From 1956ed2f4e7e11d9ec55ac60b3c163eac6ba1072 Mon Sep 17 00:00:00 2001 From: Adrian Goins Date: Thu, 20 Feb 2020 20:41:12 -0300 Subject: [PATCH 001/183] remove inconsistent reference --- content/rancher/v2.x/en/catalog/_index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/rancher/v2.x/en/catalog/_index.md b/content/rancher/v2.x/en/catalog/_index.md index 447d3a2f4be..84b297cddd1 100644 --- a/content/rancher/v2.x/en/catalog/_index.md +++ b/content/rancher/v2.x/en/catalog/_index.md @@ -59,7 +59,7 @@ Within Rancher, there are default catalogs packaged as part of Rancher. These ca - **Library** - The Library Catalog includes charts curated by Rancher. Rancher stores charts in a Git repository to expedite the fetch and update of charts. In Rancher 2.x, only global catalogs are supported. Support for cluster-level and project-level charts will be added in the future. + The Library Catalog includes charts curated by Rancher. Rancher stores charts in a Git repository to expedite the fetch and update of charts. This catalog features Rancher Charts, which include some [notable advantages]({{< baseurl >}}/rancher/v2.x/en/catalog/custom/#chart-types) over native Helm charts. From 2e8d0f14af8c61e84750742f255fada621d5162f Mon Sep 17 00:00:00 2001 From: Matt Nikkel Date: Mon, 24 Feb 2020 16:32:43 -0500 Subject: [PATCH 002/183] Update quickstarts to reflect Terraform refactor rancher/quickstart will be refactored to use RKE and Helm terraform providers. Reflect these changes in the quickstart docs pages. --- .../deployment/amazon-aws-qs/_index.md | 52 +++++++++++-------- .../deployment/digital-ocean-qs/_index.md | 52 ++++++++++++------- 2 files changed, 63 insertions(+), 41 deletions(-) diff --git a/content/rancher/v2.x/en/quick-start-guide/deployment/amazon-aws-qs/_index.md b/content/rancher/v2.x/en/quick-start-guide/deployment/amazon-aws-qs/_index.md index 65fee61875a..8023d181f51 100644 
--- a/content/rancher/v2.x/en/quick-start-guide/deployment/amazon-aws-qs/_index.md +++ b/content/rancher/v2.x/en/quick-start-guide/deployment/amazon-aws-qs/_index.md @@ -3,7 +3,7 @@ title: Rancher AWS Quick Start Guide description: Read this step by step Rancher AWS guide to quickly deploy a Rancher Server with a single node cluster attached. weight: 100 --- -The following steps will quickly deploy a Rancher Server with a single node cluster attached. +The following steps will quickly deploy a Rancher Server on AWS with a single node cluster attached. ## Prerequisites 
@@ -20,34 +20,44 @@ The following steps will quickly deploy a Rancher Server with a single node clus 1. Clone [Rancher Quickstart](https://github.com/rancher/quickstart) to a folder using `git clone https://github.com/rancher/quickstart`. -2. Go into the AWS folder containing the terraform file by executing `cd quickstart/aws`. +1. Go into the AWS folder containing the terraform files by executing `cd quickstart/aws`. -3. Rename the `terraform.tfvars.example` file to `terraform.tfvars`. +1. Rename the `terraform.tfvars.example` file to `terraform.tfvars`. -4. Edit `terraform.tfvars` and customize the following variables at minimum. To change node counts and sizes, see `node sizes`. +1. Edit `terraform.tfvars` and customize the following variables: + - `aws_access_key` - Amazon AWS Access Key + - `aws_secret_key` - Amazon AWS Secret Key + - `rancher_server_admin_password` - Admin password for created Rancher server - - `aws_access_key` - Amazon AWS Access Key - - `aws_secret_key` - Amazon AWS Secret Key - - `ssh_key_name` - Amazon AWS Key Pair Name - - `prefix` - Resource Prefix - -5. **Optional:** Modify the count of the various node types within `terraform.tfvars`. See the [Quickstart Readme](https://github.com/rancher/quickstart) for more information on the variables. +1. **Optional:** Modify optional variables within `terraform.tfvars`. +See the [Quickstart Readme](https://github.com/rancher/quickstart) and the [AWS Quickstart Readme](https://github.com/rancher/quickstart/tree/master/aws) for more information. +Suggestions include: + - `aws_region` - Amazon AWS region, choose the closest instead of the default + - `prefix` - Prefix for all created resources + - `instance_type` - EC2 instance size used, minimum is `t3a.medium` but `t3a.large` or `t3a.xlarge` could be used if within budget + - `ssh_key_file_name` - Use a specific SSH key instead of `~/.ssh/id_rsa` (public key is assumed to be `${ssh_key_file_name}.pub`) -6. Run `terraform init`. +1. 
Run `terraform init`. -7. To initiate the creation of the environment, run `terraform apply`. Then wait for the following output: +1. Install the [RKE terraform provider](https://github.com/rancher/terraform-provider-rke), see [installation instructions](https://github.com/rancher/terraform-provider-rke#using-the-provider). - ``` - Apply complete! Resources: 3 added, 0 changed, 0 destroyed. - Outputs: - rancher-url = [ - https://xxx.xxx.xxx.xxx - ] - ``` +1. To initiate the creation of the environment, run `terraform apply --auto-approve`. Then wait for output similar to the following: -8. Paste the `rancher-url` from the output above into the browser. Log in when prompted (default username is `admin`, and default password is `admin`). + ``` + Apply complete! Resources: 16 added, 0 changed, 0 destroyed. -**Result:** Rancher Server and your Kubernetes cluster is installed in Amazon AWS. + Outputs: + + rancher_node_ip = xx.xx.xx.xx + rancher_server_url = https://ec2-xx-xx-xx-xx.compute-1.amazonaws.com + workload_node_ip = yy.yy.yy.yy + ``` + +1. Paste the `rancher_server_url` from the output above into the browser. Log in when prompted (default username is `admin`, use the password set in `rancher_server_admin_password`). + +#### Result + +Two Kubernetes clusters are deployed into your AWS account, one running Rancher Server and the other ready for experimentation deployments. ### What's Next? diff --git a/content/rancher/v2.x/en/quick-start-guide/deployment/digital-ocean-qs/_index.md b/content/rancher/v2.x/en/quick-start-guide/deployment/digital-ocean-qs/_index.md index 800757e7674..3e1f67b37e2 100644 --- a/content/rancher/v2.x/en/quick-start-guide/deployment/digital-ocean-qs/_index.md +++ b/content/rancher/v2.x/en/quick-start-guide/deployment/digital-ocean-qs/_index.md 
@@ -1,8 +1,9 @@ --- -title: DigitalOcean Quick Start +title: Rancher DigitalOcean Quick Start Guide +description: Read this step by step Rancher DigitalOcean guide to quickly deploy a Rancher Server with a single node cluster attached. weight: 100 --- -The following steps will quickly deploy a Rancher Server with a single node cluster attached. +The following steps will quickly deploy a Rancher Server on DigitalOcean with a single node cluster attached. ## Prerequisites 
@@ -18,32 +19,43 @@ The following steps will quickly deploy a Rancher Server with a single node clus 1. Clone [Rancher Quickstart](https://github.com/rancher/quickstart) to a folder using `git clone https://github.com/rancher/quickstart`. -2. Go into the DigitalOcean folder containing the terraform file by executing `cd quickstart/do`. +1. Go into the DigitalOcean folder containing the terraform files by executing `cd quickstart/do`. -3. Rename the `terraform.tfvars.example` file to `terraform.tfvars`. +1. Rename the `terraform.tfvars.example` file to `terraform.tfvars`. -4. Edit `terraform.tfvars` to include your DigitalOcean Access Key. +1. Edit `terraform.tfvars` and customize the following variables: + - `do_token` - DigitalOcean access key + - `rancher_server_admin_password` - Admin password for created Rancher server -5. **Optional:** Edit `terraform.tfvars` to: +1. **Optional:** Modify optional variables within `terraform.tfvars`. +See the [Quickstart Readme](https://github.com/rancher/quickstart) and the [DO Quickstart Readme](https://github.com/rancher/quickstart/tree/master/do) for more information. +Suggestions include: + - `do_region` - DigitalOcean region, choose the closest instead of the default + - `prefix` - Prefix for all created resources + - `droplet_size` - Droplet size used, minimum is `s-2vcpu-4gb` but `s-4vcpu-8g` could be used if within budget + - `ssh_key_file_name` - Use a specific SSH key instead of `~/.ssh/id_rsa` (public key is assumed to be `${ssh_key_file_name}.pub`) - - Change the number of nodes. (`count_agent_all_nodes`) - - Change the password of the `admin` user for logging into Rancher. (`admin_password`) +1. Run `terraform init`. -6. Run `terraform init`. +1. Install the [RKE terraform provider](https://github.com/rancher/terraform-provider-rke), see [installation instructions](https://github.com/rancher/terraform-provider-rke#using-the-provider). -7. To initiate the creation of the environment, run `terraform apply`. 
Then wait for the following output: +1. To initiate the creation of the environment, run `terraform apply --auto-approve`. Then wait for output similar to the following: - ``` - Apply complete! Resources: 2 added, 0 changed, 0 destroyed. - Outputs: - rancher-url = [ - https://xxx.xxx.xxx.xxx - ] - ``` + ``` + Apply complete! Resources: 15 added, 0 changed, 0 destroyed. -8. Paste the `rancher-url` from the output above into the browser. Log in when prompted (default password is `admin`). + Outputs: -**Result:** Rancher Server and your Kubernetes cluster is installed on DigitalOcean. + rancher_node_ip = xx.xx.xx.xx + rancher_server_url = https://rancher.xx.xx.xx.xx.xip.io + workload_node_ip = yy.yy.yy.yy + ``` + +1. Paste the `rancher_server_url` from the output above into the browser. Log in when prompted (default username is `admin`, use the password set in `rancher_server_admin_password`). + +#### Result + +Two Kubernetes clusters are deployed into your DigitalOcean account, one running Rancher Server and the other ready for experimentation deployments. ### What's Next? @@ -51,6 +63,6 @@ Use Rancher to create a deployment. For more information, see [Creating Deployme ## Destroying the Environment -1. From the `quickstart/do` folder, execute `terraform destroy --force`. +1. From the `quickstart/aws` folder, execute `terraform destroy --auto-approve`. 2. Wait for confirmation that all resources have been destroyed. From 2adc5defccfbf6298e82c0601824af94cb62979d Mon Sep 17 00:00:00 2001 From: Sam Kleiner Date: Thu, 27 Feb 2020 19:32:57 -0500 Subject: [PATCH 003/183] update ha install docs Updates docs to mention the --tls-san option during HA install. --- content/k3s/latest/en/installation/ha/_index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/k3s/latest/en/installation/ha/_index.md b/content/k3s/latest/en/installation/ha/_index.md index adea8ad1938..0c06efcb20e 100644 --- a/content/k3s/latest/en/installation/ha/_index.md 
+++ b/content/k3s/latest/en/installation/ha/_index.md @@ -59,7 +59,7 @@ Agent nodes need a URL to register against. This can be the IP or hostname of an * Round-robin DNS * Virtual or elastic IP addresses -This endpoint can also be used for accessing the Kubernetes API. So you can, for example, modify your [kubeconfig](https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/) file to point to it instead of a specific node. +This endpoint can also be used for accessing the Kubernetes API. So you can, for example, modify your [kubeconfig](https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/) file to point to it instead of a specific node. To avoid certificate errors you should install the server with the `--tls-san YOUR_IP_OR_HOSTNAME_HERE` option. This option can be specified multiple times if you would like to access via both the ip and hostname. ### 4. Optional: Join Agent Nodes From e3885d04abfb0e56476594dc47429edd56f176c9 Mon Sep 17 00:00:00 2001 From: caiconkhicon Date: Fri, 28 Feb 2020 11:01:30 +0100 Subject: [PATCH 004/183] Fix wrong apiVersion for PodSecurityPolicy To create a PodSecurityPolicy, the apiVersion `policy/v1beta1` should be used. If I apply the current manifest, which use `apiVersion: policy/v1beta1`, it throws out the error: "no matches for kind "PodSecurityPolicy" in version "extensions/v1beta1" --- content/rancher/v2.x/en/security/hardening-2.3.3/_index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/rancher/v2.x/en/security/hardening-2.3.3/_index.md b/content/rancher/v2.x/en/security/hardening-2.3.3/_index.md index 00eb91129ef..488c6fbcc4d 100644 --- a/content/rancher/v2.x/en/security/hardening-2.3.3/_index.md +++ b/content/rancher/v2.x/en/security/hardening-2.3.3/_index.md 
@@ -613,7 +613,7 @@ addons: | kind: Group name: system:authenticated --- - apiVersion: extensions/v1beta1 + apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: name: restricted-psp From 7479f046b2a94e36726f6f80f042ccec219e07f8 Mon Sep 17 00:00:00 2001 From: dotancohen81 <61625757+dotancohen81@users.noreply.github.com> Date: Sat, 29 Feb 2020 19:58:32 +0200 Subject: [PATCH 005/183] Update _index.md AWS regions are not equivalent to DC DC=Az Region=Multiple Az --- .../v2.x/en/installation/k8s-install/create-nodes-lb/_index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/rancher/v2.x/en/installation/k8s-install/create-nodes-lb/_index.md b/content/rancher/v2.x/en/installation/k8s-install/create-nodes-lb/_index.md index 97c3e200657..f414d2ccbf4 100644 --- a/content/rancher/v2.x/en/installation/k8s-install/create-nodes-lb/_index.md +++ b/content/rancher/v2.x/en/installation/k8s-install/create-nodes-lb/_index.md @@ -7,7 +7,7 @@ aliases: Use your infrastructure provider of choice to provision three nodes and a load balancer endpoint for your RKE install. -> **Note:** These nodes must be in the same region/datacenter. You may place these servers in separate availability zones. +> **Note:** These nodes must be in the same region. You may place these servers in separate availability zones (datacenter). ### Requirements for OS, Docker, Hardware, and Networking From c6238e9bf7d414e94fa0abaa97818252453df698 Mon Sep 17 00:00:00 2001 From: dkeightley Date: Mon, 2 Mar 2020 15:46:04 +1300 Subject: [PATCH 006/183] Add note for update-only actions --- content/rke/latest/en/managing-clusters/_index.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/content/rke/latest/en/managing-clusters/_index.md b/content/rke/latest/en/managing-clusters/_index.md index 4a9ff3ddb8e..5f0b6422df9 100644 --- a/content/rke/latest/en/managing-clusters/_index.md +++ b/content/rke/latest/en/managing-clusters/_index.md 
@@ -20,6 +20,8 @@ After you've made changes to add/remove nodes, run `rke up` with the updated `cl You can add/remove only worker nodes, by running `rke up --update-only`. This will ignore everything else in the `cluster.yml` except for any worker nodes. +> **Note:** When using `--update-only`, other actions that do not specifically relate to nodes may be deployed or updated, for example [addons]({{< baseurl >}}/rke/latest/en/config-options/add-ons). + ### Removing Kubernetes Components from Nodes In order to remove the Kubernetes components from nodes, you use the `rke remove` command. From 0a2921dcec34bfd647c4b171e473354ff05a256a Mon Sep 17 00:00:00 2001 From: David Noland Date: Mon, 2 Mar 2020 18:13:27 -0800 Subject: [PATCH 007/183] Fixed link to PDF. --- content/rancher/v2.x/en/security/benchmark-2.3.3/_index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/rancher/v2.x/en/security/benchmark-2.3.3/_index.md b/content/rancher/v2.x/en/security/benchmark-2.3.3/_index.md index 44086210d49..488d48686eb 100644 --- a/content/rancher/v2.x/en/security/benchmark-2.3.3/_index.md +++ b/content/rancher/v2.x/en/security/benchmark-2.3.3/_index.md 
@@ -11,7 +11,7 @@ Self Assessment Guide Version | Rancher Version | Hardening Guide Version | Kube ---------------------------|----------|---------|-------|----- Self Assessment Guide v2.3.3 | Rancher v2.3.3 | Hardening Guide v2.3.3 | Kubernetes v1.16 | Benchmark v1.4.1 -[Click here to download a PDF version of this document](https://releases.rancher.com/documents/security/2.3.3/Rancher_Benchmark_Assessment.pdf) +[Click here to download a PDF version of this document](https://releases.rancher.com/documents/security/2.3.x/Rancher_Benchmark_Assessment.pdf) > The CIS Benchmark version v1.4.1 covers the security posture of Kubernetes 1.13 clusters. This self-assessment has been run against Kubernetes 1.16, using the guidelines outlined in the CIS v1.4.1 benchmark. Updates to the CIS benchmarks will be applied to this document as they are released. From 780fb4ea3acfdc54a5886ddfddbbd7ad6df48a70 Mon Sep 17 00:00:00 2001 From: Catherine Luse Date: Wed, 4 Mar 2020 12:37:45 -0700 Subject: [PATCH 008/183] Change cert-manager upgrade version to 0.12.0 --- .../air-gap-helm2/populate-private-registry/_index.md | 8 ++++---- .../en/installation/options/helm2/helm-rancher/_index.md | 4 ++-- .../upgrading-cert-manager/helm-2-instructions/_index.md | 6 +++--- .../air-gap/populate-private-registry/_index.md | 8 ++++---- 4 files changed, 13 insertions(+), 13 deletions(-) diff --git a/content/rancher/v2.x/en/installation/options/air-gap-helm2/populate-private-registry/_index.md b/content/rancher/v2.x/en/installation/options/air-gap-helm2/populate-private-registry/_index.md index 6a286a8656a..3eefbd5fd3b 100644 --- a/content/rancher/v2.x/en/installation/options/air-gap-helm2/populate-private-registry/_index.md +++ b/content/rancher/v2.x/en/installation/options/air-gap-helm2/populate-private-registry/_index.md 
@@ -51,12 +51,12 @@ In a Kubernetes Install, if you elect to use the Rancher default self-signed TLS 1. Fetch the latest `cert-manager` Helm chart and parse the template for image details: - > **Note:** Recent changes to cert-manager require an upgrade. If you are upgrading Rancher and using a version of cert-manager older than v0.9.1, please see our [upgrade documentation]({{}}/rancher/v2.x/en/installation/options/upgrading-cert-manager/). + > **Note:** Recent changes to cert-manager require an upgrade. If you are upgrading Rancher and using a version of cert-manager older than v0.12.0, please see our [upgrade documentation]({{}}/rancher/v2.x/en/installation/options/upgrading-cert-manager/). ```plain helm repo add jetstack https://charts.jetstack.io helm repo update - helm fetch jetstack/cert-manager --version v0.9.1 + helm fetch jetstack/cert-manager --version v0.12.0 helm template ./cert-manager-.tgz | grep -oP '(?<=image: ").*(?=")' >> ./rancher-images.txt ``` @@ -215,12 +215,12 @@ The workstation must have Docker 18.02+ in order to support manifests, which are 1. Fetch the latest `cert-manager` Helm chart and parse the template for image details: - > **Note:** Recent changes to cert-manager require an upgrade. If you are upgrading Rancher and using a version of cert-manager older than v0.9.1, please see our [upgrade documentation]({{}}/rancher/v2.x/en/installation/options/upgrading-cert-manager/). + > **Note:** Recent changes to cert-manager require an upgrade. If you are upgrading Rancher and using a version of cert-manager older than v0.12.0, please see our [upgrade documentation]({{}}/rancher/v2.x/en/installation/options/upgrading-cert-manager/). ```plain helm repo add jetstack https://charts.jetstack.io helm repo update - helm fetch jetstack/cert-manager --version v0.9.1 + helm fetch jetstack/cert-manager --version v0.12.0 helm template ./cert-manager-.tgz | grep -oP '(?<=image: ").*(?=")' >> ./rancher-images.txt ``` 
diff --git a/content/rancher/v2.x/en/installation/options/helm2/helm-rancher/_index.md b/content/rancher/v2.x/en/installation/options/helm2/helm-rancher/_index.md index 0690c435343..544f21c6054 100644 --- a/content/rancher/v2.x/en/installation/options/helm2/helm-rancher/_index.md +++ b/content/rancher/v2.x/en/installation/options/helm2/helm-rancher/_index.md @@ -42,7 +42,7 @@ There are three recommended options for the source of the certificate. > **Important:** > Due to an issue with Helm v2.12.0 and cert-manager, please use Helm v2.12.1 or higher. -> Recent changes to cert-manager require an upgrade. If you are upgrading Rancher and using a version of cert-manager older than v0.9.1, please see our [upgrade documentation]({{}}/rancher/v2.x/en/installation/options/upgrading-cert-manager/). +> Recent changes to cert-manager require an upgrade. If you are upgrading Rancher and using a version of cert-manager older than v0.12.0, please see our [upgrade documentation]({{}}/rancher/v2.x/en/installation/options/upgrading-cert-manager/). Rancher relies on [cert-manager](https://github.com/jetstack/cert-manager) to issue certificates from Rancher's own generated CA or to request Let's Encrypt certificates. @@ -79,7 +79,7 @@ These instructions are adapted from the [official cert-manager documentation](ht helm install \ --name cert-manager \ --namespace cert-manager \ - --version v0.9.1 \ + --version v0.12.0 \ jetstack/cert-manager ``` diff --git a/content/rancher/v2.x/en/installation/options/upgrading-cert-manager/helm-2-instructions/_index.md b/content/rancher/v2.x/en/installation/options/upgrading-cert-manager/helm-2-instructions/_index.md index 3ea49690f27..3299f50c08d 100644 --- a/content/rancher/v2.x/en/installation/options/upgrading-cert-manager/helm-2-instructions/_index.md +++ b/content/rancher/v2.x/en/installation/options/upgrading-cert-manager/helm-2-instructions/_index.md 
@@ -74,7 +74,7 @@ In order to upgrade cert-manager, follow these instructions: 1. Install the new version of cert-manager ```plain - helm install --version 0.9.1 --name cert-manager --namespace kube-system jetstack/cert-manager + helm install --version 0.12.0 --name cert-manager --namespace kube-system jetstack/cert-manager ``` {{% /accordion %}} @@ -95,13 +95,13 @@ Before you can perform the upgrade, you must prepare your air gapped environment 1. Fetch the latest cert-manager chart available from the [Helm chart repository](https://hub.helm.sh/charts/jetstack/cert-manager). ```plain - helm fetch jetstack/cert-manager --version v0.9.1 + helm fetch jetstack/cert-manager --version v0.12.0 ``` 1. Render the cert manager template with the options you would like to use to install the chart. Remember to set the `image.repository` option to pull the image from your private registry. This will create a `cert-manager` directory with the Kubernetes manifest files. ```plain - helm template ./cert-manager-v0.9.1.tgz --output-dir . \ + helm template ./cert-manager-v0.12.0.tgz --output-dir . \ --name cert-manager --namespace kube-system \ --set image.repository=/quay.io/jetstack/cert-manager-controller --set webhook.image.repository=/quay.io/jetstack/cert-manager-webhook diff --git a/content/rancher/v2.x/en/installation/other-installation-methods/air-gap/populate-private-registry/_index.md b/content/rancher/v2.x/en/installation/other-installation-methods/air-gap/populate-private-registry/_index.md index cc490aa4ca6..99f5c66bef5 100644 --- a/content/rancher/v2.x/en/installation/other-installation-methods/air-gap/populate-private-registry/_index.md +++ b/content/rancher/v2.x/en/installation/other-installation-methods/air-gap/populate-private-registry/_index.md 
@@ -50,12 +50,12 @@ In a Kubernetes Install, if you elect to use the Rancher default self-signed TLS 1. Fetch the latest `cert-manager` Helm chart and parse the template for image details: - > **Note:** Recent changes to cert-manager require an upgrade. If you are upgrading Rancher and using a version of cert-manager older than v0.9.1, please see our [upgrade documentation]({{}}/rancher/v2.x/en/installation/options/upgrading-cert-manager/). + > **Note:** Recent changes to cert-manager require an upgrade. If you are upgrading Rancher and using a version of cert-manager older than v0.12.0, please see our [upgrade documentation]({{}}/rancher/v2.x/en/installation/options/upgrading-cert-manager/). ```plain helm repo add jetstack https://charts.jetstack.io helm repo update - helm fetch jetstack/cert-manager --version v0.9.1 + helm fetch jetstack/cert-manager --version v0.12.0 helm template ./cert-manager-.tgz | grep -oP '(?<=image: ").*(?=")' >> ./rancher-images.txt ``` @@ -214,12 +214,12 @@ The workstation must have Docker 18.02+ in order to support manifests, which are 1. Fetch the latest `cert-manager` Helm chart and parse the template for image details: - > **Note:** Recent changes to cert-manager require an upgrade. If you are upgrading Rancher and using a version of cert-manager older than v0.9.1, please see our [upgrade documentation]({{}}/rancher/v2.x/en/installation/options/upgrading-cert-manager/). + > **Note:** Recent changes to cert-manager require an upgrade. If you are upgrading Rancher and using a version of cert-manager older than v0.12.0, please see our [upgrade documentation]({{}}/rancher/v2.x/en/installation/options/upgrading-cert-manager/). ```plain helm repo add jetstack https://charts.jetstack.io helm repo update - helm fetch jetstack/cert-manager --version v0.9.1 + helm fetch jetstack/cert-manager --version v0.12.0 helm template ./cert-manager-.tgz | grep -oP '(?<=image: ").*(?=")' >> ./rancher-images.txt ``` 
From 1aed03038f31b1da4e465b948a1c4144e297f8af Mon Sep 17 00:00:00 2001 From: Ross Kirkpatrick Date: Wed, 4 Mar 2020 16:16:14 -0500 Subject: [PATCH 009/183] update _index.md added the proper namespace for `helm get values rancher` to work --- content/rancher/v2.x/en/upgrades/upgrades/ha/_index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/rancher/v2.x/en/upgrades/upgrades/ha/_index.md b/content/rancher/v2.x/en/upgrades/upgrades/ha/_index.md index b2ff236b0d1..8522ff2f813 100644 --- a/content/rancher/v2.x/en/upgrades/upgrades/ha/_index.md +++ b/content/rancher/v2.x/en/upgrades/upgrades/ha/_index.md @@ -80,7 +80,7 @@ This section describes how to upgrade normal (Internet-connected) or air gap ins Get the values, which were passed with `--set`, from the current Rancher Helm chart that is installed. ``` -helm get values rancher +helm get values rancher -n cattle-system hostname: rancher.my.org ``` From a8e7bb13751787e2b870748e295f7e2f93a409a2 Mon Sep 17 00:00:00 2001 From: Catherine Luse Date: Thu, 5 Mar 2020 10:34:06 -0700 Subject: [PATCH 010/183] Update Helm 2 command for Helm 3 --- .../en/installation/options/upgrading-cert-manager/_index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/rancher/v2.x/en/installation/options/upgrading-cert-manager/_index.md b/content/rancher/v2.x/en/installation/options/upgrading-cert-manager/_index.md index d2ec4366763..83bce83066b 100644 --- a/content/rancher/v2.x/en/installation/options/upgrading-cert-manager/_index.md +++ b/content/rancher/v2.x/en/installation/options/upgrading-cert-manager/_index.md @@ -50,7 +50,7 @@ In order to upgrade cert-manager, follow these instructions: 1. [Uninstall existing deployment](https://cert-manager.io/docs/installation/uninstall/kubernetes/#uninstalling-with-helm) ```plain - helm delete --purge cert-manager + helm uninstall cert-manager ``` Delete the CustomResourceDefinition using the link to the version vX.Y you installed 
From fb54465ebd0c1fd8054e1a41a22f76f8e33b79d0 Mon Sep 17 00:00:00 2001 From: Catherine Luse Date: Thu, 5 Mar 2020 16:24:09 -0700 Subject: [PATCH 011/183] Fix link --- .../v2.x/en/cluster-admin/cluster-access/kubectl/_index.md | 1 + content/rancher/v2.x/en/overview/architecture/_index.md | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/content/rancher/v2.x/en/cluster-admin/cluster-access/kubectl/_index.md b/content/rancher/v2.x/en/cluster-admin/cluster-access/kubectl/_index.md index f8d6817e65f..b6083597ff9 100644 --- a/content/rancher/v2.x/en/cluster-admin/cluster-access/kubectl/_index.md +++ b/content/rancher/v2.x/en/cluster-admin/cluster-access/kubectl/_index.md @@ -8,6 +8,7 @@ aliases: - /rancher/v2.x/en/concepts/clusters/kubeconfig-files/ - /rancher/v2.x/en/k8s-in-rancher/kubeconfig/ - /rancher/2.x/en/cluster-admin/kubeconfig + - /rancher/v2.x/en/cluster-admin/cluster-access/kubeconfig/ --- This section describes how to manipulate your downstream Kubernetes cluster with kubectl from the Rancher UI or from your workstation. diff --git a/content/rancher/v2.x/en/overview/architecture/_index.md b/content/rancher/v2.x/en/overview/architecture/_index.md index c28ab874aa8..57ff6e2c673 100644 --- a/content/rancher/v2.x/en/overview/architecture/_index.md +++ b/content/rancher/v2.x/en/overview/architecture/_index.md 
@@ -128,7 +128,7 @@ The files mentioned below are needed to maintain, troubleshoot and upgrade your - `kube_config_rancher-cluster.yml`: The Kubeconfig file for the cluster, this file contains credentials for full access to the cluster. You can use this file to authenticate with a Rancher-launched Kubernetes cluster if Rancher goes down. - `rancher-cluster.rkestate`: The Kubernetes cluster state file. This file contains credentials for full access to the cluster. Note: This state file is only created when using RKE v0.2.0 or higher. -For more information on connecting to a cluster without the Rancher authentication proxy and other configuration options, refer to the [kubeconfig file]({{}}/rancher/v2.x/en/cluster-admin/cluster-access/kubeconfig/) documentation. +For more information on connecting to a cluster without the Rancher authentication proxy and other configuration options, refer to the [kubeconfig file]({{}}/rancher/v2.x/en/cluster-admin/cluster-access/kubectl/) documentation. # Tools for Provisioning Kubernetes Clusters From 80c87c94c7fcadb68b3dbaa805ac15908b2e509e Mon Sep 17 00:00:00 2001 From: Robert Parker Date: Thu, 5 Mar 2020 16:05:55 -0800 Subject: [PATCH 012/183] set rancher docs prefix for default titles in docs audit 24 --- layouts/partials/seo.html | 135 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 135 insertions(+) create mode 100644 layouts/partials/seo.html diff --git a/layouts/partials/seo.html b/layouts/partials/seo.html new file mode 100644 index 00000000000..e1ae8ae8a14 --- /dev/null +++ b/layouts/partials/seo.html 
@@ -0,0 +1,135 @@ + + {{ with .Params.metaTitle }} + {{ . }} + {{ else }} + {{ if eq .Section "tags" }} + {{ .Title }} Blog Posts by Rancher + {{ else }} + Rancher Docs: {{ .Title }} + {{ end }} + {{ end }} + + +{{- .Scratch.Set "permalink" .Permalink -}} +{{- if (and .Pages (not .IsHome)) -}} + {{/* + Hugo doesn't generate permalinks for lists with the page number in them, + which makes all the pages of a list look lik the same page to a search + engine, which is bad. + */}} + + {{- $by := .Params.pageBy | default .Site.Params.pageBy | default "default" -}} + {{- $limit := .Site.Params.pageLimit | default 10 -}} + + {{- if (eq .Site.Params.pageBy "newest") -}} + {{- $paginator := .Paginate .Pages.ByDate.Reverse $limit -}} + {{- .Scratch.Set "paginator" $paginator -}} + {{- else if (eq .Site.Params.pageBy "title") -}} + {{- $paginator := .Paginate .Pages.ByTitle $limit -}} + {{- .Scratch.Set "paginator" $paginator -}} + {{- else -}} + {{- $paginator := .Paginate $limit -}} + {{- .Scratch.Set "paginator" $paginator -}} + {{- end -}} + + {{- $paginator := .Scratch.Get "paginator" -}} + {{- if (gt $paginator.PageNumber 1) -}} + {{ .Scratch.Set "permalink" ($paginator.URL | absURL) }} + {{- end -}} + + {{ with $paginator.Prev -}} + + {{- end }} + {{ with $paginator.Next -}} + + {{- end }} +{{- end -}} + + {{ $permalink := .Scratch.Get "permalink" }} + {{ if .Params.canonical }} + + {{ end }} + + {{ if .RSSLink -}} + + {{- end }} + + {{ if eq .Section "tags" }} + + {{ else }} + + {{ end }} + + + + + + + + + + + + + + + + + {{ range .Params.categories }}{{ end }} + {{ if isset .Params "date" }}{{ end }} + +{{- if .IsHome -}} + +{{- else if .IsPage -}} + +{{ end }} From ce7f2abd3b10dfd18ca48c1ecba53e66dc9d019d Mon Sep 17 00:00:00 2001 
From: Jason Skrzypek Date: Thu, 5 Mar 2020 11:50:50 -0500 Subject: [PATCH 013/183] Updated GCP Docs --- .../en/quick-start-guide/deployment/_index.md | 2 + .../deployment/google-gcp-qs/_index.md | 69 +++++++++++++++++++ 2 files changed, 71 insertions(+) create mode 100644 content/rancher/v2.x/en/quick-start-guide/deployment/google-gcp-qs/_index.md diff --git a/content/rancher/v2.x/en/quick-start-guide/deployment/_index.md b/content/rancher/v2.x/en/quick-start-guide/deployment/_index.md index f11ab6241fb..f7d4da476aa 100644 --- a/content/rancher/v2.x/en/quick-start-guide/deployment/_index.md +++ b/content/rancher/v2.x/en/quick-start-guide/deployment/_index.md @@ -7,6 +7,8 @@ Use one of the following guides to deploy and provision Rancher and a Kubernetes - [DigitalOcean](./digital-ocean-qs) (uses Terraform) - [AWS](./amazon-aws-qs) (uses Terraform) +- [Azure](./microsoft-azure-qs) (uses Terraform) +- [GCP](./google-gcp-qs) (uses Terraform) - [Vagrant](./quickstart-vagrant) If you prefer, the following guide will take you through the same process in individual steps. Use this if you want to run Rancher in a different provider, on prem, or if you would just like to see how easy it is. diff --git a/content/rancher/v2.x/en/quick-start-guide/deployment/google-gcp-qs/_index.md b/content/rancher/v2.x/en/quick-start-guide/deployment/google-gcp-qs/_index.md new file mode 100644 index 00000000000..7e5df527735 --- /dev/null +++ b/content/rancher/v2.x/en/quick-start-guide/deployment/google-gcp-qs/_index.md 
@@ -0,0 +1,69 @@ +--- +title: Rancher GCP Quick Start Guide +description: Read this step by step Rancher GCP guide to quickly deploy a Rancher Server with a single node cluster attached. +weight: 100 +--- +The following steps will quickly deploy a Rancher Server on GCP with a single node cluster attached. + +## Prerequisites + +>**Note** +>Deploying to Google GCP will incur charges. + +- [Google GCP Account](https://console.cloud.google.com/): A Google GCP Account is required to create resources for deploying Rancher and Kubernetes. +- [Google GCP Project](https://cloud.google.com/appengine/docs/standard/nodejs/building-app/creating-project): Use this link to follow a tutorial to create a GCP Project if you don't have one yet. +- [Google GCP Service Account](https://cloud.google.com/iam/docs/creating-managing-service-account-keys): Use this link and follow instructions to create a GCP service account and token file. +- [Terraform](https://www.terraform.io/downloads.html): Used to provision the server and cluster in Google GCP. + + +## Getting Started + +1. Clone [Rancher Quickstart](https://github.com/rancher/quickstart) to a folder using `git clone https://github.com/rancher/quickstart`. + +1. Go into the GCP folder containing the terraform files by executing `cd quickstart/gcp`. + +1. Rename the `terraform.tfvars.example` file to `terraform.tfvars`. + +1. Edit `terraform.tfvars` and customize the following variables: + - `gcp_account_json` - GCP service account file path and file name + - `rancher_server_admin_password` - Admin password for created Rancher server + +1. **Optional:** Modify optional variables within `terraform.tfvars`. +See the [Quickstart Readme](https://github.com/rancher/quickstart) and the [GCP Quickstart Readme](https://github.com/rancher/quickstart/tree/master/gcp) for more information. 
+Suggestions include: + - `gcp_region` - Google GCP region, choose the closest instead of the default + - `prefix` - Prefix for all created resources + - `machine_type` - Compute instance size used, minimum is `n1-standard-1` but `n1-standard-2` or `n1-standard-4` could be used if within budget + - `ssh_key_file_name` - Use a specific SSH key instead of `~/.ssh/id_rsa` (public key is assumed to be `${ssh_key_file_name}.pub`) + +1. Run `terraform init`. + +1. Install the [RKE terraform provider](https://github.com/rancher/terraform-provider-rke), see [installation instructions](https://github.com/rancher/terraform-provider-rke#using-the-provider). + +1. To initiate the creation of the environment, run `terraform apply --auto-approve`. Then wait for output similar to the following: + + ``` + Apply complete! Resources: 16 added, 0 changed, 0 destroyed. + + Outputs: + + rancher_node_ip = xx.xx.xx.xx + rancher_server_url = https://xx-xx-xx-xx.nip.io + workload_node_ip = yy.yy.yy.yy + ``` + +1. Paste the `rancher_server_url` from the output above into the browser. Log in when prompted (default username is `admin`, use the password set in `rancher_server_admin_password`). + +#### Result + +Two Kubernetes clusters are deployed into your GCP account, one running Rancher Server and the other ready for experimentation deployments. + +### What's Next? + +Use Rancher to create a deployment. For more information, see [Creating Deployments]({{< baseurl >}}/rancher/v2.x/en/quick-start-guide/workload). + +## Destroying the Environment + +1. From the `quickstart/gcp` folder, execute `terraform destroy --auto-approve`. + +2. Wait for confirmation that all resources have been destroyed. From 4abf8f3612956a858c8aaf9f0dcbef5643b83d89 Mon Sep 17 00:00:00 2001 
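Review bot: the Getting Started steps in PATCH 013's google-gcp-qs/_index.md have the reader put the service account key path (`gcp_account_json`) and `rancher_server_admin_password` into `terraform.tfvars`, with nothing said about protecting that file or the key; add a line telling readers to keep both out of version control. The step order needs a check as well: `terraform init` comes before "Install the RKE terraform provider", and if init needs that provider present the two steps should be swapped. In deployment/_index.md this patch adds the `[Azure](./microsoft-azure-qs)` link although the target page is only created by PATCH 014, which adds its own `[AZURE]` entry against the same base blob `f11ab6241fb`, so the two patches will conflict or leave a duplicate entry when applied in sequence; keep the Azure link in one of them. The Result text says two clusters are deployed, while the front matter and intro promise a Rancher Server with a single node cluster attached.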
From: Jason Skrzypek Date: Tue, 10 Mar 2020 09:52:01 -0400 Subject: [PATCH 014/183] Updated AZURE Quickstart Docs --- .../en/quick-start-guide/deployment/_index.md | 1 + .../deployment/microsoft-azure-qs/_index.md | 73 +++++++++++++++++++ 2 files changed, 74 insertions(+) create mode 100644 content/rancher/v2.x/en/quick-start-guide/deployment/microsoft-azure-qs/_index.md diff --git a/content/rancher/v2.x/en/quick-start-guide/deployment/_index.md b/content/rancher/v2.x/en/quick-start-guide/deployment/_index.md index f11ab6241fb..4671ff11d64 100644 --- a/content/rancher/v2.x/en/quick-start-guide/deployment/_index.md +++ b/content/rancher/v2.x/en/quick-start-guide/deployment/_index.md @@ -7,6 +7,7 @@ Use one of the following guides to deploy and provision Rancher and a Kubernetes - [DigitalOcean](./digital-ocean-qs) (uses Terraform) - [AWS](./amazon-aws-qs) (uses Terraform) +- [AZURE](./microsoft-azure-qs) (uses Terraform) - [Vagrant](./quickstart-vagrant) If you prefer, the following guide will take you through the same process in individual steps. Use this if you want to run Rancher in a different provider, on prem, or if you would just like to see how easy it is. diff --git a/content/rancher/v2.x/en/quick-start-guide/deployment/microsoft-azure-qs/_index.md b/content/rancher/v2.x/en/quick-start-guide/deployment/microsoft-azure-qs/_index.md new file mode 100644 index 00000000000..4ac5882d04b --- /dev/null +++ b/content/rancher/v2.x/en/quick-start-guide/deployment/microsoft-azure-qs/_index.md 
@@ -0,0 +1,73 @@ +--- +title: Rancher Azure Quick Start Guide +description: Read this step by step Rancher Azure guide to quickly deploy a Rancher Server with a single node cluster attached. +weight: 100 +--- +The following steps will quickly deploy a Rancher Server on Azure with a single node cluster attached. + +## Prerequisites + +>**Note** +>Deploying to Microsoft Azure will incur charges. + +- [Microsoft Azure Account](https://azure.microsoft.com/en-us/free/): A Microsoft Azure Account is required to create resources for deploying Rancher and Kubernetes. +- [Microsoft Azure Subscription](https://docs.microsoft.com/en-us/azure/cost-management-billing/manage/create-subscription#create-a-subscription-in-the-azure-portal): Use this link to follow a tutorial to create a Microsoft Azure subscription if you don't have one yet. +- [Micsoroft Azure Tenant](https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-create-new-tenant): Use this link and follow instructions to create a Microsoft Azure tenant. +- [Microsoft Azure Client ID/Secret](https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal): Use this link and follow instructions to create a Microsoft Azure client and secret. +- [Terraform](https://www.terraform.io/downloads.html): Used to provision the server and cluster in Microsoft Azure. + + +## Getting Started + +1. Clone [Rancher Quickstart](https://github.com/rancher/quickstart) to a folder using `git clone https://github.com/rancher/quickstart`. + +1. Go into the Azure folder containing the terraform files by executing `cd quickstart/azure`. + +1. Rename the `terraform.tfvars.example` file to `terraform.tfvars`. + +1. 
Edit `terraform.tfvars` and customize the following variables: + - `azure_subscription_id` - Microsoft Azure Subscription ID + - `azure_client_id` - Microsoft Azure Client ID + - `azure_client_secret` - Microsoft Azure Client Secret + - `azure_tenant_id` - Microsoft Azure Tenant ID + - `rancher_server_admin_password` - Admin password for created Rancher server + +2. **Optional:** Modify optional variables within `terraform.tfvars`. +See the [Quickstart Readme](https://github.com/rancher/quickstart) and the [Azure Quickstart Readme](https://github.com/rancher/quickstart/tree/master/azure) for more information. +Suggestions include: + - `azure_location` - Microsoft Azure region, choose the closest instead of the default + - `prefix` - Prefix for all created resources + - `instance_type` - Compute instance size used, minimum is `Standard_DS2_v2` but `Standard_DS2_v3` or `Standard_DS3_v2` could be used if within budget + - `ssh_key_file_name` - Use a specific SSH key instead of `~/.ssh/id_rsa` (public key is assumed to be `${ssh_key_file_name}.pub`) + +1. Run `terraform init`. + +1. Install the [RKE terraform provider](https://github.com/rancher/terraform-provider-rke), see [installation instructions](https://github.com/rancher/terraform-provider-rke#using-the-provider). + +1. To initiate the creation of the environment, run `terraform apply --auto-approve`. Then wait for output similar to the following: + + ``` + Apply complete! Resources: 16 added, 0 changed, 0 destroyed. + + Outputs: + + rancher_node_ip = xx.xx.xx.xx + rancher_server_url = https://xx-xx-xx-xx.nip.io + workload_node_ip = yy.yy.yy.yy + ``` + +1. Paste the `rancher_server_url` from the output above into the browser. Log in when prompted (default username is `admin`, use the password set in `rancher_server_admin_password`). + +#### Result + +Two Kubernetes clusters are deployed into your Azure account, one running Rancher Server and the other ready for experimentation deployments. + +### What's Next? 
+ +Use Rancher to create a deployment. For more information, see [Creating Deployments]({{< baseurl >}}/rancher/v2.x/en/quick-start-guide/workload). + +## Destroying the Environment + +1. From the `quickstart/azure` folder, execute `terraform destroy --auto-approve`. + +2. Wait for confirmation that all resources have been destroyed. From c72ec1e278926409723187a454876c338df84994 Mon Sep 17 00:00:00 2001 From: Caleb Bron Date: Tue, 10 Mar 2020 09:29:14 -0700 Subject: [PATCH 015/183] Adds section on deploying istio with PSP enabled --- .../setup/enable-istio-in-cluster/_index.md | 2 + .../enable-istio-with-psp/_index.md | 59 +++++++++++++++++++ 2 files changed, 61 insertions(+) create mode 100644 content/rancher/v2.x/en/cluster-admin/tools/istio/setup/enable-istio-in-cluster/enable-istio-with-psp/_index.md diff --git a/content/rancher/v2.x/en/cluster-admin/tools/istio/setup/enable-istio-in-cluster/_index.md b/content/rancher/v2.x/en/cluster-admin/tools/istio/setup/enable-istio-in-cluster/_index.md index 9df03283a12..9ea611c7c45 100644 --- a/content/rancher/v2.x/en/cluster-admin/tools/istio/setup/enable-istio-in-cluster/_index.md +++ b/content/rancher/v2.x/en/cluster-admin/tools/istio/setup/enable-istio-in-cluster/_index.md 
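Review bot: the required variables in PATCH 014's microsoft-azure-qs/_index.md put `azure_client_secret` and `rancher_server_admin_password` into `terraform.tfvars` in plain text, and the guide never tells readers to keep that file out of version control; add that line next to the "Edit `terraform.tfvars`" step. In the Prerequisites list the link text reads "Micsoroft Azure Tenant" and should be "Microsoft Azure Tenant". The optional-variables step is numbered `2.` while every other step uses `1.`, so pick one style. Please also confirm that `Standard_DS2_v3` is a valid instance size before suggesting it.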
@@ -7,6 +7,8 @@ This cluster uses the default Nginx controller to allow traffic into the cluster A Rancher [administrator]({{}}/rancher/v2.x/en/admin-settings/rbac/global-permissions/) or [cluster owner]({{}}/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/#cluster-roles) can configure Rancher to deploy Istio in a Kubernetes cluster. +> If the cluster has a Pod Security Policy enabled there are [prerequisites steps]({{}}/rancher/v2.x/en/cluster-admin/tools/istio/setup/enable-istio-in-cluster/enable-istio-with-psp/) + 1. From the **Global** view, navigate to the **cluster** where you want to enable Istio. 1. Click **Tools > Istio.** 1. Optional: Configure member access and [resource limits]({{}}/rancher/v2.x/en/cluster-admin/tools/istio/resources/) for the Istio components. Ensure you have enough resources on your worker nodes to enable Istio. diff --git a/content/rancher/v2.x/en/cluster-admin/tools/istio/setup/enable-istio-in-cluster/enable-istio-with-psp/_index.md b/content/rancher/v2.x/en/cluster-admin/tools/istio/setup/enable-istio-in-cluster/enable-istio-with-psp/_index.md new file mode 100644 index 00000000000..4de81646b16 --- /dev/null +++ b/content/rancher/v2.x/en/cluster-admin/tools/istio/setup/enable-istio-in-cluster/enable-istio-with-psp/_index.md 
@@ -0,0 +1,59 @@ +--- +title: Enable Istio with Pod Security Policies +--- + + >**Note:** The following guide is only for RKE provisioned clusters + +If you have restrictive Pod Security Policies enabled, then istio may not be able to function correctly as it needs certain permissions in order to install itself and manage pod infrastructure. In this section we will configure a cluster with PSP's enabled for an Istio install, and also setup the Istio CNI plugin. + +The Istio CNI plugin removes the need for each application pod to have a priveleged `NET_ADMIN` container. For further information see the [Istio CNI Plugin docs](https://istio.io/docs/setup/additional-setup/cni). Please note that the [Istio CNI Plugin is in alpha](https://istio.io/about/feature-stages/). + +#### Allow access to iptables + +Configure the cluster to allow the CNI plugin to set networking rules via iptables modules + +1. From the **Global** view, navigate to the **cluster** where you want to enable Istio. +1. Select the **Ellipsis (...) > Edit**. +1. Click "Edit as YAML", find the services block and edit to include: + +``` +services: + kubelet: + extra_binds: + - '/lib/modules:/lib/modules' +``` + +#### Configure the System Project Policy to allow Istio install + +1. From the main menu of the **Dashboard**, select **Projects/Namespaces**. +1. Find the **Project: System** project and select the **Ellipsis (...) > Edit**. +1. Change the Pod Security Policy option to be unrestricted, then click Save. + + +#### Install the CNI Plugin in the System Project + +1. From the main menu of the **Dashboard**, select **Projects/Namespaces**. +1. Select the **Project: System** project. +1. Choose **Tools > Catalogs** in the navigation bar. +1. Add a catalog with the following: + 1. Name: istio-cni + 1. Catalog URL: https://github.com/istio/cni + 1. Branch: The branch that matches your current release, for example: `release-1.4`. +1. From the main menu select **Apps** +1. 
Click Launch and select istio-cni +1. Update the namespace to be "kube-system" +1. In the answers section, click "Edit as YAML", and paste in the following: +``` +--- + logLevel: "info" + excludeNamespaces: + - "istio-system" + - "kube-system" +``` +1. Click Launch + +#### Install Istio + +Follow the [primary instructions]({{}}/rancher/v2.x/en/cluster-admin/tools/istio/setup/enable-istio-in-cluster/), adding a custom answer: `istio_cni.enabled: true`. + +After Istio has finished installing, the Apps page in System Projects should show both istio and istio-cni applications deployed successfully. Sidecar injection will now be functional. From 8afc07f8df62740a6b5d6ea64766d84b500d8aa4 Mon Sep 17 00:00:00 2001 From: Catherine Luse Date: Wed, 11 Mar 2020 04:37:11 -0700 Subject: [PATCH 016/183] Change GCE to GKE in GKE docs --- .../hosted-kubernetes-clusters/gke/_index.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/content/rancher/v2.x/en/cluster-provisioning/hosted-kubernetes-clusters/gke/_index.md b/content/rancher/v2.x/en/cluster-provisioning/hosted-kubernetes-clusters/gke/_index.md index 7664d720dbf..ad6540fe68d 100644 --- a/content/rancher/v2.x/en/cluster-provisioning/hosted-kubernetes-clusters/gke/_index.md +++ b/content/rancher/v2.x/en/cluster-provisioning/hosted-kubernetes-clusters/gke/_index.md 
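Review bot: the step "Change the Pod Security Policy option to be unrestricted" in PATCH 015's enable-istio-with-psp/_index.md removes PSP restrictions from the whole System project, and the page never says whether to restore the policy after the install or what the change exposes; state the scope and whether the policy can be tightened again once Istio is running. Both YAML fences start at column 0 inside numbered lists, which ends the list and restarts the numbering, so indent them under their step. Wording: "priveleged" should be "privileged", and the callout added to enable-istio-in-cluster/_index.md reads "prerequisites steps" and has no closing period.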
@@ -1,17 +1,17 @@ --- title: Creating a GKE Cluster -shortTitle: Google Container Engine +shortTitle: Google Kubernetes Engine weight: 2105 aliases: - /rancher/v2.x/en/tasks/clusters/creating-a-cluster/create-cluster-gke/ --- -## Prerequisites in Google Cloud Platform +## Prerequisites in Google Kubernetes Engine >**Note** >Deploying to GKE will incur charges. -Create a service account using [Google Cloud Platform](https://console.cloud.google.com/projectselector/iam-admin/serviceaccounts). GKE uses this account to operate your cluster. Creating this account also generates a private key used for authentication. +Create a service account using [Google Kubernetes Engine](https://console.cloud.google.com/projectselector/iam-admin/serviceaccounts). GKE uses this account to operate your cluster. Creating this account also generates a private key used for authentication. The service account requires the following roles: From 61925cc4a081be039da461e45b0dd9802b2d1711 Mon Sep 17 00:00:00 2001 From: Catherine Luse Date: Wed, 11 Mar 2020 05:07:46 -0700 Subject: [PATCH 017/183] Minor correction --- .../hosted-kubernetes-clusters/gke/_index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/rancher/v2.x/en/cluster-provisioning/hosted-kubernetes-clusters/gke/_index.md b/content/rancher/v2.x/en/cluster-provisioning/hosted-kubernetes-clusters/gke/_index.md index ad6540fe68d..f08a196861b 100644 --- a/content/rancher/v2.x/en/cluster-provisioning/hosted-kubernetes-clusters/gke/_index.md +++ b/content/rancher/v2.x/en/cluster-provisioning/hosted-kubernetes-clusters/gke/_index.md @@ -28,7 +28,7 @@ Use {{< product >}} to set up and configure your Kubernetes cluster. 1. From the **Clusters** page, click **Add Cluster**. -2. Choose **Google Container Engine**. +2. Choose **Google Kubernetes Engine**. 3. Enter a **Cluster Name**. From 7b51d0dd7629ed27446ef712780a170e0dc6cb2e Mon Sep 17 00:00:00 2001 
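Review bot: the rename in PATCH 016 goes too far in two places. The heading becomes "Prerequisites in Google Kubernetes Engine" and the link text becomes "[Google Kubernetes Engine]", but the link still targets `console.cloud.google.com/projectselector/iam-admin/serviceaccounts`, the service accounts page of the cloud console, and the following sentence already says that GKE uses the account. Keep "Google Cloud Platform" for the heading and the link text, and limit the rename to `shortTitle` and to the "Choose **Google Kubernetes Engine**" step changed in PATCH 017.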
From: Catherine Luse Date: Wed, 11 Mar 2020 14:16:11 -0700 Subject: [PATCH 018/183] Grammar/style edit --- .../enable-istio-with-psp/_index.md | 27 +++++++++++-------- 1 file changed, 16 insertions(+), 11 deletions(-) diff --git a/content/rancher/v2.x/en/cluster-admin/tools/istio/setup/enable-istio-in-cluster/enable-istio-with-psp/_index.md b/content/rancher/v2.x/en/cluster-admin/tools/istio/setup/enable-istio-in-cluster/enable-istio-with-psp/_index.md index 4de81646b16..ed1201c10ec 100644 --- a/content/rancher/v2.x/en/cluster-admin/tools/istio/setup/enable-istio-in-cluster/enable-istio-with-psp/_index.md +++ b/content/rancher/v2.x/en/cluster-admin/tools/istio/setup/enable-istio-in-cluster/enable-istio-with-psp/_index.md 
@@ -2,19 +2,24 @@ title: Enable Istio with Pod Security Policies --- - >**Note:** The following guide is only for RKE provisioned clusters + >**Note:** The following guide is only for RKE provisioned clusters. -If you have restrictive Pod Security Policies enabled, then istio may not be able to function correctly as it needs certain permissions in order to install itself and manage pod infrastructure. In this section we will configure a cluster with PSP's enabled for an Istio install, and also setup the Istio CNI plugin. +If you have restrictive Pod Security Policies enabled, then Istio may not be able to function correctly, because it needs certain permissions in order to install itself and manage pod infrastructure. In this section, we will configure a cluster with PSPs enabled for an Istio install, and also set up the Istio CNI plugin. -The Istio CNI plugin removes the need for each application pod to have a priveleged `NET_ADMIN` container. For further information see the [Istio CNI Plugin docs](https://istio.io/docs/setup/additional-setup/cni). Please note that the [Istio CNI Plugin is in alpha](https://istio.io/about/feature-stages/). +The Istio CNI plugin removes the need for each application pod to have a priveleged `NET_ADMIN` container. For further information, see the [Istio CNI Plugin docs](https://istio.io/docs/setup/additional-setup/cni). Please note that the [Istio CNI Plugin is in alpha](https://istio.io/about/feature-stages/). -#### Allow access to iptables +- 1. [Allow access to iptables.](#1-allow-access-to-iptables) +- 2. [Configure the System Project Policy to allow Istio install.](#2-configure-the-system-project-policy-to-allow-istio-install) +- 3. [Install the CNI plugin in the System project.](#3-install-the-cni-plugin-in-the-system-project) +- 4. [Install Istio.](#4-install-istio) -Configure the cluster to allow the CNI plugin to set networking rules via iptables modules +### 1. Allow access to iptables -1. 
From the **Global** view, navigate to the **cluster** where you want to enable Istio. +Configure the cluster to allow the CNI plugin to set networking rules via iptables modules: + +1. From the **Global** view, navigate to the cluster where you want to enable Istio. 1. Select the **Ellipsis (...) > Edit**. -1. Click "Edit as YAML", find the services block and edit to include: +1. Click "Edit as YAML", find the services block, and edit to include: ``` services: @@ -23,14 +28,14 @@ services: - '/lib/modules:/lib/modules' ``` -#### Configure the System Project Policy to allow Istio install +### 2. Configure the System Project Policy to allow Istio install 1. From the main menu of the **Dashboard**, select **Projects/Namespaces**. 1. Find the **Project: System** project and select the **Ellipsis (...) > Edit**. 1. Change the Pod Security Policy option to be unrestricted, then click Save. -#### Install the CNI Plugin in the System Project +### 3. Install the CNI Plugin in the System Project 1. From the main menu of the **Dashboard**, select **Projects/Namespaces**. 1. Select the **Project: System** project. @@ -52,8 +57,8 @@ services: ``` 1. Click Launch -#### Install Istio +### 4. Install Istio Follow the [primary instructions]({{}}/rancher/v2.x/en/cluster-admin/tools/istio/setup/enable-istio-in-cluster/), adding a custom answer: `istio_cni.enabled: true`. -After Istio has finished installing, the Apps page in System Projects should show both istio and istio-cni applications deployed successfully. Sidecar injection will now be functional. +After Istio has finished installing, the Apps page in System Projects should show both istio and `istio-cni` applications deployed successfully. Sidecar injection will now be functional. From ba9b14dcacb49840db77c1c489deb30f74218000 Mon Sep 17 00:00:00 2001 
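Review bot: the rewritten `NET_ADMIN` sentence in PATCH 018 still carries "priveleged", which a grammar pass should catch; fold the one-word fix into this commit. The new table of contents uses `- 1.` items, a bullet wrapping an ordered list, and its links depend on the numbered heading slugs (`#1-allow-access-to-iptables` and so on), so any later renumbering of the headings has to update the links too. In the last paragraph `istio-cni` gained backticks but `istio` did not.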
From: Catherine Luse Date: Wed, 11 Mar 2020 14:16:34 -0700 Subject: [PATCH 019/183] Fix typo --- .../enable-istio-in-cluster/enable-istio-with-psp/_index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/rancher/v2.x/en/cluster-admin/tools/istio/setup/enable-istio-in-cluster/enable-istio-with-psp/_index.md b/content/rancher/v2.x/en/cluster-admin/tools/istio/setup/enable-istio-in-cluster/enable-istio-with-psp/_index.md index ed1201c10ec..6cd21ae4475 100644 --- a/content/rancher/v2.x/en/cluster-admin/tools/istio/setup/enable-istio-in-cluster/enable-istio-with-psp/_index.md +++ b/content/rancher/v2.x/en/cluster-admin/tools/istio/setup/enable-istio-in-cluster/enable-istio-with-psp/_index.md @@ -6,7 +6,7 @@ title: Enable Istio with Pod Security Policies If you have restrictive Pod Security Policies enabled, then Istio may not be able to function correctly, because it needs certain permissions in order to install itself and manage pod infrastructure. In this section, we will configure a cluster with PSPs enabled for an Istio install, and also set up the Istio CNI plugin. -The Istio CNI plugin removes the need for each application pod to have a priveleged `NET_ADMIN` container. For further information, see the [Istio CNI Plugin docs](https://istio.io/docs/setup/additional-setup/cni). Please note that the [Istio CNI Plugin is in alpha](https://istio.io/about/feature-stages/). +The Istio CNI plugin removes the need for each application pod to have a privileged `NET_ADMIN` container. For further information, see the [Istio CNI Plugin docs](https://istio.io/docs/setup/additional-setup/cni). Please note that the [Istio CNI Plugin is in alpha](https://istio.io/about/feature-stages/). - 1. [Allow access to iptables.](#1-allow-access-to-iptables) - 2. [Configure the System Project Policy to allow Istio install.](#2-configure-the-system-project-policy-to-allow-istio-install) From 36a41750909576b8286a34a5d3fbcbe801b9190e Mon Sep 17 00:00:00 2001 
From: Caleb Bron Date: Thu, 12 Mar 2020 08:49:20 -0700 Subject: [PATCH 020/183] Removed istio psp block on binding lib modules for iptables As far as I can tell this has been fixed in upstream, if anyone reports otherwise in the future we can revert. Also I fixed the code block layout. --- .../enable-istio-with-psp/_index.md | 32 +++++-------------- 1 file changed, 8 insertions(+), 24 deletions(-) diff --git a/content/rancher/v2.x/en/cluster-admin/tools/istio/setup/enable-istio-in-cluster/enable-istio-with-psp/_index.md b/content/rancher/v2.x/en/cluster-admin/tools/istio/setup/enable-istio-in-cluster/enable-istio-with-psp/_index.md index 6cd21ae4475..07b3f104f5a 100644 --- a/content/rancher/v2.x/en/cluster-admin/tools/istio/setup/enable-istio-in-cluster/enable-istio-with-psp/_index.md +++ b/content/rancher/v2.x/en/cluster-admin/tools/istio/setup/enable-istio-in-cluster/enable-istio-with-psp/_index.md 
@@ -8,34 +8,18 @@ If you have restrictive Pod Security Policies enabled, then Istio may not be abl The Istio CNI plugin removes the need for each application pod to have a privileged `NET_ADMIN` container. For further information, see the [Istio CNI Plugin docs](https://istio.io/docs/setup/additional-setup/cni). Please note that the [Istio CNI Plugin is in alpha](https://istio.io/about/feature-stages/). -- 1. [Allow access to iptables.](#1-allow-access-to-iptables) -- 2. [Configure the System Project Policy to allow Istio install.](#2-configure-the-system-project-policy-to-allow-istio-install) -- 3. [Install the CNI plugin in the System project.](#3-install-the-cni-plugin-in-the-system-project) -- 4. [Install Istio.](#4-install-istio) +- 1. [Configure the System Project Policy to allow Istio install.](#2-configure-the-system-project-policy-to-allow-istio-install) +- 2. [Install the CNI plugin in the System project.](#3-install-the-cni-plugin-in-the-system-project) +- 3. [Install Istio.](#4-install-istio) -### 1. Allow access to iptables - -Configure the cluster to allow the CNI plugin to set networking rules via iptables modules: - -1. From the **Global** view, navigate to the cluster where you want to enable Istio. -1. Select the **Ellipsis (...) > Edit**. -1. Click "Edit as YAML", find the services block, and edit to include: - -``` -services: - kubelet: - extra_binds: - - '/lib/modules:/lib/modules' -``` - -### 2. Configure the System Project Policy to allow Istio install +### 1. Configure the System Project Policy to allow Istio install 1. From the main menu of the **Dashboard**, select **Projects/Namespaces**. 1. Find the **Project: System** project and select the **Ellipsis (...) > Edit**. 1. Change the Pod Security Policy option to be unrestricted, then click Save. -### 3. Install the CNI Plugin in the System Project +### 2. Install the CNI Plugin in the System Project 1. From the main menu of the **Dashboard**, select **Projects/Namespaces**. 1. 
Select the **Project: System** project. @@ -47,7 +31,8 @@ services: 1. From the main menu select **Apps** 1. Click Launch and select istio-cni 1. Update the namespace to be "kube-system" -1. In the answers section, click "Edit as YAML", and paste in the following: +1. In the answers section, click "Edit as YAML" and paste in the following, then click launch: + ``` --- logLevel: "info" @@ -55,9 +40,8 @@ services: - "istio-system" - "kube-system" ``` -1. Click Launch -### 4. Install Istio +### 3. Install Istio Follow the [primary instructions]({{}}/rancher/v2.x/en/cluster-admin/tools/istio/setup/enable-istio-in-cluster/), adding a custom answer: `istio_cni.enabled: true`. From d40db359c4cc7ad1c755024b6aa5d140f87d430d Mon Sep 17 00:00:00 2001 From: Catherine Luse Date: Thu, 12 Mar 2020 09:54:39 -0700 Subject: [PATCH 021/183] Say to use --devel when installing alpha Rancher --- .../v2.x/en/installation/k8s-install/helm-rancher/_index.md | 3 +++ .../v2.x/en/installation/options/feature-flags/_index.md | 2 ++ .../v2.x/en/installation/options/helm2/helm-rancher/_index.md | 3 +++ 3 files changed, 8 insertions(+) diff --git a/content/rancher/v2.x/en/installation/k8s-install/helm-rancher/_index.md b/content/rancher/v2.x/en/installation/k8s-install/helm-rancher/_index.md index ea0fcda275f..5dd4d41cb66 100644 --- a/content/rancher/v2.x/en/installation/k8s-install/helm-rancher/_index.md +++ b/content/rancher/v2.x/en/installation/k8s-install/helm-rancher/_index.md 
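Review bot: the table of contents in PATCH 020 is renumbered 1 to 3, but its link targets are left as `#2-configure-the-system-project-policy-to-allow-istio-install`, `#3-install-the-cni-plugin-in-the-system-project` and `#4-install-istio` while the headings are now `### 1.`, `### 2.` and `### 3.`; update the fragments to the new numbers or the links stop resolving. The commit message gives "As far as I can tell" as the basis for dropping the `/lib/modules` bind, so name the upstream fix or version in the commit or on the page. The merged step says "then click launch" before the YAML it refers to, and "Launch" should be capitalised to match the button name used elsewhere in the file.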
@@ -115,6 +115,7 @@ cert-manager-webhook-787858fcdb-nlzsq 1/1 Running 0 2m The default is for Rancher to generate a CA and uses `cert-manager` to issue the certificate for access to the Rancher server interface. Because `rancher` is the default option for `ingress.tls.source`, we are not specifying `ingress.tls.source` when running the `helm install` command. - Set the `hostname` to the DNS name you pointed at your load balancer. +- If you are installing an alpha version, Helm requires adding the `--devel` option to the command. ``` helm install rancher rancher-/rancher \ @@ -138,6 +139,7 @@ deployment "rancher" successfully rolled out This option uses `cert-manager` to automatically request and renew [Let's Encrypt](https://letsencrypt.org/) certificates. This is a free service that provides you with a valid certificate as Let's Encrypt is a trusted CA. This configuration uses HTTP validation (`HTTP-01`) so the load balancer must have a public DNS record and be accessible from the internet. - Set `hostname` to the public DNS record, set `ingress.tls.source` to `letsEncrypt` and `letsEncrypt.email` to the email address used for communication about your certificate (for example, expiry notices) +- If you are installing an alpha version, Helm requires adding the `--devel` option to the command. ``` helm install rancher rancher-/rancher \ @@ -163,6 +165,7 @@ Create Kubernetes secrets from your own certificates for Rancher to use. - Set `hostname` and set `ingress.tls.source` to `secret`. - If you are using a Private CA signed certificate , add `--set privateCA=true` to the command shown below. +- If you are installing an alpha version, Helm requires adding the `--devel` option to the command. ``` helm install rancher rancher-/rancher \ diff --git a/content/rancher/v2.x/en/installation/options/feature-flags/_index.md b/content/rancher/v2.x/en/installation/options/feature-flags/_index.md index 655598c04a5..75e2fb89fc9 100644 
--- a/content/rancher/v2.x/en/installation/options/feature-flags/_index.md +++ b/content/rancher/v2.x/en/installation/options/feature-flags/_index.md @@ -56,6 +56,8 @@ helm install rancher-latest/rancher \ --set 'extraEnv[0].value==true,=true' # Available as of v2.3.0 ``` +Note: If you are installing an alpha version, Helm requires adding the `--devel` option to the command. + ### Rendering the Helm Chart for Air Gap Installations For an air gap installation of Rancher, you need to add a Helm chart repository and render a Helm template before installing Rancher with Helm. For details, refer to the [air gap installation documentation.]({{}}/rancher/v2.x/en/installation/other-installation-methods/air-gap/install-rancher) diff --git a/content/rancher/v2.x/en/installation/options/helm2/helm-rancher/_index.md b/content/rancher/v2.x/en/installation/options/helm2/helm-rancher/_index.md index 544f21c6054..239ed927a3b 100644 --- a/content/rancher/v2.x/en/installation/options/helm2/helm-rancher/_index.md +++ b/content/rancher/v2.x/en/installation/options/helm2/helm-rancher/_index.md @@ -105,6 +105,7 @@ If the ‘webhook’ pod (2nd line) is in a ContainerCreating state, it may stil The default is for Rancher to generate a CA and uses `cert-manager` to issue the certificate for access to the Rancher server interface. Because `rancher` is the default option for `ingress.tls.source`, we are not specifying `ingress.tls.source` when running the `helm install` command. - Set the `hostname` to the DNS name you pointed at your load balancer. +- If you are installing an alpha version, Helm requires adding the `--devel` option to the command. ``` helm install rancher-/rancher \ 
@@ -128,6 +129,7 @@ deployment "rancher" successfully rolled out This option uses `cert-manager` to automatically request and renew [Let's Encrypt](https://letsencrypt.org/) certificates. This is a free service that provides you with a valid certificate as Let's Encrypt is a trusted CA. This configuration uses HTTP validation (`HTTP-01`) so the load balancer must have a public DNS record and be accessible from the internet. - Set `hostname` to the public DNS record, set `ingress.tls.source` to `letsEncrypt` and `letsEncrypt.email` to the email address used for communication about your certificate (for example, expiry notices) +- If you are installing an alpha version, Helm requires adding the `--devel` option to the command. ``` helm install rancher-/rancher \ @@ -155,6 +157,7 @@ Create Kubernetes secrets from your own certificates for Rancher to use. - Set `hostname` and set `ingress.tls.source` to `secret`. - If you are using a Private CA signed certificate , add `--set privateCA=true` to the command shown below. +- If you are installing an alpha version, Helm requires adding the `--devel` option to the command. ``` helm install rancher-/rancher \ From 6c494d553ca9cd69cd0a2089573a1a849ebe9740 Mon Sep 17 00:00:00 2001 From: Nelson Roberts Date: Fri, 13 Mar 2020 09:50:26 -0700 Subject: [PATCH 022/183] updates to benchmark-2.3, hardening-2.3.5 --- .../v2.x/en/security/benchmark-2.3/_index.md | 37 ++++--------------- .../en/security/hardening-2.3.5/_index.md | 1 - 2 files changed, 8 insertions(+), 30 deletions(-) diff --git a/content/rancher/v2.x/en/security/benchmark-2.3/_index.md b/content/rancher/v2.x/en/security/benchmark-2.3/_index.md index 74ff4c693a1..95051435f76 100644 --- a/content/rancher/v2.x/en/security/benchmark-2.3/_index.md +++ b/content/rancher/v2.x/en/security/benchmark-2.3/_index.md 
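Review bot: the bullet added to each install section in PATCH 021 says Helm requires `--devel` for alpha versions, but none of the `helm install` examples beneath the bullets shows where the flag goes; add it to an example or give the full command once, and say in a few words what the flag does. In feature-flags/_index.md the same text is added as a bare "Note:" paragraph after the code block, unlike the `>**Note**` callouts used elsewhere in these docs.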
@@ -34,7 +34,6 @@ When performing the tests, you will need access to the Docker command line on th The following scored controls do not currently pass, and Rancher Labs is working towards addressing these through future enhancements to the product. - 1.1.21 - Ensure that the `--kubelet-certificate-authority` argument is set as appropriate (Scored) -- 2.1.8 - Ensure that the `--hostname-override` argument is not set (Scored) ### Controls @@ -148,7 +147,7 @@ docker inspect kube-apiserver | jq -e '.[0].Args[] | match("--profiling=false"). **Note:** This deprecated flag was removed in 1.14, so it cannot be set. -**Result:** Pass +**Result:** Not Applicable #### 1.1.10 - Ensure that the admission control plugin `AlwaysAdmit` is not set (Scored) @@ -756,17 +755,9 @@ docker inspect kube-controller-manager | jq -e '.[0].Args[] | match("--root-ca-f **Notes** -RKE does not yet support certificate rotation. This feature is due for the 0.1.12 release of RKE. +RKE handles certificate rotation through an external process. -**Audit** - -``` bash -docker inspect kube-controller-manager | jq -e '.[0].Args[] | match("--feature-gates=.*(RotateKubeletServerCertificate=true).*").captures[].string' -``` - -**Returned Value:** `RotateKubeletServerCertificate=true` - -**Result:** Pass +**Result:** Not Applicable #### 1.3.7 - Ensure that the `--address` argument is set to 127.0.0.1 (Scored) @@ -1509,15 +1500,7 @@ docker inspect kubelet | jq -e '.[0].Args[] | match("--make-iptables-util-chains **Notes** This is used by most cloud providers. Not setting this is not practical in most cases. -**Audit** - -``` bash -docker inspect kubelet | jq -e '.[0].Args[] | match("--hostname-override=.*").string' -``` - -**Returned Value:** `--hostname-override=` - -**Result:** Fail +**Result:** Not Applicable #### 2.1.9 - Ensure that the `--event-qps` argument is set to `0` (Scored) 
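Review bot: In the 2.1.8 hunk the audit command and its returned value are deleted and the result goes from Fail to Not Applicable, while the control is still listed as Scored and the only justification left is the existing note that the flag "is used by most cloud providers". A flag that is set and that the benchmark checks reads as an accepted deviation rather than a control that does not apply. Suggest keeping the `docker inspect kubelet` audit so readers can confirm what RKE sets, and stating in the Notes why `--hostname-override` is needed, so the new result can be verified from the page.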
@@ -1581,19 +1564,15 @@ docker inspect kubelet | jq -e '.[0].Args[] | match("--rotate-certificates=true" **Returned Value:** `null` -**Result:** Pass (Not Applicable) +**Result:** Not Applicable #### 2.1.13 - Ensure that the `RotateKubeletServerCertificate` argument is set to `true` (Scored) -**Audit** +**Notes** -``` bash -docker inspect kubelet | jq -e '.[0].Args[] | match("--feature-gates=.*(RotateKubeletServerCertificate=true).*").captures[].string' -``` +RKE handles certificate rotation through an external process. -**Returned Value:** `RotateKubeletServerCertificate=true` - -**Result:** Pass +**Result:** Not Applicable #### 2.1.14 - Ensure that the kubelet only makes use of strong cryptographic ciphers (Not Scored) diff --git a/content/rancher/v2.x/en/security/hardening-2.3.5/_index.md b/content/rancher/v2.x/en/security/hardening-2.3.5/_index.md index 91cb760826f..65532d7465e 100644 --- a/content/rancher/v2.x/en/security/hardening-2.3.5/_index.md +++ b/content/rancher/v2.x/en/security/hardening-2.3.5/_index.md @@ -179,7 +179,6 @@ services: infra_container_image: "" cluster_dns_server: "" fail_swap_on: false - generate_serving_certificate: true kubeproxy: image: "" extra_args: {} From dc816044d7d3f9bc7d309d0171f5f15a96d072a6 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 15 Mar 2020 07:56:50 +0000 Subject: [PATCH 023/183] Bump acorn from 5.7.3 to 5.7.4 Bumps [acorn](https://github.com/acornjs/acorn) from 5.7.3 to 5.7.4. - [Release notes](https://github.com/acornjs/acorn/releases) - [Commits](https://github.com/acornjs/acorn/compare/5.7.3...5.7.4) Signed-off-by: dependabot[bot] --- yarn.lock | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/yarn.lock b/yarn.lock index 9f22028add4..e0a4ab425b0 100644 --- a/yarn.lock +++ b/yarn.lock 
@@ -658,9 +658,9 @@ acorn-walk@^6.0.1: integrity sha512-OtUw6JUTgxA2QoqqmrmQ7F2NYqiBPi/L2jqHyFtllhOUvXYQXf0Z1CYUinIfyT4bTCGmrA7gX9FvHA81uzCoVw== acorn@^5.5.3: - version "5.7.3" - resolved "https://registry.yarnpkg.com/acorn/-/acorn-5.7.3.tgz#67aa231bf8812974b85235a96771eb6bd07ea279" - integrity sha512-T/zvzYRfbVojPWahDsE5evJdHb3oJoQfFbsrKM7w5Zcs++Tr257tia3BmMP8XYVjp1S9RZXQMh7gao96BlqZOw== + version "5.7.4" + resolved "https://registry.yarnpkg.com/acorn/-/acorn-5.7.4.tgz#3e8d8a9947d0599a1796d10225d7432f4a4acf5e" + integrity sha512-1D++VG7BhrtvQpNbBzovKNc1FLGGEE/oGe7b9xJm/RFHMBeUaUGpluV9RLjZa47YFdPcDAenEYuq9pQPcMdLJg== acorn@^6.0.1: version "6.1.0" From f84a543533c13459f166c2e0bbae85efd578d1c3 Mon Sep 17 00:00:00 2001 From: Catherine Luse Date: Mon, 16 Mar 2020 02:05:53 -0700 Subject: [PATCH 024/183] Describe Center for Internet Security --- content/rancher/v2.x/en/security/_index.md | 12 +++++++++--- .../rancher/v2.x/en/security/security-scan/_index.md | 8 ++++++-- 2 files changed, 15 insertions(+), 5 deletions(-) diff --git a/content/rancher/v2.x/en/security/_index.md b/content/rancher/v2.x/en/security/_index.md index 67c99950877..b7a56c2fc96 100644 --- a/content/rancher/v2.x/en/security/_index.md +++ b/content/rancher/v2.x/en/security/_index.md 
@@ -33,13 +33,19 @@ On this page, we provide security-related documentation along with resources to ### Running a CIS Security Scan on a Kubernetes Cluster -_Available as of v2.4.0-alpha1_ +_Available as of v2.4.0-alpha1_ Rancher leverages [kube-bench](https://github.com/aquasecurity/kube-bench) to run a security scan to check whether Kubernetes is deployed according to security best practices as defined in the CIS (Center for Internet Security) Kubernetes Benchmark. -The CIS Kubernetes Benchmark is a reference document that can be used to establish a secure configuration baseline for Kubernetes. The Benchmark provides recommendations of two types: Scored and Not Scored. We run tests related to only Scored recommendations. +The CIS Kubernetes Benchmark is a reference document that can be used to establish a secure configuration baseline for Kubernetes. -When Rancher runs a CIS Security Scan on a cluster, it generates a report showing the results of each test, including a summary with the number of passed, skipped and failed tests. The report also includes remediation steps for any failed tests. +The Center for Internet Security (CIS) is a 501(c)(3) nonprofit organization, formed in October 2000, with a mission is to "identify, develop, validate, promote, and sustain best practice solutions for cyber defense and build and lead communities to enable an environment of trust in cyberspace." + +CIS Benchmarks are best practices for the secure configuration of a target system. CIS Benchmarks are developed through the generous volunteer efforts of subject matter experts, technology vendors, public and private community members, and the CIS Benchmark Development team. + +The Benchmark provides recommendations of two types: Scored and Not Scored. We run tests related to only Scored recommendations. 
+ +When Rancher runs a CIS security scan on a cluster, it generates a report showing the results of each test, including a summary with the number of passed, skipped and failed tests. The report also includes remediation steps for any failed tests. For details, refer to the section on [security scans.]({{}}/rancher/v2.x/en/security/security-scan) diff --git a/content/rancher/v2.x/en/security/security-scan/_index.md b/content/rancher/v2.x/en/security/security-scan/_index.md index f2ba6ebb3bc..4a5e6ebba8d 100644 --- a/content/rancher/v2.x/en/security/security-scan/_index.md +++ b/content/rancher/v2.x/en/security/security-scan/_index.md 
@@ -5,9 +5,13 @@ weight: 1 _Available as of v2.4.0-alpha1_ -Rancher can run a security scan to check whether Kubernetes is deployed according to security best practices as defined in the CIS (Center for Internet Security) Kubernetes Benchmark. +Rancher can run a security scan to check whether Kubernetes is deployed according to security best practices as defined in the CIS Kubernetes Benchmark. -The CIS Kubernetes Benchmark is a reference document that can be used to establish a secure configuration baseline for Kubernetes. The Benchmark provides recommendations of two types: Scored and Not Scored. We run tests related to only Scored recommendations. +The Center for Internet Security (CIS) is a 501(c)(3) nonprofit organization, formed in October 2000, with a mission is to "identify, develop, validate, promote, and sustain best practice solutions for cyber defense and build and lead communities to enable an environment of trust in cyberspace". The organization is headquartered in East Greenbush, New York, with members including large corporations, government agencies, and academic institutions. + +CIS Benchmarks are best practices for the secure configuration of a target system. CIS Benchmarks are developed through the generous volunteer efforts of subject matter experts, technology vendors, public and private community members, and the CIS Benchmark Development team. + +The Benchmark provides recommendations of two types: Scored and Not Scored. We run tests related to only Scored recommendations. When Rancher runs a CIS Security Scan on a cluster, it generates a report showing the results of each test, including a summary with the number of passed, skipped and failed tests. The report also includes remediation steps for any failed tests. From 92011309875b373dae7e68c25ce2389735ce492a Mon Sep 17 00:00:00 2001 
From: Ryan Elliott-Smith Date: Tue, 17 Mar 2020 09:42:10 +1300 Subject: [PATCH 025/183] Add note to keycloak auth about saml metadata creation --- .../en/admin-settings/authentication/keycloak/_index.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/content/rancher/v2.x/en/admin-settings/authentication/keycloak/_index.md b/content/rancher/v2.x/en/admin-settings/authentication/keycloak/_index.md index e7350e6c96d..33a12ff83ca 100644 --- a/content/rancher/v2.x/en/admin-settings/authentication/keycloak/_index.md +++ b/content/rancher/v2.x/en/admin-settings/authentication/keycloak/_index.md @@ -23,6 +23,7 @@ If your organization uses Keycloak Identity Provider (IdP) for user authenticati `Valid Redirect URI` | `https://yourRancherHostURL/v1-saml/keycloak/saml/acs` >1: Optionally, you can enable either one or both of these settings. + >2: Rancher SAML metadata won't be generated until a SAML provider is configured and saved. - Export a `metadata.xml` file from your Keycloak client: From the `Installation` tab, choose the `SAML Metadata IDPSSODescriptor` format option and download your file. @@ -81,6 +82,11 @@ You are correctly redirected to your IdP login page and you are able to enter yo * Check the Rancher debug log. * If the log displays `ERROR: either the Response or Assertion must be signed`, make sure either `Sign Documents` or `Sign assertions` is set to `ON` in your Keycloak client. +### HTTP502 when trying to access /v1-saml/keycloak/saml/metadata + +This is usually due to the metadata not being created until a SAML provider is configured. +Try configuring and saving keycloak as your SAML provider and then accessing the metadata. + ### Keycloak Error: "We're sorry, failed to process response" * Check your Keycloak log. From 8bd6fbe8e09ee02fa52ea83ce0cf777e98dfac4e Mon Sep 17 00:00:00 2001 
From: Ryan Elliott-Smith Date: Tue, 17 Mar 2020 09:45:06 +1300 Subject: [PATCH 026/183] Add note to keycloak auth about saml metadata creation --- .../v2.x/en/admin-settings/authentication/keycloak/_index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/rancher/v2.x/en/admin-settings/authentication/keycloak/_index.md b/content/rancher/v2.x/en/admin-settings/authentication/keycloak/_index.md index 33a12ff83ca..51eef1a1fd9 100644 --- a/content/rancher/v2.x/en/admin-settings/authentication/keycloak/_index.md +++ b/content/rancher/v2.x/en/admin-settings/authentication/keycloak/_index.md @@ -17,7 +17,7 @@ If your organization uses Keycloak Identity Provider (IdP) for user authenticati `Sign Documents` | `ON` 1 `Sign Assertions` | `ON` 1 All other `ON/OFF` Settings | `OFF` - `Client ID` | `https://yourRancherHostURL/v1-saml/keycloak/saml/metadata` + `Client ID` | `https://yourRancherHostURL/v1-saml/keycloak/saml/metadata`2 `Client Name` | (e.g. `rancher`) `Client Protocol` | `SAML` `Valid Redirect URI` | `https://yourRancherHostURL/v1-saml/keycloak/saml/acs` From 4373346bdcbb0fcd143d33b6fff87043076228a5 Mon Sep 17 00:00:00 2001 From: Nelson Roberts Date: Tue, 17 Mar 2020 09:19:10 -0700 Subject: [PATCH 027/183] removed Known Scored Control Failures, updated NetworkPolicy, added to cluster.yml example --- content/rancher/v2.x/en/security/benchmark-2.3/_index.md | 6 ------ content/rancher/v2.x/en/security/hardening-2.3.5/_index.md | 4 ++++ content/rancher/v2.x/en/security/hardening-2.3/_index.md | 1 + 3 files changed, 5 insertions(+), 6 deletions(-) diff --git a/content/rancher/v2.x/en/security/benchmark-2.3/_index.md b/content/rancher/v2.x/en/security/benchmark-2.3/_index.md index 95051435f76..fa11bf78c6b 100644 --- a/content/rancher/v2.x/en/security/benchmark-2.3/_index.md +++ b/content/rancher/v2.x/en/security/benchmark-2.3/_index.md 
@@ -29,12 +29,6 @@ Scoring the commands is different in Rancher Labs than in the CIS Benchmark. Whe When performing the tests, you will need access to the Docker command line on the hosts of all three RKE roles. The commands also make use of the the `jq` command to provide human-readable formatting. -#### Known Scored Control Failures - -The following scored controls do not currently pass, and Rancher Labs is working towards addressing these through future enhancements to the product. - -- 1.1.21 - Ensure that the `--kubelet-certificate-authority` argument is set as appropriate (Scored) - ### Controls --- diff --git a/content/rancher/v2.x/en/security/hardening-2.3.5/_index.md b/content/rancher/v2.x/en/security/hardening-2.3.5/_index.md index 65532d7465e..ef3d4b471bd 100644 --- a/content/rancher/v2.x/en/security/hardening-2.3.5/_index.md +++ b/content/rancher/v2.x/en/security/hardening-2.3.5/_index.md @@ -118,6 +118,10 @@ metadata: name: default-allow-all spec: podSelector: {} + ingress: + - {} + egress: + - {} policyTypes: - Ingress - Egress diff --git a/content/rancher/v2.x/en/security/hardening-2.3/_index.md b/content/rancher/v2.x/en/security/hardening-2.3/_index.md index 3918cbefa70..dfa51e8eb20 100644 --- a/content/rancher/v2.x/en/security/hardening-2.3/_index.md +++ b/content/rancher/v2.x/en/security/hardening-2.3/_index.md @@ -1266,6 +1266,7 @@ services: anonymous-auth: "false" feature-gates: "RotateKubeletServerCertificate=true" tls-cipher-suites: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256" + generate_serving_certificate: true kube-api: pod_security_policy: true extra_args: From e72a0a8c52fb33296d6bdab8796f43aa0afc5509 Mon Sep 17 00:00:00 2001 
From: Nelson Roberts Date: Tue, 17 Mar 2020 09:53:51 -0700 Subject: [PATCH 028/183] replace Pass (Not Applicable) with Not Applicable --- .../v2.x/en/security/benchmark-2.3/_index.md | 28 +++++++++---------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/content/rancher/v2.x/en/security/benchmark-2.3/_index.md b/content/rancher/v2.x/en/security/benchmark-2.3/_index.md index fa11bf78c6b..cdec02df08b 100644 --- a/content/rancher/v2.x/en/security/benchmark-2.3/_index.md +++ b/content/rancher/v2.x/en/security/benchmark-2.3/_index.md @@ -773,7 +773,7 @@ docker inspect kube-controller-manager | jq -e '.[0].Args[] | match("--address=1 RKE doesn't require or maintain a configuration file for kube-apiserver. All configuration is passed in as arguments at container run time. -**Result:** Pass (Not Applicable) +**Result:** Not Applicable #### 1.4.2 - Ensure that the API server pod specification file ownership is set to `root:root` (Scored) @@ -781,7 +781,7 @@ RKE doesn't require or maintain a configuration file for kube-apiserver. All con RKE doesn't require or maintain a configuration file for kube-apiserver. All configuration is passed in as arguments at container run time. -**Result:** Pass (Not Applicable) +**Result:** Not Applicable #### 1.4.3 - Ensure that the controller manager pod specification file permissions are set to `644` or more restrictive (Scored) @@ -789,7 +789,7 @@ RKE doesn't require or maintain a configuration file for kube-apiserver. All con RKE doesn't require or maintain a configuration file for `kube-controller-manager`. All configuration is passed in as arguments at container run time. -**Result:** Pass (Not Applicable) +**Result:** Not Applicable #### 1.4.4 - Ensure that the controller manager pod specification file ownership is set to `root:root` (Scored) 
@@ -797,7 +797,7 @@ RKE doesn't require or maintain a configuration file for `kube-controller-manage RKE doesn't require or maintain a configuration file for `kube-controller-manager`. All configuration is passed in as arguments at container run time. -**Result:** Pass (Not Applicable) +**Result:** Not Applicable #### 1.4.5 - Ensure that the scheduler pod specification file permissions are set to `644` or more restrictive (Scored) @@ -805,7 +805,7 @@ RKE doesn't require or maintain a configuration file for `kube-controller-manage RKE doesn't require or maintain a configuration file for `kube-scheduler`. All configuration is passed in as arguments at container run time. -**Result:** Pass (Not Applicable) +**Result:** Not Applicable #### 1.4.6 - Ensure that the scheduler pod specification file ownership is set to `root:root` (Scored) @@ -813,7 +813,7 @@ RKE doesn't require or maintain a configuration file for `kube-scheduler`. All c RKE doesn't require or maintain a configuration file for kube-scheduler. All configuration is passed in as arguments at container run time. -**Result:** Pass (Not Applicable) +**Result:** Not Applicable #### 1.4.7 - Ensure that the `etcd` pod specification file permissions are set to `644` or more restrictive (Scored) @@ -821,7 +821,7 @@ RKE doesn't require or maintain a configuration file for kube-scheduler. All con RKE doesn't require or maintain a configuration file for etcd. All configuration is passed in as arguments at container run time. -**Result:** Pass (Not Applicable) +**Result:** Not Applicable #### 1.4.8 - Ensure that the `etcd` pod specification file ownership is set to `root:root` (Scored) 
@@ -829,7 +829,7 @@ RKE doesn't require or maintain a configuration file for etcd. All configuration RKE doesn't require or maintain a configuration file for etcd. All configuration is passed in as arguments at container run time. -**Result:** Pass (Not Applicable) +**Result:** Not Applicable #### 1.4.9 - Ensure that the Container Network Interface file permissions are set to `644` or more restrictive (Not Scored) @@ -950,7 +950,7 @@ stat -c %U:%G /var/lib/rancher/etcd RKE does not store the kubernetes default kubeconfig credentials file on the nodes. It's presented to user where RKE is run. We recommend that this kube_config_cluster.yml file be kept in secure store. -**Result:** Pass (Not Applicable) +**Result:** Not Applicable #### 1.4.14 - Ensure that ownership of `admin.conf` is set to `root:root` (Scored) @@ -958,7 +958,7 @@ RKE does not store the kubernetes default kubeconfig credentials file on the nod RKE does not store the default `kubectl` config credentials file on the nodes. It presents credentials to the user when `rke` is first run, and only on the device where the user ran the command. Rancher Labs recommends that this `kube_config_cluster.yml` file be kept in secure store. -**Result:** Pass (Not Applicable) +**Result:** Not Applicable #### 1.4.15 - Ensure that the file permissions for `scheduler.conf` are set to `644` or more restrictive (Scored) @@ -1692,7 +1692,7 @@ stat -c %U:%G /etc/kubernetes/ssl/kubecfg-kube-node.yaml RKE doesn't require or maintain a configuration file for kubelet. All configuration is passed in as arguments at container run time. -**Result:** Pass (Not Applicable) +**Result:** Not Applicable #### 2.2.4 - Ensure that the kubelet service file ownership is set to `root:root` (Scored) 
@@ -1701,7 +1701,7 @@ RKE doesn't require or maintain a configuration file for kubelet. All configurat RKE doesn't require or maintain a configuration file for kubelet. All configuration is passed in as arguments at container run time. -**Result:** Pass (Not Applicable) +**Result:** Not Applicable #### 2.2.5 - Ensure that the proxy kubeconfig file permissions are set to `644` or more restrictive (Scored) @@ -1757,7 +1757,7 @@ stat -c %U:%G /etc/kubernetes/ssl/kube-ca.pem RKE doesn't require or maintain a configuration file for kubelet. All configuration is passed in as arguments at container run time. -**Result:** Pass (Not Applicable) +**Result:** Not Applicable #### 2.2.10 - Ensure that the kubelet configuration file permissions are set to `644` or more restrictive (Scored) @@ -1765,4 +1765,4 @@ RKE doesn't require or maintain a configuration file for kubelet. All configurat RKE doesn't require or maintain a configuration file for kubelet. All configuration is passed in as arguments at container run time. -**Result:** Pass (Not Applicable) +**Result:** Not Applicable From 2f4701ba586cf2214949080e0b23b4df7db420b0 Mon Sep 17 00:00:00 2001 From: Nelson Roberts Date: Tue, 17 Mar 2020 10:02:57 -0700 Subject: [PATCH 029/183] update result for 1.1.21 --- content/rancher/v2.x/en/security/benchmark-2.3/_index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/rancher/v2.x/en/security/benchmark-2.3/_index.md b/content/rancher/v2.x/en/security/benchmark-2.3/_index.md index cdec02df08b..f383707019f 100644 --- a/content/rancher/v2.x/en/security/benchmark-2.3/_index.md +++ b/content/rancher/v2.x/en/security/benchmark-2.3/_index.md @@ -319,7 +319,7 @@ docker inspect kube-apiserver | jq -e '.[0].Args[] | match("--kubelet-certificat **Returned Value:** none -**Result:** Fail (See Mitigation) +**Result:** Pass #### 1.1.22 - Ensure that the `--kubelet-client-certificate` and `--kubelet-client-key` arguments are set as appropriate (Scored) 
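Review bot: The 1.1.21 result changes from "Fail (See Mitigation)" to "Pass" while the context line directly above it still reads `**Returned Value:** none`, so the page now reports a pass for an audit that finds no `--kubelet-certificate-authority` argument. Either update the audit and returned value to show the argument being set, or add a note to the control explaining what makes an empty result a pass. Also check whether the mitigation text the old result pointed to is still referenced anywhere.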
From 65663a64bcb5d0bd093aaf5737de60f5d2b2ddd4 Mon Sep 17 00:00:00 2001 From: Catherine Luse Date: Tue, 17 Mar 2020 10:48:23 -0700 Subject: [PATCH 030/183] Quickstart clarification --- .../en/quick-start-guide/deployment/google-gcp-qs/_index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/rancher/v2.x/en/quick-start-guide/deployment/google-gcp-qs/_index.md b/content/rancher/v2.x/en/quick-start-guide/deployment/google-gcp-qs/_index.md index 7e5df527735..76c83050fae 100644 --- a/content/rancher/v2.x/en/quick-start-guide/deployment/google-gcp-qs/_index.md +++ b/content/rancher/v2.x/en/quick-start-guide/deployment/google-gcp-qs/_index.md @@ -3,7 +3,7 @@ title: Rancher GCP Quick Start Guide description: Read this step by step Rancher GCP guide to quickly deploy a Rancher Server with a single node cluster attached. weight: 100 --- -The following steps will quickly deploy a Rancher Server on GCP with a single node cluster attached. +The following steps will quickly deploy a Rancher server on GCP in a single-node RKE Kubernetes cluster, with a single-node downstream Kubernetes cluster attached. ## Prerequisites From 465fe62305d9bd91cbc48d2e8c6093c1054ccd7a Mon Sep 17 00:00:00 2001 From: Catherine Luse Date: Tue, 17 Mar 2020 13:00:17 -0700 Subject: [PATCH 031/183] Minor clarification --- .../quick-start-guide/deployment/microsoft-azure-qs/_index.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/content/rancher/v2.x/en/quick-start-guide/deployment/microsoft-azure-qs/_index.md b/content/rancher/v2.x/en/quick-start-guide/deployment/microsoft-azure-qs/_index.md index 4ac5882d04b..dffe9a9531b 100644 --- a/content/rancher/v2.x/en/quick-start-guide/deployment/microsoft-azure-qs/_index.md +++ b/content/rancher/v2.x/en/quick-start-guide/deployment/microsoft-azure-qs/_index.md 
@@ -3,7 +3,8 @@ title: Rancher Azure Quick Start Guide description: Read this step by step Rancher Azure guide to quickly deploy a Rancher Server with a single node cluster attached. weight: 100 --- -The following steps will quickly deploy a Rancher Server on Azure with a single node cluster attached. + +The following steps will quickly deploy a Rancher server on Azure in a single-node RKE Kubernetes cluster, with a single-node downstream Kubernetes cluster attached. ## Prerequisites From 3a7e151a7f1b89e050012260de9c47936066a742 Mon Sep 17 00:00:00 2001 From: Nelson Roberts Date: Tue, 17 Mar 2020 13:01:25 -0700 Subject: [PATCH 032/183] updates to PDF converter scripts --- scripts/converters/Dockerfile | 5 +++-- scripts/converters/css/style-portrait.css | 17 ++++++++++++----- scripts/converters/templates/default.html | 3 +++ 3 files changed, 18 insertions(+), 7 deletions(-) diff --git a/scripts/converters/Dockerfile b/scripts/converters/Dockerfile index 4c907fe4bbc..1a30b8cf809 100644 --- a/scripts/converters/Dockerfile +++ b/scripts/converters/Dockerfile @@ -8,14 +8,15 @@ RUN apt-get autoclean RUN pip3 install WeasyPrint -COPY fonts/ /usr/share/fonts/truetype/ - WORKDIR /doc_tools +COPY fonts/ fonts/ COPY css css/ COPY images images/ COPY templates templates/ COPY headers headers/ COPY scripts scripts/ +RUN ls -la fonts + ENTRYPOINT ["scripts/entrypoint.sh"] diff --git a/scripts/converters/css/style-portrait.css b/scripts/converters/css/style-portrait.css index c07b2789ef1..e6bcd2303ef 100644 --- a/scripts/converters/css/style-portrait.css +++ b/scripts/converters/css/style-portrait.css 
@@ -2,11 +2,18 @@ Theme Name: Linux Academy Study Guide Template 08-14-2019 */ -@font-face {font-family: Poppins;src: url(./fonts/Poppins/Poppins-Regular.ttf);} -@font-face {font-family: Roboto;src: url(./fonts/Roboto/Roboto-Regular.ttf);} -@font-face {font-family: PoppinsExtraLight; src: url(./fonts/Poppins/Poppins-ExtraLight.ttf);} +/* +#@font-face {font-family: Poppins;src: url(fonts/Poppins/Poppins-Regular.ttf);} +@font-face {font-family: Poppins;src: url('https://fonts.googleapis.com/css?family=Poppins&display=swap');} +@font-face {font-family: Roboto;src: url(fonts/truetype/Roboto/Roboto-Regular.ttf);} +@font-face {font-family: PoppinsExtraLight; src: url(fonts/truetype/Poppins/Poppins-ExtraLight.ttf);} +*/ + /* This lighter one is only used as H1, and in the table of contents */ +font-family: 'Poppins', sans-serif; +font-family: 'Roboto', sans-serif; + @page :first { size: portrait; @@ -14,7 +21,7 @@ Theme Name: Linux Academy Study Guide Template 08-14-2019 border-left-style: none; background:none; background: url("../images/rancher-logo-stacked-color.png") no-repeat left; - background-size: 10cm; + background-size: 50cm; background-position: top 1cm left; margin-top:1cm; margin-bottom:1cm; @@ -23,7 +30,7 @@ Theme Name: Linux Academy Study Guide Template 08-14-2019 @top-left { background: #000; color:#fff; - content: "v2.3.4"; + content: "v2.3.5"; height: 1cm; text-align: center; width: 5cm; diff --git a/scripts/converters/templates/default.html b/scripts/converters/templates/default.html index f895d65d169..edfcb20d972 100644 --- a/scripts/converters/templates/default.html +++ b/scripts/converters/templates/default.html @@ -1,6 +1,9 @@ + From e35891a44e69670be9c08f1da7fb71cafc4d51df Mon Sep 17 00:00:00 2001 From: Catherine Luse Date: Tue, 17 Mar 2020 14:15:09 -0700 Subject: [PATCH 033/183] Add space --- .../v2.x/en/admin-settings/authentication/keycloak/_index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/content/rancher/v2.x/en/admin-settings/authentication/keycloak/_index.md b/content/rancher/v2.x/en/admin-settings/authentication/keycloak/_index.md index 51eef1a1fd9..5f38f1ec376 100644 --- a/content/rancher/v2.x/en/admin-settings/authentication/keycloak/_index.md +++ b/content/rancher/v2.x/en/admin-settings/authentication/keycloak/_index.md @@ -82,7 +82,7 @@ You are correctly redirected to your IdP login page and you are able to enter yo * Check the Rancher debug log. * If the log displays `ERROR: either the Response or Assertion must be signed`, make sure either `Sign Documents` or `Sign assertions` is set to `ON` in your Keycloak client. -### HTTP502 when trying to access /v1-saml/keycloak/saml/metadata +### HTTP 502 when trying to access /v1-saml/keycloak/saml/metadata This is usually due to the metadata not being created until a SAML provider is configured. Try configuring and saving keycloak as your SAML provider and then accessing the metadata. From 42b4b52df80dc6cff4fc3094d4d504e6cc4bdf7e Mon Sep 17 00:00:00 2001 From: Catherine Luse Date: Tue, 17 Mar 2020 15:54:55 -0700 Subject: [PATCH 034/183] Clarify private registry step --- .../populate-private-registry/_index.md | 31 ++++++++++++------- 1 file changed, 19 insertions(+), 12 deletions(-) diff --git a/content/rancher/v2.x/en/installation/other-installation-methods/air-gap/populate-private-registry/_index.md b/content/rancher/v2.x/en/installation/other-installation-methods/air-gap/populate-private-registry/_index.md index 99f5c66bef5..4e2dc902c30 100644 --- a/content/rancher/v2.x/en/installation/other-installation-methods/air-gap/populate-private-registry/_index.md +++ b/content/rancher/v2.x/en/installation/other-installation-methods/air-gap/populate-private-registry/_index.md 
@@ -80,21 +80,24 @@ In a Kubernetes Install, if you elect to use the Rancher default self-signed TLS ### D. Populate the private registry -Move the images in the `rancher-images.tar.gz` to your private registry using the scripts to load the images. The `rancher-images.txt` is expected to be on the workstation in the same directory that you are running the `rancher-load-images.sh` script. +Move the images in the `rancher-images.tar.gz` to your private registry using the scripts to load the images. + +The `rancher-images.txt` is expected to be on the workstation in the same directory that you are running the `rancher-load-images.sh` script. The `rancher-images.tar.gz` should also be in the same directory. 1. Log into your private registry if required: - ```plain - docker login - ``` + ```plain + docker login + ``` + 1. Make `rancher-load-images.sh` an executable: - ``` - chmod +x rancher-load-images.sh - ``` + ``` + chmod +x rancher-load-images.sh + ``` 1. Use `rancher-load-images.sh` to extract, tag and push `rancher-images.txt` and `rancher-images.tar.gz` to your private registry: - ```plain - ./rancher-load-images.sh --image-list ./rancher-images.txt --registry - ``` + ```plain + ./rancher-load-images.sh --image-list ./rancher-images.txt --registry + ``` {{% /tab %}} {{% tab "Linux and Windows Clusters" %}} 
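Review bot: The new sentence says `rancher-images.tar.gz` "should also be in the same directory", but step 3 passes only `--image-list`, so nothing in the command shows how the script locates the archive. If the script fails without it, say "must" rather than "should" and state that the archive is looked up in the current directory. The re-indented fences in this list also mix `plain`-tagged and untagged fences; pick one.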
@@ -160,7 +163,9 @@ The workstation must have Docker 18.02+ in order to support manifests, which are ### D. Populate the private registry -Move the images in the `rancher-windows-images.tar.gz` to your private registry using the scripts to load the images. The `rancher-windows-images.txt` is expected to be on the workstation in the same directory that you are running the `rancher-load-images.ps1` script. +Move the images in the `rancher-windows-images.tar.gz` to your private registry using the scripts to load the images. + +The `rancher-windows-images.txt` is expected to be on the workstation in the same directory that you are running the `rancher-load-images.ps1` script. The `rancher-windows-images.tar.gz` should also be in the same directory. 1. Using `powershell`, log into your private registry if required: @@ -247,7 +252,9 @@ The workstation must have Docker 18.02+ in order to support manifests, which are ### D. Populate the private registry -Move the images in the `rancher-images.tar.gz` to your private registry using the `rancher-load-images.sh script` to load the images. The `rancher-images.txt` / `rancher-windows-images.txt` image list is expected to be on the workstation in the same directory that you are running the `rancher-load-images.sh` script. +Move the images in the `rancher-images.tar.gz` to your private registry using the `rancher-load-images.sh script` to load the images. + +The image list, `rancher-images.txt` or `rancher-windows-images.txt`, is expected to be on the workstation in the same directory that you are running the `rancher-load-images.sh` script. The `rancher-images.tar.gz` should also be in the same directory. 1. Log into your private registry if required: From 35e54464b38715486acc001251437109740c0112 Mon Sep 17 00:00:00 2001 
From: Caleb Bron Date: Tue, 10 Mar 2020 14:03:23 -0700 Subject: [PATCH 035/183] Adds notes about PSP being RKE only --- .../v2.x/en/admin-settings/pod-security-policies/_index.md | 2 ++ .../rke-clusters/options/pod-security-policies/_index.md | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/content/rancher/v2.x/en/admin-settings/pod-security-policies/_index.md b/content/rancher/v2.x/en/admin-settings/pod-security-policies/_index.md index 2ff9bd75b55..7e741e0ae1e 100644 --- a/content/rancher/v2.x/en/admin-settings/pod-security-policies/_index.md +++ b/content/rancher/v2.x/en/admin-settings/pod-security-policies/_index.md @@ -9,6 +9,8 @@ aliases: _Pod Security Policies_ (or PSPs) are objects that control security-sensitive aspects of pod specification (like root privileges). If a pod does not meet the conditions specified in the PSP, Kubernetes will not allow it to start, and Rancher will display an error message of `Pod is forbidden: unable to validate...`. +> **Note:** Assigning Pod Security Policies are only available for clusters that are [launched using RKE.]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/) + - You can assign PSPs at the cluster or project level. - PSPs work through inheritance. diff --git a/content/rancher/v2.x/en/cluster-provisioning/rke-clusters/options/pod-security-policies/_index.md b/content/rancher/v2.x/en/cluster-provisioning/rke-clusters/options/pod-security-policies/_index.md index f4567141247..c9680df8478 100644 --- a/content/rancher/v2.x/en/cluster-provisioning/rke-clusters/options/pod-security-policies/_index.md +++ b/content/rancher/v2.x/en/cluster-provisioning/rke-clusters/options/pod-security-policies/_index.md 
@@ -7,7 +7,7 @@ _Pod Security Policies_ are objects that control security-sensitive aspects of p ## Adding a Default Pod Security Policy -When you create a new cluster, you can configure it to apply a PSP immediately. As you create the cluster, use the **Cluster Options** to enable a PSP. The PSP assigned to the cluster will be the default PSP for projects within the cluster. +When you create a new cluster with RKE, you can configure it to apply a PSP immediately. As you create the cluster, use the **Cluster Options** to enable a PSP. The PSP assigned to the cluster will be the default PSP for projects within the cluster. >**Prerequisite:** >Create a Pod Security Policy within Rancher. Before you can assign a default PSP to a new cluster, you must have a PSP available for assignment. For instruction, see [Creating Pod Security Policies]({{< baseurl >}}/rancher/v2.x/en/admin-settings/pod-security-policies/). From f971750cf7472b4c172673d9651b466459d3d75a Mon Sep 17 00:00:00 2001 From: "Stuart P. Bentley" Date: Thu, 19 Mar 2020 11:29:28 -0700 Subject: [PATCH 036/183] Suggest `--with-node-id` for unique node names --- .../en/installation/installation-requirements/_index.md | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/content/k3s/latest/en/installation/installation-requirements/_index.md b/content/k3s/latest/en/installation/installation-requirements/_index.md index a36d5c1f6e1..e2335f785a6 100644 --- a/content/k3s/latest/en/installation/installation-requirements/_index.md +++ b/content/k3s/latest/en/installation/installation-requirements/_index.md 
@@ -9,7 +9,7 @@ Whether you're configuring a K3s cluster to run in a Docker or Kubernetes setup, ## Prerequisites -* Two nodes cannot have the same hostname. If all your nodes have the same hostname, pass `--node-name` or set `$K3S_NODE_NAME` with a unique name for each node you add to the cluster. +* Two nodes cannot have the same hostname. If all your nodes have the same hostname, use the `--with-node-id` option to append a random suffix for each node, or otherwise devise a unique name to pass with `--node-name` or `$K3S_NODE_NAME` for each node you add to the cluster. ## Operating Systems @@ -43,6 +43,7 @@ If you wish to utilize the metrics server, you will need to open port 10250 on e ## Large Clusters Hardware requirements are based on the size of your K3s cluster. For production and large clusters, we recommend using a high-availability setup with an external database. The following options are recommended for the external database in production: + - MySQL - PostgreSQL - etcd @@ -65,6 +66,4 @@ The cluster performance depends on database performance. To ensure optimal speed ### Network -You should consider increasing the subnet size for the cluster CIDR so that you don't run out of IPs for the pods. You can do that by passing the `--cluster-cidr` option to K3s server upon starting. - - +You should consider increasing the subnet size for the cluster CIDR so that you don't run out of IPs for the pods. You can do that by passing the `--cluster-cidr` option to K3s server upon starting. From 879b719e6e3bbe0bfaf6b2dd66ef3ed079209363 Mon Sep 17 00:00:00 2001 From: "Stuart P. Bentley" Date: Thu, 19 Mar 2020 11:46:25 -0700 Subject: [PATCH 037/183] Fix dead links to node-requirements.md --- content/k3s/latest/en/installation/_index.md | 3 +-- content/k3s/latest/en/installation/ha/_index.md | 10 +++++++--- content/k3s/latest/en/networking/_index.md | 7 ++++--- 3 files changed, 12 insertions(+), 8 deletions(-) 
diff --git a/content/k3s/latest/en/installation/_index.md b/content/k3s/latest/en/installation/_index.md index 3a6fb03fa7f..68c2d7ffa8b 100644 --- a/content/k3s/latest/en/installation/_index.md +++ b/content/k3s/latest/en/installation/_index.md @@ -3,11 +3,10 @@ title: "Installation" weight: 20 --- -This section contains instructions for installing K3s in various environments. Please ensure you have met the [Node Requirements]({{< baseurl >}}/k3s/latest/en/installation/node-requirements/) before you begin installing K3s. +This section contains instructions for installing K3s in various environments. Please ensure you have met the [Installation Requirements]({{< baseurl >}}/k3s/latest/en/installation/installation-requirements/) before you begin installing K3s. [Installation and Configuration Options]({{< baseurl >}}/k3s/latest/en/installation/install-options/) provides guidance on the options available to you when installing K3s. - [High Availability with an External DB]({{< baseurl >}}/k3s/latest/en/installation/ha/) details how to set up an HA K3s cluster backed by an external datastore such as MySQL, PostgreSQL, or etcd. [High Availability with Embedded DB (Experimental)]({{< baseurl >}}/k3s/latest/en/installation/ha-embedded/) details how to set up an HA K3s cluster that leverages a built-in distributed database. diff --git a/content/k3s/latest/en/installation/ha/_index.md b/content/k3s/latest/en/installation/ha/_index.md index adea8ad1938..eb945f74a51 100644 --- a/content/k3s/latest/en/installation/ha/_index.md +++ b/content/k3s/latest/en/installation/ha/_index.md @@ -3,7 +3,7 @@ title: High Availability with an External DB weight: 30 --- ->**Note:** Official support for installing Rancher on a Kubernetes cluster was introduced in our v1.0.0 release. +> **Note:** Official support for installing Rancher on a Kubernetes cluster was introduced in our v1.0.0 release. This section describes how to install a high-availability K3s cluster with an external database. 
@@ -28,10 +28,12 @@ Setting up an HA cluster requires the following steps: 4. [Join agent nodes](#4-optional-join-agent-nodes) ### 1. Create an External Datastore + You will first need to create an external datastore for the cluster. See the [Cluster Datastore Options]({{< baseurl >}}/k3s/latest/en/installation/datastore/) documentation for more details. ### 2. Launch Server Nodes -K3s requires two or more server nodes for this HA configuration. See the [Node Requirements]({{< baseurl >}}/k3s/latest/en/installation/node-requirements/) guide for minimum machine requirements. + +K3s requires two or more server nodes for this HA configuration. See the [Installation Requirements]({{< baseurl >}}/k3s/latest/en/installation/installation-requirements/) for minimum machine requirements. When running the `k3s server` command on these nodes, you must set the `datastore-endpoint` parameter so that K3s knows how to connect to the external datastore. 
@@ -50,9 +52,10 @@ To configure TLS certificates when launching server nodes, refer to the [datasto By default, server nodes will be schedulable and thus your workloads can get launched on them. If you wish to have a dedicated control plane where no user workloads will run, you can use taints. The `node-taint` parameter will allow you to configure nodes with taints, for example `--node-taint k3s-controlplane=true:NoExecute`. -Once you've launched the `k3s server` process on all server nodes, ensure that the cluster has come up properly with `k3s kubectl get nodes`. You should see your server nodes in the Ready state. +Once you've launched the `k3s server` process on all server nodes, ensure that the cluster has come up properly with `k3s kubectl get nodes`. You should see your server nodes in the Ready state. ### 3. Configure the Fixed Registration Address + Agent nodes need a URL to register against. This can be the IP or hostname of any of the server nodes, but in many cases those may change over time. For example, if you are running your cluster in a cloud that supports scaling groups, you may scale the server node group up and down over time, causing nodes to be created and destroyed and thus having different IPs from the initial set of server nodes. Therefore, you should have a stable endpoint in front of the server nodes that will not change over time. This endpoint can be set up using any number approaches, such as: * A layer-4 (TCP) load balancer 
@@ -66,6 +69,7 @@ This endpoint can also be used for accessing the Kubernetes API. So you can, for Because K3s server nodes are schedulable by default, the minimum number of nodes for an HA K3s server cluster is two server nodes and zero agent nodes. To add nodes designated to run your apps and services, join agent nodes to your cluster. Joining agent nodes in an HA cluster is the same as joining agent nodes in a single server cluster. You just need to specify the URL the agent should register to and the token it should use. + ``` K3S_TOKEN=SECRET k3s agent --server https://fixed-registration-address:6443 ``` diff --git a/content/k3s/latest/en/networking/_index.md b/content/k3s/latest/en/networking/_index.md index d4f780d8dc5..3f1214fb555 100644 --- a/content/k3s/latest/en/networking/_index.md +++ b/content/k3s/latest/en/networking/_index.md @@ -3,11 +3,12 @@ title: "Networking" weight: 35 --- ->**Note:** CNI options are covered in detail on the [Installation Network Options]({{< baseurl >}}/k3s/latest/en/installation/network-options/) page. Please reference that page for details on Flannel and the various flannel backend options or how to set up your own CNI. +> **Note:** CNI options are covered in detail on the [Installation Network Options]({{< baseurl >}}/k3s/latest/en/installation/network-options/) page. Please reference that page for details on Flannel and the various flannel backend options or how to set up your own CNI. Open Ports ---------- -Please reference the [Node Requirements]({{< baseurl >}}/k3s/latest/en/installation/node-requirements/#networking) page for port information. + +Please reference the [Installation Requirements]({{< baseurl >}}/k3s/latest/en/installation/installation-requirements/#networking) page for port information. CoreDNS ------- 
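Review bot: The rewritten Open Ports link in content/k3s/latest/en/networking/_index.md keeps the `#networking` fragment from the old node-requirements URL. Since this commit exists to fix dead links, confirm that installation-requirements/_index.md has a heading that generates that anchor; otherwise the link resolves but lands at the top of the page. The blockquote spacing and blank-line changes in the same hunks are unrelated to the link fix and would be easier to review as a separate commit.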
@@ -34,4 +35,4 @@ Service Load Balancer K3s includes a basic service load balancer that uses available host ports. If you try to create a load balancer that listens on port 80, for example, it will try to find a free host in the cluster for port 80. If no port is available, the load balancer will stay in Pending. -To disable the embedded load balancer, run the server with the `--no-deploy servicelb` option. This is necessary if you wish to run a different load balancer, such as MetalLB. \ No newline at end of file +To disable the embedded load balancer, run the server with the `--no-deploy servicelb` option. This is necessary if you wish to run a different load balancer, such as MetalLB. From b9c861a84f75f510f27a8724decafb6d66712f13 Mon Sep 17 00:00:00 2001 From: David Nuzik Date: Thu, 19 Mar 2020 16:28:56 -0700 Subject: [PATCH 038/183] Add MariaDB to cluster datastore docs - Specifies the version that was certified with Amazon RDS - Updates the Mysql tab in the "Datastore Endpoint Format and Functionality" section to include MariaDB --- content/k3s/latest/en/installation/datastore/_index.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/content/k3s/latest/en/installation/datastore/_index.md b/content/k3s/latest/en/installation/datastore/_index.md index 63ef6baa32b..85bb151781b 100644 --- a/content/k3s/latest/en/installation/datastore/_index.md +++ b/content/k3s/latest/en/installation/datastore/_index.md @@ -14,6 +14,7 @@ K3s supports the following datastore options: * Embedded [SQLite](https://www.sqlite.org/index.html) * [PostgreSQL](https://www.postgresql.org/) (certified against versions 10.7 and 11.5) * [MySQL](https://www.mysql.com/) (certified against version 5.7) +* [MariaDB](https://mariadb.org/) (certified against version 10.3.20) * [etcd](https://etcd.io/) (certified against version 3.3.15) * Embedded [DQLite](https://dqlite.io/) for High Availability (experimental) 
@@ -50,9 +51,9 @@ If you only supply `postgres://` as the endpoint, K3s will attempt to do the fo {{% /tab %}} -{{% tab "MySQL" %}} +{{% tab "MySQL / MariaDB" %}} -In its most common form, the `datastore-endpoint` parameter for MySQL has the following format: +In its most common form, the `datastore-endpoint` parameter for MySQL and MariaDB has the following format: `mysql://username:password@tcp(hostname:3306)/database-name` From 4e44ccd6982f884dc5772c8772200f606a1c5868 Mon Sep 17 00:00:00 2001 From: Dacoda Strack Date: Fri, 20 Mar 2020 20:47:43 -0700 Subject: [PATCH 039/183] reference correct PagerDuty Prometheus integration documentation, fix PagerDuty typo --- .../rancher/v2.x/en/cluster-admin/tools/notifiers/_index.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/content/rancher/v2.x/en/cluster-admin/tools/notifiers/_index.md b/content/rancher/v2.x/en/cluster-admin/tools/notifiers/_index.md index 59a82734bd9..107184659f6 100644 --- a/content/rancher/v2.x/en/cluster-admin/tools/notifiers/_index.md +++ b/content/rancher/v2.x/en/cluster-admin/tools/notifiers/_index.md 
@@ -44,10 +44,10 @@ Set up a notifier so that you can begin configuring and sending alerts. {{% /accordion %}} {{% accordion id="pagerduty" label="PagerDuty" %}} 1. Enter a **Name** for the notifier. -1. From PagerDuty, create a webhook. For instructions, see the [PagerDuty Documentation](https://support.pagerduty.com/docs/webhooks). -1. From PagerDuty, copy the webhook's **Integration Key**. +1. From PagerDuty, create a Prometheus integration. For instructions, see the [PagerDuty Documentation](https://www.pagerduty.com/docs/guides/prometheus-integration-guide/). +1. From PagerDuty, copy the integration's **Integration Key**. 1. From Rancher, enter the key in the **Service Key** field. -1. Click **Test**. If the test is successful, your PagerDuty endpoint outputs `PageDuty setting validated`. +1. Click **Test**. If the test is successful, your PagerDuty endpoint outputs `PagerDuty setting validated`. {{% /accordion %}} {{% accordion id="webhook" label="WebHook" %}} 1. Enter a **Name** for the notifier. From f51ea346313cce991f3d02572c51ce032ca725a9 Mon Sep 17 00:00:00 2001 From: Michael Foley Date: Mon, 23 Mar 2020 09:20:55 -0400 Subject: [PATCH 040/183] Resolves #2370 - legacy iptables for Raspbian Buster k3s networking requires legacy iptables. Update documentation with instructions to configure this for Raspbian Buster --- content/k3s/latest/en/advanced/_index.md | 11 +++++++++++ .../installation/installation-requirements/_index.md | 6 ++++-- 2 files changed, 15 insertions(+), 2 deletions(-) diff --git a/content/k3s/latest/en/advanced/_index.md b/content/k3s/latest/en/advanced/_index.md index a7b3a4262e0..20a0367ec8e 100644 --- a/content/k3s/latest/en/advanced/_index.md +++ b/content/k3s/latest/en/advanced/_index.md 
@@ -15,6 +15,7 @@ This section contains advanced information describing the different ways you can - [Starting the server with the installation script](#starting-the-server-with-the-installation-script) - [Additional preparation for Alpine Linux setup](#additional-preparation-for-alpine-linux-setup) - [Running K3d (K3s in Docker) and docker-compose](#running-k3d-k3s-in-docker-and-docker-compose) +- [Raspbian Buster - Enable legacy iptables](#raspbian-buster---enable-legacy-iptables) # Auto-Deploying Manifests @@ -162,3 +163,13 @@ Alternatively the `docker run` command can also be used: -e K3S_TOKEN=${NODE_TOKEN} \ --privileged rancher/k3s:vX.Y.Z + +# Raspbian Buster - enable legacy iptables + +Raspbian Buster defaults to using `nftables` instead of `iptables`. **K3S** networking features require `iptables` and do not work with `nftables`. Follow the steps below to switch configure **Buster** to use `legacy iptables`: +``` +sudo iptables -F +sudo update-alternatives --set iptables /usr/sbin/iptables-legacy +sudo update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy +sudo reboot +``` \ No newline at end of file diff --git a/content/k3s/latest/en/installation/installation-requirements/_index.md b/content/k3s/latest/en/installation/installation-requirements/_index.md index e2335f785a6..58ddcb2cd11 100644 --- a/content/k3s/latest/en/installation/installation-requirements/_index.md +++ b/content/k3s/latest/en/installation/installation-requirements/_index.md 
@@ -17,9 +17,11 @@ K3s should run on just about any flavor of Linux. However, K3s is tested on the * Ubuntu 16.04 (amd64) * Ubuntu 18.04 (amd64) -* Raspbian Buster (armhf) +* Raspbian Buster (armhf) **NOTE: requires legacy iptables. See Note below. + +> * If you are using **Raspbian Buster**, follow [these steps]({{}}/k3s/latest/en/advanced/#raspbian-buster---enable-legacy-iptables) to switch to legacy iptables. +> * If you are using **Alpine Linux**, follow [these steps]({{}}/k3s/latest/en/advanced/#additional-preparation-for-alpine-linux-setup) for additional setup. -> If you are using Alpine Linux, follow [these steps]({{}}/k3s/latest/en/advanced/#additional-preparation-for-alpine-linux-setup) for additional setup. ## Hardware From a364c2c1db2a924476d3bfc5bfbebbb2aa102c75 Mon Sep 17 00:00:00 2001 From: Serhii Trykoza <7215259+strikoza@users.noreply.github.com> Date: Mon, 23 Mar 2020 16:58:14 +0200 Subject: [PATCH 041/183] typo --- .../v2.x/en/installation/k8s-install/kubernetes-rke/_index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/rancher/v2.x/en/installation/k8s-install/kubernetes-rke/_index.md b/content/rancher/v2.x/en/installation/k8s-install/kubernetes-rke/_index.md index 5ba0ca0240d..d629d12fd2d 100644 --- a/content/rancher/v2.x/en/installation/k8s-install/kubernetes-rke/_index.md +++ b/content/rancher/v2.x/en/installation/k8s-install/kubernetes-rke/_index.md 
@@ -13,7 +13,7 @@ For systems without direct internet access, refer to [Air Gap: Kubernetes instal > **Single-node Installation Tip:** > In a single-node Kubernetes cluster, the Rancher server does not have high availability, which is important for running Rancher in production. However, installing Rancher on a single-node cluster can be useful if you want to save resources by using a single node in the short term, while preserving a high-availability migration path. > -> To set up a single-node cluster, configure only one node in the `cluster.yml` when provisioning the cluster with RKE. The single node should have all three roles: `etcd`, `controlplane`, and `worker`. Then Rancher can be installed with Helm on the cluster in the same way that it would be installed on any other cluster. +> To set up a single-node cluster, configure only one node in the `cluster.yml` when provisioning the cluster with RKE. The single node should have all three roles: `etcd`, `controlplane` and `worker`. Then Rancher can be installed with Helm on the cluster in the same way that it would be installed on any other cluster. ### Create the `rancher-cluster.yml` File From a8277e70669d701f2cd38c99d668b92a27994b68 Mon Sep 17 00:00:00 2001 From: David Nuzik Date: Mon, 23 Mar 2020 09:34:19 -0700 Subject: [PATCH 042/183] Fix formatting of registry.yaml example in airgap docs - Resolves issue outlined in this comment: https://github.com/rancher/k3s/issues/1121#issuecomment-581852683 - Closes https://github.com/rancher/k3s/issues/1121 --- content/k3s/latest/en/installation/airgap/_index.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/content/k3s/latest/en/installation/airgap/_index.md b/content/k3s/latest/en/installation/airgap/_index.md index 66564948a5d..dbfe7a38898 100644 --- a/content/k3s/latest/en/installation/airgap/_index.md +++ b/content/k3s/latest/en/installation/airgap/_index.md 
@@ -28,11 +28,11 @@ The registries.yaml file should look like this before plugging in the necessary ``` --- mirrors: - customreg: + "mycustomreg.com:5000": endpoint: - - "https://ip-to-server:5000" + - "https://mycustomreg.com:5000" configs: - customreg: + "mycustomreg:5000": auth: username: xxxxxx # this is the registry username password: xxxxxx # this is the registry password From 055bd2da562185381659696101346109d7f59902 Mon Sep 17 00:00:00 2001 From: Catherine Luse Date: Mon, 23 Mar 2020 10:14:32 -0700 Subject: [PATCH 043/183] Say that important file names are derived from cluster.yml file name --- .../v2.x/en/installation/k8s-install/kubernetes-rke/_index.md | 2 ++ .../options/air-gap-helm2/launch-kubernetes/_index.md | 2 ++ .../v2.x/en/installation/options/helm2/kubernetes-rke/_index.md | 2 ++ .../air-gap/launch-kubernetes/_index.md | 2 ++ content/rancher/v2.x/en/overview/architecture/_index.md | 2 ++ content/rke/latest/en/installation/_index.md | 2 ++ 6 files changed, 12 insertions(+) diff --git a/content/rancher/v2.x/en/installation/k8s-install/kubernetes-rke/_index.md b/content/rancher/v2.x/en/installation/k8s-install/kubernetes-rke/_index.md index 5ba0ca0240d..25c02ae8987 100644 --- a/content/rancher/v2.x/en/installation/k8s-install/kubernetes-rke/_index.md +++ b/content/rancher/v2.x/en/installation/k8s-install/kubernetes-rke/_index.md @@ -137,6 +137,8 @@ Save a copy of the following files in a secure location: - `kube_config_rancher-cluster.yml`: The [Kubeconfig file]({{}}/rke/latest/en/kubeconfig/) for the cluster, this file contains credentials for full access to the cluster. - `rancher-cluster.rkestate`: The [Kubernetes Cluster State file]({{}}/rke/latest/en/installation/#kubernetes-cluster-state), this file contains credentials for full access to the cluster.

_The Kubernetes Cluster State file is only created when using RKE v0.2.0 or higher._ +> **Note:** The "rancher-cluster" parts of the two latter file names are dependent on how you name the RKE cluster configuration file. + ### Issues or errors? See the [Troubleshooting]({{}}/rancher/v2.x/en/installation/options/troubleshooting/) page. diff --git a/content/rancher/v2.x/en/installation/options/air-gap-helm2/launch-kubernetes/_index.md b/content/rancher/v2.x/en/installation/options/air-gap-helm2/launch-kubernetes/_index.md index a231b04df6f..3faa3ac73c7 100644 --- a/content/rancher/v2.x/en/installation/options/air-gap-helm2/launch-kubernetes/_index.md +++ b/content/rancher/v2.x/en/installation/options/air-gap-helm2/launch-kubernetes/_index.md @@ -77,4 +77,6 @@ Save a copy of the following files in a secure location: - `kube_config_rancher-cluster.yml`: The [Kubeconfig file]({{}}/rke/latest/en/kubeconfig/) for the cluster, this file contains credentials for full access to the cluster. - `rancher-cluster.rkestate`: The [Kubernetes Cluster State file]({{}}/rke/latest/en/installation/#kubernetes-cluster-state), this file contains credentials for full access to the cluster.

_The Kubernetes Cluster State file is only created when using RKE v0.2.0 or higher._ +> **Note:** The "rancher-cluster" parts of the two latter file names are dependent on how you name the RKE cluster configuration file. + ### [Next: Install Rancher]({{}}/rancher/v2.x/en/installation/other-installation-methods/air-gap/install-rancher) diff --git a/content/rancher/v2.x/en/installation/options/helm2/kubernetes-rke/_index.md b/content/rancher/v2.x/en/installation/options/helm2/kubernetes-rke/_index.md index a88ad2801d9..10efe3341a3 100644 --- a/content/rancher/v2.x/en/installation/options/helm2/kubernetes-rke/_index.md +++ b/content/rancher/v2.x/en/installation/options/helm2/kubernetes-rke/_index.md @@ -123,6 +123,8 @@ Save a copy of the following files in a secure location: - `kube_config_rancher-cluster.yml`: The [Kubeconfig file]({{}}/rke/latest/en/kubeconfig/) for the cluster, this file contains credentials for full access to the cluster. - `rancher-cluster.rkestate`: The [Kubernetes Cluster State file]({{}}/rke/latest/en/installation/#kubernetes-cluster-state), this file contains credentials for full access to the cluster.

_The Kubernetes Cluster State file is only created when using RKE v0.2.0 or higher._ +> **Note:** The "rancher-cluster" parts of the two latter file names are dependent on how you name the RKE cluster configuration file. + ### Issues or errors? See the [Troubleshooting]({{}}/rancher/v2.x/en/installation/options/helm2/kubernetes-rke/troubleshooting/) page. diff --git a/content/rancher/v2.x/en/installation/other-installation-methods/air-gap/launch-kubernetes/_index.md b/content/rancher/v2.x/en/installation/other-installation-methods/air-gap/launch-kubernetes/_index.md index 36f56180c1a..cdfe47dee61 100644 --- a/content/rancher/v2.x/en/installation/other-installation-methods/air-gap/launch-kubernetes/_index.md +++ b/content/rancher/v2.x/en/installation/other-installation-methods/air-gap/launch-kubernetes/_index.md @@ -77,6 +77,8 @@ Save a copy of the following files in a secure location: - `kube_config_rancher-cluster.yml`: The [Kubeconfig file]({{}}/rke/latest/en/kubeconfig/) for the cluster, this file contains credentials for full access to the cluster. - `rancher-cluster.rkestate`: The [Kubernetes Cluster State file]({{}}/rke/latest/en/installation/#kubernetes-cluster-state), this file contains the current state of the cluster including the RKE configuration and the certificates.

_The Kubernetes Cluster State file is only created when using RKE v0.2.0 or higher._ +> **Note:** The "rancher-cluster" parts of the two latter file names are dependent on how you name the RKE cluster configuration file. + ### Issues or errors? See the [Troubleshooting]({{}}/rancher/v2.x/en/installation/options/troubleshooting/) page. diff --git a/content/rancher/v2.x/en/overview/architecture/_index.md b/content/rancher/v2.x/en/overview/architecture/_index.md index 57ff6e2c673..ffed8139364 100644 --- a/content/rancher/v2.x/en/overview/architecture/_index.md +++ b/content/rancher/v2.x/en/overview/architecture/_index.md @@ -128,6 +128,8 @@ The files mentioned below are needed to maintain, troubleshoot and upgrade your - `kube_config_rancher-cluster.yml`: The Kubeconfig file for the cluster, this file contains credentials for full access to the cluster. You can use this file to authenticate with a Rancher-launched Kubernetes cluster if Rancher goes down. - `rancher-cluster.rkestate`: The Kubernetes cluster state file. This file contains credentials for full access to the cluster. Note: This state file is only created when using RKE v0.2.0 or higher. +> **Note:** The "rancher-cluster" parts of the two latter file names are dependent on how you name the RKE cluster configuration file. + For more information on connecting to a cluster without the Rancher authentication proxy and other configuration options, refer to the [kubeconfig file]({{}}/rancher/v2.x/en/cluster-admin/cluster-access/kubectl/) documentation. # Tools for Provisioning Kubernetes Clusters diff --git a/content/rke/latest/en/installation/_index.md b/content/rke/latest/en/installation/_index.md index aa3745781c5..2017df4c853 100644 --- a/content/rke/latest/en/installation/_index.md +++ b/content/rke/latest/en/installation/_index.md 
@@ -149,6 +149,8 @@ Save a copy of the following files in a secure location: - `kube_config_cluster.yml`: The [Kubeconfig file]({{< baseurl >}}/rke/latest/en/kubeconfig/) for the cluster, this file contains credentials for full access to the cluster. - `cluster.rkestate`: The [Kubernetes Cluster State file](#kubernetes-cluster-state), this file contains credentials for full access to the cluster.

_The Kubernetes Cluster State file is only created when using RKE v0.2.0 or higher._ +> **Note:** The "rancher-cluster" parts of the two latter file names are dependent on how you name the RKE cluster configuration file. + ### Kubernetes Cluster State The Kubernetes cluster state, which consists of the cluster configuration file `cluster.yml` and components certificates in Kubernetes cluster, is saved by RKE, but depending on your RKE version, the cluster state is saved differently. From 8777abb2c0d1fe51bef71f9b2c75764ae59a3651 Mon Sep 17 00:00:00 2001 From: Catherine Luse Date: Mon, 23 Mar 2020 11:09:13 -0700 Subject: [PATCH 044/183] Clarify lack of project scoped access with kubectl --- .../cluster-admin/projects-and-namespaces/_index.md | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/content/rancher/v2.x/en/cluster-admin/projects-and-namespaces/_index.md b/content/rancher/v2.x/en/cluster-admin/projects-and-namespaces/_index.md index bf9c640651b..4dbae5210ec 100644 --- a/content/rancher/v2.x/en/cluster-admin/projects-and-namespaces/_index.md +++ b/content/rancher/v2.x/en/cluster-admin/projects-and-namespaces/_index.md 
@@ -50,10 +50,18 @@ You can assign the following resources directly to namespaces: To manage permissions in a vanilla Kubernetes cluster, cluster admins configure role-based access policies for each namespace. With Rancher, user permissions are assigned on the project level instead, and permissions are automatically inherited by any namespace owned by the particular project. -> **Note:** If you create a namespace with `kubectl`, it may be unusable because `kubectl` doesn't require your new namespace to be scoped within a project that you have access to. If your permissions are restricted to the project level, it is better to [create a namespace through Rancher]({{}}/rancher/v2.x/en/project-admin/namespaces/#creating-namespaces) to ensure that you will have permission to access the namespace. - For more information on creating and moving namespaces, see [Namespaces]({{}}/rancher/v2.x/en/project-admin/namespaces/). +### Role-based access control issues with namespaces and kubectl + +Because projects are a concept introduced by Rancher, kubectl does not have the capability to restrict the creation of namespaces to a project the creator has access to. + +This means that when standard users with project-scoped permissions create a namespaces with `kubectl`, it may be unusable because `kubectl` doesn't require the new namespace to be scoped within a certain project. + +If your permissions are restricted to the project level, it is better to [create a namespace through Rancher]({{}}/rancher/v2.x/en/project-admin/namespaces/#creating-namespaces) to ensure that you will have permission to access the namespace. + +If a standard user is a project owner, the user will be able to create namespaces within that project. The Rancher UI will prevent that user from creating namespaces outside the scope of the projects they have access to. + # About Projects In terms of hierarchy: From 4c07572dd931e0308e2809ec2065e819874b554c Mon Sep 17 00:00:00 2001 
From: Nelson Roberts Date: Mon, 23 Mar 2020 16:55:03 -0700 Subject: [PATCH 045/183] document update per: https://github.com/rancher/rancher/issues/26194 --- content/rancher/v2.x/en/security/hardening-2.3.5/_index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/rancher/v2.x/en/security/hardening-2.3.5/_index.md b/content/rancher/v2.x/en/security/hardening-2.3.5/_index.md index ef3d4b471bd..5ba7ccdd14a 100644 --- a/content/rancher/v2.x/en/security/hardening-2.3.5/_index.md +++ b/content/rancher/v2.x/en/security/hardening-2.3.5/_index.md @@ -514,7 +514,7 @@ rancher_kubernetes_engine_config: kind: Group name: system:authenticated --- - apiVersion: extensions/v1beta1 + apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: name: restricted From 3ca137b3d85e024ec97dc0b0fdfe3b8ce3ca4b5b Mon Sep 17 00:00:00 2001 From: galal-hussein Date: Tue, 24 Mar 2020 21:47:10 +0200 Subject: [PATCH 046/183] Add db sizing guide --- .../installation-requirements/_index.md | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/content/k3s/latest/en/installation/installation-requirements/_index.md b/content/k3s/latest/en/installation/installation-requirements/_index.md index e2335f785a6..2cf42d59c06 100644 --- a/content/k3s/latest/en/installation/installation-requirements/_index.md +++ b/content/k3s/latest/en/installation/installation-requirements/_index.md 
@@ -67,3 +67,16 @@ The cluster performance depends on database performance. To ensure optimal speed ### Network You should consider increasing the subnet size for the cluster CIDR so that you don't run out of IPs for the pods. You can do that by passing the `--cluster-cidr` option to K3s server upon starting. + +### Database + +K3s supports different databases including MySQL, PostgreSQL, MariaDB, and etcd, the following is a sizing guide for the database resources you need to run large clusters: + +| Deployment Size | Nodes | VCPUS | RAM | +|:---------------:|:---------:|:-----:|:-----:| +| Small | Up to 10 | 1 | 2 GB | +| Medium | Up to 100 | 2 | 8 GB | +| Large | Up to 250 | 4 | 16 GB | +| X-Large | Up to 500 | 8 | 32 GB | +| XX-Large | 500+ | 16 | 64 GB | + From 25967c426d80660a899cbb8edb7635beea9e6879 Mon Sep 17 00:00:00 2001 From: David Nuzik Date: Tue, 24 Mar 2020 13:54:40 -0700 Subject: [PATCH 047/183] Update CLI help on Install Options page - Based on latest rc, v1.17.4-rc2+k3s1 --- .../en/installation/install-options/_index.md | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/content/k3s/latest/en/installation/install-options/_index.md b/content/k3s/latest/en/installation/install-options/_index.md index 424cbd9ae73..f5054869d74 100644 --- a/content/k3s/latest/en/installation/install-options/_index.md +++ b/content/k3s/latest/en/installation/install-options/_index.md 
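Review bot: In the `@@ -67,3 +67,16 @@` hunk of installation-requirements/_index.md, the new Database section introduces the table as sizing "to run large clusters" while the first rows cover "Up to 10" and "Up to 100" nodes, and it does not say whether the figures apply equally to MySQL, PostgreSQL, MariaDB and etcd or how they were measured. Reword the lead-in to describe the table as sizing by cluster size and state the scope of the numbers. The lead-in is also a comma splice ("etcd, the following is"), and the `VCPUS` column header would read better as `vCPUs`.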
@@ -114,7 +114,7 @@ OPTIONS: --service-cidr value (networking) Network CIDR to use for services IPs (default: "10.43.0.0/16") --cluster-dns value (networking) Cluster IP for coredns service. Should be in your service-cidr range (default: 10.43.0.10) --cluster-domain value (networking) Cluster Domain (default: "cluster.local") - --flannel-backend value (networking) One of 'none', 'vxlan', 'ipsec', or 'flannel' (default: "vxlan") + --flannel-backend value (networking) One of 'none', 'vxlan', 'ipsec', 'host-gw', or 'wireguard' (default: "vxlan") --token value, -t value (cluster) Shared secret used to join a server or agent to a cluster [$K3S_TOKEN] --token-file value (cluster) File containing the cluster-secret/token [$K3S_TOKEN_FILE] --write-kubeconfig value, -o value (client) Write kubeconfig for admin client to this file [$K3S_KUBECONFIG_OUTPUT] 
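Review bot: The `--flannel-backend` line in this hunk now lists `host-gw` and `wireguard` and drops `flannel`, and the commit message says the help text was taken from the release candidate v1.17.4-rc2+k3s1. Because this page lives under `latest`, readers on an earlier release will see values their binary rejects. Add a sentence above the block naming the version the help output was captured from.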
@@ -128,17 +128,17 @@ OPTIONS: --datastore-certfile value (db) TLS certification file used to secure datastore backend communication [$K3S_DATASTORE_CERTFILE] --datastore-keyfile value (db) TLS key file used to secure datastore backend communication [$K3S_DATASTORE_KEYFILE] --default-local-storage-path value (storage) Default local storage path for local provisioner storage class - --no-deploy value (components) Do not deploy packaged components (valid items: coredns, servicelb, traefik, local-storage, metrics-server) + --disable value (components) Do not deploy packaged components and delete any deployed components (valid items: coredns, servicelb, traefik, local-storage, metrics-server) --disable-scheduler (components) Disable Kubernetes default scheduler --disable-cloud-controller (components) Disable k3s default cloud controller manager --disable-network-policy (components) Disable k3s default network policy controller --node-name value (agent/node) Node name [$K3S_NODE_NAME] --with-node-id (agent/node) Append id to node name - --node-label value (agent/node) Registering kubelet with set of labels + --node-label value (agent/node) Registering and starting kubelet with set of labels --node-taint value (agent/node) Registering kubelet with set of taints --docker (agent/runtime) Use docker instead of containerd --container-runtime-endpoint value (agent/runtime) Disable embedded containerd and use alternative CRI implementation - --pause-image value (agent/runtime) Customized pause image for containerd sandbox + --pause-image value (agent/runtime) Customized pause image for containerd or docker sandbox (default: "docker.io/rancher/pause:3.1") --private-registry value (agent/runtime) Private registry configuration file (default: "/etc/rancher/k3s/registries.yaml") --node-ip value, -i value (agent/networking) IP address to advertise for node --node-external-ip value (agent/networking) External IP address to advertise for node 
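Review bot: The new `--disable` line differs from the `--no-deploy` line it replaces in more than name: its description adds "and delete any deployed components". That is a destructive change for anyone who swaps one flag for the other on an existing server, and it is easy to miss inside pasted help output. Add a short note below the block that calls this out.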
@@ -153,7 +153,9 @@ OPTIONS: --server value, -s value (experimental/cluster) Server to connect to, used to join a cluster [$K3S_URL] --cluster-init (experimental/cluster) Initialize new cluster master [$K3S_CLUSTER_INIT] --cluster-reset (experimental/cluster) Forget all peers and become a single cluster new cluster master [$K3S_CLUSTER_RESET] + --secrets-encryption (experimental) Enable Secret encryption at rest --no-flannel (deprecated) use --flannel-backend=none + --no-deploy value (deprecated) Do not deploy packaged components (valid items: coredns, servicelb, traefik, local-storage, metrics-server) --cluster-secret value (deprecated) use --token [$K3S_CLUSTER_SECRET] ``` @@ -176,11 +178,11 @@ OPTIONS: --data-dir value, -d value (agent/data) Folder to hold state (default: "/var/lib/rancher/k3s") --node-name value (agent/node) Node name [$K3S_NODE_NAME] --with-node-id (agent/node) Append id to node name - --node-label value (agent/node) Registering kubelet with set of labels + --node-label value (agent/node) Registering and starting kubelet with set of labels --node-taint value (agent/node) Registering kubelet with set of taints --docker (agent/runtime) Use docker instead of containerd --container-runtime-endpoint value (agent/runtime) Disable embedded containerd and use alternative CRI implementation - --pause-image value (agent/runtime) Customized pause image for containerd sandbox + --pause-image value (agent/runtime) Customized pause image for containerd or docker sandbox (default: "docker.io/rancher/pause:3.1") --private-registry value (agent/runtime) Private registry configuration file (default: "/etc/rancher/k3s/registries.yaml") --node-ip value, -i value (agent/networking) IP address to advertise for node --node-external-ip value (agent/networking) External IP address to advertise for node 
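Review bot: In the `@@ -153,7 +153,9 @@` hunk, the added `--no-deploy value (deprecated)` line does not name its replacement, unlike the neighbouring deprecated entries ("use --flannel-backend=none", "use --token"). Since the block mirrors the binary's output, leave it as is and add a sentence under the block pointing readers to `--disable`. The same hunk adds `--secrets-encryption (experimental)` with no further explanation on this page; a pointer to where the feature is documented would help.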
@@ -205,4 +207,4 @@ Below is an example showing how to add labels and a taint: --node-taint key1=value1:NoExecute ``` -If you want to change node labels and taints after node registration you should use `kubectl`. Refer to the official Kubernetes documentation for details on how to add [taints](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) and [node labels.](https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes/#add-a-label-to-a-node) \ No newline at end of file +If you want to change node labels and taints after node registration you should use `kubectl`. Refer to the official Kubernetes documentation for details on how to add [taints](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) and [node labels.](https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes/#add-a-label-to-a-node) From 547b5489df8c11ea25984dbaf914c58216d27219 Mon Sep 17 00:00:00 2001 From: David Noland Date: Tue, 24 Mar 2020 13:57:34 -0700 Subject: [PATCH 048/183] Fixed groupadd https://github.com/rancher/docs/issues/2331 --- content/rancher/v2.x/en/security/hardening-2.3.5/_index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/rancher/v2.x/en/security/hardening-2.3.5/_index.md b/content/rancher/v2.x/en/security/hardening-2.3.5/_index.md index 5ba7ccdd14a..213826808ad 100644 --- a/content/rancher/v2.x/en/security/hardening-2.3.5/_index.md +++ b/content/rancher/v2.x/en/security/hardening-2.3.5/_index.md @@ -43,7 +43,7 @@ A user account and group for the **etcd** service is required to be setup prior To create the **etcd** group run the following console commands. ``` -addgroup --gid 52034 etcd +groupadd --gid 52034 etcd useradd --comment "etcd service account" --uid 52034 --gid 52034 etcd ``` From 4969914f27bcbfb747970696b083993be0914833 Mon Sep 17 00:00:00 2001 
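Review bot: In the hardening-2.3.5 hunk at `@@ -43,7 +43,7 @@`, the corrected block still creates the account with `useradd --comment "etcd service account" --uid 52034 --gid 52034 etcd`, with no shell or home-directory options, which a hardening guide should make a deliberate choice about for a service account. While touching this block, consider whether the account should get a non-login shell and no home directory, and state the choice in the text. The lead-in sentence also says the commands create the **etcd** group, while the block creates both the group and the user.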
From: Catherine Luse Date: Tue, 24 Mar 2020 15:05:34 -0700 Subject: [PATCH 049/183] Fix list of tested OSs for K3s --- .../latest/en/installation/installation-requirements/_index.md | 1 - 1 file changed, 1 deletion(-) diff --git a/content/k3s/latest/en/installation/installation-requirements/_index.md b/content/k3s/latest/en/installation/installation-requirements/_index.md index 4ba9252238f..bd0c6e4f924 100644 --- a/content/k3s/latest/en/installation/installation-requirements/_index.md +++ b/content/k3s/latest/en/installation/installation-requirements/_index.md @@ -17,7 +17,6 @@ K3s should run on just about any flavor of Linux. However, K3s is tested on the * Ubuntu 16.04 (amd64) * Ubuntu 18.04 (amd64) -* Raspbian Buster (armhf) **NOTE: requires legacy iptables. See Note below. > * If you are using **Raspbian Buster**, follow [these steps]({{}}/k3s/latest/en/advanced/#raspbian-buster---enable-legacy-iptables) to switch to legacy iptables. > * If you are using **Alpine Linux**, follow [these steps]({{}}/k3s/latest/en/advanced/#additional-preparation-for-alpine-linux-setup) for additional setup. From 3e5a43d9bc0e64a6c2c5ddd177ce2f411d18a6b4 Mon Sep 17 00:00:00 2001 From: David Nuzik Date: Tue, 24 Mar 2020 15:59:45 -0700 Subject: [PATCH 050/183] Add info about secrets encryption to advanced page - Mentions that the flag is experimental (CLI help also indicates this) - Explains what happens when the experimental flag is enabled - Explains what happens if you disable the flag and try to read secrets --- content/k3s/latest/en/advanced/_index.md | 40 ++++++++++++++++++++++++ 1 file changed, 40 insertions(+) diff --git a/content/k3s/latest/en/advanced/_index.md b/content/k3s/latest/en/advanced/_index.md index a7b3a4262e0..37201774d24 100644 --- a/content/k3s/latest/en/advanced/_index.md +++ b/content/k3s/latest/en/advanced/_index.md 
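Review bot: In the `@@ -17,7 +17,6 @@` hunk of installation-requirements/_index.md, removing the `Raspbian Buster (armhf)` entry leaves the note directly below it ("If you are using **Raspbian Buster**, follow these steps ... to switch to legacy iptables") referring to an OS that is no longer in the tested list. Either keep the note with a sentence explaining that Raspbian is supported but not tested, or remove it as well. The commit message should say why the entry was dropped.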
@@ -10,6 +10,7 @@ This section contains advanced information describing the different ways you can - [Auto-deploying manifests](#auto-deploying-manifests) - [Using Docker as the container runtime](#using-docker-as-the-container-runtime) +- [Secrets Encryption Config (Experimental)](#secrets-encryption-config-experimental) - [Running K3s with RootlessKit (Experimental)](#running-k3s-with-rootlesskit-experimental) - [Node labels and taints](#node-labels-and-taints) - [Starting the server with the installation script](#starting-the-server-with-the-installation-script) @@ -30,6 +31,45 @@ K3s will generate config.toml for containerd in `/var/lib/rancher/k3s/agent/etc/ The `config.toml.tmpl` will be treated as a Golang template file, and the `config.Node` structure is being passed to the template, the following is an example on how to use the structure to customize the configuration file https://github.com/rancher/k3s/blob/master/pkg/agent/templates/templates.go#L16-L32 +# Secrets Encryption Config (Experimental) +As of v1.17.4+k3s1, K3s added the experimental feature of enabling secrets encryption at rest by passing the flag `--secrets-encryption` on a server, this flag will do the following automatically: + +- Generate an AES-CBC key +- Generate an encryption config file with the generated key + +``` +{ + "kind": "EncryptionConfiguration", + "apiVersion": "apiserver.config.k8s.io/v1", + "resources": [ + { + "resources": [ + "secrets" + ], + "providers": [ + { + "aescbc": { + "keys": [ + { + "name": "aescbckey", + "secret": "xxxxxxxxxxxxxxxxxxx" + } + ] + } + }, + { + "identity": {} + } + ] + } + ] +} +``` + +- Pass the config to the KubeAPI as encryption-provider-config + +Once enabled any created secret will be encrypted with this key. Note that if you disable encryption then any encrypted secrets will not be readable until you enable encryption again. + # Running K3s with RootlessKit (Experimental) > **Warning:** This feature is experimental. 
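Review bot: The closing paragraph of the new Secrets Encryption section says "any created secret will be encrypted with this key" but does not say what happens to Secrets that already exist when the flag is first enabled. With `identity: {}` listed as the second provider, those stay readable and remain unencrypted until they are rewritten, and the text should state that. The section should also say where the generated config file is written and that it contains the AES key in the `secret` field, so readers know to restrict access to it and back it up, given the warning that encrypted secrets are unreadable while encryption is off. Formatting: the fenced JSON sits between the second and third bullets and splits the list, the fence has no language tag, and the opening sentence is a comma splice ("on a server, this flag will").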
From 85c9601d0ca9c3e97dae4790bf6f899ee49a9743 Mon Sep 17 00:00:00 2001 From: rajashree Date: Mon, 23 Mar 2020 16:37:39 -0700 Subject: [PATCH 051/183] Update AzureAD setup instructions --- .../authentication/azure-ad/_index.md | 84 +++++++----------- src/img/rancher/new-app-registration-1.png | Bin 0 -> 118333 bytes src/img/rancher/new-app-registration-2.png | Bin 0 -> 227671 bytes src/img/rancher/open-rancher-app.png | Bin 0 -> 299036 bytes src/img/rancher/search-app-registrations.png | Bin 0 -> 41997 bytes src/img/rancher/select-client-secret.png | Bin 0 -> 257561 bytes .../rancher/select-required-permissions-1.png | Bin 0 -> 224065 bytes .../rancher/select-required-permissions-2.png | Bin 0 -> 399531 bytes 8 files changed, 34 insertions(+), 50 deletions(-) create mode 100644 src/img/rancher/new-app-registration-1.png create mode 100644 src/img/rancher/new-app-registration-2.png create mode 100644 src/img/rancher/open-rancher-app.png create mode 100644 src/img/rancher/search-app-registrations.png create mode 100644 src/img/rancher/select-client-secret.png create mode 100644 src/img/rancher/select-required-permissions-1.png create mode 100644 src/img/rancher/select-required-permissions-2.png diff --git a/content/rancher/v2.x/en/admin-settings/authentication/azure-ad/_index.md b/content/rancher/v2.x/en/admin-settings/authentication/azure-ad/_index.md index b4879220c29..272f3be784b 100644 --- a/content/rancher/v2.x/en/admin-settings/authentication/azure-ad/_index.md +++ b/content/rancher/v2.x/en/admin-settings/authentication/azure-ad/_index.md 
@@ -28,9 +28,8 @@ Configuring Rancher to allow your users to authenticate with their Azure AD acco - [1. Register Rancher with Azure](#1-register-rancher-with-azure) - [2. Create an Azure API Key](#2-create-an-azure-api-key) - [3. Set Required Permissions for Rancher](#3-set-required-permissions-for-rancher) -- [4. Add a Reply URL](#4-add-a-reply-url) -- [5. Copy Azure Application Data](#5-copy-azure-application-data) -- [6. Configure Azure AD in Rancher](#6-configure-azure-ad-in-rancher) +- [4. Copy Azure Application Data](#4-copy-azure-application-data) +- [5. Configure Azure AD in Rancher](#5-configure-azure-ad-in-rancher) 
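Review bot: The table of contents in this hunk keeps `[2. Create an Azure API Key](#2-create-an-azure-api-key)` unchanged, but a later hunk in the same patch renames that heading to "### 2. Create a new client secret", so the link will no longer resolve. Update the entry and its anchor together with the heading. Renumbering steps 5 and 6 to 4 and 5 also changes their anchors (`#4-add-a-reply-url` disappears), so check for inbound links from other pages.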
@@ -44,39 +43,43 @@ Before enabling Azure AD within Rancher, you must register Rancher with Azure. ![Open App Registrations]({{< baseurl >}}/img/rancher/search-app-registrations.png) -1. Click **New application registration** and complete the **Create** form. +1. Click **New registrations** and complete the **Create** form. - ![New App Registration]({{< baseurl >}}/img/rancher/new-app-registration.png) + ![New App Registration]({{< baseurl >}}/img/rancher/new-app-registration-1.png) + + ![New App Registration Register]({{< baseurl >}}/img/rancher/new-app-registration-2.png) 1. Enter a **Name** (something like `Rancher`). - 1. From **Application type**, make sure that **Web app / API** is selected. + 1. From **Supported account types**, select "Accounts in this organizational directory only (AzureADTest only - Single tenant)" This corresponds to the legacy app registration options. - 1. In the **Sign-on URL** field, enter the URL of your Rancher Server. + 1. In the **Redirect URI** section, make sure **Web** is selected from the dropdown and enter the URL of your Rancher Server in the text box next to the dropdown. This Rancher server URL should be appended with the verification path: `/verify-auth-azure`. - 1. Click **Create**. + >**Tip:** You can find your personalized Azure reply URL in Rancher on the Azure AD Authentication page (Global View > Security Authentication > Azure AD). -### 2. Create an Azure API Key + 1. Click **Register**. -From the Azure portal, create an API key. Rancher will use this key to authenticate with Azure AD. +>**Note:** It can take up to five minutes for this change to take affect, so don't be alarmed if you can't authenticate immediately after Azure AD configuration. + +### 2. Create a new client secret + +From the Azure portal, create a client secret. Rancher will use this key to authenticate with Azure AD. 1. Use search to open **App registrations** services. Then open the entry for Rancher that you created in the last procedure. 
![Open Rancher Registration]({{< baseurl >}}/img/rancher/open-rancher-app.png) - **Step Result:** A new blade opens for Rancher. +1. From the navigation pane on left, click **Certificates and Secrets**. -1. Click **Settings**. +1. Click **New client secret**. -1. From the **Settings** blade, select **Keys**. + ![Create new client secret]({{< baseurl >}}/img/rancher/select-client-secret.png) -1. From **Passwords**, create an API key. + 1. Enter a **Description** (something like `Rancher`). - 1. Enter a **Key description** (something like `Rancher`). + 1. Select duration for the key from the options under **Expires**. This drop-down sets the expiration date for the key. Shorter durations are more secure, but require you to create a new key after expiration. - 1. Select a **Duration** for the key. This drop-down sets the expiration date for the key. Shorter durations are more secure, but require you to create a new key after expiration. - - 1. Click **Save** (you don't need to enter a value—it will automatically populate after you save). + 1. Click **Add** (you don't need to enter a value—it will automatically populate after you save). 1. Copy the key value and save it to an [empty text file](#tip). 
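Review bot: In the `@@ -44,39 +43,43 @@` hunk, the **Supported account types** step quotes the option as "Accounts in this organizational directory only (AzureADTest only - Single tenant)", where `AzureADTest` looks like the name of the author's own tenant. Readers will see their own directory name there, so replace it with a placeholder or describe the option as the single-tenant choice. In the same hunk: the sentence after the quoted option is missing a period before "This corresponds", the button label "New registrations" should be checked against the screenshot, "take affect" should be "take effect", and the section intro still says "Rancher will use this key" after the heading was changed to client secret.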
@@ -89,13 +92,16 @@ From the Azure portal, create an API key. Rancher will use this key to authentic Next, set API permissions for Rancher within Azure. -1. From the **Settings** blade, select **Required permissions**. +1. From the navigation pane on left, select **API permissions**. - ![Open Required Permissions]({{< baseurl >}}/img/rancher/select-required-permissions.png) + ![Open API Permissions]({{< baseurl >}}/img/rancher/select-required-permissions-1.png) -1. Click **Windows Azure Active Directory**. +1. Click **Add a permission**. + +1. From the **Azure Active Directory Graph**, select the following **Delegated Permissions**: + + ![Select API Permissions]({{< baseurl >}}/img/rancher/select-required-permissions-2.png) -1. From the **Enable Access** blade, select the following **Delegated Permissions**:

- **Access the directory as the signed-in user** 
@@ -105,43 +111,21 @@ Next, set API permissions for Rancher within Azure. - **Read all users' basic profiles** - **Sign in and read user profile** -1. Click **Save**. +1. Click **Add permissions**. -1. From **Required permissions**, click **Grant permissions**. Then click **Yes**. +1. From **API permissions**, click **Grant admin consent**. Then click **Yes**. >**Note:** You must be signed in as an Azure administrator to successfully save your permission settings. - -### 4. Add a Reply URL - -To use Azure AD with Rancher you must whitelist Rancher with Azure. You can complete this whitelisting by providing Azure with a reply URL for Rancher, which is your Rancher Server URL followed with a verification path. - - -1. From the **Setting** blade, select **Reply URLs**. - - ![Azure: Enter Reply URL]({{< baseurl >}}/img/rancher/enter-azure-reply-url.png) - -1. From the **Reply URLs** blade, enter the URL of your Rancher Server, appended with the verification path: `/verify-auth-azure`. - - >**Tip:** You can find your personalized Azure reply URL in Rancher on the Azure AD Authentication page (Global View > Security Authentication > Azure AD). - -1. Click **Save**. - -**Result:** Your reply URL is saved. - ->**Note:** It can take up to five minutes for this change to take affect, so don't be alarmed if you can't authenticate immediately after Azure AD configuration. - -### 5. Copy Azure Application Data +### 4. Copy Azure Application Data As your final step in Azure, copy the data that you'll use to configure Rancher for Azure AD authentication and paste it into an empty text file. 1. Obtain your Rancher **Tenant ID**. - 1. Use search to open the **Azure Active Directory** service. + 1. From **App registrations** select the app configured above. - ![Open Azure Active Directory]({{< baseurl >}}/img/rancher/search-azure-ad.png) - - 1. From the **Azure Active Directory** menu, open **Properties**. + 1. From the left navigation pane, open **Overview**. 2. 
Copy the **Directory ID** and paste it into your [text file](#tip). @@ -171,7 +155,7 @@ As your final step in Azure, copy the data that you'll use to configure Rancher >**Note:** Copy the v1 version of the endpoints -### 6. Configure Azure AD in Rancher +### 5. Configure Azure AD in Rancher From the Rancher UI, enter information about your AD instance hosted in Azure to complete configuration. 
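Review bot: The `@@ -105,43 +111,21 @@` hunk deletes the whole "### 4. Add a Reply URL" section, including its explanation that the reply URL is how Rancher is whitelisted with Azure; the replacement text in step 1 only tells the reader to append `/verify-auth-azure`. Keep one sentence of that rationale next to the **Redirect URI** instruction so readers understand what the value is for. In the Tenant ID steps of this hunk, the sub-list now mixes `1.` and `2.` numbering, and the copy step still says **Directory ID** although the navigation changed from **Properties** to the app's **Overview**; confirm the label matches what that page shows.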
diff --git a/src/img/rancher/new-app-registration-1.png b/src/img/rancher/new-app-registration-1.png new file mode 100644 index 0000000000000000000000000000000000000000..8fed06426f112b16036b6ea36210d7a9d142bcaf GIT binary patch literal 118333
zc$;O@)FurX5>9-4I#HmYc-gKyK9n}ypocq#*VU$V%xx)z93*^D7E5|sOEm}Ut=9`~ zce)<3pdzF@?bw>Jh;+UCrS9Vw#ArVTymduQw`x_$wP(|JCSMe*mQvYQ5-kB5OOypu zeQ)N?>*NF#^3eDx(;{w+ACoj}vsIMsbof<2ZbZk5+>pC*3;!v|+dr!x#fqDiTKBY> zY2`U&E~#&TcS$;1B;uQ#!EKM>EH5{r7peUIDP?QY334ML0C(isaZ&JdPo+scTJ==p`1{ym}-MTByp)V9H|B!pYuSi5lBL~&g39lAlW`7novP`Pm0 zpl)V)**GKQd1vjQ1?n{q21W2#CA@xF7nIu^+;)6V`I<46Ale^ zgaE0aU-c?`%P)uy-(j7@&8g3*Au;#d&W_$CA4UP`!)!aMH))@Dw@0xwY85%@fU2v|e zww-`P>3@=Srme8l8jiC#`hmszCQbj4fH~XdaOO6JLdVU#{kOOBg@P=oK#@8(Bonpz zxbc!pSm>jQVc)^joFyO6(N|=jj^(Ir!=Y6^&i(9Lc$fQGsmWUGuOE_r9RG2{9G4rP zVc|7!xT?ltiT07_xMCAvO1972Pq$1-E9cyT>pTC+mfx&E?aF&D)R>ipx_s)dg-I~> z(#`eU^yE~dPfC)gLD+6?p+$Z9n`hqbFJ}eny5!GPF+WML3hU;cm^P?kZ>~Bo2Hb8% zxv_B@ktG;-1y8EP_~bx+MaqB15vo&LWWR}2+~Qw}cslbwMwfoH=0G8C zB}CZGwzkW*-sxa%yts`JFHgPF!tARTl4|`ZZ6!^KovgoNUd2tv?ePcxcAK12grZF5pG6e3Q?U2-nHj9c#Ki4eD-icqIpCpJ^Z_33AO z=Pnw-6MTd$XlZjz-OG9P-)%L8011m{rVKKY+kzILR&J6AaoNG=a@VeEi>kF}9h;2X z*&mXQs=MW)SXei(k6!9iH+CAH-v8aZAwEeQK!IJaf%zv)$RVIy4^$S#XyhX=KkB*H*T( zkRVvIzc>?^l0VYAR5S3A9yxXX-jDSq-X{h!MISdes=t$O>RJ|6%vi{R{ep`mYDL4<-$$tN~?sr;3`a_kTTO>d6&P8 zI$@{K-#mvM#opmlg327JA1s@0cTvB*J?3?J)He7^QzUBc{E#iOi*Bl~8%2$oFMVnox_EnU+Db#% z@wClO9ZFw!d6BV_W%PaFht)YgtZQk~ZQ_h|dc;tp&vGN}Z5SnN#ja^$n#5H`P#JNCd}GmP(2?n~mXwiB@A zbb##b7On3F-il5|pNhYiHIc&>K#CZy3)ov>!Ts-|_s1 z6w3Gap4@bA!=HYO&pj8rD~C!@BScsAN~*u~S?-u#RsNO};GevN_Z2yM-G53u&)pA3i6Ze3QB9So4&~M zL>3lg>i-)4N&b3gY3);y1u9zt8tufiU*X0DxADca?Gs_FzWPTjL5W;*NmIQ^Nj=MW ziR%3c&_Ew(r%l_r%Z!V)dd0?_m3f;zA@V$}n!TGf>-r^hT^u+X9GTK{dNp)dJ*7E& z#ECY&`Rz%l1b!=I!)3i4%kwKnX0vCt={8s=nV>z&ofVz^sjPIEgN?x&%V<$hBKAN; zTfxjZ4qXwK+n9#n-s?4p|3zK+)|=r;`XZ!eL9*ggp&(77s*}T7_r~MXCY;scL>}l( z$Lv#Kq5|a5<73i1t=tp7gW+9b_XI;`?zwa>LbnES=gktg(T8m_{_~8tUmHA$C`gL@ zsU6r~UFy!-w=ryVY}nZCl&cvH)YU}EJ2z-9F7&Qr^yqF)eJx8Ouv$!~)Y`8vy!+S&zyi3M*S9xEnXKVo{D>15rfJypezSPAAWJB=>YLQ&B!&(M ztbMzi(2Ru2lOpGv(EM*0yOHCLTaQUWHEp0Zr$dd2T$!fI7WMX`c87gC1kA5u&2}`- zPiN2uk59vv_hy|gnwVe!C_P9#`v_O( zd`#;v{(yj?VM$j%`}R6DdgqdTcVYrJJIL_Vz&t`-EF6Db~4Ha}7U_bQ6R=Nev 
zoTQ}c&xFQSQ+T@6+Qo(4H?ukJi;;gcL>N<(9inFJcwjh~9zdu1DUrq0<~3yK=z5DD zD5cpqpM}^45I-qRd2ZoA%g3H|TxQBPLnw~*LqgI0P(rZ0-Vy_KG6FVvajt~bS5s5% zJV0-gS<%2Zb;UwBz!ze;6^BvJ?!Lr;rqy;sEqUgbdm30Y
  • ;B@4t6x1`TnZswMN zr&5?%q_LLF4Y$T=wT;~eC8ov{p8Q@k9tHgAZoLokJ;aL1k~fky zYI{-d*^aAVv(wQ`YkSU4ZaGPxyvRFw@pi2kjaS9=Mlder@Vumk#x!RFf7)b?v-`oC zIjc&ZN3~%h72)hK8nekcBw0p-TzdAAI$+7Zijq1{2#Va>X^Waj&b%dextFw{8Sd1L zHfh{Y6AqiyKh8I;p058MRn1%xi;etiP5baUu{3pvKZca1!;AoM)|Wx+8VwxAbZ>=% z*t&3FM#Z`!<;~yy+3Zy$zr1$4A!9d-j}{dsXbxZi0uaKll=Sf`zH6eJ14JZIH#fW- zExv~PTUCko8w$6mDaT1Rr=VSB#&H>1jhWUnb||)$8lbfdF$f!mTt7mRoYoo`O%%G& z*9jeUntS1GV%HN2J@j#SoXUptl<6NU+S}(i7HRJ3_a{dHVC`WH=;Q})yNb> zBa=aFiTVA5MCP1wd|Me7$GsjF>j6OYlvR!hwn4QIQQ9N*rWJXdRUeU~80+Hi3~ z35xF)PRT_}URBoeHErUOKEs3Kjzdy$B!DKlQssfPL` zxs$y@K@_$eL-*Z|ljvUG?@sTk%VGOY=Ld?#*``(6Ps0xE)vI2M_cK{7G&gJ0m1D=^ zz1uy8V)!f%pV3z(8x?XY6IO1`IJ-g6NmykB#$Vs8G9-KS*f}yU8Fko^^Jkl&+#&+nd7i@dlQAuJuNg_(! zf~tlutVjF%E^w8dH(*o#gD3i<=Jl}e1A+&(t20jh$qOVJGmeGIsk5dv^wUG5M4Sh4 zmUkga6}OG1Du&S43LU@OR9I)=sI!zAZ8z~90#)aY8?l5XsttYwu~@A3bsGs9m1a1TG?;8GskuBY!z5u{4=#U(&l zFa}0{aBG06Ncn=)Ykj*3^gWFRmpFj#%tVSh>$4ci&=wl%`%)-e)uMRYht&RSiHKS3W zmPq@eCziYk9jl%#PoV>YX*#c3^WbAr#O8{%!3XuBFr}By5R<-9wQ{kBOzPf3O=kz* z^^9V>gI~5d2hG17A7HeVM5 z>Pbb@(3Wq>Ysp_hmB8R;Pa|+(8+CV`R#;bxyxgp{r;Tl+Tac03!sWCLKzg5%s9c=> zwN0mOstJ5c;qU_&n`$z{$T3+&UVdOTqva%K7?Jz*Qy&5>o~&hL`utEpF`3Ze-W9>9 zo`3(|o(p?jK}l(uVQ%gMcFl1u=S8RP02R}(6__ZzQKIoyDS*b50rd=a?Bjr( zeEUUXCSylJZMAiz7r*YZnS;r%GQkSA9`VS`O17`pqGI?Jf?92DM6iq`4$pW(dT-*2 z*HqlX5f0=Qn5-yJlw%D1HOdUKQTk6o+D5{$!$tY#do(R-jaoN)cwf>lo^ie~BMFC? 
zfAlOCgrj+36qS(xn#^=wBNSIwc@zekbyCyUmkstdeaC)z5f zub$D*u=DsP$hJ9fabUkB<^jy&m!M_lcyn=dd&8;0eSOJo^z8J?VUoJx%SU82bZWWq8s7hhf>bMUz7X%WaDbxy&CugVL6sd~r(_7x2a0mV;c zEI&uVGLG;B*K9@B%C9|%KYkOg26BlxtLzW1T2t`dPI#tnw}OY|ce%u2u>9hZZN9(x zu7W1W1Rtm@7x4b>jn_N|0Y8Q&02li6B!9|x%5=cH&xX!jQ~0UE^)D*(k6He2ybvtn zF5cU<-|aFke3xYx@qf3=)nJ#!+-}IY{^mikCt$UiP2%Ajync;Gn*2;0!`hi7Lum)Qfads>DrMljUKCiH<^nJg{*H9i#q>pGEtB4$fnSQYPg_!1g7dGxR#W zq7`iZIwsBAo3by9{og%w_H7*>pnUoqCGr(ban!4z;+GiW{VK%{`Nb)Zam|i=-)dmu z+248f{CO&Z-{I8dx7zOB#M0%_8Rw+q^D5{DhkQ~DQ*HNU-8MHY+WDKuZHNyl0r#M4 zsX=w2Mr}>w*)n~h-TG+2hnQ4c&(9P|E(=PUj?3|>Cx_eH@9*I(07NaqCIQVG39t!+ zEYbp4truGZx`ZHZ$ICNQmW>Ini6w089@h|wuU)^xe+}XO+yDG$vLL!qg}|aT-}zF- zgaIC#$#8ajV8nNJx3f261?rXY>n_=D2%ulvr}d#MX{i_XQ|4@k-#pQ3Sj{JwAkY`u z2%@P4G%w~{4>c;A(Zw;Px;1|FrGI>14bj7Znz`X%RNW%MZd7!mdA+D{mcY85#P_gD zr5=&=-NE;PCt26gafzJ1r`#%jbq<@doB_{ly+^@YVVyE#s)QywuY_y(5*hR*Znk^{ zyV%+j&CrzKxDw+#ng|AxFr^nJS$8w7{6@-v$ZN0vobq25f*&!qp#KeQ!m!q+mxH1> zs@7q9s{j{U<&{VCDI{MCp+rY9Dam2hvEe#;tI)?s^P?ILGfw8g%{2|Kr%oONj19Y; z)HAZe1o}kOyKm;bv1{a|d05mdbw(3Q5NAw_>PvRE>kl=@inJOx45hBv1u!I|3B=fp zeoFCD;OA8b@t#nYJLvmX%sQ=S%tD0@&}A;EX-e837m_qDk(xG|+{Y#JLM7y8pDNB! 
zadx{rKiq;QxxIc>iO2ecs}ijfc_^Qm^f7tm$dICY%1YOC&|Z{(h8 zc0HUK1Mqu-uQRj36Dx#Y3hzHYDtCvOE5)iaoT?C9b-~dC8XaTTvhpXoxDO zENbITcYG`xj$6TL*DaKcW4(xkU7yyE(wGhvr(4aGPTC@L`cC2iWM_F}%;CqE+qF$- zeADJ-1435z6McPrmvwQ>#&WPdz*vS>Oqx(%9xq2}*@NdRYk_#qU~9R|7a1o#U#^~W zJFN~R;4&B*S$S#x=4jq$CZ5B_#oBfD&0@d|u4(@Kx-BR$V`q>bw`wCuK+IJtP&@9M zPh!w*tpcO$(QrK&nb)W2s`fHJny6EQYgXCybo8>nrh| zy?R^ZxnR`y`4f@T;npUn-CB5nR<_23$QNHoKJQ*P)0Qtq;%nWuK)a%bliWt?(S_pW zNcEb{%DGvfP9)w@|XB(?Ra3AKw+L&ulwj79LN0)2po zPF>^KuK3|sWcsR*C&DN0O47>(H70cj+jDcY<->9{;TXe(L3|hETJn68Zw7B}YE!L@ zR&s8Ev3~NtF&j$7wU5;L7o#O-j7K`!XBWU3$-MFm_?M<-R@+Jy>BRZ~O zT2RjI&SQfv;)8-0DQOQ{$5%Z8=xV{IuXiU*jVTt}f*dZ7``o9&35y8xS*tu=i93b9 zjx(>Y0%}UC>)ra*GXH^Jh~HRgekIPbP_}eKtJS)g{0Zd0tWSA4*4A)o;i*cNN^?E4vMnyT^#A^T;NzyQn)7Zx|%RLUyf`vUS4pF z(b97nG^fOV><^DN%)tgtd@o1xOFEx&EbGzingDZ?U?Zt-Fl{=j=am$nPa&NM3A2)n z!ya2RYD){^owVr_#dnQUSMA2dA?QLgDn4*2R7{npOLPz71t0r z5Mv|yDT|-zdPhDX)uTx$LE!~A&Dd;-%CxKS8*Eb~0CfM9!O znO^`LI+Y^CGyC*Bpjk*=xUeqc=YOKYuw1-ukrf;_}pg(#-nSnuC z)yM!wpI;5EsOc?K{OACTy8)u-dUn1+DF<5Sj%~Wq=X;fn=LO`8tYs^pMQhh61C9Du zi&ip=NC&fsN38*UEj(pL_u8@-T2o8!%BmJuSst%V1mDzdbUR01&wcas2`U49SKkq} zma0>$QZ*KR>7ky|lHzO(4~r>j=;Zm2Z0rY&r`1k76O#{YKCHJHUTyPN9vCSJEOJ2O z!=8{g>%_kd8Q&FK5Que_C-G|`^u;6(?l{+_Typ^$$#F~dAs?1|xFyYk2)8W6*ObWR zhezsBa*gO`R(MIbjg%+*#XNz}z$=leq# zi>>D33;JK(4CV&$AIN@v%}vMrp6_&{)J#4+$u}HJdHO4FNxRc~pjM9*s3HDs5B}D3 z`V=8>FYAksg+H zJ3_31QaTTWkHwBeOXb2}>*`N2R7`hLC4crIB@uQs;p-9&BPYw0m?V-$Fp|6PIX)@z zF4#N0LGGC0i9fw~r^>kenT(A5bh>?vVCu3R@SdQr@6n>sN)_wMaTwEtE6bhf)I~^b zMvkjeii9g^&hu@O#9}TmM6KK%8EoCrO<~AMQVi<%8{aKiY`i!qim!Rv(24W{x9D`c zk?&(9Pn4q0xLbmc?voDmL(qS#D-()%^#V*jFk%&0{P5t(Zu70p>yLa$=bwoNm)VN$ z_#?Tz@Imd#6Q_CE@;I?Ks0*Ep~L zW=N;h=un>Fvu}0rIUC$tn^*kY*xBo`iTlGejiA~Se$Gj6)#fxA%_!k8f+`WwbA2I(V{Clp}|kO8u~}{<5}(Fa!bnR=D~dL)x9e}?7{-TuXH_&8%@ZGtj^lE$fGEIhijPFkDaX=U1k4oigBD3Ojm_m$ ziQLbuG?Rd*C+D`1Zsh=6%n^x1?rN2YYP2ieJAMQY0}^I2$`68+zCM=q2TB3?318i< z!)kh1ri%Wi%PPnIJOpjhMRUQ zDGA$>Y^S3Uk8+$nDN=(KU-%&1CJD~=5YDL9LYUVlfzjBEaEx7QHn(UcokEz=y>*oh 
zZbH*Yt-`&kDA#K@33Y}Lcg%rz`uHk4Qo;#G6 z6p7gzu{fREwjlh(+c*p&9oeL0)pUMM*HqZ|tFg1Z8qb28Ok#1gf=TVLdvS2YFyW?u z45k=u+h8Q#+#uOzSByg6ks9|XP2-zx?}efkq@b3CHl@OuT8Bej>h342XJ8QB4=5Ec z`^BmtnxZ?4#VJlkN&V4^XVnhdvn)yO7mjk})wizRqnF8R-a^%<;c>$%&nORVV&6VO zhGeLilOYimA7S{j@0@2RowcbXQ)SSJ9*4^{KGTppvp$Z^CSy=ewTN!OOp%Rr)y7R| z(~*PhOVj3qA4n8D$fEB)g(IQ$8^4M+b5{g6{R2TjDMoYdhMGAPzmD2!>JKhoG0YQnQBS^5z+fNbcKA_0ic=kN>bWq3m>;AlB=(8|#DJqT7 zhpG7@x=PwO-o3ghqGxR%apWmQdsxOGVQtJcDrJT0*)9 z55%PgNmGi0+cP;^uneqGaMWAiRv|#(v1Dkr4d__{9WEb66a6X?%dYQ8j^v7NWPDHevwM~D~cFv&0r zEmr`$e^!Nh)k!l#Ld;b&asfl#^9pRdJl`feRHva6*{B6RvGpJYQh*=Dm|wAA62xl@ z1SXDlgNa@#!Knzq);o#?OIQaT1GW`#dXGRb)t6(MLlo*2BOnmCo4{_Rqe-BkwTTgp zwS>9{ZY3-LcGuZDRRVN&mt_ZC6H84_fQZr@?P4#F2)tPquj1_V|V=^cuvOD?MS$6eXc@Bbfyn#VW^|nU(B=uiz0q?e-gK!GpQ1B)3=v zeRo>IwBr73hM7vsx%d*rAh+|Ak?f$w9{};87(I+o*6i?&9lj`IrP7u=du`S(r}#K; zIwRA2Ji#*OR5Ek9&F(5y%P&qWQ!bG9GVuD1TT8z9#*td02{ELJ9oAdG%jgr5#=s@Z z7Fi0hOUy3=EponadvrD@rE>y#Xc^f7wk<#8D7F5EG+-mwu|5sV|EwcRr@s1_0tg2Q zNn43{p8tt92*yFz70KM=r7-EUV}Mpf6*$PvT3g~(O!TsWh(Gqh6QMVmY}2n_=-~U~ z`HAN0Qf)Hk@kXRI$h$Uz=rtC28PidC>Q8g?tMDWAk5x2m!@t8opnX*Q`fR7o@H8vj ziAow-R4JlUOCX;{R}l)>gA5Up=$6X~dJpp$&Hyqq0vZ4?X%gSlh;G$o1{%t6k}wCI zK~b0o554aIfxo@8m+WiX;vb5=i5HoczK{2G1D7XA%k>}v8xGpd)YVHXR;E|v)+1iE znAZ?jFtXKBWR=9omBtyckf3Z#$22{UP4~YKOdzK8Q|>f(PQLO)DS_J4uD-cAh8phO zl@@qFAv!JA*;OctA1b0Y6-?Tl?klg2BRcA)lqJxXUNnu>Udo;?5qu$t>DxWUN6k@2y<<>H|o06@<6q0_Zu@k=NY9*cRJe@F1qK(elrBpUj zXlOy4|I|BQojCT1dpY9|O*ub)Cu#oEnE}?W_Ldn-23J{Ao ztGs3h_dk>tN`<|=TU{(M$@HvO_?`3y{M#4h|9 zhJT##f&%1ivykeI)`O?}$0zGWL8UuM`U%Q+g?(Lh!R6c3OqgNe+EkmNH#Jgf-XAWZ zDvkzAe6SG5rkuNkd#^X%kvzB(VN&1879-w{Pc~^ z8ggxNEadH)^}^7-;5SY{hB8KnUdHPN@r>5y(1h;*joe3j-7&D^x_xDP2-9dl%Lz|Mhr7(4ScJIq_`fsvWC7f<{K$X zJ}Mr^-8#)STuJq(6EiC<*AOnR>`#m^UbZ2)YH|AIkjmtmnEW@qFcC1wC0+yfsINNi z!GjqgJoBX@eVSQFYfVp23{#svM8Bptfvfi8t1t|{)fYluHgIedrqrs|t)EY=5yxr{ z5#qMS8T({$vcGy!2OzLQz<4NhJ%vpiMZ8XRGVsD-vs+WpvK%q~aueG&fz!?!@CB`M z9de%I^PT;8F*ge^!D_N7$Y4R)pqPcnO{^cPdawt!I9;t~_Bz~fRK8fZZKK>;%AhxX 
z^_2EWVD-n>YwHDdk!mJXl}8KyQDG5X8%%9yQnb`A715Kl)~|llh2PtRiuY0Mv=;3q%ZwX}7*AiF z=wPYpJ>aA9ve*8z7r(j8EbVwM?g1ZDW@{btJR0lslD7{ zhLc57yq<)CMpqJg3ym;dkofxgjKiFrI8E_O81C=j>uU%B!q-xY@0fbEK7NZk4+B8^ z3S*&wjo4jUejAG)S4URBz9!4UNA=}nzY3xZttBAKP;7m^fwsS;JEm?~KMYB9J29@D zv7cI=A>wtZngW`Auh8cAFSUZdbpD?&^?~RYylE%#sRC&JF%NpVaN2Y#DlT(74+!%e z$&C8CL2LQ0?YwA*u;0K=Kz{`Yz$d#RbH6m3zJ5P+$|x;hL$@H1)-|Y=v@qixKAT0n zx?zHy7-$%FwGt=3=5dSoEts`QDDmihfyG(p?ai&4b-J+{yY`L=(U%tOGi2|JFYyj$SiJ&_F~O6rbmDYSw{ zXBVg2uBVn&^S9s`CK{h~jA|tU_Sea$Guv*^$qMs0OmEYx@i+KFNWd532cV1BfHrQ8 zg_)V;csAg^J{x43Py8?&bE$@tHENLao6`@gumnIiXw`jMO_tCN(nFF7oFf4E@99b8 znPSs;m-@zbb+CmN#8|XQx6QqOGd;!U;JZ(2e8mL*#9V&qq=6n3#LP-c?lO44+luRV z6mDMkYR&yl{uJq#ulw_R9-WWDzNwx+H@`ZG1W)kEJVd;Yo0l4wO?tJb3}5c2{?`O_ z^$%{BU!5d`4})LvKEF}EpG9iuZ};hbHVqJmh!LXUTURNEe}pgpUEKdJ?mxx+zmf|- z-Tze!aMk($gj(o-DxVPBnT!6vpdNuPO#r$y!s==t8u4H52$e3>O*6$E3AkDE*Os3`h&F_*YBjG^BYMB zHlbW)_xRJ`gRot~ymS4|a3okR^NtYIt4xH-}~ z4@|EIkb*@X0tU+rcPsqv->u}Is~`eaDEcMb`2Yo}Yjn50QPv zSKyV&)?heF7IQL8cle3HOdegIe{$vWAc5yuNnHGZN7wlTxD81Z zeKLkJ53i6RqaCop>Sy<_T|>u$|K_nG4HoqHkb%~Vzmx9>2#KLe8HIy0{pbQSnG}{jmYba(B+o_8@E*Jys2zrUj*irZY8?843YTfAcmO zKp(@UPR7Va0PYyBM=K^S;61D*y24Zs0Wxsv4yaUz5ug;ZWd{7YeQ6FL%0iIc$xuvG zxo`9yasT7A(|W;$DjZpIK~`2XCd)EhL~}p#MhQQgxwXbL|FPG}W(c%$ zM$E+v@k-Eel#ht;WANaUVP%R5amrG>O|KOi&wenIcCm^oI^p5CE}Fxrsv!pw4dR_L zLfKwh_74VdF14yS(SOc}z?_H+QzecA=_j zR@`z{6*W#Lu60wDV+$aU7Z+gqP`>qJVz9O&qRFA&LiL!Wc_#J5>D3hXPG(2_QN34) zGDZ%aqLt`HjHJR8?NiFMRpb9tlGPZ&@r#^3Eh9is6iO!X67nT4=^m7QUMNHMC|2fi z$j(M-AM9`=h*vy%7$F^tp8zDec*Yg1UT=4`Zo~ zFGX6A1%))C9;W+-^myDff6FgUB9kMK*4%<2#r~y_*4Q=Wm}-?QS#GdX+@oQUj1&ED z#9xF0Xr12oTwrazA7opm$YR|ir|e`DPxZyZ)W1nW?W1*hGRC2VN`k7&EdmK|@f zwLg=W9ED3tZsHcoo{deguj8qC*9l|@UGQD`*2#!(`iAYkN=`2G%d&NPAkc`sFYO2} z<;vofiXPSahV~!Q1t);q$F+G453#fL5DuuAGgS?Yt*nmD7f^aI(o!ZOO5UvJ_R`nIr7HY+hxx_9LXHm#U)%KIfA}C< zI;9wN3Q|1`L?@ta?|eRrDvG6!)fT8`8=n1$PD#uxJoqv7UEhyI^{`k$=pBz-@?=3L z)sxmOFMn0Wwc}7?VpFZsYlSBF6$lY%Kk}0y1;kqJGX@7{__?RN$}SvoNynxTb9~S~ 
z*tsA(2c1X8qBVQe5BU#e#s3rtodWYTJiZFxcSQ;?n7_Y8Vrb5CU5;+F`{c`3i?I6J zk2hOn%svXnu%q$5NLIUJl%i3HSUzrnyr1#mqf;;Gx2_Ud$9B1BxIc*IA%>2-sZZQP zJufcMVl;VZ$MHCA+1N(wNG@b%kv-}2;hg)nTBXG%mYPw@F*e7~`q={u9={6OG6hIH z>Cd&Jt~^Dlt!+_On+`aEQXYQ!fi{?`w0W>H+Z8Var=FkQ+s-8JjL3F05I5+Gx03%_=GQV(Wjd4@5LEFQ0a>rlKf^Tl z6wZrt2OT!xB-zcpPumTrHC$U&Y5B)_3~PnQcKylE;i%m#hBs2`$TRm~4McZ-Qiizi;HFZBmO&bc|2B_9@cM9l*wEKasHMx6#oP|;U5@kq z=DdBaJsS~pqBO~lUh`Pz%h5EA#H&4zxLShSo8O=GoESvn4eJNTaT!|7zf`oZO9vCMHZeq%)zY8VZCQIz|`Tbo>D^NY91(`DPfhBV6UdMB+;o00J|-ayRgkG zs8Ac+bZWF8mKCo4;(5CkfLT4YrKN&{PW0K$_W)+AF_tEbMpWy5d128WOw#LBh+ayp z_VV+Qw?JBIvrbxJ#~>vpjvXy+{Z<6taFQDHR)5M1QBk~8N6H*Iq!55M^TIi;YCOXK z1WO&nL5<1KQDqb{x?j$rxTLCmJsWwuj7|rDeYT6H0c&{c?G4mBTNUv`K$gu3eYLiX z+h;#T1@C_i))X-LkZdTjxVe^BWUuA2BPjL2N!0+rI1ZrnOx_-CHU5s|(Q|>b!rHA^ zdC!81$<9XG!QsXm)=wjjU+tN43oA99={FX`FGS4RlM@(>9&}g%w1jz7kT`^crE(=C zsQ<3XfT1F0j`YgWek^LlZMEiW5z_0ghy3QOs%>VxtIdF~jUw)nIv->7oJAnu``oaLdOs9noL<%#foF)FUISrm;dwMiMX;c^wd@E?@o3lEhc1I7al zbk7B{XbiRhHKnA)xEq?1?{_oAoCNaDwYpDMo-UG2f8u(BS^}0+;tP;(e&x*Bi`%(c0Bm^ z;C_|YIi=NiFJFo(R1K)QUia}FzC*`uRMiC2N_CZQUS$VET-9vUAuQ?vt}f@YyQYz^ z_w@GGMS|&6Ljj({Df{6r3w>0QD0vI#`Iwb6$^^A;$>Mahcv}^P)SFbL<6&~y;*#~e zfbtx5*Q}hpej_aZ1C1iNUGb7PG-Mib@vpCoVxfW)Uw=C9Lu8%W8_Uu~?*~|hog8C$ zYo4_4MudosKX3wqmh`NX_DXk*#guuaU0z|0Nj>Hs@Wg5e?8m>T4;nXqjr=4+@qnS@ zp~=1BX5a~wYk#L3hY3oSkOuBiEte+h(}qqiG-9>uBLPMm(eVAvmVQhRu*LtiI zTDSQ%5a4WI+N%`~KgZ&dsvxw9_S(6xM#N+=AcgNvKfL$XQ_XAro85ox2g;G;;rjKF z;D!l&(-Oa$9d)UK^Iw6F=OR)A=vG696Tap4a`2h8@|aDBK5QuiFYR|z@3A*-bG1e= zF3>(&y~{h_$QefJJMlU6Z9+|RvfKy3-TI~3+;{^rhSFmMD2VyCld|^Kz$SC%pAAx& z&%z_aXN4ads^U)cRHdlLQeD*>rer$Ci#snAcW9%XmP=JT4BArHwg!N4UUrd^t6um_ zyy1Ca7E8r^$jCwb{g<95H30jgOcopBruwQ_wwYWQP^N^|o~4zsmK&oFYkScpS8}E? 
z#m9gIX9|Q^jtZRK=nMk%^z)RC9R$;)Y=pFNjz7|L={+`b<7a`4keZbBTH8_Vfo_h{ z?U6J$$UA!E?Gy51wM^x-+gF!+evO}Q-&=Jz7?$NHgp-5o**nsJP4vG71zsQC>{|SN zY``X#Kh}$*2`Kh9yu!UO-`x(aC!^lxHg#$Kf*JU2uei24x*4`d0{5As#H%a8s&R8# zwl&aA79JAa3?6vVik1wZl5F6?6g;eaZ53?1sFK_%v80{;ZbrO-@0PUBM0Vz(^&?}A z!VsQ1*-BHkI5e<&E|j*7betM*$Tp|febci(m-%L4JM2Wqx(+=NsP@QYCh1SE+HN?~ zmGw;9YAcNLmujwXYQtp|7-aR7BBQmW8goO;CU3%W&+q4_c@_b;{^I*+0PGL(6tQHO ztIx8b3{@Q_XK_M`>A`60jmx97c7i2$iXqtKUsJVu*|66AD!tceK&Wvhyf>Nk*@so+IScswH(jFzX`G$U$o#%F5nJPvhEq61s z#lvmAv1Jf)?Q094|Fne|5*2Ff)X*EqPu-t>z<+#PI8V7{f%IEV6Wy9lfdW)&VENvg@3SCI(R2H~0Zp>L^Uc1F1=SoIF^` zjU}U223pMrAU!dF%H&LdQpnk%*$d+eWoB}-*Wn3;b=B*EM=y?ndA_eYS=6g8 z+KUThpc8T23y51b0U5_bMog(OJtXqR@k44(QmztyOvA+zeq+(Vv>OM5R!KJjt^MU) z2o&`as`o*J;d<}-3K=dv?$&yF;sk&sWEBWQ-9oiP^!_DXnY86`ex^`#iW@5 zSOnsu`;|i7aGF16`r>srwnm<13s|>qVu9Tj7U>!1dt7XY5XH=n78(+_Rhebxt|@rc zZ9ac;Pju~O*W27#I2bQxbd;|*VRQgp{ic#`(d?XcW&|XpkJ>aET@PER+s`DCEhWQt z4I2z@faD!Zs>l<*u082)4eYtK2DcGipH2(>)WfcBlGMKJ`bIF~rf+!yWcXcz$@P(n zz=nLxiA4d*$}(Sd$EL>tFae#ez46Hqd{Hw|W{XIo^*mZ%h=!m$0UZ!ZoVIpQaU)MI zad8c`&>nzYQ$t4r|B!MWHkOjdX(NGNsj?h(asbW=XZ=wAQqj~}i)Ep$lBG3?XYFck#}tM7Jy2FWeehBYwSG zfm|ExkXoTPJbNV%kyDi>mwV~%VIgZAgZscqs`a{T(y6clkZcJLo>`IP_q}O-*fBoR z(_nB6GG#6jvKFg5GcYSmC4`%0wr*GTZ$`1w@mPy&z%$OZtd7Y!KsR1IG5c{hC zDsNs@xU@_!;NNC{AaE7@S{*;sg_zQMMt!ZODE*QRoas1mq`e!p!tU7Z=h>udTIjJm zKi_mHkNLy*@v>TV!tm7APXhx}n{kGvFT6Atn9l14a{ksI=;s0+8M@AilFj#>=e|yQ zI1WVh#BN!k(^g>;xSuLvW|N@}4R5+A7S)E7}7*_U>iiLTqP zz1KCa2K&m6KR0L*7Dp_(UGwdU!$s4WvB6X4uZ=}(>VjYwiu^I8i_fa;bY_8&^X`Lg) zjp=drC>PzQqn9c$DG-BIq#VA|Ju3H%8H;ou!s^Mzq_-ggmJ)jS^U_9u-{u&*vSGl+ zqk|wMq<=4y@*Yp;r`q#{#hgXyj_BNXH1KL2%Q)dmhwB>Ppg2@$Kq$J{oWE`Bi(5+g zwnkBzqDG6~eBjw+wS{8-ein`($RH1g^^K#V$o^ZmUix@CDM}v82sg7h_i8YE94i+~ z3(05sw=rfRB=X}H4U^AaW)CO6C*^qAtz|2BvNeh1sFzWzd(x0QYTT4Y8rWqeu^&61 z=Ga+%LI2|YSXe1xdu5^H%PltiiMyd2K&o4GUt4W9XRUJ;R&!F!jwX_%BW<&Ao$Yunjs?yKwPvLveW|p49%=GVf)c;_6bP!m z%)ZkrU};#RY2ZPxm@?wDKZCxS2qttS^O^9b{auA-d7FdhdpdA}8^5ULE<@VdBfdT* zmp4^QJhmEi2d0mDK#LLOs;ES?&m3) 
zEC`k|1Kov-+Uvr{4eOHP*`lRx?Zjy2*DFArp{#bP1SH&(?0N@aOtGrp3ZH=KZTRpa z{vZ(-H?t{BXe(LU7d@z$cG=O3;$Z9EB!v5otV{1Aqp!A695eIyov=7F%hgW^ zX6SOSUcJt+6V$lS1g~(}TPZelZ4VnT^sjZ!r6M3(i>#95^kEsFOT>NFr4ww2Dpvuc zQr+e^*jq24ezN!u&`%^f{2R8|n}b)>xg<;T+%+Kl^B@>LNl@|EvJB~0r@-~9a*x3I z`c_c3yrv5LiU4eXUaW^GQB|6w8z``=ia0$?zfRGA5He~_{SuTRO&8dyrCV{BXnti$ zps^Tmay0rfC6-ht>Ah(T&PS4K+uv2Pqyh6rvsn_V22e+zN%nmKc(oSI`(5P1+JQYU zC5*r5?ZWT_G<@kPA+%gcUgJ5gmOnIuN2*?1uYWKB8N3bauXSHIR#gz}lur|xwrxJ1 zPyio|6{EBtHpDbpfM@#+B!KN%EonKMI(^jC)Q=Xgq++)B&&Fr7Jfy#` zQsW)~Td{EXo!WY#u0u`t^2#Arc}ulMUWOa9MR*2Hhg7JK_BjgxcJ=EK!@mMkUQf9V z12O##L#g|v5BmpokWhgZ9_n7$2H9(teuq10ybPKN`P-z$;Iqw=WRd_NL_|WMi8CJW4J4WC2 zy0-wTA*2kEM`W^-ZzW-MP-Wj{dL_Z~j0fzUZ6f{1cdD~uy`z{*;7vQFz znpAWdzOXTF9uNFm7VT5RlLG6^%DRXAm02x!+EEjFOA zl0K<#3dWi8yOQ_Hc?GuG)PB7A?r;(^z1sz{A81fj$ExMcIO1@cMK=ysc`4~-0noplep!p zfs&}240Q#j7=^Y_y*g_G?X_cqHc3vz<5&U0yP&5)sJUn!I{BWnA`9lm@?A((@NKG>gRtBwDsnMVeWVD)NXXKaOD?qpW}rj5jgAEps482A`( zA**30J#UNUO>i&aZBP$jwWKTE1`e?-kV@hS;Q>`E+wTf%eVRMG{r5po>phNs?s>Pq z&74jEvwtO!FGj`>Xcr66*a9!iuECu+92kzaVvzya_Z`Dvx?TJ0NV)x(q?41aE5`({=N?`23nmGr5Mz=<2Am%)r{8hYRx zlcP22R+u#-2s1$bW*xidn{BAHcd@Fw6q!7626~HY+L%&(SOQDhEK`8-rr$NzP#h_3 z6B8R_a9`PvMJrKAvFg{@EG^_6{{Ds8B>ACMAUGR^Rx&nu6BKeD_M@r50&JpDCK0Wt zDZ?ap4l+ioTeq_HYF>59D5JMLabI{BzS%h5mZ?$s(|9O4x%SGZkORb=3IlIIxc8XQ zzs@4wb2$Du{g&Ech;W$Xem>N=AVPTcwX%VQ12+zD|Ih}B=nNeV&R&&rA|gl5cxu1N zs$~1w?g3ryiJad1<5j3$bzg2{;2(}2MFFc?I7B=(pS9Nc{Y3GrG)DxMxH&EiVZB3fs+!kWEPw4T-^^$)IXHk#iV2>A-_E_167m-1d# zNb$_ltsiYO_!a$x?h{8zd~R$;0rooiT)b6tq1P~Vdy5o5lSEwXD>(U}p{hG}KIz9| z;XujEu-xVDj$1iAq#7%9F2Z11@{)ToQ+u+sc@I^#r|;ua!@~&y;?eH160L@240|eU zWN$PcQ=Mjz+O;=ytXW+e?+4YQ7jr4iVm&sGfMvy!4KH5RRlpopP=3}?J zG(r8!-jG*Yd%k8xz9q>BfiiUZh5F)D#4*pO0HzUTR7s=;!bsMRiumHtmE1#tr$jH8 zPS5q^-j9K!NM_BZ&4OhBtCkbU;Hj((d86$EoDijm>KdJ~DBdq5UA8o`7%)Ui`&G}5 zH3eAqvz8ui|M=&kw_gSP%UVmehd1Bh7gXIHPQG%CP|w+Eea4RZ8l18ZZU#+t;>X6p zO8|sh!IS*jlMdjo2{!W0c9qTpn-CNIw^BP!g_Wsv^ZZhCr6I;XMBSrnIXLqU`ywQr zY>z3ADQtlw_0 
zQ=Nxj7ZsSuY_HY^d_73_)*)FwzrQo&Le<)$`E;w(eNTH!e^@+(ckMz>A#r>V(L{ou zHq>3)SHaKs70Wcuni<_n=BxIqD(%K8H3xOTNoGcM88OjHma>GobW~}-rg7(O3;c(# zQ%lxG8-qViJD&h=HP>=YFeuYo8R30EhF-2$;~Sq7VRl8n`Ut6TU= zeh%AnkYJM|)p@L?E!6e0?agD+nA+F(MrpV6gRunQ+T#T9Zemk!oLPH7`jX0aG~o3ZZgE_|D9+$YP=mj1OAY zzt>M$lpC9yg`m<98B8RkeG}goXYh_ycWs|L8-kaaVCD2Sp-gWg^Mh(Ka9qag29I2r z9&@wv`4MlvSt*W)aT7q26gg$aQ?9Pe*ZZ+*TRsguCnP7=F;&xVcTDDcH#MITL>=(! ztjdB#e!C6`;kZ-GoN6?^G6X;lT1-B+tEqLiGv=+BafThYVl+3&k=H6PH4g@v^Z9)} zX5tC&k!g)e(FcI}j5D3!Q_p-^#;1m}R+1d@u-aSYHXdgf% z`um4gT{^iw?I%Q(aDURfglsHXd>;Y2uJ?p9dL$0p^c2YWHtC+h!WQc5;+fh`p$|)7 zp4#F8-&g5CDZz;drw2YZ@{Q!9 zYV+vOqYCiwU*jWj864S~O`ADw5Q`_o%Pk*lqDA7JG#kpC@%f?b8;uX&KjZM8Z+Gq3 z9clN>86-v7E8D3b3v+<9^j**f@1uU@Up|wa&gKrxKS|?ptFT)6+EzC^VtqybHwl>K zeL$b}P@=X&Bp5ezer2sgypeAQbxJ`kzU#QR=!_wE!=w{QW)t@No@`sp^*Bj+{;td} zsQz^}!=UcKY%;`LSivQ`p_Zz1bSv(b>&r zO^g@)MDp-yzd=UlROiyz31KZC>*b&>dYd6Eseone4iPu2q@~)*fT*>CB>CwZpIu}@ z(br((g)E~?^Ql|fsJ6Tj6j-DFg*gckOz%C*4ov{XBD&(S2t;YrijqW!ZP&1Aj2 zX#?Md<~#v=g_qfGchWt8wlZ!}IYBJVSTE}xmk2@ep|S$+fJ3$Z z+Wp$@&8OVebvliUSR?8i{FgR9t8BiBicVu57PeYDoCQj2jj5}A!+Sr}nCnF~M~R*{ ztEHl$4?8_iT#uzorG?5;QN$m1`)@v>y52Co$n}ZWKId5wq6m*G&t+cGVrs6fjPbUa zPZV;o)&^%IoZxHqQz@nB7uX%RVUc9^IBjogB`WercL@-vIRi`|I|XiD3~<;+l>z>0 z1rEqYZmvTaKVPS>CM*%4Ep|-<41bPZt^pD3P1ItQL-@L6L^PnmAam zs;7d25hjcjTbO_cbMxji6r2x7b+6T;hAr_UrAhGXzK!K8QnzM2t)t(Woh@b1W+P!? 
z1+}V_k?PFK%G%>QF1+-km?Wuc!{KaXh?KKGXGF~6VJL$Sf&OZMza@?DjuHm^tb_}6 zA9|XnmwTg|v6|zYR@BWEyXKS?K;xYIMxPSk{l0&zsFvBrBEc{dm{qmh?~l%$0hZIH zx$jBzL1p>ncbrMbmRcTPrjj8dq1?z2;C^eA!%b{ z6RCX6#p<2f?ewv%lZJvHm`3;JYJ6}&)SoyInHfM@Ee3%KR9E=Z59NZfU$3ahYHITT_#T&CW4N;w_6fzbr4{%iJ)14OW5H9 z{Ks=!3cemyjlN4;mpeA+EJS2x&nvFZw;G>wo7V%}Lx#qLVkwx$ZNfm)OD(4NC6%I$ zHBVYcWLV9zlV>EfxmnQ09%e*w4l0(893TX!ARzd{QBSuAkFW zCe`EV&NE$4&~Gf4RsHPbq+8%EN>*L`vpNgYq!&3MbSg4Uql*wNR~niZg{ellc)7JF zPpebzA4aoITwP)tjoQDifE>Q=lWjE#289?~_(U_1JvR&{4I^#LH#zm5c7L!p;~`+^ zzt47E<7sK9?KH^S>^1i)^`N$9MT|oRats7bMTi-9o=-HZeD0e9442KYu+t5kVDLnY zQJO}0MB}*jzA=dritc7_5Ysx&yyH=K-YJJaNT9KoQJQ-}NcG)KQ8re`{3|Nv~=42l5#W{0RJT`x>xlMn|>p3G;w^0j> z&4!3I7V#|a@mB8XiOojSmHgsFxQrnlg~J&J<< z&5!V>8>7&J6_sOIxjhNvAQR1bF)ig-MUdt(a z_h9Y{_3GvEJ;O#;jdb{LBtakJ(ogJT$j7I-&1Z5ycUOc|%o}BWc}Kk+hqg&``FsbN z3~vx@+Ci$vKYTnh+zg##HF%)zb>i`1{_|&e&xK11zT%vw2=z;4wo-%CiS^|?Kash? zRBrzKM^IZ9(tJE4VK67V^e;KqZY~UlkzxtN@aDu-e72mM1P7v9H;bmaI_KE6=GLPU zy--Gu_l+qpZsMk={zP#I@7Zp3hx^TjHrtehtCWJXS?uj|WgTLso&|ku$m1XHuk_af zBFz`NM^tjFicHJvJC3oM=`?z3tS*kjBy~2Q*sRK5|JiB5{bV}}OsrpCmCnbBuf(XP zoZzW^1EyjZMfQ%Gk5udwEX_Mk`2uy~QDu-!$6r6cH*8aREE8aEa#-mBet^vA5gbUp zV`cx$pR;noz~I*^!aiAsS5IZI082qoyNH<%lxA%NXa>VtmwB!o0H6=HIc5=O=!}zW zZ=kEStMtyk!$o)P{cb4p{?bwC*>sluAQXg_^QMv z>T%C!KWZgu=0Y}0^Fv>I#L?PNOjXosK>tzL=wI*d2Y zR`6z@(+auvN?u?xz$c3|cMRj`pJ^S)L=PlNTR{h1j%{rTvlwLFJ=zNA2S zIf%4*9*Nu4-^gC<3VGw9TaUHSw$7(gcHbpQok`gpGu_h3CiRV%zNt#NL)vpa*;ZT| z?cgOidC1zEcsjv7Q|(Z4t|6b}Ax*njN)5+G!`8;F3cY*j>g%`op5oEB%%lD0U-p87 zIhKJ8|6mqLYNnUU@m#%d7h<9Nk=stZ)!s>yk0N8R6h0@mAqK=>58353^!LHGz~{b2 zzdOAYnw;~~haZ{=H^SoerbtDd4&*T9cGrCkbEW2)$`83DI7!Im?=W@xY~IMd^i8bG ztAGu{yi*YDIY?{V?LKK|O?~~i#`DRpM4X0KJtO6+`3iP`1?4b4n&hngR4AOZ%2^(N zN!O+lX83l@0yO_8Jt!{F(Dy7CNTM7z6|1Hd*}DJs8=N4%QZC^oTaOhzDWfHmR@7XX{7$9Qzl5J4e)E~d0K3IL% z!C&)i5xYE6z4n&=E#@~qho7(0HIT(X&KUq?VF2vjJjZ&##YkVB>$)W{a5p^lwIcqyzI#StX)UDWH9s%%WkAK`lbdI^fT7-`%%hntKH@m^xG0Zox09Bh~ffqEhC_XvH zplt-uT2aG+WDarl%CHkq8+RP{0l 
z9ZTFQFxdSe`}pAP{tb2pO>iTRN>67?Ykr-LJQsc8RtZ2^g$H!UllPgl<)x0gbEX{5=EftD!ZE3lz!88=XCSErI*B* z1WdT2Y)Ql06AiXMBP^7>S4@+2Z)R*#a-y}~s!`xV$tfB>g|i3uZ1FV>^}_ODwSKL2 zTV581*maxhu5H*$#>{6VlfrThGslUZ6kO$03&+3oCStC)FOY1kdngy@u3E^4o#$Oh zK}A9`ze>6XTjPFOe(-bl4ZD(-8`0r3OT5|Ei~iQ=7Li_Qtq1M@($WlyWO8PvyxRSw zNVTppZ@2PGWzmC;XCl`oSJZfxKq1Q}Gh^SQ-JD-w=Z7WDQ?eUn4Q9hB9aXx`ISY`F zPKOwnpiqrLZAs%8U)@_7Cx48z#gaIgerM`0`}Od8iqbm4OGN~i8x^jIzXnZYF_Ows z@Ck5mELWN*d|_6}yp>xcdG)FpVT2D1SaENxSV+1vJHhu^=FOJapveA6TLDJObZk*j*esvJv>K}hNRQsDR0KYqJZfHxc zlHy@S|MK*v5{FED6)?CE+_=eQ6qA%;hxKh=#5!WlWN!PMb0253w~0NOQc%m5mHO-TR#j53>}jaeaS?jwPp zAB}qt^xhP=05ZN{Kg0`Ar9gtP2G*9q&*GaG)4%9!$I9%FFrrG_+X^j{V4zybTl z%UQR)Nt4>qZXzx+5v)X5#;(7if?2|d=dH38^C3uM1#%+jPBzj?_BBxE^wf-Nic+T7 z_1^H56O9-booC?5Vs5e21xX&>NfB(8 z?}@p5FhCbR#O!#b&n&c2HjP_F=}tGqHE;dYZ;=QS911?JwOWOCy2Jq zi$#^>cj!LxU2Ri6z`(FuR9ptFVj8}64)Dp+T*9pvKW{<-f1!|ekhKxp0~SqVU)e@MP{7$?To(qzZ>;ON zanPBAp0qU-c{`$fu{-Vk^3bx%GR|~{9L?+=rU~O60Sr6`w{l88n-vm?Lp1nB-;o^>axK9QYt}m1 zm`73KPOEbEp(Pd!kBTO(@>5qk-_J$Y#`ZA^)9RZx*!98v(Oi*m8`$S!hU_o6; ztefrX{ajV1Ba!@C))d;sGc$v-!;rdIiTNv|yRq?we+nsW&8UmDGJiIfBT zhLnzJHuBJ9AGevcJdqYa{#1^fDX50*}ta;z&OM z9u&@&74d%V??4^IAI?z)YX{c>dZQT||1?*KY)axfJ+wt441Pv*=A458@R#605~QqmI(TN6 zQMBK4|2>C(uVmRdecD#6#$k!C+t-P>xct6Rw{L-cFkkpOyu>$J=f1wjR#NV`_sdKj zlFh$!&5mzu^DTiI?|pX~YcTAb^eVMhlU+W-8@l{PQ~o70{dk4u->u(^=o-h;&xWHf z*Cp$vO&C|S#^~wef~RsPwNd$Jz9`J@<-2)|mEuhfIOp)C0R`K5l|mcZTDW|bMBh`{ zaO|<+^-ripzdvki?opNS*B>LDH?Q@oTqrdjL{(Q_0A`w9Af)ckJV3DADg6xK5!G|=E|G8!7`;0PUOm55o+WGN5w`d`gBA>ctFEJUrt2uNJU)s0HO3j*`8Wl z$CqEeJ~4*zB0OCyQruS8!`8&lx7xB}YRE8~n#XWGGHd$^m6L|3@t`|axzRJ@W^vki zF^kZ}u@jHpUb@pK6Vmu|P;BzagFZ5IKR1K9q<%_SDgxD0&O%mB2`+W0N)PCKd9lUTqUm^i0VK&@wSL*Fr40j(idc)r(d2Nt%Wf{(64v_{~p%0_<=@ht0y5igf^@AZ8fHhZxJ^^bttB ztP=qlWYSaRufC2yD^V%rb?{TNV2K4^7lPrmm|~mOpyaE4XUu&29zxoL!GpAL>&URX zv=*Z?bV7MyHKAyy6fa>1Xq(2zUt1^B4-bP)>M{lbJEQ_ZRSZAGiKyt=`anfjR*$6u zL;RhAw9AG~(s@`H{0jQ(9+8FJ76*64u0eUl#Wx;Oj08}y?A#uCj7)Y|^8 
z=&mcZXrleG7850gCHS=o9>6_1*erbrkO@vGd4XN-X8K3mP#83>N5Ht_J{-VpkpxXx zVxEwZKjg*vpA}Se!&^{yC69fCThg#p1SDdxp<5%x!I059dH4Ry)64MP=FB}rz+I7! zmJmVHqQl$37ah+4Pq7UE=ax?9+zj2iDc$NPN_902X$v?3MZhP|m#@4|Y%o2v;q^3c zzM7T>f*`mdqIIs{#U-Z8V|4|589<-(PaPhNME=f7N=!tP(`-Z;*ITx zR=@DY0Z<+#KZi1{|Epa|KBfDf_e#5~6%-aa?##eBSVbfMH*m#k`Wq>(zd^<$!22!@ zbXD25w{-u*Lj7-Y`PbPuaowi_Pl0Pd#_j=SI?s4d^*`F?-;f%g&H>JYmN-Q(4uGJz zbAzDxE%D{w^gw?dH}nABfQ{hk51_8{Zk$<1KCd7C$A6Ie?O#{Ru%rRa)#*k+{I{sZ zf1$1ZtCXKeZonlt0FMv$y7s2hPN;IO{=)+drvUC$zWn(d&=bp5pn{S;?v4H@uv-BO z@Qmu?`f4P%K*>OH`gi?w{u5I>RuU*q)%h0`PzgA|SCM>d2mQwepuK^%nErfv4`_g! z=iQl(B>by6@ZXy2W(Gpv%s|OZXF&IU2vk+&_u;6Uj`(kF^w(bjXvO_dGg{i;@4OgR zyLsXuk(K|5S~~!|h^yQSc))jM0`F(7F)1MV4_{F89{7Av)r=L-ouX*q0bEYVYySh% z?$fF?P-u@6*3!?ftLcFLz}6Tm^*@K||NB6%V{h;nBVpO7CzgRgadeH#N6r63jTWc@ z#fe36kKx~X(gQ$P5(513|3iQH?Gpnn03w3QN5?9B|4;AxSEasIzbQ_iUG~WT{boy@ zTcz^}YF{KxMo)gv{X1RZug!YXei@rUhtbfFS2p?&&-X8@BabLBSo8L7TmOGI{C|^+ zJ{8@tXk7HAVE@~c@z-JuAKke!{0;cIzBZ4x{QTcU%I#E~dUbVFw_yYMTb;MB-(Gf+ z33GP+_O{~@+qNC0Zudkbv58GcWkn;zMl$D3rJ>}tg{EtfU8!jEgYY7u$)0%(w!E`{O5C6&I{r{!V>I%cBgQt=Q z;{q6d*USOk8Wkyd?WjonhT1|}+vM?>Dtm+IhQ0gnl& z$3?XE!PT!buFhsgW!sct$F+xKeMU39hqrp@T&?2ny#M%rzgSp5$$%_V;O@DzzYd%| z&XN)IQNGRm5Vo~rJNnQ~4Gsd#`u%^@4b{|c#cB)-jNy{fn5OLchte043DMB{1HRbd z$e{nbAV6V@SU$-xTQ)6EThZ4AbF!O!a9dKpt4`y60xzOa7yY zK>gEe7%9(U&zNXAImh7~ci?8Tl?h_=0v!Ii6>634Ddd&Bt3F@6vp`_jNa zZ3@#{#0JA!-;|!Z`M zMd8#idAx*g+%ny8y!>5a=ZkCja}nv5=WwQi_^l<#nwtXpETP{B4h&vc}NUJNgF zqLg;LNPT%q?W%$!p;hH7p+Rl4J{4{|Gg)>)PgJZg9>msdcrr8m{n^7FNU@&?!Cd|07G1HMgvIX8O@u zBCcf#m>@ySHgO=axee}Qxu+(dRIe5X(q*d7a1hiSuV&FYKm8bn3)-14Mg!8 zN#@>hl)vXmPFI#a5Sw=N=^k>)@iZSN3^C3;eml(ROZSQG4$G2=RKY{!=ZslP^{yJG zhxM?r!d!w!4bnHw3;FySM#3|HGi(n=r*WJbkH7I%9o~J&z1=GA-I8*)9us0O?MqQ* zt14LTR!paHz!faLiEz?>b5jg9S@fXtU2>Ij4B*dh=;-jbAp3SwB zAmUl-W{dN2Bim&hK%W}ZTFur-*(4NHuHrVGU!+5SSP_|yg2?-BBb}qk+vvSsX zT)C1X^^Bb9H45^Je1lOptD^^_QYKF5jJ_D({#?k9JD)!M+SA{}BKNLD3=OUrrsqPG zF({s5=JH1UQ2J8mKfd*LkfQgVr?~6Z*~C&*P2PWg+@Do)E0;qojj@|r1a)tJgWs#? 
zTy%^6(Qe1SY!327T=p=IcP00+r^;|b!iQ-cckK8ybZCFcG<<$=xuH=Auz6WccQrt< zu5x<^;4O_^S&o<~JAoX?n5N)3YT^o|$!Jbem&2`+oZyiO}ikLOvd}D}N#NSpuBs z!gXIunv*$9IJ2gYQNjA|=Pr}GAu)TcIuSH))i1&6*>m;lAtv3P-<^9N_H*VK60{QY zgJf8SgnZ3ft8>1^g$YY{A9ofq$}rw_uH_;skUMVM*5k_1nUh1 zX9GKq`GW?xtF=(w0Fd2 z`7ZlhJ&}PwR#936{Y*%W)m-g9|R3NIkdSayyKyE#f4sO1mbqRP=1~@a*8%oT`ueP;1p2m^g{H z=5Ms>>3;UNHx^w1e)VxB>u7!gS14`lW3u`<9!JKva@Qt_P1md2H6L<@aqwb4=@*o; z1`6@wlCv$7Pub@@!1`vwHBzpe2>q4@#IF9JJ~#_-GRvP!?)%uT>N5~!tU}=iwjw4C zsNdth(qg~uO1(=uezAtI^Ib4anf7i8CvVm|-$@Y~{C(BSMoqD9KC_Y>s}^sB21SI= zrzX2Nnv40yyyK>iBsuGVOr-a(#1%92#-|TBxws-<3j6RNqp0BfNE@xOLMS7-LSHn~~5&<-Msly-o_n(J59j?yJOhmHY zTNcA9=4l7RfknIM?k7A}%cixRL@2t^FRours72FB&=F2TPsS$~vD?zAI6t_xyUpgc zJ5%xvTVB7!$>G{ zUk3)f;M$H~VCr@OyWDM*xV2i~FCMOV!Ls!i)04f)yol z(pjn+-9?H2;L&+E$MXp)KSZNVjkHns2MYl;u((W+wBsypt~$*RuZ6-y=$RnVioGsR z#J%(#cHZE!#DN*@QgND|)~(92sz9ev7STF)cyqFPk(Zq;3y7_FxRL!)psst-0#nW& z(Lp#`CgAmmqYuE}8VUSezjWYEQJ;uZ-MLyn1x_e2Z9ZeEsw}q#F!KnX@;~P_D?FMm z;e>_e;wIZg|Ay;+i&$gW{hT&>rQMJurr&h7^4)F3PEQ>@Ssmc8xJxM@Q{lBh?UPJA zElrU6?dw`*U<2Aum&MCgbRb}7w|gSm7PzTQNuXbKNn7cT%yiVF5{|}9lf-Syn(kF& z#x2h|ZnsZUk36;I!{WIXS@tek*%jt~yp=FHL*hN7plX`rsKoyr+WE)COyl0D+Po({ zy~DD8GNLE8>FS>SVB}~x)z*v=+j-&Y?g*=``oxa3RX5|1kMQ@;SO(oP^#>c^6vmaG z!Wt!ea9Qha64y9!K4+iZSI8*#q-$H}6${-NEDsE)@5~X{^&csELL$I&@rPf|?oYO%GAVM>WIsGyRmo~q6{|?rd6c+> z{#PQmP029xQ3s{rgy7|*aYdmrxLL4OqxonV%c+6-D(9c0qc1um(n)4Nm%}QRY)_?k zU1>^-i(&&0Sgd^ioC813__`Ex#VwQee=M9&=8J1d4uIKoibmDmY{G%<^X(Rrz0v5$ zmkVJ_DNmb7e<JtDjA%x# z4MIOV1b5tnk=m#;3>Z>0^ICa02-YA=N2etV4mf0+92csAeg>u$3YwQH54wwjfqsG@4s-c;?? 
z!WxgUpa`hz0T;C}bhDL3vz`Q`9~9*_%vTk90DxW)^uEN^3vV(v;Z28FpQpsEKC>_& zGw4~5)|~zJSlFDp*5SKt2Gc@5b$^UHLr^r1dwBc%u?cC2LWFL}ZJ5w|tO}wK-pK3l zTvR}+@EMyqgPX(CB*l&cU?N>{q_!y*J&v4H-hP7B753iPh z`87t>E@rk#7)boK>3yWQK$HSN6AuA6_TYo-QYP2}_TylmKRDHS(4{2_4K&LiZ-{_X zvd25yo{2oq@c9r9Nc8HLT=N)x*$ViN>URO|>dHk6X(5k!pX-jO5bL}E^eYVTko(GW z$K#%LPfC{0yKn%}s|A#TZsx|aFDQ_y9%ZI$tq4WRZvC7E&~COIgSb4Om(0}@E-LP3 zf+V9@p-=_r*vJY>{)oRrNG)t@!LZ72ZzWIPey56E6>po;QPpK9cqh&4)tsb6+yd*r zLnr^TPX4DOzJ2Ca2@|s$*0D;s2yKm!m^2_i?flR_t`68}=85mUZ30f)6dJ8^v_^Ti zNq}jLHra21T2C6VcH#2_6Wh=4f0oxr1UHfMvm@`SNzMfF3jC5V4-1ZSYGC9IzaMSI zFW)e(VXRzej{g{w1zn*kCjv)n0%}qVu}Pbf?guR1ozN5ES`SJJ?*>)Q0=0>K)#JSn zzJRB~#v2Zs;=Cefx3Na}0U=ZO=WU|W!RN@E2MYnTf;=75B^?tk1(;dDR|tRq;9X-# zuViO1T-9b`%1Sv!7Qjuz?z@!U&)L79&67<>sy3{o|Cj6j&zF=>4`O;H3#ANgQc_a* zBY}=VGd#vg{!;WPxbHE`&?}>>x(2bGKh~7Ot<(nuzsFx}d0hL(s_2{yq&TgS`&`6; zwZu(s>+Ied&-KZyi650bils$zDse)JLE$lK(zZ{oXz>2!8k{_L?aCPjR{D?5Nx$)R zF1UsRaC3Db(!>bClkhpUZ+Rebxy8@a`oj3}VUROmNPINX-Bq~9z-m48ma*0T5^LuH zTM^6qN3FoFHuN>kYc_N?$qrU{ z$7;^F3|TYaRJL`Gh%0Jr*ZO|6ejWI(v2)g$&aYl&8QFRJeJQA_B!1p-8&H*CqL!ie#k9LZ4+f`jdfreTDAD#t{N7A}6t>Wh%T)+6h z=J|tN0_Q2eqXW;(gR41>octXW`G%$Q|K-|#@2oPyPbgThu&+J*%Z=ur_+#Ja=8xqi=@ezl7vJAlKff zCo;<}(z0;<^WA^dO8N@|A!X`TL;YV?;~&3X^wKUTXcaalC`HeD0{HXnvDzb;!i#|a E2W1a9`2YX_ literal 0 HcmV?d00001 
diff --git a/src/img/rancher/new-app-registration-2.png b/src/img/rancher/new-app-registration-2.png new file mode 100644 index 0000000000000000000000000000000000000000..0b33711a38323f11796f16bcf9317019ae31d393 GIT binary patch literal 227671
z02noUC~zeg`NRlV5BzfPc;y-Yy3Or^-S?Zk-5evcpLQ+eS(;43|nEy8j3$d>{XP_TiiWKud6!bz0xa#z{2O}3~ z8)c5&AsqRTB7HIuoSl8mB5gl9-YJl})*Hj?y=akS@W-I{fY`NH7fvPK`LIWY5+*)) zXGqel&)e0+uIk^#{zUzKKs)*XM9TdIr=_CXLCwvr7QvU~?hjdBT(tQtS%#ExdHV|y zXmI%^FlgpHnze?$33y^T=Av}-BJlNg!3ZD0+}N53*AA+ydH6 z1n6WUrr7um833Hsmd9D#)4(CQgmP{h2(P3l&vDUo(HjPxb|j%V&A!)0zMymv@vDP1 z|4?6RisVPfouXXJ-K4ssoz=^?$3K;6MO+A}Wv&Bv@IDZlM(W{SZP-*=aS@C*K!X~q=gDDR)_oCY7E3;STGHS zSo^~d~3Gb&{{YH!uQ*1ED8sleW zIf zyqzk??OvXFmMT(EdD?;fBJZh%;s}%|M3kmoJyc&0-XJC?@-&Y|Dze4NOkAl+W$MC8 z;-~)7L^P8&A~#Ia8IpzyzFtX3>UovjV1}H{{f(*2kK6#DfYcD)wsO|AXhzoxSjo*1 zE09eAhHDzhT0!p0+h@DSqadcylSLW4QxJRJQ4<5%5May-TqIL7Y~-2iV+nkEJ^RVp zrgd^Fey?r04EI(H2m0RtRJElkMn9us*#}Rz`~nVzOL#$mU|+)=l7whrm4FxOA+7DT z0X$S{4Ib|&C!nNT#EfQVc3o5_OKG8 z`aI}MTzDm)^9y46c8XeXSuUc^is>!e+eB!~pP?WLYMfGwK841xiSG(wxQfp8I!T0w z&U6dzrvk4fjP2$HqiQR`klx;M1G3jD<*xs0g7j`lo)+gTdcSIOF{a)*n2a;3V&i#o zEXPk`CU#cSEP9J?8>qy1nRz+iNu$M1Zt@K}ky;53Xfy5ZX}dMOrtPY7)G`Crc7}c- zZnffpa->PZ(u&oAvSmLSxppU6ey3ao;<%90_qm}&VwwDtnLtk(R%2TlG=4DP%Fxfa zL{Re4Nm4dh|53F|e6C-2!544S6d_FPM5j9ce!wqmcQ>pBV)!2g{AN3AQ#VVh?pa0| zgu6Vsx%qx4_e`m!w9@@Rn`zy^ z#i*N6+S1v6NZ(`o#O?y953h~Lhrz#+%uvLpFrO*lNUS8=w z$zWh7f31QJtgpcS^_%yBq+5P4?S(f}BeRub;V1dUNLj(PFR=Z;b2&xiNr*Y{oEFO& zfB-6a6gC%Z1XX7tO~{Xf;yS=t6Y&|W(Q3uT27wW9krA^xd~b}3!3D+uo?%|BTbt^s ztHfCTgCQ)BrauUM_LQ#-kgAo|B*R{ZJ8Iix*yxhu!;@xkuv0Zk5mfyZAtK~OqBPO+TX1!OLwxRi zr`XF%Nof3fJv@XG?#7vKGj4#{FiehUv)7h8E1<1_eaE)%-6YsuI2eKNC(jsKStDLXJX;bW;20 zn(yuQ?a4_IyQrgmt>uS?59ykmwI!<~f-p03ZKqu_L zukjVO4usCcWSLkiQd<8s(6}^Yx-Ah!v|DMQ%&2RR&RST}AVjo%1Yn4S57Enzkdz@( zn%yMoj?64XQJq!L0^@gqL(@1>6Z<+G&%gO?7sRctr5ek}+e-V1K#*rW1$WJf(&L-$ zJPPf%P;FD2h*1B5OOl^6?KY;SJsDlJOy~5bJXPZ9q^GzfK47tM0kyF_PeHN}!&U>3 z`-uwCQM>)Ejk4D=*@84olvN1y+J{7~^wN4NgiEK>9Gjq~Oorm#EDk3FFlL}0+02_? zs2!1Bt+di(K*J)t;nRph=lJkLmNv_4(r&qCuGxN4bXkGI-y6}0A;<*gJI1_6&1`wi zh>)RZ?;w2BoQKAHb6~m?X>Qgl9mrlhV`V{;5>Z4;hUJHM_t0#{o$FUfT_prHQG;=! 
z*TM^lHlYmXub$o7OO&^Yx^H9E+O?^aLKy_NlvKJRw`m|keObnYh+tT1iLLq|iI-sl z8*8uI1I|H)5;Uwe81lLC#yk+Ffokg=ZlB?^rIC-O7uui!=(bltJzTWaU;unxEqb)r z&>*J09F>MS6;G?NccdV)Jg(_@hdWk}i~f>?Ud2+Ek5$CADPiL>UUd&2Mu~ToC2h=P zx3|LUmi0S^{b3TKKc(E07aDf>Nq>qFstmJgKxjDWINJ@_BBw=6cNt%7)#@uVqS)dM z+Yyqv<)LfMY!{z*r6WstGl{~bP1*7#;m>joU5~GB4K(79Q)$n<_F6wCJ7WwCu<~>y z#ptfqmpk#-9KXLhUVZ82hsQan=8S+G&6EDANLBl!I3xPTq8)582C6KF#V9+326gDS zkvGP^FOf~{^)DWc(H-bx1a734TeY(p89AC-mWJnO_T9BK3vU*$$#YWj*QeZQLQDud z*^Kj6q*0NpS?85X+UC0!Z@*6%t;>^0y{gt7{lyTJ4=KEF6SOyv#kJSoz7LuX(X(-b z+hLCyRsqtaW0=fsBk|^FUxcbFs z7$vgckd?Po(;zZr)o!HYI>wDba?OhjvVh#R@OF}1`kehXCyYz+PzXg|f}C?H)+2|x z8lREhjK~YU)E@#fFg;oRa;IKy*F2%f)ja|iCU$@|8DXi!J^`S@!lsXNQ9I9y(l(2Y z$l6A!okw8qxP1%N1uCY3w|cF-QC--wzJ?mOlU{Q&p z70iNq1Hx-22`V2P_*i68x*IRWuubC(*}t_nZx>kWDn{s{7X^EKV%cJN}i#Se)$ zy<#*;%w25??6f*+-H8h<4i9wyVfBLH%M|@%Vy$9jhWNZHf2Vl#5IC?}HoAo;uu640 zXH35M9w!2~z9w+md0o+{A(&(sZBDOGa$ksZ=oRC=X{2Wk^P7A_!zo_Bjr1H-HnA|l zrZvI%xt($^--u+S*5_Un^Hn2Fhhsdw`uv5l0aXf4 zA~i4SG~LUu7&9$2JVP8kx--IanA_{{ZTtnXkXu%?)$P;GoS)aBL!Xa_)N;Ojgn2}BmV>5B`YUdq5m=w(Ug;h34YnHbQU zs{Eo0i$&x^L zkbcyo7kjRkFWW|wnmN|a|IyAqBBvspmw(=Pqxu{bc-I}>ncO1Zc4feES{xgN=gKh{ z@`K$*Dzl^BpNN?@;j-u8xdqSJ6LV*|YW3992R$^EG#k|TC&s&~ zY{&H(Kgb#u2>0cRe*g39Z)}teDyE)pH=9Z9_Kr1Ss;weLB9JxW1VSvE0}duSSEBCG z=Q|f?M{&0E>$#XJ9gd!S)4n&bc&xbsT1o+a*ctZFg7`@u<%kXwqRlSw-#L|P~ zW{UX^ylCzDsn{eX9LGI}@fDIqLh-d2CEiYhMzv3?RkM@#7qm*r8LMK=aId6hwI%w@ zBELv>U0o?^;`xB_z$Y|((>H&~N@sBm6Nfr!{JOo7oR{-KUAOj%MVp=C70D$ZIPWP_ zFUx3CX$1b3ii5`r84u5_E0pdyAnM6ncg_s=bxot(mF_y9b5Zwa$TWqxb7Dg|5_k18 zUK|txDAUFF2U)h7bW{6i*bbb8a#C`bC>BxTf~Mb_k-M`Q=i`-OO3tFD!DE?PiKr@r zy5;(>yM%ipZDEBuaX5$mTS@Bux-frmTKl7}w@_W=>0;;Z%=>yzD-rQy8`qNMs~nCD zn`Zm1>kNbCDyMU4&TtJznV9PC)WH>O+)LDMHI9k>I#W4MTOa#vF4v$9o|DN^&39MF zTRIKaMi(GjM|IS9Zsc9_TTVKJvtW8rE?oDYUJs2UW6-$ivrGCL(l;iha4a0E$R zB0enZ7oS~UB}A*edmCsp+Z{^mEw;z|tr8vZN$pn%FA`n!@dUft(ivaQR#r59e zarMy+=Lh>rvR#d$t3%xdhM!Y>T*`2E?rBA$`_W<@S^HSB@5153vCQiJ2J*gU!Idoh zd#7D7+5~rL1!qiak2upqO9Cw*dQr|erd=7>BIWxq*YSEdOLH%jTVGe4%DBmedU*Bh 
zq5G=W^8lxkm!bsE#cu}YeswNOo)e>twvbD67jt2Sm7RKt?@fkLLqYV zfH~)x()u=$bm9zIR7+rG5*8qf&2Q?Tv45t^)e5rUox1K|`_I;J9t3GE+G9>og9g(x�BzX1Ixtbl5D?a*fAU|S2`ql z9a)vL^w}q4UHgD%_X@3TH*0(t@3vyd`$=FTpt{`6>fUp850Z3jM!Cj#uR~Idm8tmv z{7G-)vA6-BYXsP&@#poj|k-Hji;a1JSvU+I2D7RCl%fc6sLJ3ONMD)#WAV)w)K0 zwMe{_i75?88ugm{2ISY=N^ttVk#@qmS)Sykr?)LRH;H_&B60zjhz)liAE|K7(CLr+ z4^B-r(z<|ylLpViWpBo5uxwj&SKcT;3^dIQm!)UI9i^$}ru~Zi`Q`+jd}{vKN1t!& zaOdg!o!qzSUEJgmyv4Lu4T6;4;%BH3Ac!q2W$C}3_SCc5c#^payjcu#m{Uwn^!i8s zoRG2Z+@nJJ*MA@Hx_Vmsc{u=8xs$517qe|rI*~H*AhMq1nUt4|eV8+`dmAps@7b~B z7upWziyT=KqeL$gp0R#&PdbQj^ZeTQC6F}NjrCf}IV!rKBFVqwA}@Nzta|kesDN)6 zy)%n(&xBz z7fS&>PX*%+O={MXg)!pX*gc}t0j*)AeLzYhv5{Y{9HS6xsnv36h}iVKIj2_i+Z&ES zJMO_kowPfWX8Od#ywrGvt{7{5y+l4gY;4WkYjeZTJlU@-z`%BOfaXP)%P*Psi#OxR zch3*VpS?>Gb7fU4xkcOMw;#`5+#t>z3&~_G4n*h6Y{>jZH&?{*DGoBr!hD{!Z^L*` zZytX}DeW!RYgTJ=r}AS&aDidT35-@Y!<@~-E9EM(!~mby$E}ml{uO<^6i!|}o7-oT4c$Q&$jbMz8ODEvAgeNg?X5y-2!=Xb|9lugPCx4EI)8i=Dxr!y^*JfNt zu1A01f_oc+=_#?)lXX_aN8TuMyigqz=Ofi^n3Uk^OfxTP-E}PB4`Ggzv`e2U-c~{l zSsZVBZUu!`Zf=a1vZYPL`MqdEQYx)k*HASQ}Gh4p&3mOHlV=J#^BL0K;Xn{56TA%n+^zd2v3ADUrOqN9P7{#OW{i^;6ZI9X*WGb&v| zE)K)0=OglzGj?DDiyiOAlrIpjm69W31ij=5g}qMx5>pZBaD2w9 zwpjeC-nd508xqJ!Cf@st@cR{&&{T(2iHLRyZ*ca!TW~Urwb|p6d|sUu4>t&aO}5+b z##jZ28RNV;GN%*#TAK{vgKCuT6*m9DTJ$sck$jLAgjRdxEFbH&vY^c+mY0ku1IOsw}D_TjNuoC1_?z(%&=Z_y+2Xx2ku z$xzOWw3+5!VfgJ`IhI2$-4(gHlFVA1LlXU+wDvw+A5(_CSWt*DEdgb9#60 zD8-Osre9dMS(WdZe+`$%^fMHJQ{6*%!dtEoPg%mzpr1CLwu|aDtkX|ijEKkm%weqKIxyUR5FCol@;s?03XI%Y$%7s}nf}11;Cyyhy*q_sSiRl-=N724?w*$3 zpj5-B&#=i}((7;==;YWLY0y{fLYLWaKQ$sW1Gb(%xT-Pe@- zJcfwiqE?|6@{Y{hPL9uDJAB)BI&@z8I6ph!=nB(%EyjZ-N=>FMyl`=R<19 z>>FzVk?3%QBjXu&E(YP&jL6E5GN98PyY(}0Vpvp~YyJiu`6zdPbZpoq{X1o^>oNYe zWRIN9RV{}YOMwGp{-?gs7cN@CmHd%Y8{TCI+Uha^leC6KJO#D{d|*>h*etf7yt-~B zZD}5WDz#}MroAqSF|PfzW*It%shXcD`K>CZH)35`?SDo zK`|DG9}aHYC5J>MIfYd(t(h;a35b-IU80q2=xxI;mRzEI?Or%_0QQmn;QIIq5eW}G z^KC$5;0ANyq7!{Uc6`{Kut2FByJSupRmZoFMJVy%la%IkQDcuq_Yd3kXUurv(O|a< 
zthqlJ@i5z`wFBp|D3dyK1AEDr%q-K+w?TL@%QiN?=A};$UQIF}Yogm*nG^Q59oTQ6 z=UH-&vh-@BWvmdjnwC^@K9E8FD$7Xh&Ac=F9;~YTd8kj+lE`ZfJJY{_f|#Lj-d?N#T16`W>Pl`RSeSh0h6Y5*Qso6{lM}h^fhe$ zP(_(juM~C;v}R2_H)CPk?B}vxY?z3kkUH-ABD+(kqC{QYJ6gE?VD^xwTVy!D(QU5+ zDQq&So@!l4N6`JGy8G6!-7VE&hFGWp7*x}u%n(( z(jWvI^9?8Cq8ggA7){|yT4}GETiFE&y%@65zb|2{tU@1Ngm)D_mVx`qZes$;bq(;4}eysmJO zD0uE-30@{_^WD2R-=^sE!eB_1dhEJ)ms%`7{9}*M3AxPCjT;KPrq@@7?!L|yCMU1k zRJ&l9eMDP>S2XEvI@o8bhlzdTJm|KfwI)7ZDI#+ym4rXUP?&3O$|s`yrTv+&oJ9)T zTW@?Ghs%}gL$6+YuJ>9XZjiq8nqcASl93UkgI!3Rc&*uOCE_tTXTKZS*E6i(d(E~e2wn(Qt{h%kB@&M~IH^o#RR|F}eT zH#hf{+W)d?lqKb7;I4HgqA&X}e`sKWA&n|U<&I!m=DJ(GvIv&3ciH0l>N5GAvPE2U zW?|;^I5+x{ci6NROqcof#r7U364sX~`OP0@ef9g^+<+gLn~GQ~AtoreH%(h7z0Q7@ z>)yPMxJi98c4f^nq;(|#_*K^Xj?5X6DQ}gd!m;-OTIC;tI@+>`{|x_;7IIE_M<~T$ zXOe|taZ0me{*OO-EmGeu(zAsORP?pv6uEb8{0IpfAOC{t{>cVI!TH1<;$nwQPODSh z&?I>uM%`&p_olITYZ2qSJ=!3iCZED+4mZM-XRwRawDo&4J1gu#0iu*?zEV|uT&wpZ z5IWqymL#$opBFDHLr=i)Q#0ig7%etw7qN4I{5X+N_9jS890lgT;(+P&pGQ#oZferB|$_y883)FGio znC!;sYLZ>T_}aJYOU}Znf|!7k)J~4+tMkYYPB1>^-gs1%(H|NrS)j>RFj?8{kCV{B zi}rAT06g`JEUzk@b?&~6ONH<|3#+&z*XO2)!F}7_W}_q-ue#)>v(j=xoRJQwAtPQ% z+NZ8i{B6How5f^4oG65S1mNroKdtm2A%YFzC|P5|3*T!A()lIzT;_&@TJ_}--Nhxn zInGWtl8oyO~SOxT=w?Q;V`f7H=ZUBMaW$?$iP|Pbi&H80i)rtar0aQ zA!#hRZx0uL=qirSU>qaqs6X=dfw6b1~A`AsSy zxnfL$b|w^DHxO{_KM6im03mU;0_;s!3S~-fyi+CDswGV#GL{Bo{e0IE_vd~@WZsE| zv=}Yv>Ohgoe2P&%rLL>Urt_ND4C$G)r9I%hSl%D#(Tc4oj9Ml7`he!{cbc&KP7hH_ zh0onwrmx3VOD@$DCDEcH3SsQU_~(9xDWAhd(8x2E>MLV=#CW8n07EI~9?iQ;S`o7_ zMj*ptHr@n>iI=R2!KrCyR~=RsDBTgwn>Y7#u?8kPDj6=$xe?bAvJ0t&gc513x}g~m zy1KQq>Q}NhH{@u`-MZw2DTP5^Rg8+~j4$4fr4|j#HRi*3r@4-;>5*7U{yuDIRU;O9 zv&doe<>`2TH&tN;p;p*=^UdSp=Z|M-pnXcOYoXpcWIF`yb(&y%P7gMFWi5VIxblJB zYpn-b!urod3LJmyVzm1&N}y(GZC}Ufb;xzAS!ccjwH|<3B}?{g+jn1at)<6<;rW?S z#i!Lf5Qood>#Nwrb`3d~){zZNLz%5QCDJ17+e-zA`EE2XKMzdYDq zJD$EW;F%)C3G2WwD2Aa?H=&m#FF_RO;Y#^32Q-4WKwiKK`FDN*F$M2UJDBY)C;w zDs{z5M%A`(#p=*5WS&9*YN>B!&0tgOp3=crJ}-u2xjn^7$}ZL08V#<@Uc|W9x-m4@ 
zE-P(6uS3QYh^n1fhes*i+N7$01W!Ab*z^_VrZ0u3#|ULKRO@f1KJ83ia%+&rlWTRc>RA6^tffCITxdGiIC-@!OzAUG!Chf)W9kLnLm?Koxgd30 z+?S~7U)Z{utZO^ffcN#RW&7q!9j&0@1$pl3j7L^*%5qu~a4*c-Yut_K{<_8)j@-+G7Stb<;sBB?o3 zGkQ0DS>1&Mk$wD%@@r@{(7GqT-s-!n*9CtNTc_*{x~%Fcx)m;?ikVH`w?m$tqB%Q$G&x3MX%aD-FPAC@eZ zbM00VWIZO{l6!nuS~`q&yuvMll9p9z^Wv`*&&@BzHl;z{&fI%BErGUgs<4h>{V1Pe zk|S(iYj~+O*FelQ-^1bL*Xb0~UB2Y-=ELX;!m3dvqVYswlqT)>8|)ETs#=pTadQS^P<~mqrjQ@>4>gq z%}~I*)PC8`m61BeYPf|=OjCh+h?#jpT!B*398e5jqkNxRYij;=QHriw>bfba)_f)6 zZ8w}e2GC2d*1dk&^1>!V`nOFzQ8)N_0{GsNg7|X`nZ9M`r~Wco z*;*_8o*56y?4&tua%h&Db>E?ewZZrgDU7nmZcl@YQRwB;vMVQP{H#CZ`%a6Nwp=3qhB5tv3Sf9-`IBb|RZEb6u^fE=ipD!n( z-v%f<%LhZp4ag=nS;#N6C>16U4+fk%Ge_K`ks`E@S2}ODq(Rk}*sUa-^gBxC_{pnL zSqHM_zOMv*kMul6TX8UU8`h0NCO`G+GZmy>iD@$`E39)>0ECf0_VIxu3jW1@jR)D2 zoJrM|)X066Z_zJRayx2#=5!R0Vy|U3aE8sYQ7P_z@SZxs<1@4Kbw#lrX7Ohnj#c~2 zC1X{r_{+<}*7H`Xv%SSF<1Dq-2Clo;EsbYt#3eciOk5~ zFFKz(&Ur1u)D_#y&SL5@0r6M+Dqkn}OO@Ippf~%KBDf)^W`{sy@$T$Cd`3(=0E z{B(P&LYO$;rB<0o%q*R1!L#rCgk@Pi6|)+Mr?XW}XlU@+)Mc%*GxWlk_li*|{#PFc zISxj>L$3ptr&~=)dw8ErbJpjWRi<2;{^~T^NrHjO2+U;Gd|($TlYLuQ}Riz?`&5DIG47&UsmIlUzUJE(Qia`)O&(MvBNbsnHGs-Vf|R4^a#J`9vPOU()} zYdq+$;5MDIsCc!4inZZ`Ip$dW+9*1AYR-Ppf1tDhz6bZ@`>r!njPrYLSJ3FE_w=U^ zRDZxf>Niji{}0mK!QGsldk@~&$EH~HMg_8C_PLmdy_orIyJ}b?mQm&K?zim|GJ~E5 zlLHm*SNX<|##(xlR_z-icS{B-17T+0E%MF~CxuwgP!r`xOdxFXy?(H$PD%Ji?b!*J z-J*)y_=`Fsp1mZgo_g(Aw$9#>YF`a7@{eGW)vG?m*KhbYRw%^O!-l+n(gK3g%^xUt zb`9cs+%E1p6OptRFstomU;M(jwG0SHejCn#3^rp{R6ep?y1A>DO;vF+R-Www!^^q! 
zhQ7{@ei0zasJqwdlZeIs`YuZS$rC`;?QS*MqxnKvZii&EsRS0XM);Z*MW_h|mhno1 zakYB|&qP?aX%jww-XnCs4ltP0B}Svv<$^&MDEIE`s3Sj1Z#>Tfsf}fhtkAVm_5k|8 zFb8lYR)?gTA2{S@{!kpc62X92a=$GW#O9d+V$i-uf1{GQ)}pSXz~qzj4Ie6v5KjfX zt0|kdT>unu&%U>ODnwF* z;S7&dCTG5Qih83f;AxFK*v_%rf3D64lE8HlcKsl`13BO+UlVi9xBP===0Y{mDS%~} zWXXbLyd#@S?YjI6azOMI&*wf!vOSIdSqU_G0(`TiG0g(8b1BMtix1aBu!_JC{1J09 zXV6WmeOIjO*j_fRTxIp`s;l9W{_34w(`Ayq zTKMn8VQ$~KS=0Dw4a?Fns+kY8+=uWCoNxx2-$jC_3h6q0m`HWF${ zC#yQ3A#E3cwdFiu-{Bnhofl$*9ff42A0YKGL{Cn6mu+?1ijsO<6}dUe{pjKEewpf} zL!nOj@Tr5!DY84cL~k4nT&o#=0+fu>*MM3s?=bs8$G-B}pgO-5;Q<2o&(93_e*AE7 ztUM)q^7^@ypl~o1@`9*Yna~fD*Q)VYk%9KO)jd#!pb~L=l(<4&8WZ~0ABa~~W`%d* zGs`CD0`1BqwVL&Ge*Vi2#^4dO_TP*CX=VJmM*iogA2L)9wtJU za`wfhecke^UEqdZ2mko^Gu7dLi|K;wK!x6uC#GJtk0E{1aIJ3cvp!1Xf2+P^w1MxhG&B6M>9S zYJm?v?CrNLSGe^8J0$segTx1pfbxAGH28E>!S`Ny#(qw)GrHca81y!uu}<7tr?_uh zy&}ZnZfmH%&<=ic|FH`v0Ygv$a^zr#rh9$?&L`|5jT~F15fOGU!bT(!xTOGs>YkfG zGYUg2Ql@wqt1U#Tu+>R zE6-2X(Hr`A57=>{dbR_Cb=Q2yl><*=jLovOF&1FzFI2M~EC+*+Gxn80qP2a;FP(vA zB#ulZxO0G`m4ku0^#9&Xf7-{C$96E6Bc9(ZmGa&vB3h%V{ra#_&hshsbDsU)4X2(y z22|)7v|xkj0N^iw0F^a2=Vhmi`duOCbP~Trzb~*`%*gxO2+0?_uu>)Rv5-&xg3HEp z_!9%ByOZ{@uyFq#&#p6vBtjHl0u5ikO`IVCb{`2Vmrp;JZp4kb(42 zH$ef?T<*03N>9tWCqn#x7iI6dPFt&_S~ce-{`y>cl0l2lQA^1>m%%#gB>8G*2vjs( z0Om&4G|G!o`*se<`ss5EqNZ2o;9ZVGEft&**SAaG5vEco@9q$k0JS?H#R2FBZUS$QkwlL+ zjpiz7G&r`;OeBCsA3gw0A5KKAGQd0AOGKhkW_YN29K->Ci(oJ=^+FyHp_(G{KY95B z9^?mLZPjufc$Qi0SRJ8D-qx2WQ7)HpQ!+>)s}hVKRy-vu2WrSv}`%uk@B9 z4YA6dz{u&S^q^>;ujtd%(ik%_XG&Z3+_ktWU_` zO=J6T7WW#@jsR<@;zCm9V)k-Y9Ti|98RiXASCb zI!JBDb3;ouRWE73wD-X2EG5{k&A~2Q3`~1Kcaao`79QHwQ-JV)fI(lY7<|tr(4X?I z4S-CEd`e&-p=aJ#eboxiiqE zb0!0lx%%6`e5lRd036&f*X+5@7nQXkC}n#%Nedf>4>TmgmlZRhxuJvUrq{rDLD9W_ z+Mux^x_dbkxp^9z*$l~PM}PrdgMxUW8#MF-n(F(}qg{dcS*GAS@J=4oRiiN_R+?(j~GfsfEBs6r@W)y1TnUq#HpR z>5fG#YQZ}%&wb9>=icIZzP#fd&v^G3d_cTdi#4x#&H11IUvW8jig{@yNCb*i1MI3u z3FIczLY5bj7}R5sW+KIdh_AkErQclWxIeI|!e-9Xle=vBh86Ur9>05Rr6!!|xHYx1 z`RL=#-VQ~o#ZJAm-=n#&vD2%ARI}EUlK^m_VsqYG-UeFEE;(}O1jN~C1|kRK%11xk 
zb5ndgJ1Pr##_;kEMZ^;#fkqXr6Y7PB}_@W|FrJvavu^WH#v92VY>?K?}Q z7IXF6pBDQ6Rc|-kBz&~rL(v?XKSe&gg*tkLkW>DRxiLu$`@ITEtX07L{sM(4O!65X zq1kXZ0pJPx=J^pb-k1UP9f4p-CCIq; zhGOAQPnU#Pv*TIkAR&Am5VwtG9$suq$(`J00u7R-*pc{;e)8p`EQm_Msn-8#w8V?qTNpK`D?8{cm zFG|5ZgVHlZmUcOOyHc2J8cFnovSUJsF&lAznr~XMeJvvb0|u{BVSdPBj*!>pasTvn8vIZ!R9>xQ zv(vy{d0V0}2eR2(W-Gh+$k=!Pau%i^FNXxpC9rroctMZzXKbS!3Fn$I;A$BM7g+ja z+XP(p462*{xf|}CKzodsKN%6Q0LFl<5Ruan_UmRK?F`4okf zeEQI7&FSd#O3s;}f*r`?d3%Fe><_8NoJTOX{M46Dt%dj(R<|Da>1Vt|J6VgR9vz*h z{ed6iNMi30Bw-IIsmZG1pmL%y^0)~Ld-zn~t=!gV|N1>%5llM~)e zag{7aTNrco8!SPgBzre(Z2D3n^nEeSUAI?({Q(YOUFk$D0sDd<@$l=P%8E?;llqdy z1NSU+1tWR{bI$}1=S`$n3hi-yHR2pT2||L+9$ro3D5HVy(xGlx?=Q?EbtD_G{c^Np zNofWilTjcGepfqzX5w$ebUPxXf$5GnC~Q98cn)|7E5^00roin}5<|=jn?SDI>>LP+ z!g^Q+PP`z03oN^mVnvU83q~HW+%*bOhE7Ppn;_f`LV9nq0CR?IphQbI8mx|Ba#NfP z3xp=3ipf_iP+~~k1hohu3$WNI0OpWB-gqQ$D{YtFLbjTak>+!Ntu{^-KTV)pm=(Hk zL6&6#6Csv@=H@Lh;(XG{ji3^X!15rJsRU|dfX_m~>?>WQL|=`sGecGppf^qcf%Gk8 zcAN_Hohg?BrYP(HLPZp3JJaCt98he`1k7;=HBfE|5>bq|fq$4=<_pxAa(Ry^3et(Wy+S}aW@!~=0q2&tkTufu=$!_)`Ab?z+9syUgW@wu;o}Fio&Q0djWC1bf zuRzJ2(irA-jh7CRr>tM^F6*!Mhnl^d4SV1yYgqg;&h21ydqv*8s@oyngVH*kR3N(2 z4hU0A=?4Ls;MO&Py*_S{JD4w3Vh_*YjdJK=X?(1_Da!|ZC7xJJ2riKw!F0$E8yxk=*1IctYd69*U+ zJ_jgIes&SfFB_9pSq-29rUVO1iMroNiN`&9dUZ}vMeps{0#Dwa7v6J*7cM2>KZM0G zospZdbuX5Fw2{_}q{WM~PY%V%d@QMHP`X72B_cEdwHr(hkh->kFF7&yI^?_wS%LNe7`%ydUA+nuU?TP2 zb#5nV;S->TItYJ~V7l_s*4*c!^GpzHfy!myG}#zpsO@%2CZ+{IA>=FYDSRjeoS(WJ zj%lE8)t|%FD_%W^xU0Ntg!T(-7^15Lw`k=I#T0csb@*(OPhyN|S8sSj?sg-2k5d0E zc=~f;KX$io&jXUJuv-FyexqmS9cpzqf7sH4&n4t`I-z%lh=g2QIq^M`*t6tNNoWU9 z9~44p>{7*RZqTg`8SA}>;;E|d{`io3qaLC){;-oRc-|bLKKbb31!tr_4Rl!wx`7j) zG602brwgIz_m4oR^$j>c@qD^@rfd8ojY&Z}nc_Q$KfnQ`zxjS!t3Sx<8|(2h7zJki zg%#(L)=c zH)NzMv0Dc`6r1k)-0|eRV6+N`a7tVgGQjMIJojn<+tcj2!S+n!bHE4bwpxZzL(}aF z@jyxu5BgfXc2-=KQG@NegVOvT$Y@tAAI~xcEo83H1ob`l>QY3!u)LwJ-m-QFqqUi# zuHZT7#?i}sdh~Dt5K>m+najT2V;lqk#clAx=WPhiKAB3-598#hzacORghVb z-2{4kp=l=|ih%@byyXe)e7^M^JWsMCTyxS}?~9HXk4E2zjR4?+G_P_oT7Q8L^ce>| 
zj;+ckheL?qbr25xh1^#TvHC{NL)h$)R!UVu2%vehS1KxhvT z0+?2SH*W^dub1W5DF|n3x*>iiIKna6pPPY~f1ITk0-`r)R~aFO>oOqtt3#Xwkgh@q zx#cN@K_vIkgJ}p=eh!+vW;)?J>4N*2oNbA7&yY2#)Nao~MD=&@!6ouZ1y&0IWydL9 zq8vbw%mB(hmpJi1hQ|xK6_q%-Nd>-#$Un_svVOvHx9`rF1o!gWcDFUWI49Q*#Sj~D za8RDZ*6z#i4ycc*BMlIO2f<7!)#VVO()Dn=;MMo063VP%bmc1AjBC!9jTOl?&azqo z_cAn14Gv|K59}XCBT(N1-A@giD?DSI#Rn37C^h%_d4=D0s5NTntW`~|u0*<@?Z$T= zmm-ExGFxzE_Yc!}>8Ss(y!&_0v@Zp{UD#rfCBODSlb-Yv^ZmV*cHK(+RKqts z0wCx{eISOgWq!bQ<_K*X_Zj5qhQk)rpLK# z>~uKS&A3(E#@4x!L3JzQc0d1F;O_Nz6tP86ROMy$`4)*PkQS4E8=OC7G zDCxsg;L?@WeF^Zz^0buR(CCsyMWQpdGrh^NtdpVr^y;_KOJy6<#$}&H8H$xqOby1Z z%e%mov2Aj5&{W`B9}S1x*f$!EGARhd9-F5X_77p)Cy0*z zv;j{vBUK*TQ0}72O(f34o2cr3wsTRb)37uIiAQEe@*d_ zH%gh?Jx)w5?X9Q}Cu(xr8L6O%L1yyOa-p4Gf=L&P+LfgPh`&{wZ<=dPInHtpGx3w~#p9)(EcqG+$m6O(Ab9WuRgn+7s z5UePxdO`7kJELju{JSiMG8B!L2D`FfE1ZChiJtsbq_-vNg(@8D!+;r<*J|o06(B9h z><;GyLSziSd}HMr5RQaXnulQrhV>7~*Ivy=TOek`U=Y2)_fvC~Z@L|b_g zitK|sAO>{~m~#6e4i20))EyKWNn#Xj!8RCvc808vObzkkQQB5&q^SRlh7-O9>X`#c zsrI?+(h${!%oQQhUSSRRRwYpM z5XPZVeLwIa6UWGz^Ks0A)?TKDcRTfh6p4Xw6mx_cE^mHmpC zVgVsaLwAa?=ZRA$D@~vb_yDLDBt0qcldIFx*vowL9kSM4NItUzWF})XySRCqkE8H? 
zAwJ!sR-?WhT&j2=x3W66jlj8}o!MuHE(@azslZxAQDwo_Wu_*TxXGzs-W5{F_8623 zjNA1(aYDlqdY#Aq2^h`ntQ2iQC=xea_O7}9G^>Ay#Z-;csFOFF$R5AUELP(9g$lmoU)-3>)0%IR|514P{gN@IGcRW%LXZtk7NTN+x`j1nmxXEmZC zccjyMYaF`xSf})S^&|-r_zxe4CcQ) z?68f`U4X-vkfsA~d-aA@-4yPfFVeXvX2HDW>U;zKlP>`Pt(O^&Kb4^!&zIM8z|?nD zVBLxySg)!PMLyUkTB|RtuE(--JJc|Zh(C@q9@U_1KWVX4Ywr#5+wHkoctNXNI<`US z2Axv&a-k%No~sS_C3B3#V-?{i7)U2SScVmd&cUd1!kAJ81DC`8C2$_$HAKg9I*|qNJn)kz!Rl_xvftUN%^GH%`1MumkmL zOG{7Pi9;u!2{VehGv{r%=4wVl!2bRH?wVGKaw8Q6NPMT8Yx~CBqIpuGN1*9fELNtz(1dm!N3!kNqKJBQ9@Hly- ze{eV#7zvd$SZ9Q%yY72!taw+BijI)=dmH2BDO9qlE$K+FjqrfXGI^t61MrNG)JH%R zw}Hn?pF%57iWp$iW&79K&S$WN+7P+KD(^Zc+UjQ36ms)N$mo1yXAx>YhN7o<0BOE7 zSh%xZ0GK$bvJrJ>J98_u79F1PR_sTnUIa2n!iigh(c$T&=4WGt_T83)1`jskW=xKc zqTI&vTN#eU2Z_SpZ~VON-#39St&`9e{UmU7KsX)$-Ixh~hEA_A2y!qLD&U8ozGjsA zo-PlI?A)@j)+PIV;NksxSV_0>1;P34oY#7#A{*wqyzY1CiX5^IG7~(*b0c;StA=By zU~41xXP^wrPiakk#$bKt(vB5*d3CRl^&~chxtV-ta=%+*9IpyP@s{#e;~LpG{>QdG zwiYVY(Hgn-H9*Ky^m_}(Th3;Qjr_Ck7<>-b^xQX)9EVK)=X)z|^-6DwlweF_OWj0I z5nH&$219UAR()i}`VZ@mpcV`)W;xwNg`1q}W;bDkQuuG;)w!#3AW`(2 zopo|>2Wed$2oUdL-umQks^&hWxpsS;LBh&!D`tnUKI{vaB%@Y>wOeXu!FHv(LQ*71 zYRoL4{E2>iQUj@MLZ-S~E_%iz8bGiI*<_Vo-MMFM9l-=2n$=@>9ifo6z=z-_%;e1#``NaK7tt>kPLq$D6beK5oV=C zJ>5w<83Bp2!dMa>{Rlu^TgKM)zaoye>C~aOrIhKoQygMWA89Q5Ey0m_#m#BxCH9?H!VagPLZ912~vg zB}oDcZqD)Xl0Y;Ii|WLPJtZ@)f@ZvGL#Cpiac(R~e9)M32+;KG@n^s|y5OL@gj*u> zgCskupFX9Ng67VAJOPAP18&i&JIMO;T7}btaqC`08~M8fjL!6Uxbt(tvBWoFSZ}Rn zxZ=$EGiqG*pU<}i6LqG;Vl2@ zjMJU4_k*j|V_zmLGJSfRBYEJKk@8E^vbQ4Jd*2|o-tDxK#Q$ip9R2Z z7mM_~4jLs$SW}d7^7FiNCb|U=8Xh>A3BY=$=e%-%{OjT_;4^l143=9@4}fw`FCtCR z30lthFQ#sxEnjeRP%Fr~TL%pP1&+DtPEIq+AH{j5)fap*;vq_@sEQlSHq+qzG zyNwVMC5F~@hB`4B-T@5R04I;}8oRP?A>I6l(~U=hKkt|&Sm1%GxD74}mbunQD1KCX z1rv`rj5EWm{*PYroC6LS&WwD$-V@Qr5Ao-xOGZxfn72%BmP`BmDbk|A@V06%-DG8nI>k&&`YOI zF9N}jJ(k-ZB&mbd{&qR2Bamr4z4)pdQHb1AuhLxo&Vk_Y4QmBqcyo^FYfu|w;P*C7 zvsvNbn@2Mr2POdf!V1xkB`~`N+4&zFaTnBp813*4BqIU;wy@b)iP>lxSer0Ka^Va< zr(bppE>x$Qj2EDQ&lPYEk@R}uoTAHL5zAxHKw!S~Rj7`} 
za%Q3jiU*1W!P~mgK(@UCrb;I|9xmG<@{Fz){i^fRm#-8Q6dGhQ?0Vz zV>J^jU-J!XBPyag)3T)ecuI{-hhaV!!u4(~IZ&z<8Q9fqQj7Z4r=3>X2`ph-ya zy0vW~i{CR@f1UosoSXL;^G#UbnC=#EA((YZoUAX=+b|gk*d%~+ryfAbJOzV@3+R!u zECnie1mGeBKsx*QzId4!C9a4FF#mZAes6CX`QM%Mrl68vIIh zNs&s*%0dJSe}beoSqzQ6TcPl{C7xIOj&@-Zox-i&mxxxF{g7fRaPd$_0P}zY%uX3J zKA7fd)w=l1yHRmb2!Ymg(AD*Hv(QEqWVn#F1`&uQu&g2E;z=N-KoeLA)k|gk zyBJwqZ*mF?+cGWFWE^|K+2@AR$Hej2{ngItbN6BfCp zf-R{V&MdqfNPJTEbpS5mS~OvA(MxkZdQx8%A zTX_jevq-X4!HCO71KdMSKuELCG~LvdL{a4f1^(Q{(M)qw8i_&BGgMRLt+C)_q#-dW zl8;v_h*Z@ZL$)ti6r_V8P-hj_N{Mj7On#IsO3kIG_u&;Pg?eFjKBm)cA0ZinJ0Sb^ z5$JI<8sEhB4M94lqE-817vB0ar1B@4lqr;GjP-(>y<)JfhD=?w=(kHA=xE(NV_?O3 zf>3Yb^ftZ;gk|Ma`|doq=(5_H|3j|+Z$2MzlDO4cGZX9^bPNrK7qI)8pp0kyl$VCD(u1A23VaQ{FQLP5mIc(K1xf(J z8CxeGN(VIN0L61(zFz&hOFynh(mm1(DEJMt5T8zXMGVUkj1)$;gz6Ql?cg`YSMe!$ zOZ;2^M|C!A>@tM~qZDd!2=?Yr@yhcO&r_sdY)+3KO&=+QdFv0i`0d@4|qAu{)Zo(2v86k_PUFpyI4S5%J3)w zfltOC!FsYhoU5e{{A!v(!raj21bLKNHD03!xaV}+AZ5(EmC}WYNxgsyim!!Yeq5I) zs~w*oCs9C;+YbN^w7>^jzY(PxTyP?x>LUgBj`vA8|IaJ0e-Ljx9zcn$m;ImK_~lhS z&{d>a^A}9ue=O&m9$?ZvFs1SRWrC{RTX0p6!hQLFaoT<|hZArB>48gxTJh;Gui^k# z*}r9Q`Xy^rmI@3!4%z#Azq~3Iiksz7X}{=+`teMdqJxPn+b2PI<0pUfznDzRSHV@W ziBfSt-{t<%LJ+H7#KpoN@V3#yfX#V}^QP!8ui}MLa7{8o zXn&3v{Nqg5cNt8Y=!9Upd%wKu@2U0UuKiy>wX%|&`$b8-$6r=6-vP-t&jGUgOsTj! z9CNWJmK7!a5B0M@!OY@d$Q4P>CdL9svaneCT zSDksvdvCa?+iH6T^>G z`BSiLUWGi24grFp_bmdD6t05)k;QU=tL_yNvx|7MRVOL9+TMUm<8zRoGsa`(>XDI0rKSXi;Gzqh27*+{WY~B;h zGDv9sk3`kn(%~YV(R9yU2%S3w(!N`A0{cS{6TtYy?pzVo8bCn~)#P^7d2{hVrT87l zj|ia9_TrMCQS+s}ga@&FIp5fI(5I(ZZG)b)4>;K`m9^rr)&${SvH}7;NC};&mal6y z5FwSiU7GL4Y+B|CoB4V*7>}g_EH&hX!xIqB%;s{i{zIo@sjoyP+UT#D@*^}JIFqGG z!hmQHa{tMTXpR`;6pav6C;>a)A3sjNW6y08Oy9mW)`VjFjM4`iYBoi23F-ASoY^w8 z#Xd)3;i**7((4y>bB|w+Ss0!Y4mOrx_&7P*3F##vLEt(ka23_=n;sYSBlv?Twci1? 
zJ@?HZkQtBn$mKmj(r9fuoe=6oIBx&+dIBBm&#Da_(F8LLQL=CStf{3cWS^sf9ocPm zLy1KlPOUjmRLGm4FOM{f-?4d0c4t5Y2mz`h^eVxj976rWdag%tn8?L={6?;C+56!K z(}jP#0pmGjS^=}kpnA&4DjE?jl3;N>={PM5>n{hD5Uc6~fw$(MR+fT^I{`#4-K*CI z?SXvU9m0euU<=g*SVD7?uHp&L(Z6m=Qs5ARqT1pInLq=atENGzz{r_1;Y7O9N(Q-& z6SJvB19kEbS+`UBpj92bYK!4^N<&oMpv~MDqhgP+*Pz=58H02oid;T$14X?95I}8* z#-GyQtE|BD_dy3Jtu-FN@heOzdwAzRdkWE^r?3_r_g9kV_c~GF&k&dZMW#_bvFi9d zK0jnq`28GJe?F47a>^QI4NMF;3BT)22i#U&hXe%oMj)f7J zY$@LSyTlXBtjSPUsut`gWSZ}=j1GW{Y+A9C{rM09_uipwc)clcf!x|!B+@Hb2-p;V zhs?xOn?O&I*Ns1e`oP za`&>YOn^M*_5BJC0cQz}0B~Y-CH2MUze&enU^Wt&XP$|STGlaf-cy-su&ZY16uDBO zoG>QPj;-X%mJ*x3Hq^YgEGyutjFhh>@1taP0hkq0PuK1~BklylaxpmQr5gd_hx0c8 z@(kElw=PTPav!i%Cc)BENOxg>Esqj#Fo78gjRiT)AT+aL1%0K~%1jkZ8{VKDaG|a-VKP`J@SRoaE-Q_QN<3Fy91RF>Xd^7?Z}=EZQ%miW98t2s?8I5Mx%=0V{=c zH2iaPYXPxk$Qlx6y*RiD-0vXM8H?RGlG^(3V5z8qgj)gicrWWYw3qQnhI<)ppt z7agse2x-|mg}(yg!|!0J5&~4xZ zn!*hl+z?%kVxV;>7cd2loSq#gp(%caHYKTDMa@bI5aoS$vza&lICnLXq$yi>^}K3x z$Y&^U|FCt-ZOi35NBogY%-}I^Cc#SNG0()SCw=yrHTM21!K!4Rzjm&nW|_kSYY9F_ zu4L<>%!8iP(8(s}}W!%Uem(s+Jp(&%`9F6ZF zZ`$5@l98Zvi&)Dtcq$!{$2?7(RXv4rI9iBI_i!jp?@;TU>lhl&^4YAI9%5aV2q4n;vISsiiiae#qD_PSh^_>&StNU+a6;Y z+QYs&hL29)+IX#3pClZdR|q&xYyzLt3tc`q4BeztBHee)J~rzokjv3_{Yl*~OB>YH zWj1ynhb-*o_MSYV=MDEhWQ8&4)=p(lk8@^d23boKl}OIq8;`8Hm1sE)dYw_5(pVp* z+H;bbVq-@HLp_j1bL-OVRBEq31ju4Nm2TJnct8J$gLIzZe&8Z~7awU#H$n>QIUX?Y zL`Zs~X*lOX)}AX5#~cC2jF{4WP?jg0LTy8ueK~TGh;Q7cz1q3Rwq?T(v_1?^x+Vof zFX_>fUMaI2ke^JXlzRC6)`b^LXH~7kM%*Tn0| zds3eD*-fs})X(<^c`wO%UQeB;cy81hlX}%i-;Xu4a$L~OVc0(SvLbFLEB5ru@Z*Y2 zuJAEsrxo2~_!3Dq%e-QyHE2`Wq>B0xA3e#=1HGJ77;0IZXf5(`qEr#m&)SdXww7vs z#pJ0CTp)@|X{Y8)a4|4DJ=R{kc4e*BF{3u%@#4p(szc|Y(BYBM;k8QImAaRx+ySl} z7uB1$iw1qY3X*{lf4jI|NQ0Vjm3phQPGuDI(5ljrIraL(9A3 z1o%3~p_!0ZNuvXQ6VpTpz9%{~{`XovncrtEw)6g4Zr z98=QkdzqF z+vkA6^g7xt89LOaV?86Es?&ol!)?*53Q7V^+WJM-`^BF+&{mkjrN7`^1zM!Jhl74l8DAxfWgZ~9DtwMi$R(~YX!2vmo* z*QaRN84{uEcd+r@s$S~^u&c#E4X&DM*#x?{#JS!W{wg}WEA-U62Ojre6NtMM{V(jofCgTE}S0LRYe#vo}udlRt#CS{k7elweBL0wA5-XelDG 
zBc*1)HGce9gkNH#bAFIDZ|yfU)0oB}{%hGef(NM?f#5_U)U%p(1}jfL&g`C1szov3 z?y_aS=Kh2}QYOz4JzJA&xs$$cMv;A@HIZ*GG?eoj_!yr}BD}5fHq=n30yNU<&y5bZ zznjhQvupuMeX;GaizqY^ob}Q*wx_fDMycC@%7U z0t!qBoi5%zX?%buXtv#n9aMx7N`(JnY_7o-7z4ka#3m=(=`_xc$9n&aQj6(TBI2a+ z`FK8+cSjBiPBn5s;x=~V8&KFNxv(aX%g<|4sv#V$lRCFg8&_$tP!x65=2i2-lG`!+ zw}yQArOvn!ZZgBth8M27oz-*-VUh7dj^e{6)#4mZw(eG@Y>z1~mD_5@d~y4>n&PlM zl17m(k13v$>l)A2`AA;xf!=V7z0ToGENgy#sM8^8>e02E#|EK}j7F63nQ?x@aFU6f zp>o$VxK7}wVvR_fpoa88x8AX~X&%^Fu~Q8V0q2cGCKOq;2zbFp3=G5+qB&}&i7%q@lpJj{PBha zPaWIEuASOF{L_^joIsZy@_e= zV8^I~Pt8P+1YGjK$!%ga*Knt`GG2j2{e1s5oCOXzgWC;(h$49}26<;(oL0UTE366x&*+p~Lm+*+%4=!w3HLiW(74 zt6el)3KK6MvKnQ#*%ksy5`5t=t;^L;#1zV$uhXd_-6MTFa?oUI#Zw37(EU~|#^*%( zYS_oQIp}%6bmWPw*VLuBa$eDG=X>cxzZv{Ob@2&-04M&QdZjsP$i;-|%5$fd_&S1P zxb|Ma_1N)VTtq9d#_z1~ca6%GKdg!|vIL7>uMw)cI3LgbEJ@IEf9It8xBZ>Kdc-yG zOr#=pGj$N?CgH~sn6b46pX$$Fe&JP{$`OelrmSBWPbS8T7oVy!esdKd+;~`@QHs;G z20vCdi|U%+KabaVd-fi04lYxuMBgRGrdySaFf`{{T_Lm1w`A3#7+k`Qc=LZgG zoWCpQDLQqyW;;0DS~ap9NNL6k$XH#REIu8}YbH*I^0iudbf!za8(a4~)cgoi#t5X( zs(sFXQb_|8w%Jh=*78a=x+*R_()P=vo5+ev+ zFor0RFW$kZEX!Xm9(x#$wZ+NNiPfCTay&Fs>24TIdc-NZ_SN%t9i?#ykA9||s>4DQ zk7+h%gm|!HjZUj6n;WQJG~&yu=)P%~l|=`XwxFvxO<8ryBU$7MZq zL1)M(H*eJd_YEQQFs+JXOzw+_!cta{G*#;Kk0%K=wK|6!mm$J4CebjhrifqakE?rT zmj{WM)|A7?)LO^q8eLsp`vJ;w{xYZcILhEj?)eJb7TD;7b5;*}Mo$$^IlQ!XW|U9u zJ)BBxwTS~}Gf|lo+0LIE8=VJ;(I4=wlkINI4xVr`n9n6yZI1zxuP3|i#OhVBhwtFxaq2*f?D+igp-5(k=0 zev=;HQpgh*9(7^!H9q^6kPFM%^WVVEvMi9qP{HLlyTq_nD}MIcB_$f`c((Cre9y2v zFzDpe!xseJYt?0y+q=NZ=o$C*bdk!}#y%T?7=+xHNUf2yS;ljNV^tK&^E#Y-Ede7- zo|t%2&XMoB=R=Ce2B&m5UwnR7(i4vL)eT;n7bDr9kb}=pyfNa$6!@*ww3;=>m|kPj zQlWH!x_Mn)s9Ej-Spu>XoKC~>JG5ZK@agjXwX>uaY;(XckGfyXo0AlCIL-*=i z*C)`KLykEAE0sCdPwJRIPt8KMUMzrqqu^iw1 zO~7oIDYx5i^Kog3qT)2e*k)&cFych`!{)RX7CytN0g`Xu3hzPoojQ13{2@DWt`;iH zQTO~AY)IzChFZP;&pK$v9;x>f=CO&mW>Q2r@Hgjc2OF@%Ew?4(2?P)IU-B*CA0Ph# z9vrX_v5scrKN`Da*)JR~6gh0AuV8er5g}=f0#HxUsQoC&T^Ek>WYxJ}BhGxVRZ5{P4Twc2&f&KN%N;v~{s>&N{m@$V%N9qBtvY{hAh?NyN&%t)9uu4BZG9 
z*K2MgPL^e&!O22By?5Hzmf*%dJV-abEzKfZb-lnfEBgVi$JSH)(z*vLor~DceoSsr zt{NNKv2HqtjT=d$p2MxXtI3F?4Wrxbkw6Azf*MU{L~OUlh)k5blGU?FypJUfpJk$T(KC2Lc8-r38qGxE`iWmlzwPMd`& z%Oa~Hqb)2`2ERf{G5Fp~(Y!(&?>@gjJRHoWdtac!uIS_n4%a zs6)#5QoF$Vf=5v>Vvs+QMTe~86%d&{J6&@XLCX_Qkk)+k;%$J?oXj+`SNy~68!1F- zPl;O$J}Eu&wHVsZ&@d>{Q`SCucY2Sc;@G7>LAN9BQAK{#T9rRy09W(97WsifnX?da z`>olQHrIOmLo@fie({@D1s~#jl{!<5a`PNK_F7EuoqWRl?cCw!FiXkv%T7@4*QtI$ zV2K*rpuJ2--%=v=jVa01%S|5ja;)YAJOE?N$(oT)1+kL zUoz`_oO`Z)62R8{5W!NcWnY=PL*62vXR;O=5~ip!>070H_4)l=GWyDJ<}Xb$$vsg*Wbd1-g4_ev%&tTS&&sSw(XAsw%MjybKo^=gDY@bKEd=8FbliS&4@(J#c@A+E=etk{UIS`%MzL8xq~51d*8k) z0J!4~GN)r1gwn|^)T!d0*ofQUS6`b$znwVIAl`BN3uVd;)t7MR!(8Nb&tQz=*E82m z)`oL2;P2!)kZWwO{Yg2#w4-V0t6x8ObnKEK5%-zkDkB|71$aQ!$}C6OuWW5G6ShD% zQ}mM(ELgX240GVd9PU7aB@@%6j{~jT{Pwta-iiMEh2bFBqdoj+?AbmRU!Mc&8dO;h z>Ts#*foM@hM$TTbNPVZfPe}NToqbA;`*}Tu;=Gan5g5)gRqH+3QNouRCT?uVUyD$~*Gy zXLH);dgT)`5GWsEd#lAjyCyn2LQOByIXgTV9*uATU2VJljc-PglbH6R&uCc2A226P7>b3zL44(_reLhn9tR2$(JQ zHXTd`c$N`101fqeaPY846sr#%>GRu9;j4<~P%Zl%BpUswbm>5K!cs}p@mbxVag0E#!$NSlb**$m;#P18KXJun~ z?XMcjHDO%M{k`wKM!v2<>y4uTTh*1dZ`2g8IwA!=K5_W$Q^EuK)fMx*btd6^U&w5= zNAI$?1v-cMX_c4;H^x63CfhFd9cwdHkO%4kA%jRYj^W$J2U9NA)J!9q7R-^3L)4#q zDjU79$t_&jhTpvasupweuUSSpB2B6I=P{N=l1c0YethGltEMCw7;T|CJ$-->Hy13+ z;s)Cw{ym9O4nI=+h<0@{iatbMHh<*7_Czt7$(z)7;E!~@pDbkmUfn!qZzUvV z9DayG#~G49=Op~v_9D5DMi~9VuOQz`_@bGw`Z;iN9$z-4)3oh~etiF@6XM4Y)opS5 z6iOB&1Z?Hd3oq-_frq!Y3z)8Y3i!Ujc+FF}_X+zCp`R}T|5zCkE`t|P@$~*JSR#S& zN`nHFa?VHHKi?kO4Y14zsT>gZ69al*F@Ocy3Gpn_RC6^mn+7?4vQhtg_ZHrPUe)!B zjK|MPt^Zt;q(ZURaKl0cy8nY~1;L2<_I{-QuVWh|EO`?=g*1L(mR~UZ z|9*|Xr!Mpm{5^Gl%-;XkrmhE9j{>J{zZ6H_i%e49eV5|bqxr@=^7S9v^;m6F9H)!o z%+%}4%+&KE%nEn07K768WkUT|3F`?zqW|~xAqNZH;zMG_^yikvxE(xBJG`e6V4C5En`8(Gtl@flBB!V{oO|JKC~Dj?Ll< z+?Yl4`{|1>H=5w(r)nhEu#&6gzcqQ=lN<*A_q7~sqea|=jlx5YO)u1*j&tW2RNX0z zs?^W7h5Qpw(OOG_k2R=9lFRq6k}bY+JNkCOW8)0iJfc#r#C5lbqx zijJNv&r-YI7P`d5;d7Ar>dQSQQJyq=Wimh9-y(wly^dV4(Bxc0H!`6!KWLNT2{kQe zUVTihm}r7(xQ=PiA67YRYG^|2Z#HRYA4Wb%^RIp6qHjEEaKge9B@SqsWRjvN&Q(fA 
z1=)zXR?aeGG(HRXA@aOF{IA{Mum98sIpyR}`oED%Z-m%#$RwUZpT5dhT$8 z0*C3N&~y#xCmI7D1lP%WwYB6WCx;o~-7kkcUG%i^FQO?N)ET0tik*&(r+5}YIwB{z zRf%F&!QQ7h;mqAL%VRqZ`!SVb5X%z{@mk!lq^Ujw7LYaInp!v<)$4S%psc6)l`byY5vaRP0ie9-vsGsK2(X$vo>PEyUifzfI6 z7k*q)8qTN|-O(Y1yrT(avWkR_?Ix@D_Vsn`-uus4E?jyOd{V_h%E9g~QO54cR_o_u zl;1KmsT`c_<5rHxT)j}f4|Fu{q^=Yhb;8KjKqm`Fsl`ZM#OcG}y~{7_ zDzizs?K1ElnQmV%o^;68ll-=EFy5UY(i!578R!_Q%pW~{365d^-p90@IcH0Z8> zS^G5yWYD~C9yH)ZPwjCzLM$xq4a#wWY#;6ztFkCk{`tp)2_oGbLG{P0rh|n~uxsJZXBrLSV>7=AV2$%UZtK)CmM#Z^Zu$4WYo@Jx;mU| zvHCT8DQ>@dvn&S0b;xEN9sx`r82{IHCt25*!q?O)VGhrad>7KJ#vP1-PZEB0w?#z5 zs;Pzdr9hKqAo#KT;!j~A2sE?*4`W{)6xXutodoyb4k18*;O-vWli(I0xO?yr+}+*X zT_?ChaCZiGw}EeSU%mIvx!Befder;8dQ~0O_AhHf zLh2$jU50YGp7@{22rrule7W?Cm=@53%GL64=C+s4>S4Qb+ef`l2DUwcW%s5Zc`h5Z zWhn7kw6%aQ?Jv{G`;B)CdR@9qFCMg~DO3Xp!wrKZcs!k0+ye$dH}iS+#uuGPU1oQ@(lK(L+bIYmnjQX;NtWQRYvowSf~7)>s%J zCxaR&v4#oZO?h~IyilncW8!*Phpuh8$3w|TlhdEqspY(R=S%c6tZd;@OT1QEjdsnr zy|2V~fs=M(f_SLS5f0Q;wo!f@CepUwUsm(XAJBuH00P)U_hqk=u_$daeiWIs>Rys8 zMmd;f(GH&*)^ZfOPLk5k{n%UjJ{044Ay4MpkDtHqp;%a;TBC$t4aI1=jZ7Oo-kw>} zWU7>n4mIlblP1bBnNEDK0ie){MkA=S&DE4rD|YNy>rj_~SrfZV!js8$-H?gpMSvg{ z2KMGTe5uvSs{2J4_f2ZeNVZsr>}oq?n4#r(U&>?{&|kOQ9!@ey<}lU2p0gkOcw^q_ zr%%&VJ28>bri$4}N%Nen*j}P3u8mgQrFaPl7c3fzX*N2!b%k*z#~fkg=vfU!Q*Ni$ zjM@3WY9gH;1$%On*ss6Z+#8@z<|P8wFVMU*2r?WDrXA*SoMoiK zr(T}#_-7OSX6%Z2SnQ`d%a-(#TzxT7@_dZN!_Y4>gcqje! 
zynLA$%LiUKpK4^KD2Z&N_O^_gRDtt4|DMS>1!gF}X5_t(^St3#DOQ7k)k;(WhU;!U z4-e~iiMf13`4n#i(V=|{X2IAsIPo1Up4(+7&^t+3m5VY_0>U(dA$d!#*1yH4G)E@^9>`*yQfHa(6L^vc8u_`?z86;Cm$PEBgW3qZp6R=e=*3eX&H3&-98L7(q@Yr6 z@e~wtXCr4~)cjI$IT9Zdh@C{a_)Jq-o^LZ`wxnVZXg^_Xx)6Q&C`akO!-XK|g7ed1 zw_#Tc^K>E>LdZH-;b098VV$qYGE#i*_ci|d>7l-&i>^G2HOH7`e|c~{`s zlN5dS{NwUsu9Q?40 z!u&?)d(wtuMVKIlFZ%d*&6*g2(HSE4kjN8#7R4k(aE=(q(+yd|#T%iuc1?U+Yxy&gU@0L0nv~;wk~}A2NVRB5ACYctc8FI z`b0Sc;^IIHJC?m>`4>>(HaL!P9oh>JCnDzQy)dQmobNhUf_Cq`jdoT(ET9i*iiyJ#Fpu$nrY-(^6h5J?4oxRR z*)FUZaYNB< zf)G!p9aKCzr9@_e$)KJ+%BZE&55qd<`6LkA8U*J$(GGF zEFhuMtsx2iNHrZ}1BsfMMLMoOTt0AwzGwW5wfP*(2xl!xKxka#v-vSnRqW64#l6@A zkRw7VClS(Ky%OBW9BV^|$VcNQgEYFh6Hos2{r}Z4D*%;>s-k=Lho|}brvnIJG2PlT zM$vzFm9ilK!#qV)|LyJA*nlar3c_3e>|KFd{_{{bZvA5^Fxmc@Q-Cn=&+7YUOZfX- z{%1@0XG{3!K>pwU%RgSiKVHJ$%i$j{;U6#Izao==wuJwGYzgMZC>UrBYYe)JTipfC zf=SMfcg1n#+VY7cQmbxX{AfZKJAz`%x+=|I&_D1P{g^=@uJN$pd}XtsgaB0YIM*WP zE_d9G=U~T0%+27}R7ap4$M=owgh0?LSQK5)qj7NhUP9!Kd@ScETDgW{}38lMe(oF!l;T@LZ>Nmyx?`~qWc2L6D;QEhA=$?A=}Ct4MjN5H=;8KM6|S_s(q3r0<0DH%=1VjwJ&%Mb*(h%C z4K2M=@8$&rt8{Z1nMm*P&VzR5GkD%NIQGH`Fkkc8E*E0sJmp=XBwULn8AvzpV z`3K@Y-pZV2y|G+*CaZ9ZvQNx)GzEg7^R!vCe2WO?K5uWg-xFJO!6{|q*+|Kz$+%Mw zTbqKw3<*eZ#Q3a<{{ehSWw<@buAFH|3+fOY20$rcbAI5Mhu}{2Qmb(gHJQ>5YPaJ3 zU2+2#mFlhHIz;NI&|2aUx1S$t7uwLzcL+hl;z_j^&%;aG(9Q6c)6%|5s1&(0ibYmI zA8!1x1UO{Od#Fdleg{>&KHmkZ#20_=>Zqz9dn35NfWq&|TrjhJk^v4^Fhg!t%&jue zydF;qYm?Mt;5l{x1&?`V_?v0Fx@~jEZZ98{&-KS+V-yJ$zm2x;9X0`%^?_uLd)EK& z@Ry&EW@^zbsWZ$*sOQP-3#iov?06=o@%X2}VSx;w>lbp#vCImPk@IEtBVO=ZtpIwD zMfLJGImGm0;J&n$3d?*%j8TzG#pV*IK*JH3c90ymNP#gIXj^4Py{9p$ng{rF_J(9p zeLh+7zEt=dJs4_aD2wDT3a&SQ0p3>4+st@WSxL=m{P!V6kt|HBj_6#J=ML^QrR+H)N^gsy(YE`2fY+hCoR|2yfBx#AD7Ss$h#C4F&TAXIiJ{bH1&~tO^?dXHKDsw=$FmO% zF1CSAHbY-iGq1l%sC4$m@iWnhuyD*UbED(q=&RCJl9Czzy7u1~`$wyKXN ztwlgDc)A{bYNZsh20BkXUE%9~-z#TfHcwvNP6~^}!N=H_acdIvKp^TYR zS=`>|_uMGOT$Bko-m#8uKr{QmUf6-Z|Aj-iM ztXr}WKiARi)ST-UiQo?Rcc1mlS;{XcezoNexK%}wm)1t-x*ACge&Mf#%IDsS4>Wbs 
z`qpzpw*157Ccy3xW;NUGm5JELqOuuq1Qb8l`m3`ooo?o#3$85Np+{O%V$=n2wa%}V zS(dW1d67F?-E~!}_7mej47WrVj>8KtWwsz-lCb!I?A%=N=hi=wPg2Vz7?Yg%UyjSB zu7kXHE^j><<}Di7;b3{o*n2FUrDd2%z%9_$)6UF5XCs1qSc~trMU+enRhGt58RgLB z9x$4__MTY~wcEPvtO>#l=9nD8ptLh?8lh0jy4I8P`qjfo6MW>})}IH*H;E5o1S)l1SBl=L&A#qbNA9GAksEpckesqI``lTIaE#&;-Tz4(wFDGlnpl+M`A#nB ztglt#!TT1g@?+9d{K+#&z87n9OA6;(?!p+Q<4DFc>uT^5=AQA=P0UEq%EF$*Wk+3u zQf2=J=%ltT)h^J6p~j|mQP!XU*?b+pySO&m^X(EmMtK?IHE;vt|q* zv!DAVb;|p#Qd4-&BSnL@(g#!bf7?o3-lTnXKSNJrQ|AOeT zjxVp7ZD0GOAW9pHNA#o{K9=5Mxf0y-(`#xxDLY01``J5ATIFc4vT|VRX=E2RuRI0< zGe>U^JlD(SuvuwCNhP8*ydSP$t`AQQ!FOpr&-WNWR@vCE zw#6UYeO=^FxugLbG+QFCMcXglLz&|N1lmLCc0lRNpb)RFBi)m~e+jxJ=b7eo8UhI( z<0!M?FErwto1i^oeyHbM}1ulS}?OBOb*H|Mr( zM7>GY(o(p%V$~&D*#U?1>2C3cvX9d~f1{{W$}g#vE^E{NS4J#J_VvdtgefudD;8LA z9_u|%vk_a(c#n8OSu;#Gn^W*VG^)}>$%S7B(A_Nk8hQIVSD(1H}Fjs7P}?F?7XAej7hh136Nl7{eiXw);MRQj9tVbRsBZj(Gp} z>Veh->SMdd-uXM*IWUj(b>!CwM`8rf2Nlb~wm%?8NW6kXT%?-xpZ~6!^D*d?^SNf6 z4B93N$`2Bl^=K;z{1YESLJdtu%j{6ce0xZ9|8htK8un_IXqgIz(%BvBro715Aeryp z)W`@lMVWpVF^(^hHl>x#V~zC&o0kZ)r{zT9>-T(bt?L$L`rAX#bUOq_ z&s|Rg-5^eK4F#ovK@x2EA^Drn=5 zoxAQdU0=Z)U4|3{G*IyfH^%t~W5Gp3Yf&0imHLC@YiX}vjm~>f=gET;S7-Fi1}`S1 z_YFFqUcFJVtYk|a|H`T3#_maJqpSMn1SC5SNqeXItYe;cd0~T>92rze%Ny?;CUO2_ zHiMK?Zzk;S@9pBqAVn(;s$;X zi;P+ts)N3;t@(TD+`OyT*8!U5S)0*nq{={=Y(8#z{`^S9&*J=>wkdn58JjFB)zCj( z;w$uAo7ys^7dKG%CWCyevX0@#;?npohGS|ka$p=Adcn05!*o{I`BR5b)R$F<(q7F) z^yFB8l+EIl`%fG_N>cQOD6&&+64NQ}$vXF_An+6@w7IR%aO{gixaA;k3iow)4}M@d z%{dg${#Ak1ruI%B|}q|S70?N zTMyOtR@r{lbEm5BS=B(#imJ0;l;o(%ANa>$y%n)(@m3nLHL@?RkbW=aHitZ6Gn~c# zYsq^F##~Yrxso?4UAa?unf~|7i%W-zB4zblcLWJSI?i>AV9ne|W^kPM6Hff2Tv?sU zVyDXyR`$=Y6|=^5tm+l?rF+y&jKb0lb;R&f{*Vgxlm2_f+z6*BI|}!`$XG(l)Zu)| zeO{OAXM|rrx<1o2e!RFB+Jw4|{g%x>bW#WZ7m9zg(=Q!brLa}r8J0&LomG%CC~A#e zZmS|Dg}iLMSX4?1`7uA@!eg(;BI<`B1})yFqC*;1o)Q6NClIG;A%5;MA+w=2Mzeds zQ`ACsO|6-^uf|!p0d@{nlvz=skA6>f?(An9B)re%Pi`|2dc)rS-bSF&5IFqB=VT#B zi*IqYA*JhBe=oGYLacyj+>qNobl}y&fF$8aVURBVMzoQpWSM;?2b4E@7hm04Z}Ai- 
z(sD1Hg$1gwHHbA;X-N%UTgr31zSMK%)!G&v!K>V$I2r>>X`EMQos~KhHop%(`_op+ z7yXD5D7cCm#lCqE-K`t6QegW-c+_cM%nY(piu@SUuj|`@CDn3oOJk(V#~Fx8Xl*jh z8re>j!MCc)q62&_Vz!ArmkM1y6VjK`x;kQF{%Tai`3v5|ZpF1n?_WE+yH(YCQWlF&G zymPLd<Inijd&>ulxd@UL`E8Bf+|tB&UV3C-C? z&2$slSzfPK@f3)GkXGN5H>EP8D_zsj04J8K~%}QO$;oT5L$6Dx|q$E zS02igm``l>&LiI!SKN}SxTS%jB*Byn#HZ2}k_L4pZY*yXP5=`vKa)bp$#kT&l6Ez2 zvUT=}SV?Y793f7(3M3f4-5yd~;xKPsY5?W>@{0z1zb9(Oe_*1Py-3~0ka~gIRaL>T zpVs@U=cKbB?`wVUyw@``Ov*)34uFch@^>CZN`+2J;ZOKLe1uT%2kSmkQhQ7KOj{b- z8&1hLr}6 zTotWt!lS-?LG8uks6uywb~9ANNGY^p#Cra?WV~Tk)O&)pIr|LIv^y^gUo~^j9_0so z?p6va7a+~;8XZ%@Mhz;|=edmVO%!i%FoG+xu%x9XB}D;DVq#ci?`^Ib6x zPdc(5UEjre9e!bepx_H?a_G^|e8 z-;VQ7pA71Q085-@qav(Yz&~r~1UNKBy8PBKFavzNyd^7*g2Y(98=vONSKQKegu=8q zo_hU^Lkcc`kwjZ#wMThbHMZM=2lbIJs_lyDjy7-Z1rGN(((@+ie>t}VwByRjI*{Sb zUp>fP$~o6DgD7r*$<62lyPTMjC^JJZ5|1!xwLjA)tsOJjj@@NQ{8FQ+piao(RURMR z0ICjZS-0>@Ls8wPl_4NRg4izc~z6Vx+BIiWORij zPpL=h4B1kImc7@K>QsN0vFu;9*BP^`lIf}sVr?;t3Fb2m}&L6$d(%L5TN zo5{BI+>EgNx4o4pQ%w5Llobb*rDdBUvv$_?n!C7Ba(+)S+Y9%_3yh}(boJsY5^u@E zCHXB99i{EsPS9I+#SCEF?G7EEKXhomxslOX3OC^W)l}CG&zKK_r#?!)+PLK6@9)S- za?`b|4885X2zy5Gf%lu1p`SPP7LhxSvN^t^62I*h7|^6M_)E}e@OZ26@>fZJJ?|*j z0od2GJKt6I9Qo?evpmXh5(Ckv#?|Jh>{(L~*16TrjaLrikeqf_PY7$!H^ONZc8ZSxi2?1Y_1w{4ynv{Ht=8(-^Zs>YikQ0U?L$b%4Ns*sTxnf&H znxk~|JExhhC(@VI0>M#_two)dyISYr0B#@NKiev?cvd7|cX>4Be4q^=FvRSW{quxK z?eOUyoK{jy31*gGr>V87gro%th5LqH+aq6(tA$dE2ru+~PFH+1S1mA;+$PLo;I%<` z6sjAjAxpzJ7Fl|Lujtb6~m&Jg290?*PS~Yg;wL zU&g9s;Hq(EDTDjXDkYru*Bb3gY{m6C$^tXqTj!58DK0Xp;rAIr3-Ks!y?n$7MAUE} zd!{I%RZrIe77waJ+W|F{J?@9gQD)|Ip{L#AkTsu%vvhj zP|$0@?y03D`#x}kzgx$%$MbY0#{Sh+4a?2~g|KMVgn5DkK>Y)k2cgD?>w|!nti`Ht zeLwO}egeReSuPn8%%XMZS%Fwvz=mlhfZKvHb2Me4c>zyjiO!C;sj?N5D3gI7KFqVB z6G4M98BRr^PLrkZ-rBeYlf1Adg=D2@8+}XvO11Mac+73JRB+Tf-uxc}T*F$moj~0y-?&<~8-+5QbfT z93==!eQ2vjzgsrozn|)V{%xBXa6t{MqqpCR_<{5rk4@!-`Gy-csGV8>v4{00|9!@{ z%oc5N8`O$u=+I-{4;vxVXH^epF5pchy!$8cP8v{Q`O@1<@ASU$3m3l2$O8` zxs2DP1l8vt9Rli`={#gq)B>z6jzGiK+mN>oKzOI9fm7~(b4&gYqbi`)PHz8IDv?Tk 
z8}th$19f0UoIV#PoTgo09Qq;0w=pvx{NZ_k)QuJ(#-5L|=>ourQbd|Hsq(%ReQC(C-`iE#!~)2VeM&-UlzBi;}YXLyY^k zALy5jz9Ho^ihnBWNX@+_%8)&_zv z;_1N+ts+f7{LjhrFE#*Ql%p5XXg%3Czqy@6YQ^m)%|fwnYucx?W9d2fra}@y_~UOMGHWJUhB}_MdCkRNzbWwTU3Qt@6^mnq4~D_zyG{`gT9t4 zlA!B9UDRBOqA%tFR_=8IH0X3UZn?Au{XeYHd`JwQQgnq#xZ8ckRZH6}N+Zyp9{7I-9zgS6 z2S2lZ7q$zON9uMsj{qRep6EKNgJy2v*8%Ojy+#hQ7ufkg{lgD5{*yw;tfx@_Fbb82TyMjjCaI z(zvJQw|vGG2WDI!I23Qx0aZtl0Kf#PR{O?@g{&xnvDtt+^bx_k5T!bU)I{65tBCtP>E5U2Z6888;qgaZpb~ zw~8w45@?d$CawHqZT&684&wX;jn##&yOn%YXX=g{b|EJ-yFLQxVxlDF2(m0x7qFc@E#xo&m@di{ta|`H>PI zR2S_e*RE&37nYX3WBULM>bMXg#}kM5-0Z{h ztFAT=6Z_e>r`;Me`Ox=lCBnL$A24y7mHd|X)VkwP{eO*6NC9pH z(kOqItJsgf8Tb&QA0y@?KHC|#o$iPGik6>SVqY%NUaynTc1pPP-o7bcXRsdGweIn- zu3=c)#Y~|1Jj=YT4ylcERu;L*R%z{Q(wbFIJ=Pc9nuIzp6c-H?J59ukAapW*;eC)W zCu$Q3%2CA`rJ=w0#_(n!dwzth1j(r?#O}oEcIZh)c(oTKPSR!refK@L+%ao=z|#QZ zaq;KE#bo|xLA|(K^SmF*CCJABeDtWexT`~YDHO|knj+e@Y}o$IlLJ71>Z5liI~`sD zatOPSaw5lP-u%A~U_8a&D9};84s57{jlK&O+w6Tmm*xC`f}^#V1=|&65utxz&{1)K z$R^0aR}i^FNx)#>v<5qxu()Tm#m6u~dp_RDtQQ?9(z)=#j+6S!KA60=e7PtO8gqo1c4QG%u z>OL}46+cTbd6XBLf>oF5R9RD8Mh6y+j_F|F*o&Gt4XW9I{_?RO28eIYb$^dWUHQV~ z_=IXw%2JK`&W|h0p=(2CE5lru-rs)>RyAF2FU;G`%roIW!Pa{vg5`5QHAkSVy#T=1 zBdXvg{wtUHnqogr+gDcwKuo2}gsF(2V}25>W&IUrt0)#%dfV?|StLBmr+aOLB_}rE zR}+2Rtov3GbJ}UXfF?p9w*N`VWoKIci5@z+tyRD481B_OVfAs(7fc1b*GqfYQ;Ti4 zSA!+g0OaUFWTz&C-kO%Qy1nbus+TrqpQ??LCRu@MWm&&*V^zP zUZ|Tr;P3Hp2w0S)JsWs_Aw8I=Os^<}t&qtYNZLg=`#J1oSc$|6)MtpCky z0w2|E)ChVkh9aCx_?<_myluv^FPrsiJxluf_(x9hOqh~&e9Jd{Ioc2VE#l4H($|jx zpmRgy!@$QEZSPCm)wIVaGFUk0k0R9+RT$c=>v00{O99Qr*`ui+)53d*THY1^gO!>S z9EZNlE`*QJ^?r$|vSs}cRzYA{WJwLx4%j*j-4;!wPs+P@+xz5@zY*HnHgVL~h^GVU zM{7JI3M=ni5xmjF+x3x~q-I*L3IZeaZurj#+vL3F6q_N{!_itwUgn!(%c_0Dg|hm# z;iA2LNBR0Y3oVNtgDdCs-zH_MP-`j5`z>Dv>0R+sgF5+;A!%G~D7Rw79_G?!{cTg2 z2U{TRFMoZQZ=cW_-j>($l7^N+#e+BOvWYfwnfyM_pQOBgs^Iov#VKz*?ryrXvdR6} zBVo7RWsTVp^FC-oNw=oUiqw>9{y|-!fZWdCHtScd&3--_m&Aw|t4nKbf8}>5Arlqx z@}Yi<`%R}3Vy~&GSxvq!&J!fqxw-N4hwK}#p7~6B{-niq{Ch$dm;4?wP@%gU-$L8v 
z)tLWuj8o>DWxX8n7oOPPicgw$TuTbzx8OK%9cb_U6#mnsZ2L4{-=ngWA`cUXZ9w=r zcp2V@elnmQcrGp3pomRWQJ-m+X0JcASn^+ns~fS4(MPonhC0Zx!QC>1V__115eT0 zoK5$P2Jbs@4=AZ4_daXYzgf@OxwY}JWFD6aD4cvOQNtzIcX$rUpLtrr2}uSjK*RR{ z`-f>RBO#u|pHo(c#otXm+M@es2d5`fn8h#hxWQ}P&1Q^n80D6lXxjgxt zz)Zal8CxI<_xKAaR@vrr_6ctlexH0>5CFJO6UL!@qYnaGaJ#T5&xlrj%2!HLznpW4NRgHYZ z;_GA&&`<;2?3X6fv1j&+n-!lA3Jg*C_ZSRWAh0!&ISNf(tE|m%V}tb9`XX#&E=HX`aQh!-%S( z{(`i~FG1?Uw?y8}iB7JP!nF&>+q{6v0ki$WH98sQg116?c1LfJUVN$V{pUgQ#=U@7 zjVGZM4o&AX96!V1nr=5%cp;#z)WtiOG|?qOVdvJn40uDwv7MsyKl`R0o<|2pT#Y&` zW!jvq%ZTev3=7^RTdZ1X^{2g#p$uG&B)O4OuwOPOzf{$+5ccz-tZ! z)ZP*ty}0KBsUj&rC4{A~+&7nFvC8n)VV(;s)>sdF9jiBBTM_P0c`bkw#N=I(f6;T{ z#nvF9bj8-ua<+3yA>>UI{%?UW!Mukw$JLzy08i#&u~=a|D6th9IOAy?&4;TEm%R=U z#^NVC{lx!VH*gE?p_c^zC{|Bu|H|1svm>ZDkgXH7FowV+cZhv`WzW7+uUa%>(&S=xgTu`Vw!8)9m zTb8i-jk)=x#P*6qYx!exLSU#IJx5V zSHmf?_YmoGT({sO26ntVO0Z3}g32iX@9^EX(KDUpfL=U_5~t7qxd+E%fsq zog%X;BhMLQ7$aoWQrzygrW;CjUv?o)a&?H`~XYc%NA(Jdpp-Q+lqgfV*3zPGG=@3pzF5yrWtEgL({3di$FW06Tj9x!4L^R!naTXG z${)2>CjBEY@|m&H5Vr@2_#>Sm{-6$x+EG!)3aWc!WO_C#m}z#AT52Lxzm<=jWartMPXugRzghuQP1DT88z}BJW(jDW`Un&>A3=Ilom)V^pEH zQ9XI`%|P}bv;V=($*~-uhi8_Prj^^4s^{3;!0i8pc$+3tq}+BhENdVv=>r=ET{-R2 zZ3{lJfVtdr5cEvti|3oX@d&IWKGPY%3^B=CxuZY0DkYX`+fhsFt1Ao8>dK#cmenqcPTU%Z%3bRtNW20ZX~G!qnb;F~!m_gAg(M zDK26M)r4+-+Ec!ysUyb+VVk(WeQ2pLAQC#wCq&45XXhUnMAJ44S_7Y?4Ea1->QAZ& zLG)D?9XKzn?6_|Dx>ym@u@_a*3+?>maw#|FEDrvm6-j+$HfY!CLDq31Co|?_$&~oa zU0idA$LnV+m%dKI&g}E_YB@%-pU)F7C~6g&YW$CdJ3@-C-mJM15TfMVp<(zdMB*wF zSc9n{({177aV3i%rH%Wnh0b~dk!{|NswNH~15P+}W8#g!(*tqyxS=EsX5WX2G_|4r zyL1b=BKik)V%`mg>}+_fif`17v*v15nrd}%7CNzXP?XPI{oSvgB&(BMbYPb|i~MB7 z=pWQJz2uRP`dW7JMV#^&Y@13+u_T_Iz(MJSR9Ve$k;0ziIcT-7sza+Z?M*KF0DVY7Ixu+Sru*YXcuH$HidPm)QWMGV8CqdVjPooWaB3Ie?8s~l%wyg{9 zubXvxh%aJV+skStrzG;7>jM)DtA=R~YLctK$v5hH*R(cU^8AC9rM1br7zD_M(6UGK z6k+ogy*1($-PDYaaXDz`@cHq8ygF;a&2?@B%VqGC-!1{pY4aQ4_}p(Ii0pP`r=Gb; zHb|cvluS;MF>v|l{A(I8x_vAh1QKPI{to) z7_GR{Ft?pDHbAsFWv+yK-k?qxb)p+rBWAnk5A$T+i7^^yqkJ_XlD2swHX 
zgxwG3N0r0%z&>MRy~M{Fd5i{a+P$%`$1#7l(J3-(?HF4u-r%#>vTz8Eh#GM&r(1m5 z(dB%38*_W|qyKWyX2@vw#~kZ9mb=hpi!pAQ{$8UH{GTspo^%R6=KmP1&usttF111r ziLXD^5PZ+smGzc&z6d=edcdsrL&&gs>90-;*EM$7!@!I)L}y2{FO&Tj4)4*94rO|_ zjB+N0)6r}j&I|U-@M7CHKhscTjZJcp5uR}uYIg*ei}#dP+mN;Qlz?I-S4|twrcM}7 zzL(*a;OW2+cTMbsR{vw)0b}n);uLMBzs|VKY`Y#h{v@IceIWm6gGlQVKZ==8G_OT` zHP$2_CnZ8z`3a+I!q~_Uzb`yE`OD0DGkhZb>ZXZ5P=^5=-o~f}uM?^ES0*3UJ~9*s zK3soIywjO8a)p3JVfa;}3WgCHrdek)<$hoP#kSiy*^61JW9s$G+pV(Z125yG_ zk_1ATl%g_?tJAN!@126<=|Ei4caK) zlgeO*n)KAi^N(~e2!rdp4N1CtDfTMW*w6|6&RP=o)?$(I$G6mm*&NqQ&9KW8Q~e0d2Vy{F zNO`GRJUQd>cZ06rO4pb9N_R4fVXeI7Ke${Hk_S7|roSsVGN^0By#7wakK?cTTh`KN zz%6TGgi9vQR9`Sd?70`_NB3jTwj@SH- z&ekda03LCgze3XAE!dFKlY)*Lx*jg9gjIj`T$eswn?}+c;8ueCvr_SI0vDMBEs-i1 zVyc~t$2+vC2=ZI^`n_MNd7{GhclHgY6|O^v_$gypwQ>&Uclb?rPBSXJ)3#EHQNb9S zdu?qswzS1h1tw*!>VyqGe)1kUdNz6UfoyQWdC(;(cuSor{|&a0l>A+IS}-Jt73N~J zWbTs*8?D?>caO);a@jihFv*Ne7p-xtoD{0|PpLjn&G%Kk_AW{aONu^~A;vaLf7wWdTpG_{PZ z4B0E(SP@}O^i)b%c?vfK$Kc$M(i}RI)60doDJ-;rmn2=&nQq3$Vk-Dam~7u#@BaRx0MbsZ^L}ku zoJ60ni2qtvh8%5>v9b~3;vLMIGDw~wo8H*ukrw-V1_4*{ebiGwW8-Krd zh=}7fS%heO(8l;*b3T@zmQ?G+hlr)R@TecXNLzJ8jc5^)Vn}O>G{oLEeujDMU1A}; zmyUU#6c^i$B8XpbsGFg7kSA18_hkz{u2SBQ+=V?|7E<2(&ZN(V0$<$9D8UvUF7!aO zytb8HX;e{S@^QmPub3OzlOhi+*r>)!1Ek1^8lLtyj@AZ{j{juufn_~T_7H}| zxjIp_&U}0vny%`T-`L`|P(|})3&3Tx*$V(uDiEVtbiE*HadF0SXd*5V8m)9>l-Z`Lpr{MlHl+m6#tye=sB0gUKj>1r3{n4YeZe3 znDL@WBh+m9$E2USrl1WXCVLGw#ehd%`=yMF?vt#K!&kgX`R_#=X>NuGl3Us+wKrk) z7(87cs~4^5hxJ_XcUZR!W{!W{G;nDQ)}t>h#*5kHI%|(Zuj1psS21lxmQYf=vzvo) zK^N`*Ff|}mJMdY4n-ryffG8DLgg(aBiL~Kr+kHzIMR8J|=leMPOfu16(%2TE24AwW z4+?DySiux^7BOD3{t{?QRLwN;XitH#g0MzRpV{4R?}Mw*G zU|+tS!b)wlrg-BmSkTB4)Ob`MykkAx6{Me{VP@-9B4J?2Y6FrOq2J0Z>KvMV8DU?jM)w`&L)$uwj4g@eJ%U(aAAcTkmf6OizSa zh{V*72lB%hM+WCu^L@PebqKy5tcwxUS{LM3jFnaAi$-?-{W^;Wa33VFQ?6t2`hDw>E- zJe=(w_mY>CdMGZ2=p!fb@Wk0nbhTL3Q^=9;wZ`_@%o4L{jiU)Ne^}E7oxPZa*~$xF z-Jtlf7qO5p7QMW7S$k+Lw)&gDtt+YGVdX~2qY&UPoTP<4**@Ugx$SjN-0b~&AU5)T zB9T43&R*Q*!O8um*war>3?}Z+MTqvY^V4WN_8<&+C-Sa*Ad8ql_hlAKBn6R3B4@pR 
z0Ni3DPFlt+or)~EJbn3KI!>DQa|+L2!Wl`L-|@nYCFo}yC3J|~`W_s30zW^&>J`hg zGpTVV=Q9m~nwNs=JDg{CGVr|u3;b!HjhepyJ`tPdn>c9sSM9!jo5#>~WBl#2fS1*W z?}{DWl_#0xW-3pMqTa6(O`y7|eokc$!A=j^lys#lcrrqoiBG>~*U0%4ByZYDRghC! z#B8Y=KE^}Jn^~M>T@1sEh8ZP2>Tm((`mFmvZH6y_F;jX6d0u;u0sic6v`x!c#>VgEk$6i6jLCO-5*|mpBAY((F*R zwn7rsLe#kh#1AUbYc8uadn{j0mmzcKBmtRerrP$nZJL6m$w`K3I&rG+>m;xU>3aKUJ(S_H0sJI ztgCFB%w&k^EE^!$>cJ#twn;E{P$U=hBPX;CkF>crv#EokTT@z5Bv;~2bZ^))aGo5g zUCLZ0j0i8Rav{fS`<0|~RDqXQrwYv#_|BqmR9^y?QPxo=eDX;5;0AF(?1R==EP7lQ zZVXm6Jt;$vXlsit#mwOnc;`#n4{d%{up-~u=0bH2OI`Ijm(DJxoWyh$!jcNMFOwdt z_E4jP%$^5++4#MKcJhQH`?Y7xsGzyXs%52>P~0*<@q53!SV(|s)^M{=e+jXW0f0TBkeqjagx=;)R`KcJba23MR`T0 z!p&R)G~IhcrJ1h1Et@^FH;RXf?~c&N6e;07J%9%kLj(PQKC3f1V2 zq_%kQrap))0L%BSHlsB(#Sy(wT-tcEqV8Wl`HkqKbj@($vPrB^{j0G`Xt*m{n?;NI z#Q5ZnKd~4dMkpB^gZ_0%p=0Ro&pkfktj~##%Y7dG;%;uQy+kRm^ebZi@3o=_7l023 z5nddzDJ?DQkT>P$#CO_Kr7inAPu0JlqEF7c$ZU+FJiJ4Nt%aR^HW1k#A}~@?C&_kg zQT?puY~62_Zn@==l|evJY1#8H5wW3kW@Xy?6+gnpAU_EcR{ts%mW^~oR0ewHnEAb6 z9QrmBs5jiL|4E)dZYSt}X#t#fac=h6_B>A#`zFUM-Zpw};F_=KhF_o%&lJ8%-8$y* zrEl6OPwd0BYPHAcs>Is;y3c#B2n)?+bOmGM;Gg$453@E-1-FSi^h&v0t;}-n*?gt{ zeWx3r>@nW2@cYO2o#EP0m=d!I`7vyYDxN0u|Dx_aqnhl#wO)S#kLLlLF--ixRx z9Vr2&3W$JoLX*&&Qk5=UdJ9E*hagpobSXmU2_1q!Xy?xJ-+P>QKYN_V*sJ&Xwec>4M9r@A`GeiuOO-^Tni&Dz$y> z36Hbiwy_U8TK#6D3R+Gm((q0^Fq}VZd?AnPFM~Two2m`HGX+^GnF6|(d;NXFM>#94 z@fm#oi6NLhQ-0pI;UP10>d>UojtmtCEdpD5JvLPHAT9Cne0_5{+c(=6MWfRATFFBT z^IA=WmmIWT$j}g=Sg+{QxTkY=h%I*~@DA;d*lZgK)moU=1hp|Tn)^bR-9HvU^^f;%@Lj+Q5hI8Lf_mlDM|^G$*k zjvu^CxG_)gt5)qxOMi6x%-3| zVUpsGx!xUs1IAg)`*r56f&+YH3q9XInMfb|q>My~k|_-FE_3M(kt+?0;2QQ8qlY(F zCar<6;?CHFcMq@U)uW_ zexCWhDNrm@cr3>|_=Rr2&ZoG`qdC#?#iad$D&aXJU)x3(ZsQGV>ncTWUCrd-JiWW` z3kxnqw&p~UdKsAL;l8?^QnjI^DfLlGxuw((yo@Ow#ygU$FMjj0L3v~pyi>%|_ILcY zMt((q?=N&voict;ambeB(f=u3(q&wDixo^o@Lv8jt#)<9fW_a$(cZZ-j`vDthe9;G%e8N+Inz{hypn1ZL`d-NsKX1)L6~m;NC-3bF<@*Ob$7EIx zjTkjQNRw9`1F=^^UokmVSRke0-XMHL==Jrmz-3wbZbMKU@z+c`hhqMQg;#7Y&U=hN z_?awEVBIR$BU#z4z02d@Mx|CA%i1yK?k|hC-hTZ`psPB*pDI(F;_@4B$7NpCR6440 
z`V(P}P5syVR$b}ZMQ8D}tLkHM-^un=;f3G*-do!wrx`rCoZMDGdNjs@ia|v`8}R9? zJZf%iBzpVJathmC@pr4mAG-vcOf?~qNmMH%^c(j#x5ohNc;^s_Dg}EIlXr|uzAq4F zBBgVpu=*EMs#ejBI(5jq`$CKpn~i7j38)fz-nt0E#1YufC#!nWNRh-LI8I_b2_g2( zUfI~xa6SR&X5)<+)%4N^H&vi#uCmmOXS?>4=XsAJx`9g2AWM9lwN+1JwAJ;WGv_c= zzo+#@^Fy{zZg#@8>JL~`P#hB8W;Hi6oD;~UB2Ln09}g4VMixtp)4KPzKTgws>Dk?> zwECkZKZq2ZQ$7nr$NUpjjZ)!NOI`@GJs?{}X4;IZkPMGI+CZ<(SJU2AMOvRXxDILM z?(~*9#KzfJ_@Y12S-omp+o==T!HUyIl7sHucXR*o>E6U9k(cRz#g+ApiqYAgVm*8y zZjIJ7%6|{bk!N@zR6fpxNMTejM+kA)|Ik39PI`HNGa9zerJ_-?mOx4ST zbPP3;H=UMGe`Phg6__*`5$F*2Dm<34STeO|P7(dRTAf`xZB)6m8mk0OiIW?LzIQ5) zRP&o}C@Ui{T}w~AIoH#n=Vw;Dz+Hca-teOcBOK4+Tf2NC`JM{|$J_`_SB1V#|H{38 zHLqxh>OX$zg_EDUvL+jodNyE0Hw1|BF0)M(76e(67}cylnqwH-U?{>P;_}f>=6in# zVuo0E);q_2Ci~R7b&k`jgog6J*J{!@^mPkdj?&f!20f?a$3P)>$Idx^D*&PNj#m9p zkbO*INAGeJW=q((;X_>~d0&m+zRG1uI3uOpM$!s612&%j>R@l>^%wHjnOD*5M}BWz z`WmV2z5vWskl%85$VzZNdcnWMTbZRs-c};J_4XgANju{$-tpiFkRh`%u?(He_}a06JTO_{Xt`Ioj<7gmkXbfM1gd`BX4>)=5opO}fgZeOB6 zYxQu***j^Mbtza>`IB7VW%AdAvK<}nHZ!$FjQ1};!}%O%uq~t=V8^-%*lMX&^l5}p zs@;O{gGBg7z~6GLFG6-`PtUJ9O}s{r9jL2X|9tYhD4ivBuE7zwDha8J;AlVEEr`95N#z>PUIf_4o#84Eh(gZ{0N zE3zo|jw^xELcMo%z$)gs2f|y}R-EG~CoI*(?yEMVYAw@c_1JZ7Wu9PM@$XoE=(;SrooHHsJrxzjgE?JoLCZ4QTdTCJ=ELwTR-^J z1;+W9`PZ^Q>Fj)0JXw7(i3h*#d8_}WHFtx_bJCAIU7xKVtW>}`jj#p9O)7cFx17lz zit-kai?@`Y#!YI!GFhZ-191Bu`m14NKSXv$YeESx+U=a&Zb36knGKQ~Za?cge z?Un6f`6>Qt-7lNa9AeKM0e8YuhrJIfSG79^H^vf6KK?Y zb2Pn*t~If;I@*G!;$C4+HUH-s2K5LG{c7p=hM64=d!Hdbg-bE7FNXsk3fHv@62SQ_ zb{YQ(7A1VJjEYnj6->04BpqnYudGb%%84E&of2gM1Fc@UjH`C_0uCO4-UPgGi3~8T zRmxUQE?ouZxOKj?QZIL{DsaHyOp0c);;?+j6pPEr)2Uk1Mzct(vRo!|(@eYHcD5z9 zr&D4K%e=q8rI`c>_Y-ewiQW-m#8uoM76FYy9nJCTf?(vxQ6z`kMb@sC~+!NDSpqd~{6z7FIaPT&2p@HZhzK&qCK839oz;H(n4nMi@DAUfNXd z>t#I3DaW7Q2eyxOt9p8|0fKAmV@HINEDGMcdJSVs5bsVJ>;RV8Yu-VU0i$G|O-{#d zB{p^3cn!SM(>0RDBS{$31<*KrrWscd-}28D7;vA2Au<*-sawLUTbptPAoB0q4G}|A z4P|5UHB82{kI2O*ga(R``VksdAG4p2=v84ol1-QgOV z$(`gG&Ds-n+&I~$UV7U!T}>UGZ3NtbT!F}dHx!!e>us1NGcu?>_FZ+8fekPGBs&>6 zLIIKC^#!aev?FIdr6L2gNN(TGuu4(upKA# 
z*Y!x(`?HmKGUGl&&d^k?;__QWY?3FZVIuO983cbkWg$Z|wTiM4jn}sA)U=i*5q^Le zs?f7$O7gcVqYAwI%ZEAZKkNNpaNG%!xbjVCUi zKe>4``%B}Y4Hb!FEsq4XgUONipV2@$u3fp5CoVEeN;5gV7K)Z4i|Xf}@_agH&=Ejd zfzEooM#rdoFupex@*)pPn71SNF5pw5P1i%io%a4~kVSubNNoQ-M$v-?k_J5CEt#^& z2gbl*N-wUCwl?q%z5PZhZ(P!j%7L$K?<*sQ(S%A@ssdg&s7ORC4BzF)CNB_lxY{Sj z#EHj7L=o8M7B&AFPsyZx_@e~!-73_7|hO%4@r%Nff1|hKPyr%$)(ll zO>c%uEbN7fTYB8vha5V^xno?VN>ArPn;O?)I`!})g|^ksdZ)F1p&DV!P`9L3(QXeb zWE3LsH4kDVc?G-^J8_;_U1r`4vofU*i+xo0l5{ncLc?hgExfEU3?B#x)u~d?J2Q4u zS?)6y2Itb3Bip&ku`UWgTJ>`* zGxchLqT9@Wif*Id8slp@du);f=5&XvfpI>PgLjveKVcA~#|%7#4Yi0#*5a7uTW??q*?z#l{UR|ISOf1FHgle z!B?MUYz$5A`T__m-alQWYvaSdb~7AT&zoZSm!)GZ zhwojGzh2Hyt!|xYy*VcWCkr<}OpAjIH)30WE~1P>N>1wo`;%v!^_YMKshv1qzdB7w z#2$6d@IbS|tENcDqKv|HZ4I<&!#5s$A)s4|zP)0?fdzb`IKyUdff@CS@_8*S?vU#8 zYrz=D6q~J?O0zFI@fwEK@fx!WC0oN!eU0_7!VOnQJbp)yQKnP%-D#<`Wcy^0mHqHU ziG^1^(kX;zevOX5*OA7`K5YjOA`pTPEFz?d`u8voMBckbMd?~|SPX4w^)-pycO~MA ziYqbhyTL@Hz=7HEvKYePhSHnT?-WF9}s? zrblygREl?leyrRlVstV)N&t&J;42g8>7x%G# zCMnSYcUf}(DIwc1hVsQIfGy^ zqN05%s{UwUd+LkzgYaRe$vxG%3EA@0&g~o!&7RV#FF*>>!^J4xpEeT_FkI7R>Wf7C zZCNl$^DJ{jr1^9lx@G(4(+^XB;=a#nCPZ1KM3j4*iZ_jT?4PLoQ~92CzM*QE_sBEa zo6>=q8@%xcke^D9OKvD8DIJ!oN{&cyv|+AitnYYCa7M9v4DPiP`HgUse*wH?1}7Gt zQX7lBH(K^W#FaEcZOL+j7Nlr<+=>w^mJ=Vo7L3S`A4*gZ2Bj19rjo@0^pwFpPRjFj zY?0$x@O~nV;N=``(7g&!g$)f&knCgGC`Tbhjq{?GF-4v|bI3>+`ye}y44&M_{dteP z{4_v)IqNm_822I#Uh~!mCarV^ z^W(;L3>97{CqnOqF`q4BWZfUWpHM!U5^aeMvk6@=`kmeKv+}JsO{mMJ&ea1Mb;cb3ou>85Yt8^(h^^T`fqi)@ZuhML&&051bLB!vtB1$M}(v}Wn zY+g2&BIsqBrGg)6`C)LnqIAi2_R+2Ls+LceVD`^0{}ta$SvESSnq04b_#Qb$yQQl(B@R$hU+o7#E&N7dE8Qv>( zcNSpyTkqg3|LQ_tbcvAqZ<+Qw>hPu-_Ye$aXVjdJXx}ZZu~7Butw#OC<{4E}Mpl=k zKQq0*pvMLk7*;p3ZEd%g;>(kE-fOl?;q1dtrSZ5-Eyqh@xFxfJnfTnz@;2XGzXZFU z!YiZHfZ;Kr{L|=q>Tkm(xKR%u)onFCeosw%*CaWO7p63PLyz){2Sz+JFxm4G(NVve zRmNhhtI-WormGs|O;~wdBKta#nvb{H2b7DpY^QB-FH?@hkygJIuLAAw@N}|J%V?UW z%+@g#@AI#2J`&c>ef=t%7&dDP%VV0$=cX4y3JL~3)>s`#A0ySd*o3A3LYcW2?E#ZT ze6$>LJ+u&T`c{8m%mma_Fj}}Xg12F=Q-Ug&Nlo^tK`q#Kx=@b0`+61bc2#ztPd3_Zl{WeXTEM1Wt`Y| 
zKEZNozBE2TYD_Bp+v4Q}r>bmfcTkg+#^-2->Q`Y*4!nEWz*4*EWM3A}iX^iS=V!!j%c zepAa6Hc1MT*>s820n^0Hu+6y2jGa}ZjbWdh$J1dyTs~6l*bjJ+0^v z9(AiQn32YA^8M9(srj1Ar=GT{Uk%nRZB=6WRpB^+6=hh;{R|vv$M;x zZZ*oyNw}~wk_Q$Xzq<)&$_BrXf(#{A(Vh{SN2x0T|wmt1Gn7K95n?7!!fLN`C(#JnzF`UTKFi@1sa!Z(oxMsnmoZjA&qC`WM%c3Ob2au zJ=5x8WpUX0mn|Mux>}P0czL5lH>c}Q($aP8H%}4NGdnwjM^I!Stb&@Xgf%QIQ%-Uk6z}O(XZLlCFIPeO8EHu@4`^TbQ zGUbR7=V8#CrM%!<7+M)$p7is{ZJ`$ntEJ_4RD^GR>V0sguQ^?;+NJ zM6XnzV$6O%g%FG;bw5EBPq^iO=aX@N?8;3x&J+palH%oQ4%Ke|#8Nt>Nm*(+4N!ic zo#%x}PYEa_1GD!XP7}UdrVvp7NVobdR#+{={2^EtJM!5LeeFrAQ;KN=^rzxq0Fn%Q z=yTAm!93scBt^wqM9QTx?Drwyhi-K;1V^Y$Iss+yiyUEv6z54&HzPUYfw;seRlbJc z2hnMpSgX17XRC(&nm!DvkXYvfQnU*9JF#fYC=u~uUkuhZ14Wnc09qMyEkeE!`6xAK z&J~vs+OwdJ8a1YtRbXTUxF@VqebsMP$)Pud-iz&xWIae#&PpyACD~5f}|F0j48c-MF(EA!w~bG zP-C+MM$3K(5IF_#(aG+Wl@8mJ@kt>^4GC0mwk)*GGmn`4;bNlS29Glc7ERgdFBeO7 zu^;KpAU%ZLz_dnCYJ3O&AJlzGshUW4 zwSTvzrgYJX6Q5$-iZkighPr>9xk;SUMKRns-sZFr3X4;Np^M_~?Q7aezrSPT(iqZs zw~=rb{2|-kY44ru_z{YY*$_SzWX1*z}%8ck!9FD;r2+zIM_$Gom-Ztc;GTe-RRTA_>A=XoK^%0jajrdE}SBtTN7@bjSinj8o4ulThNf2Ms%m5uVB6ZXhx?W(u>g$2_Tbbciw_nQl zRvjxi^3l+5>2a#uCyel``MF2uIP&=SPYBHF{*j4Inhf>i%ci&_;IqO;`&2$o;m7IhCsYa;>5rV>!U5EW`bVZvns@d2p59-z-hW8mqA>$opGZ zJ3ug0i17esGy=}LQw~A2S_KL{g1&+0#y<(&ufs`umF7ca_`Uj6AE%v@Ie+8m>R2o` za{o-#oZUlA{kO=@520%0B+Yc>2BjUB?Y}-FbV`i+TosE=?e%({G+u5ADTRGGUgF((lzn@~3P!;3A7ca0av)HM{@?iM*NwLc*NEKf=3EABugmW25bu|fmEFJb)7G2!*zH!Y`d#%f%f!wb zYGw_006DzNpjW{x{@*5Y0E7hIUy-mXJewfv5kcuKUqHsCPjT`C${cor3%5;hP~CNZ zd;L)5n)E-s>ACbR+F&=$jd}?lke;;Nn z#EW_~`ya$6h9dBSovz&w-Cu9Sy8&(d_gfDnz*O&^UTaFn&(T)^O5?C~*C`Qk>tUZW;yN6PLv$M{cq$e#TkcGzA3tD9vLB&*lU}HXw2~w%&;yhPTctjSe?cwszg{C++%NkGU=*y2 zSF4@a6t0gzH+Z8v%x+Br&;_}J-@wPpAf5vwlKK!5Z*YRR6r! 
z-Y5Ql!%rBr;{Vj=@DJzz{ZIdY{Hn>|>v)!g0U)180(^f-$aO=~{}0?ofR&<|q59o< z;JKS$T^v*5%@PbM-#neREh$TU%BCsw+4KSfMQSTU?lJE9gMuxhCG#iz*Id?p0m)_v z6wr?1rI^IKfU>X?Ak#|s@i-fh1Q??5O(3Z>0BB{7&!?K+qj6t!PpqTctA#c#s72ub zDBT(F$;x_OfOLL_=6Kb275c>Y;HXi zuYyDYX`LK@=e4+#Bz=t6rJ}Ma;qTbrMrmzlJvY<$Y{M%-0SyAE*zFw9H*6$ zhinQnOPS793X_-HG!Dae#`p!vR_rQ4#||w=lY0Q>f=^~ck@8j6U493Vh`}a%j4AdT zbqL-!#pM!!#>&43b}suCzSkaO{iQL+PuSkvxd4RyMtbb#2Nyb-I9;n@ht|`zV#KRj zTG@`^1$>+V3x|Z#t5@mmn=t+KX5fj4oMAATHk`wY-T?Jq9&hQw<|9!?w%!=>%X|NEmsdLh!~m#CXDr8u=TK7Yjc1>H2TsTMte) zvQ|^9GiWnTe_9WLYOUzk@XHc_cu5C;m|JE<0pO0OC6I~;l9CsH3@hy|r**G*+`YQF zS1$qet|(wH-A1wi{6tzXof&*GN#6yQv47P?kNjn&x9ol)tQHUN-{@=224X%Ysejt|T0t*!!tAW+VI3#VNG5eZgi z^s>YgOgiya<~*(C70Jy7hLpUs=eIX3s96R9u?{`p$P=Mbfwvu!*)pe0m1jvZ@14#I znNmg7yupu<835^};OpbK=I?K3^II-|9jt$xDdMBMKlHy4L}moUJSiW)$)BSr|4A$D zVIBJ#J`6Mr-WZ+CS8xu7-Ha&`GICNG0MS66{O$w*jY#-B8XN;MiS1IhNLH|30RVDI zLe{k&mH9&r7TY&f@Cf?~0Jo>tc1k%cf0!~Hj3-r?<1f!9g0RsS>=et$rk#D#8ri?o ztfj3u3|7pAk(>wxbOwCz+Vo;K7JIy>i04@9AKf3vXiYzObC_Q71oQ@RjKa zP%kPCgU$o&uUo7Qp>O4h8U05uWZT zSgoA~y(XXo=7>xJfHfFVBTv~|;AS8nXY5B>lY4Y1@HIQ^067^x4d8&eJ*2m*brMWZ z5J=$2ZR(6*Jl~ZMj!GBt%%eQq{HW>kroHaA*dI>|*elto^S~kIHeW#QrpJ^Zk15RQ z1X?x1O9g|Jkh!zdVLwKJUq=7~r)rcH!-aJKm~f?TPmo=%xn4CB`eehtf4?IE*PQH_ zl1+T}oZv3Sdp()sh9%e2oPc425NHcVZ^8~1Yr5;RE?x5Rflp-9-O04}%tK8` zw?+lP!L1w3oC9@yZW~`$1~@jT%&XJPl0_|FKq+0W=j90i4|R{T;zmyYTP)4+QQvEM z!eoSu0d5$5gV7HtPuxtf1xDlZ>&V;b&i{ALmV8CnVvk(BP-m+-=IRMn-^~;?6k|}_Tcw= z-=h*!J#y_SIPg#?*3&&q68P~{A0%G?K0eUvXw?EFhcEyNRFXguAge4JC<8~4nM$Pj zm^UcMA*1mjK?$rU)4V!Xf&t2S>v2&IkVGs3h|F3QD2`5GU!V7mLdyy8a#`NIH2sVC zL{=;ZUnFFr!GjX?79M#6;r;rz;fXBX@aY-7{oOsx%kiFykM`hcs_|2R4ki9<=03+^ zxDF++D_(To3E%x-3O6!dhFO~xiM5n9+s#>_9zBpU`xp9npz8)uN~xGAvmC#!&^c@|Ckj{6F2h9Dt(xqs!@n>}48ipK zhXsHO$t_SBm%Q_vEE=Y{F7QRT>3Mrgqr@`b=WH3Z9HKj>17bcJv|i8XmYKgvl_QqL z35lGq@ow^i8Obv{2JtOH$xB!9_zzpy7>SRBPQU9p*bj&=ox2o&ysF!mmI;#35+G+f z?Qn8gmxvW|iy#{;muL_fzjw0z<X0KO?gt`g#`^DWvR&(1v59!AA zNe_OP;}Mm0{$_WJ{qWNPGt&}tqjyn@9RB!Uk?iOe*_@p|T74h|okT;2jj>*%wSiSj 
zX=_TH^YO;3z5t7$V|Jop1$ro^ArrZxoi;*KNfxJJ$J9ha%^ulX*z8p1HMerVRz`y^ z(y22>V$bx)ZBQ1-`3?MG>o|CLpTRK}mR3#I^&;{1RXnvA1&$8%`};6z2Vk3~Qpxo9 z0T3h1H>MLMuRy*Hg4ZqpgY*8ykG^w)xh?|Sx77IZ&`gt_o3u43W;t114^heqiiRp9 zx6etn6kgGdROSNwSO)e8B4Ec`5ShW?fCCL}?Tc~Q^3TKG@4RPf%@+$EQZN0&h4H+k ze@;77yS><|Y9gAzxmJ=dpOm>z?`n9t^3ipMFSt}qd`8^)dL0c>vWKJ`5VzFGe!*xe zyCA&&bR&#`1NnG^av3uQEJv;y)cD}TLo9%z<#e$$w4U)1`&ZHquzBP^&mj!Y4GN^G z_{6;rqA~M49WXV4%}vvelaRTuEMpE8=gI`aOB9uf#Qy+69POmI{sn@mr?ojF44kl;>^!<`Urs6sCiGa+>_UOJIxF`(|V=HkI z^mO|v*rV%}RQ0i3t>j793gkc+w8_%5X>#0XJ93-w8;u+CGkB5t{f6Rs{a*n{_#xg@ zXqE9wSEEXa5wABU+;bFe5F%IOlc?_zaPC%M!-9jJ_uohVdZB_VTULj+`=8+Xb+-O{ zZC7V)Am^tC0%hS;ZGsXX+6h3B8%5z#F29x6m9NJ#NwI{#n87NvYKv<}FL7=6ldxZ7 zmhYbdd=jO@r5`;@HdjbH1#3Qfn|H>g+W%!(V1v%%8--W*ME`^WZ$HuYbxR-MMxx0d zWsQ+Lq+pCE>?EX8``VGg@_sHy*6veQnVe>)zL^=FJB3U<)rvYyJjp>lqCe^dL{`N& zr7k?i&lx(l2#l5%_0#p=jDC>|yW=jn^OmLy!WmS5Xu-iRq4=l%`#XPv-?}EbWCu#r zOVP2nhxX1=7tZq!kbdJ<2mUQV7eTH0?#aGbwMp!7AIZ2XxE(cyf9Wf}e&`$F@PtpJR;Rw6+ddeC zCG_?LyqE4>*mx%ozZ0IQF^@I1-(;%NqJQqyRK2}eplb3X{fXY`Sct@k;RdLm$&Dc_ zUw%-N2ggj6)*-x;Ta1<9{eZU>yvKMYIFF5~qV?d1o)#X7xjp2aB4?FlRi|Ub-aQTO zV~zLXksApSL3h%R+ZdDv)Q+LTm`p-`90b?jSMf_m$Zb;&@>e~db;7)T>GjDa(w%I% zEBDa=@fO8Fl2tnT5V-dLPx@v4=XN#CyXFe%go+#CKc>D7nnx0dgQe_1w;@vGjp%@A z0qGAkcO%Lr=;cC9OG~56iD~~V-(>TeRveGErZa7PCEohLl0$wes=UlBHt2*d);zgk zqGNyJ0dhV3_43oNoRn-eBdAFwXqZJ+U>Jh5$KTZ3Y{VahVTNM(fZmm^M!k}hpeL=V zwa}6}=+S7vGc^b2o~J&r#c+9GP@dUZilZ>@d3b6VPD!dm38cS)*p!6Kss4WBvWN$g z#g>7i#~dM!V3k#(*%R`nVK<>Xb-MPPlA)x|r-pBS2l6n~7n}iQYnD{s4I!d2z-x|8 zs%(fRawWPwUj3sXx|K-Hgj1C_hGUmY-V(L)$TDE3R#L*C&>6i*!`3}26Euil&N)$X z$2Ip>f?Y;)hixubM$2rp8)|sk)%*Al6aR9y7V89+BF^$*t-$r;Wy;c~ma^rfbz#ij zYsw8GklSa6>07cQF-vxHRZaR6aBuZVVtPVMu?J1_Td!`{@irRIHGa#AdqsJvJ^ws(EM7-D+$)=XDIIb1-r`4jwSF|g*}!?%5S7M|jrU@?Dm@WO2c&vL zX;?@R+=j51K0$wl?zu))CyXA1t$+0$)NG;Tvyp4(r-`c*`XLMqJZRVcx<9To8(#$1 z^Y9)dk&l16@xt2(U|}I&7q+=QmZt_CT=SE;|H`ku-tLTbFv*BsV_uC*6Q-!@Kut4U zAQo%{|KD5o0|7t--6$nvESnls3VA~A<1FxGzID@hmk#WZ7o>sFD2G*KkMFC2NH;QV zMig0leI@GCONAEqZV9t 
zkdG>8OK9p(X;k%djU@^CC?!xHgqC`)eANI2v=+lg@JIqK4Wgnn8WB~{19aV{A?SE? zo}XNGSwCf?E?QhNFUX!)I!U8ja;PEq5N7_8|8t_7&{I&uQq#p|Ag$b(q8@Jvese@# zTYegyhk^Gwm30MtcPRuHtE&IPrmByjEfb+hbi75<+mPeeu@`{(W<#kk)78__R?MMzskdU4uAL~ zJbpSC+@g^$VBe@CW*nJ~+U%;F@tYCOrIng=6QJNsW%E-X?nsZgr>m^zk+LRIDwTrC zU}2a@N`ou33>w?Mig|aDaTr!1>ag?X7uL-N$t=V0lRsf~hu!1KI?a}FKY07WhDmB| zdT0tTBulyzZ_U>xa)D!zj%KF6bZOM2U8-vj-Ki!QoZlP%sDjDn8p3~)I@8?d5_>{Gqs!|}n~1Kp!{M(_zY+|0jspZj0&yN@$74?N@* z$v5{~s_Bl~?>85}htkSd$tqG`G&<$Z<&spJ^ie?=p9gho%C=B*#7OKJ^?7?Cr-aUyK$-0P>!r9WVW zqnW>iCJiXVttg1hm%^5nM`IKzTf0?3w?vKRZQ}c9j_Rs@a0jY@Ks~x_xQP!%eu+Wx zRKTQ=DzfNoUVnYFv)w@kv&jx{9kX@FSDaz4jiedT0x4m}Pw_)?*P76=yLki$cfOCp zy8~RKlQjOARowM1UM0chm0$FsbAjR48M;C73B`)e6(W#5x_sLZ*^fT-nf;U|r}WpT zQBBe z;!>mvt5(kQhtcKsvl__vsnET#E}gOR(;^!UkEUXtSL+Gq>oY0gN%rk`Jfc8TMiK!s z!L3SA?PwR!YR~lmF*4!%s(u_FX8(q*K@mero|yc2cH_glt6^3k>*??pydn<>GyhfS z!uKHnROe@en#1=8cLZvJ!X0H+!0ubFgsPqi#HPdF(jT`>Mi+ELUs?4Myp7V7PH&jV zkCzs|Rp4A~lxGL-L^UZm5lW8EGe%Nc!;?3-sb*RR5DUZ~miUY<}7zV#kn9W5)xUJ{;2Vp;0H=JIq>& zH~}Mlp60pqku^vF<`urD@>As)6{Z|beUZ1H=)3Or1+|%Sn!YxBx=*iWGkvzx@mC`z%O?k%4^y2a=fyFE1v z^o2u0oya1|m4rbUGsV}xX?zRYIrDy1eA|CehoeJTMl)EGSCcwLC$bM};K?gJj)VL@ zuK}|1X@4(5C-f<;D7l=SYxgGB9Vjw?J`r&+Dv7pjwJ~{T^v{#0SqUTXgYsxNxE3k@tNt1p3nbcS?^_>X2pLIc`I9>Tg&#bSd9~ zgIyvzwV+~*Gl?}u#wDx#eC+(7=6_Ugfl96#YXF{cna~F-ztq~8QRHdq4#hiFD=no55YT3uR}4L1BjWxjDudRdPzzGx?Miql*f1maT( z@{La^CssY(^V%t8;9#FaHHjLDs?rK>ggH{A`Qp%oTYMdG$df>M3Vv~#_InfL-*-yO z|BgBBvn;)U{M3x%rgnEQOZVOMboFOl4VJ)UtXhtIfV-JotRrai5teI1aacV;DT8jA zuFZ_SO2_8Ep9qCHQ}LTYf^bj7C5O`3DS$Hl#T+rk0s4~5HAZ0!F1=}01ZST$)D6`ljH z{|L25_s-q$#~{`Uy0zJL=7ob5^9xno4n(P26K{v6&cu!G0%aGFUM#*$LDR1U(KS3F zx9-myZrYGTV&b5Csu?z?7WMc8L#?2Sw3+MWM55q)Ue(Pj%YsW92Xth}y*cwjuLzvJ zhj3j&=DwB*#rGZWJ2+(R^=0(T8ea`+ja##WG;X1qES}z4&HL;>t*8I@XMiEIz<1z` zfT_l+e-a^7fjoir1Q0^bJN?OhbC6*KbmS@<|LA(8!=#c&#O3<^PljX;)uL=yq>d?w zOTnw$4HDr2AG78<91j<1L8~LQSHFjS6J1T_0k1D=*)Gr{FfNLW{B3@T$*B?O^R1ZB zB>E?kTNTJqFFiW7fxZ%yt=!t2dqcr#%7>>^$WFWN*matB_|mz-e7@<1sT8q_AA^>P 
zB+6@E7&n}LhVkL!X(?D>>;P47wlZZ)KiZ=!b~`4`v@?8a)US4Ey6a(Hv|#;?u6jx+ z4?Se;y2qR3=oVv4IBvZ`bcr$f{nSrF9DVrk{Zkt#;S&FE()M^;X_5JGEq$kS9)zQZQC|$6VuBMp=jo3{E8H8g!DqVNYeaI_=ZUaD7-kLJd^vkbRMWZra}*f`!8`3L688 z$6ccdi97_ZeL4{cj|W$5E^12k=K8o09y0_hPUGwGTpIfx8bjZf!Ibg5CZFS_Z;69o zA}tswEW+GB&bL`6{cbMbc$v{#1Mi)ZL%L@>uMQzX`#Cc-T`Fw}Sxr+eO;04Ar(qtX zB70KE#uTl2a2n;3tTyPHxLnR`02=r5vJpr1B63)5AX?)v>=G6$ z0C||V5O2uoS6`>}-zw$IhvZAX4$>NU>Kl}iD&D2$d#}dgO8ge1&DSlzfs+oT*tt7%+t}vAW?Q{( zw#7q?T&UjVVRd$l8lKk6NPJ9f%<&s!#i6|B4kDbipb)@hGNDzGXou^~d67}1v@CZ) z$Vg`EcFap(8*ded86nQqqVA5(??X~{y{(p%8TdgiW;gyxG;zlzC1Ru5*}B+uO*3Ry@Qw4q|fF)2A$zS>JziQ zq9%r2gwi~*Z%;a|893-&;tBWWY5ig5@k5Wm4CE@%09J;b`vEd&Gt$mw<~I%x)Gyxn zbEOA=OPi($Ab7#}Nb;1yn*5e80HZ9v#Hn?nmggk>&KW_YCEVMv_J_y3d>Yj&5{f3^ z2OcTJ{%x&Nlx^x^JHbJ7C(AqHM*{)$8?PD(iE(`&YjmkOKX|wCtHwLe8}9*3edrGc zlPi3u!K~*Az|K-VN^R;Jbvn8DI1a}|x6N(ourb{R)^tL=e3*b#aGo*I)`Y zUaeq6rv)_x@~R$uRzG-Y>f%fC@${Sfb?*UB!PCI0<5h5Pfz+Sw(DA-;-K!PL5F_Im z_t;8J6P64+M8n%c>jsk8m$-dfEe!jCB(xw0XgK9{LZ(ZM`Sa+7_BUSnYG19)wBt|B zTKY3IHS~{8IYC2YW%A>k6{&8iALI`1+N*5^t5R;*6m0$Q(69UnNg#U6>Fblj+I3%&h#p7d{0Z~l*eY@wd zb-$y$6+_s>yQgic#+)tuDf)YNN_T{Y>`DQB^Jt{BkU;V^+WiYEa>T|%Qd2mQ-=aH! 
zuo@WVo6n22d0WVW)szY9<)NvsfXI|#N=sL$ef(jmf(te16F&QR+4#Qw?fpV1i4-Pb zBTguE!SA_#Ga^5>OPH0sd7Ib2=}ClqR7mpb729wdV?@ zF@dF)%c?;o8ouI$INcCGRM(Af&J)B62>Wn%;p`3h@fH~&3)@GDn1d!PcY1{d#jcO+ zu??Pu+Z{6)Y#P}HL@We(D+_I3-CY2^RzrSb+t>qG9&glHa{-ET#^Jty!s3bODx4~I zySz70SEXZJD_mU%F#|M5mvVC*T4Xi5I5nPbf@#LK| zL`82T#?m%?rZ08Q#Q1=%RlRWgq~rd4FMN_c=WDV#JLAENjR@B=%gegDzZWJ8_mk;X zo8?jwDcT~N-^OUWNUWP4N#m955CVP^A8{$s&=URfeR(<=$OyVg2ZX5*bTxTZ8`>{U zEf>r9M!DI1UA3lX{Cz~?R~qOq2>iNJkv~TN`zc}wR69w8tsTHh>HIGo=B;U%6?nOM zP|zl*3^eTUK)vPNj4*Ha!NtKIzMx7yiPzT3Gn9sJoxJ);MKRI)<+X4-`t?`!&nj{* zhB83~sI0o_iHWL>h!1X4_DxgC@i?e4gvrc?oh;4Uo+nxfDHk!0_niOOQuKel`JonX;&~UTZCIP`8UuJBugxKp2Z`P3-BWa#t9Oq|NBO z$3OKxCj0rKj_!U#U-@{h(gdPix520^)bROuv5x+JO?~QVaCA{-^u_w=CU>SxsqBO{ z@OdE-R-}A2$|lR9^Fbl~{A%a+*s}zK)UV5guehseQjfxXh${`9r2>X$;m5d|w-~Rq z7#^0MthJZLkgiIN5|@n7>vO`qn%(_9lKQh;*c&K*BYPuCrGd`_gF0Um2C!IJ=d02| z{h?0vF$TW-tQ<~jTC6@dhcYuTpz4DE&}ycHbf$2CiWQcIl;^P5a#y$FhrI@hChV-9nv*h|4@{vx6}nAb8kI?u;=2vjQ`GxMvFr@HjWGA_&Vn~+XV456gRAq~;=u7jYIfP@RJ~XtU)Q?>;Am$s zxR{BAcM^o&al~yIHRrs#fJ7)>5(BGdDX=jO`p4@F_eZ;rfoA8iTk2q_5rVrpLI}t4 z^_V5Bmb!hz^!}ga^w2NSspZS6tgQK-Y45)jt^E@j^VBgC$GR$GhgT$Yg+7{9lOb4| zLwdWMt;#ei4fXGUd%vf7932d)Xxls&m?~kBIziXNZv6hlCS=kdvjg>5`_~wF>$UIm zDC5^8pCHdH-t_;6z4wfYa$DAgMMaQ|5+o-@q8P|IgA!G8XhZ}gOKfsZl2xKe1_238 z4owE7$(bfLO->C>rpbISXP>>#*>}6vUgsP4{ySqh81UMmYR;Nfb5_;!%t@86iq)ki z4{q?>TyPStb;jHg6ewL^R2;te4ey&h6r;~kK{h%}IQD<^YSB;g_hF9m*n4~C-hAzI8^h%aqANe7X^AQnGP;W#ZO`a^NHF={A+~z8V z&u0AkRYbr<$swU+R#8l<*~ihPm@c=Kk1yRNDuR#D_eh9Bt(FV2NY#T$L#NU3u@Zl0xsaGv-VqXpeYJy295Wx%}21+n!&^Q}2C_i3S(n{rtUziSZim62=;pv0V3 ze=&W5pf3b4Y7Rf&VAkCgs;s06dhKUS360mFx_L?=^M{o&^1}|mg`br*$o6WeFpvv0u;$2;I|EpCKXY5Lw1 zcr-;LupN+ji=0%F4cdnPBRiHvy{z$CCB?4`CNtL3C%?GOa$VD}G5E({x@}7dp_Y>a zu>BN)DDc*$*D|i2GthtzhbVUW^0etyX? 
zsQdcOnlbQr9pf!4#0;z_c~bKa=pw;0LvLpU2fVr)W6j7m8nxl z<_G5@`L-rCA3bhe0Kgf)817GW$9JyCm*8NPAPud%Y#gU-UX|+kIi%1$RE+s3-f+@@ zSsY{Vj=7|kn$1T*I~n97KS!MXYT5W1FZD2mEMfaztLg~%@O~ZA(2~rZQCS-sC(t~J z!EZqYiNkJZa5iq@VxS>5kDELSGzb@_lX$IwHg)&Y_3=MX=KE0Tm2Z9tAUj0NQud;8BD&$# zGwbY%hJ5Z7DbJqJd}3(PVJ@+n80wcGR=O@nxhUqv`>Ct$E$$&ny}i;t9+l8(br2H2T8T}CvNTqJCddU(T#q|iURAANad zTR#|2Y+9Tx^lUjYhf((pTH%$RA=&XZ-c)YA ziPL|Dh%s$UtR; zE!UqH#|gV$bfufrw)2uuKPZL#n)*SgIG5f0U1Ui3dCl{)psvI5FK za94|r3M>K7Bi4SNRGMlv0qgOHxv9d)yJt8#O&ev@@Xvn1wQF+;xDr1Vk|=@BgykAp z1D)jN#7^Ws0i?q5ji9h;(GWhfoO^(%U#R7osoqC7yiKvS+HhDvq;g zd-R(Ev!aJigFES$bS@Kln)XU-T3o*X7dwR>M)_;&0V!ybSrcs=@~qpswPwBd@`+R* za|ucM>NdWW(>KD!s3RG1x^dfY*1`zwTZH4EDbVBI3=g&H3F`*xCEVo1;l(9Eq6lxf z^B-*vlAnvDr7W6hDUGM18(V8`Pv1^KDn>jT!7rAM<9NA{)jNwHBHDs)VUSx_(!VvP zCM>!iLqoPle_my$omzHpSMFkPJ&NG&+EyYtTMO4@>;Vk@HdQlCQXoNySiRgzF^d*7$bLQ}bv%RHKP z&Sf?-tL=*x!EFfL>SYRz07bn>gme_g$0%yw#S0KJT~Sl1Xq$ z7x(i+@Qhoo=;=oJZA#-PyT|d(O;u~L0IR^AcGvf;N3#LeCN2{F(|pP+{of|)WAeQ_ z8iD?5_I`<`7U{15LM@9+J&UA7O?-kiMVLIXBu%J1=?ameKh#w2JzlaPhdpd-Mgniz zX=gP#@vcQ}B4j$wI#^&-HYxS>3%z6AjF)BrD&%+y>CN}WJVc`7sq5L!$@TKfIF6+x z@688PDd?j>^p!6gxFk&s;i_%qesvn(v{8a^h$2MafQge0td7Jhrqs zBL|J7!E}0I&N*1*137tp#pd~~v^1&txztnLHY@J}o#J>yFzNy+=e8QpgV9KbZtfr< zW^pb#pm+!S%EB2{V#3H4?X)vYsq*8pWYC=hqXB`yzi8i4l)GNsECMIm&?xkQ!f*R; zt*D8O@~cHZd_GoHW;k~f-j~S4v!ws|`7fdTc;WfV^vp2TP+}|UlCQt#;vh-Bn!T|t zQ$~PwiTX4 z5@CxinD$t`+{|qP>fA)@?J6XMu6bb`PvGCx-Ag#(Bqa1bvt6?=(Kw1Ok5Pg4r8t{= zy3xySq8_f`6#x_W4gqawXO_+Tsneb(Jrr5;x>;Z=6K+7!y!X>YvS(b zI8IDQvEghYWrTOg9of$U5|kVwnxb7@_&TWk>7j#=#HwiRJ8aLdkN-NCO%Xn1`#43x z9fr~g{#;1B*T+(_d%Cq0=d!t2VO9J|0sv?Z6@7?tw7i@6;dJw9FD=ae-SBrUSB8Fj z_MAax9eirr_6Je-YFlZajI0OKWKx7Lumtnk*)E(}oVi*|);f+H5#0aR+#S{(wkx`c z;e*raDoFaT9FK%zgYXwGPXj1O!(PO!{q3BWd1nBa(k9=^)XBvEn$pL)#II3;su=(T zB46j1Oqr^n9+St!Qx5{k3KkI2bHNbFEPL9Y+m8KlgnKL9*q0{>XZ-=h@wHkq7IRDR zB2&c1#1Q)8bZP$bECi3ww3t%Y_+K(HegV&cePJ#NV`qbGdHW5Jt?TvaLXvsvlX#R` z0ui0?c%jAZyVL6Bo+}x_*k;_;dvtI_`?g0sP+%t5UwJdR~j}TXJF%uAKE>UB77o 
zlGObhO-CKqzSaaJD@wpeDKB*Pp+l&|YtlIqhHKW|AMXOt%#SQly1th|9Sm=ue0p;I zcRSyIz@;UrnE!+LqmIB?kE-|w@QHV?KC#vOKSl*0Rk@mkt950`^7_9k@UOM2zdd23 z{~I02LdGw_964WwXR#C(@iJFkBNp=Mg=bd_)cb(g5kGm*!ujXQ3IB~^C55OVN!$h)n3Men`qEdzZD90_+rF&umGg`{cW!JtIBAXFz{FG0sXu4 z-yq5V+XoDN1PFYF@&&rR_47j24^LybugHM@;y=GwCV=WDb`4MKKd5g0t*C!{L6`WI zXy@YZ@c-f)u3pAyiVLV|3iT)d4Fc?s#Pusv1Bix9n}{c_|7D#3Mj)yyGj=rs}^9?!SHit6*UCUw!A)A^ji7$94*^L;demU5(iP->K?&tb!YNZdQW* z+rFGXdYCVHMO!t1UwGqBz2-k+!+-peeH)9uH-?q2)9g3#=$~KuUoVj4AOWn2WB)qp zf5HJ~Aq~i9G4#p$*8fDl>%eNvmgXrT`XjY}^E`$XFv0&-3YfnCovDAA$NwGkn`J36 z>jfo=fU8Few55QC(RF;W3I@y;wtbKTU^O zU&SVGSO>tPU}k=T`_9~4DTIiQ07k&l{MB_JmNcHLGcJT)k43W}{)^J1{6~g$@WavA zXt@V5NwrhBuUDoP#|&QU1C6mSN8DbII1rgZ5p^>1$8S=(4512FHJ7~=pnY|;o34i= z?!^R-)rBNcR(%1{XO|C)fRlE4~#LUo6@OY_rB4 z!YXVHxsxUm6hQ!8P%@um{(n-He2V3q9|(EckAm2J&P~-b%1iB_LG8wA!#S!lWioog zXYGeox=oL^Rrr_c-FkD}_C5pwMINp0ri)5`u9YiTGr)_Gbciz6$qGN-Udx?YL|%ee zfE@3_(oNH-Q?!Vls(4aUz9`%8K;-{z3&Hl(FZQLZ`kc&4A7AgI3)Yv|%*EHL3UOn@ zre%I9x|Rec*~VREd54-VsZpaf_76Vsas2+cH|XI=KvxQ-TG9m@G$f9d^&8K2|j z!1}0%$_atc$!e?gY99G>={MPBOro|E4vm_!dHU7weXxjW|X{ z<-fP_nhOecKou#-g@1N1R=2$Bw(cx1d09n9x(zy;4fwf&iRV6zeB&1Pa6Ed1JyAa? zi96!@izh0NWI38wqTOv~>easTvU6=W?zAsGeJh*F+}e}WTj-F<3go)3s%+*A#@J@F z&9@F+gDpq9Ixo(d)JU1AP#N(_t9(Ox@$bbSP+fjffOlPh5fuvW!obrn5U|@s#$vi0^N5OiM||Y8y4^;vzZ`cuY7?@uNByI+8>? 
zpW~&-GVcZ|r(@f*BUYCN_=-joy(Q4n!U1$q$r*dWn=YR?49blzZMSuIe^)tuH(5dJ zb~qu*c{?X3bbB?+YH7>Ih;FCmBR0NEcQq0n!xEMEriiyji*d%&vE0DJCcZN4s>Ek8 zlJ{9)<8vjwI~A+z-G06JH}Mbdc%i2e4wDvc@lGG6dj~RL`c}_MV$xxTvurVtM$4`& z>N~4gw4a>dy7(KO3tQiAHb3F`faytrLneE)~afL9`Ma zIrj4@*0J2Imyd6u8GCm=+d`PFmL{A74-3$B$>%Fe#Ex4&b0#M}s~comrF-%=Yua-U zZz|JeljsYiNxZfPmy`H`+)Y}eksqU;YPT~KqFH)N2@WDZG?o0iv5%^EtBd#mwJhcO z@l&MdbYJ%>i4IZkL>JXNH+7NA;rgS8T;&Ho$% z>fWq_R*=1(H`b?^ud#Ya{;pd(x-{w^!Q)?l$&mtfGdWU1*j;QY#;jjy@IE?ir9NO$ zu%*~2Y!^b_z$vc2PSmu`g1t>Uq$&78GGZwV8~*NmAcJt}d-99^#fuiMIxc5-i(aHo zD{l{~*f62XW6Lx_$apCuJ2bu3J7PzHUPz1Hb#^uO<%RpKpV3k&4E`MGC0pthpn0GH z*;%N5k?^Q#obC*tvWkSZGlrwMu+a2J59zyu*}5%<#ri#p;9i>^H`*m%7L^N(k5$sK zk%(qYu7+4y+2K8WI!Bw7vlj;JnlH72f7hz|_hZ6~Pm+3^%*v_tGBfU0ETDqQ!Jgb9VV|d+jKLPrW9GR?p+_>sI=X+m{y@>Lj2jP3x?IZ85z3cx_@& z(PI2D&t|4vt$a+`#5esW{jP-mm=|$R7ptb$gHtSu+)(5eGp;6Iu9y^2ni-<5@L+1-E*JRMZm@lxeW5TY{@?J*s}QqtV&kgfV%D0_3y;dc+*t08Vm=? zg7$TV2DM{VS*G1Tb`PiYBi7b8KYuAVqIX}_5!(6bU*30>qR&#WqtFSIOqmmQ%6kMr zGv1A(U-!~z<9djnyf2`Gpp|bjdz~4;7q`s#CwVu zJgnselv)PwrFm72!X1xy>xDiHJ&%j5J*Rd!UgCQofbpf<(yvBiTxu7loq@JuGKs$M zkUO^x>NgdpE>Dp*@CsiT3uh`C??{OCKUfR zg^u%JU6c1avK!y!Q-DHD_%FBwf55Kd2!wapj!W+5$OPggU4@nK%#-v@FiZ;w)0>H& zK%v469ZJWu^35@EA8q(>ep*U=HJVtWCmzT_ulG8C8@`xA!b?z!qd%zT0feM_sGF$M zs=V95sLD*=i4spQ&E??DX{2X)Tc4d5#K<6l`p~eF^MT=|Q;Ur71 zC;`3ES5Q#<4y|ssg}ND#G_|q;X0M0Z{_UqCt^2!;VWV2Kr7Yck_CioY@0itFT(1ZPphi>Az@GqEIUa?^@=V07Apjd!6=`KDvA_b8^J zH_Bc+zxb&H9_ddXtoh^rpurCL>d^B9+vPeL6pPwbXhUA8BU$8 zevz#Y9-cvscXu74FCbCuKY>zft>&GdV%`h~tDka3Ly-!OD^(;tH1)~uhX%HV8P=aO zb$a}+-M%GhSBr0J=IfC>NE3%gI3ozJN~oywz?aA zboxhLq&DL7d6C2t)0Q(0`t^L+up2-hNNfVb?oYdvt;Q)Pw#yyZSc?+64w5S7k7sft zUcRI_Unw@^`$F8GE!r+-zgP{~dm>dINjDVQsg!hriQ7_yxl2Wkn3w#C*GX)pIx)|{R+V20<=a-0az-w;oPkX^8f{5ANP^GUip{zyE&-O*3>Fl zp0-cG8N8e_HFebGZ7(CKM?3bBPy2am+gmE#4;Puz?@glRv>>4dBgA`68I0GGsNi_0eWekn5?|xJQ|QC3H#=(^<6yJ@JS<+B&f~>LMpv1zY{QR5!X{bo%P_>tlA2x7@UQCh}ja?F4=Y`PTZ)E5V|a3?L;Q zDKy2*tw6b?hq|(bP0SiUJRGO+*E2KT@-A~*#=tP2i#@z7#j1&eLv%*X?tD05(PKj~ 
zXED@dWxV7#q7K}0!Vs;l9n}7jjrnXZ%_`#hYx=g%FUgY!TBt7_e1jOxiYoDg5qmgZ z>&bz9CjIO{Q+Gm|8M!nsgP{+jIvQ@1RKKU1dfi__XvoYo#jI9AkNA^W=Vt>e6|Arz zDRk$<=r6#w#XR5+73^c7X@}?__-5>ou#*ni4kjXME1e(v*k-z>A9rXkYSWjwd9m}M z{;zV0OSjsWKPPR!)MG#<$88LjZk={bUO5ER6--QWHw(!zGj&~T5rvptdpm=f^|aMQ z8R+H|aU!Pm#i=*kbGjgk3GAUR=%nCdg;l(b)cpa$3%QfsXK z*yO^CmQETB_)}}A_EQh5nX=V47T3QdTZh|NtTy|t#_3h{SZhAB-x2U~SJheMvpNi3 zho>wBfj4RddA&VdIyMN1#m@JI`xz{DHlT9hE+IkM5OJ3M!>ME$GXb;J&q@?QK^Div z67{V63(-OuIP^M8L0M;nG>1^#khsWg@Jwg-*oNf(5TA{(K!v$lM0?1RUPTDN$r=cB zx|0h7$ZMGzwW?>WKL-GyZOP_UhkC~O>D~+1onM3?{gplhxy}Ya47W4Swg4OxLcS|c zkOI^S+!+9P!gcNniN5Ll`1F)`?d3)G^C=l4uS)Jh;z1nLn8?Q)R zxp(RSS?^|aFZbeHJEX^UGG=0e3VLy3$~1yy|5)Aw10sc@p{Aho<|T-aAvtufFD~P% zmAO~W$IyQg;uZ3^!mwL5b<(>$d8Vp?&6JqFer6#!`CXs$2=M{|ZJLK|gSOF87Tx;1 zX~B-tyx!-%u@sqS=4dXBbBkdIQT_&ZQ#VI_7S^Y?cq4tR*JvMKpHdGY!f)7}1Sm83 zk)P;Mc~RU3TXlAEn>>Y>dsEwOlUOT#lq!y+noZ*eSdMLUx%cpk+k_Y3*jwZ#77yOV zGHy_(AB!E$LTt-ob_YHfJZXAN972R3p%7S=8a62!cIIVEMdgZy?}^(Z<7V&lpT0m* zk7yO1U!IJ89oVd1Ir!M#@(fPRqDW+eOvPjlcuw;-?RLp0!woMX^}7iJ2r#6=XH~!2 z2XR1R9WnoATu|zg3Pt6T;V?o=;)fL2N+Gor5bnEGkolUpucFr(BWp%%+c?&Bd!>)0H-hDZ#9%=l@E}Oe6 zajMj$2}2|+;#8=b0&VN#iJ&Z`Y4;Cwo`l#YpYIJ`f?7PEQV>gL$=mEs2JElm2xcWx zK$qf|GF&#FHhee({j34P?b4xFlL1*rM9^2$HU}W(zj((x?6ZwhXsq%uSut;dE;sG zK2cx_d{k#$3Y*yUslFVLfHXBeFR#>&z-Ehj&%ny8VGlE(s!EdgV=*fGWaQ6zb1#}s z)*f43U0K~+Ind((ASx?}Nk7Pn#%q0PSKVNnRD5|w)F5zqPp-D<0{YMzBzY`HPR)E< z!K9MmIFtK*vd}J8bgCn^2+5-#>bRtL*r$+2onKM2cvwj&11Y+jXlT^^E_m;=B+LUo zAA}IESx@``)Y(I(Kx^|hw{BTojQ_3q6T_G7z9LoWf;X3Foz<_c0!^Qdb$H6^W-SIX zm&Qd$b0OQ6*WKRqK8Yu=c0qeeQ8zJDx98(QGYE{MxCSl9OCx!YJl6A_jbC8pWpV5s zA=xhutl@>NU34HOEP<~xr@}^HV#28ePk^Q4#D?xWO^Uw z^+G}Z&t|ZT9Z$y$iFeR0af)YK*o%IpffCMgRIpO`(`xUXMwV@TtS;L(SClRF&Wfmy z!l)yyCLQfUQ%Iv;`u+3;>M@|M56UB`o`Ez_T&PBBP;@mzKZ<6MEI?6d36JKi^@-2)J29D<+u^u;R&ave#3wAe6O*1Ak_5)#oYu{-qeq7E zIuzbgXj9 z;WgFgKJ?H6jqacU^*GCBlc}l?EnmNbv02cr;HmkOI$GvYxxMyLa+g|Bgkb69Ry!ed zZ2!XTi{gYW;s3(4H;zZD)IR=4riCMVrNjB##S%5){{_`8p99=wfpzfMDeK 
z!d!*nek=y|t6U^)US**_H*brxi1UO)PyZa1-sA~b!v*#7Vf1(K=@{L^;yXI`u?2fs zQVXKSWXH-f>sh8Rl;sf_^>ZADzAUj~&farjA1YO`=+RqWgYfYKPfB$xBux6=5Xm{p zQ8|{p4?M~0`?Q?Xq)aFAseQF8&O?;qldBay+f?O`#o`q7(XjCSR+-^HziPlVMe+p) zbF;?No>qkuNA9~d44w$$mO(E3*@Z^5r*lxUt-FBH<~spVMMX58G_MgZ@4*dTaRUW^Or z-O|3dcu1`LOu>PpS=L9Eqb*GAxxU0E)3FR) zWWN0tv9lbdt*uB52afC<6)dCN-MtF1BATdEolWq92_;8VS~HRJ2dSw6vyops2Flsi z)wZ@q2|o=KJe+2r&Z@CR-4Apz4}^RSi-pw?oU!=^N?4yJV>|8*lrA~A>^Y+rqa0Nz zw@7d9L{z39z{qczT$otbInp>HG+#Nw@{^5XJ_k+prF*C_e2kO;&|j{@HEv`pUOCRc z45Hy$o7IX3!=C=Fe9B|$)o9yG=z{Frra^5hKfP08O_FhmjFdUa z%Eh>@RT2|mR~X&%HRM!ETrq~w4?9rBd&T?xVe*XJG^11?DwhG0Wys`duQGOuQlDP= zO!hX@b`s}3V3X-3SdM*1Z4G)#k~Q6+shqVeU0lg&M&tM?iQ?PfUVVt3e9U8|g(Ha6 zQms9&s2TFq)Pb$hSc3prg3Q7%WPDO3TC!0L=CS-w}X#Cnd26l%Q; zpF`$U;BQIM#)Ef+%G9yf?J;4O;8z*fOjIuqdz0gmd zP%{9iZV#A65_(kZDSHPV!8{ZuI~U5OqpogRD-{5*oA^~9vP(Ca;oJ_i8UJF^$#y8x zteu{&`Gj`v@jA0lCC`*4Q_hTJ;8kp6iQB}0VM%qWH5YgsAbRSwKfOu@xQ~WCH#D6g zDXS%NzeO8NEC2L#YdK#Ut6H>|axEZGo;oUeP>SIzf_R-H^aD8WMB*)u7-l1h{P5FE zk)!>Vl3wVVM7T(vS24p)TyLflyz2l!=;wNqB8=8|ZoJe@gxb(pjjKuzl%4g=2~$7S zsEGOTZZ0a9@fStWmpY|kIxyPR@tlt?mPW%D1qagYk<`CH2v4W!V7bS{rIW_0qr;7BS_d8b@!7`iraKjV0=UKafbDW$QOXPFyj2q`i zaQ&cY74~&t{gOM;60I*rkf($94VI&W*&d_ya*nOU=I4HF;i`!ETokL16*mRmKKMi&i=9~t-@oji@oMgU zIeN+
    wy{9jtT>rb3G`m3fU^P|?liyZgC8si0)k zuAgVB0~(spT7?HM;n8H{(QR^c?>!aXc>S~;3w^XiVS@_60u;MkC0@o1byq}SZ(Q`d1xy!HD`XdJGZ)}Gs|p9Q-7Fd!e3)N zA{Q6ym&(u3UC1<7H?pVW_N*00SfCwJ0xyz*sj@YY4U2>o9vpHp%k74Nvmd@GKEEZ( z5|e{gJ~OW6SK}SA9J8K`AqUXEJ;u22^a_Hq|E@(yg0pt5x2mj-7WlyjpXxCTA@p17F=;x$S&4F2Q4g_e>(EogVC>; z=+ZO_sqick-ZQ?HKKt|T+k8w5Ba}TI78(t7oUk`5VI%x2xzV#JisC`^ieFr&4>8-? zawWSDk6JGjlZt8`fzW8=rw*CzDN_`Jj>vi3#um18*#1-|2c=0XcLJw0# z4$O|t`!u>oZ*7sxgeiZ*)W;wWh@cAd#Kgcn6Lmkl$}Zu^;{|_vsF%$kajOYKDYGfv z6`iOnx8=zeYfBu~MO*@J(4s-e4fAJQfeab9?(p1s7=m|4DUh}=IVPBEg_Odmils{f-sTU==g;u;dVT176UFN>{2w^S~OwepjS zrBnI#1Gj58j_zG^v-~uT%CRuQX!m`b;{7{$xp)>Lw9Kn_G-T_j7#}Z8j7`PbOzm17 zpGRzI4`TD;NG4BO&DXRK`Ck?E(*AVQz$s&+_XR5YzEq`z?qTd?Pb+V`D(t=I_^xQ; zt~9~pXO2?NB5pdTp6d$+MjiGl>wQ^0rf%LJ=;huY4p`;dMAyiz)~ss%madJ3e%& z$9=M{E93Fwjwf?pE>4a4Q*4X{N7SlhUX_tk$qDkruDx4F$4I;w^l&}zUz%{#N=sgv zSdUvS4zX;B=BaN$WjdyNBH@SSppK1R)|>AYe6stUQ8e~lO7duS_tQtUl-8(e+fTmA zZ=94b{BW$S9Z_H3*SI+E;9m}5sWF@A_B_@}SFs!NA%3CSBzk6v5rSlk8cg> zbX7!~bX>Zd#Oqz1*Tz~#6MxOI4{joYLc>`w#W&;SNwMUrg*c9dSZu7_6%InDuXi+1 z&LUUfX5M^qWm{G%e#P;jj-?fVHm8tZ%k9nN{d1@8sd<86?_0>CR(cJZWE;DteD^z! 
z4SM4JdW44AI{D@Tf2_29m+YwHUGiVSJnp5m+hksPH8o(le-RevyMr`ycY^=8A$p=d z`yR(g)h(B((0cI{EU~|gCUp6p3;{7!HQXyB?&pZcf)UjmAT5sl5YiaE%)woZ7f2F< zO#cNi5z`Wp6nV}$5lp|mM=*nr2G@QbNG1cAotGS3$#oZ7rz&iQ+13d1<4?NQ=#jpd zCP{_MM^z%%FZc>(+#}01F2Ft;nhPP5Y9e<_0eAC~z9au!HlDICTSLpi=2o{uhM8k0 z?yyqKvn_=bISCWB9bWXR$DGcg{U23iw8(~)&HF#zs-PB-3DT>yUz6``B+c*flH6Ka z&1%A>J_(PIAZM}DG`WGl(GQlKwRhQ}Vnol7N<-WrN@bk4=(bIzkkY$44x~8K zcZuDtNcbz<=J{6r=T_ql#in<9?^}`Co%Q|rR+03@sz#^>?z|`yf3BM)6+q`S?D^0{ zh<|OQbpEwW`1SAWBh`}Xvf7jz;ig-09$I%D{l|qaj0qm#(cN(3ijWlM+Lr#l8p6~& zq7L6zt5=woQaik|K>c^7N6{0qG!34TUAO)iocA1n;rL@n!!VM@!|6cvhbDF364`@F zyH1yc2wg|pva(hX6r!+Q^~ceuU@S@Z9$-pdQ-EK&A?$r_(PW8#QR~ceQy9NeV(lI0 z<7HX=<`H-!PD4#L$IEr$4FnSoyLN^+Sk zdv_CASYczd!@>9IaKXVT%5q{CpL9eHzk3lY?&yo~ish zgq8haX^;F=l?ye6FN((4b@Z3xKJ_L(hRgYpv3bmi^KbWGJNs!RoE zaGVi5S@lT3b4+`8B^g(Mvpw%_>3r->JzE)3&#lU-XdG+7rmh<}#@LAA%fdNlmY&!e zVaZkxujQG))Tj|UJC)li3~te-NeSPouMe3%;oNcD%76ZkWTma zBgG4ilyzI=F4PZ@pzkFO|m|#-o|K5@*~B` z`Z?WRLYh(1!EW?T8|_ND#Rd^xUHoQ|0#1!(J7(f|%b0g5NgY9q%!Z)Qf>W>1Y8AfG zZS6{$B5W}F-i+-9&78#48=>hh*RnRAS{W_HrIa{!4ceLc>08G?Nlf6WAFG0MFF(v5 zBFH<8rr98O8TIMQ(7qY3=O>`vqgUVagWf1&rjv4sgz6xvKl%X`W#>h$j=H>dBBkST zTAz_)4d(JD!V?EVN?p60C*nS}-taz$>f}_D9}b7c6D^Lq-{j~@m&*g*c)r#~c(jG2 z`_W`9$;u16ve2>Y_;o##gI)N=T}9Cypz8gaUT`}ifx)s!Pl#lf0&qv zP+-vw4GL9z1a7$~3!jE+Ev16?)k8UD*Z;PC2R872O0pPH{`l301YFVt2$TjTi%(18 zIbUg}-VO!r$8Y?t7EmZ^0X2|jZgsr;c^>Mk>-h1)_&!hlXdA$TGW zEp(4=lCyYtC>rZ3VuvJ<^R6uo!QY7ID&nqE`Y1}O$NBNn@vu!9A#~^Tq?`KyFhi>n zv@@UZR3!snKDq_o+yCXY-@K+Qc+DVG369H0bf`d2>}P@1ZGNx~?_?3UqU}W+fdd9I zA_bxMFx9iCdsLbEZ@YulM(1Nr?h+-J(2sN}agSS1TB1Ex%tiyRARJRY@uBOzQs-eN zy7AzzLw))0eK)aOl-&diE`O%50ZT~xSV7JVcy=a`-n?mRAIsl9ndu(rw6xf}>zBXU z$x-MdDA?ssnPP%|7qMS878;4iTDn|`{;FmaOkmhlUvB-BPLTo-#}BCo2;f%fS~oz4 zSZhP2|9*|jhCB>LQUA+d6@`)PxVPs6Cl%U0Cgy%L$x*a`?(qh3bl;qMsHdvojU6@d z-*z9X%@I7*u0Ftw{BpwJQAFhW&~xgiGR}Dm>w&qgd)3?!$PfhaFOXCAVL7n<6WhY| zLKg1dNHPx#3^{X+k2J*}Ge@x=5p*rf?Es;J;?2BQgFM`m2cIKmy`7 zoc?m_|LfAH4j;T#VQpH=Pk{@7HquKiYJacTKi{DM70V^cLRi}U@?P%|K_jNCiB$jB 
zt$%jn*LObV6hJAsmuWt}{^K3QDxjNK35$FF`j5XfxYXZ|V4`K2k2B(3UYfIlo0M;g zFopkyDtsn3$Z-VsF;Q1@3rA) zqg{C*@wzoTqL9mX8UfRbv6hnmQbjJM^&cIrh6KU3Pi1vEZPKG4x6bf+(EZ=&!XNS} zQ3X$8*|`1j(iDpEfO#F&ReyitAEnm;Dcf!yBkHB}-auB%q$cXsKlaZEGV!t=IzQjZ z3ryIkGyr+^_jCQS(?0LT7Ps zFs?$=?zde~%@Zrf6k>c_u33ZOR{kuOs+!$nUa~J+ZmvzKf$9&LMu zOTkh^LpMsivu44+(op%ChwR(Ow>mE4S7#1)hY7jOB3ZObxxbpj3me$aFwMxlOnxqD z9zbR^Q*Lj5Tt4eJgSdmhPvFv5C~4tppa?q}jN4sa35Uy^b2~e_aQo0xN+dd0*eJBg z@v_Dh!X_F0kjrDE<;}4d`5jkzz*b_u-MDRNmh;xhjP2$0{ELY?1LMxGiT=B-qE2zd)~0hwDvuMc`^p)&`63BsspJSW9Z&j5b*+x8u7-hb z%*TLfz(0_}h5T!t{MFb)3cyefbu30J1Cc=8aJqd!gFPxIO)t8b2OM0xXI-0L-~ZKz z4-NeefNdDbC`~@{p(l#4JDTCtod!&-L9ULvAIjE}uZ+_=fC5vp z(8YQcd)LiDgZ~1K|D$}=>)lPEUgY|{ZaPMWVK!m+!FaDTB8@Q~Wm}+I6a>(E*{qi> z_j`Q>-EBwu=sDfKr0vvMe($-sk+p);2YOE;T6TXGy#?**K;+mEq5(DY{^8`k+`@u* z`)deQOZ$o$M#la+=`Nv6ia@SQMWEd{;&v3M>VPL_u;jo8VzXo(U^EaKaSi`R_CDug+nh^d%;OMiz(-k@dt zmBFDj1C6jxiirE;iq`2u{FtASB~M2Hxpkc5np3SoioiguMWGd|=P8fuEkaSRXcoOX zl`y^xpVPw@V&ZuPZ!KD_cgPJS?v~Wm=O;XU@8mXOEH)Zr7{|bIGWAaQu|(;2Q^5E= zBpxQ(P)y=HZV5`~wWX&6W5;Tp&nWneZ0e1B*kTk!Mws%o2BN+z*wB4{XB8blrbX#i z=eRbS;X37Eug$;z?L^(9Bd0>r6I2MZZjP@G)cU5U4%&5b=R=dHAa$Zdc2T@GN|a3~8cFFB3k6u%XY{e_H~n3fEl?`-hLU{5C1N6G{#*-82zoi|wLaD7m_kIc>(lUA0`JY}V& z&4$*kKm0Ll-&9fN1i3T;O|wCl&T^dgg0CtvM63S(!~BtzU3g~)>1GxFzTprup2(b( z5;zp{hQBnP#O~4VS1OR2Nx8Lfek%Cx>)=kOK3gn~yy<$}`wvP6Hs?6>)^X=&OEuSe z#V~JP>5V1|*%`Oj&C;vS2zIPaDeX?8x2Y@c)y?%GBYK>neXl8ug3q{SY{N6(#d>F}hs|%iQr?7Ow_C8DU zOlxy^?cR%yqD}OL(ym&=wvr9Do~`a-mgK{#@4JSTAJK)X&we=BjahAE8+B%!0If*B zfxep{QeVksIxP{0t0uhBBYbZxOu#%&JC&Yj`Kb@RfZyxxvc871$?02N+nM1Nh)pc^ zI+JN$qbesqSW6B}1QR(HBAzg&BQq|*ju#&uH(>@DQ%Gr8?^lt#>`uC)w71jqN_99N ztm@v|?v&+q5A@!s-Lj5Skw5Os_WUuz*2Ez!ah37B*{cZ6hrR*r6k0G!z$)EN=JAg% z96$VV9ZO1Cy5af6eQB(HSxhkE)8>3IRwkVv(dqoUF0mcr_e7Q;- z%LrpI!B#|jbY;i4x6BjVUPZ6SiUhK6emUCh+~~_}MRU$4cX>9{%-S@EjUw8I6u9hK zE22dXR&KF`ky7_s+LtV%XR5&>p2pQifpCknwOItyeJ%9H9RG0dj-V7(!iZt%O)fJX6`d!6-H$Ww(RmUNIo)F< zaZr5R4>@&0;Tk ziY4BCOLz0*EQ%U%gU)SpOFg@j)EHnV100}mw4PM@I7H9pDuwezc^W9z^I}}#wI0X$ 
z8pol6&oWGj?=m|?uR;-$#->}{JBKf3_X#z0e!|)P(b-8mXRT>^cdQ0m)Gg{k8rCWM zR#F+i=@h)Cb(T=WPcQwlop!&lKCR8GM@)T5vkuKCMzFGFMLho}IbgNP_`Cs9)`P=~ z=yvBjNUbZP-lA|tU^rTIAn9A%lIHm^y2<(}^B`TNBQnkC+~4 zBy|(9;(Xwr^dSjbj+D?pE_uh$cK>?_;dfngr0CS6t0d$e-|joaMJ@wHsF)trlnUq( zuJi|PtLMrqf5hh&TBkVFd+l`oxTat^80j!HQXY3H2$u{; za^afXel&#OjO2k4*pFAl_?U3@o1P6h`2s6=uK2)dRF=(&;iWz z%*$<}(dXuTtVWQrz;UZ+P3McNU7s{X;d?-z7oR!?kyXOyI(~#txLF8-627oFp%we% z-ITt!pShe_lDuo|Shs0XB8~B#!Fhz*Y;iSEjtfJdU1Xx!@xH z2q7I4<|&f+UIN9c$1GqO7C98L`bUlaaYOZ@Fg z)2$U>G9JreR!MT<&MsNyD6mQ}F8qoUwm+vBeoL>AIyj8)WVF8W+GrXjaX5tDt=sta z%3ywhY}%wC&$qeyL!R~vcuzcA?rfa)Xk)Ze=3s{e0bW(f;@1^cq8Hc`aIpjjPptY^ zP*O-t1d1uc>*bUGF{V`Y8NV)+SV~!Lgy%Bf?w73QG9Ac6;PWgoPlA%sE52$fLC zGWI2FvhT7Dm26qY*tbEpv5jnlnc;ipQulp*uCBYs@AseSF}>%!&v~75Ud!|Oe2LoP z%y>>7bm~-d0*vaiitlI=CW7(`{wy+dMbY1!Eud}|f^5?B&rIs7vdlQ zZAtH&L`p9`m~ML>_xMwsSjXgYi*XY*GaQa=K`tCzMC0b^-6o+5ue&iN&(+$?q^u=Ex)vCRE$NRP~CNfhX70$N8-Di)Dc-z#88Z%*7j^pqmr%1!&i);D>jqmZ1p2Xlzr333!Yb~CW8Yl~ ziJs4zTk3567Zm@pu>cTJjcM}b)&ku&-=ub}$@1?(VSpx`VUkXby5h$a0WgPx@-lAA z4=&9l`92sbcd*mmcrDQuQsFGfGb1BZ9J3%~Sa?1vV$t&Wdx=MVVleO(DI4XctV*CN zz-6$-V_5pgQ0&U^701Rie&O;gxv!2ziQV-9TrU+M>LwH{zpUy{bz$DL>-C!9;y{Vb zBeqGm{A`QuX~+%;+^WP4UKY>n9H%JHiaSoI5^DI{-I1=Q16s_A8%d`<<_nhRz(J$3 zHr!iTUNsl9u$flWg;nd{uABzsu;ZSznsN)0Fig5esje>Mw==Dgg_1-r%zhk6S_(^^ zG!e*ZH-)69z~7r)@bdSdTolnV0Z4cM(&=JMO!G1Q;!uh9M;r%hp4cqy+fO#UuDDZ` zaoQ99d1i8vSk#{TwnbFbNT=b*X;+hTY!c~}fYg!oU}UR>IR)pb;mv+@#{pT3+k&cTQ1yE1QBa*}+EV-jcVRq*3+FrO(3R z?(kl7)^JuAS=*2I8*(Fy+D%70gHHELZ7}DKagPOcUm9T5(AGZmE!1h@EC>fR?z#`7 zCtVT5!5~L`bqgg*Nc&bB8XhG|IcE|WCag!BbhQ+?fpn9juN#?2h-47061%S@YF1-{ z*laOt1}JWm(Jz3m8Fj(4CSFKL2wum-z$!#lP~sJ0d=_$)Y8Xrb&NJ=Nlgk z**2JJPZR~ru>v^~xS?t4iXu1EmJvIE4H?d%;J#0ytR$kp$Vxqs)niBIcJ4U1_^t+B znmXai2@})B)_6LVWJZkS0(O}p;MN#?AT}*t&4F92sT($TCHVkJ2Zg3`GZaD`L3)yT zCrhvM$0OoB^6F>KZLy6V`}+Yv#QBHistwcETQ(}<9doyl zi5+QeHbl7h?_RSCB~9Tk{qWPQu(%Z_=&vkYoyP2qot`%W=kd+W@VOp^<+a|*^KVtl z&sI8T9Vaz>2oUxp*zMmIu<@H8h@ekz&pWd)(7k^)(A~ptLC@WyPzmLn0EYcM5)eHzMECUq1Uu(3SYi_LDIr&5VKj@wb 
z*wjktyvW}8AfY|ucnmNYwLS#X9ypEI7)u861J^s>dW~3VMoeFAB1ic`>EHy|FCV|f z%CysDQMxpYjV89uyz|sO7TaU!Yk5*ql_@(Xpkl*fpw>eXzy?M?wyl~=$Q*hyjy-HK zSY}lqNeCMbH1chBXGWIZ^yFm+&2knwI!kLPk`C1+?rYYr_7NHdPjgMn?BcVbm3kGf z_=M1RYhknrui52F`y>+P=b&*q+8n13r-G~$)7w(b^i17d1J1O}0EC6JdHsx^atO#+$#b+2s&hYt!>+}4)1 zb-_pQXmiC5+zPD#m6;y_6;Ov=w~WPO#bGZW5eD@~S2igTZ>8WrU#qw$J>%AMFV zcPu-a9nuj+yjKh=d50Q>LR!3e0fpJL{QPUC`PUo@vIZjyB!iF-Cmz4aQ9Z`K8mYMX zopXmz2FSAbTi^3m1VReAPHpL^fwuLUk}dG!NhFin)k~l+Jo5lyAg)pI8H_ce!90$q%|+H`4+Fi1Minj#vjOd2_gYsHZm{ra-$}O+j;swUJdlnWp&e6q zg7jCv|ES-i*(? zKd=rG;toeZqQr!&ms%?qwe60!a9K^X(+3%-hvrw|*Mi2G5D36jTn4&7ubB97>3dH# zaC%jl0M;CZ*zKAv31JmA6#`A4KFkOS%aUt)@JYT*jxE<$@mNS&%?@De4t+bT7tEs( z(+Eh3f>`1RK_{S>n_qErf(6$7A;PJ{ri5{>H_x?YZhoZN7?X1?Ok_k-2DdZg#QZk4_mw9{B39d2z2TOyUsN2d1ZU%X{Z~ za-7sRW|rkB$_rgt`l4w;K!hW_*USt0_06g2P8%Q1c-bb<-`i7v8b}sA?|o>7(_!I6 zY~0l`vh@O&!e@BJm!R}byw{E(<-(Uk04c-(k&+_kIlW8s`JZ(x)uOwK zRx2bi;PT_8reg}PaGrbVHW;)XF~VYGU#*97o#{A3A3zR@1G$3EY(ok4n03se!kSUO zx%Z>N(pF)XwO}vOIr?ndX{28#aUCcbyk?w1uL2?EgFg0HXU`-W965!0prZH|a3`Ss z1C|S-3o=lVrm|(h3_|$Gxh*>YTSRaP8lA`av+dTvw*#TZvr*7ojVL=a zImDAq_2${`EGTl;tBE^O_47-{&jf>t+OSZ?b9&Q-;V`$E z=_)^?|BysdRwd&UTHOQf?kfjRz-3f2KFjFHnN zUP}yw$Br~?*^&F(5mQJ)C*lc^kr`e|Z4a-eCY$ev2Hfv_(=CuE{b^- zI)&0*b+7i5GFQn%yVk^9#nLsLc6v>k;Dz{ma&92O9Gmevm2C}J-PvCJF_?p@Tywn+ z7Yrtr$zu)CTR+(U;e7Ai=XjfIBe?Mq{luHvxJxhmEAghthl4IRE>Enadg(*&gha`^ z*^C%;Xzx4pq5b)l|7Zau2~pMU2pt%CC(9adJP3NOObi_RR{NHoO7KYCo>F42t>;Rs zjPA)(2h(3p`|j-xUs0~TdiF#dBPJ?#hfU~K7(LZ3o!nNq5(Wb9HrNUy?dTDpcF9;o zkNl#xPgw+pv61stCW}=s?(;q>;(18^Ej<#UTCu*fjo%5aAugcF=1Y*n2ZKJ6aw}#9 zBG-YMlM7bHek6|G$F|cH3wE390w9E##5^=M;i(HY50SLxF!BSAT3;wFiimHEa%l`X zb9cZh!7aTHwsv*_^^myWacEyyhes{8*i3ww1@x1dOD4MDVQk7u8cQhKfv-L1PULIs zQ&v=qw299Sa!8Dc>^7dWaide_zl-9rIPrA9rS)Ss+P#PTDV^u!*$+Oj5)!1JqQ@-S z@SZSdT3B^ENcFjMihZA2y`_H4R`}#5T6TNE-b>xM-8@90Gy%tCZPu_B&5l{_;;+E1 zJRm=WE$9-zwc#>$7CWB$>?u+?6!o@rC?!}?R{l7FLkK6K!(nl45S2GQ;I-)UEFoXP z@+i5B$X8+EZuLRALIdkR#VLFpWwT?DShd=zo@=+&#^l3<>5-rhzsWDMB~rRC(JOZ+ 
z@%@ae`>MnuB7ZJ9k=re=uVmXp5#w=_(I>iLUYvm25!vt4euJbartX=C!+Q*pWTPwN zG3_6=hrgE%qU>{mEULX)i18L{<1D{hmKhh}+G|Ht`@=K4$=W+2=DxajOy4@@KBGzK zQ|cMpPscXAz+=+a_n=F@bNoH-xm zeGa!Z3cBefT@{N}J{vW57M7&r%jDC~{b|*RnSGSO@}}y;5Wns#zG|da+R6DU#0ZeY z@Hc-+t&cU=i%Kb^1E6?+psP@B~=4g4iIj#MQTZ%PDyWIxoV)PXv2 zKy$}vjo$K*L#dId!ZdSZe}TQ{oU#AmbJxy;DUaKrGk{ zpPv-PzVd?|Xe){ImOf0Crn5~th5;a*X2hdGG*%>1;g8I3yVYZ|*9wJhZwJxG!RKz(Pltl;~3U`p? zQc4^%FFi$IS|XaXCb!3qRBjg~jcgr!Z?US7+It=A%k6osc-%r*BJ&3pnEwUG_L3UT z1rBuS_HrcZ=8RMIY)Ck$yG;e|We)yhll5_22TxS}8B&<4Ho;|#5wJ!9a znpb}gb%Hd@jbf(lJsC_&S9b*F4T>Bw<%Qs%{u3U!1Hv`Xwxc+N&J3bcI zJ}JB8=;y1vf*wK4ayjOADQ!TlzSAQo)c8MhrUv$Ct%#MG8%BzW4*qDL%NE>;R`noR@t6bZ2nWmak5;K_H+y?Zx~3F`HoA!HJK zThESHYQ@V+J!%1AaRmGg;)m5({&X$p>2AOWCdi-=CtvBrwYKXH<`9B=`msJ~FF#ex z?kR1p`fg?%x)t8Al2UiF?uaHrie*d42&(|(Jk+MeJ<(h5d)F5R!$LQ`?Y4>PESvb` z@pr_x7ia5%}VUqakqsfye&j#_F4^)WUnUL>;NlLN#t+sOy#1j9A)phF&VzCS=)8?uzf#aZ4;3D~cxEzNMB4 zQQtB}pH9XX%#brJus}NQZY-(dI?=`q?>pmk7g^5;l((@8h)VKwE5x+tuiG)x^}zMt zf)Xx$O0mB?Aq~1~Dz}rKF+RFue)vvk3FEg->RYljs2%-fS>uy#>cm{XVN_AOK)VqimVvHs^}x!(6i+rqhq5|z)$hWUYxV;Ty=k9mwBf@XtwLe6BK z1oh0N1-f`PP_5xgq5&yb>6*wkO&w%wo|%cMtho)rHqO4HP`IPkwU_wSvicQMsm&$n zz(7c4OS!}MPecJI#A0@*d~1_B>m)ovM73e@5{fY`Q_D>OBAap(zCu@!LNJxIbwC+c zN{xO+GX1cULt8|S`_PkIwk+L;wxD#$pb~My_?QQ4a(e)~Xp@9akNADT8TQr0*cqoB ziH{FYt(v71egKPLNyk`NKN4({!*r$-hk7N(A`iQo;pWc|_zk?A@w6cLc?}U%332IJ zHfli))%vUMsHa{?ZixNPM*`Mj`$uREv!qwisuy<7AuDW0Xy(VG&A)CSzm}ElH2AQ_0k~5M2I{S_|sivt!JAHXCe9 z1Iu|Ha`{Xhmr*?tX-XF-6m>?Hc*DdU(xFUEE2({zT4Npy9K<6P#jk;qBNxoqQFa4q zC(Y`$=NqagFEILRe3{cN`|6Q{DZXAVZ#XALBO_sEbZsTAvX~|_5Q2OG!U0DHT~MTl z*x5_$Rb_kc?kU=;PdBAr_$>e{z2cvhm{uhFb<_G}Jfn)0 z!Y1g+a70%3)%shSlPbfBAivOI4K%v-o>$7uZ@aDcTYdh%eN$QXRpz2)O5({wcUu^) zwj7Y~pWi?@5W=_#Ry2jvg_3LhdDFahnMZaE+qzh7bXSY=^E(vUWxofPYFNF{zP`YK zLXnB*F_kkQE~&2U!84$OKoLT?tx~A{RrU89MwS&@n+=}K;3ung+5+2XAHY_f28v;0 zMWfSWW{HdOxM`L$d%O&anG8p;aaZRF+3z4$yvlIZDfoK$UMNCAd?9k8dYs_L*~Qk1 z^-)YFSXI<2?`)M5b=zYtx&~$^BGYiKc>-R9hYBQuc?B^qn_#bo7tT3;>i2@L(&&D| 
zuhdGoK`m{J`qR5eGjnQnv^QT4rFj`Ulk}`OTSfn#2=~-edzvNpWcn6GnmGEm^d_d& zT5zm<<~%RdW|l!*D^hG(#WAZ6B$>dMTJw;QJyT|L85c0+D=s2!gR_f~dA zD%-+6I&yO2NEwc+u!nm#OCm}hE9y@Fgs^P|#Vn>B>!Y!MuFf+YU(jwZOxUi1DJBKYCK~0j|I%SJ~ zf+&Bj7)S&n=t0SclYCQfx8%d8zxPzCK<~{WE{Rj+{!A*cZW1?FFwg|@QL@cvuevP1p z=eLWx!(=CicCGYh;*~q!6Btp$rFr-xv5a4u*~QG2#(}PrDkX#SuEibau;W(fVQz*` z29a!q4H-cgOl%tT5{-6+CB6mmt7fz!nUs@@99evOvn2&)w4=C6Y|HM349j7fZxCRF z=U6|4kzk4>u!M!){^cGnPKNXX4|RytXyL`!9S{Npu9y~V_w~wgiHJ4h{caMhhKNdo z50I2K-4WU#IDwdQcUi}lE4|xb?zulO7K!&TF?&m)zeW8-hzdg=SM4~zs709Gw zSVHDzm27>@Ch=)>uh*WLc-N8r!8S4QSje+f>TTixNhuO!~J)i|fN{lv?WVL#}elUFFa za(0@KgZxf+rXP6DE-G_}o!8puZgK;OO{TdF3kxIDFQ}f`Y387NHQpQ{ux@ z3){gX9%%SFl-f62v10X=2>YbH%ZMn3cHY@CZgXXt*c7(@ohpbFecu$w@TIP9AK$6T zw@NE+S2b*2oeQ_aCY*9Et}rr^=-Bi6eNGx$Yo}&s)R*~_?s^pnRwkTV62{pk zA3L=c*TL1t=Bm{&Ip^`A7w8z97{%_bZ~xY;hXN|%8yPpM@yz9xM%GPRU+u5JW_8i+ z!NWUf4^bvn-&D!I8w%eS4?|uxdnL>(qUV6T){FA&;YacnRWH+jw34=a2-hoGX{*-U zcN89ywL`5^vn|rIQrHO!q>5R$9S;A5qPevdkUwgM`y6>u&Hg*F?ENRQZcL&LM4F+G|=nG8PCuIC&IC`HqH z!rAsZy<%G3@Xe5Ya!dyEjOpm064KNxuFkFc>yFJTNINPRDG-J&u}gF*C9m5Ri9*t3 zq_FW3b)=A*td*|;v2dfOtY-3bC*#dn*wAQNe4yaD;ZZEbZ|NZSqPCsC8fuYhy~~wo zpw~Wai5Wp4e0+AbBbJdJbBXS=ndjwp0!3Cv?bku7?80yvx6QavGHlI5mJ?!Y!Z~oE zS`>u#i@dJt>wSCd;T_#awv=ftkM|bwk001wwh?=QTlX8 zvRl<-17zr!i2}K#@$k2cH34$D?P+aOhlh(F74fx^VQT_7k9s^aqj{iB(N4m;m8<|* z)Il5Pp!LY^CNEY=Pq5E^3@$+IBOG?V4qve@0+rxYE9KyV-*3O|{SzavZf&of5&p>< z@1%L8^r4d>ca+Ljn_KqKG2wNPtkAm1XT`d`CnUX$TV%D0DRfR;RMtFoP~Xfmq8wS;f(<<(|r#>aHXTeT;!^GIOI>(u3rPuniMX4>9VRv6%5{KC)2_jnR_3A%Ne z?zuDah}Sbs;wVU@I#REne7FJ{4!+oq(JDr`=g{0ec>1DP!M*we1g%Ijv_?*eT@Q1` z(dVsP$(wWJq+S>YEBxIWra}Sq5wi0?#mLdIR}R|zX*rdKF>`n7jnX4d&3 zrRp-!sZRr0wgDB!HAR-K2L>PElJ^S5==n+mG30Mz3qWuhna_3FwuttAX7qaCFiP)Q zg%%1@@~GN{wDBWXt6PV2_a0KHkFi|Fi(k` zJ9B2y#~HE=@X_?2k7Q^mZa#RTiBTaAo0T?tyLJB3{rwIe zcEvRa=t7l!ww~G3A1@?&)@R8RkaH9fbm)}g_k^<4ef1mn+#ZrwU0<#j)MzcR-H~0b_K|)AK%{YAnJOF_E#T^ zhouVPsdHRq)w6V04IBRoR#OQ1YXvcPzL0G;iG=4na(7o}&@SprzcVM?_&}wF!$nr( 
zr(tDNNgul1^R#fmogukHS>e=-y8iWe+s~(0C1m%cQV)Yz)lBCkq|=j1~z34vyF+CB}rD`9)-$bOV9cz1hxfcPp0eyT<(wHpSh`O3t@~*;NqZDigQrU9gKCpFRj|9 zZNOl!$K^Sk{q~Bb#KOjOU{PM32YQ*L$gj!PV+L;5#d1!`L&Ex~xfSEM+WgKMebV+T zK`ewdzMzGz(+}*u!M;Zhh-`k|%h{q20sVr}VoRTALCYw71|t<{0Z(_trYE}~brG}eLk0~X z+YPSAJB)$k=FJa&kR?x0JF0L36%X}hGgOqT$&!!o*kQ7uYl{lql?8XyLPefeL^UXN ztH+$Ua8E^tEcs^JqPnf?!jmO)R}njN9V;==+E+I;_YKpOwE|}CvsAAM%l2B0-nAT1 zx(W|Z?1oxhM=Otx+Yy)1PdnG%(VD9armb~Y2*KA+3~Np2Zq9nztR+aoLOE_!+76Xp z0LJe69Je4#J`H@_dmu#!%X^csL>IH>7RVsbsXXQdI)R|oKjYJKw64lS)*pQt_PG1v zoZLX^Ol?_>x+17~eF05p7vjDr7_x^1&Cx*x)U7HD46jLc)LN<(CQH?xU1Tea7H1VU znrQCE$LPZan+z@NRv4JoahH^mSHNx|V+FNYU&XC>~rZa>im5> z6xO~Hdz|FQCjF~&oYY4pW!?1{wwZXio+r#)TLXZ*&N$C@z2(}YEbB7Q2l_~gAZTGa zxke>7e7H_T=1l>`@ygemw7$N%95GOUyCOs@Y83GMm2gPe^n{zU9otV!6z@4RIWB&h zo@&2JOYWU4fJQ=)w6**@xuyHKMNYwkCvWP(~sF9+ikGRYR6J;_%C4+v@z`A}R2fPvxa;1JMazGv~y z)E$rWXiV6-2R(7V(@GW3=Gn8l1*DpfwhSzTOw+yIaIl&gl8IY2J?lML`t1tmw)#P1 zvd#y0#%)%&4^kbBvj_GrNFpZ@ULZ4Lw>i+$y7=JEN1)2FPnm<#p@SfIg%B%kJNs>o zJu|lEI3{|o+H1a`;f9#{>wOYls-Of5J+-Qkf?_CUulM8xobuTSMwCZqceOa)tlDdp zU<$ZXm^*&of6pS*QSwg8ycm_AS!4=TbD5Ry%uoL6g*19&u<8eES*QKJ{0~v zyAc8f4|$;PrTvr43Rr%C?VTL^{`~HD4JqaH9v8-A{{ry7LBW6eHzR08O&sYY;?h+V=Xmkmwx$tRr|TAb0BoYJ3e z;W9eQ?6KLly#F?YWeQjL>5Rp|Pip5S3hB5l>A@~rRViWr(W6IIfw89PW@rKc;%yi@ z`Dy_TFn~!)>jP!pFkUU>Ilu+#>kXyAI)0A+KYt~WC>#d zp>LE5C>$zQ7XP1*s|CdOFTLiR|9R@K`TE<>HJX8dcDW1>yR8! 

    8Qx~E^5ZTtSd2q2-*C!`#f4Dd?z-~9BXisviZE6656FRmyn(&bc89` z=xLa8_{{z@kIe59J*ZNb7vMzH-pU|;ZwjXj<&4YnM#a78vs|~?QmVp!AVP38&k1|? zW753C38tC6Q8OyY4F9TPzF1@eZ29Lo#;XfwD$Mk9^Zh$!W5;~JaziclCCPm&(aa6% zvywNLWhNmgZPnNN#~}JicW9#f7&6NHJ_RL`J*_E{t##k6be^hGI}Vh6<^X=Lp8Q+( zd3y=|F_s#O{ACQLuPk7=wzi{%$KhAqAFtz508~;Z+qp zRClvB!5|~u^7hT?5~3n@vE7CZ|K;%GY^f);JNKagI^$_{E|Olz5j+uTvsn$7oR&`Z z))I)W_4k0!(8HZ`lu6x z`WR~WZxT8FkP)bAEDDxBi$wi4c1l{}vtVI&tHMZB%_@8s6f8d`?oy6qk2oK=$PWId z-F$s)?#Tm!&8`M|yUObjKyi8w$^cA)=)iK=RJFb6^^%lFT~HXkSQ7?^spcwXNCtoY zUK`e&z#B!kR__Y>chCmfzY%i%@cNb4_2;am?XsBy{&GWXYynI}B zo~(>BcmIUdy_G$ie_-BIljM8O)Qd;s)fAAovX=q#2ppsA4hInhD=F|{XHmH}BFS^?W^ ze&IamGpq_bETrdI@fn%T(r<_nQz~~W_F>PRZHxT>zD5hzNleX$ZqKiPhobXGH;y}w z_VzfW>|d>B`3U6)`g)D_mF`KnWZ@P3?Yzr;`>sIrf8DSGsH=n0Gv%vU)(>bvn$g)g zTk~g=1;e$%BVSm#d*Wn-jQD&GinzV6+!nIu5HEb|fZ-&DDCl3gW9P?h!l!l6?i#>r zug0wFc!q>Y0*eYZj6nn|LH<{Zta4x&)4Zdf+Z_q>EWD{@a!ikGYR#V<2vaZe58p#U zWueZnXQklMpDNA?POmsv)SZEMQ|B}m{fW6l2@Ew)L(8c}`{*C9~wVml2`|oBj zztk2FM)OX48IYe7uZx{NEAL)uk8irMbsrp$YAxGe{*0HvE>;rtWvZTn_rr9Hr;y4>A?`c6fg5RYTbjd{85B5`4d+Zji$qO$Sj!I$xfpE`Exk$imYZfPfy*ke zOZVBERr;tZGG#9ZR)e57HzNbgN5z-#EC==8-WD9+HFXh)UCsNa=2)#)i9`ingQEi0 z)b#KWoZ*01*=aWx71g!N!)fT--LJQffQ(f^6KfCTcs{2GE`Jy6Z&uqXHFwaBUJ7^$ zw$MN{k#MkfV)2Zf2)1G-NVI9Mt*2$*A;jEc^e-V=6-pyu8tgejesc&ulCGqUoa{S% zn7RitKWZvn!R@ygUPWzr<*rd3m0OSM3p?afk-HN&)2=uv#hDhw=a3aQzkrhYWL1{$0NZb(P7VhXBr)9JkX--vYm%SW;^zvMKtEQJ zMZGNAoG>?C$wy(J3a2~!4Z_?zfuGw7;T3LBcxE$7yZBm4etEpg=u^AhEO$))4!yJX z@q~QY@!L8}3Tj(-EjJBNE>$}8hWej6CKg%h+b{LjsNtTC8rHyXUykkQ%!k&6!!xJq z_X#$*rb&oR%{Dv!RTYshkRBectzOhUv2T>7^_XI4cR$%duvzxc7YOkQzs#C#XZK9P@_z|4s?-#@$!vTA;kye$qMzep@YK z)>p%`L1wX1rKpkrtpb<{@xg9u>^b)M{fN zQ+d5!QzOkqM>YTYhv z0W{z6f$<{NoD^fOFIP=|gD$Y<#I2itW&pf5HLU^XymDOMMKfA^e7$ZNgz$};1-` zdG=Q}ON7qLigEU>Wf~FDID2$gU7or3=i9wGzoc)}g&_V2_X+<>tZxHqW`Z_&L-@N` zpGJcyDOgMXylS^{R(R9@O2W+K4=C3BHQ9X_>Td@b%awEGO-Hy+jHh}?sVJ%n40hcg z;j*IxeyNGyBi%OzO2l_!U#V4syAKxMBmy^)*xTi9Wp>n6H9^1Bs9Dj3_>RHEL}EI5 
z!dqUQQ$q7B*xc$fZ@K4BlX6|g?H(=?d+(&EFUNt>ISs>+``~s{>;u9{xHroqYbEJK zeLEIf`GcTSV?!}CSzG zp}>ZVx`JM^ z1#%}l>#nhcUX|Kb=!uH+@fgq4U2C%>m?=urT^A9%>LXH@25E$ZwdB#JmA6N)Kj}4_ zno{=dLEDtWQeOq&Cr92(JuN*ztuUFvC>+)@E=!=24vGB=vMziOX&4Axcl8Jd8Fb!I z=NQ|IWXp<9b01Sstvss-w=rEcpz1LeI3k4>3SoL`ULOLnZxo@5T>l?eu9fa0X&Qb{ zym3kqUa>GdR<>UOw3YS4V%F}Vp!f8rm;Ajeo_&-x0X&)jRR!AyQjNr5CcZvB=&ywWfO3P`9v%N8J`nNs4-#v*1kq=J&(KNX}K^ ze|=A^5(B(UjNdkgVWFuGkB6`H;#bYqWj>Z^1kcbJfD>=a;xR`vDR1C_9VGBd{??`x zrRsH`eJ0mIR;Q@DLNz??q`C7;q$|U&E{=cSa~nfc8l}!9|$wF~115 za84J@zhl&GB|*1AbtaOp-)sSG$XVig+_Dmvt^1uSxT!Bbchnp|M)squ;hb&NNo!5{ ziKy~$l*bIsCez6Y)xD*7CePJ!0qLUdhr+P?S*h13MRya_IJvXO*CLm*hQH)`mrg1b zfjW*r7#pn_^HRbnS$+n4a%sFjUK4ND|w8&-D+PxU_ zstNwKz1qU(JZID1G6~COk8z{MmA1gFdhaBdx2+yH$sZ z^n^~9wvYpv9FSPd1W^y;Q==$N{PUSu$x^BLrP_^ zQ2^b0iT7@#)TvN+r*;sN>o44fV~k~k$Np<*W2oWsiV)U)!hp5qLc%L#sLW!xcoXta zM*-7cp+MxVeQh0qa8mahsReUqFG5Vkul3?-e@|f6r`cz6#TUE7ta;rISD;q<%m2u4 zv?pI%eIDQIxKs>UF;%-s3?-1*gZA0sQkkeJ?fBaFlRLS7N5Ie@m=tf< zco(b)bg%Fl`~%((I6S>))Zjie$t(2e*ZWBoCoglAm@4ka?#;c07j%be-;X-oTU)94 zWpz|yp$3D3L0g}bMNMDzs^pVZO-n@*s#dt@#yK0tulBXiBYX1&_Q&}sA6;a4mgVEd zPb+-cs!{1o`wjW0W|`CC$eH~^l-@H!pzz9#OorX}0W0^q!_nns@O^l{f~EGgRKq!& z9e+PpfmM#I+rhz6uk$40s}22^h?=9-w1n#j|7%lCXXc9|UWt4^Y8Ie)U?RHplgv*r zd9&M#cGhM3x~KnFGL>j-zHYZWO_nVy^N*c;?5`!%Z62smt+T}1XsFOxAyd}aCPF|z zY^jYqJaE`G%0sD@&X>LJNl*)Jbo1xc6t#E9=+BYlQ^gOGu2*H)#V&JM>7P7Ufct9_ z^zz;3D|t%SJ)Y41nwsNbfGg=2Xq(Bz=1+fP1nHvQH-~zJ?!u%VWJHbIw@;B1yj?Ym z&!I&5^Mrh-C|}F^QQB;j(q93vLz?UEKa(!~T2$7S;dLaqsqD4NlIh3?MBo&qAi|HG zUjJYpP8B?A_!TfVN%DWscs<`)_;c^ieEE5f%rc$g+EGhjOl0F6;Fng@un0D)Qv6e`;eYgg5!o zq?jEu)~sS$9Y!_GXqI9zahpLV+lGrGTR9AdyRrihY}RN7H;Jt2kNuWbTW*Xexb5qh z;uUv&+!QwVPk=L+9n~Qi`LtENpJkU`DgSl;FutJ+xhArtJI4=iF6&)Ob!VdiCB)G; zcJkn=+NQ&pf4upUd)b=lI7%@i`044~>skMQ$qHq2_z~^x^@xPvW}ohgzqq0Z4LrYo zx7=!$f(WA=F!1f^eR~Ao3z=<`fq6~gVtT;4GO#i+64tlJ;s8|btNsIzW1IWl*{^3x=%2+&- zTzZQsBt2V&(2Lxe@huIiw+mO*e}5m7z@%eXI`un<$!gz$5bnBm0Ff023dsM?k6u#! 
z^qSTOuS(BS|HqlTZt@hn2`pOfPTf7Hme+=yl2(=^sLV#5 z-e{HeB55=HHI6~kl*S1z(|dg&LR1PvVlh87QW_j-ow%}ns0g>w=nG+<^qvYKaKn0b z&-{MC*t4l4cQ~G$1bKgR*lbKoz1`b86r8JsvxMl%Q^I#^YoA7+n7;b?U0k_`M+wn) z(E;tf(hyn$sRn0ccuKE>U%iBhdi2#*u+)P?)x#>Kjp+PbHEFs#);DFoD^EI?gs`TriWV9(_d=vq=tw@ zz4pBLx?dE_qTx$;Uw&xJmXzA(0`FC`wMB>NX&v;UQy)?wz1jxSWZBieiP38Ozj8ul zrhDb#?!q{xRkl$?rGOm0i4K`mf}@ULeIZa(67ChbtR1AT@T|lzvKan+)1T>TMrCPn zc}h3O!f_r|;}Ty*j7;V9?A`qH(%yR9gh*Am#SX27!#an&JH*W-ufSbRz9! ziP(RoCt|6uIa~M+rpx6~*ng40ai+{&^WeifHibltTjgbg5r;}k0MFmc@hsZl?LLpN{&?=fPMZ;uEyvALw zQyK0K8D(5|dz`im-O67n2mJ{Co+~tLj<$?pD{H)2KD8F0>*qHxm-DuU;LMRbanbA* zo@8JaJBboy8N&z?F>!XE$<>2CT!js!9eK-wwnb3VA)?+)scPvLnyncw?x(EvR_MJ&7cW0})O+J-Cym$O* zvldz=7c4L1Omo5(kmkenSf4u`(+pxqCfb_6lkZ-mKAZu`tUWtm>CpyAMY{%_v3gbR|ze+J~>$Z&}D{ng&H(Gjdcg%R-!w z@qRq4=wC7BZB(>-t*>hQPx%qSKr_Z&MWF0>BxBjFAa(Nu+`ZRqRuScA*row(Y+%ZX z&yn2N6aQIR-hFe^w1DpUJ)1e4JzgTAUcqmZ^ZGmGwk{uzlVs9 zSR+dl&OAvM^UiO@(l%c&sU(P&ovqlMeKUOM&(%Iu3e*PXkG=Whr2W_XR|3~%iu-+NT-Ft39g!fh`#o~UGfTVk zte_P4X2%C^-=kn(bAVdl5!VOCtaQF)r`XuH=fk%&ifDc%N$e{4e<7Q3qlZqu-O+e< z>Hg6>Soc*^_CEEop2S4xTPypgm{NFBeKYxf9BE%A-*Y60(bBZMHVS-=AKNnNm72ia*%?@`w)w3F`jx`#G{2hT z{h%y9D8{umKyB?o8556SLF;R-A$iJnT4}8Fuj+XB+5A(r{ygs$v#qC&V;YT_8;CYs z$x2_hCPCdM1zbMP)2r8KvkN7CdRgvQF41S&$KmR;-hH`ONq%a^yT6qYH$rax3^!|c>zyEF@A)*o!^q@4uDAm0T88{^krLqm< zztl+JmrNl`Zt)?j0&DOlbMH+lfttX2!Bv{;VU@QT*97L7QQ5fz`TL5exylOixO#Hc z%f3`t#}!tXiKv=yM|AwC{MQ2OV`N&J^o~+L*ogY==xB}^!e3iNHOs<+_Jf8>0Q({)rYf->V31;jsF9PVP%c`((rbC zQ!Pj-U!qqs=1W3O9E~xx1!*)EhfKg{U=KorG<-A1{mjOOC6Og@wA%u(DynlZiAfdL zDa+6ae!4&RhHADc_nZoC1@$AbB7$yX4=;wCP8}7emYm4PAk+6#*edm5mn3Q-FD>twJb0UlKG%d=- zM){hc=QmF;7M5$S|0TNhDHuKbdbk*_kzFbH@dj6;CkJ~J|5pcR%V1{;O_R>>!Remd z0w;S(&*>k!PZ})iH6pfl5JJ`@VC#WBu@%6sUf-W4IvEst*71%YH`9x-5n~&bk&Zw@ z_FRXhOZG!cqUj-I+`PH#;{y_#vhB53p9#qzyJ|KZr*&!7|>lkxk9{MJw zK#tB^@L!E;#ZKq9g`{Ct#iv^pEg4LIBmM#crX~HmNxJ)CgT$5iSxvOn?i8sW{Uyh6 zAq>F{5d1w)r(9Bw{#JNKD$TDUxDgxi+d?jbFiF3L+2+;>_=e_2WwpER#LC>&NG{2t 
zYTm(F@fZGt3tiOgj=|drSfZ`Iyol0a%1L|kh<87unfF#iUt;8}DHbrl_Yrjv0%su# zXIU>>Vy^p77oX~$z8LG!nwheGzqGnW;Cb2 zOlQ!%d-M3G5y7M1{a662K5Uwa23vgSzMt%4kzvh0qq}?Ks zK>TX<>fJQ12xUyK6EDwPB!}cfydrHdsl8DzTpAY>h|pLW zG~!8*#V%B9d^w>An^RsnWDNDs@FBP*mTcmtq2C6j29eVi-W0|0*CHwM?=u%jK8gP0 z?tAsixZk3wat#$B%2qW59pZUx;~H04_t3Rg+a&JrkEc0-c;pu|`|(r0bn!`roJ|ib zUaA+$?rv8f(N(x*#t0>B_eAR%Z*i>}X#99}3Boe{ z(ZEbyJJ8;`SG#VoxVGic($u^f$BforwYz_To6Ngv;u&*US~D{2#SxGRf}HCwxM}ro zcFU*i^G2S(vO6E_^4WUmnvj=jh9w^K>9u~j{5W4ri222Bzx9aMt)H(u*(#kD7TU}< z=voSrrkc=a?Ov=FNd&%+?}G0(5DteW<7#w_)_;kGvvo$p?K!kmbG-eJ@2icmTRCe^ z-C#*ds^_Vn6ZsinPin-sC0IoH%$*{PV>+abaye9`W1@05nx-CKTdFiF9`83vKdUiIX=2Ur27<>&Vofg^5Zovuyh> z;o+Q&5{@CW;>vQ%KHZ}cjc(TyN?Hi7AOttpckQEHW#P8a(?7Lm`_=T##4eZ5GhEgs zW^2~IvtBw@3^2=UkKt5-;s7o7w3&mP1E_7C{O^&h9|L^Xpj%-vGlW(@z0-SBUw*r8 zMO!mQiK-LRy)>%mJ>JIxenmRa&n;B&0byl6Q z6cO5~Un50p4l&v13{Egg2uBcC>MI_IWDZ7V;$59n{dYpQN<=I4tyE2>|EoYVCs3^NS%YL+i!C#!HlQ8J2QtL;_v#q8+Ye}|{z&ic|u##qr#yEd_M#x+i%c^tPa7EgLq&bl$?cDrmyU&2J% zCqporxL?oC?Bd(7jgs5pgbYjd8PUz7Txh@d+c(AT?8xgIbO&MOu`V@QYxY)q&zS4L zCbY^Xls3ghKbK|Dwc98$Jf2IUqKBwv?28)06=AO3F>?2fbU$55OuP*&+xQyD;#EG7 z4}zJMa=Xb6O1`k-3in*|lY@by<5I7na(3$AEthdCq`|vBH97V5^~-?!O!E>qQkY=G zrq)er6czT_KLm?7touEFXW<-&A+iPi-i-*%!(ln1?h%rLn?L&>_W-8imy#7^ya zh(nWlJtRu3D9~{aI}O`I{WV3c#Bj;U$vz6xLMvFb_<3#I zdQu+R%KEi_kxBAxsF3t)oscldt7yx$@W=Y!_J@NKl!ZnJR)NW~rQfCt@cPDLPNT0B zb|r>yYr(#&ds0d&%GK|V_Hdgf;xKO~B&_sn0;%3$bJOV?&&n^gA+7rTPFLbDGliq5 zgOX2ksYbkj>-K?;%FIXDaXTZJsQd&sS2r&jUY|`o{|_JE&ZTmnt?FtE$}FLE1@DSw z*UVGQx;y{IlnR%)by351iz(w4(<(5iHn{nV0ZJ`Vi}mN(nfn=x96>ndONvixlP7)x ztj&6jr)y~GSv|wnn{;p6yg)bCsgD~o^WI}DUO+a{DX=!8(L_(Q(f5h(3l@WSEJ9kD z#iGad zw~##jJ1}yUbQzXfjjfn!=c_AgZO9>inqJQL>Hm5&A5CnOhz2Rl%`Sr*t&YzhzbH}Y z+nsd57MK=t^XoMW*E;^)dZr^gaN?sf{sJoN2>*AA`6Xicis<#a{ z)1IjoGL5K~5^kBkF{v=%VBLMWPWYHttHG-g>d*kHr(Gr~)%25daChQgjin?#5Ka$- z7HttBow9s;RhJ$bCN^fSEKb?2m~zb^aH!7H!O`<;eKS!MQ~SLncFl^GK}aigXft}N zku6W@6isdG8z&~4$L22i2+25BpgNteZ*4U+XE)7W%mY%ZGC`9T_*?ejlkAe{wROO^ 
z`X2NTVdYo}o~i8@SWP<#q8|r+Wye{!Keh9SC{@jjT5^PILu2zi)`|{{oBIM*2a;VT zr=VNxZV0JO&S65V3&=+(0(f=lRRBNKeSCkunJuEBOWdV(Npl8chx)wYRl$=@a%Eji zT^FCFwu?xPZ86tKI=c|Y1DU-uZ3BzfpY{R9=`)y(%mo<28oSmdJ{IUq2wif5UPN$r z@w%i7b%gmB6+?~fxZu%3KRu4q>pf}{vbtsDhMYLa4myxhxdzeli2B2(1W?+{lGXTW z+h8nwUNhu{bf6b}1lpftF4l~xrrq(8y*in=SvSo*A!#u;ZLTzpzBg4-X1Q|1OE|20 zwl6}u9EQ<%nxQ4{NcGCu3xyZ@)&lQXEX(eyhabK)u{H)wu#lEM5=;#|k zqgtbKHq851ZRio4Lk5H@1fOFgk&*IHYwQAlU37i-BQwzUm`?XqjZE#J!k$CMx}aAU zdd7{jh;D+<4*70$Aw{hpWVgL4dEtexJng_j#BuGXS>WPZ^zw6sPFDE2MJ!x@4NT9X71KMw<1$(vU0P74x3d4 z4Wvx$t~2w!9PEy^+EqFGmE|QK8ODgAh)z##RT%waSM+nCtWF&?cQKeBCFe{V*X!?p zYLOFhJE$p2$;i}YJfP+kCv%n2&W4}^>o!kmPo6POYvEfUN3mP;!7vXS+t zpZZ^X`1)1mJCsO`@mBq*E-_NtJyH0!huKNG{L8;^FTmdG6b<1jpKxEYWks~(V zvT(AsB-WZScza7|g=MDBIdcq7j<3b7YLh8VheH~Vyt|F-P)?TIukLNb7_kbi6{XpK zN)2xF4l@!1*l04#lfOd4yOwcm5h+a0v6O!`8Pr#Ngz$2&-pVtyl#n*q&0Zv=td>+9 zH8dUtum(Kj?o>M5h|>-d(lQ~3_T9yH^ZogYNuqS;saD-ZeD;IFUT!4p(N_!J zDAZlz>f;$Zv_WAXY@EpTS;8#@?O7M#N82l5c&m?!yc(%*UAiTNgx(9gN2jN}La=zx z!d6~#v$xe7=0dvNY9$J)dq>fS`o1$BD2%XoMeMBmQHc}v;{;zbO|pwKO5s_j#S*%^ z=SNU&TD^y|!EO3PT~YbtoHN!sFh@>h6V84KK#_hUf>*f#@5p_vy(t^$#Wnlrg!B!f zTBY#uu{pn(`4l4RPf_Jm&XI9Ujnvs&u|QF$PCE9l9wt`*LMZcy=gFYE(LcZ+q3as< zu!;;H=a#E7JC2skUl<#&rvVwYACoPDRu^SKwMIcOD&MxAg25!xgXJ7H-}7uU9}CnR zl!G54e$Y+8IB4&`iX-HX8EM#_xzSYKOEPU2d9vA*texUaf;R8eZiy2!WzM1}i(5Bp=_%sYZW~E$@~`^iE@@{+(?)L;zQWub5{t76LKbLRORar8PP9crTBs zwdARf;iKSpxQ}LVAnYTJlc>_3(fgrdw2TG^oArBhtwqEWaBVg-jp0o}3pe6AmtDof zY7>9lZ!aI0GcOq zXK9m@GvHPMqiv1(Ux!58We@$LRI3`agDc3I(EglI@brUA?O%Z)3h{nT_bZ?1^2EeJYPrHRW+0lDuj`zqNxrW^caPzd)^ zt|hVZG<@C2s{K(Cn0;tcGMVdUt|1EGI^F|ly~UOsosVs%$LC;NtOD|*n}j)JKWf)&anVC2Ig2sJ8Jzr z*^|8lkK-P_5T};nw6D5Tj1QbvIa0^j>045oy=-h3)=|Il}0_`HY?aWRpw=t$DTFr7VbZ+ z_rAq>E2?`mpd)fBc}#u1Y{?E@;grS0JzgE-J`~H)7wO1q0W&4%zc)r#{RM9{%m%CE zuJ%4C=c47tK#FT1&EodR%>Cm{cZbrODEa6EZatz_%?3Fs1-M8Bls|?-4%uzpO z8^#|KBwA2jA$ta=AlYpQU!NS|Bn~Whv#tGZKl&5?yw@6C8wi_9@1E19j477gk$atB zUzR2JwAR@D$NusoIfRaR(R%8HILRui#7kjy=QYpLg^* z&$mz5*0mS&7Wgkh8S|`cpp~WqMa3NX3^0%GzssBv 
zzAHR&kF0N;=J&$}FdCp%RsZAf4 zNyO=C$K=J=UD2#9W+~0EjtT4bDX2`97tdX(t10Bp@~i>Z7pchjKG z3m1Mu>OB)<$?42B7*k{Q*1zWJ?ryZIc6B`j6vk>1?Wpi@eD)nka`(S!zD02>Lw(p2 zL(2u(C*H9@Zdn*zy^<4hxFfRyP~3|UZ`o^(iavk*bq6zfc%iB}_r9EM%4Jd4xEp5K z$g~%mOdrtR9+y@l3-_Qx>v}3z<~R0llSkBTu9}JXj4A?@vI{8togukUXT9~2#I~c0 zgRXZsBIa1YozldAg0{lgmM4w`8C58)3Y)+hmUG%P8XX~nHLm(PeYgQbfXa^hO?R8W zyGevwa$Z^J;@^?2DAYMMGA(nfFy(CMKwrK@exQC@*4*#&sr|;AW7%L;S~yMdFf)@% z!+!G(?}_q?b?tSWh$$4_x>jjdg>hX(xX8o0pc3W>uCH}8RA8B?=U`Xqw_o;OdOo~v z>3r)8{7vn)ZSQ5+JLGf5TCJ)amXbEQ6DPa8=QPw z{uqOacxUVS8UL@nIUDWaO1Z%MBc1v88ECPP)Dzot+e4{_jcdJDZpuPK6>Oiu{@4AC zZ>-|5WsRt`hI*mFELW;$%Q?2js=Zilc$<@g^9|*q1a|lX^D+J*gr}hLRz7l*^TGDV z2+O9_pA{3!pJt-v&|aEd`mfb)yPc`Py?RtXj$e0Fi1f~g;WXoEel%+1UCP|+>}B@p z^!%=Kl34>EisSzF)CAKpbT=lv{O zmnk>g1PgY0uDVR|;J*9I<)J3fKGxK6c!d9sOFm?1qZMxdN&orY3O{*m<<0uN4=N_he#^`&qPOwzt$aYapYh;zoF{Zd>?LW74%Z3g18q->gpaU;L!pY~j z-neeMwXa@{QQzNU`691FVi&krDgqmSq40aLE~0MVP{dp-nbZpo7&mpv1>c{C6D?!y!Xa`x+S?a@4KN^oLRKu#U}CeXj=lE~%U9Y}=9+DNtW|s2KYpez?||wO z-uuu^BeqBh_m}mIxh#kaU%&ej)qj@ti@z@W0-825Nb&9B*!DYU&Z`kn8Sf3hGZ^D= zqCcR!Yqi{x}B;UkX@46A}#G-p{A)#5b||EH!MJP>4#i znVGi6J8Et%Ibkz_Qh;jIMR?NQ;`QrHYN?dC>-G3T4_;=w)g%MRxb-SGGEZcLK<1CU zCw++ZHX+lZ_h$W=)8ASs;uqmLZsqHhD82H@5HEyfS6SI3E+PcK&nI2Lyc2fCJCFPz*0{eT;K_Ba#`Hr>^KKJaAT9F+Q zEM~dEWM;LTTDH0PF{|16&nY|R%V8}%!ibJc%%meihETYrx!NP|Q9;DFytM8a=+L1g zg4mUNUhq~4ztxW4DrPPupgKwYh{WHVgh(o_}|81pVi*PTGstqp^VNcky&7cmhKOYxweoF zSjfOka$O!=cIkVK4U!7>PQDt4j89*G<7dJNuuZqMbZAVWqd z!_~{gbYvJL<_uZQ$6z?otQLNZkKI^m&^qa3g5?}ctxRh(tHN)79Jt4FR&u%K0pmb%o%2^(`{f0$qfqx@{SUb1< z*Qtwpe(Ii78nlFjnC8`#j_o}ebA2C9VApjWRIR-74^I=krpxM+*0Jl7VmS2BNs+*L z`bc7^iiZj_TgH|Q?^K&1@g>4lE-Win{&m?AyhNv$+o$zzi{b8_X@t$Mea z9&=qx*GgF5S^rTx%zygBNl8aJb%eFBBBA)jv$03Ceo+P3G3v99pCVvOHl?!h1P0D5 z?G3K)N^{t99gDSNc6ro?ww@#$F4mL^5LpMVfXsCbopvVq#7{S;$Q2?#M?Hz-g{o9y z+`EVLLv$D3ark)+a4>|*M*h&+pRCP-TB`OzmvB=(zhK8&OEcZ(0W^n)EdU?0Pw*l@ zn%*MoFcdX{Bj9Y|b8RsHH#2iDcPTDPj+UA$-<;MF^+!;Pld```OxC;4$QT0XT+-SX 
zYKCrF9$XSiNS`#$h*O&Pl}X%p<~mi%(-qj#y(tY=11N*B_idZDROTb)vREzSi`$L9 zucbEJ7hZUQM>4Uxn(E4TWQg$cVBUs}GTlVI{?d3=8T1|E?m!jis1V>$aPP~}Qs>_a zbiijj-hRwNOZ#r0eB)cno`g-PH>)iPz~HwvmHQ->h-A-l*;^X%{F$mnuX9Rh>E_IxD^(6;h0{C+I3K zqOu1u&`>Q7p4eMn^lSi_UEy(nV&wu3@UsL_ribBH0ZXM+W}029PIr{z?H}~nf~t`$ zhhWB&6^0G(V0Q>%gpip|=^(wHVZ}-hSmMj3Vc_w1G~G6$L~dkZ&xw82>0un3b(}at zr-rUu3K_6on`M^WzEfT0K7t}Qf*9^~_-*&Ya}e)%4XqQVO8NTjjK$1tcSZ|T28XR^ zK9vTti!IX3aXijkH+i z!(BU4PM#pF1mI$O%4Ot-4mHyw>dG*J_*vhV*}?}No3xPFI3FVb)hv?nobd8??Avh$ zD*hH52|e8jB0%YhISYUy_Sbgd{DiF1!V{w(J%)*}oE3sCjMuNeVI2uhb@~}$QIY!Y z2^GO}AqHAYJ=4m|yJ_D+o)itE=q~&y4B&RrkAF#RdvS67Y9{xT6a^Pmo@_77opE4* zgi&{vdnb#1|hIwRgpyME}PGd!X_S1+yIPl z2&G#l8x#9v1YfnoBd)V*n%Urv-!D%+Pozasqq;drgR-pjniX9&xM)=l%>D8UChPmzna4Wpmg5s zk$Gbf)BS|M1z>ul8E)7)gKc^Qq(3c(T-+y&`#|qK{b=JTv;XoY zz}{h+>nca+6EO;v&AJ++ee7r9w=e9!Yj+6db;oXx=4itwSPN)k0oXa8EHgWy4pSKJ zuR@PY?zHvX`#rVj==~D_IHit8J9TFuC;#-MJ`)nlt(XgN{)DK5B6@1w-EVW4+|Xa^ zla%@m%&aQ;RbYdLKTCL1RYO%QenBNEN(IBigdX5ZkLbL;a0Vn?hsK%Sba~&P3i;|q zPs%G~aWp!Kq5}b)k1}7wHpO6F~`u5bN|N`%{OI5m3?TE8_@W^4kDCi8{289QMiltmDsgKjRTa1o78M z*(E6)X9;p|e;%>A-KP%Jaa%=13F`(wfH=n35GFmtch7VJpv0f!c{py;dEg5kd=0eN zUQ7v$F#QT{d34~&h_VHwA7h+qeXqjI!XG3Gq#g25 zK{Vr-^?>HfhV;BOG7jpW0G($JfG~za1P^Jko4O?^nFqCP0`7q7(xiHIx_k4OXQ=f%@3ILYm@Y?4Oz|0>wSpK} zB`O53K4(3;TxvPV($LV5T(7*uz1I=VK_luAu*HJw@te}mK>SJG)m;oRP@$FzuEtS@ zbR3sWxIF-9RP#WN7Ew;$iV@v!yFa4UmuSd{G*@0`-cYaGw;W2t!k8(>>J)iO)rg~Qy=#1^2xYPNJ zE>B^{{Ym_Pf9nbOdJ^UNCxae=ReYO<=FdBMOxf8yXc-#q?cY#uJ?6_8N#?)+flzX#g?f4C+5 z&?D9VsdBc)GqKS+z0BHk<=>`g1xCi$8ANz4(oblSE?ARZ`xlW4gATD9>ZH%VKMi&( z-;{dJ^Y*!@|G_Ar;EdkY1mNjuXCjS7Z^w_rZe0GC{&3J#DW3L}jc5D&XCKgBo|4b` zhpPYC@7+nPKCG#heC##@)aPl1Qj%3D?T*^bwjmx( zfKQLiTaBFUXaAVO|LCp`8~y3GJ{jUTGUCt)NMpM$O<8RfL+o3SwH8fdZ+id5l|BFV zt}`V(F-PBTN*!bO|Lx3p4V1#qf(5DL!!$kHViYf%eBLw|$?i31&v{`mTx_T)_fi0? 
zY!6R5g}yS$D`SFBj^c;Q5=T9@{v?qnC~zH~KD-FFGF!<9zZR)S-CYG`Z~DMpSJ4PL z30tLGHP@K{EvOlG=E1CAmbyVqoXelS_SfYQpvtY+fJkDQ==e-VskG?Nl?_%1fD&-D zpc3h>mzT^AME|%p@;`F>hmK}1fPEvL2yl};g?zvK%YYadfCO+_b#9?mka!3DJ{OdK z@lX3vbI4zHMEKfNSP(ydnbcI#RC)5Pg#a?=tG`0+Kt?8LlEmn*%FJki-9cL%P0)=$ zvL;CeT#r9SG&^q3P2(o5ANOWewZbON!}JoEamRC+l+zB4GmPA#n=djN*Ea_68O%2K z0|M%{*_6PL(XtJ=-0XY|Uvmq6S;%`_f+UrYs|>$6h|q*VzJJyK+Ve2bv^*Z%IFJ8u zekg$aQ?Jd`zqntTCF97+3%Qm)(5YnR-00*Rgdrw3?h74Cg$~)8o$tF~`k~rAUt$Y6 z-)K#fj5)X=TeIFO0X=%6uMCOfK7TTaW~PfA!VYXdr?S}WJ4Y1qv)*@i%a&2}4tF^t ztNexAxb@2-*o+ivf0&0CY%gV~H{XM`LvG|uha`#c$plgaR4>xm8TOYY*AC`6$TSi14CFoDwuJ-4UhsExX@8rvuV&?W;$0JxOg{XeR$waYjt=7o6-KW+lT!)w;ioE7_Gv@d3jdzqkJnVoHG57 z=efi{_(ngxRzX{v8ZnM|cU*glh&!zk^RHyHGZ9+qNqcH7>~^*dGkO5QNxzMrp$7i# zEry1tiSN-HeEl71n}3+-`5+Ynz=Rw&RUMM`Llf*xB3?J7=S<3kULhx}&DPh8;riV9 z_QGSa272C;lZ`6J`nBRuIY-?RuohzV2fMx6?k6nPT>^3Xy+s7SO*!Z)Fmvmt1=eln zC$2a8R+;2{9r*{#2ogdM0Io3AV%}sQY|b~(a!j1p+*9(x1>byRyJmOjkZ@^W9i}>6 z5GXWp*N5U6>Dp{7lmDy-W~F2t@0P0N__OJSsE2wfulhn;LXpxd1ADUpTmzC)zRg|k z6T-aqvY$MYyOngE%}dNi(;Z{lEUGwUKZ97L`8EofCPI?6nP%Ku2^ay54p)l;dUACH zc(%T)ZTG9k%uYDFZw_u0E4wa@RU`q>@S@dA&cYXkumx8s3dd|ptS<=&Yyw;7k%?&21^&QtMh?7hAmir}ht1L(o0{rY61GMM? 
z9i4cwi+N}%BELSm%{ZeZLM`WFlD_skjbDec#}{xOwUFwB8;Uw88D`Qj@hrcP>} zq#8*0nrT!%r5ImP9EKZKCAf8+jw$2SpcIA+Tzx*GPF@}E=UCFT>0P?a_zsvuYoc`2 zAGW+q^mWm}jnb(V04w^u3Cfxrzi-MV2if&1iIIUJmYfn+$EKUVAGJOMK3o#;;n->q zvXqh1lkje8yutUuH0sXO{yeD9Rx?ggK6tpPFT1i(8}tdQj4<8G&=_qxxe;3Ay4FZ3 z-^MCK*;tRDF*09|X*St^z74(Z^J>?b#KiXIyh+qrD;7F;MCqC5j(0{KJ%cNx99Jb& z!XkVqb?MOch*1qaBh@wwSJ>QKEFslObU}(qfL*fJh0L}*si>1Ndm}aUS<43k0fV)X zHC?YrO*X?;IwnSALAPTH>mN@I70p68w|`SgGKvCg^xjmJns2=s&u%;@%7R>F%bLuD zPsSewth6DyYFMHCdtwI2Pn9zahr@{pE&J1Jg?htR9GAal7_2nr1TS56t!JG)NZaL4 z%9#Afyi(R2geM}pAm<<5TH>D@?u09YQCPVS*ICc*etz!`hIZp z_HA-qw?u>kc*th23K)I00`;ij_`D`+gHsL>eyLI@YDi7xZZqDFDG&)NhV2>NKHYt?AQQ9$;pgk9T$pA_FNSdEC1{jM$9YDSRv0rCTvb z+C#zrP6HUiWRTZN(TIL^b?0Cy=?3O##gy#h!!8{ct9F0Z+}-4&FdQT80>6H4+eM{{ z{Sh$~WIUJCesxFzkd9YmHjB{*=qFQ?1iVh}<(jfFD7!hAjR26x;kl|-yV zk!_bSO97?)uxd01lk?L(a6B9QNbHehc+s@KeTyB@d&QfcwRUWrB;tUq#+{6FHRuvv zBvo&^c?6lokQnNqNnWa+kQoZ^$j$&}AHweyIQJ6o*9DareTCCM{!IPG@G9il#>lhW zXuI$}a|L_dLHiE3m!?N59|`rn=yESGrHo|j$9*fpl*!J`IaXtdscffwFX1zr zm1~Tcv4{002$ ze|I$|1$RBAwRnmzU>0d(<#N;y>zT5(J%~e{)MJp3{2YXCQ1QA1$S1g#cC#`uNLqQ* zpQ7GCc$PD7x;Y^;gwf^CEj?+YgwrJB0Q7mXZLQ3G^-?4X$=Aj) zxVma-?@bTW?vamoDbxzd|4tl#j6#rC^YWHA6#n)t!qHTV_bzol-Ri%`uh?D3^s<`z zv3NVfpdSO3c!d{-fta@QN?#7m_@~8rfByM^DD^dF!Gp?obCJkT_e<(`rg~2jBD^WX z{oZAdm-BPny|uTH;w%_~uyhfEdI|djXz%U3?$H%OYh}0=yueJeF)2+pHfGa z6>2ngYLZpzsGCIVjB-LTYJUpO4j4U`!*LQ2ecHC$1bOrj17 zrg5gl4J1vl7c6A_^vy9;8(Kw>LNYB=uSr+mJ1h z!=|(QZ)8$nk^XXK$+fJU@Fx)@nURZ7icwxp1eKtVhx_se8ZO8jmq__&_T@T=AJ57G%uc zWp7%2dn8ZSMqR2>_~WHKK?S^9wr`6UHAwYxzE}Owcx38b?L1zk-~IHNtqD~IzpEeR zBT=8+sO{q$ht@+d-y`0KQDpD3&wbX0wX>nNum~UX?C)_oEW4SU~`m-K` zZGPa<+~+>d_}v4kp1B~FG_*I!N6XY)*%NJ$eAZdE;iA=P#QcC9>Z3ZM zSBtmpU*$$cj@Vc%)9lUsA=SV}iGQe(e(GB3^~iXvvfz#@q8nA3Lsr_FPvg@PeQ0{j z*oPvb;CjB*(8uk_<-})`7Ao*g=MNV<2L6jBY7WVsVHc{(+L;1zNmXu= z8*I~)UD&)9uv)+H|EUh9hHm( zYg3^@uGC1~!aR1f?jL#5Vgy}xP_jL*nX|m;8Lu4X`JUdZS}l=Dtw<2qjbdF@`1UO= zL7UO8deN9SD}S~nK_IGmVH6SYGC@6EK1SU#0%>2tO5mMldYWt9UG7h~)P(xxuSP(P 
zlB7Mbdg^^;1dsTkmwf!KH$!jr*xbjCC8vCG?w}TYPJ`3=!f{MtE)}8_lM7p^(|G0E zfAOqCn(mFjio20X)UYN1`#8YzAYfU&FHe#s!NrmKq`G^@MbQh#)HAfu;W+}+pw~~% zdct|3#iDkIIg)m%>}Vexlv2+~jti7G;${o6VTZ~7KRHio%y&2|$`*Bp3*G!{d5EBx zZDa>!9zAcKPySr~zCoFOd^d3IB=U09E6SyOh|gsj@|&$L{cZ{S*55L(QlC64tP$1a zLvS1(&E?%Q)<_o3X}PK=C?~IYQVaarTKxP!g=9IrpXA((UmbMxZQr4eEmuzX#3gxB znFbwPJ_;ujgblaFOVS#5m%}JA?iEn`T!jeL2(wfez@f=_t|`;LDxrue6KW-C|C?y< zTCgWYVu>Ug(6T|WWG0;RGN66k67Dn$vAyED4oOvgTNAz4?r=+>P>BBRY5(yw)4})f zw++;ZAZz}JTHtH_YG0feU*wr(yzhN8t|IY;`V1AcydUu;9ck(r zc3B@|-X61Ink^lLm#JDW#E}Cc#vXT%i00;tzc&0-KnG2GFIieDD0uTbQPyHuZe(h5 zU8rI$`JBYej}HW#Ihy(6sIikS-{w13bwtE3uEh%skrZpV#hI%3UFje#&z?;<-GfB! z!lbPC#eODy;tf<*Umq4k>vs7j(PPmP^--seI#WUd9eB)7Un4vQqK?eP*#pc#2&3C* zy17zq0lhR!6+aQoQUNP0jAyp#i+e{1Ox{VV({(|6$x1db=!RjoARO_+apOIrRqb*_ zu|O`XS&_J_@sIC2aW9Kj5@cOZ8bYBO!PZ+oB=lmprOaO6{P^+~5gA@91eLOBuy@=K z|G+4fI%D4ZihiAUh5n>-oxVvZXq7U<$-VnK>$knbU9u@DLB~s4e+nrKT{bD%G|0o7 zY;C`Xpm)qS42AdP%`l@X(cXR2Br3yfG;hEjKJvE+jAkQ_*WiiXD4&4` z^VpOgh};ag)lDPyLw_mqcP?H7I+}Z{_H(mNzsQ=4Eka@&CAZO*M}P8czok9NuX#d&iMZGF3h=)Bwd?6ep`=E z7^r_p((vkV?+Y*4J8-!VqfU_X?rlEq56DrXDQUL6`MXX{twpwaJBb>iy^B9sURY8x z5mCh5W#%mo547 znd2!#_8jrmTUID6_sFD&!3~XbWQMaCG;^b6wc$46@iaB^%X2S#-AVUmQSt~RfuKE~ z6W7unWlicvl#n>VR_n>;I=*2;JF!x&lq=|z%!p3$Z4o*g>-PAN%Xg8D@q^|uUc(WZ10>RE1-G%aS!R9 zeZnK#Jt3Kt>6&qFy-E+i`x5SwZY!8sWU)<8ZoM?84Ba;uILrz)Opw_xkV_Vk4B)o( zs?9abh_L>?5h(e=!>IQ0=wz;-(a;tRV34Mir(8$aGEcm@KL z^7{R&!_Iy<{9`SbX-efWm><8~-+4cF|HRs%@nc6%Mi=|&YFE>zwR=946a2<;;h|FB ziI{(GHNn~}-HN`lu4H9YIuhuN+zU4qGU{TH7d7d&Tf%}2+&8&q%N@^#9f!TF(%p>I2u-BFg`M@XWzH8$+nlNNYOYP z8xIN{*7wt@UAdV&LPpQeb1(v&6{;p$X||_@pO zSi+KYeCU$PU&UFd5SE;xIuSBk(fYNoh}AQjh3RLIC*Rq&N@}U56IeH2zvqbNbcwzu zWa{v0+03=Zpog%+x-q<`^yR2%1?k@Wo(vRnjK|`I4QZSd(w(ST9~bROeAP&NL6cft zc5Yv8ZRK6K|Y2BzJk!7F7tRmvQ%|Mu6*4Ed%kQhT7sCf&Pcv+D>PdV`t{B`{gJ21ss#mA)IYx&-sl$30=zPN` z>XOB@(qv$HgxM(>6&tL8JN)CB71A~~7iVBp| zVhrt)?i>WIuG9ws*wX0^=*3s7$PWGy-BLu#`aUCJ$C zNYRFS-(aU?F!L~krQ2j+W0J3`Xj1(*T55X-VM6jwqi%YC7Y|?Y$R91Dm!kK_%DVO% 
z==e(4C9y6QYZGg|N)5d#0o5RV+Q783gn}Rm7>|XiQ5DpLa@+gvwaf{q!`=^lY1!la z7S1zX^tCQCu$~<+CGlr|e)?)IMRkF9l506yTOT3FLvLMd9JzBtGqPEHXUKN{Ls1$c zt478h)%=6{duAs6BNy3d*)L;>o1%lJH*S+BFZgG`C9jpFt`zN+h$~i@45-ezWbr4b z-woZH%tM^y)se<{3MU-CSZM2;QkL=I*d{bS#ME&ODqiYt>`Hbkri$~Ni`i^x?L_d@ zg}NZF@BiU}GVwLo=&=dnffG#CFdFgRsQ^Two@Mz#ENV~qDrP?2OX4hN;_z(IvfK+3 z!3T_P@((tKsJ3?!VB&vuhj$59WyiX^4a1Tv*TLlivCMRmyccUT(hR7XSxN5El27^K zX7BtE0Rc7Nh@4Py%5DZ)E9FyEhvDv`?rm%c9{2P2tlGYeZ?gmeK+~y?ty7~+KFzyTQ=xjknoY(ChV@b2((B~9Ia^9SP z-qGE$E|ju?2kvnnC58>DOSUXGSK!S3nND3tRGV|*+sCM!HPx+_QT5ujyw-uim795? z*|C|7yt5sqwN4$MvEwjTqEU#Y?Xt(G5n-HJ<5F66?&Sm!&p8@??3azt{t#<>k~se> zuER=V8Pp$BS8IO^o}PLtrD_x)xnrB&?bnFoAMAM1w~6eicyE4ZjOVsW8FO49WEGau zG$0yH->KSIr-kX1h87zWO$f>$cYB$tsVwIG{Z#1WmP6T71JVxT1lGg`Mc z2WQtbQ`^u=M6v$PzM2gY*nc%Unt00Y+7+)1YSgc| z(S|)IQ;oH$$MrW@{IPv8$>Wk%8zt(8q7%X*mLU-1*TkBc!B$c+r+GUKt))?AaH)6O znX{DksoZi~31Sg)*?Y$-*uC~kVbHQB`S@4DH1V&BKc#*ko;X7L0-Y|0vc`kiahX31 zB%7$LyD>=)YfIX>SlmVS`Cmeo>_xe1{WMRb@3F@1Dw)|;b`zVIProbwXhBg{Q*k5y z_~9I;quEAND{cu9z>EQSo|~dPv8dyvWD&xpeDQC_z-iomJ?WDs)^t-USjKay^#s*D z`0WF|US0I_iRZOAZJ}A42BY)l)|TBhZl|~rl#Tqalm$=drvL3;=e0?zMIs8QW6h%I zN8g0u2@pM~V)Uk0E5lPS(r@5|a4VsYIF`MY!C?6~QYRZ3MeZHLw$hepj?ojUchc1) z*u1myMMic-7H{z?Qp}1U#Eq0>vv$P1gz6dtC@S>X?V*BR0n{odquE*x$(L;xZ@Lyx za#jdmJH>z#b?8quT|Ln=BV{+g9??%(Iky6<-S>HF+@BME4Q2FNA1gu%0tu;cD}nWy zszB7bw3yx3Q7?J+hLzD?|9)Ha$-0?w?Hgy~QhyTW&MLQCj#H9R$78cUoW{a)Ux{Ea zLsn0{9vrd>^2Wt9nOj!Y5s?$lcQ8$cnaA)qn13&}-j~+g{N@>p11X+(iRVr?w<)4W z#{nV`pWq9xpkuw6hEbUsz49(D$u0*?_@UIW)D=@`{`78eev+5xek#p1Y#az3KmXI4 z?xoz1iWT$Qb7D$c`_$8qvfs_Q1J{0gLkmUT9#U2d-tTfuA71;zqXC8lh%`!m58Z39 zF_4h5%6yzH;y`GE1zx&;#dOcoQ6NRjF4yBTzv^$UeuFbmzba+=js^e9^-c02WXLjy zhWkrknleG_3apx?2C~BZvev#dN4}lIsljz^V<)A6R!#gt>>i>hwQI?hP%8sBfv&!b zH2#3RR6!BAy)VSI9}1@*+evF|Nv(KZs|VZ1eyX1X+q6sG#Del*jDhISrUC>d6Xprx zsV^1-hzZ4AqvYnlKP^=W$HV#fAi4vDJ1&+)oXGk}DL4>v-hpWPw#a+k*s)pEwru-WPnwd&VFWr!m%L54eJVA;$MmN7b{&^ zh9%_P7!OHhFfQ|^`r&c(>P_PHq)U*wJH+Z;df#$vwUd*nVAVF?A7l6mmXy4=c;g21 zVr7B*Ev6S1C@Si!yecvP 
z*NOg;a3K|i`kS~!!gw5+ARLfzyiIR?bTtE3(n0k6l`G#`L8yxZ!iQ~tzrb+xq738L za+lUQ)FwOQyk^nsfQ00gBpoqta!yUrAT!q->U94`T@^Z1x2FIfOiqi=Ze@^|{F6jQ zWFiAO-LvmetO@slgPq~;YkY!OG5jWRRn*712R>NsYE#RK3*rdf8PPX6!c9qZnD$5q zWM;LBo(J@qDs++5^E>wy`R*N-g9rv?ji=n70)es@OP)C>MY8-((*W1UJ@D)XUc)2} zpMv)u&u)r3YO}}yMx1h^ZyY_)G zw6@xHH{1JeVOe#eC28^GH00h(5BeU zN$t6-57|{Cg|wZu`8aAy*V6mBq)zD4x}|L6d(Ys#v>U*YQ8#*x7)|7-8HUq9{sUxmWJ113ywSNDc{`FJrdm;5w5Mt z`5GgM5OY_-4zS&Za^;_82cN$|{hdSUEe8x!4~f5WzQ3ZgT}qyJW%hK8M;t7Xb+Mi* z@uzrF6J{R>i`}}pMy0wNG#)rQPU+P6eoT?7?j&vpZDx6*Vw?D!$pm=1 zZ$BD*aNBC)gY}_jvR~OL()@7O143kIJ64N{b!`(Abb_LD%&R0E%k8!gY3x|@x= z;^>^?i(V#w5w*`_AQrgBXB~MX@BY3|dv}tJt@S9`N0UMjHQ$y!eM#7`D4e1eFsp8f zlCHedbI-WuL_^?B$;S%wkFstSg|(km%has2!w0?`A{zg6%b_Wk4^`IS#N(D{}Do2F9zRg|?= zr)*H~%Zz;*f-fo-+m2nL`qC#d_V#_AE0S@LHi8&FQ;fQKXO=JT_cjXp4Jy9UwV+De z<)e!qhBrFoMe$mU4TWwFEPNE~$rPixfB$~)M(u%agj)%Fj>*Vcw>@6`|macPvvbh zQ_8bOr^X4VL;H8s{l&*x5ZF^vaAz#!pF(Ne;4XCIQ(pd!v-BD+(4GxodUzS_395mH zfp@@JPS~%L|3Afqg+3(}&eNvfK0zn_Z@CQNfd6`T675F5!Pom!@-+@R9kFhUIO1%3 z-$rMER$F1bN5@;5{XpYOe(;}?8m?o31ZvvLIN9g(`Tz8npZp55yfAH)6x=012;`Kz2`26ay1=`>NnHaiBJ@1TKzqB9_!c_t^)3@=6xNCVXTJac3Yg#Z z0#doo@a5cU@5Y0+gPAcYy*i#2MGG}{?Bf33Neo+K1LIW|- zP#bFgV@|0T5E0=;@4vIKzk^+#u*>IHF6nk07{X=q(*07_UgvbrMPoFi|EqOeKPU&S6#yrkwSON+fhu( z$;Zg_1mCd#`qtmeK_5)O*Q5S#t$`d@l_@C)Q_X)%hP`_oE%h6>|1Q9|E(O}Oq?~_< zIG$UA$20Wb+i=kEX5R?ZK&C;jM^#u1x!UKW!AWR<13p8Dv|;{4UcU33LT zp}2(j*$Q0)S>37oNAVH=Qmb+S2J%{ASK7`$pNf{$vq;H5+V$C#P0%|R$3z4B_1}^S zat8fdcZCuD$&${r|AY#CFnrLhH#!?A2m1EYftUDq8NwgTI*1;c4Wy6K(rDA3XX5{7>BG6k z{>ye4KzF;B&JBwVoo)ZZz~CQ-^%os6bzrOqNPzvXq5W@jO(aFX?us9%;Qkf^g9_*nr{8Aito_HownqB|7LH1! 
zzxSp@HMGStjmgsdo93l2mPk9W*>^wFgd1neY85EX=iQG;$6apCWhRp;QwvCijHdUL z>4b)Tl{^>ETdX=FrwhM3I$zBHt+ls=nZ$LWxLR+TPl!m`c8O#3Yuv>1?5)MS>Lk4428Z!aqR84( zjYbx28d6-tP*}QFoA`E2%_!1_7yEpeQfnZ;8cE_KY<1XF4VnWz9w!KGobGh|0 zDY4oDCbTlI8Stj#&V*aJAKfhf~Q%vFAo(&yOb=;}sC`#ga z6<*Mj{Qla~gYhb^_NQ6HB#(^RohksBM^BoJ2uOeMXSdL%N7nVU^MHI+bPDqwTZP9< zgLzib71N=r;!#^1g(am#iCwB+Fwu{aLe~GbI-`ZrVliuur4Jm|;j|cKx!FJ)KEvMH za?H_SefoWaP-Hi?HMDIFB2c0&cxdph_?2Rwc0n93M^HVUDGTPEAF|8y8YJ5tTn#E&;okvTY=p<91(m1`PD_@p?{vzB zow3Y46*iZmICByPp-cl*OeyUqcG9??UFzSH1I7n`!^3TJ>!mcl7LZdPWIiftQLYzk zHmN&J?%(PqAH%f~1oFz7;YiN#7oUvplk>7SYZ2~N_*Gq*l4`iE^!v&F&z1oygwP6u zS+;MV>`eRCe1AVK)ucDLKBySYnMwb~rBLChc#k^q&e**;Gaeb6rL>(nR(DMTtqG72 z9%ePOf1Nma)`aa5MqOy1Xh3-SmjLkKPmO+-fjT6g%*9ylhea?m(eby~MNPVv^^=Ge zTSA3OL~LS{c~?5El#i#`347k*vk(ca%f=2#JS)qkU(N$Lm{Y!=IGfZQ5#w>Ql`Hna zPL7!`+UyeiF%(6(sQI&!K6Sh^Vt!UEsq4C@YWyS7Bi3#}6Fe2Eq^Ze)`s2n=9H-XY$m$yB?a&D|t0UR@3P@1~n8djzaFjQEU zdNUxpL+=UB?B9h}fys+LfmL%u;-OU2g??uK0$8=lig}rxq$p<;N47@1yPIJ$c8wE9 z2uP=&H`5>{QU(<gw9HtgT{eJRPntNi^R#S{qK~7c zk@)nWDW$MorCSEZVwgPRL*XQO1*Au5_ACBp4qy+Cd*#}}KwdS?5$#vX-@o^m; z!?rPHmD?tapD`{=OH0opYENsv=u{0j@0T~6KAA16JuzQ>>^VKH&#JV8D;Osi!`VXR zbBCHl*FjIMnA2?NrvRD2SLA_3bOJO%b+z^sr5P@Eb}xNmeplgzH+}BTd>(T|j8No8 zuAep>?7+kMb`m9G{EwzucovF-NuaANcCF$CK@~P-%~=_p`_O%pOQ@5LcO69@a=t2@iVg52aB(JlQ>0Rj?D1Am8=dTw}K(W3y+d^M; z?~??;WCi~?64@;01cm3%c-G4;iL%j&u()&m3|leY(NDq7xqfoXB{BH(72+&y=d}{u zzO0C>keluMcP|mgf4udm&ObJ6^oJDCMMyZ4x^y6gK*&&gOw>1P3CG|Eh$=j@RJJVY=I;HKg!-ZEUL9_AKtcrih_bjDcys# zq>6xufJjLTNJ)$|LyahiG)PGeQX-AC)F>?-l0!&03^Tw`GyLvx>wetNyPso!-#;D$ zvSzJy$5r=vou>*8712h$%=RASO(?m8kfwWZuC z@(BX&n+q&zLDKC51t}{jy~sm6RCUHfqjM?q>aVcx&zM}|Xxu0ygi*%u93V$r;mUr@ zx5mkJI(+5)>GRzw&rY4W9R4Ur7K^ZNq6wJz;+G=pzsI<^u$SaIu2Xw}QCjRyk>%IX zMZRpN_hq*-X1?$v!1!izv{c@$$fi&0lhvr_a7l-UAiaQamXUV8%)7Mv2DOSYwxe9r zRC$*uQ+-(qN;H9JfFC=v!ZtXj))QTykqWU-Yj3CS5jKC^s5uKV*sFr>At&VDb*ec+cnc23i zVOGeGQBH7a`Pf{x`HJlW1c1}@5ioNR+vtYEuFbzDsY3l|k6#pm))IKlZj5+ep_518zp|3d6ZB$d+;t)t09oVOmBv8e2YG zWIugw7d4^v)w&>W8&$x}PiKFJ?9vYg3 
zG~Vb&3%5*^SlbyVJ6kbKi%6-ZW-E+~MFuDDEi_VVw~9{KY#Y|~Zw%`@_jeZI#+BQH z8$34`oQs}KY7yfFlbuUrV!w4Tb-n-5z*HUUFSD~;+S!>z3&InLHiSn^z~$WT4+75n zpmRYIo*SW-Ho#i3wK9Cydm|{up^hZ);F@7cp7nqYP6JJLz!WA^o52_$>;GI0XrXq0 zUFvbkQZ<5^MH{WXI*Y1#kV|id8&hI-Okd{S0$k+#C*2N(x)PxITMcG8o-&K>TZ@Y9 zrP~cxY$>EmHpR({@ZXP(HEVxe>PJ-*`Z}i{jMVC{x{8jKJX)*WKQ)1fHC#e`6YaZz zSooOff$POLT*^#uGeYG`yDer!gJ!K|ihca^BfOx0Xhcy>%}aTznC`kssiiL!{hrk! zUdjI$MpXRp8-v+yOX`)Ynf}8CCAiCDhEH$mm*azm3m}IGZ5Ec_`V| ztFfKv5!lLhf44N?`MF|8^p{iYuc~eUUXp5yZAesAtTx-1NssB?_x1d4qk!P!oN(`- z-)YPCz}lC6=?T5Vd=DhH<%M&jqV)PmYJ@(aZ#&?ci;bx?sp{seW3qIHDQP9dv11Md zqkL)+3eUGAM8kZPTqayg~ko!u@Zqw)sRTh+wX~>UD zZ5^tTA2X`=o|0RQis>|@Ny|*V)+utb!i1Dib*IW1tjkyCBY8Ql6xF6K`=47~sj*DZ z&Q~!=segArq3kQ=u?~{4{M2Lgdta0IYMg4Rr=IzZ!r>O{Z5v6H2^t?9*FIsZrH6XS zjE6cY*`npEe?WNg4ttAvky;ATyN%SeQub}Z=_T9sBh^p7YC)J37QKy8qc9NANJZR& z$h-*ecU-SY^1SseQk74YMHp^Am9y9RK=xCb&*ax)>2##K-0+re)c7~`!17+t>gN*I^OFl z*Tbk7S8PYnY#99D%Y?;yl~s0wN+Gnb;w1i2pJ2uh{)n{u>c<%^C3j~c4P|Od^shV4 zwQq#B&AX|Uv$2#}ZH59as@>w)f7!slVNXxJh9`P0Va zRp+1GBuS_X$}Ko^Chg_v*JtW!@A%O?QB$DW>MCsExO#=gC0x$$j*Id6<56-0zEUgK zp0I}d`5vdZO>z77_Pz}ADPn0JkzeUm)t9u1$?M9jS{fKeV5KrUYc%JzyCTjv?m0xZ zB>p{<7eC|Uz8)(c{DoLSEurxNT)~i9{+%`+8QAq62XR{Hs8hg}Q(O{=!#Jb|58QKB z?-Kn_p1k7iAI@!o?RaH0x?x1)XjH(4DoQ37#qB9Vu!_`f$h*HKX%Idyj``ud5i_pyJm{KmR@lE z3P$qTsC^`cAI2JCak1tBPuMXeVar49!^32BgX(kZIs*i~2rAcNZg)C0XuPX6=K0Ll zpz9gyf-!VcQS!xdQbzlRy~$>oahCSPPb>%DPp!`c^VO6dmrmB<0*pe zbeQle7F?%~$=qhsK+m^^u2)*SY@QR8PS}w?Jm?Tqy_O{f-|HKgL`~RTgx$ScG8+S( z(P40GKN&|I=10ce6N5{oe)|dbHh_O-Og5o3OD_Db+4s*~uXxKINf90->qZYuow-~H zo1>Y@uQE4_+!QbHEd3TJ88c*#|8|_*WqippS#vI0+b)i`j|s|!#IFYP+=XQ$-wu){ z@wBR^z8G_5ObU2?aemZMhO&0A-?_*o3P%kqixXN50{o}I+)zoS@tiFmA9?2W;S8+l zd=9uVFJP~HA2-z6s^&fNWO~>F8e^a>I<`q3*L)_&zb@XI8`h9jzQUe-AV&Gb>_js> zGqK2ijz->4Yz+xlsaVQB39MXf=Jf=gylo4_C#$#O&h|r4WNH0IGxVGJVA2--^>3va z)}2to6{Y>>jgbn}u&JK80-XC!<`f-C=FFsJOZX?Xn*zdZ>b9mw-(WivsP;EYa(Vj; z9zyO?M6Om^zr4H(P60y`%iA&hdaX<0a#Kc}M-p-edpT@uWv_a@v)}61ZeHJrBo)*i 
zDUkwJ4l)rR*UQQQLkA;5!G#0u*BK0y_s0vpU}m=ap2@ay?--ZrV@aq`+Nhs7H(B>Q z8=ZjjvUz>&VNpMY6OIWmR64)EOL|Ft(!=1*M#H5bDA^0A^rc&XSG!*V_%uc}s6U{Q zf1hBeW}80H=RN+|y0hBPMIkGO-@3cQvae?RpcFTxhPZ1N)Ri>T266Wp)v->+L&5#e zxzm>Wr@rH@6rAw2Q`eml6gl16k>et4bDPUZnoD5SjFLSuAUYcr%CC)t`+qf4Li*NDCYFx=W z^0K#3MIRXePtYFK=0xr}yI`Oz8Hz%Pt&0J&W@c9T_vBB43xWlq0lAN1N^74DMuIPG z+RF)2q3#+wv_7HWv(>SLRKnkqFU(%JX_e+)_tt~;Y4@=+%b)=^Z4H@i2lge@ya=0<`9PR>zclgPn4y@tq8T9$Zd zPCmszt+jfD@D1&ex(>EP`>92Tn@_0iL-r6r&=JaGOwQY$^Mvrajl%0`6EC`e<0T4A zeU|K|n8GeDz)q?IxF00eQhoRL6X4GiLVwT4?C&r&=6vx3f@b0v_$U>?SxC0J5C2-( z?f>QkQ-VCk)M>%0wWEmxHsE=Wyj>#xdTS(v=;63$qm_Pat$_={)e3J*n*>r3>D)$W z6}KFeKGmi02g>X6kuF-X9nc;siDB?;Ff5)Hs$qN|qu~5ZSsk;mBH*rW9MQFzlg9YD z$&Z(p%?2Idm>h5()!HrKt`Jx0s3zUbFW;N>2*)vef!U!ESJ#M{^C`?9ofWigs*%-- zgx=&itIOm%joq(>Kll*3P9z|Pq8J?uAJFHN52V})PQ}%^$DfrEr1H7P!#Y!oqpDPj z_lEIaVQ0i!HS*JLy(KC)gvX9Hm_*YCoAzVxZb?o4%+k(;yJ6j@nye1ZbrucWY*mlDc|-{Ajhu81;|d88fn?? zl1jf-YhiC}6k3<7MbKkZsckW%vIpd6ol@hK#LZShl6J@KCEt|#nJ|K(swF?N%#_zR zG5LmK?utyni>X7~TltjZI1gx6H(&Luz`YU4G<~_^JAxr!K5bNaHsnS%E`|e*XC}Lw z?TX+wA=`BrL)h${GkV59@~2-jel_8MZ)s~G5Z~L%neQp#YGU*9n=nlDA$@D~N$ogm z=Dy~QD$4`oswpKB`UHA2>&z{MqoXjoz8GciPcX$JAevjA8l}sTe1I-$e0+Q4=e10g zVflc=Es)oXaFxQ=a6#ztZt>$#3?0GOyDapJ(&n@RN6%9PpfwnL8%;DPt$Gd;@d#e_ z_~$?QryWus(TBWdJGsT2bR;ymKLY^A(x(s)GM`qo`umf~3ot}58F=tcpFzuMqPmSf z#6zv&n8=Tuy&uwN7v7rljPB@&i%LcZ0lVm zT78@EUfRK=uQXY9cCTbL*EX(~@PAStWQ#bN&kfCZ`mHJT9RDO!&ve@lC?GL)q0;^& zD2V;NtO%Sh^TW_9E)cK1m_p6u@Q2X|7YTS2H?JSi47ca!-^ z)`p!yj9{>b{O-xIedMqDb9)k*-hBz<3Z!q~%9WX`e_Ec28w*YK)a?$Y^RT+J_GbqC z{5;p>_exAY(0dOy7CX9bzjyM%P&iB0-4B!wTrjK<4E*(SE=MEEdqnSgBQGc=Gh?ci zhyw{iFX?Y@1-8xBd#WiDdakl~!x3#V;Lg7U3o2%OE$mgq2vi5=4IvpAR+N$(eJq+S z3;QPbVU$uiw25J6+}u^@I+Uu~5j3zx(Iu9dLR2sxM$DO@5he9|D!(K3ac zugAW;czt=YqFnq(j1uNLkY9yZ?NB*VC8@*X9x~%3?V}YbfmAs@{5l6}j($`j7`)MG zBcpY{>S)N2P)eq<+_>PQL_Lyds!zM@P_9t#Yas zvE4P})tWe%H3cy#ta!w1S^2CranyHBN{S2VaDkwJ(6a@TnltifvhR8l$l(m`#s@CVpXQqBZQN(LZ1JZ^q$tI@qdA0=_7~5xBC~cURlm`WI7m#O@qQawodWItL 
z1Vr|ag`{eMgQkNZ#Gb%H;L4oo>@Zs}qRsC>iRV$WpMg`cUTO*6%_sW@gn(pQShqUD zXSQmfZ=xjJ%iQY*cWRtwgPCy@Xb!$-9z4`fAs}>p>gSW7A{4~@alLwA>vq?u&B^g@ zykbekkSfWwggIA=f^W*k)QlB$LPXQPizL?9eyAnB4w*w(Kr_qZPdp}^)02;5N@BIE zQNKV<#Rmxc3dC{zXV&Gu9Nv+^(RPqceIH08Pqvz zfJ!~=xcZ=Rf6at+Zas|{L6VnePSEQcSJ@e_KL}&ObmJ3_>+VZ0R{og@-lH2i(QWYp zZVHVyt{6nqpJji3o(QIT-?*^Lu$)KqE&e$=^zqOyMl~7cQmX~DBCKa;k^FO$viY^? zj25yt+;=Bct&V%`VhEd|XzE(tprVmhr!^RsVBNI0`zCqFq#+`i`9X2ln7?}@iR33=g*WL$OH%jq;#+++&zm4Lr5ij&O37nW} zmat&WX-*H<^-y~(6h(eRUn3iSL#A=ibQ3{y`8 zTgCi+`1k6^PcSz!)35L8zj6MeyEEukJ!rwRn748sdE2>^4?ltS2qw1xh2pb5hBwav zF#~43KKl`!b8TG23NbR|7u021;)eZN<%xC;=?h%JaFYBCqy5@ED@1n> z{O-@utsL{5$4rOQ9XZAao9cYq|WtDKbsw!eSx4UJa{SUU%5UI7+*od~XM4#*rd z@%Ah-UUe}t0*Lzj+g?$z^I>DVE(H0pBQ+k zH0s30P+q_CpxITc`v7{uZei({&su6#l6&t!i3g57C8_58O;S*q8qK(%H?soIRi@H0$HlYfDS0{uMC8rF(R;4oOT zTHTUGO~`C*4>ID1{#N%LR(F7ZNwliuru6AxRZZLriH*{Cj)sh}VMvV-ZG8$UPQ+xLMPt*I(-l5c9?j5 z8-bOBFDIxeBGAI-qaEhKRITq@{se*QK-W$Id-!}|(3l3MbRv*BC z4xws`>jm4fI3c)NaG3sz1jlC$17yHYRYz7$_agytjs@jAvT=~oP2qB=TT3sP27FvHCzY1H%DVyc59C1E!(*vVep%0ZiPvfQnF_^UQG(D}3l z*glXjKiRy=2y3E@BPH2ee$`3)df9Fk>cU$UC<&23dn|JYaO zC$T~*A#LoMTF+ay`65A^XfEFOKL<7XKLTBVpfudEwo;Dse2^4Pi5 zh6Emj$j{ASP3w}*m>`_~7&1KH!{t&#MQmWZw_4pedQ)`R$fK#6qteDl#X)Ez$43e3g=sb7rXd0IfdNAL#P-e3ka zKL>a+1-7O2&&6d0V;Cah`YKtMt&@FNDO7*(A^eKWB3zg-=d`^SJ;>Z%^qFnCje}X{ zVglMlh(g ztXf>sbZA%s6=}+3?R?oj{d#Hk3^o@55dAheMEJ5osp2?WQUjWgRrc02kY*#&KA`dn zoF?O|@Qm?u`}QOOtKfPF^EDIhY%D7AX#C~%ke zPgx6>n{?4~?b;ExmJ!_tKd7FbYTPsL3%ehQ1S1aojRwVsFuYdpv0CE32baZrEjBR=_Je2!C0)zPrdezRV?KSBjSoXj@ut)i;u-FXpFgXvE4UJx zqdXThgAWrQs>`2Vu(caZO5L}$NR`t!SF4`VLZ6xU#I6KS@8*(ZOh!DRCQ3``C;`Y2 zCA7Eaz_18eJ0T}LbG~n%}(wQ zAq4dt;WNMO@iY3=&CpUMqh*N`8Rr2&>d+W}(dc6Syhq!ydIrpv{xPWWpeY^B-(ywl zW@~UV zUz;(Xq0F>_!{^!AJK}p}NkoVgp*<$Ht?6 z&??v#R|gq^SIdsHrIe@FNpw#Hz|7R@4T+Gx%nmJdkAlzWUt$N`rLl=)Oz-x^>tm-C z8>J63pu~hd+M4982Sk;CPN-Pj|NwKkC>xn4wu9}MMx6IQ=jVKyn>AvtwiM^!AYRx=pI#;h{5Ha4Zk(yUiN67ON2>l2+yvMh@J zK01xH9JD%n7mH*)N!YtA-%ud|$uUA3XI2p#DHTaPrpbx1 
zeP7an2$Fm|#km1kM_`{#9*fjGGWACAo_C3G&{5q*!VzpYQ~$V3nR?H>i`(l0Z$PZ9M7blfDck zkVEEt6$c+t=@4PQZvTZoMR^|uA!re}+#+Q~f0aq?@i$`9EPLf&TZVl8`o|RdFK?t& zdp9fRu+X%&VEI7sB#*i`lkB`YyOL3gY^XCF!1}V0-eprgNvZm~EjT|}+gt3e*H0p? zIU&S0W`2=|Uw#}j%f*vZyKEnf6X_LN7|zwjt&P)ce&;eAN>9}q!c&*+B7_)$R%pR> z!jUgdQSp*q{&Mjic@KX~nv%?qHx*jSnWk9|#)}*7OnC5bdRzh}S;gr|pLZSGx#sUL zGSO|T*tH=2^y|B8_6T$%1H8MS#}xa`wTE7&GFC522~ zrHW9FMs)$dAYvYwI8`yhVB266l;9cKrXZ)Tj~{BrOZa%|#3YMbr;nYL-sD`@+T4HE zy}ST#nw@DHXM`z;AX?-Xo}^uB>NjmP->m;am{zQJm zlCBNkq7T`lVLJOH<*d0YXG&p~75flPt~)g{)0Y{tLtH%1s@Q1l@&ga<8!LLh$ z@18QT0PUKb%bf=vs;M>qN=1&Tss+Q7=y>HT1OVK!|?Ou)J)Y(sXM{# zE?%S;k8q@~t0BJ$NAAs0U7v=@)>-k{Y&Y5?R%?e_(wD^dXs; zL}y)~SIoLTF3TWT4E3KWC=2mWm_;2lYp^Sx9H9D*@t>UERcf3IvZ!hK&^IdIHLnTj zX|>yEm?OzzQz_<$=x!s+id@ny+tRX?3w?$w9+{ADWqSuLIHtN|qSCWy4zf!`u&5|Ubsk=e#rDE~NXkhD_Y6H z7twtLI%Hz446F#LM0_1E!efGs{du1Eav`C+7PdFyyJcpsWJ8~hz|O(ZJpOtTKC~p|^pCCj{G<$@GF*d(rXq?t~!usHdUY+M!6LEcCS9!Wa69!+F zkZD*0$=QQx#C=svD@Ge5@~M`jf>og98h6bO_8E*CvOoL;w6M$fm^gdxLu00_W|*)b zEJMvF&K>~1em)SDdY$UFWqW7c&yQvocc>!Dg6DQEt6v=M*C2o=d)cL}6_gs+(w`lV z>-kQm@zzz>(6JqsLBs2SKZ$SP$#k8cD}1|A#;)T_-ZI@iL+i}tJ4 zr%77Du-nZNPV&E+D}rX)R-y5tm1cI!pb2U`u&ELM0aZ9BqiFsm4blcX>fbo@&WGeY zLHDh%h?-Kf(oWb5v#6XH&7)4%LuIw)ABe)H3jfzT;342DjUf1Sl}NVD^K`Qp@YG-r zUUt(WWNly2O0`riUccuyRv@!pL#R%|k~C(Jet{{wA@HWqDC?Jjrl|vlV9(07Lf_vG znyOh09P-;5z%BxzmcRzW!hSVPQv4*O;JCS*<_SZ-bE4}ImVX#LHD5LRqo8u%mo!RU zx92zn1`U2cwjQR=qdzh(1s0hmnrvN(Q~|bw-@GFuT#XqRF9O$Ne688fvu39h9KoMb z70i(1;&9XSwe7i^RIkbKV!GqGlGsaYLsqHT{Fu#VN!XFdGHlLEP}r~DZ}b?TM!GBO z_%7X3xSQ(2hxmh5a}^kvW%e+PavWA!eeg&n`Y7A=?sJ?af-Z8**flHHH3`;-#B^2z zBbq3>*VMWQtE~Nx+6FzvCkf5AzK^MD2E=UbTDAlLD?HJ&HK0ttvMT#Pr?)U&vUNlq zG)RdhmY7y?M33S5Qrll}mbVT%BZLfh7$OC(tE8)`wdzHS=FIRwNht1O#RmGJ{F;;f zspRYUNO23G(R>!H&0p@*aM=|<@#f15eyP*PYm69_qxz9%{B(wMh)=!uC@1#h6?vRXM$Fiy-z_qIlBcPf%A>}pv3mFFdH;#P!zeDe^yAwP z$?x+lPwN#L%vrGuk$#>!s=X2E>1m-*Z*{u#bZ6a+-f4lMMzl`4xGXF%@#Gd+^oG3I-J5G=Iu-^ z8J(~)~G>D8(degC@OlP(ZyUckD!f@ZsTCxx6PE(hgrBG#L_)R 
z`>2I(NBBoKfvgZV-A4G$g0(R~TH|t3BWBVXEVYtR?MDVHF_%PV1K2}eiq zSV_W~ZZmt<`5kXmXQZkG*UmU4M~5rS!%paSC`EniGB_^tXFk0S4pN-1eemS`nn(Q_RAjKV?3EXVL zvS9Yclw?mLby@zzIH;1}cpOTTeIfVZYxUYwlVx|Dm;3y@yc#p^q(r6#4{e=^|M29ZC)6juTWk31&*Ss2t6{IXsD-LOqHogv z>)fA@!ruKJ+msmI{~*f0g4Qkpzp=QGa^XJ|f&Ht+|A)I#^!8nkY{;F2KV|0sZ*|Ox zr_V2%yyYSM(QN*E8zW)bq}7rOGT;Axi?`JJyu>0ewm*2+|M@Vp3shV^8fK69gKhYC znL^ct=}sM*e(F;BA7}s6+Ej-Mc2NzJvwvHt|C5oT3n@9Jf9LNDb%k1*F6=h<_xqiA ziaMYEe`Wkh)Bl7P6}JDU%1~$Fc+wWq=sMq2Ygz3a?K)Lq%VL%@^LMmrYC%QWdXS0L zMb0NwLYOM=X*U|4mc~=PKWWX2v;Hdg^y{gyTKB2X#o&d&LWQOG(s5|M|2Y@_H?L9u zMxD50w<~_lo@MBY<^?qQVUyful<+N%2h=_4p)HM2VSmYFeUmB)|V{`=dUKfrVf^ zP!YVDky@8;vqf(+4x$TLS8LZEw6OIvD;aXdTw`$mz188@=D~U?JdMh(zj@Tp`*#GJ zmp%Cl!IY`!C&k3~BJ_wjg~&>sbY5I3R<3B?RIEP2q@%8F@P?_Q+aO44LL$ASH|36_ z9$|CdWJPW~_NGZeiY;}2f*Cm$x_5O9Zja!UzWStOoBS`g@&A4l_K9j(*oEEf&LoLj zJGT)h;AxeP-ANN)b_bP)Y`ng6IG2{!iDKI@2`Mz$dlzh3Wg}vVGl>>AltBYr_@YE|BXv}L%r)PH&)l% z>DgqiYRBktETn{QGqUnL587W(EJ0UNYXuq4UUIOi2W2V_vHfXT`;YQ(b*kt!U!Wgk z4{ezv!nqd$mRPGvo6X5_Ei?I-seYS2gj3RvZ-__Mb@X$~vCq%9B5B7I5?4lGUu!R0 zmlvEvX)?~BFvI(ios^m(UC7QGp6_p^2k(BPZdjNvZjvdW$sYEGF>i6-ec{kcQJT05 z{ZGJEul~&!X4HQA(qk_y=4CYb_>>*=4RL9__!#-Br)Y%cqd5k9ZZzd9Di zsTj?3O7fp|EnM_F`7HQ;$zJjxxaY%V%m=M=I>NiV*V;wCkGVkK^T_t`Q45}(2Q#Sq zerW7iw-(w4*dtX^3Qv_6kWO%eh!~c`Th}Naf+^&6Po))=W z8bQ_&d*6}!&QvsS(=;$g=apj4UkPmkPTeCey(a{!jNP1z1gfB%0qgL%IXeNPX4?H;y0W%sQ`Fs znzr3&6grd%UU04X9F4d+tWC?sro5%TPAxCWatE~?VeYD5@yks;p{nL7eTefw%F`y_ zHRCT_{2^N%7%Gx)-n{gct?ThZ8m&u|cwLX!QhEJ?6cfL%(Lx~1Qsf`V=%MbR`;UHf zn1(8j42_%PpcMO}54OBMjk>Eqy@7EYoO4D~}*AOCs4|hu?l>oRcXvxT(vX$ot-BDOx_wp0aLHTt()N=tD{; za;yCv!dPTP)iU#sv~}Pzdsu;4skz2$o%rji7WR;dvjWP~%7i(e-`LV= z%8OAH&Ei-MMw7B;T=Jshb~ihI8&&Bc<@i(QZ$81S=Ecfc18WmgW!;kke|^;c39|y} zq&q+UJ>j{AG(YEq9?knA=;UOyK3aEQja44y^PhhDfJCiHRO%gMdojYG^i8+O&g#NC z6)LR?*s|*I>aJ_tN=%}8u#;nqCyZoWV$dxJ3u%!_Tu)fG>j6%Gc}lI<#mku#=)Kid zIw9{O>k$-S;jf>OP!d+UU3;hjFqDOfmS1=%>ivyXK7}f&^f}Dq?5gyngyx+-G2GAq zq_N}fMG*s;;EhUcQ8h&LGA6a})|OVmdL$547Yzqd3w$5oA7CfTk-vK5m!QX;7Y#dI 
z6VxG(q+N;)aV@)pVSL{TO~6_imdq0d1?Ff zT#igx?oaN<4~`kC0r$urEb}!1F zeC1eTgNjuh1;tAW-p|RZHxB#T@~DOk-ncia>sVL@?vO2quyu^~71$h$-7$#y}# zMJoPdq=Q;GL>vSs0*aKytDO*jX=m1{BOT>waekJTiO)d>JN_e55JWXEBI&>lS(o9Q z0Ly!s3E87WoFV9ttPas6sF1h5>12O#HMslZ)NY<2rDv5leIIBxtBHO)3@*#Sm(Jet zT{YUJT9(d}4SB1fCr~sQBai$`o9`pBVwPB~{l|?s)Ih-%I)yq;;jI}!_VTB&6`OJK zIN0O!S_K`W`MN&y&0xdP^|l-BB3!J$F!L8#OIAK<%$Zu%^AYay$PC`6{}C9t+Q}ps z@*%l<>&G{rkur_I6^gPNRc42*&0d$=YD4YFZh_Jm7S3A_L1qgFY4foHDork}pE_^@ zb+ZF`>LqhjNTFKDKm~t62HIbrG@!xOZi3!XbRWE_hAG&t?NwHwsL2X-8a~>2QKict z!y_vSj~UTZ@k*mQKuJGw=4-w8H8_e%T58m_Kdf+bH@grPi&jk~0dL70BF>(G5l~9F zUkk1dWxRsh1rr{Bh|IQKz^6(BFrPx-eG0s%GJUn%tR90uQD?h-A&H6d%&HQ1`+$44|6?R)_>c#47D7?~C&5+2k}TV1e`L8;t!NwPdc=sHn5CugNbC^5=8zqcO+u_yZvtRYwycxHjVC4ijOu`o?^UYMp&(!YNM|4Gr5Bbd0TLIL1 zvRA0KJXvlHNKfCO5S|dm_eng+9aC@qywum>L$`{BnEum1pQrAE6?vB07;v9&z{lp~ zX(OCML4G=cl2_l%eY*;f>vhN;Zr`E$HSP_*wE3^uPMQ%NJfUpBENeBa!vH?)*=l31f2pk$#?cZMNURhQK&ek{tA!+=m%>36l7m!;{5U14< zToHxCZmJwi@B5*g;LX7*h~fJ0`i`+2My5AbZ;nF|A@!iI#^}d6Z^ggOW7FBi&m@`9 z#6sjLr0Q^xjP)o|9-T2Jze+V&dOHMk;xKsHFfYhiMSH>mqJ^H;ls0CzedPMyFNsDr@jQ6Ne|^$bYdG+#i5N}d_cHPax+kMRCXI5VFmW7aMfGS(l~p8{z5+>*oH*w25`-!~Q9+5NxR z`^u=OyRL6hK>-n@6i`5sF6m}45GjX7TBKWAx&%ZKkQzc5x=XqTi|%evN?I6T$l*OB zUeEKacilJK>;3S4dOlohU9QEMbN=V-z0Z!{ZyyIQ$acSSP@J#M1FXl%4MGU_dX#5f@W&guN)rI?hIP{KXmp};CZbnfE49$4rTU7FT(Xn_7Bk6EjdF|28 zSoUG*p@u0lKei%>59QHrdDX04GKj+D!z}??-jd$#`kUu-}5UVF@@hW3mWB94a%fGi)zHv7?R|`HUSq9hAdVf@}rTM z9+EXWFe{F}+3UT_ocS@_+^@I#!kosovVuR&vq<$H#K0&XVByjmet$x;Znds$9LG)3xXE+X67g@+nKVXSN-^VL+`iNPFg&HF% zAeV`t9ye4|L?)Glezk zUCj!=|4X5+_`IEp03@rq5ayda?z+4S?CPhE*0F;{vU@*pwEdSBV6iYW3dY03Bk$MT z#WLaM8H`i3q`|~^0eBs6A`NfedhIKBSX}JM8g_@Ya%Mq8T@L~oSOBrPUHk{VzWnZqT7Wvskk-{Wl_lr5#yuXcS&FHQEY?+%B0 z?$zJVf{@|wD(^Yrv!hV(2Y=nRy}zMxX=r#_6LFpdM7&s%&n}&oH+Z+ zlxuKW5aQhLqvyCTQNK!}08VJjh$PQKjA=$}cps}iFVCA;agXX)E`xyBd-}dX#!tCy z>i05&qK8}C81c-x4%QJ~cDjqHSZKhZI^jz@nyf^N=*Ryi3g%6>tNCYMsk}g=5*juff z3BjwCO|St$;bD6S1id?33)jo?R1EvDI96d}2i3WHc*x4N)wVuV2oEx5ka;SFrS}*F 
z2nkLyog;osMBlYve#YK0spae!@Hp;&kL~&Bvlv5MLgPwt8;48wq3DrGnDfIAB*};U z8J!6tCX+($yDv-D>kl#tYSshy9Z7G7YpdT%Z6N9^w;G%MD5ikeZ-SupF*zBx)<;-8 z#tq(Bpt;20MimGQVzjKQ=&K3<3l7Bm6Ha6F3x|FRHRH~`^6My8op-*Gn~7z0O@*OL zRO~_~0NZF35%Xfs#N*PyF&gB1;?~_4L_p()3g{-1@X#itt^lRs;ea^W!FL^VNZvd` zwRnZ>GlT#K_j&!k^-bq-TZTC14stRtgOrglVt81^m{&Lz1oC@q3AJY`Emg8yP_th_ zkzRwEbn6(Z-{I>^ei&H0{PADsf&M%F<-?6lI^Czl&)zoISv^BTL(M+oI53SXl#Z;3 zeWyOli|pdWdCw6eWuRBU%4`3Kmni<7uY?^qa^uP1Yl_Y+m4;#Kq}W-rrQgEWShw|f zD?hd}@P2&_Z>+mbS@bk2eW$XdaCb<*7C|K4bFG{ zd@+Hy$`>zhO2MoZ0M9(WVp*+(ike-3TqT2hwTgF=oRa^x!9Z%O%ZZxCCTYdZrx(kwf{ugSvL7Tyb? z2lX|m!1}Li2c)hc>6N)xrkeCN3lxrRmrX;D)=jdy^gQ?Gu-W;RBcq!PPRFZ*=%^K2 zv!7VUxn6{iM{wciv3r;@5tMnXhyu{K?!stj4ZYyEu(9|C*?EgrID$$oM~cT))peo- zp2e3Lez3~)ZNZ-?l_hyqz-cKR)_Hi^+MBVQZ4NkH^j}drox)| zk#9jH%5&A*z30$>Vv)qT2*=3|=v=fGq@p1G=D}VK7H<0ZdL{**xk|z)=XLhFa`!zu z$ntIl&1~{kkELvtX>`;qJlaSY#NhTzbQ+&;SkHSVqIq8SMcb_`WbXgcVJY3~y1!a{ zbgy(vMeVpnm=pd0OB}tepmXFzW{2kyfrmZ4hsBoM08?s101bP)^BI$E5OCXBsWtA5 zYCsB z8xZojb;jbK{3_SPHI-OUUdJe}swQeTw(IQ65mdaU3cA8nAD<(Umm;I!@WzaRN$5JE z#DU*YE7XzM8QGR?QOBF>Z=t&OX{yt1S$${+Z0y{8`j)z`i&4U;OqAa9ol4=l!Y1NWXjHLOoUplm&BcYq zhJ9e*Mn!kSCy^q{BaF@@Ob|CeiaHMQ#4Bg z>9eW4c%_Szb#9aPwtjbH#Kb|S%0BK|%hZEgvbtDn4z^o+dIz3o zDP4&%USJu_w4{uO?Ia(LQ+SS-?o@ts@~@ZnpF{yAf4W!Ri8sACRH!G)s*<&CX8bWv z{=S9{;>am6Dn7L4k!n^4`anfSA7uU>@J#OsMs@DA?LWyjd9!E?e?x0bvQmANRnbS78;k^#i~u^DL=@#tY`@@FG2 z38Bcwjxme?2DYjwJgJJ;d#bZMfbcqwEL;+^pKrIzjY{LJ@N9WcPkrJ!8j~=(ZG6A3 zYz3P$%S<5e3fSy^NI3W4m>Oi4cWaIBD!Lv(t&>MoS#UR*1_Smxc_Q@&Yf`KIqn+%h zD!RA*2*oR(@?`8{(V?$EZkH(30Dk3zsk8@JjOqQEA2%Ov6L#=scvcv;gez?J3)Ov% zvufIb)~LhFwJ=-iurp$kxoHYY7}iVu+5GROb$#s72S2(Ffp?grciRS1ckDr+Hj9kF zyU};Wdaz-wOjMtVsZc>z`wT;xl#X9o33vsB+CHM!A!X3DON24CUZ{F|PwT~2e-{l? 
za#|6(uo{H<@7J}ZRQr!GI~zjjy?rT`Ph$B})9!@^ooa^`cHP=xDB%8_~0ky?^bd7DC2+Lg9C^Vj*JyEeS;Zth;a+&!+&NR0vC>^MC zSm36CoM=9KetwT5Qyllft?Mvbzs-Wjx+S6^ds~fA4OGma}6rf~`FS+WmYUUB&zzcJmNc zfo_I=<71EBU@1>(*F*pi)$^SS1mO+0s$RNk!clC*A?n#8p3A}Fk%`c&-_sxK3pH^# zN|_rn)eCjAtIf&_@@%x32s=+_MALdpaH!M0HuWx)wqBQ`GF28kui4>`Cn#*twWmQ@Pskpa$L%%e#?e{m37o7OVtmM%dL#+tJ>5wV9V~F z-`|qW|5Ih#e2Wu}DUwDU?hvB)y1e2{rK9>6O{YhKsl`Sus~0nj$180!v?{E#m-nxA zc= zb62bKrM`A!nsh|C{mwLS+IfISm@xumyJKafqyyOnvBCJvGYd1Y)PtkyG0`$q-@zWU zJa5U{ARL5a%;;6Y>2pYs1etW7W7Xrz*Q(%GZ1AQKcF3wa+-#F4jeMTsP0sVY!FxBZ zu7?x4fIrYRslGJXg?NT&X|2#hc+N*EKb6)24O>JyC`>+n5Qc5j;mvaO6f4_~jq}bl zg+jOE|0z*Q6K_H}qF*UsM5t;&5WPDi4;S|c-ru0Isnz$~c&Aqho0(zqrt^eN)ED4; z9PIG*$Vs^@rp88qMo>FENPkZE&yRSrVkmfwW0)l9)+}Uhx@P2j#U#aM)9VFZPD}LV zsOHXo^qQ{74fFUFuaY$ttptBDS2LBzT2T4L{rF%?pxCl6Ob|M;ZFw2s2VH0G9g16SM|tjcIQyBoqPM`i$^^I zgHvmWV|1-^hgYa$sFnbP5SUT6)aNYrUvL>?nBKIHJM_uVQ%&tYK3okx?-pEN0qV_K zx)Tqqw%g_e&Z=sqVaGXmcU4_*VrHggoS5zPV&2SVpxgTjx=W-4$Z0&^7l(+4X$qzF z;Skejl3v-`4c(FV975gCzR+e}mF(sq7AO7Xa7i8U_5!x+&I-k)+m)!jCXn~uJ+PAMn>EZt7|Z7br`9(;RxAlf&P5XgqnQOB+u6% zb)P=Do|wJMh?G}tX$RDiCO$e2YGlv$u-##Z8(|VsXKSXDe%5&3V_|VV^IVW=V^$^q z5-Z*;OL-me^5%=aUTu@*x0$RJ4C5s2j)n~jUBjzo0+ylWj<~~EI!SW9%{s1!9$uX~ zu)WXr&^2buN~Sa&J7kyGSl;UeK0qyway8u~xg^Q#{RG@6lb;vsiB%mU{q~c#-f2O1G1yjw``B~zB-W~1U{<1{2$s@dGD!yv? 
z<3WGStaJLMfy=)~fRm!+!=LP9gg}EB+*s7&t(R`e?g~HzY*>mPBO%8#dQXoA8wz~y zk&@2haPIoGp}mW_H~K0mz-D5Z3RsoaMu5I;UzO)-h9(RkG>Dt&`Jt}Nza)8(+V&lM z)*INN6C;l-zt}CCtg||LsyEE-gGYR9tv1HF-JNJ~=jW#gdQTgQ>Dz zx8y*fhSwql(ihgtI{f{Zfy}i~CL8)`bArO%G68=zmAY!yDbl_I$hzUv#IOzgdbqt9G;!Mc`)32Q_SZjcvVf}( zHI-@_BnX;VF_Psfx$E4w>`}4>a7t?WbjE9EiGCg^=9|<>PAVp!gSUm;u&lNjXuN_7zzVw#cbgzjmxzSBX-kY>cNg=nIf1SpvGF$bLgIWb zn}$dv{CFIoIq|K-cb~~tnuckXNLzy7K6}}qF_0muKQqsHWy>5M$yK4(3-9 zJbuIVNk(arjn;VQD7juds*Ma2Q(v3xDtV^I8jV;_J}m8zK`&19<|(5y8s0+=e-L5- zFTXkGj-vZ!LLt@|tbp%*tGEx3_sp}Iy^yejUT2AQccxe0CYL$I)SJaYUx7sBERNP= zkac-CX49rrM;0^7L7|rC?s1_%0Hn%>jY-Crsc36JT29FE2oy1S{s3l<(}^EJb|##s z1YfQL!2*7mOeX*GSV{wBjToki3QD!55af>QG3mt{ns3_})ZmJ=VS0LQItO+LlJDR) z?v=Z5rrFA6(N~jAKSO%C^gFqhA^nW#S!Yj51keKKo`RFl5cY%m%ny#GgEDVCu=wBh zm@m)a>+Sk3_Gc^C&FSe;fT~n$Rsm&FdE2n*Zw;&`YnD{os=C>G?H`4BcEGi&8RlzQt8yT(A zXKA=Y(V{XH2J%?~!vcmszW5shcN?^uGur4iDKY5^X;V>{4FGj!QyKEj{!jH zveA}j6|58l0K^P$*9d#pa@0xIzKf7NeeEWxth zmuK;brXy^WhIqaM2vi&db!tDQleu{beHd;{BYO^=+n35%msX|651!KS82xy27m;@k zPP6WuDpWnTCoO#I@JCe8{0QMfM(6hh!gX_Dt7u&rX3h`xFJ=bw!OTAra9o^>pza51K%j$ayB^IG~_%xO9P_?bH0qPJFh)-YM}|+ z&#hn4`e;qpc&_W=;F_z0-DP?c@G zRXLa48gQ-bLN1(nY#>*1`S)He;YyDg53;RrRZ~f!lZU30PoPdnsFDp%{ZEXX#BCq)>(g|>C}R$Om?)%^O{=UtOkQIsrYe(-gZMvPPb5?KoeS=UsdLq6 z!B;7d&NahRwY~5LN`QTv~9z-Ey|M_?S?_r#^ zsed>Be-Gn7)Yt#jjQ?RKPSxE1KW3``k^gLtB9YPmy!`$PQ1>sdcZoew&qy5QgTQe!KFz zfM1V0q)Ws4`;E2W8Y8fg!#!h-hPWWop#SRfS9_j-$)%ajx-65HFc(e=h;P|M734tn()^^?Mx*uK@izi{{iATf!c*Dj|r@=t=7u z2{CYn%Fr;wvm^@}b86m=?0;9ui&^C;NoL&{tHiM38n<|}@c*t-1+(h?=UL>Zuksxx z42ge~a2+gbDW&P}s!EA4t8Dhmh&^MKzyk!2+dTW{ahrcQ z8d(IVud)q8Co~eX(R}yE1V~6?_UK!q{OPk@?tcdaYWvF*hLgYJwegv!o;DbRZIjwp zX%D9F9=^Fo*A6l}%J&GapRN={S(yElnX5dJF(2}~&%xW2*wwtM#AEe&``0Zh*4Dd| z{r1o(gbl~>@yZ1LxT-R`X+say>o1c|O2)@RLjNe`#)F41WO!ok1belHoA z)G?Hkk+utJ&F4zyR(efJpB|qQ@6dDPgkG*Nw_5&K(&f^L6kTu;?h=9@xz4SWphhhU zw|Aav4)&+Twyj?=f(FJX3n1|mL0SK`}rnbwV_{o(tSTez?e`} zmgZkimxaj$UcF@q@+do$1p8a-Q&Tt|DZ)QaKb&*tu}NvCl_dl@PF!nR*hRbB(-5GTv4DyOF>Hn<5;VB0YTvzM@jl9 
z=^M8D`1N4yShk@Pqx&-Hq7v?#n^~XI?etJ68)>*yN|m{w)K@XeP4J$^4B&21e^Pb9 z<6Z~cvElS;e(P~l*ivs8p{x^q_=4c+0>^UxqPvn}%HJ>dCuLgv9OHXY2Txkf61GgN z1u|mAKN0~DvKdH_Z;l9dLIsY$!$<*m4hKKV{q3rv9o=arjMf5M#*x z$3PI#D|CB5QDLO`&7d`ZO?Hv9&9RZfO4P2z#HBIICLsM>Fha?4oo zPLTx8)tfg4y!dNJJ{bhAOx9_!sO2#Mh;K^(GuNe4KWgUU;hM>%p=Vc7dg z#xuh>0sbLJpd$eYH0d)?zAYy=gVcH-^{_( zLwEkTC}DvT%wh6 zFJ}e{UsMdI3baHJMrH2MQ2G6Vs4y{~A0ZBIiFVnAQ|0rf%9@f%sov5-=K>nj&d%~s zVW<{fJB_;MPGSANIR(GvvtC(B0c*B(#BsgpG~+F;yTl*rJq}vKZa=hiPJR5ocp#LV zUDNP_WNeY#(9Y`E94Nw-llfoXO`FN?11${xrT2u{pqr+^N?h8S0cUm&R6R)urbwHd0P(F2R6XZnO%ku=|B47%4WP0P`|NjVtNcKSZ_|4jg8X$|z?9uhXmhCYh60Yv?A`+W zI_jf?xMu9Hly@A(s+L+pGIMf*!5>G@yjsmy#<=ju38r0eFq6yT6JJfSnJC^Fw@8OY!akN;tbcq*sA;d%Jrz#vtSaKqAQkT8=N8-)huw3{zq$ zsG6sAs|CqMJ3uyW1B{S#AeZHJ0U6Ppde$(A#Yk~_?e5Qan*ci!6e7ubFb0BR6P4x0NO8-4FUX0s8X4^DwSaMY`E;B zrqp=7&r-1GeYU1Iq+wEhCWT`dnqw{@hFh^Cb~ys#jFaato*l`#BvL^Y>gy3Dmn_Ob%!SUl`>Ime4fzG@u<;t~8N83s#R(|&f% zXqjuVypJ1wB?@rUM7nL04uPrcT$kuzoIp8Z!Ph2g#$*INvEg-YD49atI>Y`fMW<0v zZ7Gkk{P-E*0W6~u09|+Z;nDtf1R&`S!+kJ3-XS?mkuP^5PrFJ90|EvuwLv|TRS-N; zP%&oyL>NcMxBYz!UpJnJ7a9p)6~s6SxvO#jQNvP;{QZ?scC6fLwbuxMfdlJQ3gbnb z3wTYt8|rDq-7E81(rliJZaf05iL}x{B776rZJA^A5xrtVlddH?mCVz@64aMcK{d~d zNMIe59^2H&?N(n&o~B&fiooKaGgEx1b*{c>jbye16r?uE>pG;bT^w5QkCf!Titl4b zdTKb)mWzovx29A~MOSem*z9+_G!_~ao7lv9YPAH+OzKxy49;_n6dhH*Ouk}0s=_i< z!0sWB?fdos*8gN-e2ZGS0~U1+X*5^3Rs+q6^=hH1F*BWi*OO{goqeOo=opq%(4m+h zEZx_cFbA7|*Db?mUitOX%0TSmxq?_B<)tz+Wj2GJqLDN$n<(~Nby;lWfk~*w+T8Dm zr{N?8b!u{yInNp!k$bU+oty0cQz4emYfYYw(GqCtcQeaZ_R6K42}=z+OKt zV}4y$2dB-dEt)+71IO4|pcEUdu+eh?oES@qfwG?GogVY+;uDkn5WSB8+rAcQ8Y7jv zU}^*h_sdv)+ZrLs`e<2OfP+Ieo6gP>ApT!1=({DrFfr5}g7f;&s2gC-$~vYtD0ens ztD9dT;A#l{C0OPf%7LE|<>OF5`K3T5JACqsb+u*8&T{nB=6W(g=~5Rk5S4|W_6h^y zF&xu{OjUQ@Cn~^zOpA(~VynF+GH{80b3q>=?)G}w7U)rn0l+Q)_>9-JbVB(H68nW; z%c?_h+!I~qV_$egQ*u+-Hc}Lee=~vHP!B~`qo^xrrh#_er6&|ZpZb= zd{P@Ft^OVl1~RZj3@+OXVzEOnPY#?b~v%apc9i=MWYly?T<0-g7~;LD!E{1CZ_ zEJ(gWDguZf39p8}XTi%TTVmBB3K6F~2c94L1V7vXqedxLjos~t9En=Uo?nL&?7n6{ zmXoEvP_D4G3w 
zuntRz7r3sG9)BnH8FfN+k&Gg?ySU4yv`Yz;MyqVWs~r~U=}*f?V^#02ZJmQxx%!G^ z#oTr=T`B$Pt)BF1fZy+H?$K9#WDSHGXT9Aw1j zSFpAGzGQ6;G3ay9`}VMZKHg z?e5Lf;Bk8fE8p+1@ubs?ZL*>a*aJ|Fm0~ql%M4t*@)13bqBR!Sf#zMigHmeEHhXK4`dH6+#d^>LFMj0S+ z-kB!(-b8iE#y3m&d?ehhCQw|aN&Y%kAk7=(P1wbtP_ z4!${-DwUKPo!Tj`6}?tikksa+!(|qJ(|k10in6wsKbGi)t+8d3FYR{Z9-I01Y@jCW`3BK8xc0L*&X2JCv&$bBH{*emQ|5(Q?mGAVQx%-1 z^v-*X`N5*mDVNC|H7%MuLQPfNzcX|U@P~I8Kfd&Jv(VG2q+fa-E`W`@Yr1{Qk>eJU z=N*-O_!xF3uqc|2PZmBkYH^fAXs{s3mCc~6bbF|c3*rD9S$znunydQ`BAQXZV2DE_ zl{d`^Gi0abhnjhPK3)ZrQ0s&wzr*eNbzLFbx;jmrl|=W+0-^!xwC-XY6b$PirjS%^ zVHl|+oE5sR#{AaB%Q}Zi?w%@X4sggl+ONACv8v)_EY)sHM06&k*JSff!wD&kr$c!9 zlG7=FkCfPFuJEZ+wW=0qCsBBq=djhj80~;Pl?b@s+7Mzf)WzM?uYWQHEK|;9eqFL_RvB+#7 zjVIA6ikie}M<8K_SJ`nL0Le-MkGPh)tUwv}@H$N$DPrE~jnu#!* zDaS>oxuxfReO9m6qKxL~g~9>TQU~@^-d}bJd%pRtXwJe-`zf2_1HHX3?i&@K-9Kk( zVIw6+aEEkR-**bP)rTH+tyzs30vt*)V6*wAe=are=4?kaLUt+;?{n2s$!y7M_cC<2 z^I|plAFlHpjF=c9b5xc3++CcOIt1QDvXG4%_ifH?4&)ZLz9``hRBP|4x8OH>k&ED6 z>Hb{rtWTDJqLHVM(J_{*-se-V0Mx*P(ARb)*9w_ZV=UoZ^>opm6u% zJpMMj?`p7-GNX4_`1IbGt5Vk$26$b~QDwak{SoMOuPxCXwb5j!&=JQ^n-=A597C_P zRWEGJXX)~tOld92&+^jRNF;~yV}3R*hO$sGwWr*&x~lo=oQF8`zc7A;P^wg$8d5UT z+OZv0(6qXaR7BEeT4&?9>+%dZ8WT_%KNNI)P=Bs0fqpmCCOazqDR{FaDLusM$vg6L znO-9j#@3#NM5>PlmwdE|nL?fi2S|bJ(2dr(742WxxL3)WM2W|%o3Em{WjRA`3MmQ4 zAe>A0kpbxT?h+FyFr>X@AbfgOc2j45NtmRee-&VkBjek9gRI?}4v##`v(+-S zQqBciP#r7}pv8>N93&>Hwnx*Y~ z-u}%;CB{4Bd!Y~x&Uo8ud6?yrel#7k(Rnr;EpgAExUs{9aFJWvIUXoJ4^>{hoht88 z4zB?a;LZ-Tag^wP$ii=@BG@||bq~t^5v#&4pq9^+ik0XWDtM<-?t*-^D9k!R&fmLS zVDiRCS;qx@l3JJT&9=E;$j*oiW9hJp0)+UQQogx;z6SRkf`JtI;|SH1Fm&PApnfaQ zD*Eb%fX=>op2pJ^Dv}u7v88frc2>wid!h{AG|xr=mE}v8fgQ95ES6~aGV*(+^$|H+ z7$rm6oK1lZ0b2rU*kBLu#okd-sDv~*(-Js#9_?qUek|zdm5);#QAa6>QY;2foT&&P zX3y1gcS-NA#4o)Xw|lNxC$*l9^~1rc<-9nh9j48Vg<7XknHM_h6iJ_%LK~0$^3p!{7&SKGnp^jjb>$GX?gjfE!LX=rW)!Vk{qk2g zZPAY}f;+S5ta`G-jS+7gCP)c6X5?T^t$}KQr|y!Fnk5StQs5WW#=C9GMqor|f-sRiFKW zh>BE(uW06hV0L+hz|e6_(V!qQcp;e5$j@YlBEBmK;c+x-vFV##lxF`<2d~4XN&Nf> 
zn?mI08`r17v$BDbxjnmD#rB>xDyVmM)Y&1)Oruo|1p(F|jTS!m`+bNyY{uL$dcJoE z>jKW3NzR0L{Jz(!zk3ec!Pt~2D~Dyv=!E{F4{DV?c!E~#UF7dNy2v%9O$PHc?0zK& zjyj>efQR5tCYLo_SUeMG^5uc3wVeJ!sZE`_1<8{Ec^J7HdT${;IKbP0--BAX+-|OQ zgokoITPgy>QPSnhRrCgWs$f{AdZ8goPeI8$N47PWkdFm*Z zp8t*%cs#bgko6a~u~2ri1dq+}P}b9gJGtV=qWUm~t!t&nARGh1?h5Yc+DIAei=6gh zBx-4zm3>SDrym@{g*Uz9jbtrgkT&U7`EEIyXFvR|hXk4~wcMhNP;=*`m zMPCNCRXexR2l*+Fipr*b zx@zv@cDv`FT@ns*)wT7zn#8XkyTrYW@Suk1-3Vd>o!osr%Z}HLJGY>W<6gOX5I3Ei zRUN5)AzS1<+5D=niiHqQvHkF5@) z$n_z??-wNbLP>4((mFy!)&viN<@n%laO=}nbw^=4*-oyZDZ~4*kgsK4B)@}JHqeRA zpqhZzT{J*Z-@=P+pDgu5l*H zxnbH^fMC#eRCT}6Xn5MCZ zt2!*C=IK{Sy7ucYg>?zsEDv|IoLPS4PMJKrA+?@-|L!W%1^GQA`&ncW=keTa?a|D%yCRHQn#C(IhgV;V(@VGQFVJ*xli>7f8ckPU(8+cd%B1>S+k4d9g{g&aKxVZdQNs zsgWq!afL2S{`?D1$Woz$b<26tmQFI`E0SEHUxFDEhH_%jbp`fv>dj4rDAOs-v1`AQ zx*$&3jyne0@aZpPAp7pMwH_twDhDyLn9d~Hu2?*4$aF!@mvz~$#SEfk96=BPUa~UQ1wAwmd^%bU4 zRk&8F=^OG;kMLW$@!EJZzD^C!{SY5xHp;k-uXjZRY(hl!>)re8zm8Q@_)rpTRqAPK z7|of$u{~b<>+s%7RdrX3la~|EkE`q2GkiJ^!4NVarck$rgXEP8`-+tT$Xc(UB zQy$JM^q<`jGT}9Y3H{>Qzhn=d&Z(#1DUJzPUtziC@8NXlM*Q2BvUWblJ7&sepH)Yz z_#Cv@-oMVPdO>k`Bkf=xWPdN+rpXWHwH~iLKlPw+K)he>tJtWsqE$sKLU~)fPQH>q z&o{JYy-5G7rHGYCKR(Qy?-oI0<-#(;yuo%G_ahn%|ntwK5kaveGd1Q*^^;4Do$R= z^+mxB?&tUC;8{;!omy}<43l8K^={8D^_yk7OjNOf{7_L-C=DkF)W}LmUthT?cn=B) z9{f*0UE$kBzga+Y>MHS2HT7EvcZH(E9)%#*?5xZE0wf4y}&LteT5 z2;*uo>Uz~#+4zcW?(uXrFN3Czzg_Fpr$7ew#r9J9doP5Aac88f)#xLg8vR8jm;TB{ zC&1#i+p1c4oIvO{v(KhimU9R~7?7G=J}L*E-qS`MTYuiV>GO;FiALGI=|_FG2be5P zGGl^a$CpN-nID03tMS&v33?ENXUUpnmExPi_iR?4xm1CiTz5gjR-CAY42<=I5>WJYB&{eRUgSRTdLM2{pK5&HLZqO(cuz zxk2F^+n}kMMaA#@irKx+1W9gO5QgXsh6B=rZ_N>LJa-9Z`Eu5S=#d&Y+;>< zimmkokZ6CKEy`Huy8Tv3)`=rWA8RVjo*Mh+gAaNc0ZYPThY6|i8v8A1_oTvXONOvJ zz^x|s80cVYqh}DM%U}uffVUiT$=U~H=g@&_+%*!?a2C~^C!n3?Tcc)%Uvw6Oc^~XR z7Ejs#iTPk2GXpJ|tIe$iLdYSlu?vUWB-;!H@qcnUgvy9leVj<% z>D2r1NAaE;&LD5!3epQJFz49c{s{rL3_Ht=#v_a(D^Cf=EAymonf=kUO!glg7^~Omv*DQQZxQ5WFl9G;FB}0 zs3{oTXa&j!)?2@vDv4UN1MNa>lj)qr`R~pNJ0k~C9BDH&vh(1zI13%beznV-43}&? 
zcA!iwryb*j-8)l-oElt)MR(NNajy#1;thifGW!%RJL-sV`t>@-KiNJ|9~z;l#TTAL zJZxZ8dyT4M3M+Un_ebj&xuHX%y?lu&D^gz6uRx{QaHjG74nO7Zp6Sr+UB-+%P@-W) zXRDI_*U$KxXMDv*GeG5aXW?ziO-7H?OZBrM5}lXaxA1E|P+D{OkPz(sf;qe9fewI9 zdJsI#ITOH6+-Vaz>V1l6XnXxK^dM&K-tp!UaKJ2$$f+DC1fF_w-wz2ysjF5sT)d~L z=TT-sjWQqHA|i18Rc=1W=91%RQR7u>E4aMwRYB&ng0=2$Dfk^*;YDc8@*$qM4%|ac zGcHHO#mZ$nd#I*JE(eRI&iE&RKywo)?n%g&$a3^N{9JzcmC&d%yEawJbN`C)JrS4p zEeTM=x%qq#aARte%i;)_y|C#!ic(J-`F?%uX!w{dUU&c}W~;J>zg&LBZQ%o(;H=(E z;G2R(u7_6z$Xto7F1i!9ycC69>?I5Cxfg^Z&-*IH3%d8m(fzWLX+iBz@z7Q`m+XKy zEfsR1G6|}S8iHTrsQz{5AedM+sU?^2EbKQCLs%ac&5^GPKnKkCc)1kn{al2(fOPk} zlGa(y)zY7>i1zSj)mOstcUO807(YITr3h!+=n1WVY9dzC*kC;Pj_hj7h3OcxR=igI z+0!acB1e`w{PHb+`ZsE44~y=v?->=1sD=jX<_9v%fyhRF70lRgw;0li8ZnJJBnNRrG2?rW)T}2*3-K3sW#5e~n4Oo=AG?H_v|wf18ww~x zhJq-x2Ij?K>Gd|-l52qNzH%QMRwn#IB_3o_QVSH=ZZ}c0YPI*W4#m;WEv*rTy2uYp z(k^57QUptr&q_OS+-hF@C?(ve{L$lA*Com|RfD6s^N{@#9~{qZSU@4~_}5dP)dI9# z#mlpn4U8apKC=XK-j_^7FMAwa-(72~xv*Whfw&>2dDX1{3FSxE97y|fulKkbqJTg= zio!%u4)=cG>pWgex1N|~RbG{>uz>76T8e9cu9RCWtBqJkPvp4n{@9765wGf0;mxrd z*8faDYQ1ZgInu2FB+_5$Md+pLO>9ToV?%nd3;zuLx##??~YZXN1U2d zZRbHuGyB@2FiM!AT{-(PLC?$1pU#sXaMg9lu8a|OxNa-aF`sNi9SVlHxIR#Sbj$gPmGXPz^|gtep=y78qscbTw)Wc((@P|xM6mB|M42_xkqL|Eu$J9@P#&ut1EYaYK^ zK@ZDvMpbdvk@5u&^RLxGc8c(z1qp7B`Yh@it?bwfoyfNm9G6KY?=fhEF^*Jyd3F7} zC>{@W!Kt-7A_)xmh+|s0_lwxRz5^D#Ry^kZHg(|-2a=S%F7)pZXF+q+$4k_g&x?!j zTZLz8mW6M>yDn80Zh3$SSS;*76 zIdY)`n&ZnBX!);lW^)=ujTnctSie1Ex(;y)ZK}xFlxr*-PgRBtxN08%oTLV!~Lmk8O?3q=Jwrjh32;}cTn`AUB|$KiA;*jqI~P+K|3Xc zr(IsQ?@aWsRtvcTV(6V*0$EsVsw@?f-wB19yfKt8BLWjTgNc1tn^h39mrK|5^5&tZI?1j!SQLKA4Wx+NG~detNhQ0|FB%Sg*`NMwEktxKV3V$xO3_ z=wdA@rwdXM^|rKYx!p5iCPa3$jw3LG`Wi`5&&E>54%t<4!9_<&$KLl+ehR{gIonG? 
z8o9Yy)+PrDuf7s&e#-u4|L9<+7g>i2_jD>9?Z!9Gt|(-b3sb9eYx92?NWQoG)?w2j zMB?_vx577Od_`wEh~M3ki(>bZb?UT%wR$Rc(M54}pV8>uN1LoU$Q#Q4+RbkJf~Fyo zA1e}8?HEz0>mq4M1_z)Sg0>=meACLs`vliwS1StZ7^?4T7F&(~EfB6t6e$dlUXh)INU0n26vY zgU=01?n2s51a9L;6gFvs&6px!wr13Im}!t{48Ui-n7`~}~g z%eA!Db#IQpsMqH6`D}0>`LFXfx$U9=&Voj4C#K(KOsyb>SGrX_JACGj9AxM(w4`~v ziw=2uZziT#%#_Trq5g{3GaCxnweG%%Ub*uooO&C`*IV=#9ng}nngRJ)CA9utf&@AHD>1g4cbOf4#Kf(ZJzwHey?U}*0fY4wxx`8T|ieYfa# z2HG}k0N32RVC;Ibw`mW-jtP@4p1~9I@dell<`^pVla4Q8%I7(zBa|bIi%$b&0MRvk za}EoB#f9j~$?yBfk<(5`v_Jzto!&Xdum%jX^!n2N7kABj8KiIS5=%d{aX7PK{oXY& z1r7V?U+`xtMr*b{^H`l00iW{;267&8E!5}!2~09<1PtRo*t;iu`mhzu_W&6g`MWRV zKyc0U(@0Jog>@0{E;wZgOYPTxv|GX&Y;H^bLWkw)dciFV&dOMf@bO7%N8&La7}nhM zCFyhlwR;4Hg@~GF{Kfj~1Hdln<4}v!CnI9|2+rWko-N;rBnsV@XkcWd=85>rnE5x_ z)T{t@fMWmojlW_U3%-;wA`!>n^b5L~4-Bi?`4-E0G8;C=?40A}IDM1^tvtrCU6d9$ z5ktcgjM#Wqx1UbMr0v7#z&^8I;ctL~vbRqT$X9O}l zE5`Hq1jsA#2_IMpCp+s?U#J5&3NUbtNzebuArk}9m%jVe_6&u2s|!A*hsyph6kP@o zsNlrMmt+6k_MPme1TIidWnUWVhbLE6QYGd~VZ5lb#0oQ8Ew0pGy`p^#{(0rH%~=Zb z7##HXHy!yW!u88BS$bBLX~*O{^XdF-T)~h<+?XGH2wafh%(z0|`kXGqhRI;N+1#__{xYu|z)?$AFddz4#A(B-!La^( z)4z776JxGMq`JPHzK`4z;KOi4F9!TQ!wfK4%NFCe-P5gHF$M$757C+b%e#sLN1cWn zZhiVFA|{OPpHH&IJ+V7g4B#+^5(SZ`2b|4!!EVQH@!t4LyP{wL!yeLH`Fgq|){F~= z32ns0-aVPkp9F}fAf(_7old$3BndCIsq93Mz#EWQ@S85(awPvK`oC0gS~`rCn>El^ z_-o~&!LW8$>fqBO1=FXIdeJ&SB$%`euhMM^X$Zv)e~aoKYiFHbEBl+I6j)&5{H& zA@={c)!z;$YSuZYp8Oxiz5}YMt?O1rKt(`BK|usjid1PLH7Fti3MkT>Nbfy#5D~Be z(m_h3OPAi8NH3v7NCHR;H8dfFP~MJLzw!R}e*Nwk3@?{<&e><}wbzju;H6m_|l)o15 z`MtQzlTBv7ulEPb^&`0<-C$NPbreQ|=bst>`LJ=kAozRed-wg{XCay6fk`a;R)JT8 zH|jzCyuc|CeP(`nsr%m&fkxu5mV?oaHR`h(Ki!3KJus+c-dc0{qimku8 z$40GBi-2;smC0DiJb#(3o;nvdUz_p)$Fkep{D8{|n+lYw@ zFXOUcFSkZ;@#ypvA7x6M{uwZ#h(tzlmW>9IoY@}n`tns5 ze0HUi&I5n4*%XG2f3g@q7GfND{Im1lv-=m)Z^0dH%P_uv0k^U3N z0;3>>ioX5%_N3{7fu@~}$p6EJ`)%EAnbJz+ zUR2p43vb&HbTgyC?Y^2VILP09Y<2nAYH3gSeaa?CHl5XJGx zGA6Gt2z}4FIJI>B+O=#cChrp2Xl{f>^gbu6Ue)DuYOLmsFBvybPD{j@t+9iSXdc!W zeQmuemmFIpfkeCBC$t7XcmIY)ex$CWyi0ZNa4|eTLM;cX*c3QB^ZFX+=v>vHdi*VN 
zQT)iY5D(;XD%>Ft=CF)e`I6EHqc3@}-M5jwORjfhmqjm%bgs{&k=^qIAz)lOQZ7^1 zFdu2)b7XJ37u9CXLAf}Un6oc6!R2yngz4;>5?k-FTpnE72&I{m<+3hw+$>z1iZE&% zN7tjG?NU}E@y)0BX`P~zB!o$y0O#iY8PbWv+dwZ?zaL6p``TTnYKpIxj$&)7 z@1rVXUc~a34-}7_!m%Icc8=2wHEZ~=RQC6e1OS<))Aotxn;3phB*9 z0is>tIt8t=LDTioQFy)?_OO zdk6OB2n1l9Rw`Is^Sw;A`$B8(1uo8>6`s)eb|!Id92C8Y^wVA8kU}`5k2FY8dSth` z)P^&Rn&Zuc_n~6(VhZXRT{B{6cQN>hF0;+5_gy6I0F>VchfvRV8jcroiJcNQ@ES*y z1y~+p%yw6k&o3^Kno{vDw2_azK0zR*0JwecYUbk=M##P{9nOMza2SVP?TDI|e$>Wd zzbqFoPW1KhM~Jk`n&1&SeoC?AlU_+BK8IUyRrIEXRN06@-_Ie>exXFx&aU&vv>IX=*a@cJN-_*fPn- z7$)mf^0P-Tv(*o4fAnWc;}Fy7XQ+>v&8yQ44|ip|$i9<5nFj@cM9-V>suZ1GZcn(- zI{qU++@zWLSG3*G{z!yQaV}L=kn$2qa0u?WAaL{W=r7#=f%A>VjFNCbvnIcoh zu#5+nhEh8sI8cCtasTwW`&YUSQ>=z&EHXg|4_iY~;m{v^)`4%If6<%zSbY01T?Fnu zQR``vTk1_G1;nDL`h;y_ap!jM9@^^~&V1=j0h$8(^aHE)@E_%X=UFVDco~zAn2l%={ISnaYW@XSV6lj!YOPVWrsE4nri zl4yWB=fY|3Lu%60{OAumu}^-)-X6yo9UlyO*$8=(f@k!<;`@Jm`>B``Ki|XAR&uLv zH;xu}>g!!kjI6%ZE$t5jW#L&L=T-Sop>@9dY1DwOf@0%evzK?6clz>XZQ-nB=~`;v zM}AY+Fm2o8J7%yOk17#qh9#e77P`*LMQ6J0j@#`Gl65n|a+X1nOyGS9g-`5{%^;X*|@;)bn`FVl#F z!%#H*Cto+xJ@J^GTq5*;> z>7l{(;U~T|n78%2%Sg6!u>HnFBi}lsV zQm|=q4;U&v$M3CP1%sLkc{5cTSt$wZ>`P9TP_IOm;rt)7JzeyVO6tqU;N6cNrQ=z_ zR)7s!-1qTGYv5H~CruKa>Jvz?(Z>K~aY$o>xUpWBPFZbqU#~9Jdqbwx4s4nH0vci5 zXFAV~Mg;bU#@=y)RmyJD0+&y{d;Q;zNV9}K?GzAd8G-$W<^xOy>o%)nskrjRgMnk4 zb}PAS6OlPj-mVPSsq547n8>aAU>AK>M}AbFZE9#=IP(dND~(v*jt<)mw&VBD?$xJF zk?(i}V+|z!B}n{}8n(33;z&OoP2be#`i;%MDem9AJs16xEOBAixU9q&Bk^6tAoIS36Vq|cG>UW=7}`*NA2bhqv81H@B|_{`2o)LWX}0z+Wfn-$T!^KwHGo^n=ayk? 
zXBQFCIgX(0W5n&~hXOvd$gbYkgdL$=)y0jt@v5_AAyF(hzJ0msG}Yfv+HsnS{rrJe zEy7m~Zl!SG1O_FkK$_$IZmc{a@-#8^(|GQd@f(NB2fK@f=xDt<_0A%L@8|){q|hVm z(P9V~=Y45=mpEVOqic+bpwpGDej%OeQ{rJngFP7T&-BQ|&v$VfamUX2w_b|(QLw19 zA0I+a?zt+xuv_Bgm#))5bX4e8t^q=~lA@N(=2&uOPq)0}lI5V>NXDR!uJUyPf zxh7a$uU5K&Q`J73-&z)?xn`XVsG)yHG71Wa^8_=6Gho|zBF;N}kIW4Hbpyk(-ATARWk`;#EFkJ!6jm)5 zPvnLDzrceou}DhP++i;#ETRKsr*n3;mebPY*hq<0&KA?6+v@aghR zb7SK#1tgg&@wbTY64DwMl{l|?3#^r)t%*slhF{lY@XC#)gc)6Wlssi%GsS39S@9eQ&t7z8SEo#ro8@q8wrpXx@tM@(( zAMjnwBl+l;SaAwnXk^%5eBZjdZFeG9^)}Dc)JW;q$WW=pY}pdW38(TfL5q#;CStay zxhgGlvHH8(orS>8p}CBl+2$P^T;qeh^)x0GCyYEJ%Db2MLE8%{=-PfH$GO%2PB&M`_tOl3I|?8)+AgmYwqt!S}Znp1F86)rizNKd4+ybouZes2 z4|yN(fR1h3)_y-t_c0q_)N(hJsj!))FY?)pKNtzux)*Vezv04Qe-POYB6rE$dvo!9 zPL}2vKMDso|};T^o8tEinqX=t|kt@0<9z6nUfTFbVo+s#`oC%i?rC z8Z-jF`Po@TKGUfzz>r(ufrhB%*zHjzmGlF=d)&}_X5o?$rRvF{Zbkn0J9P%lXZ8nD zu|}e(F0wCZbvX+4d(q-+_7mCLLkwB&fmC%k{3J;SkcTDG?y=1x88(2V@D7>qhB!jD zZ^iP2##)msxDn1-&x=Tifphufx`V{p>eu0&=v7{;yr7vAE|1aWz`m#Rs9z-(v94Wa zc7wVfuy9>Ac9t9Tk3Lxfo~jYhJ=misHsZqPMD7E@2AGv58nuM{=;_9u;QcyTX*i<3A@4S#G_lhgRHT~s8N#v4!@$9yVx5JEl2TW1=PEWEon{-fylMUnn} zZ$1@Y`NhAxt3*yNUU#$_nPD>D&-YmnaEdj{-6FnfnCRUifVq21sg^sf>xS`Ms0%7| zWJFQ3u1y|4@vtZ%N|^Dc_wlUDwTaOa0US^s`K5azgMF3go~@;i4FQSFR!<=E$dE$* z$v9C`mxnO*dAa$I)qHZxeg(>l79L{k%Rs4O$YZklRt&p&R#(1yZ@B+4=g2iun*&-# znn-n~wSMEwH`gK;`1x-H4#-EBsIJz(>0X=iDaa)%=UdnDX%2%t`n;G_+Iw`uJJsib zfe4@uA7g6dd5fg%t&g3rb@_mab5{TI7Q(TaW^6cCKLyNzT2BXaS3iMYYJ@O1g1pQ~ z&VWde3pze6FMg_2>$@ryNr%O`VxTZ^6Ac3u>FYC$0Ljc zxG!F9+)3%RP$r_4t8zP6<6f~=E!}vzWo$-f<|qRUECm46X~8?yDh+f!9qC>Gd>Yy< zH*6(6%!{ciH!`iS;ytqlT`VxrA~|gttwkbKgPy2zo5=rB2Uym97(}>iEI3=53J+!i z@{?qM_P$NxmpO<1`PTxf2@ht!1 zF}M+oK{8LY5ga`uqw55n5cBqQ=N)*H*IRv0s>`%F z=+r`A1Ka$^h>Dud&yWPCMW)1_GINwXB!`~-VJ`JKul@O{1R4A9A3_H~qgH^*L#!;F z*7qpLDsa^8L2*b(1`rH(BLpHT6MUt=61Ly*(2evz)#@}dpcUO z84>&g-M2bw+FrF7;}lD(H{ro1gl?TS0!-_)r{{pK?s8>SucFE+0q|kG2i?SI6%ZK> z+E5+5=8^dMtlxYBVnAD%D_fBItRBMdLxDs0qVOc$@2mB{ZW{jExB7%ca(0l$ls%(@ 
zA1Ou4Ijhu(%lSMu)-2H-Q4jLGx3-MDjE)X=4%cSaBE;$ux&6_4eJpH-{hv%hiC~1D ze6(;0lPSlWk)IU3!#9Q-Dmc3~a^FllQ$||V_>Sna_?<~^+bWYTZ)N}EL&H%AJCT+B z8fV&)S)_f6r^EfWvGT((&9B(L6Bg&>9zdZb;GRGxD9$ohdD#caV1~IhEz7 zaelOTHcbtt&I%PtCI%E~r5E@{Z^A=A&ZHg`2-?;Ve?cH7iv|t^>VO`r9GBIm^Yi?@ zx)R508KYy@c)GC|jG~@`3Dg>2>NWx8zcbhY*cow}NX-sXpl&^B2`lW@Ddy0Ap=Dg| zQ$y|WWJR^qi7xD?Ad5u?FH!2BFoFMi$VyiU0fc-T5Xs-ma#np7E}va{CgWWWnP^|E zeHnyjApKiu-Dc=ZK&9iP#}i{6xk=225);c>bE+ZN6XMHZw_a9@0@XrSBrB{X#4GkL zlQaI4!)^pSa2r0JIO4wk#rFikzBqt5L=opNocs;xv;}nZCJT~t-o;Sq5KaK~2 zKnz2hOmF&2LHoCVOT7C$cs~NN?mu6D+9zTV9X2Z8p8xZb-vPB)sF49)rSNa>XU-Q0 z&V39av9-$Kp%C1>^#s zrXDi=`Clc8HUzld2PXgf3t@PB7Ehi&ku3Z3BYdk5uJ+upP&4B9W%2z;KJ7T!w{QPj zG4!`LHJ1e5Pf}?H^Uv2$R14%U1U|&^e_s5>J3!R}WCH*HLHYmoK_MgnkXIz|ACU!Z z-da6~U}sx3?g$eANf%zUfI3e?C#(UqYSAl^9zePd=zG!*U{OXp9%R?)36q+#Yz`)i z1>)(`t$z=5X+^{rbvRaC;`V>mp>IjR(I5Ske&_dXQF;kZKJ=vxT--&M2|&=29fs>>8n%Y_19b!5@nC#2z3iUl5W5@LwVJ6_ZgGA9$g@k5K+oL| zqyV`}A09Ss9#t6r)O_g*<%88>j{$c%X6=STim>J+5M}mZ04vQa1GLrGcKb?A6#+Rr zj(5

    c#HpalW;E9@5Se;we8D_;T{cD42Uzl4a$txPXNxChrF& z!3gkVO$jPW zq``G*yB(lS=m-06`tBBT0$b}uVX#8fS!7gSYX&Uo`9KJbJXuWtJBIy7O2In<=y3dx zBfv!t;Daz0Sob>|h)Ylbg8+#J|2JaHr-LqBy9wGDXm6(a1!PCOX_9@=bzxT}Z|uJ5 z{%UEDB>nBe&Ub{@{kw@9JAe}DRzVN~ ztKIp^Xy7xz2{et}U}M!YEiDcR1_Em15h}eK2x>}$zv~$<`N3+5e}x~0i!4^YL0vRF zg(+9$QvRgyw2Q<^YV%iwYBbo@UzxTKUTo8u2D_l5ffGKj*#n>{soMJ%>Tm613{Lab zkhbk8Q6gwYHpwV*ov3sQ0H2XvvqZ8ZhJ)s-50Gj)0G@6qFaR;d0OGCEI*@rxyLxK_ z=LQQL_E^fl=U~z<^gzc639;dsiJrC~I4|@&IR4i|XFzm#{Lbv8;FOD4HB$dM)p3MC zOrBNKt`n~I49KS>c$EsGaw9yrI(!H71*@m?62L%2gB1$D?gA9T+Vgl(98g9)4JM^E z0wjHvbjjBUzJ23aGd~!0zX(_ZwX!0UR3N4KO08+nW@A zAHv@+37;Zva*6}$9QMq!gP&($k06i(vD^~|8up*(CXIy{oLH7AuLU@PmbC`GqnOpm zU1DyhWi@kD#oDDAxl~cWfYsv&qv4MMi;YL~@~L&ks~od00CTDv7Y^H*Q`^As?hbVl zavtcLwhpIodH^SDkO5{HYoa(Vl3;JJeh%#N%6?koyms`+S$B~esHaEE%p+<2!<#v5 ztboe6%%C6K2ViXij1DTKTS6!Rugc~fFmESYkCM~pA%-uz0?z=ZTaVwo1;n;au#P?x zs3FcDgUuz`yK#;z`t`NrfST+8T3@CzBrRT_07icu;B>Ov9E}wQ85UM8P~!u`oEy-b ze-FPdpaM_^Gt`n-HGs&h$~8=}zl4YHcQ1*8J!JH4#<994E-NA`+I7Lz85tQ*0b;x6 zzQ^SUGq_aovsn6%YlnZ}7g^z3Ouv5S+YG`2sdmvnLREZjzQTmp-2QVIB%gsN<1l8P zJ*pZ}!D<#kCo%{4S?_`5Kn*W{xF+i9dY4h`LVQ93E0F%j{^L~9%m!Afl>vLzf^YSY zcMxYdc`xQh3-i9BhU?{>)FgRs5vb~A^^>@AOx?C?t5!Km>z8a*cd_{Z4FRm>tiqK?zO?($Tze?>Ug=ke;(jg zln&-=4)D=DuuB^UHkQ~sje?EHmwtaP^nV=ElY|5(S>b1{2 zaSoi(jd58M2O|RPt#7=8u0XhbUGvETJC)=MTC;g25{`Q8!O9lUs*bUy;1v@{rQt$- z+eGvELEzsrW|yVDIQXQi=Js__CkbT|-*6y}`QZK?{M8&#Jy!Z^kknf=*u17jfoZ`F zK<_M)P;9W?tA1%z{o^?y!8amY0f@CC~0jr z;^l*C@M$;#yLzJVZa1@nlfY6!udHJg@ZPL?A0S?8wky~{V4sKbAe||231gCTD?a@C z_AL|@wskS;fk@0lS9=VjXW_Vq3UEuG>WF3wR{Xnc-1i}yxLtYgq!!c9b1A-idYtU& z9Nc6ooac9V^F3k*W!sUb%T-kI#opE~%amzs)L{G88mpav-$;g@pv(g6D8}<-0I=S5!K- zV5?|9kaX0D0NHO}QQjFPC*>9VE?D*FBs6A9YA6ew`&SP4ZZQAljAW9Rx!T~vQSkf_ zP|ZRng(}UacfN&kIVX-1!STBkE4bm*OV@Q@Asb9e#LGMyF6xjhY5uiM6F>JK7aQO7 zi8uan)KJR7mo7Or%#i{FC#mWORU;u|FHSbwVGfq|-`#q0##go>S)HLkzrlO_j<-|y zMwNFnFwE-!)~?Joosi8z68<5OE+2<=q4kF&HJ9#HA~q3gIm1AtJE)!{@;xKcuUYG4 zIdFT~r9Q}mK#v)6`36s*f%A)b&pvoJRu>;EF|>yehaNO)H;h?4Mk<0%jqB8z3q>NP 
z#_MCfg?2CuKAA|o)oiXYO?HYQAz-cO%8{plV+v-a)^C~z2Ug(82M z^k{)MTt@8iJLLKL;l=8H-e<4j`iS2AwARr=$(MZk1}MuMfP5j1Pmdj@(`ddoB_pD;+W;HY%e-2H4alxLtZT4Y@a-9&m2dB zOTsgvA=bzW>Hws8zPh1q(KFwp1^$NDD@}F!P1}xWa-W+K*oKe=6TtZ-$9Nj2=uB%U%Z}2RWWaX*>NXOLfCTM1=AY__V4=ked$sq zZrdg_lE}h%5NAj23?GOu`@NbuhI0Y3sCc@ldOfIf*OkUC*(oEzB(qVSbqy#ZNsK_L zD*S{M&IH5ep4wo071SJMf9lAox$B94JoQy%ULN)1W3X}5CC(CXGUm_%X0OJ2?RK|Z;S53W%*#Afp|2DPcTjBQl(+W%S9uZniqg{W zh$vVC0LcT+)$lNnIOM=!XqvF}z4FH34i!b(3ooM=^_H^@)tdo}r2x+d=P-<<*y0fQ zJv^NN0&P{V?PsQE*uaK_JRPv^KHYcnw`b0f77|hjY4G;K7q?*V7(e`5o=*V?fHGk0 z=I?kM-4aSA3jo1Ycs?QYc)845tbND{tL0P8OGmP?7vP30|Rg;Bmb4( z{_0M~rdAo*e%<$F5N#r_r3qVrNqJKy@pUF*c#!`q8x4A&qhfrraaQ$*QCGatIywO; zlVa>(p?ie&f?qnmQUKF36j2d&AL}-A4{^_ON0p?oy3h-E1VZj;kcHC}sG6i;r6y&F zP06aRcpl~)JsLW|C(Z-#U9)qt@>_KpeDyCA#bSUu@B(6J2%Y=V4FS-1tlc~Aq{XzB zf>oRX+h2LC6T!0T4lv-kR)&F^bSIggDyrsUYlKie1Z<&Xmy{&ncV3-PWJWOsO#e{F zc-pSg1k?rLak(DKX|>XG>w}^5-w*``rKfoNrGA>uvY*-L!R3>fNAd-B&Hr<*lw9%g z)^&ZpIH4VIia2@zasT3(uk9-qY09t^{4lYr-G*mv1yrR`LhFd;iWO94;RPVq;2!xd z=-}JDdIqY?pnP~fm_m2zpxOcn47Fe}6Z4gwEG&6pya66Vnx>;^89pg=j)pd)C7EC2 z?%lfaBhOj~SDg~Qk!6|6{w&uQ1q4QtHKD{!7M}nKAgki0Wuac(9Pkn8=tVg{!-A?Q zO2=cZydphMovT14GepQpzx?t_82{u|sJ+uKueoV0yz)_~)p|)}*rK4?hz|q4ZwF2x zX0#wnTC?TG+)@4F1h`yK2Rx>?s-t_#MX?FfQK$I6s(Rb)r~TXS;PShWzl-nv-nc{y z{Oq&s0>DKJzZgF7C%1dzW4EWb|JKX~UK0-#Po3rO0v~x+Io~KWY*@})AA0%W%r&6f zT`3o=UA|BPYz!VnQOg{GOe5(ZflY5<&oNLitu<=D+}HYb<(pq(H5Okg-;UKuhc#|} zCRh9i?R6gM3uN4RrZ%t4iIIZwD zo1;$}(Wpu;)Gb!c5~Fbe>T{leS%NqCyQY3KOz2K9fBnHSn>mQ_y|ADQPQpHW&Gd7K z*>G|aZGc;-;PD7IP!C!Qk-)>j!f@B9y3+G!FZnBUb?j}<&WEtUi)!v)#e1S@*Qt_# zPR#nzTR?RQ5}||lem~2;GY+V&idvO69QdvWsE|j`*i4i+8QK{-wgS$DRMo*UEK{e- z0kASWs}>S0t;`@1WIyeg3=)@X%RAuRnx_h=j|LrIZ2D(tX_f&b$GHI)OJA`AgIPRK zWBX7&4|=00@MKZ-yo`q+aiLD23o0jB0dx>+y?`>;#~m$-Svw(t>(>}Ve*N;dvrwl) zK!S(~<*a@RwY~~%od5=i+Vf5eU*m_S=#F-{#1PB+JhyMRoKeSt8!L_1yIYd%fsSlM zOvGS9;QPts?CO(YCAmvqX7j{^TYlKxYz{9mg!U~QS%B>E?*Oyj%S>8WNzkyBI^ zoifk3gbWjZx&++o@q-Df7i8=M3a}<{etwtv0qAdZ^;~C8-_ff@Sfg2sLCEzsr6%+O 
z{DygY++J{lkb&-_B%q6mDR5Y(Uqw~gUQF5n3&WcY?JykUoV62pOBvuxTl5w0lOX!yuqu4I0<$2MWY9HZW+h)-`()o90Y!=ahYa znCacpzp-y~IG`vN4d$Fo0e8!BK%_5?_nu+6xYFGRB~c{>i5+jdjE({6WmJ6SA10N% zg%pHDv$|!X5~}Zo46gx>z3WOFc@S+Ux%ERoy51E4<4AuAr%hC99}EmDzYIGQ@3gAi z3Ccn%Cq0oYn_Ex9FD&qR9lX$u>yO*pRJ5h)bzlcx>3n6waY1r3-r|%EW+B9DAAXP`HWNVZ zXE^FsSd9s)ALd=v0_}yFbhaJ)UQ{nv%5BQ*wc9-Z%!nB3ejvzwy^_cqS?BA(S5YLJjD*P-W=Mr8XHfCar{zGi^yV315xg~dKNZ-L_<1Eqrv;j*pS zhC-AMdnR<>p%SeDNoyQ{tb?{yC@}*56gTzmE$XP!B4L9$#Xk@o8&V6?qdC1_hNv{p9o&97Q{(PpxCw4!~PH~rul z{a@M%aC431)07CIhEr3VTibCzu32_J#zp0`v~<(6sT3OwF`E6p-Hl{hpwTkHT4?P1_o}%@h1oIwI=B^MZdX z&-WiO+`cV^ccVfvck4Kh8awRI$1>B#EfCPTPM-vS)?dZ>xZsX4XBB&;-7lZTb9xDY zVM*pVQ_E0TaYQMrdi{sbGQ)45(}+fm+<5o=wp+!LWjw#Szg$4@f=o7817Zf{^+(GN=NXV(d#r$Tfz?J;4~7VwS!KT!Dp zbYgGOr}?Z#81Uej;wD~?ZT7bOVIa}F*%V+R25`SGbTnXz?>KNUeYZC9THNN`l_hZE z-kmSNZpBFFP$#IuDFrOes{2xqH%k++)OrPs{ckobY--(>{>f`;8|T3g%M%lI?GHJG z^%Iz0pB<&JJJ|-xq=Eka41h-f<0K;O0s~+}Vjs(dpl*FPOS4{oNvF$ROYmno|6fH2 z(LW<`uF7$TP+Bx#SF?gZ;?*=lMk~k&4p|Hy-^gbA1$!p-hSQ##ixKxFfq#kl!5s~m zdLOr+dOXt^ulQQ6j>#^>%L#r3mCRb~ujPgefcD(3rJnv}O)7pFOc11>jr^IEU9rQ% zYa29iXPaHXt0#o+^gRcKe&nTFkDmgx%@|Y;Dj?S)`p9*{X4^Ky0PfQPJPd*KG<=}{ z#{WIHO3w(7^f`y~V8m3MQD6em8ixCo(Aw5%L_HBdmilh3KcG1`S0Ubb0gmmJHJVMl z*+LSbuFX3G$$kD1R-USW89R(@Tg|%3RK^+{k{JvQCD)U0ZLez}qehE(kV?0|Z^?LJ z?qTSFe*WVPKEb_Z0|&?Qkot2>4&#IuAdp)$gSP6|~5c!>m7j)qi|4zJ9khfWy~W98L+byo^0Q%mk1^dP7+X z`-qmENyk&-Jn=?iI4AE1WS6Z>eq3(ZvL7tr-F*t$3>A-emno$BnPjb|)bCL8d_bOJ zLb>O-9$1QAC_FGw^dg^c{R9>O9U3nWt^rUpGs7CS_oL2Zwqf5SLC3L6rqUeSvpJPu z>&*P;rq!4*nc4 zFzxPfbMql18aoGSQhe2z1Wd&7M-xAdz`N!OouJp#!U!{Dmk#t{Apd0F=?WmaKMQ zQe%cn0{#YD*<#1ic)Dd|AnPSJI-$@kfC|CkZVHS$-m2!vi~}n(WNmd*3SaHPioCFq zp1c|4$4;7CxzAVlsg?|l(Nd{|dN!2~LY-~9crm)SG^D@10DLNIcgL8n3A=hVu?V`r z*^>n!F>LT0qxxs$r1aagBJM{lU>|O~9{=sk`oTgU&+)5tuFt}R_ok~6UJ)YB)%$0l z%F9S?GYqZ)2i2T({TOq_5yJ-OrD5He2}aEUbe^r$WbK0Z{UcPiBJchLTITHGKXW?= zRew18Z;1`ia|NT-Z)+Y$>j0f<;C)bUk$`mXQ8j+{8rRs&6 z3DxDPk!tDp=hX(9VOuLOx8mHkMN`l`dOd$w#ny78K3n0?>Me(${m8SjT4NIA 
zl5!+|Y3)Hu)F}Y(*Ks^lXnNga#GHk7c>_IO8mIvAcjdjD{X- zQvTw*UamHO3m?E^BEol%04&Hy`>Y4kE?N0KB8KMZbaQO49Ulh2~AMqm}^mF2#4e zM>!BEe;k7!$*nl2N;3^4N3}LNX~R8VF|UQ{TtuGF^LZbxmV_{ug7DFmZ!I2kWIlTm zLxo}&bxQRcRJ*7w-0nc(0ao0Q$~1LsnStw<&>%0+ssidRV+| zS*LM-hIKl{Gq4XLN(a%==Th~okxt-n^@r^;u&HEd4#o`;a>$Mn<7CkeeSR4(F7OW}2}Z5Q1uKZP zOwnXBtRK69t6pZTn%bKKBPyMhT}|V)V5b7sN}a1X#&dPMIb0Q;PCZ#-ea~K2Va4iJ z&>)i@xD>vhZ&>B(Z(K>LrvKqDu6!9JUgc_(0M9U}B~rb1HLG@pw7YPr$`e@n;e)m! zBjQG+5%=m}i+_g2(`6QU>RL!+06gF)(XZ9DLGc4GsL;w&^L$4^QtAwx>MH0#^+p1t z#PPCceNZo$&hxUMKmsex_=kQ-D_$hvDUUjWriTsCnlp7>d3A%u5UsY1=Y1$nALT}Nb%@*U3r z`IPq8VKCW0!=jr{*pyB^qD`uKws8U#q2@<99%v5k#>}VSj;rJCRl`UqpRZC;J(mRyBg* zs(dm9h!2PK^gs{LQ@oKEq>eYEP3Vyh^Pd{qUM%iBx+#;~PQJ;`+^qNe_xgP{}=F=qKkpA@k|!4wuX+)k1WyT$E4~ zzj8A3ydP1{%Q9ltc|D0c{SukC>N0y(Uk3bW!Zz5Fmd2L~EY2nMKHTcwW~>p~Nu083 zD{<=)y6^p6VC-%V>x7r;%*&e(sC<0st~%uHH{m2=&m~*J!eaI_HkJ zZa?O+1@c6XKmtiP!wG`P^V0%7LNrmXOdDWWxqX=a8uScI^DzwN6;`9^;}mmy03yv< zYnsb+0uTbE4uHo4V3amf)f`%N5q|L5|KY_GC;$G1$S3^v?VE;}Q}(iIO=d?6AOO~WK0EO?#7R+q2jhYl+g<#yB)}agc{e`s0xbWy9S|+2cud`8Pej1y zyYd9VdL#9EHzzDr_l53!!$AmYxn)g%?OHtZ&1dr#YKgeF+SBQ?7WEdjt*bKWN9)~> zO-kA9;VmEfG1;l=AF#)4rZm2iIBcu==T`$@ba5?#7iJ=E&!Kgti}kQs22t(fWNxedF#VnZOw}iMrH+aM*`nY1+bW=GyMJ&CzhM4mkK+) z90WeYw8~gfGHpKY!U9!-fiQv>J7*;Zk0_^baG&a>3to4*Iu_8X`gZC+g_mBlu*=NwgA-p*6+J{Bu0eoc8? 
z%@a;(9hQmK&r7llfF=4zE_M4F$lR^PZBz46xz&5TY^jIsRuk4SsoG-Jmu{PCKD#bm z&Q_)4Pi%B^f$#9Mz`2*=>x?fKYsahBHItp5KfgHv90@wyBm!W7N1M)^;_By8zTZ+H z>*gi`s2~=7>8H_OR38f5SA%^)PkJ(*gL-|ExODF2iNAm8oFo81*Eibo)M5{S4hW!+ zjy%pN=TTOLe1a^0O%jNF|GvM=VotZVVjqcI?~ezm*E|kX+6T0j;zv!)1P)RW)|B)zE*J-#l6>+d##bL<#I!L z6UA-r>K2Mwlg-e!b+SG^RqZ6LRWzN&ZoBV2Eq)or@uY8|Ym>DNn6@jmh8st@7C)0n zDSX$RB0np}BB^?E5?iiY!+jJXd09S{PU;(0D_h}4o_@nQsVCWe+P1V1g`#iE0?t;D z+dA_;rb|;ePWeEhc>|$ENpQhjS)rWtA_r!7AoVu7?8&0ZGGbWQn1!zbu*b9_g0F09 zi%;}$kcDc>MjoB?ZuE1E`UFRi2`l;KsY$zR^&5oLtZvQUE3=ysAR;lo!JU2i_Ezz> z*7^01S5T7Km9Jkt%>?_+o_^t55#5&4bYCr2sZg~NuJLTIHMS9P56Bgzcgx7Q3}-5h zOP7oH9L$4AM;A6oPnDXc&S-S2TI8)vR-@}LTiNP%cb$X`$9_Eb9EWKzb54;>+pe8} zf98OvG*zn?_?bXb7qt+q(avc2lbz)%oi0h&!zSVzKbpx*)qHB4k&8aP+bjUv3+f-t zRn~NPPjY`u=xYn?LnNU>ZA9_=~|wylh||fN#*-) z_0CS8BM^u_K}aItWXv^H%Ngs6r0>ggb|lpK@i-N{ zsOXd*=HW+Fq&J|4Zk8R@G4RKP-hRaLJF z>~NgliJ23q*bazf>@J%O_~_d$eXx2L%XnONC&pbwCE>A1ay`wc6Zp_tWXA93R34ZGv>(A&%8g_m23TzN}BH;Jiy zgX~)hgsQKw-(+=nl7e0S_Vxzzejrv_Ad}Z}x#(scLXhkSD&YL3+KDmch%P@rqTVlI zPSM-B@U+vVH=iDFb>7h3P9(xRj?_ z#So_B8C0=(HgNeYMTX*7Y-LND^qrW?Y}h?0d!STi&XG*!)&Rg^RBD7mJYLX*h17|Q z6`3gqyfOXOua+2uBvKysknOXEOo%buY8X&2QC%!6?<+gh;HKdE+UQ_`%6Q;3bFbry zqpoa9RH0a$IL}aOw$mYb)b?VWDXY@*=} zeym&6uCfceJ2zkH4vDqRj@OpQ9*ML@nzyXGI^X0FSG>>qI8y!bfUVGME{jjxGK`8% z<#nhddAFEtcxISzteW>i#QYv(ccoUeePUrzeBGw7R7;j}YmKauvRPnxy6rbP zIYqQ$(iL==FwqMA3dB&c6`hm=VU-}!!+G}O#fa??TRkkgWrZvzD|?-NefI{<#N@!e z05KK_%%zCBb>O%LXGGK*8=O}nRPd%y3f}E8ysAwcsEzv=r+BY&^voi-lU1=NQnnq? 
zW2VLnDFHAOF=9&gGyvizXdb0J7jCF@Z|3M3I2`~>$zdQP6hHCzFF3m|ApVr3EJzK- zoGvb&v|-ikpZKBpm`n{J2n2r1{h6V(2n1qxsn5Us`IA*)f&E>SZ7!Gv+qfZ4_^zlT zSXUMzT#?@zSS+)VW4Jn|bjW!~=!KT~7sGJ(j+2nBQ__ZC0#wnHt!m^Pk_AoaukWbd zjNZ<=^59U+_3rC!=Ngjjqiti&mhN;yPRri3b5f79dJ*=QoRd>T*oyA*MjV_vdV2$s z;2y4;~A$Q}ZxAJ#Pgq5bQ}M zc<^D%`0GT?iYhXX6Elpi4^6k3&}nKDT4#~@ws5Dr=q91};hLe1J&M-Up~M2hUh|c1 zLt{k@m)o8`%k3P0?waH$Vf*LLnvmkN-5ny##XBo5Nus#%`4_Ab5wtX)QN)xVKR$^Z zeRy<1J1n(Qs;_>%uQ@n!M7Nyj_4eu`GTLd53`2@jRnSSd?Dv;n)E@6D_ctw)iRQ@B z`{)E#Sj#@UWJy@4Ng!1CC6|v(MD3x#1?G~R`OQ|@Qb#*!qNw2Ib5r6BR2N^S-JoLM zGER7|-U9P|rG8sY6;YiArEqt2M~nqce%Hv&zHRe?zhQPP5Bt%1erYdW?Y8&*7N4!d zyq&h$T8NkMYqq6U#pr=9UHVTN-r?>Fiaw$x#QSq~%pLu`yYp%y6Riz2RM6+W=e&2{ z4hGQ5@RP!`2t!bhBA4nvw2qJKLo!3BEY#W*EyeO>KyI`(wH1zgDj)2MJ@JZ8A4=(K zd1%ipY;%vxN%Boqnf}G{e5fSv{<~N7jb4xlcDI ziUAUv#U6Sv?=T4=oG=+j3ICkvr1`YQD%LXgr2QBPjdo;5DXMz>luD24d-s}PXtoxG zZjbd%M8Vj=d_5b%V4rL^E3>Al_G`${hqe~l3v+aRO~}QB=(J~)$sxVN@p{j0Y)7p} zTfHkO9j_hYtmIgx{6MklU`b@$zhHWIYT%nbBBgnaFg;1~Qql`~(wc1;3RVUt;)U7@6* z!GhMCbEo41w$VW8mQ2lSBUj09Avxcfji$3(`}mmfuh|-Vu@^nhs-E8#*m3+K^G7#XA_fjP+x7NtR0Jx}+z|L*Y?wk++Pf^x^y}Szhz0 z`ukouFA`Rh2d1xIZte{0ehWgvRyOF*>#V0KC{HH|@a7t}zQHY-8CYj47)R|5R3*bG z!$MAFQNow^s5nB@;kh?2kdR`tpDwO zas(^Xd4gx*dWCI6G@3m2*^`6wQNd*r1is@BK@uM?>5nx{@eP5Vq9~Aw%Cdu06yUb) z(l7H_-1w-PQ|an)U4(Br;PMtN9mHSs=w3*@{%rk3HJ5VQIhv_>irf?JS0k&{RS3R5 z%2q`bK6S5Ew%11F1%@Rod|Y+kzv^RcSiJn1ij~y`Iac@R#XYY*bV&!r{pg*7*_ag7 z^<)*6?o{S4!z%Ffo3#afY#OiGjE^>TSy^vbv53*M@2!pQs2#jB3VAWFHLg76jd+uA z*xxX_TAV{+}IyI ziNtK#{btT$Xm?xbyyxevAc3J%0p>mQH_e(#9BrC(OT)z$v-Tj%p@&PKd}2TDYd<$% zfJIZlm>;L6>ANPk$g4|cMvvAx3)T#HcZcV^XT%-GvgVqSY-5!JkK`qLxbAaFnU1!r zOO`ZA^vkZ+9ykq$ERWYdQ9I+~vDT>aW9v9GS{3c6pQ;jGrm_(66nd~CI$u^z_2dPs zqL;R*C)4n3Ti^AmSUX-{-2+RE{R9`y8OY8Ooz-rrD^}qog7wDbkG~ zBAvqs3?MC?Lx+HffYRL^Ly2@N(p|&QDbgU_@Y{3B^I6|>-tz~%XSvQA$C>AOX2-qn zxbEv(eS(<}HFke|^B>|}7!Jm9T>{%IqL#$GiwZVbVjMiCWdablr#uz*TB<2F%-Xdv z0Gv}0H|zc?W!Ltp`>Klqy>@YaU1qHtq$K|^5oQ0bxY$Ik&ZXu^0jZhaN+n{DnR%76 
zC*>)<>Ipt=xjMZ(jq%d`2eaNnEld5`>)ThZzvSzf?|@cVJ{b1Jb_gABH!JcT-O9|W zCdv(T-su@z=sAR|HwOsha~MyM$-r)tt|?jYSOk;^XjibREl9zxTu=J6Q{uAyBfjuZ zz@B%m1!Zut5IuXZTBnwGEJ(jSZ0XiQ*sTA@9u+8a>y|ssuCMR2`3^j#<1kN3I0%eupnI7|Z#0nVZ4~jUW92Sp` zo+qygXPm#O3bpLjP(C;+Qpi2ucI10iAQF-?7CYU-CS(@OW9R;Xam@3{Xpd&Gz*Ihf zOy!$qFPrJFRm&4An_LNgRNNljq$iBsGqXk0u+WztWzC_YEX}{uEqUrX98#Zr+}L~^ zbVs~kXjhV?X7%B0`|y6>vx*{$RH>*B*@G2%Y3nhDx97qKIx~Vka4a9#4VU8{R067- z+-%6WZ4vqB6V6Sl*i8k`M3i`Lde@oGx8Pg{Tb*{H`%=doDCls9EPjQNKvQK!7ypl{ z{Bb#VZ%91X$&#R>6e3|3)$Q~3un|>qW z_PxwOR`ymyiS@Z0{$8O>@1FSM31EM2|u7Sj`X8 zv_@2m3B-?p#L;V`)-HLhXChobw{UTt!BWOW)5#`+P!f51G#R;ew7sB9k9=5aq9SPJ zqaE<0x2RjKYr`@siy+UAdA)LlMOY^&uUb|QU`y-c2XmHhRhy`2If%e5Sn|dr7($~R z))B4AQ*2AO+E?MqVG^^mxlMC&Q~I`nLMgA zynnPPzT`*MlY`K2!OXpj{i$Ybw8Ugh)mE0TMp`$K-}gmLjmM50P2IM1Ob3C7@^tcd zs|oeG#irSEoB6sG?M+k>{%tA`{Vd(spuD6FrJcoW=bbrDJ0m%1X=Swzgw>Ivq-@t! z)1lWz)!eAjwei{ud&TqZzC9bTUByH_H3FzYZ95~_dpkw%b1WkBc?(uP$+mWJQDG{T zXa+Du%Z@VEn{UB_g--)s%J}F8r=%n8z4l9!x@{a!Hl3qQXIj zYm&J^15d6<;Wm^t<76bY)PdF!Wla%I-Ywk3zQ-$&Ma&d&E^x#wa%I?HaVX|3Hs@ix zE$1hT=YG4`zBOF+cb3m7)n|3G<<}V+x!K1%{B@2x2Li~EVhq=ublR5$uD@= zWU8C;;1IWOyS5(f6I)-uL;3wc1%6l;d$7Ln`SxSXxzI1(Mje_WgYC@>vjli6bAVohol8+8^5e=u#@o z1t9wDrKQ(npLBg}_1)LYP&uGS4KW6&fmF$yqesBL)8lwp=Fn#rfD+l$*;OZY~8^Vo=ICrg3#tz&9f!ow*f+mI{Ym z!qB`~tFl$lr!fdprHU21$)-%FLEn_paeBQ$Kew`K#bN3$?>r#1vju#J`@_kxRy~_b z{RZP(swflWN=liV^N0BPydSIUhbSGJeHR=uhXMVv8w8E({8qJiM*iY?4nHYGgwq4_ zTjg1ej>#(8<$8NjO4D{^h9t9=czW(-QU`4CpdwRMD z-H5}uPXGNHWK!b1p{NaSq(_q+ry&1iAw(d4#in~kke#PfC^7z2aPQH=n3tMBhyCOSMpm0N`muovsvyd;^+0(_rhX4v)Uoo3f7_-^)aSpxL z_!u=E{SaZ9Gamx)D_(x0&?N@rRHu$pb%4OU(A#`5Ub@YFcDS<$|a0 zpl3l?8{5yf&eae~g1T^aqi6tttT5_#OP`hVHs)z9xGGN+! zNMSaaKwxSjZl0GK>}01|I;Z6`KbA%cXRy)yQ_ae2O-{67err*yCr2s$iF+`&?e`b1 zjj?r(c>w(njfU0`Bz)(`;QM9+XA>w)dO@eRsDxeB!YrHDKrJU^dh?ZRtCS}xd|e}mPN7iVc~n+LKt4b-r^u$Ld>-+mA5^0jQXUl_ zOV8yv_X@G1G_-*Jc9{LixsVBSeTQ?cM z;1KUg!SrZBl4fA3f0omH*O7MCEBNwIUNL5l}06`9;XRDl}T`Z59ZF`vFH&@Ead? 
z3Jy7*uHlElgGB=K78U(7?+Fn*^6ytJq8%+WBuR<)Ry3B|y9c_+`f~;MEVNpT^J9@H z)}*;cmxx4p8IrxzFXwttV zF^y_C(b2&|C*F>0GkIb2YX8~Z6XE0-xUeZSNZ7zw+s<8xFUd&F^19vDv)~8vwLkcI zSC?1Oi&d~W_v9NM+K{~kDL-o}Ofk`<=_dBs)uINR40TaBy+V>KVCuS))19d{jFUQ` z0BFmWKnsLwP$)?9qb1v?`spVq^#IoYv~bzxguf;+rmzw^Rv=bmgB1+u0Dso-pnQ^k z#Ky`RHmYqVxE!g=+aQ&(ds5_DjRij!yYzt z{hz9_SP5@xQJ_tmrTBdWm!!Z8a#i=tNG2%az)>=Yyj{@(ps5h~=IYVU>8Yv3>deNg z?2O-4gHGmj(2yH#KY5ENB-HiBcdXov>9tSQr8%o+^vRnH`s(9{W>(mp(tM8H*@w*} z*+&X%tQD$*cmv5_!ot~J%EfP}tP8;T)5wJe2LvmI(iKO&682flHOH z1rdr|eWIWr)03Drzu-qj3EjzstXi#}O7JiXMP<*UbRri<*OrhC zmEhsq6&{Ay^m)gF6m5ddGb{>YAg7T*k(^(WAI-ZCc2XL$K=ZvRz0C>2YU;|dFe%qc zY0(A;%MMWmpZ5KOgk?aS?V_5+{=yeT95xb2yCgxrM&snE4NnuRDbFPSt>$kk?%%=s zru(As?9}c$Smd=WP#4Rr9a8{+W|_Ly7*?B4x32m~J}!%6aiwmnLrQhKdD4C+ICMoL zfj?XsCZ9M3V-i}BNpdjX`~GS9!?X&OQKFWlR^g|)PtJ4s2a6v-SfDy_;4!zc&3G0# zxT59LxaQme1Id8Y32om%2bdO!AjrqoVKsyNiNa+v+4PR8R$Y_)`_`!^5xl5%g`bKK zg*wOYR^L&uky=#>>>Ux@xJRCKmx4Fe-2cjYd5FEE`nsuUP{~%xVvKAn#68%sygoKE zyLSklHP0}$o&t}e*yWJ%+AWIxYQx2WU;qo}iyh_0W!#VhTvk8DBj=erT2&9EW}`Wn zvmh5#VYX8PAEr?T+up4OetE8!TakI40@)wAod-}IkKmh0Lc-Z}@`%`~+;{KZ=G12> z{Ih{gki5^#+yzipA;x$a>nDX%Fp3^ytDJa*)_jW=}H)vWDH|;Ps%^N`Etgn4z2Bcx}dvETG-vPxxKOYbH4$u%at^r;_OE3(HzXW}wbO`b{H-L>(@n40ZVWmz}V z)ThH=DPljT&AJ+|FXSC9tbMdm8t224n#DOmn(#VMRpJdPWuj@UUMH&l;M^F?A}P*JmLapUg2eKP%Hf`vwl3a zmR&-wSz0&lnjOoNsPYCK!pp|!6*HcwBZ#M4Kuo%MOU9PixDqGB6Hh~CP5j5n!PnGV zJ`b*7irzHVA4gbM?69TEM`)XpZ%dVKC)1& zjkRAhv$K5rWFMLR#L!7c?M|-e#XP58lS#QZD`2cZF0!P>q=$N(ZjqN+dA_ZXWNIGw zLjG9)GJp+_&1T0ZU;(O`?xl9d7_pjVn`4nLDkgu7Dc73}>Xn+SC*IP}3KrcxUX=vC zIaXM8p4z0?(N1=><#?3nN78l3y`DpZQ(~6=osq5G7BZsOr-z8;+ecmI3N;?Y>ETMpO%Do`4i*~^nVpu+32_qtzR$63*{nKfTR| zOX-je%AGLLOPXyzyd~8Dpl;?yY{wB}9z#Jmb3en~$-6UL$=#+nT7`z8icXo{K9I+@`i; z7`TwhlkEq*<9sbT{tx5q;=lyRfY9)+s&{J%JVf|mT@904o0Y8 z(KyV2V*f+V)2kmAg-j0SG6p%_wLX}V2v*ZUSV4F6#NyFZzg=5C3^gd3JMHq_<``}) z*zLY^&1FS?^B}5ptKtHC!YVL0c;KCnKj%(a$Iwv{zRL@8bXax&%4NYtLs9P!uot3M 
z7HlfUvy5E8)wtpd`YHN3dIi62Ix=pbl)9e^v&?glVso1SvR!fPisCTpWTCO%bx&h|LB7&B!O*l`#(iPCoXDFAkM(zOA>n z_s~mpYoF9u=e`*;Y~kQpk?Z<5_4}F?ELznOAa5#}nwpBJ1S;yLQ=o_KZbOBQ=O!B4 zfT$|Aj-0;D`l*vkK_@>!KOO}d@iT$WN6`7{jzT2Gy?gDOQPn_xTZoW8w!~Zum9NfG z6Pw?z<9Q|lbpO)9r3c5#%uIR`_|ObVL>GYW#uOD9F66r32bgCdWK}`_{&bR?q^aK^f*;jBdiBy8HUN=iyYfGBe>lWDn}pWA_0sn}xV)6;^g33|Y4 zoCT;He+s;qPur%;$S-2Qe^cuChe8PWjgSoog$ptjm?V6*?yS`LVl3y%o7i z^DWUs(U#;b2mL8tREiZFLOJR?#QbEE{}gci=Bxdb7j1_Y9awpOu32GgW?uC?-81Iv z9Bb2AJu+LZi;A2ZRbMt$;0vv=i)8uU47yY6j*Mc;^d)PF?!}rW@<-|w{~QANr3Co2 z`w5GU5po>WsRZMO*8mR7m$S2l1s!uvc}k<#>fBGhb*vBA(;$PwWBK01^`wK1&9|^p zZKaczc`~pdFR7xN(<%7zfn_W@6>K9=VH#bvdW3m(y|mo&qcM|7r?hnStM-vOZG@I` zcQpas+q}b!jiQF<-9cvt!9ftn?2!$^IG1C(S%J!njIjrO?G&1DR}gi9jqKYL+4j}3ZfWg^Y8 zjQNdLEGG88cR#U7AY7EXfMx|C`Rjf=7l+)2x~Fr z+s#?gX>t5KSnO>3oQn@j#irup_vt!*O1q$*osv^?Q~nug*bYx}McVveKA}S~QILRG zcs@^-uj_|yD6A1CP)NM#(1#Dzl)~TaoUTqVGc24Uhi0yY_6DhEj~0UxlHEGjL!qE4 zj&G29w@!0+4yFo$C-U!DKPcPnFNEafos3`Ho6;4XmULy??sEsIDNvr2$8hSg!~Y7m zq)DL=TUh)WKhKCQg}m^ut$H6&lY8!LOR27ET6}l#wuP-`}wn_DYzotWL#HSGuuQ5$Bix*_R=>S<(UCHTdd*(z55aK>J!~ zSQsNmv6707s|I(x49TL$GRvsy+63%i5>r*aUB+S2ccUqA7#DTGkcJ>12eK*czUd3?e$O zK3j~H49{*jSOQ4{!3KRJo_jrsx0-VERkB|>AbD5SpeXDJKTUdoC;pQ`dLyk9Q3GpX3(c^;DjuL7^*Ue{!PhaCU*MCwZ#BT)0|C`AF`e093K?RM}*^;d?~U zoaefe&dsWhG&@8nH4c9!i;svo>oYSypQSC$iRZ0Jf#OB7E~IE(!^4Zt9xbj zQyVOk$=UNO?l*>Pm)N;lwzkS%kbBqBdYXDf4GCOc$7SR)@VjKw#Tj0i23)g5#yrgmOLRtHTub#y>xX;db*=|$3v*8x<+JDB zKMKkL?bVPY(Aqrfs9xi=NEuBgY?WAeOt`3EV?e}%0{uz^*gVSs(Whe31W`?Z1d=E? 
z8iJmI$L@eC00El-2v!Oiz^?(_$UwKHcc7+ea6BoXWv+-_K7%$~4@cC?DnGQu`e}Xp z9_&$J$=oeOxTRecIkdT0bwU{)RwaD;^BW;CaZ3$doo?%cg*kaN%a<#KJ#%#d`N`g@ zB)xpXOk%W#B4DYCR9ObC+D!sH1)jhU_Bw+BM#jA!sHW>Pa(BY)0jY56i54V#sVTf~tc>YvVU49$e!M{L5COgF zvg7i=-J-4byH~D}JCc1{?jj`!H`?3u>?#Pl*NT8FuJe93=!kd`3@76nOCRno_)JAI z7l%mH-K#ui2rA<+diIE3V=|KWov9;KOQB|Pg+D1s-Cv;3RX&(W9x=7CRjjWtZdpIj z(DgOhb@yOeKcWPYRN_p|J{Lhm6uD8KI*$t-_oL*WDc9EVShiK^ym@DmE$Dto_>G_G zco$vYKeYNJ)XGeP>K>Q?S-?G*`;E!4s{5 zDCOCaJhyEb&9r?^WGruD?BO52IMATg%Ne_uDiG;X!rjC`qFBPlw^%S=5c1xhM9t)3 zP-aB~)e3jvQ1|r08(UX7xL}|ZnT=J!I1jHl*=)IsRjq1!h*5s9(jM(K1$Ro}M01GS z`X|lgq(kGSL%nxhuCq}uSF?og&4(SmXIf23rk;eo&Rq69=iTIBU4{-1v~PoAX@SK9 z|9}$SkR<(}Fj?r7j$>05U;c`4MnPp!+@q4cNLw5ENMXTAaU-4Mi4TTT$s4`V)j`72 z7rmbA)sD@}D3vgNIgy(x>~6bu5!sCBr1hoCJm@p@n^z!A`inixF!aG@m+crxaopYf zV%J8>W0`Q=5OS^_T5WU_2dBKVd3|tsh)=f>v&L<2#on*uEda9k1`bbqURXF}_eg#u zHLPH#c-39pG`TbM=s?Tp<>_mIFzMQ?!PoDelHUW(#-%_otz|O~2Be5%d?Ou_nGyDO ze02#yd5z!fiO+y4GO6W%3WQ(u*ubxHc+fjesAULio}~##YGH&n-&%Kb zL*_{!mP21aki7olwIuq6mHaO_O3eXP6RE6*QFGoMdMXPukkZ%M4$hUk!e{<|jyDxa_r>d?}%_@Pe!97Auuk+l~p%Mrv4-e+kA#y>ZD9bEc|C(2YQ8-RSOG!cNxD znSl%Gw!%qeJuO-(uPFs0*A)!cwgtIGIu2#&N1ZwSJyB90j*f~mq?b?CgP_;K7P}sM zaEGQhDGp24)?*MCPwvqsM!)GPOp8n-VOi$FysfkR~Ek za>eFcd%&h@4^-tVBLfMtE29HS5S6Y#0;;oMVo>763oMYFQ6cglHv`NLLsgVAtWEyN zdx78C)IYy<vmeBRNN`A|=yJO`ROztA*7MwT_43mY0=V!fw9 zhbJ~Y!1MN5mjI}j?Cy%l7(5~$=3wey(eWe5MLoT<2@lFr>Q_8Qy|gA&gHvhvbmpTtWDVrq~XlXA)q@VP+K| z3V3g&0drwnUxPtg97r%mX2~b6lxtUe(qEbM7iom(2zFJOd^HD=3c6jX6sQnzbpe5} z7jN5$7-6x-wJ2?8|J#=lDi@bGS52ISz#Sv2b#+rYx6C{gf`7w;{v%*B78gtkBq^h; zj(&kpIGFjI$ubEev#olOz9anhvpnZ*^KOG1inqWlB;LThenExIQF<)k_kKil<}?1A zl-bX7&y2x!Q8A(p1cf()sythiv)L3FvxkHpB2>C>Ud71b)E(sm*j`M5!yl<3#bs{Q z2iE{c6zHD%{t`Vq#WI2ZS4Bm!Su)!J&DFDRug61PmoDM4NvWmTF01+fpww}*752$2j0>Yd~z-2pEmPuR~rw^z?J{%uxZWe!3XTzOc87(me zO>uZDo%*c_%Y+s#1a_uL^>5>P*bRiAcz~WiKtcqel&Bhb9_U!tJZB+G5x!dt7!|5P z-}J(e{xRT0&H)~*^oM*3{km?5<4j&&-RRa0`tB4MlP9hZtgjm-i@0wX-qrzpj)g!O``(gylpNLgAbD zS)eI9u&1w)rFiHh^vTdNWv}Cc;2UGUo)w$c~~ho6?z#Dt 
zz=fFxIL#6Py`^X%F$;BU4Nq|nhtAF}9W_!vM$!hKXi)%*BQxHNv zkLYGGSUlO@ZxlhlyCmb!p{ti(%mg4_it10*#i0h)=m{+gA##v_et=FcjsdEQr?&yP z-lh;jfU2iT7cI_B43ief&QaPP7#J|GP+L~PM9j|4(y%4~K8LJv%NjXEE+GYl9B5fo z)?aaw)is!|cSi?IgUHDsFk=~v5JZk3n1^Y%o!fQW9ZZOBK!6y@Fl>JnxghU_aKMNE zFiQd@q_Wo~@`?O3jRVvYph}#Xl{Em8qLPi{d|5%w@t<}92U|dytSvZ43h0k(#u?RWHbY0vqQDc zcJRW<7YlkF5s!ud6I|rxsl(wcQX9XomT>`AM3L>XJeL6Vi@uHD{ zRU-Ekl+=`>S+&+2Z1G7*vdLd%e$42?3_;*~4tl@DGw&d8)>X|0pvp%F&?;`<1lxkE zu{~}=B39H2Cabb}&>}TUMA&qh88i-%*~HrwScg^tVw^=puAQt^@sdqO-TNRA#^-!K z2dwM^`oTh3f$Q^Ku^h{QI3I!na^`CC)wa4f&4Bi1+S_!8hr;&+9GC$=n2aG`)#^yb zPr##+Is478rYe^o1;gw^ryJaxTUwNX77?=Qr~sfsObZgoyZF`lf`fyz(TIh)6Stwe zjG(bXt@^=owpFsW^r7JQ@KkHfZhQ$&jK4&J|5d&e&-WVb@X3eq21vW&S*#ee=vz9nEl`ILZXtM` zrQLwefwKNmx%}nK9!E+*(JM9I8Vnr;YIZ4re<}1PA%iG2g2-4QF@ai&rOp0#D15KvGG{8 z#$7R~0fx6F1mk(Ev}vDN_N83jTORZSK4{)b;CmMefi#DWiP*+(-#D!M^kE$~t5GbR z9uqGSY6YZwuA66Xn)9eNDA>&ze0_bD7PFI6J|p z>VKI2H#*=X{)tV%_$w;>0!K##sL8MgGfclZG-fIcE99m>XTE}z6;qyw@N)(7jLkLU+a%Tt?UCd~3lF|AX6?y{G zj}(#Kvc~nl8I@~WJUF?aPI?_*QWeihdYd?qk+UB3sIpNes(oaXWRqci zQ!R?;UjqK_f`-^(iB`th4dZjP^LvGa;A&>PwjA78Q<{Lp7vEKQ`xZnf9TH`LXdMy9 zYumy76Eq7ua;H-YxiFx*G%c%|SqY#WfQss+1(}ucwm+|9fatzIeNqb8po4$~Fc+wm z84+pJIIsZ55S0#_L1tXP0jRdKFQxmg5^{KAWh#Gh8P?*m-A+GwOlYixxA0s-qQBvM zk8NQIF)5mf1}ZVoD-P1CZkGwGy7_gT{Fm%SK7n`D z>J6|D8-1~vp5~)Eoy;sPeh>>1_m@>r!)FNa__U|DTwSO#9u;Lz6buo|8DZX{`%AB(%U=_Q8A)F zKGDVkHhUWj(?{pO9KY|}=-|bIDd@=i%bv_DKqWi`V7pvipd_sXIF5?~+nw+WwMo3l zo(8;u1M{;Y^A<7J$SC!!6daq`&zTu4hbnJi=3V1R`0J9tdzgRy-{2#72=)1QYJa#v zArH||n}^Xv;eR_v8to`8!4dDZCUzga_L5v|or$gw`%!ts00SrmYb5Ga@!CK4*@N3ehl5*2htnPZaR;x}1i(CiI>MlK`!!ZS#ekL5{&JrTQ*;JF zumsBMEFfWl?!@nQ>O4Z%p+ShsqEnv$ILS;~Ie@e=>El;#+!H4ifCb%PdVBb9hT}8A zWh`jPpy_?$KW1(_)lfieO`{NmhaZd)Q2x{Naefa#> z!2Pwnet%I(2ac3Fx)FAUKW=KEfPu?t&Q0KFGAJzgUCm%tJoTgKzPvF3_r!D{@&t@ARI0^8k8ib@|H4gUV;OC;Jc zW@;rC`t{yl|M1l zon3gJGR51LA<+AMitXJHnUMIm*1njHks&^BCmx&)tBCKZ9_-5Ezj$S|o!3jhyuqL3 zvZBcqp44NN#Ay8f*^6K6^*&YvkbJepiW>I;Uc0XL-ZaK73m`$_$qpY_-8 
z!h&He+=tzsX!lwCx{>CzZ5qW822Lt|NhUeE1{$)Y`{sNNBj{gk`peQnxJ z@#e2DdP!e8aQ5Q2`w0x?|6Tlld&fH%T%!}a1lXZZxF+v1|1lzmbRe3r5@z@{-ErCHP1 zILlkae_YKC9k}yQMg01mqAB=a+_h7B$WO2R%h~+L3h|nG2rl-s`_c11{Ynxr1@8i% z`@Q@1OJ-1**2#;g!7GdZ-!mYZA`8r9nXDYoHS9k|q#hi$Gx2w%fBnw;ir{y$DH`K= z{D+kk{fV}@hd&4({&|cBf+_eWkuEO&YuAfy&1=1&8{D1}cKh|4^AlM3>r}&pH{qZ=~1X$cpeOwKA zf2}RA&vN%iHg@jASjJcHrT-)L{?}GD2ieJM`=?)B|F|B562@1$*9=O$kN@UsT$Tmf z;j*B!HN}5Cp7#f^9iDQh-o^Q20mE*hw}UU`*so>s<^n8}q>G;0g1;X5AJ>c5=jUHG zee-~pV?=E1GCLc<`K5uxSj-Vf3q0=K3kNzpvC-y!>!SqYx~_lPF~wmp`HI8POD%W) z+#k64U?q{{a|GJ_*CL<6!@`WAMpb;W`%wi>C3$$RCaa+IA{ zrt|SfeeO-4@UNhD1Jqarw_+{x&`-%wTV%GWQC%;QaLrUFc`%DhVw9 zuV;Am+cU(a8=LgAS6IVUR~hZUA(I-B2m8j#Zdo#wW3?Jsx6RZ?#Ve~1o;|S`s4fD6jj#bl2Wb zg5A3PA6LUbFE6lON5b|z9qnvyb@cM&C}(aH;?G^2H~zLk`@plN41NJLaetaI%sb#w zulB<9XnyUvf84CNOTeeQtvqY$=0*uRRzHY|clLM1cIRl6ZF|+LolSWf2|KLW#BtE8 zACFbqNQ~9h+@=tSlF_U%QbrX*axKQCJw$>A>>qQKyoq8{NZ;1u1ClOW%ZR*=NF&Ej zTF)?Q9F2895{E+6bFMuVSC29L@K=Iv`<|23YcXfHpL8I~x(6H84!kn6IS z<~t=T-H~lGPdc!N^3xs&;B$KH*ZA#WuE*I;LW;?##>Rl*3tG6wJF?c6AIdvFTv;$< z&Uz9pmZCJ%9?{W7zicBVLaOEaerBRh;$e%Wbf!_WJ)R3RTke-M(~LP<_0`3#JJ7~h zACH#fnR+SpzH#*=FRyu@Nnjk;d*wxgX1Yo?ouYvOF?<6SndFql8tKzgHDc#ld>eS> zFKu6g)7ZKSYfU6pa@6^%y~SjJYKin{T~Rfxw*L;`^81Mke)!KW+UFR5?v#I=n@bp8 z^58U6CN2~{oWawme4P1m)nG7-%)q`!kLxq!oi*}W1|ggJ5U<-IdmQ^irTy)NXw<-Z z1vLAcpIwgo3F92SbO45Wo6FCckE-dAFM)`uFxzz_S7{Zpa(TsT=S}2=6GC~d%bn)Sv+TF^;<|KJ)nJU4Q z*B9b~0#AG-Gp3uG+(5lem2b_D5+Mi4J8pQ-L%UELQ}aUlMO!vtE+jU#I9eqIWeH4| zjVh;m1-wr_Tl59i2XYu^s*`xX8_2*O_j>UPrL-jx5gjazdZ-PkYRYYirMF4cH^`|J z@J>GGWa1V)m#d6=d3PmPiYh$ZbL~Jfm?!0F1@iHxZsLlTzaVj;_Qfe4KP_gXSu1ze z1`lsF)K!Bish4O9xLAC0%=SPyt`GJm$*&T+6f;GPG^Q_64F+6WvN zzgz2AAgp9iE+a3W<=!ekI51zBqYmq<)4pmt&G4bHs)do8lPt2aeIU~~S0VYE@`o}{ zPfdjKP0a+cN{yQYi_J8FA8YLWqc9d;5plcRtCrkPlgJ$^(z#`0Kf1J3PT2?vzIHie zYx;t&kE6FqC6E}}KUHUuYiqa}x{vXS_ws_ChKAR@;>!Gna@NJBr+wCZCh0|@_i^tf z%Xr=;px4@?jWC#95vNMX@NGy8pBqL}ljbzsgzm9#eJQ+Q=bsdmUAbAo=h^tCniB!N 
z_qFN-07{Jk?c*B!$M*r3kq{<@QNX0=u(IA{v~?*Mqy^WbcA*)2;ntt(#;>39D0X;K zYhAg1sAo1bedCr@&vo6*8ETeIY~ib)$+cmZ+{{NC=MCy^qjJon5heLH?Cvq0gB3k= zT)XZ#Lm3pG_IPva?(5nzAX#Br$VDHjWAUDPTKNX9L|UDlokPD zXn}ipf17XZlRp?o0T}W1_wSbR$SeRLblUjoSn37I7~uCoH;o;GR75?{TxQjQr0AF1 zy=5j}ShFDBG641IeU_=)=lb>2qd|kw#K&|YAlq2FeWk7M{_w|xptUK_6u?H@U_c^l z28wbtFgg~#gL^9A&wbea39ih*9)KdrT^RMF61KH;b-1Un8gT5xq(TpUb8BG}08&w) zG|e`rkOuRcbNV#8u|h@9ajmsMJTkeY>ps1-62bPo`!r9|;onUeg6MOaOd&WB5M8 z?K(Yxpj?fIr*2`F^0w#rE})FNfZ`1A7u5*U%1Btli*F0w#cphPL)@9^`o$f~sDphw z=)u}bEq2#yzsH_+MM`KBYwXdpro)#oN{@392_abi0+=S>N1=uz z27G0n25sp1Svgz8^2i<`{%L^Y9G2ggmrLqEGa%cnJ*rd3aBaS~F;x1PyORK5H!uU} zNtlJ0GoDSB1zixlCy83~==dPV19YZED1<;GmNB{aEFQiH7(tr=Kz4ut(&_Ocb2XGV z15mni8r9&mHL^-85bGtjhdFGpXeH0(=?S}zkJC8!A%f2`=MkQHyX_y<i{(z){#h0f?lV%8Ev<^Szdma>$ zCix7NzBSi5JI&dq-;L2UA>4DB1|S5mw&}p*NrC-_-B%7h z;@JgCaA9nK9{{mhxtD8_yRxPdBa4v2aJ~*u`;LGx@Mt!G2ZH$e1`#U;?y;Kch`HLc z06r)K(BWnv4hIFa!V+xkvs7WX=~o{D`v?4!@@t2=q1uJx|WD( zQ@p>lg3pgoIHmVY9RU#F8D(omXWh604eW zMt@s%PDfC@kIq3}QP^OG|4Ve>F?}3kPm_zgxUW zH;UoAo_#sfdzoOjU_DKT0^ocC^JKn)$=ROW-pV2^hP!IbDxg}yz3nJ%gn=cY}_GszwoHaakAjnH*fnzN$l(W>N4=cmYVeNgi&9uGcxHRKhAEvx+^ zcd#EDVngjPGKK8|o9HH=wP(~b<`(6&8h;|0miL=(UHt=Nqo<>?;m@Xf9o0@znl#gA ztVK>0z|Wd0EqchaF!__kMd@4tVD5kmB9UB$xNc?6^6Q%O3sN(czJ&m078NhWbaNsm z=9X1gs^8*NPqTttFj{UsPQsJ@@5)@*M;z5@y@F2qPeXV}i!$!d9jt=LyR7JZtrmFH*xzBd5ms?vqg zjW2p^n}3fBP9plmS+s^-DeMi66&H~Uk8VV9y*-{j=7Dqek+C|{sY+*1t`LHaJf42m zl~W}Tj>V&~Zg1gd9yd;B=@m-n-m8szce8uaQ_xt^AC)LY%ZAGn18TFrx6mF*nmM_Y z>pGkm4d=!=FhDPI2eyGzKt_qJ82l4l!yWNY^*_iWTa(4Gz8BVB6R_j z$ffgOjt3@C5l1S{0sKehIFIotHBcMkvJH)hzz@~<*kREb8M-9^O$1LXnxyZI74<@| zl7tr$iMVBlLBkdRPQExgfJh6X0tGY>Wu^30un7O(`5FnDM4yC;)-V;6Xn(jzjk2o) z=GfB-Z5EZ8VNFe3E|Zp_?`F2waXGn{W}9n+m}TwzEHC67Fid16!`c&MOWZ|B{N`L; z9h0c278pWskF_NK3k>E1lZh`bmKy)V7dy7O!aJIl@=P)mMyD+(d?T!m6HmcbhJDMY z!=Hd8tz1J!#Q6F+x*BI_3OU?;o0cDH%eD!>u{7FnsiB4A4S-B1Ob^-1=WZ=}PUi$A z-?R3@o5Xr%1zBe*$EtFW2TDkC1UTQ=_i@61fm$u??-%5TX~w>`QqA|>-bzBow?^^G 
zd=8?u4#=U_#SAAA>y~qoCc=l+@x=)VA2%c=hkUIfL7N1GwQAm8@tx-HbijXlbYiSq z&pr(Ju`LGlSJ(PD>cA=%KXLEk-QFAv|fN_I~ zibsAq{bvZ}=gURZ{jE72qEprmeEA(|ebsu$T)NX+d3?ORGe}1@=t`NDJ2qllH9q&* zA!jaxI*#0Y0=CXQwu1w88?SS7)}tQPLv4rW z7wUEPL(eUs^;e&33|Ww7O-@1D#VLiW;^(^o$2!`iwRQ(HfLm;)2__kZjR*Uu^$xCYllf@3`PXXfN>jk z?UTs0en5dvTId7jn4n(<%AnYakX4;xh_xa-26P1V0j}Zew*6hSA?jg#7cW+6Y7zkN z@pbEN#V$is>RNR3TfU}Dcj0R%KpTM=#;hRMMqd7zN57)NtR4GrGrnE^651qM7_10E$sMp9jNU65(01T;kf-ku}8ZMTa@x?EEPbq~ObL zPfORyi&N;65@69@r_Vf#aUW!+nISu!n%;X)Zvb5!xyXI)5a+qd@sjfj4=GKDvAaLQKDIvus zgB6HU%Lf<_BBAiSmTiOT3~EbgFj5;c%f@8-1yRp@%le*5e^g$q`<~GKnH||J=e(sn zx;{MVH!TvCe=o%pA8o4lK&$inm127d89Bj74wBq?)7qJnj{fNf-Li6E06$Nf$*J3g z+fW-=Q60;eEV@^FY_+G7EV`~ZKA+Yyb;d&6np0rlOZUdD%GdTOH>;n z#07)2n;x3q8JonnZb)iowdQYrPX-Vd&ccBXO=WT1iuYpC^E0$z)6=(#=NrQTHE4d> z#{5lyp(6)Dv!u0?Gu8#FxwLhms-aol;WJ6_cX&8O?UE z7l&8p+hxuJdU+O8eCxO3r!Q?S>*npZyOCYq!X^!ktZ%m0eS_ZPko?-kTP0}#g^+nXk*C_5zgj)juJ~d=2-pf527CKgL;EZtRqWh(ZLN08C?EF)5UJW@N-wPggg{d(|vF zEx+T-i?lHBbz8K^>S(ZAIUO%|&TGY(NC1L{o$^14NwI6Izw(A$T*Q3qquYS%R9{|> zzK@5(YAu&;pG?CQhs(>yk72pO4K+5D22Gd}mmmPxGQCwT_E*x~D)_TxF_o_yTFO*Y9&3gs>$@MKu} z(pz9P6TLWo8r3CH=Uw{OTIr9dTcp}#^kVwJQUAl~OG&(@k}a6)Q)=(wkAjA#R0gm1 zX27BLHocc!gv<5*fugr71eW4-z8skCFKFl}DX@Q_DH&q&dHPlDbA`fo z^yV60SXL$Ha)vBu6LQzm&%p?Kr>%Ug)@$@9!X?R34pC&ct};c~aKkj79nK#N%*nYk z9xQXmE!y{cZ?UG!=8N-BnFk_gY$rLVOa|1|^OPcQ{Gczno`1t!F{ZSVbHEL&3}AGU zJP6Ns9+&U>mnsER2n@Wk%d84_>Qu5-$}TSYmRwq`azco!$DpU*!Zlm0a!aV`p-HFr zva8q)e3`vbT-s6H4a8TQg$i;yfZMNPZ_vEv7PK%L8f%jPg4=+Z%vNtr(@cKb#;Yqi zOA?+OM&5JgE0KO@HnOa6bvd+r$b$00*|NOR_4ZXARf8e-!3P`PYDGtpC~x}5+F`?R zkBud7zG2Tkv#LrXv32%_z~QABuO<1Mp~F?IFl%3OkskqIU_|h{A>ON3p_Z1&gr1z4 zHnx0FP5vT1?YCFrefS=#Ci7YA=;(}Zw;Azl%evhA=w}UU_uX2E-*HS1uWnTsgHFov zZ4@V2FDF00CX}yOAP=~6`bZ+hKfG_9c12ii8M^KlvQe=m^J zl$NZ+hp4FuxYEMX%(4?(2&)1NNd1>o^$!f_dwhG!0;PD4_a@P;zm}nU4GmPO zE2FW*TT4!xyF%xMe#m#4-dy4C;j<7@&|opkDHWz}U(94+=tan;tpZ>g^t}(fF^Khf zCD&#Rf#Fmt=DOhE2+)%mnV=bzb|wegSD-PR4dy@tNIDKpeY)$FeqGQ@)7F>(zPnQEK5OtkC0_YDUh`Dh 
zB6%bH9N@|>?VZe?t?=ps8Hcqlcb4zp4bIwlKv;Sq0vSz=*XZjYv|8Hs{qeS0*2-0- z272Y|PX>w?3hg2U275ni{sDC)n)F#9<1V-t3SLys;6!p+D96%X&lUgxvWc#=*JBvF^eHi1$H>%L*J|L$^i!1YcIeE;ykF1>UTx-$C76sCyq(Hx zqsxxYS1C7)K}MDEsK!&vPY(gW^~EVMa`AyGku%r2Ti4dB=gz{-_<6o zTnm-Bljl1=Y4}=c*$%n47Q7E!D^D779*kJ=YTl-HSnhn5t9wk_XmECA{^$B*FTVR3 zRN)aE!ghyJy=>xz1e6cBLZGd;gVuPpEVgadW@>5i*|Klf)&b`Eb8#M_`n*E6bGGmt zQ|f~Snb}L5iEV#E1sU!^6fSLPA|CS}rg5b`A_!(IF%LPNh-F;hyGqGpv_&G`KeI20 z`v6o~Kl8XdtKj$w8%T($p6WLTDNnRPg~x`Bi%b4$T~$Vs$3n<<1Sv*Fs&H!C_gAvW zcgv%20+cQ+;_mW%+Dtz|L_{?1PV#sZWXs${WP<4m@UHz)6=UzKyVVp68yrg z$MS$1U<;eE_>UBt&c}^=ky;!_2V8qrm=ETouUxefYnK5-YbE zH8SD*UfPyR$no7rT=EIff;@z)@LqK+Ra%+A3D;%1#;n|If z`Xf3BLwdxUuXa7lgClFx=Y|88MO`Nc-wo&wIrn%teCEAZgMPPhYU|Q$3}}EzR4W%- z>JoDo>3{4#6C;RmoaB%7#hdxZNeK-8jKylMc&rl`Tg}(EKAj*LAjErze9dbqR$dZX zr~r85Cs<}~$AEI5a%{QtxUZPs+CctQETPTUyMLBkJZ7=DLOG5-YP~Oy{60B>Q@F0( z8RX9M-!aOF42u(BQN_nyZMLW8J5>-$OJC@H?l+4Lfx#~8`o4zP-d~;yp5j0UA>yfRDUo0?|3@>dx zGD#4cjR+R!T&-C0X%jM;s|+f))gj}&YbW`l^vIAO$6i2i;E?fEkc-e()+?u84Cm0B z-hO_g2bop^_h}nl->wfk$bC_3VLg4&ZYWvEx*asZuy#`Yev%MUjv+ndYL?AL&iB`_ zp@=oEO>H@cwjrrPBKUg*X1wW`npG-iuP?c1ejUp|>c|4IVvEVl^Xrl4z89Fv$vtSI zx#4^(XzOd;WBNgpy2P8sqF&13lWLOY%CfF&i}%>dR1Ev4oCa`Y&-uv z2!<%fqYjFaPEL4|8h9SgP!>kGE4ql!I+m|%xb#J>w7*vvx9iCao#DIYW>caf(K%sM z=Uqhb&V5{?ZX(t?h0tRZ@o=-O&K2!-xL~VF%%W^-s{E_`b~b7mm1xG-!@XKa z+Lf|$;S879_(_iMr7QglvqM&+7i8*Qg{TQp5T?&gC%sPJI;Y5| z?>^X*$#Klo%XU+;vcKDF1L-p)Sl7Yenh?)4ILlqm&zFk)dWSU3v%1?aQ?!mNa+`$y z%?+YxXVNfhFP85a2c7X=J=z0Tkx&<*sLE>jQA;%!N&c{ z%>h3L2#lm}k?Hf&3lu%aw-=smbH`S+z2!qS9@s*(#)+0TB7V;@CxJOaZRx!5d^r35 zrYnZC&*esGmo}E~Wq4XZ+pBTz+Tb_tZuQMDq~Oq#DuZvZOr6{2TF$qRhP zqc+`QsX@eP@UEF@via%qo$eU1^=ThxrD?SDXmc!j4o!Ytd3G7Z7px%5V#T`x3xDqn zl1>+G&(&iHU)b-z+{6-3@``SLa3Pem6TTJnw7z=HIP$?teQ4@SUt&79@cNCq^CCr$ zyw}nUJ6pp$X2)XLY|l^j8b;e!5^V9P#XqF@?V4ZbwJ8@wmo1FjR)U6$g(8_DKd<1d zm#BG!fbW)Z@z$ElTs$MVuXRq{>y_f0F7GxbRE{lsx}hJ<3nc0+Xn&rao{9JFP%m+@ zGW9(pNQl1vG~}$2$p2yQ&%>eK|Nn9PoJv}b_EcnPUnHdvvZW$x*>_6z?8exIqEeQK 
z>}21@zHdp$E{wq#qby?^vM*!!-k)_i=k^SOS%|KHc^x?a~gu5xA`%l&a*ZVRig zU~vm6bb~@!f*)>jK7AoMOS7+lLz~a0OD9;{e&~;)(FAT=)ruRsJ8dH;eJ*V~)W1Lb zcU6@Q$I2bg${?$JDD-^(`!+y&ASQ5rNPB=(qFcLXmj4-MlJx3QntFi@2pEvK!Rjjw zv<=q%VCYpmuCm#7-Wa)Uw6>C*-Cpd#T*Ui*4zjA{B|C4^R;iE$?SpSQ&C3=k?x_sL zYQ@*jBVI&8f-LmCj8+&qI)!F0p=NMGxJWo?S z!ux(pX&1{xLmgPruAM*e45?0{G|el@BIpPUqwSv!oRc7N3q0YvRJF+cgz<^C`NtN< z6!p?VFAbDpgIrT*dIPtsU)SJ4Cww_{G3UgyD8@RI*$s~*^V$#hLF}L_%rO}9KScx6 zFu_@(Z)9G%cVGY5hdW|JJtpX`tJ`;7dt0sW4_sj>E(nmFL~AVE+8RsRst7&5kH1;^=XL z3k9ir+N=kU*E(XF`KBnJUrxhFcc;~GNcFb|MAMST!;M?HM<$=;ZZ%!R?9QLaYrXGS z>qG3(EW-sIe1>(VR``bVPEWE-sHAcH)8v%nfPR)sxTuJT+hYR*Z|f#*V8*wd!#L~d z>lce)Q|1&$MOyc5Z1{hlgy=xw&)bye8z*@yV&}|>pCSj58TVXXdCZNe?x>Xh6dr|? zfv>L;wr-E>jzNugeo@ey7?4M`?KC)Zwx-MPQA1F<)>4MVDtHTYeNJD9!!?=SE`cBmGv>XmPxw4EZQ1nDs1@XFy-S%(R;^KcXayd zrVcm@IL(3og*8JH!~p})13Z*el4G98wjJ8WZ(XBQsmoK!rL>oO{d!OdrW~;7LT6#s3=X{Y7lVtuyPdY z*6Y3>y3meD4=uLROK^T&>Peo9KdeU8PPp=X=gZ{`_O(@{F^*N;}CF2w68}mRMHAGp6ZZHafe=(PHKYj`>%|pbCKXwRzMLZm6)ny z<|b4%EJ5SGqz;A4Ti~|*lLkkx96;AuQ8FvL8}|ESoagUc&&Er`$$j?di^*dyM5lK3 z>zT(#hMxUVW}Qf(;S)1=G$_IBwqe#1Ti4Of{20ZfaV#k`ftl^+8F(|hGM0MD9?0zZ zk5Y4*)tL&Am&A+D=h~5CS9_AgA|2|9L8J{cO0aA;gB+pkuySwKuu!hr|yjYlW(7!kT z#&1QV_iaOF<$@ua(=&2D&Pgv%@#rfp@-@^GakdwIv35cf+Ai9qaN%8K9M^xu%2Ti0 zf2V9-F{Ik5tAWBQQFhpv=izir%ic*Vr}N2QE^XzpSs)j5C#a2{#rMLtc#f5hm(}jH zDev2r!_XDRo0C)UvSec0KGdDeH9|y_`{LJew`TPMUxqxmFpNrszT) zzhPcrTh#g(GauS&k+t5-OQz!ZBW~d5t)pju@Hu20CJ3qYx9n7Q*jiXzv3NMmG;_W$ zzj=n1@B_Y}o43B{3)`+d)LR{OHy_LRn4 zfq=?lHK!C6el5}aHKX#3iY@<(sPZSoNH#*r5idg&_T|Cn+}DQ*V!<3`xl37up`Aot z-8S34l+YE`mZ3it0mj9mSfhCqNOWu6Os*^6=g0!ubZ&gUhjE0?3|a2VuD81~iksEn zDGJe!YZusS%lu~78a+ImHDs`IQ^J{0{6w8sX>qZ50w2sl3J)-5Yc{r6O3iqC=5ljE z8o6YOIlu&SVGplE%N@!t8=vAnd)|$`tBNUhg&TE{Z!Xena>|*;gwe1}X{M=#<893w z=dE7d-FFf~hxzd7=qG&o=X#kgIUOIl(KoFK@zgm<*SsfC_u`4f9??v_(qN&3x>%bK+J|J-H+walJ{2uP-wOoji_7GpUNyIi`JU z*|CBpw|D~Pa$A+GJE05l4lDF}j4p`3YR5uOYFd_IHL0u1Q;?Y26SbCxHOW?FBTn5Z zQ_9dcYZfd@o>fFof|J`bhaRFqtmx}C;uw(c62a-Qdr*gBQky$RerPx 
zIjz(%Y68{tyF_^NKp84&<){^b`-zGqD7?5$^t?NVUEx9ASnsfev9S-pd<5^^tGoKJq>o!Cp%PQ>EDy*w z*#MIaQ`3bv{+~XbTwa|$I1@&6GNA0Tb(wtH=Ic_Dgf^}E0SG?K0#<*RB>jD;E3G!)bGiW(al`*#^${sWk zGVgo1OqeP!z|VQF_tNl-CA#Hk3eocI&4}eWoZ-3>#Cm-LV%^Lhj#< ziNB#$ah|3MHAiZ3u6^NWSFTM0-Q3$Vdmc59WjCGIrK^d$sd^faJ0VdtUXNGiSoBEE zIg-zf%ie|NmAPme{#NKrF{F;n?&1zgmR}5s3U-vBK|>EE8y9OkLtH0lu91mq-D@*5 zub!OOW@GVX!Yi#!`(FONDqoP+_vv0>CFmUB-2?@|$y&7k{l3bka``_TwM0bRm_3WX zl85ffWsNQYouyGPmKmw&F?Ifv=I151YBLnB_^x-!4;$vmjfa`r1`IdF_EN+5#kwv% zK&wDrPN!GIPpfhi>Y_`Up@T4+c#;&;sgog$m7*?UXQ75jY>aUH;wqoq($^pFIo1p! z4+7=z1V6}}o!`6N5x-4sPiMt?IU~>Tmu`b2%J@0rFm-|jDD?evlSd4@T_@cmV%s~r zF;QD1yb4}rxPECZlA+?fb}5f#x#!X4_6a>pB9~wCYpvz1)2PT8YcdZWtmi(G@OP{esOF+yi+dUMVF{Jv$Yo~4Rl5=91Ym%3Lr zqUXU`Y2&H(cRzcMKf14e^t!*+bGs@zSR-52cH+jdXs_>zYq*k}SoB1(4BM2kxONq3 zEkjs$+S3ZPzCouCGuByI8E+@g%#BuC$FYf~U1mJB>pcgIa@4hi+_r2NnRY?Zb`EDK~QcpgPEO1Py zbr%x}g)>E`;>HAfNZES#tVZs;t*(;PP3L>VFqt&vP$yF_BLgP7KzAekdN}DNPB0!xDmb+VCdAu!dwtt?T-aN%GFsyFQHDifE#K_5uWqJC zMYI7S(E8Zw;>K(76eKln?%nRa@$dietXN3U?7&3It<^I*LAa(ElHb4I{=qkU5+(_^ zgI&~YpY!2Zzh&vtEL>e=_~`BHyO7*FMwVg|X66et_i!jKH^mzQx={Q84u9q23{=b? 
z)(_Lu-wQbVfLn)Ar@&Y<-t7U`ldeoR0iq9+?iMA}v@asNcinbb`WDCaH8V`GrrfCg zw|LgAHYucxNWLgziykAz@W$V2lTuUXdarT*5ov!%j3*N(7jRauWHgWAF!tj%i`~*o zoC%+BE{ek`H)}g<`^M+7g_eO#vE{T5;m&tRaS(fRd#3D3@jbtlx_&AApqo;^#^*z& z%ub-9qO>2Az@^JmaWq@Qbe*+Dco@bH;}Df}R;O*@_04Mb*V)s3KUXh% za#fL}jv7fL`gA)LS2n4+GDz0k89fQLv}m=EmPaWHiK`6gD;6{x>MQZ3C%O zY1XsSzy6Zn7$A}5oN0~;Z9-%bvCP8VV*d(z2R8K}T*shNUV&d<$S)Uu$6H&Yzj1g@ z0~_VlXE8naBLDQ|ke`W1!vWm(sO?V*OEM_Qp1>;mO>d%{zQJBRFR}RLp0JU3{^zfg z(1N|F3v2&VX7HaDM7)4f3L2jDbsqKqj{tMu0T^MDEs>GGzO^`?o6YX)rp9bpZdmSVCpKpwt0#HBwUZvK&-*^DsR)GxM zKzwmvlmomQ0bo&gF5Z^hGXtz4NdPbD%BYD3ATqrX{AdXrMpORm^$^f7UF@~?1z4&A z03Z%>2~l}1fF*hlM!WZu_KX&z@9M|xA;~HW&;88cx5u74q(V6F@S(;IDO+$UiUv#;az*1aw1vJBbmy;H z4@-U3G$6+U@*M`EzTE})7AKnTpzHN&v2p4rxBpT_{;w?(j)6>rKGf&cuSY5lQ6QRA zm)GC?!%2{mYS8X@@mS3QH8=7V?86t6;-f&~IM)>4c|27qJrogpmMgI(Cvn!zc=j7- zr)?Y9e7^pkov=$ZcgyUh9z(Rnb&ZN!K*l& z#&zw_gwU-K@gK_R4D0sXeVVhd*qkUB!fTySN?pKbTMpc9|5ikbWCNw+BE%U&4xA8^ zL>}wuA&l~~K-vlbY47*eZy31Vnh}cc!4G2V5lSS&{A`U8wZbYY--ClY^!$jHAJ|vC zxAmf9JgbGb@`{N>v|DrpR>M290;y(v^yu!bp*&lZE334 zKPa`$hyoN3<0vO>!qbzTg%mIoNu4pZ@=`-YiNx!h2Bfa2)l0d$W|S@b)s-A=f^*K zbGzm4g9}C9@a6QcGa>#O&f4c2ZM!yZpWhS6&CcLoU5RYlCw|*P5iM!jogL3|iwTTh zcE(SFBsProTtgz{P_#;n8iah)Ffbv|00RfJgx*A17Fc_4!}nNEvH8!44gttNwn!c0 zaWdXx=c;M>%;>(f5fTcL&@79Hs#C4I0g1zfMn#18+T{xQH!&*3M;XW zlSQ>1P4)G_wmgnd%zIrZWS1980@wdAVKLJrbSsLc0X5u5z_bs4KXr0Ts&%_pr#vlP z@>)Nw(2s_3Z_vC%Bmf$(qS4B9lbspb#N)X8BDxrgjD+2kwJZ?7np6J1v;c2kE8$vs4>dxucvpLdD#_Q$n>6c@cy zdpGZv+Z>{{=iK==k+Q9YnN-l z?LGz!-1~{l85%{|>g>ZNJWdQbe&|QQ{`^o9Tf8@-1@tI%_f&_fXK0l@?nrvj2IeOr z+@_&}M-ot5Q_L)|1XD%yBh${b5dK51f7ssKrffZJ@t=>{pF!9ykY2o}A0*$r+%!vU zkFc59+U9qgezg5iiH*{nCtzq7ZnXSbh{vyB|D{xohBv?0%Knc8E3{p_-Ca?(vh8X$X@9k=Xc9;hVdcpos#djx|goch~3w zdGd+z_|W`B=NrZ5g@ZTO>)A5IL1dum8?W{7mk@)<3zM!L;0%4nexcg{jA5A%5d66s zEkGFL1ApCEa}Gj71Svq-vr_MMdTc0U&^mp6oR`x$vAf^ScCz<^bQm`m|L0VFjwJK zSf2KEy@ZJULpSRl;QCjGz5Y0M65)%jF0On>R7XIN_MQyDbk+;Oec7*NH{*m&RU!@D zlVa2qICOj!T1i&|bBKdX1%hygPk~!Y!{Oe%hiy)tMl!S>spe(#L91(v6~Tads7_<% 
zt|)acn$*}ew$FNB_&+|Qzq!Tj`_cuT#;3#v!F%O_H;idt#eOmOIsVeFMErK#qiW9Y zrmU4eod8&Akiz!k$-i0V?L&&vEpILwozwA%W9ZcYHhZ{D+r6u#k;x#0scY0%YOl~; zP-gBu_BB=v6Fm$TIdPyAkdQ{^NO{C;9t64^AZ&7wCvzFXahT@4*(7>YeLBCxoFTYT zl(=fu>Jwq-)FbV_@5~Zn%)S5T0d`p~)k=!-bVyZ9)wfjuI8PY$yMq+k%oN<0MyAxw zi-zc}o9Qt5hF?E*?DhF-{@F3cI%{YLrkJzzADb<#^E8~Cg$()ll*?x-u}han^cwcm zxzo^sH^9X{97?fXakRfucV=lo8|bU*RBOqg>kBTG+TE@#KX0Z;c?<&uRu>}74^ICmimZmu4d8&2=P!> zE%R;@HLznFo6=znmo%i=v)S+Zdn9`*T)*SAsRe3`F=w!=(z$xeF<2y9g|#^OK^#-Y zg&@HwSC_=bC|BY7Kwgoayi@>~H(jt?wC?|Sbrg>dP)L@$o1J}9>wK<{Lb}@7$(5Iv z?3OG(?@q=1aOrmXOwqHkH#c~e(AT_+_~uSafhi?qXMQmiTDkUTN5+^3e%cud&+Oc1 zC|=I>@b<B26lL=`4C?qW~aXzK5X;bVbUHnmsQO*0fxf^@_fEGCo2bLG{wv_GB6; zxZUh4M3Hawen+gs0H78oO2=@0AKi!&#%WcE8;yQJoyci%Vk>a@kymn!?8V|TLS4&1 zDfr6@Q9CA1rqU9Mx(J#cx)y9Ezb%2@0gulQPk{+3leVIu1s4|qQp%W z2)Ag8-S1CT<&7an$`9POADJ1bDBZ(;|CtA<k-u5AeYr!7(TTmsH3JXQqMxRk$I zUOm(g(ojES+bdqkw`TZY+W91YCuU5gGi}*zG0&Jtqns$UT!SzAwxj}q zscLoQWrtfy)V;B93cbXkqFzaOfQZ)nT@~Sbm!kzi_+nFNfbpgiYS<$<~w1!5hM%M$|H_#*!27V%vG31iMC7 zgd8#4x+>AE>zaxsoL#wcC;McD(Gv69R^vUE+s5C3gwP~-W?8Fj{k)LpBa0TpiXpNy z@xfX%B-1@>QyHL=5k^qVGv^66L5Jq)&6AoCAsKt%+%}y+UoLJ)@r<3n3N8#qLqY0| zCX`?d7D*cq+G2IHh95P|Zn*tztizvWPx2YR+)8Xkd5#jdll7Hvp+x3smm;S|$qdh% z&HQ;OH=XWGZ&OCqcKDw{FO@aFx6HR0vB+K*?DU?Pc(Ewi)1uc`x-~)Eh*lZ3FGrso z3>vqk8Na8V4%SlRG9KZM#%DgfV_xfdwvVGllKV!ny>&jAMoZ+Ix9qpIf1}3Ghh!d> zAQJh;`{k{TPbOTCq}x`KN@H6m;bmJaN%QA)S+zT;-(h~`;z+DUk<|mm>pDQvXaOin zl_dL%8xKEiD?;L@B^~q4u2LMUF}&zf5qyekKfHvNNJQ6l=cz^Q;FT$q*H@)g&K!t zl&_@lx*+UmlYY2#^qQ`O3(6U^niW7Fa#(-pi~>1Xj=^y2=Bq;}Er)Ut9{{Gl(lJQC zUo#8zO!Y)GfX}7gr;LR-A8?+7G&cZB`JeCa)2yJETu0QS{>8CGoZT&s4%0`C!p?Lz zn;%TE|BN@|>NHF3`MS5l_3i7i*6T6OJvF`k#sO#FHTon22Pblyi>tXerDdHu_4`zC zf7J3+z=^`Ky=MoXM;MTrv1Qu*xJ8$pEOJRl_m0Y>(lKJL2wYNW{es7SUy?ae-E~G9 zX{Z~Wf$n;GP(a;ga#;?Avmgz}_d}VL*fWwr;mP))nXz@UPFStB-@Zea-L11`URnhS*J#0<-)EuVsvj9G; zGUh2@Y8m0-sR_T$WRH>GTr>aF^$e~;qPwy*U|Ry+^}&v9Ng2 zLZ*?RgmRX+SZJK_e0jDd!25E_BjT{bf(tEs1Yi2Bt;14{P%zjEUe-);L4jLHwQLydm+lQN1_3IVidfLY_y+l_je*Pb|2O 
zayM4!+q?wrB$YX~K}4^H!7iLr@6{p&BNI=rkr(R-GwOIC$;A9F%|ry*mLoaVN$loP zNNEivynTmR^g=J-wAhfAQMgt8g#|zRPK(6J+YX@Ia+e9mW6b&J^9}%UxtuwCQQ-=S zpecXkvWB5;DV>rNh)=yvW=7-0$McbX2c)9m-PPAsl!>%k6U~I}A+#ZFD#R_&O0jG# zC3R5NbtPbDK~F&Oz=Zbt3Ql8)GB+wIk)` z*YaeiLL*<^V4_*7TGnazRO$-$Ef2AmM1F74g+CVKxrkCVsOfzNhF4X6I47p{dQ7B% zi9*se2o0 zSy%!YxauV+3+EaVqnO{uh*m7vO5V7X7^&7wNx|#_6HE5x%Doqh2=8$~h|~tkWKe=M zn?3)H@Db_<_0kMpN)3fC4683c%@!YX z?qs1cx}!r=98sc!;3FN{pQ4A&$R(DbGZZiys^I$j*gdYYKbd`8aH=~;Y=Mk7*fS~< z&t=@{?53Uk4cPsGv zeBu+L3k>4W*0Qp)YCK-CSTs*IR!gi?wJ;J{Dy^8D3|&u`M%}NXJef>oOGzdjBSkJcdDG$ zZP7TOm&Z%J&*WEWEUlRDWSD8ZHV*~PR85MWdAYr);j$!0`bEG#-`8@o3!QMqp1epzi3@@7a$Ws?!ls$+sw^NPEsRMnr1vSH z>GDq0Jnpv4i)Ie|R~v5eaA65ru%by1z3EhK-!>HGZT(z{-G8!prLu-FGgn*d@nONP z%lh6nWiemOIh?jOfl{9tufJm}t&27otx<|RWBFfnrc;u61zlEE0nEXbtUT4;+CLU} zfoP|lmEVld%Y9uiFgmJ#q(igBN=n#RX_dj7iOq@U`0Ze7rCe1x~yY)OeD%8GLK^AZLVcXnbfYn67bJ5ZoAU`PCH z9U`>TJr!Qje}0gDb9;SQ+`He{YiHDFjgMlbI^(t4Y?n61R1s)uzRAgKzB}HaD z9%;>x-p6(H5A5^^jzDyrQXXDSQIsyr=&tv-ZdTpTpb>FZH{;04&C_TCDpVoq2SFwt zH0tDklcJJ*nFWDuq)o9E0^sFo;WA0kxYA8vWqUO{#-^@bC80xr&#=&u)u>Yu86EDYDmJo_c=5^l&cG#bhlCTBT<|d{lZg1 zT`pIQ4{TG8yMt|eFwG{03hTfTg>*r4UX)REQHQtcls(=L^+PGX&4dlmPv>PNq^*1;T+ zw&sY`hPZq4)aWEejfiU`4ReyW@q?y`-jD&ZlEck8hCh;exIJp~+_cKL>%c6slrN~s#tAg<{`#!Ve2b%RrC3FS#oEQ4SqPuh&m(m{Rhc^mOC~ZyfUVvWuVuNA+?IDo z^Pq;aYt`hTz zh8MU=(OF=$2ns369APGxRaN)rl#F$zcV}Db1{p?FtUH%f42;c<8jyf^WIXlb+Y2Z% z>hX2+ncKFe*wZMJc?sXJ~0SJUGVly)0A40cHnmRY-%36>(yi=6$ehBLx)aLXMSbwS;Tw z^PL!=AO382Tw4O~&sK`>TXis1uf%GcKK{=s%kSGbWss#R#vA+Y9*EPZ|Mrg{Y}4$yu1P)n%&8JYKV;rKt;aIFAFcPUZmJYb~3v#^6Th zXEUxOde>L5{n>R>)@zpxQ}}ZQS4Oy}T5vIY9IhNaoyU(En@r3x;0cs?=i{Ysx|Jb~ z+=GfO5Us&H+onujGNmjF;QLcNEnOFKxcc^_6IT>Fbe4YbS&{RI0ig1^R6GA1zqb;5 zezR&beDTj!+hs!w6x6PLQ@NLC%0&z#=Aip^*XQ^#K3Y&DyL5aL-SuBFj8o$0T1ZqF z*%oWyN3M@@+FN4o@DI~)EFP~9I-wkC&`f7Ho};1XPAkDz7#hLk&uuC=Yr9>*&^^9A zA%fk!EKe3wG`zGY+w4c%c218&X!a*-pT>1^6}~K zeXa`Bq>dED28w>nkQ@jgwq_mFpws)tx-nz;&!!5i--9g|m^1{|bB$+y946g^$Udl+ 
z>mlY-9}})Squ`a0ZP*}qEXP6~!&$lY43h?Sjoh5LqUI4KdoxQDl7Is6zEuQzx2GH? zJaXCW+*cio`ECO=LM<|?AGsVyD2Zao+np@H^2ggA7mr$L(RB)&k}y}NWx9R~4W3ZS zt3K9A?a009U?Xs?c^wrnK05NiKU>e5Dd?2gN$@UoDWXg^!R+y&yl_=2o6`09p3CNa z2Q`|=HT&VdM6<%vw(G+k)y;Ggg>=0l@+5-%>7kvBw7SsOP))5!H)~4$S#fpv_Dbyg z>;KZ|h5K@smE9xNwm?y{`te@Om`}3M%2$aglMbKTnl_LC`K(SDoLjDa!rD%Uxm&8K z=Q!7O9+XyQ&`(fXqa4crj5Sx$8g$#GsC&wea6b!u!KA#G#YfzmK2@qe7d;iKC0u|B zw{XX+uV$dMz@{*OGKqh55tM`?E5=h$Z3m%k8Z_L*R!h8c=4a3>jcTfOy&*Q|#s0Se zNG>t}F%8Q8d{)k{e+=pE!F)6jrqp&76xC6x7#91;C!pV0ib3YTUYX5*J$A~ktrEL} zWotM{4wEP_Y5>!%Dfg(K-`tftyk(h`sNNK{s+4!#Rs(xgfI7ElDwskf@4!ck&`hym zLnVgliD&ptk%cfO{P}o5)8is|?va-HbH|FRz4zA997$^nj%U_DiRSV}$_g3{(x}RI z1V8Zgp!Kbb6c8JFea&YoI%Nu`Q~_**&DB&ffCVveu~kZ-mU^|WVAio;@hpMFpEig zXP1!}ufYYpc`z6y+f@V`>(;+H&MW7zI2l2T28G?as(Tx!=)cA~tf#ig@fD`9&3%Cj z(v)&o??;KrV``+RRR`W|KCFsYf4WAKsF9+0iLF3N^&)h*%3TGc#EfW^3rrjQr(9h_ zgo?k$j^A6HOkA0ozmwLVLO870aC2TkvxuB8AMdn$5F}BY`+U+(<}>ZLp_L*yhZu7h zO@0)zXSC##Z%-7akl9r%?yKdgrE@fidc>3QQI`}`gZ#@Jed}G<9Y0cP-*A-eGnXF4 zOM}UfzPmeU@#pNh}q&M_wS8osu?Ny!NszloN(es^&il*%_y0QAq=_ z8&?k+#mroL=+YoR1^S?=dQQU_%-iF&$_6UDUtSz3h2D z1HBCA>O(bY2NEtc!-5{;I=Us#gYil~8z|dl+(9d7mY2TlNKXU;kh!C+v%%JcAa|2=7Gy9vm+-xf2*k$@)mAmXY)kn0RFh@UM&&?R`16H;_F zO1LGP1<=n6B&$a`b%ewWoy|arIWdxlnm~ni57S{dFnD zOmvFnkWc+PWz6)aaID_<&ntbn0w!~Zl{xdl;_=QQzDZlB76I+L))?)E*_NmagktOu z+3tad)>*S4(vnbc%2<>4+qR0(_3shr1xNmRvq03i&r*3zeQ8tQ)T9DqfDqv6Lgi>D~Eml8aHhQ zKo~$D-;%1F!A<<6Q0_Eoo{xb$rD5BxS9kUPUH_RaMu*{^sIxcLA2P7WyE1S=JR(-? 
z4rrac81aeq+ACI?p_j_~j?F9X?(R0jtHA`&EWxJ_EKL@^yZFw(U51Tg=mSsayjXNh zuc%i!n>t9nzSlF2XIIa@gKui~u`{hT?4lq3>BaLAKS(r)|-Liy_|Mq40r_=u8+1&zy(5}m@FZ>GIp zpF3%FWiq=+Jyj_tEmtTbC|6)Su=gA<(mRBqhbMgGFMiMUL;p-e{48NB^m^YOG5Q4E zd}}MKI2e2*N|Hq|MUDq_lw52Ln%H&F6SzpH#s3e65t7L>|7M^{6^9 zs(ib`Iq7g#7N;w?M#$3Z&n7t-H^~q6yLp`bm?F|C>a{0iHdwg-2AQMCL| zxIQ0t}H`RDe)T_V&d(qxx*cApw zcRrM4u6-}ou0O1-byzLPV!~LUjNQ$Mp-y zXreJnh!~{=bC1EX)QlkL!mD2{{c+1$gZ+A1u^E96X0$#a*DjZU}xo(X=NGMA!VGc6 zMlNz*ayE`pg9&6mZNU5Cx|jS#X9GFFNd+MqaXT?GQG$etT=k11HVg$%9i5HuyFg(0 z@Vh<1er~{5Xu%_Ol7yrB?tIG*Pffayy-RLKy1MN4-bI6JzJ*sy-HRpX{Jdxz5~Q^y z3MK_$_K2sC18=tW72Y`L5~SbRnhf*F0Fb99OlT$Zvn-6`S~z%2Ixlr+ zKJ>V5+#!CsY))?7jSMYZB3-aS69pXF0WxBaa87mlw7&lQFme*JFV zvUa>JA`EE{!?1FZ|IPfebSG4lGL*#<`HRY!ORn}K-?n%ukw51}luWI}j+E86)`}e} zX2LW73Ap*&X8JL}VVBp9IC|#S9-lc0<^{Lkk8ay|dCyxy;v*3rz9&HHBb|$p&IF7K zfZ@zYVi*GJm^1wR{1>HyQuoomRReUN9EWVpUNb<(wk6A-Lk{yL^?a!m<&4OTmy}ty zkWXDLzAj3`&Oh9G`TGTp4$aJV$Vj2}uwq&z$u32fv41ewRpi3GAMG2kRe$%tgEnzp zU@aJx7E1jx<#Tg~8+ktI=+MRnx^;ll0tZ*;%LnvP00-QJ;UYF5z4oMtYTPmQ;1uDr zG|G$TBq86aN|PVe+x0>T^zUbnb@a{s|+{oGJDZPXUn~_2uKlzrwGO~9)OTVV|PyO zUtX+OXGeTqCc1NKSAUvXv_^}_WoQW?2ra{7bVnkcX6h1LWMq7HGBAUq5vF+TBJWV3 z{2&4d1!Zd%ecHQptRS#G4|=gY5)g>3=8ug(U08=!wB+*4(9n^JrRRVl&QhV|476sB zfPV`(jN0q3IcT5*R|!)t=h)TrbE{VkOnOS~t-lKK4JSsqsCC>Sxd7JqUQ47vJltoO zh<@*oYX%u zq`61!rtWf}YQT5CRUgF8hG5AqDy9sMRWVzPgKW_|{fYHu@U5u&z*xp4un41;EfXN4 zUIJ3e_W7afr657Ryfok&4?4$f<<5@R#HbpsvrRn1Id)B4xFx;$=a`p~M7ZL-E`aMp zK(a##VP*#$=|T_oX|vez2e`nz`vX75n914j#oFs@&3^FWhg?bZ;h2~mUt4{Jk~a7S z{?&Ks8)^9+<|!TG#i((87u%4nJ6FfkL)QK8aYzRWIr(Qf`hVFv^ipfz6iWY^_>n%k$OL$6<5 zcNG)bt2J_Y@@{E=a5Cw6qZM{~%OhwD^(>KlT0)&C0hQ`HS+!SaZrl|nqWd|z^qZw4 z__)45A6&J{#|WAnBcJN41;nTnzgE|kY{x~j3N_35L?*l639VUpd%K6CuE!Uia{>Ir zaFD}wS<=v%Bl_6%7VrF5>!s+az86P&|45H@MhdMpUXDQ$u3_pqe*&|B!;-0Cm>Iv; zd#xy{iU7L& zb*jA?C#Veo(fu4ZQmR+QMACc5J9cju>*d{^VN`LD^jw{|JGEw2WAuI5k0kloB}op} zC&M_1X<()u`(bzmfLJR-Wvq@JU1@HVH29~~DQPi1?O30 
z+~JRgNKFxv?X@M3Cq_Ed(@S^Fp7LOMwYs*zY?;TiNL@U+axT&%{us-R3=X)2&{fX(TsL}UCr!=kV+Ri(2R#(= z+oFEU0xNT)x?@F^TAFIWD-+wBds#!-2gsQW z)3z3`?f7%=UN6*#+-zxJneMC5`Z6gh%)y?9_@w0Jh%Ent?OiVClxlddP615Z*RCXS zWdOJ4{(DEXZ{Do!);D(i!7C`PKSClR$SqS}{7*d)d8jViL;*J_T#mI(6ZP(+(j7kc zs-FGCYTv}$=Ca`P1$~cR{q&4KFI)gKUk;iVNm{#f2gy3)1<9sD05z_$1(<5ltyeTV zF+KL%GYt539O;arZ2KI{5Xh$;$aB;E3V(|wDZ#pQj?wfoI^ z9=RUpi{v3XT{FhqagP06o-U(iw$+N}g5#p5>+3|-`oBHFzb>cnE8y2kPt!bJ`nC0^ zD~X8!e=XVJh24hpnZbb+G+Boox3?-(Czs|=eLANU^_@8}Y|o-{ToT;jBB74#T(IdxU5 zPtdhDQ;{th6zkjL#Sb;;T8e$)ZCcXZ>G_dh_1xZhoSo;+ zU7n~)Q~qMzmNF4x~)mu#W=>lv531yyLE%GvFz zx3)aguE3ng10a%@&&TZygdg#q-+FS5bZ@;aj@3=mNoKrgz16_%<7K7j#>u{<-wRf4 zLvy$Ko?8m~vi79nVap13eqp>xlb_v0y2{*^L1)8_%5v5RII*Tt96-$0Fp(x3zB_GD%% zO_FX^McLETdpM6#?8fnVdtCA-j$=`)OVdTgDitne=6#@a@B*XVrMocE?ZR6kpUQ4P z*|CsL8dzTKY4Hd`XShMSG!~<=x1a)G&LlqVuC3LFHK>#q-?l05E;--v-{!+mEkcIe z<$hJ;*XevE|8Xr=*>XVy|5xBTgE*4_hga8X_sE{87Jr1RMQ=zkwTw_C^fA&(9zf1G=8d-H)~8q$wlC+)aOAr0txF`1j9%|Zmq z5s{}Wk?YOj!rb2l=kr9$K7^L&(m9&e9%Ad_2Q-nZp!IO$RckDPi_Ai|zt44@njoce z{sHAR?u#a+-zUO$qPWTwfJ@S@S;tLP7rUFU6`swPdS4cq!~c9NbY#^g!lPuOhkKXF zkjrKFlFpv|SqIzk+R&&@-}$1(7DApqv>zVr8N!=a%%l0}e5%N&mWuMpv>7aDt%cd> zhzx*NR-6Ue4Ly?By9$hdW>=(**U%^vqZBHTF{movaFzXqlR)4AY$SnfX1iL6PyRJ?r z`9Gtf_C_4x`h0XeMns0PY%Qv5wvWAYGQyjlofGA8B45RMbQ&VS%L!Qup#1cpp@o?x z8Ii^XX{#JNuXkSdFTT70HA|R@>QQSZ6Ro}c2`VSZx7;p;L_8?#QW7Nf2b=z2UDPn!+D^6(ah$;*@_%c*w&^Nv#Vf=iIUIn$uP zB`v}@FVd5be6*K$`0z!n!{oAx+avZww?0J4d+uwIH7O}VmB9UqK_kz!yJ!&DWQw(_ zfnM9C9Q&qAfIkfq?r1CQ%+3FrY{B4=iWF|^4A(?|9n0_Znd@KnqiOyk=TIeasx_BjsUK-dK^ciq#Dm;5!OG709E7iKIh8a{EX6aA1&H$unxJF@OB5r*tNU6+aF2Ni;hF8 zME|wL&$(-wR`XL|iPB_o#rhg0zo;;Zuwt)y%4|oEmUhoeI`@>sX0D}7;3~Z5(ulxS zY035|LGG{Jv9N!kC?99{Bb+}YbK0}WlS#eUCRxbmL;3sVD4tUcoP-hbOepabXi9#P z6})O{jQ{^_B{TnRB?D=Cg(DgFZ-hjm5tPc}j`isq+b;}_BNhv^j zeUF;;bmZG_-rkM)C%l5Z=j&Yhp1*$bnO$dHgllrwp}*#`;yaO-H z%XtLzx#DDMkL!;$pLtSh=KB098o$>ug82SP|9#Rd6td5`{Kwz(54#_&ZpT5xY}F(c zma1PS+V%(HWD5_CNqZ1h2g%?kf3H!N^GUpBW z3>gV&Kg8wYy8-9!9MGRGsR)@v+dO2*JZ~~=W1|Ws 
z$rMRs+LUSAW(~+Z&qEQJWz4Yo)|06BJ@5Jc`2P6*d4K10-uB+l{oMDu*SgkqUF&g| zx>j6c@8nhZd4^?^Q+ml}kp95d6Xj#LLUpI3hqtW#?brcXpRUASM?Oy0^B}W${-x-g zx*M1ApcvE%2w3YKMJn)n?GByQ8Cpsgb;28NOy%Z*A`Ws`*_xN-^!Wv!;64(FcXng; zC|aEE?`Kv?i+inGQ9K19GnuZiZlQ3o`K^g;iT+Zg7_eTXSE_hzE^ zE{3;z<`vheNbD`U%TS|9)!ugJiita3%9NmojCLv;e)O37)7XgkVW(WoEew`wWw|xR z$M(FQ8&My8EcVBDzjWQaPelq27Q{Sz#sq$>c6&;DKw!LA%r$Xo+=`*=P(k{kYmYs) zcH&mTlkj3k)zcPTzRQ~&b;-A&l{h7+L%%I^xq_JeUHz6c$4aA>V-?1XMaqXE*cJT7 zP|mo@@K?40th3<-MY57_-5$|vagBsXJL;<1Xkos1zczsNWMRPKVBQT0A3O2}>W=&h z+t`((93O_CQ4|MhCY@h#?sgf;IF=0ydAU{sH*U(QF3Ox|+s^(h|Bl=o9}+L?>=o&| zTrR~xiikD^(P3hKS{f(q^`rb2s?ulqRp0D&V)C3}k!{r7gu9`{e}T7;5tZ9TizeQr2nAlsX*cztEO5@_v4b>sDgUvF}*4bf() zkCm=Yb7XP5Ti>KTf#AXX!eciO>YsK zTC}b>ddR`KIzPjt^)z zi9YPbg&jx<^89*>PH9HNO{o`W9KaMf{?aTb=*~4+B#TFbQvSbJY7{0r3n22x&Dg7I zx^s0egN)rhvOnSF$raeq2|9bo)G3MR1%X7ZhbR(W`tkJ&{{RWyg4<`8yA~x+Frbs2 zGTvB#V%9mw((QT+Bjdsx-R|W4odw`9vtpai4XC@x*ci&UoAE;Lobl!&y6iTdYmX6L z7_VZ!Ik1!Ou94h133a!^GJPKO+4n2i!|-+dkdMQ~a*O9SQ?F7*g3|JeQ_yT_qPpYesGxsNf%@ zGUj2xrPlMfLO9pL`+RKClww-@+q2fOtuPiRHi$C4Yl_P18`d+e{7~F$=+f}DT+gL8g48!c$>8PfMnv)%PH4X(RO@rxwp3o zhRx-INdJ9W_RB7)fv;XQn2n;!Y5Qs8i*HocY^6;b%T=zsCi%6F#CoX<{bDrhedSWU)C zqkG;z5~T3jrwxk>qrF!~hc^t1U{W%IVFuDMg|?=m6hI*Qphe}~wYFt@7zHaNf9}%! 
zMfdfM5>6~n1ur*t-G9>Kr6NpVEYP;MPf~NH#!P$mQyrS?r~4?EaTbUiN`_q(RqU}7 zdAd*O41Q`ZPW4)MwF=JBmrTlzOpr>~c3%lQ6X71tfvS742gCJ7)8d5V(Ro+qum@at zIk-{T`t05!-JiFZ@r^xW=f_)9!yByC+lS%K_@wHS814A!NMh{yJ5e*oMfTVy>CQP< zQq={n+lYcncz>Tt8W}*$$C{G}3J5fAn4tFRlM~FiiIjkz=2PyHo>ME@4YE-RT#x&E zZe|IOpa%YF|7H3Rg2qE_E4IL2t1k(qE&Z%eJjvFX2?<1cRbNwhhBfFKXrKYE&)&D^ zLA;c*{Vus5t|p2LmOS1hPp+|W;v%yHlm`7QebJ5Ow}*qtG;JHSH;DZ_7V4f->15BW zXR~HTern&L{*Qu?3848Or_?stwSK$zfxz_`RW1MTTAF1LB33o-=rL(^Vo+R zhey3?`ttC0BvqA!RDqKGvLne?8ZGb*;J541LJSN>d-AgYK&|w;y$S%}G3ca*p$yzV zW?x181t39g!Rm_!T{{iU-P;FQa5`GTWB;RHeiDkaoT1v$eZPK>UjpLTk*)B)bSvig z9S8gr#VUU01kD+vfYg`l8*ZwXQUL;g0wMF8=0j(AwjDb`Z#q+a#~ZvFfL}^v2_*%Q z&TEQ)KI;y@uV5&kb2KG;QyMK9i0JGZZ<};%pC827>>Ke1OA^Xsh&@V1(PAVr*ac>w zx4t>VpDAKmNrSisfO0?>wAjEEyGg>2>jHiXt&aXX)B9jAP)R`LDmTZjIDC|gUjxnlhL zK>N=|RmH#g$8xuTBQJfbiEQgbL%iUDPWDHhJN`d@((g^cs|mfPMC^sR&D4cO8oDav zly|qj$d4as15qD(eEJ_*`BrRV31LIPAJbzIzrXlCjFt=`m+9KhIG+Gjzi>#G_VPb3 zp6#_y1jn`7marRrn}2c(_yFX8d1i%>A&2g7d#^uqgROsRLQGC0Ia!-GznEnoEb{)B zatzzwF^k~wUe@LJww`YLAZ&dEO{E4LmI(Z84a4RV(*OnM*r}u2K3w4LwOYupC7rn4 z2KdLiNJfIGm{RC%Q~J#>X1xeYdi;RpFEuyvMRMYBsGis>9p1O~qW<||5oh2+R!6;X z-*kGTfmY%%lG~TIAB7(236njjJn-+2B1emK_}+ymZhod=aKe&n=K&9Dq ziWA#U_m2-_Q3nvfeC#uy{pJq32wIz4aSr5L3nxd6loCe!BK|MN@s`KoQIrlnvHZRF z$ze(Ft0quy?Maqp1cCWmXuQ3%w%5fp1!A(IzWeZ_&6s=-cKYAeZkC9d(y9ekw$bL+r#ar+up!iALgeB(JV5VqrPzSNRmTnrtvR7 zw*4s7$fE?vm{M-NsDD06!hNLOuPv9j`Nbfr2G6;Rj|I2CV~7?`+;ZEkeg7k5{{GmI zWH@nr=x-51n>z@xf4Qi7e*1VO_`#!CX5Lf$Yh3NtEBpOWe*b@h$8TrB#Ilrg+s1s` zhi!X(dDY?Mnqx(?eg`29mR=(2m!U%}TL&b>k7(32R@Om)nEQI-zvzPDHV{Mtk@@Ke z^3A^|Lx&g(Hp*CRFN54(WWSm)M*Q>I-#!+jEU;f0uRRw2yN?5CT+hEp7b;Ne|@sGL2VqZoT#YdOPs1a=YO8j%Ehd zZ2ovZ5=4$q!&KZqWl>-w1k5lk zS@Z2fu>I-VKUD;YW_LAB_iX+Ns~kLvKa1rb=?^aw&1|F&|Fc87{b5HqVMzn%Vv~PI zGqCKSIq-)H1C%oe?iC`uzYSXc*P=8@!4?roJMR2DxJx0yokX5*`*%J;g1aeIxx@eZ z+naw@X#`7pr0}OA`j&Plr&MKtQfmU?hW?|^nb3d-_mkFjK@fzq9b%gSrW4jkLLt;!Hz6@=-9 zUrAFD z`4j$6dBeL5?0?Sm?`sHx62GSau{PL4`-9iEiyt_wBk|@SQWt=kg`r@dCF}k3J@e(5 
zK_x3n8z>+UPa!BPf<1}o2MUKHt%raZA=87tk{TD3^V`~u?-nW5AvthW8Dy$M{Mf+# zEzt`hGWFAaI5QP={Qy`$qhN?;-LMTXTme?NG&DNXpy~jvMM5&ny$x+jMR9M4ann?i zz*&vR{9Ln{QUWPZ4c-Qnyu<$*GkhhTC|NNMXmA&DTK*PZ4U~Y{14n<8T-=|1F}3r9 zW|&+AuNgx7%2#>Tv`^@{cF3`WE0r^UIm6Y=Q_}0{XPH0Zx9MnTIr|7v0;(%&>FtUu zYlS{nly&9qQ!?vaU=cFWSEO49Bdgx*+m%tIk)IgP25jHJQ$Q8E=c}=OGM{K5+h`lP z*xrBJHzKl)C|S`CXlTFy95e29DHU%=QbXyw004~?6u;~sO%6AHe@s%fILfbKq@eR!oUozHg-T0rEhle8NyA` zNYRjg_wF46O3gN0+FJ#BYjwnU#_$=PJJp+3L`VP9l#0M4>?G}iQWH|e!FgB)>WH0x zuE=-9!w0s?Np|*%nlE6UbM@8bM+sfRZM!*#xcyU)ojU3A9ULg0FxVG1&bQ?|-*9Fe z4SGLyDWk-`gwUqv!w#}a&%kzaQzTh_sAbN!Wt4Q}6ogYUE)n%@4DTO@0L1f8L~vcO z*^Yog;7jXWNngpF`;M(YZ4&w;t z9)b?a&?BL~bH*ZsyAjZQS3aZhhDOsKPy+Cmh?N8O(rY-+>+OEydtT7nHS5y}a6-NB z*+?^tc<0eKH0Lh-fQeyRQ@FuBpjI{4C@3rTSx7akn(8e8Dl#%A`K5C27q#GxVWE;L z0j|8aU@P$%LW9}*+VXl`Jbh2A2ZBms@x~_Y?ic22_`qB7knlo_I>IJ$LZFMe*bPqT zoALGP1H&p&>Fl@;&gA|`4jHd*w#6}#De392Iw6@iI_MFy5mNWkr?qDIZ-8?e!$B=C zm?~e3AMcnPES#&O?G00J7x~%1XpGjMhmmeY`0sY5z-yu=K-a{!ZAw;Ry89aK}_7iZlxv& z=Yfd@_q3+08!Bq=wSxT(`t3wLsK;;UNu&a3!Jm|E$e0>bwbCI1J;x`&eW?cehziiD zP&LLmtKI$U=2&9FvIEE_A_u2N4BIuUM^8-PyYT2#TSE(bA+KAXN-q?%$_K@}rYIADPlp=DE?slNHL;~w1s zKC{9Ma$vd?tc(<9Bn0b$WO=-aOlw4e*@2 zF37AGPy)^%YR(8rv82!7c_Xv4gYBdzcj3{_9BY(@&s!{Wo+>mZ*1VzJJRD0|_mN6{ z*!|I2JzPUZD!2H?nsZ5S=6E;N$mPPBM8i*Y@5RRj-U34XMz9|!9M8Yyyr8R@ul6ic zDM_O5agfK96$x()0QvZ!nG@UfZ2N zx5ohGj>&zG^&xb=Zues}naMXS@m3q@DW2?czZ}O(GLfUbAJg~;6qKw&a1p1r`R#oF zf4muYD%ORdRD<)46LH@OgMk|jj5LVp84{uhCS`O#Cget^=#vYqJa%d}GBN}d7?XAH zDPAJ7f9EoK6*SDb!e*;&y=RxE`0&$~Pnyby_kBI(jL4zQ(nRAG$iL-xjESi|WvsS7){HdOJ4exU|x?gs{gud9E3bEPaQm*f1f7)?Bs~VplcXJlC(i4HBtC zut*n_1_n2m+pbx2nTXv*Rx_pq1JiDs&FOSj#Y=AFO|N}+V)B!w%%nvf7qHw8$#P6c zI(*~o;caN=pCS1OcZeG{XTE+9(}nX^bQkT*YCL;MTUS@68+H!oop^oC$?Z`K<9WD4 zthy+t?j#f3zhvE;%6$_Izx&Kr%x$-p=Yxr&)IQfTv6n_@`O6q+ABJ6{kezkH@ zg0^d}D@)VNo!OS^AE<_JPwg02;fkfh#w=-mUw+EfVF_m`ly2-nr(_5H&9V>o=qex8 zL<(^5x=v_iIZrRN8%{G=L;)e5zhEvUhfbs>hbl!hNvl0r^psnLk=w4i0ln<$H7rkF zv8Y5$c)=@&nU%&~y-BW*WieMk7OceA1K{||o~}MwX3UU^3G`||DP&NuI*edV+9lMJ 
zU~PbH^Ig42CVIjcYpt4@s-RYQ)>_Nn^DSs1fvef%lY_M(9rieKYMb%Uv7+uA4 z)2VdvSV^(k&-!vclXETPbDaV?>}F@P3uT9PI9`-p(=n&!ju9N%C?ri_(0EHr&rO+0 zNzUDzsKq1U@NbgtIpxY5&Ah@pF>IZb#;`sksq`g-D;#JNl~_pk^aQQ5T>{O?jjoG3 ziHBc6Ga50cie9{upws`xM1Ot(*jGN1*K@?w3(eRWHeU<2)rfhYbr$B@SqJ@0-6`$M zVezB2lr|?ERNG^4?&ogL_Sfh{-8=F(SF=cKA^qC*H!7pD6o))1 zdo`}9jpcyVK;icZ6J+3e2NLms^i7_u0#f7zJ~A=4oo45VbJ3_iDhfdeEQY!?r9(55 z_4r9k1C(qZ($#ki4y8`6q57O458#YgKB97Zn0~K|_A4A*26lA7tVE1lRCb%#G=dz(q-(cwsE?+}8 zZ>!L47!f{10|k?8r2+y8R~n6`woxiqs05XAat{v5N$%dY}K{g2DBd^J22w{TY_o>811gX*h_P<4@(H#%rvIZ!o(#y@Y2QS|`S zGkR_Ag*AIo1eRP3Z|54LAODmxD;+5u=&e~Q{?`9EhKv<(f$Q(qb81x)0xZX42~hQP z(%x)z(4#V-Ds{kQ6zd(GNq|y_&1>8hwDvq<7FgtCwq0P6dG46~T40d{7Fm!Y|6fHj a&3Gn!d?)Fv*byc8?XhzB{x?hC Date: Tue, 24 Mar 2020 18:42:33 -0700 Subject: [PATCH 052/183] Update airgap docs to mention both airgap install methods - Separate out the Manually Deploy Images method from the Private Registry method -- Explain the caveat with manual image deployment (could be unmanagable for larger clusters) - Show separate tabs for installing in a single server configuration or HA configuration - Update the upgrade section to include the system upgrade controller - Various tweaks throughout to improve readability --- .../latest/en/installation/airgap/_index.md | 181 +++++++++++++++--- 1 file changed, 150 insertions(+), 31 deletions(-) diff --git a/content/k3s/latest/en/installation/airgap/_index.md b/content/k3s/latest/en/installation/airgap/_index.md index dbfe7a38898..e0db18c9fe0 100644 --- a/content/k3s/latest/en/installation/airgap/_index.md +++ b/content/k3s/latest/en/installation/airgap/_index.md 
@@ -3,32 +3,20 @@ title: "Air-Gap Install" weight: 60 --- -In this guide, we are assuming you have created your nodes in your air-gap environment and have a secure Docker private registry on your bastion server. +You can install K3s in an air-gapped environment using two different methods. You can either deploy a private registry such as on your bastion host and mirror docker.io or you can manually deploy images such as for small clusters. -# Installation Outline +# Private Registry Method -1. [Prepare Images Directory](#prepare-images-directory) -2. [Create Registry YAML](#create-registry-YAML) -3. [Install K3s](#install-k3s) +We are assuming you have already created your nodes in your air-gap environment and have a secure Docker private registry on your bastion host. -### Prepare Images Directory -Obtain the images tar file for your architecture from the [releases](https://github.com/rancher/k3s/releases) page for the version of K3s you will be running. - -Place the tar file in the `images` directory before starting K3s on each node, for example: - -```sh -sudo mkdir -p /var/lib/rancher/k3s/agent/images/ -sudo cp ./k3s-airgap-images-$ARCH.tar /var/lib/rancher/k3s/agent/images/ -``` - -### Create Registry YAML +### Create the Registry YAML Create the registries.yaml file at `/etc/rancher/k3s/registries.yaml`. This will tell K3s the necessary details to connect to your private registry. The registries.yaml file should look like this before plugging in the necessary information: ``` --- mirrors: - "mycustomreg.com:5000": + docker.io: endpoint: - "https://mycustomreg.com:5000" configs: 
@@ -37,43 +25,174 @@ configs: username: xxxxxx # this is the registry username password: xxxxxx # this is the registry password tls: - cert_file: - key_file: - ca_file: + cert_file: # path to the cert file used in the registry + key_file: # path to the key file used in the registry + ca_file: # path to the ca file used in the registry ``` Note, at this time only secure registries are supported with K3s (SSL with custom CA) -### Install K3s +1. Pull the K3s images from the k3s-images.txt file from docker.io + Note, the k3s-images.txt file is an asset on GitHub for your release. -Obtain the K3s binary from the [releases](https://github.com/rancher/k3s/releases) page, matching the same version used to get the airgap images tar. -Also obtain the K3s install script at https://get.k3s.io +2. Retag the images to the private registry. -Place the binary in `/usr/local/bin` on each node. -Place the install script anywhere on each node, name it `install.sh`. +3. Push the images to the private registry. -Install K3s on each server: +You can now go to the [Install K3s](install-k3s) section below and begin K3s installation. + + +# Manually Deploy Images Method + +We are assuming you have created your nodes in your air-gap environment. +This method requires you to manually deploy the necessary images to each node. As such, it's not recommended for larger clusters as this could be difficult to manage. + +### Prepare the Images Directory and K3s Binary +Obtain the images tar file for your architecture from the [releases](https://github.com/rancher/k3s/releases) page for the version of K3s you will be running. + +Place the tar file in the `images` directory, for example: + +```sh +sudo mkdir -p /var/lib/rancher/k3s/agent/images/ +sudo cp ./k3s-airgap-images-$ARCH.tar /var/lib/rancher/k3s/agent/images/ +``` + +Place the k3s binary at /usr/local/bin/k3s and ensure it is executable. + +Follow the steps in the next section to install K3s. 
+ +# Install K3s + +Only after you have completed either the [Private Registry Method](private-registry-method) or the [Manually Deploy Images Method](manually-deploy-images-method) above should you install K3s. + +Obtain the K3s binary from the [releases](https://github.com/rancher/k3s/releases) page, matching the same version used to get the airgap images. +Obtain the K3s install script at https://get.k3s.io + +Place the binary in `/usr/local/bin` on each node and ensure it is executable. +Place the install script anywhere on each node, and name it `install.sh`. + + +### Install Options +You can install K3s on one or more servers as described below. + +{{% tabs %}} +{{% tab "Single Server Configuration" %}} + +To install K3s on a single server simply do the following on the server node. ``` INSTALL_K3S_SKIP_DOWNLOAD=true ./install.sh ``` -Install K3s on each agent: +Then, to optionally add additional agents do the following on each agent node. Take care to ensure you replace `myserver` with the IP or valid DNS of the server and replace `mynodetoken` with the node token from the server typically at `/var/lib/rancher/k3s/server/node-token` ``` INSTALL_K3S_SKIP_DOWNLOAD=true K3S_URL=https://myserver:6443 K3S_TOKEN=mynodetoken ./install.sh ``` -Note, take care to ensure you replace `myserver` with the IP or valid DNS of the server and replace `mynodetoken` with the node-token from the server. -The node-token is on the server at `/var/lib/rancher/k3s/server/node-token` +{{% /tab %}} +{{% tab "High Availability Configuration" %}} +Reference the [High Availability with an External DB]({{< baseurl >}}/k3s/latest/en/instalaltion/ha) or [High Availability with Embedded DB (Experimental)]({{< baseurl >}}/k3s/latest/en/installatin/ha-embedded) guides. You will be tweaking install commands so you specify `INSTALL_K3S_SKIP_DOWNLOAD=true` and run your install script locally instead of via curl. You will also utilize `INSTALL_K3S_EXEC='args'` to supply any arguments to k3s. 
+ +For example, step two of the High Availability with an External DB guide mentions the following: + +``` +curl -sfL https://get.k3s.io | sh -s - server \ + --datastore-endpoint="mysql://username:password@tcp(hostname:3306)/database-name" +``` + +Instead, you would modify such examples like below: + +``` +INSTALL_K3S_SKIP_DOWNLOAD=true INSTALL_K3S_EXEC='server --datastore-endpoint="mysql://username:password@tcp(hostname:3306)/database-name"' ./install.sh +``` + +{{% /tab %}} +{{% /tabs %}} >**Note:** K3s additionally provides a `--resolv-conf` flag for kubelets, which may help with configuring DNS in air-gap networks. # Upgrading +### Install Script Method + Upgrading an air-gap environment can be accomplished in the following manner: -1. Download the new air-gap images (tar file) from the [releases](https://github.com/rancher/k3s/releases) page for the version of K3s you will be upgrading to. Place the tar in the `/var/lib/rancher/k3s/agent/images/` directory on each node. Delete the old tar file. -2. Copy and replace the old K3s binary in `/usr/local/bin` on each node. Copy over the install script at https://get.k3s.io (as it is possible it has changed since the last release). Run the script again just as you had done in the past with the same environment variables. +1. Download the new air-gap images (tar file) from the [releases](https://github.com/rancher/k3s/releases) page for the version of K3s you will be upgrading to. Place the tar in the `/var/lib/rancher/k3s/agent/images/` directory on each +node. Delete the old tar file. +2. Copy and replace the old K3s binary in `/usr/local/bin` on each node. Copy over the install script at https://get.k3s.io (as it is possible it has changed since the last release). Run the script again just as you had done in the past +with the same environment variables. 3. Restart the K3s service (if not restarted automatically by installer). 
+ + +### System Upgrade Controller Method + +As of v1.17.4+k3s1 the [System Upgrade Controller](https://github.com/rancher/system-upgrade-controller/blob/master/README.md) is supported. The system upgrade controller can be utilized in an environment that has a private registry to rollout upgrades to your cluster as directed in a new CRD the controller introduces called a **Plan**. + +First, push necessary (newer) images to the registry. Take care to replace TAG with the newer tag, using the latest stable release (tag) for each image. + +``` +rancher/k3s-upgrade:TAG +rancher/system-upgrade-controller:TAG +rancher/kubectl:TAG +``` + +Then, install the system upgrade controller by applying the manifest yaml. For example v0.3.1 is at https://github.com/rancher/system-upgrade-controller/blob/v0.3.1/manifests/system-upgrade-controller.yaml +You will need to obtain the latest release of the yaml before you apply it. + +Now, configure your system upgrade controller YAML (Plan) to your liking. Refer to the [readme](https://github.com/rancher/system-upgrade-controller/blob/master/README.md) for more information. +Below, we have provided an example for server nodes and agent nodes. You should take care to ensure each Plan you will utilize meets your needs. Please note, before you apply your Plans, ensure you have set your labels appropriately for each node. 
+ +``` +--- +# Example server upgrade plan +# Always upgrade server nodes first +apiVersion: upgrade.cattle.io/v1 +kind: Plan +metadata: + name: k3s-server-plan + namespace: system-upgrade +spec: + concurrency: 1 + version: v1.17.4-k3s1 + nodeSelector: + matchExpressions: + - {key: k3s-server-upgrade, operator: Exists} + serviceAccountName: system-upgrade + drain: + force: true + upgrade: + image: rancher/k3s-upgrade +``` + +``` +--- +# Example agent upgrade plan +# Always upgrade any agent nodes last +apiVersion: upgrade.cattle.io/v1 +kind: Plan +metadata: + name: k3s-agent-plan + namespace: system-upgrade +spec: + prepare: + image: rancher/k3s-upgrade:latest + args: ["prepare","k3s-master-plan"] + concurrency: 1 + version: v1.17.4-k3s1 + nodeSelector: + matchExpressions: + - {key: k3s-agent-upgrade, operator: Exists} + serviceAccountName: system-upgrade + drain: + force: true + upgrade: + image: rancher/k3s-upgrade +``` + +Once you have applied the necessary labels to each node you can apply your Plans. Always take care to deploy the plan for servers first before applying the plan to agents. +Based on our examples provided above, we would need to set the `k3s-server-upgrade` label for our server plan and the `k3s-agent-upgrade` label for our agent plan. + +The System Upgrade Controller will rollout the upgrade plan as per the spec for each plan. Please be patient as the rollout can take time in large clusters depending on the concurrency value. + From 052a66a145b31296ad152498f8d96d19e471c66a Mon Sep 17 00:00:00 2001 From: David Nuzik Date: Tue, 24 Mar 2020 20:16:42 -0700 Subject: [PATCH 053/183] Various tweaks to address comments - Explain what the registry yaml we suggest will accomplish - Provide docker pull, tag, push examples - Resolve issues in S.U.C. agent YAML --- .../latest/en/installation/airgap/_index.md | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) 
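Review bot: In the second hunk of PATCH 052 (`@@ -37,43 +25,174 @@`), the agent Plan sets `prepare.args` to `["prepare","k3s-master-plan"]`, but the server Plan defined just above it is named `k3s-server-plan`, so the prepare step names a Plan this page never creates; the argument should be `k3s-server-plan`. The same Plan sets `prepare.image` to `rancher/k3s-upgrade:latest` although the text tells readers to push `rancher/k3s-upgrade:TAG` to the private registry, so the example should use the pushed tag rather than `latest`. The new in-page links `(private-registry-method)` and `(manually-deploy-images-method)` lack the leading `#`, and the two High Availability URLs misspell `installation` (`instalaltion`, `installatin`).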
diff --git a/content/k3s/latest/en/installation/airgap/_index.md b/content/k3s/latest/en/installation/airgap/_index.md index e0db18c9fe0..fab40f66bb5 100644 --- a/content/k3s/latest/en/installation/airgap/_index.md +++ b/content/k3s/latest/en/installation/airgap/_index.md @@ -11,7 +11,8 @@ We are assuming you have already created your nodes in your air-gap environment ### Create the Registry YAML Create the registries.yaml file at `/etc/rancher/k3s/registries.yaml`. This will tell K3s the necessary details to connect to your private registry. -The registries.yaml file should look like this before plugging in the necessary information: +It is recommended to mirror docker.io and the following YAML will accomplish this. +Make sure you replace `mycustomreg.com` in both places, and supply the registry auth username, pass, and all tls cert paths. ``` --- @@ -34,10 +35,13 @@ Note, at this time only secure registries are supported with K3s (SSL with custo 1. Pull the K3s images from the k3s-images.txt file from docker.io Note, the k3s-images.txt file is an asset on GitHub for your release. +Example: `docker pull docker.io/rancher/coredns-coredns:1.6.3` 2. Retag the images to the private registry. +Example: `docker tag coredns-coredns:1.6.3 mycustomreg:5000/coredns-coredns` 3. Push the images to the private registry. +Example: `docker push mycustomreg:5000/coredns-coredns` You can now go to the [Install K3s](install-k3s) section below and begin K3s installation. 
@@ -142,7 +146,7 @@ Then, install the system upgrade controller by applying the manifest yaml. For e You will need to obtain the latest release of the yaml before you apply it. Now, configure your system upgrade controller YAML (Plan) to your liking. Refer to the [readme](https://github.com/rancher/system-upgrade-controller/blob/master/README.md) for more information. -Below, we have provided an example for server nodes and agent nodes. You should take care to ensure each Plan you will utilize meets your needs. Please note, before you apply your Plans, ensure you have set your labels appropriately for each node. +Below, we have provided an example for server nodes and agent nodes. You should take care to ensure each Plan you will utilize meets your needs. Please note, before you apply your Plans, ensure you have set your labels appropriately for each node and if using the examples below that you have plugged in the K3s version for each instance of `VERSION_HERE`. ``` --- @@ -155,7 +159,7 @@ metadata: namespace: system-upgrade spec: concurrency: 1 - version: v1.17.4-k3s1 + version: VERSION_HERE nodeSelector: matchExpressions: - {key: k3s-server-upgrade, operator: Exists} @@ -163,7 +167,7 @@ spec: drain: force: true upgrade: - image: rancher/k3s-upgrade + image: k3s-upgrade ``` ``` @@ -178,9 +182,9 @@ metadata: spec: prepare: image: rancher/k3s-upgrade:latest - args: ["prepare","k3s-master-plan"] + args: ["prepare","k3s-server-plan"] concurrency: 1 - version: v1.17.4-k3s1 + version: VERSION_HERE nodeSelector: matchExpressions: - {key: k3s-agent-upgrade, operator: Exists} @@ -188,7 +192,7 @@ spec: drain: force: true upgrade: - image: rancher/k3s-upgrade + image: k3s-upgrade ``` Once you have applied the necessary labels to each node you can apply your Plans. Always take care to deploy the plan for servers first before applying the plan to agents. From 015a5fe035e3ba909bbedb709174bc781c73569b Mon Sep 17 00:00:00 2001 
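Review bot: In the `@@ -34,10 +35,13 @@` hunk of PATCH 053 the three example commands do not chain: the pull fetches `docker.io/rancher/coredns-coredns:1.6.3`, the tag command names `coredns-coredns:1.6.3` without the `rancher/` prefix, and the target `mycustomreg:5000/coredns-coredns` drops both the `rancher/` path and the `:1.6.3` tag. Because the YAML above mirrors `docker.io`, the registry has to serve each image under its original path and tag, so the examples should tag and push `rancher/coredns-coredns:1.6.3` under the registry host, with the host spelled as in the endpoint (`mycustomreg.com:5000`).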
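Review bot: In the Plan hunks of PATCH 053 (`@@ -163,7 +167,7 @@` and `@@ -188,7 +192,7 @@`), `upgrade.image` changes from `rancher/k3s-upgrade` to `k3s-upgrade`, which no longer matches `prepare.image: rancher/k3s-upgrade:latest` kept as context in the same agent Plan; keep the `rancher/` prefix unless the page also explains where a bare `k3s-upgrade` image is pushed. `prepare.image` also stays on `latest` while `version` becomes `VERSION_HERE`, so the prepare image and the upgrade version are not tied to the same release; use the same placeholder in both.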
From: David Nuzik Date: Tue, 24 Mar 2020 21:18:01 -0700 Subject: [PATCH 054/183] Various tweaks to address comments 2 - Resolve issues Craig outlined: https://github.com/rancher/docs/pull/2381#pullrequestreview-380835214 https://github.com/rancher/docs/pull/2381#pullrequestreview-380837701 https://github.com/rancher/docs/pull/2381#pullrequestreview-380838546 - Fix the airgap page so we instead reference the private-registry page https://github.com/rancher/docs/pull/2381#pullrequestreview-380839331 - Modify the private-registry page so that it includes our newly added docker command examples and some other tweaks --- .../latest/en/installation/airgap/_index.md | 45 ++++--------------- .../installation/private-registry/_index.md | 25 ++++++++--- 2 files changed, 28 insertions(+), 42 deletions(-) diff --git a/content/k3s/latest/en/installation/airgap/_index.md b/content/k3s/latest/en/installation/airgap/_index.md index fab40f66bb5..3eb5a1477f8 100644 --- a/content/k3s/latest/en/installation/airgap/_index.md +++ b/content/k3s/latest/en/installation/airgap/_index.md 
@@ -3,53 +3,24 @@ title: "Air-Gap Install" weight: 60 --- -You can install K3s in an air-gapped environment using two different methods. You can either deploy a private registry such as on your bastion host and mirror docker.io or you can manually deploy images such as for small clusters. +You can install K3s in an air-gapped environment using two different methods. You can either deploy a private registry and mirror docker.io or you can manually deploy images such as for small clusters. # Private Registry Method -We are assuming you have already created your nodes in your air-gap environment and have a secure Docker private registry on your bastion host. +This document assumes you have already created your nodes in your air-gap environment and have a secure Docker private registry on your bastion host. +If you have not yet set up a private Docker registry, refer to the official documentation [here](https://docs.docker.com/registry/deploying/#run-an-externally-accessible-registry). ### Create the Registry YAML -Create the registries.yaml file at `/etc/rancher/k3s/registries.yaml`. This will tell K3s the necessary details to connect to your private registry. -It is recommended to mirror docker.io and the following YAML will accomplish this. -Make sure you replace `mycustomreg.com` in both places, and supply the registry auth username, pass, and all tls cert paths. -``` ---- -mirrors: - docker.io: - endpoint: - - "https://mycustomreg.com:5000" -configs: - "mycustomreg:5000": - auth: - username: xxxxxx # this is the registry username - password: xxxxxx # this is the registry password - tls: - cert_file: # path to the cert file used in the registry - key_file: # path to the key file used in the registry - ca_file: # path to the ca file used in the registry -``` +Follow the [Private Registry Configuration]({{< baseurl >}}/k3s/latest/en/installation/private-registry) guide to create and configure the registry.yaml file. 
-Note, at this time only secure registries are supported with K3s (SSL with custom CA) - -1. Pull the K3s images from the k3s-images.txt file from docker.io - Note, the k3s-images.txt file is an asset on GitHub for your release. -Example: `docker pull docker.io/rancher/coredns-coredns:1.6.3` - -2. Retag the images to the private registry. -Example: `docker tag coredns-coredns:1.6.3 mycustomreg:5000/coredns-coredns` - -3. Push the images to the private registry. -Example: `docker push mycustomreg:5000/coredns-coredns` - -You can now go to the [Install K3s](install-k3s) section below and begin K3s installation. +Once you have completed this, you may now go to the [Install K3s](#install-k3s) section below. # Manually Deploy Images Method We are assuming you have created your nodes in your air-gap environment. -This method requires you to manually deploy the necessary images to each node. As such, it's not recommended for larger clusters as this could be difficult to manage. +This method requires you to manually deploy the necessary images to each node and is appropriate for edge deployments where running a private registry is not practical. ### Prepare the Images Directory and K3s Binary Obtain the images tar file for your architecture from the [releases](https://github.com/rancher/k3s/releases) page for the version of K3s you will be running. 
@@ -67,7 +38,7 @@ Follow the steps in the next section to install K3s. # Install K3s -Only after you have completed either the [Private Registry Method](private-registry-method) or the [Manually Deploy Images Method](manually-deploy-images-method) above should you install K3s. +Only after you have completed either the [Private Registry Method](#private-registry-method) or the [Manually Deploy Images Method](#manually-deploy-images-method) above should you install K3s. Obtain the K3s binary from the [releases](https://github.com/rancher/k3s/releases) page, matching the same version used to get the airgap images. Obtain the K3s install script at https://get.k3s.io @@ -97,7 +68,7 @@ INSTALL_K3S_SKIP_DOWNLOAD=true K3S_URL=https://myserver:6443 K3S_TOKEN=mynodetok {{% /tab %}} {{% tab "High Availability Configuration" %}} -Reference the [High Availability with an External DB]({{< baseurl >}}/k3s/latest/en/instalaltion/ha) or [High Availability with Embedded DB (Experimental)]({{< baseurl >}}/k3s/latest/en/installatin/ha-embedded) guides. You will be tweaking install commands so you specify `INSTALL_K3S_SKIP_DOWNLOAD=true` and run your install script locally instead of via curl. You will also utilize `INSTALL_K3S_EXEC='args'` to supply any arguments to k3s. +Reference the [High Availability with an External DB]({{< baseurl >}}/k3s/latest/en/installation/ha) or [High Availability with Embedded DB (Experimental)]({{< baseurl >}}/k3s/latest/en/installation/ha-embedded) guides. You will be tweaking install commands so you specify `INSTALL_K3S_SKIP_DOWNLOAD=true` and run your install script locally instead of via curl. You will also utilize `INSTALL_K3S_EXEC='args'` to supply any arguments to k3s. For example, step two of the High Availability with an External DB guide mentions the following: diff --git a/content/k3s/latest/en/installation/private-registry/_index.md b/content/k3s/latest/en/installation/private-registry/_index.md index 6160866e13a..ac068a6f423 100644 
--- a/content/k3s/latest/en/installation/private-registry/_index.md +++ b/content/k3s/latest/en/installation/private-registry/_index.md @@ -25,7 +25,7 @@ Mirrors is a directive that defines the names and endpoints of the private regis ``` mirrors: - "mycustomreg.com:5000": + docker.io: endpoint: - "https://mycustomreg.com:5000" ``` @@ -59,7 +59,7 @@ Below are examples showing how you may configure `/etc/rancher/k3s/registries.ya ``` mirrors: - "mycustomreg.com:5000": + docker.io: endpoint: - "https://mycustomreg.com:5000" configs: @@ -78,7 +78,7 @@ configs: ``` mirrors: - "mycustomreg.com:5000": + docker.io: endpoint: - "https://mycustomreg.com:5000" configs: @@ -101,7 +101,7 @@ Below are examples showing how you may configure `/etc/rancher/k3s/registries.ya ``` mirrors: - "mycustomreg.com:5000": + docker.io: endpoint: - "http://mycustomreg.com:5000" configs: @@ -116,7 +116,7 @@ configs: ``` mirrors: - "mycustomreg.com:5000": + docker.io: endpoint: - "http://mycustomreg.com:5000" ``` @@ -127,3 +127,18 @@ mirrors: > In case of no TLS communication, you need to specify `http://` for the endpoints, otherwise it will default to https. In order for the registry changes to take effect, you need to restart K3s on each node. + +# Adding Images to the Private Registry + +First, obtain the k3s-images.txt file from GitHub for the release you are working with. +Pull the K3s images listed on the k3s-images.txt file from docker.io + +Example: `docker pull docker.io/rancher/coredns-coredns:1.6.3` + +Then, retag the images to the private registry. + +Example: `docker tag coredns-coredns:1.6.3 mycustomreg:5000/coredns-coredns` + +Last, push the images to the private registry. + +Example: `docker push mycustomreg:5000/coredns-coredns` From 5779ef5b2728408afca683c00631031b2be692e5 Mon Sep 17 00:00:00 2001 
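Review bot: In the first airgap hunk of PATCH 054 (`@@ -3,53 +3,24 @@`), the new sentence tells readers to "create and configure the registry.yaml file", but the path in the line this hunk removes is `/etc/rancher/k3s/registries.yaml`; use `registries.yaml` and keep the full path on this page. The hunk also deletes "Note, at this time only secure registries are supported with K3s (SSL with custom CA)" without a replacement, while the linked page carries `http://` examples, so say here whether a plaintext registry is acceptable for an air-gap install.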
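Review bot: In the private-registry hunks of PATCH 054 at `@@ -101,7 +101,7 @@` and `@@ -116,7 +116,7 @@`, the mirror key becomes `docker.io` on examples whose endpoint is `http://mycustomreg.com:5000`, so as written every docker.io pull on the node is served over plaintext HTTP, and the first of these examples is followed by a `configs:` block. Add a caveat beside these examples that image content and anything configured for that endpoint travel unprotected, or keep the `http://` variant under a named non-default registry key. The appended "Adding Images to the Private Registry" section (`@@ -127,3 +127,18 @@`) repeats the tag and push examples that drop `rancher/` and `:1.6.3`.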
From: Craig Jellick Date: Tue, 24 Mar 2020 19:48:13 -0700 Subject: [PATCH 055/183] Add docs for automated k3s upgrades --- content/k3s/latest/en/upgrades/_index.md | 40 +----- .../latest/en/upgrades/automated/_index.md | 115 ++++++++++++++++++ .../k3s/latest/en/upgrades/basic/_index.md | 44 +++++++ 3 files changed, 162 insertions(+), 37 deletions(-) create mode 100644 content/k3s/latest/en/upgrades/automated/_index.md create mode 100644 content/k3s/latest/en/upgrades/basic/_index.md diff --git a/content/k3s/latest/en/upgrades/_index.md b/content/k3s/latest/en/upgrades/_index.md index 3ce3a0591a3..58c34361b0a 100644 --- a/content/k3s/latest/en/upgrades/_index.md +++ b/content/k3s/latest/en/upgrades/_index.md 
@@ -3,42 +3,8 @@ title: "Upgrades" weight: 25 --- -You can upgrade K3s by using the installation script, or by manually installing the binary of the desired version. +This section describes how to upgrade your K3s cluster. ->**Note:** When upgrading, upgrade server nodes first one at a time, then any worker nodes. +[Upgrade basics]({{< baseurl >}}/k3s/latest/en/upgrades/basic/) describes several techniques for upgrading your cluster manually. It can also be used as a basis for upgrading through third-party Infrastructure-as-Code tools like [Terraform](https://www.terraform.io/). -### Upgrade K3s Using the Installation Script - -To upgrade K3s from an older version you can re-run the installation script using the same flags, for example: - -```sh -curl -sfL https://get.k3s.io | sh - -``` - -If you want to upgrade to specific version you can run the following command: - -```sh -curl -sfL https://get.k3s.io | INSTALL_K3S_VERSION=vX.Y.Z-rc1 sh - -``` - -### Manually Upgrade K3s Using the Binary - -Or to manually upgrade K3s: - -1. Download the desired version of K3s from [releases](https://github.com/rancher/k3s/releases/latest) -2. Install to an appropriate location (normally `/usr/local/bin/k3s`) -3. Stop the old version -4. Start the new version - -### Restarting K3s - -Restarting K3s is supported by the installation script for systemd and openrc. -To restart manually for systemd use: -```sh -sudo systemctl restart k3s -``` - -To restart manually for openrc use: -```sh -sudo service k3s restart -``` \ No newline at end of file +[Automated upgrades]({{< baseurl >}}/k3s/latest/en/upgrades/automated/) describes how to perform Kubernetes-native automated upgrades using Rancher's [system-upgrade-controller](https://github.com/rancher/system-upgrade-controller). diff --git a/content/k3s/latest/en/upgrades/automated/_index.md b/content/k3s/latest/en/upgrades/automated/_index.md new file mode 100644 index 00000000000..c595431182d --- /dev/null 
+++ b/content/k3s/latest/en/upgrades/automated/_index.md 
@@ -0,0 +1,115 @@ +--- +title: "Automated Upgrades" +weight: 20 +--- + +>**Note:** This feature is available as of [v1.17.4+k3s1](https://github.com/rancher/k3s/releases/tag/v1.17.4%2Bk3s1) + +### Overview + +You can manage K3s cluster upgrades using Rancher's system-upgrade-controller. This is a Kubernetes-native approach to cluster upgrades. It leverages a [custom resource definition (CRD)](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/#custom-resources), the `plan`, and a [controller](https://kubernetes.io/docs/concepts/architecture/controller/) that schedules upgrades based on the configured plans. + +A plan defines upgrade policies and requirements. This documentation will provide plans with defaults appropriate for upgrading a K3s cluster. For more advanced plan configuration options, please review the [CRD](https://github.com/rancher/system-upgrade-controller/blob/master/pkg/apis/upgrade.cattle.io/v1/types.go). + +The controller schedules upgrades by monitoring plans and selecting nodes to run upgrade [jobs](https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/) on. A plan defines which nodes should be upgraded through a [label selector](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/). When a job has run to completion successfully, the controller will label the node on which it ran accordingly. + +>**Note:** The upgrade job that is launched must be highly privileged. 
It is configured with the following: +> +- Host `IPC`, `NET`, and `PID` namespaces +- The `CAP_SYS_BOOT` capability +- Host root mounted at `/host` with read and write permissions + +For more details on the design and architecture of the system-upgrade-controller or its integration with K3s, see the following Git repositories: + +- [system-upgrade-controller](https://github.com/rancher/system-upgrade-controller) +- [k3s-upgrade](https://github.com/rancher/k3s-upgrade) + +To automate upgrades in this manner you must: + +1. Install the system-upgrade-controller into your cluster +1. Configure plans + + +### Install the system-upgrade-controller +The system-upgrade-controller can be installed as a deployment into your cluster. The deployment requires a service-account, clusterRoleBinding, and a configmap. To install these components, run the following command: +``` +kubectl apply -f https://raw.githubusercontent.com/rancher/system-upgrade-controller/master/manifests/system-upgrade-controller.yaml +``` +The controller can be configured and customized via the previously mentioned configmap, but the controller must be redeployed for the changes to be applied. + + +### Configure plans +It is recommended that you minimally create two plans: a plan for upgrading server (master) nodes and a plan for upgrading agent (worker) nodes. As needed, you can create additional plans to control the rollout of the upgrade across nodes. The following two example plans will upgrade your cluster to K3s v1.17.4+k3s1. Once the plans are created, the controller will pick them up and begin to upgrade your cluster. 
+``` +# Server plan +apiVersion: upgrade.cattle.io/v1 +kind: Plan +metadata: + name: server-plan + namespace: system-upgrade +spec: + concurrency: 1 + cordon: true + nodeSelector: + matchExpressions: + - key: node-role.kubernetes.io/master + operator: In + values: + - "true" + serviceAccountName: system-upgrade + upgrade: + image: rancher/k3s-upgrade + version: v1.17.4+k3s1 +--- +# Agent plan +apiVersion: upgrade.cattle.io/v1 +kind: Plan +metadata: + name: agent-plan + namespace: system-upgrade +spec: + concurrency: 1 + cordon: true + nodeSelector: + matchExpressions: + - key: node-role.kubernetes.io/master + operator: DoesNotExist + prepare: + args: + - prepare + - server-plan + image: rancher/k3s-upgrade:v1.17.4-k3s1 + serviceAccountName: system-upgrade + upgrade: + image: rancher/k3s-upgrade + version: v1.17.4+k3s1 +``` +There are a few important things to call out regarding these plans: + +First, the plans must be created in the same namespace where the controller was deployed. + +Second, the `concurrency` field indicates how many nodes can be upgraded at the same time. + +Third, the server-plan targets server nodes by specifying a label selector that selects nodes with the `node-role.kubernetes.io/master` label. The agent-plan targets agent nodes by specifying a label selector that select nodes without that label. + +Fourth, the `prepare` step in the agent-plan will cause upgrade jobs for that plan to wait for the server-plan to complete before they execute. + +Fifth, both plans have the `version` field set to v1.17.4+k3s1. Alternatively, you can omit the `version` field and set the `channel` field to a URL that resolves to a release of K3s. This will cause the controller to monitor that URL and upgrade the cluster any time it resolves to a new release. This is designed specifically to work with the [latest release functionality of GitHub](https://help.github.com/en/github/administering-a-repository/linking-to-releases). 
Thus, you can configure your plans with the following channel to ensure your cluster is always automatically upgraded to the latest release of K3s: +``` +apiVersion: upgrade.cattle.io/v1 +kind: Plan +... +spec: + ... + channel: https://github.com/rancher/k3s/releases/latest + +``` + +As stated, the upgrade will begin as soon as the controller detects that a plan was created. Updating a plan will cause the controller to re-evaluate the plan and determine if another upgrade is needed. + +You can monitor the progress of an upgrade by viewing the plan and jobs via kubectl: +``` +kubectl -n system-upgrade get plans -o yaml +kubectl -n system-upgrade get jobs -o yaml +``` + diff --git a/content/k3s/latest/en/upgrades/basic/_index.md b/content/k3s/latest/en/upgrades/basic/_index.md new file mode 100644 index 00000000000..6311b045764 --- /dev/null +++ b/content/k3s/latest/en/upgrades/basic/_index.md 
@@ -0,0 +1,44 @@ +--- +title: "Upgrade Basics" +weight: 10 +--- + +You can upgrade K3s by using the installation script, or by manually installing the binary of the desired version. + +>**Note:** When upgrading, upgrade server nodes first one at a time, then any worker nodes. + +### Upgrade K3s Using the Installation Script + +To upgrade K3s from an older version you can re-run the installation script using the same flags, for example: + +```sh +curl -sfL https://get.k3s.io | sh - +``` + +If you want to upgrade to specific version you can run the following command: + +```sh +curl -sfL https://get.k3s.io | INSTALL_K3S_VERSION=vX.Y.Z-rc1 sh - +``` + +### Manually Upgrade K3s Using the Binary + +Or to manually upgrade K3s: + +1. Download the desired version of the K3s binary from [releases](https://github.com/rancher/k3s/releases) +2. Copy the downloaded binary to `/usr/local/bin/k3s` (or your desired location) +3. Stop the old k3s binary +4. Launch the new k3s binary + +### Restarting K3s + +Restarting K3s is supported by the installation script for systemd and openrc. +To restart manually for systemd use: +```sh +sudo systemctl restart k3s +``` + +To restart manually for openrc use: +```sh +sudo service k3s restart +``` From 05ee3bb540c26f3744fe9de070bc8a79d7a96830 Mon Sep 17 00:00:00 2001 From: David Nuzik Date: Tue, 24 Mar 2020 21:55:53 -0700 Subject: [PATCH 056/183] Modify system upgrade controller upgrade section - Address comment https://github.com/rancher/docs/pull/2381#pullrequestreview-380841861 -- This modifies the section and now calls it Automated upgrades. The necessary images to add to the private registry are listed and the guide now links to the Automated Upgrades guide. --- .../latest/en/installation/airgap/_index.md | 66 ++----------------- 1 file changed, 4 insertions(+), 62 deletions(-) diff --git a/content/k3s/latest/en/installation/airgap/_index.md b/content/k3s/latest/en/installation/airgap/_index.md index 3eb5a1477f8..fc2df77bf89 100644 
--- a/content/k3s/latest/en/installation/airgap/_index.md +++ b/content/k3s/latest/en/installation/airgap/_index.md @@ -101,11 +101,11 @@ with the same environment variables. 3. Restart the K3s service (if not restarted automatically by installer). -### System Upgrade Controller Method +### Automated Upgrades Method -As of v1.17.4+k3s1 the [System Upgrade Controller](https://github.com/rancher/system-upgrade-controller/blob/master/README.md) is supported. The system upgrade controller can be utilized in an environment that has a private registry to rollout upgrades to your cluster as directed in a new CRD the controller introduces called a **Plan**. - -First, push necessary (newer) images to the registry. Take care to replace TAG with the newer tag, using the latest stable release (tag) for each image. +As of v1.17.4+k3s1 the [System Upgrade Controller](https://github.com/rancher/system-upgrade-controller/blob/master/README.md) is supported. The system upgrade controller can be utilized in an environment that has a private registry to rollout upgrades to your cluster as directed in a new CRD the controller introduces called a **Plan**. + +>**Note:** In order to leverage automated upgrades with the System Upgrade Controller in an airgapped environemnt, push the necessary images to the registry. Take care to replace TAG with the latest stable release (tag) for each image. After you have completed this, you can then follow the [Automated upgrades]({{< baseurl >}}/k3s/latest/en/upgrades/automated/) guide to learn more about the System Upgrade Controller and how to configure it. ``` rancher/k3s-upgrade:TAG 
@@ -113,61 +113,3 @@ rancher/system-upgrade-controller:TAG rancher/kubectl:TAG ``` -Then, install the system upgrade controller by applying the manifest yaml. For example v0.3.1 is at https://github.com/rancher/system-upgrade-controller/blob/v0.3.1/manifests/system-upgrade-controller.yaml -You will need to obtain the latest release of the yaml before you apply it. - -Now, configure your system upgrade controller YAML (Plan) to your liking. Refer to the [readme](https://github.com/rancher/system-upgrade-controller/blob/master/README.md) for more information. -Below, we have provided an example for server nodes and agent nodes. You should take care to ensure each Plan you will utilize meets your needs. Please note, before you apply your Plans, ensure you have set your labels appropriately for each node and if using the examples below that you have plugged in the K3s version for each instance of `VERSION_HERE`. - -``` ---- -# Example server upgrade plan -# Always upgrade server nodes first -apiVersion: upgrade.cattle.io/v1 -kind: Plan -metadata: - name: k3s-server-plan - namespace: system-upgrade -spec: - concurrency: 1 - version: VERSION_HERE - nodeSelector: - matchExpressions: - - {key: k3s-server-upgrade, operator: Exists} - serviceAccountName: system-upgrade - drain: - force: true - upgrade: - image: k3s-upgrade -``` - -``` ---- -# Example agent upgrade plan -# Always upgrade any agent nodes last -apiVersion: upgrade.cattle.io/v1 -kind: Plan -metadata: - name: k3s-agent-plan - namespace: system-upgrade -spec: - prepare: - image: rancher/k3s-upgrade:latest - args: ["prepare","k3s-server-plan"] - concurrency: 1 - version: VERSION_HERE - nodeSelector: - matchExpressions: - - {key: k3s-agent-upgrade, operator: Exists} - serviceAccountName: system-upgrade - drain: - force: true - upgrade: - image: k3s-upgrade -``` - -Once you have applied the necessary labels to each node you can apply your Plans. 
Always take care to deploy the plan for servers first before applying the plan to agents. -Based on our examples provided above, we would need to set the `k3s-server-upgrade` label for our server plan and the `k3s-agent-upgrade` label for our agent plan. - -The System Upgrade Controller will rollout the upgrade plan as per the spec for each plan. Please be patient as the rollout can take time in large clusters depending on the concurrency value. - From 6486a87e3ee16ff107d9978c1bdb51eb1d5b42e9 Mon Sep 17 00:00:00 2001 From: Craig Jellick Date: Wed, 25 Mar 2020 08:22:11 -0700 Subject: [PATCH 057/183] Update url for upgrade-controller manifest --- content/k3s/latest/en/upgrades/automated/_index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/k3s/latest/en/upgrades/automated/_index.md b/content/k3s/latest/en/upgrades/automated/_index.md index c595431182d..3ac8143052e 100644 --- a/content/k3s/latest/en/upgrades/automated/_index.md +++ b/content/k3s/latest/en/upgrades/automated/_index.md @@ -33,7 +33,7 @@ To automate upgrades in this manner you must: ### Install the system-upgrade-controller The system-upgrade-controller can be installed as a deployment into your cluster. The deployment requires a service-account, clusterRoleBinding, and a configmap. To install these components, run the following command: ``` -kubectl apply -f https://raw.githubusercontent.com/rancher/system-upgrade-controller/master/manifests/system-upgrade-controller.yaml +kubectl apply -f https://github.com/rancher/system-upgrade-controller/releases/download/v0.4.0/system-upgrade-controller.yaml ``` The controller can be configured and customized via the previously mentioned configmap, but the controller must be redeployed for the changes to be applied. From de2e81292ef1d7fa6a14c86bce0eabc65b6f03a7 Mon Sep 17 00:00:00 2001 
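Review bot: In the new upgrades/automated/_index.md, the `channel: https://github.com/rancher/k3s/releases/latest` example under "Fifth" is never tied back to the earlier note that upgrade jobs run with the host `IPC`, `NET` and `PID` namespaces, `CAP_SYS_BOOT`, and the host root mounted read-write at `/host`. With a channel set, whatever that URL resolves to is pulled and run with those privileges, with no operator step in between. The section should say so and recommend the pinned `version` form where upgrades need review before rollout. Two smaller points in the same file: the bullet list after `>**Note:**` is not prefixed with `>`, so it will render outside the note. The agent plan also pins `prepare.image` to `rancher/k3s-upgrade:v1.17.4-k3s1` separately from `version: v1.17.4+k3s1`, a second place to update that the text does not mention.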
From: David Nuzik Date: Thu, 26 Mar 2020 14:55:28 -0700 Subject: [PATCH 058/183] Fix Automated Upgrades section of Airgap doc Addresses concerns outlined here: https://github.com/rancher/docs/pull/2381#pullrequestreview-382323414 - fix S.U.C. capitalization and format - Remove S.U.C. explanation as this is covered in the Automated Upgrades guide - Rephrase and reformat things as recommended by Craig. the latest version of the S.U.C. manifest YAML is now hyperlinked and an example provided for v0.4.0 --- .../k3s/latest/en/installation/airgap/_index.md | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/content/k3s/latest/en/installation/airgap/_index.md b/content/k3s/latest/en/installation/airgap/_index.md index fc2df77bf89..cedbabd58ac 100644 --- a/content/k3s/latest/en/installation/airgap/_index.md +++ b/content/k3s/latest/en/installation/airgap/_index.md 
@@ -103,13 +103,16 @@ with the same environment variables. ### Automated Upgrades Method -As of v1.17.4+k3s1 the [System Upgrade Controller](https://github.com/rancher/system-upgrade-controller/blob/master/README.md) is supported. The system upgrade controller can be utilized in an environment that has a private registry to rollout upgrades to your cluster as directed in a new CRD the controller introduces called a **Plan**. - ->**Note:** In order to leverage automated upgrades with the System Upgrade Controller in an airgapped environemnt, push the necessary images to the registry. Take care to replace TAG with the latest stable release (tag) for each image. After you have completed this, you can then follow the [Automated upgrades]({{< baseurl >}}/k3s/latest/en/upgrades/automated/) guide to learn more about the System Upgrade Controller and how to configure it. +As of v1.17.4+k3s1 K3s supports [automated upgrades]({{< baseurl >}}/k3s/latest/en/upgrades/automated/). To enable this in an air-gapped networks, you must ensure the required images are available in your private registry. + +You will need the version of rancher/k3s-upgrade that corresponds to the version of K3s you intend to upgrade to. Note, the image tag replaces the `+` in the K3s release with a `-` because Docker images do not support `+`. +You will also need the versions of system-upgrade-controller and kubectl that are specified in the system-upgrade-controller manifest YAML that you will deploy. Check for the latest release of the system-upgrade-controller [here](https://github.com/rancher/system-upgrade-controller/releases/latest) and download the system-upgrade-controller.yaml to determine the versions you need to push to your private registry. 
+ +For example, in release v0.4.0 of the system-upgrade-controller, these images are specified in the manifest YAML: ``` -rancher/k3s-upgrade:TAG -rancher/system-upgrade-controller:TAG -rancher/kubectl:TAG +rancher/system-upgrade-controller:v0.4.0 +rancher/kubectl:v0.17.0 ``` +Once you have added the necessary rancher/k3s-upgrade, rancher/system-upgrade-controller, and rancher/kubectl images to your private registry, follow the [automated upgrades]({{< baseurl >}}/k3s/latest/en/upgrades/automated/) guide. From 24ffa4453f8b03814b1d19f86e2789cdeddb08b8 Mon Sep 17 00:00:00 2001 From: David Nuzik Date: Thu, 26 Mar 2020 16:36:19 -0700 Subject: [PATCH 059/183] Resolving remaining concerns around K3s airgap page - Tweaks to the Automated upgrades section --- content/k3s/latest/en/installation/airgap/_index.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/content/k3s/latest/en/installation/airgap/_index.md b/content/k3s/latest/en/installation/airgap/_index.md index cedbabd58ac..7f9f4a8ec21 100644 --- a/content/k3s/latest/en/installation/airgap/_index.md +++ b/content/k3s/latest/en/installation/airgap/_index.md 
@@ -103,12 +103,11 @@ with the same environment variables. ### Automated Upgrades Method -As of v1.17.4+k3s1 K3s supports [automated upgrades]({{< baseurl >}}/k3s/latest/en/upgrades/automated/). To enable this in an air-gapped networks, you must ensure the required images are available in your private registry. +As of v1.17.4+k3s1 K3s supports [automated upgrades]({{< baseurl >}}/k3s/latest/en/upgrades/automated/). To enable this in air-gapped environments, you must ensure the required images are available in your private registry. You will need the version of rancher/k3s-upgrade that corresponds to the version of K3s you intend to upgrade to. Note, the image tag replaces the `+` in the K3s release with a `-` because Docker images do not support `+`. -You will also need the versions of system-upgrade-controller and kubectl that are specified in the system-upgrade-controller manifest YAML that you will deploy. Check for the latest release of the system-upgrade-controller [here](https://github.com/rancher/system-upgrade-controller/releases/latest) and download the system-upgrade-controller.yaml to determine the versions you need to push to your private registry. -For example, in release v0.4.0 of the system-upgrade-controller, these images are specified in the manifest YAML: +You will also need the versions of system-upgrade-controller and kubectl that are specified in the system-upgrade-controller manifest YAML that you will deploy. Check for the latest release of the system-upgrade-controller [here](https://github.com/rancher/system-upgrade-controller/releases/latest) and download the system-upgrade-controller.yaml to determine the versions you need to push to your private registry. For example, in release v0.4.0 of the system-upgrade-controller, these images are specified in the manifest YAML: ``` rancher/system-upgrade-controller:v0.4.0 From befe490e2cfee259536684620c65eca90c9196e7 Mon Sep 17 00:00:00 2001 
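Review bot: In the airgap/_index.md hunk of PATCH 058, the example image list drops `rancher/k3s-upgrade:TAG` and now shows only `rancher/system-upgrade-controller:v0.4.0` and `rancher/kubectl:v0.17.0`, while the closing sentence still requires all three images in the private registry. Add an example line for the k3s-upgrade image. That would also illustrate the `+` to `-` tag substitution the paragraph describes (the automated upgrades page uses `rancher/k3s-upgrade:v1.17.4-k3s1` for K3s v1.17.4+k3s1). PATCH 059 reflows the surrounding text but leaves the list as it is.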
From: Nelson Roberts Date: Thu, 26 Mar 2020 16:33:20 -0700 Subject: [PATCH 060/183] Rancher-26175: add known issues with hardened cluster --- content/rancher/v2.x/en/security/hardening-2.3.5/_index.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/content/rancher/v2.x/en/security/hardening-2.3.5/_index.md b/content/rancher/v2.x/en/security/hardening-2.3.5/_index.md index 213826808ad..75a48a7ba50 100644 --- a/content/rancher/v2.x/en/security/hardening-2.3.5/_index.md +++ b/content/rancher/v2.x/en/security/hardening-2.3.5/_index.md @@ -22,6 +22,10 @@ This document provides prescriptive guidance for hardening a production installa For more detail about evaluating a hardened cluster against the official CIS benchmark, refer to the [CIS Benchmark Rancher Self-Assessment Guide - Rancher v2.3.5]({{< baseurl >}}/rancher/v2.x/en/security/benchmark-2.3.5/). +#### Known Issues + +Rancher **exec shell** and **view logs** for pods are **not** functional in a cis 1.5 hardened setup when only public ip is provided when registering custom nodes. + ### Configure Kernel Runtime Parameters The following `sysctl` configuration is recommended for all nodes type in the cluster. Set the following parameters in `/etc/sysctl.d/90-kubelet.conf`: From a511885ac942c434dd0f6ef331de520abb294053 Mon Sep 17 00:00:00 2001 From: Simon Heimberg Date: Fri, 27 Mar 2020 11:04:32 +0100 Subject: [PATCH 061/183] inprove view of code example of nginx proxy indent all code in example, only some was before remove double code end --- .../create-nodes-lb/nginx/_index.md | 24 +++++++++---------- 1 file changed, 11 insertions(+), 13 deletions(-) diff --git a/content/rancher/v2.x/en/installation/k8s-install/create-nodes-lb/nginx/_index.md b/content/rancher/v2.x/en/installation/k8s-install/create-nodes-lb/nginx/_index.md index 49a77c9010e..f915f340d59 100644 --- a/content/rancher/v2.x/en/installation/k8s-install/create-nodes-lb/nginx/_index.md 
+++ b/content/rancher/v2.x/en/installation/k8s-install/create-nodes-lb/nginx/_index.md @@ -34,20 +34,20 @@ After installing NGINX, you need to update the NGINX configuration file, `nginx. worker_rlimit_nofile 40000; events { - worker_connections 8192; + worker_connections 8192; } stream { - upstream rancher_servers_http { - least_conn; - server :80 max_fails=3 fail_timeout=5s; - server :80 max_fails=3 fail_timeout=5s; - server :80 max_fails=3 fail_timeout=5s; - } - server { - listen 80; - proxy_pass rancher_servers_http; - } + upstream rancher_servers_http { + least_conn; + server :80 max_fails=3 fail_timeout=5s; + server :80 max_fails=3 fail_timeout=5s; + server :80 max_fails=3 fail_timeout=5s; + } + server { + listen 80; + proxy_pass rancher_servers_http; + } upstream rancher_servers_https { least_conn; @@ -61,10 +61,8 @@ After installing NGINX, you need to update the NGINX configuration file, `nginx. } } - ``` - ``` 3. Save `nginx.conf` to your load balancer at the following path: `/etc/nginx/nginx.conf`. From df35258f8a5acce57ef66e6d82e5d7a0549e8a76 Mon Sep 17 00:00:00 2001 From: Max Schmitt Date: Sat, 28 Mar 2020 18:14:45 +0100 Subject: [PATCH 062/183] fix: replaced tabs by spaces in code blocks Fixes an issue, that you could not copy these commands into the console if they contained tabs. --- .../single-node-docker/_index.md | 30 +++++++++---------- .../quickstart-manual-setup/_index.md | 4 +-- .../upgrades/upgrades/single-node/_index.md | 24 +++++++-------- 3 files changed, 29 insertions(+), 29 deletions(-) diff --git a/content/rancher/v2.x/en/installation/other-installation-methods/single-node-docker/_index.md b/content/rancher/v2.x/en/installation/other-installation-methods/single-node-docker/_index.md index 0f6386a6f62..2626d4a96f7 100644 --- a/content/rancher/v2.x/en/installation/other-installation-methods/single-node-docker/_index.md +++ b/content/rancher/v2.x/en/installation/other-installation-methods/single-node-docker/_index.md 
@@ -44,8 +44,8 @@ Log into your Linux host, and then run the minimum installation command below. ```bash docker run -d --restart=unless-stopped \ - -p 80:80 -p 443:443 \ - rancher/rancher:latest + -p 80:80 -p 443:443 \ + rancher/rancher:latest ``` ### Option B: Bring Your Own Certificate, Self-signed @@ -68,11 +68,11 @@ After creating your certificate, run the Docker command below to install Rancher ```bash docker run -d --restart=unless-stopped \ - -p 80:80 -p 443:443 \ - -v //:/etc/rancher/ssl/cert.pem \ - -v //:/etc/rancher/ssl/key.pem \ - -v //:/etc/rancher/ssl/cacerts.pem \ - rancher/rancher:latest + -p 80:80 -p 443:443 \ + -v //:/etc/rancher/ssl/cert.pem \ + -v //:/etc/rancher/ssl/key.pem \ + -v //:/etc/rancher/ssl/cacerts.pem \ + rancher/rancher:latest ``` ### Option C: Bring Your Own Certificate, Signed by a Recognized CA @@ -97,11 +97,11 @@ After obtaining your certificate, run the Docker command below. ```bash docker run -d --restart=unless-stopped \ - -p 80:80 -p 443:443 \ - -v //:/etc/rancher/ssl/cert.pem \ - -v //:/etc/rancher/ssl/key.pem \ - rancher/rancher:latest \ - --no-cacerts + -p 80:80 -p 443:443 \ + -v //:/etc/rancher/ssl/cert.pem \ + -v //:/etc/rancher/ssl/key.pem \ + rancher/rancher:latest \ + --no-cacerts ``` ### Option D: Let's Encrypt Certificate @@ -124,9 +124,9 @@ After you fulfill the prerequisites, you can install Rancher using a Let's Encry ``` docker run -d --restart=unless-stopped \ - -p 80:80 -p 443:443 \ - rancher/rancher:latest \ - --acme-domain + -p 80:80 -p 443:443 \ + rancher/rancher:latest \ + --acme-domain ``` ## Advanced Options diff --git a/content/rancher/v2.x/en/quick-start-guide/deployment/quickstart-manual-setup/_index.md b/content/rancher/v2.x/en/quick-start-guide/deployment/quickstart-manual-setup/_index.md index fc89564232a..ee362745c46 100644 --- a/content/rancher/v2.x/en/quick-start-guide/deployment/quickstart-manual-setup/_index.md 
+++ b/content/rancher/v2.x/en/quick-start-guide/deployment/quickstart-manual-setup/_index.md @@ -3,7 +3,7 @@ title: Manual Quick Start weight: 300 --- Howdy Partner! This tutorial walks you through: - + - Installation of {{< product >}} 2.x - Creation of your first cluster - Deployment of an application, Nginx @@ -49,7 +49,7 @@ To install Rancher on your host, connect to it and then use a shell to install. 2. From your shell, enter the following command: ``` - $ sudo docker run -d --restart=unless-stopped -p 80:80 -p 443:443 rancher/rancher +sudo docker run -d --restart=unless-stopped -p 80:80 -p 443:443 rancher/rancher ``` **Result:** Rancher is installed. diff --git a/content/rancher/v2.x/en/upgrades/upgrades/single-node/_index.md b/content/rancher/v2.x/en/upgrades/upgrades/single-node/_index.md index 6c5581e8f0b..6e859c2f9b0 100644 --- a/content/rancher/v2.x/en/upgrades/upgrades/single-node/_index.md +++ b/content/rancher/v2.x/en/upgrades/upgrades/single-node/_index.md @@ -135,7 +135,7 @@ Placeholder | Description docker run -d --volumes-from rancher-data \ --restart=unless-stopped \ -p 80:80 -p 443:443 \ - rancher/rancher: + rancher/rancher: ``` {{% /accordion %}} @@ -157,11 +157,11 @@ Placeholder | Description ``` docker run -d --volumes-from rancher-data \ --restart=unless-stopped \ - -p 80:80 -p 443:443 \ - -v //:/etc/rancher/ssl/cert.pem \ - -v //:/etc/rancher/ssl/key.pem \ - -v //:/etc/rancher/ssl/cacerts.pem \ - rancher/rancher: + - 80:80 -p 443:443 \ + - //:/etc/rancher/ssl/cert.pem \ + - //:/etc/rancher/ssl/key.pem \ + - //:/etc/rancher/ssl/cacerts.pem \ + rancher/rancher: ``` {{% /accordion %}} 
@@ -181,10 +181,10 @@ Placeholder | Description ``` docker run -d --volumes-from rancher-data \ --restart=unless-stopped \ - -p 80:80 -p 443:443 \ - -v //:/etc/rancher/ssl/cert.pem \ - -v //:/etc/rancher/ssl/key.pem \ - rancher/rancher: \ + - 80:80 -p 443:443 \ + - //:/etc/rancher/ssl/cert.pem \ + - //:/etc/rancher/ssl/key.pem \ + rancher/rancher: \ --no-cacerts ``` {{% /accordion %}} @@ -207,8 +207,8 @@ Placeholder | Description ``` docker run -d --volumes-from rancher-data \ --restart=unless-stopped \ - -p 80:80 -p 443:443 \ - rancher/rancher: \ + -p 80:80 -p 443:443 \ + rancher/rancher: \ --acme-domain ``` From 5fa2f917d3695b8fbc57ddc04635f094d07b729f Mon Sep 17 00:00:00 2001 From: Craig Jellick Date: Sat, 28 Mar 2020 09:07:48 -0700 Subject: [PATCH 063/183] Document SELinux support in K3s --- content/k3s/latest/en/advanced/_index.md | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/content/k3s/latest/en/advanced/_index.md b/content/k3s/latest/en/advanced/_index.md index e84d5761245..58cc810fb41 100644 --- a/content/k3s/latest/en/advanced/_index.md +++ b/content/k3s/latest/en/advanced/_index.md 
@@ -212,4 +212,18 @@ sudo iptables -F sudo update-alternatives --set iptables /usr/sbin/iptables-legacy sudo update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy sudo reboot -``` \ No newline at end of file +``` + +# SELinux Support (Experimental) + +As of release v1.17.4+k3s1, experimental support for SELinux has been added to K3s's embedded containerd. If you are installing K3s on a system where SELinux is enabled by default (such as CentOS), you must ensure the proper SELinux policies have been installed. The [install script]({{}}/k3s/latest/en/installation/install-options/#installation-script-options) will fail if they are not. The necessary policies can be installed with the following commands: +``` +yum install -y container-selinux selinux-policy-base +rpm -i https://rpm.rancher.io/k3s-selinux-0.1.1-rc1.el7.noarch.rpm +``` + +To force the install script to log a warning rather than fail, you can set the following environment variable: `INSTALL_K3S_SELINUX_WARN=true`. + +You can turn off SELinux enforcement in the embedded containerd by launching K3s with the `--disable-selinux` flag. + +Note that support for SELinux in containerd is still under development. Progress can be tracked in [this pull request](https://github.com/containerd/cri/pull/1246). From fa8f22511a94853a18db961b3ef7526f70c3c044 Mon Sep 17 00:00:00 2001 From: Craig Jellick Date: Mon, 30 Mar 2020 09:10:27 -0700 Subject: [PATCH 064/183] Fix links to advanced topics Fixed the broken link for for raspian buster did not work Added a link for selinux --- content/k3s/latest/en/advanced/_index.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/content/k3s/latest/en/advanced/_index.md b/content/k3s/latest/en/advanced/_index.md index 58cc810fb41..d7c4c271d24 100644 --- a/content/k3s/latest/en/advanced/_index.md +++ b/content/k3s/latest/en/advanced/_index.md 
@@ -16,7 +16,8 @@ This section contains advanced information describing the different ways you can - [Starting the server with the installation script](#starting-the-server-with-the-installation-script) - [Additional preparation for Alpine Linux setup](#additional-preparation-for-alpine-linux-setup) - [Running K3d (K3s in Docker) and docker-compose](#running-k3d-k3s-in-docker-and-docker-compose) -- [Raspbian Buster - Enable legacy iptables](#raspbian-buster---enable-legacy-iptables) +- [Enabling legacy iptables on Raspbian Buster](#enabling-legacy-iptables-on-raspbian-buster) +- [Experimental SELinux Support](#experimental-selinux-support) # Auto-Deploying Manifests @@ -204,7 +205,7 @@ Alternatively the `docker run` command can also be used: --privileged rancher/k3s:vX.Y.Z -# Raspbian Buster - enable legacy iptables +# Enabling legacy iptables on Raspbian Buster Raspbian Buster defaults to using `nftables` instead of `iptables`. **K3S** networking features require `iptables` and do not work with `nftables`. Follow the steps below to switch configure **Buster** to use `legacy iptables`: ``` @@ -214,7 +215,7 @@ sudo update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy sudo reboot ``` -# SELinux Support (Experimental) +# Experimental SELinux Support As of release v1.17.4+k3s1, experimental support for SELinux has been added to K3s's embedded containerd. If you are installing K3s on a system where SELinux is enabled by default (such as CentOS), you must ensure the proper SELinux policies have been installed. The [install script]({{}}/k3s/latest/en/installation/install-options/#installation-script-options) will fail if they are not. The necessary policies can be installed with the following commands: ``` From f8f8563842854d1f61dbe1804a28058d7655cb2f Mon Sep 17 00:00:00 2001 
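Review bot: The Known Issues entry added to hardening-2.3.5/_index.md in PATCH 060 states the failure but gives the reader nothing to act on: no workaround, no affected versions, and no link to the tracking issue named in the commit subject (Rancher-26175). Because this sits in a hardening guide, describe the triggering node registration setting as precisely as is known and link the issue. Also write "CIS 1.5" and "public IP" to match "CIS benchmark" in the paragraph above.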
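Review bot: In the SELinux section added to advanced/_index.md in PATCH 063, `rpm -i https://rpm.rancher.io/k3s-selinux-0.1.1-rc1.el7.noarch.rpm` installs a policy package straight from a URL, and the text says nothing about how the package is signed or how to verify it before installing. Document the signing key or a published checksum, and note that the pinned file is a release candidate build for el7 so readers know to check for a newer one. The two added commands also lack `sudo`, unlike the iptables block directly above them. For `INSTALL_K3S_SELINUX_WARN=true` and `--disable-selinux`, add a sentence on what each leaves unenforced, since the section gives no indication of the trade-off.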
From: Catherine Luse Date: Mon, 10 Feb 2020 22:35:36 -0700 Subject: [PATCH 065/183] Make RKE cluster troubleshooting page available for air gap install --- .../options/troubleshooting/_index.md | 18 +++++++++++++++++- .../air-gap/launch-kubernetes/_index.md | 4 ++++ 2 files changed, 21 insertions(+), 1 deletion(-) diff --git a/content/rancher/v2.x/en/installation/options/troubleshooting/_index.md b/content/rancher/v2.x/en/installation/options/troubleshooting/_index.md index 556800e0432..001b49dc0f0 100644 --- a/content/rancher/v2.x/en/installation/options/troubleshooting/_index.md +++ b/content/rancher/v2.x/en/installation/options/troubleshooting/_index.md @@ -174,6 +174,7 @@ SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.10 ### Failed to dial ssh using address [xxx.xxx.xxx.xxx:xx]: Error configuring SSH: ssh: no key found +<<<<<<< HEAD The key file specified as `ssh_key_path` cannot be accessed. Make sure that you specified the private key file (not the public key, `.pub`), and that the user that is running the `rke` command can access the private key file. ### Failed to dial ssh using address [xxx.xxx.xxx.xxx:xx]: ssh: handshake failed: ssh: unable to authenticate, attempted methods [none publickey], no supported methods remain 
@@ -186,4 +187,19 @@ If you want to use encrypted private keys, you should use `ssh-agent` to load yo ### Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running? -The node is not reachable on the configured `address` and `port`. \ No newline at end of file +The node is not reachable on the configured `address` and `port`. +======= +* The key file specified as `ssh_key_path` cannot be accessed. Make sure that you specified the private key file (not the public key, `.pub`), and that the user that is running the `rke` command can access the private key file. + +### Failed to dial ssh using address [xxx.xxx.xxx.xxx:xx]: ssh: handshake failed: ssh: unable to authenticate, attempted methods [none publickey], no supported methods remain + +* The key file specified as `ssh_key_path` is not correct for accessing the node. Double-check if you specified the correct `ssh_key_path` for the node and if you specified the correct user to connect with. + +### Failed to dial ssh using address [xxx.xxx.xxx.xxx:xx]: Error configuring SSH: ssh: cannot decode encrypted private keys + +* If you want to use encrypted private keys, you should use `ssh-agent` to load your keys with your passphrase. If the `SSH_AUTH_SOCK` environment variable is found in the environment where the `rke` command is run, it will be used automatically to connect to the node. + +### Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running? + +* The node is not reachable on the configured `address` and `port`. +>>>>>>> Make RKE cluster troubleshooting page available for air gap install diff --git a/content/rancher/v2.x/en/installation/other-installation-methods/air-gap/launch-kubernetes/_index.md b/content/rancher/v2.x/en/installation/other-installation-methods/air-gap/launch-kubernetes/_index.md index cdfe47dee61..36aa73e5fc8 100644 
--- a/content/rancher/v2.x/en/installation/other-installation-methods/air-gap/launch-kubernetes/_index.md +++ b/content/rancher/v2.x/en/installation/other-installation-methods/air-gap/launch-kubernetes/_index.md @@ -83,4 +83,8 @@ Save a copy of the following files in a secure location: See the [Troubleshooting]({{}}/rancher/v2.x/en/installation/options/troubleshooting/) page. +### Issues or errors? + +See the [Troubleshooting]({{}}/rancher/v2.x/en/installation/options/troubleshooting/) page. + ### [Next: Install Rancher]({{}}/rancher/v2.x/en/installation/other-installation-methods/air-gap/install-rancher) From 46a972fa3eb5cbea33ca001f6c2c1df432449f47 Mon Sep 17 00:00:00 2001 
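Review bot: in the air-gap `launch-kubernetes/_index.md` hunk of patch 065, the added `### Issues or errors?` heading and the "See the [Troubleshooting] ... page." sentence repeat the sentence that is already present as the context line directly above them, so the page ends up with the same pointer to the troubleshooting page twice in a row. Drop the added lines, or, if the intent was only to supply a heading, add the heading above the existing sentence without repeating it.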
From: Catherine Luse Date: Tue, 11 Feb 2020 14:30:47 -0700 Subject: [PATCH 066/183] Remove spaces from links --- content/_index.html | 10 ++--- content/k3s/latest/en/architecture/_index.md | 4 +- content/k3s/latest/en/installation/_index.md | 8 ++-- .../en/installation/datastore/_index.md | 2 +- .../k3s/latest/en/installation/ha/_index.md | 6 +-- .../en/installation/install-options/_index.md | 2 +- .../en/installation/network-options/_index.md | 2 +- content/k3s/latest/en/networking/_index.md | 7 ++-- content/os/v1.x/en/_index.md | 2 +- content/os/v1.x/en/about/_index.md | 2 +- .../running-rancher-on-rancherOS/_index.md | 4 +- .../v1.x/en/installation/amazon-ecs/_index.md | 6 +-- .../built-in-system-services/_index.md | 18 ++++----- .../boot-process/cloud-init/_index.md | 4 +- .../en/installation/configuration/_index.md | 2 +- .../adding-kernel-parameters/_index.md | 2 +- .../airgap-configuration/_index.md | 8 ++-- .../configuration/date-and-timezone/_index.md | 2 +- .../configuration/docker/_index.md | 6 +-- .../configuration/hostname/_index.md | 2 +- .../private-registries/_index.md | 4 +- .../configuration/running-commands/_index.md | 2 +- .../configuration/ssh-keys/_index.md | 2 +- .../switching-consoles/_index.md | 8 ++-- .../switching-docker-versions/_index.md | 4 +- .../configuration/users/_index.md | 2 +- .../custom-builds/custom-console/_index.md | 8 ++-- .../custom-builds/custom-kernels/_index.md | 4 +- .../custom-rancheros-iso/_index.md | 6 +-- .../installation/running-rancheros/_index.md | 26 ++++++------ .../running-rancheros/cloud/aliyun/_index.md | 4 +- .../running-rancheros/cloud/aws/_index.md | 2 +- .../running-rancheros/cloud/do/_index.md | 2 +- .../running-rancheros/cloud/gce/_index.md | 16 ++++---- .../cloud/openstack/_index.md | 2 +- .../server/install-to-disk/_index.md | 6 +-- .../running-rancheros/server/pxe/_index.md | 4 +- .../server/raspberry-pi/_index.md | 2 +- .../workstation/boot-from-iso/_index.md | 4 +- 
.../workstation/docker-machine/_index.md | 4 +- .../storage/additional-mounts/_index.md | 2 +- .../storage/state-partition/_index.md | 2 +- .../custom-system-services/_index.md | 2 +- content/os/v1.x/en/overview/_index.md | 6 +-- .../os/v1.x/en/quick-start-guide/_index.md | 4 +- content/os/v1.x/en/upgrading/_index.md | 6 +-- .../rancher/v2.x/en/admin-settings/_index.md | 14 +++---- .../authentication/ad/_index.md | 6 +-- .../authentication/azure-ad/_index.md | 40 ++++++++++++++----- .../authentication/freeipa/_index.md | 2 +- .../authentication/github/_index.md | 2 +- .../authentication/keycloak/_index.md | 2 +- .../authentication/microsoft-adfs/_index.md | 6 +-- .../microsoft-adfs-setup/_index.md | 2 +- .../rancher-adfs-setup/_index.md | 2 +- .../authentication/openldap/_index.md | 8 ++-- .../authentication/user-groups/_index.md | 4 +- .../v2.x/en/admin-settings/drivers/_index.md | 24 +++++------ .../drivers/cluster-drivers/_index.md | 6 +-- .../drivers/node-drivers/_index.md | 4 +- .../pod-security-policies/_index.md | 8 ++-- .../v2.x/en/admin-settings/rbac/_index.md | 6 +-- .../rbac/cluster-project-roles/_index.md | 4 +- .../rbac/default-custom-roles/_index.md | 6 +-- .../rbac/locked-roles/_index.md | 2 +- content/rancher/v2.x/en/api/_index.md | 4 +- content/rancher/v2.x/en/backups/_index.md | 8 ++-- .../rancher/v2.x/en/backups/backups/_index.md | 2 +- .../backups/single-node-backups/_index.md | 4 +- .../v2.x/en/backups/restorations/_index.md | 6 +-- .../restorations/ha-restoration/_index.md | 16 ++++---- .../single-node-restoration/_index.md | 8 ++-- .../rancher/v2.x/en/best-practices/_index.md | 8 ++-- .../best-practices/deployment-types/_index.md | 4 +- .../en/best-practices/management/_index.md | 10 ++--- content/rancher/v2.x/en/catalog/_index.md | 16 ++++---- .../rancher/v2.x/en/catalog/apps/_index.md | 8 ++-- .../v2.x/en/catalog/built-in/_index.md | 10 ++--- .../rancher/v2.x/en/catalog/custom/_index.md | 8 ++-- .../v2.x/en/catalog/custom/adding/_index.md | 
28 ++++++------- .../v2.x/en/catalog/custom/creating/_index.md | 4 +- .../v2.x/en/catalog/globaldns/_index.md | 14 +++---- .../en/catalog/multi-cluster-apps/_index.md | 14 +++---- content/rancher/v2.x/en/cli/_index.md | 24 +++++------ .../rancher/v2.x/en/cluster-admin/_index.md | 28 ++++++------- .../cluster-admin/backing-up-etcd/_index.md | 8 ++-- .../cleaning-cluster-nodes/_index.md | 12 +++--- .../cluster-admin/cloning-clusters/_index.md | 10 ++--- .../en/cluster-admin/cluster-access/_index.md | 8 ++-- .../cluster-access/cluster-members/_index.md | 14 +++---- .../cluster-admin/editing-clusters/_index.md | 20 +++++----- .../v2.x/en/cluster-admin/nodes/_index.md | 32 +++++++-------- .../pod-security-policy/_index.md | 8 ++-- .../en/cluster-admin/restoring-etcd/_index.md | 12 +++--- .../en/cluster-admin/tools/alerts/_index.md | 16 ++++---- .../tools/alerts/default-alerts/_index.md | 2 +- .../en/cluster-admin/tools/logging/_index.md | 16 ++++---- .../tools/logging/splunk/_index.md | 4 +- .../cluster-admin/tools/monitoring/_index.md | 16 ++++---- .../monitoring/cluster-metrics/_index.md | 16 ++++---- .../tools/monitoring/prometheus/_index.md | 8 ++-- .../monitoring/viewing-metrics/_index.md | 8 ++-- .../cluster-admin/tools/notifiers/_index.md | 4 +- .../upgrading-kubernetes/_index.md | 4 +- .../attaching-existing-storage/_index.md | 2 +- .../volumes-and-storage/examples/_index.md | 4 +- .../examples/nfs/_index.md | 2 +- .../examples/vsphere/_index.md | 8 ++-- .../how-storage-works/_index.md | 2 +- .../iscsi-volumes/_index.md | 2 +- .../provisioning-new-storage/_index.md | 2 +- .../hosted-kubernetes-clusters/_index.md | 12 +++--- .../hosted-kubernetes-clusters/ack/_index.md | 2 +- .../hosted-kubernetes-clusters/cce/_index.md | 2 +- .../hosted-kubernetes-clusters/eks/_index.md | 2 +- .../hosted-kubernetes-clusters/tke/_index.md | 2 +- .../production/nodes-and-roles/_index.md | 2 +- .../rke-clusters/custom-nodes/_index.md | 8 ++-- .../rke-clusters/node-pools/_index.md | 
6 +-- .../rke-clusters/node-pools/ec2/_index.md | 4 +- .../provisioning-vsphere-clusters/_index.md | 2 +- .../node-template-reference/_index.md | 6 +-- .../rke-clusters/options/_index.md | 28 ++++++------- .../options/pod-security-policies/_index.md | 2 +- .../rke-clusters/rancher-agents/_index.md | 4 +- .../rke-clusters/windows-clusters/_index.md | 22 +++++----- .../docs-for-2.1-and-2.2/_index.md | 24 +++++------ .../rancher/v2.x/en/contributing/_index.md | 2 +- .../rancher/v2.x/en/faq/networking/_index.md | 2 +- .../en/faq/networking/cni-providers/_index.md | 20 +++++----- .../rancher/v2.x/en/faq/security/_index.md | 4 +- .../rancher/v2.x/en/faq/technical/_index.md | 8 ++-- .../rancher/v2.x/en/k8s-in-rancher/_index.md | 38 +++++++++--------- .../en/k8s-in-rancher/certificates/_index.md | 4 +- .../en/k8s-in-rancher/configmaps/_index.md | 4 +- .../horitzontal-pod-autoscaler/_index.md | 10 ++--- .../hpa-background/_index.md | 2 +- .../manage-hpa-with-kubectl/_index.md | 4 +- .../manage-hpa-with-rancher-ui/_index.md | 4 +- .../testing-hpa/_index.md | 2 +- .../load-balancers-and-ingress/_index.md | 16 ++++---- .../ingress/_index.md | 6 +-- .../load-balancers/_index.md | 6 +-- .../en/k8s-in-rancher/pipelines/_index.md | 18 ++++----- .../pipelines/example-repos/_index.md | 4 +- .../en/k8s-in-rancher/registries/_index.md | 2 +- .../v2.x/en/k8s-in-rancher/secrets/_index.md | 4 +- .../service-discovery/_index.md | 2 +- .../en/k8s-in-rancher/workloads/_index.md | 6 +-- .../workloads/deploy-workloads/_index.md | 12 +++--- content/rancher/v2.x/en/overview/_index.md | 4 +- .../architecture-recommendations/_index.md | 4 +- .../v2.x/en/overview/architecture/_index.md | 4 +- .../rancher/v2.x/en/project-admin/_index.md | 14 +++---- .../en/project-admin/namespaces/_index.md | 24 +++++------ .../v2.x/en/project-admin/pipelines/_index.md | 18 ++++----- .../pipelines/docs-for-v2.0.x/_index.md | 2 +- .../pod-security-policies/_index.md | 6 +-- 
.../project-admin/project-members/_index.md | 10 ++--- .../project-admin/resource-quotas/_index.md | 8 ++-- .../override-container-default/_index.md | 2 +- .../override-namespace-default/_index.md | 10 ++--- .../quotas-for-projects/_index.md | 8 ++-- .../en/project-admin/tools/alerts/_index.md | 10 ++--- .../en/project-admin/tools/logging/_index.md | 14 +++---- .../project-admin/tools/monitoring/_index.md | 18 ++++----- .../v2.x/en/quick-start-guide/_index.md | 8 ++-- .../deployment/amazon-aws-qs/_index.md | 2 +- .../deployment/digital-ocean-qs/_index.md | 2 +- .../quickstart-manual-setup/_index.md | 4 +- .../deployment/quickstart-vagrant/_index.md | 2 +- .../_index.md | 6 +-- .../_index.md | 12 +++--- content/rancher/v2.x/en/security/_index.md | 2 +- .../v2.x/en/security/hardening-2.1/_index.md | 2 +- .../v2.x/en/security/hardening-2.2/_index.md | 2 +- .../en/security/hardening-2.3.3/_index.md | 4 +- .../v2.x/en/security/hardening-2.3/_index.md | 4 +- .../rancher/v2.x/en/system-tools/_index.md | 8 ++-- .../rancher/v2.x/en/troubleshooting/_index.md | 16 ++++---- .../v2.x/en/troubleshooting/dns/_index.md | 4 +- .../kubernetes-components/_index.md | 4 +- .../controlplane/_index.md | 2 +- .../kubernetes-resources/_index.md | 2 +- .../en/troubleshooting/networking/_index.md | 2 +- content/rancher/v2.x/en/upgrades/_index.md | 4 +- .../v2.x/en/upgrades/rollbacks/_index.md | 2 +- .../rollbacks/ha-server-rollbacks/_index.md | 2 +- .../rollbacks/single-node-rollbacks/_index.md | 6 +-- .../v2.x/en/upgrades/upgrades/_index.md | 10 ++--- .../v2.x/en/upgrades/upgrades/ha/_index.md | 14 +++---- .../en/upgrades/upgrades/ha/helm2/_index.md | 14 +++---- .../migrating-from-rke-add-on/_index.md | 6 +-- .../upgrades/namespace-migration/_index.md | 8 ++-- .../upgrades/upgrades/single-node/_index.md | 22 +++++----- .../rancher/v2.x/en/user-settings/_index.md | 10 ++--- .../v2.x/en/user-settings/api-keys/_index.md | 4 +- .../user-settings/cloud-credentials/_index.md | 12 +++--- 
.../en/user-settings/node-templates/_index.md | 10 ++--- .../rancher/v2.x/en/v1.6-migration/_index.md | 18 ++++----- .../discover-services/_index.md | 12 +++--- .../v1.6-migration/expose-services/_index.md | 8 ++-- .../en/v1.6-migration/get-started/_index.md | 30 +++++++------- .../en/v1.6-migration/kub-intro/_index.md | 2 +- .../v1.6-migration/load-balancing/_index.md | 34 ++++++++-------- .../en/v1.6-migration/monitor-apps/_index.md | 16 ++++---- .../run-migration-tool/_index.md | 38 +++++++++--------- .../schedule-workloads/_index.md | 32 +++++++-------- content/rke/latest/en/cert-mgmt/_index.md | 4 +- .../rke/latest/en/config-options/_index.md | 38 +++++++++--------- .../en/config-options/add-ons/_index.md | 12 +++--- .../en/config-options/add-ons/dns/_index.md | 4 +- .../add-ons/ingress-controllers/_index.md | 2 +- .../add-ons/metrics-server/_index.md | 2 +- .../add-ons/network-plugins/_index.md | 2 +- .../add-ons/user-defined-add-ons/_index.md | 2 +- .../en/config-options/bastion-host/_index.md | 2 +- .../config-options/cloud-providers/_index.md | 10 ++--- .../vsphere/troubleshooting/_index.md | 4 +- .../latest/en/config-options/nodes/_index.md | 6 +-- .../private-registries/_index.md | 8 ++-- .../en/config-options/services/_index.md | 12 +++--- .../services/external-etcd/_index.md | 2 +- .../en/config-options/system-images/_index.md | 2 +- .../rke/latest/en/etcd-snapshots/_index.md | 2 +- .../one-time-snapshots/_index.md | 8 ++-- .../restoring-from-backup/_index.md | 10 ++--- content/rke/latest/en/example-yamls/_index.md | 4 +- content/rke/latest/en/installation/_index.md | 18 ++++----- .../latest/en/installation/certs/_index.md | 4 +- .../rke/latest/en/managing-clusters/_index.md | 4 +- content/rke/latest/en/os/_index.md | 4 +- .../rke/latest/en/troubleshooting/_index.md | 4 +- .../provisioning-errors/_index.md | 2 +- content/rke/latest/en/upgrades/_index.md | 10 ++--- 235 files changed, 955 insertions(+), 938 deletions(-) 
diff --git a/content/_index.html b/content/_index.html index 583a56f29b9..fd31063084b 100644 --- a/content/_index.html +++ b/content/_index.html @@ -69,7 +69,7 @@

    - + @@ -110,7 +110,7 @@

    Rancher manages all of your Kubernetes clusters everywhere, unifies them under centralized RBAC, monitors them and lets you easily deploy and manage workloads through an intuitive user interface.

    - + @@ -164,7 +164,7 @@

    RancherOS is the lightest, easiest way to run Docker in production. Engineered from the ground up for security and speed, it runs all system services and user workloads within Docker containers.

    - + @@ -191,7 +191,7 @@

    Rancher Kubernetes Engine (RKE) is an extremely simple, lightning fast Kubernetes installer that works everywhere.

    - + @@ -218,7 +218,7 @@

    Lightweight Kubernetes. Easy to install, half the memory, all in a binary less than 40mb.

    - + diff --git a/content/k3s/latest/en/architecture/_index.md b/content/k3s/latest/en/architecture/_index.md index 0b04ddbfd8c..6b116eb62e2 100644 --- a/content/k3s/latest/en/architecture/_index.md +++ b/content/k3s/latest/en/architecture/_index.md @@ -33,7 +33,7 @@ Single server clusters can meet a variety of use cases, but for environments whe * An **external datastore** (as opposed to the embedded SQLite datastore used in single-server setups)
    K3s Architecture with a High-availability Server
    -![Architecture]({{< baseurl >}}/img/rancher/k3s-architecture-ha-server.png) +![Architecture]({{}}/img/rancher/k3s-architecture-ha-server.png) ### Fixed Registration Address for Agent Nodes @@ -41,7 +41,7 @@ In the high-availability server configuration, each node must also register with After registration, the agent nodes establish a connection directly to one of the server nodes. -![k3s HA]({{< baseurl >}}/img/k3s/k3s-production-setup.svg) +![k3s HA]({{}}/img/k3s/k3s-production-setup.svg) # How Agent Node Registration Works diff --git a/content/k3s/latest/en/installation/_index.md b/content/k3s/latest/en/installation/_index.md index 68c2d7ffa8b..b141bcce42b 100644 --- a/content/k3s/latest/en/installation/_index.md +++ b/content/k3s/latest/en/installation/_index.md 
@@ -5,13 +5,13 @@ weight: 20 This section contains instructions for installing K3s in various environments. Please ensure you have met the [Installation Requirements]({{< baseurl >}}/k3s/latest/en/installation/installation-requirements/) before you begin installing K3s. -[Installation and Configuration Options]({{< baseurl >}}/k3s/latest/en/installation/install-options/) provides guidance on the options available to you when installing K3s. +[Installation and Configuration Options]({{}}/k3s/latest/en/installation/install-options/) provides guidance on the options available to you when installing K3s. -[High Availability with an External DB]({{< baseurl >}}/k3s/latest/en/installation/ha/) details how to set up an HA K3s cluster backed by an external datastore such as MySQL, PostgreSQL, or etcd. +[High Availability with an External DB]({{}}/k3s/latest/en/installation/ha/) details how to set up an HA K3s cluster backed by an external datastore such as MySQL, PostgreSQL, or etcd. -[High Availability with Embedded DB (Experimental)]({{< baseurl >}}/k3s/latest/en/installation/ha-embedded/) details how to set up an HA K3s cluster that leverages a built-in distributed database. +[High Availability with Embedded DB (Experimental)]({{}}/k3s/latest/en/installation/ha-embedded/) details how to set up an HA K3s cluster that leverages a built-in distributed database. -[Air-Gap Installation]({{< baseurl >}}/k3s/latest/en/installation/airgap/) details how to set up K3s in environments that do not have direct access to the Internet. +[Air-Gap Installation]({{}}/k3s/latest/en/installation/airgap/) details how to set up K3s in environments that do not have direct access to the Internet. ### Uninstalling diff --git a/content/k3s/latest/en/installation/datastore/_index.md b/content/k3s/latest/en/installation/datastore/_index.md index 85bb151781b..9d04be68d54 100644 --- a/content/k3s/latest/en/installation/datastore/_index.md +++ b/content/k3s/latest/en/installation/datastore/_index.md 
@@ -95,4 +95,4 @@ k3s server ``` ### Embedded DQLite for HA (Experimental) -K3s's use of DQLite is similar to its use of SQLite. It is simple to set up and manage. As such, there is no external configuration or additional steps to take in order to use this option. Please see [High Availability with Embedded DB (Experimental)]({{< baseurl >}}/k3s/latest/en/installation/ha-embedded/) for instructions on how to run with this option. +K3s's use of DQLite is similar to its use of SQLite. It is simple to set up and manage. As such, there is no external configuration or additional steps to take in order to use this option. Please see [High Availability with Embedded DB (Experimental)]({{}}/k3s/latest/en/installation/ha-embedded/) for instructions on how to run with this option. diff --git a/content/k3s/latest/en/installation/ha/_index.md b/content/k3s/latest/en/installation/ha/_index.md index eb945f74a51..f7310184015 100644 --- a/content/k3s/latest/en/installation/ha/_index.md +++ b/content/k3s/latest/en/installation/ha/_index.md 
@@ -28,12 +28,10 @@ Setting up an HA cluster requires the following steps: 4. [Join agent nodes](#4-optional-join-agent-nodes) ### 1. Create an External Datastore - -You will first need to create an external datastore for the cluster. See the [Cluster Datastore Options]({{< baseurl >}}/k3s/latest/en/installation/datastore/) documentation for more details. +You will first need to create an external datastore for the cluster. See the [Cluster Datastore Options]({{}}/k3s/latest/en/installation/datastore/) documentation for more details. ### 2. Launch Server Nodes - -K3s requires two or more server nodes for this HA configuration. See the [Installation Requirements]({{< baseurl >}}/k3s/latest/en/installation/installation-requirements/) for minimum machine requirements. +K3s requires two or more server nodes for this HA configuration. See the [Installation Requirements]({{}}/k3s/latest/en/installation/node-requirements/) guide for minimum machine requirements. When running the `k3s server` command on these nodes, you must set the `datastore-endpoint` parameter so that K3s knows how to connect to the external datastore. diff --git a/content/k3s/latest/en/installation/install-options/_index.md b/content/k3s/latest/en/installation/install-options/_index.md index f5054869d74..e2bc4a2dbb2 100644 --- a/content/k3s/latest/en/installation/install-options/_index.md +++ b/content/k3s/latest/en/installation/install-options/_index.md 
@@ -14,7 +14,7 @@ For more advanced options, refer to [this page.]({{}}/k3s/latest/en/adv # Installation Script Options -As mentioned in the [Quick-Start Guide]({{< baseurl >}}/k3s/latest/en/quick-start/), you can use the installation script available at https://get.k3s.io to install K3s as a service on systemd and openrc based systems. +As mentioned in the [Quick-Start Guide]({{}}/k3s/latest/en/quick-start/), you can use the installation script available at https://get.k3s.io to install K3s as a service on systemd and openrc based systems. The simplest form of this command is as follows: ```sh diff --git a/content/k3s/latest/en/installation/network-options/_index.md b/content/k3s/latest/en/installation/network-options/_index.md index c87b2783831..97873e4151b 100644 --- a/content/k3s/latest/en/installation/network-options/_index.md +++ b/content/k3s/latest/en/installation/network-options/_index.md @@ -3,7 +3,7 @@ title: "Network Options" weight: 25 --- -> **Note:** Please reference the [Networking]({{< baseurl >}}/k3s/latest/en/networking) page for information about CoreDNS, Traefik, and the Service LB. +> **Note:** Please reference the [Networking]({{}}/k3s/latest/en/networking) page for information about CoreDNS, Traefik, and the Service LB. By default, K3s will run with flannel as the CNI, using VXLAN as the default backend. To change the CNI, refer to the section on configuring a [custom CNI](#custom-cni). To change the flannel backend, refer to the flannel options section. diff --git a/content/k3s/latest/en/networking/_index.md b/content/k3s/latest/en/networking/_index.md index 3f1214fb555..3689cdbd759 100644 --- a/content/k3s/latest/en/networking/_index.md +++ b/content/k3s/latest/en/networking/_index.md 
@@ -3,12 +3,11 @@ title: "Networking" weight: 35 --- -> **Note:** CNI options are covered in detail on the [Installation Network Options]({{< baseurl >}}/k3s/latest/en/installation/network-options/) page. Please reference that page for details on Flannel and the various flannel backend options or how to set up your own CNI. +>**Note:** CNI options are covered in detail on the [Installation Network Options]({{}}/k3s/latest/en/installation/network-options/) page. Please reference that page for details on Flannel and the various flannel backend options or how to set up your own CNI. Open Ports ---------- - -Please reference the [Installation Requirements]({{< baseurl >}}/k3s/latest/en/installation/installation-requirements/#networking) page for port information. +Please reference the [Installation Requirements]({{}}/k3s/latest/en/installation/node-requirements/#networking) page for port information. CoreDNS ------- 
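Review bot: the Open Ports link in this hunk changes its target from `installation/installation-requirements/#networking` to `installation/node-requirements/#networking`, which is a content change and not the whitespace cleanup the commit message describes ("Remove spaces from links"). The `installation/ha/_index.md` hunk makes the same retargeting, while the unchanged context line in `installation/_index.md` still links to `installation-requirements/`, so after this patch the docs point at two different paths for the same page. Please confirm which path exists and either keep the original target here or move the rename into its own commit that updates every reference. The hunk also removes the space in `> **Note:**` and the blank line under the `Open Ports` underline; neither is a link change, so they would be better left out of this patch.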
@@ -22,7 +21,7 @@ Traefik Ingress Controller [Traefik](https://traefik.io/) is a modern HTTP reverse proxy and load balancer made to deploy microservices with ease. It simplifies networking complexity while designing, deploying, and running applications. -Traefik is deployed by default when starting the server. For more information see [Auto Deploying Manifests]({{< baseurl >}}/k3s/latest/en/advanced/#auto-deploying-manifests). The default config file is found in `/var/lib/rancher/k3s/server/manifests/traefik.yaml` and any changes made to this file will automatically be deployed to Kubernetes in a manner similar to `kubectl apply`. +Traefik is deployed by default when starting the server. For more information see [Auto Deploying Manifests]({{}}/k3s/latest/en/advanced/#auto-deploying-manifests). The default config file is found in `/var/lib/rancher/k3s/server/manifests/traefik.yaml` and any changes made to this file will automatically be deployed to Kubernetes in a manner similar to `kubectl apply`. The Traefik ingress controller will use ports 80, 443, and 8080 on the host (i.e. these will not be usable for HostPort or NodePort). diff --git a/content/os/v1.x/en/_index.md b/content/os/v1.x/en/_index.md index 1fd27ba96da..585f581fcf7 100644 --- a/content/os/v1.x/en/_index.md +++ b/content/os/v1.x/en/_index.md @@ -25,7 +25,7 @@ VMWare | 1GB | 1280MB (rancheros.iso)
    2048MB (ran GCE | 1GB | 1280MB AWS | 1GB | 1.7GB -You can adjust memory requirements by custom building RancherOS, please refer to [reduce-memory-requirements]({{< baseurl >}}/os/v1.x/en/installation/custom-builds/custom-rancheros-iso/#reduce-memory-requirements) +You can adjust memory requirements by custom building RancherOS, please refer to [reduce-memory-requirements]({{}}/os/v1.x/en/installation/custom-builds/custom-rancheros-iso/#reduce-memory-requirements) ### How RancherOS Works diff --git a/content/os/v1.x/en/about/_index.md b/content/os/v1.x/en/about/_index.md index 05b095c5451..306c4e880a7 100644 --- a/content/os/v1.x/en/about/_index.md +++ b/content/os/v1.x/en/about/_index.md @@ -59,7 +59,7 @@ All of repositories are located within our main GitHub [page](https://github.com [RancherOS Repo](https://github.com/rancher/os): This repo contains the bulk of the RancherOS code. -[RancherOS Services Repo](https://github.com/rancher/os-services): This repo is where any [system-services]({{< baseurl >}}/os/v1.x/en//installation/system-services/adding-system-services/) can be contributed. +[RancherOS Services Repo](https://github.com/rancher/os-services): This repo is where any [system-services]({{}}/os/v1.x/en//installation/system-services/adding-system-services/) can be contributed. [RancherOS Images Repo](https://github.com/rancher/os-images): This repo is for the corresponding service images. diff --git a/content/os/v1.x/en/about/running-rancher-on-rancherOS/_index.md b/content/os/v1.x/en/about/running-rancher-on-rancherOS/_index.md index f0fb87544cd..d447465344b 100644 --- a/content/os/v1.x/en/about/running-rancher-on-rancherOS/_index.md +++ b/content/os/v1.x/en/about/running-rancher-on-rancherOS/_index.md 
@@ -7,7 +7,7 @@ RancherOS can be used to launch [Rancher](/rancher/) and be used as the OS to ad ### Launching Agents using Cloud-Config -You can easily add hosts into Rancher by using [cloud-config]({{< baseurl >}}/os/v1.x/en/installation/configuration/#cloud-config) to launch the rancher/agent container. +You can easily add hosts into Rancher by using [cloud-config]({{}}/os/v1.x/en/installation/configuration/#cloud-config) to launch the rancher/agent container. After Rancher is launched and host registration has been saved, you will be able to find use the custom option to add Rancher OS nodes. @@ -37,7 +37,7 @@ rancher: ```
    -> **Note:** You can not name the service `rancher-agent` as this will not allow the rancher/agent container to be launched correctly. Please read more about why [you can't name your container as `rancher-agent`]({{< baseurl >}}/rancher/v1.6/en/faqs/agents/#adding-in-name-rancher-agent). +> **Note:** You can not name the service `rancher-agent` as this will not allow the rancher/agent container to be launched correctly. Please read more about why [you can't name your container as `rancher-agent`]({{}}/rancher/v1.6/en/faqs/agents/#adding-in-name-rancher-agent). ### Adding in Host Labels diff --git a/content/os/v1.x/en/installation/amazon-ecs/_index.md b/content/os/v1.x/en/installation/amazon-ecs/_index.md index a76c7675044..7fcbefeef4c 100644 --- a/content/os/v1.x/en/installation/amazon-ecs/_index.md +++ b/content/os/v1.x/en/installation/amazon-ecs/_index.md 
@@ -11,13 +11,13 @@ Prior to launching RancherOS EC2 instances, the [ECS Container Instance IAM Role ### Launching an instance with ECS -RancherOS makes it easy to join your ECS cluster. The ECS agent is a [system service]({{< baseurl >}}/os/v1.x/en/installation/system-services/adding-system-services/) that is enabled in the ECS enabled AMI. There may be other RancherOS AMIs that don't have the ECS agent enabled by default, but it can easily be added in the user data on any RancherOS AMI. +RancherOS makes it easy to join your ECS cluster. The ECS agent is a [system service]({{}}/os/v1.x/en/installation/system-services/adding-system-services/) that is enabled in the ECS enabled AMI. There may be other RancherOS AMIs that don't have the ECS agent enabled by default, but it can easily be added in the user data on any RancherOS AMI. When launching the RancherOS AMI, you'll need to specify the **IAM Role** and **Advanced Details** -> **User Data** in the **Configure Instance Details** step. For the **IAM Role**, you'll need to be sure to select the ECS Container Instance IAM role. -For the **User Data**, you'll need to pass in the [cloud-config]({{< baseurl >}}/os/v1.x/en/installation/configuration/#cloud-config) file. +For the **User Data**, you'll need to pass in the [cloud-config]({{}}/os/v1.x/en/installation/configuration/#cloud-config) file. ```yaml #cloud-config @@ -37,7 +37,7 @@ rancher: By default, the ECS agent will be using the `latest` tag for the `amazon-ecs-agent` image. In v0.5.0, we introduced the ability to select which version of the `amazon-ecs-agent`. -To select the version, you can update your [cloud-config]({{< baseurl >}}/os/v1.x/en/installation/configuration/#cloud-config) file. +To select the version, you can update your [cloud-config]({{}}/os/v1.x/en/installation/configuration/#cloud-config) file. ```yaml #cloud-config 
diff --git a/content/os/v1.x/en/installation/boot-process/built-in-system-services/_index.md b/content/os/v1.x/en/installation/boot-process/built-in-system-services/_index.md index 32e0f7ce61f..b1cfb9b8eda 100644 --- a/content/os/v1.x/en/installation/boot-process/built-in-system-services/_index.md +++ b/content/os/v1.x/en/installation/boot-process/built-in-system-services/_index.md @@ -3,17 +3,17 @@ title: Built-in System Services weight: 150 --- -To launch RancherOS, we have built-in system services. They are defined in the [Docker Compose](https://docs.docker.com/compose/compose-file/) format, and can be found in the default system config file, `/usr/share/ros/os-config.yml`. You can [add your own system services]({{< baseurl >}}/os/v1.x/en/installation/system-services/adding-system-services/) or override services in the cloud-config. +To launch RancherOS, we have built-in system services. They are defined in the [Docker Compose](https://docs.docker.com/compose/compose-file/) format, and can be found in the default system config file, `/usr/share/ros/os-config.yml`. You can [add your own system services]({{}}/os/v1.x/en/installation/system-services/adding-system-services/) or override services in the cloud-config. ### preload-user-images -Read more about [image preloading]({{< baseurl >}}/os/v1.x/en/installation/boot-process/image-preloading/). +Read more about [image preloading]({{}}/os/v1.x/en/installation/boot-process/image-preloading/). ### network During this service, networking is set up, e.g. hostname, interfaces, and DNS. -It is configured by `hostname` and `rancher.network`settings in [cloud-config]({{< baseurl >}}/os/v1.x/en/installation/configuration/#cloud-config). +It is configured by `hostname` and `rancher.network`settings in [cloud-config]({{}}/os/v1.x/en/installation/configuration/#cloud-config). ### ntp 
@@ -24,13 +24,13 @@ Runs `ntpd` in a System Docker container. This service provides the RancherOS user interface by running `sshd` and `getty`. It completes the RancherOS configuration on start up: 1. If the `rancher.password=` kernel parameter exists, it sets `` as the password for the `rancher` user. -2. If there are no host SSH keys, it generates host SSH keys and saves them under `rancher.ssh.keys` in [cloud-config]({{< baseurl >}}/os/v1.x/en/installation/configuration/#cloud-config). +2. If there are no host SSH keys, it generates host SSH keys and saves them under `rancher.ssh.keys` in [cloud-config]({{}}/os/v1.x/en/installation/configuration/#cloud-config). 3. Runs `cloud-init -execute`, which does the following: - * Updates `.ssh/authorized_keys` in `/home/rancher` and `/home/docker` from [cloud-config]({{< baseurl >}}/os/v1.x/en/installation/configuration/ssh-keys/) and metadata. - * Writes files specified by the `write_files` [cloud-config]({{< baseurl >}}/os/v1.x/en/installation/configuration/write-files/) setting. - * Resizes the device specified by the `rancher.resize_device` [cloud-config]({{< baseurl >}}/os/v1.x/en/installation/configuration/resizing-device-partition/) setting. - * Mount devices specified in the `mounts` [cloud-config]({{< baseurl >}}/os/v1.x/en/installation/storage/additional-mounts/) setting. - * Set sysctl parameters specified in the`rancher.sysctl` [cloud-config]({{< baseurl >}}/os/v1.x/en/installation/configuration/sysctl/) setting. + * Updates `.ssh/authorized_keys` in `/home/rancher` and `/home/docker` from [cloud-config]({{}}/os/v1.x/en/installation/configuration/ssh-keys/) and metadata. + * Writes files specified by the `write_files` [cloud-config]({{}}/os/v1.x/en/installation/configuration/write-files/) setting. + * Resizes the device specified by the `rancher.resize_device` [cloud-config]({{}}/os/v1.x/en/installation/configuration/resizing-device-partition/) setting. 
+ * Mount devices specified in the `mounts` [cloud-config]({{}}/os/v1.x/en/installation/storage/additional-mounts/) setting. + * Set sysctl parameters specified in the`rancher.sysctl` [cloud-config]({{}}/os/v1.x/en/installation/configuration/sysctl/) setting. 4. If user-data contained a file that started with `#!`, then a file would be saved at `/var/lib/rancher/conf/cloud-config-script` during cloud-init and then executed. Any errors are ignored. 5. Runs `/opt/rancher/bin/start.sh` if it exists and is executable. Any errors are ignored. 6. Runs `/etc/rc.local` if it exists and is executable. Any errors are ignored. diff --git a/content/os/v1.x/en/installation/boot-process/cloud-init/_index.md b/content/os/v1.x/en/installation/boot-process/cloud-init/_index.md index 85ab3695cea..dfe48a01fb6 100644 --- a/content/os/v1.x/en/installation/boot-process/cloud-init/_index.md +++ b/content/os/v1.x/en/installation/boot-process/cloud-init/_index.md 
@@ -7,7 +7,7 @@ Userdata and metadata can be fetched from a cloud provider, VM runtime, or manag ### Userdata -Userdata is a file given by users when launching RancherOS hosts. It is stored in different locations depending on its format. If the userdata is a [cloud-config]({{< baseurl >}}/os/v1.x/en/installation/configuration/#cloud-config) file, indicated by beginning with `#cloud-config` and being in YAML format, it is stored in `/var/lib/rancher/conf/cloud-config.d/boot.yml`. If the userdata is a script, indicated by beginning with `#!`, it is stored in `/var/lib/rancher/conf/cloud-config-script`. +Userdata is a file given by users when launching RancherOS hosts. It is stored in different locations depending on its format. If the userdata is a [cloud-config]({{}}/os/v1.x/en/installation/configuration/#cloud-config) file, indicated by beginning with `#cloud-config` and being in YAML format, it is stored in `/var/lib/rancher/conf/cloud-config.d/boot.yml`. If the userdata is a script, indicated by beginning with `#!`, it is stored in `/var/lib/rancher/conf/cloud-config-script`. ### Metadata @@ -15,7 +15,7 @@ Although the specifics vary based on provider, a metadata file will typically co ## Configuration Load Order -[Cloud-config]({{< baseurl >}}/os/v1.x/en/installation/configuration/#cloud-config/) is read by system services when they need to get configuration. Each additional file overwrites and extends the previous configuration file. +[Cloud-config]({{}}/os/v1.x/en/installation/configuration/#cloud-config/) is read by system services when they need to get configuration. Each additional file overwrites and extends the previous configuration file. 1. `/usr/share/ros/os-config.yml` - This is the system default configuration, which should **not** be modified by users. 2. `/usr/share/ros/oem/oem-config.yml` - This will typically exist by OEM, which should **not** be modified by users. 
diff --git a/content/os/v1.x/en/installation/configuration/_index.md b/content/os/v1.x/en/installation/configuration/_index.md index 628115f1816..8d835d0c1bc 100644 --- a/content/os/v1.x/en/installation/configuration/_index.md +++ b/content/os/v1.x/en/installation/configuration/_index.md @@ -34,7 +34,7 @@ In our example above, we have our `#cloud-config` line to indicate it's a cloud- ### Manually Changing Configuration To update RancherOS configuration after booting, the `ros config set ` command can be used. -For more complicated settings, like the [sysctl settings]({{< baseurl >}}/os/v1.x/en/installation/configuration/sysctl/), you can also create a small YAML file and then run `sudo ros config merge -i `. +For more complicated settings, like the [sysctl settings]({{}}/os/v1.x/en/installation/configuration/sysctl/), you can also create a small YAML file and then run `sudo ros config merge -i `. #### Getting Values diff --git a/content/os/v1.x/en/installation/configuration/adding-kernel-parameters/_index.md b/content/os/v1.x/en/installation/configuration/adding-kernel-parameters/_index.md index cafa5232098..5571bea102a 100644 --- a/content/os/v1.x/en/installation/configuration/adding-kernel-parameters/_index.md +++ b/content/os/v1.x/en/installation/configuration/adding-kernel-parameters/_index.md @@ -27,7 +27,7 @@ $ sudo system-docker run --rm -it -v /:/host alpine vi /host/boot/global.cfg ### During installation -If you want to set the extra kernel parameters when you are [Installing RancherOS to Disk]({{< baseurl >}}/os/v1.x/en/installation/running-rancheros/server/install-to-disk/) please use the `--append` parameter. +If you want to set the extra kernel parameters when you are [Installing RancherOS to Disk]({{}}/os/v1.x/en/installation/running-rancheros/server/install-to-disk/) please use the `--append` parameter. ```bash $ sudo ros install -d /dev/sda --append "rancheros.autologin=tty1" 
diff --git a/content/os/v1.x/en/installation/configuration/airgap-configuration/_index.md b/content/os/v1.x/en/installation/configuration/airgap-configuration/_index.md index 81db7ae4132..8547f29023e 100644 --- a/content/os/v1.x/en/installation/configuration/airgap-configuration/_index.md +++ b/content/os/v1.x/en/installation/configuration/airgap-configuration/_index.md 
@@ -10,10 +10,10 @@ In the air gap environment, the Docker registry, RancherOS repositories URL, and You should use a private Docker registry so that `user-docker` and `system-docker` can pull images. -1. Add the private Docker registry domain to the [images prefix]({{< baseurl >}}/os/v1.x/en/installation/configuration/images-prefix/). -2. Set the private registry certificates for `user-docker`. For details, refer to [Certificates for Private Registries]({{< baseurl >}}/os/v1.x/en/installation/configuration/private-registries/#certificates-for-private-registries) +1. Add the private Docker registry domain to the [images prefix]({{}}/os/v1.x/en/installation/configuration/images-prefix/). +2. Set the private registry certificates for `user-docker`. For details, refer to [Certificates for Private Registries]({{}}/os/v1.x/en/installation/configuration/private-registries/#certificates-for-private-registries) 3. Set the private registry certificates for `system-docker`. There are two ways to set the certificates: - - To set the private registry certificates before RancherOS starts, you can run a script included with RancherOS. For details, refer to [Set Custom Certs in ISO]({{< baseurl >}}/os/v1.x/en/installation/configuration/airgap-configuration/#set-custom-certs-in-iso). + - To set the private registry certificates before RancherOS starts, you can run a script included with RancherOS. For details, refer to [Set Custom Certs in ISO]({{}}/os/v1.x/en/installation/configuration/airgap-configuration/#set-custom-certs-in-iso). - To set the private registry certificates after RancherOS starts, append your private registry certs to the `/etc/ssl/certs/ca-certificates.crt.rancher` file. Then reboot to make the certs fully take effect. 4. The images used by RancherOS should be pushed to your private registry. 
@@ -84,7 +84,7 @@ $ sudo ros config set rancher.upgrade.url https://foo.bar.com/os/releases.yml Here is a total cloud-config example for using RancherOS in an air gap environment. -For `system-docker`, see [Configuring Private Docker Registry]({{< baseurl >}}/os/v1.x/en/installation/configuration/airgap-configuration/#configuring-private-docker-registry). +For `system-docker`, see [Configuring Private Docker Registry]({{}}/os/v1.x/en/installation/configuration/airgap-configuration/#configuring-private-docker-registry). ```yaml #cloud-config diff --git a/content/os/v1.x/en/installation/configuration/date-and-timezone/_index.md b/content/os/v1.x/en/installation/configuration/date-and-timezone/_index.md index 13ec156209f..1c4cff6e930 100644 --- a/content/os/v1.x/en/installation/configuration/date-and-timezone/_index.md +++ b/content/os/v1.x/en/installation/configuration/date-and-timezone/_index.md 
@@ -5,7 +5,7 @@ weight: 121 The default console keeps time in the Coordinated Universal Time (UTC) zone and synchronizes clocks with the Network Time Protocol (NTP). The Network Time Protocol daemon (ntpd) is an operating system program that maintains the system time in synchronization with time servers using the NTP. -RancherOS can run ntpd in the System Docker container. You can update its configurations by updating `/etc/ntp.conf`. For an example of how to update a file such as `/etc/ntp.conf` within a container, refer to [this page.]({{< baseurl >}}/os/v1.x/en/installation/configuration/write-files/#writing-files-in-specific-system-services) +RancherOS can run ntpd in the System Docker container. You can update its configurations by updating `/etc/ntp.conf`. For an example of how to update a file such as `/etc/ntp.conf` within a container, refer to [this page.]({{}}/os/v1.x/en/installation/configuration/write-files/#writing-files-in-specific-system-services) The default console cannot support changing the time zone because including `tzdata` (time zone data) will increase the ISO size. However, you can change the time zone in the container by passing a flag to specify the time zone when you run the container: diff --git a/content/os/v1.x/en/installation/configuration/docker/_index.md b/content/os/v1.x/en/installation/configuration/docker/_index.md index 0620f6ecd6d..89ec70999e6 100644 --- a/content/os/v1.x/en/installation/configuration/docker/_index.md +++ b/content/os/v1.x/en/installation/configuration/docker/_index.md @@ -3,7 +3,7 @@ title: Configuring Docker or System Docker weight: 126 --- -In RancherOS, you can configure System Docker and Docker daemons by using [cloud-config]({{< baseurl >}}/os/v1.x/en/installation/configuration/#cloud-config). +In RancherOS, you can configure System Docker and Docker daemons by using [cloud-config]({{}}/os/v1.x/en/installation/configuration/#cloud-config). ### Configuring Docker 
@@ -61,7 +61,7 @@ Key | Value | Default | Description ---|---|---| --- `extra_args` | List of Strings | `[]` | Arbitrary daemon arguments, appended to the generated command `environment` | List of Strings | `[]` | -`tls` | Boolean | `false` | When [setting up TLS]({{< baseurl >}}/os/v1.x/en/installation/configuration/setting-up-docker-tls/), this key needs to be set to true. +`tls` | Boolean | `false` | When [setting up TLS]({{}}/os/v1.x/en/installation/configuration/setting-up-docker-tls/), this key needs to be set to true. `tls_args` | List of Strings (used only if `tls: true`) | `[]` | `server_key` | String (used only if `tls: true`)| `""` | PEM encoded server TLS key. `server_cert` | String (used only if `tls: true`) | `""` | PEM encoded server TLS certificate. @@ -120,7 +120,7 @@ $ ros config set rancher.system_docker.bip 172.19.0.0/16 _Available as of v1.4.x_ The default path of system-docker logs is `/var/log/system-docker.log`. If you want to write the system-docker logs to a separate partition, -e.g. [RANCHER_OEM partition]({{< baseurl >}}/os/v1.x/en/about/custom-partition-layout/#use-rancher-oem-partition), you can try `rancher.defaults.system_docker_logs`: +e.g. [RANCHER_OEM partition]({{}}/os/v1.x/en/about/custom-partition-layout/#use-rancher-oem-partition), you can try `rancher.defaults.system_docker_logs`: ``` #cloud-config diff --git a/content/os/v1.x/en/installation/configuration/hostname/_index.md b/content/os/v1.x/en/installation/configuration/hostname/_index.md index 0b05fa53e45..d315838c58e 100644 --- a/content/os/v1.x/en/installation/configuration/hostname/_index.md +++ b/content/os/v1.x/en/installation/configuration/hostname/_index.md 
@@ -3,7 +3,7 @@ title: Setting the Hostname weight: 124 --- -You can set the hostname of the host using [cloud-config]({{< baseurl >}}/os/v1.x/en/installation/configuration/#cloud-config). The example below shows how to configure it. +You can set the hostname of the host using [cloud-config]({{}}/os/v1.x/en/installation/configuration/#cloud-config). The example below shows how to configure it. ```yaml #cloud-config diff --git a/content/os/v1.x/en/installation/configuration/private-registries/_index.md b/content/os/v1.x/en/installation/configuration/private-registries/_index.md index 5abe0adbbaf..c371956f3fd 100644 --- a/content/os/v1.x/en/installation/configuration/private-registries/_index.md +++ b/content/os/v1.x/en/installation/configuration/private-registries/_index.md @@ -3,7 +3,7 @@ title: Private Registries weight: 128 --- -When launching services through a [cloud-config]({{< baseurl >}}/os/v1.x/en/installation/configuration/#cloud-config), it is sometimes necessary to pull a private image from DockerHub or from a private registry. Authentication for these can be embedded in your cloud-config. +When launching services through a [cloud-config]({{}}/os/v1.x/en/installation/configuration/#cloud-config), it is sometimes necessary to pull a private image from DockerHub or from a private registry. Authentication for these can be embedded in your cloud-config. For example, to add authentication for DockerHub: 
@@ -61,7 +61,7 @@ write_files: ### Certificates for Private Registries -Certificates can be stored in the standard locations (i.e. `/etc/docker/certs.d`) following the [Docker documentation](https://docs.docker.com/registry/insecure). By using the `write_files` directive of the [cloud-config]({{< baseurl >}}/os/v1.x/en/installation/configuration/#cloud-config), the certificates can be written directly into `/etc/docker/certs.d`. +Certificates can be stored in the standard locations (i.e. `/etc/docker/certs.d`) following the [Docker documentation](https://docs.docker.com/registry/insecure). By using the `write_files` directive of the [cloud-config]({{}}/os/v1.x/en/installation/configuration/#cloud-config), the certificates can be written directly into `/etc/docker/certs.d`. ```yaml #cloud-config diff --git a/content/os/v1.x/en/installation/configuration/running-commands/_index.md b/content/os/v1.x/en/installation/configuration/running-commands/_index.md index 11b8d44d8be..b18fc06b875 100644 --- a/content/os/v1.x/en/installation/configuration/running-commands/_index.md +++ b/content/os/v1.x/en/installation/configuration/running-commands/_index.md @@ -31,4 +31,4 @@ write_files: docker run -d nginx ``` -Running Docker commands in this manner is useful when pieces of the `docker run` command are dynamically generated. For services whose configuration is static, [adding a system service]({{< baseurl >}}/os/v1.x/en/installation/system-services/adding-system-services/) is recommended. +Running Docker commands in this manner is useful when pieces of the `docker run` command are dynamically generated. For services whose configuration is static, [adding a system service]({{}}/os/v1.x/en/installation/system-services/adding-system-services/) is recommended. diff --git a/content/os/v1.x/en/installation/configuration/ssh-keys/_index.md b/content/os/v1.x/en/installation/configuration/ssh-keys/_index.md index 2204c5b637a..1752042dcf1 100644 
--- a/content/os/v1.x/en/installation/configuration/ssh-keys/_index.md +++ b/content/os/v1.x/en/installation/configuration/ssh-keys/_index.md @@ -3,7 +3,7 @@ title: SSH Settings weight: 121 --- -RancherOS supports adding SSH keys through the [cloud-config]({{< baseurl >}}/os/v1.x/en/installation/configuration/#cloud-config) file. Within the cloud-config file, you simply add the ssh keys within the `ssh_authorized_keys` key. +RancherOS supports adding SSH keys through the [cloud-config]({{}}/os/v1.x/en/installation/configuration/#cloud-config) file. Within the cloud-config file, you simply add the ssh keys within the `ssh_authorized_keys` key. ```yaml #cloud-config diff --git a/content/os/v1.x/en/installation/configuration/switching-consoles/_index.md b/content/os/v1.x/en/installation/configuration/switching-consoles/_index.md index e351cac5b65..d9dd64176af 100644 --- a/content/os/v1.x/en/installation/configuration/switching-consoles/_index.md +++ b/content/os/v1.x/en/installation/configuration/switching-consoles/_index.md 
@@ -3,13 +3,13 @@ title: Switching Consoles weight: 125 --- -When [booting from the ISO]({{< baseurl >}}/os/v1.x/en/installation/running-rancheros/workstation/boot-from-iso/), RancherOS starts with the default console, which is based on busybox. +When [booting from the ISO]({{}}/os/v1.x/en/installation/running-rancheros/workstation/boot-from-iso/), RancherOS starts with the default console, which is based on busybox. -You can select which console you want RancherOS to start with using the [cloud-config]({{< baseurl >}}/os/v1.x/en/installation/configuration/#cloud-config). +You can select which console you want RancherOS to start with using the [cloud-config]({{}}/os/v1.x/en/installation/configuration/#cloud-config). ### Enabling Consoles using Cloud-Config -When launching RancherOS with a [cloud-config]({{< baseurl >}}/os/v1.x/en/installation/configuration/#cloud-config) file, you can select which console you want to use. +When launching RancherOS with a [cloud-config]({{}}/os/v1.x/en/installation/configuration/#cloud-config) file, you can select which console you want to use. Currently, the list of available consoles are: @@ -102,7 +102,7 @@ All consoles except the default (busybox) console are persistent. Persistent con
    -> **Note:** When using a persistent console and in the current version's console, [rolling back]({{< baseurl >}}/os/v1.x/en/upgrading/#rolling-back-an-upgrade) is not supported. For example, rolling back to v0.4.5 when using a v0.5.0 persistent console is not supported. +> **Note:** When using a persistent console and in the current version's console, [rolling back]({{}}/os/v1.x/en/upgrading/#rolling-back-an-upgrade) is not supported. For example, rolling back to v0.4.5 when using a v0.5.0 persistent console is not supported. ### Enabling Consoles diff --git a/content/os/v1.x/en/installation/configuration/switching-docker-versions/_index.md b/content/os/v1.x/en/installation/configuration/switching-docker-versions/_index.md index e51d1d46405..c64e20b7733 100644 --- a/content/os/v1.x/en/installation/configuration/switching-docker-versions/_index.md +++ b/content/os/v1.x/en/installation/configuration/switching-docker-versions/_index.md @@ -3,7 +3,7 @@ title: Switching Docker Versions weight: 129 --- -The version of User Docker used in RancherOS can be configured using a [cloud-config]({{< baseurl >}}/os/v1.x/en/installation/configuration/#cloud-config) file or by using the `ros engine` command. +The version of User Docker used in RancherOS can be configured using a [cloud-config]({{}}/os/v1.x/en/installation/configuration/#cloud-config) file or by using the `ros engine` command. > **Note:** There are known issues in Docker when switching between versions. For production systems, we recommend setting the Docker engine only once [using a cloud-config](#setting-the-docker-engine-using-cloud-config). 
@@ -83,7 +83,7 @@ FROM scratch COPY engine /engine ``` -Once the image is built a [system service]({{< baseurl >}}/os/v1.x/en/installation/system-services/adding-system-services/) configuration file must be created. An [example file](https://github.com/rancher/os-services/blob/master/d/docker-18.06.3-ce.yml) can be found in the rancher/os-services repo. Change the `image` field to point to the Docker engine image you've built. +Once the image is built a [system service]({{}}/os/v1.x/en/installation/system-services/adding-system-services/) configuration file must be created. An [example file](https://github.com/rancher/os-services/blob/master/d/docker-18.06.3-ce.yml) can be found in the rancher/os-services repo. Change the `image` field to point to the Docker engine image you've built. All of the previously mentioned methods of switching Docker engines are now available. For example, if your service file is located at `https://myservicefile` then the following cloud-config file could be used to use your custom Docker engine. diff --git a/content/os/v1.x/en/installation/configuration/users/_index.md b/content/os/v1.x/en/installation/configuration/users/_index.md index 529281eef07..0a89ec8d5ea 100644 --- a/content/os/v1.x/en/installation/configuration/users/_index.md +++ b/content/os/v1.x/en/installation/configuration/users/_index.md 
@@ -5,7 +5,7 @@ weight: 130 Currently, we don't support adding other users besides `rancher`. -You _can_ add users in the console container, but these users will only exist as long as the console container exists. It only makes sense to add users in a [persistent consoles]({{< baseurl >}}/os/v1.x/en/installation/custom-builds/custom-console/#console-persistence). +You _can_ add users in the console container, but these users will only exist as long as the console container exists. It only makes sense to add users in a [persistent consoles]({{}}/os/v1.x/en/installation/custom-builds/custom-console/#console-persistence). If you want the console user to be able to ssh into RancherOS, you need to add them to the `docker` group. diff --git a/content/os/v1.x/en/installation/custom-builds/custom-console/_index.md b/content/os/v1.x/en/installation/custom-builds/custom-console/_index.md index c24ca816aeb..f3c1b330765 100644 --- a/content/os/v1.x/en/installation/custom-builds/custom-console/_index.md +++ b/content/os/v1.x/en/installation/custom-builds/custom-console/_index.md 
@@ -3,13 +3,13 @@ title: Custom Console weight: 180 --- -When [booting from the ISO]({{< baseurl >}}/os/v1.x/en/installation/running-rancheros/workstation/boot-from-iso/), RancherOS starts with the default console, which is based on busybox. +When [booting from the ISO]({{}}/os/v1.x/en/installation/running-rancheros/workstation/boot-from-iso/), RancherOS starts with the default console, which is based on busybox. -You can select which console you want RancherOS to start with using the [cloud-config]({{< baseurl >}}/os/v1.x/en/installation/configuration/#cloud-config). +You can select which console you want RancherOS to start with using the [cloud-config]({{}}/os/v1.x/en/installation/configuration/#cloud-config). ### Enabling Consoles using Cloud-Config -When launching RancherOS with a [cloud-config]({{< baseurl >}}/os/v1.x/en/installation/configuration/#cloud-config) file, you can select which console you want to use. +When launching RancherOS with a [cloud-config]({{}}/os/v1.x/en/installation/configuration/#cloud-config) file, you can select which console you want to use. Currently, the list of available consoles are: @@ -102,7 +102,7 @@ All consoles except the default (busybox) console are persistent. Persistent con
    -> **Note:** When using a persistent console and in the current version's console, [rolling back]({{< baseurl >}}/os/v1.x/en/upgrading/#rolling-back-an-upgrade) is not supported. For example, rolling back to v0.4.5 when using a v0.5.0 persistent console is not supported. +> **Note:** When using a persistent console and in the current version's console, [rolling back]({{}}/os/v1.x/en/upgrading/#rolling-back-an-upgrade) is not supported. For example, rolling back to v0.4.5 when using a v0.5.0 persistent console is not supported. ### Enabling Consoles diff --git a/content/os/v1.x/en/installation/custom-builds/custom-kernels/_index.md b/content/os/v1.x/en/installation/custom-builds/custom-kernels/_index.md index 8a7ff668a11..b3d6d35baae 100644 --- a/content/os/v1.x/en/installation/custom-builds/custom-kernels/_index.md +++ b/content/os/v1.x/en/installation/custom-builds/custom-kernels/_index.md @@ -59,7 +59,7 @@ Your kernel should be packaged and published as a set of files of the following ### Building a RancherOS release using the Packaged kernel files. -By default, RancherOS ships with the kernel provided by the [os-kernel repository](https://github.com/rancher/os-kernel). Swapping out the default kernel can by done by [building your own custom RancherOS ISO]({{< baseurl >}}/os/v1.x/en/installation/custom-builds/custom-rancheros-iso/). +By default, RancherOS ships with the kernel provided by the [os-kernel repository](https://github.com/rancher/os-kernel). Swapping out the default kernel can by done by [building your own custom RancherOS ISO]({{}}/os/v1.x/en/installation/custom-builds/custom-rancheros-iso/). Create a clone of the main [RancherOS repository](https://github.com/rancher/os) to your local machine with a `git clone`. 
@@ -75,6 +75,6 @@ ARG KERNEL_VERSION_amd64=4.14.63-rancher ARG KERNEL_URL_amd64=https://link/xxxx ``` -After you've replaced the URL with your custom kernel, you can follow the steps in [building your own custom RancherOS ISO]({{< baseurl >}}/os/v1.x/en/installation/custom-builds/custom-rancheros-iso/). +After you've replaced the URL with your custom kernel, you can follow the steps in [building your own custom RancherOS ISO]({{}}/os/v1.x/en/installation/custom-builds/custom-rancheros-iso/). > **Note:** `KERNEL_URL` settings should point to a Linux kernel, compiled and packaged in a specific way. You can fork [os-kernel repository](https://github.com/rancher/os-kernel) to package your own kernel. diff --git a/content/os/v1.x/en/installation/custom-builds/custom-rancheros-iso/_index.md b/content/os/v1.x/en/installation/custom-builds/custom-rancheros-iso/_index.md index 697189f8d9d..faec99fb845 100644 --- a/content/os/v1.x/en/installation/custom-builds/custom-rancheros-iso/_index.md +++ b/content/os/v1.x/en/installation/custom-builds/custom-rancheros-iso/_index.md @@ -11,7 +11,7 @@ Create a clone of the main [RancherOS repository](https://github.com/rancher/os) $ git clone https://github.com/rancher/os.git ``` -In the root of the repository, the "General Configuration" section of `Dockerfile.dapper` can be updated to use [custom kernels]({{< baseurl >}}/os/v1.x/en/installation/custom-builds/custom-kernels). +In the root of the repository, the "General Configuration" section of `Dockerfile.dapper` can be updated to use [custom kernels]({{}}/os/v1.x/en/installation/custom-builds/custom-kernels). After you've saved your edits, run `make` in the root directory. After the build has completed, a `./dist/artifacts` directory will be created with the custom built RancherOS release files. Build Requirements: `bash`, `make`, `docker` (Docker version >= 1.10.3) 
@@ -29,7 +29,7 @@ If you need a compressed ISO, you can run this command: $ make release ``` -The `rancheros.iso` is ready to be used to [boot RancherOS from ISO]({{< baseurl >}}/os/v1.x/en/installation/running-rancheros/workstation/boot-from-iso/) or [launch RancherOS using Docker Machine]({{< baseurl >}}/os/v1.x/en/installation/running-rancheros/workstation/docker-machine). +The `rancheros.iso` is ready to be used to [boot RancherOS from ISO]({{}}/os/v1.x/en/installation/running-rancheros/workstation/boot-from-iso/) or [launch RancherOS using Docker Machine]({{}}/os/v1.x/en/installation/running-rancheros/workstation/docker-machine). ## Creating a GCE Image Archive @@ -50,7 +50,7 @@ RANCHEROS_VERSION=v1.4.0 make build-gce #### Reduce Memory Requirements -With changes to the kernel and built Docker, RancherOS booting requires more memory. For details, please refer to the [memory requirements]({{< baseurl >}}/os/v1.x/en/#hardware-requirements). +With changes to the kernel and built Docker, RancherOS booting requires more memory. For details, please refer to the [memory requirements]({{}}/os/v1.x/en/#hardware-requirements). By customizing the ISO, you can reduce the memory usage on boot. The easiest way is to downgrade the built-in Docker version, because Docker takes up a lot of space. This can effectively reduce the memory required to decompress the `initrd` on boot. Using docker 17.03 is a good choice: diff --git a/content/os/v1.x/en/installation/running-rancheros/_index.md b/content/os/v1.x/en/installation/running-rancheros/_index.md index c677f71c35e..17f070f3636 100644 --- a/content/os/v1.x/en/installation/running-rancheros/_index.md +++ b/content/os/v1.x/en/installation/running-rancheros/_index.md 
@@ -3,37 +3,37 @@ title: Running RancherOS weight: 100 --- -RancherOS runs on virtualization platforms, cloud providers and bare metal servers. We also support running a local VM on your laptop. To start running RancherOS as quickly as possible, follow our [Quick Start Guide]({{< baseurl >}}/os/v1.x/en/quick-start-guide/). +RancherOS runs on virtualization platforms, cloud providers and bare metal servers. We also support running a local VM on your laptop. To start running RancherOS as quickly as possible, follow our [Quick Start Guide]({{}}/os/v1.x/en/quick-start-guide/). ### Platforms #### Workstation -[Docker Machine]({{< baseurl >}}/os/v1.x/en/installation/running-rancheros/workstation/docker-machine) +[Docker Machine]({{}}/os/v1.x/en/installation/running-rancheros/workstation/docker-machine) -[Boot from ISO]({{< baseurl >}}/os/v1.x/en/installation/running-rancheros/workstation/boot-from-iso) +[Boot from ISO]({{}}/os/v1.x/en/installation/running-rancheros/workstation/boot-from-iso) #### Cloud -[Amazon EC2]({{< baseurl >}}/os/v1.x/en/installation/running-rancheros/cloud/aws) +[Amazon EC2]({{}}/os/v1.x/en/installation/running-rancheros/cloud/aws) -[Google Compute Engine]({{< baseurl >}}/os/v1.x/en/installation/running-rancheros/cloud/gce) +[Google Compute Engine]({{}}/os/v1.x/en/installation/running-rancheros/cloud/gce) -[DigitalOcean]({{< baseurl >}}/os/v1.x/en/installation/running-rancheros/cloud/do) +[DigitalOcean]({{}}/os/v1.x/en/installation/running-rancheros/cloud/do) -[Azure]({{< baseurl >}}/os/v1.x/en/installation/running-rancheros/cloud/azure) +[Azure]({{}}/os/v1.x/en/installation/running-rancheros/cloud/azure) -[OpenStack]({{< baseurl >}}/os/v1.x/en/installation/running-rancheros/cloud/openstack) +[OpenStack]({{}}/os/v1.x/en/installation/running-rancheros/cloud/openstack) -[VMware ESXi]({{< baseurl >}}/os/v1.x/en/installation/running-rancheros/cloud/vmware-esxi) +[VMware ESXi]({{}}/os/v1.x/en/installation/running-rancheros/cloud/vmware-esxi) 
-[Aliyun]({{< baseurl >}}/os/v1.x/en/installation/running-rancheros/cloud/aliyun) +[Aliyun]({{}}/os/v1.x/en/installation/running-rancheros/cloud/aliyun) #### Bare Metal & Virtual Servers -[PXE]({{< baseurl >}}/os/v1.x/en/installation/running-rancheros/server/pxe) +[PXE]({{}}/os/v1.x/en/installation/running-rancheros/server/pxe) -[Install to Hard Disk]({{< baseurl >}}/os/v1.x/en/installation/running-rancheros/server/install-to-disk) +[Install to Hard Disk]({{}}/os/v1.x/en/installation/running-rancheros/server/install-to-disk) -[Raspberry Pi]({{< baseurl >}}/os/v1.x/en/installation/running-rancheros/server/raspberry-pi) +[Raspberry Pi]({{}}/os/v1.x/en/installation/running-rancheros/server/raspberry-pi) diff --git a/content/os/v1.x/en/installation/running-rancheros/cloud/aliyun/_index.md b/content/os/v1.x/en/installation/running-rancheros/cloud/aliyun/_index.md index ce08ce913fb..839d0200e90 100644 --- a/content/os/v1.x/en/installation/running-rancheros/cloud/aliyun/_index.md +++ b/content/os/v1.x/en/installation/running-rancheros/cloud/aliyun/_index.md @@ -13,7 +13,7 @@ RancherOS is available as an image in Aliyun, and can be easily run in Elastic C Example: -![RancherOS on Aliyun 1]({{< baseurl >}}/img/os/RancherOS_aliyun1.jpg) +![RancherOS on Aliyun 1]({{}}/img/os/RancherOS_aliyun1.jpg) ## Options @@ -29,6 +29,6 @@ After the image is uploaded, we can use the `Aliyun Console` to start a new inst Since the image is private, we need to use the `Custom Images`. -![RancherOS on Aliyun 2]({{< baseurl >}}/img/os/RancherOS_aliyun2.jpg) +![RancherOS on Aliyun 2]({{}}/img/os/RancherOS_aliyun2.jpg) After the instance is successfully started, we can login with the `rancher` user via SSH. diff --git a/content/os/v1.x/en/installation/running-rancheros/cloud/aws/_index.md b/content/os/v1.x/en/installation/running-rancheros/cloud/aws/_index.md index e8886b5f617..66bb3cb663a 100644 --- a/content/os/v1.x/en/installation/running-rancheros/cloud/aws/_index.md 
+++ b/content/os/v1.x/en/installation/running-rancheros/cloud/aws/_index.md @@ -28,7 +28,7 @@ Let’s walk through how to import and create a RancherOS on EC2 machine using t {{< img "/img/os/Rancher_aws1.png" "RancherOS on AWS 1">}} 2. Select the **Community AMIs** on the sidebar and search for **RancherOS**. Pick the latest version and click **Select**. {{< img "/img/os/Rancher_aws2.png" "RancherOS on AWS 2">}} -3. Go through the steps of creating the instance type through the AWS console. If you want to pass in a [cloud-config]({{< baseurl >}}/os/v1.x/en/installation/configuration/#cloud-config) file during boot of RancherOS, you'd pass in the file as **User data** by expanding the **Advanced Details** in **Step 3: Configure Instance Details**. You can pass in the data as text or as a file. +3. Go through the steps of creating the instance type through the AWS console. If you want to pass in a [cloud-config]({{}}/os/v1.x/en/installation/configuration/#cloud-config) file during boot of RancherOS, you'd pass in the file as **User data** by expanding the **Advanced Details** in **Step 3: Configure Instance Details**. You can pass in the data as text or as a file. {{< img "/img/os/Rancher_aws6.png" "RancherOS on AWS 6">}} After going through all the steps, you finally click on **Launch**, and either create a new key pair or choose an existing key pair to be used with the EC2 instance. If you have created a new key pair, download the key pair. If you have chosen an existing key pair, make sure you have the key pair accessible. Click on **Launch Instances**. {{< img "/img/os/Rancher_aws3.png" "RancherOS on AWS 3">}} diff --git a/content/os/v1.x/en/installation/running-rancheros/cloud/do/_index.md b/content/os/v1.x/en/installation/running-rancheros/cloud/do/_index.md index d644822ded6..683fbe0ef9c 100644 --- a/content/os/v1.x/en/installation/running-rancheros/cloud/do/_index.md +++ b/content/os/v1.x/en/installation/running-rancheros/cloud/do/_index.md 
@@ -15,7 +15,7 @@ To start a RancherOS Droplet on Digital Ocean: 1. Click **Create Droplet.** 1. Click the **Container distributions** tab. 1. Click **RancherOS.** -1. Choose a plan. Make sure your Droplet has the [minimum hardware requirements for RancherOS]({{< baseurl >}}os/v1.x/en/overview/#hardware-requirements). +1. Choose a plan. Make sure your Droplet has the [minimum hardware requirements for RancherOS]({{}}os/v1.x/en/overview/#hardware-requirements). 1. Choose any options for backups, block storage, and datacenter region. 1. Optional: In the **Select additional options** section, you can check the **User data** box and enter a `cloud-config` file in the text box that appears. The `cloud-config` file is used to provide a script to be run on the first boot. An example is below. 1. Choose an SSH key that you have access to, or generate a new SSH key. diff --git a/content/os/v1.x/en/installation/running-rancheros/cloud/gce/_index.md b/content/os/v1.x/en/installation/running-rancheros/cloud/gce/_index.md index 6545a2a3477..0c08d8fc1ed 100644 --- a/content/os/v1.x/en/installation/running-rancheros/cloud/gce/_index.md +++ b/content/os/v1.x/en/installation/running-rancheros/cloud/gce/_index.md 
@@ -3,7 +3,7 @@ title: Google Compute Engine (GCE) weight: 106 --- -> **Note:** Due to the maximum transmission unit (MTU) of [1460 bytes on GCE](https://cloud.google.com/compute/docs/troubleshooting#packetfragmentation), you will need to configure your [network interfaces]({{< baseurl >}}/os/v1.x/en/installation/networking/interfaces/) and both the [Docker and System Docker]({{< baseurl >}}/os/v1.x/en/installation/configuration/docker/) to use a MTU of 1460 bytes or you will encounter weird networking related errors. +> **Note:** Due to the maximum transmission unit (MTU) of [1460 bytes on GCE](https://cloud.google.com/compute/docs/troubleshooting#packetfragmentation), you will need to configure your [network interfaces]({{}}/os/v1.x/en/installation/networking/interfaces/) and both the [Docker and System Docker]({{}}/os/v1.x/en/installation/configuration/docker/) to use a MTU of 1460 bytes or you will encounter weird networking related errors. ### Adding the RancherOS Image into GCE 
@@ -26,7 +26,7 @@ $ gcloud compute instances create --project --zone }}/os/v1.x/en/installation/configuration/#cloud-config), you can pass it as metadata upon creation of the instance during the `gcloud compute` command. The file will need to be stored locally before running the command. The key of the metadata will be `user-data` and the value is the location of the file. If any SSH keys are added in the cloud config file, it will also be added to the **rancher** user. +If you want to pass in your own cloud config file that will be processed by [cloud init]({{}}/os/v1.x/en/installation/configuration/#cloud-config), you can pass it as metadata upon creation of the instance during the `gcloud compute` command. The file will need to be stored locally before running the command. The key of the metadata will be `user-data` and the value is the location of the file. If any SSH keys are added in the cloud config file, it will also be added to the **rancher** user. ``` $ gcloud compute instances create --project --zone --image --metadata-from-file user-data=/Directory/of/Cloud_Config.yml 
@@ -74,11 +74,11 @@ Updated [https://www.googleapis.com/compute/v1/projects/PROJECT_ID/zones/ZONE_OF After the image is uploaded, it's easy to use the console to create new instances. You will **not** be able to upload your own cloud config file when creating instances through the console. You can add it after the instance is created using `gcloud compute` commands and resetting the instance. 1. Make sure you are in the project that the image was created in. - ![RancherOS on GCE 4]({{< baseurl >}}/img/os/Rancher_gce4.png) + ![RancherOS on GCE 4]({{}}/img/os/Rancher_gce4.png) 2. In the navigation bar, click on the **VM instances**, which is located at Compute -> Compute Engine -> Metadata. Click on **Create instance**. - ![RancherOS on GCE 5]({{< baseurl >}}/img/os/Rancher_gce5.png) + ![RancherOS on GCE 5]({{}}/img/os/Rancher_gce5.png) 2. Fill out the information for your instance. In the **Image** dropdown, your private image will be listed among the public images provided by Google. Select the private image for RancherOS. Click **Create**. - ![RancherOS on GCE 6]({{< baseurl >}}/img/os/Rancher_gce6.png) + ![RancherOS on GCE 6]({{}}/img/os/Rancher_gce6.png) 3. Your instance is being created and will be up and running shortly! #### Adding SSH keys @@ -89,7 +89,7 @@ In order to SSH into the GCE instance, you will need to have SSH keys set up in In your project, click on **Metadata**, which is located within Compute -> Compute Engine -> Metadata. Click on **SSH Keys**. -![RancherOS on GCE 7]({{< baseurl >}}/img/os/Rancher_gce7.png) +![RancherOS on GCE 7]({{}}/img/os/Rancher_gce7.png) Add the SSH keys that you want to have access to any instances within your project. 
@@ -99,11 +99,11 @@ Note: If you do this after any RancherOS instance is created, you will need to r After your instance is created, click on the instance name. Scroll down to the **SSH Keys** section and click on **Add SSH key**. This key will only be applicable to the instance. -![RancherOS on GCE 8]({{< baseurl >}}/img/os/Rancher_gce8.png) +![RancherOS on GCE 8]({{}}/img/os/Rancher_gce8.png) After the SSH keys have been added, you'll need to reset the machine, by clicking **Reset**. -![RancherOS on GCE 9]({{< baseurl >}}/img/os/Rancher_gce9.png) +![RancherOS on GCE 9]({{}}/img/os/Rancher_gce9.png) After a little bit, you will be able to SSH into the box using the **rancher** user. diff --git a/content/os/v1.x/en/installation/running-rancheros/cloud/openstack/_index.md b/content/os/v1.x/en/installation/running-rancheros/cloud/openstack/_index.md index 7649d6e7e1a..0a55044ed47 100644 --- a/content/os/v1.x/en/installation/running-rancheros/cloud/openstack/_index.md +++ b/content/os/v1.x/en/installation/running-rancheros/cloud/openstack/_index.md @@ -5,4 +5,4 @@ weight: 109 As of v0.5.0, RancherOS releases include an Openstack image that can be found on our [releases page](https://github.com/rancher/os/releases). The image format is [QCOW3](https://wiki.qemu.org/Features/Qcow3#Fully_QCOW2_backwards-compatible_feature_set) that is backward compatible with QCOW2. -When launching an instance using the image, you must enable **Advanced Options** -> **Configuration Drive** and in order to use a [cloud-config]({{< baseurl >}}/os/v1.x/en/installation/configuration/#cloud-config) file. +When launching an instance using the image, you must enable **Advanced Options** -> **Configuration Drive** and in order to use a [cloud-config]({{}}/os/v1.x/en/installation/configuration/#cloud-config) file. 
diff --git a/content/os/v1.x/en/installation/running-rancheros/server/install-to-disk/_index.md b/content/os/v1.x/en/installation/running-rancheros/server/install-to-disk/_index.md index e0deb1b54a4..0b3363704b8 100644 --- a/content/os/v1.x/en/installation/running-rancheros/server/install-to-disk/_index.md +++ b/content/os/v1.x/en/installation/running-rancheros/server/install-to-disk/_index.md @@ -3,7 +3,7 @@ title: Installing to Disk weight: 111 --- -RancherOS comes with a simple installer that will install RancherOS on a given target disk. To install RancherOS on a new disk, you can use the `ros install` command. Before installing, you'll need to have already [booted RancherOS from ISO]({{< baseurl >}}/os/v1.x/en/installation/running-rancheros/workstation/boot-from-iso). Please be sure to pick the `rancheros.iso` from our release [page](https://github.com/rancher/os/releases). +RancherOS comes with a simple installer that will install RancherOS on a given target disk. To install RancherOS on a new disk, you can use the `ros install` command. Before installing, you'll need to have already [booted RancherOS from ISO]({{}}/os/v1.x/en/installation/running-rancheros/workstation/boot-from-iso). Please be sure to pick the `rancheros.iso` from our release [page](https://github.com/rancher/os/releases). ### Using `ros install` to Install RancherOS 
@@ -11,7 +11,7 @@ The `ros install` command orchestrates the installation from the `rancher/os` co #### Cloud-Config -The easiest way to log in is to pass a `cloud-config.yml` file containing your public SSH keys. To learn more about what's supported in our cloud-config, please read our [documentation]({{< baseurl >}}/os/v1.x/en/installation/configuration/#cloud-config). +The easiest way to log in is to pass a `cloud-config.yml` file containing your public SSH keys. To learn more about what's supported in our cloud-config, please read our [documentation]({{}}/os/v1.x/en/installation/configuration/#cloud-config). The `ros install` command will process your `cloud-config.yml` file specified with the `-c` flag. This file will also be placed onto the disk and installed to `/var/lib/rancher/conf/`. It will be evaluated on every boot. @@ -61,7 +61,7 @@ Status: Downloaded newer image for rancher/os:v0.5.0 Continue with reboot [y/N]: ``` -After installing RancherOS to disk, you will no longer be automatically logged in as the `rancher` user. You'll need to have added in SSH keys within your [cloud-config file]({{< baseurl >}}/os/v1.x/en/installation/configuration/#cloud-config). +After installing RancherOS to disk, you will no longer be automatically logged in as the `rancher` user. You'll need to have added in SSH keys within your [cloud-config file]({{}}/os/v1.x/en/installation/configuration/#cloud-config). #### Installing a Different Version diff --git a/content/os/v1.x/en/installation/running-rancheros/server/pxe/_index.md b/content/os/v1.x/en/installation/running-rancheros/server/pxe/_index.md index 4041c3cf2cf..1b855649615 100644 --- a/content/os/v1.x/en/installation/running-rancheros/server/pxe/_index.md +++ b/content/os/v1.x/en/installation/running-rancheros/server/pxe/_index.md 
@@ -63,11 +63,11 @@ Valid cloud-init datasources for RancherOS. | cmdline | Kernel command line: `cloud-config-url=http://link/user_data` | | configdrive | /media/config-2 | | url | URL address | -| vmware| Set `guestinfo` cloud-init or interface data as per [VMware ESXi]({{< baseurl >}}/os/v1.x/en/installation/running-rancheros/cloud/vmware-esxi) | +| vmware| Set `guestinfo` cloud-init or interface data as per [VMware ESXi]({{}}/os/v1.x/en/installation/running-rancheros/cloud/vmware-esxi) | | * | This will add ["configdrive", "vmware", "ec2", "digitalocean", "packet", "gce"] into the list of datasources to try | The vmware datasource was added as of v1.1. ### Cloud-Config -When booting via iPXE, RancherOS can be configured using a [cloud-config file]({{< baseurl >}}/os/v1.x/en/installation/configuration/#cloud-config). +When booting via iPXE, RancherOS can be configured using a [cloud-config file]({{}}/os/v1.x/en/installation/configuration/#cloud-config). diff --git a/content/os/v1.x/en/installation/running-rancheros/server/raspberry-pi/_index.md b/content/os/v1.x/en/installation/running-rancheros/server/raspberry-pi/_index.md index 7ac84cf84bc..a858fb38a2d 100644 --- a/content/os/v1.x/en/installation/running-rancheros/server/raspberry-pi/_index.md +++ b/content/os/v1.x/en/installation/running-rancheros/server/raspberry-pi/_index.md 
@@ -5,7 +5,7 @@ weight: 113 As of v0.5.0, RancherOS releases include a Raspberry Pi image that can be found on our [releases page](https://github.com/rancher/os/releases). The official Raspberry Pi documentation contains instructions on how to [install operating system images](https://www.raspberrypi.org/documentation/installation/installing-images/). -When installing, there is no ability to pass in a [cloud-config]({{< baseurl >}}/os/v1.x/en/installation/configuration/#cloud-config). You will need to boot up, change the configuration and then reboot to apply those changes. +When installing, there is no ability to pass in a [cloud-config]({{}}/os/v1.x/en/installation/configuration/#cloud-config). You will need to boot up, change the configuration and then reboot to apply those changes. Currently, only Raspberry Pi 3 is tested and known to work. diff --git a/content/os/v1.x/en/installation/running-rancheros/workstation/boot-from-iso/_index.md b/content/os/v1.x/en/installation/running-rancheros/workstation/boot-from-iso/_index.md index 6a1b52a6f03..372fa258727 100644 --- a/content/os/v1.x/en/installation/running-rancheros/workstation/boot-from-iso/_index.md +++ b/content/os/v1.x/en/installation/running-rancheros/workstation/boot-from-iso/_index.md 
@@ -13,8 +13,8 @@ VMware | [rancheros-vmware.iso](https://releases.rancher.com/os/latest/vmwar Hyper-V | [rancheros-hyperv.iso](https://releases.rancher.com/os/latest/hyperv/rancheros.iso) Proxmox VE | [rancheros-proxmoxve.iso](https://releases.rancher.com/os/latest/proxmoxve/rancheros.iso) -You must boot with enough memory which you can refer to [here]({{< baseurl >}}/os/v1.x/en/overview/#hardware-requirements). If you boot with the ISO, you will automatically be logged in as the `rancher` user. Only the ISO is set to use autologin by default. If you run from a cloud or install to disk, SSH keys or a password of your choice is expected to be used. +You must boot with enough memory which you can refer to [here]({{}}/os/v1.x/en/overview/#hardware-requirements). If you boot with the ISO, you will automatically be logged in as the `rancher` user. Only the ISO is set to use autologin by default. If you run from a cloud or install to disk, SSH keys or a password of your choice is expected to be used. ### Install to Disk -After you boot RancherOS from ISO, you can follow the instructions [here]({{< baseurl >}}/os/v1.x/en/installation/running-rancheros/server/install-to-disk/) to install RancherOS to a hard disk. +After you boot RancherOS from ISO, you can follow the instructions [here]({{}}/os/v1.x/en/installation/running-rancheros/server/install-to-disk/) to install RancherOS to a hard disk. diff --git a/content/os/v1.x/en/installation/running-rancheros/workstation/docker-machine/_index.md b/content/os/v1.x/en/installation/running-rancheros/workstation/docker-machine/_index.md index 0a21a3f7549..0cf9207f66b 100644 --- a/content/os/v1.x/en/installation/running-rancheros/workstation/docker-machine/_index.md +++ b/content/os/v1.x/en/installation/running-rancheros/workstation/docker-machine/_index.md 
@@ -4,7 +4,7 @@ weight: 101 --- Before we get started, you'll need to make sure that you have docker machine installed. Download it directly from the docker machine [releases](https://github.com/docker/machine/releases). -You also need to know the [memory requirements]({{< baseurl >}}/os/v1.x/en/#hardware-requirements). +You also need to know the [memory requirements]({{}}/os/v1.x/en/#hardware-requirements). > **Note:** If you create a RancherOS instance using Docker Machine, you will not be able to upgrade your version of RancherOS. @@ -116,7 +116,7 @@ Logging into RancherOS follows the standard Docker Machine commands. To login in $ docker-machine ssh ``` -You'll be logged into RancherOS and can start exploring the OS, This will log you into the RancherOS VM. You'll then be able to explore the OS by [adding system services]({{< baseurl >}}/os/v1.x/en/installation/system-services/adding-system-services/), [customizing the configuration]({{< baseurl >}}/os/v1.x/en/installation/configuration/), and launching containers. +You'll be logged into RancherOS and can start exploring the OS, This will log you into the RancherOS VM. You'll then be able to explore the OS by [adding system services]({{}}/os/v1.x/en/installation/system-services/adding-system-services/), [customizing the configuration]({{}}/os/v1.x/en/installation/configuration/), and launching containers. If you want to exit out of RancherOS, you can exit by pressing `Ctrl+D`. diff --git a/content/os/v1.x/en/installation/storage/additional-mounts/_index.md b/content/os/v1.x/en/installation/storage/additional-mounts/_index.md index e568596e3d1..77159ad30ec 100644 --- a/content/os/v1.x/en/installation/storage/additional-mounts/_index.md +++ b/content/os/v1.x/en/installation/storage/additional-mounts/_index.md 
@@ -3,7 +3,7 @@ title: Additional Mounts weight: 161 --- -Additional mounts can be specified as part of your [cloud-config]({{< baseurl >}}/os/v1.x/en/installation/configuration/#cloud-config). These mounts are applied within the console container. Here's a simple example that mounts `/dev/vdb` to `/mnt/s`. +Additional mounts can be specified as part of your [cloud-config]({{}}/os/v1.x/en/installation/configuration/#cloud-config). These mounts are applied within the console container. Here's a simple example that mounts `/dev/vdb` to `/mnt/s`. ```yaml #cloud-config diff --git a/content/os/v1.x/en/installation/storage/state-partition/_index.md b/content/os/v1.x/en/installation/storage/state-partition/_index.md index c16152c2771..27b125792b2 100644 --- a/content/os/v1.x/en/installation/storage/state-partition/_index.md +++ b/content/os/v1.x/en/installation/storage/state-partition/_index.md @@ -13,7 +13,7 @@ rancher: dev: LABEL=RANCHER_STATE ``` -For other labels such as `RANCHER_BOOT` and `RANCHER_OEM` and `RANCHER_SWAP`, please refer to [Custom partition layout]({{< baseurl >}}/os/v1.x/en/about/custom-partition-layout/). +For other labels such as `RANCHER_BOOT` and `RANCHER_OEM` and `RANCHER_SWAP`, please refer to [Custom partition layout]({{}}/os/v1.x/en/about/custom-partition-layout/). ### Autoformat diff --git a/content/os/v1.x/en/installation/system-services/custom-system-services/_index.md b/content/os/v1.x/en/installation/system-services/custom-system-services/_index.md index ba63929e047..09e0024b158 100644 --- a/content/os/v1.x/en/installation/system-services/custom-system-services/_index.md +++ b/content/os/v1.x/en/installation/system-services/custom-system-services/_index.md 
@@ -3,7 +3,7 @@ title: Custom System Services weight: 141 --- -You can also create your own system service in [Docker Compose](https://docs.docker.com/compose/) format. After creating your own custom service, you can launch it in RancherOS in a couple of methods. The service could be directly added to the [cloud-config]({{< baseurl >}}/os/v1.x/en/installation/configuration/#cloud-config), or a `docker-compose.yml` file could be saved at a http(s) url location or in a specific directory of RancherOS. +You can also create your own system service in [Docker Compose](https://docs.docker.com/compose/) format. After creating your own custom service, you can launch it in RancherOS in a couple of methods. The service could be directly added to the [cloud-config]({{}}/os/v1.x/en/installation/configuration/#cloud-config), or a `docker-compose.yml` file could be saved at a http(s) url location or in a specific directory of RancherOS. ### Launching Services through Cloud-Config diff --git a/content/os/v1.x/en/overview/_index.md b/content/os/v1.x/en/overview/_index.md index 264f130ef15..6c554718d10 100644 --- a/content/os/v1.x/en/overview/_index.md +++ b/content/os/v1.x/en/overview/_index.md @@ -25,11 +25,11 @@ VMWare | 1GB | 1280MB (rancheros.iso)
    2048MB (ran GCE | 1GB | 1280MB AWS | 1GB | 1.7GB -You can adjust memory requirements by custom building RancherOS, please refer to [reduce-memory-requirements]({{< baseurl >}}/os/v1.x/en/installation/custom-builds/custom-rancheros-iso/#reduce-memory-requirements) +You can adjust memory requirements by custom building RancherOS, please refer to [reduce-memory-requirements]({{}}/os/v1.x/en/installation/custom-builds/custom-rancheros-iso/#reduce-memory-requirements) ### How RancherOS Works -Everything in RancherOS is a Docker container. We accomplish this by launching two instances of Docker. One is what we call **System Docker** and is the first process on the system. All other system services, like `ntpd`, `syslog`, and `console`, are running in Docker containers. System Docker replaces traditional init systems like `systemd` and is used to launch [additional system services]({{< baseurl >}}/os/v1.x/en/installation/system-services/adding-system-services/). +Everything in RancherOS is a Docker container. We accomplish this by launching two instances of Docker. One is what we call **System Docker** and is the first process on the system. All other system services, like `ntpd`, `syslog`, and `console`, are running in Docker containers. System Docker replaces traditional init systems like `systemd` and is used to launch [additional system services]({{}}/os/v1.x/en/installation/system-services/adding-system-services/). System Docker runs a special container called **Docker**, which is another Docker daemon responsible for managing all of the user’s containers. Any containers that you launch as a user from the console will run inside this Docker. This creates isolation from the System Docker containers and ensures that normal user commands don’t impact system services. 
@@ -39,7 +39,7 @@ System Docker runs a special container called **Docker**, which is another Docke ### Running RancherOS -To get started with RancherOS, head over to our [Quick Start Guide]({{< baseurl >}}/os/v1.x/en/quick-start-guide/). +To get started with RancherOS, head over to our [Quick Start Guide]({{}}/os/v1.x/en/quick-start-guide/). ### Latest Release diff --git a/content/os/v1.x/en/quick-start-guide/_index.md b/content/os/v1.x/en/quick-start-guide/_index.md index 7e01e0fc0a3..67403520766 100644 --- a/content/os/v1.x/en/quick-start-guide/_index.md +++ b/content/os/v1.x/en/quick-start-guide/_index.md @@ -3,7 +3,7 @@ title: Quick Start weight: 1 --- -If you have a specific RanchersOS machine requirements, please check out our [guides on running RancherOS]({{< baseurl >}}/os/v1.x/en/installation/running-rancheros/). With the rest of this guide, we'll start up a RancherOS using [Docker machine]({{< baseurl >}}/os/v1.x/en/installation/running-rancheros/workstation/docker-machine/) and show you some of what RancherOS can do. +If you have a specific RanchersOS machine requirements, please check out our [guides on running RancherOS]({{}}/os/v1.x/en/installation/running-rancheros/). With the rest of this guide, we'll start up a RancherOS using [Docker machine]({{}}/os/v1.x/en/installation/running-rancheros/workstation/docker-machine/) and show you some of what RancherOS can do. ### Launching RancherOS using Docker Machine 
@@ -120,7 +120,7 @@ $ sudo ros config get rancher.network.dns.nameservers ``` -When using the native Busybox console, any changes to the console will be lost after reboots, only changes to `/home` or `/opt` will be persistent. You can use the `ros console switch` command to switch to a [persistent console]({{< baseurl >}}/os/v1.x/en/installation/custom-builds/custom-console/#console-persistence) and replace the native Busybox console. For example, to switch to the Ubuntu console: +When using the native Busybox console, any changes to the console will be lost after reboots, only changes to `/home` or `/opt` will be persistent. You can use the `ros console switch` command to switch to a [persistent console]({{}}/os/v1.x/en/installation/custom-builds/custom-console/#console-persistence) and replace the native Busybox console. For example, to switch to the Ubuntu console: ``` $ sudo ros console switch ubuntu diff --git a/content/os/v1.x/en/upgrading/_index.md b/content/os/v1.x/en/upgrading/_index.md index beedfcdd821..4c3cf8e0be2 100644 --- a/content/os/v1.x/en/upgrading/_index.md +++ b/content/os/v1.x/en/upgrading/_index.md @@ -9,7 +9,7 @@ Since RancherOS is a kernel and initrd, the upgrade process is downloading a new Before upgrading to any version, please review the release notes on our [releases page](https://github.com/rancher/os/releases) in GitHub to review any updates in the release. -> **Note:** If you are using [`docker-machine`]({{< baseurl >}}/os/v1.x/en/installation/running-rancheros/workstation/docker-machine/) then you will not be able to upgrade your RancherOS version. You need to delete and re-create the machine. +> **Note:** If you are using [`docker-machine`]({{}}/os/v1.x/en/installation/running-rancheros/workstation/docker-machine/) then you will not be able to upgrade your RancherOS version. You need to delete and re-create the machine. ### Version Control 
@@ -64,7 +64,7 @@ $ sudo ros -v ros version v0.5.0 ``` -> **Note:** If you are booting from ISO and have not installed to disk, your upgrade will not be saved. You can view our guide to [installing to disk]({{< baseurl >}}/os/v1.x/en/installation/running-rancheros/server/install-to-disk/). +> **Note:** If you are booting from ISO and have not installed to disk, your upgrade will not be saved. You can view our guide to [installing to disk]({{}}/os/v1.x/en/installation/running-rancheros/server/install-to-disk/). #### Upgrading to a Specific Version @@ -114,7 +114,7 @@ ros version 0.4.4
    -> **Note:** If you are using a [persistent console]({{< baseurl >}}/os/v1.x/en/installation/custom-builds/custom-console/#console-persistence) and in the current version's console, rolling back is not supported. For example, rolling back to v0.4.5 when using a v0.5.0 persistent console is not supported. +> **Note:** If you are using a [persistent console]({{}}/os/v1.x/en/installation/custom-builds/custom-console/#console-persistence) and in the current version's console, rolling back is not supported. For example, rolling back to v0.4.5 when using a v0.5.0 persistent console is not supported. ### Staging an Upgrade diff --git a/content/rancher/v2.x/en/admin-settings/_index.md b/content/rancher/v2.x/en/admin-settings/_index.md index e1dc6d52f2c..2242b4d3328 100644 --- a/content/rancher/v2.x/en/admin-settings/_index.md +++ b/content/rancher/v2.x/en/admin-settings/_index.md @@ -9,7 +9,7 @@ aliases: - /rancher/v2.x/en/admin-settings/log-in/ --- -After installation, the [system administrator]({{< baseurl >}}/rancher/v2.x/en/admin-settings/rbac/global-permissions/) should configure Rancher to configure authentication, authorization, security, default settings, security policies, drivers and global DNS entries. +After installation, the [system administrator]({{}}/rancher/v2.x/en/admin-settings/rbac/global-permissions/) should configure Rancher to configure authentication, authorization, security, default settings, security policies, drivers and global DNS entries. ## First Log In 
@@ -21,7 +21,7 @@ After you log into Rancher for the first time, Rancher will prompt you for a **R One of the key features that Rancher adds to Kubernetes is centralized user authentication. This feature allows to set up local users and/or connect to an external authentication provider. By connecting to an external authentication provider, you can leverage that provider's user and groups. -For more information how authentication works and how to configure each provider, see [Authentication]({{< baseurl >}}/rancher/v2.x/en/admin-settings/authentication/). +For more information how authentication works and how to configure each provider, see [Authentication]({{}}/rancher/v2.x/en/admin-settings/authentication/). ## Authorization 
@@ -33,13 +33,13 @@ For more information how authorization works and how to customize roles, see [Ro _Pod Security Policies_ (or PSPs) are objects that control security-sensitive aspects of pod specification, e.g. root privileges. If a pod does not meet the conditions specified in the PSP, Kubernetes will not allow it to start, and Rancher will display an error message. -For more information how to create and use PSPs, see [Pod Security Policies]({{< baseurl >}}/rancher/v2.x/en/admin-settings/pod-security-policies/). +For more information how to create and use PSPs, see [Pod Security Policies]({{}}/rancher/v2.x/en/admin-settings/pod-security-policies/). ## Provisioning Drivers -Drivers in Rancher allow you to manage which providers can be used to provision [hosted Kubernetes clusters]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/hosted-kubernetes-clusters/) or [nodes in an infrastructure provider]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/node-pools/) to allow Rancher to deploy and manage Kubernetes. +Drivers in Rancher allow you to manage which providers can be used to provision [hosted Kubernetes clusters]({{}}/rancher/v2.x/en/cluster-provisioning/hosted-kubernetes-clusters/) or [nodes in an infrastructure provider]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/node-pools/) to allow Rancher to deploy and manage Kubernetes. -For more information, see [Provisioning Drivers]({{< baseurl >}}/rancher/v2.x/en/admin-settings/drivers/). +For more information, see [Provisioning Drivers]({{}}/rancher/v2.x/en/admin-settings/drivers/). ## Adding Kubernetes Versions into Rancher 
@@ -47,9 +47,9 @@ _Available as of v2.3.0_ With this feature, you can upgrade to the latest version of Kubernetes as soon as it is released, without upgrading Rancher. This feature allows you to easily upgrade Kubernetes patch versions (i.e. `v1.15.X`), but not intended to upgrade Kubernetes minor versions (i.e. `v1.X.0`) as Kubernetes tends to deprecate or add APIs between minor versions. -The information that Rancher uses to provision [RKE clusters]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/) is now located in the Rancher Kubernetes Metadata. For details on metadata configuration and how to change the Kubernetes version used for provisioning RKE clusters, see [Rancher Kubernetes Metadata.]({{}}/rancher/v2.x/en/admin-settings/k8s-metadata/) +The information that Rancher uses to provision [RKE clusters]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/) is now located in the Rancher Kubernetes Metadata. For details on metadata configuration and how to change the Kubernetes version used for provisioning RKE clusters, see [Rancher Kubernetes Metadata.]({{}}/rancher/v2.x/en/admin-settings/k8s-metadata/) -Rancher Kubernetes Metadata contains Kubernetes version information which Rancher uses to provision [RKE clusters]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/). +Rancher Kubernetes Metadata contains Kubernetes version information which Rancher uses to provision [RKE clusters]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/). For more information on how metadata works and how to configure metadata config, see [Rancher Kubernetes Metadata]({{}}/rancher/v2.x/en/admin-settings/k8s-metadata/). diff --git a/content/rancher/v2.x/en/admin-settings/authentication/ad/_index.md b/content/rancher/v2.x/en/admin-settings/authentication/ad/_index.md index f74e1e8b0ce..6b72f6752c4 100644 --- a/content/rancher/v2.x/en/admin-settings/authentication/ad/_index.md 
+++ b/content/rancher/v2.x/en/admin-settings/authentication/ad/_index.md @@ -7,11 +7,11 @@ aliases: If your organization uses Microsoft Active Directory as central user repository, you can configure Rancher to communicate with an Active Directory server to authenticate users. This allows Rancher admins to control access to clusters and projects based on users and groups managed externally in the Active Directory, while allowing end-users to authenticate with their AD credentials when logging in to the Rancher UI. -Rancher uses LDAP to communicate with the Active Directory server. The authentication flow for Active Directory is therefore the same as for the [OpenLDAP authentication]({{< baseurl >}}/rancher/v2.x/en/admin-settings/authentication/openldap) integration. +Rancher uses LDAP to communicate with the Active Directory server. The authentication flow for Active Directory is therefore the same as for the [OpenLDAP authentication]({{}}/rancher/v2.x/en/admin-settings/authentication/openldap) integration. > **Note:** > -> Before you start, please familiarise yourself with the concepts of [External Authentication Configuration and Principal Users]({{< baseurl >}}/rancher/v2.x/en/admin-settings/authentication/#external-authentication-configuration-and-principal-users). +> Before you start, please familiarise yourself with the concepts of [External Authentication Configuration and Principal Users]({{}}/rancher/v2.x/en/admin-settings/authentication/#external-authentication-configuration-and-principal-users). ## Prerequisites 
@@ -196,4 +196,4 @@ In the same way, we can observe that the value in the **memberOf** attribute in ## Annex: Troubleshooting -If you are experiencing issues while testing the connection to the Active Directory server, first double-check the credentials entered for the service account as well as the search base configuration. You may also inspect the Rancher logs to help pinpointing the problem cause. Debug logs may contain more detailed information about the error. Please refer to [How can I enable debug logging]({{< baseurl >}}/rancher/v2.x/en/faq/technical/#how-can-i-enable-debug-logging) in this documentation. +If you are experiencing issues while testing the connection to the Active Directory server, first double-check the credentials entered for the service account as well as the search base configuration. You may also inspect the Rancher logs to help pinpointing the problem cause. Debug logs may contain more detailed information about the error. Please refer to [How can I enable debug logging]({{}}/rancher/v2.x/en/faq/technical/#how-can-i-enable-debug-logging) in this documentation. diff --git a/content/rancher/v2.x/en/admin-settings/authentication/azure-ad/_index.md b/content/rancher/v2.x/en/admin-settings/authentication/azure-ad/_index.md index 272f3be784b..1400dfb6ce1 100644 --- a/content/rancher/v2.x/en/admin-settings/authentication/azure-ad/_index.md +++ b/content/rancher/v2.x/en/admin-settings/authentication/azure-ad/_index.md 
@@ -41,13 +41,11 @@ Before enabling Azure AD within Rancher, you must register Rancher with Azure. 1. Use search to open the **App registrations** service. - ![Open App Registrations]({{< baseurl >}}/img/rancher/search-app-registrations.png) + ![Open App Registrations]({{}}/img/rancher/search-app-registrations.png) 1. Click **New registrations** and complete the **Create** form. - ![New App Registration]({{< baseurl >}}/img/rancher/new-app-registration-1.png) - - ![New App Registration Register]({{< baseurl >}}/img/rancher/new-app-registration-2.png) + ![New App Registration]({{}}/img/rancher/new-app-registration.png) 1. Enter a **Name** (something like `Rancher`). @@ -67,7 +65,7 @@ From the Azure portal, create a client secret. Rancher will use this key to auth 1. Use search to open **App registrations** services. Then open the entry for Rancher that you created in the last procedure. - ![Open Rancher Registration]({{< baseurl >}}/img/rancher/open-rancher-app.png) + ![Open Rancher Registration]({{}}/img/rancher/open-rancher-app.png) 1. From the navigation pane on left, click **Certificates and Secrets**. @@ -94,7 +92,7 @@ Next, set API permissions for Rancher within Azure. 1. From the navigation pane on left, select **API permissions**. - ![Open API Permissions]({{< baseurl >}}/img/rancher/select-required-permissions-1.png) + ![Open Required Permissions]({{}}/img/rancher/select-required-permissions.png) 1. Click **Add a permission**. 
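Review bot: in the `@@ -94,7 +92,7` hunk the replaced image line changes more than the shortcode. The alt text goes from "Open API Permissions" to "Open Required Permissions" and the file from `select-required-permissions-1.png` to `select-required-permissions.png`, while the step directly above it still tells the reader to select **API permissions**. Keep the alt text in line with the step wording, and confirm the un-suffixed image exists and shows the same screen. The first hunk of this file has the same pattern: the two `new-app-registration-1.png` / `new-app-registration-2.png` screenshots are collapsed into a single `new-app-registration.png`, which is a content change that the rest of this shortcode cleanup does not make.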
@@ -117,13 +115,35 @@ Next, set API permissions for Rancher within Azure. >**Note:** You must be signed in as an Azure administrator to successfully save your permission settings. -### 4. Copy Azure Application Data + +### 4. Add a Reply URL + +To use Azure AD with Rancher you must whitelist Rancher with Azure. You can complete this whitelisting by providing Azure with a reply URL for Rancher, which is your Rancher Server URL followed with a verification path. + + +1. From the **Setting** blade, select **Reply URLs**. + + ![Azure: Enter Reply URL]({{}}/img/rancher/enter-azure-reply-url.png) + +1. From the **Reply URLs** blade, enter the URL of your Rancher Server, appended with the verification path: `/verify-auth-azure`. + + >**Tip:** You can find your personalized Azure reply URL in Rancher on the Azure AD Authentication page (Global View > Security Authentication > Azure AD). + +1. Click **Save**. + +**Result:** Your reply URL is saved. + +>**Note:** It can take up to five minutes for this change to take affect, so don't be alarmed if you can't authenticate immediately after Azure AD configuration. + +### 5. Copy Azure Application Data As your final step in Azure, copy the data that you'll use to configure Rancher for Azure AD authentication and paste it into an empty text file. 1. Obtain your Rancher **Tenant ID**. - 1. From **App registrations** select the app configured above. + 1. Use search to open the **Azure Active Directory** service. + + ![Open Azure Active Directory]({{}}/img/rancher/search-azure-ad.png) 1. From the left navigation pane, open **Overview**. @@ -135,7 +155,7 @@ As your final step in Azure, copy the data that you'll use to configure Rancher 1. Use search to open **App registrations**. - ![Open App Registrations]({{< baseurl >}}/img/rancher/search-app-registrations.png) + ![Open App Registrations]({{}}/img/rancher/search-app-registrations.png) 1. Find the entry you created for Rancher. 
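Review bot: the new "### 4. Add a Reply URL" section in the `@@ -117,13 +115,35` hunk needs a wording and consistency pass before it lands. "It can take up to five minutes for this change to take affect" should read "take effect", "followed with a verification path" should read "followed by", and "From the **Setting** blade" does not say where that blade is reached from, whereas the neighbouring procedures all start from the app registration and its left navigation pane. Because the reply URL is where Azure returns the sign-in response, the step would also be clearer if it said that the entry must be the Rancher Server URL with `/verify-auth-azure` appended exactly as shown on the Azure AD Authentication page in Rancher. The same hunk changes the Tenant ID sub-step from "From **App registrations** select the app configured above" to "Use search to open the **Azure Active Directory** service"; check that the following "open **Overview**" step still points at the page that shows the tenant ID.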
@@ -145,7 +165,7 @@ As your final step in Azure, copy the data that you'll use to configure Rancher 1. From **App registrations**, click **Endpoints**. - ![Click Endpoints]({{< baseurl >}}/img/rancher/click-endpoints.png) + ![Click Endpoints]({{}}/img/rancher/click-endpoints.png) 2. Copy the following endpoints to your clipboard and paste them into your [text file](#tip) (these values will be your Rancher endpoint values). diff --git a/content/rancher/v2.x/en/admin-settings/authentication/freeipa/_index.md b/content/rancher/v2.x/en/admin-settings/authentication/freeipa/_index.md index 7158f26a6a8..37d8ba2e22b 100644 --- a/content/rancher/v2.x/en/admin-settings/authentication/freeipa/_index.md +++ b/content/rancher/v2.x/en/admin-settings/authentication/freeipa/_index.md @@ -13,7 +13,7 @@ If your organization uses FreeIPA for user authentication, you can configure Ran > >- You must have a [FreeIPA Server](https://www.freeipa.org/) configured. >- Create a service account in FreeIPA with `read-only` access. Rancher uses this account to verify group membership when a user makes a request using an API key. ->- Read [External Authentication Configuration and Principal Users]({{< baseurl >}}/rancher/v2.x/en/admin-settings/authentication/#external-authentication-configuration-and-principal-users). +>- Read [External Authentication Configuration and Principal Users]({{}}/rancher/v2.x/en/admin-settings/authentication/#external-authentication-configuration-and-principal-users). 1. Sign into Rancher using a local user assigned the `administrator` role (i.e., the _local principal_). diff --git a/content/rancher/v2.x/en/admin-settings/authentication/github/_index.md b/content/rancher/v2.x/en/admin-settings/authentication/github/_index.md index 55e505e26f3..9e2c4266c56 100644 --- a/content/rancher/v2.x/en/admin-settings/authentication/github/_index.md +++ b/content/rancher/v2.x/en/admin-settings/authentication/github/_index.md 
@@ -7,7 +7,7 @@ aliases: In environments using GitHub, you can configure Rancher to allow sign on using GitHub credentials. ->**Prerequisites:** Read [External Authentication Configuration and Principal Users]({{< baseurl >}}/rancher/v2.x/en/admin-settings/authentication/#external-authentication-configuration-and-principal-users). +>**Prerequisites:** Read [External Authentication Configuration and Principal Users]({{}}/rancher/v2.x/en/admin-settings/authentication/#external-authentication-configuration-and-principal-users). 1. Sign into Rancher using a local user assigned the `administrator` role (i.e., the _local principal_). diff --git a/content/rancher/v2.x/en/admin-settings/authentication/keycloak/_index.md b/content/rancher/v2.x/en/admin-settings/authentication/keycloak/_index.md index 5f38f1ec376..197e796fb62 100644 --- a/content/rancher/v2.x/en/admin-settings/authentication/keycloak/_index.md +++ b/content/rancher/v2.x/en/admin-settings/authentication/keycloak/_index.md 
@@ -65,7 +65,7 @@ If your organization uses Keycloak Identity Provider (IdP) for user authenticati ## Annex: Troubleshooting -If you are experiencing issues while testing the connection to the Keycloak server, first double-check the configuration option of your SAML client. You may also inspect the Rancher logs to help pinpointing the problem cause. Debug logs may contain more detailed information about the error. Please refer to [How can I enable debug logging]({{< baseurl >}}/rancher/v2.x/en/faq/technical/#how-can-i-enable-debug-logging) in this documentation. +If you are experiencing issues while testing the connection to the Keycloak server, first double-check the configuration option of your SAML client. You may also inspect the Rancher logs to help pinpointing the problem cause. Debug logs may contain more detailed information about the error. Please refer to [How can I enable debug logging]({{}}/rancher/v2.x/en/faq/technical/#how-can-i-enable-debug-logging) in this documentation. ### You are not redirected to Keycloak diff --git a/content/rancher/v2.x/en/admin-settings/authentication/microsoft-adfs/_index.md b/content/rancher/v2.x/en/admin-settings/authentication/microsoft-adfs/_index.md index c79cf3e4087..6062bdb0288 100644 --- a/content/rancher/v2.x/en/admin-settings/authentication/microsoft-adfs/_index.md +++ b/content/rancher/v2.x/en/admin-settings/authentication/microsoft-adfs/_index.md 
@@ -27,10 +27,10 @@ If your organization uses Microsoft Active Directory Federation Services (AD FS) Setting up Microsoft AD FS with Rancher Server requires configuring AD FS on your Active Directory server, and configuring Rancher to utilize your AD FS server. The following pages serve as guides for setting up Microsoft AD FS authentication on your Rancher installation. -- [1 — Configuring Microsoft AD FS for Rancher]({{< baseurl >}}/rancher/v2.x/en/admin-settings/authentication/microsoft-adfs/microsoft-adfs-setup) -- [2 — Configuring Rancher for Microsoft AD FS]({{< baseurl >}}/rancher/v2.x/en/admin-settings/authentication/microsoft-adfs/rancher-adfs-setup) +- [1 — Configuring Microsoft AD FS for Rancher]({{}}/rancher/v2.x/en/admin-settings/authentication/microsoft-adfs/microsoft-adfs-setup) +- [2 — Configuring Rancher for Microsoft AD FS]({{}}/rancher/v2.x/en/admin-settings/authentication/microsoft-adfs/rancher-adfs-setup) {{< saml_caveats >}} -### [Next: Configuring Microsoft AD FS for Rancher]({{< baseurl >}}/rancher/v2.x/en/admin-settings/authentication/microsoft-adfs/microsoft-adfs-setup) +### [Next: Configuring Microsoft AD FS for Rancher]({{}}/rancher/v2.x/en/admin-settings/authentication/microsoft-adfs/microsoft-adfs-setup) diff --git a/content/rancher/v2.x/en/admin-settings/authentication/microsoft-adfs/microsoft-adfs-setup/_index.md b/content/rancher/v2.x/en/admin-settings/authentication/microsoft-adfs/microsoft-adfs-setup/_index.md index 822a991e3e9..152834ec60c 100644 --- a/content/rancher/v2.x/en/admin-settings/authentication/microsoft-adfs/microsoft-adfs-setup/_index.md +++ b/content/rancher/v2.x/en/admin-settings/authentication/microsoft-adfs/microsoft-adfs-setup/_index.md 
@@ -79,4 +79,4 @@ https:///federationmetadata/2007-06/federationmetadata.xml **Result:** You've added Rancher as a relying trust party. Now you can configure Rancher to leverage AD. -### [Next: Configuring Rancher for Microsoft AD FS]({{< baseurl >}}/rancher/v2.x/en/admin-settings/authentication/microsoft-adfs/rancher-adfs-setup/) +### [Next: Configuring Rancher for Microsoft AD FS]({{}}/rancher/v2.x/en/admin-settings/authentication/microsoft-adfs/rancher-adfs-setup/) diff --git a/content/rancher/v2.x/en/admin-settings/authentication/microsoft-adfs/rancher-adfs-setup/_index.md b/content/rancher/v2.x/en/admin-settings/authentication/microsoft-adfs/rancher-adfs-setup/_index.md index f5ba2a38b0e..d87510c66dd 100644 --- a/content/rancher/v2.x/en/admin-settings/authentication/microsoft-adfs/rancher-adfs-setup/_index.md +++ b/content/rancher/v2.x/en/admin-settings/authentication/microsoft-adfs/rancher-adfs-setup/_index.md @@ -4,7 +4,7 @@ weight: 1205 --- _Available as of v2.0.7_ -After you complete [Configuring Microsoft AD FS for Rancher]({{< baseurl >}}/rancher/v2.x/en/admin-settings/authentication/microsoft-adfs/microsoft-adfs-setup/), enter your AD FS information into Rancher to allow AD FS users to authenticate with Rancher. +After you complete [Configuring Microsoft AD FS for Rancher]({{}}/rancher/v2.x/en/admin-settings/authentication/microsoft-adfs/microsoft-adfs-setup/), enter your AD FS information into Rancher to allow AD FS users to authenticate with Rancher. >**Important Notes For Configuring Your AD FS Server:** > diff --git a/content/rancher/v2.x/en/admin-settings/authentication/openldap/_index.md b/content/rancher/v2.x/en/admin-settings/authentication/openldap/_index.md index bce05911aac..2a59301ad9b 100644 --- a/content/rancher/v2.x/en/admin-settings/authentication/openldap/_index.md +++ b/content/rancher/v2.x/en/admin-settings/authentication/openldap/_index.md 
@@ -18,7 +18,7 @@ If your organization uses LDAP for user authentication, you can configure Ranche > **Note:** > -> Before you proceed with the configuration, please familiarise yourself with the concepts of [External Authentication Configuration and Principal Users]({{< baseurl >}}/rancher/v2.x/en/admin-settings/authentication/#external-authentication-configuration-and-principal-users). +> Before you proceed with the configuration, please familiarise yourself with the concepts of [External Authentication Configuration and Principal Users]({{}}/rancher/v2.x/en/admin-settings/authentication/#external-authentication-configuration-and-principal-users). ## Prerequisites @@ -41,7 +41,7 @@ In the section titled `1. Configure an OpenLDAP server`, complete the fields w > **Note:** > -> If you are in doubt about the correct values to enter in the user/group Search Base configuration fields, consult your LDAP administrator or refer to the section [Identify Search Base and Schema using ldapsearch]({{< baseurl >}}/rancher/v2.x/en/admin-settings/authentication/ad/#annex-identify-search-base-and-schema-using-ldapsearch) in the Active Directory authentication documentation. +> If you are in doubt about the correct values to enter in the user/group Search Base configuration fields, consult your LDAP administrator or refer to the section [Identify Search Base and Schema using ldapsearch]({{}}/rancher/v2.x/en/admin-settings/authentication/ad/#annex-identify-search-base-and-schema-using-ldapsearch) in the Active Directory authentication documentation. **Table 1: OpenLDAP server parameters** 
@@ -65,7 +65,7 @@ Note that the attribute mappings configured in this section are used by Rancher > **Note:** > -> If you are unfamiliar with the user/group schema used in the OpenLDAP server, consult your LDAP administrator or refer to the section [Identify Search Base and Schema using ldapsearch]({{< baseurl >}}/rancher/v2.x/en/admin-settings/authentication/ad/#annex-identify-search-base-and-schema-using-ldapsearch) in the Active Directory authentication documentation. +> If you are unfamiliar with the user/group schema used in the OpenLDAP server, consult your LDAP administrator or refer to the section [Identify Search Base and Schema using ldapsearch]({{}}/rancher/v2.x/en/admin-settings/authentication/ad/#annex-identify-search-base-and-schema-using-ldapsearch) in the Active Directory authentication documentation. #### User Schema @@ -125,4 +125,4 @@ Once you have completed the configuration, proceed by testing the connection to ## Annex: Troubleshooting -If you are experiencing issues while testing the connection to the OpenLDAP server, first double-check the credentials entered for the service account as well as the search base configuration. You may also inspect the Rancher logs to help pinpointing the problem cause. Debug logs may contain more detailed information about the error. Please refer to [How can I enable debug logging]({{< baseurl >}}/rancher/v2.x/en/faq/technical/#how-can-i-enable-debug-logging) in this documentation. +If you are experiencing issues while testing the connection to the OpenLDAP server, first double-check the credentials entered for the service account as well as the search base configuration. You may also inspect the Rancher logs to help pinpointing the problem cause. Debug logs may contain more detailed information about the error. Please refer to [How can I enable debug logging]({{}}/rancher/v2.x/en/faq/technical/#how-can-i-enable-debug-logging) in this documentation. 
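Review bot: the rewritten troubleshooting line in the `@@ -125,4 +125,4` hunk carries over "to help pinpointing the problem cause"; since the line is being touched anyway, change it to "to help pinpoint the cause of the problem". The identical sentence is rewritten in the Active Directory and Keycloak troubleshooting hunks of this patch, so fix all three together to keep the pages consistent.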
diff --git a/content/rancher/v2.x/en/admin-settings/authentication/user-groups/_index.md b/content/rancher/v2.x/en/admin-settings/authentication/user-groups/_index.md index 722452e5f63..d88eb423f82 100644 --- a/content/rancher/v2.x/en/admin-settings/authentication/user-groups/_index.md +++ b/content/rancher/v2.x/en/admin-settings/authentication/user-groups/_index.md 
@@ -5,11 +5,11 @@ weight: 1 Rancher relies on users and groups to determine who is allowed to log in to Rancher and which resources they can access. When you configure an external authentication provider, users from that provider will be able to log in to your Rancher server. When a user logs in, the authentication provider will supply your Rancher server with a list of groups to which the user belongs. -Access to clusters, projects, multi-cluster apps, and global DNS providers and entries can be controlled by adding either individual users or groups to these resources. When you add a group to a resource, all users who are members of that group in the authentication provider, will be able to access the resource with the permissions that you've specified for the group. For more information on roles and permissions, see [Role Based Access Control]({{< baseurl >}}/rancher/v2.x/en/admin-settings/rbac/). +Access to clusters, projects, multi-cluster apps, and global DNS providers and entries can be controlled by adding either individual users or groups to these resources. When you add a group to a resource, all users who are members of that group in the authentication provider, will be able to access the resource with the permissions that you've specified for the group. For more information on roles and permissions, see [Role Based Access Control]({{}}/rancher/v2.x/en/admin-settings/rbac/). ## Managing Members -When adding a user or group to a resource, you can search for users or groups by beginning to type their name. The Rancher server will query the authentication provider to find users and groups that match what you've entered. Searching is limited to the authentication provider that you are currently logged in with. For example, if you've enabled GitHub authentication but are logged in using a [local]({{< baseurl >}}/rancher/v2.x/en/admin-settings/authentication/local/) user account, you will not be able to search for GitHub users or groups. 
+When adding a user or group to a resource, you can search for users or groups by beginning to type their name. The Rancher server will query the authentication provider to find users and groups that match what you've entered. Searching is limited to the authentication provider that you are currently logged in with. For example, if you've enabled GitHub authentication but are logged in using a [local]({{}}/rancher/v2.x/en/admin-settings/authentication/local/) user account, you will not be able to search for GitHub users or groups. All users, whether they are local users or from an authentication provider, can be viewed and managed. From the **Global** view, click on **Users**. diff --git a/content/rancher/v2.x/en/admin-settings/drivers/_index.md b/content/rancher/v2.x/en/admin-settings/drivers/_index.md index 63d202b1fad..11cc9d71582 100644 --- a/content/rancher/v2.x/en/admin-settings/drivers/_index.md +++ b/content/rancher/v2.x/en/admin-settings/drivers/_index.md @@ -3,7 +3,7 @@ title: Provisioning Drivers weight: 1140 --- -Drivers in Rancher allow you to manage which providers can be used to deploy [hosted Kubernetes clusters]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/hosted-kubernetes-clusters/) or [nodes in an infrastructure provider]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/node-pools/) to allow Rancher to deploy and manage Kubernetes. +Drivers in Rancher allow you to manage which providers can be used to deploy [hosted Kubernetes clusters]({{}}/rancher/v2.x/en/cluster-provisioning/hosted-kubernetes-clusters/) or [nodes in an infrastructure provider]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/node-pools/) to allow Rancher to deploy and manage Kubernetes. ### Rancher Drivers 
@@ -18,19 +18,19 @@ There are two types of drivers within Rancher: _Available as of v2.2.0_ -Cluster drivers are used to provision [hosted Kubernetes clusters]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/hosted-kubernetes-clusters/), such as GKE, EKS, AKS, etc.. The availability of which cluster driver to display when creating a cluster is defined based on the cluster driver's status. Only `active` cluster drivers will be displayed as an option for creating clusters for hosted Kubernetes clusters. By default, Rancher is packaged with several existing cluster drivers, but you can also create custom cluster drivers to add to Rancher. +Cluster drivers are used to provision [hosted Kubernetes clusters]({{}}/rancher/v2.x/en/cluster-provisioning/hosted-kubernetes-clusters/), such as GKE, EKS, AKS, etc.. The availability of which cluster driver to display when creating a cluster is defined based on the cluster driver's status. Only `active` cluster drivers will be displayed as an option for creating clusters for hosted Kubernetes clusters. By default, Rancher is packaged with several existing cluster drivers, but you can also create custom cluster drivers to add to Rancher. 
By default, Rancher has activated several hosted Kubernetes cloud providers including: -* [Amazon EKS]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/hosted-kubernetes-clusters/eks/) -* [Google GKE]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/hosted-kubernetes-clusters/gke/) -* [Azure AKS]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/hosted-kubernetes-clusters/aks/) +* [Amazon EKS]({{}}/rancher/v2.x/en/cluster-provisioning/hosted-kubernetes-clusters/eks/) +* [Google GKE]({{}}/rancher/v2.x/en/cluster-provisioning/hosted-kubernetes-clusters/gke/) +* [Azure AKS]({{}}/rancher/v2.x/en/cluster-provisioning/hosted-kubernetes-clusters/aks/) There are several other hosted Kubernetes cloud providers that are disabled by default, but are packaged in Rancher: -* [Alibaba ACK]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/hosted-kubernetes-clusters/ack/) -* [Huawei CCE]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/hosted-kubernetes-clusters/cce/) -* [Tencent]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/hosted-kubernetes-clusters/tke/) +* [Alibaba ACK]({{}}/rancher/v2.x/en/cluster-provisioning/hosted-kubernetes-clusters/ack/) +* [Huawei CCE]({{}}/rancher/v2.x/en/cluster-provisioning/hosted-kubernetes-clusters/cce/) +* [Tencent]({{}}/rancher/v2.x/en/cluster-provisioning/hosted-kubernetes-clusters/tke/) ## Node Drivers 
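Review bot: the first added line of the `@@ -18,19 +18,19` hunk keeps the double period in "such as GKE, EKS, AKS, etc.." and the hard-to-parse sentence "The availability of which cluster driver to display when creating a cluster is defined based on the cluster driver's status." The line is already being replaced, so drop the extra period and simplify the sentence, for example by stating directly that only `active` cluster drivers are offered when creating a hosted Kubernetes cluster, which the next sentence already says.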
@@ -40,7 +40,7 @@ If there are specific node drivers that you don't want to show to your users, yo Rancher supports several major cloud providers, but by default, these node drivers are active and available for deployment: -* [Amazon EC2]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/node-pools/ec2/) -* [Azure]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/node-pools/azure/) -* [Digital Ocean]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/node-pools/digital-ocean/) -* [vSphere]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/node-pools/vsphere/) +* [Amazon EC2]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/node-pools/ec2/) +* [Azure]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/node-pools/azure/) +* [Digital Ocean]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/node-pools/digital-ocean/) +* [vSphere]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/node-pools/vsphere/) diff --git a/content/rancher/v2.x/en/admin-settings/drivers/cluster-drivers/_index.md b/content/rancher/v2.x/en/admin-settings/drivers/cluster-drivers/_index.md index f578774e99f..ef92a737bd6 100644 --- a/content/rancher/v2.x/en/admin-settings/drivers/cluster-drivers/_index.md +++ b/content/rancher/v2.x/en/admin-settings/drivers/cluster-drivers/_index.md 
@@ -5,7 +5,7 @@ weight: 1 _Available as of v2.2.0_ -Cluster drivers are used to create clusters in a [hosted Kubernetes provider]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/hosted-kubernetes-clusters/), such as Google GKE. The availability of which cluster driver to display when creating clusters is defined by the cluster driver's status. Only `active` cluster drivers will be displayed as an option for creating clusters. By default, Rancher is packaged with several existing cloud provider cluster drivers, but you can also add custom cluster drivers to Rancher. +Cluster drivers are used to create clusters in a [hosted Kubernetes provider]({{}}/rancher/v2.x/en/cluster-provisioning/hosted-kubernetes-clusters/), such as Google GKE. The availability of which cluster driver to display when creating clusters is defined by the cluster driver's status. Only `active` cluster drivers will be displayed as an option for creating clusters. By default, Rancher is packaged with several existing cloud provider cluster drivers, but you can also add custom cluster drivers to Rancher. If there are specific cluster drivers that you do not want to show your users, you may deactivate those cluster drivers within Rancher and they will not appear as an option for cluster creation. 
@@ -13,8 +13,8 @@ If there are specific cluster drivers that you do not want to show your users, y >**Prerequisites:** To create, edit, or delete cluster drivers, you need _one_ of the following permissions: > ->- [Administrator Global Permissions]({{< baseurl >}}/rancher/v2.x/en/admin-settings/rbac/global-permissions/) ->- [Custom Global Permissions]({{< baseurl >}}/rancher/v2.x/en/admin-settings/rbac/global-permissions/#custom-global-permissions) with the [Manage Cluster Drivers]({{< baseurl >}}/rancher/v2.x/en/admin-settings/rbac/global-permissions/#global-permissions-reference) role assigned. +>- [Administrator Global Permissions]({{}}/rancher/v2.x/en/admin-settings/rbac/global-permissions/) +>- [Custom Global Permissions]({{}}/rancher/v2.x/en/admin-settings/rbac/global-permissions/#custom-global-permissions) with the [Manage Cluster Drivers]({{}}/rancher/v2.x/en/admin-settings/rbac/global-permissions/#global-permissions-reference) role assigned. ## Activating/Deactivating Cluster Drivers diff --git a/content/rancher/v2.x/en/admin-settings/drivers/node-drivers/_index.md b/content/rancher/v2.x/en/admin-settings/drivers/node-drivers/_index.md index ba310504acc..5cf47fec86e 100644 --- a/content/rancher/v2.x/en/admin-settings/drivers/node-drivers/_index.md +++ b/content/rancher/v2.x/en/admin-settings/drivers/node-drivers/_index.md 
@@ -14,8 +14,8 @@ If there are specific node drivers that you don't want to show to your users, yo >**Prerequisites:** To create, edit, or delete drivers, you need _one_ of the following permissions: > ->- [Administrator Global Permissions]({{< baseurl >}}/rancher/v2.x/en/admin-settings/rbac/global-permissions/) ->- [Custom Global Permissions]({{< baseurl >}}/rancher/v2.x/en/admin-settings/rbac/global-permissions/#custom-global-permissions) with the [Manage Node Drivers]({{< baseurl >}}/rancher/v2.x/en/admin-settings/rbac/global-permissions/#global-permissions-reference) role assigned. +>- [Administrator Global Permissions]({{}}/rancher/v2.x/en/admin-settings/rbac/global-permissions/) +>- [Custom Global Permissions]({{}}/rancher/v2.x/en/admin-settings/rbac/global-permissions/#custom-global-permissions) with the [Manage Node Drivers]({{}}/rancher/v2.x/en/admin-settings/rbac/global-permissions/#global-permissions-reference) role assigned. ## Activating/Deactivating Node Drivers diff --git a/content/rancher/v2.x/en/admin-settings/pod-security-policies/_index.md b/content/rancher/v2.x/en/admin-settings/pod-security-policies/_index.md index 7e741e0ae1e..12616772261 100644 --- a/content/rancher/v2.x/en/admin-settings/pod-security-policies/_index.md +++ b/content/rancher/v2.x/en/admin-settings/pod-security-policies/_index.md 
@@ -73,10 +73,10 @@ Rancher ships with two default Pod Security Policies (PSPs): the `restricted` an You can add a Pod Security Policy (PSPs hereafter) in the following contexts: -- [When creating a cluster]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/options/pod-security-policies/) -- [When editing an existing cluster]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/editing-clusters/) -- [When creating a project]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/projects-and-namespaces/#creating-a-project/) -- [When editing an existing project]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/projects-and-namespaces/editing-projects/) +- [When creating a cluster]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/options/pod-security-policies/) +- [When editing an existing cluster]({{}}/rancher/v2.x/en/k8s-in-rancher/editing-clusters/) +- [When creating a project]({{}}/rancher/v2.x/en/k8s-in-rancher/projects-and-namespaces/#creating-a-project/) +- [When editing an existing project]({{}}/rancher/v2.x/en/k8s-in-rancher/projects-and-namespaces/editing-projects/) > **Note:** We recommend adding PSPs during cluster and project creation instead of adding it to an existing one. diff --git a/content/rancher/v2.x/en/admin-settings/rbac/_index.md b/content/rancher/v2.x/en/admin-settings/rbac/_index.md index ee8ef07a3e7..01b6eaacaa7 100644 --- a/content/rancher/v2.x/en/admin-settings/rbac/_index.md +++ b/content/rancher/v2.x/en/admin-settings/rbac/_index.md 
@@ -5,7 +5,7 @@ aliases: - /rancher/v2.x/en/concepts/global-configuration/users-permissions-roles/ --- -Within Rancher, each person authenticates as a _user_, which is a login that grants you access to Rancher. As mentioned in [Authentication]({{< baseurl >}}/rancher/v2.x/en/admin-settings/authentication/), users can either be local or external. +Within Rancher, each person authenticates as a _user_, which is a login that grants you access to Rancher. As mentioned in [Authentication]({{}}/rancher/v2.x/en/admin-settings/authentication/), users can either be local or external. After you configure external authentication, the users that display on the **Users** page changes. @@ -17,11 +17,11 @@ After you configure external authentication, the users that display on the **Use Once the user logs in to Rancher, their _authorization_, or their access rights within the system, is determined by _global permissions_, and _cluster and project roles_. -- [Global Permissions]({{< baseurl >}}/rancher/v2.x/en/admin-settings/rbac/global-permissions/): +- [Global Permissions]({{}}/rancher/v2.x/en/admin-settings/rbac/global-permissions/): Define user authorization outside the scope of any particular cluster. -- [Cluster and Project Roles]({{< baseurl >}}/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/): +- [Cluster and Project Roles]({{}}/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/): Define user authorization inside the specific cluster or project where they are assigned the role. diff --git a/content/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/_index.md b/content/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/_index.md index 591d1e2365d..1a8f6db193d 100644 --- a/content/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/_index.md +++ b/content/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/_index.md 
@@ -140,7 +140,7 @@ By default, when a standard user creates a new cluster or project, they are auto There are two methods for changing default cluster/project roles: -- **Assign Custom Roles**: Create a [custom role]({{< baseurl >}}/rancher/v2.x/en/admin-settings/rbac/default-custom-roles) for either your [cluster](#custom-cluster-roles) or [project](#custom-project-roles), and then set the custom role as default. +- **Assign Custom Roles**: Create a [custom role]({{}}/rancher/v2.x/en/admin-settings/rbac/default-custom-roles) for either your [cluster](#custom-cluster-roles) or [project](#custom-project-roles), and then set the custom role as default. - **Assign Individual Roles**: Configure multiple [cluster](#cluster-role-reference)/[project](#project-role-reference) roles as default for assignment to the creating user. @@ -148,7 +148,7 @@ There are two methods for changing default cluster/project roles: >**Note:** > ->- Although you can [lock]({{< baseurl >}}/rancher/v2.x/en/admin-settings/rbac/locked-roles/) a default role, the system still assigns the role to users who create a cluster/project. +>- Although you can [lock]({{}}/rancher/v2.x/en/admin-settings/rbac/locked-roles/) a default role, the system still assigns the role to users who create a cluster/project. >- Only users that create clusters/projects inherit their roles. Users added to the cluster/project membership afterward must be explicitly assigned their roles. ### Configuring Default Roles for Cluster and Project Creators diff --git a/content/rancher/v2.x/en/admin-settings/rbac/default-custom-roles/_index.md b/content/rancher/v2.x/en/admin-settings/rbac/default-custom-roles/_index.md index 895330c46ea..61993bb082d 100644 --- a/content/rancher/v2.x/en/admin-settings/rbac/default-custom-roles/_index.md +++ b/content/rancher/v2.x/en/admin-settings/rbac/default-custom-roles/_index.md 
@@ -22,8 +22,8 @@ This section covers the following topics: To complete the tasks on this page, one of the following permissions are required: - - [Administrator Global Permissions]({{< baseurl >}}/rancher/v2.x/en/admin-settings/rbac/global-permissions/). - - [Custom Global Permissions]({{< baseurl >}}/rancher/v2.x/en/admin-settings/rbac/global-permissions/#custom-global-permissions) with the [Manage Roles]({{< baseurl >}}/rancher/v2.x/en/admin-settings/rbac/global-permissions/#global-permissions-reference) role assigned. + - [Administrator Global Permissions]({{}}/rancher/v2.x/en/admin-settings/rbac/global-permissions/). + - [Custom Global Permissions]({{}}/rancher/v2.x/en/admin-settings/rbac/global-permissions/#custom-global-permissions) with the [Manage Roles]({{}}/rancher/v2.x/en/admin-settings/rbac/global-permissions/#global-permissions-reference) role assigned. ## Creating A Custom Role for a Cluster or Project @@ -68,7 +68,7 @@ The steps to add custom roles differ depending on the version of Rancher. 1. **Name** the role. -1. Choose whether to set the role to a status of [locked]({{< baseurl >}}/rancher/v2.x/en/admin-settings/rbac/locked-roles/). +1. Choose whether to set the role to a status of [locked]({{}}/rancher/v2.x/en/admin-settings/rbac/locked-roles/). > **Note:** Locked roles cannot be assigned to users. diff --git a/content/rancher/v2.x/en/admin-settings/rbac/locked-roles/_index.md b/content/rancher/v2.x/en/admin-settings/rbac/locked-roles/_index.md index 91ea1123625..70c5c93778b 100644 --- a/content/rancher/v2.x/en/admin-settings/rbac/locked-roles/_index.md +++ b/content/rancher/v2.x/en/admin-settings/rbac/locked-roles/_index.md 
@@ -27,7 +27,7 @@ If you want to prevent a role from being assigned to users, you can set it to a You can lock roles in two contexts: -- When you're [adding a custom role]({{< baseurl >}}/rancher/v2.x/en/admin-settings/rbac/default-custom-roles/). +- When you're [adding a custom role]({{}}/rancher/v2.x/en/admin-settings/rbac/default-custom-roles/). - When you editing an existing role (see below). 1. From the **Global** view, select **Security** > **Roles**. diff --git a/content/rancher/v2.x/en/api/_index.md b/content/rancher/v2.x/en/api/_index.md index 97a0c5a6489..b2f9e84816d 100644 --- a/content/rancher/v2.x/en/api/_index.md +++ b/content/rancher/v2.x/en/api/_index.md 
@@ -5,11 +5,11 @@ weight: 7500 ## How to use the API -The API has its own user interface accessible from a web browser. This is an easy way to see resources, perform actions, and see the equivalent cURL or HTTP request & response. To access it, click on your user avatar in the upper right corner. Under **API & Keys**, you can find the URL endpoint as well as create [API keys]({{< baseurl >}}/rancher/v2.x/en/user-settings/api-keys/). +The API has its own user interface accessible from a web browser. This is an easy way to see resources, perform actions, and see the equivalent cURL or HTTP request & response. To access it, click on your user avatar in the upper right corner. Under **API & Keys**, you can find the URL endpoint as well as create [API keys]({{}}/rancher/v2.x/en/user-settings/api-keys/). ## Authentication -API requests must include authentication information. Authentication is done with HTTP basic authentication using [API Keys]({{< baseurl >}}/rancher/v2.x/en/user-settings/api-keys/). API keys can create new clusters and have access to multiple clusters via `/v3/clusters/`. [Cluster and project roles]({{< baseurl >}}/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/) apply to these keys and restrict what clusters and projects the account can see and what actions they can take. +API requests must include authentication information. Authentication is done with HTTP basic authentication using [API Keys]({{}}/rancher/v2.x/en/user-settings/api-keys/). API keys can create new clusters and have access to multiple clusters via `/v3/clusters/`. [Cluster and project roles]({{}}/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/) apply to these keys and restrict what clusters and projects the account can see and what actions they can take. By default, some cluster-level API tokens are generated with infinite time-to-live (`ttl=0`). In other words, API tokens with `ttl=0` never expire unless you invalidate them. 
For details on how to invalidate them, refer to the [API tokens page]({{}}/rancher/v2.x/en/api/api-tokens). diff --git a/content/rancher/v2.x/en/backups/_index.md b/content/rancher/v2.x/en/backups/_index.md index 0f2c8b5a106..d51850c3fe9 100644 --- a/content/rancher/v2.x/en/backups/_index.md +++ b/content/rancher/v2.x/en/backups/_index.md @@ -8,11 +8,11 @@ This section is devoted to protecting your data in a disaster scenario. To protect yourself from a disaster scenario, you should create backups on a regular basis. - - [Rancher Server Backups]({{< baseurl >}}/rancher/v2.x/en/backups/backups) - - [Backing up Rancher Launched Kubernetes Clusters]({{< baseurl >}}/rancher/v2.x/en/cluster-admin/backing-up-etcd/) + - [Rancher Server Backups]({{}}/rancher/v2.x/en/backups/backups) + - [Backing up Rancher Launched Kubernetes Clusters]({{}}/rancher/v2.x/en/cluster-admin/backing-up-etcd/) In a disaster scenario, you can restore your `etcd` database by restoring a backup. - - [Rancher Server Restorations]({{< baseurl >}}/rancher/v2.x/en/backups/restorations) - - [Restoring Rancher Launched Kubernetes Clusters]({{< baseurl >}}/rancher/v2.x/en/cluster-admin/restoring-etcd/) + - [Rancher Server Restorations]({{}}/rancher/v2.x/en/backups/restorations) + - [Restoring Rancher Launched Kubernetes Clusters]({{}}/rancher/v2.x/en/cluster-admin/restoring-etcd/) diff --git a/content/rancher/v2.x/en/backups/backups/_index.md b/content/rancher/v2.x/en/backups/backups/_index.md index 9ef3beb47d8..57e2150b516 100644 --- a/content/rancher/v2.x/en/backups/backups/_index.md +++ b/content/rancher/v2.x/en/backups/backups/_index.md 
@@ -10,4 +10,4 @@ This section contains information about how to create backups of your Rancher da - [Docker Install Backups](./single-node-backups/) - [Kubernetes Install Backups](./ha-backups/) -If you are looking to back up your [Rancher launched Kubernetes cluster]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/), please refer [here]({{< baseurl >}}/rancher/v2.x/en/cluster-admin/backing-up-etcd/). +If you are looking to back up your [Rancher launched Kubernetes cluster]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/), please refer [here]({{}}/rancher/v2.x/en/cluster-admin/backing-up-etcd/). diff --git a/content/rancher/v2.x/en/backups/backups/single-node-backups/_index.md b/content/rancher/v2.x/en/backups/backups/single-node-backups/_index.md index e86291f230f..bd2cb04d8d5 100644 --- a/content/rancher/v2.x/en/backups/backups/single-node-backups/_index.md +++ b/content/rancher/v2.x/en/backups/backups/single-node-backups/_index.md @@ -20,7 +20,7 @@ In this command, `` is a placeholder for the date that the data container Cross reference the image and reference table below to learn how to obtain this placeholder data. Write down or copy this information before starting the [procedure below](#creating-a-backup). Terminal `docker ps` Command, Displaying Where to Find `` and `` -![Placeholder Reference]({{< baseurl >}}/img/rancher/placeholder-ref.png) +![Placeholder Reference]({{}}/img/rancher/placeholder-ref.png) | Placeholder | Example | Description | | -------------------------- | -------------------------- | --------------------------------------------------------- | 
@@ -68,4 +68,4 @@ This procedure creates a backup that you can restore if Rancher encounters a dis docker start ``` -**Result:** A backup tarball of your Rancher Server data is created. See [Restoring Backups: Docker Installs]({{< baseurl >}}/rancher/v2.x/en/backups/restorations/single-node-restoration) if you need to restore backup data. +**Result:** A backup tarball of your Rancher Server data is created. See [Restoring Backups: Docker Installs]({{}}/rancher/v2.x/en/backups/restorations/single-node-restoration) if you need to restore backup data. diff --git a/content/rancher/v2.x/en/backups/restorations/_index.md b/content/rancher/v2.x/en/backups/restorations/_index.md index 52fd8cab149..2f32ad1d9e2 100644 --- a/content/rancher/v2.x/en/backups/restorations/_index.md +++ b/content/rancher/v2.x/en/backups/restorations/_index.md @@ -4,7 +4,7 @@ weight: 1010 --- If you lose the data on your Rancher Server, you can restore it if you have backups stored in a safe location. -- [Restoring Backups—Docker Installs]({{< baseurl >}}/rancher/v2.x/en/backups/restorations/single-node-restoration/) -- [Restoring Backups—Kubernetes installs]({{< baseurl >}}/rancher/v2.x/en/backups/restorations/ha-restoration/) +- [Restoring Backups—Docker Installs]({{}}/rancher/v2.x/en/backups/restorations/single-node-restoration/) +- [Restoring Backups—Kubernetes installs]({{}}/rancher/v2.x/en/backups/restorations/ha-restoration/) -If you are looking to restore your [Rancher launched Kubernetes cluster]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/), please refer [here]({{< baseurl >}}/rancher/v2.x/en/cluster-admin/restoring-etcd/). +If you are looking to restore your [Rancher launched Kubernetes cluster]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/), please refer [here]({{}}/rancher/v2.x/en/cluster-admin/restoring-etcd/). 
diff --git a/content/rancher/v2.x/en/backups/restorations/ha-restoration/_index.md b/content/rancher/v2.x/en/backups/restorations/ha-restoration/_index.md index ac30f5113c5..5b8cfd3e0b6 100644 --- a/content/rancher/v2.x/en/backups/restorations/ha-restoration/_index.md +++ b/content/rancher/v2.x/en/backups/restorations/ha-restoration/_index.md @@ -8,7 +8,7 @@ aliases: This procedure describes how to use RKE to restore a snapshot of the Rancher Kubernetes cluster. The cluster snapshot will include Kubernetes configuration and the Rancher database and state. -Additionally, the `pki.bundle.tar.gz` file usage is no longer required as v0.2.0 has changed how the [Kubernetes cluster state is stored]({{< baseurl >}}/rke/latest/en/installation/#kubernetes-cluster-state). +Additionally, the `pki.bundle.tar.gz` file usage is no longer required as v0.2.0 has changed how the [Kubernetes cluster state is stored]({{}}/rke/latest/en/installation/#kubernetes-cluster-state). ## Restore Outline 
@@ -24,11 +24,11 @@ Additionally, the `pki.bundle.tar.gz` file usage is no longer required as v0.2.0 ### 1. Preparation -You will need [RKE]({{< baseurl >}}/rke/latest/en/installation/) and [kubectl]({{< baseurl >}}/rancher/v2.x/en/faq/kubectl/) CLI utilities installed. +You will need [RKE]({{}}/rke/latest/en/installation/) and [kubectl]({{}}/rancher/v2.x/en/faq/kubectl/) CLI utilities installed. -Prepare by creating 3 new nodes to be the target for the restored Rancher instance. See [Kubernetes Install]({{< baseurl >}}/rancher/v2.x/en/installation/k8s-install/create-nodes-lb/) for node requirements. +Prepare by creating 3 new nodes to be the target for the restored Rancher instance. See [Kubernetes Install]({{}}/rancher/v2.x/en/installation/k8s-install/create-nodes-lb/) for node requirements. -We recommend that you start with fresh nodes and a clean state. Alternatively you can clear Kubernetes and Rancher configurations from the existing nodes. This will destroy the data on these nodes. See [Node Cleanup]({{< baseurl >}}/rancher/v2.x/en/faq/cleaning-cluster-nodes/) for the procedure. +We recommend that you start with fresh nodes and a clean state. Alternatively you can clear Kubernetes and Rancher configurations from the existing nodes. This will destroy the data on these nodes. See [Node Cleanup]({{}}/rancher/v2.x/en/faq/cleaning-cluster-nodes/) for the procedure. > **IMPORTANT:** Before starting the restore make sure all the Kubernetes services on the old cluster nodes are stopped. We recommend powering off the nodes to be sure. 
@@ -135,8 +135,8 @@ S3 specific options are only available for RKE v0.2.0+. | `--bucket-name` value | Specify s3 bucket name | *| | `--folder` value | Specify s3 folder in the bucket name _Available as of v2.3.0_ | *| | `--region` value | Specify the s3 bucket location (optional) | *| -| `--ssh-agent-auth` | [Use SSH Agent Auth defined by SSH_AUTH_SOCK]({{< baseurl >}}/rke/latest/en/config-options/#ssh-agent) | | -| `--ignore-docker-version` | [Disable Docker version check]({{< baseurl >}}/rke/latest/en/config-options/#supported-docker-versions) | +| `--ssh-agent-auth` | [Use SSH Agent Auth defined by SSH_AUTH_SOCK]({{}}/rke/latest/en/config-options/#ssh-agent) | | +| `--ignore-docker-version` | [Disable Docker version check]({{}}/rke/latest/en/config-options/#supported-docker-versions) | ### 5. Bring Up the Cluster @@ -150,7 +150,7 @@ rke up --config ./rancher-cluster-restore.yml #### Testing the Cluster -Once RKE completes it will have created a credentials file in the local directory. Configure `kubectl` to use the `kube_config_rancher-cluster-restore.yml` credentials file and check on the state of the cluster. See [Installing and Configuring kubectl]({{< baseurl >}}/rancher/v2.x/en/faq/kubectl/#configuration) for details. +Once RKE completes it will have created a credentials file in the local directory. Configure `kubectl` to use the `kube_config_rancher-cluster-restore.yml` credentials file and check on the state of the cluster. See [Installing and Configuring kubectl]({{}}/rancher/v2.x/en/faq/kubectl/#configuration) for details. Your new cluster will take a few minutes to stabilize. Once you see the new "target node" transition to `Ready` and three old nodes in `NotReady` you are ready to continue. 
@@ -232,6 +232,6 @@ rke up --config ./rancher-cluster-restore.yml #### Finishing Up -Rancher should now be running and available to manage your Kubernetes clusters. Review the [recommended architecture]({{< baseurl >}}/rancher/v2.x/en/installation/k8s-install/#recommended-architecture) for Kubernetes installations and update the endpoints for Rancher DNS or the Load Balancer that you built during Step 1 of the Kubernetes install ([1. Create Nodes and Load Balancer]({{< baseurl >}}/rancher/v2.x/en/installation/k8s-install/create-nodes-lb/#load-balancer)) to target the new cluster. Once the endpoints are updated, the agents on your managed clusters should automatically reconnect. This may take 10-15 minutes due to reconnect back off timeouts. +Rancher should now be running and available to manage your Kubernetes clusters. Review the [recommended architecture]({{}}/rancher/v2.x/en/installation/k8s-install/#recommended-architecture) for Kubernetes installations and update the endpoints for Rancher DNS or the Load Balancer that you built during Step 1 of the Kubernetes install ([1. Create Nodes and Load Balancer]({{}}/rancher/v2.x/en/installation/k8s-install/create-nodes-lb/#load-balancer)) to target the new cluster. Once the endpoints are updated, the agents on your managed clusters should automatically reconnect. This may take 10-15 minutes due to reconnect back off timeouts. > **IMPORTANT:** Remember to save your new RKE config (`rancher-cluster-restore.yml`) and `kubectl` credentials (`kube_config_rancher-cluster-restore.yml`) files in a safe place for future maintenance. diff --git a/content/rancher/v2.x/en/backups/restorations/single-node-restoration/_index.md b/content/rancher/v2.x/en/backups/restorations/single-node-restoration/_index.md index 9034877c2e4..aefa51a9da5 100644 --- a/content/rancher/v2.x/en/backups/restorations/single-node-restoration/_index.md +++ b/content/rancher/v2.x/en/backups/restorations/single-node-restoration/_index.md 
@@ -23,7 +23,7 @@ In this command, `` and `-` are e Cross reference the image and reference table below to learn how to obtain this placeholder data. Write down or copy this information before starting the [procedure below](#creating-a-backup). Terminal `docker ps` Command, Displaying Where to Find `` and `` -![Placeholder Reference]({{< baseurl >}}/img/rancher/placeholder-ref.png) +![Placeholder Reference]({{}}/img/rancher/placeholder-ref.png) | Placeholder | Example | Description | | -------------------------- | -------------------------- | --------------------------------------------------------- | @@ -37,7 +37,7 @@ You can obtain `` and `` by loggi ## Restoring Backups -Using a [backup]({{< baseurl >}}/rancher/v2.x/en/backups/backups/single-node-backups/) that you created earlier, restore Rancher to its last known healthy state. +Using a [backup]({{}}/rancher/v2.x/en/backups/backups/single-node-backups/) that you created earlier, restore Rancher to its last known healthy state. 1. Using a remote Terminal connection, log into the node running your Rancher Server. 
@@ -46,9 +46,9 @@ Using a [backup]({{< baseurl >}}/rancher/v2.x/en/backups/backups/single-node-bac ``` docker stop ``` -1. Move the backup tarball that you created during completion of [Creating Backups—Docker Installs]({{< baseurl >}}/rancher/v2.x/en/backups/backups/single-node-backups/) onto your Rancher Server. Change to the directory that you moved it to. Enter `dir` to confirm that it's there. +1. Move the backup tarball that you created during completion of [Creating Backups—Docker Installs]({{}}/rancher/v2.x/en/backups/backups/single-node-backups/) onto your Rancher Server. Change to the directory that you moved it to. Enter `dir` to confirm that it's there. - If you followed the naming convention we suggested in [Creating Backups—Docker Installs]({{< baseurl >}}/rancher/v2.x/en/backups/backups/single-node-backups/), it will have a name similar to `rancher-data-backup--.tar.gz`. + If you followed the naming convention we suggested in [Creating Backups—Docker Installs]({{}}/rancher/v2.x/en/backups/backups/single-node-backups/), it will have a name similar to `rancher-data-backup--.tar.gz`. 1. Enter the following command to delete your current state data and replace it with your backup data, replacing the [placeholders](#before-you-start). Don't forget to close the quotes. diff --git a/content/rancher/v2.x/en/best-practices/_index.md b/content/rancher/v2.x/en/best-practices/_index.md index c5aad4106e3..41bbb4cc9c4 100644 --- a/content/rancher/v2.x/en/best-practices/_index.md +++ b/content/rancher/v2.x/en/best-practices/_index.md 
@@ -11,10 +11,10 @@ Use the navigation bar on the left to find the current best practices for managi For more guidance on best practices, you can consult these resources: -- [Rancher Docs]({{< baseurl >}}) - - [Monitoring]({{< baseurl >}}/rancher/v2.x/en/cluster-admin/tools/monitoring/) - - [Backups and Disaster Recovery]({{< baseurl >}}/rancher/v2.x/en/backups/) - - [Security]({{< baseurl >}}/rancher/v2.x/en/security/) +- [Rancher Docs]({{}}) + - [Monitoring]({{}}/rancher/v2.x/en/cluster-admin/tools/monitoring/) + - [Backups and Disaster Recovery]({{}}/rancher/v2.x/en/backups/) + - [Security]({{}}/rancher/v2.x/en/security/) - [Rancher Blog](https://rancher.com/blog/) - [Articles about best practices on the Rancher blog](https://rancher.com/tags/best-practices/) - [101 More Security Best Practices for Kubernetes](https://rancher.com/blog/2019/2019-01-17-101-more-kubernetes-security-best-practices/) diff --git a/content/rancher/v2.x/en/best-practices/deployment-types/_index.md b/content/rancher/v2.x/en/best-practices/deployment-types/_index.md index 82d177cbcaf..ff493e7fbf2 100644 --- a/content/rancher/v2.x/en/best-practices/deployment-types/_index.md +++ b/content/rancher/v2.x/en/best-practices/deployment-types/_index.md 
@@ -28,11 +28,11 @@ For best performance, run all three of your nodes in the same geographic datacen It's strongly recommended to have a "staging" or "pre-production" environment of the Kubernetes cluster that Rancher runs on. This environment should mirror your production environment as closely as possible in terms of software and hardware configuration. ### Monitor Your Clusters to Plan Capacity -The Rancher server's Kubernetes cluster should run within the [system and hardware requirements]({{< baseurl >}}/rancher/v2.x/en/installation/requirements/) as closely as possible. The more you deviate from the system and hardware requirements, the more risk you take. +The Rancher server's Kubernetes cluster should run within the [system and hardware requirements]({{}}/rancher/v2.x/en/installation/requirements/) as closely as possible. The more you deviate from the system and hardware requirements, the more risk you take. However, metrics-driven capacity planning analysis should be the ultimate guidance for scaling Rancher, because the published requirements take into account a variety of workload types. Using Rancher, you can monitor the state and processes of your cluster nodes, Kubernetes components, and software deployments through integration with Prometheus, a leading open-source monitoring solution, and Grafana, which lets you visualize the metrics from Prometheus. -After you [enable monitoring]({{< baseurl >}}/rancher/v2.x/en/cluster-admin/tools/monitoring/) in the cluster, you can set up [a notification channel]({{< baseurl >}}/rancher/v2.x/en/cluster-admin/tools/notifiers/) and [cluster alerts]({{< baseurl >}}/rancher/v2.x/en/cluster-admin/tools/alerts/) to let you know if your cluster is approaching its capacity. You can also use the Prometheus and Grafana monitoring framework to establish a baseline for key metrics as you scale. 
+After you [enable monitoring]({{}}/rancher/v2.x/en/cluster-admin/tools/monitoring/) in the cluster, you can set up [a notification channel]({{}}/rancher/v2.x/en/cluster-admin/tools/notifiers/) and [cluster alerts]({{}}/rancher/v2.x/en/cluster-admin/tools/alerts/) to let you know if your cluster is approaching its capacity. You can also use the Prometheus and Grafana monitoring framework to establish a baseline for key metrics as you scale. diff --git a/content/rancher/v2.x/en/best-practices/management/_index.md b/content/rancher/v2.x/en/best-practices/management/_index.md index fe7f5f75bf4..4fd202dc1ec 100644 --- a/content/rancher/v2.x/en/best-practices/management/_index.md +++ b/content/rancher/v2.x/en/best-practices/management/_index.md 
@@ -10,7 +10,7 @@ Rancher allows you to set up numerous combinations of configurations. Some confi These tips can help you solve problems before they happen. ### Run Rancher on a Supported OS and Supported Docker Version -Rancher is container-based and can potentially run on any Linux-based operating system. However, only operating systems listed in the [requirements documentation]({{< baseurl >}}/rancher/v2.x/en/installation/requirements/) should be used for running Rancher, along with a supported version of Docker. These versions have been most thoroughly tested and can be properly supported by the Rancher Support team. +Rancher is container-based and can potentially run on any Linux-based operating system. However, only operating systems listed in the [requirements documentation]({{}}/rancher/v2.x/en/installation/requirements/) should be used for running Rancher, along with a supported version of Docker. These versions have been most thoroughly tested and can be properly supported by the Rancher Support team. ### Upgrade Your Kubernetes Version Keep your Kubernetes cluster up to date with a recent and supported version. Typically the Kubernetes community will support the current version and previous three minor releases (for example, 1.14.x, 1.13.x, 1.12.x, and 1.11.x). After a new version is released, the third-oldest supported version reaches EOL (End of Life) status. Running on an EOL release can be a risk if a security issues are found and patches are not available. The community typically makes minor releases every quarter (every three months). 
@@ -29,11 +29,11 @@ Rancher [maintains a Terraform provider](https://rancher.com/blog/2019/rancher-2 All upgrades, both patch and feature upgrades, should be first tested on a staging environment before production is upgraded. The more closely the staging environment mirrors production, the higher chance your production upgrade will be successful. ### Renew Certificates Before they Expire -Multiple people in your organization should set up calendar reminders for certificate renewal. Consider renewing the certificate two weeks to one month in advance. If you have multiple certificates to track, consider using [monitoring and alerting mechanisms]({{< baseurl >}}/rancher/v2.x/en/cluster-admin/tools/) to track certificate expiration. +Multiple people in your organization should set up calendar reminders for certificate renewal. Consider renewing the certificate two weeks to one month in advance. If you have multiple certificates to track, consider using [monitoring and alerting mechanisms]({{}}/rancher/v2.x/en/cluster-admin/tools/) to track certificate expiration. Rancher-provisioned Kubernetes clusters will use certificates that expire in one year. Clusters provisioned by other means may have a longer or shorter expiration. -Certificates can be renewed for Rancher-provisioned clusters [through the Rancher user interface]({{< baseurl >}}/rancher/v2.x/en/cluster-admin/certificate-rotation/). +Certificates can be renewed for Rancher-provisioned clusters [through the Rancher user interface]({{}}/rancher/v2.x/en/cluster-admin/certificate-rotation/). ### Enable Recurring Snapshots for Backing up and Restoring the Cluster Make sure etcd recurring snapshots are enabled. Extend the snapshot retention to a period of time that meets your business needs. In the event of a catastrophic failure or deletion of data, this may be your only recourse for recovery. 
For details about configuring snapshots, refer to the [RKE documentation]({{}}/rke/latest/en/etcd-snapshots/) or the [Rancher documentation on backups]({{}}/rancher/v2.x/en/backups/). @@ -78,13 +78,13 @@ Provision 3 or 5 etcd nodes. Etcd requires a quorum to determine a leader by the Provision two or more control plane nodes. Some control plane components, such as the `kube-apiserver`, run in [active-active](https://www.jscape.com/blog/active-active-vs-active-passive-high-availability-cluster) mode and will give you more scalability. Other components such as kube-scheduler and kube-controller run in active-passive mode (leader elect) and give you more fault tolerance. ### Monitor Your Cluster -Closely monitor and scale your nodes as needed. You should [enable cluster monitoring]({{< baseurl >}}/rancher/v2.x/en/cluster-admin/tools/monitoring/) and use the Prometheus metrics and Grafana visualization options as a starting point. +Closely monitor and scale your nodes as needed. You should [enable cluster monitoring]({{}}/rancher/v2.x/en/cluster-admin/tools/monitoring/) and use the Prometheus metrics and Grafana visualization options as a starting point. # Tips for Security Below are some basic tips for increasing security in Rancher. For more detailed information about securing your cluster, you can refer to these resources: -- Rancher's [security documentation and Kubernetes cluster hardening guide]({{< baseurl >}}/rancher/v2.x/en/security/) +- Rancher's [security documentation and Kubernetes cluster hardening guide]({{}}/rancher/v2.x/en/security/) - [101 More Security Best Practices for Kubernetes](https://rancher.com/blog/2019/2019-01-17-101-more-kubernetes-security-best-practices/) ### Update Rancher with Security Patches diff --git a/content/rancher/v2.x/en/catalog/_index.md b/content/rancher/v2.x/en/catalog/_index.md index 84b297cddd1..2869abf5a3b 100644 --- a/content/rancher/v2.x/en/catalog/_index.md +++ b/content/rancher/v2.x/en/catalog/_index.md 
@@ -61,7 +61,7 @@ Within Rancher, there are default catalogs packaged as part of Rancher. These ca The Library Catalog includes charts curated by Rancher. Rancher stores charts in a Git repository to expedite the fetch and update of charts. - This catalog features Rancher Charts, which include some [notable advantages]({{< baseurl >}}/rancher/v2.x/en/catalog/custom/#chart-types) over native Helm charts. + This catalog features Rancher Charts, which include some [notable advantages]({{}}/rancher/v2.x/en/catalog/custom/#chart-types) over native Helm charts. - **Helm Stable** @@ -94,11 +94,11 @@ _Available as of v2.2.0_ In Rancher v2.2.0, you can add private catalog repositories using credentials like Username and Password. You may also want to use the OAuth token if your Git or Helm repository server support that. -[Read More About Adding Private Git/Helm Catalogs]({{< baseurl >}}/rancher/v2.x/en/catalog/custom/#private-repositories) +[Read More About Adding Private Git/Helm Catalogs]({{}}/rancher/v2.x/en/catalog/custom/#private-repositories) 
@@ -144,15 +144,15 @@ By creating a customized repository with added files, Rancher improves on Helm r There are two types of catalogs in Rancher. Learn more about each type: -* [Built-in Global Catalogs]({{< baseurl >}}/rancher/v2.x/en/catalog/built-in/) -* [Custom Catalogs]({{< baseurl >}}/rancher/v2.x/en/catalog/custom/) +* [Built-in Global Catalogs]({{}}/rancher/v2.x/en/catalog/built-in/) +* [Custom Catalogs]({{}}/rancher/v2.x/en/catalog/custom/) ### Apps In Rancher, applications are deployed from the templates in a catalog. Rancher supports two types of applications: -* [Multi-cluster applications]({{< baseurl >}}/rancher/v2.x/en/catalog/multi-cluster-apps/) -* [Applications deployed in a specific Project]({{< baseurl >}}/rancher/v2.x/en/catalog/apps) +* [Multi-cluster applications]({{}}/rancher/v2.x/en/catalog/multi-cluster-apps/) +* [Applications deployed in a specific Project]({{}}/rancher/v2.x/en/catalog/apps) ### Global DNS @@ -160,7 +160,7 @@ _Available as v2.2.0_ When creating applications that span multiple Kubernetes clusters, a Global DNS entry can be created to route traffic to the endpoints in all of the different clusters. An external DNS server will need be programmed to assign a fully qualified domain name (a.k.a FQDN) to your application. Rancher will use the FQDN you provide and the IP addresses where your application is running to program the DNS. Rancher will gather endpoints from all the Kubernetes clusters running your application and program the DNS. -For more information on how to use this feature, see [Global DNS]({{< baseurl >}}/rancher/v2.x/en/catalog/globaldns/). +For more information on how to use this feature, see [Global DNS]({{}}/rancher/v2.x/en/catalog/globaldns/). ### Chart Compatibility with Rancher diff --git a/content/rancher/v2.x/en/catalog/apps/_index.md b/content/rancher/v2.x/en/catalog/apps/_index.md index 04d509449fc..c5b0b058bc7 100644 --- a/content/rancher/v2.x/en/catalog/apps/_index.md 
+++ b/content/rancher/v2.x/en/catalog/apps/_index.md @@ -3,9 +3,9 @@ title: Apps in a Project weight: 5005 --- -Within a project, when you want to deploy applications from catalogs, the applications available in your project will be based on the [scope of the catalogs]({{< baseurl >}}/rancher/v2.x/en/catalog/#catalog-scope). +Within a project, when you want to deploy applications from catalogs, the applications available in your project will be based on the [scope of the catalogs]({{}}/rancher/v2.x/en/catalog/#catalog-scope). -If your application is using ingresses, you can program the ingress hostname to an external DNS by setting up a [Global DNS entry]({{< baseurl >}}/rancher/v2.x/en/catalog/globaldns/). +If your application is using ingresses, you can program the ingress hostname to an external DNS by setting up a [Global DNS entry]({{}}/rancher/v2.x/en/catalog/globaldns/). ## Prerequisites @@ -16,7 +16,7 @@ To create a multi-cluster app in Rancher, you must have at least one of the foll ## Launching Catalog Applications -After you've either enabled the [built-in global catalogs]({{< baseurl >}}/rancher/v2.x/en/catalog/built-in/) or [added your own custom catalog]({{< baseurl >}}/rancher/v2.x/en/catalog/custom/adding), you can start launching catalog applications. +After you've either enabled the [built-in global catalogs]({{}}/rancher/v2.x/en/catalog/built-in/) or [added your own custom catalog]({{}}/rancher/v2.x/en/catalog/custom/adding), you can start launching catalog applications. 1. From the **Global** view, navigate to your project that you want to start deploying applications. 
@@ -57,7 +57,7 @@ If the Helm chart that you are deploying contains a `questions.yml` file, Ranche #### Key Value Pairs for Native Helm Charts -For native Helm charts (i.e., charts from the **Helm Stable** or **Helm Incubator** catalogs or a [custom Helm chart repository]({{< baseurl >}}/rancher/v2.x/en/catalog/custom/#custom-helm-chart-repository)), answers are provided as key value pairs in the **Answers** section. These answers are used to override the default values. +For native Helm charts (i.e., charts from the **Helm Stable** or **Helm Incubator** catalogs or a [custom Helm chart repository]({{}}/rancher/v2.x/en/catalog/custom/#custom-helm-chart-repository)), answers are provided as key value pairs in the **Answers** section. These answers are used to override the default values. {{% /tab %}} {{% tab "Editing YAML Files" %}} diff --git a/content/rancher/v2.x/en/catalog/built-in/_index.md b/content/rancher/v2.x/en/catalog/built-in/_index.md index 54a1268c88f..fa81d40f40a 100644 --- a/content/rancher/v2.x/en/catalog/built-in/_index.md +++ b/content/rancher/v2.x/en/catalog/built-in/_index.md 
@@ -5,14 +5,14 @@ aliases: - /rancher/v2.x/en/tasks/global-configuration/catalog/enabling-default-catalogs/ --- -There are default [global catalogs]({{< baseurl >}}/rancher/v2.x/en/catalog/#global-catalogs) packaged as part of Rancher. +There are default [global catalogs]({{}}/rancher/v2.x/en/catalog/#global-catalogs) packaged as part of Rancher. ## Managing Built-in Global Catalogs ->**Prerequisites:** In order to manage the built-in catalogs or [manage global catalogs]({{< baseurl >}}/rancher/v2.x/en/catalog/custom/adding/#adding-global-catalogs), you need _one_ of the following permissions: +>**Prerequisites:** In order to manage the built-in catalogs or [manage global catalogs]({{}}/rancher/v2.x/en/catalog/custom/adding/#adding-global-catalogs), you need _one_ of the following permissions: > ->- [Administrator Global Permissions]({{< baseurl >}}/rancher/v2.x/en/admin-settings/rbac/global-permissions/) ->- [Custom Global Permissions]({{< baseurl >}}/rancher/v2.x/en/admin-settings/rbac/global-permissions/#custom-global-permissions) with the [Manage Catalogs]({{< baseurl >}}/rancher/v2.x/en/admin-settings/rbac/global-permissions/#global-permissions-reference) role assigned. +>- [Administrator Global Permissions]({{}}/rancher/v2.x/en/admin-settings/rbac/global-permissions/) +>- [Custom Global Permissions]({{}}/rancher/v2.x/en/admin-settings/rbac/global-permissions/#custom-global-permissions) with the [Manage Catalogs]({{}}/rancher/v2.x/en/admin-settings/rbac/global-permissions/#global-permissions-reference) role assigned. 1. From the **Global** view, choose **Tools > Catalogs** in the navigation bar. In versions prior to v2.2.0, you can select **Catalogs** directly in the navigation bar. 
@@ -22,7 +22,7 @@ There are default [global catalogs]({{< baseurl >}}/rancher/v2.x/en/catalog/#glo The Library Catalog includes charts curated by Rancher. Rancher stores charts in a Git repository to expedite the fetch and update of charts. In Rancher 2.x, only global catalogs are supported. Support for cluster-level and project-level charts will be added in the future. - This catalog features Rancher Charts, which include some [notable advantages]({{< baseurl >}}/rancher/v2.x/en/catalog/custom/#chart-types) over native Helm charts. + This catalog features Rancher Charts, which include some [notable advantages]({{}}/rancher/v2.x/en/catalog/custom/#chart-types) over native Helm charts. - **Helm Stable** diff --git a/content/rancher/v2.x/en/catalog/custom/_index.md b/content/rancher/v2.x/en/catalog/custom/_index.md index 771097c6ec6..67e79a87ab2 100644 --- a/content/rancher/v2.x/en/catalog/custom/_index.md +++ b/content/rancher/v2.x/en/catalog/custom/_index.md @@ -5,7 +5,7 @@ aliases: --- -Any user can [create custom catalogs]({{< baseurl >}}/rancher/v2.x/en/catalog/custom/creating/) to add into Rancher. Besides the content of the catalog, users must ensure their catalogs are able to be added into Rancher. +Any user can [create custom catalogs]({{}}/rancher/v2.x/en/catalog/custom/creating/) to add into Rancher. Besides the content of the catalog, users must ensure their catalogs are able to be added into Rancher. ## Types of Repositories @@ -28,7 +28,7 @@ In Rancher, you can add the custom Helm chart repository with only a catalog nam ## Catalog Fields -When [adding your catalog]({{< baseurl >}}/rancher/v2.x/en/catalog/custom/adding/) to Rancher, you'll provide the following information: +When [adding your catalog]({{}}/rancher/v2.x/en/catalog/custom/adding/) to Rancher, you'll provide the following information: | Variable | Description | 
@@ -48,7 +48,7 @@ Private Git or Helm chart repositories can be added into Rancher using either cr ### Using Username and Password -1. When [adding the catalog]({{< baseurl >}}/rancher/v2.x/en/catalog/custom/adding/), select the **Use private catalog** checkbox. +1. When [adding the catalog]({{}}/rancher/v2.x/en/catalog/custom/adding/), select the **Use private catalog** checkbox. 2. Provide the `Username` and `Password` for your Git or Helm repository. @@ -59,6 +59,6 @@ Read [using Git over HTTPS and OAuth](https://github.blog/2012-09-21-easier-buil 1. Create an [OAuth token](https://github.com/settings/tokens) with `repo` permission selected, and click **Generate token**. -2. When [adding the catalog]({{< baseurl >}}/rancher/v2.x/en/catalog/custom/adding/), select the **Use private catalog** checkbox. +2. When [adding the catalog]({{}}/rancher/v2.x/en/catalog/custom/adding/), select the **Use private catalog** checkbox. 3. For `Username`, provide the Git generated OAuth token. For `Password`, enter `x-oauth-basic`. diff --git a/content/rancher/v2.x/en/catalog/custom/adding/_index.md b/content/rancher/v2.x/en/catalog/custom/adding/_index.md index f3813c01404..f32ad5eeee8 100644 --- a/content/rancher/v2.x/en/catalog/custom/adding/_index.md +++ b/content/rancher/v2.x/en/catalog/custom/adding/_index.md 
@@ -5,20 +5,20 @@ aliases: - /rancher/v2.x/en/tasks/global-configuration/catalog/adding-custom-catalogs/ --- -[Custom catalogs]({{< baseurl >}}/rancher/v2.x/en/catalog/custom/) can be added into Rancher at any [scope of Rancher]({{< baseurl >}}/rancher/v2.x/en/catalog/#catalog-scope). +[Custom catalogs]({{}}/rancher/v2.x/en/catalog/custom/) can be added into Rancher at any [scope of Rancher]({{}}/rancher/v2.x/en/catalog/#catalog-scope). ## Adding Global Catalogs ->**Prerequisites:** In order to manage the [built-in catalogs]({{< baseurl >}}/rancher/v2.x/en/catalog/built-in/) or manage global catalogs, you need _one_ of the following permissions: +>**Prerequisites:** In order to manage the [built-in catalogs]({{}}/rancher/v2.x/en/catalog/built-in/) or manage global catalogs, you need _one_ of the following permissions: > ->- [Administrator Global Permissions]({{< baseurl >}}/rancher/v2.x/en/admin-settings/rbac/global-permissions/) ->- [Custom Global Permissions]({{< baseurl >}}/rancher/v2.x/en/admin-settings/rbac/global-permissions/#custom-global-permissions) with the [Manage Catalogs]({{< baseurl >}}/rancher/v2.x/en/admin-settings/rbac/global-permissions/#global-permissions-reference) role assigned. +>- [Administrator Global Permissions]({{}}/rancher/v2.x/en/admin-settings/rbac/global-permissions/) +>- [Custom Global Permissions]({{}}/rancher/v2.x/en/admin-settings/rbac/global-permissions/#custom-global-permissions) with the [Manage Catalogs]({{}}/rancher/v2.x/en/admin-settings/rbac/global-permissions/#global-permissions-reference) role assigned. 1. From the **Global** view, choose **Tools > Catalogs** in the navigation bar. In versions prior to v2.2.0, you can select **Catalogs** directly in the navigation bar. 2. Click **Add Catalog**. 3. Complete the form and click **Create**. - **Result**: Your custom global catalog is added to Rancher. 
Once it is in `Active` state, it has completed synchronization and you will be able to start deploying [multi-cluster apps]({{< baseurl >}}/rancher/v2.x/en/catalog/multi-cluster-apps/) or [applications in any project]({{< baseurl >}}/rancher/v2.x/en/catalog/apps/) from this catalog. + **Result**: Your custom global catalog is added to Rancher. Once it is in `Active` state, it has completed synchronization and you will be able to start deploying [multi-cluster apps]({{}}/rancher/v2.x/en/catalog/multi-cluster-apps/) or [applications in any project]({{}}/rancher/v2.x/en/catalog/apps/) from this catalog. ## Adding Cluster Catalogs @@ -26,9 +26,9 @@ _Available as of v2.2.0_ >**Prerequisites:** In order to manage cluster scoped catalogs, you need _one_ of the following permissions: > ->- [Administrator Global Permissions]({{< baseurl >}}/rancher/v2.x/en/admin-settings/rbac/global-permissions/) ->- [Cluster Owner Permissions]({{< baseurl >}}/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/#cluster-roles) ->- [Custom Cluster Permissions]({{< baseurl >}}/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/#cluster-roles) with the [Manage Cluster Catalogs]({{< baseurl >}}/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/#cluster-role-reference) role assigned. +>- [Administrator Global Permissions]({{}}/rancher/v2.x/en/admin-settings/rbac/global-permissions/) +>- [Cluster Owner Permissions]({{}}/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/#cluster-roles) +>- [Custom Cluster Permissions]({{}}/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/#cluster-roles) with the [Manage Cluster Catalogs]({{}}/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/#cluster-role-reference) role assigned. 1. From the **Global** view, navigate to your cluster that you want to start adding custom catalogs. 2. Choose the **Tools > Catalogs** in the navigation bar. 
@@ -36,7 +36,7 @@ _Available as of v2.2.0_ 3. Complete the form. By default, the form will provide the ability to select `Scope` of the catalog. When you have added a catalog from the **Cluster** scope, it is defaulted to `Cluster`. 5. Click **Create**. -**Result**: Your custom cluster catalog is added to Rancher. Once it is in `Active` state, it has completed synchronization and you will be able to start deploying [applications in any project in that cluster]({{< baseurl >}}/rancher/v2.x/en/catalog/apps/) from this catalog. +**Result**: Your custom cluster catalog is added to Rancher. Once it is in `Active` state, it has completed synchronization and you will be able to start deploying [applications in any project in that cluster]({{}}/rancher/v2.x/en/catalog/apps/) from this catalog. ## Adding Project Level Catalogs 
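Review bot: the step list in this hunk's context jumps from `3. Complete the form.` straight to `5. Click **Create**.`, with no step 4. Markdown renumbers the list on render, but the source numbering should be sequential so the steps can be referenced reliably. Since the `**Result**` line directly below is already being rewritten, renumber the list in the same change.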
@@ -44,10 +44,10 @@ _Available as of v2.2.0_ >**Prerequisites:** In order to manage project scoped catalogs, you need _one_ of the following permissions: > ->- [Administrator Global Permissions]({{< baseurl >}}/rancher/v2.x/en/admin-settings/rbac/global-permissions/) ->- [Cluster Owner Permissions]({{< baseurl >}}/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/#cluster-roles) ->- [Project Owner Permissions]({{< baseurl >}}/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/#project-roles) ->- [Custom Project Permissions]({{< baseurl >}}/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/#cluster-roles) with the [Manage Project Catalogs]({{< baseurl >}}/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/#project-role-reference) role assigned. +>- [Administrator Global Permissions]({{}}/rancher/v2.x/en/admin-settings/rbac/global-permissions/) +>- [Cluster Owner Permissions]({{}}/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/#cluster-roles) +>- [Project Owner Permissions]({{}}/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/#project-roles) +>- [Custom Project Permissions]({{}}/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/#cluster-roles) with the [Manage Project Catalogs]({{}}/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/#project-role-reference) role assigned. 1. From the **Global** view, navigate to your project that you want to start adding custom catalogs. 2. Choose the **Tools > Catalogs** in the navigation bar. 
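Review bot: in the last prerequisite bullet of this hunk, `[Custom Project Permissions]` links to `cluster-project-roles/#cluster-roles`, while the `Project Owner Permissions` bullet just above it uses `#project-roles`. For a project-scoped permission the cluster roles anchor looks like a copy from the cluster catalog section. The line is being rewritten anyway, so point the link at the project roles anchor if that is the intended target.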
@@ -55,4 +55,4 @@ _Available as of v2.2.0_ 3. Complete the form. By default, the form will provide the ability to select `Scope` of the catalog. When you have added a catalog from the **Project** scope, it is defaulted to `Cluster`. 5. Click **Create**. -**Result**: Your custom project catalog is added to Rancher. Once it is in `Active` state, it has completed synchronization and you will be able to start deploying [applications in that project]({{< baseurl >}}/rancher/v2.x/en/catalog/apps/) from this catalog. +**Result**: Your custom project catalog is added to Rancher. Once it is in `Active` state, it has completed synchronization and you will be able to start deploying [applications in that project]({{}}/rancher/v2.x/en/catalog/apps/) from this catalog. diff --git a/content/rancher/v2.x/en/catalog/custom/creating/_index.md b/content/rancher/v2.x/en/catalog/custom/creating/_index.md index bc1ed5e919d..36c1e41825e 100644 --- a/content/rancher/v2.x/en/catalog/custom/creating/_index.md +++ b/content/rancher/v2.x/en/catalog/custom/creating/_index.md @@ -61,7 +61,7 @@ Before you create your own custom catalog, you should have a basic understanding
    Rancher Chart with app-readme.md (left) vs. Helm Chart without (right)
    - ![app-readme.md]({{< baseurl >}}/img/rancher/app-readme.png) + ![app-readme.md]({{}}/img/rancher/app-readme.png) - `questions.yml` @@ -70,7 +70,7 @@ Before you create your own custom catalog, you should have a basic understanding
    Rancher Chart with questions.yml (left) vs. Helm Chart without (right)
    - ![questions.yml]({{< baseurl >}}/img/rancher/questions.png) + ![questions.yml]({{}}/img/rancher/questions.png) ### Questions.yml diff --git a/content/rancher/v2.x/en/catalog/globaldns/_index.md b/content/rancher/v2.x/en/catalog/globaldns/_index.md index ffa841ae509..463cbebc6c9 100644 --- a/content/rancher/v2.x/en/catalog/globaldns/_index.md +++ b/content/rancher/v2.x/en/catalog/globaldns/_index.md 
@@ -23,11 +23,11 @@ The following table lists the first version of Rancher each provider debuted. ## Global DNS Entries -For each application that you want to route traffic to, you will need to create a Global DNS Entry. This entry will use a fully qualified domain name (a.k.a FQDN) from a global DNS provider to target applications. The applications can either resolve to a single [multi-cluster application]({{< baseurl >}}/rancher/v2.x/en/catalog/multi-cluster-apps/) or to specific projects. You must [add specific annotation labels](#adding-annotations-to-ingresses-to-program-the-external-dns) to the ingresses in order for traffic to be routed correctly to the applications. Without this annotation, the programming for the DNS entry will not work. +For each application that you want to route traffic to, you will need to create a Global DNS Entry. This entry will use a fully qualified domain name (a.k.a FQDN) from a global DNS provider to target applications. The applications can either resolve to a single [multi-cluster application]({{}}/rancher/v2.x/en/catalog/multi-cluster-apps/) or to specific projects. You must [add specific annotation labels](#adding-annotations-to-ingresses-to-program-the-external-dns) to the ingresses in order for traffic to be routed correctly to the applications. Without this annotation, the programming for the DNS entry will not work. ## Permissions for Global DNS Providers/Entries -By default, only [global administrators]({{< baseurl >}}/rancher/v2.x/en/admin-settings/rbac/global-permissions/) and the creator of the Global DNS provider or Global DNS entry have access to use, edit and delete them. When creating the provider or entry, the creator can add additional users in order for those users to access and manage them. By default, these members will get `Owner` role to manage them. 
+By default, only [global administrators]({{}}/rancher/v2.x/en/admin-settings/rbac/global-permissions/) and the creator of the Global DNS provider or Global DNS entry have access to use, edit and delete them. When creating the provider or entry, the creator can add additional users in order for those users to access and manage them. By default, these members will get `Owner` role to manage them. ## Setting up Global DNS for Applications @@ -63,7 +63,7 @@ By default, only [global administrators]({{< baseurl >}}/rancher/v2.x/en/admin-s >**Notes:** > ->- Alibaba Cloud SDK uses TZ data. It needs to be present on `/usr/share/zoneinfo` path of the nodes running [`local` cluster]({{< baseurl >}}/rancher/v2.x/en/installation/options/chart-options/#import-local-cluster), and it is mounted to the external DNS pods. If it is not available on the nodes, please follow the [instruction](https://www.ietf.org/timezones/tzdb-2018f/tz-link.html) to prepare it. +>- Alibaba Cloud SDK uses TZ data. It needs to be present on `/usr/share/zoneinfo` path of the nodes running [`local` cluster]({{}}/rancher/v2.x/en/installation/options/chart-options/#import-local-cluster), and it is mounted to the external DNS pods. If it is not available on the nodes, please follow the [instruction](https://www.ietf.org/timezones/tzdb-2018f/tz-link.html) to prepare it. >- Different versions of AliDNS have different allowable TTL range, where the default TTL for a global DNS entry may not be valid. Please see the [reference](https://www.alibabacloud.com/help/doc-detail/34338.htm) before adding an AliDNS entry. {{% /accordion %}} 
@@ -73,7 +73,7 @@ By default, only [global administrators]({{< baseurl >}}/rancher/v2.x/en/admin-s 1. Click on **Add DNS Entry**. 1. Enter the **FQDN** you wish to program on the external DNS. 1. Select a Global DNS **Provider** from the list. -1. Select if this DNS entry will be for a [multi-cluster application]({{< baseurl >}}/rancher/v2.x/en/catalog/multi-cluster-apps/) or for workloads in different [projects]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/projects-and-namespaces/). You will need to ensure that [annotations are added to any ingresses](#adding-annotations-to-ingresses-to-program-the-external-dns) for the applications that you want to target. +1. Select if this DNS entry will be for a [multi-cluster application]({{}}/rancher/v2.x/en/catalog/multi-cluster-apps/) or for workloads in different [projects]({{}}/rancher/v2.x/en/k8s-in-rancher/projects-and-namespaces/). You will need to ensure that [annotations are added to any ingresses](#adding-annotations-to-ingresses-to-program-the-external-dns) for the applications that you want to target. 1. Configure the **DNS TTL** value in seconds. By default, it will be 300 seconds. 1. Under **Member Access**, search for any users that you want to have the ability to manage this Global DNS entry. 
@@ -85,11 +85,11 @@ In order for Global DNS entries to be programmed, you will need to add a specifi 1. In order for the DNS to be programmed, the following requirements must be met: * The ingress routing rule must be set to use a `hostname` that matches the FQDN of the Global DNS entry. * The ingress must have an annotation (`rancher.io/globalDNS.hostname`) and the value of this annotation should match the FQDN of the Global DNS entry. -1. Once the ingress in your [multi-cluster application]({{< baseurl >}}/rancher/v2.x/en/catalog/multi-cluster-apps/) or in your target projects are in `active` state, the FQDN will be programmed on the external DNS against the Ingress IP addresses. +1. Once the ingress in your [multi-cluster application]({{}}/rancher/v2.x/en/catalog/multi-cluster-apps/) or in your target projects are in `active` state, the FQDN will be programmed on the external DNS against the Ingress IP addresses. ## Editing a Global DNS Provider -The [global administrators]({{< baseurl >}}/rancher/v2.x/en/admin-settings/rbac/global-permissions/), creator of the Global DNS provider and any users added as `members` to a Global DNS provider, have _owner_ access to that provider. Any members can edit the following fields: +The [global administrators]({{}}/rancher/v2.x/en/admin-settings/rbac/global-permissions/), creator of the Global DNS provider and any users added as `members` to a Global DNS provider, have _owner_ access to that provider. Any members can edit the following fields: - Root Domain - Access Key & Secret Key 
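Review bot: the "Editing a Global DNS Provider" paragraph rewritten in this hunk says every user added as a member gets _owner_ access, and the list that follows includes `Access Key & Secret Key` among the fields any member can edit, but nothing tells the reader that adding a member therefore lets that user replace the provider credentials. Suggest adding one sentence here, or next to the **Member Access** step, stating that membership grants full control of the provider including its keys, so administrators add members deliberately.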
@@ -101,7 +101,7 @@ The [global administrators]({{< baseurl >}}/rancher/v2.x/en/admin-settings/rbac/ ## Editing a Global DNS Entry -The [global administrators]({{< baseurl >}}/rancher/v2.x/en/admin-settings/rbac/global-permissions/), creator of the Global DNS entry and any users added as `members` to a Global DNS entry, have _owner_ access to that DNS entry. Any members can edit the following fields: +The [global administrators]({{}}/rancher/v2.x/en/admin-settings/rbac/global-permissions/), creator of the Global DNS entry and any users added as `members` to a Global DNS entry, have _owner_ access to that DNS entry. Any members can edit the following fields: - FQDN - Global DNS Provider diff --git a/content/rancher/v2.x/en/catalog/multi-cluster-apps/_index.md b/content/rancher/v2.x/en/catalog/multi-cluster-apps/_index.md index e1ec64524d8..282835a53e4 100644 --- a/content/rancher/v2.x/en/catalog/multi-cluster-apps/_index.md +++ b/content/rancher/v2.x/en/catalog/multi-cluster-apps/_index.md 
@@ -6,9 +6,9 @@ _Available as of v2.2.0_ Typically, most applications are deployed on a single Kubernetes cluster, but there will be times you might want to deploy multiple copies of the same application across different clusters and/or projects. In Rancher, a _multi-cluster application_, is an application deployed using a Helm chart across multiple clusters. With the ability to deploy the same application across multiple clusters, it avoids the repetition of the same action on each cluster, which could introduce user error during application configuration. With multi-cluster applications, you can customize to have the same configuration across all projects/clusters as well as have the ability to change the configuration based on your target project. Since multi-cluster application is considered a single application, it's easy to manage and maintain this application. -Any Helm charts from a [global catalog]({{< baseurl >}}/rancher/v2.x/en/catalog/#catalog-scope) can be used to deploy and manage multi-cluster applications. +Any Helm charts from a [global catalog]({{}}/rancher/v2.x/en/catalog/#catalog-scope) can be used to deploy and manage multi-cluster applications. -After creating a multi-cluster application, you can program a [Global DNS entry]({{< baseurl >}}/rancher/v2.x/en/catalog/globaldns/) to make it easier to access the application. +After creating a multi-cluster application, you can program a [Global DNS entry]({{}}/rancher/v2.x/en/catalog/globaldns/) to make it easier to access the application. # Prerequisites 
@@ -45,7 +45,7 @@ Rancher has divided the configuration option for the multi-cluster application i #### Targets -In the **Targets** section, select the [projects]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/projects-and-namespaces/#projects) that you want the application to be deployed in. The list of projects is based on what projects you have access to. For each project that you select, it will be added to the list, which shows the cluster name and project name that were selected. To remove a target project, click on **-**. +In the **Targets** section, select the [projects]({{}}/rancher/v2.x/en/k8s-in-rancher/projects-and-namespaces/#projects) that you want the application to be deployed in. The list of projects is based on what projects you have access to. For each project that you select, it will be added to the list, which shows the cluster name and project name that were selected. To remove a target project, click on **-**. #### Upgrades 
@@ -57,15 +57,15 @@ In the **Upgrades** section, select the upgrade strategy to use, when you decide #### Roles -In the **Roles** section, you define the role of the multi-cluster application. Typically, when a user [launches catalog applications]({{< baseurl >}}/rancher/v2.x/en/catalog/apps/#launching-catalog-applications), that specific user's permissions are used for creation of all workloads/resources that is required by the app. +In the **Roles** section, you define the role of the multi-cluster application. Typically, when a user [launches catalog applications]({{}}/rancher/v2.x/en/catalog/apps/#launching-catalog-applications), that specific user's permissions are used for creation of all workloads/resources that is required by the app. For multi-cluster applications, the application is deployed by a _system user_ and is assigned as the creator of all underlying resources. A _system user_ is used instead of the actual user due to the fact that the actual user could be removed from one of the target projects. If the actual user was removed from one of the projects, then that user would no longer be able to manage the application for the other projects. Rancher will let you select from two options for Roles, **Project** and **Cluster**. Rancher will allow creation using any of these roles based on the user's permissions. -- **Project** - This is the equivalent of a [project member]({{< baseurl >}}/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/#project-roles). If you select this role, Rancher will check that in all the target projects, the user has minimally the [project member]({{< baseurl >}}/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/#project-roles) role. 
While the user might not be explicitly granted the _project member_ role, if the user is an [administrator]({{< baseurl >}}/rancher/v2.x/en/admin-settings/rbac/global-permissions/), a [cluster owner]({{< baseurl >}}/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/#cluster-roles), or a [project owner]({{< baseurl >}}/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/#project-roles), then the user is considered to have the appropriate level of permissions. +- **Project** - This is the equivalent of a [project member]({{}}/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/#project-roles). If you select this role, Rancher will check that in all the target projects, the user has minimally the [project member]({{}}/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/#project-roles) role. While the user might not be explicitly granted the _project member_ role, if the user is an [administrator]({{}}/rancher/v2.x/en/admin-settings/rbac/global-permissions/), a [cluster owner]({{}}/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/#cluster-roles), or a [project owner]({{}}/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/#project-roles), then the user is considered to have the appropriate level of permissions. -- **Cluster** - This is the equivalent of a [cluster owner]({{< baseurl >}}/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/#cluster-roles). If you select this role, Rancher will check that in all the target projects, the user has minimally the [cluster owner]({{< baseurl >}}/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/#project-roles) role. While the user might not be explicitly granted the _cluster owner_ role, if the user is an [administrator]({{< baseurl >}}/rancher/v2.x/en/admin-settings/rbac/global-permissions/), then the user is considered to have the appropriate level of permissions. 
+- **Cluster** - This is the equivalent of a [cluster owner]({{}}/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/#cluster-roles). If you select this role, Rancher will check that in all the target projects, the user has minimally the [cluster owner]({{}}/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/#project-roles) role. While the user might not be explicitly granted the _cluster owner_ role, if the user is an [administrator]({{}}/rancher/v2.x/en/admin-settings/rbac/global-permissions/), then the user is considered to have the appropriate level of permissions. When launching the application, Rancher will confirm if you have these permissions in the target projects before launching the application. @@ -83,7 +83,7 @@ If the Helm chart that you are deploying contains a `questions.yml` file, Ranche #### Key Value Pairs for Native Helm Charts -For native Helm charts (i.e., charts from the **Helm Stable** or **Helm Incubator** catalogs or a [custom Helm chart repository]({{< baseurl >}}/rancher/v2.x/en/catalog/custom/#custom-helm-chart-repository)), answers are provided as key value pairs in the **Answers** section. These answers are used to override the default values. +For native Helm charts (i.e., charts from the **Helm Stable** or **Helm Incubator** catalogs or a [custom Helm chart repository]({{}}/rancher/v2.x/en/catalog/custom/#custom-helm-chart-repository)), answers are provided as key value pairs in the **Answers** section. These answers are used to override the default values. ### Members diff --git a/content/rancher/v2.x/en/cli/_index.md b/content/rancher/v2.x/en/cli/_index.md index 0baa8f9da86..dd4d656fd19 100644 --- a/content/rancher/v2.x/en/cli/_index.md +++ b/content/rancher/v2.x/en/cli/_index.md 
@@ -16,8 +16,8 @@ The binary can be downloaded directly from the UI. The link can be found in the After you download the Rancher CLI, you need to make a few configurations. Rancher CLI requires: -- Your [Rancher Server URL]({{< baseurl >}}/rancher/v2.x/en/admin-settings/server-url), which is used to connect to Rancher Server. -- An API Bearer Token, which is used to authenticate with Rancher. For more information about obtaining a Bearer Token, see [Creating an API Key]({{< baseurl >}}/rancher/v2.x/en/user-settings/api-keys/). +- Your [Rancher Server URL]({{}}/rancher/v2.x/en/admin-settings/server-url), which is used to connect to Rancher Server. +- An API Bearer Token, which is used to authenticate with Rancher. For more information about obtaining a Bearer Token, see [Creating an API Key]({{}}/rancher/v2.x/en/user-settings/api-keys/). ### CLI Authentication @@ -31,7 +31,7 @@ If Rancher Server uses a self-signed certificate, Rancher CLI prompts you to con ### Project Selection -Before you can perform any commands, you must select a Rancher project to perform those commands against. To select a [project]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/projects-and-namespaces/) to work on, use the command `./rancher context switch`. When you enter this command, a list of available projects displays. Enter a number to choose your project. +Before you can perform any commands, you must select a Rancher project to perform those commands against. To select a [project]({{}}/rancher/v2.x/en/k8s-in-rancher/projects-and-namespaces/) to work on, use the command `./rancher context switch`. When you enter this command, a list of available projects displays. Enter a number to choose your project. **Example: `./rancher context switch` Output** ``` 
@@ -57,17 +57,17 @@ The following commands are available for use in Rancher CLI. | Command | Result | |---|---| -| `apps, [app]` | Performs operations on catalog applications (i.e. individual [Helm charts](https://docs.helm.sh/developing_charts/) or [Rancher charts]({{< baseurl >}}/rancher/v2.x/en/catalog/custom/#chart-directory-structure)). | -| `catalog` | Performs operations on [catalogs]({{< baseurl >}}/rancher/v2.x/en/catalog/). | -| `clusters, [cluster]` | Performs operations on your [clusters]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/). | -| `context` | Switches between Rancher [projects]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/projects-and-namespaces/). For an example, see [Project Selection](#project-selection). | -| `inspect [OPTIONS] [RESOURCEID RESOURCENAME]` | Displays details about [Kubernetes resources](https://kubernetes.io/docs/reference/kubectl/cheatsheet/#resource-types) or Rancher resources (i.e.: [projects]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/projects-and-namespaces/) and [workloads]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/workloads/)). Specify resources by name or ID. | +| `apps, [app]` | Performs operations on catalog applications (i.e. individual [Helm charts](https://docs.helm.sh/developing_charts/) or [Rancher charts]({{}}/rancher/v2.x/en/catalog/custom/#chart-directory-structure)). | +| `catalog` | Performs operations on [catalogs]({{}}/rancher/v2.x/en/catalog/). | +| `clusters, [cluster]` | Performs operations on your [clusters]({{}}/rancher/v2.x/en/cluster-provisioning/). | +| `context` | Switches between Rancher [projects]({{}}/rancher/v2.x/en/k8s-in-rancher/projects-and-namespaces/). For an example, see [Project Selection](#project-selection). 
| +| `inspect [OPTIONS] [RESOURCEID RESOURCENAME]` | Displays details about [Kubernetes resources](https://kubernetes.io/docs/reference/kubectl/cheatsheet/#resource-types) or Rancher resources (i.e.: [projects]({{}}/rancher/v2.x/en/k8s-in-rancher/projects-and-namespaces/) and [workloads]({{}}/rancher/v2.x/en/k8s-in-rancher/workloads/)). Specify resources by name or ID. | | `kubectl` |Runs [kubectl commands](https://kubernetes.io/docs/reference/kubectl/overview/#operations). | | `login, [l]` | Logs into a Rancher Server. For an example, see [CLI Authentication](#cli-authentication). | -| `namespaces, [namespace]` |Performs operations on [namespaces]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/projects-and-namespaces/#namespaces). | -| `nodes, [node]` |Performs operations on [nodes]({{< baseurl >}}/rancher/v2.x/en/overview/architecture/#kubernetes). | -| `projects, [project]` | Performs operations on [projects]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/projects-and-namespaces/). | -| `ps` | Displays [workloads]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/workloads) in a project. | +| `namespaces, [namespace]` |Performs operations on [namespaces]({{}}/rancher/v2.x/en/k8s-in-rancher/projects-and-namespaces/#namespaces). | +| `nodes, [node]` |Performs operations on [nodes]({{}}/rancher/v2.x/en/overview/architecture/#kubernetes). | +| `projects, [project]` | Performs operations on [projects]({{}}/rancher/v2.x/en/k8s-in-rancher/projects-and-namespaces/). | +| `ps` | Displays [workloads]({{}}/rancher/v2.x/en/k8s-in-rancher/workloads) in a project. | | `settings, [setting]` | Shows the current settings for your Rancher Server. | | `ssh` | Connects to one of your cluster nodes using the SSH protocol. | | `help, [h]` | Shows a list of commands or help for one command. | diff --git a/content/rancher/v2.x/en/cluster-admin/_index.md b/content/rancher/v2.x/en/cluster-admin/_index.md index 09397d9c2c7..ec93dd077f7 100644 
--- a/content/rancher/v2.x/en/cluster-admin/_index.md +++ b/content/rancher/v2.x/en/cluster-admin/_index.md 
@@ -21,22 +21,22 @@ Alternatively, you can switch between projects and clusters directly in the navi ## Managing Clusters in Rancher -After clusters have been [provisioned into Rancher]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/), [cluster owners]({{< baseurl >}}/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/#cluster-roles) will need to manage these clusters. There are many different options of how to manage your cluster. +After clusters have been [provisioned into Rancher]({{}}/rancher/v2.x/en/cluster-provisioning/), [cluster owners]({{}}/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/#cluster-roles) will need to manage these clusters. There are many different options of how to manage your cluster. -| Action | [Rancher launched Kubernetes Clusters]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/) | [Hosted Kubernetes Clusters]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/hosted-kubernetes-clusters/) | [Imported Clusters]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/imported-clusters) | +| Action | [Rancher launched Kubernetes Clusters]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/) | [Hosted Kubernetes Clusters]({{}}/rancher/v2.x/en/cluster-provisioning/hosted-kubernetes-clusters/) | [Imported Clusters]({{}}/rancher/v2.x/en/cluster-provisioning/imported-clusters) | | --- | --- | ---| ---| -| [Using kubectl and a kubeconfig file to Access a Cluster]({{< baseurl >}}/rancher/v2.x/en/cluster-admin/cluster-access/kubectl/) | * | * | * | -| [Adding Cluster Members]({{< baseurl >}}/rancher/v2.x/en/cluster-admin/cluster-access/cluster-members/) | * | * | * | -| [Editing Clusters]({{< baseurl >}}/rancher/v2.x/en/cluster-admin/editing-clusters/) | * | * | * | -| [Managing Nodes]({{< baseurl >}}/rancher/v2.x/en/cluster-admin/nodes) | * | * | * | -| [Managing Persistent Volumes and Storage Classes]({{< baseurl >}}/rancher/v2.x/en/cluster-admin/volumes-and-storage/) | * | * | * | -| [Managing 
Projects and Namespaces]({{< baseurl >}}/rancher/v2.x/en/cluster-admin/projects-and-namespaces/) | * | * | * | +| [Using kubectl and a kubeconfig file to Access a Cluster]({{}}/rancher/v2.x/en/cluster-admin/cluster-access/kubectl/) | * | * | * | +| [Adding Cluster Members]({{}}/rancher/v2.x/en/cluster-admin/cluster-access/cluster-members/) | * | * | * | +| [Editing Clusters]({{}}/rancher/v2.x/en/cluster-admin/editing-clusters/) | * | * | * | +| [Managing Nodes]({{}}/rancher/v2.x/en/cluster-admin/nodes) | * | * | * | +| [Managing Persistent Volumes and Storage Classes]({{}}/rancher/v2.x/en/cluster-admin/volumes-and-storage/) | * | * | * | +| [Managing Projects and Namespaces]({{}}/rancher/v2.x/en/cluster-admin/projects-and-namespaces/) | * | * | * | | [Configuring Tools](#configuring-tools) | * | * | * | -| [Cloning Clusters]({{< baseurl >}}/rancher/v2.x/en/cluster-admin/cloning-clusters/)| | * | * | -| [Ability to rotate certificates]({{< baseurl >}}/rancher/v2.x/en/cluster-admin/certificate-rotation/) | * | | | -| [Ability to back up your Kubernetes Clusters]({{< baseurl >}}/rancher/v2.x/en/cluster-admin/backing-up-etcd/) | * | | | -| [Ability to recover and restore etcd]({{< baseurl >}}/rancher/v2.x/en/cluster-admin/restoring-etcd/) | * | | | -| [Cleaning Kubernetes components when clusters are no longer reachable from Rancher]({{< baseurl >}}/rancher/v2.x/en/cluster-admin/cleaning-cluster-nodes/) | * | | | +| [Cloning Clusters]({{}}/rancher/v2.x/en/cluster-admin/cloning-clusters/)| | * | * | +| [Ability to rotate certificates]({{}}/rancher/v2.x/en/cluster-admin/certificate-rotation/) | * | | | +| [Ability to back up your Kubernetes Clusters]({{}}/rancher/v2.x/en/cluster-admin/backing-up-etcd/) | * | | | +| [Ability to recover and restore etcd]({{}}/rancher/v2.x/en/cluster-admin/restoring-etcd/) | * | | | +| [Cleaning Kubernetes components when clusters are no longer reachable from Rancher]({{}}/rancher/v2.x/en/cluster-admin/cleaning-cluster-nodes/) | * | | | ## 
Configuring Tools @@ -47,4 +47,4 @@ Rancher contains a variety of tools that aren't included in Kubernetes to assist - Logging - Monitoring -For more information, see [Tools]({{< baseurl >}}/rancher/v2.x/en/cluster-admin/tools/) +For more information, see [Tools]({{}}/rancher/v2.x/en/cluster-admin/tools/) diff --git a/content/rancher/v2.x/en/cluster-admin/backing-up-etcd/_index.md b/content/rancher/v2.x/en/cluster-admin/backing-up-etcd/_index.md index e4aa716ccbb..227c4cee080 100644 --- a/content/rancher/v2.x/en/cluster-admin/backing-up-etcd/_index.md +++ b/content/rancher/v2.x/en/cluster-admin/backing-up-etcd/_index.md 
@@ -5,11 +5,11 @@ weight: 2045 _Available as of v2.2.0_ -In the Rancher UI, etcd backup and recovery for [Rancher launched Kubernetes clusters]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/) can be easily performed. Snapshots of the etcd database are taken and saved either [locally onto the etcd nodes](#local-backup-target) or to a [S3 compatible target](#s3-backup-target). The advantages of configuring S3 is that if all etcd nodes are lost, your snapshot is saved remotely and can be used to restore the cluster. +In the Rancher UI, etcd backup and recovery for [Rancher launched Kubernetes clusters]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/) can be easily performed. Snapshots of the etcd database are taken and saved either [locally onto the etcd nodes](#local-backup-target) or to a [S3 compatible target](#s3-backup-target). The advantages of configuring S3 is that if all etcd nodes are lost, your snapshot is saved remotely and can be used to restore the cluster. Rancher recommends configuring recurrent `etcd` snapshots for all production clusters. Additionally, one-time snapshots can easily be taken as well. ->**Note:** If you have any Rancher launched Kubernetes clusters that were created prior to v2.2.0, after upgrading Rancher, you must [edit the cluster]({{< baseurl >}}/rancher/v2.x/en/cluster-admin/editing-clusters/) and _save_ it, in order to enable the updated snapshot features. Even if you were already creating snapshots prior to v2.2.0, you must do this step as the older snapshots will not be available to use to [back up and restore etcd through the UI]({{< baseurl >}}/rancher/v2.x/en/cluster-admin/restoring-etcd/). +>**Note:** If you have any Rancher launched Kubernetes clusters that were created prior to v2.2.0, after upgrading Rancher, you must [edit the cluster]({{}}/rancher/v2.x/en/cluster-admin/editing-clusters/) and _save_ it, in order to enable the updated snapshot features. 
Even if you were already creating snapshots prior to v2.2.0, you must do this step as the older snapshots will not be available to use to [back up and restore etcd through the UI]({{}}/rancher/v2.x/en/cluster-admin/restoring-etcd/). # Snapshot Creation Period and Retention Count @@ -17,7 +17,7 @@ Select how often you want recurring snapshots to be taken as well as how many sn ### Configuring Recurring Snapshots for the Cluster -By default, [Rancher launched Kubernetes clusters]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/) are configured to take recurring snapshots (saved to local disk). To protect against local disk failure, using the [S3 Target](#s3-backup-target) or replicating the path on disk is advised. +By default, [Rancher launched Kubernetes clusters]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/) are configured to take recurring snapshots (saved to local disk). To protect against local disk failure, using the [S3 Target](#s3-backup-target) or replicating the path on disk is advised. During cluster provisioning or editing the cluster, the configuration for snapshots can be found in the advanced section for **Cluster Options**. Click on **Show advanced options**. 
@@ -49,7 +49,7 @@ Rancher supports two different backup targets: ### Local Backup Target -By default, the `local` backup target is selected. The benefits of this option is that there is no external configuration. Snapshots are automatically saved locally to the etcd nodes in the [Rancher launched Kubernetes clusters]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/) in `/opt/rke/etcd-snapshots`. All recurring snapshots are taken at configured intervals. The downside of using the `local` backup target is that if there is a total disaster and _all_ etcd nodes are lost, there is no ability to restore the cluster. +By default, the `local` backup target is selected. The benefits of this option is that there is no external configuration. Snapshots are automatically saved locally to the etcd nodes in the [Rancher launched Kubernetes clusters]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/) in `/opt/rke/etcd-snapshots`. All recurring snapshots are taken at configured intervals. The downside of using the `local` backup target is that if there is a total disaster and _all_ etcd nodes are lost, there is no ability to restore the cluster. #### Safe Timestamps diff --git a/content/rancher/v2.x/en/cluster-admin/cleaning-cluster-nodes/_index.md b/content/rancher/v2.x/en/cluster-admin/cleaning-cluster-nodes/_index.md index c5929f81b0c..8ce29334dda 100644 --- a/content/rancher/v2.x/en/cluster-admin/cleaning-cluster-nodes/_index.md +++ b/content/rancher/v2.x/en/cluster-admin/cleaning-cluster-nodes/_index.md 
@@ -6,7 +6,7 @@ weight: 2055 This section describes how to disconnect a node from a Rancher-launched Kubernetes cluster and remove all of the Kubernetes components from the node. This process allows you to use the node for other purposes. -When you use Rancher to [launch nodes for a cluster]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/#cluster-creation-in-rancher), resources (containers/virtual network interfaces) and configuration items (certificates/configuration files) are created. +When you use Rancher to [launch nodes for a cluster]({{}}/rancher/v2.x/en/cluster-provisioning/#cluster-creation-in-rancher), resources (containers/virtual network interfaces) and configuration items (certificates/configuration files) are created. When removing nodes from your Rancher launched Kubernetes cluster (provided that they are in `Active` state), those resources are automatically cleaned, and the only action needed is to restart the node. When a node has become unreachable and the automatic cleanup process cannot be used, we describe the steps that need to be executed before the node can be added to a cluster again. 
@@ -24,10 +24,10 @@ When cleaning nodes provisioned using Rancher, the following components are dele | All resources create under the `management.cattle.io` API Group | ✓ | ✓ | ✓ | | | All CRDs created by Rancher v2.x | ✓ | ✓ | ✓ | | -[1]: {{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/node-pools/ -[2]: {{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/custom-nodes/ -[3]: {{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/hosted-kubernetes-clusters/ -[4]: {{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/imported-clusters/ +[1]: {{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/node-pools/ +[2]: {{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/custom-nodes/ +[3]: {{}}/rancher/v2.x/en/cluster-provisioning/hosted-kubernetes-clusters/ +[4]: {{}}/rancher/v2.x/en/cluster-provisioning/imported-clusters/ ## Removing a Node from a Cluster by Rancher UI 
@@ -59,7 +59,7 @@ After the imported cluster is detached from Rancher, the cluster's workloads wil {{% tab "By UI / API" %}} >**Warning:** This process will remove data from your cluster. Make sure you have created a backup of files you want to keep before executing the command, as data will be lost. -After you initiate the removal of an [imported cluster]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/#import-existing-cluster) using the Rancher UI (or API), the following events occur. +After you initiate the removal of an [imported cluster]({{}}/rancher/v2.x/en/cluster-provisioning/#import-existing-cluster) using the Rancher UI (or API), the following events occur. 1. Rancher creates a `serviceAccount` that it uses to remove the Rancher components from the cluster. This account is assigned the [clusterRole](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#role-and-clusterrole) and [clusterRoleBinding](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#rolebinding-and-clusterrolebinding) permissions, which are required to remove the Rancher components. diff --git a/content/rancher/v2.x/en/cluster-admin/cloning-clusters/_index.md b/content/rancher/v2.x/en/cluster-admin/cloning-clusters/_index.md index b097e8b7b12..9e9335b1dd7 100644 --- a/content/rancher/v2.x/en/cluster-admin/cloning-clusters/_index.md +++ b/content/rancher/v2.x/en/cluster-admin/cloning-clusters/_index.md 
@@ -13,16 +13,16 @@ Duplication of imported clusters, clusters in hosted Kubernetes providers, and c | Cluster Type | Cloneable? | |----------------------------------|---------------| -| [Nodes Hosted by Infrastructure Provider]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/node-pools/) | ✓ | -| [Hosted Kubernetes Providers]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/hosted-kubernetes-clusters/) | | -| [Custom Cluster]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/custom-clusters/) | | -| [Imported Cluster]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/imported-clusters/) | | +| [Nodes Hosted by Infrastructure Provider]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/node-pools/) | ✓ | +| [Hosted Kubernetes Providers]({{}}/rancher/v2.x/en/cluster-provisioning/hosted-kubernetes-clusters/) | | +| [Custom Cluster]({{}}/rancher/v2.x/en/cluster-provisioning/custom-clusters/) | | +| [Imported Cluster]({{}}/rancher/v2.x/en/cluster-provisioning/imported-clusters/) | | > **Warning:** During the process of duplicating a cluster, you will edit a config file full of cluster settings. However, we recommend editing only values explicitly listed in this document, as cluster duplication is designed for simple cluster copying, _not_ wide scale configuration changes. Editing other values may invalidate the config file, which will lead to cluster deployment failure. ## Prerequisites -Download and install [Rancher CLI]({{< baseurl >}}/rancher/v2.x/en/cli). Remember to [create an API bearer token]({{< baseurl >}}/rancher/v2.x/en/user-settings/api-keys) if necessary. +Download and install [Rancher CLI]({{}}/rancher/v2.x/en/cli). Remember to [create an API bearer token]({{}}/rancher/v2.x/en/user-settings/api-keys) if necessary. ## 1. Export Cluster Config diff --git a/content/rancher/v2.x/en/cluster-admin/cluster-access/_index.md b/content/rancher/v2.x/en/cluster-admin/cluster-access/_index.md index 973ba43dcce..1e530ae86cf 100644 
--- a/content/rancher/v2.x/en/cluster-admin/cluster-access/_index.md +++ b/content/rancher/v2.x/en/cluster-admin/cluster-access/_index.md 
@@ -17,18 +17,18 @@ There are many ways you can interact with Kubernetes clusters that are managed b Interact with your clusters by launching a kubectl shell available in the Rancher UI. This option requires no configuration actions on your part. - For more information, see [Accessing Clusters with kubectl Shell]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/kubectl/#accessing-clusters-with-kubectl-shell). + For more information, see [Accessing Clusters with kubectl Shell]({{}}/rancher/v2.x/en/k8s-in-rancher/kubectl/#accessing-clusters-with-kubectl-shell). - **Terminal remote connection** You can also interact with your clusters by installing [kubectl](https://kubernetes.io/docs/tasks/tools/install-kubectl/) on your local desktop and then copying the cluster's kubeconfig file to your local `~/.kube/config` directory. - For more information, see [Accessing Clusters with kubectl and a kubeconfig File]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/kubectl/#accessing-clusters-with-kubectl-and-a-kubeconfig-file). + For more information, see [Accessing Clusters with kubectl and a kubeconfig File]({{}}/rancher/v2.x/en/k8s-in-rancher/kubectl/#accessing-clusters-with-kubectl-and-a-kubeconfig-file). - **Rancher CLI** - You can control your clusters by downloading Rancher's own command-line interface, [Rancher CLI]({{< baseurl >}}/rancher/v2.x/en/cli/). This CLI tool can interact directly with different clusters and projects or pass them `kubectl` commands. + You can control your clusters by downloading Rancher's own command-line interface, [Rancher CLI]({{}}/rancher/v2.x/en/cli/). This CLI tool can interact directly with different clusters and projects or pass them `kubectl` commands. - **Rancher API** - Finally, you can interact with your clusters over the Rancher API. Before you use the API, you must obtain an [API key]({{< baseurl >}}/rancher/v2.x/en/user-settings/api-keys/). 
To view the different resource fields and actions for an API object, open the API UI, which can be accessed by clicking on **View in API** for any Rancher UI object. \ No newline at end of file + Finally, you can interact with your clusters over the Rancher API. Before you use the API, you must obtain an [API key]({{}}/rancher/v2.x/en/user-settings/api-keys/). To view the different resource fields and actions for an API object, open the API UI, which can be accessed by clicking on **View in API** for any Rancher UI object. \ No newline at end of file diff --git a/content/rancher/v2.x/en/cluster-admin/cluster-access/cluster-members/_index.md b/content/rancher/v2.x/en/cluster-admin/cluster-access/cluster-members/_index.md index 154fea58a24..0edd67b0730 100644 --- a/content/rancher/v2.x/en/cluster-admin/cluster-access/cluster-members/_index.md +++ b/content/rancher/v2.x/en/cluster-admin/cluster-access/cluster-members/_index.md @@ -9,7 +9,7 @@ aliases: If you want to provide a user with access and permissions to _all_ projects, nodes, and resources within a cluster, assign the user a cluster membership. ->**Tip:** Want to provide a user with access to a _specific_ project within a cluster? See [Adding Project Members]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/projects-and-namespaces/project-members/) instead. +>**Tip:** Want to provide a user with access to a _specific_ project within a cluster? See [Adding Project Members]({{}}/rancher/v2.x/en/k8s-in-rancher/projects-and-namespaces/project-members/) instead. There are two contexts where you can add cluster members: 
@@ -33,23 +33,23 @@ Cluster administrators can edit the membership for a cluster, controlling which If external authentication is configured: - - Rancher returns users from your [external authentication]({{< baseurl >}}/rancher/v2.x/en/admin-settings/authentication/) source as you type. + - Rancher returns users from your [external authentication]({{}}/rancher/v2.x/en/admin-settings/authentication/) source as you type. >**Using AD but can't find your users?** - >There may be an issue with your search attribute configuration. See [Configuring Active Directory Authentication: Step 5]({{< baseurl >}}/rancher/v2.x/en/admin-settings/authentication/ad/). + >There may be an issue with your search attribute configuration. See [Configuring Active Directory Authentication: Step 5]({{}}/rancher/v2.x/en/admin-settings/authentication/ad/). - A drop-down allows you to add groups instead of individual users. The drop-down only lists groups that you, the logged in user, are part of. - >**Note:** If you are logged in as a local user, external users do not display in your search results. For more information, see [External Authentication Configuration and Principal Users]({{< baseurl >}}/rancher/v2.x/en/admin-settings/authentication/#external-authentication-configuration-and-principal-users). + >**Note:** If you are logged in as a local user, external users do not display in your search results. For more information, see [External Authentication Configuration and Principal Users]({{}}/rancher/v2.x/en/admin-settings/authentication/#external-authentication-configuration-and-principal-users). 4. Assign the user or group **Cluster** roles. - [What are Cluster Roles?]({{< baseurl >}}/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/) + [What are Cluster Roles?]({{}}/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/) >**Tip:** For Custom Roles, you can modify the list of individual roles available for assignment. 
> - > - To add roles to the list, [Add a Custom Role]({{< baseurl >}}/rancher/v2.x/en/admin-settings/rbac/default-custom-roles/). - > - To remove roles from the list, [Lock/Unlock Roles]({{< baseurl >}}/rancher/v2.x/en/admin-settings/rbac/locked-roles). + > - To add roles to the list, [Add a Custom Role]({{}}/rancher/v2.x/en/admin-settings/rbac/default-custom-roles/). + > - To remove roles from the list, [Lock/Unlock Roles]({{}}/rancher/v2.x/en/admin-settings/rbac/locked-roles). **Result:** The chosen users are added to the cluster. diff --git a/content/rancher/v2.x/en/cluster-admin/editing-clusters/_index.md b/content/rancher/v2.x/en/cluster-admin/editing-clusters/_index.md index 5c2cf122f0c..1b2d42d582a 100644 --- a/content/rancher/v2.x/en/cluster-admin/editing-clusters/_index.md +++ b/content/rancher/v2.x/en/cluster-admin/editing-clusters/_index.md @@ -8,7 +8,7 @@ After you provision a Kubernetes cluster using Rancher, you can still edit optio To Edit an Existing Cluster ![Edit Cluster]({{}}/img/rancher/edit-cluster.png) -The options and settings available for an existing cluster change based on the method that you used to provision it. For example, only clusters [provisioned by RKE]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/) have **Cluster Options** available for editing. +The options and settings available for an existing cluster change based on the method that you used to provision it. For example, only clusters [provisioned by RKE]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/) have **Cluster Options** available for editing. The following table summarizes the options and settings available for each cluster type: 
@@ -24,7 +24,7 @@ Cluster administrators can [edit the membership for a cluster,]({{}}/ra ## Cluster Options -When editing clusters, clusters that are [launched using RKE]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/) feature more options than clusters that are imported or hosted by a Kubernetes provider. The headings that follow document options available only for RKE clusters. +When editing clusters, clusters that are [launched using RKE]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/) feature more options than clusters that are imported or hosted by a Kubernetes provider. The headings that follow document options available only for RKE clusters. ### Updating ingress-nginx @@ -34,26 +34,26 @@ If the `updateStrategy` of `ingress-nginx` is `OnDelete`, you will need to delet # Editing Other Cluster Options -In [clusters launched by RKE]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/), you can edit any of the remaining options that follow. +In [clusters launched by RKE]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/), you can edit any of the remaining options that follow. >**Note:** These options are not available for imported clusters or hosted Kubernetes clusters. Options for RKE Clusters -![Cluster Options]({{< baseurl >}}/img/rancher/cluster-options.png) +![Cluster Options]({{}}/img/rancher/cluster-options.png) Option | Description | ---------|----------| Kubernetes Version | The version of Kubernetes installed on each cluster node. For more detail, see [Upgrading Kubernetes]({{}}/rancher/v2.x/en/cluster-admin/upgrading-kubernetes). | - Network Provider | The [container networking interface]({{< baseurl >}}/rancher/v2.x/en/faq/networking/#cni-providers) that powers networking for your cluster.

    **Note:** You can only choose this option while provisioning your cluster. It cannot be edited later. | + Network Provider | The [container networking interface]({{}}/rancher/v2.x/en/faq/networking/#cni-providers) that powers networking for your cluster.

    **Note:** You can only choose this option while provisioning your cluster. It cannot be edited later. | Project Network Isolation | As of Rancher v2.0.7, if you're using the Canal network provider, you can choose whether to enable or disable inter-project communication. | Nginx Ingress | If you want to publish your applications in a high-availability configuration, and you're hosting your nodes with a cloud-provider that doesn't have a native load-balancing feature, enable this option to use Nginx ingress within the cluster. | Metrics Server Monitoring | Each cloud provider capable of launching a cluster using RKE can collect metrics and monitor for your cluster nodes. Enable this option to view your node metrics from your cloud provider's portal. | - Pod Security Policy Support | Enables [pod security policies]({{< baseurl >}}/rancher/v2.x/en/admin-settings/pod-security-policies/) for the cluster. After enabling this option, choose a policy using the **Default Pod Security Policy** drop-down. | - Docker version on nodes | Configures whether nodes are allowed to run versions of Docker that Rancher doesn't officially support. If you choose to require a [supported Docker version]({{< baseurl >}}/rancher/v2.x/en/installation/options/rke-add-on/layer-7-lb/), Rancher will stop pods from running on nodes that don't have a supported Docker version installed. | + Pod Security Policy Support | Enables [pod security policies]({{}}/rancher/v2.x/en/admin-settings/pod-security-policies/) for the cluster. After enabling this option, choose a policy using the **Default Pod Security Policy** drop-down. | + Docker version on nodes | Configures whether nodes are allowed to run versions of Docker that Rancher doesn't officially support. If you choose to require a [supported Docker version]({{}}/rancher/v2.x/en/installation/options/rke-add-on/layer-7-lb/), Rancher will stop pods from running on nodes that don't have a supported Docker version installed. 
| Docker Root Directory | The directory on your cluster nodes where you've installed Docker. If you install Docker on your nodes to a non-default directory, update this path. | Default Pod Security Policy | If you enable **Pod Security Policy Support**, use this drop-down to choose the pod security policy that's applied to the cluster. | - Cloud Provider | If you're using a cloud provider to host cluster nodes launched by RKE, enable [this option]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/options/cloud-providers/) so that you can use the cloud provider's native features. If you want to store persistent data for your cloud-hosted cluster, this option is required. | + Cloud Provider | If you're using a cloud provider to host cluster nodes launched by RKE, enable [this option]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/options/cloud-providers/) so that you can use the cloud provider's native features. If you want to store persistent data for your cloud-hosted cluster, this option is required. |
    # Editing Cluster as YAML @@ -67,6 +67,6 @@ Instead of using the Rancher UI to choose Kubernetes options for the cluster, ad In Rancher v2.0.0-v2.2.x, the config file is identical to the [cluster config file for the Rancher Kubernetes Engine]({{}}/rke/latest/en/config-options/), which is the tool Rancher uses to provision clusters. In Rancher v2.3.0, the RKE information is still included in the config file, but it is separated from other options, so that the RKE cluster config options are nested under the `rancher_kubernetes_engine_config` directive. For more information, see the [cluster configuration reference.]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/options) -![image]({{< baseurl >}}/img/rancher/cluster-options-yaml.png) +![image]({{}}/img/rancher/cluster-options-yaml.png) -For an example of RKE config file syntax, see the [RKE documentation]({{< baseurl >}}/rke/latest/en/example-yamls/). +For an example of RKE config file syntax, see the [RKE documentation]({{}}/rke/latest/en/example-yamls/). diff --git a/content/rancher/v2.x/en/cluster-admin/nodes/_index.md b/content/rancher/v2.x/en/cluster-admin/nodes/_index.md index 31c3e595bae..352a34c2242 100644 --- a/content/rancher/v2.x/en/cluster-admin/nodes/_index.md +++ b/content/rancher/v2.x/en/cluster-admin/nodes/_index.md 
@@ -5,7 +5,7 @@ aliases: - /rancher/v2.x/en/k8s-in-rancher/nodes/ --- -After you launch a Kubernetes cluster in Rancher, you can manage individual nodes from the cluster's **Node** tab. Depending on the [option used]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/#cluster-creation-in-rancher) to provision the cluster, there are different node options available. +After you launch a Kubernetes cluster in Rancher, you can manage individual nodes from the cluster's **Node** tab. Depending on the [option used]({{}}/rancher/v2.x/en/cluster-provisioning/#cluster-creation-in-rancher) to provision the cluster, there are different node options available. This page covers the following topics: 
@@ -20,11 +20,11 @@ This page covers the following topics: To manage individual nodes, browse to the cluster that you want to manage and then select **Nodes** from the main menu. You can open the options menu for a node by clicking its **Ellipsis** icon (**...**). ->**Note:** If you want to manage the _cluster_ and not individual nodes, see [Editing Clusters]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/editing-clusters). +>**Note:** If you want to manage the _cluster_ and not individual nodes, see [Editing Clusters]({{}}/rancher/v2.x/en/k8s-in-rancher/editing-clusters). # Node Options for Each Type of Cluster -The following table lists which node options are available for each [type of cluster]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/#cluster-creation-options) in Rancher. Click the links in the **Option** column for more detailed information about each feature. +The following table lists which node options are available for each [type of cluster]({{}}/rancher/v2.x/en/cluster-provisioning/#cluster-creation-options) in Rancher. Click the links in the **Option** column for more detailed information about each feature. | Option | [Nodes Hosted by an Infrastructure Provider][1] | [Custom Node][2] | [Hosted Cluster][3] | [Imported Nodes][4] | Description | | ------------------------------------------------ | ------------------------------------------------ | ---------------- | ------------------- | ------------------- | ------------------------------------------------------------------ | 
@@ -36,22 +36,22 @@ The following table lists which node options are available for each [type of clu | [Download Keys](#ssh-into-a-node-hosted-by-an-infrastructure-provider) | ✓ | | | | Download SSH key for in order to SSH into the node. | | [Node Scaling](#scaling-nodes) | ✓ | | | | Scale the number of nodes in the node pool up or down. | -[1]: {{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/node-pools/ -[2]: {{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/custom-nodes/ -[3]: {{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/hosted-kubernetes-clusters/ -[4]: {{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/imported-clusters/ +[1]: {{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/node-pools/ +[2]: {{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/custom-nodes/ +[3]: {{}}/rancher/v2.x/en/cluster-provisioning/hosted-kubernetes-clusters/ +[4]: {{}}/rancher/v2.x/en/cluster-provisioning/imported-clusters/ ### Notes for Node Pool Nodes -Clusters provisioned using [one of the node pool options]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/node-pools/#node-pools) automatically maintain the node scale that's set during the initial cluster provisioning. This scale determines the number of active nodes that Rancher maintains for the cluster. +Clusters provisioned using [one of the node pool options]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/node-pools/#node-pools) automatically maintain the node scale that's set during the initial cluster provisioning. This scale determines the number of active nodes that Rancher maintains for the cluster. ### Notes for Nodes Provisioned by Hosted Kubernetes Providers -Options for managing nodes [hosted by a Kubernetes provider]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/hosted-kubernetes-clusters/) are somewhat limited in Rancher. 
Rather than using the Rancher UI to make edits such as scaling the number of nodes up or down, edit the cluster directly. +Options for managing nodes [hosted by a Kubernetes provider]({{}}/rancher/v2.x/en/cluster-provisioning/hosted-kubernetes-clusters/) are somewhat limited in Rancher. Rather than using the Rancher UI to make edits such as scaling the number of nodes up or down, edit the cluster directly. ### Notes for Imported Nodes -Although you can deploy workloads to an [imported cluster]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/imported-clusters/) using Rancher, you cannot manage individual cluster nodes. All management of imported cluster nodes must take place outside of Rancher. +Although you can deploy workloads to an [imported cluster]({{}}/rancher/v2.x/en/cluster-provisioning/imported-clusters/) using Rancher, you cannot manage individual cluster nodes. All management of imported cluster nodes must take place outside of Rancher. # Cordoning and Draining Nodes @@ -135,7 +135,7 @@ Editing a node lets you: # Viewing a Node API -Select this option to view the node's [API endpoints]({{< baseurl >}}/rancher/v2.x/en/api/). +Select this option to view the node's [API endpoints]({{}}/rancher/v2.x/en/api/). # Deleting a Node @@ -151,7 +151,7 @@ For nodes hosted by an infrastructure provider, you can scale the number of node # SSH into a Node Hosted by an Infrastructure Provider -For [nodes hosted by an infrastructure provider]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/node-pools/), you have the option of downloading its SSH key so that you can connect to it remotely from your desktop. +For [nodes hosted by an infrastructure provider]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/node-pools/), you have the option of downloading its SSH key so that you can connect to it remotely from your desktop. 1. From the cluster hosted by an infrastructure provider, select **Nodes** from the main menu. 
@@ -172,11 +172,11 @@ For [nodes hosted by an infrastructure provider]({{< baseurl >}}/rancher/v2.x/en # Managing Node Pools -> **Prerequisite:** The options below are available only for clusters that are [launched using RKE.]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/) The node pool features are not available for imported clusters or clusters hosted by a Kubernetes provider. +> **Prerequisite:** The options below are available only for clusters that are [launched using RKE.]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/) The node pool features are not available for imported clusters or clusters hosted by a Kubernetes provider. -In clusters [launched by RKE]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/), you can: +In clusters [launched by RKE]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/), you can: -- Add new [pools of nodes]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/node-pools/) to your cluster. The nodes added to the pool are provisioned according to the [node template]({{< baseurl >}}/rancher/v2.x/en/user-settings/node-templates/) that you use. +- Add new [pools of nodes]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/node-pools/) to your cluster. The nodes added to the pool are provisioned according to the [node template]({{}}/rancher/v2.x/en/user-settings/node-templates/) that you use. - Click **+** and follow the directions on screen to create a new template. 
@@ -184,4 +184,4 @@ In clusters [launched by RKE]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioni - Redistribute Kubernetes roles amongst your node pools by making different checkbox selections -- Scale the number of nodes in a pool up or down (although, if you simply want to maintain your node scale, we recommend using the cluster's [Nodes tab]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/nodes/#nodes-provisioned-by-node-pool) instead.) +- Scale the number of nodes in a pool up or down (although, if you simply want to maintain your node scale, we recommend using the cluster's [Nodes tab]({{}}/rancher/v2.x/en/k8s-in-rancher/nodes/#nodes-provisioned-by-node-pool) instead.) diff --git a/content/rancher/v2.x/en/cluster-admin/pod-security-policy/_index.md b/content/rancher/v2.x/en/cluster-admin/pod-security-policy/_index.md index 11e415f5b3a..730255113e3 100644 --- a/content/rancher/v2.x/en/cluster-admin/pod-security-policy/_index.md +++ b/content/rancher/v2.x/en/cluster-admin/pod-security-policy/_index.md 
@@ -3,9 +3,9 @@ title: Adding a Pod Security Policy weight: 80 --- -> **Prerequisite:** The options below are available only for clusters that are [launched using RKE.]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/) +> **Prerequisite:** The options below are available only for clusters that are [launched using RKE.]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/) -When your cluster is running pods with security-sensitive configurations, assign it a [pod security policy]({{< baseurl >}}/rancher/v2.x/en/admin-settings/pod-security-policies/), which is a set of rules that monitors the conditions and settings in your pods. If a pod doesn't meet the rules specified in your policy, the policy stops it from running. +When your cluster is running pods with security-sensitive configurations, assign it a [pod security policy]({{}}/rancher/v2.x/en/admin-settings/pod-security-policies/), which is a set of rules that monitors the conditions and settings in your pods. If a pod doesn't meet the rules specified in your policy, the policy stops it from running. You can assign a pod security policy when you provision a cluster. However, if you need to relax or restrict security for your pods later, you can update the policy while editing your cluster. 
@@ -15,11 +15,11 @@ You can assign a pod security policy when you provision a cluster. However, if y 3. From **Pod Security Policy Support**, select **Enabled**. - >**Note:** This option is only available for clusters [provisioned by RKE]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/). + >**Note:** This option is only available for clusters [provisioned by RKE]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/). 4. From the **Default Pod Security Policy** drop-down, select the policy you want to apply to the cluster. - Rancher ships with [policies]({{< baseurl >}}/rancher/v2.x/en/admin-settings/pod-security-policies/#default-pod-security-policies) of `restricted` and `unrestricted`, although you can [create custom policies]({{< baseurl >}}/rancher/v2.x/en/admin-settings/pod-security-policies/#default-pod-security-policies) as well. + Rancher ships with [policies]({{}}/rancher/v2.x/en/admin-settings/pod-security-policies/#default-pod-security-policies) of `restricted` and `unrestricted`, although you can [create custom policies]({{}}/rancher/v2.x/en/admin-settings/pod-security-policies/#default-pod-security-policies) as well. 5. Click **Save**. diff --git a/content/rancher/v2.x/en/cluster-admin/restoring-etcd/_index.md b/content/rancher/v2.x/en/cluster-admin/restoring-etcd/_index.md index 0c70a823b0d..2194f5c43b1 100644 --- a/content/rancher/v2.x/en/cluster-admin/restoring-etcd/_index.md +++ b/content/rancher/v2.x/en/cluster-admin/restoring-etcd/_index.md 
@@ -5,11 +5,11 @@ weight: 2050 _Available as of v2.2.0_ -etcd backup and recovery for [Rancher launched Kubernetes clusters]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/) can be easily performed. Snapshots of the etcd database are taken and saved either locally onto the etcd nodes or to a S3 compatible target. The advantages of configuring S3 is that if all etcd nodes are lost, your snapshot is saved remotely and can be used to restore the cluster. +etcd backup and recovery for [Rancher launched Kubernetes clusters]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/) can be easily performed. Snapshots of the etcd database are taken and saved either locally onto the etcd nodes or to a S3 compatible target. The advantages of configuring S3 is that if all etcd nodes are lost, your snapshot is saved remotely and can be used to restore the cluster. -Rancher recommends enabling the [ability to set up recurring snapshots of etcd]({{< baseurl >}}/rancher/v2.x/en/cluster-admin/backing-up-etcd/#configuring-recurring-snapshots-for-the-cluster), but [one-time snapshots]({{< baseurl >}}/rancher/v2.x/en/cluster-admin/backing-up-etcd/#one-time-snapshots) can easily be taken as well. Rancher allows restore from [saved snapshots](#restoring-your-cluster-from-a-snapshot) or if you don't have any snapshots, you can still [restore etcd](#recovering-etcd-without-a-snapshot). +Rancher recommends enabling the [ability to set up recurring snapshots of etcd]({{}}/rancher/v2.x/en/cluster-admin/backing-up-etcd/#configuring-recurring-snapshots-for-the-cluster), but [one-time snapshots]({{}}/rancher/v2.x/en/cluster-admin/backing-up-etcd/#one-time-snapshots) can easily be taken as well. Rancher allows restore from [saved snapshots](#restoring-your-cluster-from-a-snapshot) or if you don't have any snapshots, you can still [restore etcd](#recovering-etcd-without-a-snapshot). 
->**Note:** If you have any Rancher launched Kubernetes clusters that were created prior to v2.2.0, after upgrading Rancher, you must [edit the cluster]({{< baseurl >}}/rancher/v2.x/en/cluster-admin/editing-clusters/) and _save_ it, in order to enable the [updated snapshot features]({{< baseurl >}}/rancher/v2.x/en/cluster-admin/backing-up-etcd/). Even if you were already creating snapshots prior to v2.2.0, you must do this step as the older snapshots will not be available to use to back up and restore etcd through the UI. +>**Note:** If you have any Rancher launched Kubernetes clusters that were created prior to v2.2.0, after upgrading Rancher, you must [edit the cluster]({{}}/rancher/v2.x/en/cluster-admin/editing-clusters/) and _save_ it, in order to enable the [updated snapshot features]({{}}/rancher/v2.x/en/cluster-admin/backing-up-etcd/). Even if you were already creating snapshots prior to v2.2.0, you must do this step as the older snapshots will not be available to use to back up and restore etcd through the UI. ## Viewing Available Snapshots 
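Review bot: the first changed paragraph (the one starting `etcd backup and recovery`) carries two wording slips that could be fixed while the line is open. "a S3 compatible target" should read "an S3-compatible target", and "The advantages of configuring S3 is" pairs a plural subject with a singular verb ("The advantage of configuring S3 is").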
@@ -33,11 +33,11 @@ If your Kubernetes cluster is broken, you can restore the cluster from a snapsho **Result:** The cluster will go into `updating` state and the process of restoring the `etcd` nodes from the snapshot will start. The cluster is restored when it returns to an `active` state. -> **Note:** If you are restoring a cluster with unavailable etcd nodes, it's recommended that all etcd nodes are removed from Rancher before attempting to restore. For clusters that were provisioned using [nodes hosted in an infrastructure provider]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/node-pools/), new etcd nodes will automatically be created. For [custom clusters]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/custom-nodes/), please ensure that you add new etcd nodes to the cluster. +> **Note:** If you are restoring a cluster with unavailable etcd nodes, it's recommended that all etcd nodes are removed from Rancher before attempting to restore. For clusters that were provisioned using [nodes hosted in an infrastructure provider]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/node-pools/), new etcd nodes will automatically be created. For [custom clusters]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/custom-nodes/), please ensure that you add new etcd nodes to the cluster. ## Recovering etcd without a Snapshot -If the group of etcd nodes loses quorum, the Kubernetes cluster will report a failure because no operations, e.g. deploying workloads, can be executed in the Kubernetes cluster. Please review the best practices for the what the [number of etcd nodes]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/production/#count-of-etcd-nodes) should be in a Kubernetes cluster. If you want to recover your set of etcd nodes, follow these instructions: +If the group of etcd nodes loses quorum, the Kubernetes cluster will report a failure because no operations, e.g. 
deploying workloads, can be executed in the Kubernetes cluster. Please review the best practices for the what the [number of etcd nodes]({{}}/rancher/v2.x/en/cluster-provisioning/production/#count-of-etcd-nodes) should be in a Kubernetes cluster. If you want to recover your set of etcd nodes, follow these instructions: 1. Keep only one etcd node in the cluster by removing all other etcd nodes. @@ -63,4 +63,4 @@ If the group of etcd nodes loses quorum, the Kubernetes cluster will report a fa 5. Run the revised command. -6. After the single nodes is up and running, Rancher recommends adding additional etcd nodes to your cluster. If you have a [custom cluster]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/custom-clusters/) and you want to reuse an old node, you are required to [clean up the nodes]({{< baseurl >}}/rancher/v2.x/en/faq/cleaning-cluster-nodes/) before attempting to add them back into a cluster. +6. After the single nodes is up and running, Rancher recommends adding additional etcd nodes to your cluster. If you have a [custom cluster]({{}}/rancher/v2.x/en/cluster-provisioning/custom-clusters/) and you want to reuse an old node, you are required to [clean up the nodes]({{}}/rancher/v2.x/en/faq/cleaning-cluster-nodes/) before attempting to add them back into a cluster. diff --git a/content/rancher/v2.x/en/cluster-admin/tools/alerts/_index.md b/content/rancher/v2.x/en/cluster-admin/tools/alerts/_index.md index d8d19368108..0ba6ff6df0b 100644 --- a/content/rancher/v2.x/en/cluster-admin/tools/alerts/_index.md +++ b/content/rancher/v2.x/en/cluster-admin/tools/alerts/_index.md 
@@ -11,7 +11,7 @@ Before you can receive alerts, you must configure one or more notifier in Ranche When you create a cluster, some alert rules are predefined. You can receive these alerts if you configure a [notifier]({{}}/rancher/v2.x/en/cluster-admin/tools/notifiers) for them. -For details about what triggers the predefined alerts, refer to the [documentation on default alerts.]({{< baseurl >}}/rancher/v2.x/en/cluster-admin/tools/alerts/default-alerts) +For details about what triggers the predefined alerts, refer to the [documentation on default alerts.]({{}}/rancher/v2.x/en/cluster-admin/tools/alerts/default-alerts) This section covers the following topics: @@ -25,8 +25,8 @@ This section covers the following topics: Some examples of alert events are: -- A Kubernetes [master component]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/#kubernetes-cluster-node-components) entering an unhealthy state. -- A node or [workload]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/workloads/) error occurring. +- A Kubernetes [master component]({{}}/rancher/v2.x/en/cluster-provisioning/#kubernetes-cluster-node-components) entering an unhealthy state. +- A node or [workload]({{}}/rancher/v2.x/en/k8s-in-rancher/workloads/) error occurring. - A scheduled deployment taking place as planned. - A node's hardware resources becoming overstressed. @@ -36,7 +36,7 @@ You can set an urgency level for each alert. This urgency appears in the notific # Scope of Alerts -The scope for alerts can be set at either the cluster level or [project level]({{< baseurl >}}/rancher/v2.x/en/project-admin/tools/alerts/). +The scope for alerts can be set at either the cluster level or [project level]({{}}/rancher/v2.x/en/project-admin/tools/alerts/). At the cluster level, Rancher monitors components in your Kubernetes cluster, and sends you alerts related to: 
@@ -47,9 +47,9 @@ At the cluster level, Rancher monitors components in your Kubernetes cluster, an # Adding Cluster Alerts -As a [cluster owner]({{< baseurl >}}/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/#cluster-roles), you can configure Rancher to send you alerts for cluster events. +As a [cluster owner]({{}}/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/#cluster-roles), you can configure Rancher to send you alerts for cluster events. ->**Prerequisite:** Before you can receive cluster alerts, you must [add a notifier]({{< baseurl >}}/rancher/v2.x/en/cluster-admin/tools/notifiers/#adding-notifiers). +>**Prerequisite:** Before you can receive cluster alerts, you must [add a notifier]({{}}/rancher/v2.x/en/cluster-admin/tools/notifiers/#adding-notifiers). 1. From the **Global** view, navigate to the cluster that you want to configure cluster alerts for. Select **Tools > Alerts**. Then click **Add Alert Group**. @@ -180,7 +180,7 @@ This alert type monitors for the overload from Prometheus expression querying, i - [**ETCD**](https://etcd.io/docs/v3.4.0/op-guide/monitoring/) - [**Kubernetes Components**](https://github.com/kubernetes/metrics) - [**Kubernetes Resources**](https://github.com/kubernetes/kube-state-metrics) - - [**Fluentd**](https://docs.fluentd.org/v1.0/articles/monitoring-prometheus) (supported by [Logging]({{< baseurl >}}/rancher/v2.x/en/tools/logging)) + - [**Fluentd**](https://docs.fluentd.org/v1.0/articles/monitoring-prometheus) (supported by [Logging]({{}}/rancher/v2.x/en/tools/logging)) - [**Cluster Level Grafana**](http://docs.grafana.org/administration/metrics/) - **Cluster Level Prometheus** 
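Review bot: in the Fluentd bullet of the `@@ -180,7` hunk, the Logging link goes to `/rancher/v2.x/en/tools/logging`, but the logging pages changed later in this patch live under `/rancher/v2.x/en/cluster-admin/tools/logging/`. Please check that the shorter path still resolves, or switch it to the cluster-admin path in this change so the link matches the others.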
@@ -218,7 +218,7 @@ This alert type monitors for the overload from Prometheus expression querying, i 1. Continue adding more **Alert Rule** to the group. -1. Finally, choose the [notifiers]({{< baseurl >}}/rancher/v2.x/en/cluster-admin/tools/notifiers/) to send the alerts to. +1. Finally, choose the [notifiers]({{}}/rancher/v2.x/en/cluster-admin/tools/notifiers/) to send the alerts to. - You can set up multiple notifiers. - You can change notifier recipients on the fly. diff --git a/content/rancher/v2.x/en/cluster-admin/tools/alerts/default-alerts/_index.md b/content/rancher/v2.x/en/cluster-admin/tools/alerts/default-alerts/_index.md index 13277b3fbc4..ea7f91ff0e0 100644 --- a/content/rancher/v2.x/en/cluster-admin/tools/alerts/default-alerts/_index.md +++ b/content/rancher/v2.x/en/cluster-admin/tools/alerts/default-alerts/_index.md @@ -5,7 +5,7 @@ weight: 1 When you create a cluster, some alert rules are predefined. These alerts notify you about signs that the cluster could be unhealthy. You can receive these alerts if you configure a [notifier]({{}}/rancher/v2.x/en/cluster-admin/tools/notifiers) for them. -Several of the alerts use Prometheus expressions as the metric that triggers the alert. For more information on how expressions work, you can refer to the Rancher [documentation about Prometheus expressions]({{< baseurl >}} +Several of the alerts use Prometheus expressions as the metric that triggers the alert. For more information on how expressions work, you can refer to the Rancher [documentation about Prometheus expressions]({{}} /rancher/v2.x/en/cluster-admin/tools/monitoring/expression/) or the Prometheus [documentation about querying metrics](https://prometheus.io/docs/prometheus/latest/querying/basics/). # Alerts for etcd diff --git a/content/rancher/v2.x/en/cluster-admin/tools/logging/_index.md b/content/rancher/v2.x/en/cluster-admin/tools/logging/_index.md index b1431bf3750..07c80a651cf 100644 
--- a/content/rancher/v2.x/en/cluster-admin/tools/logging/_index.md +++ b/content/rancher/v2.x/en/cluster-admin/tools/logging/_index.md @@ -55,8 +55,8 @@ Logging Driver: json-file You can configure logging at either cluster level or project level. -- Cluster logging writes logs for every pod in the cluster, i.e. in all the projects. For [RKE clusters]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/rke-clusters), it also writes logs for all the Kubernetes system components. -- [Project logging]({{< baseurl >}}/rancher/v2.x/en/project-admin/tools/logging/) writes logs for every pod in that particular project. +- Cluster logging writes logs for every pod in the cluster, i.e. in all the projects. For [RKE clusters]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters), it also writes logs for all the Kubernetes system components. +- [Project logging]({{}}/rancher/v2.x/en/project-admin/tools/logging/) writes logs for every pod in that particular project. Logs that are sent to your logging service are from the following locations: @@ -65,7 +65,7 @@ Logs that are sent to your logging service are from the following locations: # Enabling Cluster Logging -As an [administrator]({{< baseurl >}}/rancher/v2.x/en/admin-settings/rbac/global-permissions/) or [cluster owner]({{< baseurl >}}/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/#cluster-roles), you can configure Rancher to send Kubernetes logs to a logging service. +As an [administrator]({{}}/rancher/v2.x/en/admin-settings/rbac/global-permissions/) or [cluster owner]({{}}/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/#cluster-roles), you can configure Rancher to send Kubernetes logs to a logging service. 1. From the **Global** view, navigate to the cluster that you want to configure cluster logging. 
@@ -73,11 +73,11 @@ As an [administrator]({{< baseurl >}}/rancher/v2.x/en/admin-settings/rbac/global 1. Select a logging service and enter the configuration. Refer to the specific service for detailed configuration. Rancher supports integration with the following services: - - [Elasticsearch]({{< baseurl >}}/rancher/v2.x/en/cluster-admin/tools/logging/elasticsearch/) - - [Splunk]({{< baseurl >}}/rancher/v2.x/en/cluster-admin/tools/logging/splunk/) - - [Kafka]({{< baseurl >}}/rancher/v2.x/en/cluster-admin/tools/logging/kafka/) - - [Syslog]({{< baseurl >}}/rancher/v2.x/en/cluster-admin/tools/logging/syslog/) - - [Fluentd]({{< baseurl >}}/rancher/v2.x/en/cluster-admin/tools/logging/fluentd/) + - [Elasticsearch]({{}}/rancher/v2.x/en/cluster-admin/tools/logging/elasticsearch/) + - [Splunk]({{}}/rancher/v2.x/en/cluster-admin/tools/logging/splunk/) + - [Kafka]({{}}/rancher/v2.x/en/cluster-admin/tools/logging/kafka/) + - [Syslog]({{}}/rancher/v2.x/en/cluster-admin/tools/logging/syslog/) + - [Fluentd]({{}}/rancher/v2.x/en/cluster-admin/tools/logging/fluentd/) 1. (Optional) Instead of using the UI to configure the logging services, you can enter custom advanced configurations by clicking on **Edit as File**, which is located above the logging targets. This link is only visible after you select a logging service. diff --git a/content/rancher/v2.x/en/cluster-admin/tools/logging/splunk/_index.md b/content/rancher/v2.x/en/cluster-admin/tools/logging/splunk/_index.md index 00002ac3c71..0d4edcf49ba 100644 --- a/content/rancher/v2.x/en/cluster-admin/tools/logging/splunk/_index.md +++ b/content/rancher/v2.x/en/cluster-admin/tools/logging/splunk/_index.md 
@@ -55,10 +55,10 @@ If your instance of Splunk uses SSL, your **Endpoint** will need to begin with ` 1. Click on **Search & Reporting**. The number of **Indexed Events** listed should be increasing. 1. Click on Data Summary and select the Sources tab. - ![View Logs]({{< baseurl >}}/img/rancher/splunk/splunk4.jpg) + ![View Logs]({{}}/img/rancher/splunk/splunk4.jpg) 1. To view the actual logs, click on the source that you declared earlier. - ![View Logs]({{< baseurl >}}/img/rancher/splunk/splunk5.jpg) + ![View Logs]({{}}/img/rancher/splunk/splunk5.jpg) ## Troubleshooting diff --git a/content/rancher/v2.x/en/cluster-admin/tools/monitoring/_index.md b/content/rancher/v2.x/en/cluster-admin/tools/monitoring/_index.md index ede960e2578..9e9703a2d32 100644 --- a/content/rancher/v2.x/en/cluster-admin/tools/monitoring/_index.md +++ b/content/rancher/v2.x/en/cluster-admin/tools/monitoring/_index.md 
@@ -33,29 +33,29 @@ Multi-tenancy support in terms of cluster-only and project-only Prometheus insta # Monitoring Scope -Using Prometheus, you can monitor Rancher at both the cluster level and [project level]({{< baseurl >}}/rancher/v2.x/en/project-admin/tools/monitoring/). For each cluster and project that is enabled for monitoring, Rancher deploys a Prometheus server. +Using Prometheus, you can monitor Rancher at both the cluster level and [project level]({{}}/rancher/v2.x/en/project-admin/tools/monitoring/). For each cluster and project that is enabled for monitoring, Rancher deploys a Prometheus server. - Cluster monitoring allows you to view the health of your Kubernetes cluster. Prometheus collects metrics from the cluster components below, which you can view in graphs and charts. - - [Kubernetes control plane]({{< baseurl >}}/rancher/v2.x/en/cluster-admin/tools/monitoring/cluster-metrics/#kubernetes-components-metrics) - - [etcd database]({{< baseurl >}}/rancher/v2.x/en/cluster-admin/tools/monitoring/cluster-metrics/#etcd-metrics) - - [All nodes (including workers)]({{< baseurl >}}/rancher/v2.x/en/cluster-admin/tools/monitoring/cluster-metrics/#cluster-metrics) + - [Kubernetes control plane]({{}}/rancher/v2.x/en/cluster-admin/tools/monitoring/cluster-metrics/#kubernetes-components-metrics) + - [etcd database]({{}}/rancher/v2.x/en/cluster-admin/tools/monitoring/cluster-metrics/#etcd-metrics) + - [All nodes (including workers)]({{}}/rancher/v2.x/en/cluster-admin/tools/monitoring/cluster-metrics/#cluster-metrics) -- [Project monitoring]({{< baseurl >}}/rancher/v2.x/en/project-admin/tools/monitoring/) allows you to view the state of pods running in a given project. Prometheus collects metrics from the project's deployed HTTP and TCP/UDP workloads. +- [Project monitoring]({{}}/rancher/v2.x/en/project-admin/tools/monitoring/) allows you to view the state of pods running in a given project. 
Prometheus collects metrics from the project's deployed HTTP and TCP/UDP workloads. # Enabling Cluster Monitoring -As an [administrator]({{< baseurl >}}/rancher/v2.x/en/admin-settings/rbac/global-permissions/) or [cluster owner]({{< baseurl >}}/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/#cluster-roles), you can configure Rancher to deploy Prometheus to monitor your Kubernetes cluster. +As an [administrator]({{}}/rancher/v2.x/en/admin-settings/rbac/global-permissions/) or [cluster owner]({{}}/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/#cluster-roles), you can configure Rancher to deploy Prometheus to monitor your Kubernetes cluster. 1. From the **Global** view, navigate to the cluster that you want to configure cluster monitoring. 1. Select **Tools > Monitoring** in the navigation bar. -1. Select **Enable** to show the [Prometheus configuration options]({{< baseurl >}}/rancher/v2.x/en/cluster-admin/tools/monitoring/prometheus/). Review the [resource consumption recommendations](#resource-consumption) to ensure you have enough resources for Prometheus and on your worker nodes to enable monitoring. Enter in your desired configuration options. +1. Select **Enable** to show the [Prometheus configuration options]({{}}/rancher/v2.x/en/cluster-admin/tools/monitoring/prometheus/). Review the [resource consumption recommendations](#resource-consumption) to ensure you have enough resources for Prometheus and on your worker nodes to enable monitoring. Enter in your desired configuration options. 1. Click **Save**. -**Result:** The Prometheus server will be deployed as well as two monitoring applications. The two monitoring applications, `cluster-monitoring` and `monitoring-operator`, are added as an [application]({{< baseurl >}}/rancher/v2.x/en/catalog/apps/) to the cluster's `system` project. 
After the applications are `active`, you can start viewing [cluster metrics]({{}}/rancher/v2.x/en/cluster-admin/tools/monitoring/cluster-metrics/) through the [Rancher dashboard]({{}}/rancher/v2.x/en/cluster-admin/tools/monitoring/viewing-metrics/#rancher-dashboard) or directly from [Grafana]({{}}/rancher/v2.x/en/cluster-admin/tools/monitoring/#grafana). +**Result:** The Prometheus server will be deployed as well as two monitoring applications. The two monitoring applications, `cluster-monitoring` and `monitoring-operator`, are added as an [application]({{}}/rancher/v2.x/en/catalog/apps/) to the cluster's `system` project. After the applications are `active`, you can start viewing [cluster metrics]({{}}/rancher/v2.x/en/cluster-admin/tools/monitoring/cluster-metrics/) through the [Rancher dashboard]({{}}/rancher/v2.x/en/cluster-admin/tools/monitoring/viewing-metrics/#rancher-dashboard) or directly from [Grafana]({{}}/rancher/v2.x/en/cluster-admin/tools/monitoring/#grafana). # Resource Consumption diff --git a/content/rancher/v2.x/en/cluster-admin/tools/monitoring/cluster-metrics/_index.md b/content/rancher/v2.x/en/cluster-admin/tools/monitoring/cluster-metrics/_index.md index 14c797848cf..61c20f040c0 100644 --- a/content/rancher/v2.x/en/cluster-admin/tools/monitoring/cluster-metrics/_index.md +++ b/content/rancher/v2.x/en/cluster-admin/tools/monitoring/cluster-metrics/_index.md 
@@ -35,11 +35,11 @@ Some of the biggest metrics to look out for: 1. Click on **Node Metrics**. -[_Get expressions for Cluster Metrics_]({{< baseurl >}}/rancher/v2.x/en/cluster-admin/tools/monitoring/expression/#cluster-metrics) +[_Get expressions for Cluster Metrics_]({{}}/rancher/v2.x/en/cluster-admin/tools/monitoring/expression/#cluster-metrics) ### Etcd Metrics ->**Note:** Only supported for [Rancher launched Kubernetes clusters]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/). +>**Note:** Only supported for [Rancher launched Kubernetes clusters]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/). Etcd metrics display the operations of the etcd database on each of your cluster nodes. After establishing a baseline of normal etcd operational metrics, observe them for abnormal deltas between metric refreshes, which indicate potential issues with etcd. Always address etcd issues immediately! 
@@ -55,13 +55,13 @@ Some of the biggest metrics to look out for: If this statistic suddenly grows, it usually indicates network communication issues that constantly force the cluster to elect a new leader. -[_Get expressions for Etcd Metrics_]({{< baseurl >}}/rancher/v2.x/en/cluster-admin/tools/monitoring/expression/#etcd-metrics) +[_Get expressions for Etcd Metrics_]({{}}/rancher/v2.x/en/cluster-admin/tools/monitoring/expression/#etcd-metrics) ### Kubernetes Components Metrics Kubernetes components metrics display data about the cluster's individual Kubernetes components. Primarily, it displays information about connections and latency for each component: the API server, controller manager, scheduler, and ingress controller. ->**Note:** The metrics for the controller manager, scheduler and ingress controller are only supported for [Rancher launched Kubernetes clusters]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/). +>**Note:** The metrics for the controller manager, scheduler and ingress controller are only supported for [Rancher launched Kubernetes clusters]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/). When analyzing Kubernetes component metrics, don't be concerned about any single standalone metric in the charts and graphs that display. Rather, you should establish a baseline for metrics considered normal following a period of observation, e.g. the range of values that your components usually operate within and are considered normal. After you establish this baseline, be on the lookout for large deltas in the charts and graphs, as these big changes usually indicate a problem that you need to investigate. 
@@ -87,13 +87,13 @@ Some of the more important component metrics to monitor are: How fast ingress is routing connections to your cluster services. -[_Get expressions for Kubernetes Component Metrics_]({{< baseurl >}}/rancher/v2.x/en/cluster-admin/tools/monitoring/expression/#kubernetes-components-metrics) +[_Get expressions for Kubernetes Component Metrics_]({{}}/rancher/v2.x/en/cluster-admin/tools/monitoring/expression/#kubernetes-components-metrics) ## Rancher Logging Metrics -Although the Dashboard for a cluster primarily displays data sourced from Prometheus, it also displays information for cluster logging, provided that you have [configured Rancher to use a logging service]({{< baseurl >}}/rancher/v2.x/en/cluster-admin/tools/logging/). +Although the Dashboard for a cluster primarily displays data sourced from Prometheus, it also displays information for cluster logging, provided that you have [configured Rancher to use a logging service]({{}}/rancher/v2.x/en/cluster-admin/tools/logging/). -[_Get expressions for Rancher Logging Metrics_]({{< baseurl >}}/rancher/v2.x/en/cluster-admin/tools/monitoring/expression/#rancher-logging-metrics) +[_Get expressions for Rancher Logging Metrics_]({{}}/rancher/v2.x/en/cluster-admin/tools/monitoring/expression/#rancher-logging-metrics) ## Finding Workload Metrics @@ -110,4 +110,4 @@ Workload metrics display the hardware utilization for a Kubernetes workload. You - **View the Pod Metrics:** Click on **Pod Metrics**. - **View the Container Metrics:** In the **Containers** section, select a specific container and click on its name. Click on **Container Metrics**. -[_Get expressions for Workload Metrics_]({{< baseurl >}}/rancher/v2.x/en/cluster-admin/tools/monitoring/expression/#workload-metrics) +[_Get expressions for Workload Metrics_]({{}}/rancher/v2.x/en/cluster-admin/tools/monitoring/expression/#workload-metrics) 
diff --git a/content/rancher/v2.x/en/cluster-admin/tools/monitoring/prometheus/_index.md b/content/rancher/v2.x/en/cluster-admin/tools/monitoring/prometheus/_index.md index 0f667bcd1a6..c5cadbc83aa 100644 --- a/content/rancher/v2.x/en/cluster-admin/tools/monitoring/prometheus/_index.md +++ b/content/rancher/v2.x/en/cluster-admin/tools/monitoring/prometheus/_index.md @@ -6,7 +6,7 @@ weight: 1 _Available as of v2.2.0_ -While configuring monitoring at either the [cluster level]({{< baseurl >}}/rancher/v2.x/en/cluster-admin/tools/monitoring/#enabling-cluster-monitoring) or [project level]({{< baseurl >}}/rancher/v2.x/en/project-admin/tools/monitoring/#enabling-project-monitoring), there are multiple options that can be configured. +While configuring monitoring at either the [cluster level]({{}}/rancher/v2.x/en/cluster-admin/tools/monitoring/#enabling-cluster-monitoring) or [project level]({{}}/rancher/v2.x/en/project-admin/tools/monitoring/#enabling-project-monitoring), there are multiple options that can be configured. Option | Description -------|------------- 
@@ -20,7 +20,7 @@ Prometheus [CPU Reservation](https://kubernetes.io/docs/concepts/configuration/m Prometheus [Memory Limit](https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#meaning-of-memory) | Memory resource limit for the Prometheus pod. Prometheus [Memory Reservation](https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#meaning-of-memory) | Memory resource requests for the Prometheus pod. Selector | Ability to select the nodes in which Prometheus and Grafana pods are deployed to. To use this option, the nodes must have labels. -Advanced Options | Since monitoring is an [application](https://github.com/rancher/system-charts/tree/dev/charts/rancher-monitoring) from the [Rancher catalog]({{< baseurl >}}/rancher/v2.x/en/catalog/), it can be [configured like other catalog application]({{< baseurl >}}/rancher/v2.x/en/catalog/apps/#configuration-options). _Warning: Any modification to the application without understanding the entire application can lead to catastrophic errors._ +Advanced Options | Since monitoring is an [application](https://github.com/rancher/system-charts/tree/dev/charts/rancher-monitoring) from the [Rancher catalog]({{}}/rancher/v2.x/en/catalog/), it can be [configured like other catalog application]({{}}/rancher/v2.x/en/catalog/apps/#configuration-options). _Warning: Any modification to the application without understanding the entire application can lead to catastrophic errors._ ## Node Exporter 
@@ -32,8 +32,8 @@ When configuring Prometheus and enabling the node exporter, enter a host port in ## Persistent Storage ->**Prerequisite:** Configure one or more [storage class]({{< baseurl >}}/rancher/v2.x/en/cluster-admin/volumes-and-storage/#adding-storage-classes) to use as [persistent storage]({{< baseurl >}}/rancher/v2.x/en/cluster-admin/volumes-and-storage/) for your Prometheus or Grafana pod. +>**Prerequisite:** Configure one or more [storage class]({{}}/rancher/v2.x/en/cluster-admin/volumes-and-storage/#adding-storage-classes) to use as [persistent storage]({{}}/rancher/v2.x/en/cluster-admin/volumes-and-storage/) for your Prometheus or Grafana pod. By default, when you enable Prometheus for either a cluster or project, all monitoring data that Prometheus collects is stored on its own pod. With local storage, if the Prometheus or Grafana pods fail, all the data is lost. Rancher recommends configuring an external persistent storage to the cluster. With the external persistent storage, if the Prometheus or Grafana pods fail, the new pods can recover using data from the persistent storage. -When enabling persistent storage for Prometheus or Grafana, specify the size of the persistent volume and select the [storage class]({{< baseurl >}}/rancher/v2.x/en/cluster-admin/volumes-and-storage/#storage-classes). +When enabling persistent storage for Prometheus or Grafana, specify the size of the persistent volume and select the [storage class]({{}}/rancher/v2.x/en/cluster-admin/volumes-and-storage/#storage-classes). diff --git a/content/rancher/v2.x/en/cluster-admin/tools/monitoring/viewing-metrics/_index.md b/content/rancher/v2.x/en/cluster-admin/tools/monitoring/viewing-metrics/_index.md index 28ccf295c9b..a1dd3946219 100644 --- a/content/rancher/v2.x/en/cluster-admin/tools/monitoring/viewing-metrics/_index.md +++ b/content/rancher/v2.x/en/cluster-admin/tools/monitoring/viewing-metrics/_index.md 
@@ -5,11 +5,11 @@ weight: 2 _Available as of v2.2.0_ -After you've enabled monitoring at either the [cluster level]({{< baseurl >}}/rancher/v2.x/en/cluster-admin/tools/monitoring/#enabling-cluster-monitoring) or [project level]({{< baseurl >}}/rancher/v2.x/en/project-admin/tools/monitoring/#enabling-project-monitoring), you will want to be start viewing the data being collected. There are multiple ways to view this data. +After you've enabled monitoring at either the [cluster level]({{}}/rancher/v2.x/en/cluster-admin/tools/monitoring/#enabling-cluster-monitoring) or [project level]({{}}/rancher/v2.x/en/project-admin/tools/monitoring/#enabling-project-monitoring), you will want to be start viewing the data being collected. There are multiple ways to view this data. ## Rancher Dashboard ->**Note:** This is only available if you've enabled monitoring at the [cluster level]({{< baseurl >}}/rancher/v2.x/en/cluster-admin/tools/monitoring/#enabling-cluster-monitoring). Project specific analytics must be viewed using the project's Grafana instance. +>**Note:** This is only available if you've enabled monitoring at the [cluster level]({{}}/rancher/v2.x/en/cluster-admin/tools/monitoring/#enabling-cluster-monitoring). Project specific analytics must be viewed using the project's Grafana instance. Rancher's dashboards are available at multiple locations: 
@@ -33,13 +33,13 @@ When analyzing these metrics, don't be concerned about any single standalone met ## Grafana -If you've enabled monitoring at either the [cluster level]({{< baseurl >}}/rancher/v2.x/en/cluster-admin/tools/monitoring/#enabling-cluster-monitoring) or [project level]({{< baseurl >}}/rancher/v2.x/en/project-admin/tools/monitoring/#enabling-project-monitoring), Rancher automatically creates a link to Grafana instance. Use this link to view monitoring data. +If you've enabled monitoring at either the [cluster level]({{}}/rancher/v2.x/en/cluster-admin/tools/monitoring/#enabling-cluster-monitoring) or [project level]({{}}/rancher/v2.x/en/project-admin/tools/monitoring/#enabling-project-monitoring), Rancher automatically creates a link to Grafana instance. Use this link to view monitoring data. Grafana allows you to query, visualize, alert, and ultimately, understand your cluster and workload data. For more information on Grafana and its capabilities, visit the [Grafana website](https://grafana.com/grafana). ### Authentication -Rancher determines which users can access the new Grafana instance, as well as the objects they can view within it, by validating them against the user's [cluster or project roles]({{< baseurl >}}/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/). In other words, a user's access in Grafana mirrors their access in Rancher. +Rancher determines which users can access the new Grafana instance, as well as the objects they can view within it, by validating them against the user's [cluster or project roles]({{}}/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/). In other words, a user's access in Grafana mirrors their access in Rancher. When you go to the Grafana instance, you will be logged in with the username `admin` and the password `admin`. If you log out and log in again, you will be prompted to change your password. 
You will only have access to the URL of the Grafana instance if you have access to view the corresponding metrics in Rancher. So for example, if your Rancher permissions are scoped to the project level, you won't be able to see the Grafana instance for cluster-level metrics. diff --git a/content/rancher/v2.x/en/cluster-admin/tools/notifiers/_index.md b/content/rancher/v2.x/en/cluster-admin/tools/notifiers/_index.md index 107184659f6..1fc9c115451 100644 --- a/content/rancher/v2.x/en/cluster-admin/tools/notifiers/_index.md +++ b/content/rancher/v2.x/en/cluster-admin/tools/notifiers/_index.md @@ -74,8 +74,8 @@ _Available as of v2.2.0_ After creating a notifier, set up alerts to receive notifications of Rancher system events. -- [Cluster owners]({{< baseurl >}}/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/#cluster-roles) can set up alerts at the [cluster level]({{< baseurl >}}/rancher/v2.x/en/cluster-admin/tools/alerts/). -- [Project owners]({{< baseurl >}}/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/#project-roles) can set up alerts at the [project level]({{< baseurl >}}/rancher/v2.x/en/project-admin/tools/alerts/). +- [Cluster owners]({{}}/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/#cluster-roles) can set up alerts at the [cluster level]({{}}/rancher/v2.x/en/cluster-admin/tools/alerts/). +- [Project owners]({{}}/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/#project-roles) can set up alerts at the [project level]({{}}/rancher/v2.x/en/project-admin/tools/alerts/). ## Managing Notifiers diff --git a/content/rancher/v2.x/en/cluster-admin/upgrading-kubernetes/_index.md b/content/rancher/v2.x/en/cluster-admin/upgrading-kubernetes/_index.md index 2d7f62ea392..513d31f1fab 100644 --- a/content/rancher/v2.x/en/cluster-admin/upgrading-kubernetes/_index.md +++ b/content/rancher/v2.x/en/cluster-admin/upgrading-kubernetes/_index.md 
@@ -3,7 +3,7 @@ title: Upgrading Kubernetes weight: 70 --- -> **Prerequisite:** The options below are available only for clusters that are [launched using RKE.]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/) +> **Prerequisite:** The options below are available only for clusters that are [launched using RKE.]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/) Following an upgrade to the latest version of Rancher, you can update your existing clusters to use the latest supported version of Kubernetes. @@ -11,7 +11,7 @@ Before a new version of Rancher is released, it's tested with the latest minor v As of Rancher v2.3.0, the Kubernetes metadata feature was added, which allows Rancher to ship Kubernetes patch versions without upgrading Rancher. For details, refer to the [section on Kubernetes metadata.]({{}}/rancher/v2.x/en/admin-settings/k8s-metadata) ->**Recommended:** Before upgrading Kubernetes, [backup your cluster]({{< baseurl >}}/rancher/v2.x/en/backups). +>**Recommended:** Before upgrading Kubernetes, [backup your cluster]({{}}/rancher/v2.x/en/backups). 1. From the **Global** view, find the cluster for which you want to upgrade Kubernetes. Select **Vertical Ellipsis (...) > Edit**. diff --git a/content/rancher/v2.x/en/cluster-admin/volumes-and-storage/attaching-existing-storage/_index.md b/content/rancher/v2.x/en/cluster-admin/volumes-and-storage/attaching-existing-storage/_index.md index bd1debc8674..8cd6adf86e2 100644 --- a/content/rancher/v2.x/en/cluster-admin/volumes-and-storage/attaching-existing-storage/_index.md +++ b/content/rancher/v2.x/en/cluster-admin/volumes-and-storage/attaching-existing-storage/_index.md 
@@ -16,7 +16,7 @@ To set up storage, follow these steps: ### Prerequisites -- To create a persistent volume as a Kubernetes resource, you must have the `Manage Volumes` [role.]({{< baseurl >}}/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/#project-role-reference) +- To create a persistent volume as a Kubernetes resource, you must have the `Manage Volumes` [role.]({{}}/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/#project-role-reference) - If you are provisioning storage for a cluster hosted in the cloud, the storage and cluster hosts must have the same cloud provider. ### 1. Set up persistent storage in an infrastructure provider diff --git a/content/rancher/v2.x/en/cluster-admin/volumes-and-storage/examples/_index.md b/content/rancher/v2.x/en/cluster-admin/volumes-and-storage/examples/_index.md index 895e45a11ef..2fc9d2799df 100644 --- a/content/rancher/v2.x/en/cluster-admin/volumes-and-storage/examples/_index.md +++ b/content/rancher/v2.x/en/cluster-admin/volumes-and-storage/examples/_index.md @@ -10,5 +10,5 @@ Rancher supports persistent storage with a variety of volume plugins. However, b For your convenience, Rancher offers documentation on how to configure some of the popular storage methods: -- [NFS]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/volumes-and-storage/examples/nfs/) -- [vSphere]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/volumes-and-storage/examples/vsphere/) +- [NFS]({{}}/rancher/v2.x/en/k8s-in-rancher/volumes-and-storage/examples/nfs/) +- [vSphere]({{}}/rancher/v2.x/en/k8s-in-rancher/volumes-and-storage/examples/vsphere/) diff --git a/content/rancher/v2.x/en/cluster-admin/volumes-and-storage/examples/nfs/_index.md b/content/rancher/v2.x/en/cluster-admin/volumes-and-storage/examples/nfs/_index.md index c91713c4bb0..a9be8884a31 100644 --- a/content/rancher/v2.x/en/cluster-admin/volumes-and-storage/examples/nfs/_index.md +++ b/content/rancher/v2.x/en/cluster-admin/volumes-and-storage/examples/nfs/_index.md 
@@ -65,4 +65,4 @@ Before you can use the NFS storage volume plug-in with Rancher deployments, you ## What's Next? -Within Rancher, add the NFS server as a [storage volume]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/volumes-and-storage/#adding-a-persistent-volume) and/or [storage class]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/volumes-and-storage/#adding-storage-classes). After adding the server, you can use it for storage for your deployments. +Within Rancher, add the NFS server as a [storage volume]({{}}/rancher/v2.x/en/k8s-in-rancher/volumes-and-storage/#adding-a-persistent-volume) and/or [storage class]({{}}/rancher/v2.x/en/k8s-in-rancher/volumes-and-storage/#adding-storage-classes). After adding the server, you can use it for storage for your deployments. diff --git a/content/rancher/v2.x/en/cluster-admin/volumes-and-storage/examples/vsphere/_index.md b/content/rancher/v2.x/en/cluster-admin/volumes-and-storage/examples/vsphere/_index.md index 8fcc55db032..0750143fe22 100644 --- a/content/rancher/v2.x/en/cluster-admin/volumes-and-storage/examples/vsphere/_index.md +++ b/content/rancher/v2.x/en/cluster-admin/volumes-and-storage/examples/vsphere/_index.md 
@@ -5,11 +5,11 @@ aliases: - /rancher/v2.x/en/tasks/clusters/adding-storage/provisioning-storage/vsphere/ --- -To provide stateful workloads with vSphere storage, we recommend creating a vSphereVolume [storage class]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/volumes-and-storage/#storage-classes). This practice dynamically provisions vSphere storage when workloads request volumes through a [persistent volume claim]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/volumes-and-storage/persistent-volume-claims/). +To provide stateful workloads with vSphere storage, we recommend creating a vSphereVolume [storage class]({{}}/rancher/v2.x/en/k8s-in-rancher/volumes-and-storage/#storage-classes). This practice dynamically provisions vSphere storage when workloads request volumes through a [persistent volume claim]({{}}/rancher/v2.x/en/k8s-in-rancher/volumes-and-storage/persistent-volume-claims/). ### Prerequisites -In order to provision vSphere volumes in a cluster created with the [Rancher Kubernetes Engine (RKE)]({{< baseurl>}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/), the [vSphere cloud provider]({{< baseurl >}}/rke/latest/en/config-options/cloud-providers/vsphere) must be explicitly enabled in the [cluster options]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/options/). +In order to provision vSphere volumes in a cluster created with the [Rancher Kubernetes Engine (RKE)]({{< baseurl>}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/), the [vSphere cloud provider]({{}}/rke/latest/en/config-options/cloud-providers/vsphere) must be explicitly enabled in the [cluster options]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/options/). ### Creating A Storage Class 
@@ -29,7 +29,7 @@ In order to provision vSphere volumes in a cluster created with the [Rancher Kub ### Creating a Workload with a vSphere Volume -1. From the cluster where you configured vSphere storage, begin creating a workload as you would in [Deploying Workloads]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/workloads/deploy-workloads/). +1. From the cluster where you configured vSphere storage, begin creating a workload as you would in [Deploying Workloads]({{}}/rancher/v2.x/en/k8s-in-rancher/workloads/deploy-workloads/). 2. For **Workload Type**, select **Stateful set of 1 pod**. 3. Expand the **Volumes** section and click **Add Volume**. 4. Choose **Add a new persistent volume (claim)**. This option will implicitly create the claim once you deploy the workload. @@ -54,7 +54,7 @@ In order to provision vSphere volumes in a cluster created with the [Rancher Kub 9. Once the replacement pod is running, click **Execute Shell**. 10. Inspect the contents of the directory where the volume is mounted by entering `ls -l /`. Note that the file you created earlier is still present. - ![workload-persistent-data]({{< baseurl >}}/img/rancher/workload-persistent-data.png) + ![workload-persistent-data]({{}}/img/rancher/workload-persistent-data.png) ## Why to Use StatefulSets Instead of Deployments diff --git a/content/rancher/v2.x/en/cluster-admin/volumes-and-storage/how-storage-works/_index.md b/content/rancher/v2.x/en/cluster-admin/volumes-and-storage/how-storage-works/_index.md index a67c767cadd..a2565bd2b5b 100644 --- a/content/rancher/v2.x/en/cluster-admin/volumes-and-storage/how-storage-works/_index.md +++ b/content/rancher/v2.x/en/cluster-admin/volumes-and-storage/how-storage-works/_index.md 
@@ -16,7 +16,7 @@ To use an existing PV, your application will need to use a PVC that is bound to For dynamic storage provisioning, your application will need to use a PVC that is bound to a storage class. The storage class contains the authorization to provision new persistent volumes. -![Setting Up New and Existing Persistent Storage]({{< baseurl >}}/img/rancher/rancher-storage.svg) +![Setting Up New and Existing Persistent Storage]({{}}/img/rancher/rancher-storage.svg) For more information, refer to the [official Kubernetes documentation on storage](https://kubernetes.io/docs/concepts/storage/volumes/) diff --git a/content/rancher/v2.x/en/cluster-admin/volumes-and-storage/iscsi-volumes/_index.md b/content/rancher/v2.x/en/cluster-admin/volumes-and-storage/iscsi-volumes/_index.md index 0672bbbf6ee..049a654217d 100644 --- a/content/rancher/v2.x/en/cluster-admin/volumes-and-storage/iscsi-volumes/_index.md +++ b/content/rancher/v2.x/en/cluster-admin/volumes-and-storage/iscsi-volumes/_index.md 
@@ -3,7 +3,7 @@ title: iSCSI Volumes weight: 6000 --- -In [Rancher Launched Kubernetes clusters]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/) that store data on iSCSI volumes, you may experience an issue where kubelets fail to automatically connect with iSCSI volumes. This failure is likely due to an incompatibility issue involving the iSCSI initiator tool. You can resolve this issue by installing the iSCSI initiator tool on each of your cluster nodes. +In [Rancher Launched Kubernetes clusters]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/) that store data on iSCSI volumes, you may experience an issue where kubelets fail to automatically connect with iSCSI volumes. This failure is likely due to an incompatibility issue involving the iSCSI initiator tool. You can resolve this issue by installing the iSCSI initiator tool on each of your cluster nodes. Rancher Launched Kubernetes clusters storing data on iSCSI volumes leverage the [iSCSI initiator tool](http://www.open-iscsi.com/), which is embedded in the kubelet's `rancher/hyperkube` Docker image. From each kubelet (i.e., the _initiator_), the tool discovers and launches sessions with an iSCSI volume (i.e., the _target_). However, in some instances, the versions of the iSCSI initiator tool installed on the initiator and the target may not match, resulting in a connection failure. diff --git a/content/rancher/v2.x/en/cluster-admin/volumes-and-storage/provisioning-new-storage/_index.md b/content/rancher/v2.x/en/cluster-admin/volumes-and-storage/provisioning-new-storage/_index.md index 05ecaf4f436..9aaffd5accc 100644 --- a/content/rancher/v2.x/en/cluster-admin/volumes-and-storage/provisioning-new-storage/_index.md +++ b/content/rancher/v2.x/en/cluster-admin/volumes-and-storage/provisioning-new-storage/_index.md 
@@ -66,7 +66,7 @@ These steps describe how to set up a PVC in the namespace where your stateful wo 1. Enter a **Name** for the volume claim. -1. Select the [Namespace]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/projects-and-namespaces/#namespaces) of the volume claim. +1. Select the [Namespace]({{}}/rancher/v2.x/en/k8s-in-rancher/projects-and-namespaces/#namespaces) of the volume claim. 1. In the **Source** field, click **Use a Storage Class to provision a new persistent volume.** diff --git a/content/rancher/v2.x/en/cluster-provisioning/hosted-kubernetes-clusters/_index.md b/content/rancher/v2.x/en/cluster-provisioning/hosted-kubernetes-clusters/_index.md index 8a5fc2495de..e2da323ee7a 100644 --- a/content/rancher/v2.x/en/cluster-provisioning/hosted-kubernetes-clusters/_index.md +++ b/content/rancher/v2.x/en/cluster-provisioning/hosted-kubernetes-clusters/_index.md 
@@ -24,9 +24,9 @@ Kubernetes Providers | Available as of | When using Rancher to create a cluster hosted by a provider, you are prompted for authentication information. This information is required to access the provider's API. For more information on how to obtain this information, see the following procedures: -- [Creating a GKE Cluster]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/hosted-kubernetes-clusters/gke) -- [Creating an EKS Cluster]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/hosted-kubernetes-clusters/eks) -- [Creating an AKS Cluster]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/hosted-kubernetes-clusters/aks) -- [Creating an ACK Cluster]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/hosted-kubernetes-clusters/ack) -- [Creating a TKE Cluster]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/hosted-kubernetes-clusters/tke) -- [Creating a CCE Cluster]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/hosted-kubernetes-clusters/cce) +- [Creating a GKE Cluster]({{}}/rancher/v2.x/en/cluster-provisioning/hosted-kubernetes-clusters/gke) +- [Creating an EKS Cluster]({{}}/rancher/v2.x/en/cluster-provisioning/hosted-kubernetes-clusters/eks) +- [Creating an AKS Cluster]({{}}/rancher/v2.x/en/cluster-provisioning/hosted-kubernetes-clusters/aks) +- [Creating an ACK Cluster]({{}}/rancher/v2.x/en/cluster-provisioning/hosted-kubernetes-clusters/ack) +- [Creating a TKE Cluster]({{}}/rancher/v2.x/en/cluster-provisioning/hosted-kubernetes-clusters/tke) +- [Creating a CCE Cluster]({{}}/rancher/v2.x/en/cluster-provisioning/hosted-kubernetes-clusters/cce) diff --git a/content/rancher/v2.x/en/cluster-provisioning/hosted-kubernetes-clusters/ack/_index.md b/content/rancher/v2.x/en/cluster-provisioning/hosted-kubernetes-clusters/ack/_index.md index cb3951e4e68..32d75c76a00 100644 --- a/content/rancher/v2.x/en/cluster-provisioning/hosted-kubernetes-clusters/ack/_index.md 
+++ b/content/rancher/v2.x/en/cluster-provisioning/hosted-kubernetes-clusters/ack/_index.md @@ -6,7 +6,7 @@ weight: 2120 _Available as of v2.2.0_ -You can use Rancher to create a cluster hosted in Alibaba Cloud Kubernetes (ACK). Rancher has already implemented and packaged the [cluster driver]({{< baseurl >}}/rancher/v2.x/en/admin-settings/drivers/cluster-drivers/) for ACK, but by default, this cluster driver is `inactive`. In order to launch ACK clusters, you will need to [enable the ACK cluster driver]({{< baseurl >}}/rancher/v2.x/en/admin-settings/drivers/cluster-drivers/#activating-deactivating-cluster-drivers). After enabling the cluster driver, you can start provisioning ACK clusters. +You can use Rancher to create a cluster hosted in Alibaba Cloud Kubernetes (ACK). Rancher has already implemented and packaged the [cluster driver]({{}}/rancher/v2.x/en/admin-settings/drivers/cluster-drivers/) for ACK, but by default, this cluster driver is `inactive`. In order to launch ACK clusters, you will need to [enable the ACK cluster driver]({{}}/rancher/v2.x/en/admin-settings/drivers/cluster-drivers/#activating-deactivating-cluster-drivers). After enabling the cluster driver, you can start provisioning ACK clusters. ## Prerequisites diff --git a/content/rancher/v2.x/en/cluster-provisioning/hosted-kubernetes-clusters/cce/_index.md b/content/rancher/v2.x/en/cluster-provisioning/hosted-kubernetes-clusters/cce/_index.md index 39bb5c1c44b..f01af1c27b3 100644 --- a/content/rancher/v2.x/en/cluster-provisioning/hosted-kubernetes-clusters/cce/_index.md +++ b/content/rancher/v2.x/en/cluster-provisioning/hosted-kubernetes-clusters/cce/_index.md 
@@ -6,7 +6,7 @@ weight: 2130 _Available as of v2.2.0_ -You can use Rancher to create a cluster hosted in Huawei Cloud Container Engine (CCE). Rancher has already implemented and packaged the [cluster driver]({{< baseurl >}}/rancher/v2.x/en/admin-settings/drivers/cluster-drivers/) for CCE, but by default, this cluster driver is `inactive`. In order to launch CCE clusters, you will need to [enable the CCE cluster driver]({{< baseurl >}}/rancher/v2.x/en/admin-settings/drivers/cluster-drivers/#activating-deactivating-cluster-drivers). After enabling the cluster driver, you can start provisioning CCE clusters. +You can use Rancher to create a cluster hosted in Huawei Cloud Container Engine (CCE). Rancher has already implemented and packaged the [cluster driver]({{}}/rancher/v2.x/en/admin-settings/drivers/cluster-drivers/) for CCE, but by default, this cluster driver is `inactive`. In order to launch CCE clusters, you will need to [enable the CCE cluster driver]({{}}/rancher/v2.x/en/admin-settings/drivers/cluster-drivers/#activating-deactivating-cluster-drivers). After enabling the cluster driver, you can start provisioning CCE clusters. ## Prerequisites in Huawei diff --git a/content/rancher/v2.x/en/cluster-provisioning/hosted-kubernetes-clusters/eks/_index.md b/content/rancher/v2.x/en/cluster-provisioning/hosted-kubernetes-clusters/eks/_index.md index d3a3af145b5..e93fef1472a 100644 --- a/content/rancher/v2.x/en/cluster-provisioning/hosted-kubernetes-clusters/eks/_index.md +++ b/content/rancher/v2.x/en/cluster-provisioning/hosted-kubernetes-clusters/eks/_index.md 
@@ -38,7 +38,7 @@ For more detailed information on IAM policies for EKS, refer to the official [do The figure below illustrates the high-level architecture of Rancher 2.x. The figure depicts a Rancher Server installation that manages two Kubernetes clusters: one created by RKE and another created by EKS. -![Rancher architecture with EKS hosted cluster]({{< baseurl >}}/img/rancher/rancher-architecture.svg) +![Rancher architecture with EKS hosted cluster]({{}}/img/rancher/rancher-architecture.svg) ## Create the EKS Cluster diff --git a/content/rancher/v2.x/en/cluster-provisioning/hosted-kubernetes-clusters/tke/_index.md b/content/rancher/v2.x/en/cluster-provisioning/hosted-kubernetes-clusters/tke/_index.md index c3f8087e741..dc6c66b9efb 100644 --- a/content/rancher/v2.x/en/cluster-provisioning/hosted-kubernetes-clusters/tke/_index.md +++ b/content/rancher/v2.x/en/cluster-provisioning/hosted-kubernetes-clusters/tke/_index.md 
@@ -6,7 +6,7 @@ weight: 2125 _Available as of v2.2.0_ -You can use Rancher to create a cluster hosted in Tencent Kubernetes Engine (TKE). Rancher has already implemented and packaged the [cluster driver]({{< baseurl >}}/rancher/v2.x/en/admin-settings/drivers/cluster-drivers/) for TKE, but by default, this cluster driver is `inactive`. In order to launch TKE clusters, you will need to [enable the TKE cluster driver]({{< baseurl >}}/rancher/v2.x/en/admin-settings/drivers/cluster-drivers/#activating-deactivating-cluster-drivers). After enabling the cluster driver, you can start provisioning TKE clusters. +You can use Rancher to create a cluster hosted in Tencent Kubernetes Engine (TKE). Rancher has already implemented and packaged the [cluster driver]({{}}/rancher/v2.x/en/admin-settings/drivers/cluster-drivers/) for TKE, but by default, this cluster driver is `inactive`. In order to launch TKE clusters, you will need to [enable the TKE cluster driver]({{}}/rancher/v2.x/en/admin-settings/drivers/cluster-drivers/#activating-deactivating-cluster-drivers). After enabling the cluster driver, you can start provisioning TKE clusters. ## Prerequisites in Tencent diff --git a/content/rancher/v2.x/en/cluster-provisioning/production/nodes-and-roles/_index.md b/content/rancher/v2.x/en/cluster-provisioning/production/nodes-and-roles/_index.md index da12ee46111..3722a97e451 100644 --- a/content/rancher/v2.x/en/cluster-provisioning/production/nodes-and-roles/_index.md +++ b/content/rancher/v2.x/en/cluster-provisioning/production/nodes-and-roles/_index.md @@ -7,7 +7,7 @@ This section describes the roles for etcd nodes, controlplane nodes, and worker This diagram is applicable to Kubernetes clusters [launched with Rancher using RKE.]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/). -![Cluster diagram]({{< baseurl >}}/img/rancher/clusterdiagram.svg)
    +![Cluster diagram]({{}}/img/rancher/clusterdiagram.svg)
    Lines show the traffic flow between components. Colors are used purely for visual aid # etcd diff --git a/content/rancher/v2.x/en/cluster-provisioning/rke-clusters/custom-nodes/_index.md b/content/rancher/v2.x/en/cluster-provisioning/rke-clusters/custom-nodes/_index.md index 9835c53a18c..c964b58e162 100644 --- a/content/rancher/v2.x/en/cluster-provisioning/rke-clusters/custom-nodes/_index.md +++ b/content/rancher/v2.x/en/cluster-provisioning/rke-clusters/custom-nodes/_index.md @@ -53,18 +53,18 @@ Provision the host according to the [installation requirements]({{}}/ra >**Using Windows nodes as Kubernetes workers?** > - >- See [Enable the Windows Support Option]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/windows-clusters/#enable-the-windows-support-option). - >- The only Network Provider available for clusters with Windows support is Flannel. See [Networking Option]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/windows-clusters/#networking-option). + >- See [Enable the Windows Support Option]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/windows-clusters/#enable-the-windows-support-option). + >- The only Network Provider available for clusters with Windows support is Flannel. See [Networking Option]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/windows-clusters/#networking-option). 6.
    Click **Next**. 7. From **Node Role**, choose the roles that you want filled by a cluster node. >**Notes:** > - >- Using Windows nodes as Kubernetes workers? See [Node Configuration]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/windows-clusters/#node-configuration). + >- Using Windows nodes as Kubernetes workers? See [Node Configuration]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/windows-clusters/#node-configuration). >- Bare-Metal Server Reminder: If you plan on dedicating bare-metal servers to each role, you must provision a bare-metal server for each role (i.e. provision multiple bare-metal servers). -8. **Optional**: Click **[Show advanced options]({{< baseurl >}}/rancher/v2.x/en/admin-settings/agent-options/)** to specify IP address(es) to use when registering the node, override the hostname of the node, or to add [labels](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/) or [taints](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) to the node. +8. **Optional**: Click **[Show advanced options]({{}}/rancher/v2.x/en/admin-settings/agent-options/)** to specify IP address(es) to use when registering the node, override the hostname of the node, or to add [labels](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/) or [taints](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) to the node. 9. Copy the command displayed on screen to your clipboard. diff --git a/content/rancher/v2.x/en/cluster-provisioning/rke-clusters/node-pools/_index.md b/content/rancher/v2.x/en/cluster-provisioning/rke-clusters/node-pools/_index.md index 0d7a0e5ab67..7d0c6c6e8e4 100644 --- a/content/rancher/v2.x/en/cluster-provisioning/rke-clusters/node-pools/_index.md +++ b/content/rancher/v2.x/en/cluster-provisioning/rke-clusters/node-pools/_index.md 
@@ -46,7 +46,7 @@ Since taints can be added at a node template and node pool, if there is no confl Using Rancher, you can create pools of nodes based on a [node template](#node-templates). The benefit of using a node pool is that if a node is destroyed or deleted, you can increase the number of live nodes to compensate for the node that was lost. The node pool helps you ensure that the count of the node pool is as expected. -Each node pool is assigned with a [node component]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/#kubernetes-cluster-node-components) to specify how these nodes should be configured for the Kubernetes cluster. +Each node pool is assigned with a [node component]({{}}/rancher/v2.x/en/cluster-provisioning/#kubernetes-cluster-node-components) to specify how these nodes should be configured for the Kubernetes cluster. ### Node Pool Taints 
@@ -112,9 +112,9 @@ Node templates can use cloud credentials to store credentials for launching node - Multiple node templates can share the same cloud credential to create node pools. If your key is compromised or expired, the cloud credential can be updated in a single place, which allows all node templates that are using it to be updated at once. -> **Note:** As of v2.2.0, the default `active` [node drivers]({{< baseurl >}}/rancher/v2.x/en/admin-settings/drivers/node-drivers/) and any node driver, that has fields marked as `password`, are required to use cloud credentials. If you have upgraded to v2.2.0, existing node templates will continue to work with the previous account access information, but when you edit the node template, you will be required to create a cloud credential and the node template will start using it. +> **Note:** As of v2.2.0, the default `active` [node drivers]({{}}/rancher/v2.x/en/admin-settings/drivers/node-drivers/) and any node driver, that has fields marked as `password`, are required to use cloud credentials. If you have upgraded to v2.2.0, existing node templates will continue to work with the previous account access information, but when you edit the node template, you will be required to create a cloud credential and the node template will start using it. -After cloud credentials are created, the user can start [managing the cloud credentials that they created]({{< baseurl >}}/rancher/v2.x/en/user-settings/cloud-credentials/). +After cloud credentials are created, the user can start [managing the cloud credentials that they created]({{}}/rancher/v2.x/en/user-settings/cloud-credentials/). # Node Drivers diff --git a/content/rancher/v2.x/en/cluster-provisioning/rke-clusters/node-pools/ec2/_index.md b/content/rancher/v2.x/en/cluster-provisioning/rke-clusters/node-pools/ec2/_index.md index 94a58722719..4754951afde 100644 --- a/content/rancher/v2.x/en/cluster-provisioning/rke-clusters/node-pools/ec2/_index.md 
+++ b/content/rancher/v2.x/en/cluster-provisioning/rke-clusters/node-pools/ec2/_index.md @@ -11,7 +11,7 @@ Use Rancher to create a Kubernetes cluster in Amazon EC2. - **AWS EC2 Access Key and Secret Key** that will be used to create the instances. See [Amazon Documentation: Creating Access Keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html#Using_CreateAccessKey) how to create an Access Key and Secret Key. - **IAM Policy created** to add to the user of the Access Key And Secret Key. See [Amazon Documentation: Creating IAM Policies (Console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create.html#access_policies_create-start) how to create an IAM policy. See our three example JSON policies below: - [Example IAM Policy](#example-iam-policy) - - [Example IAM Policy with PassRole](#example-iam-policy-with-passrole) (needed if you want to use [Kubernetes Cloud Provider]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/options/cloud-providers) or want to pass an IAM Profile to an instance) + - [Example IAM Policy with PassRole](#example-iam-policy-with-passrole) (needed if you want to use [Kubernetes Cloud Provider]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/options/cloud-providers) or want to pass an IAM Profile to an instance) - [Example IAM Policy to allow encrypted EBS volumes](#example-iam-policy-to-allow-encrypted-ebs-volumes) - **IAM Policy added as Permission** to the user. See [Amazon Documentation: Adding Permissions to a User (Console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_change-permissions.html#users_change_permissions-add-console) how to attach it to an user. 
@@ -99,7 +99,7 @@ Optional: In the **Engine Options** section of the node template, you can config - **Security Groups** creates or configures the Security Groups applied to your nodes. Please refer to [Amazon EC2 security group when using Node Driver]({{}}/rancher/v2.x/en/cluster-provisioning/node-requirements/#security-group-for-nodes-on-aws-ec2) to see what rules are created in the `rancher-nodes` Security Group. - **Instance** configures the instances that will be created. Make sure you configure the correct **SSH User** for the configured AMI.

    - If you need to pass an **IAM Instance Profile Name** (not ARN), for example, when you want to use a [Kubernetes Cloud Provider]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/options/cloud-providers), you will need an additional permission in your policy. See [Example IAM policy with PassRole](#example-iam-policy-with-passrole) for an example policy. + If you need to pass an **IAM Instance Profile Name** (not ARN), for example, when you want to use a [Kubernetes Cloud Provider]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/options/cloud-providers), you will need an additional permission in your policy. See [Example IAM policy with PassRole](#example-iam-policy-with-passrole) for an example policy. 1. {{< step_rancher-template >}} 1. Click **Create**. diff --git a/content/rancher/v2.x/en/cluster-provisioning/rke-clusters/node-pools/vsphere/provisioning-vsphere-clusters/_index.md b/content/rancher/v2.x/en/cluster-provisioning/rke-clusters/node-pools/vsphere/provisioning-vsphere-clusters/_index.md index ecee7787ccc..ce0cfc1ac5f 100644 --- a/content/rancher/v2.x/en/cluster-provisioning/rke-clusters/node-pools/vsphere/provisioning-vsphere-clusters/_index.md +++ b/content/rancher/v2.x/en/cluster-provisioning/rke-clusters/node-pools/vsphere/provisioning-vsphere-clusters/_index.md @@ -162,7 +162,7 @@ Only VMs booting from RancherOS ISO are supported. Ensure that the [OS ISO URL](#instance-options) contains the URL of the VMware ISO release for RancherOS: `rancheros-vmware.iso`. - ![image]({{< baseurl >}}/img/rancher/vsphere-node-template-1.png) + ![image]({{}}/img/rancher/vsphere-node-template-1.png) {{% /tab %}} {{% /tabs %}} 
diff --git a/content/rancher/v2.x/en/cluster-provisioning/rke-clusters/node-pools/vsphere/provisioning-vsphere-clusters/node-template-reference/_index.md b/content/rancher/v2.x/en/cluster-provisioning/rke-clusters/node-pools/vsphere/provisioning-vsphere-clusters/node-template-reference/_index.md index cdc3d70e232..4b6dfcf0339 100644 --- a/content/rancher/v2.x/en/cluster-provisioning/rke-clusters/node-pools/vsphere/provisioning-vsphere-clusters/node-template-reference/_index.md +++ b/content/rancher/v2.x/en/cluster-provisioning/rke-clusters/node-pools/vsphere/provisioning-vsphere-clusters/node-template-reference/_index.md 
@@ -48,7 +48,7 @@ The options for creating and configuring an instance are different depending on | Creation method | * | The method for setting up an operating system on the node. The operating system can be installed from an ISO or from a VM template. Depending on the creation method, you will also have to specify a VM template, content library, existing VM, or ISO. For more information on creation methods, refer to the section on [configuring instances.]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/node-pools/vsphere/provisioning-vsphere-clusters/#c-configure-instances-and-operating-systems) | | Cloud Init | | URL of a `cloud-config.yml` file or URL to provision VMs with. This file allows further customization of the operating system, such as network configuration, DNS servers, or system daemons. The operating system must support `cloud-init`. | | Networks | | Name(s) of the network to attach the VM to. | -| Configuration Parameters used for guestinfo | | Additional configuration parameters for the VMs. These correspond to the [Advanced Settings](https://kb.vmware.com/s/article/1016098) in the vSphere console. Example use cases include providing RancherOS [guestinfo]({{< baseurl >}}/os/v1.x/en/installation/running-rancheros/cloud/vmware-esxi/#vmware-guestinfo) parameters or enabling disk UUIDs for the VMs (`disk.EnableUUID=TRUE`). | +| Configuration Parameters used for guestinfo | | Additional configuration parameters for the VMs. These correspond to the [Advanced Settings](https://kb.vmware.com/s/article/1016098) in the vSphere console. Example use cases include providing RancherOS [guestinfo]({{}}/os/v1.x/en/installation/running-rancheros/cloud/vmware-esxi/#vmware-guestinfo) parameters or enabling disk UUIDs for the VMs (`disk.EnableUUID=TRUE`). | {{% /tab %}} {{% tab "Rancher prior to v2.3.3" %}} 
@@ -58,9 +58,9 @@ The options for creating and configuring an instance are different depending on | CPUs | * | Number of vCPUS to assign to VMs. | | Memory | * | Amount of memory to assign to VMs. | | Disk | * | Size of the disk (in MB) to attach to the VMs. | -| Cloud Init | | URL of a [RancherOS cloud-config]({{< baseurl >}}/os/v1.x/en/installation/configuration/) file to provision VMs with. This file allows further customization of the RancherOS operating system, such as network configuration, DNS servers, or system daemons.| +| Cloud Init | | URL of a [RancherOS cloud-config]({{}}/os/v1.x/en/installation/configuration/) file to provision VMs with. This file allows further customization of the RancherOS operating system, such as network configuration, DNS servers, or system daemons.| | OS ISO URL | * | URL of a RancherOS vSphere ISO file to boot the VMs from. You can find URLs for specific versions in the [Rancher OS GitHub Repo](https://github.com/rancher/os). | -| Configuration Parameters | | Additional configuration parameters for the VMs. These correspond to the [Advanced Settings](https://kb.vmware.com/s/article/1016098) in the vSphere console. Example use cases include providing RancherOS [guestinfo]({{< baseurl >}}/os/v1.x/en/installation/running-rancheros/cloud/vmware-esxi/#vmware-guestinfo) parameters or enabling disk UUIDs for the VMs (`disk.EnableUUID=TRUE`). | +| Configuration Parameters | | Additional configuration parameters for the VMs. These correspond to the [Advanced Settings](https://kb.vmware.com/s/article/1016098) in the vSphere console. Example use cases include providing RancherOS [guestinfo]({{}}/os/v1.x/en/installation/running-rancheros/cloud/vmware-esxi/#vmware-guestinfo) parameters or enabling disk UUIDs for the VMs (`disk.EnableUUID=TRUE`). | {{% /tab %}} {{% /tabs %}} 
diff --git a/content/rancher/v2.x/en/cluster-provisioning/rke-clusters/options/_index.md b/content/rancher/v2.x/en/cluster-provisioning/rke-clusters/options/_index.md index bd6c563029c..20922c7d3b2 100644 --- a/content/rancher/v2.x/en/cluster-provisioning/rke-clusters/options/_index.md +++ b/content/rancher/v2.x/en/cluster-provisioning/rke-clusters/options/_index.md @@ -36,7 +36,7 @@ This section is a cluster configuration reference, covering the following topics # Rancher UI Options -When creating a cluster using one of the options described in [Rancher Launched Kubernetes]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/rke-clusters), you can configure basic Kubernetes options using the **Cluster Options** section. +When creating a cluster using one of the options described in [Rancher Launched Kubernetes]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters), you can configure basic Kubernetes options using the **Cluster Options** section. ### Kubernetes Version 
@@ -44,7 +44,7 @@ The version of Kubernetes installed on your cluster nodes. Rancher packages its ### Network Provider -The [Network Provider](https://kubernetes.io/docs/concepts/cluster-administration/networking/) that the cluster uses. For more details on the different networking providers, please view our [Networking FAQ]({{< baseurl >}}/rancher/v2.x/en/faq/networking/cni-providers/). +The [Network Provider](https://kubernetes.io/docs/concepts/cluster-administration/networking/) that the cluster uses. For more details on the different networking providers, please view our [Networking FAQ]({{}}/rancher/v2.x/en/faq/networking/cni-providers/). >**Note:** After you launch the cluster, you cannot change your network provider. Therefore, choose which network provider you want to use carefully, as Kubernetes doesn't allow switching between network providers. Once a cluster is created with a network provider, changing network providers would require you tear down the entire cluster and all its applications. 
@@ -57,9 +57,9 @@ Out of the box, Rancher is compatible with the following network providers: **Notes on Canal:** -In v2.0.0 - v2.0.4 and v2.0.6, this was the default option for these clusters was Canal with network isolation. With the network isolation automatically enabled, it prevented any pod communication between [projects]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/projects-and-namespaces/). +In v2.0.0 - v2.0.4 and v2.0.6, this was the default option for these clusters was Canal with network isolation. With the network isolation automatically enabled, it prevented any pod communication between [projects]({{}}/rancher/v2.x/en/k8s-in-rancher/projects-and-namespaces/). -As of v2.0.7, if you use Canal, you also have the option of using **Project Network Isolation**, which will enable or disable communication between pods in different [projects]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/projects-and-namespaces/). +As of v2.0.7, if you use Canal, you also have the option of using **Project Network Isolation**, which will enable or disable communication between pods in different [projects]({{}}/rancher/v2.x/en/k8s-in-rancher/projects-and-namespaces/). >**Attention Rancher v2.0.0 - v2.0.6 Users** 
> @@ -72,13 +72,13 @@ In v2.0.5, this was the default option, which did not prevent any network isolat **Notes on Weave:** -When Weave is selected as network provider, Rancher will automatically enable encryption by generating a random password. If you want to specify the password manually, please see how to configure your cluster using a [Config File]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/options/#config-file) and the [Weave Network Plug-in Options]({{< baseurl >}}/rke/latest/en/config-options/add-ons/network-plugins/#weave-network-plug-in-options). +When Weave is selected as network provider, Rancher will automatically enable encryption by generating a random password. If you want to specify the password manually, please see how to configure your cluster using a [Config File]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/options/#config-file) and the [Weave Network Plug-in Options]({{}}/rke/latest/en/config-options/add-ons/network-plugins/#weave-network-plug-in-options). ### Kubernetes Cloud Providers You can configure a [Kubernetes cloud provider]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/options/cloud-providers). If you want to use [volumes and storage]({{}}/rancher/v2.x/en/k8s-in-rancher/volumes-and-storage/) in Kubernetes, typically you must select the specific cloud provider in order to use it. For example, if you want to use Amazon EBS, you would need to select the `aws` cloud provider. ->**Note:** If the cloud provider you want to use is not listed as an option, you will need to use the [config file option](#config-file) to configure the cloud provider. Please reference the [RKE cloud provider documentation]({{< baseurl >}}/rke/latest/en/config-options/cloud-providers/) on how to configure the cloud provider. +>**Note:** If the cloud provider you want to use is not listed as an option, you will need to use the [config file option](#config-file) to configure the cloud provider. 
Please reference the [RKE cloud provider documentation]({{}}/rke/latest/en/config-options/cloud-providers/) on how to configure the cloud provider. If you want to see all the configuration options for a cluster, please click **Show advanced options** on the bottom right. The advanced options are described below: @@ -119,7 +119,7 @@ The following options are available when you create clusters in the Rancher UI. ### NGINX Ingress -Option to enable or disable the [NGINX ingress controller]({{< baseurl >}}/rke/latest/en/config-options/add-ons/ingress-controllers/). +Option to enable or disable the [NGINX ingress controller]({{}}/rke/latest/en/config-options/add-ons/ingress-controllers/). ### Node Port Range 
@@ -127,15 +127,15 @@ Option to change the range of ports that can be used for [NodePort services](htt ### Metrics Server Monitoring -Option to enable or disable [Metrics Server]({{< baseurl >}}/rke/latest/en/config-options/add-ons/metrics-server/). +Option to enable or disable [Metrics Server]({{}}/rke/latest/en/config-options/add-ons/metrics-server/). ### Pod Security Policy Support -Option to enable and select a default [Pod Security Policy]({{< baseurl >}}/rancher/v2.x/en/admin-settings/pod-security-policies). You must have an existing Pod Security Policy configured before you can use this option. +Option to enable and select a default [Pod Security Policy]({{}}/rancher/v2.x/en/admin-settings/pod-security-policies). You must have an existing Pod Security Policy configured before you can use this option. ### Docker Version on Nodes -Option to require [a supported Docker version]({{< baseurl >}}/rancher/v2.x/en/installation/requirements/) installed on the cluster nodes that are added to the cluster, or to allow unsupported Docker versions installed on the cluster nodes. +Option to require [a supported Docker version]({{}}/rancher/v2.x/en/installation/requirements/) installed on the cluster nodes that are added to the cluster, or to allow unsupported Docker versions installed on the cluster nodes. ### Docker Root Directory @@ -143,7 +143,7 @@ If the nodes you are adding to the cluster have Docker configured with a non-def ### Recurring etcd Snapshots -Option to enable or disable [recurring etcd snapshots]({{< baseurl >}}/rke/latest/en/etcd-snapshots/#etcd-recurring-snapshots). +Option to enable or disable [recurring etcd snapshots]({{}}/rke/latest/en/etcd-snapshots/#etcd-recurring-snapshots). # Cluster Config File 
@@ -154,7 +154,7 @@ Instead of using the Rancher UI to choose Kubernetes options for the cluster, ad - To edit an RKE config file directly from the Rancher UI, click **Edit as YAML**. - To read from an existing RKE file, click **Read from a file**. -![image]({{< baseurl >}}/img/rancher/cluster-options-yaml.png) +![image]({{}}/img/rancher/cluster-options-yaml.png) The structure of the config file is different depending on your version of Rancher. Below are example config files for Rancher v2.0.0-v2.2.x and for Rancher v2.3.0+. @@ -341,7 +341,7 @@ ssh_agent_auth: false ### Default DNS provider -The table below indicates what DNS provider is deployed by default. See [RKE documentation on DNS provider]({{< baseurl >}}/rke/latest/en/config-options/add-ons/dns/) for more information how to configure a different DNS provider. CoreDNS can only be used on Kubernetes v1.12.0 and higher. +The table below indicates what DNS provider is deployed by default. See [RKE documentation on DNS provider]({{}}/rke/latest/en/config-options/add-ons/dns/) for more information how to configure a different DNS provider. CoreDNS can only be used on Kubernetes v1.12.0 and higher. | Rancher version | Kubernetes version | Default DNS provider | |-------------|--------------------|----------------------| @@ -361,7 +361,7 @@ See [Docker Root Directory](#docker-root-directory). ### enable_cluster_monitoring -Option to enable or disable [Cluster Monitoring]({{< baseurl >}}/rancher/v2.x/en/cluster-admin/tools/monitoring/). +Option to enable or disable [Cluster Monitoring]({{}}/rancher/v2.x/en/cluster-admin/tools/monitoring/). ### enable_network_policy diff --git a/content/rancher/v2.x/en/cluster-provisioning/rke-clusters/options/pod-security-policies/_index.md b/content/rancher/v2.x/en/cluster-provisioning/rke-clusters/options/pod-security-policies/_index.md index c9680df8478..009fca03abb 100644 --- a/content/rancher/v2.x/en/cluster-provisioning/rke-clusters/options/pod-security-policies/_index.md 
+++ b/content/rancher/v2.x/en/cluster-provisioning/rke-clusters/options/pod-security-policies/_index.md @@ -10,7 +10,7 @@ _Pod Security Policies_ are objects that control security-sensitive aspects of p When you create a new cluster with RKE, you can configure it to apply a PSP immediately. As you create the cluster, use the **Cluster Options** to enable a PSP. The PSP assigned to the cluster will be the default PSP for projects within the cluster. >**Prerequisite:** ->Create a Pod Security Policy within Rancher. Before you can assign a default PSP to a new cluster, you must have a PSP available for assignment. For instruction, see [Creating Pod Security Policies]({{< baseurl >}}/rancher/v2.x/en/admin-settings/pod-security-policies/). +>Create a Pod Security Policy within Rancher. Before you can assign a default PSP to a new cluster, you must have a PSP available for assignment. For instruction, see [Creating Pod Security Policies]({{}}/rancher/v2.x/en/admin-settings/pod-security-policies/). >**Note:** >For security purposes, we recommend assigning a PSP as you create your clusters. diff --git a/content/rancher/v2.x/en/cluster-provisioning/rke-clusters/rancher-agents/_index.md b/content/rancher/v2.x/en/cluster-provisioning/rke-clusters/rancher-agents/_index.md index de3e9ba5058..0c5c967613c 100644 --- a/content/rancher/v2.x/en/cluster-provisioning/rke-clusters/rancher-agents/_index.md +++ b/content/rancher/v2.x/en/cluster-provisioning/rke-clusters/rancher-agents/_index.md 
@@ -12,11 +12,11 @@ For a conceptual overview of how the Rancher server provisions clusters and comm ### cattle-cluster-agent -The `cattle-cluster-agent` is used to connect to the Kubernetes API of [Rancher Launched Kubernetes]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/) clusters. The `cattle-cluster-agent` is deployed using a Deployment resource. +The `cattle-cluster-agent` is used to connect to the Kubernetes API of [Rancher Launched Kubernetes]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/) clusters. The `cattle-cluster-agent` is deployed using a Deployment resource. ### cattle-node-agent -The `cattle-node-agent` is used to interact with nodes in a [Rancher Launched Kubernetes]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/) cluster when performing cluster operations. Examples of cluster operations are upgrading Kubernetes version and creating/restoring etcd snapshots. The `cattle-node-agent` is deployed using a DaemonSet resource to make sure it runs on every node. The `cattle-node-agent` is used as fallback option to connect to the Kubernetes API of [Rancher Launched Kubernetes]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/) clusters when `cattle-cluster-agent` is unavailable. +The `cattle-node-agent` is used to interact with nodes in a [Rancher Launched Kubernetes]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/) cluster when performing cluster operations. Examples of cluster operations are upgrading Kubernetes version and creating/restoring etcd snapshots. The `cattle-node-agent` is deployed using a DaemonSet resource to make sure it runs on every node. The `cattle-node-agent` is used as fallback option to connect to the Kubernetes API of [Rancher Launched Kubernetes]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/) clusters when `cattle-cluster-agent` is unavailable. 
> **Note:** In Rancher v2.2.4 and lower, the `cattle-node-agent` pods did not tolerate all taints, causing Kubernetes upgrades to fail on these nodes. The fix for this has been included in Rancher v2.2.5 and higher. diff --git a/content/rancher/v2.x/en/cluster-provisioning/rke-clusters/windows-clusters/_index.md b/content/rancher/v2.x/en/cluster-provisioning/rke-clusters/windows-clusters/_index.md index 337a4452bcc..f6bec63c232 100644 --- a/content/rancher/v2.x/en/cluster-provisioning/rke-clusters/windows-clusters/_index.md +++ b/content/rancher/v2.x/en/cluster-provisioning/rke-clusters/windows-clusters/_index.md @@ -5,7 +5,7 @@ weight: 2240 _Available as of v2.3.0_ -When provisioning a [custom cluster]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/custom-clusters/) using Rancher, Rancher uses RKE (the Rancher Kubernetes Engine) to provision the Kubernetes custom cluster on your existing infrastructure. +When provisioning a [custom cluster]({{}}/rancher/v2.x/en/cluster-provisioning/custom-clusters/) using Rancher, Rancher uses RKE (the Rancher Kubernetes Engine) to provision the Kubernetes custom cluster on your existing infrastructure. You can use a mix of Linux and Windows hosts as your cluster nodes. Windows nodes can only be used for deploying workloads, while Linux nodes are required for cluster management. 
@@ -32,13 +32,13 @@ This guide covers the following topics: # Prerequisites -Before provisioning a new cluster, be sure that you have already installed Rancher on a device that accepts inbound network traffic. This is required in order for the cluster nodes to communicate with Rancher. If you have not already installed Rancher, please refer to the [installation documentation]({{< baseurl >}}/rancher/v2.x/en/installation/) before proceeding with this guide. +Before provisioning a new cluster, be sure that you have already installed Rancher on a device that accepts inbound network traffic. This is required in order for the cluster nodes to communicate with Rancher. If you have not already installed Rancher, please refer to the [installation documentation]({{}}/rancher/v2.x/en/installation/) before proceeding with this guide. > **Note on Cloud Providers:** If you set a Kubernetes cloud provider in your cluster, some additional steps are required. You might want to set a cloud provider if you want to want to leverage a cloud provider's capabilities, for example, to automatically provision storage, load balancers, or other infrastructure for your cluster. Refer to [this page]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/options/cloud-providers/) for details on how to configure a cloud provider cluster of nodes that meet the prerequisites. # Requirements for Windows Clusters -For a custom cluster, the general node requirements for networking, operating systems, and Docker are the same as the node requirements for a [Rancher installation]({{< baseurl >}}/rancher/v2.x/en/installation/requirements/). +For a custom cluster, the general node requirements for networking, operating systems, and Docker are the same as the node requirements for a [Rancher installation]({{}}/rancher/v2.x/en/installation/requirements/). ### OS and Docker Requirements 
@@ -84,9 +84,9 @@ We recommend the minimum three-node architecture listed in the table below, but | Node | Operating System | Kubernetes Cluster Role(s) | Purpose | | ------ | --------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------- | -| Node 1 | Linux (Ubuntu Server 18.04 recommended) | [Control Plane]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/#control-plane-nodes), [etcd]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/#etcd-nodes), [Worker]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/#worker-nodes) | Manage the Kubernetes cluster | -| Node 2 | Linux (Ubuntu Server 18.04 recommended) | [Worker]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/#worker-nodes) | Support the Rancher Cluster agent, Metrics server, DNS, and Ingress for the cluster | -| Node 3 | Windows (Windows Server core version 1809 or above) | [Worker]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/#worker-nodes) | Run your Windows containers | +| Node 1 | Linux (Ubuntu Server 18.04 recommended) | [Control Plane]({{}}/rancher/v2.x/en/cluster-provisioning/#control-plane-nodes), [etcd]({{}}/rancher/v2.x/en/cluster-provisioning/#etcd-nodes), [Worker]({{}}/rancher/v2.x/en/cluster-provisioning/#worker-nodes) | Manage the Kubernetes cluster | +| Node 2 | Linux (Ubuntu Server 18.04 recommended) | [Worker]({{}}/rancher/v2.x/en/cluster-provisioning/#worker-nodes) | Support the Rancher Cluster agent, Metrics server, DNS, and Ingress for the cluster | +| Node 3 | Windows (Windows Server core version 1809 or above) | [Worker]({{}}/rancher/v2.x/en/cluster-provisioning/#worker-nodes) | Run your Windows containers | ### Container Requirements 
@@ -130,11 +130,11 @@ You will provision three nodes: | Node 2 | Linux (Ubuntu Server 18.04 recommended) | | Node 3 | Windows (Windows Server core version 1809 or above required) | -If your nodes are hosted by a **Cloud Provider** and you want automation support such as loadbalancers or persistent storage devices, your nodes have additional configuration requirements. For details, see [Selecting Cloud Providers.]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/options/cloud-providers) +If your nodes are hosted by a **Cloud Provider** and you want automation support such as loadbalancers or persistent storage devices, your nodes have additional configuration requirements. For details, see [Selecting Cloud Providers.]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/options/cloud-providers) # 2. Create the Custom Cluster -The instructions for creating a custom cluster that supports Windows nodes are very similar to the general [instructions for creating a custom cluster]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/custom-nodes/#2-create-the-custom-cluster) with some Windows-specific requirements. +The instructions for creating a custom cluster that supports Windows nodes are very similar to the general [instructions for creating a custom cluster]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/custom-nodes/#2-create-the-custom-cluster) with some Windows-specific requirements. Windows support only be enabled if the cluster uses Kubernetes v1.15+ and the Flannel network provider. 
@@ -170,7 +170,7 @@ In this section, we fill out a form on the Rancher UI to get a custom command to 1. In the **Node Role** section, choose at least **etcd** and **Control Plane**. We recommend selecting all three. -1. Optional: If you click **Show advanced options,** you can customize the settings for the [Rancher agent]({{< baseurl >}}/rancher/v2.x/en/admin-settings/agent-options/) and [node labels.](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/) +1. Optional: If you click **Show advanced options,** you can customize the settings for the [Rancher agent]({{}}/rancher/v2.x/en/admin-settings/agent-options/) and [node labels.](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/) 1. Copy the command displayed on the screen to your clipboard. @@ -239,11 +239,11 @@ After creating your cluster, you can access it through the Rancher UI. As a best # Configuration for Storage Classes in Azure -If you are using Azure VMs for your nodes, you can use [Azure files](https://docs.microsoft.com/en-us/azure/aks/azure-files-dynamic-pv) as a [storage class]({{< baseurl >}}/rancher/v2.x/en/cluster-admin/volumes-and-storage/#adding-storage-classes) for the cluster. +If you are using Azure VMs for your nodes, you can use [Azure files](https://docs.microsoft.com/en-us/azure/aks/azure-files-dynamic-pv) as a [storage class]({{}}/rancher/v2.x/en/cluster-admin/volumes-and-storage/#adding-storage-classes) for the cluster. In order to have the Azure platform create the required storage resources, follow these steps: -1. [Configure the Azure cloud provider.]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/options/cloud-providers/#azure) +1. [Configure the Azure cloud provider.]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/options/cloud-providers/#azure) 1. Configure `kubectl` to connect to your cluster. 
diff --git a/content/rancher/v2.x/en/cluster-provisioning/rke-clusters/windows-clusters/docs-for-2.1-and-2.2/_index.md b/content/rancher/v2.x/en/cluster-provisioning/rke-clusters/windows-clusters/docs-for-2.1-and-2.2/_index.md index e9986f6abae..988427179b4 100644 --- a/content/rancher/v2.x/en/cluster-provisioning/rke-clusters/windows-clusters/docs-for-2.1-and-2.2/_index.md +++ b/content/rancher/v2.x/en/cluster-provisioning/rke-clusters/windows-clusters/docs-for-2.1-and-2.2/_index.md @@ -5,9 +5,9 @@ weight: 9100 _Available from v2.1.0 to v2.1.9 and v2.2.0 to v2.2.3_ -This section describes how to provision Windows clusters in Rancher v2.1.x and v2.2.x. If you are using Rancher v2.3.0 or later, please refer to the new documentation for [v2.3.0 or later]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/windows-clusters/). +This section describes how to provision Windows clusters in Rancher v2.1.x and v2.2.x. If you are using Rancher v2.3.0 or later, please refer to the new documentation for [v2.3.0 or later]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/windows-clusters/). -When you create a [custom cluster]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/custom-clusters/), Rancher uses RKE (the Rancher Kubernetes Engine) to provision the Kubernetes cluster on your existing infrastructure. +When you create a [custom cluster]({{}}/rancher/v2.x/en/cluster-provisioning/custom-clusters/), Rancher uses RKE (the Rancher Kubernetes Engine) to provision the Kubernetes cluster on your existing infrastructure. You can provision a custom Windows cluster using Rancher by using a mix of Linux and Windows hosts as your cluster nodes. 
@@ -43,23 +43,23 @@ When setting up a custom cluster with support for Windows nodes and containers, ## 1. Provision Hosts -To begin provisioning a custom cluster with Windows support, prepare your host servers. Provision three nodes according to our [requirements]({{< baseurl >}}/rancher/v2.x/en/installation/requirements/)—two Linux, one Windows. Your hosts can be: +To begin provisioning a custom cluster with Windows support, prepare your host servers. Provision three nodes according to our [requirements]({{}}/rancher/v2.x/en/installation/requirements/)—two Linux, one Windows. Your hosts can be: - Cloud-hosted VMs - VMs from virtualization clusters - Bare-metal servers -The table below lists the [Kubernetes roles]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/#kubernetes-cluster-node-components) you'll assign to each host, although you won't enable these roles until further along in the configuration process—we're just informing you of each node's purpose. The first node, a Linux host, is primarily responsible for managing the Kubernetes control plane, although, in this use case, we're installing all three roles on this node. Node 2 is also a Linux worker, which is responsible for Ingress support. Finally, the third node is your Windows worker, which will run your Windows applications. +The table below lists the [Kubernetes roles]({{}}/rancher/v2.x/en/cluster-provisioning/#kubernetes-cluster-node-components) you'll assign to each host, although you won't enable these roles until further along in the configuration process—we're just informing you of each node's purpose. The first node, a Linux host, is primarily responsible for managing the Kubernetes control plane, although, in this use case, we're installing all three roles on this node. Node 2 is also a Linux worker, which is responsible for Ingress support. Finally, the third node is your Windows worker, which will run your Windows applications. 
Node | Operating System | Future Cluster Role(s) --------|------------------|------ -Node 1 | Linux (Ubuntu Server 16.04 recommended) | [Control Plane]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/#control-plane-nodes), [etcd]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/#etcd), [Worker]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/#worker-nodes) -Node 2 | Linux (Ubuntu Server 16.04 recommended) | [Worker]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/#worker-nodes) (This node is used for Ingress support) -Node 3 | Windows (Windows Server core version 1809 or above) | [Worker]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/#worker-nodes) +Node 1 | Linux (Ubuntu Server 16.04 recommended) | [Control Plane]({{}}/rancher/v2.x/en/cluster-provisioning/#control-plane-nodes), [etcd]({{}}/rancher/v2.x/en/cluster-provisioning/#etcd), [Worker]({{}}/rancher/v2.x/en/cluster-provisioning/#worker-nodes) +Node 2 | Linux (Ubuntu Server 16.04 recommended) | [Worker]({{}}/rancher/v2.x/en/cluster-provisioning/#worker-nodes) (This node is used for Ingress support) +Node 3 | Windows (Windows Server core version 1809 or above) | [Worker]({{}}/rancher/v2.x/en/cluster-provisioning/#worker-nodes) ### Requirements -- You can view node requirements for Linux and Windows nodes in the [installation section]({{< baseurl >}}/rancher/v2.x/en/installation/requirements/). +- You can view node requirements for Linux and Windows nodes in the [installation section]({{}}/rancher/v2.x/en/installation/requirements/). - All nodes in a virtualization cluster or a bare metal cluster must be connected using a layer 2 network. - To support [Ingress](https://kubernetes.io/docs/concepts/services-networking/ingress/), your cluster must include at least one Linux node dedicated to the worker role. - Although we recommend the three node architecture listed in the table above, you can add additional Linux and Windows workers to scale up your cluster for redundancy. 
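Review bot: The Node 1 row links etcd to the fragment `#etcd`, but the equivalent table in windows-clusters/_index.md (the @@ -84,9 hunk earlier in this patch) links the same role to `#etcd-nodes` on the same cluster-provisioning page. Only one of the two fragments can match the heading, so one of these links does not scroll to the etcd section. Check which anchor the target page actually generates and use it in both tables.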
@@ -79,20 +79,20 @@ Azure VM | [Enable or Disable IP Forwarding](https://docs.microsoft.com/en-us/az ## 3. Create the Custom Cluster -To create a custom cluster that supports Windows nodes, follow the instructions in [Creating a Cluster with Custom Nodes]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/custom-nodes/#2-create-the-custom-cluster), starting from [2. Create the Custom Cluster]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/custom-nodes/#2-create-the-custom-cluster). While completing the linked instructions, look for steps that requires special actions for Windows nodes, which are flagged with a note. These notes will link back here, to the special Windows instructions listed in the subheadings below. +To create a custom cluster that supports Windows nodes, follow the instructions in [Creating a Cluster with Custom Nodes]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/custom-nodes/#2-create-the-custom-cluster), starting from [2. Create the Custom Cluster]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/custom-nodes/#2-create-the-custom-cluster). While completing the linked instructions, look for steps that requires special actions for Windows nodes, which are flagged with a note. These notes will link back here, to the special Windows instructions listed in the subheadings below. ### Enable the Windows Support Option While choosing **Cluster Options**, set **Windows Support (Experimental)** to **Enabled**. -After you select this option, resume [Creating a Cluster with Custom Nodes]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/custom-nodes/#create-the-custom-cluster) from [step 6]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/custom-nodes/#step-6). 
+After you select this option, resume [Creating a Cluster with Custom Nodes]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/custom-nodes/#create-the-custom-cluster) from [step 6]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/custom-nodes/#step-6). ### Networking Option When choosing a network provider for a cluster that supports Windows, the only option available is Flannel, as [host-gw](https://github.com/coreos/flannel/blob/master/Documentation/backends.md#host-gw) is needed for IP routing. -If your nodes are hosted by a cloud provider and you want automation support such as load balancers or persistent storage devices, see [Selecting Cloud Providers]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/options/cloud-providers) for configuration info. +If your nodes are hosted by a cloud provider and you want automation support such as load balancers or persistent storage devices, see [Selecting Cloud Providers]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/options/cloud-providers) for configuration info. ### Node Configuration @@ -103,7 +103,7 @@ Option | Setting Node Operating System | Linux Node Roles | etcd
    Control Plane
    Worker -When you're done with these configurations, resume [Creating a Cluster with Custom Nodes]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/custom-nodes/#create-the-custom-cluster) from [step 8]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/custom-nodes/#step-8). +When you're done with these configurations, resume [Creating a Cluster with Custom Nodes]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/custom-nodes/#create-the-custom-cluster) from [step 8]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/custom-nodes/#step-8). diff --git a/content/rancher/v2.x/en/contributing/_index.md b/content/rancher/v2.x/en/contributing/_index.md index 3965c2e7783..1cbf8bd694e 100644 --- a/content/rancher/v2.x/en/contributing/_index.md +++ b/content/rancher/v2.x/en/contributing/_index.md @@ -38,7 +38,7 @@ loglevel repository | https://github.com/rancher/loglevel | This repository is t To see all libraries/projects used in Rancher, see the [`go.mod` file](https://github.com/rancher/rancher/blob/master/go.mod) in the `rancher/rancher` repository. -![Rancher diagram]({{< baseurl >}}/img/rancher/ranchercomponentsdiagram.svg)
    +![Rancher diagram]({{}}/img/rancher/ranchercomponentsdiagram.svg)
    Rancher components used for provisioning/managing Kubernetes clusters. # Building diff --git a/content/rancher/v2.x/en/faq/networking/_index.md b/content/rancher/v2.x/en/faq/networking/_index.md index ef4a030f7a8..863ad97169d 100644 --- a/content/rancher/v2.x/en/faq/networking/_index.md +++ b/content/rancher/v2.x/en/faq/networking/_index.md @@ -5,5 +5,5 @@ weight: 8005 Networking FAQ's -- [CNI Providers]({{< baseurl >}}/rancher/v2.x/en/faq/networking/cni-providers/) +- [CNI Providers]({{}}/rancher/v2.x/en/faq/networking/cni-providers/) diff --git a/content/rancher/v2.x/en/faq/networking/cni-providers/_index.md b/content/rancher/v2.x/en/faq/networking/cni-providers/_index.md index 08ae7cf4f70..ec07fe5018d 100644 --- a/content/rancher/v2.x/en/faq/networking/cni-providers/_index.md +++ b/content/rancher/v2.x/en/faq/networking/cni-providers/_index.md @@ -10,7 +10,7 @@ CNI (Container Network Interface), a [Cloud Native Computing Foundation project] Kubernetes uses CNI as an interface between network providers and Kubernetes pod networking. -![CNI Logo]({{< baseurl >}}/img/rancher/cni-logo.png) +![CNI Logo]({{}}/img/rancher/cni-logo.png) For more information visit [CNI GitHub project](https://github.com/containernetworking/cni). @@ -28,7 +28,7 @@ This network model is used when an extended L2 bridge is preferred. This network CNI network providers using this network model include Flannel, Canal, and Weave. -![Encapsulated Network]({{< baseurl >}}/img/rancher/encapsulated-network.png) +![Encapsulated Network]({{}}/img/rancher/encapsulated-network.png) #### What is an Unencapsulated Network? @@ -40,7 +40,7 @@ This network model is used when a routed L3 network is preferred. This mode dyna CNI network providers using this network model include Calico and Romana. -![Unencapsulated Network]({{< baseurl >}}/img/rancher/unencapsulated-network.png) +![Unencapsulated Network]({{}}/img/rancher/unencapsulated-network.png) ### What CNI Providers are Provided by Rancher? 
@@ -48,7 +48,7 @@ Out-of-the-box, Rancher provides the following CNI network providers for Kuberne #### Canal -![Canal Logo]({{< baseurl >}}/img/rancher/canal-logo.png) +![Canal Logo]({{}}/img/rancher/canal-logo.png) Canal is a CNI network provider that gives you the best of Flannel and Calico. It allows users to easily deploy Calico and Flannel networking together as a unified networking solution, combining Calico’s network policy enforcement with the rich superset of Calico (unencapsulated) and/or Flannel (encapsulated) network connectivity options. @@ -62,7 +62,7 @@ For more information, see the [Canal GitHub Page.](https://github.com/projectcal #### Flannel -![Flannel Logo]({{< baseurl >}}/img/rancher/flannel-logo.png) +![Flannel Logo]({{}}/img/rancher/flannel-logo.png) Flannel is a simple and easy way to configure L3 network fabric designed for Kubernetes. Flannel runs a single binary agent named flanneld on each host, which is responsible for allocating a subnet lease to each host out of a larger, preconfigured address space. Flannel uses either the Kubernetes API or etcd directly to store the network configuration, the allocated subnets, and any auxiliary data (such as the host's public IP). Packets are forwarded using one of several backend mechanisms, with the default encapsulation being [VXLAN](https://github.com/coreos/flannel/blob/master/Documentation/backends.md#vxlan). 
@@ -70,13 +70,13 @@ Encapsulated traffic is unencrypted by default. Therefore, flannel provides an e Kubernetes workers should open UDP port `8472` (VXLAN) and TCP port `9099` (healthcheck). See [the port requirements for user clusters]({{}}/rancher/v2.x/en/cluster-provisioning/node-requirements/#networking-requirements/) for more details. -![Flannel Diagram]({{< baseurl >}}/img/rancher/flannel-diagram.png) +![Flannel Diagram]({{}}/img/rancher/flannel-diagram.png) For more information, see the [Flannel GitHub Page](https://github.com/coreos/flannel). #### Calico -![Calico Logo]({{< baseurl >}}/img/rancher/calico-logo.png) +![Calico Logo]({{}}/img/rancher/calico-logo.png) Calico enables networking and network policy in Kubernetes clusters across the cloud. Calico uses a pure, unencapsulated IP network fabric and policy engine to provide networking for your Kubernetes workloads. Workloads are able to communicate over both cloud infrastructure and on-premise using BGP. @@ -84,7 +84,7 @@ Calico also provides a stateless IP-in-IP encapsulation mode that can be used, i Kubernetes workers should open TCP port `179` (BGP). See [the port requirements for user clusters]({{}}/rancher/v2.x/en/cluster-provisioning/node-requirements/#networking-requirements/) for more details. -![Calico Diagram]({{< baseurl >}}/img/rancher/calico-diagram.svg) +![Calico Diagram]({{}}/img/rancher/calico-diagram.svg) For more information, see the following pages: @@ -94,7 +94,7 @@ For more information, see the following pages: #### Weave -![Weave Logo]({{< baseurl >}}/img/rancher/weave-logo.png) +![Weave Logo]({{}}/img/rancher/weave-logo.png) _Available as of v2.2.0_ 
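Review bot: In the @@ -70,13 and @@ -84,7 hunks of cni-providers/_index.md, the context lines that point readers to the port requirements end the URL with `#networking-requirements/`. The trailing slash becomes part of the fragment, so the browser looks for an anchor named `networking-requirements/` and the reader lands at the top of the node requirements page instead of the port table. These are the links people follow when opening UDP `8472`, TCP `9099` and TCP `179` on workers, so drop the slash after the fragment in both places while this file is being edited.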
@@ -151,4 +151,4 @@ As of Rancher v2.0.7, Canal is the default CNI network provider. We recommend it ### How can I configure a CNI network provider? -Please see [Cluster Options]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/options/) on how to configure a network provider for your cluster. For more advanced configuration options, please see how to configure your cluster using a [Config File]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/options/#config-file) and the options for [Network Plug-ins]({{< baseurl >}}/rke/latest/en/config-options/add-ons/network-plugins/). +Please see [Cluster Options]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/options/) on how to configure a network provider for your cluster. For more advanced configuration options, please see how to configure your cluster using a [Config File]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/options/#config-file) and the options for [Network Plug-ins]({{}}/rke/latest/en/config-options/add-ons/network-plugins/). diff --git a/content/rancher/v2.x/en/faq/security/_index.md b/content/rancher/v2.x/en/faq/security/_index.md index 733b79dbf05..f9d6ec86452 100644 --- a/content/rancher/v2.x/en/faq/security/_index.md +++ b/content/rancher/v2.x/en/faq/security/_index.md @@ -6,10 +6,10 @@ weight: 8007 **Is there a Hardening Guide?** -The Hardening Guide is now located in the main [Security]({{< baseurl >}}/rancher/v2.x/en/security/) section. +The Hardening Guide is now located in the main [Security]({{}}/rancher/v2.x/en/security/) section.
    **What are the results of Rancher's Kubernetes cluster when it is CIS benchmarked?** -We have run the CIS Kubernetes benchmark against a hardened Rancher Kubernetes cluster. The results of that assessment can be found in the main [Security]({{< baseurl >}}/rancher/v2.x/en/security/) section. +We have run the CIS Kubernetes benchmark against a hardened Rancher Kubernetes cluster. The results of that assessment can be found in the main [Security]({{}}/rancher/v2.x/en/security/) section. diff --git a/content/rancher/v2.x/en/faq/technical/_index.md b/content/rancher/v2.x/en/faq/technical/_index.md index e901475ca57..d5b22464771 100644 --- a/content/rancher/v2.x/en/faq/technical/_index.md +++ b/content/rancher/v2.x/en/faq/technical/_index.md @@ -116,7 +116,7 @@ Node Templates can be accessed by opening your account menu (top right) and sele ### Why is my Layer-4 Load Balancer in `Pending` state? -The Layer-4 Load Balancer is created as `type: LoadBalancer`. In Kubernetes, this needs a cloud provider or controller that can satisfy these requests, otherwise these will be in `Pending` state forever. More information can be found on [Cloud Providers]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/options/cloud-providers/) or [Create External Load Balancer](https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/) +The Layer-4 Load Balancer is created as `type: LoadBalancer`. In Kubernetes, this needs a cloud provider or controller that can satisfy these requests, otherwise these will be in `Pending` state forever. More information can be found on [Cloud Providers]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/options/cloud-providers/) or [Create External Load Balancer](https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/) ### Where is the state of Rancher stored? 
@@ -131,7 +131,7 @@ We follow the validated Docker versions for upstream Kubernetes releases. The va SSH keys to access the nodes created by Rancher can be downloaded via the **Nodes** view. Choose the node which you want to access and click on the vertical ellipsis button at the end of the row, and choose **Download Keys** as shown in the picture below. -![Download Keys]({{< baseurl >}}/img/rancher/downloadsshkeys.png) +![Download Keys]({{}}/img/rancher/downloadsshkeys.png) Unzip the downloaded zip file, and use the file `id_rsa` to connect to you host. Be sure to use the correct username (`rancher` or `docker` for RancherOS, `ubuntu` for Ubuntu, `ec2-user` for Amazon Linux) 
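Review bot: The context line below the image reads "use the file `id_rsa` to connect to you host" and the sentence after it, listing the usernames, has no closing period. Fix "you host" to "your host" and terminate the username sentence, since this hunk is already touching the paragraph that explains how the downloaded keys are used.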
@@ -150,13 +150,13 @@ The UI consists of static files, and works based on responses of the API. That m A node is required to have a static IP configured (or a reserved IP via DHCP). If the IP of a node has changed, you will have to remove it from the cluster and readd it. After it is removed, Rancher will update the cluster to the correct state. If the cluster is no longer in `Provisioning` state, the node is removed from the cluster. -When the IP address of the node changed, Rancher lost connection to the node, so it will be unable to clean the node properly. See [Cleaning cluster nodes]({{< baseurl >}}/rancher/v2.x/en/faq/cleaning-cluster-nodes/) to clean the node. +When the IP address of the node changed, Rancher lost connection to the node, so it will be unable to clean the node properly. See [Cleaning cluster nodes]({{}}/rancher/v2.x/en/faq/cleaning-cluster-nodes/) to clean the node. When the node is removed from the cluster, and the node is cleaned, you can readd the node to the cluster. ### How can I add additional arguments/binds/environment variables to Kubernetes components in a Rancher Launched Kubernetes cluster? -You can add additional arguments/binds/environment variables via the [Config File]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/options/#config-file) option in Cluster Options. For more information, see the [Extra Args, Extra Binds, and Extra Environment Variables]({{< baseurl >}}/rke/latest/en/config-options/services/services-extras/) in the RKE documentation or browse the [Example Cluster.ymls]({{< baseurl >}}/rke/latest/en/example-yamls/). +You can add additional arguments/binds/environment variables via the [Config File]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/options/#config-file) option in Cluster Options. 
For more information, see the [Extra Args, Extra Binds, and Extra Environment Variables]({{}}/rke/latest/en/config-options/services/services-extras/) in the RKE documentation or browse the [Example Cluster.ymls]({{}}/rke/latest/en/example-yamls/). ### How do I check if my certificate chain is valid? diff --git a/content/rancher/v2.x/en/k8s-in-rancher/_index.md b/content/rancher/v2.x/en/k8s-in-rancher/_index.md index 5b112b5725e..71830fc1f00 100644 --- a/content/rancher/v2.x/en/k8s-in-rancher/_index.md +++ b/content/rancher/v2.x/en/k8s-in-rancher/_index.md 
@@ -7,19 +7,19 @@ aliases: - /rancher/v2.x/en/concepts/resources/ --- -When your project is set up, [project members]({{< baseurl >}}/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/#project-roles) can start managing their applications and all the components that comprise it. +When your project is set up, [project members]({{}}/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/#project-roles) can start managing their applications and all the components that comprise it. ## Workloads -Deploy applications to your cluster nodes using [workloads]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/workloads/), which are objects that contain pods that run your apps, along with metadata that set rules for the deployment's behavior. Workloads can be deployed within the scope of the entire clusters or within a namespace. +Deploy applications to your cluster nodes using [workloads]({{}}/rancher/v2.x/en/k8s-in-rancher/workloads/), which are objects that contain pods that run your apps, along with metadata that set rules for the deployment's behavior. Workloads can be deployed within the scope of the entire clusters or within a namespace. -When deploying a workload, you can deploy from any image. There are a variety of [workload types]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/workloads/#workload-types) to choose from which determine how your application should run. +When deploying a workload, you can deploy from any image. There are a variety of [workload types]({{}}/rancher/v2.x/en/k8s-in-rancher/workloads/#workload-types) to choose from which determine how your application should run. Following a workload deployment, you can continue working with it. You can: -- [Upgrade]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/workloads/upgrade-workloads) the workload to a newer version of the application it's running. 
-- [Roll back]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/workloads/rollback-workloads) a workload to a previous version, if an issue occurs during upgrade. -- [Add a sidecar]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/workloads/add-a-sidecar), which is a workload that supports a primary workload. +- [Upgrade]({{}}/rancher/v2.x/en/k8s-in-rancher/workloads/upgrade-workloads) the workload to a newer version of the application it's running. +- [Roll back]({{}}/rancher/v2.x/en/k8s-in-rancher/workloads/rollback-workloads) a workload to a previous version, if an issue occurs during upgrade. +- [Add a sidecar]({{}}/rancher/v2.x/en/k8s-in-rancher/workloads/add-a-sidecar), which is a workload that supports a primary workload. ## Load Balancing and Ingress @@ -31,10 +31,10 @@ If you want your applications to be externally accessible, you must add a load b Rancher supports two types of load balancers: -- [Layer-4 Load Balancers]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/load-balancers-and-ingress/load-balancers/#layer-4-load-balancer) -- [Layer-7 Load Balancers]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/load-balancers-and-ingress/load-balancers/#layer-7-load-balancer) +- [Layer-4 Load Balancers]({{}}/rancher/v2.x/en/k8s-in-rancher/load-balancers-and-ingress/load-balancers/#layer-4-load-balancer) +- [Layer-7 Load Balancers]({{}}/rancher/v2.x/en/k8s-in-rancher/load-balancers-and-ingress/load-balancers/#layer-7-load-balancer) -For more information, see [load balancers]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/load-balancers-and-ingress/load-balancers). +For more information, see [load balancers]({{}}/rancher/v2.x/en/k8s-in-rancher/load-balancers-and-ingress/load-balancers). #### Ingress 
@@ -42,29 +42,29 @@ Load Balancers can only handle one IP address per service, which means if you ru Ingress is a set or rules that act as a load balancer. Ingress works in conjunction with one or more ingress controllers to dynamically route service requests. When the ingress receives a request, the ingress controller(s) in your cluster program the load balancer to direct the request to the correct service based on service subdomains or path rules that you've configured. -For more information, see [Ingress]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/load-balancers-and-ingress/ingress). +For more information, see [Ingress]({{}}/rancher/v2.x/en/k8s-in-rancher/load-balancers-and-ingress/ingress). When using ingresses in a project, you can program the ingress hostname to an external DNS by setting up a Global DNS entry. -For more information, see [Global DNS]({{< baseurl >}}/rancher/v2.x/en/catalog/globaldns/). +For more information, see [Global DNS]({{}}/rancher/v2.x/en/catalog/globaldns/). ## Service Discovery After you expose your cluster to external requests using a load balancer and/or ingress, it's only available by IP address. To create a resolveable hostname, you must create a service record, which is a record that maps an IP address, external hostname, DNS record alias, workload(s), or labelled pods to a specific hostname. -For more information, see [Service Discovery]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/service-discovery). +For more information, see [Service Discovery]({{}}/rancher/v2.x/en/k8s-in-rancher/service-discovery). ## Pipelines -After your project has been [configured to a version control provider]({{< baseurl >}}/rancher/v2.x/en/project-admin/pipelines/#version-control-providers), you can add the repositories and start configuring a pipeline for each repository. 
+After your project has been [configured to a version control provider]({{}}/rancher/v2.x/en/project-admin/pipelines/#version-control-providers), you can add the repositories and start configuring a pipeline for each repository. -For more information, see [Pipelines]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/pipelines/). +For more information, see [Pipelines]({{}}/rancher/v2.x/en/k8s-in-rancher/pipelines/). ## Applications Besides launching individual components of an application, you can use the Rancher catalog to start launching applications, which are Helm charts. -For more information, see [Applications in a Project]({{< baseurl >}}/rancher/v2.x/en/catalog/apps/). +For more information, see [Applications in a Project]({{}}/rancher/v2.x/en/catalog/apps/). ## Kubernetes Resources 
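Review bot: The leading context line of this hunk says "Ingress is a set or rules that act as a load balancer", which should read "a set of rules". The Service Discovery context paragraph further down also spells "resolveable"; "resolvable" is the usual form. Both sit within lines this hunk already covers, so they can be corrected in the same change.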
@@ -72,7 +72,7 @@ Within the context of a Rancher project or namespace, _resources_ are files and Resources include: -- [Certificates]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/certificates/): Files used to encrypt/decrypt data entering or leaving the cluster. -- [ConfigMaps]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/configmaps/): Files that store general configuration information, such as a group of config files. -- [Secrets]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/secrets/): Files that store sensitive data like passwords, tokens, or keys. -- [Registries]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/registries/): Files that carry credentials used to authenticate with private registries. +- [Certificates]({{}}/rancher/v2.x/en/k8s-in-rancher/certificates/): Files used to encrypt/decrypt data entering or leaving the cluster. +- [ConfigMaps]({{}}/rancher/v2.x/en/k8s-in-rancher/configmaps/): Files that store general configuration information, such as a group of config files. +- [Secrets]({{}}/rancher/v2.x/en/k8s-in-rancher/secrets/): Files that store sensitive data like passwords, tokens, or keys. +- [Registries]({{}}/rancher/v2.x/en/k8s-in-rancher/registries/): Files that carry credentials used to authenticate with private registries. diff --git a/content/rancher/v2.x/en/k8s-in-rancher/certificates/_index.md b/content/rancher/v2.x/en/k8s-in-rancher/certificates/_index.md index e4c3b501564..2ab2329eeeb 100644 --- a/content/rancher/v2.x/en/k8s-in-rancher/certificates/_index.md +++ b/content/rancher/v2.x/en/k8s-in-rancher/certificates/_index.md 
@@ -24,7 +24,7 @@ Add SSL certificates to either projects, namespaces, or both. A project scoped c - **Available to all namespaces in this project:** The certificate is available for any deployment in any namespaces in the project. - - **Available to a single namespace:** The certificate is only available for the deployments in one [namespace]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/projects-and-namespaces/#namespaces). If you choose this option, select a **Namespace** from the drop-down list or click **Add to a new namespace** to add the certificate to a namespace you create on the fly. + - **Available to a single namespace:** The certificate is only available for the deployments in one [namespace]({{}}/rancher/v2.x/en/k8s-in-rancher/projects-and-namespaces/#namespaces). If you choose this option, select a **Namespace** from the drop-down list or click **Add to a new namespace** to add the certificate to a namespace you create on the fly. 1. From **Private Key**, either copy and paste your certificate's private key into the text box (include the header and footer), or click **Read from a file** to browse to the private key on your file system. If possible, we recommend using **Read from a file** to reduce likelihood of error. @@ -42,4 +42,4 @@ Add SSL certificates to either projects, namespaces, or both. A project scoped c ## What's Next? -Now you can add the certificate when launching an ingress within the current project or namespace. For more information, see [Adding Ingress]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/load-balancers-and-ingress/ingress/). +Now you can add the certificate when launching an ingress within the current project or namespace. For more information, see [Adding Ingress]({{}}/rancher/v2.x/en/k8s-in-rancher/load-balancers-and-ingress/ingress/). diff --git a/content/rancher/v2.x/en/k8s-in-rancher/configmaps/_index.md b/content/rancher/v2.x/en/k8s-in-rancher/configmaps/_index.md index ea62cc86e4f..acd710150de 100644 
--- a/content/rancher/v2.x/en/k8s-in-rancher/configmaps/_index.md +++ b/content/rancher/v2.x/en/k8s-in-rancher/configmaps/_index.md @@ -26,7 +26,7 @@ ConfigMaps accept key value pairs in common string formats, like config files or 1. Click **Save**. - >**Note:** Don't use ConfigMaps to store sensitive data [use a secret]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/secrets/). + >**Note:** Don't use ConfigMaps to store sensitive data [use a secret]({{}}/rancher/v2.x/en/k8s-in-rancher/secrets/). > >**Tip:** You can add multiple key value pairs to the ConfigMap by copying and pasting. > @@ -41,4 +41,4 @@ Now that you have a ConfigMap added to a namespace, you can add it to a workload - Application environment variables. - Specifying parameters for a Volume mounted to the workload. -For more information on adding ConfigMaps to a workload, see [Deploying Workloads]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/workloads/deploy-workloads/). +For more information on adding ConfigMaps to a workload, see [Deploying Workloads]({{}}/rancher/v2.x/en/k8s-in-rancher/workloads/deploy-workloads/). diff --git a/content/rancher/v2.x/en/k8s-in-rancher/horitzontal-pod-autoscaler/_index.md b/content/rancher/v2.x/en/k8s-in-rancher/horitzontal-pod-autoscaler/_index.md index 2301619cd7a..b5f6ea2d0b2 100644 --- a/content/rancher/v2.x/en/k8s-in-rancher/horitzontal-pod-autoscaler/_index.md +++ b/content/rancher/v2.x/en/k8s-in-rancher/horitzontal-pod-autoscaler/_index.md 
@@ -19,17 +19,17 @@ The way that you manage HPAs is different based on your version of the Kubernete HPAs are also managed differently based on your version of Rancher: -- **For Rancher v2.3.0+**: You can create, manage, and delete HPAs using the Rancher UI. From the Rancher UI you can configure the HPA to scale based on CPU and memory utilization. For more information, refer to [Managing HPAs with the Rancher UI]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/horitzontal-pod-autoscaler/manage-hpa-with-rancher-ui). To scale the HPA based on custom metrics, you still need to use `kubectl`. For more information, refer to [Configuring HPA to Scale Using Custom Metrics with Prometheus]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/horitzontal-pod-autoscaler/manage-hpa-with-kubectl/#configuring-hpa-to-scale-using-custom-metrics-with-prometheus). -- **For Rancher Prior to v2.3.0:** To manage and configure HPAs, you need to use `kubectl`. For instructions on how to create, manage, and scale HPAs, refer to [Managing HPAs with kubectl]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/horitzontal-pod-autoscaler/manage-hpa-with-kubectl). +- **For Rancher v2.3.0+**: You can create, manage, and delete HPAs using the Rancher UI. From the Rancher UI you can configure the HPA to scale based on CPU and memory utilization. For more information, refer to [Managing HPAs with the Rancher UI]({{}}/rancher/v2.x/en/k8s-in-rancher/horitzontal-pod-autoscaler/manage-hpa-with-rancher-ui). To scale the HPA based on custom metrics, you still need to use `kubectl`. For more information, refer to [Configuring HPA to Scale Using Custom Metrics with Prometheus]({{}}/rancher/v2.x/en/k8s-in-rancher/horitzontal-pod-autoscaler/manage-hpa-with-kubectl/#configuring-hpa-to-scale-using-custom-metrics-with-prometheus). +- **For Rancher Prior to v2.3.0:** To manage and configure HPAs, you need to use `kubectl`. 
For instructions on how to create, manage, and scale HPAs, refer to [Managing HPAs with kubectl]({{}}/rancher/v2.x/en/k8s-in-rancher/horitzontal-pod-autoscaler/manage-hpa-with-kubectl). You might have additional HPA installation steps if you are using an older version of Rancher: - **For Rancher v2.0.7+:** Clusters created in Rancher v2.0.7 and higher automatically have all the requirements needed (metrics-server and Kubernetes cluster configuration) to use HPA. -- **For Rancher Prior to v2.0.7:** Clusters created in Rancher prior to v2.0.7 don't automatically have the requirements needed to use HPA. For instructions on installing HPA for these clusters, refer to [Manual HPA Installation for Clusters Created Before Rancher v2.0.7]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/horitzontal-pod-autoscaler/hpa-for-rancher-before-2_0_7). +- **For Rancher Prior to v2.0.7:** Clusters created in Rancher prior to v2.0.7 don't automatically have the requirements needed to use HPA. For instructions on installing HPA for these clusters, refer to [Manual HPA Installation for Clusters Created Before Rancher v2.0.7]({{}}/rancher/v2.x/en/k8s-in-rancher/horitzontal-pod-autoscaler/hpa-for-rancher-before-2_0_7). ## Testing HPAs with a Service Deployment -In Rancher v2.3.x+, you can see your HPA's current number of replicas by going to your project and clicking **Resources > HPA.** For more information, refer to [Get HPA Metrics and Status]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/horitzontal-pod-autoscaler/manage-hpa-with-rancher-ui/). +In Rancher v2.3.x+, you can see your HPA's current number of replicas by going to your project and clicking **Resources > HPA.** For more information, refer to [Get HPA Metrics and Status]({{}}/rancher/v2.x/en/k8s-in-rancher/horitzontal-pod-autoscaler/manage-hpa-with-rancher-ui/). You can also use `kubectl` to get the status of HPAs that you test with your load testing tool. 
For more information, refer to [Testing HPAs with kubectl] -({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/horitzontal-pod-autoscaler/testing-hpa/). +({{}}/rancher/v2.x/en/k8s-in-rancher/horitzontal-pod-autoscaler/testing-hpa/). diff --git a/content/rancher/v2.x/en/k8s-in-rancher/horitzontal-pod-autoscaler/hpa-background/_index.md b/content/rancher/v2.x/en/k8s-in-rancher/horitzontal-pod-autoscaler/hpa-background/_index.md index 222b0cb3d8c..d0d487a49ed 100644 --- a/content/rancher/v2.x/en/k8s-in-rancher/horitzontal-pod-autoscaler/hpa-background/_index.md +++ b/content/rancher/v2.x/en/k8s-in-rancher/horitzontal-pod-autoscaler/hpa-background/_index.md @@ -20,7 +20,7 @@ HPA improves your services by: ## How HPA Works -![HPA Schema]({{< baseurl >}}/img/rancher/horizontal-pod-autoscaler.jpg) +![HPA Schema]({{}}/img/rancher/horizontal-pod-autoscaler.jpg) HPA is implemented as a control loop, with a period controlled by the `kube-controller-manager` flags below: diff --git a/content/rancher/v2.x/en/k8s-in-rancher/horitzontal-pod-autoscaler/manage-hpa-with-kubectl/_index.md b/content/rancher/v2.x/en/k8s-in-rancher/horitzontal-pod-autoscaler/manage-hpa-with-kubectl/_index.md index 2d3cf10c87c..0d19fa185e2 100644 --- a/content/rancher/v2.x/en/k8s-in-rancher/horitzontal-pod-autoscaler/manage-hpa-with-kubectl/_index.md +++ b/content/rancher/v2.x/en/k8s-in-rancher/horitzontal-pod-autoscaler/manage-hpa-with-kubectl/_index.md 
@@ -13,11 +13,11 @@ This section describes HPA management with `kubectl`. This document has instruct ### Note For Rancher v2.3.x -In Rancher v2.3.x, you can create, view, and delete HPAs from the Rancher UI. You can also configure them to scale based on CPU or memory usage from the Rancher UI. For more information, refer to [Managing HPAs with the Rancher UI]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/horitzontal-pod-autoscaler/manage-hpa-with-rancher-ui). For scaling HPAs based on other metrics than CPU or memory, you still need `kubectl`. +In Rancher v2.3.x, you can create, view, and delete HPAs from the Rancher UI. You can also configure them to scale based on CPU or memory usage from the Rancher UI. For more information, refer to [Managing HPAs with the Rancher UI]({{}}/rancher/v2.x/en/k8s-in-rancher/horitzontal-pod-autoscaler/manage-hpa-with-rancher-ui). For scaling HPAs based on other metrics than CPU or memory, you still need `kubectl`. ### Note For Rancher Prior to v2.0.7 -Clusters created with older versions of Rancher don't automatically have all the requirements to create an HPA. To install an HPA on these clusters, refer to [Manual HPA Installation for Clusters Created Before Rancher v2.0.7]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/horitzontal-pod-autoscaler/hpa-for-rancher-before-2_0_7). +Clusters created with older versions of Rancher don't automatically have all the requirements to create an HPA. To install an HPA on these clusters, refer to [Manual HPA Installation for Clusters Created Before Rancher v2.0.7]({{}}/rancher/v2.x/en/k8s-in-rancher/horitzontal-pod-autoscaler/hpa-for-rancher-before-2_0_7). ##### Basic kubectl Command for Managing HPAs diff --git a/content/rancher/v2.x/en/k8s-in-rancher/horitzontal-pod-autoscaler/manage-hpa-with-rancher-ui/_index.md b/content/rancher/v2.x/en/k8s-in-rancher/horitzontal-pod-autoscaler/manage-hpa-with-rancher-ui/_index.md index 5a3af016138..6b812cf8dd7 100644 
--- a/content/rancher/v2.x/en/k8s-in-rancher/horitzontal-pod-autoscaler/manage-hpa-with-rancher-ui/_index.md +++ b/content/rancher/v2.x/en/k8s-in-rancher/horitzontal-pod-autoscaler/manage-hpa-with-rancher-ui/_index.md @@ -7,7 +7,7 @@ _Available as of v2.3.0_ The Rancher UI supports creating, managing, and deleting HPAs. You can configure CPU or memory usage as the metric that the HPA uses to scale. -If you want to create HPAs that scale based on other metrics than CPU and memory, refer to [Configuring HPA to Scale Using Custom Metrics with Prometheus]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/horitzontal-pod-autoscaler/manage-hpa-with-kubectl/#configuring-hpa-to-scale-using-custom-metrics-with-prometheus). +If you want to create HPAs that scale based on other metrics than CPU and memory, refer to [Configuring HPA to Scale Using Custom Metrics with Prometheus]({{}}/rancher/v2.x/en/k8s-in-rancher/horitzontal-pod-autoscaler/manage-hpa-with-kubectl/#configuring-hpa-to-scale-using-custom-metrics-with-prometheus). ## Creating an HPA 
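Review bot: the `+` line in this hunk of manage-hpa-with-rancher-ui/_index.md replaces `{{< baseurl >}}` with an empty `{{}}`, so the link to the custom-metrics section no longer names the `baseurl` shortcode at all. If the goal was only to normalise the spacing, the replacement should keep the name; otherwise the commit message should say what `{{}}` is expected to expand to. The same substitution appears in the other hunks of this patch, so one correction to the search-and-replace covers all of them.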
@@ -25,7 +25,7 @@ If you want to create HPAs that scale based on other metrics than CPU and memory 1. Specify the **Minimum Scale** and **Maximum Scale** for the HPA. -1. Configure the metrics for the HPA. You can choose memory or CPU usage as the metric that will cause the HPA to scale the service up or down. In the **Quantity** field, enter the percentage of the workload's memory or CPU usage that will cause the HPA to scale the service. To configure other HPA metrics, including metrics available from Prometheus, you need to [manage HPAs using kubectl]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/horitzontal-pod-autoscaler/manage-hpa-with-kubectl/#configuring-hpa-to-scale-using-custom-metrics-with-prometheus). +1. Configure the metrics for the HPA. You can choose memory or CPU usage as the metric that will cause the HPA to scale the service up or down. In the **Quantity** field, enter the percentage of the workload's memory or CPU usage that will cause the HPA to scale the service. To configure other HPA metrics, including metrics available from Prometheus, you need to [manage HPAs using kubectl]({{}}/rancher/v2.x/en/k8s-in-rancher/horitzontal-pod-autoscaler/manage-hpa-with-kubectl/#configuring-hpa-to-scale-using-custom-metrics-with-prometheus). 1. Click **Create** to create the HPA. diff --git a/content/rancher/v2.x/en/k8s-in-rancher/horitzontal-pod-autoscaler/testing-hpa/_index.md b/content/rancher/v2.x/en/k8s-in-rancher/horitzontal-pod-autoscaler/testing-hpa/_index.md index cb49344658d..7df9409d618 100644 --- a/content/rancher/v2.x/en/k8s-in-rancher/horitzontal-pod-autoscaler/testing-hpa/_index.md +++ b/content/rancher/v2.x/en/k8s-in-rancher/horitzontal-pod-autoscaler/testing-hpa/_index.md 
@@ -3,7 +3,7 @@ title: Testing HPAs with kubectl weight: 3031 --- -This document describes how to check the status of your HPAs after scaling them up or down with your load testing tool. For information on how to check the status from the Rancher UI (at least version 2.3.x), refer to [Managing HPAs with the Rancher UI]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/horitzontal-pod-autoscaler/manage-hpa-with-kubectl/). +This document describes how to check the status of your HPAs after scaling them up or down with your load testing tool. For information on how to check the status from the Rancher UI (at least version 2.3.x), refer to [Managing HPAs with the Rancher UI]({{}}/rancher/v2.x/en/k8s-in-rancher/horitzontal-pod-autoscaler/manage-hpa-with-kubectl/). For HPA to work correctly, service deployments should have resources request definitions for containers. Follow this hello-world example to test if HPA is working correctly. diff --git a/content/rancher/v2.x/en/k8s-in-rancher/load-balancers-and-ingress/_index.md b/content/rancher/v2.x/en/k8s-in-rancher/load-balancers-and-ingress/_index.md index 096c69a6c17..6c56007e544 100644 --- a/content/rancher/v2.x/en/k8s-in-rancher/load-balancers-and-ingress/_index.md +++ b/content/rancher/v2.x/en/k8s-in-rancher/load-balancers-and-ingress/_index.md 
@@ -14,10 +14,10 @@ If you want your applications to be externally accessible, you must add a load b Rancher supports two types of load balancers: -- [Layer-4 Load Balancers]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/load-balancers-and-ingress/load-balancers/#layer-4-load-balancer) -- [Layer-7 Load Balancers]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/load-balancers-and-ingress/load-balancers/#layer-7-load-balancer) +- [Layer-4 Load Balancers]({{}}/rancher/v2.x/en/k8s-in-rancher/load-balancers-and-ingress/load-balancers/#layer-4-load-balancer) +- [Layer-7 Load Balancers]({{}}/rancher/v2.x/en/k8s-in-rancher/load-balancers-and-ingress/load-balancers/#layer-7-load-balancer) -For more information, see [load balancers]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/load-balancers-and-ingress/load-balancers). +For more information, see [load balancers]({{}}/rancher/v2.x/en/k8s-in-rancher/load-balancers-and-ingress/load-balancers). ### Load Balancer Limitations 
@@ -28,9 +28,9 @@ Load Balancers have a couple of limitations you should be aware of: - If you want to use a load balancer with a Hosted Kubernetes cluster (i.e., clusters hosted in GKE, EKS, or AKS), the load balancer must be running within that cloud provider's infrastructure. Please review the compatibility tables regarding support for load balancers based on how you've provisioned your clusters: - - [Support for Layer-4 Load Balancing]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/load-balancers-and-ingress/load-balancers/#support-for-layer-4-load-balancing) + - [Support for Layer-4 Load Balancing]({{}}/rancher/v2.x/en/k8s-in-rancher/load-balancers-and-ingress/load-balancers/#support-for-layer-4-load-balancing) - - [Support for Layer-7 Load Balancing]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/load-balancers-and-ingress/load-balancers/#support-for-layer-7-load-balancing) + - [Support for Layer-7 Load Balancing]({{}}/rancher/v2.x/en/k8s-in-rancher/load-balancers-and-ingress/load-balancers/#support-for-layer-7-load-balancing) ## Ingress @@ -48,7 +48,7 @@ Ingress works in conjunction with one or more ingress controllers to dynamically Each Kubernetes Ingress resource corresponds roughly to a file in `/etc/nginx/sites-available/` containing a `server{}` configuration block, where requests for specific files and folders are configured. -Your ingress, which creates a port of entry to your cluster similar to a load balancer, can reside within your cluster or externally. Ingress and ingress controllers residing in RKE-launcher clusters are powered by [Nginx](https://www.nginx.com/). +Your ingress, which creates a port of entry to your cluster similar to a load balancer, can reside within your cluster or externally. Ingress and ingress controllers residing in RKE-launched clusters are powered by [Nginx](https://www.nginx.com/). Ingress can provide other functionality as well, such as SSL termination, name-based virtual hosting, and more. 
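Review bot: the changed line in this hunk of load-balancers-and-ingress/_index.md also corrects "RKE-launcher clusters" to "RKE-launched clusters", a wording fix unrelated to the link substitution that makes up the rest of the patch. Mention it in the commit message or move it to its own commit so it is not lost inside a mechanical change.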
@@ -56,6 +56,6 @@ Ingress can provide other functionality as well, such as SSL termination, name-b > >Refrain from adding an Ingress to the `local` cluster. The Nginx Ingress Controller that Rancher uses acts as a global entry point for _all_ clusters managed by Rancher, including the `local` cluster. Therefore, when users try to access an application, your Rancher connection may drop due to the Nginx configuration being reloaded. We recommend working around this issue by deploying applications only in clusters that you launch using Rancher. -- For more information on how to set up ingress in Rancher, see [Ingress]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/load-balancers-and-ingress/ingress). +- For more information on how to set up ingress in Rancher, see [Ingress]({{}}/rancher/v2.x/en/k8s-in-rancher/load-balancers-and-ingress/ingress). - For complete information about ingress and ingress controllers, see the [Kubernetes Ingress Documentation](https://kubernetes.io/docs/concepts/services-networking/ingress/) -- When using ingresses in a project, you can program the ingress hostname to an external DNS by setting up a Global DNS entry, see [Global DNS]({{< baseurl >}}/rancher/v2.x/en/catalog/globaldns/). +- When using ingresses in a project, you can program the ingress hostname to an external DNS by setting up a Global DNS entry, see [Global DNS]({{}}/rancher/v2.x/en/catalog/globaldns/). diff --git a/content/rancher/v2.x/en/k8s-in-rancher/load-balancers-and-ingress/ingress/_index.md b/content/rancher/v2.x/en/k8s-in-rancher/load-balancers-and-ingress/ingress/_index.md index d90fc336f02..4392f9fedd8 100644 --- a/content/rancher/v2.x/en/k8s-in-rancher/load-balancers-and-ingress/ingress/_index.md +++ b/content/rancher/v2.x/en/k8s-in-rancher/load-balancers-and-ingress/ingress/_index.md 
@@ -6,7 +6,7 @@ aliases: - /rancher/v2.x/en/tasks/workloads/add-ingress/ --- -Ingress can be added for workloads to provide load balancing, SSL termination and host/path based routing. When using ingresses in a project, you can program the ingress hostname to an external DNS by setting up a [Global DNS entry]({{< baseurl >}}/rancher/v2.x/en/catalog/globaldns/). +Ingress can be added for workloads to provide load balancing, SSL termination and host/path based routing. When using ingresses in a project, you can program the ingress hostname to an external DNS by setting up a [Global DNS entry]({{}}/rancher/v2.x/en/catalog/globaldns/). 1. From the **Global** view, open the project that you want to add ingress to. @@ -14,7 +14,7 @@ Ingress can be added for workloads to provide load balancing, SSL termination an 1. Enter a **Name** for the ingress. -1. Select an existing **Namespace** from the drop-down list. Alternatively, you can create a new [namespace]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/projects-and-namespaces/#namespaces) on the fly by clicking **Add to a new namespace**. +1. Select an existing **Namespace** from the drop-down list. Alternatively, you can create a new [namespace]({{}}/rancher/v2.x/en/k8s-in-rancher/projects-and-namespaces/#namespaces) on the fly by clicking **Add to a new namespace**. 1. Create ingress forwarding **Rules**. 
@@ -65,7 +65,7 @@ Ingress can be added for workloads to provide load balancing, SSL termination an 1. If any of your ingress rules handle requests for encrypted ports, add a certificate to encrypt/decrypt communications. - >**Note:** You must have an SSL certificate that the ingress can use to encrypt/decrypt communications. For more information see [Adding SSL Certificates]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/certificates/). + >**Note:** You must have an SSL certificate that the ingress can use to encrypt/decrypt communications. For more information see [Adding SSL Certificates]({{}}/rancher/v2.x/en/k8s-in-rancher/certificates/). 1. Click **Add Certificate**. diff --git a/content/rancher/v2.x/en/k8s-in-rancher/load-balancers-and-ingress/load-balancers/_index.md b/content/rancher/v2.x/en/k8s-in-rancher/load-balancers-and-ingress/load-balancers/_index.md index 9edfc95f878..7ae7742018d 100644 --- a/content/rancher/v2.x/en/k8s-in-rancher/load-balancers-and-ingress/load-balancers/_index.md +++ b/content/rancher/v2.x/en/k8s-in-rancher/load-balancers-and-ingress/load-balancers/_index.md 
@@ -67,8 +67,8 @@ The benefit of using xip.io is that you obtain a working entrypoint URL immediat #### Tutorials -- [Kubernetes installation with External Load Balancer (HTTPS/Layer 7)]({{< baseurl >}}/rancher/v2.x/en/installation/ha-server-install-external-lb) -- [Kubernetes installation with External Load Balancer (TCP/Layer 4)]({{< baseurl >}}/rancher/v2.x/en/installation/ha-server-install) -- [Docker Installation with External Load Balancer]({{< baseurl >}}/rancher/v2.x/en/installation/single-node-install-external-lb) +- [Kubernetes installation with External Load Balancer (HTTPS/Layer 7)]({{}}/rancher/v2.x/en/installation/ha-server-install-external-lb) +- [Kubernetes installation with External Load Balancer (TCP/Layer 4)]({{}}/rancher/v2.x/en/installation/ha-server-install) +- [Docker Installation with External Load Balancer]({{}}/rancher/v2.x/en/installation/single-node-install-external-lb) diff --git a/content/rancher/v2.x/en/k8s-in-rancher/pipelines/_index.md b/content/rancher/v2.x/en/k8s-in-rancher/pipelines/_index.md index e39437f23a7..bfe10301d3f 100644 --- a/content/rancher/v2.x/en/k8s-in-rancher/pipelines/_index.md +++ b/content/rancher/v2.x/en/k8s-in-rancher/pipelines/_index.md 
@@ -9,11 +9,11 @@ aliases: >**Notes:** > >- Pipelines are new and improved for Rancher v2.1! Therefore, if you configured pipelines while using v2.0.x, you'll have to reconfigure them after upgrading to v2.1. ->- Still using v2.0.x? See the pipeline documentation for [previous versions]({{< baseurl >}}/rancher/v2.x/en/tools/pipelines/docs-for-v2.0.x). +>- Still using v2.0.x? See the pipeline documentation for [previous versions]({{}}/rancher/v2.x/en/tools/pipelines/docs-for-v2.0.x). -Before setting up any pipelines, review the [pipeline overview]({{< baseurl >}}/rancher/v2.x/en/project-admin/pipelines/) and ensure that the project has [configured authentication to your version control provider]({{< baseurl >}}/rancher/v2.x/en/project-admin/pipelines/#version-control-providers), e.g. GitHub, GitLab, Bitbucket. If you haven't configured a version control provider, you can always use [Rancher's example repositories]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/pipelines/example/) to view some common pipeline deployments. +Before setting up any pipelines, review the [pipeline overview]({{}}/rancher/v2.x/en/project-admin/pipelines/) and ensure that the project has [configured authentication to your version control provider]({{}}/rancher/v2.x/en/project-admin/pipelines/#version-control-providers), e.g. GitHub, GitLab, Bitbucket. If you haven't configured a version control provider, you can always use [Rancher's example repositories]({{}}/rancher/v2.x/en/k8s-in-rancher/pipelines/example/) to view some common pipeline deployments. -If you can access a project, you can enable repositories to start building pipelines. 
Only an [administrator]({{< baseurl >}}/rancher/v2.x/en/admin-settings/rbac/global-permissions/), [cluster owner or member]({{< baseurl >}}/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/#cluster-roles), or [project owner]({{< baseurl >}}/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/#project-roles) can authorize version control providers. +If you can access a project, you can enable repositories to start building pipelines. Only an [administrator]({{}}/rancher/v2.x/en/admin-settings/rbac/global-permissions/), [cluster owner or member]({{}}/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/#cluster-roles), or [project owner]({{}}/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/#project-roles) can authorize version control providers. ## Concepts @@ -131,7 +131,7 @@ stages: 1. _Available as of v2.2.0_ - **Notifications:** Decide if you want to set up notifications for your pipeline. You can enable notifications to any [notifiers]({{< baseurl >}}/rancher/v2.x/en/cluster-admin/tools/notifiers/) based on the build status of a pipeline. Before enabling notifications, Rancher recommends [setting up notifiers]({{< baseurl >}}/rancher/v2.x/en/cluster-admin/tools/notifiers/#adding-notifiers) so it will be easy to add recipients immediately. + **Notifications:** Decide if you want to set up notifications for your pipeline. You can enable notifications to any [notifiers]({{}}/rancher/v2.x/en/cluster-admin/tools/notifiers/) based on the build status of a pipeline. Before enabling notifications, Rancher recommends [setting up notifiers]({{}}/rancher/v2.x/en/cluster-admin/tools/notifiers/#adding-notifiers) so it will be easy to add recipients immediately. {{% accordion id="notification" label="Configuring Notifications" %}} 
@@ -145,7 +145,7 @@ _Available as of v2.2.0_ 1. Select the conditions for the notification. You can select to get a notification for the following statuses: `Failed`, `Success`, `Changed`. For example, if you want to receive notifications when an execution fails, select **Failed**. -1. If you don't have any existing [notifiers]({{< baseurl >}}/rancher/v2.x/en/cluster-admin/tools/notifiers), Rancher will provide a warning that no notifiers are set up and provide a link to be able to go to the notifiers page. Follow the [instructions]({{< baseurl >}}/rancher/v2.x/en/cluster-admin/tools/notifiers/#adding-notifiers) to add a notifier. If you already have notifiers, you can add them to the notification by clicking the **Add Recipient** button. +1. If you don't have any existing [notifiers]({{}}/rancher/v2.x/en/cluster-admin/tools/notifiers), Rancher will provide a warning that no notifiers are set up and provide a link to be able to go to the notifiers page. Follow the [instructions]({{}}/rancher/v2.x/en/cluster-admin/tools/notifiers/#adding-notifiers) to add a notifier. If you already have notifiers, you can add them to the notification by clicking the **Add Recipient** button. > **Note:** Notifiers are configured at a cluster level and require a different level of permissions. 
@@ -233,7 +233,7 @@ timeout: 30 Run your pipeline for the first time. From the project view in Rancher, go to **Resources > Pipelines.** (In versions prior to v2.3.0, go to the **Pipelines** tab.) Find your pipeline and select the vertical **Ellipsis (...) > Run**. -During this initial run, your pipeline is tested, and the following [pipeline components]({{< baseurl >}}/rancher/v2.x/en/project-admin/pipelines/#how-pipelines-work) are deployed to your project as workloads in a new namespace dedicated to the pipeline: +During this initial run, your pipeline is tested, and the following [pipeline components]({{}}/rancher/v2.x/en/project-admin/pipelines/#how-pipelines-work) are deployed to your project as workloads in a new namespace dedicated to the pipeline: - `docker-registry` - `jenkins` @@ -251,7 +251,7 @@ Available Events: * **Pull Request**: Whenever a pull request is made to the repository, the pipeline is triggered. * **Tag**: When a tag is created in the repository, the pipeline is triggered. -> **Note:** This option doesn't exist for Rancher's [example repositories]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/pipelines/example/). +> **Note:** This option doesn't exist for Rancher's [example repositories]({{}}/rancher/v2.x/en/k8s-in-rancher/pipelines/example/). ### Modifying the Event Triggers for the Repository 
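Review bot: the **Note** line in this hunk links "example repositories" to `/rancher/v2.x/en/k8s-in-rancher/pipelines/example/`, but the page this patch edits further down lives at `k8s-in-rancher/pipelines/example-repos/_index.md`. Since the line is being touched anyway, check that `pipelines/example/` still resolves (for instance through an alias) or point the link at `pipelines/example-repos/`.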
@@ -374,7 +374,7 @@ stages: _Available as of v2.2.0_ -The **Publish Catalog Template** step publishes a version of a catalog app template (i.e. Helm chart) to a [git hosted chart repository]({{< baseurl >}}/rancher/v2.x/en/catalog/custom/). It generates a git commit and pushes it to your chart repository. This process requires a chart folder in your source code's repository and a pre-configured secret in the dedicated pipeline namespace to complete successfully. Any variables in the [pipeline variable substitution reference](#pipeline-variable-substitution-reference) is supported for any file in the chart folder. +The **Publish Catalog Template** step publishes a version of a catalog app template (i.e. Helm chart) to a [git hosted chart repository]({{}}/rancher/v2.x/en/catalog/custom/). It generates a git commit and pushes it to your chart repository. This process requires a chart folder in your source code's repository and a pre-configured secret in the dedicated pipeline namespace to complete successfully. Any variables in the [pipeline variable substitution reference](#pipeline-variable-substitution-reference) is supported for any file in the chart folder. {{% tabs %}} @@ -691,7 +691,7 @@ stages: ### Secrets -If you need to use security-sensitive information in your pipeline scripts (like a password), you can pass them in using Kubernetes [secrets]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/secrets/). +If you need to use security-sensitive information in your pipeline scripts (like a password), you can pass them in using Kubernetes [secrets]({{}}/rancher/v2.x/en/k8s-in-rancher/secrets/). #### Prerequisite Create a secret in the same project as your pipeline, or explicitly in the namespace where pipeline build pods run. diff --git a/content/rancher/v2.x/en/k8s-in-rancher/pipelines/example-repos/_index.md b/content/rancher/v2.x/en/k8s-in-rancher/pipelines/example-repos/_index.md index 00ddc2f207f..75619cd6702 100644 
--- a/content/rancher/v2.x/en/k8s-in-rancher/pipelines/example-repos/_index.md +++ b/content/rancher/v2.x/en/k8s-in-rancher/pipelines/example-repos/_index.md @@ -11,7 +11,7 @@ Rancher ships with several example repositories that you can use to familiarize - Maven - php -> **Note:** The example repositories are only available if you have not [configured a version control provider]({{< baseurl >}}/rancher/v2.x/en/project-admin/pipelines). +> **Note:** The example repositories are only available if you have not [configured a version control provider]({{}}/rancher/v2.x/en/project-admin/pipelines). ## Configure Repositories @@ -67,4 +67,4 @@ After enabling an example repository, run the pipeline to see how it works. ## What's Next? -For detailed information about setting up your own pipeline for your repository, [configure a version control provider]({{< baseurl >}}/rancher/v2.x/en/project-admin/pipelines), [enable a repository](#configure-repositories) and finally [configure your pipeline]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/pipelines/#pipeline-configuration). +For detailed information about setting up your own pipeline for your repository, [configure a version control provider]({{}}/rancher/v2.x/en/project-admin/pipelines), [enable a repository](#configure-repositories) and finally [configure your pipeline]({{}}/rancher/v2.x/en/k8s-in-rancher/pipelines/#pipeline-configuration). diff --git a/content/rancher/v2.x/en/k8s-in-rancher/registries/_index.md b/content/rancher/v2.x/en/k8s-in-rancher/registries/_index.md index 80c621c65fb..76a6887a055 100644 --- a/content/rancher/v2.x/en/k8s-in-rancher/registries/_index.md +++ b/content/rancher/v2.x/en/k8s-in-rancher/registries/_index.md 
@@ -30,7 +30,7 @@ Currently, deployments pull the private registry credentials automatically only >**Note:** Kubernetes classifies secrets, certificates, ConfigMaps, and registries all as [secrets](https://kubernetes.io/docs/concepts/configuration/secret/), and no two secrets in a project or namespace can have duplicate names. Therefore, to prevent conflicts, your registry must have a unique name among all secrets within your workspace. -1. Select a **Scope** for the registry. You can either make the registry available for the entire project or a single [namespace]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/projects-and-namespaces/#namespaces). +1. Select a **Scope** for the registry. You can either make the registry available for the entire project or a single [namespace]({{}}/rancher/v2.x/en/k8s-in-rancher/projects-and-namespaces/#namespaces). 1. Select the website that hosts your private registry. Then enter credentials that authenticate with the registry. For example, if you use DockerHub, provide your DockerHub username and password. diff --git a/content/rancher/v2.x/en/k8s-in-rancher/secrets/_index.md b/content/rancher/v2.x/en/k8s-in-rancher/secrets/_index.md index b6f31611d9e..88f2c9603af 100644 --- a/content/rancher/v2.x/en/k8s-in-rancher/secrets/_index.md +++ b/content/rancher/v2.x/en/k8s-in-rancher/secrets/_index.md 
@@ -25,7 +25,7 @@ When creating a secret, you can make it available for any deployment within a pr >**Note:** Kubernetes classifies secrets, certificates, ConfigMaps, and registries all as [secrets](https://kubernetes.io/docs/concepts/configuration/secret/), and no two secrets in a project or namespace can have duplicate names. Therefore, to prevent conflicts, your secret must have a unique name among all secrets within your workspace. -4. Select a **Scope** for the secret. You can either make the registry available for the entire project or a single [namespace]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/projects-and-namespaces/#namespaces). +4. Select a **Scope** for the secret. You can either make the registry available for the entire project or a single [namespace]({{}}/rancher/v2.x/en/k8s-in-rancher/projects-and-namespaces/#namespaces). 5. From **Secret Values**, click **Add Secret Value** to add a key value pair. Add as many values as you need. @@ -43,4 +43,4 @@ Any update to an active secrets won't automatically update the pods that are usi Now that you have a secret added to the project or namespace, you can add it to a workload that you deploy. -For more information on adding secret to a workload, see [Deploying Workloads]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/workloads/deploy-workloads/). +For more information on adding secret to a workload, see [Deploying Workloads]({{}}/rancher/v2.x/en/k8s-in-rancher/workloads/deploy-workloads/). diff --git a/content/rancher/v2.x/en/k8s-in-rancher/service-discovery/_index.md b/content/rancher/v2.x/en/k8s-in-rancher/service-discovery/_index.md index 6b0b289ef04..09334ecc2a0 100644 --- a/content/rancher/v2.x/en/k8s-in-rancher/service-discovery/_index.md +++ b/content/rancher/v2.x/en/k8s-in-rancher/service-discovery/_index.md 
@@ -8,7 +8,7 @@ aliases: For every workload created, a complementing Service Discovery entry is created. This Service Discovery entry enables DNS resolution for the workload's pods using the following naming convention: `..svc.cluster.local`. -However, you also have the option of creating additional Service Discovery records. You can use these additional records so that a given [namespace]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/projects-and-namespaces/#namespaces) resolves with one or more external IP addresses, an external hostname, an alias to another DNS record, other workloads, or a set of pods that match a selector that you create. +However, you also have the option of creating additional Service Discovery records. You can use these additional records so that a given [namespace]({{}}/rancher/v2.x/en/k8s-in-rancher/projects-and-namespaces/#namespaces) resolves with one or more external IP addresses, an external hostname, an alias to another DNS record, other workloads, or a set of pods that match a selector that you create. 1. From the **Global** view, open the project that you want to add a DNS record to. diff --git a/content/rancher/v2.x/en/k8s-in-rancher/workloads/_index.md b/content/rancher/v2.x/en/k8s-in-rancher/workloads/_index.md index 617929af284..3eed10c697d 100644 --- a/content/rancher/v2.x/en/k8s-in-rancher/workloads/_index.md +++ b/content/rancher/v2.x/en/k8s-in-rancher/workloads/_index.md 
@@ -71,9 +71,9 @@ There are several types of services available in Rancher. The descriptions below This section of the documentation contains instructions for deploying workloads and using workload options. -- [Deploy Workloads]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/workloads/deploy-workloads/) -- [Upgrade Workloads]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/workloads/upgrade-workloads/) -- [Rollback Workloads]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/workloads/rollback-workloads/) +- [Deploy Workloads]({{}}/rancher/v2.x/en/k8s-in-rancher/workloads/deploy-workloads/) +- [Upgrade Workloads]({{}}/rancher/v2.x/en/k8s-in-rancher/workloads/upgrade-workloads/) +- [Rollback Workloads]({{}}/rancher/v2.x/en/k8s-in-rancher/workloads/rollback-workloads/) ## Related Links diff --git a/content/rancher/v2.x/en/k8s-in-rancher/workloads/deploy-workloads/_index.md b/content/rancher/v2.x/en/k8s-in-rancher/workloads/deploy-workloads/_index.md index 123c2fd295f..b899d310fe6 100644 --- a/content/rancher/v2.x/en/k8s-in-rancher/workloads/deploy-workloads/_index.md +++ b/content/rancher/v2.x/en/k8s-in-rancher/workloads/deploy-workloads/_index.md 
@@ -14,25 +14,25 @@ Deploy a workload to run an application in one or more containers. 1. Enter a **Name** for the workload. -1. Select a [workload type]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/workloads/). The workload defaults to a scalable deployment, by can change the workload type by clicking **More options.** +1. Select a [workload type]({{}}/rancher/v2.x/en/k8s-in-rancher/workloads/). The workload defaults to a scalable deployment, by can change the workload type by clicking **More options.** 1. From the **Docker Image** field, enter the name of the Docker image that you want to deploy to the project, optionally prefacing it with the registry host (e.g. `quay.io`, `registry.gitlab.com`, etc.). During deployment, Rancher pulls this image from the specified public or private registry. If no registry host is provided, Rancher will pull the image from [Docker Hub](https://hub.docker.com/explore/). Enter the name exactly as it appears in the registry server, including any required path, and optionally including the desired tag (e.g. `registry.gitlab.com/user/path/image:tag`). If no tag is provided, the `latest` tag will be automatically used. -1. Either select an existing [namespace]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/projects-and-namespaces/#namespaces), or click **Add to a new namespace** and enter a new namespace. +1. Either select an existing [namespace]({{}}/rancher/v2.x/en/k8s-in-rancher/projects-and-namespaces/#namespaces), or click **Add to a new namespace** and enter a new namespace. -1. Click **Add Port** to enter a port mapping, which enables access to the application inside and outside of the cluster . For more information, see [Services]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/workloads/#services). +1. Click **Add Port** to enter a port mapping, which enables access to the application inside and outside of the cluster . For more information, see [Services]({{}}/rancher/v2.x/en/k8s-in-rancher/workloads/#services). 1. 
Configure the remaining options: - **Environment Variables** - Use this section to either specify environment variables for your workload to consume on the fly, or to pull them from another source, such as a secret or [ConfigMap]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/configmaps/). + Use this section to either specify environment variables for your workload to consume on the fly, or to pull them from another source, such as a secret or [ConfigMap]({{}}/rancher/v2.x/en/k8s-in-rancher/configmaps/). - **Node Scheduling** - **Health Check** - **Volumes** - Use this section to add storage for your workload. You can manually specify the volume that you want to add, use a persistent volume claim to dynamically create a volume for the workload, or read data for a volume to use from a file such as a [ConfigMap]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/configmaps/). + Use this section to add storage for your workload. You can manually specify the volume that you want to add, use a persistent volume claim to dynamically create a volume for the workload, or read data for a volume to use from a file such as a [ConfigMap]({{}}/rancher/v2.x/en/k8s-in-rancher/configmaps/). When you are deploying a Stateful Set, you should use a Volume Claim Template when using Persistent Volumes. This will ensure that Persistent Volumes are created dynamically when you scale your Stateful Set. This option is available in the UI as of Rancher v2.2.0. 
@@ -44,7 +44,7 @@ Deploy a workload to run an application in one or more containers. > >- In [Amazon AWS](https://aws.amazon.com/), the nodes must be in the same Availability Zone and possess IAM permissions to attach/unattach volumes. > - >- The cluster must be using the [AWS cloud provider](https://kubernetes.io/docs/concepts/cluster-administration/cloud-providers/#aws) option. For more information on enabling this option see [Creating an Amazon EC2 Cluster]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/node-pools/ec2/) or [Creating a Custom Cluster]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/custom-clusters/). + >- The cluster must be using the [AWS cloud provider](https://kubernetes.io/docs/concepts/cluster-administration/cloud-providers/#aws) option. For more information on enabling this option see [Creating an Amazon EC2 Cluster]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/node-pools/ec2/) or [Creating a Custom Cluster]({{}}/rancher/v2.x/en/cluster-provisioning/custom-clusters/). 1. Click **Show Advanced Options** and configure: diff --git a/content/rancher/v2.x/en/overview/_index.md b/content/rancher/v2.x/en/overview/_index.md index 92c84b5cb81..9a6b66224c3 100644 --- a/content/rancher/v2.x/en/overview/_index.md +++ b/content/rancher/v2.x/en/overview/_index.md @@ -22,7 +22,7 @@ Rancher provides an intuitive user interface for DevOps engineers to manage thei The following figure illustrates the role Rancher plays in IT and DevOps organizations. Each team deploys their applications on the public or private clouds they choose. IT administrators gain visibility and enforce policies across all users, clusters, and clouds. -![Platform]({{< baseurl >}}/img/rancher/platform.png) +![Platform]({{}}/img/rancher/platform.png) # Features of the Rancher API Server 
@@ -54,7 +54,7 @@ The Rancher API server is built on top of an embedded Kubernetes API server and # Editing Downstream Clusters with Rancher -The options and settings available for an existing cluster change based on the method that you used to provision it. For example, only clusters [provisioned by RKE]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/) have **Cluster Options** available for editing. +The options and settings available for an existing cluster change based on the method that you used to provision it. For example, only clusters [provisioned by RKE]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/) have **Cluster Options** available for editing. After a cluster is created with Rancher, a cluster administrator can manage cluster membership, enable pod security policies, and manage node pools, among [other options.]({{}}/rancher/v2.x/en/cluster-admin/editing-clusters/) diff --git a/content/rancher/v2.x/en/overview/architecture-recommendations/_index.md b/content/rancher/v2.x/en/overview/architecture-recommendations/_index.md index 016f7a8ce62..eb13e5562a9 100644 --- a/content/rancher/v2.x/en/overview/architecture-recommendations/_index.md +++ b/content/rancher/v2.x/en/overview/architecture-recommendations/_index.md @@ -45,14 +45,14 @@ We recommend the following configurations for the load balancer and Ingress cont * The Ingress controller will forward traffic to port TCP/80 on the pod in the Rancher deployment.
    Rancher installed on a Kubernetes cluster with layer 4 load balancer, depicting SSL termination at ingress controllers
    -![Rancher HA]({{< baseurl >}}/img/rancher/ha/rancher2ha.svg) +![Rancher HA]({{}}/img/rancher/ha/rancher2ha.svg) Rancher installed on a Kubernetes cluster with Layer 4 load balancer (TCP), depicting SSL termination at ingress controllers # Environment for Kubernetes Installations It is strongly recommended to install Rancher on a Kubernetes cluster on hosted infrastructure such as Amazon's EC2 or Google Compute Engine. -For the best performance and greater security, we recommend a dedicated Kubernetes cluster for the Rancher management server. Running user workloads on this cluster is not advised. After deploying Rancher, you can [create or import clusters]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/#cluster-creation-in-rancher) for running your workloads. +For the best performance and greater security, we recommend a dedicated Kubernetes cluster for the Rancher management server. Running user workloads on this cluster is not advised. After deploying Rancher, you can [create or import clusters]({{}}/rancher/v2.x/en/cluster-provisioning/#cluster-creation-in-rancher) for running your workloads. It is not recommended to install Rancher on top of a managed Kubernetes service such as Amazon’s EKS or Google Kubernetes Engine. These hosted Kubernetes solutions do not expose etcd to a degree that is manageable for Rancher, and their customizations can interfere with Rancher operations. diff --git a/content/rancher/v2.x/en/overview/architecture/_index.md b/content/rancher/v2.x/en/overview/architecture/_index.md index ffed8139364..8c05752602d 100644 --- a/content/rancher/v2.x/en/overview/architecture/_index.md +++ b/content/rancher/v2.x/en/overview/architecture/_index.md 
@@ -31,13 +31,13 @@ The majority of Rancher 2.x software runs on the Rancher Server. Rancher Server The figure below illustrates the high-level architecture of Rancher 2.x. The figure depicts a Rancher Server installation that manages two downstream Kubernetes clusters: one created by RKE and another created by Amazon EKS (Elastic Kubernetes Service). -For the best performance and security, we recommend a dedicated Kubernetes cluster for the Rancher management server. Running user workloads on this cluster is not advised. After deploying Rancher, you can [create or import clusters]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/#cluster-creation-in-rancher) for running your workloads. +For the best performance and security, we recommend a dedicated Kubernetes cluster for the Rancher management server. Running user workloads on this cluster is not advised. After deploying Rancher, you can [create or import clusters]({{}}/rancher/v2.x/en/cluster-provisioning/#cluster-creation-in-rancher) for running your workloads. The diagram below shows how users can manipulate both [Rancher-launched Kubernetes]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/) clusters and [hosted Kubernetes]({{}}/rancher/v2.x/en/cluster-provisioning/hosted-kubernetes-clusters/) clusters through Rancher's authentication proxy:
    Managing Kubernetes Clusters through Rancher's Authentication Proxy
    -![Architecture]({{< baseurl >}}/img/rancher/rancher-architecture-rancher-api-server.svg) +![Architecture]({{}}/img/rancher/rancher-architecture-rancher-api-server.svg) You can install Rancher on a single node, or on a high-availability Kubernetes cluster. diff --git a/content/rancher/v2.x/en/project-admin/_index.md b/content/rancher/v2.x/en/project-admin/_index.md index 1fa9df84378..508e627147d 100644 --- a/content/rancher/v2.x/en/project-admin/_index.md +++ b/content/rancher/v2.x/en/project-admin/_index.md 
@@ -18,19 +18,19 @@ Rancher projects resolve this issue by allowing you to apply resources and acces You can use projects to perform actions like: -- [Assign users access to a group of namespaces]({{< baseurl >}}/rancher/v2.x/en/project-admin/project-members) -- Assign users [specific roles in a project]({{< baseurl >}}/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/#project-roles). A role can be owner, member, read-only, or [custom]({{< baseurl >}}/rancher/v2.x/en/admin-settings/rbac/default-custom-roles/) -- [Set resource quotas]({{< baseurl >}}/rancher/v2.x/en/project-admin/resource-quotas/) -- [Manage namespaces]({{< baseurl >}}/rancher/v2.x/en/project-admin/namespaces/) -- [Configure tools]({{< baseurl >}}/rancher/v2.x/en/project-admin/tools/) +- [Assign users access to a group of namespaces]({{}}/rancher/v2.x/en/project-admin/project-members) +- Assign users [specific roles in a project]({{}}/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/#project-roles). A role can be owner, member, read-only, or [custom]({{}}/rancher/v2.x/en/admin-settings/rbac/default-custom-roles/) +- [Set resource quotas]({{}}/rancher/v2.x/en/project-admin/resource-quotas/) +- [Manage namespaces]({{}}/rancher/v2.x/en/project-admin/namespaces/) +- [Configure tools]({{}}/rancher/v2.x/en/project-admin/tools/) - [Set up pipelines for continuous integration and deployment]({{}}/rancher/v2.x/en/project-admin/pipelines) - [Configure pod security policies]({{}}/rancher/v2.x/en/project-admin/pod-security-policies) ### Authorization -Non-administrative users are only authorized for project access after an [administrator]({{< baseurl >}}/rancher/v2.x/en/admin-settings/rbac/global-permissions/), [cluster owner or member]({{< baseurl >}}/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/#cluster-roles), or [project owner]({{< baseurl >}}/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/#project-roles) adds them to the project's **Members** tab. 
+Non-administrative users are only authorized for project access after an [administrator]({{}}/rancher/v2.x/en/admin-settings/rbac/global-permissions/), [cluster owner or member]({{}}/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/#cluster-roles), or [project owner]({{}}/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/#project-roles) adds them to the project's **Members** tab. -Whoever creates the project automatically becomes a [project owner]({{< baseurl >}}/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/#project-roles). +Whoever creates the project automatically becomes a [project owner]({{}}/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/#project-roles). ## Switching between Projects diff --git a/content/rancher/v2.x/en/project-admin/namespaces/_index.md b/content/rancher/v2.x/en/project-admin/namespaces/_index.md index b8a400c9a79..82b308daf17 100644 --- a/content/rancher/v2.x/en/project-admin/namespaces/_index.md +++ b/content/rancher/v2.x/en/project-admin/namespaces/_index.md 
@@ -9,14 +9,14 @@ Although you assign resources at the project level so that each namespace in the Resources that you can assign directly to namespaces include: -- [Workloads]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/workloads/) -- [Load Balancers/Ingress]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/load-balancers-and-ingress/) -- [Service Discovery Records]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/service-discovery/) -- [Persistent Volume Claims]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/volumes-and-storage/persistent-volume-claims/) -- [Certificates]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/certificates/) -- [ConfigMaps]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/configmaps/) -- [Registries]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/registries/) -- [Secrets]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/secrets/) +- [Workloads]({{}}/rancher/v2.x/en/k8s-in-rancher/workloads/) +- [Load Balancers/Ingress]({{}}/rancher/v2.x/en/k8s-in-rancher/load-balancers-and-ingress/) +- [Service Discovery Records]({{}}/rancher/v2.x/en/k8s-in-rancher/service-discovery/) +- [Persistent Volume Claims]({{}}/rancher/v2.x/en/k8s-in-rancher/volumes-and-storage/persistent-volume-claims/) +- [Certificates]({{}}/rancher/v2.x/en/k8s-in-rancher/certificates/) +- [ConfigMaps]({{}}/rancher/v2.x/en/k8s-in-rancher/configmaps/) +- [Registries]({{}}/rancher/v2.x/en/k8s-in-rancher/registries/) +- [Secrets]({{}}/rancher/v2.x/en/k8s-in-rancher/secrets/) To manage permissions in a vanilla Kubernetes cluster, cluster admins configure role-based access policies for each namespace. With Rancher, user permissions are assigned on the project level instead, and permissions are automatically inherited by any namespace owned by the particular project. 
@@ -27,7 +27,7 @@ To manage permissions in a vanilla Kubernetes cluster, cluster admins configure Create a new namespace to isolate apps and resources in a project. -When working with project resources that you can assign to a namespace (i.e., [workloads]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/workloads/deploy-workloads/), [certificates]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/certificates/), [ConfigMaps]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/configmaps), etc.) you can create a namespace on the fly. +>**Tip:** When working with project resources that you can assign to a namespace (i.e., [workloads]({{}}/rancher/v2.x/en/k8s-in-rancher/workloads/deploy-workloads/), [certificates]({{}}/rancher/v2.x/en/k8s-in-rancher/certificates/), [ConfigMaps]({{}}/rancher/v2.x/en/k8s-in-rancher/configmaps), etc.) you can create a namespace on the fly. 1. From the **Global** view, open the project where you want to create a namespace. @@ -35,7 +35,7 @@ When working with project resources that you can assign to a namespace (i.e., [w 1. From the main menu, select **Namespace**. The click **Add Namespace**. -1. **Optional:** If your project has [Resource Quotas]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/projects-and-namespaces/resource-quotas) in effect, you can override the default resource **Limits** (which places a cap on the resources that the namespace can consume). +1. **Optional:** If your project has [Resource Quotas]({{}}/rancher/v2.x/en/k8s-in-rancher/projects-and-namespaces/resource-quotas) in effect, you can override the default resource **Limits** (which places a cap on the resources that the namespace can consume). 1. Enter a **Name** and then click **Create**. 
@@ -54,7 +54,7 @@ Cluster admins and members may occasionally need to move a namespace to another >**Notes:** > >- Don't move the namespaces in the `System` project. Moving these namespaces can adversely affect cluster networking. - >- You cannot move a namespace into a project that already has a [resource quota]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/projects-and-namespaces/resource-quotas/) configured. + >- You cannot move a namespace into a project that already has a [resource quota]({{}}/rancher/v2.x/en/k8s-in-rancher/projects-and-namespaces/resource-quotas/) configured. >- If you move a namespace from a project that has a quota set to a project with no quota set, the quota is removed from the namespace. 1. Choose a new project for the new namespace and then click **Move**. Alternatively, you can remove the namespace from all projects by selecting **None**. @@ -65,4 +65,4 @@ Cluster admins and members may occasionally need to move a namespace to another You can always override the namespace default limit to provide a specific namespace with access to more (or less) project resources. -For more information, see how to [edit namespace resource quotas]({{< baseurl >}}/rancher/v2.x/en/project-admin//resource-quotas/override-namespace-default/#editing-namespace-resource-quotas). \ No newline at end of file +For more information, see how to [edit namespace resource quotas]({{}}/rancher/v2.x/en/project-admin//resource-quotas/override-namespace-default/#editing-namespace-resource-quotas). \ No newline at end of file diff --git a/content/rancher/v2.x/en/project-admin/pipelines/_index.md b/content/rancher/v2.x/en/project-admin/pipelines/_index.md index 0c65147cd77..521b01f16de 100644 --- a/content/rancher/v2.x/en/project-admin/pipelines/_index.md +++ b/content/rancher/v2.x/en/project-admin/pipelines/_index.md 
@@ -39,13 +39,13 @@ Typically, pipeline stages include: After the artifacts are published, you would release your application so users could start using the updated product. -Only [administrators]({{< baseurl >}}/rancher/v2.x/en/admin-settings/rbac/global-permissions/), [cluster owners or members]({{< baseurl >}}/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/#cluster-roles), or [project owners]({{< baseurl >}}/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/#project-roles) can [configure version control providers](#version-control-providers) and [manage global pipeline execution settings](#managing-global-pipeline-execution-settings). Project members can only configure [repositories]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/pipelines/#configuring-repositories) and [pipelines]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/pipelines/#pipeline-configuration). +Only [administrators]({{}}/rancher/v2.x/en/admin-settings/rbac/global-permissions/), [cluster owners or members]({{}}/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/#cluster-roles), or [project owners]({{}}/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/#project-roles) can [configure version control providers](#version-control-providers) and [manage global pipeline execution settings](#managing-global-pipeline-execution-settings). Project members can only configure [repositories]({{}}/rancher/v2.x/en/k8s-in-rancher/pipelines/#configuring-repositories) and [pipelines]({{}}/rancher/v2.x/en/k8s-in-rancher/pipelines/#pipeline-configuration). > **Notes:** > > - Pipelines were improved in Rancher v2.1. Therefore, if you configured pipelines while using v2.0.x, you'll have to reconfigure them after upgrading to v2.1. -> - Still using v2.0.x? See the pipeline documentation for [previous versions]({{< baseurl >}}/rancher/v2.x/en/tools/pipelines/docs-for-v2.0.x). +> - Still using v2.0.x? 
See the pipeline documentation for [previous versions]({{}}/rancher/v2.x/en/tools/pipelines/docs-for-v2.0.x). ## Overview @@ -95,7 +95,7 @@ After you configure a pipeline, you can trigger it using different methods: ## Version Control Providers -Before you can start [configuring a pipeline]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/pipelines/) for your repository, you must configure and authorize a version control provider. +Before you can start [configuring a pipeline]({{}}/rancher/v2.x/en/k8s-in-rancher/pipelines/) for your repository, you must configure and authorize a version control provider. | Provider | Available as of | | --- | --- | 
@@ -182,11 +182,11 @@ _Available as of v2.2.0_ {{% /tab %}} {{% /tabs %}} -**Result:** After the version control provider is authenticated, you will be automatically re-directed to start [configuring which repositories]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/pipelines/#configuring-repositories) that you want start using with a pipeline. Once a repository is enabled, you can start to [configure the pipeline]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/pipelines/#pipeline-configuration). +**Result:** After the version control provider is authenticated, you will be automatically re-directed to start [configuring which repositories]({{}}/rancher/v2.x/en/k8s-in-rancher/pipelines/#configuring-repositories) that you want start using with a pipeline. Once a repository is enabled, you can start to [configure the pipeline]({{}}/rancher/v2.x/en/k8s-in-rancher/pipelines/#pipeline-configuration). ## Managing Global Pipeline Execution Settings -After configuring a version control provider, there are several options that can be configured globally on how [pipelines]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/pipelines/) are executed in Rancher. +After configuring a version control provider, there are several options that can be configured globally on how [pipelines]({{}}/rancher/v2.x/en/k8s-in-rancher/pipelines/) are executed in Rancher. 1. From the **Global** view, navigate to the project that you want to configure pipelines. 
@@ -213,7 +213,7 @@ To configure compute resources for pipeline-step containers: You can configure compute resources for pipeline-step containers in the `.rancher-pipeline.yml` file. -In a [step type]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/pipelines/#step-types), you will provide the following information: +In a [step type]({{}}/rancher/v2.x/en/k8s-in-rancher/pipelines/#step-types), you will provide the following information: * **CPU Reservation (`CpuRequest`)**: CPU request for the container of a pipeline step. * **CPU Limit (`CpuLimit`)**: CPU limit for the container of a pipeline step. @@ -267,7 +267,7 @@ The internal [Docker registry](#how-pipelines-work) and the [Minio](#how-pipelin >**Prerequisites (for both parts A and B):** > ->[Persistent volumes]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/volumes-and-storage/#persistent-volumes) must be available for the cluster. +>[Persistent volumes]({{}}/rancher/v2.x/en/k8s-in-rancher/volumes-and-storage/#persistent-volumes) must be available for the cluster. ### A. Configuring Persistent Data for Docker Registry @@ -289,7 +289,7 @@ The internal [Docker registry](#how-pipelines-work) and the [Minio](#how-pipelin 1. Select a volume claim **Source**: - - If you select **Use a Storage Class to provision a new persistent volume**, select a [Storage Class]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/volumes-and-storage/#storage-classes) and enter a **Capacity**. + - If you select **Use a Storage Class to provision a new persistent volume**, select a [Storage Class]({{}}/rancher/v2.x/en/k8s-in-rancher/volumes-and-storage/#storage-classes) and enter a **Capacity**. - If you select **Use an existing persistent volume**, choose a **Persistent Volume** from the drop-down. 1. From the **Customize** section, choose the read/write access for the volume. 
@@ -334,7 +334,7 @@ The internal [Docker registry](#how-pipelines-work) and the [Minio](#how-pipelin 1. Select a volume claim **Source**: - - If you select **Use a Storage Class to provision a new persistent volume**, select a [Storage Class]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/volumes-and-storage/#storage-classes) and enter a **Capacity**. + - If you select **Use a Storage Class to provision a new persistent volume**, select a [Storage Class]({{}}/rancher/v2.x/en/k8s-in-rancher/volumes-and-storage/#storage-classes) and enter a **Capacity**. - If you select **Use an existing persistent volume**, choose a **Persistent Volume** from the drop-down. 1. From the **Customize** section, choose the read/write access for the volume. diff --git a/content/rancher/v2.x/en/project-admin/pipelines/docs-for-v2.0.x/_index.md b/content/rancher/v2.x/en/project-admin/pipelines/docs-for-v2.0.x/_index.md index 5febdc414c6..3a7ea74b4ba 100644 --- a/content/rancher/v2.x/en/project-admin/pipelines/docs-for-v2.0.x/_index.md +++ b/content/rancher/v2.x/en/project-admin/pipelines/docs-for-v2.0.x/_index.md @@ -5,7 +5,7 @@ aliases: - /rancher/v2.x/en/project-admin/tools/pipelines/docs-for-v2.0.x --- ->**Note:** This section describes the pipeline feature as implemented in Rancher v2.0.x. If you are using Rancher v2.1 or later, where pipelines have been significantly improved, please refer to the new documentation for [v2.1 or later]({{< baseurl >}}/rancher/v2.x/en/tools/pipelines). +>**Note:** This section describes the pipeline feature as implemented in Rancher v2.0.x. If you are using Rancher v2.1 or later, where pipelines have been significantly improved, please refer to the new documentation for [v2.1 or later]({{}}/rancher/v2.x/en/tools/pipelines). diff --git a/content/rancher/v2.x/en/project-admin/pod-security-policies/_index.md b/content/rancher/v2.x/en/project-admin/pod-security-policies/_index.md index e92356c11c6..c5e7417df02 100644 
--- a/content/rancher/v2.x/en/project-admin/pod-security-policies/_index.md +++ b/content/rancher/v2.x/en/project-admin/pod-security-policies/_index.md @@ -3,14 +3,14 @@ title: Pod Security Policies weight: 5600 --- -> These cluster options are only available for [clusters in which Rancher has launched Kubernetes]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/). +> These cluster options are only available for [clusters in which Rancher has launched Kubernetes]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/). You can always assign a pod security policy (PSP) to an existing project if you didn't assign one during creation. ### Prerequisites -- Create a Pod Security Policy within Rancher. Before you can assign a default PSP to an existing project, you must have a PSP available for assignment. For instruction, see [Creating Pod Security Policies]({{< baseurl >}}/rancher/v2.x/en/admin-settings/pod-security-policies/). -- Assign a default Pod Security Policy to the project's cluster. You can't assign a PSP to a project until one is already applied to the cluster. For more information, see [Existing Cluster: Adding a Pod Security Policy]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/editing-clusters/#adding-changing-a-pod-security-policy). +- Create a Pod Security Policy within Rancher. Before you can assign a default PSP to an existing project, you must have a PSP available for assignment. For instruction, see [Creating Pod Security Policies]({{}}/rancher/v2.x/en/admin-settings/pod-security-policies/). +- Assign a default Pod Security Policy to the project's cluster. You can't assign a PSP to a project until one is already applied to the cluster. For more information, see [Existing Cluster: Adding a Pod Security Policy]({{}}/rancher/v2.x/en/k8s-in-rancher/editing-clusters/#adding-changing-a-pod-security-policy). ### Applying a Pod Security Policy 
diff --git a/content/rancher/v2.x/en/project-admin/project-members/_index.md b/content/rancher/v2.x/en/project-admin/project-members/_index.md index 00c97f2098a..c1848a0de7c 100644 --- a/content/rancher/v2.x/en/project-admin/project-members/_index.md +++ b/content/rancher/v2.x/en/project-admin/project-members/_index.md @@ -10,11 +10,11 @@ If you want to provide a user with access and permissions to _specific_ projects You can add members to a project as it is created, or add them to an existing project. ->**Tip:** Want to provide a user with access to _all_ projects within a cluster? See [Adding Cluster Members]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/cluster-members/) instead. +>**Tip:** Want to provide a user with access to _all_ projects within a cluster? See [Adding Cluster Members]({{}}/rancher/v2.x/en/cluster-provisioning/cluster-members/) instead. ### Adding Members to a New Project -You can add members to a project as you create it (recommended if possible). For details on creating a new project, refer to the [cluster administration section.]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/projects-and-namespaces/) +You can add members to a project as you create it (recommended if possible). For details on creating a new project, refer to the [cluster administration section.]({{}}/rancher/v2.x/en/k8s-in-rancher/projects-and-namespaces/) ### Adding Members to an Existing Project @@ -36,7 +36,7 @@ Following project creation, you can add users as project members so that they ca 1. Assign the user or group **Project** roles. - [What are Project Roles?]({{< baseurl >}}/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/) + [What are Project Roles?]({{}}/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/) >**Notes:** 
> @@ -44,8 +44,8 @@ Following project creation, you can add users as project members so that they ca > >- For `Custom` roles, you can modify the list of individual roles available for assignment. > - > - To add roles to the list, [Add a Custom Role]({{< baseurl >}}/rancher/v2.x/en/admin-settings/rbac/default-custom-roles). - > - To remove roles from the list, [Lock/Unlock Roles]({{< baseurl >}}/rancher/v2.x/en/admin-settings/rbac/locked-roles/). + > - To add roles to the list, [Add a Custom Role]({{}}/rancher/v2.x/en/admin-settings/rbac/default-custom-roles). + > - To remove roles from the list, [Lock/Unlock Roles]({{}}/rancher/v2.x/en/admin-settings/rbac/locked-roles/). **Result:** The chosen users are added to the project. diff --git a/content/rancher/v2.x/en/project-admin/resource-quotas/_index.md b/content/rancher/v2.x/en/project-admin/resource-quotas/_index.md index 03bcf25570a..ad9f464df25 100644 --- a/content/rancher/v2.x/en/project-admin/resource-quotas/_index.md +++ b/content/rancher/v2.x/en/project-admin/resource-quotas/_index.md 
@@ -9,15 +9,15 @@ In situations where several teams share a cluster, one team may overconsume the This page is a how-to guide for creating resource quotas in existing projects. -Resource quotas can also be set when a new project is created. For details, refer to the section on [creating new projects.]({{< baseurl >}}/rancher/v2.x/en/cluster-admin/projects-and-namespaces/#creating-projects) +Resource quotas can also be set when a new project is created. For details, refer to the section on [creating new projects.]({{}}/rancher/v2.x/en/cluster-admin/projects-and-namespaces/#creating-projects) -> Resource quotas in Rancher include the same functionality as the [native version of Kubernetes](https://kubernetes.io/docs/concepts/policy/resource-quotas/). However, in Rancher, resource quotas have been extended so that you can apply them to [projects]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/projects-and-namespaces/#projects). For details on how resource quotas work with projects in Rancher, refer to [this page.](./quotas-for-projects) +> Resource quotas in Rancher include the same functionality as the [native version of Kubernetes](https://kubernetes.io/docs/concepts/policy/resource-quotas/). However, in Rancher, resource quotas have been extended so that you can apply them to [projects]({{}}/rancher/v2.x/en/k8s-in-rancher/projects-and-namespaces/#projects). For details on how resource quotas work with projects in Rancher, refer to [this page.](./quotas-for-projects) ### Applying Resource Quotas to Existing Projects _Available as of v2.0.1_ -Edit [resource quotas]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/projects-and-namespaces/resource-quotas) when: +Edit [resource quotas]({{}}/rancher/v2.x/en/k8s-in-rancher/projects-and-namespaces/resource-quotas) when: - You want to limit the resources that a project and its namespaces can use. - You want to scale the resources available to a project up or down when a research quota is already in effect. 
@@ -30,7 +30,7 @@ Edit [resource quotas]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/projects-a 1. Expand **Resource Quotas** and click **Add Quota**. Alternatively, you can edit existing quotas. -1. Select a [Resource Type]({{< baseurl >}}/rancher/v2.x/en/project-admin/resource-quotas/#resource-quota-types). +1. Select a [Resource Type]({{}}/rancher/v2.x/en/project-admin/resource-quotas/#resource-quota-types). 1. Enter values for the **Project Limit** and the **Namespace Default Limit**. diff --git a/content/rancher/v2.x/en/project-admin/resource-quotas/override-container-default/_index.md b/content/rancher/v2.x/en/project-admin/resource-quotas/override-container-default/_index.md index bd9d1517459..b20230f7c14 100644 --- a/content/rancher/v2.x/en/project-admin/resource-quotas/override-container-default/_index.md +++ b/content/rancher/v2.x/en/project-admin/resource-quotas/override-container-default/_index.md @@ -13,7 +13,7 @@ To avoid setting these limits on each and every container during workload creati _Available as of v2.2.0_ -Edit [container default resource limit]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/projects-and-namespaces/resource-quotas/#setting-container-default-resource-limit) when: +Edit [container default resource limit]({{}}/rancher/v2.x/en/k8s-in-rancher/projects-and-namespaces/resource-quotas/#setting-container-default-resource-limit) when: - You have a CPU or Memory resource quota set on a project, and want to supply the corresponding default values for a container. - You want to edit the default container resource limit. diff --git a/content/rancher/v2.x/en/project-admin/resource-quotas/override-namespace-default/_index.md b/content/rancher/v2.x/en/project-admin/resource-quotas/override-namespace-default/_index.md index 0501008f985..2d7f83b4162 100644 --- a/content/rancher/v2.x/en/project-admin/resource-quotas/override-namespace-default/_index.md 
+++ b/content/rancher/v2.x/en/project-admin/resource-quotas/override-namespace-default/_index.md 
@@ -5,16 +5,16 @@ weight: 2 Although the **Namespace Default Limit** propagates from the project to each namespace, in some cases, you may need to increase (or decrease) the performance for a specific namespace. In this situation, you can override the default limits by editing the namespace. -In the diagram below, the Rancher administrator has a resource quota in effect for their project. However, the administrator wants to override the namespace limits for `Namespace 3` so that it performs better. Therefore, the administrator [raises the namespace limits]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/projects-and-namespaces/#editing-namespace-resource-quotas) for `Namespace 3` so that the namespace can access more resources. +In the diagram below, the Rancher administrator has a resource quota in effect for their project. However, the administrator wants to override the namespace limits for `Namespace 3` so that it performs better. Therefore, the administrator [raises the namespace limits]({{}}/rancher/v2.x/en/k8s-in-rancher/projects-and-namespaces/#editing-namespace-resource-quotas) for `Namespace 3` so that the namespace can access more resources. Namespace Default Limit Override -![Namespace Default Limit Override]({{< baseurl >}}/img/rancher/rancher-resource-quota-override.svg) +![Namespace Default Limit Override]({{}}/img/rancher/rancher-resource-quota-override.svg) -How to: [Editing Namespace Resource Quotas]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/projects-and-namespaces/#editing-namespace-resource-quotas) +How to: [Editing Namespace Resource Quotas]({{}}/rancher/v2.x/en/k8s-in-rancher/projects-and-namespaces/#editing-namespace-resource-quotas) ### Editing Namespace Resource Quotas -If there is a [resource quota]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/projects-and-namespaces/resource-quotas) configured for a project, you can override the namespace default limit to provide a specific namespace with access to more (or less) project resources. 
+If there is a [resource quota]({{}}/rancher/v2.x/en/k8s-in-rancher/projects-and-namespaces/resource-quotas) configured for a project, you can override the namespace default limit to provide a specific namespace with access to more (or less) project resources. 1. From the **Global** view, open the cluster that contains the namespace for which you want to edit the resource quota. @@ -24,7 +24,7 @@ If there is a [resource quota]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/pr 1. Edit the Resource Quota **Limits**. These limits determine the resources available to the namespace. The limits must be set within the configured project limits. - For more information about each **Resource Type**, see [Resource Quota Types]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/projects-and-namespaces/resource-quotas/#resource-quota-types). + For more information about each **Resource Type**, see [Resource Quota Types]({{}}/rancher/v2.x/en/k8s-in-rancher/projects-and-namespaces/resource-quotas/#resource-quota-types). >**Note:** > diff --git a/content/rancher/v2.x/en/project-admin/resource-quotas/quotas-for-projects/_index.md b/content/rancher/v2.x/en/project-admin/resource-quotas/quotas-for-projects/_index.md index 73d7c180f80..3b1691f60b0 100644 --- a/content/rancher/v2.x/en/project-admin/resource-quotas/quotas-for-projects/_index.md +++ b/content/rancher/v2.x/en/project-admin/resource-quotas/quotas-for-projects/_index.md 
@@ -3,16 +3,16 @@ title: How Resource Quotas Work in Rancher Projects weight: 1 --- -Resource quotas in Rancher include the same functionality as the [native version of Kubernetes](https://kubernetes.io/docs/concepts/policy/resource-quotas/). However, in Rancher, resource quotas have been extended so that you can apply them to [projects]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/projects-and-namespaces/#projects). +Resource quotas in Rancher include the same functionality as the [native version of Kubernetes](https://kubernetes.io/docs/concepts/policy/resource-quotas/). However, in Rancher, resource quotas have been extended so that you can apply them to [projects]({{}}/rancher/v2.x/en/k8s-in-rancher/projects-and-namespaces/#projects). In a standard Kubernetes deployment, resource quotas are applied to individual namespaces. However, you cannot apply the quota to your namespaces simultaneously with a single action. Instead, the resource quota must be applied multiple times. In the following diagram, a Kubernetes administrator is trying to enforce a resource quota without Rancher. The administrator wants to apply a resource quota that sets the same CPU and memory limit to every namespace in his cluster (`Namespace 1-4`) . However, in the base version of Kubernetes, each namespace requires a unique resource quota. The administrator has to create four different resource quotas that have the same specs configured (`Resource Quota 1-4`) and apply them individually. Base Kubernetes: Unique Resource Quotas Being Applied to Each Namespace -![Native Kubernetes Resource Quota Implementation]({{< baseurl >}}/img/rancher/kubernetes-resource-quota.svg) +![Native Kubernetes Resource Quota Implementation]({{}}/img/rancher/kubernetes-resource-quota.svg) -Resource quotas are a little different in Rancher. 
In Rancher, you apply a resource quota to the [project]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/projects-and-namespaces/#projects), and then the quota propagates to each namespace, whereafter Kubernetes enforces your limits using the native version of resource quotas. If you want to change the quota for a specific namespace, you can [override it](#overriding-the-default-limit-for-a-namespace). +Resource quotas are a little different in Rancher. In Rancher, you apply a resource quota to the [project]({{}}/rancher/v2.x/en/k8s-in-rancher/projects-and-namespaces/#projects), and then the quota propagates to each namespace, whereafter Kubernetes enforces your limits using the native version of resource quotas. If you want to change the quota for a specific namespace, you can [override it](#overriding-the-default-limit-for-a-namespace). The resource quota includes two limits, which you set while creating or editing a project: @@ -28,7 +28,7 @@ The resource quota includes two limits, which you set while creating or editing In the following diagram, a Rancher administrator wants to apply a resource quota that sets the same CPU and memory limit for every namespace in their project (`Namespace 1-4`). However, in Rancher, the administrator can set a resource quota for the project (`Project Resource Quota`) rather than individual namespaces. This quota includes resource limits for both the entire project (`Project Limit`) and individual namespaces (`Namespace Default Limit`). Rancher then propagates the `Namespace Default Limit` quotas to each namespace (`Namespace Resource Quota`). Rancher: Resource Quotas Propagating to Each Namespace -![Rancher Resource Quota Implementation]({{< baseurl >}}/img/rancher/rancher-resource-quota.svg) +![Rancher Resource Quota Implementation]({{}}/img/rancher/rancher-resource-quota.svg) The following table explains the key differences between the two quota types. 
diff --git a/content/rancher/v2.x/en/project-admin/tools/alerts/_index.md b/content/rancher/v2.x/en/project-admin/tools/alerts/_index.md index fa9c7b0bdaa..786722a3827 100644 --- a/content/rancher/v2.x/en/project-admin/tools/alerts/_index.md +++ b/content/rancher/v2.x/en/project-admin/tools/alerts/_index.md @@ -9,7 +9,7 @@ Notifiers and alerts are built on top of the [Prometheus Alertmanager](https://p Before you can receive alerts, one or more [notifier]({{}}/rancher/v2.x/en/cluster-admin/tools/notifiers) must be configured at the cluster level. -Only [administrators]({{< baseurl >}}/rancher/v2.x/en/admin-settings/rbac/global-permissions/), [cluster owners or members]({{}}/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/#cluster-roles), or [project owners]({{}}/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/#project-roles) can manage project alerts. +Only [administrators]({{}}/rancher/v2.x/en/admin-settings/rbac/global-permissions/), [cluster owners or members]({{}}/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/#cluster-roles), or [project owners]({{}}/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/#project-roles) can manage project alerts. This section covers the following topics: @@ -20,7 +20,7 @@ This section covers the following topics: ## Alerts Scope -The scope for alerts can be set at either the [cluster level]({{< baseurl >}}/rancher/v2.x/en/cluster-admin/tools/alerts/) or project level. +The scope for alerts can be set at either the [cluster level]({{}}/rancher/v2.x/en/cluster-admin/tools/alerts/) or project level. At the project level, Rancher monitors specific deployments and sends alerts for: @@ -123,13 +123,13 @@ This alert type monitors for the availability of all workloads marked with tags
    _Available as of v2.2.4_ -If you enable [project monitoring]({{< baseurl >}}/rancher/v2.x/en/project-admin/tools/#monitoring), this alert type monitors for the overload from Prometheus expression querying. +If you enable [project monitoring]({{}}/rancher/v2.x/en/project-admin/tools/#monitoring), this alert type monitors for the overload from Prometheus expression querying. 1. Input or select an **Expression**, the drop down shows the original metrics from Prometheus, including: - [**Container**](https://github.com/google/cadvisor) - [**Kubernetes Resources**](https://github.com/kubernetes/kube-state-metrics) - - [**Customize**]({{< baseurl >}}/rancher/v2.x/en/project-admin/tools/monitoring/#project-metrics) + - [**Customize**]({{}}/rancher/v2.x/en/project-admin/tools/monitoring/#project-metrics) - [**Project Level Grafana**](http://docs.grafana.org/administration/metrics/) - **Project Level Prometheus** @@ -167,7 +167,7 @@ If you enable [project monitoring]({{< baseurl >}}/rancher/v2.x/en/project-admin 1. Continue adding more **Alert Rule** to the group. -1. Finally, choose the [notifiers]({{< baseurl >}}/rancher/v2.x/en/cluster-admin/tools/notifiers/) that send you alerts. +1. Finally, choose the [notifiers]({{}}/rancher/v2.x/en/cluster-admin/tools/notifiers/) that send you alerts. - You can set up multiple notifiers. - You can change notifier recipients on the fly. diff --git a/content/rancher/v2.x/en/project-admin/tools/logging/_index.md b/content/rancher/v2.x/en/project-admin/tools/logging/_index.md index 5e842ce96c7..8c60ddf64eb 100644 --- a/content/rancher/v2.x/en/project-admin/tools/logging/_index.md +++ b/content/rancher/v2.x/en/project-admin/tools/logging/_index.md 
@@ -17,7 +17,7 @@ Rancher supports the following services: >**Note:** You can only configure one logging service per cluster or per project. -Only [administrators]({{< baseurl >}}/rancher/v2.x/en/admin-settings/rbac/global-permissions/), [cluster owners or members]({{< baseurl >}}/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/#cluster-roles), or [project owners]({{< baseurl >}}/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/#project-roles) can configure Rancher to send Kubernetes logs to a logging service. +Only [administrators]({{}}/rancher/v2.x/en/admin-settings/rbac/global-permissions/), [cluster owners or members]({{}}/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/#cluster-roles), or [project owners]({{}}/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/#project-roles) can configure Rancher to send Kubernetes logs to a logging service. ## Requirements @@ -41,7 +41,7 @@ Setting up a logging service to collect logs from your cluster/project has sever You can configure logging at either cluster level or project level. -- [Cluster logging]({{< baseurl >}}/rancher/v2.x/en/cluster-admin/tools/logging/) writes logs for every pod in the cluster, i.e. in all the projects. For [RKE clusters]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/rke-clusters), it also writes logs for all the Kubernetes system components. +- [Cluster logging]({{}}/rancher/v2.x/en/cluster-admin/tools/logging/) writes logs for every pod in the cluster, i.e. in all the projects. For [RKE clusters]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters), it also writes logs for all the Kubernetes system components. - Project logging writes logs for every pod in that particular project. 
@@ -59,11 +59,11 @@ Logs that are sent to your logging service are from the following locations: 1. Select a logging service and enter the configuration. Refer to the specific service for detailed configuration. Rancher supports the following services: - - [Elasticsearch]({{< baseurl >}}/rancher/v2.x/en/cluster-admin/tools/logging/elasticsearch/) - - [Splunk]({{< baseurl >}}/rancher/v2.x/en/cluster-admin/tools/logging/splunk/) - - [Kafka]({{< baseurl >}}/rancher/v2.x/en/cluster-admin/tools/logging/kafka/) - - [Syslog]({{< baseurl >}}/rancher/v2.x/en/cluster-admin/tools/logging/syslog/) - - [Fluentd]({{< baseurl >}}/rancher/v2.x/en/cluster-admin/tools/logging/fluentd/) + - [Elasticsearch]({{}}/rancher/v2.x/en/cluster-admin/tools/logging/elasticsearch/) + - [Splunk]({{}}/rancher/v2.x/en/cluster-admin/tools/logging/splunk/) + - [Kafka]({{}}/rancher/v2.x/en/cluster-admin/tools/logging/kafka/) + - [Syslog]({{}}/rancher/v2.x/en/cluster-admin/tools/logging/syslog/) + - [Fluentd]({{}}/rancher/v2.x/en/cluster-admin/tools/logging/fluentd/) 1. (Optional) Instead of using the UI to configure the logging services, you can enter custom advanced configurations by clicking on **Edit as File**, which is located above the logging targets. This link is only visible after you select a logging service. diff --git a/content/rancher/v2.x/en/project-admin/tools/monitoring/_index.md b/content/rancher/v2.x/en/project-admin/tools/monitoring/_index.md index 7174c065867..c5372b0ba6d 100644 --- a/content/rancher/v2.x/en/project-admin/tools/monitoring/_index.md +++ b/content/rancher/v2.x/en/project-admin/tools/monitoring/_index.md 
@@ -19,19 +19,19 @@ This section covers the following topics: ### Monitoring Scope -Using Prometheus, you can monitor Rancher at both the [cluster level]({{< baseurl >}}/rancher/v2.x/en/cluster-admin/tools/monitoring/) and project level. For each cluster and project that is enabled for monitoring, Rancher deploys a Prometheus server. +Using Prometheus, you can monitor Rancher at both the [cluster level]({{}}/rancher/v2.x/en/cluster-admin/tools/monitoring/) and project level. For each cluster and project that is enabled for monitoring, Rancher deploys a Prometheus server. -- [Cluster monitoring]({{< baseurl >}}/rancher/v2.x/en/cluster-admin/tools/monitoring/) allows you to view the health of your Kubernetes cluster. Prometheus collects metrics from the cluster components below, which you can view in graphs and charts. +- [Cluster monitoring]({{}}/rancher/v2.x/en/cluster-admin/tools/monitoring/) allows you to view the health of your Kubernetes cluster. Prometheus collects metrics from the cluster components below, which you can view in graphs and charts. - - [Kubernetes control plane]({{< baseurl >}}/rancher/v2.x/en/cluster-admin/tools/monitoring/cluster-metrics/#kubernetes-components-metrics) - - [etcd database]({{< baseurl >}}/rancher/v2.x/en/cluster-admin/tools/monitoring/cluster-metrics/#etcd-metrics) - - [All nodes (including workers)]({{< baseurl >}}/rancher/v2.x/en/cluster-admin/tools/monitoring/cluster-metrics/#cluster-metrics) + - [Kubernetes control plane]({{}}/rancher/v2.x/en/cluster-admin/tools/monitoring/cluster-metrics/#kubernetes-components-metrics) + - [etcd database]({{}}/rancher/v2.x/en/cluster-admin/tools/monitoring/cluster-metrics/#etcd-metrics) + - [All nodes (including workers)]({{}}/rancher/v2.x/en/cluster-admin/tools/monitoring/cluster-metrics/#cluster-metrics) - Project monitoring allows you to view the state of pods running in a given project. Prometheus collects metrics from the project's deployed HTTP and TCP/UDP workloads. 
### Permissions to Configure Project Monitoring -Only [administrators]({{< baseurl >}}/rancher/v2.x/en/admin-settings/rbac/global-permissions/), [cluster owners or members]({{< baseurl >}}/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/#cluster-roles), or [project owners]({{< baseurl >}}/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/#project-roles) can configure project level monitoring. Project members can only view monitoring metrics. +Only [administrators]({{}}/rancher/v2.x/en/admin-settings/rbac/global-permissions/), [cluster owners or members]({{}}/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/#cluster-roles), or [project owners]({{}}/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/#project-roles) can configure project level monitoring. Project members can only view monitoring metrics. ### Enabling Project Monitoring @@ -41,7 +41,7 @@ Only [administrators]({{< baseurl >}}/rancher/v2.x/en/admin-settings/rbac/global 1. Select **Tools > Monitoring** in the navigation bar. -1. Select **Enable** to show the [Prometheus configuration options]({{< baseurl >}}/rancher/v2.x/en/cluster-admin/tools/monitoring/prometheus/). Enter in your desired configuration options. +1. Select **Enable** to show the [Prometheus configuration options]({{}}/rancher/v2.x/en/cluster-admin/tools/monitoring/prometheus/). Enter in your desired configuration options. 1. Click **Save**. 
@@ -53,11 +53,11 @@ Prometheus|750m| 750Mi | 1000m | 1000Mi | Yes Grafana | 100m | 100Mi | 200m | 200Mi | No -**Result:** A single application,`project-monitoring`, is added as an [application]({{< baseurl >}}/rancher/v2.x/en/catalog/apps/) to the project. After the application is `active`, you can start viewing [project metrics](#project-metrics) through the [Rancher dashboard]({{< baseurl >}}/rancher/v2.x/en/cluster-admin/tools/monitoring/#rancher-dashboard) or directly from [Grafana]({{< baseurl >}}/rancher/v2.x/en/cluster-admin/tools/monitoring/#grafana). +**Result:** A single application,`project-monitoring`, is added as an [application]({{}}/rancher/v2.x/en/catalog/apps/) to the project. After the application is `active`, you can start viewing [project metrics](#project-metrics) through the [Rancher dashboard]({{}}/rancher/v2.x/en/cluster-admin/tools/monitoring/#rancher-dashboard) or directly from [Grafana]({{}}/rancher/v2.x/en/cluster-admin/tools/monitoring/#grafana). ### Project Metrics -[Workload metrics]({{< baseurl >}}/rancher/v2.x/en/cluster-admin/tools/monitoring/cluster-metrics/#workload-metrics) are available for the project if monitoring is enabled at the [cluster level]({{< baseurl >}}/rancher/v2.x/en/cluster-admin/tools/monitoring/) and at the [project level.](#enabling-project-monitoring) +[Workload metrics]({{}}/rancher/v2.x/en/cluster-admin/tools/monitoring/cluster-metrics/#workload-metrics) are available for the project if monitoring is enabled at the [cluster level]({{}}/rancher/v2.x/en/cluster-admin/tools/monitoring/) and at the [project level.](#enabling-project-monitoring) You can monitor custom metrics from any [exporters.](https://prometheus.io/docs/instrumenting/exporters/) You can also expose some custom endpoints on deployments without needing to configure Prometheus for your project. 
diff --git a/content/rancher/v2.x/en/quick-start-guide/_index.md b/content/rancher/v2.x/en/quick-start-guide/_index.md index 630450f42d2..be103b469ef 100644 --- a/content/rancher/v2.x/en/quick-start-guide/_index.md +++ b/content/rancher/v2.x/en/quick-start-guide/_index.md 
@@ -4,14 +4,14 @@ metaDescription: Use this section to jump start your Rancher deployment and test short title: Use this section to jump start your Rancher deployment and testing. It contains instructions for a simple Rancher setup and some common use cases. weight: 25 --- ->**Note:** The intent of these guides is to quickly launch a sandbox that you can use to evaluate Rancher. These guides are not intended for production environments. For comprehensive setup instructions, see [Installation]({{< baseurl >}}/rancher/v2.x/en/installation/). +>**Note:** The intent of these guides is to quickly launch a sandbox that you can use to evaluate Rancher. These guides are not intended for production environments. For comprehensive setup instructions, see [Installation]({{}}/rancher/v2.x/en/installation/). Howdy buckaroos! Use this section of the docs to jump start your deployment and testing of Rancher 2.x! It contains instructions for a simple Rancher setup and some common use cases. We plan on adding more content to this section in the future. We have Quick Start Guides for: -- [Deploying Rancher Server]({{< baseurl >}}/rancher/v2.x/en/quick-start-guide/deployment/): Get started running Rancher using the method most convenient for you. +- [Deploying Rancher Server]({{}}/rancher/v2.x/en/quick-start-guide/deployment/): Get started running Rancher using the method most convenient for you. -- [Deploying Workloads]({{< baseurl >}}/rancher/v2.x/en/quick-start-guide/workload/): Deploy a simple workload and expose it, letting you access it from outside the cluster. +- [Deploying Workloads]({{}}/rancher/v2.x/en/quick-start-guide/workload/): Deploy a simple workload and expose it, letting you access it from outside the cluster. -- [Using the CLI]({{< baseurl >}}/rancher/v2.x/en/quick-start-guide/cli/): Use `kubectl` or Rancher command line interface (CLI) to interact with your Rancher instance. 
+- [Using the CLI]({{}}/rancher/v2.x/en/quick-start-guide/cli/): Use `kubectl` or Rancher command line interface (CLI) to interact with your Rancher instance. diff --git a/content/rancher/v2.x/en/quick-start-guide/deployment/amazon-aws-qs/_index.md b/content/rancher/v2.x/en/quick-start-guide/deployment/amazon-aws-qs/_index.md index 8023d181f51..3e9ddae02c2 100644 --- a/content/rancher/v2.x/en/quick-start-guide/deployment/amazon-aws-qs/_index.md +++ b/content/rancher/v2.x/en/quick-start-guide/deployment/amazon-aws-qs/_index.md @@ -61,7 +61,7 @@ Two Kubernetes clusters are deployed into your AWS account, one running Rancher ### What's Next? -Use Rancher to create a deployment. For more information, see [Creating Deployments]({{< baseurl >}}/rancher/v2.x/en/quick-start-guide/workload). +Use Rancher to create a deployment. For more information, see [Creating Deployments]({{}}/rancher/v2.x/en/quick-start-guide/workload). ## Destroying the Environment diff --git a/content/rancher/v2.x/en/quick-start-guide/deployment/digital-ocean-qs/_index.md b/content/rancher/v2.x/en/quick-start-guide/deployment/digital-ocean-qs/_index.md index 3e1f67b37e2..95b4820090d 100644 --- a/content/rancher/v2.x/en/quick-start-guide/deployment/digital-ocean-qs/_index.md +++ b/content/rancher/v2.x/en/quick-start-guide/deployment/digital-ocean-qs/_index.md @@ -59,7 +59,7 @@ Two Kubernetes clusters are deployed into your DigitalOcean account, one running ### What's Next? -Use Rancher to create a deployment. For more information, see [Creating Deployments]({{< baseurl >}}/rancher/v2.x/en/quick-start-guide/workload). +Use Rancher to create a deployment. For more information, see [Creating Deployments]({{}}/rancher/v2.x/en/quick-start-guide/workload). ## Destroying the Environment 
diff --git a/content/rancher/v2.x/en/quick-start-guide/deployment/quickstart-manual-setup/_index.md b/content/rancher/v2.x/en/quick-start-guide/deployment/quickstart-manual-setup/_index.md index ee362745c46..b4c2457eeaa 100644 --- a/content/rancher/v2.x/en/quick-start-guide/deployment/quickstart-manual-setup/_index.md +++ b/content/rancher/v2.x/en/quick-start-guide/deployment/quickstart-manual-setup/_index.md @@ -38,7 +38,7 @@ This Quick Start Guide is divided into different tasks for easier consumption. > > For a full list of port requirements, refer to [Docker Installation]({{}}/rancher/v2.x/en/cluster-provisioning/node-requirements/). - Provision the host according to our [Requirements]({{< baseurl >}}/rancher/v2.x/en/installation/requirements/). + Provision the host according to our [Requirements]({{}}/rancher/v2.x/en/installation/requirements/). ### 2. Install Rancher @@ -105,4 +105,4 @@ Congratulations! You have created your first cluster. #### What's Next? -Use Rancher to create a deployment. For more information, see [Creating Deployments]({{< baseurl >}}/rancher/v2.x/en/quick-start-guide/workload). +Use Rancher to create a deployment. For more information, see [Creating Deployments]({{}}/rancher/v2.x/en/quick-start-guide/workload). diff --git a/content/rancher/v2.x/en/quick-start-guide/deployment/quickstart-vagrant/_index.md b/content/rancher/v2.x/en/quick-start-guide/deployment/quickstart-vagrant/_index.md index c9bb875285a..bf8db298c3c 100644 --- a/content/rancher/v2.x/en/quick-start-guide/deployment/quickstart-vagrant/_index.md +++ b/content/rancher/v2.x/en/quick-start-guide/deployment/quickstart-vagrant/_index.md 
@@ -29,7 +29,7 @@ The following steps quickly deploy a Rancher Server with a single node cluster a ### What's Next? -Use Rancher to create a deployment. For more information, see [Creating Deployments]({{< baseurl >}}/rancher/v2.x/en/quick-start-guide/workload). +Use Rancher to create a deployment. For more information, see [Creating Deployments]({{}}/rancher/v2.x/en/quick-start-guide/workload). ## Destroying the Environment diff --git a/content/rancher/v2.x/en/quick-start-guide/workload/quickstart-deploy-workload-ingress/_index.md b/content/rancher/v2.x/en/quick-start-guide/workload/quickstart-deploy-workload-ingress/_index.md index ebf52672472..df4b32406cc 100644 --- a/content/rancher/v2.x/en/quick-start-guide/workload/quickstart-deploy-workload-ingress/_index.md +++ b/content/rancher/v2.x/en/quick-start-guide/workload/quickstart-deploy-workload-ingress/_index.md @@ -77,6 +77,6 @@ Congratulations! You have successfully deployed a workload exposed via an ingres When you're done using your sandbox, destroy the Rancher Server and your cluster. See one of the following: -- [Amazon AWS: Destroying the Environment]({{< baseurl >}}/rancher/v2.x/en/quick-start-guide/deployment/amazon-aws-qs/#destroying-the-environment) -- [DigitalOcean: Destroying the Environment]({{< baseurl >}}/rancher/v2.x/en/quick-start-guide/deployment/digital-ocean-qs/#destroying-the-environment) -- [Vagrant: Destroying the Environment]({{< baseurl >}}/rancher/v2.x/en/quick-start-guide/deployment/quickstart-vagrant/#destroying-the-environment) +- [Amazon AWS: Destroying the Environment]({{}}/rancher/v2.x/en/quick-start-guide/deployment/amazon-aws-qs/#destroying-the-environment) +- [DigitalOcean: Destroying the Environment]({{}}/rancher/v2.x/en/quick-start-guide/deployment/digital-ocean-qs/#destroying-the-environment) +- [Vagrant: Destroying the Environment]({{}}/rancher/v2.x/en/quick-start-guide/deployment/quickstart-vagrant/#destroying-the-environment) 
diff --git a/content/rancher/v2.x/en/quick-start-guide/workload/quickstart-deploy-workload-nodeport/_index.md b/content/rancher/v2.x/en/quick-start-guide/workload/quickstart-deploy-workload-nodeport/_index.md index ace03022684..71d79215dd9 100644 --- a/content/rancher/v2.x/en/quick-start-guide/workload/quickstart-deploy-workload-nodeport/_index.md +++ b/content/rancher/v2.x/en/quick-start-guide/workload/quickstart-deploy-workload-nodeport/_index.md @@ -33,15 +33,15 @@ For this workload, you'll be deploying the application Rancher Hello-World. 9. From the **As a** drop-down, make sure that **NodePort (On every node)** is selected. - ![As a dropdown, NodePort (On every node selected)]({{< baseurl >}}/img/rancher/nodeport-dropdown.png) + ![As a dropdown, NodePort (On every node selected)]({{}}/img/rancher/nodeport-dropdown.png) 10. From the **On Listening Port** field, leave the **Random** value in place. - ![On Listening Port, Random selected]({{< baseurl >}}/img/rancher/listening-port-field.png) + ![On Listening Port, Random selected]({{}}/img/rancher/listening-port-field.png) 11. From the **Publish the container port** field, enter port `80`. - ![Publish the container port, 80 entered]({{< baseurl >}}/img/rancher/container-port-field.png) + ![Publish the container port, 80 entered]({{}}/img/rancher/container-port-field.png) 12. Leave the remaining options on their default setting. We'll tell you about them later. 
@@ -151,6 +151,6 @@ Congratulations! You have successfully deployed a workload exposed via a NodePor When you're done using your sandbox, destroy the Rancher Server and your cluster. See one of the following: -- [Amazon AWS: Destroying the Environment]({{< baseurl >}}/rancher/v2.x/en/quick-start-guide/deployment/amazon-aws-qs/#destroying-the-environment) -- [DigitalOcean: Destroying the Environment]({{< baseurl >}}/rancher/v2.x/en/quick-start-guide/deployment/digital-ocean-qs/#destroying-the-environment) -- [Vagrant: Destroying the Environment]({{< baseurl >}}/rancher/v2.x/en/quick-start-guide/deployment/quickstart-vagrant/#destroying-the-environment) +- [Amazon AWS: Destroying the Environment]({{}}/rancher/v2.x/en/quick-start-guide/deployment/amazon-aws-qs/#destroying-the-environment) +- [DigitalOcean: Destroying the Environment]({{}}/rancher/v2.x/en/quick-start-guide/deployment/digital-ocean-qs/#destroying-the-environment) +- [Vagrant: Destroying the Environment]({{}}/rancher/v2.x/en/quick-start-guide/deployment/quickstart-vagrant/#destroying-the-environment) diff --git a/content/rancher/v2.x/en/security/_index.md b/content/rancher/v2.x/en/security/_index.md index b7a56c2fc96..8cae4eebe29 100644 --- a/content/rancher/v2.x/en/security/_index.md +++ b/content/rancher/v2.x/en/security/_index.md 
@@ -98,7 +98,7 @@ Rancher is committed to informing the community of security issues in our produc | ID | Description | Date | Resolution | |----|-------------|------|------------| -| [CVE-2018-20321](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20321) | Any project member with access to the `default` namespace can mount the `netes-default` service account in a pod and then use that pod to execute administrative privileged commands against the Kubernetes cluster. | 29 Jan 2019 | [Rancher v2.1.6](https://github.com/rancher/rancher/releases/tag/v2.1.6) and [Rancher v2.0.11](https://github.com/rancher/rancher/releases/tag/v2.0.11) - Rolling back from these versions or greater have specific [instructions]({{< baseurl >}}/rancher/v2.x/en/upgrades/rollbacks/). | +| [CVE-2018-20321](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20321) | Any project member with access to the `default` namespace can mount the `netes-default` service account in a pod and then use that pod to execute administrative privileged commands against the Kubernetes cluster. | 29 Jan 2019 | [Rancher v2.1.6](https://github.com/rancher/rancher/releases/tag/v2.1.6) and [Rancher v2.0.11](https://github.com/rancher/rancher/releases/tag/v2.0.11) - Rolling back from these versions or greater have specific [instructions]({{}}/rancher/v2.x/en/upgrades/rollbacks/). | | [CVE-2019-6287](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6287) | Project members continue to get access to namespaces from projects that they were removed from if they were added to more than one project. | 29 Jan 2019 | [Rancher v2.1.6](https://github.com/rancher/rancher/releases/tag/v2.1.6) and [Rancher v2.0.11](https://github.com/rancher/rancher/releases/tag/v2.0.11) | | [CVE-2019-11202](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11202) | The default admin, that is shipped with Rancher, will be re-created upon restart of Rancher despite being explicitly deleted. 
| 16 Apr 2019 | [Rancher v2.2.2](https://github.com/rancher/rancher/releases/tag/v2.2.2), [Rancher v2.1.9](https://github.com/rancher/rancher/releases/tag/v2.1.9) and [Rancher v2.0.14](https://github.com/rancher/rancher/releases/tag/v2.0.14) | | [CVE-2019-12274](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12274) | Nodes using the built-in node drivers using a file path option allows the machine to read arbitrary files including sensitive ones from inside the Rancher server container. | 5 Jun 2019 | [Rancher v2.2.4](https://github.com/rancher/rancher/releases/tag/v2.2.4), [Rancher v2.1.10](https://github.com/rancher/rancher/releases/tag/v2.1.10) and [Rancher v2.0.15](https://github.com/rancher/rancher/releases/tag/v2.0.15) | diff --git a/content/rancher/v2.x/en/security/hardening-2.1/_index.md b/content/rancher/v2.x/en/security/hardening-2.1/_index.md index 890f17f35a8..0248d9f3f9d 100644 --- a/content/rancher/v2.x/en/security/hardening-2.1/_index.md +++ b/content/rancher/v2.x/en/security/hardening-2.1/_index.md @@ -15,7 +15,7 @@ Hardening Guide v2.1 | Rancher v2.1.x | Benchmark v1.3.0 | Kubernetes 1.11 [Click here to download a PDF version of this document](https://releases.rancher.com/documents/security/2.1.x/Rancher_Hardening_Guide.pdf) -For more detail on how a hardened cluster scores against the official CIS benchmark, refer to the [CIS Benchmark Rancher Self-Assessment Guide - Rancher v2.1.x]({{< baseurl >}}/rancher/v2.x/en/security/benchmark-2.1/). +For more detail on how a hardened cluster scores against the official CIS benchmark, refer to the [CIS Benchmark Rancher Self-Assessment Guide - Rancher v2.1.x]({{}}/rancher/v2.x/en/security/benchmark-2.1/). ### Profile Definitions diff --git a/content/rancher/v2.x/en/security/hardening-2.2/_index.md b/content/rancher/v2.x/en/security/hardening-2.2/_index.md index 64db81ee176..de19613499f 100644 --- a/content/rancher/v2.x/en/security/hardening-2.2/_index.md 
+++ b/content/rancher/v2.x/en/security/hardening-2.2/_index.md @@ -15,7 +15,7 @@ Hardening Guide v2.2 | Rancher v2.2.x | Benchmark v1.4.1, 1.4.0 | Kubernetes 1.1 [Click here to download a PDF version of this document](https://releases.rancher.com/documents/security/2.2.x/Rancher_Hardening_Guide.pdf) -For more detail about evaluating a hardened cluster against the official CIS benchmark, refer to the [CIS Benchmark Rancher Self-Assessment Guide - Rancher v2.2.x]({{< baseurl >}}/rancher/v2.x/en/security/benchmark-2.2/). +For more detail about evaluating a hardened cluster against the official CIS benchmark, refer to the [CIS Benchmark Rancher Self-Assessment Guide - Rancher v2.2.x]({{}}/rancher/v2.x/en/security/benchmark-2.2/). ### Profile Definitions diff --git a/content/rancher/v2.x/en/security/hardening-2.3.3/_index.md b/content/rancher/v2.x/en/security/hardening-2.3.3/_index.md index 488c6fbcc4d..d25489d2e06 100644 --- a/content/rancher/v2.x/en/security/hardening-2.3.3/_index.md +++ b/content/rancher/v2.x/en/security/hardening-2.3.3/_index.md @@ -15,7 +15,7 @@ Hardening Guide v2.3.3 | Rancher v2.3.3 | Benchmark v1.4.1 | Kubernetes 1.14, 1. [Click here to download a PDF version of this document](https://releases.rancher.com/documents/security/2.3.3/Rancher_Hardening_Guide.pdf) -For more detail about evaluating a hardened cluster against the official CIS benchmark, refer to the [CIS Benchmark Rancher Self-Assessment Guide v2.3.3]({{< baseurl >}}/rancher/v2.x/en/security/benchmark-2.3.3/). +For more detail about evaluating a hardened cluster against the official CIS benchmark, refer to the [CIS Benchmark Rancher Self-Assessment Guide v2.3.3]({{}}/rancher/v2.x/en/security/benchmark-2.3.3/). ### Profile Definitions 
@@ -149,7 +149,7 @@ Verify that the permissions are `700` or more restrictive. **Remediation** -Follow the steps as documented in [1.4.12]({{< baseurl >}}/rancher/v2.x/en/security/hardening-2.3.3/#1-4-12-ensure-that-the-etcd-data-directory-ownership-is-set-to-etcd-etcd) remediation. +Follow the steps as documented in [1.4.12]({{}}/rancher/v2.x/en/security/hardening-2.3.3/#1-4-12-ensure-that-the-etcd-data-directory-ownership-is-set-to-etcd-etcd) remediation. ### 1.4.12 - Ensure that the etcd data directory ownership is set to `etcd:etcd` diff --git a/content/rancher/v2.x/en/security/hardening-2.3/_index.md b/content/rancher/v2.x/en/security/hardening-2.3/_index.md index dfa51e8eb20..f237643c192 100644 --- a/content/rancher/v2.x/en/security/hardening-2.3/_index.md +++ b/content/rancher/v2.x/en/security/hardening-2.3/_index.md @@ -14,7 +14,7 @@ Hardening Guide v2.3 | Rancher v2.3.0-v2.3.2 | Benchmark v1.4.1 | Kubernetes 1.1 [Click here to download a PDF version of this document](https://releases.rancher.com/documents/security/2.3.x/Rancher_Hardening_Guide.pdf) -For more detail about evaluating a hardened cluster against the official CIS benchmark, refer to the [CIS Benchmark Rancher Self-Assessment Guide - Rancher v2.3.x]({{< baseurl >}}/rancher/v2.x/en/security/benchmark-2.3/). +For more detail about evaluating a hardened cluster against the official CIS benchmark, refer to the [CIS Benchmark Rancher Self-Assessment Guide - Rancher v2.3.x]({{}}/rancher/v2.x/en/security/benchmark-2.3/). ### Profile Definitions 
@@ -411,7 +411,7 @@ Verify that the permissions are `700` or more restrictive. **Remediation** -Follow the steps as documented in [1.4.12]({{< baseurl >}}/rancher/v2.x/en/security/hardening-2.3/#1-4-12-ensure-that-the-etcd-data-directory-ownership-is-set-to-etcd-etcd) remediation. +Follow the steps as documented in [1.4.12]({{}}/rancher/v2.x/en/security/hardening-2.3/#1-4-12-ensure-that-the-etcd-data-directory-ownership-is-set-to-etcd-etcd) remediation. ### 1.4.12 - Ensure that the etcd data directory ownership is set to `etcd:etcd` diff --git a/content/rancher/v2.x/en/system-tools/_index.md b/content/rancher/v2.x/en/system-tools/_index.md index 10a48611e45..a34bc1a9b8d 100644 --- a/content/rancher/v2.x/en/system-tools/_index.md +++ b/content/rancher/v2.x/en/system-tools/_index.md @@ -3,7 +3,7 @@ title: System Tools weight: 6001 --- -System Tools is a tool to perform operational tasks on [Rancher Launched Kubernetes]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/) clusters or [RKE cluster as used for installing Rancher on Kubernetes]({{< baseurl >}}/rancher/v2.x/en/installation/k8s-install/kubernetes-rke/). The tasks include: +System Tools is a tool to perform operational tasks on [Rancher Launched Kubernetes]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/) clusters or [RKE cluster as used for installing Rancher on Kubernetes]({{}}/rancher/v2.x/en/installation/k8s-install/kubernetes-rke/). The tasks include: * Collect logging and system metrics from nodes. * Remove Kubernetes resources created by Rancher. 
@@ -41,7 +41,7 @@ After you download the tools, complete the following actions: # Logs -The logs subcommand will collect log files of core Kubernetes cluster components from nodes in [Rancher-launched Kubernetes clusters]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/) or nodes on an [RKE Kubernetes cluster that Rancher is installed on.]({{}}/rancher/v2.x/en/installation/k8s-install/kubernetes-rke/). See [Troubleshooting]({{< baseurl >}}//rancher/v2.x/en/troubleshooting/) for a list of core Kubernetes cluster components. +The logs subcommand will collect log files of core Kubernetes cluster components from nodes in [Rancher-launched Kubernetes clusters]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/) or nodes on an [RKE Kubernetes cluster that Rancher is installed on.]({{}}/rancher/v2.x/en/installation/k8s-install/kubernetes-rke/). See [Troubleshooting]({{}}//rancher/v2.x/en/troubleshooting/) for a list of core Kubernetes cluster components. System Tools will use the provided kubeconfig file to deploy a DaemonSet, that will copy all the logfiles from the core Kubernetes cluster components and add them to a single tar file (`cluster-logs.tar` by default). If you only want to collect logging from a single node, you can specify the node by using `--node NODENAME` or `-n NODENAME`. 
@@ -81,7 +81,7 @@ The following are the options for the stats command: # Remove ->**Warning:** This command will remove data from your etcd nodes. Make sure you have created a [backup of etcd]({{< baseurl >}}/rancher/v2.x/en/backups/backups) before executing the command. +>**Warning:** This command will remove data from your etcd nodes. Make sure you have created a [backup of etcd]({{}}/rancher/v2.x/en/backups/backups) before executing the command. When you install Rancher on a Kubernetes cluster, it will create Kubernetes resources to run and to store configuration data. If you want to remove Rancher from your cluster, you can use the `remove` subcommand to remove the Kubernetes resources. When you use the `remove` subcommand, the following resources will be removed: @@ -101,7 +101,7 @@ When you install Rancher on a Kubernetes cluster, it will create Kubernetes reso When you run the command below, all the resources listed [above](#remove) will be removed from the cluster. ->**Warning:** This command will remove data from your etcd nodes. Make sure you have created a [backup of etcd]({{< baseurl >}}/rancher/v2.x/en/backups/backups) before executing the command. +>**Warning:** This command will remove data from your etcd nodes. Make sure you have created a [backup of etcd]({{}}/rancher/v2.x/en/backups/backups) before executing the command. ``` ./system-tools remove --kubeconfig --namespace diff --git a/content/rancher/v2.x/en/troubleshooting/_index.md b/content/rancher/v2.x/en/troubleshooting/_index.md index 7f6b30c3891..aa6c57afe66 100644 --- a/content/rancher/v2.x/en/troubleshooting/_index.md +++ b/content/rancher/v2.x/en/troubleshooting/_index.md 
@@ -5,7 +5,7 @@ weight: 8100 This section contains information to help you troubleshoot issues when using Rancher. -- [Kubernetes components]({{< baseurl >}}/rancher/v2.x/en/troubleshooting/kubernetes-components/) +- [Kubernetes components]({{}}/rancher/v2.x/en/troubleshooting/kubernetes-components/) If you need help troubleshooting core Kubernetes cluster components like: * `etcd` 
@@ -16,22 +16,22 @@ This section contains information to help you troubleshoot issues when using Ran * `kube-proxy` * `nginx-proxy` -- [Kubernetes resources]({{< baseurl >}}/rancher/v2.x/en/troubleshooting/kubernetes-resources/) +- [Kubernetes resources]({{}}/rancher/v2.x/en/troubleshooting/kubernetes-resources/) Options for troubleshooting Kubernetes resources like Nodes, Ingress Controller and Rancher Agents are described in this section. -- [Networking]({{< baseurl >}}/rancher/v2.x/en/troubleshooting/networking/) +- [Networking]({{}}/rancher/v2.x/en/troubleshooting/networking/) Steps to troubleshoot networking issues can be found here. -- [DNS]({{< baseurl >}}/rancher/v2.x/en/troubleshooting/dns/) +- [DNS]({{}}/rancher/v2.x/en/troubleshooting/dns/) When you experience name resolution issues in your cluster. -- [Troubleshooting Rancher installed on Kubernetes]({{< baseurl >}}/rancher/v2.x/en/troubleshooting/rancherha/) +- [Troubleshooting Rancher installed on Kubernetes]({{}}/rancher/v2.x/en/troubleshooting/rancherha/) - If you experience issues with your [Rancher server installed on Kubernetes]({{< baseurl >}}/rancher/v2.x/en/installation/k8s-install/) + If you experience issues with your [Rancher server installed on Kubernetes]({{}}/rancher/v2.x/en/installation/k8s-install/) -- [Imported clusters]({{< baseurl >}}/rancher/v2.x/en/troubleshooting/imported-clusters/) +- [Imported clusters]({{}}/rancher/v2.x/en/troubleshooting/imported-clusters/) - If you experience issues when [Importing Kubernetes Clusters]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/imported-clusters/) + If you experience issues when [Importing Kubernetes Clusters]({{}}/rancher/v2.x/en/cluster-provisioning/imported-clusters/) diff --git a/content/rancher/v2.x/en/troubleshooting/dns/_index.md b/content/rancher/v2.x/en/troubleshooting/dns/_index.md index f64f6e5729b..ecbe88a7588 100644 --- a/content/rancher/v2.x/en/troubleshooting/dns/_index.md 
+++ b/content/rancher/v2.x/en/troubleshooting/dns/_index.md @@ -7,7 +7,7 @@ The commands/steps listed on this page can be used to check name resolution issu Make sure you configured the correct kubeconfig (for example, `export KUBECONFIG=$PWD/kube_config_rancher-cluster.yml` for Rancher HA) or are using the embedded kubectl via the UI. -Before running the DNS checks, check the [default DNS provider]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/options/#default-dns-provider) for your cluster and make sure that [the overlay network is functioning correctly]({{< baseurl >}}/rancher/v2.x/en/troubleshooting/networking/#check-if-overlay-network-is-functioning-correctly) as this can also be the reason why DNS resolution (partly) fails. +Before running the DNS checks, check the [default DNS provider]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/options/#default-dns-provider) for your cluster and make sure that [the overlay network is functioning correctly]({{}}/rancher/v2.x/en/troubleshooting/networking/#check-if-overlay-network-is-functioning-correctly) as this can also be the reason why DNS resolution (partly) fails. ### Check if DNS pods are running @@ -196,7 +196,7 @@ services: > **Note:** As the `kubelet` is running inside a container, the path for files located in `/etc` and `/usr` are in `/host/etc` and `/host/usr` inside the `kubelet` container. -See [Editing Cluster as YAML]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/editing-clusters/#editing-cluster-as-yaml) how to apply this change. When the provisioning of the cluster has finished, you have to remove the kube-dns pod to activate the new setting in the pod: +See [Editing Cluster as YAML]({{}}/rancher/v2.x/en/k8s-in-rancher/editing-clusters/#editing-cluster-as-yaml) how to apply this change. When the provisioning of the cluster has finished, you have to remove the kube-dns pod to activate the new setting in the pod: ``` kubectl delete pods -n kube-system -l k8s-app=kube-dns 
diff --git a/content/rancher/v2.x/en/troubleshooting/kubernetes-components/_index.md b/content/rancher/v2.x/en/troubleshooting/kubernetes-components/_index.md index 0c73699ee9f..d2e32f91537 100644 --- a/content/rancher/v2.x/en/troubleshooting/kubernetes-components/_index.md +++ b/content/rancher/v2.x/en/troubleshooting/kubernetes-components/_index.md @@ -3,7 +3,7 @@ title: Kubernetes Components weight: 100 --- -The commands and steps listed in this section apply to the core Kubernetes components on [Rancher Launched Kubernetes]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/) clusters. +The commands and steps listed in this section apply to the core Kubernetes components on [Rancher Launched Kubernetes]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/) clusters. This section includes troubleshooting tips in the following categories: @@ -14,5 +14,5 @@ This section includes troubleshooting tips in the following categories: # Kubernetes Component Diagram -![Cluster diagram]({{< baseurl >}}/img/rancher/clusterdiagram.svg)
    +![Cluster diagram]({{}}/img/rancher/clusterdiagram.svg)
    Lines show the traffic flow between components. Colors are used purely for visual aid \ No newline at end of file diff --git a/content/rancher/v2.x/en/troubleshooting/kubernetes-components/controlplane/_index.md b/content/rancher/v2.x/en/troubleshooting/kubernetes-components/controlplane/_index.md index a94b1a04ee7..1ca42591cf2 100644 --- a/content/rancher/v2.x/en/troubleshooting/kubernetes-components/controlplane/_index.md +++ b/content/rancher/v2.x/en/troubleshooting/kubernetes-components/controlplane/_index.md @@ -29,7 +29,7 @@ bdf3898b8063 rancher/hyperkube:v1.11.5-rancher1 "/opt/rke-tools/en..." # Controlplane Container Logging -> **Note:** If you added multiple nodes with the `controlplane` role, both `kube-controller-manager` and `kube-scheduler` use a leader election process to determine the leader. Only the current leader will log the performed actions. See [Kubernetes leader election]({{< baseurl >}}/rancher/v2.x/en/troubleshooting/kubernetes-resources/#kubernetes-leader-election) how to retrieve the current leader. +> **Note:** If you added multiple nodes with the `controlplane` role, both `kube-controller-manager` and `kube-scheduler` use a leader election process to determine the leader. Only the current leader will log the performed actions. See [Kubernetes leader election]({{}}/rancher/v2.x/en/troubleshooting/kubernetes-resources/#kubernetes-leader-election) how to retrieve the current leader. The logging of the containers can contain information on what the problem could be. diff --git a/content/rancher/v2.x/en/troubleshooting/kubernetes-resources/_index.md b/content/rancher/v2.x/en/troubleshooting/kubernetes-resources/_index.md index c8eae70b743..f4a6b8aecf1 100644 --- a/content/rancher/v2.x/en/troubleshooting/kubernetes-resources/_index.md +++ b/content/rancher/v2.x/en/troubleshooting/kubernetes-resources/_index.md 
@@ -3,7 +3,7 @@ title: Kubernetes resources weight: 101 --- -The commands/steps listed on this page can be used to check the most important Kubernetes resources and apply to [Rancher Launched Kubernetes]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/) clusters. +The commands/steps listed on this page can be used to check the most important Kubernetes resources and apply to [Rancher Launched Kubernetes]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/) clusters. Make sure you configured the correct kubeconfig (for example, `export KUBECONFIG=$PWD/kube_config_rancher-cluster.yml` for Rancher HA) or are using the embedded kubectl via the UI. diff --git a/content/rancher/v2.x/en/troubleshooting/networking/_index.md b/content/rancher/v2.x/en/troubleshooting/networking/_index.md index d76fbf67773..7259b61a3e0 100644 --- a/content/rancher/v2.x/en/troubleshooting/networking/_index.md +++ b/content/rancher/v2.x/en/troubleshooting/networking/_index.md @@ -112,7 +112,7 @@ If there is no output, the cluster is not affected. |------------|------------| | GitHub issue | [#15146](https://github.com/rancher/rancher/issues/15146) | -If pods in system namespaces cannot communicate with pods in other system namespaces, you will need to follow the instructions in [Upgrading to v2.0.7+ — Namespace Migration]({{< baseurl >}}/rancher/v2.x/en/upgrades/upgrades/namespace-migration/) to restore connectivity. Symptoms include: +If pods in system namespaces cannot communicate with pods in other system namespaces, you will need to follow the instructions in [Upgrading to v2.0.7+ — Namespace Migration]({{}}/rancher/v2.x/en/upgrades/upgrades/namespace-migration/) to restore connectivity. Symptoms include: - NGINX ingress controller showing `504 Gateway Time-out` when accessed. - NGINX ingress controller logging `upstream timed out (110: Connection timed out) while connecting to upstream` when accessed. 
diff --git a/content/rancher/v2.x/en/upgrades/_index.md b/content/rancher/v2.x/en/upgrades/_index.md index 5fdcdc3dc16..1d0ce9190a5 100644 --- a/content/rancher/v2.x/en/upgrades/_index.md +++ b/content/rancher/v2.x/en/upgrades/_index.md @@ -7,7 +7,7 @@ aliases: ### Upgrading Rancher -- [Upgrades]({{< baseurl >}}/rancher/v2.x/en/upgrades/upgrades/) +- [Upgrades]({{}}/rancher/v2.x/en/upgrades/upgrades/) ### Rolling Back Unsuccessful Upgrades @@ -16,7 +16,7 @@ In the event that your Rancher Server does not upgrade successfully, you can rol - [Rollbacks for Rancher installed with Docker]({{}}/rancher/v2.x/en/upgrades/single-node-rollbacks) - [Rollbacks for Rancher installed on a Kubernetes cluster]({{}}/rancher/v2.x/en/upgrades/ha-server-rollbacks) -> **Note:** If you are rolling back to versions in either of these scenarios, you must follow some extra [instructions]({{< baseurl >}}/rancher/v2.x/en/upgrades/rollbacks/) in order to get your clusters working. +> **Note:** If you are rolling back to versions in either of these scenarios, you must follow some extra [instructions]({{}}/rancher/v2.x/en/upgrades/rollbacks/) in order to get your clusters working. > >- Rolling back from v2.1.6+ to any version between v2.1.0 - v2.1.5 or v2.0.0 - v2.0.10. >- Rolling back from v2.0.11+ to any version between v2.0.0 - v2.0.10. diff --git a/content/rancher/v2.x/en/upgrades/rollbacks/_index.md b/content/rancher/v2.x/en/upgrades/rollbacks/_index.md index 245af441455..4a3c79a010a 100644 --- a/content/rancher/v2.x/en/upgrades/rollbacks/_index.md +++ b/content/rancher/v2.x/en/upgrades/rollbacks/_index.md 
@@ -32,7 +32,7 @@ Because of the changes necessary to address [CVE-2018-20321](https://cve.mitre.o 2. After executing the command a `tokens.json` file will be created. Important! Back up this file in a safe place.** You will need it to restore functionality to your clusters after rolling back Rancher. **If you lose this file, you may lose access to your clusters.** -3. Rollback Rancher following the [normal instructions]({{< baseurl >}}/rancher/v2.x/en/upgrades/rollbacks/). +3. Rollback Rancher following the [normal instructions]({{}}/rancher/v2.x/en/upgrades/rollbacks/). 4. Once Rancher comes back up, every cluster managed by Rancher (except for Imported clusters) will be in an `Unavailable` state. diff --git a/content/rancher/v2.x/en/upgrades/rollbacks/ha-server-rollbacks/_index.md b/content/rancher/v2.x/en/upgrades/rollbacks/ha-server-rollbacks/_index.md index 3288777bd26..2cca7a4b78a 100644 --- a/content/rancher/v2.x/en/upgrades/rollbacks/ha-server-rollbacks/_index.md +++ b/content/rancher/v2.x/en/upgrades/rollbacks/ha-server-rollbacks/_index.md @@ -7,7 +7,7 @@ aliases: If you upgrade Rancher and the upgrade does not complete successfully, you may need to rollback your Rancher Server to its last healthy state. -To restore Rancher follow the procedure detailed here: [Restoring Backups — Kubernetes installs]({{< baseurl >}}/rancher/v2.x/en/backups/restorations/ha-restoration) +To restore Rancher follow the procedure detailed here: [Restoring Backups — Kubernetes installs]({{}}/rancher/v2.x/en/backups/restorations/ha-restoration) Restoring a snapshot of the Rancher Server cluster will revert Rancher to the version and state at the time of the snapshot. diff --git a/content/rancher/v2.x/en/upgrades/rollbacks/single-node-rollbacks/_index.md b/content/rancher/v2.x/en/upgrades/rollbacks/single-node-rollbacks/_index.md index 0a041e08ae8..3ad649798e0 100644 --- a/content/rancher/v2.x/en/upgrades/rollbacks/single-node-rollbacks/_index.md 
+++ b/content/rancher/v2.x/en/upgrades/rollbacks/single-node-rollbacks/_index.md @@ -24,7 +24,7 @@ In this command, `` is the version of Rancher you were ru Cross reference the image and reference table below to learn how to obtain this placeholder data. Write down or copy this information before starting the [procedure below](#creating-a-backup). Terminal `docker ps` Command, Displaying Where to Find `` and `` -![Placeholder Reference]({{< baseurl >}}/img/rancher/placeholder-ref-2.png) +![Placeholder Reference]({{}}/img/rancher/placeholder-ref-2.png) | Placeholder | Example | Description | | -------------------------- | -------------------------- | ------------------------------------------------------- | 
@@ -59,9 +59,9 @@ If you have issues upgrading Rancher, roll it back to its latest known healthy s ``` You can obtain the name for your Rancher container by entering `docker ps`. -1. Move the backup tarball that you created during completion of [Docker Upgrade]({{< baseurl >}}/rancher/v2.x/en/upgrades/upgrades/single-node-upgrade/) onto your Rancher Server. Change to the directory that you moved it to. Enter `dir` to confirm that it's there. +1. Move the backup tarball that you created during completion of [Docker Upgrade]({{}}/rancher/v2.x/en/upgrades/upgrades/single-node-upgrade/) onto your Rancher Server. Change to the directory that you moved it to. Enter `dir` to confirm that it's there. - If you followed the naming convention we suggested in [Docker Upgrade]({{< baseurl >}}/rancher/v2.x/en/upgrades/upgrades/single-node-upgrade/), it will have a name similar to (`rancher-data-backup--.tar.gz`). + If you followed the naming convention we suggested in [Docker Upgrade]({{}}/rancher/v2.x/en/upgrades/upgrades/single-node-upgrade/), it will have a name similar to (`rancher-data-backup--.tar.gz`). 1. Run the following command to replace the data in the `rancher-data` container with the data in the backup tarball, replacing the [placeholder](#before-you-start). Don't forget to close the quotes. diff --git a/content/rancher/v2.x/en/upgrades/upgrades/_index.md b/content/rancher/v2.x/en/upgrades/upgrades/_index.md index d83b0af6f5a..68539cc09c1 100644 --- a/content/rancher/v2.x/en/upgrades/upgrades/_index.md +++ b/content/rancher/v2.x/en/upgrades/upgrades/_index.md 
@@ -14,17 +14,17 @@ The following table lists some of the most noteworthy issues to be considered wh Upgrade Scenario | Issue ---|--- Upgrading to v2.3.0+ | Any user provisioned cluster will be automatically updated upon any edit as tolerations were added to the images used for Kubernetes provisioning. -Upgrading to v2.2.0-v2.2.x | Rancher introduced the [system charts](https://github.com/rancher/system-charts) repository which contains all the catalog items required for features such as monitoring, logging, alerting and global DNS. To be able to use these features in an air gap install, you will need to mirror the `system-charts` repository locally and configure Rancher to use that repository. Please follow the instructions to [configure Rancher system charts]({{< baseurl >}}/rancher/v2.x/en/installation/options/local-system-charts/#setting-up-system-charts-for-rancher-prior-to-v2-3-0). +Upgrading to v2.2.0-v2.2.x | Rancher introduced the [system charts](https://github.com/rancher/system-charts) repository which contains all the catalog items required for features such as monitoring, logging, alerting and global DNS. To be able to use these features in an air gap install, you will need to mirror the `system-charts` repository locally and configure Rancher to use that repository. Please follow the instructions to [configure Rancher system charts]({{}}/rancher/v2.x/en/installation/options/local-system-charts/#setting-up-system-charts-for-rancher-prior-to-v2-3-0). Upgrading from v2.0.13 or earlier | If your cluster's certificates have expired, you will need to perform [additional steps]({{}}/rancher/v2.x/en/cluster-admin/certificate-rotation/#rotating-expired-certificates-after-upgrading-older-rancher-versions) to rotate the certificates. -Upgrading from v2.0.7 or earlier | Rancher introduced the `system` project, which is a project that's automatically created to store important namespaces that Kubernetes needs to operate. 
During upgrade to v2.0.7+, Rancher expects these namespaces to be unassigned from all projects. Before beginning upgrade, check your system namespaces to make sure that they're unassigned to [prevent cluster networking issues]({{< baseurl >}}/rancher/v2.x/en/upgrades/upgrades/namespace-migration/#preventing-cluster-networking-issues). +Upgrading from v2.0.7 or earlier | Rancher introduced the `system` project, which is a project that's automatically created to store important namespaces that Kubernetes needs to operate. During upgrade to v2.0.7+, Rancher expects these namespaces to be unassigned from all projects. Before beginning upgrade, check your system namespaces to make sure that they're unassigned to [prevent cluster networking issues]({{}}/rancher/v2.x/en/upgrades/upgrades/namespace-migration/#preventing-cluster-networking-issues). ### Caveats -Upgrades _to_ or _from_ any chart in the [rancher-alpha repository]({{< baseurl >}}/rancher/v2.x/en/installation/options/server-tags/#helm-chart-repositories/) aren't supported. +Upgrades _to_ or _from_ any chart in the [rancher-alpha repository]({{}}/rancher/v2.x/en/installation/options/server-tags/#helm-chart-repositories/) aren't supported. ### RKE Add-on Installs **Important: RKE add-on install is only supported up to Rancher v2.0.8** -Please use the Rancher helm chart to install Rancher on a Kubernetes cluster. For details, see the [Kubernetes Install - Installation Outline]({{< baseurl >}}/rancher/v2.x/en/installation/k8s-install/#installation-outline). +Please use the Rancher helm chart to install Rancher on a Kubernetes cluster. For details, see the [Kubernetes Install - Installation Outline]({{}}/rancher/v2.x/en/installation/k8s-install/#installation-outline). -If you are currently using the RKE add-on install method, see [Migrating from a RKE add-on install]({{< baseurl >}}/rancher/v2.x/en/upgrades/upgrades/migrating-from-rke-add-on/) for details on how to move to using the helm chart. 
+If you are currently using the RKE add-on install method, see [Migrating from a RKE add-on install]({{}}/rancher/v2.x/en/upgrades/upgrades/migrating-from-rke-add-on/) for details on how to move to using the helm chart. diff --git a/content/rancher/v2.x/en/upgrades/upgrades/ha/_index.md b/content/rancher/v2.x/en/upgrades/upgrades/ha/_index.md index 8522ff2f813..7e74a35c0ed 100644 --- a/content/rancher/v2.x/en/upgrades/upgrades/ha/_index.md +++ b/content/rancher/v2.x/en/upgrades/upgrades/ha/_index.md @@ -8,7 +8,7 @@ aliases: The following instructions will guide you through using Helm to upgrade a Rancher server that was installed on a Kubernetes cluster. -To upgrade the components in your Kubernetes cluster, or the definition of the [Kubernetes services]({{}}/rke/latest/en/config-options/services/) or [add-ons]({{< baseurl >}}/rke/latest/en/config-options/add-ons/), refer to the [upgrade documentation for RKE]({{}}/rke/latest/en/upgrades/), the Rancher Kubernetes Engine. +To upgrade the components in your Kubernetes cluster, or the definition of the [Kubernetes services]({{}}/rke/latest/en/config-options/services/) or [add-ons]({{}}/rke/latest/en/config-options/add-ons/), refer to the [upgrade documentation for RKE]({{}}/rke/latest/en/upgrades/), the Rancher Kubernetes Engine. If you installed Rancher using the RKE Add-on yaml, follow the directions to [migrate or upgrade]({{}}/rancher/v2.x/en/upgrades/upgrades/migrating-from-rke-add-on). @@ -34,7 +34,7 @@ Follow the steps to upgrade Rancher server: ### A. Back up Your Kubernetes Cluster that is Running Rancher Server -[Take a one-time snapshot]({{< baseurl >}}/rancher/v2.x/en/backups/backups/ha-backups/#option-b-one-time-snapshots) +[Take a one-time snapshot]({{}}/rancher/v2.x/en/backups/backups/ha-backups/#option-b-one-time-snapshots) of your Kubernetes cluster running Rancher server. You'll use the snapshot as a restoration point if something goes wrong during upgrade. ### B. Update the Helm chart repository 
@@ -47,7 +47,7 @@ of your Kubernetes cluster running Rancher server. You'll use the snapshot as a 1. Get the repository name that you used to install Rancher. - For information about the repos and their differences, see [Helm Chart Repositories]({{< baseurl >}}/rancher/v2.x/en/installation/options/server-tags/#helm-chart-repositories). + For information about the repos and their differences, see [Helm Chart Repositories]({{}}/rancher/v2.x/en/installation/options/server-tags/#helm-chart-repositories). {{< release-channel >}} @@ -59,7 +59,7 @@ of your Kubernetes cluster running Rancher server. You'll use the snapshot as a rancher- https://releases.rancher.com/server-charts/ ``` - > **Note:** If you want to switch to a different Helm chart repository, please follow the [steps on how to switch repositories]({{< baseurl >}}/rancher/v2.x/en/installation/options/server-tags/#switching-to-a-different-helm-chart-repository). If you switch repositories, make sure to list the repositories again before continuing onto Step 3 to ensure you have the correct one added. + > **Note:** If you want to switch to a different Helm chart repository, please follow the [steps on how to switch repositories]({{}}/rancher/v2.x/en/installation/options/server-tags/#switching-to-a-different-helm-chart-repository). If you switch repositories, make sure to list the repositories again before continuing onto Step 3 to ensure you have the correct one added. 1. Fetch the latest chart to install Rancher from the Helm chart repository. 
@@ -109,7 +109,7 @@ helm upgrade rancher rancher-/rancher \ If you are currently running the cert-manger whose version is older than v0.11, and want to upgrade both Rancher and cert-manager to a newer version, then you need to reinstall both Rancher and cert-manger due to the API change in cert-manger v0.11. -Please refer the [Upgrading Cert-Manager]({{< baseurl >}}/rancher/v2.x/en/installation/options/upgrading-cert-manager) page for more information. +Please refer the [Upgrading Cert-Manager]({{}}/rancher/v2.x/en/installation/options/upgrading-cert-manager) page for more information. 1. Uninstall Rancher @@ -190,8 +190,8 @@ Log into Rancher to confirm that the upgrade succeeded. >**Having network issues following upgrade?** > -> See [Restoring Cluster Networking]({{< baseurl >}}/rancher/v2.x/en/upgrades/upgrades/namespace-migration/#restoring-cluster-networking). +> See [Restoring Cluster Networking]({{}}/rancher/v2.x/en/upgrades/upgrades/namespace-migration/#restoring-cluster-networking). ## Rolling Back -Should something go wrong, follow the [roll back]({{< baseurl >}}/rancher/v2.x/en/upgrades/rollbacks/ha-server-rollbacks/) instructions to restore the snapshot you took before you preformed the upgrade. +Should something go wrong, follow the [roll back]({{}}/rancher/v2.x/en/upgrades/rollbacks/ha-server-rollbacks/) instructions to restore the snapshot you took before you preformed the upgrade. diff --git a/content/rancher/v2.x/en/upgrades/upgrades/ha/helm2/_index.md b/content/rancher/v2.x/en/upgrades/upgrades/ha/helm2/_index.md index 1c717cd0a03..f5d762cc5f5 100644 --- a/content/rancher/v2.x/en/upgrades/upgrades/ha/helm2/_index.md +++ b/content/rancher/v2.x/en/upgrades/upgrades/ha/helm2/_index.md 
@@ -11,7 +11,7 @@ weight: 1050 The following instructions will guide you through using Helm to upgrade a Rancher server that is installed on a Kubernetes cluster. -To upgrade the components in your Kubernetes cluster, or the definition of the [Kubernetes services]({{}}/rke/latest/en/config-options/services/) or [add-ons]({{< baseurl >}}/rke/latest/en/config-options/add-ons/), refer to the [upgrade documentation for RKE]({{}}/rke/latest/en/upgrades/), the Rancher Kubernetes Engine. +To upgrade the components in your Kubernetes cluster, or the definition of the [Kubernetes services]({{}}/rke/latest/en/config-options/services/) or [add-ons]({{}}/rke/latest/en/config-options/add-ons/), refer to the [upgrade documentation for RKE]({{}}/rke/latest/en/upgrades/), the Rancher Kubernetes Engine. If you installed Rancher using the RKE Add-on yaml, follow the directions to [migrate or upgrade]({{}}/rancher/v2.x/en/upgrades/upgrades/migrating-from-rke-add-on). @@ -37,7 +37,7 @@ Follow the steps to upgrade Rancher server: ### A. Back up Your Kubernetes Cluster that is Running Rancher Server -[Take a one-time snapshot]({{< baseurl >}}/rancher/v2.x/en/backups/backups/ha-backups/#option-b-one-time-snapshots) +[Take a one-time snapshot]({{}}/rancher/v2.x/en/backups/backups/ha-backups/#option-b-one-time-snapshots) of your Kubernetes cluster running Rancher server. You'll use the snapshot as a restoration point if something goes wrong during upgrade. ### B. Update the Helm chart repository 
@@ -50,7 +50,7 @@ of your Kubernetes cluster running Rancher server. You'll use the snapshot as a 1. Get the repository name that you used to install Rancher. - For information about the repos and their differences, see [Helm Chart Repositories]({{< baseurl >}}/rancher/v2.x/en/installation/options/server-tags/#helm-chart-repositories). + For information about the repos and their differences, see [Helm Chart Repositories]({{}}/rancher/v2.x/en/installation/options/server-tags/#helm-chart-repositories). {{< release-channel >}} @@ -62,7 +62,7 @@ of your Kubernetes cluster running Rancher server. You'll use the snapshot as a rancher- https://releases.rancher.com/server-charts/ ``` - > **Note:** If you want to switch to a different Helm chart repository, please follow the [steps on how to switch repositories]({{< baseurl >}}/rancher/v2.x/en/installation/options/server-tags/#switching-to-a-different-helm-chart-repository). If you switch repositories, make sure to list the repositories again before continuing onto Step 3 to ensure you have the correct one added. + > **Note:** If you want to switch to a different Helm chart repository, please follow the [steps on how to switch repositories]({{}}/rancher/v2.x/en/installation/options/server-tags/#switching-to-a-different-helm-chart-repository). If you switch repositories, make sure to list the repositories again before continuing onto Step 3 to ensure you have the correct one added. 1. Fetch the latest chart to install Rancher from the Helm chart repository. 
@@ -110,7 +110,7 @@ helm upgrade rancher-/rancher \ If you are currently running the cert-manger whose version is older than v0.11, and want to upgrade both Rancher and cert-manager to a newer version, then you need to reinstall both Rancher and cert-manger due to the API change in cert-manger v0.11. -Please refer the [Upgrading Cert-Manager]({{< baseurl >}}/rancher/v2.x/en/installation/options/upgrading-cert-manager) page for more information. +Please refer the [Upgrading Cert-Manager]({{}}/rancher/v2.x/en/installation/options/upgrading-cert-manager) page for more information. 1. Uninstall Rancher @@ -192,8 +192,8 @@ Log into Rancher to confirm that the upgrade succeeded. >**Having network issues following upgrade?** > -> See [Restoring Cluster Networking]({{< baseurl >}}/rancher/v2.x/en/upgrades/upgrades/namespace-migration/#restoring-cluster-networking). +> See [Restoring Cluster Networking]({{}}/rancher/v2.x/en/upgrades/upgrades/namespace-migration/#restoring-cluster-networking). ## Rolling Back -Should something go wrong, follow the [roll back]({{< baseurl >}}/rancher/v2.x/en/upgrades/rollbacks/ha-server-rollbacks/) instructions to restore the snapshot you took before you preformed the upgrade. +Should something go wrong, follow the [roll back]({{}}/rancher/v2.x/en/upgrades/rollbacks/ha-server-rollbacks/) instructions to restore the snapshot you took before you preformed the upgrade. diff --git a/content/rancher/v2.x/en/upgrades/upgrades/migrating-from-rke-add-on/_index.md b/content/rancher/v2.x/en/upgrades/upgrades/migrating-from-rke-add-on/_index.md index c5e8091bdba..77b7a515e7a 100644 --- a/content/rancher/v2.x/en/upgrades/upgrades/migrating-from-rke-add-on/_index.md +++ b/content/rancher/v2.x/en/upgrades/upgrades/migrating-from-rke-add-on/_index.md 
@@ -57,7 +57,7 @@ kubectl -n cattle-system get secret cattle-keys-server -o jsonpath --template='{ Remove the Kubernetes objects created by the RKE install. -> **Note:** Removing these Kubernetes components will not affect the Rancher configuration or database, but with any maintenance it is a good idea to create a backup of the data before hand. See [Creating Backups-Kubernetes Install]({{< baseurl >}}/rancher/v2.x/en/backups/backups/ha-backups) for details. +> **Note:** Removing these Kubernetes components will not affect the Rancher configuration or database, but with any maintenance it is a good idea to create a backup of the data before hand. See [Creating Backups-Kubernetes Install]({{}}/rancher/v2.x/en/backups/backups/ha-backups) for details. ``` kubectl -n cattle-system delete ingress cattle-ingress-http @@ -105,5 +105,5 @@ addons: |- From here follow the standard install steps. -* [3 - Initialize Helm]({{< baseurl >}}/rancher/v2.x/en/installation/options/helm2/helm-init/) -* [4 - Install Rancher]({{< baseurl >}}/rancher/v2.x/en/installation/options/helm2/helm-rancher/) +* [3 - Initialize Helm]({{}}/rancher/v2.x/en/installation/options/helm2/helm-init/) +* [4 - Install Rancher]({{}}/rancher/v2.x/en/installation/options/helm2/helm-rancher/) diff --git a/content/rancher/v2.x/en/upgrades/upgrades/namespace-migration/_index.md b/content/rancher/v2.x/en/upgrades/upgrades/namespace-migration/_index.md index 2d85fdad4d6..56855eb7b5e 100644 --- a/content/rancher/v2.x/en/upgrades/upgrades/namespace-migration/_index.md +++ b/content/rancher/v2.x/en/upgrades/upgrades/namespace-migration/_index.md @@ -52,11 +52,11 @@ You can prevent cluster networking issues from occurring during your upgrade to >1 Only displays if this feature is enabled for the cluster.
    Moving namespaces out of projects
    - ![Moving Namespaces]({{< baseurl >}}/img/rancher/move-namespaces.png) + ![Moving Namespaces]({{}}/img/rancher/move-namespaces.png) 1. Repeat these steps for each cluster where you've assigned system namespaces to projects. -**Result:** All system namespaces are moved out of Rancher projects. You can now safely begin the [upgrade]({{< baseurl >}}/rancher/v2.x/en/upgrades/upgrades). +**Result:** All system namespaces are moved out of Rancher projects. You can now safely begin the [upgrade]({{}}/rancher/v2.x/en/upgrades/upgrades). ## Restoring Cluster Networking @@ -171,8 +171,8 @@ Reset the cluster nodes' network policies to restore connectivity.
    If you can access Rancher, but one or more of the clusters that you launched using Rancher has no networking, you can repair them by moving the -- From the cluster's [embedded kubectl shell]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/kubectl/#accessing-clusters-with-kubectl-shell). -- By [downloading the cluster kubeconfig file and running it]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/kubectl/#accessing-clusters-with-kubectl-and-a-kubeconfig-file) from your workstation. +- From the cluster's [embedded kubectl shell]({{}}/rancher/v2.x/en/k8s-in-rancher/kubectl/#accessing-clusters-with-kubectl-shell). +- By [downloading the cluster kubeconfig file and running it]({{}}/rancher/v2.x/en/k8s-in-rancher/kubectl/#accessing-clusters-with-kubectl-and-a-kubeconfig-file) from your workstation. ``` for namespace in $(kubectl --kubeconfig kube_config_rancher-cluster.yml get ns -o custom-columns=NAME:.metadata.name --no-headers); do diff --git a/content/rancher/v2.x/en/upgrades/upgrades/single-node/_index.md b/content/rancher/v2.x/en/upgrades/upgrades/single-node/_index.md index 6e859c2f9b0..3b1448cc156 100644 --- a/content/rancher/v2.x/en/upgrades/upgrades/single-node/_index.md +++ b/content/rancher/v2.x/en/upgrades/upgrades/single-node/_index.md @@ -28,7 +28,7 @@ In this command, `` is the name of your Rancher containe Cross reference the image and reference table below to learn how to obtain this placeholder data. Write down or copy this information before starting the upgrade. Terminal `docker ps` Command, Displaying Where to Find `` and `` -![Placeholder Reference]({{< baseurl >}}/img/rancher/placeholder-ref.png) +![Placeholder Reference]({{}}/img/rancher/placeholder-ref.png) | Placeholder | Example | Description | | -------------------------- | -------------------------- | --------------------------------------------------------- | 
@@ -95,7 +95,7 @@ Pull the image of the Rancher version that you want to upgrade to. Placeholder | Description ------------|------------- -`` | The release tag of the [Rancher version]({{< baseurl >}}/rancher/v2.x/en/installation/options/server-tags/) that you want to upgrade to. +`` | The release tag of the [Rancher version]({{}}/rancher/v2.x/en/installation/options/server-tags/) that you want to upgrade to. ``` docker pull rancher/rancher: @@ -129,7 +129,7 @@ If you have selected to use the Rancher generated self-signed certificate, you a Placeholder | Description ------------|------------- -`` | The release tag of the [Rancher version]({{< baseurl >}}/rancher/v2.x/en/installation/options/server-tags/) that you want to upgrade to. +`` | The release tag of the [Rancher version]({{}}/rancher/v2.x/en/installation/options/server-tags/) that you want to upgrade to. ``` docker run -d --volumes-from rancher-data \ @@ -152,7 +152,7 @@ Placeholder | Description `` | The path to your full certificate chain. `` | The path to the private key for your certificate. `` | The path to the certificate authority's certificate. -`` | The release tag of the [Rancher version]({{< baseurl >}}/rancher/v2.x/en/installation/options/server-tags/) that you want to upgrade to. +`` | The release tag of the [Rancher version]({{}}/rancher/v2.x/en/installation/options/server-tags/) that you want to upgrade to. ``` docker run -d --volumes-from rancher-data \ @@ -176,7 +176,7 @@ Placeholder | Description `` | The path to the directory containing your certificate files. `` | The path to your full certificate chain. `` | The path to the private key for your certificate. -`` | The release tag of the [Rancher version]({{< baseurl >}}/rancher/v2.x/en/installation/options/server-tags/) that you want to upgrade to. +`` | The release tag of the [Rancher version]({{}}/rancher/v2.x/en/installation/options/server-tags/) that you want to upgrade to. ``` docker run -d --volumes-from rancher-data \ 
@@ -201,7 +201,7 @@ If you have selected to use [Let's Encrypt](https://letsencrypt.org/) certificat Placeholder | Description ------------|------------- -`` | The release tag of the [Rancher version]({{< baseurl >}}/rancher/v2.x/en/installation/options/server-tags/) that you want to upgrade to. +`` | The release tag of the [Rancher version]({{}}/rancher/v2.x/en/installation/options/server-tags/) that you want to upgrade to. `` | The domain address that you had originally started with ``` @@ -230,7 +230,7 @@ If you have selected to use the Rancher generated self-signed certificate, you a Placeholder | Description ------------|------------- `` | Your private registry URL and port. -`` | The release tag of the [Rancher version]({{< baseurl >}}/rancher/v2.x/en/installation/options/server-tags/) that you want to to upgrade to. +`` | The release tag of the [Rancher version]({{}}/rancher/v2.x/en/installation/options/server-tags/) that you want to to upgrade to. ``` docker run -d --volumes-from rancher-data \ @@ -255,7 +255,7 @@ Placeholder | Description `` | The path to the private key for your certificate. `` | The path to the certificate authority's certificate. `` | Your private registry URL and port. -`` | The release tag of the [Rancher version]({{< baseurl >}}/rancher/v2.x/en/installation/options/server-tags/) that you want to upgrade to. +`` | The release tag of the [Rancher version]({{}}/rancher/v2.x/en/installation/options/server-tags/) that you want to upgrade to. ``` docker run -d --restart=unless-stopped \ 
@@ -281,7 +281,7 @@ Placeholder | Description `` | The path to your full certificate chain. `` | The path to the private key for your certificate. `` | Your private registry URL and port. -`` | The release tag of the [Rancher version]({{< baseurl >}}/rancher/v2.x/en/installation/options/server-tags/) that you want to upgrade to. +`` | The release tag of the [Rancher version]({{}}/rancher/v2.x/en/installation/options/server-tags/) that you want to upgrade to. > **Note:** Use the `--no-cacerts` as argument to the container to disable the default CA certificate generated by Rancher. @@ -308,7 +308,7 @@ Log into Rancher. Confirm that the upgrade succeeded by checking the version dis >**Having network issues in your user clusters following upgrade?** > -> See [Restoring Cluster Networking]({{< baseurl >}}/rancher/v2.x/en/upgrades/upgrades/namespace-migration/#restoring-cluster-networking). +> See [Restoring Cluster Networking]({{}}/rancher/v2.x/en/upgrades/upgrades/namespace-migration/#restoring-cluster-networking). ### F. Clean up Your Old Rancher Server Container @@ -317,4 +317,4 @@ Remove the previous Rancher server container. If you only stop the previous Ranc ## Rolling Back -If your upgrade does not complete successfully, you can roll back Rancher server and its data back to its last healthy state. For more information, see [Docker Rollback]({{< baseurl >}}/rancher/v2.x/en/upgrades/rollbacks/single-node-rollbacks/). +If your upgrade does not complete successfully, you can roll back Rancher server and its data back to its last healthy state. For more information, see [Docker Rollback]({{}}/rancher/v2.x/en/upgrades/rollbacks/single-node-rollbacks/). diff --git a/content/rancher/v2.x/en/user-settings/_index.md b/content/rancher/v2.x/en/user-settings/_index.md index 4fea8416f2c..c048530c560 100644 --- a/content/rancher/v2.x/en/user-settings/_index.md +++ b/content/rancher/v2.x/en/user-settings/_index.md 
@@ -7,12 +7,12 @@ aliases: Within Rancher, each user has a number of settings associated with their login: personal preferences, API keys, etc. You can configure these settings by choosing from the **User Settings** menu. You can open this menu by clicking your avatar, located within the main menu. -![User Settings Menu]({{< baseurl >}}/img/rancher/user-settings.png) +![User Settings Menu]({{}}/img/rancher/user-settings.png) The available user settings are: -- [API & Keys]({{< baseurl >}}/rancher/v2.x/en/user-settings/api-keys/): If you want to interact with Rancher programmatically, you need an API key. Follow the directions in this section to obtain a key.gferfgre -- [Cloud Credentials]({{< baseurl >}}/rancher/v2.x/en/user-settings/cloud-credentials/): Manage cloud credentials [used by node templates]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/node-pools/#node-templates) to [provision nodes for clusters]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/rke-clusters). Note: Available as of v2.2.0. -- [Node Templates]({{< baseurl >}}/rancher/v2.x/en/user-settings/node-templates): Manage templates [used by Rancher to provision nodes for clusters]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/rke-clusters). -- [Preferences]({{< baseurl >}}/rancher/v2.x/en/user-settings/preferences): Sets superficial preferences for the Rancher UI. +- [API & Keys]({{}}/rancher/v2.x/en/user-settings/api-keys/): If you want to interact with Rancher programmatically, you need an API key. Follow the directions in this section to obtain a key.gferfgre +- [Cloud Credentials]({{}}/rancher/v2.x/en/user-settings/cloud-credentials/): Manage cloud credentials [used by node templates]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/node-pools/#node-templates) to [provision nodes for clusters]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters). Note: Available as of v2.2.0. 
+- [Node Templates]({{}}/rancher/v2.x/en/user-settings/node-templates): Manage templates [used by Rancher to provision nodes for clusters]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters). +- [Preferences]({{}}/rancher/v2.x/en/user-settings/preferences): Sets superficial preferences for the Rancher UI. - Log Out: Ends your user session. diff --git a/content/rancher/v2.x/en/user-settings/api-keys/_index.md b/content/rancher/v2.x/en/user-settings/api-keys/_index.md index a824b0d58f5..bddabe76c3c 100644 --- a/content/rancher/v2.x/en/user-settings/api-keys/_index.md +++ b/content/rancher/v2.x/en/user-settings/api-keys/_index.md @@ -29,7 +29,7 @@ API Keys are composed of four components: The API key won't be valid after expiration. Shorter expiration periods are more secure. - A scope will limit the API key so that it will only work against the Kubernetes API of the specified cluster. If the cluster is configured with an Authorized Cluster Endpoint, you will be able to use a scoped token directly against the cluster's API without proxying through the Rancher server. See [Authorized Cluster Endpoints]({{< baseurl >}}/rancher/v2.x/en/overview/architecture/#4-authorized-cluster-endpoint) for more information. + A scope will limit the API key so that it will only work against the Kubernetes API of the specified cluster. If the cluster is configured with an Authorized Cluster Endpoint, you will be able to use a scoped token directly against the cluster's API without proxying through the Rancher server. See [Authorized Cluster Endpoints]({{}}/rancher/v2.x/en/overview/architecture/#4-authorized-cluster-endpoint) for more information. 4. Click **Create**. 
@@ -43,7 +43,7 @@ API Keys are composed of four components: - Enter your API key information into the application that will send requests to the Rancher API. - Learn more about the Rancher endpoints and parameters by selecting **View in API** for an object in the Rancher UI. -- API keys are used for API calls and [Rancher CLI]({{< baseurl >}}/rancher/v2.x/en/cli). +- API keys are used for API calls and [Rancher CLI]({{}}/rancher/v2.x/en/cli). ## Deleting API Keys diff --git a/content/rancher/v2.x/en/user-settings/cloud-credentials/_index.md b/content/rancher/v2.x/en/user-settings/cloud-credentials/_index.md index 57884ad24d5..39a516475c1 100644 --- a/content/rancher/v2.x/en/user-settings/cloud-credentials/_index.md +++ b/content/rancher/v2.x/en/user-settings/cloud-credentials/_index.md 
@@ -5,7 +5,7 @@ weight: 7011 _Available as of v2.2.0_ -When you create a cluster [hosted by an infrastructure provider]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/node-pools), [node templates]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/node-pools/#node-templates) are used to provision the cluster nodes. These templates use Docker Machine configuration options to define an operating system image and settings/parameters for the node. +When you create a cluster [hosted by an infrastructure provider]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/node-pools), [node templates]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/node-pools/#node-templates) are used to provision the cluster nodes. These templates use Docker Machine configuration options to define an operating system image and settings/parameters for the node. Node templates can use cloud credentials to access the credential information required to provision nodes in the infrastructure providers. The same cloud credential can be used by multiple node templates. By using a cloud credential, you do not have to re-enter access keys for the same cloud provider. Cloud credentials are stored as Kubernetes secrets. @@ -13,7 +13,7 @@ Cloud credentials are only used by node templates if there are fields marked as You can create cloud credentials in two contexts: -- [During creation of a node template]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/node-pools/#node-templates) for a cluster. +- [During creation of a node template]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/node-pools/#node-templates) for a cluster. - In the **User Settings** All cloud credentials are bound to the user profile of who created it. They **cannot** be shared across users. 
@@ -23,11 +23,11 @@ All cloud credentials are bound to the user profile of who created it. They **ca 1. From your user settings, select **User Avatar > Cloud Credentials**. 1. Click **Add Cloud Credential**. 1. Enter a name for the cloud credential. -1. Select a **Cloud Credential Type** from the drop down. The values of this dropdown is based on the `active` [node drivers]({{< baseurl >}}/rancher/v2.x/en/admin-settings/drivers/node-drivers/) in Rancher. +1. Select a **Cloud Credential Type** from the drop down. The values of this dropdown is based on the `active` [node drivers]({{}}/rancher/v2.x/en/admin-settings/drivers/node-drivers/) in Rancher. 1. Based on the selected cloud credential type, enter the required values to authenticate with the infrastructure provider. 1. Click **Create**. -**Result:** The cloud credential is created and can immediately be used to [create node templates]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/node-pools/#node-templates). +**Result:** The cloud credential is created and can immediately be used to [create node templates]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/node-pools/#node-templates). ## Updating a Cloud Credential 
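Review bot: The rewritten step that begins "1. Select a **Cloud Credential Type** from the drop down." still reads "The values of this dropdown is based on", which has a subject-verb mismatch and spells the control two ways ("drop down" and "dropdown") in adjacent sentences. Since the line is being touched anyway, suggest "The values in this dropdown are based on the `active` node drivers" and one spelling throughout.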
@@ -37,11 +37,11 @@ When access credentials are changed or compromised, updating a cloud credential 1. Choose the cloud credential you want to edit and click the **Vertical Ellipsis (...) > Edit**. 1. Update the credential information and click **Save**. -**Result:** The cloud credential is updated with the new access credentials. All existing node templates using this cloud credential will automatically use the updated information whenever [new nodes are added]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/node-pools/). +**Result:** The cloud credential is updated with the new access credentials. All existing node templates using this cloud credential will automatically use the updated information whenever [new nodes are added]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/node-pools/). ## Deleting a Cloud Credential -In order to delete cloud credentials, there must not be any node template associated with it. If you are unable to delete the cloud credential, [delete any node templates]({{< baseurl >}}/rancher/v2.x/en/user-settings/node-templates/#deleting-a-node-template) that are still associated to that cloud credential. +In order to delete cloud credentials, there must not be any node template associated with it. If you are unable to delete the cloud credential, [delete any node templates]({{}}/rancher/v2.x/en/user-settings/node-templates/#deleting-a-node-template) that are still associated to that cloud credential. 1. From your user settings, select **User Avatar > Cloud Credentials**. 1. You can either individually delete a cloud credential or bulk delete. diff --git a/content/rancher/v2.x/en/user-settings/node-templates/_index.md b/content/rancher/v2.x/en/user-settings/node-templates/_index.md index 2ebd89b0bd7..c91fa4ca695 100644 --- a/content/rancher/v2.x/en/user-settings/node-templates/_index.md +++ b/content/rancher/v2.x/en/user-settings/node-templates/_index.md 
@@ -3,9 +3,9 @@ title: Managing Node Templates weight: 7010 --- -When you provision a cluster [hosted by an infrastructure provider]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/node-pools), [node templates]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/node-pools/#node-templates) are used to provision the cluster nodes. These templates use Docker Machine configuration options to define an operating system image and settings/parameters for the node. You can create node templates in two contexts: +When you provision a cluster [hosted by an infrastructure provider]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/node-pools), [node templates]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/node-pools/#node-templates) are used to provision the cluster nodes. These templates use Docker Machine configuration options to define an operating system image and settings/parameters for the node. You can create node templates in two contexts: -- While [provisioning a node pool cluster]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/node-pools). +- While [provisioning a node pool cluster]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/node-pools). - At any time, from your [user settings](#creating-a-node-template-from-user-settings). When you create a node template, it is bound to your user profile. Node templates cannot be shared among users. You can delete stale node templates that you no longer user from your user settings. 
@@ -16,14 +16,14 @@ When you create a node template, it is bound to your user profile. Node template 1. Click **Add Template**. 1. Select one of the cloud providers available. Then follow the instructions on screen to configure the template. -**Result:** The template is configured. You can use the template later when you [provision a node pool cluster]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/node-pools). +**Result:** The template is configured. You can use the template later when you [provision a node pool cluster]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/node-pools). ## Updating a Node Template 1. From your user settings, select **User Avatar > Node Templates**. 1. Choose the node template that you want to edit and click the **Vertical Ellipsis (...) > Edit**. - > **Note:** As of v2.2.0, the default `active` [node drivers]({{< baseurl >}}/rancher/v2.x/en/admin-settings/drivers/node-drivers/) and any node driver, that has fields marked as `password`, are required to use [cloud credentials]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/node-pools/#cloud-credentials). If you have upgraded to v2.2.0, existing node templates will continue to work with the previous account access information, but when you edit the node template, you will be required to create a cloud credential and the node template will start using it. + > **Note:** As of v2.2.0, the default `active` [node drivers]({{}}/rancher/v2.x/en/admin-settings/drivers/node-drivers/) and any node driver, that has fields marked as `password`, are required to use [cloud credentials]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/node-pools/#cloud-credentials). If you have upgraded to v2.2.0, existing node templates will continue to work with the previous account access information, but when you edit the node template, you will be required to create a cloud credential and the node template will start using it. 1. 
Edit the required information and click **Save**. @@ -37,7 +37,7 @@ When creating new node templates from your user settings, you can clone an exist 1. Find the template you want to clone. Then select **Ellipsis > Clone**. 1. Complete the rest of the form. -**Result:** The template is cloned and configured. You can use the template later when you [provision a node pool cluster]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/node-pools). +**Result:** The template is cloned and configured. You can use the template later when you [provision a node pool cluster]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/node-pools). ## Deleting a Node Template diff --git a/content/rancher/v2.x/en/v1.6-migration/_index.md b/content/rancher/v2.x/en/v1.6-migration/_index.md index 8d065e00458..0766c009821 100644 --- a/content/rancher/v2.x/en/v1.6-migration/_index.md +++ b/content/rancher/v2.x/en/v1.6-migration/_index.md 
@@ -13,20 +13,20 @@ This video demonstrates a complete walk through of migration from Rancher v1.6 t ## Migration Plan ->**Want to more about Kubernetes before getting started?** Read our [Kubernetes Introduction]({{< baseurl >}}/rancher/v2.x/en/v1.6-migration/kub-intro). +>**Want to more about Kubernetes before getting started?** Read our [Kubernetes Introduction]({{}}/rancher/v2.x/en/v1.6-migration/kub-intro). -- [1. Get Started]({{< baseurl >}}/rancher/v2.x/en/v1.6-migration/get-started) +- [1. Get Started]({{}}/rancher/v2.x/en/v1.6-migration/get-started) >**Already a Kubernetes user in v1.6?** > > _Get Started_ is the only section you need to review for migration to v2.x. You can skip everything else. -- [2. Migrate Your Services]({{< baseurl >}}/rancher/v2.x/en/v1.6-migration/run-migration-tool/) -- [3. Expose Your Services]({{< baseurl >}}/rancher/v2.x/en/v1.6-migration/expose-services/) -- [4. Configure Health Checks]({{< baseurl >}}/rancher/v2.x/en/v1.6-migration/monitor-apps) -- [5. Schedule Your Services]({{< baseurl >}}/rancher/v2.x/en/v1.6-migration/schedule-workloads/) -- [6. Service Discovery]({{< baseurl >}}/rancher/v2.x/en/v1.6-migration/discover-services/) -- [7. Load Balancing]({{< baseurl >}}/rancher/v2.x/en/v1.6-migration/load-balancing/) +- [2. Migrate Your Services]({{}}/rancher/v2.x/en/v1.6-migration/run-migration-tool/) +- [3. Expose Your Services]({{}}/rancher/v2.x/en/v1.6-migration/expose-services/) +- [4. Configure Health Checks]({{}}/rancher/v2.x/en/v1.6-migration/monitor-apps) +- [5. Schedule Your Services]({{}}/rancher/v2.x/en/v1.6-migration/schedule-workloads/) +- [6. Service Discovery]({{}}/rancher/v2.x/en/v1.6-migration/discover-services/) +- [7. Load Balancing]({{}}/rancher/v2.x/en/v1.6-migration/load-balancing/) ## Migration Example Files 
@@ -48,4 +48,4 @@ During migration, we'll export these services from Rancher v1.6. The export gen A file for Rancher-specific functionality such as health checks and load balancers. These files cannot be read by Rancher v2.x, so don't worry about their contents—we're discarding them and recreating them using the v2.x UI. -### [Next: Get Started]({{< baseurl >}}/rancher/v2.x/en/v1.6-migration/get-started) +### [Next: Get Started]({{}}/rancher/v2.x/en/v1.6-migration/get-started) diff --git a/content/rancher/v2.x/en/v1.6-migration/discover-services/_index.md b/content/rancher/v2.x/en/v1.6-migration/discover-services/_index.md index 90112383200..0df7741ae6b 100644 --- a/content/rancher/v2.x/en/v1.6-migration/discover-services/_index.md +++ b/content/rancher/v2.x/en/v1.6-migration/discover-services/_index.md @@ -9,7 +9,7 @@ This document will also show you how to link the workloads and services that you
    Resolve the output.txt Link Directive
    -![Resolve Link Directive]({{< baseurl >}}/img/rancher/resolve-links.png) +![Resolve Link Directive]({{}}/img/rancher/resolve-links.png) ## In This Document @@ -27,7 +27,7 @@ This document will also show you how to link the workloads and services that you For Rancher v2.x, we've replaced the Rancher DNS microservice used in v1.6 with native [Kubernetes DNS support](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/), which provides equivalent service discovery for Kubernetes workloads and pods. Former Cattle users can replicate all the service discovery features from Rancher v1.6 in v2.x. There's no loss of functionality. -Kubernetes schedules a DNS pod and service in the cluster, which is similar to the [Rancher v1.6 DNS microservice]({{< baseurl >}}/rancher/v1.6/en/cattle/internal-dns-service/#internal-dns-service-in-cattle-environments). Kubernetes then configures its kubelets to route all DNS lookups to this DNS service, which is skyDNS, a flavor of the default Kube-DNS implementation. +Kubernetes schedules a DNS pod and service in the cluster, which is similar to the [Rancher v1.6 DNS microservice]({{}}/rancher/v1.6/en/cattle/internal-dns-service/#internal-dns-service-in-cattle-environments). Kubernetes then configures its kubelets to route all DNS lookups to this DNS service, which is skyDNS, a flavor of the default Kube-DNS implementation. The following table displays each service discovery feature available in the two Rancher releases. 
@@ -60,11 +60,11 @@ Pods can also be resolved using the `hostname` and `subdomain` fields if set in When you migrate v1.6 services to v2.x, Rancher does not automatically create a Kubernetes service record for each migrated deployment. Instead, you'll have to link the deployment and service together manually, using any of the methods listed below. -In the image below, the `web-deployment.yml` and `web-service.yml` files [created after parsing]({{< baseurl >}}/rancher/v2.x/en/v1.6-migration/run-migration-tool/#migration-example-file-output) our [migration example services]({{< baseurl >}}/rancher/v2.x/en/v1.6-migration/#migration-example-files) are linked together. +In the image below, the `web-deployment.yml` and `web-service.yml` files [created after parsing]({{}}/rancher/v2.x/en/v1.6-migration/run-migration-tool/#migration-example-file-output) our [migration example services]({{}}/rancher/v2.x/en/v1.6-migration/#migration-example-files) are linked together.
    Linked Workload and Kubernetes Service
    -![Linked Workload and Kubernetes Service]({{< baseurl >}}/img/rancher/linked-service-workload.png) +![Linked Workload and Kubernetes Service]({{}}/img/rancher/linked-service-workload.png) ### Service Name Alias Creation @@ -76,7 +76,7 @@ Using the v2.x UI, use the context menu to navigate to the `Project` view. Then Click **Add Record** to create new DNS records. Then view the various options supported to link to external services or to create aliases for another workload, DNS record, or set of pods.
    Add Service Discovery Record
    -![Add Service Discovery Record]({{< baseurl >}}/img/rancher/add-record.png) +![Add Service Discovery Record]({{}}/img/rancher/add-record.png) The following table indicates which alias options are implemented natively by Kubernetes and which options are implemented by Rancher leveraging Kubernetes. @@ -89,4 +89,4 @@ Pointing to another workload | | ✓ Create alias for another DNS record | | ✓ -### [Next: Load Balancing]({{< baseurl >}}/rancher/v2.x/en/v1.6-migration/load-balancing/) +### [Next: Load Balancing]({{}}/rancher/v2.x/en/v1.6-migration/load-balancing/) diff --git a/content/rancher/v2.x/en/v1.6-migration/expose-services/_index.md b/content/rancher/v2.x/en/v1.6-migration/expose-services/_index.md index 35c81ae5e58..5e7207b1630 100644 --- a/content/rancher/v2.x/en/v1.6-migration/expose-services/_index.md +++ b/content/rancher/v2.x/en/v1.6-migration/expose-services/_index.md @@ -9,7 +9,7 @@ Use this document to correct workloads that list `ports` in `output.txt`. You ca
    Resolve ports for the web Workload
    -![Resolve Ports]({{< baseurl >}}/img/rancher/resolve-ports.png) +![Resolve Ports]({{}}/img/rancher/resolve-ports.png) ## In This Document @@ -38,7 +38,7 @@ A _HostPort_ is a port exposed to the public on a _specific node_ running one or In the following diagram, a user is trying to access an instance of Nginx, which is running within a pod on port 80. However, the Nginx deployment is assigned a HostPort of 9890. The user can connect to this pod by browsing to its host IP address, followed by the HostPort in use (9890 in case). -![HostPort Diagram]({{< baseurl >}}/img/rancher/hostPort.svg) +![HostPort Diagram]({{}}/img/rancher/hostPort.svg) #### HostPort Pros @@ -71,7 +71,7 @@ NodePorts help you circumvent an IP address shortcoming. Although pods can be re In the following diagram, a user is trying to connect to an instance of Nginx running in a Kubernetes cluster managed by Rancher. Although he knows what NodePort Nginx is operating on (30216 in this case), he does not know the IP address of the specific node that the pod is running on. However, with NodePort enabled, he can connect to the pod using the IP address for _any_ node in the cluster. Kubeproxy will forward the request to the correct node and pod. -![NodePort Diagram]({{< baseurl >}}/img/rancher/nodePort.svg) +![NodePort Diagram]({{}}/img/rancher/nodePort.svg) NodePorts are available within your Kubernetes cluster on an internal IP. If you want to expose pods external to the cluster, use NodePorts in conjunction with an external load balancer. Traffic requests from outside your cluster for `:` are directed to the workload. The `` can be the IP address of any node in your Kubernetes cluster. 
@@ -101,4 +101,4 @@ For example, for the `web-deployment.yml` file parsed from v1.6 that we've been {{< img "/img/rancher/set-nodeport.gif" "Set NodePort" >}} -### [Next: Configure Health Checks]({{< baseurl >}}/rancher/v2.x/en/v1.6-migration/monitor-apps) +### [Next: Configure Health Checks]({{}}/rancher/v2.x/en/v1.6-migration/monitor-apps) diff --git a/content/rancher/v2.x/en/v1.6-migration/get-started/_index.md b/content/rancher/v2.x/en/v1.6-migration/get-started/_index.md index 4d4f2d9ad40..453f833724e 100644 --- a/content/rancher/v2.x/en/v1.6-migration/get-started/_index.md +++ b/content/rancher/v2.x/en/v1.6-migration/get-started/_index.md @@ -22,7 +22,7 @@ The first step in migrating from v1.6 to v2.x is to install the Rancher v2.x Ser New for v2.x, all communication to Rancher Server is encrypted. The procedures below instruct you not only on installation of Rancher, but also creation and installation of these certificates. -Before installing v2.x, provision one host or more to function as your Rancher Server(s). You can find the requirements for these hosts in [Server Requirements]({{< baseurl >}}/rancher/v2.x/en/installation/requirements/). +Before installing v2.x, provision one host or more to function as your Rancher Server(s). You can find the requirements for these hosts in [Server Requirements]({{}}/rancher/v2.x/en/installation/requirements/). After provisioning your node(s), install Rancher: 
@@ -34,19 +34,19 @@ After provisioning your node(s), install Rancher: For production environments where your user base requires constant access to your cluster, we recommend installing Rancher in a high availability Kubernetes installation. This installation procedure provisions a three-node cluster and installs Rancher on each node using a Helm chart. - >**Important Difference:** Although you could install Rancher v1.6 in a high-availability Kubernetes configuration using an external database and a Docker command on each node, Rancher v2.x in a Kubernetes install requires an existing Kubernetes cluster. Review [Kubernetes Install]({{< baseurl >}}/rancher/v2.x/en/installation/k8s-install/) for full requirements. + >**Important Difference:** Although you could install Rancher v1.6 in a high-availability Kubernetes configuration using an external database and a Docker command on each node, Rancher v2.x in a Kubernetes install requires an existing Kubernetes cluster. Review [Kubernetes Install]({{}}/rancher/v2.x/en/installation/k8s-install/) for full requirements. ## B. Configure Authentication -After your Rancher v2.x Server is installed, we recommend configuring external authentication (like Active Directory or GitHub) so that users can log into Rancher using their single sign-on. For a full list of supported authentication providers and instructions on how to configure them, see [Authentication]({{< baseurl >}}/rancher/v2.x/en/admin-settings/authentication). +After your Rancher v2.x Server is installed, we recommend configuring external authentication (like Active Directory or GitHub) so that users can log into Rancher using their single sign-on. For a full list of supported authentication providers and instructions on how to configure them, see [Authentication]({{}}/rancher/v2.x/en/admin-settings/authentication).
    Rancher v2.x Authentication
    -![Rancher v2.x Authentication]({{< baseurl >}}/img/rancher/auth-providers.svg) +![Rancher v2.x Authentication]({{}}/img/rancher/auth-providers.svg) ### Local Users -Although we recommend using an external authentication provider, Rancher v1.6 and v2.x both offer support for users local to Rancher. However, these users cannot be migrated from Rancher v1.6 to v2.x. If you used local users in Rancher v1.6 and want to continue this practice in v2.x, you'll need to [manually recreate these user accounts]({{< baseurl >}}/rancher/v2.x/en/admin-settings/authentication/) and assign them access rights. +Although we recommend using an external authentication provider, Rancher v1.6 and v2.x both offer support for users local to Rancher. However, these users cannot be migrated from Rancher v1.6 to v2.x. If you used local users in Rancher v1.6 and want to continue this practice in v2.x, you'll need to [manually recreate these user accounts]({{}}/rancher/v2.x/en/admin-settings/authentication/) and assign them access rights. As a best practice, you should use a hybrid of external _and_ local authentication. This practice provides access to Rancher should your external authentication experience an interruption, as you can still log in using a local user account. Set up a few local accounts as administrative users of Rancher. 
@@ -61,7 +61,7 @@ Begin work in Rancher v2.x by using it to provision a new Kubernetes cluster, wh A cluster and project in combined together in Rancher v2.x is equivalent to a v1.6 environment. A _cluster_ is the compute boundary (i.e., your hosts) and a _project_ is an administrative boundary (i.e., a grouping of namespaces used to assign access rights to users). -There's more basic info on provisioning clusters in the headings below, but for full information, see [Provisioning Kubernetes Clusters]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/). +There's more basic info on provisioning clusters in the headings below, but for full information, see [Provisioning Kubernetes Clusters]({{}}/rancher/v2.x/en/cluster-provisioning/). ### Clusters 
@@ -69,32 +69,32 @@ In Rancher v1.6, compute nodes were added to an _environment_. Rancher v2.x esch Rancher v2.x lets you launch a Kubernetes cluster anywhere. Host your cluster using: -- A [hosted Kubernetes provider]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/hosted-kubernetes-clusters/). -- A [pool of nodes from an infrastructure provider]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/node-pools/). Rancher launches Kubernetes on the nodes. -- Any [custom node(s)]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/custom-nodes/). Rancher can launch Kubernetes on the nodes, be they bare metal servers, virtual machines, or cloud hosts on a less popular infrastructure provider. +- A [hosted Kubernetes provider]({{}}/rancher/v2.x/en/cluster-provisioning/hosted-kubernetes-clusters/). +- A [pool of nodes from an infrastructure provider]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/node-pools/). Rancher launches Kubernetes on the nodes. +- Any [custom node(s)]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/custom-nodes/). Rancher can launch Kubernetes on the nodes, be they bare metal servers, virtual machines, or cloud hosts on a less popular infrastructure provider. ### Projects -Additionally, Rancher v2.x introduces [projects]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/projects-and-namespaces/), which are objects that divide clusters into different application groups that are useful for applying user permissions. This model of clusters and projects allow for multi-tenancy because hosts are owned by the cluster, and the cluster can be further divided into multiple projects where users can manage their apps, but not those of others. +Additionally, Rancher v2.x introduces [projects]({{}}/rancher/v2.x/en/k8s-in-rancher/projects-and-namespaces/), which are objects that divide clusters into different application groups that are useful for applying user permissions. 
This model of clusters and projects allow for multi-tenancy because hosts are owned by the cluster, and the cluster can be further divided into multiple projects where users can manage their apps, but not those of others. When you create a cluster, two projects are automatically created: - The `System` project, which includes system namespaces where important Kubernetes resources are running (like ingress controllers and cluster dns services) - The `Default` project. -However, for production environments, we recommend [creating your own project]({{< baseurl >}}/rancher/v2.x/en/project-admin/namespaces/#creating-projects) and giving it a descriptive name. +However, for production environments, we recommend [creating your own project]({{}}/rancher/v2.x/en/project-admin/namespaces/#creating-projects) and giving it a descriptive name. -After provisioning a new cluster and project, you can authorize your users to access and use project resources. Similarly to Rancher v1.6 environments, Rancher v2.x allows you to [assign users to projects]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/projects-and-namespaces/editing-projects/). By assigning users to projects, you can limit what applications and resources a user can access. +After provisioning a new cluster and project, you can authorize your users to access and use project resources. Similarly to Rancher v1.6 environments, Rancher v2.x allows you to [assign users to projects]({{}}/rancher/v2.x/en/k8s-in-rancher/projects-and-namespaces/editing-projects/). By assigning users to projects, you can limit what applications and resources a user can access. ## D. Create Stacks -In Rancher v1.6, _stacks_ were used to group together the services that belong to your application. In v2.x, you need to [create namespaces]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/projects-and-namespaces/#creating-namespaces), which are the v2.x equivalent of stacks, for the same purpose. 
+In Rancher v1.6, _stacks_ were used to group together the services that belong to your application. In v2.x, you need to [create namespaces]({{}}/rancher/v2.x/en/k8s-in-rancher/projects-and-namespaces/#creating-namespaces), which are the v2.x equivalent of stacks, for the same purpose. In Rancher v2.x, namespaces are child objects to projects. When you create a project, a `default` namespace is added to the project, but you can create your own to parallel your stacks from v1.6. During migration, if you don't explicitly define which namespace a service should be deployed to, it's deployed to the `default` namespace. -Just like v1.6, Rancher v2.x supports service discovery within and across namespaces (we'll get to [service discovery]({{< baseurl >}}/rancher/v2.x/en/v1.6-migration/discover-services) soon). +Just like v1.6, Rancher v2.x supports service discovery within and across namespaces (we'll get to [service discovery]({{}}/rancher/v2.x/en/v1.6-migration/discover-services) soon). -### [Next: Migrate Your Services]({{< baseurl >}}/rancher/v2.x/en/v1.6-migration/run-migration-tool) +### [Next: Migrate Your Services]({{}}/rancher/v2.x/en/v1.6-migration/run-migration-tool) diff --git a/content/rancher/v2.x/en/v1.6-migration/kub-intro/_index.md b/content/rancher/v2.x/en/v1.6-migration/kub-intro/_index.md index e3b188466f7..a29115d4d13 100644 --- a/content/rancher/v2.x/en/v1.6-migration/kub-intro/_index.md +++ b/content/rancher/v2.x/en/v1.6-migration/kub-intro/_index.md @@ -36,4 +36,4 @@ Because Rancher v1.6 defaulted to our Cattle container orchestrator, it primaril More detailed information on Kubernetes concepts can be found in the [Kubernetes Concepts Documentation](https://kubernetes.io/docs/concepts/). -### [Next: Get Started]({{< baseurl >}}/rancher/v2.x/en/v1.6-migration/get-started/) +### [Next: Get Started]({{}}/rancher/v2.x/en/v1.6-migration/get-started/) 
diff --git a/content/rancher/v2.x/en/v1.6-migration/load-balancing/_index.md b/content/rancher/v2.x/en/v1.6-migration/load-balancing/_index.md index 6885d6794a1..183eef1bee3 100644 --- a/content/rancher/v2.x/en/v1.6-migration/load-balancing/_index.md +++ b/content/rancher/v2.x/en/v1.6-migration/load-balancing/_index.md 
@@ -5,13 +5,13 @@ weight: 700 If your applications are public-facing and consume significant traffic, you should place a load balancer in front of your cluster so that users can always access their apps without service interruption. Typically, you can fulfill a high volume of service requests by [horizontally scaling](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/) your deployment, which spins up additional application containers as traffic ramps up. However, this technique requires routing that distributes traffic across your nodes efficiently. In cases where you need to accommodate public traffic that scales up and down, you'll need a load balancer. -As outlined in [its documentation]({{< baseurl >}}/rancher/v1.6/en/cattle/adding-load-balancers/), Rancher v1.6 provided rich support for load balancing using its own microservice powered by HAProxy, which supports HTTP, HTTPS, TCP hostname, and path-based routing. Most of these same features are available in v2.x. However, load balancers that you used with v1.6 cannot be migrated to v2.x. You'll have to manually recreate your v1.6 load balancer in v2.x. +As outlined in [its documentation]({{}}/rancher/v1.6/en/cattle/adding-load-balancers/), Rancher v1.6 provided rich support for load balancing using its own microservice powered by HAProxy, which supports HTTP, HTTPS, TCP hostname, and path-based routing. Most of these same features are available in v2.x. However, load balancers that you used with v1.6 cannot be migrated to v2.x. You'll have to manually recreate your v1.6 load balancer in v2.x. If you encounter the `output.txt` text below after parsing your v1.6 Compose files to Kubernetes manifests, you'll have to resolve it by manually creating a load balancer in v2.x.
    output.txt Load Balancer Directive
    -![Resolve Load Balancer Directive]({{< baseurl >}}/img/rancher/resolve-load-balancer.png) +![Resolve Load Balancer Directive]({{}}/img/rancher/resolve-load-balancer.png) ## In This Document @@ -35,7 +35,7 @@ By default, Rancher v2.x replaces the v1.6 load balancer microservice with the n ## Load Balancer Deployment -In Rancher v1.6, you could add port/service rules for configuring your HAProxy to load balance for target services. You could also configure the hostname/path-based routing rules. +In Rancher v1.6, you could add port/service rules for configuring your HA proxy to load balance for target services. You could also configure the hostname/path-based routing rules. Rancher v2.x offers similar functionality, but load balancing is instead handled by Ingress. An Ingress is a specification of rules that a controller component applies to your load balancer. The actual load balancer can run outside of your cluster or within it. @@ -43,7 +43,7 @@ By default, Rancher v2.x deploys NGINX Ingress Controller on clusters provisione RKE deploys NGINX Ingress Controller as a [Kubernetes DaemonSet](https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/), meaning that an NGINX instance is deployed on every node in the cluster. NGINX acts like an Ingress Controller listening to Ingress creation within your entire cluster, and it also configures itself as the load balancer to satisfy the Ingress rules. The DaemonSet is configured with hostNetwork to expose two ports: 80 and 443. -For more information NGINX Ingress Controller, their deployment as DaemonSets, deployment configuration options, see the [RKE documentation]({{< baseurl >}}/rke/latest/en/config-options/add-ons/ingress-controllers/). +For more information NGINX Ingress Controller, their deployment as DaemonSets, deployment configuration options, see the [RKE documentation]({{}}/rke/latest/en/config-options/add-ons/ingress-controllers/). ## Load Balancing Architecture 
@@ -55,13 +55,13 @@ In Rancher v1.6 you could deploy a scalable load balancer service within your st
    Rancher v1.6 Load Balancing Architecture
    -![Rancher v1.6 Load Balancing]({{< baseurl >}}/img/rancher/cattle-load-balancer.svg) +![Rancher v1.6 Load Balancing]({{}}/img/rancher/cattle-load-balancer.svg) The Rancher v2.x Ingress Controller is a DaemonSet, it is globally deployed on all schedulable nodes to serve your entire Kubernetes Cluster. Therefore, when you program the Ingress rules, you must use a unique hostname and path to point to your workloads, as the load balancer node IP addresses and ports 80 and 443 are common access points for all workloads.
    Rancher v2.x Load Balancing Architecture
    -![Rancher v2.x Load Balancing]({{< baseurl >}}/img/rancher/kubernetes-load-balancer.svg) +![Rancher v2.x Load Balancing]({{}}/img/rancher/kubernetes-load-balancer.svg) ## Ingress Caveats @@ -79,13 +79,13 @@ You can launch a new load balancer to replace your load balancer from v1.6. Usin >**Prerequisite:** Before deploying Ingress, you must have a workload deployed that's running a scale of two or more pods. > -![Workload Scale]({{< baseurl >}}/img/rancher/workload-scale.png) +![Workload Scale]({{}}/img/rancher/workload-scale.png) For balancing between these two pods, you must create a Kubernetes Ingress rule. To create this rule, navigate to your cluster and project, and click **Resources > Workloads > Load Balancing.** (In versions prior to v2.3.0, click **Workloads > Load Balancing.**) Then click **Add Ingress**. This GIF below depicts how to add Ingress to one of your projects.
    Browsing to Load Balancer Tab and Adding Ingress
    -![Adding Ingress]({{< baseurl >}}/img/rancher/add-ingress.gif) +![Adding Ingress]({{}}/img/rancher/add-ingress.gif) Similar to a service/port rules in Rancher v1.6, here you can specify rules targeting your workload's container port. The sections below demonstrate how to create Ingress rules. @@ -97,13 +97,13 @@ For example, let's say you have multiple workloads deployed to a single namespac
    Ingress: Path-Based Routing Configuration
    -![Ingress: Path-Based Routing Configuration]({{< baseurl >}}/img/rancher/add-ingress-form.png) +![Ingress: Path-Based Routing Configuration]({{}}/img/rancher/add-ingress-form.png) Rancher v2.x also places a convenient link to the workloads on the Ingress record. If you configure an external DNS to program the DNS records, this hostname can be mapped to the Kubernetes Ingress address.
    Workload Links
    -![Load Balancer Links to Workloads]({{< baseurl >}}/img/rancher/load-balancer-links.png) +![Load Balancer Links to Workloads]({{}}/img/rancher/load-balancer-links.png) The Ingress address is the IP address in your cluster that the Ingress Controller allocates for your workload. You can reach your workload by browsing to this IP address. Use `kubectl` command below to see the Ingress address assigned by the controller: @@ -115,24 +115,24 @@ kubectl get ingress Rancher v2.x Ingress functionality supports the HTTPS protocol, but if you want to use it, you need to use a valid SSL/TLS certificate. While configuring Ingress rules, use the **SSL/TLS Certificates** section to configure a certificate. -- We recommend [uploading a certificate]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/certificates/) from a known certificate authority (you'll have to do this before configuring Ingress). Then, while configuring your load balancer, use the **Choose a certificate** option and select the uploaded certificate that you want to use. -- If you have configured [NGINX default certificate]({{< baseurl >}}/rke/latest/en/config-options/add-ons/ingress-controllers/#configuring-an-nginx-default-certificate), you can select **Use default ingress controller certificate**. +- We recommend [uploading a certificate]({{}}/rancher/v2.x/en/k8s-in-rancher/certificates/) from a known certificate authority (you'll have to do this before configuring Ingress). Then, while configuring your load balancer, use the **Choose a certificate** option and select the uploaded certificate that you want to use. +- If you have configured [NGINX default certificate]({{}}/rke/latest/en/config-options/add-ons/ingress-controllers/#configuring-an-nginx-default-certificate), you can select **Use default ingress controller certificate**.
    Load Balancer Configuration: SSL/TLS Certificate Section
    -![SSL/TLS Certificates Section]({{< baseurl >}}/img/rancher/load-balancer-ssl-certs.png) +![SSL/TLS Certificates Section]({{}}/img/rancher/load-balancer-ssl-certs.png) ### TCP Load Balancing Options #### Layer-4 Load Balancer -For the TCP protocol, Rancher v2.x supports configuring a Layer 4 load balancer using the cloud provider in which your Kubernetes cluster is deployed. Once this load balancer appliance is configured for your cluster, when you choose the option of a `Layer-4 Load Balancer` for port-mapping during workload deployment, Rancher automatically creates a corresponding load balancer service. This service will call the corresponding cloud provider and configure the load balancer appliance to route requests to the appropriate pods. See [Cloud Providers]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/options/cloud-providers/) for information on how to configure LoadBalancer services for your cloud provider. +For the TCP protocol, Rancher v2.x supports configuring a Layer 4 load balancer using the cloud provider in which your Kubernetes cluster is deployed. Once this load balancer appliance is configured for your cluster, when you choose the option of a `Layer-4 Load Balancer` for port-mapping during workload deployment, Rancher automatically creates a corresponding load balancer service. This service will call the corresponding cloud provider and configure the load balancer appliance to route requests to the appropriate pods. See [Cloud Providers]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/options/cloud-providers/) for information on how to configure LoadBalancer services for your cloud provider. For example, if we create a deployment named `myapp` and specify a Layer 4 load balancer in the **Port Mapping** section, Rancher will automatically add an entry to the **Load Balancer** tab named `myapp-loadbalancer`.
    Workload Deployment: Layer 4 Load Balancer Creation
    -![Deploy Layer-4 Load Balancer]({{< baseurl >}}/img/rancher/deploy-workload-load-balancer.png) +![Deploy Layer-4 Load Balancer]({{}}/img/rancher/deploy-workload-load-balancer.png) Once configuration of the load balancer succeeds, the Rancher UI provides a link to your workload's public endpoint. 
@@ -144,13 +144,13 @@ However, there is a workaround to use NGINX's TCP balancing by creating a Kubern To configure NGINX to expose your services via TCP, you can add the ConfigMap `tcp-services` that should exist in the `ingress-nginx` namespace. This namespace also contains the NGINX Ingress Controller pods. -![Layer-4 Load Balancer: ConfigMap Workaround]({{< baseurl >}}/img/rancher/layer-4-lb-config-map.png) +![Layer-4 Load Balancer: ConfigMap Workaround]({{}}/img/rancher/layer-4-lb-config-map.png) The key in the ConfigMap entry should be the TCP port that you want to expose for public access: `:`. As shown above, two workloads are listed in the `Default` namespace. For example, the first entry in the ConfigMap above instructs NGINX to expose the `myapp` workload (the one in the `default` namespace that's listening on private port 80) over external port `6790`. Adding these entries to the ConfigMap automatically updates the NGINX pods to configure these workloads for TCP balancing. The workloads exposed should be available at `:`. If they are not accessible, you might have to expose the TCP port explicitly using a NodePort service. ## Rancher v2.x Load Balancing Limitations -Cattle provided feature-rich load balancer support that is [well documented]({{< baseurl >}}/rancher/v1.6/en/cattle/adding-load-balancers/#load-balancers). Some of these features do not have equivalents in Rancher v2.x. This is the list of such features: +Cattle provided feature-rich load balancer support that is [well documented]({{}}/rancher/v1.6/en/cattle/adding-load-balancers/#load-balancers). Some of these features do not have equivalents in Rancher v2.x. This is the list of such features: - No support for SNI in current NGINX Ingress Controller. - TCP load balancing requires a load balancer appliance enabled by cloud provider within the cluster. There is no Ingress support for TCP on Kubernetes. 
diff --git a/content/rancher/v2.x/en/v1.6-migration/monitor-apps/_index.md b/content/rancher/v2.x/en/v1.6-migration/monitor-apps/_index.md index c9ea17668c4..b1a2f1cc110 100644 --- a/content/rancher/v2.x/en/v1.6-migration/monitor-apps/_index.md +++ b/content/rancher/v2.x/en/v1.6-migration/monitor-apps/_index.md @@ -13,7 +13,7 @@ For example, for the image below, we would configure liveness probes for the `we
    Resolve health_check for the web and webLB Workloads
    -![Resolve health_check]({{< baseurl >}}/img/rancher/resolve-health-checks.png) +![Resolve health_check]({{}}/img/rancher/resolve-health-checks.png) ## In This Document @@ -33,7 +33,7 @@ The health check microservice features two types of health checks, which have a - **TCP health checks**: - These health checks check if a TCP connection opens at the specified port for the monitored service. For full details, see the [Rancher v1.6 documentation]({{< baseurl >}}/rancher/v1.6/en/cattle/health-checks/). + These health checks check if a TCP connection opens at the specified port for the monitored service. For full details, see the [Rancher v1.6 documentation]({{}}/rancher/v1.6/en/cattle/health-checks/). - **HTTP health checks**: @@ -73,7 +73,7 @@ The following diagram displays kubelets running probes on containers they are mo ## Configuring Probes in Rancher v2.x -The [migration-tool CLI]({{< baseurl >}}/rancher/v2.x/en/v1.6-migration/run-migration-tool/) cannot parse health checks from Compose files to Kubernetes manifest. Therefore, if want you to add health checks to your Rancher v2.x workloads, you'll have to add them manually. +The [migration-tool CLI]({{}}/rancher/v2.x/en/v1.6-migration/run-migration-tool/) cannot parse health checks from Compose files to Kubernetes manifest. Therefore, if want you to add health checks to your Rancher v2.x workloads, you'll have to add them manually. Using the Rancher v2.x UI, you can add TCP or HTTP health checks to Kubernetes workloads. By default, Rancher asks you to configure a readiness check for your workloads and applies a liveness check using the same configuration. Optionally, you can define a separate liveness check. @@ -83,7 +83,7 @@ Configure probes by using the **Health Check** section while editing deployments
    Edit Deployment: Health Check Section
    -![Health Check Section]({{< baseurl >}}/img/rancher/health-check-section.png) +![Health Check Section]({{}}/img/rancher/health-check-section.png) ### Configuring Checks @@ -95,7 +95,7 @@ While you create a workload using Rancher v2.x, we recommend configuring a check TCP checks monitor your deployment's health by attempting to open a connection to the pod over a specified port. If the probe can open the port, it's considered healthy. Failure to open it is considered unhealthy, which notifies Kubernetes that it should kill the pod and then replace it according to its [restart policy](https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#restart-policy). (this applies to Liveness probes, for Readiness probes, it will mark the pod as Unready). -You can configure the probe along with values for specifying its behavior by selecting the **TCP connection opens successfully** option in the **Health Check** section. For more information, see [Deploying Workloads]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/workloads/deploy-workloads/). For help setting probe timeout and threshold values, see [Health Check Parameter Mappings](#health-check-parameter-mappings). +You can configure the probe along with values for specifying its behavior by selecting the **TCP connection opens successfully** option in the **Health Check** section. For more information, see [Deploying Workloads]({{}}/rancher/v2.x/en/k8s-in-rancher/workloads/deploy-workloads/). For help setting probe timeout and threshold values, see [Health Check Parameter Mappings](#health-check-parameter-mappings). ![TCP Check]({{}}/img/rancher/readiness-check-tcp.png) 
@@ -133,7 +133,7 @@ When you configure a readiness check using Rancher v2.x, the `readinessProbe` di HTTP checks monitor your deployment's health by sending an HTTP GET request to a specific URL path that you define. If the pod responds with a message range of `200`-`400`, the health check is considered successful. If the pod replies with any other value, the check is considered unsuccessful, so Kubernetes kills and replaces the pod according to its [restart policy](https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#restart-policy). (this applies to Liveness probes, for Readiness probes, it will mark the pod as Unready). -You can configure the probe along with values for specifying its behavior by selecting the **HTTP returns successful status** or **HTTPS returns successful status**. For more information, see [Deploying Workloads]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/workloads/deploy-workloads/). For help setting probe timeout and threshold values, see [Health Check Parameter Mappings](#healthcheck-parameter-mappings). +You can configure the probe along with values for specifying its behavior by selecting the **HTTP returns successful status** or **HTTPS returns successful status**. For more information, see [Deploying Workloads]({{}}/rancher/v2.x/en/k8s-in-rancher/workloads/deploy-workloads/). For help setting probe timeout and threshold values, see [Health Check Parameter Mappings](#healthcheck-parameter-mappings). ![HTTP Check]({{}}/img/rancher/readiness-check-http.png) 
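Review bot: the rewritten line in this hunk still links to `#healthcheck-parameter-mappings`, while the otherwise identical sentence in the TCP check section links to `#health-check-parameter-mappings`. Both use the link text "Health Check Parameter Mappings", so they are meant to reach the same heading and only one spelling of the anchor can resolve. Since the line is being touched anyway, align it with the hyphenated form used in the TCP section (or whichever form the heading generates) and confirm the link in a rendered build.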
@@ -153,7 +153,7 @@ While configuring a readiness check for either the TCP or HTTP protocol, you can Rancher v2.x, like v1.6, lets you perform health checks using the TCP and HTTP protocols. However, Rancher v2.x also lets you check the health of a pod by running a command inside of it. If the container exits with a code of `0` after running the command, the pod is considered healthy. -You can configure a liveness or readiness check that executes a command that you specify by selecting the `Command run inside the container exits with status 0` option from **Health Checks** while [deploying a workload]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/workloads/deploy-workloads/). +You can configure a liveness or readiness check that executes a command that you specify by selecting the `Command run inside the container exits with status 0` option from **Health Checks** while [deploying a workload]({{}}/rancher/v2.x/en/k8s-in-rancher/workloads/deploy-workloads/). ![Healthcheck Execute Command]({{}}/img/rancher/healthcheck-cmd-exec.png) @@ -171,4 +171,4 @@ Rancher v1.6 Compose Parameter | Rancher v2.x Kubernetes Parameter `initializing_timeout` | `initialDelaySeconds` `strategy` | `restartPolicy` -### [Next: Schedule Your Services]({{< baseurl >}}/rancher/v2.x/en/v1.6-migration/schedule-workloads/) +### [Next: Schedule Your Services]({{}}/rancher/v2.x/en/v1.6-migration/schedule-workloads/) diff --git a/content/rancher/v2.x/en/v1.6-migration/run-migration-tool/_index.md b/content/rancher/v2.x/en/v1.6-migration/run-migration-tool/_index.md index f1d02645957..ebdebd5b9bd 100644 --- a/content/rancher/v2.x/en/v1.6-migration/run-migration-tool/_index.md +++ b/content/rancher/v2.x/en/v1.6-migration/run-migration-tool/_index.md 
@@ -50,7 +50,7 @@ After you download migration-tools CLI, rename it and make it executable. Next, use the migration-tools CLI to export all stacks in all of the Cattle environments into Compose files. Then, for stacks that you want to migrate to Rancher v2.x, convert the Compose files into Kubernetes manifest. ->**Prerequisite:** Create an [Account API Key]({{< baseurl >}}/rancher/v1.6/en/api/v2-beta/api-keys/#account-api-keys) to authenticate with Rancher v1.6 when using the migration-tools CLI. +>**Prerequisite:** Create an [Account API Key]({{}}/rancher/v1.6/en/api/v2-beta/api-keys/#account-api-keys) to authenticate with Rancher v1.6 when using the migration-tools CLI. 1. Export the Docker Compose files for your Cattle environments and stacks from Rancher v1.6. @@ -62,7 +62,7 @@ Next, use the migration-tools CLI to export all stacks in all of the Cattle envi **Step Result:** migration-tools exports Compose files (`docker-compose.yml` and `rancher-compose.yml`) for each stack in the `--export-dir` directory. If you omitted this option, Compose files are output to your current directory. - A unique directory is created for each environment and stack. For example, if we export each [environment/stack]({{< baseurl >}}/rancher/v2.x/en/v1.6-migration/#migration-example-files) from Rancher v1.6, the following directory structure is created: + A unique directory is created for each environment and stack. For example, if we export each [environment/stack]({{}}/rancher/v2.x/en/v1.6-migration/#migration-example-files) from Rancher v1.6, the following directory structure is created: ``` export/ # migration-tools --export-dir 
@@ -85,7 +85,7 @@ Next, use the migration-tools CLI to export all stacks in all of the Cattle envi >**Note:** If you omit the `--docker-file` and `--rancher-file` options from your command, migration-tools uses the current working directory to find Compose files. ->**Want full usage and options for the migration-tools CLI?** See the [Migration Tools CLI Reference]({{< baseurl >}}/rancher/v2.x/en/v1.6-migration/run-migration-tool/migration-tools-ref/). +>**Want full usage and options for the migration-tools CLI?** See the [Migration Tools CLI Reference]({{}}/rancher/v2.x/en/v1.6-migration/run-migration-tool/migration-tools-ref/). ### migration-tools CLI Output @@ -104,7 +104,7 @@ When a you export a service from Rancher v1.6 that exposes public ports, migrati #### Migration Example File Output -If we parse the two example files from [Migration Example Files]({{< baseurl >}}/rancher/v2.x/en/v1.6-migration/#migration-example-files), `docker-compose.yml` and `rancher-compose.yml`, the following files are output: +If we parse the two example files from [Migration Example Files]({{}}/rancher/v2.x/en/v1.6-migration/#migration-example-files), `docker-compose.yml` and `rancher-compose.yml`, the following files are output: File | Description -----|------------ @@ -244,13 +244,13 @@ You can deploy the Kubernetes manifests created by migration-tools by importing
    Deploy Services: Import Kubernetes Manifest
    -![Deploy Services]({{< baseurl >}}/img/rancher/deploy-service.gif) +![Deploy Services]({{}}/img/rancher/deploy-service.gif) {{% /tab %}} {{% tab "Rancher CLI" %}} ->**Prerequisite:** [Install Rancher CLI]({{< baseurl >}}/rancher/v2.x/en/cli/) for Rancher v2.x. +>**Prerequisite:** [Install Rancher CLI]({{}}/rancher/v2.x/en/cli/) for Rancher v2.x. Use the following Rancher CLI commands to deploy your application using Rancher v2.x. For each Kubernetes manifest output by migration-tools CLI, enter one of the commands below to import it into Rancher v2.x. @@ -267,7 +267,7 @@ Following importation, you can view your v1.6 services in the v2.x UI as Kuberne
    Imported Services
    -![Imported Services]({{< baseurl >}}/img/rancher/imported-workloads.png) +![Imported Services]({{}}/img/rancher/imported-workloads.png) ## What Now? @@ -275,15 +275,15 @@ Although the migration-tool CLI parses your Rancher v1.6 Compose files to Kubern
    Edit Migrated Services
    -![Edit Migrated Workload]({{< baseurl >}}/img/rancher/edit-migration-workload.gif) +![Edit Migrated Workload]({{}}/img/rancher/edit-migration-workload.gif) As mentioned in [Migration Tools CLI Output](#migration-tools-cli-output), the `output.txt` files generated during parsing lists the manual steps you must make for each deployment. Review the upcoming topics for more information on manually editing your Kubernetes specs. -Open your `output.txt` file and take a look at its contents. When you parsed your Compose files into Kubernetes manifests, migration-tools CLI output a manifest for each workload that it creates for Kubernetes. For example, our when our [Migration Example Files]({{< baseurl >}}/rancher/v2.x/en/v1.6-migration/#migration-example-files) are parsed into Kubernetes manifests, `output.txt` lists each resultant parsed [Kubernetes manifest file](#migration-example-file-output) (i.e., workloads). Each workload features a list of action items to restore operations for the workload in v2.x. +Open your `output.txt` file and take a look at its contents. When you parsed your Compose files into Kubernetes manifests, migration-tools CLI output a manifest for each workload that it creates for Kubernetes. For example, our when our [Migration Example Files]({{}}/rancher/v2.x/en/v1.6-migration/#migration-example-files) are parsed into Kubernetes manifests, `output.txt` lists each resultant parsed [Kubernetes manifest file](#migration-example-file-output) (i.e., workloads). Each workload features a list of action items to restore operations for the workload in v2.x.
    Output.txt Example
    -![output.txt]({{< baseurl >}}/img/rancher/output-dot-text.png) +![output.txt]({{}}/img/rancher/output-dot-text.png) The following table lists possible directives that may appear in `output.txt`, what they mean, and links on how to resolve them. 
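Review bot: the changed paragraph in this hunk carries a typo over from the old line into the new one: "For example, our when our [Migration Example Files]". As the line is rewritten here, correct it to "For example, when our [Migration Example Files]" in the same change so the fix does not need a second pass over this file.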
@@ -296,16 +296,16 @@ Directive | Instructions [scale][5] | In v1.6, scale refers to the number of container replicas running on a single node. In v2.x, this feature is replaced by replica sets. start_on_create | No Kubernetes equivalent. No action is required from you. -[1]:{{< baseurl >}}/rancher/v2.x/en/v1.6-migration/monitor-apps/#configuring-probes-in-rancher-v2-x -[2]:{{< baseurl >}}/rancher/v2.x/en/v1.6-migration/schedule-workloads/#scheduling-using-labels -[3]:{{< baseurl >}}/rancher/v2.x/en/v1.6-migration/discover-services -[4]:{{< baseurl >}}/rancher/v2.x/en/v1.6-migration/expose-services -[5]:{{< baseurl >}}/rancher/v2.x/en/v1.6-migration/schedule-workloads/#scheduling-pods-to-a-specific-node +[1]:{{}}/rancher/v2.x/en/v1.6-migration/monitor-apps/#configuring-probes-in-rancher-v2-x +[2]:{{}}/rancher/v2.x/en/v1.6-migration/schedule-workloads/#scheduling-using-labels +[3]:{{}}/rancher/v2.x/en/v1.6-migration/discover-services +[4]:{{}}/rancher/v2.x/en/v1.6-migration/expose-services +[5]:{{}}/rancher/v2.x/en/v1.6-migration/schedule-workloads/#scheduling-pods-to-a-specific-node -[7]:{{< baseurl >}}/rancher/v2.x/en/v1.6-migration/schedule-workloads/#scheduling-using-labels -[8]:{{< baseurl >}}/rancher/v2.x/en/v1.6-migration/schedule-workloads/#scheduling-global-services -[9]:{{< baseurl >}}/rancher/v2.x/en/v1.6-migration/schedule-workloads/#label-affinity-antiaffinity +[7]:{{}}/rancher/v2.x/en/v1.6-migration/schedule-workloads/#scheduling-using-labels +[8]:{{}}/rancher/v2.x/en/v1.6-migration/schedule-workloads/#scheduling-global-services +[9]:{{}}/rancher/v2.x/en/v1.6-migration/schedule-workloads/#label-affinity-antiaffinity -### [Next: Expose Your Services]({{< baseurl >}}/rancher/v2.x/en/v1.6-migration/expose-services/) +### [Next: Expose Your Services]({{}}/rancher/v2.x/en/v1.6-migration/expose-services/) 
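Review bot: the reference-link definitions rewritten at the end of this hunk have two inconsistencies worth resolving while they are being edited. `[2]` and `[7]` point to the same target (`schedule-workloads/#scheduling-using-labels`), and the numbering jumps from `[5]` to `[7]` with no `[6]`. Only `[scale][5]` is visible as a use in this hunk, so please check which of `[7]`, `[8]` and `[9]` the directive table actually references, then drop the unused or duplicate definitions or renumber them.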
diff --git a/content/rancher/v2.x/en/v1.6-migration/schedule-workloads/_index.md b/content/rancher/v2.x/en/v1.6-migration/schedule-workloads/_index.md index 5d070f1638f..e78fa280b0c 100644 --- a/content/rancher/v2.x/en/v1.6-migration/schedule-workloads/_index.md +++ b/content/rancher/v2.x/en/v1.6-migration/schedule-workloads/_index.md @@ -13,7 +13,7 @@ You can schedule your migrated v1.6 services while editing a deployment. Schedul
    Editing Workloads: Workload Type and Node Scheduling Sections
    -![Workload Type and Node Scheduling Sections]({{< baseurl >}}/img/rancher/migrate-schedule-workloads.png) +![Workload Type and Node Scheduling Sections]({{}}/img/rancher/migrate-schedule-workloads.png) ## In This Document @@ -39,7 +39,7 @@ Rancher v2.x retains _all_ methods available in v1.6 for scheduling your service In v1.6, you would schedule a service to a host while adding a service to a Stack. In Rancher v2.x., the equivalent action is to schedule a workload for deployment. The following composite image shows a comparison of the UI used for scheduling in Rancher v2.x versus v1.6. -![Node Scheduling: Rancher v2.x vs v1.6]({{< baseurl >}}/img/rancher/node-scheduling.png) +![Node Scheduling: Rancher v2.x vs v1.6]({{}}/img/rancher/node-scheduling.png) ## Node Scheduling Options @@ -47,7 +47,7 @@ Rancher offers a variety of options when scheduling nodes to host workload pods You can choose a scheduling option as you deploy a workload. The term _workload_ is synonymous with adding a service to a Stack in Rancher v1.6). You can deploy a workload by using the context menu to browse to a cluster project (` > > Workloads`). -The sections that follow provide information on using each scheduling options, as well as any notable changes from Rancher v1.6. For full instructions on deploying a workload in Rancher v2.x beyond just scheduling options, see [Deploying Workloads]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/workloads/deploy-workloads/). +The sections that follow provide information on using each scheduling options, as well as any notable changes from Rancher v1.6. For full instructions on deploying a workload in Rancher v2.x beyond just scheduling options, see [Deploying Workloads]({{}}/rancher/v2.x/en/k8s-in-rancher/workloads/deploy-workloads/). Option | v1.6 Feature | v2.x Feature -------|------|------ 
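Review bot: the changed line in the `@@ -47,7 +47,7 @@` hunk keeps the phrase "using each scheduling options"; it should read "using each scheduling option". The context line just above it also ends with an unmatched closing parenthesis ("in Rancher v1.6)."), which is worth fixing in the same pass since this paragraph is already being edited.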
@@ -64,13 +64,13 @@ Option | v1.6 Feature | v2.x Feature In v1.6, you could control the number of container replicas deployed for a service. You can schedule pods the same way in v2.x, but you'll have to set the scale manually while editing a workload. -![Resolve Scale]({{< baseurl >}}/img/rancher/resolve-scale.png) +![Resolve Scale]({{}}/img/rancher/resolve-scale.png) During migration, you can resolve `scale` entries in `output.txt` by setting a value for the **Workload Type** option **Scalable deployment** depicted below.
    Scalable Deployment Option
    -![Workload Scale]({{< baseurl >}}/img/rancher/workload-type-option.png) +![Workload Scale]({{}}/img/rancher/workload-type-option.png) ### Scheduling Pods to a Specific Node @@ -81,7 +81,7 @@ As you deploy a workload, use the **Node Scheduling** section to choose a node t
    Rancher v2.x: Workload Deployment
    -![Workload Tab and Group by Node Icon]({{< baseurl >}}/img/rancher/schedule-specific-node.png) +![Workload Tab and Group by Node Icon]({{}}/img/rancher/schedule-specific-node.png) Rancher schedules pods to the node you select if 1) there are compute resource available for the node and 2) you've configured port mapping to use the HostPort option, that there are no port conflicts. @@ -89,7 +89,7 @@ If you expose the workload using a NodePort that conflicts with another workload After the workload is created, you can confirm that the pods are scheduled to your chosen node. From the project view, click **Resources > Workloads.** (In versions prior to v2.3.0, click the **Workloads** tab.) Click the **Group by Node** icon to sort your workloads by node. Note that both Nginx pods are scheduled to the same node. -![Pods Scheduled to Same Node]({{< baseurl >}}/img/rancher/scheduled-nodes.png) +![Pods Scheduled to Same Node]({{}}/img/rancher/scheduled-nodes.png) ). A _DaemonSet_ functions exactly like a Rancher v1.6 global service. The Kubernetes scheduler deploys a pod on each node of the cluster, and as new nodes are added, the scheduler will start new pods on them provided they match the scheduling requirements of the workload. Additionally, in v2.x, you can also limit a DaemonSet to be deployed to nodes that have a specific label. @@ -217,7 +217,7 @@ To create a daemonset while configuring a workload, choose **Run one pod on each
    Workload Configuration: Choose run one pod on each node to configure daemonset
    -![choose Run one pod on each node]({{< baseurl >}}/img/rancher/workload-type.png) +![choose Run one pod on each node]({{}}/img/rancher/workload-type.png) ### Scheduling Pods Using Resource Constraints @@ -240,8 +240,8 @@ To declare resource constraints, edit your migrated workloads, editing the **Sec
    Scheduling: Resource Constraint Settings
    -![Resource Constraint Settings]({{< baseurl >}}/img/rancher/resource-constraint-settings.png) +![Resource Constraint Settings]({{}}/img/rancher/resource-constraint-settings.png) You can find more detail about these specs and how to use them in the [Kubernetes Documentation](https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container). -### [Next: Service Discovery]({{< baseurl >}}/rancher/v2.x/en/v1.6-migration/discover-services/) +### [Next: Service Discovery]({{}}/rancher/v2.x/en/v1.6-migration/discover-services/) diff --git a/content/rke/latest/en/cert-mgmt/_index.md b/content/rke/latest/en/cert-mgmt/_index.md index 5d202d6bbdc..21f9f53011e 100644 --- a/content/rke/latest/en/cert-mgmt/_index.md +++ b/content/rke/latest/en/cert-mgmt/_index.md 
@@ -12,9 +12,9 @@ Certificates are an important part of Kubernetes clusters and are used for all K ## Generating Certificate Signing Requests (CSRs) and Keys -If you want to create and sign the certificates by a real Certificate Authority (CA), you can use RKE to [generate a set of Certificate Signing Requests (CSRs) and keys]({{< baseurl >}}/rke/latest/en/installation/certs/#generating-certificate-signing-requests-csrs-and-keys). +If you want to create and sign the certificates by a real Certificate Authority (CA), you can use RKE to [generate a set of Certificate Signing Requests (CSRs) and keys]({{}}/rke/latest/en/installation/certs/#generating-certificate-signing-requests-csrs-and-keys). -You can use the CSRs and keys to sign the certificates by a real CA. After the certificates are signed, these custom certificates can be used by RKE to as [custom certificates]({{< baseurl >}}/rke/latest/en/installation/certs/) for the Kubernetes cluster. +You can use the CSRs and keys to sign the certificates by a real CA. After the certificates are signed, these custom certificates can be used by RKE to as [custom certificates]({{}}/rke/latest/en/installation/certs/) for the Kubernetes cluster. ## Certificate Rotation diff --git a/content/rke/latest/en/config-options/_index.md b/content/rke/latest/en/config-options/_index.md index ecf29f2a412..abbf6e2209a 100644 --- a/content/rke/latest/en/config-options/_index.md +++ b/content/rke/latest/en/config-options/_index.md 
@@ -6,35 +6,35 @@ weight: 200 When setting up your `cluster.yml` for RKE, there are a lot of different options that can be configured to control the behavior of how RKE launches Kubernetes. -There are several options that can be configured in cluster configuration option. There are several [example yamls]({{< baseurl >}}/rke/latest/en/example-yamls/) that contain all the options. +There are several options that can be configured in cluster configuration option. There are several [example yamls]({{}}/rke/latest/en/example-yamls/) that contain all the options. ### Configuring Nodes -* [Nodes]({{< baseurl >}}/rke/latest/en/config-options/nodes/) +* [Nodes]({{}}/rke/latest/en/config-options/nodes/) * [Ignoring unsupported Docker versions](#supported-docker-versions) -* [Private Registries]({{< baseurl >}}/rke/latest/en/config-options/private-registries/) +* [Private Registries]({{}}/rke/latest/en/config-options/private-registries/) * [Cluster Level SSH Key Path](#cluster-level-ssh-key-path) * [SSH Agent](#ssh-agent) -* [Bastion Host]({{< baseurl >}}/rke/latest/en/config-options/bastion-host/) +* [Bastion Host]({{}}/rke/latest/en/config-options/bastion-host/) ### Configuring Kubernetes Cluster * [Cluster Name](#cluster-name) * [Kubernetes Version](#kubernetes-version) * [Prefix Path](#prefix-path) -* [System Images]({{< baseurl >}}/rke/latest/en/config-options/system-images/) -* [Services]({{< baseurl >}}/rke/latest/en/config-options/services/) -* [Extra Args and Binds and Environment Variables]({{< baseurl >}}/rke/latest/en/config-options/services/services-extras/) -* [External Etcd]({{< baseurl >}}/rke/latest/en/config-options/services/external-etcd/) -* [Authentication]({{< baseurl >}}/rke/latest/en/config-options/authentication/) -* [Authorization]({{< baseurl >}}/rke/latest/en/config-options/authorization/) +* [System Images]({{}}/rke/latest/en/config-options/system-images/) +* [Services]({{}}/rke/latest/en/config-options/services/) +* [Extra Args and Binds and 
Environment Variables]({{}}/rke/latest/en/config-options/services/services-extras/) +* [External Etcd]({{}}/rke/latest/en/config-options/services/external-etcd/) +* [Authentication]({{}}/rke/latest/en/config-options/authentication/) +* [Authorization]({{}}/rke/latest/en/config-options/authorization/) * [Rate Limiting]({{}}/rke/latest/en/config-options/rate-limiting/) -* [Cloud Providers]({{< baseurl >}}/rke/latest/en/config-options/cloud-providers/) +* [Cloud Providers]({{}}/rke/latest/en/config-options/cloud-providers/) * [Audit Log]({{}}/rke/latest/en/config-options/audit-log) -* [Add-ons]({{< baseurl >}}/rke/latest/en/config-options/add-ons/) - * [Network Plug-ins]({{< baseurl >}}/rke/latest/en/config-options/add-ons/network-plugins/) - * [DNS providers]({{< baseurl >}}/rke/latest/en/config-options/add-ons/dns/) - * [Ingress Controllers]({{< baseurl >}}/rke/latest/en/config-options/add-ons/ingress-controllers/) - * [Metrics Server]({{< baseurl >}}/rke/latest/en/config-options/add-ons/metrics-server/) - * [User-Defined Add-ons]({{< baseurl >}}/rke/latest/en/config-options/add-ons/user-defined-add-ons/) +* [Add-ons]({{}}/rke/latest/en/config-options/add-ons/) + * [Network Plug-ins]({{}}/rke/latest/en/config-options/add-ons/network-plugins/) + * [DNS providers]({{}}/rke/latest/en/config-options/add-ons/dns/) + * [Ingress Controllers]({{}}/rke/latest/en/config-options/add-ons/ingress-controllers/) + * [Metrics Server]({{}}/rke/latest/en/config-options/add-ons/metrics-server/) + * [User-Defined Add-ons]({{}}/rke/latest/en/config-options/add-ons/user-defined-add-ons/) * [Add-ons Job Timeout](#add-ons-job-timeout) 
@@ -79,7 +79,7 @@ prefix_path: /opt/custom_path ### Cluster Level SSH Key Path -RKE connects to host(s) using `ssh`. Typically, each node will have an independent path for each ssh key, i.e. `ssh_key_path`, in the `nodes` section, but if you have a SSH key that is able to access **all** hosts in your cluster configuration file, you can set the path to that ssh key at the top level. Otherwise, you would set the ssh key path in the [nodes]({{< baseurl >}}/rke/latest/en/config-options/nodes/). +RKE connects to host(s) using `ssh`. Typically, each node will have an independent path for each ssh key, i.e. `ssh_key_path`, in the `nodes` section, but if you have a SSH key that is able to access **all** hosts in your cluster configuration file, you can set the path to that ssh key at the top level. Otherwise, you would set the ssh key path in the [nodes]({{}}/rke/latest/en/config-options/nodes/). If ssh key paths are defined at the cluster level and at the node level, the node-level key will take precedence. @@ -109,4 +109,4 @@ $ echo $SSH_AUTH_SOCK ### Add-ons Job Timeout -You can define [add-ons]({{< baseurl >}}/rke/latest/en/config-options/add-ons/) to be deployed after the Kubernetes cluster comes up, which uses Kubernetes [jobs](https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/). RKE will stop attempting to retrieve the job status after the timeout, which is in seconds. The default timeout value is `30` seconds. +You can define [add-ons]({{}}/rke/latest/en/config-options/add-ons/) to be deployed after the Kubernetes cluster comes up, which uses Kubernetes [jobs](https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/). RKE will stop attempting to retrieve the job status after the timeout, which is in seconds. The default timeout value is `30` seconds. diff --git a/content/rke/latest/en/config-options/add-ons/_index.md b/content/rke/latest/en/config-options/add-ons/_index.md index a665230b268..f2cb7765e3b 100644 
--- a/content/rke/latest/en/config-options/add-ons/_index.md +++ b/content/rke/latest/en/config-options/add-ons/_index.md @@ -5,12 +5,12 @@ weight: 260 RKE supports configuring pluggable add-ons in the cluster YML. Add-ons are used to deploy several cluster components including: -* [Network plug-ins]({{< baseurl >}}/rke/latest/en/config-options/add-ons/network-plugins/) -* [Ingress controller]({{< baseurl >}}/rke/latest/en/config-options/add-ons/ingress-controllers/) -* [DNS provider]({{< baseurl >}}/rke/latest/en/config-options/add-ons/dns/) -* [Metrics Server]({{< baseurl >}}/rke/latest/en/config-options/add-ons/metrics-server/) +* [Network plug-ins]({{}}/rke/latest/en/config-options/add-ons/network-plugins/) +* [Ingress controller]({{}}/rke/latest/en/config-options/add-ons/ingress-controllers/) +* [DNS provider]({{}}/rke/latest/en/config-options/add-ons/dns/) +* [Metrics Server]({{}}/rke/latest/en/config-options/add-ons/metrics-server/) -These add-ons require images that can be found under the [`system_images` directive]({{< baseurl >}}/rke/latest/en/config-options/system-images/). For each Kubernetes version, there are default images associated with each add-on, but these can be overridden by changing the image tag in `system_images`. +These add-ons require images that can be found under the [`system_images` directive]({{}}/rke/latest/en/config-options/system-images/). For each Kubernetes version, there are default images associated with each add-on, but these can be overridden by changing the image tag in `system_images`. There are a few things worth noting: 
@@ -25,7 +25,7 @@ As of version v0.1.7, add-ons are split into two categories: - **Critical add-ons:** If these add-ons fail to deploy for any reason, RKE will error out. - **Non-critical add-ons:** If these add-ons fail to deploy, RKE will only log a warning and continue deploying any other add-ons. -Currently, only the [network plug-in]({{< baseurl >}}/rke/latest/en/config-options/add-ons/network-plugins/) is considered critical. KubeDNS, [ingress controllers]({{< baseurl >}}/rke/latest/en/config-options/add-ons/ingress-controllers/) and [user-defined add-ons]({{< baseurl >}}/rke/latest/en/config-options/add-ons/user-defined-add-ons/) are considered non-critical. +Currently, only the [network plug-in]({{}}/rke/latest/en/config-options/add-ons/network-plugins/) is considered critical. KubeDNS, [ingress controllers]({{}}/rke/latest/en/config-options/add-ons/ingress-controllers/) and [user-defined add-ons]({{}}/rke/latest/en/config-options/add-ons/user-defined-add-ons/) are considered non-critical. ## Add-on deployment jobs diff --git a/content/rke/latest/en/config-options/add-ons/dns/_index.md b/content/rke/latest/en/config-options/add-ons/dns/_index.md index a00aa2e5a12..6168f1fc4e7 100644 --- a/content/rke/latest/en/config-options/add-ons/dns/_index.md +++ b/content/rke/latest/en/config-options/add-ons/dns/_index.md 
@@ -26,7 +26,7 @@ CoreDNS can only be used on Kubernetes v1.12.0 and higher. RKE will deploy CoreDNS as a Deployment with the default replica count of 1. The pod consists of 1 container: `coredns`. RKE will also deploy coredns-autoscaler as a Deployment, which will scale the coredns Deployment by using the number of cores and nodes. Please see [Linear Mode](https://github.com/kubernetes-incubator/cluster-proportional-autoscaler#linear-mode) for more information about this logic. -The images used for CoreDNS are under the [`system_images` directive]({{< baseurl >}}/rke/latest/en/config-options/system-images/). For each Kubernetes version, there are default images associated with CoreDNS, but these can be overridden by changing the image tag in `system_images`. +The images used for CoreDNS are under the [`system_images` directive]({{}}/rke/latest/en/config-options/system-images/). For each Kubernetes version, there are default images associated with CoreDNS, but these can be overridden by changing the image tag in `system_images`. ## Scheduling CoreDNS 
@@ -66,7 +66,7 @@ dns: RKE will deploy kube-dns as a Deployment with the default replica count of 1. The pod consists of 3 containers: `kubedns`, `dnsmasq` and `sidecar`. RKE will also deploy kube-dns-autoscaler as a Deployment, which will scale the kube-dns Deployment by using the number of cores and nodes. Please see [Linear Mode](https://github.com/kubernetes-incubator/cluster-proportional-autoscaler#linear-mode) for more information about this logic. -The images used for kube-dns are under the [`system_images` directive]({{< baseurl >}}/rke/latest/en/config-options/system-images/). For each Kubernetes version, there are default images associated with kube-dns, but these can be overridden by changing the image tag in `system_images`. +The images used for kube-dns are under the [`system_images` directive]({{}}/rke/latest/en/config-options/system-images/). For each Kubernetes version, there are default images associated with kube-dns, but these can be overridden by changing the image tag in `system_images`. ## Scheduling kube-dns diff --git a/content/rke/latest/en/config-options/add-ons/ingress-controllers/_index.md b/content/rke/latest/en/config-options/add-ons/ingress-controllers/_index.md index a7da4af0cd6..4e32fb33858 100644 --- a/content/rke/latest/en/config-options/add-ons/ingress-controllers/_index.md +++ b/content/rke/latest/en/config-options/add-ons/ingress-controllers/_index.md 
@@ -10,7 +10,7 @@ By default, RKE deploys the NGINX ingress controller on all schedulable nodes. RKE will deploy the ingress controller as a DaemonSet with `hostnetwork: true`, so ports `80`, and `443` will be opened on each node where the controller is deployed. -The images used for ingress controller is under the [`system_images` directive]({{< baseurl >}}/rke/latest/en/config-options/system-images/). For each Kubernetes version, there are default images associated with the ingress controller, but these can be overridden by changing the image tag in `system_images`. +The images used for ingress controller is under the [`system_images` directive]({{}}/rke/latest/en/config-options/system-images/). For each Kubernetes version, there are default images associated with the ingress controller, but these can be overridden by changing the image tag in `system_images`. ## Scheduling Ingress Controllers diff --git a/content/rke/latest/en/config-options/add-ons/metrics-server/_index.md b/content/rke/latest/en/config-options/add-ons/metrics-server/_index.md index 88775ac5577..61f0d303601 100644 --- a/content/rke/latest/en/config-options/add-ons/metrics-server/_index.md +++ b/content/rke/latest/en/config-options/add-ons/metrics-server/_index.md 
@@ -7,7 +7,7 @@ By default, RKE deploys [Metrics Server](https://github.com/kubernetes-incubator RKE will deploy Metrics Server as a Deployment. -The image used for Metrics Server is under the [`system_images` directive]({{< baseurl >}}/rke/latest/en/config-options/system-images/). For each Kubernetes version, there is a default image associated with the Metrics Server, but these can be overridden by changing the image tag in `system_images`. +The image used for Metrics Server is under the [`system_images` directive]({{}}/rke/latest/en/config-options/system-images/). For each Kubernetes version, there is a default image associated with the Metrics Server, but these can be overridden by changing the image tag in `system_images`. ## Disabling the Metrics Server diff --git a/content/rke/latest/en/config-options/add-ons/network-plugins/_index.md b/content/rke/latest/en/config-options/add-ons/network-plugins/_index.md index cb26c78fe57..7da2af08643 100644 --- a/content/rke/latest/en/config-options/add-ons/network-plugins/_index.md +++ b/content/rke/latest/en/config-options/add-ons/network-plugins/_index.md @@ -20,7 +20,7 @@ network: plugin: flannel ``` -The images used for network plug-ins are under the [`system_images` directive]({{< baseurl >}}/rke/latest/en/config-options/system-images/). For each Kubernetes version, there are default images associated with each network plug-in, but these can be overridden by changing the image tag in `system_images`. +The images used for network plug-ins are under the [`system_images` directive]({{}}/rke/latest/en/config-options/system-images/). For each Kubernetes version, there are default images associated with each network plug-in, but these can be overridden by changing the image tag in `system_images`. # Disabling Deployment of a Network Plug-in 
diff --git a/content/rke/latest/en/config-options/add-ons/user-defined-add-ons/_index.md b/content/rke/latest/en/config-options/add-ons/user-defined-add-ons/_index.md index 3f2dd072f91..72808d38936 100644 --- a/content/rke/latest/en/config-options/add-ons/user-defined-add-ons/_index.md +++ b/content/rke/latest/en/config-options/add-ons/user-defined-add-ons/_index.md @@ -3,7 +3,7 @@ title: User-Defined Add-Ons weight: 263 --- -Besides the [network plug-in]({{< baseurl >}}/rke/latest/en/config-options/add-ons/network-plugins) and [ingress controllers]({{< baseurl >}}/rke/latest/en/config-options/add-ons/ingress-controllers/), you can define any add-on that you want deployed after the Kubernetes cluster is deployed. +Besides the [network plug-in]({{}}/rke/latest/en/config-options/add-ons/network-plugins) and [ingress controllers]({{}}/rke/latest/en/config-options/add-ons/ingress-controllers/), you can define any add-on that you want deployed after the Kubernetes cluster is deployed. There are two ways that you can specify an add-on. diff --git a/content/rke/latest/en/config-options/bastion-host/_index.md b/content/rke/latest/en/config-options/bastion-host/_index.md index 3b6848759c6..d2710e8c42d 100644 --- a/content/rke/latest/en/config-options/bastion-host/_index.md +++ b/content/rke/latest/en/config-options/bastion-host/_index.md 
@@ -3,7 +3,7 @@ title: Bastion/Jump Host Configuration weight: 220 --- -Since RKE uses `ssh` to connect to [nodes]({{< baseurl >}}/rke/latest/en/config-options/nodes/), you can configure the `cluster.yml` so RKE will use a bastion host. Keep in mind that the [port requirements]({{< baseurl >}}/rke/latest/en/os/#ports) for the RKE node move to the configured bastion host. Our private SSH key(s) only needs to reside on the host running RKE. You do not need to copy your private SSH key(s) to the bastion host. +Since RKE uses `ssh` to connect to [nodes]({{}}/rke/latest/en/config-options/nodes/), you can configure the `cluster.yml` so RKE will use a bastion host. Keep in mind that the [port requirements]({{}}/rke/latest/en/os/#ports) for the RKE node move to the configured bastion host. Our private SSH key(s) only needs to reside on the host running RKE. You do not need to copy your private SSH key(s) to the bastion host. ```yaml bastion_host: diff --git a/content/rke/latest/en/config-options/cloud-providers/_index.md b/content/rke/latest/en/config-options/cloud-providers/_index.md index 27881c437e2..45501bcf784 100644 --- a/content/rke/latest/en/config-options/cloud-providers/_index.md +++ b/content/rke/latest/en/config-options/cloud-providers/_index.md 
@@ -6,9 +6,9 @@ weight: 250 RKE supports the ability to set your specific [cloud provider](https://kubernetes.io/docs/concepts/cluster-administration/cloud-providers/) for your Kubernetes cluster. There are specific cloud configurations for these cloud providers. To enable a cloud provider its name as well as any required configuration options must be provided under the `cloud_provider` directive in the cluster YML. -* [AWS]({{< baseurl >}}/rke/latest/en/config-options/cloud-providers/aws) -* [Azure]({{< baseurl >}}/rke/latest/en/config-options/cloud-providers/azure) -* [OpenStack]({{< baseurl >}}/rke/latest/en/config-options/cloud-providers/openstack) -* [vSphere]({{< baseurl >}}/rke/latest/en/config-options/cloud-providers/vsphere) +* [AWS]({{}}/rke/latest/en/config-options/cloud-providers/aws) +* [Azure]({{}}/rke/latest/en/config-options/cloud-providers/azure) +* [OpenStack]({{}}/rke/latest/en/config-options/cloud-providers/openstack) +* [vSphere]({{}}/rke/latest/en/config-options/cloud-providers/vsphere) -Outside of this list, RKE also supports the ability to handle any [custom cloud provider]({{< baseurl >}}/rke/latest/en/config-options/cloud-providers/custom). +Outside of this list, RKE also supports the ability to handle any [custom cloud provider]({{}}/rke/latest/en/config-options/cloud-providers/custom). diff --git a/content/rke/latest/en/config-options/cloud-providers/vsphere/troubleshooting/_index.md b/content/rke/latest/en/config-options/cloud-providers/vsphere/troubleshooting/_index.md index 6d2cffca67f..74801997ee5 100644 --- a/content/rke/latest/en/config-options/cloud-providers/vsphere/troubleshooting/_index.md +++ b/content/rke/latest/en/config-options/cloud-providers/vsphere/troubleshooting/_index.md 
@@ -8,11 +8,11 @@ If you are experiencing issues while provisioning a cluster with enabled vSphere - controller-manager (Manages volumes in vCenter) - kubelet: (Mounts vSphere volumes to pods) -If your cluster is not configured with external [Cluster Logging]({{< baseurl >}}/rancher/v2.x/en/tools/logging/), you will need to SSH into nodes to get the logs of the `kube-controller-manager` (running on one of the control plane nodes) and the `kubelet` (pertaining to the node where the stateful pod has been scheduled). +If your cluster is not configured with external [Cluster Logging]({{}}/rancher/v2.x/en/tools/logging/), you will need to SSH into nodes to get the logs of the `kube-controller-manager` (running on one of the control plane nodes) and the `kubelet` (pertaining to the node where the stateful pod has been scheduled). The easiest way to create a SSH session with a node is the Rancher CLI tool. -1. [Configure the Rancher CLI]({{< baseurl >}}/rancher/v2.x/en/cli/) for your cluster. +1. [Configure the Rancher CLI]({{}}/rancher/v2.x/en/cli/) for your cluster. 2. Run the following command to get a shell to the corresponding nodes: ```sh diff --git a/content/rke/latest/en/config-options/nodes/_index.md b/content/rke/latest/en/config-options/nodes/_index.md index 75321c4c6b9..e15b7e98f21 100644 --- a/content/rke/latest/en/config-options/nodes/_index.md +++ b/content/rke/latest/en/config-options/nodes/_index.md 
@@ -116,7 +116,7 @@ The `internal_address` provides the ability to have nodes with multiple addresse The `hostname_override` is used to be able to provide a friendly name for RKE to use when registering the node in Kubernetes. This hostname doesn't need to be a routable address, but it must be a valid [Kubernetes resource name](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). If the `hostname_override` isn't set, then the `address` directive is used when registering the node in Kubernetes. -> **Note:** When [cloud providers]({{< baseurl >}}/rke/latest/en/config-options/cloud-providers/) are configured, you may need to override the hostname in order to use the cloud provider correctly. There is an exception for the [AWS cloud provider](https://kubernetes.io/docs/concepts/cluster-administration/cloud-providers/#aws), where the `hostname_override` field will be explicitly ignored. +> **Note:** When [cloud providers]({{}}/rke/latest/en/config-options/cloud-providers/) are configured, you may need to override the hostname in order to use the cloud provider correctly. There is an exception for the [AWS cloud provider](https://kubernetes.io/docs/concepts/cluster-administration/cloud-providers/#aws), where the `hostname_override` field will be explicitly ignored. ### SSH Port 
@@ -130,7 +130,7 @@ For each node, you specify the `user` to be used when connecting to this node. T For each node, you specify the path, i.e. `ssh_key_path`, for the SSH private key to be used when connecting to this node. The default key path for each node is `~/.ssh/id_rsa`. -> **Note:** If you have a private key that can be used across all nodes, you can set the [SSH key path at the cluster level]({{< baseurl >}}/rke/latest/en/config-options/#cluster-level-ssh-key-path). The SSH key path set in each node will always take precedence. +> **Note:** If you have a private key that can be used across all nodes, you can set the [SSH key path at the cluster level]({{}}/rke/latest/en/config-options/#cluster-level-ssh-key-path). The SSH key path set in each node will always take precedence. ### SSH Key @@ -150,7 +150,7 @@ If the Docker socket is different than the default, you can set the `docker_sock ### Labels -You have the ability to add an arbitrary map of labels for each node. It can be used when using the [ingress controller's]({{< baseurl >}}/rke/latest/en/config-options/add-ons/ingress-controllers/) `node_selector` option. +You have the ability to add an arbitrary map of labels for each node. It can be used when using the [ingress controller's]({{}}/rke/latest/en/config-options/add-ons/ingress-controllers/) `node_selector` option. ### Taints diff --git a/content/rke/latest/en/config-options/private-registries/_index.md b/content/rke/latest/en/config-options/private-registries/_index.md index 5a5c1a4d18e..2f448920312 100644 --- a/content/rke/latest/en/config-options/private-registries/_index.md +++ b/content/rke/latest/en/config-options/private-registries/_index.md 
@@ -19,7 +19,7 @@ private_registries: ### Default Registry -As of v0.1.10, RKE supports specifying a default registry from the list of private registries to be used with all [system images]({{< baseurl >}}/rke/latest/en/config-options/system-images/) . In this example .RKE will use `registry.com` as the default registry for all system images, e.g. `rancher/rke-tools:v0.1.14` will become `registry.com/rancher/rke-tools:v0.1.14`. +As of v0.1.10, RKE supports specifying a default registry from the list of private registries to be used with all [system images]({{}}/rke/latest/en/config-options/system-images/) . In this example .RKE will use `registry.com` as the default registry for all system images, e.g. `rancher/rke-tools:v0.1.14` will become `registry.com/rancher/rke-tools:v0.1.14`. ```yaml private_registries: 
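Review bot: The `+` line carries over the stray punctuation after the system images link: a space before the period that closes the first sentence, then `In this example .RKE will use` with a period stuck to `RKE`. Since the line is being rewritten anyway, end the first sentence directly after the link and write `In this example, RKE will use` for the second.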
@@ -31,9 +31,9 @@ private_registries: ### Air-gapped Setups -By default, all system images are being pulled from DockerHub. If you are on a system that does not have access to DockerHub, you will need to create a private registry that is populated with all the required [system images]({{< baseurl >}}/rke/latest/en/config-options/system-images/). +By default, all system images are being pulled from DockerHub. If you are on a system that does not have access to DockerHub, you will need to create a private registry that is populated with all the required [system images]({{}}/rke/latest/en/config-options/system-images/). -As of v0.1.10, you have to configure your private registry credentials, but you can specify this registry as a default registry so that all [system images]({{< baseurl >}}/rke/latest/en/config-options/system-images/) are pulled from the designated private registry. You can use the command `rke config --system-images` to get the list of default system images to populate your private registry. +As of v0.1.10, you have to configure your private registry credentials, but you can specify this registry as a default registry so that all [system images]({{}}/rke/latest/en/config-options/system-images/) are pulled from the designated private registry. You can use the command `rke config --system-images` to get the list of default system images to populate your private registry. -Prior to v0.1.10, you had to configure your private registry credentials **and** update the names of all the [system images]({{< baseurl >}}/rke/latest/en/config-options/system-images/) in the `cluster.yml` so that the image names would have the private registry URL appended before each image name. +Prior to v0.1.10, you had to configure your private registry credentials **and** update the names of all the [system images]({{}}/rke/latest/en/config-options/system-images/) in the `cluster.yml` so that the image names would have the private registry URL appended before each image name. 
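Review bot: In the last `+` line, `the private registry URL appended before each image name` contradicts itself, because something placed before the name is prefixed, not appended. Suggest `so that each image name is prefixed with the private registry URL`, which also reads more directly for someone editing `cluster.yml` by hand on a pre-v0.1.10 release.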
diff --git a/content/rke/latest/en/config-options/services/_index.md b/content/rke/latest/en/config-options/services/_index.md index cfd88cc39a9..b1c7a4d4c1e 100644 --- a/content/rke/latest/en/config-options/services/_index.md +++ b/content/rke/latest/en/config-options/services/_index.md @@ -6,7 +6,7 @@ weight: 230 To deploy Kubernetes, RKE deploys several core components or services in Docker containers on the nodes. Based on the roles of the node, the containers deployed may be different. -**All services support additional [custom arguments, Docker mount binds and extra environment variables]({{< baseurl >}}/rke/latest/en/config-options/services/services-extras/).** +**All services support additional [custom arguments, Docker mount binds and extra environment variables]({{}}/rke/latest/en/config-options/services/services-extras/).** | Component | Services key name in cluster.yml | |-------------------------|----------------------------------| 
@@ -23,13 +23,13 @@ Kubernetes uses [etcd](https://etcd.io/) as a store for cluster state and data. RKE supports running etcd in a single node mode or in HA cluster mode. It also supports adding and removing etcd nodes to the cluster. -You can enable etcd to [take recurring snapshots]({{< baseurl >}}/rke/latest/en/etcd-snapshots/#recurring-snapshots). These snapshots can be used to [restore etcd]({{< baseurl >}}/rke/latest/en/etcd-snapshots/#etcd-disaster-recovery). +You can enable etcd to [take recurring snapshots]({{}}/rke/latest/en/etcd-snapshots/#recurring-snapshots). These snapshots can be used to [restore etcd]({{}}/rke/latest/en/etcd-snapshots/#etcd-disaster-recovery). -By default, RKE will deploy a new etcd service, but you can also run Kubernetes with an [external etcd service]({{< baseurl >}}/rke/latest/en/config-options/services/external-etcd/). +By default, RKE will deploy a new etcd service, but you can also run Kubernetes with an [external etcd service]({{}}/rke/latest/en/config-options/services/external-etcd/). ## Kubernetes API Server -> **Note for Rancher 2 users** If you are configuring Cluster Options using a [Config File]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/options/#config-file) when creating [Rancher Launched Kubernetes]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/), the names of services should contain underscores only: `kube_api`. This only applies to Rancher v2.0.5 and v2.0.6. +> **Note for Rancher 2 users** If you are configuring Cluster Options using a [Config File]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/options/#config-file) when creating [Rancher Launched Kubernetes]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/), the names of services should contain underscores only: `kube_api`. This only applies to Rancher v2.0.5 and v2.0.6. 
The [Kubernetes API](https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/) REST service, which handles requests and data for all Kubernetes objects and provide shared state for all the other Kubernetes components. 
@@ -58,10 +58,10 @@ RKE supports the following options for the `kube-api` service : - **Pod Security Policy** (`pod_security_policy`) - An option to enable the [Kubernetes Pod Security Policy](https://kubernetes.io/docs/concepts/policy/pod-security-policy/). By default, we do not enable pod security policies as it is set to `false`. > **Note:** If you set `pod_security_policy` value to `true`, RKE will configure an open policy to allow any pods to work on the cluster. You will need to configure your own policies to fully utilize PSP. - **Always Pull Images** (`always_pull_images`) - Enable `AlwaysPullImages` Admission controller plugin. Enabling `AlwaysPullImages` is a security best practice. It forces Kubernetes to validate the image and pull credentials with the remote image registry. Local image layer cache will still be used, but it does add a small bit of overhead when launching containers to pull and compare image hashes. _Note: Available as of v0.2.0_ -- **Secrets Encryption Config** (`secrets_encryption_config`) - Manage Kubernetes at-rest data encryption. Documented [here]({{< baseurl >}}//rke/latest/en/config-options/secrets-encryption) +- **Secrets Encryption Config** (`secrets_encryption_config`) - Manage Kubernetes at-rest data encryption. Documented [here]({{}}//rke/latest/en/config-options/secrets-encryption) ## Kubernetes Controller Manager -> **Note for Rancher 2 users** If you are configuring Cluster Options using a [Config File]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/options/#config-file) when creating [Rancher Launched Kubernetes]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/), the names of services should contain underscores only: `kube_controller`. This only applies to Rancher v2.0.5 and v2.0.6. 
+> **Note for Rancher 2 users** If you are configuring Cluster Options using a [Config File]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/options/#config-file) when creating [Rancher Launched Kubernetes]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/), the names of services should contain underscores only: `kube_controller`. This only applies to Rancher v2.0.5 and v2.0.6. The [Kubernetes Controller Manager](https://kubernetes.io/docs/reference/command-line-tools-reference/kube-controller-manager/) service is the component responsible for running Kubernetes main control loops. The controller manager monitors the cluster desired state through the Kubernetes API server and makes the necessary changes to the current state to reach the desired state. diff --git a/content/rke/latest/en/config-options/services/external-etcd/_index.md b/content/rke/latest/en/config-options/services/external-etcd/_index.md index 173fa826972..8ee04bb7797 100644 --- a/content/rke/latest/en/config-options/services/external-etcd/_index.md +++ b/content/rke/latest/en/config-options/services/external-etcd/_index.md @@ -5,7 +5,7 @@ weight: 232 By default, RKE will launch etcd servers, but RKE also supports being able to use an external etcd. RKE only supports connecting to a TLS enabled etcd setup. -> **Note:** RKE will not accept having external etcd servers in conjunction with [nodes]({{< baseurl >}}/rke/latest/en/config-options/nodes/) with the `etcd` role. +> **Note:** RKE will not accept having external etcd servers in conjunction with [nodes]({{}}/rke/latest/en/config-options/nodes/) with the `etcd` role. ```yaml services: diff --git a/content/rke/latest/en/config-options/system-images/_index.md b/content/rke/latest/en/config-options/system-images/_index.md index ae16387c7cc..041a99a186e 100644 --- a/content/rke/latest/en/config-options/system-images/_index.md +++ b/content/rke/latest/en/config-options/system-images/_index.md 
@@ -75,4 +75,4 @@ system_images: ### Air-gapped Setups -If you have an air-gapped setup and cannot access `docker.io`, you will need to set up your [private registry]({{< baseurl >}}/rke/latest/en/config-options/private-registries/) in your cluster configuration file. After you set up private registry, you will need to update these images to pull from your private registry. +If you have an air-gapped setup and cannot access `docker.io`, you will need to set up your [private registry]({{}}/rke/latest/en/config-options/private-registries/) in your cluster configuration file. After you set up private registry, you will need to update these images to pull from your private registry. diff --git a/content/rke/latest/en/etcd-snapshots/_index.md b/content/rke/latest/en/etcd-snapshots/_index.md index d973feb3d2f..735fb8bab96 100644 --- a/content/rke/latest/en/etcd-snapshots/_index.md +++ b/content/rke/latest/en/etcd-snapshots/_index.md @@ -13,7 +13,7 @@ _Available as of v0.2.0_ RKE can upload your snapshots to a S3 compatible backend. -**Note:** As of RKE v0.2.0, the `pki.bundle.tar.gz` file is no longer required because of a change in how the [Kubernetes cluster state is stored]({{< baseurl >}}/rke/latest/en/installation/#kubernetes-cluster-state). +**Note:** As of RKE v0.2.0, the `pki.bundle.tar.gz` file is no longer required because of a change in how the [Kubernetes cluster state is stored]({{}}/rke/latest/en/installation/#kubernetes-cluster-state). # Backing Up a Cluster diff --git a/content/rke/latest/en/etcd-snapshots/one-time-snapshots/_index.md b/content/rke/latest/en/etcd-snapshots/one-time-snapshots/_index.md index b98f7e4ed42..400aee3b3e3 100644 --- a/content/rke/latest/en/etcd-snapshots/one-time-snapshots/_index.md +++ b/content/rke/latest/en/etcd-snapshots/one-time-snapshots/_index.md 
@@ -54,8 +54,8 @@ $ rke etcd snapshot-save \ | `--bucket-name` value | Specify s3 bucket name | * | | `--folder` value | Specify folder inside bucket where backup will be stored. This is optional. _Available as of v0.3.0_ | * | | `--region` value | Specify the s3 bucket location (optional) | * | -| `--ssh-agent-auth` | [Use SSH Agent Auth defined by SSH_AUTH_SOCK]({{< baseurl >}}/rke/latest/en/config-options/#ssh-agent) | | -| `--ignore-docker-version` | [Disable Docker version check]({{< baseurl >}}/rke/latest/en/config-options/#supported-docker-versions) | +| `--ssh-agent-auth` | [Use SSH Agent Auth defined by SSH_AUTH_SOCK]({{}}/rke/latest/en/config-options/#ssh-agent) | | +| `--ignore-docker-version` | [Disable Docker version check]({{}}/rke/latest/en/config-options/#supported-docker-versions) | The `--access-key` and `--secret-key` options are not required if the `etcd` nodes are AWS EC2 instances that have been configured with a suitable IAM instance profile. @@ -116,8 +116,8 @@ $ rke etcd snapshot-save --config cluster.yml --name snapshot-name | --- | --- | | `--name` value | Specify snapshot name | | `--config` value | Specify an alternate cluster YAML file (default: `cluster.yml`) [$RKE_CONFIG] | -| `--ssh-agent-auth` | [Use SSH Agent Auth defined by SSH_AUTH_SOCK]({{< baseurl >}}/rke/latest/en/config-options/#ssh-agent) | -| `--ignore-docker-version` | [Disable Docker version check]({{< baseurl >}}/rke/latest/en/config-options/#supported-docker-versions) | +| `--ssh-agent-auth` | [Use SSH Agent Auth defined by SSH_AUTH_SOCK]({{}}/rke/latest/en/config-options/#ssh-agent) | +| `--ignore-docker-version` | [Disable Docker version check]({{}}/rke/latest/en/config-options/#supported-docker-versions) | {{% /tab %}} {{% /tabs %}} diff --git a/content/rke/latest/en/etcd-snapshots/restoring-from-backup/_index.md b/content/rke/latest/en/etcd-snapshots/restoring-from-backup/_index.md index a4e0ce38419..3f26ea9ee47 100644 
--- a/content/rke/latest/en/etcd-snapshots/restoring-from-backup/_index.md +++ b/content/rke/latest/en/etcd-snapshots/restoring-from-backup/_index.md @@ -33,7 +33,7 @@ $ rke etcd snapshot-restore --config cluster.yml --name mysnapshot The snapshot is assumed to be located in `/opt/rke/etcd-snapshots`. -**Note:** The `pki.bundle.tar.gz` file is not needed because RKE v0.2.0 changed how the [Kubernetes cluster state is stored]({{< baseurl >}}/rke/latest/en/installation/#kubernetes-cluster-state). +**Note:** The `pki.bundle.tar.gz` file is not needed because RKE v0.2.0 changed how the [Kubernetes cluster state is stored]({{}}/rke/latest/en/installation/#kubernetes-cluster-state). ### Example of Restoring from a Snapshot in S3 @@ -67,8 +67,8 @@ $ rke etcd snapshot-restore \ | `--bucket-name` value | Specify s3 bucket name | *| | `--folder` value | Specify folder inside bucket where backup will be stored. This is optional. This is optional. _Available as of v0.3.0_ | *| | `--region` value | Specify the s3 bucket location (optional) | *| -| `--ssh-agent-auth` | [Use SSH Agent Auth defined by SSH_AUTH_SOCK]({{< baseurl >}}/rke/latest/en/config-options/#ssh-agent) | | -| `--ignore-docker-version` | [Disable Docker version check]({{< baseurl >}}/rke/latest/en/config-options/#supported-docker-versions) | +| `--ssh-agent-auth` | [Use SSH Agent Auth defined by SSH_AUTH_SOCK]({{}}/rke/latest/en/config-options/#ssh-agent) | | +| `--ignore-docker-version` | [Disable Docker version check]({{}}/rke/latest/en/config-options/#supported-docker-versions) | {{% /tab %}} {{% tab "RKE prior to v0.2.0"%}} 
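Review bot: In the S3 options table of the `@@ -67,8 +67,8 @@` hunk, the `--ignore-docker-version` row ends after its second cell, while the `--ssh-agent-auth` row directly above it closes a third, empty cell with `| |`. Add the same trailing cell so the row matches the three-column table. The unchanged `--folder` row in the same hunk also says "This is optional." twice and could be cleaned up in the same pass.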
@@ -109,8 +109,8 @@ The `pki.bundle.tar.gz` file is also expected to be in the same location. | --- | --- | | `--name` value | Specify snapshot name | | `--config` value | Specify an alternate cluster YAML file (default: `cluster.yml`) [$RKE_CONFIG] | -| `--ssh-agent-auth` | [Use SSH Agent Auth defined by SSH_AUTH_SOCK]({{< baseurl >}}/rke/latest/en/config-options/#ssh-agent) | -| `--ignore-docker-version` | [Disable Docker version check]({{< baseurl >}}/rke/latest/en/config-options/#supported-docker-versions) | +| `--ssh-agent-auth` | [Use SSH Agent Auth defined by SSH_AUTH_SOCK]({{}}/rke/latest/en/config-options/#ssh-agent) | +| `--ignore-docker-version` | [Disable Docker version check]({{}}/rke/latest/en/config-options/#supported-docker-versions) | {{% /tab %}} {{% /tabs %}} diff --git a/content/rke/latest/en/example-yamls/_index.md b/content/rke/latest/en/example-yamls/_index.md index 9b155eecca8..9fe11e634f8 100644 --- a/content/rke/latest/en/example-yamls/_index.md +++ b/content/rke/latest/en/example-yamls/_index.md 
@@ -5,9 +5,9 @@ aliases: - /rke/latest/en/config-options/example-yamls/ --- -There are lots of different [configuration options]({{< baseurl >}}/rke/latest/en/config-options/) that can be set in the cluster configuration file for RKE. Here are some examples of files: +There are lots of different [configuration options]({{}}/rke/latest/en/config-options/) that can be set in the cluster configuration file for RKE. Here are some examples of files: -> **Note for Rancher 2 users** If you are configuring Cluster Options using a [Config File]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/options/#config-file) when creating [Rancher Launched Kubernetes]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/), the names of services should contain underscores only: `kube_api` and `kube_controller`. This only applies to Rancher v2.0.5 and v2.0.6. +> **Note for Rancher 2 users** If you are configuring Cluster Options using a [Config File]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/options/#config-file) when creating [Rancher Launched Kubernetes]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/), the names of services should contain underscores only: `kube_api` and `kube_controller`. This only applies to Rancher v2.0.5 and v2.0.6. ## Minimal `cluster.yml` example diff --git a/content/rke/latest/en/installation/_index.md b/content/rke/latest/en/installation/_index.md index 2017df4c853..30d5dc73842 100644 --- a/content/rke/latest/en/installation/_index.md +++ b/content/rke/latest/en/installation/_index.md 
@@ -74,20 +74,20 @@ $ brew upgrade rke The Kubernetes cluster components are launched using Docker on a Linux distro. You can use any Linux you want, as long as you can install Docker on it. -Review the [OS requirements]({{< baseurl >}}/rke/latest/en/installation/os/) and configure each node appropriately. +Review the [OS requirements]({{}}/rke/latest/en/installation/os/) and configure each node appropriately. ## Creating the Cluster Configuration File -RKE uses a cluster configuration file, referred to as `cluster.yml` to determine what nodes will be in the cluster and how to deploy Kubernetes. There are [many configuration options]({{< baseurl >}}/rke/latest/en/config-options/) that can be set in the `cluster.yml`. In our example, we will be assuming the minimum of one [node]({{< baseurl >}}/rke/latest/en/config-options/nodes) for your Kubernetes cluster. +RKE uses a cluster configuration file, referred to as `cluster.yml` to determine what nodes will be in the cluster and how to deploy Kubernetes. There are [many configuration options]({{}}/rke/latest/en/config-options/) that can be set in the `cluster.yml`. In our example, we will be assuming the minimum of one [node]({{}}/rke/latest/en/config-options/nodes) for your Kubernetes cluster. There are two easy ways to create a `cluster.yml`: -- Using our [minimal `cluster.yml`]({{< baseurl >}}/rke/latest/en/example-yamls/#minimal-cluster-yml-example) and updating it based on the node that you will be using. +- Using our [minimal `cluster.yml`]({{}}/rke/latest/en/example-yamls/#minimal-cluster-yml-example) and updating it based on the node that you will be using. - Using `rke config` to query for all the information needed. ### Using `rke config` -Run `rke config` to create a new `cluster.yml` in the current directory. This command will prompt you for all the information needed to build a cluster. See [cluster configuration options]({{< baseurl >}}/rke/latest/en/config-options/) for details on the various options. 
+Run `rke config` to create a new `cluster.yml` in the current directory. This command will prompt you for all the information needed to build a cluster. See [cluster configuration options]({{}}/rke/latest/en/config-options/) for details on the various options. ``` rke config --name cluster.yml @@ -117,7 +117,7 @@ To create an HA cluster, specify more than one host with role `controlplane`. _Available as of v0.2.0_ -By default, Kubernetes clusters require certificates and RKE auto-generates the certificates for all cluster components. You can also use [custom certificates]({{< baseurl >}}/rke/latest/en/installation/certs/). After the Kubernetes cluster is deployed, you can [manage these auto-generated certificates]({{< baseurl >}}/rke/latest/en/cert-mgmt/#certificate-rotation). +By default, Kubernetes clusters require certificates and RKE auto-generates the certificates for all cluster components. You can also use [custom certificates]({{}}/rke/latest/en/installation/certs/). After the Kubernetes cluster is deployed, you can [manage these auto-generated certificates]({{}}/rke/latest/en/cert-mgmt/#certificate-rotation). ## Deploying Kubernetes with RKE @@ -146,7 +146,7 @@ The last line should read `Finished building Kubernetes cluster successfully` to Save a copy of the following files in a secure location: - `cluster.yml`: The RKE cluster configuration file. -- `kube_config_cluster.yml`: The [Kubeconfig file]({{< baseurl >}}/rke/latest/en/kubeconfig/) for the cluster, this file contains credentials for full access to the cluster. +- `kube_config_cluster.yml`: The [Kubeconfig file]({{}}/rke/latest/en/kubeconfig/) for the cluster, this file contains credentials for full access to the cluster. - `cluster.rkestate`: The [Kubernetes Cluster State file](#kubernetes-cluster-state), this file contains credentials for full access to the cluster.

    _The Kubernetes Cluster State file is only created when using RKE v0.2.0 or higher._ > **Note:** The "rancher-cluster" parts of the two latter file names are dependent on how you name the RKE cluster configuration file. @@ -161,9 +161,9 @@ Prior to v0.2.0, RKE saved the Kubernetes cluster state as a secret. When updati ## Interacting with your Kubernetes cluster -After your cluster is up and running, you can start using the [generated kubeconfig file]({{< baseurl >}}/rke/latest/en/kubeconfig) to start interacting with your Kubernetes cluster using `kubectl`. +After your cluster is up and running, you can start using the [generated kubeconfig file]({{}}/rke/latest/en/kubeconfig) to start interacting with your Kubernetes cluster using `kubectl`. After installation, there are several maintenance items that might arise: -* [Certificate Management]({{< baseurl >}}/rke/latest/en/cert-mgmt/) -* [Adding and Removing Nodes in the cluster]({{< baseurl >}}/rke/latest/en/managing-clusters) +* [Certificate Management]({{}}/rke/latest/en/cert-mgmt/) +* [Adding and Removing Nodes in the cluster]({{}}/rke/latest/en/managing-clusters) diff --git a/content/rke/latest/en/installation/certs/_index.md b/content/rke/latest/en/installation/certs/_index.md index 19e5a04a0e9..1907a0a68eb 100644 --- a/content/rke/latest/en/installation/certs/_index.md +++ b/content/rke/latest/en/installation/certs/_index.md 
@@ -7,7 +7,7 @@ _Available as of v0.2.0_ By default, Kubernetes clusters require certificates and RKE auto-generates the certificates for all the Kubernetes services. RKE can also use custom certificates for these Kubernetes services. -When [deploying Kubernetes with RKE]({{< baseurl >}}/rke/latest/en/installation/#deploying-kubernetes-with-rke), there are two additional options that can be used with `rke up` so that RKE uses custom certificates. +When [deploying Kubernetes with RKE]({{}}/rke/latest/en/installation/#deploying-kubernetes-with-rke), there are two additional options that can be used with `rke up` so that RKE uses custom certificates. | Option | Description | | --- | --- | @@ -45,7 +45,7 @@ The following certificates must exist in the certificate directory. If you want to create and sign the certificates by a real Certificate Authority (CA), you can use RKE to generate a set of Certificate Signing Requests (CSRs) and keys. Using the `rke cert generate-csr` command, you can generate the CSRs and keys. -1. Set up your `cluster.yml` with the [node information]({{< baseurl >}}/rke/latest/en/config-options/nodes/). +1. Set up your `cluster.yml` with the [node information]({{}}/rke/latest/en/config-options/nodes/). 2. Run `rke cert generate-csr` to generate certificates for the node(s) in the `cluster.yml`. By default, the CSRs and keys will be saved in `./cluster_certs`. To have them saved in a different directory, use `--cert-dir` to define what directory to have them saved in. diff --git a/content/rke/latest/en/managing-clusters/_index.md b/content/rke/latest/en/managing-clusters/_index.md index 5f0b6422df9..5cb87f3a6d4 100644 --- a/content/rke/latest/en/managing-clusters/_index.md +++ b/content/rke/latest/en/managing-clusters/_index.md 
@@ -8,7 +8,7 @@ aliases: ### Adding/Removing Nodes -RKE supports adding/removing [nodes]({{< baseurl >}}/rke/latest/en/config-options/nodes/) for worker and controlplane hosts. +RKE supports adding/removing [nodes]({{}}/rke/latest/en/config-options/nodes/) for worker and controlplane hosts. In order to add additional nodes, you update the original `cluster.yml` file with any additional nodes and specify their role in the Kubernetes cluster. @@ -26,7 +26,7 @@ You can add/remove only worker nodes, by running `rke up --update-only`. This wi In order to remove the Kubernetes components from nodes, you use the `rke remove` command. -> **Warning:** This command is irreversible and will destroy the Kubernetes cluster, including etcd snapshots on S3. If there is a disaster and your cluster is inaccessible, refer to the process for [restoring your cluster from a snapshot]({{< baseurl >}}/rke/latest/en/etcd-snapshots/#etcd-disaster-recovery). +> **Warning:** This command is irreversible and will destroy the Kubernetes cluster, including etcd snapshots on S3. If there is a disaster and your cluster is inaccessible, refer to the process for [restoring your cluster from a snapshot]({{}}rke/latest/en/etcd-snapshots/#etcd-disaster-recovery). The `rke remove` command does the following to each node in the `cluster.yml`: diff --git a/content/rke/latest/en/os/_index.md b/content/rke/latest/en/os/_index.md index d9da146c135..9c09b13e0b8 100644 --- a/content/rke/latest/en/os/_index.md +++ b/content/rke/latest/en/os/_index.md 
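Review bot: In content/rke/latest/en/managing-clusters/_index.md, the rewritten link in the `rke remove` warning drops the slash after the shortcode: `({{}}rke/latest/en/etcd-snapshots/#etcd-disaster-recovery)`. Every other link rewritten in this patch keeps `/rke/...` directly after the shortcode, so depending on how the shortcode expands this one may render a broken URL. Restore the leading `/` so that the pointer to the etcd disaster-recovery procedure stays reachable from a warning about an irreversible command.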
@@ -31,7 +31,7 @@ weight: 5 RKE runs on almost any Linux OS with Docker installed. Most of the development and testing of RKE occurred on Ubuntu 16.04. However, some OS's have restrictions and specific requirements. -- [SSH user]({{< baseurl >}}/rke/latest/en/config-options/nodes/#ssh-user) - The SSH user used for node access must be a member of the `docker` group on the node: +- [SSH user]({{}}/rke/latest/en/config-options/nodes/#ssh-user) - The SSH user used for node access must be a member of the `docker` group on the node: ``` usermod -aG docker @@ -100,7 +100,7 @@ net.bridge.bridge-nf-call-iptables=1 ### Red Hat Enterprise Linux (RHEL) / Oracle Enterprise Linux (OEL) / CentOS -If using Red Hat Enterprise Linux, Oracle Enterprise Linux or CentOS, you cannot use the `root` user as [SSH user]({{< baseurl >}}/rke/latest/en/config-options/nodes/#ssh-user) due to [Bugzilla 1527565](https://bugzilla.redhat.com/show_bug.cgi?id=1527565). Please follow the instructions below how to setup Docker correctly, based on the way you installed Docker on the node. +If using Red Hat Enterprise Linux, Oracle Enterprise Linux or CentOS, you cannot use the `root` user as [SSH user]({{}}/rke/latest/en/config-options/nodes/#ssh-user) due to [Bugzilla 1527565](https://bugzilla.redhat.com/show_bug.cgi?id=1527565). Please follow the instructions below how to setup Docker correctly, based on the way you installed Docker on the node. #### Using upstream Docker If you are using upstream Docker, the package name is `docker-ce` or `docker-ee`. You can check the installed package by executing: diff --git a/content/rke/latest/en/troubleshooting/_index.md b/content/rke/latest/en/troubleshooting/_index.md index fa39cdc4053..c05e95884df 100644 --- a/content/rke/latest/en/troubleshooting/_index.md +++ b/content/rke/latest/en/troubleshooting/_index.md 
@@ -3,5 +3,5 @@ title: Troubleshooting weight: 400 --- -* [SSH Connectivity Errors]({{< baseurl >}}/rke/latest/en/troubleshooting/ssh-connectivity-errors/) -* [Provisioning Errors]({{< baseurl >}}/rke/latest/en/troubleshooting/provisioning-errors/) +* [SSH Connectivity Errors]({{}}/rke/latest/en/troubleshooting/ssh-connectivity-errors/) +* [Provisioning Errors]({{}}/rke/latest/en/troubleshooting/provisioning-errors/) diff --git a/content/rke/latest/en/troubleshooting/provisioning-errors/_index.md b/content/rke/latest/en/troubleshooting/provisioning-errors/_index.md index 71cabddb9cc..a9867b3271a 100644 --- a/content/rke/latest/en/troubleshooting/provisioning-errors/_index.md +++ b/content/rke/latest/en/troubleshooting/provisioning-errors/_index.md @@ -5,7 +5,7 @@ weight: 200 ### Failed to get job complete status -Most common reason for this error is that a node is having issues that block the deploy job from completing successfully. See [Get node conditions]({{< baseurl >}}/rancher/v2.x/en/troubleshooting/kubernetes-resources/#get-node-conditions) how to check node conditions. +Most common reason for this error is that a node is having issues that block the deploy job from completing successfully. See [Get node conditions]({{}}/rancher/v2.x/en/troubleshooting/kubernetes-resources/#get-node-conditions) how to check node conditions. You can also retrieve the log from the job to see if it has an indication of the error, make sure you replace `rke-network-plugin-deploy-job` with the job name from the error: diff --git a/content/rke/latest/en/upgrades/_index.md b/content/rke/latest/en/upgrades/_index.md index 5e47ee6ab09..c080194433c 100644 --- a/content/rke/latest/en/upgrades/_index.md +++ b/content/rke/latest/en/upgrades/_index.md 
@@ -3,7 +3,7 @@ title: Upgrades weight: 100 --- -After RKE has deployed Kubernetes, you can upgrade the versions of the components in your Kubernetes cluster, the [definition of the Kubernetes services]({{< baseurl >}}/rke/latest/en/config-options/services/) or the [add-ons]({{< baseurl >}}/rke/latest/en/config-options/add-ons/). +After RKE has deployed Kubernetes, you can upgrade the versions of the components in your Kubernetes cluster, the [definition of the Kubernetes services]({{}}/rke/latest/en/config-options/services/) or the [add-ons]({{}}/rke/latest/en/config-options/add-ons/). The default Kubernetes version for each RKE version can be found in [the RKE release notes](https://github.com/rancher/rke/releases/). @@ -27,7 +27,7 @@ This page covers the following topics: ### Prerequisites - Ensure that any `system_images` configuration is absent from the `cluster.yml`. The Kubernetes version should only be listed under the `system_images` directive if an [unsupported version](#using-an-unsupported-kubernetes-version) is being used. Refer to [Kubernetes version precedence](#kubernetes-version-precedence) for more information. -- Ensure that the correct files to manage [Kubernetes cluster state]({{< baseurl >}}/rke/latest/en/installation/#kubernetes-cluster-state) are present in the working directory. Refer to the tabs below for the required files, which differ based on the RKE version. +- Ensure that the correct files to manage [Kubernetes cluster state]({{}}/rke/latest/en/installation/#kubernetes-cluster-state) are present in the working directory. Refer to the tabs below for the required files, which differ based on the RKE version. {{% tabs %}} {{% tab "RKE v0.2.0+" %}} 
@@ -86,7 +86,7 @@ As of v0.2.0, if a version is defined in `kubernetes_version` and is not found i Prior to v0.2.0, if a version is defined in `kubernetes_version` and is not found in the specific list of supported Kubernetes versions, the default version from the supported list is used. -If you want to use a different version from the supported list, please use the [system images]({{< baseurl >}}/rke/latest/en/config-options/system-images/) option. +If you want to use a different version from the supported list, please use the [system images]({{}}/rke/latest/en/config-options/system-images/) option. ### Mapping the Kubernetes Version to Services @@ -98,7 +98,7 @@ For RKE prior to v0.3.0, the service defaults are located [here](https://github. ### Service Upgrades -[Services]({{< baseurl >}}/rke/latest/en/config-options/services/) can be upgraded by changing any of the services arguments or `extra_args` and running `rke up` again with the updated configuration file. +[Services]({{}}/rke/latest/en/config-options/services/) can be upgraded by changing any of the services arguments or `extra_args` and running `rke up` again with the updated configuration file. > **Note:** The following arguments, `service_cluster_ip_range` or `cluster_cidr`, cannot be changed as any changes to these arguments will result in a broken cluster. Currently, network pods are not automatically upgraded. @@ -106,4 +106,4 @@ For RKE prior to v0.3.0, the service defaults are located [here](https://github. As of v0.1.8, upgrades to add-ons are supported. -[Add-ons]({{< baseurl >}}/rke/latest/en/config-options/add-ons/) can also be upgraded by changing any of the add-ons and running `rke up` again with the updated configuration file. +[Add-ons]({{}}/rke/latest/en/config-options/add-ons/) can also be upgraded by changing any of the add-ons and running `rke up` again with the updated configuration file. From 1755a970dead51f5086e8d0515fdc345e3be9f45 Mon Sep 17 00:00:00 2001 
From: Catherine Luse Date: Tue, 11 Feb 2020 16:14:49 -0700 Subject: [PATCH 067/183] Add K3s to overview of Rancher installation options --- .../rancher/v2.x/en/installation/_index.md | 36 +++++++++++++------ .../rancher/v2.x/en/system-tools/_index.md | 2 +- 2 files changed, 26 insertions(+), 12 deletions(-) diff --git a/content/rancher/v2.x/en/installation/_index.md b/content/rancher/v2.x/en/installation/_index.md index 234d9457590..611beca8ccb 100644 --- a/content/rancher/v2.x/en/installation/_index.md +++ b/content/rancher/v2.x/en/installation/_index.md 
@@ -10,28 +10,39 @@ This section provides an overview of the architecture options of installing Ranc In this section, -**The Rancher server** manages and provisions Kubernetes clusters. You can interact with downstream Kubernetes clusters through the Rancher server's user interface. - -**RKE (Rancher Kubernetes Engine)** is a certified Kubernetes distribution and CLI/library which creates and manages a Kubernetes cluster. When you create a cluster in the Rancher UI, it calls RKE as a library to provision Rancher-launched Kubernetes clusters. +- **The Rancher server** manages and provisions Kubernetes clusters. You can interact with downstream Kubernetes clusters through the Rancher server's user interface. +- **RKE (Rancher Kubernetes Engine)** is a certified Kubernetes distribution and CLI/library which creates and manages a Kubernetes cluster. When you create a cluster in the Rancher UI, it calls RKE as a library to provision Rancher-launched Kubernetes clusters. +- **K3s (5 less than K8s)** is also a fully compliant Kubernetes distribution. It is newer than RKE, easier to use, and more lightweight, with a binary size of less than 40 MB. As of Rancher v2.4, Rancher can be installed on a K3s cluster. ### Overview of Installation Options -If you use Rancher to deploy Kubernetes clusters, it is important to ensure that the Rancher server doesn't fail, because if it goes down, you could lose access to the Kubernetes clusters that are managed by Rancher. For that reason, we recommend that for a production-grade architecture, you should set up a Kubernetes cluster with RKE, then install Rancher on it. After Rancher is installed, you can use Rancher to deploy and manage Kubernetes clusters. +If you use Rancher to deploy Kubernetes clusters, it is important to ensure that the Rancher server doesn't fail, because if it goes down, you could lose access to the Kubernetes clusters that are managed by Rancher. 
For that reason, we recommend that for a production-grade architecture, you should set up a high-availability Kubernetes cluster with RKE, then install Rancher on it. After Rancher is installed, you can use Rancher to deploy and manage Kubernetes clusters. For testing or demonstration purposes, you can install Rancher in single Docker container. In this installation, you can use Rancher to set up Kubernetes clusters out-of-the-box. -Our [instructions for installing Rancher on Kubernetes]({{}}/rancher/v2.x/en/installation/k8s-install) describe how to first use RKE to create and manage a cluster, then install Rancher onto that cluster. For this type of architecture, you will need to deploy three nodes - typically virtual machines - in the infrastructure provider of your choice. You will also need to configure a load balancer to direct front-end traffic to the three nodes. When the nodes are running and fulfill the [node requirements,]({{}}/rancher/v2.x/en/installation/requirements) you can use RKE to deploy Kubernetes onto them, then use Helm to deploy Rancher onto Kubernetes. +Our [instructions for installing Rancher on Kubernetes]({{}}/rancher/v2.x/en/installation/k8s-install) describe how to first use K3s or RKE to create and manage a Kubernetes cluster, then install Rancher onto that cluster. + +For a high-availability K3s cluster, we recommend setting up the following infrastructure: + +- **Two Linux nodes,** typically virtual machines, in the infrastructure provider of your choice +- **A load balancer** to direct traffic to the two nodes. +- **An external database** to store the cluster data. PostgreSQL, MySQL, and etcd are supported. + +For a high-availability RKE cluster, we recommend setting up the following infrastructure: + +- **Three Linux nodes,** typically virtual machines, in the infrastructure provider of your choice. +- **A load balancer** to direct front-end traffic to the three nodes. 
+ +When the nodes in your Kubernetes cluster are running and fulfill the [node requirements,]({{}}/rancher/v2.x/en/installation/requirements) you will use RKE or K3s to deploy Kubernetes onto them. Then you will use Helm to deploy Rancher onto Kubernetes. For a longer discussion of Rancher architecture, refer to the [architecture overview,]({{}}/rancher/v2.x/en/overview/architecture) [recommendations for production-grade architecture,]({{}}/rancher/v2.x/en/overview/architecture-recommendations) or our [best practices guide.]({{}}/rancher/v2.x/en/best-practices/deployment-types) -Rancher can be installed on these main architectures: +To summarize, Rancher can be installed on these main architectures: -- **High-availability Kubernetes Install:** We recommend using [Helm,]({{}}/rancher/v2.x/en/overview/concepts/#about-helm) a Kubernetes package manager, to install Rancher on a dedicated Kubernetes cluster. We recommend using three nodes in the cluster because increased availability is achieved by running Rancher on multiple nodes. +- **High-availability Kubernetes Install:** We recommend using [Helm,]({{}}/rancher/v2.x/en/overview/concepts/#about-helm) a Kubernetes package manager, to install Rancher on multiple nodes on a dedicated Kubernetes cluster. For RKE clusters, three nodes are required to achieve a high-availability cluster. For K3s clusters, only two nodes are required. - **Single-node Kubernetes Install:** Another option is to install Rancher with Helm on a Kubernetes cluster, but to only use a single node in the cluster. In this case, the Rancher server doesn't have high availability, which is important for running Rancher in production. However, this option is useful if you want to save resources by using a single node in the short term, while preserving a high-availability migration path. In the future, you can add nodes to the cluster to get a high-availability Rancher server. 
- **Docker Install:** For test and demonstration purposes, Rancher can be installed with Docker on a single node. This installation works out-of-the-box, but there is no migration path from a Docker installation to a high-availability installation on a Kubernetes cluster. Therefore, you may want to use a Kubernetes installation from the start. -The single-node Kubernetes install is achieved by describing only one node in the `cluster.yml` when provisioning the Kubernetes cluster with RKE. The single node should have all three roles: `etcd`, `controlplane`, and `worker`. Then Rancher can be installed with Helm on the cluster in the same way that it would be installed on any other cluster. - There are also separate instructions for installing Rancher in an air gap environment or behind an HTTP proxy: | Level of Internet Access | Kubernetes Installation - Strongly Recommended | Docker Installation | 
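Review bot: The new K3s infrastructure list and the summary bullet ("For K3s clusters, only two nodes are required") present two nodes plus an external database as a high-availability setup, but nothing in the added text says the database itself has to be highly available. Since that datastore holds the cluster data, it becomes a single point of failure unless it is replicated; suggest stating this on the "An external database" item. The hunk also removes the paragraph explaining that a single-node Kubernetes install is described by listing one node with all three roles in `cluster.yml`, which leaves the "Single-node Kubernetes Install" bullet without instructions and without a K3s equivalent. Minor: the first K3s bullet lacks the closing period that the other list items have.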
@@ -57,11 +68,14 @@ Refer to the [Helm chart options]({{}}/rancher/v2.x/en/installation/opt - With [TLS termination on a load balancer]({{}}/rancher/v2.x/en/installation/options/chart-options/#external-tls-termination) - With a [custom Ingress]({{}}/rancher/v2.x/en/installation/options/chart-options/#customizing-your-ingress) -In the Rancher installation instructions, we recommend using RKE (Rancher Kubernetes Engine) to set up a Kubernetes cluster before installing Rancher on the cluster. RKE has many configuration options for customizing the Kubernetes cluster to suit your specific environment. Please see the [RKE Documentation]({{}}/rke/latest/en/config-options/) for the full list of options and capabilities. +In the Rancher installation instructions, we recommend using K3s or RKE to set up a Kubernetes cluster before installing Rancher on the cluster. Both K3s and RKE have many configuration options for customizing the Kubernetes cluster to suit your specific environment. For the full list of their capabilities, refer to their documentation: + +- [RKE configuration options]({{}}/rke/latest/en/config-options/) +- [K3s configuration options]({{}}/k3s/latest/en/installation/install-options/) ### More Options for Installations with Docker -Refer to the [Docker installation docs]({{}}/rancher/v2.x/en/installation/other-installation-methods/single-node-docker) for details other configurations including: +Refer to the [Docker installation docs]({{}}/rancher/v2.x/en/installation/other-installation-methods/single-node-docker) for details about other configurations including: - With [API auditing to record all transactions]({{}}/rancher/v2.x/en/installation/other-installation-methods/single-node-docker/#api-audit-log) - With an [external load balancer]({{}}/rancher/v2.x/en/installation/other-installation-methods/single-node-docker/single-node-install-external-lb/) 
diff --git a/content/rancher/v2.x/en/system-tools/_index.md b/content/rancher/v2.x/en/system-tools/_index.md index a34bc1a9b8d..257f73cf171 100644 --- a/content/rancher/v2.x/en/system-tools/_index.md +++ b/content/rancher/v2.x/en/system-tools/_index.md @@ -3,7 +3,7 @@ title: System Tools weight: 6001 --- -System Tools is a tool to perform operational tasks on [Rancher Launched Kubernetes]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/) clusters or [RKE cluster as used for installing Rancher on Kubernetes]({{}}/rancher/v2.x/en/installation/k8s-install/kubernetes-rke/). The tasks include: +System Tools is a tool to perform operational tasks on [Rancher Launched Kubernetes]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/) clusters or [installations of Rancher on an RKE cluster.]({{}}/rancher/v2.x/en/installation/k8s-install/kubernetes-rke/) The tasks include: * Collect logging and system metrics from nodes. * Remove Kubernetes resources created by Rancher. From c8866d4a9a629d8afee116702fd7d32b667dac42 Mon Sep 17 00:00:00 2001 From: Catherine Luse Date: Wed, 12 Feb 2020 18:16:23 -0700 Subject: [PATCH 068/183] Update port requirements for Rancher on K3s --- .../en/installation/requirements/_index.md | 83 +++++++++++++++---- .../installation/requirements/ports/_index.md | 75 ++++++++++++++++- 2 files changed, 139 insertions(+), 19 deletions(-) diff --git a/content/rancher/v2.x/en/installation/requirements/_index.md b/content/rancher/v2.x/en/installation/requirements/_index.md index 65c9a808a6a..4afebe9277f 100644 --- a/content/rancher/v2.x/en/installation/requirements/_index.md +++ b/content/rancher/v2.x/en/installation/requirements/_index.md 
@@ -92,13 +92,65 @@ Each node used should have a static IP configured, regardless of whether you are This section describes the port requirements for nodes running the `rancher/rancher` container. -The port requirements are different depending on whether you are installing Rancher on a single node or on a high-availability Kubernetes cluster. - -- **For a Docker installation,** you only need to open the ports required to enable Rancher to communicate with downstream user clusters. -- **For a high-availability installation,** the same ports need to be opened, as well as additional ports required to set up the Kubernetes cluster that Rancher is installed on. +The port requirements are different depending on whether you are installing Rancher on a K3s cluster, on an RKE cluster, or in a single Docker container. {{% tabs %}} -{{% tab "Kubernetes Install Port Requirements" %}} +{{% tab "K3s" %}} +### Ports for Communication with Downstream Clusters + +To communicate with downstream clusters, Rancher requires different ports to be open depending on the infrastructure you are using. + +For example, if you are deploying Rancher on nodes hosted by an infrastructure provider, port `22` must be open for SSH. + +The following diagram depicts the ports that are opened for each [cluster type]({{}}/rancher/v2.x/en/cluster-provisioning). + +
    Port Requirements for the Rancher Management Plane
    + +![Basic Port Requirements]({{}}/img/rancher/port-communications.svg) + +The following tables break down the port requirements for inbound and outbound traffic: + +
    Inbound Rules for Rancher Nodes
    + +| Protocol | Port | Source | Description | +| -------- | ---- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------- | +| TCP | 80 | Load balancer/proxy that does external SSL termination | Rancher UI/API when external SSL termination is used | +| TCP | 443 |
    • server nodes
    • agent nodes
    • hosted/imported Kubernetes
    • any source that needs to be able to use the Rancher UI or API
    | Rancher agent, Rancher UI/API, kubectl | + +
    Outbound Rules for Rancher Nodes
    + +| Protocol | Port | Destination | Description | +| -------- | ---- | -------------------------------------------------------- | --------------------------------------------- | +| TCP | 22 | Any node IP from a node created using Node Driver | SSH provisioning of nodes using Node Driver | +| TCP | 443 | `35.160.43.145/32`, `35.167.242.46/32`, `52.33.59.17/32` | git.rancher.io (catalogs) | +| TCP | 2376 | Any node IP from a node created using Node driver | Docker daemon TLS port used by Docker Machine | +| TCP | 6443 | Hosted/Imported Kubernetes API | Kubernetes API server | + +**Note** Rancher nodes may also require additional outbound access for any external [authentication provider]({{}}/rancher/v2.x/en/admin-settings/authentication/) which is configured (LDAP for example). + +### Additional Port Requirements for Nodes in a K3s Kubernetes Cluster + +You will need to open additional ports to launch the Kubernetes cluster that is required for a high-availability installation of Rancher. + +The K3s server needs port 6443 to be accessible by the nodes. + +The nodes need to be able to reach other nodes over UDP port 8472 when Flannel VXLAN is used. The node should not listen on any other port. K3s uses reverse tunneling such that the nodes make outbound connections to the server and all kubelet traffic runs through that tunnel. However, if you do not use Flannel and provide your own custom CNI, then port 8472 is not needed by K3s. + +If you wish to utilize the metrics server, you will need to open port 10250 on each node. + +> **Important:** The VXLAN port on nodes should not be exposed to the world as it opens up your cluster network to be accessed by anyone. Run your nodes behind a firewall/security group that disables access to port 8472. + +
    Inbound Rules for Rancher Server Nodes
    + +| Protocol | Port | Source | Description +|-----|-----|----------------|---| +| TCP | 6443 | K3s server nodes | Kubernetes API +| UDP | 8472 | K3s server and agent nodes | Required only for Flannel VXLAN +| TCP | 10250 | K3s server and agent nodes | kubelet + +Typically all outbound traffic is allowed. +{{% /tab %}} +{{% tab "RKE" %}} ### Ports for Communication with Downstream Clusters To communicate with downstream clusters, Rancher requires different ports to be open depending on the infrastructure you are using. 
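Review bot: In the K3s tab, the "Inbound Rules for Rancher Server Nodes" table gives the source for TCP 6443 as "K3s server nodes", while the paragraph above it says the server needs 6443 "to be accessible by the nodes"; if agent nodes connect to the server on that port, the source should read "K3s server and agent nodes" like the other two rows. The same section states "The node should not listen on any other port" and then requires 10250 for the metrics server, so that sentence needs a qualifier. The Important note asks for a firewall that "disables access to port 8472" although the table requires UDP 8472 between cluster nodes; wording such as "restricts port 8472 to the cluster nodes" would match the table. The rows of this table also lack the trailing `|` used by the other tables in the file.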
@@ -131,11 +183,13 @@ The following tables break down the port requirements for inbound and outbound t **Note** Rancher nodes may also require additional outbound access for any external [authentication provider]({{}}/rancher/v2.x/en/admin-settings/authentication/) which is configured (LDAP for example). -### Additional Port Requirements for Nodes in an HA/Kubernetes Cluster +### Additional Port Requirements for Nodes in an RKE Kubernetes Cluster -You will need to open additional ports to launch the Kubernetes cluster that are required for a high-availability installation of Rancher. +You will need to open additional ports to launch the Kubernetes cluster that is required for a high-availability installation of Rancher. -If you follow the Rancher installation documentation for setting up a Kubernetes cluster using RKE, you will set up a cluster in which all three nodes have all three roles: etcd, controlplane, and worker. In that case, you can refer to this list of requirements for each node with all three roles: +If you follow the Rancher installation documentation for setting up a Kubernetes cluster using RKE, you will set up a cluster in which all three nodes have all three roles: etcd, controlplane, and worker. In that case, you can refer to this list of requirements for each node with all three roles. + +If you installed Rancher on a Kubernetes cluster that doesn't have all three roles on each node, refer to the [port requirements for the Rancher Kubernetes Engine (RKE).]({{}}/rke/latest/en/os/#ports) The RKE docs show a breakdown of the port requirements for each role.
    Inbound Rules for Nodes with All Three Roles: etcd, Controlplane, and Worker
    @@ -170,14 +224,13 @@ TCP | 9099 | the node itself (local traffic, not across nodes) | Canal/Flannel l TCP | 10250 | etcd nodes, controlplane nodes, and worker nodes | kubelet | TCP | 10254 | the node itself (local traffic, not across nodes) | Ingress controller livenessProbe/readinessProbe -The ports that need to be opened for each node depend on the node's Kubernetes role: etcd, controlplane, or worker. If you installed Rancher on a Kubernetes cluster that doesn't have all three roles on each node, refer to the [port requirements for the Rancher Kubernetes Engine (RKE).]({{}}/rke/latest/en/os/#ports) The RKE docs show a breakdown of the port requirements for each role. {{% /tab %}} -{{% tab "Single Node Port Requirements" %}} +{{% tab "Docker" %}} ### Ports for Communication with Downstream Clusters -To communicate with downstream clusters, Rancher requires different ports to be open depending on the infrastructure you are using. +For a Docker installation, you only need to open the ports required to enable Rancher to communicate with downstream user clusters. -For example, if you are deploying Rancher on nodes hosted by an infrastructure provider, port `22` must be open for SSH. +The port requirements depend on the infrastructure you are using. For example, if you are deploying Rancher on nodes hosted by an infrastructure provider, port `22` must be open for SSH. The following diagram depicts the ports that are opened for each [cluster type]({{}}/rancher/v2.x/en/cluster-provisioning). 
@@ -185,12 +238,12 @@ The following diagram depicts the ports that are opened for each [cluster type]( ![Basic Port Requirements]({{}}/img/rancher/port-communications.svg) -The following tables break down the port requirements for inbound and outbound traffic: +The following tables break down the port requirements for Rancher nodes, for inbound and outbound traffic: **Note** Rancher nodes may also require additional outbound access for any external [authentication provider]({{}}/rancher/v2.x/en/admin-settings/authentication/) which is configured (LDAP for example). -
    Inbound Rules for Rancher Nodes
    +
    Inbound Rules
    | Protocol | Port | Source | Description | | -------- | ---- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------- | @@ -198,7 +251,7 @@ The following tables break down the port requirements for inbound and outbound t | TCP | 443 |
    • etcd nodes
    • controlplane nodes
    • worker nodes
    • hosted/imported Kubernetes
    • any source that needs to be able to use the Rancher UI or API
    | Rancher agent, Rancher UI/API, kubectl | -
    Outbound Rules for Rancher Nodes
    +
    Outbound Rules
    | Protocol | Port | Source | Description | | -------- | ---- | -------------------------------------------------------- | --------------------------------------------- | diff --git a/content/rancher/v2.x/en/installation/requirements/ports/_index.md b/content/rancher/v2.x/en/installation/requirements/ports/_index.md index 7a2a7ec8dce..26278915bf0 100644 --- a/content/rancher/v2.x/en/installation/requirements/ports/_index.md +++ b/content/rancher/v2.x/en/installation/requirements/ports/_index.md 
@@ -8,15 +8,82 @@ To operate properly, Rancher requires a number of ports to be open on Rancher no ## Rancher Nodes -The following table lists the ports that need to be open to and from nodes that are running the Rancher server container for [Docker installs]({{}}/rancher/v2.x/en/installation/single-node-install/) or pods for [installing Rancher on Kubernetes]({{}}/rancher/v2.x/en/installation/k8s-install/). +The following table lists the ports that need to be open to and from nodes that are running the Rancher server. -{{< ports-rancher-nodes >}} +The port requirements differ based on whether Rancher is installed in a K3s Kubernetes cluster, an RKE Kubernetes cluster, or a single Docker container. -**Note** Rancher nodes may also require additional outbound access for any external authentication provider which is configured (LDAP for example). +{{% tabs %}} +{{% tab "K3s" %}} + +The K3s server needs port 6443 to be accessible by the nodes. + +The nodes need to be able to reach other nodes over UDP port 8472 when Flannel VXLAN is used. The node should not listen on any other port. K3s uses reverse tunneling such that the nodes make outbound connections to the server and all kubelet traffic runs through that tunnel. However, if you do not use Flannel and provide your own custom CNI, then port 8472 is not needed by K3s. + +If you wish to utilize the metrics server, you will need to open port 10250 on each node. + +> **Important:** The VXLAN port on nodes should not be exposed to the world as it opens up your cluster network to be accessed by anyone. Run your nodes behind a firewall/security group that disables access to port 8472. + +
    Inbound Rules for Rancher Server Nodes
    + +| Protocol | Port | Source | Description +|-----|-----|----------------|---| +| TCP | 6443 | K3s server nodes | Kubernetes API +| UDP | 8472 | K3s server and agent nodes | Required only for Flannel VXLAN. +| TCP | 10250 | K3s server and agent nodes | kubelet + +Typically all outbound traffic is allowed. + +{{% /tab %}} +{{% tab "RKE" %}} +
    Inbound Rules for Rancher Nodes
    + +| Protocol | Port | Source | Description | +|-----|-----|----------------|---| +| TCP | 80 | Load Balancer/Reverse Proxy | HTTP traffic to Rancher UI/API | +| TCP | 443 |
    • Load Balancer/Reverse Proxy
    • IPs of all cluster nodes and other API/UI clients
    | HTTPS traffic to Rancher UI/API | + +
    Outbound Rules for Rancher Nodes
    + +| Protocol | Port | Destination | Description | +|-----|-----|----------------|---| +| TCP | 443 | `35.160.43.145`,`35.167.242.46`,`52.33.59.17` | Rancher catalog (git.rancher.io) | +| TCP | 22 | Any node created using a node driver | SSH provisioning of node by node driver | +| TCP | 2376 | Any node created using a node driver | Docker daemon TLS port used by node driver | +| TCP | Provider dependent | Port of the Kubernetes API endpoint in hosted cluster | Kubernetes API | + +{{% /tab %}} +{{% tab "Docker" %}} + +
    Inbound Rules for Rancher Node
    + +| Protocol | Port | Source | Description +|-----|-----|----------------|---| +| TCP | 80 | Load balancer/proxy that does external SSL termination | Rancher UI/API when external SSL termination is used +| TCP | 443 |
    • hosted/imported Kubernetes
    • any source that needs to be able to use the Rancher UI or API
    | Rancher agent, Rancher UI/API, kubectl + +
    Outbound Rules for Rancher Node
    + +| Protocol | Port | Source | Description | +|-----|-----|----------------|---| +| TCP | 22 | Any node IP from a node created using Node Driver | SSH provisioning of nodes using Node Driver | +| TCP | 443 | `35.160.43.145/32`,`35.167.242.46/32`,`52.33.59.17/32` | git.rancher.io (catalogs) | +| TCP | 2376 | Any node IP from a node created using a node driver | Docker daemon TLS port used by Docker Machine | +| TCP | 6443 | Hosted/Imported Kubernetes API | Kubernetes API server | + +{{% /tab %}} +{{% /tabs %}} + +> **Notes:** +> +> - Rancher nodes may also require additional outbound access for any external authentication provider which is configured (LDAP for example). +> - Kubernetes recommends TCP 30000-32767 for node port services. +> - For firewalls, traffic may need to be enabled within the cluster and pod CIDR. ## Downstream Kubernetes Cluster Nodes -The ports required to be open for cluster nodes changes depending on how the cluster was launched. Each of the tabs below list the ports that need to be opened for different [cluster creation options]({{}}/rancher/v2.x/en/cluster-provisioning/#cluster-creation-options). +Downstream Kubernetes clusters run your apps and services. This section describes what ports need to be opened on the nodes in downstream clusters so that Rancher can communicate with them. + +The port requirements differ depending on how the downstream cluster was launched. Each of the tabs below list the ports that need to be opened for different [cluster types]({{}}/rancher/v2.x/en/cluster-provisioning/#cluster-creation-options). >**Tip:** > From fc2201f34fd5acafdd93349a5675b55ec5e37289 Mon Sep 17 00:00:00 2001 
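Review bot: In the new K3s tab of ports/_index.md, the prose says "The K3s server needs port 6443 to be accessible by the nodes", but the inbound table gives the source for TCP 6443 as "K3s server nodes" only, while the 8472 and 10250 rows say "K3s server and agent nodes"; the table should name the same sources as the sentence, since the table is what gets copied into a security group. The K3s table also has no rows for TCP 80/443, which the RKE and Docker tabs list for the Rancher UI/API, so say whether that omission is intended. In the Docker tab, the outbound table's third column is headed "Source" although its entries are destinations (the RKE tab uses "Destination"), and the catalog IPs are written with `/32` in one tab and without it in the other.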
From: Catherine Luse Date: Thu, 13 Feb 2020 21:59:17 -0700 Subject: [PATCH 069/183] Explain K3s Rancher install --- content/_index.html | 2 +- content/k3s/latest/en/_index.md | 2 +- .../rancher/v2.x/en/installation/_index.md | 27 ++-- .../en/installation/k8s-install/_index.md | 29 +--- .../k8s-install/create-nodes-lb/_index.md | 101 ++++++++++-- .../create-nodes-lb/ec2-node/_index.md | 62 ++++++++ .../create-nodes-lb/nginx/_index.md | 9 +- .../k8s-install/create-nodes-lb/nlb/_index.md | 2 + .../k8s-install/create-nodes-lb/rds/_index.md | 34 ++++ .../k8s-install/helm-rancher/_index.md | 15 +- .../k8s-install/kubernetes-rke/_index.md | 146 +++++++++++++++--- .../en/installation/requirements/_index.md | 8 +- 12 files changed, 356 insertions(+), 81 deletions(-) create mode 100644 content/rancher/v2.x/en/installation/k8s-install/create-nodes-lb/ec2-node/_index.md create mode 100644 content/rancher/v2.x/en/installation/k8s-install/create-nodes-lb/rds/_index.md diff --git a/content/_index.html b/content/_index.html index fd31063084b..ccad7160a18 100644 --- a/content/_index.html +++ b/content/_index.html @@ -215,7 +215,7 @@
    -

    Lightweight Kubernetes. Easy to install, half the memory, all in a binary less than 40mb.

    +

    Lightweight Kubernetes. Easy to install, half the memory, all in a binary less than 50mb.

    diff --git a/content/k3s/latest/en/_index.md b/content/k3s/latest/en/_index.md index a1b0508c132..2b47eee622b 100644 --- a/content/k3s/latest/en/_index.md +++ b/content/k3s/latest/en/_index.md @@ -4,7 +4,7 @@ shortTitle: K3s name: "menu" --- -Lightweight Kubernetes. Easy to install, half the memory, all in a binary less than 50mb. +Lightweight Kubernetes. Easy to install, half the memory, all in a binary of less than 50mb. Great for: diff --git a/content/rancher/v2.x/en/installation/_index.md b/content/rancher/v2.x/en/installation/_index.md index 611beca8ccb..205bdd57c56 100644 --- a/content/rancher/v2.x/en/installation/_index.md +++ b/content/rancher/v2.x/en/installation/_index.md @@ -2,6 +2,8 @@ title: Installing Rancher description: Learn how to install Rancher in development and production environments. Read about single node and high availability installation weight: 50 +aliases: + - /rancher/v2.x/en/installation/how-ha-works/ --- This section provides an overview of the architecture options of installing Rancher, describing advantages of each option. 
@@ -11,29 +13,20 @@ This section provides an overview of the architecture options of installing Ranc In this section, - **The Rancher server** manages and provisions Kubernetes clusters. You can interact with downstream Kubernetes clusters through the Rancher server's user interface. -- **RKE (Rancher Kubernetes Engine)** is a certified Kubernetes distribution and CLI/library which creates and manages a Kubernetes cluster. When you create a cluster in the Rancher UI, it calls RKE as a library to provision Rancher-launched Kubernetes clusters. -- **K3s (5 less than K8s)** is also a fully compliant Kubernetes distribution. It is newer than RKE, easier to use, and more lightweight, with a binary size of less than 40 MB. As of Rancher v2.4, Rancher can be installed on a K3s cluster. +- **RKE (Rancher Kubernetes Engine)** is a certified Kubernetes distribution and CLI/library which creates and manages a Kubernetes cluster. +- **K3s (5 less than K8s)** is also a fully compliant Kubernetes distribution. It is newer than RKE, easier to use, and more lightweight, with a binary size of less than 50 MB. As of Rancher v2.4, Rancher can be installed on a K3s cluster. ### Overview of Installation Options -If you use Rancher to deploy Kubernetes clusters, it is important to ensure that the Rancher server doesn't fail, because if it goes down, you could lose access to the Kubernetes clusters that are managed by Rancher. For that reason, we recommend that for a production-grade architecture, you should set up a high-availability Kubernetes cluster with RKE, then install Rancher on it. After Rancher is installed, you can use Rancher to deploy and manage Kubernetes clusters. +We recommend installing Rancher on a Kubernetes cluster, because in a multi-node cluster, the Rancher management server becomes highly available. This high-availability configuration helps maintain consistent access to the downstream Kubernetes clusters that Rancher will manage. 
-For testing or demonstration purposes, you can install Rancher in single Docker container. In this installation, you can use Rancher to set up Kubernetes clusters out-of-the-box. +For that reason, we recommend that for a production-grade architecture, you should set up a high-availability Kubernetes cluster, then install Rancher on it. After Rancher is installed, you can use Rancher to deploy and manage Kubernetes clusters. + +For testing or demonstration purposes, you can install Rancher in single Docker container. In this Docker install, you can use Rancher to set up Kubernetes clusters out-of-the-box. Our [instructions for installing Rancher on Kubernetes]({{}}/rancher/v2.x/en/installation/k8s-install) describe how to first use K3s or RKE to create and manage a Kubernetes cluster, then install Rancher onto that cluster. -For a high-availability K3s cluster, we recommend setting up the following infrastructure: - -- **Two Linux nodes,** typically virtual machines, in the infrastructure provider of your choice -- **A load balancer** to direct traffic to the two nodes. -- **An external database** to store the cluster data. PostgreSQL, MySQL, and etcd are supported. - -For a high-availability RKE cluster, we recommend setting up the following infrastructure: - -- **Three Linux nodes,** typically virtual machines, in the infrastructure provider of your choice. -- **A load balancer** to direct front-end traffic to the three nodes. - -When the nodes in your Kubernetes cluster are running and fulfill the [node requirements,]({{}}/rancher/v2.x/en/installation/requirements) you will use RKE or K3s to deploy Kubernetes onto them. Then you will use Helm to deploy Rancher onto Kubernetes. +When the nodes in your Kubernetes cluster are running and fulfill the [node requirements,]({{}}/rancher/v2.x/en/installation/requirements) you will use RKE or K3s to deploy Kubernetes onto them. Then you will use Helm to deploy Rancher onto Kubernetes. 
Helm uses Rancher's Helm chart to install a replica of Rancher on each node in the Kubernetes cluster. We recommend using a load balancer to direct traffic to each replica of Rancher in the cluster. For a longer discussion of Rancher architecture, refer to the [architecture overview,]({{}}/rancher/v2.x/en/overview/architecture) [recommendations for production-grade architecture,]({{}}/rancher/v2.x/en/overview/architecture-recommendations) or our [best practices guide.]({{}}/rancher/v2.x/en/best-practices/deployment-types) @@ -75,7 +68,7 @@ In the Rancher installation instructions, we recommend using K3s or RKE to set u ### More Options for Installations with Docker -Refer to the [Docker installation docs]({{}}/rancher/v2.x/en/installation/other-installation-methods/single-node-docker) for details about other configurations including: +Refer to the [docs about options for Docker installs]({{}}/rancher/v2.x/en/installation/other-installation-methods/single-node-docker) for details about other configurations including: - With [API auditing to record all transactions]({{}}/rancher/v2.x/en/installation/other-installation-methods/single-node-docker/#api-audit-log) - With an [external load balancer]({{}}/rancher/v2.x/en/installation/other-installation-methods/single-node-docker/single-node-install-external-lb/) diff --git a/content/rancher/v2.x/en/installation/k8s-install/_index.md b/content/rancher/v2.x/en/installation/k8s-install/_index.md index 36d6949e90d..cfbb0aa7643 100644 --- a/content/rancher/v2.x/en/installation/k8s-install/_index.md +++ b/content/rancher/v2.x/en/installation/k8s-install/_index.md 
@@ -16,37 +16,24 @@ If you only have one node, but you want to use the Rancher server in production One option is to install Rancher with Helm on a Kubernetes cluster, but to only use a single node in the cluster. In this case, the Rancher server does not have high availability, which is important for running Rancher in production. However, this option is useful if you want to save resources by using a single node in the short term, while preserving a high-availability migration path. In the future, you can add nodes to the cluster to get a high-availability Rancher server. -The single-node Kubernetes install can be achieved by describing only one node in the `cluster.yml` when provisioning the Kubernetes cluster with RKE. The single node would have all three roles: `etcd`, `controlplane`, and `worker`. Then Rancher would be installed with Helm on the cluster in the same way that it would be installed on any other cluster. +To set up a single-node RKE cluster, configure only one node in the `cluster.yml` . The single node should have all three roles: `etcd`, `controlplane`, and `worker`. + +To set up a single-node K3s cluster, run the Rancher server installation command on just one node instead of two nodes. + +In both single-node Kubernetes setups, Rancher can be installed with Helm on the Kubernetes cluster in the same way that it would be installed on any other cluster. ### Important Notes on Architecture -The Rancher management server can only be run on an RKE-managed Kubernetes cluster. Use of Rancher on hosted Kubernetes or other providers is not supported. +The Rancher management server can only be run on Kubernetes cluster in an infrastructure provider where Kubernetes is installed using K3s or RKE. Use of Rancher on hosted Kubernetes providers, such as EKS, is not supported. For the best performance and security, we recommend a dedicated Kubernetes cluster for the Rancher management server. Running user workloads on this cluster is not advised. 
After deploying Rancher, you can [create or import clusters]({{}}/rancher/v2.x/en/cluster-provisioning/#cluster-creation-in-rancher) for running your workloads. -We recommend the following architecture and configurations for the load balancer and Ingress controllers: - -- DNS for Rancher should resolve to a Layer 4 load balancer (TCP) -- The Load Balancer should forward port TCP/80 and TCP/443 to all 3 nodes in the Kubernetes cluster. -- The Ingress controller will redirect HTTP to HTTPS and terminate SSL/TLS on port TCP/443. -- The Ingress controller will forward traffic to port TCP/80 on the pod in the Rancher deployment. - -For more information on how a Kubernetes Installation works, refer to [this page.]({{}}/rancher/v2.x/en/installation/how-ha-works) - For information on how Rancher works, regardless of the installation method, refer to the [architecture section.]({{}}/rancher/v2.x/en/overview/architecture) -## Required CLI Tools - -The following CLI tools are required for this install. Please make sure these tools are installed and available in your `$PATH` - -- [kubectl](https://kubernetes.io/docs/tasks/tools/install-kubectl/#install-kubectl) - Kubernetes command-line tool. -- [rke]({{}}/rke/latest/en/installation/) - Rancher Kubernetes Engine, cli for building Kubernetes clusters. -- [helm](https://docs.helm.sh/using_helm/#installing-helm) - Package management for Kubernetes. Refer to the [Helm version requirements]({{}}/rancher/v2.x/en/installation/options/helm-version) to choose a version of Helm to install Rancher. 
- ## Installation Outline -- [Create Nodes and Load Balancer]({{}}/rancher/v2.x/en/installation/k8s-install/create-nodes-lb/) -- [Install Kubernetes with RKE]({{}}/rancher/v2.x/en/installation/k8s-install/kubernetes-rke/) +- [Set up Infrastructure]({{}}/rancher/v2.x/en/installation/k8s-install/create-nodes-lb/) +- [Set up a Kubernetes Cluster]({{}}/rancher/v2.x/en/installation/k8s-install/kubernetes-rke/) - [Install Rancher]({{}}/rancher/v2.x/en/installation/k8s-install/helm-rancher/) ## Additional Install Options diff --git a/content/rancher/v2.x/en/installation/k8s-install/create-nodes-lb/_index.md b/content/rancher/v2.x/en/installation/k8s-install/create-nodes-lb/_index.md index f414d2ccbf4..573bcee1d5c 100644 --- a/content/rancher/v2.x/en/installation/k8s-install/create-nodes-lb/_index.md +++ b/content/rancher/v2.x/en/installation/k8s-install/create-nodes-lb/_index.md 
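Review bot: Under "Important Notes on Architecture" in k8s-install/_index.md, the replacement sentence "The Rancher management server can only be run on Kubernetes cluster in an infrastructure provider where Kubernetes is installed using K3s or RKE" is missing an article and is hard to parse; something like "can only be run on a Kubernetes cluster that was installed with K3s or RKE" states the support boundary more directly. There is also a stray space before the period in "`cluster.yml` ." in the single-node RKE paragraph.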
@@ -1,32 +1,111 @@ --- -title: '1. Create Nodes and Load Balancer' +title: '1. Set up Infrastructure' weight: 185 aliases: - /rancher/v2.x/en/installation/ha/create-nodes-lb --- -Use your infrastructure provider of choice to provision three nodes and a load balancer endpoint for your RKE install. +In this section, you will provision the underlying infrastructure for your Rancher management server. + +The recommended infrastructure for the Rancher-only Kubernetes cluster differs depending on whether K3s or RKE is used to install Kubernetes. > **Note:** These nodes must be in the same region. You may place these servers in separate availability zones (datacenter). -### Requirements for OS, Docker, Hardware, and Networking +{{% tabs %}} +{{% tab "K3s" %}} +To install the Rancher management server on a high-availability K3s cluster, we recommend setting up the following infrastructure: -Make sure that your nodes fulfill the general [installation requirements.]({{}}/rancher/v2.x/en/installation/requirements/) +- **Two Linux nodes,** typically virtual machines, in the infrastructure provider of your choice. +- **An external database** to store the cluster data. PostgreSQL, MySQL, and etcd are supported. +- **A load balancer** to direct traffic to the two nodes. -View the OS requirements for RKE at [RKE Requirements.]({{}}/rke/latest/en/os/) +### 1. Set up Linux Nodes -### Load Balancer +Make sure that your nodes fulfill the general installation requirements for [OS, Docker, hardware, and networking.]({{}}/rancher/v2.x/en/installation/requirements/) -RKE will configure an Ingress controller pod, on each of your nodes. The Ingress controller pods are bound to ports TCP/80 and TCP/443 on the host network and are the entry point for HTTPS traffic to the Rancher server. +For an example of one way to set up Linux nodes, refer to this [tutorial](./ec2-node) for setting up nodes as instances in Amazon EC2. + +### 2. 
Set up External Datastore + +The ability to run Kubernetes using a datastore other than etcd sets K3s apart from other Kubernetes distributions. This feature provides flexibility to Kubernetes operators. The available datastore options allow you to select a datastore that best fits your use case. + +For a high-availability K3s installation, you will need to set up one of the following external databases: + +* [PostgreSQL](https://www.postgresql.org/) (certified against versions 10.7 and 11.5) +* [MySQL](https://www.mysql.com/) (certified against version 5.7) +* [etcd](https://etcd.io/) (certified against version 3.3.15) + +When you install Kubernetes using the K3s installation script, you will pass in details for K3s to connect to the database. + +For an example of one way to set up the database, refer to this [tutorial](./rds) for setting up a MySQL database on Amazon's RDS service. + +For the complete list of options that are available for configuring a K3s cluster datastore, refer to the [K3s documentation.]({{}}/k3s/latest/en/installation/datastore/) + +### 3. Set up the Load Balancer + +You will also need to set up a load balancer to direct traffic to the Rancher replica on both nodes. Configure a load balancer as a basic Layer 4 TCP forwarder. The exact configuration will vary depending on your environment. +External traffic will enter the Rancher management server cluster through an Ingress controller pod on each node. The Ingress controller pods are bound to ports TCP/80 and TCP/443 on the host network and are the entry point for HTTPS traffic to the Rancher server. In a later step, you will use the Helm package manager to install Rancher's Helm chart on the Kubernetes cluster. This Helm chart will set up a replica of Rancher on each node in the cluster. Therefore, we recommend using a load balancer to direct traffic to ports 80 and 443 on each replica of Rancher in the cluster. + +- The DNS for Rancher should resolve to a layer 4 load balancer. 
+- The Load Balancer should forward port TCP/80 and TCP/443 to all 3 nodes in the Kubernetes cluster. +- The Ingress controller will redirect HTTP to HTTPS and terminate SSL/TLS on port TCP/443. +- The Ingress controller will forward traffic to port TCP/80 on the Ingress pod in the Rancher deployment. + +For an example showing how to set up an NGINX load balancer, refer to [this page.]({{}}/rancher/v2.x/en/installation/k8s-install/create-nodes-lb/nginx/) + +For a how-to guide for setting up an Amazon NLB load balancer, refer to [this page.]({{}}/rancher/v2.x/en/installation/k8s-install/create-nodes-lb/nlb/) + > **Important:** > Do not use this load balancer (i.e, the `local` cluster Ingress) to load balance applications other than Rancher following installation. Sharing this Ingress with other applications may result in websocket errors to Rancher following Ingress configuration reloads for other apps. We recommend dedicating the `local` cluster to Rancher and no other applications. -#### How-to Guides +{{% /tab %}} +{{% tab "RKE" %}} +To install the Rancher management server on a high-availability RKE cluster, we recommend setting up the following infrastructure: -- For an example showing how to set up an NGINX load balancer, refer to [this page.]({{}}/rancher/v2.x/en/installation/k8s-install/create-nodes-lb/nginx/) -- For an example showing how to setup an Amazon NLB load balancer, refer to [this page.]({{}}/rancher/v2.x/en/installation/k8s-install/create-nodes-lb/nlb/) +- **Three Linux nodes,** typically virtual machines, in an infrastructure provider such as Amazon's EC2 or Google Compute Engine. +- **A load balancer** to direct front-end traffic to the three nodes. -### [Next: Install Kubernetes with RKE]({{}}/rancher/v2.x/en/installation/k8s-install/kubernetes-rke/) +These nodes must be in the same region/data center. You may place these servers in separate availability zones. + +### Why three nodes? 
+ +In an RKE cluster, Rancher server data is stored on etcd. This etcd database runs on all three nodes. + +The etcd database requires an odd number of nodes is so that it can always elect a leader with a majority of the etcd cluster. If the etcd database cannot elect a leader, etcd can fail, requiring the cluster to be restored from backup. If one of the three etcd nodes fails, the two remaining nodes can safely elect a leader because they have the majority of the total number of etcd nodes. + +### 1. Set up Linux Nodes + +Make sure that your nodes fulfill the general installation requirements for [OS, Docker, hardware, and networking.]({{}}/rancher/v2.x/en/installation/requirements/) + +For an example of one way to set up Linux nodes, refer to this [tutorial](./ec2-node) for setting up nodes as instances in Amazon EC2. + +### 2. Set up the Load Balancer + +You will also need to set up a load balancer to direct traffic to the Rancher replica on each of the three nodes. + +Configure a load balancer as a basic Layer 4 TCP forwarder. The exact configuration will vary depending on your environment. + +RKE will configure an Ingress controller pod on each node. The Ingress controller pods are bound to ports TCP/80 and TCP/443 on the host network and are the entry point for HTTPS traffic to the Rancher server. In a later step, you will use the Helm package manager to install Rancher's Helm chart on the Kubernetes cluster. This Helm chart will set up a replica of Rancher on each node in the cluster. Therefore, we recommend using a load balancer to direct traffic to ports 80 and 443 on each replica of Rancher in the cluster. + +- The DNS for Rancher should resolve to a layer 4 load balancer +- The Load Balancer should forward port TCP/80 and TCP/443 to all 3 nodes in the Kubernetes cluster. +- The Ingress controller will redirect HTTP to HTTPS and terminate SSL/TLS on port TCP/443. 
+- The Ingress controller will forward traffic to port TCP/80 on the pod in the Rancher deployment. + +
    Kubernetes Rancher install with layer 4 load balancer, depicting SSL termination at ingress controllers
    +![High-availability Kubernetes Installation of Rancher]({{}}/img/rancher/ha/rancher2ha.svg) +Kubernetes Rancher install with Layer 4 load balancer (TCP), depicting SSL termination at ingress controllers + +> **Important:** +> Do not use this load balancer (i.e, the `local` cluster Ingress) to load balance applications other than Rancher following installation. Sharing this Ingress with other applications may result in websocket errors to Rancher following Ingress configuration reloads for other apps. We recommend dedicating the `local` cluster to Rancher and no other applications. + +For an example showing how to set up an NGINX load balancer, refer to [this page.]({{}}/rancher/v2.x/en/installation/k8s-install/create-nodes-lb/nginx/) + +For a how-to guide for setting up an Amazon NLB load balancer, refer to [this page.]({{}}/rancher/v2.x/en/installation/k8s-install/create-nodes-lb/nlb/) +{{% /tab %}} +{{% /tabs %}} + +### [Next: Set up a Kubernetes Cluster]({{}}/rancher/v2.x/en/installation/k8s-install/kubernetes-rke/) \ No newline at end of file diff --git a/content/rancher/v2.x/en/installation/k8s-install/create-nodes-lb/ec2-node/_index.md b/content/rancher/v2.x/en/installation/k8s-install/create-nodes-lb/ec2-node/_index.md new file mode 100644 index 00000000000..0321861e458 --- /dev/null +++ b/content/rancher/v2.x/en/installation/k8s-install/create-nodes-lb/ec2-node/_index.md 
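Review bot: The K3s tab of create-nodes-lb/_index.md recommends "Two Linux nodes" and a load balancer "to direct traffic to the two nodes", but the bullet list in its load balancer step still reads "The Load Balancer should forward port TCP/80 and TCP/443 to all 3 nodes in the Kubernetes cluster"; in the K3s tab that bullet should say both nodes, or simply "all nodes". In the RKE tab, "The etcd database requires an odd number of nodes is so that it can always elect a leader" has a leftover "is". The same-region requirement also appears twice with conflicting wording: the note above the tabs equates availability zones with data centers, while the RKE tab says "same region/data center".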
@@ -0,0 +1,62 @@ +--- +title: Setting up Nodes in Amazon EC2 +weight: 280 +--- + +In this tutorial, you will learn one way to set up Linux nodes for the Rancher management server. These nodes will fulfill the node requirements for [OS, Docker, hardware, and networking.]({{}}/rancher/v2.x/en/installation/requirements/) + +If the Rancher server will be installed on an RKE Kubernetes cluster, you should provision three instances. + +If the Rancher server will be installed on a K3s Kubernetes cluster, you only need to provision two instances. + +### 1. Optional Preparation + +- **Create IAM role:** To allow Rancher to manipulate AWS resources, such as provisioning new storage or new nodes, you will need to configure Amazon as a cloud provider. There are several things you'll need to do to set up the cloud provider on EC2, but part of this process is setting up an IAM role for the Rancher server nodes. For the full details on setting up the cloud provider, refer to this [page.]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/options/cloud-providers/) +- **Create security group:** We also recommend setting up a security group for the Rancher nodes that complies with the [port requirements for Rancher nodes.]({{}}/rancher/v2.x/en/installation/requirements/#port-requirements) The exact requirements will differ depending on whether Kubernetes is installed with RKE or K3s. + +### 2. Provision Instances + +1. Log into the [Amazon AWS EC2 Console](https://console.aws.amazon.com/ec2/) to get started. Make sure to take note of the **Region** where your EC2 instances (Linux nodes) are created, because all of the infrastructure for the Rancher management server should be in the same region. +1. In the left panel, click **Instances.** +1. Click **Launch Instance.** +1. In the section called **Step 1: Choose an Amazon Machine Image (AMI),** we will use Ubuntu 18.04 as the Linux OS, using `ami-0d1cd67c26f5fca19 (64-bit x86)`. Go to the Ubuntu AMI and click **Select.** +1. 
In the **Step 2: Choose an Instance Type** section, select the `t2.medium` type. +1. Click **Next: Configure Instance Details.** +1. In the **Number of instances** field, enter the number of instances. A high-availability K3s cluster requires only two instances, while a high-availability RKE cluster requires three instances. +1. Optional: If you created an IAM role for Rancher to manipulate AWS resources, select the new IAM role in the **IAM role** field. +1. Click **Next: Add Storage,** **Next: Add Tags,** and **Next: Configure Security Group.** +1. In **Step 6: Configure Security Group,** select a security group that complies with the [port requirements]({{}}/rancher/v2.x/en/installation/requirements/#port-requirements) for Rancher nodes. +1. Click **Review and Launch.** +1. Click **Launch.** +1. Choose a new or existing key pair that you will use to connect to your instance later. If you are using an existing key pair, make sure you already have access to the private key. +1. Click **Launch Instances.** + +**Result:** You have created Rancher nodes that satisfy the requirements for OS, hardware, and networking. Next, you will install Docker on each node. + +### 3. Install Docker and Create User + +1. From the [AWS EC2 console,](https://console.aws.amazon.com/ec2/) click **Instances** in the left panel. +1. Go to the instance that you want to install Docker on. Select the instance and click **Actions > Connect.** +1. Connect to the instance by following the instructions on the screen that appears. Copy the Public DNS of the instance. An example command to SSH into the instance is as follows: +``` +sudo ssh -i [path-to-private-key] ubuntu@[public-DNS-of-instance] +``` +1. When you are connected to the instance, run the following command on the instance to create a user: +``` +sudo usermod -aG docker ubuntu +``` +1. 
Run the following command on the instance to install Docker with one of Rancher's installation scripts: +``` +curl https://releases.rancher.com/install-docker/18.09.sh | sh +``` +1. Repeat these steps so that Docker is installed on each node that will eventually run the Rancher management server. + +> To find out whether a script is available for installing a certain Docker version, refer to this [GitHub repository,](https://github.com/rancher/install-docker) which contains all of Rancher’s Docker installation scripts. + +**Result:** You have set up Rancher server nodes that fulfill all the node requirements for OS, Docker, hardware and networking. + +### Next Steps for RKE Kubernetes Cluster Nodes + +If you are going to install an RKE cluster on the new nodes, take note of the **IPv4 Public IP** and **Private IP** of each node. This information can be found on the **Description** tab for each node after it is created. The public and private IP will be used to populate the `address` and `internal_address` of each node in the RKE cluster configuration file, `rancher-cluster.yml`. + +RKE will also need access to the private key to connect to each node. Therefore, you might want to take note of the path to your private keys to connect to the nodes, which can also be included in the `rancher-cluster.yml` under the `ssh_key_path` directive for each node. \ No newline at end of file diff --git a/content/rancher/v2.x/en/installation/k8s-install/create-nodes-lb/nginx/_index.md b/content/rancher/v2.x/en/installation/k8s-install/create-nodes-lb/nginx/_index.md index f915f340d59..30af71c22c1 100644 --- a/content/rancher/v2.x/en/installation/k8s-install/create-nodes-lb/nginx/_index.md +++ b/content/rancher/v2.x/en/installation/k8s-install/create-nodes-lb/nginx/_index.md 
@@ -7,10 +7,11 @@ aliases: NGINX will be configured as Layer 4 load balancer (TCP) that forwards connections to one of your Rancher nodes. -> **Note:** -> In this configuration, the load balancer is positioned in front of your nodes. The load balancer can be any host capable of running NGINX. -> -> One caveat: do not use one of your Rancher nodes as the load balancer. +In this configuration, the load balancer is positioned in front of your nodes. The load balancer can be any host capable of running NGINX. + +One caveat: do not use one of your Rancher nodes as the load balancer. + +> These examples show the load balancer being configured to direct traffic to three Rancher server nodes. If Rancher is installed on an RKE Kubernetes cluster, three nodes are required. If Rancher is installed on a K3s Kubernetes cluster, only two nodes are required. ## Install NGINX diff --git a/content/rancher/v2.x/en/installation/k8s-install/create-nodes-lb/nlb/_index.md b/content/rancher/v2.x/en/installation/k8s-install/create-nodes-lb/nlb/_index.md index 29aca8a2e39..36032575e8a 100644 --- a/content/rancher/v2.x/en/installation/k8s-install/create-nodes-lb/nlb/_index.md +++ b/content/rancher/v2.x/en/installation/k8s-install/create-nodes-lb/nlb/_index.md 
@@ -7,6 +7,8 @@ aliases: This how-to guide describes how to set up a load balancer in Amazon's EC2 service that will direct traffic to multiple instances on EC2. +These examples show the load balancer being configured to direct traffic to three Rancher server nodes. If Rancher is installed on an RKE Kubernetes cluster, three nodes are required. If Rancher is installed on a K3s Kubernetes cluster, only two nodes are required. + > **Note:** Rancher only supports using the Amazon NLB when terminating traffic in `tcp` mode for port 443 rather than `tls` mode. This is due to the fact that the NLB does not inject the correct headers into requests when terminated at the NLB. This means that if you want to use certificates managed by the Amazon Certificate Manager (ACM), you should use an ELB or ALB. Configuring an Amazon NLB is a multistage process: diff --git a/content/rancher/v2.x/en/installation/k8s-install/create-nodes-lb/rds/_index.md b/content/rancher/v2.x/en/installation/k8s-install/create-nodes-lb/rds/_index.md new file mode 100644 index 00000000000..41d7b8eb501 --- /dev/null +++ b/content/rancher/v2.x/en/installation/k8s-install/create-nodes-lb/rds/_index.md 
@@ -0,0 +1,34 @@ +--- +title: Setting up a MySQL Database in Amazon RDS +weight: 290 +--- +This tutorial describes how to set up a MySQL database in Amazon's RDS. + +This database can later be used as an external datastore for a high-availability K3s Kubernetes cluster. + +1. Log into the [Amazon AWS RDS Console](https://console.aws.amazon.com/rds/) to get started. Make sure to select the **Region** where your EC2 instances (Linux nodes) are created. +1. In the left panel, click **Databases.** +1. Click **Create database.** +1. In the **Engine type** section, click **MySQL.** +1. In the **Version** section, choose **MySQL 5.7.22.** +1. In **Settings** section, under **Credentials Settings,** enter a master password for the **admin** master username. Confirm the password. +1. Expand the **Additional configuration** section. In the **Initial database name** field, enter a name. The name can have only letters, numbers, and underscores. This name will be used to connect to the database. +1. Click **Create database.** + +You'll need to capture the following information about the new database so that the K3s Kubernetes cluster can connect to it. + +To see this information in the Amazon RDS console, click **Databases,** and click the name of the database that you created. + +- **Username:** Use the admin username. +- **Password:** Use the admin password. +- **Hostname:** Use the **Endpoint** as the hostname. The endpoint is available in the **Connectivity & security** section. +- **Port:** The port should be 3306 by default. You can confirm it in the **Connectivity & security** section. +- **Database name:** Confirm the name by going to the **Configuration** tab. 
The name is listed under **DB name.** + +This information will be used to connect to the database in the following format: + +``` +mysql://username:password@tcp(hostname:3306)/database-name +``` + +For more information on configuring the datastore for K3s, refer to the [K3s documentation.]({{}}/k3s/latest/en/installation/datastore/) \ No newline at end of file diff --git a/content/rancher/v2.x/en/installation/k8s-install/helm-rancher/_index.md b/content/rancher/v2.x/en/installation/k8s-install/helm-rancher/_index.md index 5dd4d41cb66..0aeae37ce0c 100644 --- a/content/rancher/v2.x/en/installation/k8s-install/helm-rancher/_index.md +++ b/content/rancher/v2.x/en/installation/k8s-install/helm-rancher/_index.md 
@@ -16,11 +16,16 @@ To choose a Rancher version to install, refer to [Choosing a Rancher Version.]({ To choose a version of Helm to install Rancher with, refer to the [Helm version requirements]({{}}/rancher/v2.x/en/installation/options/helm-version) -> **Note:** The installation instructions assume you are using Helm 3. For migration of installs started with Helm 2, refer to the official [Helm 2 to 3 migration docs.](https://helm.sh/blog/migrate-from-helm-v2-to-helm-v3/) This [section]({{}}/rancher/v2.x/en/installation/options/helm2) provides a copy of the older installation instructions for Rancher installed on Kubernetes with Helm 2, and it is intended to be used if upgrading to Helm 3 is not feasible. +> **Note:** The installation instructions assume you are using Helm 3. For migration of installs started with Helm 2, refer to the official [Helm 2 to 3 migration docs.](https://helm.sh/blog/migrate-from-helm-v2-to-helm-v3/) This [section]({{}}/rancher/v2.x/en/installation/options/helm2) provides a copy of the older installation instructions for Rancher installed on an RKE Kubernetes cluster with Helm 2, and it is intended to be used if upgrading to Helm 3 is not feasible. -### Install Helm +# Required CLI Tools -Helm requires a simple CLI tool to be installed. Refer to the [instructions provided by the Helm project](https://helm.sh/docs/intro/install/) for your specific platform. +The following CLI tools are required for setting up the Kubernetes cluster. Please make sure these tools are installed and available in your `$PATH`. + +Refer to the [instructions provided by the Helm project](https://helm.sh/docs/intro/install/) for your specific platform. + +- [kubectl](https://kubernetes.io/docs/tasks/tools/install-kubectl/#install-kubectl) - Kubernetes command-line tool. +- [helm](https://docs.helm.sh/using_helm/#installing-helm) - Package management for Kubernetes. 
Refer to the [Helm version requirements]({{}}/rancher/v2.x/en/installation/options/helm-version) to choose a version of Helm to install Rancher. ### Add the Helm Chart Repository @@ -42,9 +47,9 @@ kubectl create namespace cattle-system ### Choose your SSL Configuration -Rancher Server is designed to be secure by default and requires SSL/TLS configuration. +The Rancher management server is designed to be secure by default and requires SSL/TLS configuration. -There are three recommended options for the source of the certificate. +There are three recommended options for the source of the certificate. For discussion of each option and its use case, refer to this [blog post.](https://rancher.com/blog/2020/transport-layer-security-p2) > **Note:** If you want terminate SSL/TLS externally, see [TLS termination on an External Load Balancer]({{}}/rancher/v2.x/en/installation/options/chart-options/#external-tls-termination). diff --git a/content/rancher/v2.x/en/installation/k8s-install/kubernetes-rke/_index.md b/content/rancher/v2.x/en/installation/k8s-install/kubernetes-rke/_index.md index 0a7fd9eed28..5a6ef54e701 100644 --- a/content/rancher/v2.x/en/installation/k8s-install/kubernetes-rke/_index.md +++ b/content/rancher/v2.x/en/installation/k8s-install/kubernetes-rke/_index.md 
@@ -6,21 +6,123 @@ aliases: - /rancher/v2.x/en/installation/ha/kubernetes-rke/ --- -This section describes how to install a Kubernetes cluster on your three nodes according to our [best practices for the Rancher server environment.]({{}}/rancher/v2.x/en/overview/architecture-recommendations/#environment-for-kubernetes-installations) This cluster should be dedicated to run only the Rancher server. We recommend using RKE to install Kubernetes on this cluster. Hosted Kubernetes providers such as EKS should not be used. +This section describes how to install a Kubernetes cluster according to our [best practices for the Rancher server environment.]({{}}/rancher/v2.x/en/overview/architecture-recommendations/#environment-for-kubernetes-installations) This cluster should be dedicated to run only the Rancher server. + +For Rancher prior to v2.4, Rancher should be installed on an RKE Kubernetes cluster. RKE is a CNCF-certified Kubernetes distribution and that runs entirely within Docker containers. + +As of Rancher v2.4, the Rancher management server can be installed on either an RKE cluster or a K3s Kubernetes cluster. K3s is also a fully certified Kubernetes distribution released by Rancher, but is newer than RKE. We recommend installing Rancher on K3s because K3s is easier to use, and more lightweight, with a binary size of less than 50 MB. Note: After Rancher is installed on an RKE cluster, there is no migration path to a K3s setup at this time. + +The Rancher management server can only be run on Kubernetes cluster in an infrastructure provider where Kubernetes is installed using RKE or K3s. Use of Rancher on hosted Kubernetes providers, such as EKS, is not supported. 
For systems without direct internet access, refer to [Air Gap: Kubernetes install.]({{}}/rancher/v2.x/en/installation/air-gap-high-availability/) > **Single-node Installation Tip:** > In a single-node Kubernetes cluster, the Rancher server does not have high availability, which is important for running Rancher in production. However, installing Rancher on a single-node cluster can be useful if you want to save resources by using a single node in the short term, while preserving a high-availability migration path. > -> To set up a single-node cluster, configure only one node in the `cluster.yml` when provisioning the cluster with RKE. The single node should have all three roles: `etcd`, `controlplane` and `worker`. Then Rancher can be installed with Helm on the cluster in the same way that it would be installed on any other cluster. +> To set up a single-node RKE cluster, configure only one node in the `cluster.yml` . The single node should have all three roles: `etcd`, `controlplane`, and `worker`. +> +> To set up a single-node K3s cluster, run the Rancher server installation command on just one node instead of two nodes. +> +> In both single-node setups, Rancher can be installed with Helm on the Kubernetes cluster in the same way that it would be installed on any other cluster. -### Create the `rancher-cluster.yml` File +# Installing Kubernetes -Using the sample below, create the `rancher-cluster.yml` file. Replace the IP Addresses in the `nodes` list with the IP address or DNS names of the 3 nodes you created. + +The steps to set up the Kubernetes cluster differ depending on whether you are using RKE or K3s. + +{{% tabs %}} +{{% tab "K3s" %}} + +### 1. Install Kubernetes and Set up the K3s Server + +When running the command to start the K3s Kubernetes API server, you will pass in two options: one option to use the external datastore that you set up earlier, and one to prevent K3s from deploying Traefik, which is the default ingress in K3s. 
You need to disable Traefik because Rancher will use NGINX as the ingress to allow external traffic into the cluster. + +1. Connect to one of the Linux nodes that you have prepared to run the Rancher server. +1. On the Linux node, run this command to start the K3s server and connect it to the external datastore: + ``` + curl -sfL https://get.k3s.io | sh -s - server \ + --datastore-endpoint="mysql://username:password@tcp(hostname:3306)/database-name" \ + --no-deploy=traefik + ``` + Note: The datastore endpoint can also be passed in using the environment variable `$K3S_DATASTORE_ENDPOINT`. + +1. Repeat the same command on your second K3s server node. + +### 2. Confirm that K3s is Running + +To confirm that K3s has been set up successfully, run the following command on either of the K3s server nodes: +``` +sudo k3s kubectl get nodes +``` + +Then you should see two nodes with the master role: +``` +ubuntu@ip-172-31-60-194:~$ sudo k3s kubectl get nodes +NAME STATUS ROLES AGE VERSION +ip-172-31-60-194 Ready master 44m v1.17.2+k3s1 +ip-172-31-63-88 Ready master 6m8s v1.17.2+k3s1 +``` + +Then test the health of the cluster pods: +``` +sudo k3s kubectl get pods --all-namespaces +``` + +**Result:** You have successfully set up a K3s Kubernetes cluster. + +### 3. Save and Start Using the kubeconfig File + +When you installed K3s on each Rancher server node, a `kubeconfig` file was created on the node at `/etc/rancher/k3s/k3s.yaml`. This file contains credentials for full access to the cluster, and you should save this file in a secure location. + +To use this `kubeconfig` file, + +1. Install [kubectl,](https://kubernetes.io/docs/tasks/tools/install-kubectl/#install-kubectl) a Kubernetes command-line tool. +2. Copy the file at `/etc/rancher/k3s/k3s.yaml` and save it to the directory `~/.kube/config` on your local machine. +3. Replace `localhost` in the kubeconfig file with the IP or name of your K3s server. + +**Result:** You can now use `kubectl` to manage your K3s cluster. 
+ +For more information about the `kubeconfig` file, refer to the [K3s documentation]({{}}/k3s/latest/en/cluster-access/) or the [official Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/) about organizing cluster access using `kubeconfig` files. + +### 4. Check the Health of Your Cluster Pods + +Now that you have set up the `kubeconfig` file, you can use `kubectl` to access the cluster from your local machine. + +Check that all the required pods and containers are healthy are ready to continue: +``` +ubuntu@ip-172-31-60-194:~$ sudo kubectl get pods --all-namespaces +NAMESPACE NAME READY STATUS RESTARTS AGE +kube-system metrics-server-6d684c7b5-bw59k 1/1 Running 0 8d +kube-system local-path-provisioner-58fb86bdfd-fmkvd 1/1 Running 0 8d +kube-system coredns-d798c9dd-ljjnf 1/1 Running 0 8d +cert-manager cert-manager-cainjector-85fbdf788-ct5cp 1/1 Running 0 7d22h +cert-manager cert-manager-754d9b75d9-29llx 1/1 Running 0 7d22h +cert-manager cert-manager-webhook-76f9b64b45-lnhdl 1/1 Running 0 7d22h +cattle-system rancher-ddf788bbf-2zdb4 1/1 Running 0 7d22h +cattle-system rancher-ddf788bbf-22dxm 1/1 Running 1 7d22h +cattle-system rancher-ddf788bbf-k6vk4 1/1 Running 1 7d22h +``` + +**Result:** You have confirmed that you can access the cluster with `kubectl` and the K3s cluster is running successfully. Now the Rancher management server can be installed on the cluster. +{{% /tab %}} +{{% tab "RKE" %}} + +### Required CLI Tools + +Install [kubectl,](https://kubernetes.io/docs/tasks/tools/install-kubectl/#install-kubectl) a Kubernetes command-line tool. + +Also install [RKE,]({{}}/rke/latest/en/installation/) the Rancher Kubernetes Engine, a Kubernetes distribution and command-line tool. + +### 1. Create the cluster configuration file + +In this section, you will create a Kubernetes cluster configuration file called `rancher-cluster.yml`. 
In a later step, when you set up the cluster with an RKE command, it will use this file to install Kubernetes on your nodes. + +Using the sample below as a guide, create the `rancher-cluster.yml` file. Replace the IP addresses in the `nodes` list with the IP address or DNS names of the 3 nodes you created. If your node has public and internal addresses, it is recommended to set the `internal_address:` so Kubernetes will use it for intra-cluster communication. Some services like AWS EC2 require setting the `internal_address:` if you want to use self-referencing security groups or firewalls. +RKE will need to connect to each node over SSH, and it will look for a private key in the default location of `~/.ssh/id_rsa`. If your private key for a certain node is in a different location than the default, you will also need to configure the `ssh_key_path` option for that node. + ```yaml nodes: - address: 165.227.114.63 @@ -50,7 +152,7 @@ ingress: use-forwarded-headers: "true" ``` -#### Common RKE Nodes Options +
    Common RKE Nodes Options
    | Option | Required | Description | | ------------------ | -------- | -------------------------------------------------------------------------------------- | @@ -60,15 +162,13 @@ ingress: | `internal_address` | no | The private DNS or IP address for internal cluster traffic | | `ssh_key_path` | no | Path to SSH private key used to authenticate to the node (defaults to `~/.ssh/id_rsa`) | -#### Advanced Configurations +> **Advanced Configurations:** RKE has many configuration options for customizing the install to suit your specific environment. +> +> Please see the [RKE Documentation]({{}}/rke/latest/en/config-options/) for the full list of options and capabilities. +> +> For tuning your etcd cluster for larger Rancher installations, see the [etcd settings guide]({{}}/rancher/v2.x/en/installation/options/etcd/). -RKE has many configuration options for customizing the install to suit your specific environment. - -Please see the [RKE Documentation]({{}}/rke/latest/en/config-options/) for the full list of options and capabilities. - -For tuning your etcd cluster for larger Rancher installations see the [etcd settings guide]({{}}/rancher/v2.x/en/installation/options/etcd/). - -### Run RKE +### 2. Run RKE ``` rke up --config ./rancher-cluster.yml 
@@ -76,19 +176,23 @@ rke up --config ./rancher-cluster.yml When finished, it should end with the line: `Finished building Kubernetes cluster successfully`. -### Testing Your Cluster +### 3. Test Your Cluster -RKE should have created a file `kube_config_rancher-cluster.yml`. This file has the credentials for `kubectl` and `helm`. +This section describes how to set up your workspace so that you can interact with this cluster using the `kubectl` command-line tool. + +Assuming you have installed `kubectl`, you need to place the `kubeconfig` file in a location where `kubectl` can reach it. The `kubeconfig` file contains the credentials necessary to access your cluster with `kubectl`. + +When you ran `rke up`, RKE should have created a `kubeconfig` file named `kube_config_rancher-cluster.yml`. This file has the credentials for `kubectl` and `helm`. > **Note:** If you have used a different file name from `rancher-cluster.yml`, then the kube config file will be named `kube_config_.yml`. -You can copy this file to `$HOME/.kube/config` or if you are working with multiple Kubernetes clusters, set the `KUBECONFIG` environmental variable to the path of `kube_config_rancher-cluster.yml`. +Move this file to `$HOME/.kube/config`, or if you are working with multiple Kubernetes clusters, set the `KUBECONFIG` environmental variable to the path of `kube_config_rancher-cluster.yml`: ``` export KUBECONFIG=$(pwd)/kube_config_rancher-cluster.yml ``` -Test your connectivity with `kubectl` and see if all your nodes are in `Ready` state. +Test your connectivity with `kubectl` and see if all your nodes are in `Ready` state: ``` kubectl get nodes @@ -99,7 +203,7 @@ NAME STATUS ROLES AGE VER 165.227.127.226 Ready controlplane,etcd,worker 11m v1.13.5 ``` -### Check the Health of Your Cluster Pods +### 4. Check the Health of Your Cluster Pods Check that all the required pods and containers are healthy are ready to continue. 
@@ -126,7 +230,9 @@ kube-system rke-metrics-addon-deploy-job-7ljkc 0/1 Completed kube-system rke-network-plugin-deploy-job-6pbgj 0/1 Completed 0 30s ``` -### Save Your Files +This confirms that you have successfully installed a Kubernetes cluster that the Rancher server will run on. + +### 5. Save Your Files > **Important** > The files mentioned below are needed to maintain, troubleshoot and upgrade your cluster. @@ -142,5 +248,7 @@ Save a copy of the following files in a secure location: ### Issues or errors? See the [Troubleshooting]({{}}/rancher/v2.x/en/installation/options/troubleshooting/) page. +{{% /tab %}} +{{% /tabs %}} ### [Next: Install Rancher]({{}}/rancher/v2.x/en/installation/k8s-install/helm-rancher/) diff --git a/content/rancher/v2.x/en/installation/requirements/_index.md b/content/rancher/v2.x/en/installation/requirements/_index.md index 4afebe9277f..ce3fc738bde 100644 --- a/content/rancher/v2.x/en/installation/requirements/_index.md +++ b/content/rancher/v2.x/en/installation/requirements/_index.md @@ -48,10 +48,10 @@ This section describes the CPU, memory, and disk requirements for the nodes wher ### CPU and Memory -Hardware requirements scale based on the size of your Rancher deployment. Provision each individual node according to the requirements. The requirements are different depending on if you are installing Rancher with Docker or on a Kubernetes cluster. +Hardware requirements scale based on the size of your Rancher deployment. Provision each individual node according to the requirements. The requirements are different depending on if you are installing Rancher in a single container with Docker, or if you are installing Rancher on a Kubernetes cluster. {{% tabs %}} -{{% tab "Nodes in Kubernetes Install" %}} +{{% tab "Kubernetes Install Requirements" %}} These requirements apply to [installing Rancher on a Kubernetes cluster.]({{}}/rancher/v2.x/en/installation/k8s-install/) 
@@ -64,7 +64,11 @@ These requirements apply to [installing Rancher on a Kubernetes cluster.]({{>>>>>> Explain K3s Rancher install These requirements apply to [single node]({{}}/rancher/v2.x/en/installation/other-installation-methods/single-node-docker) installations of Rancher. From 1e475baaa4179d8517b5c8a0966b6618b7046132 Mon Sep 17 00:00:00 2001 From: Catherine Luse Date: Thu, 20 Feb 2020 18:19:55 -0700 Subject: [PATCH 070/183] Edit Rancher-on-K3s install docs --- content/k3s/latest/en/_index.md | 4 +-- content/rancher/v2.x/en/backups/_index.md | 5 +++- .../rancher/v2.x/en/backups/backups/_index.md | 5 ++-- .../en/backups/backups/ha-backups/_index.md | 4 +-- .../en/backups/backups/k3s-backups/_index.md | 4 +++ .../backups/single-node-backups/_index.md | 4 +-- .../restorations/k3s-restoration/_index.md | 0 .../k8s-install/kubernetes-rke/_index.md | 27 ++++++++++++++++--- 8 files changed, 41 insertions(+), 12 deletions(-) create mode 100644 content/rancher/v2.x/en/backups/backups/k3s-backups/_index.md create mode 100644 content/rancher/v2.x/en/backups/restorations/k3s-restoration/_index.md diff --git a/content/k3s/latest/en/_index.md b/content/k3s/latest/en/_index.md index 2b47eee622b..952027f0c93 100644 --- a/content/k3s/latest/en/_index.md +++ b/content/k3s/latest/en/_index.md @@ -4,7 +4,7 @@ shortTitle: K3s name: "menu" --- -Lightweight Kubernetes. Easy to install, half the memory, all in a binary of less than 50mb. +Lightweight Kubernetes. Easy to install, half the memory, all in a binary of less than 50mb. Great for: @@ -12,7 +12,7 @@ Great for: * IoT * CI * ARM -* Situations where a PhD in k8s clusterology is infeasible +* Situations where a PhD in K8s clusterology is infeasible # What is K3s? diff --git a/content/rancher/v2.x/en/backups/_index.md b/content/rancher/v2.x/en/backups/_index.md index d51850c3fe9..e88b97fbbd3 100644 --- a/content/rancher/v2.x/en/backups/_index.md +++ b/content/rancher/v2.x/en/backups/_index.md 
@@ -8,7 +8,10 @@ This section is devoted to protecting your data in a disaster scenario. To protect yourself from a disaster scenario, you should create backups on a regular basis. - - [Rancher Server Backups]({{}}/rancher/v2.x/en/backups/backups) + - Rancher server backups: + - [Rancher installed on a K3s Kubernetes cluster](./backups/k3s-backups) + - [Rancher installed on an RKE Kubernetes cluster](./backups/ha-backups) + - Rancher installed with Docker - [Backing up Rancher Launched Kubernetes Clusters]({{}}/rancher/v2.x/en/cluster-admin/backing-up-etcd/) diff --git a/content/rancher/v2.x/en/backups/backups/_index.md b/content/rancher/v2.x/en/backups/backups/_index.md index 57e2150b516..072c1913cac 100644 --- a/content/rancher/v2.x/en/backups/backups/_index.md +++ b/content/rancher/v2.x/en/backups/backups/_index.md @@ -7,7 +7,8 @@ aliases: --- This section contains information about how to create backups of your Rancher data and how to restore them in a disaster scenario. -- [Docker Install Backups](./single-node-backups/) -- [Kubernetes Install Backups](./ha-backups/) +- [Backing up Rancher installed on a K3s Kubernetes cluster](./k3s-backups) +- [Backing up Rancher installed on an RKE Kubernetes cluster](./ha-backups/) +- [Backing up Rancher installed with Docker](./single-node-backups/) If you are looking to back up your [Rancher launched Kubernetes cluster]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/), please refer [here]({{}}/rancher/v2.x/en/cluster-admin/backing-up-etcd/). diff --git a/content/rancher/v2.x/en/backups/backups/ha-backups/_index.md b/content/rancher/v2.x/en/backups/backups/ha-backups/_index.md index 08fce60c0b2..acbd2aab431 100644 --- a/content/rancher/v2.x/en/backups/backups/ha-backups/_index.md +++ b/content/rancher/v2.x/en/backups/backups/ha-backups/_index.md 
@@ -1,6 +1,6 @@ --- -title: Creating Backups for Rancher Installed on Kubernetes -weight: 50 +title: Backing up Rancher Installed on an RKE Kubernetes Cluster +weight: 2 aliases: - /rancher/v2.x/en/installation/after-installation/k8s-install-backup-and-restoration/ - /rancher/v2.x/en/installation/backups-and-restoration/ha-backup-and-restoration/ diff --git a/content/rancher/v2.x/en/backups/backups/k3s-backups/_index.md b/content/rancher/v2.x/en/backups/backups/k3s-backups/_index.md new file mode 100644 index 00000000000..f96f3466a43 --- /dev/null +++ b/content/rancher/v2.x/en/backups/backups/k3s-backups/_index.md @@ -0,0 +1,4 @@ +--- +title: Backing up Rancher Installed on a K3s Kubernetes Cluster +weight: 1 +--- \ No newline at end of file diff --git a/content/rancher/v2.x/en/backups/backups/single-node-backups/_index.md b/content/rancher/v2.x/en/backups/backups/single-node-backups/_index.md index bd2cb04d8d5..ae0ee7b1ae7 100644 --- a/content/rancher/v2.x/en/backups/backups/single-node-backups/_index.md +++ b/content/rancher/v2.x/en/backups/backups/single-node-backups/_index.md @@ -1,6 +1,6 @@ --- -title: Creating Backups for Rancher Installed with Docker -weight: 25 +title: Backing up Rancher Installed with Docker +weight: 3 aliases: - /rancher/v2.x/en/installation/after-installation/single-node-backup-and-restoration/ --- diff --git a/content/rancher/v2.x/en/backups/restorations/k3s-restoration/_index.md b/content/rancher/v2.x/en/backups/restorations/k3s-restoration/_index.md new file mode 100644 index 00000000000..e69de29bb2d diff --git a/content/rancher/v2.x/en/installation/k8s-install/kubernetes-rke/_index.md b/content/rancher/v2.x/en/installation/k8s-install/kubernetes-rke/_index.md index 5a6ef54e701..52f27af109e 100644 --- a/content/rancher/v2.x/en/installation/k8s-install/kubernetes-rke/_index.md +++ b/content/rancher/v2.x/en/installation/k8s-install/kubernetes-rke/_index.md 
@@ -41,8 +41,7 @@ When running the command to start the K3s Kubernetes API server, you will pass i 1. On the Linux node, run this command to start the K3s server and connect it to the external datastore: ``` curl -sfL https://get.k3s.io | sh -s - server \ - --datastore-endpoint="mysql://username:password@tcp(hostname:3306)/database-name" \ - --no-deploy=traefik + --datastore-endpoint="mysql://username:password@tcp(hostname:3306)/database-name" ``` Note: The datastore endpoint can also be passed in using the environment variable `$K3S_DATASTORE_ENDPOINT`. @@ -78,7 +77,29 @@ To use this `kubeconfig` file, 1. Install [kubectl,](https://kubernetes.io/docs/tasks/tools/install-kubectl/#install-kubectl) a Kubernetes command-line tool. 2. Copy the file at `/etc/rancher/k3s/k3s.yaml` and save it to the directory `~/.kube/config` on your local machine. -3. Replace `localhost` in the kubeconfig file with the IP or name of your K3s server. +3. In the kubeconfig file, the `server` directive is defined as localhost. Configure the server as the DNS of your load balancer, referring to port 6443. (The Kubernetes API server will be reached at port 6443, while the Rancher server will be reached at ports 80 and 443.) Here is an example `k3s.yaml`: + +``` +apiVersion: v1 +clusters: +- cluster: + certificate-authority-data: [CERTIFICATE-DATA] + server: [LOAD-BALANCER-DNS]:6443 # Edit this line + name: default +contexts: +- context: + cluster: default + user: default + name: default +current-context: default +kind: Config +preferences: {} +users: +- name: default + user: + password: [PASSWORD] + username: admin +``` **Result:** You can now use `kubectl` to manage your K3s cluster. From 75b3eef7777df5685cbc0e5fbde6bfed6e432501 Mon Sep 17 00:00:00 2001 
From: Catherine Luse Date: Fri, 21 Feb 2020 18:30:23 -0700 Subject: [PATCH 071/183] Add info to K3s Rancher install docs --- .../rancher/v2.x/en/installation/_index.md | 4 +- .../en/installation/k8s-install/_index.md | 2 +- .../k8s-install/create-nodes-lb/_index.md | 77 ++++--- .../k8s-install/helm-rancher/_index.md | 123 +++++++---- .../k8s-install/kubernetes-rke/_index.md | 8 +- .../air-gap-helm2/prepare-nodes/_index.md | 4 +- .../ec2-node/_index.md | 2 + .../nginx/_index.md | 1 + .../create-nodes-lb => options}/nlb/_index.md | 7 +- .../create-nodes-lb => options}/rds/_index.md | 0 .../single-node-install-external-lb/_index.md | 17 +- .../air-gap/_index.md | 22 +- .../air-gap/launch-kubernetes/_index.md | 174 +++++++++++++-- .../populate-private-registry/_index.md | 8 +- .../air-gap/prepare-nodes/_index.md | 204 ++++++++++++------ .../single-node-docker/_index.md | 2 +- .../en/installation/requirements/_index.md | 12 +- .../architecture-recommendations/_index.md | 2 +- 18 files changed, 474 insertions(+), 195 deletions(-) rename content/rancher/v2.x/en/installation/{k8s-install/create-nodes-lb => options}/ec2-node/_index.md (98%) rename content/rancher/v2.x/en/installation/{k8s-install/create-nodes-lb => options}/nginx/_index.md (98%) rename content/rancher/v2.x/en/installation/{k8s-install/create-nodes-lb => options}/nlb/_index.md (95%) rename content/rancher/v2.x/en/installation/{k8s-install/create-nodes-lb => options}/rds/_index.md (100%) rename content/rancher/v2.x/en/installation/{other-installation-methods/single-node-docker => options}/single-node-install-external-lb/_index.md (90%) diff --git a/content/rancher/v2.x/en/installation/_index.md b/content/rancher/v2.x/en/installation/_index.md index 205bdd57c56..328c7234fce 100644 --- a/content/rancher/v2.x/en/installation/_index.md +++ b/content/rancher/v2.x/en/installation/_index.md 
@@ -41,7 +41,7 @@ There are also separate instructions for installing Rancher in an air gap enviro | Level of Internet Access | Kubernetes Installation - Strongly Recommended | Docker Installation | | ---------------------------------- | ------------------------------ | ---------- | | With direct access to the Internet | [Docs]({{}}/rancher/v2.x/en/installation/k8s-install/) | [Docs]({{}}/rancher/v2.x/en/installation/other-installation-methods/single-node-docker) | -| Behind an HTTP proxy | These [docs,]({{}}/rancher/v2.x/en/installation/k8s-install/) plus this [configuration]({{}}/rancher/v2.x/en/installation/options/chart-options/#http-proxy) | These [docs,]({{}}/rancher/v2.x/en/installation/other-installation-methods/single-node) plus this [configuration]({{}}/rancher/v2.x/en/installation/other-installation-methods/single-node/proxy/) | +| Behind an HTTP proxy | These [docs,]({{}}/rancher/v2.x/en/installation/k8s-install/) plus this [configuration]({{}}/rancher/v2.x/en/installation/options/chart-options/#http-proxy) | These [docs,]({{}}/rancher/v2.x/en/installation/other-installation-methods/single-node-docker) plus this [configuration]({{}}/rancher/v2.x/en/installation/other-installation-methods/single-node-docker/proxy/) | | In an air gap environment | [Docs]({{}}/rancher/v2.x/en/installation/other-installation-methods/air-gap) | [Docs]({{}}/rancher/v2.x/en/installation/other-installation-methods/air-gap) | ### Prerequisites 
@@ -71,5 +71,5 @@ In the Rancher installation instructions, we recommend using K3s or RKE to set u Refer to the [docs about options for Docker installs]({{}}/rancher/v2.x/en/installation/other-installation-methods/single-node-docker) for details about other configurations including: - With [API auditing to record all transactions]({{}}/rancher/v2.x/en/installation/other-installation-methods/single-node-docker/#api-audit-log) -- With an [external load balancer]({{}}/rancher/v2.x/en/installation/other-installation-methods/single-node-docker/single-node-install-external-lb/) +- With an [external load balancer]({{}}/rancher/v2.x/en/installation/options/single-node-install-external-lb/) - With a [persistent data store]({{}}/rancher/v2.x/en/installation/other-installation-methods/single-node-docker/#persistent-data) diff --git a/content/rancher/v2.x/en/installation/k8s-install/_index.md b/content/rancher/v2.x/en/installation/k8s-install/_index.md index cfbb0aa7643..4a51dbf90b3 100644 --- a/content/rancher/v2.x/en/installation/k8s-install/_index.md +++ b/content/rancher/v2.x/en/installation/k8s-install/_index.md 
@@ -8,7 +8,7 @@ aliases: For production environments, we recommend installing Rancher in a high-availability configuration so that your user base can always access Rancher Server. When installed in a Kubernetes cluster, Rancher will integrate with the cluster's etcd database and take advantage of Kubernetes scheduling for high-availability. -This section describes how to first use RKE to create and manage a cluster, then install Rancher onto that cluster. For this type of architecture, you will need to deploy three VMs in the infrastructure provider of your choice. You will also need to configure a load balancer to direct front-end traffic to the three VMs. When the VMs are running and fulfill the [node requirements,]({{}}/rancher/v2.x/en/installation/requirements) you can use RKE to deploy Kubernetes onto them, then use the Helm package manager to deploy Rancher onto Kubernetes. +This section describes how to create and manage a Kubernetes cluster, then install Rancher onto that cluster. For this type of architecture, you will need to deploy nodes - typically virtual machines - in the infrastructure provider of your choice. You will also need to configure a load balancer to direct front-end traffic to the three VMs. When the VMs are running and fulfill the [node requirements,]({{}}/rancher/v2.x/en/installation/requirements) you can use RKE or K3s to deploy Kubernetes onto them, then use the Helm package manager to deploy Rancher onto Kubernetes. ### Optional: Installing Rancher on a Single-node Kubernetes Cluster diff --git a/content/rancher/v2.x/en/installation/k8s-install/create-nodes-lb/_index.md b/content/rancher/v2.x/en/installation/k8s-install/create-nodes-lb/_index.md index 573bcee1d5c..d6ee83d7097 100644 --- a/content/rancher/v2.x/en/installation/k8s-install/create-nodes-lb/_index.md +++ b/content/rancher/v2.x/en/installation/k8s-install/create-nodes-lb/_index.md 
@@ -7,7 +7,9 @@ aliases: In this section, you will provision the underlying infrastructure for your Rancher management server. -The recommended infrastructure for the Rancher-only Kubernetes cluster differs depending on whether K3s or RKE is used to install Kubernetes. +The recommended infrastructure for the Rancher-only Kubernetes cluster differs depending on whether Rancher will be installed on a K3s Kubernetes cluster, an RKE Kubernetes cluster, or a single Docker container. + +For more information about each installation option, refer to [this page.]({{}}/rancher/v2.x/en/installation) > **Note:** These nodes must be in the same region. You may place these servers in separate availability zones (datacenter). 
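Review bot: The added sentence names three targets (a K3s cluster, an RKE cluster, or a single Docker container), but none of this file's hunks adds infrastructure guidance for the Docker case, so the reader is promised a comparison the page does not make. Either keep the original "K3s or RKE" wording or make the new "refer to this page" link the explicit pointer for Docker installs. The context line "separate availability zones (datacenter)" could also be aligned with the RKE tab, which says "region/data center".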
@@ -18,16 +20,17 @@ To install the Rancher management server on a high-availability K3s cluster, we - **Two Linux nodes,** typically virtual machines, in the infrastructure provider of your choice. - **An external database** to store the cluster data. PostgreSQL, MySQL, and etcd are supported. - **A load balancer** to direct traffic to the two nodes. +- **A DNS record** to map a URL to the load balancer. This will become the Rancher server URL. ### 1. Set up Linux Nodes Make sure that your nodes fulfill the general installation requirements for [OS, Docker, hardware, and networking.]({{}}/rancher/v2.x/en/installation/requirements/) -For an example of one way to set up Linux nodes, refer to this [tutorial](./ec2-node) for setting up nodes as instances in Amazon EC2. +For an example of one way to set up Linux nodes, refer to this [tutorial]({{}}/rancher/v2.x/en/installation/options/ec2-node) for setting up nodes as instances in Amazon EC2. ### 2. Set up External Datastore -The ability to run Kubernetes using a datastore other than etcd sets K3s apart from other Kubernetes distributions. This feature provides flexibility to Kubernetes operators. The available datastore options allow you to select a datastore that best fits your use case. +The ability to run Kubernetes using a datastore other than etcd sets K3s apart from other Kubernetes distributions. This feature provides flexibility to Kubernetes operators. The available options allow you to select a datastore that best fits your use case. For a high-availability K3s installation, you will need to set up one of the following external databases: 
@@ -43,30 +46,43 @@ For the complete list of options that are available for configuring a K3s cluste ### 3. Set up the Load Balancer -You will also need to set up a load balancer to direct traffic to the Rancher replica on both nodes. +You will also need to set up a load balancer to direct traffic to the Rancher replica on both nodes. That will prevent an outage of any single node from taking down communications to the Rancher management server. -Configure a load balancer as a basic Layer 4 TCP forwarder. The exact configuration will vary depending on your environment. +When Kubernetes gets set up in a later step, the K3s tool will deploy a Traefik Ingress controller. This controller will listen on ports 80 and 443 of the worker nodes, answering traffic destined for specific hostnames. -External traffic will enter the Rancher management server cluster through an Ingress controller pod on each node. The Ingress controller pods are bound to ports TCP/80 and TCP/443 on the host network and are the entry point for HTTPS traffic to the Rancher server. In a later step, you will use the Helm package manager to install Rancher's Helm chart on the Kubernetes cluster. This Helm chart will set up a replica of Rancher on each node in the cluster. Therefore, we recommend using a load balancer to direct traffic to ports 80 and 443 on each replica of Rancher in the cluster. +When Rancher is installed (also in a later step), the Rancher system creates an Ingress resource. That Ingress tells the Traefik Ingress controller to listen for traffic destined for the Rancher hostname. The Traefik Ingress controller, when receiving traffic destined for the Rancher hostname, will forward that traffic to the running Rancher pods in the cluster. -- The DNS for Rancher should resolve to a layer 4 load balancer. -- The Load Balancer should forward port TCP/80 and TCP/443 to all 3 nodes in the Kubernetes cluster. 
-- The Ingress controller will redirect HTTP to HTTPS and terminate SSL/TLS on port TCP/443. -- The Ingress controller will forward traffic to port TCP/80 on the Ingress pod in the Rancher deployment. +For your implementation, consider if you want or need to use a Layer-4 or Layer-7 load balancer: -For an example showing how to set up an NGINX load balancer, refer to [this page.]({{}}/rancher/v2.x/en/installation/k8s-install/create-nodes-lb/nginx/) +- **A layer-4 load balancer** is the simpler of the two choices, in which you are forwarding TCP traffic to your nodes. We recommend configuring your load balancer as a Layer 4 balancer, forwarding traffic to ports TCP/80 and TCP/443 to the Rancher management cluster nodes. The Ingress controller on the cluster will redirect HTTP traffic to HTTPS and terminate SSL/TLS on port TCP/443. The Ingress controller will forward traffic to port TCP/80 to the Ingress pod in the Rancher deployment. +- **A layer-7 load balancer** is a bit more complicated but can offer features that you may want. For instance, a layer-7 load balancer is capable of handling TLS termination at the load balancer, as opposed to Rancher doing TLS termination itself. This can be beneficial if you want to centralize your TLS termination in your infrastructure. Layer-7 load balancing also offers the capability for your load balancer to make decisions based on HTTP attributes such as cookies, etc. that a layer-4 load balancer is not able to concern itself with. If you decide to terminate the SSL/TLS traffic on a layer-7 load balancer, you will need to use the `--set tls=external` option when installing Rancher in a later step. 
For more information, refer to the [Rancher Helm chart options.]({{}}/rancher/v2.x/en/installation/options/chart-options/#external-tls-termination) -For a how-to guide for setting up an Amazon NLB load balancer, refer to [this page.]({{}}/rancher/v2.x/en/installation/k8s-install/create-nodes-lb/nlb/) +For an example showing how to set up an NGINX load balancer, refer to [this page.]({{}}/rancher/v2.x/en/installation/options/nginx/) + +For a how-to guide for setting up an Amazon ELB Network Load Balancer, refer to [this page.]({{}}/rancher/v2.x/en/installation/options/nlb/) > **Important:** > Do not use this load balancer (i.e, the `local` cluster Ingress) to load balance applications other than Rancher following installation. Sharing this Ingress with other applications may result in websocket errors to Rancher following Ingress configuration reloads for other apps. We recommend dedicating the `local` cluster to Rancher and no other applications. +### 4. Set up the DNS Record + +Once you have set up your load balancer, you will need to create a DNS record to send traffic to this load balancer. + +Depending on your environment, this may be an A record pointing to the load balancer IP, or it may be a CNAME pointing to the load balancer hostname. In either case, make sure this record is the hostname that you intend Rancher to respond on. + +You will need to specify this hostname in a later step when you install Rancher, and it is not possible to change it later. Make sure that your decision is a final one. 
+ +For a how-to guide for setting up a DNS record to route domain traffic to an Amazon ELB load balancer, refer to the [official AWS documentation.](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/routing-to-elb-load-balancer) + + + {{% /tab %}} {{% tab "RKE" %}} To install the Rancher management server on a high-availability RKE cluster, we recommend setting up the following infrastructure: -- **Three Linux nodes,** typically virtual machines, in an infrastructure provider such as Amazon's EC2 or Google Compute Engine. +- **Three Linux nodes,** typically virtual machines, in an infrastructure provider such as Amazon's EC2, Google Compute Engine, or vSphere. - **A load balancer** to direct front-end traffic to the three nodes. +- **A DNS record** to map a URL to the load balancer. These nodes must be in the same region/data center. You may place these servers in separate availability zones. 
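Review bot: The layer-7 bullet introduces `--set tls=external` but never says that, once TLS ends at the load balancer, the hop from the load balancer to the cluster nodes is typically plain HTTP on port 80; add a sentence on that so readers can judge whether that network segment is trusted before they pick this option. In the layer-4 bullet, "forward traffic to port TCP/80 to the Ingress pod in the Rancher deployment" conflicts with the paragraph above it, which says the Traefik Ingress controller forwards to the Rancher pods; use the same wording in both places. The three empty `+` lines before `{{% /tab %}}` can be dropped.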
@@ -74,37 +90,44 @@ These nodes must be in the same region/data center. You may place these servers In an RKE cluster, Rancher server data is stored on etcd. This etcd database runs on all three nodes. -The etcd database requires an odd number of nodes is so that it can always elect a leader with a majority of the etcd cluster. If the etcd database cannot elect a leader, etcd can fail, requiring the cluster to be restored from backup. If one of the three etcd nodes fails, the two remaining nodes can safely elect a leader because they have the majority of the total number of etcd nodes. +The etcd database requires an odd number of nodes so that it can always elect a leader with a majority of the etcd cluster. If the etcd database cannot elect a leader, etcd can suffer from [split brain](https://www.quora.com/What-is-split-brain-in-distributed-systems), requiring the cluster to be restored from backup. If one of the three etcd nodes fails, the two remaining nodes can elect a leader because they have the majority of the total number of etcd nodes. ### 1. Set up Linux Nodes Make sure that your nodes fulfill the general installation requirements for [OS, Docker, hardware, and networking.]({{}}/rancher/v2.x/en/installation/requirements/) -For an example of one way to set up Linux nodes, refer to this [tutorial](./ec2-node) for setting up nodes as instances in Amazon EC2. +For an example of one way to set up Linux nodes, refer to this [tutorial]({{}}/rancher/v2.x/en/installation/k8s-install/create-nodes-lb/ec2-node) for setting up nodes as instances in Amazon EC2. ### 2. Set up the Load Balancer -You will also need to set up a load balancer to direct traffic to the Rancher replica on each of the three nodes. +You will also need to set up a load balancer to direct traffic to the Rancher replica on both nodes. That will prevent an outage of any single node from taking down communications to the Rancher management server. 
-Configure a load balancer as a basic Layer 4 TCP forwarder. The exact configuration will vary depending on your environment. +When Kubernetes gets set up in a later step, the RKE tool will deploy an NGINX Ingress controller. This controller will listen on ports 80 and 443 of the worker nodes, answering traffic destined for specific hostnames. -RKE will configure an Ingress controller pod on each node. The Ingress controller pods are bound to ports TCP/80 and TCP/443 on the host network and are the entry point for HTTPS traffic to the Rancher server. In a later step, you will use the Helm package manager to install Rancher's Helm chart on the Kubernetes cluster. This Helm chart will set up a replica of Rancher on each node in the cluster. Therefore, we recommend using a load balancer to direct traffic to ports 80 and 443 on each replica of Rancher in the cluster. +When Rancher is installed (also in a later step), the Rancher system creates an Ingress resource. That Ingress tells the NGINX Ingress controller to listen for traffic destined for the Rancher hostname. The NGINX Ingress controller, when receiving traffic destined for the Rancher hostname, will forward that traffic to the running Rancher pods in the cluster. -- The DNS for Rancher should resolve to a layer 4 load balancer -- The Load Balancer should forward port TCP/80 and TCP/443 to all 3 nodes in the Kubernetes cluster. -- The Ingress controller will redirect HTTP to HTTPS and terminate SSL/TLS on port TCP/443. -- The Ingress controller will forward traffic to port TCP/80 on the pod in the Rancher deployment. +For your implementation, consider if you want or need to use a Layer-4 or Layer-7 load balancer: -
    Kubernetes Rancher install with layer 4 load balancer, depicting SSL termination at ingress controllers
    -![High-availability Kubernetes Installation of Rancher]({{}}/img/rancher/ha/rancher2ha.svg) -Kubernetes Rancher install with Layer 4 load balancer (TCP), depicting SSL termination at ingress controllers +- **A layer-4 load balancer** is the simpler of the two choices, in which you are forwarding TCP traffic to your nodes. We recommend configuring your load balancer as a Layer 4 balancer, forwarding traffic to ports TCP/80 and TCP/443 to the Rancher management cluster nodes. The Ingress controller on the cluster will redirect HTTP traffic to HTTPS and terminate SSL/TLS on port TCP/443. The Ingress controller will forward traffic to port TCP/80 to the Ingress pod in the Rancher deployment. +- **A layer-7 load balancer** is a bit more complicated but can offer features that you may want. For instance, a layer-7 load balancer is capable of handling TLS termination at the load balancer, as opposed to Rancher doing TLS termination itself. This can be beneficial if you want to centralize your TLS termination in your infrastructure. Layer-7 load balancing also offers the capability for your load balancer to make decisions based on HTTP attributes such as cookies, etc. that a layer-4 load balancer is not able to concern itself with. If you decide to terminate the SSL/TLS traffic on a layer-7 load balancer, you will need to use the `--set tls=external` option when installing Rancher in a later step. 
For more information, refer to the [Rancher Helm chart options.]({{}}/rancher/v2.x/en/installation/options/chart-options/#external-tls-termination) + +For an example showing how to set up an NGINX load balancer, refer to [this page.]({{}}/rancher/v2.x/en/installation/options/nginx/) + +For a how-to guide for setting up an Amazon ELB Network Load Balancer, refer to [this page.]({{}}/rancher/v2.x/en/installation/options/nlb/) > **Important:** > Do not use this load balancer (i.e, the `local` cluster Ingress) to load balance applications other than Rancher following installation. Sharing this Ingress with other applications may result in websocket errors to Rancher following Ingress configuration reloads for other apps. We recommend dedicating the `local` cluster to Rancher and no other applications. -For an example showing how to set up an NGINX load balancer, refer to [this page.]({{}}/rancher/v2.x/en/installation/k8s-install/create-nodes-lb/nginx/) +### 3. Set up the DNS Record + +Once you have set up your load balancer, you will need to create a DNS record to send traffic to this load balancer. + +Depending on your environment, this may be an A record pointing to the LB IP, or it may be a CNAME pointing to the load balancer hostname. In either case, make sure this record is the hostname that you intend Rancher to respond on. + +You will need to specify this hostname in a later step when you install Rancher, and it is not possible to change it later. Make sure that your decision is a final one. + +For a how-to guide for setting up a DNS record to route domain traffic to an Amazon ELB load balancer, refer to the [official AWS documentation.](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/routing-to-elb-load-balancer) -For a how-to guide for setting up an Amazon NLB load balancer, refer to [this page.]({{}}/rancher/v2.x/en/installation/k8s-install/create-nodes-lb/nlb/) {{% /tab %}} {{% /tabs %}} 
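Review bot: In the RKE tab the load balancer paragraph now reads "the Rancher replica on both nodes", which is copied from the K3s tab, while this tab asks for three nodes and the removed line said "each of the three nodes"; restore the three-node wording. The ec2-node link in step 1 points to `/installation/k8s-install/create-nodes-lb/ec2-node`, the path this commit renames to `options/ec2-node`, and the K3s tab already uses the new path, so the two tabs should match. The rewritten etcd sentence replaces "etcd can fail" with "can suffer from split brain" and a Quora link; what the paragraph describes is loss of quorum, where no leader can be elected, so the earlier wording was the accurate one and needs no external reference.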
diff --git a/content/rancher/v2.x/en/installation/k8s-install/helm-rancher/_index.md b/content/rancher/v2.x/en/installation/k8s-install/helm-rancher/_index.md index 0aeae37ce0c..84b002d3f8f 100644 --- a/content/rancher/v2.x/en/installation/k8s-install/helm-rancher/_index.md +++ b/content/rancher/v2.x/en/installation/k8s-install/helm-rancher/_index.md @@ -18,7 +18,18 @@ To choose a version of Helm to install Rancher with, refer to the [Helm version > **Note:** The installation instructions assume you are using Helm 3. For migration of installs started with Helm 2, refer to the official [Helm 2 to 3 migration docs.](https://helm.sh/blog/migrate-from-helm-v2-to-helm-v3/) This [section]({{}}/rancher/v2.x/en/installation/options/helm2) provides a copy of the older installation instructions for Rancher installed on an RKE Kubernetes cluster with Helm 2, and it is intended to be used if upgrading to Helm 3 is not feasible. -# Required CLI Tools +To set up Rancher, + +1. [Install the required CLI tools](#1-install-the-required-cli-tools) +2. [Add the Helm chart repository](#2-add-the-helm-chart-repository) +3. [Create a namespace for Rancher](#3-create-a-namespace-for-rancher) +4. [Choose your SSL configuration](#4-choose-your-ssl-configuration) +5. [Install cert-manager](#5-install-cert-manager) (unless you are bringing your own certificates, or TLS will be terminated on a load balancer) +6. [Install Rancher with Helm and your chosen certificate option](#6-install-rancher-with-helm-and-your-chosen-certificate-option) +7. [Verify that the Rancher server is successfully deployed](#7-verify-that-the-rancher-server-is-successfully-deployed) +8. [Save your options](#8-save-your-options) + +### 1. Install the Required CLI Tools The following CLI tools are required for setting up the Kubernetes cluster. Please make sure these tools are installed and available in your `$PATH`. 
@@ -27,7 +38,7 @@ Refer to the [instructions provided by the Helm project](https://helm.sh/docs/in - [kubectl](https://kubernetes.io/docs/tasks/tools/install-kubectl/#install-kubectl) - Kubernetes command-line tool. - [helm](https://docs.helm.sh/using_helm/#installing-helm) - Package management for Kubernetes. Refer to the [Helm version requirements]({{}}/rancher/v2.x/en/installation/options/helm-version) to choose a version of Helm to install Rancher. -### Add the Helm Chart Repository +### 2. Add the Helm Chart Repository Use `helm repo add` command to add the Helm chart repository that contains charts to install Rancher. For more information about the repository choices and which is best for your use case, see [Choosing a Version of Rancher]({{}}/rancher/v2.x/en/installation/options/server-tags/#helm-chart-repositories). 
@@ -37,40 +48,42 @@ Use `helm repo add` command to add the Helm chart repository that contains chart helm repo add rancher- https://releases.rancher.com/server-charts/ ``` -### Create a Namespace for Rancher +### 3. Create a Namespace for Rancher -We'll need to define a namespace where the resources created by the Chart should be installed. This should always be `cattle-system`: +We'll need to define a Kubernetes namespace where the resources created by the Chart should be installed. This should always be `cattle-system`: ``` kubectl create namespace cattle-system ``` -### Choose your SSL Configuration +### 4. Choose your SSL Configuration The Rancher management server is designed to be secure by default and requires SSL/TLS configuration. -There are three recommended options for the source of the certificate. For discussion of each option and its use case, refer to this [blog post.](https://rancher.com/blog/2020/transport-layer-security-p2) - > **Note:** If you want terminate SSL/TLS externally, see [TLS termination on an External Load Balancer]({{}}/rancher/v2.x/en/installation/options/chart-options/#external-tls-termination). -| Configuration | Chart option | Description | Requires cert-manager | -| ------------------------------ | -------------------------------- | ------------------------------------------------------------------------------------------- | ------------------------------------- | -| Rancher Generated Certificates | `ingress.tls.source=rancher` | Use certificates issued by Rancher's generated CA (self signed)
    This is the **default** | [yes](#optional-install-cert-manager) | -| Let’s Encrypt | `ingress.tls.source=letsEncrypt` | Use Let's Encrypt to issue a certificate | [yes](#optional-install-cert-manager) | -| Certificates from Files | `ingress.tls.source=secret` | Use your own certificate files by creating Kubernetes Secret(s) | no | +There are three recommended options for the source of the certificate used for TLS termination at the Rancher server: -### Optional: Install cert-manager +- **Rancher-generated TLS certificate:** In this case, you will need to install `cert-manager` into the cluster. Rancher utilizes `cert-manager` to issue and maintain its certificates. Rancher will generate a CA certificate of its own, and sign a cert using that CA. `cert-manager` is then responsible for managing that certificate. +- **Let's Encrypt:** The Let's Encrypt option also uses `cert-manager`. However, in this case, cert-manager is combined with a special Issuer for Let's Encrypt that performs all actions (including request and validation) necessary for getting a Let's Encrypt issued cert. This configuration uses HTTP validation (`HTTP-01`), so the load balancer must have a public DNS record and be accessible from the internet. +- **Bring your own certificate:** This option allows you to bring your own public- or private-CA signed certificate. Rancher will use that certificate to secure websocket and HTTPS traffic. In this case, you must upload this certificate (and associated key) as PEM-encoded files with the name `tls.crt` and `tls.key`. If you are using a private CA, you must also upload that certificate. This is due to the fact that this private CA may not be trusted by your nodes. Rancher will take that CA certificate, and generate a checksum from it, which the various Rancher components will use to validate their connection to Rancher. 
-Rancher relies on [cert-manager](https://github.com/jetstack/cert-manager) to issue certificates from Rancher's own generated CA or to request Let's Encrypt certificates. -`cert-manager` is only required for certificates issued by Rancher's generated CA (`ingress.tls.source=rancher`) and Let's Encrypt issued certificates (`ingress.tls.source=letsEncrypt`). You should skip this step if you are using your own certificate files (option `ingress.tls.source=secret`) or if you use [TLS termination on an External Load Balancer]({{}}/rancher/v2.x/en/installation/options/chart-options/#external-tls-termination). +| Configuration | Helm Chart Option | Requires cert-manager | +| ------------------------------ | ----------------------- | ------------------------------------- | +| Rancher Generated Certificates (Default) | `ingress.tls.source=rancher` | [yes](#5-install-cert-manager) | +| Let’s Encrypt | `ingress.tls.source=letsEncrypt` | [yes](#5-install-cert-manager) | +| Certificates from Files | `ingress.tls.source=secret` | no | + +### 5. Install cert-manager + +> You should skip this step if you are bringing your own certificate files (option `ingress.tls.source=secret`), or if you use [TLS termination on an external load balancer]({{}}/rancher/v2.x/en/installation/options/chart-options/#external-tls-termination). + +This step is only required to use certificates issued by Rancher's generated CA (`ingress.tls.source=rancher`) or to request Let's Encrypt issued certificates (`ingress.tls.source=letsEncrypt`). {{% accordion id="cert-manager" label="Click to Expand" %}} -> **Important:** -> Due to an issue with Helm v2.12.0 and cert-manager, please use Helm v2.12.1 or higher. - -> Recent changes to cert-manager require an upgrade. If you are upgrading Rancher and using a version of cert-manager older than v0.11.0, please see our [upgrade documentation]({{}}/rancher/v2.x/en/installation/options/upgrading-cert-manager/). 
+> **Important:** Recent changes to cert-manager require an upgrade. If you are upgrading Rancher and using a version of cert-manager older than v0.11.0, please see our [upgrade documentation]({{}}/rancher/v2.x/en/installation/options/upgrading-cert-manager/). These instructions are adapted from the [official cert-manager documentation](https://cert-manager.io/docs/installation/kubernetes/#installing-with-helm). @@ -78,8 +91,15 @@ These instructions are adapted from the [official cert-manager documentation](ht # Install the CustomResourceDefinition resources separately kubectl apply -f https://raw.githubusercontent.com/jetstack/cert-manager/release-0.12/deploy/manifests/00-crds.yaml -> **Important:** -> If you are running Kubernetes v1.15 or below, you will need to add the `--validate=false flag to your kubectl apply command above else you will receive a validation error relating to the x-kubernetes-preserve-unknown-fields field in cert-manager’s CustomResourceDefinition resources. This is a benign error and occurs due to the way kubectl performs resource validation. +# **Important:** +# If you are running Kubernetes v1.15 or below, you +# will need to add the `--validate=false` flag to your +# kubectl apply command, or else you will receive a +# validation error relating to the +# x-kubernetes-preserve-unknown-fields field in +# cert-manager’s CustomResourceDefinition resources. +# This is a benign error and occurs due to the way kubectl +# performs resource validation. # Create the namespace for cert-manager kubectl create namespace cert-manager 
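Review bot: In the `@@ -37,40 +48,42 @@` hunk, the rewritten table drops the Description column and with it the "(self signed)" remark on the default option; the new Rancher-generated bullet explains that Rancher signs with its own CA but does not say that browsers and API clients will not trust the resulting certificate until that CA is imported. Add that sentence to the first bullet. The bring-your-own bullet names `tls.crt` and `tls.key` but gives no file name for the private CA certificate it says must also be uploaded, so name it there or link to the TLS secrets page.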
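Review bot: In the `@@ -78,8 +91,15 @@` hunk, the Kubernetes v1.15 warning is now a run of `#` comments between two commands but still carries Markdown markup (`**Important:**` and the backticks around `--validate=false`), which shows up literally in the command listing. Write the comment as plain text, or move the warning to a blockquote ahead of the commands so it is read before the `kubectl apply` line rather than after it.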
@@ -110,14 +130,17 @@ cert-manager-webhook-787858fcdb-nlzsq 1/1 Running 0 2m {{% /accordion %}} -### Install Rancher with Helm and Your Chosen Certificate Option +### 6. Install Rancher with Helm and Your Chosen Certificate Option + +The exact command to install Rancher differs depending on the certificate configuration. {{% tabs %}} {{% tab "Rancher-generated Certificates" %}} -> **Note:** You need to have [cert-manager](#optional-install-cert-manager) installed before proceeding. -The default is for Rancher to generate a CA and uses `cert-manager` to issue the certificate for access to the Rancher server interface. Because `rancher` is the default option for `ingress.tls.source`, we are not specifying `ingress.tls.source` when running the `helm install` command. +The default is for Rancher to generate a CA and uses `cert-manager` to issue the certificate for access to the Rancher server interface. + +Because `rancher` is the default option for `ingress.tls.source`, we are not specifying `ingress.tls.source` when running the `helm install` command. - Set the `hostname` to the DNS name you pointed at your load balancer. - If you are installing an alpha version, Helm requires adding the `--devel` option to the command. 
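Review bot: The Rancher-generated tab no longer tells the reader that cert-manager must already be installed, because the `> **Note:**` line is removed and nothing replaces it. Keep a one-line pointer to `#5-install-cert-manager` here, since step 5 sits inside a collapsed accordion and opens with advice on when to skip it. The added line "The default is for Rancher to generate a CA and uses `cert-manager`" also needs "use" in place of "uses".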
@@ -139,11 +162,13 @@ deployment "rancher" successfully rolled out {{% /tab %}} {{% tab "Let's Encrypt" %}} -> **Note:** You need to have [cert-manager](#optional-install-cert-manager) installed before proceeding. +This option uses `cert-manager` to automatically request and renew [Let's Encrypt](https://letsencrypt.org/) certificates. This is a free service that provides you with a valid certificate as Let's Encrypt is a trusted CA. -This option uses `cert-manager` to automatically request and renew [Let's Encrypt](https://letsencrypt.org/) certificates. This is a free service that provides you with a valid certificate as Let's Encrypt is a trusted CA. This configuration uses HTTP validation (`HTTP-01`) so the load balancer must have a public DNS record and be accessible from the internet. +In the following command, -- Set `hostname` to the public DNS record, set `ingress.tls.source` to `letsEncrypt` and `letsEncrypt.email` to the email address used for communication about your certificate (for example, expiry notices) +- `hostname` is set to the public DNS record, +- `ingress.tls.source` is set to `letsEncrypt` +- `letsEncrypt.email` is set to the email address used for communication about your certificate (for example, expiry notices) - If you are installing an alpha version, Helm requires adding the `--devel` option to the command. ``` 
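Review bot: The Let's Encrypt tab loses both the cert-manager prerequisite and the sentence stating that HTTP-01 validation needs a public DNS record and a load balancer reachable from the internet; that requirement now appears only in step 4, so a reader who goes straight to this tab can run the install and have certificate issuance fail. Keep the HTTP-01 sentence in the tab. The new bullet list also mixes punctuation: the first item ends with a comma and the next two end with nothing.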
@@ -164,11 +189,16 @@ deployment "rancher" successfully rolled out {{% /tab %}} {{% tab "Certificates from Files" %}} -Create Kubernetes secrets from your own certificates for Rancher to use. +In this option, Kubernetes secrets are created from your own certificates for Rancher to use. -> **Note:** The `Common Name` or a `Subject Alternative Names` entry in the server certificate must match the `hostname` option, or the ingress controller will fail to configure correctly. Although an entry in the `Subject Alternative Names` is technically required, having a matching `Common Name` maximizes compatibility with older browsers/applications. If you want to check if your certificates are correct, see [How do I check Common Name and Subject Alternative Names in my server certificate?]({{}}/rancher/v2.x/en/faq/technical/#how-do-i-check-common-name-and-subject-alternative-names-in-my-server-certificate) +When you run this command, the `hostname` option must match the `Common Name` or a `Subject Alternative Names` entry in the server certificate or the Ingress controller will fail to configure correctly. -- Set `hostname` and set `ingress.tls.source` to `secret`. +Although an entry in the `Subject Alternative Names` is technically required, having a matching `Common Name` maximizes compatibility with older browsers and applications. + +> If you want to check if your certificates are correct, see [How do I check Common Name and Subject Alternative Names in my server certificate?]({{}}/rancher/v2.x/en/faq/technical/#how-do-i-check-common-name-and-subject-alternative-names-in-my-server-certificate) + +- Set the `hostname`. +- Set `ingress.tls.source` to `secret`. - If you are using a Private CA signed certificate , add `--set privateCA=true` to the command shown below. - If you are installing an alpha version, Helm requires adding the `--devel` option to the command. 
@@ -179,7 +209,20 @@ helm install rancher rancher-/rancher \ --set ingress.tls.source=secret ``` -Now that Rancher is deployed, see [Adding TLS Secrets]({{}}/rancher/v2.x/en/installation/options/tls-secrets/) to publish the certificate files so Rancher and the ingress controller can use them. +Now that Rancher is deployed, see [Adding TLS Secrets]({{}}/rancher/v2.x/en/installation/options/tls-secrets/) to publish the certificate files so Rancher and the Ingress controller can use them. +{{% /tab %}} +{{% /tabs %}} + +The Rancher chart configuration has many options for customizing the installation to suit your specific environment. Here are some common advanced scenarios. + +- [HTTP Proxy]({{}}/rancher/v2.x/en/installation/options/chart-options/#http-proxy) +- [Private Docker Image Registry]({{}}/rancher/v2.x/en/installation/options/chart-options/#private-registry-and-air-gap-installs) +- [TLS Termination on an External Load Balancer]({{}}/rancher/v2.x/en/installation/options/chart-options/#external-tls-termination) + +See the [Chart Options]({{}}/rancher/v2.x/en/installation/options/chart-options/) for the full list of options. + + +### 7. Verify that the Rancher Server is Successfully Deployed After adding the secrets, check if Rancher was rolled out successfully: 
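Review bot: With `{{% /tab %}}` and `{{% /tabs %}}` now closed above the new "### 7." heading, the unchanged line "After adding the secrets, check if Rancher was rolled out successfully:" introduces the verification step for every certificate option, but only the "Certificates from Files" tab adds secrets. Reword it to something like "Check if Rancher was rolled out successfully:" and keep the instruction to add the TLS secrets first inside that tab.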
@@ -198,25 +241,15 @@ rancher 3 3 3 3 3m ``` It should show the same count for `DESIRED` and `AVAILABLE`. -{{% /tab %}} -{{% /tabs %}} -### Advanced Configurations - -The Rancher chart configuration has many options for customizing the install to suit your specific environment. Here are some common advanced scenarios. - -- [HTTP Proxy]({{}}/rancher/v2.x/en/installation/options/chart-options/#http-proxy) -- [Private Docker Image Registry]({{}}/rancher/v2.x/en/installation/options/chart-options/#private-registry-and-air-gap-installs) -- [TLS Termination on an External Load Balancer]({{}}/rancher/v2.x/en/installation/options/chart-options/#external-tls-termination) - -See the [Chart Options]({{}}/rancher/v2.x/en/installation/options/chart-options/) for the full list of options. - -### Save your options +### 8. Save Your Options Make sure you save the `--set` options you used. You will need to use the same options when you upgrade Rancher to new versions with Helm. ### Finishing Up -That's it you should have a functional Rancher server. Point a browser at the hostname you picked and you should be greeted by the colorful login page. +That's it. You should have a functional Rancher server. + +In a web browser, go to the DNS name that forwards traffic to your load balancer. Then you should be greeted by the colorful login page. Doesn't work? Take a look at the [Troubleshooting]({{}}/rancher/v2.x/en/installation/options/troubleshooting/) Page diff --git a/content/rancher/v2.x/en/installation/k8s-install/kubernetes-rke/_index.md b/content/rancher/v2.x/en/installation/k8s-install/kubernetes-rke/_index.md index 52f27af109e..556b4e4f299 100644 --- a/content/rancher/v2.x/en/installation/k8s-install/kubernetes-rke/_index.md +++ b/content/rancher/v2.x/en/installation/k8s-install/kubernetes-rke/_index.md 
@@ -8,7 +8,7 @@ aliases: This section describes how to install a Kubernetes cluster according to our [best practices for the Rancher server environment.]({{}}/rancher/v2.x/en/overview/architecture-recommendations/#environment-for-kubernetes-installations) This cluster should be dedicated to run only the Rancher server. -For Rancher prior to v2.4, Rancher should be installed on an RKE Kubernetes cluster. RKE is a CNCF-certified Kubernetes distribution and that runs entirely within Docker containers. +For Rancher prior to v2.4, Rancher should be installed on an RKE Kubernetes cluster. RKE is a CNCF-certified Kubernetes distribution that runs entirely within Docker containers. As of Rancher v2.4, the Rancher management server can be installed on either an RKE cluster or a K3s Kubernetes cluster. K3s is also a fully certified Kubernetes distribution released by Rancher, but is newer than RKE. We recommend installing Rancher on K3s because K3s is easier to use, and more lightweight, with a binary size of less than 50 MB. Note: After Rancher is installed on an RKE cluster, there is no migration path to a K3s setup at this time. @@ -101,7 +101,11 @@ users: username: admin ``` -**Result:** You can now use `kubectl` to manage your K3s cluster. +**Result:** You can now use `kubectl` to manage your K3s cluster. If you have more than one kubeconfig file, you can specify which one you want to use by passing in the path to the file when using `kubectl`: + +``` +kubectl --kubeconfig ~/.kube/config/k3s.yaml get pods --all-namespaces +``` For more information about the `kubeconfig` file, refer to the [K3s documentation]({{}}/k3s/latest/en/cluster-access/) or the [official Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/) about organizing cluster access using `kubeconfig` files. 
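Review bot: In the second hunk, the added example `kubectl --kubeconfig ~/.kube/config/k3s.yaml get pods --all-namespaces` treats `~/.kube/config` as a directory, but that path is the default kubeconfig file that kubectl reads, so the example collides with an existing kubeconfig on any machine that already has one. Use a path such as `~/.kube/k3s.yaml` instead. Since this file carries credentials for full access to the cluster, the paragraph should also say to restrict it to its owner (mode 0600).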
diff --git a/content/rancher/v2.x/en/installation/options/air-gap-helm2/prepare-nodes/_index.md b/content/rancher/v2.x/en/installation/options/air-gap-helm2/prepare-nodes/_index.md index ff9080548ef..554c05bd98b 100644 --- a/content/rancher/v2.x/en/installation/options/air-gap-helm2/prepare-nodes/_index.md +++ b/content/rancher/v2.x/en/installation/options/air-gap-helm2/prepare-nodes/_index.md @@ -81,8 +81,8 @@ You will need to configure a load balancer as a basic Layer 4 TCP forwarder to d **Load Balancer Configuration Samples:** -- For an example showing how to set up an NGINX load balancer, refer to [this page.]({{}}/rancher/v2.x/en/installation/k8s-install/create-nodes-lb/nginx) -- For an example showing how to set up an Amazon NLB load balancer, refer to [this page.]({{}}/rancher/v2.x/en/installation/k8s-install/create-nodes-lb/nlb) +- For an example showing how to set up an NGINX load balancer, refer to [this page.]({{}}/rancher/v2.x/en/installation/options/nginx) +- For an example showing how to set up an Amazon NLB load balancer, refer to [this page.]({{}}/rancher/v2.x/en/installation/options/nlb) {{% /tab %}} {{% tab "Docker Install" %}} diff --git a/content/rancher/v2.x/en/installation/k8s-install/create-nodes-lb/ec2-node/_index.md b/content/rancher/v2.x/en/installation/options/ec2-node/_index.md similarity index 98% rename from content/rancher/v2.x/en/installation/k8s-install/create-nodes-lb/ec2-node/_index.md rename to content/rancher/v2.x/en/installation/options/ec2-node/_index.md index 0321861e458..0df051accda 100644 --- a/content/rancher/v2.x/en/installation/k8s-install/create-nodes-lb/ec2-node/_index.md +++ b/content/rancher/v2.x/en/installation/options/ec2-node/_index.md 
@@ -9,6 +9,8 @@ If the Rancher server will be installed on an RKE Kubernetes cluster, you should If the Rancher server will be installed on a K3s Kubernetes cluster, you only need to provision two instances. +If the Rancher server is installed in a single Docker container, you only need one instance. + ### 1. Optional Preparation - **Create IAM role:** To allow Rancher to manipulate AWS resources, such as provisioning new storage or new nodes, you will need to configure Amazon as a cloud provider. There are several things you'll need to do to set up the cloud provider on EC2, but part of this process is setting up an IAM role for the Rancher server nodes. For the full details on setting up the cloud provider, refer to this [page.]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/options/cloud-providers/) diff --git a/content/rancher/v2.x/en/installation/k8s-install/create-nodes-lb/nginx/_index.md b/content/rancher/v2.x/en/installation/options/nginx/_index.md similarity index 98% rename from content/rancher/v2.x/en/installation/k8s-install/create-nodes-lb/nginx/_index.md rename to content/rancher/v2.x/en/installation/options/nginx/_index.md index 30af71c22c1..02beb3f87ae 100644 --- a/content/rancher/v2.x/en/installation/k8s-install/create-nodes-lb/nginx/_index.md +++ b/content/rancher/v2.x/en/installation/options/nginx/_index.md @@ -3,6 +3,7 @@ title: Setting up an NGINX Load Balancer weight: 270 aliases: - /rancher/v2.x/en/installation/ha/create-nodes-lb/nginx + - /rancher/v2.x/en/installation/k8s-install/create-nodes-lb/nginx --- NGINX will be configured as Layer 4 load balancer (TCP) that forwards connections to one of your Rancher nodes. 
diff --git a/content/rancher/v2.x/en/installation/k8s-install/create-nodes-lb/nlb/_index.md b/content/rancher/v2.x/en/installation/options/nlb/_index.md similarity index 95% rename from content/rancher/v2.x/en/installation/k8s-install/create-nodes-lb/nlb/_index.md rename to content/rancher/v2.x/en/installation/options/nlb/_index.md index 36032575e8a..35d00153769 100644 --- a/content/rancher/v2.x/en/installation/k8s-install/create-nodes-lb/nlb/_index.md +++ b/content/rancher/v2.x/en/installation/options/nlb/_index.md 
@@ -1,15 +1,16 @@ --- -title: Setting up an Amazon NLB Load Balancer +title: Setting up an Amazon ELB Network Load Balancer weight: 277 aliases: - /rancher/v2.x/en/installation/ha/create-nodes-lb/nlb + - /rancher/v2.x/en/installation/k8s-install/create-nodes-lb/nlb --- -This how-to guide describes how to set up a load balancer in Amazon's EC2 service that will direct traffic to multiple instances on EC2. +This how-to guide describes how to set up a Network Load Balancer (NLB) in Amazon's EC2 service that will direct traffic to multiple instances on EC2. These examples show the load balancer being configured to direct traffic to three Rancher server nodes. If Rancher is installed on an RKE Kubernetes cluster, three nodes are required. If Rancher is installed on a K3s Kubernetes cluster, only two nodes are required. -> **Note:** Rancher only supports using the Amazon NLB when terminating traffic in `tcp` mode for port 443 rather than `tls` mode. This is due to the fact that the NLB does not inject the correct headers into requests when terminated at the NLB. This means that if you want to use certificates managed by the Amazon Certificate Manager (ACM), you should use an ELB or ALB. +> **Note:** Rancher only supports using the Amazon NLB when terminating traffic in `tcp` mode for port 443 rather than `tls` mode. This is due to the fact that the NLB does not inject the correct headers into requests when terminated at the NLB. This means that if you want to use certificates managed by the Amazon Certificate Manager (ACM), you should use an ALB. Configuring an Amazon NLB is a multistage process: diff --git a/content/rancher/v2.x/en/installation/k8s-install/create-nodes-lb/rds/_index.md b/content/rancher/v2.x/en/installation/options/rds/_index.md similarity index 100% rename from content/rancher/v2.x/en/installation/k8s-install/create-nodes-lb/rds/_index.md rename to content/rancher/v2.x/en/installation/options/rds/_index.md 
diff --git a/content/rancher/v2.x/en/installation/other-installation-methods/single-node-docker/single-node-install-external-lb/_index.md b/content/rancher/v2.x/en/installation/options/single-node-install-external-lb/_index.md similarity index 90% rename from content/rancher/v2.x/en/installation/other-installation-methods/single-node-docker/single-node-install-external-lb/_index.md rename to content/rancher/v2.x/en/installation/options/single-node-install-external-lb/_index.md index cbc9d67ab9f..c2aa176b058 100644 --- a/content/rancher/v2.x/en/installation/other-installation-methods/single-node-docker/single-node-install-external-lb/_index.md +++ b/content/rancher/v2.x/en/installation/options/single-node-install-external-lb/_index.md 
@@ -1,11 +1,16 @@ --- -title: Docker Install with External Load Balancer +title: Docker Install with TLS Termination at Layer-7 NGINX Load Balancer weight: 252 aliases: - /rancher/v2.x/en/installation/single-node/single-node-install-external-lb/ + - /rancher/v2.x/en/installation/other-installation-methods/single-node-docker/single-node-install-external-lb --- -For development and testing environments that have a special requirement to terminate TLS/SSL at a load balancer instead of your Rancher Server container, deploy Rancher and configure a load balancer to work with it conjunction. This install procedure walks you through deployment of Rancher using a single container, and then provides a sample configuration for a layer 7 Nginx load balancer. +For development and testing environments that have a special requirement to terminate TLS/SSL at a load balancer instead of your Rancher Server container, deploy Rancher and configure a load balancer to work with it conjunction. + +A layer-7 load balancer can be beneficial if you want to centralize your TLS termination in your infrastructure. Layer-7 load balancing also offers the capability for your load balancer to make decisions based on HTTP attributes such as cookies, etc. that a layer-4 load balancer is not able to concern itself with. + +This install procedure walks you through deployment of Rancher using a single container, and then provides a sample configuration for a layer-7 NGINX load balancer. > **Want to skip the external load balancer?** > See [Docker Installation]({{}}/rancher/v2.x/en/installation/single-node) instead. @@ -98,11 +103,11 @@ The load balancer or proxy has to be configured to support the following: | `X-Forwarded-Proto` | `https` | To identify the protocol that a client used to connect to the load balancer or proxy.

    **Note:** If this header is present, `rancher/rancher` does not redirect HTTP to HTTPS. | `X-Forwarded-Port` | Port used to reach Rancher. | To identify the protocol that client used to connect to the load balancer or proxy. | `X-Forwarded-For` | IP of the client connection. | To identify the originating IP address of a client. -### Example Nginx configuration +### Example NGINX configuration This NGINX configuration is tested on NGINX 1.14. -> **Note:** This Nginx configuration is only an example and may not suit your environment. For complete documentation, see [NGINX Load Balancing - HTTP Load Balancing](https://docs.nginx.com/nginx/admin-guide/load-balancer/http-load-balancer/). +> **Note:** This NGINX configuration is only an example and may not suit your environment. For complete documentation, see [NGINX Load Balancing - HTTP Load Balancing](https://docs.nginx.com/nginx/admin-guide/load-balancer/http-load-balancer/). - Replace `rancher-server` with the IP address or hostname of the node running the Rancher container. - Replace both occurrences of `FQDN` to the DNS name for Rancher. @@ -192,9 +197,9 @@ If you are visiting this page to complete an [Air Gap Installation]({{} {{< persistentdata >}} -This layer 7 Nginx configuration is tested on Nginx version 1.13 (mainline) and 1.14 (stable). +This layer 7 NGINX configuration is tested on NGINX version 1.13 (mainline) and 1.14 (stable). -> **Note:** This Nginx configuration is only an example and may not suit your environment. For complete documentation, see [NGINX Load Balancing - TCP and UDP Load Balancer](https://docs.nginx.com/nginx/admin-guide/load-balancer/tcp-udp-load-balancer/). +> **Note:** This NGINX configuration is only an example and may not suit your environment. For complete documentation, see [NGINX Load Balancing - TCP and UDP Load Balancer](https://docs.nginx.com/nginx/admin-guide/load-balancer/tcp-udp-load-balancer/). ``` upstream rancher { 
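Review bot: The first added paragraph carries over "to work with it conjunction" from the removed line; it should read "to work in conjunction with it". The new paragraphs also write "layer-7" while the last hunk adds "This layer 7 NGINX configuration"; pick one spelling while the NGINX casing is being normalized.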
diff --git a/content/rancher/v2.x/en/installation/other-installation-methods/air-gap/_index.md b/content/rancher/v2.x/en/installation/other-installation-methods/air-gap/_index.md index 0ebdced73b0..267d1e6634f 100644 --- a/content/rancher/v2.x/en/installation/other-installation-methods/air-gap/_index.md +++ b/content/rancher/v2.x/en/installation/other-installation-methods/air-gap/_index.md 
@@ -9,29 +9,19 @@ aliases: This section is about installations of Rancher server in an air gapped environment. An air gapped environment could be where Rancher server will be installed offline, behind a firewall, or behind a proxy. -Throughout the installations instructions, there will be _tabs_ for either a high availability Kubernetes installation or a single-node Docker installation. +The steps to install Rancher differ depending on whether Rancher is installed on an RKE Kubernetes cluster, a K3s Kubernetes cluster, or a single Docker container. -### Air Gapped Kubernetes Installations +For more information on each installation option, refer to [this page.]({{}}/rancher/v2.x/en/installation/) -This section covers how to install Rancher on a Kubernetes cluster in an air gapped environment. - -A Kubernetes install is composed of three nodes running the Rancher server components on a Kubernetes cluster. The persistence layer (etcd) is also replicated on these three nodes, providing redundancy and data duplication in case one of the nodes fails. - -### Air Gapped Docker Installations - -These instructions also cover how to install Rancher on a single node in an air gapped environment. - -The Docker installation is for Rancher users that are wanting to test out Rancher. Instead of running on a Kubernetes cluster, you install the Rancher server component on a single node using a `docker run` command. Since there is only one node and a single Docker container, if the node goes down, there is no copy of the etcd data available on other nodes and you will lose all the data of your Rancher server. +Throughout the installation instructions, there will be _tabs_ for each installation option. > **Important:** If you install Rancher following the Docker installation guide, there is no upgrade path to transition your Docker Installation to a Kubernetes Installation. 
-Instead of running the Docker installation, you have the option to follow the Kubernetes Install guide, but only use one node to install Rancher. Afterwards, you can scale up the etcd nodes in your Kubernetes cluster to make it a Kubernetes Installation. - # Installation Outline -- [1. Prepare your Node(s)]({{}}/rancher/v2.x/en/installation/other-installation-methods/air-gap/prepare-nodes/) -- [2. Collect and Publish Images to your Private Registry]({{}}/rancher/v2.x/en/installation/other-installation-methods/air-gap/populate-private-registry/) -- [3. Launch a Kubernetes Cluster with RKE]({{}}/rancher/v2.x/en/installation/other-installation-methods/air-gap/launch-kubernetes/) +- [1. Set up infrastructure and private registry]({{}}/rancher/v2.x/en/installation/other-installation-methods/air-gap/prepare-nodes/) +- [2. Collect and publish images to your private registry]({{}}/rancher/v2.x/en/installation/other-installation-methods/air-gap/populate-private-registry/) +- [3. Set up a Kubernetes cluster (Skip this step for Docker installations)]({{}}/rancher/v2.x/en/installation/other-installation-methods/air-gap/launch-kubernetes/) - [4. Install Rancher]({{}}/rancher/v2.x/en/installation/other-installation-methods/air-gap/install-rancher/) ### [Next: Prepare your Node(s)]({{}}/rancher/v2.x/en/installation/other-installation-methods/air-gap/prepare-nodes/) diff --git a/content/rancher/v2.x/en/installation/other-installation-methods/air-gap/launch-kubernetes/_index.md b/content/rancher/v2.x/en/installation/other-installation-methods/air-gap/launch-kubernetes/_index.md index 36aa73e5fc8..b7e6d5194b5 100644 --- a/content/rancher/v2.x/en/installation/other-installation-methods/air-gap/launch-kubernetes/_index.md +++ b/content/rancher/v2.x/en/installation/other-installation-methods/air-gap/launch-kubernetes/_index.md 
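Review bot: The outline renames step 1 to "Set up infrastructure and private registry", but the unchanged footer link still reads "Next: Prepare your Node(s)"; update it so the two labels match. The deleted "Air Gapped Docker Installations" section also held the only warning on this page that a single-node Docker install loses all Rancher server data if the node goes down. Keep a one-line version of it next to the remaining "Important" note, or confirm that the linked installation page states it.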
@@ -1,21 +1,165 @@ --- -title: '3. Install Kubernetes with RKE (Kubernetes Installs Only)' +title: '3. Install Kubernetes (Skip for Docker installs)' weight: 300 aliases: - /rancher/v2.x/en/installation/air-gap-high-availability/install-kube --- -This section is about how to prepare to launch a Kubernetes cluster which is used to deploy Rancher server for your air gapped environment. +This section describes how to install a Kubernetes cluster according to our [best practices for the Rancher server environment.]({{}}/rancher/v2.x/en/overview/architecture-recommendations/#environment-for-kubernetes-installations) This cluster should be dedicated to run only the Rancher server. -Since a Kubernetes Installation requires a Kubernetes cluster, we will create a Kubernetes cluster using [Rancher Kubernetes Engine]({{}}/rke/latest/en/) (RKE). Before being able to start your Kubernetes cluster, you'll need to [install RKE]({{}}/rke/latest/en/installation/) and create a RKE config file. +For Rancher prior to v2.4, Rancher should be installed on an [RKE]({{}}/rke/latest/en/) (Rancher Kubernetes Engine) Kubernetes cluster. RKE is a CNCF-certified Kubernetes distribution that runs entirely within Docker containers. -- [A. Create an RKE Config File](#a-create-an-rke-config-file) -- [B. Run RKE](#b-run-rke) -- [C. Save Your Files](#c-save-your-files) +As of Rancher v2.4, the Rancher management server can be installed on either an RKE cluster or a K3s Kubernetes cluster. K3s is also a fully certified Kubernetes distribution released by Rancher, but is newer than RKE. We recommend installing Rancher on K3s because K3s is easier to use, and more lightweight, with a binary size of less than 50 MB. Note: After Rancher is installed on an RKE cluster, there is no migration path to a K3s setup at this time. -### A. Create an RKE Config File +The Rancher management server can only be run on Kubernetes cluster in an infrastructure provider where Kubernetes is installed using RKE or K3s. 
Use of Rancher on hosted Kubernetes providers, such as EKS, is not supported. -From a system that can access ports 22/tcp and 6443/tcp on your host nodes, use the sample below to create a new file named `rancher-cluster.yml`. This file is a Rancher Kubernetes Engine configuration file (RKE config file), which is a configuration for the cluster you're deploying Rancher to. +The steps to set up an air-gapped Kubernetes cluster depend on whether RKE or K3s is used to install Kubernetes. + +{{% tabs %}} +{{% tab "K3s" %}} + +### 1. Install Kubernetes and Set up the K3s Server + + +In this guide, we are assuming you have created your nodes in your air-gap environment and have a secure Docker private registry on your bastion server. + +# Installation Outline + +1. [Prepare Images Directory](#1-prepare-images-directory) +2. [Create Registry YAML](#2-create-registry-YAML) +3. [Install K3s](#3-install-k3s) +4. [Confirm that K3s is Running](#4-confirm-that-k3s-is-running) +5. [Save and Start Using the kubeconfig File](#5-save-and-start-using-the-kubeconfig-file) +6. [Check the Health of Your Cluster Pods](#6-check-the-health-of-your-cluster-pods) + +### 1. Prepare Images Directory +Obtain the images tar file for your architecture from the [releases](https://github.com/rancher/k3s/releases) page for the version of K3s you will be running. + +Place the tar file in the `images` directory before starting K3s on each node, for example: + +```sh +sudo mkdir -p /var/lib/rancher/k3s/agent/images/ +sudo cp ./k3s-airgap-images-$ARCH.tar /var/lib/rancher/k3s/agent/images/ +``` + +### 2. Create Registry YAML +Create the registries.yaml file at `/etc/rancher/k3s/registries.yaml`. This will tell K3s the necessary details to connect to your private registry. 
+The registries.yaml file should look like this before plugging in the necessary information: + +``` +--- +mirrors: + customreg: + endpoint: + - "https://ip-to-server:5000" +configs: + customreg: + auth: + username: xxxxxx # this is the registry username + password: xxxxxx # this is the registry password + tls: + cert_file: + key_file: + ca_file: +``` + +Note, at this time only secure registries are supported with K3s (SSL with custom CA) + +### 3. Install K3s + +Obtain the K3s binary from the [releases](https://github.com/rancher/k3s/releases) page, matching the same version used to get the airgap images tar. +Also obtain the K3s install script at https://get.k3s.io + +Place the binary in `/usr/local/bin` on each node. +Place the install script anywhere on each node, name it `install.sh`. + +Install K3s on each server: + +``` +INSTALL_K3S_SKIP_DOWNLOAD=true ./install.sh +``` + +Install K3s on each agent: + +``` +INSTALL_K3S_SKIP_DOWNLOAD=true K3S_URL=https://myserver:6443 K3S_TOKEN=mynodetoken ./install.sh +``` + +Note, take care to ensure you replace `myserver` with the IP or valid DNS of the server and replace `mynodetoken` with the node-token from the server. +The node-token is on the server at `/var/lib/rancher/k3s/server/node-token` + + +>**Note:** K3s additionally provides a `--resolv-conf` flag for kubelets, which may help with configuring DNS in air-gap networks. + + + +### 4. Confirm that K3s is Running + +Placeholder + +### 5. Save and Start Using the kubeconfig File + +When you installed K3s on each Rancher server node, a `kubeconfig` file was created on the node at `/etc/rancher/k3s/k3s.yaml`. This file contains credentials for full access to the cluster, and you should save this file in a secure location. + +To use this `kubeconfig` file, + +1. Install [kubectl,](https://kubernetes.io/docs/tasks/tools/install-kubectl/#install-kubectl) a Kubernetes command-line tool. +2. 
Copy the file at `/etc/rancher/k3s/k3s.yaml` and save it to the directory `~/.kube/config` on your local machine. +3. In the kubeconfig file, the `server` directive is defined as localhost. Configure the server as the DNS of your load balancer, referring to port 6443. (The Kubernetes API server will be reached at port 6443, while the Rancher server will be reached at ports 80 and 443.) Here is an example `k3s.yaml`: + +``` +apiVersion: v1 +clusters: +- cluster: + certificate-authority-data: [CERTIFICATE-DATA] + server: [LOAD-BALANCER-DNS]:6443 # Edit this line + name: default +contexts: +- context: + cluster: default + user: default + name: default +current-context: default +kind: Config +preferences: {} +users: +- name: default + user: + password: [PASSWORD] + username: admin +``` + +**Result:** You can now use `kubectl` to manage your K3s cluster. If you have more than one kubeconfig file, you can specify which one you want to use by passing in the path to the file when using `kubectl`: + +``` +kubectl --kubeconfig ~/.kube/config/k3s.yaml get pods --all-namespaces +``` + +For more information about the `kubeconfig` file, refer to the [K3s documentation]({{}}/k3s/latest/en/cluster-access/) or the [official Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/) about organizing cluster access using `kubeconfig` files. + +### 6. Check the Health of Your Cluster Pods + + +### Note on Upgrading + +Upgrading an air-gap environment can be accomplished in the following manner: + +1. Download the new air-gap images (tar file) from the [releases](https://github.com/rancher/k3s/releases) page for the version of K3s you will be upgrading to. Place the tar in the `/var/lib/rancher/k3s/agent/images/` directory on each node. Delete the old tar file. +2. Copy and replace the old K3s binary in `/usr/local/bin` on each node. 
Copy over the install script at https://get.k3s.io (as it is possible it has changed since the last release). Run the script again just as you had done in the past with the same environment variables. +3. Restart the K3s service (if not restarted automatically by installer). +{{% /tab %}} +{{% tab "RKE" %}} +We will create a Kubernetes cluster using Rancher Kubernetes Engine (RKE). Before being able to start your Kubernetes cluster, you’ll need to install RKE and create a RKE config file. + +### 1. Install RKE + +Install RKE by following the instructions in the [RKE documentation.]({{}}/rke/latest/en/installation/) + +### 2. Create an RKE Config File + +From a system that can access ports 22/TCP and 6443/TCP on the Linux host node(s) that you set up in a previous step, use the sample below to create a new file named `rancher-cluster.yml`. + +This file is an RKE configuration file, which is a configuration for the cluster you're deploying Rancher to. Replace values in the code sample below with help of the _RKE Options_ table. Use the IP address or DNS names of the [3 nodes]({{}}/rancher/v2.x/en/installation/air-gap-high-availability/provision-hosts) you created. 
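Review bot: In the K3s tab, "### 4. Confirm that K3s is Running" contains only the word "Placeholder" and "### 6. Check the Health of Your Cluster Pods" has no body, although both are linked from the outline; fill them in or drop them before merging. The sample `registries.yaml` stores the registry username and password in plain text, so state that the file should be readable by root only, and note that the agent command passes `K3S_TOKEN` inline, where it lands in shell history. The install step moves the K3s binary, the images tar and `install.sh` into the air gap without any integrity check; add a verification step before the files are copied to the nodes. The outline anchor `#2-create-registry-YAML` is mixed case and will probably not match the generated heading id, and step 2 of the kubeconfig instructions calls `~/.kube/config` a directory although it is kubectl's default kubeconfig file.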
@@ -25,11 +169,11 @@ Replace values in the code sample below with help of the _RKE Options_ table. Us | Option | Required | Description | | ------------------ | -------------------- | --------------------------------------------------------------------------------------- | -| `address` | ✓ | The DNS or IP address for the node within the air gap network. | -| `user` | ✓ | A user that can run docker commands. | +| `address` | ✓ | The DNS or IP address for the node within the air gapped network. | +| `user` | ✓ | A user that can run Docker commands. | | `role` | ✓ | List of Kubernetes roles assigned to the node. | | `internal_address` | optional1 | The DNS or IP address used for internal cluster traffic. | -| `ssh_key_path` | | Path to SSH private key used to authenticate to the node (defaults to `~/.ssh/id_rsa`). | +| `ssh_key_path` | | Path to the SSH private key used to authenticate to the node (defaults to `~/.ssh/id_rsa`). | > 1 Some services like AWS EC2 require setting the `internal_address` if you want to use self-referencing security groups or firewalls. @@ -58,7 +202,7 @@ private_registries: is_default: true ``` -### B. Run RKE +### 3. Run RKE After configuring `rancher-cluster.yml`, bring up your Kubernetes cluster: @@ -66,7 +210,7 @@ After configuring `rancher-cluster.yml`, bring up your Kubernetes cluster: rke up --config ./rancher-cluster.yml ``` -### C. Save Your Files +### 4. Save Your Files > **Important** > The files mentioned below are needed to maintain, troubleshoot and upgrade your cluster. 
@@ -76,6 +220,8 @@ Save a copy of the following files in a secure location: - `rancher-cluster.yml`: The RKE cluster configuration file. - `kube_config_rancher-cluster.yml`: The [Kubeconfig file]({{}}/rke/latest/en/kubeconfig/) for the cluster, this file contains credentials for full access to the cluster. - `rancher-cluster.rkestate`: The [Kubernetes Cluster State file]({{}}/rke/latest/en/installation/#kubernetes-cluster-state), this file contains the current state of the cluster including the RKE configuration and the certificates.

    _The Kubernetes Cluster State file is only created when using RKE v0.2.0 or higher._ +{{% /tab %}} +{{% /tabs %}} > **Note:** The "rancher-cluster" parts of the two latter file names are dependent on how you name the RKE cluster configuration file. @@ -87,4 +233,4 @@ See the [Troubleshooting]({{}}/rancher/v2.x/en/installation/options/tro See the [Troubleshooting]({{}}/rancher/v2.x/en/installation/options/troubleshooting/) page. -### [Next: Install Rancher]({{}}/rancher/v2.x/en/installation/other-installation-methods/air-gap/install-rancher) +### [Next: Install Rancher](./install-rancher) diff --git a/content/rancher/v2.x/en/installation/other-installation-methods/air-gap/populate-private-registry/_index.md b/content/rancher/v2.x/en/installation/other-installation-methods/air-gap/populate-private-registry/_index.md index 4e2dc902c30..954280bc28b 100644 --- a/content/rancher/v2.x/en/installation/other-installation-methods/air-gap/populate-private-registry/_index.md +++ b/content/rancher/v2.x/en/installation/other-installation-methods/air-gap/populate-private-registry/_index.md 
@@ -16,7 +16,7 @@ By default, all images used to [provision Kubernetes clusters]({{}}/ran This section describes how to set up your private registry so that when you install Rancher, Rancher will pull all the required images from this registry. -By default, we provide the steps of how to populate your private registry assuming you are provisioning Linux only clusters, but if you plan on provisioning any [Windows clusters]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/windows-clusters/), there are separate instructions to support the images needed for a Windows cluster. +By default, we provide the steps of how to populate your private registry assuming that Rancher will provision downstream Kubernetes clusters with only Linux nodes. But if you plan on provisioning any [downstream Kubernetes clusters using Windows nodes]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/windows-clusters/), there are separate instructions to support the images needed. {{% tabs %}} {{% tab "Linux Only Clusters" %}} @@ -46,7 +46,7 @@ These steps expect you to use a Linux workstation that has internet access, acce ### B. Collect all the required images (For Kubernetes Installs using Rancher Generated Self-Signed Certificate) -In a Kubernetes Install, if you elect to use the Rancher default self-signed TLS certificates, you must add the [`cert-manager`](https://hub.helm.sh/charts/jetstack/cert-manager) image to `rancher-images.txt` as well. You skip this step if you are using you using your own certificates. +In a Kubernetes Install, if you elect to use the Rancher default self-signed TLS certificates, you must add the [`cert-manager`](https://hub.helm.sh/charts/jetstack/cert-manager) image to `rancher-images.txt` as well. You skip this step if you are using your own certificates, or if you are terminating TLS on an external load balancer. 1. Fetch the latest `cert-manager` Helm chart and parse the template for image details: 
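Review bot: in the cert-manager step (@@ -46,7 +46,7 @@), the corrected sentence "You skip this step if you are using your own certificates, or if you are terminating TLS on an external load balancer" still reads as a statement rather than an instruction; "Skip this step if ..." or "You can skip this step if ..." would be clearer. Since prepare-nodes/_index.md in this patch tells readers to pass `--set tls=external` when TLS is terminated on a layer-7 load balancer, linking to that same chart option here would tie the two cases together.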
@@ -281,6 +281,6 @@ The image list, `rancher-images.txt` or `rancher-windows-images.txt`, is expecte {{% /tab %}} {{% /tabs %}} -### [Next: Kubernetes Installs - Launch a Kubernetes Cluster with RKE]({{}}/rancher/v2.x/en/installation/other-installation-methods/air-gap/launch-kubernetes/) +### [Next step for Kubernetes Installs - Launch a Kubernetes Cluster]({{}}/rancher/v2.x/en/installation/other-installation-methods/air-gap/launch-kubernetes/) -### [Next: Docker Installs - Install Rancher]({{}}/rancher/v2.x/en/installation/other-installation-methods/air-gap/install-rancher/) +### [Next step for Docker Installs - Install Rancher]({{}}/rancher/v2.x/en/installation/other-installation-methods/air-gap/install-rancher/) diff --git a/content/rancher/v2.x/en/installation/other-installation-methods/air-gap/prepare-nodes/_index.md b/content/rancher/v2.x/en/installation/other-installation-methods/air-gap/prepare-nodes/_index.md index 791d25bfa4b..657a6d70653 100644 --- a/content/rancher/v2.x/en/installation/other-installation-methods/air-gap/prepare-nodes/_index.md +++ b/content/rancher/v2.x/en/installation/other-installation-methods/air-gap/prepare-nodes/_index.md 
@@ -1,102 +1,168 @@ --- -title: '1. Prepare your Node(s)' +title: '1. Set up Infrastructure and Private Registry' weight: 100 aliases: - /rancher/v2.x/en/installation/air-gap-single-node/provision-host --- -This section is about how to prepare your node(s) to install Rancher for your air gapped environment. An air gapped environment could be where Rancher server will be installed offline, behind a firewall, or behind a proxy. There are _tabs_ for either a high availability (recommended) or a Docker installation. +In this section, you will provision the underlying infrastructure for your Rancher management server in an air gapped environment. You will also set up the private Docker registry that must be available to your Rancher node(s). -# Prerequisites +An air gapped environment is an environment where the Rancher server is installed offline or behind a firewall. + +The infrastructure depends on whether you are installing Rancher on a K3s Kubernetes cluster, an RKE Kubernetes cluster, or a single Docker container. For more information on each installation option, refer to [this page.]({{}}/rancher/v2.x/en/installation/) {{% tabs %}} -{{% tab "Kubernetes Install (Recommended)" %}} +{{% tab "K3s" %}} +We recommend setting up the following infrastructure: -### OS, Docker, Hardware, and Networking +- **Two Linux nodes,** typically virtual machines, in the infrastructure provider of your choice. +- **An external database** to store the cluster data. PostgreSQL, MySQL, and etcd are supported. +- **A load balancer** to direct traffic to the two nodes. +- **A DNS record** to map a URL to the load balancer. This will become the Rancher server URL. +- **A private Docker registry** to distribute Docker images to your machines. -Make sure that your node(s) fulfill the general [installation requirements.]({{}}/rancher/v2.x/en/installation/requirements/) - -### Private Registry - -Rancher supports air gap installs using a private registry. 
You must have your own private registry or other means of distributing Docker images to your machines. - -If you need help with creating a private registry, please refer to the [Docker documentation](https://docs.docker.com/registry/). - -### CLI Tools - -The following CLI tools are required for the Kubernetes Install. Make sure these tools are installed on your workstation and available in your `$PATH`. - -- [kubectl](https://kubernetes.io/docs/tasks/tools/install-kubectl/#install-kubectl) - Kubernetes command-line tool. -- [rke]({{}}/rke/latest/en/installation/) - Rancher Kubernetes Engine, cli for building Kubernetes clusters. -- [helm](https://docs.helm.sh/using_helm/#installing-helm) - Package management for Kubernetes. Refer to the [Helm version requirements]({{}}/rancher/v2.x/en/installation/options/helm-version) to choose a version of Helm to install Rancher. - -{{% /tab %}} -{{% tab "Docker Install" %}} - -### OS, Docker, Hardware, and Networking - -Make sure that your node(s) fulfill the general [installation requirements.]({{}}/rancher/v2.x/en/installation/requirements/) - -### Private Registry - -Rancher supports air gap installs using a private registry. You must have your own private registry or other means of distributing Docker images to your machines. - -If you need help with creating a private registry, please refer to the [Docker documentation](https://docs.docker.com/registry/). -{{% /tab %}} -{{% /tabs %}} - -# Set up Infrastructure - -{{% tabs %}} -{{% tab "Kubernetes Install (Recommended)" %}} - -Rancher recommends installing Rancher on a Kubernetes cluster. A highly available Kubernetes install is comprised of three nodes running the Rancher server components on a Kubernetes cluster. The persistence layer (etcd) is also replicated on these three nodes, providing redundancy and data duplication in case one of the nodes fails. 
- -### Recommended Architecture - -- DNS for Rancher should resolve to a layer 4 load balancer -- The Load Balancer should forward port TCP/80 and TCP/443 to all 3 nodes in the Kubernetes cluster. -- The Ingress controller will redirect HTTP to HTTPS and terminate SSL/TLS on port TCP/443. -- The Ingress controller will forward traffic to port TCP/80 on the pod in the Rancher deployment. - -
    Rancher installed on a Kubernetes cluster with layer 4 load balancer, depicting SSL termination at ingress controllers
    - -![Rancher HA]({{}}/img/rancher/ha/rancher2ha.svg) - -### A. Provision three air gapped Linux hosts according to our requirements +### 1. Set up Linux Nodes These hosts will be disconnected from the internet, but require being able to connect with your private registry. -View hardware and software requirements for each of your cluster nodes in [Requirements]({{}}/rancher/v2.x/en/installation/requirements). +Make sure that your nodes fulfill the general installation requirements for [OS, Docker, hardware, and networking.]({{}}/rancher/v2.x/en/installation/requirements/) -### B. Set up your Load Balancer +For an example of one way to set up Linux nodes, refer to this [tutorial]({{}}/rancher/v2.x/en/installation/options/ec2-node) for setting up nodes as instances in Amazon EC2. -When setting up the Kubernetes cluster that will run the Rancher server components, an Ingress controller pod will be deployed on each of your nodes. The Ingress controller pods are bound to ports TCP/80 and TCP/443 on the host network and are the entry point for HTTPS traffic to the Rancher server. +### 2. Set up External Datastore -You will need to configure a load balancer as a basic Layer 4 TCP forwarder to direct traffic to these ingress controller pods. The exact configuration will vary depending on your environment. +The ability to run Kubernetes using a datastore other than etcd sets K3s apart from other Kubernetes distributions. This feature provides flexibility to Kubernetes operators. The available options allow you to select a datastore that best fits your use case. 
+ +For a high-availability K3s installation, you will need to set up one of the following external databases: + +* [PostgreSQL](https://www.postgresql.org/) (certified against versions 10.7 and 11.5) +* [MySQL](https://www.mysql.com/) (certified against version 5.7) +* [etcd](https://etcd.io/) (certified against version 3.3.15) + +When you install Kubernetes, you will pass in details for K3s to connect to the database. + +For an example of one way to set up the database, refer to this [tutorial]({{}}/rancher/v2.x/en/installation/options/rds) for setting up a MySQL database on Amazon's RDS service. + +For the complete list of options that are available for configuring a K3s cluster datastore, refer to the [K3s documentation.]({{}}/k3s/latest/en/installation/datastore/) + +### 3. Set up the Load Balancer + +You will also need to set up a load balancer to direct traffic to the Rancher replica on both nodes. That will prevent an outage of any single node from taking down communications to the Rancher management server. + +When Kubernetes gets set up in a later step, the K3s tool will deploy a Traefik Ingress controller. This controller will listen on ports 80 and 443 of the worker nodes, answering traffic destined for specific hostnames. + +When Rancher is installed (also in a later step), the Rancher system creates an Ingress resource. That Ingress tells the Traefik Ingress controller to listen for traffic destined for the Rancher hostname. The Traefik Ingress controller, when receiving traffic destined for the Rancher hostname, will forward that traffic to the running Rancher pods in the cluster. + +For your implementation, consider if you want or need to use a Layer-4 or Layer-7 load balancer: + +- **A layer-4 load balancer** is the simpler of the two choices, in which you are forwarding TCP traffic to your nodes. We recommend configuring your load balancer as a Layer 4 balancer, forwarding traffic to ports TCP/80 and TCP/443 to the Rancher management cluster nodes. 
The Ingress controller on the cluster will redirect HTTP traffic to HTTPS and terminate SSL/TLS on port TCP/443. The Ingress controller will forward traffic to port TCP/80 to the Ingress pod in the Rancher deployment. +- **A layer-7 load balancer** is a bit more complicated but can offer features that you may want. For instance, a layer-7 load balancer is capable of handling TLS termination at the load balancer, as opposed to Rancher doing TLS termination itself. This can be beneficial if you want to centralize your TLS termination in your infrastructure. Layer-7 load balancing also offers the capability for your load balancer to make decisions based on HTTP attributes such as cookies, etc. that a layer-4 load balancer is not able to concern itself with. If you decide to terminate the SSL/TLS traffic on a layer-7 load balancer, you will need to use the `--set tls=external` option when installing Rancher in a later step. For more information, refer to the [Rancher Helm chart options.]({{}}/rancher/v2.x/en/installation/options/chart-options/#external-tls-termination) + +For an example showing how to set up an NGINX load balancer, refer to [this page.]({{}}/rancher/v2.x/en/installation/options/nginx/) + +For a how-to guide for setting up an Amazon ELB Network Load Balancer, refer to [this page.]({{}}/rancher/v2.x/en/installation/options/nlb/) > **Important:** -> Only use this load balancer (i.e, the `local` cluster Ingress) to load balance the Rancher server. Sharing this Ingress with other applications may result in websocket errors to Rancher following Ingress configuration reloads for other apps. +> Do not use this load balancer (i.e, the `local` cluster Ingress) to load balance applications other than Rancher following installation. Sharing this Ingress with other applications may result in websocket errors to Rancher following Ingress configuration reloads for other apps. We recommend dedicating the `local` cluster to Rancher and no other applications. 
-**Load Balancer Configuration Samples:** +### 4. Set up the DNS Record -- For an example showing how to set up an NGINX load balancer, refer to [this page.]({{}}/rancher/v2.x/en/installation/k8s-install/create-nodes-lb/nginx) -- For an example showing how to set up an Amazon NLB load balancer, refer to [this page.]({{}}/rancher/v2.x/en/installation/k8s-install/create-nodes-lb/nlb) +Once you have set up your load balancer, you will need to create a DNS record to send traffic to this load balancer. +Depending on your environment, this may be an A record pointing to the load balancer IP, or it may be a CNAME pointing to the load balancer hostname. In either case, make sure this record is the hostname that you intend Rancher to respond on. + +You will need to specify this hostname in a later step when you install Rancher, and it is not possible to change it later. Make sure that your decision is a final one. + +For a how-to guide for setting up a DNS record to route domain traffic to an Amazon ELB load balancer, refer to the [official AWS documentation.](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/routing-to-elb-load-balancer) + +### 5. Set up a Private Docker Registry + +Rancher supports air gap installs using a private registry. You must have your own private registry or other means of distributing Docker images to your machines. + +If you need help with creating a private registry, please refer to the [official Docker documentation.](https://docs.docker.com/registry/) {{% /tab %}} -{{% tab "Docker Install" %}} +{{% tab "RKE" %}} -The Docker installation is for Rancher users that are wanting to test out Rancher. Instead of running on a Kubernetes cluster, you install the Rancher server component on a single node using a `docker run` command. Since there is only one node and a single Docker container, if the node goes down, there is no copy of the etcd data available on other nodes and you will lose all the data of your Rancher server. 
+To install the Rancher management server on a high-availability RKE cluster, we recommend setting up the following infrastructure: -> **Important:** If you install Rancher following the Docker installation guide, there is no upgrade path to transition your Docker installation to a Kubernetes Installation. +- **Three Linux nodes,** typically virtual machines, in an infrastructure provider such as Amazon's EC2, Google Compute Engine, or vSphere. +- **A load balancer** to direct front-end traffic to the three nodes. +- **A DNS record** to map a URL to the load balancer. +- **A private Docker registry** to distribute Docker images to your machines. -Instead of running the Docker installation, you have the option to follow the Kubernetes Install guide, but only use one node to install Rancher. Afterwards, you can scale up the etcd nodes in your Kubernetes cluster to make it a Kubernetes Installation. +These nodes must be in the same region/data center. You may place these servers in separate availability zones. -### A. Provision a single, air gapped Linux host according to our Requirements +### Why three nodes? + +In an RKE cluster, Rancher server data is stored on etcd. This etcd database runs on all three nodes. + +The etcd database requires an odd number of nodes so that it can always elect a leader with a majority of the etcd cluster. If the etcd database cannot elect a leader, etcd can suffer from [split brain](https://www.quora.com/What-is-split-brain-in-distributed-systems), requiring the cluster to be restored from backup. If one of the three etcd nodes fails, the two remaining nodes can elect a leader because they have the majority of the total number of etcd nodes. + +### 1. Set up Linux Nodes These hosts will be disconnected from the internet, but require being able to connect with your private registry. -View hardware and software requirements for each of your cluster nodes in [Requirements]({{}}/rancher/v2.x/en/installation/requirements). 
+Make sure that your nodes fulfill the general installation requirements for [OS, Docker, hardware, and networking.]({{}}/rancher/v2.x/en/installation/requirements/) + +For an example of one way to set up Linux nodes, refer to this [tutorial]({{}}/rancher/v2.x/en/installation/options/ec2-node) for setting up nodes as instances in Amazon EC2. + +### 2. Set up the Load Balancer + +You will also need to set up a load balancer to direct traffic to the Rancher replica on both nodes. That will prevent an outage of any single node from taking down communications to the Rancher management server. + +When Kubernetes gets set up in a later step, the RKE tool will deploy an NGINX Ingress controller. This controller will listen on ports 80 and 443 of the worker nodes, answering traffic destined for specific hostnames. + +When Rancher is installed (also in a later step), the Rancher system creates an Ingress resource. That Ingress tells the NGINX Ingress controller to listen for traffic destined for the Rancher hostname. The NGINX Ingress controller, when receiving traffic destined for the Rancher hostname, will forward that traffic to the running Rancher pods in the cluster. + +For your implementation, consider if you want or need to use a Layer-4 or Layer-7 load balancer: + +- **A layer-4 load balancer** is the simpler of the two choices, in which you are forwarding TCP traffic to your nodes. We recommend configuring your load balancer as a Layer 4 balancer, forwarding traffic to ports TCP/80 and TCP/443 to the Rancher management cluster nodes. The Ingress controller on the cluster will redirect HTTP traffic to HTTPS and terminate SSL/TLS on port TCP/443. The Ingress controller will forward traffic to port TCP/80 to the Ingress pod in the Rancher deployment. +- **A layer-7 load balancer** is a bit more complicated but can offer features that you may want. 
For instance, a layer-7 load balancer is capable of handling TLS termination at the load balancer, as opposed to Rancher doing TLS termination itself. This can be beneficial if you want to centralize your TLS termination in your infrastructure. Layer-7 load balancing also offers the capability for your load balancer to make decisions based on HTTP attributes such as cookies, etc. that a layer-4 load balancer is not able to concern itself with. If you decide to terminate the SSL/TLS traffic on a layer-7 load balancer, you will need to use the `--set tls=external` option when installing Rancher in a later step. For more information, refer to the [Rancher Helm chart options.]({{}}/rancher/v2.x/en/installation/options/chart-options/#external-tls-termination) + +For an example showing how to set up an NGINX load balancer, refer to [this page.]({{}}/rancher/v2.x/en/installation/options/nginx/) + +For a how-to guide for setting up an Amazon ELB Network Load Balancer, refer to [this page.]({{}}/rancher/v2.x/en/installation/options/nlb/) + +> **Important:** +> Do not use this load balancer (i.e, the `local` cluster Ingress) to load balance applications other than Rancher following installation. Sharing this Ingress with other applications may result in websocket errors to Rancher following Ingress configuration reloads for other apps. We recommend dedicating the `local` cluster to Rancher and no other applications. + +### 3. Set up the DNS Record + +Once you have set up your load balancer, you will need to create a DNS record to send traffic to this load balancer. + +Depending on your environment, this may be an A record pointing to the LB IP, or it may be a CNAME pointing to the load balancer hostname. In either case, make sure this record is the hostname that you intend Rancher to respond on. + +You will need to specify this hostname in a later step when you install Rancher, and it is not possible to change it later. Make sure that your decision is a final one. 
+ +For a how-to guide for setting up a DNS record to route domain traffic to an Amazon ELB load balancer, refer to the [official AWS documentation.](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/routing-to-elb-load-balancer) + +### 4. Set up a Private Docker Registry + +Rancher supports air gap installs using a private registry. You must have your own private registry or other means of distributing Docker images to your machines. + +If you need help with creating a private registry, please refer to the [official Docker documentation.](https://docs.docker.com/registry/) + +{{% /tab %}} +{{% tab "Docker" %}} +> The Docker installation is for Rancher users that are wanting to test out Rancher. Since there is only one node and a single Docker container, if the node goes down, you will lose all the data of your Rancher server. +> +> For running Rancher in production, we recommend installing Rancher on a high-availability Kubernetes cluster. There is no upgrade path to transition your Docker installation to a Kubernetes Installation. +> +> If you want to save resources by using a single node in the short term, while preserving a migration path to a high-availability installation, we recommend installing Rancher on a single-node Kubernetes cluster. + +### 1. Set up a Linux Node + +This host will be disconnected from the Internet, but needs to be able to connect to your private registry. + +Make sure that your node fulfills the general installation requirements for [OS, Docker, hardware, and networking.]({{}}/rancher/v2.x/en/installation/requirements/) + +For an example of one way to set up Linux nodes, refer to this [tutorial]({{}}/rancher/v2.x/en/installation/options/ec2-node) for setting up nodes as instances in Amazon EC2. + +### 2. Set up a Private Docker Registry + +Rancher supports air gap installs using a private registry. You must have your own private registry or other means of distributing Docker images to your machines. 
+ +If you need help with creating a private registry, please refer to the [official Docker documentation.](https://docs.docker.com/registry/) {{% /tab %}} {{% /tabs %}} diff --git a/content/rancher/v2.x/en/installation/other-installation-methods/single-node-docker/_index.md b/content/rancher/v2.x/en/installation/other-installation-methods/single-node-docker/_index.md index 2626d4a96f7..ac06ed134eb 100644 --- a/content/rancher/v2.x/en/installation/other-installation-methods/single-node-docker/_index.md +++ b/content/rancher/v2.x/en/installation/other-installation-methods/single-node-docker/_index.md @@ -13,7 +13,7 @@ For development and testing environments only, Rancher can be installed by runni In this installation scenario, you'll install Docker on a single Linux host, and then deploy Rancher on your host using a single Docker container. > **Want to use an external load balancer?** -> See [Docker Install with an External Load Balancer]({{}}/rancher/v2.x/en/installation/other-installation-methods/single-node-docker/single-node-install-external-lb) instead. +> See [Docker Install with an External Load Balancer]({{}}/rancher/v2.x/en/installation/options/single-node-install-external-lb) instead. # Requirements for OS, Docker, Hardware, and Networking diff --git a/content/rancher/v2.x/en/installation/requirements/_index.md b/content/rancher/v2.x/en/installation/requirements/_index.md index ce3fc738bde..12480547553 100644 --- a/content/rancher/v2.x/en/installation/requirements/_index.md +++ b/content/rancher/v2.x/en/installation/requirements/_index.md 
@@ -26,7 +26,15 @@ The Rancher UI works best in Firefox or Chrome. Rancher should work with any modern Linux distribution and any modern Docker version. -Rancher has been tested and is supported with Ubuntu, CentOS, Oracle Linux, RancherOS, and RedHat Enterprise Linux. +Rancher and RKE have been tested and are supported on Ubuntu, CentOS, Oracle Linux, RancherOS, and RedHat Enterprise Linux. + +K3s should run on just about any flavor of Linux. However, K3s is tested on the following operating systems and their subsequent non-major releases: + +- Ubuntu 16.04 (amd64) +- Ubuntu 18.04 (amd64) +- Raspbian Buster (armhf) + +If you are installing Rancher on a K3s cluster with Alpine Linux, follow [these steps]({{}}/k3s/latest/en/advanced/#additional-preparation-for-alpine-linux-setup) for additional setup. For details on which OS and Docker versions were tested with each Rancher version, refer to the [support maintenance terms.](https://rancher.com/support-maintenance-terms/) @@ -34,7 +42,7 @@ All supported operating systems are 64-bit x86. The `ntp` (Network Time Protocol) package should be installed. This prevents errors with certificate validation that can occur when the time is not synchronized between the client and server. -Some distributions of Linux derived from RHEL, including Oracle Linux, may have default firewall rules that block communication with Helm. This [how-to guide]({{}}/rancher/v2.x/en/installation/options/firewall) shows how to check the default firewall rules and how to open the ports with `firewalld` if necessary. +Some distributions of Linux may have default firewall rules that block communication with Helm. This [how-to guide]({{}}/rancher/v2.x/en/installation/options/firewall) shows how to check the default firewall rules for Oracle Linux and how to open the ports with `firewalld` if necessary. If you plan to run Rancher on ARM64, see [Running on ARM64 (Experimental).]({{}}/rancher/v2.x/en/installation/options/arm64-platform/) 
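Review bot: in prepare-nodes/_index.md (@@ -1,102 +1,168 @@), the RKE tab's "### 2. Set up the Load Balancer" says the load balancer directs traffic "to the Rancher replica on both nodes", which is carried over from the K3s tab; the RKE tab asks for three Linux nodes, so this should refer to all three nodes. The same hunk also removes the "CLI Tools" prerequisites (kubectl, rke, helm) and adds nothing in their place in this file, so if they now live on a later page, a pointer from here would keep readers from starting the install without them.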
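Review bot: the K3s operating system list added in the first hunk of requirements/_index.md includes `Raspbian Buster (armhf)`, but the file still states "All supported operating systems are 64-bit x86." a few lines further down (visible as the context of the @@ -34,7 +42,7 @@ header). Scope that sentence to Rancher and RKE or reword it, otherwise the page contradicts itself on ARM support.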
diff --git a/content/rancher/v2.x/en/overview/architecture-recommendations/_index.md b/content/rancher/v2.x/en/overview/architecture-recommendations/_index.md index eb13e5562a9..05a3c228ef3 100644 --- a/content/rancher/v2.x/en/overview/architecture-recommendations/_index.md +++ b/content/rancher/v2.x/en/overview/architecture-recommendations/_index.md @@ -33,7 +33,7 @@ When Rancher is installed on a single node, if the node goes down, there is no c By contrast, in the high-availability installation, - The etcd data is replicated on three nodes in the cluster, providing redundancy and data duplication in case one of the nodes fails. -- A load balancer serves as the single point of contact for clients, distributing network traffic across multiple servers in the cluster and helping to prevent any one server from becoming a point of failure. Note: This [example]({{}}/rancher/v2.x/en/installation/k8s-install/create-nodes-lb/nginx/) of how to configure an NGINX server as a basic layer 4 load balancer (TCP). +- A load balancer serves as the single point of contact for clients, distributing network traffic across multiple servers in the cluster and helping to prevent any one server from becoming a point of failure. Note: This [example]({{}}/rancher/v2.x/en/installation/options/nginx/) of how to configure an NGINX server as a basic layer 4 load balancer (TCP). # Recommended Load Balancer Configuration for Kubernetes Installations From 844a73d6c5a3a8e104dd89b47f281f48200394d2 Mon Sep 17 00:00:00 2001 
From: Catherine Luse Date: Tue, 25 Feb 2020 02:44:50 -0700 Subject: [PATCH 072/183] Update docs for installing Rancher on air gapped K3s cluster --- .../en/cluster-admin/tools/alerts/_index.md | 2 +- .../k8s-install/create-nodes-lb/_index.md | 4 +- .../populate-private-registry/_index.md | 8 ++-- .../options/api-audit-log/_index.md | 2 +- .../options/chart-options/_index.md | 4 +- .../helm-rancher/chart-options/_index.md | 4 +- .../air-gap/_index.md | 8 ++-- .../air-gap/launch-kubernetes/_index.md | 27 +++-------- .../populate-private-registry/_index.md | 45 ++++++++++--------- .../air-gap/prepare-nodes/_index.md | 14 +++--- .../pipelines/docs-for-v2.0.x/_index.md | 2 +- .../vsphere/troubleshooting/_index.md | 2 +- 12 files changed, 55 insertions(+), 67 deletions(-) diff --git a/content/rancher/v2.x/en/cluster-admin/tools/alerts/_index.md b/content/rancher/v2.x/en/cluster-admin/tools/alerts/_index.md index 0ba6ff6df0b..7fdca61df02 100644 --- a/content/rancher/v2.x/en/cluster-admin/tools/alerts/_index.md +++ b/content/rancher/v2.x/en/cluster-admin/tools/alerts/_index.md @@ -180,7 +180,7 @@ This alert type monitors for the overload from Prometheus expression querying, i - [**ETCD**](https://etcd.io/docs/v3.4.0/op-guide/monitoring/) - [**Kubernetes Components**](https://github.com/kubernetes/metrics) - [**Kubernetes Resources**](https://github.com/kubernetes/kube-state-metrics) - - [**Fluentd**](https://docs.fluentd.org/v1.0/articles/monitoring-prometheus) (supported by [Logging]({{}}/rancher/v2.x/en/tools/logging)) + - [**Fluentd**](https://docs.fluentd.org/v1.0/articles/monitoring-prometheus) (supported by [Logging]({{}}/rancher/v2.x//en/cluster-admin/tools/logging)) - [**Cluster Level Grafana**](http://docs.grafana.org/administration/metrics/) - **Cluster Level Prometheus** 
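Review bot: the new Fluentd link target in alerts/_index.md contains a doubled slash, `/rancher/v2.x//en/cluster-admin/tools/logging`. The other links in this series use `/rancher/v2.x/en/...`, so drop the extra slash before `en` to avoid a broken or redirected link.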
diff --git a/content/rancher/v2.x/en/installation/k8s-install/create-nodes-lb/_index.md b/content/rancher/v2.x/en/installation/k8s-install/create-nodes-lb/_index.md index d6ee83d7097..8fb2e197579 100644 --- a/content/rancher/v2.x/en/installation/k8s-install/create-nodes-lb/_index.md +++ b/content/rancher/v2.x/en/installation/k8s-install/create-nodes-lb/_index.md @@ -20,7 +20,7 @@ To install the Rancher management server on a high-availability K3s cluster, we - **Two Linux nodes,** typically virtual machines, in the infrastructure provider of your choice. - **An external database** to store the cluster data. PostgreSQL, MySQL, and etcd are supported. - **A load balancer** to direct traffic to the two nodes. -- **A DNS record** to map a URL to the load balancer. This will become the Rancher server URL. +- **A DNS record** to map a URL to the load balancer. This will become the Rancher server URL, and downstream Kubernetes clusters will need to reach it. ### 1. Set up Linux Nodes @@ -82,7 +82,7 @@ To install the Rancher management server on a high-availability RKE cluster, we - **Three Linux nodes,** typically virtual machines, in an infrastructure provider such as Amazon's EC2, Google Compute Engine, or vSphere. - **A load balancer** to direct front-end traffic to the three nodes. -- **A DNS record** to map a URL to the load balancer. +- **A DNS record** to map a URL to the load balancer. This will become the Rancher server URL, and downstream Kubernetes clusters will need to reach it. These nodes must be in the same region/data center. You may place these servers in separate availability zones. diff --git a/content/rancher/v2.x/en/installation/options/air-gap-helm2/populate-private-registry/_index.md b/content/rancher/v2.x/en/installation/options/air-gap-helm2/populate-private-registry/_index.md index 3eefbd5fd3b..cb9f4698034 100644 --- a/content/rancher/v2.x/en/installation/options/air-gap-helm2/populate-private-registry/_index.md 
+++ b/content/rancher/v2.x/en/installation/options/air-gap-helm2/populate-private-registry/_index.md @@ -13,7 +13,7 @@ aliases: > > **Note:** Populating the private registry with images is the same process for HA and Docker installations, the differences in this section is based on whether or not you are planning to provision a Windows cluster or not. -By default, all images used to [provision Kubernetes clusters]({{}}/rancher/v2.x/en/cluster-provisioning/) or launch any [tools]({{}}/rancher/v2.x/en/tools/) in Rancher, e.g. monitoring, pipelines, alerts, are pulled from Docker Hub. In an air gap installation of Rancher, you will need a private registry that is located somewhere accessible by your Rancher server. Then, you will load the registry with all the images. +By default, all images used to [provision Kubernetes clusters]({{}}/rancher/v2.x/en/cluster-provisioning/) or launch any [tools]({{}}/rancher/v2.x/en/cluster-admin/tools/) in Rancher, e.g. monitoring, pipelines, alerts, are pulled from Docker Hub. In an air gap installation of Rancher, you will need a private registry that is located somewhere accessible by your Rancher server. Then, you will load the registry with all the images. This section describes how to set up your private registry so that when you install Rancher, Rancher will pull all the required images from this registry. 
@@ -35,9 +35,9 @@ These steps expect you to use a Linux workstation that has internet access, acce ### A. Find the required assets for your Rancher version -1. Browse to our [releases page](https://github.com/rancher/rancher/releases) and find the Rancher v2.x.x release that you want to install. Don't download releases marked `rc` or `Pre-release`, as they are not stable for production environments. +1. Browse to our [releases page](https://github.com/rancher/rancher/releases) and find the Rancher v2.x.x release that you want to install. Don't download releases marked `rc` or `Pre-release`, as they are not stable for production environments. Click **Assets*.* -2. From the release's **Assets** section (pictured above), download the following files, which are required to install Rancher in an air gap environment: +2. From the release's **Assets** section, download the following files: | Release File | Description | | ---------------- | -------------- | @@ -200,7 +200,7 @@ The workstation must have Docker 18.02+ in order to support manifests, which are 1. Browse to our [releases page](https://github.com/rancher/rancher/releases) and find the Rancher v2.x.x release that you want to install. Don't download releases marked `rc` or `Pre-release`, as they are not stable for production environments. -2. From the release's **Assets** section (pictured above), download the following files, which are required to install Rancher in an air gap environment: +2. From the release's **Assets** section, download the following files, which are required to install Rancher in an air gap environment: | Release File | Description | | ---------------------------- | ------------------------------------------------------------------------------------------------------------------------------------ | diff --git a/content/rancher/v2.x/en/installation/options/api-audit-log/_index.md b/content/rancher/v2.x/en/installation/options/api-audit-log/_index.md index cdb9c07ac57..7ade1298509 100644 
--- a/content/rancher/v2.x/en/installation/options/api-audit-log/_index.md +++ b/content/rancher/v2.x/en/installation/options/api-audit-log/_index.md @@ -80,7 +80,7 @@ kubectl -n cattle-system logs -f rancher-84d886bdbb-s4s69 rancher-audit-log #### Shipping the Audit Log -You can enable Rancher's built in log collection and shipping for the cluster to ship the audit and other services logs to a supported collection endpoint. See [Rancher Tools - Logging]({{}}/rancher/v2.x/en/tools/logging) for details. +You can enable Rancher's built in log collection and shipping for the cluster to ship the audit and other services logs to a supported collection endpoint. See [Rancher Tools - Logging]({{}}/rancher/v2.x/en/cluster-admin/tools/logging) for details. ## Audit Log Samples diff --git a/content/rancher/v2.x/en/installation/options/chart-options/_index.md b/content/rancher/v2.x/en/installation/options/chart-options/_index.md index 7bc68cce822..85978052274 100644 --- a/content/rancher/v2.x/en/installation/options/chart-options/_index.md +++ b/content/rancher/v2.x/en/installation/options/chart-options/_index.md 
@@ -51,13 +51,13 @@ weight: 276 Enabling the [API Audit Log]({{}}/rancher/v2.x/en/installation/api-auditing/). -You can collect this log as you would any container log. Enable the [Logging service under Rancher Tools]({{}}/rancher/v2.x/en/tools/logging/) for the `System` Project on the Rancher server cluster. +You can collect this log as you would any container log. Enable the [Logging service under Rancher Tools]({{}}/rancher/v2.x/en/cluster-admin/tools/logging/) for the `System` Project on the Rancher server cluster. ```plain --set auditLog.level=1 ``` -By default enabling Audit Logging will create a sidecar container in the Rancher pod. This container (`rancher-audit-log`) will stream the log to `stdout`. You can collect this log as you would any container log. When using the sidecar as the audit log destination, the `hostPath`, `maxAge`, `maxBackups`, and `maxSize` options do not apply. It's advised to use your OS or Docker daemon's log rotation features to control disk space use. Enable the [Logging service under Rancher Tools]({{}}/rancher/v2.x/en/tools/logging/) for the Rancher server cluster or System Project. +By default enabling Audit Logging will create a sidecar container in the Rancher pod. This container (`rancher-audit-log`) will stream the log to `stdout`. You can collect this log as you would any container log. When using the sidecar as the audit log destination, the `hostPath`, `maxAge`, `maxBackups`, and `maxSize` options do not apply. It's advised to use your OS or Docker daemon's log rotation features to control disk space use. Enable the [Logging service under Rancher Tools]({{}}/rancher/v2.x/en/cluster-admin/tools/logging/) for the Rancher server cluster or System Project. Set the `auditLog.destination` to `hostPath` to forward logs to volume shared with the host system instead of streaming to a sidecar container. When setting the destination to `hostPath` you may want to adjust the other auditLog parameters for log rotation. 
diff --git a/content/rancher/v2.x/en/installation/options/helm2/helm-rancher/chart-options/_index.md b/content/rancher/v2.x/en/installation/options/helm2/helm-rancher/chart-options/_index.md index b9940f9cac5..e773074fc13 100644 --- a/content/rancher/v2.x/en/installation/options/helm2/helm-rancher/chart-options/_index.md +++ b/content/rancher/v2.x/en/installation/options/helm2/helm-rancher/chart-options/_index.md 
@@ -49,13 +49,13 @@ weight: 276 Enabling the [API Audit Log]({{}}/rancher/v2.x/en/installation/api-auditing/). -You can collect this log as you would any container log. Enable the [Logging service under Rancher Tools]({{}}/rancher/v2.x/en/tools/logging/) for the `System` Project on the Rancher server cluster. +You can collect this log as you would any container log. Enable the [Logging service under Rancher Tools]({{}}/rancher/v2.x/en/cluster-admin/tools/logging/) for the `System` Project on the Rancher server cluster. ```plain --set auditLog.level=1 ``` -By default enabling Audit Logging will create a sidecar container in the Rancher pod. This container (`rancher-audit-log`) will stream the log to `stdout`. You can collect this log as you would any container log. When using the sidecar as the audit log destination, the `hostPath`, `maxAge`, `maxBackups`, and `maxSize` options do not apply. It's advised to use your OS or Docker daemon's log rotation features to control disk space use. Enable the [Logging service under Rancher Tools]({{}}/rancher/v2.x/en/tools/logging/) for the Rancher server cluster or System Project. +By default enabling Audit Logging will create a sidecar container in the Rancher pod. This container (`rancher-audit-log`) will stream the log to `stdout`. You can collect this log as you would any container log. When using the sidecar as the audit log destination, the `hostPath`, `maxAge`, `maxBackups`, and `maxSize` options do not apply. It's advised to use your OS or Docker daemon's log rotation features to control disk space use. Enable the [Logging service under Rancher Tools]({{}}/rancher/v2.x/en/cluster-admin/tools/logging/) for the Rancher server cluster or System Project. Set the `auditLog.destination` to `hostPath` to forward logs to volume shared with the host system instead of streaming to a sidecar container. When setting the destination to `hostPath` you may want to adjust the other auditLog parameters for log rotation. 
diff --git a/content/rancher/v2.x/en/installation/other-installation-methods/air-gap/_index.md b/content/rancher/v2.x/en/installation/other-installation-methods/air-gap/_index.md index 267d1e6634f..b00bd50e581 100644 --- a/content/rancher/v2.x/en/installation/other-installation-methods/air-gap/_index.md +++ b/content/rancher/v2.x/en/installation/other-installation-methods/air-gap/_index.md @@ -19,9 +19,9 @@ Throughout the installation instructions, there will be _tabs_ for each installa # Installation Outline -- [1. Set up infrastructure and private registry]({{}}/rancher/v2.x/en/installation/other-installation-methods/air-gap/prepare-nodes/) -- [2. Collect and publish images to your private registry]({{}}/rancher/v2.x/en/installation/other-installation-methods/air-gap/populate-private-registry/) -- [3. Set up a Kubernetes cluster (Skip this step for Docker installations)]({{}}/rancher/v2.x/en/installation/other-installation-methods/air-gap/launch-kubernetes/) -- [4. Install Rancher]({{}}/rancher/v2.x/en/installation/other-installation-methods/air-gap/install-rancher/) +1. [Set up infrastructure and private registry]({{}}/rancher/v2.x/en/installation/other-installation-methods/air-gap/prepare-nodes/) +2. [Collect and publish images to your private registry]({{}}/rancher/v2.x/en/installation/other-installation-methods/air-gap/populate-private-registry/) +3. [Set up a Kubernetes cluster (Skip this step for Docker installations)]({{}}/rancher/v2.x/en/installation/other-installation-methods/air-gap/launch-kubernetes/) +4. [Install Rancher]({{}}/rancher/v2.x/en/installation/other-installation-methods/air-gap/install-rancher/) ### [Next: Prepare your Node(s)]({{}}/rancher/v2.x/en/installation/other-installation-methods/air-gap/prepare-nodes/) 
diff --git a/content/rancher/v2.x/en/installation/other-installation-methods/air-gap/launch-kubernetes/_index.md b/content/rancher/v2.x/en/installation/other-installation-methods/air-gap/launch-kubernetes/_index.md index b7e6d5194b5..28f2de5f713 100644 --- a/content/rancher/v2.x/en/installation/other-installation-methods/air-gap/launch-kubernetes/_index.md +++ b/content/rancher/v2.x/en/installation/other-installation-methods/air-gap/launch-kubernetes/_index.md @@ -18,19 +18,14 @@ The steps to set up an air-gapped Kubernetes cluster depend on whether RKE or K3 {{% tabs %}} {{% tab "K3s" %}} -### 1. Install Kubernetes and Set up the K3s Server - - In this guide, we are assuming you have created your nodes in your air-gap environment and have a secure Docker private registry on your bastion server. -# Installation Outline +### Installation Outline 1. [Prepare Images Directory](#1-prepare-images-directory) -2. [Create Registry YAML](#2-create-registry-YAML) +2. [Create Registry YAML](#2-create-registry-yaml) 3. [Install K3s](#3-install-k3s) -4. [Confirm that K3s is Running](#4-confirm-that-k3s-is-running) -5. [Save and Start Using the kubeconfig File](#5-save-and-start-using-the-kubeconfig-file) -6. [Check the Health of Your Cluster Pods](#6-check-the-health-of-your-cluster-pods) +4. [Save and Start Using the kubeconfig File](#4-save-and-start-using-the-kubeconfig-file) ### 1. Prepare Images Directory Obtain the images tar file for your architecture from the [releases](https://github.com/rancher/k3s/releases) page for the version of K3s you will be running. @@ -71,7 +66,7 @@ Obtain the K3s binary from the [releases](https://github.com/rancher/k3s/release Also obtain the K3s install script at https://get.k3s.io Place the binary in `/usr/local/bin` on each node. -Place the install script anywhere on each node, name it `install.sh`. +Place the install script anywhere on each node, and name it `install.sh`. Install K3s on each server: 
@@ -88,16 +83,9 @@ INSTALL_K3S_SKIP_DOWNLOAD=true K3S_URL=https://myserver:6443 K3S_TOKEN=mynodetok Note, take care to ensure you replace `myserver` with the IP or valid DNS of the server and replace `mynodetoken` with the node-token from the server. The node-token is on the server at `/var/lib/rancher/k3s/server/node-token` - >**Note:** K3s additionally provides a `--resolv-conf` flag for kubelets, which may help with configuring DNS in air-gap networks. - - -### 4. Confirm that K3s is Running - -Placeholder - -### 5. Save and Start Using the kubeconfig File +### 4. Save and Start Using the kubeconfig File When you installed K3s on each Rancher server node, a `kubeconfig` file was created on the node at `/etc/rancher/k3s/k3s.yaml`. This file contains credentials for full access to the cluster, and you should save this file in a secure location. @@ -137,9 +125,6 @@ kubectl --kubeconfig ~/.kube/config/k3s.yaml get pods --all-namespaces For more information about the `kubeconfig` file, refer to the [K3s documentation]({{}}/k3s/latest/en/cluster-access/) or the [official Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/) about organizing cluster access using `kubeconfig` files. -### 6. Check the Health of Your Cluster Pods - - ### Note on Upgrading Upgrading an air-gap environment can be accomplished in the following manner: @@ -233,4 +218,4 @@ See the [Troubleshooting]({{}}/rancher/v2.x/en/installation/options/tro See the [Troubleshooting]({{}}/rancher/v2.x/en/installation/options/troubleshooting/) page. -### [Next: Install Rancher](./install-rancher) +### [Next: Install Rancher](../install-rancher) diff --git a/content/rancher/v2.x/en/installation/other-installation-methods/air-gap/populate-private-registry/_index.md b/content/rancher/v2.x/en/installation/other-installation-methods/air-gap/populate-private-registry/_index.md index 954280bc28b..a7b4e8be62c 100644 
--- a/content/rancher/v2.x/en/installation/other-installation-methods/air-gap/populate-private-registry/_index.md +++ b/content/rancher/v2.x/en/installation/other-installation-methods/air-gap/populate-private-registry/_index.md 
@@ -8,35 +8,35 @@ aliases: - /rancher/v2.x/en/installation/air-gap-high-availability/config-rancher-for-private-reg/ --- -> **Prerequisites:** You must have a [private registry](https://docs.docker.com/registry/deploying/) available to use. -> -> **Note:** Populating the private registry with images is the same process for HA and Docker installations, the differences in this section is based on whether or not you are planning to provision a Windows cluster or not. - -By default, all images used to [provision Kubernetes clusters]({{}}/rancher/v2.x/en/cluster-provisioning/) or launch any [tools]({{}}/rancher/v2.x/en/tools/) in Rancher, e.g. monitoring, pipelines, alerts, are pulled from Docker Hub. In an air gap installation of Rancher, you will need a private registry that is located somewhere accessible by your Rancher server. Then, you will load the registry with all the images. - This section describes how to set up your private registry so that when you install Rancher, Rancher will pull all the required images from this registry. -By default, we provide the steps of how to populate your private registry assuming that Rancher will provision downstream Kubernetes clusters with only Linux nodes. But if you plan on provisioning any [downstream Kubernetes clusters using Windows nodes]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/windows-clusters/), there are separate instructions to support the images needed. +By default, all images used to [provision Kubernetes clusters]({{}}/rancher/v2.x/en/cluster-provisioning/) or launch any [tools]({{}}/rancher/v2.x/en/cluster-admin/tools/) in Rancher, e.g. monitoring, pipelines, alerts, are pulled from Docker Hub. In an air gapped installation of Rancher, you will need a private registry that is located somewhere accessible by your Rancher server. Then, you will load the registry with all the images. 
+ +Populating the private registry with images is the same process for installing Rancher with Docker and for installing Rancher on a Kubernetes cluster. + +The steps in this section differ depending on whether or not you are planning to use Rancher to provision a downstream cluster with Windows nodes or not. By default, we provide the steps of how to populate your private registry assuming that Rancher will provision downstream Kubernetes clusters with only Linux nodes. But if you plan on provisioning any [downstream Kubernetes clusters using Windows nodes]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/windows-clusters/), there are separate instructions to support the images needed. + +> **Prerequisites:** You must have a [private registry](https://docs.docker.com/registry/deploying/#run-an-externally-accessible-registry) available to use. {{% tabs %}} {{% tab "Linux Only Clusters" %}} For Rancher servers that will only provision Linux clusters, these are the steps to populate your private registry. -A. Find the required assets for your Rancher version
    -B. Collect all the required images
    -C. Save the images to your workstation
    -D. Populate the private registry +1. [Find the required assets for your Rancher version](#1-find-the-required-assets-for-your-rancher-version) +2. [Collect the cert-manager image](#2-collect-the-cert-manager-image) (unless you are bringing your own certificates or terminating TLS on a load balancer) +3. [Save the images to your workstation](#3-save-the-images-to-your-workstation) +4. [Populate the private registry](#4-populate-the-private-registry) ### Prerequisites These steps expect you to use a Linux workstation that has internet access, access to your private registry, and at least 20 GB of disk space. -### A. Find the required assets for your Rancher version +### 1. Find the required assets for your Rancher version -1. Browse to our [releases page](https://github.com/rancher/rancher/releases) and find the Rancher v2.x.x release that you want to install. Don't download releases marked `rc` or `Pre-release`, as they are not stable for production environments. +1. Go to our [releases page,](https://github.com/rancher/rancher/releases) find the Rancher v2.x.x release that you want to install, and click **Assets.** Note: Don't use releases marked `rc` or `Pre-release`, as they are not stable for production environments. -2. From the release's **Assets** section (pictured above), download the following files, which are required to install Rancher in an air gap environment: +2. From the release's **Assets** section, download the following files, which are required to install Rancher in an air gap environment: | Release File | Description | | ---------------- | -------------- | 
@@ -44,9 +44,11 @@ These steps expect you to use a Linux workstation that has internet access, acce | `rancher-save-images.sh` | This script pulls all the images in the `rancher-images.txt` from Docker Hub and saves all of the images as `rancher-images.tar.gz`. | | `rancher-load-images.sh` | This script loads images from the `rancher-images.tar.gz` file and pushes them to your private registry. | -### B. Collect all the required images (For Kubernetes Installs using Rancher Generated Self-Signed Certificate) +### 2. Collect the cert-manager image -In a Kubernetes Install, if you elect to use the Rancher default self-signed TLS certificates, you must add the [`cert-manager`](https://hub.helm.sh/charts/jetstack/cert-manager) image to `rancher-images.txt` as well. You skip this step if you are using your own certificates, or if you are terminating TLS on an external load balancer. +> Skip this step if you are using your own certificates, or if you are terminating TLS on an external load balancer. + +In a Kubernetes Install, if you elect to use the Rancher default self-signed TLS certificates, you must add the [`cert-manager`](https://hub.helm.sh/charts/jetstack/cert-manager) image to `rancher-images.txt` as well. 1. Fetch the latest `cert-manager` Helm chart and parse the template for image details: @@ -65,7 +67,7 @@ In a Kubernetes Install, if you elect to use the Rancher default self-signed TLS sort -u rancher-images.txt -o rancher-images.txt ``` -### C. Save the images to your workstation +### 3. Save the images to your workstation 1. Make `rancher-save-images.sh` an executable: ``` 
@@ -78,7 +80,9 @@ In a Kubernetes Install, if you elect to use the Rancher default self-signed TLS ``` **Result:** Docker begins pulling the images used for an air gap install. Be patient. This process takes a few minutes. When the process completes, your current directory will output a tarball named `rancher-images.tar.gz`. Check that the output is in the directory. -### D. Populate the private registry +### 4. Populate the private registry + +Next, you will move the images in the `rancher-images.tar.gz` to your private registry using the scripts to load the images. Move the images in the `rancher-images.tar.gz` to your private registry using the scripts to load the images. @@ -88,7 +92,6 @@ The `rancher-images.txt` is expected to be on the workstation in the same direct ```plain docker login ``` - 1. Make `rancher-load-images.sh` an executable: ``` chmod +x rancher-load-images.sh @@ -202,9 +205,9 @@ The workstation must have Docker 18.02+ in order to support manifests, which are ### A. Find the required assets for your Rancher version -1. Browse to our [releases page](https://github.com/rancher/rancher/releases) and find the Rancher v2.x.x release that you want to install. Don't download releases marked `rc` or `Pre-release`, as they are not stable for production environments. +1. Browse to our [releases page](https://github.com/rancher/rancher/releases) and find the Rancher v2.x.x release that you want to install. Don't download releases marked `rc` or `Pre-release`, as they are not stable for production environments. Click **Assets*.* -2. From the release's **Assets** section (pictured above), download the following files, which are required to install Rancher in an air gap environment: +2. From the release's **Assets** section, download the following files: | Release File | Description | | ---------------------------- | ------------------------------------------------------------------------------------------------------------------------------------ | 
diff --git a/content/rancher/v2.x/en/installation/other-installation-methods/air-gap/prepare-nodes/_index.md b/content/rancher/v2.x/en/installation/other-installation-methods/air-gap/prepare-nodes/_index.md index 657a6d70653..7158e4b7225 100644 --- a/content/rancher/v2.x/en/installation/other-installation-methods/air-gap/prepare-nodes/_index.md +++ b/content/rancher/v2.x/en/installation/other-installation-methods/air-gap/prepare-nodes/_index.md @@ -13,12 +13,12 @@ The infrastructure depends on whether you are installing Rancher on a K3s Kubern {{% tabs %}} {{% tab "K3s" %}} -We recommend setting up the following infrastructure: +We recommend setting up the following infrastructure for a high-availability installation: - **Two Linux nodes,** typically virtual machines, in the infrastructure provider of your choice. - **An external database** to store the cluster data. PostgreSQL, MySQL, and etcd are supported. - **A load balancer** to direct traffic to the two nodes. -- **A DNS record** to map a URL to the load balancer. This will become the Rancher server URL. +- **A DNS record** to map a URL to the load balancer. This will become the Rancher server URL, and downstream Kubernetes clusters will need to reach it. - **A private Docker registry** to distribute Docker images to your machines. ### 1. Set up Linux Nodes @@ -79,7 +79,7 @@ For a how-to guide for setting up a DNS record to route domain traffic to an Ama Rancher supports air gap installs using a private registry. You must have your own private registry or other means of distributing Docker images to your machines. -If you need help with creating a private registry, please refer to the [official Docker documentation.](https://docs.docker.com/registry/) +If you need help with creating a private registry, please refer to the [official Docker documentation.](https://docs.docker.com/registry/deploying/#run-an-externally-accessible-registry) {{% /tab %}} {{% tab "RKE" %}} 
@@ -87,7 +87,7 @@ To install the Rancher management server on a high-availability RKE cluster, we - **Three Linux nodes,** typically virtual machines, in an infrastructure provider such as Amazon's EC2, Google Compute Engine, or vSphere. - **A load balancer** to direct front-end traffic to the three nodes. -- **A DNS record** to map a URL to the load balancer. +- **A DNS record** to map a URL to the load balancer. This will become the Rancher server URL, and downstream Kubernetes clusters will need to reach it. - **A private Docker registry** to distribute Docker images to your machines. These nodes must be in the same region/data center. You may place these servers in separate availability zones. @@ -138,9 +138,9 @@ For a how-to guide for setting up a DNS record to route domain traffic to an Ama ### 4. Set up a Private Docker Registry -Rancher supports air gap installs using a private registry. You must have your own private registry or other means of distributing Docker images to your machines. +Rancher supports air gap installs using a secure Docker private registry. You must have your own private registry or other means of distributing Docker images to your machines. -If you need help with creating a private registry, please refer to the [official Docker documentation.](https://docs.docker.com/registry/) +If you need help with creating a private registry, please refer to the [official Docker documentation.](https://docs.docker.com/registry/deploying/#run-an-externally-accessible-registry) {{% /tab %}} {{% tab "Docker" %}} 
@@ -160,7 +160,7 @@ For an example of one way to set up Linux nodes, refer to this [tutorial]({{**Note:** This section describes the pipeline feature as implemented in Rancher v2.0.x. If you are using Rancher v2.1 or later, where pipelines have been significantly improved, please refer to the new documentation for [v2.1 or later]({{}}/rancher/v2.x/en/tools/pipelines). +>**Note:** This section describes the pipeline feature as implemented in Rancher v2.0.x. If you are using Rancher v2.1 or later, where pipelines have been significantly improved, please refer to the new documentation for [v2.1 or later]({{}}/rancher/v2.x/en/k8s-in-rancher/pipelines/). diff --git a/content/rke/latest/en/config-options/cloud-providers/vsphere/troubleshooting/_index.md b/content/rke/latest/en/config-options/cloud-providers/vsphere/troubleshooting/_index.md index 74801997ee5..a63f81c36ba 100644 --- a/content/rke/latest/en/config-options/cloud-providers/vsphere/troubleshooting/_index.md +++ b/content/rke/latest/en/config-options/cloud-providers/vsphere/troubleshooting/_index.md @@ -8,7 +8,7 @@ If you are experiencing issues while provisioning a cluster with enabled vSphere - controller-manager (Manages volumes in vCenter) - kubelet: (Mounts vSphere volumes to pods) -If your cluster is not configured with external [Cluster Logging]({{}}/rancher/v2.x/en/tools/logging/), you will need to SSH into nodes to get the logs of the `kube-controller-manager` (running on one of the control plane nodes) and the `kubelet` (pertaining to the node where the stateful pod has been scheduled). +If your cluster is not configured with external [Cluster Logging]({{}}/rancher/v2.x//en/cluster-admin/tools//logging/), you will need to SSH into nodes to get the logs of the `kube-controller-manager` (running on one of the control plane nodes) and the `kubelet` (pertaining to the node where the stateful pod has been scheduled). The easiest way to create a SSH session with a node is the Rancher CLI tool. 
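Review bot: The rewritten Logging links in `cluster-admin/tools/alerts/_index.md` and `rke/.../vsphere/troubleshooting/_index.md` contain doubled slashes (`/rancher/v2.x//en/cluster-admin/tools/logging` and `/rancher/v2.x//en/cluster-admin/tools//logging/`). Every other hunk in this patch uses `/rancher/v2.x/en/cluster-admin/tools/logging/`; use that form in these two places as well so the links do not depend on the server normalizing the path.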
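Review bot: The added sentence `Click **Assets*.*` in step 1 of `air-gap-helm2/populate-private-registry` (@@ -35,9) and in the Windows tab of `air-gap/populate-private-registry` (@@ -202,9) has unbalanced emphasis markers and will not render as bold. Write it as `Click **Assets.**`, matching the Linux tab in the same patch, and consider placing it before the `rc`/`Pre-release` warning so the instruction reads in the order the user acts.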
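Review bot: In `air-gap/populate-private-registry/_index.md` (@@ -78,7 +80,9), the new line under "### 4. Populate the private registry" duplicates the unchanged sentence that follows it: "Next, you will move the images in the `rancher-images.tar.gz` to your private registry..." is immediately followed by "Move the images in the `rancher-images.tar.gz` to your private registry...". Delete the old sentence or drop the new one.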
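Review bot: In the intro hunk of `air-gap/populate-private-registry/_index.md` (@@ -8,35 +8,35), the added sentence "differ depending on whether or not you are planning to use Rancher to provision a downstream cluster with Windows nodes or not" says "or not" twice; drop one. The Linux tab headings are renumbered 1 to 4 here, but the Windows tab still uses lettered headings (`### A. Find the required assets for your Rancher version` in @@ -202,9), so the two tabs of the same page now follow different step conventions. The link text `[releases page,]` also pulls the comma inside the link.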
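Review bot: In `air-gap/prepare-nodes/_index.md`, only the RKE tab (@@ -138,9) is changed to "a secure Docker private registry"; the K3s tab paragraph (@@ -79,7) still reads "using a private registry". Use the same wording in both tabs, and say what "secure" requires of the registry (for example TLS and authentication), since every image the cluster runs will be pulled from it and the term is otherwise left to the reader.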
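Review bot: The last hunk of `air-gap/launch-kubernetes/_index.md` changes the footer link from `./install-rancher` to `../install-rancher`, which is still a relative path. The other "Next" links visible in this patch use the base URL shortcode with the full `/rancher/v2.x/en/installation/other-installation-methods/air-gap/...` path; using that form here avoids another breakage if the page moves. Separately, the outline hunk (@@ -18,19) removes the "Confirm that K3s is Running" and "Check the Health of Your Cluster Pods" steps, so the page no longer names a verification step; a sentence pointing at the `kubectl ... get pods --all-namespaces` command kept in step 4 would cover it.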
From 5dc10d7406ca3423e277ba70ae510930b9639e36 Mon Sep 17 00:00:00 2001 From: Catherine Luse Date: Tue, 25 Feb 2020 10:50:05 -0700 Subject: [PATCH 073/183] Edit installation options page --- .../rancher/v2.x/en/installation/_index.md | 27 ++++++++++--------- .../air-gap/_index.md | 2 +- 2 files changed, 15 insertions(+), 14 deletions(-) diff --git a/content/rancher/v2.x/en/installation/_index.md b/content/rancher/v2.x/en/installation/_index.md index 328c7234fce..eb463283c70 100644 --- a/content/rancher/v2.x/en/installation/_index.md +++ b/content/rancher/v2.x/en/installation/_index.md 
@@ -18,24 +18,13 @@ In this section, ### Overview of Installation Options -We recommend installing Rancher on a Kubernetes cluster, because in a multi-node cluster, the Rancher management server becomes highly available. This high-availability configuration helps maintain consistent access to the downstream Kubernetes clusters that Rancher will manage. - -For that reason, we recommend that for a production-grade architecture, you should set up a high-availability Kubernetes cluster, then install Rancher on it. After Rancher is installed, you can use Rancher to deploy and manage Kubernetes clusters. - -For testing or demonstration purposes, you can install Rancher in single Docker container. In this Docker install, you can use Rancher to set up Kubernetes clusters out-of-the-box. - -Our [instructions for installing Rancher on Kubernetes]({{}}/rancher/v2.x/en/installation/k8s-install) describe how to first use K3s or RKE to create and manage a Kubernetes cluster, then install Rancher onto that cluster. - -When the nodes in your Kubernetes cluster are running and fulfill the [node requirements,]({{}}/rancher/v2.x/en/installation/requirements) you will use RKE or K3s to deploy Kubernetes onto them. Then you will use Helm to deploy Rancher onto Kubernetes. Helm uses Rancher's Helm chart to install a replica of Rancher on each node in the Kubernetes cluster. We recommend using a load balancer to direct traffic to each replica of Rancher in the cluster. 
- -For a longer discussion of Rancher architecture, refer to the [architecture overview,]({{}}/rancher/v2.x/en/overview/architecture) [recommendations for production-grade architecture,]({{}}/rancher/v2.x/en/overview/architecture-recommendations) or our [best practices guide.]({{}}/rancher/v2.x/en/best-practices/deployment-types) - -To summarize, Rancher can be installed on these main architectures: +Rancher can be installed on these main architectures: - **High-availability Kubernetes Install:** We recommend using [Helm,]({{}}/rancher/v2.x/en/overview/concepts/#about-helm) a Kubernetes package manager, to install Rancher on multiple nodes on a dedicated Kubernetes cluster. For RKE clusters, three nodes are required to achieve a high-availability cluster. For K3s clusters, only two nodes are required. - **Single-node Kubernetes Install:** Another option is to install Rancher with Helm on a Kubernetes cluster, but to only use a single node in the cluster. In this case, the Rancher server doesn't have high availability, which is important for running Rancher in production. However, this option is useful if you want to save resources by using a single node in the short term, while preserving a high-availability migration path. In the future, you can add nodes to the cluster to get a high-availability Rancher server. - **Docker Install:** For test and demonstration purposes, Rancher can be installed with Docker on a single node. This installation works out-of-the-box, but there is no migration path from a Docker installation to a high-availability installation on a Kubernetes cluster. Therefore, you may want to use a Kubernetes installation from the start. + There are also separate instructions for installing Rancher in an air gap environment or behind an HTTP proxy: | Level of Internet Access | Kubernetes Installation - Strongly Recommended | Docker Installation | 
@@ -44,6 +33,18 @@ There are also separate instructions for installing Rancher in an air gap enviro | Behind an HTTP proxy | These [docs,]({{}}/rancher/v2.x/en/installation/k8s-install/) plus this [configuration]({{}}/rancher/v2.x/en/installation/options/chart-options/#http-proxy) | These [docs,]({{}}/rancher/v2.x/en/installation/other-installation-methods/single-node-docker) plus this [configuration]({{}}/rancher/v2.x/en/installation/other-installation-methods/single-node-docker/proxy/) | | In an air gap environment | [Docs]({{}}/rancher/v2.x/en/installation/other-installation-methods/air-gap) | [Docs]({{}}/rancher/v2.x/en/installation/other-installation-methods/air-gap) | +We recommend installing Rancher on a Kubernetes cluster, because in a multi-node cluster, the Rancher management server becomes highly available. This high-availability configuration helps maintain consistent access to the downstream Kubernetes clusters that Rancher will manage. + +For that reason, we recommend that for a production-grade architecture, you should set up a high-availability Kubernetes cluster using either RKE or K3s, then install Rancher on it. After Rancher is installed, you can use Rancher to deploy and manage Kubernetes clusters. + +For testing or demonstration purposes, you can install Rancher in single Docker container. In this Docker install, you can use Rancher to set up Kubernetes clusters out-of-the-box. + +Our [instructions for installing Rancher on Kubernetes]({{}}/rancher/v2.x/en/installation/k8s-install) describe how to first use K3s or RKE to create and manage a Kubernetes cluster, then install Rancher onto that cluster. + +When the nodes in your Kubernetes cluster are running and fulfill the [node requirements,]({{}}/rancher/v2.x/en/installation/requirements) you will use Helm to deploy Rancher onto Kubernetes. Helm uses Rancher's Helm chart to install a replica of Rancher on each node in the Kubernetes cluster. 
We recommend using a load balancer to direct traffic to each replica of Rancher in the cluster. + +For a longer discussion of Rancher architecture, refer to the [architecture overview,]({{}}/rancher/v2.x/en/overview/architecture) [recommendations for production-grade architecture,]({{}}/rancher/v2.x/en/overview/architecture-recommendations) or our [best practices guide.]({{}}/rancher/v2.x/en/best-practices/deployment-types) + ### Prerequisites Before installing Rancher, make sure that your nodes fulfill all of the [installation requirements.]({{}}/rancher/v2.x/en/installation/requirements/) diff --git a/content/rancher/v2.x/en/installation/other-installation-methods/air-gap/_index.md b/content/rancher/v2.x/en/installation/other-installation-methods/air-gap/_index.md index b00bd50e581..fb264adc5e9 100644 --- a/content/rancher/v2.x/en/installation/other-installation-methods/air-gap/_index.md +++ b/content/rancher/v2.x/en/installation/other-installation-methods/air-gap/_index.md @@ -9,7 +9,7 @@ aliases: This section is about installations of Rancher server in an air gapped environment. An air gapped environment could be where Rancher server will be installed offline, behind a firewall, or behind a proxy. -The steps to install Rancher differ depending on whether Rancher is installed on an RKE Kubernetes cluster, a K3s Kubernetes cluster, or a single Docker container. +The installation steps differ depending on whether Rancher is installed on an RKE Kubernetes cluster, a K3s Kubernetes cluster, or a single Docker container. For more information on each installation option, refer to [this page.]({{}}/rancher/v2.x/en/installation/) From ff6d8b428497292ddcac6a14dbe71a734994509a Mon Sep 17 00:00:00 2001 
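Review bot: in the installation overview hunk at `@@ -44,6 +33,18 @@`, the re-added paragraph "When the nodes in your Kubernetes cluster are running ... you will use Helm to deploy Rancher onto Kubernetes" drops the old clause "you will use RKE or K3s to deploy Kubernetes onto them". The sentence now goes from bare nodes straight to a Helm install. Either keep the RKE/K3s clause or open with "When your Kubernetes cluster is running and its nodes fulfill the node requirements". The moved text also carries over "install Rancher in single Docker container", which is missing "a".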
From: Catherine Luse Date: Tue, 25 Feb 2020 16:54:53 -0700 Subject: [PATCH 074/183] Edit docs about Rancher on air gapped K3s --- .../air-gap/launch-kubernetes/_index.md | 15 ++++++++------- .../air-gap/prepare-nodes/_index.md | 2 ++ 2 files changed, 10 insertions(+), 7 deletions(-) diff --git a/content/rancher/v2.x/en/installation/other-installation-methods/air-gap/launch-kubernetes/_index.md b/content/rancher/v2.x/en/installation/other-installation-methods/air-gap/launch-kubernetes/_index.md index 28f2de5f713..cf96f997ea1 100644 --- a/content/rancher/v2.x/en/installation/other-installation-methods/air-gap/launch-kubernetes/_index.md +++ b/content/rancher/v2.x/en/installation/other-installation-methods/air-gap/launch-kubernetes/_index.md @@ -1,10 +1,12 @@ --- -title: '3. Install Kubernetes (Skip for Docker installs)' +title: '3. Install Kubernetes (RKE and K3s installs only)' weight: 300 aliases: - /rancher/v2.x/en/installation/air-gap-high-availability/install-kube --- +> Skip this section if you are installing Rancher on a single node with Docker. + This section describes how to install a Kubernetes cluster according to our [best practices for the Rancher server environment.]({{}}/rancher/v2.x/en/overview/architecture-recommendations/#environment-for-kubernetes-installations) This cluster should be dedicated to run only the Rancher server. For Rancher prior to v2.4, Rancher should be installed on an [RKE]({{}}/rke/latest/en/) (Rancher Kubernetes Engine) Kubernetes cluster. RKE is a CNCF-certified Kubernetes distribution that runs entirely within Docker containers. 
@@ -18,7 +20,7 @@ The steps to set up an air-gapped Kubernetes cluster depend on whether RKE or K3 {{% tabs %}} {{% tab "K3s" %}} -In this guide, we are assuming you have created your nodes in your air-gap environment and have a secure Docker private registry on your bastion server. +In this guide, we are assuming you have created your nodes in your air gapped environment and have a secure Docker private registry on your bastion server. ### Installation Outline @@ -39,6 +41,7 @@ sudo cp ./k3s-airgap-images-$ARCH.tar /var/lib/rancher/k3s/agent/images/ ### 2. Create Registry YAML Create the registries.yaml file at `/etc/rancher/k3s/registries.yaml`. This will tell K3s the necessary details to connect to your private registry. + The registries.yaml file should look like this before plugging in the necessary information: ``` @@ -58,7 +61,9 @@ configs: ca_file: ``` -Note, at this time only secure registries are supported with K3s (SSL with custom CA) +Note, at this time only secure registries are supported with K3s (SSL with custom CA). + +For more information on private registries configuration file for K3s, refer to the [K3s documentation.]({{}}/k3s/latest/en/installation/private-registry/) ### 3. Install K3s @@ -214,8 +219,4 @@ Save a copy of the following files in a secure location: See the [Troubleshooting]({{}}/rancher/v2.x/en/installation/options/troubleshooting/) page. -### Issues or errors? - -See the [Troubleshooting]({{}}/rancher/v2.x/en/installation/options/troubleshooting/) page. - ### [Next: Install Rancher](../install-rancher) diff --git a/content/rancher/v2.x/en/installation/other-installation-methods/air-gap/prepare-nodes/_index.md b/content/rancher/v2.x/en/installation/other-installation-methods/air-gap/prepare-nodes/_index.md index 7158e4b7225..e26b5b31cb5 100644 --- a/content/rancher/v2.x/en/installation/other-installation-methods/air-gap/prepare-nodes/_index.md 
+++ b/content/rancher/v2.x/en/installation/other-installation-methods/air-gap/prepare-nodes/_index.md @@ -79,6 +79,8 @@ For a how-to guide for setting up a DNS record to route domain traffic to an Ama Rancher supports air gap installs using a private registry. You must have your own private registry or other means of distributing Docker images to your machines. +In a later step, when you set up your K3s Kubernetes cluster, you will create a [private registries configuration file]({{}}/k3s/latest/en/installation/private-registry/) with details from this registry. + If you need help with creating a private registry, please refer to the [official Docker documentation.](https://docs.docker.com/registry/deploying/#run-an-externally-accessible-registry) {{% /tab %}} {{% tab "RKE" %}} From 3cc83fa7b185b1bf37ced36d00116f25023128f1 Mon Sep 17 00:00:00 2001 From: Catherine Luse Date: Wed, 26 Feb 2020 13:27:42 -0700 Subject: [PATCH 075/183] Mention K3s registry config file --- .../air-gap/prepare-nodes/_index.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/content/rancher/v2.x/en/installation/other-installation-methods/air-gap/prepare-nodes/_index.md b/content/rancher/v2.x/en/installation/other-installation-methods/air-gap/prepare-nodes/_index.md index e26b5b31cb5..ec59eb1582a 100644 --- a/content/rancher/v2.x/en/installation/other-installation-methods/air-gap/prepare-nodes/_index.md +++ b/content/rancher/v2.x/en/installation/other-installation-methods/air-gap/prepare-nodes/_index.md 
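Review bot: the sentence added to prepare-nodes at `@@ -79,6 +79,8 @@` follows a context line that says only "a private registry", while the launch-kubernetes hunk at `@@ -58,7 +61,9 @@` in the same commit states that only secure registries (SSL with custom CA) are supported with K3s. Say "secure" in the prepare-nodes text as well, so readers provision TLS and have the CA file ready before they reach `registries.yaml` and its `ca_file` entry. In the launch-kubernetes hunk, "For more information on private registries configuration file for K3s" needs an article: "on the private registries configuration file".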
@@ -142,6 +142,8 @@ For a how-to guide for setting up a DNS record to route domain traffic to an Ama Rancher supports air gap installs using a secure Docker private registry. You must have your own private registry or other means of distributing Docker images to your machines. +In a later step, when you set up your K3s Kubernetes cluster, you will create a [private registries configuration file]({{}}/k3s/latest/en/installation/private-registry/) with details from this registry. + If you need help with creating a private registry, please refer to the [official Docker documentation.](https://docs.docker.com/registry/deploying/#run-an-externally-accessible-registry) {{% /tab %}} @@ -164,6 +166,8 @@ For an example of one way to set up Linux nodes, refer to this [tutorial]({{}}/k3s/latest/en/installation/private-registry/) with details from this registry. + If you need help with creating a private registry, please refer to the [official Docker documentation.](https://docs.docker.com/registry/) {{% /tab %}} From cec21e4e9b5cc71c86a13fe3d0136967d157a3a5 Mon Sep 17 00:00:00 2001 From: Catherine Luse Date: Tue, 21 Jan 2020 14:56:31 -0700 Subject: [PATCH 076/183] Explain how to set up Shibboleth auth --- .../authentication/shibboleth/_index.md | 31 +++++++++++++++++++ 1 file changed, 31 insertions(+) create mode 100644 content/rancher/v2.x/en/admin-settings/authentication/shibboleth/_index.md diff --git a/content/rancher/v2.x/en/admin-settings/authentication/shibboleth/_index.md b/content/rancher/v2.x/en/admin-settings/authentication/shibboleth/_index.md new file mode 100644 index 00000000000..c9d284fe901 --- /dev/null +++ b/content/rancher/v2.x/en/admin-settings/authentication/shibboleth/_index.md 
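Review bot: the K3s sentence added at `@@ -142,6 +142,8 @@` and `@@ -164,6 +166,8 @@` is the same one the previous commit placed at line 79, just before `{{% tab "RKE" %}}` opens. If lines 142 and 164 sit in the RKE and Docker tabs, a pointer to the K3s private registries configuration file does not apply there and should be dropped or replaced with the equivalent step for that install type. Please confirm which tab each hunk lands in before merging.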
@@ -0,0 +1,31 @@ +--- +title: Configuring Shibboleth (SAML) +weight: 1210 +--- + +_Available as of v2.4.0_ + + +Shibboleth + +Select the Shibboleth icon. Fill in the configuration for the Shibboleth account, Save the information and Test that access control is working. + +With Shibboleth, there are some known issues that you should be aware of if you are configuring to validate against it. + + There is no search or lookup support. When adding in users, the exact IDs must be inputted for the correct users to get access. + When adding users to an environment, group IDs are not supported unless the admin, who turned on access control, is a member of the group. + +Site Access + +Depending on your authentication type, Rancher provides different levels of site access. +Active Directory/GitHub/Shibboleth + +If you have authenticated with AD or GitHub, there will be 3 options available. + +- Allow any valid Users - Any user within GitHub or Active Directory would be able to access your Rancher instance. This is not recommended for GitHub as it would be any user in GitHub! +- Allow members of Environments, plus Authorized Users and Organizations - Any user who is a member or owner of an environment will also have access to the Rancher instance as well as any user added to the Authorized Users and Organizations list. +- Restrict access only to Authorized Users and Organizations - Only users who are added to the Authorized Users and Organizations would have access to the Rancher instance. Even if a user has been added to an environment, they would not have access unless they are also added to the Authorized Users and Organizations section. + +Anyone with the permissions for the Rancher instance will be given user permissions. They will not be able to view the Admin tab. You would explicitly need to change their account to be an admin account. + +In order for users to view different environments, they will need to be added to the environment by an owner of the environment. 
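Review bot: the Site Access part of this new page is headed "Active Directory/GitHub/Shibboleth", but its text reads "If you have authenticated with AD or GitHub" and the first option warns only about GitHub. A reader cannot tell which of the three access levels exist for Shibboleth or what "any valid Users" means for an IdP. State the Shibboleth behaviour explicitly, since this setting decides who can log in. Smaller points: the two known-issue lines ("There is no search or lookup support" and the group ID limitation) have no list markers, "Shibboleth" and "Site Access" have no heading markup, and the file ends without a newline.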
\ No newline at end of file From 1fdcc573989750456e1dbdf5a9288afb437304ab Mon Sep 17 00:00:00 2001 From: Catherine Luse Date: Wed, 26 Feb 2020 16:11:22 -0700 Subject: [PATCH 077/183] Add Shibboleth first draft --- .../authentication/shibboleth/_index.md | 190 ++++++++++++++++-- 1 file changed, 176 insertions(+), 14 deletions(-) diff --git a/content/rancher/v2.x/en/admin-settings/authentication/shibboleth/_index.md b/content/rancher/v2.x/en/admin-settings/authentication/shibboleth/_index.md index c9d284fe901..0e10c20617b 100644 --- a/content/rancher/v2.x/en/admin-settings/authentication/shibboleth/_index.md +++ b/content/rancher/v2.x/en/admin-settings/authentication/shibboleth/_index.md 
@@ -5,27 +5,189 @@ weight: 1210 _Available as of v2.4.0_ +This section covers the following topics: -Shibboleth +- Prerequisites for Shibboleth +- Configuring Shibboleth -Select the Shibboleth icon. Fill in the configuration for the Shibboleth account, Save the information and Test that access control is working. +- About OpenLDAP +- OpenLDAP Authentication Flow +- Prerequisites for OpenLDAP +- OpenLDAP Configuration +- Configure OpenLDAP Server Settings +- Configure User/Group Schema + - User Schema + - Group Schema +- Test Authentication +- Troubleshooting -With Shibboleth, there are some known issues that you should be aware of if you are configuring to validate against it. +### Prerequisites for Shibboleth +> +>- You must have a Shibboleth IdP Server configured. +>- Following are the Rancher Service Provider URLs needed for configuration: +Metadata URL: `https:///v1-saml/shibboleth/saml/metadata` +Assertion Consumer Service (ACS) URL: `https:///v1-saml/shibboleth/saml/acs` +>- Export a `metadata.xml` file from your IdP Server. For more information, see the Shibboleth documentation. - There is no search or lookup support. When adding in users, the exact IDs must be inputted for the correct users to get access. - When adding users to an environment, group IDs are not supported unless the admin, who turned on access control, is a member of the group. -Site Access +### Configuring Shibboleth +If your organization uses Shibboleth for user authentication, you can configure Rancher to allow your users to log in using their IdP credentials. -Depending on your authentication type, Rancher provides different levels of site access. -Active Directory/GitHub/Shibboleth +1. From the **Global** view, select **Security > Authentication** from the main menu. -If you have authenticated with AD or GitHub, there will be 3 options available. +1. Select **Shibboleth**. 
-- Allow any valid Users - Any user within GitHub or Active Directory would be able to access your Rancher instance. This is not recommended for GitHub as it would be any user in GitHub! -- Allow members of Environments, plus Authorized Users and Organizations - Any user who is a member or owner of an environment will also have access to the Rancher instance as well as any user added to the Authorized Users and Organizations list. -- Restrict access only to Authorized Users and Organizations - Only users who are added to the Authorized Users and Organizations would have access to the Rancher instance. Even if a user has been added to an environment, they would not have access unless they are also added to the Authorized Users and Organizations section. +1. Complete the **Configure Shibboleth Account** form. Shibboleth IdP lets you specify what data store you want to use. You can either add a database or use an existing ldap server. For example, if you select your Active Directory (AD) server, the examples below describe how you can map AD attributes to fields within Rancher. -Anyone with the permissions for the Rancher instance will be given user permissions. They will not be able to view the Admin tab. You would explicitly need to change their account to be an admin account. + 1. **Display Name Field**: Enter the AD attribute that contains the display name of users (example: `displayName`). -In order for users to view different environments, they will need to be added to the environment by an owner of the environment. \ No newline at end of file + 1. **User Name Field**: Enter the AD attribute that contains the user name/given name (example: `givenName`). + + 1. **UID Field**: Enter an AD attribute that is unique to every user (example: `sAMAccountName`, `distinguishedName`). + + 1. **Groups Field**: Make entries for managing group memberships (example: `memberOf`). + + 1. **Rancher API Host**: Enter the URL for your Rancher Server. + + 1. 
**Private Key** and **Certificate**: This is a key-certificate pair to create a secure shell between Rancher and your IdP. + + You can generate one using an openssl command. For example: + + ``` + openssl req -x509 -newkey rsa:2048 -keyout myservice.key -out myservice.cert -days 365 -nodes -subj "/CN=myservice.example.com" + ``` + 1. **IDP-metadata**: The `metadata.xml` file that you exported from your IdP server. + + +1. After you complete the **Configure Shibboleth Account** form, click **Authenticate with Shibboleth**, which is at the bottom of the page. + + Rancher redirects you to the IdP login page. Enter credentials that authenticate with Shibboleth IdP to validate your Rancher Shibboleth configuration. + + >**Note:** You may have to disable your popup blocker to see the IdP login page. + +**Result:** Rancher is configured to work with Shibboleth. Your users can now sign into Rancher using their Shibboleth logins. + + +# About OpenLDAP + +If your organization uses LDAP for user authentication, you can configure Rancher to communicate with an OpenLDAP server to authenticate users. This allows Rancher admins to control access to clusters and projects based on users and groups managed externally in the organisation's central user repository, while allowing end-users to authenticate with their LDAP credentials when logging in to the Rancher UI. + +### OpenLDAP Authentication Flow + +1. When a user attempts to log in with his LDAP credentials, Rancher creates an initial bind to the LDAP server using a service account with permissions to search the directory and read user/group attributes. +2. Rancher then searches the directory for the user by using a search filter based on the provided username and configured attribute mappings. +3. Once the user has been found, he is authenticated with another LDAP bind request using the user's DN and provided password. +4. 
Once authentication succeeded, Rancher then resolves the group memberships both from the membership attribute in the user's object and by performing a group search based on the configured user mapping attribute. + +> **Note:** +> +> Before you proceed with the configuration, please familiarise yourself with the concepts of [External Authentication Configuration and Principal Users]({{}}/rancher/v2.x/en/admin-settings/authentication/#external-authentication-configuration-and-principal-users). + + +### Prerequisites for OpenLDAP + +Rancher must be configured with a LDAP bind account (aka service account) to search and retrieve LDAP entries pertaining to users and groups that should have access. It is recommended to not use an administrator account or personal account for this purpose and instead create a dedicated account in OpenLDAP with read-only access to users and groups under the configured search base (see below). + +> **Using TLS?** +> +> If the certificate used by the OpenLDAP server is self-signed or not from a recognised certificate authority, make sure have at hand the CA certificate (concatenated with any intermediate certificates) in PEM format. You will have to paste in this certificate during the configuration so that Rancher is able to validate the certificate chain. + +### Open OpenLDAP Configuration + +1. Log into the Rancher UI using the initial local `admin` account. +2. From the **Global** view, navigate to **Security** > **Authentication** +3. Select **OpenLDAP**. The **Configure an OpenLDAP server** form will be displayed. + +### Configure OpenLDAP Server Settings + +In the section titled `1. Configure an OpenLDAP server`, complete the fields with the information specific to your server. Please refer to the following table for detailed information on the required values for each parameter. 
+ +> **Note:** +> +> If you are in doubt about the correct values to enter in the user/group Search Base configuration fields, consult your LDAP administrator or refer to the section [Identify Search Base and Schema using ldapsearch]({{}}/rancher/v2.x/en/admin-settings/authentication/ad/#annex-identify-search-base-and-schema-using-ldapsearch) in the Active Directory authentication documentation. + +**Table 1: OpenLDAP server parameters** + +| Parameter | Description | +|:--|:--| +| Hostname | Specify the hostname or IP address of the OpenLDAP server | +| Port | Specify the port at which the OpenLDAP server is listening for connections. Unencrypted LDAP normally uses the standard port of 389, while LDAPS uses port 636.| +| TLS | Check this box to enable LDAP over SSL/TLS (commonly known as LDAPS). You will also need to paste in the CA certificate if the server uses a self-signed/enterprise-signed certificate. | +| Server Connection Timeout | The duration in number of seconds that Rancher waits before considering the server unreachable. | +| Service Account Distinguished Name | Enter the Distinguished Name (DN) of the user that should be used to bind, search and retrieve LDAP entries. (see [Prerequisites](#prerequisites)). | +| Service Account Password | The password for the service account. | +| User Search Base | Enter the Distinguished Name of the node in your directory tree from which to start searching for user objects. All users must be descendents of this base DN. For example: "ou=people,dc=acme,dc=com".| +| Group Search Base | If your groups live under a different node than the one configured under `User Search Base` you will need to provide the Distinguished Name here. Otherwise leave this field empty. For example: "ou=groups,dc=acme,dc=com".| + +--- + +# Configure User/Group Schema + +If your OpenLDAP directory deviates from the standard OpenLDAP schema, you must complete the **Customize Schema** section to match it. 
+Note that the attribute mappings configured in this section are used by Rancher to construct search filters and resolve group membership. It is therefore always recommended to verify that the configuration here matches the schema used in your OpenLDAP. + +> **Note:** +> +> If you are unfamiliar with the user/group schema used in the OpenLDAP server, consult your LDAP administrator or refer to the section [Identify Search Base and Schema using ldapsearch]({{}}/rancher/v2.x/en/admin-settings/authentication/ad/#annex-identify-search-base-and-schema-using-ldapsearch) in the Active Directory authentication documentation. + +### User Schema + +The table below details the parameters for the user schema configuration. + +**Table 2: User schema configuration parameters** + +| Parameter | Description | +|:--|:--| +| Object Class | The name of the object class used for user objects in your domain. If defined, only specify the name of the object class - *don't* include it in an LDAP wrapper such as &(objectClass=xxxx) | +| Username Attribute | The user attribute whose value is suitable as a display name. | +| Login Attribute | The attribute whose value matches the username part of credentials entered by your users when logging in to Rancher. This is typically `uid`. | +| User Member Attribute | The user attribute containing the Distinguished Name of groups a user is member of. Usually this is one of `memberOf` or `isMemberOf`. | +| Search Attribute | When a user enters text to add users or groups in the UI, Rancher queries the LDAP server and attempts to match users by the attributes provided in this setting. Multiple attributes can be specified by separating them with the pipe ("\|") symbol. | +| User Enabled Attribute | If the schema of your OpenLDAP server supports a user attribute whose value can be evaluated to determine if the account is disabled or locked, enter the name of that attribute. 
The default OpenLDAP schema does not support this and the field should usually be left empty. | +| Disabled Status Bitmask | This is the value for a disabled/locked user account. The parameter is ignored if `User Enabled Attribute` is empty. | + +--- + +### Group Schema + +The table below details the parameters for the group schema configuration. + +**Table 3: Group schema configuration parameters** + +| Parameter | Description | +|:--|:--| +| Object Class | The name of the object class used for group entries in your domain. If defined, only specify the name of the object class - *don't* include it in an LDAP wrapper such as &(objectClass=xxxx) | +| Name Attribute | The group attribute whose value is suitable for a display name. | +| Group Member User Attribute | The name of the **user attribute** whose format matches the group members in the `Group Member Mapping Attribute`. | +| Group Member Mapping Attribute | The name of the group attribute containing the members of a group. | +| Search Attribute | Attribute used to construct search filters when adding groups to clusters or projects in the UI. See description of user schema `Search Attribute`. | +| Group DN Attribute | The name of the group attribute whose format matches the values in the user's group membership attribute. See `User Member Attribute`. | +| Nested Group Membership | This settings defines whether Rancher should resolve nested group memberships. Use only if your organisation makes use of these nested memberships (ie. you have groups that contain other groups as members). | + +--- + +# Test Authentication + +Once you have completed the configuration, proceed by testing the connection to the OpenLDAP server. Authentication with OpenLDAP will be enabled implicitly if the test is successful. + +> **Note:** +> +> The OpenLDAP user pertaining to the credentials entered in this step will be mapped to the local principal account and assigned administrator privileges in Rancher. 
You should therefore make a conscious decision on which LDAP account you use to perform this step. + +1. Enter the **username** and **password** for the OpenLDAP account that should be mapped to the local principal account. +2. Click **Authenticate With OpenLDAP** to test the OpenLDAP connection and finalise the setup. + +**Result:** + +- OpenLDAP authentication is configured. +- The LDAP user pertaining to the entered credentials is mapped to the local principal (administrative) account. + +> **Note:** +> +> You will still be able to login using the locally configured `admin` account and password in case of a disruption of LDAP services. + +# Troubleshooting + +If you are experiencing issues while testing the connection to the OpenLDAP server, first double-check the credentials entered for the service account as well as the search base configuration. You may also inspect the Rancher logs to help pinpointing the problem cause. Debug logs may contain more detailed information about the error. Please refer to [How can I enable debug logging]({{}}/rancher/v2.x/en/faq/technical/#how-can-i-enable-debug-logging) in this documentation. + +{{< saml_caveats >}} From 91c28cb38701298c2f53b8815c4dad592d34605c Mon Sep 17 00:00:00 2001 From: Catherine Luse Date: Thu, 27 Feb 2020 18:44:43 -0700 Subject: [PATCH 078/183] Revise docs on Shibboleth and OpenLDAP --- .../authentication/openldap/_index.md | 69 +------- .../openldap/openldap-config/_index.md | 72 +++++++++ .../authentication/shibboleth/_index.md | 148 ++++-------------- .../authentication/shibboleth/about/_index.md | 49 ++++++ .../shibboleth-with-openldap-groups.svg | 3 + 5 files changed, 155 insertions(+), 186 deletions(-) create mode 100644 content/rancher/v2.x/en/admin-settings/authentication/openldap/openldap-config/_index.md create mode 100644 content/rancher/v2.x/en/admin-settings/authentication/shibboleth/about/_index.md create mode 100644 static/img/rancher/shibboleth-with-openldap-groups.svg 
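Review bot: the **Private Key** and **Certificate** step in the `@@ -5,27 +5,189 @@` hunk says the pair creates "a secure shell between Rancher and your IdP", which reads as SSH; describe what the pair does in the SAML exchange instead. The openssl example uses `-nodes`, so `myservice.key` is written unencrypted, and `-days 365` means the certificate expires after a year. The step should tell readers to restrict access to the key file and plan for renewal. The rest of the hunk pastes the OpenLDAP page into the Shibboleth page. The topic list mixes both, heading levels jump between `#` and `###`, and "Open OpenLDAP Configuration" looks like a typo. `(see [Prerequisites](#prerequisites))` has no matching heading here, because the headings are "Prerequisites for Shibboleth" and "Prerequisites for OpenLDAP".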
diff --git a/content/rancher/v2.x/en/admin-settings/authentication/openldap/_index.md b/content/rancher/v2.x/en/admin-settings/authentication/openldap/_index.md index 2a59301ad9b..4338bc3f86a 100644 --- a/content/rancher/v2.x/en/admin-settings/authentication/openldap/_index.md +++ b/content/rancher/v2.x/en/admin-settings/authentication/openldap/_index.md 
@@ -29,79 +29,12 @@ Rancher must be configured with a LDAP bind account (aka service account) to sea > If the certificate used by the OpenLDAP server is self-signed or not from a recognised certificate authority, make sure have at hand the CA certificate (concatenated with any intermediate certificates) in PEM format. You will have to paste in this certificate during the configuration so that Rancher is able to validate the certificate chain. ## Configuration Steps -### Open OpenLDAP Configuration 1. Log into the Rancher UI using the initial local `admin` account. 2. From the **Global** view, navigate to **Security** > **Authentication** 3. Select **OpenLDAP**. The **Configure an OpenLDAP server** form will be displayed. -### Configure OpenLDAP Server Settings - -In the section titled `1. Configure an OpenLDAP server`, complete the fields with the information specific to your server. Please refer to the following table for detailed information on the required values for each parameter. - -> **Note:** -> -> If you are in doubt about the correct values to enter in the user/group Search Base configuration fields, consult your LDAP administrator or refer to the section [Identify Search Base and Schema using ldapsearch]({{}}/rancher/v2.x/en/admin-settings/authentication/ad/#annex-identify-search-base-and-schema-using-ldapsearch) in the Active Directory authentication documentation. - -**Table 1: OpenLDAP server parameters** - -| Parameter | Description | -|:--|:--| -| Hostname | Specify the hostname or IP address of the OpenLDAP server | -| Port | Specify the port at which the OpenLDAP server is listening for connections. Unencrypted LDAP normally uses the standard port of 389, while LDAPS uses port 636.| -| TLS | Check this box to enable LDAP over SSL/TLS (commonly known as LDAPS). You will also need to paste in the CA certificate if the server uses a self-signed/enterprise-signed certificate. 
| -| Server Connection Timeout | The duration in number of seconds that Rancher waits before considering the server unreachable. | -| Service Account Distinguished Name | Enter the Distinguished Name (DN) of the user that should be used to bind, search and retrieve LDAP entries. (see [Prerequisites](#prerequisites)). | -| Service Account Password | The password for the service account. | -| User Search Base | Enter the Distinguished Name of the node in your directory tree from which to start searching for user objects. All users must be descendents of this base DN. For example: "ou=people,dc=acme,dc=com".| -| Group Search Base | If your groups live under a different node than the one configured under `User Search Base` you will need to provide the Distinguished Name here. Otherwise leave this field empty. For example: "ou=groups,dc=acme,dc=com".| - ---- - -### Configure User/Group Schema - -If your OpenLDAP directory deviates from the standard OpenLDAP schema, you must complete the **Customize Schema** section to match it. -Note that the attribute mappings configured in this section are used by Rancher to construct search filters and resolve group membership. It is therefore always recommended to verify that the configuration here matches the schema used in your OpenLDAP. - -> **Note:** -> -> If you are unfamiliar with the user/group schema used in the OpenLDAP server, consult your LDAP administrator or refer to the section [Identify Search Base and Schema using ldapsearch]({{}}/rancher/v2.x/en/admin-settings/authentication/ad/#annex-identify-search-base-and-schema-using-ldapsearch) in the Active Directory authentication documentation. - -#### User Schema - -The table below details the parameters for the user schema configuration. - -**Table 2: User schema configuration parameters** - -| Parameter | Description | -|:--|:--| -| Object Class | The name of the object class used for user objects in your domain. 
If defined, only specify the name of the object class - *don't* include it in an LDAP wrapper such as &(objectClass=xxxx) | -| Username Attribute | The user attribute whose value is suitable as a display name. | -| Login Attribute | The attribute whose value matches the username part of credentials entered by your users when logging in to Rancher. This is typically `uid`. | -| User Member Attribute | The user attribute containing the Distinguished Name of groups a user is member of. Usually this is one of `memberOf` or `isMemberOf`. | -| Search Attribute | When a user enters text to add users or groups in the UI, Rancher queries the LDAP server and attempts to match users by the attributes provided in this setting. Multiple attributes can be specified by separating them with the pipe ("\|") symbol. | -| User Enabled Attribute | If the schema of your OpenLDAP server supports a user attribute whose value can be evaluated to determine if the account is disabled or locked, enter the name of that attribute. The default OpenLDAP schema does not support this and the field should usually be left empty. | -| Disabled Status Bitmask | This is the value for a disabled/locked user account. The parameter is ignored if `User Enabled Attribute` is empty. | - ---- - -#### Group Schema - -The table below details the parameters for the group schema configuration. - -**Table 3: Group schema configuration parameters** - -| Parameter | Description | -|:--|:--| -| Object Class | The name of the object class used for group entries in your domain. If defined, only specify the name of the object class - *don't* include it in an LDAP wrapper such as &(objectClass=xxxx) | -| Name Attribute | The group attribute whose value is suitable for a display name. | -| Group Member User Attribute | The name of the **user attribute** whose format matches the group members in the `Group Member Mapping Attribute`. 
| -| Group Member Mapping Attribute | The name of the group attribute containing the members of a group. | -| Search Attribute | Attribute used to construct search filters when adding groups to clusters or projects in the UI. See description of user schema `Search Attribute`. | -| Group DN Attribute | The name of the group attribute whose format matches the values in the user's group membership attribute. See `User Member Attribute`. | -| Nested Group Membership | This settings defines whether Rancher should resolve nested group memberships. Use only if your organisation makes use of these nested memberships (ie. you have groups that contain other groups as members). | - ---- +Then configure the settings for the OpenLDAP server, groups and users. For help filling out each field, refer to the [configuration reference.](../openldap-config) ### Test Authentication diff --git a/content/rancher/v2.x/en/admin-settings/authentication/openldap/openldap-config/_index.md b/content/rancher/v2.x/en/admin-settings/authentication/openldap/openldap-config/_index.md new file mode 100644 index 00000000000..047a20919e5 --- /dev/null +++ b/content/rancher/v2.x/en/admin-settings/authentication/openldap/openldap-config/_index.md 
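Review bot: the added link `[configuration reference.](../openldap-config)` in openldap/_index.md looks wrong, because the file header that follows creates the reference page at `openldap/openldap-config/_index.md`, a child of this page, while `../openldap-config` resolves one level above it. The Shibboleth page in this same patch links to the reference with the full baseurl-style path `/rancher/v2.x/en/admin-settings/authentication/openldap/openldap-config`; use the same form here so both links reach the same page. With `### Open OpenLDAP Configuration` removed, the numbered steps and the new sentence sit directly under `## Configuration Steps` while `### Test Authentication` stays one level down, so please check that the outline still reads as intended.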
@@ -0,0 +1,72 @@ +--- +title: OpenLDAP Configuration Reference +weight: 2 +--- + +This section is intended to be used as a reference when setting up an OpenLDAP authentication provider in Rancher. + +For further details on configuring OpenLDAP, refer to the [official documentation.](https://www.openldap.org/doc/) + +- [OpenLDAP server configuration](#openldap-server-configuration) +- [User/group schema configuration](#user-group-schema-configuration) + - [User schema configuration](#user-schema-configuration) + - [Group schema configuration](#group-schema-configuration) + +# OpenLDAP Server Configuration + +You will need to enter the address, port, and protocol to connect to your OpenLDAP server. `389` is the standard port for insecure traffic, `636` for TLS traffic. + +If you are in doubt about the correct values to enter in the user/group Search Base configuration fields, consult your LDAP administrator or refer to the section [Identify Search Base and Schema using ldapsearch]({{}}/rancher/v2.x/en/admin-settings/authentication/ad/#annex-identify-search-base-and-schema-using-ldapsearch) in the Active Directory authentication documentation. + +
    OpenLDAP Server Parameters
    + +| Parameter | Description | +|:--|:--| +| Hostname | Specify the hostname or IP address of the OpenLDAP server | +| Port | Specify the port at which the OpenLDAP server is listening for connections. Unencrypted LDAP normally uses the standard port of 389, while LDAPS uses port 636.| +| TLS | Check this box to enable LDAP over SSL/TLS (commonly known as LDAPS). You will also need to paste in the CA certificate if the server uses a self-signed/enterprise-signed certificate. | +| Server Connection Timeout | The duration in number of seconds that Rancher waits before considering the server unreachable. | +| Service Account Distinguished Name | Enter the Distinguished Name (DN) of the user that should be used to bind, search and retrieve LDAP entries. (see [Prerequisites](#prerequisites)). | +| Service Account Password | The password for the service account. | +| User Search Base | Enter the Distinguished Name of the node in your directory tree from which to start searching for user objects. All users must be descendents of this base DN. For example: "ou=people,dc=acme,dc=com".| +| Group Search Base | If your groups live under a different node than the one configured under `User Search Base` you will need to provide the Distinguished Name here. Otherwise leave this field empty. For example: "ou=groups,dc=acme,dc=com".| + +# User/Group Schema Configuration + +If your OpenLDAP directory deviates from the standard OpenLDAP schema, you must complete the **Customize Schema** section to match it. + +Note that the attribute mappings configured in this section are used by Rancher to construct search filters and resolve group membership. It is therefore always recommended to verify that the configuration here matches the schema used in your OpenLDAP. 
+ +If you are unfamiliar with the user/group schema used in the OpenLDAP server, consult your LDAP administrator or refer to the section [Identify Search Base and Schema using ldapsearch]({{}}/rancher/v2.x/en/admin-settings/authentication/ad/#annex-identify-search-base-and-schema-using-ldapsearch) in the Active Directory authentication documentation. + +### User Schema Configuration + +The table below details the parameters for the user schema configuration. + +
    User Schema Configuration Parameters
    + +| Parameter | Description | +|:--|:--| +| Object Class | The name of the object class used for user objects in your domain. If defined, only specify the name of the object class - *don't* include it in an LDAP wrapper such as &(objectClass=xxxx) | +| Username Attribute | The user attribute whose value is suitable as a display name. | +| Login Attribute | The attribute whose value matches the username part of credentials entered by your users when logging in to Rancher. This is typically `uid`. | +| User Member Attribute | The user attribute containing the Distinguished Name of groups a user is member of. Usually this is one of `memberOf` or `isMemberOf`. | +| Search Attribute | When a user enters text to add users or groups in the UI, Rancher queries the LDAP server and attempts to match users by the attributes provided in this setting. Multiple attributes can be specified by separating them with the pipe ("\|") symbol. | +| User Enabled Attribute | If the schema of your OpenLDAP server supports a user attribute whose value can be evaluated to determine if the account is disabled or locked, enter the name of that attribute. The default OpenLDAP schema does not support this and the field should usually be left empty. | +| Disabled Status Bitmask | This is the value for a disabled/locked user account. The parameter is ignored if `User Enabled Attribute` is empty. | + +### Group Schema Configuration + +The table below details the parameters for the group schema configuration. + +
    Group Schema Configuration Parameters
    + +| Parameter | Description | +|:--|:--| +| Object Class | The name of the object class used for group entries in your domain. If defined, only specify the name of the object class - *don't* include it in an LDAP wrapper such as &(objectClass=xxxx) | +| Name Attribute | The group attribute whose value is suitable for a display name. | +| Group Member User Attribute | The name of the **user attribute** whose format matches the group members in the `Group Member Mapping Attribute`. | +| Group Member Mapping Attribute | The name of the group attribute containing the members of a group. | +| Search Attribute | Attribute used to construct search filters when adding groups to clusters or projects in the UI. See description of user schema `Search Attribute`. | +| Group DN Attribute | The name of the group attribute whose format matches the values in the user's group membership attribute. See `User Member Attribute`. | +| Nested Group Membership | This settings defines whether Rancher should resolve nested group memberships. Use only if your organisation makes use of these nested memberships (ie. you have groups that contain other groups as members). | \ No newline at end of file diff --git a/content/rancher/v2.x/en/admin-settings/authentication/shibboleth/_index.md b/content/rancher/v2.x/en/admin-settings/authentication/shibboleth/_index.md index 0e10c20617b..5ca461f13c7 100644 --- a/content/rancher/v2.x/en/admin-settings/authentication/shibboleth/_index.md +++ b/content/rancher/v2.x/en/admin-settings/authentication/shibboleth/_index.md 
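Review bot: in the new openldap-config/_index.md, the Service Account Distinguished Name row still ends with "(see [Prerequisites](#prerequisites))", but this page has no Prerequisites heading (its sections are OpenLDAP Server Configuration and User/Group Schema Configuration), so the anchor points nowhere after the move. Link to the Prerequisites section of the OpenLDAP page instead. Two smaller points: the schema subsections use `###` directly under a `#` heading, skipping a level, and the intro calls port `389` "insecure traffic" without saying that the service account password entered in this form is used to bind over that connection, which is the practical reason to tick the TLS box.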
@@ -5,30 +5,34 @@ weight: 1210 _Available as of v2.4.0_ +If your organization uses Shibboleth Identity Provider (IdP) for user authentication, you can configure Rancher to allow your users to log in to Rancher using their Shibboleth credentials. + +In this configuration, when Rancher users log in, they will be redirected to the Shibboleth IdP to enter their credentials. After authentication, they will be redirected back to the Rancher UI. + +If you also configure OpenLDAP as the back end to Shibboleth, it will return a SAML assertion to Rancher with user attributes that include groups. Then the authenticated user will be able to access resources in Rancher that their groups have permissions for. + +> The instructions in this section assume that you understand how Rancher, Shibboleth, and OpenLDAP work together. For a more detailed explanation of how it works, refer to [this page.](./about) + This section covers the following topics: -- Prerequisites for Shibboleth -- Configuring Shibboleth +- [Setting up Shibboleth in Rancher](#setting-up-shibboleth-in-rancher) + - [Shibboleth Prerequisites](#shibboleth-prerequisites) + - [Configuring Shibboleth](#configuring-shibboleth) + - [SAML Provider Caveats](#saml-provider-caveats) +- [Setting up OpenLDAP in Rancher](#setting-up-openldap-in-rancher) + - [OpenLDAP Prerequisites](#openldap-prerequisites) + - [Configuring OpenLDAP](#configuring-openldap) + - [Troubleshooting](#troubleshooting) -- About OpenLDAP -- OpenLDAP Authentication Flow -- Prerequisites for OpenLDAP -- OpenLDAP Configuration -- Configure OpenLDAP Server Settings -- Configure User/Group Schema - - User Schema - - Group Schema -- Test Authentication -- Troubleshooting +# Setting up Shibboleth in Rancher -### Prerequisites for Shibboleth +### Shibboleth Prerequisites > >- You must have a Shibboleth IdP Server configured. 
>- Following are the Rancher Service Provider URLs needed for configuration: Metadata URL: `https:///v1-saml/shibboleth/saml/metadata` Assertion Consumer Service (ACS) URL: `https:///v1-saml/shibboleth/saml/acs` ->- Export a `metadata.xml` file from your IdP Server. For more information, see the Shibboleth documentation. - +>- Export a `metadata.xml` file from your IdP Server. For more information, see the [Shibboleth documentation.](https://wiki.shibboleth.net/confluence/display/SP3/Home) ### Configuring Shibboleth If your organization uses Shibboleth for user authentication, you can configure Rancher to allow your users to log in using their IdP credentials. 
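Review bot: the new opening paragraph ("If your organization uses Shibboleth Identity Provider (IdP) for user authentication, you can configure Rancher to allow your users to log in ...") repeats almost word for word the unchanged sentence that still opens `### Configuring Shibboleth` at the end of this hunk; drop one of the two. In the third added paragraph, "it will return a SAML assertion to Rancher" is ambiguous between OpenLDAP and Shibboleth; name Shibboleth as the sender. The link `[this page.](./about)` is relative while the other links in this file use the baseurl form, and the new table of contents nests Troubleshooting under "Setting up OpenLDAP in Rancher" although the heading further down stays at `#` level.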
@@ -67,24 +71,20 @@ If your organization uses Shibboleth for user authentication, you can configure **Result:** Rancher is configured to work with Shibboleth. Your users can now sign into Rancher using their Shibboleth logins. +### SAML Provider Caveats -# About OpenLDAP +If you configure Shibboleth without OpenLDAP, the following caveats apply due to the fact that SAML Protocol does not support search or lookup for users or groups. -If your organization uses LDAP for user authentication, you can configure Rancher to communicate with an OpenLDAP server to authenticate users. This allows Rancher admins to control access to clusters and projects based on users and groups managed externally in the organisation's central user repository, while allowing end-users to authenticate with their LDAP credentials when logging in to the Rancher UI. - -### OpenLDAP Authentication Flow - -1. When a user attempts to log in with his LDAP credentials, Rancher creates an initial bind to the LDAP server using a service account with permissions to search the directory and read user/group attributes. -2. Rancher then searches the directory for the user by using a search filter based on the provided username and configured attribute mappings. -3. Once the user has been found, he is authenticated with another LDAP bind request using the user's DN and provided password. -4. Once authentication succeeded, Rancher then resolves the group memberships both from the membership attribute in the user's object and by performing a group search based on the configured user mapping attribute. +- There is no validation on users or groups when assigning permissions to them in Rancher. +- When adding users, the exact user IDs (i.e. UID Field) must be entered correctly. As you type the user ID, there will be no search for other user IDs that may match. +- When adding groups, you must select the group from the drop-down that is next to the text box. 
Rancher assumes that any input from the text box is a user. +- The group drop-down shows only the groups that you are a member of. You will not be able to add groups that you are not a member of. -> **Note:** -> -> Before you proceed with the configuration, please familiarise yourself with the concepts of [External Authentication Configuration and Principal Users]({{}}/rancher/v2.x/en/admin-settings/authentication/#external-authentication-configuration-and-principal-users). +To enable searching for groups when assigning permissions in Rancher, you will need to configure a back end for the SAML provider that supports groups, such as OpenLDAP. +# Setting up OpenLDAP in Rancher -### Prerequisites for OpenLDAP +### OpenLDAP Prerequisites Rancher must be configured with a LDAP bind account (aka service account) to search and retrieve LDAP entries pertaining to users and groups that should have access. It is recommended to not use an administrator account or personal account for this purpose and instead create a dedicated account in OpenLDAP with read-only access to users and groups under the configured search base (see below). 
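Review bot: the caveat list under `### SAML Provider Caveats` is written out by hand here, while the last hunk of this file removes the `{{< saml_caveats >}}` shortcode; if other SAML provider pages still use that shortcode, the two copies will drift, so either keep the shortcode under the new heading or note why this page needs its own text. The first bullet ("There is no validation on users or groups when assigning permissions to them in Rancher") would be more useful to an administrator if it said what happens to a role binding created for a mistyped ID, since the second bullet makes clear nothing will flag the typo. This hunk also removes the note pointing to "External Authentication Configuration and Principal Users" without adding it back anywhere on this page.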
@@ -92,102 +92,14 @@ Rancher must be configured with a LDAP bind account (aka service account) to sea > > If the certificate used by the OpenLDAP server is self-signed or not from a recognised certificate authority, make sure have at hand the CA certificate (concatenated with any intermediate certificates) in PEM format. You will have to paste in this certificate during the configuration so that Rancher is able to validate the certificate chain. -### Open OpenLDAP Configuration +### Configuring OpenLDAP 1. Log into the Rancher UI using the initial local `admin` account. 2. From the **Global** view, navigate to **Security** > **Authentication** 3. Select **OpenLDAP**. The **Configure an OpenLDAP server** form will be displayed. -### Configure OpenLDAP Server Settings - -In the section titled `1. Configure an OpenLDAP server`, complete the fields with the information specific to your server. Please refer to the following table for detailed information on the required values for each parameter. - -> **Note:** -> -> If you are in doubt about the correct values to enter in the user/group Search Base configuration fields, consult your LDAP administrator or refer to the section [Identify Search Base and Schema using ldapsearch]({{}}/rancher/v2.x/en/admin-settings/authentication/ad/#annex-identify-search-base-and-schema-using-ldapsearch) in the Active Directory authentication documentation. - -**Table 1: OpenLDAP server parameters** - -| Parameter | Description | -|:--|:--| -| Hostname | Specify the hostname or IP address of the OpenLDAP server | -| Port | Specify the port at which the OpenLDAP server is listening for connections. Unencrypted LDAP normally uses the standard port of 389, while LDAPS uses port 636.| -| TLS | Check this box to enable LDAP over SSL/TLS (commonly known as LDAPS). You will also need to paste in the CA certificate if the server uses a self-signed/enterprise-signed certificate. 
| -| Server Connection Timeout | The duration in number of seconds that Rancher waits before considering the server unreachable. | -| Service Account Distinguished Name | Enter the Distinguished Name (DN) of the user that should be used to bind, search and retrieve LDAP entries. (see [Prerequisites](#prerequisites)). | -| Service Account Password | The password for the service account. | -| User Search Base | Enter the Distinguished Name of the node in your directory tree from which to start searching for user objects. All users must be descendents of this base DN. For example: "ou=people,dc=acme,dc=com".| -| Group Search Base | If your groups live under a different node than the one configured under `User Search Base` you will need to provide the Distinguished Name here. Otherwise leave this field empty. For example: "ou=groups,dc=acme,dc=com".| - ---- - -# Configure User/Group Schema - -If your OpenLDAP directory deviates from the standard OpenLDAP schema, you must complete the **Customize Schema** section to match it. -Note that the attribute mappings configured in this section are used by Rancher to construct search filters and resolve group membership. It is therefore always recommended to verify that the configuration here matches the schema used in your OpenLDAP. - -> **Note:** -> -> If you are unfamiliar with the user/group schema used in the OpenLDAP server, consult your LDAP administrator or refer to the section [Identify Search Base and Schema using ldapsearch]({{}}/rancher/v2.x/en/admin-settings/authentication/ad/#annex-identify-search-base-and-schema-using-ldapsearch) in the Active Directory authentication documentation. - -### User Schema - -The table below details the parameters for the user schema configuration. - -**Table 2: User schema configuration parameters** - -| Parameter | Description | -|:--|:--| -| Object Class | The name of the object class used for user objects in your domain. 
If defined, only specify the name of the object class - *don't* include it in an LDAP wrapper such as &(objectClass=xxxx) | -| Username Attribute | The user attribute whose value is suitable as a display name. | -| Login Attribute | The attribute whose value matches the username part of credentials entered by your users when logging in to Rancher. This is typically `uid`. | -| User Member Attribute | The user attribute containing the Distinguished Name of groups a user is member of. Usually this is one of `memberOf` or `isMemberOf`. | -| Search Attribute | When a user enters text to add users or groups in the UI, Rancher queries the LDAP server and attempts to match users by the attributes provided in this setting. Multiple attributes can be specified by separating them with the pipe ("\|") symbol. | -| User Enabled Attribute | If the schema of your OpenLDAP server supports a user attribute whose value can be evaluated to determine if the account is disabled or locked, enter the name of that attribute. The default OpenLDAP schema does not support this and the field should usually be left empty. | -| Disabled Status Bitmask | This is the value for a disabled/locked user account. The parameter is ignored if `User Enabled Attribute` is empty. | - ---- - -### Group Schema - -The table below details the parameters for the group schema configuration. - -**Table 3: Group schema configuration parameters** - -| Parameter | Description | -|:--|:--| -| Object Class | The name of the object class used for group entries in your domain. If defined, only specify the name of the object class - *don't* include it in an LDAP wrapper such as &(objectClass=xxxx) | -| Name Attribute | The group attribute whose value is suitable for a display name. | -| Group Member User Attribute | The name of the **user attribute** whose format matches the group members in the `Group Member Mapping Attribute`. 
| -| Group Member Mapping Attribute | The name of the group attribute containing the members of a group. | -| Search Attribute | Attribute used to construct search filters when adding groups to clusters or projects in the UI. See description of user schema `Search Attribute`. | -| Group DN Attribute | The name of the group attribute whose format matches the values in the user's group membership attribute. See `User Member Attribute`. | -| Nested Group Membership | This settings defines whether Rancher should resolve nested group memberships. Use only if your organisation makes use of these nested memberships (ie. you have groups that contain other groups as members). | - ---- - -# Test Authentication - -Once you have completed the configuration, proceed by testing the connection to the OpenLDAP server. Authentication with OpenLDAP will be enabled implicitly if the test is successful. - -> **Note:** -> -> The OpenLDAP user pertaining to the credentials entered in this step will be mapped to the local principal account and assigned administrator privileges in Rancher. You should therefore make a conscious decision on which LDAP account you use to perform this step. - -1. Enter the **username** and **password** for the OpenLDAP account that should be mapped to the local principal account. -2. Click **Authenticate With OpenLDAP** to test the OpenLDAP connection and finalise the setup. - -**Result:** - -- OpenLDAP authentication is configured. -- The LDAP user pertaining to the entered credentials is mapped to the local principal (administrative) account. - -> **Note:** -> -> You will still be able to login using the locally configured `admin` account and password in case of a disruption of LDAP services. +Then configure the settings for the OpenLDAP server, groups and users. 
For help filling out each field, refer to the [configuration reference.]({{}}/rancher/v2.x/en/admin-settings/authentication/openldap/openldap-config) # Troubleshooting If you are experiencing issues while testing the connection to the OpenLDAP server, first double-check the credentials entered for the service account as well as the search base configuration. You may also inspect the Rancher logs to help pinpointing the problem cause. Debug logs may contain more detailed information about the error. Please refer to [How can I enable debug logging]({{}}/rancher/v2.x/en/faq/technical/#how-can-i-enable-debug-logging) in this documentation. - -{{< saml_caveats >}} diff --git a/content/rancher/v2.x/en/admin-settings/authentication/shibboleth/about/_index.md b/content/rancher/v2.x/en/admin-settings/authentication/shibboleth/about/_index.md new file mode 100644 index 00000000000..7af334d0c70 --- /dev/null +++ b/content/rancher/v2.x/en/admin-settings/authentication/shibboleth/about/_index.md 
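Review bot: this hunk deletes the whole `# Test Authentication` section from the Shibboleth page, including the note that the OpenLDAP user whose credentials are entered in that step "will be mapped to the local principal account and assigned administrator privileges in Rancher", and the configuration reference that the replacement sentence links to has no Test Authentication section. The retained Troubleshooting paragraph still begins "If you are experiencing issues while testing the connection to the OpenLDAP server", so the page now refers to a step it no longer describes. Either keep a short test step with the administrator-mapping note here, or link to the Test Authentication section of the OpenLDAP page in addition to the reference.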
@@ -0,0 +1,49 @@ +--- +title: Group Permissions with Shibboleth and OpenLDAP +weight: 1 +--- + +_Available as of Rancher v2.4_ + +This page provides background information and context for Rancher users who intend to set up the Shibboleth authentication provider in Rancher. + +Because Shibboleth is a SAML provider, it does not support searching for groups. While a Shibboleth integration can validate user credentials, it can't be used to assign permissions to groups in Rancher without additional configuration. + +One solution to this problem is to configure an OpenLDAP identity provider. With an OpenLDAP back end for Shibboleth, you will be able to search for groups in Rancher and assign them to resources such as clusters, projects, or namespaces from the Rancher UI. + +This section covers the following topics: + +- [Terminology] +- [OpenLDAP authentication flow] + +### Terminology + +- **Shibboleth** is a single sign-on log-in system for computer networks and the Internet. It allows people to sign in using just one identity to various systems. It validates user credentials, but does not, on its own, handle group memberships. +- **SAML:** Security Assertion Markup Language, an open standard for exchanging authentication and authorization data between an identity provider and a service provider. +- **OpenLDAP:** a free, open-source implementation of the Lightweight Directory Access Protocol (LDAP). It is used to manage an organization’s computers and users. OpenLDAP is useful for Rancher users because it supports groups. In Rancher, it is possible to assign permissions to groups so that they can access resources such as clusters, projects, or namespaces, as long as the groups already exist in the identity provider. +- **IdP or IDP:** An identity provider. OpenLDAP is an example of an identity provider. 
+ +### Adding OpenLDAP Group Permissions to Rancher Resources + +The diagram below illustrates how members of an OpenLDAP group can access resources in Rancher that the group has permissions for. + +For example, a cluster owner could add an OpenLDAP group to a cluster so that they have permissions view most cluster level resources and create new projects. Then the OpenLDAP group members will have access to the cluster as soon as they log in to Rancher. + +In this scenario, OpenLDAP allows the cluster owner to search for groups when assigning persmissions. Without OpenLDAP, the functionality to search for groups would not be supported. + +When a member of the OpenLDAP group logs in to Rancher, she is redirected to Shibboleth and enters her username and password. + +Shibboleth validates her credentials, and retrieves user attributes from OpenLDAP, including groups. Then Shibboleth sends a SAML assertion to Rancher including the user attributes. Rancher uses the group data so that she can access all of the resources and permissions that her groups has permissions for. + +![Adding OpenLDAP Group Permissions to Rancher Resources]({{}}/img/rancher/shibboleth-with-openldap-groups.svg) + +### OpenLDAP Authentication Flow + +1. When a user attempts to log in with his or her LDAP credentials, Rancher creates an initial bind to the LDAP server using a service account with permissions to search the directory and read user/group attributes. +2. Rancher then searches the directory for the user by using a search filter based on the provided username and configured attribute mappings. +3. Once the user has been found, he is authenticated with another LDAP bind request using the user's DN and provided password. +4. Once authentication succeeded, Rancher then resolves the group memberships both from the membership attribute in the user's object and by performing a group search based on the configured user mapping attribute. 
+ +> **Note:** +> +> Before you proceed with the configuration, please familiarize yourself with the concepts of [External Authentication Configuration and Principal Users]({{}}/rancher/v2.x/en/admin-settings/authentication/#external-authentication-configuration-and-principal-users). \ No newline at end of file diff --git a/static/img/rancher/shibboleth-with-openldap-groups.svg b/static/img/rancher/shibboleth-with-openldap-groups.svg new file mode 100644 index 00000000000..7f3694c842e --- /dev/null +++ b/static/img/rancher/shibboleth-with-openldap-groups.svg @@ -0,0 +1,3 @@ + + +
    First-time login to Rancher
    First-time...
    Adding OpenLDAP Group Permissions to Rancher Resources
    Adding OpenLDAP Group Permissions to Rancher Resources
    Redirect user to Shibboleth
    Redirect us...
    Rancher
    Ranch...
    Shibboleth
    Shibb...
    OpenLDAP
    OpenL...
    Rancher
    Admin
    Ranch...
    Search for groups
    Search for gro...
    Search for groups
    Search for gro...
    Provide groups to Rancher
    Provide groups t...
      OpenLDAP Group Member
      OpenLDAP Group Member
    Rancher admin or user with sufficient privileges can add an OpenLDAP group to a resource such as a cluster, project, or namespace.
    Rancher admin or...
    An existing OpenLDAP group member logs in to Rancher. Shibboleth validates credentials and provides group details from OpenLDAP.
    An existing Open...
    Select group for Rancher resource
    Select group for...
    Access resources that group has permissions for
    Access resources...
    User enters username and password
    User enters userna...
    Validate credentials
    Validate creden...
    Provide user details
    Provide user de...
    SAML assertion to Rancher with user attributes, including groups
    SAML assertion...
    Viewer does not support full SVG 1.1
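Review bot: in the new shibboleth/about/_index.md, the "This section covers the following topics" list has bare `[Terminology]` and `[OpenLDAP authentication flow]` entries with no link targets and leaves out the "Adding OpenLDAP Group Permissions to Rancher Resources" section. The same file needs a proofread: "assigning persmissions", "so that they have permissions view most cluster level resources", and "that her groups has permissions for". Step 1 of the authentication flow was changed to "his or her LDAP credentials" but step 3 still says "he is authenticated". The Terminology entry "OpenLDAP is an example of an identity provider" sits awkwardly next to the index page, which calls Shibboleth the IdP; a sentence saying which role each plays in this setup would remove the confusion.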
    \ No newline at end of file From a352442a3a3a4e3461e36372229600f4f03e5d5e Mon Sep 17 00:00:00 2001 From: Catherine Luse Date: Fri, 28 Feb 2020 14:35:01 -0700 Subject: [PATCH 079/183] Edit Shibboleth and OpenLDAP docs --- .../authentication/openldap/_index.md | 15 +++------------ .../openldap/openldap-config/_index.md | 14 ++++++++++++++ .../authentication/shibboleth/_index.md | 14 ++++++++------ .../authentication/shibboleth/about/_index.md | 15 +-------------- 4 files changed, 26 insertions(+), 32 deletions(-) diff --git a/content/rancher/v2.x/en/admin-settings/authentication/openldap/_index.md b/content/rancher/v2.x/en/admin-settings/authentication/openldap/_index.md index 4338bc3f86a..15cdf376100 100644 --- a/content/rancher/v2.x/en/admin-settings/authentication/openldap/_index.md +++ b/content/rancher/v2.x/en/admin-settings/authentication/openldap/_index.md 
@@ -8,17 +8,6 @@ aliases: _Available as of v2.0.5_ If your organization uses LDAP for user authentication, you can configure Rancher to communicate with an OpenLDAP server to authenticate users. This allows Rancher admins to control access to clusters and projects based on users and groups managed externally in the organisation's central user repository, while allowing end-users to authenticate with their LDAP credentials when logging in to the Rancher UI. - -## OpenLDAP Authentication Flow - -1. When a user attempts to login with his LDAP credentials, Rancher creates an initial bind to the LDAP server using a service account with permissions to search the directory and read user/group attributes. -2. Rancher then searches the directory for the user by using a search filter based on the provided username and configured attribute mappings. -3. Once the user has been found, he is authenticated with another LDAP bind request using the user's DN and provided password. -4. Once authentication succeeded, Rancher then resolves the group memberships both from the membership attribute in the user's object and by performing a group search based on the configured user mapping attribute. - -> **Note:** -> -> Before you proceed with the configuration, please familiarise yourself with the concepts of [External Authentication Configuration and Principal Users]({{}}/rancher/v2.x/en/admin-settings/authentication/#external-authentication-configuration-and-principal-users). ## Prerequisites 
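Review bot: with the "OpenLDAP Authentication Flow" section removed from openldap/_index.md, the Prerequisites section that follows starts talking about the "LDAP bind account (aka service account)" with nothing on the page explaining what that bind is used for. A one-line pointer from Prerequisites to the "Background: OpenLDAP Authentication Flow" section that this patch adds to the configuration reference would keep the reasoning behind the read-only service account recommendation within reach.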
@@ -28,7 +17,9 @@ Rancher must be configured with a LDAP bind account (aka service account) to sea > > If the certificate used by the OpenLDAP server is self-signed or not from a recognised certificate authority, make sure have at hand the CA certificate (concatenated with any intermediate certificates) in PEM format. You will have to paste in this certificate during the configuration so that Rancher is able to validate the certificate chain. -## Configuration Steps +## Configure OpenLDAP in Rancher + +> Before you proceed with the configuration, please familiarise yourself with the concepts of [External Authentication Configuration and Principal Users]({{}}/rancher/v2.x/en/admin-settings/authentication/#external-authentication-configuration-and-principal-users). 1. Log into the Rancher UI using the initial local `admin` account. 2. From the **Global** view, navigate to **Security** > **Authentication** diff --git a/content/rancher/v2.x/en/admin-settings/authentication/openldap/openldap-config/_index.md b/content/rancher/v2.x/en/admin-settings/authentication/openldap/openldap-config/_index.md index 047a20919e5..f60c8be2589 100644 --- a/content/rancher/v2.x/en/admin-settings/authentication/openldap/openldap-config/_index.md +++ b/content/rancher/v2.x/en/admin-settings/authentication/openldap/openldap-config/_index.md 
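Review bot: the blockquote "Before you proceed with the configuration, please familiarise yourself with the concepts of External Authentication Configuration and Principal Users" is added here under the renamed heading and again, word for word, at the top of openldap-config/_index.md in the next file of this patch. Since this page sends the reader to the reference anyway, keep the note in one place. Renaming `## Configuration Steps` to `## Configure OpenLDAP in Rancher` also changes the generated anchor, so check for inbound links to `#configuration-steps`.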
@@ -7,15 +7,29 @@ This section is intended to be used as a reference when setting up an OpenLDAP a For further details on configuring OpenLDAP, refer to the [official documentation.](https://www.openldap.org/doc/) +> Before you proceed with the configuration, please familiarise yourself with the concepts of [External Authentication Configuration and Principal Users]({{}}/rancher/v2.x/en/admin-settings/authentication/#external-authentication-configuration-and-principal-users). + +- [Background: OpenLDAP Authentication Flow](#background-openldap-authentication-flow) - [OpenLDAP server configuration](#openldap-server-configuration) - [User/group schema configuration](#user-group-schema-configuration) - [User schema configuration](#user-schema-configuration) - [Group schema configuration](#group-schema-configuration) +## Background: OpenLDAP Authentication Flow + +1. When a user attempts to login with his LDAP credentials, Rancher creates an initial bind to the LDAP server using a service account with permissions to search the directory and read user/group attributes. +2. Rancher then searches the directory for the user by using a search filter based on the provided username and configured attribute mappings. +3. Once the user has been found, he is authenticated with another LDAP bind request using the user's DN and provided password. +4. Once authentication succeeded, Rancher then resolves the group memberships both from the membership attribute in the user's object and by performing a group search based on the configured user mapping attribute. + # OpenLDAP Server Configuration You will need to enter the address, port, and protocol to connect to your OpenLDAP server. `389` is the standard port for insecure traffic, `636` for TLS traffic. 
+> **Using TLS?** +> +> If the certificate used by the OpenLDAP server is self-signed or not from a recognised certificate authority, make sure have at hand the CA certificate (concatenated with any intermediate certificates) in PEM format. You will have to paste in this certificate during the configuration so that Rancher is able to validate the certificate chain. + If you are in doubt about the correct values to enter in the user/group Search Base configuration fields, consult your LDAP administrator or refer to the section [Identify Search Base and Schema using ldapsearch]({{}}/rancher/v2.x/en/admin-settings/authentication/ad/#annex-identify-search-base-and-schema-using-ldapsearch) in the Active Directory authentication documentation.
    OpenLDAP Server Parameters
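Review bot: the added `## Background: OpenLDAP Authentication Flow` heading is level 2, while the section right after it, `# OpenLDAP Server Configuration`, is level 1, so the background section does not sit at the same level as the other entries in the link list above it; use `#` here. The moved steps keep "login with his LDAP credentials" and "he is authenticated", although the copy this patch deletes from shibboleth/about already read "log in with his or her LDAP credentials". The added "Using TLS?" note reads "make sure have at hand", which should be "make sure you have at hand". Since steps 1 and 3 send the service account password and then the user's password in bind requests, and the context line calls `389` the port for insecure traffic, this note is also the natural place to say which of the two ports is recommended.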
    diff --git a/content/rancher/v2.x/en/admin-settings/authentication/shibboleth/_index.md b/content/rancher/v2.x/en/admin-settings/authentication/shibboleth/_index.md index 5ca461f13c7..114726f2659 100644 --- a/content/rancher/v2.x/en/admin-settings/authentication/shibboleth/_index.md +++ b/content/rancher/v2.x/en/admin-settings/authentication/shibboleth/_index.md @@ -17,11 +17,11 @@ This section covers the following topics: - [Setting up Shibboleth in Rancher](#setting-up-shibboleth-in-rancher) - [Shibboleth Prerequisites](#shibboleth-prerequisites) - - [Configuring Shibboleth](#configuring-shibboleth) + - [Configure Shibboleth in Rancher](#configure-shibboleth-in-rancher) - [SAML Provider Caveats](#saml-provider-caveats) - [Setting up OpenLDAP in Rancher](#setting-up-openldap-in-rancher) - [OpenLDAP Prerequisites](#openldap-prerequisites) - - [Configuring OpenLDAP](#configuring-openldap) + - [Configure OpenLDAP in Rancher](#configure-openldap-in-rancher) - [Troubleshooting](#troubleshooting) # Setting up Shibboleth in Rancher @@ -34,7 +34,7 @@ Metadata URL: `https:///v1-saml/shibboleth/saml/metadata` Assertion Consumer Service (ACS) URL: `https:///v1-saml/shibboleth/saml/acs` >- Export a `metadata.xml` file from your IdP Server. For more information, see the [Shibboleth documentation.](https://wiki.shibboleth.net/confluence/display/SP3/Home) -### Configuring Shibboleth +### Configure Shibboleth in Rancher If your organization uses Shibboleth for user authentication, you can configure Rancher to allow your users to log in using their IdP credentials. 1. From the **Global** view, select **Security > Authentication** from the main menu. 
@@ -92,14 +92,16 @@ Rancher must be configured with a LDAP bind account (aka service account) to sea > > If the certificate used by the OpenLDAP server is self-signed or not from a recognised certificate authority, make sure have at hand the CA certificate (concatenated with any intermediate certificates) in PEM format. You will have to paste in this certificate during the configuration so that Rancher is able to validate the certificate chain. -### Configuring OpenLDAP +### Configure OpenLDAP in Rancher + +Configure the settings for the OpenLDAP server, groups and users. For help filling out each field, refer to the [configuration reference.](../openldap-config) + +> Before you proceed with the configuration, please familiarise yourself with the concepts of [External Authentication Configuration and Principal Users]({{}}/rancher/v2.x/en/admin-settings/authentication/#external-authentication-configuration-and-principal-users). 1. Log into the Rancher UI using the initial local `admin` account. 2. From the **Global** view, navigate to **Security** > **Authentication** 3. Select **OpenLDAP**. The **Configure an OpenLDAP server** form will be displayed. -Then configure the settings for the OpenLDAP server, groups and users. For help filling out each field, refer to the [configuration reference.]({{}}/rancher/v2.x/en/admin-settings/authentication/openldap/openldap-config) - # Troubleshooting If you are experiencing issues while testing the connection to the OpenLDAP server, first double-check the credentials entered for the service account as well as the search base configuration. You may also inspect the Rancher logs to help pinpointing the problem cause. Debug logs may contain more detailed information about the error. Please refer to [How can I enable debug logging]({{}}/rancher/v2.x/en/faq/technical/#how-can-i-enable-debug-logging) in this documentation. 
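Review bot: the link `[configuration reference.](../openldap-config)` in the added "Configure the settings..." line is relative, and this file is authentication/shibboleth/_index.md, so `../openldap-config` resolves to authentication/openldap-config, not to authentication/openldap/openldap-config where the removed line pointed. Keep the base-URL-prefixed `/rancher/v2.x/en/admin-settings/authentication/openldap/openldap-config` path from the removed line. With the sentence moved above the steps, the procedure now ends at "The **Configure an OpenLDAP server** form will be displayed." and nothing tells the reader to fill the form in; a fourth step would close that gap.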
diff --git a/content/rancher/v2.x/en/admin-settings/authentication/shibboleth/about/_index.md b/content/rancher/v2.x/en/admin-settings/authentication/shibboleth/about/_index.md index 7af334d0c70..33e88250453 100644 --- a/content/rancher/v2.x/en/admin-settings/authentication/shibboleth/about/_index.md +++ b/content/rancher/v2.x/en/admin-settings/authentication/shibboleth/about/_index.md @@ -13,9 +13,6 @@ One solution to this problem is to configure an OpenLDAP identity provider. With This section covers the following topics: -- [Terminology] -- [OpenLDAP authentication flow] - ### Terminology - **Shibboleth** is a single sign-on log-in system for computer networks and the Internet. It allows people to sign in using just one identity to various systems. It validates user credentials, but does not, on its own, handle group memberships. 
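Review bot: removing the two list items leaves the context line "This section covers the following topics:" introducing nothing, directly above `### Terminology`. Drop that sentence in this same change, or keep the list and give the entries real anchors, since the removed `[Terminology]` and `[OpenLDAP authentication flow]` had no link targets.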
@@ -36,14 +33,4 @@ When a member of the OpenLDAP group logs in to Rancher, she is redirected to Shi Shibboleth validates her credentials, and retrieves user attributes from OpenLDAP, including groups. Then Shibboleth sends a SAML assertion to Rancher including the user attributes. Rancher uses the group data so that she can access all of the resources and permissions that her groups has permissions for. ![Adding OpenLDAP Group Permissions to Rancher Resources]({{}}/img/rancher/shibboleth-with-openldap-groups.svg) - -### OpenLDAP Authentication Flow - -1. When a user attempts to log in with his or her LDAP credentials, Rancher creates an initial bind to the LDAP server using a service account with permissions to search the directory and read user/group attributes. -2. Rancher then searches the directory for the user by using a search filter based on the provided username and configured attribute mappings. -3. Once the user has been found, he is authenticated with another LDAP bind request using the user's DN and provided password. -4. Once authentication succeeded, Rancher then resolves the group memberships both from the membership attribute in the user's object and by performing a group search based on the configured user mapping attribute. - -> **Note:** -> -> Before you proceed with the configuration, please familiarize yourself with the concepts of [External Authentication Configuration and Principal Users]({{}}/rancher/v2.x/en/admin-settings/authentication/#external-authentication-configuration-and-principal-users). \ No newline at end of file + \ No newline at end of file From ecfe76a5fab3cd6815f9c177c901840580c3c85d Mon Sep 17 00:00:00 2001 From: Catherine Luse Date: Fri, 28 Feb 2020 14:55:48 -0700 Subject: [PATCH 080/183] Remove unnecessary line --- .../en/admin-settings/authentication/shibboleth/about/_index.md | 2 -- 1 file changed, 2 deletions(-) 
diff --git a/content/rancher/v2.x/en/admin-settings/authentication/shibboleth/about/_index.md b/content/rancher/v2.x/en/admin-settings/authentication/shibboleth/about/_index.md index 33e88250453..249fc6195d7 100644 --- a/content/rancher/v2.x/en/admin-settings/authentication/shibboleth/about/_index.md +++ b/content/rancher/v2.x/en/admin-settings/authentication/shibboleth/about/_index.md @@ -11,8 +11,6 @@ Because Shibboleth is a SAML provider, it does not support searching for groups. One solution to this problem is to configure an OpenLDAP identity provider. With an OpenLDAP back end for Shibboleth, you will be able to search for groups in Rancher and assign them to resources such as clusters, projects, or namespaces from the Rancher UI. -This section covers the following topics: - ### Terminology - **Shibboleth** is a single sign-on log-in system for computer networks and the Internet. It allows people to sign in using just one identity to various systems. It validates user credentials, but does not, on its own, handle group memberships. From df0e22022ceb219da3d1f0eb73f7682bc19d5f25 Mon Sep 17 00:00:00 2001 From: Catherine Luse Date: Fri, 28 Feb 2020 15:09:08 -0700 Subject: [PATCH 081/183] Minor edit to OpenLDAP doc --- .../v2.x/en/admin-settings/authentication/openldap/_index.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/content/rancher/v2.x/en/admin-settings/authentication/openldap/_index.md b/content/rancher/v2.x/en/admin-settings/authentication/openldap/_index.md index 15cdf376100..401d0259229 100644 --- a/content/rancher/v2.x/en/admin-settings/authentication/openldap/_index.md +++ b/content/rancher/v2.x/en/admin-settings/authentication/openldap/_index.md 
@@ -19,14 +19,14 @@ Rancher must be configured with a LDAP bind account (aka service account) to sea ## Configure OpenLDAP in Rancher +Configure the settings for the OpenLDAP server, groups and users. For help filling out each field, refer to the [configuration reference.](../openldap-config) + > Before you proceed with the configuration, please familiarise yourself with the concepts of [External Authentication Configuration and Principal Users]({{}}/rancher/v2.x/en/admin-settings/authentication/#external-authentication-configuration-and-principal-users). 1. Log into the Rancher UI using the initial local `admin` account. 2. From the **Global** view, navigate to **Security** > **Authentication** 3. Select **OpenLDAP**. The **Configure an OpenLDAP server** form will be displayed. -Then configure the settings for the OpenLDAP server, groups and users. For help filling out each field, refer to the [configuration reference.](../openldap-config) - ### Test Authentication Once you have completed the configuration, proceed by testing the connection to the OpenLDAP server. Authentication with OpenLDAP will be enabled implicitly if the test is successful. From 3ad06bc29519b645b43a81dd6058ffe7f2911aea Mon Sep 17 00:00:00 2001 From: Catherine Luse Date: Fri, 28 Feb 2020 15:24:45 -0700 Subject: [PATCH 082/183] Add backup and restore info for K3s external db --- .../en/backups/backups/k3s-backups/_index.md | 16 +++++++++++++++- .../restorations/k3s-restoration/_index.md | 18 ++++++++++++++++++ 2 files changed, 33 insertions(+), 1 deletion(-) diff --git a/content/rancher/v2.x/en/backups/backups/k3s-backups/_index.md b/content/rancher/v2.x/en/backups/backups/k3s-backups/_index.md index f96f3466a43..701ea669314 100644 --- a/content/rancher/v2.x/en/backups/backups/k3s-backups/_index.md +++ b/content/rancher/v2.x/en/backups/backups/k3s-backups/_index.md 
@@ -1,4 +1,18 @@ --- title: Backing up Rancher Installed on a K3s Kubernetes Cluster weight: 1 ---- \ No newline at end of file +--- + +When Rancher is installed on a high-availability Kubernetes cluster, we recommend using an external database to store the cluster data. + +The database administrator will need to back up the external database, or restore it from a snapshot or dump. + +We recommend configuring the database to take recurring snapshots. + +### Creating Snapshots and Restoring Databases from Snapshots + +For details on taking database snapshots and restoring your database from them, refer to the official database documentation: + +- [Official MySQL documentation](https://dev.mysql.com/doc/refman/8.0/en/replication-snapshot-method.html) +- [Official PostgreSQL documentation](https://www.postgresql.org/docs/8.3/backup-dump.html) +- [Official etcd documentation](https://github.com/etcd-io/etcd/blob/master/Documentation/op-guide/recovery.md) \ No newline at end of file diff --git a/content/rancher/v2.x/en/backups/restorations/k3s-restoration/_index.md b/content/rancher/v2.x/en/backups/restorations/k3s-restoration/_index.md index e69de29bb2d..16b242a6024 100644 --- a/content/rancher/v2.x/en/backups/restorations/k3s-restoration/_index.md +++ b/content/rancher/v2.x/en/backups/restorations/k3s-restoration/_index.md 
@@ -0,0 +1,18 @@ +--- +title: Restoring Rancher Installed on a K3s Kubernetes Cluster +weight: 1 +--- + +When Rancher is installed on a high-availability Kubernetes cluster, we recommend using an external database to store the cluster data. + +The database administrator will need to back up the external database, or restore it from a snapshot or dump. + +We recommend configuring the database to take recurring snapshots. + +### Creating Snapshots and Restoring Databases from Snapshots + +For details on taking database snapshots and restoring your database from them, refer to the official database documentation: + +- [Official MySQL documentation](https://dev.mysql.com/doc/refman/8.0/en/replication-snapshot-method.html) +- [Official PostgreSQL documentation](https://www.postgresql.org/docs/8.3/backup-dump.html) +- [Official etcd documentation](https://github.com/etcd-io/etcd/blob/master/Documentation/op-guide/recovery.md) \ No newline at end of file From f8ab934e5d3173b68b2214de3f1d70507a454a09 Mon Sep 17 00:00:00 2001 From: Catherine Luse Date: Fri, 28 Feb 2020 20:05:49 -0700 Subject: [PATCH 083/183] Fix typo --- .../en/admin-settings/authentication/shibboleth/about/_index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/rancher/v2.x/en/admin-settings/authentication/shibboleth/about/_index.md b/content/rancher/v2.x/en/admin-settings/authentication/shibboleth/about/_index.md index 249fc6195d7..6a057b2104a 100644 --- a/content/rancher/v2.x/en/admin-settings/authentication/shibboleth/about/_index.md +++ b/content/rancher/v2.x/en/admin-settings/authentication/shibboleth/about/_index.md 
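Review bot: the PostgreSQL link added to both K3s pages in PATCH 082 points at the 8.3 manual (`/docs/8.3/backup-dump.html`), a release that is long out of support; link `/docs/current/backup-dump.html` instead. The MySQL link (`replication-snapshot-method.html`) goes to the replication chapter's page on taking a data snapshot, not to the manual's backup and recovery chapter. The new restore page has the same body as the backup page and gives no restore steps for Rancher itself, and both pages open with "a high-availability Kubernetes cluster" although their titles say K3s.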
@@ -28,7 +28,7 @@ In this scenario, OpenLDAP allows the cluster owner to search for groups when as When a member of the OpenLDAP group logs in to Rancher, she is redirected to Shibboleth and enters her username and password. -Shibboleth validates her credentials, and retrieves user attributes from OpenLDAP, including groups. Then Shibboleth sends a SAML assertion to Rancher including the user attributes. Rancher uses the group data so that she can access all of the resources and permissions that her groups has permissions for. +Shibboleth validates her credentials, and retrieves user attributes from OpenLDAP, including groups. Then Shibboleth sends a SAML assertion to Rancher including the user attributes. Rancher uses the group data so that she can access all of the resources and permissions that her groups have permissions for. ![Adding OpenLDAP Group Permissions to Rancher Resources]({{}}/img/rancher/shibboleth-with-openldap-groups.svg) \ No newline at end of file From e48147da94cfd5ed1b90b8a2e9a4e292ac877899 Mon Sep 17 00:00:00 2001 From: Catherine Luse Date: Mon, 16 Mar 2020 14:35:39 -0700 Subject: [PATCH 084/183] Update security scan docs --- content/rancher/v2.x/en/security/_index.md | 2 +- .../v2.x/en/security/security-scan/_index.md | 147 ++++++++++++++++-- 2 files changed, 132 insertions(+), 17 deletions(-) diff --git a/content/rancher/v2.x/en/security/_index.md b/content/rancher/v2.x/en/security/_index.md index 8cae4eebe29..7cb5e2b4713 100644 --- a/content/rancher/v2.x/en/security/_index.md +++ b/content/rancher/v2.x/en/security/_index.md 
@@ -71,7 +71,7 @@ Hardening Guide Version | Rancher Version | CIS Benchmark Version | Kubernetes V The benchmark self-assessment is a companion to the Rancher security hardening guide. While the hardening guide shows you how to harden the cluster, the benchmark guide is meant to help you evaluate the level of security of the hardened cluster. -Because Rancher and RKE install Kubernetes services as Docker containers, many of the control verification checks in the CIS Kubernetes Benchmark don't apply. This guide will walk through the various controls and provide updated example commands to audit compliance in Rancher created clusters. The original benchmark documents can be downloaded from the [CIS website](https://www.cisecurity.org/benchmark/kubernetes/). +Because Rancher and RKE install Kubernetes services as Docker containers, many of the control verification checks in the CIS Kubernetes Benchmark don't apply. This guide will walk through the various controls and provide updated example commands to audit compliance in Rancher created clusters. The original benchmark documents can be downloaded from the [CIS website](https://www.cisecurity.org/benchmark/kubernetes/). Each version of Rancher's self assessment guide corresponds to specific versions of the hardening guide, Rancher, Kubernetes, and the CIS Benchmark: diff --git a/content/rancher/v2.x/en/security/security-scan/_index.md b/content/rancher/v2.x/en/security/security-scan/_index.md index 4a5e6ebba8d..740b2bf3f8e 100644 --- a/content/rancher/v2.x/en/security/security-scan/_index.md +++ b/content/rancher/v2.x/en/security/security-scan/_index.md 
@@ -13,7 +13,24 @@ CIS Benchmarks are best practices for the secure configuration of a target syste The Benchmark provides recommendations of two types: Scored and Not Scored. We run tests related to only Scored recommendations. -When Rancher runs a CIS Security Scan on a cluster, it generates a report showing the results of each test, including a summary with the number of passed, skipped and failed tests. The report also includes remediation steps for any failed tests. +- [About the CIS Benchmark](#about-the-cis-benchmark) +- [About the generated report](#about-the-generated-report) +- [Permissive and hardened test profiles](#permissive-and-hardened-test-profiles) +- [Prerequisites](#prerequisites) +- [Running a scan](#running-a-scan) +- [Scheduling recurring scans](#scheduling-recurring-scans) +- [Skipping tests](#skipping-tests) +- [Setting alerts](#setting-alerts) +- [Deleting a report](#deleting-a-report) +- [Downloading a report](#downloading-a-report) + +### About the CIS Benchmark + +The Center for Internet Security is a 501(c)(3) nonprofit organization, formed in October 2000, with a mission is to "identify, develop, validate, promote, and sustain best practice solutions for cyber defense and build and lead communities to enable an environment of trust in cyberspace". The organization is headquartered in East Greenbush, New York, with members including large corporations, government agencies, and academic institutions. + +CIS Benchmarks are best practices for the secure configuration of a target system. CIS Benchmarks are developed through the generous volunteer efforts of subject matter experts, technology vendors, public and private community members, and the CIS Benchmark Development team. + +The official Benchmark documents are available through the CIS website. 
The sign-up form to access the documents is [here.](https://learn.cisecurity.org/benchmarks) To check clusters for CIS Kubernetes Benchmark compliance, the security scan leverages [kube-bench,](https://github.com/aquasecurity/kube-bench) an open-source tool from Aqua Security. 
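Review bot: in the added "About the CIS Benchmark" section, "with a mission is to" should read "whose mission is to", and the paragraph beginning "CIS Benchmarks are best practices for the secure configuration of a target system" repeats a sentence that is still in the page intro (it is visible in this hunk's `@@` header context), so the page now says it twice. The hunk also deletes the only sentence stating that a report includes a summary with the number of passed, skipped and failed tests; if the summary still exists, keep that statement under "About the generated report".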
@@ -21,11 +38,36 @@ To check clusters for CIS Kubernetes Benchmark compliance, the security scan lev Each scan generates a report can be viewed in the Rancher UI and can be downloaded in CSV format. +As of Rancher v2.4, the CIS scan will use either the Benchmark v1.4 or v1.5, depending on the Kubernetes version. + To determine which version of the [Benchmark](https://www.cisecurity.org/benchmark/kubernetes/) to use in the scan, Rancher chooses a version that is appropriate for the cluster's Kubernetes version. The Benchmark version is included in the generated report. -Each test in the report is identified by its corresponding Scored test in the Benchmark. For example, if a cluster fails test 1.3.6, you can look up the description and rationale for the section 1.3.6 in the Benchmark itself, or in Rancher's [hardening guide for the Kubernetes version that the cluster is using.]({{}}/rancher/v2.x/en/security/#rancher-hardening-guide) Recommendations marked as Not Scored in the Benchmark are not included in the report. +The Benchmark provides recommendations of two types: Scored and Not Scored. Recommendations marked as Not Scored in the Benchmark are not included in the generated report. -Similarly, for information on how to manually audit the test result, you could look up section 1.3.6 in Rancher's [self-assessment guide for the corresponding Kubernetes version.]({{}}/rancher/v2.x/en/security/#the-cis-benchmark-and-self-assessment) +Some tests are designated as "Not Applicable." These tests will not be run on any CIS scan because of the way that Rancher provisions RKE clusters. 
For information on how test results can be audited, and why some tests are designated to be not applicable, refer to Rancher's [self-assessment guide for the corresponding Kubernetes version.]({{}}/rancher/v2.x/en/security/#the-cis-benchmark-and-self-assessment) + +The report contains the following information: + +| Column in Report | Description | +|------------------|-------------| +| ID | The ID number of the CIS Benchmark. | +| Description | The description of the CIS Benchmark test. | +| Remediation | What needs to be fixed in order to pass the test. | +| State of Test | Indicates if the test passed, failed, was skipped, or was not applicable. | +| Node type | The node role, which affects which tests are run on the node. Master tests are run on controlplane nodes, etcd tests are run on etcd nodes, and node tests are run on the worker nodes. | +| Nodes | The name(s) of the node that the test was run on. | +| Passed_Nodes | The name(s) of the nodes that the test passed on. | +| Failed_Nodes | The name(s) of the nodes that the test failed on. | + +Refer to [the table in the cluster hardening guide]({{}}/rancher/v2.x/en/security/#rancher-hardening-guide) for information on which versions of Kubernetes, the Benchmark, Rancher, and our cluster hardening guide correspond to each other. Also refer to the hardening guide for configuration files of CIS-compliant clusters and information on remediating failed tests. + +### Permissive and Hardened Test Profiles + +Rancher ships with two types of profiles to run for each version of the CIS scan.  + +- **Permissive:** By default, this profile has a set of tests that have been configured to skip certain tests that fail on a default RKE Kubernetes cluster. These tests can be updated to pass based on following the steps on the [hardening guide]({{}}/rancher/v2.x/en/security/#rancher-hardening-guide) + and using the `cluster.yml` defined in the hardening guide. 
+- **Hardened:** This profile will not skip any tests by default, except for the non-applicable tests. ### Prerequisites 
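Review bot: the removed paragraph was the only place that told readers a report ID such as 1.3.6 is the section number to look up in the Benchmark and the hardening guide, and the new table row "ID | The ID number of the CIS Benchmark." does not replace it; word it as the number of the Benchmark test and say where to look it up. The added sentence "The Benchmark provides recommendations of two types: Scored and Not Scored." duplicates the unchanged intro line. In the Permissive bullet, "has a set of tests that have been configured to skip certain tests" is circular; say that the profile skips the tests that fail on a default RKE cluster. That bullet's continuation line " and using the `cluster.yml` defined in the hardening guide." starts on a new line in the middle of the sentence and should be joined to the line above.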
@@ -35,36 +77,109 @@ Rancher can only run security scans on clusters that were created with RKE, whic The security scan cannot run in a cluster that has Windows nodes. +You will only be able to see the CIS scan reports for clusters that you have access to. + ### Running a Scan 1. From the cluster view in Rancher, click **Tools > CIS Scans.** 1. Click **Run Scan.** +1. Choose a CIS scan profile. **Result:** A report is generated and displayed in the **CIS Scans** page. To see details of the report, click the report's name. -### Skipping a Test +### Scheduling Recurring Scans -1. From the cluster view in Rancher, click **Tools > CIS Scans.** -1. Click the name of the report that has tests you want to skip. -1. A **Skip** button is displayed next to each failed test. Click **Skip** for each test that should be skipped. +Recurring scans can be scheduled to run on any RKE Kubernetes cluster. -**Result:** The tests will be skipped on the next scan. +To enable recurring scans, edit the advanced options in the cluster configuration during cluster creation or after the cluster has been created. -To re-run the security scan, go to the top of the page and click **Run Scan.** +To schedule scans for an existing cluster: -### Un-skipping a Test +1. Go to the cluster view in Rancher. +1. Click **Ellipsis (...) > Edit.** +1. Go to the **Advanced Options** section. In the **CIS Scan Enabled** field, click **Yes.** +1. In the **CIS Scan Profile** field, choose a **Permissive** or **Hardened** profile. The corresponding CIS Benchmark version is included in the profile name. Any skipped tests [defined in a separate ConfigMap](#skipping-tests) will be skipped regardless of whether a **Permissive** or **Hardened** profile is selected. When selecting the the permissive profile, you should see which tests were skipped by Rancher (tests that are skipped by default for RKE clusters) and which tests were skipped by a Rancher user. 
In the hardened test profile, the only skipped tests will be skipped by users. +1. In the **CIS Scan Interval (cron)** job, enter a [cron expression](https://en.wikipedia.org/wiki/Cron#CRON_expression) to define how often the cluster will be scanned. +1. In the **CIS Scan Report Retention** field, enter the number of past reports that should be kept. -1. From the cluster view in Rancher, click **Tools > CIS Scans.** -1. Click the name of the report that has tests you want to un-skip. -1. An **Unskip** button is displayed next to each skipped test. Click **Unskip** for each test that should not be skipped. +**Result:** The security scan will run and generate reports at the scheduled intervals. -**Result:** The tests will not be skipped on the next scan. +The test schedule can be configured in the `cluster.yml`: -To re-run the security scan, go to the top of the page and click **Run Scan.** +```yaml +scheduled_cluster_scan: +    enabled: true +    scan_config: +        cis_scan_config: +            override_benchmark_version: rke-cis-1.4 +            profile: permissive +    schedule_config: +        cron_schedule: 0 0 * * * +        retention: 24 +``` + + +### Skipping Tests + +You can define a set of tests that will be skipped by the CIS scan when the next report is generated. + +These tests will be skipped for subsequent CIS scans, including both manually triggered and scheduled scans, and the tests will be skipped in both the permissive and hardened CIS scan profiles. + +The skipped tests will be listed alongside the test profile name in the cluster configuration options when a test profile is selected for a recurring cluster scan. The skipped tests will also be shown every time a scan is triggered manually from the Rancher UI by clicking **Run Scan.** The display of skipped tests allows you to know ahead of time which tests will be run in each scan. + +To skip tests, you will need to define them in a Kubernetes ConfigMap resource. 
Each skipped CIS scan test is listed in the ConfigMap alongside the version of the CIS benchmark that the test belongs to. + +To skip tests by editing a ConfigMap resource, + +1. Create a `security-scan` namespace. +1. Create a ConfigMap named `security-scan-cfg`. +1. Enter the skip information under the key `config.json` in the following format. The CIS benchmark version is specified alongside the tests to be skipped for that version: + +```json +{ + "config.json": { + "skip": { + "rke-cis-1.4": [ "1.1.1", "1.2.2"] + } + } +} +``` + +**Result:** These tests will be skipped on subsequent scans that use the defined CIS Benchmark version. + +### Setting Alerts + +Rancher provides a set of alerts for cluster scans. which are not configured to have notifiers by default: + +- A manual cluster scan was completed +- A manual cluster scan has failures +- A scheduled cluster scan was completed +- A scheduled cluster scan has failures + +> **Prerequisite:** You need to configure a [notifier]({{}}/rancher/v2.x/en/cluster-admin/tools/notifiers/) before configuring, sending, or receiving alerts. + +To activate an alert for a CIS scan result, + +1. From the cluster view in Rancher, click **Tools > Alerts.** +1. Go to the section called **A set of alerts for cluster scans.** +1. Go to the alert you want to activate and click **Ellipsis (...) > Activate.** +1. Go to the alert rule group **A set of alerts for cluster scans** and click **Ellipsis (...) > Edit.** +1. Scroll down to the **Alert** section. In the **To** field, select the notifier that you would like to use for sending alert notifications. +1. Optional: To limit the frequency of the notifications, click on **Show advanced options** and configure the time interval of the alerts. +1. Click **Save.** + +**Result:** The notifications will be triggered when the a scan is run on a cluster and the active alerts have satisfied conditions. ### Deleting a Report 1. From the cluster view in Rancher, click **Tools > CIS Scans.** 1. 
Go to the report that should be deleted. 1. Click the **Ellipsis (...) > Delete.** -1. Click **Delete.** \ No newline at end of file +1. Click **Delete.** + +### Downloading a Report + +1. From the cluster view in Rancher, click **Tools > CIS Scans.** +1. Go to the report that you want to download. Click **Ellipsis (...) > Download.** + +**Result:** The report is downloaded in CSV format. For more information on each columns, refer to the [section about the generated report.](#about-the-generated-report) \ No newline at end of file From 06be3db694dac51feab3c035ed70e2cdc15e3664 Mon Sep 17 00:00:00 2001 From: Denise Schannon Date: Wed, 18 Mar 2020 14:12:23 -0700 Subject: [PATCH 085/183] Updates to CIS Scans --- .../v2.x/en/security/security-scan/_index.md | 74 ++++++++++++++++--- 1 file changed, 63 insertions(+), 11 deletions(-) diff --git a/content/rancher/v2.x/en/security/security-scan/_index.md b/content/rancher/v2.x/en/security/security-scan/_index.md index 740b2bf3f8e..e10a384a915 100644 --- a/content/rancher/v2.x/en/security/security-scan/_index.md +++ b/content/rancher/v2.x/en/security/security-scan/_index.md @@ -3,7 +3,7 @@ title: Security Scans weight: 1 --- -_Available as of v2.4.0-alpha1_ +_Available as of v2.4.0_ Rancher can run a security scan to check whether Kubernetes is deployed according to security best practices as defined in the CIS Kubernetes Benchmark. 
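Review bot: in the "Skipping Tests" section added by the `@@ -35,36 +77,109 @@` hunk of PATCH 084, the skip list lives in a ConfigMap (`security-scan-cfg` in the `security-scan` namespace) and applies to manual and scheduled scans under both profiles, so anyone who can edit that ConfigMap can turn failing controls into skipped ones in every later scan. The section should say which role is expected to own the ConfigMap and that write access to it should be restricted. The JSON sample is ambiguous: step 3 says the data goes "under the key `config.json`", but the sample shows `"config.json"` as a key inside the JSON document, so show the full ConfigMap manifest instead. The hunk removes the "Un-skipping a Test" steps without saying how to un-skip a test under the new mechanism. Typos in added lines: "cluster scans. which are not", "when the a scan is run", "selecting the the permissive profile", "**CIS Scan Interval (cron)** job" (should be "field"), and "on each columns".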
@@ -61,13 +61,65 @@ The report contains the following information: Refer to [the table in the cluster hardening guide]({{}}/rancher/v2.x/en/security/#rancher-hardening-guide) for information on which versions of Kubernetes, the Benchmark, Rancher, and our cluster hardening guide correspond to each other. Also refer to the hardening guide for configuration files of CIS-compliant clusters and information on remediating failed tests. -### Permissive and Hardened Test Profiles +### Profiles -Rancher ships with two types of profiles to run for each version of the CIS scan.  +For every CIS benchmark version, Rancher ships with two types of profiles. These profiles are named based on the type of cluster (e.g. `RKE`), the CIS benchmark version (e.g. CIS 1.4) and the profile type (e.g. `Permissive` or `Hardened`). For example, a full profile name would be `RKE-CIS-1.4-Permissive` + +All profiles will have a set of not applicable tests that will be skipped during the CIS scan. These tests are not applicable based on how a RKE cluster manages Kubernetes. + +There are 2 types of profiles: + +- **Permissive:** This profile has a set of tests that have been will be skipped as these tests will fail on a default RKE Kubernetes cluster. Besides the list of skipped tests, the profile will also not run the not applicable tests. +- **Hardened:** This profile will not skip any tests, except for the non-applicable tests. + +In order to pass the "Hardened" profile, you will need to follow the steps on the [hardening guide]({{}}/rancher/v2.x/en/security/#rancher-hardening-guide) and use the `cluster.yml` defined in the hardening guide to provision a hardened cluster. + +#### Skipped and Not Applicable Tests + +#### CIS 1.4 Skipped Tests + +Number | Description | Reason for Skipping +---|---|--- +1.1.11 | "Ensure that the admission control plugin AlwaysPullImages is set (Scored)" | Enabling AlwaysPullImages can use significant bandwidth. 
+1.1.21 | "Ensure that the --kubelet-certificate-authority argument is set as appropriate (Scored)" | When generating serving certificates, functionality could break in conjunction with hostname overrides which are required for certain cloud providers. +1.1.24 | "Ensure that the admission control plugin PodSecurityPolicy is set (Scored)" | Enabling Pod Security Policy can cause applications to unexpectedly fail. +1.1.34 | "Ensure that the --encryption-provider-config argument is set as appropriate (Scored)" | Enabling encryption changes how data can be recovered as data is encrypted. +1.1.35 | "Ensure that the encryption provider is set to aescbc (Scored)" | Enabling encryption changes how data can be recovered as data is encrypted. +1.1.36 | "Ensure that the admission control plugin EventRateLimit is set (Scored)" | EventRateLimit needs to be tuned depending on the cluster. +1.2.2 | "Ensure that the --address argument is set to 127.0.0.1 (Scored)" | Adding this argument prevents Rancher's monitoring tool to collect metrics on the scheduler. +1.3.7 | "Ensure that the --address argument is set to 127.0.0.1 (Scored)" | Adding this argument prevents Rancher's monitoring tool to collect metrics on the controller manager. +1.4.12 | "Ensure that the etcd data directory ownership is set to etcd:etcd (Scored)" | A system service account is required for etcd data directory ownership. Refer to Rancher's hardening guide for more details on how to configure this ownership. +1.7.2 | "Do not admit containers wishing to share the host process ID namespace (Scored)" | Enabling Pod Security Policy can cause applications to unexpectedly fail. +1.7.3 | "Do not admit containers wishing to share the host IPC namespace (Scored)" | Enabling Pod Security Policy can cause applications to unexpectedly fail. +1.7.4 | "Do not admit containers wishing to share the host network namespace (Scored)" | Enabling Pod Security Policy can cause applications to unexpectedly fail. 
+1.7.5 | " Do not admit containers with allowPrivilegeEscalation (Scored)" | Enabling Pod Security Policy can cause applications to unexpectedly fail. +2.1.6 | "Ensure that the --protect-kernel-defaults argument is set to true (Scored)" | System level configurations are required prior to provisioning the cluster in order for this argument to be set to true. +2.1.10 | "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)" | When generating serving certificates, functionality could break in conjunction with hostname overrides which are required for certain cloud providers. + +#### CIS 1.4 Not Applicable Tests + +Number | Description | Reason for being not applicable +---|---|--- +1.1.9 | "Ensure that the --repair-malformed-updates argument is set to false (Scored)" | The argument --repair-malformed-updates has been removed as of Kubernetes version 1.14 +1.3.6 | "Ensure that the RotateKubeletServerCertificate argument is set to true" | Cluster provisioned by RKE handles certificate rotation directly through RKE. +1.4.1 | "Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Scored)" | Cluster provisioned by RKE doesn't require or maintain a configuration file for kube-apiserver. +1.4.2 | "Ensure that the API server pod specification file ownership is set to root:root (Scored)" | Cluster provisioned by RKE doesn't require or maintain a configuration file for kube-apiserver. +1.4.3 | "Ensure that the controller manager pod specification file permissions are set to 644 or more restrictive (Scored)" | Cluster provisioned by RKE doesn't require or maintain a configuration file for controller-manager. +1.4.4 | "Ensure that the controller manager pod specification file ownership is set to root:root (Scored)" | Cluster provisioned by RKE doesn't require or maintain a configuration file for controller-manager. 
+1.4.5 | "Ensure that the scheduler pod specification file permissions are set to 644 or more restrictive (Scored)" | Cluster provisioned by RKE doesn't require or maintain a configuration file for scheduler. +1.4.6 | "Ensure that the scheduler pod specification file ownership is set to root:root (Scored)" | Cluster provisioned by RKE doesn't require or maintain a configuration file for scheduler. +1.4.7 | "Ensure that the etcd pod specification file permissions are set to 644 or more restrictive (Scored)" | Cluster provisioned by RKE doesn't require or maintain a configuration file for etcd. +1.4.8 | "Ensure that the etcd pod specification file ownership is set to root:root (Scored)" | Cluster provisioned by RKE doesn't require or maintain a configuration file for etcd. +1.4.13 | "Ensure that the admin.conf file permissions are set to 644 or more restrictive (Scored)" | Cluster provisioned by RKE does not store the kubernetes default kubeconfig credentials file on the nodes. +1.4.14 | "Ensure that the admin.conf file ownership is set to root:root (Scored)" | Cluster provisioned by RKE does not store the kubernetes default kubeconfig credentials file on the nodes. +2.1.8 | "Ensure that the --hostname-override argument is not set (Scored)" | Clusters provisioned by RKE clusters and most cloud providers require hostnames. +2.1.12 | "Ensure that the --rotate-certificates argument is not set to false (Scored)" | Cluster provisioned by RKE handles certificate rotation directly through RKE. +2.1.13 | "Ensure that the RotateKubeletServerCertificate argument is set to true (Scored)" | Cluster provisioned by RKE handles certificate rotation directly through RKE. +2.2.3 | "Ensure that the kubelet service file permissions are set to 644 or more restrictive (Scored)" | Cluster provisioned by RKE doesn’t require or maintain a configuration file for the kubelet service. 
+2.2.4 | "Ensure that the kubelet service file ownership is set to root:root (Scored)" | Cluster provisioned by RKE doesn’t require or maintain a configuration file for the kubelet service. +2.2.9 | "Ensure that the kubelet configuration file ownership is set to root:root (Scored)" | RKE doesn’t require or maintain a configuration file for the kubelet. +2.2.10 | "Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Scored)" | RKE doesn’t require or maintain a configuration file for the kubelet. -- **Permissive:** By default, this profile has a set of tests that have been configured to skip certain tests that fail on a default RKE Kubernetes cluster. These tests can be updated to pass based on following the steps on the [hardening guide]({{}}/rancher/v2.x/en/security/#rancher-hardening-guide) - and using the `cluster.yml` defined in the hardening guide. -- **Hardened:** This profile will not skip any tests by default, except for the non-applicable tests. ### Prerequisites @@ -123,7 +175,7 @@ scheduled_cluster_scan: You can define a set of tests that will be skipped by the CIS scan when the next report is generated. -These tests will be skipped for subsequent CIS scans, including both manually triggered and scheduled scans, and the tests will be skipped in both the permissive and hardened CIS scan profiles. +These tests will be skipped for subsequent CIS scans, including both manually triggered and scheduled scans, and the tests will be skipped with any profile. The skipped tests will be listed alongside the test profile name in the cluster configuration options when a test profile is selected for a recurring cluster scan. The skipped tests will also be shown every time a scan is triggered manually from the Rancher UI by clicking **Run Scan.** The display of skipped tests allows you to know ahead of time which tests will be run in each scan. 
@@ -132,14 +184,14 @@ To skip tests, you will need to define them in a Kubernetes ConfigMap resource. To skip tests by editing a ConfigMap resource, 1. Create a `security-scan` namespace. -1. Create a ConfigMap named `security-scan-cfg`. +1. Create a ConfigMap named `security-scan-cfg`. 1. Enter the skip information under the key `config.json` in the following format. The CIS benchmark version is specified alongside the tests to be skipped for that version: ```json { "config.json": { - "skip": { - "rke-cis-1.4": [ "1.1.1", "1.2.2"] + "skip": { + "rke-cis-1.4": [ "1.1.1", "1.2.2"] } } } @@ -182,4 +234,4 @@ To activate an alert for a CIS scan result, 1. From the cluster view in Rancher, click **Tools > CIS Scans.** 1. Go to the report that you want to download. Click **Ellipsis (...) > Download.** -**Result:** The report is downloaded in CSV format. For more information on each columns, refer to the [section about the generated report.](#about-the-generated-report) \ No newline at end of file +**Result:** The report is downloaded in CSV format. For more information on each columns, refer to the [section about the generated report.](#about-the-generated-report) From a4fcb7c4cff2db5c3a00299167284fff87afcfc3 Mon Sep 17 00:00:00 2001 From: catherineluse Date: Thu, 19 Mar 2020 06:33:37 -0700 Subject: [PATCH 086/183] Update imported K3s cluster docs --- .../upgrading-kubernetes/_index.md | 6 +-- .../v2.x/en/cluster-provisioning/_index.md | 38 ++++++++++---- .../imported-clusters/_index.md | 50 +++++++++++++++++-- 3 files changed, 77 insertions(+), 17 deletions(-) diff --git a/content/rancher/v2.x/en/cluster-admin/upgrading-kubernetes/_index.md b/content/rancher/v2.x/en/cluster-admin/upgrading-kubernetes/_index.md index 513d31f1fab..ef5d7688644 100644 --- a/content/rancher/v2.x/en/cluster-admin/upgrading-kubernetes/_index.md +++ b/content/rancher/v2.x/en/cluster-admin/upgrading-kubernetes/_index.md 
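Review bot: in patch 085's Profiles hunk for `security-scan/_index.md`, the added **Permissive** bullet reads "has a set of tests that have been will be skipped", so the reader cannot tell whether these skips are built into the profile or configured by the user; suggest "has a set of tests that are skipped because they fail on a default RKE Kubernetes cluster". In the same hunk the example name `RKE-CIS-1.4-Permissive` lacks a closing period, and `#### Skipped and Not Applicable Tests` is followed directly by `#### CIS 1.4 Skipped Tests` at the same heading level, which leaves the first heading with no body; nest the two CIS 1.4 tables one level deeper or drop the empty heading. The ConfigMap example keys skips by lowercase `rke-cis-1.4` while profile names are written `RKE-CIS-1.4-...`, so it is worth stating whether the key is case-sensitive.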
@@ -3,7 +3,7 @@ title: Upgrading Kubernetes weight: 70 --- -> **Prerequisite:** The options below are available only for clusters that are [launched using RKE.]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/) +> **Prerequisite:** The options below are available only for [Rancher-launched RKE Kubernetes clusters]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/) and [imported K3s Kubernetes clusters.]({{}}/rancher/v2.x/en/cluster-provisioning/imported-clusters/#additional-features-for-imported-k3s-clusters) Following an upgrade to the latest version of Rancher, you can update your existing clusters to use the latest supported version of Kubernetes. @@ -11,7 +11,7 @@ Before a new version of Rancher is released, it's tested with the latest minor v As of Rancher v2.3.0, the Kubernetes metadata feature was added, which allows Rancher to ship Kubernetes patch versions without upgrading Rancher. For details, refer to the [section on Kubernetes metadata.]({{}}/rancher/v2.x/en/admin-settings/k8s-metadata) ->**Recommended:** Before upgrading Kubernetes, [backup your cluster]({{}}/rancher/v2.x/en/backups). +> **Recommended:** Before upgrading Kubernetes, [backup your cluster]({{}}/rancher/v2.x/en/backups). 1. From the **Global** view, find the cluster for which you want to upgrade Kubernetes. Select **Vertical Ellipsis (...) > Edit**. @@ -21,4 +21,4 @@ As of Rancher v2.3.0, the Kubernetes metadata feature was added, which allows Ra 1. Click **Save**. -**Result:** Kubernetes begins upgrading for the cluster. During the upgrade, your cluster is unavailable. \ No newline at end of file +**Result:** Kubernetes begins upgrading for the cluster. During the upgrade, your cluster is unavailable. diff --git a/content/rancher/v2.x/en/cluster-provisioning/_index.md b/content/rancher/v2.x/en/cluster-provisioning/_index.md index ad6df2689bd..c9e23d21752 100644 --- a/content/rancher/v2.x/en/cluster-provisioning/_index.md 
+++ b/content/rancher/v2.x/en/cluster-provisioning/_index.md @@ -17,20 +17,21 @@ For a conceptual overview of how the Rancher server provisions clusters and what This section covers the following topics: + - [Setting up clusters in a hosted Kubernetes provider](#setting-up-clusters-in-a-hosted-kubernetes-cluster) - [Launching Kubernetes with Rancher](#launching-kubernetes-with-rancher) - - [Launching Kubernetes and Provisioning Nodes in an Infrastructure Provider](#launching-kubernetes-and-provisioning-nodes-in-an-infrastructure-provider) - - [Launching Kubernetes on Existing Custom Nodes](#launching-kubernetes-on-existing-custom-nodes) -- [Importing Existing Cluster](#importing-existing-cluster) - + - [Launching Kubernetes and Provisioning Nodes in an Infrastructure Provider](#launching-kubernetes-and-provisioning-nodes-in-an-infrastructure-provider) + - [Launching Kubernetes on Existing Custom Nodes](#launching-kubernetes-on-existing-custom-nodes) +- [Importing Existing Clusters](#importing-existing-clusters) + The following table summarizes the options and settings available for each cluster type: - Rancher Capability | RKE Launched | Hosted Kubernetes Cluster | Imported Cluster - ---------|----------|---------|---------| - Manage member roles | ✓ | ✓ | ✓ - Edit cluster options | ✓ | | - Manage node pools | ✓ | | +| Rancher Capability | RKE Launched | Hosted Kubernetes Cluster | Imported Cluster | +| -------------------- | ------------ | ------------------------- | ---------------- | +| Manage member roles | ✓ | ✓ | ✓ | +| Edit cluster options | ✓ | | +| Manage node pools | ✓ | | # Setting up Clusters in a Hosted Kubernetes Provider 
@@ -76,6 +77,23 @@ These nodes include on-premise bare metal servers, cloud-hosted virtual machines In this type of cluster, Rancher connects to a Kubernetes cluster that has already been set up. Therefore, Rancher does not provision Kubernetes, but only sets up the Rancher agents to communicate with the cluster. -Note that Rancher does not automate the provisioning, scaling, or upgrade of imported clusters. All other Rancher features, including management of cluster, policy, and workloads, are available for imported clusters. +Note that Rancher does not automate the provisioning, scaling, or upgrade of imported clusters. Other Rancher features, including management of cluster, role-based access control, policy, and workloads, are available for imported clusters. + +For all imported Kubernetes clusters except for K3s clusters, the configuration of an imported cluster still has to be edited outside of Rancher. Some examples of editing the cluster include adding and removing nodes, upgrading the Kubernetes version, and changing Kubernetes component parameters. + +In Rancher v2.4, it became possible to import a K3s cluster and upgrade Kubernetes by editing the cluster in the Rancher UI. For more information, refer to the section on [importing existing clusters.]({{}}/rancher/v2.x/en/cluster-provisioning/imported-clusters/) + +### Importing and Editing K3s Clusters + +_Available as of Rancher v2.4.0_ + +[K3s]({{}}/k3s/latest/en/) is lightweight, fully compliant Kubernetes distribution. K3s Kubernetes clusters can now be imported into Rancher. + +When a K3s cluster is imported, Rancher will recognize it as K3s, and the Rancher UI will expose the following features in addition to the functionality for other imported clusters: + +- The ability to upgrade the K3s version +- The ability to see a read-only version of the K3s cluster's configuration arguments and environment variables used to launch each node in the cluster. 
+ +For more information, refer to the section on [imported K3s clusters.]({{}}/rancher/v2.x/en/cluster-provisioning/imported-clusters/#additional-features-of-imported-k3s-clusters) diff --git a/content/rancher/v2.x/en/cluster-provisioning/imported-clusters/_index.md b/content/rancher/v2.x/en/cluster-provisioning/imported-clusters/_index.md index e1cf1478588..26e7321c85a 100644 --- a/content/rancher/v2.x/en/cluster-provisioning/imported-clusters/_index.md +++ b/content/rancher/v2.x/en/cluster-provisioning/imported-clusters/_index.md @@ -1,8 +1,8 @@ --- title: Importing Existing Clusters into Rancher description: Learn how you can create a cluster in Rancher by importing an existing Kubernetes cluster. Then, you can manage it using Rancher -metaTitle: "Kubernetes Cluster Management" -metaDescription: "Learn how you can import an existing Kubernetes cluster and then manage it using Rancher" +metaTitle: 'Kubernetes Cluster Management' +metaDescription: 'Learn how you can import an existing Kubernetes cluster and then manage it using Rancher' weight: 2300 aliases: - /rancher/v2.x/en/tasks/clusters/import-cluster/ 
@@ -10,7 +10,27 @@ aliases: When managing an imported cluster, Rancher connects to a Kubernetes cluster that has already been set up. Therefore, Rancher does not provision Kubernetes, but only sets up the Rancher agents to communicate with the cluster. -Keep in mind that editing your Kubernetes cluster still has to be done outside of Rancher. Some examples of editing the cluster include adding and removing nodes, upgrading the Kubernetes version, and changing Kubernetes component parameters. +Note that Rancher does not automate the provisioning, scaling, or upgrade of imported clusters. Other Rancher features, including management of cluster, role-based access control, policy, and workloads, are available for imported clusters. + +For all imported Kubernetes clusters except for K3s clusters, the configuration of an imported cluster still has to be edited outside of Rancher. Some examples of editing the cluster include adding and removing nodes, upgrading the Kubernetes version, and changing Kubernetes component parameters. + +In Rancher v2.4, it became possible to import a K3s cluster and upgrade Kubernetes by editing the cluster in the Rancher UI. 
+ +- [Prerequisites](#prerequisites) +- [Importing a cluster](#importing-a-cluster) +- [Additional features for imported K3s clusters](#additional-features-for-imported-k3s-clusters) + +### Features + +After importing a cluster, the cluster owner can: + +- [Manage cluster access]({{}}/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/) through role-based access control +- Enable [monitoring]({{}}/rancher/v2.x/en/cluster-admin/tools/monitoring/) and [logging]({{}}/rancher/v2.x/en/cluster-admin/tools/logging/) +- Enable [Istio]({{}}/rancher/v2.x/en/cluster-admin/tools/istio/) +- Use [pipelines]({{}}/rancher/v2.x/en/project-admin/pipelines/) +- Configure [alerts] and [notifiers] + +After importing a K3s cluster, the cluster owner can also [upgrade Kubernetes from the Rancher UI.]({{}}/rancher/v2.x/en/cluster-admin/upgrading-kubernetes/) ### Prerequisites @@ -23,12 +43,15 @@ kubectl create clusterrolebinding cluster-admin-binding \ --clusterrole cluster-admin \ --user [USER_ACCOUNT] ``` + before running the `kubectl` command to import the cluster. By default, GKE users are not given this privilege, so you will need to run the command before importing GKE clusters. To learn more about role-based access control for GKE, please click [here](https://cloud.google.com/kubernetes-engine/docs/how-to/role-based-access-control). ### Importing a Cluster +> **Prerequisites:** If you are importing a K3s cluster, make sure the `cluster.yml` is readable. It is protected by default. + 1. From the **Clusters** page, click **Add Cluster**. 2. Choose **Import**. 3. Enter a **Cluster Name**. 
@@ -38,7 +61,26 @@ By default, GKE users are not given this privilege, so you will need to run the 7. Copy the `kubectl` command to your clipboard and run it on a node where kubeconfig is configured to point to the cluster you want to import. If you are unsure it is configured correctly, run `kubectl get nodes` to verify before running the command shown in {{< product >}}. 8. If you are using self signed certificates, you will receive the message `certificate signed by unknown authority`. To work around this validation, copy the command starting with `curl` displayed in {{< product >}} to your clipboard. Then run the command on a node where kubeconfig is configured to point to the cluster you want to import. 9. When you finish running the command(s) on your node, click **Done**. -{{< result_import-cluster >}} + {{< result_import-cluster >}} > **Note:** > You can not re-import a cluster that is currently active in a Rancher setup. + +### Additional Features for Imported K3s Clusters + +_Available as of v2.4.0_ + +You can now import a K3s cluster into Rancher. You can also upgrade Kubernetes by editing the cluster in the Rancher UI. + +[K3s]({{}}/k3s/latest/en/) is lightweight, fully compliant Kubernetes distribution. + +When a K3s cluster is imported, Rancher will recognize it as K3s, and the Rancher UI will expose the following features in addition to the functionality for other imported clusters: + +- The ability to upgrade the K3s version +- The ability to see a read-only version of the K3s cluster's configuration arguments and environment variables used to launch each node in the cluster. + +On the cluster edit page, you will see the configuration of the Kubernetes controlplane nodes. In the K3s documentation, these nodes are called server nodes. Regardless of the terminology used, these nodes run the Kubernetes master, which maintains the desired state of the cluster. 
+ +In K3s, nodes with the "server" (also known as "controlplane") role have the capability to have workloads scheduled to them by default. + +K3s nodes with the "agent" (also known as "worker") role will be managed by the controlplane. Any workloads or pods that are deployed in the cluster can be scheduled to these nodes. \ No newline at end of file From 24936f2eb55425573577731654ab123234957f7c Mon Sep 17 00:00:00 2001 From: Catherine Luse Date: Thu, 19 Mar 2020 14:39:52 -0700 Subject: [PATCH 087/183] Add content to docs on importing K3s --- .../upgrading-kubernetes/_index.md | 2 + .../imported-clusters/_index.md | 37 ++++++++++++++----- 2 files changed, 30 insertions(+), 9 deletions(-) diff --git a/content/rancher/v2.x/en/cluster-admin/upgrading-kubernetes/_index.md b/content/rancher/v2.x/en/cluster-admin/upgrading-kubernetes/_index.md index ef5d7688644..d2afea7cd72 100644 --- a/content/rancher/v2.x/en/cluster-admin/upgrading-kubernetes/_index.md +++ b/content/rancher/v2.x/en/cluster-admin/upgrading-kubernetes/_index.md @@ -11,6 +11,8 @@ Before a new version of Rancher is released, it's tested with the latest minor v As of Rancher v2.3.0, the Kubernetes metadata feature was added, which allows Rancher to ship Kubernetes patch versions without upgrading Rancher. For details, refer to the [section on Kubernetes metadata.]({{}}/rancher/v2.x/en/admin-settings/k8s-metadata) +As of Rancher v2.4.0, the ability to import K3s Kubernetes clusters into Rancher was added, along with the ability to upgrade Kubernetes when editing those clusters. + > **Recommended:** Before upgrading Kubernetes, [backup your cluster]({{}}/rancher/v2.x/en/backups). 1. From the **Global** view, find the cluster for which you want to upgrade Kubernetes. Select **Vertical Ellipsis (...) > Edit**. diff --git a/content/rancher/v2.x/en/cluster-provisioning/imported-clusters/_index.md b/content/rancher/v2.x/en/cluster-provisioning/imported-clusters/_index.md index 26e7321c85a..635a8349c44 100644 
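Review bot: in patch 086's hunk for `cluster-provisioning/_index.md`, the closing link under "Importing and Editing K3s Clusters" points at `#additional-features-of-imported-k3s-clusters`, but the heading added to `imported-clusters/_index.md` in the same patch is "Additional Features for Imported K3s Clusters" and the link in `upgrading-kubernetes/_index.md` uses `#additional-features-for-imported-k3s-clusters`; change `-of-` to `-for-` so the anchor resolves. In the Features list, `[alerts]` and `[notifiers]` are written as links with no target, and "K3s is lightweight, fully compliant Kubernetes distribution" is missing "a" in both files. The new prerequisite says to make "the `cluster.yml`" readable without saying where that file lives on a K3s node or which account needs to read it.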
--- a/content/rancher/v2.x/en/cluster-provisioning/imported-clusters/_index.md +++ b/content/rancher/v2.x/en/cluster-provisioning/imported-clusters/_index.md @@ -14,7 +14,7 @@ Note that Rancher does not automate the provisioning, scaling, or upgrade of imp For all imported Kubernetes clusters except for K3s clusters, the configuration of an imported cluster still has to be edited outside of Rancher. Some examples of editing the cluster include adding and removing nodes, upgrading the Kubernetes version, and changing Kubernetes component parameters. -In Rancher v2.4, it became possible to import a K3s cluster and upgrade Kubernetes by editing the cluster in the Rancher UI. +Rancher v2.4 added the capability to import a K3s cluster into Rancher, as well as the ability to upgrade Kubernetes by editing the cluster in the Rancher UI. - [Prerequisites](#prerequisites) - [Importing a cluster](#importing-a-cluster) @@ -28,7 +28,8 @@ After importing a cluster, the cluster owner can: - Enable [monitoring]({{}}/rancher/v2.x/en/cluster-admin/tools/monitoring/) and [logging]({{}}/rancher/v2.x/en/cluster-admin/tools/logging/) - Enable [Istio]({{}}/rancher/v2.x/en/cluster-admin/tools/istio/) - Use [pipelines]({{}}/rancher/v2.x/en/project-admin/pipelines/) -- Configure [alerts] and [notifiers] +- Configure [alerts]({{}}/rancher/v2.x/en/cluster-admin/tools/alerts/) and [notifiers]({{}}/rancher/v2.x/en/cluster-admin/tools/notifiers/) +- Manage [projects]() and [workloads]() After importing a K3s cluster, the cluster owner can also [upgrade Kubernetes from the Rancher UI.]({{}}/rancher/v2.x/en/cluster-admin/upgrading-kubernetes/) 
@@ -50,7 +51,7 @@ By default, GKE users are not given this privilege, so you will need to run the ### Importing a Cluster -> **Prerequisites:** If you are importing a K3s cluster, make sure the `cluster.yml` is readable. It is protected by default. +> **Prerequisites:** If you are importing a K3s cluster, make sure the `cluster.yml` is readable. It is protected by default. For details, refer to [Configuring a K3s cluster to enable importation to Rancher.](#configuring-a-k3s-cluster-to-enable-importation-to-rancher) 1. From the **Clusters** page, click **Add Cluster**. 2. Choose **Import**. 
@@ -70,17 +71,35 @@ By default, GKE users are not given this privilege, so you will need to run the _Available as of v2.4.0_ -You can now import a K3s cluster into Rancher. You can also upgrade Kubernetes by editing the cluster in the Rancher UI. - -[K3s]({{}}/k3s/latest/en/) is lightweight, fully compliant Kubernetes distribution. +You can now import a K3s cluster into Rancher. [K3s]({{}}/k3s/latest/en/) is lightweight, fully compliant Kubernetes distribution. You can also upgrade Kubernetes by editing the cluster in the Rancher UI. When a K3s cluster is imported, Rancher will recognize it as K3s, and the Rancher UI will expose the following features in addition to the functionality for other imported clusters: - The ability to upgrade the K3s version +- The ability to configure the maximum number of nodes that will be upgraded concurrently - The ability to see a read-only version of the K3s cluster's configuration arguments and environment variables used to launch each node in the cluster. -On the cluster edit page, you will see the configuration of the Kubernetes controlplane nodes. In the K3s documentation, these nodes are called server nodes. Regardless of the terminology used, these nodes run the Kubernetes master, which maintains the desired state of the cluster. +The **concurrency** is the maximum number of nodes that are permitted to be unavailable during an upgrade. If number of unavailable nodes is larger than the **concurrency,** the upgrade will fail. If an upgrade fails, you may need to repair or remove failed nodes before the upgrade can succeed. -In K3s, nodes with the "server" (also known as "controlplane") role have the capability to have workloads scheduled to them by default. 
+- **Server concurrency:** The maximum number of server nodes to upgrade at a single time; also the maximum unavailable server nodes +- **Worker concurrency:** The maximum number worker nodes to upgrade at the same time; also the maximum unavailable worker nodes -K3s nodes with the "agent" (also known as "worker") role will be managed by the controlplane. Any workloads or pods that are deployed in the cluster can be scheduled to these nodes. \ No newline at end of file +In the K3s documentation, controlplane nodes are called server nodes. These nodes run the Kubernetes master, which maintains the desired state of the cluster. In K3s, these controlplane nodes have the capability to have workloads scheduled to them by default. + +Also in the K3s documentation, nodes with the worker role are called agent nodes. Any workloads or pods that are deployed in the cluster can be scheduled to these nodes by default. + +### Configuring a K3s Cluster to Enable Importation to Rancher + +The K3s server needs to be configured to allow writing to the kubeconfig file. + +This can be accomplished by passing `--write-kubeconfig-mode 644` as a flag during installation: + +``` +$ curl -sfL https://get.k3s.io | sh -s - --write-kubeconfig-mode 644 +``` + +The option can also be specified using the environment variable `K3S_KUBECONFIG_MODE`: + +``` +$ curl -sfL https://get.k3s.io | K3S_KUBECONFIG_MODE="644" sh -s - +``` \ No newline at end of file From 635e1aae6a49b26e17f4aee81eb9dcd192a06cac Mon Sep 17 00:00:00 2001 From: Catherine Luse Date: Thu, 19 Mar 2020 15:41:32 -0700 Subject: [PATCH 088/183] Update docs on importing K3s clusters --- .../rancher/v2.x/en/cluster-provisioning/_index.md | 1 + .../cluster-provisioning/imported-clusters/_index.md | 12 +++++++----- 2 files changed, 8 insertions(+), 5 deletions(-) diff --git a/content/rancher/v2.x/en/cluster-provisioning/_index.md b/content/rancher/v2.x/en/cluster-provisioning/_index.md index c9e23d21752..31c97b0aa06 100644 
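Review bot: in patch 087's new "Configuring a K3s Cluster to Enable Importation to Rancher" section, the text says the server must "allow writing to the kubeconfig file", but `--write-kubeconfig-mode 644` and `K3S_KUBECONFIG_MODE="644"` add read permission for group and others, not write; reword to "readable" and say plainly that this makes a file the page describes as "protected by default" readable by every local account on the node, along with which process needs that access. The prerequisite that links here still names `cluster.yml` while this section speaks of the kubeconfig file, so pick one name for the file. Elsewhere in the patch, `[projects]()` and `[workloads]()` are added with empty link targets, and the concurrency text has "If number of unavailable nodes" and "The maximum number worker nodes", which need "the" and "of".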
--- a/content/rancher/v2.x/en/cluster-provisioning/_index.md +++ b/content/rancher/v2.x/en/cluster-provisioning/_index.md @@ -23,6 +23,7 @@ This section covers the following topics: - [Launching Kubernetes and Provisioning Nodes in an Infrastructure Provider](#launching-kubernetes-and-provisioning-nodes-in-an-infrastructure-provider) - [Launching Kubernetes on Existing Custom Nodes](#launching-kubernetes-on-existing-custom-nodes) - [Importing Existing Clusters](#importing-existing-clusters) + - [Importing and Editing K3s Clusters](#importing-and-editing-k3s-clusters) The following table summarizes the options and settings available for each cluster type: diff --git a/content/rancher/v2.x/en/cluster-provisioning/imported-clusters/_index.md b/content/rancher/v2.x/en/cluster-provisioning/imported-clusters/_index.md index 635a8349c44..5c32602c760 100644 --- a/content/rancher/v2.x/en/cluster-provisioning/imported-clusters/_index.md +++ b/content/rancher/v2.x/en/cluster-provisioning/imported-clusters/_index.md @@ -16,9 +16,11 @@ For all imported Kubernetes clusters except for K3s clusters, the configuration Rancher v2.4 added the capability to import a K3s cluster into Rancher, as well as the ability to upgrade Kubernetes by editing the cluster in the Rancher UI. +- [Features](#features) - [Prerequisites](#prerequisites) - [Importing a cluster](#importing-a-cluster) - [Additional features for imported K3s clusters](#additional-features-for-imported-k3s-clusters) +- [Configuring a K3s Cluster to Enable Importation to Rancher](#configuring-a-k3s-cluster-to-enable-importation-to-rancher) ### Features 
@@ -29,7 +31,7 @@ After importing a cluster, the cluster owner can: - Enable [Istio]({{}}/rancher/v2.x/en/cluster-admin/tools/istio/) - Use [pipelines]({{}}/rancher/v2.x/en/project-admin/pipelines/) - Configure [alerts]({{}}/rancher/v2.x/en/cluster-admin/tools/alerts/) and [notifiers]({{}}/rancher/v2.x/en/cluster-admin/tools/notifiers/) -- Manage [projects]() and [workloads]() +- Manage [projects]({{}}/rancher/v2.x/en/project-admin/) and [workloads]({{}}/rancher/v2.x/en/k8s-in-rancher/workloads/) After importing a K3s cluster, the cluster owner can also [upgrade Kubernetes from the Rancher UI.]({{}}/rancher/v2.x/en/cluster-admin/upgrading-kubernetes/) @@ -49,9 +51,9 @@ before running the `kubectl` command to import the cluster. By default, GKE users are not given this privilege, so you will need to run the command before importing GKE clusters. To learn more about role-based access control for GKE, please click [here](https://cloud.google.com/kubernetes-engine/docs/how-to/role-based-access-control). -### Importing a Cluster +> If you are importing a K3s cluster, make sure the `cluster.yml` is readable. It is protected by default. For details, refer to [Configuring a K3s cluster to enable importation to Rancher.](#configuring-a-k3s-cluster-to-enable-importation-to-rancher) -> **Prerequisites:** If you are importing a K3s cluster, make sure the `cluster.yml` is readable. It is protected by default. For details, refer to [Configuring a K3s cluster to enable importation to Rancher.](#configuring-a-k3s-cluster-to-enable-importation-to-rancher) +### Importing a Cluster 1. From the **Clusters** page, click **Add Cluster**. 2. Choose **Import**. 
@@ -71,7 +73,7 @@ By default, GKE users are not given this privilege, so you will need to run the _Available as of v2.4.0_ -You can now import a K3s cluster into Rancher. [K3s]({{}}/k3s/latest/en/) is lightweight, fully compliant Kubernetes distribution. You can also upgrade Kubernetes by editing the cluster in the Rancher UI. +You can now import a K3s Kubernetes cluster into Rancher. [K3s]({{}}/k3s/latest/en/) is lightweight, fully compliant Kubernetes distribution. You can also upgrade Kubernetes by editing the K3s cluster in the Rancher UI. When a K3s cluster is imported, Rancher will recognize it as K3s, and the Rancher UI will expose the following features in addition to the functionality for other imported clusters: @@ -81,7 +83,7 @@ When a K3s cluster is imported, Rancher will recognize it as K3s, and the Ranche The **concurrency** is the maximum number of nodes that are permitted to be unavailable during an upgrade. If number of unavailable nodes is larger than the **concurrency,** the upgrade will fail. If an upgrade fails, you may need to repair or remove failed nodes before the upgrade can succeed. -- **Server concurrency:** The maximum number of server nodes to upgrade at a single time; also the maximum unavailable server nodes +- **Controlplane concurrency:** The maximum number of server nodes to upgrade at a single time; also the maximum unavailable server nodes - **Worker concurrency:** The maximum number worker nodes to upgrade at the same time; also the maximum unavailable worker nodes In the K3s documentation, controlplane nodes are called server nodes. These nodes run the Kubernetes master, which maintains the desired state of the cluster. In K3s, these controlplane nodes have the capability to have workloads scheduled to them by default. From 7c1f278507e0e306782a42b6ec5530e999fcb01b Mon Sep 17 00:00:00 2001 
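Review bot: The rewritten + line in the @@ -71,7 +73,7 @@ hunk still reads "is lightweight, fully compliant Kubernetes distribution"; it needs an article: "is a lightweight, fully compliant Kubernetes distribution".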
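Review bot: In the @@ -81,7 +83,7 @@ hunk the label becomes **Controlplane concurrency**, but its description still says "server nodes" twice and the mapping between the two terms is only given in the paragraph after the list. Use "controlplane (server) nodes" in the description so the bullet stands on its own. The neighbouring **Worker concurrency** bullet is also missing "of" ("maximum number worker nodes") and could be fixed in the same change.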
From: Catherine Luse Date: Thu, 19 Mar 2020 16:01:07 -0700 Subject: [PATCH 089/183] Minor correction --- .../v2.x/en/cluster-provisioning/imported-clusters/_index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/rancher/v2.x/en/cluster-provisioning/imported-clusters/_index.md b/content/rancher/v2.x/en/cluster-provisioning/imported-clusters/_index.md index 5c32602c760..b8c053d4086 100644 --- a/content/rancher/v2.x/en/cluster-provisioning/imported-clusters/_index.md +++ b/content/rancher/v2.x/en/cluster-provisioning/imported-clusters/_index.md @@ -10,7 +10,7 @@ aliases: When managing an imported cluster, Rancher connects to a Kubernetes cluster that has already been set up. Therefore, Rancher does not provision Kubernetes, but only sets up the Rancher agents to communicate with the cluster. -Note that Rancher does not automate the provisioning, scaling, or upgrade of imported clusters. Other Rancher features, including management of cluster, role-based access control, policy, and workloads, are available for imported clusters. +Rancher features, including management of cluster, role-based access control, policy, and workloads, are available for imported clusters. Note that Rancher does not automate the provisioning or scaling of imported clusters. For all imported Kubernetes clusters except for K3s clusters, the configuration of an imported cluster still has to be edited outside of Rancher. Some examples of editing the cluster include adding and removing nodes, upgrading the Kubernetes version, and changing Kubernetes component parameters. From 5be8bebf1b57c948a64cbb4cc3ecf6306ca1f02c Mon Sep 17 00:00:00 2001 From: Catherine Luse Date: Fri, 20 Mar 2020 17:11:30 -0700 Subject: [PATCH 090/183] Formatting and link fix --- .../authentication/shibboleth/_index.md | 6 ++-- .../v2.x/en/security/security-scan/_index.md | 31 ++++++++++--------- 2 files changed, 21 insertions(+), 16 deletions(-) 
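Review bot: In PATCH 089/183 ("Minor correction"), the first + sentence of the @@ -10,7 +10,7 @@ hunk carries over "management of cluster"; make it "management of clusters" or "cluster management". With "Other" removed, the sentence also reads as if every Rancher feature is available for imported clusters before the next sentence lists what is not automated, so consider leading with the exceptions or restoring a qualifier.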
diff --git a/content/rancher/v2.x/en/admin-settings/authentication/shibboleth/_index.md b/content/rancher/v2.x/en/admin-settings/authentication/shibboleth/_index.md index 114726f2659..d0e71c21ea7 100644 --- a/content/rancher/v2.x/en/admin-settings/authentication/shibboleth/_index.md +++ b/content/rancher/v2.x/en/admin-settings/authentication/shibboleth/_index.md 
@@ -84,17 +84,19 @@ To enable searching for groups when assigning permissions in Rancher, you will n # Setting up OpenLDAP in Rancher +If you also configure OpenLDAP as the back end to Shibboleth, it will return a SAML assertion to Rancher with user attributes that include groups. Then authenticated users will be able to access resources in Rancher that their groups have permissions for. + ### OpenLDAP Prerequisites Rancher must be configured with a LDAP bind account (aka service account) to search and retrieve LDAP entries pertaining to users and groups that should have access. It is recommended to not use an administrator account or personal account for this purpose and instead create a dedicated account in OpenLDAP with read-only access to users and groups under the configured search base (see below). > **Using TLS?** > -> If the certificate used by the OpenLDAP server is self-signed or not from a recognised certificate authority, make sure have at hand the CA certificate (concatenated with any intermediate certificates) in PEM format. You will have to paste in this certificate during the configuration so that Rancher is able to validate the certificate chain. +> If the certificate used by the OpenLDAP server is self-signed or not from a recognized certificate authority, make sure have at hand the CA certificate (concatenated with any intermediate certificates) in PEM format. You will have to paste in this certificate during the configuration so that Rancher is able to validate the certificate chain. ### Configure OpenLDAP in Rancher -Configure the settings for the OpenLDAP server, groups and users. For help filling out each field, refer to the [configuration reference.](../openldap-config) +Configure the settings for the OpenLDAP server, groups and users. 
For help filling out each field, refer to the [configuration reference.]({{}}/rancher/v2.x/en/admin-settings/authentication/openldap/openldap-config) > Before you proceed with the configuration, please familiarise yourself with the concepts of [External Authentication Configuration and Principal Users]({{}}/rancher/v2.x/en/admin-settings/authentication/#external-authentication-configuration-and-principal-users). diff --git a/content/rancher/v2.x/en/security/security-scan/_index.md b/content/rancher/v2.x/en/security/security-scan/_index.md index e10a384a915..f23f3469a5d 100644 --- a/content/rancher/v2.x/en/security/security-scan/_index.md +++ b/content/rancher/v2.x/en/security/security-scan/_index.md @@ -15,7 +15,10 @@ The Benchmark provides recommendations of two types: Scored and Not Scored. We r - [About the CIS Benchmark](#about-the-cis-benchmark) - [About the generated report](#about-the-generated-report) -- [Permissive and hardened test profiles](#permissive-and-hardened-test-profiles) +- [Test profiles](#test-profiles) +- [Skipped and not applicable tests](#skipped-and-not-applicable-tests) + - [CIS Benchmark v1.4 skipped tests](#cis-benchmark-v1-4-skipped-tests) + - [CIS Benchmark v1.4 not applicable tests](#cis-benchmark-v1-4-not-applicable-tests) - [Prerequisites](#prerequisites) - [Running a scan](#running-a-scan) - [Scheduling recurring scans](#scheduling-recurring-scans) 
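Review bot: In the shibboleth/_index.md hunk (@@ -84,17 +84,19 @@), the TLS line was touched only to change "recognised" to "recognized" and still reads "make sure have at hand the CA certificate"; it should be "make sure you have the CA certificate (concatenated with any intermediate certificates) at hand in PEM format". The unchanged line at the end of the hunk keeps "familiarise", so the spelling change is only half applied. In the added opening paragraph, "it will return a SAML assertion" has no clear subject; name Shibboleth explicitly.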
@@ -24,7 +27,7 @@ The Benchmark provides recommendations of two types: Scored and Not Scored. We r - [Deleting a report](#deleting-a-report) - [Downloading a report](#downloading-a-report) -### About the CIS Benchmark +# About the CIS Benchmark The Center for Internet Security is a 501(c)(3) nonprofit organization, formed in October 2000, with a mission is to "identify, develop, validate, promote, and sustain best practice solutions for cyber defense and build and lead communities to enable an environment of trust in cyberspace". The organization is headquartered in East Greenbush, New York, with members including large corporations, government agencies, and academic institutions. @@ -34,7 +37,7 @@ The official Benchmark documents are available through the CIS website. The sign To check clusters for CIS Kubernetes Benchmark compliance, the security scan leverages [kube-bench,](https://github.com/aquasecurity/kube-bench) an open-source tool from Aqua Security. -### About the Generated Report +# About the Generated Report Each scan generates a report can be viewed in the Rancher UI and can be downloaded in CSV format. @@ -61,7 +64,7 @@ The report contains the following information: Refer to [the table in the cluster hardening guide]({{}}/rancher/v2.x/en/security/#rancher-hardening-guide) for information on which versions of Kubernetes, the Benchmark, Rancher, and our cluster hardening guide correspond to each other. Also refer to the hardening guide for configuration files of CIS-compliant clusters and information on remediating failed tests. -### Profiles +# Test Profiles For every CIS benchmark version, Rancher ships with two types of profiles. These profiles are named based on the type of cluster (e.g. `RKE`), the CIS benchmark version (e.g. CIS 1.4) and the profile type (e.g. `Permissive` or `Hardened`). For example, a full profile name would be `RKE-CIS-1.4-Permissive` 
@@ -74,9 +77,9 @@ There are 2 types of profiles: In order to pass the "Hardened" profile, you will need to follow the steps on the [hardening guide]({{}}/rancher/v2.x/en/security/#rancher-hardening-guide) and use the `cluster.yml` defined in the hardening guide to provision a hardened cluster. -#### Skipped and Not Applicable Tests +# Skipped and Not Applicable Tests -#### CIS 1.4 Skipped Tests +### CIS Benchmark v1.4 Skipped Tests Number | Description | Reason for Skipping ---|---|--- @@ -96,7 +99,7 @@ Number | Description | Reason for Skipping 2.1.6 | "Ensure that the --protect-kernel-defaults argument is set to true (Scored)" | System level configurations are required prior to provisioning the cluster in order for this argument to be set to true. 2.1.10 | "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)" | When generating serving certificates, functionality could break in conjunction with hostname overrides which are required for certain cloud providers. -#### CIS 1.4 Not Applicable Tests +### CIS Benchmark v1.4 Not Applicable Tests Number | Description | Reason for being not applicable ---|---|--- @@ -121,7 +124,7 @@ Number | Description | Reason for being not applicable 2.2.10 | "Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Scored)" | RKE doesn’t require or maintain a configuration file for the kubelet. -### Prerequisites +# Prerequisites To run security scans on a cluster and access the generated reports, you must be an [Administrator]({{}}/rancher/v2.x/en/admin-settings/rbac/global-permissions/) or [Cluster Owner.]({{}}/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/) 
@@ -131,7 +134,7 @@ The security scan cannot run in a cluster that has Windows nodes. You will only be able to see the CIS scan reports for clusters that you have access to. -### Running a Scan +# Running a Scan 1. From the cluster view in Rancher, click **Tools > CIS Scans.** 1. Click **Run Scan.** @@ -139,7 +142,7 @@ You will only be able to see the CIS scan reports for clusters that you have acc **Result:** A report is generated and displayed in the **CIS Scans** page. To see details of the report, click the report's name. -### Scheduling Recurring Scans +# Scheduling Recurring Scans Recurring scans can be scheduled to run on any RKE Kubernetes cluster. @@ -171,7 +174,7 @@ scheduled_cluster_scan: ``` -### Skipping Tests +# Skipping Tests You can define a set of tests that will be skipped by the CIS scan when the next report is generated. @@ -199,7 +202,7 @@ To skip tests by editing a ConfigMap resource, **Result:** These tests will be skipped on subsequent scans that use the defined CIS Benchmark version. -### Setting Alerts +# Setting Alerts Rancher provides a set of alerts for cluster scans. which are not configured to have notifiers by default: @@ -222,14 +225,14 @@ To activate an alert for a CIS scan result, **Result:** The notifications will be triggered when the a scan is run on a cluster and the active alerts have satisfied conditions. -### Deleting a Report +# Deleting a Report 1. From the cluster view in Rancher, click **Tools > CIS Scans.** 1. Go to the report that should be deleted. 1. Click the **Ellipsis (...) > Delete.** 1. Click **Delete.** -### Downloading a Report +# Downloading a Report 1. From the cluster view in Rancher, click **Tools > CIS Scans.** 1. Go to the report that you want to download. Click **Ellipsis (...) > Download.** From a057efeb3b2685b7e46e4d75199b65bccf476012 Mon Sep 17 00:00:00 2001 
From: Catherine Luse Date: Sat, 21 Mar 2020 20:55:31 -0700 Subject: [PATCH 091/183] Update docs on zero-downtime cluster maintenance --- .../upgrading-kubernetes/_index.md | 54 ++- .../en/cluster-admin/zero-downtime/_index.md | 337 +++++++++++++++++ content/rke/latest/en/zero-downtime/_index.md | 339 ++++++++++++++++++ 3 files changed, 725 insertions(+), 5 deletions(-) create mode 100644 content/rancher/v2.x/en/cluster-admin/zero-downtime/_index.md create mode 100644 content/rke/latest/en/zero-downtime/_index.md diff --git a/content/rancher/v2.x/en/cluster-admin/upgrading-kubernetes/_index.md b/content/rancher/v2.x/en/cluster-admin/upgrading-kubernetes/_index.md index d2afea7cd72..4e7e09b9c2b 100644 --- a/content/rancher/v2.x/en/cluster-admin/upgrading-kubernetes/_index.md +++ b/content/rancher/v2.x/en/cluster-admin/upgrading-kubernetes/_index.md @@ -1,10 +1,8 @@ --- -title: Upgrading Kubernetes +title: Upgrading and Rolling Back Kubernetes weight: 70 --- -> **Prerequisite:** The options below are available only for [Rancher-launched RKE Kubernetes clusters]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/) and [imported K3s Kubernetes clusters.]({{}}/rancher/v2.x/en/cluster-provisioning/imported-clusters/#additional-features-for-imported-k3s-clusters) - Following an upgrade to the latest version of Rancher, you can update your existing clusters to use the latest supported version of Kubernetes. Before a new version of Rancher is released, it's tested with the latest minor versions of Kubernetes to ensure compatibility. For example, Rancher v2.3.0 is was tested with Kubernetes v1.15.4, v1.14.7, and v1.13.11. For details on which versions of Kubernetes were tested on each Rancher version, refer to the [support maintenance terms.](https://rancher.com/support-maintenance-terms/all-supported-versions/rancher-v2.3.0/) 
@@ -13,7 +11,47 @@ As of Rancher v2.3.0, the Kubernetes metadata feature was added, which allows Ra As of Rancher v2.4.0, the ability to import K3s Kubernetes clusters into Rancher was added, along with the ability to upgrade Kubernetes when editing those clusters. -> **Recommended:** Before upgrading Kubernetes, [backup your cluster]({{}}/rancher/v2.x/en/backups). +### Zero-downtime Upgrades + +_Available as of v2.4_ + +It is now possible to upgrade or edit an RKE Kubernetes cluster without downtime for your applications. + +A zero-downtime upgrade is one in which your workloads are available on at least a single node, and all critical addon services, such as Ingress and DNS, are available during the upgrade. + +For details, refer to [this section.]({{}}/rancher/v2.x/en/cluster-admin/zero-downtime) + +### Recommended Best Practice for Upgrades + +{{% tabs %}} +{{% tab "Rancher v2.4+" %}} +When upgrading the Kubernetes version of a cluster, we recommend that you: + +1. Take a snapshot. +1. Initiate a Kubernetes upgrade. +1. If the upgrade fails, revert the Kubernetes upgrade to the pre-upgrade version. Before restoring the cluster from the snapshot in the etcd datastore, the cluster should be running the pre-upgrade Kubernetes version. +1. Restore the cluster from the etcd snapshot. + +The restore operation will work on a cluster that is not in a healthy or active state. +{{% /tab %}} +{{% tab "Rancher prior to v2.4" %}} +When upgrading the Kubernetes version of a cluster, we recommend that you: + +1. Take a snapshot. +1. Initiate a Kubernetes upgrade. +1. If the upgrade fails, restore the cluster from the etcd snapshot. + +> The cluster cannot be downgraded to a previous Kubernetes version. 
+{{% /tab %}} +{{% /tabs %}} + +### Upgrading Kubernetes + +> **Prerequisites:** +> +> The options below are available only for [Rancher-launched RKE Kubernetes clusters]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/) and [imported K3s Kubernetes clusters.]({{}}/rancher/v2.x/en/cluster-provisioning/imported-clusters/#additional-features-for-imported-k3s-clusters) +> +> Before upgrading Kubernetes, [back up your cluster]({{}}/rancher/v2.x/en/backups). 1. From the **Global** view, find the cluster for which you want to upgrade Kubernetes. Select **Vertical Ellipsis (...) > Edit**. @@ -23,4 +61,10 @@ As of Rancher v2.4.0, the ability to import K3s Kubernetes clusters into Rancher 1. Click **Save**. -**Result:** Kubernetes begins upgrading for the cluster. During the upgrade, your cluster is unavailable. +**Result:** Kubernetes begins upgrading for the cluster. + +### Rolling Back Kubernetes + +_Available as of v2.4_ + +A cluster can be restored to a backup in which the previous Kubernetes version was used. \ No newline at end of file diff --git a/content/rancher/v2.x/en/cluster-admin/zero-downtime/_index.md b/content/rancher/v2.x/en/cluster-admin/zero-downtime/_index.md new file mode 100644 index 00000000000..9378e57721e --- /dev/null +++ b/content/rancher/v2.x/en/cluster-admin/zero-downtime/_index.md 
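Review bot: Step 3 of the "Rancher v2.4+" tab in the @@ -13,7 +11,47 @@ hunk tells the reader to "revert the Kubernetes upgrade to the pre-upgrade version", but neither that step nor anything else in the hunk says how to do it. Link the step to the rollback procedure, and link "Take a snapshot" and "Restore the cluster from the etcd snapshot" to the backups page that the prerequisites further down already reference.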
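Review bot: The @@ -23,4 +61,10 @@ hunk deletes "During the upgrade, your cluster is unavailable." for every reader, while the same page keeps a "Rancher prior to v2.4" tab and presents zero-downtime upgrades as a v2.4 feature for RKE clusters that meet separate requirements. Qualify the sentence instead of removing it, for example by saying the cluster is unavailable during the upgrade unless it is configured for zero downtime. The new "Rolling Back Kubernetes" section is a single sentence with no steps or link, and the file now ends without a trailing newline.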
@@ -0,0 +1,337 @@ +--- +title: Zero-downtime Cluster Maintenance +weight: 71 +--- + +_Available as of v2.4.0_ + +It is now possible to upgrade or edit an RKE Kubernetes cluster without downtime for your applications. In this section, you'll learn how to configure your cluster to prevent downtime when you upgrade the cluster using `rke up`. + +A zero-downtime upgrade is one in which your workloads are available on at least a single node, and all critical addon services, such as Ingress and DNS, are available during the upgrade. + +This availability is achieved by upgrading worker nodes in batches of a configurable size, and ensuring that your workloads run on a number of nodes that exceeds that maximum number of unavailable worker nodes. + +Several requirements must be met before zero-downtime cluster upgrades can succeed. For details, refer to [this section.](#requirements) + +- [How Upgrades Work](#how-upgrades-work) +- [Requirements for Zero-downtime Upgrades](#requirements-for-zero-downtime-upgrades) + - [Kubernetes Version Requirement](#1-kubernetes-version-requirement) + - [Cluster Requirements](#2-cluster-requirements) + - [Workload Requirements](#3-workload-requirements) +- [Configuring the Upgrade Strategy](#configuring-the-upgrade-strategy) + - [Maximum Unavailable Nodes](#maximum-unavailable-nodes) + - [Draining Nodes](#draining-nodes) + - [Replicas for Ingress and Networking Addons](#replicas-for-ingress-and-networking-addons) + - [Replicas for DNS and Monitoring Addons](#replicas-for-dns-and-monitoring-addons) +- [Example cluster.yml](#example-cluster-yml) +- [Troubleshooting](#troubleshooting) + +# How Upgrades Work + +The purpose of this section is to clarify how each type of node is upgraded by default. + +{{% tabs %}} +{{% tab "RKE v1.1.0+" %}} + +The following features are new in RKE v1.1.0: + +- The ability to upgrade or edit a cluster without downtime for your applications. 
+- The ability to manually upgrade nodes of a certain role without upgrading others. +- The ability to restore a Kubernetes cluster to an older Kubernetes version by restoring it to a snapshot that includes the older Kubernetes version. This capability allows you to safely upgrade one type of node at a time, because if an upgrade cannot be completed by all nodes in the cluster, you can downgrade the Kubernetes version of the nodes that were already upgraded. + +When a cluster is upgraded with `rke up`, using the default options, the following process is used: + +1. etcd nodes get updated first, one at a time. +1. Controlplane nodes get updated second, one at a time. +1. Worker nodes get updated third, one by one, because the default configuration for the maximum number of unavailable nodes is one. +1. [Addons]({{}}/rke/latest/en/config-options/add-ons/) get upgraded one by one. + +The following sections break down in more detail what happens when etcd nodes, controlplane nodes, worker nodes, and addons are upgraded. This information is intended to be used to help you understand the update strategy for the cluster, and may be useful when troubleshooting problems with upgrading the cluster. + +- [Upgrades of etcd nodes](#upgrades-of-etcd-nodes) +- [Upgrades of controlplane nodes](#upgrades-of-controlplane-nodes) +- [Upgrades of worker nodes](#upgrades-of-worker-nodes) +- [Upgrades of addons](#upgrades-of-addons) + +### Upgrades of etcd Nodes + +A cluster upgrade begins by upgrading the etcd nodes one at a time. + +If an etcd node fails at any time, the upgrade will fail and no more nodes will be upgraded. The cluster will be stuck in an updating state and not move forward to upgrading controlplane or worker nodes. + +### Upgrades of Controlplane Nodes + +Controlplane nodes are upgraded one at a time by default. The maximum number of unavailable controlplane nodes can also be configured, so that they can be upgraded in batches. 
+ +As long as the maximum unavailable number or percentage of controlplane nodes has not been reached, Rancher will continue to upgrade other controlplane nodes, then the worker nodes. + +If any controlplane nodes were unable to be upgraded, the upgrade will not proceed to the worker nodes. + +### Upgrades of Worker Nodes + +By default, worker nodes are upgraded in batches. The size of the batch is determined by the maximum number of unavailable worker nodes, configured as the `max_unavailable_worker` directive in the `cluster.yml`. + +By default, the `max_unavailable_worker` nodes is defined as 10 percent of all worker nodes. This number can be configured as a percentage or as an integer. When defined as a percentage, the batch size is rounded down to the nearest node, with a minimum of one node. + +For example, if you have 11 worker nodes and `max_unavailable_worker` is 25%, two nodes will be upgraded at once because 25% of 11 is 2.75. If you have two worker nodes and `max_unavailable_worker` is 1%, the worker nodes will be upgraded one at a time because the minimum batch size is one. + +When each node in a batch returns to a Ready state, the next batch of nodes begins to upgrade. If `kubelet` and `kube-proxy` have started, the node is Ready. As long as the `max_unavailable_worker` number of nodes have not failed, Rancher will continue to upgrade other worker nodes. + +RKE scans the cluster before starting the upgrade to find the powered down or unreachable hosts. The upgrade will stop if that number matches or exceeds the maximum number of unavailable nodes. + +RKE will cordon each node before upgrading it, and uncordon the node afterward. RKE can also be configured to [drain](https://kubernetes.io/docs/tasks/administer-cluster/safely-drain-node/) nodes before upgrading them. + +RKE will handle all worker node upgrades before upgrading any add-ons. 
As long as the maximum number of unavailable worker nodes is not reached, RKE will attempt to upgrade the [addons.](#upgrades-of-addons) For example, if a cluster has two worker nodes and one worker node fails, but the maximum unavailable worker nodes is greater than one, the addons will still be upgraded. + +### Upgrades of Addons + +The availability of your applications partly depends on the availability of [RKE addons.]({{}}/rke/latest/en/config-options/add-ons/) Addons are used to deploy several cluster components, including network plug-ins, the Ingress controller, DNS provider, and metrics server. + +Because RKE addons are necessary for allowing traffic into the cluster, a zero-downtime upgrade requires them to be updated in batches. You will need to configure the maximum number of unavailable replicas for each addon in the `cluster.yml` to ensure that your cluster will retain enough available replicas during an upgrade. + +For more information on configuring the number of replicas for each addon, refer to [this section.](#replicas-for-rke-addons) + +For an example showing how to configure the addons for zero downtime, refer to the [example cluster.yml.](#example-cluster-yml) + +{{% /tab %}} +{{% tab "RKE prior to v1.1.0" %}} + +When a cluster is upgraded with `rke up`, using the default options, the following process is used: + +- etcd nodes get updated first, one at a time. +- Controlplane nodes get updated second, one at a time. +- Worker nodes and addons get updated third, in batches of 50 or the total number of worker nodes, whichever is lower. +- Addons get upgraded one by one. + +### Upgrades of Controlplane and etcd Nodes + +Controlplane and etcd nodes would be upgraded in batches of 50 nodes or the total number of controlplane nodes, whichever is lower. + +If a node fails at any time, the upgrade will stop upgrading any other nodes and fail. 
+ +### Upgrades of Worker Nodes + +Worker nodes are upgraded simultaneously, in batches of either 50 or the total number of worker nodes, whichever is lower. If a worker node fails at any time, the upgrade stops. + +When a worker node is upgraded, it restarts several Docker processes, including the `kubelet` and `kube-proxy`. When `kube-proxy` comes up, it flushes `iptables`. When this happens, pods on this node can’t be accessed, resulting in downtime for the applications. + +{{% /tab %}} +{{% /tabs %}} + +# Requirements for Zero-downtime Upgrades + +To achieve a zero-downtime cluster upgrade, you will need to configure your workloads to continue running despite the rolling upgrade of worker nodes. There are also requirements for the cluster architecture and Kubernetes target version. + +1. [Kubernetes version requirement](#2-kubernetes-version-requirement) +2. [Cluster requirements](#1-cluster-requirements) +3. [Workload requirements](#3-workload-requirements) + +### 1. Kubernetes Version Requirement + +When upgrading to a newer Kubernetes version, the upgrade must be from a minor release to the next minor version, or to within the same patch release series. + +### 2. Cluster Requirements + +The following must be true of the cluster that will be upgraded: + +1. The cluster has three or more etcd nodes. +1. The cluster has two or more controlplane nodes. +1. The cluster has two or more worker nodes. +1. The Ingress, DNS, and other addons are schedulable to a number of nodes that exceeds the maximum number of unavailable worker nodes. By default, the minimum number of unavailable worker nodes is one. + +### 3. Workload Requirements + +The following must be true of the cluster's applications: + +1. The application and Ingress are deployed across a number of nodes exceeding the maximum number of unavailable worker nodes. +1. The applications must make use of liveness and readiness probes. 
+ +For information on how to use node selectors to assign pods to nodes, refer to the [official Kubernetes documentation.](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/) + +For information on configuring the number of replicas for each addon, refer to [this section.](#replicas-for-rke-addons) + +# Configuring the Upgrade Strategy + +In this section, you'll learn how to configure the maximum number of unavailable controlplane and worker nodes, how to drain nodes before upgrading them, and how to configure the replicas for addons such as Ingress. + +### Maximum Unavailable Nodes + +Optionally, configure the following upgrade directives in the `cluster.yml` before upgrading the cluster: + +- **max_unavailable_controlplane:** The maximum number of controlplane nodes that can fail without causing the cluster upgrade to fail. By default, `max_unavailable_controlplane` is defined as 2 nodes. +- **max_unavailable_worker:** The maximum number of worker nodes that can fail without causing the cluster upgrade to fail. By default, `max_unavailable_worker` is defined as 10 percent of all worker nodes.* + +/* This number can be configured as a percentage or as an integer. When defined as a percentage, the batch size is rounded down to the nearest node, with a minimum of one node per batch. + +An example configuration of the cluster upgrade strategy is shown below: + +```yaml +upgrade_strategy: + max_unavailable_worker: 10% + max_unavailable_controlplane: 2 +``` + +### Draining Nodes + +By default, nodes are cordoned first before upgrading. Each node should always be cordoned before starting its upgrade so that new pods will not be scheduled to it, and traffic will not reach the node. In addition to cordoning each node, RKE can also be configured to drain each node before starting its upgrade. Draining a node will evict all the pods running on the computing resource. 
+ +For information on draining and how to safely drain a node, refer to the [Kubernetes documentation.](https://kubernetes.io/docs/tasks/administer-cluster/safely-drain-node/) + +If the `drain` directive is set to `true` in the `cluster.yml`, worker nodes will be drained before they are upgraded. The default value is false: + +```yaml +upgrade_strategy: + max_unavailable_worker: 10% + max_unavailable_controlplane: 2 + drain: false + node_drain_input: + force: false + ignore_daemonsets: true + delete_local_data: false + grace_period: -1 // grace period specified for each pod spec will be used + timeout: 60 +``` + +### Replicas for Ingress and Networking Addons + +The Ingress and network addons are launched as Kubernetes [daemonsets.](https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/) If no value is given for the [update strategy,](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy) Kubernetes sets the update strategy to `rollingUpdate` by default, with `maxUnavailable` set to 1. + +An example configuration of the Ingress and network addons is shown below: + +```yaml +ingress: + provider: nginx + update_strategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 5 +network: + plugin: canal + update_strategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 6 +``` + +### Replicas for DNS and Monitoring Addons + +The DNS and monitoring addons are launched as Kubernetes [deployments.](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/) These addons include `coredns`, `kubedns`, and `metrics-server`, the monitoring deployment. + +If no value is configured for their [update strategy](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy) in the `cluster.yml`, Kubernetes sets the update strategy to `rollingUpdate` by default, with `maxUnavailable` set to 25% and `maxSurge` set to 25%. 
+ +The DNS addons use `cluster-proportional-autoscaler`, which is an [open-source container image](https://github.com/kubernetes-incubator/cluster-proportional-autoscaler) that watches over the number of schedulable nodes and cores of the cluster and resizes the number of replicas for the required resource. This functionality is useful for applications that need to be autoscaled with the number of nodes in the cluster. For the DNS addon, the fields needed for the `cluster-proportional-autoscaler` are made configurable. + +The following table shows the default values for these fields: + +Field Name | Default Value +-----------|-------------- +coresPerReplica | 128 +nodesPerReplica | 4 +min | 1 +preventSinglePointFailure | true + +The `cluster-proportional-autoscaler` uses this formula to calculate the number of replicas: + +```plain +replicas = max( ceil( cores * 1/coresPerReplica ) , ceil( nodes * 1/nodesPerReplica ) ) +replicas = min(replicas, max) +replicas = max(replicas, min) +``` + +An example configuration of the DNS and monitoring addons is shown below: + +```yaml +dns: + provider: coredns + update_strategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 20% + maxSurge: 15% + linear_autoscaler_params: + cores_per_replica: 0.34 + nodes_per_replica: 4 + prevent_single_point_failure: true + min: 2 + max: 3 +monitoring: + provider: metrics-server + update_strategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 8 +``` + +### Example cluster.yml + +```yaml +# If you intened to deploy Kubernetes in an air-gapped environment, +# please consult the documentation on how to configure custom RKE images. 
+nodes: +# At least three etcd nodes, two controlplane nodes, and two worker nodes, +# nodes skipped for brevity +upgrade_strategy: + max_unavailable_worker: 10% + max_unavailable_controlplane: 2 + drain: false + node_drain_input: + force: false + ignore_daemonsets: true + delete_local_data: false + grace_period: -1 // grace period specified for each pod spec will be used + timeout: 60 +ingress: + provider: nginx + update_strategy: # Available in v2.4 + type: RollingUpdate + rollingUpdate: + maxUnavailable: 5 +network: + plugin: canal + update_strategy: # Available in v2.4 + type: RollingUpdate + rollingUpdate: + maxUnavailable: 6 +dns: + provider: coredns + update_strategy: # Available in v2.4 + type: RollingUpdate + rollingUpdate: + maxUnavailable: 20% + maxSurge: 15% + linear_autoscaler_params: + cores_per_replica: 0.34 + nodes_per_replica: 4 + prevent_single_point_failure: true + min: 2 + max: 3 +monitoring: + provider: metrics-server + update_strategy: # Available in v2.4 + type: RollingUpdate + rollingUpdate: + maxUnavailable: 8 +``` + +# Upgrading Nodes Manually + +You can manually update each type of node separately. As a best practice, upgrade the etcd nodes first, followed by controlplane and then worker nodes. + +A cluster can be rolled back to a snapshot that uses a previous Kubernetes version. + +# Troubleshooting + +If a node doesn't come up after an upgrade, the `rke up` command errors out. + +No upgrade will proceed if the number of unavailable nodes exceeds the configured maximum. + +If an upgrade stops, you may need to fix an unavailable node or remove it from the cluster before the upgrade can continue. 
+ +A failed node could be in many different states: + +- Powered off +- Unavailable +- User drains a node while upgrade is in process, so there are no kubelets on the node +- The upgrade itself failed + +If the max unavailable number of nodes is reached during an upgrade, Rancher user clusters will be stuck in updating state and not move forward with upgrading any other control plane nodes. It will continue to evaluate the set of unavailable nodes in case one of the nodes becomes available. If the node cannot be fixed, you must remove the node in order to continue the upgrade. \ No newline at end of file diff --git a/content/rke/latest/en/zero-downtime/_index.md b/content/rke/latest/en/zero-downtime/_index.md new file mode 100644 index 00000000000..9e873a7a92a --- /dev/null +++ b/content/rke/latest/en/zero-downtime/_index.md 
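Review bot: The `grace_period: -1 // grace period specified for each pod spec will be used` line under `node_drain_input`, in both the Draining Nodes snippet and the Example cluster.yml, uses `//`, which is not a YAML comment marker, so anyone who copies the block gets a string value instead of the integer `-1`. Change the marker to `#`. In the same example, `intened` in the opening comment should be `intended`. The autoscaler formula also refers to `max`, while the defaults table lists only `coresPerReplica`, `nodesPerReplica`, `min` and `preventSinglePointFailure`; add a row for `max` or say what happens when it is unset.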
@@ -0,0 +1,339 @@ +--- +title: Zero-downtime Cluster Maintenance +weight: 1 +--- +_Available as of v1.1.0_ + +It is now possible to upgrade or edit an RKE Kubernetes cluster without downtime for your applications. In this section, you'll learn how to configure your cluster to prevent downtime when you upgrade the cluster using `rke up`. + +A zero-downtime upgrade is one in which your workloads are available on at least a single node, and all critical addon services, such as Ingress and DNS, are available during the upgrade. + +This availability is achieved by upgrading worker nodes in batches of a configurable size, and ensuring that your workloads run on a number of nodes that exceeds that maximum number of unavailable worker nodes. + +Several requirements must be met before zero-downtime cluster upgrades can succeed. For details, refer to [this section.](#requirements) + +- [How Upgrades Work](#how-upgrades-work) +- [Requirements for Zero-downtime Upgrades](#requirements-for-zero-downtime-upgrades) + 1. [Kubernetes Version Requirement](#1-kubernetes-version-requirement) + 2. [Cluster Requirements](#2-cluster-requirements) + 3. [Workload Requirements](#3-workload-requirements) +- [Configuring Upgrade Strategy](#configuring-upgrade-strategy) + - [Maximum Unavailable Nodes](#maximum-unavailable-nodes) + - [Draining Nodes](#draining-nodes) + - [Replicas for Ingress and Networking Addons](#replicas-for-ingress-and-networking-addons) + - [Replicas for DNS and Monitoring Addons](#replicas-for-dns-and-monitoring-addons) +- [Example cluster.yml](#example-cluster-yml) +- [Troubleshooting](#troubleshooting) + +# How Upgrades Work + +The purpose of this section is to clarify how each type of node is upgraded by default. + +{{% tabs %}} +{{% tab "RKE v1.1.0+" %}} + +The following features are new in RKE v1.1.0: + +- The ability to upgrade or edit a cluster without downtime for your applications. 
+- The ability to manually upgrade nodes of a certain role without upgrading others. +- The ability to restore a Kubernetes cluster to an older Kubernetes version by restoring it to a snapshot that includes the older Kubernetes version. This capability allows you to safely upgrade one type of node at a time, because if an upgrade cannot be completed by all nodes in the cluster, you can downgrade the Kubernetes version of the nodes that were already upgraded. + +When a cluster is upgraded with `rke up`, using the default options, the following process is used: + +1. etcd nodes get updated first, one at a time. +1. Controlplane nodes get updated second, one at a time. +1. Worker nodes get updated third, in a configurable batch size, where the default is 10 percent of worker nodes and the minimum is one. +1. [RKE Addons]({{}}/rke/latest/en/config-options/add-ons/) get upgraded one by one. + +The following sections break down in more detail what happens when etcd nodes, controlplane nodes, worker nodes, and addons are upgraded. This information is intended to be used to help you understand the update strategy for the cluster, and may be useful when troubleshooting problems with upgrading the cluster. + +- [Upgrades of etcd nodes](#upgrades-of-etcd-nodes) +- [Upgrades of controlplane nodes](#upgrades-of-controlplane-nodes) +- [Upgrades of worker nodes](#upgrades-of-worker-nodes) +- [Upgrades of addons](#upgrades-of-addons) + +### Upgrades of etcd Nodes + +A cluster upgrade begins by upgrading the etcd nodes one at a time. + +If an etcd node fails at any time, the upgrade will fail and no more nodes will be upgraded. The cluster will be stuck in an updating state and not move forward to upgrading controlplane or worker nodes. The RKE CLI will error out and exit with a failure code. + +### Upgrades of Controlplane Nodes + +Controlplane nodes are upgraded one at a time by default. 
The maximum number of unavailable controlplane nodes can also be configured, so that they can be upgraded in batches. + +As long as the maximum unavailable number or percentage of controlplane nodes has not been reached, Rancher will continue to upgrade other controlplane nodes, then the worker nodes. + +If any controlplane nodes were unable to be upgraded, the upgrade will not proceed to the worker nodes. + +### Upgrades of Worker Nodes + +By default, worker nodes are upgraded in batches. The size of the batch is determined by the maximum number of unavailable worker nodes, configured as the `max_unavailable_worker` directive in the `cluster.yml`. + +By default, the `max_unavailable_worker` nodes is defined as 10 percent of all worker nodes. This number can be configured as a percentage or as an integer. When defined as a percentage, the batch size is rounded down to the nearest node, with a minimum of one node. + +For example, if you have 11 worker nodes and `max_unavailable_worker` is 25%, two nodes will be upgraded at once because 25% of 11 is 2.75. If you have two worker nodes and `max_unavailable_worker` is 1%, the worker nodes will be upgraded one at a time because the minimum batch size is one. + +When each node in a batch returns to a Ready state, the next batch of nodes begins to upgrade. If `kubelet` and `kube-proxy` have started, the node is Ready. As long as the `max_unavailable_worker` number of nodes have not failed, Rancher will continue to upgrade other worker nodes. + +RKE scans the cluster before starting the upgrade to find the powered down or unreachable hosts. The upgrade will stop if that number matches or exceeds the maximum number of unavailable nodes. + +RKE will cordon each node before upgrading it, and uncordon the node afterward. RKE can also be configured to [drain](https://kubernetes.io/docs/tasks/administer-cluster/safely-drain-node/) nodes before upgrading them. 
+ +The RKE CLI will handle all worker node upgrades before upgrading any add-ons. As long as the maximum number of unavailable worker nodes is not reached, the RKE CLI will attempt to upgrade the [addons.](#upgrades-of-addons) For example, if a cluster has two worker nodes and one worker node fails, but the maximum unavailable worker nodes is greater than one, the addons will still be upgraded. + +### Upgrades of Addons + +The availability of your applications partly depends on the availability of [RKE addons.]({{}}/rke/latest/en/config-options/add-ons/) Addons are used to deploy several cluster components, including network plug-ins, the Ingress controller, DNS provider, and metrics server. + +Because RKE addons are necessary for allowing traffic into the cluster, a zero-downtime upgrade requires them to be updated in batches. You will need to configure the maximum number of unavailable replicas for each addon in the `cluster.yml` to ensure that your cluster will retain enough available replicas during an upgrade. + +For more information on configuring the number of replicas for each addon, refer to [this section.](#configuring-the-upgrade-strategy) + +For an example showing how to configure the addons for zero downtime, refer to the [example cluster.yml.](#example-cluster-yml) + +{{% /tab %}} +{{% tab "RKE prior to v1.1.0" %}} + +When a cluster is upgraded with `rke up`, using the default options, the following process is used: + +- etcd nodes get updated first, one at a time. +- Controlplane nodes get updated second, one at a time. +- Worker nodes and addons get updated third, in batches of 50 or the total number of worker nodes, whichever is lower. +- Addons get upgraded one by one. + +### Upgrades of Controlplane and etcd Nodes + +Controlplane and etcd nodes would be upgraded in batches of 50 nodes or the total number of controlplane nodes, whichever is lower. + +If a node fails at any time, the upgrade will stop upgrading any other nodes and fail. 
The RKE CLI errors out and exits. + +### Upgrades of Worker Nodes + +Worker nodes are upgraded simultaneously, in batches of either 50 or the total number of worker nodes, whichever is lower. If a worker node fails at any time, the upgrade stops. The RKE CLI errors out and exits. + +When a worker node is upgraded, it restarts several Docker processes, including the `kubelet` and `kube-proxy`. When `kube-proxy` comes up, it flushes `iptables`. When this happens, pods on this node can’t be accessed, resulting in downtime for the applications. + +{{% /tab %}} +{{% /tabs %}} + +# Requirements for Zero-downtime Upgrades + +To achieve a zero-downtime cluster upgrade, you will need to configure your workloads to continue running despite the rolling upgrade of worker nodes. There are also requirements for the cluster architecture and Kubernetes target version. + +1. [Kubernetes version requirement](#2-kubernetes-version-requirement) +2. [Cluster requirements](#1-cluster-requirements) +3. [Workload requirements](#3-workload-requirements) + +### 1. Kubernetes Version Requirement + +When upgrading to a newer Kubernetes version, the upgrade must be from a minor release to the next minor version, or to within the same patch release series. + +### 2. Cluster Requirements + +The following must be true of the cluster that will be upgraded: + +1. The cluster has three or more etcd nodes. +1. The cluster has two or more controlplane nodes. +1. The cluster has two or more worker nodes. +1. The Ingress, DNS, and other addons are schedulable to a number of nodes that exceeds the maximum number of unavailable worker nodes. By default, the minimum number of unavailable worker nodes is one. + +### 3. Workload Requirements + +The following must be true of the cluster's applications: + +1. The application and Ingress are deployed across a number of nodes exceeding the maximum number of unavailable worker nodes. +1. The applications must make use of liveness and readiness probes. 
+ +For information on how to use node selectors to assign pods to nodes, refer to the [official Kubernetes documentation.](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/) + +For information on configuring the number of replicas for each addon, refer to [this section.](#replicas-for-rke-addons) + +# Configuring the Upgrade Strategy + +In this section, you'll learn how to configure the maximum number of unavailable controlplane and worker nodes, how to drain nodes before upgrading them, and how to configure the replicas for addons such as Ingress. + +### Maximum Unavailable Nodes + +Optionally, configure the following upgrade directives in the `cluster.yml` before upgrading the cluster: + +- **max_unavailable_controlplane:** The maximum number of controlplane nodes that can fail without causing the cluster upgrade to fail. By default, `max_unavailable_controlplane` is defined as 2 nodes. +- **max_unavailable_worker:** The maximum number of worker nodes that can fail without causing the cluster upgrade to fail. By default, `max_unavailable_worker` is defined as 10 percent of all worker nodes.* + +/* This number can be configured as a percentage or as an integer. When defined as a percentage, the batch size is rounded down to the nearest node, with a minimum of one node per batch. + +An example configuration of the cluster upgrade strategy is shown below: + +```yaml +upgrade_strategy: + max_unavailable_worker: 10% + max_unavailable_controlplane: 2 +``` + +### Draining Nodes + +By default, nodes are cordoned first before upgrading. Each node should always be cordoned before starting its upgrade so that new pods will not be scheduled to it, and traffic will not reach the node. In addition to cordoning each node, RKE can also be configured to drain each node before starting its upgrade. Draining a node will evict all the pods running on the computing resource. 
+ +For information on draining and how to safely drain a node, refer to the [Kubernetes documentation.](https://kubernetes.io/docs/tasks/administer-cluster/safely-drain-node/) + +If the `drain` directive is set to `true` in the `cluster.yml`, worker nodes will be drained before they are upgraded. The default value is false: + +```yaml +upgrade_strategy: + max_unavailable_worker: 10% + max_unavailable_controlplane: 2 + drain: false + node_drain_input: + force: false + ignore_daemonsets: true + delete_local_data: false + grace_period: -1 // grace period specified for each pod spec will be used + timeout: 60 +``` + +### Replicas for Ingress and Networking Addons + +The Ingress and network addons are launched as Kubernetes [daemonsets.](https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/) If no value is given for the [update strategy,](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy) Kubernetes sets the update strategy to `rollingUpdate` by default, with `maxUnavailable` set to 1. + +An example configuration of the Ingress and network addons is shown below: + +```yaml +ingress: + provider: nginx + update_strategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 5 +network: + plugin: canal + update_strategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 6 +``` + +### Replicas for DNS and Monitoring Addons + +The DNS and monitoring addons are launched as Kubernetes [deployments.](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/) These addons include `coredns`, `kubedns`, and `metrics-server`, the monitoring deployment. + +If no value is configured for their [update strategy](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy) in the `cluster.yml`, Kubernetes sets the update strategy to `rollingUpdate` by default, with `maxUnavailable` set to 25% and `maxSurge` set to 25%. 
+ +The DNS addons use `cluster-proportional-autoscaler`, which is an [open-source container image](https://github.com/kubernetes-incubator/cluster-proportional-autoscaler) that watches over the number of schedulable nodes and cores of the cluster and resizes the number of replicas for the required resource. This functionality is useful for applications that need to be autoscaled with the number of nodes in the cluster. For the DNS addon, the fields needed for the `cluster-proportional-autoscaler` are made configurable. + +The following table shows the default values for these fields: + +Field Name | Default Value +-----------|-------------- +coresPerReplica | 128 +nodesPerReplica | 4 +min | 1 +preventSinglePointFailure | true + +The `cluster-proportional-autoscaler` uses this formula to calculate the number of replicas: + +```plain +replicas = max( ceil( cores * 1/coresPerReplica ) , ceil( nodes * 1/nodesPerReplica ) ) +replicas = min(replicas, max) +replicas = max(replicas, min) +``` + +An example configuration of the DNS and monitoring addons is shown below: + +```yaml +dns: + provider: coredns + update_strategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 20% + maxSurge: 15% + linear_autoscaler_params: + cores_per_replica: 0.34 + nodes_per_replica: 4 + prevent_single_point_failure: true + min: 2 + max: 3 +monitoring: + provider: metrics-server + update_strategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 8 +``` + +### Example cluster.yml + +```yaml +# If you intened to deploy Kubernetes in an air-gapped environment, +# please consult the documentation on how to configure custom RKE images. 
+nodes: +# At least three etcd nodes, two controlplane nodes, and two worker nodes, +# nodes skipped for brevity +upgrade_strategy: + max_unavailable_worker: 10% + max_unavailable_controlplane: 2 + drain: false + node_drain_input: + force: false + ignore_daemonsets: true + delete_local_data: false + grace_period: -1 // grace period specified for each pod spec will be used + timeout: 60 +ingress: + provider: nginx + update_strategy: # Available in v2.4 + type: RollingUpdate + rollingUpdate: + maxUnavailable: 5 +network: + plugin: canal + update_strategy: # Available in v2.4 + type: RollingUpdate + rollingUpdate: + maxUnavailable: 6 +dns: + provider: coredns + update_strategy: # Available in v2.4 + type: RollingUpdate + rollingUpdate: + maxUnavailable: 20% + maxSurge: 15% + linear_autoscaler_params: + cores_per_replica: 0.34 + nodes_per_replica: 4 + prevent_single_point_failure: true + min: 2 + max: 3 +monitoring: + provider: metrics-server + update_strategy: # Available in v2.4 + type: RollingUpdate + rollingUpdate: + maxUnavailable: 8 +``` + +# Upgrading Nodes Manually + +You can manually update each type of node separately. As a best practice, upgrade the etcd nodes first, followed by controlplane and then worker nodes. + +A cluster can be rolled back to a snapshot that uses a previous Kubernetes version. + +# Troubleshooting + +If a node doesn't come up after an upgrade, the `rke up` command errors out. + +No upgrade will proceed if the number of unavailable nodes exceeds the configured maximum. + +If an upgrade stops, you may need to fix an unavailable node or remove it from the cluster before the upgrade can continue. 
+ +A failed node could be in many different states: + +- Powered off +- Unavailable +- User drains a node while upgrade is in process, so there are no kubelets on the node +- The upgrade itself failed + +Some expected failure scenarios include the following: + +- If the maximum unavailable number of nodes is reached during an upgrade, the RKE CLI will error out and exit the CLI with a failure code. +- If some nodes fail to upgrade, but the number of failed nodes doesn't reach the maximum unavailable number of nodes, the RKE CLI logs the nodes that were unable to upgrade and continues to upgrade the add-ons. After the add-ons are upgraded, RKE will error out and exit the CLI with a failure code regardless of add-on upgrade status. \ No newline at end of file From 95802e6603d24fc817933eccfa342cd983f5758d Mon Sep 17 00:00:00 2001 From: Catherine Luse Date: Tue, 24 Mar 2020 11:40:18 -0700 Subject: [PATCH 092/183] Edit zero-downtime upgrade docs for RKE --- .../how-upgrades-work/_index.md | 95 +++++ .../en/cluster-admin/zero-downtime/_index.md | 93 +---- content/rke/latest/en/upgrades/_index.md | 53 ++- .../upgrades/configuring-strategy/_index.md | 171 +++++++++ .../en/upgrades/how-upgrades-work/_index.md | 94 +++++ .../maintaining-availability/_index.md | 44 +++ content/rke/latest/en/zero-downtime/_index.md | 339 ------------------ 7 files changed, 452 insertions(+), 437 deletions(-) create mode 100644 content/rancher/v2.x/en/cluster-admin/upgrading-kubernetes/how-upgrades-work/_index.md create mode 100644 content/rke/latest/en/upgrades/configuring-strategy/_index.md create mode 100644 content/rke/latest/en/upgrades/how-upgrades-work/_index.md create mode 100644 content/rke/latest/en/upgrades/maintaining-availability/_index.md delete mode 100644 content/rke/latest/en/zero-downtime/_index.md 
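Review bot: Several in-page links in the new `content/rke/latest/en/zero-downtime/_index.md` do not correspond to any heading in the file. The intro links to `#requirements` and the table of contents to `#configuring-upgrade-strategy`, but the headings are "Requirements for Zero-downtime Upgrades" and "Configuring the Upgrade Strategy"; `#replicas-for-rke-addons` has no matching heading at all; and the list under Requirements uses `#2-kubernetes-version-requirement` and `#1-cluster-requirements`, with the numbers swapped relative to the headings "1. Kubernetes Version Requirement" and "2. Cluster Requirements". The table of contents also omits "Upgrading Nodes Manually". Separately, the stated defaults disagree: "Controlplane nodes are upgraded one at a time by default" versus "By default, `max_unavailable_controlplane` is defined as 2 nodes", and "By default, the minimum number of unavailable worker nodes is one" reads as if it should say maximum. Please reconcile these, replace the `/*` footnote marker with one that matches the trailing `*` on the `max_unavailable_worker` bullet, and use `#` rather than `//` for the comment on the `grace_period: -1` lines so the YAML stays valid.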
diff --git a/content/rancher/v2.x/en/cluster-admin/upgrading-kubernetes/how-upgrades-work/_index.md b/content/rancher/v2.x/en/cluster-admin/upgrading-kubernetes/how-upgrades-work/_index.md new file mode 100644 index 00000000000..73d1d02dd40 --- /dev/null +++ b/content/rancher/v2.x/en/cluster-admin/upgrading-kubernetes/how-upgrades-work/_index.md 
@@ -0,0 +1,95 @@ +--- +title: How Upgrades Work +weight: 1 +--- + +In this section, you'll learn how each type of node is upgraded by default when a cluster is upgraded. + +Rancher calls [RKE]({{}}/rke/latest/en/) (Rancher Kubernetes Engine) as a library when upgrading Kubernetes clusters. RKE v1.1.0 changed the way that clusters are upgraded to make it possible to maintain availability of your applications during the upgrade. +{{% tabs %}} +{{% tab "RKE v1.1.0+" %}} + +The following features are new in RKE v1.1.0: + +- The ability to upgrade or edit a cluster without downtime for your applications. +- The ability to manually upgrade nodes of a certain role without upgrading others. +- The ability to restore a Kubernetes cluster to an older Kubernetes version by restoring it to a snapshot that includes the older Kubernetes version. This capability allows you to safely upgrade one type of node at a time, because if an upgrade cannot be completed by all nodes in the cluster, you can downgrade the Kubernetes version of the nodes that were already upgraded. + +When a cluster is upgraded with `rke up`, using the default options, the following process is used: + +1. etcd nodes get updated first, one at a time. +1. Controlplane nodes get updated second, one at a time. +1. Worker nodes get updated third, one by one, because the default configuration for the maximum number of unavailable nodes is one. +1. [Addons]({{}}/rke/latest/en/config-options/add-ons/) get upgraded one by one. + +The following sections break down in more detail what happens when etcd nodes, controlplane nodes, worker nodes, and addons are upgraded. This information is intended to be used to help you understand the update strategy for the cluster, and may be useful when troubleshooting problems with upgrading the cluster. 
+ +- [Upgrades of etcd nodes](#upgrades-of-etcd-nodes) +- [Upgrades of controlplane nodes](#upgrades-of-controlplane-nodes) +- [Upgrades of worker nodes](#upgrades-of-worker-nodes) +- [Upgrades of addons](#upgrades-of-addons) + +### Upgrades of etcd Nodes + +A cluster upgrade begins by upgrading the etcd nodes one at a time. + +If an etcd node fails at any time, the upgrade will fail and no more nodes will be upgraded. The cluster will be stuck in an updating state and not move forward to upgrading controlplane or worker nodes. + +### Upgrades of Controlplane Nodes + +Controlplane nodes are upgraded one at a time by default. The maximum number of unavailable controlplane nodes can also be configured, so that they can be upgraded in batches. + +As long as the maximum unavailable number or percentage of controlplane nodes has not been reached, Rancher will continue to upgrade other controlplane nodes, then the worker nodes. + +If any controlplane nodes were unable to be upgraded, the upgrade will not proceed to the worker nodes. + +### Upgrades of Worker Nodes + +By default, worker nodes are upgraded in batches. The size of the batch is determined by the maximum number of unavailable worker nodes, configured as the `max_unavailable_worker` directive in the `cluster.yml`. + +By default, the `max_unavailable_worker` nodes is defined as 10 percent of all worker nodes. This number can be configured as a percentage or as an integer. When defined as a percentage, the batch size is rounded down to the nearest node, with a minimum of one node. + +For example, if you have 11 worker nodes and `max_unavailable_worker` is 25%, two nodes will be upgraded at once because 25% of 11 is 2.75. If you have two worker nodes and `max_unavailable_worker` is 1%, the worker nodes will be upgraded one at a time because the minimum batch size is one. + +When each node in a batch returns to a Ready state, the next batch of nodes begins to upgrade. 
If `kubelet` and `kube-proxy` have started, the node is Ready. As long as the `max_unavailable_worker` number of nodes have not failed, Rancher will continue to upgrade other worker nodes. + +RKE scans the cluster before starting the upgrade to find the powered down or unreachable hosts. The upgrade will stop if that number matches or exceeds the maximum number of unavailable nodes. + +RKE will cordon each node before upgrading it, and uncordon the node afterward. RKE can also be configured to [drain](https://kubernetes.io/docs/tasks/administer-cluster/safely-drain-node/) nodes before upgrading them. + +RKE will handle all worker node upgrades before upgrading any add-ons. As long as the maximum number of unavailable worker nodes is not reached, RKE will attempt to upgrade the [addons.](#upgrades-of-addons) For example, if a cluster has two worker nodes and one worker node fails, but the maximum unavailable worker nodes is greater than one, the addons will still be upgraded. + +### Upgrades of Addons + +The availability of your applications partly depends on the availability of [RKE addons.]({{}}/rke/latest/en/config-options/add-ons/) Addons are used to deploy several cluster components, including network plug-ins, the Ingress controller, DNS provider, and metrics server. + +Because RKE addons are necessary for allowing traffic into the cluster, a zero-downtime upgrade requires them to be updated in batches. You will need to configure the maximum number of unavailable replicas for each addon in the `cluster.yml` to ensure that your cluster will retain enough available replicas during an upgrade. 
+ +For more information on configuring the number of replicas for each addon, refer to [this section.](#replicas-for-rke-addons) + +For an example showing how to configure the addons for zero downtime, refer to the [example cluster.yml.](#example-cluster-yml) + +{{% /tab %}} +{{% tab "RKE prior to v1.1.0" %}} + +When a cluster is upgraded with `rke up`, using the default options, the following process is used: + +- etcd nodes get updated first, one at a time. +- Controlplane nodes get updated second, one at a time. +- Worker nodes and addons get updated third, in batches of 50 or the total number of worker nodes, whichever is lower. +- Addons get upgraded one by one. + +### Upgrades of Controlplane and etcd Nodes + +Controlplane and etcd nodes would be upgraded in batches of 50 nodes or the total number of controlplane nodes, whichever is lower. + +If a node fails at any time, the upgrade will stop upgrading any other nodes and fail. + +### Upgrades of Worker Nodes + +Worker nodes are upgraded simultaneously, in batches of either 50 or the total number of worker nodes, whichever is lower. If a worker node fails at any time, the upgrade stops. + +When a worker node is upgraded, it restarts several Docker processes, including the `kubelet` and `kube-proxy`. When `kube-proxy` comes up, it flushes `iptables`. When this happens, pods on this node can’t be accessed, resulting in downtime for the applications. + +{{% /tab %}} +{{% /tabs %}} \ No newline at end of file diff --git a/content/rancher/v2.x/en/cluster-admin/zero-downtime/_index.md b/content/rancher/v2.x/en/cluster-admin/zero-downtime/_index.md index 9378e57721e..68b0b4924de 100644 --- a/content/rancher/v2.x/en/cluster-admin/zero-downtime/_index.md +++ b/content/rancher/v2.x/en/cluster-admin/zero-downtime/_index.md 
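Review bot: Step 3 of the v1.1.0+ process list in the new `how-upgrades-work/_index.md` says worker nodes are updated "one by one, because the default configuration for the maximum number of unavailable nodes is one", but the "Upgrades of Worker Nodes" section of the same file says the default `max_unavailable_worker` is 10 percent of all worker nodes, upgraded in batches. State one default in both places. Under "Upgrades of Addons", the links `#replicas-for-rke-addons` and `#example-cluster-yml` point at sections this page does not contain; link to the page that holds the configuration sections instead. The text also alternates between "Rancher will continue to upgrade" and "RKE will" for the same actor, and the pre-v1.1.0 tab lists "Worker nodes and addons get updated third" followed by a separate "Addons get upgraded one by one" step; it would help to name the actor consistently and drop addons from the worker step.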
@@ -26,101 +26,10 @@ Several requirements must be met before zero-downtime cluster upgrades can succe - [Example cluster.yml](#example-cluster-yml) - [Troubleshooting](#troubleshooting) -# How Upgrades Work - -The purpose of this section is to clarify how each type of node is upgraded by default. - -{{% tabs %}} -{{% tab "RKE v1.1.0+" %}} - -The following features are new in RKE v1.1.0: - -- The ability to upgrade or edit a cluster without downtime for your applications. -- The ability to manually upgrade nodes of a certain role without upgrading others. -- The ability to restore a Kubernetes cluster to an older Kubernetes version by restoring it to a snapshot that includes the older Kubernetes version. This capability allows you to safely upgrade one type of node at a time, because if an upgrade cannot be completed by all nodes in the cluster, you can downgrade the Kubernetes version of the nodes that were already upgraded. - -When a cluster is upgraded with `rke up`, using the default options, the following process is used: - -1. etcd nodes get updated first, one at a time. -1. Controlplane nodes get updated second, one at a time. -1. Worker nodes get updated third, one by one, because the default configuration for the maximum number of unavailable nodes is one. -1. [Addons]({{}}/rke/latest/en/config-options/add-ons/) get upgraded one by one. - -The following sections break down in more detail what happens when etcd nodes, controlplane nodes, worker nodes, and addons are upgraded. This information is intended to be used to help you understand the update strategy for the cluster, and may be useful when troubleshooting problems with upgrading the cluster. 
- -- [Upgrades of etcd nodes](#upgrades-of-etcd-nodes) -- [Upgrades of controlplane nodes](#upgrades-of-controlplane-nodes) -- [Upgrades of worker nodes](#upgrades-of-worker-nodes) -- [Upgrades of addons](#upgrades-of-addons) - -### Upgrades of etcd Nodes - -A cluster upgrade begins by upgrading the etcd nodes one at a time. - -If an etcd node fails at any time, the upgrade will fail and no more nodes will be upgraded. The cluster will be stuck in an updating state and not move forward to upgrading controlplane or worker nodes. - -### Upgrades of Controlplane Nodes - -Controlplane nodes are upgraded one at a time by default. The maximum number of unavailable controlplane nodes can also be configured, so that they can be upgraded in batches. - -As long as the maximum unavailable number or percentage of controlplane nodes has not been reached, Rancher will continue to upgrade other controlplane nodes, then the worker nodes. - -If any controlplane nodes were unable to be upgraded, the upgrade will not proceed to the worker nodes. - -### Upgrades of Worker Nodes - -By default, worker nodes are upgraded in batches. The size of the batch is determined by the maximum number of unavailable worker nodes, configured as the `max_unavailable_worker` directive in the `cluster.yml`. - -By default, the `max_unavailable_worker` nodes is defined as 10 percent of all worker nodes. This number can be configured as a percentage or as an integer. When defined as a percentage, the batch size is rounded down to the nearest node, with a minimum of one node. - -For example, if you have 11 worker nodes and `max_unavailable_worker` is 25%, two nodes will be upgraded at once because 25% of 11 is 2.75. If you have two worker nodes and `max_unavailable_worker` is 1%, the worker nodes will be upgraded one at a time because the minimum batch size is one. - -When each node in a batch returns to a Ready state, the next batch of nodes begins to upgrade. 
If `kubelet` and `kube-proxy` have started, the node is Ready. As long as the `max_unavailable_worker` number of nodes have not failed, Rancher will continue to upgrade other worker nodes. - -RKE scans the cluster before starting the upgrade to find the powered down or unreachable hosts. The upgrade will stop if that number matches or exceeds the maximum number of unavailable nodes. - -RKE will cordon each node before upgrading it, and uncordon the node afterward. RKE can also be configured to [drain](https://kubernetes.io/docs/tasks/administer-cluster/safely-drain-node/) nodes before upgrading them. - -RKE will handle all worker node upgrades before upgrading any add-ons. As long as the maximum number of unavailable worker nodes is not reached, RKE will attempt to upgrade the [addons.](#upgrades-of-addons) For example, if a cluster has two worker nodes and one worker node fails, but the maximum unavailable worker nodes is greater than one, the addons will still be upgraded. - -### Upgrades of Addons - -The availability of your applications partly depends on the availability of [RKE addons.]({{}}/rke/latest/en/config-options/add-ons/) Addons are used to deploy several cluster components, including network plug-ins, the Ingress controller, DNS provider, and metrics server. - -Because RKE addons are necessary for allowing traffic into the cluster, a zero-downtime upgrade requires them to be updated in batches. You will need to configure the maximum number of unavailable replicas for each addon in the `cluster.yml` to ensure that your cluster will retain enough available replicas during an upgrade. 
- -For more information on configuring the number of replicas for each addon, refer to [this section.](#replicas-for-rke-addons) - -For an example showing how to configure the addons for zero downtime, refer to the [example cluster.yml.](#example-cluster-yml) - -{{% /tab %}} -{{% tab "RKE prior to v1.1.0" %}} - -When a cluster is upgraded with `rke up`, using the default options, the following process is used: - -- etcd nodes get updated first, one at a time. -- Controlplane nodes get updated second, one at a time. -- Worker nodes and addons get updated third, in batches of 50 or the total number of worker nodes, whichever is lower. -- Addons get upgraded one by one. - -### Upgrades of Controlplane and etcd Nodes - -Controlplane and etcd nodes would be upgraded in batches of 50 nodes or the total number of controlplane nodes, whichever is lower. - -If a node fails at any time, the upgrade will stop upgrading any other nodes and fail. - -### Upgrades of Worker Nodes - -Worker nodes are upgraded simultaneously, in batches of either 50 or the total number of worker nodes, whichever is lower. If a worker node fails at any time, the upgrade stops. - -When a worker node is upgraded, it restarts several Docker processes, including the `kubelet` and `kube-proxy`. When `kube-proxy` comes up, it flushes `iptables`. When this happens, pods on this node can’t be accessed, resulting in downtime for the applications. - -{{% /tab %}} -{{% /tabs %}} # Requirements for Zero-downtime Upgrades -To achieve a zero-downtime cluster upgrade, you will need to configure your workloads to continue running despite the rolling upgrade of worker nodes. There are also requirements for the cluster architecture and Kubernetes target version. +To achieve a cluster upgrade without downtime for your applications, you will need to configure your workloads to continue running despite the rolling upgrade of worker nodes. 
There are also requirements for the cluster architecture and Kubernetes target version. 1. [Kubernetes version requirement](#2-kubernetes-version-requirement) 2. [Cluster requirements](#1-cluster-requirements) diff --git a/content/rke/latest/en/upgrades/_index.md b/content/rke/latest/en/upgrades/_index.md index c080194433c..84c71932e65 100644 --- a/content/rke/latest/en/upgrades/_index.md +++ b/content/rke/latest/en/upgrades/_index.md @@ -7,11 +7,11 @@ After RKE has deployed Kubernetes, you can upgrade the versions of the component The default Kubernetes version for each RKE version can be found in [the RKE release notes](https://github.com/rancher/rke/releases/). -You can also select a newer version of Kubernetes to install for your cluster. Downgrading Kubernetes is not supported. +You can also select a newer version of Kubernetes to install for your cluster. Each version of RKE has a specific [list of supported Kubernetes versions.](#listing-supported-kubernetes-versions) -In case the Kubernetes version is defined in the `kubernetes_version` directive and under the `system-images` directive are defined, the `system-images` configuration will take precedence over `kubernetes_version`. +In case the Kubernetes version is defined in the `kubernetes_version` directive and under the `system-images` directive, the `system-images` configuration will take precedence over the `kubernetes_version`. This page covers the following topics: 
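Review bot: In the `@@ -7,11 +7,11 @@` hunk of `content/rke/latest/en/upgrades/_index.md`, removing "Downgrading Kubernetes is not supported." from the "You can also select a newer version" line leaves readers on releases before v1.1.0 with no statement about downgrades, because the rollback section this patch adds further down is marked "Available as of v1.1.0". Consider keeping the sentence scoped to versions before v1.1.0 and linking it to the new "Rolling Back the Kubernetes Version" section. Minor, same hunk: "take precedence over the `kubernetes_version`" reads better without "the".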
@@ -22,7 +22,10 @@ This page covers the following topics: - [Using an unsupported Kubernetes version](#using-an-unsupported-kubernetes-version) - [Mapping the Kubernetes version to services](#mapping-the-kubernetes-version-to-services) - [Service upgrades](#service-upgrades) -- [Add-ons upgrades](#add-ons-upgrades) +- [Configuring the upgrade strategy](#configuring-the-upgrade-strategy) +- [Upgrading Nodes Manually](#upgrading-nodes-manually) +- [Rolling Back the Kubernetes Version](#rolling-back-the-kubernetes-version) +- [Troubleshooting](#troubleshooting) ### Prerequisites 
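Review bot: In the `@@ -22,7 +22,10 @@` hunk, the new entries "Upgrading Nodes Manually" and "Rolling Back the Kubernetes Version" are in title case, while the neighbouring entries in the same list, including the newly added "Configuring the upgrade strategy", use sentence case ("Service upgrades", "Mapping the Kubernetes version to services"). Pick one casing for the list so the table of contents reads consistently; the anchors themselves are lowercase and do not need to change.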
@@ -102,8 +105,46 @@ For RKE prior to v0.3.0, the service defaults are located [here](https://github. > **Note:** The following arguments, `service_cluster_ip_range` or `cluster_cidr`, cannot be changed as any changes to these arguments will result in a broken cluster. Currently, network pods are not automatically upgraded. -### Add-Ons Upgrades +### Configuring the Upgrade Strategy -As of v0.1.8, upgrades to add-ons are supported. +As of v0.1.8, upgrades to add-ons are supported. [Add-ons]({{}}/rke/latest/en/config-options/add-ons/) can also be upgraded by changing any of the add-ons and running `rke up` again with the updated configuration file. -[Add-ons]({{}}/rke/latest/en/config-options/add-ons/) can also be upgraded by changing any of the add-ons and running `rke up` again with the updated configuration file. +As of v1.1.0, additional upgrade options became available to give you more granular control over the upgrade process. These options can be used to maintain availability of your applications during a cluster upgrade. + +For details on upgrade configuration options, refer to [Configuring the Upgrade Strategy.]({{}}/rke/latest/en/upgrades/configuring-strategy) + +For the requirements to maintain availability of applications during a cluster upgrade, refer to [this section.]({{}}/rke/latest/en/upgrades/maintaining-availability) + +### Upgrading Nodes Manually + +_Available as of v1.1.0_ + +You can manually update each type of node separately. As a best practice, upgrade the etcd nodes first, followed by controlplane and then worker nodes. + +### Rolling Back the Kubernetes Version + +_Available as of v1.1.0_ + +A cluster can be restored back to a snapshot that uses a previous Kubernetes version. + +### Troubleshooting + +_Applies to v1.1.0+_ + +If a node doesn't come up after an upgrade, the `rke up` command errors out. + +No upgrade will proceed if the number of unavailable nodes exceeds the configured maximum. 
+ +If an upgrade stops, you may need to fix an unavailable node or remove it from the cluster before the upgrade can continue. + +A failed node could be in many different states: + +- Powered off +- Unavailable +- User drains a node while upgrade is in process, so there are no kubelets on the node +- The upgrade itself failed + +Some expected failure scenarios include the following: + +- If the maximum unavailable number of nodes is reached during an upgrade, the RKE CLI will error out and exit the CLI with a failure code. +- If some nodes fail to upgrade, but the number of failed nodes doesn't reach the maximum unavailable number of nodes, the RKE CLI logs the nodes that were unable to upgrade and continues to upgrade the add-ons. After the add-ons are upgraded, RKE will error out and exit the CLI with a failure code regardless of add-on upgrade status. \ No newline at end of file diff --git a/content/rke/latest/en/upgrades/configuring-strategy/_index.md b/content/rke/latest/en/upgrades/configuring-strategy/_index.md new file mode 100644 index 00000000000..7424354adc8 --- /dev/null +++ b/content/rke/latest/en/upgrades/configuring-strategy/_index.md 
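Review bot: In the `@@ -102,8 +105,46 @@` hunk of `content/rke/latest/en/upgrades/_index.md`, the new "Upgrading Nodes Manually" and "Rolling Back the Kubernetes Version" sections each state that the operation is possible but give no command, configuration key or link, so a reader cannot act on them; add the procedure or link to the page that has it, as the "Configuring the Upgrade Strategy" section just above does. In Troubleshooting, "No upgrade will proceed if the number of unavailable nodes exceeds the configured maximum" disagrees with the how-upgrades-work page in this same patch, which says the upgrade stops when that number "matches or exceeds" the maximum; state the boundary the same way in both places. The file also ends without a trailing newline.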
@@ -0,0 +1,171 @@ +--- +title: Configuring the Upgrade Strategy +weight: 2 +--- + +In this section, you'll learn how to configure the maximum number of unavailable controlplane and worker nodes, how to drain nodes before upgrading them, and how to configure the replicas for addons such as Ingress. + +- [Maximum Unavailable Nodes](#maximum-unavailable-nodes) +- [Draining Nodes](#draining-nodes) +- [Replicas for Ingress and Networking Addons](#replicas-for-ingress-and-networking-addons) +- [Replicas for DNS and Monitoring Addons](#replicas-for-dns-and-monitoring-addons) +- [Example cluster.yml](#example-cluster-yml) + +### Maximum Unavailable Nodes + +The maximum number of unavailable controlplane and worker nodes can be configured in the `cluster.yml` before upgrading the cluster: + +- **max_unavailable_controlplane:** The maximum number of controlplane nodes that can fail without causing the cluster upgrade to fail. By default, `max_unavailable_controlplane` is defined as 2 nodes. +- **max_unavailable_worker:** The maximum number of worker nodes that can fail without causing the cluster upgrade to fail. By default, `max_unavailable_worker` is defined as 10 percent of all worker nodes.* + +/* This number can be configured as a percentage or as an integer. When defined as a percentage, the batch size is rounded down to the nearest node, with a minimum of one node per batch. + +An example configuration of the cluster upgrade strategy is shown below: + +```yaml +upgrade_strategy: + max_unavailable_worker: 10% + max_unavailable_controlplane: 2 +``` + +### Draining Nodes + +By default, nodes are cordoned first before upgrading. Each node should always be cordoned before starting its upgrade so that new pods will not be scheduled to it, and traffic will not reach the node. In addition to cordoning each node, RKE can also be configured to drain each node before starting its upgrade. Draining a node will evict all the pods running on the computing resource. 
+ +For information on draining and how to safely drain a node, refer to the [Kubernetes documentation.](https://kubernetes.io/docs/tasks/administer-cluster/safely-drain-node/) + +If the `drain` directive is set to `true` in the `cluster.yml`, worker nodes will be drained before they are upgraded. The default value is false: + +```yaml +upgrade_strategy: + max_unavailable_worker: 10% + max_unavailable_controlplane: 2 + drain: false + node_drain_input: + force: false + ignore_daemonsets: true + delete_local_data: false + grace_period: -1 // grace period specified for each pod spec will be used + timeout: 60 +``` + +### Replicas for Ingress and Networking Addons + +The Ingress and network addons are launched as Kubernetes [daemonsets.](https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/) If no value is given for the [update strategy,](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy) Kubernetes sets the update strategy to `rollingUpdate` by default, with `maxUnavailable` set to 1. + +An example configuration of the Ingress and network addons is shown below: + +```yaml +ingress: + provider: nginx + update_strategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 5 +network: + plugin: canal + update_strategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 6 +``` + +### Replicas for DNS and Monitoring Addons + +The DNS and monitoring addons are launched as Kubernetes [deployments.](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/) These addons include `coredns`, `kubedns`, and `metrics-server`, the monitoring deployment. + +If no value is configured for their [update strategy](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy) in the `cluster.yml`, Kubernetes sets the update strategy to `rollingUpdate` by default, with `maxUnavailable` set to 25% and `maxSurge` set to 25%. 
+ +The DNS addons use `cluster-proportional-autoscaler`, which is an [open-source container image](https://github.com/kubernetes-incubator/cluster-proportional-autoscaler) that watches over the number of schedulable nodes and cores of the cluster and resizes the number of replicas for the required resource. This functionality is useful for applications that need to be autoscaled with the number of nodes in the cluster. For the DNS addon, the fields needed for the `cluster-proportional-autoscaler` are made configurable. + +The following table shows the default values for these fields: + +Field Name | Default Value +-----------|-------------- +coresPerReplica | 128 +nodesPerReplica | 4 +min | 1 +preventSinglePointFailure | true + +The `cluster-proportional-autoscaler` uses this formula to calculate the number of replicas: + +```plain +replicas = max( ceil( cores * 1/coresPerReplica ) , ceil( nodes * 1/nodesPerReplica ) ) +replicas = min(replicas, max) +replicas = max(replicas, min) +``` + +An example configuration of the DNS and monitoring addons is shown below: + +```yaml +dns: + provider: coredns + update_strategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 20% + maxSurge: 15% + linear_autoscaler_params: + cores_per_replica: 0.34 + nodes_per_replica: 4 + prevent_single_point_failure: true + min: 2 + max: 3 +monitoring: + provider: metrics-server + update_strategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 8 +``` + +### Example cluster.yml + +```yaml +# If you intened to deploy Kubernetes in an air-gapped environment, +# please consult the documentation on how to configure custom RKE images. 
+nodes: +# At least three etcd nodes, two controlplane nodes, and two worker nodes, +# nodes skipped for brevity +upgrade_strategy: + max_unavailable_worker: 10% + max_unavailable_controlplane: 2 + drain: false + node_drain_input: + force: false + ignore_daemonsets: true + delete_local_data: false + grace_period: -1 // grace period specified for each pod spec will be used + timeout: 60 +ingress: + provider: nginx + update_strategy: # Available in v2.4 + type: RollingUpdate + rollingUpdate: + maxUnavailable: 5 +network: + plugin: canal + update_strategy: # Available in v2.4 + type: RollingUpdate + rollingUpdate: + maxUnavailable: 6 +dns: + provider: coredns + update_strategy: # Available in v2.4 + type: RollingUpdate + rollingUpdate: + maxUnavailable: 20% + maxSurge: 15% + linear_autoscaler_params: + cores_per_replica: 0.34 + nodes_per_replica: 4 + prevent_single_point_failure: true + min: 2 + max: 3 +monitoring: + provider: metrics-server + update_strategy: # Available in v2.4 + type: RollingUpdate + rollingUpdate: + maxUnavailable: 8 +``` diff --git a/content/rke/latest/en/upgrades/how-upgrades-work/_index.md b/content/rke/latest/en/upgrades/how-upgrades-work/_index.md new file mode 100644 index 00000000000..7d2e6eb5408 --- /dev/null +++ b/content/rke/latest/en/upgrades/how-upgrades-work/_index.md 
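Review bot: In `content/rke/latest/en/upgrades/configuring-strategy/_index.md`, both YAML examples that set `node_drain_input` contain `grace_period: -1 // grace period specified for each pod spec will be used`, and `//` does not start a comment in YAML, so the whole remainder becomes part of the scalar and anyone pasting the example gets a string where an integer is intended. Use `#` for the comment. Two consistency points in the same file: `max_unavailable_controlplane` is described as defaulting to 2 nodes, while the how-upgrades-work page in this patch says controlplane nodes are upgraded one at a time by default, and the `# Available in v2.4` comments in the example `cluster.yml` do not match the v1.1.0 version used everywhere else on these RKE pages. Smaller fixes: the footnote marker "/*" should be "*", "intened" should be "intended", and the defaults table omits `max` although the replica formula uses it.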
@@ -0,0 +1,94 @@ +--- +title: How Upgrades Work +weight: 1 +--- + +In this section, you'll learn how each type of node is upgraded by default when a cluster is upgraded using `rke up`. + +{{% tabs %}} +{{% tab "RKE v1.1.0+" %}} + +The following features are new in RKE v1.1.0: + +- The ability to upgrade or edit a cluster without downtime for your applications. +- The ability to manually upgrade nodes of a certain role without upgrading others. +- The ability to restore a Kubernetes cluster to an older Kubernetes version by restoring it to a snapshot that includes the older Kubernetes version. This capability allows you to safely upgrade one type of node at a time, because if an upgrade cannot be completed by all nodes in the cluster, you can downgrade the Kubernetes version of the nodes that were already upgraded. + +When a cluster is upgraded with `rke up`, using the default options, the following process is used: + +1. etcd nodes get updated first, one at a time. +1. Controlplane nodes get updated second, one at a time. +1. Worker nodes get updated third, one by one, because the default configuration for the maximum number of unavailable nodes is one. +1. [Addons]({{}}/rke/latest/en/config-options/add-ons/) get upgraded one by one. + +The following sections break down in more detail what happens when etcd nodes, controlplane nodes, worker nodes, and addons are upgraded. This information is intended to be used to help you understand the update strategy for the cluster, and may be useful when troubleshooting problems with upgrading the cluster. + +- [Upgrades of etcd nodes](#upgrades-of-etcd-nodes) +- [Upgrades of controlplane nodes](#upgrades-of-controlplane-nodes) +- [Upgrades of worker nodes](#upgrades-of-worker-nodes) +- [Upgrades of addons](#upgrades-of-addons) + +### Upgrades of etcd Nodes + +A cluster upgrade begins by upgrading the etcd nodes one at a time. + +If an etcd node fails at any time, the upgrade will fail and no more nodes will be upgraded. 
The cluster will be stuck in an updating state and not move forward to upgrading controlplane or worker nodes. + +### Upgrades of Controlplane Nodes + +Controlplane nodes are upgraded one at a time by default. The maximum number of unavailable controlplane nodes can also be configured, so that they can be upgraded in batches. + +As long as the maximum unavailable number or percentage of controlplane nodes has not been reached, Rancher will continue to upgrade other controlplane nodes, then the worker nodes. + +If any controlplane nodes were unable to be upgraded, the upgrade will not proceed to the worker nodes. + +### Upgrades of Worker Nodes + +By default, worker nodes are upgraded in batches. The size of the batch is determined by the maximum number of unavailable worker nodes, configured as the `max_unavailable_worker` directive in the `cluster.yml`. + +By default, the `max_unavailable_worker` nodes is defined as 10 percent of all worker nodes. This number can be configured as a percentage or as an integer. When defined as a percentage, the batch size is rounded down to the nearest node, with a minimum of one node. + +For example, if you have 11 worker nodes and `max_unavailable_worker` is 25%, two nodes will be upgraded at once because 25% of 11 is 2.75. If you have two worker nodes and `max_unavailable_worker` is 1%, the worker nodes will be upgraded one at a time because the minimum batch size is one. + +When each node in a batch returns to a Ready state, the next batch of nodes begins to upgrade. If `kubelet` and `kube-proxy` have started, the node is Ready. As long as the `max_unavailable_worker` number of nodes have not failed, Rancher will continue to upgrade other worker nodes. + +RKE scans the cluster before starting the upgrade to find the powered down or unreachable hosts. The upgrade will stop if that number matches or exceeds the maximum number of unavailable nodes. + +RKE will cordon each node before upgrading it, and uncordon the node afterward. 
RKE can also be configured to [drain](https://kubernetes.io/docs/tasks/administer-cluster/safely-drain-node/) nodes before upgrading them. + +RKE will handle all worker node upgrades before upgrading any add-ons. As long as the maximum number of unavailable worker nodes is not reached, RKE will attempt to upgrade the [addons.](#upgrades-of-addons) For example, if a cluster has two worker nodes and one worker node fails, but the maximum unavailable worker nodes is greater than one, the addons will still be upgraded. + +### Upgrades of Addons + +The availability of your applications partly depends on the availability of [RKE addons.]({{}}/rke/latest/en/config-options/add-ons/) Addons are used to deploy several cluster components, including network plug-ins, the Ingress controller, DNS provider, and metrics server. + +Because RKE addons are necessary for allowing traffic into the cluster, a zero-downtime upgrade requires them to be updated in batches. You will need to configure the maximum number of unavailable replicas for each addon in the `cluster.yml` to ensure that your cluster will retain enough available replicas during an upgrade. + +For more information on configuring the number of replicas for each addon, refer to [this section.](#replicas-for-rke-addons) + +For an example showing how to configure the addons for zero downtime, refer to the [example cluster.yml.](#example-cluster-yml) + +{{% /tab %}} +{{% tab "RKE prior to v1.1.0" %}} + +When a cluster is upgraded with `rke up`, using the default options, the following process is used: + +- etcd nodes get updated first, one at a time. +- Controlplane nodes get updated second, one at a time. +- Worker nodes and addons get updated third, in batches of 50 or the total number of worker nodes, whichever is lower. +- Addons get upgraded one by one. 
+ +### Upgrades of Controlplane and etcd Nodes + +Controlplane and etcd nodes would be upgraded in batches of 50 nodes or the total number of controlplane nodes, whichever is lower. + +If a node fails at any time, the upgrade will stop upgrading any other nodes and fail. + +### Upgrades of Worker Nodes + +Worker nodes are upgraded simultaneously, in batches of either 50 or the total number of worker nodes, whichever is lower. If a worker node fails at any time, the upgrade stops. + +When a worker node is upgraded, it restarts several Docker processes, including the `kubelet` and `kube-proxy`. When `kube-proxy` comes up, it flushes `iptables`. When this happens, pods on this node can’t be accessed, resulting in downtime for the applications. + +{{% /tab %}} +{{% /tabs %}} \ No newline at end of file diff --git a/content/rke/latest/en/upgrades/maintaining-availability/_index.md b/content/rke/latest/en/upgrades/maintaining-availability/_index.md new file mode 100644 index 00000000000..cc19876b13c --- /dev/null +++ b/content/rke/latest/en/upgrades/maintaining-availability/_index.md 
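Review bot: In `content/rke/latest/en/upgrades/how-upgrades-work/_index.md`, step 3 of the v1.1.0+ list now reads "Worker nodes get updated third, one by one, because the default configuration for the maximum number of unavailable nodes is one", which contradicts the "Upgrades of Worker Nodes" section on the same page ("By default, the `max_unavailable_worker` nodes is defined as 10 percent of all worker nodes", upgraded in batches). The wording in the deleted zero-downtime page ("in a configurable batch size, where the default is 10 percent of worker nodes and the minimum is one") matched that section; suggest restoring it. The links `#replicas-for-rke-addons` and `#example-cluster-yml` under "Upgrades of Addons" point to anchors that are not on this new page, since that content now lives in `configuring-strategy`; point them there. Several sentences also say "Rancher will continue to upgrade" where the surrounding text attributes the upgrade to RKE.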
@@ -0,0 +1,44 @@ +--- +title: Maintaining Availability for Applications During Upgrades +weight: 1 +--- +_Available as of v1.1.0_ + +In this section, you'll learn the requirements to prevent downtime for your applications when you upgrade the cluster using `rke up`. + +An upgrade without downtime is one in which your workloads are available on at least a single node, and all critical addon services, such as Ingress and DNS, are available during the upgrade. + +The way that clusters are upgraded changed in RKE v1.1.0. For details, refer to [How Upgrades Work.]({{}}/rke/latest/en/upgrades/how-upgrades-work) + +This availability is achieved by upgrading worker nodes in batches of a configurable size, and ensuring that your workloads run on a number of nodes that exceeds that maximum number of unavailable worker nodes. + +To avoid downtime for your applications during an upgrade, you will need to configure your workloads to continue running despite the rolling upgrade of worker nodes. There are also requirements for the cluster architecture and Kubernetes target version. + +1. [Kubernetes Version Requirement](#1-kubernetes-version-requirement) +2. [Cluster Requirements](#2-cluster-requirements) +3. [Workload Requirements](#3-workload-requirements) + +### 1. Kubernetes Version Requirement + +When upgrading to a newer Kubernetes version, the upgrade must be from a minor release to the next minor version, or to within the same patch release series. + +### 2. Cluster Requirements + +The following must be true of the cluster that will be upgraded: + +1. The cluster has three or more etcd nodes. +1. The cluster has two or more controlplane nodes. +1. The cluster has two or more worker nodes. +1. The Ingress, DNS, and other addons are schedulable to a number of nodes that exceeds the maximum number of unavailable worker nodes. By default, the minimum number of unavailable worker nodes is one. + +### 3. 
Workload Requirements + +The following must be true of the cluster's applications: + +1. The application and Ingress are deployed across a number of nodes exceeding the maximum number of unavailable worker nodes. +1. The applications must make use of liveness and readiness probes. + +For information on how to use node selectors to assign pods to nodes, refer to the [official Kubernetes documentation.](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/) + +For information on configuring the number of replicas for each addon, refer to [this section.]({{}}/rke/latest/en/upgrades/configuring-strategy/) + diff --git a/content/rke/latest/en/zero-downtime/_index.md b/content/rke/latest/en/zero-downtime/_index.md deleted file mode 100644 index 9e873a7a92a..00000000000 --- a/content/rke/latest/en/zero-downtime/_index.md +++ /dev/null 
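Review bot: In `content/rke/latest/en/upgrades/maintaining-availability/_index.md`, cluster requirement 4 ends with "By default, the minimum number of unavailable worker nodes is one", but the setting documented throughout this patch is a maximum (`max_unavailable_worker`, default 10 percent, with a minimum batch size of one), so the sentence should be reworded to say which of those it means. The paragraph beginning "This availability is achieved by" now follows the inserted sentence about How Upgrades Work and has lost its referent; move the inserted sentence so the paragraph directly follows the definition of an upgrade without downtime. The front matter uses `weight: 1`, the same value as the new how-upgrades-work page, which leaves the ordering of the two pages ambiguous.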
@@ -1,339 +0,0 @@ ---- -title: Zero-downtime Cluster Maintenance -weight: 1 ---- -_Available as of v1.1.0_ - -It is now possible to upgrade or edit an RKE Kubernetes cluster without downtime for your applications. In this section, you'll learn how to configure your cluster to prevent downtime when you upgrade the cluster using `rke up`. - -A zero-downtime upgrade is one in which your workloads are available on at least a single node, and all critical addon services, such as Ingress and DNS, are available during the upgrade. - -This availability is achieved by upgrading worker nodes in batches of a configurable size, and ensuring that your workloads run on a number of nodes that exceeds that maximum number of unavailable worker nodes. - -Several requirements must be met before zero-downtime cluster upgrades can succeed. For details, refer to [this section.](#requirements) - -- [How Upgrades Work](#how-upgrades-work) -- [Requirements for Zero-downtime Upgrades](#requirements-for-zero-downtime-upgrades) - 1. [Kubernetes Version Requirement](#1-kubernetes-version-requirement) - 2. [Cluster Requirements](#2-cluster-requirements) - 3. [Workload Requirements](#3-workload-requirements) -- [Configuring Upgrade Strategy](#configuring-upgrade-strategy) - - [Maximum Unavailable Nodes](#maximum-unavailable-nodes) - - [Draining Nodes](#draining-nodes) - - [Replicas for Ingress and Networking Addons](#replicas-for-ingress-and-networking-addons) - - [Replicas for DNS and Monitoring Addons](#replicas-for-dns-and-monitoring-addons) -- [Example cluster.yml](#example-cluster-yml) -- [Troubleshooting](#troubleshooting) - -# How Upgrades Work - -The purpose of this section is to clarify how each type of node is upgraded by default. - -{{% tabs %}} -{{% tab "RKE v1.1.0+" %}} - -The following features are new in RKE v1.1.0: - -- The ability to upgrade or edit a cluster without downtime for your applications. 
-- The ability to manually upgrade nodes of a certain role without upgrading others. -- The ability to restore a Kubernetes cluster to an older Kubernetes version by restoring it to a snapshot that includes the older Kubernetes version. This capability allows you to safely upgrade one type of node at a time, because if an upgrade cannot be completed by all nodes in the cluster, you can downgrade the Kubernetes version of the nodes that were already upgraded. - -When a cluster is upgraded with `rke up`, using the default options, the following process is used: - -1. etcd nodes get updated first, one at a time. -1. Controlplane nodes get updated second, one at a time. -1. Worker nodes get updated third, in a configurable batch size, where the default is 10 percent of worker nodes and the minimum is one. -1. [RKE Addons]({{}}/rke/latest/en/config-options/add-ons/) get upgraded one by one. - -The following sections break down in more detail what happens when etcd nodes, controlplane nodes, worker nodes, and addons are upgraded. This information is intended to be used to help you understand the update strategy for the cluster, and may be useful when troubleshooting problems with upgrading the cluster. - -- [Upgrades of etcd nodes](#upgrades-of-etcd-nodes) -- [Upgrades of controlplane nodes](#upgrades-of-controlplane-nodes) -- [Upgrades of worker nodes](#upgrades-of-worker-nodes) -- [Upgrades of addons](#upgrades-of-addons) - -### Upgrades of etcd Nodes - -A cluster upgrade begins by upgrading the etcd nodes one at a time. - -If an etcd node fails at any time, the upgrade will fail and no more nodes will be upgraded. The cluster will be stuck in an updating state and not move forward to upgrading controlplane or worker nodes. The RKE CLI will error out and exit with a failure code. - -### Upgrades of Controlplane Nodes - -Controlplane nodes are upgraded one at a time by default. 
The maximum number of unavailable controlplane nodes can also be configured, so that they can be upgraded in batches. - -As long as the maximum unavailable number or percentage of controlplane nodes has not been reached, Rancher will continue to upgrade other controlplane nodes, then the worker nodes. - -If any controlplane nodes were unable to be upgraded, the upgrade will not proceed to the worker nodes. - -### Upgrades of Worker Nodes - -By default, worker nodes are upgraded in batches. The size of the batch is determined by the maximum number of unavailable worker nodes, configured as the `max_unavailable_worker` directive in the `cluster.yml`. - -By default, the `max_unavailable_worker` nodes is defined as 10 percent of all worker nodes. This number can be configured as a percentage or as an integer. When defined as a percentage, the batch size is rounded down to the nearest node, with a minimum of one node. - -For example, if you have 11 worker nodes and `max_unavailable_worker` is 25%, two nodes will be upgraded at once because 25% of 11 is 2.75. If you have two worker nodes and `max_unavailable_worker` is 1%, the worker nodes will be upgraded one at a time because the minimum batch size is one. - -When each node in a batch returns to a Ready state, the next batch of nodes begins to upgrade. If `kubelet` and `kube-proxy` have started, the node is Ready. As long as the `max_unavailable_worker` number of nodes have not failed, Rancher will continue to upgrade other worker nodes. - -RKE scans the cluster before starting the upgrade to find the powered down or unreachable hosts. The upgrade will stop if that number matches or exceeds the maximum number of unavailable nodes. - -RKE will cordon each node before upgrading it, and uncordon the node afterward. RKE can also be configured to [drain](https://kubernetes.io/docs/tasks/administer-cluster/safely-drain-node/) nodes before upgrading them. 
- -The RKE CLI will handle all worker node upgrades before upgrading any add-ons. As long as the maximum number of unavailable worker nodes is not reached, the RKE CLI will attempt to upgrade the [addons.](#upgrades-of-addons) For example, if a cluster has two worker nodes and one worker node fails, but the maximum unavailable worker nodes is greater than one, the addons will still be upgraded. - -### Upgrades of Addons - -The availability of your applications partly depends on the availability of [RKE addons.]({{}}/rke/latest/en/config-options/add-ons/) Addons are used to deploy several cluster components, including network plug-ins, the Ingress controller, DNS provider, and metrics server. - -Because RKE addons are necessary for allowing traffic into the cluster, a zero-downtime upgrade requires them to be updated in batches. You will need to configure the maximum number of unavailable replicas for each addon in the `cluster.yml` to ensure that your cluster will retain enough available replicas during an upgrade. - -For more information on configuring the number of replicas for each addon, refer to [this section.](#configuring-the-upgrade-strategy) - -For an example showing how to configure the addons for zero downtime, refer to the [example cluster.yml.](#example-cluster-yml) - -{{% /tab %}} -{{% tab "RKE prior to v1.1.0" %}} - -When a cluster is upgraded with `rke up`, using the default options, the following process is used: - -- etcd nodes get updated first, one at a time. -- Controlplane nodes get updated second, one at a time. -- Worker nodes and addons get updated third, in batches of 50 or the total number of worker nodes, whichever is lower. -- Addons get upgraded one by one. - -### Upgrades of Controlplane and etcd Nodes - -Controlplane and etcd nodes would be upgraded in batches of 50 nodes or the total number of controlplane nodes, whichever is lower. - -If a node fails at any time, the upgrade will stop upgrading any other nodes and fail. 
The RKE CLI errors out and exits. - -### Upgrades of Worker Nodes - -Worker nodes are upgraded simultaneously, in batches of either 50 or the total number of worker nodes, whichever is lower. If a worker node fails at any time, the upgrade stops. The RKE CLI errors out and exits. - -When a worker node is upgraded, it restarts several Docker processes, including the `kubelet` and `kube-proxy`. When `kube-proxy` comes up, it flushes `iptables`. When this happens, pods on this node can’t be accessed, resulting in downtime for the applications. - -{{% /tab %}} -{{% /tabs %}} - -# Requirements for Zero-downtime Upgrades - -To achieve a zero-downtime cluster upgrade, you will need to configure your workloads to continue running despite the rolling upgrade of worker nodes. There are also requirements for the cluster architecture and Kubernetes target version. - -1. [Kubernetes version requirement](#2-kubernetes-version-requirement) -2. [Cluster requirements](#1-cluster-requirements) -3. [Workload requirements](#3-workload-requirements) - -### 1. Kubernetes Version Requirement - -When upgrading to a newer Kubernetes version, the upgrade must be from a minor release to the next minor version, or to within the same patch release series. - -### 2. Cluster Requirements - -The following must be true of the cluster that will be upgraded: - -1. The cluster has three or more etcd nodes. -1. The cluster has two or more controlplane nodes. -1. The cluster has two or more worker nodes. -1. The Ingress, DNS, and other addons are schedulable to a number of nodes that exceeds the maximum number of unavailable worker nodes. By default, the minimum number of unavailable worker nodes is one. - -### 3. Workload Requirements - -The following must be true of the cluster's applications: - -1. The application and Ingress are deployed across a number of nodes exceeding the maximum number of unavailable worker nodes. -1. The applications must make use of liveness and readiness probes. 
- -For information on how to use node selectors to assign pods to nodes, refer to the [official Kubernetes documentation.](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/) - -For information on configuring the number of replicas for each addon, refer to [this section.](#replicas-for-rke-addons) - -# Configuring the Upgrade Strategy - -In this section, you'll learn how to configure the maximum number of unavailable controlplane and worker nodes, how to drain nodes before upgrading them, and how to configure the replicas for addons such as Ingress. - -### Maximum Unavailable Nodes - -Optionally, configure the following upgrade directives in the `cluster.yml` before upgrading the cluster: - -- **max_unavailable_controlplane:** The maximum number of controlplane nodes that can fail without causing the cluster upgrade to fail. By default, `max_unavailable_controlplane` is defined as 2 nodes. -- **max_unavailable_worker:** The maximum number of worker nodes that can fail without causing the cluster upgrade to fail. By default, `max_unavailable_worker` is defined as 10 percent of all worker nodes.* - -/* This number can be configured as a percentage or as an integer. When defined as a percentage, the batch size is rounded down to the nearest node, with a minimum of one node per batch. - -An example configuration of the cluster upgrade strategy is shown below: - -```yaml -upgrade_strategy: - max_unavailable_worker: 10% - max_unavailable_controlplane: 2 -``` - -### Draining Nodes - -By default, nodes are cordoned first before upgrading. Each node should always be cordoned before starting its upgrade so that new pods will not be scheduled to it, and traffic will not reach the node. In addition to cordoning each node, RKE can also be configured to drain each node before starting its upgrade. Draining a node will evict all the pods running on the computing resource. 
- -For information on draining and how to safely drain a node, refer to the [Kubernetes documentation.](https://kubernetes.io/docs/tasks/administer-cluster/safely-drain-node/) - -If the `drain` directive is set to `true` in the `cluster.yml`, worker nodes will be drained before they are upgraded. The default value is false: - -```yaml -upgrade_strategy: - max_unavailable_worker: 10% - max_unavailable_controlplane: 2 - drain: false - node_drain_input: - force: false - ignore_daemonsets: true - delete_local_data: false - grace_period: -1 // grace period specified for each pod spec will be used - timeout: 60 -``` - -### Replicas for Ingress and Networking Addons - -The Ingress and network addons are launched as Kubernetes [daemonsets.](https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/) If no value is given for the [update strategy,](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy) Kubernetes sets the update strategy to `rollingUpdate` by default, with `maxUnavailable` set to 1. - -An example configuration of the Ingress and network addons is shown below: - -```yaml -ingress: - provider: nginx - update_strategy: - type: RollingUpdate - rollingUpdate: - maxUnavailable: 5 -network: - plugin: canal - update_strategy: - type: RollingUpdate - rollingUpdate: - maxUnavailable: 6 -``` - -### Replicas for DNS and Monitoring Addons - -The DNS and monitoring addons are launched as Kubernetes [deployments.](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/) These addons include `coredns`, `kubedns`, and `metrics-server`, the monitoring deployment. - -If no value is configured for their [update strategy](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy) in the `cluster.yml`, Kubernetes sets the update strategy to `rollingUpdate` by default, with `maxUnavailable` set to 25% and `maxSurge` set to 25%. 
- -The DNS addons use `cluster-proportional-autoscaler`, which is an [open-source container image](https://github.com/kubernetes-incubator/cluster-proportional-autoscaler) that watches over the number of schedulable nodes and cores of the cluster and resizes the number of replicas for the required resource. This functionality is useful for applications that need to be autoscaled with the number of nodes in the cluster. For the DNS addon, the fields needed for the `cluster-proportional-autoscaler` are made configurable. - -The following table shows the default values for these fields: - -Field Name | Default Value ------------|-------------- -coresPerReplica | 128 -nodesPerReplica | 4 -min | 1 -preventSinglePointFailure | true - -The `cluster-proportional-autoscaler` uses this formula to calculate the number of replicas: - -```plain -replicas = max( ceil( cores * 1/coresPerReplica ) , ceil( nodes * 1/nodesPerReplica ) ) -replicas = min(replicas, max) -replicas = max(replicas, min) -``` - -An example configuration of the DNS and monitoring addons is shown below: - -```yaml -dns: - provider: coredns - update_strategy: - type: RollingUpdate - rollingUpdate: - maxUnavailable: 20% - maxSurge: 15% - linear_autoscaler_params: - cores_per_replica: 0.34 - nodes_per_replica: 4 - prevent_single_point_failure: true - min: 2 - max: 3 -monitoring: - provider: metrics-server - update_strategy: - type: RollingUpdate - rollingUpdate: - maxUnavailable: 8 -``` - -### Example cluster.yml - -```yaml -# If you intened to deploy Kubernetes in an air-gapped environment, -# please consult the documentation on how to configure custom RKE images. 
-nodes: -# At least three etcd nodes, two controlplane nodes, and two worker nodes, -# nodes skipped for brevity -upgrade_strategy: - max_unavailable_worker: 10% - max_unavailable_controlplane: 2 - drain: false - node_drain_input: - force: false - ignore_daemonsets: true - delete_local_data: false - grace_period: -1 // grace period specified for each pod spec will be used - timeout: 60 -ingress: - provider: nginx - update_strategy: # Available in v2.4 - type: RollingUpdate - rollingUpdate: - maxUnavailable: 5 -network: - plugin: canal - update_strategy: # Available in v2.4 - type: RollingUpdate - rollingUpdate: - maxUnavailable: 6 -dns: - provider: coredns - update_strategy: # Available in v2.4 - type: RollingUpdate - rollingUpdate: - maxUnavailable: 20% - maxSurge: 15% - linear_autoscaler_params: - cores_per_replica: 0.34 - nodes_per_replica: 4 - prevent_single_point_failure: true - min: 2 - max: 3 -monitoring: - provider: metrics-server - update_strategy: # Available in v2.4 - type: RollingUpdate - rollingUpdate: - maxUnavailable: 8 -``` - -# Upgrading Nodes Manually - -You can manually update each type of node separately. As a best practice, upgrade the etcd nodes first, followed by controlplane and then worker nodes. - -A cluster can be rolled back to a snapshot that uses a previous Kubernetes version. - -# Troubleshooting - -If a node doesn't come up after an upgrade, the `rke up` command errors out. - -No upgrade will proceed if the number of unavailable nodes exceeds the configured maximum. - -If an upgrade stops, you may need to fix an unavailable node or remove it from the cluster before the upgrade can continue. 
- -A failed node could be in many different states: - -- Powered off -- Unavailable -- User drains a node while upgrade is in process, so there are no kubelets on the node -- The upgrade itself failed - -Some expected failure scenarios include the following: - -- If the maximum unavailable number of nodes is reached during an upgrade, the RKE CLI will error out and exit the CLI with a failure code. -- If some nodes fail to upgrade, but the number of failed nodes doesn't reach the maximum unavailable number of nodes, the RKE CLI logs the nodes that were unable to upgrade and continues to upgrade the add-ons. After the add-ons are upgraded, RKE will error out and exit the CLI with a failure code regardless of add-on upgrade status. \ No newline at end of file From 302b3ee918e97e5689426f11daf27047e555f1a6 Mon Sep 17 00:00:00 2001 From: Catherine Luse Date: Tue, 24 Mar 2020 14:42:36 -0700 Subject: [PATCH 093/183] Edit zero-downtime upgrade docs for Rancher --- content/rancher/v2.x/en/_index.md | 11 +- .../v2.x/en/cluster-admin/nodes/_index.md | 11 +- .../upgrading-kubernetes/_index.md | 122 +++++++-- .../how-upgrades-work/_index.md | 95 ------- .../en/cluster-admin/zero-downtime/_index.md | 246 ------------------ content/rke/latest/en/upgrades/_index.md | 30 ++- .../en/upgrades/how-upgrades-work/_index.md | 11 +- .../maintaining-availability/_index.md | 7 +- 8 files changed, 143 insertions(+), 390 deletions(-) delete mode 100644 content/rancher/v2.x/en/cluster-admin/upgrading-kubernetes/how-upgrades-work/_index.md delete mode 100644 content/rancher/v2.x/en/cluster-admin/zero-downtime/_index.md diff --git a/content/rancher/v2.x/en/_index.md b/content/rancher/v2.x/en/_index.md index 1cdb421ebd0..f7c4fdf6ac3 100644 --- a/content/rancher/v2.x/en/_index.md +++ b/content/rancher/v2.x/en/_index.md 
@@ -8,13 +8,14 @@ insertOneSix: true weight: 1 ctaBanner: intro-k8s-rancher-online-training --- +Rancher was originally built to work with multiple orchestrators, and it included its own orchestrator called Cattle. With the rise of Kubernetes in the marketplace, Rancher 2.x exclusively deploys and manages Kubernetes clusters running anywhere, on any provider. -# What's New? +Rancher can provision Kubernetes from a hosted provider, provision compute nodes and then install Kubernetes onto them, or import existing Kubernetes clusters running anywhere. -Rancher was originally built to work with multiple orchestrators, and it included its own orchestrator called Cattle. With the rise of Kubernetes in the marketplace, Rancher now exclusively deploys and manages multiple Kubernetes clusters running anywhere, on any provider. It can provision Kubernetes from a hosted provider, provision compute nodes and then install Kubernetes onto them, or inherit existing Kubernetes clusters running anywhere. +One Rancher server installation can manage up to 2,000 Kubernetes clusters and 100,000 nodes from the same user interface. -One Rancher server installation can manage hundreds of Kubernetes clusters from the same interface. +Rancher adds significant value on top of Kubernetes, first by centralizing authentication and role-based access control (RBAC) for all of the clusters, giving global admins the ability to control cluster access from one location. -Rancher adds significant value on top of Kubernetes, first by centralizing role-based access control (RBAC) for all of the clusters and giving global admins the ability to control cluster access from one location. It then enables detailed monitoring and alerting for clusters and their resources, ships logs to external providers, and integrates directly with Helm via the Application Catalog. 
If you have an external CI/CD system, you can plug it into Rancher, but if you don't, Rancher even includes a pipeline engine to help you automatically deploy and upgrade workloads. +It then enables detailed monitoring and alerting for clusters and their resources, ships logs to external providers, and integrates directly with Helm via the Application Catalog. If you have an external CI/CD system, you can plug it into Rancher, but if you don't, Rancher even includes a pipeline engine to help you automatically deploy and upgrade workloads. -Rancher is a _complete_ container management platform for Kubernetes, giving you the tools to successfully run Kubernetes anywhere. +Rancher is a _complete_ container management platform for Kubernetes, giving you the tools to successfully run Kubernetes anywhere. \ No newline at end of file diff --git a/content/rancher/v2.x/en/cluster-admin/nodes/_index.md b/content/rancher/v2.x/en/cluster-admin/nodes/_index.md index 352a34c2242..c90ae67303b 100644 --- a/content/rancher/v2.x/en/cluster-admin/nodes/_index.md +++ b/content/rancher/v2.x/en/cluster-admin/nodes/_index.md @@ -71,8 +71,10 @@ However, you can override the conditions draining when you initiate the drain. Y The node draining options are different based on your version of Rancher. -### Aggressive and Safe Draining Options for Rancher v2.2.x+ +### Aggressive and Safe Draining Options +{{% tabs %}} +{{% tab "Rancher v2.2.x+" %}} There are two drain modes: aggressive and safe. - **Aggressive Mode** @@ -84,9 +86,8 @@ There are two drain modes: aggressive and safe. - **Safe Mode** If a node has standalone pods or ephemeral data it will be cordoned but not drained. - -### Aggressive and Safe Draining Options for Rancher Prior to v2.2.x - +{{% /tab %}} +{{% tab "Rancher Prior to v2.2.x" %}} The following list describes each drain option: - **Even if there are pods not managed by a ReplicationController, ReplicaSet, Job, DaemonSet or StatefulSet** 
@@ -101,6 +102,8 @@ The following list describes each drain option: If a pod uses emptyDir to store local data, you might not be able to safely delete it, since the data in the emptyDir will be deleted once the pod is removed from the node. Similar to the first option, Kubernetes expects the implementation to decide what to do with these pods. Choosing this option will delete these pods. +{{% /tab %}} +{{% /tabs %}} ### Grace Period diff --git a/content/rancher/v2.x/en/cluster-admin/upgrading-kubernetes/_index.md b/content/rancher/v2.x/en/cluster-admin/upgrading-kubernetes/_index.md index 4e7e09b9c2b..ddfd641ce33 100644 --- a/content/rancher/v2.x/en/cluster-admin/upgrading-kubernetes/_index.md +++ b/content/rancher/v2.x/en/cluster-admin/upgrading-kubernetes/_index.md 
@@ -3,25 +3,46 @@ title: Upgrading and Rolling Back Kubernetes weight: 70 --- -Following an upgrade to the latest version of Rancher, you can update your existing clusters to use the latest supported version of Kubernetes. +Following an upgrade to the latest version of Rancher, downstream Kubernetes clusters can be upgraded to use the latest supported version of Kubernetes. -Before a new version of Rancher is released, it's tested with the latest minor versions of Kubernetes to ensure compatibility. For example, Rancher v2.3.0 is was tested with Kubernetes v1.15.4, v1.14.7, and v1.13.11. For details on which versions of Kubernetes were tested on each Rancher version, refer to the [support maintenance terms.](https://rancher.com/support-maintenance-terms/all-supported-versions/rancher-v2.3.0/) +Rancher calls RKE (Rancher Kubernetes Engine) as a library when provisioning and editing RKE clusters. For more information on configuring the upgrade strategy for RKE clusters, refer to the [RKE documentation]({{}}/rke/latest/en/). 
+ +This section covers the following topics: + +- [New Features](#new-features) +- [Tested Kubernetes Versions](#tested-kubernetes-versions) +- [How Upgrades Work](#how-upgrades-work) +- [Recommended Best Practice for Upgrades](#recommended-best-practice-for-upgrades) +- [Upgrading the Kubernetes Version](#upgrading-the-kubernetes-version) +- [Rolling Back the Kubernetes Version](#rolling-back-the-kubernetes-version) +- [Configuring the Upgrade Strategy](#configuring-the-upgrade-strategy) + - [Configuring the Maximum Unavailable Worker Nodes in the Rancher UI](#configuring-the-maximum-unavailable-worker-nodes-in-the-rancher-ui) + - [Enabling Draining Nodes During Upgrades from the Rancher UI](#enabling-draining-nodes-during-upgrades-from-the-rancher-ui) + - [Maintaining Availability for Applications During Upgrades](#maintaining-availability-for-applications-during-upgrades) + - [Configuring the Upgrade Strategy in the cluster.yml](#configuring-the-upgrade-strategy-in-the-cluster-yml) +- [Troubleshooting](#troubleshooting) + +# New Features As of Rancher v2.3.0, the Kubernetes metadata feature was added, which allows Rancher to ship Kubernetes patch versions without upgrading Rancher. For details, refer to the [section on Kubernetes metadata.]({{}}/rancher/v2.x/en/admin-settings/k8s-metadata) -As of Rancher v2.4.0, the ability to import K3s Kubernetes clusters into Rancher was added, along with the ability to upgrade Kubernetes when editing those clusters. +As of Rancher v2.4.0, -### Zero-downtime Upgrades +- The ability to import K3s Kubernetes clusters into Rancher was added, along with the ability to upgrade Kubernetes when editing those clusters. 
For details, refer to the [section on imported clusters.]({{}}/rancher/v2.x/en/cluster-provisioning/imported-clusters) +- New advanced options are exposed in the Rancher UI for configuring the upgrade strategy of an RKE cluster: **Maximum Worker Nodes Unavailable** and **Drain nodes.** These options leverage the new cluster upgrade process of RKE v1.1.0, in which worker nodes are upgraded in batches, so that applications can remain available during cluster upgrades, under [certain conditions.](#maintaining-availability-for-applications-during-upgrades) -_Available as of v2.4_ +# Tested Kubernetes Versions -It is now possible to upgrade or edit an RKE Kubernetes cluster without downtime for your applications. +Before a new version of Rancher is released, it's tested with the latest minor versions of Kubernetes to ensure compatibility. For example, Rancher v2.3.0 is was tested with Kubernetes v1.15.4, v1.14.7, and v1.13.11. For details on which versions of Kubernetes were tested on each Rancher version, refer to the [support maintenance terms.](https://rancher.com/support-maintenance-terms/all-supported-versions/rancher-v2.3.0/) -A zero-downtime upgrade is one in which your workloads are available on at least a single node, and all critical addon services, such as Ingress and DNS, are available during the upgrade. +# How Upgrades Work -For details, refer to [this section.]({{}}/rancher/v2.x/en/cluster-admin/zero-downtime) +RKE v1.1.0 changed the way that clusters are upgraded. -### Recommended Best Practice for Upgrades +In this section of the [RKE documentation,]({{}}/rke/latest/en/upgrades/how-upgrades-work) you'll learn what happens when you edit or upgrade your RKE Kubernetes cluster. + + +# Recommended Best Practice for Upgrades {{% tabs %}} {{% tab "Rancher v2.4+" %}} 
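Review bot: The added line under "# Tested Kubernetes Versions" carries over the typo "Rancher v2.3.0 is was tested with Kubernetes v1.15.4"; since the sentence is being moved anyway, change it to "was tested". In the new intro paragraph, the link text promises information on configuring the upgrade strategy for RKE clusters but points at the RKE docs root (`/rke/latest/en/`), while a later section of this same file links to `/rke/latest/en/upgrades/configuring-strategy`, which would be the more useful target here as well. "As of Rancher v2.4.0," followed by a list would also read better ending in a colon.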
@@ -29,7 +50,7 @@ When upgrading the Kubernetes version of a cluster, we recommend that you: 1. Take a snapshot. 1. Initiate a Kubernetes upgrade. -1. If the upgrade fails, revert the Kubernetes upgrade to the pre-upgrade version. Before restoring the cluster from the snapshot in the etcd datastore, the cluster should be running the pre-upgrade Kubernetes version. +1. If the upgrade fails, revert the cluster to the pre-upgrade Kubernetes version. Before restoring the cluster from the snapshot in the etcd datastore, the cluster should be running the pre-upgrade Kubernetes version. 1. Restore the cluster from the etcd snapshot. The restore operation will work on a cluster that is not in a healthy or active state. 
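Review bot: Step 3 of the "Rancher v2.4+" tab now tells the reader to revert the cluster to the pre-upgrade Kubernetes version but gives no pointer to how that is done. The "Rolling Back the Kubernetes Version" section added later in this file describes rollback as restoring to a snapshot that includes the older version, so steps 3 and 4 read as the same action. Suggest linking step 3 to the procedure and stating whether the version revert is a separate edit of the cluster or part of the snapshot restore.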
@@ -41,17 +62,16 @@ When upgrading the Kubernetes version of a cluster, we recommend that you: 1. Initiate a Kubernetes upgrade. 1. If the upgrade fails, restore the cluster from the etcd snapshot. -> The cluster cannot be downgraded to a previous Kubernetes version. +The cluster cannot be downgraded to a previous Kubernetes version. {{% /tab %}} {{% /tabs %}} -### Upgrading Kubernetes +# Upgrading the Kubernetes Version > **Prerequisites:** > -> The options below are available only for [Rancher-launched RKE Kubernetes clusters]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/) and [imported K3s Kubernetes clusters.]({{}}/rancher/v2.x/en/cluster-provisioning/imported-clusters/#additional-features-for-imported-k3s-clusters) -> -> Before upgrading Kubernetes, [back up your cluster]({{}}/rancher/v2.x/en/backups). +> - The options below are available only for [Rancher-launched RKE Kubernetes clusters]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/) and [imported K3s Kubernetes clusters.]({{}}/rancher/v2.x/en/cluster-provisioning/imported-clusters/#additional-features-for-imported-k3s-clusters) +> - Before upgrading Kubernetes, [back up your cluster.]({{}}/rancher/v2.x/en/backups) 1. From the **Global** view, find the cluster for which you want to upgrade Kubernetes. Select **Vertical Ellipsis (...) > Edit**. 
@@ -63,8 +83,76 @@ When upgrading the Kubernetes version of a cluster, we recommend that you: **Result:** Kubernetes begins upgrading for the cluster. -### Rolling Back Kubernetes +# Rolling Back the Kubernetes Version _Available as of v2.4_ -A cluster can be restored to a backup in which the previous Kubernetes version was used. \ No newline at end of file +A cluster can be restored to a backup in which the previous Kubernetes version was used. + +RKE v1.1.0 introduced the ability to restore a Kubernetes cluster to an older Kubernetes version by restoring it to a snapshot that includes the older Kubernetes version. + +# Configuring the Upgrade Strategy + +As of RKE v1.1.0, additional upgrade options became available to give you more granular control over the upgrade process. These options can be used to maintain availability of your applications during a cluster upgrade if certain [conditions and requirements]({{}}/rke/latest/en/upgrades/maintaining-availability) are met. + +The upgrade strategy can be configured in the Rancher UI, or by editing the `cluster.yml`. More advanced options are available by editing the `cluster.yml`. + +### Configuring the Maximum Unavailable Worker Nodes in the Rancher UI + +From the Rancher UI, the maximum number of unavailable worker nodes can be configured. During a cluster upgrade, worker nodes will be upgraded in batches of this size. + +By default, the maximum number of unavailable worker is defined as 10 percent of all worker nodes. This number can be configured as a percentage or as an integer. When defined as a percentage, the batch size is rounded down to the nearest node, with a minimum of one node. + +To change the default number or percentage of worker nodes, + +1. Go to the cluster view in the Rancher UI. +1. Click **Ellipsis (...) > Edit.** +1. In the **Advanced Options** section, go to the **Maxiumum Worker Nodes Unavailable** field. Enter the percentage of worker nodes that can be upgraded in a batch. 
Optionally, select **Count** from the drop-down menu and enter the maximum unavailable worker nodes as an integer. +1. Click **Save.** + +**Result:** The cluster is updated to use the new upgrade strategy. + +### Enabling Draining Nodes During Upgrades from the Rancher UI + +By default, RKE [cordons](https://kubernetes.io/docs/concepts/architecture/nodes/#manual-node-administration) each node before upgrading it. [Draining](https://kubernetes.io/docs/tasks/administer-cluster/safely-drain-node/) is disabled during upgrades by default. If draining is enabled in the cluster configuration, RKE will both cordon and drain the node before it is upgraded. + +To enable draining each node during a cluster upgrade, + +1. Go to the cluster view in the Rancher UI. +1. Click **Ellipsis (...) > Edit.** +1. In the **Advanced Options** section, go to the **Drain nodes** field and click **Yes.** +1. Choose a safe or aggressive drain option. For more information about each option, refer to [this section.]({{}}/rancher/v2.x/en/cluster-admin/nodes/#aggressive-and-safe-draining-options) +1. Optionally, configure a grace period. The grace period is the timeout given to each pod for cleaning things up, so they will have chance to exit gracefully. Pods might need to finish any outstanding requests, roll back transactions or save state to some external storage. If this value is negative, the default value specified in the pod will be used. +1. Optionally, configure a timeout, which is the amount of time the drain should continue to wait before giving up. +1. Click **Save.** + +**Result:** The cluster is updated to use the new upgrade strategy. + +### Maintaining Availability for Applications During Upgrades + +_Available as of RKE v1.1.0_ + +In [this section of the RKE documentation,]({{}}/rke/latest/en/upgrades/maintaining-availability/) you'll learn the requirements to prevent downtime for your applications when upgrading the cluster. 
+ +### Configuring the Upgrade Strategy in the cluster.yml + +More advanced upgrade strategy configuration options are available by editing the `cluster.yml`. + +For details, refer to [Configuring the Upgrade Strategy]({{}}/rke/latest/en/upgrades/configuring-strategy) in the RKE documentation. The section also includes an example `cluster.yml` for configuring the upgrade strategy. + +# Troubleshooting + +If a node doesn't come up after an upgrade, the `rke up` command errors out. + +No upgrade will proceed if the number of unavailable nodes exceeds the configured maximum. + +If an upgrade stops, you may need to fix an unavailable node or remove it from the cluster before the upgrade can continue. + +A failed node could be in many different states: + +- Powered off +- Unavailable +- User drains a node while upgrade is in process, so there are no kubelets on the node +- The upgrade itself failed + +If the max unavailable number of nodes is reached during an upgrade, Rancher user clusters will be stuck in updating state and not move forward with upgrading any other control plane nodes. It will continue to evaluate the set of unavailable nodes in case one of the nodes becomes available. If the node cannot be fixed, you must remove the node in order to continue the upgrade. \ No newline at end of file diff --git a/content/rancher/v2.x/en/cluster-admin/upgrading-kubernetes/how-upgrades-work/_index.md b/content/rancher/v2.x/en/cluster-admin/upgrading-kubernetes/how-upgrades-work/_index.md deleted file mode 100644 index 73d1d02dd40..00000000000 --- a/content/rancher/v2.x/en/cluster-admin/upgrading-kubernetes/how-upgrades-work/_index.md +++ /dev/null 
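Review bot: In step 3 under "Configuring the Maximum Unavailable Worker Nodes in the Rancher UI" (upgrading-kubernetes/_index.md), the field name is misspelled as **Maxiumum Worker Nodes Unavailable**; the New Features list in the same file spells it **Maximum Worker Nodes Unavailable**, and readers will search for the UI label as written. In the same section, "the maximum number of unavailable worker is defined" is missing "nodes", and the drain steps' "so they will have chance to exit gracefully" needs "a chance". The added Troubleshooting section opens with the `rke up` command erroring out, which is RKE CLI behavior; on a page about upgrading through the Rancher UI, lead with the "stuck in updating state" paragraph or say what the user sees in Rancher. That paragraph also writes "control plane nodes" where the rest of the docs use "controlplane".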
@@ -1,95 +0,0 @@ ---- -title: How Upgrades Work -weight: 1 ---- - -In this section, you'll learn how each type of node is upgraded by default when a cluster is upgraded. - -Rancher calls [RKE]({{}}/rke/latest/en/) (Rancher Kubernetes Engine) as a library when upgrading Kubernetes clusters. RKE v1.1.0 changed the way that clusters are upgraded to make it possible to maintain availability of your applications during the upgrade. -{{% tabs %}} -{{% tab "RKE v1.1.0+" %}} - -The following features are new in RKE v1.1.0: - -- The ability to upgrade or edit a cluster without downtime for your applications. -- The ability to manually upgrade nodes of a certain role without upgrading others. -- The ability to restore a Kubernetes cluster to an older Kubernetes version by restoring it to a snapshot that includes the older Kubernetes version. This capability allows you to safely upgrade one type of node at a time, because if an upgrade cannot be completed by all nodes in the cluster, you can downgrade the Kubernetes version of the nodes that were already upgraded. - -When a cluster is upgraded with `rke up`, using the default options, the following process is used: - -1. etcd nodes get updated first, one at a time. -1. Controlplane nodes get updated second, one at a time. -1. Worker nodes get updated third, one by one, because the default configuration for the maximum number of unavailable nodes is one. -1. [Addons]({{}}/rke/latest/en/config-options/add-ons/) get upgraded one by one. - -The following sections break down in more detail what happens when etcd nodes, controlplane nodes, worker nodes, and addons are upgraded. This information is intended to be used to help you understand the update strategy for the cluster, and may be useful when troubleshooting problems with upgrading the cluster. 
- -- [Upgrades of etcd nodes](#upgrades-of-etcd-nodes) -- [Upgrades of controlplane nodes](#upgrades-of-controlplane-nodes) -- [Upgrades of worker nodes](#upgrades-of-worker-nodes) -- [Upgrades of addons](#upgrades-of-addons) - -### Upgrades of etcd Nodes - -A cluster upgrade begins by upgrading the etcd nodes one at a time. - -If an etcd node fails at any time, the upgrade will fail and no more nodes will be upgraded. The cluster will be stuck in an updating state and not move forward to upgrading controlplane or worker nodes. - -### Upgrades of Controlplane Nodes - -Controlplane nodes are upgraded one at a time by default. The maximum number of unavailable controlplane nodes can also be configured, so that they can be upgraded in batches. - -As long as the maximum unavailable number or percentage of controlplane nodes has not been reached, Rancher will continue to upgrade other controlplane nodes, then the worker nodes. - -If any controlplane nodes were unable to be upgraded, the upgrade will not proceed to the worker nodes. - -### Upgrades of Worker Nodes - -By default, worker nodes are upgraded in batches. The size of the batch is determined by the maximum number of unavailable worker nodes, configured as the `max_unavailable_worker` directive in the `cluster.yml`. - -By default, the `max_unavailable_worker` nodes is defined as 10 percent of all worker nodes. This number can be configured as a percentage or as an integer. When defined as a percentage, the batch size is rounded down to the nearest node, with a minimum of one node. - -For example, if you have 11 worker nodes and `max_unavailable_worker` is 25%, two nodes will be upgraded at once because 25% of 11 is 2.75. If you have two worker nodes and `max_unavailable_worker` is 1%, the worker nodes will be upgraded one at a time because the minimum batch size is one. - -When each node in a batch returns to a Ready state, the next batch of nodes begins to upgrade. 
If `kubelet` and `kube-proxy` have started, the node is Ready. As long as the `max_unavailable_worker` number of nodes have not failed, Rancher will continue to upgrade other worker nodes. - -RKE scans the cluster before starting the upgrade to find the powered down or unreachable hosts. The upgrade will stop if that number matches or exceeds the maximum number of unavailable nodes. - -RKE will cordon each node before upgrading it, and uncordon the node afterward. RKE can also be configured to [drain](https://kubernetes.io/docs/tasks/administer-cluster/safely-drain-node/) nodes before upgrading them. - -RKE will handle all worker node upgrades before upgrading any add-ons. As long as the maximum number of unavailable worker nodes is not reached, RKE will attempt to upgrade the [addons.](#upgrades-of-addons) For example, if a cluster has two worker nodes and one worker node fails, but the maximum unavailable worker nodes is greater than one, the addons will still be upgraded. - -### Upgrades of Addons - -The availability of your applications partly depends on the availability of [RKE addons.]({{}}/rke/latest/en/config-options/add-ons/) Addons are used to deploy several cluster components, including network plug-ins, the Ingress controller, DNS provider, and metrics server. - -Because RKE addons are necessary for allowing traffic into the cluster, a zero-downtime upgrade requires them to be updated in batches. You will need to configure the maximum number of unavailable replicas for each addon in the `cluster.yml` to ensure that your cluster will retain enough available replicas during an upgrade. 
- -For more information on configuring the number of replicas for each addon, refer to [this section.](#replicas-for-rke-addons) - -For an example showing how to configure the addons for zero downtime, refer to the [example cluster.yml.](#example-cluster-yml) - -{{% /tab %}} -{{% tab "RKE prior to v1.1.0" %}} - -When a cluster is upgraded with `rke up`, using the default options, the following process is used: - -- etcd nodes get updated first, one at a time. -- Controlplane nodes get updated second, one at a time. -- Worker nodes and addons get updated third, in batches of 50 or the total number of worker nodes, whichever is lower. -- Addons get upgraded one by one. - -### Upgrades of Controlplane and etcd Nodes - -Controlplane and etcd nodes would be upgraded in batches of 50 nodes or the total number of controlplane nodes, whichever is lower. - -If a node fails at any time, the upgrade will stop upgrading any other nodes and fail. - -### Upgrades of Worker Nodes - -Worker nodes are upgraded simultaneously, in batches of either 50 or the total number of worker nodes, whichever is lower. If a worker node fails at any time, the upgrade stops. - -When a worker node is upgraded, it restarts several Docker processes, including the `kubelet` and `kube-proxy`. When `kube-proxy` comes up, it flushes `iptables`. When this happens, pods on this node can’t be accessed, resulting in downtime for the applications. - -{{% /tab %}} -{{% /tabs %}} \ No newline at end of file diff --git a/content/rancher/v2.x/en/cluster-admin/zero-downtime/_index.md b/content/rancher/v2.x/en/cluster-admin/zero-downtime/_index.md deleted file mode 100644 index 68b0b4924de..00000000000 --- a/content/rancher/v2.x/en/cluster-admin/zero-downtime/_index.md +++ /dev/null 
@@ -1,246 +0,0 @@ ---- -title: Zero-downtime Cluster Maintenance -weight: 71 ---- - -_Available as of v2.4.0_ - -It is now possible to upgrade or edit an RKE Kubernetes cluster without downtime for your applications. In this section, you'll learn how to configure your cluster to prevent downtime when you upgrade the cluster using `rke up`. - -A zero-downtime upgrade is one in which your workloads are available on at least a single node, and all critical addon services, such as Ingress and DNS, are available during the upgrade. - -This availability is achieved by upgrading worker nodes in batches of a configurable size, and ensuring that your workloads run on a number of nodes that exceeds that maximum number of unavailable worker nodes. - -Several requirements must be met before zero-downtime cluster upgrades can succeed. For details, refer to [this section.](#requirements) - -- [How Upgrades Work](#how-upgrades-work) -- [Requirements for Zero-downtime Upgrades](#requirements-for-zero-downtime-upgrades) - - [Kubernetes Version Requirement](#1-kubernetes-version-requirement) - - [Cluster Requirements](#2-cluster-requirements) - - [Workload Requirements](#3-workload-requirements) -- [Configuring the Upgrade Strategy](#configuring-the-upgrade-strategy) - - [Maximum Unavailable Nodes](#maximum-unavailable-nodes) - - [Draining Nodes](#draining-nodes) - - [Replicas for Ingress and Networking Addons](#replicas-for-ingress-and-networking-addons) - - [Replicas for DNS and Monitoring Addons](#replicas-for-dns-and-monitoring-addons) -- [Example cluster.yml](#example-cluster-yml) -- [Troubleshooting](#troubleshooting) - - -# Requirements for Zero-downtime Upgrades - -To achieve a cluster upgrade without downtime for your applications, you will need to configure your workloads to continue running despite the rolling upgrade of worker nodes. There are also requirements for the cluster architecture and Kubernetes target version. - -1. 
[Kubernetes version requirement](#2-kubernetes-version-requirement) -2. [Cluster requirements](#1-cluster-requirements) -3. [Workload requirements](#3-workload-requirements) - -### 1. Kubernetes Version Requirement - -When upgrading to a newer Kubernetes version, the upgrade must be from a minor release to the next minor version, or to within the same patch release series. - -### 2. Cluster Requirements - -The following must be true of the cluster that will be upgraded: - -1. The cluster has three or more etcd nodes. -1. The cluster has two or more controlplane nodes. -1. The cluster has two or more worker nodes. -1. The Ingress, DNS, and other addons are schedulable to a number of nodes that exceeds the maximum number of unavailable worker nodes. By default, the minimum number of unavailable worker nodes is one. - -### 3. Workload Requirements - -The following must be true of the cluster's applications: - -1. The application and Ingress are deployed across a number of nodes exceeding the maximum number of unavailable worker nodes. -1. The applications must make use of liveness and readiness probes. - -For information on how to use node selectors to assign pods to nodes, refer to the [official Kubernetes documentation.](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/) - -For information on configuring the number of replicas for each addon, refer to [this section.](#replicas-for-rke-addons) - -# Configuring the Upgrade Strategy - -In this section, you'll learn how to configure the maximum number of unavailable controlplane and worker nodes, how to drain nodes before upgrading them, and how to configure the replicas for addons such as Ingress. - -### Maximum Unavailable Nodes - -Optionally, configure the following upgrade directives in the `cluster.yml` before upgrading the cluster: - -- **max_unavailable_controlplane:** The maximum number of controlplane nodes that can fail without causing the cluster upgrade to fail. 
By default, `max_unavailable_controlplane` is defined as 2 nodes. -- **max_unavailable_worker:** The maximum number of worker nodes that can fail without causing the cluster upgrade to fail. By default, `max_unavailable_worker` is defined as 10 percent of all worker nodes.* - -/* This number can be configured as a percentage or as an integer. When defined as a percentage, the batch size is rounded down to the nearest node, with a minimum of one node per batch. - -An example configuration of the cluster upgrade strategy is shown below: - -```yaml -upgrade_strategy: - max_unavailable_worker: 10% - max_unavailable_controlplane: 2 -``` - -### Draining Nodes - -By default, nodes are cordoned first before upgrading. Each node should always be cordoned before starting its upgrade so that new pods will not be scheduled to it, and traffic will not reach the node. In addition to cordoning each node, RKE can also be configured to drain each node before starting its upgrade. Draining a node will evict all the pods running on the computing resource. - -For information on draining and how to safely drain a node, refer to the [Kubernetes documentation.](https://kubernetes.io/docs/tasks/administer-cluster/safely-drain-node/) - -If the `drain` directive is set to `true` in the `cluster.yml`, worker nodes will be drained before they are upgraded. 
The default value is false: - -```yaml -upgrade_strategy: - max_unavailable_worker: 10% - max_unavailable_controlplane: 2 - drain: false - node_drain_input: - force: false - ignore_daemonsets: true - delete_local_data: false - grace_period: -1 // grace period specified for each pod spec will be used - timeout: 60 -``` - -### Replicas for Ingress and Networking Addons - -The Ingress and network addons are launched as Kubernetes [daemonsets.](https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/) If no value is given for the [update strategy,](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy) Kubernetes sets the update strategy to `rollingUpdate` by default, with `maxUnavailable` set to 1. - -An example configuration of the Ingress and network addons is shown below: - -```yaml -ingress: - provider: nginx - update_strategy: - type: RollingUpdate - rollingUpdate: - maxUnavailable: 5 -network: - plugin: canal - update_strategy: - type: RollingUpdate - rollingUpdate: - maxUnavailable: 6 -``` - -### Replicas for DNS and Monitoring Addons - -The DNS and monitoring addons are launched as Kubernetes [deployments.](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/) These addons include `coredns`, `kubedns`, and `metrics-server`, the monitoring deployment. - -If no value is configured for their [update strategy](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy) in the `cluster.yml`, Kubernetes sets the update strategy to `rollingUpdate` by default, with `maxUnavailable` set to 25% and `maxSurge` set to 25%. - -The DNS addons use `cluster-proportional-autoscaler`, which is an [open-source container image](https://github.com/kubernetes-incubator/cluster-proportional-autoscaler) that watches over the number of schedulable nodes and cores of the cluster and resizes the number of replicas for the required resource. 
This functionality is useful for applications that need to be autoscaled with the number of nodes in the cluster. For the DNS addon, the fields needed for the `cluster-proportional-autoscaler` are made configurable. - -The following table shows the default values for these fields: - -Field Name | Default Value ------------|-------------- -coresPerReplica | 128 -nodesPerReplica | 4 -min | 1 -preventSinglePointFailure | true - -The `cluster-proportional-autoscaler` uses this formula to calculate the number of replicas: - -```plain -replicas = max( ceil( cores * 1/coresPerReplica ) , ceil( nodes * 1/nodesPerReplica ) ) -replicas = min(replicas, max) -replicas = max(replicas, min) -``` - -An example configuration of the DNS and monitoring addons is shown below: - -```yaml -dns: - provider: coredns - update_strategy: - type: RollingUpdate - rollingUpdate: - maxUnavailable: 20% - maxSurge: 15% - linear_autoscaler_params: - cores_per_replica: 0.34 - nodes_per_replica: 4 - prevent_single_point_failure: true - min: 2 - max: 3 -monitoring: - provider: metrics-server - update_strategy: - type: RollingUpdate - rollingUpdate: - maxUnavailable: 8 -``` - -### Example cluster.yml - -```yaml -# If you intened to deploy Kubernetes in an air-gapped environment, -# please consult the documentation on how to configure custom RKE images. 
-nodes: -# At least three etcd nodes, two controlplane nodes, and two worker nodes, -# nodes skipped for brevity -upgrade_strategy: - max_unavailable_worker: 10% - max_unavailable_controlplane: 2 - drain: false - node_drain_input: - force: false - ignore_daemonsets: true - delete_local_data: false - grace_period: -1 // grace period specified for each pod spec will be used - timeout: 60 -ingress: - provider: nginx - update_strategy: # Available in v2.4 - type: RollingUpdate - rollingUpdate: - maxUnavailable: 5 -network: - plugin: canal - update_strategy: # Available in v2.4 - type: RollingUpdate - rollingUpdate: - maxUnavailable: 6 -dns: - provider: coredns - update_strategy: # Available in v2.4 - type: RollingUpdate - rollingUpdate: - maxUnavailable: 20% - maxSurge: 15% - linear_autoscaler_params: - cores_per_replica: 0.34 - nodes_per_replica: 4 - prevent_single_point_failure: true - min: 2 - max: 3 -monitoring: - provider: metrics-server - update_strategy: # Available in v2.4 - type: RollingUpdate - rollingUpdate: - maxUnavailable: 8 -``` - -# Upgrading Nodes Manually - -You can manually update each type of node separately. As a best practice, upgrade the etcd nodes first, followed by controlplane and then worker nodes. - -A cluster can be rolled back to a snapshot that uses a previous Kubernetes version. - -# Troubleshooting - -If a node doesn't come up after an upgrade, the `rke up` command errors out. - -No upgrade will proceed if the number of unavailable nodes exceeds the configured maximum. - -If an upgrade stops, you may need to fix an unavailable node or remove it from the cluster before the upgrade can continue. 
- -A failed node could be in many different states: - -- Powered off -- Unavailable -- User drains a node while upgrade is in process, so there are no kubelets on the node -- The upgrade itself failed - -If the max unavailable number of nodes is reached during an upgrade, Rancher user clusters will be stuck in updating state and not move forward with upgrading any other control plane nodes. It will continue to evaluate the set of unavailable nodes in case one of the nodes becomes available. If the node cannot be fixed, you must remove the node in order to continue the upgrade. \ No newline at end of file diff --git a/content/rke/latest/en/upgrades/_index.md b/content/rke/latest/en/upgrades/_index.md index 84c71932e65..82fd69b72e6 100644 --- a/content/rke/latest/en/upgrades/_index.md +++ b/content/rke/latest/en/upgrades/_index.md 
@@ -15,18 +15,24 @@ In case the Kubernetes version is defined in the `kubernetes_version` directive This page covers the following topics: +- [How upgrades work](#how-upgrades-work) - [Prerequisites](#prerequisites) - [Upgrading Kubernetes](#upgrading-kubernetes) +- [Configuring the upgrade strategy](#configuring-the-upgrade-strategy) +- [Maintaining availability for applications during upgrades](#maintaining-availability-for-applications-during-upgrades) - [Listing supported Kubernetes versions](#listing-supported-kubernetes-versions) - [Kubernetes version precedence](#kubernetes-version-precedence) - [Using an unsupported Kubernetes version](#using-an-unsupported-kubernetes-version) - [Mapping the Kubernetes version to services](#mapping-the-kubernetes-version-to-services) - [Service upgrades](#service-upgrades) -- [Configuring the upgrade strategy](#configuring-the-upgrade-strategy) - [Upgrading Nodes Manually](#upgrading-nodes-manually) - [Rolling Back the Kubernetes Version](#rolling-back-the-kubernetes-version) - [Troubleshooting](#troubleshooting) +### How Upgrades Work + +In [this section,]({{}}/rke/latest/en/upgrades/how-upgrades-work) you'll learn what happens when you edit or upgrade your RKE Kubernetes cluster. + ### Prerequisites - Ensure that any `system_images` configuration is absent from the `cluster.yml`. The Kubernetes version should only be listed under the `system_images` directive if an [unsupported version](#using-an-unsupported-kubernetes-version) is being used. Refer to [Kubernetes version precedence](#kubernetes-version-precedence) for more information. 
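Review bot: In the new "How Upgrades Work" paragraph the link text is "this section," with the comma inside the brackets, so the link does not name its target and the punctuation gets underlined. Linking the page title instead, with the comma outside the link, would make the entry scannable and match the heading it sits under.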
@@ -63,6 +69,18 @@ Then invoke `rke up`: $ rke up --config cluster.yml ``` +### Configuring the Upgrade Strategy + +As of v0.1.8, upgrades to add-ons are supported. [Add-ons]({{}}/rke/latest/en/config-options/add-ons/) can also be upgraded by changing any of the add-ons and running `rke up` again with the updated configuration file. + +As of v1.1.0, additional upgrade options became available to give you more granular control over the upgrade process. These options can be used to maintain availability of your applications during a cluster upgrade. + +For details on upgrade configuration options, refer to [Configuring the Upgrade Strategy.]({{}}/rke/latest/en/upgrades/configuring-strategy) + +### Maintaining Availability for Applications During Upgrades + +In [this section,]({{}}/rke/latest/en/upgrades/maintaining-availability/) you'll learn the requirements to prevent downtime for your applications when you upgrade the cluster using `rke up`. + ### Listing Supported Kubernetes Versions Please refer to the [release notes](https://github.com/rancher/rke/releases) of the RKE version that you are running, to find the list of supported Kubernetes versions as well as the default Kubernetes version. 
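Review bot: The two links added in this hunk disagree on the trailing slash: `/rke/latest/en/upgrades/configuring-strategy)` has none, while `/rke/latest/en/upgrades/maintaining-availability/)` has one. The maintaining-availability page touched later in this patch links to `configuring-strategy/` with the slash, so using the slash form here as well keeps the URLs consistent across the pages.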
@@ -105,16 +123,6 @@ For RKE prior to v0.3.0, the service defaults are located [here](https://github. > **Note:** The following arguments, `service_cluster_ip_range` or `cluster_cidr`, cannot be changed as any changes to these arguments will result in a broken cluster. Currently, network pods are not automatically upgraded. -### Configuring the Upgrade Strategy - -As of v0.1.8, upgrades to add-ons are supported. [Add-ons]({{}}/rke/latest/en/config-options/add-ons/) can also be upgraded by changing any of the add-ons and running `rke up` again with the updated configuration file. - -As of v1.1.0, additional upgrade options became available to give you more granular control over the upgrade process. These options can be used to maintain availability of your applications during a cluster upgrade. - -For details on upgrade configuration options, refer to [Configuring the Upgrade Strategy.]({{}}/rke/latest/en/upgrades/configuring-strategy) - -For the requirements to maintain availability of applications during a cluster upgrade, refer to [this section.]({{}}/rke/latest/en/upgrades/maintaining-availability) - ### Upgrading Nodes Manually _Available as of v1.1.0_ diff --git a/content/rke/latest/en/upgrades/how-upgrades-work/_index.md b/content/rke/latest/en/upgrades/how-upgrades-work/_index.md index 7d2e6eb5408..2db6bd2933d 100644 --- a/content/rke/latest/en/upgrades/how-upgrades-work/_index.md +++ b/content/rke/latest/en/upgrades/how-upgrades-work/_index.md @@ -3,7 +3,7 @@ title: How Upgrades Work weight: 1 --- -In this section, you'll learn how each type of node is upgraded by default when a cluster is upgraded using `rke up`. +In this section, you'll learn what happens when you edit or upgrade your RKE Kubernetes cluster. The below sections describe how each type of node is upgraded by default when a cluster is upgraded using `rke up`. {{% tabs %}} {{% tab "RKE v1.1.0+" %}} 
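Review bot: The rewritten intro of how-upgrades-work promises "what happens when you edit or upgrade your RKE Kubernetes cluster", but the second sentence and the tabs below it only describe upgrades run with `rke up`. Either drop "edit" or add a sentence on what an edit triggers. "The below sections" would also read better as "The sections below".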
@@ -23,11 +23,6 @@ When a cluster is upgraded with `rke up`, using the default options, the followi The following sections break down in more detail what happens when etcd nodes, controlplane nodes, worker nodes, and addons are upgraded. This information is intended to be used to help you understand the update strategy for the cluster, and may be useful when troubleshooting problems with upgrading the cluster. -- [Upgrades of etcd nodes](#upgrades-of-etcd-nodes) -- [Upgrades of controlplane nodes](#upgrades-of-controlplane-nodes) -- [Upgrades of worker nodes](#upgrades-of-worker-nodes) -- [Upgrades of addons](#upgrades-of-addons) - ### Upgrades of etcd Nodes A cluster upgrade begins by upgrading the etcd nodes one at a time. 
@@ -62,11 +57,11 @@ RKE will handle all worker node upgrades before upgrading any add-ons. As long a The availability of your applications partly depends on the availability of [RKE addons.]({{}}/rke/latest/en/config-options/add-ons/) Addons are used to deploy several cluster components, including network plug-ins, the Ingress controller, DNS provider, and metrics server. -Because RKE addons are necessary for allowing traffic into the cluster, a zero-downtime upgrade requires them to be updated in batches. You will need to configure the maximum number of unavailable replicas for each addon in the `cluster.yml` to ensure that your cluster will retain enough available replicas during an upgrade. +Because RKE addons are necessary for allowing traffic into the cluster, they will need to be updated in batches to maintain availability. You will need to configure the maximum number of unavailable replicas for each addon in the `cluster.yml` to ensure that your cluster will retain enough available replicas during an upgrade. For more information on configuring the number of replicas for each addon, refer to [this section.](#replicas-for-rke-addons) -For an example showing how to configure the addons for zero downtime, refer to the [example cluster.yml.](#example-cluster-yml) +For an example showing how to configure the addons, refer to the [example cluster.yml.](#example-cluster-yml) {{% /tab %}} {{% tab "RKE prior to v1.1.0" %}} diff --git a/content/rke/latest/en/upgrades/maintaining-availability/_index.md b/content/rke/latest/en/upgrades/maintaining-availability/_index.md index cc19876b13c..03cc98b7517 100644 --- a/content/rke/latest/en/upgrades/maintaining-availability/_index.md +++ b/content/rke/latest/en/upgrades/maintaining-availability/_index.md 
@@ -29,16 +29,15 @@ The following must be true of the cluster that will be upgraded: 1. The cluster has three or more etcd nodes. 1. The cluster has two or more controlplane nodes. 1. The cluster has two or more worker nodes. -1. The Ingress, DNS, and other addons are schedulable to a number of nodes that exceeds the maximum number of unavailable worker nodes. By default, the minimum number of unavailable worker nodes is one. +1. The Ingress, DNS, and other addons are schedulable to a number of nodes that exceeds the maximum number of unavailable worker nodes, also called the batch size. By default, the minimum number of unavailable worker nodes is 10 percent of worker nodes, rounded down to the nearest node, with a minimum batch size of one node. ### 3. Workload Requirements The following must be true of the cluster's applications: -1. The application and Ingress are deployed across a number of nodes exceeding the maximum number of unavailable worker nodes. +1. The application and Ingress are deployed across a number of nodes exceeding the maximum number of unavailable worker nodes, also called the batch size. By default, the minimum number of unavailable worker nodes is 10 percent of worker nodes, rounded down to the nearest node, with a minimum batch size of one node. 1. The applications must make use of liveness and readiness probes. For information on how to use node selectors to assign pods to nodes, refer to the [official Kubernetes documentation.](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/) -For information on configuring the number of replicas for each addon, refer to [this section.]({{}}/rke/latest/en/upgrades/configuring-strategy/) - +For information on configuring the number of replicas for each addon, refer to [this section.]({{}}/rke/latest/en/upgrades/configuring-strategy/) \ No newline at end of file From dd42046c80c49b05aba74fa7a51a6529ce507e2b Mon Sep 17 00:00:00 2001 
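Review bot: In both rewritten list items, "By default, the minimum number of unavailable worker nodes is 10 percent of worker nodes" should say "maximum". The value described is the batch size set by `max_unavailable_worker`, and the first half of the same item already calls it "the maximum number of unavailable worker nodes, also called the batch size", so the two halves contradict each other as written. The same default sentence is pasted into the cluster requirement and the workload requirement; stating it once and referring back would be easier to keep correct. The last changed line also drops the file's trailing newline (`\ No newline at end of file`).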
From: Catherine Luse Date: Wed, 25 Mar 2020 03:43:31 -0700 Subject: [PATCH 094/183] Update downstream cluster backup section --- content/rancher/v2.x/en/backups/_index.md | 4 +- .../cluster-admin/backing-up-etcd/_index.md | 60 ++++++++++++++----- .../en/cluster-admin/restoring-etcd/_index.md | 2 +- 3 files changed, 47 insertions(+), 19 deletions(-) diff --git a/content/rancher/v2.x/en/backups/_index.md b/content/rancher/v2.x/en/backups/_index.md index e88b97fbbd3..b4ca63cc4a0 100644 --- a/content/rancher/v2.x/en/backups/_index.md +++ b/content/rancher/v2.x/en/backups/_index.md @@ -5,7 +5,6 @@ weight: 1000 This section is devoted to protecting your data in a disaster scenario. - To protect yourself from a disaster scenario, you should create backups on a regular basis. - Rancher server backups: @@ -14,8 +13,7 @@ To protect yourself from a disaster scenario, you should create backups on a reg - Rancher installed with Docker - [Backing up Rancher Launched Kubernetes Clusters]({{}}/rancher/v2.x/en/cluster-admin/backing-up-etcd/) - In a disaster scenario, you can restore your `etcd` database by restoring a backup. - [Rancher Server Restorations]({{}}/rancher/v2.x/en/backups/restorations) - - [Restoring Rancher Launched Kubernetes Clusters]({{}}/rancher/v2.x/en/cluster-admin/restoring-etcd/) + - [Restoring Rancher Launched Kubernetes Clusters]({{}}/rancher/v2.x/en/cluster-admin/restoring-etcd/) \ No newline at end of file diff --git a/content/rancher/v2.x/en/cluster-admin/backing-up-etcd/_index.md b/content/rancher/v2.x/en/cluster-admin/backing-up-etcd/_index.md index 227c4cee080..bcde7c059b9 100644 --- a/content/rancher/v2.x/en/cluster-admin/backing-up-etcd/_index.md +++ b/content/rancher/v2.x/en/cluster-admin/backing-up-etcd/_index.md 
@@ -1,15 +1,40 @@ --- -title: Backing up etcd +title: Backing up Cluster Data weight: 2045 --- _Available as of v2.2.0_ -In the Rancher UI, etcd backup and recovery for [Rancher launched Kubernetes clusters]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/) can be easily performed. Snapshots of the etcd database are taken and saved either [locally onto the etcd nodes](#local-backup-target) or to a [S3 compatible target](#s3-backup-target). The advantages of configuring S3 is that if all etcd nodes are lost, your snapshot is saved remotely and can be used to restore the cluster. +In the Rancher UI, etcd backup and recovery for [Rancher launched Kubernetes clusters]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/) can be easily performed. Rancher recommends configuring recurrent `etcd` snapshots for all production clusters. Additionally, one-time snapshots can easily be taken as well. ->**Note:** If you have any Rancher launched Kubernetes clusters that were created prior to v2.2.0, after upgrading Rancher, you must [edit the cluster]({{}}/rancher/v2.x/en/cluster-admin/editing-clusters/) and _save_ it, in order to enable the updated snapshot features. Even if you were already creating snapshots prior to v2.2.0, you must do this step as the older snapshots will not be available to use to [back up and restore etcd through the UI]({{}}/rancher/v2.x/en/cluster-admin/restoring-etcd/). +Snapshots of the etcd database are taken and saved either [locally onto the etcd nodes](#local-backup-target) or to a [S3 compatible target](#s3-backup-target). The advantages of configuring S3 is that if all etcd nodes are lost, your snapshot is saved remotely and can be used to restore the cluster. 
+ +This section covers the following topics: + +- [How snapshots work](#how-snapshots-work) +- [Snapshot creation period and retention count](#snapshot-creation-period-and-retention-count) + - [Configuring recurring snapshots for the cluster](#configuring-recurring-snapshots-for-the-cluster) +- [One-time snapshots](#one-time-snapshots) +- [Snapshot backup targets](#snapshot-backup-targets) + - [Local backup target](#local-backup-target) + - [S3 backup target](#s3-backup-target) + - [Using a custom CA certificate for S3](#using-a-custom-ca-certificate-for-s3) + - [IAM Support for storing snapshots in S3](#iam-support-for-storing-snapshots-in-s3) +- [Safe timestamps](#safe-timestamps) +- [Enabling snapshot features for clusters created before Rancher v2.2.0](#enabling-snapshot-features-for-clusters-created-before-Rancher-v2-2-0) + +# How Snapshots Work + +{{% tabs %}} +{{% tab "Rancher v2.4.0+" %}} + +{{% /tab %}} +{{% tab "Rancher prior to v2.4.0" %}} +When Rancher creates a snapshot, only the etcd data is included in the snapshot. +{{% /tab %}} +{{% /tabs %}} # Snapshot Creation Period and Retention Count @@ -30,7 +55,7 @@ In the **Advanced Cluster Options** section, there are several options available |[Recurring etcd Snapshot Creation Period](#snapshot-creation-period-and-retention-count) | Time in hours between recurring snapshots| 12 hours | |[Recurring etcd Snapshot Retention Count](#snapshot-creation-period-and-retention-count)| Number of snapshots to retain| 6 | -### One-Time Snapshots +# One-Time Snapshots In addition to recurring snapshots, you may want to take a "one-time" snapshot. For example, before upgrading the Kubernetes version of a cluster it's best to backup the state of the cluster to protect against upgrade failure. 
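Review bot: In the `@@ -1,15 +1,40 @@` hunk, the new `{{% tab "Rancher v2.4.0+" %}}` is opened and closed with nothing inside it, so "How Snapshots Work" would publish an empty tab for current versions. Either add the v2.4.0 text in this commit or leave the tabs out until it exists. The new TOC entry `#enabling-snapshot-features-for-clusters-created-before-Rancher-v2-2-0` also has a capital R where every other anchor in the list is lowercase, so that link should be checked against the generated heading id.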
@@ -51,14 +76,6 @@ Rancher supports two different backup targets: By default, the `local` backup target is selected. The benefits of this option is that there is no external configuration. Snapshots are automatically saved locally to the etcd nodes in the [Rancher launched Kubernetes clusters]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/) in `/opt/rke/etcd-snapshots`. All recurring snapshots are taken at configured intervals. The downside of using the `local` backup target is that if there is a total disaster and _all_ etcd nodes are lost, there is no ability to restore the cluster. -#### Safe Timestamps - -_Available as of v2.3.0_ - -As of v2.2.6, snapshot files are timestamped to simplify processing the files using external tools and scripts, but in some S3 compatible backends, these timestamps were unusable. As of Rancher v2.3.0, the option `safe_timestamp` is added to support compatible file names. When this flag is set to `true`, all special characters in the snapshot filename timestamp are replaced. - ->>**Note:** This option is not available directly in the UI, and is only available through the `Edit as Yaml` interface. - ### S3 Backup Target The `S3` backup target allows users to configure a S3 compatible backend to store the snapshots. The primary benefit of this option is that if the cluster loses all the etcd nodes, the cluster can still be restored as the snapshots are stored externally. Rancher recommends external targets like `S3` backup, however its configuration requirements do require additional effort that should be considered. 
@@ -72,13 +89,14 @@ The `S3` backup target allows users to configure a S3 compatible backend to stor |S3 Secret Key|S3 secret key with permission to access the backup bucket|*| | Custom CA Certificate | A custom certificate used to access private S3 backends _Available as of v2.2.5_ || -#### Using a custom CA certificate for S3 +### Using a custom CA certificate for S3 _Available as of v2.2.5_ The backup snapshot can be stored on a custom `S3` backup like [minio](https://min.io/). If the S3 back end uses a self-signed or custom certificate, provide a custom certificate using the `Custom CA Certificate` option to connect to the S3 backend. -# IAM Support for Storing Snapshots in S3 +### IAM Support for Storing Snapshots in S3 + The `S3` backup target supports using IAM authentication to AWS API in addition to using API credentials. An IAM role gives temporary permissions that an application can use when making API calls to S3 storage. To use IAM authentication, the following requirements must be met: - The cluster etcd nodes must have an instance role that has read/write access to the designated backup bucket. 
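Review bot: The two headings this hunk moves to the same level use different capitalization: "### Using a custom CA certificate for S3" is sentence case, while "### IAM Support for Storing Snapshots in S3" is title case, like "### S3 Backup Target" and "# One-Time Snapshots" elsewhere in the file. Title-casing the CA heading while it is being touched would make the section consistent.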
@@ -90,8 +108,20 @@ The `S3` backup target supports using IAM authentication to AWS API in addition # Viewing Available Snapshots -The list of all available snapshots for the cluster is available. +The list of all available snapshots for the cluster is available in the Rancher UI. 1. In the **Global** view, navigate to the cluster that you want to view snapshots. 2. Click **Tools > Snapshots** from the navigation bar to view the list of saved snapshots. These snapshots include a timestamp of when they were created. + +# Safe Timestamps + +_Available as of v2.3.0_ + +As of v2.2.6, snapshot files are timestamped to simplify processing the files using external tools and scripts, but in some S3 compatible backends, these timestamps were unusable. As of Rancher v2.3.0, the option `safe_timestamp` is added to support compatible file names. When this flag is set to `true`, all special characters in the snapshot filename timestamp are replaced. + +>>**Note:** This option is not available directly in the UI, and is only available through the `Edit as Yaml` interface. + +# Enabling Snapshot Features for Clusters Created Before Rancher v2.2.0 + +If you have any Rancher launched Kubernetes clusters that were created prior to v2.2.0, after upgrading Rancher, you must [edit the cluster]({{}}/rancher/v2.x/en/cluster-admin/editing-clusters/) and _save_ it, in order to enable the updated snapshot features. Even if you were already creating snapshots prior to v2.2.0, you must do this step as the older snapshots will not be available to use to [back up and restore etcd through the UI]({{}}/rancher/v2.x/en/cluster-admin/restoring-etcd/). diff --git a/content/rancher/v2.x/en/cluster-admin/restoring-etcd/_index.md b/content/rancher/v2.x/en/cluster-admin/restoring-etcd/_index.md index 2194f5c43b1..20c3141ac0c 100644 --- a/content/rancher/v2.x/en/cluster-admin/restoring-etcd/_index.md +++ b/content/rancher/v2.x/en/cluster-admin/restoring-etcd/_index.md 
@@ -1,5 +1,5 @@ --- -title: Restoring etcd +title: Restoring a Cluster from Backup weight: 2050 --- From ec9f8c9e63d720172e644a5b6f3e286875bcd419 Mon Sep 17 00:00:00 2001 From: Catherine Luse Date: Wed, 25 Mar 2020 08:58:12 -0700 Subject: [PATCH 095/183] Update docs for atomic rollback feature --- .../cluster-admin/backing-up-etcd/_index.md | 32 +++++++--- .../en/cluster-admin/restoring-etcd/_index.md | 61 ++++++++++++++++--- .../upgrading-kubernetes/_index.md | 7 ++- 3 files changed, 83 insertions(+), 17 deletions(-) diff --git a/content/rancher/v2.x/en/cluster-admin/backing-up-etcd/_index.md b/content/rancher/v2.x/en/cluster-admin/backing-up-etcd/_index.md index bcde7c059b9..d0d3cfab5eb 100644 --- a/content/rancher/v2.x/en/cluster-admin/backing-up-etcd/_index.md +++ b/content/rancher/v2.x/en/cluster-admin/backing-up-etcd/_index.md @@ -1,5 +1,5 @@ --- -title: Backing up Cluster Data +title: Backing up a Cluster weight: 2045 --- 
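Review bot: The title of `backing-up-etcd/_index.md` becomes "Backing up a Cluster" here, one commit after the previous patch changed it from "Backing up etcd" to "Backing up Cluster Data". Settling on the final title in a single commit would keep the history clean, and it now pairs with "Restoring a Cluster from Backup" on the restore page, so it is worth confirming both names are the ones meant to ship.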
@@ -14,34 +14,50 @@ Snapshots of the etcd database are taken and saved either [locally onto the etcd This section covers the following topics: - [How snapshots work](#how-snapshots-work) -- [Snapshot creation period and retention count](#snapshot-creation-period-and-retention-count) - - [Configuring recurring snapshots for the cluster](#configuring-recurring-snapshots-for-the-cluster) +- [Configuring recurring snapshots](#configuring-recurring-snapshots) - [One-time snapshots](#one-time-snapshots) - [Snapshot backup targets](#snapshot-backup-targets) - [Local backup target](#local-backup-target) - [S3 backup target](#s3-backup-target) - [Using a custom CA certificate for S3](#using-a-custom-ca-certificate-for-s3) - [IAM Support for storing snapshots in S3](#iam-support-for-storing-snapshots-in-s3) +- [Viewing available snapshots](#viewing-available-snapshots) - [Safe timestamps](#safe-timestamps) -- [Enabling snapshot features for clusters created before Rancher v2.2.0](#enabling-snapshot-features-for-clusters-created-before-Rancher-v2-2-0) +- [Enabling snapshot features for clusters created before Rancher v2.2.0](#enabling-snapshot-features-for-clusters-created-before-rancher-v2-2-0) # How Snapshots Work {{% tabs %}} {{% tab "Rancher v2.4.0+" %}} +When Rancher creates a snapshot, it includes three components: +- The cluster data in etcd +- The Kubernetes version +- The cluster configuration in the form of the `cluster.yml` + +Because the Kubernetes version is now included in the snapshot, it is possible to restore a cluster to a prior Kubernetes version. + +The multiple components of the snapshot allow you to select from the following options if you need to a cluster from a snapshot: + +- **Restore just the etcd contents:** This restoration is similar to restoring to snapshots in Rancher prior to v2.4.0. 
+- **Restore etcd and Kubernetes version:** This option should be used if a Kubernetes upgrade is the reason that your cluster is failing, and you haven't made any cluster configuration changes. +- **Restore etcd, Kubernetes versions and cluster configuration:** This option should be used if you changed both the Kubernetes version and cluster configuration when upgrading. + +It's always recommended to take a new snapshot before any upgrades. {{% /tab %}} {{% tab "Rancher prior to v2.4.0" %}} When Rancher creates a snapshot, only the etcd data is included in the snapshot. + +Because the Kubernetes version is not included in the snapshot, there is no option to restore a cluster to a different Kubernetes version. + +It's always recommended to take a new snapshot before any upgrades. {{% /tab %}} {{% /tabs %}} -# Snapshot Creation Period and Retention Count +# Configuring Recurring Snapshots Select how often you want recurring snapshots to be taken as well as how many snapshots to keep. The amount of time is measured in hours. With timestamped snapshots, the user has the ability to do a point-in-time recovery. -### Configuring Recurring Snapshots for the Cluster - By default, [Rancher launched Kubernetes clusters]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/) are configured to take recurring snapshots (saved to local disk). To protect against local disk failure, using the [S3 Target](#s3-backup-target) or replicating the path on disk is advised. During cluster provisioning or editing the cluster, the configuration for snapshots can be found in the advanced section for **Cluster Options**. Click on **Show advanced options**. 
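Review bot: The sentence that introduces the restore options in the "Rancher v2.4.0+" tab is missing its verb: "if you need to a cluster from a snapshot" should read "if you need to restore a cluster from a snapshot". The third bullet says "Kubernetes versions" where the second says "Kubernetes version"; use the singular in both. "It's always recommended to take a new snapshot before any upgrades." is repeated verbatim in both tabs and could sit once below the closing `{{% /tabs %}}`.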
@@ -120,7 +136,7 @@ _Available as of v2.3.0_ As of v2.2.6, snapshot files are timestamped to simplify processing the files using external tools and scripts, but in some S3 compatible backends, these timestamps were unusable. As of Rancher v2.3.0, the option `safe_timestamp` is added to support compatible file names. When this flag is set to `true`, all special characters in the snapshot filename timestamp are replaced. ->>**Note:** This option is not available directly in the UI, and is only available through the `Edit as Yaml` interface. +This option is not available directly in the UI, and is only available through the `Edit as Yaml` interface. # Enabling Snapshot Features for Clusters Created Before Rancher v2.2.0 diff --git a/content/rancher/v2.x/en/cluster-admin/restoring-etcd/_index.md b/content/rancher/v2.x/en/cluster-admin/restoring-etcd/_index.md index 20c3141ac0c..ec99c1732d1 100644 --- a/content/rancher/v2.x/en/cluster-admin/restoring-etcd/_index.md +++ b/content/rancher/v2.x/en/cluster-admin/restoring-etcd/_index.md 
@@ -7,9 +7,16 @@ _Available as of v2.2.0_ etcd backup and recovery for [Rancher launched Kubernetes clusters]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/) can be easily performed. Snapshots of the etcd database are taken and saved either locally onto the etcd nodes or to a S3 compatible target. The advantages of configuring S3 is that if all etcd nodes are lost, your snapshot is saved remotely and can be used to restore the cluster. -Rancher recommends enabling the [ability to set up recurring snapshots of etcd]({{}}/rancher/v2.x/en/cluster-admin/backing-up-etcd/#configuring-recurring-snapshots-for-the-cluster), but [one-time snapshots]({{}}/rancher/v2.x/en/cluster-admin/backing-up-etcd/#one-time-snapshots) can easily be taken as well. Rancher allows restore from [saved snapshots](#restoring-your-cluster-from-a-snapshot) or if you don't have any snapshots, you can still [restore etcd](#recovering-etcd-without-a-snapshot). +Rancher recommends enabling the [ability to set up recurring snapshots of etcd]({{}}/rancher/v2.x/en/cluster-admin/backing-up-etcd/#configuring-recurring-snapshots), but [one-time snapshots]({{}}/rancher/v2.x/en/cluster-admin/backing-up-etcd/#one-time-snapshots) can easily be taken as well. Rancher allows restore from [saved snapshots](#restoring-a-cluster-from-a-snapshot) or if you don't have any snapshots, you can still [restore etcd](#recovering-etcd-without-a-snapshot). ->**Note:** If you have any Rancher launched Kubernetes clusters that were created prior to v2.2.0, after upgrading Rancher, you must [edit the cluster]({{}}/rancher/v2.x/en/cluster-admin/editing-clusters/) and _save_ it, in order to enable the [updated snapshot features]({{}}/rancher/v2.x/en/cluster-admin/backing-up-etcd/). Even if you were already creating snapshots prior to v2.2.0, you must do this step as the older snapshots will not be available to use to back up and restore etcd through the UI. 
+As of Rancher v2.4.0, clusters can also be restored to a prior Kubernetes version and cluster configuration. + +This section covers the following topics: + +- [Viewing Available Snapshots](#viewing-available-snapshots) +- [Restoring a Cluster from a Snapshot](#restoring-a-cluster-from-a-snapshot) +- [Recovering etcd without a Snapshot](#recovering-etcd-without-a-snapshot) +- [Enabling snapshot features for clusters created before Rancher v2.2.0](#enabling-snapshot-features-for-clusters-created-before-rancher-v2-2-0) ## Viewing Available Snapshots 
@@ -19,21 +26,57 @@ The list of all available snapshots for the cluster is available. 2. Click **Tools > Snapshots** from the navigation bar to view the list of saved snapshots. These snapshots include a timestamp of when they were created. -## Restoring your Cluster from a Snapshot +## Restoring a Cluster from a Snapshot If your Kubernetes cluster is broken, you can restore the cluster from a snapshot. -1. In the **Global** view, navigate to the cluster that you want to view snapshots. +Restorations changed in Rancher v2.4.0. + +{{% tabs %}} +{{% tab "Rancher v2.4.0+" %}} + +Snapshots are composed of the cluster data in etcd, the Kubernetes version, and the cluster configuration in the `cluster.yml.` These components allow you can select from the following options when restoring a cluster from a snapshot: + +- **Restore just the etcd contents:** This restoration is similar to restoring to snapshots in Rancher prior to v2.4.0. +- **Restore etcd and Kubernetes version:** This option should be used if a Kubernetes upgrade is the reason that your cluster is failing, and you haven't made any cluster configuration changes. +- **Restore etcd, Kubernetes versions and cluster configuration:** This option should be used if you changed both the Kubernetes version and cluster configuration when upgrading. + +When rolling back to a prior Kubernetes version, the [upgrade strategy options]({{}}/rancher/v2.x/en/cluster-admin/upgrading-kubernetes/#configuring-the-upgrade-strategy) are ignored. Worker nodes are not cordoned or drained before being reverted to the older Kubernetes version, so that an unhealthy cluster can be more quickly restored to a healthy state. + +> **Prerequisite:** To restore snapshots from S3, the cluster needs to be configured to [take recurring snapshots on S3.]({{}}/rancher/v2.x/en/cluster-admin/backing-up-etcd/#configuring-recurring-snapshots) + +1. In the **Global** view, navigate to the cluster that you want to restore from a snapshots. 2. 
Click the **Vertical Ellipsis (...) > Restore Snapshot**. -3. Select the snapshot that you want to use for restoring your cluster from the dropdown of available snapshots. Click **Save**. +3. Select the snapshot that you want to use for restoring your cluster from the dropdown of available snapshots. - > **Note:** Snapshots from S3 can only be restored from if the cluster is configured to take recurring snapshots on S3. +4. In the **Restoration Type** field, choose one of the restoration options described above. + +5. Click **Save**. **Result:** The cluster will go into `updating` state and the process of restoring the `etcd` nodes from the snapshot will start. The cluster is restored when it returns to an `active` state. -> **Note:** If you are restoring a cluster with unavailable etcd nodes, it's recommended that all etcd nodes are removed from Rancher before attempting to restore. For clusters that were provisioned using [nodes hosted in an infrastructure provider]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/node-pools/), new etcd nodes will automatically be created. For [custom clusters]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/custom-nodes/), please ensure that you add new etcd nodes to the cluster. +{{% /tab %}} +{{% tab "Rancher prior to v2.4.0" %}} + +> **Prerequisites:** +> +> - Make sure your etcd nodes are healthy. If you are restoring a cluster with unavailable etcd nodes, it's recommended that all etcd nodes are removed from Rancher before attempting to restore. For clusters in which Rancher used node pools to provision [nodes in an infrastructure provider]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/node-pools/), new etcd nodes will automatically be created. For [custom clusters]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/custom-nodes/), please ensure that you add new etcd nodes to the cluster. 
+> - To restore snapshots from S3, the cluster needs to be configured to [take recurring snapshots on S3.]({{}}/rancher/v2.x/en/cluster-admin/backing-up-etcd/#configuring-recurring-snapshots) + +1. In the **Global** view, navigate to the cluster that you want to restore from a snapshot. + +2. Click the **Vertical Ellipsis (...) > Restore Snapshot**. + +3. Select the snapshot that you want to use for restoring your cluster from the dropdown of available snapshots. + +4. Click **Save**. + +**Result:** The cluster will go into `updating` state and the process of restoring the `etcd` nodes from the snapshot will start. The cluster is restored when it returns to an `active` state. + +{{% /tab %}} +{{% /tabs %}} ## Recovering etcd without a Snapshot @@ -64,3 +107,7 @@ If the group of etcd nodes loses quorum, the Kubernetes cluster will report a fa 5. Run the revised command. 6. After the single nodes is up and running, Rancher recommends adding additional etcd nodes to your cluster. If you have a [custom cluster]({{}}/rancher/v2.x/en/cluster-provisioning/custom-clusters/) and you want to reuse an old node, you are required to [clean up the nodes]({{}}/rancher/v2.x/en/faq/cleaning-cluster-nodes/) before attempting to add them back into a cluster. + +# Enabling Snapshot Features for Clusters Created Before Rancher v2.2.0 + +If you have any Rancher launched Kubernetes clusters that were created prior to v2.2.0, after upgrading Rancher, you must [edit the cluster]({{}}/rancher/v2.x/en/cluster-admin/editing-clusters/) and _save_ it, in order to enable the updated snapshot features. Even if you were already creating snapshots prior to v2.2.0, you must do this step as the older snapshots will not be available to use to [back up and restore etcd through the UI]({{}}/rancher/v2.x/en/cluster-admin/restoring-etcd/). \ No newline at end of file 
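Review bot: In the restoring-etcd hunk `@@ -19,21 +26,57 @@`, the "Rancher v2.4.0+" tab keeps only the S3 prerequisite, while the "Rancher prior to v2.4.0" tab also tells the reader to remove unavailable etcd nodes before restoring. If that step still applies on v2.4.0+, it has been lost; if it no longer applies, say so. The sentence that worker nodes are not cordoned or drained during a version rollback describes workload disruption and deserves a `> **Note:**` callout rather than body text. Wording in the added lines: "`cluster.yml.`" has the period inside the code span, "These components allow you can select" should be "allow you to select", and step 1 reads "restore from a snapshots".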
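Review bot: In the restoring-etcd hunk `@@ -64,3 +107,7 @@`, the added section uses a level-one heading (`# Enabling Snapshot Features for Clusters Created Before Rancher v2.2.0`) while every other section in this file is `##`, so it will render as a peer of the page title. The paragraph was copied from the backup page unchanged, so its last link, "back up and restore etcd through the UI", now points at `restoring-etcd/`, the page it sits on. The file also ends without a trailing newline.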
diff --git a/content/rancher/v2.x/en/cluster-admin/upgrading-kubernetes/_index.md b/content/rancher/v2.x/en/cluster-admin/upgrading-kubernetes/_index.md index ddfd641ce33..e2c44d9118d 100644 --- a/content/rancher/v2.x/en/cluster-admin/upgrading-kubernetes/_index.md +++ b/content/rancher/v2.x/en/cluster-admin/upgrading-kubernetes/_index.md @@ -87,9 +87,10 @@ The cluster cannot be downgraded to a previous Kubernetes version. _Available as of v2.4_ -A cluster can be restored to a backup in which the previous Kubernetes version was used. +A cluster can be restored to a backup in which the previous Kubernetes version was used. For more information, refer to the following sections: -RKE v1.1.0 introduced the ability to restore a Kubernetes cluster to an older Kubernetes version by restoring it to a snapshot that includes the older Kubernetes version. +- [Backing up a cluster]({{}}/rancher/v2.x/en/cluster-admin/backing-up-etcd/#how-snapshots-work) +- [Restoring a cluster from backup]({{}}/rancher/v2.x/en/cluster-admin/restoring-etcd/restoring-a-cluster-from-a-snapshot) # Configuring the Upgrade Strategy @@ -128,6 +129,8 @@ To enable draining each node during a cluster upgrade, **Result:** The cluster is updated to use the new upgrade strategy. +> **Note:** As of Rancher v2.4.0, there is a known issue in which the Rancher UI doesn't show state of nodes as drained, even though they are being drained. + ### Maintaining Availability for Applications During Upgrades _Available as of RKE v1.1.0_ From c12f9d90eb876b584acc9839fe800343c1a8b718 Mon Sep 17 00:00:00 2001 From: Sebastiaan van Steenis Date: Wed, 25 Mar 2020 23:23:03 +0100 Subject: [PATCH 096/183] Add NodeLocal DNS option --- .../en/config-options/add-ons/dns/_index.md | 23 +++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/content/rke/latest/en/config-options/add-ons/dns/_index.md b/content/rke/latest/en/config-options/add-ons/dns/_index.md index 6168f1fc4e7..a1e268bb988 100644 
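Review bot: In the upgrading-kubernetes hunk `@@ -87,9 +87,10 @@`, the second added link is missing the `#` before its fragment: `restoring-etcd/restoring-a-cluster-from-a-snapshot` is treated as a sub-page path and will not resolve. It should be `restoring-etcd/#restoring-a-cluster-from-a-snapshot`, matching the heading renamed in the same patch and the form used by the first link (`backing-up-etcd/#how-snapshots-work`).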
--- a/content/rke/latest/en/config-options/add-ons/dns/_index.md +++ b/content/rke/latest/en/config-options/add-ons/dns/_index.md @@ -116,3 +116,26 @@ You can disable the default DNS provider by specifying `none` to the dns `provi dns: provider: none ``` + +# NodeLocal DNS + +_Available as of v1.1.0_ + +> **Note:** The option to enable NodeLocal DNS is available for: +> +> * Kubernetes v1.15.11 and up +> * Kubernetes v1.16.8 and up +> * Kubernetes v1.17.4 and up + +NodeLocal DNS is an additional component that can be deployed on each node to improve DNS performance. It is not a replacement for the `provider` parameter, you will still need to have one of the available DNS providers configured. See [Using NodeLocal DNSCache in Kubernetes clusters](https://kubernetes.io/docs/tasks/administer-cluster/nodelocaldns/) for more information on how NodeLocal DNS works. + +## Configuring NodeLocal DNS + +The `ip_address` parameter is used to configure what link-local IP address will be configured one each host to listen on, make sure this IP address is not already configured on the host. + +```yaml +dns: + provider: coredns + nodelocal: + ip_address: "169.254.20.10" +``` From 7575bfeb7761f4e1c6216422eb45695aa4cc3a4b Mon Sep 17 00:00:00 2001 From: Dan Ramich Date: Thu, 26 Mar 2020 16:00:31 -0700 Subject: [PATCH 097/183] Update sizing guide for 2.4 --- .../en/installation/requirements/_index.md | 38 +++++++++++++------ 1 file changed, 26 insertions(+), 12 deletions(-) diff --git a/content/rancher/v2.x/en/installation/requirements/_index.md b/content/rancher/v2.x/en/installation/requirements/_index.md index 12480547553..e8ab97d803f 100644 --- a/content/rancher/v2.x/en/installation/requirements/_index.md +++ b/content/rancher/v2.x/en/installation/requirements/_index.md 
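Review bot: The NodeLocal DNS section (dns hunk `@@ -116,3 +116,26 @@`) does not say what happens when `nodelocal` is combined with `provider: none`, which the section directly above documents; state whether RKE rejects or ignores that configuration, and whether omitting `nodelocal` leaves the feature disabled. In the `ip_address` sentence, "configured one each host" should be "on each host", and both that sentence and the "It is not a replacement for the `provider` parameter, you will still need" sentence are comma splices that read better split in two.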
@@ -59,24 +59,38 @@ This section describes the CPU, memory, and disk requirements for the nodes wher Hardware requirements scale based on the size of your Rancher deployment. Provision each individual node according to the requirements. The requirements are different depending on if you are installing Rancher in a single container with Docker, or if you are installing Rancher on a Kubernetes cluster. {{% tabs %}} -{{% tab "Kubernetes Install Requirements" %}} +{{% tab "RKE Install Requirements" %}} These requirements apply to [installing Rancher on a Kubernetes cluster.]({{}}/rancher/v2.x/en/installation/k8s-install/) -| Deployment Size | Clusters | Nodes | vCPUs | RAM | -| --------------- | --------- | ---------- | ----------------------------------------------- | ----------------------------------------------- | -| Small | Up to 5 | Up to 50 | 2 | 8 GB | -| Medium | Up to 15 | Up to 200 | 4 | 16 GB | -| Large | Up to 50 | Up to 500 | 8 | 32 GB | -| X-Large | Up to 100 | Up to 1000 | 32 | 128 GB | -| XX-Large | 100+ | 1000+ | [Contact Rancher](https://rancher.com/contact/) | [Contact Rancher](https://rancher.com/contact/) | +| Deployment Size | Clusters | Nodes | vCPUs | RAM | +| --------------- | --------- | ---------- | -------| ------- | +| Small | Up to 150 | Up to 1500 | 2 | 8 GB | +| Medium | Up to 300 | Up to 3000 | 4 | 16 GB | +| Large | Up to 500 | Up to 5000 | 8 | 32 GB | +| X-Large | Up to 1000 | Up to 10000 | 16 | 64 GB | +| XX-Large | Up to 2000 | Up to 20000 | 32 | 128GB | + +[Contact Rancher](https://rancher.com/contact/) for more than 2000 clusters and/or 20000 nodes. 
+{{% /tab %}} + +{{% tab "K3s Install Requirements" %}} + +These requirements apply to [installing Rancher on a K3s Kubernetes cluster.]({{}}/rancher/v2.x/en/installation/k8s-install/) + +| Deployment Size | Clusters | Nodes | vCPUs | RAM | Database Size | +| --------------- | ---------- | ------------ | -------| ---------| ------------ | +| Small | Up to 150 | Up to 1500 | 2 | 8 GB | 2 cores 4GB + 1000 IOPS | +| Medium | Up to 300 | Up to 3000 | 4 | 16 GB | 2 cores 4GB + 1000 IOPS | +| Large | Up to 500 | Up to 5000 | 8 | 32 GB | 2 cores 4GB + 1000 IOPS | +| X-Large | Up to 1000 | Up to 10000 | 16 | 64 GB | 2 cores 4GB + 1000 IOPS | +| XX-Large | Up to 2000 | Up to 20000 | 32 | 128GB | 2 cores 4GB + 1000 IOPS | + +[Contact Rancher](https://rancher.com/contact/) for more than 2000 clusters and/or 20000 nodes. {{% /tab %}} -<<<<<<< HEAD -{{% tab "Node in Docker Install" %}} -======= + {{% tab "Docker Install Requirements" %}} ->>>>>>> Explain K3s Rancher install These requirements apply to [single node]({{}}/rancher/v2.x/en/installation/other-installation-methods/single-node-docker) installations of Rancher. From b904035ec45c65b0de43f71652a402ca9ec7840f Mon Sep 17 00:00:00 2001 From: Catherine Luse Date: Thu, 26 Mar 2020 23:15:37 -0700 Subject: [PATCH 098/183] Include CPU/memory requirements for Rancher before v2.4 --- .../v2.x/en/installation/requirements/_index.md | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/content/rancher/v2.x/en/installation/requirements/_index.md b/content/rancher/v2.x/en/installation/requirements/_index.md index e8ab97d803f..36ad1b23663 100644 --- a/content/rancher/v2.x/en/installation/requirements/_index.md +++ b/content/rancher/v2.x/en/installation/requirements/_index.md 
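Review bot: In the requirements hunk `@@ -59,24 +59,38 @@`, the new "K3s Install Requirements" tab links to the same `installation/k8s-install/` page as the RKE tab, so a reader following it gets no K3s-specific instructions; point it at the K3s install page if one exists. The "Database Size" column carries the identical value "2 cores 4GB + 1000 IOPS" for every deployment size from 150 to 2000 clusters; confirm that is intended, and if so a single sentence under the table is clearer than a constant column. The first tab is renamed to "RKE Install Requirements" but its intro still says "installing Rancher on a Kubernetes cluster". Units are written both as "128GB" and "128 GB".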
@@ -13,6 +13,7 @@ Make sure the node(s) for the Rancher server fulfill the following requirements: - [Operating Systems and Docker Requirements](#operating-systems-and-docker-requirements) - [Hardware Requirements](#hardware-requirements) - [CPU and Memory](#cpu-and-memory) + - [CPU and Memory for Rancher prior to v2.4.0](#cpu-and-memory-for-rancher-prior-to-v2-4-0) - [Disks](#disks) - [Networking Requirements](#networking-requirements) - [Node IP Addresses](#node-ip-addresses) @@ -63,6 +64,8 @@ Hardware requirements scale based on the size of your Rancher deployment. Provis These requirements apply to [installing Rancher on a Kubernetes cluster.]({{}}/rancher/v2.x/en/installation/k8s-install/) +Performance increased in Rancher v2.4.0. For the requirements of Rancher prior to v2.4.0, refer to [this section.](#cpu-and-memory-for-rancher-prior-to-v2-4-0) + | Deployment Size | Clusters | Nodes | vCPUs | RAM | | --------------- | --------- | ---------- | -------| ------- | | Small | Up to 150 | Up to 1500 | 2 | 8 GB | 
@@ -102,6 +105,20 @@ These requirements apply to [single node]({{}}/rancher/v2.x/en/installa {{% /tab %}} {{% /tabs %}} +### CPU and Memory for Rancher prior to v2.4.0 + +{{% accordion label="Click to expand" %}} +These requirements apply to installing Rancher on a Kubernetes cluster prior to Rancher v2.4.0: + +| Deployment Size | Clusters | Nodes | vCPUs | RAM | +| --------------- | --------- | ---------- | ----------------------------------------------- | ----------------------------------------------- | +| Small | Up to 5 | Up to 50 | 2 | 8 GB | +| Medium | Up to 15 | Up to 200 | 4 | 16 GB | +| Large | Up to 50 | Up to 500 | 8 | 32 GB | +| X-Large | Up to 100 | Up to 1000 | 32 | 128 GB | +| XX-Large | 100+ | 1000+ | [Contact Rancher](https://rancher.com/contact/) | [Contact Rancher](https://rancher.com/contact/) | +{{% /accordion %}} + ### Disks Rancher performance depends on etcd in the cluster performance. To ensure optimal speed, we recommend always using SSD disks to back your Rancher management Kubernetes cluster. On cloud providers, you will also want to use the minimum size that allows the maximum IOPS. In larger clusters, consider using dedicated storage devices for etcd data and wal directories. From 7cd87eac0e237b0dd97e7622f442a8d98943a808 Mon Sep 17 00:00:00 2001 From: Prachi Damle Date: Fri, 27 Mar 2020 00:32:23 -0700 Subject: [PATCH 099/183] OPA Gatekeeper docs --- .../v2.x/en/cluster-admin/tools/_index.md | 5 ++ .../tools/opa-gatekeper/_index.md | 79 +++++++++++++++++++ 2 files changed, 84 insertions(+) create mode 100644 content/rancher/v2.x/en/cluster-admin/tools/opa-gatekeper/_index.md diff --git a/content/rancher/v2.x/en/cluster-admin/tools/_index.md b/content/rancher/v2.x/en/cluster-admin/tools/_index.md index 8a1a01be91f..9857ba5a641 100644 --- a/content/rancher/v2.x/en/cluster-admin/tools/_index.md +++ b/content/rancher/v2.x/en/cluster-admin/tools/_index.md 
@@ -13,6 +13,7 @@ Rancher contains a variety of tools that aren't included in Kubernetes to assist - [Logging](#logging) - [Monitoring](#monitoring) - [Istio](#istio) +- [OPA Gatekeeper](#opa) @@ -47,3 +48,7 @@ Using Rancher, you can monitor the state and processes of your cluster nodes, Ku ## Istio [Istio](https://istio.io/) is an open-source tool that makes it easier for DevOps teams to observe, control, troubleshoot, and secure the traffic within a complex network of microservices. For details on how to enable Istio in Rancher, refer to the [Istio section.]({{}}/rancher/v2.x/en/cluster-admin/tools/istio) + +## OPA Gatekeeper + + [OPA Gatekeeper](https://github.com/open-policy-agent/gatekeeper) is an open-source project that provides integration between OPA and Kubernetes to provide policy control via admission controller webhooks. For details on how to enable Gatekeeper in Rancher, refer to the [OPA Gatekeeper section.]({{}}/rancher/v2.x/en/cluster-admin/tools/opa-gatekeeper) diff --git a/content/rancher/v2.x/en/cluster-admin/tools/opa-gatekeper/_index.md b/content/rancher/v2.x/en/cluster-admin/tools/opa-gatekeper/_index.md new file mode 100644 index 00000000000..aa9d1d0e895 --- /dev/null +++ b/content/rancher/v2.x/en/cluster-admin/tools/opa-gatekeper/_index.md 
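Review bot: Both links added in the tools/_index.md hunks look broken. The table-of-contents entry uses `#opa`, but the heading added below is `## OPA Gatekeeper`, and the neighbouring entries (`#logging`, `#monitoring`, `#istio`) use the full heading slug, so this should be `#opa-gatekeeper`. The section's link targets `cluster-admin/tools/opa-gatekeeper`, while the page this patch creates lives at `tools/opa-gatekeper/_index.md`; rename the directory to `opa-gatekeeper` rather than changing the link.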
@@ -0,0 +1,79 @@ +--- +title: OPA Gatekeeper +weight: 1 +--- +_Available as of v2.4.0_ + +Rancher v2.4 release provides the ability to enable OPA Gatekeeper in Kubernetes clusters and also installs a couple of builtin policy definitions aka constraint templates. +OPA Gatekeeper is made availale via Rancher's helm system chart and installs in a namespace "gatekeeper-system". +This is an experimental feature for v2.4 release. + +To ensure consistency and compliance, every organization needs ability to define and enforce policies in its environment in an automated way. +OPA [https://www.openpolicyagent.org/] is a policy engine that facilitates policy based control for Cloud native environments. +OPA provides a high-level declarative language that let’s you specify policy as code and ability to extend simple APIs to offload policy decision-making. +To read more about OPA, please refer https://www.openpolicyagent.org/docs/latest/ +OPA Gatekeeper[https://github.com/open-policy-agent/gatekeeper] is a project that provides integration between OPA and Kubernetes. OPA Gatekeeper provides: + +- An extensible, parameterized policy library. +- Native Kubernetes CRDs for instantiating the policy library (aka “constraints”). +- Native Kubernetes CRDs for extending the policy library (aka “constraint templates”). +- Audit functionality. + +Kubernetes provides ability to extend API server functionality via admission controller webhooks, which are invoked whenever a resourse is created, updated or deleted. +Gatekeeper is installed as a validating webhook and enforces policies defined via Kubernetes CRDs. +In addition to the admission control usage, Gatekeeper also contains ability to audit existing resources in the Kubernetes clusters and mark current violations of enabled policies. + + +## Enabling Gatekeeper in your cluster +1. Only Global Admins or Cluster owners can enable Gatekeeper +1. Navigate to the cluster's Dashboard view +1. 
On the left side menu, Expand the Cluster menu and click on OPA Gatekeeper +1. To install Gatekeeper with default config click on "Enable Gatekeeper (v0.1.0) with defaults". +1. To change any default configuration click on "Customize Gatekeeper yaml configuration" + +## Constraint templates +[Constraint templates](https://github.com/open-policy-agent/gatekeeper#constraint-templates) are Kubernetes CRs that define the schema and rego logic of the OPA policy to be applied by Gatekeeper. + +1. Enable OPA Gatekeeper in your cluster via the Dashboard view +1. After enabling OPA Gatekeeper, on the left side menu under OPA Gatekeeper click on "Templates" to list the constraint templates installed in the cluster. +1. Rancher installs a couple of templates by default. +1. Rancher also provides ability to create your own constraint templates by importing yaml definition. + +## Constraints +[Constraints](https://github.com/open-policy-agent/gatekeeper#constraints) are Kubernetes CRs that define the scope of objects to which a specific constraint template applies to. +Constraint templates and Constraints together define the complete policy. + +1. Enable OPA Gatekeeper in your cluster via the Dashboard view +1. After enabling OPA Gatekeeper, on the left side menu under OPA Gatekeeper click on "Constraints" to list the constraints installed. +1. Users can create new constraints from a constraint template. +1. Rancher provides the ability to create a constraint via a convenient form that lets you input the various constraint fields. +1. Also Edit as yaml option is availble to input the constraint's yaml definition. + +## Enforcing constraints in your cluster +1. Create constraint using the form +1. Choose "Deny" for "Enforcement Action" field on the create constraint form +1. When the "Enforcement Action" is "Deny", the constraint is immediately enabled and will deny any requests that violates the policy defined. +1. By default, the value is "Deny" +1. 
When the "Enforcement Action" is "Dryrun" then any resources that violates the policy are only recorded under the constraint's status field. + +## Audit and violations in your cluster +1. Enable OPA Gatekeeper in your cluster via the Dashboard view. +1. Gatekeeper runs a periodic audit to check if any existing resource violates any enforced constraint. +1. The audit-interval (default 300s) can be configured while installing Gatekeeper. +1. On the Gatekeeper page, any violations of the defined constraints will be listed. +1. Also under "Constraints", number of violations of the constraint will be found. +1. Detail view of each constraint will list the information of the resource that violated the constraint + +## Disabling Gatekeeper +1. Navigate to the cluster's Dashboard view +1. On the left side menu, Expand the Cluster menu and click on OPA Gatekeeper +1. Click the **Vertical Ellipsis (...) > Disable**. +1. Upon disabling, all constraint templates and constraints will also be deleted. + +## Exempting Rancher's System Namespaces from Constraints +1. When a Constraint is created, you need to ensure that it does not apply to any Rancher or Kubernetes system namespaces. +1. To limit the scope of the constraint only to user namespaces, always specify these Namespaces under "Match" field of the Constraint +1. If the system namespaces are not excluded, then it is possible to see many resources under them marked as violations of the constraint. +1. Also the constraint may interfere with any other Rancher functionality and deny any system workloads to get deployed. +1. To avoid this, please ensure to exclude all Rancher specific namespaces from your constraints. + From b7e2111d4ce033082eedcd34dfefa3d039f9e73f Mon Sep 17 00:00:00 2001 
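Review bot: The "Exempting Rancher's System Namespaces from Constraints" section in the new opa-gatekeper page tells readers to exclude system namespaces but never lists them, and step 2 ("always specify these Namespaces under "Match" field") does not make clear whether "these" means the user namespaces to include or the system namespaces to leave out. Because the page also says the default enforcement action is "Deny" and that a constraint can stop system workloads from deploying, name the namespaces explicitly and consider advising "Dryrun" before switching a new constraint to "Deny". Most of the numbered lists hold statements rather than steps (for example "Only Global Admins or Cluster owners can enable Gatekeeper") and would read better as a prerequisite note plus prose. Smaller points: "availale", "resourse", "availble" and "let’s you" are typos, and `OPA [https://www.openpolicyagent.org/]` and `OPA Gatekeeper[https://github.com/...]` are not Markdown links.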
From: Catherine Luse Date: Thu, 26 Mar 2020 15:36:53 -0700 Subject: [PATCH 100/183] Update Helm 3 catalog docs --- content/rancher/v2.x/en/_index.md | 2 +- .../en/backups/backups/ha-backups/_index.md | 7 +++ .../en/backups/backups/k3s-backups/_index.md | 7 +++ content/rancher/v2.x/en/catalog/_index.md | 49 ++++++++-------- .../architecture-recommendations/_index.md | 58 ++++++++++++++----- content/rke/latest/en/upgrades/_index.md | 2 - 6 files changed, 82 insertions(+), 43 deletions(-) diff --git a/content/rancher/v2.x/en/_index.md b/content/rancher/v2.x/en/_index.md index f7c4fdf6ac3..0063d17f488 100644 --- a/content/rancher/v2.x/en/_index.md +++ b/content/rancher/v2.x/en/_index.md @@ -12,7 +12,7 @@ Rancher was originally built to work with multiple orchestrators, and it include Rancher can provision Kubernetes from a hosted provider, provision compute nodes and then install Kubernetes onto them, or import existing Kubernetes clusters running anywhere. -One Rancher server installation can manage up to 2,000 Kubernetes clusters and 100,000 nodes from the same user interface. +One Rancher server installation can manage hundreds of Kubernetes clusters and thousands of nodes from the same user interface. Rancher adds significant value on top of Kubernetes, first by centralizing authentication and role-based access control (RBAC) for all of the clusters, giving global admins the ability to control cluster access from one location. diff --git a/content/rancher/v2.x/en/backups/backups/ha-backups/_index.md b/content/rancher/v2.x/en/backups/backups/ha-backups/_index.md index acbd2aab431..362b867745f 100644 --- a/content/rancher/v2.x/en/backups/backups/ha-backups/_index.md +++ b/content/rancher/v2.x/en/backups/backups/ha-backups/_index.md 
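Review bot: The v2.x/en/_index.md hunk replaces "up to 2,000 Kubernetes clusters and 100,000 nodes" with "hundreds of Kubernetes clusters and thousands of nodes", which drops the wrong node figure but leaves readers with no number at all. The sizing table in installation/requirements, updated earlier in this series, lists up to 2000 clusters and 20000 nodes; linking to that table from this sentence keeps the overview accurate without repeating figures that can drift.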
@@ -9,6 +9,13 @@ This section describes how to create backups of your high-availability Rancher i >**Prerequisites:** {{< requirements_rollback >}} +## RKE Kubernetes Cluster Data + +In an RKE installation, the cluster data is replicated on each of three etcd nodes in the cluster, providing redundancy and data duplication in case one of the nodes fails. + +
    Architecture of an RKE Kubernetes Cluster Running the Rancher Management Server
    +![Architecture of an RKE Kubernetes cluster running the Rancher management server]({{}}/img/rancher/rke-server-storage.svg) + ## Backup Outline Backing up your high-availability Rancher cluster is process that involves completing multiple tasks. diff --git a/content/rancher/v2.x/en/backups/backups/k3s-backups/_index.md b/content/rancher/v2.x/en/backups/backups/k3s-backups/_index.md index 701ea669314..01408849bb0 100644 --- a/content/rancher/v2.x/en/backups/backups/k3s-backups/_index.md +++ b/content/rancher/v2.x/en/backups/backups/k3s-backups/_index.md @@ -9,6 +9,13 @@ The database administrator will need to back up the external database, or restor We recommend configuring the database to take recurring snapshots. +### K3s Kubernetes Cluster Data + +One main advantage of this K3s architecture is that it allows an external datastore to hold the cluster data, allowing the K3s server nodes to be treated as ephemeral. + +
    Architecture of a K3s Kubernetes Cluster Running the Rancher Management Server
    +![Architecture of an RKE Kubernetes Cluster Running the Rancher Management Server]({{}}/img/rancher/k3s-server-storage.svg) + ### Creating Snapshots and Restoring Databases from Snapshots For details on taking database snapshots and restoring your database from them, refer to the official database documentation: diff --git a/content/rancher/v2.x/en/catalog/_index.md b/content/rancher/v2.x/en/catalog/_index.md index 2869abf5a3b..7500a67b3f6 100644 --- a/content/rancher/v2.x/en/catalog/_index.md +++ b/content/rancher/v2.x/en/catalog/_index.md @@ -19,6 +19,7 @@ This section covers the following topics: - [Prerequisites](#prerequisites) - [Catalog scopes](#catalog-scopes) +- [Catalog Helm Deployment Versions](#catalog-helm-deployment-versions) - [Enabling built-in global catalogs](#enabling-built-in-global-catalogs) - [Adding custom global catalogs](#adding-custom-global-catalogs) - [Add custom Git repositories](#add-custom-git-repositories) 
@@ -41,7 +42,7 @@ To launch a catalog app or a multi-cluster app, you should have at least one of # Catalog Scopes -Within Rancher, you can manage catalogs at three different scopes. Global catalogs are shared across all clusters and project. There are some use cases where you might not want to share catalogs across between different clusters or even projects in the same cluster. By leveraging cluster and project scoped catalogs, you will be able to provide applications for specific teams without needing to share them with all clusters and/or projects. +Within Rancher, you can manage catalogs at three different scopes. Global catalogs are shared across all clusters and project. There are some use cases where you might not want to share catalogs between different clusters or even projects in the same cluster. By leveraging cluster and project scoped catalogs, you will be able to provide applications for specific teams without needing to share them with all clusters and/or projects. Scope | Description | Available As of | --- | --- | --- | 
@@ -49,6 +50,20 @@ Global | All clusters and all projects can access the Helm charts in this catalo Cluster | All projects in the specific cluster can access the Helm charts in this catalog | v2.2.0 | Project | This specific cluster can access the Helm charts in this catalog | v2.2.0 | +# Catalog Helm Deployment Versions + +_Applicable as of v2.4.0_ + +In November 2019, Helm 3 was released, and some features were deprecated or refactored. It is not fully backwards compatible with Helm 2. Therefore, catalogs in Rancher need to be separated, with each catalog only using one Helm version. + +When you create a custom catalog, you will have to configure the catalog to use either Helm 2 or Helm 3. This version cannot be changed later. If the catalog is added with the wrong Helm version, it will need to be deleted and re-added. + +When you launch a new app from a catalog, the app will be managed by the catalog's Helm version. A Helm 2 catalog will use Helm 2 to manage all of the apps, and a Helm 3 catalog will use Helm 3 to manage all apps. + +By default, catalogs are assumed to be deployed using Helm 2. If you run an app in Rancher prior to v2.4.0, then upgrade to Rancher v2.4.0+, the app will still be managed by Helm 2. + +Charts that are specific to Helm 2 should only be added to a Helm 2 catalog, and Helm 3 specific charts should only be added to a Helm 3 catalog. + # Enabling Built-in Global Catalogs Within Rancher, there are default catalogs packaged as part of Rancher. These can be enabled or disabled by an administrator. 
@@ -57,19 +72,9 @@ Within Rancher, there are default catalogs packaged as part of Rancher. These ca 2. Toggle the default catalogs that you want use to a setting of **Enabled**. - - **Library** - - The Library Catalog includes charts curated by Rancher. Rancher stores charts in a Git repository to expedite the fetch and update of charts. - - This catalog features Rancher Charts, which include some [notable advantages]({{}}/rancher/v2.x/en/catalog/custom/#chart-types) over native Helm charts. - - - **Helm Stable** - - This catalog, , which is maintained by the Kubernetes community, includes native [Helm charts](https://github.com/kubernetes/helm/blob/master/docs/chart_template_guide/getting_started.md). This catalog features the largest pool of apps. - - - **Helm Incubator** - - Similar in user experience to Helm Stable, but this catalog is filled with applications in **beta**. + - **Library:** The Library Catalog includes charts curated by Rancher. Rancher stores charts in a Git repository to expedite the fetch and update of charts. This catalog features Rancher Charts, which include some [notable advantages]({{}}/rancher/v2.x/en/catalog/custom/#chart-types) over native Helm charts. + - **Helm Stable:** This catalog, which is maintained by the Kubernetes community, includes native [Helm charts](https://helm.sh/docs/chart_template_guide/). This catalog features the largest pool of apps. + - **Helm Incubator:** Similar in user experience to Helm Stable, but this catalog is filled with applications in **beta**. **Result**: The chosen catalogs are enabled. Wait a few minutes for Rancher to replicate the catalog charts. When replication completes, you'll be able to see them in any of your projects by selecting **Apps** from the main navigation bar. In versions prior to v2.2.0, you can select **Catalog Apps** from the main navigation bar. 
@@ -77,6 +82,8 @@ Within Rancher, there are default catalogs packaged as part of Rancher. These ca Adding a catalog is as simple as adding a catalog name, a URL and a branch name. +**Prerequisite:** An [admin]({{}}/rancher/v2.x/en/admin-settings/rbac/global-permissions/) of Rancher has the ability to add or remove catalogs globally in Rancher. + ### Add Custom Git Repositories The Git URL needs to be one that `git clone` [can handle](https://git-scm.com/docs/git-clone#_git_urls_a_id_urls_a) and must end in `.git`. The branch name must be a branch that is in your catalog URL. If no branch name is provided, it will use the `master` branch by default. Whenever you add a catalog to Rancher, it will be available immediately. @@ -91,23 +98,15 @@ In Rancher, you can add the custom Helm chart repository with only a catalog nam ### Add Private Git/Helm Chart Repositories _Available as of v2.2.0_ -In Rancher v2.2.0, you can add private catalog repositories using credentials like Username and Password. You may also want to use the -OAuth token if your Git or Helm repository server support that. +Private catalog repositories can be added using credentials like Username and Password. You may also want to use the OAuth token if your Git or Helm repository server supports that. [Read More About Adding Private Git/Helm Catalogs]({{}}/rancher/v2.x/en/catalog/custom/#private-repositories) - - 1. From the **Global** view, choose **Tools > Catalogs** in the navigation bar. In versions prior to v2.2.0, you can select **Catalogs** directly in the navigation bar. 2. Click **Add Catalog**. 3. Complete the form and click **Create**. - **Result**: Your catalog is added to Rancher. + **Result:** Your catalog is added to Rancher. # Launching Catalog Applications 
@@ -130,7 +129,7 @@ After you've either enabled the built-in catalogs or added your own custom catal * For native Helm charts (i.e., charts from the **Helm Stable** or **Helm Incubator** catalogs), answers are provided as key value pairs in the **Answers** section. * Keys and values are available within **Detailed Descriptions**. - * When entering answers, you must format them using the syntax rules found in [Using Helm: The format and limitations of --set](https://helm.sh/docs/intro/using_helm/#the-format-and-limitations-of-set), as Rancher passes them as `--set` flags to Helm. + * When entering answers, you must format them using the syntax rules found in [Using Helm: The format and limitations of --set]https://helm.sh/docs/intro/using_helm/#the-format-and-limitations-of---set), as Rancher passes them as `--set` flags to Helm. For example, when entering an answer that includes two values separated by a comma (i.e., `abc, bcd`), wrap the values with double quotes (i.e., `"abc, bcd"`). diff --git a/content/rancher/v2.x/en/overview/architecture-recommendations/_index.md b/content/rancher/v2.x/en/overview/architecture-recommendations/_index.md index 05a3c228ef3..5d3eae71a72 100644 --- a/content/rancher/v2.x/en/overview/architecture-recommendations/_index.md +++ b/content/rancher/v2.x/en/overview/architecture-recommendations/_index.md 
@@ -20,20 +20,35 @@ A user cluster is a downstream Kubernetes cluster that runs your apps and servic If you have a Docker installation of Rancher, the node running the Rancher server should be separate from your downstream clusters. -In Kubernetes Installations of Rancher, the Rancher server cluster should also be separate from the user clusters. +In Kubernetes installations of Rancher, the Rancher server cluster should also be separate from the user clusters. ![Separation of Rancher Server from User Clusters]({{}}/img/rancher/rancher-architecture-separation-of-rancher-server.svg) # Why HA is Better for Rancher in Production -We recommend installing the Rancher server on a three-node Kubernetes cluster for production, primarily because it protects the Rancher server data. The Rancher server stores its data in etcd in both single-node and Kubernetes Installations. +We recommend installing the Rancher server on a high-availability Kubernetes cluster, primarily because it protects the Rancher server data. In a high-availability installation, a load balancer serves as the single point of contact for clients, distributing network traffic across multiple servers in the cluster and helping to prevent any one server from becoming a point of failure. -When Rancher is installed on a single node, if the node goes down, there is no copy of the etcd data available on other nodes and you could lose the data on your Rancher server. +We don't recommend installing Rancher in a single Docker container, because if the node goes down, there is no copy of the cluster data available on other nodes and you could lose the data on your Rancher server. -By contrast, in the high-availability installation, +Rancher needs to be installed on either a high-availability [RKE (Rancher Kubernetes Engine)]({{}}/rke/latest/en/) Kubernetes cluster, or a high-availability [K3s (5 less than K8s)]({{}}/k3s/latest/en/) Kubernetes cluster. Both RKE and K3s are fully certified Kubernetes distributions. 
-- The etcd data is replicated on three nodes in the cluster, providing redundancy and data duplication in case one of the nodes fails. -- A load balancer serves as the single point of contact for clients, distributing network traffic across multiple servers in the cluster and helping to prevent any one server from becoming a point of failure. Note: This [example]({{}}/rancher/v2.x/en/installation/options/nginx/) of how to configure an NGINX server as a basic layer 4 load balancer (TCP). +### K3s Kubernetes Cluster Installations + +If you are installing Rancher v2.4 for the first time, we recommend installing it on a K3s Kubernetes cluster. One main advantage of this K3s architecture is that it allows an external datastore to hold the cluster data, allowing the K3s server nodes to be treated as ephemeral. + +The option to install Rancher on a K3s cluster is a feature introduced in Rancher v2.4. K3s is easy to install, with half the memory of Kubernetes, all in a binary less than 50 MB. + +
    Architecture of a K3s Kubernetes Cluster Running the Rancher Management Server
    +![Architecture of an RKE Kubernetes Cluster Running the Rancher Management Server]({{}}/img/rancher/k3s-server-storage.svg) + +### RKE Kubernetes Cluster Installations + +If you are installing Rancher prior to v2.4, you will need to install Rancher on an RKE cluster, in which the cluster data is stored on each node with the etcd role. As of Rancher v2.4, there is no migration path to transition the Rancher server from an RKE cluster to a K3s cluster. All versions of the Rancher server, including v2.4+, can be installed on an RKE cluster. + +In an RKE installation, the cluster data is replicated on each of three etcd nodes in the cluster, providing redundancy and data duplication in case one of the nodes fails. + +
    Architecture of an RKE Kubernetes Cluster Running the Rancher Management Server
    +![Architecture of an RKE Kubernetes cluster running the Rancher management server]({{}}/img/rancher/rke-server-storage.svg) # Recommended Load Balancer Configuration for Kubernetes Installations @@ -44,9 +59,8 @@ We recommend the following configurations for the load balancer and Ingress cont * The Ingress controller will redirect HTTP to HTTPS and terminate SSL/TLS on port TCP/443. * The Ingress controller will forward traffic to port TCP/80 on the pod in the Rancher deployment. -
    Rancher installed on a Kubernetes cluster with layer 4 load balancer, depicting SSL termination at ingress controllers
    +
    Rancher installed on a Kubernetes cluster with layer 4 load balancer, depicting SSL termination at Ingress controllers
    ![Rancher HA]({{}}/img/rancher/ha/rancher2ha.svg) -Rancher installed on a Kubernetes cluster with Layer 4 load balancer (TCP), depicting SSL termination at ingress controllers # Environment for Kubernetes Installations 
@@ -56,17 +70,31 @@ For the best performance and greater security, we recommend a dedicated Kubernet It is not recommended to install Rancher on top of a managed Kubernetes service such as Amazon’s EKS or Google Kubernetes Engine. These hosted Kubernetes solutions do not expose etcd to a degree that is manageable for Rancher, and their customizations can interfere with Rancher operations. -# Recommended Node Roles for Kubernetes Installations +# Recommended Node Roles for Kubernetes Installations -We recommend installing Rancher on a Kubernetes cluster in which each node has all three Kubernetes roles: etcd, controlplane, and worker. +Our recommendations for the roles of each node differ depending on whether Rancher is installed on a K3s Kubernetes cluster or an RKE Kubernetes cluster. -### Comparing Node Roles for the Rancher Server Cluster and User Clusters +### K3s Cluster Roles -Our recommendation for node roles on the Rancher server cluster contrast with our recommendations for the downstream user clusters that run your apps and services. We recommend that each node in a user cluster should have a single role for stability and scalability. +In K3s clusters, there are two types of nodes: server nodes and agent nodes. Both servers and agents can have workloads scheduled on them. Server nodes run the Kubernetes master. + +For the cluster running the Rancher management server, we recommend using two server nodes. Agent nodes are not required. + +### RKE Cluster Roles + +If Rancher is installed on an RKE Kubernetes cluster, the cluster should have three nodes, and each node should have all three Kubernetes roles: etcd, controlplane, and worker. + +### Contrasting RKE Cluster Architecture for Rancher Server and for Downstream Kubernetes Clusters + +Our recommendation for RKE node roles on the Rancher server cluster contrasts with our recommendations for the downstream user clusters that run your apps and services. 
+ +Rancher uses RKE as a library when provisioning downstream Kubernetes clusters. Note: The capability to provision downstream K3s clusters will be added in a future version of Rancher. + +For downstream Kubernetes clusters, we recommend that each node in a user cluster should have a single role for stability and scalability. ![Kubernetes Roles for Nodes in Rancher Server Cluster vs. User Clusters]({{}}/img/rancher/rancher-architecture-node-roles.svg) -Kubernetes only requires at least one node with each role and does not require nodes to be restricted to one role. However, for the clusters that run your apps, we recommend separate roles for each node so that workloads on worker nodes don't interfere with the Kubernetes master or cluster data as your services scale. +RKE only requires at least one node with each role and does not require nodes to be restricted to one role. However, for the clusters that run your apps, we recommend separate roles for each node so that workloads on worker nodes don't interfere with the Kubernetes master or cluster data as your services scale. We recommend that downstream user clusters should have at least: 
@@ -80,9 +108,9 @@ With that said, it is safe to use all three roles on three nodes when setting up * It maintains multiple instances of the master components by having multiple `controlplane` nodes. * No other workloads than Rancher itself should be created on this cluster. -Because no additional workloads will be deployed on the Rancher server cluster, in most cases it is not necessary to use the same architecture that we recommend for the scalability and reliability of user clusters. +Because no additional workloads will be deployed on the Rancher server cluster, in most cases it is not necessary to use the same architecture that we recommend for the scalability and reliability of downstream clusters. -For more best practices for user clusters, refer to the [production checklist]({{}}/rancher/v2.x/en/cluster-provisioning/production) or our [best practices guide.]({{}}/rancher/v2.x/en/best-practices/management/#tips-for-scaling-and-reliability) +For more best practices for downstream clusters, refer to the [production checklist]({{}}/rancher/v2.x/en/cluster-provisioning/production) or our [best practices guide.]({{}}/rancher/v2.x/en/best-practices/management/#tips-for-scaling-and-reliability) # Architecture for an Authorized Cluster Endpoint diff --git a/content/rke/latest/en/upgrades/_index.md b/content/rke/latest/en/upgrades/_index.md index 82fd69b72e6..a90c542623d 100644 --- a/content/rke/latest/en/upgrades/_index.md +++ b/content/rke/latest/en/upgrades/_index.md @@ -55,8 +55,6 @@ RKE saves the Kubernetes cluster state as a secret. When updating the state, RKE ### Upgrading Kubernetes -> **Note:** RKE does not support rolling back to previous versions. - To upgrade the Kubernetes version of an RKE-provisioned cluster, set the `kubernetes_version` string in the `cluster.yml` to the desired version from the [list of supported Kubernetes versions](#listing-supported-kubernetes-versions) for the specific version of RKE: ```yaml 
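Review bot: The rewritten link in the `@@ -130,7 +129,7 @@` hunk of content/rancher/v2.x/en/catalog/_index.md lost its opening parenthesis. The added line reads `[Using Helm: The format and limitations of --set]https://helm.sh/docs/intro/using_helm/#the-format-and-limitations-of---set)`, so it will render as literal text with a stray `)` instead of a link. Restore the `(` after `]` and keep the updated `---set` anchor.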
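Review bot: The image added to content/rancher/v2.x/en/backups/backups/k3s-backups/_index.md points at `k3s-server-storage.svg`, but its alt text says "Architecture of an RKE Kubernetes Cluster Running the Rancher Management Server", which contradicts the K3s figcaption directly above it. The same RKE alt text is attached to the K3s image in the new "K3s Kubernetes Cluster Installations" section of architecture-recommendations/_index.md; PATCH 102/183 corrects that copy only, so the k3s-backups one still needs the fix. Change the alt text to "Architecture of a K3s Kubernetes Cluster Running the Rancher Management Server" so screen readers and broken-image fallbacks describe the right diagram.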
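Review bot: The content/rke/latest/en/upgrades/_index.md hunk deletes the note "RKE does not support rolling back to previous versions" under "Upgrading Kubernetes", and neither the subject ("Update Helm 3 catalog docs") nor any added line says why. Operators rely on that statement when planning an upgrade, so if rollback behavior has changed, replace the note with a sentence on what is now supported; otherwise keep it. This removal, along with the backup and architecture edits, would also be easier to review as a commit separate from the catalog update.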
From dad8cc30937724bf4a87362e7ddfaaa93e246216 Mon Sep 17 00:00:00 2001 From: Catherine Luse Date: Fri, 27 Mar 2020 13:30:02 -0700 Subject: [PATCH 101/183] Refer to section on Helm version for catalogs --- .../rancher/v2.x/en/catalog/custom/adding/_index.md | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/content/rancher/v2.x/en/catalog/custom/adding/_index.md b/content/rancher/v2.x/en/catalog/custom/adding/_index.md index f32ad5eeee8..785ac1bcdde 100644 --- a/content/rancher/v2.x/en/catalog/custom/adding/_index.md +++ b/content/rancher/v2.x/en/catalog/custom/adding/_index.md @@ -16,7 +16,9 @@ aliases: 1. From the **Global** view, choose **Tools > Catalogs** in the navigation bar. In versions prior to v2.2.0, you can select **Catalogs** directly in the navigation bar. 2. Click **Add Catalog**. - 3. Complete the form and click **Create**. + 3. Complete the form. Select the Helm version that will be used to launch all of the apps in the catalog. For more information about the Helm version, refer to [this section.]( +{{}}/rancher/v2.x/en/catalog/#catalog-helm-deployment-versions) +4. Click **Create**. **Result**: Your custom global catalog is added to Rancher. Once it is in `Active` state, it has completed synchronization and you will be able to start deploying [multi-cluster apps]({{}}/rancher/v2.x/en/catalog/multi-cluster-apps/) or [applications in any project]({{}}/rancher/v2.x/en/catalog/apps/) from this catalog. 
@@ -33,7 +35,8 @@ _Available as of v2.2.0_ 1. From the **Global** view, navigate to your cluster that you want to start adding custom catalogs. 2. Choose the **Tools > Catalogs** in the navigation bar. 2. Click **Add Catalog**. -3. Complete the form. By default, the form will provide the ability to select `Scope` of the catalog. When you have added a catalog from the **Cluster** scope, it is defaulted to `Cluster`. +3. Complete the form. By default, the form will provide the ability to select `Scope` of the catalog. When you have added a catalog from the **Cluster** scope, it is defaulted to `Cluster`. Select the Helm version that will be used to launch all of the apps in the catalog. For more information about the Helm version, refer to [this section.]( +{{}}/rancher/v2.x/en/catalog/#catalog-helm-deployment-versions) 5. Click **Create**. **Result**: Your custom cluster catalog is added to Rancher. Once it is in `Active` state, it has completed synchronization and you will be able to start deploying [applications in any project in that cluster]({{}}/rancher/v2.x/en/catalog/apps/) from this catalog. 
@@ -52,7 +55,8 @@ _Available as of v2.2.0_ 1. From the **Global** view, navigate to your project that you want to start adding custom catalogs. 2. Choose the **Tools > Catalogs** in the navigation bar. 2. Click **Add Catalog**. -3. Complete the form. By default, the form will provide the ability to select `Scope` of the catalog. When you have added a catalog from the **Project** scope, it is defaulted to `Cluster`. +3. Complete the form. By default, the form will provide the ability to select `Scope` of the catalog. When you have added a catalog from the **Project** scope, it is defaulted to `Cluster`. Select the Helm version that will be used to launch all of the apps in the catalog. For more information about the Helm version, refer to [this section.]( +{{}}/rancher/v2.x/en/catalog/#catalog-helm-deployment-versions) 5. Click **Create**. **Result**: Your custom project catalog is added to Rancher. Once it is in `Active` state, it has completed synchronization and you will be able to start deploying [applications in that project]({{}}/rancher/v2.x/en/catalog/apps/) from this catalog. From bcc3f4f8e3e746c2a8f5ed6fad1332993159f05b Mon Sep 17 00:00:00 2001 From: Catherine Luse Date: Fri, 27 Mar 2020 14:03:37 -0700 Subject: [PATCH 102/183] Edit architecture doc --- .../v2.x/en/overview/architecture-recommendations/_index.md | 2 +- static/img/rancher/k3s-server-storage.svg | 3 +++ static/img/rancher/rke-server-storage.svg | 3 +++ 3 files changed, 7 insertions(+), 1 deletion(-) create mode 100644 static/img/rancher/k3s-server-storage.svg create mode 100644 static/img/rancher/rke-server-storage.svg diff --git a/content/rancher/v2.x/en/overview/architecture-recommendations/_index.md b/content/rancher/v2.x/en/overview/architecture-recommendations/_index.md index 5d3eae71a72..f7bf7597106 100644 --- a/content/rancher/v2.x/en/overview/architecture-recommendations/_index.md +++ b/content/rancher/v2.x/en/overview/architecture-recommendations/_index.md 
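Review bot: In PATCH 101/183, all three hunks of content/rancher/v2.x/en/catalog/custom/adding/_index.md break the new link right after `[this section.](`, leaving the destination on its own unindented line inside a numbered list item. Keep `](` and the `/rancher/v2.x/en/catalog/#catalog-helm-deployment-versions` target on one line so that the link and the list item do not depend on how the renderer treats the line break.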
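Review bot: In the `@@ -52,7 +55,8 @@` (project catalog) hunk of PATCH 101/183, the rewritten step 3 still says that a catalog added from the **Project** scope "is defaulted to `Cluster`", which looks copied from the cluster section above it. Since the line is being rewritten anyway, confirm the default and change it to `Project` if that is what the form shows. The step numbering in this hunk and in the cluster hunk (2, 2, 3, 5) could be corrected in the same pass.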
@@ -39,7 +39,7 @@ If you are installing Rancher v2.4 for the first time, we recommend installing i The option to install Rancher on a K3s cluster is a feature introduced in Rancher v2.4. K3s is easy to install, with half the memory of Kubernetes, all in a binary less than 50 MB.
    Architecture of a K3s Kubernetes Cluster Running the Rancher Management Server
    -![Architecture of an RKE Kubernetes Cluster Running the Rancher Management Server]({{}}/img/rancher/k3s-server-storage.svg) +![Architecture of a K3s Kubernetes Cluster Running the Rancher Management Server]({{}}/img/rancher/k3s-server-storage.svg) ### RKE Kubernetes Cluster Installations diff --git a/static/img/rancher/k3s-server-storage.svg b/static/img/rancher/k3s-server-storage.svg new file mode 100644 index 00000000000..45fe9f58ac7 --- /dev/null +++ b/static/img/rancher/k3s-server-storage.svg @@ -0,0 +1,3 @@ + + +
    Server Node
    Server Node
    Server Node
    Server Node
    Load Balancer
    Load Balanc...
    External Datastore
    Extern...
    Cluster Data
    Cluster Data
    K3s Cluster
    K3s Cluster
    Viewer does not support full SVG 1.1
    \ No newline at end of file diff --git a/static/img/rancher/rke-server-storage.svg b/static/img/rancher/rke-server-storage.svg new file mode 100644 index 00000000000..f5529ef35c7 --- /dev/null +++ b/static/img/rancher/rke-server-storage.svg @@ -0,0 +1,3 @@ + + +
    Node with controlplane, etcd, and worker roles
    Node with controlpla...
    Node with controlplane, etcd, and worker roles
    Node with controlpla...
    Node with controlplane, etcd, and worker roles
    Node with controlpla...
    etcd
    etcd
    etcd
    etcd
    etcd
    etcd
    Load Balancer
    Load Balanc...
    Cluster Data
    Cluster Data
    RKE Cluster
    RKE Cluster
    Viewer does not support full SVG 1.1
    \ No newline at end of file From cef3390b51576b140bb67643d507b7950bb6e376 Mon Sep 17 00:00:00 2001 From: Catherine Luse Date: Fri, 27 Mar 2020 19:39:25 -0700 Subject: [PATCH 103/183] Fix link --- .../en/cluster-admin/volumes-and-storage/examples/ebs/_index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/rancher/v2.x/en/cluster-admin/volumes-and-storage/examples/ebs/_index.md b/content/rancher/v2.x/en/cluster-admin/volumes-and-storage/examples/ebs/_index.md index 5eaa2de4859..b854daf0ef4 100644 --- a/content/rancher/v2.x/en/cluster-admin/volumes-and-storage/examples/ebs/_index.md +++ b/content/rancher/v2.x/en/cluster-admin/volumes-and-storage/examples/ebs/_index.md @@ -13,4 +13,4 @@ This section describes how to set up Amazon's Elastic Block Store in EC2. **Result:** Persistent storage has been created. -For details on how to set up the newly created storage in Rancher, refer to the section on [setting up existing storage.](../attaching-existing-storage) \ No newline at end of file +For details on how to set up the newly created storage in Rancher, refer to the section on [setting up existing storage.]({{}}/rancher/v2.x/en/cluster-admin/volumes-and-storage/attaching-existing-storage/) \ No newline at end of file From 427b941c869b79b93803ed4152b73136f52ea407 Mon Sep 17 00:00:00 2001 From: Denise Schannon Date: Fri, 27 Mar 2020 19:49:15 -0700 Subject: [PATCH 104/183] Dashboard and Proxy Feature Flags --- .../options/feature-flags/_index.md | 20 ++++++++++++------- 1 file changed, 13 insertions(+), 7 deletions(-) diff --git a/content/rancher/v2.x/en/installation/options/feature-flags/_index.md b/content/rancher/v2.x/en/installation/options/feature-flags/_index.md index 75e2fb89fc9..bf9cafea51f 100644 --- a/content/rancher/v2.x/en/installation/options/feature-flags/_index.md +++ b/content/rancher/v2.x/en/installation/options/feature-flags/_index.md 
@@ -24,18 +24,24 @@ Because the API sets the actual value and the command line sets the default valu For example, if you install Rancher, then set a feature flag to true with the Rancher API, then upgrade Rancher with a command that sets the feature flag to false, the default value will still be false, but the feature will still be enabled because it was set with the Rancher API. If you then deleted the set value (true) with the Rancher API, setting it to NULL, the default value (false) would take effect. +> **Note:** As of v2.4.0, there are some feature flags that may require a restart of the Rancher server container. These features that require a restart are marked in the table of these docs and in the UI. + The following is a list of the feature flags available in Rancher: -- `unsupported-storage-drivers`: This feature [allows unsupported storage drivers.]({{}}/rancher/v2.x/en/installation/options/feature-flags/enable-not-default-storage-drivers) In other words, it enables types for storage providers and provisioners that are not enabled by default. +- `dashboard`: This feature enables the new experimental UI that has a new look and feel. The dashboard also leverages a new API in Rancher which allows the UI to access the default Kubernetes resources without any intervention from Rancher. - `istio-virtual-service-ui`: This feature enables a [UI to create, read, update, and delete Istio virtual services and destination rules]({{}}/rancher/v2.x/en/installation/options/feature-flags/istio-virtual-service-ui), which are traffic management features of Istio. +- `proxy`: This feature enables Rancher to use a new simplified code base for the proxy, which can help enhance performance and security. The proxy feature is known to have issues with Helm deployments, which prevents any catalog applications to be deployed which includes Rancher's tools like monitoring, logging, Istio, etc. 
+- `unsupported-storage-drivers`: This feature [allows unsupported storage drivers.]({{}}/rancher/v2.x/en/installation/options/feature-flags/enable-not-default-storage-drivers) In other words, it enables types for storage providers and provisioners that are not enabled by default. The below table shows the availability and default value for feature flags in Rancher: -| Feature Flag Name | Default Value | Status | Available as of | -| ----------------------------- | ------------- | ------------ | --------------- | -| `unsupported-storage-drivers` | `false` | Experimental | v2.3.0 | -| `istio-virtual-service-ui` | `false` | Experimental | v2.3.0 | -| `istio-virtual-service-ui` | `true` | GA | v2.3.2 | +| Feature Flag Name | Default Value | Status | Available as of | Rancher Restart Required? | +| ----------------------------- | ------------- | ------------ | --------------- |---| +| `dashboard` | `true` | Experimental | v2.4.0 | x | +| `istio-virtual-service-ui` | `false` | Experimental | v2.3.0 | | +| `istio-virtual-service-ui` | `true` | GA | v2.3.2 | | +| `proxy` | `false` | Experimental | v2.4.0 | | +| `unsupported-storage-drivers` | `false` | Experimental | v2.3.0 | | # Enabling Features when Starting Rancher @@ -56,7 +62,7 @@ helm install rancher-latest/rancher \ --set 'extraEnv[0].value==true,=true' # Available as of v2.3.0 ``` -Note: If you are installing an alpha version, Helm requires adding the `--devel` option to the command. +Note: If you are installing an alpha version, Helm requires adding the `--devel` option to the command. ### Rendering the Helm Chart for Air Gap Installations From f07d176a116e1d6dc1c40419877b60ae636718b3 Mon Sep 17 00:00:00 2001 From: Dan Ramich Date: Thu, 26 Mar 2020 16:00:31 -0700 Subject: [PATCH 105/183] Update sizing guide for 2.4 --- .../rancher/v2.x/en/installation/requirements/_index.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) 
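Review bot: In PATCH 104/183 (content/rancher/v2.x/en/installation/options/feature-flags/_index.md), the `dashboard` entry says the new API lets the UI access Kubernetes resources "without any intervention from Rancher", and the table lists the flag as Experimental with a default of `true`. State whether Rancher authentication and RBAC still apply to requests made through that API, and confirm that an experimental flag is meant to be on by default. The `proxy` entry's warning that it "prevents any catalog applications to be deployed" (monitoring, logging, Istio) is significant enough to stand as its own `> **Note:**` block rather than the tail of the description, reworded as "from being deployed".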
diff --git a/content/rancher/v2.x/en/installation/requirements/_index.md b/content/rancher/v2.x/en/installation/requirements/_index.md index 36ad1b23663..ec293b2fa0e 100644 --- a/content/rancher/v2.x/en/installation/requirements/_index.md +++ b/content/rancher/v2.x/en/installation/requirements/_index.md @@ -62,7 +62,7 @@ Hardware requirements scale based on the size of your Rancher deployment. Provis {{% tabs %}} {{% tab "RKE Install Requirements" %}} -These requirements apply to [installing Rancher on a Kubernetes cluster.]({{}}/rancher/v2.x/en/installation/k8s-install/) +These requirements apply to each host in an [RKE Kubernetes cluster where the Rancher server is installed.]({{}}/rancher/v2.x/en/installation/k8s-install/) Performance increased in Rancher v2.4.0. For the requirements of Rancher prior to v2.4.0, refer to [this section.](#cpu-and-memory-for-rancher-prior-to-v2-4-0) @@ -79,7 +79,7 @@ Performance increased in Rancher v2.4.0. For the requirements of Rancher prior t {{% tab "K3s Install Requirements" %}} -These requirements apply to [installing Rancher on a K3s Kubernetes cluster.]({{}}/rancher/v2.x/en/installation/k8s-install/) +These requirements apply to each host in a [K3s Kubernetes cluster where the Rancher server is installed.]({{}}/rancher/v2.x/en/installation/k8s-install/) | Deployment Size | Clusters | Nodes | vCPUs | RAM | Database Size | | --------------- | ---------- | ------------ | -------| ---------| ------------ | 
@@ -95,7 +95,7 @@ These requirements apply to [installing Rancher on a K3s Kubernetes cluster.]({{ {{% tab "Docker Install Requirements" %}} -These requirements apply to [single node]({{}}/rancher/v2.x/en/installation/other-installation-methods/single-node-docker) installations of Rancher. +These requirements apply to a host with a [single-node]({{}}/rancher/v2.x/en/installation/other-installation-methods/single-node-docker) installation of Rancher. | Deployment Size | Clusters | Nodes | vCPUs | RAM | | --------------- | -------- | --------- | ----- | ---- | @@ -108,7 +108,7 @@ These requirements apply to [single node]({{}}/rancher/v2.x/en/installa ### CPU and Memory for Rancher prior to v2.4.0 {{% accordion label="Click to expand" %}} -These requirements apply to installing Rancher on a Kubernetes cluster prior to Rancher v2.4.0: +These requirements apply to installing Rancher on an RKE Kubernetes cluster prior to Rancher v2.4.0: | Deployment Size | Clusters | Nodes | vCPUs | RAM | | --------------- | --------- | ---------- | ----------------------------------------------- | ----------------------------------------------- | From 1bab175db527bfabc0625a96ada0b53eec5af8ee Mon Sep 17 00:00:00 2001 From: Catherine Luse Date: Mon, 30 Mar 2020 07:42:11 -0700 Subject: [PATCH 106/183] Say nested group membership not available for Shibboleth --- .../authentication/openldap/openldap-config/_index.md | 6 +++--- .../en/admin-settings/authentication/shibboleth/_index.md | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/content/rancher/v2.x/en/admin-settings/authentication/openldap/openldap-config/_index.md b/content/rancher/v2.x/en/admin-settings/authentication/openldap/openldap-config/_index.md index f60c8be2589..addd6773a60 100644 --- a/content/rancher/v2.x/en/admin-settings/authentication/openldap/openldap-config/_index.md +++ b/content/rancher/v2.x/en/admin-settings/authentication/openldap/openldap-config/_index.md 
@@ -7,7 +7,7 @@ This section is intended to be used as a reference when setting up an OpenLDAP a For further details on configuring OpenLDAP, refer to the [official documentation.](https://www.openldap.org/doc/) -> Before you proceed with the configuration, please familiarise yourself with the concepts of [External Authentication Configuration and Principal Users]({{}}/rancher/v2.x/en/admin-settings/authentication/#external-authentication-configuration-and-principal-users). +> Before you proceed with the configuration, please familiarize yourself with the concepts of [External Authentication Configuration and Principal Users]({{}}/rancher/v2.x/en/admin-settings/authentication/#external-authentication-configuration-and-principal-users). - [Background: OpenLDAP Authentication Flow](#background-openldap-authentication-flow) - [OpenLDAP server configuration](#openldap-server-configuration) 
@@ -28,7 +28,7 @@ You will need to enter the address, port, and protocol to connect to your OpenLD > **Using TLS?** > -> If the certificate used by the OpenLDAP server is self-signed or not from a recognised certificate authority, make sure have at hand the CA certificate (concatenated with any intermediate certificates) in PEM format. You will have to paste in this certificate during the configuration so that Rancher is able to validate the certificate chain. +> If the certificate used by the OpenLDAP server is self-signed or not from a recognized certificate authority, make sure have at hand the CA certificate (concatenated with any intermediate certificates) in PEM format. You will have to paste in this certificate during the configuration so that Rancher is able to validate the certificate chain. If you are in doubt about the correct values to enter in the user/group Search Base configuration fields, consult your LDAP administrator or refer to the section [Identify Search Base and Schema using ldapsearch]({{}}/rancher/v2.x/en/admin-settings/authentication/ad/#annex-identify-search-base-and-schema-using-ldapsearch) in the Active Directory authentication documentation. 
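Review bot: The rewritten "Using TLS?" line only changes "recognised" to "recognized" and keeps the broken phrase "make sure have at hand the CA certificate". Since the line is being touched anyway, fix it in the same change, for example "make sure you have the CA certificate at hand".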
@@ -83,4 +83,4 @@ The table below details the parameters for the group schema configuration. | Group Member Mapping Attribute | The name of the group attribute containing the members of a group. | | Search Attribute | Attribute used to construct search filters when adding groups to clusters or projects in the UI. See description of user schema `Search Attribute`. | | Group DN Attribute | The name of the group attribute whose format matches the values in the user's group membership attribute. See `User Member Attribute`. | -| Nested Group Membership | This settings defines whether Rancher should resolve nested group memberships. Use only if your organisation makes use of these nested memberships (ie. you have groups that contain other groups as members). | \ No newline at end of file +| Nested Group Membership | This settings defines whether Rancher should resolve nested group memberships. Use only if your organization makes use of these nested memberships (ie. you have groups that contain other groups as members). This option is disabled if you are using Shibboleth. | \ No newline at end of file diff --git a/content/rancher/v2.x/en/admin-settings/authentication/shibboleth/_index.md b/content/rancher/v2.x/en/admin-settings/authentication/shibboleth/_index.md index d0e71c21ea7..4e2c2001dbf 100644 --- a/content/rancher/v2.x/en/admin-settings/authentication/shibboleth/_index.md +++ b/content/rancher/v2.x/en/admin-settings/authentication/shibboleth/_index.md 
@@ -96,7 +96,7 @@ Rancher must be configured with a LDAP bind account (aka service account) to sea ### Configure OpenLDAP in Rancher -Configure the settings for the OpenLDAP server, groups and users. For help filling out each field, refer to the [configuration reference.]({{}}/rancher/v2.x/en/admin-settings/authentication/openldap/openldap-config) +Configure the settings for the OpenLDAP server, groups and users. For help filling out each field, refer to the [configuration reference.]({{}}/rancher/v2.x/en/admin-settings/authentication/openldap/openldap-config) Note that nested group membership is not available for Shibboleth. > Before you proceed with the configuration, please familiarise yourself with the concepts of [External Authentication Configuration and Principal Users]({{}}/rancher/v2.x/en/admin-settings/authentication/#external-authentication-configuration-and-principal-users). From b3e288a488f84c44a75a7120ab0860744cd35dc6 Mon Sep 17 00:00:00 2001 From: Catherine Luse Date: Mon, 30 Mar 2020 13:20:04 -0700 Subject: [PATCH 107/183] Copy edit --- .../tools/opa-gatekeper/_index.md | 126 ++++++++++-------- 1 file changed, 72 insertions(+), 54 deletions(-) diff --git a/content/rancher/v2.x/en/cluster-admin/tools/opa-gatekeper/_index.md b/content/rancher/v2.x/en/cluster-admin/tools/opa-gatekeper/_index.md index aa9d1d0e895..b55f459db22 100644 --- a/content/rancher/v2.x/en/cluster-admin/tools/opa-gatekeper/_index.md +++ b/content/rancher/v2.x/en/cluster-admin/tools/opa-gatekeper/_index.md 
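Review bot: In the Shibboleth hunk, the sentence "Note that nested group membership is not available for Shibboleth." is appended to the same line as the configuration-reference link, where it is easy to miss; give it its own paragraph or note block. The context line directly below still reads "familiarise", while this same commit changes the identical sentence in the OpenLDAP reference to "familiarize", so the two pages now disagree on spelling.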
@@ -4,76 +4,94 @@ weight: 1 --- _Available as of v2.4.0_ -Rancher v2.4 release provides the ability to enable OPA Gatekeeper in Kubernetes clusters and also installs a couple of builtin policy definitions aka constraint templates. -OPA Gatekeeper is made availale via Rancher's helm system chart and installs in a namespace "gatekeeper-system". -This is an experimental feature for v2.4 release. +> This is an experimental feature for the Rancher v2.4 release. + +To ensure consistency and compliance, every organization needs the ability to define and enforce policies in its environment in an automated way. OPA [https://www.openpolicyagent.org/] (Open Policy Agent) is a policy engine that facilitates policy-based control for cloud native environments. Rancher provides the ability to enable OPA Gatekeeper in Kubernetes clusters, and also installs a couple of built-in policy definitions, which are also called constraint templates. + +OPA provides a high-level declarative language that lets you specify policy as code and ability to extend simple APIs to offload policy decision-making. -To ensure consistency and compliance, every organization needs ability to define and enforce policies in its environment in an automated way. -OPA [https://www.openpolicyagent.org/] is a policy engine that facilitates policy based control for Cloud native environments. -OPA provides a high-level declarative language that let’s you specify policy as code and ability to extend simple APIs to offload policy decision-making. -To read more about OPA, please refer https://www.openpolicyagent.org/docs/latest/ OPA Gatekeeper[https://github.com/open-policy-agent/gatekeeper] is a project that provides integration between OPA and Kubernetes. OPA Gatekeeper provides: - An extensible, parameterized policy library. -- Native Kubernetes CRDs for instantiating the policy library (aka “constraints”). -- Native Kubernetes CRDs for extending the policy library (aka “constraint templates”). 
+- Native Kubernetes CRDs for instantiating the policy library, also called “constraints." +- Native Kubernetes CRDs for extending the policy library, also called "constraint templates." - Audit functionality. -Kubernetes provides ability to extend API server functionality via admission controller webhooks, which are invoked whenever a resourse is created, updated or deleted. -Gatekeeper is installed as a validating webhook and enforces policies defined via Kubernetes CRDs. -In addition to the admission control usage, Gatekeeper also contains ability to audit existing resources in the Kubernetes clusters and mark current violations of enabled policies. +To read more about OPA, please refer to the [official documentation.](https://www.openpolicyagent.org/docs/latest/) +# How the OPA Gatekeeper Integration Works -## Enabling Gatekeeper in your cluster -1. Only Global Admins or Cluster owners can enable Gatekeeper -1. Navigate to the cluster's Dashboard view -1. On the left side menu, Expand the Cluster menu and click on OPA Gatekeeper -1. To install Gatekeeper with default config click on "Enable Gatekeeper (v0.1.0) with defaults". -1. To change any default configuration click on "Customize Gatekeeper yaml configuration" +Kubernetes provides the ability to extend API server functionality via admission controller webhooks, which are invoked whenever a resource is created, updated or deleted. Gatekeeper is installed as a validating webhook and enforces policies defined by Kubernetes custom resource definitions. In addition to the admission control usage, Gatekeeper provides the capability to audit existing resources in Kubernetes clusters and mark current violations of enabled policies. + +OPA Gatekeeper is made availale via Rancher's Helm system chart, and it is installed in a namespace named `gatekeeper-system.` + +# Enabling OPA Gatekeeper in a Cluster + +> **Prerequisites:** +> +> - Only administrators and cluster owners can enable OPA Gatekeeper. 
+> - The dashboard needs to be enabled using the `dashboard` feature flag. For more information, refer to the [section on enabling experimental features.]({{}}/rancher/v2.x/en/installation/options/feature-flags/) + +1. Navigate to the cluster's **Dashboard** view. +1. On the left side menu, expand the cluster menu and click on **OPA Gatekeeper.** +1. To install Gatekeeper with the default configuration, click on **Enable Gatekeeper (v0.1.0) with defaults.** +1. To change any default configuration, click on **Customize Gatekeeper yaml configuration.** -## Constraint templates -[Constraint templates](https://github.com/open-policy-agent/gatekeeper#constraint-templates) are Kubernetes CRs that define the schema and rego logic of the OPA policy to be applied by Gatekeeper. +# Constraint Templates -1. Enable OPA Gatekeeper in your cluster via the Dashboard view -1. After enabling OPA Gatekeeper, on the left side menu under OPA Gatekeeper click on "Templates" to list the constraint templates installed in the cluster. -1. Rancher installs a couple of templates by default. -1. Rancher also provides ability to create your own constraint templates by importing yaml definition. +[Constraint templates](https://github.com/open-policy-agent/gatekeeper#constraint-templates) are Kubernetes custom resources that define the schema and Rego logic of the OPA policy to be applied by Gatekeeper. For more information on the Rego policy language, refer to the [official documentation.](https://www.openpolicyagent.org/docs/latest/policy-language/) + +When OPA Gatekeeper is enabled, Rancher installs some templates by default. + +To list the constraint templates installed in the cluster, go to the left side menu under OPA Gatekeeper and click on **Templates.** + +Rancher also provides the ability to create your own constraint templates by importing YAML definitions. 
-## Constraints -[Constraints](https://github.com/open-policy-agent/gatekeeper#constraints) are Kubernetes CRs that define the scope of objects to which a specific constraint template applies to. -Constraint templates and Constraints together define the complete policy. +# Creating and Configuring Constraints -1. Enable OPA Gatekeeper in your cluster via the Dashboard view -1. After enabling OPA Gatekeeper, on the left side menu under OPA Gatekeeper click on "Constraints" to list the constraints installed. -1. Users can create new constraints from a constraint template. -1. Rancher provides the ability to create a constraint via a convenient form that lets you input the various constraint fields. -1. Also Edit as yaml option is availble to input the constraint's yaml definition. +[Constraints](https://github.com/open-policy-agent/gatekeeper#constraints) are Kubernetes custom resources that define the scope of objects to which a specific constraint template applies to. The complete policy is defined by constraint templates and constraints together. + +> **Prerequisites:** OPA Gatekeeper must be enabled in the cluster. + +To list the constraints installed, go to the left side menu under OPA Gatekeeper, and click on **Constraints.** + +New constraints can be created from a constraint template. + +Rancher provides the ability to create a constraint by using a convenient form that lets you input the various constraint fields. + +The **Edit as yaml** option is also availble to configure the the constraint's yaml definition. + +### Exempting Rancher's System Namespaces from Constraints + +When a constraint is created, ensure that it does not apply to any Rancher or Kubernetes system namespaces. If the system namespaces are not excluded, then it is possible to see many resources under them marked as violations of the constraint. + +To limit the scope of the constraint only to user namespaces, always specify these namespaces under the **Match** field of the constraint. 
+ +Also, the constraint may interfere with other Rancher functionality and deny system workloads from being deployed. To avoid this, exclude all Rancher-specific namespaces from your constraints. -## Enforcing constraints in your cluster -1. Create constraint using the form -1. Choose "Deny" for "Enforcement Action" field on the create constraint form -1. When the "Enforcement Action" is "Deny", the constraint is immediately enabled and will deny any requests that violates the policy defined. -1. By default, the value is "Deny" -1. When the "Enforcement Action" is "Dryrun" then any resources that violates the policy are only recorded under the constraint's status field. +# Enforcing Constraints in your Cluster -## Audit and violations in your cluster -1. Enable OPA Gatekeeper in your cluster via the Dashboard view. -1. Gatekeeper runs a periodic audit to check if any existing resource violates any enforced constraint. -1. The audit-interval (default 300s) can be configured while installing Gatekeeper. -1. On the Gatekeeper page, any violations of the defined constraints will be listed. -1. Also under "Constraints", number of violations of the constraint will be found. -1. Detail view of each constraint will list the information of the resource that violated the constraint +When the **Enforcement Action** is **Deny,** the constraint is immediately enabled and will deny any requests that violate the policy defined. By default, the enforcement value is **Deny.** + +When the **Enforcement Action** is **Dryrun,** then any resources that violate the policy are only recorded under the constraint's status field. + +To enforce constraints, create a constraint using the form. In the **Enforcement Action** field, choose **Deny.** + +# Audit and Violations in your Cluster + +OPA Gatekeeper runs a periodic audit to check if any existing resource violates any enforced constraint. The audit-interval (default 300s) can be configured while installing Gatekeeper. 
+ +On the Gatekeeper page, any violations of the defined constraints are listed. + +Also under **Constraints,** the number of violations of the constraint can be found. + +The detail view of each constraint lists information about the resource that violated the constraint. + +# Disabling Gatekeeper -## Disabling Gatekeeper 1. Navigate to the cluster's Dashboard view -1. On the left side menu, Expand the Cluster menu and click on OPA Gatekeeper +1. On the left side menu, expand the cluster menu and click on **OPA Gatekeeper.** 1. Click the **Vertical Ellipsis (...) > Disable**. -1. Upon disabling, all constraint templates and constraints will also be deleted. -## Exempting Rancher's System Namespaces from Constraints -1. When a Constraint is created, you need to ensure that it does not apply to any Rancher or Kubernetes system namespaces. -1. To limit the scope of the constraint only to user namespaces, always specify these Namespaces under "Match" field of the Constraint -1. If the system namespaces are not excluded, then it is possible to see many resources under them marked as violations of the constraint. -1. Also the constraint may interfere with any other Rancher functionality and deny any system workloads to get deployed. -1. To avoid this, please ensure to exclude all Rancher specific namespaces from your constraints. +**Result:** Upon disabling OPA Gatekeeper, all constraint templates and constraints will also be deleted. From c0659b98cb76ba7ec902a758bbceb1524b894b84 Mon Sep 17 00:00:00 2001 From: Catherine Luse Date: Mon, 30 Mar 2020 13:25:54 -0700 Subject: [PATCH 108/183] Minor edits --- .../en/admin-settings/rbac/default-custom-roles/_index.md | 8 ++++---- .../en/admin-settings/rbac/global-permissions/_index.md | 4 ++-- content/rancher/v2.x/en/cluster-admin/tools/_index.md | 2 +- .../v2.x/en/cluster-admin/upgrading-kubernetes/_index.md | 2 +- content/rancher/v2.x/en/security/_index.md | 2 +- 5 files changed, 9 insertions(+), 9 deletions(-) 
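Review bot: The "Exempting Rancher's System Namespaces from Constraints" section tells readers to exclude "all Rancher-specific namespaces" but never lists them, and the page states that the enforcement default is **Deny**, so a constraint created from the form without a narrowed **Match** field can start rejecting system workloads immediately. List the namespaces to exclude (or link to where they are defined) and consider telling readers to start with **Dryrun** and review the recorded violations before switching to **Deny**. Smaller points in the same hunk: the namespace is written as `gatekeeper-system.` with the period inside the code span; "availale", "availble" and "the the constraint's" are typos in added lines; "OPA [https://www.openpolicyagent.org/] (Open Policy Agent)" is not a valid Markdown link; and the bullet ending in “constraints." mixes curly and straight quotes.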
diff --git a/content/rancher/v2.x/en/admin-settings/rbac/default-custom-roles/_index.md b/content/rancher/v2.x/en/admin-settings/rbac/default-custom-roles/_index.md index 61993bb082d..11c7bd0f80b 100644 --- a/content/rancher/v2.x/en/admin-settings/rbac/default-custom-roles/_index.md +++ b/content/rancher/v2.x/en/admin-settings/rbac/default-custom-roles/_index.md @@ -95,7 +95,7 @@ The steps to add custom roles differ depending on the version of Rancher. ## Creating a Custom Global Role that Copies Rules from an Existing Role -_Available as of v2.4.0-alpha1_ +_Available as of v2.4.0_ If you have a group of individuals that need the same level of access in Rancher, it can save time to create a custom global role in which all of the rules from another role, such as the administrator role, are copied into a new role. This allows you to only configure the variations between the existing role and the new role. @@ -112,7 +112,7 @@ To create a custom global role based on an existing role, ## Creating a Custom Global Role that Does Not Copy Rules from Another Role -_Available as of v2.4.0-alpha1_ +_Available as of v2.4.0_ Custom global roles don't have to be based on existing roles. To create a custom global role by choosing the specific Kubernetes resource operations that should be allowed for the role, follow these steps: @@ -125,7 +125,7 @@ Custom global roles don't have to be based on existing roles. To create a custom ## Deleting a Custom Global Role -_Available as of v2.4.0-alpha1_ +_Available as of v2.4.0_ When deleting a custom global role, all global role bindings with this custom role are deleted. 
@@ -141,7 +141,7 @@ To delete a custom global role, ## Assigning a Custom Global Role to a Group -_Available as of v2.4.0-alpha1_ +_Available as of v2.4.0_ If you have a group of individuals that need the same level of access in Rancher, it can save time to create a custom global role. When the role is assigned to a group, the users in the group have the appropriate level of access the first time they sign into Rancher. diff --git a/content/rancher/v2.x/en/admin-settings/rbac/global-permissions/_index.md b/content/rancher/v2.x/en/admin-settings/rbac/global-permissions/_index.md index 4f754a97d37..367d82bb81d 100644 --- a/content/rancher/v2.x/en/admin-settings/rbac/global-permissions/_index.md +++ b/content/rancher/v2.x/en/admin-settings/rbac/global-permissions/_index.md @@ -43,7 +43,7 @@ To see the default permissions for new users, go to the **Global** view and clic Permissions can be assigned to an individual user with [these steps.](#configuring-global-permissions-for-existing-individual-users) -As of Rancher v2.4.0-alpha1, you can [assign a role to everyone in the group at the same time](#configuring-global-permissions-for-groups) if the external authentication provider supports groups. +As of Rancher v2.4.0, you can [assign a role to everyone in the group at the same time](#configuring-global-permissions-for-groups) if the external authentication provider supports groups. # Custom Global Permissions @@ -128,7 +128,7 @@ To configure permission for a user, ### Configuring Global Permissions for Groups -_Available as of v2.4.0-alpha1_ +_Available as of v2.4.0_ If you have a group of individuals that need the same level of access in Rancher, it can save time to assign permissions to the entire group at once, so that the users in the group have the appropriate level of access the first time they sign into Rancher. 
diff --git a/content/rancher/v2.x/en/cluster-admin/tools/_index.md b/content/rancher/v2.x/en/cluster-admin/tools/_index.md index 9857ba5a641..ed8fd982157 100644 --- a/content/rancher/v2.x/en/cluster-admin/tools/_index.md +++ b/content/rancher/v2.x/en/cluster-admin/tools/_index.md @@ -13,7 +13,7 @@ Rancher contains a variety of tools that aren't included in Kubernetes to assist - [Logging](#logging) - [Monitoring](#monitoring) - [Istio](#istio) -- [OPA Gatekeeper](#opa) +- [OPA Gatekeeper](#opa-gatekeeper) diff --git a/content/rancher/v2.x/en/cluster-admin/upgrading-kubernetes/_index.md b/content/rancher/v2.x/en/cluster-admin/upgrading-kubernetes/_index.md index e2c44d9118d..a407c06af2b 100644 --- a/content/rancher/v2.x/en/cluster-admin/upgrading-kubernetes/_index.md +++ b/content/rancher/v2.x/en/cluster-admin/upgrading-kubernetes/_index.md @@ -83,7 +83,7 @@ The cluster cannot be downgraded to a previous Kubernetes version. **Result:** Kubernetes begins upgrading for the cluster. -# Rolling Back the Kubernetes Version +# Rolling Back _Available as of v2.4_ diff --git a/content/rancher/v2.x/en/security/_index.md b/content/rancher/v2.x/en/security/_index.md index 7cb5e2b4713..384657223f3 100644 --- a/content/rancher/v2.x/en/security/_index.md +++ b/content/rancher/v2.x/en/security/_index.md @@ -33,7 +33,7 @@ On this page, we provide security-related documentation along with resources to ### Running a CIS Security Scan on a Kubernetes Cluster -_Available as of v2.4.0-alpha1_ +_Available as of v2.4.0_ Rancher leverages [kube-bench](https://github.com/aquasecurity/kube-bench) to run a security scan to check whether Kubernetes is deployed according to security best practices as defined in the CIS (Center for Internet Security) Kubernetes Benchmark. From 5fa56f9e7d2aaf64f00523518fb150b17bb6cdbc Mon Sep 17 00:00:00 2001 
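Review bot: In the `upgrading-kubernetes/_index.md` hunk, renaming the heading to `# Rolling Back` changes its anchor, but the table of contents entry `[Rolling Back the Kubernetes Version](#rolling-back-the-kubernetes-version)` on the same page is not updated here and is only corrected by the later "Fix links" commit. Update the TOC entry in this commit so the page never carries a dead in-page link between the two changes.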
From: Catherine Luse Date: Mon, 30 Mar 2020 14:42:10 -0700 Subject: [PATCH 109/183] Add troubleshooting info for imported K3s cluster upgrades --- .../imported-clusters/_index.md | 25 ++++++++++++++++++- 1 file changed, 24 insertions(+), 1 deletion(-) diff --git a/content/rancher/v2.x/en/cluster-provisioning/imported-clusters/_index.md b/content/rancher/v2.x/en/cluster-provisioning/imported-clusters/_index.md index b8c053d4086..e5bd907d977 100644 --- a/content/rancher/v2.x/en/cluster-provisioning/imported-clusters/_index.md +++ b/content/rancher/v2.x/en/cluster-provisioning/imported-clusters/_index.md @@ -21,6 +21,7 @@ Rancher v2.4 added the capability to import a K3s cluster into Rancher, as well - [Importing a cluster](#importing-a-cluster) - [Additional features for imported K3s clusters](#additional-features-for-imported-k3s-clusters) - [Configuring a K3s Cluster to Enable Importation to Rancher](#configuring-a-k3s-cluster-to-enable-importation-to-rancher) +- [Debug Logging and Troubleshooting for Imported K3s clusters](#debug-logging-and-troubleshooting-for-imported-k3s-clusters) ### Features 
@@ -104,4 +105,26 @@ The option can also be specified using the environment variable `K3S_KUBECONFIG_ ``` $ curl -sfL https://get.k3s.io | K3S_KUBECONFIG_MODE="644" sh -s - -``` \ No newline at end of file +``` + +### Debug Logging and Troubleshooting for Imported K3s Clusters + +Nodes are upgraded by the system upgrade controller running in the downstream cluster. Based on the cluster configuration, Rancher deploys two [plans](https://github.com/rancher/system-upgrade-controller#example-upgrade-plan) to upgrade K3s nodes: one for controlplane nodes and one for workers. The system upgrade controller follows the plans and upgrades the nodes. + +To enable debug logging on the system upgrade controller deployment, edit the [configmap](https://github.com/rancher/system-upgrade-controller/blob/50a4c8975543d75f1d76a8290001d87dc298bdb4/manifests/system-upgrade-controller.yaml#L32) to set the debug environment variable to true. Then restart the `system-upgrade-controller` pod. + +Logs created by the `system-upgrade-controller` can be viewed by running this command: + +``` +kubectl logs -n cattle-system system-upgrade-controller +``` + +The current status of the plans can be viewed with this command: + +``` +kubectl get plans -A -o yaml +``` + +If the cluster becomes stuck in upgrading, restart the `system-upgrade-controller`. + +To prevent issues when upgrading, the [Kubernetes upgrade best practices](https://kubernetes.io/docs/tasks/administer-cluster/kubeadm/kubeadm-upgrade/) should be followed. \ No newline at end of file From c9fd11654f297c05aa122f5479223d2c5bbdc9b3 Mon Sep 17 00:00:00 2001 From: Catherine Luse Date: Mon, 30 Mar 2020 17:11:56 -0700 Subject: [PATCH 110/183] Update CIS scan doc --- .../v2.x/en/security/security-scan/_index.md | 27 ++++++++++++++----- 1 file changed, 20 insertions(+), 7 deletions(-) 
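Review bot: In the added troubleshooting section, `kubectl logs -n cattle-system system-upgrade-controller` names a pod, but the text describes the controller as a deployment, whose pods carry generated name suffixes, so the command as written will normally not match a pod. Use `kubectl logs -n cattle-system deployment/system-upgrade-controller` or a label selector instead. The debug step should also name the exact ConfigMap key to set rather than "the debug environment variable", and the closing link points to the kubeadm upgrade guide, which does not describe how K3s nodes are upgraded.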
diff --git a/content/rancher/v2.x/en/security/security-scan/_index.md b/content/rancher/v2.x/en/security/security-scan/_index.md index f23f3469a5d..2e9b25bb554 100644 --- a/content/rancher/v2.x/en/security/security-scan/_index.md +++ b/content/rancher/v2.x/en/security/security-scan/_index.md @@ -41,9 +41,7 @@ To check clusters for CIS Kubernetes Benchmark compliance, the security scan lev Each scan generates a report can be viewed in the Rancher UI and can be downloaded in CSV format. -As of Rancher v2.4, the CIS scan will use either the Benchmark v1.4 or v1.5, depending on the Kubernetes version. - -To determine which version of the [Benchmark](https://www.cisecurity.org/benchmark/kubernetes/) to use in the scan, Rancher chooses a version that is appropriate for the cluster's Kubernetes version. The Benchmark version is included in the generated report. +As of Rancher v2.4, the scan will use the CIS Benchmark v1.4. The Benchmark version is included in the generated report. The Benchmark provides recommendations of two types: Scored and Not Scored. Recommendations marked as Not Scored in the Benchmark are not included in the generated report. 
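Review bot: In the hunk after "Each scan generates a report", the two sentences explaining that Rancher picks Benchmark v1.4 or v1.5 according to the Kubernetes version are replaced with a flat "the scan will use the CIS Benchmark v1.4", and neither the diff nor the commit message ("Update CIS scan doc") says why v1.5 was dropped. State in the text which Kubernetes versions the v1.4 checks are applied to, since the Benchmark version determines which checks the report covers, and put the reason for the change in the commit message.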
@@ -151,9 +149,10 @@ To enable recurring scans, edit the advanced options in the cluster configuratio To schedule scans for an existing cluster: 1. Go to the cluster view in Rancher. -1. Click **Ellipsis (...) > Edit.** -1. Go to the **Advanced Options** section. In the **CIS Scan Enabled** field, click **Yes.** -1. In the **CIS Scan Profile** field, choose a **Permissive** or **Hardened** profile. The corresponding CIS Benchmark version is included in the profile name. Any skipped tests [defined in a separate ConfigMap](#skipping-tests) will be skipped regardless of whether a **Permissive** or **Hardened** profile is selected. When selecting the the permissive profile, you should see which tests were skipped by Rancher (tests that are skipped by default for RKE clusters) and which tests were skipped by a Rancher user. In the hardened test profile, the only skipped tests will be skipped by users. +1. Click **Tools > CIS Scans.** +1. Click **Add Schedule.** This takes you to the section of the cluster editing page that is applicable to configuring a schedule for CIS scans. (This section can also be reached by going to the cluster view, clicking **Ellipsis (...) > Edit,** and going to the **Advanced Options.**) +1. In the **CIS Scan Enabled** field, click **Yes.** +1. In the **CIS Scan Profile** field, choose a **Permissive** or **Hardened** profile. The corresponding CIS Benchmark version is included in the profile name. Note: Any skipped tests [defined in a separate ConfigMap](#skipping-tests) will be skipped regardless of whether a **Permissive** or **Hardened** profile is selected. When selecting the the permissive profile, you should see which tests were skipped by Rancher (tests that are skipped by default for RKE clusters) and which tests were skipped by a Rancher user. In the hardened test profile, the only skipped tests will be skipped by users. 1. 
In the **CIS Scan Interval (cron)** job, enter a [cron expression](https://en.wikipedia.org/wiki/Cron#CRON_expression) to define how often the cluster will be scanned. 1. In the **CIS Scan Report Retention** field, enter the number of past reports that should be kept. @@ -213,7 +212,7 @@ Rancher provides a set of alerts for cluster scans. which are not configured to > **Prerequisite:** You need to configure a [notifier]({{}}/rancher/v2.x/en/cluster-admin/tools/notifiers/) before configuring, sending, or receiving alerts. -To activate an alert for a CIS scan result, +To activate an existing alert for a CIS scan result, 1. From the cluster view in Rancher, click **Tools > Alerts.** 1. Go to the section called **A set of alerts for cluster scans.** @@ -225,6 +224,20 @@ To activate an alert for a CIS scan result, **Result:** The notifications will be triggered when the a scan is run on a cluster and the active alerts have satisfied conditions. +To create a new alert, + +1. Go to the cluster view and click **Tools > CIS Scans.** +1. Click **Add Alert.** +1. Fill out the form. +1. Enter a name for the alert. +1. In the **Is** field, set the alert to be triggered when a scan is completed or when a scan has a failure. +1. In the **Send a** field, set the alert as a **Critical,** **Warning,** or **Info** alert level. +1. Choose a [notifier]({{}}/rancher/v2.x/en/cluster-admin/tools/notifiers/) for the alert. + +**Result:** The alert is created and activated. The notifications will be triggered when the a scan is run on a cluster and the active alerts have satisfied conditions. + +For more information about alerts, refer to [this page.]({{}}/rancher/v2.x/en/cluster-admin/tools/alerts/) + # Deleting a Report 1. From the cluster view in Rancher, click **Tools > CIS Scans.** From 1a46238bcd6d8638b3fa896a6d510231a0ff46e7 Mon Sep 17 00:00:00 2001 
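Review bot: In the new "To create a new alert" steps, the step "Fill out the form." is followed by steps that are the form fields themselves, so it reads as a separate action; turn it into a lead-in or nest the field steps under it. The added **Result:** line also copies the existing typo "when the a scan is run", and the reworded schedule step earlier in this patch keeps "the the permissive profile"; both are worth fixing while the lines are being rewritten.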
From: Catherine Luse Date: Mon, 30 Mar 2020 17:32:35 -0700 Subject: [PATCH 111/183] Say that max unavailable controlplane nodes is one --- .../rke/latest/en/upgrades/configuring-strategy/_index.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/content/rke/latest/en/upgrades/configuring-strategy/_index.md b/content/rke/latest/en/upgrades/configuring-strategy/_index.md index 7424354adc8..14a5bb113b1 100644 --- a/content/rke/latest/en/upgrades/configuring-strategy/_index.md +++ b/content/rke/latest/en/upgrades/configuring-strategy/_index.md @@ -15,7 +15,7 @@ In this section, you'll learn how to configure the maximum number of unavailable The maximum number of unavailable controlplane and worker nodes can be configured in the `cluster.yml` before upgrading the cluster: -- **max_unavailable_controlplane:** The maximum number of controlplane nodes that can fail without causing the cluster upgrade to fail. By default, `max_unavailable_controlplane` is defined as 2 nodes. +- **max_unavailable_controlplane:** The maximum number of controlplane nodes that can fail without causing the cluster upgrade to fail. By default, `max_unavailable_controlplane` is defined as one node. - **max_unavailable_worker:** The maximum number of worker nodes that can fail without causing the cluster upgrade to fail. By default, `max_unavailable_worker` is defined as 10 percent of all worker nodes.* /* This number can be configured as a percentage or as an integer. When defined as a percentage, the batch size is rounded down to the nearest node, with a minimum of one node per batch. @@ -25,7 +25,7 @@ An example configuration of the cluster upgrade strategy is shown below: ```yaml upgrade_strategy: max_unavailable_worker: 10% - max_unavailable_controlplane: 2 + max_unavailable_controlplane: 1 ``` ### Draining Nodes 
@@ -39,7 +39,7 @@ If the `drain` directive is set to `true` in the `cluster.yml`, worker nodes wil ```yaml upgrade_strategy: max_unavailable_worker: 10% - max_unavailable_controlplane: 2 + max_unavailable_controlplane: 1 drain: false node_drain_input: force: false @@ -129,7 +129,7 @@ nodes: # nodes skipped for brevity upgrade_strategy: max_unavailable_worker: 10% - max_unavailable_controlplane: 2 + max_unavailable_controlplane: 1 drain: false node_drain_input: force: false From 2fecc1e21cd712df1d0f5798f2a64baf34a5fb51 Mon Sep 17 00:00:00 2001 From: Catherine Luse Date: Mon, 30 Mar 2020 17:45:19 -0700 Subject: [PATCH 112/183] Fix links --- .../v2.x/en/cluster-admin/upgrading-kubernetes/_index.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/content/rancher/v2.x/en/cluster-admin/upgrading-kubernetes/_index.md b/content/rancher/v2.x/en/cluster-admin/upgrading-kubernetes/_index.md index a407c06af2b..9df2fc6cf00 100644 --- a/content/rancher/v2.x/en/cluster-admin/upgrading-kubernetes/_index.md +++ b/content/rancher/v2.x/en/cluster-admin/upgrading-kubernetes/_index.md @@ -14,7 +14,7 @@ This section covers the following topics: - [How Upgrades Work](#how-upgrades-work) - [Recommended Best Practice for Upgrades](#recommended-best-practice-for-upgrades) - [Upgrading the Kubernetes Version](#upgrading-the-kubernetes-version) -- [Rolling Back the Kubernetes Version](#rolling-back-the-kubernetes-version) +- [Rolling Back](#rolling-back) - [Configuring the Upgrade Strategy](#configuring-the-upgrade-strategy) - [Configuring the Maximum Unavailable Worker Nodes in the Rancher UI](#configuring-the-maximum-unavailable-worker-nodes-in-the-rancher-ui) - [Enabling Draining Nodes During Upgrades from the Rancher UI](#enabling-draining-nodes-during-upgrades-from-the-rancher-ui) 
@@ -90,7 +90,7 @@ _Available as of v2.4_ A cluster can be restored to a backup in which the previous Kubernetes version was used. For more information, refer to the following sections: - [Backing up a cluster]({{}}/rancher/v2.x/en/cluster-admin/backing-up-etcd/#how-snapshots-work) -- [Restoring a cluster from backup]({{}}/rancher/v2.x/en/cluster-admin/restoring-etcd/restoring-a-cluster-from-a-snapshot) +- [Restoring a cluster from backup]({{}}/rancher/v2.x/en/cluster-admin/restoring-etcd/#restoring-a-cluster-from-a-snapshot) # Configuring the Upgrade Strategy @@ -129,7 +129,7 @@ To enable draining each node during a cluster upgrade, **Result:** The cluster is updated to use the new upgrade strategy. -> **Note:** As of Rancher v2.4.0, there is a known issue in which the Rancher UI doesn't show state of nodes as drained, even though they are being drained. +> **Note:** As of Rancher v2.4.0, there is a [known issue](https://github.com/rancher/rancher/issues/25478) in which the Rancher UI doesn't show state of etcd and controlplane as drained, even though they are being drained. ### Maintaining Availability for Applications During Upgrades From ec117fcc20d773199cdc2fd5ca5bc7747602c71b Mon Sep 17 00:00:00 2001 From: Catherine Luse Date: Mon, 30 Mar 2020 17:56:16 -0700 Subject: [PATCH 113/183] Fix link --- .../rancher/v2.x/en/cluster-admin/tools/opa-gatekeper/_index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/rancher/v2.x/en/cluster-admin/tools/opa-gatekeper/_index.md b/content/rancher/v2.x/en/cluster-admin/tools/opa-gatekeper/_index.md index b55f459db22..3c7cdd264af 100644 --- a/content/rancher/v2.x/en/cluster-admin/tools/opa-gatekeper/_index.md +++ b/content/rancher/v2.x/en/cluster-admin/tools/opa-gatekeper/_index.md 
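Review bot: In patch 112 (`upgrading-kubernetes/_index.md`), hunk `@@ -129,7 +129,7 @@`, the reworded note reads "doesn't show state of etcd and controlplane as drained", which lost its noun when "nodes" was narrowed to the two roles. Suggest "doesn't show the state of etcd and controlplane nodes as drained".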
@@ -10,7 +10,7 @@ To ensure consistency and compliance, every organization needs the ability to de OPA provides a high-level declarative language that lets you specify policy as code and ability to extend simple APIs to offload policy decision-making. -OPA Gatekeeper[https://github.com/open-policy-agent/gatekeeper] is a project that provides integration between OPA and Kubernetes. OPA Gatekeeper provides: +(OPA Gatekeeper)[https://github.com/open-policy-agent/gatekeeper] is a project that provides integration between OPA and Kubernetes. OPA Gatekeeper provides: - An extensible, parameterized policy library. - Native Kubernetes CRDs for instantiating the policy library, also called “constraints." From 130079264c18f2d228cad2f09e0dee19a2d2701c Mon Sep 17 00:00:00 2001 From: Catherine Luse Date: Mon, 30 Mar 2020 17:56:43 -0700 Subject: [PATCH 114/183] Fix link --- .../rancher/v2.x/en/cluster-admin/tools/opa-gatekeper/_index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/rancher/v2.x/en/cluster-admin/tools/opa-gatekeper/_index.md b/content/rancher/v2.x/en/cluster-admin/tools/opa-gatekeper/_index.md index 3c7cdd264af..1450ab5a496 100644 --- a/content/rancher/v2.x/en/cluster-admin/tools/opa-gatekeper/_index.md +++ b/content/rancher/v2.x/en/cluster-admin/tools/opa-gatekeper/_index.md 
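Review bot: In patch 113 (`opa-gatekeper/_index.md`), hunk `@@ -10,7 +10,7 @@`, the replacement `(OPA Gatekeeper)[https://github.com/open-policy-agent/gatekeeper]` has the brackets and parentheses swapped, so it still does not render as a link. Markdown wants `[OPA Gatekeeper](https://github.com/open-policy-agent/gatekeeper)`, which is what patch 114 changes it to; squash the two commits so the series never carries the broken intermediate form.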
@@ -10,7 +10,7 @@ To ensure consistency and compliance, every organization needs the ability to de OPA provides a high-level declarative language that lets you specify policy as code and ability to extend simple APIs to offload policy decision-making. -(OPA Gatekeeper)[https://github.com/open-policy-agent/gatekeeper] is a project that provides integration between OPA and Kubernetes. OPA Gatekeeper provides: +[OPA Gatekeeper](https://github.com/open-policy-agent/gatekeeper) is a project that provides integration between OPA and Kubernetes. OPA Gatekeeper provides: - An extensible, parameterized policy library. - Native Kubernetes CRDs for instantiating the policy library, also called “constraints." From 2f2b9a772807f14153c5f8d6ec4b457f8c529a0e Mon Sep 17 00:00:00 2001 From: Catherine Luse Date: Mon, 30 Mar 2020 18:17:30 -0700 Subject: [PATCH 115/183] Update RKE upgrade process per Sowmya feedback --- content/rke/latest/en/upgrades/how-upgrades-work/_index.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/content/rke/latest/en/upgrades/how-upgrades-work/_index.md b/content/rke/latest/en/upgrades/how-upgrades-work/_index.md index 2db6bd2933d..b5dd4af8c4b 100644 --- a/content/rke/latest/en/upgrades/how-upgrades-work/_index.md +++ b/content/rke/latest/en/upgrades/how-upgrades-work/_index.md 
@@ -16,9 +16,10 @@ The following features are new in RKE v1.1.0: When a cluster is upgraded with `rke up`, using the default options, the following process is used: -1. etcd nodes get updated first, one at a time. -1. Controlplane nodes get updated second, one at a time. -1. Worker nodes get updated third, one by one, because the default configuration for the maximum number of unavailable nodes is one. +1. The etcd plane gets get updated, one node at a time. +1. Controlplane nodes get updated, one node at a time. This includes the controlplane components and worker plane components of the controlplane nodes. +1. Worker plane components of etcd nodes get updated, one node at a time. +1. Worker nodes get updated in batches of a configurable size. The default configuration for the maximum number of unavailable nodes is ten percent, rounded down to the nearest node, with a minimum batch size of one node. 1. [Addons]({{}}/rke/latest/en/config-options/add-ons/) get upgraded one by one. The following sections break down in more detail what happens when etcd nodes, controlplane nodes, worker nodes, and addons are upgraded. This information is intended to be used to help you understand the update strategy for the cluster, and may be useful when troubleshooting problems with upgrading the cluster. From 924663747cb89874b9cdac5e1a80891a44948937 Mon Sep 17 00:00:00 2001 From: Denise Schannon Date: Mon, 30 Mar 2020 19:00:28 -0700 Subject: [PATCH 116/183] small updates around custom global roles --- .../rbac/default-custom-roles/_index.md | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/content/rancher/v2.x/en/admin-settings/rbac/default-custom-roles/_index.md b/content/rancher/v2.x/en/admin-settings/rbac/default-custom-roles/_index.md index 11c7bd0f80b..833462a1238 100644 --- a/content/rancher/v2.x/en/admin-settings/rbac/default-custom-roles/_index.md +++ b/content/rancher/v2.x/en/admin-settings/rbac/default-custom-roles/_index.md 
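Review bot: In patch 115 (`rke/latest/en/upgrades/how-upgrades-work/_index.md`), the new step 1 reads "The etcd plane gets get updated"; remove the duplicated verb. In the new step 4, "the maximum number of unavailable nodes is ten percent" should say "unavailable worker nodes", because patch 111 in this series documents a different default (one node) for controlplane nodes.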
@@ -13,8 +13,7 @@ This section covers the following topics: - [Prerequisites](#prerequisites) - [Creating a custom role for a cluster or project](#creating-a-custom-role-for-a-cluster-or-project) -- [Creating a custom global role that copies rules from an existing role](#creating-a-custom-global-role-that-copies-rules-from-an-existing-role) -- [Creating a custom global role that does not copy rules from another role](#creating-a-custom-global-role-that-does-not-copy-rules-from-another-role) +- [Creating a custom global role](#creating-a-custom-global-role) - [Deleting a custom global role](#deleting-a-custom-global-role) - [Assigning a custom global role to a group](#assigning-a-custom-global-role-to-a-group) @@ -93,10 +92,12 @@ The steps to add custom roles differ depending on the version of Rancher. {{% /tab %}} {{% /tabs %}} -## Creating a Custom Global Role that Copies Rules from an Existing Role +## Creating a Custom Global Role _Available as of v2.4.0_ +### Creating a Custom Global Role that Copies Rules from an Existing Role + If you have a group of individuals that need the same level of access in Rancher, it can save time to create a custom global role in which all of the rules from another role, such as the administrator role, are copied into a new role. This allows you to only configure the variations between the existing role and the new role. The custom global role can then be assigned to a user or group so that the custom global role takes effect the first time the user or users sign into Rancher. 
@@ -110,9 +111,7 @@ To create a custom global role based on an existing role, 1. In the **Grant Resources** section, select the Kubernetes resource operations that will be enabled for users with the custom role. 1. Click **Save.** -## Creating a Custom Global Role that Does Not Copy Rules from Another Role - -_Available as of v2.4.0_ +### Creating a Custom Global Role that Does Not Copy Rules from Another Role Custom global roles don't have to be based on existing roles. To create a custom global role by choosing the specific Kubernetes resource operations that should be allowed for the role, follow these steps: @@ -164,4 +163,4 @@ To assign a custom global role to a group, follow these steps: 1. Optional: In the **Global Permissions** or **Built-in** sections, select any additional permissions that the group should have. 1. Click **Create.** -**Result:** The custom global role will take effect when the users in the group log into Rancher. \ No newline at end of file +**Result:** The custom global role will take effect when the users in the group log into Rancher. From f9044bb3f3ddb84ade6ba22d9c2704ae497065de Mon Sep 17 00:00:00 2001 From: Robert Parker Date: Tue, 31 Mar 2020 10:33:49 -0700 Subject: [PATCH 117/183] move images --- .../img/rancher/new-app-registration-1.png | Bin .../img/rancher/new-app-registration-2.png | Bin .../img/rancher/select-client-secret.png | Bin .../img/rancher/select-required-permissions-1.png | Bin .../img/rancher/select-required-permissions-2.png | Bin 5 files changed, 0 insertions(+), 0 deletions(-) rename {src => static}/img/rancher/new-app-registration-1.png (100%) rename {src => static}/img/rancher/new-app-registration-2.png (100%) rename {src => static}/img/rancher/select-client-secret.png (100%) rename {src => static}/img/rancher/select-required-permissions-1.png (100%) rename {src => static}/img/rancher/select-required-permissions-2.png (100%) 
diff --git a/src/img/rancher/new-app-registration-1.png b/static/img/rancher/new-app-registration-1.png similarity index 100% rename from src/img/rancher/new-app-registration-1.png rename to static/img/rancher/new-app-registration-1.png diff --git a/src/img/rancher/new-app-registration-2.png b/static/img/rancher/new-app-registration-2.png similarity index 100% rename from src/img/rancher/new-app-registration-2.png rename to static/img/rancher/new-app-registration-2.png diff --git a/src/img/rancher/select-client-secret.png b/static/img/rancher/select-client-secret.png similarity index 100% rename from src/img/rancher/select-client-secret.png rename to static/img/rancher/select-client-secret.png diff --git a/src/img/rancher/select-required-permissions-1.png b/static/img/rancher/select-required-permissions-1.png similarity index 100% rename from src/img/rancher/select-required-permissions-1.png rename to static/img/rancher/select-required-permissions-1.png diff --git a/src/img/rancher/select-required-permissions-2.png b/static/img/rancher/select-required-permissions-2.png similarity index 100% rename from src/img/rancher/select-required-permissions-2.png rename to static/img/rancher/select-required-permissions-2.png From 7cf7425eb0ae18af2f061919e138ebda0310d15b Mon Sep 17 00:00:00 2001 
From: David Nuzik Date: Tue, 31 Mar 2020 11:06:15 -0700 Subject: [PATCH 118/183] Fix broken links in K3s docs - Add alias to old node-requirements page on installation-requirements page so any old links / search engines will redirect node-requirements link accordingly - Fix broken legacy iptables link for raspian at /k3s/latest/en/installation/installation-requirements/#operating-systems - Fix broken installation requirements link at /k3s/latest/en/installation/ha/#2-launch-server-nodes - Fix broken installation requirements link at /k3s/latest/en/networking/#open-ports --- content/k3s/latest/en/installation/ha/_index.md | 2 +- .../en/installation/installation-requirements/_index.md | 4 +++- content/k3s/latest/en/networking/_index.md | 2 +- 3 files changed, 5 insertions(+), 3 deletions(-) diff --git a/content/k3s/latest/en/installation/ha/_index.md b/content/k3s/latest/en/installation/ha/_index.md index f7310184015..2ebc2970c9a 100644 --- a/content/k3s/latest/en/installation/ha/_index.md +++ b/content/k3s/latest/en/installation/ha/_index.md @@ -31,7 +31,7 @@ Setting up an HA cluster requires the following steps: You will first need to create an external datastore for the cluster. See the [Cluster Datastore Options]({{}}/k3s/latest/en/installation/datastore/) documentation for more details. ### 2. Launch Server Nodes -K3s requires two or more server nodes for this HA configuration. See the [Installation Requirements]({{}}/k3s/latest/en/installation/node-requirements/) guide for minimum machine requirements. +K3s requires two or more server nodes for this HA configuration. See the [Installation Requirements]({{}}/k3s/latest/en/installation/installation-requirements/) guide for minimum machine requirements. When running the `k3s server` command on these nodes, you must set the `datastore-endpoint` parameter so that K3s knows how to connect to the external datastore. 
diff --git a/content/k3s/latest/en/installation/installation-requirements/_index.md b/content/k3s/latest/en/installation/installation-requirements/_index.md index bd0c6e4f924..13da6c3d7ce 100644 --- a/content/k3s/latest/en/installation/installation-requirements/_index.md +++ b/content/k3s/latest/en/installation/installation-requirements/_index.md @@ -1,6 +1,8 @@ --- title: Installation Requirements weight: 1 +aliases: + - /k3s/latest/en/installation/node-requirements/ --- K3s is very lightweight, but has some minimum requirements as outlined below. @@ -18,7 +20,7 @@ K3s should run on just about any flavor of Linux. However, K3s is tested on the * Ubuntu 16.04 (amd64) * Ubuntu 18.04 (amd64) -> * If you are using **Raspbian Buster**, follow [these steps]({{}}/k3s/latest/en/advanced/#raspbian-buster---enable-legacy-iptables) to switch to legacy iptables. +> * If you are using **Raspbian Buster**, follow [these steps]({{}}/k3s/latest/en/advanced/#enabling-legacy-iptables-on-raspbian-buster) to switch to legacy iptables. > * If you are using **Alpine Linux**, follow [these steps]({{}}/k3s/latest/en/advanced/#additional-preparation-for-alpine-linux-setup) for additional setup. diff --git a/content/k3s/latest/en/networking/_index.md b/content/k3s/latest/en/networking/_index.md index 3689cdbd759..7bf35ce7c12 100644 --- a/content/k3s/latest/en/networking/_index.md +++ b/content/k3s/latest/en/networking/_index.md @@ -7,7 +7,7 @@ weight: 35 Open Ports ---------- -Please reference the [Installation Requirements]({{}}/k3s/latest/en/installation/node-requirements/#networking) page for port information. +Please reference the [Installation Requirements]({{}}/k3s/latest/en/installation/installation-requirements/#networking) page for port information. CoreDNS ------- From 3b4d47fe8fb2a4f80a43c1ad9fe4332ee9dc8dbe Mon Sep 17 00:00:00 2001 
From: Catherine Luse Date: Tue, 31 Mar 2020 11:15:34 -0700 Subject: [PATCH 119/183] Change hundreds to thousands for v2.4 --- content/rancher/v2.x/en/_index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/rancher/v2.x/en/_index.md b/content/rancher/v2.x/en/_index.md index 0063d17f488..9a7712bc041 100644 --- a/content/rancher/v2.x/en/_index.md +++ b/content/rancher/v2.x/en/_index.md @@ -12,7 +12,7 @@ Rancher was originally built to work with multiple orchestrators, and it include Rancher can provision Kubernetes from a hosted provider, provision compute nodes and then install Kubernetes onto them, or import existing Kubernetes clusters running anywhere. -One Rancher server installation can manage hundreds of Kubernetes clusters and thousands of nodes from the same user interface. +One Rancher server installation can manage thousands of Kubernetes clusters and thousands of nodes from the same user interface. Rancher adds significant value on top of Kubernetes, first by centralizing authentication and role-based access control (RBAC) for all of the clusters, giving global admins the ability to control cluster access from one location. From 2541b554a25c425ade48c53cf566ecbac75cc2e9 Mon Sep 17 00:00:00 2001 From: rajashree Date: Tue, 31 Mar 2020 11:20:43 -0700 Subject: [PATCH 120/183] Rename addon upgradeStrategy field to strategy --- .../en/upgrades/configuring-strategy/_index.md | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/content/rke/latest/en/upgrades/configuring-strategy/_index.md b/content/rke/latest/en/upgrades/configuring-strategy/_index.md index 14a5bb113b1..e9e8ce188c5 100644 --- a/content/rke/latest/en/upgrades/configuring-strategy/_index.md +++ b/content/rke/latest/en/upgrades/configuring-strategy/_index.md 
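Review bot: In patch 119 (`content/rancher/v2.x/en/_index.md`), the subject says the change is "for v2.4", but the edited sentence sits on the v2.x landing page with no version qualifier, so it now makes the "thousands of Kubernetes clusters" claim for every 2.x release. Qualify the sentence with the version it applies to. The result also repeats itself ("thousands of Kubernetes clusters and thousands of nodes"), which is worth rewording while the line is open.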
@@ -59,13 +59,13 @@ An example configuration of the Ingress and network addons is shown below: ingress: provider: nginx update_strategy: - type: RollingUpdate + strategy: RollingUpdate rollingUpdate: maxUnavailable: 5 network: plugin: canal update_strategy: - type: RollingUpdate + strategy: RollingUpdate rollingUpdate: maxUnavailable: 6 ``` @@ -101,7 +101,7 @@ An example configuration of the DNS and monitoring addons is shown below: dns: provider: coredns update_strategy: - type: RollingUpdate + strategy: RollingUpdate rollingUpdate: maxUnavailable: 20% maxSurge: 15% @@ -114,7 +114,7 @@ dns: monitoring: provider: metrics-server update_strategy: - type: RollingUpdate + strategy: RollingUpdate rollingUpdate: maxUnavailable: 8 ``` @@ -140,19 +140,19 @@ upgrade_strategy: ingress: provider: nginx update_strategy: # Available in v2.4 - type: RollingUpdate + strategy: RollingUpdate rollingUpdate: maxUnavailable: 5 network: plugin: canal update_strategy: # Available in v2.4 - type: RollingUpdate + strategy: RollingUpdate rollingUpdate: maxUnavailable: 6 dns: provider: coredns update_strategy: # Available in v2.4 - type: RollingUpdate + strategy: RollingUpdate rollingUpdate: maxUnavailable: 20% maxSurge: 15% @@ -165,7 +165,7 @@ dns: monitoring: provider: metrics-server update_strategy: # Available in v2.4 - type: RollingUpdate + strategy: RollingUpdate rollingUpdate: maxUnavailable: 8 ``` From 257e68eeef1f624477e5470fdb9da6b7883f5544 Mon Sep 17 00:00:00 2001 
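Review bot: In patch 120 (`rke/latest/en/upgrades/configuring-strategy/_index.md`), the subject says the renamed field is `upgradeStrategy`, but every hunk renames the key `type` to `strategy` under `update_strategy`; reword the subject so it names the key that actually changes. In the `@@ -140,19 +140,19 @@` hunk, the unchanged `# Available in v2.4` comments sit next to the renamed key on a page under `rke/latest`; state which product's version is meant.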
From: Robert Parker Date: Tue, 31 Mar 2020 12:21:45 -0700 Subject: [PATCH 121/183] audit-39 --- .../cluster-access/kubectl/_index.md | 1 - .../v2.x/en/cluster-admin/nodes/_index.md | 2 - .../v2.x/en/faq/removing-rancher/_index.md | 3 +- .../air-gap-helm2/install-rancher/_index.md | 1 - .../helm2/rke-add-on/layer-4-lb/_index.md | 2 - .../air-gap/install-rancher/_index.md | 1 - content/rancher/v2.x/en/upgrades/_index.md | 2 - .../rollbacks/single-node-rollbacks/_index.md | 1 - nginx.conf | 43 +++++++++++++++++++ 9 files changed, 44 insertions(+), 12 deletions(-) diff --git a/content/rancher/v2.x/en/cluster-admin/cluster-access/kubectl/_index.md b/content/rancher/v2.x/en/cluster-admin/cluster-access/kubectl/_index.md index b6083597ff9..f8d6817e65f 100644 --- a/content/rancher/v2.x/en/cluster-admin/cluster-access/kubectl/_index.md +++ b/content/rancher/v2.x/en/cluster-admin/cluster-access/kubectl/_index.md @@ -8,7 +8,6 @@ aliases: - /rancher/v2.x/en/concepts/clusters/kubeconfig-files/ - /rancher/v2.x/en/k8s-in-rancher/kubeconfig/ - /rancher/2.x/en/cluster-admin/kubeconfig - - /rancher/v2.x/en/cluster-admin/cluster-access/kubeconfig/ --- This section describes how to manipulate your downstream Kubernetes cluster with kubectl from the Rancher UI or from your workstation. diff --git a/content/rancher/v2.x/en/cluster-admin/nodes/_index.md b/content/rancher/v2.x/en/cluster-admin/nodes/_index.md index c90ae67303b..3290a860d9c 100644 --- a/content/rancher/v2.x/en/cluster-admin/nodes/_index.md +++ b/content/rancher/v2.x/en/cluster-admin/nodes/_index.md @@ -1,8 +1,6 @@ --- title: Nodes and Node Pools weight: 2030 -aliases: - - /rancher/v2.x/en/k8s-in-rancher/nodes/ --- After you launch a Kubernetes cluster in Rancher, you can manage individual nodes from the cluster's **Node** tab. Depending on the [option used]({{}}/rancher/v2.x/en/cluster-provisioning/#cluster-creation-in-rancher) to provision the cluster, there are different node options available. 
diff --git a/content/rancher/v2.x/en/faq/removing-rancher/_index.md b/content/rancher/v2.x/en/faq/removing-rancher/_index.md index 01b53b46358..1cf26a9d8a0 100644 --- a/content/rancher/v2.x/en/faq/removing-rancher/_index.md +++ b/content/rancher/v2.x/en/faq/removing-rancher/_index.md @@ -6,7 +6,6 @@ aliases: - /rancher/v2.x/en/installation/removing-rancher/ - /rancher/v2.x/en/admin-settings/removing-rancher/ - /rancher/v2.x/en/admin-settings/removing-rancher/rancher-cluster-nodes/ - - /rancher/v2.x/en/removing-rancher/ --- This page is intended to answer questions about what happens if you don't want Rancher anymore, if you don't want a cluster to be managed by Rancher anymore, or if the Rancher server is deleted. @@ -55,4 +54,4 @@ At this time, there is no functionality to detach these clusters from Rancher. I The capability to manage these clusters without Rancher is being tracked in this [issue.](https://github.com/rancher/rancher/issues/25234) -For information about how to access clusters if the Rancher server is deleted, refer to [this section.](#if-the-rancher-server-is-deleted-how-do-i-access-my-downstream-clusters) \ No newline at end of file +For information about how to access clusters if the Rancher server is deleted, refer to [this section.](#if-the-rancher-server-is-deleted-how-do-i-access-my-downstream-clusters) diff --git a/content/rancher/v2.x/en/installation/options/air-gap-helm2/install-rancher/_index.md b/content/rancher/v2.x/en/installation/options/air-gap-helm2/install-rancher/_index.md index 619c44dcc14..f5895de9604 100644 --- a/content/rancher/v2.x/en/installation/options/air-gap-helm2/install-rancher/_index.md +++ b/content/rancher/v2.x/en/installation/options/air-gap-helm2/install-rancher/_index.md 
@@ -5,7 +5,6 @@ aliases: - /rancher/v2.x/en/installation/air-gap-installation/install-rancher/ - /rancher/v2.x/en/installation/air-gap-high-availability/config-rancher-system-charts/ - /rancher/v2.x/en/installation/air-gap-high-availability/config-rancher-for-private-reg/ - - /rancher/v2.x/en/installation/air-gap-high-availability/install-rancher/ - /rancher/v2.x/en/installation/air-gap-single-node/install-rancher - /rancher/v2.x/en/installation/air-gap/install-rancher --- diff --git a/content/rancher/v2.x/en/installation/options/helm2/rke-add-on/layer-4-lb/_index.md b/content/rancher/v2.x/en/installation/options/helm2/rke-add-on/layer-4-lb/_index.md index fecaef3d2b3..f3c16cb9404 100644 --- a/content/rancher/v2.x/en/installation/options/helm2/rke-add-on/layer-4-lb/_index.md +++ b/content/rancher/v2.x/en/installation/options/helm2/rke-add-on/layer-4-lb/_index.md @@ -1,8 +1,6 @@ --- title: Kubernetes Install with External Load Balancer (TCP/Layer 4) weight: 275 -aliases: -- /rancher/v2.x/en/installation/k8s-install-server-install/ --- > #### **Important: RKE add-on install is only supported up to Rancher v2.0.8** diff --git a/content/rancher/v2.x/en/installation/other-installation-methods/air-gap/install-rancher/_index.md b/content/rancher/v2.x/en/installation/other-installation-methods/air-gap/install-rancher/_index.md index c12809c0695..bb1b4ae209c 100644 --- a/content/rancher/v2.x/en/installation/other-installation-methods/air-gap/install-rancher/_index.md +++ b/content/rancher/v2.x/en/installation/other-installation-methods/air-gap/install-rancher/_index.md 
@@ -4,7 +4,6 @@ weight: 400 aliases: - /rancher/v2.x/en/installation/air-gap-high-availability/config-rancher-system-charts/ - /rancher/v2.x/en/installation/air-gap-high-availability/config-rancher-for-private-reg/ - - /rancher/v2.x/en/installation/air-gap-high-availability/install-rancher/ - /rancher/v2.x/en/installation/air-gap-single-node/install-rancher - /rancher/v2.x/en/installation/air-gap/install-rancher --- diff --git a/content/rancher/v2.x/en/upgrades/_index.md b/content/rancher/v2.x/en/upgrades/_index.md index 1d0ce9190a5..4debea3156e 100644 --- a/content/rancher/v2.x/en/upgrades/_index.md +++ b/content/rancher/v2.x/en/upgrades/_index.md @@ -1,8 +1,6 @@ --- title: Upgrades and Rollbacks weight: 150 -aliases: - - /rancher/v2.x/en/backups/rollbacks/ --- ### Upgrading Rancher diff --git a/content/rancher/v2.x/en/upgrades/rollbacks/single-node-rollbacks/_index.md b/content/rancher/v2.x/en/upgrades/rollbacks/single-node-rollbacks/_index.md index 3ad649798e0..4705d65d1d8 100644 --- a/content/rancher/v2.x/en/upgrades/rollbacks/single-node-rollbacks/_index.md +++ b/content/rancher/v2.x/en/upgrades/rollbacks/single-node-rollbacks/_index.md @@ -2,7 +2,6 @@ title: Docker Rollback weight: 1015 aliases: - - /rancher/v2.x/en/backups/rollbacks/single-node-rollbacks - /rancher/v2.x/en/upgrades/single-node-rollbacks --- diff --git a/nginx.conf b/nginx.conf index cbe1b9139c8..564352c0877 100644 --- a/nginx.conf +++ b/nginx.conf 
@@ -117,6 +117,49 @@ map $request_uri $redirect_uri { ~^/docs/rancher/v2.x/en/upgrades/upgrades/ha-server-upgrade-helm/?$ /docs/rancher/v2.x/en/upgrades/upgrades/ha/; ~^/docs/rancher/v2.x/en/upgrades/upgrades/single-node-upgrade/?$ /docs/rancher/v2.x/en/upgrades/upgrades/single-node/; ~^/docs/rke/latest/en/installation/os/?$ /docs/rke/latest/en/os/; + + ~^/docs/rancher/v2.x/en/k8s-in-rancher/nodes/?$ /docs/rancher/v2.x/en/cluster-admin/nodes/; + ~^/docs/rancher/v2.x/en/installation/air-gap-high-availability/install-rancher/?$ /docs/rancher/v2.x/en/installation/other-installation-methods/air-gap/install-rancher/; + ~^/docs/rancher/v2.x/en/installation/k8s-install-server-install/?$ /docs/rancher/v2.x/en/installation/options/helm2/rke-add-on/layer-4-lb/; + ~^/docs/rancher/v1.0/en/infrastructure/hosts/?$ /docs/rancher/v1.0/en/rancher-ui/infrastructure/hosts/; + ~^/docs/rancher/v2.x/en/cluster-admin/cluster-access/kubeconfig/?$ /docs/rancher/v2.x/en/cluster-admin/cluster-access/kubectl/; + ~^/docs/os/v1.0/en/configuration/custom-console/?$ /docs/os/latest/en/configuration/switching-consoles/; + ~^/docs/os/latest/en/configuration/switching-consoles/?$ /docs/os/v1.x/en/configuration/switching-consoles/; + ~^/docs/os/v1.1/en/configuration/custom-console/?$ /docs/os/v1.1/en/configuration/switching-consoles/; + ~^/docs/os/v1.1/en/system-services/built-in-system-services/?$ /docs/os/v1.1/en/boot-process/built-in-system-services/; + ~^/docs/os/v1.2/en/configuration/custom-console/?$ /docs/os/v1.2/en/configuration/switching-consoles/; + ~^/docs/os/v1.2/en/system-services/built-in-system-services/?$ /docs/os/v1.2/en/boot-process/built-in-system-services/; + ~^/docs/rancher/v2.x/en/removing-rancher/?$ /docs/rancher/v2.x/en/faq/removing-rancher/; + ~^/docs/rancher/v2.x/en/installation/ha/?$ /docs/rancher/v2.x/en/installation/k8s-install/; + ~^/docs/rancher/v2.x/en/installation/ha/helm-rancher/?$ /docs/rancher/v2.x/en/installation/k8s-install/helm-rancher/; + 
~^/docs/rancher/v2.x/en/installation/other-installation-methods/single-node/?$ /docs/rancher/v2.x/en/installation/other-installation-methods/single-node-docker/; + ~^/docs/rancher/v2.x/en/installation/air-gap/install-rancher/?$ /docs/rancher/v2.x/en/installation/other-installation-methods/air-gap/install-rancher/; + ~^/docs/rancher/v1.0/en/api/v1/access-control/?$ /docs/rancher/v1.0/en/api/v1/api-keys/; + ~^/docs/os/latest/en/storage/additional-mounts/?$ /docs/os/v1.x/en/storage/additional-mounts/; + ~^/docs/os/v1.0/en/configuration/custom-rancheros-iso/?$ /docs/os/latest/custom-builds/custom-rancheros-iso/; + ~^/docs/os/v1.0/en/configuration/custom-kernels/?$ /docs/os/latest/custom-builds/custom-kernels/; + ~^/docs/rancher/v1.0/en/environments/?$ /docs/rancher/v1.0/en/configuration/environments/; + ~^/docs/os/v1.1/en/configuration/custom-kernels/?$ /docs/os/v1.1/en/custom-builds/custom-kernels/; + ~^/docs/os/v1.0/en/system-services/built-in-system-services/?$ /docs/os/latest/boot-process/built-in-system-services/; + ~^/docs/os/latest/custom-builds/custom-rancheros-iso/?$ /docs/os/v1.x/en/custom-builds/custom-rancheros-iso/; + ~^/docs/os/v1.0/en/system-services/?$ /docs/os/latest/en/system-services/adding-system-services/; + ~^/docs/os/v1.0/en/configuration/additional-mounts/?$ /docs/os/latest/en/storage/additional-mounts/; + ~^/docs/os/latest/custom-builds/custom-kernels/?$ /docs/os/v1.x/en/custom-builds/custom-kernels/; + ~^/docs/os/v1.1/en/system-services/?$ /docs/os/v1.1/en/system-services/adding-system-services/; + ~^/docs/os/v1.1/en/configuration/additional-mounts/?$ /docs/os/v1.1/en/storage/additional-mounts/; + ~^/docs/os/latest/boot-process/built-in-system-services/?$ /docs/os/v1.x/en/boot-process/built-in-system-services/; + ~^/docs/os/latest/en/system-services/adding-system-services/?$ /docs/os/v1.x/en/system-services/adding-system-services/; + ~^/docs/rancher/v1.0/en/cattle/rancher-compose/?$ /docs/rancher/v1.0/en/rancher-compose/; + 
~^/docs/os/v1.1/en/configuration/custom-docker/?$ /docs/os/v1.1/en/configuration/switching-docker-versions/; + ~^/docs/os/v1.2/en/configuration/custom-kernels/?$ /docs/os/v1.x/en/custom-builds/custom-kernels/; + ~^/docs/os/v1.2/en/configuration/custom-rancheros-iso/?$ /docs/os/v1.x/en/custom-builds/custom-rancheros-iso/; + ~^/docs/os/v1.2/en/system-services/?$ /docs/os/v1.2/en/system-services/adding-system-services/; + ~^/docs/os/v1.2/en/configuration/additional-mounts/?$ /docs/os/v1.2/en/storage/additional-mounts/; + ~^/docs/rancher/v2.x/en/backups/rollbacks/?$ /docs/rancher/v2.x/en/upgrades/; + ~^/docs/rancher/v2.x/en/admin-settings/feature-flags/enable-not-default-storage-drivers/?$ /docs/rancher/v2.x/en/installation/options/feature-flags/enable-not-default-storage-drivers/; + ~^/docs/rancher/v2.x/en/installation/server-tags/?$ /docs/rancher/v2.x/en/installation/options/server-tags/; + ~^/rancher/v2.x/en/admin-settings/feature-flags/istio-virtual-service-ui/?$ /docs/rancher/v2.x/en/installation/options/feature-flags/istio-virtual-service-ui/; + ~^/docs/os/v1.1/en/configuration/custom-rancheros-iso/?$ /docs/os/v1.1/en/custom-builds/custom-rancheros-iso/; } server { From 59bb8dd344d527be5344a75c7ad4ef5296f8b9da Mon Sep 17 00:00:00 2001 From: Catherine Luse Date: Tue, 31 Mar 2020 13:34:55 -0700 Subject: [PATCH 122/183] Remove outdated reference to disabling Traefik --- .../v2.x/en/cluster-provisioning/imported-clusters/_index.md | 4 ++++ .../v2.x/en/installation/k8s-install/kubernetes-rke/_index.md | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/content/rancher/v2.x/en/cluster-provisioning/imported-clusters/_index.md b/content/rancher/v2.x/en/cluster-provisioning/imported-clusters/_index.md index e5bd907d977..010f949eabe 100644 --- a/content/rancher/v2.x/en/cluster-provisioning/imported-clusters/_index.md +++ b/content/rancher/v2.x/en/cluster-provisioning/imported-clusters/_index.md 
@@ -82,6 +82,10 @@ When a K3s cluster is imported, Rancher will recognize it as K3s, and the Ranche - The ability to configure the maximum number of nodes that will be upgraded concurrently - The ability to see a read-only version of the K3s cluster's configuration arguments and environment variables used to launch each node in the cluster. +### Configuring K3s Cluster Upgrades + +> **Important:** Before upgrading the Kubernetes version of a high-availability K3s cluster, back up the database in whichever way is recommended by the relational database provider. If the upgrade fails, restore the cluster from the snapshot. + The **concurrency** is the maximum number of nodes that are permitted to be unavailable during an upgrade. If number of unavailable nodes is larger than the **concurrency,** the upgrade will fail. If an upgrade fails, you may need to repair or remove failed nodes before the upgrade can succeed. - **Controlplane concurrency:** The maximum number of server nodes to upgrade at a single time; also the maximum unavailable server nodes diff --git a/content/rancher/v2.x/en/installation/k8s-install/kubernetes-rke/_index.md b/content/rancher/v2.x/en/installation/k8s-install/kubernetes-rke/_index.md index 556b4e4f299..40b83086983 100644 --- a/content/rancher/v2.x/en/installation/k8s-install/kubernetes-rke/_index.md +++ b/content/rancher/v2.x/en/installation/k8s-install/kubernetes-rke/_index.md 
@@ -35,7 +35,7 @@ The steps to set up the Kubernetes cluster differ depending on whether you are u ### 1. Install Kubernetes and Set up the K3s Server -When running the command to start the K3s Kubernetes API server, you will pass in two options: one option to use the external datastore that you set up earlier, and one to prevent K3s from deploying Traefik, which is the default ingress in K3s. You need to disable Traefik because Rancher will use NGINX as the ingress to allow external traffic into the cluster. +When running the command to start the K3s Kubernetes API server, you will pass in an option to use the external datastore that you set up earlier. 1. Connect to one of the Linux nodes that you have prepared to run the Rancher server. 1. On the Linux node, run this command to start the K3s server and connect it to the external datastore: From 6ef73ea29e7e854847f7631ce163692896b44a69 Mon Sep 17 00:00:00 2001 From: dkeightley Date: Wed, 1 Apr 2020 09:48:10 +1300 Subject: [PATCH 123/183] Remove Rancher/cert-manager Pods from output In this codeblock Rancher/cert-manager appear already running/installed, which doesn't occur until the next step. Removing these lines from the codeblock to avoid confusion. --- .../en/installation/k8s-install/kubernetes-rke/_index.md | 6 ------ 1 file changed, 6 deletions(-) diff --git a/content/rancher/v2.x/en/installation/k8s-install/kubernetes-rke/_index.md b/content/rancher/v2.x/en/installation/k8s-install/kubernetes-rke/_index.md index 40b83086983..2791481d481 100644 --- a/content/rancher/v2.x/en/installation/k8s-install/kubernetes-rke/_index.md +++ b/content/rancher/v2.x/en/installation/k8s-install/kubernetes-rke/_index.md 
@@ -120,12 +120,6 @@ NAMESPACE NAME READY STATUS REST kube-system metrics-server-6d684c7b5-bw59k 1/1 Running 0 8d kube-system local-path-provisioner-58fb86bdfd-fmkvd 1/1 Running 0 8d kube-system coredns-d798c9dd-ljjnf 1/1 Running 0 8d -cert-manager cert-manager-cainjector-85fbdf788-ct5cp 1/1 Running 0 7d22h -cert-manager cert-manager-754d9b75d9-29llx 1/1 Running 0 7d22h -cert-manager cert-manager-webhook-76f9b64b45-lnhdl 1/1 Running 0 7d22h -cattle-system rancher-ddf788bbf-2zdb4 1/1 Running 0 7d22h -cattle-system rancher-ddf788bbf-22dxm 1/1 Running 1 7d22h -cattle-system rancher-ddf788bbf-k6vk4 1/1 Running 1 7d22h ``` **Result:** You have confirmed that you can access the cluster with `kubectl` and the K3s cluster is running successfully. Now the Rancher management server can be installed on the cluster. From 028e3ceb490673a52a3232324c25ded20800c584 Mon Sep 17 00:00:00 2001 From: David Nuzik Date: Tue, 31 Mar 2020 13:54:17 -0700 Subject: [PATCH 124/183] Update installation-requirements networking section - Addresses comment around node-requirements page (now installation-requirements) in issue https://github.com/rancher/k3s/issues/1031 - Accomplishes this by adding a table to list ports, we actually took from /rancher/v2.x/en/installation/requirements/ports networking section so both guides are in alignment --- .../installation-requirements/_index.md | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/content/k3s/latest/en/installation/installation-requirements/_index.md b/content/k3s/latest/en/installation/installation-requirements/_index.md index 13da6c3d7ce..44e9bf5008f 100644 --- a/content/k3s/latest/en/installation/installation-requirements/_index.md +++ b/content/k3s/latest/en/installation/installation-requirements/_index.md
@@ -37,12 +37,24 @@ K3s performance depends on the performance of the database. To ensure optimal sp ## Networking -The K3s server needs port 6443 to be accessible by the nodes. The nodes need to be able to reach other nodes over UDP port 8472 (Flannel VXLAN). If you do not use Flannel and provide your own custom CNI, then port 8472 is not needed by K3s. The node should not listen on any other port. K3s uses reverse tunneling such that the nodes make outbound connections to the server and all kubelet traffic runs through that tunnel. +The K3s server needs port 6443 to be accessible by the nodes. -IMPORTANT: The VXLAN port on nodes should not be exposed to the world as it opens up your cluster network to be accessed by anyone. Run your nodes behind a firewall/security group that disabled access to port 8472. +The nodes need to be able to reach other nodes over UDP port 8472 when Flannel VXLAN is used. The node should not listen on any other port. K3s uses reverse tunneling such that the nodes make outbound connections to the server and all kubelet traffic runs through that tunnel. However, if you do not use Flannel and provide your own custom CNI, then port 8472 is not needed by K3s. If you wish to utilize the metrics server, you will need to open port 10250 on each node. +> **Important:** The VXLAN port on nodes should not be exposed to the world as it opens up your cluster network to be accessed by anyone. Run your nodes behind a firewall/security group that disables access to port 8472. + +
    Inbound Rules for Rancher Server Nodes
    + +| Protocol | Port | Source | Description +|-----|-----|----------------|---| +| TCP | 6443 | K3s server nodes | Kubernetes API +| UDP | 8472 | K3s server and agent nodes | Required only for Flannel VXLAN +| TCP | 10250 | K3s server and agent nodes | kubelet + +Typically all outbound traffic is allowed. + ## Large Clusters Hardware requirements are based on the size of your K3s cluster. For production and large clusters, we recommend using a high-availability setup with an external database. The following options are recommended for the external database in production: From 2d431d73c9c2aa6d1fb3d0b33c7ce66e33cd89ff Mon Sep 17 00:00:00 2001 From: David Nuzik Date: Tue, 31 Mar 2020 14:06:41 -0700 Subject: [PATCH 125/183] Address symlink issue on installation-requirements page - Resolves symlink issue in single-server section of https://github.com/rancher/k3s/issues/1031 - The INSTALL_K3S_SYMLINK env var now has a description that explains what binaries symlinks are created for --- content/k3s/latest/en/installation/install-options/_index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/k3s/latest/en/installation/install-options/_index.md b/content/k3s/latest/en/installation/install-options/_index.md index e2bc4a2dbb2..d8c415cb96c 100644 --- a/content/k3s/latest/en/installation/install-options/_index.md +++ b/content/k3s/latest/en/installation/install-options/_index.md @@ -29,7 +29,7 @@ When using this method to install K3s, the following environment variables can b - `INSTALL_K3S_SYMLINK` - If set to 'skip' will not create symlinks, 'force' will overwrite, default will symlink if command does not exist in path. + By default will create symlinks for the kubectl, crictl, and ctr binaries if the commands do not already exist in path. If set to 'skip' will not create symlinks and 'force' will overwrite. - `INSTALL_K3S_SKIP_START` From 88079937e5b75b7def5eb81e88f22d5d31106ea9 Mon Sep 17 00:00:00 2001 
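Review bot: in the nginx `map $request_uri $redirect_uri` hunk, the added pattern `~^/rancher/v2.x/en/admin-settings/feature-flags/istio-virtual-service-ui/?$` is the only one without the `/docs` prefix, so a request path that starts with `/docs/rancher/` will not match it; if the omission is not intentional, add `/docs` to the source side. Several added targets are themselves redirect sources in this same hunk (for example `/docs/os/v1.0/en/configuration/custom-console/` goes to `/docs/os/latest/en/configuration/switching-consoles/`, which is then mapped to `/docs/os/v1.x/en/configuration/switching-consoles/`), so clients take two hops; point each old URL straight at its final destination.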
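Review bot: in the ports table added by PATCH 124/183 (k3s installation-requirements), the row `| TCP | 6443 | K3s server nodes | Kubernetes API` names only server nodes as the source, while the sentence kept above it says port 6443 must be accessible by the nodes; a firewall rule written from this table would not admit agent nodes to the API port, so list agent nodes as a source. The table heading also reads "Inbound Rules for Rancher Server Nodes" on a K3s page, and "The node should not listen on any other port" now sits right before the instruction to open port 10250 for the metrics server, so one of those two sentences needs qualifying.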
From: David Nuzik Date: Tue, 31 Mar 2020 15:32:03 -0700 Subject: [PATCH 126/183] Tweaks to install-options page - Addresses additional issues outlined in https://github.com/rancher/k3s/issues/1031 single-server section --- content/k3s/latest/en/installation/install-options/_index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/k3s/latest/en/installation/install-options/_index.md b/content/k3s/latest/en/installation/install-options/_index.md index d8c415cb96c..70b164b38aa 100644 --- a/content/k3s/latest/en/installation/install-options/_index.md +++ b/content/k3s/latest/en/installation/install-options/_index.md @@ -66,7 +66,7 @@ When using this method to install K3s, the following environment variables can b - `INSTALL_K3S_NAME` - Name of systemd service to create, will default from the K3s exec command if not specified. If specified the name will be prefixed with 'k3s-'. + Name of systemd service to create, will default to 'k3s' if running k3s as a server and 'k3s-agent' if running k3s as an agent. If specified the name will be prefixed with 'k3s-'. - `INSTALL_K3S_TYPE` From b96fb448ea9045786047df319f0364beacb2c16a Mon Sep 17 00:00:00 2001 From: Catherine Luse Date: Tue, 31 Mar 2020 13:43:51 -0700 Subject: [PATCH 127/183] Edit note on backing up K3s before upgrading --- .../v2.x/en/cluster-provisioning/imported-clusters/_index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/rancher/v2.x/en/cluster-provisioning/imported-clusters/_index.md b/content/rancher/v2.x/en/cluster-provisioning/imported-clusters/_index.md index 010f949eabe..89b5174c57e 100644 --- a/content/rancher/v2.x/en/cluster-provisioning/imported-clusters/_index.md +++ b/content/rancher/v2.x/en/cluster-provisioning/imported-clusters/_index.md 
@@ -84,7 +84,7 @@ When a K3s cluster is imported, Rancher will recognize it as K3s, and the Ranche ### Configuring K3s Cluster Upgrades -> **Important:** Before upgrading the Kubernetes version of a high-availability K3s cluster, back up the database in whichever way is recommended by the relational database provider. If the upgrade fails, restore the cluster from the snapshot. +> **Important:** It is a Kubernetes best practice to back up the cluster before upgrading. When upgrading a high-availability K3s cluster with an external database, back up the database in whichever way is recommended by the relational database provider. The **concurrency** is the maximum number of nodes that are permitted to be unavailable during an upgrade. If number of unavailable nodes is larger than the **concurrency,** the upgrade will fail. If an upgrade fails, you may need to repair or remove failed nodes before the upgrade can succeed. From 09fcaa4ee9efa73e46b637450275bdfb3e08b546 Mon Sep 17 00:00:00 2001 From: Evan Date: Tue, 31 Mar 2020 23:21:40 -0400 Subject: [PATCH 128/183] Add Docker backup link to "Backups and Disaster Recovery" index --- content/rancher/v2.x/en/backups/_index.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/content/rancher/v2.x/en/backups/_index.md b/content/rancher/v2.x/en/backups/_index.md index b4ca63cc4a0..d9b66a43114 100644 --- a/content/rancher/v2.x/en/backups/_index.md +++ b/content/rancher/v2.x/en/backups/_index.md 
@@ -10,10 +10,10 @@ To protect yourself from a disaster scenario, you should create backups on a reg - Rancher server backups: - [Rancher installed on a K3s Kubernetes cluster](./backups/k3s-backups) - [Rancher installed on an RKE Kubernetes cluster](./backups/ha-backups) - - Rancher installed with Docker + - [Rancher installed with Docker](./backups/single-node-backups/) - [Backing up Rancher Launched Kubernetes Clusters]({{}}/rancher/v2.x/en/cluster-admin/backing-up-etcd/) In a disaster scenario, you can restore your `etcd` database by restoring a backup. - [Rancher Server Restorations]({{}}/rancher/v2.x/en/backups/restorations) - - [Restoring Rancher Launched Kubernetes Clusters]({{}}/rancher/v2.x/en/cluster-admin/restoring-etcd/) \ No newline at end of file + - [Restoring Rancher Launched Kubernetes Clusters]({{}}/rancher/v2.x/en/cluster-admin/restoring-etcd/) From 7eb1c17dd1d8b0a929a59018e72c60252d95c9af Mon Sep 17 00:00:00 2001 From: Terdunov Vyacheslav Date: Wed, 1 Apr 2020 13:58:04 +0400 Subject: [PATCH 129/183] Fix How Upgrades Work link to cluster.yaml --- content/rke/latest/en/upgrades/how-upgrades-work/_index.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/content/rke/latest/en/upgrades/how-upgrades-work/_index.md b/content/rke/latest/en/upgrades/how-upgrades-work/_index.md index b5dd4af8c4b..99eba360c5f 100644 --- a/content/rke/latest/en/upgrades/how-upgrades-work/_index.md +++ b/content/rke/latest/en/upgrades/how-upgrades-work/_index.md 
@@ -62,7 +62,7 @@ Because RKE addons are necessary for allowing traffic into the cluster, they wil For more information on configuring the number of replicas for each addon, refer to [this section.](#replicas-for-rke-addons) -For an example showing how to configure the addons, refer to the [example cluster.yml.](#example-cluster-yml) +For an example showing how to configure the addons, refer to the [example cluster.yml.]({{}}rke/latest/en/upgrades/configuring-strategy/#example-cluster-yml) {{% /tab %}} {{% tab "RKE prior to v1.1.0" %}} @@ -87,4 +87,4 @@ Worker nodes are upgraded simultaneously, in batches of either 50 or the total n When a worker node is upgraded, it restarts several Docker processes, including the `kubelet` and `kube-proxy`. When `kube-proxy` comes up, it flushes `iptables`. When this happens, pods on this node can’t be accessed, resulting in downtime for the applications. {{% /tab %}} -{{% /tabs %}} \ No newline at end of file +{{% /tabs %}} From 12b9b48f51cc5c71a1491acb5df0052eaf97dce0 Mon Sep 17 00:00:00 2001 From: Sebastiaan van Steenis Date: Wed, 1 Apr 2020 14:15:59 +0200 Subject: [PATCH 130/183] Describe Rancher log levels --- .../rancher/v2.x/en/faq/technical/_index.md | 50 +------------------ .../rancher/v2.x/en/troubleshooting/_index.md | 5 ++ .../v2.x/en/troubleshooting/logging/_index.md | 48 ++++++++++++++++++ 3 files changed, 54 insertions(+), 49 deletions(-) create mode 100644 content/rancher/v2.x/en/troubleshooting/logging/_index.md diff --git a/content/rancher/v2.x/en/faq/technical/_index.md b/content/rancher/v2.x/en/faq/technical/_index.md index d5b22464771..1340d9623e3 100644 --- a/content/rancher/v2.x/en/faq/technical/_index.md +++ b/content/rancher/v2.x/en/faq/technical/_index.md 
@@ -56,55 +56,7 @@ New password for default admin user (user-xxxxx): ### How can I enable debug logging? -* Docker Install - * Enable -``` -$ docker exec -ti loglevel --set debug -OK -$ docker logs -f -``` - - * Disable -``` -$ docker exec -ti loglevel --set info -OK -``` - -* Kubernetes install (Helm) - * Enable -``` -$ KUBECONFIG=./kube_config_rancher-cluster.yml -$ kubectl --kubeconfig $KUBECONFIG -n cattle-system get pods -l app=rancher | grep '1/1' | awk '{ print $1 }' | xargs -I{} kubectl --kubeconfig $KUBECONFIG -n cattle-system exec {} -- loglevel --set debug -OK -OK -OK -$ kubectl --kubeconfig $KUBECONFIG -n cattle-system logs -l app=rancher -``` - - * Disable -``` -$ KUBECONFIG=./kube_config_rancher-cluster.yml -$ kubectl --kubeconfig $KUBECONFIG -n cattle-system get pods -l app=rancher | grep '1/1' | awk '{ print $1 }' | xargs -I{} kubectl --kubeconfig $KUBECONFIG -n cattle-system exec {} -- loglevel --set info -OK -OK -OK -``` - -* Kubernetes install (RKE add-on) - * Enable -``` -$ KUBECONFIG=./kube_config_rancher-cluster.yml -$ kubectl --kubeconfig $KUBECONFIG exec -n cattle-system $(kubectl --kubeconfig $KUBECONFIG get pods -n cattle-system -o json | jq -r '.items[] | select(.spec.containers[].name=="cattle-server") | .metadata.name') -- loglevel --set debug -OK -$ kubectl --kubeconfig $KUBECONFIG logs -n cattle-system -f $(kubectl --kubeconfig $KUBECONFIG get pods -n cattle-system -o json | jq -r '.items[] | select(.spec.containers[].name="cattle-server") | .metadata.name') -``` - - * Disable -``` -$ KUBECONFIG=./kube_config_rancher-cluster.yml -$ kubectl --kubeconfig $KUBECONFIG exec -n cattle-system $(kubectl --kubeconfig $KUBECONFIG get pods -n cattle-system -o json | jq -r '.items[] | select(.spec.containers[].name=="cattle-server") | .metadata.name') -- loglevel --set info -OK -``` +See [Troubleshooting: Logging]({{}}/rancher/v2.x/en/troubleshooting/logging/) ### My ClusterIP does not respond to ping 
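Review bot: the replacement line `+See [Troubleshooting: Logging]` in this faq/technical hunk drops coverage for the "Kubernetes install (RKE add-on)" case, which the removed block handled by selecting the pod through the container name `cattle-server`; the troubleshooting/logging page created in the same commit documents only "Kubernetes install" with the `-l app=rancher` selector and "Docker Install". Either carry the RKE add-on commands over to the new page or state there that the label selector also applies to add-on installs. The new sentence is also missing its closing period.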
diff --git a/content/rancher/v2.x/en/troubleshooting/_index.md b/content/rancher/v2.x/en/troubleshooting/_index.md index aa6c57afe66..edb5fb4f061 100644 --- a/content/rancher/v2.x/en/troubleshooting/_index.md +++ b/content/rancher/v2.x/en/troubleshooting/_index.md @@ -35,3 +35,8 @@ This section contains information to help you troubleshoot issues when using Ran - [Imported clusters]({{}}/rancher/v2.x/en/troubleshooting/imported-clusters/) If you experience issues when [Importing Kubernetes Clusters]({{}}/rancher/v2.x/en/cluster-provisioning/imported-clusters/) + +- [Logging]({{}}/rancher/v2.x/en/troubleshooting/logging/) + + Read more about what log levels can be configured and how to configure a log level. + diff --git a/content/rancher/v2.x/en/troubleshooting/logging/_index.md b/content/rancher/v2.x/en/troubleshooting/logging/_index.md new file mode 100644 index 00000000000..50024334901 --- /dev/null +++ b/content/rancher/v2.x/en/troubleshooting/logging/_index.md 
@@ -0,0 +1,48 @@ +--- +title: Logging +weight: 110 +--- + +The following log levels are used in Rancher: + +| Name | Description | +|---------|-------------| +| `info` | Logs informational messages. This is the default log level. | +| `debug` | Logs more detailed messages that can be used to debug. | +| `trace` | Logs very detailed messages on internal functions. This is very verbose and can contain sensitive information. | + +### How to configure a log level + +* Kubernetes install + * Configure debug log level +``` +$ KUBECONFIG=./kube_config_rancher-cluster.yml +$ kubectl --kubeconfig $KUBECONFIG -n cattle-system get pods -l app=rancher | grep '1/1' | awk '{ print $1 }' | while read rancherpod; do kubectl --kubeconfig $KUBECONFIG -n cattle-system exec $rancherpod -- loglevel --set debug; done +OK +OK +OK +$ kubectl --kubeconfig $KUBECONFIG -n cattle-system logs -l app=rancher +``` + + * Configure info log level +``` +$ KUBECONFIG=./kube_config_rancher-cluster.yml +$ kubectl --kubeconfig $KUBECONFIG -n cattle-system get pods -l app=rancher | grep '1/1' | awk '{ print $1 }' | while read rancherpod; do kubectl --kubeconfig $KUBECONFIG -n cattle-system exec $rancherpod -- loglevel --set info; done +OK +OK +OK +``` + +* Docker Install + * Configure debug log level +``` +$ docker exec -ti loglevel --set debug +OK +$ docker logs -f +``` + + * Configure info log level +``` +$ docker exec -ti loglevel --set info +OK +``` From f335afbad817a1fd1b5865580939033511f9a354 Mon Sep 17 00:00:00 2001 From: Sebastiaan van Steenis Date: Wed, 1 Apr 2020 14:32:35 +0200 Subject: [PATCH 131/183] Fix RDS tutorial link in Set up Infrastructure --- .../v2.x/en/installation/k8s-install/create-nodes-lb/_index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/rancher/v2.x/en/installation/k8s-install/create-nodes-lb/_index.md b/content/rancher/v2.x/en/installation/k8s-install/create-nodes-lb/_index.md index 8fb2e197579..863ab0522eb 100644 
--- a/content/rancher/v2.x/en/installation/k8s-install/create-nodes-lb/_index.md +++ b/content/rancher/v2.x/en/installation/k8s-install/create-nodes-lb/_index.md @@ -40,7 +40,7 @@ For a high-availability K3s installation, you will need to set up one of the fol When you install Kubernetes using the K3s installation script, you will pass in details for K3s to connect to the database. -For an example of one way to set up the database, refer to this [tutorial](./rds) for setting up a MySQL database on Amazon's RDS service. +For an example of one way to set up the database, refer to this [tutorial]({{}}/rancher/v2.x/en/installation/options/rds/) for setting up a MySQL database on Amazon's RDS service. For the complete list of options that are available for configuring a K3s cluster datastore, refer to the [K3s documentation.]({{}}/k3s/latest/en/installation/datastore/) From 63ab07fe11a370fbdd074d2511af53488072430b Mon Sep 17 00:00:00 2001 From: Tejeev Date: Wed, 1 Apr 2020 13:38:24 +0100 Subject: [PATCH 132/183] Fixed link and clarified The first two sentences were confusing and the link was broken. I think this clarifies. --- content/rancher/v2.x/en/upgrades/upgrades/ha/helm2/_index.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/content/rancher/v2.x/en/upgrades/upgrades/ha/helm2/_index.md b/content/rancher/v2.x/en/upgrades/upgrades/ha/helm2/_index.md index f5d762cc5f5..da4d7ba5cd6 100644 --- a/content/rancher/v2.x/en/upgrades/upgrades/ha/helm2/_index.md +++ b/content/rancher/v2.x/en/upgrades/upgrades/ha/helm2/_index.md 
@@ -3,9 +3,9 @@ title: Upgrading Rancher Installed on Kubernetes with Helm 2 weight: 1050 --- -> After Helm 3 was released, the [instructions for upgrading Rancher on a Kubernetes cluster](./ha) were updated to use Helm 3. +> Helm 3 has been released. If you are using Helm 2, we recommend [migrating to Helm 3](https://helm.sh/blog/migrate-from-helm-v2-to-helm-v3/) because it is simpler to use and more secure than Helm 2. > -> If you are using Helm 2, we recommend [migrating to Helm 3](https://helm.sh/blog/migrate-from-helm-v2-to-helm-v3/) because it is simpler to use and more secure than Helm 2. +> The [current instructions for Upgrading Rancher Installed on Kubernetes](https://rancher.com/docs/rancher/v2.x/en/upgrades/upgrades/ha/) use Helm 3. > > This section provides a copy of the older instructions for upgrading Rancher with Helm 2, and it is intended to be used if upgrading to Helm 3 is not feasible. From 7d7c5976e52bbb17926b4f35dd5c1ee1acff52ed Mon Sep 17 00:00:00 2001 From: Catherine Luse Date: Wed, 1 Apr 2020 13:00:37 -0700 Subject: [PATCH 133/183] Fix link --- content/rancher/v2.x/en/upgrades/upgrades/ha/helm2/_index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/rancher/v2.x/en/upgrades/upgrades/ha/helm2/_index.md b/content/rancher/v2.x/en/upgrades/upgrades/ha/helm2/_index.md index f5d762cc5f5..2260c6988c5 100644 --- a/content/rancher/v2.x/en/upgrades/upgrades/ha/helm2/_index.md +++ b/content/rancher/v2.x/en/upgrades/upgrades/ha/helm2/_index.md 
@@ -3,7 +3,7 @@ title: Upgrading Rancher Installed on Kubernetes with Helm 2 weight: 1050 --- -> After Helm 3 was released, the [instructions for upgrading Rancher on a Kubernetes cluster](./ha) were updated to use Helm 3. +> After Helm 3 was released, the [instructions for upgrading Rancher on a Kubernetes cluster]({{}}/rancher/v2.x/en/upgrades/upgrades/ha) were updated to use Helm 3. > > If you are using Helm 2, we recommend [migrating to Helm 3](https://helm.sh/blog/migrate-from-helm-v2-to-helm-v3/) because it is simpler to use and more secure than Helm 2. > From a02c1d240f3bc4fbd40a5ab2a1348e99ee605dc7 Mon Sep 17 00:00:00 2001 From: Catherine Luse Date: Wed, 1 Apr 2020 13:14:10 -0700 Subject: [PATCH 134/183] Remove reference to Rancher in K3s doc --- .../latest/en/installation/installation-requirements/_index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/k3s/latest/en/installation/installation-requirements/_index.md b/content/k3s/latest/en/installation/installation-requirements/_index.md index 44e9bf5008f..ee053e09e0c 100644 --- a/content/k3s/latest/en/installation/installation-requirements/_index.md +++ b/content/k3s/latest/en/installation/installation-requirements/_index.md @@ -45,7 +45,7 @@ If you wish to utilize the metrics server, you will need to open port 10250 on e > **Important:** The VXLAN port on nodes should not be exposed to the world as it opens up your cluster network to be accessed by anyone. Run your nodes behind a firewall/security group that disables access to port 8472. -
    Inbound Rules for Rancher Server Nodes
    +
    Inbound Rules for K3s Server Nodes
    | Protocol | Port | Source | Description |-----|-----|----------------|---| From f698b97d3e4284e494efff4a767f22a88efcea20 Mon Sep 17 00:00:00 2001 From: Catherine Luse Date: Wed, 1 Apr 2020 13:15:36 -0700 Subject: [PATCH 135/183] Revert "WIP: Misc changes and improvements to K3s docs" --- .../en/installation/install-options/_index.md | 4 ++-- .../installation-requirements/_index.md | 16 ++-------------- 2 files changed, 4 insertions(+), 16 deletions(-) diff --git a/content/k3s/latest/en/installation/install-options/_index.md b/content/k3s/latest/en/installation/install-options/_index.md index 70b164b38aa..e2bc4a2dbb2 100644 --- a/content/k3s/latest/en/installation/install-options/_index.md +++ b/content/k3s/latest/en/installation/install-options/_index.md @@ -29,7 +29,7 @@ When using this method to install K3s, the following environment variables can b - `INSTALL_K3S_SYMLINK` - By default will create symlinks for the kubectl, crictl, and ctr binaries if the commands do not already exist in path. If set to 'skip' will not create symlinks and 'force' will overwrite. + If set to 'skip' will not create symlinks, 'force' will overwrite, default will symlink if command does not exist in path. - `INSTALL_K3S_SKIP_START` @@ -66,7 +66,7 @@ When using this method to install K3s, the following environment variables can b - `INSTALL_K3S_NAME` - Name of systemd service to create, will default to 'k3s' if running k3s as a server and 'k3s-agent' if running k3s as an agent. If specified the name will be prefixed with 'k3s-'. + Name of systemd service to create, will default from the K3s exec command if not specified. If specified the name will be prefixed with 'k3s-'. - `INSTALL_K3S_TYPE` diff --git a/content/k3s/latest/en/installation/installation-requirements/_index.md b/content/k3s/latest/en/installation/installation-requirements/_index.md index ee053e09e0c..13da6c3d7ce 100644 --- a/content/k3s/latest/en/installation/installation-requirements/_index.md 
+++ b/content/k3s/latest/en/installation/installation-requirements/_index.md @@ -37,24 +37,12 @@ K3s performance depends on the performance of the database. To ensure optimal sp ## Networking -The K3s server needs port 6443 to be accessible by the nodes. +The K3s server needs port 6443 to be accessible by the nodes. The nodes need to be able to reach other nodes over UDP port 8472 (Flannel VXLAN). If you do not use Flannel and provide your own custom CNI, then port 8472 is not needed by K3s. The node should not listen on any other port. K3s uses reverse tunneling such that the nodes make outbound connections to the server and all kubelet traffic runs through that tunnel. -The nodes need to be able to reach other nodes over UDP port 8472 when Flannel VXLAN is used. The node should not listen on any other port. K3s uses reverse tunneling such that the nodes make outbound connections to the server and all kubelet traffic runs through that tunnel. However, if you do not use Flannel and provide your own custom CNI, then port 8472 is not needed by K3s. +IMPORTANT: The VXLAN port on nodes should not be exposed to the world as it opens up your cluster network to be accessed by anyone. Run your nodes behind a firewall/security group that disabled access to port 8472. If you wish to utilize the metrics server, you will need to open port 10250 on each node. -> **Important:** The VXLAN port on nodes should not be exposed to the world as it opens up your cluster network to be accessed by anyone. Run your nodes behind a firewall/security group that disables access to port 8472. - -
    Inbound Rules for K3s Server Nodes
    - -| Protocol | Port | Source | Description -|-----|-----|----------------|---| -| TCP | 6443 | K3s server nodes | Kubernetes API -| UDP | 8472 | K3s server and agent nodes | Required only for Flannel VXLAN -| TCP | 10250 | K3s server and agent nodes | kubelet - -Typically all outbound traffic is allowed. - ## Large Clusters Hardware requirements are based on the size of your K3s cluster. For production and large clusters, we recommend using a high-availability setup with an external database. The following options are recommended for the external database in production: From b34a624e36a69ddbf9cb9245a64485309e49a595 Mon Sep 17 00:00:00 2001 From: Catherine Luse Date: Wed, 1 Apr 2020 13:38:30 -0700 Subject: [PATCH 136/183] Fix pipeline link --- .../rancher/v2.x/en/k8s-in-rancher/pipelines/example/_index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/rancher/v2.x/en/k8s-in-rancher/pipelines/example/_index.md b/content/rancher/v2.x/en/k8s-in-rancher/pipelines/example/_index.md index 0b756ed4de9..82e10d93ddf 100644 --- a/content/rancher/v2.x/en/k8s-in-rancher/pipelines/example/_index.md +++ b/content/rancher/v2.x/en/k8s-in-rancher/pipelines/example/_index.md @@ -7,7 +7,7 @@ aliases: Pipelines can be configured either through the UI or using a yaml file in the repository, i.e. `.rancher-pipeline.yml` or `.rancher-pipeline.yaml`. -In the [pipeline configuration docs](), we provide examples of each available feature within pipelines. Here is a full example for those who want to jump right in. +In the [pipeline configuration docs]({{}}/rancher/v2.x/en/k8s-in-rancher/pipelines/#pipeline-configuration), we provide examples of each available feature within pipelines. Here is a full example `rancher-pipeline.yml` for those who want to jump right in. ```yaml # example From b478606c09efed78b7c05500ec27b5d4b10e87d0 Mon Sep 17 00:00:00 2001 
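Review bot: in the first hunk of PATCH 129/183 (rke how-upgrades-work), the new link target `rke/latest/en/upgrades/configuring-strategy/#example-cluster-yml` follows the base URL shortcode without a leading slash, unlike the other base-URL links in this series, which continue with `/rancher/` or `/k3s/`; add the slash so the link is built the same way as the others.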
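Review bot: in the new troubleshooting/logging page of PATCH 130/183, the table warns that `trace` is very verbose and "can contain sensitive information", but the "How to configure a log level" steps cover only `--set debug` and `--set info`, and nothing tells the reader to return to `info` once troubleshooting is finished. Add a line after the debug steps saying to set the level back to `info` afterwards and to treat output captured at `trace` as sensitive before sharing it. The `grep '1/1'` filter also skips any Rancher pod that is not fully ready, so replicas can end up at different levels without the reader noticing; that deserves a sentence as well.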
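Review bot: PATCH 132/183 and PATCH 133/183 both rewrite the line beginning `> After Helm 3 was released` in upgrades/ha/helm2/_index.md from the same base blob `f5d762cc5f5`, so whichever is applied second will not apply cleanly; settle on one wording before merging. In 132 the added link `https://rancher.com/docs/rancher/v2.x/en/upgrades/upgrades/ha/` is a hard-coded absolute URL, while 133 fixes the same link with a base-URL-relative path; prefer the relative form so the link follows the site's configured base URL.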
From: Catherine Luse Date: Wed, 1 Apr 2020 17:32:16 -0700 Subject: [PATCH 137/183] Reorganize pipeline docs --- .../en/k8s-in-rancher/pipelines/_index.md | 857 ++++-------------- .../pipelines/concepts/_index.md | 36 + .../k8s-in-rancher/pipelines/config/_index.md | 658 ++++++++++++++ .../pipelines/docs-for-v2.0.x/_index.md | 1 + .../pipelines/example-repos/_index.md | 18 +- .../pipelines/example/_index.md | 4 +- .../pipelines/storage/_index.md | 103 +++ .../v2.x/en/project-admin/pipelines/_index.md | 346 +------ 8 files changed, 1003 insertions(+), 1020 deletions(-) create mode 100644 content/rancher/v2.x/en/k8s-in-rancher/pipelines/concepts/_index.md create mode 100644 content/rancher/v2.x/en/k8s-in-rancher/pipelines/config/_index.md rename content/rancher/v2.x/en/{project-admin => k8s-in-rancher}/pipelines/docs-for-v2.0.x/_index.md (98%) create mode 100644 content/rancher/v2.x/en/k8s-in-rancher/pipelines/storage/_index.md diff --git a/content/rancher/v2.x/en/k8s-in-rancher/pipelines/_index.md b/content/rancher/v2.x/en/k8s-in-rancher/pipelines/_index.md index bfe10301d3f..767ecc6bbac 100644 --- a/content/rancher/v2.x/en/k8s-in-rancher/pipelines/_index.md +++ b/content/rancher/v2.x/en/k8s-in-rancher/pipelines/_index.md 
@@ -6,36 +6,176 @@ aliases: --- +Rancher's pipeline provides a simple CI/CD experience. Use it to automatically checkout code, run builds or scripts, publish Docker images or catalog applications, and deploy the updated software to users. + +Setting up a pipeline can help developers deliver new software as quickly and efficiently as possible. Using Rancher, you can integrate with a GitHub repository to setup a continuous integration (CI) pipeline. + +After configuring Rancher and GitHub, you can deploy containers running Jenkins to automate a pipeline execution: + +- Build your application from code to image. +- Validate your builds. +- Deploy your build images to your cluster. +- Run unit tests. +- Run regression tests. + >**Notes:** > ->- Pipelines are new and improved for Rancher v2.1! Therefore, if you configured pipelines while using v2.0.x, you'll have to reconfigure them after upgrading to v2.1. ->- Still using v2.0.x? See the pipeline documentation for [previous versions]({{}}/rancher/v2.x/en/tools/pipelines/docs-for-v2.0.x). +>- Pipelines improved in Rancher v2.1. Therefore, if you configured pipelines while using v2.0.x, you'll have to reconfigure them after upgrading to v2.1. +>- Still using v2.0.x? See the pipeline documentation for [previous versions]({{}}/rancher/v2.x/en/k8s-in-rancher/pipelines/docs-for-v2.0.x). +>- Rancher's pipeline provides a simple CI/CD experience, but it does not offer the full power and flexibility of and is not a replacement of enterprise-grade Jenkins or other CI tools your team uses. -Before setting up any pipelines, review the [pipeline overview]({{}}/rancher/v2.x/en/project-admin/pipelines/) and ensure that the project has [configured authentication to your version control provider]({{}}/rancher/v2.x/en/project-admin/pipelines/#version-control-providers), e.g. GitHub, GitLab, Bitbucket. 
If you haven't configured a version control provider, you can always use [Rancher's example repositories]({{}}/rancher/v2.x/en/k8s-in-rancher/pipelines/example/) to view some common pipeline deployments. +This section covers the following topics: -If you can access a project, you can enable repositories to start building pipelines. Only an [administrator]({{}}/rancher/v2.x/en/admin-settings/rbac/global-permissions/), [cluster owner or member]({{}}/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/#cluster-roles), or [project owner]({{}}/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/#project-roles) can authorize version control providers. +- [Concepts](#concepts) +- [How Pipelines Work](#how-pipelines-work) +- [Roles-based Access Control for Pipelines](#roles-based-access-control-for-pipelines) +- [Setting up Pipelines](#setting-up-pipelines) + - [Configure version control providers](#1-configure-version-control-providers) + - [Configure repositories](#2-configure-repositories) + - [Configure the pipeline](#3-configure-the-pipeline) +- [Pipeline Configuration Reference](#pipeline-configuration-reference) +- [Running your Pipelines](#running-your-pipelines) +- [Triggering a Pipeline](#triggering-a-pipeline) + - [Modifying the Event Triggers for the Repository](#modifying-the-event-triggers-for-the-repository) -## Concepts +# Concepts -When setting up a pipeline, it's helpful to know a few related terms. +For an explanation of concepts and terminology used in this section, refer to [this page.]({{}}/rancher/v2.x/en/k8s-in-rancher/pipelines/concepts) -- **Pipeline:** +# How Pipelines Work - A pipeline consists of stages and steps. It is based on a specific repository. It defines the process to build, test, and deploy your code. Rancher uses the [pipeline as code](https://jenkins.io/doc/book/pipeline-as-code/) model. 
Pipeline configuration is represented as a pipeline file in the source code repository, using the file name `.rancher-pipeline.yml` or `.rancher-pipeline.yaml`. +After enabling the ability to use pipelines in a project, you can configure multiple pipelines in each project. Each pipeline is unique and can be configured independently. -- **Stages:** +A pipeline is configured off of a group of files that are checked into source code repositories. Users can configure their pipelines either through the Rancher UI or by adding a `.rancher-pipeline.yml` into the repository. - A pipeline stage consists of multiple steps. Stages are executed in the order defined in the pipeline file. The steps in a stage are executed concurrently. A stage starts when all steps in the former stage finish without failure. +Before pipelines can be configured, you will need to configure authentication to your version control provider, e.g. GitHub, GitLab, Bitbucket. If you haven't configured a version control provider, you can always use [Rancher's example repositories]({{}}/rancher/v2.x/en/k8s-in-rancher/pipelines/example-repos/) to view some common pipeline deployments. -- **Steps:** +When you configure a pipeline in one of your projects, a namespace specifically for the pipeline is automatically created. The following components are deployed to it: - A pipeline step is executed inside a specified stage. A step fails if it exits with a code other than `0`. If a step exits with this failure code, the entire pipeline fails and terminates. + - **Jenkins:** -- **Workspace:** + The pipeline's build engine. Because project users do not directly interact with Jenkins, it's managed and locked. - The workspace is the working directory shared by all pipeline steps. In the beginning of a pipeline, source code is checked out to the workspace. The command for every step bootstraps in the workspace. During a pipeline execution, the artifacts from a previous step will be available in future steps. 
The working directory is an ephemeral volume and will be cleaned out with the executor pod when a pipeline execution is finished. + >**Note:** There is no option to use existing Jenkins deployments as the pipeline engine. -## Configuring Repositories + - **Docker Registry:** + + Out-of-the-box, the default target for your build-publish step is an internal Docker Registry. However, you can make configurations to push to a remote registry instead. The internal Docker Registry is only accessible from cluster nodes and cannot be directly accessed by users. Images are not persisted beyond the lifetime of the pipeline and should only be used in pipeline runs. If you need to access your images outside of pipeline runs, please push to an external registry. + + - **Minio:** + + Minio storage is used to store the logs for pipeline executions. + + >**Note:** The managed Jenkins instance works statelessly, so don't worry about its data persistency. The Docker Registry and Minio instances use ephemeral volumes by default, which is fine for most use cases. If you want to make sure pipeline logs can survive node failures, you can configure persistent volumes for them, as described in [data persistency for pipeline components]({{}}/rancher/v2.x/en/k8s-in-rancher/pipelines/storage). + +# Roles-based Access Control for Pipelines + +If you can access a project, you can enable repositories to start building pipelines. + +Only [administrators]({{}}/rancher/v2.x/en/admin-settings/rbac/global-permissions/), [cluster owners or members]({{}}/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/#cluster-roles), or [project owners]({{}}/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/#project-roles) can configure version control providers and manage global pipeline execution settings. + +Project members can only configure repositories and pipelines. + +# Setting up Pipelines + +To set up pipelines, you will need to do the following: + +1. 
[Configure version control providers](#1-configure-version-control-providers) +2. [Configure repositories](#2-configure-repositories) +3. [Configure the pipeline](#3-configure-the-pipeline) + +### 1. Configure Version Control Providers + +Before you can start configuring a pipeline for your repository, you must configure and authorize a version control provider. + +| Provider | Available as of | +| --- | --- | +| GitHub | v2.0.0 | +| GitLab | v2.1.0 | +| Bitbucket | v2.2.0 | + +Select your provider's tab below and follow the directions. + +{{% tabs %}} +{{% tab "GitHub" %}} +1. From the **Global** view, navigate to the project that you want to configure pipelines. + +1. Select **Tools > Pipelines** in the navigation bar. In versions prior to v2.2.0, you can select **Resources > Pipelines**. + +1. Follow the directions displayed to **Setup a Github application**. Rancher redirects you to Github to setup an OAuth App in Github. + +1. From GitHub, copy the **Client ID** and **Client Secret**. Paste them into Rancher. + +1. If you're using GitHub for enterprise, select **Use a private github enterprise installation**. Enter the host address of your GitHub installation. + +1. Click **Authenticate**. + +{{% /tab %}} +{{% tab "GitLab" %}} + +_Available as of v2.1.0_ + +1. From the **Global** view, navigate to the project that you want to configure pipelines. + +1. Select **Tools > Pipelines** in the navigation bar. In versions prior to v2.2.0, you can select **Resources > Pipelines**. + +1. Follow the directions displayed to **Setup a GitLab application**. Rancher redirects you to GitLab. + +1. From GitLab, copy the **Application ID** and **Secret**. Paste them into Rancher. + +1. If you're using GitLab for enterprise setup, select **Use a private gitlab enterprise installation**. Enter the host address of your GitLab installation. + +1. Click **Authenticate**. + +>**Note:** +> 1. 
Pipeline uses Gitlab [v4 API](https://docs.gitlab.com/ee/api/v3_to_v4.html) and the supported Gitlab version is 9.0+. +> 2. If you use GitLab 10.7+ and your Rancher setup is in a local network, enable the **Allow requests to the local network from hooks and services** option in GitLab admin settings. +{{% /tab %}} +{{% tab "Bitbucket Cloud" %}} + +_Available as of v2.2.0_ + +1. From the **Global** view, navigate to the project that you want to configure pipelines. + +1. Select **Tools > Pipelines** in the navigation bar. + +1. Choose the **Use public Bitbucket Cloud** option. + +1. Follow the directions displayed to **Setup a Bitbucket Cloud application**. Rancher redirects you to Bitbucket to setup an OAuth consumer in Bitbucket. + +1. From Bitbucket, copy the consumer **Key** and **Secret**. Paste them into Rancher. + +1. Click **Authenticate**. + +{{% /tab %}} +{{% tab "Bitbucket Server" %}} + +_Available as of v2.2.0_ + +1. From the **Global** view, navigate to the project that you want to configure pipelines. + +1. Select **Tools > Pipelines** in the navigation bar. + +1. Choose the **Use private Bitbucket Server setup** option. + +1. Follow the directions displayed to **Setup a Bitbucket Server application**. + +1. Enter the host address of your Bitbucket server installation. + +1. Click **Authenticate**. + +>**Note:** +> Bitbucket server needs to do SSL verification when sending webhooks to Rancher. Please ensure that Rancher server's certificate is trusted by the Bitbucket server. There are two options: +> +> 1. Setup Rancher server with a certificate from a trusted CA. +> 1. If you're using self-signed certificates, import Rancher server's certificate to the Bitbucket server. For instructions, see the Bitbucket server documentation for [configuring self-signed certificates](https://confluence.atlassian.com/bitbucketserver/if-you-use-self-signed-certificates-938028692.html). 
+> +{{% /tab %}} +{{% /tabs %}} + +**Result:** After the version control provider is authenticated, you will be automatically re-directed to start configuring which repositories you want start using with a pipeline. + +### 2. Configure Repositories After the version control provider is authorized, you are automatically re-directed to start configuring which repositories that you want start using pipelines with. Even if someone else has set up the version control provider, you will see their repositories and can build a pipeline. 
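Review bot: The added "**Result:**" paragraph that closes "### 1. Configure Version Control Providers" repeats the unchanged first sentence of "### 2. Configure Repositories" directly below it ("After the version control provider is authorized, you are automatically re-directed to start configuring which repositories ..."), and both read "you want start using". Suggest dropping one of the two and fixing the wording to "you want to start using". Two smaller points in the same hunk: the headings jump from `# Setting up Pipelines` straight to `### 1. Configure Version Control Providers` with no `##` level in between, and the new intro list places "Deploy your build images to your cluster" ahead of "Run unit tests" and "Run regression tests", which reads as deploying before testing.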
@@ -53,187 +193,58 @@ After the version control provider is authorized, you are automatically re-direc **Results:** You have a list of repositories that you can start configuring pipelines for. -## Pipeline Configuration +### 3. Configure the Pipeline -Now that repositories are added to your project, you can start configuring the pipeline by adding automated stages and steps. For your convenience, there are multiple built-in [step types](#step-types) for dedicated tasks. +Now that repositories are added to your project, you can start configuring the pipeline by adding automated stages and steps. For your convenience, there are multiple built-in step types for dedicated tasks. 1. From the **Global** view, navigate to the project that you want to configure pipelines. 1. Click **Resources > Pipelines.** In versions prior to v2.3.0, click **Workloads > Pipelines.** -1. Find the repository that you want to set up a pipeline for. Pipelines can be configured either through the UI or using a yaml file in the repository, i.e. `.rancher-pipeline.yml` or `.rancher-pipeline.yaml`. Throughout the next couple of steps, we'll provide the options of how to do pipeline configuration through the UI or the YAML file. +1. Find the repository that you want to set up a pipeline for. + +1. Configure the pipeline through the UI or using a yaml file in the repository, i.e. `.rancher-pipeline.yml` or `.rancher-pipeline.yaml`. Pipeline configuration is split into stages and steps. Stages must fully complete before moving onto the next stage, but steps in a stage run concurrently. For each stage, you can add different step types. Note: As you build out each step, there are different advanced options based on the step type. Advanced options include trigger rules, environment variables, and secrets. 
For more information on configuring the pipeline through the UI or the YAML file, refer to the [pipeline configuration reference.]({{}}/rancher/v2.x/en/k8s-in-rancher/pipelines/config) * If you are going to use the UI, select the vertical **Ellipsis (...) > Edit Config** to configure the pipeline using the UI. After the pipeline is configured, you must view the YAML file and push it to the repository. - * If you are going to use the YAML file, select the vertical **Ellipsis (...) **View/Edit YAML** to configure the pipeline. If you choose to use a YAML file, you need to push it to the repository after any changes in order for it to be updated in the repository. - - >**Note:** When editing the pipeline configuration, it takes a few moments for Rancher to check for an existing pipeline configuration. + * If you are going to use the YAML file, select the vertical **Ellipsis (...) > View/Edit YAML** to configure the pipeline. If you choose to use a YAML file, you need to push it to the repository after any changes in order for it to be updated in the repository. When editing the pipeline configuration, it takes a few moments for Rancher to check for an existing pipeline configuration. 1. Select which `branch` to use from the list of branches. -1. Pipeline configuration is split into stages and [steps](#step-types). Remember that stages must fully complete before moving onto the next stage, but steps in a stage run concurrently. +1. _Available as of v2.2.0_ Optional: Set up notifications. - For each stage, you can add different step types. Learn more about how to configure each step type: +1. Set up the trigger rules for the pipeline. 
- - [Run Script](#run-script) - - [Build and Publish Images](#build-and-publish-images) - - [Publish Catalog Template](#publish-catalog-template) - - [Deploy YAML](#deploy-yaml) - - [Deploy Catalog App](#deploy-catalog-app) - - >**Note:** As you build out each step, there are different [advanced options](#advanced-options) based on the step type. - - {{% accordion id="stages-and-steps" label="Adding Stages and Steps" %}} -{{% tabs %}} -{{% tab "By UI" %}} -
    -If you haven't added any stages, click **Configure pipeline for this branch** to configure the pipeline through the UI. - -1. Add stages to your pipeline execution by clicking **Add Stage**. - - 1. Enter a **Name** for each stage of your pipeline. - 1. For each stage, you can configure [trigger rules](#trigger-rules) by clicking on **Show Advanced Options**. Note: this can always be updated at a later time. - -1. After you've created a stage, start [adding steps](#step-types) by clicking **Add a Step**. You can add multiple steps to each stage. -
    -
    -{{% /tab %}} -{{% tab "By YAML" %}} -
    -For each stage, you can add multiple steps. Read more about each [step type](#step-types) and the [advanced options](#advanced-options) to get all the details on how to configure the YAML. This is only a small example of how to have multiple stages with a singular step in each stage. - -```yaml -# example -stages: - - name: Build something - # Conditions for stages - when: - branch: master - event: [ push, pull_request ] - # Multiple steps run concurrently - steps: - - runScriptConfig: - image: busybox - shellScript: date -R - - name: Publish my image - steps: - - publishImageConfig: - dockerfilePath: ./Dockerfile - buildContext: . - tag: rancher/rancher:v2.0.0 - # Optionally push to remote registry - pushRemote: true - registry: reg.example.com -``` -
    -{{% /tab %}} -{{% /tabs %}} - {{% /accordion %}} - -1. _Available as of v2.2.0_ - - **Notifications:** Decide if you want to set up notifications for your pipeline. You can enable notifications to any [notifiers]({{}}/rancher/v2.x/en/cluster-admin/tools/notifiers/) based on the build status of a pipeline. Before enabling notifications, Rancher recommends [setting up notifiers]({{}}/rancher/v2.x/en/cluster-admin/tools/notifiers/#adding-notifiers) so it will be easy to add recipients immediately. - - {{% accordion id="notification" label="Configuring Notifications" %}} - - -{{% tabs %}} -{{% tab "By UI" %}} -
    -_Available as of v2.2.0_ - -1. Within the **Notification** section, turn on notifications by clicking **Enable**. - -1. Select the conditions for the notification. You can select to get a notification for the following statuses: `Failed`, `Success`, `Changed`. For example, if you want to receive notifications when an execution fails, select **Failed**. - -1. If you don't have any existing [notifiers]({{}}/rancher/v2.x/en/cluster-admin/tools/notifiers), Rancher will provide a warning that no notifiers are set up and provide a link to be able to go to the notifiers page. Follow the [instructions]({{}}/rancher/v2.x/en/cluster-admin/tools/notifiers/#adding-notifiers) to add a notifier. If you already have notifiers, you can add them to the notification by clicking the **Add Recipient** button. - - > **Note:** Notifiers are configured at a cluster level and require a different level of permissions. - -1. For each recipient, select which notifier type from the dropdown. Based on the type of notifier, you can use the default recipient or override the recipient with a different one. For example, if you have a notifier for _Slack_, you can update which channel to send the notification to. You can add additional notifiers by clicking **Add Recipient**. -
    -
    -{{% /tab %}} -{{% tab "By YAML" %}} -
    -_Available as of v2.2.0_ - -In the `notification` section, you will provide the following information: - -* **Recipients:** This will be the list of notifiers/recipients that will receive the notification. - * **Notifier:** The ID of the notifier. This can be found by finding the notifier and selecting **View in API** to get the ID. - * **Recipient:** Depending on the type of the notifier, the "default recipient" can be used or you can override this with a different recipient. For example, when configuring a slack notifier, you select a channel as your default recipient, but if you wanted to send notifications to a different channel, you can select a different recipient. -* **Condition:** Select which conditions of when you want the notification to be sent. -* **Message (Optional):** If you want to change the default notification message, you can edit this in the yaml. Note: This option is not available in the UI. - -```yaml -# Example -stages: - - name: Build something - steps: - - runScriptConfig: - image: busybox - shellScript: ls -notification: - recipients: - - # Recipient - recipient: "#mychannel" - # ID of Notifier - notifier: "c-wdcsr:n-c9pg7" - - recipient: "test@example.com" - notifier: "c-wdcsr:n-lkrhd" - # Select which statuses you want the notification to be sent - condition: ["Failed", "Success", "Changed"] - # Ability to override the default message (Optional) - message: "my-message" -``` -
    -{{% /tab %}} -{{% /tabs %}} - - {{% /accordion %}} - -1. Set up the **[Trigger Rules](#trigger-rules)** for the pipeline. - -1. Enter a **Timeout** for the pipeline. By default, each pipeline execution has a timeout of 60 minutes. If the pipeline execution cannot complete within its timeout period, the pipeline is aborted. - - {{% accordion id="timeout" label="Setting up Timeout" %}} - -{{% tabs %}} -{{% tab "By UI" %}} -
    -Enter a new value in the **Timeout** field. -
    -
    -{{% /tab %}} -{{% tab "By YAML" %}} -
    -In the `timeout` section, enter the timeout value in minutes. -```yaml -# example -stages: - - name: Build something - steps: - - runScriptConfig: - image: busybox - shellScript: ls -# timeout in minutes -timeout: 30 -``` -
    -{{% /tab %}} -{{% /tabs %}} - - {{% /accordion %}} +1. Enter a **Timeout** for the pipeline. 1. When all the stages and steps are configured, click **Done**. **Results:** Your pipeline is now configured and ready to be run. -## Running your Pipelines + +# Pipeline Configuration Reference + +Refer to [this page]({{}}/rancher/v2.x/en/k8s-in-rancher/pipelines/config) for details on how to configure a pipeline to: + +- Run a script +- Build and publish images +- Publish catalog templates +- Deploy YAML +- Deploy a catalog app + +The configuration reference also covers how to configure: + +- Notifications +- Timeouts +- The rules that trigger a pipeline +- Environment variables +- Secrets + + +# Running your Pipelines Run your pipeline for the first time. From the project view in Rancher, go to **Resources > Pipelines.** (In versions prior to v2.3.0, go to the **Pipelines** tab.) Find your pipeline and select the vertical **Ellipsis (...) > Run**. -During this initial run, your pipeline is tested, and the following [pipeline components]({{}}/rancher/v2.x/en/project-admin/pipelines/#how-pipelines-work) are deployed to your project as workloads in a new namespace dedicated to the pipeline: +During this initial run, your pipeline is tested, and the following pipeline components are deployed to your project as workloads in a new namespace dedicated to the pipeline: - `docker-registry` - `jenkins` @@ -241,7 +252,7 @@ During this initial run, your pipeline is tested, and the following [pipeline co This process takes several minutes. When it completes, you can view each pipeline component from the project **Workloads** tab. -## Pipeline Setting +# Triggering a Pipeline When a repository is enabled, a webhook is automatically set in the version control provider. By default, the pipeline is triggered by a **push** event to a repository, but you can modify the event(s) that trigger running the pipeline. 
@@ -251,7 +262,7 @@ Available Events: * **Pull Request**: Whenever a pull request is made to the repository, the pipeline is triggered. * **Tag**: When a tag is created in the repository, the pipeline is triggered. -> **Note:** This option doesn't exist for Rancher's [example repositories]({{}}/rancher/v2.x/en/k8s-in-rancher/pipelines/example/). +> **Note:** This option doesn't exist for Rancher's [example repositories]({{}}/rancher/v2.x/en/k8s-in-rancher/pipelines/example-repos/). ### Modifying the Event Triggers for the Repository @@ -263,494 +274,4 @@ Available Events: 1. Select which event triggers (**Push**, **Pull Request** or **Tag**) you want for the repository. -1. Click **Save**. - -## Step Types - -Within each stage, you can add as many steps as you'd like. When there are multiple steps in one stage, they run concurrently. - -- [Run Script](#run-script) -- [Build and Publish Images](#build-and-publish-images) -- [Publish Catalog Template](#publish-catalog-template) -- [Deploy YAML](#deploy-yaml) -- [Deploy Catalog App](#deploy-catalog-app) - - - -### Run Script - -The **Run Script** step executes arbitrary commands in the workspace inside a specified container. You can use it to build, test and do more, given whatever utilities the base image provides. For your convenience, you can use variables to refer to metadata of a pipeline execution. Please refer to the [pipeline variable substitution reference](#pipeline-variable-substitution-reference) for the list of available variables. - -{{% tabs %}} - -{{% tab "By UI" %}} - -1. From the **Step Type** drop-down, choose **Run Script** and fill in the form. - -1. Click **Add**. - -{{% /tab %}} - -{{% tab "By YAML" %}} -
    -```yaml -# example -stages: -- name: Build something - steps: - - runScriptConfig: - image: golang - shellScript: go build -``` -
    -{{% /tab %}} - -{{% /tabs %}} - -### Build and Publish Images - -The **Build and Publish Image** step builds and publishes a Docker image. This process requires a Dockerfile in your source code's repository to complete successfully. - -_Available as of Rancher v2.1.0_ - -The option to publish an image to an insecure registry is not exposed in the UI, but you can specify an environment variable in the YAML that allows you to publish an image insecurely. - -{{% tabs %}} - -{{% tab "By UI" %}} -1. From the **Step Type** drop-down, choose **Build and Publish**. - -1. Fill in the rest of the form. Descriptions for each field are listed below. When you're done, click **Add**. - - Field | Description | - ---------|----------| - Dockerfile Path | The relative path to the Dockerfile in the source code repo. By default, this path is `./Dockerfile`, which assumes the Dockerfile is in the root directory. You can set it to other paths in different use cases (`./path/to/myDockerfile` for example). | - Image Name | The image name in `name:tag` format. The registry address is not required. For example, to build `example.com/repo/my-image:dev`, enter `repo/my-image:dev`. | - Push image to remote repository | An option to set the registry that publishes the image that's built. To use this option, enable it and choose a registry from the drop-down. If this option is disabled, the image is pushed to the internal registry. | - Build Context

    (**Show advanced options**)| By default, the root directory of the source code (`.`). For more details, see the Docker [build command documentation](https://docs.docker.com/engine/reference/commandline/build/). - -{{% /tab %}} - -{{% tab "By YAML" %}} - -You can use specific arguments for Docker daemon and the build. They are not exposed in the UI, but they are available in pipeline YAML format, as indicated in the example below. Available environment variables include: - -Variable Name | Description -------------------------|------------------------------------------------------------ -PLUGIN_DRY_RUN | Disable docker push -PLUGIN_DEBUG | Docker daemon executes in debug mode -PLUGIN_MIRROR | Docker daemon registry mirror -PLUGIN_INSECURE | Docker daemon allows insecure registries -PLUGIN_BUILD_ARGS | Docker build args, a comma separated list - -
    -```yaml -# This example shows an environment variable being used -# in the Publish Image step. This variable allows you to -# publish an image to an insecure registry: - -stages: -- name: Publish Image - steps: - - publishImageConfig: - dockerfilePath: ./Dockerfile - buildContext: . - tag: repo/app:v1 - pushRemote: true - registry: example.com - env: - PLUGIN_INSECURE: "true" -``` -
    -{{% /tab %}} - -{{% /tabs %}} - -### Publish Catalog Template - -_Available as of v2.2.0_ - -The **Publish Catalog Template** step publishes a version of a catalog app template (i.e. Helm chart) to a [git hosted chart repository]({{}}/rancher/v2.x/en/catalog/custom/). It generates a git commit and pushes it to your chart repository. This process requires a chart folder in your source code's repository and a pre-configured secret in the dedicated pipeline namespace to complete successfully. Any variables in the [pipeline variable substitution reference](#pipeline-variable-substitution-reference) is supported for any file in the chart folder. - -{{% tabs %}} - -{{% tab "By UI" %}} -
    - -1. From the **Step Type** drop-down, choose **Publish Catalog Template**. - -1. Fill in the rest of the form. Descriptions for each field are listed below. When you're done, click **Add**. - - Field | Description | - ---------|----------| - Chart Folder | The relative path to the chart folder in the source code repo, where the `Chart.yaml` file is located. | - Catalog Template Name | The name of the template. For example, wordpress. | - Catalog Template Version | The version of the template you want to publish, it should be consistent with the version defined in the `Chart.yaml` file. | - Protocol | You can choose to publish via HTTP(S) or SSH protocol. | - Secret | The secret that stores your Git credentials. You need to create a secret in dedicated pipeline namespace in the project before adding this step. If you use HTTP(S) protocol, store Git username and password in `USERNAME` and `PASSWORD` key of the secret. If you use SSH protocol, store Git deploy key in `DEPLOY_KEY` key of the secret. After the secret is created, select it in this option. | - Git URL | The Git URL of the chart repository that the template will be published to. | - Git Branch | The Git branch of the chart repository that the template will be published to. | - Author Name | The author name used in the commit message. | - Author Email | The author email used in the commit message. | - - -{{% /tab %}} - -{{% tab "By YAML" %}} -
    -You can add **Publish Catalog Template** steps directly in the `.rancher-pipeline.yml` file. - -Under the `steps` section, add a step with `publishCatalogConfig`. You will provide the following information: - -* Path: The relative path to the chart folder in the source code repo, where the `Chart.yaml` file is located. -* CatalogTemplate: The name of the template. -* Version: The version of the template you want to publish, it should be consistent with the version defined in the `Chart.yaml` file. -* GitUrl: The git URL of the chart repository that the template will be published to. -* GitBranch: The git branch of the chart repository that the template will be published to. -* GitAuthor: The author name used in the commit message. -* GitEmail: The author email used in the commit message. -* Credentials: You should provide Git credentials by referencing secrets in dedicated pipeline namespace. If you publish via SSH protocol, inject your deploy key to the `DEPLOY_KEY` environment variable. If you publish via HTTP(S) protocol, inject your username and password to `USERNAME` and `PASSWORD` environment variables. - -```yaml -# example -stages: -- name: Publish Wordpress Template - steps: - - publishCatalogConfig: - path: ./charts/wordpress/latest - catalogTemplate: wordpress - version: ${CICD_GIT_TAG} - gitUrl: git@github.com:myrepo/charts.git - gitBranch: master - gitAuthor: example-user - gitEmail: user@example.com - envFrom: - - sourceName: publish-keys - sourceKey: DEPLOY_KEY -``` - -
    -{{% /tab %}} - -{{% /tabs %}} - -### Deploy YAML - -This step deploys arbitrary Kubernetes resources to the project. This deployment requires a Kubernetes manifest file to be present in the source code repository. Pipeline variable substitution is supported in the manifest file. You can view an example file at [GitHub](https://github.com/rancher/pipeline-example-go/blob/master/deployment.yaml). Please refer to the [pipeline variable substitution reference](#pipeline-variable-substitution-reference) for the list of available variables. - -{{% tabs %}} - -{{% tab "By UI" %}} - -1. From the **Step Type** drop-down, choose **Deploy YAML** and fill in the form. - -1. Enter the **YAML Path**, which is the path to the manifest file in the source code. - -1. Click **Add**. - -{{% /tab %}} - -{{% tab "By YAML" %}} -
    -```yaml -# example -stages: -- name: Deploy - steps: - - applyYamlConfig: - path: ./deployment.yaml -``` -
    -{{% /tab %}} - -{{% /tabs %}} - -### Deploy Catalog App - -_Available as of v2.2.0_ - -The **Deploy Catalog App** step deploys a catalog app in the project. It will install a new app if it is not present, or upgrade an existing one. - -{{% tabs %}} - -{{% tab "By UI" %}} - -1. From the **Step Type** drop-down, choose **Deploy Catalog App**. - -1. Fill in the rest of the form. Descriptions for each field are listed below. When you're done, click **Add**. - - Field | Description | - ---------|----------| - Catalog | The catalog from which the app template will be used. | - Template Name | The name of the app template. For example, wordpress. | - Template Version | The version of the app template you want to deploy. | - Namespace | The target namespace where you want to deploy the app. | - App Name | The name of the app you want to deploy. | - Answers | Key-value pairs of answers used to deploy the app. | - - -{{% /tab %}} - -{{% tab "By YAML" %}} -
    -You can add **Deploy Catalog App** steps directly in the `.rancher-pipeline.yml` file. - -Under the `steps` section, add a step with `applyAppConfig`. You will provide the following information: - -* CatalogTemplate: The ID of the template. This can be found by clicking `Launch app` and selecting `View details` for the app. It is the last part of the URL. -* Version: The version of the template you want to deploy. -* Answers: Key-value pairs of answers used to deploy the app. -* Name: The name of the app you want to deploy. -* TargetNamespace: The target namespace where you want to deploy the app. - -```yaml -# example -stages: -- name: Deploy App - steps: - - applyAppConfig: - catalogTemplate: cattle-global-data:library-mysql - version: 0.3.8 - answers: - persistence.enabled: "false" - name: testmysql - targetNamespace: test -``` -
    -{{% /tab %}} -{{% /tabs %}} - -## Advanced Options - -Within a pipeline, there are multiple advanced options for different parts of the pipeline. - -- [Trigger Rules](#trigger-rules) -- [Environment Variables](#environment-variables) -- [Secrets](#secrets) - -### Trigger Rules - -Trigger rules can be created to have fine-grained control of pipeline executions in your pipeline configuration. Trigger rules come in two types: - -- **Run this when:** - - This type of rule starts the pipeline, stage, or step when a trigger explicitly occurs. - -- **Do Not Run this when:** - - This type of rule skips the pipeline, stage, or step when a trigger explicitly occurs. - -If all conditions evaluate to `true`, then the pipeline/stage/step is executed. Otherwise it is skipped. When a pipeline is skipped, none of the pipeline is executed. When a stage/step is skipped, it is considered successful and follow-up stages/steps continue to run. - -Wildcard character (`*`) expansion is supported in `branch` conditions. - -{{% tabs %}} -{{% tab "Pipeline Trigger" %}} - -1. From the **Global** view, navigate to the project that you want to configure a pipeline trigger rule. - -1. Click **Resources > Pipelines.** In versions prior to v2.3.0, click **Workloads > Pipelines.** - -1. From the repository for which you want to manage trigger rules, select the vertical **Ellipsis (...) > Edit Config**. - -1. Click on **Show Advanced Options**. - -1. In the **Trigger Rules** section, configure rules to run or skip the pipeline. - - 1. Click **Add Rule**. In the **Value** field, enter the name of the branch that triggers the pipeline. - - 1. **Optional:** Add more branches that trigger a build. - -1. Click **Done.** - -{{% /tab %}} -{{% tab "Stage Trigger" %}} -1. From the **Global** view, navigate to the project that you want to configure a stage trigger rule. - -1. Click **Resources > Pipelines.** In versions prior to v2.3.0, click **Workloads > Pipelines.** - -1. 
From the repository for which you want to manage trigger rules, select the vertical **Ellipsis (...) > Edit Config**. - -1. Find the **stage** that you want to manage trigger rules, click the **Edit** icon for that stage. - -1. Click **Show advanced options**. - -1. In the **Trigger Rules** section, configure rules to run or skip the stage. - - 1. Click **Add Rule**. - - 1. Choose the **Type** that triggers the stage and enter a value. - - | Type | Value | - | ------ | -------------------------------------------------------------------- | - | Branch | The name of the branch that triggers the stage. | - | Event | The type of event that triggers the stage. Values are: `Push`, `Pull Request`, `Tag` | - -1. Click **Save**. - -{{% /tab %}} -{{% tab "Step Trigger" %}} -1. From the **Global** view, navigate to the project that you want to configure a stage trigger rule. - -1. Click **Resources > Pipelines.** In versions prior to v2.3.0, click **Workloads > Pipelines.** - -1. From the repository for which you want to manage trigger rules, select the vertical **Ellipsis (...) > Edit Config**. - -1. Find the **step** that you want to manage trigger rules, click the **Edit** icon for that step. - -1. Click **Show advanced options**. - -1. In the **Trigger Rules** section, configure rules to run or skip the step. - - 1. Click **Add Rule**. - - 1. Choose the **Type** that triggers the step and enter a value. - - | Type | Value | - | ------ | -------------------------------------------------------------------- | - | Branch | The name of the branch that triggers the step. | - | Event | The type of event that triggers the step. Values are: `Push`, `Pull Request`, `Tag` | - -1. Click **Save**. - -{{% /tab %}} -{{% tab "By YAML" %}} -
    -```yaml -# example -stages: - - name: Build something - # Conditions for stages - when: - branch: master - event: [ push, pull_request ] - # Multiple steps run concurrently - steps: - - runScriptConfig: - image: busybox - shellScript: date -R - # Conditions for steps - when: - branch: [ master, dev ] - event: push -# branch conditions for the pipeline -branch: - include: [ master, feature/*] - exclude: [ dev ] -``` -
    -{{% /tab %}} -{{% /tabs %}} - -### Environment Variables - -When configuring a pipeline, certain [step types](#step-types) allow you to use environment variables to configure the step's script. - -{{% tabs %}} -{{% tab "By UI" %}} -1. From the **Global** view, navigate to the project that you want to configure pipelines. - -1. Click **Resources > Pipelines.** In versions prior to v2.3.0, click **Workloads > Pipelines.** - -1. From the pipeline for which you want to edit build triggers, select **Ellipsis (...) > Edit Config**. - -1. Within one of the stages, find the **step** that you want to add an environment variable for, click the **Edit** icon. - -1. Click **Show advanced options**. - -1. Click **Add Variable**, and then enter a key and value in the fields that appear. Add more variables if needed. - -1. Add your environment variable(s) into either the script or file. - -1. Click **Save**. - -{{% /tab %}} - -{{% tab "By YAML" %}} -
    -```yaml -# example -stages: - - name: Build something - steps: - - runScriptConfig: - image: busybox - shellScript: echo ${FIRST_KEY} && echo ${SECOND_KEY} - env: - FIRST_KEY: VALUE - SECOND_KEY: VALUE2 -``` -
    -{{% /tab %}} - -{{% /tabs %}} - -### Secrets - -If you need to use security-sensitive information in your pipeline scripts (like a password), you can pass them in using Kubernetes [secrets]({{}}/rancher/v2.x/en/k8s-in-rancher/secrets/). - -#### Prerequisite -Create a secret in the same project as your pipeline, or explicitly in the namespace where pipeline build pods run. -
    - ->**Note:** Secret injection is disabled on [pull request events](#pipeline-setting). - -{{% tabs %}} -{{% tab "By UI" %}} -1. From the **Global** view, navigate to the project that you want to configure pipelines. - -1. Click **Resources > Pipelines.** In versions prior to v2.3.0, click **Workloads > Pipelines.** - -1. From the pipeline for which you want to edit build triggers, select **Ellipsis (...) > Edit Config**. - -1. Within one of the stages, find the **step** that you want to use a secret for, click the **Edit** icon. - -1. Click **Show advanced options**. - -1. Click **Add From Secret**. Select the secret file that you want to use. Then choose a key. Optionally, you can enter an alias for the key. - -1. Click **Save**. - -{{% /tab %}} -{{% tab "By YAML" %}} -
    -```yaml -# example -stages: - - name: Build something - steps: - - runScriptConfig: - image: busybox - shellScript: echo ${ALIAS_ENV} - # environment variables from project secrets - envFrom: - - sourceName: my-secret - sourceKey: secret-key - targetKey: ALIAS_ENV -``` -
    -{{% /tab %}} -{{% /tabs %}} - -## Pipeline Variable Substitution Reference - -For your convenience, the following variables are available for your pipeline configuration scripts. During pipeline executions, these variables are replaced by metadata. You can reference them in the form of `${VAR_NAME}`. - -Variable Name | Description -------------------------|------------------------------------------------------------ -`CICD_GIT_REPO_NAME` | Repository name (Github organization omitted). -`CICD_GIT_URL` | URL of the Git repository. -`CICD_GIT_COMMIT` | Git commit ID being executed. -`CICD_GIT_BRANCH` | Git branch of this event. -`CICD_GIT_REF` | Git reference specification of this event. -`CICD_GIT_TAG` | Git tag name, set on tag event. -`CICD_EVENT` | Event that triggered the build (`push`, `pull_request` or `tag`). -`CICD_PIPELINE_ID` | Rancher ID for the pipeline. -`CICD_EXECUTION_SEQUENCE` | Build number of the pipeline. -`CICD_EXECUTION_ID` | Combination of `{CICD_PIPELINE_ID}-{CICD_EXECUTION_SEQUENCE}`. -`CICD_REGISTRY` | Address for the Docker registry for the previous publish image step, available in the Kubernetes manifest file of a `Deploy YAML` step. -`CICD_IMAGE` | Name of the image built from the previous publish image step, available in the Kubernetes manifest file of a `Deploy YAML` step. It does not contain the image tag.

    [Example](https://github.com/rancher/pipeline-example-go/blob/master/deployment.yaml) +1. Click **Save**. \ No newline at end of file diff --git a/content/rancher/v2.x/en/k8s-in-rancher/pipelines/concepts/_index.md b/content/rancher/v2.x/en/k8s-in-rancher/pipelines/concepts/_index.md new file mode 100644 index 00000000000..db8e3a24a58 --- /dev/null +++ b/content/rancher/v2.x/en/k8s-in-rancher/pipelines/concepts/_index.md 
@@ -0,0 +1,36 @@ +--- +title: Concepts +weight: 1 +--- + +The purpose of this page is to explain common concepts and terminology related to pipelines. + +- **Pipeline:** + + A _pipeline_ is a software delivery process that is broken into different stages and steps. Setting up a pipeline can help developers deliver new software as quickly and efficiently as possible. Within Rancher, you can configure pipelines for each of your Rancher projects. A pipeline is based on a specific repository. It defines the process to build, test, and deploy your code. Rancher uses the [pipeline as code](https://jenkins.io/doc/book/pipeline-as-code/) model. Pipeline configuration is represented as a pipeline file in the source code repository, using the file name `.rancher-pipeline.yml` or `.rancher-pipeline.yaml`. + +- **Stages:** + + A pipeline stage consists of multiple steps. Stages are executed in the order defined in the pipeline file. The steps in a stage are executed concurrently. A stage starts when all steps in the former stage finish without failure. + +- **Steps:** + + A pipeline step is executed inside a specified stage. A step fails if it exits with a code other than `0`. If a step exits with this failure code, the entire pipeline fails and terminates. + +- **Workspace:** + + The workspace is the working directory shared by all pipeline steps. In the beginning of a pipeline, source code is checked out to the workspace. The command for every step bootstraps in the workspace. During a pipeline execution, the artifacts from a previous step will be available in future steps. The working directory is an ephemeral volume and will be cleaned out with the executor pod when a pipeline execution is finished. + +Typically, pipeline stages include: + +- **Build:** + + Each time code is checked into your repository, the pipeline automatically clones the repo and builds a new iteration of your software. Throughout this process, the software is typically reviewed by automated tests. 
+ +- **Publish:** + + After the build is completed, either a Docker image is built and published to a Docker registry or a catalog template is published. + +- **Deploy:** + + After the artifacts are published, you would release your application so users could start using the updated product. \ No newline at end of file diff --git a/content/rancher/v2.x/en/k8s-in-rancher/pipelines/config/_index.md b/content/rancher/v2.x/en/k8s-in-rancher/pipelines/config/_index.md new file mode 100644 index 00000000000..9bffc8eb1ee --- /dev/null +++ b/content/rancher/v2.x/en/k8s-in-rancher/pipelines/config/_index.md 
@@ -0,0 +1,658 @@ +--- +title: Pipeline Configuration Reference +weight: 1 +--- + +In this section, you'll learn how to configure pipelines. + +- [Step Types](#step-types) +- [Step Type: Run Script](#step-type-run-script) +- [Step Type: Build and Publish Images](#step-type-build-and-publish-images) +- [Step Type: Publish Catalog Template](#step-type-publish-catalog-template) +- [Step Type: Deploy YAML](#step-type-deploy-yaml) +- [Step Type: Deploy Catalog App](#step-type-deploy-catalog-app) +- [Notifications](#notifications) +- [Timeouts](#timeouts) +- [Triggers and Trigger Rules](#triggers-and-trigger-rules) +- [Environment Variables](#environment-variables) +- [Secrets](#secrets) +- [Pipeline Variable Substitution Reference](#pipeline-variable-substitution-reference) +- [Global Pipeline Execution Settings](#global-pipeline-execution-settings) + - [Executor Quota](#executor-quota) + - [Resource Quota for Executors](#resource-quota-for-executors) + - [Custom CA](#custom-ca) +- [Persistent Data for Pipeline Components](#persistent-data-for-pipeline-components) +- [Example rancher-pipeline.yml](#example-rancher-pipeline-yml) + +# Step Types + +Within each stage, you can add as many steps as you'd like. When there are multiple steps in one stage, they run concurrently. + +Step types include: + +- [Run Script](#step-type-run-script) +- [Build and Publish Images](#step-type-build-and-publish-images) +- [Publish Catalog Template](#step-type-publish-catalog-template) +- [Deploy YAML](#step-type-deploy-yaml) +- [Deploy Catalog App](#step-type-deploy-catalog-app) + + + +### Configuring Steps By UI + +If you haven't added any stages, click **Configure pipeline for this branch** to configure the pipeline through the UI. + +1. Add stages to your pipeline execution by clicking **Add Stage**. + + 1. Enter a **Name** for each stage of your pipeline. + 1. For each stage, you can configure [trigger rules](#triggers-and-trigger-rules) by clicking on **Show Advanced Options**. 
Note: this can always be updated at a later time. + +1. After you've created a stage, start [adding steps](#step-types) by clicking **Add a Step**. You can add multiple steps to each stage. + +### Configuring Steps by YAML + +For each stage, you can add multiple steps. Read more about each [step type](#step-types) and the advanced options to get all the details on how to configure the YAML. This is only a small example of how to have multiple stages with a singular step in each stage. + +```yaml +# example +stages: + - name: Build something + # Conditions for stages + when: + branch: master + event: [ push, pull_request ] + # Multiple steps run concurrently + steps: + - runScriptConfig: + image: busybox + shellScript: date -R + - name: Publish my image + steps: + - publishImageConfig: + dockerfilePath: ./Dockerfile + buildContext: . + tag: rancher/rancher:v2.0.0 + # Optionally push to remote registry + pushRemote: true + registry: reg.example.com +``` +# Step Type: Run Script + +The **Run Script** step executes arbitrary commands in the workspace inside a specified container. You can use it to build, test and do more, given whatever utilities the base image provides. For your convenience, you can use variables to refer to metadata of a pipeline execution. Please refer to the [pipeline variable substitution reference](#pipeline-variable-substitution-reference) for the list of available variables. + +### Configuring Script by UI + +1. From the **Step Type** drop-down, choose **Run Script** and fill in the form. + +1. Click **Add**. + +### Configuring Script by YAML +```yaml +# example +stages: +- name: Build something + steps: + - runScriptConfig: + image: golang + shellScript: go build +``` +# Step Type: Build and Publish Images + +_Available as of Rancher v2.1.0_ + +The **Build and Publish Image** step builds and publishes a Docker image. This process requires a Dockerfile in your source code's repository to complete successfully. 
+ +The option to publish an image to an insecure registry is not exposed in the UI, but you can specify an environment variable in the YAML that allows you to publish an image insecurely. + +### Configuring Building and Publishing Images by UI +1. From the **Step Type** drop-down, choose **Build and Publish**. + +1. Fill in the rest of the form. Descriptions for each field are listed below. When you're done, click **Add**. + + Field | Description | + ---------|----------| + Dockerfile Path | The relative path to the Dockerfile in the source code repo. By default, this path is `./Dockerfile`, which assumes the Dockerfile is in the root directory. You can set it to other paths in different use cases (`./path/to/myDockerfile` for example). | + Image Name | The image name in `name:tag` format. The registry address is not required. For example, to build `example.com/repo/my-image:dev`, enter `repo/my-image:dev`. | + Push image to remote repository | An option to set the registry that publishes the image that's built. To use this option, enable it and choose a registry from the drop-down. If this option is disabled, the image is pushed to the internal registry. | + Build Context

    (**Show advanced options**)| By default, the root directory of the source code (`.`). For more details, see the Docker [build command documentation](https://docs.docker.com/engine/reference/commandline/build/). + +### Configuring Building and Publishing Images by YAML + +You can use specific arguments for Docker daemon and the build. They are not exposed in the UI, but they are available in pipeline YAML format, as indicated in the example below. Available environment variables include: + +Variable Name | Description +------------------------|------------------------------------------------------------ +PLUGIN_DRY_RUN | Disable docker push +PLUGIN_DEBUG | Docker daemon executes in debug mode +PLUGIN_MIRROR | Docker daemon registry mirror +PLUGIN_INSECURE | Docker daemon allows insecure registries +PLUGIN_BUILD_ARGS | Docker build args, a comma separated list + +
    + +```yaml +# This example shows an environment variable being used +# in the Publish Image step. This variable allows you to +# publish an image to an insecure registry: + +stages: +- name: Publish Image + steps: + - publishImageConfig: + dockerfilePath: ./Dockerfile + buildContext: . + tag: repo/app:v1 + pushRemote: true + registry: example.com + env: + PLUGIN_INSECURE: "true" +``` + +# Step Type: Publish Catalog Template + +_Available as of v2.2.0_ + +The **Publish Catalog Template** step publishes a version of a catalog app template (i.e. Helm chart) to a [git hosted chart repository]({{}}/rancher/v2.x/en/catalog/custom/). It generates a git commit and pushes it to your chart repository. This process requires a chart folder in your source code's repository and a pre-configured secret in the dedicated pipeline namespace to complete successfully. Any variables in the [pipeline variable substitution reference](#pipeline-variable-substitution-reference) is supported for any file in the chart folder. + +### Configuring Publishing a Catalog Template by UI + +1. From the **Step Type** drop-down, choose **Publish Catalog Template**. + +1. Fill in the rest of the form. Descriptions for each field are listed below. When you're done, click **Add**. + + Field | Description | + ---------|----------| + Chart Folder | The relative path to the chart folder in the source code repo, where the `Chart.yaml` file is located. | + Catalog Template Name | The name of the template. For example, wordpress. | + Catalog Template Version | The version of the template you want to publish, it should be consistent with the version defined in the `Chart.yaml` file. | + Protocol | You can choose to publish via HTTP(S) or SSH protocol. | + Secret | The secret that stores your Git credentials. You need to create a secret in dedicated pipeline namespace in the project before adding this step. 
If you use HTTP(S) protocol, store Git username and password in `USERNAME` and `PASSWORD` key of the secret. If you use SSH protocol, store Git deploy key in `DEPLOY_KEY` key of the secret. After the secret is created, select it in this option. | + Git URL | The Git URL of the chart repository that the template will be published to. | + Git Branch | The Git branch of the chart repository that the template will be published to. | + Author Name | The author name used in the commit message. | + Author Email | The author email used in the commit message. | + + +### Configuring Publishing a Catalog Template by YAML + +You can add **Publish Catalog Template** steps directly in the `.rancher-pipeline.yml` file. + +Under the `steps` section, add a step with `publishCatalogConfig`. You will provide the following information: + +* Path: The relative path to the chart folder in the source code repo, where the `Chart.yaml` file is located. +* CatalogTemplate: The name of the template. +* Version: The version of the template you want to publish, it should be consistent with the version defined in the `Chart.yaml` file. +* GitUrl: The git URL of the chart repository that the template will be published to. +* GitBranch: The git branch of the chart repository that the template will be published to. +* GitAuthor: The author name used in the commit message. +* GitEmail: The author email used in the commit message. +* Credentials: You should provide Git credentials by referencing secrets in dedicated pipeline namespace. If you publish via SSH protocol, inject your deploy key to the `DEPLOY_KEY` environment variable. If you publish via HTTP(S) protocol, inject your username and password to `USERNAME` and `PASSWORD` environment variables. 
+ +```yaml +# example +stages: +- name: Publish Wordpress Template + steps: + - publishCatalogConfig: + path: ./charts/wordpress/latest + catalogTemplate: wordpress + version: ${CICD_GIT_TAG} + gitUrl: git@github.com:myrepo/charts.git + gitBranch: master + gitAuthor: example-user + gitEmail: user@example.com + envFrom: + - sourceName: publish-keys + sourceKey: DEPLOY_KEY +``` + +# Step Type: Deploy YAML + +This step deploys arbitrary Kubernetes resources to the project. This deployment requires a Kubernetes manifest file to be present in the source code repository. Pipeline variable substitution is supported in the manifest file. You can view an example file at [GitHub](https://github.com/rancher/pipeline-example-go/blob/master/deployment.yaml). Please refer to the [pipeline variable substitution reference](#pipeline-variable-substitution-reference) for the list of available variables. + +### Configure Deploying YAML by UI + +1. From the **Step Type** drop-down, choose **Deploy YAML** and fill in the form. + +1. Enter the **YAML Path**, which is the path to the manifest file in the source code. + +1. Click **Add**. + +### Configure Deploying YAML by YAML + +```yaml +# example +stages: +- name: Deploy + steps: + - applyYamlConfig: + path: ./deployment.yaml +``` + +# Step Type :Deploy Catalog App + +_Available as of v2.2.0_ + +The **Deploy Catalog App** step deploys a catalog app in the project. It will install a new app if it is not present, or upgrade an existing one. + +### Configure Deploying Catalog App by UI + +1. From the **Step Type** drop-down, choose **Deploy Catalog App**. + +1. Fill in the rest of the form. Descriptions for each field are listed below. When you're done, click **Add**. + + Field | Description | + ---------|----------| + Catalog | The catalog from which the app template will be used. | + Template Name | The name of the app template. For example, wordpress. | + Template Version | The version of the app template you want to deploy. 
| + Namespace | The target namespace where you want to deploy the app. | + App Name | The name of the app you want to deploy. | + Answers | Key-value pairs of answers used to deploy the app. | + + +### Configure Deploying Catalog App by YAML + +You can add **Deploy Catalog App** steps directly in the `.rancher-pipeline.yml` file. + +Under the `steps` section, add a step with `applyAppConfig`. You will provide the following information: + +* CatalogTemplate: The ID of the template. This can be found by clicking `Launch app` and selecting `View details` for the app. It is the last part of the URL. +* Version: The version of the template you want to deploy. +* Answers: Key-value pairs of answers used to deploy the app. +* Name: The name of the app you want to deploy. +* TargetNamespace: The target namespace where you want to deploy the app. + +```yaml +# example +stages: +- name: Deploy App + steps: + - applyAppConfig: + catalogTemplate: cattle-global-data:library-mysql + version: 0.3.8 + answers: + persistence.enabled: "false" + name: testmysql + targetNamespace: test +``` + +# Timeouts + +By default, each pipeline execution has a timeout of 60 minutes. If the pipeline execution cannot complete within its timeout period, the pipeline is aborted. + +### Configuring Timeouts by UI + +Enter a new value in the **Timeout** field. + +### Configuring Timeouts by YAML + +In the `timeout` section, enter the timeout value in minutes. + +```yaml +# example +stages: + - name: Build something + steps: + - runScriptConfig: + image: busybox + shellScript: ls +# timeout in minutes +timeout: 30 +``` + +# Notifications + +You can enable notifications to any [notifiers]({{}}/rancher/v2.x/en/cluster-admin/tools/notifiers/) based on the build status of a pipeline. Before enabling notifications, Rancher recommends [setting up notifiers]({{}}/rancher/v2.x/en/cluster-admin/tools/notifiers/#adding-notifiers) so it will be easy to add recipients immediately. 
+ +### Configuring Notifications by UI + +_Available as of v2.2.0_ + +1. Within the **Notification** section, turn on notifications by clicking **Enable**. + +1. Select the conditions for the notification. You can select to get a notification for the following statuses: `Failed`, `Success`, `Changed`. For example, if you want to receive notifications when an execution fails, select **Failed**. + +1. If you don't have any existing [notifiers]({{}}/rancher/v2.x/en/cluster-admin/tools/notifiers), Rancher will provide a warning that no notifiers are set up and provide a link to be able to go to the notifiers page. Follow the [instructions]({{}}/rancher/v2.x/en/cluster-admin/tools/notifiers/#adding-notifiers) to add a notifier. If you already have notifiers, you can add them to the notification by clicking the **Add Recipient** button. + + > **Note:** Notifiers are configured at a cluster level and require a different level of permissions. + +1. For each recipient, select which notifier type from the dropdown. Based on the type of notifier, you can use the default recipient or override the recipient with a different one. For example, if you have a notifier for _Slack_, you can update which channel to send the notification to. You can add additional notifiers by clicking **Add Recipient**. + +### Configuring Notifications by YAML +_Available as of v2.2.0_ + +In the `notification` section, you will provide the following information: + +* **Recipients:** This will be the list of notifiers/recipients that will receive the notification. + * **Notifier:** The ID of the notifier. This can be found by finding the notifier and selecting **View in API** to get the ID. + * **Recipient:** Depending on the type of the notifier, the "default recipient" can be used or you can override this with a different recipient. 
For example, when configuring a slack notifier, you select a channel as your default recipient, but if you wanted to send notifications to a different channel, you can select a different recipient. +* **Condition:** Select which conditions of when you want the notification to be sent. +* **Message (Optional):** If you want to change the default notification message, you can edit this in the yaml. Note: This option is not available in the UI. + +```yaml +# Example +stages: + - name: Build something + steps: + - runScriptConfig: + image: busybox + shellScript: ls +notification: + recipients: + - # Recipient + recipient: "#mychannel" + # ID of Notifier + notifier: "c-wdcsr:n-c9pg7" + - recipient: "test@example.com" + notifier: "c-wdcsr:n-lkrhd" + # Select which statuses you want the notification to be sent + condition: ["Failed", "Success", "Changed"] + # Ability to override the default message (Optional) + message: "my-message" +``` + +# Triggers and Trigger Rules + +After you configure a pipeline, you can trigger it using different methods: + +- **Manually:** + + After you configure a pipeline, you can trigger a build using the latest CI definition from Rancher UI. When a pipeline execution is triggered, Rancher dynamically provisions a Kubernetes pod to run your CI tasks and then remove it upon completion. + +- **Automatically:** + + When you enable a repository for a pipeline, webhooks are automatically added to the version control system. When project users interact with the repo by pushing code, opening pull requests, or creating a tag, the version control system sends a webhook to Rancher Server, triggering a pipeline execution. + + To use this automation, webhook management permission is required for the repository. Therefore, when users authenticate and fetch their repositories, only those on which they have webhook management permission will be shown. 
+ +Trigger rules can be created to have fine-grained control of pipeline executions in your pipeline configuration. Trigger rules come in two types: + +- **Run this when:** This type of rule starts the pipeline, stage, or step when a trigger explicitly occurs. + +- **Do Not Run this when:** This type of rule skips the pipeline, stage, or step when a trigger explicitly occurs. + +If all conditions evaluate to `true`, then the pipeline/stage/step is executed. Otherwise it is skipped. When a pipeline is skipped, none of the pipeline is executed. When a stage/step is skipped, it is considered successful and follow-up stages/steps continue to run. + +Wildcard character (`*`) expansion is supported in `branch` conditions. + +This section covers the following topics: + +- [Configuring pipeline triggers](#configuring-pipeline-triggers) +- [Configuring stage triggers](#configuring-stage-triggers) +- [Configuring step triggers](#configuring-step-triggers) +- [Configuring triggers by YAML](#configuring-triggers-by-yaml) + +### Configuring Pipeline Triggers + +1. From the **Global** view, navigate to the project that you want to configure a pipeline trigger rule. + +1. Click **Resources > Pipelines.** In versions prior to v2.3.0, click **Workloads > Pipelines.** + +1. From the repository for which you want to manage trigger rules, select the vertical **Ellipsis (...) > Edit Config**. + +1. Click on **Show Advanced Options**. + +1. In the **Trigger Rules** section, configure rules to run or skip the pipeline. + + 1. Click **Add Rule**. In the **Value** field, enter the name of the branch that triggers the pipeline. + + 1. **Optional:** Add more branches that trigger a build. + +1. Click **Done.** + +### Configuring Stage Triggers + +1. From the **Global** view, navigate to the project that you want to configure a stage trigger rule. + +1. Click **Resources > Pipelines.** In versions prior to v2.3.0, click **Workloads > Pipelines.** + +1. 
From the repository for which you want to manage trigger rules, select the vertical **Ellipsis (...) > Edit Config**. + +1. Find the **stage** that you want to manage trigger rules, click the **Edit** icon for that stage. + +1. Click **Show advanced options**. + +1. In the **Trigger Rules** section, configure rules to run or skip the stage. + + 1. Click **Add Rule**. + + 1. Choose the **Type** that triggers the stage and enter a value. + + | Type | Value | + | ------ | -------------------------------------------------------------------- | + | Branch | The name of the branch that triggers the stage. | + | Event | The type of event that triggers the stage. Values are: `Push`, `Pull Request`, `Tag` | + +1. Click **Save**. + +### Configuring Step Triggers + +1. From the **Global** view, navigate to the project that you want to configure a stage trigger rule. + +1. Click **Resources > Pipelines.** In versions prior to v2.3.0, click **Workloads > Pipelines.** + +1. From the repository for which you want to manage trigger rules, select the vertical **Ellipsis (...) > Edit Config**. + +1. Find the **step** that you want to manage trigger rules, click the **Edit** icon for that step. + +1. Click **Show advanced options**. + +1. In the **Trigger Rules** section, configure rules to run or skip the step. + + 1. Click **Add Rule**. + + 1. Choose the **Type** that triggers the step and enter a value. + + | Type | Value | + | ------ | -------------------------------------------------------------------- | + | Branch | The name of the branch that triggers the step. | + | Event | The type of event that triggers the step. Values are: `Push`, `Pull Request`, `Tag` | + +1. Click **Save**. 
+ + +### Configuring Triggers by YAML + +```yaml +# example +stages: + - name: Build something + # Conditions for stages + when: + branch: master + event: [ push, pull_request ] + # Multiple steps run concurrently + steps: + - runScriptConfig: + image: busybox + shellScript: date -R + # Conditions for steps + when: + branch: [ master, dev ] + event: push +# branch conditions for the pipeline +branch: + include: [ master, feature/*] + exclude: [ dev ] +``` + +# Environment Variables + +When configuring a pipeline, certain [step types](#step-types) allow you to use environment variables to configure the step's script. + +### Configuring Environment Variables by UI + +1. From the **Global** view, navigate to the project that you want to configure pipelines. + +1. Click **Resources > Pipelines.** In versions prior to v2.3.0, click **Workloads > Pipelines.** + +1. From the pipeline for which you want to edit build triggers, select **Ellipsis (...) > Edit Config**. + +1. Within one of the stages, find the **step** that you want to add an environment variable for, click the **Edit** icon. + +1. Click **Show advanced options**. + +1. Click **Add Variable**, and then enter a key and value in the fields that appear. Add more variables if needed. + +1. Add your environment variable(s) into either the script or file. + +1. Click **Save**. + +### Configuring Environment Variables by YAML + +```yaml +# example +stages: + - name: Build something + steps: + - runScriptConfig: + image: busybox + shellScript: echo ${FIRST_KEY} && echo ${SECOND_KEY} + env: + FIRST_KEY: VALUE + SECOND_KEY: VALUE2 +``` + +# Secrets + +If you need to use security-sensitive information in your pipeline scripts (like a password), you can pass them in using Kubernetes [secrets]({{}}/rancher/v2.x/en/k8s-in-rancher/secrets/). + +### Prerequisite +Create a secret in the same project as your pipeline, or explicitly in the namespace where pipeline build pods run. +
    + +>**Note:** Secret injection is disabled on [pull request events](#triggers-and-trigger-rules). + +### Configuring Secrets by UI + +1. From the **Global** view, navigate to the project that you want to configure pipelines. + +1. Click **Resources > Pipelines.** In versions prior to v2.3.0, click **Workloads > Pipelines.** + +1. From the pipeline for which you want to edit build triggers, select **Ellipsis (...) > Edit Config**. + +1. Within one of the stages, find the **step** that you want to use a secret for, click the **Edit** icon. + +1. Click **Show advanced options**. + +1. Click **Add From Secret**. Select the secret file that you want to use. Then choose a key. Optionally, you can enter an alias for the key. + +1. Click **Save**. + +### Configuring Secrets by YAML + +```yaml +# example +stages: + - name: Build something + steps: + - runScriptConfig: + image: busybox + shellScript: echo ${ALIAS_ENV} + # environment variables from project secrets + envFrom: + - sourceName: my-secret + sourceKey: secret-key + targetKey: ALIAS_ENV +``` + +# Pipeline Variable Substitution Reference + +For your convenience, the following variables are available for your pipeline configuration scripts. During pipeline executions, these variables are replaced by metadata. You can reference them in the form of `${VAR_NAME}`. + +Variable Name | Description +------------------------|------------------------------------------------------------ +`CICD_GIT_REPO_NAME` | Repository name (Github organization omitted). +`CICD_GIT_URL` | URL of the Git repository. +`CICD_GIT_COMMIT` | Git commit ID being executed. +`CICD_GIT_BRANCH` | Git branch of this event. +`CICD_GIT_REF` | Git reference specification of this event. +`CICD_GIT_TAG` | Git tag name, set on tag event. +`CICD_EVENT` | Event that triggered the build (`push`, `pull_request` or `tag`). +`CICD_PIPELINE_ID` | Rancher ID for the pipeline. +`CICD_EXECUTION_SEQUENCE` | Build number of the pipeline. 
+`CICD_EXECUTION_ID` | Combination of `{CICD_PIPELINE_ID}-{CICD_EXECUTION_SEQUENCE}`. +`CICD_REGISTRY` | Address for the Docker registry for the previous publish image step, available in the Kubernetes manifest file of a `Deploy YAML` step. +`CICD_IMAGE` | Name of the image built from the previous publish image step, available in the Kubernetes manifest file of a `Deploy YAML` step. It does not contain the image tag.

    [Example](https://github.com/rancher/pipeline-example-go/blob/master/deployment.yaml) + +# Global Pipeline Execution Settings + +After configuring a version control provider, there are several options that can be configured globally on how pipelines are executed in Rancher. These settings can be edited by selecting **Tools > Pipelines** in the navigation bar. In versions prior to v2.2.0, you can select **Resources > Pipelines**. + +- [Executor Quota](#executor-quota) +- [Resource Quota for Executors](#resource-quota-for-executors) +- [Custom CA](#custom-ca) + +### Executor Quota + +Select the maximum number of pipeline executors. The _executor quota_ decides how many builds can run simultaneously in the project. If the number of triggered builds exceeds the quota, subsequent builds will queue until a vacancy opens. By default, the quota is `2`. A value of `0` or less removes the quota limit. + +### Resource Quota for Executors + +_Available as of v2.2.0_ + +Configure compute resources for Jenkins agent containers. When a pipeline execution is triggered, a build pod is dynamically provisioned to run your CI tasks. Under the hood, A build pod consists of one Jenkins agent container and one container for each pipeline step. You can [manage compute resources](https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/) for every containers in the pod. + +Edit the **Memory Reservation**, **Memory Limit**, **CPU Reservation** or **CPU Limit**, then click **Update Limit and Reservation**. + +To configure compute resources for pipeline-step containers: + +You can configure compute resources for pipeline-step containers in the `.rancher-pipeline.yml` file. + +In a [step type]({{}}/rancher/v2.x/en/k8s-in-rancher/pipelines/#step-types), you will provide the following information: + +* **CPU Reservation (`CpuRequest`)**: CPU request for the container of a pipeline step. +* **CPU Limit (`CpuLimit`)**: CPU limit for the container of a pipeline step. 
+* **Memory Reservation (`MemoryRequest`)**: Memory request for the container of a pipeline step. +* **Memory Limit (`MemoryLimit`)**: Memory limit for the container of a pipeline step. + +```yaml +# example +stages: + - name: Build something + steps: + - runScriptConfig: + image: busybox + shellScript: ls + cpuRequest: 100m + cpuLimit: 1 + memoryRequest:100Mi + memoryLimit: 1Gi + - publishImageConfig: + dockerfilePath: ./Dockerfile + buildContext: . + tag: repo/app:v1 + cpuRequest: 100m + cpuLimit: 1 + memoryRequest:100Mi + memoryLimit: 1Gi +``` + +>**Note:** Rancher sets default compute resources for pipeline steps except for `Build and Publish Images` and `Run Script` steps. You can override the default value by specifying compute resources in the same way. + +### Custom CA + +_Available as of v2.2.0_ + +If you want to use a version control provider with a certificate from a custom/internal CA root, the CA root certificates need to be added as part of the version control provider configuration in order for the pipeline build pods to succeed. + +1. Click **Edit cacerts**. + +1. Paste in the CA root certificates and click **Save cacerts**. + +**Result:** Pipelines can be used and new pods will be able to work with the self-signed-certificate. + +# Persistent Data for Pipeline Components + +The internal Docker registry and the Minio workloads use ephemeral volumes by default. This default storage works out-of-the-box and makes testing easy, but you lose the build images and build logs if the node running the Docker Registry or Minio fails. In most cases this is fine. If you want build images and logs to survive node failures, you can configure the Docker Registry and Minio to use persistent volumes. 
+ +For details on setting up persistent storage for pipelines, refer to [this page.]({{}}/rancher/v2.x/en/k8s-in-rancher/pipelines/storage) + +# Example rancher-pipeline.yml + +An example pipeline configuration file is on [this page.]({{}}/rancher/v2.x/en/k8s-in-rancher/pipelines/example) \ No newline at end of file diff --git a/content/rancher/v2.x/en/project-admin/pipelines/docs-for-v2.0.x/_index.md b/content/rancher/v2.x/en/k8s-in-rancher/pipelines/docs-for-v2.0.x/_index.md similarity index 98% rename from content/rancher/v2.x/en/project-admin/pipelines/docs-for-v2.0.x/_index.md rename to content/rancher/v2.x/en/k8s-in-rancher/pipelines/docs-for-v2.0.x/_index.md index e408ef05817..412822f0f96 100644 --- a/content/rancher/v2.x/en/project-admin/pipelines/docs-for-v2.0.x/_index.md +++ b/content/rancher/v2.x/en/k8s-in-rancher/pipelines/docs-for-v2.0.x/_index.md @@ -3,6 +3,7 @@ title: v2.0.x Pipeline Documentation weight: 9000 aliases: - /rancher/v2.x/en/project-admin/tools/pipelines/docs-for-v2.0.x + - /rancher/v2.x/en/project-admin/pipelines/docs-for-v2.0.x --- >**Note:** This section describes the pipeline feature as implemented in Rancher v2.0.x. If you are using Rancher v2.1 or later, where pipelines have been significantly improved, please refer to the new documentation for [v2.1 or later]({{}}/rancher/v2.x/en/k8s-in-rancher/pipelines/). diff --git a/content/rancher/v2.x/en/k8s-in-rancher/pipelines/example-repos/_index.md b/content/rancher/v2.x/en/k8s-in-rancher/pipelines/example-repos/_index.md index 75619cd6702..c57dd613f2d 100644 --- a/content/rancher/v2.x/en/k8s-in-rancher/pipelines/example-repos/_index.md +++ b/content/rancher/v2.x/en/k8s-in-rancher/pipelines/example-repos/_index.md 
@@ -5,7 +5,7 @@ aliases: - /rancher/v2.x/en/tools/pipelines/quick-start-guide/ --- -Rancher ships with several example repositories that you can use to familiarize yourself with pipelines. We recommend configuring and testing the example repository that most resembles your environment before using pipelines with your own repositories in a production environment. Use this example repository as a sandbox for repo configuration, build demonstration, etc. Rancher includes example repositories for: +Rancher ships with several example repositories that you can use to familiarize yourself with pipelines. We recommend configuring and testing the example repository that most resembles your environment before using pipelines with your own repositories in a production environment. Use this example repository as a sandbox for repo configuration, build demonstration, etc. Rancher includes example repositories for: - Go - Maven @@ -13,7 +13,13 @@ Rancher ships with several example repositories that you can use to familiarize > **Note:** The example repositories are only available if you have not [configured a version control provider]({{}}/rancher/v2.x/en/project-admin/pipelines). -## Configure Repositories +To start using these example repositories, + +1. [Enable the example repositories](#1-enable-the-example-repositories) +2. [View the example pipeline](#2-view-the-example-pipeline) +3. [Run the example pipeline](#3-run-the-example-pipeline) + +### 1. Enable the Example Repositories By default, the example pipeline repositories are disabled. Enable one (or more) to test out the pipeline feature and see how it works. @@ -39,7 +45,7 @@ By default, the example pipeline repositories are disabled. Enable one (or more) - `jenkins` - `minio` -## View the Example Pipeline +### 2. View the Example Pipeline After enabling an example repository, review the pipeline to see how it is set up. 
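Review bot: In the "Resource Quota for Executors" YAML example added in the pipeline configuration page earlier in this patch, `memoryRequest:100Mi` appears in both steps with no space after the colon, so it is not read as a key/value pair; it should be `memoryRequest: 100Mi`. The bullets just above that example name the fields `CpuRequest`, `CpuLimit`, `MemoryRequest` and `MemoryLimit`, while the YAML uses `cpuRequest`, `cpuLimit`, `memoryRequest` and `memoryLimit`; use the same spelling in both places so readers copy the keys the example actually sets.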
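Review bot: Renaming `## Configure Repositories` to `### 1. Enable the Example Repositories` in the `@@ -13,7 +13,13 @@` hunk changes that heading's anchor, but the "What's Next?" paragraph at the end of this file still links to `#configure-repositories`, and no heading in the visible hunks produces that anchor any more. Point the link at `#1-enable-the-example-repositories`, the anchor the new numbered list at the top of the page already uses. The new lead-in "To start using these example repositories," would also read better ending in a colon before the list.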
@@ -51,7 +57,7 @@ After enabling an example repository, review the pipeline to see how it is set u * **Rancher UI**: Click on **Edit Config** to view the stages and steps of the pipeline. * **YAML**: Click on View/Edit YAML to view the `./rancher-pipeline.yml` file. -## Run the Example Pipeline +### 3. Run the Example Pipeline After enabling an example repository, run the pipeline to see how it works. @@ -65,6 +71,6 @@ After enabling an example repository, run the pipeline to see how it works. **Result:** The pipeline runs. You can see the results in the logs. -## What's Next? +### What's Next? -For detailed information about setting up your own pipeline for your repository, [configure a version control provider]({{}}/rancher/v2.x/en/project-admin/pipelines), [enable a repository](#configure-repositories) and finally [configure your pipeline]({{}}/rancher/v2.x/en/k8s-in-rancher/pipelines/#pipeline-configuration). +For detailed information about setting up your own pipeline for your repository, [configure a version control provider]({{}}/rancher/v2.x/en/project-admin/pipelines), [enable a repository](#configure-repositories) and finally [configure your pipeline]({{}}/rancher/v2.x/en/k8s-in-rancher/pipelines/#pipeline-configuration). \ No newline at end of file diff --git a/content/rancher/v2.x/en/k8s-in-rancher/pipelines/example/_index.md b/content/rancher/v2.x/en/k8s-in-rancher/pipelines/example/_index.md index 82e10d93ddf..512c87af456 100644 --- a/content/rancher/v2.x/en/k8s-in-rancher/pipelines/example/_index.md +++ b/content/rancher/v2.x/en/k8s-in-rancher/pipelines/example/_index.md 
@@ -7,7 +7,9 @@ aliases: Pipelines can be configured either through the UI or using a yaml file in the repository, i.e. `.rancher-pipeline.yml` or `.rancher-pipeline.yaml`. -In the [pipeline configuration docs]({{}}/rancher/v2.x/en/k8s-in-rancher/pipelines/#pipeline-configuration), we provide examples of each available feature within pipelines. Here is a full example `rancher-pipeline.yml` for those who want to jump right in. +In the [pipeline configuration reference]({{}}/rancher/v2.x/en/k8s-in-rancher/pipelines/config), we provide examples of how to configure each feature using the Rancher UI or using YAML configuration. + +Below is a full example `rancher-pipeline.yml` for those who want to jump right in. ```yaml # example diff --git a/content/rancher/v2.x/en/k8s-in-rancher/pipelines/storage/_index.md b/content/rancher/v2.x/en/k8s-in-rancher/pipelines/storage/_index.md new file mode 100644 index 00000000000..e3b911bc9a2 --- /dev/null +++ b/content/rancher/v2.x/en/k8s-in-rancher/pipelines/storage/_index.md 
@@ -0,0 +1,103 @@ +--- +title: Configuring Persistent Data for Pipeline Components +weight: 600 +--- + +The internal [Docker registry](#how-pipelines-work) and the [Minio](#how-pipelines-work) workloads use ephemeral volumes by default. This default storage works out-of-the-box and makes testing easy, but you lose the build images and build logs if the node running the Docker Registry or Minio fails. In most cases this is fine. If you want build images and logs to survive node failures, you can configure the Docker Registry and Minio to use persistent volumes. + +This section assumes that you understand how persistent storage works in Kubernetes. For more information, refer to the section on [how storage works.]({{}}/rancher/v2.x/en/cluster-admin/volumes-and-storage/how-storage-works/) + +>**Prerequisites (for both parts A and B):** +> +>[Persistent volumes]({{}}/rancher/v2.x/en/cluster-admin/volumes-and-storage/) must be available for the cluster. + +### A. Configuring Persistent Data for Docker Registry + +1. From the project that you're configuring a pipeline for, and click **Resources > Workloads.** In versions prior to v2.3.0, select the **Workloads** tab. + +1. Find the `docker-registry` workload and select **Ellipsis (...) > Edit**. + +1. Scroll to the **Volumes** section and expand it. Make one of the following selections from the **Add Volume** menu, which is near the bottom of the section: + + - **Add Volume > Add a new persistent volume (claim)** + - **Add Volume > Use an existing persistent volume (claim)** + +1. Complete the form that displays to choose a persistent volume for the internal Docker registry. +{{% tabs %}} +{{% tab "Add a new persistent volume" %}} +
    +1. Enter a **Name** for the volume claim. + +1. Select a volume claim **Source**: + + - If you select **Use a Storage Class to provision a new persistent volume**, select a storage class and enter a **Capacity**. + + - If you select **Use an existing persistent volume**, choose a **Persistent Volume** from the drop-down. +1. From the **Customize** section, choose the read/write access for the volume. + +1. Click **Define**. + +{{% /tab %}} + +{{% tab "Use an existing persistent volume" %}} +
    +1. Enter a **Name** for the volume claim. + +1. Choose a **Persistent Volume Claim** from the drop-down. + +1. From the **Customize** section, choose the read/write access for the volume. + +1. Click **Define**. + +{{% /tab %}} + +{{% /tabs %}} + +1. From the **Mount Point** field, enter `/var/lib/registry`, which is the data storage path inside the Docker registry container. + +1. Click **Upgrade**. + +### B. Configuring Persistent Data for Minio + +1. From the project view, click **Resources > Workloads.** (In versions prior to v2.3.0, click the **Workloads** tab.) Find the `minio` workload and select **Ellipsis (...) > Edit**. + +1. Scroll to the **Volumes** section and expand it. Make one of the following selections from the **Add Volume** menu, which is near the bottom of the section: + + - **Add Volume > Add a new persistent volume (claim)** + - **Add Volume > Use an existing persistent volume (claim)** + +1. Complete the form that displays to choose a persistent volume for the internal Docker registry. +{{% tabs %}} + +{{% tab "Add a new persistent volume" %}} +
    +1. Enter a **Name** for the volume claim. + +1. Select a volume claim **Source**: + + - If you select **Use a Storage Class to provision a new persistent volume**, select a storage class and enter a **Capacity**. + + - If you select **Use an existing persistent volume**, choose a **Persistent Volume** from the drop-down. +1. From the **Customize** section, choose the read/write access for the volume. + +1. Click **Define**. + +{{% /tab %}} +{{% tab "Use an existing persistent volume" %}} +
    +1. Enter a **Name** for the volume claim. + +1. Choose a **Persistent Volume Claim** from the drop-down. + +1. From the **Customize** section, choose the read/write access for the volume. + +1. Click **Define**. + +{{% /tab %}} +{{% /tabs %}} + +1. From the **Mount Point** field, enter `/data`, which is the data storage path inside the Minio container. + +1. Click **Upgrade**. + +**Result:** Persistent storage is configured for your pipeline components. diff --git a/content/rancher/v2.x/en/project-admin/pipelines/_index.md b/content/rancher/v2.x/en/project-admin/pipelines/_index.md index 521b01f16de..7eea9d66735 100644 --- a/content/rancher/v2.x/en/project-admin/pipelines/_index.md +++ b/content/rancher/v2.x/en/project-admin/pipelines/_index.md @@ -9,8 +9,6 @@ aliases: --- Using Rancher, you can integrate with a GitHub repository to setup a continuous integration (CI) pipeline. -To set up a pipeline, you'll first need to authorize Rancher using your GitHub settings. Directions are provided in the Rancher UI. After authorizing Rancher in GitHub, provide Rancher with a client ID and secret to authenticate. - After configuring Rancher and GitHub, you can deploy containers running Jenkins to automate a pipeline execution: - Build your application from code to image. 
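Review bot: In section B of the new `storage/_index.md`, the step before the tabs reads "choose a persistent volume for the internal Docker registry", which is copied from section A; it should name Minio. The opening paragraph links `[Docker registry](#how-pipelines-work)` and `[Minio](#how-pipelines-work)` as same-page anchors, but this new file has no such heading, so both links need the path of the page that carries that section. Step 1 of section A ("From the project that you're configuring a pipeline for, and click") also has a stray "and".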
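Review bot: With the "To set up a pipeline, you'll first need to authorize Rancher using your GitHub settings" paragraph removed in the `@@ -9,8 +9,6 @@` hunk of `project-admin/pipelines/_index.md`, the context line that follows, "After configuring Rancher and GitHub, you can deploy containers running Jenkins", now refers to a setup step the visible lines no longer describe. Reword that sentence or keep a one-line pointer to the version control provider instructions. The surviving intro also mentions only GitHub, while the provider table elsewhere in this file lists GitLab and Bitbucket as well.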
@@ -19,346 +17,4 @@ After configuring Rancher and GitHub, you can deploy containers running Jenkins - Run unit tests. - Run regression tests. - - - - -A _pipeline_ is a software delivery process that is broken into different stages and steps. Setting up a pipeline can help developers deliver new software as quickly and efficiently as possible. Within Rancher, you can configure pipelines for each of your Rancher projects. - -Typically, pipeline stages include: - -- **Build:** - - Each time code is checked into your repository, the pipeline automatically clones the repo and builds a new iteration of your software. Throughout this process, the software is typically reviewed by automated tests. - -- **Publish:** - - After the build is completed, either a Docker image is built and published to a Docker registry or a catalog template is published. - -- **Deploy:** - - After the artifacts are published, you would release your application so users could start using the updated product. - -Only [administrators]({{}}/rancher/v2.x/en/admin-settings/rbac/global-permissions/), [cluster owners or members]({{}}/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/#cluster-roles), or [project owners]({{}}/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/#project-roles) can [configure version control providers](#version-control-providers) and [manage global pipeline execution settings](#managing-global-pipeline-execution-settings). Project members can only configure [repositories]({{}}/rancher/v2.x/en/k8s-in-rancher/pipelines/#configuring-repositories) and [pipelines]({{}}/rancher/v2.x/en/k8s-in-rancher/pipelines/#pipeline-configuration). - - -> **Notes:** -> -> - Pipelines were improved in Rancher v2.1. Therefore, if you configured pipelines while using v2.0.x, you'll have to reconfigure them after upgrading to v2.1. -> - Still using v2.0.x? See the pipeline documentation for [previous versions]({{}}/rancher/v2.x/en/tools/pipelines/docs-for-v2.0.x). 
- -## Overview - -Rancher's pipeline provides a simple CI/CD experience. Use it to automatically checkout code, run builds or scripts, publish Docker images or catalog applications, and deploy the updated software to users. - -After enabling the ability to use pipelines in a project, you can configure multiple pipelines in each project. Each pipeline is unique and can be configured independently. - -A pipeline is configured off of a group of files that are checked into source code repositories. Users can configure their pipelines either through the Rancher UI or by adding a `.rancher-pipeline.yml` into the repository. - ->**Note:** Rancher's pipeline provides a simple CI/CD experience, but it does not offer the full power and flexibility of and is not a replacement of enterprise-grade Jenkins or other CI tools your team uses. - - -## How Pipelines Work - -When you configure a pipeline in one of your projects, a namespace specifically for the pipeline is automatically created. The following components are deployed to it: - - - **Jenkins:** - - The pipeline's build engine. Because project users do not directly interact with Jenkins, it's managed and locked. - - >**Note:** There is no option to use existing Jenkins deployments as the pipeline engine. - - - **Docker Registry:** - - Out-of-the-box, the default target for your build-publish step is an internal Docker Registry. However, you can make configurations to push to a remote registry instead. The internal Docker Registry is only accessible from cluster nodes and cannot be directly accessed by users. Images are not persisted beyond the lifetime of the pipeline and should only be used in pipeline runs. If you need to access your images outside of pipeline runs, please push to an external registry. - - - **Minio:** - - Minio storage is used to store the logs for pipeline executions. - - >**Note:** The managed Jenkins instance works statelessly, so don't worry about its data persistency. 
The Docker Registry and Minio instances use ephemeral volumes by default, which is fine for most use cases. If you want to make sure pipeline logs can survive node failures, you can configure persistent volumes for them, as described in [data persistency for pipeline components](#configuring-persistent-data-for-pipeline-components). - -## Pipeline Triggers - -After you configure a pipeline, you can trigger it using different methods: - - -- **Manually:** - - After you configure a pipeline, you can trigger a build using the latest CI definition from Rancher UI. When a pipeline execution is triggered, Rancher dynamically provisions a Kubernetes pod to run your CI tasks and then remove it upon completion. - -- **Automatically:** - - When you enable a repository for a pipeline, webhooks are automatically added to the version control system. When project users interact with the repo—push code, open pull requests, or create a tag—the version control system sends a webhook to Rancher Server, triggering a pipeline execution. - - To use this automation, webhook management permission is required for the repository. Therefore, when users authenticate and fetch their repositories, only those on which they have webhook management permission will be shown. - -## Version Control Providers - -Before you can start [configuring a pipeline]({{}}/rancher/v2.x/en/k8s-in-rancher/pipelines/) for your repository, you must configure and authorize a version control provider. - -| Provider | Available as of | -| --- | --- | -| GitHub | v2.0.0 | -| GitLab | v2.1.0 | -| Bitbucket | v2.2.0 | - -Select your provider's tab below and follow the directions. - -{{% tabs %}} -{{% tab "GitHub" %}} -1. From the **Global** view, navigate to the project that you want to configure pipelines. - -1. Select **Tools > Pipelines** in the navigation bar. In versions prior to v2.2.0, you can select **Resources > Pipelines**. - -1. Follow the directions displayed to **Setup a Github application**. 
Rancher redirects you to Github to setup an OAuth App in Github. - -1. From GitHub, copy the **Client ID** and **Client Secret**. Paste them into Rancher. - -1. If you're using GitHub for enterprise, select **Use a private github enterprise installation**. Enter the host address of your GitHub installation. - -1. Click **Authenticate**. - -{{% /tab %}} -{{% tab "GitLab" %}} - -_Available as of v2.1.0_ - -1. From the **Global** view, navigate to the project that you want to configure pipelines. - -1. Select **Tools > Pipelines** in the navigation bar. In versions prior to v2.2.0, you can select **Resources > Pipelines**. - -1. Follow the directions displayed to **Setup a GitLab application**. Rancher redirects you to GitLab. - -1. From GitLab, copy the **Application ID** and **Secret**. Paste them into Rancher. - -1. If you're using GitLab for enterprise setup, select **Use a private gitlab enterprise installation**. Enter the host address of your GitLab installation. - -1. Click **Authenticate**. - ->**Note:** -> 1. Pipeline uses Gitlab [v4 API](https://docs.gitlab.com/ee/api/v3_to_v4.html) and the supported Gitlab version is 9.0+. -> 2. If you use GitLab 10.7+ and your Rancher setup is in a local network, enable the **Allow requests to the local network from hooks and services** option in GitLab admin settings. -{{% /tab %}} -{{% tab "Bitbucket Cloud" %}} - -_Available as of v2.2.0_ - -1. From the **Global** view, navigate to the project that you want to configure pipelines. - -1. Select **Tools > Pipelines** in the navigation bar. - -1. Choose the **Use public Bitbucket Cloud** option. - -1. Follow the directions displayed to **Setup a Bitbucket Cloud application**. Rancher redirects you to Bitbucket to setup an OAuth consumer in Bitbucket. - -1. From Bitbucket, copy the consumer **Key** and **Secret**. Paste them into Rancher. - -1. Click **Authenticate**. - -{{% /tab %}} -{{% tab "Bitbucket Server" %}} - -_Available as of v2.2.0_ - -1. 
From the **Global** view, navigate to the project that you want to configure pipelines. - -1. Select **Tools > Pipelines** in the navigation bar. - -1. Choose the **Use private Bitbucket Server setup** option. - -1. Follow the directions displayed to **Setup a Bitbucket Server application**. - -1. Enter the host address of your Bitbucket server installation. - -1. Click **Authenticate**. - ->**Note:** -> Bitbucket server needs to do SSL verification when sending webhooks to Rancher. Please ensure that Rancher server's certificate is trusted by the Bitbucket server. There are two options: -> -> 1. Setup Rancher server with a certificate from a trusted CA. -> 1. If you're using self-signed certificates, import Rancher server's certificate to the Bitbucket server. For instructions, see the Bitbucket server documentation for [configuring self-signed certificates](https://confluence.atlassian.com/bitbucketserver/if-you-use-self-signed-certificates-938028692.html). -> -{{% /tab %}} -{{% /tabs %}} - -**Result:** After the version control provider is authenticated, you will be automatically re-directed to start [configuring which repositories]({{}}/rancher/v2.x/en/k8s-in-rancher/pipelines/#configuring-repositories) that you want start using with a pipeline. Once a repository is enabled, you can start to [configure the pipeline]({{}}/rancher/v2.x/en/k8s-in-rancher/pipelines/#pipeline-configuration). - -## Managing Global Pipeline Execution Settings - -After configuring a version control provider, there are several options that can be configured globally on how [pipelines]({{}}/rancher/v2.x/en/k8s-in-rancher/pipelines/) are executed in Rancher. - -1. From the **Global** view, navigate to the project that you want to configure pipelines. - -1. Select **Tools > Pipelines** in the navigation bar. In versions prior to v2.2.0, you can select **Resources > Pipelines**. - -1. 
Edit the different settings: - - {{% accordion id="executor-quota" label="Executor Quota" %}} - -Select the maximum number of pipeline executors. The _executor quota_ decides how many builds can run simultaneously in the project. If the number of triggered builds exceeds the quota, subsequent builds will queue until a vacancy opens. By default, the quota is `2`. A value of `0` or less removes the quota limit. - {{% /accordion %}} - - {{% accordion id="resource-quota" label="Resource Quota for Executors" %}} - -_Available as of v2.2.0_ - -Configure compute resources for Jenkins agent containers. When a pipeline execution is triggered, a build pod is dynamically provisioned to run your CI tasks. Under the hood, A build pod consists of one Jenkins agent container and one container for each pipeline step. You can [manage compute resources](https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/) for every containers in the pod. - -Edit the **Memory Reservation**, **Memory Limit**, **CPU Reservation** or **CPU Limit**, then click **Update Limit and Reservation**. - -To configure compute resources for pipeline-step containers: -{{% tabs %}} -{{% tab "By YAML" %}} - -You can configure compute resources for pipeline-step containers in the `.rancher-pipeline.yml` file. - -In a [step type]({{}}/rancher/v2.x/en/k8s-in-rancher/pipelines/#step-types), you will provide the following information: - -* **CPU Reservation (`CpuRequest`)**: CPU request for the container of a pipeline step. -* **CPU Limit (`CpuLimit`)**: CPU limit for the container of a pipeline step. -* **Memory Reservation (`MemoryRequest`)**: Memory request for the container of a pipeline step. -* **Memory Limit (`MemoryLimit`)**: Memory limit for the container of a pipeline step. 
- -```yaml -# example -stages: - - name: Build something - steps: - - runScriptConfig: - image: busybox - shellScript: ls - cpuRequest: 100m - cpuLimit: 1 - memoryRequest:100Mi - memoryLimit: 1Gi - - publishImageConfig: - dockerfilePath: ./Dockerfile - buildContext: . - tag: repo/app:v1 - cpuRequest: 100m - cpuLimit: 1 - memoryRequest:100Mi - memoryLimit: 1Gi -``` - ->**Note:** Rancher sets default compute resources for pipeline steps except for `Build and Publish Images` and `Run Script` steps. You can override the default value by specifying compute resources in the same way. -{{% /tab %}} -{{% /tabs %}} - - {{% /accordion %}} - {{% accordion id="cacerts" label="Custom CA" %}} - -_Available as of v2.2.0_ - -If you want to use a version control provider with a certificate from a custom/internal CA root, the CA root certificates need to be added as part of the version control provider configuration in order for the pipeline build pods to succeed. - -1. Click **Edit cacerts**. - -1. Paste in the CA root certificates and click **Save cacerts**. - -**Result:** Pipelines can be used and new pods will be able to work with the self-signed-certificate. - - {{% /accordion %}} - -## Configuring Persistent Data for Pipeline Components - -The internal [Docker registry](#how-pipelines-work) and the [Minio](#how-pipelines-work) workloads use ephemeral volumes by default. This default storage works out-of-the-box and makes testing easy, but you lose the build images and build logs if the node running the Docker Registry or Minio fails. In most cases this is fine. If you want build images and logs to survive node failures, you can configure the Docker Registry and Minio to use persistent volumes. - ->**Prerequisites (for both parts A and B):** -> ->[Persistent volumes]({{}}/rancher/v2.x/en/k8s-in-rancher/volumes-and-storage/#persistent-volumes) must be available for the cluster. - -### A. Configuring Persistent Data for Docker Registry - -1. 
From the project that you're configuring a pipeline for, and click **Resources > Workloads.** In versions prior to v2.3.0, select the **Workloads** tab. - -1. Find the `docker-registry` workload and select **Ellipsis (...) > Edit**. - -1. Scroll to the **Volumes** section and expand it. Make one of the following selections from the **Add Volume** menu, which is near the bottom of the section: - - - **Add Volume > Add a new persistent volume (claim)** - - **Add Volume > Use an existing persistent volume (claim)** - -1. Complete the form that displays to choose a persistent volume for the internal Docker registry. -{{% tabs %}} - -{{% tab "Add a new persistent volume" %}} -
    -1. Enter a **Name** for the volume claim. - -1. Select a volume claim **Source**: - - - If you select **Use a Storage Class to provision a new persistent volume**, select a [Storage Class]({{}}/rancher/v2.x/en/k8s-in-rancher/volumes-and-storage/#storage-classes) and enter a **Capacity**. - - - If you select **Use an existing persistent volume**, choose a **Persistent Volume** from the drop-down. -1. From the **Customize** section, choose the read/write access for the volume. - -1. Click **Define**. - -{{% /tab %}} - -{{% tab "Use an existing persistent volume" %}} -
    -1. Enter a **Name** for the volume claim. - -1. Choose a **Persistent Volume Claim** from the drop-down. - -1. From the **Customize** section, choose the read/write access for the volume. - -1. Click **Define**. - -{{% /tab %}} - -{{% /tabs %}} - -1. From the **Mount Point** field, enter `/var/lib/registry`, which is the data storage path inside the Docker registry container. - -1. Click **Upgrade**. - -### B. Configuring Persistent Data for Minio - -1. From the project view, click **Resources > Workloads.** (In versions prior to v2.3.0, click the **Workloads** tab.) Find the `minio` workload and select **Ellipsis (...) > Edit**. - -1. Scroll to the **Volumes** section and expand it. Make one of the following selections from the **Add Volume** menu, which is near the bottom of the section: - - - **Add Volume > Add a new persistent volume (claim)** - - **Add Volume > Use an existing persistent volume (claim)** - -1. Complete the form that displays to choose a persistent volume for the internal Docker registry. -{{% tabs %}} - -{{% tab "Add a new persistent volume" %}} -
    -1. Enter a **Name** for the volume claim. - -1. Select a volume claim **Source**: - - - If you select **Use a Storage Class to provision a new persistent volume**, select a [Storage Class]({{}}/rancher/v2.x/en/k8s-in-rancher/volumes-and-storage/#storage-classes) and enter a **Capacity**. - - - If you select **Use an existing persistent volume**, choose a **Persistent Volume** from the drop-down. -1. From the **Customize** section, choose the read/write access for the volume. - -1. Click **Define**. - -{{% /tab %}} - -{{% tab "Use an existing persistent volume" %}} -
    -1. Enter a **Name** for the volume claim. - -1. Choose a **Persistent Volume Claim** from the drop-down. - -1. From the **Customize** section, choose the read/write access for the volume. - -1. Click **Define**. - -{{% /tab %}} - -{{% /tabs %}} - -1. From the **Mount Point** field, enter `/data`, which is the data storage path inside the Minio container. - -1. Click **Upgrade**. - -**Result:** Persistent storage is configured for your pipeline components. +For details, refer to the [pipelines]({{}}/rancher/v2.x/en/k8s-in-rancher/pipelines) section. \ No newline at end of file From ede45042e91687bff16aac5d1044882df77c7832 Mon Sep 17 00:00:00 2001 From: Catherine Luse Date: Tue, 31 Mar 2020 13:43:51 -0700 Subject: [PATCH 138/183] Edit note on backing up K3s before upgrading --- .../v2.x/en/cluster-provisioning/imported-clusters/_index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/rancher/v2.x/en/cluster-provisioning/imported-clusters/_index.md b/content/rancher/v2.x/en/cluster-provisioning/imported-clusters/_index.md index 89b5174c57e..a765eaa6c49 100644 --- a/content/rancher/v2.x/en/cluster-provisioning/imported-clusters/_index.md +++ b/content/rancher/v2.x/en/cluster-provisioning/imported-clusters/_index.md 
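Review bot: The pipelines hunk that ends in `+For details, refer to the [pipelines](...) section.` replaces the Bitbucket SSL-verification note, the Custom CA steps and the persistent-volume procedures for `docker-registry` and `minio` with one generic link, and nothing visible in the hunk shows where that text now lives. Confirm each removed topic exists on the pipelines page and link to it there. If the text was moved verbatim, fix two defects carried in the removed lines: the YAML sample has `memoryRequest:100Mi` with no space after the colon, and the Minio section says "choose a persistent volume for the internal Docker registry". The replacement line also leaves the file without a trailing newline.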
@@ -84,7 +84,7 @@ When a K3s cluster is imported, Rancher will recognize it as K3s, and the Ranche ### Configuring K3s Cluster Upgrades -> **Important:** It is a Kubernetes best practice to back up the cluster before upgrading. When upgrading a high-availability K3s cluster with an external database, back up the database in whichever way is recommended by the relational database provider. +> It is a Kubernetes best practice to back up the cluster before upgrading. When upgrading a high-availability K3s cluster with an external database, back up the database in whichever way is recommended by the relational database provider. The **concurrency** is the maximum number of nodes that are permitted to be unavailable during an upgrade. If number of unavailable nodes is larger than the **concurrency,** the upgrade will fail. If an upgrade fails, you may need to repair or remove failed nodes before the upgrade can succeed. From 37ecb8638fa371ce921e1cfa3f28f3c999c1e6d2 Mon Sep 17 00:00:00 2001 From: Catherine Luse Date: Wed, 1 Apr 2020 17:55:40 -0700 Subject: [PATCH 139/183] Reorganize cloud provider docs --- .../rke-clusters/cloud-providers/_index.md | 36 +++++++ .../amazon}/_index.md | 101 +----------------- .../cloud-providers/azure/_index.md | 70 ++++++++++++ 3 files changed, 109 insertions(+), 98 deletions(-) create mode 100644 content/rancher/v2.x/en/cluster-provisioning/rke-clusters/cloud-providers/_index.md rename content/rancher/v2.x/en/cluster-provisioning/rke-clusters/{options/cloud-providers => cloud-providers/amazon}/_index.md (55%) create mode 100644 content/rancher/v2.x/en/cluster-provisioning/rke-clusters/cloud-providers/azure/_index.md diff --git a/content/rancher/v2.x/en/cluster-provisioning/rke-clusters/cloud-providers/_index.md b/content/rancher/v2.x/en/cluster-provisioning/rke-clusters/cloud-providers/_index.md new file mode 100644 index 00000000000..ee5c9c2af7f --- /dev/null 
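Review bot: Dropping the `**Important:**` label in the imported-clusters hunk leaves an unlabelled blockquote, so the advice to back up the cluster and the external database before upgrading no longer reads as a callout. If the aim is only to soften it, use a labelled form such as `> **Note:**` rather than removing the label. The unchanged context line below it reads "If number of unavailable nodes", which should be "If the number", and could be fixed in the same edit.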
+++ b/content/rancher/v2.x/en/cluster-provisioning/rke-clusters/cloud-providers/_index.md 
@@ -0,0 +1,36 @@ +--- +title: Setting up Cloud Providers +weight: 2300 +aliases: + - /rancher/v2.x/en/concepts/clusters/cloud-providers/ + - /rancher/v2.x/en/cluster-provisioning/rke-clusters/options/cloud-providers +--- +A _cloud provider_ is a module in Kubernetes that provides an interface for managing nodes, load balancers, and networking routes. For more information, refer to the [official Kubernetes documentation on cloud providers.](https://kubernetes.io/docs/concepts/cluster-administration/cloud-providers/) + +When a cloud provider is set up in Rancher, the Rancher server can automatically provision new nodes, load balancers or persistent storage devices when launching Kubernetes definitions, if the cloud provider you're using supports such automation. + +Your cluster will not provision correctly if you configure a cloud provider cluster of nodes that do not meet the prerequisites. + +By default, the **Cloud Provider** option is set to `None`. + +Supported cloud providers are: + +* Amazon +* Azure + +### Setting up the Amazon Cloud Provider + +For details on enabling the Amazon cloud provider, refer to [this page.]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/cloud-providers/amazon) + +### Setting up the Azure Cloud Provider + +For details on enabling the Azure cloud provider, refer to [this page.]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/cloud-providers/azure) + +### Setting up a Custom Cloud Provider + +The `Custom` cloud provider is available if you want to configure any [Kubernetes cloud provider](https://kubernetes.io/docs/concepts/cluster-administration/cloud-providers/). + +For the custom cloud provider option, you can refer to the [RKE docs]({{}}/rke/latest/en/config-options/cloud-providers/) on how to edit the yaml file for your specific cloud provider. 
There are specific cloud providers that have more detailed configuration : + +* [vSphere]({{}}/rke/latest/en/config-options/cloud-providers/vsphere/) +* [Openstack]({{}}/rke/latest/en/config-options/cloud-providers/openstack/) \ No newline at end of file diff --git a/content/rancher/v2.x/en/cluster-provisioning/rke-clusters/options/cloud-providers/_index.md b/content/rancher/v2.x/en/cluster-provisioning/rke-clusters/cloud-providers/amazon/_index.md similarity index 55% rename from content/rancher/v2.x/en/cluster-provisioning/rke-clusters/options/cloud-providers/_index.md rename to content/rancher/v2.x/en/cluster-provisioning/rke-clusters/cloud-providers/amazon/_index.md index 6b8de366b6a..169fbc92a7a 100644 --- a/content/rancher/v2.x/en/cluster-provisioning/rke-clusters/options/cloud-providers/_index.md +++ b/content/rancher/v2.x/en/cluster-provisioning/rke-clusters/cloud-providers/amazon/_index.md 
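Review bot: In the new `cloud-providers/_index.md`, the sentence "Your cluster will not provision correctly if you configure a cloud provider cluster of nodes that do not meet the prerequisites." is now a plain paragraph, while the page it replaces had it as a `> **Warning:**` callout followed by a pointer to where the prerequisites are listed. Keep the warning callout and link it to the Amazon and Azure pages, which now hold the setup steps. Also, "more detailed configuration :" has a stray space before the colon, and the file ends without a newline.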
@@ -1,34 +1,7 @@ --- -title: Setting up Cloud Providers -weight: 2255 -aliases: - - /rancher/v2.x/en/concepts/clusters/cloud-providers/ +title: Setting up the Amazon Cloud Provider +weight: 1 --- -A _cloud provider_ is a module in Kubernetes that provides an interface for managing nodes, load balancers, and networking routes. For more information, refer to the [official Kubernetes documentation on cloud providers.](https://kubernetes.io/docs/concepts/cluster-administration/cloud-providers/) - -When a cloud provider is set up in Rancher, the Rancher server can automatically provision new nodes, load balancers or persistent storage devices when launching Kubernetes definitions, if the cloud provider you're using supports such automation. - -- [Cloud provider options](#cloud-provider-options) -- [Setting up the Amazon cloud provider](#setting-up-the-amazon-cloud-provider) -- [Setting up the Azure cloud provider](#setting-up-the-azure-cloud-provider) - -## Cloud Provider Options - -By default, the **Cloud Provider** option is set to `None`. Supported cloud providers are: - -* [Amazon](#setting-up-the-amazon-cloud-provider) -* [Azure](#setting-up-the-azure-cloud-provider) - -The `Custom` cloud provider is available if you want to configure any [Kubernetes cloud provider](https://kubernetes.io/docs/concepts/cluster-administration/cloud-providers/). - -For the custom cloud provider option, you can refer to the [RKE docs]({{}}/rke/latest/en/config-options/cloud-providers/) on how to edit the yaml file for your specific cloud provider. There are specific cloud providers that have more detailed configuration : - -* [vSphere]({{}}/rke/latest/en/config-options/cloud-providers/vsphere/) -* [Openstack]({{}}/rke/latest/en/config-options/cloud-providers/openstack/) - -> **Warning:** Your cluster will not provision correctly if you configure a cloud provider cluster of nodes that do not meet the prerequisites. Prerequisites for supported cloud providers are listed below. 
- -## Setting up the Amazon Cloud Provider When using the `Amazon` cloud provider, you can leverage the following capabilities: 
@@ -174,72 +147,4 @@ Setting the value of the tag to `owned` tells the cluster that all resources wit ### Using Amazon Elastic Container Registry (ECR) -The kubelet component has the ability to automatically obtain ECR credentials, when the IAM profile mentioned in [Create an IAM Role and attach to the instances](#1-create-an-iam-role-and-attach-to-the-instances) is attached to the instance(s). When using a Kubernetes version older than v1.15.0, the Amazon cloud provider needs be configured in the cluster. Starting with Kubernetes version v1.15.0, the kubelet can obtain ECR credentials without having the Amazon cloud provider configured in the cluster. - -## Setting up the Azure Cloud Provider - -When using the `Azure` cloud provider, you can leverage the following capabilities: - -- **Load Balancers:** Launches an Azure Load Balancer within a specific Network Security Group. - -- **Persistent Volumes:** Supports using Azure Blob disks and Azure Managed Disks with standard and premium storage accounts. - -- **Network Storage:** Support Azure Files via CIFS mounts. - -The following account types are not supported for Azure Subscriptions: - -- Single tenant accounts (i.e. accounts with no subscriptions). -- Multi-subscription accounts. - -To set up the Azure cloud provider following credentials need to be configured: - -1. [Set up the Azure Tenant ID](#1-set-up-the-azure-tenant-id) -2. [Set up the Azure Client ID and Azure Client Secret](#2-set-up-the-azure-client-id-and-azure-client-secret) -3. [Configure App Registration Permissions](#3-configure-app-registration-permissions) -4. [Set up Azure Network Security Group Name](#4-set-up-azure-network-security-group-name) - -### 1. Set up the Azure Tenant ID - -Visit [Azure portal](https://portal.azure.com), login and go to **Azure Active Directory** and select **Properties**. Your **Directory ID** is your **Tenant ID** (tenantID). 
- -If you want to use the Azure CLI, you can run the command `az account show` to get the information. - -### 2. Set up the Azure Client ID and Azure Client Secret - -Visit [Azure portal](https://portal.azure.com), login and follow the steps below to create an **App Registration** and the corresponding **Azure Client ID** (aadClientId) and **Azure Client Secret** (aadClientSecret). - -1. Select **Azure Active Directory**. -1. Select **App registrations**. -1. Select **New application registration**. -1. Choose a **Name**, select `Web app / API` as **Application Type** and a **Sign-on URL** which can be anything in this case. -1. Select **Create**. - -In the **App registrations** view, you should see your created App registration. The value shown in the column **APPLICATION ID** is what you need to use as **Azure Client ID**. - -The next step is to generate the **Azure Client Secret**: - -1. Open your created App registration. -1. In the **Settings** view, open **Keys**. -1. Enter a **Key description**, select an expiration time and select **Save**. -1. The generated value shown in the column **Value** is what you need to use as **Azure Client Secret**. This value will only be shown once. - -### 3. Configure App Registration Permissions - -The last thing you will need to do, is assign the appropriate permissions to your App registration. - -1. Go to **More services**, search for **Subscriptions** and open it. -1. Open **Access control (IAM)**. -1. Select **Add**. -1. For **Role**, select `Contributor`. -1. For **Select**, select your created App registration name. -1. Select **Save**. - -### 4. Set up Azure Network Security Group Name - -A custom Azure Network Security Group (securityGroupName) is needed to allow Azure Load Balancers to work. - -If you provision hosts using Rancher Machine Azure driver, you will need to edit them manually to assign them to this Network Security Group. 
- -You should already assign custom hosts to this Network Security Group during provisioning. - -Only hosts expected to be load balancer back ends need to be in this group. +The kubelet component has the ability to automatically obtain ECR credentials, when the IAM profile mentioned in [Create an IAM Role and attach to the instances](#1-create-an-iam-role-and-attach-to-the-instances) is attached to the instance(s). When using a Kubernetes version older than v1.15.0, the Amazon cloud provider needs be configured in the cluster. Starting with Kubernetes version v1.15.0, the kubelet can obtain ECR credentials without having the Amazon cloud provider configured in the cluster. \ No newline at end of file diff --git a/content/rancher/v2.x/en/cluster-provisioning/rke-clusters/cloud-providers/azure/_index.md b/content/rancher/v2.x/en/cluster-provisioning/rke-clusters/cloud-providers/azure/_index.md new file mode 100644 index 00000000000..25884572579 --- /dev/null +++ b/content/rancher/v2.x/en/cluster-provisioning/rke-clusters/cloud-providers/azure/_index.md 
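Review bot: In the `@@ -174,72 +147,4 @@` hunk of the renamed Amazon page, the last line of the ECR section is removed and re-added with the same wording only because the file now ends without a newline (`\ No newline at end of file`). Keep the trailing newline so the line does not show as changed. If the line is touched anyway, "needs be configured" should read "needs to be configured".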
@@ -0,0 +1,70 @@ +--- +title: Setting up the Azure Cloud Provider +weight: 2 +--- + +When using the `Azure` cloud provider, you can leverage the following capabilities: + +- **Load Balancers:** Launches an Azure Load Balancer within a specific Network Security Group. + +- **Persistent Volumes:** Supports using Azure Blob disks and Azure Managed Disks with standard and premium storage accounts. + +- **Network Storage:** Support Azure Files via CIFS mounts. + +The following account types are not supported for Azure Subscriptions: + +- Single tenant accounts (i.e. accounts with no subscriptions). +- Multi-subscription accounts. + +To set up the Azure cloud provider following credentials need to be configured: + +1. [Set up the Azure Tenant ID](#1-set-up-the-azure-tenant-id) +2. [Set up the Azure Client ID and Azure Client Secret](#2-set-up-the-azure-client-id-and-azure-client-secret) +3. [Configure App Registration Permissions](#3-configure-app-registration-permissions) +4. [Set up Azure Network Security Group Name](#4-set-up-azure-network-security-group-name) + +### 1. Set up the Azure Tenant ID + +Visit [Azure portal](https://portal.azure.com), login and go to **Azure Active Directory** and select **Properties**. Your **Directory ID** is your **Tenant ID** (tenantID). + +If you want to use the Azure CLI, you can run the command `az account show` to get the information. + +### 2. Set up the Azure Client ID and Azure Client Secret + +Visit [Azure portal](https://portal.azure.com), login and follow the steps below to create an **App Registration** and the corresponding **Azure Client ID** (aadClientId) and **Azure Client Secret** (aadClientSecret). + +1. Select **Azure Active Directory**. +1. Select **App registrations**. +1. Select **New application registration**. +1. Choose a **Name**, select `Web app / API` as **Application Type** and a **Sign-on URL** which can be anything in this case. +1. Select **Create**. 
+ +In the **App registrations** view, you should see your created App registration. The value shown in the column **APPLICATION ID** is what you need to use as **Azure Client ID**. + +The next step is to generate the **Azure Client Secret**: + +1. Open your created App registration. +1. In the **Settings** view, open **Keys**. +1. Enter a **Key description**, select an expiration time and select **Save**. +1. The generated value shown in the column **Value** is what you need to use as **Azure Client Secret**. This value will only be shown once. + +### 3. Configure App Registration Permissions + +The last thing you will need to do, is assign the appropriate permissions to your App registration. + +1. Go to **More services**, search for **Subscriptions** and open it. +1. Open **Access control (IAM)**. +1. Select **Add**. +1. For **Role**, select `Contributor`. +1. For **Select**, select your created App registration name. +1. Select **Save**. + +### 4. Set up Azure Network Security Group Name + +A custom Azure Network Security Group (securityGroupName) is needed to allow Azure Load Balancers to work. + +If you provision hosts using Rancher Machine Azure driver, you will need to edit them manually to assign them to this Network Security Group. + +You should already assign custom hosts to this Network Security Group during provisioning. + +Only hosts expected to be load balancer back ends need to be in this group. From 19f5499de7bced9df081c8ff241e885bc9c05aa8 Mon Sep 17 00:00:00 2001 
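Review bot: Section 3 of the new Azure page assigns the `Contributor` role from the Subscriptions view, which grants the app registration Contributor on the entire subscription, and the page does not say why that scope is needed. State the scope the cloud provider actually requires, or say that a narrower scope has not been tested. Section 2 asks the reader to select an expiration time for the client secret and notes the value "will only be shown once", but does not say what to do when the secret expires, so add a line on renewing it. The intro sentence "To set up the Azure cloud provider following credentials need to be configured" is missing "the".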
From: Catherine Luse Date: Wed, 1 Apr 2020 21:06:29 -0700 Subject: [PATCH 140/183] Update catalog docs --- content/rancher/v2.x/en/catalog/_index.md | 116 +++--------- .../adding => adding-catalogs}/_index.md | 58 +++++- .../rancher/v2.x/en/catalog/apps/_index.md | 170 ------------------ .../v2.x/en/catalog/built-in/_index.md | 30 ++-- .../{custom => catalog-config}/_index.md | 31 ++-- .../creating => creating-apps}/_index.md | 122 ++++--------- .../v2.x/en/catalog/launching-apps/_index.md | 102 +++++++++++ .../v2.x/en/catalog/managing-apps/_index.md | 80 +++++++++ .../en/catalog/multi-cluster-apps/_index.md | 53 ++++-- .../v2.x/en/catalog/tutorial/_index.md | 72 ++++++++ 10 files changed, 421 insertions(+), 413 deletions(-) rename content/rancher/v2.x/en/catalog/{custom/adding => adding-catalogs}/_index.md (59%) delete mode 100644 content/rancher/v2.x/en/catalog/apps/_index.md rename content/rancher/v2.x/en/catalog/{custom => catalog-config}/_index.md (69%) rename content/rancher/v2.x/en/catalog/{custom/creating => creating-apps}/_index.md (52%) create mode 100644 content/rancher/v2.x/en/catalog/launching-apps/_index.md create mode 100644 content/rancher/v2.x/en/catalog/managing-apps/_index.md create mode 100644 content/rancher/v2.x/en/catalog/tutorial/_index.md diff --git a/content/rancher/v2.x/en/catalog/_index.md b/content/rancher/v2.x/en/catalog/_index.md index 7500a67b3f6..e38d9aeb73a 100644 --- a/content/rancher/v2.x/en/catalog/_index.md +++ b/content/rancher/v2.x/en/catalog/_index.md 
@@ -20,16 +20,11 @@ This section covers the following topics: - [Prerequisites](#prerequisites) - [Catalog scopes](#catalog-scopes) - [Catalog Helm Deployment Versions](#catalog-helm-deployment-versions) -- [Enabling built-in global catalogs](#enabling-built-in-global-catalogs) -- [Adding custom global catalogs](#adding-custom-global-catalogs) - - [Add custom Git repositories](#add-custom-git-repositories) - - [Add custom Helm chart repositories](#add-custom-helm-chart-repositories) - - [Add private Git/Helm chart repositories](#add-private-git-helm-chart-repositories) -- [Launching catalog applications](#launching-catalog-applications) -- [Working with catalogs](#working-with-catalogs) - - [Apps](#apps) - - [Global DNS](#global-dns) - - [Chart compatibility with Rancher](#chart-compatibility-with-rancher) +- [Built-in global catalogs](#built-in-global-catalogs) +- [Custom catalogs](#custom-catalogs) +- [Creating and launching applications](#creating-and-launching-applications) +- [Chart compatibility with Rancher](#chart-compatibility-with-rancher) +- [Global DNS](#global-dns) # Prerequisites 
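Review bot: The table-of-contents hunk removes the in-page anchors `#enabling-built-in-global-catalogs`, `#adding-custom-global-catalogs`, `#launching-catalog-applications` and `#working-with-catalogs`, and page-level `aliases` do not redirect fragments. Check the docs for inbound links to these anchors and repoint them to the new pages before merging.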
@@ -64,103 +59,34 @@ By default, catalogs are assumed to be deployed using Helm 2. If you run an app Charts that are specific to Helm 2 should only be added to a Helm 2 catalog, and Helm 3 specific charts should only be added to a Helm 3 catalog. -# Enabling Built-in Global Catalogs +# Built-in Global Catalogs -Within Rancher, there are default catalogs packaged as part of Rancher. These can be enabled or disabled by an administrator. +Within Rancher, there are default catalogs packaged as part of Rancher. These can be enabled or disabled by an administrator. For details, refer to the section on managing [built-in global catalogs.]({{}}/rancher/v2.x/en/catalog/built-in) -1. From the **Global** view, choose **Tools > Catalogs** in the navigation bar. In versions prior to v2.2.0, you can select **Catalogs** directly in the navigation bar. +# Custom Catalogs -2. Toggle the default catalogs that you want use to a setting of **Enabled**. +There are two types of catalogs in Rancher: [Built-in global catalogs]({{}}/rancher/v2.x/en/catalog/built-in/) and [custom catalogs.]({{}}/rancher/v2.x/en/catalog/adding-catalogs/) - - **Library:** The Library Catalog includes charts curated by Rancher. Rancher stores charts in a Git repository to expedite the fetch and update of charts. This catalog features Rancher Charts, which include some [notable advantages]({{}}/rancher/v2.x/en/catalog/custom/#chart-types) over native Helm charts. - - **Helm Stable:** This catalog, which is maintained by the Kubernetes community, includes native [Helm charts](https://helm.sh/docs/chart_template_guide/). This catalog features the largest pool of apps. - - **Helm Incubator:** Similar in user experience to Helm Stable, but this catalog is filled with applications in **beta**. +Any user can create custom catalogs to add into Rancher. Custom catalogs can be added into Rancher at the global level, cluster level, or project level. 
For details, refer to the [section on adding custom catalogs]({{}}/rancher/v2.x/en/catalog/adding-catalogs) and the [catalog configuration reference.]({{}}/rancher/v2.x/en/catalog/catalog-config) - **Result**: The chosen catalogs are enabled. Wait a few minutes for Rancher to replicate the catalog charts. When replication completes, you'll be able to see them in any of your projects by selecting **Apps** from the main navigation bar. In versions prior to v2.2.0, you can select **Catalog Apps** from the main navigation bar. +# Creating and Launching Applications -# Adding Custom Global Catalogs - -Adding a catalog is as simple as adding a catalog name, a URL and a branch name. - -**Prerequisite:** An [admin]({{}}/rancher/v2.x/en/admin-settings/rbac/global-permissions/) of Rancher has the ability to add or remove catalogs globally in Rancher. - -### Add Custom Git Repositories -The Git URL needs to be one that `git clone` [can handle](https://git-scm.com/docs/git-clone#_git_urls_a_id_urls_a) and must end in `.git`. The branch name must be a branch that is in your catalog URL. If no branch name is provided, it will use the `master` branch by default. Whenever you add a catalog to Rancher, it will be available immediately. - -### Add Custom Helm Chart Repositories - -A Helm chart repository is an HTTP server that houses one or more packaged charts. Any HTTP server that can serve YAML files and tar files and can answer GET requests can be used as a repository server. - -Helm comes with built-in package server for developer testing (helm serve). The Helm team has tested other servers, including Google Cloud Storage with website mode enabled, S3 with website mode enabled or hosting custom chart repository server using open-source projects like [ChartMuseum](https://github.com/helm/chartmuseum). - -In Rancher, you can add the custom Helm chart repository with only a catalog name and the URL address of the chart repository. 
- -### Add Private Git/Helm Chart Repositories -_Available as of v2.2.0_ - -Private catalog repositories can be added using credentials like Username and Password. You may also want to use the OAuth token if your Git or Helm repository server supports that. - -[Read More About Adding Private Git/Helm Catalogs]({{}}/rancher/v2.x/en/catalog/custom/#private-repositories) - - 1. From the **Global** view, choose **Tools > Catalogs** in the navigation bar. In versions prior to v2.2.0, you can select **Catalogs** directly in the navigation bar. - 2. Click **Add Catalog**. - 3. Complete the form and click **Create**. - - **Result:** Your catalog is added to Rancher. - -# Launching Catalog Applications - -After you've either enabled the built-in catalogs or added your own custom catalog, you can start launching any catalog application.> - -1. From the **Global** view, open the project that you want to deploy to. - -2. From the main navigation bar, choose **Apps**. In versions prior to v2.2.0, choose **Catalog Apps** on the main navigation bar. Click **Launch**. - -3. Find the app that you want to launch, and then click **View Now**. - -4. Under **Configuration Options** enter a **Name**. By default, this name is also used to create a Kubernetes namespace for the application. - - * If you would like to change the **Namespace**, click **Customize** and enter a new name. - * If you want to use a different namespace that already exists, click **Customize**, and then click **Use an existing namespace**. Choose a namespace from the list. - -5. Select a **Template Version**. - -6. Complete the rest of the **Configuration Options**. - - * For native Helm charts (i.e., charts from the **Helm Stable** or **Helm Incubator** catalogs), answers are provided as key value pairs in the **Answers** section. - * Keys and values are available within **Detailed Descriptions**. 
- * When entering answers, you must format them using the syntax rules found in [Using Helm: The format and limitations of --set]https://helm.sh/docs/intro/using_helm/#the-format-and-limitations-of---set), as Rancher passes them as `--set` flags to Helm. - - For example, when entering an answer that includes two values separated by a comma (i.e., `abc, bcd`), wrap the values with double quotes (i.e., `"abc, bcd"`). - -7. Review the files in **Preview**. When you're satisfied, click **Launch**. - -**Result**: Your application is deployed to your chosen namespace. You can view the application status from the project's: - -By creating a customized repository with added files, Rancher improves on Helm repositories and charts. All native Helm charts can work within Rancher, but Rancher adds several enhancements to improve their user experience. - -# Working with Catalogs - -There are two types of catalogs in Rancher. Learn more about each type: - -* [Built-in Global Catalogs]({{}}/rancher/v2.x/en/catalog/built-in/) -* [Custom Catalogs]({{}}/rancher/v2.x/en/catalog/custom/) - -### Apps - -In Rancher, applications are deployed from the templates in a catalog. Rancher supports two types of applications: +In Rancher, applications are deployed from the templates in a catalog. 
This section covers the following topics: * [Multi-cluster applications]({{}}/rancher/v2.x/en/catalog/multi-cluster-apps/) -* [Applications deployed in a specific Project]({{}}/rancher/v2.x/en/catalog/apps) +* [Creating catalog apps]({{}}/rancher/v2.x/en/catalog/creating-apps) +* [Launching catalog apps within a project]({{}}/rancher/v2.x/en/catalog/launching-apps) +* [Managing catalog apps]({{}}/rancher/v2.x/en/catalog/managing-apps) +* [Tutorial: Example custom chart creation]({{}}/rancher/v2.x/en/catalog/tutorial) -### Global DNS +# Chart Compatibility with Rancher + +Charts now support the fields `rancher_min_version` and `rancher_max_version` in the [`questions.yml` file](https://github.com/rancher/integration-test-charts/blob/master/charts/chartmuseum/v1.6.0/questions.yml) to specify the versions of Rancher that the chart is compatible with. When using the UI, only app versions that are valid for the version of Rancher running will be shown. API validation is done to ensure apps that don't meet the Rancher requirements cannot be launched. An app that is already running will not be affected on a Rancher upgrade if the newer Rancher version does not meet the app's requirements. + +# Global DNS _Available as v2.2.0_ When creating applications that span multiple Kubernetes clusters, a Global DNS entry can be created to route traffic to the endpoints in all of the different clusters. An external DNS server will need be programmed to assign a fully qualified domain name (a.k.a FQDN) to your application. Rancher will use the FQDN you provide and the IP addresses where your application is running to program the DNS. Rancher will gather endpoints from all the Kubernetes clusters running your application and program the DNS. For more information on how to use this feature, see [Global DNS]({{}}/rancher/v2.x/en/catalog/globaldns/). 
- -### Chart Compatibility with Rancher - -Charts now support the fields `rancher_min_version` and `rancher_max_version` in the [`questions.yml` file](https://github.com/rancher/integration-test-charts/blob/master/charts/chartmuseum/v1.6.0/questions.yml) to specify the versions of Rancher that the chart is compatible with. When using the UI, only app versions that are valid for the version of Rancher running will be shown. API validation is done to ensure apps that don't meet the Rancher requirements cannot be launched. An app that is already running will not be affected on a Rancher upgrade if the newer Rancher version does not meet the app's requirements. diff --git a/content/rancher/v2.x/en/catalog/custom/adding/_index.md b/content/rancher/v2.x/en/catalog/adding-catalogs/_index.md similarity index 59% rename from content/rancher/v2.x/en/catalog/custom/adding/_index.md rename to content/rancher/v2.x/en/catalog/adding-catalogs/_index.md index 785ac1bcdde..d8540b3cf42 100644 --- a/content/rancher/v2.x/en/catalog/custom/adding/_index.md +++ b/content/rancher/v2.x/en/catalog/adding-catalogs/_index.md 
@@ -1,13 +1,53 @@ --- -title: Adding Custom Catalogs -weight: 4005 +title: Creating Custom Catalogs +weight: 200 aliases: - /rancher/v2.x/en/tasks/global-configuration/catalog/adding-custom-catalogs/ + - /rancher/v2.x/en/catalog/custom/adding --- -[Custom catalogs]({{}}/rancher/v2.x/en/catalog/custom/) can be added into Rancher at any [scope of Rancher]({{}}/rancher/v2.x/en/catalog/#catalog-scope). +Custom catalogs can be added into Rancher at a global scope, cluster scope, or project scope. -## Adding Global Catalogs +- [Adding catalog repositories](#adding-catalog-repositories) + - [Add custom Git repositories](#add-custom-git-repositories) + - [Add custom Helm chart repositories](#add-custom-helm-chart-repositories) + - [Add private Git/Helm chart repositories](#add-private-git-helm-chart-repositories) +- [Adding global catalogs](#adding-global-catalogs) +- [Adding cluster level catalogs](#adding-cluster-level-catalogs) +- [Adding project level catalogs](#adding-project-level-catalogs) +- [Custom catalog configuration reference](#custom-catalog-configuration-reference) + +# Adding Catalog Repositories + +Adding a catalog is as simple as adding a catalog name, a URL and a branch name. + +**Prerequisite:** An [admin]({{}}/rancher/v2.x/en/admin-settings/rbac/global-permissions/) of Rancher has the ability to add or remove catalogs globally in Rancher. + +### Add Custom Git Repositories +The Git URL needs to be one that `git clone` [can handle](https://git-scm.com/docs/git-clone#_git_urls_a_id_urls_a) and must end in `.git`. The branch name must be a branch that is in your catalog URL. If no branch name is provided, it will use the `master` branch by default. Whenever you add a catalog to Rancher, it will be available immediately. + +### Add Custom Helm Chart Repositories + +A Helm chart repository is an HTTP server that houses one or more packaged charts. 
Any HTTP server that can serve YAML files and tar files and can answer GET requests can be used as a repository server. + +Helm comes with built-in package server for developer testing (helm serve). The Helm team has tested other servers, including Google Cloud Storage with website mode enabled, S3 with website mode enabled or hosting custom chart repository server using open-source projects like [ChartMuseum](https://github.com/helm/chartmuseum). + +In Rancher, you can add the custom Helm chart repository with only a catalog name and the URL address of the chart repository. + +### Add Private Git/Helm Chart Repositories +_Available as of v2.2.0_ + +Private catalog repositories can be added using credentials like Username and Password. You may also want to use the OAuth token if your Git or Helm repository server supports that. + +For more information on private Git/Helm catalogs, refer to the [custom catalog configuration reference.]({{}}/rancher/v2.x/en/catalog/catalog-config) + + 1. From the **Global** view, choose **Tools > Catalogs** in the navigation bar. In versions prior to v2.2.0, you can select **Catalogs** directly in the navigation bar. + 2. Click **Add Catalog**. + 3. Complete the form and click **Create**. + + **Result:** Your catalog is added to Rancher. + +# Adding Global Catalogs >**Prerequisites:** In order to manage the [built-in catalogs]({{}}/rancher/v2.x/en/catalog/built-in/) or manage global catalogs, you need _one_ of the following permissions: 
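Review bot: the new "Adding Catalog Repositories" section copies the Custom Git Repository and Custom Helm Chart Repository text that this same commit keeps in catalog-config/_index.md, and the two copies already disagree: "it will be available immediately" here against "available almost immediately" there, and "Helm comes with built-in package server for developer testing (helm serve)" here, which drops the "a" and the code formatting on `helm serve`. Keep the description in one file and link to it from the other. The three numbered steps (Tools > Catalogs, Add Catalog, Create) also sit under "Add Private Git/Helm Chart Repositories" although nothing in them is specific to private repositories, and the "Prerequisite" line names only an admin while the "Adding Global Catalogs" prerequisites directly below introduce a list of permissions of which one is enough.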
> @@ -20,9 +60,9 @@ aliases: {{}}/rancher/v2.x/en/catalog/#catalog-helm-deployment-versions) 4. Click **Create**. - **Result**: Your custom global catalog is added to Rancher. Once it is in `Active` state, it has completed synchronization and you will be able to start deploying [multi-cluster apps]({{}}/rancher/v2.x/en/catalog/multi-cluster-apps/) or [applications in any project]({{}}/rancher/v2.x/en/catalog/apps/) from this catalog. + **Result**: Your custom global catalog is added to Rancher. Once it is in `Active` state, it has completed synchronization and you will be able to start deploying [multi-cluster apps]({{}}/rancher/v2.x/en/catalog/multi-cluster-apps/) or [applications in any project]({{}}/rancher/v2.x/en/catalog/launching-apps/) from this catalog. -## Adding Cluster Catalogs +# Adding Cluster Level Catalogs _Available as of v2.2.0_ @@ -41,7 +81,7 @@ _Available as of v2.2.0_ **Result**: Your custom cluster catalog is added to Rancher. Once it is in `Active` state, it has completed synchronization and you will be able to start deploying [applications in any project in that cluster]({{}}/rancher/v2.x/en/catalog/apps/) from this catalog. -## Adding Project Level Catalogs +# Adding Project Level Catalogs _Available as of v2.2.0_ @@ -60,3 +100,7 @@ _Available as of v2.2.0_ 5. Click **Create**. **Result**: Your custom project catalog is added to Rancher. Once it is in `Active` state, it has completed synchronization and you will be able to start deploying [applications in that project]({{}}/rancher/v2.x/en/catalog/apps/) from this catalog. + +# Custom Catalog Configuration Reference + +Refer to [this page]({{}}/rancher/v2.x/en/catalog/catalog-config) more information on configuring custom catalogs. \ No newline at end of file diff --git a/content/rancher/v2.x/en/catalog/apps/_index.md b/content/rancher/v2.x/en/catalog/apps/_index.md deleted file mode 100644 index c5b0b058bc7..00000000000 --- a/content/rancher/v2.x/en/catalog/apps/_index.md +++ /dev/null 
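Review bot: the "Result" lines under "Adding Cluster Level Catalogs" and "Adding Project Level Catalogs" still link to `{{}}/rancher/v2.x/en/catalog/apps/`, the page this commit deletes; only the global-catalog Result was switched to `catalog/launching-apps/`. The new launching-apps/_index.md lists only its own path under `aliases`, so nothing redirects the old URL. Update both links to `launching-apps/`, or add `/rancher/v2.x/en/catalog/apps` as an alias on the new page. In the last hunk, "Refer to [this page] more information" is missing "for".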
@@ -1,170 +0,0 @@ ---- -title: Apps in a Project -weight: 5005 ---- - -Within a project, when you want to deploy applications from catalogs, the applications available in your project will be based on the [scope of the catalogs]({{}}/rancher/v2.x/en/catalog/#catalog-scope). - -If your application is using ingresses, you can program the ingress hostname to an external DNS by setting up a [Global DNS entry]({{}}/rancher/v2.x/en/catalog/globaldns/). - -## Prerequisites - -To create a multi-cluster app in Rancher, you must have at least one of the following permissions: - -- A [project-member role]({{}}/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/#project-roles) in the target cluster, which gives you the ability to create, read, update, and delete the workloads -- A [cluster owner role]({{}}/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/#cluster-roles) for the cluster that include the target project - -## Launching Catalog Applications - -After you've either enabled the [built-in global catalogs]({{}}/rancher/v2.x/en/catalog/built-in/) or [added your own custom catalog]({{}}/rancher/v2.x/en/catalog/custom/adding), you can start launching catalog applications. - -1. From the **Global** view, navigate to your project that you want to start deploying applications. - -2. From the main navigation bar, choose **Apps**. In versions prior to v2.2.0, choose **Catalog Apps** on the main navigation bar. Click **Launch**. - -3. Find the application that you want to launch, and then click **View Details**. - -4. (Optional) Review the detailed descriptions, which comes from the Helm chart's `README`. - -5. Under **Configuration Options** enter a **Name**. By default, this name is also used to create a Kubernetes namespace for the application. - - * If you would like to change the **Namespace**, click **Customize** and change the name of the namespace. 
- * If you want to use a different namespace that already exists, click **Customize**, and then click **Use an existing namespace**. Choose a namespace from the list. - -6. Select a **Template Version**. - -7. Complete the rest of the **Configuration Options**. Rancher handles how to [customize your configuration options](#configuration-options) depending on whether or not the custom catalog includes the `questions.yml` file. - -8. Review the files in the **Preview** section. When you're satisfied, click **Launch**. - -**Result**: Your application is deployed to your chosen namespace. You can view the application status from the project's: - -- **Workloads** view -- **Apps** view. In versions prior to v2.2.0, this is the **Catalog Apps** view. - -### Configuration Options - -For each Helm chart, there are a list of desired answers that must be entered in order to successfully deploy the chart. When entering answers, you must format them using the syntax rules found in [Using Helm: The format and limitations of –set](https://github.com/helm/helm/blob/master/docs/using_helm.md#the-format-and-limitations-of---set), as Rancher passes them as `--set` flags to Helm. - -> For example, when entering an answer that includes two values separated by a comma (i.e. `abc, bcd`), it is required to wrap the values with double quotes (i.e., ``"abc, bcd"``). - -{{% tabs %}} -{{% tab "UI" %}} - -#### Using a `questions.yml` file - -If the Helm chart that you are deploying contains a `questions.yml` file, Rancher's UI will translate this file to display an easy to use UI to collect the answers for the questions. - -#### Key Value Pairs for Native Helm Charts - -For native Helm charts (i.e., charts from the **Helm Stable** or **Helm Incubator** catalogs or a [custom Helm chart repository]({{}}/rancher/v2.x/en/catalog/custom/#custom-helm-chart-repository)), answers are provided as key value pairs in the **Answers** section. These answers are used to override the default values. 
- -{{% /tab %}} -{{% tab "Editing YAML Files" %}} - -_Available as of v2.1.0_ - -If you do not want to input answers using the UI, you can choose the **Edit as YAML** option. - -With this example YAML: - -```YAML -outer: - inner: value -servers: -- port: 80 - host: example -``` - -#### Kev Value Pairs - -You can have a YAML file that translates these fields to match how to [format custom values so that it can be used with `--set`](https://github.com/helm/helm/blob/master/docs/using_helm.md#the-format-and-limitations-of---set). - -These values would be translated to: - -``` -outer.inner=value -servers[0].port=80 -servers[0].host=example -``` - -#### YAML files - -_Available as of v2.2.0_ - -You can directly paste that YAML formatted structure into the YAML editor. By allowing custom values to be set using a YAML formatted structure, Rancher has the ability to easily customize for more complicated input values (e.g. multi-lines, array and JSON objects). -{{% /tab %}} -{{% /tabs %}} - -## Application Management - -After deploying an application, one of the benefits of using an application versus individual workloads/resources is the ease of being able to manage many workloads/resources applications. Apps can be cloned, upgraded or rolled back. - -### Cloning Catalog Applications - -After an application is deployed, you can easily clone it to use create another application with almost the same configuration. It saves you the work of manually filling in duplicate information. - -### Upgrading Catalog Applications - -After an application is deployed, you can easily upgrade to a different template version. - -1. From the **Global** view, navigate to the project that contains the catalog application that you want to upgrade. - -1. From the main navigation bar, choose **Apps**. In versions prior to v2.2.0, choose **Catalog Apps** on the main navigation bar. Click **Launch**. - -3. 
Find the application that you want to upgrade, and then click the Ellipsis to find **Upgrade**. - -4. Select the **Template Version** that you want to deploy. - -5. (Optional) Update your **Configuration Options**. - -6. (Optional) Select whether or not you want to force the catalog application to be upgraded by checking the box for **Delete and recreate resources if needed during the upgrade**. - - > In Kubernetes, some fields are designed to be immutable or cannot be updated directly. As of v2.2.0, you can now force your catalog application to be updated regardless of these fields. This will cause the catalog apps to be deleted and resources to be re-created if needed during the upgrade. - -7. Review the files in the **Preview** section. When you're satisfied, click **Launch**. - -**Result**: Your application is updated. You can view the application status from the project's: - -- **Workloads** view -- **Apps** view. In versions prior to v2.2.0, this is the **Catalog Apps** view. - - -### Rolling Back Catalog Applications - -After an application has been upgraded, you can easily rollback to a different template version. - -1. From the **Global** view, navigate to the project that contains the catalog application that you want to upgrade. - -1. From the main navigation bar, choose **Apps**. In versions prior to v2.2.0, choose **Catalog Apps** on the main navigation bar. Click **Launch**. - -3. Find the application that you want to rollback, and then click the Ellipsis to find **Rollback**. - -4. Select the **Revision** that you want to roll back to. By default, Rancher saves up to the last 10 revisions. - -5. (Optional) Select whether or not you want to force the catalog application to be upgraded by checking the box for **Delete and recreate resources if needed during the upgrade**. - - > In Kubernetes, some fields are designed to be immutable or cannot be updated directly. 
As of v2.2.0, you can now force your catalog application to be updated regardless of these fields. This will cause the catalog apps to be deleted and resources to be re-created if needed during the rollback. - -7. Click **Rollback**. - -**Result**: Your application is updated. You can view the application status from the project's: - -- **Workloads** view -- **Apps** view. In versions prior to v2.2.0, this is the **Catalog Apps** view. - -### Deleting Catalog Application Deployments - -As a safeguard to prevent you from unintentionally deleting other catalog applications that share a namespace, deleting catalog applications themselves does not delete the namespace they're assigned to. - -Therefore, if you want to delete both an app and the namespace that contains the app, you should remove the app and the namespace separately: - -1. Uninstall the app using the app's `uninstall` function. - -1. From the **Global** view, navigate to the project that contains the catalog application that you want to delete. - -1. From the main menu, choose **Namespaces**. - -1. Find the namespace running your catalog app. Select it and click **Delete**. - -**Result:** The catalog application deployment and its namespace are deleted. diff --git a/content/rancher/v2.x/en/catalog/built-in/_index.md b/content/rancher/v2.x/en/catalog/built-in/_index.md index fa81d40f40a..5b86667717b 100644 --- a/content/rancher/v2.x/en/catalog/built-in/_index.md +++ b/content/rancher/v2.x/en/catalog/built-in/_index.md 
@@ -1,35 +1,25 @@ --- -title: Built-in Global Catalogs -weight: 4000 +title: Enabling and Disabling Built-in Global Catalogs +weight: 100 aliases: - /rancher/v2.x/en/tasks/global-configuration/catalog/enabling-default-catalogs/ --- -There are default [global catalogs]({{}}/rancher/v2.x/en/catalog/#global-catalogs) packaged as part of Rancher. +There are default global catalogs packaged as part of Rancher. -## Managing Built-in Global Catalogs +Within Rancher, there are default catalogs packaged as part of Rancher. These can be enabled or disabled by an administrator. ->**Prerequisites:** In order to manage the built-in catalogs or [manage global catalogs]({{}}/rancher/v2.x/en/catalog/custom/adding/#adding-global-catalogs), you need _one_ of the following permissions: +>**Prerequisites:** In order to manage the built-in catalogs or manage global catalogs, you need _one_ of the following permissions: > >- [Administrator Global Permissions]({{}}/rancher/v2.x/en/admin-settings/rbac/global-permissions/) ->- [Custom Global Permissions]({{}}/rancher/v2.x/en/admin-settings/rbac/global-permissions/#custom-global-permissions) with the [Manage Catalogs]({{}}/rancher/v2.x/en/admin-settings/rbac/global-permissions/#global-permissions-reference) role assigned. +>- [Custom Global Permissions]({{}}/rancher/v2.x/en/admin-settings/rbac/global-permissions/#custom-global-permissions) with the [Manage Catalogs]({{}}/rancher/v2.x/en/admin-settings/rbac/global-permissions/#custom-global-permissions-reference) role assigned. 1. From the **Global** view, choose **Tools > Catalogs** in the navigation bar. In versions prior to v2.2.0, you can select **Catalogs** directly in the navigation bar. -2. Toggle the default catalogs that you want use to a setting of **Enabled**. +2. Toggle the default catalogs that you want to be enabled or disabled: - - **Library** - - The Library Catalog includes charts curated by Rancher. 
Rancher stores charts in a Git repository to expedite the fetch and update of charts. In Rancher 2.x, only global catalogs are supported. Support for cluster-level and project-level charts will be added in the future. - - This catalog features Rancher Charts, which include some [notable advantages]({{}}/rancher/v2.x/en/catalog/custom/#chart-types) over native Helm charts. - - - **Helm Stable** - - This catalog, , which is maintained by the Kubernetes community, includes native [Helm charts](https://github.com/kubernetes/helm/blob/master/docs/chart_template_guide/getting_started.md). This catalog features the largest pool of apps. - - - **Helm Incubator** - - Similar in user experience to Helm Stable, but this catalog is filled with applications in **beta**. + - **Library:** The Library Catalog includes charts curated by Rancher. Rancher stores charts in a Git repository to expedite the fetch and update of charts. This catalog features Rancher Charts, which include some [notable advantages]({{}}/rancher/v2.x/en/catalog/creating-apps/#rancher-charts) over native Helm charts. + - **Helm Stable:** This catalog, which is maintained by the Kubernetes community, includes native [Helm charts](https://helm.sh/docs/chart_template_guide/). This catalog features the largest pool of apps. + - **Helm Incubator:** Similar in user experience to Helm Stable, but this catalog is filled with applications in **beta**. **Result**: The chosen catalogs are enabled. Wait a few minutes for Rancher to replicate the catalog charts. When replication completes, you'll be able to see them in any of your projects by selecting **Apps** from the main navigation bar. In versions prior to v2.2.0, within a project, you can select **Catalog Apps** from the main navigation bar. 
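Review bot: the two added intro sentences say the same thing twice ("There are default global catalogs packaged as part of Rancher." followed by "Within Rancher, there are default catalogs packaged as part of Rancher."); drop one of them. The second also says the catalogs "can be enabled or disabled by an administrator", but the Prerequisites block below accepts either Administrator Global Permissions or Custom Global Permissions with the Manage Catalogs role, so the intro should name the permission rather than the administrator role. Step 2 now covers enabling and disabling, while the unchanged Result line still reads "The chosen catalogs are enabled."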
diff --git a/content/rancher/v2.x/en/catalog/custom/_index.md b/content/rancher/v2.x/en/catalog/catalog-config/_index.md similarity index 69% rename from content/rancher/v2.x/en/catalog/custom/_index.md rename to content/rancher/v2.x/en/catalog/catalog-config/_index.md index 67e79a87ab2..229f65e1c97 100644 --- a/content/rancher/v2.x/en/catalog/custom/_index.md +++ b/content/rancher/v2.x/en/catalog/catalog-config/_index.md 
@@ -1,24 +1,32 @@ --- -title: Custom Catalogs -weight: 4020 +title: Custom Catalog Configuration Reference +weight: 300 aliases: - + - /rancher/v2.x/en/catalog/catalog-config --- -Any user can [create custom catalogs]({{}}/rancher/v2.x/en/catalog/custom/creating/) to add into Rancher. Besides the content of the catalog, users must ensure their catalogs are able to be added into Rancher. +Any user can create custom catalogs to add into Rancher. Besides the content of the catalog, users must ensure their catalogs are able to be added into Rancher. -## Types of Repositories +- [Types of Repositories](#types-of-repositories) +- [Custom Git Repository](#custom-git-repository) +- [Custom Helm Chart Repository](#custom-helm-chart-repository) +- [Catalog Fields](#catalog-fields) +- [Private Repositories](#private-repositories) + - [Using Username and Password](#using-username-and-password) + - [Using an OAuth token](#using-an-oauth-token) + +# Types of Repositories Rancher supports adding in different types of repositories as a catalog: * Custom Git Repository * Custom Helm Chart Repository -### Custom Git Repository +# Custom Git Repository The Git URL needs to be one that `git clone` [can handle](https://git-scm.com/docs/git-clone#_git_urls_a_id_urls_a) and must end in `.git`. The branch name must be a branch that is in your catalog URL. If no branch name is provided, it will default to use the `master` branch. Whenever you add a catalog to Rancher, it will be available almost immediately. -### Custom Helm Chart Repository +# Custom Helm Chart Repository A Helm chart repository is an HTTP server that contains one or more packaged charts. Any HTTP server that can serve YAML files and tar files and can answer GET requests can be used as a repository server. 
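Review bot: the alias added in the front matter, `/rancher/v2.x/en/catalog/catalog-config`, is the page's own new path, so it redirects nothing. The file is renamed from catalog/custom/_index.md, and the other renames in this commit alias the old location (`/rancher/v2.x/en/catalog/custom/adding`, `/rancher/v2.x/en/catalog/custom/creating`); use `/rancher/v2.x/en/catalog/custom` here so existing links to the old page keep resolving.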
@@ -26,7 +34,7 @@ Helm comes with a built-in package server for developer testing (`helm serve`). In Rancher, you can add the custom Helm chart repository with only a catalog name and the URL address of the chart repository. -## Catalog Fields +# Catalog Fields When [adding your catalog]({{}}/rancher/v2.x/en/catalog/custom/adding/) to Rancher, you'll provide the following information: @@ -36,11 +44,12 @@ When [adding your catalog]({{}}/rancher/v2.x/en/catalog/custom/adding/) | Name | Name for your custom catalog to distinguish the repositories in Rancher | | Catalog URL | URL of your custom chart repository| | Use Private Catalog | Selected if you are using a private repository that requires authentication | -| Username (Optional) | [Username](#using-username-and-password) or [OAuth Token](#using-an-oauth-token) | -| Password (Optional) | If you are authenticating using [username](#using-username-and-password), the associated password. If you are using an [OAuth Token](#using-an-oauth-token), use `x-oauth-basic`. | +| Username (Optional) | Username or OAuth Token | +| Password (Optional) | If you are authenticating using a username, enter the associated password. If you are using an OAuth token, use `x-oauth-basic`. | | Branch | For a Git repository, the branch name. Default: `master`. For a Helm Chart repository, this field is ignored. | +| Helm version | The Helm version that will be used to deploy all of the charts in the catalog. This field cannot be changed later. For more information, refer to the [section on Helm versions.]({{}}/rancher/v2.x/en/catalog/#catalog-helm-deployment-versions) | -## Private Repositories +# Private Repositories _Available as of v2.2.0_ 
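Review bot: the sentence above the field table, "When [adding your catalog]({{}}/rancher/v2.x/en/catalog/custom/adding/) to Rancher", is left pointing at the pre-rename path and only resolves through the alias added on adding-catalogs/_index.md; point it at `catalog/adding-catalogs/` directly. The Username and Password rows also lose their links to `#using-username-and-password` and `#using-an-oauth-token`, although both sections are still listed in the new table of contents; keeping the links lets readers reach the credential instructions from the field table.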
diff --git a/content/rancher/v2.x/en/catalog/custom/creating/_index.md b/content/rancher/v2.x/en/catalog/creating-apps/_index.md similarity index 52% rename from content/rancher/v2.x/en/catalog/custom/creating/_index.md rename to content/rancher/v2.x/en/catalog/creating-apps/_index.md index 36c1e41825e..d59893cd9de 100644 --- a/content/rancher/v2.x/en/catalog/custom/creating/_index.md +++ b/content/rancher/v2.x/en/catalog/creating-apps/_index.md 
@@ -1,41 +1,46 @@ --- -title: Creating Custom Catalogs Apps -weight: 4000 +title: Creating Catalog Apps +weight: 400 aliases: - /rancher/v2.x/en/tasks/global-configuration/catalog/customizing-charts/ + - /rancher/v2.x/en/catalog/custom/creating --- Rancher's catalog service requires any custom catalogs to be structured in a specific format for the catalog service to be able to leverage it in Rancher. -## Chart Types +> For a complete walkthrough of developing charts, see the [Chart Template Developer's Guide](https://helm.sh/docs/chart_template_guide/) in the official Helm documentation. -Rancher supports two different types of charts: +- [Chart types](#chart-types) + - [Helm charts](#helm-charts) + - [Rancher charts](#rancher-charts) +- [Chart directory structure](#chart-directory-structure) +- [Additional Files for Rancher Charts](#additional-files-for-rancher-charts) + - [questions.yml](#questions-yml) + - [Min/Max Rancher versions](#min-max-rancher-versions) + - [Question variable reference](#question-variable-reference) +- [Tutorial: Example Custom Chart Creation](#tutorial-example-custom-chart-creation) -- **Helm Charts** +# Chart Types - Native Helm charts include an application along with other software required to run it. When deploying native Helm charts, you'll learn the chart's parameters and then configure them using **Answers**, which are sets of key value pairs. +Rancher supports two different types of charts: Helm charts and Rancher charts. - The Helm Stable and Helm Incubators are populated with native Helm charts. However, you can also use native Helm charts in Custom catalogs (although we recommend Rancher Charts). +### Helm Charts -- **Rancher Charts** +Native Helm charts include an application along with other software required to run it. When deploying native Helm charts, you'll learn the chart's parameters and then configure them using **Answers**, which are sets of key value pairs. 
- Rancher charts mirror native helm charts, although they add two files that enhance user experience: `app-readme.md` and `questions.yaml`. Read more about them in [Rancher Chart Additional Files](#rancher-chart-additional-files). +The Helm Stable and Helm Incubators are populated with native Helm charts. However, you can also use native Helm charts in Custom catalogs (although we recommend Rancher Charts). - Advantages of Rancher charts include: +### Rancher Charts - - **Enhanced Revision Tracking** +Rancher charts mirror native helm charts, although they add two files that enhance user experience: `app-readme.md` and `questions.yaml`. Read more about them in [Additional Files for Rancher Charts.](#additional-files-for-rancher-charts) - While Helm supports versioned deployments, Rancher adds tracking and revision history to display changes between different versions of the chart. +Advantages of Rancher charts include: - - **Streamlined Application Launch** +- **Enhanced revision tracking:** While Helm supports versioned deployments, Rancher adds tracking and revision history to display changes between different versions of the chart. +- **Streamlined application launch:** Rancher charts add simplified chart descriptions and configuration forms to make catalog application deployment easy. Rancher users need not read through the entire list of Helm variables to understand how to launch an application. +- **Application resource management:** Rancher tracks all the resources created by a specific application. Users can easily navigate to and troubleshoot on a page listing all the workload objects used to power an application. - Rancher charts add simplified chart descriptions and configuration forms to make catalog application deployment easy. Rancher users need not read through the entire list of Helm variables to understand how to launch an application. - - - **Application Resource Management** - - Rancher tracks all the resources created by a specific application. 
Users can easily navigate to and troubleshoot on a page listing all the workload objects used to power an application. - -## Chart Directory Structure +# Chart Directory Structure The following table demonstrates the directory structure for a chart, which can be found in a chart directory: `charts///`. This information is helpful when customizing charts for a custom catalog. Files denoted with **Rancher Specific** are specific to Rancher charts, but are optional for chart customization. @@ -51,7 +56,7 @@ charts/// |--values.yml # Default configuration values for the chart. ``` -## Rancher Chart Additional Files +# Additional Files for Rancher Charts Before you create your own custom catalog, you should have a basic understanding about how a Rancher chart differs from a native Helm chart. Rancher charts differ slightly from Helm charts in their directory structures. Rancher charts include two files that Helm charts do not. @@ -73,11 +78,11 @@ Before you create your own custom catalog, you should have a basic understanding ![questions.yml]({{}}/img/rancher/questions.png) -### Questions.yml +### questions.yml Inside the `questions.yml`, most of the content will be around the questions to ask the end user, but there are some additional fields that can be set in this file. -#### Min/Max Rancher versions +### Min/Max Rancher versions _Available as of v2.3.0_ @@ -90,7 +95,7 @@ rancher_min_version: 2.3.0 rancher_max_version: 2.3.99 ``` -#### Question Variable Reference +### Question Variable Reference This reference contains variables that you can use in `questions.yml` nested under `questions:`. 
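Review bot: in the "Rancher Charts" paragraph re-added by the first hunk of creating-apps/_index.md, the file is named `questions.yaml`, while the new table of contents, the "### questions.yml" heading and the rest of the page use `questions.yml`. Use the one spelling throughout so readers create the file under the name the page documents. The promoted headings "### Min/Max Rancher versions" and "### Question Variable Reference" also now sit at the same level as "### questions.yml", although both describe the contents of that file.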
@@ -116,71 +121,6 @@ This reference contains variables that you can use in `questions.yml` nested und >**Note:** `subquestions[]` cannot contain `subquestions` or `show_subquestions_if` keys, but all other keys in the above table are supported. +# Tutorial: Example Custom Chart Creation -## Example Custom Chart Creation - - You can fill your custom catalogs with either Helm Charts or Rancher Charts, although we recommend Rancher Charts due to their enhanced user experience. - ->**Note:** For a complete walkthrough of developing charts, see the upstream Helm chart [developer reference](https://helm.sh/docs/chart_template_guide/). - -1. Within the GitHub repo that you're using as your custom catalog, create a directory structure that mirrors the structure listed in [Chart Directory Structure](#chart-directory-structure). - - Rancher requires this directory structure, although `app-readme.md` and `questions.yml` are optional. - - >**Tip:** - > - >- To begin customizing a chart, copy one from either the [Rancher Library](https://github.com/rancher/charts) or the [Helm Stable](https://github.com/kubernetes/charts/tree/master/stable). - >- For a complete walk through of developing charts, see the upstream Helm chart [developer reference](https://docs.helm.sh/developing_charts/). - -2. **Recommended:** Create an `app-readme.md` file. - - Use this file to create custom text for your chart's header in the Rancher UI. You can use this text to notify users that the chart is customized for your environment or provide special instruction on how to use it. -
    -
    - **Example**: - - ``` - $ cat ./app-readme.md - - # Wordpress ROCKS! - ``` - -3. **Recommended:** Create a `questions.yml` file. - - This file creates a form for users to specify deployment parameters when they deploy the custom chart. Without this file, users **must** specify the parameters manually using key value pairs, which isn't user-friendly. -
    -
    - The example below creates a form that prompts users for persistent volume size and a storage class. -
    -
    - For a list of variables you can use when creating a `questions.yml` file, see [Question Variable Reference](#question-variable-reference). - -
    -        categories:
    -        - Blog
    -        - CMS
    -        questions:
    -        - variable: persistence.enabled
    -        default: "false"
    -        description: "Enable persistent volume for WordPress"
    -        type: boolean
    -        required: true
    -        label: WordPress Persistent Volume Enabled
    -        show_subquestion_if: true
    -        group: "WordPress Settings"
    -        subquestions:
    -        - variable: persistence.size
    -            default: "10Gi"
    -            description: "WordPress Persistent Volume Size"
    -            type: string
    -            label: WordPress Volume Size
    -        - variable: persistence.storageClass
    -            default: ""
    -            description: "If undefined or null, uses the default StorageClass. Default to null"
    -            type: storageclass
    -            label: Default StorageClass for WordPress
    -    
    - -4. Check the customized chart into your GitHub repo. - -**Result:** Your custom chart is added to the repo. Your Rancher Server will replicate the chart within a few minutes. +For a tutorial on adding a custom Helm chart to a custom catalog, refer to [this page.]({{}}/rancher/v2.x/en/catalog/tutorial) diff --git a/content/rancher/v2.x/en/catalog/launching-apps/_index.md b/content/rancher/v2.x/en/catalog/launching-apps/_index.md new file mode 100644 index 00000000000..62e69a0b399 --- /dev/null +++ b/content/rancher/v2.x/en/catalog/launching-apps/_index.md 
@@ -0,0 +1,102 @@ +--- +title: Launching Catalog Apps +weight: 700 +aliases: + - /rancher/v2.x/en/catalog/launching-apps +--- + +Within a project, when you want to deploy applications from catalogs, the applications available in your project will be based on the [scope of the catalogs]({{}}/rancher/v2.x/en/catalog/#catalog-scope). + +If your application is using ingresses, you can program the ingress hostname to an external DNS by setting up a [Global DNS entry]({{}}/rancher/v2.x/en/catalog/globaldns/). + +- [Prerequisites](#prerequisites) +- [Launching a catalog app](#launching-a-catalog-app) +- [Configuration options](#configuration-options) + +# Prerequisites + +To launch an app from a catalog in Rancher, you must have at least one of the following permissions: + +- A [project-member role]({{}}/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/#project-roles) in the target cluster, which gives you the ability to create, read, update, and delete the workloads +- A [cluster owner role]({{}}/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/#cluster-roles) for the cluster that include the target project + +Before launching an app, you'll need to either [enable a built-in global catalog]({{}}/rancher/v2.x/en/catalog/built-in) or [add your own custom catalog.]({{}}/rancher/v2.x/en/catalog/adding-catalogs) + +# Launching a Catalog App + +1. From the **Global** view, open the project that you want to deploy an app to. + +2. From the main navigation bar, choose **Apps**. In versions prior to v2.2.0, choose **Catalog Apps** on the main navigation bar. Click **Launch**. + +3. Find the app that you want to launch, and then click **View Now**. + +4. Under **Configuration Options** enter a **Name**. By default, this name is also used to create a Kubernetes namespace for the application. + + * If you would like to change the **Namespace**, click **Customize** and enter a new name. 
+ * If you want to use a different namespace that already exists, click **Customize**, and then click **Use an existing namespace**. Choose a namespace from the list. + +5. Select a **Template Version**. + +6. Complete the rest of the **Configuration Options**. + + * For native Helm charts (i.e., charts from the **Helm Stable** or **Helm Incubator** catalogs), answers are provided as key value pairs in the **Answers** section. + * Keys and values are available within **Detailed Descriptions**. + * When entering answers, you must format them using the syntax rules found in [Using Helm: The format and limitations of --set](https://helm.sh/docs/intro/using_helm/#the-format-and-limitations-of---set), as Rancher passes them as `--set` flags to Helm. For example, when entering an answer that includes two values separated by a comma (i.e., `abc, bcd`), wrap the values with double quotes (i.e., `"abc, bcd"`). + +7. Review the files in **Preview**. When you're satisfied, click **Launch**. + +**Result**: Your application is deployed to your chosen namespace. You can view the application status from the project's **Workloads** view or **Apps** view. In versions prior to v2.2.0, this is the **Catalog Apps** view. + +# Configuration Options + +For each Helm chart, there are a list of desired answers that must be entered in order to successfully deploy the chart. When entering answers, you must format them using the syntax rules found in [Using Helm: The format and limitations of –set](https://helm.sh/docs/intro/using_helm/#the-format-and-limitations-of---set), as Rancher passes them as `--set` flags to Helm. + +> For example, when entering an answer that includes two values separated by a comma (i.e. `abc, bcd`), it is required to wrap the values with double quotes (i.e., ``"abc, bcd"``). 
+ +{{% tabs %}} +{{% tab "UI" %}} + +### Using a questions.yml file + +If the Helm chart that you are deploying contains a `questions.yml` file, Rancher's UI will translate this file to display an easy to use UI to collect the answers for the questions. + +### Key Value Pairs for Native Helm Charts + +For native Helm charts (i.e., charts from the **Helm Stable** or **Helm Incubator** catalogs or a [custom Helm chart repository]({{}}/rancher/v2.x/en/catalog/custom/#custom-helm-chart-repository)), answers are provided as key value pairs in the **Answers** section. These answers are used to override the default values. + +{{% /tab %}} +{{% tab "Editing YAML Files" %}} + +_Available as of v2.1.0_ + +If you do not want to input answers using the UI, you can choose the **Edit as YAML** option. + +With this example YAML: + +```YAML +outer: + inner: value +servers: +- port: 80 + host: example +``` + +### Key Value Pairs + +You can have a YAML file that translates these fields to match how to [format custom values so that it can be used with `--set`](https://github.com/helm/helm/blob/master/docs/using_helm.md#the-format-and-limitations-of---set). + +These values would be translated to: + +``` +outer.inner=value +servers[0].port=80 +servers[0].host=example +``` + +### YAML files + +_Available as of v2.2.0_ + +You can directly paste that YAML formatted structure into the YAML editor. By allowing custom values to be set using a YAML formatted structure, Rancher has the ability to easily customize for more complicated input values (e.g. multi-lines, array and JSON objects). +{{% /tab %}} +{{% /tabs %}} \ No newline at end of file diff --git a/content/rancher/v2.x/en/catalog/managing-apps/_index.md b/content/rancher/v2.x/en/catalog/managing-apps/_index.md new file mode 100644 index 00000000000..4ce33372060 --- /dev/null +++ b/content/rancher/v2.x/en/catalog/managing-apps/_index.md 
@@ -0,0 +1,80 @@ +--- +title: Managing Catalog Apps +weight: 500 +--- + +After deploying an application, one of the benefits of using an application versus individual workloads/resources is the ease of being able to manage many workloads/resources applications. Apps can be cloned, upgraded or rolled back. + +- [Cloning catalog applications](#cloning-catalog-applications) +- [Upgrading catalog applications](#upgrading-catalog-applications) +- [Rolling back catalog applications](#rolling-back-catalog-applications) +- [Deleting catalog application deployments](#deleting-catalog-application-deployments) + +### Cloning Catalog Applications + +After an application is deployed, you can easily clone it to use create another application with almost the same configuration. It saves you the work of manually filling in duplicate information. + +### Upgrading Catalog Applications + +After an application is deployed, you can easily upgrade to a different template version. + +1. From the **Global** view, navigate to the project that contains the catalog application that you want to upgrade. + +1. From the main navigation bar, choose **Apps**. In versions prior to v2.2.0, choose **Catalog Apps** on the main navigation bar. Click **Launch**. + +3. Find the application that you want to upgrade, and then click the Ellipsis to find **Upgrade**. + +4. Select the **Template Version** that you want to deploy. + +5. (Optional) Update your **Configuration Options**. + +6. (Optional) Select whether or not you want to force the catalog application to be upgraded by checking the box for **Delete and recreate resources if needed during the upgrade**. + + > In Kubernetes, some fields are designed to be immutable or cannot be updated directly. As of v2.2.0, you can now force your catalog application to be updated regardless of these fields. This will cause the catalog apps to be deleted and resources to be re-created if needed during the upgrade. + +7. 
Review the files in the **Preview** section. When you're satisfied, click **Launch**. + +**Result**: Your application is updated. You can view the application status from the project's: + +- **Workloads** view +- **Apps** view. In versions prior to v2.2.0, this is the **Catalog Apps** view. + + +### Rolling Back Catalog Applications + +After an application has been upgraded, you can easily rollback to a different template version. + +1. From the **Global** view, navigate to the project that contains the catalog application that you want to upgrade. + +1. From the main navigation bar, choose **Apps**. In versions prior to v2.2.0, choose **Catalog Apps** on the main navigation bar. Click **Launch**. + +3. Find the application that you want to rollback, and then click the Ellipsis to find **Rollback**. + +4. Select the **Revision** that you want to roll back to. By default, Rancher saves up to the last 10 revisions. + +5. (Optional) Select whether or not you want to force the catalog application to be upgraded by checking the box for **Delete and recreate resources if needed during the upgrade**. + + > In Kubernetes, some fields are designed to be immutable or cannot be updated directly. As of v2.2.0, you can now force your catalog application to be updated regardless of these fields. This will cause the catalog apps to be deleted and resources to be re-created if needed during the rollback. + +7. Click **Rollback**. + +**Result**: Your application is updated. You can view the application status from the project's: + +- **Workloads** view +- **Apps** view. In versions prior to v2.2.0, this is the **Catalog Apps** view. + +### Deleting Catalog Application Deployments + +As a safeguard to prevent you from unintentionally deleting other catalog applications that share a namespace, deleting catalog applications themselves does not delete the namespace they're assigned to. 
+ +Therefore, if you want to delete both an app and the namespace that contains the app, you should remove the app and the namespace separately: + +1. Uninstall the app using the app's `uninstall` function. + +1. From the **Global** view, navigate to the project that contains the catalog application that you want to delete. + +1. From the main menu, choose **Namespaces**. + +1. Find the namespace running your catalog app. Select it and click **Delete**. + +**Result:** The catalog application deployment and its namespace are deleted. diff --git a/content/rancher/v2.x/en/catalog/multi-cluster-apps/_index.md b/content/rancher/v2.x/en/catalog/multi-cluster-apps/_index.md index 282835a53e4..79c404bf289 100644 --- a/content/rancher/v2.x/en/catalog/multi-cluster-apps/_index.md +++ b/content/rancher/v2.x/en/catalog/multi-cluster-apps/_index.md 
@@ -1,15 +1,30 @@ --- title: Multi-Cluster Apps -weight: 5000 +weight: 600 --- _Available as of v2.2.0_ Typically, most applications are deployed on a single Kubernetes cluster, but there will be times you might want to deploy multiple copies of the same application across different clusters and/or projects. In Rancher, a _multi-cluster application_, is an application deployed using a Helm chart across multiple clusters. With the ability to deploy the same application across multiple clusters, it avoids the repetition of the same action on each cluster, which could introduce user error during application configuration. With multi-cluster applications, you can customize to have the same configuration across all projects/clusters as well as have the ability to change the configuration based on your target project. Since multi-cluster application is considered a single application, it's easy to manage and maintain this application. -Any Helm charts from a [global catalog]({{}}/rancher/v2.x/en/catalog/#catalog-scope) can be used to deploy and manage multi-cluster applications. +Any Helm charts from a global catalog can be used to deploy and manage multi-cluster applications. After creating a multi-cluster application, you can program a [Global DNS entry]({{}}/rancher/v2.x/en/catalog/globaldns/) to make it easier to access the application. 
+- [Prerequisites](#prerequisites) +- [Launching a multi-cluster app](#launching-a-multi-cluster-app) +- [Multi-cluster app configuration options](#multi-cluster-app-configuration-options) + - [Targets](#targets) + - [Upgrades](#upgrades) + - [Roles](#roles) +- [Application configuration options](#application-configuration-options) + - [Using a questions.yml file](#using-a-questions-yml-file) + - [Key value pairs for native Helm charts](key-value-pairs-for-native-helm-charts) + - [Members](#members) + - [Overriding application configuration options for specific projects](#overriding-application-configuration-options-for-specific-projects) +- [Upgrading multi-cluster app roles and projects](#upgrading-multi-cluster-app-roles-and-projects) +- [Multi-cluster application management](#multi-cluster-application-managements) +- [Deleting a multi-cluster application](#deleting-a-multi-cluster-application) + # Prerequisites To create a multi-cluster app in Rancher, you must have at least one of the following permissions: @@ -17,7 +32,7 @@ To create a multi-cluster app in Rancher, you must have at least one of the foll - A [project-member role]({{}}/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/#project-roles) in the target cluster(s), which gives you the ability to create, read, update, and delete the workloads - A [cluster owner role]({{}}/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/#cluster-roles) for the clusters(s) that include the target project(s) -## Launching a Multi-Cluster App +# Launching a Multi-Cluster App 1. From the **Global** view, choose **Apps** in the navigation bar. Click **Launch**. 
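Review bot: Two entries in the table of contents added at the top of multi-cluster-apps/_index.md (hunk `@@ -1,15 +1,30 @@`) will not resolve. `[Key value pairs for native Helm charts](key-value-pairs-for-native-helm-charts)` is missing the leading `#`, so it is treated as a relative path rather than an in-page anchor. `[Multi-cluster application management](#multi-cluster-application-managements)` has a trailing "s" that does not match the heading `# Multi-Cluster Application Management` later in the file. Suggest `#key-value-pairs-for-native-helm-charts` and `#multi-cluster-application-management`.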
@@ -29,7 +44,7 @@ To create a multi-cluster app in Rancher, you must have at least one of the foll 5. Select a **Template Version**. -6. Complete the [multi-cluster applications specific configuration options](#configuration-options-to-make-a-multi-cluster-app) as well as the [application configuration options](#application-configuration-options). +6. Complete the [multi-cluster applications specific configuration options](#multi-cluster-app-configuration-options) as well as the [application configuration options](#application-configuration-options). 7. Select the **Members** who can [interact with the multi-cluster application](#members). @@ -39,15 +54,15 @@ To create a multi-cluster app in Rancher, you must have at least one of the foll **Result**: Your application is deployed to your chosen namespace. You can view the application status from the project's: -### Configuration Options to Make a Multi-Cluster App +# Multi-cluster App Configuration Options Rancher has divided the configuration option for the multi-cluster application into several sections. -#### Targets +### Targets -In the **Targets** section, select the [projects]({{}}/rancher/v2.x/en/k8s-in-rancher/projects-and-namespaces/#projects) that you want the application to be deployed in. The list of projects is based on what projects you have access to. For each project that you select, it will be added to the list, which shows the cluster name and project name that were selected. To remove a target project, click on **-**. +In the **Targets** section, select the projects that you want the application to be deployed in. The list of projects is based on what projects you have access to. For each project that you select, it will be added to the list, which shows the cluster name and project name that were selected. To remove a target project, click on **-**. -#### Upgrades +### Upgrades In the **Upgrades** section, select the upgrade strategy to use, when you decide to upgrade your application. 
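Review bot: The renamed heading `# Multi-cluster App Configuration Options` is capitalised differently from the other top-level headings this patch sets in the same file (`# Launching a Multi-Cluster App`, `# Upgrading Multi-Cluster App Roles and Projects`); suggest `# Multi-Cluster App Configuration Options` so the headings stay consistent. Separately, the context line directly above it ends with "You can view the application status from the project's:" and is followed immediately by the heading. The new managing-apps page in this patch completes the same sentence with a **Workloads** / **Apps** list, which looks like what is missing here.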
@@ -55,9 +70,9 @@ In the **Upgrades** section, select the upgrade strategy to use, when you decide * **Upgrade all apps simultaneously:** When selecting this upgrade strategy, all applications across all projects will be upgraded at the same time. -#### Roles +### Roles -In the **Roles** section, you define the role of the multi-cluster application. Typically, when a user [launches catalog applications]({{}}/rancher/v2.x/en/catalog/apps/#launching-catalog-applications), that specific user's permissions are used for creation of all workloads/resources that is required by the app. +In the **Roles** section, you define the role of the multi-cluster application. Typically, when a user [launches catalog applications]({{}}/rancher/v2.x/en/catalog/launching-apps), that specific user's permissions are used for creation of all workloads/resources that is required by the app. For multi-cluster applications, the application is deployed by a _system user_ and is assigned as the creator of all underlying resources. A _system user_ is used instead of the actual user due to the fact that the actual user could be removed from one of the target projects. If the actual user was removed from one of the projects, then that user would no longer be able to manage the application for the other projects. 
@@ -71,17 +86,17 @@ When launching the application, Rancher will confirm if you have these permissio > **Note:** There are some applications like _Grafana_ or _Datadog_ that require access to specific cluster-scoped resources. These applications will require the _Cluster_ role. If you find out later that the application requires cluster roles, the multi-cluster application can be upgraded to update the roles. -### Application Configuration Options +# Application Configuration Options -For each Helm chart, there are a list of desired answers that must be entered in order to successfully deploy the chart. When entering answers, you must format them using the syntax rules found in [Using Helm: The format and limitations of –set](https://github.com/helm/helm/blob/master/docs/using_helm.md#the-format-and-limitations-of---set), as Rancher passes them as `--set` flags to Helm. +For each Helm chart, there are a list of desired answers that must be entered in order to successfully deploy the chart. When entering answers, you must format them using the syntax rules found in [Using Helm: The format and limitations of –set](https://helm.sh/docs/intro/using_helm/#the-format-and-limitations-of---set), as Rancher passes them as `--set` flags to Helm. > For example, when entering an answer that includes two values separated by a comma (i.e. `abc, bcd`), it is required to wrap the values with double quotes (i.e., ``"abc, bcd"``). -#### Using a `questions.yml` file +### Using a questions.yml file If the Helm chart that you are deploying contains a `questions.yml` file, Rancher's UI will translate this file to display an easy to use UI to collect the answers for the questions. 
-#### Key Value Pairs for Native Helm Charts +### Key Value Pairs for Native Helm Charts For native Helm charts (i.e., charts from the **Helm Stable** or **Helm Incubator** catalogs or a [custom Helm chart repository]({{}}/rancher/v2.x/en/catalog/custom/#custom-helm-chart-repository)), answers are provided as key value pairs in the **Answers** section. These answers are used to override the default values. 
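Review bot: On the changed line under `# Application Configuration Options`, the link text still reads "The format and limitations of –set" with an en dash, while the URL fragment on the same line and the rest of the sentence use `--set`. Since the line is already being edited for the URL, change the link text to `--set` as well; the new launching-apps page in this patch uses the correct form in step 6 but repeats the en dash in its own "Configuration Options" section.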
@@ -93,7 +108,7 @@ By default, multi-cluster applications can only be managed by the user who creat 2. Select the **Access Type** for that member. There are three access types for a multi-cluster project, but due to how the permissions of a multi-cluster application are launched, please read carefully to understand what these access types mean. - - **Owner**: This access type can manage any configuration part of the multi-cluster application including the template version, the [multi-cluster applications specific configuration options](#configuration-options-to-make-a-multi-cluster-app), the [application specific configuration options](#application-configuration-options), the [members who can interact with the multi-cluster application](#members) and the [custom application configuration answers](#overriding-application-configuration-options-for-specific-projects). Since a multi-cluster application is created with a different set of permissions from the user, any _owner_ of the multi-cluster application can manage/remove applications in [target projects](#targets) without explicitly having access to these project(s). Only trusted users should be provided with this access type. + - **Owner**: This access type can manage any configuration part of the multi-cluster application including the template version, the [multi-cluster applications specific configuration options](#Multi-cluster App Configuration Options), the [application specific configuration options](#application-configuration-options), the members who can interact with the multi-cluster application and the [custom application configuration answers](#overriding-application-configuration-options-for-specific-projects). Since a multi-cluster application is created with a different set of permissions from the user, any _owner_ of the multi-cluster application can manage/remove applications in [target projects](#targets) without explicitly having access to these project(s). 
Only trusted users should be provided with this access type. - **Member**: This access type can only modify the template version, the [application specific configuration options](#application-configuration-options) and the [custom application configuration answers](#overriding-application-configuration-options-for-specific-projects). Since a multi-cluster application is created with a different set of permissions from the user, any _member_ of the multi-cluster application can modify the application without explicitly having access to these project(s). Only trusted users should be provided with this access type. @@ -115,7 +130,7 @@ The ability to use the same configuration to deploy the same application across - **Answer**: Enter the answer that you want to be used instead. -## Upgrading Multi-Cluster App Roles and Projects +# Upgrading Multi-Cluster App Roles and Projects - **Changing Roles on an existing Multi-Cluster app** The creator and any users added with the access-type "owner" to a multi-cluster app, can upgrade its Roles. When adding a new Role, we check if the user has that exact role in all current target projects. These checks allow the same relaxations for global admins, cluster owners and project-owners as described in the installation section for the field `Roles`. @@ -125,7 +140,7 @@ The creator and any users added with the access-type "owner" to a multi-cluster 2. We do not do these membership checks when removing target projects. This is because the caller's permissions could have with respect to the target project, or the project could have been deleted and hence the caller wants to remove it from targets list. -## Multi-Cluster Application Management +# Multi-Cluster Application Management One of the benefits of using a multi-cluster application as opposed to multiple individual applications of the same type, is the ease of management. Multi-cluster applications can be cloned, upgraded or rolled back. 
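Review bot: In the **Owner** bullet (hunk `@@ -93,7 +108,7 @@`), the new link target `(#Multi-cluster App Configuration Options)` is the heading text rather than its anchor, and with spaces and capitals in it the link will not resolve. Step 6 of the launch procedure in this same patch already uses the correct form, `#multi-cluster-app-configuration-options`; use that here too.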
@@ -134,10 +149,10 @@ One of the benefits of using a multi-cluster application as opposed to multiple 2. Choose the multi-cluster application you want to take one of these actions on and click the **Vertical Ellipsis (...)**. Select one of the following options: * **Clone**: Creates another multi-cluster application with the same configuration. By using this option, you can easily duplicate a multi-cluster application. - * **Upgrade**: Upgrade your multi-cluster application to change some part of the configuration. When performing an upgrade for multi-cluster application, the [upgrade strategy](#upgrade-strategy) can be modified if you have the correct [access type](#members). + * **Upgrade**: Upgrade your multi-cluster application to change some part of the configuration. When performing an upgrade for multi-cluster application, the [upgrade strategy](#upgrades) can be modified if you have the correct [access type](#members). * **Rollback**: Rollback your application to a specific version. If after an upgrade, there are issues for your multi-cluster application for one or more of your [targets](#targets), Rancher has stored up to 10 versions of the multi-cluster application. Rolling back a multi-cluster application reverts the application for **all** target clusters and projects, not just the targets(s) affected by the upgrade issue. -## Deleting a Multi-Cluster Application +# Deleting a Multi-Cluster Application 1. From the **Global** view, choose **Apps** in the navigation bar. diff --git a/content/rancher/v2.x/en/catalog/tutorial/_index.md b/content/rancher/v2.x/en/catalog/tutorial/_index.md new file mode 100644 index 00000000000..b8e6295742c --- /dev/null +++ b/content/rancher/v2.x/en/catalog/tutorial/_index.md 
@@ -0,0 +1,72 @@ +--- +title: "Tutorial: Example Custom Chart Creation" +weight: 800 +--- + +In this tutorial, you'll learn how to create a Helm chart and deploy it to a repository. The repository can then be used as a source for a custom catalog in Rancher. + +You can fill your custom catalogs with either Helm Charts or Rancher Charts, although we recommend Rancher Charts due to their enhanced user experience. + +> For a complete walkthrough of developing charts, see the upstream Helm chart [developer reference](https://helm.sh/docs/chart_template_guide/). + +1. Within the GitHub repo that you're using as your custom catalog, create a directory structure that mirrors the structure listed in [Chart Directory Structure](#chart-directory-structure). + + Rancher requires this directory structure, although `app-readme.md` and `questions.yml` are optional. + + >**Tip:** + > + >- To begin customizing a chart, copy one from either the [Rancher Library](https://github.com/rancher/charts) or the [Helm Stable](https://github.com/kubernetes/charts/tree/master/stable). + >- For a complete walk through of developing charts, see the upstream Helm chart [developer reference](https://docs.helm.sh/developing_charts/). + +2. **Recommended:** Create an `app-readme.md` file. + + Use this file to create custom text for your chart's header in the Rancher UI. You can use this text to notify users that the chart is customized for your environment or provide special instruction on how to use it. +
    +
    + **Example**: + + ``` + $ cat ./app-readme.md + + # Wordpress ROCKS! + ``` + +3. **Recommended:** Create a `questions.yml` file. + + This file creates a form for users to specify deployment parameters when they deploy the custom chart. Without this file, users **must** specify the parameters manually using key value pairs, which isn't user-friendly. +
    +
    + The example below creates a form that prompts users for persistent volume size and a storage class. +
    +
    + For a list of variables you can use when creating a `questions.yml` file, see [Question Variable Reference]({{}}/rancher/v2.x/en/catalog/creating-apps/#question-variable-reference). + + ```yaml + categories: + - Blog + - CMS + questions: + - variable: persistence.enabled + default: "false" + description: "Enable persistent volume for WordPress" + type: boolean + required: true + label: WordPress Persistent Volume Enabled + show_subquestion_if: true + group: "WordPress Settings" + subquestions: + - variable: persistence.size + default: "10Gi" + description: "WordPress Persistent Volume Size" + type: string + label: WordPress Volume Size + - variable: persistence.storageClass + default: "" + description: "If undefined or null, uses the default StorageClass. Default to null" + type: storageclass + label: Default StorageClass for WordPress + ``` + +4. Check the customized chart into your GitHub repo. + +**Result:** Your custom chart is added to the repo. Your Rancher Server will replicate the chart within a few minutes. From 63ef8d42662bb0a333c7aa7314071518cf2207bf Mon Sep 17 00:00:00 2001 From: Catherine Luse Date: Wed, 1 Apr 2020 21:41:04 -0700 Subject: [PATCH 141/183] Say that branch not needed for K8s metadata in Rancher v2.4 --- .../en/admin-settings/k8s-metadata/_index.md | 20 +++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/content/rancher/v2.x/en/admin-settings/k8s-metadata/_index.md b/content/rancher/v2.x/en/admin-settings/k8s-metadata/_index.md index 4f16e1aa458..4efabbecb3a 100644 --- a/content/rancher/v2.x/en/admin-settings/k8s-metadata/_index.md +++ b/content/rancher/v2.x/en/admin-settings/k8s-metadata/_index.md 
@@ -39,6 +39,24 @@ To force Rancher to refresh the Kubernetes metadata, a manual refresh action is The RKE metadata config controls how often Rancher syncs metadata and where it downloads data from. You can configure the metadata from the settings in the Rancher UI, or through the Rancher API at the endpoint `v3/settings/rke-metadata-config`. +The way that the metadata is configured depends on the Rancher version. + +{{% tabs %}} +{{% tab "Rancher v2.4+" %}} +To edit the metadata config in Rancher, + +1. Go to the **Global** view and click the **Settings** tab. +1. Go to the **rke-metadata-config** section. Click the **Ellipsis (...)** and click **Edit.** +1. You can optionally fill in the following parameters: + + - `refresh-interval-minutes`: This is the amount of time that Rancher waits to sync the metadata. To disable the periodic refresh, set `refresh-interval-minutes` to 0. + - `url`: This is the HTTP path that Rancher fetches data from. The path must be a direct path to a JSON file. For example, the default URL for Rancher v2.4 is `https://releases.rancher.com/kontainer-driver-metadata/release-v2.4/data.json`. + +If you don't have an air gap setup, you don't need to specify the URL where Rancher gets the metadata, because the default setting is to pull from [Rancher's metadata Git repository.](https://github.com/rancher/kontainer-driver-metadata/blob/dev-v2.5/data/data.json) + +However, if you have an [air gap setup,](#air-gap-setups) you will need to mirror the Kubernetes metadata repository in a location available to Rancher. Then you need to change the URL to point to the new location of the JSON file. +{{% /tab %}} +{{% tab "Rancher v2.3" %}} To edit the metadata config in Rancher, 1. Go to the **Global** view and click the **Settings** tab. 
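Review bot: In the new "Rancher v2.4+" tab, the two references to the metadata source disagree. The `url` bullet gives the v2.4 default as `https://releases.rancher.com/kontainer-driver-metadata/release-v2.4/data.json`, but the following paragraph links "Rancher's metadata Git repository" to `blob/dev-v2.5/data/data.json`. A reader mirroring the data for an air gap setup needs to know which one to copy. Suggest pointing the link at the branch that matches the stated default, or at the repository root as the v2.3 tab does. The introductory sentence "To edit the metadata config in Rancher," also ends in a comma and would read better with a colon before the numbered steps.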
@@ -52,6 +70,8 @@ To edit the metadata config in Rancher, If you don't have an air gap setup, you don't need to specify the URL or Git branch where Rancher gets the metadata, because the default setting is to pull from [Rancher's metadata Git repository.](https://github.com/rancher/kontainer-driver-metadata.git) However, if you have an [air gap setup,](#air-gap-setups) you will need to mirror the Kubernetes metadata repository in a location available to Rancher. Then you need to change the URL and Git branch in the `rke-metadata-config` settings to point to the new location of the repository. +{{% /tab %}} +{{% /tabs %}} ### Air Gap Setups From 9997395be030b36898b75d359ae1d32503f31caf Mon Sep 17 00:00:00 2001 From: Catherine Luse Date: Wed, 1 Apr 2020 21:50:03 -0700 Subject: [PATCH 142/183] Make K8s metadata air gap section more generic --- content/rancher/v2.x/en/admin-settings/k8s-metadata/_index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/rancher/v2.x/en/admin-settings/k8s-metadata/_index.md b/content/rancher/v2.x/en/admin-settings/k8s-metadata/_index.md index 4efabbecb3a..7198b3305e9 100644 --- a/content/rancher/v2.x/en/admin-settings/k8s-metadata/_index.md +++ b/content/rancher/v2.x/en/admin-settings/k8s-metadata/_index.md 
@@ -79,7 +79,7 @@ Rancher relies on a periodic refresh of the `rke-metadata-config` to download ne If you have an air gap setup, you might not be able to get the automatic periodic refresh of the Kubernetes metadata from Rancher's Git repository. In that case, you should disable the periodic refresh to prevent your logs from showing errors. Optionally, you can configure your metadata settings so that Rancher can sync with a local copy of the RKE metadata. -To sync Rancher with a local mirror of the RKE metadata, an administrator would configure the `rke-metadata-config` settings by updating the `url` and `branch` to point to the mirror. +To sync Rancher with a local mirror of the RKE metadata, an administrator would configure the `rke-metadata-config` settings to point to the mirror. For details, refer to [Configuring the Metadata Synchronization.](#configuring-the-metadata-synchronization) After new Kubernetes versions are loaded into the Rancher setup, additional steps would be required in order to use them for launching clusters. Rancher needs access to updated system images. While the metadata settings can only be changed by administrators, any user can download the Rancher system images and prepare a private Docker registry for them. From a86bb7442d271462d93f91f18a928da7d051d32a Mon Sep 17 00:00:00 2001 From: Catherine Luse Date: Wed, 1 Apr 2020 22:49:28 -0700 Subject: [PATCH 143/183] Edit docs about cert-manager --- .../installation/options/upgrading-cert-manager/_index.md | 5 +---- content/rancher/v2.x/en/upgrades/upgrades/ha/_index.md | 8 ++++---- 2 files changed, 5 insertions(+), 8 deletions(-) diff --git a/content/rancher/v2.x/en/installation/options/upgrading-cert-manager/_index.md b/content/rancher/v2.x/en/installation/options/upgrading-cert-manager/_index.md index 83bce83066b..2f224f311b3 100644 --- a/content/rancher/v2.x/en/installation/options/upgrading-cert-manager/_index.md 
+++ b/content/rancher/v2.x/en/installation/options/upgrading-cert-manager/_index.md @@ -25,10 +25,7 @@ To address these changes, this guide will do two things: > For reinstalling Rancher with Helm, please check [Option B: Reinstalling Rancher Chart]({{}}/rancher/v2.x/en/upgrades/upgrades/ha/#c-upgrade-rancher) under the upgrade Rancher section. -## Upgrade Cert-Manager Only - -> **Note:** -> These instructions are applied if you have no plan to upgrade Rancher. +## Upgrade Cert-Manager The namespace used in these instructions depends on the namespace cert-manager is currently installed in. If it is in kube-system use that in the instructions below. You can verify by running `kubectl get pods --all-namespaces` and checking which namespace the cert-manager-\* pods are listed in. Do not change the namespace cert-manager is running in or this can cause issues. diff --git a/content/rancher/v2.x/en/upgrades/upgrades/ha/_index.md b/content/rancher/v2.x/en/upgrades/upgrades/ha/_index.md index 7e74a35c0ed..6b57e500f0a 100644 --- a/content/rancher/v2.x/en/upgrades/upgrades/ha/_index.md +++ b/content/rancher/v2.x/en/upgrades/upgrades/ha/_index.md @@ -87,7 +87,7 @@ hostname: rancher.my.org > **Note:** There will be more values that are listed with this command. This is just an example of one of the values. -If you are also upgrading cert-manager to the latest version from a version older than 0.11.0, follow `Option B: Reinstalling Rancher`. Otherwise, follow `Option A: Upgrading Rancher`. +If you are also upgrading cert-manager to the latest version from a version older than 0.11.0, follow `Option B: Reinstalling Rancher and cert-manager`. Otherwise, follow `Option A: Upgrading Rancher`. {{% accordion label="Option A: Upgrading Rancher" %}} 
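Review bot: The renamed label `Option B: Reinstalling Rancher and cert-manager` in the changed sentence is not carried through to the other file in this commit: the unchanged note in upgrading-cert-manager/_index.md still reads "[Option B: Reinstalling Rancher Chart]" and links to `#c-upgrade-rancher`. Update that link text in the same commit so both pages use one name. The version threshold is also written as `0.11.0` in this sentence and as `v0.11` in the Option B body; pick one form.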
@@ -105,12 +105,10 @@ helm upgrade rancher rancher-/rancher \ {{% /accordion %}} -{{% accordion label="Option B: Reinstalling Rancher chart" %}} +{{% accordion label="Option B: Reinstalling Rancher and cert-manager" %}} If you are currently running the cert-manger whose version is older than v0.11, and want to upgrade both Rancher and cert-manager to a newer version, then you need to reinstall both Rancher and cert-manger due to the API change in cert-manger v0.11. -Please refer the [Upgrading Cert-Manager]({{}}/rancher/v2.x/en/installation/options/upgrading-cert-manager) page for more information. - 1. Uninstall Rancher ``` @@ -125,6 +123,8 @@ Please refer the [Upgrading Cert-Manager]({{}}/rancher/v2.x/en/installa --set hostname=rancher.my.org ``` +3. Uninstall and reinstall `cert-manager` according to the instructions on the [Upgrading Cert-Manager]({{}}/rancher/v2.x/en/installation/options/upgrading-cert-manager) page. + {{% /accordion %}} {{% /tab %}} From 164d548380f5a6c5a26d3fe4f1800607a6983113 Mon Sep 17 00:00:00 2001 From: Catherine Luse Date: Wed, 1 Apr 2020 23:11:58 -0700 Subject: [PATCH 144/183] Clarify result of creating/attaching cluster to RKE template --- .../rke-templates/creating-and-revising/_index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/rancher/v2.x/en/admin-settings/rke-templates/creating-and-revising/_index.md b/content/rancher/v2.x/en/admin-settings/rke-templates/creating-and-revising/_index.md index 1c0c4711596..736779f9ae3 100644 --- a/content/rancher/v2.x/en/admin-settings/rke-templates/creating-and-revising/_index.md +++ b/content/rancher/v2.x/en/admin-settings/rke-templates/creating-and-revising/_index.md 
@@ -40,7 +40,7 @@ You can revise, share, and delete a template if you are an owner of the template 1. Optional: Share the template with other users or groups by [adding them as members.]({{}}/rancher/v2.x/en/admin-settings/rke-templates/template-access-and-sharing/#sharing-templates-with-specific-users) You can also make the template public to share with everyone in the Rancher setup. 1. Then follow the form on screen to save the cluster configuration parameters as part of the template's revision. The revision can be marked as default for this template. -**Result:** An RKE template with one revision is configured. You can use this RKE template revision later when you [provision a Rancher-launched cluster]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters). +**Result:** An RKE template with one revision is configured. You can use this RKE template revision later when you [provision a Rancher-launched cluster]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters). After a cluster is managed by an RKE template, it cannot be disconnected and the option to uncheck **Use an existing RKE Template and Revision** will be unavailable. ### Updating a Template From 38b8fcba0a49d84411a971ca70cd5f969a08924e Mon Sep 17 00:00:00 2001 From: Catherine Luse Date: Wed, 1 Apr 2020 23:22:15 -0700 Subject: [PATCH 145/183] Describe admin control of node templates --- .../rke-clusters/node-pools/_index.md | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/content/rancher/v2.x/en/cluster-provisioning/rke-clusters/node-pools/_index.md b/content/rancher/v2.x/en/cluster-provisioning/rke-clusters/node-pools/_index.md index 7d0c6c6e8e4..e359bf31e47 100644 --- a/content/rancher/v2.x/en/cluster-provisioning/rke-clusters/node-pools/_index.md +++ b/content/rancher/v2.x/en/cluster-provisioning/rke-clusters/node-pools/_index.md 
@@ -16,6 +16,7 @@ This section covers the following topics: - [Node templates](#node-templates) - [Node labels](#node-labels) - [Node taints](#node-taints) + - [Administrator control of node templates](#administrator-control-of-node-templates) - [Node pools](#node-pools) - [Node pool taints](#node-pool-taints) - [About node auto-replace](#about-node-auto-replace) @@ -42,6 +43,19 @@ You can add [taints](https://kubernetes.io/docs/concepts/configuration/taint-and Since taints can be added at a node template and node pool, if there is no conflict with the same key and effect of the taints, all taints will be added to the nodes. If there are taints with the same key and different effect, the taints from the node pool will override the taints from the node template. +### Administrator Control of Node Templates + +_Available as of v2.3.3_ + +Administrators can control all node templates. Admins can now maintain all the node templates within Rancher. When a node template owner is no longer using Rancher, the node templates created by them can be managed by administrators so the cluster can continue to be updated and maintained. + +To access all node templates, an administrator will need to do the following: + +1. In the Rancher UI, click the user profile icon in the upper right corner. +1. Click **Node Templates.** + +**Result:** All node templates are listed and grouped by owner. The templates can be edited or cloned by clicking the **Ellipsis (...).** + # Node Pools Using Rancher, you can create pools of nodes based on a [node template](#node-templates). The benefit of using a node pool is that if a node is destroyed or deleted, you can increase the number of live nodes to compensate for the node that was lost. The node pool helps you ensure that the count of the node pool is as expected. From b67e0050508b3022700155bbdecdb616945869b4 Mon Sep 17 00:00:00 2001 
From: Catherine Luse Date: Wed, 1 Apr 2020 23:42:43 -0700 Subject: [PATCH 146/183] Remove ConfigMaps from list of secrets --- content/rancher/v2.x/en/k8s-in-rancher/certificates/_index.md | 2 +- content/rancher/v2.x/en/k8s-in-rancher/configmaps/_index.md | 2 +- content/rancher/v2.x/en/k8s-in-rancher/registries/_index.md | 2 +- content/rancher/v2.x/en/k8s-in-rancher/secrets/_index.md | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/content/rancher/v2.x/en/k8s-in-rancher/certificates/_index.md b/content/rancher/v2.x/en/k8s-in-rancher/certificates/_index.md index 2ab2329eeeb..0bf10731b0f 100644 --- a/content/rancher/v2.x/en/k8s-in-rancher/certificates/_index.md +++ b/content/rancher/v2.x/en/k8s-in-rancher/certificates/_index.md @@ -18,7 +18,7 @@ Add SSL certificates to either projects, namespaces, or both. A project scoped c 1. Enter a **Name** for the certificate. - >**Note:** Kubernetes classifies SSL certificates as [secrets](https://kubernetes.io/docs/concepts/configuration/secret/), and no two secrets in a project or namespace can have duplicate names. Therefore, to prevent conflicts, your SSL certificate must have a unique name among the other certificates, ConfigMaps, registries, and secrets within your project/workspace. + >**Note:** Kubernetes classifies SSL certificates as [secrets](https://kubernetes.io/docs/concepts/configuration/secret/), and no two secrets in a project or namespace can have duplicate names. Therefore, to prevent conflicts, your SSL certificate must have a unique name among the other certificates, registries, and secrets within your project/workspace. 1. Select the **Scope** of the certificate. diff --git a/content/rancher/v2.x/en/k8s-in-rancher/configmaps/_index.md b/content/rancher/v2.x/en/k8s-in-rancher/configmaps/_index.md index acd710150de..20419b97d07 100644 --- a/content/rancher/v2.x/en/k8s-in-rancher/configmaps/_index.md +++ b/content/rancher/v2.x/en/k8s-in-rancher/configmaps/_index.md 
@@ -18,7 +18,7 @@ ConfigMaps accept key value pairs in common string formats, like config files or 1. Enter a **Name** for the Config Map. - >**Note:** Kubernetes classifies ConfigMaps as [secrets](https://kubernetes.io/docs/concepts/configuration/secret/), and no two secrets in a project or namespace can have duplicate names. Therefore, to prevent conflicts, your ConfigMaps must have a unique name among the other certificates, ConfigMaps, registries, and secrets within your workspace. + >**Note:** Kubernetes classifies ConfigMaps as [secrets](https://kubernetes.io/docs/concepts/configuration/secret/), and no two secrets in a project or namespace can have duplicate names. Therefore, to prevent conflicts, your ConfigMaps must have a unique name among the other certificates, registries, and secrets within your workspace. 1. Select the **Namespace** you want to add Config Map to. You can also add a new namespace on the fly by clicking **Add to a new namespace**. diff --git a/content/rancher/v2.x/en/k8s-in-rancher/registries/_index.md b/content/rancher/v2.x/en/k8s-in-rancher/registries/_index.md index 76a6887a055..8fdff42b006 100644 --- a/content/rancher/v2.x/en/k8s-in-rancher/registries/_index.md +++ b/content/rancher/v2.x/en/k8s-in-rancher/registries/_index.md 
@@ -28,7 +28,7 @@ Currently, deployments pull the private registry credentials automatically only 1. Enter a **Name** for the registry. - >**Note:** Kubernetes classifies secrets, certificates, ConfigMaps, and registries all as [secrets](https://kubernetes.io/docs/concepts/configuration/secret/), and no two secrets in a project or namespace can have duplicate names. Therefore, to prevent conflicts, your registry must have a unique name among all secrets within your workspace. + >**Note:** Kubernetes classifies secrets, certificates, and registries all as [secrets](https://kubernetes.io/docs/concepts/configuration/secret/), and no two secrets in a project or namespace can have duplicate names. Therefore, to prevent conflicts, your registry must have a unique name among all secrets within your workspace. 1. Select a **Scope** for the registry. You can either make the registry available for the entire project or a single [namespace]({{}}/rancher/v2.x/en/k8s-in-rancher/projects-and-namespaces/#namespaces). diff --git a/content/rancher/v2.x/en/k8s-in-rancher/secrets/_index.md b/content/rancher/v2.x/en/k8s-in-rancher/secrets/_index.md index 88f2c9603af..e89708abae1 100644 --- a/content/rancher/v2.x/en/k8s-in-rancher/secrets/_index.md +++ b/content/rancher/v2.x/en/k8s-in-rancher/secrets/_index.md 
@@ -23,7 +23,7 @@ When creating a secret, you can make it available for any deployment within a pr 3. Enter a **Name** for the secret. - >**Note:** Kubernetes classifies secrets, certificates, ConfigMaps, and registries all as [secrets](https://kubernetes.io/docs/concepts/configuration/secret/), and no two secrets in a project or namespace can have duplicate names. Therefore, to prevent conflicts, your secret must have a unique name among all secrets within your workspace. + >**Note:** Kubernetes classifies secrets, certificates, and registries all as [secrets](https://kubernetes.io/docs/concepts/configuration/secret/), and no two secrets in a project or namespace can have duplicate names. Therefore, to prevent conflicts, your secret must have a unique name among all secrets within your workspace. 4. Select a **Scope** for the secret. You can either make the registry available for the entire project or a single [namespace]({{}}/rancher/v2.x/en/k8s-in-rancher/projects-and-namespaces/#namespaces). From 84f55529635b90d71cc159e60baa7488d26cd70f Mon Sep 17 00:00:00 2001 From: Catherine Luse Date: Wed, 1 Apr 2020 23:48:12 -0700 Subject: [PATCH 147/183] Move prerequisites for launching catalog apps --- content/rancher/v2.x/en/catalog/_index.md | 10 ---------- .../rancher/v2.x/en/catalog/launching-apps/_index.md | 2 ++ 2 files changed, 2 insertions(+), 10 deletions(-) diff --git a/content/rancher/v2.x/en/catalog/_index.md b/content/rancher/v2.x/en/catalog/_index.md index e38d9aeb73a..a827d3d9ba7 100644 --- a/content/rancher/v2.x/en/catalog/_index.md +++ b/content/rancher/v2.x/en/catalog/_index.md @@ -17,7 +17,6 @@ Rancher improves on Helm catalogs and charts. All native Helm charts can work wi This section covers the following topics: -- [Prerequisites](#prerequisites) - [Catalog scopes](#catalog-scopes) - [Catalog Helm Deployment Versions](#catalog-helm-deployment-versions) - [Built-in global catalogs](#built-in-global-catalogs) 
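Review bot: In configmaps/_index.md (hunk `@@ -18,7 +18,7 @@`, earlier in this series) the rewritten note still opens with "Kubernetes classifies ConfigMaps as [secrets]", which contradicts the commit subject "Remove ConfigMaps from list of secrets" and the other three files, where ConfigMaps were dropped from the list. ConfigMaps are a separate Kubernetes resource from Secrets and are not meant for confidential data, so trimming the list is not enough here: reword the note to describe the ConfigMap naming constraint without calling ConfigMaps secrets, or remove it.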
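Review bot: Dropping the `- [Prerequisites](#prerequisites)` entry in catalog/_index.md, together with the section removal in the next hunk, retires the `#prerequisites` anchor on the catalog page, so inbound links to it need checking before merge. The removed text covered "a catalog app or a multi-cluster app", while the destination in launching-apps/_index.md says only "an app from a catalog in Rancher"; if multi-cluster apps have the same permission requirement, that needs to be stated on the page where they are launched, since the sentence about the Helm service account running with the deploying user's permissions is the only statement of that privilege boundary.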
@@ -26,15 +25,6 @@ This section covers the following topics: - [Chart compatibility with Rancher](#chart-compatibility-with-rancher) - [Global DNS](#global-dns) -# Prerequisites - -When Rancher deploys a catalog app, it launches an ephemeral instance of a Helm service account that has the permissions of the user deploying the catalog app. Therefore, a user cannot gain more access to the cluster through Helm or a catalog application than they otherwise would have. - -To launch a catalog app or a multi-cluster app, you should have at least one of the following permissions: - -- A [project-member role]({{}}/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/#project-roles) in the target cluster, which gives you the ability to create, read, update, and delete the workloads -- A [cluster owner role]({{}}/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/#cluster-roles) for the cluster that include the target project - # Catalog Scopes Within Rancher, you can manage catalogs at three different scopes. Global catalogs are shared across all clusters and project. There are some use cases where you might not want to share catalogs between different clusters or even projects in the same cluster. By leveraging cluster and project scoped catalogs, you will be able to provide applications for specific teams without needing to share them with all clusters and/or projects. diff --git a/content/rancher/v2.x/en/catalog/launching-apps/_index.md b/content/rancher/v2.x/en/catalog/launching-apps/_index.md index 62e69a0b399..74c0fd358e2 100644 --- a/content/rancher/v2.x/en/catalog/launching-apps/_index.md +++ b/content/rancher/v2.x/en/catalog/launching-apps/_index.md 
@@ -15,6 +15,8 @@ If your application is using ingresses, you can program the ingress hostname to # Prerequisites +When Rancher deploys a catalog app, it launches an ephemeral instance of a Helm service account that has the permissions of the user deploying the catalog app. Therefore, a user cannot gain more access to the cluster through Helm or a catalog application than they otherwise would have. + To launch an app from a catalog in Rancher, you must have at least one of the following permissions: - A [project-member role]({{}}/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/#project-roles) in the target cluster, which gives you the ability to create, read, update, and delete the workloads From ee47c472ccfc60ac1a60e3a2b4387f26d7d05018 Mon Sep 17 00:00:00 2001 From: Catherine Luse Date: Fri, 22 Nov 2019 15:25:05 -0700 Subject: [PATCH 148/183] Reorganize node page in cluster admin section --- .../v2.x/en/cluster-admin/nodes/_index.md | 208 +++++++++--------- 1 file changed, 101 insertions(+), 107 deletions(-) diff --git a/content/rancher/v2.x/en/cluster-admin/nodes/_index.md b/content/rancher/v2.x/en/cluster-admin/nodes/_index.md index 3290a860d9c..611034e0a41 100644 --- a/content/rancher/v2.x/en/cluster-admin/nodes/_index.md +++ b/content/rancher/v2.x/en/cluster-admin/nodes/_index.md 
@@ -5,22 +5,27 @@ weight: 2030 After you launch a Kubernetes cluster in Rancher, you can manage individual nodes from the cluster's **Node** tab. Depending on the [option used]({{}}/rancher/v2.x/en/cluster-provisioning/#cluster-creation-in-rancher) to provision the cluster, there are different node options available. -This page covers the following topics: +> If you want to manage the _cluster_ and not individual nodes, see [Editing Clusters]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/editing-clusters). -- [Node options for each type of cluster](#node-options-for-each-type-of-cluster) -- [Cordoning and draining nodes](#cordoning-and-draining-nodes) -- [Editing a node](#editing-a-node) -- [Viewing a node API](#viewing-a-node-api) +This section covers the following topics: + +- [Node options available for each cluster creation option](#node-options-available-for-each-cluster-creation-option) + - [Nodes hosted by an infrastructure provider](#nodes-hosted-by-an-infrastructure-provider) + - [Nodes provisioned by hosted Kubernetes providers](#nodes-provisioned-by-hosted-kubernetes-providers) + - [Imported nodes](#imported-nodes) +- [Managing and editing individual nodes](#managing-and-editing-individual-nodes) +- [Viewing a node in the Rancher API](#viewing-a-node-in-the-rancher-api) - [Deleting a node](#deleting-a-node) - [Scaling nodes](#scaling-nodes) - [SSH into a node hosted by an infrastructure provider](#ssh-into-a-node-hosted-by-an-infrastructure-provider) -- [Managing node pools](#managing-node-pools) +- [Cordoning a node](#cordoning-a-node) +- [Draining a node](#draining-a-node) + - [Aggressive and safe draining options](#aggressive-and-safe-draining-options) + - [Grace period](#grace-period) + - [Timeout](#timeout) + - [Drained and cordoned state](#drained-and-cordoned-state) -To manage individual nodes, browse to the cluster that you want to manage and then select **Nodes** from the main menu. 
You can open the options menu for a node by clicking its **Ellipsis** icon (**...**). - ->**Note:** If you want to manage the _cluster_ and not individual nodes, see [Editing Clusters]({{}}/rancher/v2.x/en/k8s-in-rancher/editing-clusters). - -# Node Options for Each Type of Cluster +# Node Options Available for Each Cluster Creation Option The following table lists which node options are available for each [type of cluster]({{}}/rancher/v2.x/en/cluster-provisioning/#cluster-creation-options) in Rancher. Click the links in the **Option** column for more detailed information about each feature. @@ -28,8 +33,8 @@ The following table lists which node options are available for each [type of clu | ------------------------------------------------ | ------------------------------------------------ | ---------------- | ------------------- | ------------------- | ------------------------------------------------------------------ | | [Cordon](#cordoning-a-node) | ✓ | ✓ | ✓ | | Marks the node as unschedulable. | | [Drain](#draining-a-node) | ✓ | ✓ | ✓ | | Marks the node as unschedulable _and_ evicts all pods. | -| [Edit](#editing-a-node) | ✓ | ✓ | ✓ | | Enter a custom name, description, label, or taints for a node. | -| [View API](#viewing-a-node-api) | ✓ | ✓ | ✓ | | View API data. | +| [Edit](#managing-and-editing-individual-nodes) | ✓ | ✓ | ✓ | | Enter a custom name, description, label, or taints for a node. | +| [View API](#viewing-a-node-in-the-rancher-api) | ✓ | ✓ | ✓ | | View API data. | | [Delete](#deleting-a-node) | ✓ | ✓ | | | Deletes defective nodes from the cluster. | | [Download Keys](#ssh-into-a-node-hosted-by-an-infrastructure-provider) | ✓ | | | | Download SSH key for in order to SSH into the node. | | [Node Scaling](#scaling-nodes) | ✓ | | | | Scale the number of nodes in the node pool up or down. | 
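Review bot: The unchanged "Download Keys" row directly below the two edited rows still reads "Download SSH key for in order to SSH into the node."; fix it while this table is being touched, for example "Download the SSH key in order to SSH into the node."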
@@ -39,92 +44,25 @@ The following table lists which node options are available for each [type of clu [3]: {{}}/rancher/v2.x/en/cluster-provisioning/hosted-kubernetes-clusters/ [4]: {{}}/rancher/v2.x/en/cluster-provisioning/imported-clusters/ -### Notes for Node Pool Nodes +### Nodes Hosted by an Infrastructure Provider -Clusters provisioned using [one of the node pool options]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/node-pools/#node-pools) automatically maintain the node scale that's set during the initial cluster provisioning. This scale determines the number of active nodes that Rancher maintains for the cluster. +Node pools are available when you provision Rancher-launched Kubernetes clusters on nodes that are [hosted in an infrastructure provider.]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/node-pools/) -### Notes for Nodes Provisioned by Hosted Kubernetes Providers +Clusters provisioned using [one of the node pool options]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/node-pools/#node-pools) can be scaled up or down if the node pool is edited. -Options for managing nodes [hosted by a Kubernetes provider]({{}}/rancher/v2.x/en/cluster-provisioning/hosted-kubernetes-clusters/) are somewhat limited in Rancher. Rather than using the Rancher UI to make edits such as scaling the number of nodes up or down, edit the cluster directly. +A node pool can also automatically maintain the node scale that's set during the initial cluster provisioning if [node auto-replace is enabled.]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/node-pools/#node-auto-replace) This scale determines the number of active nodes that Rancher maintains for the cluster. -### Notes for Imported Nodes +Rancher uses [node templates]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/node-pools/#node-templates) to replace nodes in the node pool. 
Each node template uses cloud provider credentials to allow Rancher to set up the node in the infrastructure provider. -Although you can deploy workloads to an [imported cluster]({{}}/rancher/v2.x/en/cluster-provisioning/imported-clusters/) using Rancher, you cannot manage individual cluster nodes. All management of imported cluster nodes must take place outside of Rancher. +### Nodes Provisioned by Hosted Kubernetes Providers -# Cordoning and Draining Nodes +Options for managing nodes [hosted by a Kubernetes provider]({{}}/rancher/v2.x/en/cluster-provisioning/hosted-kubernetes-clusters/) are somewhat limited in Rancher. Rather than using the Rancher UI to make edits such as scaling the number of nodes up or down, edit the cluster directly. -_Cordoning_ a node marks it as unschedulable. This feature is useful for performing short tasks on the node during small maintenance windows, like reboots, upgrades, or decommissions. When you're done, power back on and make the node schedulable again by uncordoning it. +### Imported Nodes -_Draining_ is the process of first cordoning the node, and then evicting all its pods. This feature is useful for performing node maintenance (like kernel upgrades or hardware maintenance). It prevents new pods from deploying to the node while redistributing existing pods so that users don't experience service interruption. +Although you can deploy workloads to an [imported cluster]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/imported-clusters/) using Rancher, you cannot manage individual cluster nodes. All management of imported cluster nodes must take place outside of Rancher. -When nodes are drained, pods are handled with the following rules: - -- For pods with a replica set, the pod is replaced by a new pod that will be scheduled to a new node. Additionally, if the pod is part of a service, then clients will automatically be redirected to the new pod. 
- -- For pods with no replica set, you need to bring up a new copy of the pod, and assuming it is not part of a service, redirect clients to it. - -You can drain nodes that are in either a `cordoned` or `active` state. When you drain a node, the node is cordoned, the nodes are evaluated for conditions they must meet to be drained, and then (if it meets the conditions) the node evicts its pods. - -However, you can override the conditions draining when you initiate the drain. You're also given an opportunity to set a grace period and timeout value. - -The node draining options are different based on your version of Rancher. - -### Aggressive and Safe Draining Options - -{{% tabs %}} -{{% tab "Rancher v2.2.x+" %}} -There are two drain modes: aggressive and safe. - -- **Aggressive Mode** - - In this mode, pods won't get rescheduled to a new node, even if they do not have a controller. Kubernetes expects you to have your own logic that handles the deletion of these pods. - - Kubernetes also expects the implementation to decide what to do with pods using emptyDir. If a pod uses emptyDir to store local data, you might not be able to safely delete it, since the data in the emptyDir will be deleted once the pod is removed from the node. Choosing aggressive mode will delete these pods. - -- **Safe Mode** - - If a node has standalone pods or ephemeral data it will be cordoned but not drained. -{{% /tab %}} -{{% tab "Rancher Prior to v2.2.x" %}} -The following list describes each drain option: - -- **Even if there are pods not managed by a ReplicationController, ReplicaSet, Job, DaemonSet or StatefulSet** - - These types of pods won't get rescheduled to a new node, since they do not have a controller. Kubernetes expects you to have your own logic that handles the deletion of these pods. Kubernetes forces you to choose this option (which will delete/evict these pods) or drain won't proceed. 
- -- **Even if there are DaemonSet-managed pods** - - Similar to above, if you have any daemonsets, drain would proceed only if this option is selected. Even when this option is on, pods won't be deleted since they'll immediately be replaced. On startup, Rancher currently has a few daemonsets running by default in the system, so this option is turned on by default. - -- **Even if there are pods using emptyDir** - - If a pod uses emptyDir to store local data, you might not be able to safely delete it, since the data in the emptyDir will be deleted once the pod is removed from the node. Similar to the first option, Kubernetes expects the implementation to decide what to do with these pods. Choosing this option will delete these pods. - -{{% /tab %}} -{{% /tabs %}} - -### Grace Period - -The timeout given to each pod for cleaning things up, so they will have chance to exit gracefully. For example, when pods might need to finish any outstanding requests, roll back transactions or save state to some external storage. If negative, the default value specified in the pod will be used. - -### Timeout - -The amount of time drain should continue to wait before giving up. - ->**Kubernetes Known Issue:** Currently, the [timeout setting](https://github.com/kubernetes/kubernetes/pull/64378) is not enforced while draining a node. This issue will be corrected as of Kubernetes 1.12. - -### Drained and Cordoned State - -If there's any error related to user input, the node enters a `cordoned` state because the drain failed. You can either correct the input and attempt to drain the node again, or you can abort by uncordoning the node. - -If the drain continues without error, the node enters a `draining` state. You'll have the option to stop the drain when the node is in this state, which will stop the drain process and change the node's state to `cordoned`. - -Once drain successfully completes, the node will be in a state of `drained`. You can then power off or delete the node. 
- ->**Want to know more about cordon and drain?** See the [Kubernetes documentation](https://kubernetes.io/docs/tasks/administer-cluster/cluster-management/#maintenance-on-a-node). - - -# Editing a Node +# Managing and Editing Individual Nodes Editing a node lets you: 
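Review bot: The added link to `node-pools/#node-auto-replace` under "Nodes Hosted by an Infrastructure Provider" does not match the anchor that the node-pools page lists in its own table of contents, `#about-node-auto-replace` (visible in the node-pools hunk earlier in this series), so it will likely land at the top of the page instead of the section. Use the anchor the target page defines. The new sentence "Each node template uses cloud provider credentials to allow Rancher to set up the node in the infrastructure provider" would also benefit from a link to where those credentials are managed, since it is the first mention of them on this page.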
@@ -133,27 +71,27 @@ Editing a node lets you: * Add [labels](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/) * Add/Remove [taints](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) +To manage individual nodes, browse to the cluster that you want to manage and then select **Nodes** from the main menu. You can open the options menu for a node by clicking its **Ellipsis** icon (**...**). -# Viewing a Node API - -Select this option to view the node's [API endpoints]({{}}/rancher/v2.x/en/api/). +# Viewing a Node in the Rancher API +Select this option to view the node's [API endpoints]({{< baseurl >}}/rancher/v2.x/en/api/). # Deleting a Node -Use **Delete** to remove defective nodes from the cloud provider. When you the delete a defective node, Rancher automatically replaces it with an identically provisioned node. +Use **Delete** to remove defective nodes from the cloud provider. + +When you the delete a defective node, Rancher can automatically replace it with an identically provisioned node if the node is in a node pool and [node auto-replace is enabled.]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/node-pools/#node-auto-replace) >**Tip:** If your cluster is hosted by an infrastructure provider, and you want to scale your cluster down instead of deleting a defective node, [scale down](#scaling-nodes) rather than delete. - # Scaling Nodes -For nodes hosted by an infrastructure provider, you can scale the number of nodes in each node pool by using the scale controls. This option isn't available for other cluster types. +For nodes hosted by an infrastructure provider, you can scale the number of nodes in each [node pool]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/node-pools/#node-pools) by using the scale controls. This option isn't available for other cluster types. 
# SSH into a Node Hosted by an Infrastructure Provider -For [nodes hosted by an infrastructure provider]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/node-pools/), you have the option of downloading its SSH key so that you can connect to it remotely from your desktop. - +For [nodes hosted by an infrastructure provider]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/node-pools/), you have the option of downloading its SSH key so that you can connect to it remotely from your desktop. 1. From the cluster hosted by an infrastructure provider, select **Nodes** from the main menu. 
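Review bot: The rewritten paragraph under `# Deleting a Node` carries over the typo from the line it replaces: "When you the delete a defective node" should read "When you delete a defective node". Since the sentence is being rewritten anyway to add the node pool and auto-replace condition, fix it in the same change.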
@@ -170,19 +108,75 @@ For [nodes hosted by an infrastructure provider]({{}}/rancher/v2.x/en/c ``` ssh -i id_rsa root@ ``` - -# Managing Node Pools -> **Prerequisite:** The options below are available only for clusters that are [launched using RKE.]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/) The node pool features are not available for imported clusters or clusters hosted by a Kubernetes provider. +# Cordoning a Node -In clusters [launched by RKE]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/), you can: +_Cordoning_ a node marks it as unschedulable. This feature is useful for performing short tasks on the node during small maintenance windows, like reboots, upgrades, or decommissions. When you're done, power back on and make the node schedulable again by uncordoning it. -- Add new [pools of nodes]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/node-pools/) to your cluster. The nodes added to the pool are provisioned according to the [node template]({{}}/rancher/v2.x/en/user-settings/node-templates/) that you use. +# Draining a Node - - Click **+** and follow the directions on screen to create a new template. +_Draining_ is the process of first cordoning the node, and then evicting all its pods. This feature is useful for performing node maintenance (like kernel upgrades or hardware maintenance). It prevents new pods from deploying to the node while redistributing existing pods so that users don't experience service interruption. - - You can also reuse existing templates by selecting one from the **Template** drop-down. +- For pods with a replica set, the pod is replaced by a new pod that will be scheduled to a new node. Additionally, if the pod is part of a service, then clients will automatically be redirected to the new pod. 
-- Redistribute Kubernetes roles amongst your node pools by making different checkbox selections +- For pods with no replica set, you need to bring up a new copy of the pod, and assuming it is not part of a service, redirect clients to it. -- Scale the number of nodes in a pool up or down (although, if you simply want to maintain your node scale, we recommend using the cluster's [Nodes tab]({{}}/rancher/v2.x/en/k8s-in-rancher/nodes/#nodes-provisioned-by-node-pool) instead.) +You can drain nodes that are in either a `cordoned` or `active` state. When you drain a node, the node is cordoned, the nodes are evaluated for conditions they must meet to be drained, and then (if it meets the conditions) the node evicts its pods. + +However, you can override the conditions draining when you initiate the drain. You're also given an opportunity to set a grace period and timeout value. + +### Aggressive and Safe Draining Options + +The node draining options are different based on your version of Rancher. + +{{% tabs %}} +{{% tab "Rancher v2.2.x+" %}} +There are two drain modes: aggressive and safe. + +- **Aggressive Mode** + + In this mode, pods won't get rescheduled to a new node, even if they do not have a controller. Kubernetes expects you to have your own logic that handles the deletion of these pods. + + Kubernetes also expects the implementation to decide what to do with pods using emptyDir. If a pod uses emptyDir to store local data, you might not be able to safely delete it, since the data in the emptyDir will be deleted once the pod is removed from the node. Choosing aggressive mode will delete these pods. + +- **Safe Mode** + + If a node has standalone pods or ephemeral data it will be cordoned but not drained. 
+{{% /tab %}} +{{% tab "Rancher prior to v2.2.x" %}} + +The following list describes each drain option: + +- **Even if there are pods not managed by a ReplicationController, ReplicaSet, Job, DaemonSet or StatefulSet** + + These types of pods won't get rescheduled to a new node, since they do not have a controller. Kubernetes expects you to have your own logic that handles the deletion of these pods. Kubernetes forces you to choose this option (which will delete/evict these pods) or drain won't proceed. + +- **Even if there are DaemonSet-managed pods** + + Similar to above, if you have any daemonsets, drain would proceed only if this option is selected. Even when this option is on, pods won't be deleted since they'll immediately be replaced. On startup, Rancher currently has a few daemonsets running by default in the system, so this option is turned on by default. + +- **Even if there are pods using emptyDir** + + If a pod uses emptyDir to store local data, you might not be able to safely delete it, since the data in the emptyDir will be deleted once the pod is removed from the node. Similar to the first option, Kubernetes expects the implementation to decide what to do with these pods. Choosing this option will delete these pods. +{{% /tab %}} +{{% /tabs %}} + +### Grace Period + +The timeout given to each pod for cleaning things up, so they will have chance to exit gracefully. For example, when pods might need to finish any outstanding requests, roll back transactions or save state to some external storage. If negative, the default value specified in the pod will be used. + +### Timeout + +The amount of time drain should continue to wait before giving up. + +>**Kubernetes Known Issue:** The [timeout setting](https://github.com/kubernetes/kubernetes/pull/64378) was not enforced while draining a node prior to Kubernetes 1.12. + +### Drained and Cordoned State + +If there's any error related to user input, the node enters a `cordoned` state because the drain failed. 
You can either correct the input and attempt to drain the node again, or you can abort by uncordoning the node. + +If the drain continues without error, the node enters a `draining` state. You'll have the option to stop the drain when the node is in this state, which will stop the drain process and change the node's state to `cordoned`. + +Once drain successfully completes, the node will be in a state of `drained`. You can then power off or delete the node. + +>**Want to know more about cordon and drain?** See the [Kubernetes documentation](https://kubernetes.io/docs/tasks/administer-cluster/cluster-management/#maintenance-on-a-node). From 965b24712c3fb9e658729cd6c33341b2fe8d182c Mon Sep 17 00:00:00 2001 From: Catherine Luse Date: Fri, 22 Nov 2019 16:29:49 -0700 Subject: [PATCH 149/183] Document how to make Rancher ignore nodes --- .../v2.x/en/cluster-admin/nodes/_index.md | 44 +++++++++++++++++++ 1 file changed, 44 insertions(+) diff --git a/content/rancher/v2.x/en/cluster-admin/nodes/_index.md b/content/rancher/v2.x/en/cluster-admin/nodes/_index.md index 611034e0a41..18a2c28f480 100644 --- a/content/rancher/v2.x/en/cluster-admin/nodes/_index.md +++ b/content/rancher/v2.x/en/cluster-admin/nodes/_index.md @@ -24,6 +24,7 @@ This section covers the following topics: - [Grace period](#grace-period) - [Timeout](#timeout) - [Drained and cordoned state](#drained-and-cordoned-state) +- [Labeling a node to be ignored by Rancher](#labeling-a-node-to-be-ignored-by-rancher) # Node Options Available for Each Cluster Creation Option 
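Review bot: In the `@@ -170,19 +108,75 @@` hunk, the **Aggressive Mode** text in the "Rancher v2.2.x+" tab says pods "won't get rescheduled to a new node, even if they do not have a controller", which inverts the reasoning in the older tab ("since they do not have a controller") and obscures what the mode does. Say plainly that aggressive mode goes ahead with the drain when standalone pods or emptyDir volumes are present, that pods without a controller are not recreated elsewhere, and that the emptyDir data is lost. Earlier in the same hunk, "the nodes are evaluated for conditions they must meet" should be singular, and "you can override the conditions draining when you initiate the drain" is missing a word.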
@@ -180,3 +181,46 @@ If the drain continues without error, the node enters a `draining` state. You'll Once drain successfully completes, the node will be in a state of `drained`. You can then power off or delete the node. >**Want to know more about cordon and drain?** See the [Kubernetes documentation](https://kubernetes.io/docs/tasks/administer-cluster/cluster-management/#maintenance-on-a-node). + +# Labeling a Node to be Ignored by Rancher + +_Available as of 2.3.3_ + +Some solutions, such as F5's BIG-IP integration, may require creating a node that is never registered to a cluster. + +Since the node will never finish registering, it will always be shown as unhealthy in the Rancher UI. + +In that case, you may want to label the node to be ignored by Rancher so that Rancher only shows nodes as unhealthy when they are actually failing. + +You can label nodes to be ignored by using a setting in the Rancher UI, or by using `kubectl`. + +> **Note:** There is an [open issue](https://github.com/rancher/rancher/issues/24172) in which nodes labeled to be ignored can get stuck in an updating state. + +### Labeling Nodes to be Ignored with the Rancher UI + +To add a node that is ignored by Rancher, + +1. From the **Global** view, click the **Settings** tab. +1. Go to the `ignore-node-name` setting and click **Ellipsis (...) > Edit.** +1. Enter a name that Rancher will use to ignore nodes. All nodes with this name will be ignored. +1. Click **Save.** + +**Result:** Rancher will not wait to register nodes with this name. In the UI, the node will displayed with a grayed-out status. The node is still part of the cluster and can be listed with `kubectl`. + +If the setting is changed afterward, the ignored nodes will continue to be hidden. 
+ +### Labeling Nodes to be Ignored with kubectl + +To add a node that will be ignored by Rancher, use `kubectl` to create a node that has the following label: + +``` +cattle.rancher.io/node-status: ignore +``` + +**Result:** If you add the node to a cluster, Rancher will not attempt to sync with this node. The node can still be part of the cluster and can be listed with `kubectl`. + +If the label is added before the node is added to the cluster, the node will not be shown in the Rancher UI. + +If the label is added after the node is added to a Rancher cluster, the node will not be removed from the UI. + +If you delete the node from the Rancher server using the Rancher UI or API, the node will not be removed from the cluster if the `nodeName` is listed in the Rancher settings under `ignore-node-name`. From e08e5ab1e1bbd7de550c845655ebe3562b3da6fa Mon Sep 17 00:00:00 2001 From: Terdunov Vyacheslav Date: Thu, 2 Apr 2020 11:12:03 +0400 Subject: [PATCH 150/183] Fix How Upgrades Work link to cluster.yaml --- content/rke/latest/en/upgrades/how-upgrades-work/_index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/rke/latest/en/upgrades/how-upgrades-work/_index.md b/content/rke/latest/en/upgrades/how-upgrades-work/_index.md index 99eba360c5f..fbd7b5e729c 100644 --- a/content/rke/latest/en/upgrades/how-upgrades-work/_index.md +++ b/content/rke/latest/en/upgrades/how-upgrades-work/_index.md 
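Review bot: In PATCH 149/183 (`@@ -180,3 +181,46 @@`), the UI subsection is headed "Labeling Nodes to be Ignored with the Rancher UI" but its steps set the `ignore-node-name` setting, which matches nodes by name, not by label, and the stated results disagree with each other. The result line says the node "will displayed with a grayed-out status" (missing "be"), while the next sentence says ignored nodes "will continue to be hidden"; pick one and describe it consistently. In the kubectl subsection, show where `cattle.rancher.io/node-status: ignore` goes (under the Node's `metadata.labels`) rather than a bare key and value.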
@@ -62,7 +62,7 @@ Because RKE addons are necessary for allowing traffic into the cluster, they wil For more information on configuring the number of replicas for each addon, refer to [this section.](#replicas-for-rke-addons) -For an example showing how to configure the addons, refer to the [example cluster.yml.]({{}}rke/latest/en/upgrades/configuring-strategy/#example-cluster-yml) +For an example showing how to configure the addons, refer to the [example cluster.yml.]({{}}/rke/latest/en/upgrades/configuring-strategy/#example-cluster-yml) {{% /tab %}} {{% tab "RKE prior to v1.1.0" %}} From 22a65c0889bd5f97b3584b177558761b353c49ba Mon Sep 17 00:00:00 2001 From: Catherine Luse Date: Thu, 2 Apr 2020 00:18:44 -0700 Subject: [PATCH 151/183] Specify GCE requirement for Windows clusters --- .../rke-clusters/windows-clusters/_index.md | 19 ++++++++++++------- 1 file changed, 12 insertions(+), 7 deletions(-) diff --git a/content/rancher/v2.x/en/cluster-provisioning/rke-clusters/windows-clusters/_index.md b/content/rancher/v2.x/en/cluster-provisioning/rke-clusters/windows-clusters/_index.md index f6bec63c232..b22346ed381 100644 --- a/content/rancher/v2.x/en/cluster-provisioning/rke-clusters/windows-clusters/_index.md +++ b/content/rancher/v2.x/en/cluster-provisioning/rke-clusters/windows-clusters/_index.md 
@@ -19,23 +19,17 @@ This guide covers the following topics: -- [Prerequisites](#prerequisites) - [Requirements](#requirements-for-windows-clusters) - [OS and Docker](#os-and-docker-requirements) - [Nodes](#node-requirements) - [Networking](#networking-requirements) - [Architecture](#architecture-requirements) - [Containers](#container-requirements) + - [Cloud Providers](#cloud-providers) - [Tutorial: How to Create a Cluster with Windows Support](#tutorial-how-to-create-a-cluster-with-windows-support) - [Configuration for Storage Classes in Azure](#configuration-for-storage-classes-in-azure) -# Prerequisites - -Before provisioning a new cluster, be sure that you have already installed Rancher on a device that accepts inbound network traffic. This is required in order for the cluster nodes to communicate with Rancher. If you have not already installed Rancher, please refer to the [installation documentation]({{}}/rancher/v2.x/en/installation/) before proceeding with this guide. - -> **Note on Cloud Providers:** If you set a Kubernetes cloud provider in your cluster, some additional steps are required. You might want to set a cloud provider if you want to want to leverage a cloud provider's capabilities, for example, to automatically provision storage, load balancers, or other infrastructure for your cluster. Refer to [this page]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/options/cloud-providers/) for details on how to configure a cloud provider cluster of nodes that meet the prerequisites. - # Requirements for Windows Clusters For a custom cluster, the general node requirements for networking, operating systems, and Docker are the same as the node requirements for a [Rancher installation]({{}}/rancher/v2.x/en/installation/requirements/). 
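Review bot: Deleting the `# Prerequisites` section and its TOC entry here leaves a dangling reference. The cloud-provider note removed in this hunk is re-added under `### Cloud Providers` later in the patch with its wording unchanged, so it still ends "cluster of nodes that meet the prerequisites" and still contains "if you want to want to leverage". Point it at the requirements section instead and drop the duplicated "want to" as part of the move.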
@@ -64,6 +58,8 @@ Rancher will not provision the node if the node does not meet these requirements ### Networking Requirements +Before provisioning a new cluster, be sure that you have already installed Rancher on a device that accepts inbound network traffic. This is required in order for the cluster nodes to communicate with Rancher. If you have not already installed Rancher, please refer to the [installation documentation]({{}}/rancher/v2.x/en/installation/) before proceeding with this guide. + Rancher only supports Windows using Flannel as the network provider. There are two network options: [**Host Gateway (L2bridge)**](https://github.com/coreos/flannel/blob/master/Documentation/backends.md#host-gw) and [**VXLAN (Overlay)**](https://github.com/coreos/flannel/blob/master/Documentation/backends.md#vxlan). The default option is **VXLAN (Overlay)** mode. 
@@ -92,6 +88,15 @@ We recommend the minimum three-node architecture listed in the table below, but Windows requires that containers must be built on the same Windows Server version that they are being deployed on. Therefore, containers must be built on Windows Server core version 1809 or above. If you have existing containers built for an earlier Windows Server core version, they must be re-built on Windows Server core version 1809 or above. +### Cloud Providers + +If you set a Kubernetes cloud provider in your cluster, some additional steps are required. You might want to set a cloud provider if you want to want to leverage a cloud provider's capabilities, for example, to automatically provision storage, load balancers, or other infrastructure for your cluster. Refer to [this page]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/options/cloud-providers/) for details on how to configure a cloud provider cluster of nodes that meet the prerequisites. + +If you are using the GCE (Google Compute Engine) cloud provider, you must do the following: + +- Specify `gce` as the cloud provider in the `cluster.yml` +- When provisioning the cluster in Rancher, choose **Custom cloud provider** as the cloud provider in the Rancher UI. + # Tutorial: How to Create a Cluster with Windows Support This tutorial describes how to create a Rancher-provisioned cluster with the three nodes in the [recommended architecture.](#guide-architecture) From 95cc5e84c26653595024a490fe3253ad0bb9abd6 Mon Sep 17 00:00:00 2001 From: Catherine Luse Date: Thu, 2 Apr 2020 00:43:38 -0700 Subject: [PATCH 152/183] Add payload example for webhook alert notifier --- .../cluster-admin/tools/notifiers/_index.md | 66 ++++++++++++++++--- 1 file changed, 56 insertions(+), 10 deletions(-) diff --git a/content/rancher/v2.x/en/cluster-admin/tools/notifiers/_index.md b/content/rancher/v2.x/en/cluster-admin/tools/notifiers/_index.md index 1fc9c115451..c5860f0c33e 100644 
--- a/content/rancher/v2.x/en/cluster-admin/tools/notifiers/_index.md +++ b/content/rancher/v2.x/en/cluster-admin/tools/notifiers/_index.md @@ -5,8 +5,6 @@ weight: 1 Notifiers are services that inform you of alert events. You can configure notifiers to send alert notifications to staff best suited to take corrective action. -Notifiers are configured at the cluster level. This model ensures that only cluster owners need to configure notifiers, leaving project owners to simply configure alerts in the scope of their projects. You don't need to dispense privileges like SMTP server access or cloud account access. - Rancher integrates with a variety of popular IT services, including: - **Slack**: Send alert notifications to your Slack channels. @@ -15,7 +13,18 @@ Rancher integrates with a variety of popular IT services, including: - **WebHooks**: Update a webpage with alert notifications. - **WeChat**: Send alert notifications to your Enterprise WeChat contacts. -## Adding Notifiers +This section covers the following topics: + +- [Roles-based access control for notifiers](#roles-based-access-control-for-notifiers) +- [Adding notifiers](#adding-notifiers) +- [Managing notifiers](#managing-notifiers) +- [Example payload for a webhook alert notifier](#example-payload-for-a-webhook-alert-notifier) + +### Roles-based Access Control for Notifiers + +Notifiers are configured at the cluster level. This model ensures that only cluster owners need to configure notifiers, leaving project owners to simply configure alerts in the scope of their projects. You don't need to dispense privileges like SMTP server access or cloud account access. + +### Adding Notifiers Set up a notifier so that you can begin configuring and sending alerts. 
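Review bot: "Roles-based" in the new TOC entry and in the `### Roles-based Access Control for Notifiers` heading should be "Role-based", the usual form of the term. The TOC anchor `#roles-based-access-control-for-notifiers` has to change together with the heading so the link keeps resolving.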
@@ -70,17 +79,54 @@ _Available as of v2.2.0_ **Result:** Your notifier is added to Rancher. -## What's Next? -After creating a notifier, set up alerts to receive notifications of Rancher system events. - -- [Cluster owners]({{}}/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/#cluster-roles) can set up alerts at the [cluster level]({{}}/rancher/v2.x/en/cluster-admin/tools/alerts/). -- [Project owners]({{}}/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/#project-roles) can set up alerts at the [project level]({{}}/rancher/v2.x/en/project-admin/tools/alerts/). - -## Managing Notifiers +### Managing Notifiers After you set up notifiers, you can manage them. From the **Global** view, open the cluster that you want to manage your notifiers. Select **Tools > Notifiers**. You can: - **Edit** their settings that you configured during their initial setup. - **Clone** them, to quickly setup slightly different notifiers. - **Delete** them when they're no longer necessary. + +### Example Payload for a Webhook Alert Notifier + +```json +{ + "receiver": "c-2a3bc:kube-components-alert", + "status": "firing", + "alerts": [ + { + "status": "firing", + "labels": { + "alert_name": "Scheduler is unavailable", + "alert_type": "systemService", + "cluster_name": "mycluster (ID: c-2a3bc)", + "component_name": "scheduler", + "group_id": "c-2a3bc:kube-components-alert", + "logs": "Get http://127.0.0.1:10251/healthz: dial tcp 127.0.0.1:10251: connect: connection refused", + "rule_id": "c-2a3bc:kube-components-alert_scheduler-system-service", + "severity": "critical" + }, + "annotations": {}, + "startsAt": "2020-01-30T19:18:13.321684733Z", + "endsAt": "0001-01-01T00:00:00Z", + "generatorURL": "" + } + ], + "groupLabels": { + "component_name": "scheduler", + "rule_id": "c-2a3bc:kube-components-alert_scheduler-system-service" + }, + "commonLabels": { + "alert_name": "Scheduler is unavailable", + "alert_type": "systemService", + "cluster_name": "mycluster (ID: c-2a3bc)" + } 
+} +``` +### What's Next? + +After creating a notifier, set up alerts to receive notifications of Rancher system events. + +- [Cluster owners]({{}}/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/#cluster-roles) can set up alerts at the [cluster level]({{}}/rancher/v2.x/en/cluster-admin/tools/alerts/). +- [Project owners]({{}}/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/#project-roles) can set up alerts at the [project level]({{}}/rancher/v2.x/en/project-admin/tools/alerts/). From 17c2203b9d67217ee4585ca1fde445dbb2ecfefd Mon Sep 17 00:00:00 2001 From: Catherine Luse Date: Thu, 2 Apr 2020 01:28:31 -0700 Subject: [PATCH 153/183] Say that mounted secrets are updated automatically --- content/rancher/v2.x/en/k8s-in-rancher/secrets/_index.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/content/rancher/v2.x/en/k8s-in-rancher/secrets/_index.md b/content/rancher/v2.x/en/k8s-in-rancher/secrets/_index.md index e89708abae1..e251e88271b 100644 --- a/content/rancher/v2.x/en/k8s-in-rancher/secrets/_index.md +++ b/content/rancher/v2.x/en/k8s-in-rancher/secrets/_index.md @@ -11,7 +11,7 @@ aliases: When configuring a workload, you'll be able to choose which secrets to include. Like config maps, secrets can be referenced by workloads as either an environment variable or a volume mount. -Any update to an active secrets won't automatically update the pods that are using it. Restart those pods to have them use the new secret. +Mounted secrets will be updated automatically unless they are mounted as subpath volumes. For details on how updated secrets are propagated, refer to the [Kubernetes documentation.](https://kubernetes.io/docs/concepts/configuration/secret/#mounted-secrets-are-updated-automatically) # Creating Secrets 
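Review bot: The replacement sentence in `secrets/_index.md` covers only volume-mounted secrets, but the context line directly above it says secrets can be referenced "as either an environment variable or a volume mount". Secrets consumed as environment variables are read when the container starts and keep the old value until the pod is restarted, so removing "Restart those pods to have them use the new secret" with no replacement leaves readers who rotate a credential assuming it has taken effect everywhere. Keep the restart guidance for the environment-variable case, here and in the identical change in the next hunk.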
@@ -37,7 +37,7 @@ When creating a secret, you can make it available for any deployment within a pr **Result:** Your secret is added to the project or namespace, depending on the scope you chose. You can view the secret in the Rancher UI from the **Resources > Secrets** view. -Any update to an active secrets won't automatically update the pods that are using it. Restart those pods to have them use the new secret. +Mounted secrets will be updated automatically unless they are mounted as subpath volumes. For details on how updated secrets are propagated, refer to the [Kubernetes documentation.](https://kubernetes.io/docs/concepts/configuration/secret/#mounted-secrets-are-updated-automatically) # What's Next? From bf6d245669768deb3942bcd774d8049e88c78a66 Mon Sep 17 00:00:00 2001 
From: Catherine Luse Date: Thu, 2 Apr 2020 04:15:10 -0700 Subject: [PATCH 154/183] Replace the word ellipsis with vertical ellipsis --- .../en/admin-settings/k8s-metadata/_index.md | 4 ++-- .../rbac/cluster-project-roles/_index.md | 4 ++-- .../rbac/default-custom-roles/_index.md | 4 ++-- .../rbac/global-permissions/_index.md | 4 ++-- .../rbac/locked-roles/_index.md | 2 +- .../applying-templates/_index.md | 2 +- .../creating-and-revising/_index.md | 20 +++++++++---------- .../creator-permissions/_index.md | 6 +++--- .../rke-templates/enforcement/_index.md | 4 ++-- .../template-access-and-sharing/_index.md | 6 +++--- .../v2.x/en/catalog/globaldns/_index.md | 4 ++-- .../v2.x/en/catalog/managing-apps/_index.md | 4 ++-- .../en/catalog/multi-cluster-apps/_index.md | 4 ++-- .../cluster-admin/backing-up-etcd/_index.md | 2 +- .../certificate-rotation/_index.md | 4 ++-- .../cluster-admin/editing-clusters/_index.md | 2 +- .../v2.x/en/cluster-admin/nodes/_index.md | 6 +++--- .../pod-security-policy/_index.md | 2 +- .../en/cluster-admin/restoring-etcd/_index.md | 4 ++-- .../tools/istio/disabling-istio/_index.md | 2 +- .../istio/setup/deploy-workloads/_index.md | 2 +- .../enable-istio-with-psp/_index.md | 2 +- .../setup/enable-istio-in-namespace/_index.md | 4 ++-- .../istio/setup/node-selectors/_index.md | 2 +- .../tools/opa-gatekeper/_index.md | 2 +- .../upgrading-kubernetes/_index.md | 6 +++--- .../attaching-existing-storage/_index.md | 2 +- .../provisioning-new-storage/_index.md | 2 +- .../rke-clusters/node-pools/_index.md | 6 +++--- .../rke-clusters/windows-clusters/_index.md | 4 ++-- .../v2.x/en/faq/removing-rancher/_index.md | 2 +- .../rancher/v2.x/en/faq/technical/_index.md | 2 +- .../options/api-audit-log/_index.md | 2 +- .../options/feature-flags/_index.md | 4 ++-- .../options/local-system-charts/_index.md | 2 +- .../hpa-for-rancher-before-2_0_7/_index.md | 2 +- .../manage-hpa-with-rancher-ui/_index.md | 2 +- .../en/k8s-in-rancher/pipelines/_index.md | 8 ++++---- 
.../k8s-in-rancher/pipelines/config/_index.md | 10 +++++----- .../pipelines/example-repos/_index.md | 4 ++-- .../pipelines/storage/_index.md | 4 ++-- .../workloads/add-a-sidecar/_index.md | 4 ++-- .../workloads/rollback-workloads/_index.md | 2 +- .../workloads/upgrade-workloads/_index.md | 2 +- .../pod-security-policies/_index.md | 2 +- .../project-admin/resource-quotas/_index.md | 2 +- .../override-container-default/_index.md | 2 +- .../override-namespace-default/_index.md | 2 +- .../v2.x/en/security/security-scan/_index.md | 10 +++++----- .../user-settings/cloud-credentials/_index.md | 4 ++-- .../en/user-settings/node-templates/_index.md | 4 ++-- 51 files changed, 99 insertions(+), 99 deletions(-) diff --git a/content/rancher/v2.x/en/admin-settings/k8s-metadata/_index.md b/content/rancher/v2.x/en/admin-settings/k8s-metadata/_index.md index 7198b3305e9..58e56178eee 100644 --- a/content/rancher/v2.x/en/admin-settings/k8s-metadata/_index.md +++ b/content/rancher/v2.x/en/admin-settings/k8s-metadata/_index.md @@ -46,7 +46,7 @@ The way that the metadata is configured depends on the Rancher version. To edit the metadata config in Rancher, 1. Go to the **Global** view and click the **Settings** tab. -1. Go to the **rke-metadata-config** section. Click the **Ellipsis (...)** and click **Edit.** +1. Go to the **rke-metadata-config** section. Click the **⋮** and click **Edit.** 1. You can optionally fill in the following parameters: - `refresh-interval-minutes`: This is the amount of time that Rancher waits to sync the metadata. To disable the periodic refresh, set `refresh-interval-minutes` to 0. 
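Review bot: The new step wording "Click the **⋮** and click **Edit.**" does not match the menu-path form used by most other steps in this patch, such as `**⋮ > Edit.**` in the cluster-project-roles and global-permissions pages. Use `Click **⋮ > Edit.**` here and in the identical step in the next hunk so the instruction reads the same way across pages.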
@@ -60,7 +60,7 @@ However, if you have an [air gap setup,](#air-gap-setups) you will need to mirro To edit the metadata config in Rancher, 1. Go to the **Global** view and click the **Settings** tab. -1. Go to the **rke-metadata-config** section. Click the **Ellipsis (...)** and click **Edit.** +1. Go to the **rke-metadata-config** section. Click the **⋮** and click **Edit.** 1. You can optionally fill in the following parameters: - `refresh-interval-minutes`: This is the amount of time that Rancher waits to sync the metadata. To disable the periodic refresh, set `refresh-interval-minutes` to 0. diff --git a/content/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/_index.md b/content/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/_index.md index 1a8f6db193d..6d04183c0b5 100644 --- a/content/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/_index.md +++ b/content/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/_index.md @@ -67,7 +67,7 @@ To assign the role to a new cluster member, To assign any custom role to an existing cluster member, -1. Go to the member you want to give the role to. Click the **Ellipsis (...) > View in API.** +1. Go to the member you want to give the role to. Click the **⋮ > View in API.** 1. In the **roleTemplateId** field, go to the drop-down menu and choose the role you want to assign to the member. Click **Show Request** and **Send Request.** **Result:** The member has the assigned role. 
@@ -157,7 +157,7 @@ You can change the cluster or project role(s) that are automatically assigned to 1. From the **Global** view, select **Security > Roles** from the main menu. Select either the **Cluster** or **Project** tab. -1. Find the custom or individual role that you want to use as default. Then edit the role by selecting **Ellipsis > Edit**. +1. Find the custom or individual role that you want to use as default. Then edit the role by selecting **⋮ > Edit**. 1. Enable the role as default. {{% accordion id="cluster" label="For Clusters" %}} diff --git a/content/rancher/v2.x/en/admin-settings/rbac/default-custom-roles/_index.md b/content/rancher/v2.x/en/admin-settings/rbac/default-custom-roles/_index.md index 833462a1238..1d262e1db31 100644 --- a/content/rancher/v2.x/en/admin-settings/rbac/default-custom-roles/_index.md +++ b/content/rancher/v2.x/en/admin-settings/rbac/default-custom-roles/_index.md @@ -105,7 +105,7 @@ The custom global role can then be assigned to a user or group so that the custo To create a custom global role based on an existing role, 1. Go to the **Global** view and click **Security > Roles.** -1. On the **Global** tab, go to the role that the custom global role will be based on. Click **Ellipsis (…) > Clone.** +1. On the **Global** tab, go to the role that the custom global role will be based on. Click **⋮ (…) > Clone.** 1. Enter a name for the role. 1. Optional: To assign the custom role default for new users, go to the **New User Default** section and click **Yes: Default role for new users.** 1. In the **Grant Resources** section, select the Kubernetes resource operations that will be enabled for users with the custom role. 
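Review bot: The substitution in the Clone step of `default-custom-roles/_index.md` left the old parenthetical behind, so the instruction now reads `**⋮ (…) > Clone.**`. The original line used the single-character `…` inside the parentheses where the other pages used three dots, and only the word "Ellipsis" was replaced. The Delete step in the next hunk has the same leftover; both should read `**⋮ > Clone.**` and `**⋮ > Delete.**` to match the rest of the patch.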
@@ -135,7 +135,7 @@ Custom global roles can be deleted, but built-in roles cannot be deleted. To delete a custom global role, 1. Go to the **Global** view and click **Security > Roles.** -2. On the **Global** tab, go to the custom global role that should be deleted and click **Ellipsis (…) > Delete.** +2. On the **Global** tab, go to the custom global role that should be deleted and click **⋮ (…) > Delete.** 3. Click **Delete.** ## Assigning a Custom Global Role to a Group diff --git a/content/rancher/v2.x/en/admin-settings/rbac/global-permissions/_index.md b/content/rancher/v2.x/en/admin-settings/rbac/global-permissions/_index.md index 367d82bb81d..123a11ea5e1 100644 --- a/content/rancher/v2.x/en/admin-settings/rbac/global-permissions/_index.md +++ b/content/rancher/v2.x/en/admin-settings/rbac/global-permissions/_index.md @@ -102,7 +102,7 @@ To change the default global permissions that are assigned to external users upo 1. From the **Global** view, select **Security > Roles** from the main menu. Make sure the **Global** tab is selected. -1. Find the permissions set that you want to add or remove as a default. Then edit the permission by selecting **Ellipsis > Edit**. +1. Find the permissions set that you want to add or remove as a default. Then edit the permission by selecting **⋮ > Edit**. 1. If you want to add the permission as a default, Select **Yes: Default role for new users** and then click **Save**. @@ -116,7 +116,7 @@ To configure permission for a user, 1. Go to the **Users** tab. -1. On this page, go to the user whose access level you want to change and click **Ellipsis (...) > Edit.** +1. On this page, go to the user whose access level you want to change and click **⋮ > Edit.** 1. In the **Global Permissions** section, click **Custom.** diff --git a/content/rancher/v2.x/en/admin-settings/rbac/locked-roles/_index.md b/content/rancher/v2.x/en/admin-settings/rbac/locked-roles/_index.md index 70c5c93778b..3bbfd52bd07 100644 
--- a/content/rancher/v2.x/en/admin-settings/rbac/locked-roles/_index.md +++ b/content/rancher/v2.x/en/admin-settings/rbac/locked-roles/_index.md @@ -32,6 +32,6 @@ You can lock roles in two contexts: 1. From the **Global** view, select **Security** > **Roles**. -2. From the role that you want to lock (or unlock), select **Vertical Ellipsis (...)** > **Edit**. +2. From the role that you want to lock (or unlock), select **⋮** > **Edit**. 3. From the **Locked** option, choose the **Yes** or **No** radio button. Then click **Save**. diff --git a/content/rancher/v2.x/en/admin-settings/rke-templates/applying-templates/_index.md b/content/rancher/v2.x/en/admin-settings/rke-templates/applying-templates/_index.md index 1a3010aefe0..06a62b8e02a 100644 --- a/content/rancher/v2.x/en/admin-settings/rke-templates/applying-templates/_index.md +++ b/content/rancher/v2.x/en/admin-settings/rke-templates/applying-templates/_index.md @@ -53,7 +53,7 @@ RKE templates cannot be applied to existing clusters, except if you save an exis To convert an existing cluster to use an RKE template, 1. From the **Global** view in Rancher, click the **Clusters** tab. -1. Go to the cluster that will be converted to use an RKE template. Click **Ellipsis (...)** > **Save as RKE Template.** +1. Go to the cluster that will be converted to use an RKE template. Click **⋮** > **Save as RKE Template.** 1. Enter a name for the template in the form that appears, and click **Create.** **Results:** diff --git a/content/rancher/v2.x/en/admin-settings/rke-templates/creating-and-revising/_index.md b/content/rancher/v2.x/en/admin-settings/rke-templates/creating-and-revising/_index.md index 736779f9ae3..10935277fa9 100644 --- a/content/rancher/v2.x/en/admin-settings/rke-templates/creating-and-revising/_index.md +++ b/content/rancher/v2.x/en/admin-settings/rke-templates/creating-and-revising/_index.md 
@@ -51,7 +51,7 @@ You can't edit individual revisions. Since you can't edit individual revisions o When new template revisions are created, clusters using an older revision of the template are unaffected. 1. From the **Global** view, click **Tools > RKE Templates.** -1. Go to the template that you want to edit and click the **Vertical Ellipsis (...) > Edit.** +1. Go to the template that you want to edit and click the **⋮ > Edit.** 1. Edit the required information and click **Save.** 1. Optional: You can change the default revision of this template and also change who it is shared with. @@ -62,7 +62,7 @@ When new template revisions are created, clusters using an older revision of the When you no longer use an RKE template for any of your clusters, you can delete it. 1. From the **Global** view, click **Tools > RKE Templates.** -1. Go to the RKE template that you want to delete and click the **Vertical Ellipsis (...) > Delete.** +1. Go to the RKE template that you want to delete and click the **⋮ > Delete.** 1. Confirm the deletion when prompted. **Result:** The template is deleted. @@ -72,7 +72,7 @@ When you no longer use an RKE template for any of your clusters, you can delete You can clone the default template revision and quickly update its settings rather than creating a new revision from scratch. Cloning templates saves you the hassle of re-entering the access keys and other parameters needed for cluster creation. 1. From the **Global** view, click **Tools > RKE Templates.** -1. Go to the RKE template that you want to clone and click the **Vertical Ellipsis (...) > New Revision From Default.** +1. Go to the RKE template that you want to clone and click the **⋮ > New Revision From Default.** 1. Complete the rest of the form to create a new revision. **Result:** The RKE template revision is cloned and configured. 
@@ -82,7 +82,7 @@ You can clone the default template revision and quickly update its settings rath When creating new RKE template revisions from your user settings, you can clone an existing revision and quickly update its settings rather than creating a new one from scratch. Cloning template revisions saves you the hassle of re-entering the cluster parameters. 1. From the **Global** view, click **Tools > RKE Templates.** -1. Go to the template revision you want to clone. Then select **Ellipsis > Clone Revision.** +1. Go to the template revision you want to clone. Then select **⋮ > Clone Revision.** 1. Complete the rest of the form. **Result:** The RKE template revision is cloned and configured. You can use the RKE template revision later when you provision a cluster. Any existing cluster using this RKE template can be upgraded to this new revision. @@ -94,7 +94,7 @@ When you no longer want an RKE template revision to be used for creating new clu You can disable the revision if it is not being used by any cluster. 1. From the **Global** view, click **Tools > RKE Templates.** -1. Go to the template revision you want to disable. Then select **Ellipsis > Disable.** +1. Go to the template revision you want to disable. Then select **⋮ > Disable.** **Result:** The RKE template revision cannot be used to create a new cluster. @@ -103,7 +103,7 @@ You can disable the revision if it is not being used by any cluster. If you decide that a disabled RKE template revision should be used to create new clusters, you can re-enable it. 1. From the **Global** view, click **Tools > RKE Templates.** -1. Go to the template revision you want to re-enable. Then select **Ellipsis > Enable.** +1. Go to the template revision you want to re-enable. Then select **⋮ > Enable.** **Result:** The RKE template revision can be used to create a new cluster. 
@@ -114,7 +114,7 @@ When end users create a cluster using an RKE template, they can choose which rev To set an RKE template revision as default, 1. From the **Global** view, click **Tools > RKE Templates.** -1. Go to the RKE template revision that should be default and click the **Ellipsis (...) > Set as Default.** +1. Go to the RKE template revision that should be default and click the **⋮ > Set as Default.** **Result:** The RKE template revision will be used as the default option when clusters are created with the template. @@ -125,7 +125,7 @@ You can delete all revisions of a template except for the default revision. To permanently delete a revision, 1. From the **Global** view, click **Tools > RKE Templates.** -1. Go to the RKE template revision that should be deleted and click the **Ellipsis (...) > Delete.** +1. Go to the RKE template revision that should be deleted and click the **⋮ > Delete.** **Result:** The RKE template revision is deleted. @@ -137,7 +137,7 @@ To permanently delete a revision, To upgrade a cluster to use a new template revision, 1. From the **Global** view in Rancher, click the **Clusters** tab. -1. Go to the cluster that you want to upgrade and click **Ellipsis (...) > Edit.** +1. Go to the cluster that you want to upgrade and click **⋮ > Edit.** 1. In the **Cluster Options** section, click the dropdown menu for the template revision, then select the new template revision. 1. Click **Save.** @@ -152,7 +152,7 @@ This exports the cluster's settings as a new RKE template, and also binds the cl To convert an existing cluster to use an RKE template, 1. From the **Global** view in Rancher, click the **Clusters** tab. -1. Go to the cluster that will be converted to use an RKE template. Click **Ellipsis (...)** > **Save as RKE Template.** +1. Go to the cluster that will be converted to use an RKE template. Click **⋮** > **Save as RKE Template.** 1. Enter a name for the template in the form that appears, and click **Create.** **Results:** 
diff --git a/content/rancher/v2.x/en/admin-settings/rke-templates/creator-permissions/_index.md b/content/rancher/v2.x/en/admin-settings/rke-templates/creator-permissions/_index.md index 30b58bebd98..0773da504e3 100644 --- a/content/rancher/v2.x/en/admin-settings/rke-templates/creator-permissions/_index.md +++ b/content/rancher/v2.x/en/admin-settings/rke-templates/creator-permissions/_index.md @@ -24,7 +24,7 @@ Administrators can give users permission to create RKE templates in two ways: An administrator can individually grant the role **Create RKE Templates** to any existing user by following these steps: -1. From the global view, click the **Users** tab. Choose the user you want to edit and click the **Vertical Ellipsis (...) > Edit.** +1. From the global view, click the **Users** tab. Choose the user you want to edit and click the **⋮ > Edit.** 1. In the **Global Permissions** section, choose **Custom** and select the **Create RKE Templates** role along with any other roles the user should have. Click **Save.** **Result:** The user has permission to create RKE templates. @@ -34,7 +34,7 @@ An administrator can individually grant the role **Create RKE Templates** to any Alternatively, the administrator can give all new users the default permission to create RKE templates by following the following steps. This will not affect the permissions of existing users. 1. From the **Global** view, click **Security > Roles.** -1. Under the **Global** roles tab, go to the role **Create RKE Templates** and click the **Vertical Ellipsis (...) > Edit**. +1. Under the **Global** roles tab, go to the role **Create RKE Templates** and click the **⋮ > Edit**. 1. Select the option **Yes: Default role for new users** and click **Save.** **Result:** Any new user created in this Rancher installation will be able to create RKE templates. Existing users will not get this permission. 
@@ -43,7 +43,7 @@ Alternatively, the administrator can give all new users the default permission t Administrators can remove a user's permission to create templates with the following steps: -1. From the global view, click the **Users** tab. Choose the user you want to edit and click the **Vertical Ellipsis (...) > Edit.** +1. From the global view, click the **Users** tab. Choose the user you want to edit and click the **⋮ > Edit.** 1. In the **Global Permissions** section, un-check the box for **Create RKE Templates**. In this section, you can change the user back to a standard user, or give the user a different set of custom permissions. 1. Click **Save.** diff --git a/content/rancher/v2.x/en/admin-settings/rke-templates/enforcement/_index.md b/content/rancher/v2.x/en/admin-settings/rke-templates/enforcement/_index.md index 4f686c0222a..a1fa1e79ddb 100644 --- a/content/rancher/v2.x/en/admin-settings/rke-templates/enforcement/_index.md +++ b/content/rancher/v2.x/en/admin-settings/rke-templates/enforcement/_index.md @@ -22,7 +22,7 @@ You might want to require new clusters to use a template to ensure that any clus To require new clusters to use an RKE template, administrators can turn on RKE template enforcement with the following steps: 1. From the **Global** view, click the **Settings** tab. -1. Go to the `cluster-template-enforcement` setting. Click the vertical **Ellipsis (...)** and click **Edit.** +1. Go to the `cluster-template-enforcement` setting. Click the vertical **⋮** and click **Edit.** 1. Set the value to **True** and click **Save.** **Result:** All clusters provisioned by Rancher must use a template, unless the creator is an administrator. 
@@ -32,7 +32,7 @@ To require new clusters to use an RKE template, administrators can turn on RKE t To allow new clusters to be created without an RKE template, administrators can turn off RKE template enforcement with the following steps: 1. From the **Global** view, click the **Settings** tab. -1. Go to the `cluster-template-enforcement` setting. Click the vertical **Ellipsis (...)** and click **Edit.** +1. Go to the `cluster-template-enforcement` setting. Click the vertical **⋮** and click **Edit.** 1. Set the value to **False** and click **Save.** **Result:** When clusters are provisioned by Rancher, they don't need to use a template. diff --git a/content/rancher/v2.x/en/admin-settings/rke-templates/template-access-and-sharing/_index.md b/content/rancher/v2.x/en/admin-settings/rke-templates/template-access-and-sharing/_index.md index a86d8219a85..863faa1bc8b 100644 --- a/content/rancher/v2.x/en/admin-settings/rke-templates/template-access-and-sharing/_index.md +++ b/content/rancher/v2.x/en/admin-settings/rke-templates/template-access-and-sharing/_index.md @@ -28,7 +28,7 @@ There are several ways to share templates: To allow users or groups to create clusters using your template, you can give them the basic **User** access level for the template. 1. From the **Global** view, click **Tools > RKE Templates.** -1. Go to the template that you want to share and click the **Vertical Ellipsis (...) > Edit.** +1. Go to the template that you want to share and click the **⋮ > Edit.** 1. In the **Share Template** section, click on **Add Member**. 1. Search in the **Name** field for the user or group you want to share the template with. 1. Choose the **User** access type. 
@@ -39,7 +39,7 @@ To allow users or groups to create clusters using your template, you can give th ### Sharing Templates with All Users 1. From the **Global** view, click **Tools > RKE Templates.** -1. Go to the template that you want to share and click the **Vertical Ellipsis (...) > Edit.** +1. Go to the template that you want to share and click the **⋮ > Edit.** 1. Under **Share Template,** click **Make Public (read-only).** Then click **Save.** **Result:** All users in the Rancher setup can create clusters using the template. @@ -53,7 +53,7 @@ In that case, you can give users the Owner access type, which allows another use To give Owner access to a user or group, 1. From the **Global** view, click **Tools > RKE Templates.** -1. Go to the RKE template that you want to share and click the **Vertical Ellipsis (...) > Edit.** +1. Go to the RKE template that you want to share and click the **⋮ > Edit.** 1. Under **Share Template**, click on **Add Member** and search in the **Name** field for the user or group you want to share the template with. 1. In the **Access Type** field, click **Owner.** 1. Click **Save.** diff --git a/content/rancher/v2.x/en/catalog/globaldns/_index.md b/content/rancher/v2.x/en/catalog/globaldns/_index.md index 463cbebc6c9..7be91731f1c 100644 --- a/content/rancher/v2.x/en/catalog/globaldns/_index.md +++ b/content/rancher/v2.x/en/catalog/globaldns/_index.md @@ -97,7 +97,7 @@ The [global administrators]({{}}/rancher/v2.x/en/admin-settings/rbac/gl 1. From the **Global View**, select **Tools > Global DNS Providers**. -1. For the Global DNS provider that you want to edit, click the **Vertical Ellipsis (...) > Edit**. +1. For the Global DNS provider that you want to edit, click the **⋮ > Edit**. ## Editing a Global DNS Entry 
@@ -115,4 +115,4 @@ Permission checks are relaxed for removing target projects in order to support s 1. From the **Global View**, select **Tools > Global DNS Entries**. -1. For the Global DNS entry that you want to edit, click the **Vertical Ellipsis (...) > Edit**. +1. For the Global DNS entry that you want to edit, click the **⋮ > Edit**. diff --git a/content/rancher/v2.x/en/catalog/managing-apps/_index.md b/content/rancher/v2.x/en/catalog/managing-apps/_index.md index 4ce33372060..1351c90b3bc 100644 --- a/content/rancher/v2.x/en/catalog/managing-apps/_index.md +++ b/content/rancher/v2.x/en/catalog/managing-apps/_index.md @@ -22,7 +22,7 @@ After an application is deployed, you can easily upgrade to a different template 1. From the main navigation bar, choose **Apps**. In versions prior to v2.2.0, choose **Catalog Apps** on the main navigation bar. Click **Launch**. -3. Find the application that you want to upgrade, and then click the Ellipsis to find **Upgrade**. +3. Find the application that you want to upgrade, and then click the ⋮ to find **Upgrade**. 4. Select the **Template Version** that you want to deploy. @@ -48,7 +48,7 @@ After an application has been upgraded, you can easily rollback to a different t 1. From the main navigation bar, choose **Apps**. In versions prior to v2.2.0, choose **Catalog Apps** on the main navigation bar. Click **Launch**. -3. Find the application that you want to rollback, and then click the Ellipsis to find **Rollback**. +3. Find the application that you want to rollback, and then click the ⋮ to find **Rollback**. 4. Select the **Revision** that you want to roll back to. By default, Rancher saves up to the last 10 revisions. diff --git a/content/rancher/v2.x/en/catalog/multi-cluster-apps/_index.md b/content/rancher/v2.x/en/catalog/multi-cluster-apps/_index.md index 79c404bf289..37fe0c6304b 100644 --- a/content/rancher/v2.x/en/catalog/multi-cluster-apps/_index.md +++ b/content/rancher/v2.x/en/catalog/multi-cluster-apps/_index.md 
@@ -146,7 +146,7 @@ One of the benefits of using a multi-cluster application as opposed to multiple 1. From the **Global** view, choose **Apps** in the navigation bar. -2. Choose the multi-cluster application you want to take one of these actions on and click the **Vertical Ellipsis (...)**. Select one of the following options: +2. Choose the multi-cluster application you want to take one of these actions on and click the **⋮**. Select one of the following options: * **Clone**: Creates another multi-cluster application with the same configuration. By using this option, you can easily duplicate a multi-cluster application. * **Upgrade**: Upgrade your multi-cluster application to change some part of the configuration. When performing an upgrade for multi-cluster application, the [upgrade strategy](#upgrades) can be modified if you have the correct [access type](#members). @@ -156,6 +156,6 @@ One of the benefits of using a multi-cluster application as opposed to multiple 1. From the **Global** view, choose **Apps** in the navigation bar. -2. Choose the multi-cluster application you want to delete and click the **Vertical Ellipsis (...) > Delete**. When deleting the multi-cluster application, all applications and namespaces are deleted in all of the target projects. +2. Choose the multi-cluster application you want to delete and click the **⋮ > Delete**. When deleting the multi-cluster application, all applications and namespaces are deleted in all of the target projects. > **Note:** The applications in the target projects, that are created for a multi-cluster application, cannot be deleted individually. The applications can only be deleted when the multi-cluster application is deleted. diff --git a/content/rancher/v2.x/en/cluster-admin/backing-up-etcd/_index.md b/content/rancher/v2.x/en/cluster-admin/backing-up-etcd/_index.md index d0d3cfab5eb..369f5a34d61 100644 --- a/content/rancher/v2.x/en/cluster-admin/backing-up-etcd/_index.md 
+++ b/content/rancher/v2.x/en/cluster-admin/backing-up-etcd/_index.md @@ -77,7 +77,7 @@ In addition to recurring snapshots, you may want to take a "one-time" snapshot. 1. In the **Global** view, navigate to the cluster that you want to take a one-time snapshot. -2. Click the **Vertical Ellipsis (...) > Snapshot Now**. +2. Click the **⋮ > Snapshot Now**. **Result:** Based on your [snapshot backup target](#snapshot-backup-targets), a one-time snapshot will be taken and saved in the selected backup target. diff --git a/content/rancher/v2.x/en/cluster-admin/certificate-rotation/_index.md b/content/rancher/v2.x/en/cluster-admin/certificate-rotation/_index.md index 2323917c395..357ab776e07 100644 --- a/content/rancher/v2.x/en/cluster-admin/certificate-rotation/_index.md +++ b/content/rancher/v2.x/en/cluster-admin/certificate-rotation/_index.md @@ -25,7 +25,7 @@ Rancher launched Kubernetes clusters have the ability to rotate the auto-generat 1. In the **Global** view, navigate to the cluster that you want to rotate certificates. -2. Select the **Ellipsis (...) > Rotate Certificates**. +2. Select the **⋮ > Rotate Certificates**. 3. Select which certificates that you want to rotate. @@ -47,7 +47,7 @@ Rancher launched Kubernetes clusters have the ability to rotate the auto-generat 1. In the **Global** view, navigate to the cluster that you want to rotate certificates. -2. Select the **Ellipsis (...) > View in API**. +2. Select the **⋮ > View in API**. 3. Click on **RotateCertificates**. diff --git a/content/rancher/v2.x/en/cluster-admin/editing-clusters/_index.md b/content/rancher/v2.x/en/cluster-admin/editing-clusters/_index.md index 1b2d42d582a..e237deba153 100644 --- a/content/rancher/v2.x/en/cluster-admin/editing-clusters/_index.md +++ b/content/rancher/v2.x/en/cluster-admin/editing-clusters/_index.md 
@@ -3,7 +3,7 @@ title: Cluster Configuration weight: 2025 --- -After you provision a Kubernetes cluster using Rancher, you can still edit options and settings for the cluster. To edit your cluster, open the **Global** view, make sure the **Clusters** tab is selected, and then select **Ellipsis (...) > Edit** for the cluster that you want to edit. +After you provision a Kubernetes cluster using Rancher, you can still edit options and settings for the cluster. To edit your cluster, open the **Global** view, make sure the **Clusters** tab is selected, and then select **⋮ > Edit** for the cluster that you want to edit. To Edit an Existing Cluster ![Edit Cluster]({{}}/img/rancher/edit-cluster.png) diff --git a/content/rancher/v2.x/en/cluster-admin/nodes/_index.md b/content/rancher/v2.x/en/cluster-admin/nodes/_index.md index 18a2c28f480..b5406cb379b 100644 --- a/content/rancher/v2.x/en/cluster-admin/nodes/_index.md +++ b/content/rancher/v2.x/en/cluster-admin/nodes/_index.md @@ -72,7 +72,7 @@ Editing a node lets you: * Add [labels](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/) * Add/Remove [taints](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) -To manage individual nodes, browse to the cluster that you want to manage and then select **Nodes** from the main menu. You can open the options menu for a node by clicking its **Ellipsis** icon (**...**). +To manage individual nodes, browse to the cluster that you want to manage and then select **Nodes** from the main menu. You can open the options menu for a node by clicking its **⋮** icon (**...**). # Viewing a Node in the Rancher API 
@@ -96,7 +96,7 @@ For [nodes hosted by an infrastructure provider]({{< baseurl >}}/rancher/v2.x/en 1. From the cluster hosted by an infrastructure provider, select **Nodes** from the main menu. -1. Find the node that you want to remote into. Select **Ellipsis (...) > Download Keys**. +1. Find the node that you want to remote into. Select **⋮ > Download Keys**. **Step Result:** A ZIP file containing files used for SSH is downloaded. @@ -201,7 +201,7 @@ You can label nodes to be ignored by using a setting in the Rancher UI, or by us To add a node that is ignored by Rancher, 1. From the **Global** view, click the **Settings** tab. -1. Go to the `ignore-node-name` setting and click **Ellipsis (...) > Edit.** +1. Go to the `ignore-node-name` setting and click **⋮ > Edit.** 1. Enter a name that Rancher will use to ignore nodes. All nodes with this name will be ignored. 1. Click **Save.** diff --git a/content/rancher/v2.x/en/cluster-admin/pod-security-policy/_index.md b/content/rancher/v2.x/en/cluster-admin/pod-security-policy/_index.md index 730255113e3..261e1e11782 100644 --- a/content/rancher/v2.x/en/cluster-admin/pod-security-policy/_index.md +++ b/content/rancher/v2.x/en/cluster-admin/pod-security-policy/_index.md @@ -9,7 +9,7 @@ When your cluster is running pods with security-sensitive configurations, assign You can assign a pod security policy when you provision a cluster. However, if you need to relax or restrict security for your pods later, you can update the policy while editing your cluster. -1. From the **Global** view, find the cluster to which you want to apply a pod security policy. Select **Vertical Ellipsis (...) > Edit**. +1. From the **Global** view, find the cluster to which you want to apply a pod security policy. Select **⋮ > Edit**. 2. Expand **Cluster Options**. diff --git a/content/rancher/v2.x/en/cluster-admin/restoring-etcd/_index.md b/content/rancher/v2.x/en/cluster-admin/restoring-etcd/_index.md index ec99c1732d1..44f802fffc3 100644 
--- a/content/rancher/v2.x/en/cluster-admin/restoring-etcd/_index.md +++ b/content/rancher/v2.x/en/cluster-admin/restoring-etcd/_index.md @@ -47,7 +47,7 @@ When rolling back to a prior Kubernetes version, the [upgrade strategy options]( 1. In the **Global** view, navigate to the cluster that you want to restore from a snapshots. -2. Click the **Vertical Ellipsis (...) > Restore Snapshot**. +2. Click the **⋮ > Restore Snapshot**. 3. Select the snapshot that you want to use for restoring your cluster from the dropdown of available snapshots. @@ -67,7 +67,7 @@ When rolling back to a prior Kubernetes version, the [upgrade strategy options]( 1. In the **Global** view, navigate to the cluster that you want to restore from a snapshot. -2. Click the **Vertical Ellipsis (...) > Restore Snapshot**. +2. Click the **⋮ > Restore Snapshot**. 3. Select the snapshot that you want to use for restoring your cluster from the dropdown of available snapshots. diff --git a/content/rancher/v2.x/en/cluster-admin/tools/istio/disabling-istio/_index.md b/content/rancher/v2.x/en/cluster-admin/tools/istio/disabling-istio/_index.md index 3cba3d5a86c..d2035689626 100644 --- a/content/rancher/v2.x/en/cluster-admin/tools/istio/disabling-istio/_index.md +++ b/content/rancher/v2.x/en/cluster-admin/tools/istio/disabling-istio/_index.md @@ -18,7 +18,7 @@ To disable Istio, # Disable Istio in a Namespace 1. In the Rancher UI, go to the project that has the namespace where you want to disable Istio. -1. On the **Workloads** tab, you will see a list of namespaces and the workloads deployed in them. Go to the namespace where you want to disable and click the **Ellipsis (...) > Disable Istio Auto Injection.** +1. On the **Workloads** tab, you will see a list of namespaces and the workloads deployed in them. Go to the namespace where you want to disable and click the **⋮ > Disable Istio Auto Injection.** **Result:** When workloads are deployed in this namespace, they will not have the Istio sidecar. 
diff --git a/content/rancher/v2.x/en/cluster-admin/tools/istio/setup/deploy-workloads/_index.md b/content/rancher/v2.x/en/cluster-admin/tools/istio/setup/deploy-workloads/_index.md index 38bb20f588a..8e52d678bbf 100644 --- a/content/rancher/v2.x/en/cluster-admin/tools/istio/setup/deploy-workloads/_index.md +++ b/content/rancher/v2.x/en/cluster-admin/tools/istio/setup/deploy-workloads/_index.md @@ -7,7 +7,7 @@ weight: 4 Enabling Istio in a namespace only enables automatic sidecar injection for new workloads. To enable the Envoy sidecar for existing workloads, you need to enable it manually for each workload. -To inject the Istio sidecar on an existing workload in the namespace, go to the workload, click the **Ellipsis (...),** and click **Redeploy.** When the workload is redeployed, it will have the Envoy sidecar automatically injected. +To inject the Istio sidecar on an existing workload in the namespace, go to the workload, click the **⋮,** and click **Redeploy.** When the workload is redeployed, it will have the Envoy sidecar automatically injected. Wait a few minutes for the workload to upgrade to have the istio sidecar. Click it and go to the Containers section. You should be able to see istio-init and istio-proxy alongside your original workload. This means the Istio sidecar is enabled for the workload. Istio is doing all the wiring for the sidecar envoy. Now Istio can do all the features automatically if you enable them in the yaml. diff --git a/content/rancher/v2.x/en/cluster-admin/tools/istio/setup/enable-istio-in-cluster/enable-istio-with-psp/_index.md b/content/rancher/v2.x/en/cluster-admin/tools/istio/setup/enable-istio-in-cluster/enable-istio-with-psp/_index.md index 07b3f104f5a..f31369cfc61 100644 --- a/content/rancher/v2.x/en/cluster-admin/tools/istio/setup/enable-istio-in-cluster/enable-istio-with-psp/_index.md +++ b/content/rancher/v2.x/en/cluster-admin/tools/istio/setup/enable-istio-in-cluster/enable-istio-with-psp/_index.md 
@@ -15,7 +15,7 @@ The Istio CNI plugin removes the need for each application pod to have a privile ### 1. Configure the System Project Policy to allow Istio install 1. From the main menu of the **Dashboard**, select **Projects/Namespaces**. -1. Find the **Project: System** project and select the **Ellipsis (...) > Edit**. +1. Find the **Project: System** project and select the **⋮ > Edit**. 1. Change the Pod Security Policy option to be unrestricted, then click Save. diff --git a/content/rancher/v2.x/en/cluster-admin/tools/istio/setup/enable-istio-in-namespace/_index.md b/content/rancher/v2.x/en/cluster-admin/tools/istio/setup/enable-istio-in-namespace/_index.md index 948d15c7c05..9065424e534 100644 --- a/content/rancher/v2.x/en/cluster-admin/tools/istio/setup/enable-istio-in-namespace/_index.md +++ b/content/rancher/v2.x/en/cluster-admin/tools/istio/setup/enable-istio-in-namespace/_index.md @@ -10,7 +10,7 @@ This namespace setting will only affect new workloads in the namespace. Any pree > **Prerequisite:** To enable Istio in a namespace, the cluster must have Istio enabled. 1. In the Rancher UI, go to the cluster view. Click the **Projects/Namespaces** tab. -1. Go to the namespace where you want to enable the Istio sidecar auto injection and click the **Ellipsis (...).** +1. Go to the namespace where you want to enable the Istio sidecar auto injection and click the **⋮.** 1. Click **Edit.** 1. In the **Istio sidecar auto injection** section, click **Enable.** 1. Click **Save.** 
@@ -33,7 +33,7 @@ To add the annotation to a workload, 1. From the **Global** view, open the project that has the workload that should not have the sidecar. 1. Click **Resources > Workloads.** -1. Go to the workload that should not have the sidecar and click **Ellipsis (...) > Edit.** +1. Go to the workload that should not have the sidecar and click **⋮ > Edit.** 1. Click **Show Advanced Options.** Then expand the **Labels & Annotations** section. 1. Click **Add Annotation.** 1. In the **Key** field, enter `sidecar.istio.io/inject`. diff --git a/content/rancher/v2.x/en/cluster-admin/tools/istio/setup/node-selectors/_index.md b/content/rancher/v2.x/en/cluster-admin/tools/istio/setup/node-selectors/_index.md index aa7e807b095..994656361e3 100644 --- a/content/rancher/v2.x/en/cluster-admin/tools/istio/setup/node-selectors/_index.md +++ b/content/rancher/v2.x/en/cluster-admin/tools/istio/setup/node-selectors/_index.md @@ -14,7 +14,7 @@ In larger deployments, it is strongly advised that Istio's infrastructure be pla First, add a label to the node where Istio components should be deployed. This label can have any key-value pair. For this example, we will use the key `istio` and the value `enabled`. 1. From the cluster view, go to the **Nodes** tab. -1. Go to a worker node that will host the Istio components and click **Ellipsis (...) > Edit.** +1. Go to a worker node that will host the Istio components and click **⋮ > Edit.** 1. Expand the **Labels & Annotations** section. 1. Click **Add Label.** 1. In the fields that appear, enter `istio` for the key and `enabled` for the value. diff --git a/content/rancher/v2.x/en/cluster-admin/tools/opa-gatekeper/_index.md b/content/rancher/v2.x/en/cluster-admin/tools/opa-gatekeper/_index.md index 1450ab5a496..12c951c6279 100644 --- a/content/rancher/v2.x/en/cluster-admin/tools/opa-gatekeper/_index.md +++ b/content/rancher/v2.x/en/cluster-admin/tools/opa-gatekeper/_index.md 
@@ -91,7 +91,7 @@ The detail view of each constraint lists information about the resource that vio 1. Navigate to the cluster's Dashboard view 1. On the left side menu, expand the cluster menu and click on **OPA Gatekeeper.** -1. Click the **Vertical Ellipsis (...) > Disable**. +1. Click the **⋮ > Disable**. **Result:** Upon disabling OPA Gatekeeper, all constraint templates and constraints will also be deleted. diff --git a/content/rancher/v2.x/en/cluster-admin/upgrading-kubernetes/_index.md b/content/rancher/v2.x/en/cluster-admin/upgrading-kubernetes/_index.md index 9df2fc6cf00..d015b8b5b03 100644 --- a/content/rancher/v2.x/en/cluster-admin/upgrading-kubernetes/_index.md +++ b/content/rancher/v2.x/en/cluster-admin/upgrading-kubernetes/_index.md @@ -73,7 +73,7 @@ The cluster cannot be downgraded to a previous Kubernetes version. > - The options below are available only for [Rancher-launched RKE Kubernetes clusters]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/) and [imported K3s Kubernetes clusters.]({{}}/rancher/v2.x/en/cluster-provisioning/imported-clusters/#additional-features-for-imported-k3s-clusters) > - Before upgrading Kubernetes, [back up your cluster.]({{}}/rancher/v2.x/en/backups) -1. From the **Global** view, find the cluster for which you want to upgrade Kubernetes. Select **Vertical Ellipsis (...) > Edit**. +1. From the **Global** view, find the cluster for which you want to upgrade Kubernetes. Select **⋮ > Edit**. 1. Expand **Cluster Options**. 
@@ -107,7 +107,7 @@ By default, the maximum number of unavailable worker is defined as 10 percent of To change the default number or percentage of worker nodes, 1. Go to the cluster view in the Rancher UI. -1. Click **Ellipsis (...) > Edit.** +1. Click **⋮ > Edit.** 1. In the **Advanced Options** section, go to the **Maxiumum Worker Nodes Unavailable** field. Enter the percentage of worker nodes that can be upgraded in a batch. Optionally, select **Count** from the drop-down menu and enter the maximum unavailable worker nodes as an integer. 1. Click **Save.** @@ -120,7 +120,7 @@ By default, RKE [cordons](https://kubernetes.io/docs/concepts/architecture/nodes To enable draining each node during a cluster upgrade, 1. Go to the cluster view in the Rancher UI. -1. Click **Ellipsis (...) > Edit.** +1. Click **⋮ > Edit.** 1. In the **Advanced Options** section, go to the **Drain nodes** field and click **Yes.** 1. Choose a safe or aggressive drain option. For more information about each option, refer to [this section.]({{}}/rancher/v2.x/en/cluster-admin/nodes/#aggressive-and-safe-draining-options) 1. Optionally, configure a grace period. The grace period is the timeout given to each pod for cleaning things up, so they will have chance to exit gracefully. Pods might need to finish any outstanding requests, roll back transactions or save state to some external storage. If this value is negative, the default value specified in the pod will be used. diff --git a/content/rancher/v2.x/en/cluster-admin/volumes-and-storage/attaching-existing-storage/_index.md b/content/rancher/v2.x/en/cluster-admin/volumes-and-storage/attaching-existing-storage/_index.md index 8cd6adf86e2..d85a4e9ad3d 100644 --- a/content/rancher/v2.x/en/cluster-admin/volumes-and-storage/attaching-existing-storage/_index.md +++ b/content/rancher/v2.x/en/cluster-admin/volumes-and-storage/attaching-existing-storage/_index.md 
@@ -93,7 +93,7 @@ The following steps describe how to assign existing storage to a new workload th The following steps describe how to assign persistent storage to an existing workload: 1. From the **Project** view, go to the **Workloads** tab. -1. Go to the workload that you want to add the persistent storage to. The workload type should be a stateful set. Click **Ellipsis (...) > Edit.** +1. Go to the workload that you want to add the persistent storage to. The workload type should be a stateful set. Click **⋮ > Edit.** 1. Expand the **Volumes** section and click **Add Volume > Use an existing persistent volume (claim).**. 1. In the **Persistent Volume Claim** field, select the PVC that you created. 1. In the **Mount Point** field, enter the path that the workload will use to access the volume. diff --git a/content/rancher/v2.x/en/cluster-admin/volumes-and-storage/provisioning-new-storage/_index.md b/content/rancher/v2.x/en/cluster-admin/volumes-and-storage/provisioning-new-storage/_index.md index 9aaffd5accc..50f33cce160 100644 --- a/content/rancher/v2.x/en/cluster-admin/volumes-and-storage/provisioning-new-storage/_index.md +++ b/content/rancher/v2.x/en/cluster-admin/volumes-and-storage/provisioning-new-storage/_index.md @@ -100,7 +100,7 @@ To attach the PVC to a new workload, To attach the PVC to an existing workload, 1. Go to the project that has the workload that will have the PVC attached. -1. Go to the workload that will have persistent storage and click **Ellipsis (...) > Edit.** +1. Go to the workload that will have persistent storage and click **⋮ > Edit.** 1. Expand the **Volumes** section and click **Add Volume > Add a New Persistent Volume (Claim).** 1. In the **Persistent Volume Claim** section, select the newly created persistent volume claim that is attached to the storage class. 1. In the **Mount Point** field, enter the path that the workload will use to access the volume. 
diff --git a/content/rancher/v2.x/en/cluster-provisioning/rke-clusters/node-pools/_index.md b/content/rancher/v2.x/en/cluster-provisioning/rke-clusters/node-pools/_index.md index e359bf31e47..fbac23befac 100644 --- a/content/rancher/v2.x/en/cluster-provisioning/rke-clusters/node-pools/_index.md +++ b/content/rancher/v2.x/en/cluster-provisioning/rke-clusters/node-pools/_index.md @@ -54,7 +54,7 @@ To access all node templates, an administrator will need to do the following: 1. In the Rancher UI, click the user profile icon in the upper right corner. 1. Click **Node Templates.** -**Result:** All node templates are listed and grouped by owner. The templates can be edited or cloned by clicking the **Ellipsis (...).** +**Result:** All node templates are listed and grouped by owner. The templates can be edited or cloned by clicking the **⋮.** # Node Pools @@ -97,7 +97,7 @@ When you create the node pool, you can specify the amount of time in minutes tha You can also enable node auto-replace after the cluster is created with the following steps: 1. From the Global view, click the Clusters tab. -1. Go to the cluster where you want to enable node auto-replace, click the vertical ellipsis **(…)**, and click **Edit.** +1. Go to the cluster where you want to enable node auto-replace, click the vertical ⋮ **(…)**, and click **Edit.** 1. In the **Node Pools** section, go to the node pool where you want to enable node auto-replace. In the **Recreate Unreachable After** field, enter the number of minutes that Rancher should wait for a node to respond before replacing the node. 1. Click **Save.** 
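Review bot: The replacement in this hunk is incomplete. Step 2 now reads "click the vertical ⋮ **(…)**, and click **Edit.**", so the word "vertical" and the old bolded **(…)** survive next to the new glyph. Suggest "click **⋮ > Edit.**", which matches the form used on the other pages in this patch. The same leftover is in the next hunk of this file (@@ -108,7), and similar remnants remain in workloads/add-a-sidecar ("**⋮ icon (...) > Add a Sidecar**") and in rollback-workloads and upgrade-workloads ("**Vertical ⋮ (... ) > Rollback**", "**Vertical ⋮ (... ) > Edit**").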
@@ -108,7 +108,7 @@ You can also enable node auto-replace after the cluster is created with the foll You can disable node auto-replace from the Rancher UI with the following steps: 1. From the Global view, click the Clusters tab. -1. Go to the cluster where you want to enable node auto-replace, click the vertical ellipsis **(…)**, and click **Edit.** +1. Go to the cluster where you want to enable node auto-replace, click the vertical ⋮ **(…)**, and click **Edit.** 1. In the **Node Pools** section, go to the node pool where you want to enable node auto-replace. In the **Recreate Unreachable After** field, enter 0. 1. Click **Save.** diff --git a/content/rancher/v2.x/en/cluster-provisioning/rke-clusters/windows-clusters/_index.md b/content/rancher/v2.x/en/cluster-provisioning/rke-clusters/windows-clusters/_index.md index b22346ed381..837b8628ceb 100644 --- a/content/rancher/v2.x/en/cluster-provisioning/rke-clusters/windows-clusters/_index.md +++ b/content/rancher/v2.x/en/cluster-provisioning/rke-clusters/windows-clusters/_index.md @@ -193,7 +193,7 @@ After the initial provisioning of your custom cluster, your cluster only has a s 1. From the **Global** view, click **Clusters.** -1. Go to the custom cluster that you created and click **Ellipsis (...) > Edit.** +1. Go to the custom cluster that you created and click **⋮ > Edit.** 1. Scroll down to **Node Operating System**. Choose **Linux**. @@ -221,7 +221,7 @@ You can add Windows hosts to a custom cluster by editing the cluster and choosin 1. From the **Global** view, click **Clusters.** -1. Go to the custom cluster that you created and click **Ellipsis (...) > Edit.** +1. Go to the custom cluster that you created and click **⋮ > Edit.** 1. Scroll down to **Node Operating System**. Choose **Windows**. Note: You will see that the **worker** role is the only available role. 
diff --git a/content/rancher/v2.x/en/faq/removing-rancher/_index.md b/content/rancher/v2.x/en/faq/removing-rancher/_index.md index 1cf26a9d8a0..897fdcfce49 100644 --- a/content/rancher/v2.x/en/faq/removing-rancher/_index.md +++ b/content/rancher/v2.x/en/faq/removing-rancher/_index.md @@ -43,7 +43,7 @@ If an imported cluster is deleted from the Rancher UI, the cluster is detached f To detach the cluster, 1. From the **Global** view in Rancher, go to the **Clusters** tab. -2. Go to the imported cluster that should be detached from Rancher and click **Ellipsis (...) > Delete.** +2. Go to the imported cluster that should be detached from Rancher and click **⋮ > Delete.** 3. Click **Delete.** **Result:** The imported cluster is detached from Rancher and functions normally outside of Rancher. diff --git a/content/rancher/v2.x/en/faq/technical/_index.md b/content/rancher/v2.x/en/faq/technical/_index.md index 1340d9623e3..1151e35489c 100644 --- a/content/rancher/v2.x/en/faq/technical/_index.md +++ b/content/rancher/v2.x/en/faq/technical/_index.md @@ -81,7 +81,7 @@ We follow the validated Docker versions for upstream Kubernetes releases. The va ### How can I access nodes created by Rancher? -SSH keys to access the nodes created by Rancher can be downloaded via the **Nodes** view. Choose the node which you want to access and click on the vertical ellipsis button at the end of the row, and choose **Download Keys** as shown in the picture below. +SSH keys to access the nodes created by Rancher can be downloaded via the **Nodes** view. Choose the node which you want to access and click on the vertical ⋮ button at the end of the row, and choose **Download Keys** as shown in the picture below. ![Download Keys]({{}}/img/rancher/downloadsshkeys.png) diff --git a/content/rancher/v2.x/en/installation/options/api-audit-log/_index.md b/content/rancher/v2.x/en/installation/options/api-audit-log/_index.md index 7ade1298509..e465c60eb6c 100644 
--- a/content/rancher/v2.x/en/installation/options/api-audit-log/_index.md +++ b/content/rancher/v2.x/en/installation/options/api-audit-log/_index.md @@ -70,7 +70,7 @@ kubectl -n cattle-system logs -f rancher-84d886bdbb-s4s69 rancher-audit-log ![Rancher Workload]({{}}/img/rancher/audit_logs_gui/rancher_workload.png) -1. Pick one of the `rancher` pods and select **Ellipsis (...) > View Logs**. +1. Pick one of the `rancher` pods and select **⋮ > View Logs**. ![View Logs]({{}}/img/rancher/audit_logs_gui/view_logs.png) diff --git a/content/rancher/v2.x/en/installation/options/feature-flags/_index.md b/content/rancher/v2.x/en/installation/options/feature-flags/_index.md index bf9cafea51f..7df5e71056c 100644 --- a/content/rancher/v2.x/en/installation/options/feature-flags/_index.md +++ b/content/rancher/v2.x/en/installation/options/feature-flags/_index.md @@ -119,7 +119,7 @@ _Available as of Rancher v2.3.3_ 1. Go to the **Global** view and click **Settings.** 1. Click the **Feature Flags** tab. You will see a list of experimental features. -1. To enable a feature, go to the disabled feature you want to enable and click **Ellipsis (...) > Activate.** +1. To enable a feature, go to the disabled feature you want to enable and click **⋮ > Activate.** **Result:** The feature is enabled. @@ -127,7 +127,7 @@ _Available as of Rancher v2.3.3_ 1. Go to the **Global** view and click **Settings.** 1. Click the **Feature Flags** tab. You will see a list of experimental features. -1. To disable a feature, go to the enabled feature you want to disable and click **Ellipsis (...) > Deactivate.** +1. To disable a feature, go to the enabled feature you want to disable and click **⋮ > Deactivate.** **Result:** The feature is disabled. diff --git a/content/rancher/v2.x/en/installation/options/local-system-charts/_index.md b/content/rancher/v2.x/en/installation/options/local-system-charts/_index.md index b2b84f724f3..82def8c7c92 100644 
--- a/content/rancher/v2.x/en/installation/options/local-system-charts/_index.md +++ b/content/rancher/v2.x/en/installation/options/local-system-charts/_index.md @@ -37,7 +37,7 @@ In the catalog management page in the Rancher UI, follow these steps: 1. Click **Tools > Catalogs.** -1. The system chart is displayed under the name `system-library`. To edit the configuration of the system chart, click **Ellipsis (...) > Edit.** +1. The system chart is displayed under the name `system-library`. To edit the configuration of the system chart, click **⋮ > Edit.** 1. In the **Catalog URL** field, enter the location of the Git mirror of the `system-charts` repository. diff --git a/content/rancher/v2.x/en/k8s-in-rancher/horitzontal-pod-autoscaler/hpa-for-rancher-before-2_0_7/_index.md b/content/rancher/v2.x/en/k8s-in-rancher/horitzontal-pod-autoscaler/hpa-for-rancher-before-2_0_7/_index.md index 1d6d4584a0b..ab9b55db752 100644 --- a/content/rancher/v2.x/en/k8s-in-rancher/horitzontal-pod-autoscaler/hpa-for-rancher-before-2_0_7/_index.md +++ b/content/rancher/v2.x/en/k8s-in-rancher/horitzontal-pod-autoscaler/hpa-for-rancher-before-2_0_7/_index.md 
@@ -19,7 +19,7 @@ Be sure that your Kubernetes cluster services are running with these flags at mi - `horizontal-pod-autoscaler-upscale-delay: "3m0s"` - `horizontal-pod-autoscaler-sync-period: "30s"` -For an RKE Kubernetes cluster definition, add this snippet in the `services` section. To add this snippet using the Rancher v2.0 UI, open the **Clusters** view and select **Ellipsis (...) > Edit** for the cluster in which you want to use HPA. Then, from **Cluster Options**, click **Edit as YAML**. Add the following snippet to the `services` section: +For an RKE Kubernetes cluster definition, add this snippet in the `services` section. To add this snippet using the Rancher v2.0 UI, open the **Clusters** view and select **⋮ > Edit** for the cluster in which you want to use HPA. Then, from **Cluster Options**, click **Edit as YAML**. Add the following snippet to the `services` section: ``` services: diff --git a/content/rancher/v2.x/en/k8s-in-rancher/horitzontal-pod-autoscaler/manage-hpa-with-rancher-ui/_index.md b/content/rancher/v2.x/en/k8s-in-rancher/horitzontal-pod-autoscaler/manage-hpa-with-rancher-ui/_index.md index 6b812cf8dd7..b08eb8f8624 100644 --- a/content/rancher/v2.x/en/k8s-in-rancher/horitzontal-pod-autoscaler/manage-hpa-with-rancher-ui/_index.md +++ b/content/rancher/v2.x/en/k8s-in-rancher/horitzontal-pod-autoscaler/manage-hpa-with-rancher-ui/_index.md @@ -48,7 +48,7 @@ If you want to create HPAs that scale based on other metrics than CPU and memory 1. Find the HPA which you would like to delete. -1. Click **Ellipsis (...) > Delete**. +1. Click **⋮ > Delete**. 1. Click **Delete** to confirm. diff --git a/content/rancher/v2.x/en/k8s-in-rancher/pipelines/_index.md b/content/rancher/v2.x/en/k8s-in-rancher/pipelines/_index.md index 767ecc6bbac..e20e1794245 100644 --- a/content/rancher/v2.x/en/k8s-in-rancher/pipelines/_index.md +++ b/content/rancher/v2.x/en/k8s-in-rancher/pipelines/_index.md 
@@ -205,8 +205,8 @@ Now that repositories are added to your project, you can start configuring the p 1. Configure the pipeline through the UI or using a yaml file in the repository, i.e. `.rancher-pipeline.yml` or `.rancher-pipeline.yaml`. Pipeline configuration is split into stages and steps. Stages must fully complete before moving onto the next stage, but steps in a stage run concurrently. For each stage, you can add different step types. Note: As you build out each step, there are different advanced options based on the step type. Advanced options include trigger rules, environment variables, and secrets. For more information on configuring the pipeline through the UI or the YAML file, refer to the [pipeline configuration reference.]({{}}/rancher/v2.x/en/k8s-in-rancher/pipelines/config) - * If you are going to use the UI, select the vertical **Ellipsis (...) > Edit Config** to configure the pipeline using the UI. After the pipeline is configured, you must view the YAML file and push it to the repository. - * If you are going to use the YAML file, select the vertical **Ellipsis (...) > View/Edit YAML** to configure the pipeline. If you choose to use a YAML file, you need to push it to the repository after any changes in order for it to be updated in the repository. When editing the pipeline configuration, it takes a few moments for Rancher to check for an existing pipeline configuration. + * If you are going to use the UI, select the vertical **⋮ > Edit Config** to configure the pipeline using the UI. After the pipeline is configured, you must view the YAML file and push it to the repository. + * If you are going to use the YAML file, select the vertical **⋮ > View/Edit YAML** to configure the pipeline. If you choose to use a YAML file, you need to push it to the repository after any changes in order for it to be updated in the repository. When editing the pipeline configuration, it takes a few moments for Rancher to check for an existing pipeline configuration. 
1. Select which `branch` to use from the list of branches. @@ -242,7 +242,7 @@ The configuration reference also covers how to configure: # Running your Pipelines -Run your pipeline for the first time. From the project view in Rancher, go to **Resources > Pipelines.** (In versions prior to v2.3.0, go to the **Pipelines** tab.) Find your pipeline and select the vertical **Ellipsis (...) > Run**. +Run your pipeline for the first time. From the project view in Rancher, go to **Resources > Pipelines.** (In versions prior to v2.3.0, go to the **Pipelines** tab.) Find your pipeline and select the vertical **⋮ > Run**. During this initial run, your pipeline is tested, and the following pipeline components are deployed to your project as workloads in a new namespace dedicated to the pipeline: @@ -270,7 +270,7 @@ Available Events: 1. 1. Click **Resources > Pipelines.** In versions prior to v2.3.0, click **Workloads > Pipelines.** -1. Find the repository that you want to modify the event triggers. Select the vertical **Ellipsis (...) > Setting**. +1. Find the repository that you want to modify the event triggers. Select the vertical **⋮ > Setting**. 1. Select which event triggers (**Push**, **Pull Request** or **Tag**) you want for the repository. diff --git a/content/rancher/v2.x/en/k8s-in-rancher/pipelines/config/_index.md b/content/rancher/v2.x/en/k8s-in-rancher/pipelines/config/_index.md index 9bffc8eb1ee..7443af2daad 100644 --- a/content/rancher/v2.x/en/k8s-in-rancher/pipelines/config/_index.md +++ b/content/rancher/v2.x/en/k8s-in-rancher/pipelines/config/_index.md 
@@ -393,7 +393,7 @@ This section covers the following topics: 1. Click **Resources > Pipelines.** In versions prior to v2.3.0, click **Workloads > Pipelines.** -1. From the repository for which you want to manage trigger rules, select the vertical **Ellipsis (...) > Edit Config**. +1. From the repository for which you want to manage trigger rules, select the vertical **⋮ > Edit Config**. 1. Click on **Show Advanced Options**. @@ -411,7 +411,7 @@ This section covers the following topics: 1. Click **Resources > Pipelines.** In versions prior to v2.3.0, click **Workloads > Pipelines.** -1. From the repository for which you want to manage trigger rules, select the vertical **Ellipsis (...) > Edit Config**. +1. From the repository for which you want to manage trigger rules, select the vertical **⋮ > Edit Config**. 1. Find the **stage** that you want to manage trigger rules, click the **Edit** icon for that stage. @@ -436,7 +436,7 @@ This section covers the following topics: 1. Click **Resources > Pipelines.** In versions prior to v2.3.0, click **Workloads > Pipelines.** -1. From the repository for which you want to manage trigger rules, select the vertical **Ellipsis (...) > Edit Config**. +1. From the repository for which you want to manage trigger rules, select the vertical **⋮ > Edit Config**. 1. Find the **step** that you want to manage trigger rules, click the **Edit** icon for that step. @@ -491,7 +491,7 @@ When configuring a pipeline, certain [step types](#step-types) allow you to use 1. Click **Resources > Pipelines.** In versions prior to v2.3.0, click **Workloads > Pipelines.** -1. From the pipeline for which you want to edit build triggers, select **Ellipsis (...) > Edit Config**. +1. From the pipeline for which you want to edit build triggers, select **⋮ > Edit Config**. 1. Within one of the stages, find the **step** that you want to add an environment variable for, click the **Edit** icon. 
@@ -534,7 +534,7 @@ Create a secret in the same project as your pipeline, or explicitly in the names 1. Click **Resources > Pipelines.** In versions prior to v2.3.0, click **Workloads > Pipelines.** -1. From the pipeline for which you want to edit build triggers, select **Ellipsis (...) > Edit Config**. +1. From the pipeline for which you want to edit build triggers, select **⋮ > Edit Config**. 1. Within one of the stages, find the **step** that you want to use a secret for, click the **Edit** icon. diff --git a/content/rancher/v2.x/en/k8s-in-rancher/pipelines/example-repos/_index.md b/content/rancher/v2.x/en/k8s-in-rancher/pipelines/example-repos/_index.md index c57dd613f2d..4b7fddc4b85 100644 --- a/content/rancher/v2.x/en/k8s-in-rancher/pipelines/example-repos/_index.md +++ b/content/rancher/v2.x/en/k8s-in-rancher/pipelines/example-repos/_index.md @@ -53,7 +53,7 @@ After enabling an example repository, review the pipeline to see how it is set u 1. Click **Resources > Pipelines.** In versions prior to v2.3.0, click **Workloads > Pipelines.** -1. Find the example repository, select the vertical **Ellipsis (...)**. There are two ways to view the pipeline: +1. Find the example repository, select the vertical **⋮**. There are two ways to view the pipeline: * **Rancher UI**: Click on **Edit Config** to view the stages and steps of the pipeline. * **YAML**: Click on View/Edit YAML to view the `./rancher-pipeline.yml` file. @@ -65,7 +65,7 @@ After enabling an example repository, run the pipeline to see how it works. 1. Click **Resources > Pipelines.** In versions prior to v2.3.0, click **Workloads > Pipelines.** -1. Find the example repository, select the vertical **Ellipsis (...) > Run**. +1. Find the example repository, select the vertical **⋮ > Run**. >**Note:** When you run a pipeline the first time, it takes a few minutes to pull relevant images and provision necessary pipeline components. 
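Review bot: In the `+` line of this hunk, "select the vertical **⋮ > Run**" keeps "vertical" in front of a glyph that is already the vertical ellipsis, while the @@ -491,7 and @@ -534,7 hunks of pipelines/config use plain "select **⋮ > Edit Config**". Drop "vertical" here and in the @@ -53,7 hunk above so the menu is referred to the same way throughout the pipelines pages.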
diff --git a/content/rancher/v2.x/en/k8s-in-rancher/pipelines/storage/_index.md b/content/rancher/v2.x/en/k8s-in-rancher/pipelines/storage/_index.md index e3b911bc9a2..6fec0fa6ccb 100644 --- a/content/rancher/v2.x/en/k8s-in-rancher/pipelines/storage/_index.md +++ b/content/rancher/v2.x/en/k8s-in-rancher/pipelines/storage/_index.md @@ -15,7 +15,7 @@ This section assumes that you understand how persistent storage works in Kuberne 1. From the project that you're configuring a pipeline for, and click **Resources > Workloads.** In versions prior to v2.3.0, select the **Workloads** tab. -1. Find the `docker-registry` workload and select **Ellipsis (...) > Edit**. +1. Find the `docker-registry` workload and select **⋮ > Edit**. 1. Scroll to the **Volumes** section and expand it. Make one of the following selections from the **Add Volume** menu, which is near the bottom of the section: @@ -59,7 +59,7 @@ This section assumes that you understand how persistent storage works in Kuberne ### B. Configuring Persistent Data for Minio -1. From the project view, click **Resources > Workloads.** (In versions prior to v2.3.0, click the **Workloads** tab.) Find the `minio` workload and select **Ellipsis (...) > Edit**. +1. From the project view, click **Resources > Workloads.** (In versions prior to v2.3.0, click the **Workloads** tab.) Find the `minio` workload and select **⋮ > Edit**. 1. Scroll to the **Volumes** section and expand it. Make one of the following selections from the **Add Volume** menu, which is near the bottom of the section: diff --git a/content/rancher/v2.x/en/k8s-in-rancher/workloads/add-a-sidecar/_index.md b/content/rancher/v2.x/en/k8s-in-rancher/workloads/add-a-sidecar/_index.md index abe6b1c5fe7..36b4355c4f2 100644 --- a/content/rancher/v2.x/en/k8s-in-rancher/workloads/add-a-sidecar/_index.md +++ b/content/rancher/v2.x/en/k8s-in-rancher/workloads/add-a-sidecar/_index.md 
@@ -10,7 +10,7 @@ A _sidecar_ is a container that extends or enhances the main container in a pod. 1. Click **Resources > Workloads.** In versions prior to v2.3.0, select the **Workloads** tab. -1. Find the workload that you want to extend. Select **Ellipsis icon (...) > Add a Sidecar**. +1. Find the workload that you want to extend. Select **⋮ icon (...) > Add a Sidecar**. 1. Enter a **Name** for the sidecar. @@ -30,7 +30,7 @@ A _sidecar_ is a container that extends or enhances the main container in a pod. 1. Click **Launch**. -**Result:** The sidecar is deployed according to your parameters. Following its deployment, you can view the sidecar by selecting **Ellipsis icon (...) > Edit** for the main deployment. +**Result:** The sidecar is deployed according to your parameters. Following its deployment, you can view the sidecar by selecting **⋮ icon (...) > Edit** for the main deployment. ## Related Links diff --git a/content/rancher/v2.x/en/k8s-in-rancher/workloads/rollback-workloads/_index.md b/content/rancher/v2.x/en/k8s-in-rancher/workloads/rollback-workloads/_index.md index 4be9cd00eaf..d9ad17aab29 100644 --- a/content/rancher/v2.x/en/k8s-in-rancher/workloads/rollback-workloads/_index.md +++ b/content/rancher/v2.x/en/k8s-in-rancher/workloads/rollback-workloads/_index.md @@ -9,7 +9,7 @@ Sometimes there is a need to rollback to the previous version of the application 1. From the **Global** view, open the project running the workload you want to rollback. -1. Find the workload that you want to rollback and select **Vertical Ellipsis (... ) > Rollback**. +1. Find the workload that you want to rollback and select **Vertical ⋮ (... ) > Rollback**. 1. Choose the revision that you want to roll back to. Click **Rollback**. diff --git a/content/rancher/v2.x/en/k8s-in-rancher/workloads/upgrade-workloads/_index.md b/content/rancher/v2.x/en/k8s-in-rancher/workloads/upgrade-workloads/_index.md index 5d47c733ed4..bf9a17e4f3d 100644 
--- a/content/rancher/v2.x/en/k8s-in-rancher/workloads/upgrade-workloads/_index.md +++ b/content/rancher/v2.x/en/k8s-in-rancher/workloads/upgrade-workloads/_index.md @@ -8,7 +8,7 @@ When a new version of an application image is released on Docker Hub, you can up 1. From the **Global** view, open the project running the workload you want to upgrade. -1. Find the workload that you want to upgrade and select **Vertical Ellipsis (... ) > Edit**. +1. Find the workload that you want to upgrade and select **Vertical ⋮ (... ) > Edit**. 1. Update the **Docker Image** to the updated version of the application image on Docker Hub. diff --git a/content/rancher/v2.x/en/project-admin/pod-security-policies/_index.md b/content/rancher/v2.x/en/project-admin/pod-security-policies/_index.md index c5e7417df02..e7c01b2aec9 100644 --- a/content/rancher/v2.x/en/project-admin/pod-security-policies/_index.md +++ b/content/rancher/v2.x/en/project-admin/pod-security-policies/_index.md @@ -16,7 +16,7 @@ You can always assign a pod security policy (PSP) to an existing project if you 1. From the **Global** view, find the cluster containing the project you want to apply a PSP to. 1. From the main menu, select **Projects/Namespaces**. -1. Find the project that you want to add a PSP to. From that project, select **Vertical Ellipsis (...) > Edit**. +1. Find the project that you want to add a PSP to. From that project, select **⋮ > Edit**. 1. From the **Pod Security Policy** drop-down, select the PSP you want to apply to the project. Assigning a PSP to a project will: diff --git a/content/rancher/v2.x/en/project-admin/resource-quotas/_index.md b/content/rancher/v2.x/en/project-admin/resource-quotas/_index.md index ad9f464df25..e4df1e5fdee 100644 --- a/content/rancher/v2.x/en/project-admin/resource-quotas/_index.md +++ b/content/rancher/v2.x/en/project-admin/resource-quotas/_index.md 
@@ -26,7 +26,7 @@ Edit [resource quotas]({{}}/rancher/v2.x/en/k8s-in-rancher/projects-and 1. From the main menu, select **Projects/Namespaces**. -1. Find the project that you want to add a resource quota to. From that project, select **Ellipsis (...) > Edit**. +1. Find the project that you want to add a resource quota to. From that project, select **⋮ > Edit**. 1. Expand **Resource Quotas** and click **Add Quota**. Alternatively, you can edit existing quotas. diff --git a/content/rancher/v2.x/en/project-admin/resource-quotas/override-container-default/_index.md b/content/rancher/v2.x/en/project-admin/resource-quotas/override-container-default/_index.md index b20230f7c14..5d3bf362301 100644 --- a/content/rancher/v2.x/en/project-admin/resource-quotas/override-container-default/_index.md +++ b/content/rancher/v2.x/en/project-admin/resource-quotas/override-container-default/_index.md @@ -20,7 +20,7 @@ Edit [container default resource limit]({{}}/rancher/v2.x/en/k8s-in-ran 1. From the **Global** view, open the cluster containing the project to which you want to edit the container default resource limit. 1. From the main menu, select **Projects/Namespaces**. -1. Find the project that you want to edit the container default resource limit. From that project, select **Ellipsis (...) > Edit**. +1. Find the project that you want to edit the container default resource limit. From that project, select **⋮ > Edit**. 1. Expand **Container Default Resource Limit** and edit the values. ### Resource Limit Propagation diff --git a/content/rancher/v2.x/en/project-admin/resource-quotas/override-namespace-default/_index.md b/content/rancher/v2.x/en/project-admin/resource-quotas/override-namespace-default/_index.md index 2d7f83b4162..f87f5612e06 100644 --- a/content/rancher/v2.x/en/project-admin/resource-quotas/override-namespace-default/_index.md +++ b/content/rancher/v2.x/en/project-admin/resource-quotas/override-namespace-default/_index.md 
@@ -20,7 +20,7 @@ If there is a [resource quota]({{}}/rancher/v2.x/en/k8s-in-rancher/proj 1. From the main menu, select **Projects/Namespaces**. -1. Find the namespace for which you want to edit the resource quota. Select **Ellipsis (...) > Edit**. +1. Find the namespace for which you want to edit the resource quota. Select **⋮ > Edit**. 1. Edit the Resource Quota **Limits**. These limits determine the resources available to the namespace. The limits must be set within the configured project limits. diff --git a/content/rancher/v2.x/en/security/security-scan/_index.md b/content/rancher/v2.x/en/security/security-scan/_index.md index 2e9b25bb554..7ff5cb3bd20 100644 --- a/content/rancher/v2.x/en/security/security-scan/_index.md +++ b/content/rancher/v2.x/en/security/security-scan/_index.md 
@@ -150,7 +150,7 @@ To schedule scans for an existing cluster: 1. Go to the cluster view in Rancher. 1. Click **Tools > CIS Scans.** -1. Click **Add Schedule.** This takes you to the section of the cluster editing page that is applicable to configuring a schedule for CIS scans. (This section can also be reached by going to the cluster view, clicking **Ellipsis (...) > Edit,** and going to the **Advanced Options.**) +1. Click **Add Schedule.** This takes you to the section of the cluster editing page that is applicable to configuring a schedule for CIS scans. (This section can also be reached by going to the cluster view, clicking **⋮ > Edit,** and going to the **Advanced Options.**) 1. In the **CIS Scan Enabled** field, click **Yes.** 1. In the **CIS Scan Profile** field, choose a **Permissive** or **Hardened** profile. The corresponding CIS Benchmark version is included in the profile name. Note: Any skipped tests [defined in a separate ConfigMap](#skipping-tests) will be skipped regardless of whether a **Permissive** or **Hardened** profile is selected. When selecting the the permissive profile, you should see which tests were skipped by Rancher (tests that are skipped by default for RKE clusters) and which tests were skipped by a Rancher user. In the hardened test profile, the only skipped tests will be skipped by users. 1. In the **CIS Scan Interval (cron)** job, enter a [cron expression](https://en.wikipedia.org/wiki/Cron#CRON_expression) to define how often the cluster will be scanned. 
@@ -216,8 +216,8 @@ To activate an existing alert for a CIS scan result, 1. From the cluster view in Rancher, click **Tools > Alerts.** 1. Go to the section called **A set of alerts for cluster scans.** -1. Go to the alert you want to activate and click **Ellipsis (...) > Activate.** -1. Go to the alert rule group **A set of alerts for cluster scans** and click **Ellipsis (...) > Edit.** +1. Go to the alert you want to activate and click **⋮ > Activate.** +1. Go to the alert rule group **A set of alerts for cluster scans** and click **⋮ > Edit.** 1. Scroll down to the **Alert** section. In the **To** field, select the notifier that you would like to use for sending alert notifications. 1. Optional: To limit the frequency of the notifications, click on **Show advanced options** and configure the time interval of the alerts. 1. Click **Save.** @@ -242,12 +242,12 @@ For more information about alerts, refer to [this page.]({{}}/rancher/v 1. From the cluster view in Rancher, click **Tools > CIS Scans.** 1. Go to the report that should be deleted. -1. Click the **Ellipsis (...) > Delete.** +1. Click the **⋮ > Delete.** 1. Click **Delete.** # Downloading a Report 1. From the cluster view in Rancher, click **Tools > CIS Scans.** -1. Go to the report that you want to download. Click **Ellipsis (...) > Download.** +1. Go to the report that you want to download. Click **⋮ > Download.** **Result:** The report is downloaded in CSV format. For more information on each columns, refer to the [section about the generated report.](#about-the-generated-report) diff --git a/content/rancher/v2.x/en/user-settings/cloud-credentials/_index.md b/content/rancher/v2.x/en/user-settings/cloud-credentials/_index.md index 39a516475c1..148f8f6783f 100644 --- a/content/rancher/v2.x/en/user-settings/cloud-credentials/_index.md +++ b/content/rancher/v2.x/en/user-settings/cloud-credentials/_index.md 
@@ -34,7 +34,7 @@ All cloud credentials are bound to the user profile of who created it. They **ca When access credentials are changed or compromised, updating a cloud credential allows you to rotate those credentials while keeping the same node template. 1. From your user settings, select **User Avatar > Cloud Credentials**. -1. Choose the cloud credential you want to edit and click the **Vertical Ellipsis (...) > Edit**. +1. Choose the cloud credential you want to edit and click the **⋮ > Edit**. 1. Update the credential information and click **Save**. **Result:** The cloud credential is updated with the new access credentials. All existing node templates using this cloud credential will automatically use the updated information whenever [new nodes are added]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/node-pools/). @@ -46,6 +46,6 @@ In order to delete cloud credentials, there must not be any node template associ 1. From your user settings, select **User Avatar > Cloud Credentials**. 1. You can either individually delete a cloud credential or bulk delete. - - To individually delete one, choose the cloud credential you want to edit and click the **Vertical Ellipsis (...) > Delete**. + - To individually delete one, choose the cloud credential you want to edit and click the **⋮ > Delete**. - To bulk delete cloud credentials, select one or more cloud credentials from the list. Click **Delete**. 1. Confirm that you want to delete these cloud credentials. diff --git a/content/rancher/v2.x/en/user-settings/node-templates/_index.md b/content/rancher/v2.x/en/user-settings/node-templates/_index.md index c91fa4ca695..0b6f411fc76 100644 --- a/content/rancher/v2.x/en/user-settings/node-templates/_index.md +++ b/content/rancher/v2.x/en/user-settings/node-templates/_index.md 
@@ -21,7 +21,7 @@ When you create a node template, it is bound to your user profile. Node template ## Updating a Node Template 1. From your user settings, select **User Avatar > Node Templates**. -1. Choose the node template that you want to edit and click the **Vertical Ellipsis (...) > Edit**. +1. Choose the node template that you want to edit and click the **⋮ > Edit**. > **Note:** As of v2.2.0, the default `active` [node drivers]({{}}/rancher/v2.x/en/admin-settings/drivers/node-drivers/) and any node driver, that has fields marked as `password`, are required to use [cloud credentials]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/node-pools/#cloud-credentials). If you have upgraded to v2.2.0, existing node templates will continue to work with the previous account access information, but when you edit the node template, you will be required to create a cloud credential and the node template will start using it. @@ -34,7 +34,7 @@ When you create a node template, it is bound to your user profile. Node template When creating new node templates from your user settings, you can clone an existing template and quickly update its settings rather than creating a new one from scratch. Cloning templates saves you the hassle of re-entering access keys for the cloud provider. 1. From your user settings, select **User Avatar > Node Templates**. -1. Find the template you want to clone. Then select **Ellipsis > Clone**. +1. Find the template you want to clone. Then select **⋮ > Clone**. 1. Complete the rest of the form. **Result:** The template is cloned and configured. You can use the template later when you [provision a node pool cluster]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/node-pools). From 22fb5a11357ed942232b3531cf9c33cbff16ac85 Mon Sep 17 00:00:00 2001 
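Review bot: In the CIS scan hunks at `@@ -216,8 +216,8 @@` and `@@ -242,12 +242,12 @@`, and in every other line this patch touches, the bare `**⋮**` removes the only textual name the control had ("Ellipsis (...)"), so the step can no longer be found by searching the docs for "ellipsis" and depends on the glyph rendering. Consider keeping a name next to the glyph, for example `**⋮ (vertical ellipsis) > Activate**`. The article is also inconsistent across the changed lines: `click **⋮ > Activate.**` in one step and `Click the **⋮ > Delete.**` in another; pick one form.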
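Review bot: In the cloud-credentials hunk at `@@ -46,6 +46,6 @@`, the rewritten bullet still reads "choose the cloud credential you want to edit" although the step is a deletion (`click the **⋮ > Delete**`). Since the line is being changed anyway, correct it to "the cloud credential you want to delete" so the instruction for removing a credential is unambiguous.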
From: Catherine Luse Date: Tue, 31 Dec 2019 17:09:11 -0700 Subject: [PATCH 155/183] Reorganize RancherOS docs --- content/os/v1.x/en/_index.md | 2 +- content/os/v1.x/en/about/_index.md | 6 ++-- .../running-rancher-on-rancherOS/_index.md | 2 +- .../configuration/_index.md | 4 ++- .../adding-kernel-parameters/_index.md | 4 ++- .../airgap-configuration/_index.md | 12 +++++-- .../configuration/date-and-timezone/_index.md | 4 ++- .../disable-access-to-system/_index.md | 2 ++ .../configuration/docker/_index.md | 6 ++-- .../v1.x/en/configuration/hostname/_index.md | 13 +++++++ .../configuration/images-prefix/_index.md | 2 ++ .../kernel-modules-kernel-headers/_index.md | 2 ++ .../loading-kernel-modules/_index.md | 2 ++ .../private-registries/_index.md | 6 ++-- .../resizing-device-partition/_index.md | 2 ++ .../configuration/running-commands/_index.md | 4 ++- .../setting-up-docker-tls/_index.md | 2 ++ .../configuration/ssh-keys/_index.md | 4 ++- .../switching-consoles/_index.md | 12 +++++++ .../switching-docker-versions/_index.md | 10 ++++++ .../configuration/sysctl/_index.md | 2 ++ .../configuration/users/_index.md | 2 ++ .../configuration/write-files/_index.md | 2 ++ content/os/v1.x/en/installation/_index.md | 34 +++++++++++++++++-- .../v1.x/en/installation/amazon-ecs/_index.md | 6 ++-- .../built-in-system-services/_index.md | 16 ++++----- .../boot-process/cloud-init/_index.md | 4 +-- .../cloud/aliyun/_index.md | 2 ++ .../cloud/aws/_index.md | 6 ++++ .../cloud/azure/_index.md | 2 ++ .../cloud/do/_index.md | 2 ++ .../cloud/gce/_index.md | 6 ++-- .../cloud/openstack/_index.md | 4 ++- .../cloud/vmware-esxi/_index.md | 2 ++ .../configuration/hostname/_index.md | 11 ------ .../custom-builds/custom-console/_index.md | 10 ++++++ .../custom-rancheros-iso/_index.md | 2 +- .../server/install-to-disk/_index.md | 8 +++-- .../server/pxe/_index.md | 6 ++-- .../server/raspberry-pi/_index.md | 4 ++- .../workstation/boot-from-iso/_index.md | 4 ++- .../workstation/docker-machine/_index.md 
| 4 ++- .../networking/dns/_index.md | 2 ++ .../networking/interfaces/_index.md | 2 ++ .../networking/proxy-settings/_index.md | 2 ++ content/os/v1.x/en/overview/_index.md | 2 +- .../os/v1.x/en/quick-start-guide/_index.md | 2 +- .../storage/additional-mounts/_index.md | 6 ++++ .../storage/state-partition/_index.md | 2 ++ .../storage/using-zfs/_index.md | 2 ++ .../_index.md | 2 ++ .../custom-system-services/_index.md | 4 ++- .../system-services/environment/_index.md | 2 ++ .../system-docker-volumes/_index.md | 2 ++ content/os/v1.x/en/upgrading/_index.md | 4 +-- .../provisioning-vsphere-clusters/_index.md | 2 +- .../node-template-reference/_index.md | 6 ++-- 57 files changed, 218 insertions(+), 64 deletions(-) rename content/os/v1.x/en/{installation => }/configuration/_index.md (93%) rename content/os/v1.x/en/{installation => }/configuration/adding-kernel-parameters/_index.md (93%) rename content/os/v1.x/en/{installation => }/configuration/airgap-configuration/_index.md (86%) rename content/os/v1.x/en/{installation => }/configuration/date-and-timezone/_index.md (85%) rename content/os/v1.x/en/{installation => }/configuration/disable-access-to-system/_index.md (91%) rename content/os/v1.x/en/{installation => }/configuration/docker/_index.md (96%) create mode 100644 content/os/v1.x/en/configuration/hostname/_index.md rename content/os/v1.x/en/{installation => }/configuration/images-prefix/_index.md (94%) rename content/os/v1.x/en/{installation => }/configuration/kernel-modules-kernel-headers/_index.md (95%) rename content/os/v1.x/en/{installation => }/configuration/loading-kernel-modules/_index.md (97%) rename content/os/v1.x/en/{installation => }/configuration/private-registries/_index.md (86%) rename content/os/v1.x/en/{installation => }/configuration/resizing-device-partition/_index.md (87%) rename content/os/v1.x/en/{installation => }/configuration/running-commands/_index.md (86%) rename content/os/v1.x/en/{installation => 
}/configuration/setting-up-docker-tls/_index.md (96%) rename content/os/v1.x/en/{installation => }/configuration/ssh-keys/_index.md (83%) rename content/os/v1.x/en/{installation => }/configuration/switching-consoles/_index.md (85%) rename content/os/v1.x/en/{installation => }/configuration/switching-docker-versions/_index.md (78%) rename content/os/v1.x/en/{installation => }/configuration/sysctl/_index.md (88%) rename content/os/v1.x/en/{installation => }/configuration/users/_index.md (89%) rename content/os/v1.x/en/{installation => }/configuration/write-files/_index.md (95%) rename content/os/v1.x/en/installation/{running-rancheros => }/cloud/aliyun/_index.md (95%) rename content/os/v1.x/en/installation/{running-rancheros => }/cloud/aws/_index.md (84%) rename content/os/v1.x/en/installation/{running-rancheros => }/cloud/azure/_index.md (97%) rename content/os/v1.x/en/installation/{running-rancheros => }/cloud/do/_index.md (96%) rename content/os/v1.x/en/installation/{running-rancheros => }/cloud/gce/_index.md (90%) rename content/os/v1.x/en/installation/{running-rancheros => }/cloud/openstack/_index.md (75%) rename content/os/v1.x/en/installation/{running-rancheros => }/cloud/vmware-esxi/_index.md (96%) delete mode 100644 content/os/v1.x/en/installation/configuration/hostname/_index.md rename content/os/v1.x/en/installation/{running-rancheros => }/server/install-to-disk/_index.md (89%) rename content/os/v1.x/en/installation/{running-rancheros => }/server/pxe/_index.md (92%) rename content/os/v1.x/en/installation/{running-rancheros => }/server/raspberry-pi/_index.md (92%) rename content/os/v1.x/en/installation/{running-rancheros => }/workstation/boot-from-iso/_index.md (86%) rename content/os/v1.x/en/installation/{running-rancheros => }/workstation/docker-machine/_index.md (95%) rename content/os/v1.x/en/{installation => }/networking/dns/_index.md (92%) rename content/os/v1.x/en/{installation => }/networking/interfaces/_index.md (99%) rename 
content/os/v1.x/en/{installation => }/networking/proxy-settings/_index.md (92%) rename content/os/v1.x/en/{installation => }/storage/additional-mounts/_index.md (79%) rename content/os/v1.x/en/{installation => }/storage/state-partition/_index.md (95%) rename content/os/v1.x/en/{installation => }/storage/using-zfs/_index.md (98%) rename content/os/v1.x/en/{installation/system-services/adding-system-services => system-services}/_index.md (95%) rename content/os/v1.x/en/{installation => }/system-services/custom-system-services/_index.md (96%) rename content/os/v1.x/en/{installation => }/system-services/environment/_index.md (94%) rename content/os/v1.x/en/{installation => }/system-services/system-docker-volumes/_index.md (95%) diff --git a/content/os/v1.x/en/_index.md b/content/os/v1.x/en/_index.md index 585f581fcf7..a4d46db0150 100644 --- a/content/os/v1.x/en/_index.md +++ b/content/os/v1.x/en/_index.md 
@@ -29,7 +29,7 @@ You can adjust memory requirements by custom building RancherOS, please refer to ### How RancherOS Works -Everything in RancherOS is a Docker container. We accomplish this by launching two instances of Docker. One is what we call **System Docker** and is the first process on the system. All other system services, like `ntpd`, `syslog`, and `console`, are running in Docker containers. System Docker replaces traditional init systems like `systemd` and is used to launch [additional system services](installation/system-services/adding-system-services/). +Everything in RancherOS is a Docker container. We accomplish this by launching two instances of Docker. One is what we call **System Docker** and is the first process on the system. All other system services, like `ntpd`, `syslog`, and `console`, are running in Docker containers. System Docker replaces traditional init systems like `systemd` and is used to launch [additional system services](installation/system-services/). System Docker runs a special container called **Docker**, which is another Docker daemon responsible for managing all of the user’s containers. Any containers that you launch as a user from the console will run inside this Docker. This creates isolation from the System Docker containers and ensures that normal user commands don’t impact system services. diff --git a/content/os/v1.x/en/about/_index.md b/content/os/v1.x/en/about/_index.md index 306c4e880a7..8b5bf2f8525 100644 --- a/content/os/v1.x/en/about/_index.md +++ b/content/os/v1.x/en/about/_index.md @@ -1,6 +1,6 @@ --- -title: About -weight: 4 +title: Additional Resources +weight: 200 --- ## Developing 
@@ -59,7 +59,7 @@ All of repositories are located within our main GitHub [page](https://github.com [RancherOS Repo](https://github.com/rancher/os): This repo contains the bulk of the RancherOS code. -[RancherOS Services Repo](https://github.com/rancher/os-services): This repo is where any [system-services]({{}}/os/v1.x/en//installation/system-services/adding-system-services/) can be contributed. +[RancherOS Services Repo](https://github.com/rancher/os-services): This repo is where any [system-services]({{< baseurl >}}/os/v1.x/en//system-services/) can be contributed. [RancherOS Images Repo](https://github.com/rancher/os-images): This repo is for the corresponding service images. diff --git a/content/os/v1.x/en/about/running-rancher-on-rancherOS/_index.md b/content/os/v1.x/en/about/running-rancher-on-rancherOS/_index.md index d447465344b..3fb01def4ed 100644 --- a/content/os/v1.x/en/about/running-rancher-on-rancherOS/_index.md +++ b/content/os/v1.x/en/about/running-rancher-on-rancherOS/_index.md @@ -7,7 +7,7 @@ RancherOS can be used to launch [Rancher](/rancher/) and be used as the OS to ad ### Launching Agents using Cloud-Config -You can easily add hosts into Rancher by using [cloud-config]({{}}/os/v1.x/en/installation/configuration/#cloud-config) to launch the rancher/agent container. +You can easily add hosts into Rancher by using [cloud-config]({{< baseurl >}}/os/v1.x/en/configuration/#cloud-config) to launch the rancher/agent container. After Rancher is launched and host registration has been saved, you will be able to find use the custom option to add Rancher OS nodes. diff --git a/content/os/v1.x/en/installation/configuration/_index.md b/content/os/v1.x/en/configuration/_index.md similarity index 93% rename from content/os/v1.x/en/installation/configuration/_index.md rename to content/os/v1.x/en/configuration/_index.md index 8d835d0c1bc..209b96ea3b4 100644 --- a/content/os/v1.x/en/installation/configuration/_index.md 
+++ b/content/os/v1.x/en/configuration/_index.md @@ -1,6 +1,8 @@ --- title: Configuration weight: 120 +aliases: + - /os/v1.x/en/installation/configuration --- There are two ways that RancherOS can be configured. @@ -34,7 +36,7 @@ In our example above, we have our `#cloud-config` line to indicate it's a cloud- ### Manually Changing Configuration To update RancherOS configuration after booting, the `ros config set ` command can be used. -For more complicated settings, like the [sysctl settings]({{}}/os/v1.x/en/installation/configuration/sysctl/), you can also create a small YAML file and then run `sudo ros config merge -i `. +For more complicated settings, like the [sysctl settings]({{< baseurl >}}/os/v1.x/en/configuration/sysctl/), you can also create a small YAML file and then run `sudo ros config merge -i `. #### Getting Values diff --git a/content/os/v1.x/en/installation/configuration/adding-kernel-parameters/_index.md b/content/os/v1.x/en/configuration/adding-kernel-parameters/_index.md similarity index 93% rename from content/os/v1.x/en/installation/configuration/adding-kernel-parameters/_index.md rename to content/os/v1.x/en/configuration/adding-kernel-parameters/_index.md index 5571bea102a..da82856f3c9 100644 --- a/content/os/v1.x/en/installation/configuration/adding-kernel-parameters/_index.md +++ b/content/os/v1.x/en/configuration/adding-kernel-parameters/_index.md @@ -1,6 +1,8 @@ --- title: Kernel boot parameters weight: 133 +aliases: + - /os/v1.x/en/installation/configuration/adding-kernel-parameters --- RancherOS parses the Linux kernel boot cmdline to add any keys it understands to its configuration. This allows you to modify what cloud-init sources it will use on boot, to enable `rancher.debug` logging, or to almost any other configuration setting. 
@@ -27,7 +29,7 @@ $ sudo system-docker run --rm -it -v /:/host alpine vi /host/boot/global.cfg ### During installation -If you want to set the extra kernel parameters when you are [Installing RancherOS to Disk]({{}}/os/v1.x/en/installation/running-rancheros/server/install-to-disk/) please use the `--append` parameter. +If you want to set the extra kernel parameters when you are [Installing RancherOS to Disk]({{< baseurl >}}/os/v1.x/en/installation/server/install-to-disk/) please use the `--append` parameter. ```bash $ sudo ros install -d /dev/sda --append "rancheros.autologin=tty1" diff --git a/content/os/v1.x/en/installation/configuration/airgap-configuration/_index.md b/content/os/v1.x/en/configuration/airgap-configuration/_index.md similarity index 86% rename from content/os/v1.x/en/installation/configuration/airgap-configuration/_index.md rename to content/os/v1.x/en/configuration/airgap-configuration/_index.md index 8547f29023e..c82fdbb2a9d 100644 --- a/content/os/v1.x/en/installation/configuration/airgap-configuration/_index.md +++ b/content/os/v1.x/en/configuration/airgap-configuration/_index.md @@ -1,6 +1,8 @@ --- title: Air Gap Configuration weight: 138 +aliases: + - /os/v1.x/en/installation/configuration/airgap-configuration --- In the air gap environment, the Docker registry, RancherOS repositories URL, and the RancherOS upgrade URL should be configured to ensure the OS can pull images, update OS services, and upgrade the OS. 
@@ -10,10 +12,10 @@ In the air gap environment, the Docker registry, RancherOS repositories URL, and You should use a private Docker registry so that `user-docker` and `system-docker` can pull images. -1. Add the private Docker registry domain to the [images prefix]({{}}/os/v1.x/en/installation/configuration/images-prefix/). -2. Set the private registry certificates for `user-docker`. For details, refer to [Certificates for Private Registries]({{}}/os/v1.x/en/installation/configuration/private-registries/#certificates-for-private-registries) +1. Add the private Docker registry domain to the [images prefix]({{< baseurl >}}/os/v1.x/en/configuration/images-prefix/). +2. Set the private registry certificates for `user-docker`. For details, refer to [Certificates for Private Registries]({{< baseurl >}}/os/v1.x/en/configuration/private-registries/#certificates-for-private-registries) 3. Set the private registry certificates for `system-docker`. There are two ways to set the certificates: - - To set the private registry certificates before RancherOS starts, you can run a script included with RancherOS. For details, refer to [Set Custom Certs in ISO]({{}}/os/v1.x/en/installation/configuration/airgap-configuration/#set-custom-certs-in-iso). + - To set the private registry certificates before RancherOS starts, you can run a script included with RancherOS. For details, refer to [Set Custom Certs in ISO]({{< baseurl >}}/os/v1.x/en/configuration/airgap-configuration/#set-custom-certs-in-iso). - To set the private registry certificates after RancherOS starts, append your private registry certs to the `/etc/ssl/certs/ca-certificates.crt.rancher` file. Then reboot to make the certs fully take effect. 4. The images used by RancherOS should be pushed to your private registry. 
@@ -84,7 +86,11 @@ $ sudo ros config set rancher.upgrade.url https://foo.bar.com/os/releases.yml Here is a total cloud-config example for using RancherOS in an air gap environment. +<<<<<<< HEAD:content/os/v1.x/en/installation/configuration/airgap-configuration/_index.md For `system-docker`, see [Configuring Private Docker Registry]({{}}/os/v1.x/en/installation/configuration/airgap-configuration/#configuring-private-docker-registry). +======= +For `system-docker`, see [Configuring Private Docker Registry]({{< baseurl >}}/os/v1.x/en/configuration/airgap-configuration/#configuring-private-docker-registry). +>>>>>>> Reorganize RancherOS docs:content/os/v1.x/en/configuration/airgap-configuration/_index.md ```yaml #cloud-config diff --git a/content/os/v1.x/en/installation/configuration/date-and-timezone/_index.md b/content/os/v1.x/en/configuration/date-and-timezone/_index.md similarity index 85% rename from content/os/v1.x/en/installation/configuration/date-and-timezone/_index.md rename to content/os/v1.x/en/configuration/date-and-timezone/_index.md index 1c4cff6e930..4f21ba4b3d7 100644 --- a/content/os/v1.x/en/installation/configuration/date-and-timezone/_index.md +++ b/content/os/v1.x/en/configuration/date-and-timezone/_index.md 
@@ -1,11 +1,13 @@ --- title: Date and time zone weight: 121 +aliases: + - /os/v1.x/en/installation/configuration/date-and-timezone --- The default console keeps time in the Coordinated Universal Time (UTC) zone and synchronizes clocks with the Network Time Protocol (NTP). The Network Time Protocol daemon (ntpd) is an operating system program that maintains the system time in synchronization with time servers using the NTP. -RancherOS can run ntpd in the System Docker container. You can update its configurations by updating `/etc/ntp.conf`. For an example of how to update a file such as `/etc/ntp.conf` within a container, refer to [this page.]({{}}/os/v1.x/en/installation/configuration/write-files/#writing-files-in-specific-system-services) +RancherOS can run ntpd in the System Docker container. You can update its configurations by updating `/etc/ntp.conf`. For an example of how to update a file such as `/etc/ntp.conf` within a container, refer to [this page.]({{< baseurl >}}/os/v1.x/en/configuration/write-files/#writing-files-in-specific-system-services) The default console cannot support changing the time zone because including `tzdata` (time zone data) will increase the ISO size. However, you can change the time zone in the container by passing a flag to specify the time zone when you run the container: diff --git a/content/os/v1.x/en/installation/configuration/disable-access-to-system/_index.md b/content/os/v1.x/en/configuration/disable-access-to-system/_index.md similarity index 91% rename from content/os/v1.x/en/installation/configuration/disable-access-to-system/_index.md rename to content/os/v1.x/en/configuration/disable-access-to-system/_index.md index 8f9e26529d3..bcbe845c4ac 100644 --- a/content/os/v1.x/en/installation/configuration/disable-access-to-system/_index.md +++ b/content/os/v1.x/en/configuration/disable-access-to-system/_index.md 
@@ -1,6 +1,8 @@ --- title: Disabling Access to RancherOS weight: 136 +aliases: + - /os/v1.x/en/installation/configuration/disable-access-to-system --- _Available as of v1.5_ diff --git a/content/os/v1.x/en/installation/configuration/docker/_index.md b/content/os/v1.x/en/configuration/docker/_index.md similarity index 96% rename from content/os/v1.x/en/installation/configuration/docker/_index.md rename to content/os/v1.x/en/configuration/docker/_index.md index 89ec70999e6..f1c9bc03344 100644 --- a/content/os/v1.x/en/installation/configuration/docker/_index.md +++ b/content/os/v1.x/en/configuration/docker/_index.md @@ -1,9 +1,11 @@ --- title: Configuring Docker or System Docker weight: 126 +aliases: + - /os/v1.x/en/installation/configuration/docker --- -In RancherOS, you can configure System Docker and Docker daemons by using [cloud-config]({{}}/os/v1.x/en/installation/configuration/#cloud-config). +In RancherOS, you can configure System Docker and Docker daemons by using [cloud-config]({{< baseurl >}}/os/v1.x/en/configuration/#cloud-config). ### Configuring Docker @@ -61,7 +63,7 @@ Key | Value | Default | Description ---|---|---| --- `extra_args` | List of Strings | `[]` | Arbitrary daemon arguments, appended to the generated command `environment` | List of Strings | `[]` | -`tls` | Boolean | `false` | When [setting up TLS]({{}}/os/v1.x/en/installation/configuration/setting-up-docker-tls/), this key needs to be set to true. +`tls` | Boolean | `false` | When [setting up TLS]({{< baseurl >}}/os/v1.x/en/configuration/setting-up-docker-tls/), this key needs to be set to true. `tls_args` | List of Strings (used only if `tls: true`) | `[]` | `server_key` | String (used only if `tls: true`)| `""` | PEM encoded server TLS key. `server_cert` | String (used only if `tls: true`) | `""` | PEM encoded server TLS certificate. 
diff --git a/content/os/v1.x/en/configuration/hostname/_index.md b/content/os/v1.x/en/configuration/hostname/_index.md new file mode 100644 index 00000000000..d7c6f3636b5 --- /dev/null +++ b/content/os/v1.x/en/configuration/hostname/_index.md @@ -0,0 +1,13 @@ +--- +title: Setting the Hostname +weight: 124 +aliases: + - /os/v1.x/en/installation/configuration/hostname +--- + +You can set the hostname of the host using [cloud-config]({{< baseurl >}}/os/v1.x/en/configuration/#cloud-config). The example below shows how to configure it. + +```yaml +#cloud-config +hostname: myhost +``` diff --git a/content/os/v1.x/en/installation/configuration/images-prefix/_index.md b/content/os/v1.x/en/configuration/images-prefix/_index.md similarity index 94% rename from content/os/v1.x/en/installation/configuration/images-prefix/_index.md rename to content/os/v1.x/en/configuration/images-prefix/_index.md index f8d902c4f66..207595a1312 100644 --- a/content/os/v1.x/en/installation/configuration/images-prefix/_index.md +++ b/content/os/v1.x/en/configuration/images-prefix/_index.md @@ -1,6 +1,8 @@ --- title: Images prefix weight: 121 +aliases: + - /os/v1.x/en/installation/configuration/images-prefix --- _Available as of v1.3_ diff --git a/content/os/v1.x/en/installation/configuration/kernel-modules-kernel-headers/_index.md b/content/os/v1.x/en/configuration/kernel-modules-kernel-headers/_index.md similarity index 95% rename from content/os/v1.x/en/installation/configuration/kernel-modules-kernel-headers/_index.md rename to content/os/v1.x/en/configuration/kernel-modules-kernel-headers/_index.md index 630594495ce..a350c41eff0 100644 --- a/content/os/v1.x/en/installation/configuration/kernel-modules-kernel-headers/_index.md +++ b/content/os/v1.x/en/configuration/kernel-modules-kernel-headers/_index.md 
@@ -1,6 +1,8 @@ --- title: Installing Kernel Modules that require Kernel Headers weight: 135 +aliases: + - /os/v1.x/en/installation/configuration/kernel-modules-kernel-headers --- To compile any kernel modules, you will need to download the kernel headers. The kernel headers are available in the form of a system service. Since the kernel headers are a system service, they need to be enabled using the `ros service` command. diff --git a/content/os/v1.x/en/installation/configuration/loading-kernel-modules/_index.md b/content/os/v1.x/en/configuration/loading-kernel-modules/_index.md similarity index 97% rename from content/os/v1.x/en/installation/configuration/loading-kernel-modules/_index.md rename to content/os/v1.x/en/configuration/loading-kernel-modules/_index.md index 11d4a5ec41f..d7f2b47673b 100644 --- a/content/os/v1.x/en/installation/configuration/loading-kernel-modules/_index.md +++ b/content/os/v1.x/en/configuration/loading-kernel-modules/_index.md @@ -1,6 +1,8 @@ --- title: Loading Kernel Modules weight: 134 +aliases: + - /os/v1.x/en/installation/configuration/loading-kernel-modules --- Since RancherOS v0.8, we build our own kernels using an unmodified kernel.org LTS kernel. diff --git a/content/os/v1.x/en/installation/configuration/private-registries/_index.md b/content/os/v1.x/en/configuration/private-registries/_index.md similarity index 86% rename from content/os/v1.x/en/installation/configuration/private-registries/_index.md rename to content/os/v1.x/en/configuration/private-registries/_index.md index c371956f3fd..b231ec4fb6c 100644 --- a/content/os/v1.x/en/installation/configuration/private-registries/_index.md +++ b/content/os/v1.x/en/configuration/private-registries/_index.md 
@@ -1,9 +1,11 @@ --- title: Private Registries weight: 128 +aliases: + - /os/v1.x/en/installation/configuration/private-registries --- -When launching services through a [cloud-config]({{}}/os/v1.x/en/installation/configuration/#cloud-config), it is sometimes necessary to pull a private image from DockerHub or from a private registry. Authentication for these can be embedded in your cloud-config. +When launching services through a [cloud-config]({{< baseurl >}}/os/v1.x/en/configuration/#cloud-config), it is sometimes necessary to pull a private image from DockerHub or from a private registry. Authentication for these can be embedded in your cloud-config. For example, to add authentication for DockerHub: @@ -61,7 +63,7 @@ write_files: ### Certificates for Private Registries -Certificates can be stored in the standard locations (i.e. `/etc/docker/certs.d`) following the [Docker documentation](https://docs.docker.com/registry/insecure). By using the `write_files` directive of the [cloud-config]({{}}/os/v1.x/en/installation/configuration/#cloud-config), the certificates can be written directly into `/etc/docker/certs.d`. +Certificates can be stored in the standard locations (i.e. `/etc/docker/certs.d`) following the [Docker documentation](https://docs.docker.com/registry/insecure). By using the `write_files` directive of the [cloud-config]({{< baseurl >}}/os/v1.x/en/configuration/#cloud-config), the certificates can be written directly into `/etc/docker/certs.d`. ```yaml #cloud-config diff --git a/content/os/v1.x/en/installation/configuration/resizing-device-partition/_index.md b/content/os/v1.x/en/configuration/resizing-device-partition/_index.md similarity index 87% rename from content/os/v1.x/en/installation/configuration/resizing-device-partition/_index.md rename to content/os/v1.x/en/configuration/resizing-device-partition/_index.md index c7aa605f430..dc21dc1d6a4 100644 --- a/content/os/v1.x/en/installation/configuration/resizing-device-partition/_index.md 
+++ b/content/os/v1.x/en/configuration/resizing-device-partition/_index.md @@ -1,6 +1,8 @@ --- title: Resizing a Device Partition weight: 131 +aliases: + - /os/v1.x/en/installation/configuration/resizing-device-partition --- The `resize_device` cloud config option can be used to automatically extend the first partition (assuming its `ext4`) to fill the size of it's device. diff --git a/content/os/v1.x/en/installation/configuration/running-commands/_index.md b/content/os/v1.x/en/configuration/running-commands/_index.md similarity index 86% rename from content/os/v1.x/en/installation/configuration/running-commands/_index.md rename to content/os/v1.x/en/configuration/running-commands/_index.md index b18fc06b875..b13fee7e041 100644 --- a/content/os/v1.x/en/installation/configuration/running-commands/_index.md +++ b/content/os/v1.x/en/configuration/running-commands/_index.md @@ -1,6 +1,8 @@ --- title: Running Commands weight: 123 +aliases: + - /os/v1.x/en/installation/configuration/running-commands --- You can automate running commands on boot using the `runcmd` cloud-config directive. Commands can be specified as either a list or a string. In the latter case, the command is executed with `sh`. @@ -31,4 +33,4 @@ write_files: docker run -d nginx ``` -Running Docker commands in this manner is useful when pieces of the `docker run` command are dynamically generated. For services whose configuration is static, [adding a system service]({{}}/os/v1.x/en/installation/system-services/adding-system-services/) is recommended. +Running Docker commands in this manner is useful when pieces of the `docker run` command are dynamically generated. For services whose configuration is static, [adding a system service]({{< baseurl >}}/os/v1.x/en/system-services/) is recommended. 
diff --git a/content/os/v1.x/en/installation/configuration/setting-up-docker-tls/_index.md b/content/os/v1.x/en/configuration/setting-up-docker-tls/_index.md similarity index 96% rename from content/os/v1.x/en/installation/configuration/setting-up-docker-tls/_index.md rename to content/os/v1.x/en/configuration/setting-up-docker-tls/_index.md index cf98801bbc8..0fb44180b0b 100644 --- a/content/os/v1.x/en/installation/configuration/setting-up-docker-tls/_index.md +++ b/content/os/v1.x/en/configuration/setting-up-docker-tls/_index.md @@ -1,6 +1,8 @@ --- title: Setting up Docker TLS weight: 127 +aliases: + - /os/v1.x/en/installation/configuration/setting-up-docker-tls --- `ros tls generate` is used to generate both the client and server TLS certificates for Docker. diff --git a/content/os/v1.x/en/installation/configuration/ssh-keys/_index.md b/content/os/v1.x/en/configuration/ssh-keys/_index.md similarity index 83% rename from content/os/v1.x/en/installation/configuration/ssh-keys/_index.md rename to content/os/v1.x/en/configuration/ssh-keys/_index.md index 1752042dcf1..25dbfe72cf7 100644 --- a/content/os/v1.x/en/installation/configuration/ssh-keys/_index.md +++ b/content/os/v1.x/en/configuration/ssh-keys/_index.md @@ -1,9 +1,11 @@ --- title: SSH Settings weight: 121 +aliases: + - /os/v1.x/en/installation/configuration/ssh-keys --- -RancherOS supports adding SSH keys through the [cloud-config]({{}}/os/v1.x/en/installation/configuration/#cloud-config) file. Within the cloud-config file, you simply add the ssh keys within the `ssh_authorized_keys` key. +RancherOS supports adding SSH keys through the [cloud-config]({{< baseurl >}}/os/v1.x/en/configuration/#cloud-config) file. Within the cloud-config file, you simply add the ssh keys within the `ssh_authorized_keys` key. ```yaml #cloud-config 
diff --git a/content/os/v1.x/en/installation/configuration/switching-consoles/_index.md b/content/os/v1.x/en/configuration/switching-consoles/_index.md similarity index 85% rename from content/os/v1.x/en/installation/configuration/switching-consoles/_index.md rename to content/os/v1.x/en/configuration/switching-consoles/_index.md index d9dd64176af..e410a194a4e 100644 --- a/content/os/v1.x/en/installation/configuration/switching-consoles/_index.md +++ b/content/os/v1.x/en/configuration/switching-consoles/_index.md @@ -1,8 +1,11 @@ --- title: Switching Consoles weight: 125 +aliases: + - /os/v1.x/en/installation/configuration/switching-consoles --- +<<<<<<< HEAD:content/os/v1.x/en/installation/configuration/switching-consoles/_index.md When [booting from the ISO]({{}}/os/v1.x/en/installation/running-rancheros/workstation/boot-from-iso/), RancherOS starts with the default console, which is based on busybox. You can select which console you want RancherOS to start with using the [cloud-config]({{}}/os/v1.x/en/installation/configuration/#cloud-config). 
@@ -10,6 +13,15 @@ You can select which console you want RancherOS to start with using the [cloud-c ### Enabling Consoles using Cloud-Config When launching RancherOS with a [cloud-config]({{}}/os/v1.x/en/installation/configuration/#cloud-config) file, you can select which console you want to use. +======= +When [booting from the ISO]({{< baseurl >}}/os/v1.x/en/installation/workstation//boot-from-iso/), RancherOS starts with the default console, which is based on busybox. + +You can select which console you want RancherOS to start with using the [cloud-config]({{< baseurl >}}/os/v1.x/en/configuration/#cloud-config). + +### Enabling Consoles using Cloud-Config + +When launching RancherOS with a [cloud-config]({{< baseurl >}}/os/v1.x/en/configuration/#cloud-config) file, you can select which console you want to use. +>>>>>>> Reorganize RancherOS docs:content/os/v1.x/en/configuration/switching-consoles/_index.md Currently, the list of available consoles are: diff --git a/content/os/v1.x/en/installation/configuration/switching-docker-versions/_index.md b/content/os/v1.x/en/configuration/switching-docker-versions/_index.md similarity index 78% rename from content/os/v1.x/en/installation/configuration/switching-docker-versions/_index.md rename to content/os/v1.x/en/configuration/switching-docker-versions/_index.md index c64e20b7733..3b667af2430 100644 --- a/content/os/v1.x/en/installation/configuration/switching-docker-versions/_index.md +++ b/content/os/v1.x/en/configuration/switching-docker-versions/_index.md 
@@ -1,9 +1,15 @@ --- title: Switching Docker Versions weight: 129 +aliases: + - /os/v1.x/en/installation/configuration/switching-docker-versions --- +<<<<<<< HEAD:content/os/v1.x/en/installation/configuration/switching-docker-versions/_index.md The version of User Docker used in RancherOS can be configured using a [cloud-config]({{}}/os/v1.x/en/installation/configuration/#cloud-config) file or by using the `ros engine` command. +======= +The version of User Docker used in RancherOS can be configured using a [cloud-config]({{< baseurl >}}/os/v1.x/en/configuration/#cloud-config) file or by using the `ros engine` command. +>>>>>>> Reorganize RancherOS docs:content/os/v1.x/en/configuration/switching-docker-versions/_index.md > **Note:** There are known issues in Docker when switching between versions. For production systems, we recommend setting the Docker engine only once [using a cloud-config](#setting-the-docker-engine-using-cloud-config). 
@@ -83,7 +89,11 @@ FROM scratch COPY engine /engine ``` +<<<<<<< HEAD:content/os/v1.x/en/installation/configuration/switching-docker-versions/_index.md Once the image is built a [system service]({{}}/os/v1.x/en/installation/system-services/adding-system-services/) configuration file must be created. An [example file](https://github.com/rancher/os-services/blob/master/d/docker-18.06.3-ce.yml) can be found in the rancher/os-services repo. Change the `image` field to point to the Docker engine image you've built. +======= +Once the image is built a [system service]({{< baseurl >}}/os/v1.x/en/system-services/) configuration file must be created. An [example file](https://github.com/rancher/os-services/blob/master/d/docker-18.06.3-ce.yml) can be found in the rancher/os-services repo. Change the `image` field to point to the Docker engine image you've built. +>>>>>>> Reorganize RancherOS docs:content/os/v1.x/en/configuration/switching-docker-versions/_index.md All of the previously mentioned methods of switching Docker engines are now available. For example, if your service file is located at `https://myservicefile` then the following cloud-config file could be used to use your custom Docker engine. diff --git a/content/os/v1.x/en/installation/configuration/sysctl/_index.md b/content/os/v1.x/en/configuration/sysctl/_index.md similarity index 88% rename from content/os/v1.x/en/installation/configuration/sysctl/_index.md rename to content/os/v1.x/en/configuration/sysctl/_index.md index 6eac6f0eecd..1a8d6722d63 100644 --- a/content/os/v1.x/en/installation/configuration/sysctl/_index.md +++ b/content/os/v1.x/en/configuration/sysctl/_index.md @@ -1,6 +1,8 @@ --- title: Sysctl Settings weight: 132 +aliases: + - /os/v1.x/en/installation/configuration/sysctl --- The `rancher.sysctl` cloud-config key can be used to control sysctl parameters. This works in a manner similar to `/etc/sysctl.conf` for other Linux distros. 
diff --git a/content/os/v1.x/en/installation/configuration/users/_index.md b/content/os/v1.x/en/configuration/users/_index.md similarity index 89% rename from content/os/v1.x/en/installation/configuration/users/_index.md rename to content/os/v1.x/en/configuration/users/_index.md index 0a89ec8d5ea..4612c1cce2a 100644 --- a/content/os/v1.x/en/installation/configuration/users/_index.md +++ b/content/os/v1.x/en/configuration/users/_index.md @@ -1,6 +1,8 @@ --- title: Users weight: 130 +aliases: + - /os/v1.x/en/installation/configuration/users --- Currently, we don't support adding other users besides `rancher`. diff --git a/content/os/v1.x/en/installation/configuration/write-files/_index.md b/content/os/v1.x/en/configuration/write-files/_index.md similarity index 95% rename from content/os/v1.x/en/installation/configuration/write-files/_index.md rename to content/os/v1.x/en/configuration/write-files/_index.md index c222448370c..7071d5d8923 100644 --- a/content/os/v1.x/en/installation/configuration/write-files/_index.md +++ b/content/os/v1.x/en/configuration/write-files/_index.md @@ -1,6 +1,8 @@ --- title: Writing Files weight: 122 +aliases: + - /os/v1.x/en/installation/configuration/write-files --- You can automate writing files to disk using the `write_files` cloud-config directive. diff --git a/content/os/v1.x/en/installation/_index.md b/content/os/v1.x/en/installation/_index.md index 99f8d6369a6..be3cae1d222 100644 --- a/content/os/v1.x/en/installation/_index.md +++ b/content/os/v1.x/en/installation/_index.md 
@@ -1,4 +1,34 @@ --- -title: Installation -weight: 2 +title: Installing and Running RancherOS +weight: 100 +aliases: + - /os/v1.x/en/installation/running-rancheros --- + +RancherOS runs on virtualization platforms, cloud providers and bare metal servers. We also support running a local VM on your laptop. + +To start running RancherOS as quickly as possible, follow our [Quick Start Guide]({{< baseurl >}}/os/v1.x/en/quick-start-guide/). + +# Platforms +Refer to the below resources for more information on installing Rancher on your platform. + +### Workstation + +- [Docker Machine]({{< baseurl >}}/os/v1.x/en/installation/workstation//docker-machine) +- [Boot from ISO]({{< baseurl >}}/os/v1.x/en/installation/workstation//boot-from-iso) + +### Cloud + +- [Amazon EC2]({{< baseurl >}}/os/v1.x/en/installation/cloud/aws) +- [Google Compute Engine]({{< baseurl >}}/os/v1.x/en/installation/cloud/gce) +- [DigitalOcean]({{< baseurl >}}/os/v1.x/en/installation/cloud/do) +- [Azure]({{< baseurl >}}/os/v1.x/en/installation/cloud/azure) +- [OpenStack]({{< baseurl >}}/os/v1.x/en/installation/cloud/openstack) +- [VMware ESXi]({{< baseurl >}}/os/v1.x/en/installation/cloud/vmware-esxi) +- [Aliyun]({{< baseurl >}}/os/v1.x/en/installation/cloud/aliyun) + +### Bare Metal & Virtual Servers + +- [PXE]({{< baseurl >}}/os/v1.x/en/installation/server/pxe) +- [Install to Hard Disk]({{< baseurl >}}/os/v1.x/en/installation/server/install-to-disk) +- [Raspberry Pi]({{< baseurl >}}/os/v1.x/en/installation/server/raspberry-pi) diff --git a/content/os/v1.x/en/installation/amazon-ecs/_index.md b/content/os/v1.x/en/installation/amazon-ecs/_index.md index 7fcbefeef4c..10dae1ffddb 100644 --- a/content/os/v1.x/en/installation/amazon-ecs/_index.md +++ b/content/os/v1.x/en/installation/amazon-ecs/_index.md 
@@ -11,13 +11,13 @@ Prior to launching RancherOS EC2 instances, the [ECS Container Instance IAM Role ### Launching an instance with ECS -RancherOS makes it easy to join your ECS cluster. The ECS agent is a [system service]({{}}/os/v1.x/en/installation/system-services/adding-system-services/) that is enabled in the ECS enabled AMI. There may be other RancherOS AMIs that don't have the ECS agent enabled by default, but it can easily be added in the user data on any RancherOS AMI. +RancherOS makes it easy to join your ECS cluster. The ECS agent is a [system service]({{< baseurl >}}/os/v1.x/en/system-services/) that is enabled in the ECS enabled AMI. There may be other RancherOS AMIs that don't have the ECS agent enabled by default, but it can easily be added in the user data on any RancherOS AMI. When launching the RancherOS AMI, you'll need to specify the **IAM Role** and **Advanced Details** -> **User Data** in the **Configure Instance Details** step. For the **IAM Role**, you'll need to be sure to select the ECS Container Instance IAM role. -For the **User Data**, you'll need to pass in the [cloud-config]({{}}/os/v1.x/en/installation/configuration/#cloud-config) file. +For the **User Data**, you'll need to pass in the [cloud-config]({{< baseurl >}}/os/v1.x/en/configuration/#cloud-config) file. ```yaml #cloud-config @@ -37,7 +37,7 @@ rancher: By default, the ECS agent will be using the `latest` tag for the `amazon-ecs-agent` image. In v0.5.0, we introduced the ability to select which version of the `amazon-ecs-agent`. -To select the version, you can update your [cloud-config]({{}}/os/v1.x/en/installation/configuration/#cloud-config) file. +To select the version, you can update your [cloud-config]({{< baseurl >}}/os/v1.x/en/configuration/#cloud-config) file. ```yaml #cloud-config 
diff --git a/content/os/v1.x/en/installation/boot-process/built-in-system-services/_index.md b/content/os/v1.x/en/installation/boot-process/built-in-system-services/_index.md index b1cfb9b8eda..d49a8ac4b5a 100644 --- a/content/os/v1.x/en/installation/boot-process/built-in-system-services/_index.md +++ b/content/os/v1.x/en/installation/boot-process/built-in-system-services/_index.md @@ -3,7 +3,7 @@ title: Built-in System Services weight: 150 --- -To launch RancherOS, we have built-in system services. They are defined in the [Docker Compose](https://docs.docker.com/compose/compose-file/) format, and can be found in the default system config file, `/usr/share/ros/os-config.yml`. You can [add your own system services]({{}}/os/v1.x/en/installation/system-services/adding-system-services/) or override services in the cloud-config. +To launch RancherOS, we have built-in system services. They are defined in the [Docker Compose](https://docs.docker.com/compose/compose-file/) format, and can be found in the default system config file, `/usr/share/ros/os-config.yml`. You can [add your own system services]({{< baseurl >}}/os/v1.x/en/system-services/) or override services in the cloud-config. ### preload-user-images @@ -13,7 +13,7 @@ Read more about [image preloading]({{}}/os/v1.x/en/installation/boot-pr During this service, networking is set up, e.g. hostname, interfaces, and DNS. -It is configured by `hostname` and `rancher.network`settings in [cloud-config]({{}}/os/v1.x/en/installation/configuration/#cloud-config). +It is configured by `hostname` and `rancher.network`settings in [cloud-config]({{< baseurl >}}/os/v1.x/en/configuration/#cloud-config). ### ntp 
@@ -24,13 +24,13 @@ Runs `ntpd` in a System Docker container. This service provides the RancherOS user interface by running `sshd` and `getty`. It completes the RancherOS configuration on start up: 1. If the `rancher.password=` kernel parameter exists, it sets `` as the password for the `rancher` user. -2. If there are no host SSH keys, it generates host SSH keys and saves them under `rancher.ssh.keys` in [cloud-config]({{}}/os/v1.x/en/installation/configuration/#cloud-config). +2. If there are no host SSH keys, it generates host SSH keys and saves them under `rancher.ssh.keys` in [cloud-config]({{< baseurl >}}/os/v1.x/en/configuration/#cloud-config). 3. Runs `cloud-init -execute`, which does the following: - * Updates `.ssh/authorized_keys` in `/home/rancher` and `/home/docker` from [cloud-config]({{}}/os/v1.x/en/installation/configuration/ssh-keys/) and metadata. - * Writes files specified by the `write_files` [cloud-config]({{}}/os/v1.x/en/installation/configuration/write-files/) setting. - * Resizes the device specified by the `rancher.resize_device` [cloud-config]({{}}/os/v1.x/en/installation/configuration/resizing-device-partition/) setting. - * Mount devices specified in the `mounts` [cloud-config]({{}}/os/v1.x/en/installation/storage/additional-mounts/) setting. - * Set sysctl parameters specified in the`rancher.sysctl` [cloud-config]({{}}/os/v1.x/en/installation/configuration/sysctl/) setting. + * Updates `.ssh/authorized_keys` in `/home/rancher` and `/home/docker` from [cloud-config]({{< baseurl >}}/os/v1.x/en/configuration/ssh-keys/) and metadata. + * Writes files specified by the `write_files` [cloud-config]({{< baseurl >}}/os/v1.x/en/configuration/write-files/) setting. + * Resizes the device specified by the `rancher.resize_device` [cloud-config]({{< baseurl >}}/os/v1.x/en/configuration/resizing-device-partition/) setting. + * Mount devices specified in the `mounts` [cloud-config]({{< baseurl >}}/os/v1.x/en/storage/additional-mounts/) setting. 
+ * Set sysctl parameters specified in the`rancher.sysctl` [cloud-config]({{< baseurl >}}/os/v1.x/en/configuration/sysctl/) setting. 4. If user-data contained a file that started with `#!`, then a file would be saved at `/var/lib/rancher/conf/cloud-config-script` during cloud-init and then executed. Any errors are ignored. 5. Runs `/opt/rancher/bin/start.sh` if it exists and is executable. Any errors are ignored. 6. Runs `/etc/rc.local` if it exists and is executable. Any errors are ignored. diff --git a/content/os/v1.x/en/installation/boot-process/cloud-init/_index.md b/content/os/v1.x/en/installation/boot-process/cloud-init/_index.md index dfe48a01fb6..78a9c583273 100644 --- a/content/os/v1.x/en/installation/boot-process/cloud-init/_index.md +++ b/content/os/v1.x/en/installation/boot-process/cloud-init/_index.md @@ -7,7 +7,7 @@ Userdata and metadata can be fetched from a cloud provider, VM runtime, or manag ### Userdata -Userdata is a file given by users when launching RancherOS hosts. It is stored in different locations depending on its format. If the userdata is a [cloud-config]({{}}/os/v1.x/en/installation/configuration/#cloud-config) file, indicated by beginning with `#cloud-config` and being in YAML format, it is stored in `/var/lib/rancher/conf/cloud-config.d/boot.yml`. If the userdata is a script, indicated by beginning with `#!`, it is stored in `/var/lib/rancher/conf/cloud-config-script`. +Userdata is a file given by users when launching RancherOS hosts. It is stored in different locations depending on its format. If the userdata is a [cloud-config]({{< baseurl >}}/os/v1.x/en/configuration/#cloud-config) file, indicated by beginning with `#cloud-config` and being in YAML format, it is stored in `/var/lib/rancher/conf/cloud-config.d/boot.yml`. If the userdata is a script, indicated by beginning with `#!`, it is stored in `/var/lib/rancher/conf/cloud-config-script`. ### Metadata 
@@ -15,7 +15,7 @@ Although the specifics vary based on provider, a metadata file will typically co ## Configuration Load Order -[Cloud-config]({{}}/os/v1.x/en/installation/configuration/#cloud-config/) is read by system services when they need to get configuration. Each additional file overwrites and extends the previous configuration file. +[Cloud-config]({{< baseurl >}}/os/v1.x/en/configuration/#cloud-config/) is read by system services when they need to get configuration. Each additional file overwrites and extends the previous configuration file. 1. `/usr/share/ros/os-config.yml` - This is the system default configuration, which should **not** be modified by users. 2. `/usr/share/ros/oem/oem-config.yml` - This will typically exist by OEM, which should **not** be modified by users. diff --git a/content/os/v1.x/en/installation/running-rancheros/cloud/aliyun/_index.md b/content/os/v1.x/en/installation/cloud/aliyun/_index.md similarity index 95% rename from content/os/v1.x/en/installation/running-rancheros/cloud/aliyun/_index.md rename to content/os/v1.x/en/installation/cloud/aliyun/_index.md index 839d0200e90..bffd35fc0d6 100644 --- a/content/os/v1.x/en/installation/running-rancheros/cloud/aliyun/_index.md +++ b/content/os/v1.x/en/installation/cloud/aliyun/_index.md @@ -1,6 +1,8 @@ --- title: Aliyun weight: 111 +aliases: + - /os/v1.x/en/installation/running-rancheros/cloud/aliyun --- # Adding the RancherOS Image into Aliyun diff --git a/content/os/v1.x/en/installation/running-rancheros/cloud/aws/_index.md b/content/os/v1.x/en/installation/cloud/aws/_index.md similarity index 84% rename from content/os/v1.x/en/installation/running-rancheros/cloud/aws/_index.md rename to content/os/v1.x/en/installation/cloud/aws/_index.md index 66bb3cb663a..57a937465a8 100644 --- a/content/os/v1.x/en/installation/running-rancheros/cloud/aws/_index.md +++ b/content/os/v1.x/en/installation/cloud/aws/_index.md 
@@ -1,6 +1,8 @@ --- title: Amazon EC2 weight: 105 +aliases: + - /os/v1.x/en/installation/running-rancheros/cloud/aws --- RancherOS is available as an Amazon Web Services AMI, and can be easily run on EC2. You can launch RancherOS either using the AWS Command Line Interface (CLI) or using the AWS console. 
@@ -28,7 +30,11 @@ Let’s walk through how to import and create a RancherOS on EC2 machine using t {{< img "/img/os/Rancher_aws1.png" "RancherOS on AWS 1">}} 2. Select the **Community AMIs** on the sidebar and search for **RancherOS**. Pick the latest version and click **Select**. {{< img "/img/os/Rancher_aws2.png" "RancherOS on AWS 2">}} +<<<<<<< HEAD:content/os/v1.x/en/installation/running-rancheros/cloud/aws/_index.md 3. Go through the steps of creating the instance type through the AWS console. If you want to pass in a [cloud-config]({{}}/os/v1.x/en/installation/configuration/#cloud-config) file during boot of RancherOS, you'd pass in the file as **User data** by expanding the **Advanced Details** in **Step 3: Configure Instance Details**. You can pass in the data as text or as a file. +======= +3. Go through the steps of creating the instance type through the AWS console. If you want to pass in a [cloud-config]({{< baseurl >}}/os/v1.x/en/configuration/#cloud-config) file during boot of RancherOS, you'd pass in the file as **User data** by expanding the **Advanced Details** in **Step 3: Configure Instance Details**. You can pass in the data as text or as a file. +>>>>>>> Reorganize RancherOS docs:content/os/v1.x/en/installation/cloud/aws/_index.md {{< img "/img/os/Rancher_aws6.png" "RancherOS on AWS 6">}} After going through all the steps, you finally click on **Launch**, and either create a new key pair or choose an existing key pair to be used with the EC2 instance. If you have created a new key pair, download the key pair. If you have chosen an existing key pair, make sure you have the key pair accessible. Click on **Launch Instances**. {{< img "/img/os/Rancher_aws3.png" "RancherOS on AWS 3">}} 
diff --git a/content/os/v1.x/en/installation/running-rancheros/cloud/azure/_index.md b/content/os/v1.x/en/installation/cloud/azure/_index.md similarity index 97% rename from content/os/v1.x/en/installation/running-rancheros/cloud/azure/_index.md rename to content/os/v1.x/en/installation/cloud/azure/_index.md index c144d792d4a..19553b92b02 100644 --- a/content/os/v1.x/en/installation/running-rancheros/cloud/azure/_index.md +++ b/content/os/v1.x/en/installation/cloud/azure/_index.md @@ -1,6 +1,8 @@ --- title: Azure weight: 110 +aliases: + - /os/v1.x/en/installation/running-rancheros/cloud/azure --- RancherOS has been published in Azure Marketplace, you can get it from [here](https://azuremarketplace.microsoft.com/en-us/marketplace/apps/rancher.rancheros). diff --git a/content/os/v1.x/en/installation/running-rancheros/cloud/do/_index.md b/content/os/v1.x/en/installation/cloud/do/_index.md similarity index 96% rename from content/os/v1.x/en/installation/running-rancheros/cloud/do/_index.md rename to content/os/v1.x/en/installation/cloud/do/_index.md index 683fbe0ef9c..63761bf2c99 100644 --- a/content/os/v1.x/en/installation/running-rancheros/cloud/do/_index.md +++ b/content/os/v1.x/en/installation/cloud/do/_index.md @@ -1,6 +1,8 @@ --- title: Digital Ocean weight: 107 +aliases: + - /os/v1.x/en/installation/running-rancheros/cloud/do --- RancherOS is available in the Digital Ocean portal. RancherOS is a member of container distributions and you can find it easily. diff --git a/content/os/v1.x/en/installation/running-rancheros/cloud/gce/_index.md b/content/os/v1.x/en/installation/cloud/gce/_index.md similarity index 90% rename from content/os/v1.x/en/installation/running-rancheros/cloud/gce/_index.md rename to content/os/v1.x/en/installation/cloud/gce/_index.md index 0c08d8fc1ed..34159b09d19 100644 --- a/content/os/v1.x/en/installation/running-rancheros/cloud/gce/_index.md +++ b/content/os/v1.x/en/installation/cloud/gce/_index.md 
@@ -1,9 +1,11 @@ --- title: Google Compute Engine (GCE) weight: 106 +aliases: + - /os/v1.x/en/installation/running-rancheros/cloud/gce --- -> **Note:** Due to the maximum transmission unit (MTU) of [1460 bytes on GCE](https://cloud.google.com/compute/docs/troubleshooting#packetfragmentation), you will need to configure your [network interfaces]({{}}/os/v1.x/en/installation/networking/interfaces/) and both the [Docker and System Docker]({{}}/os/v1.x/en/installation/configuration/docker/) to use a MTU of 1460 bytes or you will encounter weird networking related errors. +> **Note:** Due to the maximum transmission unit (MTU) of [1460 bytes on GCE](https://cloud.google.com/compute/docs/troubleshooting#packetfragmentation), you will need to configure your [network interfaces]({{< baseurl >}}/os/v1.x/en/networking/interfaces/) and both the [Docker and System Docker]({{< baseurl >}}/os/v1.x/en/configuration/docker/) to use a MTU of 1460 bytes or you will encounter weird networking related errors. ### Adding the RancherOS Image into GCE 
@@ -26,7 +28,7 @@ $ gcloud compute instances create --project --zone }}/os/v1.x/en/installation/configuration/#cloud-config), you can pass it as metadata upon creation of the instance during the `gcloud compute` command. The file will need to be stored locally before running the command. The key of the metadata will be `user-data` and the value is the location of the file. If any SSH keys are added in the cloud config file, it will also be added to the **rancher** user. +If you want to pass in your own cloud config file that will be processed by [cloud init]({{< baseurl >}}/os/v1.x/en/configuration/#cloud-config), you can pass it as metadata upon creation of the instance during the `gcloud compute` command. The file will need to be stored locally before running the command. The key of the metadata will be `user-data` and the value is the location of the file. If any SSH keys are added in the cloud config file, it will also be added to the **rancher** user. ``` $ gcloud compute instances create --project --zone --image --metadata-from-file user-data=/Directory/of/Cloud_Config.yml diff --git a/content/os/v1.x/en/installation/running-rancheros/cloud/openstack/_index.md b/content/os/v1.x/en/installation/cloud/openstack/_index.md similarity index 75% rename from content/os/v1.x/en/installation/running-rancheros/cloud/openstack/_index.md rename to content/os/v1.x/en/installation/cloud/openstack/_index.md index 0a55044ed47..679c48e998e 100644 --- a/content/os/v1.x/en/installation/running-rancheros/cloud/openstack/_index.md +++ b/content/os/v1.x/en/installation/cloud/openstack/_index.md 
@@ -1,8 +1,10 @@ --- title: OpenStack weight: 109 +aliases: + - /os/v1.x/en/installation/running-rancheros/cloud/openstack --- As of v0.5.0, RancherOS releases include an Openstack image that can be found on our [releases page](https://github.com/rancher/os/releases). The image format is [QCOW3](https://wiki.qemu.org/Features/Qcow3#Fully_QCOW2_backwards-compatible_feature_set) that is backward compatible with QCOW2. -When launching an instance using the image, you must enable **Advanced Options** -> **Configuration Drive** and in order to use a [cloud-config]({{}}/os/v1.x/en/installation/configuration/#cloud-config) file. +When launching an instance using the image, you must enable **Advanced Options** -> **Configuration Drive** and in order to use a [cloud-config]({{< baseurl >}}/os/v1.x/en/configuration/#cloud-config) file. diff --git a/content/os/v1.x/en/installation/running-rancheros/cloud/vmware-esxi/_index.md b/content/os/v1.x/en/installation/cloud/vmware-esxi/_index.md similarity index 96% rename from content/os/v1.x/en/installation/running-rancheros/cloud/vmware-esxi/_index.md rename to content/os/v1.x/en/installation/cloud/vmware-esxi/_index.md index b4ccdb6fa25..07913f18ae4 100644 --- a/content/os/v1.x/en/installation/running-rancheros/cloud/vmware-esxi/_index.md +++ b/content/os/v1.x/en/installation/cloud/vmware-esxi/_index.md @@ -1,6 +1,8 @@ --- title: VMware ESXi weight: 108 +aliases: + - /os/v1.x/en/installation/running-rancheros/cloud/vmware-esxi --- As of v1.1.0, RancherOS automatically detects that it is running on VMware ESXi, and automatically adds the `open-vm-tools` service to be downloaded and started, and uses `guestinfo` keys to set the cloud-init data. diff --git a/content/os/v1.x/en/installation/configuration/hostname/_index.md b/content/os/v1.x/en/installation/configuration/hostname/_index.md deleted file mode 100644 index d315838c58e..00000000000 --- a/content/os/v1.x/en/installation/configuration/hostname/_index.md +++ /dev/null 
@@ -1,11 +0,0 @@ ---- -title: Setting the Hostname -weight: 124 ---- - -You can set the hostname of the host using [cloud-config]({{}}/os/v1.x/en/installation/configuration/#cloud-config). The example below shows how to configure it. - -```yaml -#cloud-config -hostname: myhost -``` diff --git a/content/os/v1.x/en/installation/custom-builds/custom-console/_index.md b/content/os/v1.x/en/installation/custom-builds/custom-console/_index.md index f3c1b330765..5a4e2c225f5 100644 --- a/content/os/v1.x/en/installation/custom-builds/custom-console/_index.md +++ b/content/os/v1.x/en/installation/custom-builds/custom-console/_index.md @@ -3,6 +3,7 @@ title: Custom Console weight: 180 --- +<<<<<<< HEAD When [booting from the ISO]({{}}/os/v1.x/en/installation/running-rancheros/workstation/boot-from-iso/), RancherOS starts with the default console, which is based on busybox. You can select which console you want RancherOS to start with using the [cloud-config]({{}}/os/v1.x/en/installation/configuration/#cloud-config). @@ -10,6 +11,15 @@ You can select which console you want RancherOS to start with using the [cloud-c ### Enabling Consoles using Cloud-Config When launching RancherOS with a [cloud-config]({{}}/os/v1.x/en/installation/configuration/#cloud-config) file, you can select which console you want to use. +======= +When [booting from the ISO]({{< baseurl >}}/os/v1.x/en/installation/workstation//boot-from-iso/), RancherOS starts with the default console, which is based on busybox. + +You can select which console you want RancherOS to start with using the [cloud-config]({{< baseurl >}}/os/v1.x/en/configuration/#cloud-config). + +### Enabling Consoles using Cloud-Config + +When launching RancherOS with a [cloud-config]({{< baseurl >}}/os/v1.x/en/configuration/#cloud-config) file, you can select which console you want to use. +>>>>>>> Reorganize RancherOS docs Currently, the list of available consoles are: 
diff --git a/content/os/v1.x/en/installation/custom-builds/custom-rancheros-iso/_index.md b/content/os/v1.x/en/installation/custom-builds/custom-rancheros-iso/_index.md index faec99fb845..18f3ddafcbe 100644 --- a/content/os/v1.x/en/installation/custom-builds/custom-rancheros-iso/_index.md +++ b/content/os/v1.x/en/installation/custom-builds/custom-rancheros-iso/_index.md @@ -29,7 +29,7 @@ If you need a compressed ISO, you can run this command: $ make release ``` -The `rancheros.iso` is ready to be used to [boot RancherOS from ISO]({{}}/os/v1.x/en/installation/running-rancheros/workstation/boot-from-iso/) or [launch RancherOS using Docker Machine]({{}}/os/v1.x/en/installation/running-rancheros/workstation/docker-machine). +The `rancheros.iso` is ready to be used to [boot RancherOS from ISO]({{< baseurl >}}/os/v1.x/en/installation/workstation//boot-from-iso/) or [launch RancherOS using Docker Machine]({{< baseurl >}}/os/v1.x/en/installation/workstation//docker-machine). ## Creating a GCE Image Archive diff --git a/content/os/v1.x/en/installation/running-rancheros/server/install-to-disk/_index.md b/content/os/v1.x/en/installation/server/install-to-disk/_index.md similarity index 89% rename from content/os/v1.x/en/installation/running-rancheros/server/install-to-disk/_index.md rename to content/os/v1.x/en/installation/server/install-to-disk/_index.md index 0b3363704b8..35f1010a6a6 100644 --- a/content/os/v1.x/en/installation/running-rancheros/server/install-to-disk/_index.md +++ b/content/os/v1.x/en/installation/server/install-to-disk/_index.md 
@@ -1,9 +1,11 @@ --- title: Installing to Disk weight: 111 +aliases: + - /os/v1.x/en/installation/running-rancheros/server/install-to-disk --- -RancherOS comes with a simple installer that will install RancherOS on a given target disk. To install RancherOS on a new disk, you can use the `ros install` command. Before installing, you'll need to have already [booted RancherOS from ISO]({{}}/os/v1.x/en/installation/running-rancheros/workstation/boot-from-iso). Please be sure to pick the `rancheros.iso` from our release [page](https://github.com/rancher/os/releases). +RancherOS comes with a simple installer that will install RancherOS on a given target disk. To install RancherOS on a new disk, you can use the `ros install` command. Before installing, you'll need to have already [booted RancherOS from ISO]({{< baseurl >}}/os/v1.x/en/installation/workstation//boot-from-iso). Please be sure to pick the `rancheros.iso` from our release [page](https://github.com/rancher/os/releases). ### Using `ros install` to Install RancherOS @@ -11,7 +13,7 @@ The `ros install` command orchestrates the installation from the `rancher/os` co #### Cloud-Config -The easiest way to log in is to pass a `cloud-config.yml` file containing your public SSH keys. To learn more about what's supported in our cloud-config, please read our [documentation]({{}}/os/v1.x/en/installation/configuration/#cloud-config). +The easiest way to log in is to pass a `cloud-config.yml` file containing your public SSH keys. To learn more about what's supported in our cloud-config, please read our [documentation]({{< baseurl >}}/os/v1.x/en/configuration/#cloud-config). The `ros install` command will process your `cloud-config.yml` file specified with the `-c` flag. This file will also be placed onto the disk and installed to `/var/lib/rancher/conf/`. It will be evaluated on every boot. 
@@ -61,7 +63,7 @@ Status: Downloaded newer image for rancher/os:v0.5.0 Continue with reboot [y/N]: ``` -After installing RancherOS to disk, you will no longer be automatically logged in as the `rancher` user. You'll need to have added in SSH keys within your [cloud-config file]({{}}/os/v1.x/en/installation/configuration/#cloud-config). +After installing RancherOS to disk, you will no longer be automatically logged in as the `rancher` user. You'll need to have added in SSH keys within your [cloud-config file]({{< baseurl >}}/os/v1.x/en/configuration/#cloud-config). #### Installing a Different Version diff --git a/content/os/v1.x/en/installation/running-rancheros/server/pxe/_index.md b/content/os/v1.x/en/installation/server/pxe/_index.md similarity index 92% rename from content/os/v1.x/en/installation/running-rancheros/server/pxe/_index.md rename to content/os/v1.x/en/installation/server/pxe/_index.md index 1b855649615..c866a92c4e5 100644 --- a/content/os/v1.x/en/installation/running-rancheros/server/pxe/_index.md +++ b/content/os/v1.x/en/installation/server/pxe/_index.md @@ -1,6 +1,8 @@ --- title: iPXE weight: 112 +aliases: + - /os/v1.x/en/installation/running-rancheros/server/pxe --- ``` 
@@ -63,11 +65,11 @@ Valid cloud-init datasources for RancherOS. | cmdline | Kernel command line: `cloud-config-url=http://link/user_data` | | configdrive | /media/config-2 | | url | URL address | -| vmware| Set `guestinfo` cloud-init or interface data as per [VMware ESXi]({{}}/os/v1.x/en/installation/running-rancheros/cloud/vmware-esxi) | +| vmware| Set `guestinfo` cloud-init or interface data as per [VMware ESXi]({{< baseurl >}}/os/v1.x/en/installation/cloud/vmware-esxi) | | * | This will add ["configdrive", "vmware", "ec2", "digitalocean", "packet", "gce"] into the list of datasources to try | The vmware datasource was added as of v1.1. ### Cloud-Config -When booting via iPXE, RancherOS can be configured using a [cloud-config file]({{}}/os/v1.x/en/installation/configuration/#cloud-config). +When booting via iPXE, RancherOS can be configured using a [cloud-config file]({{< baseurl >}}/os/v1.x/en/configuration/#cloud-config). diff --git a/content/os/v1.x/en/installation/running-rancheros/server/raspberry-pi/_index.md b/content/os/v1.x/en/installation/server/raspberry-pi/_index.md similarity index 92% rename from content/os/v1.x/en/installation/running-rancheros/server/raspberry-pi/_index.md rename to content/os/v1.x/en/installation/server/raspberry-pi/_index.md index a858fb38a2d..a540afe8f89 100644 --- a/content/os/v1.x/en/installation/running-rancheros/server/raspberry-pi/_index.md +++ b/content/os/v1.x/en/installation/server/raspberry-pi/_index.md 
@@ -1,11 +1,13 @@ --- title: Raspberry Pi weight: 113 +aliases: + - /os/v1.x/en/installation/running-rancheros/server/raspberry-pi --- As of v0.5.0, RancherOS releases include a Raspberry Pi image that can be found on our [releases page](https://github.com/rancher/os/releases). The official Raspberry Pi documentation contains instructions on how to [install operating system images](https://www.raspberrypi.org/documentation/installation/installing-images/). -When installing, there is no ability to pass in a [cloud-config]({{}}/os/v1.x/en/installation/configuration/#cloud-config). You will need to boot up, change the configuration and then reboot to apply those changes. +When installing, there is no ability to pass in a [cloud-config]({{< baseurl >}}/os/v1.x/en/configuration/#cloud-config). You will need to boot up, change the configuration and then reboot to apply those changes. Currently, only Raspberry Pi 3 is tested and known to work. diff --git a/content/os/v1.x/en/installation/running-rancheros/workstation/boot-from-iso/_index.md b/content/os/v1.x/en/installation/workstation/boot-from-iso/_index.md similarity index 86% rename from content/os/v1.x/en/installation/running-rancheros/workstation/boot-from-iso/_index.md rename to content/os/v1.x/en/installation/workstation/boot-from-iso/_index.md index 372fa258727..28f3a8a7fc2 100644 --- a/content/os/v1.x/en/installation/running-rancheros/workstation/boot-from-iso/_index.md +++ b/content/os/v1.x/en/installation/workstation/boot-from-iso/_index.md @@ -1,6 +1,8 @@ --- title: Booting from ISO weight: 102 +aliases: + - /os/v1.x/en/installation/running-rancheros/workstation/boot-from-iso --- The RancherOS ISO file can be used to create a fresh RancherOS install on KVM, VMware, VirtualBox, Hyper-V, Proxmox VE, or bare metal servers. You can download the `rancheros.iso` file from our [releases page](https://github.com/rancher/os/releases/). 
@@ -17,4 +19,4 @@ You must boot with enough memory which you can refer to [here]({{}}/os/ ### Install to Disk -After you boot RancherOS from ISO, you can follow the instructions [here]({{}}/os/v1.x/en/installation/running-rancheros/server/install-to-disk/) to install RancherOS to a hard disk. +After you boot RancherOS from ISO, you can follow the instructions [here]({{< baseurl >}}/os/v1.x/en/installation/server/install-to-disk/) to install RancherOS to a hard disk. diff --git a/content/os/v1.x/en/installation/running-rancheros/workstation/docker-machine/_index.md b/content/os/v1.x/en/installation/workstation/docker-machine/_index.md similarity index 95% rename from content/os/v1.x/en/installation/running-rancheros/workstation/docker-machine/_index.md rename to content/os/v1.x/en/installation/workstation/docker-machine/_index.md index 0cf9207f66b..1595b668383 100644 --- a/content/os/v1.x/en/installation/running-rancheros/workstation/docker-machine/_index.md +++ b/content/os/v1.x/en/installation/workstation/docker-machine/_index.md @@ -1,6 +1,8 @@ --- title: Using Docker Machine weight: 101 +aliases: + - /os/v1.x/en/installation/running-rancheros/workstation/docker-machine --- Before we get started, you'll need to make sure that you have docker machine installed. Download it directly from the docker machine [releases](https://github.com/docker/machine/releases). 
@@ -116,7 +118,7 @@ Logging into RancherOS follows the standard Docker Machine commands. To login in $ docker-machine ssh ``` -You'll be logged into RancherOS and can start exploring the OS, This will log you into the RancherOS VM. You'll then be able to explore the OS by [adding system services]({{}}/os/v1.x/en/installation/system-services/adding-system-services/), [customizing the configuration]({{}}/os/v1.x/en/installation/configuration/), and launching containers. +You'll be logged into RancherOS and can start exploring the OS, This will log you into the RancherOS VM. You'll then be able to explore the OS by [adding system services]({{< baseurl >}}/os/v1.x/en/system-services/), [customizing the configuration]({{< baseurl >}}/os/v1.x/en/configuration/), and launching containers. If you want to exit out of RancherOS, you can exit by pressing `Ctrl+D`. diff --git a/content/os/v1.x/en/installation/networking/dns/_index.md b/content/os/v1.x/en/networking/dns/_index.md similarity index 92% rename from content/os/v1.x/en/installation/networking/dns/_index.md rename to content/os/v1.x/en/networking/dns/_index.md index efbf740fa29..725a4f109fc 100644 --- a/content/os/v1.x/en/installation/networking/dns/_index.md +++ b/content/os/v1.x/en/networking/dns/_index.md @@ -1,6 +1,8 @@ --- title: Configuring DNS weight: 171 +aliases: + - /os/v1.x/en/installation/networking/dns --- If you wanted to configure the DNS through the cloud config file, you'll need to place DNS configurations within the `rancher` key. diff --git a/content/os/v1.x/en/installation/networking/interfaces/_index.md b/content/os/v1.x/en/networking/interfaces/_index.md similarity index 99% rename from content/os/v1.x/en/installation/networking/interfaces/_index.md rename to content/os/v1.x/en/networking/interfaces/_index.md index f93384e4e53..cdbc82eaa70 100644 --- a/content/os/v1.x/en/installation/networking/interfaces/_index.md +++ b/content/os/v1.x/en/networking/interfaces/_index.md 
@@ -1,6 +1,8 @@ --- title: Configuring Network Interfaces weight: 170 +aliases: + - /os/v1.x/en/installation/networking/interfaces --- Using `ros config`, you can configure specific interfaces. Wildcard globbing is supported so `eth*` will match `eth1` and `eth2`. The available options you can configure are `address`, `gateway`, `mtu`, and `dhcp`. diff --git a/content/os/v1.x/en/installation/networking/proxy-settings/_index.md b/content/os/v1.x/en/networking/proxy-settings/_index.md similarity index 92% rename from content/os/v1.x/en/installation/networking/proxy-settings/_index.md rename to content/os/v1.x/en/networking/proxy-settings/_index.md index fccd1c14d01..09698194c9c 100644 --- a/content/os/v1.x/en/installation/networking/proxy-settings/_index.md +++ b/content/os/v1.x/en/networking/proxy-settings/_index.md @@ -1,6 +1,8 @@ --- title: Configuring Proxy Settings weight: 172 +aliases: + - /os/v1.x/en/installation/networking/proxy-settings --- HTTP proxy settings can be set directly under the `network` key. This will automatically configure proxy settings for both Docker and System Docker. diff --git a/content/os/v1.x/en/overview/_index.md b/content/os/v1.x/en/overview/_index.md index 6c554718d10..a2936d617c0 100644 --- a/content/os/v1.x/en/overview/_index.md +++ b/content/os/v1.x/en/overview/_index.md 
@@ -29,7 +29,7 @@ You can adjust memory requirements by custom building RancherOS, please refer to ### How RancherOS Works -Everything in RancherOS is a Docker container. We accomplish this by launching two instances of Docker. One is what we call **System Docker** and is the first process on the system. All other system services, like `ntpd`, `syslog`, and `console`, are running in Docker containers. System Docker replaces traditional init systems like `systemd` and is used to launch [additional system services]({{}}/os/v1.x/en/installation/system-services/adding-system-services/). +Everything in RancherOS is a Docker container. We accomplish this by launching two instances of Docker. One is what we call **System Docker** and is the first process on the system. All other system services, like `ntpd`, `syslog`, and `console`, are running in Docker containers. System Docker replaces traditional init systems like `systemd` and is used to launch [additional system services]({{< baseurl >}}/os/v1.x/en/system-services/). System Docker runs a special container called **Docker**, which is another Docker daemon responsible for managing all of the user’s containers. Any containers that you launch as a user from the console will run inside this Docker. This creates isolation from the System Docker containers and ensures that normal user commands don’t impact system services. diff --git a/content/os/v1.x/en/quick-start-guide/_index.md b/content/os/v1.x/en/quick-start-guide/_index.md index 67403520766..5c1ee3a13d5 100644 --- a/content/os/v1.x/en/quick-start-guide/_index.md +++ b/content/os/v1.x/en/quick-start-guide/_index.md 
@@ -3,7 +3,7 @@ title: Quick Start weight: 1 --- -If you have a specific RanchersOS machine requirements, please check out our [guides on running RancherOS]({{}}/os/v1.x/en/installation/running-rancheros/). With the rest of this guide, we'll start up a RancherOS using [Docker machine]({{}}/os/v1.x/en/installation/running-rancheros/workstation/docker-machine/) and show you some of what RancherOS can do. +If you have a specific RanchersOS machine requirements, please check out our [guides on running RancherOS]({{< baseurl >}}/os/v1.x/en/installation/platform/). With the rest of this guide, we'll start up a RancherOS using [Docker machine]({{< baseurl >}}/os/v1.x/en/installation/workstation//docker-machine/) and show you some of what RancherOS can do. ### Launching RancherOS using Docker Machine diff --git a/content/os/v1.x/en/installation/storage/additional-mounts/_index.md b/content/os/v1.x/en/storage/additional-mounts/_index.md similarity index 79% rename from content/os/v1.x/en/installation/storage/additional-mounts/_index.md rename to content/os/v1.x/en/storage/additional-mounts/_index.md index 77159ad30ec..a9b39af7f33 100644 --- a/content/os/v1.x/en/installation/storage/additional-mounts/_index.md +++ b/content/os/v1.x/en/storage/additional-mounts/_index.md 
@@ -1,9 +1,15 @@ --- title: Additional Mounts weight: 161 +aliases: + - /os/v1.x/en/installation/storage/additional-mounts --- +<<<<<<< HEAD:content/os/v1.x/en/installation/storage/additional-mounts/_index.md Additional mounts can be specified as part of your [cloud-config]({{}}/os/v1.x/en/installation/configuration/#cloud-config). These mounts are applied within the console container. Here's a simple example that mounts `/dev/vdb` to `/mnt/s`. +======= +Additional mounts can be specified as part of your [cloud-config]({{< baseurl >}}/os/v1.x/en/configuration/#cloud-config). These mounts are applied within the console container. Here's a simple example that mounts `/dev/vdb` to `/mnt/s`. +>>>>>>> Reorganize RancherOS docs:content/os/v1.x/en/storage/additional-mounts/_index.md ```yaml #cloud-config diff --git a/content/os/v1.x/en/installation/storage/state-partition/_index.md b/content/os/v1.x/en/storage/state-partition/_index.md similarity index 95% rename from content/os/v1.x/en/installation/storage/state-partition/_index.md rename to content/os/v1.x/en/storage/state-partition/_index.md index 27b125792b2..f5ae065cd12 100644 --- a/content/os/v1.x/en/installation/storage/state-partition/_index.md +++ b/content/os/v1.x/en/storage/state-partition/_index.md @@ -1,6 +1,8 @@ --- title: Persistent State Partition weight: 160 +aliases: + - /os/v1.x/en/installation/storage/state-partition --- RancherOS will store its state in a single partition specified by the `dev` field. The field can be a device such as `/dev/sda1` or a logical name such `LABEL=state` or `UUID=123124`. The default value is `LABEL=RANCHER_STATE`. The file system type of that partition can be set to `auto` or a specific file system type such as `ext4`. 
diff --git a/content/os/v1.x/en/installation/storage/using-zfs/_index.md b/content/os/v1.x/en/storage/using-zfs/_index.md similarity index 98% rename from content/os/v1.x/en/installation/storage/using-zfs/_index.md rename to content/os/v1.x/en/storage/using-zfs/_index.md index 494bf53f017..dd317c1b5df 100644 --- a/content/os/v1.x/en/installation/storage/using-zfs/_index.md +++ b/content/os/v1.x/en/storage/using-zfs/_index.md @@ -1,6 +1,8 @@ --- title: Using ZFS weight: 162 +aliases: + - /os/v1.x/en/installation/storage/using-zfs --- #### Installing the ZFS service diff --git a/content/os/v1.x/en/installation/system-services/adding-system-services/_index.md b/content/os/v1.x/en/system-services/_index.md similarity index 95% rename from content/os/v1.x/en/installation/system-services/adding-system-services/_index.md rename to content/os/v1.x/en/system-services/_index.md index bbfc6c4470e..b3d0ebd6051 100644 --- a/content/os/v1.x/en/installation/system-services/adding-system-services/_index.md +++ b/content/os/v1.x/en/system-services/_index.md @@ -1,6 +1,8 @@ --- title: System Services weight: 140 +aliases: + - /os/v1.x/en/installation/system-services/adding-system-services --- A system service is a container that can be run in either System Docker or Docker. Rancher provides services that are already available in RancherOS by adding them to the [os-services repo](https://github.com/rancher/os-services). Anything in the `index.yml` file from the repository for the tagged release will be an available system service when using the `ros service list` command. diff --git a/content/os/v1.x/en/installation/system-services/custom-system-services/_index.md b/content/os/v1.x/en/system-services/custom-system-services/_index.md similarity index 96% rename from content/os/v1.x/en/installation/system-services/custom-system-services/_index.md rename to content/os/v1.x/en/system-services/custom-system-services/_index.md index 09e0024b158..0fe56654018 100644 
--- a/content/os/v1.x/en/installation/system-services/custom-system-services/_index.md +++ b/content/os/v1.x/en/system-services/custom-system-services/_index.md @@ -1,9 +1,11 @@ --- title: Custom System Services weight: 141 +aliases: + - /os/v1.x/en/installation/system-services/custom-system-services --- -You can also create your own system service in [Docker Compose](https://docs.docker.com/compose/) format. After creating your own custom service, you can launch it in RancherOS in a couple of methods. The service could be directly added to the [cloud-config]({{}}/os/v1.x/en/installation/configuration/#cloud-config), or a `docker-compose.yml` file could be saved at a http(s) url location or in a specific directory of RancherOS. +You can also create your own system service in [Docker Compose](https://docs.docker.com/compose/) format. After creating your own custom service, you can launch it in RancherOS in a couple of methods. The service could be directly added to the [cloud-config]({{< baseurl >}}/os/v1.x/en/configuration/#cloud-config), or a `docker-compose.yml` file could be saved at a http(s) url location or in a specific directory of RancherOS. ### Launching Services through Cloud-Config diff --git a/content/os/v1.x/en/installation/system-services/environment/_index.md b/content/os/v1.x/en/system-services/environment/_index.md similarity index 94% rename from content/os/v1.x/en/installation/system-services/environment/_index.md rename to content/os/v1.x/en/system-services/environment/_index.md index c3990e318a9..f2a5d07fccd 100644 --- a/content/os/v1.x/en/installation/system-services/environment/_index.md +++ b/content/os/v1.x/en/system-services/environment/_index.md 
@@ -1,6 +1,8 @@ --- title: Environment weight: 143 +aliases: + - /os/v1.x/en/installation/system-services/environment --- The [environment key](https://docs.docker.com/compose/compose-file/#environment) can be used to customize system services. When a value is not assigned, RancherOS looks up the value from the `rancher.environment` key. diff --git a/content/os/v1.x/en/installation/system-services/system-docker-volumes/_index.md b/content/os/v1.x/en/system-services/system-docker-volumes/_index.md similarity index 95% rename from content/os/v1.x/en/installation/system-services/system-docker-volumes/_index.md rename to content/os/v1.x/en/system-services/system-docker-volumes/_index.md index 8430640c436..1ec9fb1baab 100644 --- a/content/os/v1.x/en/installation/system-services/system-docker-volumes/_index.md +++ b/content/os/v1.x/en/system-services/system-docker-volumes/_index.md @@ -1,6 +1,8 @@ --- title: System Docker Volumes weight: 142 +aliases: + - /os/v1.x/en/installation/system-services/system-docker-volumes --- A few services are containers in `created` state. Their purpose is to provide volumes for other services. diff --git a/content/os/v1.x/en/upgrading/_index.md b/content/os/v1.x/en/upgrading/_index.md index 4c3cf8e0be2..a1de8d39291 100644 --- a/content/os/v1.x/en/upgrading/_index.md +++ b/content/os/v1.x/en/upgrading/_index.md 
@@ -9,7 +9,7 @@ Since RancherOS is a kernel and initrd, the upgrade process is downloading a new Before upgrading to any version, please review the release notes on our [releases page](https://github.com/rancher/os/releases) in GitHub to review any updates in the release. -> **Note:** If you are using [`docker-machine`]({{}}/os/v1.x/en/installation/running-rancheros/workstation/docker-machine/) then you will not be able to upgrade your RancherOS version. You need to delete and re-create the machine. +> **Note:** If you are using [`docker-machine`]({{< baseurl >}}/os/v1.x/en/installation/workstation//docker-machine/) then you will not be able to upgrade your RancherOS version. You need to delete and re-create the machine. ### Version Control @@ -64,7 +64,7 @@ $ sudo ros -v ros version v0.5.0 ``` -> **Note:** If you are booting from ISO and have not installed to disk, your upgrade will not be saved. You can view our guide to [installing to disk]({{}}/os/v1.x/en/installation/running-rancheros/server/install-to-disk/). +> **Note:** If you are booting from ISO and have not installed to disk, your upgrade will not be saved. You can view our guide to [installing to disk]({{< baseurl >}}/os/v1.x/en/installation/server/install-to-disk/). #### Upgrading to a Specific Version diff --git a/content/rancher/v2.x/en/cluster-provisioning/rke-clusters/node-pools/vsphere/provisioning-vsphere-clusters/_index.md b/content/rancher/v2.x/en/cluster-provisioning/rke-clusters/node-pools/vsphere/provisioning-vsphere-clusters/_index.md index ce0cfc1ac5f..f59e5e35b86 100644 --- a/content/rancher/v2.x/en/cluster-provisioning/rke-clusters/node-pools/vsphere/provisioning-vsphere-clusters/_index.md +++ b/content/rancher/v2.x/en/cluster-provisioning/rke-clusters/node-pools/vsphere/provisioning-vsphere-clusters/_index.md 
@@ -226,7 +226,7 @@ To make use of cloud-init initialization, create a cloud config file using valid {{% /tab %}} {{% tab "Rancher prior to v2.3.3" %}} -You may specify the URL of a RancherOS cloud-config.yaml file in the the **Cloud Init** field. Refer to the [RancherOS Documentation]https://rancher.com/docs/os/v1.x/en/installation/configuration/#cloud-config) for details on the supported configuration directives. Note that the URL must be network accessible from the VMs created by the template. +You may specify the URL of a RancherOS cloud-config.yaml file in the the **Cloud Init** field. Refer to the [RancherOS Documentation]https://rancher.com/docs/os/v1.x/en/configuration/#cloud-config) for details on the supported configuration directives. Note that the URL must be network accessible from the VMs created by the template. {{% /tab %}} {{% /tabs %}} diff --git a/content/rancher/v2.x/en/cluster-provisioning/rke-clusters/node-pools/vsphere/provisioning-vsphere-clusters/node-template-reference/_index.md b/content/rancher/v2.x/en/cluster-provisioning/rke-clusters/node-pools/vsphere/provisioning-vsphere-clusters/node-template-reference/_index.md index 4b6dfcf0339..adf7cdbe8d4 100644 --- a/content/rancher/v2.x/en/cluster-provisioning/rke-clusters/node-pools/vsphere/provisioning-vsphere-clusters/node-template-reference/_index.md +++ b/content/rancher/v2.x/en/cluster-provisioning/rke-clusters/node-pools/vsphere/provisioning-vsphere-clusters/node-template-reference/_index.md 
@@ -48,7 +48,7 @@ The options for creating and configuring an instance are different depending on | Creation method | * | The method for setting up an operating system on the node. The operating system can be installed from an ISO or from a VM template. Depending on the creation method, you will also have to specify a VM template, content library, existing VM, or ISO. For more information on creation methods, refer to the section on [configuring instances.]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/node-pools/vsphere/provisioning-vsphere-clusters/#c-configure-instances-and-operating-systems) | | Cloud Init | | URL of a `cloud-config.yml` file or URL to provision VMs with. This file allows further customization of the operating system, such as network configuration, DNS servers, or system daemons. The operating system must support `cloud-init`. | | Networks | | Name(s) of the network to attach the VM to. | -| Configuration Parameters used for guestinfo | | Additional configuration parameters for the VMs. These correspond to the [Advanced Settings](https://kb.vmware.com/s/article/1016098) in the vSphere console. Example use cases include providing RancherOS [guestinfo]({{}}/os/v1.x/en/installation/running-rancheros/cloud/vmware-esxi/#vmware-guestinfo) parameters or enabling disk UUIDs for the VMs (`disk.EnableUUID=TRUE`). | +| Configuration Parameters used for guestinfo | | Additional configuration parameters for the VMs. These correspond to the [Advanced Settings](https://kb.vmware.com/s/article/1016098) in the vSphere console. Example use cases include providing RancherOS [guestinfo]({{< baseurl >}}/os/v1.x/en/installation/cloud/vmware-esxi/#vmware-guestinfo) parameters or enabling disk UUIDs for the VMs (`disk.EnableUUID=TRUE`). | {{% /tab %}} {{% tab "Rancher prior to v2.3.3" %}} 
@@ -58,9 +58,9 @@ The options for creating and configuring an instance are different depending on | CPUs | * | Number of vCPUS to assign to VMs. | | Memory | * | Amount of memory to assign to VMs. | | Disk | * | Size of the disk (in MB) to attach to the VMs. | -| Cloud Init | | URL of a [RancherOS cloud-config]({{}}/os/v1.x/en/installation/configuration/) file to provision VMs with. This file allows further customization of the RancherOS operating system, such as network configuration, DNS servers, or system daemons.| +| Cloud Init | | URL of a [RancherOS cloud-config]({{< baseurl >}}/os/v1.x/en/configuration/) file to provision VMs with. This file allows further customization of the RancherOS operating system, such as network configuration, DNS servers, or system daemons.| | OS ISO URL | * | URL of a RancherOS vSphere ISO file to boot the VMs from. You can find URLs for specific versions in the [Rancher OS GitHub Repo](https://github.com/rancher/os). | -| Configuration Parameters | | Additional configuration parameters for the VMs. These correspond to the [Advanced Settings](https://kb.vmware.com/s/article/1016098) in the vSphere console. Example use cases include providing RancherOS [guestinfo]({{}}/os/v1.x/en/installation/running-rancheros/cloud/vmware-esxi/#vmware-guestinfo) parameters or enabling disk UUIDs for the VMs (`disk.EnableUUID=TRUE`). | +| Configuration Parameters | | Additional configuration parameters for the VMs. These correspond to the [Advanced Settings](https://kb.vmware.com/s/article/1016098) in the vSphere console. Example use cases include providing RancherOS [guestinfo]({{< baseurl >}}/os/v1.x/en/installation/cloud/vmware-esxi/#vmware-guestinfo) parameters or enabling disk UUIDs for the VMs (`disk.EnableUUID=TRUE`). | {{% /tab %}} {{% /tabs %}} From b23c94bdf2b48baea59a835b54aa60fa213e2797 Mon Sep 17 00:00:00 2001 
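Review bot: Unresolved merge conflict markers are being committed in content/os/v1.x/en/storage/additional-mounts/_index.md (hunk `@@ -1,9 +1,15 @@`). The added lines `<<<<<<< HEAD:content/os/v1.x/en/installation/storage/additional-mounts/_index.md`, `=======` and `>>>>>>> Reorganize RancherOS docs:content/os/v1.x/en/storage/additional-mounts/_index.md` will render on the published page, together with both copies of the "Additional mounts can be specified as part of your cloud-config" paragraph. Remove the three marker lines and the HEAD copy of the paragraph so that only the version linking to `/os/v1.x/en/configuration/#cloud-config` remains.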
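Review bot: The new link target in content/os/v1.x/en/installation/server/install-to-disk/_index.md (hunk `@@ -1,9 +1,11 @@`) is `/os/v1.x/en/installation/workstation//boot-from-iso`, with a doubled slash after `workstation`. The same pattern is added as `workstation//docker-machine/` in quick-start-guide/_index.md and in the note at the top of upgrading/_index.md. The files are renamed to `installation/workstation/boot-from-iso` and `installation/workstation/docker-machine`, so all three links should use a single slash.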
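Review bot: In content/os/v1.x/en/quick-start-guide/_index.md (hunk `@@ -3,7 +3,7 @@`) the "guides on running RancherOS" link now points at `/os/v1.x/en/installation/platform/`, but none of the renames visible in this patch create that path; the moved pages land under `installation/server/`, `installation/workstation/` and `installation/cloud/`. Please confirm the target exists or link to a page this patch actually creates. While the line is being touched, "a specific RanchersOS machine requirements" should read "specific RancherOS machine requirements".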
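Review bot: The changed line in provisioning-vsphere-clusters/_index.md (hunk `@@ -226,7 +226,7 @@`) keeps a malformed Markdown link: `[RancherOS Documentation]https://rancher.com/docs/os/v1.x/en/configuration/#cloud-config)` has no opening parenthesis after the closing bracket, so it renders as literal text rather than a link. Since the URL is being edited anyway, add the `(` and fix "in the the **Cloud Init** field" in the same sentence. The other RancherOS links in this patch use `{{< baseurl >}}`, so consider using it here as well instead of the absolute `https://rancher.com/docs` prefix.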
From: Catherine Luse Date: Thu, 2 Apr 2020 05:36:04 -0700 Subject: [PATCH 156/183] Clarify K3s options --- .../en/installation/install-options/_index.md | 111 ++++++++++-------- 1 file changed, 59 insertions(+), 52 deletions(-) diff --git a/content/k3s/latest/en/installation/install-options/_index.md b/content/k3s/latest/en/installation/install-options/_index.md index e2bc4a2dbb2..94f5520d688 100644 --- a/content/k3s/latest/en/installation/install-options/_index.md +++ b/content/k3s/latest/en/installation/install-options/_index.md @@ -9,9 +9,13 @@ This page focuses on the options that can be used when you set up K3s for the fi - [Installing K3s from the binary](#installing-k3s-from-the-binary) - [Registration options for the K3s server](#registration-options-for-the-k3s-server) - [Registration options for the K3s agent](#registration-options-for-the-k3s-agent) +- [How to Use Flags and Environment Variables](#how-to-use-flags-and-environment-variables) For more advanced options, refer to [this page.]({{}}/k3s/latest/en/advanced) +> Throughout the K3s documentation, you will see some options that can be passed in as both command flags and environment variables. For help with passing in options, refer to [How to Use Flags and Environment Variables.](#how-to-use-flags-and-environment-variables) + + # Installation Script Options As mentioned in the [Quick-Start Guide]({{}}/k3s/latest/en/quick-start/), you can use the installation script available at https://get.k3s.io to install K3s as a service on systemd and openrc based systems. 
@@ -23,58 +27,24 @@ curl -sfL https://get.k3s.io | sh - When using this method to install K3s, the following environment variables can be used to configure the installation: -- `INSTALL_K3S_SKIP_DOWNLOAD` +| Environment Variable | Description | +|-----------------------------|---------------------------------------------| +| `INSTALL_K3S_SKIP_DOWNLOAD` | If set to true will not download K3s hash or binary. | +| `INSTALL_K3S_SYMLINK` | If set to 'skip' will not create symlinks, 'force' will overwrite, default will symlink if command does not exist in path. | +| `INSTALL_K3S_SKIP_START` | If set to true will not start K3s service. | +| `INSTALL_K3S_VERSION` | Version of K3s to download from github. Will attempt to download the latest version if not specified. | +| `INSTALL_K3S_BIN_DIR` | Directory to install K3s binary, links, and uninstall script to, or use `/usr/local/bin` as the default. | +| `INSTALL_K3S_BIN_DIR_READ_ONLY` | If set to true will not write files to `INSTALL_K3S_BIN_DIR`, forces setting `INSTALL_K3S_SKIP_DOWNLOAD=true`. | +| `INSTALL_K3S_SYSTEMD_DIR` | Directory to install systemd service and environment files to, or use `/etc/systemd/system` as the default. | +| `INSTALL_K3S_EXEC` | Command with flags to use for launching K3s in the service. If the command is not specified, it will default to "agent" if `K3S_URL` is set, or "server" if it is not set. For help, refer to [this example.](#example-a-install-k3s-exec) | +| `INSTALL_K3S_NAME` | Name of systemd service to create, will default from the K3s exec command if not specified. If specified the name will be prefixed with 'k3s-'. | +| `INSTALL_K3S_TYPE` | Type of systemd service to create, will default from the K3s exec command if not specified. - If set to true will not download K3s hash or binary. +Environment variables which begin with `K3S_` will be preserved for the systemd and openrc services to use. 
-- `INSTALL_K3S_SYMLINK` - - If set to 'skip' will not create symlinks, 'force' will overwrite, default will symlink if command does not exist in path. - -- `INSTALL_K3S_SKIP_START` - - If set to true will not start K3s service. - -- `INSTALL_K3S_VERSION` - - Version of K3s to download from github. Will attempt to download the latest version if not specified. - -- `INSTALL_K3S_BIN_DIR` - - Directory to install K3s binary, links, and uninstall script to, or use `/usr/local/bin` as the default. - -- `INSTALL_K3S_BIN_DIR_READ_ONLY` - - If set to true will not write files to `INSTALL_K3S_BIN_DIR`, forces setting `INSTALL_K3S_SKIP_DOWNLOAD=true`. - -- `INSTALL_K3S_SYSTEMD_DIR` - - Directory to install systemd service and environment files to, or use `/etc/systemd/system` as the default. - -- `INSTALL_K3S_EXEC` - - Command with flags to use for launching K3s in the service. If the command is not specified, it will default to "agent" if `K3S_URL` is set or "server" if it is not set. - - The final systemd command resolves to a combination of this environment variable and script args. To illustrate this, the following commands result in the same behavior of registering a server without flannel: - ```sh - curl ... | INSTALL_K3S_EXEC="--no-flannel" sh -s - - curl ... | INSTALL_K3S_EXEC="server --no-flannel" sh -s - - curl ... | INSTALL_K3S_EXEC="server" sh -s - --no-flannel - curl ... | sh -s - server --no-flannel - curl ... | sh -s - --no-flannel - ``` - - - `INSTALL_K3S_NAME` - - Name of systemd service to create, will default from the K3s exec command if not specified. If specified the name will be prefixed with 'k3s-'. - - - `INSTALL_K3S_TYPE` - - Type of systemd service to create, will default from the K3s exec command if not specified. - - -Environment variables which begin with `K3S_` will be preserved for the systemd and openrc services to use. Setting `K3S_URL` without explicitly setting an exec command will default the command to "agent". 
When running the agent `K3S_TOKEN` must also be set. +Setting `K3S_URL` without explicitly setting an exec command will default the command to "agent". +When running the agent `K3S_TOKEN` must also be set. # Installing K3s from the Binary @@ -92,7 +62,10 @@ Command | Description The `k3s server` and `k3s agent` commands have additional configuration options that can be viewed with `k3s server --help` or `k3s agent --help`. For convenience, that help text is presented here: # Registration Options for the K3s Server -``` + +> If an option appears in brackets below, for example `[$K3S_TOKEN]`, it means that the option can be passed in as an environment variable of that name. + +```bash NAME: k3s server - Run management server @@ -160,7 +133,10 @@ OPTIONS: ``` # Registration Options for the K3s Agent -``` + +> If an option appears in brackets below, for example `[$K3S_URL]`, it means that the option can be passed in as an environment variable of that name. + +```bash NAME: k3s agent - Run node agent 
@@ -201,10 +177,41 @@ OPTIONS: K3s agents can be configured with the options `--node-label` and `--node-taint` which adds a label and taint to the kubelet. The two options only add labels and/or taints at registration time, so they can only be added once and not changed after that again by running K3s commands. Below is an example showing how to add labels and a taint: -``` +```bash --node-label foo=bar \ --node-label hello=world \ --node-taint key1=value1:NoExecute ``` If you want to change node labels and taints after node registration you should use `kubectl`. Refer to the official Kubernetes documentation for details on how to add [taints](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) and [node labels.](https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes/#add-a-label-to-a-node) + +# How to Use Flags and Environment Variables + +Throughout the K3s documentation, you will see some options that can be passed in as both command flags and environment variables. The below examples show how these options can be passed in both ways. + +### Example A: K3S_KUBECONFIG_MODE + +The option to allow writing to the kubeconfig file is useful for allowing a K3s cluster to be imported into Rancher. Below are two ways to pass in the option. + +Using the flag `--write-kubeconfig-mode 644`: +```bash +$ curl -sfL https://get.k3s.io | sh -s - --write-kubeconfig-mode 644 +``` +Using the environment variable `K3S_KUBECONFIG_MODE`: +```bash +$ curl -sfL https://get.k3s.io | K3S_KUBECONFIG_MODE="644" sh -s - +``` + +### Example B: INSTALL_K3S_EXEC + +If this command is not specified as a server or agent command, it will default to "agent" if `K3S_URL` is set, or "server" if it is not set. + +The final systemd command resolves to a combination of this environment variable and script args. 
To illustrate this, the following commands result in the same behavior of registering a server without flannel: + +```bash +curl -sfL https://get.k3s.io | INSTALL_K3S_EXEC="--no-flannel" sh -s - +curl -sfL https://get.k3s.io | INSTALL_K3S_EXEC="server --no-flannel" sh -s - +curl -sfL https://get.k3s.io | INSTALL_K3S_EXEC="server" sh -s - --no-flannel +curl -sfL https://get.k3s.io | sh -s - server --no-flannel +curl -sfL https://get.k3s.io | sh -s - --no-flannel +``` \ No newline at end of file From 19ba199aade2b9289763db743223873cc462c1e2 Mon Sep 17 00:00:00 2001 From: Catherine Luse Date: Thu, 2 Apr 2020 05:43:02 -0700 Subject: [PATCH 157/183] Fix internal link --- content/k3s/latest/en/installation/install-options/_index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/k3s/latest/en/installation/install-options/_index.md b/content/k3s/latest/en/installation/install-options/_index.md index 94f5520d688..1743f289bf9 100644 --- a/content/k3s/latest/en/installation/install-options/_index.md +++ b/content/k3s/latest/en/installation/install-options/_index.md 
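Review bot: In the added "Example B: INSTALL_K3S_EXEC" section of the `@@ -201,10 +177,41 @@` hunk, all five sample commands pass `--no-flannel`, which the server help text in this same file lists as "(deprecated) use --flannel-backend=none". New documentation should demonstrate the supported spelling, for example `INSTALL_K3S_EXEC="--flannel-backend=none"`. The section also opens with "If this command is not specified" without first saying what `INSTALL_K3S_EXEC` is, so add an introductory sentence. Example A prefixes its commands with `$ ` while Example B does not; use one convention, preferably no prompt so the lines can be copied as they are.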
@@ -36,7 +36,7 @@ When using this method to install K3s, the following environment variables can b | `INSTALL_K3S_BIN_DIR` | Directory to install K3s binary, links, and uninstall script to, or use `/usr/local/bin` as the default. | | `INSTALL_K3S_BIN_DIR_READ_ONLY` | If set to true will not write files to `INSTALL_K3S_BIN_DIR`, forces setting `INSTALL_K3S_SKIP_DOWNLOAD=true`. | | `INSTALL_K3S_SYSTEMD_DIR` | Directory to install systemd service and environment files to, or use `/etc/systemd/system` as the default. | -| `INSTALL_K3S_EXEC` | Command with flags to use for launching K3s in the service. If the command is not specified, it will default to "agent" if `K3S_URL` is set, or "server" if it is not set. For help, refer to [this example.](#example-a-install-k3s-exec) | +| `INSTALL_K3S_EXEC` | Command with flags to use for launching K3s in the service. If the command is not specified, it will default to "agent" if `K3S_URL` is set, or "server" if it is not set. For help, refer to [this example.](#example-b-install-k3s-exec) | | `INSTALL_K3S_NAME` | Name of systemd service to create, will default from the K3s exec command if not specified. If specified the name will be prefixed with 'k3s-'. | | `INSTALL_K3S_TYPE` | Type of systemd service to create, will default from the K3s exec command if not specified. From eb5f97525a022c32ee40be574846d4a4ac8d5914 Mon Sep 17 00:00:00 2001 From: Catherine Luse Date: Thu, 2 Apr 2020 13:08:47 -0700 Subject: [PATCH 158/183] Reorganize K3s install options --- .../en/installation/install-options/_index.md | 118 +-------- .../install-options/agent-config/_index.md | 136 ++++++++++ .../install-options/server-config/_index.md | 243 ++++++++++++++++++ 3 files changed, 381 insertions(+), 116 deletions(-) create mode 100644 content/k3s/latest/en/installation/install-options/agent-config/_index.md create mode 100644 content/k3s/latest/en/installation/install-options/server-config/_index.md 
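Review bot: On the `INSTALL_K3S_EXEC` row in the `@@ -36,7 +36,7 @@` hunk, the corrected link `#example-b-install-k3s-exec` still depends on the auto-generated slug of the heading "Example B: INSTALL_K3S_EXEC", so it carries the example letter and breaks again whenever the examples are reordered or the section is moved to another page. Give that heading an explicit ID that does not contain the letter and link to it, and confirm on a rendered build that the anchor resolves.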
diff --git a/content/k3s/latest/en/installation/install-options/_index.md b/content/k3s/latest/en/installation/install-options/_index.md index 1743f289bf9..6b8b72ea733 100644 --- a/content/k3s/latest/en/installation/install-options/_index.md +++ b/content/k3s/latest/en/installation/install-options/_index.md 
@@ -63,127 +63,13 @@ The `k3s server` and `k3s agent` commands have additional configuration options # Registration Options for the K3s Server -> If an option appears in brackets below, for example `[$K3S_TOKEN]`, it means that the option can be passed in as an environment variable of that name. +For details on configuring the K3s server, refer to the [server configuration reference.]({{}}/k3s/latest/en/installation/install-options/server-config) -```bash -NAME: - k3s server - Run management server - -USAGE: - k3s server [OPTIONS] - -OPTIONS: - -v value (logging) Number for the log level verbosity (default: 0) - --vmodule value (logging) Comma-separated list of pattern=N settings for file-filtered logging - --log value, -l value (logging) Log to file - --alsologtostderr (logging) Log to standard error as well as file (if set) - --bind-address value (listener) k3s bind address (default: 0.0.0.0) - --https-listen-port value (listener) HTTPS listen port (default: 6443) - --advertise-address value (listener) IP address that apiserver uses to advertise to members of the cluster (default: node-external-ip/node-ip) - --advertise-port value (listener) Port that apiserver uses to advertise to members of the cluster (default: listen-port) (default: 0) - --tls-san value (listener) Add additional hostname or IP as a Subject Alternative Name in the TLS cert - --data-dir value, -d value (data) Folder to hold state default /var/lib/rancher/k3s or ${HOME}/.rancher/k3s if not root - --cluster-cidr value (networking) Network CIDR to use for pod IPs (default: "10.42.0.0/16") - --service-cidr value (networking) Network CIDR to use for services IPs (default: "10.43.0.0/16") - --cluster-dns value (networking) Cluster IP for coredns service. 
Should be in your service-cidr range (default: 10.43.0.10) - --cluster-domain value (networking) Cluster Domain (default: "cluster.local") - --flannel-backend value (networking) One of 'none', 'vxlan', 'ipsec', 'host-gw', or 'wireguard' (default: "vxlan") - --token value, -t value (cluster) Shared secret used to join a server or agent to a cluster [$K3S_TOKEN] - --token-file value (cluster) File containing the cluster-secret/token [$K3S_TOKEN_FILE] - --write-kubeconfig value, -o value (client) Write kubeconfig for admin client to this file [$K3S_KUBECONFIG_OUTPUT] - --write-kubeconfig-mode value (client) Write kubeconfig with this mode [$K3S_KUBECONFIG_MODE] - --kube-apiserver-arg value (flags) Customized flag for kube-apiserver process - --kube-scheduler-arg value (flags) Customized flag for kube-scheduler process - --kube-controller-manager-arg value (flags) Customized flag for kube-controller-manager process - --kube-cloud-controller-manager-arg value (flags) Customized flag for kube-cloud-controller-manager process - --datastore-endpoint value (db) Specify etcd, Mysql, Postgres, or Sqlite (default) data source name [$K3S_DATASTORE_ENDPOINT] - --datastore-cafile value (db) TLS Certificate Authority file used to secure datastore backend communication [$K3S_DATASTORE_CAFILE] - --datastore-certfile value (db) TLS certification file used to secure datastore backend communication [$K3S_DATASTORE_CERTFILE] - --datastore-keyfile value (db) TLS key file used to secure datastore backend communication [$K3S_DATASTORE_KEYFILE] - --default-local-storage-path value (storage) Default local storage path for local provisioner storage class - --disable value (components) Do not deploy packaged components and delete any deployed components (valid items: coredns, servicelb, traefik, local-storage, metrics-server) - --disable-scheduler (components) Disable Kubernetes default scheduler - --disable-cloud-controller (components) Disable k3s default cloud controller manager - 
--disable-network-policy (components) Disable k3s default network policy controller - --node-name value (agent/node) Node name [$K3S_NODE_NAME] - --with-node-id (agent/node) Append id to node name - --node-label value (agent/node) Registering and starting kubelet with set of labels - --node-taint value (agent/node) Registering kubelet with set of taints - --docker (agent/runtime) Use docker instead of containerd - --container-runtime-endpoint value (agent/runtime) Disable embedded containerd and use alternative CRI implementation - --pause-image value (agent/runtime) Customized pause image for containerd or docker sandbox (default: "docker.io/rancher/pause:3.1") - --private-registry value (agent/runtime) Private registry configuration file (default: "/etc/rancher/k3s/registries.yaml") - --node-ip value, -i value (agent/networking) IP address to advertise for node - --node-external-ip value (agent/networking) External IP address to advertise for node - --resolv-conf value (agent/networking) Kubelet resolv.conf file [$K3S_RESOLV_CONF] - --flannel-iface value (agent/networking) Override default flannel interface - --flannel-conf value (agent/networking) Override default flannel config file - --kubelet-arg value (agent/flags) Customized flag for kubelet process - --kube-proxy-arg value (agent/flags) Customized flag for kube-proxy process - --rootless (experimental) Run rootless - --agent-token value (experimental/cluster) Shared secret used to join agents to the cluster, but not servers [$K3S_AGENT_TOKEN] - --agent-token-file value (experimental/cluster) File containing the agent secret [$K3S_AGENT_TOKEN_FILE] - --server value, -s value (experimental/cluster) Server to connect to, used to join a cluster [$K3S_URL] - --cluster-init (experimental/cluster) Initialize new cluster master [$K3S_CLUSTER_INIT] - --cluster-reset (experimental/cluster) Forget all peers and become a single cluster new cluster master [$K3S_CLUSTER_RESET] - --secrets-encryption (experimental) 
Enable Secret encryption at rest - --no-flannel (deprecated) use --flannel-backend=none - --no-deploy value (deprecated) Do not deploy packaged components (valid items: coredns, servicelb, traefik, local-storage, metrics-server) - --cluster-secret value (deprecated) use --token [$K3S_CLUSTER_SECRET] -``` # Registration Options for the K3s Agent -> If an option appears in brackets below, for example `[$K3S_URL]`, it means that the option can be passed in as an environment variable of that name. +For details on configuring the K3s agent, refer to the [agent configuration reference.]({{}}/k3s/latest/en/installation/install-options/agent-config) -```bash -NAME: - k3s agent - Run node agent - -USAGE: - k3s agent [OPTIONS] - -OPTIONS: - -v value (logging) Number for the log level verbosity (default: 0) - --vmodule value (logging) Comma-separated list of pattern=N settings for file-filtered logging - --log value, -l value (logging) Log to file - --alsologtostderr (logging) Log to standard error as well as file (if set) - --token value, -t value (cluster) Token to use for authentication [$K3S_TOKEN] - --token-file value (cluster) Token file to use for authentication [$K3S_TOKEN_FILE] - --server value, -s value (cluster) Server to connect to [$K3S_URL] - --data-dir value, -d value (agent/data) Folder to hold state (default: "/var/lib/rancher/k3s") - --node-name value (agent/node) Node name [$K3S_NODE_NAME] - --with-node-id (agent/node) Append id to node name - --node-label value (agent/node) Registering and starting kubelet with set of labels - --node-taint value (agent/node) Registering kubelet with set of taints - --docker (agent/runtime) Use docker instead of containerd - --container-runtime-endpoint value (agent/runtime) Disable embedded containerd and use alternative CRI implementation - --pause-image value (agent/runtime) Customized pause image for containerd or docker sandbox (default: "docker.io/rancher/pause:3.1") - --private-registry value (agent/runtime) Private 
registry configuration file (default: "/etc/rancher/k3s/registries.yaml") - --node-ip value, -i value (agent/networking) IP address to advertise for node - --node-external-ip value (agent/networking) External IP address to advertise for node - --resolv-conf value (agent/networking) Kubelet resolv.conf file [$K3S_RESOLV_CONF] - --flannel-iface value (agent/networking) Override default flannel interface - --flannel-conf value (agent/networking) Override default flannel config file - --kubelet-arg value (agent/flags) Customized flag for kubelet process - --kube-proxy-arg value (agent/flags) Customized flag for kube-proxy process - --rootless (experimental) Run rootless - --no-flannel (deprecated) use --flannel-backend=none - --cluster-secret value (deprecated) use --token [$K3S_CLUSTER_SECRET] -``` - -### Node Labels and Taints for Agents - -K3s agents can be configured with the options `--node-label` and `--node-taint` which adds a label and taint to the kubelet. The two options only add labels and/or taints at registration time, so they can only be added once and not changed after that again by running K3s commands. - -Below is an example showing how to add labels and a taint: -```bash - --node-label foo=bar \ - --node-label hello=world \ - --node-taint key1=value1:NoExecute -``` - -If you want to change node labels and taints after node registration you should use `kubectl`. Refer to the official Kubernetes documentation for details on how to add [taints](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) and [node labels.](https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes/#add-a-label-to-a-node) # How to Use Flags and Environment Variables diff --git a/content/k3s/latest/en/installation/install-options/agent-config/_index.md b/content/k3s/latest/en/installation/install-options/agent-config/_index.md new file mode 100644 index 00000000000..7f0b8cf7c3c --- /dev/null 
+++ b/content/k3s/latest/en/installation/install-options/agent-config/_index.md 
@@ -0,0 +1,136 @@ +--- +title: K3s Agent Configuration Reference +weight: 2 +--- +In this section, you'll learn how to configure the K3s agent. + +> Throughout the K3s documentation, you will see some options that can be passed in as both command flags and environment variables. For help with passing in options, refer to [How to Use Flags and Environment Variables.]({{}}/k3s/latest/en/installation/install-options/#how-to-use-flags-and-environment-variables) + +- [Logging](#logging) +- [Cluster Options](#cluster-options) +- [Data](#data) +- [Node](#node) +- [Runtime](#runtime) +- [Networking](#networking) +- [Customized Flags](#customized-flags) +- [Experimental](#experimental) +- [Deprecated](#deprecated) +- [Node Labels and Taints for Agents](#node-labels-and-taints-for-agents) +- [K3s Agent CLI Help](#k3s-agent-cli-help) + +### Logging + +| Flag | Default | Description | +|------|---------|-------------| +| `-v` value | 0 | Number for the log level verbosity | +| `--vmodule` value | N/A | Comma-separated list of pattern=N settings for file-filtered logging | +| `--log value, -l` value | N/A | Log to file | +| `--alsologtostderr` | N/A | Log to standard error as well as file (if set) | + +### Cluster Options +| Flag | Environment Variable | Description | +|------|----------------------|-------------| +| `--token value, -t` value | `K3S_TOKEN` | Token to use for authentication | +| `--token-file` value | `K3S_TOKEN_FILE` | Token file to use for authentication | +| `--server value, -s` value | `K3S_URL` | Server to connect to | + + +### Data +| Flag | Default | Description | +|------|---------|-------------| +| `--data-dir value, -d` value | "/var/lib/rancher/k3s" | Folder to hold state | + +### Node +| Flag | Environment Variable | Description | +|------|----------------------|-------------| +| `--node-name` value | `K3S_NODE_NAME` | Node name | +| `--with-node-id` | N/A | Append id to node name | +| `--node-label` value | N/A | Registering and starting kubelet 
with set of labels | +| `--node-taint` value | N/A | Registering kubelet with set of taints | + +### Runtime +| Flag | Default | Description | +|------|---------|-------------| +| `--docker` | N/A | Use docker instead of containerd | +| `--container-runtime-endpoint` value | N/A | Disable embedded containerd and use alternative CRI implementation | +| `--pause-image` value | "docker.io/rancher/pause:3.1" | Customized pause image for containerd or docker sandbox | (agent/runtime) (default: ) +| `--private-registry` value | "/etc/rancher/k3s/registries.yaml" | Private registry configuration file | + +### Networking +| Flag | Environment Variable | Description | +|------|----------------------|-------------| +| `--node-ip value, -i` value | N/A | IP address to advertise for node | +| `--node-external-ip` value | N/A | External IP address to advertise for node | +| `--resolv-conf` value | `K3S_RESOLV_CONF` | Kubelet resolv.conf file | +| `--flannel-iface` value | N/A | Override default flannel interface | +| `--flannel-conf` value | N/A | Override default flannel config file | + +### Customized Flags +| Flag | Description | +|------|--------------| +| `--kubelet-arg` value | Customized flag for kubelet process | +| `--kube-proxy-arg` value | Customized flag for kube-proxy process | + +### Experimental +| Flag | Description | +|------|--------------| +| `--rootless` | Run rootless | + +### Deprecated +| Flag | Environment Variable | Description | +|------|----------------------|-------------| +| `--no-flannel` | N/A | Use `--flannel-backend=none` | +| `--cluster-secret` value | `K3S_CLUSTER_SECRET` | Use `--token` | + +### Node Labels and Taints for Agents + +K3s agents can be configured with the options `--node-label` and `--node-taint` which adds a label and taint to the kubelet. The two options only add labels and/or taints at registration time, so they can only be added once and not changed after that again by running K3s commands. 
+ +Below is an example showing how to add labels and a taint: +```bash + --node-label foo=bar \ + --node-label hello=world \ + --node-taint key1=value1:NoExecute +``` + +If you want to change node labels and taints after node registration you should use `kubectl`. Refer to the official Kubernetes documentation for details on how to add [taints](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) and [node labels.](https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes/#add-a-label-to-a-node) + +### K3s Agent CLI Help + +> If an option appears in brackets below, for example `[$K3S_URL]`, it means that the option can be passed in as an environment variable of that name. + +```bash +NAME: + k3s agent - Run node agent + +USAGE: + k3s agent [OPTIONS] + +OPTIONS: + -v value (logging) Number for the log level verbosity (default: 0) + --vmodule value (logging) Comma-separated list of pattern=N settings for file-filtered logging + --log value, -l value (logging) Log to file + --alsologtostderr (logging) Log to standard error as well as file (if set) + --token value, -t value (cluster) Token to use for authentication [$K3S_TOKEN] + --token-file value (cluster) Token file to use for authentication [$K3S_TOKEN_FILE] + --server value, -s value (cluster) Server to connect to [$K3S_URL] + --data-dir value, -d value (agent/data) Folder to hold state (default: "/var/lib/rancher/k3s") + --node-name value (agent/node) Node name [$K3S_NODE_NAME] + --with-node-id (agent/node) Append id to node name + --node-label value (agent/node) Registering and starting kubelet with set of labels + --node-taint value (agent/node) Registering kubelet with set of taints + --docker (agent/runtime) Use docker instead of containerd + --container-runtime-endpoint value (agent/runtime) Disable embedded containerd and use alternative CRI implementation + --pause-image value (agent/runtime) Customized pause image for containerd or docker sandbox (default: 
"docker.io/rancher/pause:3.1") + --private-registry value (agent/runtime) Private registry configuration file (default: "/etc/rancher/k3s/registries.yaml") + --node-ip value, -i value (agent/networking) IP address to advertise for node + --node-external-ip value (agent/networking) External IP address to advertise for node + --resolv-conf value (agent/networking) Kubelet resolv.conf file [$K3S_RESOLV_CONF] + --flannel-iface value (agent/networking) Override default flannel interface + --flannel-conf value (agent/networking) Override default flannel config file + --kubelet-arg value (agent/flags) Customized flag for kubelet process + --kube-proxy-arg value (agent/flags) Customized flag for kube-proxy process + --rootless (experimental) Run rootless + --no-flannel (deprecated) use --flannel-backend=none + --cluster-secret value (deprecated) use --token [$K3S_CLUSTER_SECRET] +``` diff --git a/content/k3s/latest/en/installation/install-options/server-config/_index.md b/content/k3s/latest/en/installation/install-options/server-config/_index.md new file mode 100644 index 00000000000..9a003aa9e4a --- /dev/null +++ b/content/k3s/latest/en/installation/install-options/server-config/_index.md 
@@ -0,0 +1,243 @@ +--- +title: K3s Server Configuration Reference +weight: 1 +--- + +In this section, you'll learn how to configure the K3s server. + +> Throughout the K3s documentation, you will see some options that can be passed in as both command flags and environment variables. For help with passing in options, refer to [How to Use Flags and Environment Variables.]({{}}/k3s/latest/en/installation/install-options/#how-to-use-flags-and-environment-variables) + +- [Commonly Used Options](#commonly-used-options) + - [Database](#database) + - [Cluster Options](#cluster-options) + - [Client Options](#client-options) +- [Advanced Options](#advanced-options) + - [Logging](#logging) + - [Listeners](#listeners) + - [Data](#data) + - [Networking](#networking) + - [Customized Options](#customized-options) + - [Storage Class](#storage-class) + - [Kubernetes Components](#kubernetes-components) + - [Registering Agents](#registering-agent-nodes) + - [Registering Agent Runtime](#registering-agent-runtime) + - [Registering Agent Networking](#registering-agent) + - [Customized Flags for Kubernetes Processes](#customized-flags-for-kubernetes-processes) + - [Experimental Options](#experimental-options) + - [Deprecated Options](#deprecated-options) + - [K3s Server Cli Help](#k3s-server-cli-help) + + +# Commonly Used Options + +### Database + +| Flag | Environment Variable | Description | +|------|----------------------|-------------| +| `--datastore-endpoint` value | `K3S_DATASTORE_ENDPOINT` | Specify etcd, Mysql, Postgres, or Sqlite (default) data source name | +| `--datastore-cafile` value | `K3S_DATASTORE_CAFILE` | TLS Certificate Authority file used to secure datastore backend communication | +| `--datastore-certfile` value | `K3S_DATASTORE_CERTFILE` | TLS certification file used to secure datastore backend communication | +| `--datastore-keyfile` value | `K3S_DATASTORE_KEYFILE` | TLS key file used to secure datastore backend communication | + +### Cluster Options + +| Flag | 
Environment Variable | Description | +|------|----------------------|-------------| +| `--token value, -t` value | `K3S_TOKEN` | Shared secret used to join a server or agent to a cluster | +| `--token-file` value | `K3S_TOKEN_FILE` | File containing the cluster-secret/token | + +### Client Options + +| Flag | Environment Variable | Description | +|------|----------------------|-------------| +| `--write-kubeconfig value, -o` value | `K3S_KUBECONFIG_OUTPUT` | Write kubeconfig for admin client to this file | +| `--write-kubeconfig-mode` value | `K3S_KUBECONFIG_MODE` | Write kubeconfig with this [mode.](https://en.wikipedia.org/wiki/Chmod) The option to allow writing to the kubeconfig file is useful for allowing a K3s cluster to be imported into Rancher. An example value is 644. | + +# Advanced Options + +### Logging + +| Flag | Default | Description | +|------|---------|-------------| +| `-v` value | 0 | Number for the log level verbosity | +| `--vmodule` value | N/A | Comma-separated list of pattern=N settings for file-filtered logging | +| `--log value, -l` value | N/A | Log to file | +| `--alsologtostderr` | N/A | Log to standard error as well as file (if set) | + + +### Listeners + +| Flag | Default | Description | +|------|---------|-------------| +| `--bind-address` value | 0.0.0.0 | k3s bind address | +| `--https-listen-port` value | 6443 | HTTPS listen port | +| `--advertise-address` value | node-external-ip/node-ip | IP address that apiserver uses to advertise to members of the cluster | +| `--advertise-port` value | 0 | Port that apiserver uses to advertise to members of the cluster (default: listen-port) | +| `--tls-san` value | N/A | Add additional hostname or IP as a Subject Alternative Name in the TLS cert + +### Data + +| Flag | Default | Description | +|------|---------|-------------| +| `--data-dir value, -d` value | `/var/lib/rancher/k3s` or `${HOME}/.rancher/k3s` if not root | Folder to hold state | + +### Networking + +| Flag | Default | 
Description | +|------|---------|-------------| +| `--cluster-cidr` value | "10.42.0.0/16" | Network CIDR to use for pod IPs | +| `--service-cidr` value | "10.43.0.0/16" | Network CIDR to use for services IPs | +| `--cluster-dns` value | "10.43.0.10" | Cluster IP for coredns service. Should be in your service-cidr range | +| `--cluster-domain` value | "cluster.local" | Cluster Domain | +| `--flannel-backend` value | "vxlan" | One of 'none', 'vxlan', 'ipsec', 'host-gw', or 'wireguard' | + +### Customized Flags + +| Flag | Description | +|------|--------------| +| `--kube-apiserver-arg` value | Customized flag for kube-apiserver process | +| `--kube-scheduler-arg` value | Customized flag for kube-scheduler process | +| `--kube-controller-manager-arg` value | Customized flag for kube-controller-manager process | +| `--kube-cloud-controller-manager-arg` value | Customized flag for kube-cloud-controller-manager process | + +### Storage Class + +| Flag | Description | +|------|--------------| +| `--default-local-storage-path` value | Default local storage path for local provisioner storage class | + +### Kubernetes Components + +| Flag | Description | +|------|--------------| +| `--disable` value | Do not deploy packaged components and delete any deployed components (valid items: coredns, servicelb, traefik,local-storage, metrics-server) | +| `--disable-scheduler` | Disable Kubernetes default scheduler | +| `--disable-cloud-controller` | Disable k3s default cloud controller manager | +| `--disable-network-policy` | Disable k3s default network policy controller | + +### Registering Agent Nodes + +| Flag | Environment Variable | Description | +|------|----------------------|-------------| +| `--node-name` value | `K3S_NODE_NAME` | Node name | +| `--with-node-id` | N/A | Append id to node name | (agent/node) +| `--node-label` value | N/A | Registering and starting kubelet with set of labels | +| `--node-taint` value | N/A | Registering kubelet with set of taints | + +### 
Registering Agent Runtime + +| Flag | Default | Description | +|------|---------|-------------| +| `--docker` | N/A | Use docker instead of containerd | (agent/runtime) +| `--container-runtime-endpoint` value | N/A | Disable embedded containerd and use alternative CRI implementation | +| `--pause-image` value | "docker.io/rancher/pause:3.1" | Customized pause image for containerd or Docker sandbox | +| `--private-registry` value | "/etc/rancher/k3s/registries.yaml" | Private registry configuration file | + +### Registering Agent Networking + +| Flag | Environment Variable | Description | +|------|----------------------|-------------| +| `--node-ip value, -i` value | N/A | IP address to advertise for node | +| `--node-external-ip` value | N/A | External IP address to advertise for node | +| `--resolv-conf` value | `K3S_RESOLV_CONF` | Kubelet resolv.conf file | +| `--flannel-iface` value | N/A | Override default flannel interface | +| `--flannel-conf` value | N/A | Override default flannel config file | + +### Customized Flags for Kubernetes Processes + +| Flag | Description | +|------|--------------| +| `--kubelet-arg` value | Customized flag for kubelet process | +| `--kube-proxy-arg` value | Customized flag for kube-proxy process | + +### Experimental Options + +| Flag | Environment Variable | Description | +|------|----------------------|-------------| +| `--rootless` | N/A | Run rootless | (experimental) +| `--agent-token` value | `K3S_AGENT_TOKEN` | Shared secret used to join agents to the cluster, but not servers | +| `--agent-token-file` value | `K3S_AGENT_TOKEN_FILE` | File containing the agent secret | +| `--server value, -s` value | `K3S_URL` | Server to connect to, used to join a cluster | +| `--cluster-init` | `K3S_CLUSTER_INIT` | Initialize new cluster master | +| `--cluster-reset` | `K3S_CLUSTER_RESET` | Forget all peers and become a single cluster new cluster master | +| `--secrets-encryption` | N/A | Enable Secret encryption at rest | + +### 
Deprecated Options + +| Flag | Environment Variable | Description | +|------|----------------------|-------------| +| `--no-flannel` | N/A | Use --flannel-backend=none | +| `--no-deploy` value | N/A | Do not deploy packaged components (valid items: coredns, servicelb, traefik, local-storage, metrics-server) | +| `--cluster-secret` value | `K3S_CLUSTER_SECRET` | Use --token | + + +### K3s Server CLI Help + +> If an option appears in brackets below, for example `[$K3S_TOKEN]`, it means that the option can be passed in as an environment variable of that name. + +```bash +NAME: + k3s server - Run management server + +USAGE: + k3s server [OPTIONS] + +OPTIONS: + -v value (logging) Number for the log level verbosity (default: 0) + --vmodule value (logging) Comma-separated list of pattern=N settings for file-filtered logging + --log value, -l value (logging) Log to file + --alsologtostderr (logging) Log to standard error as well as file (if set) + --bind-address value (listener) k3s bind address (default: 0.0.0.0) + --https-listen-port value (listener) HTTPS listen port (default: 6443) + --advertise-address value (listener) IP address that apiserver uses to advertise to members of the cluster (default: node-external-ip/node-ip) + --advertise-port value (listener) Port that apiserver uses to advertise to members of the cluster (default: listen-port) (default: 0) + --tls-san value (listener) Add additional hostname or IP as a Subject Alternative Name in the TLS cert + --data-dir value, -d value (data) Folder to hold state default /var/lib/rancher/k3s or ${HOME}/.rancher/k3s if not root + --cluster-cidr value (networking) Network CIDR to use for pod IPs (default: "10.42.0.0/16") + --service-cidr value (networking) Network CIDR to use for services IPs (default: "10.43.0.0/16") + --cluster-dns value (networking) Cluster IP for coredns service. 
Should be in your service-cidr range (default: 10.43.0.10) + --cluster-domain value (networking) Cluster Domain (default: "cluster.local") + --flannel-backend value (networking) One of 'none', 'vxlan', 'ipsec', 'host-gw', or 'wireguard' (default: "vxlan") + --token value, -t value (cluster) Shared secret used to join a server or agent to a cluster [$K3S_TOKEN] + --token-file value (cluster) File containing the cluster-secret/token [$K3S_TOKEN_FILE] + --write-kubeconfig value, -o value (client) Write kubeconfig for admin client to this file [$K3S_KUBECONFIG_OUTPUT] + --write-kubeconfig-mode value (client) Write kubeconfig with this mode [$K3S_KUBECONFIG_MODE] + --kube-apiserver-arg value (flags) Customized flag for kube-apiserver process + --kube-scheduler-arg value (flags) Customized flag for kube-scheduler process + --kube-controller-manager-arg value (flags) Customized flag for kube-controller-manager process + --kube-cloud-controller-manager-arg value (flags) Customized flag for kube-cloud-controller-manager process + --datastore-endpoint value (db) Specify etcd, Mysql, Postgres, or Sqlite (default) data source name [$K3S_DATASTORE_ENDPOINT] + --datastore-cafile value (db) TLS Certificate Authority file used to secure datastore backend communication [$K3S_DATASTORE_CAFILE] + --datastore-certfile value (db) TLS certification file used to secure datastore backend communication [$K3S_DATASTORE_CERTFILE] + --datastore-keyfile value (db) TLS key file used to secure datastore backend communication [$K3S_DATASTORE_KEYFILE] + --default-local-storage-path value (storage) Default local storage path for local provisioner storage class + --disable value (components) Do not deploy packaged components and delete any deployed components (valid items: coredns, servicelb, traefik, local-storage, metrics-server) + --disable-scheduler (components) Disable Kubernetes default scheduler + --disable-cloud-controller (components) Disable k3s default cloud controller manager + 
--disable-network-policy (components) Disable k3s default network policy controller + --node-name value (agent/node) Node name [$K3S_NODE_NAME] + --with-node-id (agent/node) Append id to node name + --node-label value (agent/node) Registering and starting kubelet with set of labels + --node-taint value (agent/node) Registering kubelet with set of taints + --docker (agent/runtime) Use docker instead of containerd + --container-runtime-endpoint value (agent/runtime) Disable embedded containerd and use alternative CRI implementation + --pause-image value (agent/runtime) Customized pause image for containerd or docker sandbox (default: "docker.io/rancher/pause:3.1") + --private-registry value (agent/runtime) Private registry configuration file (default: "/etc/rancher/k3s/registries.yaml") + --node-ip value, -i value (agent/networking) IP address to advertise for node + --node-external-ip value (agent/networking) External IP address to advertise for node + --resolv-conf value (agent/networking) Kubelet resolv.conf file [$K3S_RESOLV_CONF] + --flannel-iface value (agent/networking) Override default flannel interface + --flannel-conf value (agent/networking) Override default flannel config file + --kubelet-arg value (agent/flags) Customized flag for kubelet process + --kube-proxy-arg value (agent/flags) Customized flag for kube-proxy process + --rootless (experimental) Run rootless + --agent-token value (experimental/cluster) Shared secret used to join agents to the cluster, but not servers [$K3S_AGENT_TOKEN] + --agent-token-file value (experimental/cluster) File containing the agent secret [$K3S_AGENT_TOKEN_FILE] + --server value, -s value (experimental/cluster) Server to connect to, used to join a cluster [$K3S_URL] + --cluster-init (experimental/cluster) Initialize new cluster master [$K3S_CLUSTER_INIT] + --cluster-reset (experimental/cluster) Forget all peers and become a single cluster new cluster master [$K3S_CLUSTER_RESET] + --secrets-encryption (experimental) 
Enable Secret encryption at rest + --no-flannel (deprecated) use --flannel-backend=none + --no-deploy value (deprecated) Do not deploy packaged components (valid items: coredns, servicelb, traefik, local-storage, metrics-server) + --cluster-secret value (deprecated) use --token [$K3S_CLUSTER_SECRET] +``` \ No newline at end of file From b045bb694f3cef5b44ace5cd900f8fc38959d3ae Mon Sep 17 00:00:00 2001 From: Catherine Luse Date: Thu, 2 Apr 2020 13:30:42 -0700 Subject: [PATCH 159/183] Edit K3s installation options --- .../en/installation/install-options/_index.md | 52 ++++--------------- .../install-options/agent-config/_index.md | 2 +- .../install-options/how-to-flags/_index.md | 33 ++++++++++++ .../install-options/server-config/_index.md | 2 +- 4 files changed, 44 insertions(+), 45 deletions(-) create mode 100644 content/k3s/latest/en/installation/install-options/how-to-flags/_index.md diff --git a/content/k3s/latest/en/installation/install-options/_index.md b/content/k3s/latest/en/installation/install-options/_index.md index 6b8b72ea733..0867f441ee2 100644 --- a/content/k3s/latest/en/installation/install-options/_index.md +++ b/content/k3s/latest/en/installation/install-options/_index.md 
@@ -5,18 +5,16 @@ weight: 20 This page focuses on the options that can be used when you set up K3s for the first time: -- [Installation script options](#installation-script-options) -- [Installing K3s from the binary](#installing-k3s-from-the-binary) +- [Options for installation with script](#options-for-installation-with-script) +- [Options for installation from binary](#options-for-installation-from-binary) - [Registration options for the K3s server](#registration-options-for-the-k3s-server) - [Registration options for the K3s agent](#registration-options-for-the-k3s-agent) -- [How to Use Flags and Environment Variables](#how-to-use-flags-and-environment-variables) For more advanced options, refer to [this page.]({{}}/k3s/latest/en/advanced) -> Throughout the K3s documentation, you will see some options that can be passed in as both command flags and environment variables. For help with passing in options, refer to [How to Use Flags and Environment Variables.](#how-to-use-flags-and-environment-variables) +> Throughout the K3s documentation, you will see some options that can be passed in as both command flags and environment variables. For help with passing in options, refer to [How to Use Flags and Environment Variables.]({{}}/k3s/latest/en/installation/install-options/how-to-flags) - -# Installation Script Options +### Options for Installation with Script As mentioned in the [Quick-Start Guide]({{}}/k3s/latest/en/quick-start/), you can use the installation script available at https://get.k3s.io to install K3s as a service on systemd and openrc based systems. 
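Review bot: The section headings in this hunk drop from `#` to `###` (for example `### Options for Installation with Script`), which leaves the page with third-level sections and no higher-level parent, while server-config/_index.md in the same series uses `#` for its top-level sections. Keep `#` here or pick one level and apply it across the install-options pages. The renames also change the generated anchors (`#installation-script-options`, `#installing-k3s-from-the-binary`), so inbound links from other pages to the old anchors need to be checked before merging.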
@@ -36,7 +34,7 @@ When using this method to install K3s, the following environment variables can b | `INSTALL_K3S_BIN_DIR` | Directory to install K3s binary, links, and uninstall script to, or use `/usr/local/bin` as the default. | | `INSTALL_K3S_BIN_DIR_READ_ONLY` | If set to true will not write files to `INSTALL_K3S_BIN_DIR`, forces setting `INSTALL_K3S_SKIP_DOWNLOAD=true`. | | `INSTALL_K3S_SYSTEMD_DIR` | Directory to install systemd service and environment files to, or use `/etc/systemd/system` as the default. | -| `INSTALL_K3S_EXEC` | Command with flags to use for launching K3s in the service. If the command is not specified, it will default to "agent" if `K3S_URL` is set, or "server" if it is not set. For help, refer to [this example.](#example-b-install-k3s-exec) | +| `INSTALL_K3S_EXEC` | Command with flags to use for launching K3s in the service. If the command is not specified, and the `K3S_URL` is set, it will default to "agent." If `K3S_URL` not set, it will default to "server." For help, refer to [this example.]({{}}/k3s/latest/en/installation/install-options/how-to-flags/#example-b-install-k3s-exec) | | `INSTALL_K3S_NAME` | Name of systemd service to create, will default from the K3s exec command if not specified. If specified the name will be prefixed with 'k3s-'. | | `INSTALL_K3S_TYPE` | Type of systemd service to create, will default from the K3s exec command if not specified. @@ -46,7 +44,7 @@ Setting `K3S_URL` without explicitly setting an exec command will default the co When running the agent `K3S_TOKEN` must also be set. -# Installing K3s from the Binary +### Options for Installation from Binary As stated, the installation script is primarily concerned with configuring K3s to run as a service. If you choose to not use the script, you can run K3s simply by downloading the binary from our [release page](https://github.com/rancher/k3s/releases/latest), placing it on your path, and executing it. The K3s binary supports the following commands: 
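Review bot: The rewritten `INSTALL_K3S_EXEC` row in the -36,7 hunk reads "If `K3S_URL` not set, it will default to "server."", which is missing "is", and "the `K3S_URL`" in the preceding sentence has a stray article. Suggested wording: "If the command is not specified, it defaults to "agent" when `K3S_URL` is set and to "server" when it is not." Example B on the new how-to-flags page states the same rule, so the two should use identical wording.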
@@ -61,43 +59,11 @@ Command | Description The `k3s server` and `k3s agent` commands have additional configuration options that can be viewed with `k3s server --help` or `k3s agent --help`. For convenience, that help text is presented here: -# Registration Options for the K3s Server +### Registration Options for the K3s Server For details on configuring the K3s server, refer to the [server configuration reference.]({{}}/k3s/latest/en/installation/install-options/server-config) -# Registration Options for the K3s Agent +### Registration Options for the K3s Agent -For details on configuring the K3s agent, refer to the [agent configuration reference.]({{}}/k3s/latest/en/installation/install-options/agent-config) - - -# How to Use Flags and Environment Variables - -Throughout the K3s documentation, you will see some options that can be passed in as both command flags and environment variables. The below examples show how these options can be passed in both ways. - -### Example A: K3S_KUBECONFIG_MODE - -The option to allow writing to the kubeconfig file is useful for allowing a K3s cluster to be imported into Rancher. Below are two ways to pass in the option. - -Using the flag `--write-kubeconfig-mode 644`: -```bash -$ curl -sfL https://get.k3s.io | sh -s - --write-kubeconfig-mode 644 -``` -Using the environment variable `K3S_KUBECONFIG_MODE`: -```bash -$ curl -sfL https://get.k3s.io | K3S_KUBECONFIG_MODE="644" sh -s - -``` - -### Example B: INSTALL_K3S_EXEC - -If this command is not specified as a server or agent command, it will default to "agent" if `K3S_URL` is set, or "server" if it is not set. - -The final systemd command resolves to a combination of this environment variable and script args. 
To illustrate this, the following commands result in the same behavior of registering a server without flannel: - -```bash -curl -sfL https://get.k3s.io | INSTALL_K3S_EXEC="--no-flannel" sh -s - -curl -sfL https://get.k3s.io | INSTALL_K3S_EXEC="server --no-flannel" sh -s - -curl -sfL https://get.k3s.io | INSTALL_K3S_EXEC="server" sh -s - --no-flannel -curl -sfL https://get.k3s.io | sh -s - server --no-flannel -curl -sfL https://get.k3s.io | sh -s - --no-flannel -``` \ No newline at end of file +For details on configuring the K3s agent, refer to the [agent configuration reference.]({{}}/k3s/latest/en/installation/install-options/agent-config) \ No newline at end of file diff --git a/content/k3s/latest/en/installation/install-options/agent-config/_index.md b/content/k3s/latest/en/installation/install-options/agent-config/_index.md index 7f0b8cf7c3c..216dd5112e0 100644 --- a/content/k3s/latest/en/installation/install-options/agent-config/_index.md +++ b/content/k3s/latest/en/installation/install-options/agent-config/_index.md @@ -4,7 +4,7 @@ weight: 2 --- In this section, you'll learn how to configure the K3s agent. -> Throughout the K3s documentation, you will see some options that can be passed in as both command flags and environment variables. For help with passing in options, refer to [How to Use Flags and Environment Variables.]({{}}/k3s/latest/en/installation/install-options/#how-to-use-flags-and-environment-variables) +> Throughout the K3s documentation, you will see some options that can be passed in as both command flags and environment variables. For help with passing in options, refer to [How to Use Flags and Environment Variables.]({{}}/k3s/latest/en/installation/install-options/how-to-flags) - [Logging](#logging) - [Cluster Options](#cluster-options) 
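Review bot: In the -61,43 hunk of install-options/_index.md, the unchanged context line "For convenience, that help text is presented here:" is left sitting directly above `### Registration Options for the K3s Server` with no help text after it. Drop that trailing sentence in this commit, or reword it to point at the server and agent configuration reference pages linked in the two sections below.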
diff --git a/content/k3s/latest/en/installation/install-options/how-to-flags/_index.md b/content/k3s/latest/en/installation/install-options/how-to-flags/_index.md new file mode 100644 index 00000000000..cfb79d7371a --- /dev/null +++ b/content/k3s/latest/en/installation/install-options/how-to-flags/_index.md @@ -0,0 +1,33 @@ +--- +title: How to Use Flags and Environment Variables +weight: 3 +--- + +Throughout the K3s documentation, you will see some options that can be passed in as both command flags and environment variables. The below examples show how these options can be passed in both ways. + +### Example A: K3S_KUBECONFIG_MODE + +The option to allow writing to the kubeconfig file is useful for allowing a K3s cluster to be imported into Rancher. Below are two ways to pass in the option. + +Using the flag `--write-kubeconfig-mode 644`: +```bash +$ curl -sfL https://get.k3s.io | sh -s - --write-kubeconfig-mode 644 +``` +Using the environment variable `K3S_KUBECONFIG_MODE`: +```bash +$ curl -sfL https://get.k3s.io | K3S_KUBECONFIG_MODE="644" sh -s - +``` + +### Example B: INSTALL_K3S_EXEC + +If this command is not specified as a server or agent command, it will default to "agent" if `K3S_URL` is set, or "server" if it is not set. + +The final systemd command resolves to a combination of this environment variable and script args. To illustrate this, the following commands result in the same behavior of registering a server without flannel: + +```bash +curl -sfL https://get.k3s.io | INSTALL_K3S_EXEC="--no-flannel" sh -s - +curl -sfL https://get.k3s.io | INSTALL_K3S_EXEC="server --no-flannel" sh -s - +curl -sfL https://get.k3s.io | INSTALL_K3S_EXEC="server" sh -s - --no-flannel +curl -sfL https://get.k3s.io | sh -s - server --no-flannel +curl -sfL https://get.k3s.io | sh -s - --no-flannel +``` \ No newline at end of file 
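Review bot: Example A describes `--write-kubeconfig-mode 644` as "the option to allow writing to the kubeconfig file", but mode 644 keeps write access with the owner only and adds read access for group and other. The server help text calls this file the "kubeconfig for admin client", so the page should say plainly that the setting makes the admin kubeconfig readable by other local users, and that readability is what the Rancher import needs. Separately, Example B builds all five commands around `--no-flannel`, which the server-config page in this series lists under Deprecated Options with "Use --flannel-backend=none"; a newly created page should show the non-deprecated flag.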
diff --git a/content/k3s/latest/en/installation/install-options/server-config/_index.md b/content/k3s/latest/en/installation/install-options/server-config/_index.md index 9a003aa9e4a..3d7775f5e97 100644 --- a/content/k3s/latest/en/installation/install-options/server-config/_index.md +++ b/content/k3s/latest/en/installation/install-options/server-config/_index.md @@ -5,7 +5,7 @@ weight: 1 In this section, you'll learn how to configure the K3s server. -> Throughout the K3s documentation, you will see some options that can be passed in as both command flags and environment variables. For help with passing in options, refer to [How to Use Flags and Environment Variables.]({{}}/k3s/latest/en/installation/install-options/#how-to-use-flags-and-environment-variables) +> Throughout the K3s documentation, you will see some options that can be passed in as both command flags and environment variables. For help with passing in options, refer to [How to Use Flags and Environment Variables.]({{}}/k3s/latest/en/installation/install-options/how-to-flags) - [Commonly Used Options](#commonly-used-options) - [Database](#database) From 740217c91750fdde59db1c134543ce2ade6ab7f5 Mon Sep 17 00:00:00 2001 From: Catherine Luse Date: Thu, 2 Apr 2020 14:56:24 -0700 Subject: [PATCH 160/183] Update _index.md --- content/k3s/latest/en/installation/ha/_index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/k3s/latest/en/installation/ha/_index.md b/content/k3s/latest/en/installation/ha/_index.md index 0c06efcb20e..c699e465b83 100644 --- a/content/k3s/latest/en/installation/ha/_index.md +++ b/content/k3s/latest/en/installation/ha/_index.md 
@@ -59,7 +59,7 @@ Agent nodes need a URL to register against. This can be the IP or hostname of an * Round-robin DNS * Virtual or elastic IP addresses -This endpoint can also be used for accessing the Kubernetes API. So you can, for example, modify your [kubeconfig](https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/) file to point to it instead of a specific node. To avoid certificate errors you should install the server with the `--tls-san YOUR_IP_OR_HOSTNAME_HERE` option. This option can be specified multiple times if you would like to access via both the ip and hostname. +This endpoint can also be used for accessing the Kubernetes API. So you can, for example, modify your [kubeconfig](https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/) file to point to it instead of a specific node. To avoid certificate errors in such a configuration, you should install the server with the `--tls-san YOUR_IP_OR_HOSTNAME_HERE` option. This option adds an additional hostname or IP as a Subject Alternative Name in the TLS cert, and it can be specified multiple times if you would like to access via both the IP and the hostname. ### 4. Optional: Join Agent Nodes From 0f852614cc3149b550412803119f7cc4fea46b85 Mon Sep 17 00:00:00 2001 From: Catherine Luse Date: Thu, 2 Apr 2020 16:38:04 -0700 Subject: [PATCH 161/183] Add section on annotating imported clusters --- .../imported-clusters/_index.md | 70 ++++++++++++++++--- 1 file changed, 61 insertions(+), 9 deletions(-) diff --git a/content/rancher/v2.x/en/cluster-provisioning/imported-clusters/_index.md b/content/rancher/v2.x/en/cluster-provisioning/imported-clusters/_index.md index a765eaa6c49..da3a97264c8 100644 --- a/content/rancher/v2.x/en/cluster-provisioning/imported-clusters/_index.md +++ b/content/rancher/v2.x/en/cluster-provisioning/imported-clusters/_index.md 
@@ -19,11 +19,13 @@ Rancher v2.4 added the capability to import a K3s cluster into Rancher, as well - [Features](#features) - [Prerequisites](#prerequisites) - [Importing a cluster](#importing-a-cluster) -- [Additional features for imported K3s clusters](#additional-features-for-imported-k3s-clusters) -- [Configuring a K3s Cluster to Enable Importation to Rancher](#configuring-a-k3s-cluster-to-enable-importation-to-rancher) -- [Debug Logging and Troubleshooting for Imported K3s clusters](#debug-logging-and-troubleshooting-for-imported-k3s-clusters) +- [Imported K3s clusters](#imported-k3s-clusters) + - [Additional features for imported K3s clusters](#additional-features-for-imported-k3s-clusters) + - [Configuring a K3s Cluster to Enable Importation to Rancher](#configuring-a-k3s-cluster-to-enable-importation-to-rancher) + - [Debug Logging and Troubleshooting for Imported K3s clusters](#debug-logging-and-troubleshooting-for-imported-k3s-clusters) +- [Annotating imported clusters](#annotating-imported-clusters) -### Features +# Features After importing a cluster, the cluster owner can: @@ -36,7 +38,7 @@ After importing a cluster, the cluster owner can: After importing a K3s cluster, the cluster owner can also [upgrade Kubernetes from the Rancher UI.]({{}}/rancher/v2.x/en/cluster-admin/upgrading-kubernetes/) -### Prerequisites +# Prerequisites If your existing Kubernetes cluster already has a `cluster-admin` role defined, you must have this `cluster-admin` privilege to import the cluster into Rancher. @@ -54,7 +56,7 @@ By default, GKE users are not given this privilege, so you will need to run the > If you are importing a K3s cluster, make sure the `cluster.yml` is readable. It is protected by default. For details, refer to [Configuring a K3s cluster to enable importation to Rancher.](#configuring-a-k3s-cluster-to-enable-importation-to-rancher) -### Importing a Cluster +# Importing a Cluster 1. From the **Clusters** page, click **Add Cluster**. 2. Choose **Import**. 
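Review bot: The table of contents in the -19,11 hunk lists "Annotating imported clusters" as a top-level entry, a sibling of "Imported K3s clusters", but the section is added later in this patch as `### Annotating Imported Clusters`, which nests it under `# Imported K3s Clusters`. The section text says it applies to all imported clusters except K3s clusters, so the heading should be `# Annotating Imported Clusters` to match the TOC and keep it out of the K3s section.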
@@ -70,12 +72,14 @@ By default, GKE users are not given this privilege, so you will need to run the > **Note:** > You can not re-import a cluster that is currently active in a Rancher setup. +# Imported K3s Clusters + +You can now import a K3s Kubernetes cluster into Rancher. [K3s]({{}}/k3s/latest/en/) is lightweight, fully compliant Kubernetes distribution. You can also upgrade Kubernetes by editing the K3s cluster in the Rancher UI. + ### Additional Features for Imported K3s Clusters _Available as of v2.4.0_ -You can now import a K3s Kubernetes cluster into Rancher. [K3s]({{}}/k3s/latest/en/) is lightweight, fully compliant Kubernetes distribution. You can also upgrade Kubernetes by editing the K3s cluster in the Rancher UI. - When a K3s cluster is imported, Rancher will recognize it as K3s, and the Rancher UI will expose the following features in addition to the functionality for other imported clusters: - The ability to upgrade the K3s version 
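Review bot: The sentence moved up under `# Imported K3s Clusters` carries over a missing article: "is lightweight, fully compliant Kubernetes distribution" should read "is a lightweight, fully compliant Kubernetes distribution". The move also takes the statements about importing and upgrading K3s clusters out from under the `_Available as of v2.4.0_` marker, which now only covers the "Additional Features" subsection; if the version constraint still applies to importing K3s clusters at all, repeat the marker under the new heading.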
@@ -131,4 +135,52 @@ kubectl get plans -A -o yaml If the cluster becomes stuck in upgrading, restart the `system-upgrade-controller`. -To prevent issues when upgrading, the [Kubernetes upgrade best practices](https://kubernetes.io/docs/tasks/administer-cluster/kubeadm/kubeadm-upgrade/) should be followed. \ No newline at end of file +To prevent issues when upgrading, the [Kubernetes upgrade best practices](https://kubernetes.io/docs/tasks/administer-cluster/kubeadm/kubeadm-upgrade/) should be followed. + +### Annotating Imported Clusters + +For all types of imported Kubernetes clusters except for K3s Kubernetes clusters, Rancher doesn't have any information about how the cluster is provisioned or configured. + +Therefore, when Rancher imports a cluster, it assumes that several capabilities are disabled by default. Rancher assumes this in order to avoid exposing UI options to the user even when the capabilities are not enabled in the imported cluster. + +However, if the cluster has a certain capability, such as the ability to use a pod security policy, a user of that cluster might still want to select pod security policies for the cluster in the Rancher UI. In order to do that, the user will need to manually indicate to Rancher that pod security policies are enabled for the cluster. + +By annotating an imported cluster, it is possible to indicate to Rancher that a cluster was given a pod security policy, or another capability, outside of Rancher. 
+ +This example annotation indicates that a pod security policy is enabled: + +```json +"capabilities.cattle.io/pspEnabled": "true" +``` + +This annotation indicates Ingress capabilities: + +```json +capabilities.cattle.io/ingressCapabilities": "[ + { + "customDefaultBackend":true, + "ingressProvider":"asdf" + } +]" +``` + +The following capabilities can be annotated for the cluster: + +- `ingressCapabilities` +- `loadBalancerCapabilities` +- `nodePoolScalingSupported` +- `nodePortRange` +- `pspEnabled` +- `taintSupport` + +All the capabilities and their type defintions can be viewed in the Rancher API view, at `[Rancher Server URL]/v3/schemas/capabilities`. + +To annotate an imported cluster, + +1. Go to the cluster view in Rancher and select **⋮ > Edit.** +1. Expand the **Labels & Annotations** section. +1. Click **Add Annotation.** +1. Add an annotation to the cluster with the format `capabilities/: ` where `value` is the cluster capability that will be overridden by the annotation. In this scenario, Rancher is not aware of any capabilities of the cluster until you add the annotation. +1. Click **Save.** + +**Result:** The annotation does not give the capabilities to the cluster, but it does indicate to Rancher that the cluster has those capabilities. \ No newline at end of file From 7f96e3902e7a2b7c8876d54fd5151262aa98c8b8 Mon Sep 17 00:00:00 2001 From: Catherine Luse Date: Thu, 2 Apr 2020 17:01:20 -0700 Subject: [PATCH 162/183] Edit section on annotating imported clusters --- .../imported-clusters/_index.md | 13 ++++--------- 1 file changed, 4 insertions(+), 9 deletions(-) diff --git a/content/rancher/v2.x/en/cluster-provisioning/imported-clusters/_index.md b/content/rancher/v2.x/en/cluster-provisioning/imported-clusters/_index.md index da3a97264c8..8f59cbb3348 100644 --- a/content/rancher/v2.x/en/cluster-provisioning/imported-clusters/_index.md +++ b/content/rancher/v2.x/en/cluster-provisioning/imported-clusters/_index.md 
@@ -153,18 +153,13 @@ This example annotation indicates that a pod security policy is enabled: "capabilities.cattle.io/pspEnabled": "true" ``` -This annotation indicates Ingress capabilities: +The following annotation indicates Ingress capabilities. Note that that the values of non-primitive objects need to be JSON encoded, with quotations escaped. ```json -capabilities.cattle.io/ingressCapabilities": "[ - { - "customDefaultBackend":true, - "ingressProvider":"asdf" - } -]" +"capabilities.cattle.io/ingressCapabilities": "[{"customDefaultBackend":true,"ingressProvider":"asdf"}]" ``` -The following capabilities can be annotated for the cluster: +These capabilities can be annotated for the cluster: - `ingressCapabilities` - `loadBalancerCapabilities` @@ -173,7 +168,7 @@ The following capabilities can be annotated for the cluster: - `pspEnabled` - `taintSupport` -All the capabilities and their type defintions can be viewed in the Rancher API view, at `[Rancher Server URL]/v3/schemas/capabilities`. +All the capabilities and their type definitions can be viewed in the Rancher API view, at `[Rancher Server URL]/v3/schemas/capabilities`. To annotate an imported cluster, From 6e49f591aad5949f3008633dd90356159219e22e Mon Sep 17 00:00:00 2001 From: Catherine Luse Date: Fri, 3 Apr 2020 11:51:56 -0700 Subject: [PATCH 163/183] Add line breaks --- .../en/installation/install-options/how-to-flags/_index.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/content/k3s/latest/en/installation/install-options/how-to-flags/_index.md b/content/k3s/latest/en/installation/install-options/how-to-flags/_index.md index cfb79d7371a..25aa9b43567 100644 --- a/content/k3s/latest/en/installation/install-options/how-to-flags/_index.md +++ b/content/k3s/latest/en/installation/install-options/how-to-flags/_index.md 
@@ -10,10 +10,12 @@ Throughout the K3s documentation, you will see some options that can be passed i The option to allow writing to the kubeconfig file is useful for allowing a K3s cluster to be imported into Rancher. Below are two ways to pass in the option. Using the flag `--write-kubeconfig-mode 644`: + ```bash $ curl -sfL https://get.k3s.io | sh -s - --write-kubeconfig-mode 644 ``` Using the environment variable `K3S_KUBECONFIG_MODE`: + ```bash $ curl -sfL https://get.k3s.io | K3S_KUBECONFIG_MODE="644" sh -s - ``` From d6e7309028ef541cf07c683aeafed55f6c17d734 Mon Sep 17 00:00:00 2001 From: Catherine Luse Date: Fri, 3 Apr 2020 11:53:31 -0700 Subject: [PATCH 164/183] Add alias for OPA Gatekeeper page --- .../rancher/v2.x/en/cluster-admin/tools/opa-gatekeper/_index.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/content/rancher/v2.x/en/cluster-admin/tools/opa-gatekeper/_index.md b/content/rancher/v2.x/en/cluster-admin/tools/opa-gatekeper/_index.md index 12c951c6279..dceb610f935 100644 --- a/content/rancher/v2.x/en/cluster-admin/tools/opa-gatekeper/_index.md +++ b/content/rancher/v2.x/en/cluster-admin/tools/opa-gatekeper/_index.md @@ -1,6 +1,8 @@ --- title: OPA Gatekeeper weight: 1 +aliases: + - /rancher/v2.x/en/cluster-admin/tools/opa-gatekeeper --- _Available as of v2.4.0_ From f47f80fe72d7e258682e771c8a9f93d4bec74ce4 Mon Sep 17 00:00:00 2001 From: Catherine Luse Date: Mon, 6 Apr 2020 11:04:22 -0700 Subject: [PATCH 165/183] Say that K3s agent process is embedded in server process --- .../en/installation/install-options/_index.md | 2 +- .../install-options/server-config/_index.md | 73 ++++++++++--------- 2 files changed, 41 insertions(+), 34 deletions(-) diff --git a/content/k3s/latest/en/installation/install-options/_index.md b/content/k3s/latest/en/installation/install-options/_index.md index 0867f441ee2..68a275e2bd0 100644 --- a/content/k3s/latest/en/installation/install-options/_index.md +++ b/content/k3s/latest/en/installation/install-options/_index.md 
@@ -57,7 +57,7 @@ Command | Description `k3s ctr` | Run an embedded [ctr](https://github.com/projectatomic/containerd/blob/master/docs/cli.md). This is a CLI for containerd, the container daemon used by K3s. Useful for debugging. `k3s help` | Shows a list of commands or help for one command -The `k3s server` and `k3s agent` commands have additional configuration options that can be viewed with `k3s server --help` or `k3s agent --help`. For convenience, that help text is presented here: +The `k3s server` and `k3s agent` commands have additional configuration options that can be viewed with `k3s server --help` or `k3s agent --help`. ### Registration Options for the K3s Server diff --git a/content/k3s/latest/en/installation/install-options/server-config/_index.md b/content/k3s/latest/en/installation/install-options/server-config/_index.md index 3d7775f5e97..a60c075bbd5 100644 --- a/content/k3s/latest/en/installation/install-options/server-config/_index.md +++ b/content/k3s/latest/en/installation/install-options/server-config/_index.md @@ -11,6 +11,10 @@ In this section, you'll learn how to configure the K3s server. - [Database](#database) - [Cluster Options](#cluster-options) - [Client Options](#client-options) +- [Agent Options](#agent-options) + - [Agent Nodes](#agent-nodes) + - [Agent Runtime](#agent-runtime) + - [Agent Networking](#agent-networking) - [Advanced Options](#advanced-options) - [Logging](#logging) - [Listeners](#listeners) 
@@ -19,13 +23,10 @@ In this section, you'll learn how to configure the K3s server. - [Customized Options](#customized-options) - [Storage Class](#storage-class) - [Kubernetes Components](#kubernetes-components) - - [Registering Agents](#registering-agent-nodes) - - [Registering Agent Runtime](#registering-agent-runtime) - - [Registering Agent Networking](#registering-agent) - [Customized Flags for Kubernetes Processes](#customized-flags-for-kubernetes-processes) - [Experimental Options](#experimental-options) - [Deprecated Options](#deprecated-options) - - [K3s Server Cli Help](#k3s-server-cli-help) +- [K3s Server Cli Help](#k3s-server-cli-help) # Commonly Used Options 
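Review bot: The promoted TOC entry keeps the label "K3s Server Cli Help" while the heading it links to is "K3s Server CLI Help"; change the label to "CLI" so the entry matches the heading it was promoted alongside.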
@@ -53,6 +54,40 @@ In this section, you'll learn how to configure the K3s server. | `--write-kubeconfig value, -o` value | `K3S_KUBECONFIG_OUTPUT` | Write kubeconfig for admin client to this file | | `--write-kubeconfig-mode` value | `K3S_KUBECONFIG_MODE` | Write kubeconfig with this [mode.](https://en.wikipedia.org/wiki/Chmod) The option to allow writing to the kubeconfig file is useful for allowing a K3s cluster to be imported into Rancher. An example value is 644. | +# Agent Options + +K3s agent options are available as server options because the server has the agent process embedded within. + +### Agent Nodes + +| Flag | Environment Variable | Description | +|------|----------------------|-------------| +| `--node-name` value | `K3S_NODE_NAME` | Node name | +| `--with-node-id` | N/A | Append id to node name | (agent/node) +| `--node-label` value | N/A | Registering and starting kubelet with set of labels | +| `--node-taint` value | N/A | Registering kubelet with set of taints | + +### Agent Runtime + +| Flag | Default | Description | +|------|---------|-------------| +| `--docker` | N/A | Use docker instead of containerd | (agent/runtime) +| `--container-runtime-endpoint` value | N/A | Disable embedded containerd and use alternative CRI implementation | +| `--pause-image` value | "docker.io/rancher/pause:3.1" | Customized pause image for containerd or Docker sandbox | +| `--private-registry` value | "/etc/rancher/k3s/registries.yaml" | Private registry configuration file | + +### Agent Networking + +the agent options are there because the server has the agent process embedded within + +| Flag | Environment Variable | Description | +|------|----------------------|-------------| +| `--node-ip value, -i` value | N/A | IP address to advertise for node | +| `--node-external-ip` value | N/A | External IP address to advertise for node | +| `--resolv-conf` value | `K3S_RESOLV_CONF` | Kubelet resolv.conf file | +| `--flannel-iface` value | N/A | Override default flannel 
interface | +| `--flannel-conf` value | N/A | Override default flannel config file | + # Advanced Options ### Logging @@ -115,34 +150,6 @@ In this section, you'll learn how to configure the K3s server. | `--disable-cloud-controller` | Disable k3s default cloud controller manager | | `--disable-network-policy` | Disable k3s default network policy controller | -### Registering Agent Nodes - -| Flag | Environment Variable | Description | -|------|----------------------|-------------| -| `--node-name` value | `K3S_NODE_NAME` | Node name | -| `--with-node-id` | N/A | Append id to node name | (agent/node) -| `--node-label` value | N/A | Registering and starting kubelet with set of labels | -| `--node-taint` value | N/A | Registering kubelet with set of taints | - -### Registering Agent Runtime - -| Flag | Default | Description | -|------|---------|-------------| -| `--docker` | N/A | Use docker instead of containerd | (agent/runtime) -| `--container-runtime-endpoint` value | N/A | Disable embedded containerd and use alternative CRI implementation | -| `--pause-image` value | "docker.io/rancher/pause:3.1" | Customized pause image for containerd or Docker sandbox | -| `--private-registry` value | "/etc/rancher/k3s/registries.yaml" | Private registry configuration file | - -### Registering Agent Networking - -| Flag | Environment Variable | Description | -|------|----------------------|-------------| -| `--node-ip value, -i` value | N/A | IP address to advertise for node | -| `--node-external-ip` value | N/A | External IP address to advertise for node | -| `--resolv-conf` value | `K3S_RESOLV_CONF` | Kubelet resolv.conf file | -| `--flannel-iface` value | N/A | Override default flannel interface | -| `--flannel-conf` value | N/A | Override default flannel config file | - ### Customized Flags for Kubernetes Processes | Flag | Description | 
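Review bot: The added `### Agent Networking` section opens with the line "the agent options are there because the server has the agent process embedded within", an uncapitalized, unpunctuated repeat of the sentence already placed under `# Agent Options`; it reads like a leftover draft note and should be removed. The moved rows for `--with-node-id` and `--docker` also still end with `(agent/node)` and `(agent/runtime)` after the closing pipe, which adds a stray fourth cell to three-column tables; since the rows are being relocated anyway, strip those suffixes in the same change.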
@@ -171,7 +178,7 @@ In this section, you'll learn how to configure the K3s server. | `--cluster-secret` value | `K3S_CLUSTER_SECRET` | Use --token | -### K3s Server CLI Help +# K3s Server CLI Help > If an option appears in brackets below, for example `[$K3S_TOKEN]`, it means that the option can be passed in as an environment variable of that name. From 1e071dde9d8c982b815e50706e0d4d18ac161379 Mon Sep 17 00:00:00 2001 From: David Nuzik Date: Mon, 6 Apr 2020 11:28:34 -0700 Subject: [PATCH 166/183] Add k3s-agent to Restarting K3s section - Mentions commands for both systemd and OpenRC for restarting the k3s-agent service - Closes https://github.com/rancher/k3s/issues/1557 --- .../k3s/latest/en/upgrades/basic/_index.md | 21 ++++++++++++++++--- 1 file changed, 18 insertions(+), 3 deletions(-) diff --git a/content/k3s/latest/en/upgrades/basic/_index.md b/content/k3s/latest/en/upgrades/basic/_index.md index 6311b045764..d0f1b8654c8 100644 --- a/content/k3s/latest/en/upgrades/basic/_index.md +++ b/content/k3s/latest/en/upgrades/basic/_index.md @@ -32,13 +32,28 @@ Or to manually upgrade K3s: ### Restarting K3s -Restarting K3s is supported by the installation script for systemd and openrc. -To restart manually for systemd use: +Restarting K3s is supported by the installation script for systemd and OpenRC. + +**systemd** + +To restart servers manually: ```sh sudo systemctl restart k3s ``` -To restart manually for openrc use: +To restart agents manually: +```sh +sudo systemctl restart k3s-agent +``` + +**OpenRC** + +To restart servers manually: ```sh sudo service k3s restart ``` + +To restart agents mantually: +```sh +sudo service k3s-agent restart +``` From d208dac1331ec9dbea1fe7360e2bb0440a8fb5b0 Mon Sep 17 00:00:00 2001 
From: Catherine Luse Date: Mon, 6 Apr 2020 12:14:13 -0700 Subject: [PATCH 167/183] Revert "Revert "WIP: Misc changes and improvements to K3s docs"" This reverts commit f698b97d3e4284e494efff4a767f22a88efcea20. --- .../en/installation/install-options/_index.md | 9 +++++---- .../installation-requirements/_index.md | 16 ++++++++++++++-- 2 files changed, 19 insertions(+), 6 deletions(-) diff --git a/content/k3s/latest/en/installation/install-options/_index.md b/content/k3s/latest/en/installation/install-options/_index.md index 68a275e2bd0..df7ae330dca 100644 --- a/content/k3s/latest/en/installation/install-options/_index.md +++ b/content/k3s/latest/en/installation/install-options/_index.md 
@@ -28,23 +28,24 @@ When using this method to install K3s, the following environment variables can b | Environment Variable | Description | |-----------------------------|---------------------------------------------| | `INSTALL_K3S_SKIP_DOWNLOAD` | If set to true will not download K3s hash or binary. | -| `INSTALL_K3S_SYMLINK` | If set to 'skip' will not create symlinks, 'force' will overwrite, default will symlink if command does not exist in path. | +| `INSTALL_K3S_SYMLINK` | By default will create symlinks for the kubectl, crictl, and ctr binaries if the commands do not already exist in path. If set to 'skip' will not create symlinks and 'force' will overwrite. | | `INSTALL_K3S_SKIP_START` | If set to true will not start K3s service. | -| `INSTALL_K3S_VERSION` | Version of K3s to download from github. Will attempt to download the latest version if not specified. | +| `INSTALL_K3S_VERSION` | Version of K3s to download from Github. Will attempt to download the latest version if not specified. | | `INSTALL_K3S_BIN_DIR` | Directory to install K3s binary, links, and uninstall script to, or use `/usr/local/bin` as the default. | | `INSTALL_K3S_BIN_DIR_READ_ONLY` | If set to true will not write files to `INSTALL_K3S_BIN_DIR`, forces setting `INSTALL_K3S_SKIP_DOWNLOAD=true`. | | `INSTALL_K3S_SYSTEMD_DIR` | Directory to install systemd service and environment files to, or use `/etc/systemd/system` as the default. | | `INSTALL_K3S_EXEC` | Command with flags to use for launching K3s in the service. If the command is not specified, and the `K3S_URL` is set, it will default to "agent." If `K3S_URL` not set, it will default to "server." For help, refer to [this example.]({{}}/k3s/latest/en/installation/install-options/how-to-flags/#example-b-install-k3s-exec) | -| `INSTALL_K3S_NAME` | Name of systemd service to create, will default from the K3s exec command if not specified. If specified the name will be prefixed with 'k3s-'. 
| +| `INSTALL_K3S_NAME` | Name of systemd service to create, will default to 'k3s' if running k3s as a server and 'k3s-agent' if running k3s as an agent. If specified the name will be prefixed with 'k3s-'. | | `INSTALL_K3S_TYPE` | Type of systemd service to create, will default from the K3s exec command if not specified. + Environment variables which begin with `K3S_` will be preserved for the systemd and openrc services to use. Setting `K3S_URL` without explicitly setting an exec command will default the command to "agent". When running the agent `K3S_TOKEN` must also be set. -### Options for Installation from Binary +# Installing K3s from the Binary As stated, the installation script is primarily concerned with configuring K3s to run as a service. If you choose to not use the script, you can run K3s simply by downloading the binary from our [release page](https://github.com/rancher/k3s/releases/latest), placing it on your path, and executing it. The K3s binary supports the following commands: diff --git a/content/k3s/latest/en/installation/installation-requirements/_index.md b/content/k3s/latest/en/installation/installation-requirements/_index.md index 13da6c3d7ce..ee053e09e0c 100644 --- a/content/k3s/latest/en/installation/installation-requirements/_index.md +++ b/content/k3s/latest/en/installation/installation-requirements/_index.md 
@@ -37,12 +37,24 @@ K3s performance depends on the performance of the database. To ensure optimal sp ## Networking -The K3s server needs port 6443 to be accessible by the nodes. The nodes need to be able to reach other nodes over UDP port 8472 (Flannel VXLAN). If you do not use Flannel and provide your own custom CNI, then port 8472 is not needed by K3s. The node should not listen on any other port. K3s uses reverse tunneling such that the nodes make outbound connections to the server and all kubelet traffic runs through that tunnel. +The K3s server needs port 6443 to be accessible by the nodes. -IMPORTANT: The VXLAN port on nodes should not be exposed to the world as it opens up your cluster network to be accessed by anyone. Run your nodes behind a firewall/security group that disabled access to port 8472. +The nodes need to be able to reach other nodes over UDP port 8472 when Flannel VXLAN is used. The node should not listen on any other port. K3s uses reverse tunneling such that the nodes make outbound connections to the server and all kubelet traffic runs through that tunnel. However, if you do not use Flannel and provide your own custom CNI, then port 8472 is not needed by K3s. If you wish to utilize the metrics server, you will need to open port 10250 on each node. +> **Important:** The VXLAN port on nodes should not be exposed to the world as it opens up your cluster network to be accessed by anyone. Run your nodes behind a firewall/security group that disables access to port 8472. + +
    Inbound Rules for K3s Server Nodes
    + +| Protocol | Port | Source | Description +|-----|-----|----------------|---| +| TCP | 6443 | K3s server nodes | Kubernetes API +| UDP | 8472 | K3s server and agent nodes | Required only for Flannel VXLAN +| TCP | 10250 | K3s server and agent nodes | kubelet + +Typically all outbound traffic is allowed. + ## Large Clusters Hardware requirements are based on the size of your K3s cluster. For production and large clusters, we recommend using a high-availability setup with an external database. The following options are recommended for the external database in production: From 3f43f82d6c46d0d96545d34aa6187e0bc20a0fbe Mon Sep 17 00:00:00 2001 From: Sherzod Mutalov Date: Tue, 7 Apr 2020 14:53:43 +0500 Subject: [PATCH 168/183] Fix the HW Requirements link Fixed link to the RancherOS hardware requirements in the Digital Ocean section --- content/os/v1.x/en/installation/cloud/do/_index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/os/v1.x/en/installation/cloud/do/_index.md b/content/os/v1.x/en/installation/cloud/do/_index.md index 63761bf2c99..1d043601180 100644 --- a/content/os/v1.x/en/installation/cloud/do/_index.md +++ b/content/os/v1.x/en/installation/cloud/do/_index.md 
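Review bot: the table added in the Networking hunk of k3s installation-requirements/_index.md (PATCH 167/183) is captioned "Inbound Rules for K3s Server Nodes", but the prose in the same hunk says UDP 8472 is node-to-node traffic and that port 10250 must be opened "on each node", so two of the three rows apply to agent nodes as well. Retitle the table or split it into server and agent tables, so that firewall or security-group rules built from it match what the text requires. The 10250 row could also carry a condition like the 8472 row does, since the text ties it to the metrics server, and the retained sentence "The node should not listen on any other port" now sits next to a table that lists additional ports. The table rows are also missing their trailing pipe.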
@@ -17,7 +17,7 @@ To start a RancherOS Droplet on Digital Ocean: 1. Click **Create Droplet.** 1. Click the **Container distributions** tab. 1. Click **RancherOS.** -1. Choose a plan. Make sure your Droplet has the [minimum hardware requirements for RancherOS]({{}}os/v1.x/en/overview/#hardware-requirements). +1. Choose a plan. Make sure your Droplet has the [minimum hardware requirements for RancherOS]({{}}/os/v1.x/en/overview/#hardware-requirements). 1. Choose any options for backups, block storage, and datacenter region. 1. Optional: In the **Select additional options** section, you can check the **User data** box and enter a `cloud-config` file in the text box that appears. The `cloud-config` file is used to provide a script to be run on the first boot. An example is below. 1. Choose an SSH key that you have access to, or generate a new SSH key. From 2b7961e6fd5c127960dff6f1afc63745b16b517b Mon Sep 17 00:00:00 2001 From: Catherine Luse Date: Wed, 8 Apr 2020 13:42:47 -0700 Subject: [PATCH 169/183] Fix formatting in air gap docs --- .../populate-private-registry/_index.md | 40 +++++++---------- .../populate-private-registry/_index.md | 45 +++++++------------ 2 files changed, 32 insertions(+), 53 deletions(-) diff --git a/content/rancher/v2.x/en/installation/options/air-gap-helm2/populate-private-registry/_index.md b/content/rancher/v2.x/en/installation/options/air-gap-helm2/populate-private-registry/_index.md index cb9f4698034..8a99f3152f0 100644 --- a/content/rancher/v2.x/en/installation/options/air-gap-helm2/populate-private-registry/_index.md +++ b/content/rancher/v2.x/en/installation/options/air-gap-helm2/populate-private-registry/_index.md 
@@ -126,11 +126,11 @@ The workstation must have Docker 18.02+ in order to support manifests, which are 2. From the release's "Assets" section, download the following files: - | Release File | Description | - | ---------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------- | - | `rancher-windows-images.txt` | This file contains a list of Windows images needed to provision Windows clusters. | - | `rancher-save-images.ps1` | This script pulls all the images in the `rancher-windows-images.txt` from Docker Hub and saves all of the images as `rancher-windows-images.tar.gz`. | - | `rancher-load-images.ps1` | This script loads the images from the `rancher-windows-images.tar.gz` file and pushes them to your private registry. | +| Release File | Description | +|------------------------|-------------------| +| `rancher-windows-images.txt` | This file contains a list of Windows images needed to provision Windows clusters. | +| `rancher-save-images.ps1` | This script pulls all the images in the `rancher-windows-images.txt` from Docker Hub and saves all of the images as `rancher-windows-images.tar.gz`. | +| `rancher-load-images.ps1` | This script loads the images from the `rancher-windows-images.tar.gz` file and pushes them to your private registry. | ### B. Save the images to your Windows Server workstation 
@@ -146,9 +146,9 @@ The workstation must have Docker 18.02+ in order to support manifests, which are ### C. Prepare the Docker daemon -1. Append your private registry address to the `allow-nondistributable-artifacts` config field in the Docker daemon (`C:\ProgramData\Docker\config\daemon.json`). Since the base image of Windows images are maintained by the `mcr.microsoft.com` registry, this step is required as the layers in the Microsoft registry are missing from Docker Hub and need to be pulled into the private registry. +Append your private registry address to the `allow-nondistributable-artifacts` config field in the Docker daemon (`C:\ProgramData\Docker\config\daemon.json`). Since the base image of Windows images are maintained by the `mcr.microsoft.com` registry, this step is required as the layers in the Microsoft registry are missing from Docker Hub and need to be pulled into the private registry. - ```json + ``` { ... "allow-nondistributable-artifacts": [ @@ -164,13 +164,11 @@ The workstation must have Docker 18.02+ in order to support manifests, which are Move the images in the `rancher-windows-images.tar.gz` to your private registry using the scripts to load the images. The `rancher-windows-images.txt` is expected to be on the workstation in the same directory that you are running the `rancher-load-images.ps1` script. 1. Using `powershell`, log into your private registry if required: - ```plain docker login ``` 1. Using `powershell`, use `rancher-load-images.ps1` to extract, tag and push the images from `rancher-images.tar.gz` to your private registry: - ```plain ./rancher-load-images.ps1 --registry ``` 
@@ -202,21 +200,19 @@ The workstation must have Docker 18.02+ in order to support manifests, which are 2. From the release's **Assets** section, download the following files, which are required to install Rancher in an air gap environment: - | Release File | Description | - | ---------------------------- | ------------------------------------------------------------------------------------------------------------------------------------ | - | `rancher-images.txt` | This file contains a list of images needed to install Rancher, provision clusters and user Rancher tools. | - | `rancher-windows-images.txt` | This file contains a list of images needed to provision Windows clusters. | - | `rancher-save-images.sh` | This script pulls all the images in the `rancher-images.txt` from Docker Hub and saves all of the images as `rancher-images.tar.gz`. | - | `rancher-load-images.sh` | This script loads images from the `rancher-images.tar.gz` file and pushes them to your private registry. | +| Release File | Description | +|----------------------------|------| +| `rancher-images.txt` | This file contains a list of images needed to install Rancher, provision clusters and user Rancher tools. | +| `rancher-windows-images.txt` | This file contains a list of images needed to provision Windows clusters. | +| `rancher-save-images.sh` | This script pulls all the images in the `rancher-images.txt` from Docker Hub and saves all of the images as `rancher-images.tar.gz`. | +| `rancher-load-images.sh` | This script loads images from the `rancher-images.tar.gz` file and pushes them to your private registry. | ### B. Collect all the required images -1. **For Kubernetes Installs using Rancher Generated Self-Signed Certificate:** In a Kubernetes Install, if you elect to use the Rancher default self-signed TLS certificates, you must add the [`cert-manager`](https://hub.helm.sh/charts/jetstack/cert-manager) image to `rancher-images.txt` as well. 
You skip this step if you are using you using your own certificates. +**For Kubernetes Installs using Rancher Generated Self-Signed Certificate:** In a Kubernetes Install, if you elect to use the Rancher default self-signed TLS certificates, you must add the [`cert-manager`](https://hub.helm.sh/charts/jetstack/cert-manager) image to `rancher-images.txt` as well. You skip this step if you are using you using your own certificates. 1. Fetch the latest `cert-manager` Helm chart and parse the template for image details: - > **Note:** Recent changes to cert-manager require an upgrade. If you are upgrading Rancher and using a version of cert-manager older than v0.12.0, please see our [upgrade documentation]({{}}/rancher/v2.x/en/installation/options/upgrading-cert-manager/). - ```plain helm repo add jetstack https://charts.jetstack.io helm repo update @@ -225,7 +221,6 @@ The workstation must have Docker 18.02+ in order to support manifests, which are ``` 2. Sort and unique the images list to remove any overlap between the sources: - ```plain sort -u rancher-images.txt -o rancher-images.txt ``` 
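Review bot: the cert-manager upgrade callout ("> **Note:** Recent changes to cert-manager require an upgrade...") under step 1 of "B. Collect all the required images" is deleted in this hunk, which is a content change inside a commit whose subject is "Fix formatting in air gap docs". If the removal is intended, say so in the commit message; otherwise keep the note. The rewritten paragraph above it also still carries "You skip this step if you are using you using your own certificates", which could be corrected to "You can skip this step if you are using your own certificates" while the line is being touched.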
@@ -233,37 +228,32 @@ The workstation must have Docker 18.02+ in order to support manifests, which are ### C. Save the images to your workstation 1. Make `rancher-save-images.sh` an executable: - ``` chmod +x rancher-save-images.sh ``` 1. Run `rancher-save-images.sh` with the `rancher-images.txt` image list to create a tarball of all the required images: - ```plain ./rancher-save-images.sh --image-list ./rancher-images.txt ``` - **Step Result:** Docker begins pulling the images used for an air gap install. Be patient. This process takes a few minutes. When the process completes, your current directory will output a tarball named `rancher-images.tar.gz`. Check that the output is in the directory. + **Result:** Docker begins pulling the images used for an air gap install. Be patient. This process takes a few minutes. When the process completes, your current directory will output a tarball named `rancher-images.tar.gz`. Check that the output is in the directory. ### D. Populate the private registry Move the images in the `rancher-images.tar.gz` to your private registry using the `rancher-load-images.sh script` to load the images. The `rancher-images.txt` / `rancher-windows-images.txt` image list is expected to be on the workstation in the same directory that you are running the `rancher-load-images.sh` script. 1. Log into your private registry if required: - ```plain docker login ``` 1. Make `rancher-load-images.sh` an executable: - ``` chmod +x rancher-load-images.sh ``` 1. Use `rancher-load-images.sh` to extract, tag and push the images from `rancher-images.tar.gz` to your private registry: - ```plain ./rancher-load-images.sh --image-list ./rancher-images.txt \ --windows-image-list ./rancher-windows-images.txt \ 
diff --git a/content/rancher/v2.x/en/installation/other-installation-methods/air-gap/populate-private-registry/_index.md b/content/rancher/v2.x/en/installation/other-installation-methods/air-gap/populate-private-registry/_index.md index a7b4e8be62c..10b996b98dc 100644 --- a/content/rancher/v2.x/en/installation/other-installation-methods/air-gap/populate-private-registry/_index.md +++ b/content/rancher/v2.x/en/installation/other-installation-methods/air-gap/populate-private-registry/_index.md 
@@ -131,29 +131,28 @@ The workstation must have Docker 18.02+ in order to support manifests, which are 2. From the release's "Assets" section, download the following files: - | Release File | Description | - | ---------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------- | - | `rancher-windows-images.txt` | This file contains a list of Windows images needed to provision Windows clusters. | - | `rancher-save-images.ps1` | This script pulls all the images in the `rancher-windows-images.txt` from Docker Hub and saves all of the images as `rancher-windows-images.tar.gz`. | - | `rancher-load-images.ps1` | This script loads the images from the `rancher-windows-images.tar.gz` file and pushes them to your private registry. | +| Release File | Description | +|----------------------------|------------------| +| `rancher-windows-images.txt` | This file contains a list of Windows images needed to provision Windows clusters. | +| `rancher-save-images.ps1` | This script pulls all the images in the `rancher-windows-images.txt` from Docker Hub and saves all of the images as `rancher-windows-images.tar.gz`. | +| `rancher-load-images.ps1` | This script loads the images from the `rancher-windows-images.tar.gz` file and pushes them to your private registry. | ### B. Save the images to your Windows Server workstation 1. Using `powershell`, go to the directory that has the files that were downloaded in the previous step. 1. Run `rancher-save-images.ps1` to create a tarball of all the required images: - ```plain ./rancher-save-images.ps1 ``` - **Step Result:** Docker begins pulling the images used for an air gap install. Be patient. This process takes a few minutes. When the process completes, your current directory will output a tarball named `rancher-windows-images.tar.gz`. Check that the output is in the directory. 
+ **Result:** Docker begins pulling the images used for an air gap install. Be patient. This process takes a few minutes. When the process completes, your current directory will output a tarball named `rancher-windows-images.tar.gz`. Check that the output is in the directory. ### C. Prepare the Docker daemon -1. Append your private registry address to the `allow-nondistributable-artifacts` config field in the Docker daemon (`C:\ProgramData\Docker\config\daemon.json`). Since the base image of Windows images are maintained by the `mcr.microsoft.com` registry, this step is required as the layers in the Microsoft registry are missing from Docker Hub and need to be pulled into the private registry. +Append your private registry address to the `allow-nondistributable-artifacts` config field in the Docker daemon (`C:\ProgramData\Docker\config\daemon.json`). Since the base image of Windows images are maintained by the `mcr.microsoft.com` registry, this step is required as the layers in the Microsoft registry are missing from Docker Hub and need to be pulled into the private registry. - ```json + ``` { ... "allow-nondistributable-artifacts": [ @@ -171,13 +170,11 @@ Move the images in the `rancher-windows-images.tar.gz` to your private registry The `rancher-windows-images.txt` is expected to be on the workstation in the same directory that you are running the `rancher-load-images.ps1` script. The `rancher-windows-images.tar.gz` should also be in the same directory. 1. Using `powershell`, log into your private registry if required: - ```plain docker login ``` 1. Using `powershell`, use `rancher-load-images.ps1` to extract, tag and push the images from `rancher-images.tar.gz` to your private registry: - ```plain ./rancher-load-images.ps1 --registry ``` 
@@ -205,25 +202,23 @@ The workstation must have Docker 18.02+ in order to support manifests, which are ### A. Find the required assets for your Rancher version -1. Browse to our [releases page](https://github.com/rancher/rancher/releases) and find the Rancher v2.x.x release that you want to install. Don't download releases marked `rc` or `Pre-release`, as they are not stable for production environments. Click **Assets*.* +1. Browse to our [releases page](https://github.com/rancher/rancher/releases) and find the Rancher v2.x.x release that you want to install. Don't download releases marked `rc` or `Pre-release`, as they are not stable for production environments. Click **Assets.** 2. From the release's **Assets** section, download the following files: - | Release File | Description | - | ---------------------------- | ------------------------------------------------------------------------------------------------------------------------------------ | - | `rancher-images.txt` | This file contains a list of images needed to install Rancher, provision clusters and user Rancher tools. | - | `rancher-windows-images.txt` | This file contains a list of images needed to provision Windows clusters. | - | `rancher-save-images.sh` | This script pulls all the images in the `rancher-images.txt` from Docker Hub and saves all of the images as `rancher-images.tar.gz`. | - | `rancher-load-images.sh` | This script loads images from the `rancher-images.tar.gz` file and pushes them to your private registry. | +| Release File | Description | +|----------------------------| -------------------------- | +| `rancher-images.txt` | This file contains a list of images needed to install Rancher, provision clusters and user Rancher tools. | +| `rancher-windows-images.txt` | This file contains a list of images needed to provision Windows clusters. 
| +| `rancher-save-images.sh` | This script pulls all the images in the `rancher-images.txt` from Docker Hub and saves all of the images as `rancher-images.tar.gz`. | +| `rancher-load-images.sh` | This script loads images from the `rancher-images.tar.gz` file and pushes them to your private registry. | ### B. Collect all the required images -1. **For Kubernetes Installs using Rancher Generated Self-Signed Certificate:** In a Kubernetes Install, if you elect to use the Rancher default self-signed TLS certificates, you must add the [`cert-manager`](https://hub.helm.sh/charts/jetstack/cert-manager) image to `rancher-images.txt` as well. You skip this step if you are using you using your own certificates. +**For Kubernetes Installs using Rancher Generated Self-Signed Certificate:** In a Kubernetes Install, if you elect to use the Rancher default self-signed TLS certificates, you must add the [`cert-manager`](https://hub.helm.sh/charts/jetstack/cert-manager) image to `rancher-images.txt` as well. You skip this step if you are using you using your own certificates. 1. Fetch the latest `cert-manager` Helm chart and parse the template for image details: - > **Note:** Recent changes to cert-manager require an upgrade. If you are upgrading Rancher and using a version of cert-manager older than v0.12.0, please see our [upgrade documentation]({{}}/rancher/v2.x/en/installation/options/upgrading-cert-manager/). - ```plain helm repo add jetstack https://charts.jetstack.io helm repo update @@ -232,7 +227,6 @@ The workstation must have Docker 18.02+ in order to support manifests, which are ``` 2. Sort and unique the images list to remove any overlap between the sources: - ```plain sort -u rancher-images.txt -o rancher-images.txt ``` 
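Review bot: the `**Assets*.*` to `**Assets.**` correction on step 1 of "A. Find the required assets for your Rancher version" is applied only to this copy of the page. The air-gap-helm2 copy still shows "Click **Assets*.*" in the context lines of the next patch in this series (PATCH 170/183), so the same correction is worth making there to keep the two pages in sync.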
@@ -240,18 +234,16 @@ The workstation must have Docker 18.02+ in order to support manifests, which are ### C. Save the images to your workstation 1. Make `rancher-save-images.sh` an executable: - ``` chmod +x rancher-save-images.sh ``` 1. Run `rancher-save-images.sh` with the `rancher-images.txt` image list to create a tarball of all the required images: - ```plain ./rancher-save-images.sh --image-list ./rancher-images.txt ``` - **Step Result:** Docker begins pulling the images used for an air gap install. Be patient. This process takes a few minutes. When the process completes, your current directory will output a tarball named `rancher-images.tar.gz`. Check that the output is in the directory. + **Result:** Docker begins pulling the images used for an air gap install. Be patient. This process takes a few minutes. When the process completes, your current directory will output a tarball named `rancher-images.tar.gz`. Check that the output is in the directory. ### D. Populate the private registry @@ -260,19 +252,16 @@ Move the images in the `rancher-images.tar.gz` to your private registry using th The image list, `rancher-images.txt` or `rancher-windows-images.txt`, is expected to be on the workstation in the same directory that you are running the `rancher-load-images.sh` script. The `rancher-images.tar.gz` should also be in the same directory. 1. Log into your private registry if required: - ```plain docker login ``` 1. Make `rancher-load-images.sh` an executable: - ``` chmod +x rancher-load-images.sh ``` 1. Use `rancher-load-images.sh` to extract, tag and push the images from `rancher-images.tar.gz` to your private registry: - ```plain ./rancher-load-images.sh --image-list ./rancher-images.txt \ --windows-image-list ./rancher-windows-images.txt \ From 501006cadf2507c025fe89cf544334fecd4ece75 Mon Sep 17 00:00:00 2001 
From: Catherine Luse Date: Wed, 8 Apr 2020 14:13:49 -0700 Subject: [PATCH 170/183] Say that registry must support manifests if ARM64 or Windows hosts are used --- .../options/air-gap-helm2/populate-private-registry/_index.md | 4 ++++ .../air-gap/populate-private-registry/_index.md | 4 ++++ 2 files changed, 8 insertions(+) diff --git a/content/rancher/v2.x/en/installation/options/air-gap-helm2/populate-private-registry/_index.md b/content/rancher/v2.x/en/installation/options/air-gap-helm2/populate-private-registry/_index.md index 8a99f3152f0..b96ca100b47 100644 --- a/content/rancher/v2.x/en/installation/options/air-gap-helm2/populate-private-registry/_index.md +++ b/content/rancher/v2.x/en/installation/options/air-gap-helm2/populate-private-registry/_index.md @@ -33,6 +33,8 @@ D. Populate the private registry These steps expect you to use a Linux workstation that has internet access, access to your private registry, and at least 20 GB of disk space. +If you will use ARM64 hosts, the registry must support manifests. As of April 2020, Amazon Elastic Container Registry does not support manifests. + ### A. Find the required assets for your Rancher version 1. Browse to our [releases page](https://github.com/rancher/rancher/releases) and find the Rancher v2.x.x release that you want to install. Don't download releases marked `rc` or `Pre-release`, as they are not stable for production environments. Click **Assets*.* 
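Review bot: "the registry must support manifests" in the added paragraph does not say which kind of manifest is meant. Every image has a manifest, and the requirement for ARM64 hosts is presumably multi-architecture manifest lists; naming that explicitly would let readers check their registry against it. The sentence "As of April 2020, Amazon Elastic Container Registry does not support manifests" is time-bound and unsourced, so a link to the registry's own documentation would let it be re-verified or removed later.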
@@ -120,6 +122,8 @@ These steps expect you to use a Windows Server 1809 workstation that has interne The workstation must have Docker 18.02+ in order to support manifests, which are required when provisioning Windows clusters. +Your registry must support manifests. As of April 2020, Amazon Elastic Container Registry does not support manifests. + ### A. Find the required assets for your Rancher version 1. Browse to our [releases page](https://github.com/rancher/rancher/releases) and find the Rancher v2.x.x release that you want to install. Don't download releases marked `rc` or `Pre-release`, as they are not stable for production environments. diff --git a/content/rancher/v2.x/en/installation/other-installation-methods/air-gap/populate-private-registry/_index.md b/content/rancher/v2.x/en/installation/other-installation-methods/air-gap/populate-private-registry/_index.md index 10b996b98dc..6cef213e1ae 100644 --- a/content/rancher/v2.x/en/installation/other-installation-methods/air-gap/populate-private-registry/_index.md +++ b/content/rancher/v2.x/en/installation/other-installation-methods/air-gap/populate-private-registry/_index.md @@ -32,6 +32,8 @@ For Rancher servers that will only provision Linux clusters, these are the steps These steps expect you to use a Linux workstation that has internet access, access to your private registry, and at least 20 GB of disk space. +If you will use ARM64 hosts, the registry must support manifests. As of April 2020, Amazon Elastic Container Registry does not support manifests. + ### 1. Find the required assets for your Rancher version 1. Go to our [releases page,](https://github.com/rancher/rancher/releases) find the Rancher v2.x.x release that you want to install, and click **Assets.** Note: Don't use releases marked `rc` or `Pre-release`, as they are not stable for production environments. 
@@ -125,6 +127,8 @@ These steps expect you to use a Windows Server 1809 workstation that has interne The workstation must have Docker 18.02+ in order to support manifests, which are required when provisioning Windows clusters. +Your registry must support manifests. As of April 2020, Amazon Elastic Container Registry does not support manifests. + ### A. Find the required assets for your Rancher version 1. Browse to our [releases page](https://github.com/rancher/rancher/releases) and find the Rancher v2.x.x release that you want to install. Don't download releases marked `rc` or `Pre-release`, as they are not stable for production environments. From 93b0b6bb30d8f5a2499a8ab4ba60326be346fbe7 Mon Sep 17 00:00:00 2001 From: Catherine Luse Date: Wed, 8 Apr 2020 21:50:09 -0700 Subject: [PATCH 171/183] Say that we recommend MySQL as the K3s datastore for management server cluster --- .../installation/k8s-install/create-nodes-lb/_index.md | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) diff --git a/content/rancher/v2.x/en/installation/k8s-install/create-nodes-lb/_index.md b/content/rancher/v2.x/en/installation/k8s-install/create-nodes-lb/_index.md index 863ab0522eb..0dfb09491d2 100644 --- a/content/rancher/v2.x/en/installation/k8s-install/create-nodes-lb/_index.md +++ b/content/rancher/v2.x/en/installation/k8s-install/create-nodes-lb/_index.md @@ -18,7 +18,7 @@ For more information about each installation option, refer to [this page.]({{}}/rancher/v2.x/en/installation/options/rds/) for setting up a MySQL database on Amazon's RDS service. +For an example of one way to set up the MySQL database, refer to this [tutorial]({{}}/rancher/v2.x/en/installation/options/rds/) for setting up MySQL on Amazon's RDS service. For the complete list of options that are available for configuring a K3s cluster datastore, refer to the [K3s documentation.]({{}}/k3s/latest/en/installation/datastore/) From c9fb9c496aae16294ce8b4b024dd61a3e9ea2201 Mon Sep 17 00:00:00 2001 
From: Catherine Luse Date: Wed, 8 Apr 2020 21:28:14 -0700 Subject: [PATCH 172/183] Include doc on enabling GCE cloud provider for custom clusters --- .../cloud-providers/gce/_index.md | 55 +++++++++++++++++++ .../rke-clusters/windows-clusters/_index.md | 2 +- 2 files changed, 56 insertions(+), 1 deletion(-) create mode 100644 content/rancher/v2.x/en/cluster-provisioning/rke-clusters/cloud-providers/gce/_index.md diff --git a/content/rancher/v2.x/en/cluster-provisioning/rke-clusters/cloud-providers/gce/_index.md b/content/rancher/v2.x/en/cluster-provisioning/rke-clusters/cloud-providers/gce/_index.md new file mode 100644 index 00000000000..d5f13a993f8 --- /dev/null +++ b/content/rancher/v2.x/en/cluster-provisioning/rke-clusters/cloud-providers/gce/_index.md 
@@ -0,0 +1,55 @@ +--- +title: Setting up the Google Compute Engine Cloud Provider +weight: 3 +--- + +In this section, you'll learn how to enable the Google Compute Engine (GCE) cloud provider for provisioning custom clusters in Rancher. A custom cluster is one in which Rancher installs Kubernetes on existing nodes. + +These steps are required for provisioning GCE Kubernetes clusters that include Windows nodes. + +The official Kubernetes documentation for the GCE cloud provider is [here.](https://kubernetes.io/docs/concepts/cluster-administration/cloud-providers/#gce) + +> **Prerequisites:** The service account of `Identity and API` access on GCE needs the `Computer Admin` permission. + +If you are using Calico, + +1. Go to the cluster view in the Rancher UI, and click **⋮ > Edit.** +1. Click **Edit as YAML,** and enter the following configuration: + ```yaml + rancher_kubernetes_engine_config: + cloud_provider: + name: gce + customCloudProvider: |- + [Global] + project-id= + network-name= + subnetwork-name= + node-instance-prefix= + node-tags= + network: + options: + calico_cloud_provider: "gce" + plugin: "calico" + ``` + +If you are using Canal or Flannel, + +1. Go to the cluster view in the Rancher UI, and click **⋮ > Edit.** +1. Click **Edit as YAML,** and enter the following configuration: + ```yaml + rancher_kubernetes_engine_config: + cloud_provider: + name: gce + customCloudProvider: |- + [Global] + project-id= + network-name= + subnetwork-name= + node-instance-prefix= + node-tags= + services: + kube_controller: + extra_args: + configure-cloud-routes: true # we need to allow + # the cloud provider to configure the routes for the hosts + ``` \ No newline at end of file diff --git a/content/rancher/v2.x/en/cluster-provisioning/rke-clusters/windows-clusters/_index.md b/content/rancher/v2.x/en/cluster-provisioning/rke-clusters/windows-clusters/_index.md index 837b8628ceb..17aeed8c00b 100644 
--- a/content/rancher/v2.x/en/cluster-provisioning/rke-clusters/windows-clusters/_index.md +++ b/content/rancher/v2.x/en/cluster-provisioning/rke-clusters/windows-clusters/_index.md @@ -94,7 +94,7 @@ If you set a Kubernetes cloud provider in your cluster, some additional steps ar If you are using the GCE (Google Compute Engine) cloud provider, you must do the following: -- Specify `gce` as the cloud provider in the `cluster.yml` +- Enable the GCE cloud provider in the `cluster.yml` by following [these steps.]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/cloud-providers/gce) - When provisioning the cluster in Rancher, choose **Custom cloud provider** as the cloud provider in the Rancher UI. # Tutorial: How to Create a Cluster with Windows Support From 7a6b28b842554ce24099cccf536143a0dd21fe47 Mon Sep 17 00:00:00 2001 From: Catherine Luse Date: Thu, 9 Apr 2020 12:11:43 -0700 Subject: [PATCH 173/183] Fix formatting on Prometheus expressions page --- .../en/cluster-admin/tools/alerts/_index.md | 7 + .../tools/monitoring/expression/_index.md | 561 ++++++++++-------- 2 files changed, 315 insertions(+), 253 deletions(-) diff --git a/content/rancher/v2.x/en/cluster-admin/tools/alerts/_index.md b/content/rancher/v2.x/en/cluster-admin/tools/alerts/_index.md index 7fdca61df02..1b0b9685295 100644 --- a/content/rancher/v2.x/en/cluster-admin/tools/alerts/_index.md +++ b/content/rancher/v2.x/en/cluster-admin/tools/alerts/_index.md @@ -16,6 +16,7 @@ For details about what triggers the predefined alerts, refer to the [documentati This section covers the following topics: - [Alert event examples](#alert-event-examples) + - [Prometheus queries](#prometheus-queries) - [Urgency levels](#urgency-levels) - [Scope of alerts](#scope-of-alerts) - [Adding cluster alerts](#adding-cluster-alerts) 
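Review bot: In the new `cloud-providers/gce/_index.md`, the prerequisite line names the permission `Computer Admin`, which looks like a typo for the Compute Admin role. Please correct the name. Because that role gives full control of Compute Engine resources, the page should also say which operations the cloud provider actually needs, so that operators can scope the service account down instead of granting it wholesale. In both YAML blocks the `[Global]` keys (`project-id=`, `network-name=`, `subnetwork-name=`, `node-instance-prefix=`, `node-tags=`) are left empty with no description of the expected values or of which keys are optional; a short table or inline comments would help. The lead-ins "If you are using Calico," and "If you are using Canal or Flannel," end in a comma before the numbered steps, and the file has no trailing newline.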
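Review bot: In the `windows-clusters/_index.md` hunk, the reworded bullet still says to enable the GCE cloud provider "in the `cluster.yml`", but the page it now links to only describes the **Edit as YAML** flow in the Rancher UI, with `rancher_kubernetes_engine_config:` as the top-level key. Suggest wording the bullet to match the linked steps (for example "in the cluster configuration"), or adding the `cluster.yml` form to the linked page, so readers do not paste the Rancher-wrapped YAML into an RKE `cluster.yml`.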
@@ -30,6 +31,12 @@ Some examples of alert events are: - A scheduled deployment taking place as planned. - A node's hardware resources becoming overstressed. +### Prometheus Queries + +> **Prerequisite:** Monitoring must be [enabled]({{}}/rancher/v2.x/en/cluster-admin/tools/monitoring/#enabling-cluster-monitoring) before you can trigger alerts with custom Prometheus queries or expressions. + +When you edit an alert rule, you will have the opportunity to configure the alert to be triggered based on a Prometheus expression. For examples of expressions, refer to [this page.]({{}}/rancher/v2.x/en/cluster-admin/tools/monitoring/expression) + # Urgency Levels You can set an urgency level for each alert. This urgency appears in the notification you receive, helping you to prioritize your response actions. For example, if you have an alert configured to inform you of a routine deployment, no action is required. These alerts can be assigned a low priority level. However, if a deployment fails, it can critically impact your organization, and you need to react quickly. Assign these alerts a high priority level. diff --git a/content/rancher/v2.x/en/cluster-admin/tools/monitoring/expression/_index.md b/content/rancher/v2.x/en/cluster-admin/tools/monitoring/expression/_index.md index a667264c69c..9f5170c9779 100644 --- a/content/rancher/v2.x/en/cluster-admin/tools/monitoring/expression/_index.md +++ b/content/rancher/v2.x/en/cluster-admin/tools/monitoring/expression/_index.md 
@@ -1,375 +1,430 @@ --- -title: Expression +title: Prometheus Expressions weight: 4 --- -## In This Document +The PromQL expressions in this doc can be used to configure [alerts.]({{}}/rancher/v2.x/en/cluster-admin/tools/alerts/) + +> Before expression can be used in alerts, monitoring must be enabled. For more information, refer to the documentation on enabling monitoring [at the cluster level]({{}}/rancher/v2.x/en/cluster-admin/tools/monitoring/#enabling-cluster-monitoring) or [at the project level.]({{}}/rancher/v2.x/en/project-admin/tools/monitoring/#enabling-project-monitoring) + +For more information about querying Prometheus, refer to the official [Prometheus documentation.](https://prometheus.io/docs/prometheus/latest/querying/basics/) - [Cluster Metrics](#cluster-metrics) - + [Node Metrics](#node-metrics) + - [Cluster CPU Utilization](#cluster-cpu-utilization) + - [Cluster Load Average](#cluster-load-average) + - [Cluster Memory Utilization](#cluster-memory-utilization) + - [Cluster Disk Utilization](#cluster-disk-utilization) + - [Cluster Disk I/O](#cluster-disk-i-o) + - [Cluster Network Packets](#cluster-network-packets) + - [Cluster Network I/O](#cluster-network-i-o) +- [Node Metrics](#node-metrics) + - [Node CPU Utilization](#node-cpu-utilization) + - [Node Load Average](#node-load-average) + - [Node Memory Utilization](#node-memory-utilization) + - [Node Disk Utilization](#node-disk-utilization) + - [Node Disk I/O](#node-disk-i-o) + - [Node Network Packets](#node-network-packets) + - [Node Network I/O](#node-network-i-o) - [Etcd Metrics](#etcd-metrics) + - [Etcd Has a Leader](#etcd-has-a-leader) + - [Number of Times the Leader Changes](#number-of-times-the-leader-changes) + - [Number of Failed Proposals](#number-of-failed-proposals) + - [GRPC Client Traffic](#grpc-client-traffic) + - [Peer Traffic](#peer-traffic) + - [DB Size](#db-size) + - [Active Streams](#active-streams) + - [Raft Proposals](#raft-proposals) + - [RPC Rate](#rpc-rate) + - [Disk 
Operations](#disk-operations) + - [Disk Sync Duration](#disk-sync-duration) - [Kubernetes Components Metrics](#kubernetes-components-metrics) + - [API Server Request Latency](#api-server-request-latency) + - [API Server Request Rate](#api-server-request-rate) + - [Scheduling Failed Pods](#scheduling-failed-pods) + - [Controller Manager Queue Depth](#controller-manager-queue-depth) + - [Scheduler E2E Scheduling Latency](#scheduler-e2e-scheduling-latency) + - [Scheduler Preemption Attempts](#scheduler-preemption-attempts) + - [Ingress Controller Connections](#ingress-controller-connections) + - [Ingress Controller Request Process Time](#ingress-controller-request-process-time) - [Rancher Logging Metrics](#rancher-logging-metrics) + - [Fluentd Buffer Queue Rate](#fluentd-buffer-queue-rate) + - [Fluentd Input Rate](#fluentd-input-rate) + - [Fluentd Output Errors Rate](#fluentd-output-errors-rate) + - [Fluentd Output Rate](#fluentd-output-rate) - [Workload Metrics](#workload-metrics) - + [Pod Metrics](#pod-metrics) - + [Container Metrics](#container-metrics) + - [Workload CPU Utilization](#workload-cpu-utilization) + - [Workload Memory Utilization](#workload-memory-utilization) + - [Workload Network Packets](#workload-network-packets) + - [Workload Network I/O](#workload-network-i-o) + - [Workload Disk I/O](#workload-disk-i-o) +- [Pod Metrics](#pod-metrics) + - [Pod CPU Utilization](#pod-cpu-utilization) + - [Pod Memory Utilization](#pod-memory-utilization) + - [Pod Network Packets](#pod-network-packets) + - [Pod Network I/O](#pod-network-i-o) + - [Pod Disk I/O](#pod-disk-i-o) +- [Container Metrics](#container-metrics) + - [Container CPU Utilization](#container-cpu-utilization) + - [Container Memory Utilization](#container-memory-utilization) + - [Container Disk I/O](#container-disk-i-o) -## Cluster Metrics +# Cluster Metrics -- **CPU Utilization** +### Cluster CPU Utilization - | Catalog | Expression | - | --- | --- | - | Detail | `1 - 
(avg(irate(node_cpu_seconds_total{mode="idle"}[5m])) by (instance))` | - | Summary | `1 - (avg(irate(node_cpu_seconds_total{mode="idle"}[5m])))` | +| Catalog | Expression | +| --- | --- | +| Detail | `1 - (avg(irate(node_cpu_seconds_total{mode="idle"}[5m])) by (instance))` | +| Summary | `1 - (avg(irate(node_cpu_seconds_total{mode="idle"}[5m])))` | -- **Load Average** +### Cluster Load Average - | Catalog | Expression | - | --- | --- | - | Detail |
    load1`sum(node_load1) by (instance) / count(node_cpu_seconds_total{mode="system"}) by (instance)`
    load5`sum(node_load5) by (instance) / count(node_cpu_seconds_total{mode="system"}) by (instance)`
    load15`sum(node_load15) by (instance) / count(node_cpu_seconds_total{mode="system"}) by (instance)`
    | - | Summary |
    load1`sum(node_load1) by (instance) / count(node_cpu_seconds_total{mode="system"})`
    load5`sum(node_load5) by (instance) / count(node_cpu_seconds_total{mode="system"})`
    load15`sum(node_load15) by (instance) / count(node_cpu_seconds_total{mode="system"})`
    | +| Catalog | Expression | +| --- | --- | +| Detail |
    load1`sum(node_load1) by (instance) / count(node_cpu_seconds_total{mode="system"}) by (instance)`
    load5`sum(node_load5) by (instance) / count(node_cpu_seconds_total{mode="system"}) by (instance)`
    load15`sum(node_load15) by (instance) / count(node_cpu_seconds_total{mode="system"}) by (instance)`
    | +| Summary |
    load1`sum(node_load1) by (instance) / count(node_cpu_seconds_total{mode="system"})`
    load5`sum(node_load5) by (instance) / count(node_cpu_seconds_total{mode="system"})`
    load15`sum(node_load15) by (instance) / count(node_cpu_seconds_total{mode="system"})`
    | -- **Memory Utilization** +### Cluster Memory Utilization - | Catalog | Expression | - | --- | --- | - | Detail | `1 - sum(node_memory_MemAvailable_bytes) by (instance) / sum(node_memory_MemTotal_bytes) by (instance)` | - | Summary | `1 - sum(node_memory_MemAvailable_bytes) / sum(node_memory_MemTotal_bytes)` | +| Catalog | Expression | +| --- | --- | +| Detail | `1 - sum(node_memory_MemAvailable_bytes) by (instance) / sum(node_memory_MemTotal_bytes) by (instance)` | +| Summary | `1 - sum(node_memory_MemAvailable_bytes) / sum(node_memory_MemTotal_bytes)` | -- **Disk Utilization** +### Cluster Disk Utilization - | Catalog | Expression | - | --- | --- | - | Detail | `(sum(node_filesystem_size_bytes{device!="rootfs"}) by (instance) - sum(node_filesystem_free_bytes{device!="rootfs"}) by (instance)) / sum(node_filesystem_size_bytes{device!="rootfs"}) by (instance)` | - | Summary | `(sum(node_filesystem_size_bytes{device!="rootfs"}) - sum(node_filesystem_free_bytes{device!="rootfs"})) / sum(node_filesystem_size_bytes{device!="rootfs"})` | +| Catalog | Expression | +| --- | --- | +| Detail | `(sum(node_filesystem_size_bytes{device!="rootfs"}) by (instance) - sum(node_filesystem_free_bytes{device!="rootfs"}) by (instance)) / sum(node_filesystem_size_bytes{device!="rootfs"}) by (instance)` | +| Summary | `(sum(node_filesystem_size_bytes{device!="rootfs"}) - sum(node_filesystem_free_bytes{device!="rootfs"})) / sum(node_filesystem_size_bytes{device!="rootfs"})` | -- **Disk I/O** +### Cluster Disk I/O - | Catalog | Expression | - | --- | --- | - | Detail |
    read`sum(rate(node_disk_read_bytes_total[5m])) by (instance)`
    written`sum(rate(node_disk_written_bytes_total[5m])) by (instance)`
    | - | Summary |
    read`sum(rate(node_disk_read_bytes_total[5m]))`
    written`sum(rate(node_disk_written_bytes_total[5m]))`
    | +| Catalog | Expression | +| --- | --- | +| Detail |
    read`sum(rate(node_disk_read_bytes_total[5m])) by (instance)`
    written`sum(rate(node_disk_written_bytes_total[5m])) by (instance)`
    | +| Summary |
    read`sum(rate(node_disk_read_bytes_total[5m]))`
    written`sum(rate(node_disk_written_bytes_total[5m]))`
    | -- **Network Packets** +### Cluster Network Packets - | Catalog | Expression | - | --- | --- | - | Detail |
    receive-droppedsum(rate(node_network_receive_drop_total{device!~"lo | veth.* | docker.* | flannel.* | cali.* | cbr.*"}[5m])) by (instance)
    receive-errssum(rate(node_network_receive_errs_total{device!~"lo | veth.* | docker.* | flannel.* | cali.* | cbr.*"}[5m])) by (instance)
    receive-packetssum(rate(node_network_receive_packets_total{device!~"lo | veth.* | docker.* | flannel.* | cali.* | cbr.*"}[5m])) by (instance)
    transmit-droppedsum(rate(node_network_transmit_drop_total{device!~"lo | veth.* | docker.* | flannel.* | cali.* | cbr.*"}[5m])) by (instance)
    transmit-errssum(rate(node_network_transmit_errs_total{device!~"lo | veth.* | docker.* | flannel.* | cali.* | cbr.*"}[5m])) by (instance)
    transmit-packetssum(rate(node_network_transmit_packets_total{device!~"lo | veth.* | docker.* | flannel.* | cali.* | cbr.*"}[5m])) by (instance)
    | - | Summary |
    receive-droppedsum(rate(node_network_receive_drop_total{device!~"lo | veth.* | docker.* | flannel.* | cali.* | cbr.*"}[5m]))
    receive-errssum(rate(node_network_receive_errs_total{device!~"lo | veth.* | docker.* | flannel.* | cali.* | cbr.*"}[5m]))
    receive-packetssum(rate(node_network_receive_packets_total{device!~"lo | veth.* | docker.* | flannel.* | cali.* | cbr.*"}[5m]))
    transmit-droppedsum(rate(node_network_transmit_drop_total{device!~"lo | veth.* | docker.* | flannel.* | cali.* | cbr.*"}[5m]))
    transmit-errssum(rate(node_network_transmit_errs_total{device!~"lo | veth.* | docker.* | flannel.* | cali.* | cbr.*"}[5m]))
    transmit-packetssum(rate(node_network_transmit_packets_total{device!~"lo | veth.* | docker.* | flannel.* | cali.* | cbr.*"}[5m]))
    | +| Catalog | Expression | +| --- | --- | +| Detail |
    receive-droppedsum(rate(node_network_receive_drop_total{device!~"lo | veth.* | docker.* | flannel.* | cali.* | cbr.*"}[5m])) by (instance)
    receive-errssum(rate(node_network_receive_errs_total{device!~"lo | veth.* | docker.* | flannel.* | cali.* | cbr.*"}[5m])) by (instance)
    receive-packetssum(rate(node_network_receive_packets_total{device!~"lo | veth.* | docker.* | flannel.* | cali.* | cbr.*"}[5m])) by (instance)
    transmit-droppedsum(rate(node_network_transmit_drop_total{device!~"lo | veth.* | docker.* | flannel.* | cali.* | cbr.*"}[5m])) by (instance)
    transmit-errssum(rate(node_network_transmit_errs_total{device!~"lo | veth.* | docker.* | flannel.* | cali.* | cbr.*"}[5m])) by (instance)
    transmit-packetssum(rate(node_network_transmit_packets_total{device!~"lo | veth.* | docker.* | flannel.* | cali.* | cbr.*"}[5m])) by (instance)
    | +| Summary |
    receive-droppedsum(rate(node_network_receive_drop_total{device!~"lo | veth.* | docker.* | flannel.* | cali.* | cbr.*"}[5m]))
    receive-errssum(rate(node_network_receive_errs_total{device!~"lo | veth.* | docker.* | flannel.* | cali.* | cbr.*"}[5m]))
    receive-packetssum(rate(node_network_receive_packets_total{device!~"lo | veth.* | docker.* | flannel.* | cali.* | cbr.*"}[5m]))
    transmit-droppedsum(rate(node_network_transmit_drop_total{device!~"lo | veth.* | docker.* | flannel.* | cali.* | cbr.*"}[5m]))
    transmit-errssum(rate(node_network_transmit_errs_total{device!~"lo | veth.* | docker.* | flannel.* | cali.* | cbr.*"}[5m]))
    transmit-packetssum(rate(node_network_transmit_packets_total{device!~"lo | veth.* | docker.* | flannel.* | cali.* | cbr.*"}[5m]))
    | -- **Network I/O** +### Cluster Network I/O - | Catalog | Expression | - | --- | --- | - | Detail |
    receivesum(rate(node_network_receive_bytes_total{device!~"lo | veth.* | docker.* | flannel.* | cali.* | cbr.*"}[5m])) by (instance)
    transmitsum(rate(node_network_transmit_bytes_total{device!~"lo | veth.* | docker.* | flannel.* | cali.* | cbr.*"}[5m])) by (instance)
    | - | Summary |
    receivesum(rate(node_network_receive_bytes_total{device!~"lo | veth.* | docker.* | flannel.* | cali.* | cbr.*"}[5m]))
    transmitsum(rate(node_network_transmit_bytes_total{device!~"lo | veth.* | docker.* | flannel.* | cali.* | cbr.*"}[5m]))
    | +| Catalog | Expression | +| --- | --- | +| Detail |
    receivesum(rate(node_network_receive_bytes_total{device!~"lo | veth.* | docker.* | flannel.* | cali.* | cbr.*"}[5m])) by (instance)
    transmitsum(rate(node_network_transmit_bytes_total{device!~"lo | veth.* | docker.* | flannel.* | cali.* | cbr.*"}[5m])) by (instance)
    | +| Summary |
    receivesum(rate(node_network_receive_bytes_total{device!~"lo | veth.* | docker.* | flannel.* | cali.* | cbr.*"}[5m]))
    transmitsum(rate(node_network_transmit_bytes_total{device!~"lo | veth.* | docker.* | flannel.* | cali.* | cbr.*"}[5m]))
    | -### Node Metrics +# Node Metrics -- **CPU Utilization** +### Node CPU Utilization - | Catalog | Expression | - | --- | --- | - | Detail | `avg(irate(node_cpu_seconds_total{mode!="idle", instance=~"$instance"}[5m])) by (mode)` | - | Summary | `1 - (avg(irate(node_cpu_seconds_total{mode="idle", instance=~"$instance"}[5m])))` | +| Catalog | Expression | +| --- | --- | +| Detail | `avg(irate(node_cpu_seconds_total{mode!="idle", instance=~"$instance"}[5m])) by (mode)` | +| Summary | `1 - (avg(irate(node_cpu_seconds_total{mode="idle", instance=~"$instance"}[5m])))` | -- **Load Average** +### Node Load Average - | Catalog | Expression | - | --- | --- | - | Detail |
    load1`sum(node_load1{instance=~"$instance"}) / count(node_cpu_seconds_total{mode="system",instance=~"$instance"})`
    load5`sum(node_load5{instance=~"$instance"}) / count(node_cpu_seconds_total{mode="system",instance=~"$instance"})`
    load15`sum(node_load15{instance=~"$instance"}) / count(node_cpu_seconds_total{mode="system",instance=~"$instance"})`
    | - | Summary |
    load1`sum(node_load1{instance=~"$instance"}) / count(node_cpu_seconds_total{mode="system",instance=~"$instance"})`
    load5`sum(node_load5{instance=~"$instance"}) / count(node_cpu_seconds_total{mode="system",instance=~"$instance"})`
    load15`sum(node_load15{instance=~"$instance"}) / count(node_cpu_seconds_total{mode="system",instance=~"$instance"})`
    | +| Catalog | Expression | +| --- | --- | +| Detail |
    load1`sum(node_load1{instance=~"$instance"}) / count(node_cpu_seconds_total{mode="system",instance=~"$instance"})`
    load5`sum(node_load5{instance=~"$instance"}) / count(node_cpu_seconds_total{mode="system",instance=~"$instance"})`
    load15`sum(node_load15{instance=~"$instance"}) / count(node_cpu_seconds_total{mode="system",instance=~"$instance"})`
    | +| Summary |
    load1`sum(node_load1{instance=~"$instance"}) / count(node_cpu_seconds_total{mode="system",instance=~"$instance"})`
    load5`sum(node_load5{instance=~"$instance"}) / count(node_cpu_seconds_total{mode="system",instance=~"$instance"})`
    load15`sum(node_load15{instance=~"$instance"}) / count(node_cpu_seconds_total{mode="system",instance=~"$instance"})`
    | -- **Memory Utilization** +### Node Memory Utilization - | Catalog | Expression | - | --- | --- | - | Detail | `1 - sum(node_memory_MemAvailable_bytes{instance=~"$instance"}) / sum(node_memory_MemTotal_bytes{instance=~"$instance"})` | - | Summary | `1 - sum(node_memory_MemAvailable_bytes{instance=~"$instance"}) / sum(node_memory_MemTotal_bytes{instance=~"$instance"}) ` | +| Catalog | Expression | +| --- | --- | +| Detail | `1 - sum(node_memory_MemAvailable_bytes{instance=~"$instance"}) / sum(node_memory_MemTotal_bytes{instance=~"$instance"})` | +| Summary | `1 - sum(node_memory_MemAvailable_bytes{instance=~"$instance"}) / sum(node_memory_MemTotal_bytes{instance=~"$instance"}) ` | -- **Disk Utilization** +### Node Disk Utilization - | Catalog | Expression | - | --- | --- | - | Detail | `(sum(node_filesystem_size_bytes{device!="rootfs",instance=~"$instance"}) by (device) - sum(node_filesystem_free_bytes{device!="rootfs",instance=~"$instance"}) by (device)) / sum(node_filesystem_size_bytes{device!="rootfs",instance=~"$instance"}) by (device)` | - | Summary | `(sum(node_filesystem_size_bytes{device!="rootfs",instance=~"$instance"}) - sum(node_filesystem_free_bytes{device!="rootfs",instance=~"$instance"})) / sum(node_filesystem_size_bytes{device!="rootfs",instance=~"$instance"})` | +| Catalog | Expression | +| --- | --- | +| Detail | `(sum(node_filesystem_size_bytes{device!="rootfs",instance=~"$instance"}) by (device) - sum(node_filesystem_free_bytes{device!="rootfs",instance=~"$instance"}) by (device)) / sum(node_filesystem_size_bytes{device!="rootfs",instance=~"$instance"}) by (device)` | +| Summary | `(sum(node_filesystem_size_bytes{device!="rootfs",instance=~"$instance"}) - sum(node_filesystem_free_bytes{device!="rootfs",instance=~"$instance"})) / sum(node_filesystem_size_bytes{device!="rootfs",instance=~"$instance"})` | -- **Disk I/O** +### Node Disk I/O - | Catalog | Expression | - | --- | --- | - | Detail |
    read`sum(rate(node_disk_read_bytes_total{instance=~"$instance"}[5m]))`
    written`sum(rate(node_disk_written_bytes_total{instance=~"$instance"}[5m]))`
    | - | Summary |
    read`sum(rate(node_disk_read_bytes_total{instance=~"$instance"}[5m]))`
    written`sum(rate(node_disk_written_bytes_total{instance=~"$instance"}[5m]))`
    | +| Catalog | Expression | +| --- | --- | +| Detail |
    read`sum(rate(node_disk_read_bytes_total{instance=~"$instance"}[5m]))`
    written`sum(rate(node_disk_written_bytes_total{instance=~"$instance"}[5m]))`
    | +| Summary |
    read`sum(rate(node_disk_read_bytes_total{instance=~"$instance"}[5m]))`
    written`sum(rate(node_disk_written_bytes_total{instance=~"$instance"}[5m]))`
    | -- **Network Packets** +### Node Network Packets - | Catalog | Expression | - | --- | --- | - | Detail |
    receive-droppedsum(rate(node_network_receive_drop_total{device!~"lo | veth.* | docker.* | flannel.* | cali.* | cbr.*",instance=~"$instance"}[5m])) by (device)
    receive-errssum(rate(node_network_receive_errs_total{device!~"lo | veth.* | docker.* | flannel.* | cali.* | cbr.*",instance=~"$instance"}[5m])) by (device)
    receive-packetssum(rate(node_network_receive_packets_total{device!~"lo | veth.* | docker.* | flannel.* | cali.* | cbr.*",instance=~"$instance"}[5m])) by (device)
    transmit-droppedsum(rate(node_network_transmit_drop_total{device!~"lo | veth.* | docker.* | flannel.* | cali.* | cbr.*",instance=~"$instance"}[5m])) by (device)
    transmit-errssum(rate(node_network_transmit_errs_total{device!~"lo | veth.* | docker.* | flannel.* | cali.* | cbr.*",instance=~"$instance"}[5m])) by (device)
    transmit-packetssum(rate(node_network_transmit_packets_total{device!~"lo | veth.* | docker.* | flannel.* | cali.* | cbr.*",instance=~"$instance"}[5m])) by (device)
    | - | Summary |
    receive-droppedsum(rate(node_network_receive_drop_total{device!~"lo | veth.* | docker.* | flannel.* | cali.* | cbr.*",instance=~"$instance"}[5m]))
    receive-errssum(rate(node_network_receive_errs_total{device!~"lo | veth.* | docker.* | flannel.* | cali.* | cbr.*",instance=~"$instance"}[5m]))
    receive-packetssum(rate(node_network_receive_packets_total{device!~"lo | veth.* | docker.* | flannel.* | cali.* | cbr.*",instance=~"$instance"}[5m]))
    transmit-droppedsum(rate(node_network_transmit_drop_total{device!~"lo | veth.* | docker.* | flannel.* | cali.* | cbr.*",instance=~"$instance"}[5m]))
    transmit-errssum(rate(node_network_transmit_errs_total{device!~"lo | veth.* | docker.* | flannel.* | cali.* | cbr.*",instance=~"$instance"}[5m]))
    transmit-packetssum(rate(node_network_transmit_packets_total{device!~"lo | veth.* | docker.* | flannel.* | cali.* | cbr.*",instance=~"$instance"}[5m]))
    | +| Catalog | Expression | +| --- | --- | +| Detail |
    receive-droppedsum(rate(node_network_receive_drop_total{device!~"lo | veth.* | docker.* | flannel.* | cali.* | cbr.*",instance=~"$instance"}[5m])) by (device)
    receive-errssum(rate(node_network_receive_errs_total{device!~"lo | veth.* | docker.* | flannel.* | cali.* | cbr.*",instance=~"$instance"}[5m])) by (device)
    receive-packetssum(rate(node_network_receive_packets_total{device!~"lo | veth.* | docker.* | flannel.* | cali.* | cbr.*",instance=~"$instance"}[5m])) by (device)
    transmit-droppedsum(rate(node_network_transmit_drop_total{device!~"lo | veth.* | docker.* | flannel.* | cali.* | cbr.*",instance=~"$instance"}[5m])) by (device)
    transmit-errssum(rate(node_network_transmit_errs_total{device!~"lo | veth.* | docker.* | flannel.* | cali.* | cbr.*",instance=~"$instance"}[5m])) by (device)
    transmit-packetssum(rate(node_network_transmit_packets_total{device!~"lo | veth.* | docker.* | flannel.* | cali.* | cbr.*",instance=~"$instance"}[5m])) by (device)
    | +| Summary |
    receive-droppedsum(rate(node_network_receive_drop_total{device!~"lo | veth.* | docker.* | flannel.* | cali.* | cbr.*",instance=~"$instance"}[5m]))
    receive-errssum(rate(node_network_receive_errs_total{device!~"lo | veth.* | docker.* | flannel.* | cali.* | cbr.*",instance=~"$instance"}[5m]))
    receive-packetssum(rate(node_network_receive_packets_total{device!~"lo | veth.* | docker.* | flannel.* | cali.* | cbr.*",instance=~"$instance"}[5m]))
    transmit-droppedsum(rate(node_network_transmit_drop_total{device!~"lo | veth.* | docker.* | flannel.* | cali.* | cbr.*",instance=~"$instance"}[5m]))
    transmit-errssum(rate(node_network_transmit_errs_total{device!~"lo | veth.* | docker.* | flannel.* | cali.* | cbr.*",instance=~"$instance"}[5m]))
    transmit-packetssum(rate(node_network_transmit_packets_total{device!~"lo | veth.* | docker.* | flannel.* | cali.* | cbr.*",instance=~"$instance"}[5m]))
    | -- **Network I/O** +### Node Network I/O - | Catalog | Expression | - | --- | --- | - | Detail |
    receivesum(rate(node_network_receive_bytes_total{device!~"lo | veth.* | docker.* | flannel.* | cali.* | cbr.*",instance=~"$instance"}[5m])) by (device)
    transmitsum(rate(node_network_transmit_bytes_total{device!~"lo | veth.* | docker.* | flannel.* | cali.* | cbr.*",instance=~"$instance"}[5m])) by (device)
    | - | Summary |
    receivesum(rate(node_network_receive_bytes_total{device!~"lo | veth.* | docker.* | flannel.* | cali.* | cbr.*",instance=~"$instance"}[5m]))
    transmitsum(rate(node_network_transmit_bytes_total{device!~"lo | veth.* | docker.* | flannel.* | cali.* | cbr.*",instance=~"$instance"}[5m]))
    | +| Catalog | Expression | +| --- | --- | +| Detail |
    receivesum(rate(node_network_receive_bytes_total{device!~"lo | veth.* | docker.* | flannel.* | cali.* | cbr.*",instance=~"$instance"}[5m])) by (device)
    transmitsum(rate(node_network_transmit_bytes_total{device!~"lo | veth.* | docker.* | flannel.* | cali.* | cbr.*",instance=~"$instance"}[5m])) by (device)
    | +| Summary |
    receivesum(rate(node_network_receive_bytes_total{device!~"lo | veth.* | docker.* | flannel.* | cali.* | cbr.*",instance=~"$instance"}[5m]))
    transmitsum(rate(node_network_transmit_bytes_total{device!~"lo | veth.* | docker.* | flannel.* | cali.* | cbr.*",instance=~"$instance"}[5m]))
    | -## Etcd Metrics +# Etcd Metrics -- **Etcd has a leader** +### Etcd Has a Leader - `max(etcd_server_has_leader)` +`max(etcd_server_has_leader)` -- **Number of leader changes** +### Number of Times the Leader Changes - `max(etcd_server_leader_changes_seen_total)` +`max(etcd_server_leader_changes_seen_total)` -- **Number of failed proposals** +### Number of Failed Proposals - `sum(etcd_server_proposals_failed_total)` +`sum(etcd_server_proposals_failed_total)` -- **GRPC Client Traffic** +### GRPC Client Traffic - | Catalog | Expression | - | --- | --- | - | Detail |
    in`sum(rate(etcd_network_client_grpc_received_bytes_total[5m])) by (instance)`
    out`sum(rate(etcd_network_client_grpc_sent_bytes_total[5m])) by (instance)`
    | - | Summary |
    in`sum(rate(etcd_network_client_grpc_received_bytes_total[5m]))`
    out`sum(rate(etcd_network_client_grpc_sent_bytes_total[5m]))`
    | +| Catalog | Expression | +| --- | --- | +| Detail |
    in`sum(rate(etcd_network_client_grpc_received_bytes_total[5m])) by (instance)`
    out`sum(rate(etcd_network_client_grpc_sent_bytes_total[5m])) by (instance)`
    | +| Summary |
    in`sum(rate(etcd_network_client_grpc_received_bytes_total[5m]))`
    out`sum(rate(etcd_network_client_grpc_sent_bytes_total[5m]))`
    | -- **Peer Traffic** +### Peer Traffic - | Catalog | Expression | - | --- | --- | - | Detail |
    in`sum(rate(etcd_network_peer_received_bytes_total[5m])) by (instance)`
    out`sum(rate(etcd_network_peer_sent_bytes_total[5m])) by (instance)`
    | - | Summary |
    in`sum(rate(etcd_network_peer_received_bytes_total[5m]))`
    out`sum(rate(etcd_network_peer_sent_bytes_total[5m]))`
    | +| Catalog | Expression | +| --- | --- | +| Detail |
    in`sum(rate(etcd_network_peer_received_bytes_total[5m])) by (instance)`
    out`sum(rate(etcd_network_peer_sent_bytes_total[5m])) by (instance)`
    | +| Summary |
    in`sum(rate(etcd_network_peer_received_bytes_total[5m]))`
    out`sum(rate(etcd_network_peer_sent_bytes_total[5m]))`
    | -- **DB Size** +### DB Size - | Catalog | Expression | - | --- | --- | - | Detail | `sum(etcd_debugging_mvcc_db_total_size_in_bytes) by (instance)` | - | Summary | `sum(etcd_debugging_mvcc_db_total_size_in_bytes)` | +| Catalog | Expression | +| --- | --- | +| Detail | `sum(etcd_debugging_mvcc_db_total_size_in_bytes) by (instance)` | +| Summary | `sum(etcd_debugging_mvcc_db_total_size_in_bytes)` | -- **Active Streams** +### Active Streams - | Catalog | Expression | - | --- | --- | - | Detail |
    lease-watch`sum(grpc_server_started_total{grpc_service="etcdserverpb.Lease",grpc_type="bidi_stream"}) by (instance) - sum(grpc_server_handled_total{grpc_service="etcdserverpb.Lease",grpc_type="bidi_stream"}) by (instance)`
    watch`sum(grpc_server_started_total{grpc_service="etcdserverpb.Watch",grpc_type="bidi_stream"}) by (instance) - sum(grpc_server_handled_total{grpc_service="etcdserverpb.Watch",grpc_type="bidi_stream"}) by (instance)`
    | - | Summary |
    lease-watch`sum(grpc_server_started_total{grpc_service="etcdserverpb.Lease",grpc_type="bidi_stream"}) - sum(grpc_server_handled_total{grpc_service="etcdserverpb.Lease",grpc_type="bidi_stream"})`
    watch`sum(grpc_server_started_total{grpc_service="etcdserverpb.Watch",grpc_type="bidi_stream"}) - sum(grpc_server_handled_total{grpc_service="etcdserverpb.Watch",grpc_type="bidi_stream"})`
    | +| Catalog | Expression | +| --- | --- | +| Detail |
    lease-watch`sum(grpc_server_started_total{grpc_service="etcdserverpb.Lease",grpc_type="bidi_stream"}) by (instance) - sum(grpc_server_handled_total{grpc_service="etcdserverpb.Lease",grpc_type="bidi_stream"}) by (instance)`
    watch`sum(grpc_server_started_total{grpc_service="etcdserverpb.Watch",grpc_type="bidi_stream"}) by (instance) - sum(grpc_server_handled_total{grpc_service="etcdserverpb.Watch",grpc_type="bidi_stream"}) by (instance)`
    | +| Summary |
    lease-watch`sum(grpc_server_started_total{grpc_service="etcdserverpb.Lease",grpc_type="bidi_stream"}) - sum(grpc_server_handled_total{grpc_service="etcdserverpb.Lease",grpc_type="bidi_stream"})`
    watch`sum(grpc_server_started_total{grpc_service="etcdserverpb.Watch",grpc_type="bidi_stream"}) - sum(grpc_server_handled_total{grpc_service="etcdserverpb.Watch",grpc_type="bidi_stream"})`
    | -- **Raft Proposals** +### Raft Proposals - | Catalog | Expression | - | --- | --- | - | Detail |
    applied`sum(increase(etcd_server_proposals_applied_total[5m])) by (instance)`
    committed`sum(increase(etcd_server_proposals_committed_total[5m])) by (instance)`
    pending`sum(increase(etcd_server_proposals_pending[5m])) by (instance)`
    failed`sum(increase(etcd_server_proposals_failed_total[5m])) by (instance)`
    | - | Summary |
    applied`sum(increase(etcd_server_proposals_applied_total[5m]))`
    committed`sum(increase(etcd_server_proposals_committed_total[5m]))`
    pending`sum(increase(etcd_server_proposals_pending[5m]))`
    failed`sum(increase(etcd_server_proposals_failed_total[5m]))`
    | +| Catalog | Expression | +| --- | --- | +| Detail |
    applied`sum(increase(etcd_server_proposals_applied_total[5m])) by (instance)`
    committed`sum(increase(etcd_server_proposals_committed_total[5m])) by (instance)`
    pending`sum(increase(etcd_server_proposals_pending[5m])) by (instance)`
    failed`sum(increase(etcd_server_proposals_failed_total[5m])) by (instance)`
    | +| Summary |
    applied`sum(increase(etcd_server_proposals_applied_total[5m]))`
    committed`sum(increase(etcd_server_proposals_committed_total[5m]))`
    pending`sum(increase(etcd_server_proposals_pending[5m]))`
    failed`sum(increase(etcd_server_proposals_failed_total[5m]))`
    | -- **RPC Rate** +### RPC Rate - | Catalog | Expression | - | --- | --- | - | Detail |
    total`sum(rate(grpc_server_started_total{grpc_type="unary"}[5m])) by (instance)`
    fail`sum(rate(grpc_server_handled_total{grpc_type="unary",grpc_code!="OK"}[5m])) by (instance)`
    | - | Summary |
    total`sum(rate(grpc_server_started_total{grpc_type="unary"}[5m]))`
    fail`sum(rate(grpc_server_handled_total{grpc_type="unary",grpc_code!="OK"}[5m]))`
    | +| Catalog | Expression | +| --- | --- | +| Detail |
    total`sum(rate(grpc_server_started_total{grpc_type="unary"}[5m])) by (instance)`
    fail`sum(rate(grpc_server_handled_total{grpc_type="unary",grpc_code!="OK"}[5m])) by (instance)`
    | +| Summary |
    total`sum(rate(grpc_server_started_total{grpc_type="unary"}[5m]))`
    fail`sum(rate(grpc_server_handled_total{grpc_type="unary",grpc_code!="OK"}[5m]))`
    | -- **Disk Operations** +### Disk Operations - | Catalog | Expression | - | --- | --- | - | Detail |
    commit-called-by-backend`sum(rate(etcd_disk_backend_commit_duration_seconds_sum[1m])) by (instance)`
    fsync-called-by-wal`sum(rate(etcd_disk_wal_fsync_duration_seconds_sum[1m])) by (instance)`
    | - | Summary |
    commit-called-by-backend`sum(rate(etcd_disk_backend_commit_duration_seconds_sum[1m]))`
    fsync-called-by-wal`sum(rate(etcd_disk_wal_fsync_duration_seconds_sum[1m]))`
    | +| Catalog | Expression | +| --- | --- | +| Detail |
    commit-called-by-backend`sum(rate(etcd_disk_backend_commit_duration_seconds_sum[1m])) by (instance)`
    fsync-called-by-wal`sum(rate(etcd_disk_wal_fsync_duration_seconds_sum[1m])) by (instance)`
    | +| Summary |
    commit-called-by-backend`sum(rate(etcd_disk_backend_commit_duration_seconds_sum[1m]))`
    fsync-called-by-wal`sum(rate(etcd_disk_wal_fsync_duration_seconds_sum[1m]))`
    | -- **Disk Sync Duration** +### Disk Sync Duration - | Catalog | Expression | - | --- | --- | - | Detail |
    wal`histogram_quantile(0.99, sum(rate(etcd_disk_wal_fsync_duration_seconds_bucket[5m])) by (instance, le))`
    db`histogram_quantile(0.99, sum(rate(etcd_disk_backend_commit_duration_seconds_bucket[5m])) by (instance, le))`
    | - | Summary |
    wal`sum(histogram_quantile(0.99, sum(rate(etcd_disk_wal_fsync_duration_seconds_bucket[5m])) by (instance, le)))`
    db`sum(histogram_quantile(0.99, sum(rate(etcd_disk_backend_commit_duration_seconds_bucket[5m])) by (instance, le)))`
    | +| Catalog | Expression | +| --- | --- | +| Detail |
    wal`histogram_quantile(0.99, sum(rate(etcd_disk_wal_fsync_duration_seconds_bucket[5m])) by (instance, le))`
    db`histogram_quantile(0.99, sum(rate(etcd_disk_backend_commit_duration_seconds_bucket[5m])) by (instance, le))`
    | +| Summary |
    wal`sum(histogram_quantile(0.99, sum(rate(etcd_disk_wal_fsync_duration_seconds_bucket[5m])) by (instance, le)))`
    db`sum(histogram_quantile(0.99, sum(rate(etcd_disk_backend_commit_duration_seconds_bucket[5m])) by (instance, le)))`
    | -## Kubernetes Components Metrics +# Kubernetes Components Metrics -- **API Server Request Latency** +### API Server Request Latency - | Catalog | Expression | - | --- | --- | - | Detail | `avg(apiserver_request_latencies_sum / apiserver_request_latencies_count) by (instance, verb) /1e+06` | - | Summary | `avg(apiserver_request_latencies_sum / apiserver_request_latencies_count) by (instance) /1e+06` | +| Catalog | Expression | +| --- | --- | +| Detail | `avg(apiserver_request_latencies_sum / apiserver_request_latencies_count) by (instance, verb) /1e+06` | +| Summary | `avg(apiserver_request_latencies_sum / apiserver_request_latencies_count) by (instance) /1e+06` | -- **API Server Request Rate** +### API Server Request Rate - | Catalog | Expression | - | --- | --- | - | Detail | `sum(rate(apiserver_request_count[5m])) by (instance, code)` | - | Summary | `sum(rate(apiserver_request_count[5m])) by (instance)` | +| Catalog | Expression | +| --- | --- | +| Detail | `sum(rate(apiserver_request_count[5m])) by (instance, code)` | +| Summary | `sum(rate(apiserver_request_count[5m])) by (instance)` | -- **Scheduling Failed Pods** +### Scheduling Failed Pods - | Catalog | Expression | - | --- | --- | - | Detail | `sum(kube_pod_status_scheduled{condition="false"})` | - | Summary | `sum(kube_pod_status_scheduled{condition="false"})` | +| Catalog | Expression | +| --- | --- | +| Detail | `sum(kube_pod_status_scheduled{condition="false"})` | +| Summary | `sum(kube_pod_status_scheduled{condition="false"})` | -- **Controller Manager Queue Depth** +### Controller Manager Queue Depth - | Catalog | Expression | - | --- | --- | - | Detail |
    volumes`sum(volumes_depth) by instance`
    deployment`sum(deployment_depth) by instance`
    replicaset`sum(replicaset_depth) by instance`
    service`sum(service_depth) by instance`
    serviceaccount`sum(serviceaccount_depth) by instance`
    endpoint`sum(endpoint_depth) by instance`
    daemonset`sum(daemonset_depth) by instance`
    statefulset`sum(statefulset_depth) by instance`
    replicationmanager`sum(replicationmanager_depth) by instance`
    | - | Summary |
    volumes`sum(volumes_depth)`
    deployment`sum(deployment_depth)`
    replicaset`sum(replicaset_depth)`
    service`sum(service_depth)`
    serviceaccount`sum(serviceaccount_depth)`
    endpoint`sum(endpoint_depth)`
    daemonset`sum(daemonset_depth)`
    statefulset`sum(statefulset_depth)`
    replicationmanager`sum(replicationmanager_depth)`
    | +| Catalog | Expression | +| --- | --- | +| Detail |
    volumes`sum(volumes_depth) by instance`
    deployment`sum(deployment_depth) by instance`
    replicaset`sum(replicaset_depth) by instance`
    service`sum(service_depth) by instance`
    serviceaccount`sum(serviceaccount_depth) by instance`
    endpoint`sum(endpoint_depth) by instance`
    daemonset`sum(daemonset_depth) by instance`
    statefulset`sum(statefulset_depth) by instance`
    replicationmanager`sum(replicationmanager_depth) by instance`
    | +| Summary |
    volumes`sum(volumes_depth)`
    deployment`sum(deployment_depth)`
    replicaset`sum(replicaset_depth)`
    service`sum(service_depth)`
    serviceaccount`sum(serviceaccount_depth)`
    endpoint`sum(endpoint_depth)`
    daemonset`sum(daemonset_depth)`
    statefulset`sum(statefulset_depth)`
    replicationmanager`sum(replicationmanager_depth)`
    | -- **Scheduler E2E Scheduling Latency** +### Scheduler E2E Scheduling Latency - | Catalog | Expression | - | --- | --- | - | Detail | `histogram_quantile(0.99, sum(scheduler_e2e_scheduling_latency_microseconds_bucket) by (le, instance)) / 1e+06` | - | Summary | `sum(histogram_quantile(0.99, sum(scheduler_e2e_scheduling_latency_microseconds_bucket) by (le, instance)) / 1e+06)` | +| Catalog | Expression | +| --- | --- | +| Detail | `histogram_quantile(0.99, sum(scheduler_e2e_scheduling_latency_microseconds_bucket) by (le, instance)) / 1e+06` | +| Summary | `sum(histogram_quantile(0.99, sum(scheduler_e2e_scheduling_latency_microseconds_bucket) by (le, instance)) / 1e+06)` | -- **Scheduler Preemption Attempts** +### Scheduler Preemption Attempts - | Catalog | Expression | - | --- | --- | - | Detail | `sum(rate(scheduler_total_preemption_attempts[5m])) by (instance)` | - | Summary | `sum(rate(scheduler_total_preemption_attempts[5m]))` | +| Catalog | Expression | +| --- | --- | +| Detail | `sum(rate(scheduler_total_preemption_attempts[5m])) by (instance)` | +| Summary | `sum(rate(scheduler_total_preemption_attempts[5m]))` | -- **Ingress Controller Connections** +### Ingress Controller Connections - | Catalog | Expression | - | --- | --- | - | Detail |
    reading`sum(nginx_ingress_controller_nginx_process_connections{state="reading"}) by (instance)`
    waiting`sum(nginx_ingress_controller_nginx_process_connections{state="waiting"}) by (instance)`
    writing`sum(nginx_ingress_controller_nginx_process_connections{state="writing"}) by (instance)`
    accepted`sum(ceil(increase(nginx_ingress_controller_nginx_process_connections_total{state="accepted"}[5m]))) by (instance)`
    active`sum(ceil(increase(nginx_ingress_controller_nginx_process_connections_total{state="active"}[5m]))) by (instance)`
    handled`sum(ceil(increase(nginx_ingress_controller_nginx_process_connections_total{state="handled"}[5m]))) by (instance)`
    | - | Summary |
    reading`sum(nginx_ingress_controller_nginx_process_connections{state="reading"})`
    waiting`sum(nginx_ingress_controller_nginx_process_connections{state="waiting"})`
    writing`sum(nginx_ingress_controller_nginx_process_connections{state="writing"})`
    accepted`sum(ceil(increase(nginx_ingress_controller_nginx_process_connections_total{state="accepted"}[5m])))`
    active`sum(ceil(increase(nginx_ingress_controller_nginx_process_connections_total{state="active"}[5m])))`
    handled`sum(ceil(increase(nginx_ingress_controller_nginx_process_connections_total{state="handled"}[5m])))`
    | +| Catalog | Expression | +| --- | --- | +| Detail |
    reading`sum(nginx_ingress_controller_nginx_process_connections{state="reading"}) by (instance)`
    waiting`sum(nginx_ingress_controller_nginx_process_connections{state="waiting"}) by (instance)`
    writing`sum(nginx_ingress_controller_nginx_process_connections{state="writing"}) by (instance)`
    accepted`sum(ceil(increase(nginx_ingress_controller_nginx_process_connections_total{state="accepted"}[5m]))) by (instance)`
    active`sum(ceil(increase(nginx_ingress_controller_nginx_process_connections_total{state="active"}[5m]))) by (instance)`
    handled`sum(ceil(increase(nginx_ingress_controller_nginx_process_connections_total{state="handled"}[5m]))) by (instance)`
    | +| Summary |
    reading`sum(nginx_ingress_controller_nginx_process_connections{state="reading"})`
    waiting`sum(nginx_ingress_controller_nginx_process_connections{state="waiting"})`
    writing`sum(nginx_ingress_controller_nginx_process_connections{state="writing"})`
    accepted`sum(ceil(increase(nginx_ingress_controller_nginx_process_connections_total{state="accepted"}[5m])))`
    active`sum(ceil(increase(nginx_ingress_controller_nginx_process_connections_total{state="active"}[5m])))`
    handled`sum(ceil(increase(nginx_ingress_controller_nginx_process_connections_total{state="handled"}[5m])))`
    | -- **Ingress Controller Request Process Time** +### Ingress Controller Request Process Time - | Catalog | Expression | - | --- | --- | - | Detail | `topk(10, histogram_quantile(0.95,sum by (le, host, path)(rate(nginx_ingress_controller_request_duration_seconds_bucket{host!="_"}[5m]))))` | - | Summary | `topk(10, histogram_quantile(0.95,sum by (le, host)(rate(nginx_ingress_controller_request_duration_seconds_bucket{host!="_"}[5m]))))` | +| Catalog | Expression | +| --- | --- | +| Detail | `topk(10, histogram_quantile(0.95,sum by (le, host, path)(rate(nginx_ingress_controller_request_duration_seconds_bucket{host!="_"}[5m]))))` | +| Summary | `topk(10, histogram_quantile(0.95,sum by (le, host)(rate(nginx_ingress_controller_request_duration_seconds_bucket{host!="_"}[5m]))))` | -## Rancher Logging Metrics +# Rancher Logging Metrics -- **Fluentd Buffer Queue Rate** - | Catalog | Expression | - | --- | --- | - | Detail | `sum(rate(fluentd_output_status_buffer_queue_length[5m])) by (instance)` | - | Summary | `sum(rate(fluentd_output_status_buffer_queue_length[5m]))` | +### Fluentd Buffer Queue Rate -- **Fluentd Input Rate** +| Catalog | Expression | +| --- | --- | +| Detail | `sum(rate(fluentd_output_status_buffer_queue_length[5m])) by (instance)` | +| Summary | `sum(rate(fluentd_output_status_buffer_queue_length[5m]))` | - | Catalog | Expression | - | --- | --- | - | Detail | `sum(rate(fluentd_input_status_num_records_total[5m])) by (instance)` | - | Summary | `sum(rate(fluentd_input_status_num_records_total[5m]))` | +### Fluentd Input Rate -- **Fluentd Output Errors Rate** +| Catalog | Expression | +| --- | --- | +| Detail | `sum(rate(fluentd_input_status_num_records_total[5m])) by (instance)` | +| Summary | `sum(rate(fluentd_input_status_num_records_total[5m]))` | - | Catalog | Expression | - | --- | --- | - | Detail | `sum(rate(fluentd_output_status_num_errors[5m])) by (type)` | - | Summary | `sum(rate(fluentd_output_status_num_errors[5m]))` | +### Fluentd 
Output Errors Rate -- **Fluentd Output Rate** +| Catalog | Expression | +| --- | --- | +| Detail | `sum(rate(fluentd_output_status_num_errors[5m])) by (type)` | +| Summary | `sum(rate(fluentd_output_status_num_errors[5m]))` | - | Catalog | Expression | - | --- | --- | - | Detail | `sum(rate(fluentd_output_status_num_records_total[5m])) by (instance)` | - | Summary | `sum(rate(fluentd_output_status_num_records_total[5m]))` | +### Fluentd Output Rate -## Workload Metrics +| Catalog | Expression | +| --- | --- | +| Detail | `sum(rate(fluentd_output_status_num_records_total[5m])) by (instance)` | +| Summary | `sum(rate(fluentd_output_status_num_records_total[5m]))` | -- **CPU Utilization** +# Workload Metrics - | Catalog | Expression | - | --- | --- | - | Detail |
    cfs throttled seconds`sum(rate(container_cpu_cfs_throttled_seconds_total{namespace="$namespace",pod_name=~"$podName",container_name!=""}[5m])) by (pod_name)`
    user seconds`sum(rate(container_cpu_user_seconds_total{namespace="$namespace",pod_name=~"$podName",container_name!=""}[5m])) by (pod_name)`
    system seconds`sum(rate(container_cpu_system_seconds_total{namespace="$namespace",pod_name=~"$podName",container_name!=""}[5m])) by (pod_name)`
    usage seconds`sum(rate(container_cpu_usage_seconds_total{namespace="$namespace",pod_name=~"$podName",container_name!=""}[5m])) by (pod_name)`
    | - | Summary |
    cfs throttled seconds`sum(rate(container_cpu_cfs_throttled_seconds_total{namespace="$namespace",pod_name=~"$podName",container_name!=""}[5m]))`
    user seconds`sum(rate(container_cpu_user_seconds_total{namespace="$namespace",pod_name=~"$podName",container_name!=""}[5m]))`
    system seconds`sum(rate(container_cpu_system_seconds_total{namespace="$namespace",pod_name=~"$podName",container_name!=""}[5m]))`
    usage seconds`sum(rate(container_cpu_usage_seconds_total{namespace="$namespace",pod_name=~"$podName",container_name!=""}[5m]))`
    | +### Workload CPU Utilization -- **Memory Utilization** +| Catalog | Expression | +| --- | --- | +| Detail |
    cfs throttled seconds`sum(rate(container_cpu_cfs_throttled_seconds_total{namespace="$namespace",pod_name=~"$podName",container_name!=""}[5m])) by (pod_name)`
    user seconds`sum(rate(container_cpu_user_seconds_total{namespace="$namespace",pod_name=~"$podName",container_name!=""}[5m])) by (pod_name)`
    system seconds`sum(rate(container_cpu_system_seconds_total{namespace="$namespace",pod_name=~"$podName",container_name!=""}[5m])) by (pod_name)`
    usage seconds`sum(rate(container_cpu_usage_seconds_total{namespace="$namespace",pod_name=~"$podName",container_name!=""}[5m])) by (pod_name)`
    | +| Summary |
    cfs throttled seconds`sum(rate(container_cpu_cfs_throttled_seconds_total{namespace="$namespace",pod_name=~"$podName",container_name!=""}[5m]))`
    user seconds`sum(rate(container_cpu_user_seconds_total{namespace="$namespace",pod_name=~"$podName",container_name!=""}[5m]))`
    system seconds`sum(rate(container_cpu_system_seconds_total{namespace="$namespace",pod_name=~"$podName",container_name!=""}[5m]))`
    usage seconds`sum(rate(container_cpu_usage_seconds_total{namespace="$namespace",pod_name=~"$podName",container_name!=""}[5m]))`
    | - | Catalog | Expression | - | --- | --- | - | Detail | `sum(container_memory_working_set_bytes{namespace="$namespace",pod_name=~"$podName", container_name!=""}) by (pod_name)` | - | Summary | `sum(container_memory_working_set_bytes{namespace="$namespace",pod_name=~"$podName", container_name!=""})` | +### Workload Memory Utilization -- **Network Packets** +| Catalog | Expression | +| --- | --- | +| Detail | `sum(container_memory_working_set_bytes{namespace="$namespace",pod_name=~"$podName", container_name!=""}) by (pod_name)` | +| Summary | `sum(container_memory_working_set_bytes{namespace="$namespace",pod_name=~"$podName", container_name!=""})` | - | Catalog | Expression | - | --- | --- | - | Detail |
    receive-packets`sum(rate(container_network_receive_packets_total{namespace="$namespace",pod_name=~"$podName",container_name!=""}[5m])) by (pod_name)`
    receive-dropped`sum(rate(container_network_receive_packets_dropped_total{namespace="$namespace",pod_name=~"$podName",container_name!=""}[5m])) by (pod_name)`
    receive-errors`sum(rate(container_network_receive_errors_total{namespace="$namespace",pod_name=~"$podName",container_name!=""}[5m])) by (pod_name)`
    transmit-packets`sum(rate(container_network_transmit_packets_total{namespace="$namespace",pod_name=~"$podName",container_name!=""}[5m])) by (pod_name)`
    transmit-dropped`sum(rate(container_network_transmit_packets_dropped_total{namespace="$namespace",pod_name=~"$podName",container_name!=""}[5m])) by (pod_name)`
    transmit-errors`sum(rate(container_network_transmit_errors_total{namespace="$namespace",pod_name=~"$podName",container_name!=""}[5m])) by (pod_name)`
    | - | Summary |
    receive-packets`sum(rate(container_network_receive_packets_total{namespace="$namespace",pod_name=~"$podName",container_name!=""}[5m]))`
    receive-dropped`sum(rate(container_network_receive_packets_dropped_total{namespace="$namespace",pod_name=~"$podName",container_name!=""}[5m]))`
    receive-errors`sum(rate(container_network_receive_errors_total{namespace="$namespace",pod_name=~"$podName",container_name!=""}[5m]))`
    transmit-packets`sum(rate(container_network_transmit_packets_total{namespace="$namespace",pod_name=~"$podName",container_name!=""}[5m]))`
    transmit-dropped`sum(rate(container_network_transmit_packets_dropped_total{namespace="$namespace",pod_name=~"$podName",container_name!=""}[5m]))`
    transmit-errors`sum(rate(container_network_transmit_errors_total{namespace="$namespace",pod_name=~"$podName",container_name!=""}[5m]))`
    | +### Workload Network Packets -- **Network I/O** +| Catalog | Expression | +| --- | --- | +| Detail |
    receive-packets`sum(rate(container_network_receive_packets_total{namespace="$namespace",pod_name=~"$podName",container_name!=""}[5m])) by (pod_name)`
    receive-dropped`sum(rate(container_network_receive_packets_dropped_total{namespace="$namespace",pod_name=~"$podName",container_name!=""}[5m])) by (pod_name)`
    receive-errors`sum(rate(container_network_receive_errors_total{namespace="$namespace",pod_name=~"$podName",container_name!=""}[5m])) by (pod_name)`
    transmit-packets`sum(rate(container_network_transmit_packets_total{namespace="$namespace",pod_name=~"$podName",container_name!=""}[5m])) by (pod_name)`
    transmit-dropped`sum(rate(container_network_transmit_packets_dropped_total{namespace="$namespace",pod_name=~"$podName",container_name!=""}[5m])) by (pod_name)`
    transmit-errors`sum(rate(container_network_transmit_errors_total{namespace="$namespace",pod_name=~"$podName",container_name!=""}[5m])) by (pod_name)`
    | +| Summary |
    receive-packets`sum(rate(container_network_receive_packets_total{namespace="$namespace",pod_name=~"$podName",container_name!=""}[5m]))`
    receive-dropped`sum(rate(container_network_receive_packets_dropped_total{namespace="$namespace",pod_name=~"$podName",container_name!=""}[5m]))`
    receive-errors`sum(rate(container_network_receive_errors_total{namespace="$namespace",pod_name=~"$podName",container_name!=""}[5m]))`
    transmit-packets`sum(rate(container_network_transmit_packets_total{namespace="$namespace",pod_name=~"$podName",container_name!=""}[5m]))`
    transmit-dropped`sum(rate(container_network_transmit_packets_dropped_total{namespace="$namespace",pod_name=~"$podName",container_name!=""}[5m]))`
    transmit-errors`sum(rate(container_network_transmit_errors_total{namespace="$namespace",pod_name=~"$podName",container_name!=""}[5m]))`
    | - | Catalog | Expression | - | --- | --- | - | Detail |
    receive`sum(rate(container_network_receive_bytes_total{namespace="$namespace",pod_name=~"$podName",container_name!=""}[5m])) by (pod_name)`
    transmit`sum(rate(container_network_transmit_bytes_total{namespace="$namespace",pod_name=~"$podName",container_name!=""}[5m])) by (pod_name)`
    | - | Summary |
    receive`sum(rate(container_network_receive_bytes_total{namespace="$namespace",pod_name=~"$podName",container_name!=""}[5m]))`
    transmit`sum(rate(container_network_transmit_bytes_total{namespace="$namespace",pod_name=~"$podName",container_name!=""}[5m]))`
    | +### Workload Network I/O -- **Disk I/O** +| Catalog | Expression | +| --- | --- | +| Detail |
    receive`sum(rate(container_network_receive_bytes_total{namespace="$namespace",pod_name=~"$podName",container_name!=""}[5m])) by (pod_name)`
    transmit`sum(rate(container_network_transmit_bytes_total{namespace="$namespace",pod_name=~"$podName",container_name!=""}[5m])) by (pod_name)`
    | +| Summary |
    receive`sum(rate(container_network_receive_bytes_total{namespace="$namespace",pod_name=~"$podName",container_name!=""}[5m]))`
    transmit`sum(rate(container_network_transmit_bytes_total{namespace="$namespace",pod_name=~"$podName",container_name!=""}[5m]))`
    | - | Catalog | Expression | - | --- | --- | - | Detail |
    read`sum(rate(container_fs_reads_bytes_total{namespace="$namespace",pod_name=~"$podName",container_name!=""}[5m])) by (pod_name)`
    write`sum(rate(container_fs_writes_bytes_total{namespace="$namespace",pod_name=~"$podName",container_name!=""}[5m])) by (pod_name)`
    | - | Summary |
    read`sum(rate(container_fs_reads_bytes_total{namespace="$namespace",pod_name=~"$podName",container_name!=""}[5m]))`
    write`sum(rate(container_fs_writes_bytes_total{namespace="$namespace",pod_name=~"$podName",container_name!=""}[5m]))`
    | +### Workload Disk I/O -### Pod Metrics +| Catalog | Expression | +| --- | --- | +| Detail |
    read`sum(rate(container_fs_reads_bytes_total{namespace="$namespace",pod_name=~"$podName",container_name!=""}[5m])) by (pod_name)`
    write`sum(rate(container_fs_writes_bytes_total{namespace="$namespace",pod_name=~"$podName",container_name!=""}[5m])) by (pod_name)`
    | +| Summary |
    read`sum(rate(container_fs_reads_bytes_total{namespace="$namespace",pod_name=~"$podName",container_name!=""}[5m]))`
    write`sum(rate(container_fs_writes_bytes_total{namespace="$namespace",pod_name=~"$podName",container_name!=""}[5m]))`
    | -- **CPU Utilization** +# Pod Metrics - | Catalog | Expression | - | --- | --- | - | Detail |
    cfs throttled seconds`sum(rate(container_cpu_cfs_throttled_seconds_total{container_name!="POD",namespace="$namespace",pod_name="$podName", container_name!=""}[5m])) by (container_name)`
    usage seconds`sum(rate(container_cpu_usage_seconds_total{container_name!="POD",namespace="$namespace",pod_name="$podName", container_name!=""}[5m])) by (container_name)`
    system seconds`sum(rate(container_cpu_system_seconds_total{container_name!="POD",namespace="$namespace",pod_name="$podName", container_name!=""}[5m])) by (container_name)`
    user seconds`sum(rate(container_cpu_user_seconds_total{container_name!="POD",namespace="$namespace",pod_name="$podName", container_name!=""}[5m])) by (container_name)`
    | - | Summary |
    cfs throttled seconds`sum(rate(container_cpu_cfs_throttled_seconds_total{container_name!="POD",namespace="$namespace",pod_name="$podName", container_name!=""}[5m]))`
    usage seconds`sum(rate(container_cpu_usage_seconds_total{container_name!="POD",namespace="$namespace",pod_name="$podName", container_name!=""}[5m]))`
    system seconds`sum(rate(container_cpu_system_seconds_total{container_name!="POD",namespace="$namespace",pod_name="$podName", container_name!=""}[5m]))`
    user seconds`sum(rate(container_cpu_user_seconds_total{container_name!="POD",namespace="$namespace",pod_name="$podName", container_name!=""}[5m]))`
    | +### Pod CPU Utilization -- **Memory Utilization** +| Catalog | Expression | +| --- | --- | +| Detail |
    cfs throttled seconds`sum(rate(container_cpu_cfs_throttled_seconds_total{container_name!="POD",namespace="$namespace",pod_name="$podName", container_name!=""}[5m])) by (container_name)`
    usage seconds`sum(rate(container_cpu_usage_seconds_total{container_name!="POD",namespace="$namespace",pod_name="$podName", container_name!=""}[5m])) by (container_name)`
    system seconds`sum(rate(container_cpu_system_seconds_total{container_name!="POD",namespace="$namespace",pod_name="$podName", container_name!=""}[5m])) by (container_name)`
    user seconds`sum(rate(container_cpu_user_seconds_total{container_name!="POD",namespace="$namespace",pod_name="$podName", container_name!=""}[5m])) by (container_name)`
    | +| Summary |
    cfs throttled seconds`sum(rate(container_cpu_cfs_throttled_seconds_total{container_name!="POD",namespace="$namespace",pod_name="$podName", container_name!=""}[5m]))`
    usage seconds`sum(rate(container_cpu_usage_seconds_total{container_name!="POD",namespace="$namespace",pod_name="$podName", container_name!=""}[5m]))`
    system seconds`sum(rate(container_cpu_system_seconds_total{container_name!="POD",namespace="$namespace",pod_name="$podName", container_name!=""}[5m]))`
    user seconds`sum(rate(container_cpu_user_seconds_total{container_name!="POD",namespace="$namespace",pod_name="$podName", container_name!=""}[5m]))`
    | - | Catalog | Expression | - | --- | --- | - | Detail | `sum(container_memory_working_set_bytes{container_name!="POD",namespace="$namespace",pod_name="$podName",container_name!=""}) by (container_name)` | - | Summary | `sum(container_memory_working_set_bytes{container_name!="POD",namespace="$namespace",pod_name="$podName",container_name!=""})` | +### Pod Memory Utilization -- **Network Packets** +| Catalog | Expression | +| --- | --- | +| Detail | `sum(container_memory_working_set_bytes{container_name!="POD",namespace="$namespace",pod_name="$podName",container_name!=""}) by (container_name)` | +| Summary | `sum(container_memory_working_set_bytes{container_name!="POD",namespace="$namespace",pod_name="$podName",container_name!=""})` | - | Catalog | Expression | - | --- | --- | - | Detail |
    receive-packets`sum(rate(container_network_receive_packets_total{namespace="$namespace",pod_name="$podName",container_name!=""}[5m]))`
    receive-dropped`sum(rate(container_network_receive_packets_dropped_total{namespace="$namespace",pod_name="$podName",container_name!=""}[5m]))`
    receive-errors`sum(rate(container_network_receive_errors_total{namespace="$namespace",pod_name="$podName",container_name!=""}[5m]))`
    transmit-packets`sum(rate(container_network_transmit_packets_total{namespace="$namespace",pod_name="$podName",container_name!=""}[5m]))`
    transmit-dropped`sum(rate(container_network_transmit_packets_dropped_total{namespace="$namespace",pod_name="$podName",container_name!=""}[5m]))`
    transmit-errors`sum(rate(container_network_transmit_errors_total{namespace="$namespace",pod_name="$podName",container_name!=""}[5m]))`
    | - | Summary |
    receive-packets`sum(rate(container_network_receive_packets_total{namespace="$namespace",pod_name="$podName",container_name!=""}[5m]))`
    receive-dropped`sum(rate(container_network_receive_packets_dropped_total{namespace="$namespace",pod_name="$podName",container_name!=""}[5m]))`
    receive-errors`sum(rate(container_network_receive_errors_total{namespace="$namespace",pod_name="$podName",container_name!=""}[5m]))`
    transmit-packets`sum(rate(container_network_transmit_packets_total{namespace="$namespace",pod_name="$podName",container_name!=""}[5m]))`
    transmit-dropped`sum(rate(container_network_transmit_packets_dropped_total{namespace="$namespace",pod_name="$podName",container_name!=""}[5m]))`
    transmit-errors`sum(rate(container_network_transmit_errors_total{namespace="$namespace",pod_name="$podName",container_name!=""}[5m]))`
    | +### Pod Network Packets -- **Network I/O** +| Catalog | Expression | +| --- | --- | +| Detail |
    receive-packets`sum(rate(container_network_receive_packets_total{namespace="$namespace",pod_name="$podName",container_name!=""}[5m]))`
    receive-dropped`sum(rate(container_network_receive_packets_dropped_total{namespace="$namespace",pod_name="$podName",container_name!=""}[5m]))`
    receive-errors`sum(rate(container_network_receive_errors_total{namespace="$namespace",pod_name="$podName",container_name!=""}[5m]))`
    transmit-packets`sum(rate(container_network_transmit_packets_total{namespace="$namespace",pod_name="$podName",container_name!=""}[5m]))`
    transmit-dropped`sum(rate(container_network_transmit_packets_dropped_total{namespace="$namespace",pod_name="$podName",container_name!=""}[5m]))`
    transmit-errors`sum(rate(container_network_transmit_errors_total{namespace="$namespace",pod_name="$podName",container_name!=""}[5m]))`
    | +| Summary |
    receive-packets`sum(rate(container_network_receive_packets_total{namespace="$namespace",pod_name="$podName",container_name!=""}[5m]))`
    receive-dropped`sum(rate(container_network_receive_packets_dropped_total{namespace="$namespace",pod_name="$podName",container_name!=""}[5m]))`
    receive-errors`sum(rate(container_network_receive_errors_total{namespace="$namespace",pod_name="$podName",container_name!=""}[5m]))`
    transmit-packets`sum(rate(container_network_transmit_packets_total{namespace="$namespace",pod_name="$podName",container_name!=""}[5m]))`
    transmit-dropped`sum(rate(container_network_transmit_packets_dropped_total{namespace="$namespace",pod_name="$podName",container_name!=""}[5m]))`
    transmit-errors`sum(rate(container_network_transmit_errors_total{namespace="$namespace",pod_name="$podName",container_name!=""}[5m]))`
    | - | Catalog | Expression | - | --- | --- | - | Detail |
    receive`sum(rate(container_network_receive_bytes_total{namespace="$namespace",pod_name="$podName",container_name!=""}[5m]))`
    transmit`sum(rate(container_network_transmit_bytes_total{namespace="$namespace",pod_name="$podName",container_name!=""}[5m]))`
    | - | Summary |
    receive`sum(rate(container_network_receive_bytes_total{namespace="$namespace",pod_name="$podName",container_name!=""}[5m]))`
    transmit`sum(rate(container_network_transmit_bytes_total{namespace="$namespace",pod_name="$podName",container_name!=""}[5m]))`
    | +### Pod Network I/O -- **Disk I/O** +| Catalog | Expression | +| --- | --- | +| Detail |
    receive`sum(rate(container_network_receive_bytes_total{namespace="$namespace",pod_name="$podName",container_name!=""}[5m]))`
    transmit`sum(rate(container_network_transmit_bytes_total{namespace="$namespace",pod_name="$podName",container_name!=""}[5m]))`
    | +| Summary |
    receive`sum(rate(container_network_receive_bytes_total{namespace="$namespace",pod_name="$podName",container_name!=""}[5m]))`
    transmit`sum(rate(container_network_transmit_bytes_total{namespace="$namespace",pod_name="$podName",container_name!=""}[5m]))`
    | - | Catalog | Expression | - | --- | --- | - | Detail |
    read`sum(rate(container_fs_reads_bytes_total{namespace="$namespace",pod_name="$podName",container_name!=""}[5m])) by (container_name)`
    write`sum(rate(container_fs_writes_bytes_total{namespace="$namespace",pod_name="$podName",container_name!=""}[5m])) by (container_name)`
    | - | Summary |
    read`sum(rate(container_fs_reads_bytes_total{namespace="$namespace",pod_name="$podName",container_name!=""}[5m]))`
    write`sum(rate(container_fs_writes_bytes_total{namespace="$namespace",pod_name="$podName",container_name!=""}[5m]))`
    | +### Pod Disk I/O -### Container Metrics +| Catalog | Expression | +| --- | --- | +| Detail |
    read`sum(rate(container_fs_reads_bytes_total{namespace="$namespace",pod_name="$podName",container_name!=""}[5m])) by (container_name)`
    write`sum(rate(container_fs_writes_bytes_total{namespace="$namespace",pod_name="$podName",container_name!=""}[5m])) by (container_name)`
    | +| Summary |
    read`sum(rate(container_fs_reads_bytes_total{namespace="$namespace",pod_name="$podName",container_name!=""}[5m]))`
    write`sum(rate(container_fs_writes_bytes_total{namespace="$namespace",pod_name="$podName",container_name!=""}[5m]))`
    | -- **CPU Utilization** +# Container Metrics - | Catalog | Expression | - | --- | --- | - | cfs throttled seconds | `sum(rate(container_cpu_cfs_throttled_seconds_total{namespace="$namespace",pod_name="$podName",container_name="$containerName"}[5m]))` | - | usage seconds | `sum(rate(container_cpu_usage_seconds_total{namespace="$namespace",pod_name="$podName",container_name="$containerName"}[5m]))` | - | system seconds | `sum(rate(container_cpu_system_seconds_total{namespace="$namespace",pod_name="$podName",container_name="$containerName"}[5m]))` | - | user seconds | `sum(rate(container_cpu_user_seconds_total{namespace="$namespace",pod_name="$podName",container_name="$containerName"}[5m]))` | +### Container CPU Utilization -- **Memory Utilization** +| Catalog | Expression | +| --- | --- | +| cfs throttled seconds | `sum(rate(container_cpu_cfs_throttled_seconds_total{namespace="$namespace",pod_name="$podName",container_name="$containerName"}[5m]))` | +| usage seconds | `sum(rate(container_cpu_usage_seconds_total{namespace="$namespace",pod_name="$podName",container_name="$containerName"}[5m]))` | +| system seconds | `sum(rate(container_cpu_system_seconds_total{namespace="$namespace",pod_name="$podName",container_name="$containerName"}[5m]))` | +| user seconds | `sum(rate(container_cpu_user_seconds_total{namespace="$namespace",pod_name="$podName",container_name="$containerName"}[5m]))` | - `sum(container_memory_working_set_bytes{namespace="$namespace",pod_name="$podName",container_name="$containerName"})` +### Container Memory Utilization -- **Disk IO** +`sum(container_memory_working_set_bytes{namespace="$namespace",pod_name="$podName",container_name="$containerName"})` - | Catalog | Expression | - | --- | --- | - | read | `sum(rate(container_fs_reads_bytes_total{namespace="$namespace",pod_name="$podName",container_name="$containerName"}[5m]))` | - | write | 
`sum(rate(container_fs_writes_bytes_total{namespace="$namespace",pod_name="$podName",container_name="$containerName"}[5m]))` | +### Container Disk I/O + +| Catalog | Expression | +| --- | --- | +| read | `sum(rate(container_fs_reads_bytes_total{namespace="$namespace",pod_name="$podName",container_name="$containerName"}[5m]))` | +| write | `sum(rate(container_fs_writes_bytes_total{namespace="$namespace",pod_name="$podName",container_name="$containerName"}[5m]))` | From ecc8e93f99189a8dc1070ac80f85378898da328a Mon Sep 17 00:00:00 2001 From: Caleb Bron Date: Fri, 10 Apr 2020 13:59:23 -0700 Subject: [PATCH 174/183] Add note about helm3 catalogs when upgrade to rancher 2.4 --- content/rancher/v2.x/en/catalog/_index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/rancher/v2.x/en/catalog/_index.md b/content/rancher/v2.x/en/catalog/_index.md index a827d3d9ba7..35fed1613b9 100644 --- a/content/rancher/v2.x/en/catalog/_index.md +++ b/content/rancher/v2.x/en/catalog/_index.md 
@@ -45,7 +45,7 @@ When you create a custom catalog, you will have to configure the catalog to use When you launch a new app from a catalog, the app will be managed by the catalog's Helm version. A Helm 2 catalog will use Helm 2 to manage all of the apps, and a Helm 3 catalog will use Helm 3 to manage all apps. -By default, catalogs are assumed to be deployed using Helm 2. If you run an app in Rancher prior to v2.4.0, then upgrade to Rancher v2.4.0+, the app will still be managed by Helm 2. +By default, catalogs are assumed to be deployed using Helm 2. If you run an app in Rancher prior to v2.4.0, then upgrade to Rancher v2.4.0+, the app will still be managed by Helm 2. If the app was already using a Helm 3 Chart (API version 2) it will no longer work in v2.4.0+, you must either downgrade the chart's API version or recreate the catalog to use Helm 3. Charts that are specific to Helm 2 should only be added to a Helm 2 catalog, and Helm 3 specific charts should only be added to a Helm 3 catalog. From 5a23c3505d2b4c224a878b6fa8deaa5074a4e259 Mon Sep 17 00:00:00 2001 From: Catherine Luse Date: Fri, 10 Apr 2020 14:39:17 -0700 Subject: [PATCH 175/183] Fix run-on --- content/rancher/v2.x/en/catalog/_index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/rancher/v2.x/en/catalog/_index.md b/content/rancher/v2.x/en/catalog/_index.md index 35fed1613b9..48ecd6612fd 100644 --- a/content/rancher/v2.x/en/catalog/_index.md +++ b/content/rancher/v2.x/en/catalog/_index.md 
@@ -45,7 +45,7 @@ When you create a custom catalog, you will have to configure the catalog to use When you launch a new app from a catalog, the app will be managed by the catalog's Helm version. A Helm 2 catalog will use Helm 2 to manage all of the apps, and a Helm 3 catalog will use Helm 3 to manage all apps. -By default, catalogs are assumed to be deployed using Helm 2. If you run an app in Rancher prior to v2.4.0, then upgrade to Rancher v2.4.0+, the app will still be managed by Helm 2. If the app was already using a Helm 3 Chart (API version 2) it will no longer work in v2.4.0+, you must either downgrade the chart's API version or recreate the catalog to use Helm 3. +By default, catalogs are assumed to be deployed using Helm 2. If you run an app in Rancher prior to v2.4.0, then upgrade to Rancher v2.4.0+, the app will still be managed by Helm 2. If the app was already using a Helm 3 Chart (API version 2) it will no longer work in v2.4.0+. You must either downgrade the chart's API version or recreate the catalog to use Helm 3. Charts that are specific to Helm 2 should only be added to a Helm 2 catalog, and Helm 3 specific charts should only be added to a Helm 3 catalog. From ca2386656c0cdeb9f57a5ba3f6158b258900a85a Mon Sep 17 00:00:00 2001 From: Catherine Luse Date: Fri, 10 Apr 2020 15:38:56 -0700 Subject: [PATCH 176/183] Fix errors on GCE cloud provider page --- .../rke-clusters/cloud-providers/_index.md | 4 ++ .../cloud-providers/gce/_index.md | 49 +++++++++---------- 2 files changed, 27 insertions(+), 26 deletions(-) diff --git a/content/rancher/v2.x/en/cluster-provisioning/rke-clusters/cloud-providers/_index.md b/content/rancher/v2.x/en/cluster-provisioning/rke-clusters/cloud-providers/_index.md index ee5c9c2af7f..70dc4464f42 100644 --- a/content/rancher/v2.x/en/cluster-provisioning/rke-clusters/cloud-providers/_index.md +++ b/content/rancher/v2.x/en/cluster-provisioning/rke-clusters/cloud-providers/_index.md 
@@ -26,6 +26,10 @@ For details on enabling the Amazon cloud provider, refer to [this page.]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/cloud-providers/azure) +### Setting up the GCE Cloud Provider + +For details on enabling the Google Compute Engine cloud provider, refer to [this page.]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/cloud-providers/gce) + ### Setting up a Custom Cloud Provider The `Custom` cloud provider is available if you want to configure any [Kubernetes cloud provider](https://kubernetes.io/docs/concepts/cluster-administration/cloud-providers/). diff --git a/content/rancher/v2.x/en/cluster-provisioning/rke-clusters/cloud-providers/gce/_index.md b/content/rancher/v2.x/en/cluster-provisioning/rke-clusters/cloud-providers/gce/_index.md index d5f13a993f8..32980b2e40e 100644 --- a/content/rancher/v2.x/en/cluster-provisioning/rke-clusters/cloud-providers/gce/_index.md +++ b/content/rancher/v2.x/en/cluster-provisioning/rke-clusters/cloud-providers/gce/_index.md @@ -3,9 +3,7 @@ title: Setting up the Google Compute Engine Cloud Provider weight: 3 --- -In this section, you'll learn how to enable the Google Compute Engine (GCE) cloud provider for provisioning custom clusters in Rancher. A custom cluster is one in which Rancher installs Kubernetes on existing nodes. - -These steps are required for provisioning GCE Kubernetes clusters that include Windows nodes. +In this section, you'll learn how to enable the Google Compute Engine (GCE) cloud provider for custom clusters in Rancher. A custom cluster is one in which Rancher installs Kubernetes on existing nodes. The official Kubernetes documentation for the GCE cloud provider is [here.](https://kubernetes.io/docs/concepts/cluster-administration/cloud-providers/#gce) 
@@ -17,18 +15,18 @@ If you are using Calico, 1. Click **Edit as YAML,** and enter the following configuration: ```yaml rancher_kubernetes_engine_config: - cloud_provider: + cloud_provider: // indent 2 spaces than `rancher_kubernetes_engine_config` name: gce - customCloudProvider: |- - [Global] - project-id= - network-name= - subnetwork-name= - node-instance-prefix= - node-tags= - network: + customCloudProvider: |- + [Global] + project-id= + network-name= + subnetwork-name= + node-instance-prefix= + node-tags= + network: options: - calico_cloud_provider: "gce" + calico_cloud_provider: "gce" plugin: "calico" ``` @@ -38,18 +36,17 @@ If you are using Canal or Flannel, 1. Click **Edit as YAML,** and enter the following configuration: ```yaml rancher_kubernetes_engine_config: - cloud_provider: + cloud_provider: name: gce - customCloudProvider: |- - [Global] - project-id= - network-name= - subnetwork-name= - node-instance-prefix= - node-tags= - services: - kube_controller: - extra_args: - configure-cloud-routes: true # we need to allow - # the cloud provider to configure the routes for the hosts + customCloudProvider: |- + [Global] + project-id= + network-name= + subnetwork-name= + node-instance-prefix= + node-tags= + services: + kube_controller: + extra_args: + configure-cloud-routes: true # we need to allow the cloud provider configure the routes for the hosts ``` \ No newline at end of file From ae7a2d5d365cb3a44fb0b9172a7d2de922ffbdc9 Mon Sep 17 00:00:00 2001 From: Catherine Luse Date: Fri, 10 Apr 2020 15:40:13 -0700 Subject: [PATCH 177/183] Remove comment --- .../rke-clusters/cloud-providers/gce/_index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/rancher/v2.x/en/cluster-provisioning/rke-clusters/cloud-providers/gce/_index.md b/content/rancher/v2.x/en/cluster-provisioning/rke-clusters/cloud-providers/gce/_index.md index 32980b2e40e..2484105be02 100644 
--- a/content/rancher/v2.x/en/cluster-provisioning/rke-clusters/cloud-providers/gce/_index.md +++ b/content/rancher/v2.x/en/cluster-provisioning/rke-clusters/cloud-providers/gce/_index.md @@ -15,7 +15,7 @@ If you are using Calico, 1. Click **Edit as YAML,** and enter the following configuration: ```yaml rancher_kubernetes_engine_config: - cloud_provider: // indent 2 spaces than `rancher_kubernetes_engine_config` + cloud_provider: name: gce customCloudProvider: |- [Global] From 69e12f4fe9093f54762104a2da1c571d8de4bc1b Mon Sep 17 00:00:00 2001 From: Catherine Luse Date: Fri, 10 Apr 2020 15:53:46 -0700 Subject: [PATCH 178/183] Add line breaks --- .../rke-clusters/cloud-providers/gce/_index.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/content/rancher/v2.x/en/cluster-provisioning/rke-clusters/cloud-providers/gce/_index.md b/content/rancher/v2.x/en/cluster-provisioning/rke-clusters/cloud-providers/gce/_index.md index 2484105be02..548ff88ba96 100644 --- a/content/rancher/v2.x/en/cluster-provisioning/rke-clusters/cloud-providers/gce/_index.md +++ b/content/rancher/v2.x/en/cluster-provisioning/rke-clusters/cloud-providers/gce/_index.md @@ -13,6 +13,7 @@ If you are using Calico, 1. Go to the cluster view in the Rancher UI, and click **⋮ > Edit.** 1. Click **Edit as YAML,** and enter the following configuration: + ```yaml rancher_kubernetes_engine_config: cloud_provider: @@ -34,6 +35,7 @@ If you are using Canal or Flannel, 1. Go to the cluster view in the Rancher UI, and click **⋮ > Edit.** 1. Click **Edit as YAML,** and enter the following configuration: + ```yaml rancher_kubernetes_engine_config: cloud_provider: From b9fac34736609764c47636f5e20f81441e3698e5 Mon Sep 17 00:00:00 2001 From: Catherine Luse Date: Fri, 10 Apr 2020 16:00:11 -0700 Subject: [PATCH 179/183] Remove syntax highlighting from page --- .../rke-clusters/cloud-providers/gce/_index.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/content/rancher/v2.x/en/cluster-provisioning/rke-clusters/cloud-providers/gce/_index.md b/content/rancher/v2.x/en/cluster-provisioning/rke-clusters/cloud-providers/gce/_index.md index 548ff88ba96..000b537c110 100644 --- a/content/rancher/v2.x/en/cluster-provisioning/rke-clusters/cloud-providers/gce/_index.md +++ b/content/rancher/v2.x/en/cluster-provisioning/rke-clusters/cloud-providers/gce/_index.md @@ -14,7 +14,7 @@ If you are using Calico, 1. Go to the cluster view in the Rancher UI, and click **⋮ > Edit.** 1. Click **Edit as YAML,** and enter the following configuration: - ```yaml + ``` rancher_kubernetes_engine_config: cloud_provider: name: gce @@ -36,7 +36,7 @@ If you are using Canal or Flannel, 1. Go to the cluster view in the Rancher UI, and click **⋮ > Edit.** 1. Click **Edit as YAML,** and enter the following configuration: - ```yaml + ``` rancher_kubernetes_engine_config: cloud_provider: name: gce From a305dc2ec1150f76552d8af2a9d638a787075944 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Batuhan=20Apayd=C4=B1n?= Date: Sat, 11 Apr 2020 19:57:06 +0300 Subject: [PATCH 180/183] Update _index.md --- content/rke/latest/en/installation/_index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/rke/latest/en/installation/_index.md b/content/rke/latest/en/installation/_index.md index 30d5dc73842..1f83871f40b 100644 --- a/content/rke/latest/en/installation/_index.md +++ b/content/rke/latest/en/installation/_index.md 
@@ -7,7 +7,7 @@ weight: 50 RKE is a fast, versatile Kubernetes installer that you can use to install Kubernetes on your Linux hosts. You can get started in a couple of quick and easy steps: 1. [Download the RKE Binary](#download-the-rke-binary) - 1. [Alternative RKE MacOS X Install - Homebrew](#alternative-rke-macos-x-install---homebrew) + 1. [Alternative RKE MacOS X Install - Homebrew](#alternative-rke-macos-x-install-homebrew) 1. [Prepare the Nodes for the Kubernetes Cluster](#prepare-the-nodes-for-the-kubernetes-cluster) 1. [Creating the Cluster Configuration File](#creating-the-cluster-configuration-file) 1. [Deploying Kubernetes with RKE](#deploying-kubernetes-with-rke) From e0eb8b062992d896ce6a129ebea38140be83b3cc Mon Sep 17 00:00:00 2001 From: timniklas Date: Sun, 12 Apr 2020 22:09:40 +0200 Subject: [PATCH 181/183] Update _index.md --- content/os/v1.x/en/storage/using-zfs/_index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/os/v1.x/en/storage/using-zfs/_index.md b/content/os/v1.x/en/storage/using-zfs/_index.md index dd317c1b5df..1247accff85 100644 --- a/content/os/v1.x/en/storage/using-zfs/_index.md +++ b/content/os/v1.x/en/storage/using-zfs/_index.md @@ -21,7 +21,7 @@ $ sudo ros service logs --follow zfs $ lsmod | grep zfs ``` -> *Note:* if you switch consoles, you may need to re-run `ros up zfs`. +> *Note:* if you switch consoles, you may need to re-run `sudo ros service up zfs`. #### Creating ZFS pools From 3fe1b07563f0d91c3780205cc8dba25939106988 Mon Sep 17 00:00:00 2001 
From: Brad Joniec <56899019+Rancheroo@users.noreply.github.com> Date: Tue, 14 Apr 2020 08:52:58 +1000 Subject: [PATCH 182/183] Updated retention in snapshots https://rancher.com/docs/rke/latest/en/etcd-snapshots/recurring-snapshots/ as in this document RKE 0.2 + uses a numbered retention not a hours The number of snapshots to retain before rotation. This supercedes the retention option and will override it if both are specified. --- .../v2.x/en/installation/k8s-install/kubernetes-rke/_index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/rancher/v2.x/en/installation/k8s-install/kubernetes-rke/_index.md b/content/rancher/v2.x/en/installation/k8s-install/kubernetes-rke/_index.md index 2791481d481..8f62c8450ec 100644 --- a/content/rancher/v2.x/en/installation/k8s-install/kubernetes-rke/_index.md +++ b/content/rancher/v2.x/en/installation/k8s-install/kubernetes-rke/_index.md @@ -161,7 +161,7 @@ services: etcd: snapshot: true creation: 6h - retention: 24h + retention: 24 # Required for external TLS termination with # ingress-nginx v0.22+ From cd2b4753f17e739f32662cc2d7f3bcd23b7059ee Mon Sep 17 00:00:00 2001 From: dkeightley Date: Tue, 14 Apr 2020 14:55:23 +1200 Subject: [PATCH 183/183] Add note/warning about NodeLocal DNS changes in a cluster --- .../rke/latest/en/config-options/add-ons/dns/_index.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/content/rke/latest/en/config-options/add-ons/dns/_index.md b/content/rke/latest/en/config-options/add-ons/dns/_index.md index a1e268bb988..2e63a5c25be 100644 --- a/content/rke/latest/en/config-options/add-ons/dns/_index.md +++ b/content/rke/latest/en/config-options/add-ons/dns/_index.md 
@@ -129,6 +129,8 @@ _Available as of v1.1.0_ NodeLocal DNS is an additional component that can be deployed on each node to improve DNS performance. It is not a replacement for the `provider` parameter, you will still need to have one of the available DNS providers configured. See [Using NodeLocal DNSCache in Kubernetes clusters](https://kubernetes.io/docs/tasks/administer-cluster/nodelocaldns/) for more information on how NodeLocal DNS works. +Enable NodeLocal DNS by configuring an IP address. + ## Configuring NodeLocal DNS The `ip_address` parameter is used to configure what link-local IP address will be configured one each host to listen on, make sure this IP address is not already configured on the host. @@ -139,3 +141,11 @@ dns: nodelocal: ip_address: "169.254.20.10" ``` + +> **Note:** When enabling NodeLocal DNS on an existing cluster, pods that are currently running will not be modified, the updated `/etc/resolv.conf` configuration will take effect only for pods started after enabling NodeLocal DNS. + +## Removing NodeLocal DNS + +By removing the `ip_address` value, NodeLocal DNS will be removed from the cluster. + +> **Warning:** When removing NodeLocal DNS, a disruption to DNS can be expected. The updated `/etc/resolv.conf` configuration will take effect only for pods that are started after removing NodeLocal DNS. In general pods using the default `dnsPolicy: ClusterFirst` will need to be re-deployed.
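Review bot: in the metrics patch that ends just before PATCH 174/183, `+# Container Metrics` replaces `-### Container Metrics` with a level-1 heading, while the sections added under it (`### Container CPU Utilization`, `### Container Memory Utilization`, `### Container Disk I/O`) are level 3, so the outline skips a level. If top-level sections are intended, make the subsections `##`; otherwise keep `### Container Metrics` and nest the new headings one level below it. The Container Memory Utilization expression is also the only one left as a bare line rather than a table row, which is worth aligning while the layout is being changed.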
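Review bot: in PATCH 174/183 and its rewording in 175/183, the added sentence documents an upgrade-breaking behaviour (an app on a Helm 3 chart "will no longer work in v2.4.0+") in the middle of a paragraph about defaults, where it is easy to miss. Move it into a note or warning callout of its own, and state whether the two remedies (downgrading the chart's API version, recreating the catalog to use Helm 3) have to be done before or after the upgrade. The sentence still needs a comma after "(API version 2)".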
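Review bot: in the Calico hunk of PATCH 176/183, the added `cloud_provider:` line carries the editing remark "// indent 2 spaces than `rancher_kubernetes_engine_config`" inside a block that readers are told to enter under **Edit as YAML**, and `//` does not start a comment in YAML. PATCH 177/183 removes the remark again, so squash the two commits so that no published revision of the page contains it.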
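Review bot: in the Canal/Flannel hunk of PATCH 176/183, joining the two comment lines after `configure-cloud-routes: true` dropped a word: the old text read "to allow / the cloud provider to configure the routes", the new line reads "to allow the cloud provider configure the routes". Restore the "to". The hunk also leaves the file without a trailing newline (`\ No newline at end of file`), which is worth fixing in the same commit.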
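Review bot: on the `retention: 24` line of PATCH 182/183, the value changes from a duration to a bare number while the neighbouring `snapshot: true` and `creation: 6h` keys stay as they are, and the description quoted in the commit message says the numbered option "supersedes the retention option", which reads as a description of a different key than the `retention` edited here. Please confirm that this `retention` key, used next to `creation: 6h`, accepts a snapshot count. If it does, add a trailing comment giving the unit, because 24 snapshots at a 6h interval keeps 6 days of history where `24h` kept one day.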
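Review bot: in the second hunk of PATCH 183/183, the enable note and the removal warning describe the same `/etc/resolv.conf` behaviour but give different guidance: only the warning says that pods using `dnsPolicy: ClusterFirst` will need to be re-deployed. Say the same in the enable note, since by its own wording running pods are not modified. The note also has a comma splice ("will not be modified, the updated ..."); split it into two sentences as the warning does, and have the warning say what kind of DNS disruption to expect.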

zm}i{l(eomES%bYIkn>ZZny!4%-H&FazK75Rb+N&rAv$*UXP{>#Cj5d6nrpaOTu^X_ zpSwSMbcn3Tn1`f8OfVW7o{exu8)1YQ8Wg9Pd=n|D$l#LEY+r7 z%r2;S`E7kP*1WdTa&TwRoR@(?u7D^b3$)5JUJ#jDYU}X)xPkrtt|`{}RMpZ!1}6+^ z{wsa4(uor4xa!7v2~YAj$uQh#f}Zw2c!+FTbb|Py))KD zFBor@NIo#WUYP~7(V+qJrI9;5+Tu*UPF0TO-;^Zf>@6f@p&wu#gx9Zg@yxyc?y$wI zA3nbtMDI%?-AwO`K7+1()VZFfI`Pw+Dl_ovAJ5*Nb@RdU$^HAYaNmMwc~R)|1^jxJ z$mG?th7R#^eBNSwMiByyE>)L~E&^*A@~9dNv%j@rr8{ZZl~8mL&bmqLws{i#j~b`+ z6w$v9iW^1~Cx99Umwh{1q+f{VmWGF`lXA95W*npD{pu;(py?ry9O(jWm1-Fb*S}9Q zYw!PFbKINEXW`?a9ozod;Iqq=H5{f_zjWmzd#t5n%~ zpVfvz+5hrN6ImWCxFQS^c$7^2wJn<4)(Rni-^6e&u!$W9xemYoCs!)m3LFLRQ3_ox z369%Hr~-7qckSylZ*ha)j}b|eM6M4r#luIZ`pfu%UGqeBCE8Zs?dvm|UY5Sib~El^ z{ZV!3N@93z9_sJ!DE?y-KS6K7#I7N2-FUkQ>1Tj#Z^{g?U9BCR z>y>unm}&OeOLr}}q7!}keCgiF|X2Uvn(t=^Gg4jo1B*OZhg z1TLNu*~#|x+mZj4lknHbqNlSQrsuMi>k${!oIcllOg94fS?Df`gNn-g=yPak!1OJl?PCr zM3P5#=WzToIFo(Fb6a3lgI3NylbaFL+7l+vwNHgfJOt2_=#c7C{ zyj$+Yk+XW!vT0uTTQpZ4r^RsBedU;ir5yjYA@q?E6T_8$(v#8Z-7JsGf)Y1(ca;|q zsiM#N<7j1heHInjy8< znT9WSGH?g=j?UjaHr)nQx^gg2MLj(~i)p^+e2&;6{`haaRM5d2!mlBA8_fS!A>wzi zKwij02J*RG)C?*V7jhDqhz0`VWWJF)6ey40P!JO};DvW~^ECwS(q#s#`Pl|XKFmBPqjA{YC zN$^cCQxUPtG+t+Ct}bR@+Q?nxtr}03q)zc0yog3_Gb*_KKK*0eW^?x2aNX!D5&wO& zJ#|rC3AfcXAsY8JsKOUE3OIRA*IS7rNEsdcIF*B%!^;NPdhFL_0G*78P#&k zvg?1l|B$f|Q#0e!^{>rTzn(68hjKPb!u6vR&?LxA&B3pcC|=e6_69_Puh(@}!Dx39g$~4@|SK^8Ffqj0>oGW;-tPOdQ; zpT4*K7PozDQW8hJ@MU;qw@ip&SKr3CTb4l^M;*RqbxK8S6W{$$FUjI)q!lJ7;rktt zf%tVD?Ga?X4*N4}~SSNS1Nfgq{ zNitf2^ig61vpGxf|y3 zTuxN9cFI;R1vDgJp7dBZ;!gi4)bukQ7rt~#ze$#0`O(_G_*^+POt`4*2#|hs-cW=@ zQCyTHBJTEdFA_@G!rCWw;sQK!5`;37^Yp}tL;AZM|J_<%Y10n;ZIfmblc!>>?@u+o zqIj4G?wa|fG`OrA9&bOj-JX32<{6XkcC$B#pBH`Pqlweecm&kJ1p8@s0;CzcX9daE zm+0kjw#@F{kkR+xbHE;P(eJd0UT$&}t9wxe(}{}j%gakS z>Mb8yKvD49JSh`0=iLsJ-PFq(<^uUWi7@E6%l_e9kekt9)~0dX2j^6mqA;LQ?@e4R zCHgO(&M=pM5lmieJiSqn*5BJNwCr6yLrz&e^P{zlzjXtrB1k1Y znmh(KtplCn=I%M0>88*w;=%>^UPDS%d!T~$|FbpA_eGj>uUiFT9P^m0@LE1C+bi~X z(RF?lH?DW@)=+^aw*>sC??&azxZ2v?PQQ4Y?(fC!mEKctq#N%h@tXR&`Hdl^%0@YK 
z$uY+SZ4R;Y%(jfb9H(EP7e1LvGVX!1(>~5KFuuixzP}pv&~EuK3Y%=Oprl_&y>#w# zgB%JgK*uOMY~&Z_Z{9JhTkc+E;G+raO#*$18?2HON1H%=pbc&V8O)1Cb-ifz6;m@8 zRmIawk&$0_zhEsoI1yV+l<3Kfb&GYyl9j&`ofJFh{qQDb>aBsv$=RO9$#|c`WD9vY zyGncK#ymOL6&VP)H~H?@`#t`$-{4RGu9koO*30n5F~_Xk7cP?M&p*)Vt|w8=R33U%Q$9mm%<7Ucf0;6Vs@VD7 zAlGoUl`MNfsWAHa@VHU0pqjZg^!@wOGwwDyL~~60j%sP2>!$;nK(MmhPW_@F@kQ1iE{TA4 zfb~@C*08Ckw6&2@CWQ?GalJBG)usov)%++z#9V{% z-p)t86q^>o6gG$c zu$L{Y(H-uzBV1^&=2GqW62vz)>G8Qi!}zeL>MOr@*$~XqqvD;&9-2eA2e~j^`B8F3 z*V)APdE2w#2F>^AwA{0M?KFZ5KmA>vK#Oj{MqcuMWgyNOFG-iNwI#(&@yn4uKMfwK z?qZ%XWL{sy9{%7N)*Fz?j()J=#FdqKy+}vf$k(rG%&1tMT}>*~q6E_WqugqmZuGW3 zZ^)X*<+*|FUe7J|HHlBqhH0X0&~U;Oxn9(Di{Yq0{n^X*yy29PHmA+q#TeW315KC# z;p5NE8b3Z!9nTAl6Fs4xosa&>3a%b56L6@fyiNZ1jl!T+Y0gDTT?-!w78);WD$@DB zWHQ0NZCWC2&BqXi=J=9evC|{^MOT<}MVwouiJ|3)*??VRRjCS7mGRDrQL%-(`E{3y z;4O!)GBHtlSlRte9!=?;Yv!?O9&sced8BZX^b$_?PGyaa`SXhj&BqIfL32GyI$ajW zw{iy<9pKOrzf3|(RWEn$7|s_=v`{u$B>GgqH(s8r0IWcaqELRUNvfb}>io^t6||uo zQ?Ix}O~uYMQ4*M4G7^QIPF8l^hIe68hVL8uCf=E8a{TRq=7FUi$-_Z|9DxSaAUqnb z@veB@K1d4T!@R8J*Zr%9lhs{yTjVjO=Ogo<5l(16VxvZiufhLBKmYd~3ztWDfc8r% zL~gbP;|^UMUJ@`si=%(a3M@1#d*_`FjAPJ8%O|S{=L1hD3hr8rjhDC?p5 z3p;H`z-7=)cp9=fy_}c^+69+8y5pBQ`7Xvv*+(~ov&#&m3xRBv3qHLbn$#wV5EoR4 zRM_T&t~i{?jg9U2_Z+yK?q^I+u*&x(Mol>i)8@WejU~n;YY!M+YCR_UiI3+CH-gJG z(@T6o0m>*X0%&e2T8sbEO8=>;DD{vVagOtbCyE!I?6hdO944EbF3J=aaGdmxJ|a;@ z5vhIpRXFBlxHO7jZEzgsw&^t)lih)N2mz&AQQKOu&{AxGr(%VT?28d1^ZZYKEFt9O zZ+ApwtMBi;K{En%;i4JkOP{S%-JQSiIX)X(s@v*~OBXLUY7ZwhA1@YkkZB{!WA%!2 z0taEyL?dYFQFfunh zXCh8<-s@>!Hsi&=zY(dbTlfl%g8NY)B7*e4hD3pmhV%De@^8V`pDmCn@w`M98nxBH zuO?G`@NCC7S;FKnu&oF6S;lo&dxwP6E#@ewuJGetPr0n{ka9QYAKH$v@ah?>4>f>A z#LM>UEvIyKi=@-!^m~k7D>@pcqbc&OmaF{9*Qojgh9*hL9hy8mlK0mR@*8@z-7B1* zHq$3W5D=_tm0R|w9gapCiqq25yDm`(Dw@a=vl|B$Xc%3uFSs@mNrys%7O<~o1*G@? 
zK}+g3=awnlw%9TAdaH77-~avU{ZaBdcnGcDHQ)ok ztD8i4Ev}*A^VyD?P#kYHWsID6v+JtCrp+lTU$tDfopIAn&JFYnEowMqS1-?* z__4_(tkJMcyscid`6 zL`A}&yK^X|84&4Kz@bZ0rDN!j?vfs)yK`vx_T1j*{m%Qm&$-Wk#5J?`wf0_nt-a#+ z3oEN@IPE1zKF08D3J7IEy-OU>A#TEy|HT*l_m}&ma`XC@XT(TXOD{pU64Q(CuJ+`V zgTic_Bk?K<;G)%&I-|_POMOQIc!OPsYv+rz(rin{zu#ZCh0A7YR|I4=ef76_c|Z9a z1maBwzut8G?UbAaM~0~?`@c-7MbJFrAef9JNir2R-<_zbP&zxb)bLV>9C6&KDU>R^ z0;h|~RAq9B*Co!Im!TWtV;_`tb?d_D>X`1by3hKcfirpBcAr~1a! zveJC1OPa^k-g%XqU?PsvJ&7?9#NB-br-j&$r?r=-?(P+f&KgfHPTMNke&4Q`7P)sk zRr-r&a_;MjVP^Jp)d{4#UVfA6gs&%g1jMR$Ki zQaz!0%R?8w(aGY0GAsH3&!%=TOvVuF02OX}<^W{#(Cg*^^nYF#~ctUe2)5wd@=zOk|O2ov9eYpdx%=5Zm|W1q!6td@qq zxp#J0u!y^xyl{3-VuNIppC6B*4to#EGEUtgCN8eugfHUbKTYxC^1q>}0q3nx%pGti zech~R{?CW681roRhsbt(%ZSKZYJ~++gBca$;;awXxMoiKCMf+qr#KQ&afTKhkdo+m z{*d_pf1m&DCm%B4OIkiwwIQ+@+rBo^X2|l#86G35NZpyzWE1x=d!eMXFyZ_DX)3kd z6!XSd>ZhhA{D~sNp!Yj;safMqRP7`{gpGk9+~_G}!3ScL|DX~K+~Bb&z8DP8c|1Eb z39ysjOnYDFiXFYRt2$d(LcTTxO~fUhr;jNmz0`AWH(WV!0ra$#^cAtcvVU}e3 zC+|NE0hII3L*U7Lo&?R=HwjKa-}-0fjbwo>u|dhTHAT8MCGcs6ED*!ZJly@|_K#oX z^8n>$@83{?dft*a-^`4Op@GHfbH@5&Df_D;XMJz+xH+cdQ^QE$$*42$23k1yT0Q|o zy#I3L3r4LotL3`%Uxu}@9VI(4S3cT*lwIR7>M=>b_kXOh&k2}YaKmH%|ESr2{z0q= zb^#wH{O_QN)HCpF&_}F)KZO5fSN`p94^Vrjsq@?4d*>R5cz16mZqVqT#Wjl!&c{BD zA=Hilvz!MvTNc~0yZ={6_1^~hd*)K5;KdS{=5PG{2R_RTJ}H6RAKCl|Ibx>)n{gRvM!!MH{oFWmm$DgFB$3cCy?i|%|O z5bj2usxhQs@k(Ts+y9G_GDtPHqx(vc{85M9YB0sZNa8Kof1Y9qm?A?YC-l!_3{O#0 z#CZPrzf3X77kuoU)WY3AB7Cg~X8b)|=<=WCu^R>E#1)PS`FkH`fWgE>xcTt@gZ%!| zK`90%Ap6V~?qARU3^s|1UqHN)!v8O!{rhVD^$#g+RG>~S^4%Y?J-dxMfO!Vqll#`zfrbBhEDCi%#-9!U z^OAj92UB`|iJNx)XHI2OU}(HgLVu@g{?mv)LST)8N!VNeWUz=I0NG1ZDW3h``SSm{ zKV}8NV_wvcCqw`27F1aG!Oi4H|Ey%hClz1|bKd%UE*2=^ls=*PZ>Pr;`0|!;*vCI# zjvWD%XEuyU{Er&^C;i+_1w&njQ*!)SForoGojXcO{{Lmc{J>a#tgio>(jfTtNwlHp zf3XmIC`;#UZ1qRw{>Rb(_YV4h_SgR~BtB2TLOhS*JNlop{?}aop7{W(GR2q#{`X@a zKtMP0f230X$0ty~K2Tv8xS6VqRO=i}__e>AhNAvI@3vZI;-C-xNex@E4|ibYoyZbB+C|?~LQ{cMfrpMfs1=n`0S*9$lgS$S 
zKd$cwdJK@~b2FF|uzp^!AE)8csZ=2&A?K*M6Y=>3-sAvAYr4+>_VD>u>hh;s`HV3HSeM4*@IcGX+}b!KiZE8Pf2_R9m_ zu6}cafVZBsyYYJsHTkAh$S1VnhNF36#-PKxx9gyD`jMN)`KuYIy_Mm@V$5w)NF05B+2_YV%TzJ8Sfz|+hCl*=%~QLEGtNN>MSbY~n=4}iTF z0h*G<{^6Lu_iw`F#pUGy+MLU=8(jc0cBy)!Ai5sJcDIfXqL;d3yN|~7>DQYQ_^nMA zJ3gnc?761t=L!?(d+y1_^I5(Y`wprHfCu~z4G@^e0yLP=a~H)o1S2!){SxPS@7IUF zeQO>MlnTW-#LEL%#@(PUfV!@*yRQ#cpj-0-l!Y8_j43}2qcChBw|VtbLIlWF>1iY# z$639+9e{QD0syM`_Jh=8UAgXZX?Fc((VyM&d3Rd-T{!mp_eWLpA#9mtWy2DDuTtN* zE{XpHGhYNq(@~nGW}QEMv6?GU$fVcp?3XV&27OkG0x~fHY+|VQt7+YWK!Q56n2W%-%`IbPdz46rDVaS{O%RP6Qo>_ZcK z01DO#0PwQ(>OyEm**Q63;4JA>65WdN@rS14(_BdZjp}skHfz7DY5|5?q25-z4A^r^ zb+!c#AsoM18pkI9w;BhE+?DgmJ}CRIvU9*%Ig}@|L<5cQF({qjtl7K=cn5l^6~>uC z4FrHGTLcKVZv?nhuW0I(QLz0~kxMmpW?x82Njtf`_VB>Qb6gId1$+y?naFkDzp{Uu zS-VyA^2uYYsA(so+ISM>hEgx2${8}wMRn^bL^s3|$;cSS{Ar;(oFY9~@kk2!~AmlR`m{haLvZ@oF69~wcb zKLj#GT(0_JbD-z1zGW$lsTb2^zcx?iZ(SkkX%Ev>UD|KQ2RM|&dT0fbH>K^jZZ$@& zJSegn`97@Yv9*Kn@)9vWyvM}4WBPbbmH!= z0!1h24FIQ(l*P|M?Kr@Ljbr=PeWMi&e#f1<e{2e9{^Hj?r#C4%*%Eq>gOYW@N0r8M;jgpk{Fq zGkM>B3onnDS^++{N64bx!6tUIo%oMML87Vk87 zrR(8OQqwXspCn;VM2=_*6fM33BJ2i8SF9A0PxWzNDFBWAK0qwO|NT|IEG8&qA^*yWC#pWn~>DK$R;Xc2fW%{Z(f2#M3h zXva26^CztVau;5gXPv-_*lf3RpjA%b>x^W&08skm8hC0I-?mg1f)UFH1tjDV?IpxP zW0%8W8QlsYZ({4pUDl8LgRVu5r9$5hezohqO9=Dy@?01*Wj{?qUbOIdu^oI!#E%iV zJbaDESv2oBru&YKqjThkU}m*T>MDkwe$LrZB1vN3>54i%p2V-5!sq3dyhE`orTwsW z*h<|oESt{D)yryiz_fUU?R>UZupfCUdN_bnJR08?p}TZ&+{M=V?MSu1QN?t@@B%EM zYTSp77gEGJ{_i^SAeLwo>=TtlqQMiTWS;YR%RQ-*lE%w7%^2BrtB2dk`&1@k;-ygt zs1O~*8Ik10r#N$uCKxpt*;F8>hloGm0c3%jCp)R(@;0vh-Q;2L2D|d-{_5$+6{1v* zM44#Acek<4b0zmX?iWiBc;lKojorlyD85zD=!;C)o+xE0T*Ec#&i(UYE5Vzhw#Mz| zMX8Y5N96p6ky8&Ua+T?{nmb7AtCPKf=km4WBQ3i~^Bw0XU;d^9gI1Amo}_M59N+F1 zw~ps(Q^C_#oA(B9-+yZ2*IqOKEhmL4%cnY{d<_2y|8hHE&LJNurIqc^`H(nCSeo_I zCE4bEmrKE<_O1g_RGw{XLaSr*xqQd){O4)?1xyZ5`bWrV+=-?3LCMod=BW+`ynv-u zkT%XCkH@FZ@dA5nse~T}}-pE6oST&#DRK4;5DaYO@1=b}IRHA|mq*2>jsu2V7fX~v$(ivWwp;KGNk!!}wIp(aH%sRONfK7VA$;{@3c+0$I2+D#;9(Dpuh!wXQALi43 
z@2iDhKab99W-j|Qxsq4`AjFS~A`EXp0h88GZKnCt5VIX13bFxwoLy6U^c$euBDPXO zRnS}SnlVyfn?y-Sno5AZ{AEzQNs-AR=H;8aaVfZ_UdiKsiAlGOq)-S-P#4>77J{?@6V?-48L>B)>1OXcnX zfadp##6IwSk}osW&}vH9@4%bl@;+7Q{|h)=AC95Z;{Z_gdD0e>cGN@Vr#2Dcl9w|C)LpLVT%|`ew2Bfs$HV+L#91RF; zi*5*(jiGKuee0&xQ@cbz7;}wvc2Fqu6(v~^R!-wwJPpP;9@7v>0tH=G`bmPJ?E5$G zu+rZ=zXAN_PK~boalE28tu0Vmv8hhvV)(+ELodal2Cec3^x%+!D0}kuI#cWTo2Ezbd3njAC`2_uMYP zb#u#{vt2x}J&bZ8)y<;R6iJl+HH%YNut#z zSZEcZ%ge9C3B9_zAO5&l@^VeN7z%N1s$@PxxT<5|`Jqrwq1Ti<8Cw0%jsbw@{$4x0T-8bc`q2T-ysevSq#|_rZh3IT{@Tay z>bagAr<=d+o=~z$%=86SV7#Hk02~xPZ$_b8`2#xM;%1*kf5>bXmgMyse5}$g>B`yb zxPM?A`Zk&UN_~>NIX38U%%!#4 znX0k1Z<)Vq;QV1jC1>ijdVO!&Zox|)Rycn{dnJYS^s27`m(L3vR@!2 zO40*0;4uD)b=%)-O2OuCg9l@8kxJ%Rf^D)8>yku_+*R?Yi0isr4{>S3mq==wpbLY` zZSSjt)ImFfAKJ$^*^ZD1JC+oe`Ak;m=6EH)_|Yt;2hVziOe^(`h%LH8(aUG z8!sBBq)fImheIOPW_vGg?GjAe=)k7A`e$C)+vGSl+y&V2bK&UTK|5-~t!{$stRxFA zq}WA(!+pl%rqqwO(5Pd7%h%cxGu~H5U8R7W&M#iNUsW>2@Dxb11hGcnFteS%${x$1 z?m6<>uM@nNq)nIivQ}ueCGk})Rl{!-v|aI>Yti~`?DH26{r3{B1!ogq9j9OKi``Em z=D4qffECdr3Al|ffDHQCUY^j@gBC-cra3Cv)D}H*C1Pq);msT&Lu*QfrveSzz8ZH& z+bl0v>yhP6d` z!m~|2xshqU;8KAglA~>e+l)Nh&RcXYj9~uwU3loku7B78<9^X}{s?1tUt6d>+#5Qg zs-Bhf>`{i!60PLZDb?Q-k1dMYp*T*7y_zt1{boJ98E|Vz`eq$voGTGiGMR74^ds`& zt-Dl1hhKxHl;FruKWHcSEU3+$rVIJ?*BSQLE+->PImbqhbt`B_T2sv~=Ej%ptw(L_ z1wB23PA55jb2F8jbh;lqEY_^L3>|^C^zQ&hnB!&L`F7N}&AlmYI}W7R+rtv0R`+8A z{YAQ_1L(!GgK=Y)Y&~eX&`}d!D9`+BpGe#f({AR$`lB0h#?0A-!X}>UU2Nvr*-9M2 zirPdXI^}=u8cIvgW zUY&EmmZ`W6UagmO56x4?fO>ZGlYIbG+7tt$PLaH@|7N~7qTb28U4P~7ABnd%N7NlB zZO`xi-mIEU-S(MJJ5%h-$S%wVB5}T%vDDrN7e4u%i~(B*{apL)pIq2uG0nSE->w+9 zw{B5Sm8RI*JKQ9riD^3CbwD7_4t-K_6uQ3lxXUG3Z4UYV-O>Ta6^hl2?>r`@yu`e%rnTrq4tk%`45 zUuO347YOy+qMryGUYu;@={*rEHs0XwYY@k5SZ@;h){wbxRau#D`hCv?5unhaNm7e# zevr0TIiXV@!3Xu&`j)zH`#A0^`r9CS8_+sApvLf^#F9ao!XOJ}`;$J@1w>;=%+<9L zmRW}M-P3-rJ1^2Y6ld>0MeU$lL)lA}HB%43*I(7T|8D=CIQ4QU%>LpPKaO9&*tu9_ z_u~u1RVN4rk-4$;^WH1y_lq<|RvDdR8eYFb7*vjMyXP|~9rEN09_ z!GpBrnl=WbXLTo1!Q!SFxy`8<%-aD?Off`qV2)ZstK@aQnj9 
zJ1X-^Iqzmo*NFMa7)Mebq#p(d0FaD6*GSo|h)^(elyl|0*kWIMLKEdIBQbYJ7llOA zHc9L~rSWpAQfum*+VAfA?sgE8cv*N&utiaXnTiMR9R92srf}Yp0N-i|*lC9M)5XSC zmhnxm*UNd}bcYp>0(cXFVhjH=*>2i323ws%!-PqtN9(#+@yb?2hT225<4EhB{$Pgh z6TwywcPV+z?bpwaBUn!g`>kp3`}FUmejcVo*UAhb`y#OZlO)z8$b$hnp@WucSFgFo z`Jt?pE=YQIcoMILq10Sd^=X)|3g#T4`1_BEz+5)(FJ;N3*KEJ=jsv|Qsxh!^%L)Nb z(vvCg>)PS`ioWOg$EPcMun6M5Hpnreg8s`#p>`1tB0nCk`byTv>@CmMhxb2+Best> z1m)}8_wM#R3|;j@XjZ?6zMl>lgLdCK9bItH9*&0*IHfhE2sJ1sdTn4@4}Hm5s<5=A zV??XoZCca(C4PDM@L{HTG6a1V6Yg;OAuX>`DEszAMu1n)wuA%MIn#f%aaCA}-81kzYaglce!O8K{)woZa*Wnuw(Q`(#SE!UgPZ zU^*xl>eb!DG)Sjc|6HKW^GGC+T($h;$9JxKD$Xb4d=M?I_bG=%prpS)bN9{)Y<8di zgN#5Bo)@uTUu&JGp;{}TmebWYa*Oxem__e0U4V0qr{^mClBF1CdZKso2|ti;Gf)!0 zQp1om4_Ek2+bi9`CAbr9eeFGEiXhp9A}@^Pt~=UncVzW!XxH6hZV@_tJmC{-`l>gF z`>>Gc(^9JGcgrIHNz5xvSpeW?Sc!z_;cxJxq*Tz!SOsa|bDM14y?P!&BwP4Xvr%S0 z(sjRb4$w7gy0H3+RG8>I_4-|M|CMe4FT?K=ajGzF5I#l29=8^v85p*(?{_il$=G-$ zhl{LDer0|uYp(A0F}6-aWrYFRX1L%qMQf->P&l;_#(C1u#ssgJ56{NpT_T%|>@|0^ z6S!=D(E02NCs}{E>ttpA0)c#$V(zCc!f(ZUmZbi|m9u%0L4xX=Z>t0}Wu2F>RPhyI zh2Mw7M*hiA->LmHiDy&qDAw@l#Dx6qt$GLa$YIhQSeElt16M6Q@o|SR;dd0HoOAYd zvl)1K*j6cwI!#!D6`odI91d%j{+8qB?ykLzbYdR2F`axUi{O&J2b1RVi%74pZc_R; zj)^NUY}P^SKVqLO;3$4U@^2up+>aPdD>V}5yEZ-idZZz~yB9S8hyb`~8b|NCF-^s& z9j1{4O=S*x?a%D{kY5}Ky-y=LO*Tkcva~zEX}~}ETn?@uyC^9ZA>mJpF6#zDOgmSHhN+Kcj^m1y$|R0xJ2>>e4C--v1qlRrJv?)dJ51ZU0fmE* zO&7hqK6mQ#SB&&!s@Nh1{CCve@Z0_lh~}N*c|qx=B50*3Ru=a0-TIVc0p%RP_MJPA z5Q=mV7u^ml8+3-pH0A*El!u3xhI1s)orKLO_V)`^vbuoek-jJLv4;*5@VNuQzD(PMP%u+W-}l9x@a3caH&!TPoiBC zMmKd#_h>IQ#ErrIRdIW)eu2GUd)X?Mn)^Hrdubz4-hAbXG-ZX=NPq<;XAop|xnDm~ zWT)2BRwbV`gdXkg;!U(D(e1bez4>3SzBS4p-1N4qEgmOuWPewB#PVdW<~`*WCc%*5 zq2v=j0h&Ba=zgc;*sJ(EwDLk4T(5JM2JML(8msX!o`9eqJ3D02$FnCfR*85%_g!E7 zItT9BX-4GLbnMd9yPRq!mKXWdmTocr*?70ZIMoA$h$Z(!-y7Cp&y%xN`()87;=z0| z3AEPZ8Fa-76<*F_bAnPt(filCzWX1J<;WFX1e@M3S)MkZJ)waK?qfY3@V>5TvD?%B zC8wcH4kyS>jaEAQ$#p4UZ{QGcvf3xAV7|geZHtO@-oQA#^?~mh!vh2Jz1jP;dbq=e zorDn4Ro9J|rs9#16X`j?W4NclAst8T6(pr|!jRGDyy?*AwW=an1(%asCCb8j6SW`5 
zL3o~ywP)}gi=C7dm&cwEUC0W`>UoNN5b=}f-0&rqz&s|wCJ#}<*r#yl&A?RqHT=b1 zT$|k}lhch*%BIQ6IeGouO^4deH5&py9NI2J{X@WV;vJ~R;}y81rZ;PXmGFt4RCWSe zrgT`X$Yg`~lrXjkCpPGpv(7U&h~7LBqGQ2k2=!lTHwbq+$+avL7bkaAvlXJ(^GF|H zrpf(j!F}DSk#eyHwpl+gk)_8S_H9|Xinjyn z1n28b`YoyEF4fKVCp|d*J`+c3k!Sy)*UqEgR_8#Qd&jyxO}9MWhc-GHj^0$E*zFC&3nczK^7vP9d#=ER`~DHszQ&?@j! zHnm2`yii!DkivjScl@|a&68cNz{O|9Z$vxG#43xnhF-sUJ+Q*#hROon)DSd z-H2IQlz7cdv`&0($o*=LdNT@W=k)UEIh0v+-U$`}+uO@P`eTPmP|1a zWvE@zkW_?Nd=PA%AI<^000@pa8SZP7&P40c|NPE8({Gl%T`Wt)3iUSnbF`nV##7%M zfq^T6Mzood(erKgxYmuu9#a}3L{k)3y&E5;CG&qj#ZLVO@BNW#PaS}Bp0qym$L{iG zEzqO{pV^c{Sx?GM!)mgd`3|c>i;xL;g{Db?vNL^z)z-%Df9ruUFkhL;t!K(RC-^sGuZ?wk>M zBkG^tQT8jIg6My%T|#3Mwe|7RfETkMavm*;Gv|?%PeX(?@S@>1yT;w*DWwh%wh+6M zV_}Fk9NwnA5&&}c3wq5S(q_+{V$4BodDY}~iAC>8oG9KsjC7DSgVS0+f$Jm`q?AIs z+CmTDb!|rw{)mM7R_Mk@JkFqLNt?tQvGemoUmP3nQSW>rW!^Km!^wPiZrWwLYQ-$m zcqb4$F~8p4>&>KZZw2hJr5Kgv$X#`yW(P3xtfH6d>E6T#8a|Pv$7wPZ!*_IxzJ8q# zxBvD7i=LgdsU=t~3WIS{D!=mn-SS2&#jyfo&&fGqg2In?v8Bv@A*2-#_0@$scS_YTpnvH%e6&o7jJX?5q z=kelNkV zNN{O^APgwz`w(Ii?rp-ApX%Bm&Hiicmk|o0$!OQ$?rn14pm5G!iWfhSvfcf1O&&Vc ztR#Lkyn2F)!rbnerha@b+~=P?btGZXY*jr0r{d%!p!-3E(d1DNbZ3e9YODP&L>8E* z*=FBzFJlA=EV-yO2|{)9!6aX;b&0gSiTk-4Hb`Cq^Q3Wyt?xHLq#NWXm(YHv`^%6D zSzUbkdemW!CCf0fT|BnA3^K7WH23&#do(_TA>dToB|$yt4IfprnaFefDM1gJ`T7+o z%Sy=>iQn3!MAR|@Nj;x(zTR&O5oTm2%>Sj);Bd~U%>IsS#pVj4-$}>yz9;ijF-vzF zQZO3%1**Z~K=y(IU0cAuXbG>s)d4qhVz*;M|7xFHG9t)9EAbdqCG>>WLr%DNM!l!% zm;1AWjjeh|+QOmTGxZe#YmXGDC0;g1K(tZ>^!zH0f_TQ91CP^%(j&`Pah^`NvdO+& zE+>&$n8c2lIA?4!`@xko6N6OwyinSq;N&p!diD)nr7w&4XVocRp>yxWClATJ6ZTN` z3QNy9cerg|a+G`|Vd0Dy_sFlgnFH`nJs_H2?2{N;m~C5W)rQd|C;BXD9t9PDBoPmU zB;{h7zGlS3xUbP?HQzEq=^f1y`{XMroAcoQ102OXZdP_>9X%Vp;zFPmkV=>7hq`@i z_|(VLm&6)-r%1$?Zxz#8o3>g9U$dI#yVBNJ_J;Qn2Wml1zZ6RsO6DScYB;^k;+Nm_ zC)nzwkdQ3m0FBU+lM=Nq|31KOqlAX^e~x%o01@)&aNfO5rhsdJc|(Fqri|OXFR8_I zoSeun+=KEZ{-)BnsRBd9GpeFavOv=hT*WXC7Ih=2@;;E{U^R6dq|*dCc;oO;upPMf;0u6?{H z;VB#vMbVVqddZ={P`koXj?>GOw=pgtZAE~1r0mm2EwlRE{6J@N81f~)BR;-^W+j#43137qqOf0>DQaJtf? 
z@VN>B;jmKQjM2w!n43aU0@Jg8$B#vWWfy)v!N(5T6!z$s8Mis|KS-RUdt~KF=Jt)V zKn>dyQ@M*{TiSmMq#FV%v5e^15vuWhAqotOZrfG<+n9-0&3E1sNrp*Rlr^#_d8Rkv zvtbvX_A+mGI4dovNOzgWe&M9eUMceDrz~&DPPy?R46+ z-A2FQN1q=UoGmAQF>PvX?KcJXCKrLI+B5_~Kc+c$=O@W+cSIom;ZxIEiRC2mZ z(+NMWpF*k1VsIN|E4%ts5IudH%F}blKoJ?e&F=db^Gx{GW2vt5!3C19s~_A&N}jFW zcYWStXYoSFl9F)vc(0wFzSXWf`mIuG(Ybkd;&2}be6(3t2!vOjebi4>7Iig@MKqS! zQgqyWBNT(sLKcq&L3{-y=m##lzvN^Jm^Ay0fyC(i+4vh01Tu_rZ-+902z5`J$62fn zfUt@sMu@EEuF_%e`IA<)aVT5t2qRN07YH~`R;5a4p9BQE#9=DCxBaZ9-e!5PnkePk zuWUuaDtBVj_D(UjJU7U^<#6rS@1X^vCtI55gjNrEUN(E>DSWkQejpxrTVSmk`*eII zU-1A4J#?SIu#%L1!dk>u01D^Zh zWB7zn6qfY2JqYD@m6&`?bne+RQh}YC?*I+lKNNM$3Oy^@YZE_SSnsJ9P2=*Z4?*6a zzX)t+S3dMnE6|~I-)qQUVnVR|2y$HFMVg$y^{;JTe3J_E;h@H~?G7w{MT;KhfA`%$ zfc)h+^6oOhS3>K29-DUJ7C`RGyLU;jAnMvsW_eGECi30$Esh@Y7MAoR$~Jv!@4&GV2pe2!VKO~A?}JGD1Kr__>W#t%3HLGVD#TgWif+yTGR$GKD}G%wFwPzie4i(R?tHj?^0OReYH=kvGg8=3tF7iOTxx-mI2zea?L%DKYl@Uo7` zw-JsDS*)o`_lf0C&}{TuY^Y$0I;Z==?I;tl6oObrKiBZk*_0+o*Gv8#f8j1BAb zqaS9Y_Cptl%X7UiE6L?59oqZQeDy_*AAU=s3gqBwVt%ZC?H{AwJkB@2j(24vQJ&A_ zFzEW2)x>SG79o(kXDMX!Zt3Ae2sL4C6zp@UC2E(Y*`rkz%yB;z6~dLyA{8g372!Kf zap-?u;%J`lH{lUmr_Tf>ei+R_^wtt>PF&KGnY~32SrxYOL8ALrV~FR|JdNUePJ?pf za?l$PUpYCs!N-}A&I#QUo|a+`hBgQ|G~-i0AaU1b7J`)&*)*9K)@3{N`YY)B{S~F- z2r#lTVaAV)R3k=fo+xYfob#j@h0(73tGFiZ(e0vs{=-{cyn3dRCif$RLiwF_aJ)7T z9;?sX^Mp^XRG0Kr%osK=zaV!&xGtoe1EUadD(42Ez7s1tSniVIQ}J~?rQbr-PCWlW zs#}m*%#!GZx}ei*vuFt+IGeAsIrJHg{irGkBCBzJ5wV!1O{=DnE{mtu^9~UJs7H`= zOh~q%#=Qm%0R63X`r}#IvSzTHaPnY;d)b(2OfglhZ!qa(dn8*n>7YNP6`oP)92d^^ zMBh1#anW{zZCls;4MJ8&vzu3fnp{~`TrC5*y)>dXlehINwXONFYm37)R_zH;9EPTo3agQ*H~h;kG^@mQVt(epTtBS;u)%wG+Dgcy-^W|y zsu3zjyM0VW1TR9%L=P_NGV7lc{(;^>MThV~$I3SN8BwrKg1vLz>ShDU;ZeshVo5VsX?m6uDSh~W`!8+s9YIP_|A#kc^( zxopb&ofIF;cm)z9vgx)!7Q#KYtHOgufyC;5e9t~tQ6z=u53c^A^ZkDeSg}rTL7@Iq5GdpCU7(wjvLNhj8!WDJV# zsEaQfEyl3@b8Qags2iAbQTv(qNVyeD-jk4z1}Hqr>E(jGlBJpzvC~@)r@cyX{kqAc zNu^iyKvO4#O_E}R$Kv@Mv810W77cgbO7FhH_xrsh@GgdLw3-blE0vp!QRb^As?h&B z5Tl7)-t(|~xd8ngx2s$;7!k%%{f)2_yC4oP?j>(|22 
zrtMTSherRp$Cw{{gK*H)KDh$uY-V=+?IFANQ_Hk_6V}QL%??gLaq|gU z2`=WU+i!F#aMi_}b?aZvANam+mcFZ)iVBKtVmRtHJEWrwz(Gpx+@`qv4kHC?Eoj?$ z4az}m<6ZM`wm|EOIX2sEx??yXx|~YfYlCX+Al#Kl-dE)(psxAwU>gLeLN*C{S!S~2 z_B2i3r%VaJ#pd?k@Zp;LvV4<%_dW4>C|7+@#D?3UG9Wb;m zH>KRVRaeK~xXl>ve^W-x;36>c476-#gW;j3uzU*;ZM%e=`b~`x`O!R6|5Y3o8p6Y2 z&_pzS$^Dp!M6{r4nTnpX$3-XE=qu$}!{p59VG#j>y33;fzL$=EIybggQyE7;w;rNx z%jp|?5dp`97{KctTpO7GT+Vq{3tKrvGQ@^=XS~Fh8bfjxRV8g+GhE3?osNZ1_Omu<~> z+ur58TPSss{_&FpbiSLKB`Elwi|F(D+w7`Yr_jT}*QTWep_k92U$nkBp=GiE=>P&# zZ{NPXlO=2*Rcr8wb2Ex*4oMm%tg)2x$aVt=RMTe3)M59 zgX=eVy&~hbFpwM?{~6U0jVQL6uUsaH<-BvGhFVT2#TB z(7R0}UDRE|c2$Ghi8yq5JQ(|Kw$|bqx^uEpQJ|;;ZC)i@(()W!_{<;RusJ;UI;wt%}Y$#Dnx^Oji<@5pbHl9R{Y9<`)#4*dzW z_PJr$eE$5zhHzsBMmzU^oXPLRxgC3t4x_ht`Nry@63gq_i|z%!=5Vh-TIIpVxPF~q zY$@!fG;Um&ywlhhBgYdjgmSb5N*GvxX#E7oSyXy%R_zk*Iky1q?+Rn(jvPgW%N7V^ z;xFA9x}qKOMW+sOn;$AZN<``+z2jCgxec$!l^XFm%G#EgdIT|EorYOk=~&ny>-fuT z3$EtjhLbS!@rdXGT7|v{g8SlAqQeuF&F|(!%L#JkDi+CLP75dg?FNr=V0L-kBZQ$w zeg=lM?sg@|vYDSZbg{g;5OhrjC2zL5WmEoBES-wW`bpAUDE)gur z^hT_;Z}yp>@u%Y?Uxqqd&}+0#cd+KKe= zGnyz{s9Efb*9;{eDtCm2SQ8&lRasxo9Ij<4STOmIy#K6j@41oRs#oh*+nZF?)_aw* zHJlYa)r@7<5_-RY_$ec;5c^Kn+WizEpGZY4%f{;4u59Syg_fs5za_ELiF2-`7jL!M z6SMwyXir*Ag3t@4zLgisi2zR3PY#?`ltv;4-q(#N0yTa(vX(@su$s zKc6cRDP-ni5a3wP=~*14UCkJV*Zq8aDPdUVxH6MI=b7_Eyhk1ujkF<>RwO%-zB{ffL zsNHHwc{xZ^Jvsg5Igd_<`C#kF3K2?*X*e2AYa%^qn9}tt0L9rNYK`aSXNpxvFc!eqJG4=+ccO$9s6Z>7Ui2e3uvzD^e1Jk9PJ$9b;*(&7%LzV@q}10^1uzeYEOB9^(Pv?L6^FQ}zA z6e$N@F}8&dOS8rdyF5*lO?~XS)8ZkMbYyeV&SPVBiFJy5OX3;%8p5j#9*nB2?W6GJ z9hhsH<1#TjFPw{08!FFOY9TXrw=%`1QE_(4^+r6+pT&nvE|1~X@m;{Cno0_^dexkr zLu-wD$}=+`2qacbGR~{pQgKb|+t>a@9Wvpi8y;VoW&0cw@@lk1JU8c7R zF2B8Vx{r2xpY@zeY*BUNc)+6~IH+HM9?z~%^sufNxgVw-4=Ok~g9*kwH{5yVqw4Ce zHHb*x@9wpecWIg{9u;4n&xm%~dHoVI@3}nhj}GNhigg)C(_PHXNI2t;)fITNU1@CF zw|hJ@Bkg`{n>@GE$wJ;mX`XqI&O#_&7K~3fCAU68vf^D0I-@;<@$jyjU6cG^t0YM2#X+=5)L>lRCK>>*Y zX=z6!C8WEhJBJ3Pl$5Tan}GqTq31tyh5PRN-@D%TeSC13Is5FjSM7DyUQrm&$^&~O zK$Cx(>a15{qgi;)-s{c#Dwri} 
zGr#~N>)6_ZDnG$V>a#N>8?)3nehrRd0M*H^W#a-2`hmyAcJ)y#XGg@$9q&N9rBhll&egh6{%<5~p_$fmAC zJgHKk27hQir9dus)Ume{`(fp=Ktz-9t%~)4jMt^k_xm3}5};nf56uQZl#5%ugV&Ez zAhuHDE+NwJ*)9GRDjVXf?g=Z_j__f*ANzg1Uuq-vH*D$FKyiM@FIJ9~9=>!w^73oO z?K$?KE39_0dRGLTX!TXZGvf&Yfpx#K5^a-Sh$RzGMEt9%^XrO1Vf4t~b_Ajs5< zV7U`(llFS!kh+dP;kR$M1lAQ(PoKzAu11)yo5|L-rxX~TVBVU4`POM1c5Bm0{@Wb< z&P&&9l@nvT7vB8hjUx@4vqJrH>swC~o7&xx?vqHR=Bjmp%SVkwV;Xn^{nImnmA)P> zF-b|!JO$mRMGWrE2iYuhB3SFiDU^J_F|6Ho7O$rb>h(G79=^4wcV&L0YJc*>2ac1k z2fI99fy6bHr2Ti?F`IA8m$LY+^D3IKW)wUP!vyz+PHyB}@pJV_fcmbNJzKoRJ+C8~ z3^JR2e!PzhyCgDl6JJW%kY0`{RL_xgUSZnV)Rkf1Y#xa}o#@mPDa)Q1i@zK5GLCPy z_ZCpn)9zK%J0s`aK1u;4r6nvvH(8ruhdN4J%T_KX3YUdY^2PNss0w=@@m#3aEwasy zVi}3RQN8^sft@R)+kw2-Zt33l?n~6KuiW_>ujd5L_Jwu3mn6KMd&Mwl#@H(~!l*uz z?i|3}dvXY0h)@YwI7JRz0r`yvgmYRdJA+Q%#O|(fRRq4p`WoF%i7K(*OgiJ`dfBGU zx6{Q)x=K}$m5g}kOFk^d?|6U1%KWFp@!ZE&eLqap8+Fz2yc2P8ix$=$I`&50sO17E zf@(Q=TAPfgM^$_b?H8SV)p#l+uDN>O@AZUCN7)fNbT(z50O)?TKkP2Y#Har{;c#rF zm4K4%XMFIvE8F}E1l^#@7C1>iN;A6M)17^XN9S?niVa4xW{98^2JH-eV=IoEpU?UI z=P7beE+6a1%FU?6la{R0DpFt!>CbqHP7B#r>h88hY)1&+D1(;mKUt_tmij1>F|3{z zKJ*HxyNE0Q06W8yJS!>>ZgRLFJb&+NOpOCvO8WaX241t7K{q0u*Dae-VcX7LR5=b7 z*%VK_9}>mR0S+;tE2fE6RJY==J~(xn9-dGqPk>4AUhS_}1Z#Dmo@T!+*n6!D1f@pm z@OS2Dwc^;uaWV$BrisIOn{u`|YRRm*`2|a^3+C9#AO*CCF*mo-Vmm(s_Pc)b9`|#P{jy~7#!aC1fQ>AZcw;lU z!0kL@H&NjeIUsq0UIc=tgK@r@{%STBLHA;snQ@D;(^pa|r4G~lLlc&Fa%pyp&d%ZM z?f&5QPwEglnz>F3UfcX%P%ANK*u(3XGu7_0YIVAE?2R zEmfV5Y)U8h%V=T{Z6_!2qZ5HBun<$w{tEH<<9GHV5J*LL6;x68xcGobCZ+AVTSUhv zY1u^}Z~0_;aE?Go*TnUNf_2d^F}`yZt9*=F-F0p7F!OoR+jp3`Hz3V;*3{2@>~omL z3_$?lb1wm4<%-Zf!ub;{TE$Bce?kVCXg1?%IH14jToKi#!!a&M1UajjG(dPfbw_B9PvwqAN>4 zu;0bcjR&`Hxb*;SPX4G<0kl%#OJALU7Qx;$<4#Qjp#^kkYr@Va6^kId0Q1F{<>KaB zJ6|at-39W3p-E~w&c(2QEfoOx5(W=Y@$Uo(*h4-#0&;tiQ?5lTPS*&ifx}y22pQ`Z zqcE}0pA;y@ET2!5$yhf;Cl~zLmQK|W1L!Fq3RF&!IX&9T0Gh<9@n&_A{p*H5??hjS zpxJYQx@G52I6_O4FetgNowFr6oagUdyye zKSg8rY2^2`bC^Vo@d0g8`i(>XceDOE{+rx8jAU5g%0h^xijRJnsS_xb@dvLFJqMn5<66hcf4TdD 
zU;gz~$|V5tcP@R@N5_r=KPi>y=T#01b^@aQYp4CqZ$%<>lQ|-Di1RrzAWZVW>`eMk zyD0vK(tlx*Pa;8pE>Q?7)F-~s(@Z{>u7Ze~LreaRJN`Q6uh$~Z=;$CUG>ZYUEuvFW5#7K!$3!i(%ov5cHoYyZFQ$3r%K8p|Xf`L={V;*^t)l z=JWpnbs`w?V!-rrU)!6`hbs!8S0k_%oAIY;{mEkgd66B5X4<&DueyMC|3ic#sR3k0 z=H4>-_f71-FC`@k&EipNydVFtSOE|g(QN0O{rCbIzo&reO+E^rxgO2EiUvWP>v8!10s>bA00LLJkrvB22-#8?T!5(% zYI&FBf0|#F8;!yENAnlaiew^a3@ZAw{QKVe-{~Myf!+u!3iwSD&cWxV1fIuDX_0xM z2!6kc2f*E;)aVWUmwYRtCC~WN)?el8@2@Sn(a7T-eC~IFJa#nltS28Y|9;wE-wq`M zlMOZA(!#hvo;_Of_>Jg)qip{2l|R7y(qheof6gWI?%Wsi_aOg?M@tVh>>f+cLoZ+_ zN5ifc`MCMd=l$k_%MVTXY!0nE7qGLSVJFsVyO5;c3dEhexCUEeZwJ z7?^)q-`_r=_$n~E?CR_jvx~{u&}x8Y>t*6Yc^tpsoBmi`;sJmQz@VC_Y3k7u| zM1qJ8KDQ;XJ1o`F=BUc7ai02rCUgA6zcU>130Qk*i5 zZsI$xO7ukLLN5RE%>O^H;uY*cDTso30wJ=?y^qmZHwcV!4V^^DYD})JQaA5UKioEZ z&>uvdOg5USMf(RbATm?{x6z3hU+h`Gc|7pdCk6-^!PdEs!_VCH@yAieNb7XY*ks`^&@1UcdXi#@i{xv;~Qx zT?87!*L)nbU{gM!lrGSsc2EXx=rMc8Jt$|Lm-4MWz(_G%P3i9cFIr~lb?;G%=Gm5S z+6oLv2h!}}&x>?BnB|Cl{IcM_tK}1*T7!pulE8P&;d~p%99_FYjiO*eS-RtSQZ#+C zZ=xZ;rq*`BbpM~^|4yz${A^N;WGy`ZuBve@gv}ZjJHkeX>(0D5=$@hF8yyA&zU4@5 z0m{yIcqo)V2zh60nssET2^&(Ga*xYAQt)(F6lizrY;0?@{hbx?p+(uw`LiZ`OYd6k z_Lx~O%j$R;!n(T}Ogf-e<2cDrgEyitAZt};Bi~lyaq9R9F&W>9s14a`M;)|BZLgOl z!fee+rw*ELzeP@F0ELRWq70kW#Uvku)$I0Hmck2h(_g~S#sZ{+7GOc+eq)$gP!or# zbMfl%it4aFkLgbrXN#5_S`{WTNCCCt=~WOs%FnGVoN%9aD7egWu4@Ni9?c}2X=7Mho+Nh_IT7;3 zN8_4=rgoiet;W7Eg?3qSM_W&wCL)p|r}sgmp)cqealqq)(Ld*rpQ2cKdfPDFXT(rF+}BA4WBS_TQUD!AzoHf+ZZmJfBR7e#h# zaH6e0VV8}(EfT2AW#53xA+O$E{*LU9((q-ER`DEGP2$Ze2oXr;wFpawCKfMO3CJE( z?&%7Hhusr19LfUVo>5gU_qc5;+(2fLEKcup3+@f>VNegYpCwjC=~Y@Q(p{Z-O(Qua z_{=BRfKKDgQKvdbGVeygQQDz}aV4P!c%(eZ-fV)38&NGg-09uh6D>^MuUfNNCbwXk z=-POg`?>;p;0K4i&%cg)p(y_AmXRWHJNpbHIip#u0aZYVtmHsQ~e^Ot=ARa8>abgY>`q(s{5`-M(jS64AEzGMZ{Lx+oS6p(uAChVk?tfXE|CaHO-F46JGyHS9_x= zC}Vbi+B2bX3Uq9#aao7|kF%DCTi?60xsUHYHu}JR29!rvNxfUzio+~G&h{`YBkx6= z(kqc<%J1K?xW31NFv(1X`8AU6)(jq3P~+ZPW|P-_yk8lNVIvE+#nDCOHyeD!#JGQ5 ztWd~MhxBoQ7zLk&tMzwN6|HwDnrBhpszahH)XnBWMo5Y6Gop>W`<@FZJiM-`=mt$T 
zo`gY}LPs~IjxQXF(Xv@@_wkaZBzjJrGmVu#pPra@E)05RvcA&a>~C!Q+&GNwR-+FR z_lT*jRL2=)$_3rU`<+Rw%7rmxFr&gD_o}PG%n*;Bs5uNTf6ww{H2g9QC>OQN&HEIu z;VPHar^=Z!tMseMj>`e-wl5_MYFS1umsbg|a}H1}Zt51^1jL|IQ9Q~X5QfQhdnHnuig`Pb1zABHmB z3zG=0PiXV7Sedz4O7gzV2g2Q8`}Z?nl$EF{{ak|ux1~lD#&vvdk}A_fnG;_)EjJQj zM}@ujqB89&AkXj^V^fvT^n2*xW~gM}6~IZAvT{5w>I|PC>Ys0-w{5kVP?u)rP+DR( z#QGYUgzVj)OL`1F)8vOTR#0EL{CzqpnH^aV)dX!!JiRsL41aH1{C4r$VJqvCg?L6f zr7F~zu?3$cRHAeoJ3xZ(L7(qSjYGRhey)h#!ikdM>ux{xJzPgvAbX!F>#ZKarGLiI|GAU@^&(dQvc|sk6t}Bk zNNc0oJ)MY>hyNB_=w7s*Ujfy1_XM7?@3?PyMuGBMQ^8hX-!DCB3QNz&Mz@IGDvERZ zZ7;=7d?(T zAjX}hZGf(POr}Jpl6=SO8@V#W9NVeXIlRn5%{~R6l20u~eVVW+eTqMmbnMkmSG>W< ziz5B`Q!)r)sZ z0~v5sm+c!;XvOY}(5`v)T6Yq5vP4~dw75%<&P&M<=7*!96D)Mrr))iY9V1@h7!mUz z=Dl}%B6}?LPIO`K#|q<0b2%BuTFU^yq((9`2s*EHZCsVL)q=V?$V`z}h)$iDR2xti z(Q%yp9IoAQhvy?uHjv~-KDNVZzvBLAdMJxlsXkC{YIUmgc76-Y z-3g0*%Vv6G;RB(zRI`r*<{@gkGqOKdP3Um1DE@dyv(y3sbMU|}ynH3VJ=bY+NZ)ZZ z6~e4T&TwS*;6U-`5&WZZWLfD4<8R{?%!#ChV;?Hg@IabOK#I3!ro6*@)@49_FPm)h zIM{GTQ=VpXcA?KMfTDg!i(m7nRpiIiJ$B-kLKjmbt%i9!f=c(+xVqbcz8KwgO{PJ| zD}$xRLVQaxCTCS=&tU9z#orc&$EG{9m2!k>Kh=R?t--t`1!-Mp%W+{Z4CTT6q-xG4dGaLNI`gpn2 z2`G=c2%L&Wb#f@B9ZTOdHUc=q-p^MZ`D zxXQ&HC_U?7BZMsiZ(exx@J$@+b!fiB#vh5a=4Z!zSf!;sQP}?@-{W)L(GJ#EFf05y0DuW z@s!xQ%CK^GL*QO5hy803NJi9l6}m35`_c0dT%f7;mBaP2$vQgny_B!i*PV*Rh5$0G zGD2n+;YAt}vOeMr+z6oF#t636{;pBXa*__M=h48O#w%%jedl8kN{lBPyP0v$3)3*kf;~XS)$KL4Cvd%hds()#efj z?G~d#0}j~k8&&_)s-4~t>paKm5=-zM(GG$(_VtmmUZ5lh&YFef~r z@^ovv+n_|7w!t5=yE^bJLBTYss%IEnG3dRn%9gqKbv)DdcMX^qiw;BqZn9UWMylyb z>TV%9Hgp{V{yE4WBt(3}ZR*%6wOYz-Ysu4aUG)! 
zl8)Z`2ga62#93}|z+wKAao>{l$XKD$sJ6!ml-xFvf&!MYZXAY@P}%`h#Bga3t9vax zq%zFkZn(n*>N)oA>U%dD&&DyQdk~-m7oIs2SeKlZuh#O;hi97xeV|H9=~)}M^)4=s z*IhEEW0{Z>$42nN>=)UE#&mU=mkj)ULViL5WrS0*3qA(T)85U$g{7kC?9A zm?&J#dY_9pwhUL>HEBi%0RC4?{MUym=7iZ=7?j05k_%pRHG{Uj@~A25If_?mt#^y# zo&eU7wGvi4j?J&AkEB_z>=#*y$5p#4={R+CBnj8&lX**8$nS-Rc9~^?;Vi3FAv_3} zzAIN4z`7mv$exfB-8WAy7-n+jg;im1o(Y)se=a2KVR0mWPw(2vT-4YQPI4glvqcp8 zyj{ln%QXy&DnbRz*(fm?&o?!zndB!W=re5A$(xi7@ldOIyc*Bc>sZ7Nz}~{$-{sCp z#%~|1>oAmmGc|DO@>iM#3)JboPEq76Zd!=*PQR?k3+EEylhh360e<#u?X{>##i!R} zzK|(MOLypyDtA7r!HinU^F;0I`*FVd#!_7C|Navbywx8Mz;Y|UqF*wu(qi5J zq4|RRT9gk}3{V}2l=N`;tsU6+rWPWf*qsu-(Mlq~XQRH#p?ffMC3VCLkC=Xok#l;{ z%yI+p9z+b=1kCEkfUNi4N*Klmz%ttIi&WSwAoW zh;fEZ9S?O}{IlT-=5$X;3U;XRnZufPa$Or^t^BhiF_@q5oE1i1Q@~LZ)?^_O)EgHL zkgrK(_N*;{4W>sTvuqNIJqg+4zJ#g2(cE7vgFEhu2IH&9F8IZpd{Z{Ic z$n;wOQEHE!*Gpd*^~}nTq{IA(jO2re5F(MNww&-pqJjO;eci<~sk`%yG&gJ$J;{ppf8&U603r9rX&xT%txQ>!5&lH}C%V&b~~PS%C35Nl5307{@HjE25F6w169KoWVTPx^o3vA|fiPyM$)2s`58^ z8d(X&>G@4q?}L(2b*jZbcL&H92UVa$4^N4y$*VRhWj)tL`Cqmd+EQn2w6cl&EVco` zBH+_DZMUbR6;{K}P^;BlO6OOSfQb>DS9bX9%ole;&2g%F_gMrH3h09^031zMp1qVU z(pOn5X(x7hI^>71cUr1Nww$ZR2=T-0e76YSy1bl|HCNEHyH=5S0yhva8T9W)swg-_ z2&4GI^>k~b(m%OHL%ZFNR&Veve8L9d6ie*>Y_E;dio@L?Na*X?HcKCGyS!0vi4@-TOr_Ysp%f&07`?qww3C7Z~MLMcuA|Mf_6cxSXA0}sAYf4 zQnbOd1z!bevaNljRCm4XcLOB)wAoW4|I;*#uM>yDqpB=jcc(+t+358WhvZlb;q7-P z8;4gZ?)JYu=-Q}PH13C0uoYglg?Y$P19b&OA`nH1M3K`~jn;|T%U=d2-dYF==n0A| zbaF9N8H*=I#yZFw*lxOhtmnF$@PRH?3+b@0Zoa;)DTQhfhW>n?np0@~Vb_(Hncokq zCm?p~-moLviJGjzKC(gQfktE9ZQuHPPOjr~eH!9)+YrKTLDZ@;=|=vc$SaJ?-(5z8 zy^K>H_q@Ng?Yo#dbJosUgx$#_o4{571kaj&Bk=Zj*USiZYWP?Abaa*ug@1(^FisQ;vH#;bOO^%N>S46-Nw__k6u|KUmmC-X&IH z!sA35i8og~fCpx4?cpG35u3T>6kN8j^CK2~(g3D8dw1+K#U9s*A|LvypuoSLX~?En#~KWGXXDg8RbQ4H`g074W+}pHU8L=;DpTMeKqC?#Dgbv+>-g z+*}sJaUA&h+7%CE<_l|=B$gXdQ;e3nH3tIle8wEydub}90?Ua!tR2%e4y0KpAwW~Q z;2z(@5j*gB;B!{(2-3TUwzBqz#m&A&e$+sF#l^F`+YTEQWoh$^lYFQX`!fZQv+Xs5 z&a<=Qm$Ije-q@>~ zrA@#1u+te8$(=A(Hj+7mw@m+BQ;)m<1C94WtswXoc;1hO{=hA@Kt5i*vcN~Hb4cO~ 
z5jn($uo*RCZ`bgvBubwN6y};mG&C0ENLnHSLY3s_e!j|i%8$jL2Nr*p@-$~p#@`}P zfYvkf;uRlE(KZcol&9mCHdBrxTst30IqxbX{DB)&w-d*wzj?=lOl)f1%WJ@TiJ$;QW{qds! zgn)k8T-pe)hkK9^0#t;mp5kS!I(Yiz3G3lb-@R>2HAPEr&V?CsP+h9+W>2x*TU_?0 zFeparT7tXg6%p9Ame*&7UoH(QI!^_OB%xp%GC{4an>GtMZd3jG5SJL926VND6x=c| zlt*7!82Q}(9N87{HjthjhImDghg4vB!S&9}^LPTRd z1)8UL*x5+WHYX+Jkw4_-$1efjr?3~P|LM5>L1iYsApphe-9r2ty4CX!sK&O<5De_O z+2qge>OXVb-Y#uu1Wm@l9u`AdsCf|=eKUMlU03TbXX+j&RJE;dv~UN6eUd;Dts~vP zAax83>;u(wX|ANlN1N60*5V{!XZ2I-6n2hWTonbW0k+G0kHP4E9eGrk8u4_r*=nqn zf?DZvS-ee;iq`$*ZYq+Cq+y)7vkX?y!NMF~$7Rtd5r~pSb!7ln!~JS70&48w*;Dc7 zC~pgCxM7un+AF}7G2cuJHDr$rzZvING2$a$JO*&nX%WF zD;?9%p!YV5w=GJwEasr9;HioHWR1A=!6rQ&yH4u-mrc)=W`bqQnibr;`m#^iA)&~& zW-*s>>griGP;%&@^q)d_+iW*bP5!vRCNNi#&vwQ_TG|AaJ$SqM3}u*bZ6dBlb=6Oe zru6>M>e(c_bo1!Yu%5X5i4<$sg8XewAYpB}Uxl@Ug05bd7U?b_J zz|4qNv&}_Uqwg{FGwOJcK<(t@0_VANE7sh1hy?a-8_4(=fBvikb$qb99fx)`c`vr9 zo;Kv5#pt+ji|ov>l|;P8fTSGAIC1Uoq~5VVFO2k?7SeKJZF+wp`6a0J9+`QGLdeXG zf;Xj{oiFgdY!p^91bWcCa?2 z?w$J%mv4j+g_~#g!TIq-g@gUdO(iW=F5(FEaIGaX3I5FO`Xl&jL_9plm}_brT#?^TfkxN&Ht#YYp-P( z=!V(s$PlBQo#}{%=mmk2qo`K4hCVJC zQtN!yHkXcSj^R$_^~yYVOy3Mp9*#w8a^f=U3q^Gkr zLC~a*xKHDT*LtNDoc4!sFaN%S{={C)Uv-JpV76&bS&j6tvN1|b%po0?XY5C`Sv z8ZR@sHc*koyT4Z!6<9oP8Z^~G-~;$zehGehw4@3nugqwxE1egd(fW0<_NTHVdWs2El>0Su3js-yS`XJ zVACyE#7Rmk;8P8n12a=^*)|7MGDK)-#BuN&M4>D-64w|`0HnOqDksWg2iWv;jL(`K19}Ir@ zLFM~1im~mJO3PU1ZZ4fu`;57_=y+$B-xge8gVpVM!7AT zN$F8Brnz<9*Jp^_>i1Qf@(S=2UcaXL8`RO*`+)Kn1=ObEBEHjm&aCMt&PB?~eV6*j zMIcQ-+*rvTSu}YD=$NoMm2)CX%h3lihHZl^W%t`bBS)$u`aG>o+{_bFdTuigU*2)I2t)WNh?y@`cFuc$HLNveGBU#Wsr)4M*@@J6ZuG3NS5vcT7tI)q?LC@lD?(-tG#jKP*^O8eyyUk&7w<;>&UARKfD2|_ zxz)vgvF-mb`d+=1Qg1y295>=w?m@xO;Gp$%9*i;s66m&}@@AG;piHhO@!s!?zka6i zMm{KEmwEWcqbSv%J|x9*R9X6rc1hz>h);x!tXa$EV$`{>*_9^1?do*lhUVukQCEIW-tl9Hh4?2X)zgXZ*! 
z+#^m3V*e(|(kx@$k5-;XvyM>_zEJ{#BMv4fBrs9_&Lo~7M;-6ME}Ca!(vDE^Rt0z^ zUxjVg{}OX#0I}L{^*4A4kFJ!O>cC=<;3YkXxIy_{$lifeKG&cNzL{wAm}52&Dtx8AhJG*;C+Hv2mookw3}-Q0idu zXeK&Kb}}Ac01lDP-Zm^eTK#emfRyFMi&; zO0ZlV(cPSQvgUe$)kA)d&krBxoVh^Iyf9T1dUE>bY8im+fd}p-u_J_#VdLVbuD<_w z_wP6K*uOgNV^zrMaMPmYI!Bq##3Ha+VL0E?$$&9YVwv&h>)XfDNO=|f=jqqj@|FKh)qnX{VG_WH z>bErZBZ|Gi7GGo|F7KawbAJn7DG>d2>x17hWEVl%M0Z_{a==Mj0s95sz;T_g89#T7 zw=F>Fm8&Nokg3A~d^CuN4?ku_@U);P&utaE^CvP06FFG>+jt7^)g!>7wE$qY9~4j4 z-luTM0FAn>IAxABW8fFC_c@1onmZ>_TKqg#U%Zk|JZ>F*P!5o4oWQ(uq)z^X6v}q6 z`h>Fs4c*b|ZGdFyQA`>CsT=qMn|QGR8MehY9y(U~Nmxx;NMlrSGO0VU3=wVUU3G+S z%2cpjZ;lRB$F6QxMZS{nfvHOOf@-ZG=v6dUXZD99@(;c6o6Khh+P`)F__Ur-{k1uFv@lVF%D*&2w$2+6` zqt*GaRi65V*N<%JAHfq}!+L_c3Z_SO2~0P!Ts>XLd;LT+=yeI3DP^I0D0n0@#@LcI zXodpvWXRs#1dw$moceJj#^QKD@$j8`cje@-P8VXm(u=QBHIL3TAq^nA+jdR=FU5-d z;7nfy^w*DSCAN@5o8}BSLEW0J@#dAB#pJHYdMv?&&`+8~;XguZtkz-Tk6a z`B>@iVZ}9}^ySr)A^XY(@Uc1L$8c=k=fT#Raj}F)Nd31s_wS!s5lnE5De3B35QfLb z-e6~EUuF^#XS#@=nVC5?%5sq$6(X(7Jjkk+`qa60Nr0ZkIAO%>+*rDuU-F_1==<^A#-{ zmw0@Ce<4YKakRP`jG@2KRpqv8JbTd%^w;1oVg^uaMVc{ue@RfD!gcqGB;PV-nizH* z4SPdE-MrQ=#&|1zZf*|DnYs!d_|%%B8{K+T!!Pj%$neWYXM@y~ ziQnFJ4vyfuy8AQ&=IY`B-U*fJ&S|)WwM6*Q*MS;;=Q-s6M<)LL3vnv^7rbLiPo6Lt z#achA9A~f}r}*^|COp#?!{#_-?K_1+wIm0Kn)=hJNwkEKlWXu5rW(^prnpnByt~>B zW(q$}y;qYe8v!!alT-VcQEK$OL|IvvhEd$KPu@jt-5Zk)0hZhTU?%%htmc1z%{%vG fOM5l8=8!01OH+#HP9DW6@JITg{Da*4&tCm6#r*P8 literal 0 HcmV?d00001 
diff --git a/src/img/rancher/select-required-permissions-2.png b/src/img/rancher/select-required-permissions-2.png new file mode 100644 index 0000000000000000000000000000000000000000..d6e3459cfa5032b36ea7c6148ea9f8f1cbeaa9e9 GIT binary patch literal 399531
z3)Pen)1v*dZ@iD*z3x#c%)YP3_`wLe(`Rpb;|?_p-);uahl)OPKix@C?bnIY~WB%ZVtf@#?=bfr5TgHKDUwdsp5OrY4`w zLeHS^)B3o?qJ@_?vO>WdRSH}NX4KGWgk+Mz1BTcbO-I`ZBh%RTRY`K^ zyA}U{TxG!>xV3R(idgbC z*Rqxd5D?JHCBM64^^u(=CYYswNwg_p)epd({i7v1M4mZ+2`c-cTi z6Z(dcK^Ejd@N1|Hm$cFQaIx<2*(?Se_2+suBNAx z0s0}z(_cygfvlvD)8F?}cuA?K$No+eMv=K2)Z8LU6_fW5WFPw??x z;z5dEE3kJz1+6(g8*sL}ED_amj>RPL$wnXFbpN*2g2U zLt^|S!v3Q;L>mW4~+^}a@jDw1*yo0^NcgNux}YeZ1BUNuI#F4*N3 zhDZKmFgWj0oWdAkhghs@s$6)vy`o?7O>wl3(3(!Cr?t?8lnKsHv*6o&RpzdfQ@EMt zaV9CZ5-u(h^YKNsHaItm=jTASwBCBDiT-e-|J}u(D-E^&QM3j*tX?LoB$84K-4A%a zJJ`N)?mv`6JUSn0TFaH9t?)8_rMv^AayC+(l?Cq7UM4;JIjk~({)^)oJp_-ZVzy<3 zLZs{c;m7fI98~du$B?tE5%7?ehW;~|ulx^xBF-gL#@z|LS~>s#h@Qwkq=tyvVBfnU;v9^kWfiuCWCfj{GkWM(iP6nL6Rcv@H+FJs#=57zJI85Wh0 zBh-tiE%NOI*RkTMSTI1^;GP(+%5#P8gOs?6;Y1qUL-+#K^DEqxJ*oV+lf`H)OS*$o zM+O!gJJB0~7HBC@LftxLzJ&8i$e3QHp;sl$kC2$WXA2ws}K7h?su)po*&F60w)T2LCel3 ziY(TVsjdYsq})L~Y$toP<_JaHxVK_#-n;frr@nNL)N+p3kE+FtMRiCl*YtcV%K6V#@2{+-Rt#25DEsnNIpDgP1n8oT# zLov6K^#{L+q90Gb89b8a71%H_H9jd60={N~$G% zbLt3Rd`8Z$Ez%`|Tq7lX)e%e?mf8l8WyQxErDEZg)6!X}3-Nm5X=RHCq&=lKjUpbD z4iOuzrhyevZTpTwk=Ock-t%713CAT(Qm6;n@=OjC8@OofITO^;s+$l z8+Z#nm>YrJmlG3!-qC~NONPq?428J zX5835ro30I7k`N7}PFDWO+i->f-KE?4iR)3MR|n4JGC#wg}RU+G3S zIRo|7uHn@(t6hKj0BPA5Dtcz049DT=%~4TWA;p)UqF;WNX&@k&%E**&+|%)0^gh2NVck%- zoR{Q}tRv6N)PC~vpR(Hxi_?2fY4ABz!x%E3qA))nvB#XjfifNe6-DF;;M@l5wgkFe zoO}r=OaA9YT(1oc(?`5Ot>)D77mhQV69(R69Xk4xCFcDtgDM_PyM~@F*tbvok^cMN z;BVvsp$@!85<;;bcMQ?I2z$_Z2MObT=#~}nrFDH=vIckiRcK?Yv0$tU0~@)@Z3~gF zu$6q#rLQ-dCeQYsROQ&(e^8HFNA;ylONNBcS|hFHAF_T^xtWDlZvoObL-c6P&6 zRs4eA!?Ch`aAyvKju%p4l1Q|-_1Yh~H5N~GaatiCycBm5NpSYB_zH_<0e)Ie*D?%^&w zw=8}KMEwy;Fhk>xbt>u_gWuv)L7!gBjSDKlKXU>#vQm)ArP02bkCap-)qS-kHjT#8 zxz|3-a0JZFIs*7ecvYG3kUmEUx~M88A-4|%FcUxh>aw{Ls&#Y83FCEvLh_f_&t3|Z zlnsrRzuk*vU@-QLahb6z-KwVSw#d|%&xFC7EtLY9!WB8gHU?_x^Rs&{y~AB-ZnR(F#F?Um5#cG*V1LYsN~YeAIt-$;@cZnELS7& z1fQ|doy;5hJ3AShYG?Z4O`{pT((tN`rQ4@_3g0f1LuQL88N=x~RPM6K15Sb&s!H?b zRPvJ53{7CNQNZKvosK(*9p@rmPhpFve-!_s%PCF62Xr_f;)Q|r%bu@QdD}l4 
zEg|uJZHrwZXul0(ej=5x)yLr+SD&RQ-Wn7`FP?(2?zfy}idjU5)0@H{M?`~fzqR}jUb(|T?4k&oNc|4#s>cqT-TSLd@rdI^ zh!)Akw}2O^V5ORHeu0`=*4HTf2-?PRW0?NPuX+3q^PfuJmTTrKr_B;+417b1SHPQ@ z-bp^~X3^#9T=)jp>W|{D47S9~_z=paB8mNv9P+C^iQ9F>*$9dt18>2Q7IiREalv5g z&(L2R_FJOD+rtyj=PlzoJz)HNpXa?N3+J}7VFK}X0?tDIJohf9$UlF+SQ1n9LmY0j zIN?|jeboRo|B?_X9b-GPd-(y5Zo7e=+2H;&PwI|=DgE>Pfo8e6Yj(A25*;bi3ZUs>{+ zRx7x&t^*y5P6A%6k>wrYh%ZBAFXBR27JcKsw9$l4oV_MNHCtMvXff<80g$;!wX!rc z@{c2yHDH&p<&)r>OesfYO$d!+%36sCJ0Sg%C&v2e04OwI413*c_>|G~4bc=xLOc;f_OKXjtBaUh zTDG*JtBh)3+)m?BfFwJz#P0CYb56_24~NzI=Li~7x@To-EolXX$egR$xA5%KrF~IkFb~$e$FyrqiGYx)&0Ps`Q;1n zrD~xw5n%_rOAajo51Uzgu;KC*D3k z>j279c*_;`4rBZp8`2kdpJ~BV+bDkj$`(-X<#lm1b37FjxZrMPK0HMQi7oaqeb+QJ zG_<3sq7vTBca@7aH<*BQ6ktKli)f@P)DIlocXrW|J3K~xS`_Ta3mgOIz2-NK>M#r? z&u-qm6XpAndI_7BKSnUcrwnByxoy{b(LImePFFI{Tzw}LLDG2dBRHg3xo^9HNybWd zuI|b7+Qs}Qsb)HnYHD?1VVpf>s5S18v?0+N3Ef)DO+s9PDAv|8Y>(72DMD$%d3nwP<*p*F%)XhBM8)|sO&?HZ zx6ygA++0*Xeb;Jj)D0u^*F3BaDc<2KCXzNSi^iG%D89l`78U9h$6tX3dQp zy~UCq3dYbC|GVS$`!-gC_&QO?4t>2b3lTYgJ|}&Z?YT-08^C^BYD0CL=f3RoXR(FC z!w6A!dYKI=AA|6fQ7dk0Ev#J${A68AE0D4#hQm49X$!;h7Iqd=si3I^)kz`0G*uhBk(uf(xmb_Je?n(RSp|W4`yP(RJrOag+ zV~(gc+ZSt?^b;=X;tES8!LkqZJF_&_!?i6o?w zow(2CEWu{A2#K#7;t1~NGaW4h@q4W;v6^b!))X^yJCn>E>hvsOWd@ZVxZM~NvA>h{ z9*Eux&wDWxw3L7V4iQE>+Ri#7I-+_c8Tz?T+kH*xwMRa*&;z=eets!xAvT!d>6mb zdqjqtmld+-w!Hd`l9nDM@%hgrK8DlfsDAd3)2zLXSOF}5%YV|5i?3LyV7F(}!^A4W zMWbq!VVs(yMU9T+A0Es_Y^vA5P+p6QvrdBNZc|2D#=WF*i%K&>^;u{$ zG)QtnKCR~0iEge86a!gyz};ec7q}KU1rbGrWWaG_yVICWzNhSL4=Q?{w8~MT<&_lA18ZsXj?{aI*`XlZZbPNXk{hulbtd$(QEs+~A9pC%&JCilN zp~kfi;15UB8{+M_lDF2z!k`=Q#ycX#Il@`i6D17HZ8;*^&h1giq?~QvrRtDRs+dGF z5{~~md$ln91===3sxS#a+RhtP$maBTpJaD$%}4k+WVyA9<`_Nzi}t|6oDQts228RR zYU=Pop5V=h%D3N|b?)1D4wVIw^pQu_nUy3yyS=Y}m-aNVy=b>;f|zxc&do`*lotv- z@a~8s0CB#g6+!39oO+g!7xvhjA76SISBoJc)fnNF_> z;td*E%RK%U2Qr=4EcZU(O{+yk&KDNBlNu~_!)(`~9+UuBzidD}QYB^zjO;&s&{>iu z_0qlWU8fD+u*bSa6mR_ciuX}T?RLLG@Z!+CA($r+Dv)Aknl@8wB`v}F3^O=&*j;w~ 
zEfDPg?Rnaj9x9F}H4wh=z~YV%*?0FtVL^z4rf8Y!+9BBTi;B3I%O>w6U^aOl^FI$T7fu|8EcIM z!+0?4hI)wd;%>jD^yD_dz1tYvW0qDi08FnX)H}L8saS;)F=g@rMep7H*qmRYXeNHy=N!Kn=e_FUZtYSLZJRt$o*GSg}aX%Ia|SOsfnba#)?MK6Cqy{ z+ru@?MI0PHbOR5th6c<>t^3sACRRI`f)J=bf#R1B51zFEk;@76R>%8k3k0N+84VFA zjN%Q}B#>`c3xjBE6+?JR`o6CcdA5OzVsCn!a-FS$qBk&k)iR`bC~I=NPcpUA`kCjO zcx3YjB3{d$+ka`=yMAgmqQa8zlbRXE8MOgVXutotL2{Oqc)HjdH|U`QB_;ioOE{%p(`$D6Rg7P#p_1e z30tuWZixK!ETdzTy5q43bkedId+Eo9dPb?NhK))9Uyp;;lPv~NiSN@_N&$uMUKat` ztU;N=oUGK;7h1kk8_UJtG?MB%bM0eEQ!^s-c-5l%3uu+*eXDjL`C`zQblww6_HioY z6Rc*_&E}>A(yGsh7O{Jx5J8w`(;AVH_VJeQ6b`A=shPy|F@3Mi0+;lT1kcRtpB1h} z%&mgHy(vyqgId{7&fYxTe|$l9E8K|mmO$xYcjhx1Hj~-d$)uoq_2&qs(pn)hiUB3jfgUC9uGVn#7G0K- z-2dU`FxL(@cLAsn^YS$O6*V#?pOu>Iu~Z))fj;ydC-OG55{T;(`Wh*MV(~5Z!+g04 z(X)3TEM?-$+14%nFA&bt)C37HN3DtVUu}EO6%ODJiW^rE6lF`NWfyRjQD@A z%ujvD;*o{SXvRw=Lz+Y#`^A(9b^HR~XhkX(U((p#TU8p1TBAN!UDkY95deF+!9Cv@ zqxF_4_1L)ErlgtlFv+V8K9HN#ToSkyKR((o%ACvBy#M}}he?nTd%7k`A^umT1m@`8 zd?L!fA!CjBmPuTU7#QT1Bw+W|b6+B2V#=ijj{S0uL=2Sn^w`u~>o%_+HwU$%&OE00 zxwMFklK4O~8Vc(+jzjf)JYwXfeKzvDE%Me`g{_E6X~l`GS36;;BaNR{uz1&()5n9X z!qtx7;riiqYuai{>d%*^!0X;wy%0UudB@^%Io?bG6|-72mv%=H%rhZXxPz~Ep*W9K1mrAjlKBT<3BN&Dd}zI(7kpUTkHk?E-)|*itK|qESu)pPTZ9o z6QcGkHU4B2AZ&b(=Gxy$+i?ef6_k=Onx602fx*wVx;JYl#ieD>fRkvLuha*Wsg?yI&i(cfRR0 zkEc~1)mx;O^U=@o7PwOuR3H^Pg?x&rUPw{$?lUU}8VETGmi3KF9Cn$+B9xl|EnH)lZl9O3^@6jaG1MZlXFqjoEL8Wou_@(B zO*M?`fr&0HI|s&*qUc>l^Gg{m_pQav3c8q{dUbvc?@P=rW!sSgdwmrdvejvI`eodr zfmKVglk37@D;}LORBcjo+!2DlhL%vYR3RYZc2a;QnU<%$5bH~^V^$~R3^&Sj2KpsN|qF63NOyCq9ak4BT3boLaSp?i$`9GOE%&oWPi<;H}SW< zK+p*|;UbH@Y=<0i#GgL=3=CNk66bc&kd2~3oxL67`uXS@T_Yp4{k2erXx$_;k;jdE z?E=1+9;#kFCe2XjN6@x_Cn5tk=R`-|&^AAEJY-ynP9=R5CC<8nKuD~uX@Xlh>RQd@ zT2Rm`Hm?w1JHZ9D{oUDpm;DKHH1o+X+edoNV|_kj@}Q3;g1JDaYGK~9L3>UKw60n& zSG85QFm?;mpi_kuWb>19$}0MqgSV*^4Mc^wXf^9y@Fb6(d-QU#(q^aemkTwD&U zj9ahHFQVxv!lK_eERJjz*(_*#q7BNbnenDXM+A?af|8Push8*j{e(iuNP3Ep?q2zB ztwE`-8m#WQCq=`fxXaZX436Fnll2+DZqJNTZy9@y=7T`IgDLJw5-ILbdcKaV9^H)8 
zQg~@CR#A8%H8*?`;(xJ$$i>NRoj-6T1w=EBShzZ3nNJdP5Kn{)Gszs-zKis_>rHYJ zaz?FJ3hEWxqLPbrP2w|`_zRdZlWyJyBdzk)j?S9W8l299^y)Fu*4@))b+zibu#_@e zhqSnF)up8hrN(tn%{*oorUll*m1Yh*$HtwvrSkV{1>wxVnVV^dr>*QfOtW`0%B{CO zaul97?6*Gj8O_~$rN^CEsF~&Ai*ju()*dYox~3M1hdOmsCj0HtHtE~0mK0~&8_Y6^ z`G?|-%9av(cbVo1+|QC$9g9VcC-rlAI-7GHeA-u)7AssO$&f3B9bD1*^6B>FA{ z;VKNG({iApM8^=%5u;OVz?>9lBNPnlisP(h2r0fGdatdAr81wzbRmMbjm!1Y7o(8k zbAM3B|7DW^Mhd;Fp-O)|&{U%lE?C$G=Wu(KjFd^qthDYxVYJeg85TTg#R_I9Hf;P@ zFYPT(1G$tz2Y8^v2iRp1gYRM{881^bVTs)p+@_x9Et!S(`z7+DHT(ub3WIjcPTabK zmRSfjt8wY?aMgyZ=tTaJPdZ9nCNK+|p!t%V`TC3@M znr*0pz{gUvL4O>qw3hCXeb5Sy>4EbyIh;w>cOB|YanD?a)fC63#?N=d8SBCTb!7#KWz^l%<|%=9SisL55oJ7SlB zu6>y^mCTt?JmJOCz)_8bG7W$Ia;_^g(3BeW<|j?_-*gwRC^eoO=c*iE&r|$C2b5+^ zgM>gMt$8K$j%CHF(yQr@z0yQWcFd8Lx6fEhc=|;@Bx3mSA7J7lAd{8fgu3|97W z`#=|yiblp3KD)lXt>NQzVG>TirMZ#EIlmDx>M+qzTSe}}N5teUCE%$e8p{H_=T#E) zFX8Rx2M|cmL`qGvhGwLA32Wa#5{75oa1b%k2Es|d}sA6YklJ0{w$Wn?QR&aTZ zY=ej%+BCtoyC4O|k@$&;DWjtzAfhZSAhxwC@r}(J8nw0owYFbO5IWude!D>zerzT1 zh<&Bn;QV?+ncT74e)o&@slzwM{r#9$gc8%iNI50U%M*7+K3(6K5U||9`-1u_mOpS) zvD|YNW)9DxJb(9L<7K*8EIn9KX70_2o7O7zYs_SZ?t6UbUy*j8(f9=&<-@0+Eq}U4 z!;l@`Hk>9;Q>^dvgv!3io)2j{W{M{nqt6}z6#wn=ex=r)8vpBrJT+&axnZ|mk_ zgD1*O7+zu=pH9zZf2tSxE+Q@l9j713=h``z6SHcV-V6Nb+7~856+=xD-wyjRHr!(} zVs1gbm)|&6#IV6#Q(L9p4jhv0l(~J8(O&A~%p!+|dCtYm{OoFJ>JK!;rT#v!o4xP* zBFIjsw})vh_FeD%v@&gM0j1JzJSD9Q5EPpk5bKzC<&s0=#zIYkK;#02L*@HN`SevG#!dtb{jLZU@c* zsGY7JH&=M`^Y%YAR5rdvQ;;B0AiTZ6X__V!v%jAjmp`2skG1T?>=Mir)8Fb8)n8JihERB*4z=u$|KZJHm#jOz)a&{K9Ye}V(a1dS@DErZAK@jqS8{im?GkP1eKhvuOA|~7BxD5@i)sdI!3`X}vA*mQ98P}qR9Etkvu(k^|1AYH#4i6E8NgpQ)K3#2DcG32 z7N{0d{2CST2p{I^`Dj2Kbb9js&;LK}pmSCO96`Z0c$E^5VcXNf|k9j2&|d>@`Y0l?jK+EC7TjB3%i09 zveUMN{2D+kB-hsD-Q+Nfjl7IaAJt!-a~Q32U;=LK%Sll7Z=*T3n#nMxs=g2ZpeKp0 zR;~RP`k#Nl;qE?s2*}ZOa)Xl7nyg+01Jr8OFY;J9lf46IM8j<-z|4@7obOAaXMHR;Sv7TXzBBzaYk0d;YXH z{1z~}+!Nb46b_y^MHV8NfDKndnF?v2wpqWW_Q^+prp$O*C?x2VM?A@n0bYQoyxad@ zx8ugLDDW!cwR@qz7xsIzPelERC9vVf$=ksOr@i5~G5|zH0LhqLx+n6KGSe>wC(^8| 
zA^Q5ilAYZ;p(48=C3S*K|8MOfJOhqphTiJTe^;EN6H5>zW_97Tzun?Fd4q(oSb*L7 z=5H>5Q(4h|?*yIa$r06ag1?;d^^qbcM}&zKGCyU#zn}2uli8CEto3*eKIIWlvMm6S z#Q|fKPj4&veG=KsCx5#XcDnU?12DWfu%NCtpLQw!y_t%%z}J6yA*9i8}8X{cZO$jlL56d>^mVAmGWb}^mB_KVJx0O85G zSaDONaOCBxnwnyOY+0N1lS4*}h^xs0A{`PV>5o0GILHHZ)7gX`gXT{FGjG8FFzQjy z$f)qXW~S+L={fR$n!GQ|cL7m;*(db*KVMbAGRZHUSj#q^-PTS3K^6jZ#ilCwZvr4B zyYc&=T5*5?ZuBxodiJ}Bh|#Z?n9~itt0Z0DqzO8Q6qEQ(sRw3=-}hJrI8vMyLd4wW z+SA)`gG$VL5w!gJI(h1wh!r4~JN{Mn5@U`uVKAmBCg^ZJ+%xLTc-}Ud%bk= zpDOc0`2;a&AHKZ)xAgoi&wm~JiRS;Q0055*Aa*n7$qEI4NR3$sn5fVXF-$Ub53k1- z6_32S#FT8%5UWc+ixn3J7`t~qT-QbFg;y4rHH%Nj)D@JL>Q#bKA~i;+y(y0vpe&%W zVyu!|d9imRU`Ya-42p(F43EP!y5DoA_;6^Xet@-ge7ku=U^AQ}vmg_gj}pfAhF!4b z_=ul!W#xq{WS>LUO_O_vFZ?w5D?$$ z!@8wRhT=uEeC=&H-5VEZOEZu5^tDYhYy{JK%IWR$#*+T5~ZFWrnD>b_AY6cPF#dk+^ znuO|S0*Rcy(?l&L#s%m)O+Bm5o-cw3kN~M?1Z;K3I>0nSiYX;8cx>+sYZjvd@s$n$ zbN5G015>v*aam8hZRu%2OPQ@o*7r6 zh2)AZKMU+Tx9PRuC%~{bUx29XUU;m>YH3Z;HcCcjvySwII_2Fj&xM`@?2p$J`a?;F z^J@|O&2;#^$}Cc!^KElxk3NBq%KkIZJq;NTC!oIIGiUA9NtC#Rgj~yYu^)d1Z)@I( zBX4tG0~prI|Y466F zVzSEsE&4#$XCM&`ghSJuue=G0y~K8SaTfdKih+gi0=4JQSS8y?fZ=P7$^oG7ejI*i z8e2G#7+Ff(XbCEbIX=ib))E2_L?$$pC3yqOk7D`!``Y~-Ey#Vss zzaRgrvnN>T4~`2-{~{~@_s`EC09ZyTzIg!5pV(EXt#_Oh6b8ng@aOKXju!(KOLug1 zv=Err@!V;uR={kdYWUgJ%G#semct0N2TE#q0k7ci-{AM-)uo|UL&{fyN84EjmzaFA z9h{u>0M3LmpkfHua3^keOJe5WS+cOcd0oaT3r->I0lkeAvzn^v2xor!r=O;#rs*O} zS405FidvcaI({Wib;zv`bOd z0Fw)}r@b&vMY*~6)||cuU%+}~5z|LK@M_+NBu>+W$C<*AM8COkj-lu&*EV2S#}RJk zX>3vZhsOXh<`sbZ(jX1f?$OLT46q)VHyx8UVt~%OboF`b`UlnJ%K&DL650WtMk$^B^PgN&s2 za{Ea@1szqQ%Pr;V*TUGMp9AZyKm&thYQ2try_I>8BGYZhJvRfzPb$^T$5opf8{dvz z-RxvGDAZM*_TOl-jOjF}iSNV$yGn%>OqL8%0Lf=;!wku}i_@OB zmV_~7V_a*FRc{2YCg#yL3YijX$;J0lKXT%qUFqcBTv>G)&eK?FdM3DcG|zlYmc|U& z66|MYQb8Qg*DTT+coeWxHhrOu0Fhu|H8AF;Tzy}~%=>WVVgo<>{haBcT(w~VOKdu@ zR&0dD;iot$5qp<}`V{=-8RyUjx6)s}TLu2QrodcVWftGeWe?{Zd;ixPN0)hGzfy#*N%0?tmqJWaxOCQfOD^PF{ zxQJl%;FWIP9WzQ~v%@zO+A?M)vp zinfGTc`OY(%|~k{H-P%a^DuAygT~FgeW8ad0Br=P=(bB%wa=h1Z9@g@o%p{tigulZaxW 
zF)7l{@ayR4>sh_8FfF*W=_mVkAHm4L_Ocwj@tvSE9xz%^n+-r-mkQwPgW@0f74vG9ZP&Ne_tlZmXn`0OKmqUB4`sMIDK)X8hUvVj5 zBY)j^o>`%#wX?>saX!e$3*@>wV{zU2P|d@2kOXOk)Fo|cVCI7RXV2fa04}2JJ{hZ& z$^oAh#)^Skw~Ha@{Q=hHfXxnC5F+60)56ut*~EL7`_wta8yuc_wZkCAWq~V^vB;<{ zBYAsR@&scNl%Hn|X2t+#5tTj$2CghImT`AQ(r@3Y#RKO965$!5*JTR?rg`&zn|#m) zZl)Va5r|jM?cJtMA+%Sn(`{F$c-^0Et>*Apy`q4t^DZ+xUUQbGTOUKcMGtzksJf`Y=E`o&a8pOa7GcmRab zET^wI*5FMqcRnz{Ro3vss6p{LsS0xy@PIoEfOzu9sdOSw0iFGI55ZKu+dM~BJG93SnCetgSR zM8j`hQspDGWxC(B+TR()ki=I*ipLv=&`DFZ^sV-4*zo4)&{_n*>-tw5F-aGj;IpgB z=GB3%mpSC;);MGi!iS8Wv|*c%W>qpKgLGwH8T-_b34HH90GT#!s3*HW>3{~eMaccAQpjf-qzoY zngPT{BeJVAji#x{;+QZlkXFH=ktJ-KM}UO^-sysvYk$e7k&i5$WHdG0#d z-UKsgS;>;xyL2CKSrh$8Jypr~K8e|_ozlI~0Rm~OBr?ys0#m~k-%Weo@hx!Knzn$h z>NsAh1SokK08TefRWL>mSkP?1RptySlPE@sMrjGNXH$Q>fUjcZzZ?dQJ|GBvQ%;pe zp8anap3dmJe69EpMRz8bk)9@Dqh$xXbk$pi-qw=wSvtU&1r(xhgqE2H0TAfi0pK-U zj;qL56;ZaJk+FPHaYq#)?|Y%fUpetPukAbQ#d!a2F$d=6$Un6;uM&e#Ce0NCuFkz= znV`V-O!GIEBFgcl!@7x%`CEM?%7(3X5aRoBpX05hmOjq;B6`$o3h87KmNNKW(@it; zSl+THH5AO?Zr3`%_iixGRwxsgVfJ5xD>E{S3Yqg7l2?g|1avgeyuZ+!$Qx1BzksYR zd*fC2sMmN25Vm(w8WEIixT@rb+Df%*$UgPA;Yw{!(6w+|G~|_4dvjH+&+sQFplfgm zBsBDJ7Fi7rNNBz{TmtP1NL#`iO-#Hk(d2y=HQEGRSga6(2#(ifP#h%IueGb6e9hLh znm9JM`99X#n_5O4IhNz5g6OZA36ywgaQK0)0#`Q<0RN3)Isb!&q;tIKQKL!KvrNv% z>r=hb%V_bx4F0&TSo4LeG&!C3sZEJK#}h7A=!EN{pRiQy;0 zA{PKS3~A4#3B73ihyeru^iKK1M8$P+nwbt;7l0d6>VW*0O>1dc8O70R%Mtg@x3RBW z&;9evI%#quM2j|EfpPsRCY9PRTsT7(b2aI(( zewo70mQADghMwcz{AZ{#Qk#T!2k0tEyk;c|hOz2}TTd$L&4D3iE8^}f^9Q44fw}le zaF%ji-Qb*{ux0CckK%y9?lvVRU-rJ#R9FE&`_)+$j*MHjR>BJ~3uB*RX*@he0jo@- z%xkL$aC8auw^o{`{U6f4GAzpNd)pvYL=IwrgaJy5NH;1PeQSHK*u>7VHOYQ$RQ3UWCpM*|ZhB zxq_}tk5JpXWRMf&R*)?xS=hReSte(E`Eg>#&{nSBj_H7^lkWXoV6+lTKfXS<#mLJ4 zwm>V-z-K4LeJ4etB>i&37PHAc-`d*yQ<>!2h1zKgO~G>pEQPl-rKoHK54I+CymV|V zVq7PIFBgzz3!I&Nq*s``Ykz3L*zIO-IP6?+07;Lq^KJP`nPjyK>G{P&+)<9Ks>WFW zGFZ1UzJ5{9rsc}~;LBlbcYFI80})w=_?vo}K2FR$jpx&Ccd6~eYd;C7evd%DzMVY~?>=DP 
zC2gzBbo(-k*>7}c1Q#L$_Nv%q>d)uJHcSj%*{8{6rXI^_b+J}AXuMFB6dC?_J$>zUmyD-2D7lx?5;8v>BdV;0%*ZngXNu!x*R~33%eoeqX8YM&UlVlz zw8iuI!F;8iJ9y!=+w~6?c@$F&Ek4Ro9v{wQQx`Z0k0<$lDkgHCS*jyAl`>}CQ5>szNK=_Zb{OxXvEp%TJ+V^ zvk@;&o=1RA0B*%{cn=dqL*r5~h~3f-xBLzzMB1h&0g$AdblW?5!F@q})Vpt!7?#&k zVWDwFEd>3s>?IX?P2;h8Zwk@)Qq6Vc%?js{rBVH{Hz}rf><3B7_}|bC34>d`G6DO? zV*E$o#VvAx+eqJahS^-@zISaWtnCSdqQPkKE>e(Or#PMQs+R*gr+cpHV15DfQe-c# z^P*#ys}$|uckG2UKsCo(NuvKZs!8QR#;ie2)PW%Ob=|y#yq)Ei9s3C>Tot$~GPeh= z$Nb2_%h1C$wPQCXl}lN<*2t`rtVrhLEh@{QRr->-cbynH#9!zGB1O99Xn3Q>yKs4x zDesRmgEEFO+N2_T+5A(1O64uNuVzxV<0)ustmTL@#kI)oG?NvC|f=t6BGLobMk1xvgx^TZSiBd_s+hC92Fzp zJ-z83ef&0Pb1f;6G%s`!!8kWW@qybu!#0Pm6}9lRT>^mJM3!yBxD1J+GxPPGtlLIz z;QqB&B>V(&+5SEUt8X69icBR+zOP0k!~Io9E$V39%TdVCy3Qs|hhd6dnx%@lO;Q2& zMlUaDLAVhd4!?KvF!aFXjFsq760ylSE^455w`ndazwX+_b`)7?uR_^-_~2t5w8whL zXLmt`j#f6rFp7M~GxlH%;hW+y2TEcEUfwGw&j0H*BR6;he_SU!EU5+(FIoYH~IsRyw-mMTFW1=g!-@ z9irbK3QwP(wyW)i?N@dHG%y>1B;>Rx&N(qQ7OXePU6l_@LY6EenU zB#~?t0pL5Q-aj zKZr2Y)4Nv=;~ZLak1Qu(0T`ZH2>?55?!P_PjD2~&=5({+-I|=DVSDwD+fmC0xAr$b z%$;8_d02}XB@_y=iQy_v)o!A^z%oBU`mFY^v)C9UJ30yC(ACwY575hHcFO#2c&(T; z3+DCI-hpWHp$6p<+^vt1R<#!oG;>`x%{#nN^ECNJN1(`wc`m#ccAk}_E~w~d%L#{- zcu}yyJz;PGXK;U>VOh}YgbMd(wd?MOr<~hJsri+GOM1?>*sN^fTM<2LGJ^MU< zZi)i@7#>X8C!GB9A2tf?py<(K#1}POt;R{$I;&}q-`tNh!0LZcZAp@hn)leP@S%LP zzq@FmKU_FGV&G7r`Mz}RZCbe+O-SsAz|D?D0sBRN0B<&X$yZ?7RyyY7Xh|-^ADK^l zd@ZNcoFzBg$`_km#pLepo-IZDa3tXYsiEU8Wrm`m%7ZqqL&4G}5eIn(aNlH5zEMZD z*;=c#r!mjylf1W7JgvjpeH1H>&Zasuus+Oo-6p}(34!1Z^nW3f^nCFMJb9;n>%APmWU2iU-1C*#<-3N0u2{c06yZo^PWo~bHirjrLz#Yv^5aiL_6c)=&^KgBIA`~c^x1VGMz!oAk(gLf z!}J-@cMnT+SQ!xu87s6~85t(_xz4p(c;MY zQnT95S2>ZZ=MVBr+I53#j|w;}pDHjL)v6UfqFv zrYT?S(Du9SS4g^#i8(w~0WK82jB#A`Cw_N-{dQbg_AOYZhUz2Qm7@m-3@Q{HJ-Wke zS*Qc&kBsT$(wlP zXvwRYd$9udK_qSGb;<=h>VO?6FLBfk5z}=ZHPIn|rBfpkO|0W3L&QG+F8P?j^9YRa zshu7B$j7cde2%Er-OUwRd*Q=_*oK{~rb8_(4LPUbjC1*ZBvxfwDHP)l;KR#@p>E7k zs5GJlnJQOsD`VFFNb>G}onz6yHnSLdafv)%WMEU<;f}#4cUFcWY7Te*G5b|_>IK0B 
zr`_ELWg*EN4)w|pec^E{w062;KNR4Z8zRSA4bf}2uNpl2DQUmUR|6B>YsYbu!bNYQ z@N@L}^93av*u_`3xXPV}srpCErwoK{oS7n#;Un*Hn>IdgnaJ^0ucs$Oeed zro_0dIgn&%Rq#KSaW`tD4P-LU#=+M3(YGJRA0=6hhA9-c3UUkS(cGosptyK)Pk!Z{ z1LNXedEKuy9(Zs(5oCj27vF5XDRUAtkfn`k_c%^?MUMKjdZd3^G~I~qIekG)-zHHJ z2q=otE2M021%*+iWN$-{6~+`lflyUq$~G!f?1o+MNgGYE(f50!(;z~E~vuJvDTU1PLbP&_kJ$?PaE{> z@K@tA%_VP7iC44YtO~FwMQA(o`G=irvsaI0S#7uF>2J5$ELIW}C?%=xb4q5!&~!K~ zMDKU*`h3bYA6$OrT60rSb^X$mG2<**&qzr)T`-`O4I5#&6-TdHXsX&b*=u8MooKhv zYc8^+%M>mJ(lx`}hMz`ZgR(|a{I;`Wwv6jnS57(y+O_k^_B{kpE#qcnPWo0`LfsY+ zgSt^|Oh@L;jspA|TtppGA1&lk-m+XOT&aj+9diNT`9aCnN_)ia6#>XgK(eI0_eicTZfm*2a`LIf&l5aUa8o0j+g@3?Ld%U z^u|aGWJj6)ax?-G1A~bX*?(2V?;tdEAI^`gtvipkc>J?wE%T?LJr4IuU5oDfQloLY9 z?t-paBH-TG$~>BpQwW-&T>U2hqMhZ?Te?@Ccq@%}YF8;S7c)Hm)Kk+)h-Q$ByfAHa zEFw;YdBc3LkTpI&dvk$4c%_EHl+xbK)gtsrs(ZN3Am}Xe04^@8s&+ktjx#uJrM^%iBxNc<6n{_Few0B~9UXWEm z%$O~tSv(k5BGKupJ!Fv&1G9{Fa^367gLsngVhSLaur{P9lVN^R**dN*HUL`0ykh$=p>8r z9hRN+idTCbdfo9Y`yu`^I0*#THKEx?@P9}=;OpzEWDj8pLf{@sH205$cmR& z8LjhdTsw&4rp*c$USH7Y*^KpCLuYBzT2;t-rrA?Y&ysvz5Z-qS9?jLM@p|PlMdDw( z=BjcxSIh&K@n!k4>zVc!6}NW9CcmM3U+YB$rB=kr|)0==}n8iCgMFTi@Qf)sPNMp_zxc-_RO)M{4AjVO0B`a;&SjfQ+8Z}VomXetGinzLA zZyTdu?|=DmwSBywNes7H_^hxYuyc`P^liBvTfUqz| zxN4FVg(|4l*&m<;p}=PThDmG5a;598H*uCX#x6WKm;nG+iJ|PJ6|^83pTeSDDY)pk z!iBGCbpYv8nc z6F+F0?MRpcAa>!Xfb1j4`tB0Ag_`_UQLG6zCggAKW+!%411y~UtiLhr>(K6u(9E3j3q_+E*d=`TA^xhFzfVRP?*(x~xmew-o6@#CxH`m~>SqC^7r2+a2PH0b8=IScDX!S_o)s>e=Sa5C8Kk9FK}e(tDq!HcNqR~z zUpuFR?U|`wbqkUObHu!N+P#HBinCg_0_PsnkLWtrb&bWOeK9diSfL=faXufEW?Z)( zahegg-34m$GXOL4tEyf_J*0eg>_rZq`2JnzEa^@Bip?n9XO*aXyQSV=H}kMyu9=)u+J!UZe&d9n@6TZ*@wG3 z^c4~Wb84jOz$|XG(T1-PCfS~Gr(O8~j?JT>qAaK8at+HWe4Uxi<;~39y49EmyS2Jn zl+)c(2pm?kx&9FCiO@P{@AgpsOm>%u8_NpSA^VQoDoP%x-b)<{vE=g@TJro1G4wfB zwdYG~(4)Q72cl7jZeG-vChwQmouXVh*j+iF(WlxzL83^2?fEkQ>Abe-XoA?T=fE?j zQT`tBr~|P$W5XB>rLCsglrpjoILB5ysO#cCmS5ef2LxtIX-X-L5SZrFa_9U9;GEeM zC1lvncT0}AtO%vSvZ4oBXTveO&YfQnZlil3oLQvNZf^tz`v%XDr6=!EJPY?jbk6dd 
zX>iaE`NIXBay4vPxJHydmt~GG0>YfpPC#@H;Pm4^b#LrCeq@`EvIeWGOY5uuu}9+| z^7eUVB0X5WQht`}iC8(Ug znVtVEMwn)>Y<*=^8;5ib<~w8IB~!ubpA-Cq*X(l^c5WDxXd7cu46@%F*W2DUZ^EyQWVmRPohgopc4IE=xhw`97=c4b6!xokz44-|q8 ze}PH1EgbHn4zGh(^4*OEJ6nz!oC8VH=hM^*;C<^S0b_%wZr>NezO|DB;#7^aH@Yix z$`AK+=XY~Jc96q$$JQalYa%}&0i)GkS876Q*zw53-oDT^v7`&y2RjVKuRx!m99@Z< zblu0IH$?UaI+>~t#E-uQH3R;aKuYF7lWcH)9Y|@zQqd?4S9%7;Jv$B8&lT<$f#Q98 z;a0U-@5=EVu9ZFO!QpY$uv@xb>$4p-X0Husm0gurl-f0HKL9}SgBI#`ajW|ABAhE5 zo*0W+*gR6<1wwAL5QC98iZFH9!VMFVJ*@4vodlZ3J#|)4*{2N>K)nOEzuR0=h*yj3 z?i|+wP$X~pn*te?5&`7ZYVZ;1wr^bQ3XB}tZX|(go6(0J5p6?M<++XBdt#&7=nVDi zl!dsDm!}Y`qqAgPNsT`gm=Blg?DqYNQ*O8%oyilb>d8f&Z~k)_AsHjkXH|=?E*Q?hg9I`OzM}n&zik*#Dl%DpZ+M+NUMQ`jjB*ZioAuIxBYj1KnBDuG)|+Eg`FS2^wLgdpiqRz{MfxFEoo- zQbj^pcd@;x4-<|dk5~+s_7FUaa!E|y5&8_u2pMx$E(4>#27D-3p~WcMj@ve<+W{1P zi`v1Xw4A5XgYtWn(AeEz0w~rcL@oDkZoT%=XUM6|5%$}Ec6S0~pN=6)CV?E8K!p@* zwF?**g>LaUB%Ip$vXEWqNfmV3=WI4}Y+537CP8EX1K#7m=!z-HmE!m*&T6oBKeE05 zj~(!)6SXWLGP?A?VtD#13YVWD!9md2SRSR|c}g5Jdbz}@f7ua?AxpqDP-DpX>7YD} zCVW4myvX{lN`x6IHtCWk^WM8{J`M$h*=s)#>%M#JZj`dTriyVCu?$I%|uI5QJ@zJl!6S^f7@>}R|H zj$%aQ;HGK7jPSx$?LA(hJ3OhK2z%%6VBysrZ6`SSMN26Bo&X7v@;$JHt0)sNNQ=f- zKMWdfA_~0VFE23hp#J^Wj{oZ^FjBOd0EW`Y6F(@huE_9pwrV1<29dmnx0)-LgKpvH zY5gWfAC5%TeOtbGwTf4jxOjiWg3ULz5J7!iV+5*3<9hGoElxTGGGHBR4>QR$d{B&6 zul&t=ijLzEWu9w&GxFzA&?#8s(9oWCIIyNK(u^IkSr=KW2Obail^UYfU0l+hU>1B| z-R+F%4l=wcKp!7PfX9RYd$%>p2jdm?YL z?TKlrZRtK&dsvNBGq!7g$>$LV5vuA6iN3PrmqBI4MtLSR^%x%?UneLebJ+0{-bn>n zMxkYH<`?H3K_Sr;$SEbbJgV^`5sz9xXRQ?G{PS1`CW4^^bnBb`eSH7g@EdPM74cyd z(}@Wt4N)jF8l}EcON9kC75%g_)ZD||DdpqsEzl&KQ zp~q+9%;liP^qzoTc2q!@K73>yidYwTHg_ z^h&owntHm#o!^Q;b9XrHcc*1ESu(P?-7gJi6fQnN>A&+tmRVN@sS}!=PrKg9l=u2n zqv>q)RmUmV#jcqLstQ>FG}ey&X9Hxhiit`o;Q>}1R-Fhfy+HfnMGEVMS)nUwJ^IbF zQ0p!DY0?_Xe=O(U&NsL~oFflTS}s!TmLLnKnph>L-h|2KzT zRQ2RFX-m7|#iY(eB(d5~@XU0~jUs#gPBdlHbQVWy=O#z>oU@@Tv5)z(DSmmdttIwp zGmSs1W{jnrrfjd5oDa>7;Q~1hlT5PrNj|0PG!X6DQ${rBQtfIA1FpQWPnLAnE99CF zUHrTD`KLV4NzmzdBAs)zGyAV>x`tjI+zf@Evrg$tAqU=1U=p 
zX${jvT{KEEQ(ao(NQzQsfd}xy!SRcEu}2Jv31JTVbmx19=x7}c)`#Mu)+WyROxX*G z@=084xk3!$G#7)ey$8XE`8p6DGN^TsB;2Y$E@@xfZg-T?Gkw zLGdSv_uxHo?TKYij`I?-U~QtB)?3+?t3pzk=BYtWE>O*&)l zl|Y7!E3Jx(RXtdS#GT11f4JX3?rmgJH~Y+nmugBnH-&*xK@aNeC5;xY9{mVf1l#Uc z@!zR}r)@*Pv~=&}7g3+;kW%x0OREM`yBI%&KR7jCwsA%SJ9@0}k0-4fxDH-c*}qb& zKlSdlXweCLm_vPc^Q98!(nBrC`+{VCM6Jx5JQnsIS@#8H9?b~0i$2VQl4#CM(&lxP9X%`LO{anKRS{~Zrbv#%K zC)ed6FCACzFhs${WOzo)q!fKv3|fxAN1%_Mw-~;7lVgL{Cd&G6-FV`3)7XhK8g`8TrRDxoq65Lm$dR;7Us+Yx@HBq4p%0&(=X4Pf z15%m8@P^h+_5S(f4Z#R&`ig^E&&%@iQ(ZMSH(rk+F6Omamkh|=5I?sh^WL^78_oiG zL`n!taxhc9m6{o~oGCk~ztPQVjV6D|loH-cV{X^)2?N_D^u#9ss@ZE0qqrFRMMtFf zcj)=M?hO!oItJ$$($6IOp^Sg}F#&40QRmJPHl(A(_V8h4Le_!hA~ya*tU?$_PR3Fw)zT!Qi74P+D& z*Axm~^1{BQDV`^8vcC<1jBY|8nwtlT#-00PPdt$yoSz{*uJiWwO_n6+&1ayfC34kmq%vS0@Vu8x(@ME<{qgz#Au4AyWOs^={D-8>9wR=l z!Np?=v-j;bExJ0m`i_eoWN8vy4- z)=v3-st?Q(Yw4(Ls4SZ-lXlLYG2)!*`@tdNFa^_Kk+W1n#RHSA;T%R!3FJ*)_#mlX zwk?rlhEp#^s7_&8YFC7j9% zWcEyGz5HY*y&(C7sjfxehNWe};0>i5J5loff`wRBAIie#@U0`!8DK*O47>Ql*w+n9 z4v10i6smy^h{TtWcb(p=K;i)a)9XgvIBn z&2>nAJMllI1O`H5>8gKv+Fv)sKlIpZDh;kplMrHqUcn2^r^;L$dV|_$&*{i^@Raw+ zB16Ya2A_Cl>3DPsEJR>9ML2B*J&}ZZ8?mNy{1apCT{0B?&3lM?N>3SG_F;Q0%!74& z4B-i%W-sreyl8qnpE1|SFg)?W&Dr@&4S%)(0U+L#&82Fc`g=h3)jtwlBfe&9*)!Cd zO_w&au@T*=%&-ohHEwXXgUR`(nU~hsOHkRp)g#@KJ&5{5WsUXXoV=hhjD1g>aPWlv zt=c2}t}p%zHpwRzGt4Rawt#c8G(gVf>Zsp)v)>M}{&=?~=L_2yF{ZN~A&Ewix39m6ky_S>v2UzF6!q)m1GvBzKnM~Tx@!?dTkGp)6FG^Y(I!CjwQg@v@ zB@C*xma8sZQH&29w&%cMTOgH_Fqle`zF*N;g|SqxfIMPu*ekd1Op9LDxE>bN+t-*O zR7=aO>UyG_!{KAi_|O<4*Zje#)Cyx=xKvS2Oq~O7#Bb*Qhms&>6Sd^3vS1H+`J0nW zbnSs9WCcTTG5WysRH1Qa&1S`5Dgi^c^WHeY=s;%VrL=zMmu5afL&gZ?hAJBjmHv{i zs{YYq^ElC-t7+=N=x=$>QVbt=$%ef5Ckp6K4rOp3EJBz^z1RH*r#U|Pkt*5b=K!3 zGBNmt2LF5Ik7gaIf@Bda{625dV<)c3TXG$>&?>1&)XX&=wpY^K7*kBBB~#4O>gF{s zsrZY*>-V+zX0jDZaWOMGBJa2O?Z~ktu#yGc4SbjXq~5@ne!dD;oAyHZf2ibpWD@yf z@FXeiT5PZF@{{My5k*3ox*VbP-V|nu5N1U7n$}PI`cvC{Ka)fNwxnFHI`{i8`&)tm zCyXjSLw2}&mxheNA5JBe`xN}(0^mLU2Tdkn3WV{st9uFm@5f&BFV^Bl*53~MuW$13 
zW(G?!F(P2_A94N1YhVc&7=Dj{f33MFBM|__@b%>W!^;ay0su;G_sr1mJNxqs#wh5D z0qREmYeYYuBt*fqh#i$muKhl(A4iBO75u^p=gCmOcJOaU?FI_px>I@uPOh0`bz_R`q}6sHqzhM<@=jFPJpvfaBP?*`B(YT&)+&L4nF^| zo0s5^A3usGbqBmhGL?hj_vKaa1%X3wLPVAFuL=G8Ny6GgYI^6cr1^)b|5!cA%V$ok zx*w7s!e0TD{ zcgy2{nT>N`queYGKyiY8d#srC*oUKO8YR{r@0oO`UIqzVd`uFSRECQ?&-T=3uP3QX1JBFMM9n0NA$*75WKXaWr^tT@839*VM^IXKTr&cr~*LtUMZMG zRWVfwPSKN|&SKo1`p#ttFl=1AdbMV_Hwe^<_YqLlP&RdV9hmLs8+R?bzh{umy)FHj zDMwAy;o~c^Wok!IXZ1P$4O{LYsNO8qaGDBQt~6o>`~yL_emwgQ1TsUt$iB>Bc}Ufu z4Un*Bm|tc7F|J>N`}Ikb4=3TL&5tR4lc?BoqBBM}ZaO@3`l+2(DaLHH#s#_7(|VW; zTf*sAPh`Q3Aa!Qw%qVKKNJ2aT%r25#j<>3{$bMR+c!qxs<1%3Rs$CE)@qL+r% zCklJ_D1N)oAR`(Aa;R#cNt=8+ff~@Hz>({45zRf1zKgdF>h(i34K`N+{nF1d|NTip z3n#}R0#$TB$adhfVGxM!fUpgM)*it%h1#bGQa@Tv^Pfs6_$940j5r zK*QjBT#_5K3Ct3xZ7vO7$EB`iB6&N63W2P|2SEYgZ!x$Rr$SQCre4@gT_fcGC(sWF z2bjfW;goNwu-I~9uum2a&$oZhd6f*ePt>}^5w#rf^hrE?m?x7j{3#YRo_m&q5;&a{ zGy*9d!Uh?-ahnn@6^n6HBb39LSgLs1T6^$7(6gnIQbCm~buVZ+F z5Qe4X8bWM#s@g__GiJ^0^e6wM5od?OMvpOkvn-<9WR`BXGEj?pzc6NrOGkxgD3-Kp zDfwG0)~heknt*b-B%Sut)cp4Zx!uOAUvyTwx=@`l8!ol$%a8mr0U8|4iZNv?l_v*R zhTF$dyd;$r74LaQ-1R#3?j@~T-ypr|{<{Y>WEoe~O01`{?K4g}58I(%6gcs4vI`hA zhrUusE%M7-Zq_bB?aVVbG&jF3c1y{sgvTmnji=|eT1V)XY_MsT)&s>dq-&c53R%`b zq0@^3l5dR%(}kbZ`jtHkaqJ~7Ltuf}9ER;e$~4;>KR3Mpq;7|%)##ZNIoQ(O9$s;q zISuaJ+HCkTUNda=A5O+s4G)S7fgb5~c#8RE2XV%eGw|=m6M)u0A)}RZ-MV?Xa1@v%oqTqdAn>!7OaHckD#7i}VMfEW#_<;kvnNf_m+yoj7 zZZ8UoQH>l)KDZp|MgPF}(#7r`vo4GvNV4OUewo>J1}`Rt$08cXe6Vfz#t2uC`x&r{ zElK~(ck`Q0no@WwdY7-9 zQHJ=3Ieg`LBnIRCQl;+%T>`78PEAm zdRevsam(ibX|~lxJ{8w|`50kPG?rEWUS4=^x$8)}*HtP`qesla26}qMyO9)234S?k zpsoZcAMa>G(CTJgd(p6ujWQN{Q%ww-WeAuzIzef|TwhKC$vfv=3NhgLb^n*w@Cc}Z6~KD1if1@BHrc>nv(|@Dq6eb1X_ldD(s7HJrZxr!gTK<-q3`+ ze}5GakdV$&j{tkcQ1Yev(HhAYyma4sPE1ZVFhR-J$Cb()$9NLS8GHv)n4YF?9HFSP;Hxn8rpBkhTK z7*K2#gfmu5uuRhkoc_SooKU^(Sr7ruyES*x4i?a>F6*=7r;N2h|AGaw5Q>D#+RE|Q z0lpRXbU!5$u6h-Loh;3oT)@k7@?;f`w!=H_b|l+FVVK{q%+GtsBboHw{43SQcSo{qHbl^9C~Z{mb}P*e#XHZsVf{`Nr-#k zuO_S?C6^Sg3eX`m);kFp$=5_t^W{4mOH?XWT(bjMyqcG!AyuA)Wi#;p+$63}|1_wq 
z9U=@)SU0>B+16NUw{VS>wS^>B3%D=wacb9_scic|#V$jIGuFE=38PhP8P|=3-FzIw zeTs^^*~>91s$)c2j`lyW$!`j%6JRQ8YMqgU-(H@e6OD~KHgqldXQkI!v8QcL;-XD6 z{(IGF+XXYXW$xLqRLQQ09Ux*#+la59<1U`Z6R4P6xVi|+nU~C%EH&%+4)-uueQl;G z%$}-bYS*NwmGr1SdlsW+R{%7s&c5w#!}XXz(4Nv1W*E&V9n50o=YeGW9bCehpFmJ=`SVX*pwC z2C$S!S>h9!^K$MeD)VA7aJZS(7`c1L5Cjjh09lU{U=J9^fNMPfOFEX|4z7zonxicJ~y}!*lBW zm9Ax6YL!n)hTm&{f!4tcSK=XBK)WbO%F1H7XUdkdU3q%Ha^4-fX^!Pl2Ad?Xg;uLJ#t zS*Y9;2lsZTXVnp65X}^suq#07)}px|3(fM9Xu1JHmrhV6mVGb)D#uF;S&g)^%Gab+ zdK5Aoom;rj&wXy;Jhdapyymdmbzsj5u?3)p*P>ndcnOf4f*QEpAg~96m>ti&5zG#{ zVsfq$1PEfmY?^RnF~2KloudN;PL<8kLW9P+``uY?`#a|9`4lAQOoIA}$r*}=^C>L` z3(fwQw*hbswcwq|Z}mAI)(k+{BZto%w|aK!!u^`W(!`V$!bP77#v8?H zVl{x=q4o3{C^DTA==LF)cACD}Ar%LDJ}5}K zfO9TG<2-wLFc~82dFQ=zB!LLvGP%yGmhUec!QHU6I!VvNgC^hvQqOXrkV0bv%x!(P zPL1gy&Ibe4ok`$rrOc*byjJlf`feaLSOeS%w@hQaWVrJCf%M&hY4mu28ytx*vOf~- z3vI3KPE(pfATzDGPdWFk8m7$oN6s=pMux2tG92sLMd6?XKf$hOm-7e`q5%@u4l7!7 zLnV1ahV34hnYIuhNe!`Lo_Zj771KO6i0ibPLubVd!$M6Q2%1*ZIL{z^6oCUXX6rL& zxAkS5!|}_bq7@J(7$2{eyW3u2vw>eRFKBITU5&_@w+BGP@UoU+(Yyb%Zj`n@O9F`o z4FS1Nw%0=C5AJWJ#iS2wlE6kRD9GTEg+HEtkyD6lv1h zje>p(2LYq0+$Og7AOtFj8{`>rtbv{*nO|sj2SH*d%H91UxTZ*&5&io+D}%+ zOIB;C{+CGn=72|Pm(Jfb{9BjMUk`v#OdVP&6r<# zT(l3lgDnOfg%T0mX7}1`z&yPm+&zdCpdU_LlBR;Ct6T>B9w?G90y`Wv=)FS$!2Vcc zpQT5Ps%?) 
zb&oqZ0N{*@Z3~PJM6fvE3q-*00R$uooVlsl1ixS=2;#HL+vUDeJEV}@?t&E;yxaf2 z59O505Fp#o1HC2j9_mY3uGqd<@tHiU$@^48-P>G7?H^hhQ!O42dXdtyc@mP^lZuQ# zC)bzkQ)bEr9^i>5m{9&7?>{3B_WGe^-wV;R9 z%1q0IqdA3ygy6LHKjWdPhaa{tDYwr=t?@ccKNmGVc?txcz`tR`QR)o=3cy0O^xH2% zwc!99sn%b>+w>g)qrStOEf+1Qic>g+)tOt&HDGz6=D^5SpT6t4vR(xQD64*GU*p>=n6_nue$PniD(40Ni-J`-LEL`vSih}S3) z3)(o>fFu$`3q|WFxVPH^f5Ez6KLkIzD7F?b8cG6abJ!e*;sBbzlb=phmwNuIT=SRh z{-_F^^hmLb-x4Ms-Yoty9$onwAyZ~`<& zOV0UY2%D2wUXpS-U=+ENQc{|L4{1sdO(FehU__nBCA`2eTOzlWHIBNLRs%+-S*@o~ z4p+bi^tt-vP20i$s#5t5#g&SdkYw_s6c~4stN=MEZb(Tt&q#mCSvREEy%-gP0vBei zl|3ej0*GS`5^zy*IIkP2ix=EL3%P8V;&fL_1dlWvjv&dJXFmC3#tJm}-fK=Nf?9+& zcVhGL0M>FHc+@#P5CDchR7;r>{D)ul!({+`3W~tPlJy>J7XNyV1A|4yNuMxS$6n^) zfejRx7~Vw!fXN@{p+FShI1f`kZK<#K2LQpzAei(5@-623-itoO^WJevxiK?w;SUG) ztA3&j7cC*pgsvY^;C!<2H9L6CS2P~)=wDO(dn+s?q3|R~Mlr6VqXV8clEjN%BF$n` z%dZ#U{F$N@Eje?ebtcN%>Zr`IKZq_)BL2D$4r29?6dNAyO|dNaf6){9-$0MM-#m4J zT@>ea826@!k!1CPa4TKfDoecvsb+-*)T$wu?|Rh(PrasA{<#l`a^48DL1^EH2LuEV zg?!}tHd}w?W1sfR-z%$Vu>4s5e;qj7%RpR)?5`<(OWcBZ=#fbT(uu}vyxepRiHKkZ zTUaEUXV4Px_U);a<>Cwz3RuQGqG`SdNzcXAlL=dQcf<8mENCAx-9+u>Rs<%?Ml=S{ zOD6)qQQys&GI?nfg#rij{(av|i~#v&!|>huz8sB6(JOAP%vrt7C;!I+eXX@$uF?9o zTaW+xF}h^zTvweJ8;JTZtE#GwXj*AIwDthu2xHf|GgRvi++=-#q$sAyMZLP^C$P+m zODH4(7+w)TcCYq78GrF|i?X8RHoXC=zo)Jgm%8rSy9_sl+zbH;2Mt^Yy3Bjn_Y?Ak z_}avb;3$3WH|PG>nf&_`#XYc*_$3cz$iHsnlatq^&d@!~tl2g1Xp990n<vd#_Q;+~zq3eL!Je?Xx`%$R2 z1Pp_z0yoG)(WEf;UihA`=z>0_FIHobI{g)nkT~XXZ!aU!}25R)*_ZpOPQNvI7FCOrd#0YpOSK7a!10sB}A@{?M5Tsy7- z9_q?!@y5Xybevf@y!-~#2l5=9!FWO;hQF}me;Hfc%SJ`8(W>({=3m9-`44fy)HVWz z0|=1n!D(OAU5?racoHS#QfRw004cSdyHZNy_lY=D%f4Tq!)$<4Qc{wb%Dy9B90xrQ zZUEY9>CsBpnvL`Nx+^0UxTasKS72Yyiur!eVLc(fHZW7ZmegeWO*{X`z<~N-2j=5s zg1Gj#gS+-)Y&H?NR$Ooh1HK=;E{*uC@03I?zK#%13;`@JH#gCGs!<1>4I}{vK7!U* zjkS}R%Oe%)pn2bn>IsBY6QCyaz==+Xv~FZvcElxL_5oWbBaU0f?CbIUT>mZ?Q1Tmt z{L@mF&KRxRmKeDEJrOu-YXc@(4Im~JpNXe1RL?gW_bmavPhlMT-cJCPL9WH9@L*=# z#6lKI3rD@Mfyo5D!uLS)D79+2V~*)?DP+DoP1iFY7#Zi05dptDU1|Kx5S1#fja|ZL`E4%U)U%=_5VSAF@ 
zK!z?q9>LP11s1cDM66*+at4m>n?*9INXzX6XHJUbtHEM-!Izn$hi%bhufO|12J0Z3 zEHs(y14ehgk#b(v5h_P3$h@w%Dq~g?31P3Jc*>r}a`*7K?QU|g?Z!q!_oF$U4nxY# zCDkiC6JsaCeD3`9{8o)`LYq(Vq&0U@n`gq<&GX%OI;{q)8&D(b+&qdf$d76{Y$A#6 zq{*l;%LXZh51yV~qHg3Bp+7LgGf$DNko{`uJGJg--(OO0nxm)dm#|54=B1#1h7k?v zy9R3o9cSBcYtehx^TcO^?jFoSC&lE1%_4^H<1DqjmAQw%6YLO#1EoWdM?qwG83Oc>K|S z-!>@9BUpic2EQ0}Lb1Zei^`aVm(7b?F0DbYCb0Uo&pCZ>p3(DM$Y<_}=4F?CZmQ;w z=G{l~6XDs%{@q$8#7M0;5b)dODcsCvgzIVEtSH6n+jqQjNLk`s+DQ4)qA_`ovOH@- z4LkgXXgYnC!pFK5N*i8S4aYJS4*A>;aTa?YKH)!|+?zPk-i?QnX?Z1MDTL%#^MT4z z?F1UzkybrD^KL}_ncke$!lGinMd-D7k7R@BGJojuA{_RSCA<|98Ai0=9&7bjZSPb7 zl4^wMTFrW1Z%lcJ=VqgLQW00%j$`b^05CE(S1GZzQ5ytDGg}1fAs?dCM!M9w{IJ}} zkYA~m-R)Jc##*z$V5kq1As!hJX8cW9f6o?Y56k|Ga+(eFKIC{@>DaJvhp>lQnqDf&V|)d-iRyfJuxB3d|RnDtsaSt;UmhmhcbPH z{DOt~R5uPHwa{a4C;gQPbLd2BGYRR%ajVJ%_ZeUyBtT@SiVHAF*9rD~ zx$=(}j8Q*cN_z|ZOFUWw0ww+KmO{rs3&Q#gq|jgc1tYOTiIPpo)*k3{H0#p2Ir;>@ zwViw0-Qe$M+g=~Vj0?hK+H$Z)6Y^LTmId&b-!AE|gRvr7QN#N)oW7zfO)%;4%Kf8@ zW&be(W=8)dV3j&(`+RX6be0t1;=W`8lDPL#&}vb?N8?G|9fkDD%IsAbSc5Ed5cJWlm!w$t&+cTg7*S0_}A^sJR~DV`4u; z&{Uqav6QV>n>x<8xU|>1K^9WD$YW)Kf|bdf1%%$_J*W$5|gd=gg{@ zZPTPw$qp$&PLko^xx;R9fFiu@C(rAnJNqqJ_ZR)tJx3?FY-Tw`ehfRlgWD=iHaG95 zBxW89SE6dSC38&ncu<*;SK5Lof~XkDNv(9s8J!n4Mp5!!7$TG73!U7U+xAG-MtJa~ zp{bIo9>{c z-`;fdGuv!(Lt+}efyZ8XFB~7&?Uq}KPvF{yg|j;XqbACN(09i8GK2rZ@3B4^w*DRN zIZFcl?aCGBNLK^7O=h|azpM7Nq~0(ZkHv3Sp6~hcQr)z@qf=cC9yu1qWo)?XMKwh` zwJ0BNG45AU4Q%N3U5M(C8%{uOeLVb2@aueaWNx3L75H8FbOwAE4b{%a$KgOZTGm!< zdHrwGfpCbM8wI%G^~O$1|ll`MA2N||O!3pYt=RUn7;T9J7iapY;GVBR4!$&a3oRn^#XkvEb#}bXE~-<4SW?SbjC=VT+UNOXT-SNRNW-1Zf~7Cf;#R zjZj2-4~H;iRs7XzC->te3ckqR2sW<$rm?S&Hry?jKs2kf!Mk@GirmbO3w2->CZ=Jb zu#<4^5FHr5*~Z(j+CI@_M)kx)P~QhSUZcCZ2evE~5sZ!90v8B8XvxLb>=I#hQ zpZ)ri0VHGnK1-yW<575(B~;wQl5n1tdtCR7C(O*1K+|YPI#C3Hwzd@euW9Ns4R=b0eW zYK=$k7REJjjK5g^mqq#S>vB3+qTXkuPq}~o!dD1ZOo&lc12K>{JyfUzg+hMp4sRk|8a&>lIC6LfJq$d}o9e6X#}tmR^~TioS`Luoi#q^*DX?KAI}dXr zI(dX_dDB)>Qn;_vX5LP&e{MZ?gAq^H9m8H?*_L7v!V 
zLT|!nKuV#%j&14OcxH)e={n{b>tnkxsL@v+%b_66eW$Lu%DeE~;G2nhx`DP~c4zW} z9W7hscx$uBRXK>>;5J+33yAqG^2pM_Mk%l8>rT;zK=(tVioV`jJ9IXjXN$t>$BiH{ zL_Y5MugoR!rza^$w?|GPxKkI-(PhkT@?XlypP4mjses(9LmrXg~ zbsRQdU`4-8y=;H_11T^k?Na~2@ZL$O9#7OYmEt5)7hiw}V!CL^lp_#N4~Sj`q6y#+ zMu$pj6N9`Syv~q%vlVf~#6dE;xOYE@Ns5o0qDVnH&o8d%M)j@lEQmluix*aeez2l1 z-GidXhDp$PpHa$|;bo{>dUy$PUkAfl6&CVZDj^Z|H5}V`#4!@p-|&5}?wt}I9*HEO zUVQMvMm|KK6Pc{M$I9>>ktqAg_w8X@qEmyoPF1y|5!q$P6N1bNi7Q{mF=n1$_kQNB zF;^Ko5!Mx?`{3cL;m>HKb-QV4^e%@#V_~{c?5R1k#lF7Iytl=J`kXEWe8-{G4VIfS z`!^r;@1OIvL3W-xqy3k^q_MA(-tl=C4u59&?xY zhE=Er72hg$wDc9Z-6na~)NlZo-g_j~n~*eR>RUr)FWuk}ntQmSxaT@;KTpyt3DfH) zGi8X=)dh~XLw1dIs&zUeI)zwzj$H~!ZLBjgkV0-kHkFwmmVH$HU@w(5oFz#umWoff z?4bxQ&Y2Y|KI_YL^mzAq<}ymCJQklNvy3I$RE~hBO;7m{u88)Q4&ULqhiv_z@RNO{Dxju zb7N!lbqE^izGP<;_3H$5=b;U?6tXvx3Gc5SMT%7>*#8=W|BZ1`ik1WOpwd(RwQR)7 z%NI(6#vMf|26vhRlX)4nhQCHLWkMTH^w>@{agv=#a#Bw|4lHc*T%VN4N8C;Rx@~6Y z)hQi_-~ds8({>CQ(d&ch2WM46s#owPB7+K~z84uBID@tVUa3-=o3QD-IX7|*-I`_=g?~`fb`tZ0@(9_=o@n@c8uX7QAKcLh!DM@A@dY@J8-fIzf33 zBjTsIot4JnCPXpgzNO<4^b(U`z&;k1?kVGL;}@XVtoW+WeBDSba)RD--^623rKg>P z>Ehz@q^!|*sg~K;t30f@5*$+5FAQND{BxyU4XKcwgPr^P;2Mi{E#}EcVqT8*!h^wJ zxT%o+)Wg=0`Umg_b-t_cuQZs7*=YND>;&T|eOB6x7D@Hp5}`0voECmW1+ z$w@`N%rnx;T))*p)*!7Zr4BC4aYc6i+qLu`ibSDcq{A@r;6qlnKb4AccyJzvTJpss zBFx^uxalp*F-fFkhR~>w9p^PH}N~m5VlZFQoH!dEY z2I&!-_myO=_ETrmd220>M&aHWCsjipqGBzz_TPKP8IH%RDNNLRhJB(u-#{(38_2sJ zQQri&(eR}AAxiB;AVEE{8=ALoGJN#R{eC^o0bMhyx(gyB5l<5flQ`{3!s0o`wBYOE zGxch|fKb)mz3cQwi5d1YV?-UJj2-GrMTv|JWSefyfoFlnv!rNU={T!=QpqNd%XJcM z#r3Mnh;D-vGy}ENuSIRgOmHpcdvc6ThIB<9_M|> z`)7}(!#&qrb3SoD*L_8;(QP&UZkJ*qoDGc;r#>Jz;s2?Bz+1x+UFsZJHcD!vQJe?^ zl>@OK-wx^Wpz2w8$rY0a4(OLm!U#!^OP<3>d{^o0rRIDmEI!n`(mi5b#645e$FDF| zVEVAo!iC_lN|y3q7V}&R_o1?T<$UX5)yKr9!grhRR)H$n><~a}bzBoiPTv~A-1Mv(Nm(I~1Rmx!y$n*b1j4K=!y*C{$%kWY#1PK5lrTme%&J5q^u1GwYM` zOeB&(s(YBYCM52DcglZvW6Jm4>pKXi&a4nLHC8nz=6s@Ps+Yn7PP$2fnB#F>LzgKG zuv?tqd|?%CdzP9U=X>-Fv%j}dJEnW}WfD-kWsJEqz%grBIR^AjI9O?jh)Z(aT?kXFVhtDI@_6n+* 
z<58a>E@90FuNr;uKHidyz#kd39@t_sK8nA8-?{DM0^afBHs$DHWQ^W>Lgf>!Hv|I@ zqTb=q1ynFeDl8m^As58H(RgiZJFmWn$q`Pty2*AJ4E3fug)f$pni97!Eh#;IS1Ng` zwaLba9!hflgM_(Yb?ZTdy7Qu1i`#1xUWxBs&pH=166WkI66Q zidbfCzm-m&S9ptUG8?j`=&mpma?n;4h%V$p-XTv&7C+$Zq_Y1Flem~!HCy9e%0u2J zD@95sHkvo9^98J9E?}ZL5rBE})PqIXDXG&+a0Q@;>>!R(?42|2f`tCgEEhjCE_Eks zK6QPiw*8P?PMXQMM7oB|8AcsUx5e3rlgxzl1~mB}-|!c&|Jy+P7yt6l|9%aJvhqc1 zbkbj|q;SCP8`zjeR=508NCkh;nY0{UNsR0hA!AhO#-`E4CSTI+j6>w!dq6v}gfs8J z*N-iY8|0k{4B^*mecvBmrQ%7YF0AAhv(sM@vI^rnzz(n`(ZH@%b-YY`-U5$C+6ue< zNnj?)k{4=F3f{;~^4&yJ=YwW?s&>GGi@i^6*Mnpfsq{xrQB)1^j6K-vKhqLkINv9^ zLN&3cMT;$a;=PdBwRVPkRN8^V@o7>v0+h=`ulDbda zof}H9nT-yyYf*eeac{ipno>j4^!$OWIKbcNCXg(mqcIato0Emc(>f($2ytYW3cZKw z?kmxLQP&_jVfduua|>7s2Vw_3arv9u76MqTLL%8d7H9+-c8%Bd#5NC9V+$i$qivj% zc2YCrCnPFvL|sDZll2b%litc6a@JybJd{HG#nsl7wXo1R{o>Z$V&M~)L(=@X^-Dpn)~ z^YLRSF&c^RH=^qGb`1WU4i)Dl)%W)>-gB9x&07y?+;A&>EIfxBgL$aZLnU5+z^r?) zH}p#Ii^;~r*LK&XsubRAM|N6dG*n=!+2WDBQcubneHCzJ=L5`$Az3Bf+k+X7XWZ`{ z1YJ7toKGtYjn?qc-mXMi@{dlA?H*E zzsfE}>7!T?>_2e5rxjzlFHcgt> zfc(qdB>DBv)!5I(ShQ{Ce8JFe5e{K)8uFc|TSCvyZ4uMaTax7E++MbDcqgS7hk+JAwg0J3!mv`57zlsjnhFX2(zzHYl znWUw-aPhh*j`@7+d=PGSNKV>lNa0#ugpDUGwwLU_cXLjbyOj!mS9@H|ORd$FU+Ck# z{Itn<4aA9RX2gTT(3DwWQc9gm|ix5rSTUpY0X_?Fy9 zEswdmcjYOC3g(R374oOO?#>T8(B&Givx z3N_DSC7sUkTc?s$1BXB4am%zmhaw=%Af`Eg?KAd#yIP9*j@ywvUvzf+@3__PpJfZc zh&n@Qg5h6r&#o5@InMJh)T;AdWV}!(s>QEDe{-SJLR8G>22`A`gmImjC38`v7Lw4f z{A4%jpwc(HfEu^HbnOq>Db4R71F|Z#RTrFJbWnb8|E1t60-sr^Co8uBWf{_V8+3q@ zCzLF(F6~=rvoS19)2vp6Gb* z7;t+!Ft@LZmFv>cSrZb5?c`Sg zh8fJur^w_jF~qgVR=r!e9V#Dj-U55X_r?}8|3DIYbkB+=mKa$a&|P`Z4`sw2M^WrP zkz?I*C+c@6w(Z|RX$d_*nRlj5%o#Kgwal$2bck!_UF^)!!X6b_O6*;BvQ_AF>~=13 zq5ZR97?i|JM8zgg|BNxwR3JGbXMX$kO*giiH}-aTC`2qzppidqd1+$D!X*60)HXwR za$;D9^M+-_$Col0`Q`%udtnYGT8COtdV zm8)4IqbU_-hiBe*8gHMP(QJKTQeH~T!ga3LP{wrKn7XcZ>Q>=+;HdnReDg5Q^%mnQ zr;So8o>nKzi5d`&i|0W^B2Eflg}s-Hr7qAsB;HOc7ukP7or$ z)>$bSRMQ12UPq3;0MiG^;lA)yhft5AnNWr1$b59Acsj6AFoqL?l4SxB=_mt7@3l+n zuKLN`>wkXk$^oRQ^R9Ja(Xtl?;ftD 
z?k05B1=zXmU_~@{NHC2%odJQ~sk2LH{$xi9BM^$vwF1E49IDX1TVMwqTZ@}Hj-3+m zL#`ivv+~&L#JDzAj2?gxF*a%Ccvb1~ai@B&QAIG2hk~`ze1d8cT1e{a2a#EfUfZo8 zpc^B-Wo!{QlV(}@3YU5QE{_I7-R;IOiaTt&PRg^pB--TK80W8ab4OAbI?&GY56hX{ zS2d5V7U-6~iz}H#4Ea z-Hq|09jb4`70lbK*(WO%IdOsGr_@3GS`Y`%R%E9Bj%|1LV$s@}c7;|HKvP3x1GB?f zypa$xQUA?i5?Q|kmFD8>$Ak0Gmtxy(xcGXkvRUJF&*hA}!<+0_XeOfSILQdbSy?lw zWXhL5JNi1(w9~SMF1eUvH;F{sEB1?8g}nuNANuSBWE!qU;%7!7DN@qZh?nt3$4YroO3yycZmW-zJ#|60KNvm4HdtX&5>Ep`{C=9#KfSef*s)0)$&lB%!3(BiB1__4EK)01Tr-K>g7Wrg8SxwifdUieM? z=qOXoRR1$c75?6pTEh%GhLC9L!5=ux+`E(-D|U<@s7@kw8z+r2Z@!-3Yn)m{%SqaX&Bl{R^gS|Pqn~NR1i8Tj$mrOGc)~o%`u$xQzpq+s> zk&2s6)HCcMzYkik#))I3nPsxKgo*7}F<1Fs(C{@{I6J|64)yV9lA)invU?&liCMIZ zw)98RF$#0S)G&!oZJpqfyK5mBNbx=~)v;G$^rBe06({sWeM2PZOnaD6lj`V|+%}AW zTbs*t6RJNLuc?_J!6U_wjBO=1)bgF8eN?~|tPix;ktmgNA3gj(ikzDHFe@ZnIUzjM zax0`5X;Q!=AqttwAfN8oGt63kv9vErmKaM*s7_V0Ul)OGuKLwyT=vLUfD4+OG0A<= zX62Oo1zwK3)mQC)m{_;9GS5nO*#26Me#ahfxS5E#lFK8ONPgPvzpEy=uw9Q&jz0CI zQSjnpTLO$^X>!K;BUv_7mtP1G{3E3E@4+<1*@Ck|PRLfN{2h{s`LIWU2Q6=1#|A%3 zjnt)1HbOQ;w6bYQ16koGf%zRGq3>_;YPFOK1;Cl7k3dqAEy^gsJ_umXf^r#GTRJihso$(!QNcrmgH!q&|7wbp;chy232cPudfb)DezP?9 zSCUt?vHNPzD<4xJz{WE4r731-E-=bPKRH#(%iX-FzG0YQQk$2CkA*rv&T;uIMhZm; zjZEP36JsGd_S9)Kax2KUypA-q%_PkSLL{fffUm#M_N{$GuBp^wDx2w+7v}R6cqmhdmP;OclY|v_XJeoHVa|019SR)!Nc!kI)hc%pJkd=n#p&claf$^R^0}$>Qk6XRby45IG}*6_!8ir1o$q z^6kZ^=n8JhIqq`3*_xvB`1ugcf!-P8+z9RlM8}GhDZ?Os2*9sDeCS@4p+64R$<2=7 zec17A9(dT(o2Yn%c3sXb6AI@)8P#DsucPEa4M1q{aeJm=Gvqy_jjWXGxF2=gT{8wj z3G>^Q;ZOd+?fd|na_LzsCp3#_u41{?!P-TNN^j38bo>L`Z`YTY!x$U6?{#Q1&%LrO zYv4(JP)(HUt|u?=Pwnq5B9c0dtx}C!USkF|?SpIbU&lRzF^&}qjZ^JR>+^Is6CdV; z#h-4o%)hmUmNgrQ7}$ZyZLWP8{kzW2G3H3wJ`c+4zn{&2eE8}GFiF3Atk+*=al-94 z!S|zB9nf|&EWU*sd*;{U^^9TK@o0Xh^-KeM&)lPH2I4{+BrKhxf6oh@`@$}A#PM2< z^XZhfU-gmeIXasVa=E`Ip#kphb19z#*}!X;6LRxd!A(ov;&NoE#s!@0%DXzgM;@~M z_UCQv!1+_g^1IuaZlK^C(b1s4d%yczwtp}&G&G; z#Rmz6xIC}`w}FG(v>{-f6PG9C_CVLMPxOy(9ImtyF-1j!=KgEZ6LxjK9Qd0pC#}o{ zD7reGb<*Hp8xpv6#NLgDil^j}^+Hz-QXX`9>cwyM^1p3RNYU_3cw`~``+k3Y!xGYJ 
zc*$xn@7FKadF;Apr!!V!Obn{80Lpd9y^Mk&x=4@=MU%ZA%W3TM!~Z9vxf^a#_aUS! zYJfT&`>&GXIe5$yf5jE_`=!`*GkE}CF^coI@BF{N*58YoYvORZPv)#YbI(J$;c6{q zF2j63H(|F@Nw}DG(c19OB)$Lq%|BIuDF(>%uz^7B;a}e%%=t$`!bjpCdHO#ucK(l{ zHy3T=i?05PTKoNO{_V5y6Sy2B1|i;0^L#r9tI{+&1LLt#e`3xSpn!El>M>tnB;<3H zEN7OrArB(RaII&c597(Cy6Z>4$Ob4P*WHzDkHyiVtYMu9)jL{&c78Y4AqOcM&amw( zRcEJPz?oQlj!EzU-atE8wvO-fZnd$ugZYMfd9YHHHXMrQTIjPl{0N!3V67_RUCFL9 zG?4t7JYrz^>_yOzr%FPmV>})utKh)EjjY=nE^dVipVOWLgMgQ4TP=u*4^k~zUK9dE~rdY8Bw%^rMdO~O%*cgmN zfNy8cbF?1rr#WZGwH{2S^j_0Oee3Icy|fpo%XjV(pjR z$}dU%+GL(1)l`0)YIdtrXcFn@pm(aOLVq!SAjp=?WQ7J{cfmMalh=W#XlO7`i{!6zZA#@|C>Kpg?N*HKU3EoJ89} zrx(qR{bhJ&!x#4*E6NYUoWTs=(Bn3C`nHn!jy&d<9NEk-Nln$8Q(_1O?mSH{jf;Re z<8(3mwx(vP0zBVBh5FZV~d7of)WW7Q(hc zw~wqt85DEt%K^ju0wFDLUqKG;ciKaVk+J9f+Cy2kmCk2#(Pmfp<&ZjNkg3&@f{kM( z`su{|i!a-r7nnmLLfC-lfeL*4ld5p7@IAXES#9$FF_xidzXvOf$-OYHzx?SE!eLR+ zG-`U=m7MFDhGSe{(A$V%yIUAHuluaH6rXdi#oyH@yE`4c14kiJj-guwLmrRE_cWM` z8{Z`5J^Re^-Xo^KIo}&MwBOYBQze8MJcVN3pea}Jzdzx>t14Mc2rN;;yc_W1XYiki zIBaJbFU1$0DgJ5fKJk5PXy57(I57G)BL>MCUc&;oPD$v>cyA9pE*i49fvsz_2Nqv* zzd1O-&w(lGU1ToT)*#7Vx+Tsb(bc<=YQgbEF5GW$g)Uhx0@787DFUB!7* z35BLEGD98w3a}`}6045J*Ix09P_apo-i~{QiGQvFsxjS(a=SS=4qMFD0Z3TUuI7Ny z0jpzu5TMSMXB+-l0%}(~#A290VWtCiZsIVkk0K#dA`**?k7pxo8_#(0oC96?s3mkEUV!6lNBu0!M`HZ8bd3IeIMyRQ zX+0)^vRlOqcK=ckcym?Z0WAk(<9CQqdkiK6&`=Gq9&wst(c{33ocW4g`9s#nB}c&>69Zf`+R&&>$K)z7vgxLA^fFLTSeh)x2TG< z3{j|D8?!2ueeV>RA8n~J7XfGdVoMujK|Is1eKJ^eT5$IaX^X}k2q{1s5XWE=cz2a& z>uB<9;uzfN9jKU{VR)9Vov(oIoo zf4eHIP31XZw5$#9tsOI$qv*S5tXzRYr?!?5EfIZND(XRa4C9<%a-4ljd%RCQzw?CM zJnz~llwD5J_Pnw!L-&Oe7}{Q-@ldb~Y950xWIOl(P}8b3L=u6QE;5CtW?z(N=ACF; zmh%ohH=))kBj**8!k$9wOtR^#E2LJ%0#%rK1s2*bn-=dlFe+;{Ef!_&$DdkBI53X3 zs9mGO6Ll>ol$@on(0|7HFC17x#SSZ-Z?ft#3boCoX0)H>rxTBwLF?r zRTe8VFk&=@k@sqrn+rP=rEHjwrnfC}qaaqM%BpE^B+V^Wrl@FsdcsEV>LA^dghN)4 z7C1PK8#le6zI(>WCL>rf7MPI~7^JS(uC-P{qQpF~{J6}P;Iwu#C-m0Z^8fLiP8+&z5M(#a>+Zn3Wu{=$C#t-krKD0|L%{;1mhXF(5zC+T?y ziVL?yhr6>skqt5##8(x3YL4Mjx0?-P3fd`-@^OIlx-koSl>lU_s94O|G>l%q^lFy8 
z6^N6m)5*I)6Vc(@Ohum^klw`>+373)86qH##Kq-8uPbV5vS5!GHRSTz5EHEuj}7>(GMK>CHSPyPEYU*tm2g{EN=4eSPZWL zn?-t3u_l6kEipv;Q9kPIQmN0?;YVlZg;@=R_P?XZ$K|)9@)-0a7N0x~uPP8>7gD~7 z$fl}a0MVv&fu?x)+j1iC?QpU-JnZ6q&!XX?@Wa5+xlh$tAy}`i&o_{|uiuQsd0IuG z)GAf|G1PgbDbP8n;ctH3ElwydM;aZ%jBv%*Pabg>*v9QyNH}6%b}X2xY4&xs9;oN( zFcfMj)Y=eJJAM!yoroOzm(zJz^J4882-)=rM%E6G`*j|ke6??rEHP02fReF(w-lBb zkCm<}ITZ@9075-v+4jys1kn-ESsN>}zRD&I&6sCCE9HbfOP?c@ec3s5s32ALDiCUj z6YX6&j&z7c(}6sp&lLo1<_GTv&z8p>9!eL=tE{`>Uh_=^-P|D_|Sk8OhD~si0v}z0F z(UM~!_m@j=)+yDjd)@s)UQ@bNr)XBeZeo5``yWxWze_8(D2asQP&&>aR->P+?1DG0 zXvT(8UYO}AJHC42q__EYhqS5D$j^4NT*L<~+8n9A1jOiLlJ_ZSe>67j*< zScJ?c`~tH{!CbYgs`Mfvt8ax{)?9{F)TjMRClZA;MF4PLgQD z`N5GF_C+OFw<6Q9#j;a%_xy6-X$@j=qnXixNM+u;!OW626)YHlyx z>SO434oq^MZV~gzjI!k5gE0=C~x4a2!`Q1=XxEhoq&lFymLr24)%mhK|a!W zUUow1$^Fgt`~lKDKRk?G1=hm3?p?a% zm_J5~ChTInjzD$y7OH7t3W>98#A2QpTtpIJd#CiW!sLER*}A(At`oz(Lz$@@uLoo% zt_ceBJBr>T*p$=IJyI2d*f(p7lI-QZ9Dg@0v7H4ORe7|I3_WS?FE5=#bNsnlazy6Z zo*tgSF_9qDRGCa$@QGVB_78@!E(xMKA`<&6BD5=2k6n46Y<@hep{P|6h$n?0mTsts zr`}7Fjp9g4Dh?rAh5^)}i&bq2UTKlftoiF(i12t&Elg_1+&J*j8!+S{b~O*L#CHKq zIS5A%95O1xO>jT7Y(%Ijg{6dt<}GKgiSLc?C7Co4j|SqSD|=kNHA-byf4guHjC2c~ z)cT6n2x`jXFYi*gIDVKd7?Ie+eH08SU!>Yt7+%? 
z{BHhhu)9S)N>I6U71oP@@4?cTon5F(46}aKV)-)^gqjHi=kR;tagyAa#U8JJokvwi zn|J8#n?M7!GJ2iptCuOxi=}MajVXngYkw##=G&`}1o4TEZ39NQpifgSrkp6H^!@oG zCr4KG=8&}b%T8ZCnAg3~o;Wl(fqjKmcL!K|e9622(b>!U0j_9mxRCSrt9{NRW5aZ} z8QC7Vczo2IFY2a1ZB7%=J9N5(5Uvu|*At=$WUwgSn{d#+jB@#kc~dvj1`|4KZ2m*G zA4Qp;No7VM%$u1>8;VZeZ^vA3JUgjUL`mc_M(#Wf*+N5zDqEe2?9;?4)ZkxO61lMC z014p|z-98Q=4zVIIB|Y|Dk`u}!;r+!(m)hqD-g7gXeyb*qyP(;1|H@)Vnn|}hm;B4 z?4!veOT5O^m^2(}WOC}$c3aHLrIV5$*!>pa6trXaydg4(BrbShhF8Jbj2ov>w(GRg&eEHeL#5-9>Tk z>lQz~0B*Z%wOi*%^<~&?4R?ccWJMXXYAJ7s$NJs9v65XiZ6m?ZZ2O&}jq=wc6GM4)jm zKSkW?X`D0);!um1cw z#v9zX#d|c0!Bl6;YJaTgq5-OLwPgxLzR!~&lZ|Y2v(ypH#Q3UrlRaDlOjd&9LA0HO zCR7L%Z2s>f$p;B)>*p}a3=Y26DC`?xe=0rJ+7*ACvg~$T8c@kCmydWG7yvcq1iFPWZ7nUe~Eaj)byj%k1MB?xE$q5 ztqQ#exA~`}-tVq4W9^?O6~kfvgm~IixLbHwk0-M)UNUJfJ)kYRCokS4o~_{^TmR7u zOcA2_HvUTnQ$$$afbSs8&_Em&fS%H@&L zZ^`ZT(@>4x%8WjWz41o1QYF>Eo5yiIszmC9@B>4(O&_soFT#`n8Z+ZlOa=T?UbBAjsMvwv!v0N zztHyawzvkB(q>Td+q%u2l$kAY{r56{KKW>mrgHEtJ`zwEWZCV<9D%hlwa?xR_QctD zDVdQEy2=qAP6ky3V+RKLXivq$lLjRGMxZx}RYkj}oV;;#3Ej#uDpGc27E?XRg+ti{ z`}oEKNxV~n5CZG4)7>VIK9nXW?1W|-O-Q`15$r#3`oXmMDUK?t_ew#;7zl-Eq9C&S z+KX+uk;}RtH@+w?@-4WFAiAbBY@<}6yT{+bI$>ctowvg_&}+Q>YFn^8%KZQ+O@uYm zbep0#FddwQ7P$`9mk=sAl2BB4?#+Xh2nX8AQ4 z^G@axYkU@>wtb%NKm^f%d6`Y-vp^)a4pTS+j-%S=3)`}i0!`YPZf1(Bo})shE#rUMVpCtW!jJ`e(rvZnE?KaCfxC z9UQF*nZ{mLU}X8d!BRD?Aa^0hl>A}Ac~eDv{QC#aYn%ONAo0oDT6`?O_S7@YIW`fC z%J^g>NN-5+$*Mw?42xDh0an!VNWo;I^}VuQ_iZ~R{-A%#{Qhk%zK3bZdiq>|~Bb)Bp4F(Y> z>tQYVkzlj5OWGgVW+L;e06FK4le#7Kz*XMRNu)55ba;t_65EYW%`^YKd|?k$JC4Ou zv$K7Ohqr8$g6Ib769e-c)yGQ6rQpHIjkYUxRAIUKuN4LECz0W(xO-FF&?;N_+ZEqQ-edgQSUIR?SmA zW7s`7@l@4;mX3*{P_1bdso6x=P`c zPigAXd^de2%sG7WAG02Rd&}0yw_Mtsr}FbHyIpK~(uKrhNj0&`O(q}?8EM0y^&=R~ zEm2u)VVVN_ZQV_o0l7clHFIqe3KkF04%C{yRStDcQS;t*iZHutGQz55Wo$h^k`{_3JQ(k;8Rtx) z1QCR~F%Wr+=zeU^$Q{JGKnqpSMa}Q*?x^E1+69wi_hX!*xFvE@i+Z^H#c{V6ZB_Rm zoMtJ-R^3=%@D;-(QN%vOlay9FG`fH4NU%2|{QG3EY18XyVPqaD&F1 zCJ(HL`QV4z>lyZc&4{~yOEpc7LPE8S$@lVACGrB3yMu*Jz9tSs({}=u5%w$(VtXzo 
zHs7S`g=y_{#B?>Bp6i59QY$rrAk#3Y;90V%CiUWu+@S)+KPE)~ei%n}L&&B$+1C7x z913611sulmTFdP2IYhR*D7)jn`5@ELfthy2gD8N{>Jg!~^i%8*Rw>Spk#63OluPV4 zWeoKX=U=$7HD=lQ0RXoKyIh-_@%Y)-kFMJw5qYs!%c|W&GIr7Vwl@h#N{yFsd%-ul zXE>Ki*bJm(Xy zwzvrroiC*=if0Z8+&hx;e^|yLTJJUVhF)H?&e(0=w%2iD@zADdXLP zo-aFlv9Bi#(rx<`a#HTOC}EdtvE{@Hxm5BlBzTOm(rP9&?n5zy_6Pu~XT zm3F9uNh1sdildOnt$Aru+@at?$~%1#rST#g%`{xw2if}FR9l}ZPSCndAFBc6Wh%5C zbV6F1s$S(xd&go08g=Yo6P>Mln1ZTwAz8lQm<({l5Nt6+rHb%PVar6Xi>Ip=(b;(YG&1S-ofx_>OmkDHRI z<29D&tDE)mNJhyzr0=P1wW^=?JdWcZZuf>xq}4akL3Dxpa5Q=<(MCA1m1WSE68xNb zLMbS7F7%nSh4toq1y3;YIQsfAfT&2|W4cbR&k&NraL<@*^Z*6lwdWmF8zdfDp7^m_ z8sRJ*NLJRU)+%Tt{y5e?vLbx8@YZwSWHGQus1|mK@2uFlmTdP_tdy7Rlrn7S#TJxR z=u#MG4J)TV81E1$%DK+JpRixdB-*oYXC2iMD^#$DA&ID{4O$Tp!y^kTjb{$3PX;HM z9u-KG%c~&oG}nPr_iUv+S0elPRas{qbI!%lZyx^x{1(2z84vAl&Z-~<(Vq(#+lATN z`U*v+vAj@S`0uzI*zc|w0OTulOF>EI?a#(_J8p{ajb_3r~PsQxp-7_8@QrnB8>jM#aw84|m=_mZXn4J`J}|;Me@x8h!#Y-H8|wz^x`r z(;VcDP+sXFdU%~jr~^)_?1p_QkM9*EMr7n)trFET9G59weNUmB^YP%uBx@7tbcfzD zVgT9ZzIU&nFvRR9Z_FIwv7YrXBys%;l^~j}wSd)0Hn!U$u<4?ng=S{0Vvjo?UALz( zZvSSCE&N~-+Cee7y@$*hYYkX)(<0%AY@p^0PMVK zUddbAxqOC&&Tzu9c{ClwJ#yG-CFFgDw^^(87OHq=$Z@rh;=-^++AyQ$=ZA8Cv&DOy-S{(k7)5x36pY0I^bt}+$L z!&j3ccIz^C6rw{e7J4$aM06%aD8+Z_6`hD|C3SB&SG{F4h`={5k+Evsz)`NxfS8&0 zHwyaulxdn_7VN zr(3=eM>q>En{b(W;6FR+4qm09-*0`}$Zu=Lwe;Ik_@M%>qhRU=|C+>qP z$Rl|u*Ci)t;8K0Q_p|kKVc-whx!KmLoUP$2%B$BL7^6+IbfQJSt=N?gtF>0Xoo1?X z{Mc$)i=OwnT`m0eq`2~z;;OukDD8v#;gy42DqBY*jF@K!y()II;hPlp`fuUfj9g}p ztO-6p&8paoBgm^ZU}Wf;BUD4%3){{Z0+;GvER6pkiv9fKS3ltc+Gk(=ZnXX+aIjIy znz~s-5u;0o36vjA3s-ED%B!$PA1ZShGD2!Hcig$?Z>b18I z5M!a;s1%kSm7*WD*YO{9Ki*~UN8(vjXaSWFX}JJxq}LmO{=MOfC}Bnr-pA2+E8OF} z$xl#3SqUu{bmgQziM=oaH-ox^o&{UR;vTLs)rW1d4|WfB9MG$eAl&jpbH+uzS3(f5 zyh}}P*$WjunWec4Fn6c;D9N2NMN`gj;s^GKqI)Q^|HQ%}E&TOuTyBdgv8F4t3#IsX z_2d#KlcZAAUj*2-bL2By_soN0O>xn}zcT#bJYo@I5A$DsBX~mHc)4e)TsZ!F3=*_y zwB-ftcY4FUvO&eml`Ug%hzH9$_yA*r!g1Y=!~tm9TKQTH7&NaMY;Cu@C8qg%Y#76v z?B3sUeq(}8mF@ZNRkdr@3a9Ohj!8e}O#jM5LriZ$r|_ZNA~Y$=mKc6JfE1ndc*S?e 
z#*DLcT2+oo%+kZCRtoI>%T@2P2t&rA+m()p@6+r2Qxw5UXTzBES>bagaVr02mw zKlpc7%(vy3%2&;ML;i|-W9`6;w8{W*cEBX5(&^|y%n1G;z=Wtsn9zf-^(Rb7{3wC+ z($$gCgnZ_Fe78WWcCh4Ly-0q#!C?_OBRMLvk8&?uz0l{OINChsOum3>Apw7lQQV2K zV;~|wH@`jK3D@L+>v(c~6LljL3kIFvL_XT%(e{Y@nA^wBcz1iUaLf(fL}l0(_3a+p zw3_+Y;`%=H+g3ceYB363khmftO4r>>FF)EO@RNDE>E3KgR6Q+(M7|NRIl-lil<8)o z^@#_ExQ%)H3FDO}XGNi5icd&B*r*-u9&bHenoq_&*%hcWtkI^e5G2?fqH{_*!bY?$ zIrPc<(OF;5Wwv~hYN;!JSi#rmSeX;tsJN*Upp6#nWi+yj?AWy3%T{g~iep7ldsI~E z8C;MxFMuYW*E3~*%iSn;K#0&&LZ7}?hVjc4gddJ|-J3NyatCG%5^NZb$n|_~yUt$O z5lwF6==Qa*T_|(($phkzS4#fooa*FnCB{Pwc{8K>Bpp=39-z7P7Mt)&|M;5yzn72% zdt`sU;#iUIC)tDc0+m+kld!LzEy7kbCLxUcH>Y~PLqzXui%Q|gf>|pLc=*@>a8PbP zV6d$GD*b`&mIVK8s`enE)1m&ly^a(U-LR|O3MsMr%%1n5^7H@BnBR4ywjU@twRVoz zOzkmcGAqrWt`I6yFwUVQ%Qi<`R@0RM^k2ipSHSTOnaR3P8krX6y;bOg(?qBhksPf@ zqOnGJYV}abRGxNBpUMG`s0oaRLshH8MhT=llMP3BE@cY~6R3G43K^-?)c4Yw;0ODqh9dTg_m! z6rxYRnQz#C2YSnK*YM1&kABQrLDz!U&Y}aN7U?=ZzfL^!jg7t`QVyBfuUbS@Eh?Fn z3mKShb41KUvj>+@ov8I|3z{0YNE7QlT;2Oj8o}6T4jpoj^1C)GL=FpK+qsN7#@aDn zjVyB|kWA7z$ctdace1X>mAJU~sq5P81?k9NH(M z4C;OGYo?W-i9Mk-D78|YS=nAL+Bxp#5;=OGY&MznQGZn3kA0cTu#dnjSLk%(%5sG& z=aPew<-BSBV2Vu4)pk!vjW;F#Yx@4(*!ur{NV$Ds^rOmA_WR#Ds%?;7KTjJvji^Dg zyg*6m7Ga}8l7U8JYWBjW0$-k({w5o+@Hnm#bFe^&pF|P?_K}>A-qK)}8Hir;z#Kgi ziqYf+wiTK$Qot|s$0v!R&n&Lpw{h98qlki@6>FBNkb3IQH{~v_#~Ky)i0P+%n>s+E zvRM4am*KVvZI#QF<8+oDAdg`+Vg!xbKrYZu$cq-UP@M+9Mql$-fuq!Yj3Ak#;aA+! 
z8hN1>ky)BV%PHI!8mU{V?Or@Or^nJ5j~^HX64d0VoKIp%ZBD7x&?NL5RD?dB;j(n} z9)7dG$%Q-l@a~7ET8>*v=Yo->)Z)JJx_T zT)g3p<}c7@_OZkX2+*dc)e6izq^)%P)2>d~HEOL~!xp8n72)E$F<;F(*S0N3)mGc| z;!Se5@>vJaO9Z?NxdVtzN|L|Peo6lv&U`kIuCNiHU1WnOvXM4i*zMLYA-rRB&Y1Ln zE$kp~7KX&KRdTt&zp9k4;ljL_@@e5O5zOs`nFFT;IhStA+Fi^yx87YD{y-&P)%VW4 zU#4ynd1lIHL|Yd$QlhXGaw(uV(w_#vCw$Ifm{5+*SLy{_=jmHiv zV92v?u;d2f0S*<2eU3{g1P*i`Y`^lpukANnJx3t(7b5*1*ZcLybphD_c(46k$!P(U z-AKE1+yVain&ADXO>VzH>EQ(IR=13cckZYN%tdOqfy+P}9Mere<5bwsvWNViHAsMl zJHh2C+579-|L}Xnk)Ro^%Hzj>-P^1bFs?RNC$*FY3ykD@fx_RLr7mRo?N-FKkT8RX z2`lJr@j{cNR$cezTv4!Cz*c}8sp=|j2Z|mGl7Wqv0l?RvWWG!DIwHttl!A7CV*Z6E z`PP5W{Qe!-xedRcKIFE^PhC7CQ0+t+*M#Nbf0egSVK^{fx`O>bao^{>$ZCR=7xQN| z5haNvM~`x+U;i~?pCdV+cSM5h{xO{OXZd^w`8LBIh7|twdJ@8c?fNnN^^LUO-YXq& zXCp4W@&2Dz`x*mRdl49O>2Gd3a;&x^NCtk(`Mx6p#9sW5P38adHHJL|4j&}dDgX5^ zWm_RWTDJA>yZ&DkPPc17oR&OaSNA`!_Cgx2c1NP)!cRuv9FitHw|mv-r>hWL0-v(_ zsNA`k^StIHtDz( z0EKciG6f=4J}YiGThn705X!cUq6tIT6XFR6*gN^Pp~IqW1DyT{f&&M@PKY@TL%Esp z{yJL=t0MITsw>uoz*hg)YffOo0Rp?~f=*%Z&%gTl{{Nnp|N3Bv>PF0{qWTv&gPetb zaDdc zMOyT|U?%}+6K!vfwnQ)JlX&hPen*o2q}h=?^VdvG!T*>EpYq3rf~UoYt7U6Ze?nQ- z1B&+^z*&tOmCWiL@01U}z$gdM$0LJKe@=%?AjvXr2L4v$pD zAslh%O*LH2G!ycozK>`?97h`{NMFLJFmyiMijM|KCU^gKwHu05nGHha*!4WhW57(G z^|F0>g@!cKK3-NoV*@6!QD6-Pn3>K&>y@L4?6pb;&J8RQt~N03Z}bVdl)nh5Jg3oM zCa2KBH<`!az2o0D?5th2KZV%~%XS_l3ehxfSMl6l{4w+cX!6{c1PtaEhK0@!Ixpqa zj2r;1bFM80+%M(;Tziz^7y9Cba{l6k!x|?t$>#t#j_pX>H2w%{CuE8ttnw6FU8306 zS0vvFR&ROXQr}04AtbLA{nJwNLM%ZJO&$=sI1g&0CyQX?!y>P0{X&{t@yfPWTApq@ zn{BK8Uu;<>3W6&@9aY(yJUf~E0-Skt<&fJ_ugqeB6Ttl^$cbdP+5tVG9oP(JHp4oE z5xYoMdvvt0V;e z@y=V@_D210v-YN}AguNBf==JUL#2iNHa8VZ0Qx{i!^ISL$)tIuDI}MH!QIJC&N=P@ zz6fS@Q!K&#@5IlNpWeC92za4_?f}Kvev>X(PF@xnh$0o^pfl=M@P2a+->6rCqEX5E zL4qGw&4;>SNIZ%fOnpX!6ya(-i(piq8%W=n&4nOIVt>VSlzGfU(tErLTf19M#~V$V zaX1e0IevlYjd=P(j5WoLgKN%!WfltE!B;>amXg3oC{S%GiITOvw%&ND^(w-iVO?_r+f0+1f?)9_t1NKDZ6UO#=dB#x{XT34 zTalSm@dT*fa~3D7sw8*dP4%P8AoFQonGB2D;e0W~zPjJmgM@*XLPCBVp(qeFkxU;- 
znW6do32(2RoiayWH4#(3^^*v{**nu33x|ZuIUtMvO#0PAS-se|z|dbH9i6)RM@_c`1zCF0oU64_{tHsNg)3*r^Fq_s zYN4+?c;^=u`kc}us866`dkhMgKiu^yG7(t<$;9dPXz5Mbs%j$P+L#Zi%V|~css5qy zDcnveYvh?G{N_^5-L-OdHKN8TdclCiI*3}1CBko7=Q@CWkeKR}&ns)7EABXVi4Ku}cU+kAFfG~zhd)|4teStTS3@FjMRVTabux$q4H1#W*&)L6y zk6EoHCmr!ug-Jkjo<>~-Gb`O$Ip={(*FDsRgJRJ?OGnuv*k@#m4x=;vLKmU%yNjG5 zuMeXbrDzfcXCd9mFpz(<=jR(g=V~_meNVzTiQzg+KC<$z5WOjyVhKR@&_Qj{)4BpkrOS&8y_A~ zXq?27%X6}>{;EZOt4QAotZ{4$|3SHb{t0lrg{$vZ(vUdiAY zlH9v8I&E>>%3MY21f=*4Gob#iBT?)3`n?BQje*+E6#N3pWw%gAB2tUY4qDQ2uE6N#&;kzEAbStJu`Ci$lLD z#D3}Me5o}mEE|np+9TSE+&PONZdXm-O9_`kj-ID=?+EEj0Rp2h za`lnD*D6j8#C>@;I2Ws-(3(CJ&w8O9TMB&qRi1$)*2^aeqqLUxAXPef$&_{SH9Sv8 zpzE^9?8`gfUGdTGM$?XBRADwhv3m%6PDSwwj4lDS&O-GYtqfv~0YbMEvA2mGzfj)) zrxU|-J~yRVi+(2AlA^keZ#49C`9?1r?XCzQ@_WZB@#CZ7k7sC1Co%3{ohVj=2wYy^ zvyZV(PT#>&qD)1K!&J&oQSDp~d*e$*odxZlkp!>z9D-j&H1MogI39~nq(EbNEfid-?7imOlh%p8`deXiJDU4Y0JFpV*)4-GDwK=`midJr2h z4lKZl5c9D2$#*WxxyN~L5V}2}H*_Rm)9D3I3e_+wtL1Hr`C@0XdY_W6ig#H)wO_ow`%phOu1MaUu;AS2u0V+!@`7yJ`Sba;zD^U({$lw!X5kJ@G?F$o(tu0yC3qt>IA=0ms(OytFFG})W9YhrjUr|fS8 z^eMO05yU+W1~Aj&NtN@-CnTXDxQU6c5#cVOFjS*HqP%JI|Izi90a32q_wbQ}3I`Pl zK|#7(lx_s1q@;5Q1!?IV5CtRzq>=6#x_guqknWZkx_f|u_Zsy)=lq`c`G4b_56;|k zUH9H=uf6u#^TLW5-NUvUi#7TWLw22ogy0LfNPk=k@|B~h{EhF>pLLkeJ_F@g!oDq& z?te_cfjen1xUB0M-sP1>816}rDhyUu;vX43Z7|Ii=IJ7izHs6yXz3)5E_ltcN5>?} zw%O^nW?Q)050&aF#%;*x}zpX@p+1rN8*i65LuFf4{~#>Rh?cy1VCrr z01T-$7tdq`8vV@F3Lxj#oWvok6=k@W_$y)9`m^#JjZu$+IUE9sN5DHR_%26%-1oL; zq5Mr$TN#+hpb2Gu>AB7oae|%(Dq$O>XZaS|{pHSRJso=m3hZSJmr2>V*%V3-Wq{z6 zH}BQl+E}6*@%>2Z{k(tCg8A{Yf6AQylRTpFz9j5$^JHRcnthMM<9Keg*X^zo;^~up z6t_N^MVyIh6Qh0mT9pV#0>_+hc_s2XN2{MmM`pJqN#ornfP`gmtcJRVgG=ffD*7mp zTd|L!{^p2IJ9r_t^P3XmU$<(?_pKgoRiGWofATJxbKwECK8)v(wdMw1zom1TbBwxh z<7~E{t#JoL8mF*@48Yp~5E>qcfBfqj`8$;Ti-sy}(z{+dVaZ^6L!XeMqk9AFwG4vY zoX7O06mKK8jy^=+o1eO z)*`MnFs3=D%X{@}P%^Y!XPz|0QIx2s2&k8AU8Nz&W zo>d^JeHX)$K6eZxeR6G%8WrF&Kwx)y>hs6Fj!zWO!uM6dA|LuSyL_NzpfVI7UYX)R 
zpS69cmJ)1W$LpkCi!a!IfaqfmppaSL1*l=Pmk#6TzL9_yu8f`Xxi$w%rillu-QjRgn{xatLlf+&WjKn{Z%h&Fq-7|0b#bux z_$d7|I|pr))MwyK7BnX`_G-QD854))M)kd_-zJmmcdpew8%`oB&-y3UDD$H0e4E23 zx}O!qiYGeV^)>D^77^*#9*zw-x+gl^r8s-{-1Rc*pcDvtwqJSb-vs~R$|mF6|01;I zJQMY>p?CRsKxFHI`Y0hAYw&SblL*bFPU@Ci0x*hUW_2}*tobblHJYguRuUgSBOHIfc}xP}=E1mwfo4{z?i z6&7ayB=dyqk)aqhh1VCsyu%DpuP+oBFI(TAgCcYB;_mkazJ0MD`D5?eaG3BnI0L*o z1nMx!ZtAA(7T ziVXdaQv$E+mnu4Cu!}>CI@qbKKd0KgRFxxry-jS3^O{>}ZlIqWwpPHs1ObYLS6^}V zF4Kt@oPM5>yEsut>0Qt(w|Hr1v^idC_t_jA_BTHaB8;r2y63F-fjEvU^!@HVoGHL5 z;9jz6l~9`5@v4#kuDhZbuGPjwnQe?S|HF9Y*8c>|=gDkyaz77jW^{a7*wrb@K^lj! zEfj8=>*vw5t6bm$#`Y$B#}$jE}j=q_2qlgB@8q5Gp&akbA4=fl z!wBqVj|RvMowUgW9I=W@n}gXKcGI`hs;*Ew-eDcn-#_7scf+2>7w_Z1|lk;IGqW2dpoK zCKjM;45A!D+;=US3?pmAJ)hXEBMUb=$l6^Z4 zM1TUn^Br;55pm<)Vr!ZZ)}_vO_e0H%nD;3`L*-Aq&jJQSRN=T=5>u!j9%0dskBn*d zbFd*$kKd%6GB5TI9Uswun@0HT1M8oL{dJ|PY%UD<9>vk#GS)RG?t;F+6S>mG;s@)8 zRACW1Zvz@!JIS6(pm<%jr?tiz7evORiHCxo;@-mPk`%U_+;@jx!g0OV>%)Vu7Io+q+e@a{rQ(c2ZkM^QYDyZi}Wuj0o1C zX}rB11d4oL+bs8rs;Cy9h3U8AFwA%hP@MdyzWz621%Fow`;ZhqAHaE~mAX&d+A870 z8ekOcCqZ`jF5ckoP;ksQ2HO%E4&Su>Wx)kUk=E{a#0wWv9IYFV!=J4SzxnaSb+7lN z4lTmwyW@74{<-%9UsQ1;A({Y_TN-(lE~3TQ!3kK~2{SuBJRpf6{%VOq6#93#W4~6b z0je4+{(m@A@J4|-b2E6EdfU&OXAt}98o6eQBh^E|hnXkRf|h~FlRs3Lph zT1OV!UB(5=7b%|mvYCyM=^tHY-55H2D^yPrQ|op@Q1PniZ ztE<=@O_n+$sUjx^)6Nd2tr_Mr-|{*juRWXJDrRU?vO`kjDY8ljJ5UZck5Q=`?;1|s zAG9{?^SbW-aD7PS)fL6m6zDpAx)p7gcFw`@HzoEt-*jB0-l{z)+!AhlKM_^YI z{oA$c+>Mm}eIlLBO#Aaaj;zk;Ddxb%fFY!z9!E1W*dSo+6*Zi7A8m+H8s{%1!>YDW z4w1>Z0*7I+6wQ@81Z?Z@^#QI5^u*@?2jY&Wx&SKFdq(01KxFz6O|Y7^*fQ)t{`Jxh zvw~50ZnanG5Rb#34sFlAj6f6Q_aJj6x)W@|p+O;6Zd25mz)IrL_ zRo1%I$@vp<+Q_(|NDS`_nIv0);9U!eOrAA_o^4H4n5%Bu5qgdmLny}hmpXaoP9>27 zA>N@fDepf}d}yGKzh|JWdj&K9wsVv1O>Y^U9T0}?DYP!OLt0{+22rt*pZ~?R|KILG z6%)E?a765Yy3X0KHST*7oT zisNnm3V=Sg;)Z>>X+`vIn#X>BV&-eF;jL7w?%T`%;$K{_zE!4gSH!XXg9Cl)#L><$ z87UK8Rv?P?LIe*SjP>`?8uIJDz=!E$WB{2rn?f^XeH|$PrtWAPiL8Jr9*+PZ zMD)&|Ha{=DuCjrKa1LLZC>$aF?F@rvS>YlbN3>CJkCW{p&wv+Dr7|!5eN=lL+~EC( 
z*QdbE1^2S^2rN5n4}tqD&092)8w&js5B{A>K!+E!PQX;I|LKs7*4qf)S?(B6QMcjP zrzyQc6Q_1UM7xL7G@IR|n`K}8z-X(%Mr)2t*xaRY0#U>9#+Z_3$Cfvm*uh}k-%v7` zAJVm+tO(qoMcjGtn3jasM$c1^sJPP3b6aMe7Fn_d7;`SbqVaKrB9qOGZUzSfgFwYh z0>Rx&0sEzI!)^BZxW5UfD2{8j>`}Hj6OaFe0}{|UfcLzSy3oJl*+fI9Zy9fh;}MGyVrnN9UxnD}st!FdTP|>LPd-ESt`)8qf>)ww?epcyRQ+a| ze8y#Gk-^E#bRPSB60+R5Eod4@`cf|Z>F3i^zAG|DvCy5B@6)#r*?I>-=_?7AF_iM2AsH(g{dn+*Ac{&p2d ziY@GPwOS!zf>CF)&{LI ztg0@Gpfv00Qxi?+?_(8vY6axS5`SRaeftL{z-@c`-N@1G+*z!0fD;89?w*p5=JuAoKX03`7rz28LXUR|ERBPkBn-N~X2 z=CZ2t8$7ju9Slv?E!CeN(;tsL9+EaXeZ%v^KOf3S`^CwCir_ek-Y{L7R4}CRmfy>) zM)SlBC+r=y?qH6lxB$tKWiFq*32eU)S(4tP7{S9#Q|7p>x+17!GuiY;5ThR>w|2lR zbq-mVZv5Lp=gF26bL-tX$1LYeDJ=EIOTOKVmPXNwkbAhR4R!117(0 z5BzQv&Nv^6#&n!bwRV-|G?Y=$Tc(V_9-BXX70qJi8Pk<97hZTZDEUQ%82Ll`_Ax4% z)8v`rzz0;OOoND-_jkYn(|C=(b3%<;Z{hm2^Vl>aZ_HaaDE#z7C6ea}! z+PeBaewO+fuTirvnjDM0ShJP`B4fo1QVm907(53N%T=1y`#}`7rc`^A!t+t+ANdH- zC`yuSt~khY*_o{cW<2-Q44t3O8!-)}JP7aamvqiI18WEQv3H_?uiiuWJAGTrh(891 zFSV1F6VkuLKYG!PrZlT8&tLYnx-p|=Wqi#r@^s$%V+#*5&6oNJ71F4~9~Ynx7jrS2 zyZ3|PfZ^qjl~N~B_iSVeQRxAQKl1CO!tNFK!eV*Ip=r4(RD=^}h@&cInC7M267zf} zA0Q-e)&k3sj*b+dduq)b$+0IP4GLv3LVzw=%J^VuKgChb2;J9`#z1+f2PnB2I-+t2 z1>rjd%yFXWQrJ=hh`rq%<&yy5$ zxGPpO`7nw!?G7q8hk^{qYoFv%RE6;`$2Cw0qq~2C-|>IFjmmh}>L=7ys2>08^;8qS zR&KcX*GDsu>Lp#V-xh<htoC7YS$eF(6Ep=a7v%5r5BUbpd$GW>W;0(|D+{tcT?1a^2jpkfLi2;f zMQHb*z`{o)j$&jw_pHJ=_-sP&$*MoTYB zg{z^CEm3HL(fr5&b&TOhVeqYL-NmlHVv${%YNFup32LWpK@@f_0Qq+sk@C)azJJ3l z-ul=7`h{O}Vqj_N-h#fmHx*`e7H$iE((g&2Usel7iwG~Uaw#rZmq>B=;DJJrjMg=BXp}nX&T^=2X%L``~eakhMeK%l?0G`KX7^N_Swe6{6 zsrRN=piucnfUDyr)viW61||fwM_+1x6px_N+Vk`C;!+b$;Ly6&@d5MW{su5*lsoF! 
zlzC%yd2Xx}$ZiWp-k0JK123M_UaF}niwXlQ>o#B)t@(VoI%p7PjS?ZpAZ$WoK6uW@BRQ)vyx76ISpiw znvW@NQvJ$8ZCC}R?Ie3?tor1VcuCWK#0IPBxlh>ZuIU%7ZKCtWCngL4lA5Nx&bMYB zm?h4qGn#+4APw>P19M%PGI-4Gh(Fb+Pk>Jv^7<&`Sx1%z%$ZXAb-eFv_;u(O;$R97EtNXV>YR$Pl>V56PJBJ zIGQR1ss!^1J;JnMHb~QSXROTW3J*}>r1PlWjvD8;8h>6Y<*Q2m7M{M~gN z<2!(PHkzEjv7>sPo|{^PHk-sxY-epP(t42$jQV(wnS!R*tHzCSFpb3U{`LYG1NKVB z69>mIHb9(&xjC=)Q*CE7+$wZ60c%1Otq1v-+LadB@$1^RAhq^c8(f&l zs(#V--)EVMkD*P#C0RV^s8SIvclQ%9_-DnIvCvhjJRy~xNJ1C zUIg=Q(dY+~SA$qGUuuB+Rz0w;s$s-1y)ZP=5jhtB2WR{z!(GGTN_>kUfI@J1+YKa` zESyUK0gAFphWn?pg7RK_bb~N>mVK#L=-~MnC~4A>{D1hg(}JYPY0eW_xLT>MsFb&1 z?kIJWk>M|iC$-PGf1!;o?3W7t{Xn^K^8HC)4O(kp^X(H=ky&4IVZ(LvKH@`E`xSW5(AHSvA#3m3o%5Sg`v*I}at1bYc-^v~md+_-iBE^$A= z-r9I|QwQt+!jEDsw4b==Ek-AY{`x@34$>Ff^HiN>acaZrU9nVmEJ@7# zS0brTba26Q7UmS^4-BC>^KBr{QPLag!IjdTaU4>JgckhkV*Kk*uG>D>afoWrPN(2T z@k!~cmk?Zs?hk=(_9mc7iFfMe{Yj^R>|l$+lng^b@sD|nNSbVn-`{M5>JzuP1o&p| z&+wDMS&cmX_02T91HOdm&?~bYh_juDTUrV>kBp9*j3A0bDBQT;{1D@HTvcY+W5)j9 zFOwVAEeeroGN)k`yH`fTBS3J>cb&`)48jEcrJK+pZ;|&3Bqht*6LY~|fsvB(*S8>W zBu+q|@;WW}V8hB&6^2KT#VA`a`EZ|1*D4Hi5s(`=ji}oIH~A2a?l?{pJuu>_Z!%@g zb(3?L5fijL5i#ug>yuU18(=uApOJ?XxFv^stG-DZI-`Vq^f%(;F)Vv^V>=51|DCHLaepRvLYW8^WeMleO2 ztQ{uC1j84%IFyLZCK0uswN?7~`~N`JUzh&(V~8E#*ML6$3$(j_6~ica zW&!^<4Ww_0n1#UW+L=ty`MZNvX9OJ>4-Iud1C?2?DL#O%XVCR42!(7@2r%JGSG`eG zPd{}TG~40E4XvL! zM-JSUuNHeW_wWU&lxe^@S!QOCmVU<4B*ml8{$H;Wc&>g7%;sDea9N56On;&vI)T~( zt3h&?FV}7^xmAIYxiO$D=JmQbb-e1YU<_f;e^Nh(>QzV*;GXpc9%^-HKMVs% ziJ{L1@DqJFqb`UJSJJQ0Q_%Gwyv_i{%OX|*mZpi`#reBGn$`U={!YT!J_Xn$WuxRy z!=G-R1e{y$;SS2?6Tk8L2cW9&R)9|p;a&mBDJe-x`x!7Xay-1 z^kUj+`UER{Y1J8<`mF^aw4MC=~&QdR-DHo285LOEq9VTzfOgb z){r>JU56Qm$#P32g;KAl`CI1gyRSul->M$zN^jopWb_5mB< zf|P~b!}0~+)n9Vl|JQ*IKl=S$Z})(^b3_t|_J2exbZo%V*lhql?L|+&;&zFgA4bjb zuOt${-O~Yh*&dYVKm;pI9Fj0Bf+gk)nt`lZC117x-DLx?fbGK;x&lU$Ltq^+4ItV! 
zPc^GqrgPHW(Is=P#bNK=5t0Z_>rj@W^v{APpEsUf{8 zI+D0N?Yk=-z1Ub*TBjX1rSAF`*;g`XZCAVg80P(8EWiC4I%^qqVLx#9WdrNe%GGei zZNzP<`a$1fO<54m244FDojyptpgN8{?I@!Hbh%9*QpA)XFWIqOVZKWoEcoXq_O}dL z5D#bGod zqPGL!|BxdM_PA^PJ57k9U0;FL7*BK-A3=1OM`j+YD__p=Yn|&}sO9WnRmrGbPhLCd zvsT8vOETyA`9e;dX-ZmPum4HFAptJ6%wBk1c3fcqIFtMtB$@Og=Wo`4ahi=oH5Ph6 z#v)nz*-DBTLSw1HL3@W}DB>JmY23Q)n^v35bN1{~zWRbkJkhef{B-Hjsd}7;|8TK5 z(pO_nBCc&c*Y#a!NQ$~{gu=3g8x{v%ws*qgC+c>SpP8A%GF$@Ul0w6KISOd{x?`X{ z@Mml8hlDeK*7SOyF|v-;G5wO=>Xt8n3(RSgNk%)v%{iBHIH0?7@%z_Tb&x66rW$OJ z`c2#x{RGw>;vJ7(_~QVU_}_Q-N$T@SDc_X-&2D~8OUFzd9~g?=zj3JU^oE#!FQ!vT z^+E6VAZW|}W;D|X0rN9EwS;T?T$zDEfra2O7I5g(t6RGH`$QJ1)AOGEaJ6Jt3mk~p z{c&&-52yv3my6*SHi0}70@iRIBL0~6-UHdH@6zY0W;=n#Q=EJE>m{6}r8EcxipUk5 zcyUOcSxUz_F=}PHBN(W@}vXE)zAs&JflL8pR1Z3O&iXpgEvYQCn= zIw-49OINL~ktSO-Zp)y_b@!TmNDePouw^MUpPyM|2L0)^laRuYU>I^m6Q>MI@+#`T z2p;NU#LeZ#JiSZzIVFxR)KaCI_21K%F=_e@W64LvBo*cG`GM3(!1 zFpV`vGAj2=U29rDz)U7xZLXDFrwmDMD{)iQ(Xnqt|?z2T7;^M*0P&HMEs?qV3i^4mvfkc6<-z6jb%{ZyZ`DccGzzP zm-XAWRd6IxL57ng4DLdsl5yyv5GSs~wbY4A6Hte%usEYgb)~}_tHHqDd4Ppa z)_D>>C@5{=<<_R0mfrJxRkBXs#0A>18dmoE`!C&*&P(l_h=XuX64tuz88)ZRU~W%S zW`eO#supY<6mPtGmrXs6Rme7RKao1EsnFtWFK_;Sx6(Dra9H8vk{=)G8wM}Zi(@72 z$1Xp5#^4UxGjZvR?qk>XU1#E!YEX`LiivI*&|=6lDGH`p?^_LLRY;KT7ph~^DM|AW zw$D=AKQ9*?#nw47Ojoenzc zm|M@BJo3T+qr zT%4oraFn$_TTQAiN_m#b6%8k0i;cOz(B>|WkiPin{XG}S&T+vjPi-?fSKHfMX8Pt( ztcl`lgA1ytMy7Z*T`j$6I48L{$!ACrAz^tp;3uDs?AcP|o}sTkn9Xk}9UknGeDIa* zXQ~TvhUOmaRpvSy4X@B9QAT_V1jo&l%sA{hH@%`?iC6cDt5=X%ga;DTf=;C>Ar7|O z)<$Z2=Y~x!gONl>d230RRo|(|L$vB13T@|2P%vB!5qW~YX?t zfsS;;Lb==tNMsCC;{P;2zcS?=y4u}7&H=6C{-wF-YG?3WIjboaUX7_Ir(&{UPfxs^ zn*f}Nij8IH#h}QdLD&mV|C(sETvr!Sh1_p>OEfiY_%Iprm+eNc+T(&F;`<+slf}N9| z-#r&|s`y8*?;le{Z;Ce_{@N+9zaW z(ruwkDtdi6z(GK#n4n#7sxy2T(`ot)YwynWCL~M9#a3ZkFhrr%t&zhYn0MtvbjeOV z@OK9ZroXo_K+Q2xfR75O-Y`AeUV93Db>g!nyDV*zZv$E3Xlf-I+>~iJA8pRpGCKe> z%kIh8PDE-Rg;xc;h0O!hMm%)34*Ev?0krb3l7MyTcR z2q166^~16Xx`#N+iB=3U^j*FNZIcZy=`*D2;+T#LaH64|z5}z{d$1m00d$k9ljDSi 
zEb%kx0@wCm{|soeBKWlUkaMkks!fwLS~W#)N@JP&OyMGK&~Ko^tJ_yoga%LVabgU`fJZfB^MS}{ZJP09P^4>yOb7F%_Pex&Ff4z)|J zj!0CNDL51)X)!KqdJP7xQKu;gDW{|Bs|lhhzus7imr&H)gVCK=4{|@}o%CHsU zYrXJy3qSJg+VQ|242VY#MIhleF1e5B znl>z9+cTRx^_Me*lyI}Mk<~q4?DHs@XpEt1ErD>(NvcA0;;u@*bFh#K=C_&*)VOMf z!&IfgDvLvR_LI#7eR*yUz{C7gLI_RpYq_`v0rULmkS`N)exR_){assph!Pj zbY29#EXkOhSbpz|+oQNGOFHNzPd9`Y>o<{F4&5X;%`p*^ceM(Jhbob6a<#k3B9NYK&MQ{YO4*d?%-+xbl%t+u3Ogu4~gQ`^pD=FbLAkq4tmiGZ294{@RQqFD^ZI$Ic2;=85W# ziP8C(SaN?SWUA*!aggsyfy_Eg=>p?yx!NuNHyu3*paq>N&iV&hL;gNj%3vk$yZg7c zd7$o*L^;C2uc+sPaKb+3POwcBgE>+jLYe0?}nAPOWCaPSC{T`9jM&qU}~4u8o&@`I0r@_ zcwDa#{BA%h@TR8q!ewXJpn+_*%4xg6i$di=uV^4tLq_{L%{0fHM|b~Hd*F+fN8+;Q z4d+`e*-87!nIJmZL%TMWXc|&3SIy{4JEq2T*u(;7I6NyuNZTA02FH5>u~747ayyok z?J6GB4jFd0JxBeJyiD%=~_ns90p^rl#`~K-OSt$s|T?kL=zOQo%Zm#ln~SA z?zq>}^!t-3hyB%{Qg7+t1?e72df|6{hc#RC~U1am4JQkQA5 z(eOV?dY$}$*+yfVpljVH1L?+;J_q!NXw6ZCwY08)tZPD zE-*zTx$rtLgk2@SeQGjPA%=cq9?m!U;^xJY*x<<%F^YanMK%fEEM)k@y|$gA-PcP; zsl3a{pglf|Qp#b6sfWohTm?5BQBhOG?~uo|i%6vZxav*%_v9E2SGh+LE!T#+TQ6h) z!_*C-Bz|On8O;O6RBceY{IK_-UcM)oEMolkQC6z-#)ls%uMdp+^^@d!l{O3)-@kYL zqHx4$!k(9KliqCT0U)`^NF=5pX^5>O95K!Bu|W2qdZ<{S>}+}4Gs%RZEhr!?jvU5(WB%RAHR8j3yWPZ3{e3yxI1gq zxbae~rJ`X)ug@N0Ocx9NiXhH)NFJn;Ocg6oq0cMV&Nt2X|4GjgQ}8Fb&_Izlo?mM{ zX-scZrgjzg`zkqcKf)yAnrC##IMU-NO+lmnLnaS1CbokNB+&24#Z$B2f1b6M$yCQkhj`FX>Yv#(!M;_EhX0jc%799Ri= znVmV75&Dt^JROQ!(edjBhh67Ta%1$pq488C3|xNwYoguXde&sS zyHH`Cr3tXEHT23*#4mN+Yyul+d#uf5JXLV4j4^Nx=LT+z;t=#sj}}Qin5%=Bq(G*B;^zTvVBK?RfY>`RD^b z)6xY6R)I)%|l2HMrJH2s=qIFXOPMd+8=lr(t)|M44Ve7-F({ zD9ID9?+qYu8+qvFimOM3NdKJpOuC2_D-s3l#+90;XLqgCM^BOY*aZ%dJ(!&6(gn-B zw~x}uPlP{YxBY-#h#YrcRU=s5Zr)7NBEh6a2L%Q_KZtm$Y&~|RVfsKFOlA|H^ zP@UT(!wfCo|F{z6MXHu{kpEP=bsZ38S&eR>?$L9`%KNpN>^iP5_}(s)6T=w*wjL{v zbu1r~CiYq<=YC=+Ns%U_Z}X(!>b>-eNAliu=beVtXqe_i6|yu`O1i2 z3)gTcXH(og-@%58OU0}5BSRk50q2Egx=z}4%|?h?Eg!4Xpshp}rvlPLkqK3f zn0qxt9%!?)WkM}~m$pQj4Q7JB?#=A-r$U3nZTkKL6$&C=!5r2>;@8cdPcmAOu}7)H zvQG5DmJ(PTkY!mHPH$)E@(K(XpMA`*z!YC(_!QzG4W@shVLcWDt@F 
z9)to~&enL&z|P3Yzvb1B0y4wQdJ_NAW&w|pG2k)Mg7kc!7=BT5QMFN2Eze#uPuoQ{ zI*o|?ZeX0@KPQuO2s}by#x43CuD}z-4h=5nPWPWXdXY9aL_FEYj=Rl4eyf3Jgxc0W z3c(}IOKPlOu|3z@G2YO*{7t~*)Or8XwG)Tzdp8}^_X0rpJIlWOY@v}|T3TG7O7UAo z;Xt1+OH;1+V3%7fl6HqUxxc}|Ap3mu0NlU3E)*U;i}}_QuYlg>RrFHAncA%X$1MEL z`_@xEEy=YA;T9R5sp4N&Z=LoJ`djrT;@c`6>qWReNQxZW+qQl(iCS%9@7{j0ym9Jw znnLTSyDbKvS+n2rV2kUsLB9c1(`q7F@rs4>CzCt|=G#pj35d`I6r(!R;FtU0{=T3Zb z>Ae~{fV@Od%#&kk;tM=@B8=CF{oRsZ65P3(r6pK*x7#8@c_`C0`U)Z(&42Tlqo=zJ z9RjPb${Yg8-0|DCbP4pByB_B5Z$2oAh;IETf?Yrc^-_G)4NS&?d04g5oj>Ec2|v<_ z-{k}=48ESbQbmj1f21Rv@B>NvcB7M04(J~L{nmOrQWmiquh_UGG+6aTEBz3Uj5OL~ z)_KT=feWKEe6gqx$9pF zP9AlibNa82wHkEkJKX!093P>j*gGRZ;O{1bc+#RpEE%KkJ-Z>fmXHVWmNy1cnn3Vz zt_K7k!YBjU{dh)#e7-Ve#W=cqD2>DFuncV~?~EU1D@jRHgdRZqcJW7JC>zzM#c}s9 zUz{~TE2hTeYrJ$r&&%W4Xldck$+S)l;=;MwM-Zl(;okY)qOa%81bSLDjJEIYRGa?( z&}{<*9qT&GAf2Q2BgTyo;@0uL7g@tp;^_+AB_4l2r~WlGp?zM8o<$U)rM>K!b8OrY6TH? zvig$;ByjixS|D_7o0|iwIm**sdb#O^a@cBrp=_XeGBHF0((sR$UeU73)}OFY7OI|N z5yj$-_sQPRj=B9x$%^gjnApj+FjJG+&(kETiQt2k2}O@$RsoqaI&~dp&y^rUYo`y{ zawz1dnCRUxPuOFK>JBqYE1Xt^b3&1hW}3NlOvR$Nh5uE@(Gae1&>hd*0z`~^DC^AlXVHZiy*uv%vpP-@Tyr(%S?fe)EnmHJk6|OB7uG1dTFXh2 zk08DlwzZ@iFXa^Hx}cyrYb-pj3ZrD|WfQcbSiI>1@H)~lvJXozL2%ISO zJ;RGEV5lls*LSX!r;DTV=H;k}ZNL0fLRk~_rmjOy?SGfake z!yjKJ+d>*)4*{}LVByY_enz|k?C&N}aH~eJoHi?8?vLc<5(i*i&Am;>n zOfva^9N7)@%$G;y?I#ph7jJ}$0{I!mVNBDOzgfYFqUzs@@8Naru=9ny5tdgC; zwL`N`f2}!JvK_+P-F2RDDvIPV6$o;P{~KOi5ffwVojCVGUOl^u)$=KoZiCvIxKzUK zW(_EO2yiB0baQa_Oy!>i{Ddb{TyeG-T`}U(-rUTq&2= zcHX9>9S*^jT^6xi-N7(K>yKaqj}#j=+1{q^VY&Wf=VJkArY;a0c@sjw!x|dgK1Wn5i?t(`U;^N^KE-L&4Xh0%pZw>?G!iDF_krofE7E^mNVo*ZoNE47rtzeXMrz z(Y-RolMFw;;@62umYViD<}F-bZB`mJ;yTbNND_3Y6fX;zfAc=Rb!;g?fncEEy-WGm zalf;iCiIP-FxnNhUhtKyLGRJ%*gfzUtllqDnePmQ`@}#q(XjQ3lZWQ{IUj=EV?v#| zyPpWHI<vkjI)>Wkg1KU<0di`4=D`wf``yi7Xie70 ziQBcQK&gH@l4sT43)XQTfjX=F57xGVy-hB1I-$wHw4)+>*<(qJ?ge_b0_@gdZz5o> zW#!K+VC=U;`6kQfd$sn|qyqQRi%U)&S0(U#vucd1_8833;N1BD2F4dw-$t^WHTN45 z6NBNg_gJETNkv-d8QjP8%-~JM;IBQLU3I1ic52DFS%L3oIWUZOmEqYl(e~_+P)<(W 
zdqS&pSs~}TkEK$rIJrYaJcjtOR5|jaAILBB)6g!Mpu~YvtXtCWr57+5J^PFL! zBHhsI9Vi*;y+@Ad=^!2%?-qr(9Ps-BNi3k>N=*F1< z&}?j*$Rl}fBz;iL{3<6O2fBTpB#{T9ctj{uBrxyZ9c2a)a&Xbb5PF%P%-z>vmKoV`S;(9qS6@HYjd@RiM^`f zO+`N19BJ`IT8al5Kcq>5OT(0ZO?Jn^2HPb!B&RgopV--X(NSN@n0_fi`tUfWdz2F+ zbf*o-pF?#rJq~JG>AHgV?}b2R_&rN}OQ4My6mMZkijQMCf#o)S&scKliRAi|o8ssX zlUg$^lhu;Qr{&!B#d|uSMNMZo>VF~?zuQPe_wpE$i+5wqJjeu7D2p92ZI6Gric5{M$m&F_zv=l;&n5MkA_a59R@7O=6*n zo55&Uy5gh86m<@F9e2_75H`*_L3zsuasFA57Z|KeZ&6a@=i6a9ipF?{v|5gd7cbwm zC7RlA$;@x+ImrEex(>pa{=))5_<)(0riFq?#;e?P3GLkM;O|9r>2s@~8DHURdst0(0h1C8)@*Dd6l z^$ig}RZfN|*cfERASOJI$*MionK3UeCY{`&b`j4Do(8PMwP`bhC<7HYjIIRZa>^5@ z^ttKMET0C$ct*}jY!JP%iv5G1a(5G^n02PY2%q(gg+@Jzu%-`yySRtpyZaZGC^|^1 zZrI#Atb5+-_tBi^1G?9_m#)|8L3|K_Kyb|{T`o^N-R>?R5&d#rD4Lte68nL>dia?P zuTaB&KXdVU-14vDR2l7uY3p5Ne2Xfv&Dox?m6+D$7nu#CqofBGUZXxLgEeH&nzI61 zyEPbb6UA88;0)Ni>|H+piZu?>e<(--V(h%A^ml)3=6v}MixDZpOm_&hBUZi*kON$Z zsr7LGMFtO<;%be6)}h=p9r1=BXp?8T?nAcqi>dV$ zVzmcvjKA)i+L)UD4vajXPC2S0dQ7Lx!Swr5eI&< zRAUI;wkyEn9bB7uC~3PTj9bHs9uNO+7eug+e&}eQ`^&FNu9QkRe?kogX~N#*9gIra^Q^aZ=w$Z*k=!*X@QJ zwST3e*9iJPXucdBryY!?8YfqJ`DRgcREGKcnEzxDx&U|sMio5qH*h)oL!$nl!R+c!DIe~6D-yt0$uu9XB z3O?g?5x?1)L6YGq?g-huaYu_D1-c&iOJhZgFAT@5MZvyLTMBl{|MXTH*d!0#tK}j` z?>?S8T=X1ro4>(R*oOP_f_=8UZ_XH@CD5BseGG$xD%Ip%#b) z<>8cb#wHa>n+tJG1VKwHq{Hpw7}R{KQj4(L|D8Ph=$I1-2kya!0}+J3Dm{kz>$Usf z&A(#R1j2uDFFW}C>mOyw)IuXd$8)s;Bu7TeSM^^M8Zm!1ISoX|0>yMIh z?=LZWz1rXb5kXrKB~Az4JB_;6)aK_(o=bwQ2CIeGO6Oh19rs54$9$p=zsz1bw24%n zpZ6PEinZrdw~1DsE^LwYwR;?{9kfI+F1#L-6}nm+Hdk2ByL_5CTmyN3p7x=Jv_c@V z# zE;bJ?pqH&tqly7rvX+Z!ZEqvE0&JyV#jJ1RRk2rdUpuUp!nRrkp>mb&eKb?ui*EZZ zt08+ohzGL31tjr)^HU|EUE$%t)VNcx;+1lQaWu)>LHrXn4&iu8I-AzePg}s;i*p3k z9k%^!dZnsS$43@ptnlPQZsNx@0M%A_#Z>!zTDCyjh)fd^x~imji}vY*_N; zoC-+1jT`*s6^vQhmUN5$BEA9`ImYx8 z;;2q8gJQ_yTIY18Z63b)jZ3aqV4O)0-Q^EO# z#4BTWXN<_xDTZ17m06KUV^{|9SPPf2IYvotT^e>k*J`z^H#cX5Nskn{)ZW&tc4VSG z?QzXL&ZZz;!nbOxZfmGY`l5i8Jn;~b46L)N-rvjg=eg3}mRP3;8opptheI*%KgRib zp{Md#j9%FlCweL`f35L@6%-ap_jck1U|Fqm4hf#`i3%z+vea 
zEnoFEDcD@w$}NS{CW>#;j?B@E#b$d2$KdYIP1VQxWpe653}%LK;uRxF#T1wTCO6VM z#4cXceDX)^@Eaz^mOFM4SSxv$U7K**misg+%6N1SlbL9|mJZ`Q4DQl+2pSz~TG}9G zWAI0PZZ4JO_Mw_b*3RE;qNRQpM*p_=^!jNGWsrzeC9OLpIxG)A2ri6gdG`9Tpjl1* z>8xcesRZE-72h;!x5KCLdEVn^ojBK{bLOlpRJ7957zqXertjD28E!hQ%9cScWR71c ziAn8ET62ODr}jS7iZTkZhmC; zHYpQJeC9kTBIvK(Pe>PZ5&z_U#JI{@Hk(q~IoSuim?w&OadB|$lr^tw0Ux-FKM+s)W;H1O+J@X%dSK^9VD6fjocjW+6c- z*5~SOxP0{Lp+h*oLF(78Wl*jDsiCFS6=H@qG?NtOn+fwpE z=Nz6q3)zd8=K9D460vpB5u?nDM%$B8Qf##~x9&$Zw~`T~cA)$2=VDIK2{G1UA0sSKg`6k-X=>gN}DS}3- zVz>LuvuaFuho>xJ!5QUba}$u{TUpRZeWUxWy zmYmaHitatWG@KQ7!}q%RUrmR zE#y(wn11UJVOA)_?!MpM$6-`nTaQ@g07iYO;}`N?-FKE=HLS^uYP~LHi8?c4{oaK? z)8x8*reJzK8?~{sCSR0aZ{F6kdF?spimbjEGR6mbYf<|F1Uun{NVEttEIo&yxml{n4j%h zpa)CDMa2;nGAVNdmH!HTs#bJQvE7b?jF#XF?3xF*A*b>*GAo>XO?i&uR;x2l7+%`e*V# zTcS-9bjO1oM_0a6gK(lbUk33&;xle|PO;SK3eX%^wSU$-LwcSyE&n|@gjh&1Mpnb< zwa4N?!c!3HG<06k9q^Ye}t>R*yU{E#+E~g}+ZtYpSJ`5Ln`k=6|M`|AZ#6vC%D|s# z`Cs;^Q?PaS9+~{fxY=1a`hD0%4Qr~?rw2|}ZJ!-6oW=)V3IU<32fhG6Zxf^#dux&Y zW1eWRa2$Q%j6HK5e;Z$EoJD+~J%9aa5HZpiv}gB^?K-|2bjLd4IUrNR=z3b|S=BAB z#zKGn*II~p4A}eb%!zG_;u&LdVfN;YKg-oL=Yvgx2RFzezMeG6RH%f7tcg3 zHmKRnG9!8mamIU)7(mkFD0I1NgIgV7a(EbD6T|j^_}t4pd!$=3tfp{K1tS#oEf13P{wvV3Od-cH9lCw6pjG(3ew*x-4o z^QjNo|NZX6B?{R{US)=bp&HPUT$AcIr>wP z#p2)jHFGnze4*R<#(#9t>1c3u+Ox@yu{8QzSx%*gEcf7v%!%@q>*shlBB z7=y5{Ej(;(_F1RK-GMXlHC^DLnLtd28&e3!oJfhRU9e(of88Rb?lAgZ4l9#~dj3=i zd^+-jfR)MO*Bcu=8g`tdSDiJFrM?~SWDz7K778iG+5B^OZ_N-H9t%)4I&fm*s|3X3 z>Vw%_E&u16fETVcptQI-0Cb3mZncq30Nu4TUPax7f4q090uFIEg{2?^+Y|BH=U139 zKS9&OP@%Wt8>kqlcWd|rI z8iJVmZepr_+$E^0*X^{!xp7%^pBcP!u-=G;IAg=n^0)Ykxrz^vTcGn8DBa%x+JOa3 zthRg^Gv&H03vGoD<~>7IAlrG9HU7h&{Sn^yFkG5W%w&ZAsJwOk&+g5MOxHrsaxB`z zEYGz;e9p>!aGR8`pjjWbxBt57`7$asGJ7H?A#C&~2Rs~n7e zxUt<65C1y_;Ge);Z3YsnxeQ1NFOw ztl-0m-Z81Ej$;DFZ@T_iKhI!i;*!6MQst_z6($Paj;a^ya z71fPK5guaNye(1tUak8K)e+o`a(=@CJ#n8NytgX{FgobfB*mgxtbK|b76$X zU4)hnWm8Nm5`xJAd#5$ziVAxT&vT+EP&M5J9bgu0I!h)jtMKh5CX^}6kj{PoN3>vh zweyqooEoS?W!-9+d)J-~-ljOtR#hYtpUt2kytw{7%7E?F5X{^bKe7p6QK~Waf=5)nprUxFZ 
z8;+#;#i)2xpuO9Y?*Pv>Z8*8tx^RC4zkJh=zxc+WF z6k0y-BCyXHuy7(TbXueKo+>sgg|6@bOV>;W! zpV`tZveC%kkS_)Vq(>Qxdv^KCWgZL!ljC2}j~%Yq@w&49``4ylGFTJ+-!}KZR+bs> zV}!8B(NOk3E6~ZLWYNLDGDa)CnSe~6@rvsVp0GuI4QIK_S6QoM;?T0O+0sBW_V1@c z=Q#ynsR+7z$Q7B4Or85`cfSwE#n(p_7BT9C#8y^fOM;*98xd-ZjJ8-Uk{+1 zZO+(HwFN|J_W)tJ?Aj?^+0ebF~Q5Q66DK%%kiqZnl1!UiZy_A8U%2do$27FUcSK`c~=iAP42kUD-JM zYL!#SYcOJ43IZI8LU!S-OFQY`nP{9Asba?j%;UTZ?ep+}^KhWS+5dYclqdA`-%c`J z4oBiyx*SZm>z~b`dGPP^{gu}B(OC#G@z5L<$uL&u6Kd}g+B2%0BoF>V&7FXztfT^=^6<- z;jq1rPHk%AWCHkvK^V|Lo#)|N?LK6OEHdPpAm+jh_~0-gcg5K$jE#X98iU;*E%@F9 z`Tr~h5P%2326OJVqB>TA<$q(HP?sQr$lQ_0SN~o;s3!>mB<_SPMu_2w?SJP#7|}D0ihg^?DO=x?mx?nxO{?A`i7DBw@dmPj zh|;`${p3un`hUH?EG7xHe^Syqr+4S&{QIT`wFGwh+BE^go#l^jjumenHy*+mjWJQp zR@&_h%kXtiYVzjZBrJxWCQ=HJ?YC_h(fAL&)c4J|qZ!mtXEqC@2hg7PVxw4VO)DCu zuPbexFUflOtG{H;j!B=^-1l%ANPaJd`h^2g7Z4Kg;+Zu4g#EC1v3FWI6e!)Rz2L4u zO-o(}kmrzly|?Jom5M$hyEjwJ&g zZ^y5k0kxLzI*EC=Y@*=n-PWbk>M~F3zWW_N@wFdFqD`IqZyvJI5!*A{0s#d-&%t zW_788c(u7t(v+)`&K8ZriE1slx7eK>$0K6( ze&i0|cI1Fl?$BSWOn>{hdnbakU>~-KsNZwT)@Yoomy&%a@ZnY`yGP>BNBtZlC*VTs z$g1!N<`ZmB-nOwbZ(TP9TsGmpbZbKQ11nTJrf^Aeb#TiGHsAxCK`ct)xPPi;=1 z>j1hk!vNfFJLEl?@oxbE$+;6JyVVf4tXc?QJ-dm`4n9YznDaG>xt9CP*O%qZPMgi1 z-hpVbl>6V&-Rq7dw8?f3t9iGLTkuab1B>k3{z39snQh4QbO7-w6;k+e@A zItISBl*#5nawGEHU>9cdFU3a1U>YCna`=VINwlIJH&KjB2l%J~I&muI+qc=vVBoR* zGd1T^JwDxI(U8tZ-UWU?oO7Rv_pT5EQ!Mr&Z!4z0J>MS(DFR4LH8%0T&AT6hnto4? 
zRa3oi|HuV;mOkvKe58=%IkRCo>R64i)D6o(&xTOzmPF1`8lA@Wi#|@_gKOB>HR?(4 z+ho#~Y*A6Vw5&Sb9*v+3wN7sK-ia^&bIqJNgw1vDr2}JE*T~UQsizE(?EmZkk+pPE z;?zyVO|s}GU#=bJctNF#siozT09( zmF;Ng;uIb23SRgv-tV!u=x@OMB%Wo+JuRq692J+}khf#pcrPHm>s@e{8Q@n-<@Ymg95j7oXq|^Er zHGFO4cwde(wipOdeGjw>yJesg$a|+#d1t@9fk}4g>4dFCbbBs4{(4_g)$OxY~v%#bIZY!uS8$LxNLsK zuvr0dfgo#oui%p<^lXzZA1?0ZnpT^moG)g_oP7CW)PvWT5|weASgaW@KC!jjW_Kg= zCL;K_e4Kk0lGbrjJcH`ESa(4j3of02-fG3#);LfFQuydy!)vkk`=jY{890N`2`-3^2KQzxF{WgvwfG|C*6M z{hnen_y8ziFopulBdV{rUu+d$J;?hDV7|%~o=V@T{-*Y0@zZOaH`~nT{(B$HD~1S<@HbXf zguL}Q`vD>^Mw1+3`ZHh7y-KT-&a)W+*!+{r2)XfVSLdEy( zL1^YvJ~vjxierxZEYWRCMM~4ROGe0yUt#&5rDE;Qz$a#FJ`5qQ)Gf!n=J8G%7!z(J)6(rt!8UoZkkL z&uJ3K=83lBCZEbjU0nef{O2>Q-(cW?G`r* zNGV85mnfYg-60^|-6#Sg-O?f5t+d3@CEcA;LrHfH-3{j%U)g(q-`V?p&vmYA{$Yma zxofT8ihG6s9Sx*9x&3f=*tG{XC4e*oJ?sqG0_`TFz6J0TT*`VO)X*44^mKvIgPfwUft_A^Ml%3sn*7yJF7%NAzg2&*TZ+$ZB} zd>bEIIyC2i)exsNHA5TXJ*ZyyT##7%5~_Dgqi{jB=10vn7;HG|5nMn;SM)YaPk|MY z69vAzmXTc47=h;!$ux$;kUZNCgq(~T8>J6)a`32MMX4*}Gws zToaRvxq(FHW=%KWtCba%6I78AKnBz=4zW==uk%w)k#tC7?M4`&n{$>wkNiYfon__z zUNuyncelbwQ(U0qu}(R+v&bEw#nc3<<}Zu{n$j`R;k1k1)d;brFPu^mzE-JF{IEhX zt6+aX_*9+FGuGF%lw}ntp?&X>ZuPBuWu2RlSC#M0BT$|wI=?+KN~~+0wpF7;i@X-o zAup3S>*nxlITiVgPpiv|Nqzo-y8V>cnZ!1*P0N%Cq$h}VqXBI#IlUISDyEuZWn7ueopLpzD|Fw-P}qrA+3GBJh# zlN+v0$oUAm5`Fe-fMx5liuJ;&7f>&hJrF~m>3zp+C)W#R_W;%DlfOP8IDN}@LkpJO zh7_-RoPQ(Ql4okFBtyiCNtWGiWmA^R!E~7J_WPReeRl+tgIfXzvb_zT3sc%f zn5|cY&1CzSMQm#gzVAzaoyXV{uAArL?XeX1rt->8fWC{{t{m|l)8LhiT)@oPvtH>0 zJ|kkjDE$%g!k(lm?&)yaFfi}cWd8Y2Pj??GXD?;lNfx&>m4(udW{-XF9i&FgOrbj$ z8!`zZj?}|T+075=d$ACuZ*dI{9aT-kMBl2|4Je<@Y-Bvm7XE=Us9R>#jBuM-a}lG~wWp4`UR z?N4EGVyJw1!U;kCd6;`VjtX4j{WhGW$zU}gGr#rMzf@%M5Evw9%^~h9#iy7w`m>s> z&zz)GP(*nW7v4qi`)3tu_e@CQqTa0JAuF>GU(9X@a9S)T%h}tCMBI1<)DSt-?R`v| z2241l!xb|GWt)Io4EaR2N$14mwq;_xFG~T=i7nZg#GwJysFaRCHS&+;i-7%PIJ^^c z*lJQ2ITlB@toBV|5@Dj|kxPqw9gGWL^s9vs-XD_PziN5JHg25}z7MYoCj6b$Lp7!fg#KNt(K14^)g;FS7PGeOHKDSKUC_TvI8Qg zLp7c+Vxl=gy)8h89V;QY&l1fW{QEBB?5bOs1zv#S}94r{9l8gM&*@4P&Ku}^2h 
z$DXrn4Cs9X1}TIJ*>z|nZ9ZfW`Y@3F`LuaSo^$j7&eP&Wq#GsC8bt`7Ec&k2tRmm( z<&dWbIns@yt3Th*cn?{Cdwn^<+H|^ z^XYPuVbIp6}yXdY=4uG3AvT&LAt9y z8IpW)F4K=X&4AC9DW`N9$>h=gyg6Qcfu+0IV|)6JV@qQieMcMZYV#8wzY6L}qx3!g zAzQQN2N z_+3{!92Uu1x;~#=yk1disD6N`wnu4ZqFcucJ5Y8>$Pb;dFzn zt~OG?;a;pR2l#hpy*6%XLpzcoImY8Po{_VEE&%Qd-*v_*iY}NhD;;DDLNT?Yeo4hQ zIwy58@a2@rFv@^vhsK0wsl8^E6J(`pj393|pH;uJ5>@PL8(^CULNzcM9`gI}o zK1XW$st+8yvq6bJZjV)JER6db5^%TS($~{BS`r4rsaq>w2_;)g5f+}K9J^!j*(sr$ z8L~!-qth{?V)xMZ`SUO^`AA%tYr>{}-1HW^AA==h8U(p4RO;jtYp}ie@D>{duv=`6 zqWsZ#yv0;5vM-D3QYU01qYeY*>y9<>QeSDxfsS(QF>~?;-+kVqeT66fj`J!T`|x9K zOg}n4JCLqwG$)cOEpMcPN3EW)N%0aFTZ7{(n!V_8S!}q`(W{elN(5qvi@A9>>fYe%*Q=zczvD;~p zNdZf~^2MZlN@u#0b(lv_%b~mNd@!8dNQo|6K0!(fM$*7*U?w z^)sz?vp4=cWNUN|X4iS{%DX>UQ?IIb=_xGJ_`nqkC7|15z`tNTyhjnC#7{9)OMUEp z2ES&HpAbSyZ5E zSNcU$&Zt;g{eLRIy+|swk^qPdpMZ&)e-!M>>=8+XeKQv64AcAZD)`{Lyan6dJu#6^IX7^TnKLWOtz9{f8$`Qf>yUY&C>+ZD#pWY4|l>m*M}Tzsi; zQCBS~<|MO1%Cm!5_L@c{gRmC32`*)i8LN@otkbT> zK!`4}dmn}l+nn9gc+9eSS}VNrQhlPNL4OI9(Z^(6y9HL1nw1QoI#HKed{A9}%-*mn zKfCYY$z$SLlsXj?gI4b~Z6{;;lpLo`Uc7wo3?^GF?Huo;mR_!o%rY!o>?Nws*VLyi z5|&_PCzCkb-nWlj+H|YyBK3kn7hzgVy^mJk_S1ti43Tc^*7WcKDsS?NHJ|nHg>@mSfpz?{?x8fWmQJ)GX6X#?-zly_zs>eSi zid+dw_LVRD4AU}aDsK_Os7OZZTw`s8<{o+I+T-$ZY&~y_B|grP)&IsbVZ1X63RiNm zeOIk$tu`(DS@hF%d>mHSh2F=7#C=n%=`n5xv$4yqHs@jssTDbjg-CHS60l>vxu6A( zuHpO%ZA_>(_a5db@Ht_m>;&11>BP#ZQKLxq%0_Sh9#$jEPb}VKW*rstu=YVl5lu#g6Xg1gg*|;0 zkfNs}G#(_E4Wg#>O5g}Td={X1F~Tcl>Qw4SLJJJD?n<;0$Sz_K>-BD@U|+$`y8o;Gr9S5yMJ`i;RB; z?tJ61H)tpOXde}w;VM=-EG@|`NATh&Nk9ajyfKV^{M}jxaoDKtpdm&U-u~UeMJIFzg1RPL%(5!b#2|7GH<@b8qjkTv+Wsl!kkbQM0W92XDb}5$4vX3?;nj9`F{i4p(9|)AIMBB};XECIng4sxsL5 zGs(ONpuRm&;i3HiNr*|S`|j~g-2&pghOlojL+)1;V}W&AdRA$jEi$;qVz&J3E;wnq zx07cRyAR&}wMp_DJ(YX#jmn*Hf%HP$$>FCYiH`49_d26vPH|<$;eKcbD)5~+6+KB4 zjo-wR&a1e_M!us}TX+hGG=Ny6;``X7xXJm8LR90U2Ps0=74rk6UYyTYdCsb*#qC!) 
z#P-FE*8V0|jkqI$fOl6#7S|J%gOa1Yw_S2BCwMk-1Xti;UHosQdi19fu@f(kib~MT zQrAwr-8QbwGB^8ZjLT(pfXbUE7$9y#Vt-k}O`=Re|0~$b+*7nw6QG2n(F*8~mcank zGBg`fzCCCe++Sc29WIjO(PEH^SC{culUKgm@*H*wH+vxQGo2+kVo^MmiK}i~Rcp9L zHnu=0N@}dS(N7a~%}Uf*+!<5y^v~(Mh|-5W*r|QZ%UYk+Nz`~O=It7646%8Tzq)*Z z-4|KgbBnW40u%%JQKi~V{WhvwIrqh^dtB{LBhJxC;LPGv#)Q=$6*EzHTc>=ns)yOA z2P@}bNum=ZwAz&jRgh`~ja9JzUiJFZ(MN(TGX30yK4!K2K&OKO9{7riJ=qoW8jhHY zK>5_zp;)Fh)l>}elIZju!1`7;&WZ!mWM|?h^m!^bM$LTfKam!vJ7MOxx$OpY8$lH( zWpM#jYAO4J6l(tpU5%`!*C{#F4tiyUD`6+nF2(k5laBKAnVv#|uht-n-~v}i3tyoE zISz;ccIt^bfs`8rPAT}=$|{SZp5i|2wX6UQ{nCp_{}>=j=U39PgUq zaZCjyby^+1S@-DeX#VTi5o587wW5; z1108_8v;Z6vaS>oCQp>VWlgG@v}WccL7v}i>&)DhLC`KsT$R$U#}s9cay?1VPn46{ zEwR;81oZ1 z!Y7ePzi~LII^D-ZV2tvBs(z!&^7{$^iDsP7W_0S>Hk|oR797+)-h?B@)o4*J4&^+Q zy07Bf&PvrI5uVzVualK0jhm}Vew9+Sq$*LN6Fp>a7t>w+ciOt%+XYAEZpSJq#4qO;*x{`>ZkCLefWz zYf7y`Exkq4r3-lq7OitQ^`BtQC*o$f*sa?xPNG7$KOP0#-(z{8R2~*_Ws(oGvoYds z`6#v4H(fV!uNZGX0PxA&bYT>oboTOADV072=k;lSue`3J;DB#kgOd1lg>axgbrMA8 zvGnbH4(SBFh*bF+K&#THq;0Xw6uN|rv_qQ-S=6s{XU#mq!RkBTB!)@O>ZNbZdkU9S zA{NzcwYngXw;j|ux$n#{l08iB8)8#E_Je)91{#03n?W`{>h#4fcOIqh20?rwa$CCn zuv@1inzEeZqH)inp9PHCF&neBU)zxcf{slY<;BPzz1T z1Aky2Sn>EXogKl1>73ZT-!NMC>0}FJ=7F712ZB5q-BqR{sP?O_I?oTNd+zJj*5d&< z){}e`IUr1Klb?}Xx=+CSW=&Vsf4~$K3Z?|fDZ&2&(;yfmSG(v-xY2CkV#Ey?eiE9E zCi+Hj5MsLS^eK9CjwFe!?<2d}{T>8qInsD4R)=Nmt+myb^C~7hPaNPZog73rta0l0 zcqFN7@ffvKWVyx|i`U-w9;Tpx7Put8h~0ow7LiMCa!^=*E-+y~*XZ!OgGKKN3gUBs z_PsK&3FgVTb4CiYUxMMu3~>k@#ZfDh4kLJ*`4ZGMz&Lmo$F9!QgOXNT!Cn&1y^fE_ zC{Xq~+`(|p2oX8Uxae&~mv47&8x7F?c#j~trma(OZ^B>Bi1iz&engXL%5_^sJ4ZtNp?|cRIamLI23gkmyqp?aR#m`(z-ZiCekhsU+!Y6ox%hprC zgPm)fSwKTY6SIR1CyRcm6LvUUDeEva3T7)WIK>4Yf<_} zYpg6fb!yY6QA zzT|QAuoi5?obI7K#SIa; z8x=oue#IWhwJ%jy>8H57IX9-apa<0Of>Js-@IfS_TF+J5yJZw@>rIa9B zhSl=1RS~l)dhP={TTJrZhe)@r5j`C zem^?a7|HXN4WM;xv3&&fOB&^5Ah+vom0D1-WcnOy!6Ax`F$G6*Wz#*!jBDL0AqZp6 z!47Cp3+h$%f6S0(_Swu}=j9aO2&dyyPO&74|Mh%8=Q9lwG^n6}O^KVJI@VENQ+iFr zxGy`*d6rUBOF^BGP=G&0v^{J)rM}y15*l$qkYzg8mLjZi<827vwsZ?*SQ3@8(57mV 
zg84qQbr5~F1xr#N+O5RcOJBudnG!XrFcCDrM7ovcDX{(MvUpy6NRtMssKQ=Fx(KZw zd|}b)V>`B%nL4i+onX7AY)0>hs;r*C5-K2!zV@g=1d;I3tCU#IPObz2(~aeiL|;Cq zubL*0s3pWP$@42t)9lB}JBYMr?XQyYRRm=&)yK|oX!vkKG|V`^2h~MBF0rW1fUw+h(+nNhe9waZ4*Dtdot&~Jj zR~Po@kx{->6(4V8n+5t4Yh}q6ZXdnKp2Q1?4Zr(v>35UOqu9QZ0^B6T{MIRZM$G#| z))nQ@m3d^FrQNqUc;dloGSerbm}x)?KA{=?K=J8QGf^Z+sYw0M;hPvkrVB!oYc=%^ z4BwMH5XYKaRJyn1;-~Jd8oYh!c5eJU!Ux2`)RZ>_AiQah39(3nFimvNYu?bAzNc(ohBy}+qB*0 zORE2NmId>;VS~TKhLtsC_}vZG&@3#BW;oX}GGf|UN6I)v%GNZo?p*1n>4t@|Gpa5j zCWKc50})$T$C-jepzIwkuk5Cj+o<4q$E(Fv1kmGER9O~o$&@x9#k$NS>?&O|7JO2--P5D&-+_?ZWU0y-+1pnG+0XuYXOJ@M&io0Rl=3kemvYiG0?2 zo`V;MvbDtAnH&>;vH&!C4XMwqKbY;%9?c?kM6(^i!4Bh^=GrL5CN_=g+{b)xfxfTOL*3Gyj zxbRcif^F095eVvnK4?NG& zJ5jycvli#U3v>#jcc)?WTVoNv(a}_|a~|pxn?cl6avETtM739TxK-118)A$+-J(Am z$OPcuspVbToeSM-&uuvRK8?Lqe1jYdhy3dft!+jyGynCn!uNoE-5LFk=lfcF2mGLS znX$ga{8^dB9nvwRbYW1xYfXf}qZp=Jg@f(}=E~~K#aUeXif3;AAuGImM0QZ4>Z$lRHch?zlJN6umfG0-E*zwg{vnsF?YlT(jMjeCRDRwFjzQZUN-3zNp) z=`clmGaEPqZEn%**ML6g-*_OonRHW1Up2y&iZ>o=0mxyXi=!s$_}zV%S#Vwn8)xF1 z^9C)|$M;ilZ%RjjWo6NAiLcF_Z!8y zrLDeqahv8^eGy>zLE!%M0E2)0adwoeNs|xRaA(x7w z&OQl1Mo2o38iBu$&Q3vQrU&<>CVG~~H!5&Z!OC@&aEtC}Z!bsC=S1pHagK5EEE#g9 z+>#E|c;~<+andvp2a?}}IL$vM@k=+{n5vTsb+RFEQof4kMruM_*to|%D`9?sbB!1RY9c2k9#D|Rn5HEL?)F2ekv}>ic zC&e>SO&q&Pd%w!RmMw`MCw?`b?Kvxv7L__d($ZKQ4nA<$wE&um8;M;lX1q7e*Z6ol zm+ii-wPE`0s@NFk-HS0%Yy6}i;c#aTiFEu8@=%j(nC6ykopQBXKgs6lDp|G+on!5p z(y7=CPQ1-QkO29*#_;(^LeF()vFk4dpM_A|rNY<9ll}xw$w0kcGPwH6zpvf_)?oo* zE-u>3p+vEi#4z&oj2jTsfUvQ%_XAyzda2Q=h=a7ZzRJaqfCX>mQX$Sw2W==sqn(yp zUs>M3G`nA9B>(arM6feZchY%DRq@JOp$&hbewECnhrf&*{#`&_#bSWuGa2iw@XL_i z4+8;g$#;k(bBwA9RghPsbYHsT@a%QlD8l77<2K(JF~|KVp7pZS*WB(y*lZim4*OCY zO?;6GK|iWy;=38c@D7Pj9P57h4zK$Q)$kiPrsPO}LT+*yODB#t$F;8~(nGUZdW5(k zsFb$vgGkZl;;3Y z9mND*JAz-3I#Mb=nF28>ev)!C<)&Hdq&Y=|ao(?$ilwc25-O>M+-JeEg|Cmw1DF-eR#A)=E=~rq!SW8 zAT&vDbX8`pOYtnXSxKUBw2t#Bs9B;_cqHMSm=2i<3w;Ftu5Z zOYg#Tg7|Fl)z6dZ2}NZ6kE3rxh6K2(JA+XcbnUC;p%#C}&eo5yGZwPTo#}wDZ<0G8T@hYSF}ou2Xdfcv 
z6FHHsBRQ<#gMAE?l0xX!_1zuR*hou~naJatVtRm1YJ7>rRF2L@hp4<$wbvB7$?3*T zduNogd~qAIb194FfSEod=Wle*=ZIZk9xd9wKA*Jgv?eh++)LePr_p{u67r*dw@O=W zFQIYASXtwz>SRZ?zwE**$$%h<0rjSp4!E5wrrHS4n-$dtp7vlJ9fpea)%L+iAR^ec z)U<%dd#-a;It{pZox;KG8h3cy?_ArQllc2g^! z7M;pb+IS<~7mZL$M>rXUsfN5h9kJF1p6%#MxOy1*LOl;Yll9WxJ0J?8Vl&Zng})KG z8(Sj>A(X7{AUULDp~fqDz0AMWRoBJ4X>ndJ**=nI$6Cs1Mma(;rdpa?Hg+Besvyxg%U;8J=XPuAtCd7j6z3 zD;`_4P`dpM)P>Qnq!*ew-&2V&iy7wjWzbRgSI_|vg*QGBG(08K+Af^z3O9TDfaI_l@DmlKxH_=3VNmud~+ZWNrla6PWOa zx-E;);@&tcApnG%N58!qW1~7*YR56ayZYSzuCyI3X+q8iH5G<^o>a?GcIKcixxm6F_cB<~QK17no(hOWyyp|qB zy84_s|3~bPFjCe+f$NiqddTZhb8U&ZX*TePiFz_-^<(;Eua?h?K&$A{RYJhyW#tY@ z#=_oo%67nnlmJc0KYRotFjYz7!q25EPObr`Km=MGq_gU_qPULrYkUP`gBXp4*t0yfaWHQ zVrYE$YMgJi$0XyMbMah`%ikI2Qy}j`JD@h=P3YJSltP8GGoOd^#E(?f&XAb>rP?8P z%P4XE2rfySWxtQkCqS;ryV24vLUX@3b-h~V+NhNQ96=i!rjExIQkIK%e$;%=3#+C- zzBo>Mfl=}T*~X9t2-tk`oGD9f2wE4RHvQeTBM<-yf796;BbBi1r^#q>Z~@fR+DMK2)+kZzj4%8f`i0f9`xmO9q|`Q`3=eo-OqC%NYh0e4wA|CCC-M;@TdGIA9Hls z?(*!}ijbgH=MR9LXYY8thY<$Tz5;YXpD6TR2LjVID;ENB@Ho5Gs>R>+z+ANu-1<-p z90rLsvFX>v&QP>clBS2$;qs+7F;q&++FxB%7eU3lg)xyjKk-w&wwxqOEn)9-Ap9^3 zogrm8J?$A@a6VTqlEPWVTtBAo{Bwq@7pBy9a=_)%LZuaH+|>qm>Xn;l5(2-Mhv+;= z;50An;zTmQ=4!d+BAfdCCipIXbIhGgojX@r^mckP!@rx?+H@viqDJ@hs|`D8pXzkU z`x+(yQ4>mo#U-8-3aRd5L5M>c>uP|2pEMp&2ev)o3dc=``yQAh!E_m*M_IF~JnYu) z+}jF)Iv@M%nyOu6DIy2w2CaO^3$gY&Xk0CSVFg&qth8$(-S-kJlpubcPx3`3+Fv%B z3Gy!t!&KwkP9UrKx7N!d2VYau^Z4EdtY=yw0K}&Spt~(Tiu+|lZ59Z6!N7*hP=cw! zf^2{VZEl~xx?6`|YampfE^d(e+^b1xc8LUc0B1T8 zFId!2qn+Qj;EFg5qAiP~kD(BsBzeQGg%yz#R?dGUCE7tVcZOd7T7HO1!bbp9j0y>K zYSO~$`Oi~xAy_N$NW3eEvx^AT77$B}UCdaQneS;>XlyL#(ZD zIRLlCh{DvjLVbOugFM^sv0LE=fFN0o%TD^QA`Ma$M1y2uEnFCZ-OlQ_a>G8tZRYyd z(>9UpPk%e1VPNt3JL$XHfD|RIan8fwLdaNzFii7*q;RDp0A4>+*l6E}?=*6OEzZy# zT*=)8x@6Vx226j|4PM9i?DsEY9BECiV2F*+=W$`Fi&dtB8NSnZ z-K{hPPoDh*dWh>1!G{apT>yZ}tJ0m-&D&pOXCY*V53EJ&h4o(ThW~EWOmY6ZVjyn& z;HQbe4+kBjzl@>ZK6e<*(&und2c!RjsziT4Jm&~U-wKKPK{IByha!O8nat0$znuAF z^#i%n2A1T&?>v@Axx)fKn`>Az53$w}%cMno@EABtE=? 
zCZ7rn4DtLs`Se5_sBO@gVfW@QcLJ~}WKbFyT9Ia|&EmOTgh~lqvyty&hM*M3Cjb^r zunBtpJ9YbmARId1fe_dA&X0m^H7Hd+_c!!{=2!S}Hg3rpX2+=!9v!1Uy!^rD`%RuG z&w!B_#*(XNAHLQi2W&%Ja!TP+JNS@izf#T)+R=Oyz5swY3u9Q~bU1N_8-4)w|L^}GrB&5i$_{DZ^fKOQ&m2Tr36_0ity z!;e2HpCT}-uc6G{)${zn?9u-{eZVIP%rZ2<^8vzG;Cuk?fk$or=hI?=D*^~Zgg%kD=V8a% z-T(_hdA-0``DY=&IrP7-+*=V!RWzI2#Sd$C2?s`AcR|$V`>*8wK;*wyg)IaOgbg$P z@}UsIPdw;C^libm|7C;!uL&e_L;u%KgO~DQAUiaG=6}{Qyl($LM)|LQ#Pa~#s{zq8 zKz!KWpL)>uxgK{V|9cnz>!ZK}iA7LCsag-cWPOljDA0{y=z;(7|AD>2p(M#2Z}?&I zVasKp$N%-sjM@K(vB{ugd#q+=|BJmap)<$SkRAIMdOrO0e@~{R0g80TJg$t%4+k~^ zow(@*chx^1_Lo55Y;lc>wLd&;IU~T>BGT!^KmT!LFHC$WuEFAXJn)tQyb>_)NQ&i! z|FzBku?itH&9Lv>Yo75fB*C_ssCg8TF+TbP%+~#d)73)&u$jX1B&j? zY?e9$<|0qKyYn91y=sYE`mTM)!uT`fZoO=&*>TEx+UY-};io_YlK(il|BG$^{YxDH z^zcL!_LGF&e|_nV;Oiy-MuSDuLinHeCiE$Aguvc@>U%Hp*D_e{p_F{nuPpukpYaw9 zoD0yAIcDP3=wF^BZ|+bia9OW^b$FnX|GGQBw@Ugk6lqvR{g6l#pC~KW#PF&NJyQ>5 zKAzP*zyIZm&O#r&b9>M7zE`pw3myRnmBC1er3ex>%WQRIxeXwC1I})mS zi`Vx(LYT=4#FjZR6%`*ZQAA-O3~%A1mfLgf6|=$JttK>b9p zlwWi7$I>QcnG9)xv!%lrh8TZHz`YcLTML1ChS{g?qNs&M4*Pc>8Wi}xFba`0>JMLz z>T0@EZ4E;BSEtKDMCWYmmg97juPewnagXc_`n8UF2rQn=F%J+WaqPyHy_@WfkuQ#y zj9E73yIA~Ydpt0(Rxt{Zto%3yiY+yk{;4dGNQr`H8KYK|-?uZRn?!_sZotfuDHSYnFh#P5e3BISfDBoL@{g(>ZL>Q-C8f*N7&O}!Sa$3y zdaH0E&b`=TT@zk0_*I+vhTCjQT{?=`YTK*^U@xYmy@HXaw5xs+JdT9ut(;#MS++{M4 znz#xp{kb0=kuQ`%mPdupZ}34`EFNx1+*g}C9*Li7E-qG{mOCG+O<6S)f(z7lKlNZ8 z3qj9GQxuq+rgH30iZVzF>J7@FSndu(#}-PMc3yRlMd32G6}@!3Toc!9%jmDKtKZJmaobLt zol;Uuh~g#-UeOG#Wxwl&fPa`2IZNC@S;6~>6hIEoDi*(5{2k8%d_e=}{Uke(#X&5! 
zV(K+jSV$s_Uv67(d4^RV~P8 zbvg3z`9WG+tDU6`nkwH&RfX4g98F#7pr19NzgRoYyinl&raRE{)g8(`;gg6C)MW(2!ya6eiK-LFXG*@<%nx7j~ig zy?3(Ey{o(U>hceJ*Apo8Md6Kx$91di+2;Ps_#gaeN=@fB?(BI?WT+4-hkVs=JNjO- z{J`OAD_sI!M>73a~2&NIq~|DZm4Eepgc*JPpCmOs=S;pmQ-zTPy1)xRT%)^gGTANCM}R${LC_gtbC_Zo&9uu(6Njxo?JZCba#&)eRZpk9wqk4B8)W3T-|_U z-_wg*kRW>$>?1-RY1EChX8h{e!&ap0o*?RpIC+67@@_K0p}Fhzq}$a+UnfmgZYF@Hf_H5o!Y3=3IY^@RNezDoZFK<)DZKxSQ#nw z0V+7!cJI;dZJXt75q zeZJfJTZx1uBb~L3_ii^Acv}hGFrK)FPTow_6;w$)NQI(74i3Lv+|74+LZX}XVc?~!@x^l&VJOT_L8)>|x9KOzKLI>ERQRyic%-U4 z(IlF$7k0?g{}C*s-}EYc$isCa*8AOuo@vGi7fP!HknhK$!l9b<8SIcqf z_H0JoIphE#9%cRK7R5l){ULm4O@_x zvbVK(OD9);NzeYmBIak@UnRXgfpA$~e*N{BY2M8)sJ76>ge0@B9}l%R^bY=?TW) zlOW9FEZOu~8VVIcR&F*ssKhpSwzLUau0{>ycTQx`ZkDyYI_J}@VJZ{z)0(eBog|%5 zyV}z}!o@7KZOH>o99MlXO)D3JCsJ#^s7ASIEx8oD-cgr-Wl+45GxN0NUR9m(nFfDL zJZh;kfQSwL5^H^Ne9}lLDdUJeTpwgy^LBQ144+{ZX2WZ zxnI6;&TDMbIy2b1BndSBU^7<}8;kBJY2J(7NL!epeN(6v$4s{{B)DImg%QUrn_vP( zx?EF0UMq}9C0|nhy*B0j9lJ+M%+I^oiUQAJN;&+as=C^zUv#2^$uCeQy0m3snn)Rm z`gFVZUvQ_^ekt*sCMT-eja8mzr{S3j#NU}b-=d=cfJ*gj3M91D#x(7DwS~yNSL4Fe z$=vj7^2axYe%*Jj2sFeR+wc?lB7T83)tNY$_Dh0;Kh7U%Q&pHM8uYgG;pdR28@A(M zj!k=CNjj>z>{MZsxs^sFI~(a<-W-S7c3|2O2Sf-!$f;A<2MCa7~4D?izkgYwq1FMyIuCnfnh?eFv%K-*DpgD+RZT$+7H$SvhMS;U0rIIqmZ znNPdGG!!Etp#SpNbLwT|ndPEI`>@)#$vmcoo09^D!5KOQtlV$Pl5z_slap7S0iV@n z^2xovSlxc~OfWxrR>cQZ#0J|}d#|O2QW2gYO(^+TG8!}=c^(fqrmlHiF(sc8rGS|d zydR-d8T9l{8DqlQzN7b}lFi>ax|oTp98T9}X=!UK>mGCnxmVX6e?#h8=r9|P)|nBQ zj!Wjahr0pMgD;nR>py<@nJ+aVSRA4d9#YC#tW zFDEeFOgM2;--_PzLKHG%{GfAy{9d^^OAk%AM#v!!nCs2UaqpDsXx7;${fIu;5M)jm zNOIz#M|a&-Wn{g#huVVP!Ed4HS~m9eH+(?9`X3(}LhmP_z~MYY+1k_6iKF#d_Ka02 zQB2s!f~R92YnOwwlB4{Fk}tmU;9a zR0k)cg8gd=_lpgN=5U`BF&qILVIPF}&>_A25$IJjCgK~$Nms-o22W#dzkk=rpi?7j zum+1uPRPmB@T{XR?oz4oGo{&ZdU@JdJmV|wlVP2&uipLe+^?GX)=%QZcJ5ig>Oa3Z zUQiWEwxF1gBPY^$AoCj`qM-=!zU=krKOw|RfM<{w=^4fRZrq}N4C#@tbQPUbwisO^ z;IYNlIneVKzygZj{axHq7tywxpjG4ept4l%{(Ti5P<|#P+4IimUTti-uCfPasNJ7E zfxhIVs>oDHjKgA@_J@hpAp=w4NtNoaWyW={sY(R3(csQ2mlT_;2^?rUz(o~16g 
zKDl=q9^&0EbkbJOMbfZ@c|`ixLJt9%fHCCT{5Lk(Uq3}-({KhO_x`}zUuigB?^?Ln zRo5&Fgt18vweBYAUn}v{C7>&43}Pe}xJdUUws~{oQ-Ats8)hJB=)j6{8f>uKp})47 z*-l^vukb#RCF7lVFmmaz^-h@`!q(!y4Y`|Q)Ir%IZ1_0XD$6hzZB~X*1tFtdUMrc1H&?^?Ysl!x3u$uN;_DT z6iuk6@HZcC3M{C!Lu%Fo;9R8?*^+=#`HiV&eLnHT_u{8Y%aaRkKP2~>T(b>O{7YBn zUA6nNfpoVS5AvV-3{^f#ZX4t%aH?qSdd5OQHIIhNvg1EZ){r0!|!}u9G*m$fRN8~1IJD@SHllim}}27yL<+ z@m=f%S02*Wa3LGNY}4gZ`i{0sc(VY58C-76zOPdrU8tABygj*ZJtJ(eM5fI)mLI2F z9+X3HU1jkK3Na=r8PPkxFk_}G>7_?=C{d|o3AR$8c7J&kz<1?kDqpGp_KW~KRufLM zC@_6fKs$Z|2a984KQ^5LD3#B6%~?!ILO7xqBo1pziH z7;5l~QT81CSyp5xK;Ds^U-}FGxNZKI1}yX#I>cjd{*F%r|Hqh#l?4cqCTUG1?;n6BodFvdRFjFM zPyCPIt^W#;h@%}W%RiaxGyzbKM?(pt_(KXpX3(XZMKKX=0diOkFx~F^@>L4}2KorD zb1>hUtFK;NU5$MTOZ(fR{h!+*R7)--=4Y!YgA@JdlpN8$g8|>yyKXeiTHEX!pwc7S z=ka{iY^gXpC6FA6*;sB={XBnmlt+FNheb3HoT4QjPE0ErfEEYTWmV2sFCiryaoumE z1|{1{CC>n1xwN&lwdIy`JR2OYXP;b_zTmAchcJg9ca!}C6&pNOz-$FC{$_UQ{Dp|U zgR=rlKc9Yd0WP=KfB=!;cNjOXOoz#9SHgL-jQit-L9FN3G4cXYD-nY83FdvVwBSZp zr~7KXhWoo~aJ7~G?N*v9=F*4+nS+bJ@4WeNy7ztr-v5tjqz7VzbiN!59$!F>IEz8Wr6HmQn}lu?bcXc3=m)MNn23~-`4h2qTX@${rbNRK-H{X30uEW!@_6Gc5+z=J2K_J_?7$|5ycLc-;_UthwvBLU^{7?D=&b7so z3LwEb9T=I^KP1@4>itRWjTe?kiC&|dGz<-r1~;JTZ)8a)FlBTCu16&oAeeQn4TU*& zFa-#-qzy|dH5$&8K>y0`>KIimmB?w8YQOVqB#7Vb;vh>~Iad4*Ec@?k~haPod*}I?ig;f!th3>UJPp3zQ9gX`8y3n?J;0wO_`)UV}K-7x5rZgR}k7;ihBQhJnv60f%Si4P+brDGhA?x zP!$~opxiovE6vr@unNgh3E6t?btjmstQMH&>Ybc|k$(vo4JLD!10k&MUvgCGn$A=e zp(H&8zSpAY`z|K#g&+9mW&a(N$Sr^+z9k}f^yg%RI-f^|1tXVf$RMH-(*S9O-|2e* znoynhxVFes%9bj_VW^UZ#+&Qh418m^>w}|Cv5(gAxLkv>70`#yHpBkt_}F;oSDBBU zFXGcxKWw?kO7qD&=dK8{{hRy42+!Ehr;y%q)=Ekvz4Iq{$I-XIx4>-ka z0JvqpvqOlyWwKp`kHiJ$DPPLWl$ebEznq*oBnAl%kjogLT?Op{mncO^jB`ZB!ai`OkL+Wu(O5zkKV&xi-!?* zW(SbHg~ql8Tqm)c$A9`&+DZ!|zX2*S(mQNVFye??d7<~ML6Ju?hN`w=u?mQFsX1vW zayedyr2MUgk!uYF_NCxtf;a;}O{{ z;0`3;suuXj-R&chIt%%u5-i`Z|1FxSutAkMQ_8`c=)Z)$5FvcIA|~wrL)ce9Rk?NT zN(qP(($XMZ3P`tvASofR=@5}dx*KVb?hXZHOKchhq!p0v-h^~Z-?csQ-TUAFJ7)~W z87gP&Snrzk%;%ZYVAF(#6rHGJ-^@d`jK*rVUIQ@4*yi8dS_+o@0`@~Qf(IGi5M4&_ 
z*PZdeYvD`rlM{1|u$_06%^7h#FBenzOzsto@|bt(k{=%}lFGmvl4tYyMC>tQAuPhv zc!UhSB3P@OjJaFzFUC&AM<_m+q1QT!Odzl6si`3+(r>CQ?`o`pi|%Mm=25Znr^7jg zV;#SgAss%0{;eXtQuh1FBKbr8n6L+=T^F8=nB0ugxs=cDg_5yRlSC=nMG=Bk<#QcG_uO zEKJ!gxypBY^9iG<3OSH-It{h3QRLNjA)zf&<+h@ngP34Ytbl2nkK=t|@oXWUQF&|U zI8&MNigWKvKC^bjlMe3Mpqt$z#oD3z8caE>Gc?$G*3 zP~7t%qMKAlY*$;a$l$oz2Wwy2hXlVwppZ&48_h;%!Rl}%c^{r{EsVHwIsE?c(wU8u)p~rKdbP2A1Mo}47Ie7{C zjU5(843`ZNxI7eGyw?z|lL{09T1V1v@6RX_)mX99B_h16VY^=^87>-30dllk_rnQ6b;pp(6m!-a-$8K|K5 z(boHh#7B*Ya?;AlUHi*77wSibb4$lu`xKxyD0wlQ6Rfv$5gaI&&-|l)0!*=vk9JHj zA0|0urh#2&pghc^jliinl5{Z>Z5Bnw(ydP|f$2!d!4&ikDat;Zj~P_pbH6LLdM#pw zPU7Ui@KZ{PPOrz-T)Ih|fe56$Z{EO-n}ju0Ot||EpGniJ-W-h@cJFUUs$F;^OZvz$ zL!yNx@z;-BPcUOP1pa4vMs631%)WF74dpy|6?U?VH|D2cFpcjwCGGc+tF>+qwwmp0 z>#Y;5xd$ykgR*ZULa0xMp2}fFgyqC6oY;frjqtiDKl{hA^&T^Hz5(RLF(5st&?=A3 zN-DYI)pa-GYGM?_(dAc(kr%*OYgPc=17|?K)B04rv}WFQPT+!wV_lG|p2nCQ;{JfeQk?21)7U;uCczhN0(j_C9Tfco|uC zC8$R-@ZD_imTtrIm~XCKw+}9Y_D1c1xL$x#XZmOWG$|%_CB59sd}a;xzJZx(gkMXg z^yUs?kp1D)FHL+;zY{#|f5kZNZ`B_d(9NUsJxkKyN&|W_ftsZ(wHp9xho2w|*3U4L zF1^EKs?gEYI4h{cdgY66%5U-FFT-|ACnGiLY)UKCZ zJ~zaPUs!D}l^;RMK=1u5;yPiyD$TvnR*v4*r0_ge+7wVdvXEf&c?D>jswvEUh0(IzCX!d@UKeicwSly4|x*OMdP9*EyqMqsChbk=Y9N08${{ zJls%m`*w3`|L~XH!M?Gm@(l&@#guVgce>9X_jB>ab%dSe~U9D4onBfFn6y0v_ z5?&{ZqRdaaA1>~yo%B?y4fm$S`A`Msipg%+_Yi30=NHoDhV{m)J-dta#~+xy4mun@ zH)qp-eK~r~dA-4X=ycb@#$ZvmiiOCtt+ojN9xwA+-Khwi0#G?M*`#NI3LW1m!aqCI zGI}ez72r--lxb+lrTRdlwEuUjm^RG0BzV>Z10odLXXd-B%k~mP(wvFN!E>`MyreC3 z!lFZ*=ofxQ$BqgY1qz8q7V(EeafgTQ(ffCwfeW5}ZvOC%1XMYxK&q7au_Wa!9W{eR zxXW-?(F3(nDnnfgi-)~?R7MlR3bspyMJ5B;a&0e(LLW(?%ZCF8$5c@wbFZj3CyoV) zhOW{z6ZE4X^j!;lwj(=l%3j;`z)u>4;!V;Q25B021U-k2#>Zy&24CW$S9P2^-};ln zUUEY#-}}_b;xQYs5#0$n1Hk1~LwN%E7!Y0l#*@`1Zhy|6hT1&K{}^1*E&XrBgs!y1TnO{yCA=d#*XJdChC8UBL-Jc6|08 z%NfOyw!)nWu$oVm_n_V8y;+Nw!?9GHb$tImHSF0eBNv9&3&jJ*y_4cd-VatmUOCPUjC2tBbIyh|9(lLn37vXvDV>ww#vqsXC>jUkZHWpI+ou?B-TH^9aYVwyL~l-2JbK0OmuFYxS$L)u}(2 zGXEKeJ>&0a(VJ;(IebLOXd9uv(R;W=>5p$%Fi@96k*~c{paV^GkU)sIYV4(r5 
zS$1upw68+lVX0bhRjMa~`~c>Vrv`Gin?kiC+hCELP|#aL703RG1mJ$zM16z0)E z>f&GIR$$>=xE(FYtQ_8>b|A&x+PZoWJ|;eK)5BcUH&J>m2IF-~55m-|Z3mT)e`7BH zF&V$U2|Y(pF{5g6Xz#y=@mifoGs*H|4JoQ#OgIpdH#+i=5@HZ0fb37E?lNZ0qc@!o zuqa96f~2DxpVmaTs+@|35(VIUBma;)F6w9ny;tez3^k9rueL81+KEjz&o8%HTf_xq zKvbU(&C(p2BZ>VFj^+gjBP4ESgyR>txy~TjWde}3RDjh z10M^FCZ-D2-+%k=5n5*6>z_TaPFI&VL6bQ;lWV)R(f*&MVu=m-2J%QQPZ;`d33yNI zEjM#kio}cEdNT}>g6mGZ&%>YV19*GvAqVF%3K4_TD^dv0yYx)o94U5^{(2 z3pZW6!9nz(_6U}4=qr^3eWm){vqt{;m3kuj2W$GaSW-1;57tBmD{V~k{P;~!5`i?@ zBTXnO)aRikMR29P^ALgNDKNZoEVJ2jH^;ZAw^E6GPXIjOBs7(@&*E{xiWF0^`^QT+ zuT1{t4hqI+7mkwlaL1+^#lke=zZ9@_Ax+>W3mkUFHl1*<9istNqn*=L#NC~76+Fc1 zyEBiudvlkgaV6^oRl8VHf^Nu-s+Tt(IY<4QeK;SvEF&%swcMS{zRRk%8S@kN$!wQB zo93X4w-niF3$1fgES!FDyOE^dF4TCrIAL&x;<8s?EoJW>SKqw(b<9HI8WaI)N`^hP zSuGyO>KDu`dU;=$1MdNi;dqG~m4AB|_nN7csMCIP^Ma)2N7P6@(CG5janwDSI z6bRrq8J*O%_cbc{s7kWDe?8glUGMjUR+H&RrrwLcHV6p zxcD)v^Y}WpWyqn0?&( ?~d(UivWdLFs9eFE!=4rqK^rZZK}W?>KO zktld;WqICX;Oqy8q4+rD$3du5yEs_3j5Ma(^$u?Yx2it9JywCxaMMLBuEs_CqOqtY zziAG`xMAL;HY>vjgwR6i13|!S(tUc*|Ia`Qu$h~UK!-igHucLM`a8CaK(o-D3ySp2QND9^R6J!u{< z@8r3;?%#dKKfBlZ!9g11DTsg;hLQ@MPDE?ikG>~K#s$G0xC3KqwCaf?9ghP7_ZSwk z!g_n5Z}Z*>OEnT#p+psQfWets>UM*Xm-k8JK98X@R9k9JZOcW23Wy{X-oM%tOv}$_ zQOvo);4i0&L0R}%>Q*Lbo4=Mc#~DMIYEqLUORh|bjrH0axE&7wv?=qj)%l;D4oo_1 zC@5>(L%*c&H>H_-W9*meub@)&&^OTF9vbrf^|v`nK2;Yvry#=9N7x@a!%t}Hcek9e zga4fF8#~6a?l`7?CUq%Vw*wTAiXIBT7dl_Sn7e;AUBQ^W#d!3O{q%hkf=H3_=?9z51Dh63WPj^d-fguL-Q&|LbQl-C{t zR5K+s=m%(Q3*ET?ur*Y~S31rR&LlV{b*^lzm?!JR3I8(1 z8sM<8V@YMdu6-aCI^^ff^Ob*jkP*w12)bmCw-il2eua zoALk(Fu;02@7ws7)4)Sd<0X}j^6NBDBBASrrrYXYZl)GGWTqiQ@AnWTa26ySYnXq& zu*n3W4{zVU%bBT&Mf&~tgyi9V+(`wjNYDUwk-XM}e|~ddyZ{Tp=MO4|3Z{-O{r&H3 z@~YjXL5dY0}c?0FT(AGqV{jWRt zub;*8;D*O@r{jMSZoEdJ3B9dN7UN&0=l}Ko2uWg|-@(Daz}(%H!B3j}={>fcfb970 z#gxCMvB+LMoje6<>H|b!(FoeqWG#4xX9$R*-}^PUKW3)7QsD)iPZ*{q%OYf;qmK#k(X4I9xc4LI_h0q!I%#~0=4%mxd-&(WjF4~V z?Ywzl31ntJguV1c`1g+*WH|-1*$Xol;?!wiu_^xL6{9hxhp(CqxI-)-R9+`;)Mh;<> 
z!Tld2A-v$ed}qQ-pZ|F*R?tInMKK2c9}B@64Hgy4y8C5W(w~v{!J*ROiOT+E5kUV* zi1`s_rHHTCn8la-7)+4?Ew8X|#NWgmXb``W2X5}E%aHHOe0RMU)m~R9+e&pgv6Xr_m*0?D2MX?eu&{h0nn9$_2Bd0i}#LVH5H1Nrs4c ziuh7kGFuJ<2Atmhe6#iSxfQqLesbN#YMgAN`wiN3P)L#aLW|$w!Uu8*FF3?>je6(9 z7BrTZiF{7%4XHi?hfj*n$yLZD*U)uBk$8BSN6|%N24eE(zNm}kt z60{U)|L?od<@SnXP(+=zP$*PW20hbh5z+8^4xi~|A^C!C>sw_}kd#)j?tY)n&7{pA z$5n-j`H~8J%+l^`2k``yvb5;CkFV&&I;D=n&A=85-pkHR=z5@-q}K->0uU0DV^RD`55dZmP9i%-6N{bK z6Vi5^*c{3V<2QHaW0wuETVX+*FlCG$?-%EEj2D48CH#eMIa`R1*R9BnA712 z9ahV+;$#k4biVED#B1}^02-0-GN(FiU!5oe1j!Jge#q@-sE~RJ-o&DQzn_x8>wpTjhL)(5z&Azrz%K>uz!1yN zXm*_Mri$uMV~zI)GbC4X^9s8LD$7{^%b(d#aF|hsebiVra;zbu+nTwtGCzAid!RK;6xC- zQQb%f%O!l2hLmt^kkQ?Wk7&k{g9qNSdy_lZZ@FF_Ix=Fl7)jk7eAFcj%!b_yGT}UD%zX9F6sLIP`ZK7`mpWQt03vF!d~54urs!N0s9Ui zZ!sV^<9Y*bAs)_(Q+$e+Tm#DB1ll`$vhGna{w6s*P zk|AClXcrnL^?5W;ZibXuCsyJ9Yrx|Bv(&32n$8cFRzM+ORqbqpn~UB+k$P>VsF;`p zFifTsr7zqRzX2H=L^1?hR);w~{|;t#>EgVNpH1{%AW_mCF(STz!`%gRGKxYCTOBf5 zKVYC~EDPRUAMsSX`JJZ%9{B0n@vJ3NqK0*k`0vxkNH@`oI?j6`BZy~-yfj2|_3wCS zI^UJ+=}^ff0=MTR`Gqb*zPGdTWYv&T*#cF zaLo$&sXQcNQGiLvSHEXOuU1&>%xcler+hq0Rr@MnuPP_$OYVw`x%G4`momRq#WdHo zSR@|O$pY?&?wHS(a?SG(VM42MdBgRgWaFMNCOoumhTV9W zuJ$E_WwcP8VWlgwEGc8n-{jy}Mu+V8oB53uA%0JIsBH8bE0Z2m4pwK0h;L`=kHhV{ zFeX^<4CZ3{VAb9Gb=nBr4i(I!nIUXsA~$CM)RG@^7{H`ZnQ zk$$CG>u|hp%G`U?m##=h*5pvKbZ^m)Xi9a{uU*bHf2dLvF^O_HU8iGH#Y^z%t<}qL z-ZM9$Fpx@!SSS36pWF3h1in42$W5(ll!cg;yp0^wi#7ct%=ojNsdtsv9#%2wxY5F^v2|Qf5zX8?I@KSMr_a4t6CXOe=8Av@dBlN3DjpqroITy z)#aRZOcSaun3!jrBloy|8%oBXdzsOF*?4y)SPe8G5f5q@Njn(+?8wli?uf}$QTkHkjZ>aSaG^LUXoTLPBL2l5@Qbz2yvD=U@i8n zfDKd?NE@UD%Z$m4cHlmKC$lvU^wI=V!y?yb>uWE`yg^q*gYtXLG$r(+O%8!Vb3Oyb zpd8^X3bw7z3?D00CKwcwBwyw=BG0=Zw9RtPxt3ir`&@6R2m6q>VPEp1Hn_Y`2uq`q zh-NN`YybPgg^(~U8<6d;8t3wn?i%Cb;w*J>XEkG+UC#m?f`BYxBoGl4ou1vf0SXw# zWdv&Nstd|u@R*DUY27vS&-vhT0gFeF-kkLXD_@B&drgUn&= z=G~YlgVSm-AA_PNrL6^i1AC>kWhKg%?~2F=sS)<@B7O8BVe4LUUC8H*rQ>+kTlollbUR@&c3eSk>|WDPZst9?Vb8?4B{ zEFY^7QF>B`w1Gw`>X~v{;z9P=`d-(Mjr1Y*{ApG}7IY@0s&MD3VL7ww!Zio&AQb1D 
zK}qAvyc~b6RcelvA}fyxK5EGqU1pjyv|R4mz3ER6*TfsBka^$J&UhNkow&*0><{d} zO$%es$vk4H9Pv6MvS~_HH@73P8sTVv~Ap-9WqVKOi zYG`Yc^b-iiL%Rdogd=#)O$p4?n^bkDlO|AK-w8;xju;%_YjhTB)T=yJ$fwh<*C#q6 zqY8tCNBSD(_+MM-LrgJ**U$NC{P4Gx_BNw`nyWt@TQNUy%pAM4S?i0m-|$V`0B z6%swg^L6W8zGlLfP5{Zgn=l%tt-#Ty8cUqjYW>8W)|^i`vOhe;ozhZ_b*L4_(;aB( z)6Kh}A|POze04+rGOHH6k>vO;^p0 zTprC>U&Ij@cJuWP#BCSgG{PWR^<-F49xm0_#|uwGU&maP%od!auYF0Zgis!6rMkLY zRh8;A-){_}mJsb6fiH^sZozWOc6mk9TTD1Sxu-OK)?ER+Nsnurv7{3 z;_cjS^kzYRLi(s}17^#E+C|oHZ1r}G?gk}2ZuaH`$3f~8UOkThBC*Qx?B2mD+EasG zb2MWEq9cxwwfzv!`JOHNeE2%DVc=Y4bSx4C>t%ny>UoxnymruCJtZ0a(NEBxEdx)( z8C{gW2cZ9tGHTd)_%BwbR7z<2%$%tsI-*i4CX&7vk z(-CjUtf847(bQ{XA*ql%Y!1J2leUZkg|AOJd?9pW#}rJdlg2)yzTJ8?!UhEpVJKP(D(2T1Ht|+tPpf4|p^v)O69e z2MVFT7$mtVIC-!KdvVh5{KOUKRJWhdvp)tR(WSIeKJmz$Bv-x&=Znqv@x z#0ecJ>{D<`*m*Knomp8pDB`;_RdwZ*g~GM39_!~Qi=D>-UKCI_021KC#zR9q68Z69b+d)bR;lx<_a3H zsX_vYsF69zdhV;sn$c;Y$RzR}#`927>Awnb9X%{F9eP$qsnWBsdXl`f9y+*p>F?b zC0g@ZEg=P+F0v$9&~n~$8py+x>h}`yDZrY)InkcjZVdg|~sgxV0G`wqGVdCQW zZ+ya+#S8cgts_GOz6e0WTE4?BroQ7RGKf;-O-x8QJv~ntLWx^12~3no{QT{n)IH)m z9oN}(X}QNatwm0}s@53Ci~d}hT;~RLta+cnUxyrXUz=o0+jXyr2+w3<*tUI++)78~z~ zi4xA|z90-hTgH`o>e=}B8zw?K?;1@=M;+?)Jr;RS5Q}1+gk3ivfkfm*U0N+rtI%r? 
zA>6FC`TV7tRv0c{FC1^9_|)6rAxT!Q4<10G7fiD*`ksEVlLtEQBdb~Ta``wg`JN}J zvpOwtjCJe_q&e{YuO<*Sjhc2>0hbQNCahN5g_C z+%ggDUYU8Ol!%zj`jRHT#1~S0l2k#vY_wJPF)iZoBCSedI?6gnw`bhYk@K5X+sE92 z&yVt7soCk)sBd$6lvY348&e}pc}qdNx~o^KcUeEQ;+XGXkYw%#^|Naf3*}n8_jb>v zh-Qam3dt-h9xy7%NNw|`AYl1P;D1utF?QmAs`Rp|Zz4Bjmd;_dm19MzhpjmR+m3e( z*U{>$bN@SejVuh_SAm-}>6cGOXiC$^?j1MCUoE%I;#jW^6UI27y`zCyf0h%s%<@H3 zAyl1yt3f#{PG583CgtdBpX||P>?Q#6IY*>oQVk%#@omorNuxvvmIuwEklO=5BPu8itr!>mHr zFq2MgTksqii%nw8(o%|0R>uj5^SUzlS>$IQ9^!UpP2SV!7E~*|G|9YYU*rdQ$?-e5 zi{$grbzdn+m5C8q8@P1%cSoWLgf~}MDOOx6m_O%}O+zb8Qn?XAX zhRm;WTq@e#{i?e5jT6RovT)S((+=Yi79ou$be}|5r>OBUs!VGOfP@ z?1M(}d;IWc3QKeH-!=w25Ogy!VbK=vlk$xBw)RnFf3j$y)Tbv!cR|>f|^3D&~jRS4$b~h$p)<#CIMobDpjc1EAg@irN zcr-u7YAUee$uKOf6y2ZmxU09_nUr^Hi$-zdgD2yf3Og_z&W`Bo`rA?d3*@C>1x*v1 zB@L@Q?Vg6-JXRZ@e5Z#Hub8iXFHT#LIuIK{2RYfsEcgiq|8clAQ^=K;h_BF=&N9bX zGl22r^cJ16n|t=ubZR3P)D+{$rk|OPQvi1PS+~E=LoHV!5I&s8PpXj26*Z9~!5|!6 zMLKKUsFdmkI{ygk_i7i;T8aDvDpJ_O_1$H`uRNJMqWm}{hkeV^;lh3N?Xiu|gTt>T z*sk_u48aDO2DJI~`?p0vHqd?foWpB@}_OB zPDg?S9}OZZZgE&pG4=7sNO5w+0TU^f9H-}RnnQ2iulVO|&BObc!Fu;;YZlbu6edxi zSfLz_$96#BpwjIby~88Vq@9P~nx*be(GQ7y$Qrsl7c`wuh zL$6S+6bt(8nK?MGk`O_{?qM*yvCgYKt>;CEOCw0aiWJK(VNxy1=PN#k^|EYd5_-sS z8dM^|Wi#h}wVZ0gVlA1OxN-1`A`{dXZpaT6MkuY=2OaC5Ns`Ac@;X%tEg~d87`g-EBwCr zqjIC6_NT#9vES7`e~bL!4Of3BmKaL_E6!mk4Z*OF{)WaVBGmsn zjV+{y`f*se?+uF4?lHB8AQdi4(R#1JM+#p=@k;WD?8LXm27FZUE1X+nuX!5ger6SV zVB9eL==elaYMcIWTT+I%Em;1Q6}+o!*jOGMEx+1rt6`qQb}MU08ZpJoZ)amJ8MXz3 zT^#VfNDw-F-dQXGlam-{`Z)_Z!4<;y2fV?0yJa@=B<|eb;V{KS`vaodo(IaNncbrw zOODS~MZ>Zs)@p0-vv>5OQ_0C5-ZIXKuOI0i)vWBo-)Y1oIJF@32wo2EjMn~Ec}P0p zBsyOWW4E4gI{tpH+(NEa{pxo15ij1Zj0RQLiv*kkC8q`9_r3TU_(NxR_Koi>R%R{& zmY!Dj&d`e6lSCLRDt-?7$Z%Oc#mp5M$GlY2iHo7W5Nq7M&BR_kq|1BX{}#3uDf_nL zS3ojh)oeaExqIBhU0!fEdfTPyZyv0VYJr1aQS-8wo5>o5M;yf6osX#_#Xox0BBSz& zQfL+C-`Uq+PI;ff4+mm4KGksg=!uV6?3;DJ2Nq!&Ai}an4vgcJ`h;s=6&!{LoBDo?vPL!kr<8XACXe`7%fQnC$u&oa^-8~zxCPabA^UBbKS!VpJIqE{vdVXc`+3n|ANEg22gLwr_;k^jpW)hS~bUu(scEcoU 
z`eu&A1UDdpPDK&RdU;kMBdf>5qT${hJ~5lTm*sOOVUS=(PxZHhJLSh zXeSC!-U{{FKb7a6S~ZnZ9F{x%RLZ{5{z^bxrs<7GKRtgWLG!e5*lWLT+$doeBzj8G zo=*f9`6~vwj5lcJS63FhMTu1lSj8hHV0Mt>hK_vO zz}oR83&8}vard^uG`{lf$lN*X*50bz-dt}>G=7(NG+y@Fc_iVIA$}h*cIN^#S$Pfn z1V6r6qX|)Ud{ZG-FNUQ>z+s9cC3DcKrqe^lHd#Y^r1MW ze)uS1;#s)%XJmPcZ>TL6y+jF>?b5@9i34Q>e6jbL=btQZNqD1R*^*3VI#h4DW;RbB z2WUA{a@DOAhZKIc&MfbXi`r`9haX`>luG&VW46~u=!~Tn&3>5r`e;Rv{bV;sV5FwR z3-bJk=d-Jrm^^tTGX{PQ6$$r%!3**g8X^8NF0wFw=FDi+5H!&T`%+$7K`idhn~yG* z>IH|7v>JOF(noiX`?$%y0!J{0f<==nGoFc4p2Jv>qq#ICpO^g0zIL&OD3AYi|iv0@AGnAt)sCr_?cJj-#3<_gcYASxJDaD;^ z+H-Gl;;-aHeq^_N@*Fs{dQ;DeD6Cq1Q8r0tv{p82tZqO$9ifAkqN!pBG)No%iJeoS zs#oleXrg1RsnEkClL&P&X4+p=c`5#P#&i0G7RV%fC%6Dm@TJX1BeEZvL$M-i0R+W~ zW-~PvAO)BEu&C}Z$l2;6#wwaanOc=yJu|tY4Jpa`_lB5RCyP~wtI(7o9YtziWS#bq zpJBSc@|miF&Fq8xAOk0xBTEyBr$KpKUnU3~3@i_zJU!`s?-&c|qg>WB=a*(x#5U|n zkU3YH{X42pkMTUZGqS1wr1HLxTEoscKX6|Pa}TLktMC=v$kK6uXBtszYO1$+1FD|7 zUV}|rtT~XHcPAt6sch*M&XLXN5#NL`*Nyp|(Qz~#ZC_s;`9v9H_UB&}<50m258O+; zc2e$O581J=+MfFQG!fI*=e3Tbvo8b_-;nc~_4MxWn8liBVhk4ry*xo+J3XW#^J~+S zw%9~$+bK&wVSC_r>UCla3ot#i3?8#GBo5UHP$tpACx02BwHo6-XA4c(B|NGiCRn$! zeg0hxH^cO%R5n+P-iwXAgM(|zV04dG^xIZPZMswzPi~idQqd>=?y~>^eK?GTE^_l* z$&u3A&VpNE!x9jz*&V}li8Wb07&mG(9cDk_W@==ul-_euDb6E@6(?~0xqwDvnmt+? 
zJI%Ipf5i#bYM+_4X4f!q4zGw$>s@_r?%Z3Fm-uvA@m9JbbWl6VpjKIY%=;*y`7Q3= zh$D-P&GuSO@7tq2WO47FZ4Nmq3DNNjegl5v-AebA3TOS$GUduROv-m;_Ih=cUTRP} zN)Nf=U#m6V2G+bGV7TB(H@jvzH$UpPdb+ll^5_2OZ(qbX9W+7hVh&TjPsI!)@yQ~Z zm%DQI74AAse%UlMb7EwYopBD?&&5d+pMz+uI~h?6yWP9MK__Vt()M zpwgj)9QxU*z4*KO)qQ&iHKdouqYIVy$2Q=g#<8Q3Qd3(ywQj!!4GzDRM~lC(KAU?A ztq6-o;>*A*J-{eAwX*NKO|QgrXm9<_(ZIp>_wv*gfSN}0J@y$DFT1|a(gGWsG%y=8 zAxEpR2z!__Z7|SYDs=#H&6TiuvtVkFd=eYeVOn+3_tWf+LFSvC*=lptcLv5Qy0)(8 zs8~{}QQE%OQ7V}lwMwlH~m|XTS9T@3&T3`20UvN%^??wqQfvtVcTHO)_2egpzDoH|KKmsAs%#SYcicL?c4`c` z;ZSIQN@}2w;!JK_JH)$|>MS-P9`McStEGt=YYEI?+=2N;Lca(u6@_LtU%cHu2Z}E* z;Bc{f`1T@Z4RxB0l9|5G8;a4334RlwG@AK_c;yqCQA+X6QNQ3wu(a##QkdW}U}3Zr zpz3Szv3A>;q#YqrOh?9SPHUNQc8jSyqFjIuc#?qLbnrGI3#qE~vQDww4Pe(@X)$XtGchET}%6%AXS+N8Lde*otdUx0*PP&;sQs zQu}L%oSgofAPCWf13GeF(!|5Mpgks|HQlTG%_~46dtj6 zw!(i0dV2IA!`e)Z^v7O%9X*_PT|2wnD(aqZ_E}l}@!6e5TvT*?i*8LnGea^u_b$nb zFYtWyyH*SB=Qxt(P5^mW<=S}*l?w?_Tw{)B{wm7NpJjX`B52e6YP*D8Jue8vc z6<7S#28@N0ql0oy`3mkFgsXB3bks67^Xb?h@YK;Eerl|nj@=x)KWS1V-yd&6p5%+a z|J)H3YgF~|gpvvSY8hke3R+NnML=#6-{DCUbLoMiW)(4hcvTph<92S+uVe_#GVNF1 zmghfwsR?H5&(-zNt3G}c-h6uRQ0jR@p|lGt)SRX`iwe128v4li5k|(nQ$TXs9v*}B z_ka-GH{*FIA1fcx`6P>!-G2~-z_N4`J&3h}_vDd4E>xH^YtFlLN#%qT!SaTss3dD1+}Y&5Kr z=FuYtN-y`&yo=Of2WX7^C?z zewGL`j78p&ezMNV#_k#+@jpfhSSMd{SR2y7S>f<8KUbScszPPuemkRkvT(HWIWuq3k{ zcW(4D$)1VK|>PfTQL9_Lh||W%8C60k#`pD~CZlm^ziRkC}pYe^D;G)#AIgdji6DSc{8`2wNO8 zcYw_JxJcRgCcC>~U~K;Z)%8(f=d4Zc*Ptj&STZa|N)a_%Zo)emhgUoii(NM&@ZxS5 zMXpMZ)!)97H`^V*pTPtTcf8o(X*5Lze)_vC`%umjqT(@Sha6m1n*~&ajP~i^*v95# zQXNkXOOralq}_}&v`YX=&kV^JLmk{a9h|RQ-sz8!D}!-w7`~wcsTAMpvbi5KPxhbd z?mKPuyM;yyRj2rF7UW7!DNc307}L;w)bW;(IyWR7pc^KFHnT$S*y!xTd7NQ)$bd`y zko=83tz1$scQQ^}LFnf&=DU|3uaBN8)keOgCbcO%@cC#K27xBa1IMIaSEz%Hf2Bgp znp0ltcd#Zg?Zal{@BKah!h`PxsX??E4f;dT0X>8zEK?FYca2vR@lgKkMH*obu!xmzk<-Br`M!X{8k45A=O^ zPj^gY@KJ*R$T zCAr5Mi_c@B*UolDRfJOUIb`~*!8j6ej3um2j$9-(#msHU zzv%Oc$GA>L@uzhA4oQ*+Bnz_X3QkkwsV;?S^89X5TJIpsk zh))dm2FMz`_nUxwv~OZ{ANhTtCs@LYUlbXN`y7Ya%-m+RbexH~onVl?_1Mu0&`3V- 
z{1|gC~77z2gFo=LtK1T4I2BS?;45)s9ng1W4!pRtFZOn6L0gKmq2*GcLxjAc_S-8qu?$#6Cl*SlUivp$6PgS9SkI3+TH!* zp#9r6Uu4dz`_|EsqrOKd`=~U$r1q@r$Z!N`tVi;hLm+9avOM*|RM;FaunSHIE zG^;zz&>*6z5EqcZis%1vo&T|GlgLRb@M@`1PCsYZ0g5S}`aZ7`dv6zFK+9%>CH>N6$dvCWnq z28}rmtUHOjR7m_09KU)}OcBODGs_M2_UT?7zTEEV?*AKc-bL8= zc+v)ksg#Mg&s+kUn|IY_OI@wTS)k5N0EkPh{qM|G9H{Eety(Mh-9lMJhtW}Im96X#SxBqjxjS9r zkJ$^mT7G}7*qM8f_vNSj-nqCoL78fzvRttVI}W} zr9)n!XEo-PL4Jq{kCX@c zMr@RQmO&r=&rXf*?&r#TgmYVs>MV1o=c7eth^Y9*{Lbmm#Myv2HM)Wb&V%yxf*0%{ zmDtGMttKn>_-WxolSUPjjuOoOftHESmHiMN#g`lS;w?6wI@;R9F~<9h zGASa6D+*6|PaXtYe6#HZWdC@O1E~1<;N5y9j~`@m3g$~2mo;4BSg{GJThA`+&Wl>C z{lyU{JT-d@!Kpv2S?FpB7l2dRBja~|2RhnO?%R4k}1O!|>RIq+2rghmJJl7(~`B?`(4S0{=y#&O4Y-=15 z_24BsNCY?~@mBUD@+4T+Do+1z0vX8j$gmhmNQ(4u^31_{P!z<=!+OTI4a4%3hr!rFm;u~S(uiH{a3r3O%FB((jGYpp znEfWp%ekR0x(2IuF*{wP_Idv*^YH74(Fr$Z#&?LJniagmQMCp$I~;|~T93mT*bv*xyZ*Zk?%HzugK>UnyhC zkm}&6WTpMWJ-M4;Kd5bqR(pks+vB7kx_xKR_znQph0dFg12?f~uEutv!-z6S6yH0` zHI?AY?Z&2d1uzokAfORG4YhA|d=B>>3PG?EcCzk>QBaC}wU3^m`sYfoP9ZpR5npsh zfiZksu;qRy4_F&$j3P$>24@5ELx;3`9_NOyPrno;+~TgPV-mY(+{SCE=vk*6+qmK0 zjw#O=g&AVT*H%87H8vRbAhm*17>7wWx#mQ-l*_JUrnEl@7kKqZ%2{f|C>Y=NJxI8^ zhU{NfH)Lkbq?GsS=4{pMY)yS(74kT(CE|NS>1}hn?rL~N?ZHolON2N#v#AS{f>K8> z!D6YdvB=}d+337OR<;Q-&u zshO#1z-27V0mXiOs(CRh41b-wAWO?ZAe4nbSucG@f!xUD^#XC5C}kIU>>hPx<`2FFTP2{wMYiz7vo_-Rh_PTk#O$>F4K2sz;ahos3T z?EGgf@*W4d-!tA9`4{dmyvqzfR-Ww;zg~F2_|8=AE%3&2LbG1dPrH1u&%eyJb`&zse0%vC3PGGhA%7j7FwT2Z@t1w&3O$s1iJ%(+XKUJhWtSMyUuB%$#X z*t^xKB2jXnFie!8TF6Ltj9j!nJyzx>vUykCfI%~Nk=e`!shAv-ZPzAoveasYojB?s zYt**#6}eH}$`cTe3i<+Q^Vp3{vn&Zy@T|N5l}C+aemLbZ!+fVg_9PzmrpQ@d{yVO? 
z9*A>r2+n8VCPUJY%Dt{S`>0E87Nk`3=c67~80>$2Td!v)PurKk`|Ti^0r`uMm4&4$ zyqzdwXjzjLB9}W=Mfj|JmP236|3}?hM@6}{51*FtSuD z49h(rE@OFEw8}4mQu3`iK063MZxKN7%HKYM+2|WHpc0^gjCk}d5UU8!&!SJ@ReBOQ zcrzq6d>zBq&6p<&ALGRg78Qy=FjJWV@wo=0FVFqO|JN1_RYZc|TGaw0gJ$2d-T`I>5g57>tZPX1yR=#nXyRBprz+0f zNMCHIx@5{b^)vbMuc+p~eW^hM#9$5DXVphP->Cq7=b)Ef#qZvU1bwI9fhyZiG&(|o zcaHw<>Yriu7n_n?L307G!VuI&@BDL9P}9?tA@wBMPwU{noP%9VP^rx%((Zpp6JPy+ zVB=Olqkg>KE%#1-kj(rHGmn1>oW3%?JsH0nDFbX2EgQDS;w~>%P#l_yL{43f{JYg^ zLRYJ~+&BL-WjO(AbD-3a`O7i+HyZfsrw#xjuaW97#Qc($DI2Jc0~I1( z8loh#zVNm0Hzt*Sv*a#jsARx(QT|ExQ>jpX_Y9pB{@q9mCPzZMkmc{>s6BcwX#I3@p-)z-}9Xj&tqU`kN$UNxCHw|=2zZu#3 z3D}n|SK$s&y6O+k(nkiSV)iGO{xe(rZ^HLKKmYWd&$3SM{0tM#`Up&A4A-%8w}!tY z!~c8{CWWE8|5Gjq3PSl`^c(zd088R^57-m@J^zTmq@O6Y=nuO8Ea_h)@Jm`?N5fK~ zn|I?#u%W^n8-=}I>SwUU|E%!OE#N{8WXLez-`!Cj2?12DhG%y3|EAu6;2H+-3R`fw z-QA|ThM@Qu`qtTTR}0~%6#KiF6O4gMYU$F7*FQ(%LPz2*w<-TZr-05P=m4cN2RxL& z((lW0fsL0>eJJJn4Mrki;a50GTR)OZJY!-SLNy1f0(`MrY&|;$4E$H~4S5>1)if@kG~l7zrK*{!r5e@>4N8%nH{yu=Vr99C8UZFzd(H9 zwfA0rf_yhps_Xvf{H0Uux0 zTKL@?-T!#wO>yRtrc5xJt`(%!MpDd^w6%UHsGMhrRy6k&YwAgnVwZeiDf?L|N%CVy zttX^K`7vo|La>W}1{#y7K(%)jQ~{o!r|-W3aT9<$j34}F0%z}^+Cd}_^vvYxh;MxM zFC=+KvtFTq#sv(;JE9Tz15O6(P}yUMz)tE7xhU zrctJ=EIJH$oE(F#UHGiZR3d4jcdCI)b!%LcYPDxQHVi*A>rEbDRV|rbpy+sjS)1|tWL}%m)MK7-@b`9>zONaWCd-X0PFLR(ys1lnkOyxtlO zQb<9S0o)+Evo%{sgCYif8)mKo?w9Dbr{m`N?gc6nvHmDX1~b*!Rk{cWMnyOJ&0L5K zWPJ(dZ|36p>Z^fb8oWiCdY5)kp_Tk2F6=jFh7A+I`Shh|_aDmC@J-Y^BVl#Z-a_{8 z8^m?+67be|4?K3>k@L5%77z1YXOpE7qM~*yX*yAjkfCs9x0rU2{>P{7!tgiYdY>9ex3F54BMcs zGqtS4B6(-QbDDeY*?J(=Ff*upn}Cqbq#2o@M%@`x6-57hM~v4Px1v`@npD_u*x;we z@-Jfk8CnXQO%j?eVE#W^PjOPUIjH0#11X0^)+y1x+#IH{nA6kKTbUpd-o(esMQvL;A#4cRC)iDI4dmsx-gJrY59X?v!zVW$UK6q7Gg;og;xJmn$(;2DgSSH={^R$Fi9r@I#9lW zp+`Y`vP2p%3P(Rg!J8ZqK_>&+3d$X=_86@XaRdbg*|cM+Y(&I+G@^B=0ZM>7&Mu-{ z@)2;OenNJy%MWd8@(07$Fk|@JqaHk)_2e(~f<=X`&km-H0)UJ^$LFM70JpjEcExQv zrT)J!I^;z_C3*okIrM?sv&ZsCo+6d;RQVSO?-SD2rS=d5AUMu}$bBUD75U~+X24C{ z=EMm+y2sV7uiNREZcqEIExyE?%NPE5=5^lrM9fmy42QiiKMe(7 
z>zLf!m*CThWeiMPsX1-uFU`4Y7l#!`tFZyAox~B{nQ7*zm1ldZDoB7Y+;TT=wXF@fNQ0fBP2Z40g_ zhW1GfDY9RVGugPXP^Od%URJ&AgIeAn~2x3#+rwta++R^z}Q;^@Y7nk|Aii z=X;7V)}A3YSH!uR#BK_*xT?C9BczdN_r<%@Mf6t3RL=9VtT>u&4BTl{hqq~9I(j9D zrYN-Ctlwg<+WOtU%#6st!oi`E=Ql$jb9lQ;N8jig`w=*Yu2zPKvt{yV=IWwHiACxx zral#hm%VM~|IP+ESXBDFs3AeGl|(Y3fmtL_r?oy%k|~O8sPA%Fsw?toHCnGxHFTiS zVnzgY_p`hJ-!pOv<>>pc-B(#&@0b1Y*=flO zeJA0}YNF**-}}_7FVYOJU>;UjvNhceJ+J_ zuoU7738q%2E1}5EH40OG?~QX(AWytM*?94eLYhF~drq&fZ^dxwqRUkEZWaZ9?iW!U zftwAs@~dZ+{BEa8DBJt36N%naYqE)-3}$P59ICNsx2A+);Ga%c&zW^{S$fM!ET)4&xa+>%?pwH%n4~`1W znPkIr#;Vyw$(;hRrSUPbyPX1&YcK6|JV#0RSjjtXDFo^hUYq`@8;G9%$p-9E8|LZ? z)cf>Ee;O@N8=6MgVe`;k z5k@B?;ItCFnW~asI?l!+BbTF+Uhe))C z$wdM47DO-k@bRpjTV9K$i&t<-{=JHhImA;ht_G1Im#{%y~sPEf@j4=sW7rbC|crS!XXO~?I=QbTK!N(C` zrQ_oPiQNn3q70=}yNu(_Z{MS6>?80U1+k5_uTE#aY_;Pgv=A%+a`U}-UYQ5vw9&ye z*|y!>%^k6nf5WBTZfc1ohP#9abGr-GNV&a2ud|P+N6$w)i7SOx`QnCfi_7;+O#=C1 zb89#x)bm+in(TDiioJfj}#PJ^RE}&i%exW4wxwa<<5$#e%!+DDwr% z6x;=GQgv54X5l!Dz;z`~7Qy;E|nkOGhJGsY2CBPbe)$vQj z5CVuQs9&3a$yB*}VP|KmiR_+c%W{OP82$7HDygqwR{MSK7i|RRb086GtKfTf>b+o7 z#78g?l!WC*&t?_BL-6{eU8doI!H3Dp1FnIHbf^S%&MD{f$A~dW<{~gr_PNVO*u9CY zP|HVOSKLoa&wpV4--xi`gIa(BCE(2A{Dy!kn9KL6=tF-@(|Q|=j)HaLAWI=n9f|TflMvU9KChj4k_A*939cHIhrXgjL8@b2lH? z_6HOcbHt&MPRFGf2wb5Ngo51Ky)G{q(^vjL@E^lOx@W(f__Cr*GN zqwC(E@=+>h;eQBZqQbKUJr0k;eO2zvq_c?epTO#IU6o;Rxt zeH{2?mR$_(_G&?QMx@s6mia z7;YqOo04EK3hQB$R%3$%~U=|riy0C$e{Teo923=GnK5=VTM;(fDs~2n66+7Clf`#@sn`~;wXKE#T@Yn zzC@`W+aSNwgF)M&LiKYt1rMM$kegv@^11DrQv@FZYe^q7EFl%TRN~@k>kA<2;tGE! 
z*x7C;?tB43@gg&Vi;?d!?_nE#bEY7x0H`@g=QP2(KqZGD@4gVil7c{Z$e={mhG%AF zEYJyyX0!0<()+|vK!%cXTcLBHci^fLY8o_eh)ej*)#c^aWdwE7R=`5QH-b%n?8fJr zcNwocw;YcPxZQa@*U?D5*}Ypi*Bv|>_F|3GSRA7gA1;9AkM{V*RlVBa*PIW$LTl^# zM{-V+&-23ut*D(7l%KDkypn2<+COpsv5;#AUhuY_>j8b zA1& z%=u&dX~kTN?^BCiAZq|lNnnj5+|FsQc5bWUDPy|8^vuI>h|`t%e)B5}GK9~T<&W*J zXQ$hZ(xFgim6H+sjoaZ_q%et@A3Td;??DYD%WiJ@yQDCjd8r>MQ=~PPI}1vvA$Kyd zzdp{ZKHFv8XY64$)Q|j|9-@rX=;@N^kqp;9Fn4pnYv`-A@RwtmcP{A>y%k~N^-s{k zFHc_Gy55AcIa{aT`S+rIeD-To{9vF8WU1ViZ9Bb#d72~M+35xMRXWnw;)`NUP%d|p z`>=De!B&IeObq?0V-%_`%$9wDx@}v7?ePkFu0`V&G1wb-?(`#Je|0_6IHYBaAX8xt z^XUEK{yMY(otV4`l7o(mn{jvBm?*VGHfgKyaJi!wtkLq>u?W5250_E%4~K~`lBVXS zGddAZA0=e=+ng93Q-`9HFY%(_7pt6R%D@2xyEl`b(s|A zCs1jy+6|Y=>Cxo`b=dJL#=QIua2MrBP`TgZ;@Ze?+N=Z?@_&AogCsg_UQB%}6;@7> z1$BE=ILkJ%G+FmZuKsYr_S7x8B!8bfUjiN zDBk^e&QW6JYz8C=J^}-!kf~{ux=nJ)pFK+gjK%ETm#31?=Z3$WW*PQ*^XD;slIKMy z*Xtlq7|6`b%(9q+w{Lc~Ew^v(&w1R#;*E@pQLt2?{DQ>uMpgUyo30Z6Ou9h#&2+DP08{A4=Sqkh5*b$`U!)P@`5R+a`b;IJI3QP@T^mD>R(w$N zB^R1jch=Ec(TG9Oa)&S~!)uH|jv9Bx4aew=$ehh@robA`vT+fmQE)8oUP z1wJQ3|D+Z4`@1RZFXoxATpUxrwS!Rw2wv5fqJvB)B!SdOGthEb<`l9EM@20XetqO4 z)U&#m617%g9tS$zTu42!u5)?Y++|2=#3A<_uPY1*m7M)i7mSowhj>8AJo|m37Cgm$ zP9WFhN4qU@;N}~tH|u>=RH>(L{hj33`xE)rm@o`oPImX38#k>#!)f%GMxavf*Y7X6 z=kuoW$MGzSoCbdA4tRW8H$S20MR)-}*>`i;`Dmw1tbr^1rQUeZg*-pk2AA_u;Ujm* zW=MJBLE{;IiZ=^)D(;jYnVic&||hb@jVMq zTUOjg4S)ZYK;oqo_cr+Eik$y6Bg}A6Z@+_hQ$`D*l-0O%PUZ~R#P>=J7u-Iol$RmR zL)xBv#cR|@{YjfMhU^3IFfm=V@sNgfi%Xf8Z!9GaSq^K9U!7f4IM@#M;0%>oCI}&v*4UZDk7_h(6D|7JhZS3G2|I?Y#PMwXwCx)9cd0 zf&TmVr5(%^q_A#O(<(LAB%J(d#v1XnwNZXW4xSY*W9`vKrZ5*5KOIv<>TqG7D6-bY7q5zFS*&pGFuY7oLu1`Wct@Z%AEnfF4yo znYcRC`=iDoHaSg(vakZNYyFa!SNl|L-12h+I0%jhsU9vL?e?|09nOo7TXWTO`ne~# zbu>hswcW8wKAmqWDtCkzS=85p9PE1l1MEowYS4m5eK3}avQ(_xA$keQlH=?vDN6a` z#fhgYu50mp%w}(sYH;<@iK&yS&4yDwJrsyMoMN>gZDmhR z0CqHTPXDEh5Vr_wA#a^fbj#p}v(urh7A?FmBIiOmwlT)euB8#NgT{8secnZK@taa^y%FCB6)>c13|E>w6!bzYm$Nld5i5Mr20Vu@3B1!^gD}O70L}}qlYguZ 
ziwgx4Di&h?Nc8V@{gJ^QUk*dF+xK6?;E;VT|A7dD_Te5J$-VpVKK8@Mz!`@?{;DN!&ix*zP$g>ule)eE-Dyj<3L8eF~bUOY6!;F6$(e<{(f!Z zl=FJB$QcqgJ!=%lTY*#Qrcah=W*o^07HqrIRY(w^uy%`EqghydbEBkFi5R44?ZaH+ zWJ!@D>b}yNSffj-vY}m@(mgouw2B_TLL3t9{{32`sgiC3>EQdYYw-cZT6@vQP+N27aC2J5{+>JR%$#5b21Ovonsw$a5N*AfHO zAKswUDl-^<E|ZcbIBJPwVYXkxQ8Td(3w=-?xr@Mp<``%O-&DKbWUv;e=fJezVEbVX zF{3Hufru}GPRt0cKm0131mi#A{%$9Ngp`qv{_ys1RrDLbBIJ?^*O{Gd4D|xNDVwsz zLOwb^4F2k9}BqEUAP;^{tCK zP8gu^hi5B+efA5wyAQvDe;*nBNLH^)y%a8nVZl(#NjDmo-Ruka;M>w?H-~Lyefs*s zDz4Sfh89=;Pb54>5n;;Nz8!WBuwqi0F-B1mnmy(zG%kunA|+9H1(5oi&m@ba|3c+| z?9@I2z@WYS`U=jUY!Jx?ETCN6PvTd=xd+!o{(%%m?EW3=c!>h9dX~}h^Y=efgBKk1 zsSk_nKl!f1;*sKjF1+_Wg8$*b|DJ(_78t4Thamswb6$0l_e6Z_@*HhY{`L)54S?nco8vqVx* zH~bP|Bxo34(MUyG9{gMol_`q(nc#^N;v?3cxV^>GKC4@94V94_IQA z7-rY6k1k?h@|B3<$R~foT45K8K!=rQ@W0wvmn(EsBjWcvn5At2r>%m$SrG28Fs6_T zCB!#4E^}|`=4SFT13Q5xqHqYN@ezn z`zv_A1PD3+#y7r1x_5%=fgB*HU{n~VeExZTfByRhDl78uJ%4ov4@4-U{W2tveu?N@ ze(1Z1O<#NeIm-$mlosU-;E{g?#$0P))MyPN+MT>raD_?*S9>4*e?rwyq3ks+1#DzG zA9v;MWuq|AX<#TwV17lyBm+>L%?MFMqT>4=w{BmOzX}j$du-9!xwG8bN4#ciZBY0bt5q=vMytR|un~^73X8eOqZ! 
z;q195bxt+04KibSR5{shH))GKk|`oR(xPQ6NP-W8&%VQ$DPF{Ox{YtUl~*6%5w>lB zSt#rQG@>_pN;hc&^x-m8t2TR^Uh@Zqq%lLGjQb=A_Ll?=f`1Z9+FJKwrcV!ZJ#oG1 z?Pp~l0h5{D*?9S~W)D%dOr|T1^(`9h8Ad9NjW3u}whzJ< zzo{hH4kT~GBjZ;`aP2qn<$nf>zbE##Jd(FH23i2k@}7=1WfSG+yKS7l=Fdv{&%!|*&EL+$gpVtec< z!4Mqc7?&BIpqni_^Tb{X?A}S}8c$pNKKb1!5HV9Avp=t$s9c1XfXl)izt%VMmN%{HHgK{HGKz*dKtb>4)Z;iFmKLxoV0vSm0bQ{m2`s>_%=cPymnN2^5%Zy0TrIerFKt^nv)ai-&3Rr)?@g8;A zRM_QdGB4II$EZ)oo0gbo3iJh{7xbwb^|hdpKEv=VGn-;R-YO_aUS{wp3z#y%u9pzO zA}a502cGJ!v!Cgcq{50PzD|?G$`&7m(s((P109kM9{h^FKM2x53H)Li;Yyv{H|7i1 zNwHxOHG6Dml1cC`BBIU7#^CUE-u6vOL_#eP&Qp}_e#MZa`vC{dZl@;dcOU*UsREim ze8{-D11*uAMSbGtY;k3Y)0U*POAH6D2E@B2c?J%|$0EJBUlD2%bf3<3_I*~LIWb}+J zJT?dsi`kL^4M=`+-|e_r;3lBnu}l+7cQ~VJ@AABJPp_Xp%RG2t>$=R|R41IrB0HW@ z*9T}x`_ynSt+6k{gS8KOse=$PuUt7WXBLW1;gIzv*SGJ~??1tww#v*b;$y*O{4NHj`OH5TRP z3J%7L3!$GLNpiFK=z=hiu%;Wp#uh*{J<5AN`<%t)gj-RgVeT3{u-kic#liGS0I=*2 z^PUVck2E;LVxKd3)&_8$j?T%r*H^Tz^?BiP*@QWRSCz&OGC!_rnf3F5{Mg`(brV=6 zA2gbbIUIN3o62O0pY{%TRJ-CjPCZ>dotTIl5Lno#R*ZBbux{&L>t#tygq)cYtO)^? z*=W^S8jiY6Dy)|ucV=kTi_=(lMWEn2#J$QK=LU=Mb3N0}Nv^I3(t>MyD(W{OiA;J? 
z;EQDx;O6--+h|~}7hBtm)p4$>tqTI!^53g0zc+jM*lhJ=>j4r2Hr?db5qRITgymCq zmg7b`PvVIDLLY&xOpvwoMm%ter2T*&6%&EBU`cEb!A^{(RpEALHyQ0>HJco)rV*>A zH(xBy4CcSusptdZRV`;?l&d|Gb+?z-(y^Hoa5$~faDf6hwOjcGy|Ns0`ZJ#s*u0Vb zmSKJ=*&o0ib)YRSgBcQIn`snMSP&8nuG0v zdylYy%TTkYG|%Bkzuhi(5AK5vcfOFtuWdn(66YKlu+%8GQ2Ct_M!tpOCbvr7kT9;@ z-dK9E;i=}gDE7Cm2h*z6yVhR3pr6;Jx{wZ4=!g&~?R|DzW8Dt;pj-{5)P{&NC5Uz8 zc$vo1^ezsf$0y$vvkAX9^f)bey0%l%9RAR@8Hnl?I6h9@Pg$a@&=p zlnG#VQFa7`j-W1DuCzZqP=byng6}NOJfK9fpaF@#<}2Pe$ka~NgjTu$6Kl=w&6OSs z`ps#HXS~H+ou3DlOq|Y433=;+#@|)c|I&jH!vyDX$QpQD196Xr#A**gm>o?Nt*3Jx zap6Vvc%H8Q*m6i)#a*>X9QFG&fq!fN)E%(sx+VJVyZbAe$cNVf`V>yxV`-* zjPA`EaJuu5BSQFe1f@ZBUWGBF1!@k&hKMi5(~bc7>7a#%#2&gUHaO)I8Wq z5`xN0Z_D2Ku^8sny$SqxeL(OOE%(?TzMkDeXWTLmR|HOV?Iz79JK>8osP_8~&psWv zd^k0df3HS!X9eQrFw9XUc;Nw9SyMJAEC-&Tj^tR{U`}9wWEih#X*b#`XV05Y@ohHo@;!&lT8XHWd)6iUnMqom3{i*^E~zXzttZ3w7S~Th9_*C4 zf!WvT)pfhDZ!#qu;Z-|v$pRPK{IFvRk%!VnFim#`hvbGo7uT0r>*=tYPcI@%*&NcA zUvQtIpkH4tF<6ZGfEKh&>l_)FxP#V2PG9J@!!LhBMJ?ApjIp>Pq2q~KjGskdsl%??NRB*l zJ=Op|4fpnJZ3P(MJM-($ElA!T^Q4ucz;5sazY>NwfM9m4R8iB1_`-xA3o}&svRN1ue0vYX1B+kX$wD9`4D{d4dMCr^xc91sW4A)bzs`rMjz9 z<+Z8yn_NF|ZDx%Y;kV&rD&`pXe*hvv8qIIi>fW;@eFjPpb4~6vI_4dEr_xVA1u!PH zz6czX@W$|$5Y3P8ZE{6bSAPsi5LcZh(SM}8cTe!1q^QuFcR2?so=l!imG@EAGK-GQ zcqWKX5T)Lw|fI5rQco~pk$q-WEG1{VoAOzuU}BzN1ymaMv-UUuW56b2sDt=U zZ$Hx{_L2t3*m6X*c5bQ<^IacoTDT&oHZ}+Ql{(*mA-#v4`*_9d9}~EnN$z5maKruL~WKlcqM3OY-GJ;a3s9t;2Cq$ieC7Kh+j-B3 zGo{#F0xqCs!kisbUin;a1Fzhr;}Rz6r!D)Z22+`c^DVyRarjP zi7p`n>hZTMlQxdkoDx*dyqIX_o@{JVRIx(KjB9dlW{MDKBBPiEbY{RyG38(yd72<= z1jqDV!PWM1v%dZXzVIV@0M6bN3c3F9(2fXPCxap)jo+WcV{2FmUGPkV2s4X1?N&|f zI7k_B!U4q#%Vq>ld$1ne*pie2oqA?Gh!>I3^=Tu4wzmn%j&hofGyxk2i2r)+OH)Rp zh8KZbs7VW(lUp1n-q#CX$k9)A{c^q8TD3NRsGT@P%f9h~d@sPY8*5--fz)2NU33vCK+|5&ihJ zrnCpxW>ddLZle<%QGecsc@?J($rtrZ$d>WYc2K>3inm22NpCODZ1{31-9`chUDQw& ztUH+YWvzPVX^y^-vL+749?3|yY#vPc>2}323c4L_pxr|fGGAh?sUG(}?N6ls7q7%U zIBP9IMeIO&XzTSF$3oY@0X3i<%{#Au_`EABEb#|)$rJ+p;k~N9ZUIG(*uJ{VZf;eM 
z$gwaqo_sRrk>1|Zh>q(=(@iXr0RlF#)N?FsrT2ga-F!@!fJ(vHT+Y`DoGyzoTMIST znVSpE%`EVfK&$z8-@0vXFezoMEHIkgR2ifp(C*%AMWA_R^=dPw3ZsGQQ?O<4zUQqg zW|%~E9uAjHmL^+np7Yt1Q6CaR!;dBIqb~B@E&hp`1G3u)kCV(cbJ}+gDmW;1fyRXD zdNrO?>^4bPFFb%6t)3&95~$=yKz-1|zux_?gI2q;^+R=b{J z>#3L{#|C8E*>=zah49P3?F=5e32f54wm0hnw@gS+=@_>sN;t3q*Bj0l&}BZft6Hz~ z@kouep3#%xG@-nY(B=+1)v}qPzPCW=rzWR$thpGVZl%`n1`%=nyQz1S`aTa%>Urm6 zi3*$mxKpB~%=4DydYjGdozL;%=n;^?UbT=ej~pD#kK}R^ zmwZ9xv9ez|(u7=XPK)Kd+(Foq9w29H;qz!cCKg-k?P_b4$*FUx%@=HAqFgT|x1;6Z+ynrkd_k80Gxm^xVL^qpLV^5X=IjCqL0_0{gVSSiq~ z{$bNGkiY7H0Grr!-FSOb$JnsOKy$nF3YWsVTHP29uoNQn6lIYbIL)`}A_A_jG2)Kb^^wS7G*fC0{u1Y1Y}5?K->7 zTy5s0PP6AI1)Dw3ObK{Qm_L-Al*IDTtvei}`x_BKzzt$VCH*>oDx>fyKG&6T) z2R@C*=h&2x;9zgyR;bW!VHxam}^7o(0Ctf@2YlG;;o(q>&u zgLHknju!*ASJ@xIktlqHv$Ls;EWZE>K>J12G9#GBc9dA14daqcVxbfs{z#{njc=PL z(!(-pZbdbCz1HY@{&+_U$zX407o)q&RE3dxS$^qbkXe0(kPb+Vdf5VW4}LkG%~ToJ zG5VVTDiJRya@6KKpwXT|DB2Dpe9MJ3anlr<6n;}LfMoi=#=Z~o;yuU>N33Hz67gNomX_i4YrpBf0TfmGZ5#377S%shm97x#l$I+h+~4`>1**mQIr(ftFR ztq{%70UuT%Ua*G$xR<3x3|sT_JA#b5QD!ouk3$wri#U_J6s=BfnNJTLw~Ij24lW`a z^e&Y%>b?YS->@aM;|3Br7&MqfLWxDs*i6T3DwRvLc9$^tQtXB$b$Q7$ea|CGnl8In z#aeCuo&9o+VICL+{`mG83xm?5p7Q#5&g95tv31xSv7gIGZb$ikliLmZW9F8^sKJ}8 zDgo!60NJ|npv_>wV$al?89|Rq)gW-|CQ`HIRU-z{xwu$<$K#|`j_8{Nv_7Wfk)rHT zDVbl3fy7>a*KhJ{la0LEvq}CQQAZ`)Ms@g-S#)F0RSvi(2G(x~@nY5w zzK?TU(A;k5$*L;mS5Wkaf3A2k3)8=eB&`T3W4EXR6#_k@?2DTx!Wf18Z>^->s_~c8VanMeoeam_b^(A<~vR z+nPC#o}v&(F;G`zmXwz6J@>o!z{x2|{Gxx~2bCY^GK@J4j||>tV-cUMD<7eDjRudn z`QHO~-aw;t@)Jt2n?v=seJz244Rgv5Q*4)3ccv0|e%J>cddsl(kVcJ55OK}Tc`gNE z1?esm0705nNL1S6C7SAWzMe_iw<#Xc44dCoE}lnudhC>~8c?=EH~|mdcGJfBw~bRm zN4n}Bv>Ey9#^r8W>>9faS~@2!Zy67Z2J7??a^nZVK zp8YI2;gzKcZFJqGw$arXissiIZCx$$iX~s@y4Z=VJ9`*Pq!K+5GLgl!`1G-mnED4< zPc+_~r~;h@dKiTj6p~04e!$sfR7I9=%1262`Sm2qCpUyA&Yn{xw7=B3IvcKbytFg! 
zQD^zeS9QVxg9MvnqQ`P19!kFBhMc}yqDlwyN{c+2KVFR^7pjS8k-wZb&dR~#zil>Z z&TVyj93~nD+s5r^)BNY&J4@nGKmXY>qCEcH!N*rw zk&ohieOpft&Qqh!)k?R^vr-hwdQzoZ=I_fdMRh=$=UHN7J8X+aXA#}Ss1p_(x)Mc) z;>XqRLX20_R~=c%JNz6;6A#GtDkC=a9=MDylM`w0y6WT<^)J6A5fJ1Q9-Ys z7gC!Bt?oZ*)r3JpA>>bHp8Gug%TG;!+~Fu9f3oxXnbjp>lo`RH-){l9Z9`QfzoxHrfBoWK4yO{} z(@@xwgXffE(y0EE(2@eUm=8on{vrxsE@FcR*xV6gyJDX0O2Z%6W@k35))p@)xC*9P zXS6hY?KNntw)AbMotG=WvGIyhd*$nJkh_E0wKQ{H?69`&T$0ejtyE z_7?#}C?5WIyh*oLZZIE(^E`X}9X6rPtr`>-kNftcc~f&@LVst92qlyu#aPx8Oo0*} ztsd2&;Xn=S;snN}d@C65FUfE`1|LgU>5h3tRPBrgpSdV~9QLbI-)~|4jer9Gr=bk^ zR4{?$zl-EN1G4L+jHE;O>%srJ;}UR`2EQupb7=F`f0l;>9)e~|=;&`U;NM-qzXW~e z4z4=;0?h!L1t%ybgu;hN_4w02=jUHTJ%+dRI<}lqu)PwV6P!yMggN!E>;CoXWN?+Z z&*txZlY0z!H#hRHl2pIIs{gtH{we99;40hq6u(<33BvtH!D1fUKX(tg`pWEkV1!Ek zq#0L4RTnq~)ukMgLHu_+?%%IVP=^bVNu>$ix(1Ho;)4IpH5{V$2Z>+tIl*;~pTNWU zpGW6kJx>}QbfGbM_^(alUvJ~M2G@=REX?ayFH46Du{T_p`5%h*FTn`Sz`x&e%b1^R5eg zQ##{J_4>zU|GL@zD-GCLlyRspd*1*&6Dgd9PiiccdE?iK{^yBXB!@p7)6n;72jrl1 zuh###*}fXpHi+8zcW?WDJjIY6zJn-QlQUi|Y6JMV3o7Z*{!1vG_;6*%R}0~}5=yy` zkT&QJMI)vAPnO)j=lmVmIp6=)w(8oAJ}}$q^FOXO)_+OkufYz}0x6vMf4stmE|$Pm ztwdV3?rO#US){RWS*CS`fbPwg3-kc~Wd|dXg#Sr)FNd#wP3f@HE0uHk2;U9TSu>FT zb2spY3q&M=?)KHoE-MDqEB!wz25i6=sQr<`?}`Cm;6vL&wIk;gytHfWH<{OA~Dx<2HYVYU!MSKYl_j z=J-D+MJWdUIKIuv4^sfGtGY!v(5Tb&iCSl=I|YJDK;f(t-?0#1cC|Qmx!|jz1TU@n zKc$EZl&Z!Xb?%N1Ftrq)f*z)zf!gJEy66qpFYf>u=zo4AgE-i_Fs?IeRX%1^FV04$ z^+Hm7taMmAT?hT9`}&u6!6YhdBziwg zAmVZCc(T|<>X8<&g=sh8()O(uJ*(t-;j16ppfQAnC%`d=cn1&`X&%nfBF z9&d_KF6)>4dBXs|5=OyAI_kRNqI2~Apxje0gbM+eweATkDUAmr|j`jkp%RIR-|su(XDTPOw9aB#S+5%7zPZ`i2vu=VrX+i z`pw6;{f!Z|z4rKa+#PyQ%y}j?waATzer?LrU2Sh%ubjoUq(Da|4VS$URZdalQ?;WB z$igV-29c{T&pB);1RQ1Whq{gQMW1ZcBmF5ruX7Dhp+%KO`q)9mX-!GQW5hg~$P2?F zWG^|C6Mf=jTx@DC0$+5-Q&^{J&rxRnc_^N!h>v1zf-r+E5eggJqUgkjuONJND9?W$ zJLQ*a;Z*l$i%#?CElru3v$~d=?zt|)FO!4%ABt)^_SZ>75Fi|-v!7HU8E%KQ&uXtD zW{0{lSE%GCW1r7yYas^-@Cf>KkAP}k)72;Qo^%R$o@OPQ{DAPPrkEK0qwbqdmM80* zVvL)J``P5*3ymaeWOxHG*bSJ`9CXr+2?gM5HyyrkZFMNH|7#z+b|Vn37N-O8v>rYM 
z6ZVO@hjY`5=wDii-dkOG2W8)97JTK6%aTrpXz}se*?yJ*37S~oC=Kd8In1Fk$JM+e zogjXid3(YinB@4WlQqkbMsg7l^{^l)Nqq3JH=tzpj?Un>Jk>k0f>maNkcCI(c^vtd zqC9}_0|&!lg#RtdXdxKqQwRI0?iUtFHzpLkkop^C`SPR(%}O4vy@|G_<}vT&Lam)#iLeI^(MXPYc;fj+z$*IZe0qa5Z>){p8)Hh z-t)hgj=S*$Qi9sAMB-)s7 z@`pX~<0v!rOsLO@^IS`}n_&!lgb!U$Yk=Hl@_AeiDu}#*&V_2qMt&2SmnT2joPq%u zz8CC#uWGZAa>IK-OFd@nKA!`0b1yd+zxuGwb~ubxr>17JR{^EwcqJEmf5I(xbJ~y8 zW2fDTVe$Mn5h{|1_g6x&I+HfHf^ygWn!Y~skHk-v(ZmLo@%Kv6Y6yjIM=u^}2~1oDG;0x2LS*vjPo# z3g>FZ>|sRb`y~*a_82`?7qE%~Hd9z~aNwI$!X`XD4H*9K->#Qg=rzgkS(rtZn&1{urz_Isz9szLGg+HiAAdI-Xt-(~`5YO->R?+LvW z4J0kZty}CGd6wjXse5;G%>qUO`e(;-sO=vSO{fUMLlz!=N+wW6OAJA037u2^0}TfM zd#sG3Z)-=Uq9>el9tN7nxt;4zdEjs|qtX64jMcyz5t9A4TK@B(Pe?*I2K~=yIZ23J ziw`)bIxk$R1F+t^hbVhI({iFc-Oj+PgN?E99C(n|K$Xq0&;=aCRV=FT*|1~;&nTw= z6G)uMvarT&r%k(cUEA$!!n64P$aS?9*9uI@Ba(31s*5%dy9qm6Ci!x8slxA8SO*n>b7Q6ha3EKsmvuXW@{z9B6@!m@aVP)>AAg9Oj; z6ztq&rZuVNpqlH^PIAJ#9+?rU(^=YReM=y(51UJ}K^3inA5&Rg3HE*y5AhvJ)c^@!pl=2b3{a&sEJL_*>-}&WXMtv;2K9$=4UVB2)woHLH?d@1F-4?Oc^{V zL}9aC`!{IgPsQ{dz&3zx$@@NK>J2H8y5Yx7Z^23;=pm`c#lZz9I_T`T{Cu*FE24f4 zss0uLB^Vly<%vg-zSf;E7}rw}EPn;UZ)Uan(P%H_>@*yvS{H?1so61!e5}RL-lz@k ztj8qB_=vBc{C4q+$a{ZMC1YG#@%Eb-&eVRcKW>TC9#ogeSL=EB6M!13bWv#ttbqEm z2Fx7|$l?b4wXlkP#!(p?!gpF&SbV*1zbU`~jaH-wT@D^uf4Dd3>C!<4B`rK%(L3Ww|YPcmyi!-4y44AFU|}$NuCs;Uc&7#E{r0 zw29jt(?=U$Z3LNP1`ZnSv|>(8(QSmimlpys>6i56BQjF})8~~_toF#(}U)K?KtTx&e;*94Pi=}w(bB#J^?Pk#6lNY}5WkQPvB5JZqh0YO0NE|G5O91xWdBqb%KyPJVgkPwien?bsyh8%`? 
z_bC3p&vQSwzW?xn4`=4=v-jD1Uwd8aTC4f4Lnw|50@cF{+}Ba;IvQ`ah2Fs{Wu*x& zTaeRh#0uTnM`9v6=Lx5W(UXAcMq*QI-cfAUgVgbKdkP9-=TN*LTeO#YL({h2DQ_bV zp07G*P6xlKcb##fiRknDDNGzE2EiQTLa&zm{S`2~)eQu6X9=bjbt`emgn9XexSVV( z2_^=xWuyJS4eGHU?&;Cual-0Tbc=9=%>!<5fvWGL;vqdw<0~gi^0avR`;DUyu+G%2 z^3uJdIeKs(*|yUZrGBiN>Bx7{BYf(m5EGD1kKbHpS4S^*^xyd;MBgU(`Dl+2FRy5A zS0UiBF_YaF;v!$mB8XtD;>$U+7OW+RueOF((pOuza+gY|vCgJ1r(7V-H3a;9z-M2w z%LMudy|p9J1a4x`jX8iFe0}kgmmmU$yTA3V#y^Ai|AToj9Z`N|@va|EZtsxuIFG0K zSa8$FDv?R8Cc>gE%j%`{YS>Ij=+7Xac+!iV zh6YMMaqS1-BS3KulTZ4l%|9)Jl%b`+Jj6m_*sk?nBkl1WKA@JKV3l`a{o^N4G{a5_ zlE>e&KfOE0mj9zczAV)b$Ez+dLsqg_T4NJr()Z-s_nH=nSVfgK^!LFA8 z&KdgYS1|NT$4ltKUk_wA6vR^G!NKeK%;zan58JDkt2g6#RdtJ9HTRz_AzzG~6@0Uh z2_q}?a<+)SzZ9IrE1`fgAxg1i?(*IYiUUIB2;9+z@1L>#eb1i1)?3>vdQW11r^wVF zRG#jzg+MO=K@Kccy>o0r_wbAD`_P(?XpdR%-e;;SG9rzh7qlLYC`Qe5n(*tp&5_0> z(31Aems@G#AU0XQ;6dnQir@S@l7iQ95DyCK9B_GbFxR>4fB~B&*-nwprzfZA6CLa;w zfa1BZ2UBF|b)pccp<^sROf}pVL3CkZPao~LKS^e4q_Ym zVACtUnFX0e>okK#irRbuQZ@~m`A$tz-m(1VCLa+(igJ6(G+)IukpL_zcBd`vJ92TQ z_pNH?V%gx@HY41gbFAXI$c10ZUHure##-df-(S1#Xt88&35A`m5be8G)q@sO`Qh&y zXZdO0823;&j{C}%eb9H=U~Kw6poV+mHHJ5JRIMuRA!Q4^8Bp`R8{whvx|&%>Yg0Oj zK0`^FHi4Tb4cG(;8bA54HnZa+FbhnFTT;%#>mpl*KNV9Z*b5Xe2-#|nFx?=Q)l zN)%lxE4_~(`s|^1UBq)D);WkRq|)iSKzVaD9ob8~pCN{sI5>mwN>~3C!+9wtc;NuJ zOE1^;e8}@d^>jZwjxaVrq#7G+md=s;6%6S!$hmtw5R}$>UDrqSS%@rsj7noED*^fF z{z5|4DrjZl+ z!i0xAHnXF5=5ULzgMip;ua18zO#F6Ci|};7P7{gxp>D%1Um;E^_r=*4D+Laq&QB=s z-2SgcP!+Qy`~*~raKAnOtp)H8fcn4izU3R;j0D8_2n6M;iIuh*K?35=?v%DMA0yz+ zBnd*1R=+Yhf(Iy|-M0Qx`J!N%R@fblIncW$fMOBahQm4a#?CnQq#M`nxNfxD<@p%^ zs3^u4?(LTV1JYL(fj91*`T+j9HFJ}*7f_s}RgScdeE)y=R*To2T_MP`+zMNj0 zbGfz5h088$HR4S@Qnq1~bQ&~eChP=2@oV(9lE&h> zoB~X&G9Zn1(N3h&UIUmGs`Ie+{%2_OfVw`v6?F5{os>~x36A&g*hKbI?yViH z5HbZ@zRi@^zoL&Upo(V8`2v;Yu59~dz`6Z`*=)0$Udkqs-LD50Unu780YxuL zKvt;QXretX7Dpn5Rf5sLMGg-bS<3UIiwbby+-D+;v}*?(j`)%z;0ktKP1k8aC|{Ao ztmBb6?(9Ee(eC{VA6kf}Y?TqXgivllC@ftPH7+tLqoLq3URgt+=M+_Z!b|B3KRj}` 
zK3{XH{<_F`;UJf;5mXtI0DpzIKO|4|JXT2>b}Nbota`}rn!KR}VrvE{kTeXM{F<#3c`sePEf;`@@H2Y8IC`xkcOjS$ab5V@y-K_1wi_#OKeeHK=IOe5Kt}j=d1X3l!M4sS&YRuqJ`2f{9EVM!_{$|o zCd~0&?CzC2zD|-H&IjFgz--4CPj|J**DDRxY)gTRIuPR6#r1<-l0Y4Tl{CofCa{7Q@|&1_j$J~Aoj$+ z87VV0g+KFH@}SpAQsfzwF5E75?;x52zLojtx-Z`TyzP4mT2)EMY=n=1C*|VVJkYR)G_X3-UK4MY5!feK#(kVq0^s(nYQE25U zXQ+@Xlrn}fqex(iBo(&}bFTvh5%Vyl889{iCzB(qBGwZiG5zDka!!_?iRM`=NIGBF z-lVtpFfcrA`u_QKlVwqTv`5XNh2}w;QiJGVO&nVV!WPGVUeLO|zjia>4*Zy%;22c((5?}ev7GqZ@`R%Jn@4CG3*{2M zY6F&gQKH2V*0!iVX{Wv(j#b) zmcLe;X5&Y;b=%N|wLrM6OD7qqbpaAd*VlI<03MvgS}{!gnpc$76KGz;6*Go-G0EKy0EP)b>zi=Tj*%0!Aa`F7R}#$Z9|Q+nR^ldnbhE7Wj+8E4ZJ za5u$u4=)lAq+Z4L0!{KQs2pXf8;bJ=&b$PpvO0QHv!t3x>-wF+IPLZN-BDJw6?bMJ zSMyNiRgA&j{`i6j8SjK+A1{5|tvz67+$vYXW7?I#<_VS`0#F)ZL@5~uw*}SpxPZ2; zxBt!7>uO=m{0FO*Ghc7-Au!sOO}Tl6A7XZZS`L3_q9EVl0wb6E^)?1I6v-$n<$AwR$DvGcTUrr;BC^B;KY+JBr ziEGxk1XIS$<$K*Q&d>=0{>!5y^%yxEh}_KEgCVf!BuvPk)69)*nn#8a!r#`TR_i+-~FbR^HJ^wW~L7 zOf}^tQC@6MJOR!*B!d8=v&whhY$j_0t7*)HdUDvuz?Sk*Akk&ceI~tfbgf24UofPySqS%VAW08-EEcJyY0XC@d@K-(Cx7-i_dL$`Fx*MYh0M{^jhn z#_8suvQnP;#SK3k3QA)+yU!QNj1a#4WcN6ZTfGmZR6Upz_XiGWdbf6CV28IT1+Ae2 zF5|G{6_|fyujA6{R zsVB}m_hZigcR4<0A##rv^CWKjzp(uh?ic-ArD9C@mh=dUG{XN`P1z0}i_3j_0HfCOlqVWY#dG?L3y)41A zr9yoUDjN$s*(_|Rl-j}Rgh5V<^D3#t(&jZ5d)Z-6WpY$fr!z~BcE@5egV0$E=BXu* zNI6;jSQX!@N44xlnI$NYL~{qoG_lE7xT)|AzO&rW47JYO1^1B zK5ZU{Vw`rYvgurp#&>d*B^R%rni-Eq+q7(p*`m@1HMpTvDB{P8-r(J?`)TER(=*96 zW;c{wbfS6`5i&rHc^_JIu-j8{kg;Q!XpOH{Tbd>uw;HE*fT`dzIlB4!K+j!6^lb}U zR0mMPWFh2Y5=`AxP#rG^fWudyNsn&I%QS6V~?gG)o_fcQ?KXp zT%M-@Hz{+&<%+W9Jo{8)IYc4z`3kq~*#3ycrjv%J6)jKZRC)Y{*Tc%Kp>mQCRtl>~ zq>^Tmt&0$NR~pz}m!%$63AXUR5B@JAIA(9!7V>Gx(p+@&i#%Qa7t1dEF!t2XOJP2f zjvqzW2*jAT$k0j`GC5D4eC4Fkt6}4~Ytosmr1vE%jfDADIva2d$J_FZQcGSDP7e#o z^UUj&B0LutL08yYAQ5vE_psCG9=URJuzGbRV_o%^sFo<;%bb&|W1BFwRd!4)d_yHQ z=9P?2y>>HwVdS^mI-{=aVEEv)&oA0SF@^-H7uNvfV@(NrdY#J zVP3*@rY0eSuab(1J3m@g5mA7Qn`#gI2N#feHVwAS9bN4+trseal8oo((7VM3O)Pe| z+&OBPy$d)4bhjTyd|gUrp5p`2m5{CnS#bBzla|HA+cWhY9Ca#%U@_0PfgR3q=8ZlB 
z0==5si?|=J)ZbLWR8bJ^TtSzN7jsT-J?5hwz#haz;{PspPg{~C((=2GK1liUP7y~Lnnuh!EcC30Xa}0A?@ks{EZii+lm`A+ifNk$69|V2-#R^_QY5{s z->`9gAjkw>;=^34lUMqeu6xHm7Zd6wTSsV!UAm||tl?g8pI0*I8XmV!_CnZn`#$Rt z(BJF19XDHwlxtCOQ0hpL}hk!7(2WqR;>F^zL@S>qhh{U+9Oc<(q+kEvl(dintyJGqhp84xw_ByVuQ@3_0nXiDkL=u{MJy2!MX zc6lWKcUuRUB&Sc%U3;>z7{br%ANOF#SZk4@$5C3=haw5t8 zMe)KzEd7*(*W9+d_w)n?V+O>n1i=zVi$?Io_3f&Sm?k=@=`l`XLlPq!>bbt0AQVP+ zC#JTxxicWLlY+HbrTqEw0$)CP6FRp#%&n}B^-jjTW9{{>vq;E$)%1%v^BF{yTefLYF~!neRk z9vvF#HBbJ@AgfB69eN?}nOC)U>scyU+btxMSoLiu zqjg8TgAUY8TlhEsiIkl2L0}xM){$9`zcQd=;#covNQ>i*;7-Y%{Z2p}8O+DF5qMD< zKfvF6b8Q_>(wQTzv@slrR9OmZ88EG1{Lgd-bE-GrEIZ`!;Eu!pQeWL|+gU;8Rx6;U^(wCqQpS0VM+iTQ20$O$q ztNpr-Q<;10xY9K;Ys#?bG`L!_N{)?PeHH<;x=Lk?WT5<*7X6$tGJP+~MamT@LzyPW zlt|AEMo8Mtv5V;ugY+;ePzaZa_U?V@IT$$e+V5UveA*clv2fAyJ*e*CfWheTx8x#% z+?VrjBJREwKA#vab;I+XYfiZoL zO(M*IeDk7-fKTP={i!!l`E;i;E_q1HXbWfv$w^|Kvr2pn`9+kyg|3Sc8*+6jn6U5g z8_uUta%`jgZEueS~yJjPgotUJ`566lQkr1(U48sF$=WmY-bz zpCw!bvxLJ4!cLLJ?&1q_%)`a!oR#hO1dtf;rdH9>xuAdzO;V zc>qdBd!u>GJpdBS?>j~uMh!LI#b&1W3{o&dF6Z!$|{%2qZWu4 zg1tH>PmZ*ClWO#C+lJd{#WmK^b>XNz5X*e4dRC0=yKkKQ>6;cAbnZ~5#N&5m(!SU@`X81ivrKVtNK|1ypw8os7^aX2Y zYLpNlz-O<^J#j9#)r9<)`XFX1i5X(}yj)`!b53I>f(M`U7Wv-X(PetWd?pZ|Smj;8 zvDy)dDTpI$QafR;Fi-@AL<6~;eX>2Ju1XizCV%(60}ds!nu}XDbWMPE`4hNl$aVnJ``DBWwwSYwh;p2Ae$)j7f|4&p0_X5xjaMi z%Iz8S4td7na$CFkoPmsJQ5ezGGeXkTwT6O=?f zxu8t8#M;>1F;fIdv=la!gu9x~Zel&nJmeEU&lyt)N$xjY!8V?Wnl2wABx$7$?j6by z1Bm16t%ek9Vd#|!|15ZH@ZDu8FDqqX!H%(OU8AMbfI_<2mRs2I&MKFl#54O=*<8+M zE9K3Mk$uxSU_RXSx*)kj3lBS}ese&X7xjRYlbC#(j{~V{8%)NjYz>rpr+=8TJ6COOfmb)MW&MfH4AGyb4 zJq@ZV-fRCrHeZU(5Mc@=M$bL|Jzi3uuAL=d9KLkP=+a9qPUsxP=rUj)cniRGIT23` zQe2G#Dc>%WNL5U0R&1wE?v50y=NOf`&iNu)l_@klzj^_WSdAV~$%@>E8Q=qEH6x8bxU0FXc zBJ!G^Mg+Q8TV}ni?h8-gFMBeGk=xoGzqWH8)~Nmib0}debd%nQBgd|gl_EdzJgg{k zU{_xl)Q3~PYdy?B^y5;|{lha`c#@H#gSdpc_`jsK%xp1~#VNf3!pBq=I zv!pwf$E@0~TT%6r{Wvy;MPf;^npJT3T*Hyk52aT%Kg{jMpnf^7fclkME9YjgBW=8g zekWT3>XY*uxlMrZMMVURO*FY0tb-->OM{zOm6Xp$A_pW 
zko%h3t7pV#rdUxV)z)WGjz&e*ayLk;*J)27%~Djyk2l(@Q@xY{>}%TNWIEP=O@0}@ z%y_JD!fp6L<)g`_)x`quhQiuq7Q8MvYvUdG&6*9T!DW}7k!_#^l7%$Y&kI|1Tgew1 zEo@xYQjurXFC0HINGR||->I`HqSX=-X@=ppgyauMf>8~G?r`j% zv+Sk=G2;YZTyKLDh;e4+W_u(i9gL-1L@#EY{u5{o};Jta`85mLXGF22J<8BDAvt zCBQDczmAFtan#I4B*2X1lDRS}yl&ep10-^gO+cVSd-eHhAs0}D;nMVqSPEnMrnwQB!>=e3Z`e;4}8!56a%x!MRw{ zFr!6SaGAMj`TJN$RasG0%NaBx0o0rC=382AB|t=OOS!N8(3l+)mjmI-9<;&279y&l zPjprE5n6!xsZ#`0$<{HRTRZpkF%3z_66BOnO5P?;jD*& z$cp;@V9A4NU74?CT>`A?Y8udOwu_b5aH;vzv*ouolj~Dc<=p5pe3*-rMk=lhuzrOg zjs@;XFm=F})ouqhW{e}oa-60!<829U?=^45V4vPda9|N|$T1ZQ9jo zusY*?rw2wKrIq17Io|%UlF%OS#evl8)^s!a5jLOfg#hBZE`xsh+$Ij$xzb#0K6Z3%?UCwg(Lj4@lHt>EFv$E}9V;YjTk8FT(6(_rgd znCS8nqli~eg>}|+$JS9v5_jN1syD*3zW&NcjQJ1+Up*2gZ8EWf8M&r*Ho>eUCzULB z^y8lEN?#s3am585L^nFZmX}nhZ z&>gNMgz@)91vz)9F91I*CUuRcA9$F9lr0D50Xc3gQ-iq-vqLr>W^8mL#Jl4afnW5)yhT@FMlKtC=BGZ$7*Gwn9oLRz zwJ)Gb+#4}X_Vg{kf=U0!$suGP#^cWfgH@pjTvs?*(l9>&-2W!&xwktYj=>*;w<#Fex~9$QH5 zR9t;}|6}eN?|j}wZ`06YJ)A=g6GN>6t}pj9CaG5;-tBjqyqYxlougY{f(-mZ>Tj&* z(rVYSW#^&B_p0{C$&mMN{}&mj@rhD#OsM|9!;lZ}1vM@6j2|?jWTPp}^~6!+20+xx z;QJ>ZIu@r!lXz=VEKqhr0Ykh5-W|SX*TU!W4taqNGsoAV_Lxq^@T+Q?piC(EcB7VM zK~$8%lrAJhW}JwG;sL}e_}*Y!dtTPN>>K!s{I?88*$zNCg}%Dhz!Rtbk^`U~(k#C@ zkkn)OsKp%!evwwySXMDUcDRHm9ewE)f)^?aYe*!u4@8!hI z6T?mLqNJnyC&aaRY$D057#7{u~2vbvk1U;_+IUOW+@TvY( z@&AE~{u`f=1np-^Z5009d~WcmZsOk~@*fcJfBd@01V%$Z=H32jk9uLYX0QHX6_Q^K z{_hOK@B4LQZna1sX7rng6@>Xas6Zz1uXmfk*j2C1$*!H=EEB^lRpz5@{5MYB|4VJS z`-0x6f0g*~^bP&?0DQ~58Dsii{i=DcfCr<?-Em ziA#Y?e0sBbNpLd+y?o8TkJRad%ws0iRwZ@B>4VfJf+kOd#Gd=Nd;C9cB_sq~1u1-- zLv$K^uVA)bC$_JDEqm|Q$6Tea^}+p=kPB)Y#os&?W5E6AO#3}rm@!OA#!QuDmovG9 zzdAM>^I%$zIDd5|7fZp^SWBu@pBmP`6a%6N7X;4z?M`RTQDb^T>Mb$t={p~aX>ce- zeC}Tv#I=}P>0XGiI_)z^IHq?>RCBKW?QSU^m`cxj&#$LaCf)s*VP2jWcm3-y7h#53 zy;zy)wCDLTO{7|V6ZzL+euSy{XQ;p`J?&YFcc6&`gEsBtN-}b>>QYfJP#P? zexI?bFgMelWhVRU6oXsQ{l+2)bhAZI0u(`oPg=M4G320CI0g|#u9HK#ZGfDs;eGU17HI(7b~ec;3Yl2-%! 
zTv}q-mA?+NG-jC72gOKFd;T@1$)71M*!}LFf4$oijD*K+vzrpXMJz}`lih=a=Keax zKE!|r`8MV(eY({yI)edp6nuW^U+?jI6u0@$K^loLwfLG%`K9eFpmhE$q%b^NVe)pd z<5KU7>9>r2Zd>!dAguHU8a|v>fTHB2?mk*>J_Q(&gp^jr4`M~Vy+9R-H#Mk7FR1M+ zGW!AqE}3+|@g5U30#<$%0Y;AUPV-#g`~=Pt#wjL6z@~O7bE-rC*j~eFK$Y?Vo6$?L zP~zf+8l{|Vjks%nElYnX=5WOb zlMO;u15Y5;19*}q_va#&LA93na^cHsNDLQjzseh3Rol0%Ch-*r71jCK&9oTP{|+e% zwG)79{hQUwF^(Wu&m+o<5I`ra#bbH9UpINgL1o`Yr@43*n<`8=hWpYop8q=`47VD} zf>AKKKObv|gafrMQOqJFTF&kC*Nx1P-RA_3fP8wanHWUty;#pye@Pnq^`qjOk0jG# zuCsEnR6eVBAILWQQImSC+NS#1jHiUbx&O>A6N|=k$+HHU0&iGw*dRW}3*Je06I|d> z!Mk-GgK^*lly-NkAs5yBD3Sa5XDQHMZ zG%75j`tvoFM=LDVw+%=pHpxb1``)N%@^p1{yl=WJC};BRgK?eusMs4ou9Gg(tG7br z;z+mxfikO&P+qa~#J8V(Fj@$+RtP+_1hy!p22EH?h;#(f_#@{2eU zObjj3RM{j_0qM|YEV{+}rOz~KM-C6S;2k?d`ka#S z1<~QKJ`Y!r2Y*=sc}$(WA9_$7Y`|cX)EW*4F2};<$7TG%D@gZEYt)Ahy9vSWIi}{3M@;5 zL7WXt82$T#C!sOjZs~%r_G7wW1=>}ksG)q#yC=kx#BDfd&k=J!k6pU?hqi-dsbV z$WbrStJz#b)Q@4&RL|f$a!>)6n>jTvW70?)9~_XqeTPetBiGS8xYI&u+Xj?pEy@Te zdF6QSd}gnWu4L12B$n2eO2$KwU1J*Lw8ASkVf7Er;5&c2Dg-1gub_k~@5p zp307&RXYY($YA@v7)7yO;GZ39-{b^jbzxPeJuC4;%9(N{LE8sdl?c&=1c$)#4o)^f zL2dBz-qiO(Wqiwm^AL$|CBA6Hl|;5!*6q#!I<7x(w3oq{*@xB+H$dvfK~co#aI!35 z_0F!`cR=c;ErZl08wO6^OrvW^gz-n7puNqOXI%;W++K&SJz}^M?%w+wQ(So60Be0q z?P6V5=f1bbelQ3PaoX>trgYSCJT@{me!DhE+~7EN0^DhOLMDI?q{GrA4EE&8S`e1% z;$3P>?+^kSq2V>0D@lf0E|~eJDWK;b>03$X2?4UxyTKXuHFoX02be>Y+BM&@t)n`F&zM^Vi z4G6QAZ;73tUjSTY7=1hm3(3puV?{u<>fI|qxg!J#a_+-0&WQ(8fFYZfXvnLa;B9^< z80&;htDMOdbJ!oz)pb1FSywoT-m%qjL4ALiQVJG~Y%9BE@jtB>VmAmbbW(;eJH%ZS zhEU(#Z)LNQx^(GMpfwDa8wVLH`K8T|fHH8_?HIN2n&);K-E-1oD~hsP9$$Vm5DDEq zdm&u>GXKr})ha1ieDh*#X_J$D>>WA-y#mv3AMSCXcKrFXMC?IP5MyW7js>jqm5ChU z#n?c{dXQ#!h~w($J@c9dNx7+8`z400A#E?up0`42xwz?hjf|dv{pPm8<`mcdiv9^j z-vST`=f7@ScAvVOU#N1e3ir|5e0`WmW`o35tGpv%5M%EkfOh=nv={oF)2_YzypV(K z8%17mU{h7FfugKmvD2GyiAc{JOo=!>&DSWQ&+G(+3!(<@-%LqIUvHbxiAr0ZyF!nt z=-C(>m=ZYwJMl%-cnl-^HunfiR_nIs zjp#tt40<#!>wrmr>0HcV3en#9iDSrA z$tHSrJ}Q}W#HDQJLAUME^N=`ZyRix#*jnr>u%%tZt9H}wy*YlK3k##t3+TT{t}8cC^>Ih5#@_ggRUA!Ura!IM 
zeI`WF82kL)s2q^YSNx%q^mwKX*0UXk;V;|`jb-45o555gJ=o04@cQSa13!s%KmlcWb&Z_jdTLPH)Jr0m{M-4^ z$-LeR^w;=W55=%x-cu;*B+=TjS7VYlq3=Hd5Y#drQv`D1vK9i6)=3-?1Eq2 zVMAX0@fLvo#@rogd|w+JQd2jsvVJ=pOnlP+bs#5sR5X!Nz@+x|%gRY_n~?hAZ-da$ zO7MMxu7y6N0$q4y9Od4IAMT6@ZB6J>gV|T%Lpom_+=kIuO|gQk!O4!$E^gyl{Arj%a7^l7V`IB4f0ZB_(I=V(JZrPXnvAn}y~r z@5l{l&1;S?V^OeuM}Wn_Nm27Ww$90p@=8A|G$0p#cmrGA&+8y)_V`s!a%T1Va#DP} zi-oV`;~Gi1}0XrBvH4Uxtns4YPu??VCII>*AAnweJ`hYgF<(3P}~tH;}YmYSdz z%1SN*L_~Di;>mR-m#T`&w*)<}J%k$4HqI=s2c`rk2)WsJ^LjI08}iv0uC83!+JN?c zB00IV0Qv5N{i@Zg*#CnkC}sP6cTcjfu4Hp!+(Cpmo9!$gA#0w<@`FFF*=KzE$)vxE zT`<$#*$zRsYQ>-+0DtCqcv0N@Bd_$chW((NujhzC`NLyT?TsU#8jd?U zJv22`uiE@LA-xf*)&A#pRU$@lt z>V88RWR$!~+R`+4`+#~ae#HU0J;mh;h;2bPw_5c>>AF!Q>qxS&BfH%#^j0e;L%3Zv zr*WL2SA65v!-ecMqm;cJTBps)QJ1Z*^`MaCXcVX_`9dW*wbvoPKD6HZ2EA}j7recz zhYdiy_Z5s^Sc_ioS6EHGLR~N=F`rYj^`#y!4>tE=_}Ojih|bFkPObcJRtT$l*fsptVVfRg5P(Jp6M+X4(w!e!3Ym=}{e$um(if)-&uG*ZM3jWfx~$+SVXBn4T=!6OX)= zBiIvysEW*=*c01TvctP*P4b)iC!+|K!9U2hg zxzBPH^BA zK0WEP)pxau5bon{wBB2YoAmPL*mpu(Z?EjGGg{PP@$P>X_L}gb_LNFVy*NJUEjc8P z`r8U7a?bo}K#DkWcgz+WZ?g8qH0fG<>9bfXy53|gdEp%ug(?mj8w7MjgyZo$Iqekf1-NN4gjBQA zO4A4^2-=-!mOS_6Wt`V)@N@$VA{yL-AEY<$nSG}A{k}J$Z{>2)7fr@VWB@vec6e(2 z<@B;sa;^3&%c@HFMeRig*y=5EzP+jpH;BGB$KqWVl(%|Au=fd&dA9#*C~}lSW)0JK zk$dQML*etewe_r5c^_T>{oMKUEGo_L^Y94{!n!H)v+JB!(0DFWWs6OM=ND5?h^45A z%QTiMZ3#J3f$7DnWbV+#Jxugy=`*r`<8kmy8 zYU|C!ZFVoR7u*JoZ=U5(*H0AHIhak@BtSx6=ue|!979k?Tj+wF+kzh$Y)tFp$11IZ zFh_Yan0~0}$zii|jPSVV&|Ybmt?nn6q*0ox^MQGRXDWVc0pzKRHaY2o+CZ)og3YnQ z69NTOu&RT1ZhggLA9aM99y2QrxAcIbQjPZo1I@HxHn7VL3<^ExYzoyJg(E}%77#LE zPMilVNC33_c$MHmIY!`Xvo%?y4|`?@*N^SztDkrn=(YSjJ^2KoFI8f(?s1?NqQExAyk zjUteMY-W3bw$1(3yWVx^D;>XY zY--x7asr|cZ1}xk+UrPgcKIT->02Mt0Ryo2w82SKRg$&mRT)?XdJ4nk=Gv(OKTAa5N$ zK0a=iF+Vwa0&3vkT;}D3$8%M>=yK;(trNR&%*GI2r!ST&cHtzJz`8DT>m+`AE=Iql zT)PjOUUJ{hHnL^ zd-dL;P+=&?B{X~oO>UY%Tmv4O9@LaU!cBpfkmQ}+sY*ueHY!j}Bd4k5kENmGzLddb z8;0#0^SxuRK>PLGH4Hj;WtPb;qIVk%!N&gny<>2s4&YK)0fFdeE&qkbt~~;tLVokq 
zBA(UMhN5CE!5P}`h7Ot_cILarAz=0+mL7Br8sa;;T$pH{!jwc>B|CN1G2j7Cxtqs2 zun-I|+weW!0!5ZBodbIH?iaoFkDoW3RLxj5fhnRFjVkcL$1LQXvG>e-Z`y-o;V2hg z9U9_jjfWjZ1xi)Jf$Coo@oMs#GqFwG37<-Y+uR9XM-?u1!(#Q~urR1K3dc~?Gv#eW z_MPf>x88~w<5cr&kUJ@2|1IeE#{~WRV{vu9;jYQG12r7@=$Hlr8cu7d$MGv;S2}Jz z_Y(vFG*;B(?+|^4&op4VN^-Qo*LU)Z%TiM^C+yH(ZerBgn~Qhkp$U|)xWaRiK6B&B zVYlxz;6K1QT;Xwdvo7$U&lw9|NrA7X0-r5aD<5O&Ug&R3*Zn<4;R{!GXl_>os`sTVn?4Icv?_9 zfKDDugbKabyZ8Npi(v7j$29I^~WlGR+j zm|^BVam!$ByoRe;9>_14Swc~z0N{*epw|NvDfaNd5bS%b5-uX-d^S4WSVNpgD)JSV zv8Ae^2PlBLkf7FIbzODZZhh3Tb>b&8y%t(?GD)Hi>(V}2e>G`xR4Awbwh}_Fy@hY_ z3#FTH#WF5cqcn4(l*s?~-j<6ISl4SBN#}H2zzxupBi+iZz*3T49j(X!(RpvaX4!MJ z0jXs3h4az{S{3O}69sxJt+nGt6n?|S3Ldj(E0Zzyhe85-JGNpcCfgPRxlue8{cZABJcryWjXOxu+I=fjPa=8S zR9Zm1KY1|etD2|w7(hSG7iflIo6f7F7a>mudA`-z&$WMtF*YB$&}nL-k)5<;1=?8ZZ`^N+v}F`-9id>~iuwDJbmp>MtbKwvutW8R_x z=(_!IJjYV#|MuJUSc4e@@aBb_nPy3Y{L?27jbFlvy*ZXV}gG*vd#w)Gk zF_2|MVxqOO*VZ>aZs3>m+@3^a-pubIUIX1rF%_{;z3aSIv2p;kV}6T8CzmLoda%11 z&qGZ}oGlH|aTcYR(m#)Yv^=;ZkX(I&cq%(B5TE`s6mBDX_ zZtG#d&!l?-Xl`BcE(4AY`DfDYj$CwBT3jJU9CW?H(N1HW&O&kJOgNE zui2fYOMm{NsGH!6Zaq*Y_;pDR6Zn%Qgu?pK9}nRv78q<*%iBWg=Ormxcpw*2;P2n^ z=O9CY9rKasriW?2ayQvD=PuBzgxaN${P8WsNsl<=gOkIfRZjAAynSRy!PrK8&bj>O z;pZW`K}1J@70&T1A)}y(xl1JQnfzn)6V?DONnaoCz5DB(ZD#|IABW5Q$A>@T^X@9R z$&6pZWrm;Ms$dWLSjI+D=FcxZQNSglfKPI#Su3A6;FdSjr_TO)OmJ>u9^@>3)#)23 z_D1Z2$=|MzR0GqhH!z&$S6AVKnL_s(E57j053cYOv?B8A&E{WS6&8Z&hnehN#y>v> z3+5()I~k6@E>Y3~e@4=X05R}CJ&9Np4tO_%n=RMuPRvGbW59=orZtgwz%$%7y z&pb2dN_61yV;mR$l zOj+=_YtJ&&aU=4*4@}Obhw{p@ahll7HSiah-6GCTTtUE7{4q?1a0o zuKWk@Ke~*Eo0n79QngjIQvjZbM<)XH{yOF0Gpe?eey&0 z!78ki>tiX`^sx;JmB&p*mqGXWleOlW5)k8EzjTJ< zOVriC$45-JhJjZ)!6-rdz;rz*KI{$teF?M}XOXn1sNSEPWJ=V+{e4cp#r}Hi_N;A@J*eO*8{DWB~z}Fq~o2J+?84$+)L* zX*U0n(qFU;;sq?S;#hu~+3`(3YJ%4npjAKd>3iMa8o|=_T!18 zB85<&hfw=|{*Uz~!#z^*JHg2^p;pAb2>u1zW83=T1*tD-EB-&O=gI*Zn|A)P#PQr* z#5pr!3L)K-Upz6EP~aN%C1GI=4%PVUAVm=ln!yDg_FJuv*E)cP8BL&7Pa4Q2P0QZn zKYp{+YMdjIdWHFiQ)s4ZjDiM$=5b9g>GduUvi|VzhXjD!UNaHB4)qHE_8;B9jnjSG 
z#`zm3i_(OyF%U|K!jtx=#&qja0YZUSuv zYc_QKjv~p)YWl^=w}?s>B$u*4n)p8Ms6sYhqBnljg3qP%*zZLIvJBK5TLox3&dPkf ztcp0<><_y57E#JRR}cVQS-Z9xi4v}AQp?!d<|;Grxz_Ueul$h&97tkbvJOM_7mfa7 zkk;uH7omjo);H{b$%>$hdhjJ&K!bi$A?QS+KV^Xe|C|abLqMW0Ilx{D6WogkG}iDR zX4rlL?Wb;mHhb@jXQw*5F}`;^Y)d7>*7|G9~wzM73U&^w7)%{YN}pp``(N1T`VaivnZ6hAs3raky3 z7cKbpaWbAZLQ>xrQB{SRQ_GW`&$`xSl{ejd(d>FexT-A&Ehj8ei+wTPX1TEA$`<)#Nv0dM*(SF?ob+E(lEsvc*P?006GlcW^s^`f*F2$1n^LM$&AurUQ_dQA!$N&q9UT}NNzX5Kb*eF2Qw$J) z>baJO&xf(!gDG{yZ@zWi_az0#MQ0}eHh$1OFO=eYr6o9%B4G%Nab^ZT(Fe4Zya|^1U9=-g>tcfx@D@VtK4I2 zh$mGorB38ik-=}jbqOp|8OVX`Ka7YWQMV9vEpu&REulL`W*}EL$e_$1;5l_2NEV{i zC;-k`BqIOJGR$+@3l!-HHGR$C{h$)J&{*k)O?&peS6h&SI;ql3Zhbx0rGoitSml7Y z+$rBo5K1Op>-|c5@{;MLQ*40}N|8zvkWq@xB?hFVTHJ!vB2+-z;|-x*W3aN#-imMZ zd>Ytxdin_Fb$fTpRKVWQ#WVQFS zp=3WfNGqC|J33}k^z9?sk)0`8<{*j!CkssAdq4az{lkK=SQou}Lq11S4VE8GW5My8 z@avid_gFlv;{XClr+sue#3|xQj%7=G9E}*qaHOo!S6+AVz^#W3d2&I+>zE#?&xtXc zTduF8O>YMGsCEc!e0|xQ!-)7!^Zlq_JI30lm<5|*HBceoVC*quhp6D7X4epW-%d2k z1YIM-BUD!baluDM0YGOy$-6*5k*7X}__4}97*Qczo4R!b7JF-*cdq9BICHv5)u71i zk(F|}gJ1YGdalp>H3#*snZII7zL+KIeth!%{MG1JFOY@ zjaNCRT|=jS9BdF(Hgkni_$N zId16{(Ve_(7a*ZRAou~^JB|{w0Q@k8Xq1pmv}Tdd13_2myk^l4wNFeBr|H&$$Yr0; z>qufN=hI6HEc=bHvubDm8{N$x==?3BK6Vw9JqQKds|}dTWrRJNEQw zRtioMv}mg)sVRnYcqo48hDvm=E{4Lr>Q^y(3yEwY;}rbVm*vuua9C8w>usggw#Ygb zdYxLDzS3ti%PqQ1&!_=bAWaB7Y?!vKrpd}J3-yOHt@C_wVgvbhzx18d1fPO~@(g}} zrU*l@1`Y>w<_Z1!p=6wdD!0?6n| z`K*%z$S-$&KT^pK4nP6`mMHpsAdUue;Z?Kf+e=?uSLo>tsPzO@KB}yQu#P=$mqN(h zKYR4v*-Km3g$(G&4bocne&*AnPCK=Sy#_BM_1^O4f*FPFVhVxj*NW#Ie$A&FwKC)w zT!m(3pWqAL4;o-7S_N$=i{`(>Y03)nDjmwj_vR`LB41Wk)`8%idAwZ=2~V|`(oNWW zR*7+Es_RS&GG3ojmS!$)wII3|x%|NvWr`H|j(6Hyj@7$NE?A7$J^Kf(>XMmD4%gys zi{1LRivxM9vFkaTuJ6I*pI-``7?yx7X~AOvRl;TXg1BqE#0TlwCotF%1X?@YqbhNB ziqGc_vDuE%e8vQb;r}lUNVhNPK10BRAqBp3!kzUz*Wd@#+=d; z#}GqFXL}U0{y1xRsQKD(hmH;iqFm9lJu5^+Y>0hbC$%xE7pwFQ*m}@j6vYKj8Tvt& zA|~uKuRg$1HQt<~k4P6`Fo=_|t?ff5N-G1TpXu{0tJlgxz~gx6$Sn4E#gXdhZO`vz zBd`@HM=ZvldBpylceO>2`%nu1f%q~!xakGn5KM!R-czmLzPkWh9va@GUr=!0DZr(C 
zON4%Vq!fl;D;UaKYwq_XAZafaQ@#?Tjq~OrzXIpf7~Y6~-&|wFBg`xXMzznw)BGPh z={_|aQKp-nRGL$+^5vLocv_j0?V9Gso&xU=?#20xftGrDK3boo;py#_mm75SfuTz_ zZamz2-ahst`js$??>2$kNV|>Rui9;Er#Fl~=(<~QgND08-3T9S)P8P3)9p8DFa<*T!0`~d%0z07Kw_^mtksX=J#78SG6R<-^Ub?d=KHuSZvLo# z7aoBgK;-$7zJYz-IoxO7awQ(?9m8YOj48I0aF^Ym2}#=+2VtJNDsb7oj5oFZ;j$l- zry4_KM2RlV5pvn84Jn_ERB_?o0rsALNL`APQ+02vt)$7Ub&i{aWw6GCXI;cXJy*oR zz`mS>ZH}LauX<3~vX@Iet!l!L{2=baSt7QwIMQE{=RAa&PVu|g#)D%g?&^8n66TnA ztWg}1ZzM(nb?)V}d~4z;%3bqs|DuoaC!A?!Ho+w?4@>mSzlE3}!2EmfP^ zFSuHJj*^ezwb`qCv!mI0nm2{&n?J$R9%isEwXIFUqf2+Re{igNqdYh60;<3FM_N_u zYvCN5-^e#?^EHuSb38siYABv&tNdJ>{T2Oz>yNf+QO_Wr=uzf;vGbmXyFy(rUc6>m zuqL28sJHi7+iMroXkm8A7V^5wbcH(i@_|Rw2VKDDcGnK}m|^7^-xe7KQ_!%f?9Zu_ zka2$qxL`yLorsx=)cgP+EQ3fRa;#J>MYOR^xHP;VID9N!){#REaj>=1pIfzekuMLP z(J|(l0!J~+AYSKL^prG@*LI<}&VFKT|87S}{RIbvJz7~ya{kBEDB##CiVYCLxO28i zVqM7vF}Hc+5Rm2g`3znGDyG{SAhz~1I#pMDI$DJQKlrv`yyr&SR@5Z%LH&$tP@{Wm z%^!Qlzgu*FK!^ewC7g#SveQ?vYtT7FuKVn3o0YFO_iwo+*V}8Pb94)MY-Z9w)U)t5 zAM@UbAu4cP<3(=0p@rYe(ORQNeV?v??JQS+8jF0ccce%VnVUVC>RcwoJ{(qC%qO04 zR&yU69O;5A!56`FGKrN622M@97TeeKTS-yK`yEyIG{oGImZ`?U7C3-e;Evp#e>e&u z{HwHqH=Gw9Z3tocad1l43JJ5*1DPKH2O2CYFE3vQy<{2zZWDUL#@Th8?$h_6pA#kJ zPKSPF3GxI)xfPZ;V=wBl-zE%iQR2L{5k9!WSNTo4UCiz)_OSaNN;c$SXA9N2GVInC z;0&PAUfX=Arg05Kw3*K<^YOX(CRf6BQS12kvXblLhnS#n_M z91HK*X4^_3;zr)&Rz1C!tc(9@-l}Vv!P`}AcW`+BTDw?Gn=Ku=jdLzwAj@L!8tdwe z9(eMLF}Kpj5xBR-4rvgd36$6~ny8EGE}V@`O7><3Md|@$XnFXEm}q9833LryC80QpOZGQOTD1LvT3G`XnkjLaq1Q06H9gY zb4d@Fk3}b>;>8M|`r-y>!V;U$&K>fvnuV{x;WI-^T-3Td{bq;Bm4`5|&K380?G1+3 z&I)H6&0@>a5vQKJfTeFv?MEzGxhf<4&{i-+7oc1e#n*}5^TJzKKm zTU`-yN9aAe<&9LO^7P<(p|EAbBxz>Eq4UG9`iNK8^{cgQtBSvM_#7BvxK3->YW`Ge zd5-R1p%U*@;;kzBbbxtSU1Y7P9W9h|QJkvdt8BkkFkEM7qVmxG-0;|d9#TJ8qU7t+ z5G_C6X>H}P6otoS4hQ*8+qms?FD}`%`STs!A3*dko3ICcIE8-j;brKfGcuiI<8&3@ z$q^Gx6WuTAe|(=G_4WuKB73H`18cR*S#06kS1h&7w_Do}TI9c2$%@_Uqo*K#-oQ9_ zc|eFyb0n|AszyV9GYsq}NjjYEN0_hD=vDR`_@{)#n}s|g6$q%_u{~5FN;0lhJ+e8J z4O*5q+^FAFMqwqb5`TPAvzjVFKG|&w@|0Tpkq&wq?B7d~&xZ?sG>H}bGBqpJ!TSr8 
za#T&PerIH-kX1BBGsHInvbX=egt?pI5pTNfS#drZs&u$r>c0J=|6fp!33;kAL?#nd zdA&gFFPrY7?dXRmiA>uT%*K{NglTj_p{@$Pt`?hRelfOMm-4EkwWsn~ViN78zZE#4wu4Oq)D{bj`h_PE4#>)&8Ne*20?!cSQ#5SgJtN3gYiDw z=APZWYQks(Q$yzsj<(D zToK1p1jY}fy+R%C$ov1p_&NA~B$K@j@Z{EV%*|=g_)o~Jk1E*r-ZUg2D)>=N2nFL- z82@$7IoE^9E4TcxUh;vO6wo_&c~!6 zt?2j5JhT>cv|${$`q+=!vUi8qcE9`$)cJg%EME2EpgW+piBNgw$D)G+htLYK_Rz%e+X0?@^{;+J25gSM%L zjTkW7fa7=#)M?p#yW=;S)ehG1H>9ubf^CB_AVdk@DcZRB$MSpe# zD5QG047Ynvd2jUDeN{Vs$$!Y%xE9iYclFNSK zeO^T1d!P2XFKN?Wjx;H&XXiuWGv=Y!FLqEvAun;aNvci$`j6Yt;@-Il+IfaB6J7&Q zEw_y}<@JM&MH8@r;&1Ca70{I;*8J@m57?eE@OSKh8l$f`(9tr4HRqU-@HdDx@ft2A zcG`L27=VSy;RX`soBWSTjz>85L}r&k=egs_&y2xsA8cgJsZK(|PT}|I10`9Ik}snE zjobKM1NJ+qdG70llVO~XAV+q|jUWoTbxTq26nR^53CuN zx^(!F%5}1m2;g$oXD*soy!q`xYN|n?^o`GQ>f}-jNFj)^8<*BHwvR=11vkvAR8%J$ z7bqkcOpyJ9vi~H5)xi8kk)14Q$OA2K#a(WB_v3*JDB=dmU|n%c7x;^>djS=}<@QxV z&-wrUD^wJR3i_G?|JRlO*L20Vh+K9D)X1=dGH}4UV`mh$Eppe?)a*{WL$coi*hF$T^zwLx z;H>&NJK57Gn`r95^NKMbM=yRs%G;CLbG%}x(#^4{t<6~qJ-gPx%BR3&A0TMn37L_U z`eRcdI6~G_D(`;<%4_%*G=bn`U^d2p(8x$mzY}vTv&Q_#ikt?vg{x?s@nma6`td%liVCyyl7!XsfgtGwpfb~<&;~8>f%nJs zAR8N}r;s*80$IpYd~ zHj}WKQ`ar@W%)w_=8;>Cn=LLw1_3wT5nmGTFOJ9L>h};|t^|$XK79Jb4jS)LGzbRd z@4Wv#|1SWW%GcuL-0&&kWfp@CqRu#R1{~>C6#lqkw`B>@ z+;tOh$C$^=f|9`N_IhWJ$xWeGfua~UEB2_KtSQZ^xM^pq9|~GG_SW;=*Ib&dkuRRI zcf9{SfQ;674>RxZ^P*W}qO||pHVr*8PzK4lyWV1>UT8{jQM@ca)=?!WRSxt4(6%i% zNjn$C3-*W}^Ia)=-5Bv>50@wooCX(_T=U-qar_;mkg%JL`WX=Qnf4*Ig|L`WL=uQ1 z6@VJao)`lRG%911^Pi%wde(UR2_n zSJHab#;VwPDR@67gT@I`|BD}AryuQ$pj-Ki|< zVzmq#enetv8hIi@627E(+VY-5x!%oL9J_$ZVg?v-5ZTFG3V!fkT)xjeE=O%c2>Xh;0PMZ(Y+sev`y`HZEPZM z?Kpm%@?Z-Y0}31%0HLfc zO|L4M8=>!0rHj*h8|1Knv0_gm=<6O)ZlvH_dAKJJisjpU>+>6g!h(1$*?F{nEaxXA z@Xb7ZrxP=aIL!J=LF%?r)wceVvAn=~h!?npkfE@|Fddkt)jSHW_rPqYWeZKT4)8sr z17{{x$?|fqEJ<$e61}!OuP(`AYt5E+e^n{eHE^nynuFs;PFuVL%}|j=2q?Mov3BN+ z?d&CHTN0=h){3{Iwhh^j%MNzzu(^uB+9Vk%&4zM=8kwD7R)k*lfkVt^;o{VX85IIf z=8huEWgM`PQd^!-97n-vMQ?6ekz(N+;H!^OKWN%0*6vwfFjAMQ6Zre!t<@(^8IfEyW>%6hU&J&K186S7s7 
z^Xtp!Hr{kFP3v5KXHdPDPg0SN#(H}m5qBGC25X8l+Z8Vkbnv3_1$;&c%Y3 zLnD~)PSbU|0e&QQyA+R%H@utKWdwhBE`?_cbSNkJvDEp^&C%CQObXfWc!Xuf;g1#B z_EN=_0Ev1DPJ0$wc0`=fy|IE6M)DraOkqmN(G&LpvCvs`z47PzT0>Q8|7fw7RGvF1 zzc>pIWNOcAF!0>cw7YmCQF>J|MDoH7$Z&@6=p1i|L`gfLtTko)zP_G!c}%SHldj2| zl1H8~nyvA(oILB;lo0o3{szG}?7XxTsaK+9bVgb-Y$uCO$Fys#pLxSSTMZm*AY1W}Oq>6(Ru-U$3?>;lT zESqb^NdZpP_2m&v3n+=0$1yua-*b4KykkvtAnfL#mM)j)?FbhZS`xD3jhVdAdira1 zRW^CrM2DEzK;%QMUVgh4AA`}D07uG`bp_=|AlFkNTFS;pZ9~n?P-uoL_)}`oEtAu zOuu3rzPrEW3_Lg50bR^(NSC3@y4kiZ>r47f7-bLTixl4D-dnlZ(fWZq&zh$qs|I+X zR#&@xs-lCT!hIsU*4b&fsc+vM4C%f&p8uQT7d%v^9mphrM!pxD*)uhSa`w7PEe& ziWD}H1dIMD;HjT5KOHhJJch{^GnY*W3?PvD8H_e2IG?V9Vk;dvOYydItMzk_zNkyC z(UI8mF1eSrlJq*A-NYZ~4!U%?1jp|HQY3|?F-%GG@?t+)$V+oJ^QMiB4UCwdr1HWd ze0c%#o^d74RT`J7_}_{-{c>VB>!R>Tpo%gB-yZt6I;-Qu85^rut18mS%72Mqv;E2QwgzL#?f*{i39iv#uG zv=cF68>JGi#rA@MA4hu{R9%xqBWVgZ=3@3L9{N>FA9X2IEtMQ$_Z9pp>Vj%ks^LS{ zeTYtzNTi*e9bGh%1i|XD#94l@el$3F&a`8hkAmTf9?<|K^d8^)>doAS+pSSud>q(d zW*Q@XYC@ed$p{5V-OifsG+?O_qWeqCZ`9e8$^n*#_iF+g!BB(NsCIQEa!5bq9pItL zm5BSa*11ih-4hiw&s;ov%h_nWdCQ;h7rH<3{PHL>KlxM_6tuS<>>#EjWah4o{Lrg5 zERu>IU_Mvj9Al%M*kEth@a7Md?#3+<+OveX~@Ll!tN{@`8+Cx#vuC_Vn zdLFvjfiQBlkwi-IS??FhnZ{4BWVjxayLm7wZsI3nijTJUsRmW4X^<5tHk`?@N?6uf z{}qI?ruHj&Ne&=G05J8)#~%KJE4*Oec7M_?kB)%cq+K4laf%B%}>xJqf}1iX!S(^gti&@MCzQQgrg;v>lJWV zc_jlB6i8xIZFMQ8s4t2N4p%=<47kU7Sh?Ojy*`(+I2CxAVJPL?La!22+4$bmerP}t zpY2su@vgMSx_rcoIIbuteJ?H1)7y*)ua(Nep(Sr>3IRpBE6)dXvrMKM=i2cOdC%Ee z_wq1_Ph7{!VPu20cx@^>ek}|}iu8ia*P6?nsGAuHbNpu}TDHkbQEsnR-~uC_onzjB ziFbVxw)-6Pu!(W8jlDGv2yj>S#O&QrW@Tqw&IEe2bK-x-0bJ?t1hM}>vC8?hU z4Z)5?3(4zBwKx2ksoQVr4%{9(b&3v8Nmlxi7)z{yA4T1OqtwjMDI#4pJN2w|ozbM~ zSY-OD^1}1Iw+CptXILm<4&OmUx%N5LBCeQY_!*f#3W93DPbyqu#N?ujtp-9t!h<&> zfdzFq#xqxeqIXjBnrZd!&egRUsw}TzA_?UINzcX}RTmmmv)-6#0?0R;L;b36EyL8K zgmNP1N)GFF4`a465=M2F%QI3i%gkdVn_c>IRFMgdZPR@i?^6o5j|Rbk5*3S20`*_B zCWe};>9p*E)^49)ymc#4oSmcFEf%L3?CfwISQ>JhY4n@BU0xa8-m&uYQY<1BO+M?0 z2+A_jpABUUTIHq6)x%{iIymeBkBu_Sni*&e(5IV3RFN)1>y7 
zu74J?$vVR#E@euCD0APm+4m)wB}Q&o?OnPP-Ao}|^vNjLf~|r!06tPzs4d>!oH@-x zl<;OmM^E{-2TY3gh8hO#=`~Y%AbRlf&@2Ic4J30X!YHE~bjj(LKgLVU4komB6>|<5 zR+yXAGQgsdu#Z8`&N_Dl?O)HO+^#Hh7;!}JE1*GJHNwYFX)#^i8If`j;yq2X!F+za#PzQpYBmPemf^z!L69$s-NJ@Bd* zYAF^zSDQXS6v4PTd=<-%x#ypESW|v|;&YA{Cf=gey~c?SbOd%sOo0kwQV?{=IMx zy#RlWMv$nUaeY(IUwiJ*aQEFsujv|s$&QzDL9n|aEct+XvwsNqrc*EJE9wcKxc0r( ze~nmO{;5h2$6gk=`(Z#ee96P!xooznc{O343E(Z&6gQgM+ix})EOAEabT{LwpuMdi zZ__~^5wa1`6$svHdw;W3YBsL?UgXkEan_mkwwnsZ*&o2sd+(cIeUEe6JXe^Q)RL)m z_kmE7e*NDI1Qx*NU+8}OTA9&dbyz{UTO_95g8Vqbb91hmVt+PJxBsW-X-J#04 zW#^ywt%28b^D*mg-jS9;^QdjGWgs!P=Mk1tWM{lQ8IM5Udq|;O+%X?@X`*;wOISfd zFhs+++oOWJW~!+iFu}V}EP`t^3W5SATP5T*wiB8JG-sI~hT`mwz-;S0Cw8xXjAkNO z>`6f?nT-wH@rPHM2-%2#Ml6{hmt-vNgm`H?_D@Gu>xId;;fQ&dC=KH zgcl3wpOqN(1L!MR=`$rS&K_iyi5_@=a-!U|saX42vL1x-}G@4V&} zs67*NWoc$MP9QDgU~fPfbXe%|5gY4R;maHYAXs51O0sd%$KLMOzL-#%oVPN4UK{Tb zAjW=psH$u1vp28fjga6C*&iv%fl^8cHY{HYwcf^ylswSXVXoG-mAG+&#DLRbI4$*lol2FqSW4&h=^X zlif;FS%-vL;<9_gfn9nh2?DSr^dRg6G>3-?IqP%lIr1H{G_DQ&vLf5^m!tMIoGjQB ziobB?<&5&?>oj82If%;Op3e@8oN?{7)A9?u|_y&86t^ zYY!?U{5UElW)`&3!bAm-u3=(D){Tx!q9(g@HBVNnSB@Dz;2&ZM8ol=bl zkahT&oWF`-p42Q#h1p%-pHR;;Upov!?3E5@nHvjWu}U83&mj`({CT)~m}V0z>TDG@ z9uZ@wX908H=~|8tiYraD5G!&zbMlHhO$)l&1zgh4JC8bFtDE0&UDlu6 zY2H3`XnI@~71Q)s>fp*E?DHpOm!WZ@a2ct#>Gg!}lB5x&FpR&?^=e~edZD)g0UQspbag13XQ3|^tvExKR5lUxe0 ztO@(`(Y4Hv4Q|HxyzJSrTepf{H7sa}oZHAQj2JZV&&snkqKjSx9nKjz%ndU@OKt)9 z&f*I1I0>P-8vtzN4p(2(m9Rccw-&O?HL&rYK?Zr}L-Ls>LP%O7$xeuwqWz z&9mle_|uHKro1L|4`fML9rdUnxZ@;D(8elRUGqLovIpuvpufUP!qi#AguP^%@d5{{ zvBQK3yjUdrlgl7@Z7GrDq+KP54Hc>`=Bt8bvilk%k3WcRnNa2c7#lFRFMT--QxJ_Y z64n}mzFS%n7ujE8=f@MAD8C7at3wlp`E7Zi-S^nT3YR=it>vS`m1~Ttq_af69h8M|&X5&o9t( zYv>8Gz1V6ah>-2JaL!~-X+;YF@IDIvT;1s z>{jIEJJnjWUj`xg8&)flr2Gwh=E>Y}p-&1Cw!CMZsHbjTbgq5sBm7nOVKqag{sWkt zw>^2w1bTe357@b^sUs|+PI5n}Ale&LEsA`2mM>8N(erlUV*)J*u{j&gVPax%gx4L^ zbe9~eJ&v3{21F!QbWV(A4fWm?-W+#t+v?C?l&mya9n_Ddw0%{LS=1QgeY%g_-4|mE z_&~qAi!Svt9)RuU}t=o5r)3v$!UPzq`=&vt2l{ 
zl?V2kfP2JoTf}z6y|59{iY-d05UX!s-M$7>tGwd8w8-SX+4tU5!;hUGeHU|?3G^tz zLmZemWdzE)jbK+}2i)8+T^ma(5MJe-9x8{mkW$hNN5pqWB(v_X_{9wUbf1J3($qq* z#^%KI&r73MO-D{6iOT6aU6UPZ7hQ7wm|fJZ-t zLZ_l?sCC8shM!pOr9F>dd}8+!IGmM}-&T#3tQ-m*y|L`g!TPKP#g6Cft@?ePdFZz` zIRNUEu5+uuie!a7pZ+ou#PmaDWAhN_)N4L|Jy=_DL}4RlSvde1UOqWjt4x9e^bFKxG6 z3B8u_X)tYj9a1Zo!3lQq;M}?#$>Hgj%nlBF4NUgxS7?Q)6>(i3x~-w}lqY8&KS4qPLK|{@m@DM^sIj@=4y5AL z3QVw*9j1HV8IeNPia-%;)DyEtjY(6>P*)l}Z25v`y11pHoFb*ZI#zKDyFLwX)n2~^ znhXbm65e~mB{{lj5?w-AK-XLvWo9nqP_|SGqAUJT(zK!wCwi-u=9IG`>@2An3}h4@ zR2tOcbr)GE!|M^%WOqd7VZ}Qphykp;&HQoAiu}Nw2Y$V9|269=h z_TlMG`W8@wtYvP$d-G%E57ZN2!l`5xO^_|TRwf}kT>OM&G>Y~(5{~C73(1o;?eT9- z<1Sr^@Gw0xhsh0|{c+*ka^Sd-omkbaZ zy-!ou@vY@Pe@xS%zYh=>&2!uwe7>aTC+~hGeN+NW*C!qouajkvTK&6(K~hBG3#qRw z=**F$FgDD3`+2Uh+3Xv{Wf`T7aNhhEc8e>4p|?p?K^1fbj)a7g57;`HJN5tzWdG&R zNS6E_1f0;pJKt|p;siF2fI7>msabqClsj6Mz9mG|GM-FkkQeMoJ`qq^KloL7flu*gR1Td}PxZueXPOKblcXw*^N9QKcT{8k)q%&{Rp{tvw^8@zV?*|5KH^#1dm z3*(N@N3xrZ1$An~yOwh%zqk6z-eKc(MQ=CF5iqsQmc&lGJGM@vD$w z(Ld+{nSjxnw9xQ^?hlX51}CnPJ9oaHuqgw6?@I}ophw80q-V#Ec~k`+^H_?w=s)xM z-+$`+2nV+I$-mn=23sGz!QFyQ=<&%^l28tCNoo_co8ov|a!m$o7~eifyZ@hE%J@;K zRl{v+{~MF#K$nQU{et1DWk!BP9@`Q_HX{gy^?O~^X-%9Z+L{_m}DDwDa|NFo-z{F|n zGOPTaOha-~8pD+a^zo$rx1m5~!6<*^lmR|1xDhEEM3%IGbl~r=hll@$Fo5(;#B}EG mXO0(vF&C9>oOEYzUn+`a(sQq`%cYzG|CHoZWOHQ<{Qd{3t%ULb literal 0 HcmV?d00001 
diff --git a/src/img/rancher/search-app-registrations.png b/src/img/rancher/search-app-registrations.png new file mode 100644 index 0000000000000000000000000000000000000000..4ab244da885b5ec7e4e4a0019119fb99ee5ee251 GIT binary patch literal 41997
z+z`wUbu=qr-6Q){e0{$xakk@Qo%FA|GAP4+#x66t^WNJ>9YP()!bfGE&R9WmY zogoqOMw1v7+2!!sf`<3Md z_4UZ(HiyYt%T&*f)DtP;!v;~vNTqDvnP3419?7zIf+a6lW`a|{IrC2M!uP+-(;?j&s7gC89)@%Uz#wj%+BdvcC97M0g<`b!Kwxl??qM6+q^e0O-$CpTREJpLrkskM@(^B%tWCP|^D?){pb zRIl~?-=Sd5fCn#l_rQ8>ddp{RUFI0r?vv(eT&3gYZa6`ePqgbVgU@{pZW?Fqey^NQ z(^(xkJ7Lxq;Vfxlp7CjoC4z=yg8sAYn?;Hp;NptSpC;~KQ9|Dqth%etj}#3%iPz3s z#B=F{TnPJ|zL^yMn=1Q1WBARmTjp<*T>&Q3$#rP+2I95lji7Z14|L$8fht6;!_~(1 z<%>K|xW`iX+5Uz`Q+dCOH4y6|5LV%0mEEo{DpiHuHh)@8d`yF5tLMUpE80q^^fl9N zzPfHCQBvuLQhSMX7eYWYzuLo8-Fl)cWu+c@oovG@@ayoBDeOb5#3xB!&1~dOF%_^R z8A{EbA8#cqy^G6ZU^&;Ls?K;(_PGM$TEEqj)l96}ygfh)xBIRia*lN5m|Dz5Co!Ak zYwjm!tlz(yWQcf9KP1ok7Ygz(dmNb;&JRmQrSbIitD;LiAREq)U; z*nVb&O7axuePIc@P{~t(#k40X6eUy&W+D%vK+^r{AX%ZJU$xQ8b;^6EF?v;ifo-G- z>iv`f-Q=3Ep~8ApQjSHd&jLI1Bts?V^+>i1(S@k>9qr2zIT<1%gbZ-9wilv3us;DJ z*w|7`_o7&K&A91GTUj6xdRem3#qjB2xqd~$FcxyE+_J-&*FPx{MIz88xyhi>tBMNw ztRNoeQPJ>r{Z8srXj$2BVBp*`Kr~;YC@BGjNxRHvp19hfoU?n*wvsoPD)QtlI9YBAr2 zgyDNLhXC>*Gaz{1jLG~v-2Ge!`C<&8~OOI)~X>QS!@>jUq3`bgV#BPeuez#l9 zYpGgh`6Nbsa^9}^2(DYu%;N|EQgS-PjjR^N1g)id7dKpN*E<8CN|&+}m3dwba_sQ| zCEZh7xfgr~k%|BSV0fA+@aNzKkR&r%0BO>VV(npdNMD*LtKkE&ehnR;Bu6BK6OB}L z3!|tXDo$R$`5P(%K%G4xpmM`%f{+ z>Qp;W$v@~Fw8#@2t`ztrc3q<{w<9njOd;7wc{t zO$>od!=}Hg<(s&3ut$@=$odC(>WKm5O{~-BCHXrSP(3a^I9>G~)5tA0-vUV{?GUSK zby&y0@GWrwp~B64N&e?d{%yF&s(|v%*WHG-{x$j@ASE6n9e5jXGk^USoF@n8BoDhi zigEw3bGm9|t1M4H3Yk*UxT?UP{rWd76q5-&i1n8$-@gVwf-}%yQPz^jvQ)roxd>LF z|JP+4K+DgZlCAy)JU*19wM2up(nkJEdgtFZtlnnP{1>MHgcy=`=k_y~0i;o30ItG` zeOq_fkW>7B>1_Z2`<7=pRswFh88}_qf8hOnhUKPjTcy8F|DPL8n3NFU zH2}qn_}}tdBHe26gT`oM>1CF#sNNzOwg^8~n!@uKq8u zKt~&s@x<&JT`{bx%RuJGd4!jK=a$>jz6GoO7ott&V89Nr()N-3vjYFi3>`R~C~OAI za9al2WK@u_YIX*hB&5uf;xXQBEtIhWK&rfa&uxs_UkjVtm4l?(U-Do2;m5#+l;z84 z-)83?9$+r5Sxj>O+io%S5CC0sna%0`f`b6xPXGrraiXw7zpWlKRltPFNio5oTRg+=U zD13ysD;ItWK*uXIH>V;00Z;|kD6NOm#dDve{0-261?T@BtbhRm0O`2T3{pJ+hDo31 zckS7llL{G;abC~Q>rvO#XHqZFkbh1ZPdHO$A00s@)Dwh5WEZU0?e%0|xK3lhdd`@5wx`726l}lIM%LC_S;6V5jA3HSRK#rM*SQ{y7+_rQC 
zFL&F_CknNV8B%@Etp%4p@?=YflUtl}D*}TISyG?kbRBA6F)OA%0WhMwqaAzwJ+bWe zLL2fqj5u2Bja%lBPSiAF1x3^5P zq`BkE5OC+L20rEC&~V6eN)YiDpm>7h{aKg6Zb!e1nOz>oeQGhi9Ff&FhygvAvP|pl)f`I93}4b7f|3M3fS|2poH^1@SOJDC#!u!(5+1hd|!Ru1< zUJ^1sn;89_a+`6sVdZbYDb~|YYM3(eTENW%Fr4{pjZ>y4L?Q@{;5j$~2#9P|G~7xL zs60OX+1($igVA87A^mZKt9DNy={&yMl4OTd&WUw)1x449jRie0mQ5zC@sg+#!8%Mt zMrrTLc&M#eNPc_H_T#C zW{~{&?apVzDu-`F_3k@CK0r5WBLq3ZWc)QX4IJ12M1Id_TZ{l$CR1qOO!eaOP{ivH zNIKs!ZoWJLxXPaWNw>X`a%sCH@@I`ja@@g(fJFGDI{K!K&>}Pk9iPAnWtu5p9L$2e zLT4|!_p|#S?aeTc94(|x9>^IssYiG~a^d%AlQR07#?3DIP(4lJwN`mv=5lp3*_-uAbX_xk_quY@Ao_Pv;Zh+j%wZsd#u^p1YFOMJJnE-@H4_XFIXHS*^I@-NRc5KoH z(ht!KZK=euQ85CML#1KM`%r+~L>{AC@hD0J+Mh6`EB9@410BW6x?5k-4T$H-`m)9N z%IDEz8PKz=(09J2D#e~IpXL1~ZpLD~`_5r26mHTdq-)&)l`}ayIl|iec_b?3HWJ^W%>72SFk$im(weQ)Q`7AOaXiJf*U3@s^V2 zagq8|#66MSDcqR|V@uu`_Wo&l5p2klw!xbp97Dr#$it$mllhx9Nv|Dh-&12Dlkypd zGtyw>m)>zrL#kZgqj639x0#b)vgpYl)=1@Th}V`ke`; zcs+X4j*q2zgF-vPoIS>e;0V`5(BBJK#*^QT&`K#c%+;alTQ77lhQ})KG#-;*1W;=EC2zN_p^3Gh=loqxYZ}S=Gf4?9 z8*)kU{W>%-jocaad2X9hD*MFIJnh!10e9buK1?AH{XrJlXBmO7NLVYUP_c( zT$iyG6=85Z&f2UFgnVm`u;V%{(8cG z>OSQe;;whojewooH|v=J?k%tA<1Dg`Ex{tw#c6wEs>Hb``pqKT z_1~x5T**WyGlOq7ct-s9kus$dWlY6{h@1!1S2}( z-vwKtq+g2t&MdA!R)OMlDNUBG8HC3_D+1Kxa5o(XQhIeTD8}V?eUN7F<@Y*4Y&~;y z7Q&_l`C&Dj`D)~wu|%@w&7M@y<=QnOi5#v4&U=SkjNkf%IGxY?I!dxTDh7fM=ok3r zY@%0@&0I7(JOPFMk`t68-@Dt( z|6NL}@CI53(#PbE6h$xq9=- z=GTu(xq?!0#x5h^S+jDKpdE@G{}J5*dsO{(6t zj$dkY-HQxA=7aO>N%u2d$pWmr8CS95yBy7DvM2G4-kIle*dfOmifG z*wFCd!D_#3yzo}-*})o?MHuoMe1O}YS>Z1_BgmNk{e>(MIAwQivqktl&yYOo;m?~``~o$I*t74F<%|A8 ztA*3#5HDx9-Rr}&-ZyKPla|bzHX#!yTdnfPF;x-*!f(vu^T1MR&$Fq1zMzpT9`bxm zA2_47ke`&e#{4m5l2H zG!D5fHqGb=jf0YcK8it4fkm_ev?h^4Ny2BybvC~0*Socrd+N=pnSTOMkG_hh@lWO_ z2E9yWa>kS=dBlj#zS1|5o(svY3p?n1K$JDz32OU$Z`VCafJM6GSmrvd=Kq5xdT$O&}4Z z&Clj{bjzbSBqk3KZo_!zmG|Ig;9jwDyE|8N6-WFf#YjPm8<8LAf~$_nSKHxXNz&CC zVq!*PzQ`+{!NTun>7Sx5=7dYyKT5(UZA5pAMZZH48fgN1v|qbK=26D`lC0+o-9(<*Joqksa$&#LuG>w4EV 
z6gUS*opLMClEVPBVN@Zd!pY6k8khL#htAq;O;eyz2<3WVLEc@its=i-tXB8sBcTcY0o@|AUj@_b48ku~iK0lou4p<%mdUZ-E~ zrx`K@w9LIp-q;VhR-}jos^U=xpM{=?qXMy6^~jS|6UgH{S{c93yu+3J#n5hpeuTn{ zWC$z_SuwLA6E_E4b9|YOak^ptyRHz6PX*%5h=8bekHj|GO_c?)niWH@3+6TS8M2eH zPS>IvPXy?Pj>Ni0YIY!K7(6=5oZ)|qb?LJ>2p%Vkl38+}W{At~Qj-055*}iX(TveS z-o|SV?P}Y=0yWP=K@jIwAF(d3T9aX%LU?kWT^NVy^?HDqdnXqI=^QD@#EELIMz3MJ zFxUTO9l=$srU6-kB|O`%EHNqWoAujzNhqH#FV=7+?=|X`)ox7T1D>2GbRN>xiQwF_ zer)AkpoNMtW^LLw)s?6LsEy*t4;=!H5VA=I2XL>ABAgBAp_iWL@Z=pdOmudQLg~k8 zgtq{%AIh|OsafStOOo1+UX=*QQ;|cu)H>#Nk&mOkiK{f_2!lROdt)yk83W?&>~3YR zyb4$yfz%{9@<_eJKp$wwiZ2sSn%ktbOhYr1EX%eT|5^s5+`*IUmSfg_=Pl~}SyF(D z*-c@%9`^qFn}Ps{T@GEOs=tCYiVDl0yyQ2G_d^kY+I&xfNd5)tJq0kq4>;0pf70aN zVC4HW0B*h9#^LxErf7nD5Al#Fa`TpmwD-gSOz#vLoXKj8O0 zFs(0uRPWWZRQwCV{Q!WMs&e46f0_^hobeLC8GpGeTK#RC`_27B0B6igcx(1AxaJf9 ze1Ghu4$IU9VF?w3&<2F_E`W4sM+`;P#y zFe|?6`fd2#{{hf<&8lpG`!B=(|MJeqr2YfbSp;#!Ycvc(?j=bN4&L@sf5w0g#PoBJ z=g4KT@WSG%*AI`&8h!h-t!*1`ipKnqquFbx5B?;=ztfJ_2I+d}ATbi!w}M0H+!*rJ znY!K-i0pb19crxG-W3x8t_9FA^GErDUFgi@Erq-ce8`B_Y*|f$wST$hGJ4Oebe{Q- z2s@i5N1b*H5$f2Lyz1UZh=!2Q*`r}rxw;4S zwhuqvzR?<^M=IT=m#pk*+xvm<@nRNeuoeB891M23x(W=Ze+wk{TcC2s0ZK$g-LI$G zHUTN-WT>##Z1&Q6$?vzY1@wH-_p}^)NgvLsiVsLd|%^_n<_otWIyDE zml+Dg6R!dZ%1Z2y;j7r~GQYelrV^7>pS?-0;0`TrK7IU4<(LVK(r?dji-g? 
zu9G@*(viNKBa$Q#hvd?R3Y-sboU6U+yTkDuVm_#|PtR_U6i0`Ui!n|cuRLygOM|e} zuO7z)&G0+0t9%E6#;PoJ6ZhusY70WmKleOV$c=;R_C(kVnXSLi$7$!a8V46AdW7Rc zeq7qUtE6HMyDooBhfnjzpZxXi{dRIcZ}-?rtQ}AiyJu-s~Y1X zb+c!MJX}){v*e>1ClzW=C|51?Z5lFM)vpANzm)3xs#Zcjf3+oaW`odt_4PCokKi+p z;d50+#pQz#vH0OeDboCuOtY_3HMxf=BcldwQ9E&6LlY82ABIs1XLcP_*4~0L*XEm6 zw}KA-Nz*ce8#x#yo0pKLj=2itk z9U;FW1aDPOy=L52a`gwdcu* z`nnReFM8supVGJnAwJB8quXh*E9AR8A&Mh<9@C`8q0+9_RYZosH@2hdR zVRv>XbMVAzeEcp#YzuCR&vH`z-L{~`e$uMOo7rs+8gnd|fFyzA54p@MuuV z??T$G5WcwPq8Qc7(tGBZ#$~TyYkHBC67^)NzHFsFq$&DU8b_4D;9*quGGnh%#==wI;H^>fGy~@F>mli$oS10GoeK?L-($<ON(x2Xj+pj&a=~P_YWr*2cP!$ylD$=Mrq=Um5%B1v)vp6$Y!$c8lHY=a^^= z_A;QI)5q(qtI0KMw#k!MSb78GZgG@zYj5(k8cnVl4$}6H$7fdZSbQIR!^vH!9yv_N zbv_QWlnu}2+dK&r<+}DM^?7rKr94lzZZlh1dNq**u{Y6PG?3Jhy!LL|XXu_z4Azxn z1f%}%rDTN~*dQJ}5cW}qNf{y6lwX}qLJRSNAD2A=9Y|~YtSUSC2d&u7e#@kESL4ui z*ypk?bCAfTHB@Gjo5pe=drWMr_K<5b`a3>W@1i9QC)5CGn*3APv0Qj^vG&U1sph9tn-bZ&(^~$*e?~b;rwQAF&o;y!gSaI@uL1)$?IT6isz0Qh<%u-i$vM7nqB!#o#e1=f^w{E=^Aoo67&q!ePQPmYIryRr^MUWzUd<3ytT z@AZR4i8*K>o5H($qH2!=WJ&ml4sYPO3Q3Y-!}4l@a!~_hM+fL_`9i5|Hq`@HIh!SA zvNYHEaRqIBzMsT^;TJ5WbF{=p=G2O9tNf_OGhOYA!FPpI!_D)|O3E60Fyhc~-0-Ww z)3^un7Qe82Ta)r_v)e;C(EU6oAEumAyBs_nv9;oY+I_l*<1&}XaL@3YQMQ^)x1Ym0 z^q^2+%W#VUH%M>HMqSpyz{BN-8M#JQQCQXM#^a;qSg|Jh0_LJ9zrNFuO6Q+!a#vxZ zhK$y|BiT#sR5`C3eZn3F%`eGQ#~+3x`E|or`Ih6_t4~Q--e=VA^v52`BS)?qjz2$< z!yzVqya`y#Z@tZe{(4Y^$Z7NwpIFIf*XF`PvP;RQ1FqFX-SaWYOj$Q-3- z#40OMF}5^{%h$YlS4K3lwb_S@IqJc#6EUdc&_zLGIQG8Zhm7B6XI*AruJ|c#VKZ- zZ{wKGj?S@_b!TR)X77RYpJfO}4W|2T=}pnjt}15NrG3O+^Pu^wY6-KIVG9#77P|Q) zRgm=fMt!ewr$7{LY-+9r;@&8*I`B5 znI~Lj(e8Se=MyFS-wnmyTQNV+c=z~`>-J;q=N1`hgC7#}!V~;+I>vSs*aBZ*ZL5^P zj*|>YOt9j}-V123i zQH|V!2LItuM!e(E)kSG z^I4O^_}saP8+O|A(spYfFClut+rP{EC`PmBz3YMTlOuu>mXaIf5jLraW@O9P1COOn zs4Qindv!@I{DU-cy93N&X8WS`N;e+P#;3bnKO3xVA5n{Zm%S=9SoY+gzt+{vX$Qdbk3KzO_TSP3Z4D zp#AU5|0Q+|PDV6#WWc`0HeA6*6!I>{@$=4C4JBVK*QzV;l+EiWelN6?t`}Sik7~?^ zIoy7cr;Jr0hFh=sDCsfc;#iVI?=L=BRkmD4nrslZk!==S?(B|hi)ENvS 
z(Bf&)$qU$_+IFApuN!c73jV0EUbQ9a9&G+ifg_Azmg(lr3e6^mrgW`o$2nWgSS`** z&=@Mxm&Ku$yL5ZvyUQP?+<71!1WvpM8Xeqbwhr&l7E}OjwL7UOHRX!vb|G0pN=QRh zE1?yq&4#i$okYofnY4PH++;6X(JAnT;OL~>#OO4MuV%^(l2^psSSq)dM+U#Gp*twX z`#IHCuK!4CQ1BfoG$-Tc)EYCm;Ixp${)l+mS_ccZm~|N?erOzR@;?5W{X$oOLyMrP zVM(^TyD#+1GXWk=FR{s)x-ZC|3j=Nk)O$p>@CR&8iFGf2Y{h%eS3bxP8x2v6A9TDH z&W-&JYp6d$pa9!?^*6fkcQ3VIylK?;v+ryKlDk@)64PgO=*3yQP`Z=GwOZ4{WqN*UdKZzGTazf*wq(|!GTidd_wd2_@3 z+3NJus5;(pj)B{XOZct0rR!^!sh_#Zde5Odp7OXoldB&)R62X3B;+cJCcHCk+Ka}7 zX9c~Bd`hA9%bbd_MCX3mO2_ZlwzD4+-aE4CZRN=Pytyzix*nr(?e$PIo3>e3bj}c| zU!Yvr%}!r+wQE(Qv+0ztB2C6W4B1Icq#3`yN=yxU@q_Q_0^$jPD?#^ApOooo$%5aeqT|zR+o>Ep zI_v|Y2aqGwWc4^+9JEqsL^`ULJZ#2EnIlvovGS*00;tNt44JMSo*C|5<1W(T}6_H#S`u%FYE5WO@M6aRh(Hr|joPx(n=z~jY>lKV)zk*o|%DX*OLM4UT zT%)6UW0rM;iH=sMOOQJ%@qPwu`qU5J5nYwg*Mq&01ob170^D{2NQad44vW-|Dw|qR zEqaUAXPaYws8qMdHB)!v|g1vB_hdNiYQZ@ubw^Mctgme&Dty4#ZeUS!iw+o!7bUZ?MnoM7F)#R zctI|Tv+!|yhwT=uwY2bgUGki!8E0U{M*2uyXS{vdvu})`o~&shZAndhMFi#h}Qk_g1TThkjHi*~&kK&=ECZhx(Io z%7-Kj^4bZG#w!hfOo$_TvH95^(tDm~tF5nA!ftP}3i}GXaA1R*RT-^M-A1j^X?ER_ zuyI_9M9^Vy2;1w(%H}*gd_)j%@d{|#)Du}t@$xMTB5JLSJuA50K1ZBDEwXCkUP1_D zMYs68lbbuqcvBsjKGgb5!KQVl$*g`Rdd%vT1_m)YU5KKnvG#u5kU1-|E;3*|B<7EaH;A6F1Z)|m#ctnNB;O26Ki ztyrW62g;jyK|N*f#d?QAc1SJQ>JmvZ?;ks`>G9I7oCmj(YYp68r|1S9)&3sNiO$xcUrdKfAN@rC_oyS33D@g4w)KcwGe~@O-aui6PsnbZZTvH8x`cgKpx`@_RnZT5?YR)Pfl~B`P^U-K zwIVGzkHL~p9o1^$_OTSLNN^GlBAoBL7VPLS6E@D`T=-g5K=;fcDVO5HX8jXiVNP3r zv)<_g*QUNB<&DqyNI|Im3(IK&aIr}~FBLXOo5i{9`{-#3?1RR+CTj^>>Q?9ME6zu3 zS%eMdrbOhOg;OUYvA1ft-VHrT%H9m? 
z!w#zZ#6k@fRo$APxQX1`v#_R4ve9|2d;fat`p`PA51f}(8A4-+DR!IZk4`>&=s6q) z^-y!|@E_%II-&6%VbmT+N$tzS zM1yep8hDGf$qU^`o|IebiAZp$;9mzj)EI?mKMALx9;0_~h}0@n1h3?TuEltl*o@rw!S9I?Q^XSfrJGoU=1{9>0LE17g zprlY}#j~7B9Gm#pgO|Fg0(;=BwB`2RwxjGB+!m~~Om9BdXETzW`8o~dx6N(p{XVWI zkBuOjL#=hmN(I`AxS?8aCa``SwGoxR&$+JM*@?$odfb3gpFkb2_fdWo5@R$~-6sO8 z*uDvSF~2+OSibViKDR0()=W7Z9-_ffYZHQ&h=( zvGa;~RyxS9y^|1-;oumRtoHqvh6GQ&;aW|!|Y=*X#7P#duu9EMta*mR;sPvM46!e zdRQSCgrs}^1D;LZE9ke>C-QHMe6fT!R#sOe{gF^|MsfDGP5Li&8W@p@2|M~MHfqg} znAISjd8n?9jy=k}6%!dwbCMm2?$8VT>PqJUFNrlT9Q>|Z|Ls}t0sxHkq3_QBVSNAlps)#g zKDth&_kP5Gi_JeD6gKt=|L@5AZ}33t2uJH6HOH{}?)Te)&$K|E^J}O4=jYK7@UG z)n1U2!AMe{J)^@#PVwX6;P`hh`Cs!|?o);v!byvW(9j`GcYn@m4W_!EN^$cooT9Mr*%!nIFq&r^y)+i*q`^ zOz=m$!-ab85Jxmdp5`6gp2IdB`~to%Wt=>XXIH#?zc#7=4Ll=Ej`~JHH&#N!D>!I! z8)Z!yv6BC;g}+`0|DWwmMv9ioD5sJz46=Ro)h$^R8@esDEp*KKNAvF?Ma#hCNNu!m z?%*wd;_9l&+p+%girMQLZFV~TuaTF+^?pg=Knk4L^b5aEO-%R*!6T}^Yk~jm4RnTNwqrIICHABy ztItJ2=$`Ji({$wi@y9kcNYQUH>~|p%Ss%^SC|E-&C!pBx=U(Urc^^3{#o8~MJ+Ilh+|c5FjV~IJHx`S-yDwjCnfU55Uz{wodK8*P z(u{Ih#aK^Rms_v;QzSjg8#)JSfqzVdzI~Ia1J)^YcyHWqm6jx#z>PDUS}= ze;?{*A06KrMbJIGUa6Qq&PW4=Rm`kZNEO?iGqPxqoS#m zXjQw4>$;X;V&S#deCui6k*8T(Rw;gcJSu+(TyriAT6;iB5Z#@T7f@_+QR`zN&J1Ts z^r2Ct%L|;mHl3+r%KLo_fV{jPQlMVCK5+H71pT z_?bUn+r@jBwBsTO4@*7QMaw;Ds6zQPjLOkWplh$s%`DZuCxfLnEEbxyLV>nJt{UB3 zdNW(R_G>Rbpb?9>AA_#%1$I!`uX5$=#uO!{?6Sl^M%LP|PhSC5PBh5gmXm}0$o_no zmzM`^WTc|%Q2*$(H_rsdr3pvX77m)d;zB!hMtu&7VA@MklaMTL!tyu2_t{j#f zXw2hZeA$>as=fgOTANmQAJPYUNIupeFY{%VIBFj)6BASBLd_F)!+;%UkfCL116R{S z7OAG%#zP~QOsnH@5;KToZa_N8+<5$QCRBsD+w}Z!^$;XH&Xj?C`6z=>-cEKi;A+KG zW%FIcyi&d5O$3e?4*hG4g6d6R%BE3B%w3Zqn497RL=_{HOSRe{rm#9w|3MHA!}j%abb&Fuu4)|VfD4>`zhCoMisL>@tD$NOCS&W% zX8BWlsGD|X^9OGC`M$NY&i9PPXDdqciVKXA8{C|ZXP)TPEG&Z@QObP>z+LXBth`)+ zBcW+4=_6zOfH{><0#2+fK0o*!;Fr_r(@(#cTG=A?s1%tW@9ohc!Kxdtku|QS)r|fln>9=y-brvPkR4 z-F7FxC4LGpsbOvF7(L6swh!x^UT+@#F`CB04NWGpfop(ED1YbllCT55GjFlUVCs#%Ozg)kHBnc~dR7qx zcqPj8BH1J^SM!OYlPw7?J<~QnB+n-}uzJ@`zzD1XxbwMDOQocdEVEhJVUB-!)5?KJ 
zW?*{QbbUG#P%5JNuKAO$yRHQz<2<_H6^0_3<0ksjm})@-5OvHn=PpCtK2mjY02z|~ z@tiD%@Wn&N%x&;r<_io>m;r(~5DYf@2NBLdf9N!ep#^-%PKI=liQ||DCI5|md&%#% zVP=hWSKp9sSJSBVIqS7O3;{3gh@F%8CN{FtSC2$YCQJ03%7T&d)UuYnoJqW{N(Cjk ziY#wD&O|#NP}jt77wK3(Sf!L1VUvXRl<|E>m0Q$t-{H*7HlewUFUex`1V(Qb?e>=S zB_ivI{S}zXT;xwW6aE}h8FFc%ED?zbXb?};(t8xNA+YAbwe^~qjVk;c1NJ-q~ix$&Y4 zkbsG6xM_mStEfjHzfp5NME~vaW3PuL0q_f>b&gwCwl(_0M)~{-xqMbNm%@G>(#&C` zUtLyzhWwh~y;$CUexWyKNz;jcfpL*@}xKAK-Ll;B@-Z5n+N*A!bJ`0?=+7P2{ z+H|SnXDmZi@V~<_#N4#r?*i-UT(##9d>6|9!c!38l9F{~V$UrxI~1`hCwGa!$q9=f z_^h+!+wEMWs0t&Ws%+Feygb{prpW_tC0{;}Q1^q_;fSVG4+_Ub(zoP`4uOi!q$nhP zlr-?Xq~`&D&kuG%C&pH{F-P>X@tlWkKY+(!)wwUsi%VjM6MKYxAhVq;6V8C$>JDaU z+Td`6_en*#T(4S3X10`1%en#zz>_MkkdB4MJ!G!(;V(NnjJ8`U+sQ3uIl$Dz=T(d4 z$KM0#mLsW{A@8KbqOXdI*iK`d5VIa6KK<(fq*oIXwdFfuL$*vz5Z;f@qM}s=1qA_n zul?oX5l2FH{iZ8vH{b-cOJK(`BHDdmgl5o!kSr$z>O5>FW=O-#BUlNur}d|~_YuVn zM@=@IZM4Fw@|M2s5Nb}#O#VO=eg}U`EmMVn`AMIQXTWEAbRCE?RV!F_C$(;NJ*tU( z(9(;1=7XWd5(T%mzE~U8ev6NO3qZkHA^LF!w&n+HYMWziJ-^T(l7a=^wM(3)#VL}E zENpd|7kag9mrZ^*tOrm@^Pvuz4)LMQ@1EWHD#fRL^+ig%a01YaCu1Dlq6Z?E@uGV` z{9LR)9@0Q4E4lqG`*KC`1jQ_eUaYo0)f<(7J)E;(2JbpGs?{r%yfK=z$5r;P+zN zwGgxnbD&~i`~U)(i)|m=P+j68T4ZE+9Kv|R5B|9C&Et@95a}&M@_JGfzB0*u<=(O< z`hMzHcYyLf4O-<$Azw{2P;EK0cBesNA;}Nx4)!ppNSoF!;H014OD7c;NNn>9oqx_N zDqDP`aiYnl7iS=arb z7Tmwj_<}iCw-LTFcTmw<5s^6LtH%Py+eMT<3{g~=hy2Gw&r{X&bq_}Q?}Eb<^tNHt zI-!hZPh$T6PR_K!aBn*@i$oy@qVWbbqUjK@HN^%Eg&D8H6 z^_B|-Jj@hE__(?){kiK_i#|^T+!Dq7`oaA=e z@vv>R3^GL!zJJyu7;&3h2F51aI_JJ8TX4kKdNp?bYI>wEV-q~o+akB>HmW|@t6u3= zj$GTd^&;%)*)8PClkhz_ru!CyX0+Jr&(&5Sqn@j7?W0UqbEoU!2*RE{jAhYzq7L4} z47mnu@RtyTYIaoY(6j8G>phE$;~#E(OZW_tkEeZO5Reu`hT6XD!S223i)F%eJoNc( z|0DONd^pW0gU3Pe)Se2HgDr}osHQEo{x<%F_DF-P{cSAWS{hz;6p3>%fEix$ig#f| zSs2Uxe9poxkJi%{O~#}jgT~^VzMDAIefW)IFaT4=4j38)Aqg@WFEOq5#$cCMNhESv z(#Oy%A@77Hv;>#Z1|~d3888Q)t>XIum}OjEKpBy(m?fTJKl2EiN&4I4d%%6#8qSLtO&ZeESsqF1Ff>@fA0b~A zXt=&aF9`21_fom)s&F{gEJzZ!bu5t8s+)(}a${p7t4Bsf zVH2Po{ejvD$-pRYw7{EzF!SY*U%5`Rr+ypyOs`bX&~QXCYmu43$l=`7>x~xKov_t% 
zL!m4i6&5Cq)5aEcp?uZ&Eg%v3HfXR4k%8oZYBDRYgQxKfnN35$i!av zsE${F;1IX`HYEPqegzz)B;P!u?v1aonp2lKW={}sKfSM$l~rWF@w5O!eV71rxV%Uo zy%YY6(eH4kbXG8>?;L|Gq3Q3Yyu`kVM`3PJk($X&s@I1~FaWRs>o*$VA1Le*_g%L# z6#~D9o5a97pJX88y?wFV`4OJ%9SM-26F?l^h%V4MklXD4HmCl%8$M=<2*P#ibTT-c z;nkS~++DmQj7)z1K{mK4-2kyQ6x-df=0yTgH;f+*VX z>n;8#{G%0zBlinEMe#-$86Djz+P>4S0jH!*3P~xcvh_!hXIQDf;`9Htg99c*ghrc$ z&S7czJIAjx-9I4bk`Mqnc^csV!1M3=>ji)_AJNGvi~kBD?w((P2msEHK2*0n`};0* z0MI1w=;{3n)eC|J-!JXsP9pquXL2e4jArww{f$-Hl7jDv=3y@XhPtx>P#yG$hJoV0 zF!+BRf_C@)R}Ec~zwaD<&tEQL$v1dmzc^p7+9j6J|g$n4UnCz>_cKi z(vGPAYQq7If|>uo+T2tb6@>&^vDTCqieS+kSsJtKN%2=XyF>ogy$$j46&A~_7vs?@ zB^C`5e~oVlQZ#)=RB8$h34wY4(%8cuc73r|qh@p?WyVzJw*6?0IF7S1DGYfDypb{W z)w2nOW<5B>grcjfsDF*`l5F}IB5^^jtNr|^cxKZB?XR&R7E`GSgo&#3HbqG*1Cv;TEWu*5$~BA07^?b^N)xZqcSW)mHa^#dA6EZZUf#i> zJ-oww7pqRw=<>7PaEy`FR;6Eyb1(X>n_XTFf&E}*{M7zxPubavm^ z%BslF(C`J=@+^Mw1+PBIMBIUMYXd3fm##fjaoxcCgAQ1+B*~;eltTG-d4N0G z@-qxt0Wne-!OLw92Dsa+bwO!=WE`o%MINkwpT+y7M7k&nv8Y;7y^-^nbPuaA0yM`& zY;GZqP)TOrr-^#(ShC-2Tb@(Vh|Ts2ciXFz}X47j?{1HZ;{^3QH3 zo0#XlBk+C;t8qG3A3~gGs;w8wp1uu@`8Re+_rs(u6`_gkzJHrS-8TJ6YpS^~-=#uA z+Egv;O##;Lc(x8G0ALK(>W#gTJy<1EGqW!^7QjZ|ZkC$x=^IiIJ;wnz$FBY}cR?9> z`MBM=dK5o`3%KDsBb%uP*K&u=u^v2#OBJXIk*ApT#(#HDphvE>fF~7ochU?2` z1_w}Hff+c&2lsv@{59njG!dg;WcUi$YsXiTMeC*7<~{G;5cS1yC_GG=RX$6r8u*@f z*6YmY?hjp<-_AR-F0YnTq^uEh+?|~&MvgL_&DUve@+ziG5voZBwpL|8pV~YFK={Z} zIX+o{;8JT;SwsNaE44efrOO5$MB?KNu+3HproBB3O!hdP@?5Y5+lq@C@RF=BpODjC zrR)CzppzKj*)S1$G-KWTv8)Oh=Sx1j`DqZm2#yyq;Ht64L_~!DE-FGuGz#SY1Cu#< zhojTPiW}v2M~1$oE8Bh3$>v-9uL`K`!CRx4Bzk>(1oLD0Ic2i>c?~8gLYmx+p>gC46q*^)X zc8G(lFBQUlL}YBQ#Xa#ciyljIo$VSSr&Xmm`X0WO9&tR$7&|_XSXgKyLz3O&nXM;E zf^kkbUJ>6lj+ma^vg4+pb(WP2ngY`oyOjtDWT@A_aJ{*}yYWRZmk#ju_T&i>$_nHn zhu46s2T3ik!la_36SV2@-j>L;Y*h!ylexx2Xhj*3&AmMU^*+Id(|6e_td?rOls@+0 z_>Yhjnj%v$^Fx~*cQRhZ{kg_md{U9D=uy#M%}|~At&jg@o$~p!idp9$CQ_F{966rn zC#SqcWKKaM8@d_pd-IK!jW%f@u1;(oB7}yb5kve=k(kBul?%(ZBtQWNS`8~u0>ZPR z1Ox`X;LvQM)$N0$d))!5IndM5(Lv2B+|R6B!9W$Zv~gs=k{1{kCqXH1hua!8pSVT| 
zz7Pb~S01=#kEgbPbJ?RE?1E=DbiO%c7P9EmAEY$_j%2BDKcKVK7h#4|2%z%i-f(yP zO`ptV16b7h&_qC(^bN0M5n65{FH8dFveDM7c?==oR4~4Dg9+scfU)t?wvl7Oo$b@&b#6{h z4=_4cxlL-TPXQ6#TX0mosm>t!?zC3Kc>zkNSe$EEH;${XEQ*|uy^>eUfGu?!;9W<| zT&-OQn;-T3VGCMtdcA!403Gq-lWbD2QJj|X<$G(E_~_D59LC$T=G&>mjUzC23;-A6L_{@bS%X#KOCyR^1tXeY+^GU3;8l-5pMrdcIY! zBfb#)L>7*FQ06JcW&*c$YQHsgS*n`*()Z8jb6J6mYhZn3$h2q(20r~Q#a%Mn%SInB zw*hgqzh!&5oJwe}@|xJX;ov=!iD>K@U_IIkz6L;=w?XiV#Q_pm0heZ>y=tlX@Vd-R z9|phO5V49T*~Z5bcHP*!8TY87xzi2rBsAP~eIP{}6#cN6(ydpAiWVM)B&oIIr+S>K z&Ai8K!#vaSaV-70Lt4i`8#d)E_w5f7jt;b&_ro&`-AkL3H6Rt2aGJ+?;+jP5Q6lON? zHlM~mum-+rr$lGRXTT3ieC!+;{G1PlBSbA>Qi!WkcSbG?+IJa}&$)uFt#FWNb^i*) z>IWf4U0?Y`MoRMnO1S$4U5c(-hyB#6h?)WOgczz`%MjX&grnqo$5~(noBn)pVb?YJsj5g zoxlO%37rFL37$#eS%)0C2!g)JC5t5%E?)^;#`c)wc~nzd%f}drTdXjo+Dkku?BU)t zjK>pcLrc5a7+xpb!uQAz_1J@YD5*cTBIU`wb`&u^6$zvb4rD2iyx`~Q3GHrJhryOl z2@!efFFX6SxAtr{P+%IZd|G#;;2K%ZWv)k%x+hUC(>dQwLvf7)4Z92x`xcRzS2cp>FaUI-rYcnX>a07p|^w>(-SRi7@z97(D zmG|t)ja%5W@43oIXSJ#I%yy%>@)I+ueA=okK0SV7r?n5@gZtWzavW)`tBL%gPtP{< zi_vi4ODr5g#i%tDWY`^RM(tfbn;EgR3dU*lAg&$zhOD3;x@iiX1-_-%sGf1^X=TW< z{$i4@et}}qUDZT=G4cdi+U1=RNk?HNO{Uj+d)(=t_!AzM-4iUX3s){;(VQliA<%iwG}&N!_p>;IEI+x^hpODxwAm1JP5VXE1JZTf|P*vcmk!hnI?ww&;k43^(o?cfas%*ZbaL^Bgu_TlT zc(b3(X7HXHl$Sy`2%zE$*XeqkuLId#bk2aGdt>@M#cG6;zxB}H5^uqBlFx2t@i*X@ z)*Fk-!2v_3@Ws*1-un3bxDI0w79)INpJLq8%C(xV6mdBCLWo;R^$~*Qvy3dcO;*#d z7a#687I(0Z>mVsEL2HLqMwO-Vlog|Hc%Af+xTK36gFH7>S zDK1~o&QdtBg0l}nl@=v(&5HIu&WB*ny2!-X>riUi=w3vzkvnze;%LHAx96NUlN%jrZ%4 zx{I$hGqCfUOFILdDl7vq5fgRo#8Nz8AzHj!gc%gPZ9ri2xhzs0hBy=iA`(wz;_W4g z5>jV7-~Fhek7AqH^w#wkxphBIC=UyA7RJ|8|I_h6T&}U7kpDZ8`_0ahN(j1qVqE=N zn)U#2T=WmdWBSlT`|x z)Mea#jHMd*v^MHOb;~{cj@GU6P?dkW6br?4dJB>+u5TXri>lr%3Z%TvYE&IwQ+N$;`lwDfK}^a-OUx_69;ie&eW=jfwU6fmSM7BnuSEyu8kx3xu_Y;mi-qvg- zctq;kH#8BC@|#;B4w*zmaj{_&I;*(JGW9Z=%F|9@1-p*#hj5y=v&}EL?^wrA3Q<`p z1nGKJS`?JlDQB~8sTVl1zfoZ_FBOe0Lq65$Yi+}+5=VBVFdg#IJ!kDar#igN8L~Cq zPyY8UO)r6yY8Xl=ztPYc`&?6d;2V3>m@htl_~hrI;ofMi{2B*PEvg!27I1c!MOAy2 
zlwRR`W3QDN7YJWQfg|l!u(z(uoNi+gZCmzGO35Z@r-w7FOd%|`EDpUeN}$|pMO-Ue zJ$;mnNTmu&tnt3NhDZ7)z0q{jIYY~lRMJ;(jF<@#Yf3y@#bnN6k<=5B6R)yhdzom7 zG^zb@AVnq5b=s)U?h;xC*?3A-*kA_q^xDB$O0wCaq#6FBQd*Ymgc;0(-D=Ej?9_aW zK&ti_rIG^kyekke?lh~6<@KOa+K$R{i>(9}TWoUPyGL<;=LK+LRl(>V8o3zpZ#R%) z!cb{%=%Nm^lxn@zGte4;=xwB7^79OUv{wD=WtS6gB4Fbxd_3*zsoOZ|iwPg|DkExF zhs&w55jYh-fY7~W`#&mZ@|BnvS}MW>|Awei-xKFq+j&sm&9eN*k00~E{PYURN!TmJ z`7+3U+ar@%MqThC=$Ykw!_@8>tS#*Qdwsa=;S3nFwtAT#U+9&nlG)+A)Gj{;6}3c< zdg)_hU=u2D(rs)K9w~36KXcsssyeKr>Ka~ROofj~O8XF(Nqxos0fI$rP$j1e!XW=q z$n8T%giDPfRYwn;UJ->ikN9fn>mK@gh%8iEMTD;VLau3QPWI4~}*VgquFwBIKGoJ@BgMUKHA0 zvPZ_{WD}K-4^EoVZm^em&xZ66g%v}209A8QoMKdxY%}QW>kYH;1Xs%EPKMmUPqNZ) z2T5hj_CWST&GpEIZX72um%A4G$z~eF*fYtLUVJ(8 zH4s~vLzUpvnPi(>@afzXr$xz^-}65)1uTr>)!f_O-p1U$`%9>2l{czgCE=T;_~vsM z5c-j}`G~dU{|5XWoaX;V9Bp=V%n~)0h*H(fp&tytSINZW?I)o=*@qDZeM~&S5_hOp z?#c&y!X;+I5Fh)6qt2@g-|(>#hc}J8wjlLRQUBh~hA2)Zij{2jf~WiIb5LsXEAvIz zM6pk*FlCDSZmpuDISE*B-&%vJYlGIhq*YsHE50Gw zVBn?;_rVt$e1=`x25V;MCd&n~Gru2NS3FtE7=5OtL4hvqJYtZ{xu)>=FJ_H(Kscct>j^)>aTiX|1()|K#D zQ5tD|+33|}^9f}*POr}9DjGEgG5U&t24{>SA3$a?*8noBk@mQqJAx~oJMCV(e7)1ow%-EC zJTt&7Yx92lJDd*CO^}0CA$#%Y+DH!sWCM@9Rb|6usb<@6}JaD>sb41PEP_AHvCQgl< z;wvmrCyPz4&I~X;05G~2n5zflG8J4-0Xy#wQNE}g>9}bT>Ttie!1W#K!BU4i|4UDI zAM0l$BFN}Ca=%Y+b)v5|P@?zsiW3re99Co=I24qo;xE^rNgb3N{|?USqg2D&x4+XN z3deWML+Xz`^{l`{Dr0*&w&5B$b3rUg>dlyc$f+?#wur_WaT-h)?*?OQQnrlL4pH{I z+7=T0oS1{zUbi=PAm`OiOAe0UH>p~SH-%7!{i13))vw_FAFc*g^qt81J#S-+7W06&2c%Bk^t+Ag>Qj}T}N8pa#0=YIm@ zHj9AsA>x5r{GPu9I3key`l9amOU!(295m`H-|H$_=JEEETRzasEnKS94@S@OZRcb7>+Rzt`=e@ZD;X4;EZbW zvKGq7O8+f!>VJ$;6z!rLsul8h0yAa7WMFOg+uaS{9Uz;=3t*eKS<} zrQvv2&(2}%suH4^h3y@P_t&U(1PF}`1|K!_4W_c7tnb8jh4f7)c$i5zSRbD8t&qeq zM?y||`?|0pQekqdJNAGJl==U1fdlnARcBenrX(s%gVBO%JRd|Py!U_Crrfc1+eo5_ zDb>#`X^87z2W}h(86_OXJ$VGdRB#dgbF38#?s&hgiLV2Hky_g*;AQg2=w$!98Hs>R zEAU2sbm98d zmBXF89K&~adZ*Y}8ysxiW48a(6aH`5-(kH-teieN&SdRk?vJ$KLQZKL(tq;TT=5l7 
zA45suoH;byzIvKa%lt|iR9F6DIaM}&Rb{eFm;H^DeI_8Wt3O(1SNvo#k4@lv+kMKIC?9wC|Z76GSwS8r(RNp4-&TA3>Z%FyS zY*gI^#Ay17N^WDTD8A03xQY;dI+KE@j`S+w47Wp~^s(}>R2t4b>%m-vzM&=$c_g83 zu$O4~s!oZ}0!F$X$&mtMvD)-kO0^gG>dvP-NBV!tYj}9zq&|Y|%p}>v z{fVUPw{~UG+{h0k0#cTfCL#?I$15CY80BNcl16u2o3IHT!e~(QRU(xu=_SpN@)hZ* zHf0Un2o8q`I5T&T{+`bVly{6Bahg>`hM-k=v>gVoWaneph%9}Hm2Ib!oKj4V1YXy} z)usN(Dn5zF%7wI+o650koD6Eg^1{U?8p?GKZ|rw`$_{>m1MZeSAvRJFNDhPt@)_Q| z*L1y{IDyVRB+qTI<@<_`OH9O&8y#iO_cRr-x-2At58gG5>YALDB@P`&x7uOevLs zw6axSH0N41A5E8E0@qUK6}f0ArU1RuH1}sx4l7eaC3Ne*_Jv1)OHtmC(P-4T2$PKA zn1+@=ZC0-ni?x_C@<-Dg+g2yGw|JEsG)0)}MtdO3S8mvuxD#oTy0+pLX}(n4>SG{R z2rtngTUEMZxVolZ8fBUqR#%abyg=9FNL$g$?!Ymz-^}jZ2R@#FB#1e zRN(Z(Z|^ke{ksR!{JBP-(8wi!;bdy@q26N4>U=tYI3O9hGYB?VF8BTT%KpVUE{RcO zL<++XhU)D67MmX$063(Da88JSCCK@pElxzt7Y{@J?n^koR*&uLm^Eh9pyIh|?28^C0 zpc<~3pCc}6OWG$*gK|JbfH7uw-qqxb1$kUOh1K))paNucbo8SHfCxT(!msMIJF8~l zk0!bfxJ9F`P~y9CKT9&Q&4f!>?C`fvJ}c6No-EMh;SP}V&b!rPpWmRw_wZ2CbQa9l8%MM2qe_= zN^lWGz)8zBZ5*srJg4uQY~D$`oCftMSpHEFX>K91PW?|sBuXTBzJl$I17`|k7>65K zVNyenVaV9**JOAPyD4@OQ?S@rog#mG$TR&O2t`*eTDRxQ0w{c&H z77?dd!s6&!6LYU73c-%k$HjGWGQ8kz&*U<7?_@r|9F`pUe4#y&lcr+Qb7C-JI9jA> zKAfk-s|KBSuhCEvSugR?9YI$q1{qh~pawnta#vU!NU}u4?TGX1xP<5ia1=Dt4HTJ9 ztNeEAeh1h4;EpTUD)ZyEXEWPke9dsm8nu1A-1y3xJ5 z0i;JM>wYJ|nyo5ox-bJG5V;bUZ{{i+pd7mNV^9{I!@29vf?X^i_+w2T?sF2V}G3Z*Reay`cvvD9Y5E}pLjIVFjtAA9kfT7gv<({UnF?xXSA}+dJc2cN;|qwhG6NBU zXtB1$g8ZU7`Y{1aS5VWAPxxIBsMS5qzR?v(lS+G6NO5uQPo-XDOTl<*T=(E>lrRpepV| zFvY#iYp$!iDa)39tf%Q7FF?i2RLsY*%X%M(*NjX|+>L##i(5}4B%TDSZE;R$8XTb# zu($syNm?RO9BgnsvhXx;JqS7J{;GIXFTvq@7NQ$SOSso2s&=$hyO9~(5E2sNGDVS^ z1M-f=7tdGcJQuHkKp^DHpr~m1`A3`{Q0GcjbP5=xe{JTn^2W6M;U9>$p5Q3Tm3GLz z^`YTTu;dQPEJYcggn`rAVaU(pEwoeYy|1#J^mrUBy^n3zjL)j9<~9?$9oYK(PUtdW zemf%FLlVWHjlfNb_8O@4Mts&#kxI1CV3QG4Op>x(|0yBRSd?Ab9&UKNaUHeZILf z5R-ttNVF&hL`msvP& zVbtY9^UM&QD1$HoW#hqA%RYVn#1Ns7l9G%x#3}_KwlnvxJ)3v$KqRgOlfV*Fbl4Y1 
zd^Ae_8C@5#b29Ndu(vm`UT$o)n*fQvfR`EuVn@?70$Un9owuc0>u~1dfc$3^-mhi9j&D1zE}Pnd|AxS2*^IGTl*u)(N|@QM2}3nZb%ji-sv$|O`1b!A8R|ItMqx!{SD{#>nS zz=TUh62d5t=bP^$@tWn(?;Av6h*NiC4F#0i`Jg5W7XE`m`QnDdpoO@SQxccO`WFkp|C#}U(Pi4;&I**zAk~Q{qYaA&fYfi%!gC5P>ed>_ruvD z^;om{1oIj0uMB^1*hVHL1zwvDwJ!u76aU@WIcn!A`D)#LRO^9b?_U?6@8GR znpy|Vn`|9cWoQ6}ibSJr=DOr~zQb)b;YGA+3Q@ihDB6nUYhwMbcY1u#2S0aDOVJjj z#-Gd9EjuODwzc=~;XO=_KjHM8DQ(|G<(}0&+PDlG&lMVP_>HE)dht#u&_S#ICd-lC zPCfB8>-QW!?$4AIgL%}b=A!jUtBDxH25U4uKRa9_QzIBwfv!m z$3(e&Qow$(30fpvb}X3T6IfTpZFM4_UuM)cBK0yy%$cH*XU87YAva^xvR2%kD~MWMm|AThCi)O@-`ZIDULi zRkSs|(i2sfuPnOi&b(;m|H4MxVP~|7dr}@@*LWk1Is}2)3^DzkA#|;qt&7NDZWP0G z7sRH~K$zWc<%>khp0dUbrCMN;*P0k=E?GoayR5#Cvxsb5pdD)f^4TosuxaEf?%%iZ zF57Iw?Q@g`nGw&f(Dr!Q$iLOWE*)+aH&?kMWe6tHD}AA4Y1sF1lz7#&kyO`DwvaCD zyR9lc?I{Hj|80_`^MK_|#AJoV^f2sfLaO6%b!GAs=W4dHS$GO5>qi->@WO zIb(?!!&u7}&B-#d7G}yGN2U?UWY3tg3`vq@q=X`a85He|VMKOg%f40&*^_l_QREo; zzs{HH~q6seX8URopaAip7Wc6L@G z%6ua)*C^@0|M=tNd4ch|lmU@HP!=qzVWW?Cd)Voqb?1%SOlhZG!KX?+Zf(zeM;2pAVEi?h4)wv9Lh67tmA#%3$5xd)${I{M8 zgt(#8GL8nFgS-zVeo;_RYTdieN^2dzKZ!56#PNVP($9j8p2WUtF(ch!Q%eMqV3-?g>IPxzhTW0E5Ms{9kAlO8Ld37?7X1!?1TxZ z3|<}rBp!B=#+eZlQ7^5$0k z(Y=T!?hSeX=E7;)j1fhzk}h$6O0Y*8C=daOOu^kU58kl}Rp4Aen?F=YsB-MG2rGa` z7|P!??cLqRm)*~L>{D<;NT+D#)nFtFlnWwdn=?yEZsgg*EoCWB`m)bp+`(fO^#p}_ zy&^eJU|4X;4`UiD09){~%ZVl!y*j#B$X4aDZ7sDaHvv&Fv3|{Wc_Wy#iv?A{Ax_n& z$Ha`k=CrZm(q{3+-evH?Mm_|)((53NNGD9cUTxIBv$4e3qr^E)gL80B(Eg&ngbO2a@0?~ByD}wdlN?7o7#W_qX}q< z0hHwdW1+LCpaWr_Tm{9sxNbjbAVbuioe3ZcjC@|T5})@yG8oN0Ab%Kh2ndMJPr58E zY{s$8i4~+2#ry>Fs)mfBh+JsFn=MQX9Dl{IC#^vUaVWwW{4 zQ$RfInfh7;zM;G-X#VrqJq+^;AGB;mC~eS7xwW&v8_?F?;y8fG90Sr{czhqt5c|2& zG8fm~ z`C+@9g?-WS)iZ+djSG|=yui+iM&Zt``lcS(Ws)FK+`uvlD%e~(Th|_{ZTbtZ9ma&u(!S{#)i&tgTn#8(7wM>R@NwMMlGdy!8>#EID&eO#f^!V6 zd{jQkkaU3(YQDX<90Qa;i-C(uPq*n48UDQM9g|I9c*3lwh-D8Z2`ByL#XC)k%fI1T zDXVdY*X33DoW0F_7AbB`X?`u#J73W>=Xr_AFU-4$mirP@X?ty$LN+#2Pb}uZnOB|) z12_iTWCl5u-WK7_gV!k(#tQqT^IXlzp}G;%PG3A0cnvU)xP*f#T4YX#0G=OPRN>;` 
z@|G>XjfMUWO?=>6%T@*;e(Iq%eg%s6E%|D#<}D!PGSu^fJp=DXTx(1a_oObDhuZuC zm_4#i-F-Wke)o;RPNTq(yFAtK>xVT%k`$dJg$Zt#j2A%9PK>a}*~!m+65K;~i^wm^5;noFr1sES9O>}F5jMtxDCqCkf- zzz%+obP7JksZ{*<9RL0O$;xA4G!#f;_2-SvWtfM=8b3t@TzossQ$|L2{#gpOBZJan z7_#56JW^!DV7Wq)Z@8u>@OR_~!gbK$#tY~+a{<}0lf5OwR_(W}2%(*yzO-Hq-R#<2 zfOOdGcN_9qv#lk(oK~=`MkF2k{)sF@HF(_lN$N_!#71~!sQ}i#cVdMxjvt?ugXn1N z!r6*^7jjs8eldQ!nkpMb5=zMz#H~a%d?ns*PD*1@ksfmCA9MG!B6+zdBqAp_Ejt=j z-A3}FP*X0F`=&Dp2s?sLR?!v6COw@15%yAtlE)3nz1?F##H@Tfc_$R-L`OIfG^3+6 z_O}4W3l&K_fy`XDDB~ZS-_`D{Ay2H0u2guuP4Quga8L1m zN~v6_YFY|I+Rm<0JO2TE*b3ZZWuEpJ?O~qi$m}b*;UR+8>%lAEOF&*-aB;#L%8l@q zyxiI!Y#W~#o6z0fo(x74o7hsd!ABZuuTh`@u1w}DJ5!;Zzr+q4MxFK4%Slh5U&)n8vIy@vk#{{AWB1_%^^gFtcho+r$JcpTT*q9MInvbI}< zWD&Pql=Q&oCsqLQtDaJ{JY@*6^J2m$b=Q`!HdPe`Ur+jl>a=t2@ujQ9E@ZN5$j!IL z8pVbz8oHb7a20c!;KKOJ}#Va=jU@e zuZ!(b#;M~!bd&)tVDix*p&`FZCNfIzrTaPFy$wJHZi9=$fB$ro zPd)j_3nSJB`H~Dy9&tErb2i1VDzKn6vd+#oaV8KY(9|6Y^KB)x43O+UiFJ=!uyk$D z0AwSIy!1P${K%d2IeM-f?y;~is^PPBETiOdnc7IEO8(pF){XnlQ!SnY&z~J`^H4r(G!amwNfi)K=_sKF5CM@c(xi8h5_(VQAkw8vFM>$#HK9uAy@%dH z?}QG2xXbgt$NwGAcYilWAXhfm?##}dbMEZyMX<7>%zc8#1Q-|?_hsL{d5?jCmx_Ub zZGwk`ZV|+gM>i0ZSx8DM%SuWzDBFX~EUZj1Fy02o#^HV-oqP=6?a8LN!|c!a^eEi% z&f8+l7(Hu$|A+5FebS92P3-QD`F_QFey;{EbN<&Ot$RkzEsW{DUz@sLQNZAK=6VHhtC)0Gy;AVv5&xlLfyw)WR6@r&=VTcTxY~NOh{f^Xp z)5?#KXcircL`lOw@9lJK?yl#rWEx~gSF}!`1!AIC74g7AcR2VdpOYAtY?8ct_6X_4>cB9$DzwE;Zi+}7!M%6pLR z=lx~OPp7TpY8PwG?@}d~XptA=MV;SMrMUa{YDw^YxY7wh$_lm*z&x(}TMMJPpejk} zr?_F&*H_3@*SCj8vR^7zu}iCusE3D;pO@^Av$0W+R)sYrV=Cw%4Y~0zxd`L?C`@bQ zM5Xd19FB9(-yW_fW(=A04czDN?$l{a7ffSVKgUp-zk6pOAo-eYM(tk(%h`2>}B;!T!Rh5zRTaBUBxtxFR}^U!OC79j&qD^ z4z&Vg7~coM8S=^9>ohpt z29ymL#`B^H-VAueDo=#62`$9yB6&>kOP`o`+#~RQo&Jf9{GGplB=$#K>p+5Z#-ERV zd4JAG%NQQGyY_elYsL>JLuKv$5tXz7L67&Sfv796Cve8VOMp<1fVJht0=odkEKYn= z?4C*uJ`7{dd$$Q|@183SCLWa`FUE(ax)UXz_Y*~Mrx()nz-z^)By@@ zMJ=m_A*G`e(p#omv|HRLQKBH@#Unds0ezj9oK)518efFHEt@JA+-)Um>_q5_Ljmo= z3t0O)o;X0_Mq;l=UUYLI^zB~Ek@%0X<$M880vVW>NxtIC;34s#{^tJpnd~a@YvP2= 
z2f>zK5WzuT3fq#}3>UFw!?Ts_83Ure$tJyhn(aPhIwU!y&6`*tRmF-MeRtW)9{)_> z?73UyWiX=>Po}GKoHBEabxdmvf0t;N_Vd_ZGEP6*mHB=mepZfzjKD`Ccpa(usKN>L z&9dYZ<)h_`dtN+_%8_%(;>a=`{A$5!0kGgQ4K8ypqbt*yykBNomTP)p3SU{XC%5;p zx3CYemsu|A4C`20IbMb?pB>a5s2xzO1g+ueChbTd2LZ#xgIvQwR04rOzt*>AkGR8m z>L`r~4hY5w9uVY{bv^2PPRRWrhc3ER-qglC)d0mK_TtyGx@YY#Y}5)gw$v`uUn+H~ zJ=1%ppC_>%K4fkhR~B#o^+0jOY(?fdB^gt!L9E(yTs6-8hGcjGQXm4rX@Oh;kAj+lzCy5BfLZ*ie;iD`Mm=2JZ;Z+M8^5-&gh#b=Jt`qQulaQ0p ziBoW$)eQ3tw2rop{^;nK@wjU3)n?e*i*<*i@}tco`p3%mbqLiTe|S92-$qq-UzL!U z(wVwhnqOL0+Ef}4W@xN!?6Z%#L`PZ>3=JO09?G7JG1@TuZt>Av=u`X4d)(bTmi!*C z^vxkXmnnzBt6qH7JW8*`Os<<=&$je4!ZSw~!+u0P?Jw&&s3IHfLVV6r3mLVvG~RUG z^c!=rUgN)KT{TgG@T{yXCqs-O!l%|Jeot*zZ<_N>NNl}Esd*GY>#w9Q_)uvyR@?*@?*3R(!-r94l@N!IEs?GqCsuK84FtNUCxwdQmEfo{HT zS}j%G(|TGbj}@C8PG^wg&HTcA>1Hg7v&&k%ow-bVs=g00_g)1p*x=7Jg!&E5Lp>a?u(1-s9J#t>)7<`w6e>ZRnB+*KMj<=rn>A1PYyU6Jp6JhhG5VO+>u z6({MypC&tHdn@+Ibbzb5Ww*IX}sn9EnLuU>KU zG0HLA-_~MkUf8|te3~b){-a4!`MGP#R+3KY<&&q}E4E!GpG`hXK7PW%zg?lMm%!Li z@f!SlgG`jsSS9t7!H?E1(HHQx>%|R6Hn4@e91fPXv(QtVZ@bKXiG7KtiS!y$1wyqS zZ7OY@kdL!oX^)F^AM~ADaF}s`tS^Lmos!1x7rAKbmtszlRA+#*Q0>!Ut&_mXS4nS^ z-t%95H%?WJIka(DULDh^oZgzw*!6_vcSm=UB9B3K)9$5JP|Grb|b&RL&t-rwTDLKn_k7w^A+aL?_578o{eTo+!5(ah7YiLSYqz;p^5 z(k~AqeCc=9Pd~g=+fXCdSop=8pGx;tU}T^4B6sR@?1t|~aZo@I?&sH^IY*~P$LLf< z%b-L>(Ia7Wy7m`y~i6U)j8%&XIwQo2O}Zoth;*QB4@D*j*-37V$A(5Gq;I?mlpOEFe4ZY};@%sTf7rUvmiO*yVd z?WgafmOtXJ?;JE02?Is)M2}qN5p$5`eXG02+J&;(>;%IRuti@qBJL&Q}GeQ9m#XvpAdZDr#i)U27MutCb zakLa=)KpMrkObMAGQ8q^$;r(KBw%1*5V1Eg6MFwf`mgTjPoj*U935?ixVT(gTsU3$ zI6?O2Ts(q;f?V9ZT)ey-=sP$Z+-w{TT{&zVnEo8(?{VIkIvCqq*g9H(Y#46GH8cV_ zIf^ne-U|B9&!2jlx?22?BpZjnriGp$*X=i4Je=HI{}~(IRpho+NZG>G)JpS>g|(@T z16l@*)n8pjxNfKLzozu3z5ZxL8w^Mw z!u22H0}1XrTa=>xL1Xbo=>z)x&aHFMZ@lO~Y=6F^ukWy9EtYtoKZ|3?zLEIgin*17 zTY)VVdmR$W{6Iqe&0P&GeBVq)ue;bWYS>baJPhmviz+0KMA){z#gQ=+yn7$as3QIi z`zexL0^fI;?TbmIz|BRhXSvIUnv2p&PXmB&H{W4)Gj*rvmxq_r3&-Q_4XTgizP@;0 zy#L*6gqhoqM(Ojz;T1-PJOAnxewpl=St>)6kJz%TU>^8v}fc||S-TZv=8 
z`-GvH?_)SxNJ1%&{SsX_MF8|yE-#T|rT&mKv+AOSMkqi}9!(F?TQ%XmWqOUW@mnBk zN^}87lp2X{LH!!bAX%?2Z8j$9&9n&~ zg9`4mZ<-Y^7s1p33V@Vt*Uy(Pw#a1H`a;XGlPy2ASv+yuE>H<)V3V}vtSe~H@r173 zw@+_KJ=(qT?uk>L>+UMir&`%-(MAmYqFm`>ipkcA4oD3Hb62B@5(VQGgdCtbLww!g z>>!VD%$-w2C>fj5O9oUDy=n(C>a#H?J7@^e`RuM}6dytQ9~sRZu)aFIH*7PpL4B5 zPj08Re;oXuhmfFaqWVnH&YKBzoZjDI?1=&W@t{63A*k|eCNzfYHBK+?E3ZU*C2g=w zeuwt{vy_9a5?(aGAIswGDJ*m0L3erVZ5iTL*1$%1wO|*!mq4LTk*szO)oR z{=Pq1PJ#k&;pN5pSZ?aiWZIIY`a{tO;Oq`d^a4nRXw4~jnYp5f9=iMuqz2*A3Zd?P z)r9R~zdgZB^)y|Q;CNT;6;|^M^fXLACnH5DU<;t1L^pb|(mf+fPVixh*FoK+Ro4JqddbrCa#e)bJ0U?LS&PV{vp{-`sv_FGIq26d#*WmB? z!3?)7Ow-EDPiVR`vmCmUUap(_@ATRnaoIb`;5L_{bpQ&m(Z1){i(6p|-nA{;@=ZQs z%%m57PwnE?y)CLtkK|_+XI9WXzvK4BnDg|Dr{V7YQ~Mi-ckc~CH5a-T{#Y5^Txn;z zy&qhN|Cmv0f|X?IicA85gGGok3x{T#5wLjF;`!c(LWo~5+?j2qkCIEE$Dhn-$O63o zi;`j)>T?M_H!BANaB{vNj6gO9Xgy}0z2JoR{zY`4X|AdK=n^?WE4b`mOQBIFMIM0q zjNu|95Rr`stch2er3QZZl>8rx8ZS0Oj6~PpxV@YF+W+dsm`$jFv2ny^p|KP$c;E%CkC27RZ-+27gaaoaYqtvshPAdoAuW~3?IU{7{94mSKhtTQlX$@ed z&=^~8&C?T95bN$#4Z6Hw+@oi00R=F#1Ny}^_~p|4TORZyMZ62Jr}K-jf7$QO=^~T{ zsRrld%_Rl`qh|fBx<^=1lxRmskWKcEA!86V9} z6Fg{dwIO~SQ2-2M%TfKAfsNS|ZzCCTufs9 zi~d9|0E!*q|2gYq!x->nNaEteiV@&!@n3Te-XdnJ!j2RhfspP2T!Pd3-dksk=nW@B9*>1bKtR_i(V!V?8&AjprZ)(L5m7rVezpmF&d|w`}@bi(}+xdAb}Be;6u}MFQ2Oc z-Z0~AxMr_JL&A-wG7LOzVC?~^BL!%=Z9w{W(QynW|7rSSP6;(2;^E?&5lfCILe7&} zC~~CeBzU>a(GYH`*pc&bme`GWe{%A^8sTtOVN~7j9Cy^siN_0&J#sBa zDz64&N3ZXRBd7R!G>TuP{loOR*ciS9N}DTh)pm4lGmO2LE4mdGl5~L9ZD78QzP+gr zaxwnx_A1`NV4!h+I6f^ahc8rGS^poRVzV|uwDbRflY1>4+PBsRyI0PZ)-q!NI5`2d zn_gb&`G`n|Xi$990Lc%NZk_eUhT-97Su0`f_AuQCLujM;=b87O|2>PyA}&eaQJP?)xOWc&gC8f2sZsJ!}I1OioMoVI+yZ3%cZ z@D7*{VLX^SX1r=ORp9mj+cj4J?dq3g00(FYtY=7)XhMVTiq!lKQdst<6vf+7&N_kt z`HF62cQfk7WLIRNkhw_A!&K?b>&OYdPk|F`6xtyij%}n{VnGH$K|!-`?hw~8pL{0> z<#P;eIGwnU%S?)e^+4P5!E40juFYP-T3^C!UEOJ;!z#z@|A(mk+MNAijIJSDn)uK9AnIQVv#m@`FACf@BlP7W7K z=EzPK>Sg(r0I46;bdv#bdqGr z`>uA%re}uj?nE{KQzQjuH!DeHh_n3{vxJO$PB6LJcU9I%qxKLN>$Qj$!pnilsvsuk z)VeUR#~jCHJ?)Wk%?jy{jp4OUE{{R(h$SX$#SZ`p!jLqCA1QY-wS}2&k0BNjHdSiZ 
zl5E54;S4BVh4-m$!%N)H7K!9(JLdJy&?mC&;9@I=bHpcO~t?gzUeG5_D$>uNC_F z$44ysMc>&(HD|-DWqA>R5U~kMJyh-4d-PKD#yt$RslMADM5B0*oZnK@Ww#-2D7#<# z7j-;DG1cYjSakpAOXpu5D~~PGdA$AzZPhc-xbOKub$1(c{&oRyLqkE$>NLakxkps} zG7 zuTLf{aWPWiOQyVF`MBQf%4U9yld!Kw-Ann;1F5<4f-RzAi@t5Z(%jw%r+@hJjyyy9 z_-Dn~#m3tdV)--XDb*ENXa5RdQ?i7KwpV}{RrZY6oB2{NF(4VIOI24vuGn_ zM6c|_lv&Rg16+nGEQCQYE!6Qi&$gSfrD;=3+XJNto3zZRePGH)uSrVp&*G-!t+3WV z`+T!?F|0N@4fW$@!=LLizI?$N_=Z;*)kbQOG9H`?Z9Px0S*>+KPFMYuBD3O35~{d6 zH5%~U5MbPl#tK{p2L-7z8<_5eJ&xzg@4NCIr3+RGxZQlSn&5J9b$Xa7M^87DWiejK zN?MG5AVnBfjyR|tFP8Fbsl7ME@hrCKS?BhoL)m^i9s&ce=SH`6w?|^Y;K%Pt6D|g(B>0;> zDw+uJB;p+R!RzD5q+9ye7xzD}HHtV#u#I>YiKQMJoobIE7|a}y^Y`vdb{w5Y_IZcX z3fdWnJevZ~V>$^=Y^ZEFdBb5EzBJl6m3H{rF zc(f1a`^CTX?mw4Ll}@}3#_DZ}VS{c}zcBgxz42rSG(8!Ac)dnH^8e@Ow>!p*&pkgX zt)|~)%O`#J{m1lE@1XBCp1eqq{D1zpoK$KBOR|PB!E>9idz3Vus8SI?Gc6lYdfyeT zZB5=o0pL#wXz;{-9niUwCKO!0k48-yZI0xY0gwVH+FmW4)|;JUaWX zp<+l=G))>~*q;~uBG1TlzIe0OZI_{2+O|psfx|w3VB!o|8e*i`0kwM|#>0T4`De&l z_4d|$$)`P_^i?x2jD*A3OMYXtVVXUSF>DX{Ij-j>$3JEIOw+1jl!7_ZeGcercMF<+ zzc!A(){lU%QxZOTInY22csFP{tS<9%=eZ}tl}gX!u{$Z%A#9)V+GuRY{qkh| z%iW;bb2K&-jF-E>#$zsk2QsVvtrgo}kU+utC*nebfXra{5(QRxyuG=;S}ClWvug%U zNfbCGfsU*0teBG8hhOB=YDFj!Rqqf6T2zydk&X;y0wf9-(+J#=!TI$yQb=84C(0F*F33ntYLUsrp~NFUSPiO}e?U1}eNv1mOGnzwk8e&?vR zYTiTGqY+FAM*)!uYOPFf@mZ*E!iRE%9`-E1&iX%=6Y5 z-GKjK5J%@1o7b&e^_y~(#s~>$ahBl55=Zvz3s5fJ==1g z+;03|F}YJt9LKkYs`5ULhGHf0F$LsiY64TL^Z5F57l(z~e&F@K7Zd<07#!^fFwZk| zgv|mS@z3*S!y%Zok+EIH^%7$O^yOmqNzGb+%VAT)-_R(U0GDH;lR3 zd^-=;Q1x77a<`bjV$o=b&H6>O)$up6g0uBa0a8Gt4QA@(|M#}a`opUP)6*!|Mhym{ zktK-dmBTCH&@1sv{U2*!3|#2CXLi+M=RJ9C_*K(hj&)dbh`-B9kWlVi4}FkXAN;b2 zgmdMGFE9=3vz~PD@uk7J?HI~lr&;y#jaxnnVj3LZ-`Bx781}tOtTb3^{jN=Uusc&! 
zO)8mRxx=)sA|x%z4d7d6+{e-Ah|jFH4y{AHoI{l|!rV3IBGWfTVJb&$OsN~o;ZE*u zY4frUMurvBQJvI5L@7VPHBk}idLMEk``@(SuWX>!8*lGh*j{Q~%K+M33@`?3o6=!V zG*8b!k0!}wHLg$or?;*F45n5eBXTe1<$u&h}^o0TA`-0}aM`aAC|f-0S)v5}?f ztY0t0j_eGV-x*nQ1TjtQkFc_&_ceiq>&pN8X*)i+1{cgGOGypFF1J)~CA>=aQIxy5 zV^%#sg|jg{UjEv-ql)YzNkxWVtxh*^JMCs@trjS@w8_JBSB8=8s-2 zH=9eHZ3>Q+MLI>~B+IxDJjJ3Y7d7iCp}Dxe{h36c89rbp8xZ1jTBbuxw)ZYMl2|Q%31`f#NT`SK9BA#z>Cfgd9B5 zoJ=+rA4TGTOkcv~fXn@mUR!ou)3xWuSuQXK*u&hpikg$sJhGM)_aS#*p}zTwQzq>S zr);ytDin!>x*HZHlQg2P(^=-wagMi0t%vnzgBH&~%9vd0iCT!3lPk~3eMFo_#4xy_y{$2ed{S#PqVMMv$C&aQ!4tu7<<&tAUc7 zW_5{{T)cyWke5x~UEj_2tP^*Oe~dM+A=3Qpv9T=8Sa{p;>#b%w;?g!rj$OOIt${^N z!%C#jRcJ9FMIg;6bjPBc^p}tKF;QkaK;IGP|JR9VX`#=9mHb%@tg3=JS;zD0xCr^? z)e9gmTumi6O&;Q)Tr;DLYCszH#=Xd{mf`sQt8fVno2N18i^9Igx4TTAtcnz?Q}Oh6 zlgTlKI2}Z{WfeUu++N2S{vmEiZ0d6><25}`GtNt)0Pt$B>9P`KTrsK!13VP1FriK6z{-*s(=V(5P`pg0#O&^O{8a~U_{(*4RD7q0xN~ce65h^ z?JZ@)^1`5JV3jnxj>k%7(`p6shn>ljX&WxE#4HEE$%x82>4H1an)DNpncutX8c&(< zjK2MojH3Ik$*7I+M2ENMUt>n*lZJs#Sg9gSb-rL1kSb)3itTYXruO5(R?veVJl6G z!ipK1gI2%+*_iN|^ry6D{%N3MAOgKPI{od9xia*gE9z}-N2yfu8@=z9b53f253q^~ z4f~?RbX+tj*vvTxu*nKfVpP>Mf%L}m{TQ(=!MDy{yplB%deg33h3^kSg#sI^Ve28b z>eRe8Tf)`hjN(+Dk=!V0k6HU+IWRHz_*Q+!sGzA*)tPXES`%9VW)XINv#H(`aeZ~! z4YWu94pFS!Hzqvi&F@NJTHtbidLs(ZZDFqtBrIX<0`z!cN>qb)D-w=29QBMiO&N_FReZzvDIYz{zm?bn@$1>+PY)9 zPP*eJ`_nkBG{-461I6ML&xkVg#w%x6<(df9#mYvA%>^tP0&5>4t?cR369HSG?|i?5 zW_N;Cp`f&#qR6TZFI3<{9fY`KY*jlcZA{X5qGx`PNnmwoc>E8=`9JNH(3;}L3&g1L zIu3i|*R-ruCrBL5P8@m%OY2E4tmr}vOO-Z<3E zy0!L!OTqPl*D#xdNN>8tgGe(mtMY0j;92R|AOYkMG?AIaf_4Ok9=en2IWJbHP?dcb z#ov@0(Osw9jFm;wg-Zup^wGdqv>cCKT?`0ei%-gs|8~B$A}qu?e4I8=Ecq&^-j5sm zf@wYcQa?Av<jc(iVra29~$O4=Gu<&c@JZobF1 zpvveY+6~g_t@f`%)Ptgfpsd^)Vh)xu-BlcqrhKN|bf5YFcZdWV`Cv-y$V}pDb3K+* z0K3JRM+N5_cl*>^oRCnI5RXDi``BoXFc{w5bb=&)_h1f`sH^RX>s6_}MOlH4wo!8Y zldWw;hQd9M3d;M0iW>jegwRTYWn&2vhUxW&dm>l8BKtB^DsI%0EjBs48n6EQ9b9~bNxQ+DVN3=NSyZ3sm6TB zCVwtL#{|jJk!kjpGpGElni45&vlH&9-O{UUlS_GHZd_%^H!;lftrkoFeCdRJWg=_? 
z$c|HNAJVaha!o1sRBcV*A#DcFAD_J+#=w0O=j;F9Ah9|?yo6j)mv=}eoZYLLnKMpcJm&oIc`oLx)7ruGK~f2Ie2rR30iY305h z^o=6`DsVw*Z5wjGv9e9A*7+K6f3yc@puC@g!ka%syW z(-8O)8~ad(2Dnml+|Ql@9&jYDj_w)_$h9|I;k1q2dqzRRaB;_lqYe$O9JOZNHZ|z4 z31ob{h1OF}b<5O*zf5_me^z>xegoi+1Q&Sc8Fy+I)SnDu$s~$dYHdP!7atJ5+=J`r z`4IPZFcY0a_$pcqxYv`@y7D$ju-O@YY6z+Y^)34gE3>i zJUegAGS0MA3gB0BIUhH*8^bFtlAor6%eqVlWEQVm&cPk3v6Cy3y{<%#KiAZoPwR#{ z!KL^n`kcDhG?*3SEKYxcGikD)w95oLU{VASKiZ#a=Br=!&mbxIAt5D^W+HN~?kM zW_lGHKkaQUZ*9gj&_Pk9cAZ?U!W<1B8!cVaZ@z$jW(Uvo^JD4_e9yu^)vD82O@tw& z2k%hjhHyG4MPdG6G$^x?3?BI*)zU%jYOO)L8F!E`3*L53oM!`6L@7kU%u7q)+&HiE zalMYm>16_|WQ~Pnuc2u*;I~b6NF;}d`hFkoSjC)?K`1%=l*kMsh6FD+P1r6-FOhS| zkL%jDJz_XWrAcK}fNF5|T0x_ofP--G^pJBZ>NJp9imEEcbTYG2niISenG1J$wS1>L z-xQj?FIT&|5tC1&IVD_?;5aIROE?(tgu!JXI#@AIu_}%KiT;%12o0qQ+6BC&OqLS} z^-OksKkHk>Dtu5syN|VKQ}PF!yX9?H-ZFH|&hip&ijy8rFKI9`+4vIi>cg)??mpsc zixVt!n{d?U@I;LN^pnK9nNpK3qiJ9%2B~<8gX(?`8n;*twwL*Y<{z&c41Q!{|I>R4 z!J$WxsDD^Z0%KZ-!I&8NyR;XzEYyz|UU?WEY=bp=xxtS6U()@tNe4MG`ikTYTCCtN ze3d)Bl&~3xhZsk;pWe34;9}WKFTSml_=V&_@?@8E)NP*)06@zjoIW)8giBfy+ys(| zwk}F&g;GF9=(fbOZT)mS+ZH1M>=)0kn>kSJPm!Q46LuvPi>8v7hkFi=yX*_&7yKYq zlppl_$mX=oyx5*n;uV4Y*Z&UhtK=?1ievI-DnLM`BIU@KeQ)6M`;WXlokp)G;x4h} zp!!SjAodP}MVzJD__30Bcz4ss56KdLWAnT=d(+Y~N@Hr6KA1&i6w=6C9NZYhX`2m; zl;v4Jgx6;|@)FVNBt4fFEiuMD#U(~LD9s!MK%@}qV&v3NS+xMEob|1x+V!pch?m;u zDkpG@IT3v(@1LJL#X7&n*8i#5ip2_Vq?W}SYUthqNt(ac0Xj+Jy-6$hv`7P*1+Nq+ zJ{Kx1R233&duJV!3{e*Fq3EkMTfSYccb`VM`|yxJ)3y$ZAgdY0k73^mPDMtnKhY7M zKZ2F>H_;VO1*X!WDm=vFf*ql(xv+wpO8hiVB68uu5a-{i^5w@*rYP7;(zj`wEJR!q#xQt8x#`fw>F8#+)smC`d(PoDSeaD@0fB-xeNfr=DWctD7_eL*}(1}}Q$m-3v# zrcUGAnnyx_JFXw~vRlHO7WIO3XuG!NlIxUNcFmF*dJoD=g8e5B@`A9c9r;5pmO^)9 zCZtm;mAF_(`<>J4^nBxQN75Ih8;8+LDw!WFras$Vf~2+0R%#BHTs!9SieO%JlhZgL z(7{5H%qOZbys^2ecx%r6u=gy9m4I=DBhuFM_P}oVxeLX9_fYsSPr9A?+}>8Z2y{ph zs%kb}yk|L$8JFhkW9QG`TFK$OHZF%4_bl>Q$`e6d6yeSn7z*y8M;I|2$S7%v1*cU;cy*o z{D$t+)>5|Ewn^b`A`Z*V z!BO|3+}H^xL+6<)Gf`I5UG4CE?Ir^CeydlzRVJHbtH0o1tTabN{CP_b@%TlWX8W{l 
z%$`W7N6ofV>TCzxYm{)GvkUPkD3etR8WGg~B0jAedLFCjeqM0?05q=;-xI%k^PlE* zZ?cyoXF@|N`5ibWFIC8AdkXEA1&x|dgSf$O$0npaE~S1Ez8$ez&o?^DfCb1xw16w3 z5G74p5EHsQ!)TAs^d`byb}Zu;y6zDAdKx>>kwW3?<1Gc}%Mi6w7xvm`k}26sgG6k! z`Z-vx_@IPx)Px;*F!WnKl_@nHw0zTt_vUIjsiP`=nj&K6h+2sjztJ#~W@ONdP&!x} zwEEiu`H7k~P0yhbPMtF!EjfsXl2>N9Zmc&Xwlne-A$&Na6GFt6rnLg z$?udX1!IM})n4Mf86S}V-U9+sL|LrJ^~BL@R9Pfn=Z~t8i7&r-;M4MhyzJ^J6L-P~ zmT{{u&e;OL)|8-}FX~i(Ln7IFl{LE`%$y_rQy>olK5`Vq-buEAs@?v)`NkBN&1$D9*6 zud5w-+(9??0$x1dQg?ECqCTLC6EeIWQQ5K zcfsf;?BZCprjkjavFsq)g6N7@t?~M60_SEEWd6}&LY3uo8EM`yySlbCZ4)9%fXXU% zWeWQY33MjA{NPWepkGhH8@-IQy`s7q-ybjd&6Fa~e@17f zm00ldDa$)OEV0P@79AqlWDeOfkiIQ1tl)#jKer^CKDWmZo7;68FZ~b^He%honIigv z6G`r6XJ*Ld{cKasZf#IVlmuI-?a-Owp7Ix;8RPF-LAA|XILSyI*@t*2mGXQkJaKvGDZH_)fRWGJS(o?5pxftaYMyiMchXhR`}1kLD0sDZ z;Adk^>#EyP#X1+ilgGk;h>ciF4l1@(99s{fa?4g4rUGr)WTN3mOS#8+(6E=E&1ftq zw5raajJ*l`3Qr5_kFjRx<1$@|Px#zhyAT#vL-th;zQ)^JbJ|rW-J;q>R@He}7PDz` zAEg+zsSByxirxQ|M)2SA$b;|~D(=8h{*kRJq`h0B3eYgwGsVf*bL``5z1^T*s5A?% zj{ItIsi7snf(hm@a$ljlke_2`7ms^>&u~td&$S4n^!3%EDy*nqQx&wY7An$o)|R_; zpIAujEHteWEWelzR~Fo_*MbhQAFKX!H(rVxp`LPVFHVRozR@`cvDuQmY;kqbBF=B%>R! zR3L$U92@;!Sgpc6?M%#UD06~(d#hUZ3hu&TlOlbHjXJ(m*b|e>m22sDtB_GUvn>^7 z^}F~MFK~4
    @Y^Q>28X#T@tRp}}>1#53X)5~~vBg=V>?oSNoTqORY)~cDr%#$@P#m$K*i4U_D8Bb@F{G6j ze(n+3AAT!1SWJJRj4oWOVBc_a(5BbvHT2M$+_OwBc5L`nmaoJZRxKs67f^3@nf<-E zx6b8)PpDl|aDRC6q}U-@vPPV+slRZ>rH}v(3<M*$DinMxc?kJX8tFfu{p@ai|2{SPwXq=oM!i79!;9pU-@ONSrDtVByO zRiG*M71#bG(F=X@Mw{tDR}XJPRz9VV0wKO3{SMqv1=2W6EvCtFca!0vT1n?vtTH@$ z{vE0A^pylPLWf{mwiJS<8R(cu8f^DFSF;4Q#LPjw$TbOvMSMqD^n-+CS-fzmE#<8$ zNc(TXbG1YEBIcNtMm+@sJx=z7m@6)~!jy?c3FCLHWMiT`RvyP>_X>2AaLdj|5mbMP zP7zHrob0ZaVaGJVLW-uZ6ZaURdaH1W`jHYyt^dIk*eP z312}0u+p3^Et}>>|J`z>rZ1|RmW?GlLsPew)qCesHN@%6Z|5iftH@nOxkr84b7#tCjXI$zyHz;Ma`frO+n8^G15!E zD;3SW2vjytK#>}?)o?*W`Y|nPz?~#-3C_`0Cvqr0)}QH^mYC#k4GZdHnShrdmOq&d zH@yY6SQcAwbx@Dg)tWHdS940^@pjteACX>YC|tX$Rh?ywvaMFQr+yf_JLYdPZAFm( zw&9MTd&aeX6*UqwjXkY#FG_x)(p0d$n(F#*zxsz^A?hVDg7Wx7ZjZ$CI+uU4+jm6o zB>$7$a(wf0WY_jBA@_a5q)|07>g|SYQu;{PS&`pNT{!I*=EI39%yBNKU)3~_{M9pL;)CgxTZAYCM{W9=KzgP^j$YMi_uCt(jsNP}rzG$40 zZ7T0HYLP7~UYvrz(Mjev$<4>d#K!*;Tuz~`WA)ga3z=v9vFS{*I_)kWLCe%3liP^= zdc1(b)7{C8qWd_V{x9OWCt;(@`!a{`D7c{68_Jm>6TAoAxBnW?TR5Ak%Sp~#b=pjP zT*28|1MO|?nBz0Lv)hI%_cYqcr~D;Do|%Qb(9#W9Y-gk3pJ}8O>*N$a5G3|viM_{ExGE!y+1we zk9J2)>#Z6G&ct`%{I~EP)F${Lxy-9$+5OXPJJ*}z`q_;H6lSUHY*Nf-EUOjQhur8^fw!xnD7*Q;HrD*C0wEb~Cq`r0i@SV5>+Y?hY3i>kSD zkugdpYEX}Rm0Hx@S?9)gNPvT*0ODG_58uexWp4szc>?&|T1+tn^X8Y=l2k|`8ZTHtaQiSP1EzT?5_s?5yM_Un`DA~bl^qt&Xtp9$3nE#;B^+_ zFT_DKJ#7sg9!DVgImnI&O;`2BW)YF|s5Q;QpNOUG3Pk2E^akcJU5h|irc9qPoExTS zPY$6};<_hG&xieC_B7_Op$nL-RRki&UUiJW(R{o;_boL0nqK$tr2DYaNp|sXO}ns7 zT#2=$71rD|{G|I0!=kzCnVE4*xl1E3&2v}?!urs1s{T!9qr=vG{>a%y>%roeAgpez9iLlEj0rIi~TCA!*XT3vp zSb*h8w=9l}EYHN+3d&D+s|xYUg)y`W8Uue+71ibsBf%jMh*amE^ycEXtgh}Tx_5EM zPwvIM-g;HE6akqFu8UyTx@H^gdBhA!FY$L6r;65OX-QmVw;z{`nrBcXU$-#J?#01` z`~CRpDvv2=rdbOLx+hyztHxsPsCFYAQ*WSMt|?bj5@}K+1Wy#Bb%D?BZHdfVn<@?a ztA}~k@DgymlfX{iHi{WGxF_}llDcLL<)m|Pblcl&wGQ?>37*Sz4 zYgdYz=#3s(7+)jvn#MYMemRTrLsVUGVGcnyg$-$W`!3sV|Fos#Nk!k$w7r~ywv5*2 zm4irx4t#E8?@xD`k|*$4(`W1I6)RJ>wy15#i~sWJR96L0@z2nI9t&&e*K*PpNV`<5 
zX61VMYlZ6aIO71mk$cXAG~Y5MsKRARn75jmeEC1dSb?BhFaDEL{~a=_tLpc3j61tO48P*A+77clqHOKDmPa49W14ZSVFTG8N1fRs@xAFt)hso{WP?T{>K!j4w9A$-R~E% zeg>wPlA)TYDEji7Jy6JV@C4YbC7vJAq>U+Og=m93v80Mt8~@``BML)=u#refwr9nl z4e^pUKD$6EgT}v|kL~Mx!&RY!Vua=OS7d)K4aK;kt1-EcNv{PiS1wIP+1Ypj^oxVK zJ-R^raMku0V}-HH)MMcKdsbkIqimDa_4|96{i@WyJ{R2r7osdrZfXjN3VS@LvNqQ1 zh_0k5Q)x_cQaTf44=q-jtzf zdWnJAm30L&2U3+cO}98D^0@<>UnF6TuPG)$cyE&aN^R0gPfp1ao>*`NcLN3DzT5Yz zW3JpMYKEeWEIaOVB4})+OD5*8|A5=QNu|VvQ#szP^E7Wd#(Yl@TVP%qLE@$p_XsH} zwmqCLi+2;9~@!NVa6H0kW4mg*J}*XAvRuHgR2sVnaTOkBVx&yV={uDwoEDg zp}W8sL0j-ZL*CIVZx>dyX%mkEsz{;6V=uk}MCJaOW=-H!X35nWKVg~_&V)jD{w7T$ zSsT=3xL6O9t-APr2EYD!LQi;>ty)L`O&BXkXQwP$~{J>fb7($;XH_uYzG4c_ARc*c=9 z`8_6Nx~J1NV(Nr&&Y>>bM?=X>NtK;dEbpV7;v7pS1>S|U7X{QAy>~>oO0e0ZeZjdJ_V2J;1nSYrM@@5^UcTbFd}59 zS>HuX37d7%Xma|0#mPf{-iX>Ih#I$}iE)#(v;-*F|1O-3_i)>;*@?(+1Bo#dgYh-!m?C<-WjxpXJ&fXu;oD>X-5DBcioePhwyNQJs z(4@JAX3No3m`setL#By_>*J#J%nbL;j|8rqH+I|OJ4|zUl|6^s?^pJXWN@%`c_KLN zRb3)Tci3`?_-JTT&XKY|OIeoH#fA?)3kpZuB%i;UW>ozOib<(qI+Ch)Tfzh_O;gto zhH_a}U+~VkbYuNZx3-$KUNYTsX|h(Wl4_Pi7^2Pba7-IqRktXrx>&TNnQa0A;g3H8 zQIUqsyWS5Da30h3uYdfMlQM+=m?SA&_Aq8QJ{jG$5hY;0{U0b3{3V9a?ZLlT3J)H` zLMgaD{Qi{sqa(*(NNC1|F&l&RPcAYK!%yCR zY!k;!zm6JMjm{1x1B(aJGoo5N7-%9gW?tZbKYIJ?e((>sm1JY?xpt{0(+ZCZOrFc4 znKuSXLYiU{r@;KuLyZf}3eO*!xdPmQUwz+IPx~L5k$e-!e78&E?~PUJojI5~3A?<# z2a#>;`xU_(nuiJuF3s(aPMJ+&kH%bC`-_;yis?NqMLU(pBAudnFa#|{2T-3^S{g3m zm~XQez+UVqwMsy zuKuc;K8!WC(9JR_b60Yl-8yKQjZy((CbRN(t4Z@TtvYpP<8NT$Zb4nWyDDcxR+JT` ze2)D4B`ta?+V|1+CGX5My91D9zK*m5;aG~Kh|t@SR7I>drXl#EQ#ZH`>YgQ?1v2=P z_Lc4*nd*UJpDm?V*$Nx}^xnaVnS?_HB75A7YqJl5sERrNu@yGuT2x4`CW#Bb+x5q! 
zHvny33R;Q}|JxMh#)1=18esJ?uY>xC(&-0xwew1px{~f+Hf;RlPxdlIC4eSr@o-i@ zU&8|KvrF{0fNEyT_x;dsbzpLLZ$ruMJp+x=@OQsk-2{y(sA2<1OOEjPOZHbJ&x8ia zv`{71+~Q>rElue&!~>YWIm)|Qv}xfRo(@HTMh=x*MF-6S8)5pfXtL)PWjD6 z0Cq`b>N*|a=_eF}o~du>^9PX5`$5A1?MOLJ)aXvj@2tkF;0}a){?vbFsz<(&QaW=% zv1pBf(Wvpa!qGoMEQC@+idXXa3W}bePVda8diaQ(9d>8gsC&lb*L~rQyogf?NKaNG z?R1ho*J&BaucX|gfeZ(1nrP2Y6uXy?Ft~2xq7?E@Eh!&p>69W85wyIrK|-pJi1l}Y z1l71{w9e0%eFlh{GA9uK91E8$!!6fSR_P8F9pa3x#lpy5idyq(SJz<43alteOu)Q4}5f7a>}Yf=)D zOUD5(#{BH~fSzUUQ#xZ{Tw~R^2tZzt)e`vyyQd(q^tqw+L;iyi|qFn(NGjk;F&~ z+WDzku-(gf2S!*|Y#bHZ&cNh#X8?Jt166KUfY{?1Cl4O^ww&L!q-r?gI zS9?$&AsTv6dS39Rb6rL$-rzK`0Q$Bw2k%E3e6IyA!!RYamU$u4|G1vwN)Dojs)UYY zidH*hJJ_1Kn|H`~OsPbC=6Ao*yON@A>63g5Xt>iS1RY^iTYBmdHw8D>4Tz-<2=Y-O z(W2hrgTI?qOwrI}m#4=s3OTzBvMH<{PMk3o${iptnvj3%kpa!rLy$ur=hebpRLPOR z=Ig=~Nn|F~*Qt}IHg4IAens&(Xrul0F8s?S0G*B>UZ)3h25ot=iLt9av{s_Vt6;-r zvuU^^U?y!mZWkxq|+hsXo`PJN~xesX~0Tj8_m72UjmM z_kSWHui$OuTmG7-s-(A)Y(Km-MSW?*B4Pw01gOJWusNo#4Hutu(5%AVp%QuxqfOuQ|NgC-}w8=HGNc8Tb5Vx5V?QdbZ z_s23$G=GHmnp>Y?hjlikxF5*QI*jYCq41$;#U5wlOW|Uot6oQg2R_Ag_7ajU!%hqM z?Vajpo9_>wlA2cZOuDPW+39F#Em5>0Nv)C>1T>-|9&6oe9fQ}E8_`S(pD^4rLiz2E zv4`+hZXI_4V6LHH*|N_+ZCw`x?t})TtSxiA|DIT(=pPK?q1z73q}lgPI&Fppa`BsO z<}>~7)K#Kr6<*uoo|75lI{5b<%0kR9_5W5?QpQ7ms>A!Cgbr5gl9q`M^~M5Vjgpwa?@ba!`1ZQ#yz(DQxwyvK9i`@8?} z+iP#;T62v#=9puQImh!5*@#X!x;q#Jx*?o5QCyHeZ@hX};pnNHa$SB36a-H$eW)Ff z>*HqBsdX{u&-4;M{dg>1$g_n9vQc&)vt;A#bK!Z|0<#6$>uaY%8e@eo^u4^>H(mS> zy;2`Mj=jS?8ZN^`P2{Zo5M;g%-&)`U&v^jgm(Ie2D#X_mVV)=kFzXV#8R6A?8*6dI zpK+n>(EAN#0$m+jITF1NWvz~;4XQ{Q`$K9^@wfIp8M@9)D#Ds?UvcD=9lhOnNWHJU z#@B{TL_NlX@02d|_Kb=_>W%mLG3~MBTu@Qe(P&j;4=7@y#?LoRdpI{!nOof2E5{(0 zzZ;{LRJ^$^e1acA=&iZRJLZ+?!I+j+!`O3seAiz{;v|{J`iGuo)6}b^R)!>F_3m%= zC%G#xcQf{+A+$d!?=K3UGmhD50z_0?`*w{ZPq5A{M8tK@1oD=LRnPX<+(X0BdAsC$ zdD<(^7&r$KR1`9}d%e_`s!CG#A}bX-6H3dOEb$OOWU6JYeBWb5JPGr@a1kN&!ewoJzQ$Zm zo&POoS1$GV_Gu)>>b)#txlT$@ND>#V9uxEPux1ka)s1alVxNx;*YOAB0pyU2_`^A( zniIe4EJrWbM@){AieJwLT8~(rmCOVn;|EDhX`Y^7Tq95UwvQsRynGtO$Kx@+7O$Xw 
zf2z{Jd(0=i<2eAk9hx)de~N(X=d>2?z11p5aNEQE#Qn?bTSOis%*dhJ`V+4TY7(Bn zRxw7to1D-3cC3kN%=Gn1LG!)vRkA~KI?m15!E~0#*=aPDM9ynGE0Y-TX!vLQN}Z1^onugG9%tsoT z;I2o7OmvVsow4ub3EnBP3)tLaN{x{r&nFM=ua(%#2`!zZ-Z)sBQ>@$I9FwPJ-I#w{ zzBCm;cfLOV&SvTyqa1UzaC^+5EBP(7YAa<;A}SPp$%v07Kjhh>$rcd zI!bHNH=F;1g>wwE|L{jrNV?J zeV1chj8bAju7*m7Wm+q`Wyos*Q`G91wJ)c5VR&#rJykL3nXSg${F2g|`d0q9lpxi6 z-TG&Bg-=aW5>$CVgqTmkPX35K)#Tl+LR>>K%#0V%CURjSf)~6UDyABJR6pknTqLcb zwcOM_^Z2^$-YMaBWgD0>vbi!P!}pHldg&;~X`)rbM~@RS4s?|hT=cT^Q!DFbZt8=Y zEoAtVl+h?mq3}>Ik@Wj`_0M@V_HdMdYvUNQlcr7he~=lYeUrMhmqR3~v=Tk#RgARy~tPc`i2Tf>vQ zHf^CKdtJ+~J(|Y($W9X`t-)J^wdEaKu(g4w?_+UPHQHS%pLC*M-&pUZ6zG%SB~ftx zY&!F%#t#ctPfR1kTH+Vz7rd}zIXDu^x`Cj1o8iWEF2d0%K=rR)qCCcWRk%Kf8F2?3 z_>rQIJ<6XE!;sz7_LJc8v?&CY5d|{57QCIp_?eE(CTrxI#V!G)w*61UyDI%iQSWRM z3Aq%xFR>%6J{g{Jd~jB_GVfhp;3TebK%n19sc>pH!|TMhvsZlLzx4K~k+hFUJO0^H zq7d@f^Ud}c#DqEdljVa8@h zpq;RMxx=b3ZNUv=@xkf%4)K~OV7$MO8lpO%XSE=58svDkXZOBa>EbzS)GMl$i`$ls*$X-*XYn(}N0t`p^ZrxVk&$7PeOQKHeasj7$R zp7-k1Q2PfjcvyFYxSE395UuRnKsk1p@(Xu4ZFf0y@~9J%g%d8#HPp7`%E^Adj5jub zbB1=O7^i)qPuH2Flmrw{5QN;n>ANtCJ`$DiVf=?y)@H@#hNo7Q)B(tJCF zy=AN{$`(pJJ3S=qRVNP1Pkv>38ojDmR;nobZ4MR7BrDiP{H9~kDSWS|wf41t%N^Ha ze8w>|M=hcu>F>83DQ{C04vR8SJ{dyW=nTLQ_G~yI4sP>0Lxb7UP@LdaRT^Az)Yweo zd8l5g$kbHT)FQD3m=Q>Lkriv*Bc8x)E9#SmKk|Ce%O5CKwTr|c#7CW%tF4W#X>uX-M4Y!0Ds^Nw z?5)$!Vxe0ow%d?Sbz=^Uj}=z6_Vj0~)mD$R%d->vAhAcc*f0}sv-`Dm*vkRGSz46k z+*%943d=*a$n<}}DkwO800JdnZT?&0TcoWNy&2&EF;_1mtQ3HMDM6KLEBzl-mB6VC=P8HQN8nJRFs1X+6#avt0a z2$MM6oXFO$v_61`()H4gA`CY3_a(%G(js{Q=S`g+z2&P3fR;<0N&-0$nT3sHifon~ zU7bXu&A03Y3+1&$YJaRiWSdRLvIr_r@^oFZ3ywB(zuReJw3_R&WpT6b3K6U7BL}YN zxhp-H?T<`E?ZwayZ^>q$lEsHdssmOohmkrorD-;z^ct7Xq`MOUMOH5|W*hT7!?LN+ z&WI_g(bh-_plo@@!GSEzt0j;9bz)oa(u3wv=N)65Z@2mI`Dy5>d`S~B>gtFt4|&YH zuo;~7RLj$M-~Y{>>BMY#h3LDiERF$nVFI{T*H`&;;vYXl^-NhKk~5TYFfPfZw}q-* z1z}1LpD3~goseSFC_i>MV1tLoNGY#PM4Z<3lv%$JWc8NVt$&qF>)CG|X%Pue#KqX9 zJO4H%HlB%;LX+#u%|JEL1XYr{4G&!<$*+F>hHR16b;ux4Ba>k;O{4Wb z>NBQjot|)7x##v-*RG%iw7B+fX9k+JVtKxxa^&k^?qD6gdUTa6cK&`Wb5HrBiIi6F 
z@|)eS*-v<0Zz;>L#wOVGht{i?qCNJG-eiUr)!DPv+``S(I#VBAs^%e@yITEwua;Z6 zxn58mOP|`@R(LX=Z6qqtEl-twZOHl|`BhL($fB&^(aB)LUu0dn9~~UCA-z`ScB^~) ziY+L2H5WSne(qN0mzY=5!PJdn<;~$jpncENuOTArSbXJ{cDIY46K&^heyujUjl3Ub z-}FDW+!mJlYJO-YK0`5O;Gw$0$2;#FX~KXh(K3xbF!fTX%^saUT8E+(&&l>S3 z^hNThMNtn?V(N?Ir;GWRo`+H}r4}XU3@Gp5LU6TWxnePGMU zbg^gVL(UQ>3lgJ(p*ecx=;1M#Gy*@yy9n_aad~fKImT*Rfif zC#cI*uh_1PIoJJJac|0ppuR(6b~S%SJg2A2U+mEiO}J<Q1*gnG8a?^b_DALU6#f z%W?^Kniw&L%yqO?>KuA+1Z`OIGAkU*uvI^RDo&S__755!)TXI!GJ5{n!ntzQ>T~|A zR3i~NH|5nlbg`yGP?cy$-u6JUxDyn$etU_1cljM1aDLy(Uwx(U>u^K_NQr4Z$xt%< zBPHgOL;?OG=}}7%^}Xikpj&;{uo);{uj040*a zGy?b^KAwLs{ks4^<>hP`y<93T?qxZBdMqSZW|{4m%gQ@6SJB9$#V`eV@YFR972dXD?Ueztjn3XzK{Z#A;@HXC!{Q#i&;m(o@KE$}C)_@s` z5CFKYw}Z+#W>5p^3Qzt8D57YEF#1YmCu`J@c@I-Ec&?3vq`4N9*77%7k>H#TYTHzM zIT|&5ca))rqKH)Am|ykiNiU$>;uQfunoGbVpV#0z0bT4$5It1Um^==Ee})V}V9>&c5Q?^2y2(1!1z}-Ltbn5ej-er~uHKr2H(Yq_}gXjS` z(Y=og5b2V&_L-`Tht$vU!^8f@^CpNM&o{5cejUxF@hVEp5p<%U-8k7weK$l@iyk<2 zW!(-Yc|WlU(y5@+YS+n0f8wu*Jw*Um>QQ?2Zm10mL;#VR1=I=qpJjZGlL1{n>LZb+ zmvA!STgi%s=;83J1IF$4uFw{~dBL>XM8EE42bcgmKsmE|b?g3H&0AIAJem>U%!&my zm7M?>I~$PbbxAiY(tX|Q5#4g)tp-rAYk@p2+fM+s;tQ7Ye&vJ7onMv@ZW`vN7 zA=xY7`A&Bt6I)UMDuj4IxK_)duu@|T?OGZ~Mcw)dhU3#h4Mw5Gpey2kmbgDuhUise zo@S|G_Z$8akZt9Wy|N#RsKwv|ur_aWpo9$#aP$GD6?`J%Ai1Anq*0VZ;48uQMEvnK zSE`%`4s^#Vi`wAc&!0o3K^7`BDB0(~fcYtffC`M0xo|^%#h2`mUp-a!*6^oa{SSaT z-x45roP;t${GaKr{_CJ||08h@qJM9!ND2N|^?F42uc79~2J^;3*0Ck=f9ewdBB?(w zS0O|jPdX3rKPB=CC~(J>S&LuTJHH3=GNpxjEsdSj`%C%Fp(k^j^|AjKjjN%?cHhII zeraShG~J`$nl%3VD}T#_R6>&$#s8N|#NC4uhSVtxwEu$!@Fy(5Up{bgK_kQU^yHT{ z<3BX(Z3@b0Z<`Tp{MdcE%#OIHaYOz z>d4+-GvP1&{NI=TG>}3VmT)Nll+L#zNPa~gD}w*t=Q3RITr);S3I1OyLI}y4QyMMk z&vE~~cFIB0k-MID@7F-dK&l>>WEYeC@A~yo1~eX6ked3bap`IhzEtibpg07G~ljjgBZmi z?58Y1*u!DJC<_4f0wAW0z5?Ca5<>v{hyj4jC5_(t9@Cv781E=^^OtrJ zK|pET?*!&#|6M^2Q2SrbwgaRndcfisTRG{LOY;ga{zd~Fsq*>63+nkFCZeZ_A>^WZ z_?m{drUbnI9Qp@9RG%#WL*xF&+Fn86e(T~(D$N6!+yGmJtklO;z$?Q6P+Ou*&cgw_ zk9x)Mv*4&!RRHnaME>&zis3+*tCTa>{)5Bw!1hx?CciYB9R>j+#ON?%-#^-LxniY 
z`1GNog^!|A&E5am?dOn`LjFrBWxLFhm-}58UzrE2n~@-9oiPclKAH_)0Ia)guCK_Y z1XBTotoH6#&Yrel_67!huj6d{%5UN~+X40`D}*ZoqV2a|3c>c_y?62{OaRL)5)eH~ zssq2f8ZZzU0d`mrach`3gM%2c0ILMW*$5yblFvi%5P+jh3t*y=ZY`F4<>+jK`0a>o z>TIQ4exN+o@jMuSxNnbk((m~}=rVRf)4cN#5w#J3kqg~e?yB8tV6Ggu3$6o9E1OCH zK?bRW4D5FFWlCa}w=n-PZN->r6?22=Z6*lI4{}7Q)9Md2ndLMe0;`{1j;Hp5j~TFYGARmiAcyD0LWJdfQwriNxi_a#M0nqhrvrA zP?r;xj_LpjhJMSEcDiEX$xAa*CW27@(Z#O$qeh#Fjmk>a!GdW^0^*}a>=(Q3X)R~% zBD2E3f88snG}sU>;uqWw+@&}6VGuVu+bozh6>k9R1ua&p%PeY+tZx9I77T~XLfe$tyUcO=> zmsfKy;&kk!AQLkXRC^+csta(65d35E7J>g94YuJ$D=_36?9iMfcIHl+P{^wcf}RD` zUHVO?YKZ1)JBE*vDcMLB3I*%cvgxU1AR8q8;vhY0I`;Qgkb>DKNmb|=5E4_XypxS2 zbsBE6ZM3EVl$&-ps9j#@3Ihf*_G*x~9Y2*MbNxc1xXKAgbU_HVft^*TAlim~6|M58LJisKW=ee$9|PbiI{=FxL2ZjQEd;r@K1f!% z2VPt-QT_2#|KWzoaqugG5$^3=muG2n6VVDHjNp7bt+j!lfy?vpFd{V}ACB%@k|dNG zI=24q$90S4nLu2%mhNSWc17tb+wyeHMWTyeEfd-Q>zimfEOK<6?1m$ zb5roHG^Pvr2mexx2f{YZ=)mMBxAKboYi;c0cT4jVC>d%c#Gksg>)OPUTs@w40x+{0X|SC;CEbh zB5snWhoJHr*p!4IazumXTO`CUNmWNHZOF%((GB&?vSVjWh~9a>QG{?N`&ATT0THJ_ z?Y7C+gu5kxJF9BSOUD4y^|C1B8`E`DcjV?~Esk^F-1CBLJ`Of$@xr1?52DlBTG@)w z6`}rpxI=MOCjA|rLeb|oB8$9Rtpq`2z@%60Z;XN3+BMcg62UkzsmwRCfH-D~)f+xX zE)gsHOra~ZFytw)XATh0DAAZQHl5yk?CYB*T}iZ1t$QAYp9!UbvrzF2I;nsvGCGlJ zPhjDbjHlvFh9Dv6&_R1Zf<$&?i~e|q`cff@piItUbXBwhAtmRDYzM7ke5E&AXPToT z8*dqK9~8$BReN6s(U+%mhy31i<3jXFQWr|(wMn%EfM(G0#OI`V-q_3S21kqG0honk zW`I665c_qZsx1VT24IvPhl@HXX_|k?22>kQH&cL~`sz5182OS)y{WXSK1EgELnfRB{25GrF$<2jgk)N6UAVPnEbFm73<)ECH?ux(=M!24^L z{y4MYSw6y$II)+jbJg)EuhzlaYeUD{6hyG;6_9sS@jbryw`1e;ibnB!5d9Tr!1M)i zx%#33J@d+`@`+bR{lXM+B>0lV_RFnJ(^T4coxWp!faTWfzJ|db%#;fGNhkX&bMRJJ zCp&DMu|aGHaS;%Z$AH-~Izi8vI?eFbzMH>wr1$~=VEfFr1H3VUEyQchvB2Wp1K5mK zDXoW(pF@(63Bw4|-@SwaN?(NfycnHu3q;1IMv#x%f&HeJ_IJwV!-W0b6<}cpU>a3| zwVaRkrrP2oWucuk7;pk0R;Gi8fFDQA`2jkas?5$jaAY6`&rbiRcrskyekKRsyKULV z^Z=W`mP+jfd4zyb`f*BiF3eq~FN|I)h?zEZ2jy~I&xHaw_2m5!K2$CSpVZs~hjZ`q zA4|%-g$4IMXDnrd{wjC)!T!@>{_~p>9H_tPx52g>8oO`t( z7%A~($`i4J1frz1N6yAy7eZJ-PcR4ayqyBf*wpa|08b?pbjkx9fg@+YEvcN_-f3id 
z_t@FRc|KCI17gDlfPJkBU@g-ygbt=0o+#icY!eG+y@6OQq&ETNm0N8ynB|{I_ew!7 zu*3Hz+wHN1pIWs>6}eq~^%oWZG-c8z`Fv5{4Tkq?dQJ@(<-oRR?2Wr4ok&O9U$Z`J zqc;#S8$@;3wnypg89YjSl%=sVkX1OJ6j~5jE&A1Jkb?lvx>uitNf2{NQ^0YJ#=wT0 znf=X~xNxC>(;CC+WMv@>?0A>TY7zFTul*odpM4^3jV_r47Wg$;P$5-h!_4(!=5Vcg z$!`@3e;xVy2!6YSn1&*1`OgLx3i-bD0!4#{KmcLig`{@oLDn)F0$dY0+gC9m5X^eg z8i_$F&;}g5*(DcE*5+tnP?UH8;@#s4be`cx#&+2^e7*jJu-Ddkv+WSDVQyZDv~c1% z028b^5=U+3Ro{VdxBGH63bC0X%4I`<9SC8eP-ITG!`42g%pA>TPYyt7#qgtmu`r;iHsU5^Ez>-Y^v8LN5n|t_&fPERA zf~wgYON%9)Y&h_WmREsGOoxC-d16Nxz%LgM`W-3?72EznIzDFQt>b}O!{GV;>FReB zz>o`qEBZ6Sx|1C=t=Y>s#3$(wJD*&qzVaa3^7=xwJ{d8iht9T2+FbLVUJSjwhqxb0 z^$(r$9Qf0H@+_;n?-5w^mxtuBt7I(;9i>>npp_);4th!y#^SZA0N|}hY$&HQP z45@FtPF6N6&jn{*;sE@6Oh+$I;5R~%&-ECI=MOML)E+};b|IfaDQ8o_aaC2*rv6}- zRQh>Vw|Q><;-p-fh%Pb)2?JnWlnhJ;jLcmdd?gT#*AnE2j{{VjzKRXFKZy`v!p>R; zb`&8o&j%ZgFCTyu?ihG45!Ag9{|bnTmvOb81&dBTIgAC|O6>Cd&97F*=4>uk=g~h# zEwSOFL*L40T4}^L)#DByDt4s;KS|>dzJKI?41t3UMot&jNXDBkrloX4^)$Fvc1m>KS561?Za)_ z5iErzZ#aSP1n;DUp2`;J>`6D>6$&-0;I|L_0hBT`tLMn$*5Ew8_ zkWY8l1RTl}w)~3kHG!k{#-5=ggqT+z!ck0j<}+RfFsn|jH=Yh904DKTSh|tOWvUni z9-u$)s4=D#7U#u#90$u|Zz4L;#w11Hd)I-)Q1KLk7JRfucd`tJk{=O#5q&6$`ZOnk zXJfQYvd}}dggU6_nU)wOs#Dy>z^;6;Q6Fb?f9J#cQC&@AFK!h!os&;dE?gh)px?d? 
z5n{od5NGM9U_G%#KH{W`)flA5Mu7(@YLJp(S=_zUKW%rB}!@WUSduuOYW7T zOXK*2S_0QZX&-0f%q{Q`Z;pPpf+i6J?2*(EZLI*N)@~U6+P=P|Q?(NT0p_~6U9-7H z+tQq950ddWNxxZxfOmC#5(Q)XH9DKbpLZvnH&{KLw&r|&XWNm2^(lr^vIo)d6wFyA z2>%4Y|BvpQ3PD*jp}|n>K0u(2B#E>EvAxu0J~@mMy*Tc%I~WkPvhZF^H0fZ>dDF*W zcNgoYhC*4;#pqPZY@A0XU_q@N?Vuk}7HW!Qs=Y99Hmej9bjIzm_jZ?Wa5=m=a{MvH zXe2b=v4`@4R|OU+8Rq(6()-909wHY=!dPo`i6H3qy605ofwEHk4AW%kGl58qiM%(mx(wRxx3KsvhWd(CT2g}5j4 zTIqyDnl>5{T(?BFtrHIp@`lm-CKe|uHpV)>7MgU7Im1{nNzWBC$#HOR#?8D6q9>&2 z1z`2Ru#f-x;b%fuYxDE3wTZxowQ?MwZ+ki(18nkzim^qT%EG&!i-iqZ!(sst@GAAs zfbbCo*hsBvopoeQq_lcfwS085sEa#Hk^)ZE>6%wSJi zW-@z+Ku^c`1FekhTl{W2bp#86IBC}f0-~BDx5!p-Wu7#Vedx0&afo}PHw zO4rs?dE}b++}C8V&SR!?_i+}>+jkGbUd*;X%VnXvIQ(*fii?0PH@~^^Jr$p!{(Vz7 zjW@}jq>qOgvNXEF+3^Q#<~6dKg7y8wlv%#mx_z&C5cNh$Tr8am`d{zKJz9bVoN1E@ zFDe}p2Vn-(+a|CyEY9w@Um)Kgz$8C@4nJya#f+KMK6HYac=KwX^PYK^wA~2)vSs4Q zDI>rpq~ApCwLI}2ZLpA^bEyp&(Rk}lM|(?KxO`NihQX*tmoD-d57dTYV6azKaW<`7?j}*8#qQ%H<6ifpfDM zO>vg<4d5T{f_x0;0D6pks_P=*3OHdJH}fIx_}5Mg0nH?-Td-&`lZj#CetbdZa4~tyVyfL;XcigE&bDWX~6=T zy~VG=&eTekRmMs}t}Eck)ea6B!NJWISe)pGc7 z2T_`SOuxnxeuLM(A&q)Nu$;a9roQ)4xz707ta0^TAXC!O4Hw$T*Rr1$Kfd!&P}8e`5!j;yb~y3?@>67`CLx?!OL(0B!~lYK19& zhbbrveTXxpy+IzC^Kl((cS?h;_y*#+U{wG|>m0oZ+eO3j6qISL$u!IR)OzXZeH9fc zdVrw-(kStmkw!dPboi)1v&qiWLtxHzEY;mnC7tE9ZB+H%qwUuu2Xw0T{pBgIN)yw2 z*!nsw_cbwQ);-_6xqC)1RZFdb;k7v(MfyNbh<9{@R=^2m@zCa6FYfUveKr}%XS*rN z!}c-fdRD$olTMhGX2#dI9k&&I8BDy~du%3d@fFuIG-O`f9VHd@Gte(eZpHVjd@k83 zBsi~0Flg*O$x?AXb$G$dYw7AYW@|8UwYPvp>-Uv_svVY*Mi>((`m`pqg& z;RB0A_`0E{Yfh~037=#n%ai?PLH$Rk-5a_du+#n8bl^f!YVI|1lcKC+Wk}vW+nT#* z&ukT04Qo7hnQ!&YbdSPSNLS_BuJ_qt6NtFFNiMKU=`7oWZNW+jJ6|izHc3n6SYP_A zlT;Kyfs@832-?#{|lX~;#nFS7TS`MULQdp{{eO=#tXZvZ|X`tOhswCsRjBKze*_9i; z#tYK}4g{_7i2Xq7Zh(^a>sYjPHhifd`tGjfHo3BGOit%PoodtSV8jkA^KA@4-|1xn z?r;*k4L7@XxUND`a5J=)Ov#_B>(}P0#JREy2rNs&)K-vNclr3eJuvv+?qBi8t2P1V0Mw-vcHV=dg)B~HtnPc4Z zp0&rsziV?$)*%o)oXQoy&a!UXNmg>wklX5XzjgZyyLX+YZ7rUzknNjj?(40a*3Uls z)Yor~YM-o6w(_Ie!WYu@J1Xv1hSrw_J#u-SVxFFmaf8Q8$RI$@<9>5Ao%|K#Uwi%k 
z83VE=fQ>7y=d(%|Zyz~tirbTj<4fohR3n%5-K?jGO_^#d-`mNhh_5_k$ zQ=nw;uie}a&~EOBHWSRsw|EL3v^TxuQJ6n?zX=m&YV|(cdU_Ej8SdII;CvWR@0Gw( zJsGu^Mob$(vw(7O+$A{4vLy=l681jZRtrSLuN1Igz9%&1XsOYY;+bw;@=8-avIziA zH%u*rS%B?OsH_BH+kBjs#zi{2A8xn`X8^NiZ+VFO>w;d5c9 z;PHhmv%;vR