From b6ec2f98ab732d06f8ff7ca04b3f525f717935a5 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Nathana=C3=ABl=20Blanchet?= Date: Fri, 25 Oct 2024 18:07:57 +0200 Subject: [PATCH] add documentation --- compose2manifests.sh | 2 +- documentation/Installation.md | 231 +++ documentation/backup.md | 1078 +++++++++++++ documentation/chrony.md | 389 +++++ documentation/commandes_utiles.md | 381 +++++ documentation/connexion_api.md | 113 ++ documentation/creation_utilisateur.md | 209 +++ documentation/depanner_certificats.md | 286 ++++ documentation/drivers_csi.md | 512 ++++++ .../approbation_des_csr_par_apiserver_okd.png | Bin 0 -> 126921 bytes documentation/files/selection_032.png | Bin 0 -> 19335 bytes documentation/files/selection_304.png | Bin 0 -> 83986 bytes documentation/files/selection_393.png | Bin 0 -> 47879 bytes documentation/files/selection_401.png | Bin 0 -> 6935 bytes documentation/files/selection_422.png | Bin 0 -> 79922 bytes documentation/gestion_groupes.md | 92 ++ documentation/gestion_noeuds_okd.md | 57 + documentation/import_appli_pro.md | 350 +++++ .../import_image_registry_interne.md | 166 ++ documentation/index.md | 43 + documentation/keel.md | 285 ++++ documentation/lien_nfs.md | 211 +++ documentation/odf.md | 1388 +++++++++++++++++ documentation/recuperer_mdp.md | 19 + .../redeploiement_cluster_operator.md | 78 + documentation/registry.md | 506 ++++++ documentation/reparation_etcd.md | 85 + documentation/scaling.md | 123 ++ documentation/snapshot_csi.md | 148 ++ 29 files changed, 6751 insertions(+), 1 deletion(-) create mode 100644 documentation/Installation.md create mode 100644 documentation/backup.md create mode 100644 documentation/chrony.md create mode 100644 documentation/commandes_utiles.md create mode 100644 documentation/connexion_api.md create mode 100644 documentation/creation_utilisateur.md create mode 100644 documentation/depanner_certificats.md create mode 100644 documentation/drivers_csi.md create mode 100644 documentation/files/approbation_des_csr_par_apiserver_okd.png create mode 100644 
documentation/files/selection_032.png create mode 100644 documentation/files/selection_304.png create mode 100644 documentation/files/selection_393.png create mode 100644 documentation/files/selection_401.png create mode 100644 documentation/files/selection_422.png create mode 100644 documentation/gestion_groupes.md create mode 100644 documentation/gestion_noeuds_okd.md create mode 100644 documentation/import_appli_pro.md create mode 100644 documentation/import_image_registry_interne.md create mode 100644 documentation/index.md create mode 100644 documentation/keel.md create mode 100644 documentation/lien_nfs.md create mode 100644 documentation/odf.md create mode 100644 documentation/recuperer_mdp.md create mode 100644 documentation/redeploiement_cluster_operator.md create mode 100644 documentation/registry.md create mode 100644 documentation/reparation_etcd.md create mode 100644 documentation/scaling.md create mode 100644 documentation/snapshot_csi.md diff --git a/compose2manifests.sh b/compose2manifests.sh index c214f59..f7e8365 100755 --- a/compose2manifests.sh +++ b/compose2manifests.sh @@ -277,7 +277,7 @@ echo "" ask_testing_ssh() { -echo "${YELLOW}!!! Warning !!!${ENDCOLOR}" +echo -e "${YELLOW}!!! Warning !!!${ENDCOLOR}" read -p "$(italics "?? Do you want to check ssh connectivity? If a host is not reacheable, pub key will be installed.[no]: ")" yn yn=${yn:-n} while true; do diff --git a/documentation/Installation.md b/documentation/Installation.md new file mode 100644 index 0000000..b09aafe --- /dev/null +++ b/documentation/Installation.md 
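Review bot: The banner printed at the top of `ask_testing_ssh` still does not say what it warns about: the fact that a public key is installed on hosts that fail the check appears only inside the italic `read -p` prompt, which also misspells "reachable". That step presumably modifies the remote account's authorized keys (inferred from the prompt text; the code that does it is outside the hunk), so the banner itself should state the consequence, e.g. `printf '%b\n' "${YELLOW}!!! Warning: answering yes installs the public key on unreachable hosts !!!${ENDCOLOR}"`. Using `printf '%b'` also removes the dependency on how the running shell's `echo` handles `-e`, and adding `-r` to the `read -p` call keeps backslashes in the answer from being interpreted. The function body continues past the end of the hunk.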
@@ -0,0 +1,231 @@ +# Installation de OKD 4 + +## Environnement + +OKD a été installé premièrement sous la plateforme de dev d\'ovirt 4.4 + dans la version 4.7 + +La documentation de base spécifique à ovirt est ici: + + +## Installation + +Il faut d\'abord installer le client `oc` récupéré ici + On l\'installe par exemple +dans `/usr/local/bin` + + $ wget https://github.com/okd-project/okd/releases/download/4.12.0-0.okd-2023-02-18-033438/openshift-client-linux-4.12.0-0.okd-2023-02-18-033438.tar.gz + $ tar xvzf openshift-client-linux-4.12.0-0.okd-2023-02-18-033438.tar.gz + $ mv oc /usr/local/bin/ + +On va chercher la dernière version d\'okd + + $ oc adm release extract --tools quay.io/openshift/okd:4.12.0-0.okd-2023-02-18-033438 + +Ou bien : + + $ https://github.com/okd-project/okd/releases/download/4.12.0-0.okd-2023-02-18-033438/openshift-install-linux-4.12.0-0.okd-2023-02-18-033438.tar.gz + +Avant de lancer l\'installateur, il y a besoin de choisir deux adresses +IP statiques: + + * Internal API virtual + * Ingress virtual + +\... qu\'il faut impérativement renseigner sur lilas dans la zone +`v212.abes.fr` ainsi: + +``` bash +rndc freeze v212.abes.fr in internal +vi /var/named/chroot/var/named/v212.abes.fr.db +... + +$ORIGIN orchidee.okd-dev.abes.fr. +api A 10.34.212.49 +api-int 10.34.212.49 +$ORIGIN apps.orchidee.okd-dev.abes.fr. +*.apps 10.34.212.39 +... 
+rndc thaw v212.abes.fr in internal +``` + +**Si cette cette étape n\'est pas fonctionnelle au niveau DNS, +l\'installation échouera sur un timeout.** + +Création d\'un fichier de configuration à l\'api d\'ovirt + +``` /bash +tee ~/.ovirt/ovirt-config.yaml < + +L\'installation prend environ 40 minutes et aboutit par défaut sur la +création de 6 VMs dans ovirt: + +![selection_032.png](files/selection_032.png) + +L\'installation terminée, les données de connexion s\'affichent à +l\'écran, et on peut les retrouver à tout moment dans +`.openshift_install.log` + + time="2021-03-11T08:12:35+01:00" level=info msg="Install complete!" + time="2021-03-11T08:12:35+01:00" level=info msg="To access the cluster as the system:admin user when using 'oc', run 'export KUBECONFIG=/root/auth/kubeconfig'" + time="2021-03-11T08:12:35+01:00" level=info msg="Access the OpenShift web-console here: https://console-openshift-console.apps.v212.abes.fr" + time="2021-03-11T08:12:35+01:00" level=info msg="Login to the console with user: \"kubeadmin\", and password: \"my_password\"" + time="2021-03-11T08:12:35+01:00" level=debug msg="Time elapsed per stage:" + time="2021-03-11T08:12:35+01:00" level=debug msg=" Infrastructure: 5m16s" + time="2021-03-11T08:12:35+01:00" level=debug msg="Bootstrap Complete: 16m7s" + time="2021-03-11T08:12:35+01:00" level=debug msg=" API: 1m52s" + time="2021-03-11T08:12:35+01:00" level=debug msg=" Bootstrap Destroy: 37s" + time="2021-03-11T08:12:35+01:00" level=debug msg=" Cluster Operators: 18m34s" + time="2021-03-11T08:12:35+01:00" level=info msg="Time elapsed: 41m58s" + +## Installation personnalisée + +Il est possible de personnaliser l\'installation: + +- nombre de noeuds +- CPU +- RAM +- etc\... 
+ + + +Il faut créer pour cela un fichier de configuration +`install-config.yaml` + +``` /bash +additionalTrustBundlePolicy: Proxyonly +apiVersion: v1 +baseDomain: okd-prod.abes.fr +compute: + - architecture: amd64 + hyperthreading: Enabled + name: worker + platform: + ovirt: + affinityGroupsNames: + - compute + replicas: 3 +controlPlane: + architecture: amd64 + hyperthreading: Enabled + name: master + platform: + ovirt: + affinityGroupsNames: + - controlplane + replicas: 3 +metadata: + creationTimestamp: null + name: orchidee +networking: + clusterNetwork: + - cidr: 10.128.0.0/14 + hostPrefix: 23 + machineNetwork: + - cidr: 10.35.102.0/23 + networkType: OVNKubernetes + serviceNetwork: + - 172.30.0.0/16 + cidr: 10.34.212.0/23 +platform: + ovirt: + affinityGroups: + - description: AffinityGroup for spreading each compute machine to a different host + enforcing: true + name: compute + priority: 3 + - description: AffinityGroup for spreading each control plane machine to a different host + enforcing: true + name: controlplane + priority: 5 + api_vips: 10.34.212.49 + ingress_vips: + - 10.34.212.39 + ovirt_cluster_id: 71d7ddcf-8a6f-4cc5-82a3-df836b701576 + ovirt_network_name: okd-prod + ovirt_storage_domain_id: 8ade67b3-f232-444a-ad42-5ac43b129b05 + vnicProfileID: fe77d0f4-3697-4ef5-8283-784c1f3cd64e +publish: External +pullSecret: '' +sshKey: | + ssh-rsa +``` + +## Destruction + +**/!\\ DANGER /!\\** + +Attention, cette commande efface tout le cluster sans moyen de +récupération + + openshift-install destroy cluster diff --git a/documentation/backup.md b/documentation/backup.md new file mode 100644 index 0000000..be72e06 --- /dev/null +++ b/documentation/backup.md 
@@ -0,0 +1,1078 @@ +# Backups OKD + +Le backup au sens `kubernetes` se fait sous forme de manifests. Il faut +alors distinguer deux formes de backup: + +1. Le backup du cluster etcd qui va permettre de frestaurer la + configuration des noeuds master `control plane` +2. le backup des applications hébergées sous le cluster etcd comprenant + deux sous-éléments: + 1. les manifests + 2. les volumes persistants + +## Backup cluster etcd + + + +### Prérequis + +- L\'ensemble des **cluster operators** doit être en parfait + fonctionnement + +``` /bash +oc get co +``` + +Si ce n\'est pas le cas, rétablir les cluster operators défaillants +suivant + + +- il faut impérativement faire la sauvegarde 24h après l\'installation + du cluster +- l\'opération peut être indifférement accomplie sur n\'importe quel + noeud `etcd` + +### Procédure + +``` /bash +oc get nodes +oc debug node/orchidee-7cn9g-master +chroot /host +/usr/local/bin/cluster-backup.sh /home/core/assets/backup +``` + +Cela produit les artefacts suivants + +``` /bash +sh-5.2# ls -hl /home/core/assets/backup/ +total 114M +-rw-------. 1 root root 114M May 3 16:43 snapshot_2023-05-03_164340.db +-rw-------. 1 root root 78K May 3 16:43 static_kuberesources_2023-05-03_164340.tar.gz +``` + +ou bien en une commande: + +``` /bash +oc get nodes +oc debug node/orchidee-ccbm8-master-30 -- chroot /host /usr/local/bin/cluster-backup.sh /home/core/assets/backup +``` + +Il reste alors à sauvegarder les artifacts: + +``` /bash +rsync -av core@orchidee-7cn9g-master-1.v102.abes.fr:/home/core/assets/backup backup-v102 --rsync-path="sudo rsync" +``` + +## Backup d\'une application + +### Grandes étapes + + + +1. Prérequis + 1. Installation de l\'opérateur Data Foundation (namespace + **openshift-storage**) + 2. Installation de l\'opérateur OADP (namespace **openshift-adp**) + 3. Installation des différents CLI +2. Configuration au niveau d\'OKD + 1. Création du **backing store** + 2. Création de la **BucketClass** + 3. 
Création de l\'**Object Bucket Claim** + 4. Récupération des informations S3 précédemment crées + 5. Création du **secret** contenantles identifiants S3 + 6. Création du fichier **DataProtectionApplication** + +### Pré-requis + +#### Installation des opérateurs ODF (OpenShift Data Foundation) et OADP (OpenShift Data Protection API) + +Depuis l\'UI: Click OperatorHub → Search OADP and ODF. Si les opérateurs +ne sont pas trouvés, étendre la recherche à tous les namespaces. + +#### Récupération du certificat root du routeur openshift + +Il servira à l\'ensemble des commandes CLI des différents logiciels + +``` /bash +oc extract secret/router-certs-default -n openshift-ingress --to=/tmp --keys=tls.crt +# Pour uniquement l'afficher +oc extract secret/router-certs-default -n openshift-ingress --to=- --keys=tls.crt +# ou bien +oc get secret -n openshift-ingress router-certs-default -o go-template='{{index .data "tls.crt" }}' | base64 --decode +``` + +#### Installation du client Velero + +Velero est le logiciel de sauvegarde exclusivement en mode objet intégré +à OKD. Un serveur S3 compatible doit donc être présent avant tout +backup. Il se décompose en 2 parties: + +1. La sauvegarde de configuration (sous forme de manifests): partie + `BackupLocation` +2. La sauvegardes des volumes persistents soit: + 1. par snapshot CSI si le provider le supporte (Ceph CSI le + supporte mais ce n\'est pas le cas d\'oVirt CSI): partie + `SnapshotLocation` + 2. par le logiciel de snapshot filesystem `Restic` + +``` /bash +wget https://github.com/vmware-tanzu/velero/releases/download/v1.11.0/velero-v1.11.0-linux-amd64.tar.gz | tar xvzf - +mv velero /usr/local/bin && chmod velero +x +# Si le choix de l'installation du serveur velero a été fait en mode non sécurisé +alias velero='velero --insecure-skip-tls-verify' +``` + +#### Installation du CLI Restic + +Restic est le logiciel de sauvegarde par snapshot filesystem quand le +CSI du provider ne supporte pas le snapshot. 
+ +##### Récupération du mot de passe restic lors de l\'installation du serveur Restic + +Ce mot de passe sera demandé à chaque commande restic + +``` /bash +oc extract secret/velero-restic-credentials -n openshift-adp --to=- +# ou +oc get -n openshift-adp secrets velero-restic-credentials -o jsonpath="{.data.repository-password}" | base64 -d +``` + +##### Installation + +``` /bash +wget https://github.com/restic/restic/releases/download/v0.15.2/restic_0.15.2_linux_amd64.bz2 -O restic | bzip2 -d - +mv restic /usr/local/bin && chmod restic +x +``` + +#### Installation du CLI AWS + +##### Installation + +``` /bash +curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip" | unzip - +mv aws /usr/local/bin && chmod aws +x +``` + +##### Configuration + +``` /bash +export AWS_CA_BUNDLE=/tmp/okd-dev.der +alias aws='aws --endpoint https://s3-openshift-storage.apps.orchidee.okd-dev.abes.fr' +# ou bien en dernier recours si on n a pas récupéré le certificat root du routeur d openshift: +alias aws='aws --endpoint https://s3-openshift-storage.apps.orchidee.okd-dev.abes.fr --no-verify-ssl' +``` + +### Configuration au niveau d\'OKD + +#### Création du **backingstore** + +C\'est la partie qui va physiquement contenir les objets sauvegardés + +- Backups +- Snapshots +- Restic + +**ODF** en a déjà créé un par défaut avec Nooba, sur fond de classe +RADOS Ceph (RGW) + +``` /bash +oc get backingstores.noobaa.io -n openshift-storage +NAME TYPE PHASE AGE +noobaa-default-backing-store s3-compatible Ready 12d +``` + +Pour simplifier la démarche, nous allons utiliser ce backingstore par +défaut (même s\'il est possible d\'en créer d\'autres à partir de +nouveaux buckets claim) + +#### Création de la Bucket Class + +``` /bash +oc apply -f < Data Foundation -\> Bucket Class + +On vérifie: + +``` /bash +oc -n openshift-storage get bucketclasses.noobaa.io +NAME PLACEMENT NAMESPACEPOLICY QUOTA PHASE AGE +noobaa-default-bucket-class 
{"tiers":[{"backingStores":["noobaa-default-backing-store"]}]} +``` + +#### Création de l\'**Object Bucket Claim** + +``` /bash +oc apply -f - < credential-velero && oc create secret generic cloud-credentials2 -n openshift-adp --from-file cloud=credential-velero && rm -f credential-velero +[default] +aws_access_key_id=key +aws_secret_access_key=key +EOF +``` + +``` /bash +oc create secret generic cloud-credentials -n openshift-adp --from-file cloud=credentials-velero +``` + +##### mode non sécurisé + +Si `insecureSkipTLSVerify=false`, alors SSL/TLS est activé De plus, +contrairement à ce que la documentation officielle velero indique, il +n\'est possible de préciser l\'option `--cacert` en cli, mais il est +quand même possible de renseigner le certificat CA dans la conf velero: + +``` /bash +velero client config set cacert=/tmp/ingress.pem +``` + +``` /bash +oc apply -f - < 8443/TCP 390d +service/openshift-adp-velero-metrics-svc ClusterIP 172.30.210.63 8085/TCP 378d + +NAME DESIRED CURRENT READY UP-TO-DATE AVAILABLE NODE SELECTOR AGE +daemonset.apps/restic 3 3 3 3 3 378d + +NAME READY UP-TO-DATE AVAILABLE AGE +deployment.apps/openshift-adp-controller-manager 1/1 1 1 390d +deployment.apps/velero 1/1 1 1 378d + +NAME DESIRED CURRENT READY AGE +replicaset.apps/openshift-adp-controller-manager-5d47dfd7cc 1 1 1 8d +replicaset.apps/openshift-adp-controller-manager-bdc95f5c9 0 0 0 217d +replicaset.apps/velero-5858d6dfcb 0 0 0 217d +replicaset.apps/velero-6984c689f5 1 1 1 8d +replicaset.apps/velero-6c6fcf574b 0 0 0 377d +replicaset.apps/velero-6dfddf4574 0 0 0 252d +replicaset.apps/velero-7887bf7c9c 0 0 0 378d +replicaset.apps/velero-7dbc47ff6d 0 0 0 335d +``` + +On vérifie que la conf est cohérente au niveau des CR + +``` /bash +oc get -n openshift-adp backupstoragelocations.velero.io +oc get -n openshift-adp backupstoragelocations.velero.io velero-sample-1 -o json | jq '.spec' +{ + "config": { + "insecureSkipTLSVerify": "false", + "profile": "default", + "region": 
"minio", + "s3ForcePathStyle": "true", + "s3Url": "https://s3-openshift-storage.apps.orchidee.okd-dev.abes.fr" + }, + "credential": { + "key": "cloud", + "name": "cloud-credentials" + }, + "default": true, + "objectStorage": { + "bucket": "migstorage-588a21b0-edd7-4400-a39b-3508ab083a10", + "caCert": "cert", + "prefix": "velero" + }, + "provider": "aws" +} +``` + +Le client velero se connecte par défaut à l\'environnement k8s défini +par la variable `$KUBECONFIG`. On peut aussi forcer cet environnement +avec l\'option `--kubeconfig` + +``` /bash +oc -n openshift-adp exec velero-6984c689f5-x97z2 -- /velero snapshot-location get +velero backup-location get -n openshift-adp +NAME PROVIDER BUCKET/PREFIX PHASE LAST VALIDATED ACCESS MODE DEFAULT +velero-sample-1 aws migstorage-588a21b0-edd7-4400-a39b-3508ab083a10/velero Available 2024-05-29 18:55:31 +0200 CEST ReadWrite true +``` + +``` /bash +oc get -n openshift-adp volumesnapshotlocations.velero.io velero-sample-1 -o json | jq '.spec' +{ + "config": { + "profile": "default", + "region": "us-west-2" + }, + "provider": "aws" +} +``` + +``` /bash +oc -n openshift-adp exec velero-6984c689f5-x97z2 -- /velero snapshot-location get +velero snapshot-location get -n openshift-adp +NAME PROVIDER +velero-sample-1 aws +``` + +#### Effectuer un backup Velero FSB + +- On sélectionne les objets à sauvegarder au moyen de filtres + appropriés + +Pour rappel, dans cette partie, on n\'utilise uniquement que le mode FSB +défini dans le CR `dpa`, l\'option `--default-volumes-to-fs-backup` est +donc inutile mais est là pour mémoire. 
+ +``` /bash +# par sélection de label +velero backup create movies --selector io.kompose.network/movies-docker-test-default=true -n openshift-adp (--default-volumes-to-fs-backup=true) +# par namespace +velero backup create movies --include-namespaces=movies-docker-ceph -n openshift-adp (--default-volumes-to-fs-backup=true) +``` + +version sans filtres: + +``` /bash +oc apply -f - < + labels: + velero.io/storage-location: default + namespace: openshift-adp +spec: + csiSnapshotTimeout: 10m0s + defaultVolumesToRestic: true + includedNamespaces: + - movies-docker-ceph + itemOperationTimeout: 4h0m0s + storageLocation: velero-sample2-1 + volumeSnapshotLocations: + - velero-sample2-1 +EOF +``` + +version avec `labelSelector` + +``` /bash +oc apply -f - < + labels: + velero.io/storage-location: default + namespace: openshift-adp +spec: + csiSnapshotTimeout: 10m0s + includedNamespaces: + - '*' + labelSelector: + matchLabels: + io.kompose.network/movies-docker-test-default: "true" + itemOperationTimeout: 4h0m0s + storageLocation: velero-sample2-1 + volumeSnapshotLocations: + - velero-sample2-1 +EOF +``` + + * Vérification de l'état de la sauvegarde + +``` /bash +velero backup describe movies -n openshift-adp +velero backup logs movies -n openshift-adp +velero backup get movies +NAME STATUS ERRORS WARNINGS CREATED EXPIRES STORAGE LOCATION SELECTOR +movies Completed 0 0 2024-05-29 19:46:36 +0200 CEST 29d velero-sample-1 io.kompose.network/movies-docker-test-default=true +oc get podvolumebackups.velero.io -n openshift-adp --sort-by='{metadata.creationTimestamp}' +movies60-vvtff Completed 8h movies-docker-ceph movies-wikibase-wdqs-7f65d75f4d-p6jrp movies-wikibase-wdqs-claim0 s3:http://ocs-storagecluster-cephobjectstore-openshift-storage.apps.orchidee.okd-dev.abes.fr/tutu2-3e90e44e-a940-454e-a891-587d13472302/velero/restic/movies-docker-ceph kopia velero-sample-1 8h +``` + +``` /bash +velero backup describe movies62 --details +... 
+Backup Item Operations: + Operation for volumesnapshots.snapshot.storage.k8s.io movies-docker-ceph/velero-movies-wikibase-mysql-claim3-wpb6x: + Backup Item Action Plugin: velero.io/csi-volumesnapshot-backupper + Operation ID: movies-docker-ceph/velero-movies-wikibase-mysql-claim3-wpb6x/2024-06-14T14:13:52Z + Items to Update: + volumesnapshots.snapshot.storage.k8s.io movies-docker-ceph/velero-movies-wikibase-mysql-claim3-wpb6x + Phase: Completed + Created: 2024-06-14 16:13:52 +0200 CEST + Started: 2024-06-14 16:13:52 +0200 CEST + Operation for volumesnapshotcontents.snapshot.storage.k8s.io /snapcontent-2463af57-dfd2-4a50-8841-42e3e518e8ee: + Backup Item Action Plugin: velero.io/csi-volumesnapshotcontent-backupper + Operation ID: snapcontent-2463af57-dfd2-4a50-8841-42e3e518e8ee/2024-06-14T14:13:52Z + Items to Update: + volumesnapshotcontents.snapshot.storage.k8s.io /snapcontent-2463af57-dfd2-4a50-8841-42e3e518e8ee + Phase: Completed + Created: 2024-06-14 16:13:52 +0200 CEST + Started: 2024-06-14 16:13:52 +0200 CEST +... 
+``` + +- Vérification du contenu des fichiers + +``` /bash +export AWS_ACCESS_KEY_ID="key"; export AWS_SECRET_ACCESS_KEY="key"; aws s3 ls s3://tutu2-3e90e44e-a940-454e-a891-587d13472302/ --recursive --endpoint http://ocs-storagecluster-cephobjectstore-openshift-storage.apps.orchidee.okd-dev.abes.fr | sort +2024-06-14 12:58:55 1112117 velero/restic/movies-docker-ceph/data/97/9735f40a7d8778f4af65b5f467de2233e0dcada6f9e01aa446f6e8e2f5c6cc5c +2024-06-14 12:58:55 1232 velero/restic/movies-docker-ceph/index/4eca95163a14b77e8d766c3c0d8d8f296ae03729e6e431a499523e947dd79e8c +2024-06-14 12:58:55 27273 velero/restic/movies-docker-ceph/data/e0/e0e87d85179da5f117392afb92f9ca2e08cb3bdd93cd5a288a7dad1306de1027 +2024-06-14 12:58:55 382 velero/restic/movies-docker-ceph/snapshots/ce5ff1181f80b9913d154475105c8585e744aa2fad52aed7e41bbf9581bcefa3 +2024-06-14 12:58:56 10941 velero/backups/movies56/movies56-logs.gz +2024-06-14 12:58:56 27 velero/backups/movies56/movies56-csi-volumesnapshotcontents.json.gz +2024-06-14 12:58:56 29 velero/backups/movies56/movies56-csi-volumesnapshots.json.gz +2024-06-14 12:58:56 9893 velero/backups/movies56/movies56.tar.gz +2024-06-14 12:58:58 29 velero/backups/movies56/movies56-csi-volumesnapshotclasses.json.gz +2024-06-14 12:58:58 49 velero/backups/movies56/movies56-results.gz +2024-06-14 12:58:58 990 velero/backups/movies56/movies56-podvolumebackups.json.gz +2024-06-14 12:59:00 27 velero/backups/movies56/movies56-itemoperations.json.gz +2024-06-14 12:59:00 29 velero/backups/movies56/movies56-volumesnapshots.json.gz +2024-06-14 12:59:00 326 velero/backups/movies56/movies56-resource-list.json.gz +2024-06-14 12:59:01 3238 velero/backups/movies56/velero-backup.json +``` + +On distingue bien deux parties; + +- la partie sauvegarde du volume `restic` + +``` /bash +2024-06-14 12:58:55 1112117 velero/restic/movies-docker-ceph/data/97/9735f40a7d8778f4af65b5f467de2233e0dcada6f9e01aa446f6e8e2f5c6cc5c +2024-06-14 12:58:55 1232 
velero/restic/movies-docker-ceph/index/4eca95163a14b77e8d766c3c0d8d8f296ae03729e6e431a499523e947dd79e8c +2024-06-14 12:58:55 27273 velero/restic/movies-docker-ceph/data/e0/e0e87d85179da5f117392afb92f9ca2e08cb3bdd93cd5a288a7dad1306de1027 +2024-06-14 12:58:55 382 velero/restic/movies-docker-ceph/snapshots/ce5ff1181f80b9913d154475105c8585e744aa2fad52aed7e41bbf9581bcefa3 +``` + +- La partie sauvegardes des manifests: + +``` /bash +2024-06-14 12:58:56 10941 velero/backups/movies56/movies56-logs.gz +2024-06-14 12:58:56 27 velero/backups/movies56/movies56-csi-volumesnapshotcontents.json.gz +2024-06-14 12:58:56 29 velero/backups/movies56/movies56-csi-volumesnapshots.json.gz +2024-06-14 12:58:56 9893 velero/backups/movies56/movies56.tar.gz +2024-06-14 12:58:58 29 velero/backups/movies56/movies56-csi-volumesnapshotclasses.json.gz +2024-06-14 12:58:58 49 velero/backups/movies56/movies56-results.gz +2024-06-14 12:58:58 990 velero/backups/movies56/movies56-podvolumebackups.json.gz +2024-06-14 12:59:00 27 velero/backups/movies56/movies56-itemoperations.json.gz +2024-06-14 12:59:00 29 velero/backups/movies56/movies56-volumesnapshots.json.gz +2024-06-14 12:59:00 326 velero/backups/movies56/movies56-resource-list.json.gz +2024-06-14 12:59:01 3238 velero/backups/movies56/velero-backup.json +``` + +#### Effectuer un backup Velero CSI + + + +C\'est le plugin `csi` qui active cette fonctionnalité. Bien que +présent, il n\'était pas activé à cause de l\'option +`defaultVolumesToFsBackup: true` qui forçait le FSB. L\'avantage du +snapshot CSI est de pouvoir capturer une image fixe du volume +contrairement à ne sauvegarde plate qui peut varier entre le début et la +fin de la sauvegarde. + +On peut optionnellement définir un `snapshotLocation` différent de +restic, ainsi qu\'un profil de credential différent. 
+ +La mise en oeuvre est la même que précédemment: + +``` /bash +oc apply -f - < + labels: + velero.io/storage-location: default + namespace: openshift-adp +spec: + defaultVolumesToFsBackup: true + csiSnapshotTimeout: 10m0s + includedNamespaces: + - movies-docker-ceph + itemOperationTimeout: 4h0m0s + storageLocation: velero-sample2-1 + volumeSnapshotLocations: + - velero-sample2-1 +EOF +``` + +On observe les mêmes résultats: + +``` /bash +oc get podvolumebackups.velero.io -n openshift-adp --sort-by='{metadata.creationTimestamp}' +oc get volumesnapshotcontents.snapshot.storage.k8s.io --sort-by='{metadata.creationTimestamp}' -n openshift-adp +``` + +##### Data mover + +C\'est la nouveauté de cette version. Par défaut, les snapshots des +volumes `CSI` sont stockés sur OKD/Openshift dans l\'objet +`volumesnapshotcontents`, ce qui peut rendre la sauvegarde fragile si on +venait à perdre le cluster. Cette fonctionnalité permet de copier les +snapshots sur un backing store de stockage de type objet comme de simple +fichiers. 
+ +Pour ce faire, il faut + +- dans le `dpa`: + + * ''.spec.configuration.nodeAgent.uploaderType: kopia'' + * optionnellement et si on veut que ce soit le comportement par défaut, rajouter l'option ''.spec.configuration.velero.defaultSnapshotMoveData: true'' + +- dans le volumeSnapshotClass: s\'assurer que le label + `metadata.labels.velero.io/csi-volumesnapshot-class: "true"` est + bien renseigné: + +``` /bash +oc get volumesnapshotclasses.snapshot.storage.k8s.io +NAME DRIVER DELETIONPOLICY AGE +csi-nfs-snapclass nfs.csi.k8s.io Delete 32d +ocs-storagecluster-cephfsplugin-snapclass openshift-storage.cephfs.csi.ceph.com Delete 406d +ocs-storagecluster-rbdplugin-snapclass openshift-storage.rbd.csi.ceph.com Delete 406d +oc label volumesnapshotclasses ocs-storagecluster-cephfsplugin-snapclass velero.io/csi-volumesnapshot-class="true" +``` + +``` /bash +velero backup create velero-sample --snapshot-move-data --include-namespaces=movies-docker-ceph -n openshift-adp --snapshot-move-data +``` + +``` /bash +oc apply -f - < + labels: + velero.io/storage-location: default + namespace: openshift-adp +spec: + defaultVolumesToFsBackup: false + snapshotMoveData: true + csiSnapshotTimeout: 10m0s + includedNamespaces: + - movies-docker-ceph + itemOperationTimeout: 4h0m0s + storageLocation: velero-sample2-1 + volumeSnapshotLocations: + - velero-sample2-1 +EOF +``` + +Vérification des snapshots: + + +``` /bash +velero backup describe movies63 --details +... 
+Backup Item Operations: + Operation for persistentvolumeclaims movies-docker-ceph/movies-wikibase-mysql-claim3: + Backup Item Action Plugin: velero.io/csi-pvc-backupper + Operation ID: du-4cf3c2a8-acae-4074-8ba5-3670eca7f5b1.586aa15f-599c-4e8c70f53 + Items to Update: + datauploads.velero.io openshift-adp/movies63-znfb5 + Phase: Completed + Progress: 1506139247 of 1506139247 complete (Bytes) + Progress description: Completed + Created: 2024-06-14 17:47:20 +0200 CEST + Started: 2024-06-14 17:47:20 +0200 CEST + Updated: 2024-06-14 17:47:37 +0200 CEST +... +``` + +``` /bash +oc get datauploads.velero.io -n openshift-adp movies63-znfb5 -o yaml +apiVersion: velero.io/v2alpha1 +kind: DataUpload +metadata: + creationTimestamp: "2024-06-14T15:47:20Z" + generateName: movies63- + generation: 7 + labels: + velero.io/accepted-by: orchidee-ccbm8-worker-zhgql + velero.io/async-operation-id: du-4cf3c2a8-acae-4074-8ba5-3670eca7f5b1.586aa15f-599c-4e8c70f53 + velero.io/backup-name: movies63 + velero.io/backup-uid: 4cf3c2a8-acae-4074-8ba5-3670eca7f5b1 + velero.io/pvc-uid: 586aa15f-599c-4e8c-83f6-015fd7bf1405 + name: movies63-znfb5 + namespace: openshift-adp + ownerReferences: + - apiVersion: velero.io/v1 + controller: true + kind: Backup + name: movies63 + uid: 4cf3c2a8-acae-4074-8ba5-3670eca7f5b1 + resourceVersion: "613342660" + uid: 783c290b-af60-4029-9674-b34a3d63921a +spec: + backupStorageLocation: velero-sample-1 + csiSnapshot: + snapshotClass: "" + storageClass: ocs-storagecluster-ceph-rbd + volumeSnapshot: velero-movies-wikibase-mysql-claim3-rz8zq + operationTimeout: 10m0s + snapshotType: CSI + sourceNamespace: movies-docker-ceph + sourcePVC: movies-wikibase-mysql-claim3 +status: + completionTimestamp: "2024-06-14T15:47:37Z" + node: orchidee-ccbm8-worker-9pg8j + path: /host_pods/e21766a1-5f51-418f-afb1-489c46099cc4/volumes/kubernetes.io~csi/pvc-75d159f9-8ca3-481d-a3d4-cc3608d56568/mount + phase: Completed + progress: + bytesDone: 1506139247 + totalBytes: 1506139247 + 
snapshotID: be9bed8e30b21ecb10ce8dc682bfbdc1 + startTimestamp: "2024-06-14T15:47:20Z +``` + +De plus, on voit bien à présent qu\'aucun `volumeSnaphotContents` n\'est +généré: + +``` /bash +oc get volumesnapshotcontents.snapshot.storage.k8s.io --sort-by='{metadata.creationTimestamp}' -n openshift-adp +``` + +Ce qui confirme bien que les fichiers de snapshots ont bien été +transférés sur le bucket cible. + +``` /bash +2024-06-14 17:47:21 11273 velero/backups/movies63/movies63-logs.gz +2024-06-14 17:47:22 29 velero/backups/movies63/movies63-podvolumebackups.json.gz +2024-06-14 17:47:22 29 velero/backups/movies63/movies63-volumesnapshots.json.gz +2024-06-14 17:47:22 49 velero/backups/movies63/movies63-results.gz +2024-06-14 17:47:24 326 velero/backups/movies63/movies63-resource-list.json.gz +2024-06-14 17:47:26 29 velero/backups/movies63/movies63-csi-volumesnapshotcontents.json.gz +2024-06-14 17:47:26 29 velero/backups/movies63/movies63-csi-volumesnapshots.json.gz +2024-06-14 17:47:27 29 velero/backups/movies63/movies63-csi-volumesnapshotclasses.json.gz +2024-06-14 17:47:36 143 velero/kopia/movies-docker-ceph/xn3_1766d77834043d8d3028d5882c0d8596-s3474572057443e35129-c1 +2024-06-14 17:47:36 143 velero/kopia/movies-docker-ceph/xn3_32f90df80df2289d37808d618d88535e-s35fd80c593099092129-c1 +2024-06-14 17:47:36 4298 velero/kopia/movies-docker-ceph/q6f2616dddff33e3387601852c685fcd9-s35fd80c593099092129 +2024-06-14 17:47:36 4298 velero/kopia/movies-docker-ceph/q983c2aa6c38fafbaafde7e3d7f4a8492-s3474572057443e35129 +2024-06-14 17:47:37 2358 velero/kopia/movies-docker-ceph/_log_20240614154736_8bcf_1718380056_1718380057_1_952d78db457628ad35bd9838d3bc9546 +2024-06-14 17:47:41 398 velero/backups/movies63/movies63-itemoperations.json.gz +2024-06-14 17:47:43 10947 velero/backups/movies63/movies63.tar.gz +2024-06-14 17:47:43 3420 velero/backups/movies63/velero-backup.json +``` + +Contrairement à un backup sans l\'option `Data Mover`, on retrouve bien +des fichiers de volumes `kopia`. 
+ +``` /bash +oc get -o json datauploads -n openshift-adp | jq '.items[]|{(.metadata.name): {(.spec.sourcePVC): (.spec.csiSnapshot.storageClass)}}' +{ + "movies21-27zl7": { + "movies-wikibase-mysql-claim6": "nfs-csi3" + } +} +{ + "movies21-c5n25": { + "movies-wikibase-mysql-claim0": "ocs-storagecluster-cephfs" + } +} +{ + "movies21-tbksj": { + "movies-wikibase-mysql-claim5": "nfs-csi3" + } +} +{ + "movies21-v2crv": { + "movies-wikibase-mysql-claim7": "nfs-csi4" + } +} +{ + "movies21-zm7n5": { + "movies-wikibase-mysql-claim1": "ocs-storagecluster-cephfs" + } +} +{ + "movies22-48v7b": { + "movies-wikibase-mysql-claim1": "ocs-storagecluster-cephfs" + } +} +{ + "movies22-dqfqr": { + "movies-wikibase-mysql-claim5": "nfs-csi3" + } +} +{ + "movies22-jll4t": { + "movies-wikibase-mysql-claim0": "ocs-storagecluster-cephfs" + } +} +{ + "movies22-mt5bc": { + "movies-wikibase-mysql-claim7": "nfs-csi4" + } +} +{ + "movies22-pm2kq": { + "movies-wikibase-mysql-claim6": "nfs-csi3" + } +} +``` diff --git a/documentation/chrony.md b/documentation/chrony.md new file mode 100644 index 0000000..56605a3 --- /dev/null +++ b/documentation/chrony.md 
@@ -0,0 +1,389 @@
+# Configurer le démon chrony dans OKD
+
+La configuration de chrony dans OKD va se passer par le biais des
+fichiers ignitions qui sont préchargés on démarrage des nodes du
+cluster. Ignition est tout droit issu de la suite FCOS.
+
+Ce qui va induire un remdémarrage pour chacune des nodes dont les
+workers et masters. Il faut donc avant toutes choses veiller à avoir les
+ressources suffisantes pour faire tenir l'ensemble des containers sur
+n-1 worker (-1 car 1 worker à la fois se fait redémarrer).
+
+Pour se faire, nous allons passer par Butane qui est un binaire qui nous
+permet de traduire un premier fichier de conf en Objet MachineConfig et
+de nous enlever la contrainte d'avoir à choisir la version de ignition
+etc ...
+
+On va créer un premier fichier sous l'extension .bu, qui va rassembler
+la configuration des Nodes Masters pour le démon Chrony :
+
+``` code
+╰─> cat 99-master-chrony-conf-override.bu
+variant: openshift
+version: 4.12.0
+metadata:
+ name: 99-master-chrony-conf-override
+ labels:
+ machineconfiguration.openshift.io/role: master
+storage:
+ files:
+ - path: /etc/chrony.conf
+ mode: 0644
+ overwrite: true
+ contents:
+ inline: |
+ server ntp.abes.fr iburst
+ driftfile /var/lib/chrony/drift
+ makestep 1.0 3
+ rtcsync
+ logdir /var/log/chrony
+ keyfile /etc/chrony.keys
+```
+
+idem pour les Workers :
+
+``` code
+╰─> cat 99-worker-chrony-conf-override.bu
+variant: openshift
+version: 4.12.0
+metadata:
+ name: 99-worker-chrony-conf-override
+ labels:
+ machineconfiguration.openshift.io/role: worker
+storage:
+ files:
+ - path: /etc/chrony.conf
+ mode: 0644
+ overwrite: true
+ contents:
+ inline: |
+ server ntp.abes.fr iburst
+ driftfile /var/lib/chrony/drift
+ makestep 1.0 3
+ rtcsync
+ logdir /var/log/chrony
+ keyfile /etc/chrony.keys
+```
+
+Ensuite nous allons générer les objets MachineConfig afin d'apliquer ses
+configurations respectives à chaque node du cluster.
+
+``` code
+╰─> butane 99-master-chrony-conf-override.bu -o 99-master-chrony-conf-override.yaml
+```
+
+``` code
+╰─> butane 99-worker-chrony-conf-override.bu -o 99-worker-chrony-conf-override.yaml
+```
+
+Butane va se charger tout seul de transformer les manifests en
+MachineConfig de manière à matcher la dernière version de Ignition
+utilisée par les nodes FCOS et de chiffrer la configuration en base64.
+
+Exemple l'objet généré pour les Masters :
+
+``` code
+# Generated by Butane; do not edit
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+metadata:
+ labels:
+ machineconfiguration.openshift.io/role: master
+ name: 99-master-chrony-conf-override
+spec:
+ config:
+ ignition:
+ version: 3.2.0
+ storage:
+ files:
+ - contents:
+ compression: gzip
+ source: data:;base64,H4sIAAAAAAAC/yzMwa0DIQyE4burcAXwnlIRsGZjQWA1dlai+0gJ1xl9vwluAQ+/QspioYI1v2FOB7R61S4c74TYNcfyxBwrfh96pSbmcvF/+OMHwYutUajP81BsM89tqMn6tcTL3kKTZfQJAAD//y8Bf5KBAAAA
+ mode: 420
+ overwrite: true
+ path: /etc/chrony.conf
+```
+
+Il nous reste plus qu'à appliquer les objets MachineConfig au cluster
+pour que celui-ci puisse se rafraîchir à la configuration qu'on aura
+voulu lui apporter.
+
+``` code
+╰─> oc apply -f 99-master-chrony-conf-override.yaml
+╰─> oc apply -f 99-worker-chrony-conf-override.yaml
+```
+
+Une fois appliquer il va falloir attendre que toutes les machines du
+cluster redémarrent pour pouvoir appliquer la nouvelle configuration
+Chrony.
+ +``` code +╰─> oc describe machineconfigpools.machineconfiguration.openshift.io + +Name: master +Namespace: +Labels: machineconfiguration.openshift.io/mco-built-in= + operator.machineconfiguration.openshift.io/required-for-upgrade= + pools.operator.machineconfiguration.openshift.io/master= +Annotations: +API Version: machineconfiguration.openshift.io/v1 +Kind: MachineConfigPool +Degraded Machine Count: 0 + Machine Count: 3 + Observed Generation: 3 + Ready Machine Count: 3 + Unavailable Machine Count: 0 + Updated Machine Count: 3 +Events: + Type Reason Age From Message + ---- ------ ---- ---- ------- + Normal RenderedConfigGenerated 70m machineconfigcontroller-rendercontroller rendered-master-ac69e7d7738d5f3c3f1761e13a7c2325 successfully generated (release version: 4.12.0-0.okd-2023-02-18-033438, controller version: 4099f3c4f4ea9df85a7516a6300a4c6e5504a5cd) + Normal SetDesiredConfig 69m machineconfigcontroller-nodecontroller Targeted node orchidee-hw8b4-master-1 to config rendered-master-ac69e7d7738d5f3c3f1761e13a7c2325 + Normal AnnotationChange 69m machineconfigcontroller-nodecontroller Node orchidee-hw8b4-master-1 now has machineconfiguration.openshift.io/desiredConfig=rendered-master-ac69e7d7738d5f3c3f1761e13a7c2325 + Normal AnnotationChange 69m machineconfigcontroller-nodecontroller Node orchidee-hw8b4-master-1 now has machineconfiguration.openshift.io/state=Working + Normal SetDesiredConfig 63m machineconfigcontroller-nodecontroller Targeted node orchidee-hw8b4-master-2 to config rendered-master-ac69e7d7738d5f3c3f1761e13a7c2325 + Normal AnnotationChange 63m machineconfigcontroller-nodecontroller Node orchidee-hw8b4-master-2 now has machineconfiguration.openshift.io/desiredConfig=rendered-master-ac69e7d7738d5f3c3f1761e13a7c2325 + Normal AnnotationChange 63m machineconfigcontroller-nodecontroller Node orchidee-hw8b4-master-2 now has machineconfiguration.openshift.io/state=Working + Normal SetDesiredConfig 56m machineconfigcontroller-nodecontroller Targeted node 
orchidee-hw8b4-master-0 to config rendered-master-ac69e7d7738d5f3c3f1761e13a7c2325 + Normal AnnotationChange 56m machineconfigcontroller-nodecontroller Node orchidee-hw8b4-master-0 now has machineconfiguration.openshift.io/desiredConfig=rendered-master-ac69e7d7738d5f3c3f1761e13a7c2325 + Normal AnnotationChange 56m machineconfigcontroller-nodecontroller Node orchidee-hw8b4-master-0 now has machineconfiguration.openshift.io/state=Working + +Name: worker +Namespace: +Labels: machineconfiguration.openshift.io/mco-built-in= + pools.operator.machineconfiguration.openshift.io/worker= +Annotations: +API Version: machineconfiguration.openshift.io/v1 +Kind: MachineConfigPool +Degraded Machine Count: 0 + Machine Count: 3 + Observed Generation: 3 + Ready Machine Count: 3 + Unavailable Machine Count: 0 + Updated Machine Count: 3 +Events: + Type Reason Age From Message + ---- ------ ---- ---- ------- + Normal RenderedConfigGenerated 69m machineconfigcontroller-rendercontroller rendered-worker-2dbc01a01c8c8224b9ef5e7b8e5034b0 successfully generated (release version: 4.12.0-0.okd-2023-02-18-033438, controller version: 4099f3c4f4ea9df85a7516a6300a4c6e5504a5cd) + Normal SetDesiredConfig 69m machineconfigcontroller-nodecontroller Targeted node orchidee-hw8b4-worker-nvcjf to config rendered-worker-2dbc01a01c8c8224b9ef5e7b8e5034b0 + Normal SetDesiredConfig 64m machineconfigcontroller-nodecontroller Targeted node orchidee-hw8b4-worker-png59 to config rendered-worker-2dbc01a01c8c8224b9ef5e7b8e5034b0 + Normal SetDesiredConfig 59m machineconfigcontroller-nodecontroller Targeted node orchidee-hw8b4-worker-mwr49 to config rendered-worker-2dbc01a01c8c8224b9ef5e7b8e5034b0 +``` + +En faisant une description d'état sur la ressouce MachineConfigPool, +nous pouvons voir où en est la progression du rendu de la nouvelle +configuration qu'on a apporté à nos Masters et Workers. + +Il nous reste plus qu'à vérifer le bon déploiement de la nouvelle +configuration et à changer de timezone. 
+ +``` code +╰─> for node in $(oc get nodes | tail -n +2 | awk '{print $1}'); +do cat < for node in $(oc get nodes | tail -n +2 | awk '{print $1}'); +do cat < ll +drwxr-xr-x. 3 root root 4096 Mar 1 15:52 orchidee-dev-v1212 +drwxr-xr-x. 3 root root 48 Mar 2 16:24 orchidee-test +``` + +Les installations des clusters OKD ont étés faites dans le répertoire +"/root" comme on peut l'aperçevoir sur block de code ci-dessus. + +**Correction : Les installations été déplacées dans le répertoire +/data/root** + +Afin de s'y connecter, nous devons exporter par variabale +d'environnement le fichier de configuration kubeconfig du cluster auquel +on veut se connecter. Ce fichier est pourvu d'un certificat qui est +utilisé pour l'authetification aux clusters par le biais de l'api. + +> Le client oc de okd (correspond à kubelet sous kubernetes) est +> indispensable à l'authentification aux clusters. + +``` bash +2023/03/07 09:36:43: root@chopine:/root/orchidee-dev-v1212/okd_install/auth +> ll +total 732 +drwxr-x---. 2 root root 73 Feb 27 15:36 . +drwxr-xr-x. 4 root root 4096 Feb 23 15:54 .. +-rw-r-----. 1 root root 23 Feb 23 15:23 kubeadmin-password +-rw-------. 1 root root 24872 Mar 1 17:04 kubeconfig +-rw-r--r--. 1 root root 709759 Feb 23 16:31 oc_bash_completion +``` + +Pour obtenir ce fichier, il suffit de suivre le chemin suivant et de se +rendre dans le répertoire "auth". + +Ensuite, on a plus qu'a exporter le fichier kubeconfig dans la variable +d'environnement KUBECONFIG qui sera utile à notre client okd (binaire : +oc). 
+
+``` bash
+2023/03/07 09:41:43: root@chopine:/root/orchidee-dev-v1212/okd_install/auth
+> export KUBECONFIG=/root/orchidee-dev-v1212/okd_install/auth/kubeconfig
+```
+
+On procède à la vérification de l'accessibilité de notre cluster comme
+suit :
+
+``` bash
+2023/03/07 09:44:34: root@chopine:/root/orchidee-dev-v1212/okd_install/auth
+> oc get nodes
+NAME STATUS ROLES AGE VERSION
+orchidee-ccbm8-master-0 Ready control-plane,master 11d v1.25.4+a34b9e9
+orchidee-ccbm8-master-1 Ready control-plane,master 11d v1.25.4+a34b9e9
+orchidee-ccbm8-master-2 Ready control-plane,master 11d v1.25.4+a34b9e9
+orchidee-ccbm8-worker-9pg8j Ready worker 11d v1.25.4+a34b9e9
+orchidee-ccbm8-worker-v55b4 Ready worker 11d v1.25.4+a34b9e9
+orchidee-ccbm8-worker-zhgql Ready worker 11d v1.25.4+a34b9e9
+```
+
+## Commandes
+
+``` bash
+> oc get nodes -o wide
+NAME STATUS ROLES AGE VERSION INTERNAL-IP EXTERNAL-IP OS-IMAGE KERNEL-VERSION CONTAINER-RUNTIME
+orchidee-ccbm8-master-0 Ready control-plane,master 11d v1.25.4+a34b9e9 10.35.212.53 Fedora CoreOS 37.20230110.3.1 6.0.18-300.fc37.x86_64 cri-o://1.25.1
+orchidee-ccbm8-master-1 Ready control-plane,master 11d v1.25.4+a34b9e9 10.35.212.52 Fedora CoreOS 37.20230110.3.1 6.0.18-300.fc37.x86_64 cri-o://1.25.1
+orchidee-ccbm8-master-2 Ready control-plane,master 11d v1.25.4+a34b9e9 10.35.212.153 Fedora CoreOS 37.20230110.3.1 6.0.18-300.fc37.x86_64 cri-o://1.25.1
+orchidee-ccbm8-worker-9pg8j Ready worker 11d v1.25.4+a34b9e9 10.35.212.55 Fedora CoreOS 37.20230110.3.1 6.0.18-300.fc37.x86_64 cri-o://1.25.1
+orchidee-ccbm8-worker-v55b4 Ready worker 11d v1.25.4+a34b9e9 10.35.212.56 Fedora CoreOS 37.20230110.3.1 6.0.18-300.fc37.x86_64 cri-o://1.25.1
+orchidee-ccbm8-worker-zhgql Ready worker 11d v1.25.4+a34b9e9 10.35.212.57 Fedora CoreOS 37.20230110.3.1 6.0.18-300.fc37.x86_64 cri-o://1.25.1
+```
+
+Obtenir les noeuds d'un cluster et tout un éventail d'information.
+ +``` bash +> oc get nodes +NAME STATUS ROLES AGE VERSION +orchidee-ccbm8-master-0 Ready control-plane,master 11d v1.25.4+a34b9e9 +orchidee-ccbm8-master-1 Ready control-plane,master 11d v1.25.4+a34b9e9 +orchidee-ccbm8-master-2 Ready control-plane,master 11d v1.25.4+a34b9e9 +orchidee-ccbm8-worker-9pg8j Ready worker 11d v1.25.4+a34b9e9 +orchidee-ccbm8-worker-v55b4 Ready worker 11d v1.25.4+a34b9e9 +orchidee-ccbm8-worker-zhgql Ready worker 11d v1.25.4+a34b9e9 +``` + +Sans le -o wide, la sortie est un peu plus pauvre. + +``` bash +> oc get pods -A -o wide +NAMESPACE NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES +awx awx-c467cf964-k8phg 4/4 Running 0 5d16h 10.129.2.53 orchidee-ccbm8-worker-zhgql +awx awx-operator-controller-manager-56f98985c8-mmksz 2/2 Running 0 5d16h 10.129.2.52 orchidee-ccbm8-worker-zhgql +awx awx-postgres-13-0 1/1 Running 0 5d16h 10.131.0.116 orchidee-ccbm8-worker-9pg8j +awx2 awx-c467cf964-vgqk9 4/4 Running 0 6d13h 10.128.2.38 orchidee-ccbm8-worker-v55b4 +awx2 awx-operator-controller-manager-56f98985c8-hbxz5 2/2 Running 0 6d14h 10.128.2.36 orchidee-ccbm8-worker-v55b4 +awx2 awx-postgres-13-0 1/1 Running 0 6d14h 10.128.2.37 orchidee-ccbm8-worker-v55b4 +awx3 awx-c467cf964-jm44p 4/4 Running 0 5d17h 10.129.2.51 orchidee-ccbm8-worker-zhgql +awx3 awx-operator-controller-manager-56f98985c8-hvf7r 2/2 Running 0 5d17h 10.129.2.50 orchidee-ccbm8-worker-zhgql +awx3 awx-postgres-13-0 1/1 Running 0 5d17h 10.131.0.111 orchidee-ccbm8-worker-9pg8j +openshift-apiserver-operator openshift-apiserver-operator-6d5d696655-jq8cm 1/1 Running 2 (11d ago) 11d 10.130.0.15 orchidee-ccbm8-master-1 +openshift-apiserver apiserver-859d577579-5fj29 2/2 Running 0 11d 10.129.0.28 orchidee-ccbm8-master-2 +openshift-apiserver apiserver-859d577579-j7952 2/2 Running 0 11d 10.130.0.44 orchidee-ccbm8-master-1 +openshift-apiserver apiserver-859d577579-t8kcn 2/2 Running 0 11d 10.128.0.17 orchidee-ccbm8-master-0 +openshift-authentication-operator 
authentication-operator-68c75f854d-rqp2x 1/1 Running 2 (11d ago) 11d 10.130.0.28 orchidee-ccbm8-master-1 +openshift-authentication oauth-openshift-867cc47559-2vdfp 1/1 Running 0 11d 10.130.0.47 orchidee-ccbm8-master-1 +openshift-authentication oauth-openshift-867cc47559-5pkbd 1/1 Running 0 11d 10.129.0.35 orchidee-ccbm8-master-2 +openshift-authentication oauth-openshift-867cc47559-hmf94 1/1 Running 0 11d 10.128.0.31 orchidee-ccbm8-master-0 +openshift-cloud-controller-manager-operator cluster-cloud-controller-manager-operator-8d876c5cd-98h85 2/2 Running 2 (11d ago) 11d 10.35.212.52 orchidee-ccbm8-master-1 +openshift-cloud-credential-operator cloud-credential-operator-5c588fc678-mnvhg 2/2 Running 0 11d 10.130.0.20 orchidee-ccbm8-master-1 +openshift-cluster-csi-drivers ovirt-csi-driver-controller-7548ffcb77-hnt9p 7/7 Running 6 (3d9h ago) 11d 10.35.212.153 orchidee-ccbm8-master-2 +openshift-cluster-csi-drivers ovirt-csi-driver-controller-7548ffcb77-vc8zp 7/7 Running 3 (3d9h ago) 11d 10.35.212.52 orchidee-ccbm8-master-1 +openshift-cluster-csi-drivers ovirt-csi-driver-node-g89k6 3/3 Running 3 (3d9h ago) 11d 10.35.212.57 orchidee-ccbm8-worker-zhgql +openshift-cluster-csi-drivers ovirt-csi-driver-node-jj98q 3/3 Running 2 (3d9h ago) 11d 10.35.212.52 orchidee-ccbm8-master-1 +openshift-cluster-csi-drivers ovirt-csi-driver-node-tp7gq 3/3 Running 4 (3d9h ago) 11d 10.35.212.56 orchidee-ccbm8-worker-v55b4 +openshift-cluster-csi-drivers ovirt-csi-driver-node-xrgfd 3/3 Running 3 (3d9h ago) 11d 10.35.212.55 orchidee-ccbm8-worker-9pg8j +openshift-cluster-csi-drivers ovirt-csi-driver-node-zglsb 3/3 Running 2 (3d9h ago) 11d 10.35.212.53 orchidee-ccbm8-master-0 +openshift-cluster-csi-drivers ovirt-csi-driver-node-zl2r9 3/3 Running 2 (3d9h ago) 11d 10.35.212.153 orchidee-ccbm8-master-2 +openshift-cluster-csi-drivers ovirt-csi-driver-operator-757955c497-cgprt 1/1 Running 4 (11d ago) 11d 10.129.0.10 orchidee-ccbm8-master-2 +openshift-cluster-machine-approver 
machine-approver-59d8d57687-xlfph 2/2 Running 3 (11d ago) 11d 10.35.212.52 orchidee-ccbm8-master-1 +openshift-cluster-node-tuning-operator cluster-node-tuning-operator-7557b68c99-g5fwv 1/1 Running 1 (11d ago) 11d 10.130.0.11 orchidee-ccbm8-master-1 +openshift-cluster-node-tuning-operator tuned-98x28 1/1 Running 0 11d 10.35.212.52 orchidee-ccbm8-master-1 +openshift-cluster-node-tuning-operator tuned-ctcxl 1/1 Running 0 11d 10.35.212.57 orchidee-ccbm8-worker-zhgql +openshift-cluster-node-tuning-operator tuned-f8jzc 1/1 Running 0 11d 10.35.212.53 orchidee-ccbm8-master-0 +openshift-cluster-node-tuning-operator tuned-lk476 1/1 Running 0 11d 10.35.212.55 orchidee-ccbm8-worker-9pg8j +openshift-cluster-node-tuning-operator tuned-lpclj 1/1 Running 0 11d 10.35.212.153 orchidee-ccbm8-m +... +``` + +Avoir tous les pods tournant dans le cluster de tous les namespaces +(-A). + +> Si l'on ne spécifie pas le -A, il affichera par défaut les pods du +> namespace "default". + +Les adresses que l'on voit pour chacun de ses pods nous permettent de +juger leur degré d'exposition. (Réseau des noeuds ou réseau des pods) + +``` bash +> oc get +Display all 196 possibilities? 
(y or n) +alertmanagerconfigs.monitoring.coreos.com kubecontrollermanagers.operator.openshift.io +alertmanagers.monitoring.coreos.com kubeletconfigs.machineconfiguration.openshift.io +apirequestcounts.apiserver.openshift.io kubeschedulers.operator.openshift.io +apiservers.config.openshift.io kubestorageversionmigrators.operator.openshift.io +apiservices.apiregistration.k8s.io leases.coordination.k8s.io +appliedclusterresourcequotas.quota.openshift.io limitranges +authentications.config.openshift.io localvolumediscoveries.local.storage.openshift.io +authentications.operator.openshift.io localvolumediscoveryresults.local.storage.openshift.io +awxbackups.awx.ansible.com localvolumesets.local.storage.openshift.io +awxrestores.awx.ansible.com localvolumes.local.storage.openshift.io +awxs.awx.ansible.com machineautoscalers.autoscaling.openshift.io +baremetalhosts.metal3.io machineconfigpools.machineconfiguration.openshift.io +bmceventsubscriptions.metal3.io machineconfigs.machineconfiguration.openshift.io +brokertemplateinstances.template.openshift.io machinehealthchecks.machine.openshift.io +buildconfigs.build.openshift.io machinesets.machine.openshift.io +builds.build.openshift.io machines.machine.openshift.io +builds.config.openshift.io mutatingwebhookconfigurations.admissionregistration.k8s.io +catalogsources.operators.coreos.com namespaces +certificatesigningrequests.certificates.k8s.io network-attachment-definitions.k8s.cni.cncf.io +cloudcredentials.operator.openshift.io networkpolicies.networking.k8s.io +clusterautoscalers.autoscaling.openshift.io networks.config.openshift.io +clustercsidrivers.operator.openshift.io networks.operator.openshift.io +clusteroperators.config.openshift.io nodes +``` + +En sachant que l'autocomplétion a été mise en place sur chopine, vous +pouvez avoir le listing des ressources d'un namespace donné en tapant +"oc get" suivi d'une tabulation (Pas besoin de connaître les commande +sur le bout des doigts) puis all. 
+ +``` bash +> oc get all -n awx -o wide +NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES +pod/awx-c467cf964-k8phg 4/4 Running 0 5d17h 10.129.2.53 orchidee-ccbm8-worker-zhgql +pod/awx-operator-controller-manager-56f98985c8-mmksz 2/2 Running 0 5d17h 10.129.2.52 orchidee-ccbm8-worker-zhgql +pod/awx-postgres-13-0 1/1 Running 0 5d17h 10.131.0.116 orchidee-ccbm8-worker-9pg8j + +NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE SELECTOR +service/awx-operator-controller-manager-metrics-service ClusterIP 172.30.159.168 8443/TCP 5d17h control-plane=controller-manager,helm.sh/chart=awx-operator +service/awx-postgres-13 ClusterIP None 5432/TCP 5d17h app.kubernetes.io/component=database,app.kubernetes.io/instance=postgres-13-awx,app.kubernetes.io/managed-by=awx-operator,app.kubernetes.io/name=postgres-13,app.kubernetes.io/part-of=awx +service/awx-service ClusterIP 172.30.92.222 80/TCP 5d17h app.kubernetes.io/component=awx,app.kubernetes.io/managed-by=awx-operator,app.kubernetes.io/name=awx + +NAME READY UP-TO-DATE AVAILABLE AGE CONTAINERS IMAGES SELECTOR +deployment.apps/awx 1/1 1 1 5d17h redis,awx-web,awx-task,awx-ee docker.io/redis:7,quay.io/ansible/awx:21.12.0,quay.io/ansible/awx:21.12.0,quay.io/ansible/awx-ee:latest app.kubernetes.io/component=awx,app.kubernetes.io/managed-by=awx-operator,app.kubernetes.io/name=awx +deployment.apps/awx-operator-controller-manager 1/1 1 1 5d17h kube-rbac-proxy,awx-manager gcr.io/kubebuilder/kube-rbac-proxy:v0.13.0,quay.io/ansible/awx-operator:1.2.0 control-plane=controller-manager,helm.sh/chart=awx-operator + +NAME DESIRED CURRENT READY AGE CONTAINERS IMAGES SELECTOR +replicaset.apps/awx-c467cf964 1 1 1 5d17h redis,awx-web,awx-task,awx-ee docker.io/redis:7,quay.io/ansible/awx:21.12.0,quay.io/ansible/awx:21.12.0,quay.io/ansible/awx-ee:latest app.kubernetes.io/component=awx,app.kubernetes.io/managed-by=awx-operator,app.kubernetes.io/name=awx,pod-template-hash=c467cf964 
+replicaset.apps/awx-operator-controller-manager-56f98985c8 1 1 1 5d17h kube-rbac-proxy,awx-manager gcr.io/kubebuilder/kube-rbac-proxy:v0.13.0,quay.io/ansible/awx-operator:1.2.0 control-plane=controller-manager,helm.sh/chart=awx-operator,pod-template-hash=56f98985c8 + +NAME READY AGE CONTAINERS IMAGES +statefulset.apps/awx-postgres-13 1/1 5d17h postgres postgres:13 + +NAME HOST/PORT PATH SERVICES PORT TERMINATION WILDCARD +route.route.openshift.io/awx awx-awx.apps.orchidee.okd-dev.abes.fr awx-service http edge/Redirect None +``` + +L'argument all suivit du namespace nous permet de connaître toutes les +ressources créées dans le namespace (-n : namespace). + +``` bash +> oc get -n awx deployment awx -o yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + deployment.kubernetes.io/revision: "1" + kubectl.kubernetes.io/last-applied-configuration: '{"apiVersion":"apps/v1","kind":"Deployment","metadata":{"labels":{"app.kubernetes.io/component":"awx","app.kubernetes.io/managed-by":"awx-operator","app.kubernetes.io/name":"awx","app.kubernetes.io/operator-version":"1.2.0","app.kubernetes.io/part-of":"awx","app.kubernetes.io/version":"21.12.0"},"name":"awx","namespace":"awx"},"spec":{"replicas":1,"selector":{"matchLabels":{"app.kubernetes.io/component":"awx","app.kubernetes.io/managed-by":"awx-operator","app.kubernetes.io/name":"awx"}},"template":{"metadata":{"labels":{"app.kubernetes.io/component":"awx","app.kubernetes.io/managed-by":"awx-operator","app.kubernetes.io/name":"awx","app.kubernetes.io/operator-version":"1.2.0","app.kubernetes.io/part-of":"awx","app.kubernetes.io/version":"21.12.0"}},"spec":{"containers":[{"args":["redis-server","/etc/redis.conf"],"image":"docker.io/redis:7","imagePullPolicy":"IfNotPresent","name":"redis","resources":{"requests":{"cpu":"50m","memory":"64Mi"}},"volumeMounts":[{"mountPath":"/etc/redis.conf","name":"awx-redis-config","readOnly":true,"subPath":"redis.conf"},{"mountPath":"/var/run/redis","name":"awx-redis-socket"},{
"mountPath":"/data","name":"awx-redis-data"}]},{"args":["/usr/bin/launch_awx.sh"],"env":[{"name":"MY_POD_NAMESPACE","valueFrom":{"fieldRef":{"fieldPath":"metadata.namespace"}}},{"name":"UWSGI_MOUNT_PATH","value":"/"}],"image":"quay.io/ansible/awx:21.12.0","imagePullPolicy":"IfNotPresent","name":"awx-web","ports":[{"containerPort":8052}],"resources":{"requests":{"cpu":"100m","memory":"128Mi"}},"volumeMounts":[{"mountPath":"/etc/tower/conf.d/execution_environments.py","name":"awx-application-credentials","readOnly":true,"subPath":"execution_environments.py"},{"mountPath":"/etc/tower/conf.d/credentials.py","name":"awx-application-credentials","readOnly":true,"subPath":"credentials.py"} +... +``` + +On extrait la description de la ressource de déploiement sous forme yaml +du deploiement awx dans le namespace awx. Autrement dit, c'est un +manifest qui implémente la ressource déploiement par laquelle on peut +créer des pods/containers et spécifier le stockage des données et bien +d'autres fonctionnalités. + +> À savoir que l'on peut faire de même pour les pods, routes, services, +> ... + +``` bash +> oc describe pods -n awx awx-c467cf964-k8phg +Name: awx-c467cf964-k8phg +Namespace: awx +Priority: 0 +Node: orchidee-ccbm8-worker-zhgql/10.35.212.57 +Start Time: Wed, 01 Mar 2023 16:59:10 +0100 +Labels: app.kubernetes.io/component=awx + app.kubernetes.io/managed-by=awx-operator + app.kubernetes.io/name=awx + app.kubernetes.io/operator-version=1.2.0 + app.kubernetes.io/part-of=awx + app.kubernetes.io/version=21.12.0 + pod-template-hash=c467cf964 +Annotations: k8s.ovn.org/pod-networks: + {"default":{"ip_addresses":["10.129.2.53/23"],"mac_address":"0a:58:0a:81:02:35","gateway_ips":["10.129.2.1"],"ip_address":"10.129.2.53/23"... 
+ k8s.v1.cni.cncf.io/network-status: + [{ + "name": "ovn-kubernetes", + "interface": "eth0", + "ips": [ + "10.129.2.53" + ], + "mac": "0a:58:0a:81:02:35", + "default": true, + "dns": {} + }] + k8s.v1.cni.cncf.io/networks-status: + [{ + "name": "ovn-kubernetes", + "interface": "eth0", + "ips": [ + "10.129.2.53" + ], + "mac": "0a:58:0a:81:02:35", + "default": true, + "dns": {} + }] + openshift.io/scc: privileged +Status: Running +IP: 10.129.2.53 +IPs: + IP: 10.129.2.53 +Controlled By: ReplicaSet/awx-c467cf964 +Init Containers: + init: + Container ID: cri-o://fd955213a2f674ca5225bf0e23ac6a60ad071979fcf76205eb2d4ed8fc51036b + Image: quay.io/ansible/awx-ee:latest + Image ID: quay.io/ansible/awx-ee@sha256:73f3d4ec9b79f40710d4c332b64b8becd7b8a5e7c8676cacfb96affba57663b0 + Port: + Host Port: + Command: + /bin/sh + -c + hostname=$MY_POD_NAME + receptor --cert-makereq bits=2048 commonname=$hostname dnsname=$hostname nodeid=$hostname outreq=/etc/receptor/tls/receptor.req outkey=/etc/receptor/tls/receptor.key + receptor --cert-signreq req=/etc/receptor/tls/receptor.req cacert=/etc/receptor/tls/ca/receptor-ca.crt cakey=/etc/receptor/tls/ca/receptor-ca.key outcert=/etc/receptor/tls/receptor.crt verify=yes + + State: Terminated + Reason: Completed + Exit Code: 0 + Started: Wed, 01 Mar 2023 16:59:11 +0100 + Finished: Wed, 01 Mar 2023 16:59:12 +0100 + Ready: True + Restart Count: 0 + Requests: + cpu: 100m + memory: 128Mi + Environment: + MY_POD_NAME: awx-c467cf964-k8phg (v1:metadata.name) + Mounts: + /etc/receptor/tls/ from awx-receptor-tls (rw) + /etc/receptor/tls/ca/receptor-ca.crt from awx-receptor-ca (ro,path="tls.crt") + /etc/receptor/tls/ca/receptor-ca.key from awx-receptor-ca (ro,path="tls.key") + /var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-5l4td (ro) +Containers: + redis: + Container ID: cri-o://abc54a5550dd582419c8be2af151bf1570f728e40bec1a863e691143a08a412a + Image: docker.io/redis:7 + Image ID: 
docker.io/library/redis@sha256:6a59f1cbb8d28ac484176d52c473494859a512ddba3ea62a547258cf16c9b3ae + Port: + Host Port: + Args: + redis-server + /etc/redis.conf + State: Running + Started: Wed, 01 Mar 2023 16:59:13 +0100 + Ready: True + Restart Count: 0 + Requests: + cpu: 50m + memory: 64Mi + Environment: + Mounts: + /data from awx-redis-data (rw) + /etc/redis.conf from awx-redis-config (ro,path="redis.conf") + /var/run/redis from awx-redis-socket (rw) + /var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-5l4td (ro) +``` + +Describe est un outil qui peut s'avérer intéressant pour débuguer, on +aura toutes les informations concernant le pod et ses events. Si ce pod +plante, on pourra avoir des informations complémentaires dans l'encart +"event", qui indiquera si le pod est redémarré ou alors recréé (mode +liveness et readiness). + +> La description d'état peut se faire sur n'importe quelle ressource. + +``` bash +> oc logs --tail=20 -n awx awx-operator-controller-manager-56f98985c8-mmksz +------------------------------------------------------------------------------- +{"level":"info","ts":1677686543.7269216,"logger":"proxy","msg":"Read object from cache","resource":{"IsResourceRequest":true,"Path":"/api/v1/namespaces/awx/secrets/awx-receptor-work-signing","Verb":"get","APIPrefix":"api","APIGroup":"","APIVersion":"v1","Namespace":"awx","Resource":"secrets","Subresource":"","Name":"awx-receptor-work-signing","Parts":["secrets","awx-receptor-work-signing"]}} + +--------------------------- Ansible Task StdOut ------------------------------- + + TASK [Remove ownerReferences reference] ******************************** +ok: [localhost] => (item=None) => {"censored": "the output has been hidden due to the fact that 'no_log: true' was specified for this result", "changed": false} + +------------------------------------------------------------------------------- +{"level":"info","ts":1677686544.3118424,"logger":"runner","msg":"Ansible-runner exited 
successfully","job":"221828814128904738","name":"awx","namespace":"awx"}
+
+----- Ansible Task Status Event StdOut (awx.ansible.com/v1beta1, Kind=AWX, awx/awx) -----
+
+
+PLAY RECAP *********************************************************************
+localhost : ok=77 changed=0 unreachable=0 failed=0 skipped=71 rescued=0 ignored=1
+
+
+----------
+{"level":"info","ts":1677686544.3551552,"logger":"KubeAPIWarningLogger","msg":"unknown field \"status.conditions[1].ansibleResult\""}
+```
+
+On peut se procurer les logs d'un pod dans un namespace donné de la
+manière présentée ci-dessus (l'option -f est possible pour le realtime).
+
+Utile pour débuguer le déploiement d'une app par un opérateur (en
+l'occurence awx) et pour tout autre cas.
+
+> Si le namespace n'est pas précisé, il va attaquer celui par défaut
+
+TODO :
+
+- create
+- apply
+- replace
+- delete
diff --git a/documentation/connexion_api.md b/documentation/connexion_api.md
new file mode 100644
index 0000000..89f0aca
--- /dev/null
+++ b/documentation/connexion_api.md
@@ -0,0 +1,113 @@
+# Connexion à OKD 4
+
+### Fichier de log par défaut
+
+Les informations d\'installation et de connexion générées par
+l\'installateur se situent dans le fichier de log:
+
+ time="2021-03-11T08:12:35+01:00" level=info msg="Install complete!"
+ time="2021-03-11T08:12:35+01:00" level=info msg="To access the cluster as the system:admin user when using 'oc', run 'export KUBECONFIG=/root/auth/kubeconfig'"
+ time="2021-03-11T08:12:35+01:00" level=info msg="Access the OpenShift web-console here: https://console-openshift-console.apps.v212.abes.fr"
+ time="2021-03-11T08:12:35+01:00" level=info msg="Login to the console with user: \"kubeadmin\", and password: \"my_password\""
+ time="2021-03-11T08:12:35+01:00" level=debug msg="Time elapsed per stage:"
+ time="2021-03-11T08:12:35+01:00" level=debug msg=" Infrastructure: 5m16s"
+ time="2021-03-11T08:12:35+01:00" level=debug msg="Bootstrap Complete: 16m7s"
+ time="2021-03-11T08:12:35+01:00" level=debug msg=" API: 1m52s"
+ time="2021-03-11T08:12:35+01:00" level=debug msg=" Bootstrap Destroy: 37s"
+ time="2021-03-11T08:12:35+01:00" level=debug msg=" Cluster Operators: 18m34s"
+ time="2021-03-11T08:12:35+01:00" level=info msg="Time elapsed: 41m58s"
+
+L\'utilisateur `kubeadmin` est un utilisateur d\'administration
+temporaire qui possède tous les droits. Une fois les utilisateurs
+configurés, il faudra le supprimer telle que l\'interface nous le
+propose. (voir - [](/okd/création d'un utilisateur))
+
+On se connecte donc à la console web
+ avec ces
+identifiants par défaut.
+
+Pour \"OKD-Prod\" (et le projet guacamole) :
+
+
+Pour se connecter à l\'API avec le client `oc`, il faut d\'abord
+importer le fichier `kubeconfig` généré par l\'installateur, qui
+contient l\'ensemble des éléments nécessaires à la connexion (url,
+utilisateur, certificats, \...) Ce fichier contient également un token
+qui a été généré par l\'installateur.
+
+ export KUBECONFIG=/root/auth/kubeconfig
+ oc login
+
+** !!!ATTENTION!!!** Le token utilisé n\'étant valide qu\'un laps de
+temps, kubeconfig ne suffira plus par la suite à se connecter sans
+authentification. Il faudra alors demander un nouveau token à
+l\'adresse:
+ où on
+s'authentifie en web avec l\'utilisateur voulu le token généré est
+propre à cet utilisateur et permettra uniquement de se connecter sous
+les droits de cet utilisateur.
+
+Si cette étape est omise, on pourra quand même se connecter mais avec
+des paramètres manuels à rajouter à la ligne de commande
+
+ oc login -u kubeadmin https://api.v212.abes.fr:6443
+ oc login --token=sha256~token https://api.v212.abes.fr:6443
+
+On vérifie qu\'on est bien sous l\'utilisateur voulu avec la commande
+
+ oc whoami
+
+On peut afficher le token en cours de validité de cet utilisateur:
+
+ oc whoami -t
+
+Par défaut on se retrouve dans le projet `default`, mais on peut changer
+de projet ainsi
+
+ oc project
+
+On peut changer à tout moment d\'utilisateur avec
+
+ oc login -u b -n
+
+ou se déconnecter avec
+
+ oc logout
+
+### Modification de l\'expiration du token
+
+
+
+Un token est valable 24 heures par défaut. Pour modifier cette valeur,
+deux façons:
+
+ oc edit oauth.config.openshift.io/cluster
+ oc edit oauth cluster
+
+ou
+
+ apiVersion: config.openshift.io/v1
+ kind: OAuth
+ metadata:
+ name: cluster
+ spec:
+ tokenConfig:
+ accessTokenMaxAgeSeconds: 172800
+
+ oc apply -f
+
+### Modification du timeout du token
+
+ oc edit oauth cluster
+
+ apiVersion: config.openshift.io/v1
+ kind: OAuth
+ metadata:
+ ...
+ spec:
+ tokenConfig:
+ accessTokenInactivityTimeout: 400s
+
+Vérifier que les pods du serveur d\'OAuth ont bien redémarré
+
+ oc get clusteroperators authentication
diff --git a/documentation/creation_utilisateur.md b/documentation/creation_utilisateur.md
new file mode 100644
index 0000000..d215c5d
--- /dev/null
+++ b/documentation/creation_utilisateur.md
@@ -0,0 +1,209 @@
+# Création d\'utilisateurs OKD 4
+
+L\'installation d\'OKD fournit un utilisateur par défaut `kubeamin` qui
+ne possède pas tous les droits mais qui permet de créer des utilisateurs
+avec des droits. Cet utilisateur doit rester temporaire et doit être
+détruit une fois que les comptes admin ont été créés et validés.
+
+## IDPs
+
+
+
+Parmi la liste des Identity Providers qui permettent de se connecter à
+OKD, nous avons comme objectif final d\'utiliser le type LDAP sur Active
+directory. Après plusieurs essais infructueux et dans un but
+pragmatique, nous allons utiliser le provider Htpasswd qui est plus
+simple à mettre en œuvre.
+
+### AD
+
+
+
+Créer un `secret` LDAP `ldap-bind-password-676wf`
+
+ oc create secret generic ldap-bind-password-676wf --from-literal=bindPassword=levant_passwd -n openshift-config
+
+#### Méthode d\'édition
+
+Éditer l\'objet `Oauth` en mode vi pour rajouter un IDP
+
+ oc edit oauth.config.openshift.io/cluster
+ oc edit oauth cluster
+
+Ajouter l\'IDP sous la partie `spec`:
+
+``` /yaml
+spec:
+ identityProviders:
+ - ldap:
+ attributes:
+ email:
+ - mail
+ id:
+ - sAMAccountName
+ name:
+ - displayName
+ preferredUsername:
+ - sAMAccountName
+ bindDN: CN=acces_ldap_okd,OU=applicatif,OU=Utilisateurs,DC=levant,DC=abes,DC=fr
+ bindPassword:
+ name: ldap-bind-password-676wf
+ insecure: false
+ url: ldaps://ldap-win.abes.fr/OU=personnels,OU=Utilisateurs,DC=levant,DC=abes,DC=fr?sAMAccountName?sub?
+ mappingMethod: claim
+ name: ldap-win
+ type: LDAP
+```
+
+#### Méthode `Custom Resource`
+
+Créer l\'objet yaml ldap_cr.yaml `OAuth`
+
+``` /yaml
+apiVersion:config.openshift.io/v1
+kind: OAuth
+metadata:
+ name: cluster
+spec:
+ identityProviders:
+ - ldap:
+ attributes:
+ email:
+ - mail
+ id:
+ - sAMAccountName
+ name:
+ - displayName
+ preferredUsername:
+ - sAMAccountName
+ bindDN: CN=acces_ldap_okd,OU=applicatif,OU=Utilisateurs,DC=levant,DC=abes,DC=fr
+ bindPassword:
+ name: ldap-bind-password-676wf
+ insecure: false
+ url: ldaps://ldap-win.abes.fr/OU=personnels,OU=Utilisateurs,DC=levant,DC=abes,DC=fr?sAMAccountName?sub?
+ mappingMethod: claim
+ name: ldap-win
+ type: LDAP
+```
+
+Il reste à appliquer la ressource au système
+
+ oc apply -f ldap_cr.yaml
+
+### Htpassword
+
+#### Création
+
+
+
+Htpassword n\'est autre qu\'un fichier plat utilisé par apache pour
+générer des mots de passes hashés. L\'utilisation est donc statique.
+
+- Installer htpasswd
+
+ yum install -y httpd-tools
+
+- créer un utilisateur
+
+ htpasswd -c -B -b /tmp/users.htpasswd user1
+
+- On peut par la suite ajouter des utilisateurs sans l\'option de
+ création `-c`
+
+ htpasswd -B -b /tmp/users.htpasswd user2
+
+- créer un objet `secret` OKD à partir de ce fichier dans le namespace
+ openshift-config
+
+ oc create secret generic htpass-secret --from-file=htpasswd=users.htpasswd -n openshift-config
+ oc get secrets -n openshift-config
+
+- créer un fichier `Custom Ressource` yaml
+
+``` /yaml
+apiVersion: config.openshift.io/v1
+kind: OAuth
+metadata:
+ name: cluster
+spec:
+ identityProviders:
+ - name: my_htpasswd_provider
+ mappingMethod: claim
+ type: HTPasswd
+ htpasswd:
+ fileData:
+ name: htpass-secret
+
+```
+
+- Appliquer la CR
+
+ oc apply -f
+
+Ou directement éditer l\'objet cluster
+
+ oc edit oauth cluster
+
+#### Ajout/Modification d\'un utilisateur
+
+
+
+- Récupérer le fichier htpassword hashé
+
+ oc get secret htpass-secret -ojsonpath={.data.htpasswd} -n
openshift-config | base64 -d > users.htpasswd
+
+- Effectuer la mise à jour
+
+``` /bash
+ htpasswd -D users.htpasswd
+ htpasswd -Bb /tmp/users.htpasswd user2
+```
+
+- Remplacer le fichier htpassword existant
+
+``` /bash
+ oc create secret generic htpass-secret --from-file=htpasswd=users.htpasswd --dry-run=client -o yaml -n openshift-config | oc replace -f -
+```
+
+- Si suppression d\'un utilisateur
+
+``` /bash
+ oc delete user
+ oc delete identity my_htpasswd_provider:
+```
+
+- vérifications
+
+``` /bash
+ oc get users
+ oc get identity
+ oc get secrets -n openshift-config
+```
+
+- On peut aussi directement éditer l\'objet Oauth en mode vi
+
+ oc edit oauth.config.openshift.io/cluster
+ oc edit oauth cluster
+
+#### Ajout de droits
+
+
+
+- devenir admin d\'un projet et l\'avoir à disposition au login
+
+ oc adm policy add-role-to-user admin -n
+ oc describe rolebinding.rbac -n openshift-config
+
+- devenir administrateur global (pour remplacer kubeadmin)
+
+ oc adm policy add-cluster-role-to-user cluster-admin --rolebinding-name=cluster-admin
+ oc describe clusterrolebinding.rbac -n openshift-config
+
+On peut désormais se connecter avec `oc` tel que décrit ici -
+[](connexion_api)
+
+Une fois qu\'on a validé que les utilisateurs créés ont les mêmes droits
+que `kubeadmin` avec les droits `cluster-admin`, on peut effacer cet
+utilisateur:
+
+ oc delete secrets kubeadmin -n kube-system
diff --git a/documentation/depanner_certificats.md b/documentation/depanner_certificats.md
new file mode 100644
index 0000000..1c50be4
--- /dev/null
+++ b/documentation/depanner_certificats.md
@@ -0,0 +1,286 @@
+# Diagnostiquer et dépanner des certificats dans OKD
+
+## Introduction
+
+OKD est un système dont l'architecture est assez atypique à ce que l'on
+connait acctuellement, tout est pensé et philosophé pour que celui-ci
+soit résiliant, robuste, hautement disponnible, et évolutif.
+
+Et par dessus l'ensemble de ces points attractifs, nous avons tout plein
+de notion traitant de la sécurité en ce qui concerne l'échange sécurisé
+au travers des différents services et des machines sur lequels se
+trouvent ses services afin de s'assurer d'une conformité identitaire.
+
+## Diagnostiquer l'ensemble des certificats du cluster
+
+Il existe des tas de moyens mis à disposition par Redhat pour analyser
+l'état des certificats sur un cluster. En fonction de l'incident survenu
+sur le cluster, qu'il s'agisse d'un soucis d'intégration d'un noeud ou
+encore d'un service non fonctionnel dans la liste de Cluster Opérator,
+la résolution ne se fera pas de la même manière. Toutes les méthodes
+sont bonnes à prendre.
+ +Une première consiste à consulter les logs (de la colonne MESSAGE) +écrits par les opérateurs : + +``` code +╰─> oc get co +NAME VERSION AVAILABLE PROGRESSING DEGRADED SINCE MESSAGE +authentication 4.12.0-0.okd-2023-02-18-033438 True False False 4h16m +baremetal 4.12.0-0.okd-2023-02-18-033438 True False False 98d +cloud-controller-manager 4.12.0-0.okd-2023-02-18-033438 True False False 98d +cloud-credential 4.12.0-0.okd-2023-02-18-033438 True False False 98d +cluster-autoscaler 4.12.0-0.okd-2023-02-18-033438 True False False 98d +config-operator 4.12.0-0.okd-2023-02-18-033438 True False False 98d +console 4.12.0-0.okd-2023-02-18-033438 True False False 5d14h +control-plane-machine-set 4.12.0-0.okd-2023-02-18-033438 True False False 98d +csi-snapshot-controller 4.12.0-0.okd-2023-02-18-033438 True False False 98d +dns 4.12.0-0.okd-2023-02-18-033438 True False False 98d +etcd 4.12.0-0.okd-2023-02-18-033438 True False False 98d +image-registry 4.12.0-0.okd-2023-02-18-033438 True False False 98d +ingress 4.12.0-0.okd-2023-02-18-033438 True False False 23h +insights 4.12.0-0.okd-2023-02-18-033438 True False False 45d +kube-apiserver 4.12.0-0.okd-2023-02-18-033438 True False False 98d +kube-controller-manager 4.12.0-0.okd-2023-02-18-033438 True False False 98d +kube-scheduler 4.12.0-0.okd-2023-02-18-033438 True False False 98d +kube-storage-version-migrator 4.12.0-0.okd-2023-02-18-033438 True False False 5d15h +machine-api 4.12.0-0.okd-2023-02-18-033438 True False False 98d +machine-approver 4.12.0-0.okd-2023-02-18-033438 True False False 98d +machine-config 4.12.0-0.okd-2023-02-18-033438 True False False 4h8m +marketplace 4.12.0-0.okd-2023-02-18-033438 True False False 98d +monitoring 4.12.0-0.okd-2023-02-18-033438 True False False 5d17h +network 4.12.0-0.okd-2023-02-18-033438 True False False 98d +node-tuning 4.12.0-0.okd-2023-02-18-033438 True False False 98d +openshift-apiserver 4.12.0-0.okd-2023-02-18-033438 True False False 4h8m +openshift-controller-manager 
4.12.0-0.okd-2023-02-18-033438 True False False 98d +openshift-samples 4.12.0-0.okd-2023-02-18-033438 True False False 98d +operator-lifecycle-manager 4.12.0-0.okd-2023-02-18-033438 True False False 98d +operator-lifecycle-manager-catalog 4.12.0-0.okd-2023-02-18-033438 True False False 98d +operator-lifecycle-manager-packageserver 4.12.0-0.okd-2023-02-18-033438 True False False 4h12m +service-ca 4.12.0-0.okd-2023-02-18-033438 True False False 98d +storage 4.12.0-0.okd-2023-02-18-033438 True False False 98d +``` + +Ne pas hésiter à faire des describe sur les nodes en erreur (il peut y +avoir des pistes sur des certificat erronés ou non approuvés) : + +``` code +╰─> oc describe node/orchidee-hw8b4-master-0 +... +Conditions: + Type Status LastHeartbeatTime LastTransitionTime Reason Message + ---- ------ ----------------- ------------------ ------ ------- + MemoryPressure False Fri, 09 Jun 2023 16:13:54 +0200 Fri, 09 Jun 2023 12:00:45 +0200 KubeletHasSufficientMemory kubelet has sufficient memory available + DiskPressure False Fri, 09 Jun 2023 16:13:54 +0200 Fri, 09 Jun 2023 12:00:45 +0200 KubeletHasNoDiskPressure kubelet has no disk pressure + PIDPressure False Fri, 09 Jun 2023 16:13:54 +0200 Fri, 09 Jun 2023 12:00:45 +0200 KubeletHasSufficientPID kubelet has sufficient PID available + Ready True Fri, 09 Jun 2023 16:13:54 +0200 Fri, 09 Jun 2023 12:00:45 +0200 KubeletReady kubelet is posting ready status +``` + +Une solution tout en un pour récupérer la date d'expiration des +certificats : + +``` code +╰─> echo -e "NAMESPACE\tNAME\tEXPIRY" && oc get secrets -A -o go-template='{{range .items}}{{if eq .type "kubernetes.io/tls"}}{{.metadata.namespace}}{{" "}}{{.metadata.name}}{{" "}}{{index .data "tls.crt"}}{{"\n"}}{{end}}{{end}}' | while read namespace name cert; do echo -en "$namespace\t$name\t"; echo $cert | base64 -d | openssl x509 -noout -enddate; done | column -t + +NAMESPACE NAME EXPIRY +openshift-apiserver-operator openshift-apiserver-operator-serving-cert 
notAfter=Mar 1 16:05:28 2025 GMT +openshift-apiserver etcd-client notAfter=Feb 27 15:47:59 2033 GMT +openshift-apiserver serving-cert notAfter=Mar 1 16:05:26 2025 GMT +openshift-authentication-operator serving-cert notAfter=Mar 1 16:05:36 2025 GMT +openshift-authentication v4-0-config-system-serving-cert notAfter=Mar 1 16:05:42 2025 GMT +openshift-cloud-credential-operator cloud-credential-operator-serving-cert notAfter=Mar 1 16:05:40 2025 GMT +openshift-cluster-csi-drivers ovirt-csi-driver-controller-metrics-serving-cert notAfter=Mar 1 16:06:30 2025 GMT +openshift-cluster-machine-approver machine-approver-tls notAfter=Mar 1 16:05:35 2025 GMT +openshift-cluster-node-tuning-operator node-tuning-operator-tls notAfter=Mar 1 16:05:36 2025 GMT +openshift-cluster-node-tuning-operator performance-addon-operator-webhook-cert notAfter=Mar 1 16:05:33 2025 GMT +openshift-cluster-samples-operator samples-operator-tls notAfter=Mar 1 16:09:09 2025 GMT +openshift-cluster-storage-operator cluster-storage-operator-serving-cert notAfter=Mar 1 16:05:41 2025 GMT +openshift-cluster-storage-operator csi-snapshot-webhook-secret notAfter=Mar 1 16:05:34 2025 GMT +openshift-cluster-storage-operator serving-cert notAfter=Mar 1 16:05:26 2025 GMT +openshift-cluster-version cluster-version-operator-serving-cert notAfter=Mar 1 16:05:26 2025 GMT +openshift-config-managed kube-controller-manager-client-cert-key notAfter=Jul 2 03:33:44 2023 GMT +openshift-config-managed kube-scheduler-client-cert-key notAfter=Jul 2 03:33:45 2023 GMT +openshift-config-operator config-operator-serving-cert notAfter=Mar 1 16:05:27 2025 GMT +openshift-config etcd-client notAfter=Feb 27 15:47:59 2033 GMT +openshift-config etcd-metric-client notAfter=Feb 27 15:47:59 2033 GMT +openshift-config etcd-metric-signer notAfter=Feb 27 15:47:59 2033 GMT +openshift-config etcd-signer notAfter=Feb 27 15:47:59 2033 GMT +openshift-console-operator serving-cert notAfter=Mar 1 16:16:16 2025 GMT +openshift-console-operator 
webhook-serving-cert notAfter=Mar 1 16:16:16 2025 GMT +openshift-console console-serving-cert notAfter=Mar 1 16:16:44 2025 GMT +openshift-controller-manager-operator openshift-controller-manager-operator-serving-cert notAfter=Mar 1 16:05:37 2025 GMT +openshift-controller-manager serving-cert notAfter=Mar 1 16:05:38 2025 GMT +openshift-dns-operator metrics-tls notAfter=Mar 1 16:05:29 2025 GMT +openshift-dns dns-default-metrics-tls notAfter=Mar 1 16:06:09 2025 GMT +openshift-etcd-operator etcd-client notAfter=Feb 27 15:47:59 2033 GMT +openshift-etcd-operator etcd-operator-serving-cert notAfter=Mar 1 16:05:40 2025 GMT +openshift-etcd etcd-client notAfter=Feb 27 15:47:59 2033 GMT +openshift-etcd etcd-peer-orchidee-hw8b4-master-0 notAfter=Mar 1 16:05:26 2026 GMT +openshift-etcd etcd-peer-orchidee-hw8b4-master-1 notAfter=Mar 1 16:05:27 2026 GMT +openshift-etcd etcd-peer-orchidee-hw8b4-master-2 notAfter=Mar 1 16:05:26 2026 GMT +openshift-etcd etcd-serving-metrics-orchidee-hw8b4-master-0 notAfter=Mar 1 16:05:27 2026 GMT +openshift-etcd etcd-serving-metrics-orchidee-hw8b4-master-1 notAfter=Mar 1 16:05:27 2026 GMT +openshift-etcd etcd-serving-metrics-orchidee-hw8b4-master-2 notAfter=Mar 1 16:05:26 2026 GMT +openshift-etcd etcd-serving-orchidee-hw8b4-master-0 notAfter=Mar 1 16:05:27 2026 GMT +openshift-etcd etcd-serving-orchidee-hw8b4-master-1 notAfter=Mar 1 16:05:27 2026 GMT +openshift-etcd etcd-serving-orchidee-hw8b4-master-2 notAfter=Mar 1 16:05:26 2026 GMT +openshift-etcd serving-cert notAfter=Mar 1 16:05:39 2025 GMT +openshift-image-registry image-registry-operator-tls notAfter=Mar 1 16:05:31 2025 GMT +openshift-image-registry image-registry-tls notAfter=Mar 1 16:16:25 2025 GMT +openshift-ingress-operator metrics-tls notAfter=Mar 1 16:05:26 2025 GMT +openshift-ingress-operator router-ca notAfter=Mar 1 16:06:53 2025 GMT +openshift-ingress router-certs-default notAfter=Mar 1 16:06:54 2025 GMT +openshift-ingress router-metrics-certs-default notAfter=Mar 1 16:06:53 2025 GMT 
+openshift-insights openshift-insights-serving-cert notAfter=Mar 1 16:05:27 2025 GMT +openshift-kube-apiserver-operator aggregator-client-signer notAfter=Jul 1 10:47:09 2023 GMT +openshift-kube-apiserver-operator kube-apiserver-operator-serving-cert notAfter=Mar 1 16:05:33 2025 GMT +openshift-kube-apiserver-operator kube-apiserver-to-kubelet-signer notAfter=Mar 1 15:33:06 2024 GMT +openshift-kube-apiserver-operator kube-control-plane-signer notAfter=Jul 30 15:33:34 2023 GMT +openshift-kube-apiserver-operator loadbalancer-serving-signer notAfter=Feb 27 15:32:58 2033 GMT +openshift-kube-apiserver-operator localhost-recovery-serving-signer notAfter=Feb 27 16:05:06 2033 GMT +openshift-kube-apiserver-operator localhost-serving-signer notAfter=Feb 27 15:32:56 2033 GMT +openshift-kube-apiserver-operator node-system-admin-client notAfter=Sep 28 16:05:41 2023 GMT +openshift-kube-apiserver-operator node-system-admin-signer notAfter=Mar 1 16:05:06 2024 GMT +openshift-kube-apiserver-operator service-network-serving-signer notAfter=Feb 27 15:32:57 2033 GMT +openshift-kube-apiserver aggregator-client notAfter=Jul 1 10:47:09 2023 GMT +openshift-kube-apiserver check-endpoints-client-cert-key notAfter=Jul 2 03:33:44 2023 GMT +openshift-kube-apiserver control-plane-node-admin-client-cert-key notAfter=Jul 2 03:33:44 2023 GMT +openshift-kube-apiserver etcd-client notAfter=Feb 27 15:47:59 2033 GMT +openshift-kube-apiserver etcd-client-17 notAfter=Feb 27 15:47:59 2033 GMT +openshift-kube-apiserver etcd-client-18 notAfter=Feb 27 15:47:59 2033 GMT +openshift-kube-apiserver etcd-client-19 notAfter=Feb 27 15:47:59 2033 GMT +openshift-kube-apiserver etcd-client-20 notAfter=Feb 27 15:47:59 2033 GMT +openshift-kube-apiserver etcd-client-21 notAfter=Feb 27 15:47:59 2033 GMT +openshift-kube-apiserver etcd-client-22 notAfter=Feb 27 15:47:59 2033 GMT +openshift-kube-apiserver etcd-client-23 notAfter=Feb 27 15:47:59 2033 GMT +openshift-kube-apiserver etcd-client-24 notAfter=Feb 27 15:47:59 2033 GMT 
+openshift-kube-apiserver etcd-client-25 notAfter=Feb 27 15:47:59 2033 GMT +openshift-kube-apiserver etcd-client-26 notAfter=Feb 27 15:47:59 2033 GMT +openshift-kube-apiserver etcd-client-27 notAfter=Feb 27 15:47:59 2033 GMT +openshift-kube-apiserver etcd-client-28 notAfter=Feb 27 15:47:59 2033 GMT +... +``` + +(source : ) + +On peut venir récupérer l'ensemble de ces certificats dans un fichier +Certificates pour les comparer. + +``` code +╰─> oc get secrets -A -o go-template='{{range .items}}{{if eq .type "kubernetes.io/tls"}}{{.metadata.namespace}}{{" "}}{{.metadata.name}}{{" "}}{{index .data "tls.crt"}}{{"\n"}}{{end}}{{end}}' | while read namespace name cert; do echo " "; echo -en "Namespace: $namespace\t\nCertificateName: $name\t\n";echo " "; echo $cert | base64 -d; done &> Certificates.txt +``` + +## Exemple de résolution d'un soucis de certificat (kubelet et kubeapiserver) + +Si, comme dans le cas que j'ai rencontré, un des 3 noeuds Master à rendu +l'âme (qu'elle n'est pas prête) : + +``` code +╰─> oc get nodes +NAME STATUS ROLES AGE VERSION +orchidee-hw8b4-master-0 Ready control-plane,master 98d v1.25.4+a34b9e9 +orchidee-hw8b4-master-1 Ready control-plane,master 98d v1.25.4+a34b9e9 +orchidee-hw8b4-master-2 Ready control-plane,master 98d v1.25.4+a34b9e9 +orchidee-hw8b4-worker-mwr49 Ready worker 98d v1.25.4+a34b9e9 +orchidee-hw8b4-worker-nvcjf Ready worker 98d v1.25.4+a34b9e9 +orchidee-hw8b4-worker-png59 Ready worker 98d v1.25.4+a34b9e9 +``` + +``` code +╰─> oc describe node/orchidee-hw8b4-master-0 +... 
+Conditions: + Type Status LastHeartbeatTime LastTransitionTime Reason Message + ---- ------ ----------------- ------------------ ------ ------- + MemoryPressure False Fri, 09 Jun 2023 16:13:54 +0200 Fri, 09 Jun 2023 12:00:45 +0200 KubeletHasSufficientMemory kubelet has sufficient memory available + DiskPressure False Fri, 09 Jun 2023 16:13:54 +0200 Fri, 09 Jun 2023 12:00:45 +0200 KubeletHasNoDiskPressure kubelet has no disk pressure + PIDPressure False Fri, 09 Jun 2023 16:13:54 +0200 Fri, 09 Jun 2023 12:00:45 +0200 KubeletHasSufficientPID kubelet has sufficient PID available + Ready True Fri, 09 Jun 2023 16:13:54 +0200 Fri, 09 Jun 2023 12:00:45 +0200 KubeletReady kubelet is posting ready status +... +Allocated resources: + (Total limits may be over 100 percent, i.e., overcommitted.) + Resource Requests Limits + -------- -------- ------ + cpu 2199m (62%) 0 (0%) + memory 7572Mi (51%) 0 (0%) + ephemeral-storage 0 (0%) 0 (0%) + hugepages-1Gi 0 (0%) 0 (0%) + hugepages-2Mi 0 (0%) 0 (0%) +Events: +``` + +Kubelet n'était pas ready et ne postait plus de status. Ce qui fait que +kubelet était la cause principale de l'incident. + +``` code +[core@orchidee-hw8b4-master-0 ~]$ journalctl -u kubelet -f +Jun 09 08:37:42 orchidee-hw8b4-master-0 kubenswrapper[835105]: E0609 08:37:42.146757 835105 kubelet_node_status.go:94] "Unable to register node with API server" err="nodes is forbidden: User \"system:anonymous\" cannot create resource \"nodes\" in API group \"\" at the cluster scope" node="orchidee-hw8b4-master-0" +``` + +Kubelet n'arrivait pas à intéragir avec l'api à cause de ses +certificats. 
+ +``` code +╰─> oc get csr +NAME AGE SIGNERNAME REQUESTOR REQUESTEDDURATION CONDITION +csr-2g5dz 10h kubernetes.io/kube-apiserver-client-kubelet system:serviceaccount:openshift-machine-config-operator:node-bootstrapper Pending +csr-2qkm4 7h46m kubernetes.io/kube-apiserver-client-kubelet system:serviceaccount:openshift-machine-config-operator:node-bootstrapper Pending +csr-2tknl 17h kubernetes.io/kube-apiserver-client-kubelet system:serviceaccount:openshift-machine-config-operator:node-bootstrapper Pending +csr-4r7zf 3h38m kubernetes.io/kube-apiserver-client-kubelet system:serviceaccount:openshift-machine-config-operator:node-bootstrapper Pending +csr-4zbdx 14h kubernetes.io/kube-apiserver-client-kubelet system:serviceaccount:openshift-machine-config-operator:node-bootstrapper Pending +csr-52jts 13h kubernetes.io/kube-apiserver-client-kubelet system:serviceaccount:openshift-machine-config-operator:node-bootstrapper Pending +csr-5568x 25m kubernetes.io/kube-apiserver-client-kubelet system:serviceaccount:openshift-machine-config-operator:node-bootstrapper Pending +csr-55t65 10h kubernetes.io/kube-apiserver-client-kubelet system:serviceaccount:openshift-machine-config-operator:node-bootstrapper Pending +csr-575dc 11h kubernetes.io/kube-apiserver-client-kubelet system:serviceaccount:openshift-machine-config-operator:node-bootstrapper Pending +csr-5lpx4 13h kubernetes.io/kube-apiserver-client-kubelet system:serviceaccount:openshift-machine-config-operator:node-bootstrapper Pending +csr-5rm5j 16h kubernetes.io/kube-apiserver-client-kubelet system:serviceaccount:openshift-machine-config-operator:node-bootstrapper Pending +csr-66c6v 11h kubernetes.io/kube-apiserver-client-kubelet system:serviceaccount:openshift-machine-config-operator:node-bootstrapper Pending +csr-6wsbv 12h kubernetes.io/kube-apiserver-client-kubelet system:serviceaccount:openshift-machine-config-operator:node-bootstrapper Pending +csr-7tvkk 4h25m kubernetes.io/kube-apiserver-client-kubelet 
system:serviceaccount:openshift-machine-config-operator:node-bootstrapper Pending
+```
+
+En faisant la commande de ce bloc de code, on s'apperçevait que de
+nombreux certificats attendaient de se faire approuver. Pour se faire il
+fallait simplement les approuver comme suit.
+
+``` code
+╰─> for cert in $(oc get csr| awk '{print $1}'); do
+ oc adm certificate approve $cert
+done
+```
+
+## Fonctionnement global de l'approbation de certificat par OKD
+
+Les certficats dans OKD contribuent à sécuriser les services entre eux
+et de veiller à ce qu'ils ne s'empiètent pas les uns sur les autres. Ils
+nous permettent de nous prémunir contre les attaquants mais aussi de
+sécuriser les canals de communication.
+
+Le schéma plus bas, est tiré de l'incident rencontré au point précédent.
+
+![Schéma d\'approbation des certificats OKD](files/approbation_des_csr_par_apiserver_okd.png)
+
+Kubelet est le client qui s'addonne à l'authentification des noeuds
+Master/Worker sur le cluster. Il génère les premiers certificats en vue
+d'initialiser la communication vers l'api Kubernetes/OKD et enregistre
+les noeuds dans le cluster. Sans passer par Kubelet, les noeuds ne
+pourront pas devenir Ready. (**oc get node** → pour la description des
+états des noeuds)
+
+[Descriptif du schéma :]{.underline}
+
+Le Cluster Opérateur posant problème dans le cluster était
+"kube-apiserver". (directement lié à kubelet)
+
+Pour chacune de nos nodes, Kubelet va créer un certificat et va tenter
+d'intéragir avec le signataire (soit l'authorité de certification) de
+façon à signer/approuver les certificats, pour les intégrer aux cluster.
+
+Le signataire sera le Cluster Opérator lui même. (pas sûr)
+
+On doit avoir un CA par service. (pas sûr, à vérifier)
+
+/ ! \\ A savoir que les certificats sont générés par cluster opérateur
+et par machine. Dans le cas du cluster opérator kube-apiserver, nous
+retrouverons 3 certificats : 1 pour "Master 0", 1 pour "Master 1", puis
+un autre pour "Master 2".
diff --git a/documentation/drivers_csi.md b/documentation/drivers_csi.md
new file mode 100644
index 0000000..cdc5d66
--- /dev/null
+++ b/documentation/drivers_csi.md
@@ -0,0 +1,512 @@
+# Drivers CSI
+
+## Présentation
+
+CSI= Container Storage Interface
+
+Les CSI sont les éléments principaux du storage sous OKD. Il n\'y a pas
+si longtemps, les drivers de storage étaient inclus directement dans le
+code OKD, puis dans un soucis de simplification et d\'entretien du code,
+les développeurs ont laissé les fournisseurs d\'espace disque écrire
+leur propre code pour faire intéragir leurs solutions de stockage avec
+Kubernetes. Les driver CSI sont donc un standard qui sert d\'interface
+indépendamment de la nature du stockage. Ces fournisseurs peuvent être
+de différentes nature:
+
+- cloud
+- on premise
+- distribués
+- block
+- filesystem
+
+Une liste non exhaustive de ces drivers peut être trouvée ici:
+
+
+Chaque driver présente des caractéristiques d\'accès aux données
+différentes: RWO/RWX, snapshots, expansion, stockage éphémère, etc\...
+
+Dans notre cas de figure, nous avons installé OKD avec le provider
+`ovirt` fourni avec l\'installateur `IPI`. Notre driver par défaut est
+donc `csi.ovirt.org`.
+ +On retrouve toute les parties nécessaires au fonctionnement de ce driver +dans le namespace `openshift-cluster-csi-drivers` + +``` /bash +oc get all -n openshift-cluster-csi-drivers +NAME READY STATUS RESTARTS AGE +pod/ovirt-csi-driver-controller-7548ffcb77-8wgnd 7/7 Running 506 (4d1h ago) 336d +pod/ovirt-csi-driver-controller-7548ffcb77-jdnnb 7/7 Running 574 (28h ago) 375d +pod/ovirt-csi-driver-node-4chgv 3/3 Running 536 (4d1h ago) 376d +pod/ovirt-csi-driver-node-7bvnv 3/3 Running 1724 (4d1h ago) 368d +pod/ovirt-csi-driver-node-g89k6 3/3 Running 1672 (4d1h ago) 439d +pod/ovirt-csi-driver-node-jj98q 3/3 Running 536 (4d1h ago) 439d +pod/ovirt-csi-driver-node-jthsw 3/3 Running 1658 (4d1h ago) 368d +pod/ovirt-csi-driver-node-tp7gq 3/3 Running 1762 (4d1h ago) 439d +pod/ovirt-csi-driver-node-xrgfd 3/3 Running 1781 (3d ago) 439d +pod/ovirt-csi-driver-node-xz7qs 3/3 Running 1638 (4d1h ago) 368d +pod/ovirt-csi-driver-node-zglsb 3/3 Running 1763 (4d1h ago) 439d +pod/ovirt-csi-driver-node-zl2r9 3/3 Running 1763 (4d1h ago) 439d +pod/ovirt-csi-driver-operator-757955c497-h9fhk 1/1 Running 56 375d + +NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE +service/ovirt-csi-driver-controller-metrics ClusterIP 172.30.145.96 443/TCP,444/TCP 439d + +NAME DESIRED CURRENT READY UP-TO-DATE AVAILABLE NODE SELECTOR AGE +daemonset.apps/ovirt-csi-driver-node 10 10 10 10 10 439d + +NAME READY UP-TO-DATE AVAILABLE AGE +deployment.apps/ovirt-csi-driver-controller 2/2 2 2 439d +deployment.apps/ovirt-csi-driver-operator 1/1 1 1 439d + +NAME DESIRED CURRENT READY AGE +replicaset.apps/ovirt-csi-driver-controller-5479cb9f94 0 0 0 361d +replicaset.apps/ovirt-csi-driver-controller-674f5b5d67 0 0 0 439d +replicaset.apps/ovirt-csi-driver-controller-7548ffcb77 2 2 2 439d +replicaset.apps/ovirt-csi-driver-operator-556577958d 0 0 0 361d +replicaset.apps/ovirt-csi-driver-operator-757955c497 1 1 1 439d +``` + +De plus, on retrouve les paramètres d\'accès à l\'api d\'ovirt sous +forme de secret déclaré dans le 
deployment `ovirt-csi-driver-controller` + +``` /bash +oc describe secrets -n openshift-cluster-csi-drivers ovirt-credentials +``` + +Pour utiliser ce driver, Kubernetes a besoin de la défintion d\'une +`storageClass` + +``` /bash +NAME PROVISIONER RECLAIMPOLICY VOLUMEBINDINGMODE ALLOWVOLUMEEXPANSION AGE +nfs-csi nfs.csi.k8s.io Delete Immediate false 146m +nfs-csi3 nfs.csi.k8s.io Delete Immediate false 58m +ocs-storagecluster-ceph-rbd openshift-storage.rbd.csi.ceph.com Delete Immediate true 368d +ocs-storagecluster-ceph-rgw openshift-storage.ceph.rook.io/bucket Delete Immediate false 368d +ocs-storagecluster-cephfs (default) openshift-storage.cephfs.csi.ceph.com Delete Immediate true 368d +openshift-storage.noobaa.io openshift-storage.noobaa.io/obc Delete Immediate false 368d +ovirt-csi-sc csi.ovirt.org Delete Immediate true 33d +ovirt-csi2-sc csi.ovirt.org Delete Immediate true 67d +``` + +`ovirt-csi-sc` est la storageClass par défaut. Pour en définir une +autre, il faut rajouter l\'annotation +**storageclass.kubernetes.io/is-default-class: \"true\"** à la classe +choisie. + +``` /yaml +metadata: + annotations: + storageclass.kubernetes.io/is-default-class: "true" +``` + +Dès lors, lors de la création d\'un pvc, on pourra choisir la storage +class de son choix: + +``` /yaml +spec: + accessModes: + - ReadWriteMany + resources: + requests: + storage: 1Gi + storageClassName: ocs-storagecluster-cephfs +``` + +### Limites du driver csi.ovirt.org + +Le driver fonctionne très bien pour les activités courantes, notamment +en ce qui concerne les pvc \"persistent volume claim\" + +Il peut manquer certaines fonctions: + +- RWX: l\'accès multiple à un pvc par différents pods/containers. + Cependant cette fonction est difficilement utilisable puisqu\'elle + met en concurrence en écriture plusieurs pods, pouvant conduire à + des défauts d\'écriture. Cette fonctionnalité est donc à bannir de + services tels que les bases de données. 
+- les snapshots qui sont utilisés pour les sauvegardes velero + +## Openshift Data Foundation + +Redhat propose de faciliter l\'accès au stockage de données en déployant +une couche d\'abstraction à base de Ceph qui permet de combler les +limitations des drivers CSI classiques tels que `csi.ovirt.org`. +L\'installation se fait à partir de l\'opérateur du même nom dans +`Operator Hub`. + +**Personnalisation:** + + + +- `infra` node-role label + +``` /bash +oc label node node-role.kubernetes.io/infra="" +oc label node cluster.ocs.openshift.io/openshift-storage="" +``` + +- `tainted` + +``` /bash +oc adm taint node node.ocs.openshift.io/storage="true":NoSchedule +``` + +- Result + +``` /bash +oc get nodes +NAME STATUS ROLES AGE VERSION +orchidee-ccbm8-master-0 Ready control-plane,master 446d v1.25.7+eab9cc9 +orchidee-ccbm8-master-1 Ready control-plane,master 446d v1.25.7+eab9cc9 +orchidee-ccbm8-master-2 Ready control-plane,master 446d v1.25.7+eab9cc9 +orchidee-ccbm8-master-30 Ready control-plane,master 383d v1.25.7+eab9cc9 +orchidee-ccbm8-worker-9pg8j Ready worker 446d v1.25.7+eab9cc9 +orchidee-ccbm8-worker-cb2lg Ready infra,worker 375d v1.25.7+eab9cc9 +orchidee-ccbm8-worker-hqwhs Ready infra,worker 375d v1.25.7+eab9cc9 +orchidee-ccbm8-worker-hxmn4 Ready infra,worker 375d v1.25.7+eab9cc9 +orchidee-ccbm8-worker-v55b4 Ready worker 446d v1.25.7+eab9cc9 +orchidee-ccbm8-worker-zhgql Ready worker 446d v1.25.7+eab9cc9 + +oc get node -l cluster.ocs.openshift.io/openshift-storage= +NAME STATUS ROLES AGE VERSION +orchidee-ccbm8-worker-cb2lg Ready infra,worker 375d v1.25.7+eab9cc9 +orchidee-ccbm8-worker-hqwhs Ready infra,worker 375d v1.25.7+eab9cc9 +orchidee-ccbm8-worker-hxmn4 Ready infra,worker 375d v1.25.7+eab9cc9 +``` + + + +``` /bash +oc describe storagecluster -n openshift-storage ocs-storagecluster +--- + Storage Device Sets: + Config: + Count: 1 + Data PVC Template: + Metadata: + Spec: + Access Modes: + ReadWriteOnce + Resources: + Requests: + Storage: 512Gi + Storage 
Class Name: ovirt-csi-sc + Volume Mode: Block + Status: + Name: ocs-deviceset-ovirt-csi-sc + Placement: + Portable: true + Prepare Placement: + Replica: 3 + Resources: +--- +``` + +Toutes les commandes suivantes affirment que le `clusterStorage` ODF est +composé de 3 pods **rook-ceph-osd** qui résident sur les 3 noeuds +`infra` et qui distribuent chacun un stockage distribué de 512GB + +``` /bash +oc describe cephcluster -n openshift-storage +oc -n openshift-storage get pvc +NAME STATUS VOLUME CAPACITY ACCESS MODES STORAGECLASS AGE +db-noobaa-db-pg-0 Bound pvc-fb2177aa-acb9-4c22-bead-1b381a44d2b6 50Gi RWO ocs-storagecluster-ceph-rbd 375d +ocs-deviceset-ovirt-csi-sc-0-data-0c5vkf Bound pvc-9d92b4a5-02d8-454e-abc2-db33e0cb6561 512Gi RWO ovirt-csi-sc 375d +ocs-deviceset-ovirt-csi-sc-1-data-06r66g Bound pvc-f48003e0-c8cc-4ea0-8e32-66ad74696681 512Gi RWO ovirt-csi-sc 375d +ocs-deviceset-ovirt-csi-sc-2-data-0xfnsv Bound pvc-16e0f284-3aea-400c-a348-3786a43838c0 512Gi RWO ovirt-csi-sc 375d +rook-ceph-mon-a Bound pvc-2e4e7fe8-a50c-493e-b114-bc4f3e955727 50Gi RWO ovirt-csi-sc 375d +rook-ceph-mon-b Bound pvc-31520f0b-7e84-4c31-9af4-de3207471f65 50Gi RWO ovirt-csi-sc 375d +rook-ceph-mon-c Bound pvc-b0e2dcb0-dd4b-4ec5-92f8-58afb82ff00e 50Gi RWO ovirt-csi-sc 375d + +oc describe pvc ocs-deviceset-ovirt-csi-sc-0-data-0c5vkf -n openshift-storage +--- +Capacity: 512Gi +Access Modes: RWO +VolumeMode: Block +Used By: rook-ceph-osd-1-78d5dffbd6-f7vv7 + rook-ceph-osd-prepare-eceee02de04785a62dca72ad574a0dc6-wx4xs +--- +``` + +L\'opérateur installe 2 nouveaux drivers csi: + +``` /bash +oc get csidrivers.storage.k8s.io +NAME ATTACHREQUIRED PODINFOONMOUNT STORAGECAPACITY TOKENREQUESTS REQUIRESREPUBLISH MODES AGE +csi.ovirt.org true false false false Persistent 439d +openshift-storage.cephfs.csi.ceph.com true false false false Persistent 368d +openshift-storage.rbd.csi.ceph.com true false false false Persistent 368d +``` + +avec deux nouvelles classes associées: + +``` /bash +oc get sc 
+NAME PROVISIONER RECLAIMPOLICY VOLUMEBINDINGMODE ALLOWVOLUMEEXPANSION AGE
+ocs-storagecluster-ceph-rbd openshift-storage.rbd.csi.ceph.com Delete Immediate true 368d
+ocs-storagecluster-ceph-rgw openshift-storage.ceph.rook.io/bucket Delete Immediate false 368d
+ocs-storagecluster-cephfs (default) openshift-storage.cephfs.csi.ceph.com Delete Immediate true 368d
+openshift-storage.noobaa.io openshift-storage.noobaa.io/obc Delete Immediate false 368d
+ovirt-csi-sc csi.ovirt.org Delete Immediate true 33d
+```
+
+A noter qu\'en plus de **ocs-storagecluster-ceph-rbd** et de
+**ocs-storagecluster-cephfs**, deux autres storageClass sont installées
+mais elles ne concernent uniquement que le stockage objet (bucket).
+
+### Résumé
+
+ODF nous offre la possibilité de contourner les limites des drivers CSI
+traditionnels en installant un serveur intégré `rook.io` et `nooba.io`
+compatible `Ceph` qui propose 3 modes d\'utilisation:
+
+- file (Cephfs) =\> ocs-storagecluster-cephfs (csi) sur base de CephFS
+ (Rook)
+- block (RADOS) =\> ocs-storagecluster-ceph-rbd (csi) sur base de Ceph
+ (Rook)
+- object (RGW) backs the persistent volume, gestion pv, pvc =\>
+ ocs-storagecluster-ceph-rgw (Nooba)
+
+Usage:
+
+- Block storage for databases
+- Shared file storage for continuous integration, messaging, and data
+ aggregation
+- Object storage for archival, backup, and media storage
+
+## Drivers CSI Dell
+
+Dell fournit des drivers CSI pour utiliser ses baies de disques depuis
+k8s. Il y a plusieurs générations de drivers CSI, et jusqu\'à la version
+1.6, l\'opérator dans okd permettait de gérer les différents types de
+baies directement depuis l\'interface ainsi que d\'installer
+automatiquement des storageClass associées.
+
+Depuis la version 1.7, il faut passer comme étape préalable par
+l\'installation de l\'opérateur `ContainerStorageModule` CSM.
+
+Puis suivre les étapes suivantes:
+
+
+Créer un namespace
+
+``` /bash
+kubectl create namespace unity
+```
+
+Ajouter l\'authentification Dockerhub:
+
+``` /bash
+oc create secret docker-registry docker.io --docker-server=docker.io --docker-username= --docker-password=
+oc secrets link unity-controller docker.io --for=pull
+oc secrets link unity-node docker.io --for=pull
+```
+
+Créer un fichier secret.yaml
+
+``` /bash
+ storageArrayList:
+ - arrayId: "CKM00164400884" # unique array id of the Unisphere array
+ username: "admin" # username for connecting to API
+ password: "password" # password for connecting to API
+ endpoint: "https://sanpedro.v106.abes.fr/" # full URL path to the Unity XT API
+ skipCertificateValidation: true # indicates if client side validation of (management)server's certificate can be skipped
+ isDefault: true # treat current array as a default (would be used by storage classes without arrayID parameter)
+```
+
+Créer le secret à partir de secret.yaml
+
+``` /bash
+kubectl create secret generic unity-creds -n unity --from-file=config=secret.yaml
+kubectl create secret generic unity-creds -n unity --from-file=config=secret.yaml -o yaml --dry-run | kubectl replace -f -
+```
+
+Choisir sa version driver à partir de la page
+
+
+``` /bash
+curl https://raw.githubusercontent.com/dell/csm-operator/main/samples/storage_csm_unity_v2100.yaml | kubectl create -f -
+```
+
+On vérifie que le déploiement du driver:
+
+``` /bash
+kubectl get all -n unity
+kubectl get csm -n unity
+```
+
+Vérification de la présence du driver **csi-unity.dellemc.com**
+
+``` /bash
+oc get csidrivers.storage.k8s.io
+NAME ATTACHREQUIRED PODINFOONMOUNT STORAGECAPACITY TOKENREQUESTS REQUIRESREPUBLISH MODES AGE
+csi-unity.dellemc.com true true true false Persistent,Ephemeral 6d19h
+```
+
+Il reste à installer les storageClass à partir de
+ exemple pour le
+fc:
+
+``` /bash
+curl https://raw.githubusercontent.com/dell/csi-unity/main/samples/storageclass/unity-fc.yaml |
kubectl apply -f -
+```
+
+### Remarque
+
+Les drivers Dell permettent au cluster k8s d\'intéragir avec les baies
+de diques (cher nous unity et powerstore) à partir de protocoles tout à
+fait traditionnels tels que FC ou iSCSI. De ce fait, notre installation
+virtuelle ne pourra utiliser ce driver puisqu\'elle nécessite que les
+noeuds possèdent physiquement un accès de bas niveau aux contrôleurs
+HBA. Ce driver Dell est donc l\'illustration que le choix du driver CSI
+se fait en fonction du type d\'installation choisi. Ce qui nous fait
+rebondir sur une installation mixte virtuelle/physique décrite dans ce
+document:
+
+
+## Drivers CSI NFS
+
+### Installation
+
+Ce driver a pour avantage d\'être universel et de proposer un accès
+multiple
+
+
+
+``` /bash
+curl -skSL https://raw.githubusercontent.com/kubernetes-csi/csi-driver-nfs/v4.7.0/deploy/install-driver.sh | bash -s v4.7.0 --
+```
+
+On vérifie:
+
+``` /bash
+kubectl -n kube-system get pod -o wide -l app=csi-nfs-controller
+kubectl -n kube-system get pod -o wide -l app=csi-nfs-node
+```
+
+On crée une storage Class:
+
+``` /bash
+curl https://raw.githubusercontent.com/kubernetes-csi/csi-driver-nfs/master/deploy/v4.7.0/storageclass.yaml | kubectl apply -f -
+```
+
+ou
+
+``` /bash
+cat < false Persistent 6d1h
+```
+
+### Exemple d\'utilisation
+
+Contrairement à un type de driver CSI en mode block comme **ovirt-csi**,
+le driver NFS de mode filesystem prend en compte la notion de droits de
+fichier. La plupart du temps, définir un partage de fichiers NFS en
+`root_squash` suffit à donner assez de droits pour que le client NFS
+puisse agir avec des droits root.
+ +- Partage sur methana: + +``` /bash +cat /etc/exports +/pool_SAS_2/OKD *(rw,root_squash) +``` + +- Création de la StorageClass + +``` /bash +oc apply -f - <_W$%jN|B+;n-SBzvQ%kA4mKfa@ZwtOEjmd_XV4Zrp&}P?nd`L6~l& z5|@dmy7a|a(|kM7F0D5< z0llKR<7u`>-*P{u)DKNg4|#~gJ^C9PwlDIL7pm*XFj*s`%mMQRA$- z*cz)*gO6w51U9+fr@c?|$oTA!e&Z{?I;?EpAD;Gz)1z%i|MNwr&C9dxN~TL}sHfwC zlGH9)?fx&7&4R+BQY9wehucSyE~^iwAD-4R6c%?OMG?+HCsR3LhALb&ulIIqTk|aDiDn-J>~pou{6OrEJ`uo z<29tl+hZ8)r)%8GdQ*kZdI#-`>sN&HhH^C=hhw;ls+wVNjJfpXPAt){hSpTbht2w< z8Pjuvdav@UJ$xzbO`{Ua;QHO4+_h6V^79M(LmHL+{+D~!_sy5J(SN3@%SyD)T9_`) zjVj#w6Md3PSmvHaLx+5fwh?a z<=O1j#ILU^o50(+Hg)h1!Kmvj@ER;!$Weq*dX*Fbb>#2N6ZGo}jB({3|2;m5f{&Lt zq}N(}R(g`HW-kvbJ$AoLSj9?ic+Z|?xNT01G@LKOuHF!RH}24uiP+_r{A&$C;o%JwpB86(XtGHl?#Xu8#b# zY&~XuD`|o`!#&}kUh&;dmQ7&Q(IrjH-@#dt#C*Y5zN3b=p0PYXdy<7V`^2~R8MU$` z_6Ou(jx!SCXB%a7AjLam~^#2(=k@^Fv*rt zA|ue;ZM*(x0vHiI^K5DrevF+rJ@z^n(f2*0<~7EEm>9LELT8)bH43#OT2N+pBs>9_}r znr^;j^!h2f+jXi%az0>st9mtKMqPIDb?qh$a5O`?NwDkAGuHFach3#@rM|D_=Vm;$ z2^7DW-05I)WV-mRbdmJUq;_<&=Ue5>tDzh(2oPyJ-avpT7ey5%8vIdgPk=j4*6eG?gl&;jYB4kpVl2RKU z689ASvz6o-Eu;P2iuQ@|LVdnQ#RmrHAK1JzAh`aicaVeDB|bX&6htC;DPB#)p_()| zrqbG@X+U$Fx6{VwHy9(b0Fsu@Cl$BmVZqmTmD&^E2v{YYDMWd8y)m$UWrRw|&G0JN z*500}zYq&?xVYH%?-#LUv84*eR2U>O{PiN~5q^#Y{d$U|Txn->3@R9gDlHxq6 zWJO!Bq)=y_s9z+30m!ml_x>va0C509gcGJ>cJfpIJS5;SiROOJF|vxU$II>21HU#$oA`rT9y> zOsq1@4#Wq#(|9($eeO2@HABtB!QtEN9JFYoe9Y9e&N8Ue|MpFS91zJl;EZRpenOaB z4JJPN0i{c!FdBF>7!QMZeeN&W^2NWbHWupvwG-V91ZF`n^8!45~n;z4)E_ z-`SD(+9j8Cf`ku4>-ihO8fHE_3RbrWDK>6u^m-fy&(Dsn_7UR1j!=FfB*KG42RHkTCCqk=2Z`UH6&w(caGra<{A6Mi`UuT7*_m5ZIcZkp>K$gv!^pghBJ|djQwy=*>mlmaNAS3lzM2RK z-DozXPr%HuxNE1~zf?+Kd;aHC7Hg5W^Jt{%7-TEHr^t?m>Hb_xl0xv4i6#U(1oC#T zQgxGSM*vYqJ`zUe0n_}N!wd;Mr4kG`Xm{*5nmzXU&PqnxnEn} z(Sicz-H+(m^OJu6!v#D#r>9_K9@9MApZh_=6cX9YM5^PEQp2bfA}f{?AQcZg;_ftL zJMqCznj+bw7&7qqe{in{67kwSL6EG@;nAE@PjonrYbwT%;7>kQZB}764!RLU(^liQ zey=B(?-=g7BTv|M;=dc8dE9IDFjRM;JsLJhdK#rKw~zZB5~I+uM>l&MLL&oK05{88 
zOkt8NTE2_xhKp}uc$&%RM(q59#u$$3fM8cIeEYEV0MQ&A*nxizb^^b8Mup`4!|YGL z2!20Y7LX%_ykFOiIbOU7?2LF!&x6QCuibH>oqQaY!`sdsMtIIXVywI(n(%;?e@9GW z#?H+0DkxV6%vHq)3x_EA%gI!QX#BPP_@-ovIv;aY5dP3^B5%zO#?Pq(X{4lvoez=rR5%7 zN71iueD`T;Y>x2>^m?5JMy&tail)fsA|EpH!gz!WI!aIu0Giy=zN z7)T3Dphw`l@J}|79)b%QPnw^I=96cE1%}xxdKB6`OO^u6rDvFh z1_sB}6?!LpJp;h7iX)4}!2{v^KiX4zIc7+@+F@gXx=BJ7L5%l8^hr`(WT{UYTXB@& zVdS`!NaLra|8EoE`^N+_!Vpgc9X~@;!^dU;i00=@FcUx6=)Z0>yPN$GM{^xcNd>1i~0E^H$AxOsJekiWxi;jg96o|2`mf+9fGS+`oK;@YwMW(`YG=e*Qvcdu7&;7ts{FZX30>}^h_k*y>G>tD7BRXt2W&%b z#iGU>|BpiCoiNTkTc(;6qp0&!t|me#XUZ6>&&g}9T%9R3GgzQ5LaQV7ZSm!x>@m3o z*%~f)b2_3+X&9PIl$v5U&n-EFV-b}0o2<1Q31OyJkXsA<(R!Ps1l$)m)^Rp-Bz46B z;}~vY7kF+boPh&^K!-WbC4Hzm%I@@syKWNEy|+69smOm41(2xkOe$nJ`1CVfvnp<( z(|hxWQGydRu(18Obxs*{^I|x<)=p-M5a$_}c#P0imc!Z#uBragS{8(vj4)gYFPkAN zo3DQVnVe~{>j6JCydZwus%tJfcKHHpX;$t|&ml}3NBXkSbTfr%MC5g~pr{)YR zENexk6J#E&L@^^Z*eoG4N0{Y*&Jz|m=*Hq~(mz~L72_sqA_I@`I%G5L7VDc(F<`>s z&-VN--B{a-??L?ZK=qSa6u#*XM6!UAoCstwI!P(qN`GxM zF=yke=!Hq3uFE}#1KodW7|1H_@vA->$L7M6pC$2#J)J-*OHzVPIRa0$l!*sUzJNc% z0;w*ng}|`qgAKvPviZ2&ro+lF)bj48vcCC>ha@9k!o{V29*$%{jYB?9l9e9LBo zKY7xrPVxoJoYZ6V03NbHsHZlr$VFOcLWNq05@)7OU2Wx0QDui@$Sron9$E53eZx%Q zaP0(FE9whk_vRJh_<E;UJAQ}!hsiQ2e z;2RWlLP?`oWyK=c_N8`3@Qt6x3nnSN8oFGJ2qrT2E=LNNXTjR9;tBM+WQ*l^`Q)W0 z68^Xj4}8@5>qWNuX%Z1{shjWZz^qXON+i{{7BL9`z_a<7j9b_vvc~mKcDqUT;qVrc3?lnd6?ZfYOCdvx#+7S>` zxv&|O(6ZcN9v^dtL417G*$l`=138o}XZQ@7k9L-x0a&=IMVP3?>`4qgYSxbdxven zmP-rd3p5hQnivDT!0p^{yjntsw;VIdXd=)2(gSpa&=!FybOb$SUUn2X#Be$FNh3t(uS7NPt#(ZSI8V9%G|BF4cbbAUex`%Fv8XlXHEC` zw?}!u@iMIu9r$2QMZ*2V6nn@D7Zq?7)g=J}05|>lTX1~REKuIM`-LVii$^5^{(wq1o)}u7&HR z>#_Ox|5`a^2#5^cuu}>>QeUunPvaPBK_~sGjbJIcKw!wYM=5f%;!nz>e zKElRnfq_G3FvsZ+d85(;mQ^*eCa$!+_MD^_^J`DRRv38})nE!@vVQPg%yBL`3be(>yyD{D`7e-`PPks2^Ez#IA~sKI7}dq^jD_$W4lb@}JE%8@ zyQJMvH2R$S5Lawh!#PUAf^YE9nb1H7edk0~_Kdu(XaJ_Zvw+KU8hwGpib^bCqaxYg zX}CXyFoH0*O|=KLape3`e<#@jlg;3<;r!$6P4V=i;7VFcmidQa{;b?2^Dsm%>+8p~ z6v$K^ywr{$5>mx>C{oGUaRnqAg06Imps{3kx&KGGIV8ourHn*er7}zPk-q!Ehacvd 
zGE;XhTH`}J13nROtO(%q%;8bs8o~y`3R$z+aU+ocG$rg5qo{@X4&j? z0Q~b)h(ED$L82Bmk@%V-Hy;|);1<3c18+Ya6&h8zNDtOeWMbj>X7q-Fw4Gh7)+V z?RJpbtNpLZ#i!qcv5>kTOwaDG*dzr`<%gmk3+*Aqlz}9vh-OBt;?smgq5y)D0RFo$ z5!M{VcUCNFez~r>xTSG6i}iMc%#F$l8?xV_G^D8vNTTM>z_Gi5cNV~OOi54-6oDp_ z`}EcuoNz3DFfco2>fOr@uq7HeFSI)v=c%Z1<6KkY!4*#$?$&+a#ELJyle-t3JIH?e zqaHI*0%dtAVi65`fapd$fAvMgKnt99>6i&GIPgiB!4Jl7w7joV26=`V_>?I92qfBk z%Wc7-Wf3U`t^^l?>B!W_HOsnMgz!^AsXcJK!m35}Sz_+%i$6JRh2VmfVSDh-?YWN?xQi3}%0G+tVJ&I&nzTz`7gD z`~-!QDLw$jdY@O^+Pzlalu~Ya1Ef_(3sy-pr+4suzDZXL*Lcsw$ti*3Q5HmA=fYJnWd#esV8*m5Odk^H?mJQ*Mid z{5P|u6O+2s;>5ewkLwh|uyZ;~8osG8ad_Cc@fR+5D;P&)oLC^_P*Ym=W;2LUb4u7S z%Xc47AUx4up0@SjpBF=|ieP8_LBbN8xENx}Y+OJV0xvMlyMY+92J~BH>gcf_EXr^w zBr?Il*^JNC9Mmxg=0maxMVYy`1eVXSoJ3Gh^jAp`(Rb1ScEht{x=q3{wBcuy{Q!O@ z+56)g?|m3!abaFlO#QT{tu}&M=xhg&4)%prmjVA4a)qC9aG(>8$Gt`6F*V-GA{#>| z+!v}isE~E2 zweK;Mw~^P}AW9|52v>99jPFeVu!kMZ;%yG3P%E(rSxPXCIw+m>dz`Z(%G!^`rX--9 zm#lnexM`+@PJRi9Qz0&3lwf-7K6kultDEy^QO?Tig_QW;7E~Q1zrOh+rXU5D+^FQR z0hBeU1N!~LtdJgZs8nxvHaWh>WwhdV%7<|C;KvL|dI=oc-jtEN@UGDVRe0o6@B&zY zEZ-nCnFzIx^6ZJtA+)~*jR5_aig!!o7eo5P=}bWqVaH*wQPxQ2-JT!z5szX?*-532 zKlw8vNy)loaTYPoIrf_D?rmPZUa1f6h{u>bDsOn$R#Sa`jo)cs9%%oA-yh>XefJmx zSxkN#YN(CZ^p==R*@hNz&qatHOz zBBCEpofyD3^}QoP-{KZ7&_-Im4#zFDWMn8;`}YV_L<6emUI47Xl=<*Q9eJ2I)852g zUDICxlbW!Pr9$lh3QNdyVe)^_?7s=9zh^p;z^zp|*Y5qtxc~FgfIzZ$=DPgDHF5ul zNB;!#|B_lCvjb1EmQ^16*XM`KnnTsG#8N9b_S0XBJ3r6{(2~x)=+3P(u&ICcA8!gw zZ8Y%YXLJJP`qwWL@%D$stnaVq<=fA3d9)~YW#&fc`unQwbWKbgt}EzkqV{mS-*0rZ z$Rss3Cs84NbF#7$pz(VF_J8A-3SW6R1&7UW@imuF(Jys|(NbctPK7!A{4Kofu9b!y za4wprQcoB6s4#k6-B#ni`D(jvFXm$Q>LSx&rp{BpV8WqM3+L?o6KTZ}z~N5%0i4#- zD*OFcy_M6e*+Kxyu3Rsw?JFoK*l_eeOTE}lZ0u1eFJQSH0B929vsafM-pBKyn}9ZD z8fEt9moWurtCuq%HcY(CO}C*j^C_tZD46OkS-k^g^iRS}zX#XiVsGr@Rg1I9om>oCMyzwf2R)osVZZ4`` zxwnXS08suly~#oxi(607g8iGZ{^y^k{jV+#0ZoaYr&eUlMgp{Lf+@9Dxfb;54cbBg z1*yLR&`O7k>JKLrb)m1EpN#@?D*hyJ&D7-5g%^R|iA>LF$GIOc{5np}&i5L%{R+}v zM_Ue!fRqM5-Cr~PEqSp&RBsMwAF)f>UL$c(z@ljbxqes&8}NZcPx3JJ-X3yw&&yxw 
z-t_u7&I1_84i^{8KfM6|9ir=$0A2hfRkjGPFpfoO0+?8%T7Yrh9BaHR$LDO~s%A*{ z`jhXDu?QWvPBgLM)-Q^(hLfWrl+dR?^&2cDz4pyWdn0hR>m)wmw#zd4*`k&tw9)WzQOw^H*#JZMHdP*QWlsjQt&_ z!HAk~SEu)vXEnHDB-8!NthMN@Th-Jk#16D|agph&YGh<2;fr~jVgcB~9jRWb42X_K z@SvaN=DK-O9b0xOOs(Tl9o4Wzhp177<2DXJh-AkroPI=2j@o^+TU$J1i9VYiJ6myH zHAc|@=WMyJwM)kG+TFB%v%-q89{dk1u@b+$VZ6pw{Iiwad49k;So~7>S0h5eW5K3B z33PqrpUBzykE zTG%u|YIT7(UL2OiFo;j2JhI;aM8pcfL5{?i{eIM6x@4ZE0T*A60y8nYa&^8cEp>pGR)FWmV`KVN<-7<7WNIn+N(kL+EF&mf6on9Iw_gup zI{!rWszs8ZeEt%d7fjy1b~x!+*%nDN>A9M2%dLk(3-wC~eYK9gE7060vUrE?(W?(` zzXzK1icK9H>kmF2F{i*Bo`0UT7IVK=4kTFGBL(h?yQ8)j0ZnLG6>50&HTY!e& zz=!-G$SVUPPIcahp5jI`N%>SY9**dn9aK9ts~`%Zz0*pb;Dvf;xQ!ZC0CRNeY}VjY zT@N%INC}UZT6drKW4~uhXANkGJhJv5uOK~3mGrJ4m28V?kD|50bbYw5UB|(yDyK|| zk~-LTV05c|HS)7R{HT80*Dw9YmQ7F6{HoEz zFFc0oDS*dKy6+Dvon3t<8D$tv1Y~O3#UEl+uqqJwU-7eUYostyS5I#u5Rd3w>;Q1g zk^W>IHZ%83BERpV@#Wc$vkfy=i3d9eV`hK58D=8mO8kM|g*uN>Q}4~?F@X#klr@$k z*VuKs*VR|GO|Z{6Vs9hNs$cCJP5wlmaZ|{gqPlX1Mdgf_eai$x#vt|_P?+J!gEBqr zd#R}n zdn>(r{T+7mh8+|ANtXCoFKVS$7OUIO(?wl!ju>0LQx32{xr_I+io&-QvzW}zCdM|9 z6zbS*D3D+dvbMrSw-HjiY4fzI^Nc-2B8n>P{hysA$C^L5Aq99tn41djD#|!q=gEb`Wm%5t^j$w+OQaaz?^x-}Dw^mF&lTFt z*??X!!QeQuly-9{H+J>|ixi~vS~F>2B=6Z<=lpMSE)?UucO+sJ_sUD49Yb-{mSf&pg%)Mu0|nl<3TA-#l*-H%!suR}zVEwy zGbq&_d2;L4-In(|(pTqu-_%lJm(oFVNzvxPbIny~GDUimM!$MuMhQ%0dlWbQF9L4o zmFH>1eg)3mqldC2cVTfD23V(r!d>$ia*|#f!B@G1#J`0bPt?Q#U#d%IsY7eos>#(^ zs=tqqj+PESAP~1`2ssEjc^iG*^#BKt#UDHZET5-Q#2&B08IYaNR&TCz2jXRS+e+=x zHn#6p-XanCLB!wlXw+890DaSzMLoPsDyKAA#O1!(VcP5ZCnK+0nJ!~jq4p&GyrZw> zIWoq2uCP&x<}0*aE*_&O!;nuw>AODW4z~3b#2moT<#VeP& zMrBXK0E|X{4|OLsMWZPqTAc3_AoN>)X3e;+pRD6|fS}(`WHuNW3gUBx1~?b+`mc)5 z?lgB$Xh_Vr1!!V6u!7-vkL{?JldNKP%w#;9mcC{*29v`Q!g1&Waru_vmt>=y^F;Rp zDMSrr2~zD_sq4}^Jz5iWOy@Y%Qih!v=;&dV@U0!nPq;hy8h1_2<+2?2GI9AvjRzfZ8X}$igEy|M^TxUtE_V)Ym_7ghBM{qkig4A=S^Evz(3byff$v%TG zmMvB2n=kgFu+)Urh|ZUIbaio@h-d-nY!309vPR?Yv1%|n@j8mRdxUhKGB5XYqg#jJ zxZEpJreXWGi|x_GM_I-2(rW!0IlP6Qa$}Gl5R#iID>4xU3^=?CyadN&JmVntJ@i85 
za9ow*yi9QKyH5;sIS|gW@y5A8qI=0uOS%3G$&2S;BvM|yH*wmwo3HOVSq9U7Tr4vp z_?bbdg__L64*Pe_69GIdUvM>QMb@nfsu^v0m%B5DzR`3|L?2NcB84A32<$NId=x&1 ztTZ!MWsvB;md`@|7<3r)BY1auTH1FamJP$5s0eY0W!d}baRmrX9YE!v6$z#0@FpKs znJ)`+at~*%|J&H^Vx!t7B`_Qhun~%?ZT2F6#(&my-A@jXTks0Vqm(j++Oa&>x{JR8 z_3!YGIU!s1q-^I|(*5FK@%n4Zt>9x10=?i*DDS^eiuSt3Pz*XT)!)5uu+tpOi8QC; z0Zhy^1yRz{0y+Jq>Wkn-@2uD_T{p~q2%-SU`YctMhaf&%pRY?b^7_7}I6F?}d%ZM+ z^0B<~5Q$QRz-n7MUm7Ao)A2hvr6Y&DBw`)gAWN@8U5X4P3{=dEPc$&Kp)g}5Ah4tu zXz)F|y~Bc(*-dx|CzKV>Bi+vU!4id!Bg<~4OLo-R_~Ce2!uiHR3@X)Jt#CgnEyN&$U!y36UP4mO(GB~Cj$T3#y3xT zg7$tLw>cGEriVNr9K?&`r9>`3oN!Z#{ex)jm6Cv#g$^CKP`b*=_f^+*g;MvufKXCN zt=M`eh72D-mcEJCjxb^iS+wZJJY;ewZ|Rpc3DcoO+W%27SoC~?;cuqwS6XrSj$Hj& zM5s4j6no-Rv||x`6apq!Z`^Th-xJ)qVDs4s6hEgJi^Qgdd%ePsLHvMTl2vqVgF6L% z8H2?P^p8I&iZC;8Z}F0&+>b!NFRwwXrsZ|rig{~2Fy%w22Pem9vPD1uOMp3r2kKi^ zVjC8S+zYNdW=uQxz&u%gxObaZns48@8Nv5C3%n4j^t8Z7q$voWlzW$TUT;=sD^1f@ zyG8z(G8JUHL{^I>c|zHP*jdICL9BzfLOZl;0&_{tCR-5l^&-D6NMiBiStpul+?xdn z0+_e;9xAC$l~@g_7~He48fZJ^h*Dl?m)tU7 zU8GRIQ0XAK8RjJV6ripXF05a1=NDPUt0}+eX|xam6(IYcmF}RKDM5T(NPc+GRm%`K zt0JG=wuo%>19uY_-6YXQQfhcs3{*l8IiCZxdw$b`tA3WX1(T3v6O3DGhj%IzrRF@9 z+Q{&>5%*X`QCaX(6h+g#{606XoWz=~`W-?DNkZCcr5y-NR)5g&RzIkFI$~4z?$|tF zAapLV0Jpts^cQ3U_vS}2#3%%fR*zSTh~*q4-|gNJ2y_z{IHDXQZx8=b&K;=BJG$*7 zHDJQs_}ObyT>d<6o~?< zJoB;%>QB4@ac+Ffd!n1>crGEX$~jh?x(gBFBZ%Nqh@Vg@R_Fmiv)6D7bq*8rzkMlX zlg}fjgB@!Yw8{#)$|}%mBRhcj{wG8r)kxwST7l4W7PJ`^(#2lE(q}C9wkN?nA$s#` zYATfe1K13fd@aMjf1(GFpn+8WEJ%thYEo5+NX!N^y^ub+KhrmECU=dC@xEyhdxe?< zLSS5>f!9puY0{>#EJoupC#^vOr`tO*(FO^M&oM_H+{DyGG^Pt*{6{U>0OyBFqhRi?;Q zRlyLg4ChRx`ATTd!<0#(gmlVkAV>?Zp<4%?jc>ei1Cy5jqFv>0>Nk1rVY@{5QY*%HCoH&TyXId+5B z$0^?ju_lL7(OHlq@S7s0sOo-)I90o%+!fFfqe^};w@4)hA|XC6Ni9{TO1j;L=u9`r zB0Gbqc(P&r$9!h0)HjnfTwihBMXk8>Z zQ=z2F4}Hgp??VnI;OMaSJ0qp505wg&`P@TbnB;SaeiN4=wmf;(u!@G%#t0iNCx zt}NJmT9$Io{AROfHnd#Js5f+aHP9@roS7z27x1HziR3lopShA9RH(pEUG1zIXFynK zl@#D(oC4?WRNM*FwR05Q{v<~t+RCK(KHR)*FXYQ&R)+Dn*kGR`XFm0p@|`5r#02_OoH$Lmy~-ZRpgV62MvK!4v&o%VHr2TT~^^jy>zb=|Bh=KD9 
zSnfkM_MWePyAe$fklTQc7z`USZDw!jigxbcH5!D}VJM`!64&hr%(h#);9YM{T4^I+ z9ENbV+{STie8(w0jc6xB<#9|NYT>8CWzC-KGXYwvakJ2!SaIaElYUTUM~0+Nzda>>GoxzUjkE*KrQuEz<#n zY{`^$yx9%-NeI1jNE$72Gnkx%l|PNKZ6zgf)J_t?w&Uo-(>}zkOAtsUnu5(E6t#JR z{MjXmY{w(bb)|dz?#`pZNuvJu*Nyap_jQ_FxV;t_Hm%BH@rn3?)AoZaNwcY;RD%>q zgz}325FZTp1C~vEXWbQ4HkSf1hzkw#E;C$Zlrfi^YZ=K*d=48#hPF|me&1^37>*yx zkR{+dTpG#h1=ey>%@I+OTl}5p9{asFORVe-HgfVfmQMlt!rC4~0ev6NAx%~kJ{P7* zA_dN&&cI)g4Ed9C#8?)f+Xcur~)bJbR>$< z(?4KS93Z`L4k`BCD4{VNnqBI+Mo!Az{kcJ15FpmCR0AZa@0%-4OxQwi5N9uY>dD7w z^R^}ukRMjT9O(NpP|)a9SxQkw{|q*<{+r^e!KejPZ2pQ@TJ;A$?-*_avWzeew(2DV zmLLvBd+OXG#j)4w18s6-&V0|WM+NClxdIyQk5zUGT2muW`taXlWkAJB@81fMX7{_S z5G)YlGs)v|k7`f!+@sBSG|V6cR>%wi8H z`5wnQvee!z7fdW@rgVQlF7aj2a^xevgfMFO*0|l9g1dNep;Rzc>gi(m)`j=Wg=FIn>mSUGQxt)1r zxH&#D8lSG|dYi-LWfU15NM66rtXWwL>Ol;RTFS9hB}0(OQwZ}oJFw}VVP3fWVoRkJ ziQ~)^ki*Q+f}fSJJ(@S{1Ep9RmNU#fp)MgqV>>$Bn`gh4Q|7>74`NZ0Lzv$^qL zbntNsuQDR7ntHc^pD9UYKNjd>_^r8p5ayJ;LD|Ro8SW6vI+V81Rnsc+%N7qD33M++*1(^9yUgy)+BP(xQ1$g`|h3(qWkSVbzS)YjMde z*3%u^*mXorg)-pVkytosE6ap2pO@;9S<+MWmzgvYT^JL&Dc#se82|&^wMkR%Ux>IO;-CI2wwfOdM`j#Mz<0f|$0(AwV0w@0N4r9Ac$^^uE zA!@z3=2Ws@K%qZUSwCO}(~82wIYxKBQU`?72*N_)A3ejD?VX3aISkW*WmjRB1@pNh z`N%F?y9MZaG*c#SK%7d(6+yC^mY-wn+Q;TwH6aam%0$iOdLucHtcHF9p+1Hd$+_DH zvDuj=g8}lSI-6Gv0D^jWf!$awLxG9zMJ%m>4LiS>Vn}nP;jhV2lDTMq3I>o4Z)&hxW+}@is*$Scu#e|3_inB zFdl-18sf7spTH|G_Lu(L=ZXIZB_vD(S!g(p)cf@x&xC?akPd1Vbk;+&A}MRPAEc7Q zs5celql~yObcLWcj|@}BaN!W*aQDC3YMS_Q`h?EFk*vs532|{S=G#{YWTu*cF!c-L z?t3^MBo8fKhX&n|mA_&XYJWM~#`$BOD``we!hYBh={VaYh zFu@PP5pP0cxiR8E8CLz04T_i@sg!$rdMjj-Px{s^C3 z*5VfWQ0QI!t=ep^tG4mCHCszY=zEf0-{bf=41ev*4t_A#<@{BnQ9?1mUW-wBvdK+_ zlcG}1aGyZ0dYQHoR=0>9U{;MEx)=EsC>K7)X^LMSz8FgFRWc(ZM!^Ag{W`Vk|J=^o6`PFvG-|uHg#16JN zEDXoT+Oruf2NnFGyk=|#*#XA({B|WckV?rqo;0AfZ0R$^RuLMBTPXW$v_2yFEo{6^ zLhO~%eX{F!w*!*X=(9MQSY!V+b>kRq+oB=>-*dk&P`Xb3DFlG-wJbaU0GFS! 
zDPFAqY#0Qb^_>PV>$}SOZjsko5iPL0P1i4o3wV6Hj^w|!*nnriuG4~HCCyEm>jC0W z0GFB1;Z>#M7UDb}<++}Xe-2B4BcUQn^Cn)L3bV?~BKtGWPl`QKx#%_CGr;I>UU1Z-_Qx{rwMe zTpUi8R(GFT4rr}TWD7Hvx~bT#9!L%TEPVCK;dcp*q43z)$IV*9iwUZVrRiLUpT5$S zy@iR(CxQEPA5Cq0qrp+g8KuL~634T*F$I zqgviN-^a_Qb`Zl@%zFPC?MZ#Hc^2DMYd+%8a|WNP7GBap7oc9vw^s2~06U$(=nY+U z0-NCC8(wPz{}Q3sXMZ%r-YZ7Buia;b1Gd^VJNd=`l9Pj)qlt^-u5S2$wD3G8Apiyi zRn=v?9!_t-V<>Lnc>vOJjL}Qf4L48}E`y zYS<{JQ3jjFf38~ytFSo1G1_Q8v5|OFHsWYJrfHV2XZgqbI5&Ol7cd*uvB`U*6KHr$ zum759>cKI?3MJd*SzRis`!~zI^7-ZUel*pP*}>JQZ?P5p2brybLuQb_B3jh_pfS3+kO7r8>^5x9IhlSQ|pU=U^ssDtMR#!M=wPp zgXLre{FQ50R-&|>?l=3X?bs*x5p5+31bWVPYtR4jlIvtE3+%_!1^uiEy`Gg1WC5}S zdLs^E_nL=>W~HWJ#b(oCb2rs{vU+^CUeg_fbJG#%$@DybwCZ5=8~OQLs<1(5z#?j_ zfvKXVtACPP*ta69XfW5rp`KJ^oVwvnBgH4v!>bwVRvBK~;X&BZS}lBGwz%SOtMY>6 z;>*=V)YZ(3!c~pZntZVi0Y zVS2W#y8pcTCU=H1zW=&Z>i*I8*|{Ezw4VY?)2pQp-pa!Z#mT}(vHl9U!4S6AdG&mX zNUQ(qH>**ZdBoMxk=a=U%_q~-@wMm>hht?k7e@X1bdRyGmyE2&OmCVK?*-$&hg`nn zW-R^cC~e_5<)yqhn|ZFb?%$fbd63HI>hJ&SYV)0=wB0xHLo{t4H@t?T;a37|`ZlI1 zaoUl{tgeH7%5z*jk;FM1gU{e?(I*RKGe|f?>0bReVv_%~e+?w-1+*itxf=6Ia?TIt z3cshC60gQ!wXF+$m;1vZQlxIpT31KuFZ+$1zmRqSbp-jmP8GjoAwQk#{s|02AXz-? 
z6GxNGsbsoW=itI<&~M@$;qcVukEvi&!PUGi1{>?wGE=?&#%Q-sJNorx(U=pR|2z+D zbxph;tq6@Ob^~@gf3QEw(N*~sV{zu^eHR)qIIHB(KX+j}i6-@Lo2j{o+*)c5Evo>w z_8GG1;Qd#C_!}lf0mRDH@mM$guZ@ad+i3juNeQv&mL;8Q58mMvuzTK~Mtx5-hvck} zrQ*$s(c#Lb8M+}fttQ@Fce-Zuwm;Tqy=E1^E>R~~2kCb;j+u1w`sgM(4M3hI)KrBOG#Q!f32 zL~?pHqX2HWsPuZg)wa%dxQ4Cl;z}JDt>~f>Z^tMBY}_;On~BJywXj8oidToo+f4X--*Z3HBn_QycKm`CN_;d81 zQ(t{O^<(n7nSZBVG(eV6@6*(3_T;yU4v6-aNmjp;yH`L&xOD(d=|$DWJs5iiO&w+gOA*_(*RR@xScO~8hG9si7~T>>qt@nNn3 z{~5^xfJn~8?=-FcSFuljoP}3tdgkAHC~|>6lWI3*TU_bce>KE@wRbO8Knwk65t*Zv z>)U^E5ehr&l71*#zs=^44b)+`aAnb`o;qc8Pw7t&4%HC^HeV>-t!vB{Ui={KlC6Ew zUQT>PuY_JuI`dsqw;%IHN_viGMXQsua*SE%OKz#NPW=Y>YD%EA`;;g4Zzlx0Wt9Qe zg7;+s?{)OGyNyf8W1w4}SJG1K_cM4}Z70i*?{dki;?-8IGG1ZPXOhbLzN>^@&)p-~ zTBh`?yV0g+8RjhN)jb9F6O+hU|2FD|)3HukS&5Cq5) z>6z2{o{o%qU&T9Y26i1z#j4LhXINQHirqYz?<28OA;C9dN6B(Dt ziJ5dsiS5NOo1XuSjr4(%(czYm`w#uA*N=G3hGjVnzNH8c05B6kI2mXhn}i;+r?2O{Ga@>T$5t$l3CsDsq?K;eajTN?wqOb?^bkm zQ3Nnycv~(zo1+#3GrZ7qii-AdSBDzX?~L9|w)QI;rHOu*`HC6(<4K8tFZ^Ds{7+vv zfdIb1q@$br_l*StrlAI8Kb4*^5%k$g`zbwbije-kE&ekk^PHGZ!eP3!>rYOdd74O- z^9VWJx-4OB&C(xkoBEf<=ew%*hLhvB8GJL`Xnm{7w+5!eRg4^3c0Ffq5os0rEsFW` zwSJcDuN$q266=8#8@-Iba*pQl;&aqJs*fqTsg!0>?yKn4WM6-Fk*&X7X&5_WbFg)p z)p~$l@Bld>><=(!2KM6(sVb1hsnzb3Er}u^kEaW9$D1bzeJFVH?_ydWq69D&%b+g> zWYI{z%KyC0?v|s_@9~b3Hm+pzdpADEni&JMenN&0(F(|#NWIB?}GpT zV(-7AqS~4;P*ed4l0k42MG#SSs!xD3edd&cY6P?^#1=$_nyBd0C81g#y%>x=}#+0+RV-7E;}=Yfa~gQr;#l= z7mJwGk(7;2H2q8)`krJzs1Dt{eC6^EgwY0p^k$vp^d>XYY-Z9ZZ80fbB?b1{zEf-d zh9d`y4FXp@8a7MTk#5BhFmE7!*asp2GjjV$I1;xKZW8fMuaBM?stMzv@ zLdOT?%_n2!mp6w$9+_6_?5IW~qYg$V;3;flBT zqwyfZv$EOPrh!4r3QvgC!uxlTN{Bd88ys(5R;a2i4B@!8omMPRlrMmS# zlc>Vk;!l0?CQk`L()A@p2w$&!E>DPg&UCm7SZl+I&S6hS|8$jJ|8OE!r@m)#o;&my zHBk(n~=fL43o2H#_>L~sF5B6;}mLJWW@Sy>+w=V`PyhNN_fv| z&*z!#i4!61sR1S@m>BJlN?D*M{K>K$kx|@8dHD-s_ z0%x<;{OFANgYbGe06 zQ9N505ThTVg?ynz>$-FaIvzf+Apn7l4co^+8Q2vCcYbgbu-6I=y~)pWFXEyxn3OTA z)<@pHpOBJhS0?P|?#8CdUNdnjl39-SQA}~^!qGoY#{-XkJ=LxFdO8`~wmdc%np&a% 
zVr?%oVB`cTf%=(Wg<8DSy)2SK>WTVfXW(@xqy%gsW~;p1RS}Q1>*L4W`Gg@JXr@rt zkCueBQOtSE_Ox#%;>SkI>84vwea*k&z{VDT2AKeU`riWOzxkk>sx6l@Sqmltvc>RK9R)6ooz zFFHi@p@bZhNC;vtWnBdUKYlE2+q*MU&cCw_`DA$yU-0Xd)0NNwTD0Mts|*{=+2{L^ z#a>XU%~pJ?Ap_!USTB+EC%+6u<0J|`W3yrKXfif*g^xB@A~)vA#FHg29=(jAQ2i*v zl$5KL4wPr3D{c~shb9K--Iil3{gS!6U~4y8BEHDisn*t@vNagPHPw+$v12ri3MM{j zt+O+z82_13zdUBEB=W`<*9~dNMuIZy>$czZTtCPs=l)OvQ@$GC=xDkHc4soqqFX_f z6LaGvT$hBnTu4@gmNN_vR9Jp3t#D?gq+2>>INF%AB^*G=R)a=P!e&M~J)CVFXN<-s z=C69Kcx42&U7wssVB0JV9`;7sL>&I=XR=V;f|sBNM?_T=4MazTrFia$#R`a=$^P6p z3^(p2M3gIETq+W0xjjUUmPB^>9AoxoL>&*SyWnSz*imHt2z}HknbJsmbrf1_`umZJ?Bh zv6mx6R`y$M&W9-~0w(}T<5s`w{hqREYB|0}9rm!2jB_PTbA#f;X!MqiH5RAvS;OgOqP69s!cZ$j6bxq`8s;`q5fR#Se#$v-nzqc(hNn*<-;PuFswyZ z7D?UdE<%J^?nvPbM&g|ODXYp^?A}YD!^DI@Y%A&IzB|nIeBGduu~E(preM8-(@M+M z+EeWmi*P*&REI_v7S*aST6JBmh%IcVky{rYo$o?67WcKe(DrC9KXds!2wH)c3QlHa zjayclFX<_q9k#p^ml^fW(#xX4M}=YAwrqmHt1BaQ=8VhBon@%~vk3&hVZTl(~)9Pq#6_ z<3nS2jEcLQ^90fzfe|XMuBPlJ8?rE186jpfICWY0VmPwE5@g#ng;AL@T$b$@xR}%r z-J71$Q@1F!cid?8VjU6=b(lSQ&gNS!(k@vs5I($N4tI639j#F|rP;6pFf+!^KYc|X z=w9~>qQ&zcD@>O1otqHEF{@*O-8(sCi`C-+s$CLKiG>0+YOw4*lr_sXY>aK7jW(tF4Yt+&&<`JAKD$iQ2^RGMxUk&3{s2S|JqAHo5>XW zv)bVUrt(})!*@6KuG`p$*uJ+_2NPE8p;Rw$0&z^VG@r1z4fs2?{hGvSV7I#$;%!#b z7gV-tq#_f(s2@n^O+CG{|D>u%B6x_pXGuAEuXL2wW8}vn=J>a=-o$Y`bom63gPOs?e}BKgs$$0!^>Z48%R~s6pyA9)C_@UeEK$7;D}0h zvJb4Q{I2j{S$(-_+G&)nUkzOxm+8~}!`^ioL)SQmTw1P+5uQecOfdgvD{lmVDd4-! 
z`3xiDgtTJ1dj@FtS($Qv^k6B(Bj%=;^O8ksQRtg1b zB_1D^Z?_R4J=~OCXXv8ha!D)S!d3Sf1j-!G$OQT*i`;v?zPultzzDZvYJbwWp}#0H z&Xj1=(d`G~!91GpH61!#TvV;4XJOJdW_OqK(tk5o?M%(7PoS zb)TIG{f39<+x^Ryo*k;jGV}9!mwO2`6=j>RO~oboD(}A*sh`!Xm>E&lx3x|M!_yZx zxtWFdAAsGAQ#jHdQF1}K3gEI8BOuX|(i9GT+wC2;(R*0o(^F*&LDz*{ z!{n?6HI4t$G-B6V_v`+g$)d%YGek9G$8sA?8OMCRaZie>{HzR&f{r5yuTr-5fBrmO zCEKX<>nm$|DUniDKWV6%1!>9mOTCd;$mu)>ap9)tjD}z~?u-^*cna*V;vcU%HZrZ8 zV5+5%5tDcV$4~^!yJY(OHM_OAHhg4peXXfsX z<7DDy2(SfHs6%n5_%7n%@s(}8Et&T&L!e(|{dpEj1<|+-7OjW&m0}v!t{$D*!uI#y zsbGk#ENt;y%0MdZS!yd&l1f(XFlrk~39kN_3eUZBX!3b2>j*xn@&%R?8;YVdRyzO+|~^ z{Fvd7ben0Wda&DyBTci#I$H)^)pWbC?6%1McUeWgS;HKs=vhUih;`!1XWz;*fT)|e zF#SUP4-;_B0`NUVDh6U`6Dz%D?maxE=YL@JP?+CCKSAz=XQM4pBCEHz&%7ebU;bK= zz>?Otnf?mWPF=_rdEU_Gq7HBg|-IVyf8FLqdz8Q8S1HmqiSs9YA2GWq) zE2pTjU_LqV9*P~+)w_XKn(+1(to{-w>x>T>=uu&>)TPZ&vD^>(`{IhhwHBClH}#e2 z2vp3uO47tzGWhb9PXWSNxGM{w<)8?LC!_0vcExKu9L7bgl2&iLUAQjf321 zA?zv9rd|PO5u>TcOGc_m%u>es=DrUr z(B!0Bc$=+Z9d4k+gDFk{4#0%+4;TGEfe~3iJdW!tq~3aS{zvglLMMFx0DBMF@l!G z;D%HA))E#_#aM~8eFjEQ2TrEY@dp;2;QskHGdk0$pQkY4ofPn7UlaB<&!G0(e&G=VXNZu>14I8^OJvJ=c}O$He0^* zF^wSK@=L#hNz~grv zI7`ku69%^ao=ePoT>I)~5&ddPJUqk7Tu~awstOI2kOzt61l^PeQnG$2?h{5DuSTUM zvX{6=$CwkX;rSFVXrC1i02fspxBRO>7}NxT2aiCn@ltEU3R3UVu+amL398&yWdYoo zqF4LqK89ub^vC(r5py*l)uT+4a|V=95ivo>SbrCM4;%bZMt~)M$E?$kzttZ-0-#Vs z{QG-PQ+#e4tG$=z@)`3m6Bo(7X}OiBGP2V>aG7@^(-1LKXFjtk7SG(MU8G@v|HF6M z$Bv_hWmkvh^w5V+43uT4{(k1uxp$6etwYo1mZ1u8ir*$mwqAl%S|?}tUi6-()rOXD z8ZJ=O*UwA$>K(gu)bq@AB~%aL+^y2MHAEGwAGb*BNV3Orr*Eb7E21&@!L4hw1R&JP zl^;AY6`(@WQeV-A5oM$CeiDJj>yU>qH^sOM?8^ z5)}4|NPlrse_ulRpIU%)2&OTOTb_B(Is2>P!`UuYC|l<7xuhzpe8?4v?>afTbXM?= zd8s=EHAycV9pdeC?<#|EJ9%CeUy0LJUg*rFDl;qhf}d4KOS9_zvC-6|p0lNGshuZB zwm*Ff$cWZG7mrJd2fo8SJru~NAd(9RsjeNpLU=Y z?nmeUL!w=ZU{MK~g=yfxBF)#W_vnfgcUL2JNx4FB&+)Mx*}Be9At$O;6lA4#~^ z+_e)^y`ZEFL@zY6AWI~-O6x45P_A~^iWEE0ZJGK`YUs#}t-)mFxqu?$JK-wENp9pP zXRon}ql3(#t~B}4hog8Zq)H&N8lmw*tv&(6GQ9#@N_A zv=;i{-U6-d;o2zfdXQO{g4>|s-Fp<3KOI-V#}LyU^c&mfH4mmDiyH(4yNx#9OP7Lx 
zSTgFMaDGv&SyqJwxFYwpFIV0(W$cMtIl`&Y;sV_R+S;swo)M?NJGa|r*g0*&djxbU zG8k$t_wpBQ80;fw+hiWg;e2Yt2hjQkqL4z{NrN3*`{@tRbX8a(|40Xe5Tw`A@e~N< z@IU6;i1dmB{*kKJH^dhc{s{rQIG<6k7>If$Utw2PA(=uydjl_5wC7vp^bdD zG7+_A;*-|npf{H+n0QiGQk_{|5GRfU1pO4vA zj2Dj<9tdswPTk-kQ+ugdyE8;PNqvzDtT`5bd{`vL~zl zHR~=o_n4Av>uA&D0Z5LCm+hsEVO;~LN@k%eBY7vbaa7O%NcS#Xs?Vw5ZFsxekA`e- zmmw2?{`LYHk7|3<=7E^F)sR1o(OvDwMfrMm3##2C2Iyq;rMmjb%bJ4SJUvMZDA&o3 zjrBA5R~Jch|DJcb^o35$Ku@lt`@PFaXabjwb+LG%>FC``&o;ZBMJQ^sc$}EgVc@Bv z5{dzcc-$XQ!sp8n<#bnt@<*j3*ptG0rJbQ3c7~_{!gvlNqg2P<$6_YCC=(?iXtd)` zHd6GH?^Hb8C0sDtNh;e1!{tp4;)s!pkSoL2;5Ev+xX-?buI!LD@K3iSe9$o6iwmJA zkntf=v5&EPUBhw*Tsi|NrLAE$u$#$Ds{Sl$o7FxeeG#Fmd z<6vk)x15-}B1=P>fljy|@Mhj2L=t1h`T_`)!ih9Lm;;XJreflM^W}H0+wahuKHMQ^ zyERe-JMNg1ZfJTFMkrh0a3#F7o@h`xeDr>somtK9y25rcY``8>rH{C#0I?EM_;RdIh69pB~~v^W4Q6ONv$zoTdAvu<`Swj<~3!$7+fceM?Xyu z@cciIMTManS!%BvF*Xo{xw4H{y?=#r91ww>&0;0GS-xW2&SRJT;(i@Uq!+hqD*}vr zQzff!fBp>kY65^cFb=TN z>pa*;aiF$#{23>T7WnYWWLTc~pXAtoKekc~ygwos_JAAM4T`33a({&T92lmdK$o~e zgyT9u9S3S_q2f&@FsVST;;68R|9*-^Z6r{u%Z^`Qac~cGJjks7>o{Llcp|B+xImeZ z&b>njW~FQ9Warg3(gy~|`-BS=^sTYLFUAT54wDmY4my=BCsW*QvE%MeRbG?|wQ-GN zKiS8_n+)-=wpos{Uq-J#+@RZs?tuofI%BkQveBlBbk2K1utHl)>s&-xRYjeteuZ7n z&lPlG^YzZ`-BcR%{=cBv0C`k<;H2Dvvv&iOZ@lAls^|==M^SKlncBkj%mxPrWC`?& zG(yJL!@CgMI{O%}ZQ17n`9C68TL<)SYnj|e0lDt{md9E$2i9|OQ4OlM>$0=6 zU9RYpLw25XFFBb3rQNkE4CY}V!ku*ULpqes#*8iEI9F~g_RL~py&_SNNWrB#L144w z!sf`^?y;%Y$X^2(FoL%)e5$qME7)GT&c5Dz~`etz?+he z;M1$zy`l~P|E&}N?RNoy)ODeI0f4Kd)_DJ%4l%kZOL%FZKsu{rza~LY+Eo1ff<5Ly3*5kWWMESeIq$@ zc5?ZN8kwGSw~xP$ykkQxCUb6WocjO}J_+?n`D(n={z961_phG7o(7-9 zJJW}4^P^l$YY|C07LixansEI*YHW2&^E1Idee{-FaxTRk+T!+y8yjvPEX;tcN`n-T z=Tb=V>3SdHSCm&!)(d2KNW5H1snhh6sx+18s0&M%`g(y1KThl6Q5zkN*Q?SSjFVf& zht)2<&n!cTtG)due|(mA(xK|a^(Nt9`_Nl?>9XN^&eT>Ickrd4jaUFJ=h@62*{{`1_}n(we4L;;m)q&T`2fOdJ*RbsXH^k7eCB4%nSFghV6h>8B6^V zBLx<8emlxtQ#GEZ`CMM_(rsb0p9o< z5Zu4En;G|kWA%UX%Y32@1qCClPux1PV0zl)5i8VVAuSsS**4HMIerc2mn#@s>~6%)Z6SWR_pwOVP{e=yeNl%(^|0nsaSzewR3g 
z9=rxmgfE`?UgX?G!~*f%#F%3Sv@OH2yJ@)XbQwnPFt0dzTSDKU4rZzH{v{in zyrdlAn*!8OU_h1LG608LoB-C>uQ0`{q?d&nJ|ACgrt1VsIbgG3bBwJXT1-w6J{WG9 zcC=#|Ms@(EIEQl6NU%~i6qr93rE|DUH(bnjGMO`HQ^Sz#EVjaf%N-jDY*QVZT<>!w zKxCtlrE>aP$Y|6c!KaP1FY0rr)5be?prN9)yITnoPe(^nxHjJSycL`Z&nd@@BumHu z_ar861X2xJUrca;>RZEARldPp5565V)WWmSjX4*an2;&Uuo|Dlxp#NudYQH-9;1jAN5u(d3|RK-@XAvp}>)o3E>P|T#@$-%5G*Z={nV-VzXgMxRYd_l8UEQ5NJU< z-<;*AT(P8b2R}RNAer_@O%9O19P={rV66UO9Q^C)*>VM)Olbnx%BDZ@xTJ?eVB)8> z(cz&vv(7-@#HTcyR%QFKka5x0sKw0>E1oM=)HQLy&HAm@DrEVP+(e_7g-{X03jeX8 z6z7`T++VP@@sXVKAFMo$Z@NT&8t0U<$#koErt*!2i`LQ}W_}d#hhR#qqquym3J;Ew zG5v)qp+8aSY$PSJ+=7_>+~p);M|)&7D!5CT|3ZY#L{`Ob(_4*aWA9S~YRcm!kR{G3 z!tQ(YzV9sw2gN$+$%I6&Xm3xXWX)tdr&sEeei6|kSe0AN2IcnXPsHK;K0t<7r{-!u za&JBqH~qFy-kKmGBD$TNyW#Yl={2%b3R;lWj<4jm`!MD5dz9=5JOA&CHvhxZUxdkl zO~fEMj@<4m>D!EO*>Can`bbDjMM`Sa9cS61GZds1T%F-119V zm&st5vmchiXUMd|H}4PwuxfEk7y0na((UBK6awOOW5)>^9M~)ET8RGW&dYT}Ag|n1 zB+~COD8z#}exD8GA(m(O9dnWB%ay2NRFLRcytN^Ui`%>SRYPa6Nwf^7lPv+W_NwW| zOu4{ntYbB&&f&>V{GF$QTWIan4b-wbTBt@XtnL zu-Er)TVhKg70PakHR2jR8A*_M)|W6PIK-+w+v|x*QL%BEQ66|fab!Fz{N2k$*^N;* z{!JiNCQMv~ep9ADALY3pjk9H-`uRa-cGq;r$H+_ZX*Q>O&K-sl#-fJW?pOtP@Br-4 z@|5JnCK#yB9Mqcr(TBF-yEuM)X_&Ags^Mg0oTw@mhA9B9!{97ilD>gK*=&~7tg7ME40o3cMK1K)*rmD|D_i7=Ndl;7(O|lgX5)_zS+i6Wc@1kxQ6ryWb@8?0qWn1%w>4Sw=65f&d6jFF|&o?OrLdP&N znvQpP>31p?SK1tPe0SiS0fd*cBIeYu%3~bt2JcwE$8KP~V=!W)>*W;kydGO&RU{OC z@3N}&?HaodYiaxEHj}UHKdR>0YaOE~vI^^X>~6t|XCo8t7QA)1{Tef3pB;dH{YhKo zBG%m@U@`RZ{hjk2S5%$ryHOKDeX6b0@enF{ERT)8+^kX_$S20;omU?ZnW^7C_)_5&vZS&ES5KJ=;Nd-aId{dL(%3DsYPnusxv;%|Kyc^8)P-3yz z^%zyNCtK3Qw-Ig&0T^!M<##&|sB4Kh{at*9Hzk@n@w}7_8jR9;cNB3r zlA?87&jeP8I8YOhX+R9A#w|A|OCAg4h{M=Hz&!i$czq4yUQ$LN9b1KJ|=3U2(*z$GpLiMsM1~f-q*(camPCWUDAu zg2fIy-Z^D3b3sqFJ2@Ui(BXz__P#B-*PGM1%t@W8k`HG1;qKqP!sf#55JkL0g7QfP zV2y~Vn7;go+l|>jtF2$!xKh>AY`sg#Z&E0HT;nP1=JZYJc48teE90kaF=KmptCrts zJT7~6Ti=5rhM{P{Z0oQhy4BKW-74d(F1u0RpYBP^lmv1lXxtf9#2Pp2ftIrmS1l*^ zRKFo-Mf5s*g(S^r7}a0{O5GX%+yhTND}R1FCM^dir<9dHGWT4#4tp*2W?~DC123^g 
zj!9=MXVERed)YWsUEidV>hcP^H3%PFEP5As{?IU^_=Z!Ko1y-kSL^jm;vWA)oeqgk z-_y+HD;8KAacg3Z+8lpsT4=UDmd_IJoJ)*dUuaOk4SfH9p0^p##|S_s73_7!Pzn;R zgsgx9M&A7^72OQ!hueGw7aP9oD+a8^H#*;!wEuj&J~Q5We{=c{x$&1(kG=RBfk<3y z;b&`?sySQR?P9ebd4I+1-Xw8IEWBg-AzVGWQ{Bd9U%pa@a+&~?zWv&;Xo^s{*%M51 z=-}3W!@^oup0j4k^oC#yu#qlpq^Ld>VdQg0fELn(M7% zb}sh|eoYrT7Bd}mGj~Fy8fsurG)my{%1hyp4Ab(*aYyt`m0IKq4{JIkJda)3(`@tG zmXNDd($PcM;^gr8yE$qNqY00v1(!)vEI*4vDH6XGYd?EYY(>I<9Alx=Q68+#tzB7B zr{1$t%5h>iP({EAZ*kH#AYHMDG6NO=`s8=QtMEqutFvK}TScr=4duu zsQj>4G^!h3BicI`$9AJ?S!88TdaLEP=oX>PGB3?qQPi3t; zSU_av@VqDEB<2k@iR=`Y`P1RnB(3Rt75!ufpWGf9ze1Z3*m%KI@_9f%2r6%bnC&3J z5;x@|*>GU}MQken@t>J0K({LnS)v~wx0JT0UjA4!-LJRBrr$RhQns}peVoRy9$N?- zjuYM3X^yf34y zZ(=c^JgHqDn|d-(+cp|b{B+?PR>WhK#pAZTVV`elExgp|?rJ>GuV-p&QRzS^fa58#p!0HyS!Q3@ZNzyXHeKXKt3~6ek!*p!D*pb7GFJvOn0k zUZhd|N1ivy@QJTw|5as-^?LlbAvbV1dg2=`=sqP=8Dwu670GJHmStoL@dZCZ2O zEGt5Vg;>I(5q^_6jmbUxHFDdt)g75B?zr`0*A7NA&l;D^vPIve)*zt(??{7V6^L z0x@lO1jX6|p$Asm&(wTkK3R2tZPfBe{Dj6OMiTW#2uR@k2W0&qxQP!+S8L?|8_6%= zFzKxAn0-v_#yk8?&OCG62mWLUx7L!Dq6Jm{^(2(IPsEOjFg%H6r@9JXeaOkw+V)17XK zRnJl?85$8Q-@*~sAVKinissH-fu~YUW4zQwEsqfSAHR$f2q^Azwbp0X3w$nrEvmfF zrt*8=a>#86yCW#~Iu#BybjwWUZYKagCH(JC-v$FKL1dvim>6E6JJV8w6^} z;Pl2V$(yORW~Mi-8+moUGw6g*MJ;jfD3lY8IE-omB68oke&0Wj7!#mJ*e@$_{??;F zf5uy|U`dH&n;>fTdaqDbMe!ZQ$j6puxD1ykuCz}{&wkF-)r=chu_s887cC3x;IbaD zzoYGf_>fwFlTKhmGE`!=4q>^ZCjZqie}5K0E!^+@{ni@hCwCp2V0ckr`XqYU>kw)k z_C%ux+w0*pvj|7R?IQ8OF#eci$*t_nWr?DDU$q+8bDjibl`eGD)Q)dF^EkL^G^{BC z8!qH1CZcB57ury0hUe!H(dJ1tPRLfy7rmn{qVMNti0J zi;qRtz`6;n`hNEFjx{zyamu^CHQd(073ZQW{0}AuUmu~3{dtFLP5j}7RYxsoJ~5{m z2z~rmeGML=6qdCvxs%zDJRYvK?~S+(YMJ#N3UB(S7QjIEO=)NHWh8Vu{ zba(W<+3pj4+@&*}|0?&K>VZml|!=o<42i3(kcPFFM7t{R?)k;!j~{Xht{?3M19Fq`e+lYY?>bsouwSvn3Wd zdfnBfHEi_MGYxIB%&K;pe{x4VRVL&ui>{|!UOhZc&j_}3CH_f^Un@jwo_sC7&XG}e zrTO*yr-31pc==v#bmjFLs;)=P`Dbq4=Cj5qnf=T2VyxF1NxYB1+7!dvwPyXz2~sSa zL6?stwh8`h5-lrm=)VRxpsrQrISdEuzMW9|ba_+fU#3}su*A4G+L%ih$-~l*3uto= zomYZ!VVc6+7fDD95Xs)<`p=ElgXW4>cO76fM75e?|-GcaB(O{)O6NE$Vw{ 
zT_0TFTM^0W!_t{BMF6s7>;1Y}8u6! z+v;+s_sK>DOo}`B#G1#ymdf#+l^M8#B8L!~Odi_dsK>cP0*BGA;BZ^Da-!r=B6V)g z|GJ$t3P2r(8s~rS-47nD0BS+{Td)cFqt|m#jzvZil5*8ut}lf#$@zO7O`XRper{ZQ_+ka;Jt`%{x@|?u2I+DqM!E_NDOIqI z7WRrjXsX#IY4o=lY_R6>m~U>ag*|%?-!{6y>y6|g{i>QT>Q}Vs+q`_qZ(IS-YC~U% znLQC~kQ1iwtqW^`%|9SqVw;>&p`k~~I=mDOEq4;~qQWbO%|lzvAz<=#j1qj$>CeLO zfsen!U*zkJas2jV{?Cy(9BZB>#FLMFrAka@VW&-OHraH$`4BB2&@CycRRsfqCiUgd zwx$&ZTTEAi?J z^`siA<9Uy=3jsvRUSoC3#k>DyPao*fED2tNRVu$e?z06Tvx-!=?CjRSt*&e;$n?^z zp_p5D2>nER_QXsL`zri9^}jan`FA$J*q-39*kN63-kda(P9T(wx(nQP78T!c@|q>} zOw(n@j=Ja}I(3-6JEtk)@S%uv8|qbX>Q!y|og`{$Ji8PBSdiIZ4G(uRYHZNOWtUBV z`ZkF7kY{N%)lzb{v_5V9((@XE%Rh1|CyH>#h!b@|ew}L*uw9?k-%tOwP4tAb_x|>I zz7NPa8?1on0bnnrn;3%P(f4EC^*(<6?#sH6^R#)XaGE=y94_rIsHS9>(7#zL;XUWw z1g?1ZHxHMDD2ZYAp zdx8{eo_L3Xu9%0K?=l)fle%}GA0L>}hU9vhW%ADfG`y%tWmuYOLP(h( z{wza8`0N#!x4dX^5|;0z$ijc&#z(3EK1t-xY-Sl`BLKC!Q!=10q}d{k-w!;Ge9#o( zl;7!B9t8NA{GT}(KAllTsNa})zEIAu_C11teQE6m_QOhpPT`9934zhq8<7~5jKl-7 zt9sLqUf*wVSn5R}HT+~rwIp}*j|}UI8S)bv;Kg5#8fDhdCHwJG)%ts#j-3$bxQy8r zlE?~GIri5dB=CXU9}=v6^S8VK%&SKZe>2qD{F1%Om_O-PMmgyYUBx_&$NX&8y?Z?g z4Jrj5Z)bmABC1 zDc;msUKj}V=GkiYi1%@QN?cCz=*8!#3_3~4B<$&DdG$3Z*A!1%v3t%S-Kg4~NK=NL z;ZNm#3R^qMVU|w$nHv`J*60uStbc5Jh>qL3^6uDV=HzxluNZDC+62%5Ml~^)s31XV z4c(dE$oqEranRv{25yw*jHUWR61}vA{ugtrV=RBRe>E0BbKnH3(BA<3io8D=!pf$s z*EDp-Z79=Zi!CO+OPTHT3Y}CU2xZ5LdphwFoBrL*ksf0IqK5FU`l0mHef|-tvQ@tk zjts=v*-a9sjJ}Ll>S!eH*y(6DgN9XGoC3eOA(mOH`txGe@Hb&5pMq``% z13Vzy8C#_Z@3pm+X+!7tKqx$5g0bMrizdoB+BG3~{aqOmcL!3Pdo4J8~>4Y@_AgCshwS8>Psvl)4SYnTK7ZK8K0fQ>0~2ySixbY7X1|Bz$o zE<@0g^!yV>n|Is^4H4Xw4BOx1rAVJFQ2cR>pD6*u?$j7c`a8V+1)S~d`eapSomcNM zd8`hfrRVew3v$wZwoXNnP2rkdU*4DVs8pzD3MNQV7d4B7Jq|+q$~p-BGhP4_FaXtq zU3bpwIlgBH#?I8M%0K1;cn?n+Rs6;5+aNLJ;;lmwGd+k9XEBj^vDuSJ!Y&9nCVY!fAkUiHXn-)u~yh;oU83K}v^WUoY_Q$G`77wx&_|J4$T~0_1jq z@yN=_LVjQeCCrdh!`Ab+dOR-}#v&<&RcH)4HE@k-equ3l|LYC`088c%;m33T_2~CP zue~DxP)!JG%!NC=pO-&wAC!DCeXm^oAQE~iy348ZO%K;;9?mC;QMlDX&Hl2aB)DI0 z|JkV7G6{zcuEkB-dpG~_v^N5t0>)>T{qMQD1E?9QUHM|(B;Rs?pF;;;vga$0xjXq0 
zigv4by)YCiJx>%c_3f*fTHpksP#(A$*8CQ*-Ua#E%`k#4rW_*N5f&+bN8dALkNSpP5u4zIt@95GQ>#@_2xLI34npe!EOB z)_AXzSBKSj>of0Pr#v_R@OMA%0`ol&q!Rosor`PySU*v~AN6CK{p_<1Rm05pI%)F) z4|ksNt(T<7-`0hh4Lq!A7QY-Rl!kXcHS4Er{vR&@fM})<*AeSilZCwN-Ty%djO;D- zTL0Jqp8xeN#>g@UEq@&6^1T2-Z0#*r2-tBH5w$0T22QmXQC$eczwQCW;{WQRKd?nq zWZmxg*UMiGz24{Vh*#ecs@3lP_0Q-xw}8>J)AS&0*E1!f07MxqlTkI-4p>g zCTl~Z^x3YHY4Vn}ZVg4(moV++``D3@nO!$T@&2e*5+L5>a5CS&Q%yf)0Oh(g#2-yQ z(ms4Nu9X$06Uue2dXc8f!KTg?R7F2lC**VbI0zV?%7%tM#7vE2srfg<@jD>*ehK`X z)Oa5BTLL721lEc=^DK9*X&Y>9W1Uzva23@NnyDt4=Q13AeR8<`n%%}J<|v|(qrdXP z4+@)kA4zRR`N);LFd*`MT8#a#WHSKCE>V7{B=~)_NNKnbL#(ckoa?_wZa(Dt$j$3w;%%+MyM`WH+CFSqVvD`sD}$0E)J2En zS=i&b*x5g{-f91K&<2EW>raL6XncN|<4zeq+cP297>9qBZ*9$TxV__is?-}y_{ar} z(vL=w(-BvYs`aJ2uDe$R*hr6j{2`vAT#(Sfi6Y{D(*?P&k4s1ak8c?V)S)-zkp%WX zq2`xs4z$eh{wC@5jQQjsp!ty2UjHp2%3V|r5a;$(J3nRRRA8M%LQgxZ-+puY{GnJb z!t6dfyLbX;ZIkA4MUV<5u0~8(cB+$NhX};@H7rd|BqYq8(^ylEh_$etsmgxH2|9e@ z+w==ptD(S4n?tv|X<;_;rbp}hmk}8mN}nDN@C^^EY90G#ZOZR(a1W~JItp~ocf(rN zKMN^nkFVrso3f`pl5rVaz?} zv!u#f9dADHvNy&Kx zV%ZQgQjD+g+{4PXJ3O{ zN}88z$mGL_urHqj-4z}wXMT=-5W%7F0LVw$z(dMv)feuh0^jD*5LYZI1JZ}DN9DQ5 zU}Bu@m1a)@a*5u}K$U1X=f52NdUWm8!%GX-JwIr68BuW>zETtA3}S3-HT%~bmOi}E zU^TM3`&&h>Euth=wjd&NbyEo71AtC<{!Y)yjrks>sq3yJsB0?lX-Srao|2|OMODlQ zKJ-TC#@ZvkWwuHbppP|5SR5=tRJ*R75TA;Gb=^w98)$JF0$y-xETk8uOLgPkzs~CO zbv#f*|L-gqDcfru?q|chvRZS6c&w6DI3t)M<~#hGqAnO`MU5>BV&yS=QY`$E`cDxM zR>|%uO(hz-mDhippP;tBhTv_2yo836{I43ggjE|>54#}GCULq%AT-UQxBfAR08a@Z zgT6a%IREo)(-dJGuX3`iwfpf`UTIyr3hLr<+4Uu(?kAS?JzemAV%goc5Su0@4u1x^Y)SeL9f1Qc(|A(%x0IG6}+LjJ!Js{GZf`A}hf}}KuZjh9a1_cR~ z5Rf<^-64lA=@b!=?k?$+ZvK7n-ur#?&HOWrGkCA>*=OyQ&wAE+6{%^v#1A-hrGjO$ z*d*3bU?NY3N0k}zlp>bz9Q_=A@X&@dZL(>HY&VDd%cq!|5r+Fs%+l*!8)8;Dkwp?^ zPRANxeBV+#JCdtcN+h*x@9-qp+7~!AQxWz?`|SPc+73jBJAPdB$u|O&9a|o3;DDb4 zCUYxs@SIeHLbdWOR8ZLo%N|?wH}SU4{9{z&%82~oYr=mX0QK`bb0vo2o{Y76j}ZCr zmo#1Spt_u<7K2;AG>pO>Jyfn9u?to{?1K%F8* zwjGoBGq#1l3MWTTAa6!81vD|z8m4i&)B3Re$o}bDhzEiA1zAMDg0#(}QqF&a^b_D?{TRbn|EK#Q{($I9v<0{ 
z@`Hk9PHlA8bG7+@y8-ivHex;Te-5LZj(|`ia$PmXZBbZWFHXn@ACbo3xvOq=k31RX zeq86hq;4Y7JQLI6Z_XzDkdcZiwxz^_!BO^~ukiqMeX%)F{s|oKnzyh%1w%=hASzv| z6ZbMkg2KG;U0>&F;^IC%>ASu@H6JHGxBKc1YigNFy;dzG- zlr?5{&(rq z_r5%@*nqFCD8X4D+DYX?3{xiv_a?cm_*BeNBk|l5@`%*YEiouk|2d`~HKHDrI`w#R zn`*QA{m#&gX|yxTv!}X9@fUaRG2AGcQD~bfEVs;>M5!5KZBHNS5;V>B*{QHuQiQjl z2SLj*J}LkBvPHkB2~C34m*E^g(5dEDg@kHR1b~|6#lP|>M0A;suuXgs*Ph0OY<)K( zr*h6i+pMnD?TvJr>j}K#Vj*$GO$f_WIW)(m6oWFE$A>eqy*C49uIrSmiL&MA9Pml` zE|ONaG13%T=*touKBqBFfmMCr?cD$EHdg?@46E7jQUrA~trA->JN(~@Y%aPz6g)eRCB$DBl`R%(MA>C8-oN{? zQtxc;mAT_RlaZeEE#4V)o5gxiuKywaM^oPMA(FC}1|@8_`4KxJKYA3_$F~BgA8wf; zP^J~tkY~9t1Hr<4sfzp@zjMmeZL+7xNHp{2q>4){0SF|ZLd~>drqE*qxF4^oyQ6N- zW3b-_@t(K7A^soVK)nVu6s-Yu{8nKD5y@ZvBFy{Q=AH3vdgN?N!`(xXR4k}jhNg?x zlWfXVnXjA99jRvEhWs|{Z9Ic{3OBq}Aq0DO{j$~uumUz>BmijcPx`lD2S;y06kH?) z)hq}tSc`iHH?CZY&{FA0e|0Y6_#kPk!u$AKx#Z!!Li!MdJDGk`;T*=>x)9?-&pk#b9I0QbxTl#7>+R{w9*oJUlP*RvQ+ccFM0nm@44V#-9l z$uq)u3eRhX^23A*(Kn3ohv%lU8}13{qLbv7TRiTRJOk)+vC8=0KD78a!pj{O-?@YE zkMGz7#JRN{i5!%}^Ks#YwP#mdGR%$eMH;E7AHo@n2+A z5HjQ$Gy?0wATN)-G1{O+0U3Dh;Nc5t`6vD!S8sB{-5gTxB!azWV#Ul*Ok_S^iO_lxqSig?B)~j zq_Y(3lHCVZEnTV=@}e9cx%qx2iZ@fRqJ&s!woqvOtiV35Bi!jb8RZ`Df0ef4Q;PF& zg4@d9;_!d1_z#~T40uzvE_aNxiowj zwXR0wVOs4ZTF}-I+x}%Xv;C|c15!U1PH$Ul1p z6qK2*@BjXe=rdi<1{mK3XSa}#RDzQe7XoQWRUnGP*wq2+?53y6Moe7`!Tu9}prFhd z7cf`(j)=lzLhpwD2Km!i5Dn+{zt13UO&oD+>&4%70W$(|MuC{#8t8_aVBy2>l-kl) zu$NbmJ4}NRB$@8{)+cNb=UG^8Y|B1q-1JJ&=`4^Ak9hmF{e7&5GC14GuRSb;XTr1v zqBzv@Da3?^XJ}%FLP_nV;Ed}P`5U7~gpRZZLWt>+Ik-%)~DcKc{YEVLkMr?9GrS;WC_rJb$!;Nqf4Z zh-%fEmz891{tHBiqgHMB&D?sbe`@#o*)%8`o6G>~HvdkA;Oqn?b29W5r>44*fM8)g zhoESh0J2i71fC7af{kuB^{N5yNtiBRtmOL%l>%r}U#FA?an%10^c;)Erdh$wD5G}% z!82M4PD5O%Ygm-t*k*9fhNE;p7WJhWX~8BJGgRW1)KG%+VHqCq3;`~@+d&wift(Zd ztsppoAg-6mKGoS8l)NS?%o^H2we+4henwTvnxSd=cn^4+`KQQos(cA?zynQiSJSsi z0_^eEYRU0>4h~;;j6`oO>u#V$zr*{Mu)j8s4D3Wx{P7YE!fMi}5W1+Ya73R@t^GAa z)BN@QZ1Tis>r5*VB$7E8c*D*)BW%3G5lVm|mc}0`Db5~Hg9WvyHU6qdde{tzEb8d^ zRc+isT7N}N{REMi_SBk;As$Zf1U%gT!>j{79^}?X$*IyyY*{n?{-aSj&}>auh)#Bq 
z_nxPaTK8;Qvn7mIoVv?6x1OF1P^(xTK^gB(=FVu+x$AdoDWv+Hj-lRq4q%s(AY+Ap zW`XcwBfQ`w$kXM?T=$kaB;`ufq}eiqpdBxrb4P@)17_ywbt@ZxNo;-mY`xs=j(YN6 zIJx5|jtE{>iyoA>sTMyFGmWA6(Yshs7002>w?S z4LfoO!Xv*ykhnORZ8j;>nYCF^CvYFc-+#fS z%*z!Q9_fd{_8tNgB;O9!MRtUy6tCzA4`;@rf9%%L_QI=XbGfmokc#DZ=UbnIkMK$9A^f))HtJ^}iaV`%{h5-`l7}RP{6TL;rcjhw9f=A* zB=8T(Z~0l2V4$yQVqbJjdzwCl<>;gqvmjHdTp*(zILeNwTJ( z)Q!M{XE(EAG~7KeGY69o=Phg3YMyZ=+$$Je3GY7{J?UlEex&rRUpag?-LgBW?=czW ztj|kUpV?WAvA<{`D(H2<=N&uLZ%<>6u#kzt7d1`>n26M?Yd|38M?Ca7*4cuE<$z6I zw(l^d2f?xURYOaQm}-Uf@bPH(XhY(hqMBd?eaE_9F+CfFR`}*c$MImo7Gdqi`}@le zU4ws|kJltuvWy#{ta4=3MT4lCv z62nvLaNt&%$=??}e$^9p1yx41Q%bnbJokd3{XE(9;4$0$ok3IU^+N1w>q_dSS*EiG zl>ips24zTE@{34$(Xn?H8AUC=LVtT0m1ll>HaAaOB8#}fR=Yj6T$T{3hs zC#zNzT^S>tPenQP>=jC8hC04)4*!Ha(?QCGj&a@cHodf6r0e#ik6@{ztmo{VQ0v{X zFl>!g4)QdJ4soro4Ed{~U`E1EN~@L>eg32B7^ZoXc50|}gj?k8Y45Fxb$|3Vc}#pK z)z!Yt=OP0f6;rPI%^1oMONs3l#9yW8qx*__NYi^RcTaXdX&uv&nhchXbo50Xxa^-f zFTQfo?Igg}3G&%{$(zINKY zGrq~kJhhb>)-HV37=K35Et$F(*Ee_aXU*`Rbb96a9siN((}khiSm1V>OZ~1TD##KJ zv4Ti{m5D$rP5hCA@jCQ}Y&SJ;lP*X$xBSk%qXXP&dF`(1ikZ~uFg_RmtmuEl{w_$H zAp^FwuTc`!7xdWWA~<^6g;v|5T=qaXl)=}MOWMG)hbp6(azHs^H+b1TPt|YPzPFi( zaP#Bz+4A_A^L@SZ#$eu694jjln z9b{mas(Gnh6C$CmgKSW&p1SQN28(kk8hPCj9TY%IFPAfR%{O#9(Pv(|RtCE|98+Gb zrnA+sN(@QeELWbtF!)v#VYq@`d;1|v%dl=Sr{8#A2# zkb>VQF66ErVr@+yl9z(Vj@jf{8hIN_ELqpmt8}^52?^L42!67+)Jv+Bs+SF|9C$iG z%uFoodZt!VyV8C?8!l%sIN&mcB@*Jg>qKmbT@$@Q!d@MOtGwk~w5i4ZQf?I%BvGa@ zu;!~1Gug8kvvj^$W1ul-mZmrUfw_CkA7<`)R1VvjDrOWC(fZC^iXEao!ZV7s;^F5a zBfU39D|%5#=ADGfuZ#xYEpv3wGJoBWk~PjsF-9_;;W4`?A>DkBMj29&RW2`BOde{-oF}VxCw0(oeAd*?L4!yl~ojq>kjc`CYx0;G3Yp z!nqEUO~$I}tG*Tbhc1{?vGY56e21(w^Wg^18i@*|d>a-lR_*D5MdM=n7Bhy-I%DFw zKWb-6nxI#J6g0Mt{$Q-)6Xfv4hDJR-+8p|2|0t%&8>YyKB^dY4z4W@WJm}@}yTePV zO?ti5T>lZO>JPMc@>`Raco<~1a*p0EotftwFSDw2S%So5FOFOWWLcO9s)@D)!C6iM&8Fe1#vl?l~l0SVh>?yb!RfHyuRo zh_ukJ1d&JjT8uUr^D^qj6J;G;fw{v|GW1qjq zJrFUM!j8%yJ=MX4+9m4Gpxs%{(AL$8JUnLPRwb~)puLWnqEh{_ogIrmZtrAUIDPl& zR8nC8iPPxt*)K1^;?%w8P71Y=87meLzM;b#_-MR5X2dd0j!>c`P&u^Ty)_)_c?h@w 
z!v*Z%&^Ad#Vo1vpFAe_`js25AgjHAC5w+LYS*)_LS7K|e0z23pdN+~%#d68fJsq5l zCxa1lq`0*12G89_u67ht$VpfhHd#XW4=XjV5K&_0+K`sQ@yl!X^$?``KE^0w9cH!3AJfe|t6@K%Zs~JQ%KrxH60sGz58O0++4}>Z9yx$H z^X1?#bghw?vKtB8G0nDP#|MW^H0N!{9_MMIHkUqgzj2Dp1VR;BXE!GRjWUNLpO0)k z_8Zfe&^!jeRia)FqyzlzhZejLu`v<*`3v8G)TJ(+9Mst!+Kh3uV#|x=&#tEO)a-t` zr;ol<0_hwgppIF#PY1V9M+C^i_PJDWr#ZmHyNO7wHSDzppGAtkIH78$fJna8$i5fv z(T+q84Bb$n$3X&DugO71xS^X=Rs9i`VcebL4xI;He;jcNe?3(F4k4^f8K+Wco91;f z@5O{L=*UWygmBPdL`1kfV{pb8rs~_sNHGcEJ}a*2OLMXHq|<(6VFGfcW5*LU)P|p} zTDDD*SqJh`<)SH%nUl2)o@F*+%wj@qs?K82wyc{BH# ztG90I@n6`I?!J9g9*I-r9baCs`$wv&Qg}c)@ax-4#m=HAg5x>g`^sYcRdLc10o)C{ znK`m}=1ku%^-q{3cEp5>K7NOuD!Im(&V354U^{_8eHX>AdU!LDHrGl9FN+!ZFhO-l z2Q0)zLy;T}p_ffVl62){weZ8 z&|zme&3?W5Y?Q56N51G|)_l_I-9zD!@G2LUnq}2RPJ1f%K6^LTLKI(oIBgaGP_57%YL=0SdiA`myPpXVJ zU%Sa#Wr- zYMPo|?uYp3w)ep}%2|m|Q}_wsF7RLm6~QL-Y7Q|kXN@4|jy~6j{VmyE0--oDwrEJU zdUxvy!Jj=(Vp8{~$}XQJO0a8;wCuq27Ih#ZonKfq*}RR^I6z+h5;IMGI6^I55*6}> ziJkFKH1iNHme1P-*f`(t)TYRIhp(`>3okEL7IqN-=I_sAUSO{tLO{yk=bz~?8Yd@h zYy=M17Y}9EMG!Eb2SI86G@3^L_wN=ESK={DntR)LO+~b~cw!Q2RL8Lav^0{S*dNV9gXX5CAh_hEnG8^oXg-+FD-9~NK*s}Ky})~VqBAvlRbqiemU*$(}C zKJaI25C~Y0S^2_mYw$+IAP~v@O4o=Ik^+E6yHsI3{}J|qT_JZw_JW{t|FC&y=4Zv= zXkzFs0s}r70Ne2ZX%o>RvAo5W#1NP_MxI0?11h`}dGE0K=P9$iesXU-z*`}!{njHt zB(@x06I^fvK_z?){+vE$BIp^q4DsABF^STQXSJH2oB9exy;01;gu0V`ZS0VR>V0Wz z`*T}yeFuIKyVT#L?)Hl85LaY?G$%&o4?|JEMj87)qbX<0Eh|{~+qYYdyYT)%h)|&$ z%~02g1I-R5atdLPc?&CN%X0vGuv#ntUnhyy36&43h{n_?f|riThBct)ubD4&*=6Vw z7f+(&d~X{3r?vJFbi(A9&{~fXQWLiYiH&t3t@9i{DjUg%e5>|&XxE{53VmJ(lx~|= zcO=Twa&x+62@f37nf5cenN}dYfS(OimTGck?^hUfSzf!i`42rTk#dZK`RQJKasgBb zK!qDA^%xNnei1sF}kM25S@o4#pAP(2+|Gwp9b2n0oj+d%z1jQudDk5hOsUhgCRGj~*B* z*)3-C3em6HKL7R7ouD8meT5oWLzHq(AoKF#z`7s1Zi9jHOVIoB+}}2TqMMHD&p|m*QER|^jMyE(A=yJ`DwBS_%CI}=4XJhkivo(0AB%rLq`}6L( z-3}uq(9A2h*i4Y@rqv&je4gP}OmqJ{p(#2mGBvi=g zKmLfKZQ5E>!GNlTat%pN9~oJK!I*oTMQnhlJ57LV4V z7a&fJNiRLc5|NATWlFk57M#Y2XXCJtcKl4(qU1weQT{1BwJG9nH+CKYLSD8(+;1tX zGenqy#ui1hF9zIXUo%DsV~pARDE@vlpYmYo*W$_#8*>*- 
zymlA(?iQsTW_An^_T0sxqV(U3bj;kMu!5_X8wJzSu;OVM5nK$Gua0OGR}`xp#o=Xz z6-%>hFrf#ZBH39DdKV`I?k5^HXT-kuBJ0j`J6Ia7Sjzsh`rDyCF!s$gbn;IJ8?)^) zX-wUslvU(#_n&~Y}kj+iSy@ztAqBdm3p%%*@2KB+}kb;A07M7)9WMD5Xdg7_t%C^3!D@IYvUBB?tmENJ>3)XU{HU7SLgr18mJC?`8Y0G;MUfaqe-z zgut%CfhJ4<0tXP?EI~&l!pHufU`7C5(%a41n{DQM%C6aTMk08)Rh)DjSGt9&`?lw8 z#in2J(7u9w?)9-C6L_01&$A$>wW?lqP;JU2U7#$qF z8g9>kN=XHlMN}}5hIkh?^vpZ(oU)rsf16oPyUPPYyE#4gr8yQZ_sFsn6XJ&b z(YN8T2Io8v*X^?(-MEY5p165w-n%U^rrYzaDuu(!lsIY42Biot96P8ho7#?>w;%aU z;irHBHPE1#_>*a%HTX(1$~4<_r@re`d1Ol%WwtJQqF0zp8dzG)pVtuH&Ia#sm}ZSv%?0~F8v(~Gp|9gjGhxeE-K$N^X@ zot&7A%I2O+j3hTYX-kzhEZy-r$YeC#hp2m|^}yb3qc$NVK?tbWm{0d{9 z__raMyL|cuf!V(Mdtt+67rfbdf@*rO-d<3uXOSt+x49MR53Sd_JCBiNlLXaUALM?s7p zb)YW2XZjbORs`KZ$SlEa`v@!+K$S0vlJjGlKI3rR@{My7dlOyO;o0%lFV<&)sRC9P z<3-jrjSU^7(exU{jj6H{k!Hvu^gc=IJ?Xs>`TzpUspZ!sxcaGY|t@QXmKLm+5*!Ter2Sza+JaKg>nq(ZynNjPq|x>w`k3sP}bWMrTf+a(~HK zZ>tk4P6D&Jtc(mFM{nk>xnIX>Kvreq1uEW{muS_v{dxaQ<@Ero8XDNOVy@2(NpfUa zE)Ymu9QR?i&H83=W_L6d5q{vxq@CJ4wRh2a55z)b$>srWW>2m6aw&k8 zTm#0!0kZ@}ja3-Two?Zp63BE@6F9n%(6ewkQ3nG87hid51i68SXc$^mvbURXl32p==yi0?P$LaiW*YXv6Bh zj!9p+1XGmimnc#eNrbYEvkl2%UzC`pukr4h?+)~eg}Eu$+$(^--KOl)_pIeEEO|9& z^&_@cu~g2SVu$P-v1AE${Frwy8DyY~z$`6mc|GRG5K5*RxfEQ9xN!Ep6|d#bY9!1+ zOuye&y>*KPY-jr(U1>I?Pn^df?tnY_fVTYyAGo0ZJ4Fh{z_M)fPY-SLivJMc#_L&) z1vu#g`Vf&ye4@KZ$cWG z$>YJvP0D%ixc&?Gx3TZxNZQCp7n}3P=J{5zYWCzoW%v7qOpVZs#@0{Fk8`Qn0rz0v-CQ3`e~9wMhNte!r(Zi zw(Nkl4Z%g8)ySF8Jur|>&>Q6FMu4e+oDYV|QYoe>Ue2csf zb+R(xWc6jJ`_W4B?s`Oa8C{Ati%kjH%!jQ04DS!HM-QC?oq>UK5i#jZ;(fwpW?@{iSaz3tI6DajrT$9qv@Gv zRV2-ZEe92(UDU_q@}Qis;QI%w$I>r!(sLqGb44O%ghR2Ft}#*BQjL>b?nzfHD#8P^ zzq0E>R5cQ8@afB3aGi1>%J`ReB(|>8BkKI$9b?g#S*X+&{Z^A!*lP%(BOO2c@654CHqD%GzM6GR2U@`-%^&kRlRNtn&c z$Nu#!;4nta_qg2Uda=FY_w~is>?SeUx-ZwIvmoQTz!~nh&3a}>TCmQiM&Wye)5e|G zxoD~m?i?FP&4Un8CI2rBiVGFq947}UTqJQK06f{6ASky$$(2D6)UWu{!My__BC9^$ zvHpw7N|)ZI8;X+cpBJUpEy%SV>uS1*(a)?)ONT|CNV$rL9JVgB9j<{@bem6T<#iQt zwwK?^Br3Xec<&B4RJ}UroNbdUsr|E-X>H~sYH+j|I?T(zcF*U!zEht)V9-@_%#5B5 
z-@o}54S0m;j%C{zb0Xp~0W#v|#UtydX;IlY{m$0*od#@7xGhpxGGNaLyiW*%twu^o zhfv-IdPBcqeK3YSfJjH!O-eD5kf`7M#C-L#v|!XO$DBAlytgNNG3LIFS?NaEYD(s# zqn){k&9S0vA!WhfS4M963w@Mldu`?1TL=#B8MuwZ6Ij3Fy$u0z8)>nbkpCoPHDI8II@r6%Dc4e4LH zH$Um@g$k<-d<2%icMLgChaE{bUSBe$X1UwgtmyZs5Eo>GJ%3oHyZVbd#-19ndFOXG z;L@3r+NlLh0(;L^Gb^S}LvWW}^mNH@2Nf>C$TiHj8vURMoKr6KfK)p$Xub-wozf%L znV>G)GDxs`DBsyRKv~e--+Qp%yY`#ECg6|F@$bu?BkP@oL`Pc(qD8&k-ac&ZO+Gwq z3E)BIZ^#O~cD+8UsH=(ZJzW)p_0{Rk88jJ|!mqXh@U6Tv56nApFRxY`_t3mdZ+y$+0aC@~2CRn7-2cQYi2)NOImF1nv*NqWxgz@y!>Uk*2#Xe;nbQg%L`6V$T5jtSDU^%{IDCRRggB9?1X-mj3z{wm%_r9naqwXFOn^^ zz4CM}3&VZ;wd9^Faomn6*>YHMLymbMNFnV-kF}$UBeb)k@T#kS%GO>6(aF|+>wOui z04Z#2u&22CeYylIs#?XPP(#g+K5gLl9iU|>xL&kO!AiLEC|08MuKXB`NgchN8#GZq z3WW)q5X81jTq-T{0BM#3#M0(?YftVrJSg0TGdE1=!y~uMpO2LZM{e=ByC^bp&gT8WE zbbEGd7Cr0v64h6CkMYfbe3Q*6r^<~!UuYm@{00-Wk?Npv$8~&6<7wRIld+~l2CwM% zu+Zy+)ITQx(ECxP??&2Qf|;v?btwIDT$ z|NSn(I&(>|cuYbH-dor+Op^gA5I|x{cVw|;1nZga zLx1dNsw0bh&n&Xle>sW#u)JhX9f+jT#Er;3_|Z~0kLzHD4Mt26-`7ZX&>9b9BuujRScaSnP2Hs!3w|ROPhVY^ z{l3Vc{DY6rerK0!ab1v_LXGp5Sn7?i$WP*d#5ph995vL#)qIPRcaH+1+%=Qz(s8N? 
zAM(HKb9Dt9#o_}d8Fn{RJ_hHTBgO}i3P~u@krxo;%W92>tG5jsDun##K0mC*MPNb_Xoe0x22NNap$WkFW@;sSrwuCu0H@`Tvkt)cy9y01njyql~M@D;>%>!10ao|@%ePlvE%tr~S~zM{=eNg5Jc@;QBl~?uup7)3K8D?L0~`^xHJ-b#D8wHow%&U^i;iWw zss#U4E>#htWp7S(udr4Mz=;RY}uF+w)n%k_37 zwVT~UJ38HFx3(#Fde2zhSKoxbkL@rBB<{G7y;Fl4Eu@sAjxv?&JxgsV70kS3qvLY< zDG;V$Ra2*wAv9s{A#ztC1rz$s>FMax8ZwY8_-!04>vx~&)9ME|a3vg+g|FhUmhyPD zxeK<)ryODGku8&k?lc);{fJwC7s2fyb1|<$0p-yl@oi7v(b|h?jo(V0ttZi~9v$G; zZl%x~^hE1UBW4W{dH1dn@nzlLIte1Y@}2-lKSgC89+CmbzzZv9=G~w*Z)z?EaLtOn zQn|27%fQ;I$`X;1aA`Jp6+U4`9k7RUwovL-$Hr(E?S_>ogBYTFnSpt5i5c|;f~l18 z6Pvoa_0tZ@L^W+S=cvY;A7qECGj%K?e6hzRYuw+@v<5YQ7o{)L?j%HAvK;ZKZ!chw z_j7pa?Qj>QEMDeDdwQj@Y8TE^pY<4>VPCyJ*%O%!UGnl60xuj@ZU-O!`tq`-UW+i+ zr_7V*>N+#xCs`vHyiDZh*;MWAt=-9vV-A~;;~TNOIpUmb1=RZl*0v1{a^#!O-GLHV zo^g&>O{HtDyvpjAbLvXza}IM#VxA`kOpLV6()+IESi@so#h<}ETM$^CkXwo)KWx~2 z8Y98G+4Xb61f3Ey4R+6j3ix1M#GFa@NXslDZx;^$IfHcxv-30&Vo3!~a|fLwp*(^2 zIVsxx#JD_R)h$0-U9dM7%3Zice2KQUspdhao!qhb%SbzG;@6qNs@T!+sf$SG%kz`> zB!i|qjk+CvTUT^+L-y*etTwdTR6cFKz*4gZ;PhF(lo{JucuSbmsI8E%&g#J>_FHum}farSHTZRLW05 zf&u2(F=a4{8)6L?*jc_h(I|`S_ozdb-Q^9yawbKG%P+a8Aw9dpO*e0+1*?N<-ZVpd z<2+gC<5J(o9;6akJx!hYMYFXj@O!p&YUhF--N*9EOYkGgir6C0$8-6hvY~n@HlE)S zNYk#oVm*@YFL$4}{f@3FM{EMveas$^eobk7Lp`sIXj{pVocyKi-ELaR0J zqMN*KSYhM+F<@K<@Y~B0@{LD+F82F&cTLagqJEMQsMp)FyG`#wW<0wvot=wMne~A9 zIX%7&1xDx%NQ&2X3iT|fQ-b&r*%sJ@d=JIqbqZ=8leEmxz?)QLVx=xY!L?BGNdp1m z0uI05+_-zPczVStjC2azMf95+!%bJOx^Nf-I=V@W3bu44`;9DAnP5WS>1E%rVN@xQ z!~@2f3H{A_-ZXd(UM>;nQ!GZfSa+uMy_`z6U5#S9!~5Hyc5wEkJ&K(k`+~RZUR{s{ znNE!D#^yl?Li}3`Cw6b|>lxEJUs1R}>%67_$P|NE-FuTpQNttYDQ} zp+2S!=}auanDlxyZOt%*GC|4jugGSksR1d-sY}HajQjNBO(^$6*cJoUD)E3ccP3t0 zH9c_|6F&K#jh|k6hXD&=fC#KCnC`yO{`DfF~Zm#bRcwdH4S-2(AMiaYKgX0>( z+vS?ooVOo>UYHhM+-xOdyou4AY)?I$r4GD9BYtOH4OL22N`kP&WH+S2!CA}wWXg4H zM$=tO%V2X7GBr6Bf>uCHJ?Q;W<(b!Rr+e>FtP|B%k(( ztqS1RElsTOPNc?QejIL4&-sbd{7ts`%cDD7H~LkIi%9O2iCk?i)n>Uuc!D9W z%S|2G>n=n}%!56XuFDItowQ0hN_*=w~ju(bP*#YATkue{u~p&FKf#WFXm~s 
zVZAfxy_)L4A%dmEEGa&M%it8Lii&LKh|`r7gFv}VJmfz~TmQga>ZIvh$4yqN8pmUo4&2I!UM z{W5%dxnHqe-XUWb2#T9Gyk||r&O^S=dWX#BJK0lP$y~BuD8j1*f8vI3hh3PD%|^eQ z+ZJ_HDOmW%R>rj||D7)@K|oZCAv1~jL>gpxmV|?S#dre$BC6%>9j*1XCwUA3*JpNX z`5H);5EbL)0yVFs+fT@Urz-9TyAi>}E_mahj8(W+A)g>;1$jl>e3>k7t_vyn8Dl37 zPr$}CJ!wcDA%!Dfe--zZN9U3EH+LqMM_;c;uFr=a#8ljpx< zosRUDx^JsA_?EfknhB(=(=PzuwgqSOL5pK>eYqp zDWhp~Th$aPb{b3a%1glMS+j@*EMAQ1YjHmaLPwGKDRoz})3_uS=X}*H9j=C^s{u|g zN)A2^AubM`ZE8?DOS>7?6^^dm^O2`VeKGVv<9%f5xmZw6~6o;swX&}Yj2Xc$j z7j-H@W=kEPTo%1Lrx{ zk=yT7p$C55j_tKo)-YbK)LT0Ij#IHgf(y1w(W=>Xp14>kEgClL*uQud~$$xiA|}n%lN^3 zx2(lg(xi?=c(O@;Nkf!GEqQl7#H}qUp1e7T`QCg0siq47yfg zgtG}2hp-_B>SzmUAZa!~Md()IMNT;s2uw3=2#9RNdeD382X=ulMCa~N=nUD>TtY9o^P0IAb|;ev6YF4T~bra(sHTLfNHgcsngHx z&aiP78L%aml_jh{xc89t=_d-da&+7%i9dgcNQr1I_#Kpe8ri2S6(|iF^ z9DnTTwW9d(Le=j8Z^377!3Y25G;^z~`(Wek!Dy%S$KiwmHaAkmfK3}?N!VfgT!4Q< zUo|R2K%mw~g?BFvPdI=vv4;A9wDW;n2Y@&#< z+~Z9qvpdaI%fEk;Iy5lEGcc?O-_?FJ)npXAC|VV;8YU+nHNan7Qm_AVp&mCrejBFQ z7l156Ym@bqT&p(*XC=Mc_(LqthI1zNX(0GIZ%h+iqHc}IBLe(dZ^=2$dk+n|qc(U^ z^vtTgtU0B8XujGe5X#Fi5~XYf441XK$i<@=*`y>irY&*_KeOC#WP7QjJ2h8PLZ(K) zW`8LnQQ#}%;RXX|swZRZuyl9LZav*xRxa6uulMDj{Y|;(-{}_Jza2tJo=$}{CAmaR zd;Q|tf1nRNd2{pjp7GHMgF>J$Ij*g!QER&Ez{T!G8?pQO!~VybUYXt0H(5V4!NNkD zbrL;>f%Hluf_@h-9J6nnq|;gt%ngUqj+N%*li#r#1Cz?e_y4Pf?-a0^OJ2)yr1ER~ z!IbUPFPMV){6Q!VUKl5p=nAvMhHmk~4X?AE?oNcyDW|YE2_9?5 zAFU)3eb{X9y*}IDuXWuIpoSWNxW}$6`yxU~tVF@G<*I> zzA@^XwHE6kMNe%VO_*?v>3b&$18&p6Bz#8+50|#w)Pz?h)b~xElNG4dvI^XTh6okEob=XtL`MIS$|$OhRJAwh%lP7Qj0!>7wU_L#{q z)ZdAB!*tx99#xLvR4l!T)pvy<1+b4zg%An1KHBJss<#zAlM?-&r29|{h4uQb-|mfH zY}3`bZJg*Ks`jtqbCG!}iCCUCQe$c3>XWLe-*-kuSI$v7G_GdRzLj5}kaZPW%myM(V?K&55xEc`ABhikK5}3{e z8E+mltX0C$#k*f~w2tJN*gi z@20b^rgxd%+9xrg>#UWZ>haP)IekwLC8IOr)>)B^|i%e;= zz$_{TeaCyqaeJBuR(I`!TnNRJw%2>N%|HBlsker#%uo?a7vQ8z?Di{GJg}~ix>V%V zw0$2{O*t2+++`h3n*hYw<(^L$klq^Vam$|X3kPMdTWHpNhGmhuz*Qwxp534)?w8PT z@NH}J1r8CFkyj4wHHH|}TRs~C&Vo!Pwd9vbw;($p!!3W#frdWL``jK>Q)EvU!VbEP z{9a1!7HCZTZ!Z9yE31|<)6$V=YBFy&0>#+rMA* zJ?$&C|X 
z>uB2QJ|y6vt^H#L{xAq?{Q2^*tCZQl6?Vg!=hV2Q$t?5joNm)}kG;ls;!`UyHUiX(k!0mGLt5)W} z>;XfeWm3g(2LPsq2nCIg|Cf(Sp7T*UfUAIfG#iFeCgCY1TfvRY>!&`E4^gSj*ziO7 z#IgNj0Unjc=AGMxrdV2IB_}+z)CfI|_4s5j2z}$4$MQ$-AJ$xR^FOh-(H&=0WTJ$X zIV|Sv{gYNwiY8pv&Hp}J6S~VgE_zKhCZm+LPdBNue{fGf(8Nko?`Y(g@je@+&-WDG zTwUqj=o?o|@{CD8?~M{|MksZAkd3Df?%sH_I%AIMRMijOp~_+TzGk$pRV7?q_m6nf zt9YT+I;sI#JyE?(uLdQu>MuhEXGkk}`wjd^C|yEk=gv8~AyaH}*eHoZN9b)|Ga zvXbJ8c4o^x$Aa0@z9U>>CRG*H4Y$Va$aexX;)KXG(DJKonzfR(N?(ZFB|nCBW_QiI zUMY>V$RP-fnV7bf+RAfLQFs zAEDzo>+)39l#v-yN=Q9+)|;yKgB@3&;!;cm@>q`@&~?>pyChA8h=%?|+dy;E5KGAt zyk65-_OLbdav?Mi2M+v(Q@6F9rR5vSTv~4?1yz5Ft}*RQojlwL>kgZ$@}D+u{TGZH z+|Um`5@%X8K5x=|Oc79JC*uA1;2Z6RlrBUf(3|#2T|=&$LQ~HVuT4t1L<)1M4mF}d zBy&c~0Djwk?N#PoKFkxkbEy5?mAxu}u?7JrW8&|J86kJpR z_XA4hPws+U`vTg`s2EbHGy&%=Mn??PE&F21F)al-Q}zLH;=Q-rdPv~%n{1Ql`ot3XqOih@}bqGSN;@ zmmB@9E5;I!>_S~Q(eqN5Dh}7lW(hSieI9GkK7=W}23fsByHZU5y;9>rBMRpRQ)Bux z)3H%wI;-LNTe!a!_e+mI$Sh6Oy&@dA%+%|UN;N5_D6{v=1WF&imljKb=d|I~eLg5m z9iS+hCyAM9+GB{jcF{Gyt!Y8Y)5MbIe1jGV4LBFupbi}5MoAaYXZ5oju0&RM491Ar zG9R|7i60ql+xE>J-ysPs&O|UL%YF&|Bp0xfTbnxyiT0H zM_*%`6>|6L5h$>kjP6UO&5}*?{%hJhMBPgT-6@w=x8KALyv;W=a4hYQB9T#n0hX`0 zs(Eui+Qa)|3ejkt?ySE2N2mF)e=9=-3;+cbta5&OdGO?7qh&N-@+$yVnZF^NN_bXSZ_ z+b^0%x4F3W!?C~WC8m~sa7z_*PxNqgJ+9~rw(5WrF~-~z@Z@?RdP<&_bOFfWa4~WP zbODQPP(dLB02m~2?8go%KbM~zD!|8=*1@R-Ik0|tiJNUxl57Y`ntH^BA0$6P1)~tS zgFN%OmL9VSghq%%22~YhD9E_T_Fq0XU4DCa}*DLp%W0#gzUS;}R=L^Gy5VTBIeIF%hi>|0c+S+`V zYMc$P_kNNp%edj43rVeB=Dk#xa*|kL4>@8;l2=mKS`79%uCA@qSCKl0d{nQF7nl5) zBwR)FB!rc_;R@dOyEWz7H;npNQ_~&F{>h z9Y_`lxmKCWjcA!U7hxGq59!h(NxZ|8!bvGz$#*l;|9SbCv(o;0}jY^%3<5-5Vxsa1w5@6`gB({KTgdnCgz42IY(nAO}1c!PZ;UdG0l$$fBQp}(A?;2PI{ zSoI7quQnswu)DlAng05EQ55%706X6cLrnB#=fARqQ2{vhxa@8rUw?w_8!66TBMyQU zZmi=VVxd z@+Py5sT}KeWJxg%wZ4JQEI|d+5hEnyx0gvt%3V?;4J2EvQcR}on;$AAd;21NgpYDA zmuwkptk5<8&8oZhn1iT~>iwe2y}i$`hLmCTCY2q1EhVwuc81wujWdkJ7@XnfMA z*iNT-Ou{cookKIiZO~yxpb9dtmt`nSppXKvW+gf$d`(3NcSv*?EUa_8%5HJw z{vFlN5qmSHg$|QYHMmkcO_&8m)}#;$ApTRoNy3&5R 
z6ih7=W)Fvtl*>^GW))71Eb0Kma8X9df8tytb8@sRAWx9R-&S>J99&^UhaYdiJH0Ux zNXrFAP2<_Z&FAiYA7Ky?HCU9~q1l36*Yc8qSty3NgqsVeoueY@cg3xzO-Fg-)09H@ zG6Mx%kd99aNs45puzrU6 z;&=2jpfWQ!ZOmGG?S!dseYH1uDeB%BWoZOWbjPdPU(q$&(2gZv#$y4f9N<<b}yJFMG7eV^KxaePW$iEOx4%FQ6hgAZMA*hS(;Cd%}iGS1T1aL~;=+590 zu@L5E**-%X0smPoE)=&q#385`hUHXjC)NT-Tgv5A4E25aGRy!~ zQ_k*KiCBiGsF;x4iE6fhsQ~@s?yK%O8>k)#k*T?rTZa)L=pf5}@yI6oYM!dLdF4Ww z2-G{LuSbGP;A|jI^k~j*b-BtvhO+hnLpA9#D!lSOL#-?bm-G}tP5A{_*VM_b&k(P= zv3dY5=6q9~>FiU9uPU&$4zlzj(*Lu$Pq)>h2s*%E+A1#8y+YSM=WnZck9|0aQr2IR z|JgFb#M_VRVt*EY7w(M+5MvTju>*NHSIGT?gMXhXZ1Yurj!A;a7m4dxpoqv z?lRP@iK=T>nM?ZHM&*DZ#McB)&6KKWp|Kn-V3d&xWr0ZqVDRzOSb8ptqj6;*4mep> z#_E+;!vyL!$aDB3Bxw&3c62^=r;s}2V`seu&;%=@+7ah-Nzbu#`id$>sh}) zvJ{IIOb|){0M1MxSe<$_8&9;jkXAvlEI{vyz-uQGZszeqy_mi9%*);h@j1L2#r@tl zCaZwTQ7XUhF=xwa?{ZC-n&2E;a4aXZv|to~vljTv5rBrw{2W0smkq?et(GoR`48Xb zjy8}`&+)uVo@nv~O})ft)-B^{^$Oz;TKAYMcZCnUHij@q04^wocf-$Lx1_6Vo8szP zzh?xEjvd!4C;!qtfUZ^}Ps;|8Oe+QbLbkKyqk&fYkm~bmVkyIv`H6u?c&rP@D~LfZn50JZ9R6Fh+=U;lx%8xdb#T8AnFA zD#|H!tf#bugx9xAekS(cB33cexDr0cyhVB}@TzWpa524gpC%I^T*<-JoqrpdQ9ocM z-UAL~LqPdKtss#_I#uS<9DRuG3_KM8O z{xU96DI8C;@k2kbG#=IwdeQ`G{rdbdj@<8B?MhvgWy1l07u={}VO<#GcNJ+g8={qzb+Ma=+U3 z`%40uX%^(Ka(#+=ok}g+6g4nA0zJWoAz!*-&660@BE|<&$*YRxRjF!GGW(CMpCjIB z>D5=T=6PgfqEDvFkFQmhNy0T23Acnxof;%d&?Jn#MZHZh)~*twpf*^QOWH1|6#8I) z1@E@86WeKn%j4kCfhK@B!u+am_0M|V$xGZjEK8Eq@{n96hF)i3k~Qj_^vLNc}U0=$3)^R!5% zK<(;3+|FDV~df-}nsi0&& zX@ltE{gAhx_V~VKce1_9}c^V;rF@ z$cHL-5l|iLXuulX^_@5#8TqTay1L({&fB@^D%IReapU{7mQf0_u?C7i5X>bgLs2m$ zFUvn^HJV2WA9rJK9!*Z$bz@dDh#HjNTp3^Q$uRT*q(2=izh?dBdauDtHi^DJ8R}Cb zc$KnY-{V^%g%lJ>ImKdga`LiTbrZ??sj%5}=mB1vq`c2_fz#}}F27ZB-tXVChK5-w z!#;dA@eJyvu$N<#r(b@b?K5>G^D9TnC?p=@;>K$DWcsk{F_UubHH+8B8}ZPv$$P^` z1Yd3&ZC)-WvYl)lwZ{=m>7(;WSEb#}T5jI4e29#fQdZ&LN_Wj;m;_QCDi_X-o)-V6 zV?6Q0_3hCLVex0p7jifP3>GQhJ5Jjow6sp5=;TILtbDrdzx?}mGR`yA8<4zrM=rFk z$dJLfrgWj9t`+J~`0nJ^wnGxRUY9tWhaI7`ntbV#!Dj2NO`(W^hcN`E|19+Nwmd1a z+FujicTxxOchU!Bg=(o0+v!=mW)D!cAPmCzyA;EM 
zFRS0`TN%drnW6kiAN_!WTBP7IVY*6WutVdehV0?VyV&cLN58Q?CZ>}ipfGIjl5i&$ zU(?FZ=fYDmJKP?P4ewAy{MN@@JZ?(oD?^|wln;TN{JS`)W)#uG1E)UlIy1|9=WH}4 z8SsweJ(20>uxoUVHnmUPUF%H~P*c(&hM!G@ms@qih@Y>Gmfkw{^?>}@;c-07PtCMc z9%ui0->(mL2K;I2xZZ^l9?5^M-40`+ePQYTWkIlykvSI7gd8SDrR1EXzonh+LVFwf zTv19Dw&yh7@;`oMLMZYeX;MeFKSX>NA`4y~Lmi2N4KcU1e7>@C-#r`OShJp^C5G)T ziQb#|PP+3y1Xmej>b6|h3=azD+AT?H=zpp8Z1+AuU0HFMC{ji#i%f6?wGkdHSVnH> zPU-oyeXaB4?7(*d5tGfA$(m&e+kL8#MXf)e(j=lq9~HOz*RI4ghULF_rFk`KGvRTU;(neIXE6ix zcjuz_aR2tMwv85Oujl>n@F}cx)lHGZaNFD8^w!&P_{NdQuZUp}KIdPP-@M2%-OM!9n0PNq=!#KoUi?2JdSgu=}0B2vSA z%}@=oz>`2h$Cotk(?eeUaBP(FZ!=Zi=HE*YsbG2e_4idDJb5b4NyofGQRU zL;>%srmy!hv70>}y7GG$$y{R>5I@a6YbQe^5y5B_<# zMSK{~0PgS03JyedD83H^cJGnG(vBTZMY3se_EU(T6jGer)k zqka7`R#7o-JI2}Q01`wHTXPm|!cpqjdeuz?W|+9NBX5K28TATJg)@Xp{2wZQ6`*+g zjiY2xWk*Xp@me@mVm;7Cg7UwxVM@U)dj9aym^8f~a=$$=E5!Yo=C9J!sVG7>W9NC$ zyg|qW5BkAnn_-XH#AQRlH^kq0D3wAZ2b%k_CTEv=@6ZYNRT+yj%ZhSd_J#h}s=hDd zuNxYc6&w*tA25;e7v$^LtjPw(Ivx~-jr!3Jka@7XC?6aj4;o09on*a=vk^TkHr00N8qdGyWFUCRWUv+MD=oEa*xsmCc^}biw}k3fDgd2%7l{~80bw?OQoiw z7V+^wgPkEe+>lHVMcZf}ai1y~ml=JzepO&rd}J;IVJRgFj%8_vCB66=@akv#id4$_ zm<4DI$}x<3BdXXEjjo#jwv?%{%;7v5W(=_s5~Ce;c1X?nI*J|uN^q%)dEE_kLFR$f9l7d z?{jU~S!0^1SDkSZY&bzdUW7Tdhotdus?{P*BPT0eHLG-^X7mh}yA+qj@C!d&gj=t!wKLUU1s<_G&4(4iwD@zC! 
zpt^k$`VebK1nr;T0SoC?fsPUoJM;)!`ra3-XUR8l081Rlgbeq7ztx0 z+X$e^a4+b~K0s7gkG>Lw6?x*$E{+)z>wCA+gyy>sHV6_cTMy>b)b~N~5`5`Q(WZSt^gB!}0DdQO{jC2k(sL1#I^~K6U-~ z^=YcE20*m>pgA9wGmePlAi3L2^t!!M5=zq;EV3vzsmv0_ad(uLdoovLXqpP5Tu32{ z-?4XLjEi%!Xuf@i+{r@>1a*SQsPW#Db3*a|a8AtIJv%2Z{{sAmDg$u}AZSHWNh{v9s@?mIyGnyF-c1>Kh+aW7v9Efz2n}r?e;EmP8A^$)3xVw9lqVgA_(7j} zeoD8cebZQ5ki&7AwMvZMY_X+t&mUBq3@QH08Wg;ay}gRL*1Q%!0{E$hd8arqkNS*J zYFv>h6@J?;!^NR>*KkU99eQQhR8i6JcZ)qirrzEkScXn4^YVcz4e*?8NH7!ZQnz{S zz;qv^kcoU3ESBJcBgvhN+*mPl-~UlDqKDj7;VlCVt(~N+bh6-}^)4z)M`37{CY;3V zOkFJIvPdb;&O~}hGt_q2x*Dh;gPya}Xlh>#c_9>}+yKL57o7bt>ojsGz2@^^J=D^Q8`bl_&i7r$&cW_RocgC1Qw z9qlvEJfZf4Y~LYVpH2$(zcml(zgf+#(Ee73z6Y0%b@pQPrHc)tAW!b1RKJCb0KJ=1 zEWfYA3$U=Mc_hPMLoVGbv;Ax=mRyLpw+(scq6z|%<)qvNGTV(cw-TR!SHDk0(LZ~* z{o_l}NpzaG?NS|L;pF)`x~&anao{|af;RwGd^=;(tZJu+)GWk|suq$^BLwYnCP2)Q zu*m0wC9u#1q|k}01U#~zMHau_!u8cM&Xh;)TU=KBl_~Xt z38#4E$jSo>O*R7Jd=w*&SfKE59uFEQG0|w>e>@_LN8v?^YVl+vcW%o^Q8#y=PqA$a zB0Rb!u^BjYrR)TsAqN)eY&c|q)Ug#(>8G-O9v#UgCW}r|m1+lyxh2ALeN3|{NgCqs zj>oDF9CZQcOy=tH$(+`aQ8z3FuJX8i&y90aSK%Qz^}(Ob``y^&E~s}Wv2rG4Tm>kl zyyoVq1Kecy05|<^tLm={JQT6_FUfdKA%;ZJSACIEnpV%3EBiDt==GH1M=uOK`sRoG zD;)?mUo(0$2(o5qX8KJi563M^5o~{aqWT0YlARL>4d^g*8zd&Jw-TdbI~~-PT>|Eq zQAX`~|Jl=5dW|kBUGs`yU{clw7@8jzSIq19B~sQ7~zCC~2ci;D#>>r&w1N_G}c(E=OLH}YWF+9PFO$x7C zKgRKq81~$^f9GGo!eHNww%e3Fdami{fBtVTKx}J1in!tjBB7(#ASS`OV8golZENvOWl3=B#w%Zt7BP<&?%M6kV8TF8B`x`ABYc9aXh!@L5H_ zN9g9x3@1l3r%CgIqav?qN*B1ry}-@uVavA+3#HDgO)Y2xTzy9+h;oS4ZLTMTQt!&q-0zN7+T5?O zC-@xdc5!fMeDkzDIRWhl3kM%7f`E@9s2tRn?;YWSKCwhVv z2v65vbUqV!ebbchP>OM73jVPI;pidOJJeEJxnCz;{!fh31A8(1Kd&T$?BVnt3YH$Q z{^-g(v0r#i$Vu!8@RE|4EeEKEzrq>7WcQnmYbHos`LQ7A2~MSg`9!xb+g%~gcJs|I zz%c|^A1XZ!c$#kyBn_`Ub?SS4K(S#gI!ovhS$m+sVEEo&)V}G6ey!hp+i`G^shyt5 zyo`(ZN{j1Tbw@jjMZ+>g6ro&bm+P~rU)T?jmXD?oiie5u-F^~0-L%0$ zq#5dsYZVoqv;ThF-jQQAqD8|hsZigQL++;EhX$T9)6$prjeTc9*4l?i5&&G1M*jtY z++RcfTB~e=sA5dm`K|)nFl$07$9TS>wXtUX@LoQ;os8e1ulSrzyB6R$GU`Wlev-w^ z@lnuA5~}(VxTxBjM^S%K_BEzok6PU?Y+md)8R<3;LRaW)eA?OjPC 
zco*=+W1KWLtN!>NkQHE{xB9m{<4y}Uo!8~Eb91fJf3KCrz1#en zZW~2&A}?=vJ$tT``JogUYT>Inc`F~;Ezl``74XvNlaoc|_;R@AD^p{aZ_~V~&buZe zy+=>=`=w4Py4sW571oBvIB!>xv1rG$plUmfD4Go4K8S#XEN%CdvH20K8}ZSqx1d_x zoJ`{`LHMyp1vc{A_RZJuj@k-w5hGKxCbEnUxiH?18$ZtGz(jn0B)`2(UAOG@T(y5e zJeKP?vT#u!h&LdNFHHK@@exu_MF2LGd6^jT1HF1b`HOJn>iH(}TcWPFwt9i_Y9#~x z+(HK}8W6*c7SBR%ji=`W{M<^7qfFJFX9dlL6bTIjdh?CtDCM7UM&1g81vErxx#$W~ zumYb*kNeaKQ;13>Ge9vm)(q@SO%MvBg10-whNg&oOWZaMsC&}{3@+L9tw4#-GEEvB z6XRMcddS2w!d7*m@aq>3)vFWdxF-Y>(*sZfO?L@ngZ2VA7K25R^p@vBAU(^sD?$Nh zp}XO)$ay79@BGAy_1lkVST9v584<(37ap=|+NVSQk?Yih%)^W^-I@D|s|W6S5OKYR z=bxv5P~mH-N;y}=#!r*Pf9^gHYngGmHO3+!ufo()yPEplvF1kFZjx@9KHTszVCIJ1 zkM-_1+o0u{qh#mAghJ*EEu*wB)f6wY|i%*eEb}z)-@i zjEoT@whL|D*x3e>WBzLb+VG!eUqSIXz_Kivp8&*#-sNAwG)Ssp(lv8UdWYjgxR1+( z8n@g?vMBFQ^Nvg*>9~ZsL&c$Ei9;Y9+hZ-(N#QwL{HJaIXARPAt9@R_ha%rD%*Q#% zGbE`n!1czYLcj_B#+-zqxZ#)SLP^ zY!?Mb??fH}_inX|)KZdRkxAZz6`Vbn8D;CF0X>@k#v;VLGyWB9v9~MUX_28|;0* zV=o(qAQ>WSZ5pv&F`O9ixUlOeH-`F*OqZc(t=OTG9LTHp{IU)@0Z}ZA3pS-qT2BUah9x1yCs|y?`;*m>?NOEw{fZ}U+s4V&4JxH zeucQWSc_^jF_S3pAdtZTn1Ct}zzNqkV-x>UBtX(dFxTKjdG)9VVcRr(HxPjSH z;P`CyhlSuD^EJlUS#ii@#L*)^w8)=mkh{z&1YUfL_Uj;FXd2*NA8DCeaM4rL?OnR~ z`+{VLM+6Gf>mg^j%YFAOCIT<}Y-@L_RRn8fOWYpjm^(`%>U!1VYdZfbd_PtCB!a?l z8AnF#Xs%nuV>z=6_ub9X`=-Z|-SCDx= zjvSK@@L`E4C?@Wh8Jl#LJ8C=XLWm9#MwRW z4532Q~(F1iJO8H*_pVG*R;gKmA};iK-1WGw&in_!7$OB z-pqeS)pQmWkc>4ui|gWIXBDqV=^98Dc0f|HesQK?yeht1yD zLt46l^Hj2ZUnz9`u5t;+ZCM*{M6k%9-K;1V)B8|`M?^>q2})3@=F#Blm=EvJNFFb{ zp0ioXC{)I4YH^pz6RK|nc8=U}($ejN-}1DQ3<8D%e|eHxlA28CZ&s$oH1mwM*%OQ6 zvQBgG@K$|`S=E_@DlKJHdff7+oUupzB*b<``jUdaOyE%?8jUWIg1CO z(ZYdMQ}`M(ZWWB7LiL4y@GXyR+CT>koiLAfvpgI=>C`)}mw9s6ou8OyAm5CcMJjV& zk+&66Xa(y3WkU;G6FBraWkf~!*=@s(VuxBDb}Yd3+tDDvhoO}V1ohhdO+Piok!myZ zw(T49h$+GIn|u7f-W*X~JcfE~Ym6GjU^uRg!`fo?Yqg$*r!R!SaAe4*EOs|XkP#n; zj0*mc2>lqJUFe}og4uC^&g@P989Om^$lFD_rf}>x^RYu^?G4}KzpXRQxGXuqX96A- z7fk$k?E??Dguk$|PZ7zu3$z-%tZo%iVY%DlG@R`~; zh-g>ZaszE7q;i`vj?tPdBvTz$TKoAjQ)ry^car42n1N%tEd8{pQaSpkj(S08hixtT 
ze=-UFOGv|t0p;?~=>(f`L<`1zJ9i(;*^~spu$((AaWf$REiIM>lzZZ(K$e+3t zOqYj$cWF6mV)-Z|=a=Gw_S9!9e#;W1X$Vnjnd$>~hhK;W$4mj-V0joB4#PrWp|smD zW1tpz5l(kTsJs-N*sV^aBHOC6I!iZ@60^BN7wF;ONVT?!pm^#%EMt5+x3_MMXaw_~ zu5CX=S(bNe@?rg%nMiu6|G^)ntQuc}B$Y;X9XJ|)ItwMTsYZ)9Qh`UB6MZaHHuj9h<@^@zwoW{`n6?sVQ#V$}X;keU0 z>oBZ>s7~Q#a~@mH1XGzpiU0WlQ#QKDuZl6L%vBfHa3%p=TVwN7r#e?GtbRSmigUOT z54B>qA4#X;>G8`CqA1FM$CrPOJFi!||BtP)T+v5}D?}fFyIm5Lm00b50vPhX&G(5lkM%Ptd(#;lW~M^A8NY=B3^mtA=F z);4;5jRI&;BFl_AI{P(u0w}%9O%rnU2H@uMF4a%84u)y(F}}wXy{-D~4ix`oT~Iy5 z-(HaF8nONwS=uc6ta5QUaN@!UN9w^6rO1=1;{BQVH_uGC|LgG~teic?XkK3l=aBk5 zj6!TT@Of>1`uwLw@t}WPw^=Pp>G3bmUIQ{$RN-$9FyVN_S*!sg=c`kZ*!%OhMo0wW ze~IEpqnbz2jqvT=&No~bpoCVqh5H~+h0UXa~iZQ6b9o~=Ki@7 zA49|}0Td7Gp6jB!*3Hx9`6$sMg~FXI3;uvg8(=I!hqqCPpiFm*_9U$4m1NmRsj!nW zzs_xzb9Z6lN^`Kc2_oWC$z%+r7?ZbPvHbYidncnSSV#xPjGSU6Pe~QC+{l@hMCE5B zZg-n4v@v(Sz$B!AmUM_uL}u~>?>(mJjG?fg>8n#_MijD&`d_dM5*SqFE0U}W%suF& za|~YcxBdBEXx#dtOb^feBS6EUJZ}F7pMbFungY48r#---PwS|rn3?!5p-oI=66tk3 zA9{A?Wj0vYxI$W@h5u0azYW)=(^L{e<&&8&v39x~GxwR!Dq+>MmS<@T2F>ZyJ=B#Y zgB6?$w?wc0bY|^<8=?}GVBf7Tb59M7@_$mKe{RMnv>i@3+fpXfG?@8WUDWO^$kd!Y0Q5oGl)w zxzUx4d~wusx8O_523Nt)Gpv1X*^k^W^SWgk3@o5~S-I|5BW%@M``}G?W0~*3$=r69-4eR=qP5`jBJK=JBPopwkYw*U)|eK&>8uf16v$% znkra3U%h>yi$KrJi@eNi#L5j{wR`1x-vKiv7!%R`gi^8G9wr-+pzX`@7vsbS3)xSf z*q4Aun58vp-tjL2Y6)iaw^=H9C?K|&=bn*4o(d{hf7|ULvzpz}!nwsm=`;Le@$n{c zvVKPFZeo6s!K8h?Ub12jan>@1H1aq*j#_$K?X8s9eVvys$qhM3@btPu60(;sW$62_ zfuNx?bMp^85Bor9f&Jf~C)0nEgY8`OrxuNVO}!dl1=R-=H;PMXKx~4T z=)y&LwMyimrhI7{fBrs0Nk?s0tx0#+`_K?0MNK$3&335^g^@4s(hD0_Xmb#In|EzbhrjXKn z|M`8q+M_6Z!tyEiQOafC_d$DSobtoE4k4GtXfo%fTJU zfiU@BQ_62q$7sdBMpaZN<`R5_`xBo*U)u81k2wxM2ZM5)RHy0oP zdKH}uL$c7H_apWHwI5}0EZ&(P_-blXSE6?am_kHn*k;0aWy@Bhc9<5HRnUID+_W%( zC$Q;#jYYqy1X<7ee*A^sl(Sj>kWOUyBX_=6%WY3jWEvs;FvMU zr@1Y{QYTgbNso}~A!=#=KB@g48V^>u-H5RNl@` zZm?!aU(P*D)$^zGZQxf5Vh)K5)3Blr_Havs)V6F&0%QXf!G3{~-y+edY2hGn{9Lf2 zhs-*+;TxgHK1-ry{Eyo|9RmhM;s0eU^LR&Ix$5Um!U}O5_1=a!ky7jw!JAtf(6tLn 
z53$Gv&sp1s!z}D1{8>|lH1vT{fQMJB;q@H5>$o~L%`#!k%tm5x5b_1qzHHvWMqoyJPC78?SNQG@ouA5lEVK=wfD%c2e}=xdc8WxQasN_Pe#sm z9LDdiPbLfG0shu6!86~PfVuJV(1XWE9X4Su=a(QVirLKj%p3@3iD?9rQbdolu+I=& z{9TNAZ>(ac`wgSr)4#89_Vh|S>Eab9r;>^-Md*A1k)tYPzBWUah76O=DG?QOhL0TpT=r2$^0X+%}#J-|21$;3lBh{uVkj#MT+52X^ zN(XgPpwHV&;{SHnjSwscBb%J=%DDgnYeIyH#h5m`rLjz^`_gZ}_3xxiAOZ)lufn~p z&}`$;#UICezQ@51SwWErC)7O8(A<(dyrwTfDvht@(3JbN0@CQ`jKEOVbyFVVO3ENw zDtNR%a74`+uYDRglSPDiW}SZS?{{)Z1gaR3L}=+1+*Q_ldrc11Zv@Z3TnE0?dX)UP zG5mon{546%3r$kS7&lur)6%>0tPbG@w;(v^(Bc`plaFH4MOwmfYxcXK=&GsQC|P%B z=hQ-HI$)FsFIwsBS1VmX7^G-hiSEdjv81cScn*BBH7wB=dbn2nxz{iQh)ACac4+fOjT9OTGqtgxVs*JnslwMwFs`*lBckONKS6oYWBP0_pXE40@)`6 zfh$~uu&~^^5og6tL`5-Q7g4ph9-oLVW{8(p%Qu?#yfZus()6~L3KSAjdm>Z~H^ey2 z>wrFy{qfCtd!W+ZDlY*VA74Ee_h-fb!(sh@V-Oq_*);IlWakcbHo0e{4+xTB7E1%E zCdZWYvhE*>_rJQCdU8zcx5B;|hQ3?&7#sAaH}u&O)sQ8~!jO`q^F!@<_0vn?hY586 z+Y2qLNvgYD*Lz0ztVSs^1ceDk(oZN~$!TAmgSojt#p)$2$BL~Qa*;nf)_DBsDKs#9 zUbdY66W-&2PaT;VYqec|!H-ui>8c4*sQ8lmzEA8m(O|MO0Uo8r$y!c`D|ZC)K61MD z-#nyCCP^mKe+9Zsv#|^vWP<8fLE|JqVZ7#f9vj8pC{}M~K0s{S!4`;v&e8HQL%&JI z8<@}_UvP5U7q_7SXf-v9UsV$+_zf3nDw!EMl4|S^?-?>#87>Z3RysSY-*T%S>eWgE z-mJNGlH9o1^{F`ezPz_ywDfP(xWd9sS29FSVA!I`9YWk)cK35VQAv)Gg0eTie-cFl z<^jbFgPITeOTLG3yk~Y>Ku2PI8d=l9>2Q$2Dxih43Hw-o2u@jA^#a7u9mek6($0X5 z4`R5xcrOU)L!wpBu7}c3u$@c>tC-x;5uKXPla1HAjJorDbko$j{?*|Acnf%FTN@DF ztI z|jqjzKcD*?USR8f&83B@&rOk z4pBYF2;oMj;=!e=cMndhp|33gW zpYo+%>ob5Yf9jcV{?mH@-RM%0H+^G&psv+xv3ziNF+wdkGQ1^In<3!v{k9;Pm=L8d z9l=a*riBq_a{7#Nedm?+LdVwr!`Q*kx79}ze=z;7*~~P-HyDl1@qwK&wYQ;lD#2Ju zWKOn-xx^qn`HAzx0&Q3^Nn^U8Cy^538a`OhM7#7SQ0$JvugS~g-e=8)8-6dZ$%zn9 zsRXBUxaN3%y0_aHD4=NsCPDwAOOmFR7*|9N>_^}yo~to$@g?96oCKS&BEKO{a~ z$VH7*aKCqk2lLa@%x$MT4)bJfZq!-QL2K1MTx=UTd~^7BSzOU(wk)r+md`zm@1Gad zU>$b^{)r-nVjKyN&_c<%l6lVQH#Ot17J>9_r1K2#unCVd#BiO$H|H~`=1cO@@0;rx zcxZSCb`pc4=t61eNHNi}iQA_f9C|BcegPm7BW@!-Z#D(CdYSHT`cg^xNRnToGJbG# z#_&b&oTd?d_?*ZCy3_|Vo(^sPall(%6ly%AfMLQV`M|L*AV#0&T&|ADgub`h2S#T>vGAJVZMpaT*7nHN$=$|pbeeud1XldL 
zl0az;KE1vSzTru&<~5&}&PN73X@L4@Pa=4dKHKnz4Ei<+GiJNUjyB|fdjX6VOornu z^Y4^G&xAd*5PFaX9^7?4?xg3&d>%jG00?GBY0K?o|)g;iH1gF`_Bw~~Cva-O8hTfW<7d^KP7TdmP_ zF+eBSCRb;reHEzAZU3auFu<4Q0dtDu)jN4LM2DnY@D`+8SARI&jX+Mxn%72SKA8XD zK^fa#B*tRoTNQnL9m$H`KjP=S=y}A$KZ5du7nuIR8Wg_E+L&#HTp?b>g+J9BGQMN5 zO(8|)z zB1Z<@hW!_Py4QF7(C6s$usQQWRL^ijvLQA2ZorSwh`H_lDU#e?9#NeB3CkIE7SpMc1BY zv@`yq#vU)0h~8b4JP{~7emL-0j%Q+bmdKt~ z=d?BpVm-<5_!1Fp5M~8Cz?lsYkGe!G&4x*ZzFksBmh*9J)y8R8=D{gX#s{QEOq@fU z(UJng&?V4?+;&XeE5r-U5HoZ-P0!t_9@8y$&4fx za8VOAjHZ=(J)yY$!vsYt4JGS4=j*|$%{Pt}?PqSNl*WW6zT*ko^EiUT$0ENykv!48 zSr{b8co2FQqv~Jz2Yy{+c#^jm*~x@eXEn?v*T2%YSB8Q=C!tmigV`jNq+WVvxdol$qym zJ@YFTg`MNu+XK|M|6sLFHBt43`k(!O#`DK-ZAgh+ETC!u}3TE=`z~1_3?`}DPxA`j^h7yF&@}5;t zj$|7aGZiJYt8MbreL%9Nqn%_F!||_HbRp&oEUbfp6>%qzDQ!lU&)6+Zws@L61Ql=( zM1t9M=4oofgaz^EwJ-?A`3mN>BGNEp!f*5vAy#pBnjaDzhS7@b7g0Jt)uQQ*pAjK^ zCNL5wX59MNZW#oQKtk5Y+MNsdzAct^9g}XZ6Wd^d_&LF$qT(X`$*csuMrqhIN&e%B^l= zB;-ltML!cpUi`^Z_?dbFl|e5GRP&g&WST|`04Wxlh%TLliYzc;D`qJ4gK!Jfat>sk?R)B*&GEBhN90P&vRW~}?zBGGPV z$iiX%*|3o4i&ZNTed^K&+wX%w+y4#pSSX3K#F;QKe1GCU z>;tvKZ^GxV3?6ae5eCtZB8$BQF3`}u-sLs}G^1%bg5wti35}e;N1Wr#2gERvXn`~^ zhaSf!VQZim6vdQeq;K!zGx@U7`S<3$nT2d<{Q-BgxL7I9Wr+O7ngAk>GIq2ZZ(^>Rr9r z;Q+!2E59<^4VKDhFRWCOk5(^ij@W~KLwL!9MN3yV1*t}f2D#n>VS0MpNqzk38=>ph zE1=MM$^^_~RtAoM^O55;0PKuWRFg?FB2J~l>c{>1_Cu*!HXYwoRxs1eH^T5$HSDgP z*D~I{Q?$KhVj_#wFDu~hFfG|Bb(nUr7?FG<#kUPOL}c9>^-PX%;-&8-&LHfGzt5aB zHombRa0PAgq-R1jb`)xRKrNy>MH*yrdLh+E`u(g=x@yRuoj72AZaFXLt$RTmG3%6? 
zl$|XT@TpY)?_dWdT zdvEw8>6>XZ|9Yq0=2Es5CvPLcH_zf%^9BZIBC}0gxNlPqdZ`G*xAfp^1vh6--o*Ve z$J*yzs_N$(0o#B61iD25H~>NT>s$5NPya9?{s10mO!${53RD^!v+^fy7L%P*OMvsZ zt@Ch~nG9)w7O0IvcQYwfV?YAASXZ#Gz(oh5yM#|{$RJ5PISitMj-?0tzLX#qw1)$_ z0M!FUht0?nj51l~qUg99F{M)%UAF zf;eA)2{>;-qcX#Cv_ZdNcIt*~`9g7>zd*eNG)3kKD(#g00kJt9#yqa}{in$NTv|Vv zJ~|w=9fJUcqaRGTbi127uu+0$qTl@^R?`HPf?z7LKc5V_WC7?S&H%07qL~1EZp@UV z38$(09iTupJsOQzdigt8p!x#n{zbvG0fxxEl|n#*7D}J+j~+R36opg55+hWd15U|2 z69+K4X0W`9Z59?vL@J0hUY(NR8-#Rmm74s+?1@M@o-zmGS_3xHDTdT!kexuIsNon) z^xNG_;%`K67HxlCeC&R6s21RulU@DWi6g5r`R?rY-MjFZtNJW_%n!BJi0OT+tvyEpm}lsTF!r*+Zx{YqGk(iqC`C)23IvFW+t{gaEErj8RY}R_?kPan=Z7^%k!)~6L zQ{98+uxLvk-4x|l|?Iz;xGs>{=WsY~& z^1~mVyunDfoS6f_`@c93m}ae&eSaADUV@mJI|uNIEW?DjI`#DTu_~MVhDdMj7z_I> zK$2H;0Z%1Fn=*=UWo1FkD+i>ONmWA^@lV*fGYIFkW9c$y=G+EZUp{xxcyKjq9bt<& z+ytD%&yHcP4^cVO{ZE7R8JUgG{g zb)g#<)Z-WQ=X2)$>`!9ob*BW>1$LdhiP-YQEZ+*ls+>4-)#hXQ0^ z|E&2hipcI)>@?qFNmvc#@DbHE8vGa4X6vJC2?JM`#O+`OPKSe|(Cb3e!V5|U?lJpK zQ24-2589RjpOv=`Uq>P9ol)y}v{l3mLlM$-g6)%nc7%KbY(n|%Pu<*oEIy0+n08+s za>dQbpQJ!)Hoc(R7JWj!8vLQP69`>at@o zy*gIfth+rkO9K2C_;~ZE?FQxK*5Gl71$Lw}@U(6Uf75nvwtUEdsMdIxFa1=JVN)y#>!K?6I1L zAhVlpG|1eIsHdC%N2x%b>vIwN5bydGP4AUQ#4&%;Y1JaFBECR_hiKNtvQ1y(`mYQG zoz}_^Jf4oE)~XzD4#e($<;h>i`M|xX`E7Iqz{@I7;d!+E`kyydoN#nFe}hT~6l59&Xz1uEQ%wo=@ zv8i>+`KNVoV3kVkLsrTT^ z)Ds%1P6b3UE;?VGNhkZ~FJW>dn&4K$UD~(MBsXJe4w@cBxR`Oj5n&*|a9DY`DzH$% zvTVj5i{glIWNT`omL*%oWmtq-Kf>BvWVD54{-w29;s7rG_Z7$Pm)jp-sQbf7C4O8) z{3b{we%EoOcttG#JG@h)ML^ZAB-MJ8vj4rqsM}-duiaiaQ0+3hF-~j7<;?Xn>M=}y#Coe zsvo2Y^}~bV{mkopFTI2QEq(Gqia$=>aH-@qGAc3})bZhW|F@%+o#K8>G^Jic;~L_Hl}oYAyJ>u>D;kx%r~8J{qJIQyM3@= z#JQ z2T`JfJBe#z?<R>vW%PCxMJG$Do~TrJq8F7*s0A!sUpi-=06;_qLQ$KdDXL zIp~wMAI=AK!ua`~!1ceM_#WZL(+{$rQnm)cYe_)dd)CdwDzB`Kswg%eMDJ<;7&c8g zV2INN&}FlKBj6&4mIz+WpIpV!ed+S8_}4hF9MN>EmjxWiKpHr{cLNc6u)W0^-FN zKfXrvZxkho*pR2!WMC{3$c0OjKSCW{=kWAGay=X3NFM;B{Kb@Rnc1OkEd(c!D*YLK z0@;G$BI&ToGG_9e)O|Vnk!$EovZPB~c`Mpfi@x~bA^t~MUBhL zyU?4qJ2wDBUlG7UU=ehXQ&v$QBP4l8(gWwaCh-V;WdrVoA|l)iX*G=MZVn>~VLg~A 
z1f8bvV(%S&M({**(@ojtJ!lWT7H)Tk3tj>C&E z+X~hXwlr{YIbFP+M)lPL6m)sO96PNSqkM&xEN_|1Ekqk;e$WQlqSBIeu3l8i*gbI2 zegWnuqv*8I1hqj>`H$lR2ySD>)#1q#?%vIrddOMUOQ$du`O?N+To3t<~@3_@1Nn%r@{c_y~#+fXzI zi5q2l`U05ejz-s&Lvb+cSw7lb69@WCqo|BQVe+FgyC0gq3|L_}iOc212AsG29?N;Z zbG{qb1ujpGISa06h z;$=bDUMyOOh_Ou@^c6ls&(&lmIt0WFhCX2;q<6$#!%cWfkjebDVfD%ZiCh;Ot&}0< zntT$u7HV~UPOee!`~06dRh$0UDBPil>56Mk>d9WG)pWNlI|34&HwEL|rA(A}=iId9 zJkOOjO$C5?Jx>gE4-Y?68U-Df-1LC2wm&2d(vxwjzOg|lHDL?m`u=kSOE;4hMQ5a_ zr1y~@kcG+pkEMwE9~?Z^Z{ESDS3i*GZDz47Fh-&R_8ZIjgt{3M%wnn?z*0c3D>VQ` z&WKhj;f%53SyG&NgRN&Im@@_4sW~BNKnCr8#=z_Ge8_=4O2pk|=K~>p2 z=Re`T@x5D0H+jJ0M8wwn%VRgH1O^E1G_1X{6*}r@D$ID*6gM65GwqNLGL08H!cJv%0Wk=*6~tgE1V8q@Y`5c67@d1H z>Rt&G<)~V$eMU@ZI+B57p#YS74oc8*kSb4p@1OFpt(~q6;S@%Io$8U3E%v znA=1VAbQ`#UJ@g1c^xM@Mb6v25fsxv~I$B4CZnW=2r0iI~Y zdicH%R(9DAgBZN9QGky+FpyupWO14L%HV(vx%ld1agxbip) z?yf#^?u{^emp}G0pZk6yY@Hu(qu<+3eX0ysb24zpb0IlUzy#|xUbznwUeuP1S?oP@Qrjma^p?3 zm0`Z&_bk+kJK#0NSLqT^V~9#c(v*4sx=F#58_~U!J%1`g7zVVWo#(23&ut`zQ`7yr zb44wFt;?mAwJ&&o_~tuLj}MNbRJ{uHpe8f3wR0d)*d7$Ex1guf-F`(L-z(iYwd_=| zm198DYt#$w-~E#K(((&k*wEa1OLFlqUZ^h(nc?4*fZDZl&K!wwFDEDH)19dhI`~Am zSgh&!=%=T*hBQ>JOS0Cs53aTm2vL~urMr~L(nmqzEX)RZAf<97nE1q&>$5MNHZEP5 zW5V0K+jCH@jllQFGk9V7V6}t--+j?^vMC`}Y}dHctY_v$v(^jFRX}hr!Q!4b!DD#W zIoxT;B$xtdQ{z<)pot>#>p#hI9k0~b3r#O%8cXNt`;c1Cn?nX8$1{n1iIgv)3m&{a zNATS}^~M#WN5dOP5tp581ZfK6i;V#4sx~LD+cyOV5B?la9krI&PqQjkTQ>HA`LIw4 z^=a|2o(6z=o=%O)%LO7KVA8vH~>6Io7uzr z?)yEz4Yy0A(6^86;W)**Pb>B@DWiLH?uus(XxS~=kmWO;+iVYJE>}-|LVY$zY=ng| zrh>b$W!BC`y-5BMRQluqu|Vi)Z!e#$OZ7{fKt_qKUy-pK*K06koL_U;U7y_IiaVKN znHB2)gOViwCF~3pEpfSU7)_GJLU3JhP<~o#vf~2as^lodTXIgSUn72w)$L5RvZGP0 z5F8HXdS)SO;kz28%Y_NHfSPaCf=G`*tZD_|NFlX`7|J@c+)q=Wx!g=yd}+2sx*lbi zn*qRIid&FYA!f?E+?}uDL($PRD735qLWSleBr_j?d6$T-0CcqHS4n>BsX8kU$t|e7 zZVMNcVdj&_PS)C-&ny(bp`Qt*A=cp+sY8!+S-Az`PhOg!kC;M?5hsT5?C@ zZtoi5V%4(%XUMRP{O8gmhf6L9QBkB(+)#VNV6|Y4qiGPLLCe2M(zpZh!fqOe7e_-+ zQ~1#T8+USR(t;89~H#HxFj+s8xa(#UetC##Dt9KWLQ;2o@)sjPg@521z<8fFE 
zzpb!5@Hgbr0ENQ>`nT0;X5O-sHaqc%{l)+z>wIs2%=M9x^>-PKED%ECBrnrexjItC zZj=6#EA2*R78GYstr)W-n69xqxm4))x9IjiLdM+PsR7XkHGo{^P4)MBFahjf9$_B9 z4kv|DMT9bm{_UWu?u$3}DgVO)gnlXgFETU5n4_e_bluxa?fA=dW~5fZLRd-s8=pn|_H9-$~g~kA2J+K5rQ-Q=4XPmHu~LfHCKSzH1|NEEu6%XBrU4Jy~nW zxv*2W0t(#e{7QO4?O-A7I-GecG(l`floq?rZ#R!5=f9j7U?~pQzvf`=XziWnpiBGL zYiQS1G>n-1GX^nmpDD_2i+Q0q+Nw4eY?>Ta%7bp7sY~2*wcg1rx~h$Cb|ia;QDJzF zIDp#xn%69*IqDuT;r*BiZJu?Ya#tClkTuENd3X0>>|mJv=}(8p;#RUa3UCFu_<4l2 zlK#7SgCvH975{!x7N+GVL@fJyB*BI;TPJ~z1&s0;fYwvT{~}6W5StS&jCaI+Es>^a z9DHZjZbR5q4c#n99C4{9Vr7euqXTP1gw~X($smXz35)EtoFro%ANMcE&vHE`D5gnZ zIbx=vbLg*ANZvme!=i7PQSyK0!iC0@*g^~4B57`n%ezLUt# zP+dsjrCXR$T{>Buf$F*y81^MJw}X{#cuQjnOO5B7k|9rsM!V&oUGy8tiLD*oJusCrTv$Zk4 zbvMOO?Xwp0pCo;bV$2<-NWwU0c7@;Jts3dtP_0BoMltQRKo@5nlJH??-bP9RURo+# zYQoX+?{Hz=jD~+Jm;YUPa#VKbv%o(i8c465O!@D1QiSML2Aj4WbEHW0hLRf^QAnBk zi0Q1_S8X_W^32%cSp^+(%k@t40{W19RZm%vDrvy}DGjwU!AdUeyVu5H)` zUjbJN7(rhcXZ>$e^1Z~NSO2x%|K5fcM10SXN_VZGVY5Q?9>zh5gR!eF`zHq?#a)DKn(vR`X@)}D$Mvz3}R znFXHlqs&09e-3|7-?1Qc+ABPW;WqRIv3wy1y+~h!(a};%U@*hnH78^<7@yiIX+GtU z=}(rbH;pjs`$eG_N=(K704 zlDoud(g=<*XW(WMoyZTD544s_j{X%h#@l%#xMTdS5A6*&&c%k5X6i-3rvN?AiYFHI zsFr6xt`{P!JCd@)o_um-34~wbH)GL*ssYdNaagNf14Zi5zwT-Ojhz4OFQgcTQn7^d z%IxTXJg}PF|8$nP`-Gbm@#{IE@mloFdn26riFM9K-3MSupwcYLYI$L9iG;%E4t1Ui zJxVK^ppteuu|t?H@9ew^^9b`Mw!*AMVV=KzXmDlOU&#eE6c=@bw!+5UmpzJR%Ib34 zNg?@FFM_MDE4kMsQ$9>o67@KPRSQB8bg$PK6rQk#b>qHkdJWU~Q zo-+gH{OKTjCxQAubGD&^R{YOE0FN7l$$yF_!d0O#4mm{({#s!#RxjRO%9#M^qPWi$ z26=Xij+q=g^*t$Ln_oQQ_)}rwjY*XCVNzSyLE(==5^ZjHREf(h#ORN21~mruO}Ftj zfz4J*IV>05Va;Dhew9NI$z9mjP$mlNbVM=q@%9T;fE3rtSY(?j-pE<)EZqV#jO5yovx*}6_ z_MJj25Z^T_ijV&dR?w!E3E0;4=cxF}&`uvev#R`+2Y#Zu<+FsAIl7~7LVpM7GR6ta z+*}HsUCSQ-nN5f2`Uxs~Y9kd+qcD)XXn5AOPIE^Xsx5*q#o_a9^raA}!kzYFUo2X( zMLa~e-;fB!J+R~%qod61w`~{3R0B*>Y1wH{st1tvbJ@F)MlESqg?vx5khxE0@tvfR zsO1sn59siYfS8{mlT5;@^$JeynL|*h!N0RrL1?OUK;0#rk;>8m!@yK}P)nYti_SPr zhrFwQ=CguDRiR@czx?k$ZH`+w-i(yq^$5RJwb|qme2zNO|55ho2s{JsqA{3YW?q>W^G#5XgTr6>N57Q* 
zrLoP3e15JT3(?tV$-*eS{+_=Msa|8tMjdg_1#5(B?{fAHmF7?H>~f0&|MxD@|>H3q8(8YT|K(t%s?61hQyN4Mba&t?t%=QTp^?Z+>b3z+TT4d2) zY~spy?~^k^v_sw+ZT}?wN==P}ab?3Eu|(;$_(9oydTizR%!4$AC2Zu8*Bd~l)sFC{ zv-&&AE_VZfqd4U6tFU6*G>vV2@#^!R1)~?yR33v@j%2v-xH;(szDN|6vz3&xi~PNa zrH|SJ$NimXZb`&$le7c0Z@*3pKYH32UCc4awC}}{ zm)ppVd$lZei>yn(Ex6gQDg%{d758QuraRP<8Y+6YVHL=+6VBRgb{aeR=Bc9_xg|*f ztb_S^8TKzyEKPQOLpC}mEpP{`RVJuJZ$);O8%u3Vi1)=8O-YSawwMw{ihN(A41R?S zi^0veWF5oZMFA#De6lA=ynBA@Uy++yZ!Qmtc1r*Hm39bbLNloFw2cQ1r{u;-6JI6L z%0Svk7fMQ~)$OW_zbz#Y8NlBYLiDhL@5_JD`S}@LfJvKU`=JnFuM%mNdG_agga93u zp=v`&Kj^#Clq>JfR46Kcy{MY=2xC#F9j~rj^k4pNi5M}Uioo=V*gjly*vb^lEbmbG zJztxF430Yx!a%W!4I0D%2C)`bO`3w(E<1O*ub-vsvS&jp3BT74bqw^b6+z|a2bdTk z##AWUQO;2%>QhOci!zp*YTqI#gG%>*a-5eSuEW_9N(M1X?RwL-r$${7IS#sD0VXVT zo2PC*c|I46WS)(hGC|&oG10RrUuu|QDlkvqmmqj)yAE`sDh)?=6k~33R%1nRgj)es z;g`t#JIoI?wA!zQ_n!IP2OGH83FQkdh<`Tn6m`CdNkELT+6+?}bW!aNtWQaUl3;ufsR z{b&58IaaWx?47QxpKon}EK!b$k2|c4TLXu`GFMZOMu_pZyQ=Y<68d7`z;24g1ZcGg zn-E4qa&4(IG{I)Yy?;K_dc@LxIFa6QQSR1^#Fj$O+(j&rm4Drgt3pY&OLVbl%qHS;<|J%Rv|#^J6-pM0yo-S#r^{vZy!YANj6O{noV$Y$ zUq2P_vBfGR{DN3;<0ZvT264JLfwC~8N{IPOWJZuno9r<2*Q-&B^?#TSpq8x(3$QG! 
zW^xAXPwS4xPJpKyykKc>+vzjXR6+V~{S1=b|D<_hwlGhH3(EOfE>@G)EmWoiw2kyXMVp<@$1ti z`kQI~WImy3AXLK6y zH7CJ|fn;maRRee>QtD=5c5^s0j?iNYR#Tt7$WAN7R@>*!0+6zv z&}h*4#zQF1YQFZxZqz8Y^sYT3mZC0=`W8$Q`+=@^!zcVuy2jb8Zd9OP8g%hpC2 zs2fF4h+*hKB-ACk8!uKUEAgd9Q8r!sm;r7_WFyT2Cr?Lv?`N@!AED0KcliUoim`e?a)=3!#NIGXL@O_DvstusQpFuWMe6%nlDKfN z{i!*7PL9(z&!mZ3Fre}>!0@x&s49?xR?8uv#_)044_XFaGRF&-1~hMKJ@V+=vDpXT&YyJPqEqx>kv_7+!xuc zN4U(6I4?3#Sr<0!9RiHSZu{%Z^M8fJ>AyE=f9sQwm(gT#1>+j{9oBW|Q3qy6soebP z>lKc!o1kPqs+OBonl=ZrkxKUub@l5#FGxi5-4cY9d$hOcg0+udWw(||PTX;)Yx^`Q z^?((T58fHlTETR9W7=ax8H82q6i!^r3Q7Ti@V_a!wPb*IJ9Z#rJRb@N4@t$5w$rQe zD#=-*fGNE&k3g&<8oG_LPA7#mXL4BhpKYIZJX7=lj2|>I;%P&=#}BV@7}`!+yb@=J zT+J^DuIi~yxNyH?cUAKw5pGMUXt&r0%*PL9<{UJVdua_{O;}75bM+Z z_rJ3Wt&_OwNhFE}J{>4CX5~&`>*{af`l>!@LJ*l{lWg{R!A}{WPRGogfBE4?DK%O4a)XjigDQSNmCt@HyRc@k$E0a) z9q`u_=;ObkX55mrrD>~X&Sb}wfyasXDc5mE!}jZVzR0_lTs{*$tFmxR$Q8oE8VmtM z@D*Y9co-_t{KXB%P_?p>NH~o@@jErN{n0V6Z4c-7$tW_j^X6jZ;AsRt-ye(fk1Ub z`+DOlr$?^vJEmoLSM&H<;VM)Q1#kK*#nT2B3d_bV0w&Whn~P)15|ZSSRkZm;;yI%iC9|K2|zc z4KX9!c9D{wrJH{w71cA9G25)AC}$jdPO+?s(NypOB(j@q{#it@Kp!iwx*ueud9Bvr zqBy?OIaGYnSTMr#M+20~2mjeeH&iTfweV3ud#L%glkqbn!r_^ep+O^OIw&+)6Zs=l zd3=6|g-N93^iO<17ib1HuNkb>I=0EMWG#C~*`dU~9blwJA$9o~w;aAYC$if>-sN+8 z!OE5ZYEmjLh?)l?+4P}ph3w4MRnAMHscaDdji?oCq|Vy zl_eRKn9CrKUkavuqII+D+nB{ZTZoLtM9#W5g0gu?^V*$0-d5bREC}*;#c4ny-#!J- zy7&Om?BVIgdGE=comVl3!4Gy*##h4EaDK6#x{ii!1foXPcHjHbB}BW8rsJYQGB_5gM)AR2$yeSJs@o zN;ndA?szLAmP4r6dkAPB*t!3j&HeZO;Q8ylQu7r&bD9b;6nT!YZ}vDcbcbdeD%lV# zu0uVX(mKV>oo3%_n0PrL#o8If<3Tj zZ~*uN?QWrgk^Tm4;{Qv!h76hmba3ndEBdVwyCSa24{D_;eX$+ML)r{@Tqg-8_Zh!uy~Gij{!&RU343R!IVTELjzZw*qUBA(xF8E>Fl z_|0^=dLoFgB5TXuQT50t3}=PYoD-QXhl3~w*JwAqC&X(JPZEcS(x#-lHALZLKWOgo zI7iifcDA}(dI&@;verqm8|kyqwD`r+oOB~->bwbH^V91(zrVw2+`^;%95n`UK$=kFtKXt!RM1(<0eSR5OD+R6ht_`sq|J*lDgqzGLC$V=Ik+ zObyFgH!qq3YK9APCUNg?e37G%$`)vs=Al~f()jQ}@-AgPa4qZgTJrw;a^+i(XQuBZ zU`;+MAE$n_s3|0AlQ)3(uN3bjdo54%9Wf^D3jP(lNCELyX~24RxT1>XiX`GT5h3ubGe?*GtRFFfNdGyyEHT%MOv$3#cqg5zw4A7+ 
zzhkks;UObZj~*^U2iQXy_R)lwh4zAU^BR{gT!TVXhafo}s&QmfDzI9R6-&ANY9dgA zD_3n%H=|{7Rn$X#MbW7fJXBK4!+;cAQEB%}X6UC8o4R2mncyzOLoF-NiL533{0%Gs7ez^)M)77WgPm}7w7|>HYmh0L8#K_3lSC^LnO;(;+L%uf zL$`P>^5fa{TEyNynp}6xPk`DqF5T@Kd9~7eVM9$a8^gw#B<6AyC4~U~Gkl`TyQ^f+ z@&s^E3Aln8W#YOsW(~#E;yU2LQ?BXmbn$OrxJ1AxI$Ugx)M}60bf^VvlY9AMqji~m zs(`&+NbLo4r^)Pd_`|c{+Swc*aKKF0_q0+xM>r{i4|;weP$Rko8IOnXX!3DjDX<$z z>V?4E+L?q7s9*Um8}Ip3kCc!I(eZn}tQinQ^LU#*wT$dBjiPPd=^EHqyYKyzNC8pk z#i7tevBx$%>hY*1vOx$_luZSz$vO5VVx`P+D_r=nM%$Gt+~2$>xlQ(7z_AUaP)@$(`?oWa=Vmr*Of^ktT4SN|T$&zy(M4+K z-}c?2JXkUE#-#Lg8qwSr*9xth>L`{Cc8@0~YYn(GCazg&n}7Y{9!8*Fypd$NKsdpZ zQ5S4GAAnNP=YQSLrAWHlQu4j9rOhoOpMUt4Hp0|iLbZ#^@5BpV=LH`eHiUALrnk@XC;FQU&<~qmyIT@VcZ`)yw6TFoK}-C> z)Ug~t!-AO7P)$zWNxOra=f?3bH|6UwaOoQ`hn;NAtDBsKA^Wmu+Alz&4lcRq#pv`H z73N%v`VIZ`1#d!p1)$+&$lPZL^=Wk zhPzk|Y6G*==vRaty*taQb)p-B=e9 zzpbleGbw&)dYo*ny2gU)H@2ff+E0ogG2uq{N!rq&X^D2GrqXrnHa>g_FN7%4)RA); z_s!g(eWz$6RJ8)W4E6Ah@)C@`VRW5B$@!+^YqJs1%3WP<>3XN^azT7n)ZyPK=njt` z(Rg%C5FiTnz}dwI=(FroUF2;XLWgQ|3p>WWIDq)GmqxKX#9Zt%2W1z96F zR;QR|Hf@y&9OPFv6WPWMPQD2l~H@*@#%5=ajv)_{j$DfI7q zuMZ1_G*Fm?jnSR$t(1p|yRO9wQARp4F{;Yda1oQu}08ctJkY_b8Ox3VOXl={G6K+|>U1K;K-fv)+ zn}O{2#2a5Sw+hLQjkBjpcaK34bD^6~uTIXCnOm!oRoHQiWryw;rcrdk9s9WL{rTlB z+$P+%bFGM_++iinkNVNHB!6FgKBXo0sRs56p54{rm2{eMRn-116`etR8RN;t&h$f~ zOJ17aD;#j!2$$oMJ-Uh4SX!%O5ca*pKkF#`N>tWpX+TWTj#Vv`3_{ooDJ`MF^^ew7 zymdKnnW*V^M%hiZ3v=InerSD6l%a`rXRXVJR0yE)jWy$(mAxYD2dvKvNP|cGYcx$n zU4FI~VM~QUcWXe26U9nRQw_&0yyy&&89uZV8Z1SVD71=bPnzK5E2O5PxoKP)U#zF^ zBE-%)K=>J2zN%(n-c7yJyYTA|Thv^tsOJF6ZZ(PcZ%NatT%2mY7;vkHhI|>dk8YK# z9B`{-pI;xL0U2U*SB*QYZ}?@p?i=h;)im}G2X=42PMW^fMa~9almiF?yraQusnpYw z_j6C9wq1})6;hd%)dXcd8N!@?x$i9l7%In;1gtXV2px=s}rwG5*4iu!LnkIL(4`J zQmgG;r&$!`-;>q*FjDGtcWDKypSXNhDM^f_jGP))a7pXY;PHZG^F$35MC5G{Oe zBbQ8BG_j^IwD?^%{`iY&3%UZ}i@Tr`Wsj|!K0sXGadU+Za0Nd0OJOd_NGM%C`l9FVp)o4y#QuY%If(U$gs_uLq^QW1>Q}@%in24=8b)=Ie$$o@$Ah1n@?Z zlPiEP$jx$>CNa~+TQ$-SqC$?V>O>ewc&@G7j5v<5!y6I0Gn7d^>N-{GDOoELJ43Xq 
z@80OCI35wdLrd4TOOxww+EvjCuml%DYa~tbgiMeg;~iEfZxo}oQdP|xKn^wOI3o&p zUGF7JFz`MF8)*j5$3_&()r&m*QgxrUe&?g(LbC4mjTE8`)<<(N0x&=&amUXG|lrw;;}^8;Jc)2{z2G9iDzCp(#}n%QU) z3lauNM(u>|^<-U?Q1Z1Mkj~)Dg5R0W+1jpiux{>^cSJHNvbxtV;LRK-v@%ene{_h0 z#K_?mV_F6y-cyx@+J`^g9ZD%dOXoB}ATxA|A7hkeurkyvz>qYbeCfN793v<`OO!>_ z{0m>{R|FBMO*n>x?yQ!%x%H|}3(m8AzgV;ilBA)k+#fjuF$o=J6z`mdQ_SRaGf3DL zd7FyRiDHklpB=_wB zuo9x#p+L-pTLiVU@8@Hl!+iXAv_@LUT2AWtav6c0Q8D|ZAaDiQd!x~Go{`=Z;23(f zXI&o)7p9oNF(e1RA^S}P9D_*~B-yyXgR{6XN1W+%lA`1s^Wg1*m91*%R1{Wr!s#Kh z(aK?JrTfxprIe*dq2}ck|0aV-Wb_d?|C7R;P%RWr9fTyCX$0CKlw?kbruwWFRl3$; zhYSbUwkIXsKKxrWRP2kyybiL8^gtbH*zgb8q%(XKvffQBG;^CnbIY5q^af)EP_f>z z?kAjRMZAPIM3~*Hz+Ps|jpib~nZ2M-BWPmXV?Rgmn*%ftcRjGON+|OE^^a4wNMvx7 zO#-xWSPQ;{KVF!5Po`2dN`b$0^=gS1km^jdtY;H z1MZnIwIfd<1_xYhET|2tlr0E2Qb@_T?asANfC<&hD)FJYYxOBj`+^lvX0@n^QUNS+ zSr3uYyy)+{Ls^_#zT;6}po;ifbo;61jE-oEx2Jc~V%;spIt_&%5P6Yeu#-D*SjBi0 z6tbTmfLDKYm^znERbW)QO0z0Fs2%qzaUqU+2F)V47NN6+;w7tOc@?2q`90voEAqfI zepdfp=$j@~GfgaIF5UTOa^Zgio4GibsYlcQ!`E9!MfpYV;xIG_5&|M!0z)YwB`wm; z3?N-1-Q9?wAl;2L!_Y{Vgfs|9cQ*(~*L?>+-`{WDb?>_W`K~4Jyyu*K_IdW+&wfrm zSve*d*Qaa`Gc^~poF^zyf$2pG`aPUpd_%}^RSDq-NFZ&N#&KjFk*=zcEgK8^J0T)mF(Wfg*uQ6c|y4>#uIhZ%CI{ zi>lUJpU+ILr@r^An^2b(wb_Ip7_I=dpTW`fTg|VIMRSe6wrW_>FH8+RiFGw_kj17) z>{#@}a4*tw31_htsF4eIe)2k3i>_n|KH`J$=|ZmFrFl)taby4mNnKrtFw;X)c@%L~ z2G3`~{>IFa1cQ5~d1?C~%~MKw?Hcz!mmPeRGdKFy;i3dQb9cs(Ef3>2I-y)-uz z676k8%G|R{BZ~U&g3OZ4(3xoaSg`B@OQZ^5_tiZ%XcT_MF5eerB~}of23kK*MafIz zm7*CBs%*K+j@oYdsg(BI4ttGRd-91>(9BXy_Ub3Rr|93foh*M1+ggv{I|mjqXQ@qU zIPNB}>&!YV^V=Aq6mI3x-RNRtjLS7GRI)O(lGeb5Elnbw%J%CrPQz5C?r)(E{>=C}Dr-9#`GtNaVRF ztM_sVx;!2{itXA7Z7Fb;xW7k>KY7vo#XjIWC@lYgvskBo5TIts1=8B#?x{WzQMBTpGIkf8R{AiUZqa@R?GU50;CvQ-^^D1L}^P}CkO zdSi;SB4~$}WhSs_5oh`xiLM%1?bOrZcGVmjBI2URnEl??hA34E@|byCmkdk6K!Yr9 zRFL-twTJ2j48X>jQP{%yi{D}uNBr&39)B(=eU<;H__^8E~j8S|-bWdn_@^t#Z z>n2nxxRv>s7z&9ZI7(8De;MhNFelAJm`1-v8f|&wE4X+8RmMk>=J=igg8GC6ywbG} z?JjcoeQKf&%G-i^!Cb9o7w-agUo6mc7H~&uYh?H@H5h-%oaZk}k{Zvu^b_#>zGcyc 
zxaw4&^gpH-79uZ0n_Ov0uQvvNR~n}O{J6CzN-B3nf~(t?pf2(J`i9*J zZi@kLC=e(SeCB$Tp66rMqe)M}Yvx^dw^hC(!((TOKM0zdKW1qBOH2Kkb}L9d2rC*0 zph83h3wW%-hn#ZynxE`dwUuD`g<+ObiVV4#gWwfhefgl{rqW>h!J}tFsA4Wpv^56u zR?Y$Ea#;vC7jIpc|Cr+W2nWjYIbm6Ogm>@{n%vP}T^A{}a9e*fD;0FDjc2phJtKux zJBDRJKIIVuZ8S~UC;sB?k1Q6aw)lpM)!II}cLaT}8l!R4IYW83|7AnZrJVPAK*0lD zV?>f68z{EmBB?qh@uIzeL>`N{ZWp6nm_GlNWCeZ}q#w29BVytwD2*Sa^rEYY<)mDe zucdo{M*XL>7+|P$+~YRKQpg+U6(gv60CHqEHuS{R(-1FezgI?=zMScD6iK*x`Qnye zPXkFq8VTmk&b6u#0**RFpvH4nvEc{ma{wyh@XJ!su1+qsAYq^2DcFIr#`X0-%Uj95 zs^Ahka76vFBkae|E{UOv&M#SRxl*L{C)A9abb|H}`;R4W%TKF$z?r`7H%lU|E}M^bfPhi=?RU~YC!7$dyu|du zTr?K|2mEGswQU(q%%h!1c5@h5`HGo^IVX>#d?_g9w#bE=N2FHKNc{uSB#uI*r_pqG z@tt^*rs@i=Cc2@%jVQAn0pl8F{ddU?goYLfVHgG%2Fj4%yKBTUr65VKjkEiaDUe!wc$e)d2Fgc*`m4JJ& z`_)t*_rfM$LtfgIxh?f>N=?Ldmmba~{+qch6!lVC?&{+3P5-6)8EP^??GyPcy7{Yy zC4Jf#FBpBMf(6ufQu-pS%xd2ER*ur~Uu@-q-Ds<+lfCOla{pbK8aj3o0!i9n1% zm&?2_?r()WwcJ%OGA9-;orik#C~yMg*?2fvc9(uI6bt~D%`#%jnQOL65sR~A=6WZ; zf1MCT_{L)?cL#|g@8b@p-0jrsYz!m_g0sm`iikYFkFq};0zFm_k>~LP^#7SbU<6su zV@A<6V2U{APKGR~OZr3D{UO4H$ELnWaRHij4!IwVI3&V=8iRY6+Dr2^rH{}Mb`bUg z&AX*gJ&f_e7fzF}B@4)b21|Q6ZSk$WQFAjzfv@!p9+MiJY2bn!TNV%)U8A<6WCf!- zbS+(K>B(|{;Qo8t!Kz!Cpxh?gOT+p_-KL+vq`p6jvg9b$*<=XVZrboh(g?~&Vcs>7 z5d>PF0pS?as0KtzCn*Kd5|W=PBL9$4YC_a~57_HVEe=YGT;2|W`O+YYY86Iwa0#-d zF?;C#ZnQl~8|(|KsaZF^#>**p;p5UNo2Y=<1bU`30cbCc(-%zm(+Q=?@t1Ql#~W(W zmQOy{<wR0A-^{@S~)Ko-G5LKj7}inpk$Kw@-rPF4(7W7PPfm2HC8EdJDD zLc?-`JM*la4P2aKU~^Q+7Ub0jK3zQ(nl_}l`b=#Lh7moHspV3*kZaW2( zWGtI`+4sV^jm34_r06{ZYPuNMWAZmm8Vk@t>TC1kt!7(1#wuz?C2^6P8!UE}T`1W-LLDyWB!3i<_4AJX|52s-H7<_U}E z`-827McR@v+$=d9z3qC4QHSBAoYen@EcYP)j$6F9s zBuSVTx`V+45z>WVH=KH^qm7mUd*iPaT>4?#(=Z__;za%Y2Mo@NPF9L!FnwRyW(^xS zsX1hMs@Fp&IPZKKN;Ws29$OBsg}(F~3g#filK^~g)J*=d`O%nne!g=O2aGuv7D687 z9~!W|cc6*w25I^sAH@MKE;hiS@C{Lw8(@Rw_-pKmzz~JW_fQ~r&Rtwf^^ZIY2Xdru zCphMFi6(gm(|KLu02+eHM-6K@k+};k1!wf}6FYJv;yxrd7ugT|=V_4oszA@@2=7IS z25)mt_#6L?Eot3{)rwB8D)5yq z#PAAOv6PnJ28@RlJC=A@u>oMkD)P_N3N&a#dL z94CvM$$V@B^qlJdbkUQO|u4nAD!~U#OSc``x>o#lu)v= 
zV?%%3hq2Q8!^nPYuYWqy(}3Td(!NO7yM4MoDG(Up`$!%kFmp!t%V5y=3)~;*jT`t1 z_=xv!&4vF3)!Jpi)`A)u6*k-NkXf@>=?Uo_*d?nyTJ61 z87lm-89LmU=8B1fn(O3xmZ@LC@W>g1`-9dB5l%iAz$i_f-A(XX51h%GYc6>coJ~7u zr@bCMS@x%|hNNI`*P)MITF>!>a8Y|!QM1^6xaAM(=`SZO(s=bPgnoz zw2DebK#KvF5$%5zDhC7!p^h>6EXY~0fPEQ$0JQwYRl0oN!knTxxLSE>9^X1f-#q+X z?p`Sl`8_5)TZOt6C}o4HvjJwwD#ztQ7~|N)p|CxOUCjTOG=rIZRx=-|*xf12t^K!| zq`KIGpF!7G^EKU_nk_$ZJb zMXq~WoH?BG3gyOvjj?d&jo1|ye<2=s70C5Ta?-17^ z_B*LiuC+~xhQWfVVf=XZ;G_VZ&v32mVuTXbV>6}q5Mn_mpX&|Z>9KVly?WT63!1)_ zDIY7r)gjGCNlJdnnDCWB_Jw-ijZpFWauI%3AkgQf@;D_tgj0A4?v@S@>Y-s)Z)Y1z zi*Bg$CIp9n>~mxz)bAo^TV377lE3x#*C;@z3)lt<_7irA;){RvtsFHSgt;L!hy-W+ z^lnbozl@*>!ehLYkFNZ(m6ET}M>Zc_@{5+($}-ndJ(iz5wDYGR*&_qZPHkQ>^KrxX zamer5n=JA)7pg~19P_qfmhSKEr7NsOUWu5%>cI^6?)(0)?R(fo7truYx#6SroOj;_ z>H_NY_NK;{ql7Y9i299A=l2=&e{Y7fzQ#1fqgSaH)3isSS zFkP=YLX(C3{Pvf$C-F{7Y;|_Oq#C&lf-;+6)8<3n9~s|kuiqbV26}ah)KF&(TP1p| zJDQq}OIR%|)EeohMiM_WPv!M>w#r0CnOMTT7xGo-wFoBGWA_V+dF!g2iv^oc1nw@AyRc)3F)`oJ&w6;3=BB&x1 zIH_#@&;{7`6$qb9e&%LWplqiMCH-a*ilQus?Mbx3`pLV-wdh_+uLTcG^3vVv2<9Gk zMST4TaaOqLXT2V&x6-in%aQ;`37@$5Q=?P(9eg=yd$I0 z5T$s6$`1&~bjT*c#iK4w{CQCPSrZ43`sH4477=mOW4!2pmO016V1)#^vma%@ZlpwC z0a^n`juyQ_*J^tlS7<&ol5@NSC3^aoEK;#?ap0i~x30DmICb2N3=*q-PCe+|Ai;rS z{)B=+&15u@X5ou-YJugOAe4ZG$X^#7c5issn6w^AOit2I?&L7*tqF+O zcZT1vlN;)(*tQ*A|7lhhh1&Ylbo1Hn@NF)mC``?)1Qrh=W4;8}iqi}3iyX<+SL0?P zTeDoR|DrSt2YD+#Wj*aUl$Vs9(p3)9Xrh|_OtV0vaf$-rIW?e2Xj@W{5&nRLED(@xCO7>%C6EJ6`KvBiK4_D8j1#TxLdI2`6591vEns=~ zOlC2`mCU_DJrL!NWnU;=xw3sCQxHuhsN5leqb!^ampd1`p(Znc&Kwbk%uFivFs`D(pRR?J#a-F=4=@!>bbho@M}zLooDcERw{vwfE#rq#lCF3MqtrMoah`3CgsNVyJvTM`;c#Z# zCb)59&j5mNxf@YURu$+S@0YB8Jl;OOy0f}car}_j>cO*;P~|_~c-ZA&ELVy7Tnpqu z-6!lP_-#(zZ_r5{*}OW3nwHql@8ViflUDBwG4pL0-&S_^?C{6MVS=Vy7Z3b6Jj?+# zQ3)_e-S*+a)nmjpsFxK(o(T_Uq=HU>b2~1MR(M2kp3`Q>@o1|b&w)42o@@P8SY%jL zE@66rwFL$=oLrxtwB@AuxTkxv|AYPeG}iU7iQb<=ca)o=V4K-PA_Kcr4Gw)yNIxg3 zfkEo)^Km{o!(6|a-CoLECq;EG@%b;RZRlPK+j4C%MW@c@tiK9mhMAh^D(F-95{;-= z<{MWEuCng2SM2;=4GyuF(IKoqZF#m)uMUb;1%thy30Ut8>EqihvpYhZ?wOIs-y*@z 
zf0%XRZ#3Fch!vjHe>+#!=ZLv}Od5e)%+Bm&f~B`tXI3;Ehjx5@BOnb9AQr-_yg3Y0 zPU!WG6V9;WNeEgCXQpIGGp54tFEb87+r4Oh;~zgR`=Tc8g{z;lLB;Pwy>n=?9g)_{ zu+PuBBczzUnob&!Jun$R-QSH~cvqU1vCfNd6Vp&Ib~0qGm~i;kYHf5&(^Ej4wYtci zA06}h+p+|%j(v1hU+{V|ZSAaqE7h;aeFArZ0@EIa*dTf8dh-vrT8lA2rT>Qu020U* z6I>2PgI`4+#vRueuk{Wa&?65|8+E#n>ND*wIMqH%n_^tY;ZP7Ne|HqD+;?NOn5m0 zearGrffxa24s9%BPd=HzU%fX$i}wFsf#ncDD+wP#jKfsFoQOBL}cqwrWV2v@h;G* z*(>igqX}iLetEcThxk1&(eY((^gEjln%MIu&vQ~7cC)^{yd*9c*i&nQOTfy~=%sM_ zzmA1|6oB~X%;wqYgp@P9P{&9YcGe`wPP3x$k6k%jqFCW4E%y|XJD9qSKwkY~s>KL` zx1fiNQ`CtqxKUGRZaO#&JTI@Lfco8QB=1RnzBKIs1s%CMmVosrM>17Dh+V5CV zVmGrK9_u&!Z_8G)GLrSrU^1Tt)eTz>t`o z`)L4j=3n}%4MfuEYp+WRM|944q?`yllQyPkQR%@e?ceNCYHz)!Zjdovc%&UY{ zZ7*!LMehhHRL_$R?cDFrb3NDNSLHxB$o-`^?UJM4uN|f@?Wms>q(f??|4e+p##*k? zyq%}Vw0_(Zh8cS(aN#ZSu6y>we&&7H@3Lmq8t>akia&d8ZldRK{3gH3%T#ae=Cj`v4sj=!8V*H1GYz7ygi z>C{_(uC*=6FVwIsOzEKK5SLRt#b-wqC4rQvWq8`5bDfK#gbR9RrHkh8bluev^SNWk z(HZLo5WQD=O*Lo)e^=CMg<-VAR4YOszlkV9IwZEcmfLVCTA*|)n$J*#Ss8yF|}@q2Nf&al_+@IR%mOSZmrbT(J`}HN-|%Xyn1&tN!7wYAW<qwcjH!T;Wo+LtUcr5&y@kLM|7U$dhH36I8nnY-4ppL?`t}>e&HiNfd$(`>QnP0}sc!vA&dq{@__Z8m8sBnfrduaAa2HO$U!F z`C5j;ztgD|-VVK1B57)F#E~&Wyy?fi8`ne*g9$vEGQ@@u778d@=?AiCwBwg;D&gfW3+2AnC&}ffU;5=khFa;QLrZoK-LpphlQ{LcKfIg2_qL1PL$8CO z!Hqt<3$^|3vbX6<=z1yoMP<7d1KSKU{dg*XgUpZ^$Hvu#UxDd$%Jfs7p{4>Y{Mdhs z2x1*NiPZF1!)0x9MCH4C^Ev8|TDsNUlgPwyv`yCXz9G_=4S%&(x-kNNQ{3p6v^{f5 z-wt%1UXcXf9aQcz%ztLv%~6k;BqK)5POP;PR&eP;9M?INjk7E__%A~kx_2XK1KJq8-ze+K<6e-ek`uGGgEWW*X zah#FpdogKpsX^L&ZlKtkSzC){<{K%`nWj8{ohg+t{-+KSjsb@@pB|bXMWsqbfuiMbe^#3$LMu;jl+yA5>?GZX^sxg-;-kVnspgS{gty>{4OTRIGdkLGqQ3Q7RQwdJ6u$&(&=e0A z(8WOZ?GaA3B}YB5nXGyb5n;nv0~*mUZJ(8B1M16t{tm9dpHTxyR|3^v z*za?!_QH|Was3~mVg{+A+Oe%)b*@W3ciK9~G-blib=vJnY?BSXJ$1)k8#3=(qx&F8 zpmj8b>W=#UM(!MUc^t=v<8s`$tv%_66Aik3RU&umOX;tYcQMb>o`c?MFc?o;)grID zqZ#lXH8va|MA@sn{FSM4^^~jd;@Yix*a-Byglp#au-17YqOTl5((u-C5H@(o-sTqq zi~IA9;kffQb?;8?qD5s^!;;e`+Vc_!XX88={pv0T2bejx#AsF3~&d zD#C_r%_sOQCSU$eCdrN%2fo#k;xtWeI+RyN8k|hJbh%8E268_LFu1P@x}nNZdu`~l 
zY-1q4FmAQpW_LG@`n{WcV9A(C5=ZMhZKLI+vPg2=v8&q`xX+}h{2lg`$qJbA&k;VtiA(!PEo)IuHC|Hb? z*oa>Ih0rzcw_In&szOVN{HC}i@B)qhGtwkH&G{CNMhcWHL99A*9JVU8r|H!IrZj~E z>0d5a3uog8h-sPt+72Qo3W%TAW|+KLjeXvBvwnZ^R1TFo;fK1{Pp+Kjf^b-(Ua;6P zbvFGH5LQKsyjH4Xto4>5>F@yN!kEvVBwlv>xZi9c-j8nlVy5P_wsKcgRG6jw-Dv`6 z&m8N5Wkknnx|IU4mV?qGElvwvIxpWdvY?*D%!DvnAmUBH+WeywM)JlGa&(McA#DWd zA&UE+)3lLvp%yd`EvyK|Z!=3CJ0rgud}>6pWCgvFn3%IUGIDH(tEx=RJ{e z7kNO`Qy`OnY2!RL(&hHle}`F4UMSdxd2w8=72eG3yz>94LdX}u0Na4ISp(5a-Almy zUURz7ips5CX?}}4K*@jef`nfY73#$4l>_&j73~Qy@X=O!eH81!WpndOIk(cIBe$(@ zrYjN?A_KDIsO^7w*@^JT!q5d{>=*G|+kC5Rte(RDjT$xJQ5k_~ysPi$!B)Zow} zO1NQkH0Sl$Msc>Xz)5lJ)i%YP!?Jf9I1V|X1fCGsE<L+WiR{Wdaq? zKqh;n4zDB9yjQvb#BM;QUT3jt^?*$yvK^;SS0l*_2qniz7jHzSkHc%j3U)iEYE0T- zo~5tPdgTYtCtD92)v9(ZJ#NNQ8Meq?EIMiO^g#Ts%P#?~OYf2k)jRX>4b6FuFgx!u z>*niW)1|2)mUz@s_c3#o_KSkb6AU*RgWZa1efDkLv1+B)-L3~P_Lz1L#yX|pwbD;F zv_~0KF=C02*J0&?K$;y0j0_3UD3<1=*iKP$jim=K*Q4A1<}sfZOTUUo5e?(J7?l9J zTwYLefKkt@iWgO#Ppu?lQ36^2#a9FQh*F5Uk8sUHZVhOT0KETeLn({WtGSPAT0)QY z&hLoy&JQTmt?0@t8$;LnhDDhp+6e`&ez_6kFIe{7Xo20A_zbv{H36i~9k5ToH3h(e zd+B!M$ZDD@%iP_#DZNi>VQ}UIRI2}=UXlrc>xk<3-O4Sq?3`8L@U5h9C4kaj)vns4RqOj9udkA<+941E!)fBoMgtK2ZO_;hWUiS0#cP^ws!MUX z(lqB%3%TcoLjUP&elA98Jd1xLf4f7F(TXa*{Yb$;i|S3AueVrNX>@=p61cALVoS_W zuw#^L!4Eahw|PN!2gL>Vfp(q52%Lt4F@HR@9vo(+B9KxE@AZeA3?3$KXx_(LUtZ~$ zE&;c{2N3(Ih}gxm`E?ZJS}&m4=UymowxYD&!7k7R&Grqv_s#%S^&lnqRxfKz(>v_x=wCcow1BbJfI_Z(`Szr7nwUg^zj~(Jw>_v59 zdT?olpts2H6_d-IMUY?{@t;fu^fZ`HO{Nh|)a5BjKzyBtJ~DXpL|20(%a~6g0qGy7 zfkqusxhP`IIRRuNfOxwDQMoX}i3!{WDi>mJ=KpcF0ntb-()jU_vKn^{5_;xzBcKFQ z>=<%nBzuE`fm|4jVk~#tfS=?`!RQ;ZoNHWUK&lIQ_9ZbNZEPL}Y`{LmZ#c@jggkuc z8eo2Wj&^!3io?zMuc{|u4RBdGjzWAllcFhIS1eqNu0~aK5z8)BDWM3`$n3 z8Xnxz?T{6LRMDO$9Ymn#164Gvp(5g~t=dN%u=<|7lmV%(HfQRkxDXG3V4VK;F3v%9 z`3InLTa2g|0EjpoQC9m2854Nu?R|lRAQ+>KjCsrGjrF3rPLlRExs?!VDn_HCd#?y^ z(R_=};_uT{YpRymlfokt;AJlGYtjrvDd&14Jx;7RdeQJ6%OjAhu2BahEFzY#ic}=Q z(pV0)wr#AQ_tNmpjEGBc)M|rmei>V33L>PD{-h(Psgb;S+Wd>Qq?JEuqgcWXQMmwU 
z+pz)L%$p{Lo{T{GW284S&sQF)$nt5Dh%8(K31Duj9F2tR70DPjpm2a2s~^uYAi3xL z3)iiI>KdTFnDtM6F@Q`BXuWxaCHygDgg2bCrg@4bOr%;#H{N!8&Re2^T8KU8B`*(J z1jxdD(70&kHv@e)`r5_4*ED}7wk`nTFZ&txaQjB=4xeIFx-)1heq+07d)CGjx9RPX zimF{jgaSYF-Px`qs!S9dJel)1mp)veT~P1fc8}lshOo7G>|avrL18e|C>Z|Z4doH> z?@yvE2>?)kT(p9_njQLH)gxMH9G%$(6AzqlRk2pKSl|zi-_5;7D4hI1x{1R%wddJ! z^3GB`Mz0l$t8dSGavO#KhAtWI*AyEGN#rS~M4w$2+)<#Z~oq%Iu3R#jqA&Kiv7$TV- z@-g(smZWb(Azf6cwg&qJA9BJ!WeG=ZAX!`A)Zl6RVEMTS>I2IYZb{cXKqZDY!S_9V zWkH(bpUfIE{P?XUrv%?KLaejvwXIs$EH->zA*@Hm4E9_h@yO6JRN(TQ78Wd1iwDh$ z9$mC4feEuP=L1&MTo@-_PA4b8ZRK6HLX*2+!EGoE%wax3$y&)FLRiDgupP{nvrFrC zoBzz36Jgeg@e?Nx?L~$u2(!-jC%bUg8>=GiQr(U*%WUXeQ>Sdb&db#-Ir=`R<^qXD zy}BK3%~M2w{1=cm1k$Lni)I;*wO;aBjZp4(>W8LIH0sBR)$(n7Y!e~Ywi$aWn%4|1 zKM|xh$b!==hnmkF1|u-@1IQv(GgCMPPxLefaxBRz`vVSuGEF*Q&hZHhF_o7)^>DJV4v{=jEKV_$QL*{hcNkL4g z`vVOdJrjo62fwmMO;Zlgns_vLLsTNKZCll})$I7!Nv^3vX`*?EK%wD-R?dqtd zsQ=NF27l`txm4CXdx!cboNPp1-z3}1)t!Yu)0{I6JEKF|0N`t6*I zm;-LKt(us|KRXPtFjPQKt35x5TK;z9hbn|i)=;pj5VS0lOzl*lMDMplQ&o6H;Ycxm zi_ZJPXT~Z==%Jvdfheez7H7mi9QrJX?)yH*^i#?mU|LZJzP&rUl<%56h^Akh%BbW8 zi#4lkhsqWC=~ZouxZhwjnlfN#J!i#&1HSs%;x9Hm<@AK1MN0W;U1w>8r>q0v#a$7o z5TmG!@O}q;5UNH$Oj1pqf{@9V%C1d|MFc&6b>#5-x7f`22TMSqyt_ft5_~v*RnUe2 zyvEur@!u06V)i7s%*Nj~#@QFQsTv-`2r2W5VWxMD z98pyK`7=3`m`sD^f$~;I7?Yp9l!_>>ClfopJefy2wpPk{CWp6fC<&(7rT`#ny@N@I0ywihpA zyJ~w^b-(Hl&6%NNJNG3x{rca45&NYS_|?Dd576#^ry2e<;2^j3PPzB|$Zs`2T3aGH zb0|z_w3z(F6g_Klu|Wp*>QzL41FYUQ0}wjE*H&-Fv|bcF5O_^EuXS>7{T=^Z`duap zrs3gh&hiy>MLT_PJUMypt($c2X3+$^;iq%ugJ*g;@3OEJAb`J8hbU$K1I`%;hVeOx z?xgcEugk=fzNT5IoRP_wpeAv#LJ=%n^iI`-gcZj1=VCsFnu*mnH(6h=2%sO0oTkhc zgf!)PkL6C%qHk{rw@&1qmNJ{?;gCVcjX7O=mijTB@27pMAAgM_Ne8Z&$gKKXez{7X z+on$wayY~Bqoq?G-{}xG&iw#M9x4F=-iW5r7I<|=!GrmZ0X;E4dC&&h3IMO*rMmSQ zHl@P3zPr<@r^!%5*BBHGTCpKdXkn-1sxHI$WzjAYB?NI$rOZ%g{p2M7C~M{Uw{J9D zh3I*HUImX1cBsyCPmoz{bzRUvQv_2Yb+v$V>0Wr$l;SKmT`K0Hs&&v(Z;&Cl9^+LL zZ~A+CfCaaA(v~7hI&+23QiIlfCxHIbai@dk-2VF=)0UGRUovr~ zwn!U}%p%DhhllmjEK`rqT7-hX5rL4bLgtJJSB9b0OV4-XoWBu>%|;F@F>Q_JMv 
zr@OBzknwfOdco+}Y+J8cQ(c#9!%T>tA&W>y+&SKUZkpPN!-%XK^bQ-TKg`hl(e>GK z-s>@O%7GWVq-%1Wo?K^WRqPk1wdVj)hs2;ztmS@%tT3T;b=UVF?-K*@F&*Gt0l>ik z#t%Y#j9BNR*-xbw!R()vqyg>cw&Fzhb$};hwBWn>SyANJzN^{=<{Yw4RTt25qfpfJ zdwGD_kl4=lNXh-B;JME>F$y3ZrsG@Z^d4C?+bQi#VjJ(@z?~4kb%~bsPlj168#s4l zG>Z17l@KlAa^@+m*xrZ41f)e*HTOtt$ggTb z@^ptRy~c*aaQimPp2Za?HLM*G*~o^Nc8sFohDPyoZ?~FB?ld6ENZ4uFj`Hi z9-YTdp7xdEh0I+lBx}ufQC)@kF>@aPm)Q${pzkVD|y^8#48p#dIh&O&`F3yk3$dZDOH?Zhye`>85O6Y6UApTl04P zpIR9;P#lPVTnyhtI&S5$^ew=d_Svo=EQ$aUpRp9~JL%U)Us?0DF)z&ZA$uB2PGXI6v>h#a26PXc z6vf(ZBdK5;-xGCAYqy-|?PBDiitVe4!8okDH*G&Wddh!3PfGu%jBHb(d*a2$(8=~G ziHwP?maXm{k%7vZ9aTx20EvQNH|>ozUAZyGRAMP*l!S(!i2D?KL6*6stc*U|tzOcw zC^F5#M-mF%$j7>`t%nL=_8JGmT9}4Vn$+^Uxx2^y35y=IRqcOHNudw;!5P6+n#bO~ z`?p645Zvq@iJxh~r546kmQJ&IrrLQ=*qMnO(j3B3JzsM*l_}roWpujc>Hz)y%!Z#z z9wVXNo=Os^yh;2;4s~B=;w0_84e1UkW5R~>qoD`iV;L$pJz~AP0ZPDq5oa=QL-O+tf)|BE z3z&s#A_d*9Um0Dp)HFVxRen_q)FoEqQGd=xlrlCX8V|>JSNy$V*zj{~%%#JOG{YWNLIe3XC=KRst=~Z@s2E@u1&{;FGM<-kZtM>C-&7$aC>qfO*Il->PRn@ zU$qmt>;0(1ZrgE1DyBkei+rui5%7nM=91mNPc7*1{_+qUTNmi8{x5zv01mO~)?iQc zhof!aGZ1dRf3ra*{JC`da{W0RtOsF)XbwcT=Nng4K*)nzC+Tm8-DDQe@UZYMhFj_9 zC5UCz0(25Q*C|Oo*Cv@MuLa~r`7wPC8Y&j+qD5-zz2~UZ(cls1v+HA#;fv?g$o3Zbf* z|ANPJey%Eai+bE2&Td<->1_pYfV)4tj$5aU;>DEM&J~VhMhE}d4sg0?na#&+2R%F{ zQ39qk5OJ{m8dkbpKhADH{Rj?QK-J)`qo zZA^;mMl5f>nC`hFsqA-e`diMunlN(NnCiikjGj!1s%`v|)|*g}j7fF%iy&3f}2@?$wQke4(71`812lf(fH zib#f#`w7?W*$IvSUl*uZZ(fGWSQ9`<22Cip?f)GtSrzX$bGrGt|0K1wlSqNM+;b;R z{$SeG*3b+sNYtgBan85$h!8X-fC>Mg)U+CKq?F@~!Wx_~7F|QR?rtEdy-@#i7V4$& zOQ2(n8dYpJSduMhuEfKP*5f|dNR~t^{c!5=O)_m&5#}i7Z?=%}a|5=7?ubm5RDe3+ z(%K?u1dKrD8-NSdnDY?k=+u{$v>JEnf#Meec*~jQ%t{P+SZ3#@GH`GpM00F$0vie159A( za;e+uy+tTS;h#<|ovyl>0*HLD_ODkrj?o%~t~yq346v0_H`Of0ZTPG$W5*q(3#8&8 zKNdxCPhu+gEm#N9?hQ|_?j_XZ+Y3z zc9Ls?-oHc@uJIngetVD9cQBvDA$oo>y>7dQ^uYyl z?e%*cpvW>%jtvs?SqeB>|2)w3PMtcavDc{j?zyg^&d9eza-E+-74WQU(*WYgTVaY+ zjuLk==)M15=|*2x(|L;=3gx&_9w*L&AL+bogu`G!d_BtgkW4{_06jg-bNpp*v}*%O zw}Ti_Qo--kIKFER#jXI9-Ud44-5=k?P@y*a_@aU+p?B+XE|Z?G6sNFt%t_ns7Z;Md 
z-+E@A-!AJ?IP!NmdF)$0j%j4wO<*hG5PG{x5};b(@(yD=;BJJ+75g{ZTwAz~km55T zaTOlil%FqEs7ojtEk^RC2&$EyQI}KdR5J7@z~ie)>vbJHGCS&(&pZ}r&nXV@>Yau+ z1JLIvhnfx#&pj4yB@MhY4~Lad*r1JpBh?X)e2tlCZb_-b`wfJnW0ZY3nKy0u*AEV@ z?5_Ejc5aY%ijb2wXDO>?n(+!4>DBT>CLa_zGS4`OnB9FrU9+b;^mgP zetB?W5Pl&EG6i&;ZqSDY2^o`zAGtFe-Oez2eQb<8tB^L&NjDub94Tk0kPh(_%!0g% zN$A-vuDlx!%+*u}L%%_J7h8j_W=0MzrmhUL@M~HqSov>4stYK3Gta zn>)^o@ItR5#g`ChwGR_P0Y1CUQ%GgBT3wePw3y{-vwENNf*1YA->s@>kO|uco}$ zY>j;qQ}<#gO}?kog@QkIhqir0b^rF!hj7&%rE1hpmjuSoU)QF2*$FYx4oS^9%5;^T zhcl%slr7%$XT_?&|6~X;xX07RMWs=pM#YEkJH)}n2cGIyOM~-02RF4F;x+U(`o8<<%xRcs4K&q z4&}=$cazk&Pznf*OTn$7T+6xgY#(m@($D)Ff)frWd{K*ytr{EF1V^jJb(UNvAFGgaoC05_IsvKy0b0>YY_K(tu~Ob zx6XF;yi#!7mKeUbu%Uasbc^NT%+E?|r=Q(-T>>e)8FunbjwI;>v!WLJ+^R2k08s*g3Xc)o4%jVT=rJrxn9(<|^S3xgbe4Kh%#*jbnAWn*H@ zY^D8FfA_986k(sh-vRF#BLLphkWfjBc#fy_uTv!}1wLAMd;n%5zU?<@wEcRT-L|#c zLYgBZ{tvm(5G=3Gdea^{ek`!QfbWllig;D^b7a)wi9MmlVBopj4)mG)`YrU_;KOOg zRivwcF=R<&*rfuT9ACmWVS0igh+g+p5)QjANJ5i9d;{<|zu>@fr+ly4!$EvgGFEj% zo$C8E7l(T2fyH&SKRwhX{eal5JE9649lfQqTWM=N-Xu``6a^lJ5ij*H5X4JjfS0_h z+_!!Pyrk_8tGcqT!tY)9Q8;wJ$e;@>gj=rO1-2`gw1A4l&k_`qFz}KldcT@{s%RRI zKlRan@;m#PyPJD$*Wm(*rjA8U$@Km!+4nOHrQh~R<|1tS>CqqN>^q&mA%yjKjui2w z9|=A{9CCilRF|#S7%Sg~H0B=G8*O_^x7G={r9rmgokKQ#S7A6YY2iJtHP!bOi=@^f zj{>lX?6)lv_rVIuV&mVK&ce}89ATWStHRm>gnhD!Wfx91AqM#;V3i`7c(nja+Lag_ za;oIf$@p>|I!_oS+P|eML<8phoyukgVgjEul5(=3g#*^Jbc7dX~{zQVnL-k)&SgOWo(tU=U|K&Max5R%z8b7S7Aw)N> zLQ}R9*HGx`0=T9(u>hJ3jLqaas#vN zd4Om25g5ISH0nF4xkCCiVgotWztuj>G{PHj&ktg+_0Y`Y)9*-AH7a(laR^%}683pa z{E7Xh>co3dXJ%$PXA>sdoN?tfUs{SuUk`}8jJ^R=UhW=k@`^QItXG0nx->qAn!lMK z;z*u8E|ghMC{m2HW|)7Lr6i)$8@}}MVXLS(fiR)GcE~sn`{pU?JMp;>UzOtQ;s+PT z&VJx^YZH6Ra2GdtqgBX#FS>~P0&ybDoQv^J8AIwnf8&t%kr0@9wER>Vv$B!Ww6vW` z)z*Wwua<_MVvDTMd{J$c2B+-I`oiA=F5*sw15z#!ry}Dks{d^6g9h;1;WGjgxPT32 z^`WNd%@uMDHPq>Gpa15YVrd?JB)_%ndxVN(91pR!RDaddTDa<;8ly}L9q;-$l^yoS zlBU7zezwThhth-TqoqW;1``jDkJ$aeh}fyI*(NB7-^@dUym!9MIWkuEdxAaACVKT2 zN>|N;iO~Wp@Z1`#gIEz2EYKjEtwx|Gy>8Y2s_nZUno7FAUF)i=YkAOJSuAvdKmvp+ 
zMHHm>P(uqO2uN?zMMMPzq=Y8DhJ@awgMf4t2uKm6OAwIW<$E)6%liks{E&O^%$YOo zl+QVHNpw9Z^s46MVx~*(>$`s>GifR55~rt=Sy(; zw72ZH#NQ#tJMAp}6?0uXtlf~)Jut~X!${S)UFHWP2U=5UJ*I#Tn8ym=BTwlPn+DOe58Rm zB-;6d`WzV`$rnhEmFg>qwkS(1`+YlOZrG4*mPBNzy=z zPQ_conKbW_-aOy=d%leU-lo^0Z1Qc+DUOqRT~fzGWJ`&@^U;E%4tEnYBPi)-vNU)8 z?v+ah>b3b=w+nTt|B93>4xm3Z^FeXkDl>6+7nLKzcUw&5w?I)Hp>rQ#;-qdE9SK9p zX=iE8vCNz+H{8Vd&NIN2hXTBBF)WCt-kN7s54O5OE(kdoS`Nft*W%!y%kGrMvh8u* zA9XN1*2fiOd5hvQmi2SWxr$Kd_^O^UYUkhlB>4j9_ddC3_>}0nQx?_~wqoznk)AhQ zuDo852rs1gO9v$CYZnG~5;MJHNY%pmShac1^B0N><;G8Oej-WTUzMZ(>~9mazaxw{ET1R3dyHggC!lUQ zYq?d~ULeh;!nC+#*R7qkn)$eT)yi}^j?ShQ)jK(=op2hpP3L6G+H;JP!{gH^gfrhR z#@KKZooeBfs|w|9;j=0Rn)a0NKuzs3J2e#12u*byM~=t&LFUtOJUx#e0f<3rBc(iZvz6AaJ0%|bwMCJ%# z{Is*$IRdGDfxC9#Rq$@CWCk~p%UP|92*+|0gG4Chmt2Dm5`P*o$uCQg{aosPsRCT) zlS>bs?EP5Bl#|0eD5u>r=CUu&dt0h{iVYqch&ZdJTaKs~9MsIg{PudT*6FBC!qi&j znOKd@qJ0jwAbFK_(d+H<1vT5%V`a6A6$H)XK$2?dUyg0*kZ}oueN+1wc$?T;RnJD< zQ>eSa(>HZi_(8vta>uXfjCZJ$i7Tzd*{ks=rxm(VdKC#VH z5NP?s_^f#E-dNFF!lTZfc+Fczh9ShD_TxmvS;ggcQPU^Quq<6oxwDGezOdA%{qfJ! zlZ^T8^6YUc3hEiWYRzL|`6BxADX8&kgXzV26Y?);MPB#~+Q#JpeEnJ^Vs466yZ zi%028=;HtCh9yoj95oy)W4iDBSo&BmSvuo943Yq!&Al}YqgG-2Cj!;9ggLb-RzPoC z$UQh1SYQ6Hk~u?*k9xu9>Py9F-;ak>FD$no+}JODK7NY+)0_IY5<6UPcWVyyTwjht zKkX&f%OlqF>ZK3-W)YJ>j85r_--*+8Av!2mCDQ8CN4))iX(}66on!IK>nbeRcHRCegb|sZ{12!%BzdK`Amm2BGztZ3PbBYM zdi?dqKK-BGb9?j-i??^Xk6$r5kZ{=Kypb=en0KCzbX}{EGH+sWW9ff`AxKs%hO9uz z;Vpzo;ZUEEd1uZ#9PR6p&R|64S7wF?Q_VOz!m%j(4i!A=jR`ykTyOm zDp*e!$<(^UE!Neucsx^u^ahrbwXX&s1f-GuHz3K}T{z7NylMII>YByg!!f4Gg+;;$ zvZ%oC;>-QVx&q!6o&`MGU-YdPZRkk5>C3v8Nk?H?bhAhJ7C0W{oLO)$)_;kjlQhzf zUaufam-11ruFfQ^)M^|E3twq(CxjgApekTmQAqr#y;`$odeLjAvx?=niT;F+w(P$> z&jo@l1S&Q@-_SZm1r>R}zVg{W-9)UU$huuEUJcgOJ!nyM<8g<6{dEW3yCIphPSTl? 
z_$#u^z#JcldXo=**$$bm?NP>gJ8W(5ug6`A36Dl?3;2wFRnR_#Klt|XqlBX#9VzFG zCZZ!%9bw7!k+p9^>I#{~StFN3`WxLzCKp07iqxvp;iBqB+{IsCZM1&;T|%dL&vB~# z@=K-X*x5C6PMM+7x4X_=E}Nsx3f785g-U~64UPk6H; z6DWfj`5%pMQLWXx-MJ^V+BvJcF73+eebJX=^13-3)eKaxl2Kh5yc7S9!X7e`NSkFH zVd^M|mm~{_u%)=soPno!;q1z#UDdS&FZQU`tfo#yAu~19f*x_+H^lA!qW#M7@Lv7R~Gc99u5BHFq>R- z`M`Z-%|TOTjlTFcu{Qp&(Wt_9J>yC!_EDGSjf)7Fm7Oj;c zq=E3FnqWQDa%e6zbU8zNCbyJ^(=LhQ7YhbyIk-H^uQ1mHLgM#(n}N-e7FSynhokzC&iKW1a!IOTmWtBEu)O%SDhyUvgNDSU z$mk}>Dj4z^P zo&FzN3(K9Nll}J2YQdx+OGyLN6@p<7uK*?MC`z%J@DisI3wJg=K@768(N(Bu_Ex$3 zGyQSIR~@oHc&UIMNaP{sWN_T6@A>K_g1_-h9S{34n3i*5?cE%CVlm}gT+SPv(mx^= zZ(~qyqF!61p+Ax!fXS*lWW^ujiq>Si4Ht{VC(mj?F>PbdBT|q&gC?sw9-aqeX=H801LP>)wdF_oJeMj&g6&tt1+~i@?88)@34b8dQ~RF@ z6I^5tq!wL&g;Ru z$3~Xb?zY#a;}k7~(isSb4FzI^r8p((Y}`F(wFJ#sg8WyHfBPjcL;cG4&J2ToUrLrj zdM%~3rJpUMa*zho5);h9pvECbFG|9Y-<}(KY;Sl;8~XLW_Wkt7sCY`rZ5Xmh7y6Qt zbMk_|6dhNs^A=Akg>wT@Eiwl#5F9}|vpizNpUfo5mL@u#7T(6%{4e^aL6Q6tLfvM` zzqgr8-R56!!03JDxB4Y6*);=CWYZ_(Mz8x7HCO+lckMagzls+o z?C+l0E@PPMzn>(Mt(jb@;+Xw(*RYWHD$1P=Y%bD=k~#}Xp-eN8P)Yg+bKX?tgjBke zvBwL<@PGKq2hpE$&hVTAAR^_QE=uGC%JDkr9MO_!}JN1w;`7eyI~?shBVDl zPL`JoEt6FGZHz0i%CWM@Oa1jukR>Ztt5emgJaDyBv!GVc9qlvV&AvN7=iF~A@-2)@ zY$o*YaO23)4Os|kU$1J6qb_*=EnoQndglsql&(69`>^<@6w@bZmmU{rdp2x7)hVsv zTFK@bf&$y#lNeNhO3YirFe<+24lz0Li)+8VnguI9WHGYmZo5lA-xXnv{5nWrMlPRV&~x71tGtj z^ct*a;dz0|(Tn`re6B4kM!2f)*j%5Q_N)w-Ny$=_~#<18)u=Ih$pp1 zIgpYyafp(k(C_TE7$`%hnI0EZkud%bjFn6dqe3Q!Egey+ErVTR&#F*s#yXNjFR*K? 
zcpanUxXUDW>GiM_uVY?38MIdmh>&(B^d0RxYcdZ-QRlvnTmP>> zXUI1&>K^te{%t1I_i>mg*_LbK68(vEpgF)e7gJGElycGU041@ia@(ghc1*AC-Bb;M zawP}7q;BFD(_@q8=y*vvmx?JlyNNih1fvMgqEh_-9My&hNf0zlVI&hyWRirOrSA1{ zMZ@~N=jxp<6D~o?pd8+2< zGx>TfW(T0e%$>6xeDyELMQrSnrODqK&Z3SS zp}Qb=|E^|Dgmgxl_Y3|vmihJTIVUogU+vH!(e$LU@vcKB*KE;0DE)~fCw1Qb+{F(7 zF1u-$KPmHPlDJy&p`{nJrXud3KJoiFrhg+e?e0F)c zK>~`Y_n;{kgAe&-*y73D0L!=(2JfHZvC%IM;lTT_vx*;xYPJ1Tr*|*CMy3axpn+n^k&!-#ls1e^F_Jgb&jtSE1lQ#w>n?1 z-^s?HdNw+V)72rrcpJSxGCrnSNOU_kFoH@h(w20t^zDwXBtU*S{&KvH@BC~DOzY2t zSNx|S+@=W~VPy&;;RXzv0!vW-@n1vvq`r&lBN+eo5vMK+%2$5Beq&gnVD(vbNOAkf zOa!OV9nQ8`zW|iWh&x?Q$YI|D>D3WuHXU7pdyj@+@4MDk?8o)ww9o?m)sn4 z=bNbedKFbwnNjIE;&4AfW6I0_4snkk{&|d3Ygqg}M=7T|SGFUi7YgeWmduy_LE(_O zHl~J#cNnM(c2o6|ult3ZJH8Bs@@o;e!#;f|zg}y-m?g3CDt+*h!_Jmb-Mp)BfQ|63 z!tZVEMxCvca$LfAtTA4}47+*O9Q*x%jTt`1#O-X&aurjwKi79DX}EI!+ETLi$uWlO-1AXoLKN@*}QGIvlLyC~{dlKVuP8BAt&N?G+}xWL%vY6idJ*--r0^i*i(>g3 zzE*6z8zd`A#feO->*QyZ*}I|+aVS(Zy{@C$;;UWj3^b;(-;H4nO7JLe7pqDB4a}*& ziyvBy4Esq9>T>8M)_XSvJJeT_O=dPdrfYu}V~;XG?#-05Oq4HVkeN*3Lp+v%ywFI!oO7fpVdNBg;`r&X-xDFL%qLm-(0`&p$TX3>rL9f_aJ> z_c-72VJ{@;w5mRANmiLb^m0w_hHO$(w=E@c%pvcy@BmlZwc*5(*4Ex6B{_k(uqM2$ z@ar*`V08~mk7YNEY$e$MI~8Ls>S!B9UzUeKtp_99TCNEex0jikdRJxb20P8nm>Jy) zqC6AHe!AFfpt<`}7N=iK==J}wo)J??7;x@adB30e?s@=a@4xcd0D)wNSM=jlKl{Pq zxICR;`-xeZ2Fpza+qREB>#w&%kDD!#=HlbiYb@)Y;vY1}kZrr$+Xv0_40;=z9(a38 z3HVenpY?HQbMx7rV~w{L>cCeb_&WMNb5GT+RxoQ%I?V9-cV_FK;2i1L&ac%_=^lwB z8M*CcX8c}rSh1eHK%qpBMZHYSF?ZhW>yfoY7+z)a6>$I4Gsnn%{eC@tGjUyBeZa5+ z7ADAVY#?1K!|A9dd=&4h@4j)oZtp2f+2RU5;hSL2Q+)6*S4fbGhR>#|L#a!)?Jj-e z%1VM_I&VX}^8P>hLujLy5{^72*YHiB0lWTGGWR&Aqu5NJTVa?u{rDR#wN{xQn?%1~ zwXS;aVcVqhg1EWGek@Mci8Bq^$+I3VhQ{kB>^n2ucx5)zes!#3ao~l|kI3W78?DVM zb>D=7p%Z5)k`GHsVu=^u8LN&KDlz$?pVESJNs$Yo`&pb+w5y_TvZy!(e zo!^0uA~yAc%7vFWE)%$kP$ufXVEl>X4&=k}NgUeGsQVgu+>%A-PeoB@n}fZxaW|ar z^TzG*9}Eqms?|vfVZ-^xEHJZ}4^CFWKHpBWk>*F)3@>!pitMyyEe#KL_3|KRii@Kt(oW+pOF^(Hd z^nW>)neR-Xg4xQ05eFzrRZ51EiE0OqAh&v2QTr51^8_*d2me*FKhnc(+Olc!SvF9{ 
zpV$D;0%0%RS~LUI7xi5r;Gr+yQ*7&;>y~#HgU-f6+rRfD+BqcWS$=gF_wfka@IFC8 z!#FiWxry{|oF~&lg{8W7RI1sppL4r$IHw}(AWk&-roH*i!a-p2SBvt~T6K2n?$>Wb z&K!zz$#r?bVBt-U;T3wVL}KZ?c4+0v_q>$Fqfazdxx}Ng$xn;hpH42QLbIsRXOb>t|D z8Jd>#r%|dYl4QCJO^fbLug0oo!Eo-x?;#4y5$|B}x7#NV6RXe7Cq5<58w&6KexqVB zQu3^J-S$ZSs0)LmPOPf)j|iSX|B$5K%O|+BEh*!N+j-X2sDf*|^)c(&+m5KUaz^vP zrQHL)Gg^*D!dVzp9h8-yBCEi52UQF~O}Ss3PxmzW&X}cv7ID z-64+Ko09QH<~J_Vd?Z%KIupA(zG$X%K;oNR%_gjf=2KoycHNpve6p3Pu?lIJdlG%v zL>+>aG+qPaG^!d(!R}o=;7O_!pVU!ku$BnDZrkl$j7`tnobF1Q}W||#E#$3J4`)!3M zq8_bq^g&;Bdg5o44Z&h9Xa~uG2If6f8**NfI$!-t(XaT+H{2A9Gpc#_lE%Y7HFsHw zUfZMVN>n%RZyxv5U9CFvOy+#THd`o#!_NQ`KNtBgy@Q$9gDS_tyo>ISB+nlv^a;ML zcz!q=vo0>m$T=PpMz-xV+{+0-35fqOXb&a!VP>kIVLEP7hOyh*5zw2wX7VTC9n-_P z_m*o^b`RSx#{L+k504KJu}%81UL0v<&y;3lnW>({)WGy!!t0<#QIgwefGbgROgaci zk2=eC>iTZ1DR1&oRp<-Ghx!ZeYFFvIJ5^hYMn`|RcdTf4<4@fk++Dk(n;U2mwmj?T zChiw3;x!y&KhFQTo&9ci$2xZR_k7`7%US|g9z#$eP;ffpJ4qotCgi35;V2XlJ?_t- zIqe}mt@1Nkn}$DquR^=9iLIK7c&D6kwZ6&({p;=Ns7_C{_t#yWq6mGKa z+L|4THft6zdcrqeVZ;pf26C7>o&P#3(inFdbrBnTT6<6zItFy1%eo!fuKe8*t?3>& zewtx}{`5@3#d=JJbyPZ}KGfqaUE^K1a|-2ZbvrK=dfg}gIUuFtu0seFQtBS$T%hW| z!3Ba~LwoYG>k`Z_d?q5(k-vHBNpoJ-8NOrf@HL;I@AA@aQ{PNP&KWLxk?t#QRw!2S z&Ga0iPHAc?o}6vuGrY4zmJrV}S(@q$vQBKx;_uIs|w z`PCoh!Z=s*kA3_)T-wdmdD+4SqJ>eOupl{m-3| z%aa4&9rZgp=km=TtE3M(NK>e!@&qAT#N)|>AH*paufzGS;yU-vA+)!9kS&sb*wfKZm{Q~+6t=vK>8GT z8OqEHVQfG~LHJiq{Q}GLmK!xedRtC{@EVO1#4n}wPIQERIV5pn{ui%0ogspe<$G$v z-Jd|ROHHc19o;_mUunGd29ie8tx)nksx)5n)eE9WjXXU2nJ_G7ZDn=YRo~E`onc;+ z4RW+0L_a9))#6^%o9|PuR*!+w`gPCFsGaUg9agL~(^6UGgWhPcic`wC9RDBaBzc({ zou}f8zstZv~Z7!;S)#6U$fs5JfRdNl&ep>c5arzp7N|V!~)9H*HrYDN)$goU^kSR~FUmMEB1p zPT^dzx-NSxE4owQs(U*t_4If{`Q%gcAn2(VnJ zh)#6xl+HLxJ$UhQdz)Vcr?{d|Kxy=vV||W9gT<4X4^ZiPuZWTv=ZR9rl^r{Ozm^3g z^g2U-Ocl<@1x@Q3>_l9>aM@@ij-q!=U(VD*4(VqRuoW=Z6@NWeH3# z7JUmYmZ?lU2c2FP>DsBq%3^)~yA(I=IH_z;|IOALdKrbg{e`9c7aK81-0DtdmM_E@ zwU#dmWwq>S5_+jIRy0uodaK9HYb0L1ijgee&vKP32zsaLGU?Ir*Z(G~pqJ$mAY{Gb z2_zgkonK{lzUU!kUc=pONKtIlgP7el7zc911XI$Q3Xd^w`7!zA>+dIceFIl$xrO%JIt 
zkvn9Zi0|V>sb>7)LnuHx_qjGTs66rd-uHXGH$q$QSvm67^7D9QS6t3C%z4z`)3QG) z(t8zk7dkC~lIDc*)Q|)0>PyY8t;hnVe}=3|4{<7;=r#aJ%fFzc?Q^RkgR76k#8woR zUz^Xe&Ae^qSTW}-_hKVK*|@0d+9{S?W2}9Y#3DqU!h+3^BJ?l0+O7YA9Fkuop^=_{ z7R&=iDhBcI8gyKkZ!@~XvRvzaxBIri#Vr@ZcnF@UW=rDxlY$WC@%qjkC%V#jAK?A} zADnrCz)wvhU!L8iu0z~2NJS#}SD#x8G5Owbm%Of*6#f3Hc{)?n>(ZH$P8);Y6^&FX zu_H(Slaz%Fmu48$jLyUnoU#Q|U%&~g()L`e65E*L?Zqq0V_0ExKRVLyBcWe7qZ&P$ zI6sl(g0MO{TzrfArsoIhoURdcS-A0uQNIR;{+*SfvWLPJ6gkZC9(7HF<&M~=A@*Fd zPGYC4E2R!_?K(w#KeIkBIVS;;^z$51E7J)#cW>yB{yyO z$N3~x-sER}`}L=FhhAnp3oS2ho_UWdy{abA+pKga(S99$eb*%CqW%%RBS%>vn+iL9 z`39JdFJ|(j=CveAzE)}aXjhJzewsI-8kYKbrXVVoAy7mIvo2m6c{NJwy|J*ac;Qwd0^@pc~$ds7b zM_%`j9QiZfNm|Fr#Ln)Kg{g^?g{=*bi;WpK_OYqSBMUPJ6IV`4M_ZdC9*izn2S=!u zQG^k}c$*PxV`^(=VPg(GVjP_usCTy+O>M319I%d#STjZuCkJQjPcrHwF%x{ zD)y}H-#z$rA5@tXm<_FhYF+`tLt?a4c*bi`!7sQJ+}gTs3m$N28-M)Qyv6+e;)2O> zcN;PG7fW6352|YBUL+)wn+!f2*7Q-H8y>b=(%P1a9`3)Fm{bumB&~ess9O@;$MrW% z{RplD)q-f7x{bp(70O>d!bYld_713}aNN3Ub9DIq^zx;0pLkMpkoDrmuC_GGP{D~z=x=B+jF3C(V&i3_R&2utqnIx?T~th5L%R#N8`XP zLXlPiDEK6GAH5j&0VOz1aKR`&0arNq6#7;Gu7b9<_`SRptJN@MM`&oyQ0}0q$6`ou zi71PKWos^)@lXJenT#qlQg7gb?jv?v_;$ap0kqS2gxzcenH`M=BtU`?rdxYc;~2ln z#iG40>YA2q1l)5t2DB8|Tew>sRaQE-YFP*x2yT}D_+ekY2WoLcvEMx#G^6IyB;d4_ zM9#sB=R)fiJUwawIUfaM@-V}TQ`AZX;-w3X zP2VftG};{+ldaQUv`-TT1e=uXySudrK#crcX7HA!V~o4*)n?ixphln_nw-T#HJkXv z011vCFN4O27f*%O&3TH_6oVJkAlM`0KokB@Y+wc`GEI`7WCvvedg`D*IPYPY!%Bz* z52)uuJIRNEJAT@8RIMnu!KNxqrf~QQ`@Q(ex%&F`of_x*dzv)mW3@_DMDUce!brd#m$ z&EH=)4$?*}6tui#twSiSvH#f#pv7wDDI`_xEsCz`darCbv`USBy4({V5;tzz!-twGj`ISbXFUv=^lMC0@YixUU+#nfK$a|g|(&su+r*U-xb+yucVMkt?S zF=u>qGzWlr#6j%?daNIHvAvnIBDu zahu_wDSwsfkA%ht7C*X*EOu_AajZ2PXs0*N<${IVLA@z+wRh#-;_Q0a@Fpk_`c}TM zr9Qu=*IgLU&_*-DaGF~Ev;hf;%!%J=!vUWdKc@7X&#k(_1HXw(#_b^AIlzn0%wZRe zvy)2wAY9K3N^pGp%`Xdf#`Lp1))(A2wyV(SEonJJ$4@s?7H9-L?dHDYR<=eK%e!A# zbwsP9id>kh0c+%UGXo!@wPzq8G%3i;w|vkgpXRPAu2b(;S7I|L;OAGf7WM2M3J?fG zzwBC8_pYb8uEi|$37-;8Cj~$qO@xu}Ex;3PcDTb;N9rRSYY#5`h>7h^4seT1pWtt5 
z=9EOETYt2I62acRN3lGhBREaXg@(DtOevy@F48|mDmhrXib{(>irMO-hT8i1V?+6r z&}b1c(zjdpB*g+erDwm)1>2Zrl|Kj#+9MCx^bZ+D#66k@jWE?^G(kmzN3%%#JQ_3b zDbzBhxM9-yfu;+{9-1%1z5!MM&MSh|M&lF+G}5FsbCl)#NE|j*`wO)Mjwq0kzlp}J z>kDR$ZZ{_!^vo2C7>uKFTd+M~JP@WfwKdKT`+%6Yw+CD?0rH925wWSVfT@|;Pfy{p zuh0%g2*)CCg@gy*`ceT1O#JSFX2>$VQX1+q9j2+P(CqtH-BAso7Hk88S6m*O30esX z-cJHII9l~VwI(qh%niY7K?F6X2;5FOflV_+ts9nNzHBw}%_~d)?$m7J+le9nJ6zr= z+HaR>O2Z!lzv(OQZ}L99fZ%WX0&FTmD3vB0LReNbZu<5cz>_~#YXEeJ-5Idvop1() z$ZoR?4-Ub6nClyFY*nACZGvuXG6wi)grK_S>md^&8i$ILu(5P_S75R*7L6_(8Uajb%}mxk zt+apoeK0Oe5Q|HF&8qI4nc(=t5^J$1;i2r-{Igr{7SXgt<$nq2_-Lvjr1%EyfLF}^ z=CX|KLo=dn%tpG>`X^Pl?-&AGj4<;O*V;>1oJ5Z7mK18R)_gbK0^K8JSlJS3w`R~! zhOzYIRXCV}8h$j+d0WMAa=SdzmK~IsEIw>U=z?zfn`Kg3U!_H%am{W3_8|~}L`YCw zj%HM_fKKpEw8ATmm`T*jm0N%S{^~B8u~HBBxrH~?*b>lSnU(WQY0i!}VEB8$h6b>F z2ot-E)q)kgp5~xp`gmda8Udyn$iAMB<<0(P{5@%;5~RSW8d7Vw636vL*lyAXbjOmg9Wo)QjAR{)zPdXzxK+!IP;-IezzPL8WxxN zl+@*(odSPw%jS0aD&T8I!_IJ|>&sLr8dl@Og|GG3^U6-hf@VmxO&ST%@|MvquRjlM z^nSIhe{R1{i0uH4;QTv)7(Q=o-^IN1QBn5O<_qIuJ7yzSiEU|n0 z!K?O=X8Btsa_r3`71V`NRw&aQorq%ChDBd$wqxfSt2OfH+ z#`P3(cRp5~7P*s3twxyI3lY7#040)%0E%!Lv9!sMg;KV zr-_9LLg2;g+b-KbXh;D8Gy`Gk$YJK)f)M9cOOstfW8^9lKpTNvcxe9=j#36Xxy;YN{F1gLQSyjj{4|FHj`yax<{#xXDy&XdZ8We_*i>~QJ>(vKynfA z+dAord9*ddqJbL1dHs9hfSrINTz-V`-cjRx+z;CDjTR08R;DR3LukgteuZfE-qo~Q zQbU;*Xs0w#C4hE%?*gdd$r9j-Vc{4y^S1E~|H&S^r$J-V&`eu;{=m+he423)R1GW< z^YFsnVW!z~nuuf24#=+-G4F>E%#9ignP2WjyQFWW*h&m}t(2i{Kqp93a1k{A3V6f! 
z#b_FZSA(pr+hX}NGIXcHzf>iuU8G%Gim&HM zabr{2xI?lK*e$pKJ|Ha-7SFumx3t<>v@q?qeNQ;p;8v8pJ_z6ty!;c<{*U)*W5du4 zgmCNLR+14RxcR*`Q#?A()mUa~)YmR`x21#%DxVT4UGpfI)arHuhZ0};FW-WpvtjP|XMT7}HgnaCW#!ij!ggadog^Yi!4mx&nx6;r6e@V$=$Foq{L{0drO757W(GDhqRAK}i>FM;$rH}>$kkX(GDQ}r; z9Znk__~Z@1cB+;o2oTV?Pxn77qXt*AwBVB2&fZG=x58!N_mpfc%oNG@bd48`+G`y` z;!q>6WB@1Lq5`x{e)rGxkx8)pIw;0P0=5XurrOt)n;p(M8BN{ce9!$PA-YD)ct;{ws>2Mr>tT<_$ zGQfp~Y54&I%mFA8cq5VU6jGS{G-L3LeeJlBG3g_r{$OdTP8m>QMVk{wC-)u$ z8vgN3+8)3s?5s_hWfbJyb{F6=i{ZFrp?CeDji4(HAtBzIb_zwB<#5LfjkD8$n*cd` zrOe($`4a>^Y={RufSwO9HUTq)3yh0@L^~Ow8lG7{OPnXcdI1SdSIu}$f2yuh7eADx z{jr_4GbJ%$3@`fvOavU0GT!1kE0EU6qf|9SI^0gvc<9PQX`n?!f<8P`bu^QNI}F-a zo-FMKyfFvnA$Qo|Q8Bkf-#=bYwe@5M<1xJx6dN(lj5iePZGXJa=P@SLZ!>SX)|4Ax z8n^X8|Gm@3!Xk=hB;he+n%@)<;0trXab~qe4ZHwMglRi&`fXiIiZ*nU%#2nXjxr+A zV~#^R^&(&-|J#5RaSMz_kjv~Dcs8+IU&t|huU7Td{O1PtBqnO3ZKP=NIp)6qs?nYo zAjN=BK`()CObx}7i)&1nbn?&03L&RL194dYhNn4o{D);Ur4{_{Hx??lCr&)L2*NG9u4y>%}_X z019!qCnM=4%W|9#_wAo~^UIPy-1A#a<7)za;Y?`L5!@EEn$lh@0EHM=&&RJU1-!Qh k)O_|1-Yp-3QbCCdct4|;)d5NR2=pf>t$aUE%J}L30WWVuc>n+a literal 0 HcmV?d00001 
diff --git a/documentation/files/selection_032.png b/documentation/files/selection_032.png new file mode 100644 index 0000000000000000000000000000000000000000..f80fe3a56f6fb4a0dcf7697169003da252cd8765 GIT binary patch literal 19335 zcmZ_01ymdD;_V%*K+!_6;_gt~rNyC0aZhn~*B~tvFYZ#@-MzTGyITnEK`y=L{Lg*w z`R=z?Rx;15nMu~H%w+H1-cLf56r|AJes~K20MKNl#gzd7n4Q<mL&?_r3av?P$yIi8@*;HPxrkD4kdK)r0~;}hOK zB$dhBdyPn|Y2m@nia zXKaCT&40J}sfmpQ59|Mv%l~yyMT7Y|cxMIsIta&E%du*%_?E;JnZKAx0PwK&E3>4kqqqT^R&77{V%!7aJmqsgO(qAOeL-OkkbW)RDpNEE%OG#t!w5s(7_a@!zM#vyu+WpX67abGKW zRd~=@bhFOb0YX^*J?i6_va4$^sG;D=wRgPdcK)G}BdyLT?{WGBu3NNzZX*>ND<(&+llWbT(U+-*|L}3EgIUnh%~OOa?^&edIdkuZ(5T`9 z*J?CiT+~rv%PLIoX{O5M z*{~K=4?Q5Ebl}; zSb=Z!lAb+RD1^VFb%{+Ll`~|ld$AT#xC^PxGtB$U=IfmZAn!gr_wa9)6qIc3j(aEH zHT(by>9*WLJWx7^D_YskhY!OoMRs!agOj!#8bN=XAZ_+v;-Fr4$bP0KbEM-)SwWqn<}fE zgMe(6s3o4i7%x8VCn({Re;{&ARVjVzVb>mo@3;D}USPM6-$MRPUASyS>Fg8qahU1W zzww>HR42O*Hi<*k^J1cdnw&A9L6C)R^SCP(Wn8|s$p^zLoMIa4dw<&wNn8h+ek()l zs;McG?~Txj{{*nrpPjBrR3NQvkOB2$VG+IsAgL+9So=9OcJtb<9sN|oP|zGOT=SId z_$&fmSfX!3{)KYt`eJ@-T`{hJQEpQNg|rVX4i3+w3U_wStrEnH-=w$kyIGu&<++mn zvFA7_Xc|X0px3)4Em+fwc0N#}=f6&^d3JEN-TJ@=i*wXa-y`A9XY1?Bd41|OSDNa0 z?fiB1IDQ`&3C1h-M|SV0z*4TYg*3b6vm-gir(-j8qE&D1g9R*lzijLmB)x{mr4Cf? 
ztX0+hUF^->rtcE)$d2LZN>I#nFQUp?+YU*S*21|9B4AqKouH$35D|}65Gx@ahPzb+ zMZihZy}ZPc$kII1c~MLLvhAfvEjiiyRbUz&RIWmEUGHKoVPVNmHV0#*VDsCHK!;_E z@E$Y5n0Fp@MZ?3o>8GvL7a{H2-muMa^np$;f+c2{PrqZUf&HF==Z7_lKCzfcp|HGJ zylM{qDcOy|_BMxgZZA@Hke7opgW*O5&joFa?>`r#x2lgy023GYXh%(&hX9_krDr#@ zrRoWv!UPbG7AgxEA9RU?OZ!v1+BT1P(x3mJ$EE9jrVFsXZ$cE-_~vT05a)xJ{a{Ey0F< z*@xMXPgGH}iTpYg>Lc-v6L50%k#&K{)frFC&BE;A2Q1)aQ7h)xJGn@NO(%vA0QV8u zx{VQLMj~QRQ6BJtHX1+6#|LyY?J)H*tFg`oDxz!Q)Ej&GJeWiQRx``6)n!8T%OL6e zLE@Lqq&TdO(?{&_a4enzJ~+3|wf5dV@q4gMCQ%0e*(h)y1NZFnkL+n=o`KbC+LlIo;1AQ!OVh zyx=k57|eC){KkEkUfD9ZV|5bAA*~bQp;i!8$~*a1DQvE-(u*5l>9>Zy;u@C!baX%5 zQl7#D;2*`!#1z16{&r|vQF7{gmIx6J4d-&oh(~kG$gdx34g<2Zp78zDd!!T)4Saib ze$&`qZoUbM=YrW<9A+uU{7Ibdvpu?YnCnBA?HGlu{PlaUs`0H)!b!XKY1(tnSCTin4=RFAhqnQ1PbsW)?V@`fn{#*_ zk5L{Tyn0gEtXRETgwdei(g5Y|gUK}8_sm-}f22P$A61TOb>%*}%PO>3tiGMOYKwd5 z%lC21Sgv%=lTyPueKNBI*{=X6&Jw|8K;0)*$hjKrv(fsZ3#&B(bq2AUdAYCN+7Aw$ zEnJU?mFD#*M-aKs?P|?wv4-jQGm3;#1|9Z=xM;hB#fr>z=Rww6U}nk~;?UUGr68@0 zVrJQ@ke9-2FRRL}58=68&6}V{L(+-~1jTgEF_2OtT4%{^pt6^3aJ`-257&7$7sF;e zfR~z)MqyW2;fhhffQZ;?+JlToBnD2Q@?-E;c}Q8#GORGb>lz|&(zTLXc_`?%MgYK} zvsYh!fOn3Ip&U$_o?@LFqiHd-Q}N=FSK;hM%k5=t%hl!+zdxQMmI9~lNwyXwwel#O zM3ZScyBc^T@z`qGx1mv&(Xr*^;^djeX)8^IVqxb#7Iq=z{P=ALJb~UmjhduCMPFm) zxdzX|H9%o)Za$4yiW#Z-o6N5Uj?}T4$TsEUPROi`>7d!cO)Xr!4Jq< zR-fm85LA1fw%AL%WOnV;2PUY9>^52KoNO5dLN0Yw`@$v>ec2&xS`=<+ALw@H3HX@- z6Hav_%KJBTE!_&2upWNhzO^HUFo1S-YPyH|GIT)mxVM$&%=&1FLv9T{)H}2RWf!V7{RNpo5|PcJrfeL5f^Oq|(j(NPO5l zK`lQgb0Da!>)#nQ0J=>9h}rYql5;*sg0k#8pD5HHXTV){=R2S~7{A@4yoO@!uh)nB z(3O@p9&6vp%f^9U&w>t{)`6GDq_?&%AX8PomnQc~(I09r=G}{|8joIs$2h~T;h=}byc)*mr{abF(*ijP zGa!OresQ+^%dF+**V@FLyxiVt7}RR+o3=XQj?sJPmR{uc+iV=U^;90&KtUU2-7bGt zyk{@GRw}DGX5R$(xhRY{S@Yom`e)|eJdf7Jqlt#SFgQxFDN9QYkRj@OrQZf?HLJGy zF)yX1t`d=-n64fUMeaw-;r%8^>Dg0Uz>XitFh|toOnIU-t4V<`WyL8x!t@yL9W8+8 z6zezote5&!AIqVcV>Gn+CGn^9jR3dF?6cip{pWSIl581uG%cci_{e!X7vGG5${48!urqdE72CZ&F`##$H_^jhk}b z<2J3&YydB)ok$6WR{3+@Y0t9B;-kT(lZb{8wDIb)aa^dM(u{Zm8;aTT<+|e*6XpX( 
z@yoh~G_Bwp)#NmP1K4pr{@`xd3`tSX-LIHn#H0uN%Tv(f{?{9HsPuKv5*iG>f~t3%0)FEH@MahxP6!65)JZ!x-M0*Kg^F zH`MnUy%-aC5p3tK(ldzzu8pf%>MJhh4c$%KoR|3I9niO{rt8vANWU3Up)E<#Zv9O6 zL+Exobf#oY!U^&4z0Pu+)*+Adv!>kMyq@d})W(Mbzi)}nsJKi~aJA@spG}+*2_rF> zC!p_ZX#tL)9u6yLE3BuQ6m)G5S!>v52C#Nq^!4zh$2(1*9bX+|0{p76g>uw0)X_5Q{S}ySm$p{Gw9jr(NK|1>%DU}q^c>aLV0x=%%g(^qw}T2DQ_|) zONJsg;UWX3-B6tZuvszWEh?EuLxP!#SPPY@g}dw4@E)}}Fb>cZCHExJbWvww9t~>P zV^mfqOe&k>QZ_ivs;l`=q~Cg-q5v_D>5H_+`{f>7;aa( z+bW~-6pe&pzVq8s=D^OGLS3*jH|Ie>poakrVUlJM9uTbkwrZIv{xjV3fVg8RpYlfQ zoIP_5Uiyh!O34>hq`}-Cf-bidjSIOLnE7*A=U>*c@75%BB~euzP}q`SQ}6m7+W)@i za&nTWqr`KW!evqpRa50c%I(6iAkR~bgydOt?R0b}yy ziL`B3f5RJ}m~?-3be7F`>ZqOqP`Rt-7)yzmb`)8EMWL}bz2&6oa)(I6tgjy0l(kv}5T^wrdc>;C0ciXXk5`J0`wJ0yNR|*~Lc=$|YR+hJ^>rQhFSkxm^Gc@SP$GG3<#k`jkW@ z0|$tbiNtvyr@eVFQ1*MemV&%eR$uJaHZEl*>7$dk*@TLquMTXE8) z+Z(rI=5NA$q&5Rz5c^S89_*9Du^j%rfEQ@hWW-L<8=ZU67B{Ha(*7V4FYzxgBrU!@ zBpQNvm`LoVRPe*tZiOD+vjG~Xo@2-3Zz}W-GZ1-0%ejr?m*fG*r7~2eFuTWR-hGvj z=_%)EDl0Afm>04(ZcU%XQCL)7$LP-OhijK1xY0MFAFvJZ>>vd07ZTC1A=<^Ea>+rSt4F|tQ@^@BwrRy?eYqrF?@S<5unT|Cq z3!bCaMv^Fw@b8@qc=T%fxclB$fAfQDeA)JMgkb^jY{BsrZ0pKNPJ_=iS67I&FygG; zj=Ia{Pay3P4t@%uyR_=sVUuHp-9i^bueYi>!i>-XmGhIlnFtxFrC5!U7$ITuQMuFc zoTN9pyH1P(mvSA~bm`MS^r#US^UVS&Baj(Gx%x>fSlzXv2f|mHsS3X_x7h$8^=E}l z1R7-#rgcU__tw3TT*9sZ7lRKO0^|opSs}=yQOGPU<#K{kxoc#E_!n{#f_bKvTCMg< zjS=l}l$cn>&;}(6lPHn3XDyBtY^R|b>Nr8=Dmj<=tJO&xSP(o<&Q5L3$P#TBUJ2>FVZ4|p;kL@6Ya*{?}00Qry zeOO&*0RVcg_wznVbEbgE)VquY9}mG}5_~NT)%|ve!)P!arOz&6#Ik5!c|J_1!6?78 z4iBv$>k-MNPkkQWVI#Fg9m6Q-4*tEEinUxK%r6Wq2X4mwdS@Hs6dvb9viP%I@;^<{ zID-Yuy^K9m@3hU#WsjIw>qbiXrhe6ut9pqjm{$vErqJ%gpnI*kgdrOO@^KU5KRS|V z5HQ7b|3Riufv!G=gc>iIS$!gA=cGXsda86|Y|4Se{{ucx2*O-*ehnM!BH$ zCJC0-ZP6t>wOA{4k+a^1&u%h+PSvHe)aCR>pUYUvlhpubdXWo37WSloiX#QiW(99& zNMZ)Q-b2IHS&#qQlDD!QrPIfpmUt371t#67VX6>Fl&LmVVn! 
zm$96|hlF)qnqpQx8+Ywfl+UpD3Wg}0HuUjI@Nz0F8u!9WP=BJen zSkCmGS_7CT#(tR-N--@)b%0!rleN5XRyc=mdp)T2VL0OFmmIHL)>jc~Ff|1VbXcmj zz@Atu(`lf||4rIB3cn??gD7nJixcU;dHX-4t|&f7)LCZg<$ZUncS5$HTn2CY*vW~l zW5DYhyaNZ9&LCoBkhYC1)uH^<$42_zALyVMh$IKZK8bpLF#16JnJWcw^WNB>ZQTDQ z@E?4t^t~2+PaT8$7K6V?Zf$&*N}0oj_$OSP^5IGwKVcdjxvlYW_jR4NIvv-|tA~TU zSA8xVx914Cb7H&iJWn+lfQ!(2)|~e9dswTkqcey<0ARI0b{PRGh8X@)`;Ks|&lK`k z%pS|Y#bfdxd@!0?PX?7judfXVCH@Dz=M=PN^KEDE#t?JL7xXADlE~@p@kY>kWP^A)w^x?v*mz|CIbYa%;eDb-W>(*B%6Dg?5 zb;MB5V7skd7Ke5(1vMh1KV@r9QHIP>-kt96XNfcvx;(B?J9mU6GQLzDgaupOwhP(8 zxZlU~(6k>mV9em-1)thi9IwuBLf_w%qddl&+346hCpDDL*uv*-$nHGfR|UjM9bL7# z5Hwx6jK^#|!pCon?%96xo2pBh%LF&t)>)vnCM$mT#_WYlqaEiap^8*=dLGBK~TGx7FfRMy%F&w5Wybq5d!_!IN7I9mnBt&I_a331J-_Ty z8s=0*xl(yq`63hQ^>>;w=5yLguXNB=rESnjAT6P<1{g33EZl>Gz5Nu-xR{99gssoi z{LrdnAi#0MBk@FKoiotv+rjtchuj-PD{ypSzzqwgEX;y{TL$~{;0AzMv*x3FO8}zh z%)2YP(Cew`kbi@5^Sxvf>M(^b{{zNP5XOXh*Fb%GU>M1{aS6v5Mt<^JSS97fPf~9% zbb;gMwaIXg?*V`xx=6f$`7?CAb>cjH!B6M0C%)M}?SDGVt15Y5rtb2mZ)52!Uw-vY zmd=gRjyNSM$P)+x2^X5Zd>dZAZz_MW_wCW6U9x06M-yrFLoA_puzN~HdHqaqxa=zhXfd>pNZr=Mg1N9*4W%wE6Bwii%Hj_4VZ<``#|s zwRML3gRynsu;gq$PCqBSR2;bi?o#~4X>9>H_b;J8%~!SqdSe_SpipBIqH&MftecvF zqUBw>B9ivwSBk)DJ5VX}78uR2!K%G;JI=pGWLI@S{ z9B%8pUtMWy_5hY4es+%2R9^Od2UrN4O{*)0DOj=`Y~1pEl9?2mf5$V+Wm_lRAf=o$ zHdac2r(41LemKZ`-2?;`kM+?XaJ}D{=BahrU#z(n@G$*l zKXEwur0sG8em!_dOamG@y3H4en8;8zG*s);Yp(!tUpQx+uIeDB@$1@b00x7g#HOWU zL;xP~-iuc+9h?7CjuURLcZY}gHVJ8!>9ufIvLImQ3tvO)D4XnJ%gTsDd9#25rMi1Q zaLs@+fe2+p8;2C&ezk=EJopwja_p%tAVSey2BuFjjiR2IYeOJ>eUMN~q2J^MB{!ba3icXP zffb@|bz|IhPvvMaTDlGU@xZz94s%3aWI44=ahMI+hl=-UFv}orhDUEZM&ccSK=mzWVoy2;AWITJk<@(I(B`tSBEh2E+xUz=R)+(38Xc zsMu@!uyOe!aaR^e=~#b~5&Y^$0#+2>L^`>i%Pu)owVRn9(=~9OxN;OsD*Qn9(v#~< z4A*oteyBiyQeb)aYBFfS$81Xi4J3u0(@v@*PFL=Rb8J!TgN$=8&WpBm+)`nu`)C4-C#pUV452XcX z-5nuu@SZz!z3ulU@Gl+{XZaM?USvF;k=ZU|nu@|YCf-$X!mZlEvHJ>0p4CbmIRU~U zZ|PXuVx6;@Ez@5*e*r0W=uHR8S@7S-9ZV)V!tZ>_d-=d=FP$!^bzA?D4&;v~27lu4 znQF0|TL>ijLd&L+AJb9NX!UU7oboAR!!$13HDTEkq1Gxc25veh5G$O<>|=q8#{YBy 
zKyrO+UgUkQh|F2|p^P~a6}jI_iMJmA>OhUs*&oBU|8M;~xSp7j$;UPI&Tx$n3K(_a zPj{1=gPU!#^ZF*7TQL{-`8U>ZWNkaL?a*6c05AW#uxaV+_v1E=?*sKI`hq5UO@hWb z>u1PxlA={MtCFJJ(mfD6(vPz0KWyHA0-}asP{$%3tIw8;SUu5vq9Xq75|p1yk?Dr# zHX<_F%FbuL_5@$C#}b^5JLvA01N~Msi~0_rQnJdDZz5R!xo=>?h}4)lTTM8Ik{LRy zqWsus&wIrk`B^Y@U0^(;3>1r(L`oZn<>IyS4MW|rp&~Vfo$M3cW!{zN9DMtGAw0P< z&!1BE9BZF(UPcKao7>Y-v zUlF4K3%ig|6I_TIA)dZ(cHjtD!-n%Ksy=kPcAe1x?Hw|&l~_>RC;kSfn?QUBxDS-HTfBxZJTqpR+4cZe8Yj<;=;#5)&s! zOY-~H>rA+jLVoc@u=@0EIjhr5IPCO_(tB#KepT&k_Z6<#y$0rg`hNW3cxB9UcBfl? zqx~fur7UN6$S9w0A}Qv|^24o;U1ol`lXUHj=-~_R&`WkvqTnza^FWFgzBu5M*x7!W zKtvI*9>|(6K?}pE9WuAoOqy?vUj6cp@x^C4y+=qs>;7^^_%h|M!)}6kFoSvn*_$eOWdXJ?regAYP{5YW=+T^Z&o3Gif(Jc+LV3Uf$&5*zdyiIj) zDFwTw&RM_Jy8jD~gP*peYtYX^sIf%Jz9=v(rLiNd$F4f^j$|2g9>z<3DkZfZ`_LIl z43~YXjQ(ID;%kx^lPNZ1a*@{ z57+Q$x^0Xm*W{yS)dHA=|0BQut;K!Gu0)!p9s*w1(=b2r;G2!5@xegiI+d=(hY{|^p)74@114Xq{WYjgTHPpe7Z?>_0~?On&|6^Dzg;&v=)gl25X z%?`%HMi`5Ja{B)=;I^dnGMk~&D>+ocGis~B$7Z=hP)C`fBM}0vfv=8Y54U~ z+Jj*qtxvh?C|svnNv>nfC;*^qQCYh2gZ|tZM9V=AlgxHPZFtxt-8Zqsc~|!r0`It?5G+p-y%@NZ6X3UB3#-+dp0p%uvz>9RuQrha70X;sxv0(X zXycpVmTzir8Qoj}rCd<^WXIPN2<5>JTas^68Otq!EC$=k)(qEZ2XVknsLk|sfb`lg zbw&-wa}9E}?H4X=z4ENSqjnBFPCqd>)d`91V_*06U{nmRcNFod0?qfYK*=ikqfPWr z+iD6o4Izn|_^B%6Noas0@V3(sC!a|QMg_;qtvU(HYTm`&bc98wdfzFd%IWle{S~HG z3K^tDJ7<)B+Sfh(ep}7dOv_X#6vfVxbrBjvxU{w-x#-e%(`^@j3QXLe+3^(Y$#5&x zZMxLi4UR90f6|KFl)X_dO9U;MUU*mLgAOu+v|~g{2boGkUK*9523m%{`(yuT*I>lc zyXkBAY9?zzNbtH*XZxwD_3b&!EkjT@68aJ3q03!5BEmd>Bu^KjMfwa02xKr?uXFKj zm6LJEDFD5BrZkdy1iZkfuqm03|jBiJ_cfBommAsdgNMgk@}TCuyAO9 zh*cDr0;WVWIlLz-k#1*Vm}3{Syf!j%sTGB2{Yfmi$#G_0RYFTr7f{+weoSe2pN3TpyQi2hKX#aOQBd#8LeBN3f_M#`lZ@H#bbTy+j zXEK_*q}*f@ZLe7$)cmkk?}LYL0tkwB+L){A@t{(8ebe@pi-^TjB}R^Fbi8H5mnygw zxNOW3A(?Z#c1VhblBC5^rJBJ+pkne*=;#P|i0=y+Sd<(Y##*nAziT}%S-o)FAUFa4 z74JNLLsRO%lM%6D)TWr~O3)aT*BAOWdG;?bjk4ucPH9_QHe3t8(-*$<@-Hx*c{jv% z$MSYL*`;Sd7$+Ksofi{-sk!FNS-#%ba?{%Mr_fQ+=V^jen9q87YC=+dxXGbp>O8fn z0R@G`^)?NMwI&qw0Fu~z981zysaqXpz`L?_c$p`Fr9KU?gdY)+0*RZ 
zGZ*Gn!#&$qTD>22=Z-$8b}pzN5G&#L!M$El%7Lfv0rt*^rTRteEC3J8K(H&ecM!{G z8(RfN(`w*NG%St%4g-)G1CU$n*Ml9@6-idd^L6?h*D6(ED`yjC!y=%_rY!QSv*ZzL z3@kt+=i+m8poE)&iAL+3A~N7Hmk+BKk20PJrE5p}wZZbmv6QT2CiJ6*En0g0S1N>! z(^LkwJsvWdYx67cQ^<9=ks=RE0-UHK#>Qt1(XR;wCLC|K%4svwrT^2MJ3r2j7bMXj z+nDCeG`Qnr&LU{{8{a-J6frf6l3T`-VONRQz+kQ@^E)3t9j2*)93nLZA5_@Mpu;6V%J(_jX}AETK&s0#oV_7Q^hd|Oyc+<`gc}4E!+2!63F)v zw?gIacCdJk_g7WJir-VuTzvHO+cS$W6m#1VnbJ1gIMwYkU)&~b3M47(+6n%-%q-sULXWC)DFiPB{mS2VK@M zE>B3)vTO$QC*~}7b_qd^%T{Tk6IW~&vhKVK36$R{7A0%rvJz=Z^Hi!!7oMzthSusI zR>oCLd;}1glqr~e1QK&~c6rKLo^k_Z0S9azL8P(m;)VBC$#YSx*SEtu?9M-gy04cP zTj_s%eMFUK~&x@)qE0?gC0cd@yG3BJ)i!+m>^T;(!JYu1Dc24a?>{MS-XeMXU z#Cy$JW&#?=N}r7D2^ zmW~VOKN`AQ9lBvPFmze`VAD37U|5=o0f@@NFP8|bG9_vj&)vWgf)qoYW>i1#Uq5TK_!{!8 zD5qP0x4;*DXT?Asizt;AwxQQ2Pl%l07gJHTJ1jRb9gPmkMf<()mB1?HVnlc_CZif0fq*4LgIq!jtD{dJUuU3wzx*n6s(D8AFtoG7Yj@t@SjiC z0X+?!57(!<5rvhz3j?ND!JGmSOA_zyIV3~inwAQ>V{T`2)x;sy81tT)x&KH24Bix! zp_y49o_Kja3x}8wpj@iMy#n}TWw%oGn(0AhBKa?xC#cVwBLiV?hjixRT@RL>OHc$q zZDpUe66Cn!@%V;N95yO6O(Uns=>7ikAx3>aq(;M;hLkm4pivnlqns;>2oO?6j(4l1 zirQiqjAZ{(Z{?u`WYTx-c3(JR60mn71Y~IJ9i6$`oBjxU8?`!O?NUwQFjow4baVKe zHAAr+l-_G0$kM%SVI=0X-FuPrYh+0KwZN#LA{*ZTEghuXwV1c!5$f!HaUCK;h9 z_SlI(z>%wS$F-?Mzuw&Mw_{R(RI{xUhj$&D%Jo|IQZQ*s|3dpHYMb3=EszBZ#I;G6 zMZ<00|B*0EwprJuA?Ibq*{tz`3vbxeXIkdbEC95@Qy`nDS6kmC;;hZ>qx2BG7i^e# z-|JTV{D6PWagXxq=>i8ws<9*o!SeD;y~?zP!H2(#I(XxPFT-Y@SS2$CI}r$q<5w5n1>41&`d%=Q(*ND(f*<`qmWbn%v-Ig#uhze%aoa4x*Sdk{%0es-5N$d9?=bHDqX?+bKL1bZ z@!wwQZ?^GY<(u&EcFl@5>kc!p>UGoc1Ubb?6j2RHodh^197om5W|omWyk(|=rqx~_r)n$kUK1WTje80+2sI{oq> z!1kgBjlOQz$(&iRu_G-jet|TgjRjlEDh_(2uRqgVXtatL2cgdn_Pc>3jvg!2 z(?SHO4m@~IarQ6o5iug`*S231mFAWfT3NT|VUMjgdh*HEjEk-1kbNc;ji0Y28v1e| za5R%|gDb+iWwrd5Pi&|3WZO%n?=+ghZ_^2vA7ysS+RQRY#AkV{4=pIGZ`WUoG%?$P z_q*vi+nHYl&$*MPdu&JBMERMy#yl|2o-eP#5x2ZlE*Z^z3#o~uV^ z1a`g8n{D>1QZ`l}8gznR&6EZKmXqC&)1oO{cN#Rx*?>SH&GA|Y ziTSumQ@3KYEOf99$7y5i6C(ip@N}&+&Laqtu2`+`s#@^8a1`76y>$1)H4Z#6hUsj2 zsXW0;Bm@eorrs4Pcom-K)^&i^9;+{#5DW>TOA!lw<_Whj4z_OBFQ6|&Pd5kkACw&1 
zY1$iGSexFhr>?wGKJ1PT2AW&-JO7|35{yG(cV*I=0tQnMgtfTk0i9oWu>Jc$`dN3v z8dv&jNYPU8`!!}Etj}=s3OKpHBvA}%bJ}Oq8_CdNgIYBlt!^78{eDOipOaIhRcDTd zS-EJ;N;XS~XX0o3Bl|Qa(BG$gk?t1RcC!?UNCFhW8n+g-p)>pQ!(k5p5V-F%I8+)oQgt8|z?4qp^5 zr#B7yGtH#jQRS(ia)W*@FHtv~{fS|X;o(dWjv(M+sb$36Mh`T0e{^JF)jJkTYc-F@ zA>njDUiVP7Xl3DByFafo**=rGl%{0gZ%n?_u#)APE8cV7sZCruU=vc-!}E9sOH!KO z({^pgqV&Ez-@p#o(Q#jsR76h!(4&p;l_&``KA`8T0D>agn*CrrS@f-$LXd@zjh@oX zj|0052OImIe5%6xLnPHZG6i5^~S z42e&naJ3<^R?@^TGQ{A3u>WKp=?Dne`7;Crh$+i<;Z@#}K_>l?E*R<+IXOKsln}g4 zE{x+pmSao1aPag0JNEF2Kgf`SO*#6|pq)!99?5@OufxI8s1GDhFgVkTV}UNyYC|qR zHw+^xh6mN32zu4~zBbXny%FlkI8f^I&fp4|)To*KAaWxMmH3$*!CfOrw)E%OtnJ&j zA?vHVYCA`+Xb3CI$4B1C?uPZP*oZI=YOh}{eXGs*MwEKwY{`4BI8zKmWf*(B`OEu) zifwb4;JWMZ+0RQjyXLFFMFQe&YV31Q(1#lJUO2!zA(bz~D<$>QBf6w!O=y@f8$CsB zCVC19``RcFSOz|Ta z(QzZ4W>*~)f8qc-UxPt(sAF!7k-t{S)@!XupRgO$5+L!@3RL#ZC^YfCUnZ}_isy`9 ze5h0o@Kmuh^YLP_uh$W9a0sJ&07Ex)QF}bt)q~=IfNk-gJT*hFHl~03ExdQi9tUb> zJ_2Vq-kFCW$#wtnv4e%qagC(XZ8FSd;Y}>;IjyhHlI1Y(6oVG8%XS+(&{{>#@%QDm z+Qn=30|C3O^BuwWwEv*@H-M{YHcN#lelLBGRs<<-TdT!hi5JVa{%69H_RoZ+Q2de! 
zf=4_e0mo|KkAzc}N$7d}Q0@`UnFf(OGj8J_Lh?{f?MC{zfvVJJF!E8G=wT`dUlFit z_@n*!mv&HJk{AsoSqN&GmZ(hnSi9V>w&7l+CZoDv{i{{{2RSGa=Xko8oYihz8Ej04 zc<^I>kao=w#@|Bo-1)39jtTNIsH&JAK9zT#5_N8AHDMZ4kzvFBWCb*%Ryb-PpUls^|Al=2h&eQk;8mm}mr20IxwriX&Bkv%FAwDSrwSyHxo$Eh8%XPJm-b_`whh>kh?blUq@kW1M!8)1z_ z-{_lroKYj3nXw~RP82L$$4}?R_V^G08lZI40Bef96ZL9L$_v4vk^qZbkxk6ill@`)R!^sLP@s8@HdXkd$t(+yo^K{dY z(Y^5$fe0ug`-{L}8fApPOkC?{NLLu?Gz!g9weIL`o$|d4tX?U!#co*cg9mXL=+dluEq3T!~oVt-; zy3t}(+Ym)y#YOH#c`})4U2@o~G8aEA#{GZ>Vl#t(zdUCHZyYGT@_Yl6W309y`R=Os z*PRl(N2jeCyPYN9<9?*uXusrNLCfu0<_t6T{EOfG%;~HP0BV z4hqT6k^YZcpzsTb5l|6;5V1c0-VR`C8J%ABCbOGj=bAZ(CALSAP3cm)W zUeKjvi$3|+PKOK6mUmO{WYI%t*_k zFn4o->>}g$^w*nhCu7iv<`~c=Fft4vUlazD&70$_1B36dL7HPrYZwN{dt+BRU@N4 zPw6QBqIU|awR|RT+xN$-iO@Od2;@C?gK1xDR0c6Mrv5L3tX5{3`x5{<->xotdWtE= zzpbh+szBtp6CVTi)>F}1w`n7ncrqTd|El?SVSIms?| zNhwJ|z8l=wKVN>4-X(pSBKxn#*1xAd|0n19XD_R3fNoD*&&LtfE)5l(UT>e(>%dgd z`}=8u{IdAk!_ChvJZCO0x`$}DF2rui$GJ8eMMVOeQw=wo3EV%`v|`n!Uc>Zw%a#fv zuF%Tf8ZlfFZRT2mm13emHyL%09(kMZ-v1Xi{5vCkmOa!sO2wc0Us_}g zMt$aiB^RrP>u2rEnTfRyeJ(Dcp8;(g(8iM}wA<&Bx7tjL_2L;!IU5Hnu34t6S}|#7 z8~FUHq_kBTd{B@G>w`H|149bGUPy>q87OS&fAD(m*UoaSrvYiIoa~5?hcM|U2{+eK_kVS))ZWw8ny?!ap^qtE1!FL%PSs2BLR?5%jN8W2t0Q5 z2OdaENr@SA=)GxV7HiYFyqzN@KlgEJ#I)6v;b|_zyqBQ(+15p2iblb_by@=UVu$U4 zJ+&7yMoW!4!=b!)Tg_zp-34Fe*ZW|JA=Y_$sHxG_I zMHBB*V2L=7dw;CG3v_OEJlzNxeVvT#+uEHD82v;c$CrIs%R*kiPBUQHYdkUXgQ`?)=Gt(+jIUJW7^}81r>)z4@{LH|PKQ&{j zblU1hFhN`619x#!Bw40TDYS4%6P3ySN_GMVV8_^-oL~55KgsWYQn{!dSaI8~jL(@U z3^mKa^jl!{isaxZcnpvA^i@-JJSeDFgiqEUAF#3bhLjNm{2yyp$hX#atB5Agkll5u)J?H6?si9fo=G0Q> z=oA0!r?^>vH5oDZE(+uI>s2!5>#E;0xCXoCkk+aAXTsCXx8sZLL+mNPZIdn%%FwBd z6qQ{zGFqt??Pb9}(uOqo^VWNMhOCyG0EJtJ0JXd0%L$L}~&hl}m~#Iik%h%?-<_ur*q)Ax0lAyA6=@xeWbhsv+n zdCxD8?7bMc4ApHHoB&|1X)ahMj~6u|+y@o64_g7a^w*mU7X<=DJDx@Si!ITmbrm0bYfwCCOE z%8U`AmXjK8-}RBr44}0w*DOm4#^IVrqhIe&tYc&US6RFq0D5`=7kU7SvOFz|b!@qD z?cIsAd*7b70KELl8_zCU$>VVa0zOUi8HP{O0-E6q_&gqu`eSzXxU_9C=dlsV!Sxp$ zzKLvWQfr^KdcU()W;%Uq_r22ibWl+KGG5lFx34(?NDgdKCh-7sllG$q-N3Bwk}1rE 
z>cc~Cqj8j);B>h1*}+PESL;krP?jG|mz{1+jD9kz_-QYor{LJlpHy0kB)(e8rVZ{Y zIAcMKEGd{%prVUPJHhjnqubD{?sjXpNyL)_EL;X_mwjY2d2l*Czope$CXvR|ro(ogb}Cg|+(krnytt39rk>OU zXU5P{05l`DS{P7r+Nrbl`ZjAfjaYIls@7xbbp(^u$Q6kXYF_tle;!5BU(h=>(km(EN1j9pkBhV! ziN|iH!(}S1)!vX4E)Q9@uht`E!?td2Ogw1c_Hx*^nu^~vy2>w9cwOk*XDw(6j*s!x z+D+MZ2UF9X9_fo9d%;uY8uz<04TK|rEBOeuN-J0WU*7z9e3jY|Mt!=w5cnOAksoNUKe$Roq(Jaz0P@;RpA3fA@F3=bYa;hZC=S z(PAR67-(2-SCj&xTm;mBv7vU!S4wGYkU|1-oTP7}mfLuZzA^^mv!js~|7ptzC$aIQ zlaYz2ZWJ#JwX#-^MF6V(?Y^ETw()y6C7{#vun&O53RKtAAFW=;a%Ew!ssqqd&z_BH zfCm7huC^#hf>>sYdG8O*rENH^dReh<@BJdSrxDRSHl)ROVX>_-MSBzm$00F>tJP`mjCGaMIRpwzpXeaD-8lQZYD zYl}rukkrj}1|VG};;OTb_S`RjpXbrhha9(P{ZgvP_x-^r$g*?mpR6xRkFs(A#R`I1i5)GmoL&$EH&O9v$5+gGx*R zK)tQ44H>5&J-sd&k4 zeWQcPCZRlL)fw^VIhHHCha#)fc2T)$3A)Z^n;N0zG;;Q7CW22mRpY3&&VQYUq@bC4 z_u)o=u)qPTraFDTl-^-teJ}DYA}_EJH_Pc3ZO`i-J8-nn=EZ$y9sqRRdp#x%Ob6}n zFBK2Qe*EjJwbrj}hudrhh3zw|cS%qm+s-8dD-490xv@TT*kuR>?|v9vXZ|Qp|DKvS z)#=@T$EjND?N5i-%mYWtLLcR<*9t;)+1fa$8M{&ffb6^<`|PPg3;^UnAYndX3cDz^ zB!_RM98vLQ+!&7kV-M7MhYpT4)IcoxgUoPr9kG^!*OR{E=7fuaP^5oLT&~v813iWh z8mO+}ZZ`mN!84h-$lS9xo9Ht=dXy9KS^LtKM>)*!gD1K@yC^lEAHDJ@24L=?J!GaG zJ+vgHm{*Sf6FVDi=r5c-ggA&(?nM{gtbC_>w#y#DdaG)f|QskRKzqL zXT80qu*;a^7wAwn)C~a1Ka!)Z<|)@+2&GVj3$;Giaz)`KGZOElPg_{NT+HPC8SSzp z75qiRl(XJQAskKE85xiQ0mgiyJ?v8HmB`Iy96!&dx5+5`*|lEV;-;8a+l}`h7Z}M! z7+aQ(K8ue^R<@n2pXdEYEbe^Deq(_Hplba7)V{=I?3*mMe$H=wR()Xqkpr(Q)YWLm zzigQ}$6Veiao%Pp7&rG^B4Nj%=xU}|rnGeEL8;V3WJx__V<4d>Voe~t`ow%9n6|xZ zx%E!D2tX|PuP4cA^$miAnus-lu$ttJJBMD*QkcsO|CAvS+XS{usON{z&F`q`A;~QQ kfj}T)O&|~mg#Uqm0f&5m{QchLDgXcg07*qoM6N<$g2PdPQ~&?~ literal 0 HcmV?d00001 
diff --git a/documentation/files/selection_304.png b/documentation/files/selection_304.png new file mode 100644 index 0000000000000000000000000000000000000000..106f5a94c17aea334839a2cc4ea57769bc74d669 GIT binary patch literal 83986 zcmc$FWl)<<+ctHy4!Yj>|b&vVZ`j$=dLsmS3!rGAQogM+Ui4^qd$c|eMT zb2s7fUF;J|RiPN{&po%d3Yw1}Kb~Du{f+%g?EK!nwn#ar-YK*)ipp-Yna;*&}|*B zvzq-5b`;q1hEQng!QWM!-i&`9#t7g0`_Xf^hksYztmFM%`8Y`RPwQ0RKNVivJx{x@FpIiHd-k8tZ6vI36x;NkxUE z-p?-VHS#ujg3aceWN$_1qvpf9urgPx~6DkWCX58uDQA#{PQ{JI|dtH%#Rz2 zCk?Fmp6<=J2i{(t9}V>P>n0r^9nk=-BGxBlG>gKm2#;IAOaYO;&;s4I`sg$o7PE2tn)7kZ5^%c|k$J#l;0EkE$KX zt=#i{XKQO~Vqzj!E}CA*`8x`Qnw|CC8iV^uWOXh*cldktK8CQmO++BHSrZFYGMoI) zU8SWvccyEk-@fGw)G8ULqlgz>*vz2cpQH?$5 zny8rn?iJw03m`AAcDdo^`nrJYs(ijWyf2k1cr!zQRIMk*9@|D8{`T!#Gc&U!cD=Z) zEE6p)naSY5e+){DDHRyfiCta=1qJVeZVEzrv5loAMxw`*!NZ1vRzAOC-x}!YrKYFL z$;tV8d#|mny-rm8w_W|o-WWZ~&`WZ#w;!9FTx<_)kBuEJQp@E#74sBbZgSHuZKN$z zhr|31`y6KL^7Hb}E-&qpcCRvuFQpRy%ny7EBwX~wnEVi0j#saI{>Yy{f6mU%K7YOoaCLV6b8zqkAHTKaI-|{Mh&Od-46ZSd#E~xS zR-g`Fb!|+0Bx*Neo@B}2S;s#gG*mBcw_u^?u{n~@;Ez%B@;bvB)`Po0I1smMq6@BP zplb(=4%;B#Jh9e7TeNI@mf&&V?JVE$#!1r=Us?I?NCfM&oSae6&tJaG&(HHa%}h@p8xOqVy#90L$#cm0 zqXUs~K1_j|;aIOR#QK!$hR$?_e|!Kl(f&3ya2Xw$kvt(9xuF^KIzG_*JUv)udyz8t zs3_Rj$LAuA->#{p(Y%KM8IDgQ@Qj?i?R3G{-%(S4WwQMODRcC|#E-A@Gw@eHX%l8= zUy>YovA65uXZ4ZdN901_?R6ARi-Alwr|4yms-^0c6I6FBt;PGeVA;i~O%$0Voo5R# z(b!7a!X4JVgY*5~YY`Ej?TIpM5c>A*8`kSUnnp%+WMpLY^lcV>ale26zDyM^(Jb!o zSCq(-bXy;cDnVvuv5yN|@5v`(eIP1Ir6)u$$q4J=q^e@EF)`d8J5!?58wFpHN0N$_ zfd||BPJ#}>&3RHP46>ucv}s$Qqd6!vYHj2|43IOw$ybZ&9;z=add-xep?Jq15(Qx0 z{N=^_YeN;mQ)jrc zd=X3niI=!bM=lkjDtTR7VKSyF^PQsE$2Wb7hC5Azpr_r?fdBRqEza{ByXn#Q)_Qja z}+kf#E$CTe!~VsS!HEqFc|6JRMm7fh+DD4N_Dg~lpG9o-ofK$0I4Z5 z%dqF{vyA$ArtPaNf>}H@06DP&^?$_ik|S#SI$~J7hZk(}6bttiFMJL573jH%;_&I{ z=&)`)UZOKQJ1Z(Aq^b2+3GH6~{rf#K-G9S#o0^K|ud-?5M%C8)?ug;u?q!P5i^yiO zv|8`+Vy%ON13@~oKdQ(;eopYB+eEKa(34PpN|>7@Mu*s$LyptSwje}88q}qjp7%-x z>)p>4@<+-H>OJz1B%u~qBQmIWOq6Fz`|8~tMrKfFAFG(}X};?(vSw&tFgr5BYd=*P z9Q^R!y)Q$aymp*YS)!hMk%9~Iii)W2qzt 
z*fMPm<9!;M?ex}WpGsszv6*7T`GG@J0r*_AJGUn!&g?naFYG48A3sYPi;cLFb2fbf za{lM~hQF-iOX?g%V{NJ|=7H-6fgxE+eMt%YPwelmi`{BM%d9}J*pQ;FzLN)ETl%%< zrCu2tKg^N9m49omUKlq002v^s~gFa zOynz_G#?d=`k$NE1CB)lHy0bDBdPm7R{LV^H@1lH!kFn~D@vCA=^GtokKCI|JuWfH zZnbbm^|8FHo6D~5+Ki5V?cwa-L0s%lxmQSHnHLBetLFcz#+tY3OQFAdRE~s9QP&Zd;GHK%NE6|YdfIm4yQnlMs$A!JMP#ob`91d+<5<1^IR{NZ`+FrLCuELcVS{f2OXdpJ< z8T0z$=z2W)dZN^OE?63r$0>~YajB5orYmlo=(W5LZHQ>ep-zmQ?XpCns1}ZIPCn_~ zzdYTi2=4|x!x}CK8%vdvIa?FCHrgIPJCH1&>NPlD!8H~GsITpKt<)^{1bDfXa!Thp z%HP@z4E3%qlV3A3e#)`Ce3OW{jzq}RwE2pH0?c+rXGbhpPi~W7jBU65krfY2e+l5= zh;esxcJA)%@Y%R&X^j_V1r$?(&o>LR%8i<}-7MvS_6A2c{=FG1%gZgTtys5_kqK&R z3rL<#;ph7Lma&stDT$p*+y?_hiFI;E#K&tS@59T>$wNWdWDO37*Vj~S&9qD0oOQDO ztk??(`20h%6;Q{xw5ZzFuJzI#X+03k`#^NUA)_(Q(`JB_(=aaIF{{PPdZo*9TcBw> z$?$A{CfcfM(b&&{+vllg=bn4o))-7cb!J#X|1#8nw-K{z{-Gho))pQt&z_%4#>XEc z!IzC;!}LEnG**nipFpk3pgrP*+Z(^3Nq$g4H^~ggv_5L3SKPYmb0D_snuo^Yqf^jl zklTMatjKY3dAIdiP?$644gL7)u=&!eXxL3{VYQ#nB^N79C2KamDdd=hm@S`BWpv84 zb~IuxG(bXmv3O%NbrqSv;!?ZcW;_EgF1|QNXBp`07Z(@vof>a#Y?SIF6ptqV+7g^R z^-ol^yzH;D>OLK52Tjj7KaFNmd;|{Ia`A2b+29~~RkgYLo6uU>=Z87&tnz88Mp2^hI!q5p(ul&4LV7d&vM-Or8Z}u z_wU;U$XDU|p4>Ch&^t*L7tLSwj;}SQKD~?{QBV~-TE~?5-qvpy@;~`0@PZ+5uk2Tz z!|iOVct5)JwOO!3Ut@+8JuoZXsmzG@cssiNYKi+S^1XC%m|;6-hx2*!;v=ewo|~J% zSu!_CU*X=5HUsmQi(JcesN0sX&mNfISCg+g6PrEqt}Vn}qY0 zQ9eEN+4MmuFIpz*F7Srvi{wfiHA{pYN@qOrW#Fu&=}n7{_4b6}!qI@!_I>g!E;;}c zK-Zc% zWy$T{K9td&a^{b5a0ufX8XDjlg|^1l78dMAO`4-Kb+xr1IXS!PwJP(T1=L_;ON(C@ zlo)$nXdR^JUpXLW*Znm!)8w(MkJNQU=+7T`BQ0$c6`6@1A08cXaBw(zE9uG1B%u}- zO^|5#jRfqvs=f!I@Nw*Q;8ks#DQ1X{jX}^18vJmE|K*?%#$aX#A#EpcyBLKbzEwOk z3%(c9i<&n|-M?8|8f9C+8}Iluc^gJ;)8^~@R2&uAmaYr}z5L)Q(n{v&%HqMvqCa7;*}6g-4@E13QS&r zsf2?-AU5e&W^B7``ELwn{8PuIH4lQ%O8%FZ#dAr1Rn7@K(iXzVa{nG;;;R0*6&eAwkJ#z(eI?FV zz>6#SgG$S7mS!8$*h`FXZcbY?(rDGnV`(2Z>|^pRf2UFiV|9k4`0*f0P<+iyXgxJC zTJ$J%r_k&68uIB@luM<4on%^>{^Ydaii9lGJ3{Jvwaz_0hWZR)OWiXDJ(=S7(sj>) zI@}lpjvHgh;Psb~{VSfb&52&v 
z6Y?Ww$q=wSqY}6o1h1n7R2!avwzk`|l;X}KN7`HPL_f!W9(XKdp@b|hsT3(vQ%;l;^>CGHgyuYCWKLF-6KG6-+8GJi*`@4Q~z z9liS`p;+sc8?7ac)n#wX7vA+{`@DxDW2TKPaxu9&F$^>h?%k^DaUHTsfJ8p!H0eci zcdg+Dy`4j2!2&|cP*9FA12}W&U14EiNJvQg&Bb=wZCYBIEz8_q#a^w|j;^!wBCI#B zq{Kj1w@4ix5gFMGh6TMf_3)_6%{5n2Qo`oAf0jDOZ4v8D?&$QKva&KR!-jV{I+KlT zi)ajLkJdCj;|liFvTQ@Ha-@OQnn53W0aQAs=YqSoU?nx zE0-Mn7@qw}mrb#h5k)-aV%obHJVmRh6OUhid2HJ@y_j=dKD(?~49s>3zE|{4#A<)r z{&;H~n_{=BnvGf0N>k{B2Ue%l6=PD|szRyaiktea5SAK1rIwtGyKC7!V$JC&)g;7i zPb*bNjAt-4H>gYC8HJ$Ykzm_NN5M%;OPS2tYzJ$&EAy(z4{5YECo}Kc%oEWn;U*su zS`G&X_=)6LHL*;qzg(~PTSy3FLP`=bxUbE(GR*|YJw`Q8r{L*Sjxwo!0E8S zoAc2^RXZ#Y^AKVuQR;2#IPM8c+EFY^;rrd7McHA1Jz)-%k_;S;ceI26dh)f3Id2nuxf{eo~bOWRKe3eftfN#C-gQHN3yS-~aLi;_ZfoN3da4L`0-Sr(zG4 zSap2R9#GdfwQ?Zrrp;MbBz!j1lbUv_msHg3=D3x%(aK}|jZwL){Ld4Hp}MuWH_v}l z29@g95AHT?K7N**SUg0^J|}zaGC%z_YBdjV5rVih__8k1<{Vt3u(z($X2S$9QoB+Twybz`i*Q7&bZk_4mtGhHBrYfK8)SzHu-iO$; zscyX^U3AZOZx#QGda|c75C{Sr7TX9EY1-~8+TmttE7v+)E@*o3v;_>j zm+=>vwEL#M(mZU1l(mfB!4LVw7OYDi-vJR~9^Myy+qS9*-@c!45PO+L>5V0*pxne9Q;9aJheD6G~z zBrN1+d$y?J*&eD8`8DjUd1fO5gYB%I^8h%3kBg;1_eZ2 z?K|bJU-4~N;ORC`J%F^EY1CKe^kQ>564LMQ4qa3rI16!E0@a)$rWa;@q8+4kG;0+CpuBX z+<_EyvIDyZ-ko6tJ1x2>*WI6}Lr005ql&_sl6;P18J(ysMF*=;J5kqC^Uh6a&`qSpL~W~|FreI^ABKl4BxqOMN+*{Y5pqPACmR&zJMmw`lN z9)9-wVwdLugkvP_YARPv*i~H%l?{sBVy~bYIyl2jNIZs^PY~udNI{oVHripc3A;mWjfDYwMWHqZjU-h z!;4Fvnt5LP<#h%0TM*tv`p&!V4B|jA>x(aHSc?aERctZSK-Tg77CJ*l1iIQtJOP_FE$Ch9{=_07YY@PLNBVU z&rwa@bT0gIQldVB&D(oR*FZ`-;P9K~LHi=?_jicjxg^k2 z@>XMG;Fy8)#BJ08sTvWw929`~5c82TR=!t&+^FA?8eJaJ+;K4wWCqBoW%b!*0z+&A z(Yl;L1Uafb3mvDm3ca594!kUEl)vR}Y7z3X0CIS4YBBdYX5SVR@J%MeigQ^2%Q5wI zGA~C5AIBZO?#-MaXzW`F5Pn$u{cGDzxcVyJSm;S4i)b)Zen&Z^0b|Mz7F7!V$rt#r z)k02Lb-R@Z@@%9BxS9JwzcJlC!bS}TDZ=x+|HJLgHORuri7Qr~i9{ipn9DOkI6cy! 
z>ACMp`Kigg-QJdw4`(P8HvWv+y(FL>e z70g;R+0DtQLB*zS^8>H}cg@wT7}!?Or{i~LyWe4d05+dn+Mazh+i#7xK@8XTJ6qoIdV80Oz4rA!>I)2+Ri{A&<>&m zU6#FaP-w#h=W@%n$xc!)hW0ACt=+k_!F&P-__Cz<&%O?t?}MJN_{q=+++#ko(+uw_ z>oO+r!}bk>j*}Cap6~tklOLr^yQllSENyq{L#u03p5FIVW{fIoCRK0o5ABpI%@TFqIcrL%k>L&M|AGaBe& zRQp1u*KkDg}AxK-bF|YHs>%*NpIKQPBNkWr2 zjhe8mL6d;AE?T%2OQ;HBp=-15FoOV?48vuUf1~F+xMu&_Vf;%~YAPyAOG|HW@ALC> zn>gzx4=p_)vo3mamktM!Hn6rgTOZxIq@2QSI$8imNnDm%M2#ZRiZH%3=MjN5X;9Y9S?j_gf;GV?tVruWTBau%*Y~zL)y>xc@74)O%93i z&PYsZtiby~3wfrvNvucLSr5O%Laycx2Rr)IHugM- zu^hJ8a!zh;z5O(ngdn1&Ep6mc1m5$&28SNE;yr`)(%K?#>VIniv`e&DwXjrxz5UK| zclcz5$?e5<1rTrayxL6_x0>BRN5}K`_fHRS$^DLyf-65Gaq;k054`H*gztUdJzWvK z)nOtzUP*XD$YwdSUlK6sb9_rKgqTzh%ZseI>5{nZ#5KNpRMyoDc`2OEYIjLv7jET$ zdeT78i{{T7tXqG+v1j(zfIn)o;u8`^hlj_@GyUbd``g>T^%W0~ZEEXS6g*s9g#9lt zsX%M&22Daja`)~`*5?@>YhCnLy&5QsxCCTNQ%0tn!o-i5mX?;1a*8k)aVOj9msC4G ztu*PEnVLdUmYIvt2V>e)?RKgyQoZf-XRln|{M9cW4j}dwJNwShZwa1SCP3?8Q+IcF znD1UAov4R}wY9aCRonH+EImE_%)g5J?jbKRglSM6URzfuz{$CHx!-Qm;Jozt0WOwU z5+PiDh(ifYt$}QWq4Syv%JmRI4R|(s1T?1?fh^5WtNx{Bpx5)KE}K8UqiKt1%E?*Y zZ@;}co;2x+q_H+PADx*Iab4~G{yh+O_Zcy9Y)VS+nkyI#u6LZjSPth>$rRCgPV|A^ z7_zdG{g0f2{%kN+1bM%}n>!H%n69;Kp{!uXGCJGO%9Wn%*nNF4)iP2Y-l{s8r90y(>Qw&to z5?Eu+6bl?;zi(BQ3$_72KmQK@)cn5&iSy_CQUGRHuD&T^T@Q(!9+pkUQiyNAy<;N5 zDg&^RffVT1x8Jb%No#9sU7ZIO$ba*^va<4h`49SkruhhWG&=b+4-?JbFZ_?5MNI$y zpW3COHiz2x4xgV#s@Y3Cz5`Xj+kctIp6B}D+F>OH&O>(4tG|Z(-M>e3Qs6z;-$Td2 zeC=8Kt^JS0<|FJc`^Pr^yZmQfa|C$f|8Gj2|GetIN`C(LbV1Q9#`}Tff4ueIN_28h zY2cg^4^)@A%A~)Y=2{GHc=*Qf9?oZK9LLw?POeBQVq9(_ZoFLP)zis(#_~HvlQ6F`RZy!;N16#k!AUHp6h7AtMw|2LAP|7N29BW=_FsL_7} zQ2(Re{%fNRu9iEM_{BftuJk`4zUb1d-5~@t8p2{?Vz9)No}K~->kmUiLkkNFZ@&?V zq6J=Ug)xBvqN3(fx7vL8-QI||269ys;%E5P#h>E@%;oI-Ir~ZJ!S-%?D#GS#7K~<< zK%B^9X(jDcojI#5i`?5+Mq$#Vw~u>{Tag(CZ0hD*`AYq4+p}K_2s%IiJQLn>gO_oi zY{;xs7D|^o@$YDsfjRPW3n9L8<;B0de%^b{!A{I0_Dvo&)juAn98<%%jN>S!uRnv` z54y~%>g(&<+9Zhi1q2H6^O>2LzJC4c<>e*T)qcG^0YS5k8*M);gtO7R?SE@hm#3Mz z{}2$cPq(+Tk*hZpPVs>9)GoRi+xwK|fuV1e0wFQsT8Nq`hf 
zblH#RQ+UYyvF4;RcbT%2&1;{d1Zl5CY+qBy5qFOmA*9>om+WP zb*%Xe{fuTtPhfS8|Kfu3{oGT$jD|Mr)S6;Gf#tA{>na&ix>_ido!#EZZ#+Y^Uv0dM zSJ*cMJcVn&(LDtq>3bO3pmMCadc@A%&@ewGp~0VpsB_vm`Ddh^+#{!yoSAo4y&|jZA;`O z+}2%H@*@hJmblqJBp_D5?@cKNrPWn5cR|IlpME&%1)GuxjX!gJagg=D|0n2KW!yOJ1vG8DSISJLFzN$F(g0MOQsBZ6=Ww=4bx z)_UOLJ#iQKO&rUL-nby0qvBF_S;cAr*tbqw`R|~_c{I~4;Ew{3bk$QOj9bcPRcgI8 zHFIYp%U?H+UdQ#bAj*-yhF9d8C=ccJvfOyK%w%0!)#Y}${RV{?*f;9OU9 ziFKioCHpDQbzactpd}RK<%z<(Gf`GpO(o<$hmq)JVoVItvuBtOyJ>r$-@?2tG`zG+ z!o)8+C*>OJRGs5Cm$}Px}bogs+Qho1-L_zpBc!ah&cjvTrg-45b%+yu%UYPUs zdS2aUU@N27Db!O|OLr0A6(}hUz^5{DKzI*N>`X1T;O=G{IOHgd_c3Y zCqSe>xJ?L|s#H8@E@?s@61m2lrP|Mt{IslvMTO30)>8K2apb}5xi!X+%pKp_>G&Ku zxt~MqQ@pqJiDsKAM6Vtr5wvGja$}0nDnj6+Ua<hFR^cQQ#=C3&{o@bXg&;}HAn4T>648mFVZ8>z_lmA&&U-~2& z$KF96$%l6KGPFED_YYi8i^ew+>wTj}9w>Iz%lsus$_lGlazlYMrwOx2tW3>j98iX3 zAK+{)B#CoOCy+5~dA)#d=@qG%F@!ohUJj>{qEmz z)YG7JLcwT1kDo+$I@f?@dehw&XhHAV&}_!zv0>6!tBGh|s86|!K2TMTSIYb?db5wY z>SZpW+!j~*dd|EXUNzW8&QoqoBqFozyNZ&&*P4BK8ha>oDmWqjXCPnW5 zczlW()b(G6<95nL!-%uT6a4qO;GJTf`78EkV`&ssm(VWz)zz1om^I7S=-jnZb6?2@ zR>Ai14m-c>)F^iJVC?8i(y}bfw)u+%hXLG=KQD%QZEf|>07g=T;>JLLS-N^u@ND#B z+FRZC*NJ~fiL0Vc;%U$FUWwPAzA3IlbqQ;L$Fx#;hQXyar{cGJ~Y)eXthp?U}o!LEJH*(`hC_DpWwUcyKd{hP+W4+cs(TGShYr_E1v-`?e9Am&P%tUWWa3U^f+oLLg5JJlVbJz7f$p9Z z>8^=xBW0Z?l`Q(zQW=o!opn%NxpI@{d+J)TUsB0X_u$Aw<#`u`{E``C{Ofa;;ES2J z-%g%8k#-^dwez%F1}e5CS!Se}CjgteiYb>Id3|GI;6W+)siyHfsAUwLHx- z;#zL%B`8U|L<}UJg})5-FATa!;RRWUNfbG2fMh?-b%V!8x0LPFmk)zrM=aj@2TlmRiFWc^NVKX;W?sElmod%>x(CL%tD zQj-V$H1}hM_smidO+~|O7H?(-CYf(g)rt?OaL@d0x|;30@BGqTRMF8d(|q-eHL<0N z{d%X{%&7jQy?2?gxF<}{JS%n7AD;@Kl*M?E>aB$={Sqt2B?0gAu%CKGVHDge#GTFF z+E9Ku4ykWw%4vwOmK+$5LB)Iv5Anwgcd(AXzZ~LdFBTJ2wc2xHejb&YiO(fmm~EL7 zg4LQu-z)5)|6FO8eCfKQ<(e+;{gp1Ox68W!Y-=&P%j#@4`Y$UKjxl&nvsDh>DxPc6 zo_!PpBOOQ$e(_eAA|f=frx&k0wT$dmQ6@iQ&?j>-gji3no^V4`J5h^gLgHl7 zA*;Bqz*vp8)$+R0&Z+iw>FQJ2MSu4diWHL>rrDd!uN)f$`s>CO zc}HrP^2Z~Q$BK=S%HXjh9<0n?4)%(Ve_R7SE?8BZ1k*0mQ8TWvM1L6CW_fT*y^9j-e~yMHN}6ZH_*MnHoQ$m2JXf>U_X z?6c-HYriD?)PLnC*BRYm>zkjJ*JNBZ{H 
z{58C>iuy^JNvS%TYA+pZ-#xJ?W8Yj<^tnrz?wcsQ9p2rs9#(BNu_ds7gr;l=;zY2a z6u=RZRUAKjI$EgcA5NBiLZMxhuhuyT_*w%V2sWN|u008Q`>nMi3w+U-QUa@)mk|#n zo3F%|hBBLpWZ}Q31e_#Uotf&H2^p<(nt6#uefREn8+A%){2}7JH~NK{O5sV>rJxDb z!PMNaz~hn2?!m#*s;a6}6rX^A$DGSS?}quiqV3VBop3cgDl*C)Yq$>m!2shlM=1#Y z4xyU(YjkVO7LvRdSg4`%^d7p3pj6IQkqyhh-eZW(#uy@Fyu_uP1Nu9SiGtl$ZJB=%rfHcEd1x{RQ?y^rSbgpC)|r%$x4-E+Kgd?Kf^&t^te z`fJYoCsQ<5!LF&Zwl46>4t0HS-56EJD>t$w04nL}FRZ8Uh`f&9F2uE@ls#hUnH!fu zzj0JcFHtZyt|`mnSLm-04p!wa z6IZni!=Ki@maK^564>7x=I#&6;m!Y)sw+<`{o-C-af>2E`g_&!W-@QBUqK{|qf;p| zU!^B7i{_vl>!;M)H^OQjC7ISgzfXO%9bglsZZ#Opnf{r8tAk|WG;X@uw1ye;z4%@} z(DG($D`QS}4mg_pu<~w3!=eT~5P}{$gWUX~So-^mJD! z)O>vlz&gZMj6^wA)9hr+fU0)}bY|vQzz0+oEX%;L6+&#n`U;z{igI<-;8XAaD7b<= z=jAEPtF9Je+nXwvJTWPLM~qb$sQ2p6=mKQr*eA+SiY@wj26{2hVq%SIZc`=O8mjcI zF{u_wH|5meVT=j&QgAT$_r6Fa4J{+M=|l>FXkS#lCd)T`U0lY2 z6!Tp*R3rS>Md^Dc0>>f?JxaFJG$pv@8KHggJQvbe^Np#*JuA4|mWN3*9jjmGWRq6A zDWYJ??4^mX6FK$ zyj^8tj$Om0ffiz6dSN?&kPYozt9GcSLGi=wM$JhMOK51=YI34Y%88@@ zRIeOYiN^Y z!@Q$D8ARl#JA?IDJvt5#YFtP+=md9>&`;<(t0jNc6R1^ zvY6D>COf1l!(T_MK< zYPc{_urtGNWp{MAg`a68QgCDm`jWw+6(lU|En1d4X(JvER%w=Q`L!wAbQbRomKFrxZ{T>G(`>+ z@e5>~`8&_qkF*3R3NYn7}YQkEvPS|nBHR19t5IWeIp294X`=8>>Cb7eV_TOu8z98yVQeWmJi|Q23jBw;oP;lgR zBPTZ&@|S1?SuTk>6jua&+;o7@ire{0r!w(#p1Arbq=%v&kA{&%g(tVtN23IuF_}aO zdkU~1GWNwh)IT~D7DSZ|gbuJ+OH!B*K`KJ0l5$qZ9s(=AY2PY)O!;3Oew|CY${Tpl z!bq>JFRuCEuA|_R-#llvTTQ)3Llyn6Wp}vr?;iqxmeYpoXf3+ShExJW2C&w{^FX-xB4qp5eygTs63O-({{$kiJV&(W zzadtiSokt&8~?a^bnS81Nzz<#Y1h;gTO;BwI`+%>G=71EqgBfghZQQ^j>=h)D?`|G z^DrNKwW9l{u}VLDw3^DI+~(_aQ$o>{RbiFX3Ein0@NR6*D@HBbrL``$t#5~$`60g$ zjjQQ+uEh20KfAHkz!baXtDGV6^I)cl(qT6VQn4qHXdCVsmLI1;S3aqTKP&G>c2t2}qnIL;< z=`ZV`Nvs$`MDoMl5I-LRGjJ;Q(FHkSG*iVt;C+yTV_vK9$Jx7bS>K5I__EFR7TpoN zl$!tXCpGrlU{Qx@s_t|#r`iWuP%T7)kw`7q!uy#pn<2qgqA|C%FZ6epFBZD_%XRP0 z5fc&;T3e&B0Q1+c_mOj_f5YTh%_I3!9)B7fu?Xi$ob0M#gF@Ekw6f}Sn}WuqA!o=S zJNQ0rk}vKPE>?zy3YW-1s^2P4f;zIZvv2%IM6gs#c2z)%v-`1o+K9TVIM@i|ooC-G z?#n4>J!LMCQu~NLp+WYa`_Y~h<~!mL#qH@S@phP%Fy500+F)cFup=y5{2t*TPsC-$ 
z9r|Ytkf%5~6r1b@>xzi9q_)AfIka`_Jv@!ws=CJbDk)AqK!MGssJ zp3w%g1qih4t}7L7@kRxlR#XY-(*_U2TFVaBm3nbeSBDGLp~hd>@gTMM><_)ch9@@_ zXhpJDkdFZq>Ru<&gvsC&NDXj&oP^4t@!^oqQoFClmS!tQUO9N~xbH9&7G>ol;F}9e;K2$#IqURX9I!YBbRFKU&H)} zQ_AK)t&3dRMV00_7a!qH2`7iv_rx=Aj7;qMPompqJvp}q^XGhm3Xa!OB#u1$3f@Vn zQn~H@;5XTYhDrD{=ISpj7~3Id^j$tw1vt^2CxE%w&rYLie{#~<2Agjj&#C&h`;I6; zJ3=0Tr8Sh={Z!k3BAV8hZ;kbD_F&33lY4xf^{{HI{V2gN5h*kj@%dLRs|S+=t98cp z&vJLgPD7*v#a7B8@dyE#io>ikhl0<{fFD!)H7|5#OmXm^V~@mi4`1Va_Q`(0AIs}> z8a9o(Ntzk-uql6ed-@#~c)1OHCH`??`NG&!!176R+x7A9^9(zi&zMp1e`^7bkZ@i? z|J$R5(M{~-FJvDu048bKeNrpSFBjO0Nxr>2in{gGXOPu!9*>`F;EaPa zC#==Cl>C;ZrB1XaXc&@qHG*#66ZP2Y`o>|>E`pRvHYH+uS(+;hRB~WxgY>d3?u(N7ulMdV1UGKR<*arEcEA>mA`T32TAL>)GsqrT6Lu#R zL!o2cfo-QJdw%2Ka^aEzPCAKnF6&UJ1623&kgG3jp+cAq*hY`OU2n7^A<(<&iDf{G zUb~sKlx z4umc)7*E1{EHM}c;Ea$5icVpgvN-zg{SBV-eTa4ZKDX77U!=E22-T_SF|E>V&pLvO zcNVp5rG(YLES~SY1r9)E%cgHN(6y=1`*px}(MARv;G5gu1OYCAXZ212-m7PVnWI(! zGrYTt=gWF8Ib)0e{Q9JnY0dlI?&iv8REv3lC*yjWqDC}`Z_;OPk|AgdSPED{L*%G^ zbPKQgleq#i$NDK%4X%qNDJ*e*-R^N?*A6Ex^JXt(po~3N{Gt^yP?3)Wby2Ds9-ZHH zBY=l__|=dmXWsEaDlt?q=5o%R&W8H%yJW(ycVs;8Jf-|yZieyK38-T2%}!SvecP_^ z<0maZOGZ`}{V6jt_R$M!-DN0)uTS0C#Tw;6rKJWwmHK3+n0rBE^D!d7)b}9Vi)!9&Mxo++1$4cS{ojdfY zgL)k2Zl20)N@A0Z;c{EqUU&Aacg-x!dWmA28sXs57R9A1lxN|!e*?RB`cr}-7w4| zn6X2C5fm|I4ox(IHazbfy6dIMi%vQV?{i>xDPsxpIegcIa~hwMQ>qW{`qM>TK*t~1 z1b9&+3+_VDY%L%YZDn_sOn)${Ygt%LcqoKxO-r_4^)<4Pc(pX$%;Pu!^3_9I@qR7t zJ;yG^$2cQouMV*b-n_Vd^X8>pGd^UQxT?B@>VelAvhOeAgxM;L6>LmHmwdgNAc`4! 
zDQMREP)Nb9|wa$glS+RF(gr?j*lX)j+7J`*P{Z|=R+lOXaH~)vZ zw~C6h+x9+5cta8h5D2ab1h?Q0NpOeYTEX4jV|akz4#C~s3U{gCPT}r_Yp?8m_UZ9m zeBFI&aNbsbXMK4eVwukB z@W^U#oUF4S98LLel}GZ3i4(^~JGY3PZsvO}4=Y2_K_87|w=94`$Dn!NcQu&RW7Oq<3FB8uHVXUQPNh2v=$jw7!=VEh;LBc=Z)O-G9!i8{Sts-G5IZ0ee}KVz^nS{wi6N95@1g>pu# z!NYJ>3|z%S)89UeED!JFQxd#gpp7uojRaFu3{HB45G4~MEd_=6?<|#r&gq|#71$!8 zR{B04%yV_luY1RNNx{69`$cM_y;5(1HZFVH+uaVEJC*URSJrlth~H= zDM^ipvOp>daWPfDHxveAu;D}>3eD~b@(Oq30E^xsB*=^@J{^+E6-GsH0h@^EUXrEk z`ndDRT!WgpF0#s6ZsM2g{RQIW9a663g#)$lhl8{jE1Kb3YeTr9<`rg%Kri_uzM;?~ zD38(~|3@7d-I9TYaNo_;2=T-4b0dxdb30lY`hmXw*oc#-n+HZSn!IcjD`sXEcHsFA zIOdW`MYHWNNuZC*yg-#@tTdCY_(ergv*awP_?b(DL{3CTL@t@>>E(lvv~a29qa_JC zOAqBq^5K#pJQHL5N>LJ3Idq{!w52J@VT)PL7(#k#D70MP-LG_G&7h0lr6r4&@1#0< zyx#5Z5%jJ3N`86s#=<}>Yk$ocrtP8bW`_+YY`Qa0g7uT8flkIxC*i$lnr^E8K!TD8 zDM9A)ZPOZ(usCd`#Rb3pJ-paP)pGcbyh~w_Wcg;q=@{}mZ-Ul`DVED3iYH&lk<{Ux z8WG311K5VIvW*ZQ4k71!LQ3MII+U*rqdDLE`II2KyevH#gd!OEFU3B(JDRc6ThPD2 zDi`zn_+kp>GGn@^(XkOzkU;h0JfC1~n$}3uJbxr1lOq}_a|DObmN75<34@H!F@>CT z=SbzdvCn}ScKoqYRl&|i<9`I_gQ*2m7g1g$Mf-hYj% z%-vaVqi-?ld>FEmw-{yQWh1b#BxEGe3;Oi)~tDk zpZo~=1x61p3Cm7yu8M65TS{-SKJC1Xkac-%P61WZKqaxpQAyPB(ciJ|cK#hj3qe@3 zbx?=)pKkxtV{AR-#SlUufT2osG9p-ZwXNn&_l(9~$NStUH@GJuUQG zdZ8F(OZ1wG?knau_QkM_*e`y&&p0iGIo|lkqYCNoj{a#$CLTuMqG?(AID2M1vS~#cKf^zJ0#;}--I(A+ zNg`jDPnZ`e_w|ReD4owm zGmTMu=N#6(y0v>{@OLZ^^bN+|*XEbv4$eQgUyobPlyOb^bE@L1S`y7xkwR}T$8rPy zP(IDWR?I>YCN238ZoMe9ITgBVWt)|mlc%E#&$w#6x@q=?QE(x9eY5o#B1F0;SH0xm zLi!B~@5IoL*rzyAc>aRUz)J}^~|M7!g{|zVmA38w#|Nau`JMlW7UWsRg4BTnE zWQ8jj;f1JO`@bc`f_^=I62sN-R&Wn&?g`y!mV!1wkZk}?& zsn~iL4<6OsZA@PznVSv&T?H_^24cM1ycwfs(grqrv+hjdCze$fTVJIPd>8uNYgGe= zgm1LY&uU5CE$)BR>tSJ2sNs0I%t1Y4Y@%`flHuhKA0mrR)B(T_>F*O-3NdtSu7%C) zGF-1PFbAIr)ws()Y;egt9z;ja=qxSQ-_7yyb8d5dz7CVvwsjEJzTDXxO()eQO_@7O zD7!alXR&(}qde5RI0E%?KDd~Fe%v7@Hz+5gi7piVRzwb*q}8=s#xH0{&Hnn0^ zGhMXCyR&s)0PP|aF<1DCRi}h@V`DLj`!>TdMs_xoU~b?e)8_fkwyEWi#-U9c4TS-M z+$!FqW_X?x`6ol2NxxY=M$*2P10|yBu*IAYv6!7(eUrRpsv9N4={cBoRfI?jNNZqm 
zbo1E88#A8k6?eWA-Oput=J9T4sn}kAVR2^4R^isGrxS5q>7!ofeY=4e%~3QB?6=ei z-AnQvs{74tdH0f?3=1pC(etc|;S8^2C!5S?bM%a+E#lam0ylF5x#xvN(GXQ66-0yM zFn{$Vd%+p*o;cbhc_^da3~36M8OGn@bRphf`~+Fv&kf`_8;L+uC-cjZtY)0M7s|-3 z-njV?hfC!~{;;`H*(+P1Zv?-(_{#JGhe4?M%^=G!)yk35{A|D0zh&#HD16jNM-QK= z+UJXW*HLA9I4b=aONi3=*cYqV z%rTF_EFUJTorzH{t5faWYq62iNcd1D3G~~So_8dv0E_rI?S}e;{m>1JWMXl0`cISf zQ;E>i=}U@OrAk`^rjv^ZiOtBPRz)%G0FN~HaAt{~{PGW%3Er+z!P#Q@(5HBZ=lGlJ zYvs}|%v=fT=V>9>(lTt{6_^*iYH7J?YU$_g1}e@L7Hv@}=xg-}(LGHo1s*obKT#N< zK`xsMmdAU)4483{@wrR#H(pm)J6kt8mzfw+VAJ!{{Wh9#J?R~mr*4?79-4DC&%%D7 z-`KZakqwQ_q;YX&o1EY@7jpX&@-eUWuyI6_#N*5$vn zG8uvTRzLNiIAxC{$(6WyXQeRX1j2*H-u7+A*q2h{U6P@`f8sx&r=|1}=tEh0XyYWT zvQffM;XaNXs;lwpMyH^Nq^4?Ominp5chH|iMMYt6JqF^l2;9yqLAR|7wi9O;wcxC* zNt%VRK_xXMuS#58Rby&-4biNE*+13GUps^%keLP(wpu^ibVQt8rQN+4l<;7LY1fn} zRQl12m)ucfSYB`aj-==q*}s^&J~iGAsMZ-6bKN`c2^sYdMZ#JUao&E(^6&;)_htoDr%+V@TcP` zOi%Q!kx_08P9mNp!^3-8DNOghJC4^J%!2&I@74HQzEFw%?Qx4eNO(W>8}CVW)Ht-)blau*|%-4V08i3{SdHWOe*e5g;r_OCG*w<3o$4wQtWREu-+IDzM zC?nt;=YKX8#Ji$PlxAipZs9QX9Tm(<&+VQAMb zFrJSoch8J>eTeQ+X#{Trvj;BbSbcoejm_+Hih@Fek?P^Rhs@<@)tLO(Enl)NY*TZJ zUJIv1t41eCCuMx|Hy*c28N!5kr;f|eOt4gWWFC0vP?+!BG5Mxo*Pm|lmRa5rDc#Um z_ZC{kO_Q`VGn~_CojW-uU3wM|RyxK-3sWb8<>Y1D#ldDUxHA#SUMIYBDSPcyF}?+wv(cc^7)vhR^?P}ihP%;{Ovm$Bk3T{J**ioAi0si zaHQzi({)CAl_lA`WOpY6^5L>EYGa+SQschTbZ~{=T<<}m!+eTUMHb_QtT#WK&h@PD z>t>II28$TIqmnXxLQZ~D#Lw2&EX4;!ISCp;5a?}8CcM5AdUeCeIia-S<3why+5g=U zQO%gs5dDduINq%m}LA%y(#|*Hs6Vx3N>)qw&q3;#Z#os8s?ns;>UjhR^#B zZL{lnJm6N}JD_|a$IM*$Q=Kvyk~s&vY#DxqmnGo_@kyqoT5;eNdyX~2+de<_72h@W z1%2~!OwVdXdy~L(Ec+^piLAQcU&fpEioB%O=dj{A?W3P8HsVF=ADE?UTvdEh(*NM& z1C<<%)KK}A22p(b#sJ~2N^ZE&eKEfN64&pp(rcgap)RZLiz7qs zzN`(qzT%a-oFOXYAVg2+ocksNzXu0;TgsICd7`9Re(#Dj;4q+@svBBYZQHY6b-l0U zvxjnkN(>^DEvtwf*Xv;!^jvW;WGFD=Xyn2IdtYwk`Y+DAo=PnST-dVfki`X~ortm- z)Cn*rVd2Jp()fk7?S1-Zzk)kwz`=_}=O|PT=0@t~a}gAm$i&Z^$7T$XEBUYs-$N_e zpY_~S6;FRh)Ales6!!!-$JTtlt=!vWul|bd4JGAqS9UexqFb}xnR7kkH+a5FH|=KD zNSD(8bT^w0DGE63^!Cdne5#&3BjqCs)P$;*Mp(O$XbJDvG^9Ht;3!oxvn**y!G)Gn 
z8V{58-rTzQE(MyIQgE{SIe|@CW!7z0Z&1J*W9<)bosg& zHITTTW>J)D;M~i5ipE6(ueW^IMDw@Y%@OJvN^322!lRu- zLp18NKdkl^@Y>pihMotTsiy3ZanFlLU2_ua5U#OJXKrP$hl!#^qdfsWpVN~X_W;y? zIA1U&o!b@gJP@BJu(O#Cq~?3Jk9O`{*I1kGrOo#cwEc}>pxo3nrDc)AmU(oUp-2UR z^IpsNnlJ_RsmQn+YEL7~qxeacm^S^#d6r1;m5^KGN-cj*f+3&GL3bN7JzAfRYVa>` zt{3TFPqV{7?8(gbn@!9`TJzbq59t3o0}>SbFIY&}%1*wqQvV=`Lzkvj%6kZRgbbV> z>8N^1$n*<2icQMn_qv%Sj}*s|j&yg3fUWxbQzRt%?`!|n75L?U`rxl~{O?y<_=PoB zRAORqjXxwdENoces!4I`O9M#J{mxSwM{1GOMfh~4pddN1At5=VBhgxXu|@gsEBt>q zT)S%2ucYwy%5<1^^`Vo(^xPm%g8B3;&b(c>!IHJ z_ef#?Abqh-OQ!nJ*n>fIvgv1}nZOh8Bp~%*pA*)aBhRF!%j7&-Ye1@ z^0$5WW0fwDi}#lsEfp_p!=GoW>v%I=&Ex)e^wsqSO*N2X)^cO%EAmqe5)QMYqw**d z7P$Meam`-RAqqpk6b$R`Mc13)MyU13yt^a5jR3jQ(fRXo^QpxOnNx9YXUh(O!TbX%o@0cx~G66b+X?~qcG#OSX(Wi>q*Be7Zi zwP0N7o}tEhAHMJ+k4Itnr8VjXzuc{7LC9k%y}gvG9kuNxyws~d=xBT@3ib65VclQE zdHER%&6BRz<0vQ><(G;p12MaN^# zX`NhL?(Z((yvc`(6yRB@sHp70TZAzPF5g^UUu$V=-&|gD*e>2Gf7}CzZcxb$0IiLm z+r9yQo=@dnGPi9i0RBq8MSbyNzR|T5zz+ewi)x_7?bzVzWE}t>!otD;>o!lXnNQF1 z@_8hCZjI(0iEzs)v#t{Xg#mk-Fs#TlgH*dKacy@^uI6Zcq}UWSQ7&y+=Wf9E>yT%S z>8h%a>BSR6XWnD(ivx{X8RN4-HO^lt%fzClUn>#|_%aLhgFaeb#kZA6o1%vr_4%>#T(eUBoFgG z67pQtkTp}3MfVND@bkT<(ow@@B$=4e7O6^z-t}f@3Vx|yfAvt(8R2Y44pBhh^aazY z=6`AdzV#AIgy~&`53EjEEzLVhrit_2x;Ct|<4dTM%G;3&XBwK*q$t^PSj42f|IqqU zDKxd22(C^3lG$Rt;0GlMblaR}XeTi`4bqAo!837jy3CH*q1{&U-sl; zQvTRkb42LwXn9w^8pSqoR`dCVV2SG`UX>B6MiJ?`-#sQ`$Ld0^UMyqliyO7$ACYfF68twVu* zb4b#XLfYt^EC`A9(m#&;QKL*Gnp(eoL!Y8N2d%s*lSfw}h@^s_9M$PI!;{m`Eo^0~ z-=3DUtgkZ~((| zaA=5$k{mpu*q~4-V2WRak@6Gx*V`?(FEqNMp`n4U^Z*Rff|3$> zQNZl~OaJbRq5*3Rx6OQfT%7CiN|$=69-xTx^7H>~WQT3OQgU)S1@j94^QEPw0|N)v ztbT-y z0*GE4r`uzc5@EOJjZ87pnl%-bt3dsr0Mc^*`@{D@v&ANN&_E4%8(dsmZe7ckm$8{i z)7Uj7-&J!;A$&5OCc+mo)lPX5E2HlTwqHrdE{G37>b*WHpSK+#W5O|vjnKT$J?3-7 zk#mPh7vjCW{_JWB$%sadzlN)%Y#`?_Us-+-{yx3R4-=OP3>@;^sK0kAK}4f_y4WVq zjB06q=mW_9A!Xq{P*aP2Oi8>h00dv6vk)LH4gI^!ON-{*0XtgqA*}jnyinx`xhSa*u9p}=;zkLaP0)apT1qA_|159gh>|Q(3 z)kXFC^?QnlXy&mzB}(Qv&$V7GVc`})$t}^W^zT`XY3B3*lLZ9@1+fV$)oZ>692~%X 
z0$@c>V99_hG7t4m3JeYjnJUsW)YmTuj@t2R4+AYNXou(F;W08cX40(aY-?-l=r9C+ z9AKmc1qahN1^~VXsAN1z8yXx$MMG0oRu;Z{ZUcud^!1tdMFK7d7w}+Y6clJOfRP6F z6|6Ac;C&k#8{o)f4*)nszZwd9L6t!u}s?F6DR8(O%)ViZQq~1QmU83 zA|vwwW)}RS^>kU=@bE!L`XL|;fRp>)9`~&EMFGK(HHK0%YjUolTkf;nsZGSy^7681 zbV5SkvYoW85(YXtCpY(|Lp^SFL0TF-RnQaV1wolR!UU9Lf<-JuG^4`v63oh{m}Igk ze7NOT0UN8UhBh|xqM(>qNJuD#g#-u3$iyTk=X~Q+Bp@9qD*oYK)K6D*+Z;~$@&$>8 zCb!?U`ZTx-_+$wQGa>ja{o6eOKb~9b`gL1Opni~1X$J(C(`|2ax z57rTnrLFUg*`1wPJl*+3yW3Q8sp&z9II;%@P>X|C!@F_NsDE*F{VL3B5;n5^&{A#AdyNJc)76Ld+AtG{_VY-K8HJU=uQh3nt&w{(7YVFw5cLlErE9-q+kqH{R zO}t1JkC=MjQgwAv=<8W@eiwOagP+K4Tf`L7;w+?CdJ#{CzH63eK4CjiYaRNV=1td0 zm!n%4rMRoZyZpl9c$bU8?~&ad)Td4b>V>gNs|U@x&OGaJC^Dj*Ao*(&W?^e-Wwu!J zJyYDn$_q>8f6YGk;hWZ9>vo548)=t@K~-R>#kEaZ5Q87YE}+<;1FpL zZ3@-z-D$mjwb?a)Ca?|BQBy6^+Ar@;Ci4oVniUG+GE5v17^0ajt(j+YKcxg zo6S5AGBPqytN1(C|M@3+gW1s$0m2ZFMSZCR5NCj8SX5YO31(WEzQ~n_UW-o(@RswH zX#fj}S}rlKprF6jd3%(KpTF^Zf37e;UsFS4dTvhG{UpojqSL@0*eCNeJ@ECzhc^ri zyJKm;8yh{NsO5md5BujImc?z{_ zOZ@!&l9G}DyhDZl?$keK_1Nw2B2-0=jcs6RO7rp=n4#D3-8yb$EakJnZuii(OrB%VFmFC-6w^8T=) z5};WEa3S1tb61E>OcEZuwcdz076_o-gf%yNuQzHHYgLavsDUMQ9$`lEzvl4`k%iC> z=WN21-q~91yY~r?sg4Lw6r?14xrJ{VQ9l**I@%Kx{V49DC6#Xe^>he>4YgnTM4m1) zqo5t>$I>E6@ITL0gYTs*m}Zzhd5sc11`L%dCex)e-s+xHks=C!0>-m`hDfV{;8XC@FPKhBU@Q77GU!ZfRh?wE+=yw_yQC|#2jO(*h1i+=&t5cMQLhXl^eO|$P3urCCY*P; zNO%fucN1lgGdrUr%P1YYJ(_tLyTDLu$BqSEPD3cv)obgFVIjer@h&y=o<(YkM2z{M zBu7*1c&LKDpkFq*EKu^S1xjcyLxW?Wa*A#tnU-tPFIk@)6(l>vWk|iYCwxAYMX6(5 zX(HIj_w<4C&ecMMYXQbxuBSX_v93x|Yg5?Pv3Iu5XnBmFDA`}!EB~rl(d4Qd7A6D7 z@}ICKBFe+*S`;pGpVBJ7PSjWH#}Mf@BH@Le`6Zr}MKITMPxfjl6eW3iv((F0jTE#w znH7{RYwDDGh!ZG0hD0dRzIguJd@LtagK-j2QbtCO&&~i=W&?2rf^y)H15*fut4J_< z=H~?{D83ob0BabhD`I0)a(e(D9cXs|?ldrIK+gp@%O?amrKP1MB|e9X&BH1DAi$?! 
zVF5$TLlg&alW}o5O$G_Bkb$>MpGF>Ntm%LC6V_CL?*qDF)*@arGY^lBR%C4d0noTZ zcndiofu*MEX=uV3#gOvzMiKeC|Y0NLl z$s|{>uC6XXJPQsE26!ymQ1aP29m zvaP86?4Ch^j3Ha2hC}%?#l!x)+(r1w6kUW&S}JnmWGPm)@2G#%30hVa*N^m`hgm$u zTp4(Y;q|uEK}oW^4D?6AzO8j(sX(><0bzuSV(!S+^OPOCK-_2lBwH}$T9a7Z59ek~ zOPoXy)AnEe#QVFw(nD!bz}t{W*1VB4-mIqfIX+QW;to^T!ChRi`~02ST7|CXoY1uE ztz7Be3u-WHW0A-s`Y8U}yg^)4(XIp%)TniEqrx&xoZnJ#ZMJQ^Ly!q_PX8X%kxL>Xp(s$R z6!)>J`T4Am5K3|7H4FZ?*)3p{Mo6&Wg8|&=0u0dL)KsngYB!L>1HiMu$x=vZ!F5EG z25_ccU}7GQ<-$P95SGGE(_%HSiQsqMaROl|hhfb`u2zOJgHLxPPxS_)}d zSy=(To1vj0bDX7_nTAv$Jsn*r5of{tqjJ~7#p=pR89BLTr|nM{2Z4mb@5sr?V~y8q zp#y!eZ>m*IH8tlQ0hlrmNeKy>SHHi9NHrejq`b~(pvTkQ{dp~Xp$6ooG&N_2hOB|Z z%gV}n^2#D+&tm2cP0S(ve|FzUaF58nZoINTPxi8Hx6kk(#7(|cjJ*3_w!N^uIR+}8 z2;rCFa+2~kM5UzXJPwc^W6{3cTjPuol2I$sZL#lwu;1`oAOZuGSW8Nyh)Hm6^d6Ej zbsMRP$w_JMFN`K6YLkh{Vh6d4)B{91^Jciq2Tv~)g53$J%c@JY<-=n~^7KMwM1P7K z)(%&9z)~=9Dmq7OKfet`_lg*R)&h^Zkm_l(MWp~Wnn!^Z|}!nB_1!P^u{GnI}d9>mCih=WyOdyV%xq6|BQo!o1drH3w1Z_9g2!> z`J`!~;T9X5o<2#_MBYD2wh;cOqGHsiv54^vy;^~;cH_66*o6#PiU`)nPlON$rJCg$ z?X@4a(-$utKfDj_cyn-a^ zG*B-BqHfYXMgSN3926AguL&MeWvD{j-krm+6#BiwC*#Uhm z|AvNZ8ZIkM5S;;p{MWBv1;`YXmB-rKDFDisp1!}m{iDzGk_@$C_0rUq7T@~a@sSZi zewV#pZ$yTH?qfv6*PY7`<%~DCpxMCnVzj}<(UBpg{kINaE`kdM%XYRc8h|h2GI`Mq z4X~S(-g&kLlP|iTyx)ivur$HbdOP@9h5q1aX}bAlF{*=!aH*~B)Q$x zchd6s_-CC|!YgE8pJnq>uWpGrDfO7|==R_h3#Yb=gQ77Q;?>p$DOb0%cc0Bg0>WQp ztnF0qj{S6ZTCr&Qp=7@`E5F+{vTu3|*?f*RO4-CBEFX=1JjCb1DlgD@m)280)80N9 zpBr~5hW85V*iA<*K91&%fgelQEwAOox+^t?q1Z?qS5Y(V{yY1uN)IIvsoLm4pK*(} zyS9&;ooKT!Qo?lAzbPa9-1}H;A!h@ZN63lFxnlU9LA9GD11vz2=IuYa{9d!dkow!v zyggmnLN&QyG*ro0{EE&uaG7kwkR3F*xR=}`BN84l^K?w%;^2&fCdtu% zsfw7H_44QFFxP@;9AxJhnVDlT34ogexak63mt`$2EsC^10|RM2Qwpq5jS0FzCQn!x zJ~wv*@@ClyHFb5Kro+o;|A2G` zWd@L?>+I=COf0s~HR0RJ^kgHqn2$1oG6aq~l7D!H3767%XkK=$l zX#(3Q^78WH;^J0TMYkCqnqUD3zcSq0>vny*4ZMHP)2(B`tslN&?$FTE0uht05Sj`& zqop>GQ$QdP0Ak7l^3-$tn46gz`!2?*%uZ|%U$|QF^{9MCGP-hR4Z|tncEKqMN`Ha z;g{b0CUQ!XoUYpfzqNxUoYvE@3PNuhpB|oS39TET8#byf+;B?qusnR%%B%^Mx6 
zPrS|ik^8Bq<|f`gWmnyn&4r9q*u#CUN#w~lBL7%9PaZ6+T=@X0DAbEI9;iiXofdK& zGcv#F-q5X`qZcBU`P1Qoj7zqC71OM2+SJ0{zB&)RcB7W3O`v)mz#Y4*H>O zZ_i6xL^8WvS60vIj4nEyd0@nnJ4<3MRhePK-h$tSTnM_+#u@amVQsz2x2?|2@^esi zyn3J2Rg%X2Z43@RZjj1i=#GG@^#o37sG|TCQGmoQD7DytfkBlZb= z=I}~9rUtOt5SqUHQxqvCf>PI$?&`JoeP^MG%Qy21Zhl4BQ{IZzNy*_3%+Uk z_S3kw)nQ}1y)8SMGbOeUe_Ezk>bmKy*=r@IYx zb&L>b6UhE&yJ7>+Uk(KCi`K;;tqrD|uug7H&IU-<1OLizn*8#~`KK|VYDXG8tJ>cPiO-ZseSZ!IEoxQ!1+Wkf20^kG(ydbRbys$}E z+yW^l&~JTFv$eGJr^>`R8|An(sYb8k-gXMtA=t z1eXIs^~C!6E1)A8P9{hX@d0vPAnBOEYUmH%1y>ozq^)*6Z)jk!F`P1&B^3qcKEkHK!=VzX!5uUs(| zZs(glT|r*c*5fs9l?4cHKw8gpZ<>{bg#`eV0m?aF<$CdM@jD87BC8<^bZ_(NI>--N zSQLP~$TcyLTm~<4@-!55B9+rTKz|-g;w}Y`6|7bZV1=8}tm`lMcgYFEzB~93D=RAy zG2t=mXpFD{p(Y?i2&u7}=?*0ZBAPOA1th5SQ||v%c|6!DNG00&%uJr9q6KiP7zf7S zyq%wg-sV}gZp;*qw|t6IKAm0-7om?56z9ZQ3j9_|%MG~{n?z7fp5ar;K+DV)m3wey z8mHQRAbn}L_W`*Pke2zoXAHdT1X(;n!g{Njijho-0hY(URA6kRaF|Da|1P3x_7x4E zS-|JEZk{;zk=WgUuLiP8eZ&1#L+EIyX}EGI3FErD2|;RsjW@D0bNIzss=1Vk+s|Nc zL-tOSFXX5p)JT^lU}p-bO|9eq;3WwIn<8L%R~GFAh}7*9I#XXP^D1zx>t}*nsk07x_Idiv`kUTV!RP z#?M-$F9kb*_htG!>9kldE>%xvg4Yad=i|N73XXxlw>Obui zOZWl*(=|!|UF7tC7AO68l@bIG^KTac5)xeFJ-xM;G*A${b5Elb880D|vzD#ldstrv z{CIZu%CfST5@_%1K@e;)o|m4N7x?e16gIUw@cOA%Ljkkt)c2Xqr8C@KLfi5B$$as! 
zcf^Ptw6eMi(l}rj$i5XRnt_IfMo4I}wRLIkhbbr#t3YTFS@gR}{XPE@8j(k;)&!Mn z5@ep z85v+#Kt4C|wgpJlGile1PfnI3dfqIQ@>UY|_-ku7lFPBAlt2>gJiL^5T@W^=UREd% zkww#GWu3Q&yd%O%_+D4NXLieR+J;gmtH>b|XJ+e0mWJ@E-6OF8FSaaOB5_c)puu=| zXi7Bd4I`_%Ed&#eGRLW|Q*HsYe&2xo*sR zy-{)1uLB?dr7k9oWcrM&?zh-#M#`a;Mz|isM#3WFcN_1aSl{J|RU)Rnw*I^k6l?}w zxEwIpK%EFA{%Pcs^D6Mu3g^xCKRz%i#|lo8HtOqJ7LzX-#WOB<*Kh`SBa9#>&SGzF zdKyBfx0tH8d5>YZi1{SCD;pBdE4z7o&1PT>8#r@6QbCLq+$Skr-ARRg_WqPqI|lFs z9~P7H8aV!bcKG+XA5~8`{25@y*^&>?e#sr_)1vSs=G4=HE;xJgOj06+Fh?%EG`5aS&JpNLl^k@LxqXX5yX+mt3MfzSuFi0ImA zMU1{uPkAovQo(Giy{GZ-HF}|Yk*O-b#fXTdXM$x?`<#9hXU08?%z8_`Vkn(<@j04H z1sw>104fZ)F5klo!1D*SJcmHZ8FzlO;MC<4PKD=eJ25@-RLNe+&4zqrXCTqS=CT?9B=cJ^nRv9`eGc6-RLU zrBT^5@5-mH)&{n_^FBuzt8bn#D)psY$t8=E!WexTs{HEn^C!OCJ!hlH$k+-g>^ZYp zHL`>^ZFVwUM8OZ5*3R}rS3PU(Yh0}s&o0c9O2kp&q^7C97fZ)miOr@8Zm*I+d3ayh z*Hi;uy2~qwb@6P`sps6wic9aiVk>G0!y5_;uEVa8Cn60Tt`)8}Q=X?QB0}5dxjp>+ zuqGuPFYAg>pg}xThj;?Y`+dr$R+bmE`DXd557cvxJ25vJ`CyGnS1Vf?`lQKw5^4QK zUXo1)f`+>CHXhwcO3G<-k4ML8JU7q}XBr|5qr&cJiuj1tj$9mL$dD?2+#y@t9EM8Q zHJe9jJKmfZrpW|K;&>V&e!gj`cBpVR8?hYC(LV0Ng??MFQAI&{2dtrr`zJzHflt3K z_SnpqH7n+%TmsBpp5bB#t>%rmOUM1G+c)z0-YMEMJW}?q;UZe=FlSj`RJ2@)V~;lB zFe`_~+?B15AEnf=?~a^p;X{dD)e3G**huW!Xa>TlB`R5AWa749^x1RM4U8LvK`@AO zlv{k_Ri|BC@1F!41**i4>qf94t`*DbPu2N;48Iuv>~g0u(4sr>MP}n z%T8Bv?g>;$SYsThYxe5jKq`jE4cRF@{H)Z^&<^P)8LZhBw(V%38+z+H8JchcOX7FW zw%2=gEz8SdEo2g_Ef_t*l)BLza7|SgxlXjy2k5Mxo$CZS16e^M)10T-O_PxL_M>!Oi{ec;8zPHt+`3@_ z`-A!VC^RklS4kIc6RmJ=|4HJq(?f6KZjH`8675+x(Teu64)$D6Tt4))TBB&0YH0{I zm++b~qqeew`uo!vrdE?hJr1`uJV=a7)RdKuz&PLLZ4+GL@cCWmT+sCR4FgRPYTn)4 znxA7sk^|LYPB{fIHKUbaj<+#m%M-CV0UPOA2OC6=?^!RRDq2a9e zn@FUUgRofs+18#S-(2Jh`3NMall!-4id2XMS>~3zWn_3DnvXnLJx3!NQ-K8C@;Cy6 z(<%E##5{^_zgaXcI1qOv!?JVw&+78pOrV7WT;P{c)j7sQ)o&5O-t1o+LSTz;1jm_? 
zar~7CIRBD zD|qbw@%|`wV|1py;CF%jY!FkB07u8FEPWbHy(gtnM#@5NfJE5(kB(Hz7hq17#3uic zAHX2><+U>rkv|xcBU9M@DG0SMdY%@z$M}zZiU|o+aHiUm6Z8WjM_HYdr>$o7zr^bM zA!_vo=Dgd+8_GdQk)V1oHcX7Hw^5!mK@f3RG7)!mcW#?>kS8nZ!Zk7G<0$OKnm+ap zSviWY01%n-Z7tM7L_{mHqIU1YtaxtrAa_o@qDI<~+X94trh-JNnK%~9M=EM%e<%CV z&0pD}j&T=hQcBX&%*xu3i-*)YrNqk<YzCb2IItNlIaxAeMZDdMnamk0oSUHK<{0>qU)tWz zCiMv*o4pXN=M0}V{k{{ONX9yCAhh0NuhpMBB`zd8l8L;i7acFkXLWXk*B^hpNU@nE z7cQri!(iOJe6X0zQ|GSJAZh?s80VA*<+kl^i(*#Ykna-iL*gIaFY73dqu) zX5E0?Oy>LI;;mn3bl3|Qx$lrY=6{U`N`{-nkHo82Nrp$eb-tuKlG?VOq7RjMsLDnm zp&%?ircyRdw32+GB*#F6{c-bEz9UnAWR{`Sh&MC!(J))yBr>mT+G4|olh4k)w zr%NII6dNJecLEpnux4g{$Bn^!IM7fCz_2jS9DJ#IZjI&QPAZKZjSOu2M1d+0c)B%f zI|n5=LqkIYrilYR?52Iqx=HO87z-7~zoiBbo_Ol{v?&X#6&C1?*nTSK8%CFnuRH4L z6IfqBe>TibrgmDxq@VU_Wdq9fiH?H-s>EA& zY&)uSX+zgnIY*MCJI=Dxrr~M64HI~2E`m#B>Qj|Ueofzmap@A`RfmGzuxY5S8d7a= z$x8@%owb)LPqCSQ(WJUjT%V`3KjG9B{OPDLOaNWmYOd4K?1>V8qU)2svu2)4OD}2Z zBR0mDXqzT(g5&eOc(TIs6_aN3x3y)W2QHA#Fh86!Jw2JzBE{d+8tHm}w9fn58`S$z z9ge4meo(5-QE4%>q#W7*J!d>urn6WsgTLC2{knnJO;Ed~-Zm4HJR;8F=|HSH7(9v? 
z{Z#9bT<{vI`54`TcT}z&s+JF>5kvW{r#I* z>zD;}xxyq-zT+r-TX<5n&Hgq@k3_CV35zvlW;R*RTv1OE7Gq-c z)V8W<%`TNS_qv5<=%^l{J`Yk=#Tl5FZ>z4*-m>$q94jp?dmH(PPE4e@y26y3+nk3<)ULO`O@QrTe)6vJS5JIqxP@wh;h@ zJGI=gW=oAE?{sEZ;&7yv_ipNVuBz8lP_wiM;KMngj>(-IPn@=A*7Ro<#y>54la zdRg<2Iol%=7sn!n!(%01+H|wzy9f2 z>IIX?ghD0uBj!v$Mu30!e4QEE^F7DJh4UJ%bd0xKsL7I6Ap999>)mNyMRcD?uiAL& z_t0++ue8OK$KqqWLdirGA3F?Gj{}7Jvj*pz=1MW?pmqxC%$K{dA&+(+515F!i`#j9 zcIDLG$wn$jYD(lSw)#hF=!zFD#2o}ji6?)Wl%m4S3X#z08ZmpkbyZa+TlCU>gy2U~ zFD>l$lj$_U4QgcDF7o`x1V>f{ZD<vP0-(?*&N# z#!YvfyO^Y8=-P#&$SZw}X;;@t$!6zMrAe-aoCwc+gC4>#7G_-!rf@_UagG)<^Zgz4 zV|D~nOJv?S1r0gQK3AN!QJWY~^#wbtUe2$fHPlfB7P0ROv<(3ZR2J@j8F~zb0KYtQ=13G# z@=TJs8&YXrgaFY>(^Bc%+ljGN+oEz~@Kxh^TUeey*H*h zk%;&RXfwUZ=Zp5niaeJseU;cu@8~;$68M1ffme-M7qU3!#3*^I!@InGN0;%%oZNzT)7OX}) zpUw9?E*+>Ow4$MZ9J1!Ftg1N2>kpC*jzf`&ss4P8Tu-itW}zq68sw!Xw&cZ4Pzw(>R@Ob;ESYG zvn&QK&mq&5b?r74=;=mOV2q15!5=iXR_JQWvOz8;&GjLj0PX00z7de-em*kd#c(zV z`H^2MV_AxNSzhjZep8j%pjwi84NecfSs7Nr!<7-RpYVEfIj7tO(kC)g2EhB)UZB5p zxz{dXeQ&2!RO@{5`vaa8yW)C-^#SafXv4>1F+revuIuRNYKu*Or5U>t<`p47!;&s% zzyN}mL6)P+aBcU^xw>`W(oWyyM*VcsohWcGiP8b}6~IYw87$dax|+D9IFVFZ#2kMRS(WX zaav`QwT;zUP1v=aZrr$5UrehOP8JyOrzWFmy;j@-iXN^;})>8)}ofEW+Yx0j( zM(fy?OpjCaU&VWy6-xW{Yqjgq0y2=YMWty$Fb{kTMyxgU0^qo~05=-@J~-3eq4^Fk zv(Z?QeJka4_o1!r6=V4!zt;%w9sSYe*L1NdyAY489iXB%ul7S_v#Y~=^|h^QBQsNr z{PGiR+pPmDDOncZG^kk`AZ_&qy`!d#rF~@EJqyCmIX>C?Fvh+2(2*c!vuAC~a~M&) zOLqSJFDwnDi9<*Ch-j`FVK@ z(2H|+>qp$Xo!Zwn);rkFTJ6uq%<*UKTrBIsIDPDsaU=INwRqfJvs<_r0~qLp9rg6J z0PWgrJ1w}loMX#Nf2-Pvl~YPH-jsnksvC)1IKiLeE30;QOw24aS4Q0?mrtjyrUx?fEG?}pHWs~ik9RP$cKT}6q4Jk@ zQ`5@}wR-t#FHBF`l4;jGvLNVbn?H~19zzQvK#ULDjOcYOOQ4RVQ~mfCaZRgNNWBY7 zYi;O6eov?7o1So!Q8U!eH*S$T9$C_8OMFH@#pQQAuXNMg2-@hsYN-s7B&7c1f7I#5 zE>qu?ub7C)%b|CVYe)%l8!X z-)B3M&x$2sWKVQ>;3o`^>Bn`ulH%e5ATYNWC4rfVNmf+!)xR$D7$n9sUhsW^@IGD8 zW7~a!P%8epMM4jrpSrX(!`uX5@&7V;l{BB}6<8m)gT zQ0B1z*Wpk9mC*RFSndDs(<99w@}IKY|9+u=o9KUTlz`qnDd>B1OmhAf*$}zGWx|Fm zv!gSRq3u}Ze;qnClY)$VDWCm!44IbXU$#e{{2zM%{D1Zszy818^#6Hp|J|~;dVdfe 
zsP0)i+)*3ci~r8r(4r-oXeOE9Z_{KR3!V!nf1_=#*rr2Km% z4ta=#{^wpl@g#5jXFn%H`2X^~{ZE$r@6Ymm^ZhBqV05$77h3X67QE24DRN=vrRdRq zn>*E$RlHTqp64%mFu50nei`=Ko#>-R$vhOIj#B;6YrQ=sxlxu!?cj4Br`nbpJJ3$H zZ6AW0(4*7yk?$aiHv=E5Vpa3MnJF(P11#n+$zZwtY=~1n>JR$+Mm8&Eb|VkW>EZLs zqm8gx^Y<}+5|un8y>Sb}SL(A`Vla|k?a2Zdh9wXY3{E)-Nnj}mum zi{Z*szSEs4v3M}K=|eaeaB?9xP<6e7`R0SY<&X5KAE zo|nCIw%c}KBH?^aT&mkmHm#aM=KM)o_bEx5RC0p5Q{Ikw9|4;>qZ67+<8#%5f87~o zxNJFNi*9`^erc9Xtk%($P-bF{P8EG4liA9ra~?^Pc-Eh4!1otfxmq1-cH{9ID7rJ5 zOypg`L?qiD_t0aQRFF~t;Tp_K0KH2UO;-EpnRL#s#c-H=MCe(6mfdj)BzMErc38m+(&A=T^*?>_dZ_U-d?g~|Gmu{`WTYY!E%>TW(5k|T4VP46T9()%kJ%1@1I$D z@~^v%UubXl`;1_CA8UuX*aZ+i|4tk>+ z{HXHiEU84h0O0yME7OLw))|6TawyZ}NY$Jr3?zDX<0}*0OOuJe;=2HZGz{dGIW0sB zVD=}LWdSojX}yQ}ad7W;$I8}u;v=?u~5Tijr?V?IA=*i9<6>PS5RF%upA&D3hzk{g4P$ei1oM8nf5 zFi?6}uzAo*JvgfDz5C9%`DLDH9cS&YzM<*0J@C+9Lg>T7EYs3(>dOdctpu!RQPOYG zb~-kNNP7~7>uWqKg{jePl(sr-UuxVZc}HYkw)`6@eTh-MtE|W7;iOs>3n%`8ZJ8KomD7)Lamt2xp-^*S2+#S z(|E9HnS?*n<|y4Y%aOMBXLq7JAM3cmZtRY_di4I`@#gNb&oc0~74(}y?3UBTa?Wvl zA9ey&k;1gKCWbbohUbU7?I>DR;xOi{DIZ&t9vmDSpB&B`j2}|S*SW{FFHZv}{^Yw| zkL^PL&Mdb}7CFGkj88>GbWAtrXW}0oIIYahV8u(t73j;*>c=^TGBFp6+3~TlhNa>L z=(1#J2*lUb+ZNF%n~{-LzsI*BVLS#hiSV!UgFOPuAk=<3WhOv+#CdPfQX_v$osSaw z$?K1ie6j-fQVEV$7q_;09|+y=Am|}1mW<8y;{d;#bBoR0!wF>i22Ig@WqX5ASx8+x zB`fVOMlAalJZcc&O~}J}ddTjr`F*6r2ybE-%jv$+u>oW^>2cmQ;P+70s&2N8%-$H= ztqc_PH@SQ{DL@DtE=uTR>R#G-*}ubC#J1Wspe4Rwj*}hj z=G_WGI1r^o1&N=f{|Zz|eN2&-ehso(-#lF7^Bi6FXpf}U$58I7?emN8FCrtcK4?4r z{U?MH9oG|fEtt@aC8=+>zkYp_2*ty@v|3v<){qY?}E1X`x5iP?mY9H=F4tfcf0;GhH-DuwCgk61l%tQvY2!aiIIG1e8j2R z)Al?c`AA)CMynemGsH4RC^7qk%So2{V0|?P7nK{F%Q6X=itrnhQmTz&O|S1llTY$*sd+-&)C!ZaIxMG$2X@!`3NsrM0|N^a8@^oyRQUuvAB*|w zDAKX0NUiIX`VFBjEFTM<@vz*ZMdBmfG#7&A%||On@q4zj67`*E7`dgOSy=GL2LX46 z=4RTO&pwKW8d6(v8(98oh?&0O!A7BQUo>Ws@L|u%Nom&nyrQD}YZn>Q&12EvKpU9$ za0>D2@~c-O`1A9#b#;Sa!cSUr&Nxy2dP{Tcxn|)(a+OD7CvRDbkN#ngTgG-A2SfO3 zlx!xU`vU}wP2(e2a9`gsz<;6Mb6rNd^HR?KD;MZ&g#@zIzp?K+P4eW**(`<89ZkIPkaRPw_XDW_ph+IQ}y5x)D 
zMes$N&BLKj#~;mmb4ls`+`$(*8ZI)tihk%T#r_8iP~3eQ`sM)!(n2;V`Q=kyFO+b*9I9+L3clqlMer?s zPQb!-nUhB!-G>#1#v>EvPdlW3YPSpZmsf?%mCDR*s2bmfAZ5Rmr^b|{JBDcDf~u@n zR;#8`S-9@CQnfj=9E6dMOX%|cQBauIotv-a{ua?j!~P-q?h_9J%B{$3b+S^oADHMR z=&S#kYu!5pS`9MLi=Hs~auP&BItAfMYB=+xc@)e(M3lUpooQmfc%mJkejylJer5 zPVD#H@{n{at-6Pd3clo<64Dmu%|mGm{#Z(0?$1LxqbVj}bQ=PTN8|a;t6W3!^>z7( zgL^1l2_tshdrAEx!UZoE!wpH8eCC3{;5XB|5Fn_1t&LKEMcw)kx^fL) zU_uwv%BP}G6%mOGku^$cD-qnxc46bEG&4iLBB~cC=^6l*^~0zRGuz-vAt4f%=Bg_~ zZ;Fo&pUmXS$!wkd{-(&vQx#K@U4Hup(ce;^oWW2STLQK{*vL8%)Hxu=n%mQUW3|X~ zUqw-nGsEZR^rot;9+(yz{EqC)Qoyl+9s_;E8SopN%r7t&9p0}U>8ULl&mZchsLLdP zx|uURtJlUw7-i_hT3qGrh5~~#=CdR0`|CiwR~+H;Eu@$hb8}bX0Etx*3p-oubP!Xk zqY;&0W+U9st5^1Koz&f{%L4gi7-b@F(;9&A&%pw9-A~`MQ`(TCCP%M(G5>0d{%|oV|^C zdz}ET+4`!14nB_DopSqdj05?Mc`mTYa;0J&OToGKLh~!Ek2UQFV>-NzhB*~Ut#QO@ z`GPgCq6Bzd&b#oJ#Pnt@MFTa&oVpSy~sRu5wXmw8~_Jqv2+pqX1EuJAp0ja&iJQ0G8!01^2t70S2@!}%e_-(*$d3{!KZ|~#m z3_oHfoK{ay!P^g}C2e&h84 z`*qaCq6f*P$*VCImN#PQbMwXK({)u>yr<{sHybtt`TFE}k5trOAN;!PiwpHe?-@@++#* zBIbD*JP6SF`MJhZqp-Hgv5wDL4~e@{MH2uI~rFjx16_4D{?)ma4GGzlp2revIn|*EyDJ5kGqSpF`q(lmBYQiFlE^|#6Sm+VaR)$S`8Ow)@?*w2q zKVDADG@~MEg)DK(_?!=y%1sTznb`L^{7i4eOgSP+kVKERF+}dTK24OJLPex7=t>hJ$!=8I=gFUC!E3k{eGdVb>Bn^`g(4hvg$38YI+vn1C($XJH~ z#yiX8c|R=`?Vi?&k&V&hA)f@EJ89YZ6B02enR@_N=yMVmb{TjU8RI zri&Bn6vL^|GO>nob#PK3^fWZHl%LOK+rnTQ?I?&Td%A0)$&>`zuI#DZ%I9>h*HuT( zEZIJYFm-h+(-zm~+20Lf%YY`dmKz%?E13=GjA73TDZoe$ zm^=jNvZqX1`b@;gifvr$l0NgTG>Dzo`n&9xVthC=+mffC(A81_nmEwD!QzP%Bb~!n z@;WVtGjlZ1t2EjQwkmI})`1-F7N@8AMUN~KIcDmSmDC3l8hB+wh|VS+%axUj?uexW z;IY0>-mWM!!DwKF|D_2HV}&DKv%C&ZZQp|>smH$cpZfPSPdbugelGC2is^chT?0$ooc)R}qC30S@blorZSJw9QfaJnfnB%@zS!nVEBD z@>zI3y)*mm?m}d4M9K%a04@ANK_5aEDm^v7FEQ#$F-8PxddT7pMWN2GT6*zGGP{SC zs>&{iDWh~4!qk*JWSrh~2tTwCTosO!aiw0xFlLS~vy&D8Yo z#jw40-go#nZYh(7v*11%g zWU$1!A(VY`3hHHsD;#BAF|XVqTu-K z!F(T_AcUQrm?~*WSW5LC)ls<7#>bNN=h$18i+v8pbOZ<3u0lNBZINDQyi?7R&1SHA zyU}GN{o2wj6LEP)L|5Y&7Usyf%L66vuvd#-I;)oNfPk~Y?sgeff_G5|wg zTyM5J-IDN|kPV0*^eDX$EhLZ&xN^IOp2FMaE 
z1!W{egIr8kSvaSlRO_plF*`fQuBIBNxKvek+kn?~Q_(?Gw{WP_x#jfe_RQkzXkNgj zpABz@-3F}L$x7U(&p(Ol76;!Wyd@>3(S=k*P zq1${APNohMPIxfqAS9c{j6ZAth_#|R7t=&4-TUAGE26XdBBt<7VFkLafJWu**V`!- zMI3T+%;HjHVnC$a^VNsnt)*$}57v3*<9o~ye7FMG41oS z!wy6g3X{__T(t*vmd5f}xtpf9%Atzco}x#MttFX}=VR6V1R2X4r?ek}&$dysiN$|T zny3_&VR_ZJz{&&clA}mn=->L69-0`;k$~SSv`UHB=qosa^S;VHMJEbxxJYa!qg!}D>{RI_6 zw4y3$##5bbB2BkycX@A`)wBV_V&GRn{c>X)v$zJT)yjbxV71b_m!ca016eF#SF>sD zcd2M0AqIh>9s~QcoJzwHVR9Rpo1q#u2Q7gYnCl_c60>;^51G*_2lJ_Cc-`bwDt+Bk zZRsk;A+-j`Bk7XhwVy_84+&kk&>!5cnDmn<2|42W#j3ych068 zZjh)k<`XXmXrha4M-V+bE@#f; zD({TrXOoaebabrjDp56{dRf@hVP1pb6H z6W_|fTxC=(dpK5gRLwWFP2W@M%0I`uRuqo8WGa<@J(-b;8!0)NTyKT7@Zo(3dQlxDYD-{zPuC z5j97WjvZ$hLqC%7aN4K;w*is*6}#eNszp2p@s_(G(lOF#W)_Yfuq@-8mSzk6IMt05 z14Q_VG=HKmE-tmua6UM3__@9xuyo|5f;UjgdWXkD2N`USVaeR2Ywo;|gqSRM`I#Lb zzxq?KO)Y1qW#>7O=}vU}8Pcb?HbpJmi^lL)`t5bIx1zw{pbszWrU!YUJBN=S;?K6; zu~xuyJ5w)0y^m7$Co|t8>9i}fvs%_l*Y4i`HqsijKDe+0U&1;vaV0dgSK9n;VVWj!y2NyifDvv(NG z$5N{skGsKbhpw$;U*70>Kr5_F;yCV~*geQ&i+i(VT%Y}^vNPSBK%_!=x!QS2vCsHE;bFnoL;nQiGsMacuptQF9F~f`Y~O z9`{RbFvGHXf=OyCL>EnYPPG&BH&v4{d><=@QD_&`s9FI0K5%k;MCA1FI3N$mvpxVu zue%zRnbG|4;zi^L&DzA|4b$}-kWh}rVnP2(x@#oIhb7n5+}ol;S+(rXcGgrzlE|Kj?afxm0T2 zobVgSj6?`zatwQUALJGnz{t%EZ3hBZybym?Tz8lHTWgwQV?zG8wDQ;6>Ng{$muI-W zSnxQu(JX!TB4N=KY=P_A2TH!kxy>}dnF4Vxo$-KBsf?q z0$IKZN)c*cV!SK$;H<*(z0+E3v&wyK8yR-;qkG4A>$E(^Bm`T=lSz9$zP>#8WU+sY z;$imbr{pF$r;|o2lXIDYQDTiNiBs7d+kR^bzV@_x6K{Z$?0j-<<$-mP=FdWlA`>V! zdbnQsx}yopSsYvTqK?i6bPgYNcEHVWR!W4dHV*Vn#!0eCBVtT}WSZbBxz! 
z1ZivY6O_x3(o9t9XMdg>L#af^vQao)k{=IWg+C+%r$`rl=Yvr*1}Fi| zM5$?a$9sJjN+I_8CwXt#Jv0f$ws7kk)Q>ekqK;&dQ2K zQFXZBMsf5YBSWWgMflTqWAmu{eN1d=Z5-%m-|o))=#Qvb7NxOiZ*caCFC{x(V!@`8 z${<)i7*!p9=k;)v>@X1>1wpK2u_w1@?!T3&)H_g{AqPQpuNYZ@ z5N?#c-%*-iX{^SHj9?JUhB;jimKA;BE0S3z8)ntlUPVqhH|N4HstUDRz-`&th5HH_heYa-KP=&ZGIt`3sOS;|;6WMK@w1MUr4 z0NHH?OOTutKP+rrU6nTTlO+j|3@JQ!qJnSApm}yycgl5z$4vx@X{qP?e}8BGb|B97 z@S17b^RjD|!q@_~M|h`KscPa4Hy}1^!m}V>1(&SKxRzsQdXjWvLhy4lh_?!Xo8E+` zjvfSqCqUznCMB@S#3)IbT%cHgM{}Lo-^aS=kYlFO+H66K5~@_i2Ddt_Oufd<^}2+S z%_eLm^)=w+qWA;!xCQs>1aq>S=o#1GL|xZIaLxJbab$xY?#kjG_!7?=C!iGDfr*x$ zYE8FPgce(BnZJoFIhD}GYbBy@M`;D|%c-H%vC2-*CpPYpS+h5JZ=kl29v))J3=U*z z4q*29DTxFFy4smyxH??idGSUHE(ZRoSf8Aubw%V|L6-|mD0_j!R>cy)$@&8rl%$;q z;mhhT-Rig(8&oFVc4GycCSJ)xPm zy9(%|;D5lg0~h~l2(DCjzWItQ0HG-R_3Z}_j{pOQXs?g$C!jf>y%G_8eD}B0wO-53 z<>1kUHjSIzlHZh3O|3MI1w=ch!30dQ;VCDK7ZlRC$T~O7qTouMR1TIh#G8*?m|yO<{`Y~ISwn8^%URXQc8%EOR-(2p zeJh%@^Xq=4510V3(s1pK%920y*7BC=vB+yHc=+DslnBH$*6gG#d;MhXbTX*xYzsL) z=5roJE3#nozMQLKKCM0eiQ%B}UBU9KGgaazk_mg%O%!}do32s(8gepKIo$Mu=lG&g z&dCoEls7)!VtKnSM8f+KhOO$hp5(W1kQ^f;Hf;1aN>p$D4YjlFl+FG(i!u{fVGC{> zJ@wafXLalEHVHf9N3w402DQn$fL6^>>LX7zOc z9)&rPE`e<)h_Wng1H`!7b!X;g|Oh;j8K)# zrOeG^eN@Rrj(aA?;zULn(f%S=yA_|mq9!YeM2K2dcwU}pZ!y??9w6u^T2TVd{S_kd zlRE!bjb~JrOC9>i;_V;A;^(lEU0xGd%QI>Rnxv@1Wt&@nwq{$lCEk^II@SY@haO* zv<@01OJR*&Qjh!EHy$-3DOPu=A6alLczJ19)8xGqjZD~8l8kWys=;JQKRdJO9!6+E zcl+TGIX6W{JIP`6j9uQqOgE24D;`hASU-=vgO|3h>Iw0Mjz4E zENKy)!`$2#0qHh6oB0f%<4i>}GiSVp7*>SA4>Lck&`=bDOxb@Qe>RNPz|_`nv$vy4@S6>#(`<7IUi1`#Hgv^1k~J?xRzckHLp_)7kgJo95);Wfu6{ud~p3>r9*S4eQ;!YZ!BotgbU_jvJDq=5tZ zV@c*a5|;N*`~7lcp$>k}5%U4@O!z~2%$xsQ`7OVVSmTR-wL!Th#EjzJL@Is!%jC2e z$x?uu$)zgPOtQeqQm)=)-$&>B1AIV?!{Z_M0`5gBg*PQz5Vc^AH~ApnerqsuNc-Bl zM+@c;CRc_2Pnfy1C@7EabK3s^aKgDmL!Gm~v|qj&B*H=2RN~#we!1H{&%8GNxJY^ePA6OWs#TJWCpiQHJda{otV24WlD6*UUtDZnbX(ml*Be&nTv8=N1 z8y0jQizOXrz2F%c)u&j=-{6!xYcWlc^wCrC6;exi@R^cpQ55+?tPG&M_(vDC&SIY` zY_t%=t2mPH!vy`B&S12K{p$~_77mnmZUxup*!Ib@0!1&Q4$Jra)Cv@o#JX-APw7Tm 
zrQUUHjBWA`u{V5i`TB(AloJ7MN4y(FE$ltl2ZfpZLJspp4W3L?MRPW?!nmZBQt(bejC)WlNegQau}}{oJwQ zyJV>I8V3~~iN9)Ys%%LqHPgWlVP}&p2Ijcu)8}K2Oj8 zIb4v~3N9`l9v+%E9cQSlbPNnu78Xd3uBVKtEvl)Nn_>_;0h$D{wAsu0?vTw;dV-h@ z*_K3U4+w28^_?Y#u(8Px)MwbLN(lo4v85?L3uNo*`B;8u7JP`It z4W?18({iU0F5vkn{^r$+;gl{AC%N4Hj(w$+yHQmv%TUTBPAM*2UM%~vk7%l>iZXm- zPlWVIH{1E8NSaD^NJ!ej#2(kCk<`RQFF_23^mAlvl49fj!Xztvs-SDTpy$)pR4m?f zA(bW_CI-)5QikG8qN008bgDWc#ENli;@~9n1yKK?d{uu>%kkW^(z7U2cR+pNBNIBTCYot#L4Se~_%T>hYV*z7c241xSR%>-iU zwsq8wuF}NT^{APGJ6ZEB8%vjf1)izz0qAZB%ozUIKS*`sLWLCGE1U%TPqLyzLlh+; zm^_ZkOpoF&97g6f9rc*FySe*|tdJ_FLyenC}~XY;#0dQr3
  • #oeM!Y$Z$a$E4d*AQr#xTQ|b-acmJ1 zDsiTWzE``K`B-hjt=_fLYm8}ulL;z_c#cBb*J@RNJ_Z#X7L_$N=zN6x#UvEn%7j6T zncMUBghoDTr>)AoSC-o_t4~H&V5%XGW-Rkq*5W4&ikJVu>zTYPArU8g@MCZxg`TaqT7+0KoJ6Lb z)uX!p_!-b4AzL(gBb0{xOT*WkDXu+TRaTSG5G6y4Jz*)jZvfV@tBDnMt{e&w9cwoC zyTH~j4w3|~6qwH_2iJhKxd`9@_W6SFu&tlV+z1u~`Elr#ZnK;iGCdp>=-$Qn$2Z;Q z4?}v5UW3GtWb(>(>-8zdAU`Cz-{kARojzmGOOf8Vsu!7W3u5-!r_*Qk^O>V1K8sTq zvNt?0Q7iCEo6I|yRuTyd+q4yLP#I{V?_0@3quxvs#nX?;;@P{n-27tGA=Miv>SI|c zlc3)Hu9>lgLEa_|&|&&A;W~p?zfebXe^XMR6j`XwoZt~Jb_^tbHm^Nyt!x;|UO%|W zSrL(YMvwT|8^o2b+BNM#^Dc2;u{0u1t0Wr#t~9aMO8SqG<~e`p-N;Klg;-U!ABwlB26ZPGVTk+8Hngm-PQ6Y^ zE$nTv8B@V!vG1n`zh_$5(KnG&-0H{NPVk)rx{s}f3Dq};VLfKlOcdaRXpZTjep3wZ z?esVDj#mfimS|EB`TfCAYu+15)d`33R=Dese%w@C!N8lEutK%hr6Vk=2_A~p8s?T% z3>QOT`dRh@M}2L0DrH#)ueRMP_E!=FQBEyx2naOmOh@DB(^a}_emtWmtliW{(nPaz za>AK|wcshdv-B*`#M2bq>iY5eQ>I=2m1M$g@u(FS08xvGX0a^$?S{o zaqfpz^sZ9{71TdpNI3(pSNt4ii>gJ21|Al3HP8MqJ5tbNV1)J|#iWSOKf8>zp}s>! zbjf@5N8W}JuM&aJ!PXi{A@NE|xHq>R_pJ<$=&yhyF#C3<)CoGwWGhF*po^Q_Wdfb> z;qC~;C9dC0gCEw^&?Wn^nZES1DgbucX@vnB#7VCqMONU4L5VEzPrd*R<&NID8t);G zU{Y~w`Jx-F9L+ij`U^rV==yAdE7aXOVYn}_H$|!ZWFFXq@EehDdwiHr25|9GAQUEf;uDQmU+!$Vkk{pn`8^12On$7~hSp`7xsfXl6k=J2szM>6$PqJtvqwrs=|^h-0?b=O~-&ZNY4av-2C=?&#ix^N^uDPlO;P0_CD5?7|L<*5vPvm}vQH3!NCTE$G$+L%-y{!cJC!x_;=70) z9tIM49di19r@636Q9rpRjMe1vWy`kro~U9r>2H581HMabvC5h@3q4}3@mv)L}e{Q2_=xJ=!tsrEJ+LTHsP6_&{g*;C;`RpV0NmB#LKT62g zMX#nh0~bxH8dVL&tIk)`i0zr zGdX@tx}bLm=_#zcV9Q8vxLCVAYp*t3vfp&l~T(Z(av173Gt%UCHkD#JmnRCH24ski0i6K5# zK~?q7Ct519nIW{i0b}it&J!YCray@t;`S=Tx@!S7IJN9cs+C6q6Qz7I2v2KKpkuwk zoL#*zK27ZDk2Sa5w!6jhLw(cz?7LC_&&+%b4^zHcgieAwZIy|<%Iz04EXv{+S%=LYqG%Apyhg1 zmhA910`k#|@*8OKk!tuRTDE?7A`9pDe*081BfjO6>2S+0%J#!-ObV3}Yir#y_xAH< z9&(%Lvoa`>Ou=?3tyz%DdRDymNN-SkYI+gA0Aa>DWjKi=b6cj^4 zhLvI`a$=0wl=FC4lZ76!=FwF_shRd5jJ{?R zrWR^Wp~_<2?=JcRSlz+CxFr?-)OZ`y(!GN?17C0!$hizaBU(RnTq#hDDRa1_t!Z_O z8xfbJ@kVkZ62%2BRko9UwwpS`vI$ivg1!Xhnl|h;3f`spU~*$YE|ge=f5*e|oL%JZ zBa(B!cT1uJnDnRIwr*3|lHs?#*MMia-+1;5BT2%eGjGdx@LW%L{1CE18I7?M9wD9i}WJlqXB-xU&C-GNgGqA56_k 
z#XntE+f^RIT(*ygu}h83SMscAk}bm$2)`n#@;!~y6MZ5CDzM%a7&@euU+wwsYmsKx!U!8P%`4czj<~gE%Z~Gp-;;KmL{px8VJLc7b#5DlMm3hp(`^R> z?|NVwp(wi--EP)%xN!vrsse3)#ryN7isSto=MZhjoz`b$;R3^8{6i_wv&x* z+qS*o#ZJd!OfhKV0X#&iUi~GuQOYbWcxpch#?|YpRMQ*E^0@n`s?3FRaGq zqhG?H7HrsEm1$~`?!MfXc;Ch9;B^|VH`bYHOfu>%?P0X8M6igZP>&yR2J+myn8q)Z zz7`yNjUrhuxjnRQJh%L|LA+IAyst{)CElx&Yh1mWRIxkkm2UG{Qy5_!#rJA=`9#g$ zd{tML7CFWC!q6M%S#eS_i+*=2TwtZ8QB7yIx=f2+Sjq+kTomPI_((fagNb7YmNCo( zQRb^#6A1X~A>R$)9}G%;_XyC3dXiAsseS=3h(1H|8aLjcryjO>;>`J?gInURVhF7> zW-h&?$0gnZfL`IC(|A;6V)_(L5A~|3dM=eX-+~VNV5s18#jIx}UQpMo9R(LH(tM8( zdS@|yK{uTc$+@dtHdkWbi?9EcXSgB9X%u;{Mf&=0*vK|Y-$zo^f#aX zf|XhcI4Ay+9t|em6m+YqX}I?QMK=~U2WfcwhL2f;C*RVfb63~fN_ceUOTz$cwF1(l zhra){le`9JhlVp%$$N*BtB@tYm}#YDnd~q;a6*@cSD)MV2C9nd>bJ?~i_ip@a))AC z{dw7dJ}sS$Ch||^xMrLAQnWU!gP0@kcbow4L9$&eNu7rjiNN{}44b7pOg`Iq35+_g z{goVNcRKftT^(4eo1E$=!+jIDU#+xHR~%F-Bxct7eX%u{r&Z2JtsUGR;UQ0=OBZ}H zSfyk~UvGrGpLSwud8<132BhOXK4Ox_7S*Xe^Ygy|y!H;}f9X%jy8CeF)cZ`dqVc8C zcvelFPq{M}oU6YL;5Sa~Ehl6>TZpliXLJ?Z-6FlLHk|If4mIAw&^^6`gDCZDMYADd z@AMMFcy83>EHvUX+pl;u*W2wE?dOD)aJxsl*14z;SMgb{tx%eZnh+1hy4jATKt+kQ zv)Z(R&BRnadoLT81<}2RgXG=yR&Ao+<3GHu_JzxSzVro8cvqM>IU#&l=Gk9+gsg9T z8YEH;g_W^k=Ahz_Kz5cIVAkK&eZDJLW^d{D9VHmljaN_^8b$=KWH2O&*L(*CE-P0T z8r*m}J?we+Jnuv0SOvMO$A2zeRYmxOPJ2P}?9p`*a3H#v+|$7Ozyg#jw{6ok&f`u% zFRznOktJ?;>mHvTu2WsKOZEah7cQpIe~ zIFm)X?MED1C3^O^l4?qXjH|y@I@v7+lS-%XvoZz2>Rd3DLSPhXE=#h688u zy5TV;mE`SVfX<`JF$0@ql>2FY6z*b{?|nhc(d#qZCdHcR!!wgSq4_<7WwCYq#oids z>#Wg6h1P`c%`{d>Iw^6$TGMOvB`C&yK6(NfR?tVsS@`8`tuTv5veHuXi;B~bw2#$c z?WV&^SDS64@^K+c!~(9}XLT2@=fyEtSVFNErviJ;-L3NH*cp%h%^|VmBb`q3u4T;Q ziyHKOMN$YY)l0A2ATY3kyh>wFQ5FOk00qb6HZu|jvP78Wbb6@`!E&F`>NlDG7~8f; zdyCj2p->wq75*zkQ~)Tkwk<8xwmIi`dUQUpu*GjRIe}y{9A|!CuC{Y-^kSqroi^KC zIfMiSFKF~Tmr4w>ZC-bNLT2iKZEZ9Ai{|&Boy7J#Ejy98YgrBy0GV~Iczk?{%U2zG zK=%$Rx}k?%c3i02oi>AHVIc>j%ukal&!(!H3+(7b9DhzszI+yVUcy!b04%+t0sFM# z!y1~tDp-r^0ZH06Mfpjh=i(TicM6Lwe{!eGkMWrwsPrAt9qnbG)WMZBO6eFqq)W)hLazf>9+4 zQN9p6!;p`gkAqrsb| 
zLRzZa3o7blG&oDLloN#UfJY~br8OcZ!lF%JO3BCfi#Q33raWZ@7ChmenAQSRW1~LE z0x&BqH4SU0k}n|(*+{F4?qdB>AZ&LmcE+&#Gp7T>!jw?KESUP~7(A&_a6ItDr}JSu zfVzF8Khea+^v57h+BNFZNO_e_@>LHCb z=cUnSCe0YDn5r)_fPODi>vlB?Us3Fp0@Ih_-lM3v38Hvn3?m~Ay|5Sq4)CqJ<1)2U zrpR90Xm2DU+(h)wF|h`v%sKy+YaqM5r1DW}f+BJ+C@f|7)=`1WW-+}Op7@ReZ)PH6 z)QHPHKBd(Eef<^bQVz?VQKl+}4^Ly7x4Ek=9yRR+0q4YJSIN|Tf>7Dc;y%%(5?#KSujN!>IhTHcvlZj1n?13)hQB<1J?ADq-Qs#|m$b;ux$@U&G4Yues6Oa3r8`QA0G-vv5 zS-jLDQ{#|DBuX*y)qZzK4iHvMc|&|y;BxK)&!SwU_av;@~$fd+(Yh%3* zz0R_#>LMPGQnuG8fvWlHvo{uzks?kuhK^6}%UeK-2|Y9_0XPZk{79`eK-gjXZ)}R=zFoO7#@pP0h zyWN-n?oz7qDqQ$e>26>mS{myx-!u7RB++aPo1He$KNPy+Q_TY%(2VX)Q%J}l{!-a! zcU`_32v`mZkYBvBQntGmx$xrYM_8N+C^es}c%K?f&%$X%O(d{WCwPjV$ZwZ-;-hk2 z^(qX%>hP%ILegcf%x3{x;^m{^+wS9mGI)`CI0Rra8}snGKV!i`(vw)Nd?CDiov!!O zK>@H5w*!tU@s|=dPWFx7HAX?65V7a)`@;qDcWdgqIi5-7G>i-pWXU*p zozZL@^Y6N*GCvc?*3#+E$fYH)G@EUcTdCYq)fQFU!R+5yH@$suEy0|A4_PBu*j zuaDRj7QKEiKLIKra;?AlU@(<-`v#%OIvN*HQ(UF_Fi;ThyY`hSCQqlg#}G!Ns{AK$ zRVNvI&M#Vuh?SfD_O7xj-inpb(n*shYi2C0y!Lwd*sX;t!(dbg$POK3*jtvth2(j| zO?F9~h?`;m8(7w^@pdC=ri%WV72$l^uUp_(C$UaG2Pru1b7-Lb$56?ijzlR?7VqPC zY#nn!3KlrCoLzQF&*st#`viP#a__A(Eid9y^Pk532GbKUp&~>93xK&U70}W)MJ9!` z`Zv*gEES4Hl^;JFATL=ytidqOi+Fk50f4nva2K9hX6orbWLFG1pp5lP+5X?qIF}V{ z&WFlM6CNJEnp;^fXdd@6@Uq93t)q<78xeF`&K8Gid%}Dwo(>`H>y$b@=vm9u3~i=c z(2-*WEaclr9+yomOIay0y8|6QLU@ZEpK?U)Vp@zU81sm1bM6{1M&QTjkzKQV)5Qu; z??C(EhnSh=@x~ap?m=~3N<*u`^K79Pv*yJ(BQ$?jlV5H>c*{c^WOd(o`}(GRa&LIA zXyY=p5tE&_+|!7lrMf{|KoK*)=dFZ*NUcQmO{s?1@{NU94OxdKhzEF$&4yQVv`%7) zAb0Z}9fwvOFUgLy*tvHIY(2YEhR6LN&D@QZMTd7Obx>M786z|`Y<#P+o-78KK}s>43IZzI0m6@M9MC|jz9<9+(8cB zmuoJoTz`U6pzA_-?MA2mGjYSG-GpbBnwkC%m=?PFV5+_DY(H5m>oxQ7=J*7SDm?Pf z6M{pfj{nl^RGGbrrMaEFl%FP_m}VN#*eE3$=A;#zP!$s|pf7ZPTlLX9kNEldfI`!~w}`T~3-&F^wFoWfHDi;PSAo{*#3Ez|?* z&nl~JePXlHtxwcw&Ga^r3$kp&=6U;0)>c&vxzWi)D)O_rzA8PzU*5H;el-pgrx@MC zS-#bNvTII66 z7l3)=09Rma%=q1cjB0p{ty=?}zj%_0v8E)v-%}^-c3f6hO0D&zs>}~n^WNuh?1Lpl zAv&&o$6X)|u)9LeAND(KX2xi=nAm)xig3-!p!{X={O#9y8d=-(j@{7yS2@zQoY7;ZSaC_SC*!Al&>AYTugXb9lYyoWQb?0G$$g 
z{sCD*E=Ce4nN*lwtbnd1k&4o1>8(a*xnMCHuWi^Xx#;Tl!ry#g7bpZK|^AO)d-s+v&H$gekPh*VGWcnEGfnVF7+wv zeglXA&3M6Cg(h00679TMgEE$8$sbe7la8H3Vd^J$hu1D$2J}W&A}4$MI9sM`71hAu zf!TRvf-ep!;>Cfz&8gIOaEq&oxF)+NL{m{QR3&K<^mM#BR&%`r;Sk?$PiI7%alL7{ zC`y;?q3mzw3ttAUovZ&fe_6|*v@^KuSYl%iA zUl>#dRfUid(o!-g&(93`n-zHDE6JY5MZMi_c*BPi5i@%WOvX45zXepO^|^?jd}IL{ zFRY?Y+6a{sPAWATP7WJz7Tc#U{1~e!^hS|zSgqH9iPi?^zh>k>{_+**YgYp45t;zH zDaIRZMZiU{2MP8=uhjpkyXP@h$N$qIeI15JxSZrq$hT7!@I8BdRg(eGNAK^~b)Jdu zaiXM9;}@si(nOE?)GF3MxNl!-Xwh^c6v^;-ovh1;rgL&&HYvf=K9LZk+q}Ip69k5- z+-7}o-PRObcJC{foRzGp?iEX>EltY`os?GWoJnahJ5c3!i+ectJHlx$d%b1=GVknV zyKBlmtMxflSZAFxV(QcD$URMuB6_{ zG%H$K3tklcSX5x)mVczhiqq?NN;JV@7yxTalXYo#Gl`3!-O5H_1Q);Idd2!&)7F@u z2xf_&L`sgTk;6&(sfJb82%k|YVg&hW*m#$dMWqbobIV zF9YeZ9M6aTo;Q6wIn!&YbHb&eonR)M;Zm5#W`fJF-hkTYLBDHjk~DL({=@Vws(m~)-(n$0 zPF0sG%uWTAtjFO*$00VPGHe4@)67_jTLG-ScQ&c)fl zAQ~@pay*pp_As1Ao+SkWo_t46UO{OROmDoRqUEe4G?GZ#8*KSylNjl2SstswaH6v; z&5aF3i1od;%bguB|Ae!?jl%J~^j)4Uyg@`=H3lEL3~PKGL+k1F5^ki$?f46qs!bT9 zhcUk5On-{G1iUY`t)9=21(%8ylH}M}hqwM%X_ull6v9=R1QSY5<@wVXIil!6 zgXN(IpM!wiWJgHjcaG+hMMD_3!j<0otALQIWay|6D+>z|earraULq&`7C@p%kcm6g zeEM1xgUzu;hWEjb_@J0#Tx5@zmZBhh3FLN9yq3X}LxGNy2W6kOl>N-OOr{f?$D07h z`AXCef;cGc8qv%6wMH7LtgH#m_WK9bHp*T!eit-Gt`|XfT*X_m7*k@;^qBGreOJ@TLW$iCIt;mr| z= zUh;CZTxEczqjVpOTFw<#)@Zz1yyCe{sAC%|j$8oWt!hgSw?_=Mn&~lht>^PR(l=fO z0f^CkG|=xf7<7FNO>5k2RHYE6z8!X<{Q_5+{hH7Yso2PPSU$cW-SBGRYv;`_8uF_Y z;oK7?|6X~*!32=Jjj4n-;ak{t9Ta#H3Pok<)WobZEtBL(cs~5vshr^%X zoPT+V(7F2fxLWk&t;h7~_EV_AgL5$_D&?{4vq#%o<>)f_UA#e-1Rm2^)$#e=`@ZtX zo?gnuBp4)p3SM7IU)~UPG7bCF!cZ%4XQ>0{gWH`{+hT8~aT7V@3QayswS83xhMz*3 zv({`ZZnywvAJ(F&dxLn0`_yb)DN~)*Du0BFO2>@UpZ9hyJ%=@CYD@V-pd5n?14k?e?}bYkL_o$>%d{cjD2@zO(Pf#RHo`aN~E9Zh4d$i^X#yfPqpG>GNs* zK+?R%u#1fk=Ww-Mqc89#F(1c=3px8&94Gh#{xswL5GoDtr)4z)*pWk@^IOfSrIZGt z#l_LO-Ei|ZFq%0jd8fBUTfL8oQ2+4}_vGMXS`8f%T=f7#D5deSPHTA5!@@N0@o>3oY za-XuHot4qxsmsUoy;!?hT)+JKg-Qo;) zfaIW8##gO!{V=KuChWT{dQ?Tl8fXlwqFwCyB2m_y!wYj-ztxbd5mH3x+{XonC>}hn z%f65l5LJ7;KIPF?5sq0=_sl*U*`qociVYQktCZvA2BEAvTO 
z6Z?ryoL_uBiR(Jtz>^tTcyLkGq!$uRHSJ8g*&yWPkg54eiIcNuXM^fB`(%xvUo}ytAO($}GS;p@T!Wcc1E&Am15r z>DFGHxmFdQFdchd1>?$4BY8-h8<8BSJ?Q#SCKaizmM1W|2@ACC^)K4I8-0GvU~~`= zWgb^mrafErJlSj>FBE+FO=NICL@02(X-ek1TgdOTfMjEN)w^jQO|0{Gf9WO5{yhCJ=zHw zYxz&w*yh%nxoBt$y80_-U}VPzlgMvblzID{PhJr?Pmr1#RIoa@H7%dEvD}Y}b9Hqz z-d0ps+Md6UigoDzz7;E9kEL5c{QVA_@95(^8sapx_5-g?#5wjRVzpx7DW%Z*+rF>L}kVjV_&y)sywpXRp3UOcq?{EZxNS z?#%7tASyd&OfNK>J!%Q$vz%;{CGCh?PkPq&@)5ce%25F014v0pl~DfJ1)hBkFK%5; z$1j$opMgiV<-sV0Jea$3$@kjs8rF!;tS#<}oT!Ez*U$)l5EZ4=;RC(zQgWu^u+Pb? zuyI1dYwYwuG<2C`8gZ5v$ug0fkD35EdX?hjyUb}H zQ|H7%J!X3s##LQkd8=Y$SF|U4MAvbMrg_)1h!%R4XBw=xJb4;YbH?PkgQ@B&{`Q8d zkReehAt?#Qzn#X6pD}OVkdUCL=zUyc_#_{$+sd!wKVNM7jljULeFiUJ9ON4xT*Ty- z1eTKXQ!b7tj;S$^#}~=nJfrR7XrxsE2wxF%ZdPHUB2cf^E#k)$hWRA6SaS%Zt)Z?O zZ7^#LRvg1?xi$9S1e&c>Uuh#X7I+^kzZ>;-eHbBzPOhLoD0}8|gh2^#-p3%?WS!g* z^%B61592^Yt1CW&ei8j^<)61#_k&^r)q1vfKPrq6#YEr*6H{k)7LG3R#j1yJotN3; z;S6!ckHezv0dgh=*Xml7enBinE+VpqD{L9V9$AicF=06`j0}{rrHyG4-Ur1+B}?8OM?w zJ1D5Q4hFDqb!zN6d7Eg;p5H{lWOhu5)n{aP48I$wS3dtVmYDoRh?JjdvGCx%Dz<_g z*JScFzvjdJfN6=+qII#iS11G0JKa2hSvXG)m`8VHUz+WSn;3m8yruw33jXN>Fauic z1qfHTdinl@3%L=*F zP}QAlZ5Pbbt7V4f`#v@mb_ZBK>}?<3VcG6B7&Ur$KO#$Z-=yT!L-;uzvT7=XkO}&l z0V~xu{qIlB7#pmEeB|_()Q$K4waAzFg8aH?bwXMs8yiSlBZE(eWfczBa4y^Z5QsVS`_ynOynIH`33CO z(0`?(Tgak6v!2G%Q>*@!@d@a|52fNk&IfT70PcstgH`K^WU8?iM!CvhgsD-Z+Yu#O z=^#udX2K8#uDQ56J31D)f13~s!oH=|zd?4j`(vcX7jnr>2tu7TeT+Mql1Bu>QHfaw z3I^^fAsJV+P1sTCN2yL*_vkS9|eTILE`BpAexx_h@Cd!1{pix<5z zbq^pve^_?)W1+i?rr&oIl2w2BtKRPcC;WFM0J2`hIP(z%Zj{jJf+-D{uRgx(cQp6I z)f5KT|!H z>0Ql*2g>rM<>Q6 zDkX?hk=^$2Hh?M&@NBbxPsFnI)90by9Vw_2MIG$b!&>vebAg z1Y(UK>ifP7qmp^F{bF3^?u?S#RNsohPvE7>(~^@}DnGxglw+aa501iNx}y`f>ZRYF z-_F>^0^IQd@XyWW{@)R}YkQ@6CtC21xdeSspPe!=i$PBj`!!Tf@6ez_L?*DfL={5gOq!P*N}HCqYRz`V3&XVorM38MP;Oz$&UAOk8;UfDuIo_uYrMY7aeB5Ab8UYWHJ< zeyd)T@D2ls%B!Q?1-RhnWM}*S0XP z7YRx>sW$uGcro$)o@QbcB!}x87s4fOP@gF?^BNf`TH|Ch$19WrQcSgNLx4PWGLSKX zMsW2(10ud@1{NA@u&}r2Wn-v;sMv!)>({&rt%*|%B783wrdRn@4ZZJ+;_ExEp!S`A 
z)|%PKHF@Nx5}4A1*uEVzI~ziwO`kq=10HHQ9WyjqMgh`ITm#_V+6Ni?`4$g>zcm)8rh(^D_JVaY zpyq@)&1vdT!vx0JtpUM>h=BNkYRieEeQvXFoCI$sqI}7GphwyM$^nZATq21oLpN-iM)MQ9@fa$Z!HOo-tFmYt#9>ne;R zlKM)TfSMzqXFqo2PZQ5t;*~xBgB$LRXcY>sjDH0IE=0f9V6Y+p?z0iI1VDN6EZ7OI zj{?4F*=77?4f`^?TMmNP+*M{6aq`KT08xU_Sl=?x+v>WMxK(pEKT3@RWTcYLQBZa7FG zeMA2%*dI}FfYo`;7PlyZe+61Qot_aVZ*CYIG@*2Sj)e@+kr2AUnsvj|)ZrF>ylJ7X zx}-j?NjeIxJ`KpQkZWE(CQ?XA^ta+a zoxmSFgm6LW!~~FE)uCu|`L%s2bGn23Ea^3T=AVf--(wp;%~Xm(69RI-FZjD#paNHT z;948g@zI{64_NRsY`>|##_Uv8^;gjYIdq~lzb_G`Wi_}oS~U1OwUGxOM1iqGk^fdJ zXhHp>W!!|laM{V%OL;8{NWSbNKp6&v!H%_d$M-}^jW2@~euYO8V;jFUr!^|Tlz}F6 z`L(g~cO=agJ|z5-aPfGp>%FSoNJpzqI7Bp9C-~hs#zpwbaB(NnX z=QK0^Q-C&uC;g}HKjnXy`#(?p%jf>q$=j3q=L+y3_rF@9;P{71f2;i?JpOG@;-4w` z_bt%>_hwJXUtGFAfEm{75&qjKHzp2FMll};n>69yG5y=gSSZnshW{3j|34f3|J~RB z`zPYld{GAZ+oSXrc$&%mZ`zV9)55rDN2Ul+5cA;wrN%HSN=8%hw;w?=jd~@V_^qRWS=l=zobB3zc`+qeufJ(SJIuK-USN`wXjw3ZGOZx_)}m=%nfB|S2JD5&h@{Bk>Ub!_^!3^o+AW6NPB zF9_WN=brtKw8(ZHiryCc?tKjE2BVVG>*pC7buHln&j{uFMorBbKxHJiyd7YDl{D8C zTZd7@jIV*7eeqO{rvy+d7&H_jF`)cY499CH=Sw^mak?hE0P9E=Qsqnpyx`x0oruYYzxWY{8UD@ zlV80DTY0*D9NvPrHK^BPti~O3oD7J?iNav2sep*8U6wU)Sbb2iq z3j}>eU;y8tR_Hq)bRTD7Z*F6qf!hFEQ|fH00Zl>*l)M;JL4`7ML9T@GZ)})MdeYZ! z^oUVnr#Na}@3asjV*`0#OKcFA4&urMBGL~Ho9IO}K;Y|fzWjH(aaT~zrMkc*c=SXB z(BiyuNZkj5S38OpGiK5W8GzbrF{nU5LSF?lgZ;jbIyLI2pCKdxE2P#~ReBsX{Fyp~ zKZ&x$*^>{C#iITQ1c4PG{J(lJF)(prbwD&3c39>mZ|{T&972U%E71~vhtdOlhtcUc zgnD|*NLy8QTy^dVTwwX>6e-woBLXz3?ie7c2CE+J%_(9A#sVKYa?2*mg! 
zdpd2=3EMCaB(%o5to*OJ;CAM*J%W4l7esPYkP4e$x{^?oj!a8{L$(HSzwnn24x>tj z%n!v`@vCs?Mcycsz+F#ArzeAa_k`F>Zx3FiRAtZcOjKfVtD zfGle);i&r1S%7naaO}sf{Bpn&l+;U$P_r0M0C39$>3gATSrYEb=XKFMZm1()ME6n( zQ_L%Wx|osvRB(3(_WED0JFF;C637j0VU+5Q9st>=0-|ULR9`MNw%J8NP)*8@qgV1X z6i+nMlfZag_?@vgIABAjF;}`%iVAucuowZ|HFBBN{iXb&5ar?mFIm%_m}~{rt?&Ml ze+Vn!v%@(FaTe_R(S!h)zH~hZkR3+8&|Y{o3<%LJS5AIkY>Clz_YL2X)tEw|2bSB= zNYsEyz}qr*2oS(==)3O)*`MbUDuIk*&HIAnF9&yHWPp{r2?>A_y;aKw#L>K5tGS_( z0$fSZeWBX9_0l4BYrDZbIZ!0a6e!_A0ayP|)Wu7x(S2;`*iiLh1r7{KogCjMUwIzV5K`Ies>D#9a%jPWEDg@H=;Z4h)JR-*HV-ZYg@Dwc1K$YfA>&t^stXypVp_v)A@u?&Ot$CIR)V;Rvm#zOMyb`4PAxz_%a$ zTz1PBZ6gWPw++c1xA#cewz^-BTniMCs?qZbs#3IzAinNjFt}?=3EAW?A{`MH1a*M1 zU03lZoS~h~eauw$?`OVmeML`Vy=nYi;~y*hj(EMC->im% zVVXW@j8YiEVIREzE?pq5>7D;ECr4$9`sIH|LGvXO|LA5D+QI0D_OX?P>83={u#WY? zVA_xkk6B@zjtBS}4g5;|QjIv8UApjDyY90t; zZ3=Ew!H-$f%zyZOdV>Q8v_el`qQPyKF9^5PmxA6F+*0`e^2^u*N^LlobhTIAeQSw; zahU%CqjWZNtD+b3|0#cw1g8RuHGuN?KQAxP@dVNNK-EY3npGvd^Lpyy#?M^UbJq1` zy8A}5uA2A#1D`=VGdhMy4(7;4Z;cF>ve@d!f1!h5dKu6Fh_O!dcr#2Zst#tO6B!_5 z=d+&rk2H7pWg5DRhK`?c{$Ju>mWoFvB{yRk%sV|UHw1^;?2eu=kelPk?O%0b2ahY5 zpzx^>ZjV&W3l{2zkadu1onaUka8p-(1YembU=)JX+M}xQDLARqKjUhu?%KNB=PU=J z7l$2#5EuHJKZo{dxTAFw#VynlWuDjn5^UUAN?g#3hI)sB4en|cpufr=zMhW4g z8Q9CGo`MC8Ylzfp3>)5_l&C)c2wNm(LqT5y!pJjle+rytSWPhR;9x4uiBRuVWx{ zAcZm`Q)u-{s6f>Lp+FP>Ck#M3g0o!!(~a?C$EZWxLc)<^9r}%2UfvyEV@o;o%PW<< zSK;zSW!-oF)ouZ%>mgVkXoXqQ?54vl9;H`86atxac$&j?i(^j=7xTQ)QKH1|hSyNi^ZT+Dh{b7aJ{gO`6XOXoZY_dVSOI*YFo8CV5GJ@D82r3p z`fsriu9+(N9wF&S5)3N@D%5%r@{LRB;b9VI5~5dfKxapW4QPH_+}aM?!)9Y`R%cZ` z9ZfX{U#t~S0OX3nrW5?NfCjd!iEHhahN0|fYtH@|Lmw(^Za(UrYAjthA|(qFQj)Vy$) zA%7-;4N}krwIUOom!u7e!0Li;&*@S z<#ixJsj4yjFwGUj#2Tky<@=?$ueiLT#l?*QOig(M#UXn?F+V7o@+zFflVTn4k7jwp zUNUbEG_V;M2r3I;%Qu7oi(+C!L+{#xqZ zL6V{j(TbqPk8ZfBnfa16weu5XQbjL(-)k(?IvZXPHg`g>ioe>ov=df-Hd+$8 zB?A^L9xhJV|BW&6^zyRC(`hnU`O^?{SU55W*IA-DU0|iX?)$`F0ko%M)}RqSv4`L1 zFza}1@-=l22?{ClpoSZSNb_#D=7v%NaP@;4faL1d&4|_Y(+}#&o+KF*0EP(;*ovq* 
z!Tsd~gb*f>j=l}B&bUv(bWbuS`DI=e7>?{IVG`e%urlE2t0B~2f}8bBFe^{<=mtuE zfV=lZgYb_3n}Pc z_xzHD3)C8bz;dVXgQN_MJ&^F#p~7@64fWCPN3e|O8KD08HUF%~pbh{H3Z8e;1rR_E zWW>vnC(#;5X&iw4vMlIO31a?_JRC-i0Dc4vEAwQt6 z?Pl|;-h+os5h4@Xe6UsQ9RpcDv>V3hkg#QkY4o=JitK=eBLhPHwrY?IT2gWd_ly!K zj;vMIlDrMHl-mu-ll7%~V;X=1c-r!waE;$#XhIM_o@St^^~@nI;ndQi9}}Bs`;Fnd zAB!0-*g}C@f{5#YFMmc+A-JZ$LmL42b!ZWb4Q#2@s$E*j%Zi_T+o(pJyPHuhF#%gA zWkB7W3=*yo%QFZBfQeon`UQu<-ms`fAJjj<=y!;YW34a|Kl#@~=uC*RSVd)4QfUam znONNqIW~T|tOf`%)S{s8hJ|`x4FG>mV#@}cqGEMOv?h!gB?D=rBh$*&KY+-H#kqKT z?rGDVLO|qZWL=(Y3f}yk9*Jx2a6s(muqS9{RQ7^Cm!R9={4nSkfRAhW9YdZ%sx=Y3 ziS^<@_PnGhq?AB#7;k5HS6f^AlxqpzJsZu=F;_lmEj}~zY=8g$2YLe$cK&+0WQ+Z; zn$&?s-ue8lz_T6~&Z&V@ux5NXGZRA>$sw=tk#qX|Sdf>qH{zh$*@Nt?@fMGo5X9#d49`^9q_H zg{cc36zwND9;U#XlB~@tj=1ZuE|TAgQ)U55gKnjxcbiN-t?WH1U$9<{J+0gPN`P7-z2!67HQ^B3cs|=M5{cG6+ zKbRcr6?6NsZ3#ZgjXW&x#g_%#+#@C?w&+3uhV#&Hk9j{(&qo)?;&eLs(+G@DT}w?v z$*E1nEkCfRU3OLv>vwv!W5+tQY&na(@qrKbt-9v;EYDIN>s&~hg5>;5zcGk^KEq2J z8)gQ`62R=5fT0xnSwo?<#P3{lor0l>8iusSWktiiYjOxHx-$}IUPXZ(PS`sU+d!9 zMS`N$lQGQe_`_$OGU9g5U3*>ER7W#5|GP~(J(Uvr;qStjYg*&ydm)QO+(;S}E@$k= zlhkg`A@%&ro0gQv3qJP)sl@xhq`KDO(#r(T_lH67npB8xjXQUb9`-7-VHeOpQjR;GAqMa|uN$H{O?Tlh30|~cql$e43_FsV$ zEmiY398B^5P8n*7ZCjt7+yZ)r!>hF-dIq~22$%^ zK``*`@_S@f4A5oB=;HzW;-oX-xw|-#6O0v4ZceC=zlHrBV;H`OwtkiiHGa@%R$9`A$R31PtZ~K7wZE zs%HuF$Yle~JUnan++sehBmB2tF3`$oIXk&M^d-HP25q`tN1nzWUo_;M$=G6a4VxaU zE}sRb{7mMu3sZ!?ENy)7P^+s!qW=;@<9u*vU!2I zX&pK7?h0G5u-I-`NLM6=X>fVC@uY5;gQvqVqhS%zYRz?P#wlv9(1Pw&L(y?T6-IC*tjZ)CE_If}=F-oh zMx7I`%S6}H$ki9iLQ5e%oVJ>erCM1ZZjK4K$3 zo3#9`E7i+0hv%cyLmqZ$(&Cg!HD!9s={Nlc>cHOohz*X5$9)r_vsB2_Lpz&Pdnb42 zw6z}^n_15q+c}E|1^Xvx5@A;aK7rY^7faLS$@z!Q7W(74mvCT$8(j939gooD>DQky zd;$X>&-+zDeY}|q*^=z_hAuzm?%Nf@44W{Dqb#f@udsZkbcdpj>~^avwii&7rI3b^ z)@!dX;eKm`S@C~jWMA$&YYw3Zoej2}?%U8{?)$I7`MlNAaI2Ct+FjoF_J3s8Hb-3& z*rx8`yuVg{&0#~AHXTV45lL>qwN7q$ovmUFp~+eiCHji1{dQsf${|ViWGguNL5Fb| zrNP`2GEYYE?6u1${|s3u`G`S|WMKvh@bun$*teMMKa9xYj7ei`%rcs{A7${jQig7k3I+xRS=&}`zG*F~LTJ0hk$ay52Ac@Km5B8y#}tnBla_!-Xs 
zsO+BOR}sY^na4RbYDmzqE-5kn;|lp2SW4<;t)U{CEtHcR-HMAHUdKquvfc43a{$sy zJ?a~*uTqA?k!_*2t*~HXRAJ*cVqzLyR3C9;IP+|6b^n2q8q{~Ayb>LB<|0y;);o4u z?rIcKll?9+S8tQzoa)V@nvR&Jxrx^4UGc1^8PPLlSfM^ECC0|0G3iCh;P4r2b#SR` zKlANCqMG-mGra&2!>eJN5;N{GIyzcDC~E8|mw15Qv}q)z&<4a>llE+ATG@4<(%C2< zO<)W{&zY;#d)_Tod_@!QMga$_&A6y?#)YW~LNHXfV#uz0;#@;EFF-x{9hVck;9WJF z^NAzWjm5rEC)EB_5SXPwcGBKx<}kvg<$tvHmQisnUAt%#+#P}wNN{)epuyc;g1a^D z!69gH2=49>Ah-o@+}*8lIGw%UcU(E=#~pWk^H+7P)n#kee4d)MR?Rg5f1MV%lwMSa z?xvpCFkWVXjo@ctp*N$==CkU_2o24%=Zj?ATgrU_L3%BH@P6bSzVGJMWB22-{x?f$ zxt^uw*X!?JhoW2S#neAN`RUiL=G&B(xYPIeTr7VYk!hardBi&ewM}+=o|_ggeB1)@BKAO<24 z2dj1MZWmr|7p>jlfZx`i44J*Z7TX-u5RrBi`R!Yhy{>x*Vv~|uQ8(0gss-pZ@7H_S zRHeHfn|`CW(j!3db~SN>1D*8@O<);U$`LLbPRu5F0d zYd*aN?(22U_zW7|H=wyH4Llp6wxc&T%Dt}3=)2R%@Pi{Z6|^y@NJ37O*XifKIeY$#Z_ zwf(aqACoE4(MewU@0U!h$$dckE0Enqyqf+6El$ta#laJXje@XRjCyy zdEfmJWF1*^CC(sZK-64B=hhi;P$#VesC!D-E%JSFIsM?J&fluJUF-+a^gFjREF-A(2N01AV$qBo>KpVYdUL_z5ws&UJxpozY~K6IEu0pH-Ogd<>)z^9WVCV z^t%XBZo7;5yTsU4yu9Uxqk!{S52`z7Jis6(ckI%m*w)m*tEPTnv8?J*nA_socY}79 zk~oBWJ;;~5v|eNYE$8KGm>zRbW;nGJE!6#rlbrWeP!@2sn&5cNqBaJ8p@Mf)csC~F z35XD|PWzN(Fvku2QQ)Hb7^o)y94tCME?hbYfGYfaPH&rB#GMqg>8rj%EeDHQT~}v5B^1Jh=A@sicL`EFNqG267gezqA#ssfxq3c1 z&0n8er0Rl#3R)U)^^o@6MP#h|<0r-f`^;i4?%T9M&H}aLSPL$L8O7v`luu#nht*ci zeoW+C)y$7|59=9kg#{NY_R_YfZ}<+1G>nXM$GQ_=#^0u$JX1!ReOh?HOSJ6SX)1NE z1&Uqwyj}YhJVYEneXo~@+V!Z{ug5yG2MWql{Vq%{1*?SwK%cGd7@b#pm<=CTnkQG| zx-d_*d=H+`g`bBulP&pJhjgkcs{*sck71d5)_Twy=Nj44GTYBXJE!e({MDUrP1z~! 
zU;(kLec_^9M6&ei3bCAn*EYKdQX-N=B}DK~i-;^#_RBW>&#lH?gqT0NW(Mv3OqSOo z^A_5)S{cl3isvjzhG_0$!LdBN_04?Xwo>1YA7rSrNq)H$wm(x5LjBdW`i{nscuVLy z1spxkGX)Rl>MWHds~mQ+xSZ!=E7Lc(&rqAO0qf=Pt=+EVgIM$;uE!py@#H{Q3~sRX z`TiYgDG?V;0NdkZ2HeBf08k70=;JiuqDnImXgs?!XiA(cG6bU4w0m&WeQY3i8mt=d zyNf}cq76us!8YCV?WXrQaTNx{+kpLV7dO)u-_Eu@m;4xyzk3khwt~BZy{%xZOtyj= z4gp3Jpe{LH+ck1U+>P1eBankXpNg-Yp-6Pw*}$tHNBovarv`3p_7dbv4LQA^+h>W+ zh_Mgzvbgj0=O@jN@8YkB2sxKh29Xg6E9F(4GWK#;W~a*MX?@_oWSM~oaNDiZV|4kWQA**msXeC!&5V|WaEjBqW1>M3S>h!A3woE+?F%OG~_a6xW7Ss*TSJUa-06*}-o$qLz$4jIjJFA0;T>M!> zGd3$1jNG8<5jtf16=rA7;DC+3Qoet0Kj3+Z-IN{hJw#aHm+AtWU%NSVB9u0m=MA}n zwCSB$YhBmznA6nlcNgCQbTXe*Yxd`KEh(q~y{sHV)zr?NDWI?&uL}nOqi;-|Opf77 zQq$JqQTCwWwvacxSDFy$6spr`FE4aeSXo)Up`+DCYKbOo&3W@aKC|hocYg0w~C- zMl39kSg(z$Z%|n8V|m82QKe!to?415XG5Zq)EfOYUsmvil+rIG$Q z)1~vMSjr=L8e!CYhzOVo$QZQqHv`Jf4NWm+@l+#Pu^*!p=Ny7tTaEgtd2y*iT^eP; zsz@TLn`g;}4kPuKaR_zNLBq2G$Bnsl%?k(sGx1~t=hJPvrc8vDRnEr|Iz)}cdWxN} zR*y=9hg-S0(S(Inr@`9AKQmXrzCT{YtSeO-iJ1=43sT2kN1WMz>M9vwk(D)?$6BPI8maE;b= z)h(^{RTg4PZSEaTJJyutDOXf@#9E&gskeLasA(RU-$SYNPcV0t+SY_vzYpCIq+#mD{GIlRKz~}I301)WrN}oE_WDEPPpej<2 zb~tHzBu!@^(d5FCiK1hUnwnAFpRM`ft4w$1G@$`vk_x09UwgV3>);u$z$DagSAou=(hf6tcUuAR z>J14gDG`I%i^5AVKI^Wxz`V)%GFH&m*DmN}%q+16(ICWs`W`(mRhTixrWPb-RUJqk z`R-#qLl!{=*nH#>F)}azA-9_@S7gN3xBZ|ir0z$@AC-1-?r)B$gTl;>?~ z20v_y6J4%AI&wO_dLjO08hB9CT}p39P|@>A>bc>N{=Kc?jJvJyimMS!*T&DJmEsW)Ubrkex)* zouc;FL)@|&(KhnXH_fl5+Pees#~l(8XbNa$7s`sl9J%tQi;44K99;vIB1iXH{6AKl zY<&FhW$EP+GypYfDe8+nykBi4sO8nY3SmiQ0Y#Blgz%|*(hSK&&t&QTz`dY;VbU`< z&B@xhZmy==3MK1eI{{^N=IsW3gVTebF36djZ(#wd)bbCuadY(sW#6N4Grc`&Um42c zu?1i`aPif>LcFqdya%hZM|YV;F_`;WD}P0hImd5ALK$>SrZWxTvpZH03h(Ig7W|RN zeF(LP%ia_MzYCCjFazP>BBhO2J`ApyCGM!A@`@I^+#82zY%z3+&2v8REGLiq$hspg$FsmyR@6&NVgem?dM>@lW z$riX=-iM2WTO(bJ#?pGG`Ir#* zkiu0-IE!=4)EZtmds*4gg{6>>s^@KMLhN{B<4;fAz5&leLxvO#l-S@tw`ipXJ*B6m$3=&%W3Rp(SAk!>7I7+ndHJ!;L+5^d7lb*=sT5j=}P4R;{R8h0*zl zoc|!{E}k3S>$S_6d3hXcM_|D}(R)}utM9Tt{i*yoXeq~KHmgO>jd!NiS^lBQW2i94 
zl)n@Qu?k`L#>h1RL8OEdOD{pqyRagG{FhltDSJ8*>Mk`KvbC-vX?~@GO%(%OS!s1S z(}e7Jwavq{1D$ZTd&keB9tN2hw*e}U)hq^yug^(L>*1n#7*&1il#+px3h;qSXVpV` z<#40sf>1RxpP?cA;*4gwSA44t4v;SsRwT-kNFENa8^e)DZcF8 zse+5t;W4@nzBykj6vXwnz`aa;)MmZ10u8BS7~Qs39*CHZ4JlR zNbtyd=V6+hSsES$j$n3Am(pm%rJm^c%5o-tkUZzquCX^D@mKcRSKLKUpv(zTJ{x`{ zB_)NtZIMqCnSZdeDUbZYk@X9MurK*vIVRD*TD(0mRE1Luli__@2r$ZaA}d=B3a zO*Jg${UYT{YPHAiad{ngB}fT}*SQ3pdj4$UluH=~Cbfqp>KjgHXURCxBo zef)ZKE4O4Bl-qqnEBm`RpXV|0xCui8(DAF(z(eCo6h-7a@`Ejhw2cna{vt8CWy-@g z_%o!@$D4Gi{g?gacW>`=_B=``Aw*;J?SOhx7<`XC$^5u0^7W-v!qTQNktizmY%xP; zg+?43cr8w8-Q{;#OZ}FL#o{u7zzyYWIyEKyCg2R#Jbu%A28p8!ceB-BZlqq5df#Np zn>(Iz=1PINnT5fBg0Jyx7v%kJn(jv(d+66AFr-M$ToXch40yNSlFtJ3s#2bVfnbPP zQh9{)E>Xz-+A02g8r>QWCgUq=Mvc7q%4?MDuE6K=b-qWi9b2{TIIFJ@2tvYW5SpqD zY-{T%0DcD(57DscFuk$}LCInw(JxRJT8}*{NIQExZW)}DRo7R48Mx86>KX@6ng+2h z-G*X7VZeq03XuQ|S~W;yvr9sLQFl$i6^pjA`V1WfNo{SK*t+f_*%cq5<-610$er}} z6%eAQe2NZB*7)4;ZG`VMVIAUw#xMTGq;tIJ8P6OBFLIme;BJZPb6R=hmP$AYl(P1V zsxPu3u?p%c3P#-DuzKT0HBLa)UH3k)T;KnZ<4&La41RR65g>g&7rbnef8f{j>vT7? zNDw_G#9%kOlE((NAq2GAt}D`Od@9;I{A{@%@rrGqJ-wj%Db>OMExE8%kW8P0UcoIi zlkfxgj_qrA^*r^y+VcHP+g@17N?a3M$IX`Kq&uDHSJ30UxG*T1#7bt-sX=d(K=8SU z;QN*y4q#_#r;ypdW)!%WKL~dWvzXSodyIPwHrGUC>UkMh^_!V{r5-%es?!j7xN7?$ zgx>LVA(937m00Vu=6_AaWnI4?$ii4 zG0HFN%~oYy)6o8`j01ADeimGNXE{gX%O6U6lW_F%&+7A~9McyBr-{CPP6g^u(_Jj^ z?+LmgIE59X`DgN6m#P&6F9}R*!;ufy!7OealgA?Pbu%=5T23;gyuH+rXp73fxbvt` zTOe$AbS{eWM%@}DRb*}v+mI?y|n{_-H9orl8yYoG}i6 zZ9PYd30=G*bW6v4ySSDwTxZdbz8srbQUd~pg9(7!Hy>UJB@L+dyJ>mwE4_fpgW`AY zQ8O^#uRlpoSRm#jplRlvC1+Lx^f`D(vCO{bR=l}4^$j@uRxD$l+kX~MbSZ#cFLu9? z-cM{xxj3l^EUuEbwU?Q2c5x0fBgL+|71%G`mp$59XFGyb_7YDLE5MPcE&piw>3}RD zhnd9_x5)B`$-v#T{+g@V$d`$mV_#kFLunQ8k9yCC%zWq(uaS-OWuCAXxW>@ou!uoZ~QyUjqb*ibKKoT6o zQuuK=#a5=AL2@X3WQ{A$#If#_UNkTK<(1VvQdTv5{#n5^?sN#NeID=D%UneavU!0> zG(TFZw%1_`sTb#kOF$MO;L5s&o~)=z|Cwy=((=WErOT2Ui#HkEp%^5`!7Fi>nTA|)(3O%~j! 
z$SNMh*`Ek>>oe%0@ho-CnbAcLOcriP-Zn_DD%S-$_1m z;WqPbD$RZN?Rxoi|Bj8Q#t2o2_Omp3HgTYrQ_XOnxURA*L2B2E8 zTpw=hIS~rv+{yJzsMlG*%(@DfFCm4{Z_e@rSK4};L7O|Xw<7xn&dI`t;FsJ}Gt2Tn zkA|2*X_|IAsmg{b3uo#1KNSp8m2))hrptaqbp??ljkhVd)lNRhQiD)|&WAM$-OJZ) z_(I*Wjh>>LIddYK7?m2w`}>;8f2C(B7YtfjdVF|rTlwTRWw#glj0CMEo4 zYkZ1OcoEi48>L!^T4;Ndkq`NN5vAfl&6+1079qf*LcX_nk%fk}gqk!?6e!N=e0#7N z&VnjoWF-*R^eRM2a{iONfV3+xO&DhaU}me>i=R%@*z-ckI$pS{&hLrgKrHqxqDN4t zt#tfzi!r}JPM8&@3htR!FuX(muNi(NmAH-ZKAIE^lE8he4T_B+<&#-sjbEkNc&&(U z%P@n1o?``^$^0hML}|Rwg?V2lFy%2-#m#*&+ux zP<2%emT!7?0oDzXEdf|~e(=l6EzO)2ysgF!?0)M`Wfzdzm%`e6Yn}mY<||yp;qk*Pamz>XJc-~*5k({QP6!+ePFf;Pu)&DN ze*okI)ZQ}^O{4lL904qo!xb9Tp#r8truhyfl4%v!VMJZ0=-}=n6@D-+Y>w@Gk&wvx z%3e!aB1bFT*Q?Xv%Sp^|ZzOoNb$LZ;f9Ht+&pzlPESp9K(^i>1T zgtjk;VJsuIT;gX^pEdxn7_nZ)>d&UO*y4gt1(%nK0FZLQBt`f{4z)-3F>I@nD37kM z;JCII+k@ZqNugss;?6$E5PD533O`8;!?^PzxVOfWdv7!iH#A^g+Aup5{%*6&<}!gD z4Zl|(irt7#!kI;=ivZqZvk>~d@Vg^x`f`n|z`?kUOQ-iX;j6%!UE<~4bWaNGY6UUo zPbrmyPxhWY=;>bftB4-38#{$z(c(jBeeI<2M>P}#v{b+ODaxoHe~Ya}UO7f+TQcoG zh`-g2+4vi!NxpaoNgw!Vkswkp1Zgbw-QA9ku$<*ECn0p-Ox1! zH)Fb474RLu$jjJ<=_ggi$iPk)f_l#Y>04x9mn%;5%-Rjo;KD-h9*n(iY&ceeDV&+D zLa3qQ7xz#aiV6I2bY_*?Uwy`oYWdw{V~r(AmDNl0C@^=wwWuRx^>#h%zbOywx&9uc zG=LWUCX)xsK&}rMUNA9#Q>`Vy@*C|-Vu`Tm=*Ao%@4yHj*RD|(sR`_c?N3bJm3DuB z7;^d<5TA^k0f6aQ8iWGq1+mP)$I8;!I(6dv2}2PKjRx<;)zow9z!I&@!LQLtJoU&2 z^LzJ*hpzc4&E|jE3v~8^4x_Pd)Cm=H3av~P%ll*9NTPVVqCfwlH@}N=nVp6g+O>93 z8?NDHFWCDIAPRxb5OOgk5jBK-6$~7VBn;gAl0RihYv2(WhuxnDpP89MAxlyat|>cc zA2Np|R?`sWUPWqQKcfZ+5*{h#4Y~+7f>A)^I+CSOxUendw}DLgowt6_Q-}_F!FP8? 
zCKUGXL!O=$9q{RL;l{84T69hzsQL=d=qwHvj^612HbhFD{cz`+@JdW`wk4v<&8^UV z>McX_dq*Nt4&z-T9D>dBn^fm)hIoWR81{xcYAfzeN_Cd|3P#Sq+Xk?0fCv)F12C>jAz41_=mL{U3 z_PxdCQxLabv$P0L2u2`8s(v-Z$V=2Q;nm-}sF<>9Il~_cLOuNm zIN~a4h3~~xaQ-R@U0z%YoH+B$M;|!*+=b$S8apq-x4a>;&|UQd1)g*I=#@?1-3Da; zO7y^-zM>x$^1g#$+SpDm9ws8dEKm#)lP3W_7>!G0URmwF&#(sCtuTDlpL`0jN z%@`iL=_YpMAr_vw*kLFu)|xO1GyqXsJwD(bD%wYz?CDsJlBdiWsqvq#zkR2?bOKqU|)>kL7$ED2$1JD zND#Y((vDZ1%dZJ=<~0}_@UuC$3X|jA-jjrFSOYNJ(nz8ny0?f(&fZ5r?N%TTpi2-m;0`CagewHSB!xO&tH0E2?u z+urUpxRWBfF#mSK>>ZYOWQiip<4a+R=-?lR8dJh)yb!0g7vVuokvaHInR|G0{4Hr$ z)zlEC7AVl8{%2vg?B#SZ!f+1U^c7aY$q}5b1yDJ3@LZ@gYCQa;qu}eVC;J!I zG{L55D~$+lX7YdflhkACyjL)Wevs$aTai|drz8EfBXY;*fjdZM>h<5_na~J^$|Rj( zAAvP&5eIs;lj(maV%s~)MA-y~za?ziM7@$;81tt_Oh8#8P*OldQkEjW-qe|jf+C;k z|JsMa&>~4qL?JF8K<7;(9J=@-;Yzsnk6G8(QK7}s!#o-S`3xie#|u3&LQY}wPYGv~ z5Eqw1g)c!U&sB;u1qGEQq=qAV(DK+4)xWn;9HG?1d}|bukofY?IBLkKr(L3g-RStp z_#)61GIyb-R5BoA{r=8FmPN7n%WaDaHmxUQTq?s*M0zYa& zi!(^L@%=Ex!oMTHr)Y7)VpN7rzAZtZ$2k8+$CbwUS>pF!CMYq>Y5PAy_ouw&KMlD_ z(OgV1-{%oVs^8C(Iw(jCqqK?7?4l6a@!3~u8__Kv99QWS7@8aK*IBS1+x zf*ZSb9e|H6!1BKDq%{Kr(~b0B{kqeL4-0MdY!oJD(5fT#`f$I=#qg~Uf7wYaOf9Ck zncV*U{7P6WUq_qj(8iQZNZz|+NG8DB7ZA^ z{V13XLO6fb0`k9}hH5Ts0;DXkFgY>d({GCT!c=XY`3I^RacIA42!#QggB{#GZG)o^Wj4eE?}!eNei|>wT|FAm$%qbgEys(4`B|0ZN#RKOA6HyB)XCIbPcu3G4LDqpF_0KEX z5fOZG1&x1a^)j3BFd0o#ZV6P4lsF09jpteM{H%4b6+t1K8qP-5{0hyI?m0I`*2Ms) zr$0Is)mE5j%jDb5AR+z#jXmMa%kBJp8NK?9a@Eg&n06MC&!OfGS#w&&1@cw!hVl4U zjEGfZ(3s=QeK=HH>FVC~6$(6Mt|tjXC1xmT6e$U=7i_46y_hpjy|iV|hgh$FOqjmc z4wV&ljao1eo7G;R!* zdc;PW+Q4=!FyDdAAHV@%h^8XA{q%6*T|~rzk7EPZUwf(<#Aq?lON}%0iD4vU8rk$? 
zhyQyx09IWYIn-vJo?g^o z{sw}`FV0PAg#j*Tz^r<~ucfSEsaO-IiS&MY21yOzYMG5BTi)r#xt(N8Ioj1f+qWE+uHkp5=mz zJtjR(cqwiHUlMP6s9Z(#jz{XEnBY`?3h>5@kHGfmD&%1icRAj0x{-98SUHUHK}>Fb z_Y_cywR2S9ed`U)8qTH0&O@{h*LLUJ1yLxidq8w1WmWS1xyZB>b>YET(%0ukDepYl9Tl?Hk*8LYe<#7Lg z<0+jAC2{By{aQzi6&L}%2rpq#OK8y`2NnZ_bGqZ9_X-j>n*aIhQXH@20>x|sr&GF_ zdO-y#H%uK>Ln!VVebzXQD(t^OV}qJ4|6JA@g{L=LSh6C^m_+%}K!FAw^M0-AE2op_1LwbWB{ zS$NbpTKwfe|1{*&b_e{|oOH3!>n_nB!+%-WU-{n>ZT!JK@hK_uhs~O}rVwY9Ph1f4 z`}nMs6bqL3X@3`q5Gfg@Wnxm0k#TZ%K3Z93M>AgW2Jz`zO}IKc%gV?=uAT95_U->y zSL*8OBBP?Vx3^DEPWYNbbYSt;VD`nel7XV1F0ZcY>g(lXWTuX96A}{i^PK-(s7pxP z#944<+?}mL+{$o}xVMKOlw3uQM;m5^1c;aUZ_b}TH6G_{VPSCpeKL>B?@_{j|CXSp zF229_EUZJ0k=39}zP!AI>`afBX8*UNCCC5OlE-~(QvAw=_}DB)5}awo;x&Q`L6;LPCxUMJU>5A zNN6A%7zFMPq~r|vqS0JjWu=`uuE|Xw-{N06GW@rTZ6T1(^F1J#!>(n=G&4&Qv<|GjtS z&U*LGdo%Oa3j2_pbFxqN*=K*>PrhIUISKSv#IGJbdW0?|2~v9W=*b=OulnT^4b0a`vPxo>e-sBw}=|I`ja$iC@6jn4n_#I_ii|jV}qZ) z!B&uPD~n)D+V2&`XZmxw#C1Fz5E(n38Ly^{rC?4=q{V7g#Peqqmw{}-alCsvt5(xIBkC9H`XtdWt-Kr_0XxM zR<-`A7G9iut5Hv(dl$8r0-4uYK?z4`Hv<&e6lmQX?8cCSyWc-hxl)+!*n~ttEnZ9G z7WGV`5_pZEZkkMrrvl*~GescWiV3OS;Veh>mqE3#r6s zkM|^o&T@mh)fn$KDy&UiZ==zy)IeJ287<>OIwg#fVFGoYW4tc&4QiX*gXMAl#JG_L zkp|(Omb9|k&U>w2T%Ney?)^|$+cjTb6U>h^89fx-y3fU`5cqw2G*PH?zdWjXFAmkd zH5S+HC4fLQWN7Dps5E|q_*c!<7m3Vy=65fs<3uUMCeygs596`fbxEe2Td$OKV>|Fp zw%W8M@)YZzcbp|V<`0@UYO@2GQ^ayv`aMO_%Ia=QMOM1mw@gku=i?8zXbXmfr=D=K$gl`}@b4t=5n z>e$%}jb1xUIDS}@_(rqFXdm3hveV?4Sw}kg ztC1%v>nM$P^O8QR)w(dHr-Vd4?_uj#;l;_>@&rZyzU_&%LrI9FuA++Ru-nzTc-QMF z&n@A{4C>(|6qPQ{&dx3;MdWYavHv!Yz@*RGt36oVrBTyaAa`vgj6zv%%h}U%Rrtc0 zLE5&dlJ#WZaV-^GWueu%y+xRSGEj1#Sf|{4Zlm8N%|>H#aE6AGM|Ovhz;1U&EOg`y z{+V-u-rOu&$#`x$l^PJNd&XkQ^?pc7R$5LjByx_!?C69USG>Mvr6?$+CnHdQ19|t) zCUIN$RJT?_!#*BYlaq&^E3WG;)LHj3XWMx+N{4xQ$ZCz}((&`W=Xrl}xRa5;e@Tvi z5*$g^9UwP?jm6ry6Q1S`>sqy?4?zq`^*jd`F^|j~eaRjS}DQQa5I;c}(^E7O{ z#gzcXDGPq-eR%{p6)HvLk8?;U!^@vf=1085#(v*-3eO$|x>Os14-PsLqRBfJMoz7Z zhOmq_HuN0nn13-Z{O(2UNI3Ft%B3S;=*hLH3tUFO$S;#GFWr(oiqJL6qB{E9Jg*9+ 
z@@>K3Qd$~-xS{#puG!u$0nTFI-j*GP1o+t2!hc-Zs=i9;NJx{`%uMjC*oj3FrJi%5 ztY6pj9S2I31a2Yuep>Ce@nHMeJHX{4dn-og!i$fVW(GE6tm7lYLvCYTB)y2m6&jJv z&O}lv`kF8roGN+7E1!q#T?ZFZS~+v8GXovB%c^0@*rgV?Ig{bkk*pV(^|HIS+BBu1 zpAP27qN*LLdRyH9;wy{Y{uF@0kz%>7Ucurwb-L(8043wxb)s2q8FITZ4SsJ@ii`&d zAcL?1gDTaV+`Lzu7~=CW_gSs25cT59aDYLRS+5RL88Y1o+jN2R%a{S6YZQ`04gL_dVt}N8?_{~Rj!v8XM5N>biO=nzXQeDb9!_w!rw+|1og=uwBafT zi$9iCc6yB+Qm!ZMjCQY6uT`@A){mq@P=e+nwlNvVYi?BxHIDSut66}ibrQ*4CIeR-r!YQi=X6V$LtvM7-%tdXd@oBLZtHJn5% zFoqk2cYI@5QL?8N5tGpwvw)H_wEY$%3uRHJq&8!VO0eeXPv6K9 z)}2vc0~+xY%l6jivdHNF=q3OERr_W5De`!QJyujyRP*P^e+%N$AKFKDBZWn&X=r{# z6i{YDzVQBb0+%4L^6QcNm;L^B%KuY8fA5U}qPNEH)mJ8kdqLuh7|Zz}8VKnd93c0E zc2;4dQ-M12_tQV}FnjfmPtv@OQgHOJ1$lLMib4ZQ3J&&MQlTmN#?*lq0^wS&yM(Jb zFuv>I5T~<1#PY(E?q{FForu!9jMT%--}zk3(d%9DWjL6h z6g4B-x57?8Zqhs1W(Zc?C!mk+P>RBd#<7q?sn=dCZ&!%Ra%VDpHRj@zl)$`&1_G7D z#pnu$w1gnTwRUBkEbuy~b6yo0t`h+X+}zu!J5zR+wO0+fpE4*{olEz?SG%|5FI46E z?8NCppo(v%vt#lrA&{tK&p^zi6G|LRWIuPISrYC?zg4q;zQ897zpG*q+jt2A8A_NH z!*iTDqE_Xs>#XkM&#iHd$P0p13VSu{2J7Btn-wIu(sC-Fz?}#;eI@C_#)Zn+C^#EM z3J_ll{$!gib$%Zbxbs#9yegWn(g>)RE-=lF!m^klS!m2O^Id?GErSlVS zO&9rV2>Ds$wR{=c`luR*%YvWFfN+8;%C|TeU{dbK?{oCk&Qbq=Z zgoXy`tsrA%XkCo&_S$d$2R^eU@J+uh1|zoFh<#5WI3Yc;VS{^Bgva;J1jCzz$aY3cU- zK}}zJXLGq@hIh_1P0*#fFS{I76qH&WDRUEytNQAeO#C(Wd$t(I@V7QOk@XfO>8;Ee z<@kt`3pTFzy1VA(mse+mq~84E185q~f{=i5*WuMTzhMmGh?w)#+8?yD!tJc_HZ=G1 zFAl!&S{5aMfLZX_>t-vybh6~?a*6M~V_| zXG?hk+ndOF^JR)3QpR)k<^fFc3%ZjqVM`~O>LiKPyl(ir8$8dL`nINaLI6ybQ8s#U zTuLeD>iC@vMCEX6KKthO9_X7^$y5sJ+?jR@LXX(qJlTKrHtX*9Z(&7wWdgG~_t{Hw z&9-C0kuu$mPq232CE|mlVpeoqa&yo{;y43VLJ4wx{kiuiU>LIz5sQrd^QtPd3&A!= zPNHMszd^UZP~4;ca{JGCuK+L6-~U<7A2c{FJ@H_#0s^_XxR}3@rA>e-N{nMGfP_d_ z8hO=xA!FMAzdaV*{|gMc<4sFfJT9HpmB3Re87j&EeK1*PD0XYzoa)4hBJ3XiGJHlK z@@<@NaB%j~Ewh^`T5$-_$Ni);IwaXO{`LPvmuN$tGOAwoYx+RtH+M3-bfXyiZ@GV@ zbM{>={sVO0MYH`g=G@7Wpp)f;x(=Nb0EtY(zJ_~#hL!0iHxu5;$kgp#3|?>D6L{g# z`Gntp4!9frsw=^~7)@}}G-)fmvd~m#&*7$CoS3OpBxdLw1}!eNK8c$iMFK8K>z{=o 
z#p6V*ny3eiPZZ)V>%y*iqE3l%G4q+C=--$Wg;-TyoA}guNb(;QuXgk&BKKsMGAJc5 z;F&y+I>ECkagOp>hF*j`SD|ZaLNrqoOb3eQv1s4Jen8}(j+@2z&$#Pf4@Ta>j`pv7 z4p$7z7h~|tw4lzj%UBNMr>)HNs~UXLBBdfftO=$e6C%EiS)Oz?cM{~B5&=Th4wuz(zduEl5vX>S4l4YwS1^T z9GAQpQEmFl*(a2So}P{`5XjZHL~jz#2lxChQ?;180^2bP+Ng!N_412Kc!n{!F|nFd zC%0~&6%I$*rPPcdRmfF)jPB~clmSj+uqZ@Nlm>Kbs0Lk zZLkM(PGW%OYDZX;oUOY;O zoBT)Ct#tLHBZ0EjJ`{(&AAJ?ovH4t%>WYPTGio$C{_0syJ&?KNSHMPnPB3}r*!g3qf1~a0BQ*ac7te|k?K!~Y zcRDrjlq6iU#_;-XM3&0^`4Cw?8uH+h2#2>Hx3)3}!j9#yZ8pd?<+%dA0MA>%2sNbZi3k_?D4pq_G`BDAC_r3PUdVCNU@tn!o!zp zxYSOz(M{qPx`q;~KQ9(6@0Y?NbD#}-Uz`q34pOteiX)zG-f>^crk++!Oic*hBuuymGF=;q+dTTMxDRaiatKGSQF$iT; zrF>-T`9?l6gDUbgV@Yu(n(o)@`(S7k`I-F8tW~ooQXmEI$^nHyH*lm1?KUUr)KKMS z>>x|wY#ANgcYXFoAT#_^f(aG=*9>@((-}P65dau0iuja4Fm3bEqHYLZ=Lgz0XI{vyN zgf56|_#F!n+BwTTYurhr_Pr4Un-$+Czr;ocgq*a>K4a_#MTdCyYHE?UUkP<(&^US9 zq)X%UjZMw2xkv5s)l9{bp6?djc@6ey<>$#!w!UL&yXvYVk0D#E5G^PIMCRWwmIV0O z%mjA;giU|ndH3Bpp5>kYNE#xt`MQ6x%7*o*vK0WF%w88YM9lN9wl@a5SeAdsQKes(tYm71bYqHDK8c=BeFG#jiV$mIxI**AJV_dNQBah0;=(q~$8n$D@qk`_?lJ+nyUwqIfSC?`fUhyUg`jL9o827>Kvx0cd!cy##lGJ4Kyp9ZX#KhMyu;nqXKhsM zsGdd`L=QN{LRMV}VRf;Z^fV@*#l|M$czY*yk{3SK+E+4Kb#nC4%f5m_l*(m?^~c^O z$C-o;-s^+i=gIu8zi^ER`L04ompEm~PhzBDJv;?6uIa_l-fsAJ?uYR7M7tay^#Ag5eHN63FX>nc*Qem~1Qt<7)|& zzsZJ{8_gHLV33zhyp+-0YjQqUdi>(6`JsWN7QEIX;5y6Wy8CF24LmILNkrsZTG~Rh zo

    &ceAFiHHc*FVV_Ibs<T zcCWrh!#4iN678;T+7(6PDXtm>?@hen= zUopTV-4|p=vZc+O^wX|wA}7&;Z{v13UU5u`8$r9_d%UjD{E$A?iTSZUbD|X2lPJR! zjH6~(0uTSwZ&&P|K645hxj4?o2BLvYD*`17XNRM+Lr&4;f567*m&wPEOGmJX^~6bI zn4x~nnG}z*wqz$sjFt{5y_?&(bWy7!w>}BoBO!u7>Ql>)$n7Jf^zkoSbIEN*y!?EE zD6YW`czi_tkEH2PdEDxbTR-5O;< zmKkhi%PFuU$aBuO*-45*u+dS*=av|05=kn=gM3AZX)ZmyHeW_jK|g5^IX zXi>B|f1Zj8tzQ>wDXZ01aH}t4(m|gl_O<9d50^ol67qiNdCm0;2`~zvSwRqut#qe6 zaGgQ$GcmpWMU!GRBH5JT(W?#I!d1>s+z0%Z#X=|T{V~pm=C(cS8O^izx314|LdtD* ze15qMH}Dz)049AS0cdhNwL9!}<@vcej7*#Tiv!gO39{r19sU$JeMkF=)pvQKTk*4 z{$1RW>iZ0y^IVkzbXnQOE^jQnON{+~%TrBtF492A_$j4T*Ya=|1f!uj1B(@ZrAGHWN6nD`&e|M*zYNEnQrFM=A))f=((V)e z1Z3C52LsWNcUYAw2eJ4WVE4Jr_Ng%$yjNX-s~7|CCt)})LwaD|+KN@vjs{)1G(@@B z&FFbTl~do3ya=H2oCkdS!$sf4IgnX^j-s7cR)B20xRpnuh@`kHy=pthbMM=H<=pt< zO*5@s;j7BtV5vUF=qqo&4|JE?D^`U&jj8%e*xvWy#opc~{e>hLHf9=veCIiG+}`37 z#wrTuu2@#)M)%tTe@|bt)$dKBqJkeom*r=QAC!ViR1*(d#!g6YnpWNtAmJklmPhP0 z>n-MzgY9DTtnX8{CVZc?Znz^Wjyla@dbP7%$)&;)+0vkcCdWm~L#jl6z3IUD(#I3m ztt6wA?eA6t@C}Ms@#E%>wDS0^vr&))$J3u$h%Pc5q{k3nU4YN!NIOnLK~_u5KT#9lLv|u^3$>q z007avH=dS9J@mMeN=_vT3;ZNDlkOe`rLh!MR=k;OaYXq?E)FiVIE|c^#`o(Vam`dE z@`kW1W>BsY=Q(2kk&@|;g*+oalhA(`Yi1H!l47p<@M5z!q1d*J6uPZbC`5G}*8N3n zO;^h8O#fzE8QrF&Z_un5H4Ej@qs+QMvdPLhSInTx*6+MWH?2%ThOa;#fu=7u@LEn} zP+DKAK7XDX7k81(_-k8Bt77C@^$9jMtmOlP10d=h-<^VZNAR=O8v+$o`kIC}Lzqwg7$m=r%w(Lw>MpTIn5D05Y~!D8R~{oU8}`y^{YA<`UCgrTpI z{DkREh6l6%Xu*Is+mqJByMr7D{Y&f57e&uH&65&OlalZvJ#_r5O00j4tAt+XFR_e7 z)6o~F! 
z#s4gAUYS`zZne=h&N%?UYTQPgJo5}raN>_UL%ro|v!?+)P|fx`zm!23!}C_Yjr}}P zF^Yi&#EGhISVTY)fL-}y9d)qv{=1r(_7=i%Rn3K3ezyv4g%Z!mYjUADl67?mGv@q2H4)iAbzY`{?*j ztmp!Lr{i=oN7>>gFv-~(SKcuKIfB8 zNwl1GKWj@lJUozB_K_gw`}fagX8DEH`grvQvlPt_DOk3HEl?K4-2IeVEq;3s%=}C4 z^PUYy^fJoK2s%J!#Ieh6ktjOkA6@{unBH{0@nd#Qt#sX{-E<94DzTHgR$;ofW;5NI z{WX_}?JZ=u88%K9_=L>C$awo{59{wy`|3}x@wn>jV3sGUxg9g{)j^%Ss z6~-Fi+2(;ij!oOwr5o1Qe{s7aL!Q`Pi+c3J%gAplAhpNiL|*>Ci(&8JcQ6&P)AiJZ z#YTmK{w8lO<*#DM^DM+1*UWJ{yX~VSP#C!eu& z3QStlG|xfJdV}^rbdt&P)bm2!{$$mB$L9b*)X?{h6rY6}i~Eon{f`q7dIC4G zFh$A8ylZVAUVyrR!=EU6o)ttjiOAB+V?l80~5>LdlFxW#F1Nb{U% zyywo&7uqTL$-Bv=B*pPw?z&o@geM42Bv_T@bvC)J^cBK=CjQh@J9W-QK>z0xzF&tt(35-~X~l-qcK2f=x7zdVp~7wA;xQQ^uVe+&jvW8uQ{@btIqq>3GWmarq=cR^+Qp>z?ySMzCO1y&S{dJ>_ZFnOAsS;S*(=zV3t>o z&$aYpMX-QqScH7DxaU;rkooM)3(;=m99(Q07Nv^a2z}Bme^4yZS?|JlcdZ^{k#W7J zGJj`tO$7BBOSs^f)_T5$;Ia&^z61eEXEo8 z+X1UGK*YywpjB3iN|NiIG_lp_GK^fuH{(9Wa2a0a!WhNoGgak{rwhPGNs8^X)^6}B zz7G4UX9y6;A2z=tc$i9g-&$w7c|$3{-pu8L9FD->&mwt~1R#>_ZiD!YsEPhxnj~mq)mg@&`g#kM|d0 z?1=tz$E?+^q&eFK&l^Gqs=AlE3%{;T8=r9?VNR`Lc97Y3jflSL4Nb9E(OOeh+lt0mz*0WK*J<~mn`GYOONzf|;{@MowF}%h$xX7|RhOY$K3uE~mb@a> z9E(J8KJ|k0hY3qQv<7%yG711#u;)-*$%m_3HER_BDtPM&R2doqN59)Kl@fwq^Y>+t zpi<%>BX!>KI~BY)_VJS(X%T?nrEbxxOGK-oxaDIb#d4!Ifh;wU*J&^Gnt~FATjt@y zLbW9xp7gnk*X7oB)+#jzr;m(kQ}czEfIDS=X{WlHp$bx6`*}<55ldw8Jdi9fwY4xf z%I<0!K{oUn&8Kcp%#d_^Ei{viN`>kmrR~(Ud?qbp|5o;%7yWz>^bN2UnR|BGfh2z~ zo!P`;9sSd#J3TAHyc2@5y2rEZz2-zD#bw5^Xv{Yp@HWDRda~ukWXU-4#+%y%#dGml z9NN9RB-q5c-~*3~aiZ+Gey1drwQ6qicDRHP1KC^tUEU;1|6{TuyPI*X=J`K-zsc4uHCkZ3R&C)Sn$Lc6Cm zdsAewZ8>&1v;OkRsh%+}W^TDsb;3s{5ruV@1hk^nM)MNid?bp zB=knc+IO`i53N%hIe7F#9{K79O72c z(qMD(i%*zpG_ID6dpdq2hRh`m0^*bAKHnjb7vW`_md_4HpQrT*I8 zd2^&sR@wM%jmi{V08!G)$)C*rw9Usz+9$o{A=%6sksTMh*>4c@aB7ykeq3~eJOX05V9pox`75M=v)FYK07N5$yyX?LGM$9^I z|9vATd=qfmD72iQm2g&ot>;>aOcizLIm*3km+2*S;^Zwp6LAm?@hogE;lCf+{8G_}Z=? 
zjh*k6v7r*<{#m2WM#r>|KQ_I5(*EJdXLc$ueR}pW7=-;8?C)D2!3{mf{Jrw37VOwzLMA*{@BWtZ zi2RYeAN`lxznwJh1Niv3rF>jkHBK7KvTqL{M{i2>5%(wX-Eo|%C0N#qvR#r2z#5VD zIBUx{lTNaCZNC(~Li-l0zM?OYlE9ZwU58@)3O{hg`rDH{*IKp?oF~VeCyl*l>fL%w zt5$lX!DH-uK&pmpj&GRe9^2T`s}J+FXXfh%HA<5|>ul}!$oPNjprup-R?@k!d%0vW!uJ-a)Xg}8NhOR;{9Z!eu$ z@)q3Srve+WywtNK{E^wK$vPghC-D)l@Y{Yh6)NFia9MV$)p6g5ON9qZP;oA+bgJ&c zQ;1H|N_MlGah7f9rF$AQjaCh6z+$_Oxj#NWtU^OBCYz=a-)Mr!vbOtniS|Z!&k@#> z=4PU*hxY|b^^A#094>PDT&&oI)p9HdTXmBddGW!t&*k|&VZeIVGglc{8_CqXKZL_h z&}QXJ(_8GqkV6Dw><9I&jp@1ldJ!o}k3jmZuKJvr8V=ZYFVcA+4Dst%^LHobi|DGy z?4I18OUJxK!t-lEf&76ShlOb$ZAMCO`B2U2ztlt7PX8u!Io)W`93Y$)_4|_5wH^(; zY5;h$6J7AA zMK5!+rt}`@H439OIVd^cs(R($Xf#N~apz@9E>FSW2-_{)!U^deu617;@<2&;%4upf z>>$V21+NYEk$Mhn>(e5ZlfiA>8)z?>4eo=^i_F59e_X!(-?b{j{-?)FVq{W6+T~p@ zMEZ78ZpYkpUcF8x_i%GpN{%ZIl|ygF&*ghRmgPg*YvmQ%w7s|jO*p@AWA!{+h*j|M z9$OVWM;StNscPO|5+c0!8-`wv%s z;=Dhy)2x72v|pLT*aVC#GY~LOoAB-#5n;c_jiy=>@2|s0du~Qh(y(%R{%wRAa7`{l zaOcctD6K8CFTP|{qBqA}W^33vaqqAd>hKx$Sbr2;3ZxTC8H&(%DpL5m`DGT%15z+s zS@Rw2cGEC$IRT>juDJIeCO~1hP3_I)HCQ?0_h1|hA!Jgnr|}a9*Z5v&2;F}+>&S#6 z8Gr8MVmy5msCmC*XRWdW*mK~LV-vzi;xoH553fGq7ckH?5l-ft8XK4&=E(WAM5DAI zKx(mQy#QN+S@*v$XABERvf&AdV}4Bv!L1OFa>|26#^W%2kd* z>ltl>W%|e-6kT$os$O3kG8A`vtAv%sQIo`}Q)6NC^LBS_ZLQwwqN7YGxS!! 
zX&$|_W?(qShy^>kT(GzCUVd}7w^Bano3BMta#Em`&H0;2B{fL25(K{W5o~&Y$eF1K zM6*hX$chN`=}O^Tl)Sja;KF8O>Drf6$};&F^&M<|7{-rDhT*rd50ppb`5go~^gL7z zw-a($Z$Mp_qB?H)P2>Rq3XW@6CI>%*@n6F}+F0;|k9sf2Y)UhzNV0wufQ-%GA*M{f zb9`XuD4R0<{cgxiP`TK4jsiS~Q+Uc;me{xv{cvUKF|nxw>sKL7(`0VgVFyvgnwXxL zqSqAJ8E7gyv7deaip{@2Qh$ahOW5dk)u|?5U#c?jyFPa#Eu=sE+~3OwA{*%F^%&F| z!9B>V{PzM6$YREHbjU`aLmx59FOW@ewIkFWine77jaA8c<6m^=nLjnCnKEOoKw^bV z$*ow|DR+L&oVkcm!%20R_D`XCB2oD|^itkO_Cw<_?Zw2%# z@RfoZ>8}ujXL?j|A%uV^2-5(I3QqZ^7`UBy<3QV&rdDJb79(Fer$3z|wqW*z%xJVA z_xc(PG&)tKqB}d%i5U2mtAAv0BxKOFJ28T?Zb@pRxZ&q%MF~@&{`daPvk+GPFo)$W z_AvRw*^{xWxTKA+)>3uz1PDajC9-U5wL~lIe(bUhm-}ZXnVi@}w_Gvzt=nf5 zT}%&lKE6X_Mjm#$XKRr20Aro{&U~Y07-&fE#SkIq&E4K8`d;2^?ULwZZm#{wp-4zO z&I!WCLdL1C1e%Crt>wl49zCJ(>0N#hg~iBJ9^Piq?gn{VBy3#x>7V3-E$KCS)(#FX zu9Y(B#5Dm*#C|L+#hh=?0U`HNyUjJ?Im&VB{b7hwO(#)t+#!Intw zY_%1P_XMwAsdCtw6GegW_xFPbdA`(tT7uu%(}RUP0j4T}#paTT-)`xJCZDuUUP zppo)usqnEm%9jVSY@^xxvEf7Wmj&pz`2Reof2Be~rQK9iRGE0l)F@NU1A!@V zfV8gC{jsiQ|F`)&kH6w(A?sk4H=eatg=|^*=rUplJG@4J$xr@TOxTjl%*^Iz=6huK zEB~k*LE~r(8spgE&-4K@JR=`o9?p(fBCZ^8yIZf@+)c3(XKcufg%AS1(iVcD7*Ai+ zfhSD-Q?r-C=aeSE7yY&u^D(G#uD)s9dpY+B4Bh^c89rM7N{zWXD5Vk^NqQbr&V?{A zriA8eBE1jrg&)zaWBfxt&E3Z9^}3`DZL)bt2hb{4s9(_>a4X|d|5!DX5ccNLIDKbu z5-SG{nYgxk4zoIa-z&fx!>q;*;QXiO!8w6K)YO-NVzqKTsK-FE3AW94$7x!99A<*M zcXl)y?GasiU|^M%uZ}XY94GT#Sgq93`tTMPBaL1^A)XA5 zY*ExY0A7W`M&i(kd98o}E=SvTh|8t&khu>A6CBj|=#L%&aGnVlSO9I-*V^nIuM!_I z1xjKKt0{zv$k#Gb)Y^>qYxnfi;X)vUYs>Lq+k5wOhZ?L?7R38Yw6h7H9kYL;thDdI zVS3QOGE6{u0-q+)H5{fs{uP~+yK9(&uP_y9ym&NZ)^7W`^cGyhx&p&tkA2CP zNrdQ4B+Fu>+|~IO=iA)8rw|V zR=b%}N$-6f{D`-~*9nD5iPkowDotyeMqm1)1&665gyPIT7jCuQdfs3AW7rgFOe|E+ zE~^l3Kj8lBP?+`V)rZcg8JOeV?Yh{~Dlxi+c8kyX&iL<;6znw@9&qx9PoA(utE|w# z>(F5T(Q34O>e`H{B|j#}Oq=^rZqAP)`o*5|?uy4*liY>RACYUUM?I@Kx3qqjliJ!S zm`3~CO}s!iO9E^*7dzrf1ZXX40IdQ)0OpgaJqVA)?gMljC!PFR~Ck!SChf z>B=5Vzc&4iXO4M_WI-cD4E2$~yQVTQ%5(FxnG-8HJo@3c3b!JW1-3_;YbhijKsn4U zP`hh+l5olw*E<4UQ5;rpZP{;)t-B-p5Mh_*3+frcz9VM;Q2;va1r8}+ZF92e2KE4s 
zWAxP9c)YXcX@?iY8dZ=(i)j7JbW;$Ql}|j_ldbF- z{+6k-}P+|4dL8Ql8hzj zuTG`i2FuEv2IEku=Sjf}>F15p1Fj)&W7tT&4rYpa?xNRmVOzRx+`&zsjJFk;v9R0O zSfrV?$ilri$*vd#OT_fn!P(2GroNuI?X4rjG+9@JQB0mJW-(>0mGAZYfveURbGaec z=P9a+8<-N`rFJosfCXfOw3cM&e$ZFa#UR9dbny3Vo>4(|RtD1Z zz!iNDZI|`$4`l^Le|V-ui8@1z@74C8c+TA%flFIcd;NjA<#y|G2iq;KXqE?n)9fD* zD?3{ZbZbSI>1eyys>m~K;za|sX@iG!-WS**rn>4<6f+H8KLG{3P*w6VP(&jJ_y z0_A}bwHNlEfG&ZqPGcsL>x+DJR!3dcg?LX2VPj?bo(hPNbGiN5;kNC&O+VI2^m~1N zR{*whtbRWlAB#OF#^y;vIo>HqWCRMdumk{v3zcM?!APOMDCCv%!IPgTBRrY^!prid zixkx6Ga5X{eQ`GM8XJ|0)4@()9cC{RU(}5*&Qc*Se-Uo<#_C^rO8|zS=5@gs>+Zav zke-=#xdzi^(=M#2ozaJfivCU;+nN3U zF1Bf*n>Sld^h2^aUD(Lk(bS|sI7?;Z3s)wC9obD?UC3t^H9NBNWclOhNRl|~0K`i!KMzil zfXSn{p0S!rfjzhG&Jbv=uaM90|B}6))uSP4RiSNn#r5|s6{cc2st>&~_x+uH-#WI9 znz>4iy2GtZ5OTkt?oA&wTObSi0K!pDHn87uZ8HP6ycz@?NDA|dFAtpVXi3s}53b7Z z#ELByw)gRnp8|xH=(?o)TeAN?8HKQHfDY^BAHDh!;$XP_?^TfFXXCzn@F4fM?y>(t z-jV4+cwbb_-w3#m)HjGfC8lNO+2OSDLNf}4#MX0pS1*~4cG&xsY~=&~xPj&h18h!n zK{0AZf&PT8bjt6~Y}3Q>ZqMtDgNyDrbWQq_21qV+r5Lt8@o9VWR#YcYh=N2;4n#?O zfcPo7v09!%-f#=rAzECzb=vsSFf>AhDjEr^C6bFnn!dT=4X$KwDjX*ouyL#;BqYoT z%5Q!>W}`%w1g>2&&Z&=38#;WK((JDbfYm1t5pGL$Y|XQrCUc)t@&~@DY}Lll>$O|# zi>2sHlVMe((EX%x0z`1eB_v8R$tzqC0ZZH9Gv!;#7~X=LR1(PIi_o6NDSuRO5iMTU zU6&m!BGkjT`s2?W`jzP+h6HkQuEKCUlQfN1`pLDkqt=pQZDL=9ieu~OnL&h-NxJ4W z4E@M}GRh4((gH#(P>)d7(;W_rk*Xt!bDK3gT4}-ivsjB1BkAW#e_0hOw*Q+l1hoCx)9Q`Hq8A~NVi?(uW%*(AYg?-+NN1!+#5|T zqh6vXKyiGS9Jh5=q+6rva1STFj1(xeV>adHPpG?3VHir6S1sPy8dBjrTAFFs=$8!B zZEp&iio%J?>Q>j%~apTDV^sO2O)7fbHspBRGdH3y$S0X;bJ$@WE&g$1l!!36NvHT*4!G> zDJy%p9;&2lw|7Kp2~Wow%g zEY3P0ley8?dCWqpTER1-+HO?mcKn8))m>Ux^KN|W-reP#@Yqwx_*`~B}Qj#G0o<2RYvBM*{ZxmF2%wI z|6JGjPv9`N*I1rx6;lGa{QkGp|NRj${$6cZ^srK}-PoO(g@oDveT6DlKZA##9qVDm zs?tB#Zx4MP++oOsQTpsyZc@CqNu(D|1ihFNW@+J|L5d{xq1sLiPRgM*2Tb6ksq`O= z95k|X-2-92ew<(wzPc<8pN-F14j^9o4XN>KcK3Lw+zx3Ch01peEV`rAz4gt+iW0H6 z7R(8XJoH=Ji&&6pF17{ws)({Czgf<(G$)Of46@f^)seURw$oB6xguCCUUW2CvmSeVYHZ2VXsXj3LvoTVRV9;NWcZfO%%7r`4w?>=>RU-?*+ z7*4#IQQ%2T3f9h{Z4ZenXxs-BBuHRy|i5sKO2|VwiEKg5TKMmou+rb 
z_PccQ48`3tO2N%!0?u*j0Sy`?reF*(Exh{*@nt?6;ty<|?VirXm6i*TMC zcNkR{kgLybTTD`g)~B(%UV3qtYKifB%x)(=y{ey-$O@c@!uE819sW|yR^M?&C|%)z zE`Zhfgwv}*QT=50rb&Zz<^EjWgN(?gxr@mwAS{dxS#H2;JKaZp(Vj7MMbB-{Gy@#>*pdVp5eAu|UcpIDQXyeLpu3 zH+c<%(`#Lehw=uLdy=cF4{4Jz*?NuAWYt$ z+Ia{2oHu$pVO8o`GfN*bHyPe+iN{4B@>D`h=z>Pb z|3mcrJ)*)^xb1!-e*5-3;XC1B`p^RZk>_D!Xwa`Up`mR~OOo%dt2z`Cpd2|tu+|LV z_r`_;zW7jmq4sQNv5D^i%WhbMn~yy%5Md?H0ight?VkpNwg%HuYtwxdVI4IW?7;~M z2fgL6BXTXCgR?Brz=)fh{H6av+gnGq)$VP=eQLDDid%sK1&SAUXp6OIaVN!{;4U>> zQlPjOCrELJ;u4(T5?lho0>R0IKIgo1=9^jXcjlcL{@AQVlD+rZD|>Tazsq7XUeLQO zR|7Udv=UZJBcr_9v`XHjy&>xJFn-I~;e;?b{aFjS*#FOc*VHsuS)_HboT#| zpMEttl*={+AEusyzDsMcJnY{6Ub zCibxA>#Xh;i}{?%SOp+7y}!N6puD+R0^}*;-4r%P$w&UXu>&~W4{m;-?u$T`;r}R; zrmW#(_*!lKk^XtQ4gkzr8N=9a^@r!II|ZD1F5(m_?C%+si_Lm&I06=WxQ+&rWu}KD zoWKhEVMO@zbGT!cF-Ay&StF%p0h*|U>Zn)dwB3f|*y%@W75BBhoX!uxzL@{6R@2W5 zdbFDj19O<@gA!XC?YvcZR8$S@{11K~rpx-$o9-LkyPJ3A{+^UD-3OlfX0x6^`2r`p zUOSjZI)|0Ms86JYhpDhHkt;>lr1e_x(DkmK@T^(hGx;Jl-W8^3htCamM~9sZ56UR) zO~IAQ=!UWgu8-iNE~5pkWp~j}0Y9SBqy#-s?b`#v6ECXVXch-PaShLU@}Wm&LusT}sHZ;#2ymydZ8n8rt3y{P44F>wXWvptM#=ZDV$B zifM4Xw{et6c+F~dAmK5$c7-~Bsj)2L6+h#{WQZ%N- z&-Tg%HypzNT=|yc-ZpFIHhvuqdsAK&b^&qUEo~e$e#G{~5M_jf3_@6VDqgMIP9&C- zRj#Fi53y+(kGDmk2O!$1S-)#xPKRr-Xcj%QP0Hu@lKFY!Z~fx#QrFn2C>}{oDD2n! 
zSRs;AjH0iTo2$MSse|Nb75bIcYo!z>)qSl&`~G{M-ABGJ92)OVR9n1ZXfkM_+3zJn z_B+59d>b!vRcYM%L)|1{*3<4=3N8utE8s?t9!XyvR{JmU#kGYs2Be(Xn zd%ntg%rGO%Qhk;@oD?x9Hilb@+*R5lTme*ABX8t)M)rUbgQmxKv2c_VE6*_DDi%uk0?xelXnUeKo-XTOOp3P`QB0xur_m3|>ac6}OEd9>z({At@lxwerD zF;7*F=<{X~rK(D;C?HZ-08w(UARkrH{g#y0rDG(i9m zdV&^CPqIJFs}RR0=C76{3FVpu&bF&zMLsx)@{k+;Ff}qZz$b(7Vd&tE7pbjj%MBQL z{Yd-(W?DrR@GOMo&YhFb)00jE`B7F_o+|3%$rzM$=XSR7zq9=V{_p(RF8Te=$;tV{ z<}5WIAJrBsyddNY%Y*dyzok}{dwr|ENr0bSf$ExW<2-2Z|J%`E|6(Wqgr9mx>CQ=< zUSW~e)CFtDW_TdZSBs*3A@gdzzKIJSz{`=9>^OJ;#Y~Y+e95(2*1PAO!kE;s-!3{{ zvkN8+_;L)#P@q_Q(cZJximR3E{#j9lpk;kQR632damYq-t;W&Ulu|^0f$>g3_G{5h z_1}rIvoB4r#hpnkIbe?a4NXxzgn+4>)8}XuCRgl3>qLEEk-CQ>jgadNZPzdmp1J~u z4`W5>B^1yLoSyEt>iOk<@j2bRnkko5zVTfv@RF;T>GAuira5<$R1LiNZ5%%IqZyK` zmcN%M_6z;#uX_*ip79+cLt!`0OBPv2WeG7JN*PV(i#w!c@W~e3O=n#@H()G&*&=5d z|KX!=5A|?*3SEeh>QJj0-M0@oorg@x!w|+lHm7ad@;Fiifd-Y123X*nNLZ;* zQZ^HPy3*^-QYAa?k7#t~M6xGNW5BG%Ah{r!1c7(IH=uJC-plKjD8gdmC8)qbzar!s zf6@?PP|}zkov=T)y}Wu|l_-MJy)*b&Tx@59Ba$=YqH^PXUay!-UXe8<2*ed0TI?q! 
zu80miR5XvA9f7WGSJ%zKyI&$c09K~V=Q~lFmo=%J8zH0C zPp5OT{_2LqMj!5s41mMGF%NSN%1IWsnL{7%>~55l^!Kusy|J}ommT(gofG+3KROwF z>mNVp78Z|C{ZI!9i`AyB58mR{KyDU#uKs!~AUM>Iu>ox+3@X~!I%ZO32%R@eQPt8k zrj-%v`vjd}j?`>+8bJ;17ZB&1$Qe8{RyxD?hc&Hlm3*P(0LxN8#Isw?>2M6o>97^- zve4qadoO>)A;Wjqy4_NN&{V)d^u+Qp*p_VC{vGTC1gmvu@u~I)9Vf4iPN^CKQ+iq% zxwIknk|uupmA!}5%peEj3xk#qOg#&)P#HGMHtWsC0AE#4QI{YM4*?|uZ`mONf^ybs z)BQkLRh)ggtMmmzd(f4Fe*FZ{4LAUx0s$LQWMo3y2SI~9`~5oiFcSM9w-bRRcBI^yFPNoZs?B^%9RW?p*H8;7hPnZe7H9EoOZGZGm7BG$Iu-%`5hC ze-itF(yZY!X*RxUxc*HfPi#ZMVXH4x3pV1c_tpNp7<u1q3fa~Jc3a{WZIO!+oH$K)}3XAaMf61kMT~)u@D0I z18<1CVIOGgV;7Mpj$VuZQ-boqa!CB5EvZS{_u_b`pJb#$tg06?S6r$0XY#emuGT@1 z)fw1#X2CMJsdi6j)(ZMiWlViO=7<~btgFSnxXU`u)$g7+Q_FufyQfh#JhCN3!GyWw z0EOj#xt|f4?xf!GGc}1-b~sbk>GqI;is!uq7WEM1~W8iThpX8W-uP80n`1>gqH-S@^_Rt0vY6tGn$^5xo z`_%tNw_Mxo8Av7UOYv0&C856H6L(${D8(j*49l!hGo)dtc(gS)zCF2}5>{)J1ov?g z9HhFW;FfL=dK1}SYS8E7uBf@079mjzs|TDi>pw}>TH!7&ol3v{8`LUpgI@n6TNk{;A)q1(n7W~3y1*ge)_P+kPJK@D{`4mi zD}fhZQH01}CE_BDA?MPaAt}-g58xGj<)Ly~!eW6GbJJ?$Kks=P@gC?AFZ_4H^rf zjhw@EqQJ4yo(>6;u8Ra0`bK$A>6{@68fx3cOIw%-^PHIeQjAH`)dnzpoMu>VqX^uG zz+FA)uYx|q4jmkSxZYghzIS(p#&9m+?d*=eB+>lzxd2uAH1F%#(b3T!G2^xeha->F z5k)^wuz0XBSE4wgdr&I(^IL`BX6>4(I-Fx-w#xl7QD*HdYd&!0ubNOCw^zs9i%r`W z4P};fj}tt&oh&K)3!>}35Gl04(Apvl-2R4E zOG(Mwo91M{ZfeSa{OK5*x|6bmf|>*Yf&O=GJ2Q)RhG@5sr^9y}iL{eQE4LCDXk4TQ zT(Obz!aSBCAvRBrXechpn+zF+x=O-NQ-cR+$u6`@RVAk-_%GBf@@epV&AXSkkTL$_ z%_lc{-ZY?mt;zDrBgKJ%fiIUTaC$Gu;OjIW_yKOp2q!5HiNyH=#8$A3i2EVky+#ch zgYpG$8%Y&$oRg;VydDpuTB?;fk-Ed5vc*w4Zkr!h`b?y0BH2upp#t|}{gst`zFn|B z5V4y{Ph1P$V&jkGIp1r~7Ezzo#i5*0qa%)Cx4#ah$7!&E7lz2BghJ+gLu_wqMx*x0 zNeM_tyA`f3v=PbG(5Qu9g5^4WEbI8g)MBwW?IFyjgd<}j{&Ov&m{2#}m^z!^%y z`lx^mPeCoPs1oF}*9V*^8qTu&CT$)SuV#(w_Ykj91GB5>=N3PNa-SwS`>;}_g zojgTqL*2tO3FE zB#BxZvW)5h{p~~_#V^Q2+HE= zr~KwB+~EDEPy|GRrYuy~*E;sYx{A7_=-Q+u>P#yShrsFRTb)M2NOZ$+WcmU17fK{1 z2g=#sm7OugPyoeFKme=hnBofoxjgD zUn8Hc2a%0p4=)B)pjiKfAv_}MMbJ&wQQI*E)d=q zCHdR_mTbhV>qDi#VAl1zy1M%qeOB(AmXWaDQP5Y`Y=$JhzK#@-$fUa6XvYjVMh(U% z!t8u&$tP3dRPEDduVJN 
zGf+3Crdfie7sTa^^UI?vyKIL$z0fUziIE$h)fRr%u3Bys`@zMYPfI*+A3n|a-mU(f z=H)xKY;(KC8HEV1un#c0;hFVmHyO;#*WOTnzh_`Ofw} zZ2=5E|8|09uIFSAjX3ht+UZ};zyY|Z%h(M?3!7pBik23yg##vOA>H`2V!lId z?C~KX>MWYohzyEG=2MziXpI?BL)KEU?cO4a>|i_^G1s##7VJsd_v~sCR2gTqXxE9s zg&pP1U(=Ks;GbeQ8`*k9px0KJU5=?Dn_3PPl#!Ysh>n3HclKmw#}w)IQK-76QKP28 zP*yd(tm4PKe)S*i*h`alhMbLw8llyL98O*}prhzjTO@(5NfU7P1( zTa9QKyzuJiJ^{B<5zx1^(80~<<>ZGn+i- zFf0T2s@c1(C5b4e5tlcmF$h?aOQ}&sEvkyKZ+b zz?qZi83bx7bn76i5EDItn?Z3U3?>*zrp(PM>>IarveC3(6@x>ur*M){!2MV<4;j=D z>b3dUiP_Xp^A&p)xruc5(BOpWt*m1y z2(;If)$+pClQP9ik=s8K4z^O!tz1fXdu1~UuSJAyRzarwk^o^r?3&>1Pz+z&vK<6JPAn&O=DO%;pe zw&QVkhu~3B*Q9@15N5B%5J!?z{F`Uja=$slqI1{{`q`UBf$crTbgCXs%%k&0PNvFNsKlcdwo#S}$85 zh^lv-jpsld#!QGFdC2E?chERHw-YS&S()LI~cF)-kvkk z`M7xfb>}B&KHBNwknuf9#7ys*Zr$n*)uS;WEMRT35WSXw)A37Jj+8^#RT51Quu;dL zwY-`qo6JbNaIC+Z(G|zfNyFc%bH zpJ&(=uWwC|un=nE{HiY>T+2hMxmGHks^3j8`%daoo>y{M0yj_-e_t9<`r5Lv+?@Cv zV_vcOZJydvEg9TZ^7|nD8x4KA$6Tgi$`C0Z;-e}Jx+jCS8Uf6C=eaFzw^$wrCK8wB zAYaYXzggO)wXUGVr`MEqR%-2o;gJw&JG=K4c{WBPv&Bxv>$L**>X^ca^oc0_ z>&v)=vuQ2LIw9ra?Y*RzyuHwJnRB^~skmmC! 
zhYXtzopDf5z3}yVy)}&eIPY^>1bLQ`Bg0ITf)_$W7kS^PL(85Fx>QVK_ zf~^zq#mZf@@A!E*<7(;y-GE|)qwzy)-dSCVZL@O+L%B2bF>+cZa55?i_ZgM<13v3r zJNECsV&>(L8WvG@3*Uuq4Bt>4T{RP;l`&^kS%ED%H19g*;f@6<($^>5FWKWZpTMyd z;9BlnZ*tyq+A@ahU)8vhP5BWLs@Qkj^G1jWx)Myj*ll$&ifU0ay^YFxgJ3`YQDM(* zJwskPuG4^P7<^`3`JivdM1k7?D|sB$G`L+YwexEEJeH;Ziwkr3msxMC<|90}?xgAd zUv!4^k%1At(~M1)-zo(N4iR5dgfRvfwy^L)e46Qw@eq}}e+K3i%0@9xViM}A-;?yU zq)cpEpL&?erun1TWpM2Giy@}c@o(;Vi^9ab3=b#S)crQwaUrh*OoQH?ss6$kkRkQM zQHAjNRn^v=Q<`TQJ>qJ^q;+RU+gHCOsHxx>Kw^0I>D79D_%Lk-1w+Onum6SlVdopf zH6m~(-#_)}WJ4cRr;WvA&}>(QQBa0v1bkhYf6LEOn$g6G5Es(;Ik>qq`_Ofp)C>bV zN{`xF%;#v`&TK+x_m;gKkX1-G1g*)>;im+qBx@7n(ST@IE|Dz4zhkyWX0t296IG-m z>fYz*XL6=IOYzLPgL!GJC|$P)kF(7}jNYVkqgiw=#bv$6gl1lD?enQ^PA~??ME**- z_E9visXKWgD$&f76%dt~>tB`uahre^9jO=mJ1MX=jc{}fvS@LL@_z~F}XX$|$wTv`OtSlM)x3lZy z4ln&Z;7BP`bsPdoSi8ya9czpfhZgzm0a>RMgJLx}Y?8K@U3zWw7Z0T%e%!++9MmYI z8KYI65%uDMme##ggTTDeVvLHAi3i#?(&LHDOWAHoUuH5`?CMOjewi)1as=W?tUO&_ z_4#q;o|YG|(1z;R@>@I-7N2dg_p2Ee8+SAT#7+f1OfRhWH`0=zdhX>1K2#ix40Arx zab6)JDEAVUktNL&8>@JHvlhOj5(4(E+q}%c^BM%&lDHdFWU^##)eErdgGsDeK)h-Q6V-S(NtHFVV_er zTtG<~AZsJteXUba_OsQq`=X(@R`)tK*u~LfJ60kL- z4P^Qkj^Ww@k7Aih28ZSL<$n~0sQ2GAIX52EZ?-vBbc$m_z~}uKD-D!7wKfbE8`g{L zc>{=o-aTLHGiS6h(T)EhANN5{uJdVhgPQ7~cofL~O08C|D^IgvBJNxek5=B(*H#?X zw7t2iZ&9LOA({I`bggnpCz*zwOprp zszO9xdmx7rdp7I3-BqfeaNyl6JQkBvbW(^ZNmChvxO9Zq&YLu^COvi26z*)|9YIB^ zcbJst})BB`MMlccqh%2SfcyPwlt8kZS% zJ;m}6iN+*5{^`HK?@Bhw$84|eluen_Y~~HdL6~qB_D2I2a~#!!LWIt%u~}&O(FUjW zs)Q}3@16s@x-L1782V=BS4Q(gLp*EJT9U@QTF!qjo(7}}9!BIEewFB|>W9w(gNu1ct(WVdf;twZJTA7+;stX#wv|b-=IoBxZvptT2j5AsLb_6fy zj~|ma1#+^_V;%}OtTwV@u-AWQVem%}yDpUUb>NxhaBe^R&Arn&r@*3FNUv3rjyrO+ z+gG{(qaV%mcTW)TU*x^M4Iv(NxN`bvTJ<$ALA9q!A3fq=^~jU<;@`2=K+z-F?C({$ zw0`Ph1W>QD--1NUFFTX4j?x33YfhZYF!(oU=@+Z!)1EuozI{NWjEBKmlqCPc@JM_c z$!@9iANVpJVA!W-bh$mgo)Cw5^t*NUP4M>k3D})Y@7Ds@w6a70>|aWy#JC{yUH&yR zw^f>hb~UZV_Pz z{_VrE5blko9TQt-Zxc~JhB;hjTUM|o;$y7ay7T9-5b(SD6r<~@eN77OVP?ogr&i80 
zLv&-2F7hGypO|HI`qKW5TzA3$_nQr9-PBLgzHV`Bk7;t|$e;Y$`TsfmIyrLu^{I4{|mv$o?Ne3SXlmu%{;lp(Sg}_>0{o#zyu>F#Ki^v zKLN>i?!ddtH7D5hFL&NXzYcM+f)ZqH-ph^IBrf2vix_RXles;;QoK&JXP8iFfY@K& zNj|1ogDpO3!*VNz!3}ub;8A_|f``!AXXi{S#M;^c5+9)r(j?{etpVr>I2*~lC_vH8 zeHRofNh@r#7;X0tNISuA3p@VYL7K+mlc12Ryuj@>l1V3(K_TFcI5|ogC9>=?D|nyg zblg+&c>NiQ=gx@d5wxjO&qp5PZMwy$s?IF+F*2rEQ77{$LGRa6TP3uw! zbYX1p#XokDz{o41tp5fv#vQ~-_ZQy2#J#(Bu1?9tcm9eNV6v03DJA@jK|A>ky>vRLAGOF@Fj`>)HD3BHpe%xu|4yXIUER)tpW&6` z69lTSC!NW+<^{LKYK?k8{I3T0&kI4vxYfP~JG;0}4+2RNES1H~sJNMqR9&Il17rRA z<4k)FBTh$Kq+WhJP+8l6ZzUS%mITjB%?R!-k!S84@0o2h3t_lW;V!mJ$je~iL zHYMnJ!ga$7`|BYEUCp-&Fit6~nyRUG&WCsQ-)OTO*=~+PKS6~2YyB-dK>+*Y!?3DvX(Hb!2dT(lRC){y1fJh`G$@M2=~ zj4}&cVhqyr?@9*87`tfK@AMI!7GHTa-$ZbIVO6rM!S|1P`=7=&6;7}P zoSU{oA3@MwwjY@GuetLokX7rSnMgugISfz0=c#QpCc74QGM8Pc8t@LsEwE#zy5c7@ zg+ItC9SS7mouN4NA91Dn7qB-uHVD0%H{9VjUcO2yioYjXPk~Jl?bPwhVOiOPer4uC zkWdH)f3-LZNd5w7doV~mj%aQ;MGl8G)318^su7#5Cro^wZczP|LXbTq6p-GIRUHRE zB9E4N4NF(9RfcIao%CzK!W*p@r-wu62nBF#G~Cza7c0+o;7zfkJtsaW{8vTd4PyUm zLWpY!VKRO?c;(s|Lcky!L4E?!T(^}}aYNfR>6&HSaiKemZ1Q$>Yj8oi^WQ!heiQs9 zUKvGg@MX{w!vzicc+?1P_Jg{_>Oj3;MOw5mORCPqpl@@29#vakIdk95&q6q{PJxC^Y^`c?vsbZisHx(6i8qE+ z)I)pQXESro2o!)G?+f6{^KM?<3tq8N5;Um7my@ljL^GQ04D@cO!z~@;BH)q|%CCpC z`>YUVew5P6q3k2(mjW(js!ecETNQS_M&*VMaIF?8n1RMriuF8~5A%!I?gu$MiK=>q zcO|LH=y2|hFn@pa6?IO+)unisjewJRCHX!iUM;dV2ex7N-QsmZlt@=U{=b&kd^;V>kQu!Gv&=* zN%f7-!ARF?o|jGc4t$fN-}$|l@xYzAl!wD&luJ%*BPem3bR*8$Z0IS$1o4_U4~pBf zF?1|-WwOg>NNNLwea$viKx>yl>Bmy3j*r#Cv+8*4^}cm`(K~=c9Mq%Ew)2u_7?Wbm zUWd-%j6n~x+y4m>$~{lWzU%fY|2jZGt?V!CfM=iFM;v{7N-MS8Wp2BIjuryt-14d_ z$@waB-@bgIJ9|MS6PNfqLc}J%7BPMvWlUg9VBcgUNgD{9D$aG^4QdYUl2>L4@Z4KU zIwq6tCy)IUKY2KJOOQDA$8;{tmA%({K&jq$V#>UqaEm^4log5@zkd^0O`CUR&ovmF zSOd(oh<1q%$X)U`XMSRd?bD6&L-qbuy3*bC!ukWlb$(XF|4h!LF_#^(BT6btjW|9K zIE6ta#{m?RrV;n_lL7Np`^uqVLgszfV2>vg0r|Bz1?C@bT9hn#*@V^DDu4z71;6R; z-r*z6mlvjzv;-(;y)KXno4yWU(#lf(AQveb>W?XKL26wycvYLf=>B<95FJNV>x=Yi zQIlIab&>?ok%(bH!NJJzS_;OamZn`|zB=aw9eI8W3cLzi2Ss%T9^Y>m3u%+G_Y%t+ 
zENBbERaHk3S6<+~S!mfsHdwd*XB-Qz^x^+0$3lP(04_enB!JF0ANGXK(HBx#cfWA08j6eA|8xi*Qh#SQplWR0 zQu1RM&NbW`_tKit%<7FAW6m0C{wk79_o3(XP7CvGnc{y**|c=s^RJpFvM32OuT=pQs_`FvhlNqY z=n%;NL3PF1@5dweKin1{+K}{2#7{l&E&tw=nFJSA)-5SAw)Kjp`~0DxOO9;<%~PQ{ zVdG|x(Q}1J-=!P6js1b;uq!tJjCYL7F7ZU))`$rrqCaO>bBfG)%>S>+jOv0~ja=>> zE_A$B$E2#+xRHKcvelA{PMvz!F#e8~Ab7swd0M+>XpIg7jW zihHXr2m9sF%-}Z|h=vYnINJh_Ylv!*V2Z4kYW>$cy~-R0I2f9~@Q2OkgMdD>RCb5C z8n`ji249^2TpNFHI^d$a!z6dQeWulI$_UY{^Z+wG1#U9eUK=YOq{QMdgTjpr5Bk3N z4+#nS)ynC5T@A`%h>Fi6pUPsi!7dK#OdeH7J&xwh9HvffT@inzPA^Ie3qSnfHumzf zK~Qx-T<+Rp(I2(b-Rifx>bLa9d3iOb8a~t(IQ_alhRwD`*Gac=y?}PoL9f+L&GP+G zkZw50vhXHJ%49Ek-F9CTH<`BDspEpy5``=kuC!QPmwOh?>a=h+G4%tzmOPn5ePKK~ zdHm3jnM1#o#b$ZBX2WA@FjT%^$ulpK-Y1A3+D%t0v24>^%=l{e#yW-Hbl%`hn%&8& z=)yoI-UiGt3^j)5gsd;HSHp`1py6rJCDpHGjan4)gF&a`CLd%+9=WBza9Kap7t9M* zOhkspk`hGM_^p-#X0~r$*)1gPKDcE7aHeGQ7*>-ME5Olb_pPZ>{U2*ON! zr{j42 zK#jPadacr8@uRBV<~S{lcD+E<ZioC(!1cU^) z)XJ<<5ADn2V)487B&j#6lZA?+^>jACx9MtgE!HrVOTlu&@9^$n)0)T*3plzupWxx3 zs;4#^kCPjx*EhK>ui_(c2?+@_QyOG^DYh+2bNj^`J`U9=v=F6i$90wHlG^f^p}1O@ z_$i!v2$5hRNRNUcVXOc7dvF_(sN{Pw=~OX>O1)XtqwY{4xNjh0%gO#^x_w;1(mv!Q ziNLsj{h47oXCH82>^zw5}3pwezL((O~VNgDGG-sqnua=h+ z+L9zNtQTUxlR--}Vmnoz75 zmrF*su4QSzF#SrB|C$ZU3zMp}uYOe(yz9>nIlct@og(4;Jtzl+X`#GCo#R-lU*AO8 z6$wXZV`Dw3)QhSkpqb_m{Q>6+1?KT7(1+7B_hx?0yVGBRwmSP zXMBrqyB4Jch@=!V(GxcC*@tx^LH6nHEv45|ipLc6CdFTxyhV=KV)kU1HRzA5G$`Ee z>iM|36CguF2n0i2v7zR%rbHm(=a`rDCNL>YZH&_qa?%mgO&*p$E~QsG179yg#17IU zjt}gp?T#GsUiQ8{JqNI<$Bqpmd|Kwqd4sez;_%JbA#5@0%+h`VNT=S9Bsj2lL(yA- zt*pe3yRr9ZRP1c_9c=a&>%1-nm^YL}U7N4#mdHrMV`1V|=EJ#SW4y1p%@t-IO4~UZ z7v?r2APU19X$ywCyw1@*3W8r=Jw&vHW{B3~8uj^NwA0|n>$-jQm+H1sr zrgXAT=a;MtJ-0OBOsYz>@5v@p85h!ZFP(-a_N=C)%+*KSG(>VE-(t6J;1`6CId|f@ zd#f-XZ*A>x!xQ!+G??~ue86p;Kv{*V>9EUI|I1Gyo_VCQ=Sjk>Jf3tuhsCo|cJVc) z+Y;f{3#nbhpm+Q@wtf1)Hq~~V=!Qwd!7tg!sNhq6gW;BTdFtO8Rdh0l)m$DcFT zp#t|1ypE#@kkBnzSS}#Z7SdK(VkmVqGVGRYP7Y2h8w-UQLtL1``((yX4qoOCAX`>Wo z+ISG!TZBmH08h#(&8sVlkaBW(;~g`4FE~B{jQP(RKsp*x*9YqrYK$s&H>y^rh2r-x 
z_kWAa_(s1uQPAG$mLyOOyysV1c7p=nrXbV|HPCl|3L)=UB3PxhH;_E7)Qr>9GP1wG zC*TFq?sQlMKyAk|-C!KLV9D#s=dt;P%4^fsv+ODNMBRsBjXGM{<{N8d0#@EwKzn+b zh4K$$#=GC;Y_%fi^b2iw7MebHt*Ss#l&|(yOLkhRP88yLKdj6df0|QBI9SRM8H*=# z00eL|^lJFuLmKfX(({@xCx<=KmJeZTqxiCs9%R-7$k1fPo`|Im_%wH$Wrdl5sudpZ z+u!uf&dtlaSrD0oNP+FfW5R>YfkFj54XE)Jly#>Z^$yEFtP()V zG@|;;Qi_+OG6XwpURUeGr=(3Rs|ONccKm|J{}4}YJqtb1dG#-|`yw0h5uUrze7&R8 zFf29D;ecJEU>w3Lv!Ku~B1AK1twvIZ%Q-OV9+Q$$xAX_9d9My-XvYj)(nmMuvhO6C_SZmCe#Hy~-u z{>kt&LKjSo`u7(INe@kEG9X@Y2chf7X=8hpt%u@J{W{_h-LfHunPp45rHTxo%_r(M zWN}m{ax?PK$;a@(r|G6;4^nFE7Mq*~+nuP3V+8ygSInXsqAJHkshG=}OFLy%xg0S# zs$(ysMwhpHFi@p4D-G^LVEeB~M1GzG)BXCl79b>KRfkW@kCQ=rXU}SFz0uYC%u|vh zFUpVfwbWaDZGXg6Ns>~xGMtE>p9EVbh_F=|pp0q#g1J^K(M~rBpD*Y;qd93CDX~My z%ad%Umy#qSo=ldle*0*t1wErmht4yh_VPya}JuJy8{~ssld|xw%J~(rrqN+Mx z%Z=W`6M=nlN6)#yT>-K?G54PsIh-$krA02$aEj&@c6!Eqq6#E&{Lwy?G zNX<5GaT~Nnd$A#X{o>xA@>VFEe0>-NU$%ZOFamCH6s*MLD&|iiGn5tA*E~=qAz?lr ze#^H9-M-^@fx5@Qw7r1WkDK&;_r;g2B{wcMF{LiG@7wyqYYkXl7I_J+$CvtK=t^C8 zRhJam>&Rtfb0=W8O9*h)9nIBr2s-!M+K`85wq&3VdF5w#frx*dx)*eJG1nj@(liV- zvnQR-J81C2`_7X zQhCE?Ps+@|y~!bQnmYa>)={~?m^KHJ*TGSG10hwp^Q+*R4L<5dvo9sA>%YVJsgx`t z@C2TlD1=qL?FQ|07AVdhE^u9nk>NNacP7w#@UGRHkxDmLtEH_KlBa8?`8^nMZ8$Hh zU-$4HC#TZ%E8w-naNyT@8qm(GhR+=V2h9yOZ{Lp7$_fxZRqgd9+pb6|M3CaR`gABg z|M^f^-~qlf)GW((dEDAp#gf5T6P|v~cDjIiwzqJdaz13+DzYyc;QHx%2(;*-Qm`*? 
zyIu-M=%v@tU+5t(;S2dl1RJg$R(0iwdVftBBnZb#f+UxGn+D z%)8S68jFgGlGu2R%^4Cbn`om=QX=_XH^jtBhaxg1SpHsMJf2UPU6~Wb7K@ez4B(+0 zMd3<0sjD+59V9}2K@MDWc0qrd=1hs8F{U6U}yg>0hm}A3n(tYc5RsV3_>$dUL<5 zMezCql;S!ow$*7Yt0=WYp_Jq!^Enqvq3bYh3K4WxgXhpxKmcaYS`be3tRRn;TkTII zsvi8Elc7FNlhq>s8Bf24ndzMFLS89bv8C~#VCaWC=~vkrjYokm6!ZgrKKhF3=3_M( zwOBb4pj}CxqCk*0e`>id=Hdi2A)UPoV>IJ7=f#f4+sQed9c>{!Z)DP(5GG*;N_JlT z`&1xsN|4CGImWZFTfSx52ZDBLlFYZnYiL0nvW6NP+?MAxdvolIQYRzxO zt8b>_masiF8FS+dO76Y2k=cv9$3{v`;7T*n9zmy7@`8i9{8NZd?oasksP^-Z{btVb zrn<_xYS^x>(l`X=nsNNoW%J{@o=SsZlC52$h>y-yXe;}yumZ|`bIJ}f^zUe{46RQ| zB}5$;+P{a&lc>D>7*Yh3Re{+atqU6N9zHd~?BPsK3ZLMR(ltX696K1m|2#)|j@KuD z^xONANOD5{M+nkF^C)cR+e6{K9S(@pEKI+Oy-PjFr zw-I-n%7%^pq**C8>Rl_wS;#4s({uwl!@hyE96;u|ueIIS^2g@zd0dF&OM(Mt7vHDQ zt@P7gwOFq%&zYN42E7>~0Wlx{I@k7}b3c<+_EN$%C4ioeOGFkav+Fy(D9ki?9Z@-#zGkl)I-%VOe7zQJ-A0lu}o_Em;>EOeYnFgjmeS1ci<}D{BsmD*H?IPosz=DZ4ky(d;a)Y`jBjU5mX$hz1N5kZbE!J$MqQSBy`0T z2!kYJ)#v9gR-NALmuX)lY2-h{R8AMI66M!a)32~T(E$~jGIa6l29t4KA(DHxUQ_$- zaA8jGY4iCWhkze!Kt(QsoZF-`M77mGldzC?C?o&ijeTx|n5-GWNNxUj$+#d%^-Vy_ zpd2m5VF>xXvgg`f7Byi)w>HGg8}X)y^UkU0`~2?S&zi`aAJPoTzNIG=J!`NfTi1rV zD`>ArjtBTd!DX%W-C9xf$UFirB0w`C;CdM zDIg%Rx0pSeWgsmw9Vasc6R#;BM%%2^@buCBXAnYtH3JI^+w%a#g2!v3O*GcQ@OsQI zx%QwtUp{5hf9d})Uspt0lI_s7Fj-{3pf^=JJK0dZ_nz7fq*ao=*G5R^qp46U})o!0M;UPrzTP5bqmF$rU&2~O8bQIgrbT^F)>K@S3(iYv^Igp2H? 
z6v8bz$dYuDHf0JtdB979m~*~k#C6=1`bAOkWGvn6v03+1g18)szBn)Pu$KxiR-nmK zx}Ovsex(0skM*Bdd@vBl1Q)w{q^zj2Hj}--0 z!#fP84i2OZ_CVLXpl>T{2Vi_5dir$r*!a?##1K!nH=~tjofSWK2iT*|csc|cXiDHP zSS15}we*tnKAOZ=YjzAqsvdu_)R zd0(K5-G~A@WRNXFrgLsbKQ4yjGglW+cZv}y8z93JE&(vie~aud(!{dcFM_7Y5Bc1; zS+C_ZJTSRo|55+(mKyVuA=#-xj(N}7%fBB}|91Ds-&U%>KlJw&`Y1xJQ2O?6cpa&M z!jkLa5(~0n<>bV3lcxSl=023bsK9h4_#d$f5B^KB3ZPVS!#lLB$|Wq5kKUSl84lPe zNaHkMa1m4rF3;DH>M>6u>;|fw=KU`3yB(K9u({TVpTxC%GuE*M zmdz}%M}EMZs3&z@c0R9joPZ57&5pg@tL zC0L6VhXCOecXvIwlj0Vjw73?RAjJvpPN29`+}$m>+uJ=?#(nSIJH~zTD>8Ogw(q&- zH@`WV&;t7NJVR(Bu!wOv9NVY1L%jJsS>PV-W21STP}gJ?-D#u%f96W2@v`6ZJII6O z=s=YH!M*Fl8q(8@To!L($tJj@go4j=QCLobuVQEN1o31d-6iUSLo0MmEy=YVSC~oc zO>I`*ng&)1;4}fHIen36U}eUPF>Z0TF27rCtHZ{sfYabM(TevnspfbCc08QDi<%(6 zUA+cO42mz2-ru7ftZIBWUWp`aVJ;Td=X=4^VuoXnBI&4(?|FaZA0&g*Y|Ib+SDz^b z5Htze82j`n9Kb$aSQpvhB>cq}ZEEOt^Ym=9!9hv7aT z6PWpLzTnVhl0LaLh7#!$WrFV^RgPaI*9D47&j;okK8o-LX@2B)2dq06L{uHzeUnR@ zGgBbCD|xCL5rv|=s0DB9ro&ocd3f!9^f!#gf#^)~9JAxN`#W*Zg>GLOkerjv(9F_k zuTEs6Uc3PncyidxH%8EmMb36CZw<9C9#Qc+3C;7)?J1Rw@LdK5>yaOG_z?TEwl^-& zi)7W@Rd$SGZ*JQfqZ*4_bJm=oscqzdIE-3vkH~YSv@5>Pw)TXvf zf)pbSJttiD2tsdNSf_2fuWgl6FNf~RT(QYmZ!<;Z?rL|`53eH?!_@`dEI1SwM^W;2 zdda3ML-|;GOzEb&4Y{K@^p)O{y{*GGt+5Z*S^0IdZ(UgkxB9cyBdWNKp<%|sbxVKWLZwRGI~;o zOuDY~%c4H&FKK4vGi1F{eojNCUCmi`<-(Bjfujta;I95N#7sw77zAOLZMbR=YU=QF zap~8qoAf*?bq~A23evnkQKvh_53eG%Y~VTslE&Eo)^#7!-73G{bO8oS!7`Q>Nl2?V9OpHmrs6o1YWQyY*x;bY&_BKMNUAGxLY)T-U7sc)cHMB*2>kK zY(}JuF@(aq;pw9m?bUT4+z+$-l%M{#V1kcmefWTAYY+4>h~M$V5Ubeg@uLNJI&)_8lz6tmE2k7r~sI`}MJnO%;*Y5N|1T)z<-s_X$pr%ucPA zL?96voj!I^dl&DMvJGULmqwH2eJ#XBfRUrjn=yfB^DpZo>4S{yJnc!D5XvYGE=%*o z)Z||n`9GRhNicUNyLF_gx$?#v%_h;Z9URItzY#tlCJ$!yit*>$XxPk0(vin1=FSHF zJumvOnED^wFsT4*GiVDgE1DBY!`rMZdlfslekT#nm`j{wphSb(>UBNhqZ`lr=A!Y@ ziBYG&lX3epjL5VQEXgh4dHBmUD~n8GkfV<}Cx=Zyt?YMisIV768?*O_ip z_U=S0_XxS3M6)(`eNy8|DG!)-*tVJ-RRvy#Rx)Dn!3nj81bLge+lBYO9;=Q@{ZD3onIJ;k)zzR_l>^)IwX=3h|jEELF2M#sOV; zjmc~_I1l#ZjY?1t&}S1F$jM&ebY-c<_fEMufMEtBM^I*@x@O!Pk}f{^SK9I=A(q9? 
zmhNtbrEJ1gtWd~MbHj=EMUaHCp>6UpkEF2wdU^vmIcWe4?P-q5$i7o|6VXaBWDUcIv;<%mJE#Y%huSTQeOoTMlCHnRSYq;FJ zsLrja)+I=u@*Lpmt|)@8>JuN=&m_UUMIKUox|IdW!UeoF=JDkLnQLA+(671zkoS%45n7C6&?Tf0@QsbULF3VxCnb&2X?M7KNf{8a*h?4~m=%n*+FVFd zXLyCklCpg;426NKpp%GLlj#U%^D)cF@M11$5tyRlFno@v-D)f=yMT%oq^GNp)wyxX zC5~PmHCci!nB20x6Bt51H%k;1aj^av@NnM7U+nJh_H4dQI|`cjh?Cbj%TfTj99pxx z%Bi!Qn5{At)=8quo-Z=FN9C$E?EgMW!DqzLbSC0!G+(`bdBY|#IhSox@;Oz+TGY%d zSWbCUi*(vyDYs0zd<CgTHTQdamJTfs3xw zu-Ez?ynMRL_ghR0xMi-xIpY#1t8trt5vsELdwDjr7bYIM5!KA~Fp;xh z2F=ja`7sM}OwBPI1(CnVmN|CA`uqfN=*P9SX56gOqEQ_!WVMdhAYO@6`bOQu}h z3&^2Cfj#E>inA;+hxy?Tr8Z9k^ZQcs5P za;=x}rq|S=%p*ts6|(4;JKCdhHMzOyEh#+g%uKpSw)S;1|8|1oEylb-AZ%U)OTc@s z(xfkrNt>%Ab$*r_c9tWp+3G#YL3!8y%}qS2*G9B36KVtjohnX`DHGwjPcBUMO^s!a znlV}Jek!R*=H7ZAEk$qx9w5-Ky&o=u|a!sPcSBA*?%JjECNuS3UrN1IcF zw$9>CuIY96tT^DqMeF;U)`1wtj}%TmU8_B9(CE9mtu^L+f~|rL<;o2(NF{Hs>nFM4 zwiV3n$M4y7CM6x~5ly26$x2NX%Qox7`bj>{kq{%E2TVeuyF($BcP+62(;Xd+W#SQv z-{IT7MOSuE6-xr9WXGOvkE#BJV)+1R4Q&eO_VMr9g{l-y5bklNQ0$>Y^Md5sh1Ib%N@{w(rSvJ{kJ%&dFv}SF1bfVqaus z)-mUutn&A;^JShK^i$TeM~CE85n}~LO{V^>nH7owQLdo9`k(%O%?%;oq}h z$NJ5-(w1Dd!!BIJ>&qrqHQi>gb*n5zlzz4L_&uCP`K|RtQ5yr5p5W;x_hay5eJ`ah zm3&DEa;s~xjW`^7-XT9Iz9}I6+9a^hv(bsrul?M)n2MJ2z+IwIyC4$09-kW&5-*p+ zGb<$|LT(b@CWurWzL9=iNOF+~{w=2;L)hemipwNF5%ezG50z~AxI2S`gFinFf!65V z)EkN!s}yMd?#EFB!!}~a9ja4ocruNyOfe94Ltqx?#p9-Fz>l3{Ith2EL?3zk6Q+jE z2ZAv5UG@zxo*CE|+axqxCEUynS+nB2c?5BFA1wZ?2ZmYh`Lk=%Y+>bnOb>_<>_Nt3%wMlV|i87Ri$LknzcTbT{9W_G?EuGK#_*Qj*&b*q6Vjos=KO% z&wE)IAjBWI_goWC9;Z^d5Q0F6Fu0Y)ZRzRpr{+VEj%Y6vbnnRQnwn*n^oyG@JG@Oj zY}vxu;^K*rwBG5VA*o}uTt>FsYc>#Q#O1^hxbiy{X?$cq1Ww=0K1~}|wv-I)&X8*w zS*FtzmcN<580BFrsTJmQ847@VfoB)R;FL<0L~}HTgVPN@-yH+1ij})GL`3{ikYe}{ zwPm+ja24(&NMj_K=O{DNx>==L78qo_rrT#5%Rpx>Egx|JPs4N6CiqI zoyp9B7`YtUYlP~%M8qUFQy_B~3yiXjc=Na;F|p7u)>c(G8FV6#d?+g!J#lOLGxZ~< z1L4}ENN4TdGsd32Hl~GPLG{xlI&?+Hg(EqLFKrRohhxA z#ns*jex{iL^DA|H46b!4N&*aiTd%wiY+?^wHoE3Me~Gk9kYL{M=A}PtQriE5jdfeP zc2GH@s-u%Tl+1cBRtr)}!6Hzb(7oLc<2U}L4Q=tQ+L@p9p!t!8GE7lp0Oyxy?UqbZ$m 
z-;A+@f{XI!AiI=}FlB5T-kUsy_spAK8Zt9h5n3-SG3mxfW8dIdyuwJsj4L-(Or@8W z<-b^oBGRPNFUT`$*6p_4Qoo6o$@vLg8hd@`HX^sHnfq$UKCV%&IiOuJlN9-^61{LI)>ry5g}5g||z3c|h^u z_lw*`pY`i~!pb_w0Qa<`D`6c&007ey)q))xa$m|$sz6M9hNBXn*RRIETK*pJ8{kP) z|8`vW@q|4Y#!+~>1V8+PzW#%s>3{WpY2J^VnaQ{DUPDS>^f^{7XR)AONpZ3T~a~ouD16KQCzsbG4K~(FG$>jQTv+r0hiIXV|qW-kw7X`Ui^VFpcX#>)NCNx=T8lMg%lq`0JkGAfEE+gS}hUO%M8s^H$_ zV+E1#q?HH-hxQiR(j4~;X+R)KDv->0X+Vgt?^x!ETHNczd08*Fo>2H;(by!_$&QOv zT%&{c{{%c3CCO&1hPA(NRXcbS63_tr?biqX)59L_17df_PhMPVnc?#_FsO4Elt8vR zr~PC%o<;CO+IZV%M!Vy)-bI4ATgjhcfxf4KrKBZDxs}{ZaJFyb6rI{=&R|@b$eQA& z1(6aziJ4(2Ni9ioU1ER3hffv6z}7AJ(X*q)Cq+SR@Ayy5QK{J6caA@r!?@ba8MI!b z3}IJ$x|ldYRyUl?;V-0Df-c8OOItgUReD5a2B*86XHlw<&^97X?F~W64o6d9JXeEHnH#QUkPsdZgoaUQerghx?b;TYKtKD- z+$u;q_#a``lBX}ZnshHdpHb0h#O^RZM#np(6j3WDtv^ojix4mP8FFd(YDusHUTyCN z{wQI*KPp0u^meJu3aVKzV8do0SVxqPwL1*iPT|@|D?9ZMu>NzJFNkj$6zzh|#5!)H z-ASJ`qi7l$PvMc7w1uzPciFj0Cr*NXgBU0%niAmk3y_U|hK1-zw@bb`9oCHyMDyZ$ zs%dIMg3M;U8quEw@UJeuiuAFs{4&aO>jG{}p#))<$cB_lGA^N$ttIT;I?4)7kW+e>TiKMC)D+Z3I?K(d7)bdVOddqZb?wnj_ zD){cc{TNnp`ei^+WL0jRN($n&K)uz8`|#LDva|b9+TeajVwGztgS1Fep*DIvlfGTQ zshTWS1~4o%{{5kli4lJ%Dpl~j%C+|3^jm@D=Qo!2+`y<~7sVa*XyGSp@oyqkHpUts z9KApPO+4=ak(!c4N*ZEusJ(w-hcY!i| zJWAv~w|N0^)9%=vzBwm`l==yU)WS)+9yD)qC5ujpKxgBzM$8u$`CV#QK%7~@Q8Ql8mX|ee+(?_uA%eZ20 zmoH7A1_-jfH4-M3Rwj)sV3Nd`t^YC%?K}zK{-IV58_1lBx{to+R)PB#_DRPlN1_kt zt$t*2b6j_Il)~vs(LT4o!SMj9g-Ih0&X~s|%gRRF$vyN}M367B>EW#BTkJ;bNq%@} zE|$i0lKf4E$CXQYIzB)Fd6M=lOw;gGcb2n4CR~0si0Em+^&s0z9E(Xy9er+28u|Ai zvBf4$BVOrtf%-40PtYo>#tn%CHd~Nkc!Q#AFOp`>iW9uK8mm&U+9cMTJV_Fo#z2s} zwV_OZYzheM^2g`QcriX~iqT(DJud{{EAur4736K^(`c`)Gm&3-Bh54v?c9Z;@&n@& zCZH3)ztJ$?-?~`}Rz^ps21aUKzTR7PTs^Rg)lV_nhr#*G@gje|y5d6)|MUv$uM#o* zt~KD{Z1eM`HsjnV8h}AN?B$uznW~DA5(J>Cx2b^mIGYMB9DTnyh=Y-)J&e~BvMW*f zh2*w&j5d3UU##O{1volE)y@HWsCDy5q}@aWg#m$4MRR^)W2gVHww@jIS9?q+kzVY- z(&F1wFZ5eVJ9%McQZ&_-BSn^tBE~be$1A^z8SSuLWOa3Z|3to&PNrv~y15QdBad6? 
zpm~e0IM2^^icOqc=W>xj^^zBtZ&6S9hJ$sm|HCJjNCEA}vDTSS>;eHLrxn4edVH(w zBjt>H*1hL)e*1(kgar;#X)RBDRVn?1ws)pn*H&=!a8ISG+B)`A&iZ5ln#;RbZm%5o+k347<$t=VIjLOGVr(0=wwlesuAfE`nn) zjKDCf>CyFpu;3Xfg6B1bsqyp*ZAE|F`GtKNVc zS1L-LF{$}NtS!=>y=g2<=2u@bC5T>9axm77IOv0NyE%vITg`vx&7<;Xu^&35X5O1` zC%r!v=IjEW-x@f{p9(us(3Ng|GEqf86+X)jZ>m~KK&^#ud>5~#{~;l9_GPu_v^8Qg zUlbolS3&eZ`|$2tlR?A@4+#0`qvI?ThYQG0vY&lhq6n1W!~ZG4M_y;^rs{^o-3~j6 zA8guFzs(l$TkIhSY`0}W=n&1hyLWcEh3F!sy0Efxwi`_~ zkM)06wIin?Lo6R~@$-Gi`>-(dv3yMFjHs%GOj2+?MABF;kcz?vu z#%(G6N)&d<2!Z5BZ_$JNgC3?R*67a3HMk6%+;JpLsyyrEF6*l_JAkwMf2EDDl{j$! zGn(5lsBd%ebguq8k|d@1@R)>`7TTBdE;G)uavcjf zkM914iuJeq@vQvnWPzqySM~VsVOvJlI5H%8T(iNMi^mABXFyI<^SiBLVUbQIw6nSf z!v$Xlg6b+_`hNY?ss8_r8IM&T^RoU7pp2p~LCce-CWzZJRXS9GVDYGn7(xXM1{;#) zp;lH_{;dswArg=Ly5oLK-Go#zg}G?+dY6r}Dx3%bJOT2KUhnXp)fOP5au6`wmzgv* zm;J)IwDLNlTL5avJ0jAJ9zwhHK99V3g5m@??Eh2h`d=Va-W5Q%2mO&xeI?%RpdeNK z@OCR^hnbS{@&7lG!oRH8*ChE+=C9ajxf5?4Vj+E{h1I^xQ1qdN6eF|Ut;K@RojzpV zIqq_=*?3((tt_{x1VoP3&w@Ii-ZsC4DY6c!-#3cT$9*wqmJ_6Lu6BGyG*!FRzR*lT z5K?RStNO0R)`@cxi?oIIB@hrE9M#|TuCTTD$LBl2USaGuEl%4{ z+11_k7K_XKGDOJto1^EwHrt_dyA=lHc7SD6CduRb#mi9NY&cZEZ<%3{AZR@LVws5^OIL=SegVH6XFdJouZOHM61I(z6@b}mxGEayqsIjfM;=W+ zgfpHLUZb}ArqR$I?lf|KI9asqyjgA8?wc&quCP}7Q8E#>By09?v-SL;nGMiqgt~`X z)|^{$6UMy|eeOC*lA*9&ZN7)9b9Haw*3*&^C1H$r-oB7%U>*p?asLVSCpSDLxdscq zs7t+p&2L1vf@*1z&Wt#ba^I^{gUpz71wGZeL-@&z7H2jE3J-Q}xL0)Q&&|zgO#&l( zExC8uw{u@UHigzv^2{M~ImeK79^8H(=vW#2#G#KGx&I9!3NmZn9itSwgJzoehHJd} zp3?@m2FU2FgHg-sW}9_Z)Avka??5Z$0b+rT%_^lLmY^t}Dhr&Z4Qtq}UX=#!2uqsW z@y@X1^{fquzP8aiynOZ6$4P_Pc{4_Tyv^&~8vRC0^AOmO+s1nJ^n}k#kUUyRBO`9A zikvMU4u70Yo>Bv9iu4e>WSW4kB|N%XW&Z`o(wA4Yn!Wad6qZDEoS0go4ic(mp>u_Q zk>KDQy+k)H!tp<2f77+tm^NFAIx(R2HwcuF5CB7`sp4mNYhn?J9i6FZn7fl>05>f{ z6ST>l!jFH(qdt^58Q-QgBN6D^*dWe@o>rT^f@xKQ5-jw1ni%+snK{vJv@Z7A-B|DL zF;(&*b4oqe8#c!wEJEuj6{aJMKw(^Wz2OwMciT!pVLG zS4XZL1zdR+>kv^pac2?m`8$=xN3$PbOPj;0kb+&5IydF1RyDvy2)t^_U*9)6yVVx~ zpkY6i{30Xm%F2-L8?8z^7_pqA&JK}4ZCWp0nmvOYQ~RRSibQv4*r=1;1Z9wq(<(&S 
zTd&e}`u1^-dNrwM3$Q~hE-H4zF1^mDoYh1XXT1b+7ah)n$E9;CnfObOf46yWEC!On z-3r=-aBD{hbc23ea#cCpaC9@+&HI+n4d@;2ZU}U>t(2!eJWY!=dGpD6qtP!U$64i} z%y2T$;-reuEL0F>}$L6d{KQ5$V~NyO7LGI)N37( zvK>LE^BCK31fAD>+?e@ZhH8P=>+%Mqm$W&TnD@fb3}TV>_q3=IuG`*52dN`hi$~_> z9`RasTW+TfPqgasO7srAxr8S+$;D=S z?HgBkNH2LbaaBP9KUu1-M=x`WOQeqCXdrRZ;*Oja-C&0DlkQB>&WPk zWJ<9Ol|{KU8pG3h{uB)5Q9yndnP{fW4NPEOL6aNyk2U38jN+&_7Cgayt;`=D>LL=W z&Q9>fb%HhnYXc}Fuf4noK%G-flQA?58xgyUzmzHEzzvq2h5N(V6=5Q@#i&;{{(+np z01dvg<2MWBOiv8=^~nfj*-YltwMC1|^L)nlf@Jq>rlgz_iAfLV=u4li|E5k2B)W5# zZ8B!Wxwsq=O?O&Ud&T5G?65O3%Wxz_jnxkI^sGE{B>Sym+X6VNZm%x%`3y9>cqkjw zC?|KIzIQ$AwzGYCI3ezQD%;@fd<0}K;rx3&!0YgSJ}O?H0l{tDGm>Z|7C|oHe!8{1 zZ?*b_5LT;K$I;y6> zQiP?w?svB(MT#X9TW|y#+QY#=d}YqUmsD)zJM zoae*x6a;LAcEx{*@vI;R$cmirXv1~MNcsCg-pDM0%BCPWMZke0qEB9GGn)Be?r>_j zS)Ptt*FW%?>YC3}9Bc|x-pilpf`89_e=5j$#aHBL8docq#%pw2b_Qz+K>IHMa}1Cn zJFpAoeg4{ZR{;f)vW}vF{8MolD$XbkW{#$Fs=VhxDsIO{>S%S9q+5EooKS15X&Bt7q^B)6Ny+qd=wkPeNj=ftek#)4jq8nf>z zh9Z*D&pOZ18~C(2In{ERwAHZ&;&&*n z_HTF%CDUkb)n_)h(!zS`+72fXTg~jfqU4dgKOY9@n}xcYAS4@pgEzm+u;$H}4#K_i zXvfNG2uMd$=7wR1-D=NqUn0nD`4ja}F_CB2_McB)MMO_g7yNpeE?RI=v zZe?#b(bMjRVpt8Cil3ao>c6o6^a+@w=0h{J*kp$&Y`X+Kxc-%z@w#c6>n-WQN=Da@ z77GrLjQ~?z;AKYZO8i0hu+3EG+4*1!&PSRjcD&diC^hm^YHxSarKa9uHB~1PkqZ(2 zwzKi8!y$ezLZW*$@UnI7Foln*2=3kkJk^w;I(0yIhLGZlUr~S(yz)yCj}$B0ftqQ2 z4S8)Mf)em3Auv1S2EBq zxct`~w%&fd_=1+9n2Md|@cyGL<8byj_5hR!VY>1X711^&?&SFyeX_$0s;`7THG!pQ zGLwbHP_OseDcK3zY|QBmUgUSUP_5~fVecDOf}$HP-5R%RI5 zZ3o)k9PmPz~&kt?Uu6jC?W;wc#rJ)h*oEA70qw5*?7EYAW$^#8hv zKGLt|Fp+p~Xq=-180+sw+Y?ze4|Sb8M&hdS^o6q?zXOAz+J}23>XwzEWQ|X6>K_~= zi#RB>p26O!)S8@(eWxGcbUHs69(pRcdL-vu?PkHprRTL~6y9=B#}v;dN@YnpRv9!klcX-HUNbnE z8*T>cr#^Cxf2~7SKR@c5V?|G4YEo%z>Vuj|Sa>mxErbmt5>X>}%60uo@o0fvOr3nH zi|!5C;}-(swyT^E#+^E2fAq>*PN;<^!0UgX8U06a{FOKiV1Kv%B)jEB_TDdjpnCDd t{m*Q|l3(Ya@%~xrf1g`?eVBWA9CDB=I;0gR4=nyjQdCZ)Sm^I>{{v@yvTFbU literal 0 HcmV?d00001 
diff --git a/documentation/files/selection_401.png b/documentation/files/selection_401.png new file mode 100644 index 0000000000000000000000000000000000000000..81e145d775bfc2c89d3aa37545feeffe440673e3 GIT binary patch literal 6935 zcma)>cUV(f*2a(06bm3KMVjGClcpfjBN~dRR0$A}CS9b)00Bai3xp=pM5IU&=^z9Y zkRn1*dY7s+={ZNik_Vwf}m5k)et%m zbW{kuPB?ZHjAe;4*5HZC?dI+K$BrEv9@qQ<4jIwP254O;YqYz$s}-bc`vi@)a(x)k zc^rb+OK&5T?t2U^je2UGwHc#Z{Z0~>7;Vk3bEb|9b@}7vqRJZ53<|AREAJ;vs9d5} zt{8c-_%i)#Tz+LG%IV#0J0ZP7Wd94q+NtcRJP3)hH*YfXgcZ{H!DE z$+Ps04Z#d?S2>6mbs(&`PIadbRNyL`Y@ZlOcMgKl%+aMSN5mB3@1A{C4%i1G1p1S!gQH!uVSgAF+iT9-0)z17aZ&JU#C)=z4) z4r{b19mM1D9H&)lLt@*Tl&@EO#8se}41I)j$P2TR?QdR8lChF>#9n0wsX+FC_f8T_b|lT*x>*u=y^*Hy0{b^iJ$o`W)<=Nqhb-w~Uhni{Em zl9xQ~yP0Ro6g}!lta%I;O*=zH@GO3J*Bcog85tQGYTm;lW^!NPtgt^}q*Yd$IXbAB z{Z~e66nx)czlc@Q+rz?QB1bnHCA#x#ZIat}*QNcH45G}s?IqHvbkHGyhxO#2%={X? zy}icO9&1Y#->vnKd2y5PS65e`KY!lc-MzZ%966bf%p;BwM?ScL2%G^s{B9!2sbbAy_*C!p<4k)X2p`Q9$$D)G ztH6CEM8|x#AHasdvIyYg;^Gzs1;Lmu;5hg$C}hlQD17X`t(f+BY(ay-Cs{Q9h}kk#=8C0ZG>thhn-=g6k&1E0onTXD-0I% zWonH%C@3ghpnqVXB`k^?&Ico)mP(3yQ5cLAQ)5$8Ia$A?=t4x32F-1wh?WGf5qvNV zhw0fy%JvF#7f9RTdHam6xA%osMn3T3CzggQWFjA3hS=HJU0q#GJg3jW$P-~=&v0av zF^8h}i;(l8#sc_>{XNRyQE&woWtaWk9YkzO%2?nWUG%jdypNu};eJz7qbMimwMX6r z+4!*5&(6W2+I9NtLQ$;-!s+8C2t^MsFJ`7;I#ONaKwocfF|4Xyosl}K@8H+kLr<^- zCCRK?wr$_Pr=H`M_jvZ|6~~z~6Vsc%+Yd`-^fB^kL-xise^9ouT0(IJnD#^on-JTr z#ldcl{zR}tB5v|bG}P1xWo6IZs6bMW>O_D7XSbPnNcxLs&&(v*!5St$d&YyGSRHTp zSY4gDp`!2{$7o2U_>T4oIoi_Fk}+B(!;Y}EwKR;#?3o)n{v1dFKke;%_f9c+dU;h4 z$Z|R)+j~QigH076Qt){C^4g8h2Sjcj-DaR3MWb2nN=KODu9z7Z&ASPDS=c_!x zo{%K_#NOz@gkjM_s{m=Fuh0M38N@fLV5{@>EzyJ%HWbPOoD-%;+V!#h4h&~{XuHg9LO6+WGhA7n6 zcG+@lK$)(x=OYAq;`8wx|Md>|L3Lr_^5S5rSk13=;z01J3n~bZVNN#O1qDshcdV_f za{A_hF8`dK?(6FVLcjd2Y6Emewg&;DBC-2k3r z0gOyc<|PJ0hI^cXZ?dvLP96^scb!t((YrD|J-sp0F|e@79$~%vYppxc+|K_&6-Hru z#7%@MgEzuU^2zeZhYxNuWC|s(Z@#m$voVZi*r7ar^iv`0?so0L(v<^{s0c}$c8<(c z#dCt1;U~1uCcS*=?c)t{m`*s|F1-%YIe`@fHY*@G{ZBM 
zOo*hGiC+GCJxeDC34p`N(UA`p*-#?KT8x%W*2tdptSMCrQagfBcgo`4dW({ZC=B)o zB9JmuRje6&c%C6U73@rKgMSSz1T_r|RHUWd*faeYhx?XyvuhO089gI(f#W$Xo|x)~q{un;;5fQi6a(S*yFE?p83P^&!N?jThvlrlpMXDf9a zt!!#inKJ^R4+?0XJt2ng-cYGclxk99VxqRTHmab1czD?Is+G01x}N*;$ZZV`Db|zn z9YBOXfBr0C)2>DU%9(JzWgkLbv+orMx*46C+JW!t>H-AiK%Qs}qYr{fN}heh4CYKu zd^}u!iJ$-bM=yQZGY_=1oIwN)4GqyTa0wfgFJ?q34i%eI<;l8Cd`?#m3kVE6apFWz zPmlZJxAADNiOI>Nq@*I#THIvQsfuAvZf-HFG%$zJDtD*RN&)~b2?+^NQO9Y(#{kT9 zSE@HOw6r=m7Y1s9aDha;Ip$z&%)w-3W5cWs)Imc-1B1cn>78S;va(|8$~P=6<}&wl zb7y4=g?ugy=XRvRzqeogU4$~an(-3Wtvu;KypfiIN<%}uyu5}fX3Fsw?(#8TewW>r zs^~Mcgz?%{cW@AHxs>lgCfRwG1~YK;r3am0!Kc6XJ;2$O{ehp@-Ps5gP*C7}#7tKH zocJ%?M0BH9fr~>C7p`lVP{!mp(~Fw^JQjc#wH}(nG}K1pE&Wbacz>=l9Vjt_C_biGDnn` zx4~92l0)VyFK=L$EYMedQ=fASOwOyP(o)ynugD4t3W|t`2nxAeNx2 zM!DG7zPP;Vv$rAuz&(sYQBlkXV`3yHZ~B0VSA<@&yyx=}3k!=yjMwekU&`!yT#g7HxY=ZjTX_lu5ND3XU?dEv%c=KJxSZpoponr zw2HrPdAP!<_pNrmAx0@#Cnwhaf6_^VIPo7nQRxM|KMFXqC#9L9E*_bEo~K_F37{Di zz3Yx6H=OGHfDE)+m!_tsniM4{x-8TEV55KnlN=MHtFONe(E43;+skW@Iz=EgIP`G= z;QnN;US2>zz#ENZA-n|^O9oj9-aVP(ajMg3%wsa*`j`jR9^}{cm(W1J6{oJJH`EOd z8oMQU6g33Vp4;jjHPQSReWim~TfM!#fpqd5vnQai4M>J;ZkP^egjld{9Fai&PTC*J zYR{Vdfn;|S&#`XFN-oGuoSE8xW@n6ZkNS82NV*0=;-E}`IyQeWUqG64mR@bW4q93C z3|8`0HPF!ilu~TIXD;sA(6jJ5tlp@n5=>Ec-;= zqzY*3)YKHfd37S;1U-EuH{8U?i1MR8(5fZght#EdLCV2Qk6+`JL7A<#v$Hb@MX;kF zK;&ID!DhI*Z2+ls8hJmCshXUe%sLtS;>CMV6+oMa)YAj<-_+PxVEp0CBRX1P_u!I@ z^Uz*2`ddNY+;4nuZ|6(@_RYX^2}J&|-44(lgry|Ap-WRZ8zMF)hSy1p{Gqv7ZKvZ< zYootdS}1QVl6$f>t41C3ug;1^TY+}=d{~?HWg#I~X%5Z~LDoH}^S#UDx6c5KLTA^f zTMGKGf)afvUib>@NufCP*ILC%i|Xp?1|k&EN2-eTpo!8R<4Jn&Jbv`D#tU)(5YXg2 zksW<{oLNUl=W9z#2?nD34$;;ixy`0sSlq!$6bhxI(+#SJvbKY*t(hv5>{yy=L0PLm z6`g@aUQtmkdagTO#OS=RfnVIw!)1?`95H9+YT#s$k@>5U^YepX;LrRvFhRAmv7T@tM`t-k`O? 
zel*GG3g?F74)*uB!j^^zEw+;M0gUI*$H&M2)P6)j-Q$Y^@W+EdAPj`h=LlWDe*NM_ z^Uonn!0s>;7k*Gl8vE#F;4ZEurl3{!q_r~6{|s>)rvOq;;4J;$K*r%s1^LySILx!( z(DkpjQsryr70TN7w$s6J7)ao^#WPb|SaQzWw{HszF|x_)nj}T2&g|#pWJb>%wUSm| zU$-b~KJ!>DimEO$Z816QP>qO)P=k*ivKM`jdX|u=Xncp5s3bP8#0e+`?_aBz?!?E&#oZ<_ zaLId6mMQ`R0($MA+_+H(+7boKG(i5XEr4cgYil5DmwttHA4!n`K1zH%hO+e-S?xpF z0+a4>YVFR?r10=?LESfMY_>b=)7GUs zpwGqqS{(XD^YN(^4NxeQjzkGn*))Fm5MSyu?f@@~$$zS6$mq`} zGwsP!Qy5>82<0Qnd)TFaqaHz&d<*u?4%xCOn>p>1@d90 zRWmwstwWI_44UGcoY1!L(9nzNBoc{CCa0&TgKp_w;#HcQ_mLK9xBdi5yN4uv9SQvD08evSKziChU95D*MI9>ikMWh;563-pe_2lJTt910AB z^oD5QXpm(*R(Y7R-n=P95%3|WIc29x9;>RToY4l}$z{-SmSkYoF@Q}BO5VKrGena8 z9$k;7Dm&bFzk2ub;^U*)nyHwoQG+N2E0o5ltt_2u;2|k#E6FZJoOWH4 zFVe|jzi=URwlz@#;39CqED7upKY=NA`|jP?(|pa8+L{`ZyuRNyq%s2gv8J$46u2jg z-%4~SomTWgpB$tpJ3Dim*g59t?&)?*qoUy@9Pr*&#y(!gPZXOs0B!|B=QKPvHWtOD zkeid!HHSvr*VUB(ww)5={K7&O##of4>I34e@>ZwM)`KWkJGQHwcGV>%+PDGB`}fbb z=zy<+79Lo1z~p;*~uH+m)c8n(-SR8hzldLxe%W>nMf&jSs?r)@GKaNei z?oEsN+T~rtG#lZc)*kGw2*ufhhxbu&?=a=rBq`l?ivzK)zq1<8comu_Sd?ME{S0{~T8)!8` zWs~045DFlf zM+Z?IL7qGGG*}rKi!n>6utptS-G?Ox`{aRIS{jS44)f_Jkw^qheS!&AP*gOsa+}uJZ!AM6=j-nW%IE4gP_G7$ zeQ~S+o+}7RR}SE^R*LR+0?Q`!Eyx+U2vr1vLl*ruGxO<;C&o(4!$TTr5mkS@FFWV` zdylSk<@)-1;J$+~j73aTP%zrwcO&ULYlI5GLY*8y$iQ^eH#8K4i{&1g?A#z3jE#*! zO?PuEC5?iuF$awXfJ2b+pmST54y1oiN)t22c1ELs%W*Z4T8WYRA`EsDcgm&(Gvy|4 z@4hs&IpWswB-;g}WOwuCrw}GyN%n|(GlNQW&TartT^1drz>vTNk+7L*6bSk;cZ&@E zJvoHO8;37`4~Iv8pYk|b6e%{pvJ&N<-N4h8oP8erixJ)3FqaK9pt5pk4*eD0MG@E9 z`SoiSEvv-XYk$pa`x1;MjgGf5PZyqXUkJD{9UEs literal 0 HcmV?d00001 
diff --git a/documentation/files/selection_422.png b/documentation/files/selection_422.png new file mode 100644 index 0000000000000000000000000000000000000000..30bfd93ec718baf36dd1e84ea5ffe0bd2b01f625 GIT binary patch literal 79922 zcmdqI2T;@9);DUy3fMrDA`j9*K)Uot=^dm=7wIL07J7(^f`Sz3z4sPrp(iTRdkrLn z-a>#-LJdhiJm-7A`_4V@dGCDp-kCddXEG~f?fH|v)?QhA@89~ZFM2wvG&dPm{T(kJ%>|9>B?EO;R@cQ-Z=mp*R^N)9YlwbQ803Ce%Y`p9* z7&w7^eC)k!KMdcvaN(~D>PjyR{ZX43$6&gZ+0I>82hBiEwmTYsUAdI2aX)r8J%aF7 z@%QZDE^|;k@+-cttI{Zrq}W&#{4NOJ>6QAGZ_j`sVj!IKTY zD8%Ptn$hdsO<{k3!~Z*90s{utn0 zV;K=CTRxfze__uz;fz^>Be?-jbJ~<&Yq=f;v7BkOQ)6W|UO)D(@jZh^#W<&gWGc)g zcdbodli%6~GCIspSU;|tmRZ=7;kw*-U6xoRhpw-IdIpY(Qnx=RB`=s4uJw7-nki=i zMn7~hof3^$2|XM4*TxzTgd{;t=J4u?puo7qM(=?QqjJe@U0ykG%HdMZ--^*Ll#FE0 znkZHHI+nesVQ#(dRWoWVgpt{BK`(%w$ z9n_W}x&kVeRrXjS?XN~lrOgHIxkFk2lW$v~fq=*c4qxr8 zHiQCNV70&HD>FWBp=t^{?FQ_^x)}Rb>2_jzx3Jq4L*0cW_6DS>uyN@Ix_RyU`h7*um_PEm69UGqP0#OMi*L#T+Pv) zAq{_FxSxnjJ;xOrth(QF<&MGozoMep`};8l z*-b^nv0HJP+BVBPd+~``N#AN92Te;y3^s~Lg7eWFspUD-(SI)6j=7yCDbdxPrr^7rW)w|lkJKN;b=9(hAE8{J$ zzpDCW2S?pc4o_VK&pk}yPA;-OyXw&2+EAkykToe_$$jQ+ng1PtM(tY#A*LXM13Z=5 zf(!R|INOqHb>>b9XN%p_+>P-eEpnY~sr1`vSs~Lt`m-Gt{ebUumGDc0aAF9A^GV6e%9D2#WM0a?ACm#623_9Kl}OLpj=QJ`}ABL&q*u z?N2S%jgDxZ(4F*XUb_$c;;H7)WMlBE#&Vi>_HEHnt7IozQ`N(2RD3yG?RKQ+!=IK! zpBrM#6O^`RCgF~PVA-F%Qm*o+s$AjP9#NP6cE{ebg82Tr*mvFiXf&mvs%l-9Xnp*f zHjuI;v&imJ=R)UomLj0;Y-A~YlipWjLcDf_*Gar!~MJKOJ2lqBQ>W9O774DR%tLd=yXW2 zFJ&7B#1r^zw-w&9ge_E%@l>fNka{stUjlNwx!KvmFg9ik%Vbg2nTVV@nCnS5@Orv? 
zj8oKVFUH8URP<*WWU-F&!QFDuTMTB^?!^nhK@?t~zchNO93Id(lsNI^GI-|ww+VA< z|F?u@S$7}UZLQ3jaZHZq2ZLgS@dA9Y$*4*G$!@wUiMrhgk4?XzFq>>D~3 z*9?SVnv+CdIYcwJ>~G@L{3nAcn42*zo(&SYslGQh(-K7X71%?h+*0kE5xb=Qttb18 zN{xI+0Y^B7FzS%`PpU1+eNfR#OFZb$R@2`mI=b(_i=hoETBz{C_g5I4WFb}|dpkd1 zAlu$6r;QdNY%67wTb@Mz`w~e%I63pRlGB5Xyt<`ZH)8~frQ4<=vF@XVmW{kaC}+{b z)z>UppfQKd-R2D#qFx(N>__~HP4}*N^BbMROS zFJh4flZ8mh=Iq){Y49B!1BtJh`DfyWSW}JufET%l?NNw{Y}4}tW^hvLdeiF9FuUjN zWs$5e7fgYwG#z*KI>uXu7w*fxa@3ZHx1G}CY~}{_n01) z(x-Bc|N7ZZbK0U8Df@{4ACxFlltJd}R|I0Cl~H;#I%>keca$TCgw$wKnDp=%F6sR;HwqU_}L z?_2lh=bv6-61fB=oqE7-6WoJp6VV=qq^_Ce)FWfxhj5m;x%e%6+z&?#i6-@%q_*1X z_b+|-zFca|5iyZ9Lh_zx>kQ+B%VRye;kCx;#`Ly<@MkvDNtrURZB6-rGxfBC82@CO zD`Jg7n@MBr@0SnQfmK-BhgHYd)(WOz0COUum1{iquK$W{?d>c^hXOn^#9X_9O?86k zkO|koV@`a{8@w<)UWc*W(#J~&BSqAH^*^(ravfxdS50&b7J)Gy zOvtwg4)$qV$e(l+m+{8`M!P)!Gw*02kL&ZMM=st9iVm;Q3=c9-Yn)F9zZ_ZWb3N}) z+^^#9!|nQ4=H2!ks{Ql{9}%zkO0+=BUyUTA3Y7Kq^4gdjX*geayDPr_e(92PO8SlT z05lBb)4TI9oSG8o_jT51PqbpGT!BTe!};MLBPAm~Zq7{5~SJobSSU)|fi#6G&CwifDaMn}VL72JoLrB&z0h^EEYYOh_YYcD^HF z0CdpK5z(cECiSj~SVTFB7^)Csey+^|-w!wOWAw_{_l3uo4^3<;FvSi4jjgsvH{ zSO{SEAAj|J2nWo~hP>5+Aeg`8`D5Zvy7KEY;_^2xdk+$Ip1I;xEzfAA%H*C4u|q2s zDt3o|QKMm7gz4Lcpl)jXarR1=F4B1e=IMt#5~ZfVDE!C111~uu#(5i(L^=J+B^!c< zAi|YkR?x1foyx4(t`aP>lR@q>b!|V*Qhep_k;^Y>*c*pR@*QUr2xGAx1}YwSV9aY~ zNl(+oD(?9Yy)!kQEhb)^VkKLAy+o}swgBW1+IxU|PTu!`zB-Z5M1bLqTFnt@ra zt|}}hn52TA8nZs5{>*wdDAWG7zh67MO%$8Lfqwz)s6zVU0_SRD>LNTcn*XvcT{Ad> z`7q5|j)nB$&6`g!`QO3I>9&Wa4uk_>8^pWvhr!XUE0d28XZzZIY2&N#vqau5p~ry~ z)B}$$B%b=~?dK*Pt(+^IxEf=KHpNv@$Suw#p3Mu;R++kB zmnxzJ_1MC*sKu)EMcDUlOB)sit6lQY+=e-ZvV85tc#DWC56#me{?5=>01U0&ee%h2 zB(8pqh*aGsNH1;sjHR~#6J4!I$C%^@v zFKrExqB2dJ3H9ia7Qr1A7AN!Dlk2ET_u6VKy&>%DWry0q39?5=pNbpapPxk?xXr?V zwSoXenv2Qo_ozHx0QqG-p9;4pEj+z%`gQ5!*5|DtTXYWd*gZ$Gtjx48mxVW=(xPkR zT@upg>$A$=Qld!?YJ<{>b1VmA%RNFqJ-Z>IA~2U&Hr%}RwMfDoZDWm}Hpp*>X z3iW<0-{*s!=pFj5+n@byAE{{(b?tUlJjo=b|EBojC2CVu+Q&VV+O77;2W~svcQJ5- zHs)LF=;P+c!qN9EWjfq!Mp}NE7F#1SH1E$eo0nf`AGBz43XpFn{i<@p9#>ee7Ner~ 
zGNJB^>22b7+vY6m0+(P4bL;CtRW^$S>Fon!h%r2YrgA)oNSfQ!eR#S$PBlkeWl^!D z5vq7j0MFK3WY0qYQ*l(EI7leYf8|Esz}DVi4|Tum z$hh{k^ubcXrfqo417H4wCa;}$j5S_$$@i7d+eg1yKrEcqDGn>q znJ&^R7&-4#>7ml!JH$=fr1B8rq&@W`d-MA8rMf@&6A{+{Sy#t?)LJ4gLXaizI$fjI zE{S#igV*yKT76^Ttk-spF32HJM1L)4;8e_fa`2m%(Eo0_lgQ z5pp08$+NPFZcu^b*`+gTP6vkv9(>3a@V+l}xx}o^rRsRT!is;eR3Ph~xnu|6&%!I@ zy4PE1E?L)`QH4(y<7eP=uj*@6l|EUI%vRzgiqKw$m3Px!!?#&kvOP}as185ss@bil zvSJ!UbeVN!zri6R4NzJCv*D#71ux5}CzR*a#d?*!yU|A$uoq&20(y zWHPwNJ=9Sq8_-J~QF`xNTVfa#YOWFaxirIec>{;z?-}eT&^7l|@n5B>*q$jCCne5q+7W@Bk_7k8i3uZtdD48CePU7rdexi$ z=jY841bBYvzJv}l;&fVtCL_)cPYKw}Fhoy$hft)sHM_2Fg`ns8;uWS3mxiw%Aef#P z=ne_8m|N>hl{l?2jB;a`-DflAuHNxJ;I~y+_ip|$=q;RCFYOl*Kpv{Z6%9<0?ArK> zWN{Ats3njw5Y5$@u>9E-T~uS+6a8pRGAMn*s~aWf+Ibb4aU)Z@(<6)F9M1}1E|ORcV(RhD$QZ{t+P+|Nub~e<7dilMtf(Dr>&CUWRvY5H|hJHMMUNC-m4EQ`IV9Mp!q{Q9Yi88F9@9@~E;C5fbxlNgYh+DCCKo>-VTyIw9TWu9 z!Z@-AS+~xy(;)0VYlQ>qTIY->M)5wZ=#yj%vAqHXu9p(jlSvr)iPJMj)T(89QLxBj7QAw?9c0(u z5438n2W=(Y))tsa)}G0nHA4U)5;8?I40w?WMHz#)j7BuiG<=1@>3+`l-%ge87YnE* zWZqfn8%rqmi2)8o7D8k4z~!*4dXqfj!3p`H*^ho%>-+JQt^G>AX!R7&@; z$QGfF@b;_hz;_XwB0E;OU_ynTc~>--S==KtF2dOnkILVA@7Si*zo<9KcT0P%e>Tc6 zMPW;wIi;oqy-cRM?#HZ=i%oAiWq}2X)cDVzN}I@1RMn6MK3WO1K=*SJk2A0kJG#pF z$SJ<|yA!)7b4gE$juYFjXCHyUw{Uj5LxJqqnbH{*qs0@X0E5z zVLUL;GhJwY0l2JDW6nH*u8;KWmVS0ZbnenD=={}uh-Y@OBTI$+dH~%FHRv4F`KG&n z5nPthChD13iUCdC2gYQzk)fgKj=?^D`y$eZUAP8$qt@`|Yp}qLN*g1VSpn8L((k(8 z8FC)v$VXGnI3sdcVx!aSMn9oLl%b%z*qNAAjCg1J5$1v%w$FYo=4Yz18u7?G+Dt_a zJvacSI!B_HdnO2BZ1t95Ag4`l=u@@9qa4y&dc&NDX7Wd_n0{R$58uJ5kNygZS=x}N zLhDi%vjaE@N0gW37AjXO`l9RV#wX4A2;oytL(P%}+wNNDiRQW)+n(PbS3h%+_C?nu z1&UlmzSo2XZO{3J1+(xgbgUqGE55MKdzK+s%r;%hTPnpcTnk#7j3XW@3pf9ghI^8- zEJ7E?0p^GP_E!umll+S5y_7Y*IwyOJ@}m_f%P8+_by4ntnccn^ z(YS#Wc&OP)qFX~_+Kj&exWQ(NxSfhjE=p3$S8O5R865(RwN3+y*LI)^1M+ML9h7AP+lzwqU8NHI&Lb7$h7evL!9)%ajGU z^>OSKM-?Z?wkIjz%Z4|=u)>ZNa2UZ#-=Ksn~aR+tM=M0iuK zI{N2r2trWNOPWQRSe`kV#cFkGm#JDK_ZV0utoJzHi#Zq#a@}@(ts25a3L3P@tOx#@ zYI24>LRIx8Ztvp-Yb}CVI24RoxcS?k@+ezi4L>aWi)49l&_rH)5-CUBUchW;*fFr= 
z#)m{BiIMRdOND0BwI+Gj9_lb6o*Q`m=KS3fG1a5&Y$QR}&ORo5;lI2IR*>@`I+}Vv z4K`V>P2sGic>qptKK}M3Z!Ok+L0ZCgvwUea!^04-P?7_v@y9Gycn?J?mP;o#6FT6M zAvF^C5g6EQx)`s8GHGv@^K3$;@1RVV(ApXdBQLiibeJicnmtBLPj9v>VU~h$TdTVrw z1i<@DHni3kJ-Nc11-ezFn~6Z#Hm3VHvknf)F4T0gOTD`_C@sCT5cVRBgZ;0nHAPl! zEBKOHMAu#c^VBmU`fljPr?fC?6D=z|JosnSewnHaMOo#$*s<-e680)H zB854sF7{8sdC`5bk46`F9}z`sQSim~kZK!yc9OUJf}n{c{^WZtf~_5ay}w_Z^gGDs zyUt;dH+qI$3~Q{t8=gaOYgVUuU^g}5u&>RStlP-{ zJ7UmfsK6$XStKK|D##Igcc^D=tCF<3nkN4TU;a^X|D%HeCK_{ z#xf^I%31m4=VfDNzjo5UNf3wD(@NNd!62?+mAfrZhW>%nwg8l;i}r$kWj@Npd3rg= zyVFW8enxUWALk+OTc%l0xcg#iG5(UtBhBT+bIPLaf<(oEg66SZ};o0i~>XN!qJ2#<=r z44R$d|0VVTdb08NA;^)131TZ{;9wViSM)FgD~BH`1p4s1_I_<87u&Awew4uv4ne;> zvu|9)XMam^H3;;=3mS_azngbOVnj5VTQ7Jobo<5>``j$ot4<~-AJ4)GoPm^ zyZ!|RZbRlQidpu?G(`LNGaU#g(nGoa6xj%v4r8R^youH^+ndwTr&SaQ?wfF)uGZ{& zaKj!<)3c-dki4`Ve>tpR`Zm|`Ly`WRsq#Q8KkY6qqfnN?^~d;1dD-37^8!oQ?*_cw zS-XNL0A1^%q}XtdD1P&-ckMVheN!w6y;uccNj*@i)iV&8v0pUz*`BSpY)?7I9ovm^ zyJR3m87;e?n4sv%h0-JBt|&+QPGkgdyw2ti{AyY>hGWGTb+D->2D93_vXDnMh zJgiUQ`SREKzpYIssjjqBy9QH!W3t}*c;%WUI_7=f>W{+v+!VFH0`qsaH~ZH7&xrE( zMc+hdTmDkADLxBvwP^yGhV0s3XF;v!QeNL3NsLYfa>1jyb(qmFFWDp<3B`(w-F^ooihVAy6j6sT>HoPv8};F0$oAY+T4xlNgX z+7EdBl&1~n|0}PT-qJlFgpjtm-!nr(Ya$ye9%J!dr&m;w?vQ;=16VN{me~}r{JnF9 zWC^#a#>}3Hj-5l=$8inUBtGx?HIdr+tv!h;h>F&0jW9s5Tk77NOtWN}S?8Rybnu7# z`zY$*^ zELlRgvE*}2#TY1cJnflYn_b%vZNF8Wr(5rcTc*s;w%H_p{=1=1vhFQLr`?Jipb4`s z?6DQdW^`L=rvL5Hc==b}5_HqEZ_K)XE?vK0N6?~tPlpb+HGQZ)q-GFi-OkOB&7)zm zT%Xc``UeExP^y{AvsouaDOr6MTonkYMG7kA@dP$xn5wH9M+GhY{F%vUBE-75=Jniy zY(wuNwk@_!Hc=VGq`oQu+wLvftZ1t{9RC*dA=55R58?Q(xra6yBEcv`3vM$kaI$UuH)s!S zd(^MCcHzc3q2Y{@nBjJ`4Y+n?3QR(B)SqPl073hc%}jYk0k;aEsJmZAK*&@lng zQ55*C=yEa>JeB5xvd?;~4*6XkR;akhpL*fbof!b4vklrpWn}U}}pqQ=QLaC)N3AU4I6PWUW}l zv;Qgc%aMXt+X;vzLZsnG2LIDJJA<~*WAFQJo^w4SN;rVP^%YO45E{ab^XyT)@L54l z!jJr{?T+LvOW#|dXM)&86?@ie>1kQ4@`AiAYn>^v8i@%vSm#W*xiEola5gS=yYuCeW3Uu}xXSKeLOJoF zy6KECJ<05lKjDmsVv?i)ox8PP+{f}HT*W`7!A^_F4-X}-l|uz@78>iD(ROJnZcIeG 
z-eE{xD~~x_ZSM6m&v0d6`J`!GuFiJR{wSU&Rxws|KWpBT<0c)O{xQ-V>!klf!D)Wh zLwD!MhfX83ItzD`d~KXh<4a;L_?Ex;Abwu%#auj(9%Dwy_{z)vB>cajIQ_ro+yCt6 ze@k)tcSNT%uoU(ZouWgWd|L6h^!me;H~`g2xi2RsIMKb-qbY2B-1gM}eaKW^{TB_G zk%X4X#4vaOWR%0vGl|Q_-PJ4y>eIaSFRgZKuF4P?>QSJUVu`q}zt0$0keGIwJy#*L z!>FLzrtg)oev(j9XreF{Uo=T$RPmF{%23_y?UgVx(=y)gX;q);N)BVQww|acF*nB^ z_DUbM3hk_(TN5#)F*=aFPSm1ttB~pAof;;Gp89@qC%!ayAJ$Cd3xR!6aR+v(11sG>ni)&3q)fr?9jRIxF zgGv~!@-S$r$n3y;B_X#jX)YG#M=3X(E-V!z=E$s^ue^|TuNrb{xrjWIPZy%pV9_jN z9}}C`_$yfo8p?ZkMh4z*aO%%5PJe%yAMZ1y9VogwUSP&(tZJz+F5?ZNyh)7r#gFQ= zJQp3>>0TM{kd1l6G7@E5H>1i*JF-*bSftQqX%aJSgHp09+o{UOgG1U zWAw^Cdj{ni7>(zzlQ*KzJ9xu=GBmQYWF~J>udR-%HPY>$OlXtlGKv_DO$y|&f}cDc ztoW3cm75;8Hf63JQIaQAHK}W5)QdYd{(D~}8e2Fg?v?Ia(7RH6YINYFdO$7LrOCq^ z#ov1nPFs+{jKDR;5I)36U@Cf5CKDJGMrx}>4Pb7=`L*I(?_OoN=xOWvy+X#yI<&ma zLg^advQBezXHJl>vpOK;1C<^UK$Bp>-|(Ch^*1mJKA;$gyCt_dnO%9X2xLU)Itz+d z75X)o!CUlN#x!dvLZkA`g_+>0Cv{@ZMUSnk4tV*P3R`5dg4{N)kK{bmMpf89p77A5 z8h?G*k~LT_mEnDj_8yhSt6-^J9{lB$I4TT>J2n$awiSp+!PNo7o-b#<8;Yp6`C zI1*&!aG~*OXByRmg@~pN1=WLeCkvLQXk2KiS@ILAOxrAZ+McAYq(LLwPrx22-}%4v zbL@;tpcJ=JQlF7yWtyQr`eA)(p79FkG$?GrCgLF8h7XppA;qDI?;n4EU0^-GQ%Aj- zPsKT$K#&!1$$3zeQ6zG^WP2d6$ZL{Wg1c0oM$Qj3DcLNo6V|VKKEd02 zq5R!ys(M<0o{7(J{=ssrp>k&4!Rmu15&Ob5V%)>o%&uu@f*6a&Hx6LYBw#}EmQi7r zJAeOypC*229L`g@o`1z4PWrffQuoxW9EFtKhsODq4*8!*j>c5d`wueq8J%(J0~2QE zT9j^~F!WF*ZxIf>Cy1rQMn8@Yqa^us#1&oNW&E|_2L{VIO<@4BMvv+*_wb^!GlFWM z(3hE?cz$v28IL0|bdGAT%Abj!5iGv^%5Mr7vSKz5eM~0EXr0{@zSxQkEYD z`??FZkpiHNzSHqAE%S-y-s7umC@nASBo*zU=;~};S#jBJ(gs)Je)@vAC{|wnB+|%s&H8_O z?sZcK|43~r+r}NwqKhLJYhHo+jXN&+6(`$KAo6GiL7Q)gy-!wBu3p)2MuW8(<;LZY zZ*k?lrB4XF#e+Xl3A#^{E0?+s#w^+(hM85ymklPrU2=U|_dQ*aI{AkhT_eY$>v}z7 zptiKXnm5e3-wRA?abO;0MXti}!|4?ySe~L+27T1cIA>R2jgFPE*k!szfGtdCJ=FBn zB~pTuzk}a=&mXkcY00k~?q+nWS3)w}(In1*lQ3IWc=*l&1o?8nEz(lQ5O*Ud9rR2(rV+37_~%iBb!$J!qJ zJZKF`nw}(Z)jwh@d+6|!=IdoiUt~^g=k`i3ecAQfsIrH#mEAOnx1T;s(xkOMz*ZbF z^(Khis;VCTg*gO$J;7RcsyJDCjB6YSrp7@ZN<=fGN*gHj@#Ci^c 
z%v&dyWvC=|BO)foiS>c$A+vdN64;+cr@F00M<$@!oMb(%uredVF1MrS2j#_|V+g$* z2hEyMw}datP}sk$#jdK9Hz8(I3UKbmiYC=Ao3elGZ%KCg`DeE<^QXe=2=$OD!7w3< z<|j}qQ_D!AxvnEaF0%LJ%BoxSOl)wlQGP|Qbfli`d5$9V3==@8J0a#xW~+~R`-d0k zOpAe3=M197Qg6!_WpA9qbGhh^N^HwZA5R?Y1-I3zurMvlzXMoRlq1&@<(s)mz7NP? zm_Un$+&Z`YM&e9eWHf2Z!z4t*)Ok? zdnF^Qbl2SOq{LlqlJ_z?4w=Lu`g)7K&b2lvGi1HcB)&my!6hEK0z&5-n%mb{Ubbv~ z?cKI#7Poxe$dVN>l}jqtQDdIU$<`&&=07Sqw6C`fU3JJvUHJ9swCf2eaVP*@WKtH6 z2q7B{0g@%r1UaS&NSbc|{e8WUt1NScEg_>qrH*7Ui7z5HPUL3b4NhK5(ZgP9J^N%k zo_-VK2-*xd_UyX@vy7;(GgB@mz5aOo`u1-L@j!!yiUDb~{V^}9u-hLzu7-QCK2lk8 zOW$@nlJXzFl=DdO|6h@Ucu4fHm}Jg%nJ=!CsoNU=lD(XHx}~IlwMMz3+B?egChC3u z4+GA>zcmu$`W8)L2E1#Q>^lr1N-@G0BEm!CPujng*a$FVc z^le?(*OA&NBlWa4Es9i52zdNQ|59MF=u3f1ge}%no|iPtX02w{c1~|nRJKPNF&la> zBqv51AWq$eau$l%YlJ=4G9#6JUHfGj6gCnszHBZxp(TznYfxu@Q2r7ZoSp1^6&Ekx z99Wk{)UaI|ug!b;6fjdLY;Lc-u@5i9caL;`NJmaur%SANvIo|cZd~OPP`71p(tTG| zUhu9i*!tz}v{|!G_U7OzW!Y}PBL7R*cy)`JG)Jk?*Z%21`!D45zi=h9DQx`9%ZNlR z%(O~&)JP8g;Pqvy?BTWjdIhcQ$zBrG*FhH09BrHUi_9=w+B@&@*Hw!`u5@j)5jDzs zUdf;@S>Apo8TStOeb6&h+d4uWwpO`vx!R~2$uA%TnPTA90Yn_qoc zr=4Z7`-~n*a-%EN>~a1L&oTo|(W~pbP0f@bPW8k-+``2`4*6_XJNdxEhI^0+gi7zB zL3!Y5Rpe-rOQ#P;T!$TKk{o?HH5tk8gSlr^UZHxr{$nT&=*aSx-NmW%jhvL~&{;{l zm2%QZy(PgS{zFzY-QDt3zx8;kQ{VVmOrD{^$X&+a7ZjJYrEADr)2(>m@R;bqs@;}$ zJX-gl%*hUTu$O$c54q9d;5pVy zGl-`Z%e(^Z*%=#tC^{Nr_a;m|FMMu8E3y4=>Yu6Scxe zuDz|MTrR1xjknBOo59fMD-r2(L0h+GGOa$4Al2uGw`FB{=V-1K@ks=9v+3Ta@rp`# zHKAXF#Cx&yy-E>@_f&BN+Q`;&{kKTlwCgB2|CDzILpf` zo~omsbf_b-{n}85fM!KqNQud%IzUb@!x^5Hzp_tcezCHSL_P>(4e?#Gzhpeohio*^4Lho~Y#u%@W#KT~QY+!GF0ngOo&R%U_u$%B%%z%+=UwcdeL4E6F3eMf(y$zEnBf6 zMORt$5k03xMYJ5w+r?&E!;MOh)-rUl=1CRUMp;e$1ZKhgd)j~;_OAK`IdFqY3u3ev zysfm~7kfEWpBoEp=o z3l?QkULIVd-HeoJbG}cSEqJ~46x{crubGZl%3_-n)tEZ26&I-4X6kxuz8ya8Xyu>r z=}&{!e?}($^WXm#rTBMP-TzHk>z_a%&rNPi4^!_BSfG~`Azl@q$FJv4mdBp7(cMG) zD|eE)g5bHydeZ(ggC7Qi^~-t0M=z5sPTG8b8#xcZPhMwFxEVzFWwd=SyW9pX0lsx^ zSB`%p?z~~||MUK|{|mP`dRvv3GE(q|;% z%#^XE6S}P17ErUk_yObrCj-^ibszFU<#V)#p@>c>NNj}E{0I&z$2{;iM@Op^P`{{ef=nRXN5+; 
z0^&|K)Q2FZ}Q{1zaJo%?;#HnblI~P+Pux`Z)oi1%lCMdnTf1lHy2y zy5`Cyl@V4?EVmAEpIlxQk`4=sej2!s9EpjMd;-PK{cx_dK0`o+bb!-t^WXOtdsjX^0sr!mS_b)SVQ65f1uO(8b=mcx|87&*e*HFuw`?%zTLROI?D}7 z9sTvz4Ub;x8>Mut*aW(iC0!Zyu+60^mm~RvJGeNysg*Adu2p34Y@=lxqoKN0wQIH! zZ0NFfx`_x!hh!!5{T8<<=2TclSouP{BGc$D1M^(|`S<5Sr1SYy5|NduKo8-aA!u4`9jKouHyihS*%u~gq ze*NQvi8PD&;lGlYGXDXg|9z-tv)q3j#-SLeMfuorN_HI11$o0N%^Gbd8clDh3Oet+ zo(rnFwPckM`6=t_dBSyeWR>w)>_4EES(&myU*EqiEuH}Ss65_O)RV(NgzxOw*w7x%s92hZy&U5&70}pRq0&C7lZeH9^NmW zW4vQ3`cs$p5mt6+adDxF`}|>xMWqEMy1Y7j*AU`_d9K%|zzOd&Q%SYByKmhn8+Wta z!Te!CF;B@(3lD1Dpz`z?VUOIHEy+Cz2wKUlVQG=yTT(EaG3fpHQ1tJPCJuW+rrm)C zO@3N3%s>$mnEI!s_#I;Fvsl@Iz%IWvT8vzHS=_x1=3dDRnRMpwxsE7O6v9Uc50R^h zpD&dgZ|rIivvz6K?TH7$!x;)8n>9eLEVbQ~i!1D|hxib5rRV!F4jGc#=mMDc)0rIa zKhme3#v^;2LS17B*`VJG=?hsvi9#JHW3z3FaeylvGpPMk^P#MIpxfLbWgRUKjR8qQ zmf))dGF8{VrUnbE(3w>M!20^cWlS=gynaXbC)b~6bL?KX_*P+X*0|p5qELm4|3LC@zTp;} zZR&!)-I9)OCCieat&eY8Dsx+0Ih(wHzNq#R8amd9H;9oOFb!e`f@(>IPX)REu)Ulv zNCb>SRhP0_N#rc~-siB*u>gaj&6#?I_QTts-CyVLXAYzp`7v>?8Sj)&7qVn{;n#&_ z_+|*|Lz9Ut0b);=ruKAKbxs4;wnHDA*x6-T4G?K6U#%`Xjit99;sWk>0?}|u%Zo1( z(pRE8KWMK#_)2m{!j-6g8@hQ0q2)7w>BJamkF_{1)_ps_ z=rzwRMMt>!XcB+6v4i(Evs$Hpwg7R*l>YRV3zD+49uu|= zl~F;UUTODKjw+Zmc zKa$N8wR7@AlhI1F#>Gxkh_qJtX1>9y7R^`Okwt0=O2@P(GV5$1KXs7b9pDFuf76u< z_Lk3}^z5`hVh^e>eUq^?u~|{TIi!2+shDbo_ZyPYnc~&VW+IV&O!9L9%}5XK%46?e z;Y*YtLUZxsvQ5Wg(#hU!psrqx+111P z7Q`wr)}%e}S}sY*i13WJ-AFnjIwZLDZUC5a)ii%%oT^sATdA%U>MAMY*J01&Hs&1A(x z1%bjd?a=Lqk5>{3){o1wz?au_$syK#5EUle&A@|xC(Pi~*}`vKh#xF~l$KS$FaOOQ zU?oLPzMr_=x^QS?uccnee~smMacK@&)mFYoPc%7uE?Bw<2*oo$4%jnr>6{j#&QS1l ziw|qC2OqV^f@h4jX2b8jwT!#eB0J(XFo76iYA81eE#ro=F#p#(jl`Y?U6VAM_d=N| z(^liPz?tWNjmNr(^Rgb}g%k)SWgOY-C>rKS<82u? 
z!)81GA+wjN_1IrAg|M5Oa_n=orG}u6DzNdi{B1FSRZlG4T%DKJW{tR)9miyd~XDgT?-EnXYa{fVxsW6u?_D7YiDP>D{zgxc94k`a>-2Fk4c(YhAW19!@ z8Uh5Mb7Hlu@s43JZcr}CT5Z^ zkx~yS)qb-!`WBYV@}ezI`?i18{J5l|#&-B2Z0hYb<%`PtcjyZv34=8<`=pO6KHQGNL9`iH;NTs3%ZvMMp`$_faiM1)LU89QY@(Y9^oDgOF) zhw$;h9ekhp{lyoK$@KbSC1q4>7cL~s!JDy%V{iHK?=J=i)EaJNwezo7CvsM{B{LHW zy?S}#+8M;)T{;Z*$@-%oc48zyNml$-sTt{Xr~7t4gVzQIH@S?xm_TG(^@?UK~gG{!7m zPmG!Wssr7*&F8OfbZAIwQfz-+_FtoV1cL`a(T%*$_hKVx6G~?THK<>DWjJ1eK8h#qxb(I$4dGc3!Amjd?Z{9^8hRck+W*6j z+_S^l;)0$=ou{7^n7a0wRb*e8r6nsWZlzE9IKL3oX52aEcu`W8c%I=eAx?kIFZe;+ zWiH}%x4kPJ!q5*=+mKyR!{A}uy06<_zhhe49 zui^jXcAV*DN}tVR#B zefVk&p5m{|t>dO$QprgbYQ~sqq}p zUlpU|4jfomNyX1}T;yozVz{Im6A=Q_M{mVuYpZLjDHJ2cYqY;Qs z3~GLj>(d#*7;b+0{_;xaJJy4S{5*z{Z(y^M99FzEN>w%X^8L`=!lm^wJ2XcjW6&x8 z%QWh=DIQr){ih|7j|(^^a*vT`36od$yJJOhQyi?{mRysg5T`4?8Y#1Fz0VHy8A zD= zfjm3{smSHlxvS+omZk6nqG(4eKj8X0hNCNLcXKLi$-~*pkL}&SZf>p{@0nwICVIW= ztaes<51=DzrNs65tHXAehqkV)$1JR`3>VNNYfq%p$aU)ZAe}WMDv-ZhDj6n&y@e$u zV{DBy_|57CNZ38S`ZdM#Zm!+MRXA*937!oAk-nD zb3W|Fs7}cU$s-&ko6t(7CzPvVZ8g9>A(x)wQPR0c8c{=ICWkMoE>`XX^}9W_0qYpW z#CTEYYDaFUW%aohY@v9rMioi5pXpJqOn0&MsMWPB|1K8o%=SLwm2ur~(PLAn|^Vb}3hgZiQ zxXD?Cf{N26olz#Fra(A+_DO+I0Dz{xmuN3Zhu4A8cHc*wLSnekZ#2o$^HutmNKU}| z`#IrZdiVOO`1pHm&TF5Nm-p-~Bo(`=VXEtiPYh2>#jzk7(Ge_Tx~=%ZLz9$-09?;x z&wxZ)a?k#Z+|47khPigK$)iMGAP`X```Jl5Ro_JkRixit0>@X~PolIaO zOELS#4b89??bj6+3L>FaHs~n$(6+aq#}61w>jVwcP)>zTHCsd{sz)xp_D`R>`@RfR0GcT>fDL|0YajBgCsq zTEuKUrJ`?e|4lfOpJ(5H=F4lc^w5?YR5A)`d2paP zIpN#4_%&9v_MzfDP3v$WMdCjD(p{GIc4#NIJw1E9Yu+z*OshTetoVcsfD~v2o4pF! 
zvnVMs+$EAA+!LW{y>tmE!`WxT+z!_d5A{;Bta}{s-4|V*(vfK=`m^?z;N8_#ZKA=lLgW@@ zVK>PeT+%P1!C5+LgMiMB_B{ko2e*DaDzti?d9Q?t!&t%j7`z`XU+2g4K1rZkw~LB# z9y_v7a4oD{A&}KGLg&hmlST_D<9L5GK*GlT z(*9z8(%-rOF;+38Cd&;pGXn$sd^id4n6GUbIpoz3$mFED9+@YL?3Dlj3b&|2BhO&z zm)mX=8w#}5ums8< zg@nKOzd(stJ?xrrtoPESGM}&?cQkUBjluU{7rJ957k;tv1igc*hW{$GG9?fb^9~>; z28w?wv8w=^Z;h!IS1vW$%_eto&n_IXNpkycPR|QH?q+Z-m z6KkD;y23t$%=6FKLW7a-rD1LCZCGuNwiyiL6NMJ5+Yt?B(@2>all3v!mXj_alrdh~ zE^Um^Gfp?+qpu)DVOScq@jAobs!k&c07D0p4{8j*nEjgjCVb=oL&uf(pO=pFMd zFgH5lT^vjrlL@2A^Pz2tO%TGmOF7X;DRa)>rt+ck~6aTrp-w z+SJzpKd(Z<`pb_OIXjkUeop((^00h;t<^XE254%jj56F|X&m>zM8IpI;r4Zt#J2v* zD-|J@&!<%;Kx}h~iE5fkK@g6!G&Z){Fk(=2d$oLQ{-D>}2|m_SR8Y2~Z2g4t(g zGNbUM&TLa3x`4Yk9WlSS zb?A)9GH{i(s^G?0cDaPOSP8Js>W@`c4=2I52(pP1z?lsxIji%mpJWme%W_;S3Q-TJ7EatznIMj=(2&6pk1QcVT$=gN)`mS~GB zN*D$}{k8bbsGXvXpQVlh3^233j8mX9OmBz%q{Qkb5kZPd9G#d@;qeI;Msb!hxwfw< zA5ChOXUGFjMRB#h{>)-Xawa!S=P=wffU@!EgwRsz_u%}(VXV+}xiq$TgQHcv6MI=4 zL6{^*NW+*rqx4rzCqOk_j0?Jffuz7&U%Ox{lV7e181Yo7Q9s;TVZ^@KsYMrpWNza( zeocLlEM?tj_6CqG<_FZ9Sr3<#E3uhFsQeU?1^o+C(g25GD>-ehS%g#}vb*I*s96MU zyNbGXro0Uad`iW+MGYlt5f4(9=4wKBd2k6@;SP!vYMUkcU#%=SvT8}TYwMdSNs#F) z;qYzgw1i{=yBd45VC9cgNR~80RboM3^K&)!je`IK#QFCXy^L3{6R(rET$YZpR!zrF znYsI6sEC`$OEf#;i3-gH5MjyxG*@OWELB=j0vGv|NGl#vq~)Uhabw*Ozv%WHoxIEk6IDHi(oxl@Zj+C>RF~m#{)U5|wm3_31^QvBj{lqCe|&1;g#p zPAoEni`G)d7Z}sANja}TUa;-poHy3xhxpovnb_1}5gjk-*vG(|{>w1Z4-@H@@5v)dzj}Bu>BvXS@j)I8$-Zs(+4*{9; zLmIQkHk9#$5avphsl~5x$k-g`qERur=GR$_ESo1-MMVLo@5vBcyK%exucv|f8 zPLT>#W>}5z!A%lDpjQ0Y!_6`DyB56&tlrcJKcSs8DR-{Xg{)39amp7-d5%t#C{kI& zdzQ3?JCVAXiJ2U)g0s(3>YTv>+DPI*d{?Xko__#CoC+AS*H3lyU6R}s|Z4Y%KErULyFm8sGxgn9sYU)@Q996NMb*w(tC^t z>DSA6VvG0dbpkuiJS}1R49UevV`iJn0}$p*Dh-~0(mPhX1bJ?0kX$7n1Bn@{SuKIW zd1sNELopx!%q}VC5?R@p`D0h16UDq@-`>f&iPuI$Ty+4Z65;NRYoXl{=%yDOg^f`q zFcKpcLOD5KbEEOyaF|X4H{V*q{uUN?k-lKRq(A-O2(wO+pBK|I^7%p@D&VPHr@@D7VRCPtz4vsM*cePE*^Bt3ij|>UPj=zPvnUm*N!+cDLhG znUlS_f4o7uU&WnLS$o~`iANVqpIX{6|KXa5i zcON?hjfrnHKp}H7Q&RrYmTK%+acG?QRi(W$%CbE6sJ8oLFRG5l#@tPHmLTX7&8^ 
zP#e@GC1b0JA#-SEG<@qSCn-~`d7y!sC6PHp2Qgn4Nqm&ij7gHX!1tm!!NI2Vwf5D8 zKVCR%tF()Dw71G6@i6Jqn>4VuZmOFVsNmE4y)@|30RZ`7J=Zsx0tc)G!Bl|v(99RN z=@LmzGIs^K^uoq%%ngDosrp};Dc2X$!U}RF>w`ZxD=?AEgy$6u*~hGxlSHV!oOTb= zRM(z&r@D}bgGlrD$6m#hrFT{&-T04F)Mb{}LWDwfFip?m3r|rU$1j)J7VV}_K6zQL zUozEWAGAEwwzUWLib=@e!X7r*yj;Ry19}2}ElXG6wpgaj_Z4wFd9a>~D^{J@soJ}a zh*yN;M6~~Sc3d~+(WrY?fCSjv+~v*oCwSJ7%-D6$WVFAYm*6;6ABB;Ry1Lr0wYg|{ zWh`CSD-ECXj5=3Nx^-7+*=Avy9{O<`E5onyjJj+L90 zX!XosrndmnjbEWr1j-JwCb(K@qASbefXP#^wwF-3r2nEikL>!TFFZLkZ8~wjpiqBu z)a};m04;RII|ymym|n(D=|pZSKlFmBJ2BrYR3L{6=i~GP{AOp7!Z-6mHT*DzKY$hdZKQYUMp) z*BicQ6q~;do@wJXLKGCd)q91%G+?Iw6t|{jZ!jE(_0+9U;}jWr$?wM#g32Vc@-!@jE4V!^=sJ&AdH*;K&jelYIib3zgY*8V&_B-BPHI|2U_^ z5ys)&Vn-wI-32kKBXz`hmUkyH7~o*&LFxUx_3#G5!Q)~Cay4et5qDE9$-K@@S6DS+t5~4q$McEKi6Nt{j_Xv8~lfyIL$+^O!&a}xF^U= zt6VydI1LB6q6QuFo6q+Jj_e{LFD`2~7vsaXV=_x_X~*qm)g`oG@rkc$7fSqZemUSV zGUKXA^Iq!@deR1$(L~oOMlR)<_)CJbrI`2}&%221JU9i?XUfgVxi>;ChNncFz7uFB z=I!ab@zkby$==*{NkE(v&R1Y{#}pIOhW?r_6EX|<7HUR71&q8Z4sv?aoo-mF1Sb>P z6v~faH+!>L*^Gp(^J8gU(51O%W+ z^YOhK2dv$BIo6H!-i98phknrsM(e{#ky_}K2Wx=jiGa~5f<~1PG#Rb}_gchs!Y46UT~1tzpSJUtO-^F6W1hdcR2Fv5 zeKD$U>Bmr1`;{3=-Vn69Y*|Oco%!i816(q)%)^;;I4@Gv{XDZkiIyj04}y5!GJ8-z znvjOBINvAh+iVP}iXViSS}+=4hMb}?{>#Ha?~1x9IQ%*Dm;76!4IwmsBnbW}<)D0> z`iVi3=DQ5wr|0a5@L)Skobk@Fv$>S;Y@)vc?c9}fAA~Irvg1&ap2@XXY*X~RJ5Dm0A*5U1*;(8un;N3VPAgNbz4%MtU z3E<EFYWl=uop#g0-`wr(BN74d4XGhm!at0y9cJg-3bp{-B51LpE-xr#{{{YCR*LAR_ z)APH?(7pVcD;c&!LtSoqwV-rgFu5SM-LY29F|eja*5DdQFmd!)cZ&d>WxU*be^u_4 z$u&JJ`g64ZcFL1vmDsYBGimi{-(A!GhmcB6V7%gHz+!(+S+i8CIZN6L*QghHH3+z@Xqc+p^=PlQtqU4I2T%c-kNF+7s_QB(4Dh}sEUSSVDL{> zbHrEyE?35Q@AUD-&{19cSjxjw^B;vZ<<&LY$?S!M^q@!QwoO`5CSoAK_~dS5BLBjK z?2hp-az8D5e``=LK1PL>=4=p(Vc#78@d7k=1I!(#wzoGA;Rr;WT7_{;KHjIVM5x4E z&2Qm|LEdultGnJ8CF`V))t16Y=t26=&4^`)jOwxZ9+UD0q96KIeC zf1g$#jQF>M^5+5j$8-gXysA)&&T|Vrag6@-!9pN{xzJoA0c|?yz+xXHdqzy;yi3gL z-m0dfpyPWlWP8&5LOHI1=^Z3{G3`cocg4H18qK5H{_-kbQIDk+r}7$iJWf-BcI@uE z*I((M2R{hVlk2JvU6#4!c;cp<{50nlLfIp3iSFF^W 
zE){1*t^idvG;EoOl>)|fh=q8(Qo1W~G3aZKgDM#j;)&MvIZE|+xckz-PkmJYDWxj5 zJ9uw{lM|m{wj7082Ck1*wFZpEU}9s&{S%LFDr;u}QB}2%vRJ9#@4{wgx@!D#++^SU z%e;gw_8;!9Ci1Jll%KSu>*?}Z#ziT9&&*&tG|8@Jz1&K0BhB#-OFKygq82x?eIOv? zX}#JB4hX0%sIC{=YS(z<8Mv@#jn2<(y|vEBKqgYCt9A&=@_|l8d};MLT&_>`)=KfZ zufV}PyME`V3IWjDXK8qQvD7PIWoT(`tPD9{i)7QbVq59XnZz^b>i8d#E8wS&-AVD2 zpO}!w7&+hYN`2(rt=%3^oA~E10>dtM1G{baW4NMW?e1h*d;(VupD}|r#yRiLJ{7uA z1x?hXb6Es9Z9P`LcPd|LOr*+Rw7`pQ3vai6>pbOTH}OD{*p_9#^3Yy`!~nadop8(#+dZswrSAB+wrXE>N&=1zI2E?!^$C=1DUjKJ|MJA*qmo zM_P+`8hM`H42Gt97D1KQ)S8!cVWb~svgTupe{?#nsXM)+_Vjvg;hPdlv*X!`hwXzTa{3>34 zC-eE7&4_$XyGR;ctZW4*Xo==uQWWl_$8~f*qXz(#m3kL+64+KE(^e+wMuOwGQT6Yz z>JE>7Uz7}${0;ZiJ{kSOa?Lo?=V}cctdl{r?Rt9np~e_lYFS|9wy$>rwcAWOS2xX) z#+Two@^oPxj2Ig#(Mvr4^?<8`$~mUi)8@GeZ2vqIY%3xlP1jx(n}by}6bZBM)s_46 zXJ#4=NxKHp^b_!W;KRbNA1Mxm-Q_lzk#`~7IF9)pj)ODoeoTk|MR$sH%2kt*DQ)zm zY5Ey9Xuf~WU|S{pP+1N6X&WR7$-MKfx#?^>CX>nK8ZLcTUe}m7?X8x9H;UFw{oj={ z*(~a6#WlOzS^$LBMgk z`>0X}C|5k7XF6?iJhC@?k_ZlzJwVyv{FWW>NkpK?J{&Sm2M#~0^kK@ke5b;JSy)|0 zy0h*txXseih?(%AhjG|am)e9jbb`~{Z{^8)vSxjv)Aj{#5w*WBBd}ur zFpfb%eU6O5sIF-@t}@-JzcN?5D}j3^LW(WgRSMT@XI+I@8DRygfO-*3s3y-IV|*F@#!0{G;oWa>PW#%5owUKYh! 
zoSx?@)?{3c+udfdmA;@8ClG@ll=>M*a53OCo=!9O2fk-V(*eF_{s5Wb`5eZT=HCJM zE*D{e<>n5_(_VcryiUq{$rUpAp@{(R6i}I!n5mAM{afr($j6Fp6XMf#P~!itp&PR> zy}P^?4=>f$@`cuW*kZ%oVT_=*QeQt8V`qE2K)dt8=kCiwMZVlXewBhS$YF@;`MKhtHoBmK1PTJ$5xZ zsYGB2m24h72&GlU2JD*koHI`)q3}QZRJWpF2c@6r{FQ^1<%OhddrC_cSeRNy^j9JYAgr42j`u%wVv3v4|>k zbqdX`fEQCvO_2?DuoA>h;@`2TA>xSZJIzpur&4aC@ST&{52L|xGOstr>{qTjb#w^z zk_Nw#q;T{U?>B!><51W4+lNv1E^_E)`TJ7XnB)C({GJ6q^bAgnWJ58wwiL7aiV7v4 z*-Qiyqnz-w(O0C0-+8(bJnj!dOGU;j)MuWacbXqK78|McKF;1KAo8bNioY7E=tFdq z?e6j(UEyVZA#Tc(dCKGAx&sohKS#Q{|2pg0=Vj4nyFVM^#f>z(9VYBeQFk+XnXw(x zASjb%25kXe^Q&BLwZBApgsNMPo0@brKz!EL5`m^^^Zr>)IYbVS@BOHx!KXxBvNS^w z^G({$2u(-|-B^ivm~yOwG}HCNRG7*YYcn>{N1h_;b=B+h!P{Xlbw#%O&AFs!sVjRs879|^^@2gA;X&~o5mhV{Kn}rd6 zFhUd6$X6;dYI79Gs@jLh^3=4qvBHACI@g;1O~-%QFo`YhFKoIC=L}nW@+4IJQC*dK zv`;xsm!CojVG5>lRSz2INV%hHvwW!T3pL`iBl8IGN_Q<3+u5+zTyCUqe5mQ^8F9kL zY*<)P|J+F%n86s5A6#9W25L~E;%-q8Ap`vF;TWq+c!qT3tkxC5ubZkH3(P3m=k3y%;SgI*qH{A8A-4)M*no@XLZDT!& z+|!;;ijN+Y6GY%ws@pPF?MGgHuScgWJ^k`lSQZYQnDaD)@jt#zq;N|$>(a!7wHX*g z>UHhU(+Y|Dr>a7{%}wVF&Bix9ASD66{TBR~R092yj7@L-W4Q&3C<)Qg{lss-y8TnG z{ECre-}Dxg%$^E$`_lh@yInUW{M#qOlp#}ik`*#}h(5@?3I;G^T2*r?o?Sn#bMHSo zAHq?ww41#aGVUvfX&Tag7Srt=1qWtw4M&?{W4TD)5pdQR3FkJ31X};h@}$&BN8U|V z`xn~fhWrlQ8-!47RM%u{zf|XGHZX*oyW32q{(8!v*iX${W9U`RFB>_*OaS@5691I# za=K{-1~6N->ks88CVSZaX4mxpbu`S>X(2o8)_zYi3+nS|v-Zp0ihS%@0`8gK`Wn0`7!2IqA08rG9zFctN zc6+bd3~8TIxzryx(C%1TXZR?5VIFnHg#n|EXzt?grGBl~2On@q#I@5rX%4*tn!>REjsTO!;KaheY z$LVgUu!z!uS;Av4%UnGhpEK<(M@#ODm|_SGzGOQ-4CSMIfr0pqyODB9W0aih8=jIek#Y+w$MkCLf~35Uz#gG%>0LZ8?K>DRa*Yd9yefoHC5xK zRV+d7o1K8di+d6O<^`Tc6XLep-?rG%6uA!^$)P`{9zqwd5;IB&%Gck7CX$n~K|M6x zJ4rFV<2IFi7<^b05gYB(6qXJB?#O;K+}MG}xPUB=*-Fh4Q7NoEE8k5*&dWN+FmBr;ZDWmpiZiIaIX(li#c>Z@1&C;?%e4EG5>#QcB7f2_kvjra+}rso z6D67wbY&HWrofc5%t&*VTc?z4ilS#N#P|d`{cG05WHLAray-w_H+!ys%)6rq67%{- zKl>$sgUhcg|vBb(f^+I*zSl=c$ zDZWfHvrEcTP?5oL?`vwm4Wk5MX_?JTJf11MZ;}a6XTCWl+NC@^ZAn`Pa8kbP6s`8c3(g?V9DUYhIf@P|E}<+6oA5$Hu_6rq+vLLHLu#N7x`>bZ~h( 
ziU}ZPgF^W?73X~PAP|^NHt)bpA@npN|#$zQxKChlaqBo@& zdTLz#K>x2E8B8t7IA4?mmt?)DaHgX?WZoT_Iet;5qb~DjKP5v-yLVbikmu3E0IQ_A z*C|U_k{KcYGdcNr*k1jPTzZ{8=lc_Gwif2T@pv#7lsZ3#EDFg?^?d{a;V$&s+PCX| zUK#dDf+^KndBXnrX8!5X>+=48?G7r4{wL}?2P>Mi>wnq-1PZ9XW3Y*oF2f$0mVZu1 z9iQNBax#rn23=;yTD%rc(;Rb}#fdr0gpYpO*N0sS6Z==+qUiuGRn`EA*F^IfJHj6$qS?502}!h_%UQBm1VLskZNkQ7@mWO4W$t zc4ZbnI}*7sHD&w`z~-hdhCw6U^u5izADJtg<|E|a)rew=mD*X+`f||KZ3bv)EWMV3 z*TGy)0wVSTZ2ASH={cz3({XZV$^GN^w1at`HMY8Uw&WQGnUOgVFJLkZ%5-qstvVio z6(>}*VK29?U%#5E*Cp+Jm*QA_FL{6YOCK2k5+v{ce{&HZtH6!9xqt0F)gJgVl2)X* z_YVwWZ+4Gi_=mkYhO}8=h5sL1#8Iz+xbP*T)$N2tW4CbWQ?V7R*hyaRr^_cDX;pgl zp#PCd;6VlS$YoluW0_(-og?X3X+^|e_6Pj17`6$e&aq-0BS)K;cfa;tbR{J?oOSd* zHv87)toe`~2KCSIk4k{Z+Namc+*lgYF9=l*BQ0K|RBy*=3vxMpY*bTm z`g#U4i28;+(;fGZw#c4w`eXM=_%xXhT}RE`ejU$py~rbQxw>Rpe#|0#iA$u(xm|}7 z!}~$#p+%u!>ekJjWugSnAfvTWpJ6c9do+%2sDNr)1#iV3g+uc2F}VOCI@ZR;Z6+bA z%M{3aRJy(+Cs}`M-~O~e+b^@9yg1AwMC0*v9?O+*2=KD>rHxecG+A!P#z%F7t2B;Z z3Fd7Cc|0Kn+qHDFApP?*>e_zfsEr%UTyp}ws47#x{0yC}F6>KClpn6DJJes*mAJfq z)}-iO5lA&5@(lVXij(Ry$Wk*uzYS2d{dy;02j!hKZuo9+Kb7+XdasB5W_k_v(Dw&T zIvu-r0NfU8>N0&)Z#k)|fI9fQJe0Gv23guC`;i(XB2s{Nupp<{+`$0I-06^REWjv= zQg~yr+2z;fm;wOUo9cZU9Y0)Je2UUHM{_b+lRAYuc48G$V?8kObG8Yj3stAPxiNsPB>V^4B-M2 zR8HoBk0IsH&fATx_c2-Sj1@LKSygqU(d3jgG-X2)&i1Z?0)}qq9Xz=I8g9ygxrM~- zs+7R2-^!Pr)T1Wl;ZnuDWj^~7wmDJ9>;5XWIk#GB z8QHb(FSQ0~N6<%n)y{c0<6SW+LFJvc?Zo&{g~q{7jF#K@3zDZ?e_u~yX!yRav6K0z zaQ*n<@9k{oH0oT*C$@LszGJjh*?b9d2X;pRPxgbW52(!q#9ZX$)X}08Df#3SGwve^ z|0%=y@Ti@CUo?!XA$;DJ+Jp!4t0!Vi5}K$M7P+JOx7DibOSsYUiUB1JdZTz=?#1xu zDH}>Kz!c@Av4m_N-rYvR9JK6!<7C3};A83bJFlv7 zeiIo0T^MlX`#TgCYNN}q;kSsQyE%jnR$zOjyE5Mh9DY@eMl@=6T^^qec{zNbybc~} z=GBSVZ5+eOlSx!j0h@?NfdTZ)DxssmOAT_P*IMMS5c`)aa5|9zz8_$dFEMQ0_(+MR z&v72t1jNgL{FQ%Rp6>MDOKCXNsmP5#z-dC^G{D{AYTa$^jQEi`^^ib5aWYGi+lM>n z)-cfpK`FSPNhV_KOyz<_R`6|wjXkqoCaYR^IDvslR~>a}C|a6pYO(MuC7@0Gq%;4M zv~rsR1Ne6&iOBc*XZ#8`SAd*Bi}ZzFTE$Ic9$#sUVJ&22r%gS*3&;Znf;w5ZVy3p9 zh_e5J4frA@o>A0;!I9KuW8uIe8BM?KvQ=)6oXtw!CiKEWZu&Zn!JLL5xMn>^BkIS6 
z2jRKBowEH$7qo+#fC99C9OY-=5M4@Lg6Yfk(m2N1%Yz}FOt z{Ekc2alHc^TyYl2iys@J{RvzdfC5)pXL~7E7-N>ApPyWA&t@*tjb?KIgb$}J?o5tC z`8{!YJFph+EoxP{d9jT@8nC<=+?+*FF#vqG-M7H`49297JT>Mo<6;cqPu3rIsmiNA zX+5x6@Z*MIG3B%Bm}G%|abqs7kjMRg+yN5LK`Q@#e+d5?&44&hR?--c9|t-0pIMnp zV~l2D$)ngun#N7UTuXntF+-0*#$^A)w?PY;?yAMr3G+%VrYm>n%Vr)2w}mA$AQ%4L z!5;A_v+{QQ$0_c*HvW>mV_$rF{TH~Cf^d|Wi3bORsob34v9+F1jkDx16h_-B>ob|c zqb)-Bw1=CaSTYQZx&IcBYI-T-goBq{a6dSQmt1dKg*cgd2Ax*X@I4drW6x&*pyxlq z&=4pA-suQkIirc<#Z?ftKHTX;!|VUwVHuz>LhIMt_{ZvBUU#QGlS~%Y-&A=61_x(9 zf1v+TXSaJzq5Ke5iBu`XeIgGp?=!eccr<1`#j;=&C_Dsnux%y>+jVp7rvY6 zh-Yx~Y-tCTcV|HcYwJl|7|eh3zlM{Xb^f~u*5CVoGi7S%GJo^XIqE+!FOk;XIb4Et zmIfAY-Py(jZ|cEU^QOz<;CS0&U6}$u<&}3sXdD;Fpj8AFzC8Z*XNe#b9roL}Tj41HoiYKEUrs>7~QQRwi;DwPQ#g4dH&9>)1Z4++EsO=(&hzFRe$ ztw&}>KPD#T^Nxwjw|VPrX3nD{(?|=jm#-rKjKCf6-T$hD)K^{+I6Ov-W1*~0k-f+h z-~(SGabHEa+f<#lt_d^*cqgN^VSV!tjo2^#1=;q!Ny?Z|D~%ECy!<@+y}U3~Qv#vf znTV#oF2MbeamHw)6xFl*YJark$6!T!Iw316K}dQwS)?TBqK*w?&Mo+Mu$ITI4s8m( zV_+~&u)AqRrKq}W{3@q`gGw6|9w?B4S6sRlOqlGn@K79TbPOZwh zaVvExAJr!sFtEhkP2Iw7z1CHuRH@DKW#jjGXuaE&HfFFPL!=1blaY7spnwt2w4X_c zbUOC4L7@M0ym+VtmGvoZLFL`ZX^pj`Hb1Bz#&$2S#);T1-~(zivb=s)e5UDFaiaO~ zy&9eJTB$BS5F<4JL=5;=(BkehxBRh!EoR6aTr7N!2Ga@hQy7j>o|?hgb4bC46LI?@ z2+s4nXDpz4$hZ`gCFGcNg0`2|VBiC4Aiizk7qxL@gYNI27G{B7J~Tg9Rm-rsrKOk) z$rq2_9vTD<3JdO_T4d$=q?}P8}XxiU@|Bn~{Z@2p2?@s_@ zKekHH%0j)GEWzxilDilbWTn}12$^?Lz(@)EtuFmZXJf7?1E=8etkYdS+}V+~P40<#HVL?L}Sxg0$>;@{fqV|L7z`CItW>{mE@_KYDPJ+qe9< zrQP51=?aB}4nmo-OX#CUuZ~Fat+Z%})y_#EVY!ztb4-259d>yB0K96-~h!3>7$VUG=IQcAZ9A;0@mw9(lv!f4-2HOToG_e4h)6rux>niFz~JX zib4%T(6Ntyb!X4I+n<_Pw7P#~{jahR0A$iW=x!(Bk))+XkJUuYx&~Bih|NJ^0|+CY z+<{}F!xLUX54PrAyTv_)7G10B+9j7Vd8e}fVibh)HC0ei`?k9<4VlOX$w5BucJ0U? 
zqEf>c)41hgWI*pj9v(;PcitdzD$9%wFg5iaSf0rheMMaj1Ih~jO*iSk1N?8^i+pSa z^4fM%!0q$g(1vK=2{bH_8)!Na5Ht(;Zl|`Nirq$A$8b+Dmm1p0uUZ0lBOkWbxcVdYE|*Zc>?r;7~A&66-5`+ zEv#(UUrj@CML@lSE-&M9Y$|-2QL_3>D^acZpwilCl8$Kb&zfr5=l+?(wfkmZ{~N%Y zDp4HcWpOs;b}zhj1fBN7@nHuTz{FbhS@$Zvr$K&6PUPRdXi2~Z^MhC-0L=bZ;HWWd zS{XCId;T0J)4$_-KC%F^Q6v73y*g<8_KKMd(9t>EHO0XK_HmYp9y(lFg4D5i9(?e{ zI2hfvmCFzjax zO01Sc^u`l4>yQBrO&K^H@whWKxlLk}rC$*A!TiplCQl_I0*-fUkz&T1@Q<$plyYVO z4ZU%%s_EWghTva$HGYm+SD)w=m)f;YM*mMfr(tuZM*L#b;t$apW#mWuLuwRhxchRy z2=U9|+XQyj{Oni)5wMef4w?SoD!VwpR`kHWu5zN#Qq;g)ERK6UgE`@l|9R@sII6U{41cEWb(jRVJUhAL@7M;yLqXi#crRlI>ko9i~O3j z)t}ax;-FnU7Wh6jRNRUc?L_t^Ql1;P=?}f}{WM!5lw|gsSgq=3bhVm#-;t!S&yQ{Y zkuSxXMc8a#(6RE(j!CN#SoB(qFWYgjbpLx1pRz#070e)o2BBr|iJe2}A8#|*?N%?y zQN+-E%(v!Me}uIXwZDZmw4?_I*mTV*^Ycc6F1n+IBsQmCm$)Y*0WT0Pe_ zHM*1!MMZ6RfiF89?BKm5ri%^m$&d>7xY~^c-Z2h? zzs2qlwmb{2U=TAKnQ=Gy3@m(QypFxuep)L2F=)+SvQ#*5OrAd&nN#o4EBtEBW~cMV@_154>O*NjXNpRp3w zLuf4`djn z_BB@j4{2{56vy}Niw*=Q0TLX7B)CIxm*4~l?vUW_FgPT^-Q8V+ySvNa&fxCOpl|Y( z-#z!b4)v;(m+cmLVa0uLs&brGxr$Mpk-L6s_AYC*y;xn8 z&P4qbtw^0ODUnI4PI1MPLWoImTi#L_k1Iu7uq=bvJ+@QJ?Ypra3D;ijN2Bo`NSRYy z*BboWK~S5AM5~N4Ei=VB_=TChl$D{6_1{zW|LEbr&8-!bZ~!p=djgVNlIVX57=_M<0Ce z`W}heMK%0W36HwrC&B!M-d(eTWOWW6?yja&3;1fz;4$Wk3=V0@p>$Sid^CVM5RV|S z0y4fznAqmoj69zQ0lqZZtqU+Q2Z|MXiD#K3+1Qw;aurJaQ(e_`M1l$*$OD=!V&oqq z4Frt>OO$?PF!ICrj1w;NO1kZy0qZCKi{b^q{GP>B0N-^(^62@j${u+T8<|J~4Jl23 zm<-@kHpDbIOk1A)!|m}=m>4u86EECyf$8&g25t3VQ>R;uHycV)KupxxOM6+&Pnqqr zZ1hffJQ1LDC=El%9ddYoJ((bDyYu~4uWY;WE48J`{>$nl-4g_-as_Cz5r(F9h{Om> zyVrr?*4V2!#rSvy#1xjLM_rw+Jn9=Y7P$LTSy_t_YNTZAbQAhlxM^5HukU!?^Yv;> zO0&Ya?=atT&I2EBO@8E=nRZC9ew6hc^||vkSugpCH7hP!P{xn9xig9OPkEcB$sSvf zcej&avPZJgTq8mEl+k(_8nSV)ah9}T1pJPxIyA{kt)q||6pY=RtuOn94J96ry)RMJ zfbE=pg1l}%Ob7EQxKQ2TGX~ag>cHSh;Ye`&O44mNqbCpmFU$>!KtF0_1)lIb?2PbF zJxf}UvQj*y*fEaHe)Ow-YU8%HG8$0ZtOdi24=S{WHGN3ChHMNblPqGMLzQ|#-b|IQ zSU87U*n92TBkP0ym<;Fb+4#FyN~PKh7p2XQ0j1w%O&N=+SBED$K+T?0C-DDih#-+` zxI59YSO7`s`-S+^V90@BdF$7qP5H&gwBM;>-JPM4P1{59Hly1lJ;eWMjv$eE&bDEz 
z;Foi0l>Q@VU1fK5Ng|^HFOg6G!RKb_K~Ps};^!BdHx;+lnt!gI+5S)cEs5#iF^O(2 z1~1covmS?YoKYM6Q3D_p_1lwGtq2>NK21;~?B}`LFN*{^tv06wZ;Z8+g})1bE5fdM zBZb`IfGIr|H7C%KVAAj_f<_MuMw_QK{(qDc|COKoFa4VUJv1ZgAJ&rLWBAi%h9K;v zRa?gWu{z8|8QD7W3!ZGX8-1+jIfj&g>iWB)bGA>`AMY z?lZF}6{XT4mZd(&NmGT>xsJ-N?UkwH4M^8~@jvo;%5cJ&05gOdP1OsR6%sTk= zR76q+<|o%h#Rr@C|a0|1#ZIbKBALwamrhI^4U$ooTzsa>?~Nyz?O zov&VFa&o+i+}VumGLiqN!?7W0hPBL;F5HtHE8C}nK!%FF%}>t7(r1OJ+|Myy$@#KS zb@SQzb4tO_ce?rUFzsL}zu3@?>lGEUa^o<9>Wk)Lc8Uo#T!`TKv-3sQIe{-!I~hJc zW%4dYPexhvql6xaMQNmV0YHlO;&yn$Th+9(>9g*>B?xqM$9;7bM9&Kw-X5)C zNZ+F9GaW>%wXxJAAYxjeA8(YOuf_UrSCwv4!8VSFx~_^{kkNI*U1?mRv#K>fAnVWF z41u)Y$4@iR;e3*<7?oCU2lIXUDWSf^Nklqy8!mXFg6sPsm0ts28td3SV!Tg6U;Sz_ z=QPG*E!9c0d34`g2!ZqwDQ`9QhrFblID{hHDp2ih6zYXrLgagmf^XN*Qh&Om%UPk` zvzlzlqsprMSTirOAS|>ik%bhg-J%^0nF#`IIa?FfogOlC;|&a}Bz%r1t+{N{z$-pZc}!S<U7qdmsA7C^t0$ao$c>KM3yz ze=(Lz7Enon^GVM?NOFH}ySh84SHk@voj{?~G(CWKQTF0>sDgM)LFQ-ZyyEe*QZ-(3 z3mXR~-l(6CznU?By36 zjcdq%LPe6b0ltC!PX2nxH}cb)Lba|ml{bi{W+&77*t9ZNyUyoF(JxnZNo8r`yc{VG zeXJH;4kA^(HXucJc?=Ay&;|3eHP4b)ejI{udt*#2LKh4%_VHWo1nj9eQ=chrlXBwr z5^k6BY8ceLzL}xOWvw=gVIyQ=`zv?%QLV`t={GCr{|Xh*Ny^kBe2UIBtAA>2zp_3UtOtU#5@w8G$z`BZOm8x3R$>T12W7Is@jclea z!v@7>n*~S1%B!l}<@*{V`)R6#REM$G4hCE0;VMj~uE}%4%^ks+X(USgGBywwHq~l! zYHiwGyv!|sJ)$v*`@#>}NqKNmqwpCTrq7mS&oX|hN7*~N`+TTp=EXBxz+X~Xi(SF< zg@^+f*g#6df8cUQf~iPljW;@14IsjCUgip)o(}_{E!ZM2F?W{ZZ?5(-HVv*^88~%wWLDa&5`O1=oiKxcflbp? zEDJ#>UW9@5VYtwknUhsEXp*;uLog(R^3=SLL|ZRc;-{LFMklxFT3Gh-bh)m@&)-I< zq)%U*7&O<|fTTt-Sfzt66^R1F1Lo6HwGam zSc6$7F-9zg2R7@ch5!_YI+CfJUCZ$FINF+NtfvzclQ~;DM=Gu%4M4DRwTO;gJ_>dx zO1_7U9-^wbDoq^#62TKryU))%fL5E+`D@sqk5u^-EUOAMyRxvKDi1OvA({}og)`2_ zz&>-}pd+>OtD@`TceD3RvzCE-2@s@R&U=tS%>5b~d2&PT;&zK%@>F=!mm1uOdQC4o zuv88##1~! 
zRd5?(Y5@ZSa6E6FLiWSP_p2x=dW-LT>oFv0f@$4*fIHXw_SN#ebJ3*;>m@Y+Da$V< zU?{x8w=mn6Gg+1Rq^gKNYoWKtC(y-~!qd^@Ga5h$5>tz)nlYR7j<3r7nn}9y8ljAE zm!_;KL3mdHRoexZ@^#v{8uh0cYLi0tk3$jQ7oe=%uCqTY;>C8otG(jJJLz+Y>=+wm#W$;^`eV7 z2Hx=ZIMwF^3r?1xXMQ$UKbsSh7AHv5w?w7@D89IQZ@jd+Zv2cJ;C^;U2oJ#ElOSO| ziAJPi4e@QYvUI`Lv0OE~>yXfb1zCP;ytUohTJ^@VuTlrrgoNM#VkMXa&un7Pd%Pcj z3Y!N!cn7NT-#=9=Bg2MXF9F|S06NrV(49{0$oCGI0_OU;xa-yYQhz^Ckt{Re+}zjv zswnk7LMD6vr^sPb6Hz#O{4QV=>@NhCkj~;Y-s3b>AFted)hX8dF4~5)iinr%TXL-r z;M?K#W7p2}!CmI+C*CiF>xKoJ7gO`)UqnEuO;zis_G=|6t_@z-c`4Q58?G$n?jRqH zjgAfri?InXg2X0u-Z;JEMj1K zPq0HW&-}_<$D4q4c&%@rHH#N5w%SQl?zy{Pjzxt6D#LYGicC}0z8Pzp^&NklBFcGF zC+4pke8*Xls;V;OP=Wu@YT^wf_TtBh5c*TJDxjnhv`*e4*i4voOMgToa(VuwG&D2i zkhEyBAsKb_7R^Yr%dzfbmOdNxWGFX0XtEqM=j93DGNQnI(bd0XX2yB<>M0?Fn@`cZ zXAPTdYrC4GpT`yc9y*elPp2-w#ls@;cgs}QfZWV5iC-^|E3!8q!_HZ8e8lE4;N$F` z6KQO4<1AW+74Yu2J_I{PL@KBpUqbBU%<}kV6CFk0l9X(AL1{K)$eB{2Qq@7Da$*=( z$8Z}CG-aZnokU{ee@>MmiT4;-#;4AOKiMGU&p>u8CekC(v zRqlC&nP{HACtSi?36qjHL6m=#h62)s%X^6ZYPyT<=U$eS*EgdTk~rgL0U#20Yd+`U zUGG%9V~ZG)`@_aa=r(L=c6ItuVm^$5xjucX!*=EM*j&~^)+b$by0ZkHj(Lcbs%2!L z$vxI^>h_8zV|#sPl#+t+$<58Mf|MneKVL4Q=J7q}j;^vhKse1l2*RIor7AHp>D5uM zIpMz_6JW}O=I^o(O|bk8UPjiBQEhyj8*Rbz*z5G>Whzg{z7ct>d-E0!aE&k`2mx2N z7Gl=I1mgg=E~~#$4^;o-3SVRhT1ThxjIbB^@2A z_+{~U^Bke3$Yp$MPY{@s@uFT#%k{|!8OD({A%-=F?4o=2MvIR|P;ggXt2&dYnbMB8 zeoB#K>C;n@LU{O(zYmxe3P(9deQ7bA53X@{lJxd!54Ko(2x*64;8QE^H$6RdF zms-RYAc?%&>S^=-=wg1pd7oDl1Z+HpKC8x?P-S94% z8E!6CTB{jNfYoo`Zs5*k2+Gsv1xaUZ+&#z#vs4OcVnM(0D-H=1l2|XI|ImrK6l+eW z_{_u6o`;LcG!k`|a%-U^pIrTA1kt^m&+^g`r-m2Y_}eQcm^|KIEnUkfK>vS+l&@HP z-ih)w4?(1-aDOiw=}-}6vX*SZ9Iq`HSN|OVNu{|c2Uk8ep}i3c3B2)4`1GJg?|s!* zY$;_aQ7+^y$fDcx8T^WzMi#m45p>glyZa^!j2FsmaCOINx%4;EE0fLx6^vWSyl&vzMm)RYkaj}M*JUV7>W zg#aI}$HUU4?h)8$!u3Ik%X*#m&zOHeyTDJ$Ujy*Mf~a$XuAmN`O!CM3vTu`4V;xLt zSGHCOPMh_Sk?O^DKOaaRKo%%XF|_m?!W5^xK+5{=Eq0M zcjOfSN zIEl`30{H26cLvE>#v5;=C#hG!m&<(aiHi*y&KcZ>H%#fev%jIf3FRjGq>J6bXPs$V zdHug3>_FImZa+8ZdZo6hzP>DRx%!HoO~c;v*8g|O#LTpEUe$+J7OdHOX2v*TXJNh` 
z2Tprq66gEdYyiNLq0dqW%tw_LrXK^Hw|^1!qBOFFn<0IoSfI@m)m0s+xf4PbO;9GH5$?CfptBIX_2&QfA0>` z&loFHYX+N1anu{SzsD)@fj;m7~*) z`0QiNpPKHu+fP*72Ws_B!?$bK+*{qwx#CWlMIS#93owW?zyslbo;Z3Lb`1w}^6X7- z%^PZV%gF~|2=Y3*_Rl7W#g$x$)!h_-rDyDJ4OGtUHHC#M!gON4TBhQ{bcQyj7=rVd zIC0Zua~ob`L|0q@!1QIU`^(T_ty>a2u@FP01O}Yz%XFBptV1K9d*3}YHxA`QkxVHk z{Mh2rQ4tX!BH6Nh%MXmqsEogo-MY~NN$IRkh+F=gCbd5~K^h!zK3q~F-;%W7+yEis zn!9Lel>mfXuP$D_h~vvY;tJmWRqD^=l;szJJd_~lO)Z5&(s)`f==B^1gJVAMAd(%W zeA5D)MY5T!ymvGqqsH{#^DBqRB$sln$t{z8VY~MqQZM%Zk3vUnv%r7}Kw9H}dmRVn zy}vx(;v}tL#;+;{eI>*J?1kgszrn|Gq`w!kRjBmcA`GLy*+IzGj%seBLk67xajm_fYmUPhGLg%Geey%*QU=@KG9sQS)suj4WyNwEz2)tMH+ln8DBgc4)`qaFCZawZhy9TjS|g5JIu&3^C+;G)DCQ4P$W$7OQ*$QYUn7@9{8< z5DgjGvH~(E^-{H+F2%P}L_|jCOQsU#&wfnQ?UqPyzE<)mX~*%&l*u?j<+i8(z%4Vx zTJ-j5@A1k)tE*gFR(6<{>h6H@1g(3g(fLy(XfMeETYfExUt>@~$OQb7V@$5yJ{Df! zaj5)Qnn5LAIQFv9jC@e_T@m^1a6fqC?;lnCN4+Wty3M9^J&GoQYU&~f5qK^7qAFI` z8IBipfK24Jr<$zc{28lcll{3}i*|uvj^RJm5N2rv^b}{~RsP-+-Mv&^#Vdcv-=*>^ zF3#CNYaZ>z@?5YDEDonoG_}9Z<0>!6FqjhPv>QQ>_E9t=+{yTr&i%LT^*05Xn>D(6 zjpi6hG;?+SHW#2YyKi6BtN=KJusp|S5QCd=gL+5YC|BTY`kTk=)chx^Hjdmco7KOY z`|pYnG_?m03j;cvf6mGDF+3^iIS(-)x3`7lO?i%W2s?sXJ-^R+p-$AiOwZLFV9A&+ zd;yo^H*NGJ@dfPD@#32nmel?FKTtOd_gz6+&ie^(+)p8JALlCN>Y8kL>y4pcn-cmH zaG}|vqYZqN5OG7_Qfp(^$?&7YDt%QlEjm#a8mrfAI)1IBM_6?d%>99r5#@LPV|M9o zhw9g^J$saR6X)uSIg>VSPachFlTKS8>TC+{Eqb|&5;gn>;zg@LwYc6Sx74sksKWJv zNgG`Lec9whh-e@TjOpcdPNR4l!$Pzmw5_M-=<&ku1loTR2d>3YQKYWEZ?h|NoPc3M zMVnSC!7!FL=0Z6T6#;8mww}DN)d}Drk$d|GV>Y|fcp7ZY9PUNPkWXAM??(VI*HlL4 zhN1JiQQ%2Pskv??-IdA+JSxV~+C@s6_8(Xw#s zy{lL=DAR#;M1odHU>`{8DNz^{9^GS|IT@-ggw~IX;yU@~+-~V91;{V}4(oj5_z9K{ z+JYbOq?kB5c=N;JZvY*_oG<6o?v+4PGp#UlL?rq8Uv=>WLPg2Kh*8L>fXt>bQ$jwU z!iE7S)^6P(7(kgG!`=GoNxaRiB)c%+Yood9>R81z1Tl0#m8--Slt4l<dxG$~ai75ecorv$yyia3lZWk@ zW+|qo3{M=g)h=yGAy@)zIoW9?pX`)8lv@h?UP-ae(!LMyort07`=&+rZqhF)Y^5n% zIc%=4o93s7=vt|J?m|{|c8uN>K{$Vj9A0i?<1dydPbPM)=OiQ}o;1g?v>q(YsUj_2 zO?nz!nW5fyMNk-yJ6Ak!OXYXT%FMKnPGgzSuh{)xvnA&c#;)ucxk*>}B&o)W_AAA~ 
z{x;4O^`+XJ@4Y}2jRQ^XZ-;fj*i#vim~y#E3aE)4DeJ`Cx>H4Uk~E>DjV~u5If~e0~$@ z+ED_tNa$D&;x}LAOS2n#jt1W#*UgM{HeA=|hxsYNK@vMGU?ndz<}N>lP{#|&C?ETC zWaSrq9^V&p#R>$(9y(6u?Tf{-QQb|w>8!Q?KHSAeum}U~>|qL$1*nCU_kP(QPTYCm zexHyo?BSPCQ}#fJs&Uk_pC3-WetSAfIqSTAu2P&%N#*lZVZC^IKCWhiU!>5YBuZL_ zV9TC8-o&1@=}{J07RC2C&^!r4?-grs-A+mHCiJ!@#sO;6Y#7S!(~2sEQsZV6VpssF z{{}`Z|5QU;u7a1a2TLh$EP#?3exCSn<6Ki~yEue~XOJKk#b}BMeZ6wA`)L-63U~78 zk`W?h?1thMvZtf~6=DJ<_f0|O^g>X$?pki&kRSuIDt%ef#pQ6OJ7&)M$)VphYV{~8 zS@yPuu}JXu=~1};!WvRr{7JvSg!1(XhnX@sixpqYLnp$OA^%vq3duj(zd<_;2XBQw zs?1>_E}N#MH>7P5!^A@JitMoI9W-aTn)lGeKOb)??6FJ&k(Hg1ko>!vw?^8BTj6|7 z3cH|%7(z_TqzC_XtUof!$b7-|x+%=a$*!X>1himLxF%+*5K1SwuHaziTRwZe0=CC6^1YPMs`h5Vo5bQ8{=5(y=hEtD}S6CScEKWPV{{Q6fg zL0nXZ%nuym<-L+?E<#~8()(=_?1?zAXu{U^KsL$$1`vkqfXiA;`n5}#8Q+Gck9c5B z2iIL&wr&v1)jFZ{=CMuFQBUo3LEjoa4>(*vZc_i#tn7ZvNkIE#o)c}+?%QGQxi9-o zw|6lI=< zY{>Dp@p`017i?T^U@cQs!}QEvo45|WkRBG0aY=mLq$5k~fYi&AM*iW*++1{Ll|MsK zbwO8Zv3IphH<+=^gmZi}|GY@Z1PijJUDkIIYAwDuAAIMitF64Z(Q z7M6)xMW>cKX+veCfG4-Q)I$BVH*g)oVfYoro8xV%=tJsQ%S-c8Q{GZFGkN_TMQVi6 z`}ZF&MUJZR?>X27wuLD&B4jAl+0(mogNe&f7cb?P0H)PYK51cMd&8)qk#I}_BC_>&;ih3tE7b=HQ42EwT*jh?;DCTe8& zPA*qLDK$9AC};w&3q}EPv3Fc5qhmS&%2$}scjQ~@#sVP{iC`=C%t~MNVkCLeTU>|h zV=-=)ZIy+iN(Zf%LFL1hm&0v2@nY=W=XARi`Lb2d&C_E9nO%H)A2~s+s_WG`*o+^S z2@8j6;G(DOrHV`3m&fzLw(UOE6rSL-JD8Ib#IW|U96{eE&( zqu@YTA9@}L{f_`&neHkD9-F}G{!ewQ1qD8MuRumM3s-T@O}x7@d~zLZ;=1!AS;f)$ zVb@8NP6!LGJ-Lg*>mtwsp2faB)bM@PkM=&A#LHI0uyn8g5X|~5o{RZxG1;M}V`QG} z+kh`P+Cn}i9A0m6khtYYt8dY72c<1`_-HT;x$gSPDhtw~cW+o8%12zm`_<28GUw7a z&kg!6(-ylAeB-im+iMxDFBdF%lVmQnPB$2 zYN~o!id-RblbPpQMv8d#v_;EAb`yK+` zP>S|b+en>6)#trMxhkhER~Mk49i%%e7ZTeB|F{&uR3itzue{f+P3K@j>#>$Xy3#|# zCVIm zuu5&a6aD4ILAVkEk6e-F^T5cwI#VNOl`L=Q($*fGmH^w$CnB!PWd4AF=E~7~^WQPR zwH7AYkLVJHw+m6@E`%R>XNxQ{Ule=a9xagt54pqNqrY`<`JA9~*{UHp;PLJ#AML@& zTm_PvVUX4m`rP!P zZ`dD-_}h(hS86h|(+;94951%14nKt$G+&jOx4-l;xewjb@N(31c`B3=IisiKGE}CJ zz}+*IKjvc;{5IT}AS|h(s3dBIeR?YX$Spn%OvH%m^)J92^W-U;6(yuqb^zskw_I3JW-!?%_)6B&;Ph>p#N(|a~?Uk-6ZmXHT+ 
zhd`UbAgs3foN=Vd8eCy-=vej<8hupy`-af8;&*%pBH=H&y*k8Km`CVD4j&Bk3%dbI_b@ss5eory3i^h>&7^7GvdhtMTpEu2{|wwalBSI+D4{nNcd zg#zUG{N{G8`mqCAz$6tiOF44uGg{qa(=JZFKbs0mjw$tHm-av7RF*DuSoEHD zYjLGrAEi>-W8$h!xf0(h*8fr0G`-5lE(fSgfy86#HZ zGltw~S2^G|!t@G}r`jm_B<02sDd0N2)pMkUgqM(fWp&+q#|`BT;CgyC(HDCevRbrh zx7cQZNGJD?27o6rZ}X7ote;enWNgYx*t<-M9;Q+KVUdC6v9q;pk;8cGR!&pi#^$2k zrC>vmIjc(_Q~9FJ!Ni{T3z&5~f{Y9S-$Y0Kz2l>9+&3wyyK9}!+{4r#dS!d-i;RbT zHXlAzN}qg~WB-5bHC}C0D04^V82hQ@&zo~oW8hFh@pPUW9tBe%;TVv zA(e#96YG!Vci)EW)UyBD5mn!$Podx5tJGk>8$+6-m!^Xk-320%cP#SIooVr~<0jRqQa1ZNW3XemAOp zu(A$QFoJIL)%MouUyARtVXk>(*t~R3+nyMBA&$?6KXL+xf?BmC=?1CI@w5KcPdGtk zd3_oSjT+ZFN4(OpF_bCo4sVE3HEd1_2Ct}xNyw?r7@FN3^uV%Ah=9!M(>z1F*F>q< zp-sd~wCqS}?o2dclgIp^(dvMruoR=)q|e4L8~aA1v^K}9Om~6#Be{NI0j*c(3no?a zEOFvJE2DExw-aUQe6b1ArlhWqZsZO_!{h)<-8b+IQs2eBRLy(!G=+s}5Xunj|G$X2 z$YeLMN#wXsq_0%y`vVus@ZvPB zZ6>G0)E-GGG*E;R_(Qy8xe^x&>F_>PTg4Ijt`Qe< zWOIP;M@bTm)`a|mp=R@i{eClD+voE%Lc)`l0Zt&vh7!$Mdn#@tp|Z0BkoacU1Gk!oL&(&C+kzGQ4rAx1J| zzW+A*hCyDs&SeIef$hkkaH?{Elz&}=$BITe!c!7omf1`~k?HVtW9md5eI5eL|0FNb z&aQ27hl=NcbELwy_ClEh3kfR`g1e*|1LAA?U@JcJ3nCjD~GOje|(cxFg)K`)leb^-%V zk9a27Uo$=BP_OTD+1lNd9HpeJVMeDEOC^4{X8SFVd_4gS+e)hJ+T6Pznq<5{`V4x9GJK73F<)h$b;ex< z1B-?;e)Cs!+<~?yHl26HVvkymt{^$`nGIQMLO= z@sg#kJ-Y}WDZrzHt|Gt0ctB+%dcN#k|CJnH*c9zLDazLV5_|?l;(4!YYd)=i<>m&J z_4Sia__w_>mW^-y{JG|GUy!%au{(Y|jx2-cwz`H*NhvCJyKN{C)&2Toj1k9>i6PJ< zC|gztTHA3P_&d(-hEQ2>Sis7)Hnny!g|eGmpvU+omeu+3hu7F8d^5$#fw|xaoHEEB zdgDQt|4{2iyFrA#T9U6yU~G`!?8S3=ax!Bq$WW_TUQz{an>zauQ3sd4&|!bNJ}}t+ zLcL{Jd18u-%RpL7@NrfSDJbEgZ5Qo=bvC*!XxZzKn|lP@2~-U8*fK+B?!hezXX&Z$(BRfCFG86TPXO6>N$Z)&jBaw5D0b;freJ z`3y8RlaZ4xmDTU0m$ra&wAr9QvL& zAZL$R^N4dNy<3u!FsmICeW!miGCfDdX|Z=2vmoR;y(a(X_|)oN$_Vhy4+YCn@9+4^7%T zrLP@u6pK(O=i_RYvBQrxm(!ZwSWjKKl;0R>_Wx$nO5<)B-47&2W=X zKJL|+*!}7+{kDn5V9#h=@xid*3Wv-(pY+H&jO}8h2lwJRsw?+3+gF{B@gR|f#p8Yw zte$xx@!!=ZZ{lwMh}>W5He4b2Gm#;)5B`iPsw%pTE6{FnM*SI>f_tQ1;436mq`#B`G|8QlFVM*aU&BAPblYdt&e3_@)^C?uIS=EEYi&JC2KVg4*Zx#9%_>(T_ 
z&z6Hfq&(`pB=cX5pJ0}kqz@~DFYhg2keaUc+ak9=bI1c%ndeS>vO>7ybiNalIaq}$ zK}wc}b>?201S71~6EvA8M#8*oJ+||n2v7Ts6=hFc074X^&qqyO*HNMFDRPYa_1}{% z-lWi7u^HQZ2cs(AhivMdzARd_df&EtKQmqo5)xqKp3uKo{Q?9!oLURCdJOFBTYHZZ zziYTYO;|u7)7U@6co|jl{8>gNT_W+z?Uxq+kE^G?NAX^(+_2FEaFuqL;G#&Lk8)CD zZPMbdEXgFD0E@#ir7L$7ekE5Nt@51C?7{I=@%zwP%Y`bOg|qgA&FPsLmt~+Qz2#M# z-ZAmg3QYRHS^!^x`ePpR7wPbZtJQtFA?_BcG5#je)au~YspV~!G8rxlJc3>}JeL6i$#<;^#DC0^K3iuI7b@xrY`MGX~01nH@m&iloYhsE}B6`y7 zL}N~Pc;?yt&(9C#m}p9Fp{ZNb3-K;*9Ur=!7R`K%C{cw{?aX(A*3{b`)I7x_*ymjA zZqK4dqDMr+C3e%tilGwewfbL&FEq^fa|VxBjKpawtRM+EA`tugY4BIs3Fctdu2*`- z`9>{|p}31;Aa+P9d&+I$8y4ViMq2s1lvj89`=4`Zw49O#*dHZ6`zX4zL+MmId#O3 z#wvR*)jx=77MCsyu;_q|aikLxk`9WOQY<$4g9&PWC+|aL2XTk3F?>v=D0>G7!iXw^F-FZ*{jH6NJb4gIV*h~lFxygDy9~n)GxtOg4K_(ZWQ(*%v@~bs z=Ahu5?0+wusr)E!aD%hcO4|6aCQWa}ZZ%Ft#<0kn(j-s#=n5Rj0tlNE#oFM)6`I`s z8pBS4YP(lfJA0cw%eg-b;&%);UftP!zs?bUwA4Bqld(LF>ki;4WTX9OLkNlLqd3^~ z-1_a2g{_k&z8sezxj%7uOh$4SLntD;>yH<^jQ4GxZoX2H$sN|qm)KXJKNm?T-+D+G zx}Dl(@senaR@Ba_eekjR)G;bL;VMZv7lUUbGOKg_N0J#g73y_12bIV)2`OKV3@15I@k~V*Ksk8!^tixM+!eY6uu5>u;`* zP{d0}EyQU|&>nPw4dsvYovt3FOZw6#7 z<>%&l5Hfc?(t?NK*_BfyKtgm;hGX~%?S`8|Jj|IuD!PanOEt{{X8ZF&E3qp$O2o^F zurvT4^71uVuUlFmpfA%jO{A` zz*0cy&j8XIwxMgVMTX8rBKfwkmvfO~9U`Dv z%Jn~tBRj9KCeF@8=2q1EpHzi6mE6&!0P13J`qa3Oof!dAF^_a13Oh1SX>K4aDgIx} z6Z&&unt?8+=>L}d4W1)q6*e*1!4trxX)2PpPiw499bDs33evkMiNwHuZ#Mr}rRnh| z^`6wJYxvK?FjWVBobesPJl){s6G8zfZ=~nY-3&m-UdEru zpt&b;s*QLzH-wQ6^uriq1=_dXY8G&2!$e=q#2puz0B1q3Wm)P7AvzIg#^%}_l3iub zRXm^DKIWY8V*o6pK*ep=*#rgLKgpO)A1%w%(>cFs!)X9ZL|Y9E%RC>@>TSnO{}CuU z@`+gcCL82ggtj#mu(-?cyZ~oYA+!=W)&kyb0{OH603Ocjz@J0Ss=bX1pHk?UadV(EokqM0i=@9&KnMTe z4av$HZS5+?@e&GyDUdKk_yuT2%f0BQC@31?+2mzzgx@H7FISx6?D0V$8DYF*h>hVS zo6CiuIA%me0DxU)YApVg>hGJ_>V}QDuk(sGoOY)|f{F<*hP6VYFM^Z*q4O@u|Dp5p zsSD+A(=nXc**{*Mrpp)IKU(}t8d^Vwbd2!Z3^eR5Ycc7mwuFBvfO3Kp1kP?eV$c%2b~{x}Z^DqyF-Z>*k;_RnM^Jsskbf-$H6t)VlpT zHFlw;?9W5m>b3XZGl$F^r0n_ZHiU5WOF#mFvx)c)Rzmd?{`cIFTN1xi`dOmmjcoWx z#bcjwX2Ry0%c&$Fu$<$;tO&cklW6l3!sIRC!8!E|O(y 
zy59V<9udivmT`a?S?ZA^^xJdT@&7`gS!QuVkH@S2FdOKi#06}-}6m29Hrv)o)r$xW_IxXi`= zd1=77C3zN%rx+#IB7>oB3cfC2seWypDuCIvDa5TMv9%@WafGF$l6@1JI@fy`0*XfywVgl)4&(XHD3frGPrf;6ij<;+`1u66J$!OPTS;IOPavb<8fM;$PoPT3FBpI#uqlr%a^~W z`Kt10|HGm~kiVI`Cbzt$@YlFdKrzhYl5 zPPg6B$jF{tN0!n)&ZEgrll%Y)ceD@gv!=?_-V-kMd#FEl9eyW#$>5EZ*)7mpdgrxm zZmy}y-3iqs0`WLNwJ|>)MIzXa#l}fEKa)8G&%=fYFd7sT!$mYjZVK)fm@Se6BvDCD z+g)j?*Nx2a|M**v5J1kymf9>TxVzw$w{G`e^e-%ef+e^14!Mnk8#xF8K63GCXaahC z8kie4PkbyQPS3cjvR@M@YL!KLE-LFAE~5KFbzHr%!k@@w7(*^v-@kcmS>m*+z9SaX z3eZbj68Uton(Oz7)v{?T*Vy8*knJ;PWXtu?;$xj>e_NW{62?WGl5cEn_5GKDhma!(?wnZ{un6!$mno1A|OUpt_38cB z-desA-9@r|SYlJBdi3CuuZMqXq^!(^ z^o=cNG#N-hWikXE|3BOgkZ(gvKATn>N)-%;pJZz)I#~or83@P;zsgmhyWtCj&wmoP zR8D*`?jVWjeqL;eotz$@<(eJ(iN`bPo{0}XkyN{$RJ)YaJ588Nw_0Ohf&(mPb#|m5 zp^o&oh0+=f0?yjY!aFMrQ&hQzr&?$bjBe=h$bgQ?|Y%XfW!TFUTeLlKeMq9Wy6 z(N-YT0dv-u`z+`Ui5KSe&4SQu-)@M4rUY=1@Z^#atY)u!yexx=RRG*dZ*f zQV^w&agc7{%TU})UV`-aMC=i)M?`k789y|G!|I3XpLj0noZ42Xd1J_w=v3irZ$y3i zN+lypjOK)p#2b0o$xwsfCyjHs6tKL+w=8RsC)sza7kj9mXGVXXL?kI1Iv-$7$29 z2lnd1XLwUEtR%d@$>liFIgePpi!pd0q-}_q3B08y;Jd;7@^t=bxQyNTp!dGD)^Atv zNJeh-iWpvi*#EBxk&CxN90{a6)f^uDi^rk*2Q)JrPhNds47*!%12uBKi2v9V-%h>$ zxp!^a&1zoH8d5a%y6K|0cBhaWs(e(g-OBl@E&ZxK>aQmuWsw>)UBdjBm<{G{|2?7{ zD@yiU&KpqS${2mVZhM)B3N7hc@moh>=R7#xI4@or=z!^Yh2>V)j=!fQbcreSP$P{$|`vDQ03S(pj*A|m$Opez-G1*{BIvR)&` zp!^+Em&^SwxE_1iD&HAH^#9@Qt)trf+IB%Il$MrKihB#it!Rq3xVvl7;1mr`1$TFX zy99S>aS!eg+#$FVCT)N3nRmYLyl2kLtTkEBA1oe7^6Y)zdtcYJZ;_N5@j!lci*|PN z-(MZuqR(;Nvi&v2ZI1kTU(f1;#z(4`)cid18igQaNo9&>6Vv5cb-aI%4UQ4%l?;zT zaPT2!q5hXzuaT9V{dCVr>LEIpI4{qZ^IhcveZ=oPF_Y`{Y(&5>2C<%gpmp4K5~dxP zSzB4JMYR;PXl`Jfx3eDJW|-RKBM2_d2q){FdmvIgvip%1*P(<|VD8{hv-6mN+BfR8 zK6_ZueDA-DczH^xXXH3>?r7KH`2A#^E3}Z&WVOD zY7t-1PZs#Mo#%aUMP)8wR9__jCvfDv!zNID656bf_*SZh|F?$4)rSoGEOHWkSM&R> zoAShQ?V({Jy1Kci%X;&I64+z**9ZS$9WHS@fh&Z8{r;p&jXEC({tk&{K_z!Pgbno< z0ezcawW=}{i#mBY;K>}i5lnGw7b_8l^gcOV+EA^P8wtK`|^DF0?oSwB&Q+eC}4lk!9>c1)cm zOtq^{s}!JTEisRLUe-gNul!?wPRK&-^(^3}mO69d67etUVvl^>k;g9r)Q3sWe!Inc 
zDl81Vd2639EZ;re5C1E-YEs*SHB>I_F9_yFpUTl&&^u^AOx?M??FkCuqB zPP&Zf?Yw24AB*}M>$~aEVTZIOnQ1#%eU9Jr(JV*)zvesokfu-U=>eBm9X=8$4gztK zas^J3g~VExzn|JN>B>t}Dd7?44gQl9ru`P1xYTP$1(d=zY!}oLPbvznFZNQpxcx)Y`jPWS#>Am{u&>&TxrZJ= zG`Z#9Nt#O?u6x&XH%r8SIX%^B*^Y6Pxq6XoO655ZY&6l94n{) z26nW)X)F(3nuJc-I;<0CDrc!*FD@}%TWLskWITfEn@ZKYxiKr>$dJ&j)Ff;o$@;$* zLVWQ%d*gm@dS>M&G|&>xy!#gm?cp?TN^dQ*LaBHG4Of?Tx~&f-Q|hHeBBp)SCCkaT z4nPuuaaH1{xOmCwQ5UJatN)X^^HD6 z!`|ga)p^srS-j4otYXy0>iOJq8WW;>YEA;Iyry5*q~Bf#o&UxYLEKDpd%L2Xy@+fF zG@0^)?L5NV5$1SlRm<^y$s)xPj>;bL_?nOBd=eQ*66bV5AUN?cn8B6w?7fTnp<8cV z4!Z@5Vius8z zce!P6KL3ok(90i5M@q}Ey8Q;A&qGlpJZT@+Kj@2Qu1OURVBF>ueo%w3}5Si4j04(A$vNZC^ z=_Y(@{U;jAmYI0owJs)qBuA!ED1dOy;#A5_f-P()C+Q78@fP5%q?PXoN9{~4qNrm!C@(%SC+s&eQ6Y?U1LAR4Cv}JCHjj8`wz^`c zn?Bu0Hx?B_NXPR;XapNBBd;cbiF3P~PGcs5TA_{1fBQ zd8;a`A$y(rP7)=kaGF*+T~+rmQekZT?bc}~AG!z%icjvh^gS=9{#9 z?)6-gqKO|KR9c_N3l|5dB}GXs9Fa|$O7V<^k&iX%8YRk66CGL>!j=p$6)t)7Kg`eN zX$DzZ%mxrRs&FL5p{o?7{qdwqC9!(Z{IB-%(At$#HzipXJIP|_Y(PKI+3lf{mWF56 zNBj-rk?gRK8Y606YFHRrxYbBK#!0(WJrr!*wnrP;yjRO|ASWExBE0`%dEyUm74N#u!#6^61roZMWAlVxLL z1uR*A3O3;IAqzI>DZX=!JA6;**qEd;6yspqTx`M3&&^z5(|>jzVc^J#x=s967Zx!D zD2xuR2|>2lvJftLj7$dnyEH8e*T6YEma>?>0lCWN-9OkL!v)c~HH&#?J4K&MFs&o) z%W}~t!lfSWe(*-nh-o{yXTKI4-O!R1I(?>#MZ^2y=4Hstt!=Zw4izKxbViv1WqmQzKSSW?^mHx+Mqm@a?vZrUxMHs?^_X^`Fql{ni4*R&@L_}!AEyp=S^e}r~snum8 z$>okIS*gC~_C~QVvc4Ts)AB(~-&cat>{Ll~Nxni47Ny~;5foesAKkEDbu3a4Y43H> zp6eL`$^ik*7vIZ4p(E3;6wN2o1H=>xCGhJ^F78lhY1212(XYL|yn2QXhK2?fbT;Oh z@|+s?EZu>y{9@A$Pp0B*kO}r^`2N{)!R{Hoxrb}2r#vO9-qJc1)J=tl4NiD+5%z=v zS-AiOK#G#Y%zIC&UFs`k#t?+F&FtE$+J8eW_kJm>8(Bh!M)FgmGRI z6Ek2P>%tS^QMg~YiD||EBM;A7UL;!~0p_r3*x#K=FgN{K^OGI7(GuIW(lGMv+KIZS z-JW13Wto!?4+*3j-w?*_HsHoe<1p#~7aXaSXa@w-K~Oesj$E+o7c_umFO#U$!+m+4 zMdz(qv>NcQ9~(_WV){BzLm};Mf0`*ZcIi{YwVImHZku^47S-41s3t3V2f_>Tu zZvW{pL5}vX3g)P&@w3je`DbAnmzi!sN>ljpnA*zYLz!Li7T#ux^$Xd=&N=;Xy!cv# z>&L|X3rr?@n(%Z*GFw}Spq+Q(kq+mtV;i%Ol2!h15}#Fw5#wIx@||<{+*H&vCwFO6 zysIpV?`bUxg$!Cm6t99)TwTH*B8M`4R(WvH*p(Zryr~I3+Y3>d@P5Xlot`}l99+AI 
zgUZF3lm)HEd2XGj<@0$vSMdE%1`}K+hHK;Y#R92%MIPSw?%pfqk^h;OuNIK@#h=V` zoAm3O&I>%^Z#F)*Zlm^D+@KA7mT-~3s!@G7qQKvJi#d-_jtO3Y)M%YL*gOcWIe_MS zw5+Pd9wR6TGOJk-N{I0@%FN#r{ndM0A&rjSmAkU5Muom-j@t?gYA@1JIUkl0yr>So z4~~@RDkE>YyVnQb?WQPd+C38-KXkC&rMvd%E)iOW|Jca7IjT0Ny!iI&=%f+A=aRyx{GP+{dISOldWupYwg+8x zh3XaWylu{)qvxCVaj!?tW`?FZ$+(;-4-iamgLwG1Xs663msk;f1OB8cfE(w}a}FTb zta=n-{ngI)*wM4z*Pld@Ow_ACWE`vjs*&{kg4ta6rK2UcWNteu&z| zQ!|98CzW|ywBV$UHm8<=Q+%H9!^n5*mvz`Q;O*-Wt4)hffj|f(tuM$$>2ukHxRu$Ra?w*g189GHdm;Z@cAmF^fJ?8CB7Ztz zk+@RRjcQ6b77cCyCB@2^-j+Q2d9})0iVCit7Qy#C)b#3QqqLk%Ds1_XqAVembVC(= zSPW&9Sz%DX#5hOwIKJojCrzrm29xu3xF|XQeP2EdQ}_uX(z8OCn2aU)h2-zRYn(#~ z>l$&Fz}{;?_(^`AhSE*ZfDEc|HirbU(I453_=l|}yg1-?R8Z^>E!jaoaq}S)+*Xwq$h7&fJ73B9jo}>-bOm~Fx-ZeKN`qWCI9oIZd^c8LP4I*oXY{?&cIa8 z!myk05lO$u3(a_ZfBq6UR~9l{9AU$!xILTsk%9pLsC|F8*dE=wz)h5CCS zJ%mCmWMx$mpL#YLo%}Q=O5U1E7|-@iRGIb3h;(eZOcZHHX(kk9WDGuoRGzdu$-vis&}U5VNC^0(oh(V>sn~i#_dEU zX?Fh{g&Mr);pEg<)|89;_^#=am(zdb+-{5(tiewIl9W+}r2~hQnUW7tpT3Y=9``0v zGMMW9wcwjYipS9N^4TzS>Reo3ZIuUOv0Ili(Yg5iy0|~my$Q1P4)~>&DiWlC8}*cslOhxnHoe zIT+jPy>ii$6Rq#|osYkIm{(A6Vu~3VSi`JsU$@4m2exav=vy_J`!zW<_*&xThkw{e z$^MRq-CRzcPo!A&hpW}rl~Gkorz0iP0I1a9swS@N{)ImMt5G9weS}IQs5b7bE?igp zdy!yS`<8Q5iqBer@KoGw#I%D6FN}xeAKd4t5$o69z<9OX2~!8pKXZ56?8zxxSUy*7 z4B5)Q3$zJ0uyi!z%8bn35_c3+?fyz-NYA&WO^BY5DHd~wsz=-4c6^PZlNfg#-WHFE z;c7FQK4uKR-k=Yni1O9Db<&hNYH2#mon0|%DhMK=i1g|g9n?ANAMd5jCoCstb!5!4 zm>N}Co~rBd54D_-4XcaETAArkJK1MeA(F?L*RrEi8gzC9=`P1sMM%&_9ErS(#M|ia z2&&+XEmnOU`{G&F#Lu>t2UwbJPVco~XKQc<@()iq$Mfky0)Lm`ORX=nZd|bK8IR3T zN|yEML(lF>asI6(;8`HOdV%$Z!i_NIY`WFQ43qq>K8G=7)Iv?R=Xmz)dQXeNNv2oZ zBR(CihKR_ms=FMM{wJN<#)}@Fs=kU7N`{x;Q(k;?3}%Sohsv z&D;aGhyo-Q<|;B)$VcMG=I}ejs2FBs->Xwo7;<2!YPvdalRdk-O62|?6&7T_{j7%Z z%-O8;RCIiFL(wFx)@pZn{Yfgw9jH=qegR(O#>_%&>^PMIGZjW1WZP$R_XhJ=##~49 z>DB38DgJg{70~y!kroDg_MO{T3evH3Np`#1oGJq68cIF)6ELDB|ZH*>X@KQ(45KKcM25AAa z-5)NO@MV+|35&E9ZDGsXOH-iB0xOfO%*M%~yfex4aeIhOTg(Kt(m|4bfw9|`3?mLE zorTV1p)`>-e%Aus?u8OF3#b`y5)tc^t-b_uBh&a6AaM;EE;XS!eL@0XQ$+^yQ?yUE 
zI$cCG5emOOQ9R71z0SD99OO6~%yjZI0e4HY^sY0L|6V!K@ImGlqDj&yL|4}8B}pXZwu zl=-c?{L}U;>N8)q_6W&PH)o3%SgH+bX7G*X`>js>3#L|}rM`S3o8CN+{mmqUENt!EgylAyu{|P8FHlI)Go)f+ zyfjM|0{(#4uzc~b{(FT%7LQ=@*{P)h-vzGAw|IQPZbeO&fB=c=@|;lny)%_iyb_C+ zXTt=zn~A!}F2~$dn{FpkLG0ef{ zYlM9H!P#rf$!upYl9U~X0qdZ-7CkO*g-W@X?6OU3WW$&>_v0=#B0vH zG}_9$M>(<`9pf_3a~}p8>h87>7vIEL2}0zbGMoU^U*XGFi#D9O?Wr~bCFxkt$&iFO zrZms{aji^ba9|4Q9*1~lx(bJ5i9UJ!%8xUGXUzvJ0Qn7%kE|Tjlpi!k%T)M}S*O6o zvV9@tCrrA6SadFrLyz;{Uou>O5O8EF0*)FcNe0t<9+zLNbG%s;?8d*2 zZ#+K@y)?O@*t24Mub_Y{BErvCUKX8Xe`Q-}N7&RTX=EAlS_QQL8r=;7RX~dL4`w%3 zF(*oliVHJ+zI|s2gZ7_SvF@xW!^hNuE&ng973HrVqM-cUm{C58Jos&a|01>j4{zs( ziRkbAj1ubYuX5y6^MfwU@B1LEi|-d&=!537faVQSFZ{3s6poA9*5X}pOD5E?fhMg{ zo2EwT>GVDQ@oceP&C5Ez^b{NBZd8^I_RlLu*<)N(fAep3TN;;H0?%U$!cVVSB)o09 zb2|Bt}X5jyQhJPAoA9qC~e}blgdt(8i?9J5$gNZYeBa9uZrIbKdNfZ zk9Ia?R&P?QI2^wtpvp%VAsK7y)RD}%CAXj?%kIcq`;3$TJ`)^Us3^-TUoiy!0s1IQ z3|}|@{)F-uv7)^BV+a40|D*hWyZx_u_z!RXzj^zgS^O{3#DAT||C`(Y-)!Jt|NWOI zA&a5?!3zJ)!2ZMSe7D~g1e4`Uh*ABDncj0KcYZggaUV>Y$9R7-->mZDjYn}Zv0JP* z*$r*|=E?~Hc|MPj+Jyp+!+NPbVH5G{Bh~KGZEL2%s(#&dPR2TgE~9|-pv(2{F6#xR zmZ$(BeO&`LhcPiRi%XpgzMjGUctoS8reESrg~G1a0JZHWO-cLC zlmE9~WX%PO?Yj)3K&NP6YkQFOSoK$c^3m06O;JnPsu6K}pKoGE(ACJtMBmbqN!q?gWaE!N3$dJgpEmpfuZ zy^*udVGD8_276e44C7-p&6=NFqNm8b;ogQx@J97`gSX?*Piyaff|8*z5YvgO(Zt=u z3z8oz zM;u@?Es$HX*euI0UJ@Gd8jH1$Cs$1Dy6?r4dqJwUSHGv{C-99sc+#x>8`TiKh{%DT zJmf+fpDeNm@SeQ@n9<9ck}K-Tpv{U^5UaW7KtSQ@SGRvm*KE}xVmuCD(b75pp&iIqWMG&`f2W!`6UIv4rf>@T$GN$?6wi&2L;P_ z+6gsV<2E}L6ZoqYhbn--Z}7DuS}pgqO7+!a3PS=4LyUQGFrO2$doB0a?D#62{MJZ<9fj#wm`+Cj3Ug3ZO3+tY3Z=ks?%6Buq9s9AarMMCGjoRVXb`jJx)~YXmhG%Yz z4PvjiJd_7TgS$OM&dpaA62&buOIFuqUQk-p1gGtuxu)reaCE>2{tc)rHs=lKf-9yo zMYr*gYs$<_T^`kMELR+V3R6ZRZG53yOFrWb(?-uwRv?co?`&Wo?FB?L6j^CneztX1 z9yKfEuWH*eOITpE`3a`4=jgc5q#gDEjjyDi(d`lo%W|vLBf(?vnDATq_IEXF7!fPU3w;qhkRb zVK1kZYylx7?hbqLvVwzo#pK425$k@^LMi0a#sa7EccJVw}`nEsFPf|7CY<(@8;?A0}B?ID+I}61zvPZ8HR_EP0vnG$jvpXR?eUy)9z>&>1|&b2j;1T+uJS| z?oUo%cWV+K@Xc}dDQ0zF-$VrjS`!huJzoU}9XbL{OA*}Cc2qiO!yPF&n6+0>1T 
zb1&-?hqOJ2e5aQLsE@Z+#+OCo<%iYC(m=RlX-isw?-t3PBd0;38OKK_G=__0Qsjp# zFcLd3K%Sr5DEt~^w4t3mOOKuAVrmgw;9YR}m=VLCeRb4^M3WtO{k8SEm*8ddvkP#w z$;LMHK4rmERi-^7xyF%Aot9-tl3%dsEL%|Z&P(euD@ROhJon79;brfK24E1R@bI{A zK5jJ(UGE1zT0>$bojPVISg_@ORrH1nFl7=D(1C6!cK&59eK53paK3s}0q>-{;#aHe zK_8J%m=o>GWP9Pf0aI(l_Ulj%+MdyPNd1kS!MoXQ1a@P;pp z^nG6$Vg$2kGR8#*NibH}>=c&^(C>s5*Ea@8^fcjJN$6_t8>pO0XVeG?zw;(|om#TJ zxBZTp#<{@pl%DKWPAh&mVdbf6bQ;YIXMjqdyR*YwE^>M99YPDIhtvLJxnoiD+~kP9 z!lGo>n;{Bl;D@L#YHeFh_JvP@0TN!I{RY7?i#r$dkyqlV6cm_wv#9bdX_ZdU!LaE0 z#GBX>PY0IZ2nS2qa82(*kJj6ZG^_DG>sUVL_J-)*ILcBMlKHQc6tLV`I_I&W19al$ zIS$vmLg8ml{(g*Ph78mc_Mp=4i#x9&KhM=$zu7X8j`t$RFYM;lmEC3n0(+oB7kSWtlFk#^sn?ufFg{*_r@lymRnAk&WE~TP zNS1$r=_+O#>S?X7ueQXf<&wZAIbsm#v2F#~(PPjUJZ6|XlEq8^nP@roRu z{Pz_f5%cz~z*$!gjq&niot_;p!Jug{;#p%^K_X9@{i;xk0&J{^OJ74l$B6jnsWy0fe95CnbnAgRo1wzz5N(W(P1Zoa7QUBuf zTK}oBLPd6wego+&vXgDvB}LJP%+C{?oG_Kapbr#amRhP-jb{F*9;R+Q(22<@SLNpK zlKfdK6U7<95MM{-aZgF!smp+XcfoiEocl@^RHs^v|cnVL-f<+cZ@1_1#+Ao6O{gbN52Mbw?cnT0SWV81NZ0RWn3>(E1v7CXGo zBT?68#H(0~UpWr(mg4p0F?idQzz>Uar`gJt;f`(0Qfwq&t>9rCU9;LNAGZDckK9bI zpjUkb!LF4ZljlyXIv(uwYHEUPY(qc2l$gp38dHZxk%z(j0}zqT1Wvo6{y0#2-9@w{8#iv0(x{6ZR3vRZp>GmT9&ZrYtjFBGJ(-=a+nS(hXdg22(n2J} zEj3qmHzv^W^o3=ahlhPZ;pOcq{*1k%YoR{?TRgOR)P&(QCcPFF|A zCWwTRSS3;|1JZK*1*T5zYF}fIH0qW*T4~m_Jz!P9#li~w4W_gK=j4I{0DIw&{Z5u@ z;@4>PO=GD$DA2!>D={Qf2+~Ky1sXBzLq2dJaBD|97_8e&psS(uE|ecT>0@r`BIk79 z6rTJH=ZlaSP5!jrqE-l2rBT;FSqi$B6UfH!6I6J}KVBskWKk|tN4-Ju9mTrp; z?v?{KbJtX)Hu`VD8T=uB8-P=bY#9-YnwOI^Bb##bO<7Cx#gQwmgmdU<@7Q<$h4@~) z%QD@y%Ia_Gb5+%?{Ju(r`qLi?Q3!^;8a#|U!oHoo3Vej}Gyd(fR%c4+ihJ71HbOgi zeJGddkzdUmw;k|4P1V%Vi3=-A_+<%(TlSReGG^!pib6;0?JK6N5sv{#JH?X{gh?a} z%)MU?duC8~{o~QBOKo3{Ys;7 zt;=Um@0CZl%NLqZC5+9}1i?+&@jckWoB|$F`D~lh$;!~>$L*`%I2?)5b+0YBx`8uX zquH%`T1Xknv&_WXm~{CzAEY!mj6Jz>zyuF*!q-dNUtw8(hU-y&nfrxPzwkjm)*DcR zixE&dEA8fJclXohRC2+y_zVYq)G%z1FDZYlDl4@v2^=3lyYxI_QE%r1k3;WFeM#pQ zFOsvMMR$W+!8U8_Hl4Ax8UkJEGc4YZ6NhF!jBlr%>a$HP)>#G2P9LXbHYU;QYsVFy 
z4Cs3|ovwB%o)GggTigtFKI%%pVgbex$-^8yHbVBV3_a(%gwI27dgVjkQY=ujBQ(s< z`*YhJ@=#l2=(iH*oD%BHO#zlUN;j2$h<^XxDaJG`f@Eg1iSs)<&83eFzVhr}=v%VX zOCzEB9#(o6cZJoYvoabVIIX>E-?yxNLz^rM)GkRm^uJ~zVG4c{U9@RX^xBaRIZQSp4S60jtD z)v>brr1-^iq;&dy1SCS)L?)es+CkSm2L{!o3A{r`y73znNs&(~ZN7fDTk8v(;YFR@ zv4R>g?eP8&CJQbY@O7rt#-DD7zxIBa)LdK~4>cmxcwsv%Sace7FP{orN4Q@K9jsHN z@@|&wmk0~Lba9ogZPE=_H0zOKf&UZ)#nO=jHd3#P(B_+utglH3SNmZa|CPa$OX1U7 zW2TigL7FE6enisbHe7$0O!&gq=<+?4)b2CbyVg{!)S0LhjBy=;%#S!4WJosokI1<* zUUofj3V=yAy*S_gsefTE7uHdakBz={x4?pn&zAxllsoCxeFlNFABW@LALgzZUF+Ey z(eEHF`6Ft=z>BE zB=yT@#a>`pE11S3Bg{ZAmYiG!M}hMw5SUw&P{ys4w>p|$0#q9!(qiyhJ$>N$l0O<- zQL*dtXbw&c(yM!8w!1aC6N$vln)a;W5{QcxR-?H2v0YAs?U7L8nsDQZAKm$N4w!Ak+hp@ zjn`Iij;tXE%8nu|yS#T28($Vao*P{m_z>%vtDQM|n7|M9p}ncj{;YcaTHnf>nG-vI zD1Qu=qQPaHFs6@~Fi7qu<42LZKe;I>Nh$eFc=1-~T!)}m>yCoZ!Y_Ax%x?il#{b1w~ zUd!GET_7Wk>uC(K)o~NT^XxMXu@w^$fygj&_}+;F_R5GyN)$0v<6?GdQx(#XcrEc6 z-Aq(w&v&d{0wQxum8PTas_q3JB;2&KHdo%U5fWRl?LluRV z=KioneU^Z@8FY;}_(0i%R82->VspN=N*3wY_vY`9WCeZCyx*z|$#tmJ^l!kuUxWGN zOFEGNkd7nTGbSkCb%_o@Rid;v{tfKT{hE;Uczbvp)Of$FB2Wd71^AsV9=N-%4lKt!K>}|P zoWn#N=djs^H`~_@IjdTZ$L!9v>LBORnFfbBbB2rCR82mI z)jvYa4)2-Dr$lpIp)cOD?(VIr&_0<%bY_h6>WRJDJ4q+$c!VZf*YlZJ>w)(o-*uSr z7hz!g#y2<{o6n2G!qj?qZV#Jpgmd1-BiGI%bCayDZZWYuoLXs#MwdNDJbku6&{0W$ zhdv+f^^TM06~GyqN=9bpXCFMdB4En+6f z>zt?=(7l4W6@RFzll3{2=fyL#EPW5lfH#Al=kJZ-f$7ZZaI1O3OW`AoQ;*SDD&5?@ zpeQ0&E=&H3=yJT|d%p9oazVhY<9Wx7evOrlcC=AwQiFC`Z9B^?ljZIkH-13NYiD)( z9vfXu@0qzZr%@4endw-@uDjjr%ZniG=!r53W#;K7>!{av4fdEyJ<>GXufyq7{ z-2IdB@>*&0{)Hz4K>M@|J8zM%*%R0TR3Dpe1~HSiS}%@wRfCd~TJKvjyJhu`0)u6n@*l{l)AWxAzoWO@!ze}O{KK%<`-wp(5bL#0#g-M~ZD zGiNmM2N&AYP1N^%j_W%N9vE=}KH+=rCZWGT6v%;kHaaIwDh_1k=B=$J@btH(%^bG3 zI=}nckdt?Q=jVF6$8&T#Dva6i()JBSl;8sU=i^e|*%ClW;@H^jnf8w-g9MHi(-Cy; zn}g?7+JgDi!1a-7tM;M(De`{O9emh(WdhH)Nwt->1P(W|)gJdR={vt2wi5%=qDMdn z)kVusy~09{QZ%WEgGqQXuMx+YS-Tqx_AfpxnOo~>y7y(x8ZWkCX-YfG6M88P7q8FQ zYz;{cqQB&8s@mzvPt3G#l{aT~TPM1@?d;xgfdco@y@OrmrO)KFJ)@uyjpq7v 
zf^L1!dOBhpATj@QOdZ%=N(=yFmg=7#C~n`CF+c_yoR09k_}!LUs(w@^1O&)8+EdDv zp6H%DnQ%nGW%TgdKO|I(l1F^Mt&`a~=YcgEl7@dmljGYU1NQJ+4F_eGzSTxjU5L-Sm)VbU|Vqfb8<~Vq}PwzUp%XrC5k*M_aG^b=cbVpro zr|^L%6jd2|@a5Bxpijfa)mFzdUFJr5LciNqr3{u2xZ7FNQ$bvJI>)53fLm-d%w)dC z!;|g4gzRW5g@20&Esg4aTMxw?)GfRFk~g~UBrIIx>MG4b;sW9mcj3g);9eRW3|tRk zM^b~SJx`Oq4EhX1`+20pY?z|Q|Mx1 z$Pwn|#a4ra^~!>5b11T6ruW5aijOUbFmm**1Ob3?PnP5#k zNN29Yt( z?L7QnVO1j&9H>yp1q%qI4?t_@$P^>63!(1|_dnQCDCc8heo^OO^=2bpF&}of> zEG7QV0mgdq*9yr9*g(UrrdogxGrLX>)(#)uw~`Ey#J`fXLIFd5+F=8 z%&EAnO~zESSa+LUa55XkiU^6MQFI9nbJAjgEDaDF^(_mt?5`2vVPE21gNrN2#cs_P zXF+#?gTs1%HVXO|us_=E7E-%){Ne;ZY%l)Ner9wZiQ6m*z7*e8CzZndfW;@p1)xz=-aU)<-V z2(lmp3hIou1_p+!j|h&LmduMk(N#H4uBA7tLlqZ!N7sWdp{Sa3s#^YiAm*}TQ$F~f zirN^bc`0zj?#K~m-N$Dk_SG|PEPQx$b5YilEaZtt(jD)f6f(ZG(Sedr*LZARwuonu zi6)gNt8XLmUSu62!i$Lnz8PYBrID-t0GXaRdq2A4R^l>9%Mb#ol6vgj%C~n2Dc3nT zwuf!4@qq&*3cTi?dCqYtxw~7m)A;%GQC4=f)Ic`-Q$(L*DpS+(FqW_J2mMx=r4FPG z$M5`#KOD`;mr}`dIs68=hivS@G*L8*;eDTX>g$tZjdj_~c3@IjYrgw*0OpQoXZ+0; zC%&k@e=as7LCojNM}tKyF8`na+AfHMP-OU@fk0V^P{E1SXtLamSSo=z&r;%29r$ zJBtS1TD@a6Ar`wZFpEX0L$`wJ zZ@jGlaMxpMyv(i3Xo3oQd#`>lZ#`LHQ@JRTDspUVOoH6{7NtAghnhY?O>IaQ@3&kQ z8pv$)thKK%Y?Q=LQVT-)_^CvPh$e0pOD0OA%v!OD;30?VGpEJz+|NqT{CAlykty%u1!t#qZCAC~n|T6R9_xXV z+A5#8&F*dPxUcWOZLYmxcCX9Pg$^V~`c9}shAv;+lwS1eiRS%6&X%70(o zO3o7_PpN1g%Q2YjJo;h3@5ec#%vzg8wV#Y5KAkD1yLn)(BO%fuIK%3FrOQn(Dm6hji=xG^wjg?>2yWG!4UR+ZpT?Z z8V64kEJ}>TaZ5Yn5v@;1P9TNk1VR7C3EYkUZ~~;G9JXyDQTo1X9z4ahd%b_pKA5Pd zaDx5L&ooFM*?^jW31XnkHxxQsZLEC5)E>-SXm>Vulf*RVY}&5>V6nt0Snq8iaC_oc z1#MUk%$YBuzvjJ~5kcEx)iJu=6mKDol})qV5q=k|Kg`C&pYP zfv#2^Zs5|zPX@H-@(e~~B!6?1AfA8cD9wL4%I?2$l=@N^{&pfp@-&@7Di5#gV5|DV z(r-K3(QJPx%V03fcfOeKTZ~{SJhpaop-S5FDL@ge&_91ISnX#?;UgGd$Hm9>v#UT!4CLR=DgOs!+%IRv^{lZ^L zk~tn5>whTCbciCRY+XKQo}#tH$Da7G2ASJVMd4j~P5 z6ll7gDiW}4;v}F@gADGNK=s13IZwKs(UPhx=6ZDW72{&BxNI9$+a>Yj9gG5#0&cAdRf9=_&>dQ00IPgvg| z9{*lP0YKgsmI$Aj;BbbgN_X2P1FG%z7jie?t&lD9j?jw&x4|h5M&N($!z792yjbf*;cN&m|kL!69GsHX1RIR}(aUt1dmQLp> 
z69>p#>0}VS#?Jv;S#rxLGTgri???2eHlsiM46h;fr{DQe6N%&gka@dCOhX)>|xN9?O%+BcrMHsHB3}?#uKM zY>(6a))CR_-X>qlinu*6+iiBbW`E_vaB6fCE{Tha`9!25yXc%(+Nj}aALsE^aQNVE zi+**DaPqU~dAWmdye@oxnO|F6iAUX1mHJ$yU|y!n9F~J%DV5Y{Jb^MtwL%mp&`vX8H@zdsCQW@a z-J(88cIifeKIC;dlCmsv>da#>S$6V^AvL(ayIE3w-n}Dpky6Uq`|4|oe56}zDq@C$ zgTB^PdV4+Qm2=6(v+0z>y~x{CFOCiL&yqF)XADI z-$ip+x>gg{I2so<*e)9XiI~u9a=uT^_UI%E8+?K)yE7`0(?lJUyj+oao63u96Gc+i zk1V+MeWOrBOA0u;dWiDT>6h7@<8z$} zro*!kTI2W>u+%2=8!DlN00f>_%CK~O_Z|R)FC$M^^i;aLv zL8#%A5FDb4?tX2e+lHoO$F2@<5ZLve>fixzjM#UT(RxCM7F!QCN1&_K|ew(tFB?tSNemdWIg zoXI(R_BmO5t@V?AAvKi0bNyOUUFJ3nm4gS8E$Z)cR0$>M2-{t*7E9$69Gr9B9FM-f zRzU4#%sD%&-5`q`vCIk)Dq9Yh;|j@RZOeI40kfrQxCsI92gHYjS2hwE z8$bPWI6bb2GDfe7))$9})tjh8nWArqMU-g^*%o7CV+?}Vh*zp(^G+;{Esf1bE3woC z+qrh5M*xDCldQjZZ&y3H!rE1bw!*ucnU@nU$pfWnjtGD+?M!NmS$y-ef*QUUI-Hzl znO))9>DNIfsdZmNsv-7GSx2jAQN!s&c}zRHx3gRL(TD!+{1Jaq2V6B zWlIsajl7}vidB{c5U)exdEXBa!CBe`INOIAc$W>|IMZRYAr zM47)QOgT)uDK*lm6Ty(>_Q9a2AFo%ocY7yMakB6igDwQ12e(tyg{c+EfjaOHh2m42 z#zG6M1N-}qT`L0FnhD1gKAh3+>8w&y#jt4CPFBhl#ybfJgw%}U;lXK3e$IB^>3xQ6 zPI4CDvFIxRZGlRQI1WYQVb3_*?U=JZ@8n&nB~nDi#%Si96gfE9Cgf-B#+y`lf->N- zC3{H2+H+I2;$k0T<21kP9Bo5YSHbk$=o&|lB>j*f4yzRq(cNG2IV_X&ytJGkzkdAk zb6VU{<@if}ZiWR_8PDh;*i4`{D!D%~w&^H6h?!}4QTG3gNVlm@V^4aZpmfZB{~%eh zDpXbX?XNNV61!~Z^=4ch_b)&8hgM}D()0N-W6ucebJ-`)f|tH-CP`TwfkeN>FPs+8 zG?UI0v_FpUcZ5lWo`1sb(ap4?I)PU)xmAtchxc@LiGoLm^|H@4rX0@JZy)d40iyk z7$g?0CA*-$x;R|YZ`Q}cwdjpP9I5#_i!WEAco{yX`&<7B*RJ+Lzu-Fv;wd$5V3(g} z?yx{3h@ONt_xKfjQJ$))X}o&-gmX-(j#eak7|&I>byIMfS=PDmvN=f-&ftC`?el# zgV=w(m!t2Pv)85k(e-_T!(qGm_e+DK+X;5~G|%fa#X6Q=U;xV`54;pZov)-GpfH@< zDw-LogIJ($29PTAKvI?#NJoB;7dn%D{otBFhJu6?>z&Io&;q6cc?oG4Eg#UtllMm401Myd-5!LU}F{ zD>y$-q=^JTcM*`>a!6CPt6XL;a)_>JXq*Y#7;-;oL2r;h)81d;xuzRxN>aY63G!{s z$xojcX^Kt+Ic=|GZyM)sPLBFcQ$*6_GHqze?v9S$1Cut)Sa{Z0@?5s;@t(aR>bkBf zvV-&F?W0p{GeE-93j7%M{1axiS02Q5&hJnOQqX56mOhu{si9y^S=85)L5VaHmT;B< zA*^SZw$=F$CqJ5y#0`agli6{}pRJ0+H8wwctrThB_s>^UbRGXYyHT_tI#*o<A+<8>{}a2MFgQ76`jMjtiYQc}?Fd-&U}Z-(7c3vasK_PpimOoH7ic*tp) 
z+76?M41Z<~y-YlQJjvD>E88SM7b}uSjt%#|vNFFIf9HE=;er62e=41wtWJBlb%R*y zlB9uc{mhQw2u*MG?CX^lR2L_JBR?apoF3J{am;(>tm5NKEeB~l>g#Six)%a`-J7{f*0>VAITaqA zuax%M^z>vaEwj3_Cs;;L>?{{`%>WmgJH4NYR0CIk<%@P|10Kdmc5c(~D+(MF1&mU6 zI{FkAdmY*Vxf)H6k(N6YmDkdVfDbD;zUP~MH&;utHsC6~hI6sS5p2I{J*S;TA_fl{ zG(LXFh@}<4DI@30_KhpngORw8c$b2EY6@LK=PO|iZBpkv3VOf6$RCv7f~G=4g6Gna zhu-i^n86|+{0GnfHCb?!{5#gCiOBF57vR4V2bXVVoPF~U7l&h6lo42hA$HqT+zc;K zGi(QojJ^(rWgOz{ic)G*=S?z8v*-}{p>QQLcr#nU~ zk1@B+957Bn&W0AD2Ehg|I*hHR&?rb8XnJ!u8&7X8Dk_Su(k|H>7P0>==f{CEQ|r^e z=CVJ-do$04@^`JQWZgSA8E#^R!Gv;#k*~pgW$t4c$zneR^Va(Lf6Cv~JhQf6-NCNE zZq(uv;r+MNq-MOceUtv|^&$`oefX=@Y*yoi+H+-VGhh9m@~V4^$mwS;j4PJCdsc>wiazT4~8>CXmV&fa$|B+HS%}V zL(&xNG;ryJ4?WbiK#MltvrQ3cCt58vnRQGTwgskBO zXXt$@s;cVi&2W@i>FEwt@I&r}mflIl62EY-FMU>I#}CN>Fxv&5n4JpKhw;)m3;UDK z4DomOKeQ~aD|z`ikc?K=e2DZvf!@d|UIN_h-Ti}aV^6UtB^P^^TS`1*8J*OHHLDi! zw$SYo3|}e}F|eeaFHF!Ij3xAO@%S7DijPeq48B(8tCxzIRXIEBkN3alqY`^VB|^^` zYc`ky*NNlc;4ut1shsPJd~4rjx&g=w4U7IE!kl9!N<=a${z9_JGd{4pf_P*{yo0nW__XcuhAb8&zkk0gUf%GPma3xPE03Zo4QZn*YLWvO7sS6w` z5%PzP9~=z)Q4JY<($4<;vK+~K!U5$dHBCv@(irASPJ{tJ&`{;wxRP=ZfF~>ZiC~}v z)wua3!U;r!MmZfDr&2n(<5^cc=i%YzY6J^klVBh7?!bkCO|2Afh5>(qg$^|-=UeA6 z_f?nirG4h>)S^Giq(-^oXbVS>%uvrtp~-r&YSg;W;3oIe@UX!FEskUkr%F`uk%z2b zaPaU@-&&!Bi7dyZMMTR^>JEa_cU?Xu)m~hCLr##ELzol16s8SQ2n?9pW$~NQK%~W{ zo_P!wuMjfrriYl8#H!vaOwAl01TYjFY(%_U+$sUvUPwAyIjxc+{>%()=ai!KVq>Gq zdGW*cu)!6{FRZz-e>zEalAPy+W?x*~!sPvExHHuI;eDU8G>-iZM4)W5lfX?Uv%U#0 znhkFuF-o0Vn82Ylvkt7T;^sh0DajQlkTl8JZKROiSj>1jliN|0MWZC}B2%1Dk$e!c zIVhTTUA0qEAbx@Px;ANLinRLSzYv0rVN}D%RQMs7nzKQ@#`U@5qSSj~pnRxHpuD|U z`8)1vYvtdgj*!4g=L(uG)*v&hC{un_N_63 z?{=T=XmJ=7EMsg{m~2y05D@Aq-RRd$t{V4G!{0tRpM9i*d zw~gL}%Pr=}GWOX@zQLu30uq!mbeciL4W)g;u5O z)6f**Vc1G9xqG3`TCsGe{7|H3jaySzO7ewv!FSi^L6oY2dRpF89-THpE$!g0y^xIr zNs773BcR6*9rf-x=xmQJzTdr5z1cBcCiU@iZ2_*P`4Pq0&-^Nt1#k&OvSo z)X3fDvBlhvz{B}QC(EOJ`g`fvO%f{)G}a)O0dEzZFQVA&lzE(1-Ld;6FW8)NgpIt@ zqFp)3mZjIgAW}S$ihUdHyfsg%I^X%d-KsfGjD;>Gr 
z*t^+m!mI|#>b5l9?D|20J5P(`=u{u;_H=e1&I_;gYs93aWI0hf&wf3#AqV@uQ6eC% zxSoAaL~chS*uztWcx1xpi}Z=7oNq#Q6(f&3lSTJ3toxaa1Z8zclL_OajArXG?87xz zk>tof4<+q}7WttNKK?M|;iKpX#a_&}oWep9p_+vgJo3a%`@#Kmt1Yx0qb|=DM`nK3 z%@%5*^lc8r_n=mX3a4*&$o1}T8DC2SjTRhaGOfbIqKt8R%t3<(7T2CRI>@C_5#H{< zkpTV#pRAD9UeC$^ZuTrMq>sl;DqGg6@1?`-;C(UVJVC+LLj1#wR)T+|Z&%13qJR%R z&DsDvCMG5@sqAZMV28bl)#PL%+vSY5ir%5c*M~N@n?Ey=;g@`eE=LRyJ%iYKt1ItI z^{kW9650zd3r~F$o6UyL&M#5q6WAr;F_K}4;y(5xbHxUlednCnfb6%+${hx>|LRu7 z)U$7!!8xW+*tt=5wB-vzsfU21;5njXN)_y=< z+`n{#wCO0ldCYde8sWY6Gbwo|5H)5PDc}weq4td}x{;rzgV5NY_FdzB4cx@>eVsXJ zr8nS<5b`HvnSJXT=V&q4_dSHOd6*!zFKQ|ESG{>hAw)AxU%5;3gp9}Sqi2MSo7bgF z=*Lqj^~XvJWyPAHE=a-qBs#vv+>i#UYGKsI?0#40!;QWdyr|kE9RW@sWLyMRyl3QP z^Zrr5>jmF^)zatg-}C z>M_x#3MWz_Y9$oZD(~!qE9ur|FpVD>>dBHs zv}9NWin~~aCMAu+`T)DBBF2XqV^x4eg0Uf%ou)0%r^7AIABGZi(BZ4#MAn;wnwWdi zfz@llu`)6}0tD!I^dm>A9K!T*+4EKNo)!XL)`iSw3lO-eA`aHTD>;zPw&?sZL@mBx zcOpW|$WTS_8OGR^g4Dy!bg&J>#3W=PQ$)95xQ|$Gc2o+Uzc&FC0GB6EMp%dZopNq| z+M3?9$=N`5F$%@y=~HQ`BADI? z=9sN{mYL$Z0twJd=_nx8OiCt(z$=+=4$<+M^Qfy{A{4Kv>&|I(F?Ed=(l1+ka;oAa z^3uXTr9{0y&%uV`ccge1OUY4YPS1__C}V1fSZHRIRx{1+=SYJp%%amRFKfR=c^~&t z|2Q7_zH~R?HNLYmdV9+9*jXw!4q;~j&Stsouiipcl+f$y2_wYfgL@F=>buA-=|vGTjhZ&=W-z>>^@r+WREt{X{Oyg zWkg|ht`w6!1o?o4@K0M=;y{|)!?v?ROGVs9c})=u>65}RtP@-V)AxJQK)r>FZg_j#+MON>SuOKxaluXN4gSC58@qg z+cHH4EEm#a!@y_X@Cq|V#$LSGSPD9NQF+;6W@=D=ZaCC!vm;_Ygjf<=+-lF>9Cw|; zCOw?1ng28MrbiUf4CU289>iw2HSLs075l}OrfZw9WzReAblKe;N2{vSv?o_pu64|r z4L_g~*_#Brhn2v-nXFsKaU7zN*~f;KO#jnDr&j{ANt#a$mxbXu( zo{|v0@l+S0&eK;PUM{SSY<8JW9_}4j(}Hbu0ThynUl>t?WR&^|3TW~1A$G<`Dq@s? 
zL)adN=PF9XEd{_#1pL5|80#ZB0ZV)BXJul2ki~;Ys5S*izEt8IbH8adqYe{+Oh1D< z&!|SrThdvM&*OHPzoW>YPf7(@e-$qz=WR?uVk8<;1q{M`&=hZb>??d zWe=swpWEty5nUUg4~}USzN;<%jccSt&!q1^xui4(@0Rfl{>imlME^G9HgCTe3LwDs z*J1_ZCIoZXC%f;QBsK6t(?TLeDO`DP}WRv!^tgm@7^T_+}WM1?*_NctKrG(cmLNu}Z?}lb4)) ziln>)b_KkOCHEFav?=My;b=6Xjbpk7zy;VlqEQ2o(>sSs*DTtkWJdZWo^A6Tt{E=4q z;z~7C)wm*O^1eP);T0`R)mK(t9whT?9tGFToqXE?aguOY*mga(NY)ZkFJ&P7$q9Qf zRFG@Ws)4~sZ{l5RPu#Q<%yu~!C)tNi-N_|5PfygpMBVSnfWPa5D*a%hV>=X{V4UEabECyj2>MTnFwpLAxExjVC%2C%h#EY6IbLOo0wn z6^{*-T*{x+jcYx)?VWxk7i!K`+*M9houP3FenyYrp0zvp0N6v^Jf^vOQb%$Z-bjFbV00 zmE?Qv5(%EQbR@?}8VSu>yj=J;+u*QBcKo@O09k{pI9&a>X#=)$xv9A5#eZa@2^W=;tI2?*K8f7v5Na8^9>Qk+UL?|Z$Ad(!1Y(E=~}7R zMiMee>Iq$-gn(0pp2qA>cH`x#+;7+$hU3^Nc6|NpoZ=Zu7&#P_u@}a0mdGqE3fH#g zbZS#>r#q^k|C59&By||{#Qo3!Wd`fn&r%+gHH_Dq@|f{EC~?)WTrB0q(~se<7YS^* z%uDTu{{6b3yHO9c13R&f>x@b7{vr~>M#K6I4Hf$U+jJ+H^vTtQb%&~RW|Yo1e7a!# zFgfGhQaSZcW=uO=f5FQORBJrx7l7T2W~NWN7~|0yERj;OfaJA9WbOWaixfXK#OeB< zYBX))e}ex4{7uj=@DlAG96V}Iu@CjRnq}$d@YdBY4m6ebU=@Z9dD##29+Ux0n7Y#E z^2pOJKPa&V1_QNh-+Ope?<)BQM2w#5mLYQntDU=tOSE7$%H!i23#09^qf8&QLCfDUHoSrHcGw@#kh7)hUMAog-ag`yi9^;gd+ za6CQxyqP8_*)OnG09KD|i?%dso*k{LTG>+Yylu92v!lSUG!RM9{u*UmS2x-IKILtr z)O8LND*RD(;j=(j61Vs0bl{pp7kPHOuoUmK+iEux2D6EbyxT z`YI-fm6FxQ{aod_Z131KG!eRZVXAwy6s>f0)NEgY^LHe1)`t1K4p`#x%;P^(ev`ZQ ztqqHNlqB*J5X6^+|CWi=R#YM5S%g()%i5`-b4$}-plACRfXF5j_K)-EaMM)k_^kAi z0zN{CUxmwvQvsx(`j-0EEXR(L$}CG%?{R2cQToW8TIpZ1ggbZsTUlf%qgB`8hyniQXnEJ>!Rqipyc}yeo(D_a|%X{zbsiCZ{yWccI(9s&Vz5u<(#% z`*V>Eq3<-CMKz9)8a-C(P^yPmnk@FU@MPk5IreX!7XNLI{<{;^|J&hzm8k#A3&XeS Z_7OvOeYDDR_3yt%AuFi}go=Ok{}0L`A?W}B literal 0 HcmV?d00001 diff --git a/documentation/gestion_groupes.md b/documentation/gestion_groupes.md new file mode 100644 index 0000000..ebaaca1 --- /dev/null +++ b/documentation/gestion_groupes.md 
@@ -0,0 +1,92 @@
+# Gestion des groupes
+
+## Gestion manuelle
+
+On peut simplement créer des groupes manuellement
+
+ oc adm groups new
+
+Ajouter des utilisateurs à un groupe existant
+
+ oc adm groups add-users
+
+
+Retirer des utilisateurs
+
+ oc adm groups remove-users
+
+Retirer un groupe
+
+ oc delete group
+
+Informations sur un group et ses utilisateurs
+
+ oc get group
+
+## Import de groupe `Active Directory`
+
+
+
+On peut importer des groupe existants d\'Active Directory et les
+synchronisant en créant un fichier de connexion yaml
+
+``` /yaml
+kind: LDAPSyncConfig
+apiVersion: v1
+url: ldap://ldap-win.abes.fr
+bindDN: CN=acces_ldap_okd,OU=applicatif,OU=Utilisateurs,DC=levant,DC=abes,DC=fr
+bindPassword:
+insecure: false
+augmentedActiveDirectory:
+ groupsQuery:
+ baseDN: "OU=DSIN,OU=Groupes de securite,DC=levant,DC=abes,DC=fr"
+ scope: sub
+ derefAliases: never
+ groupUIDAttribute: dn
+ groupNameAttributes: [ cn ]
+ usersQuery:
+ baseDN: "OU=personnels,OU=Utilisateurs,DC=levant,DC=abes,DC=fr"
+ scope: sub
+ derefAliases: never
+ filter: (objectclass=inetOrgPerson)
+ pageSize: 0
+ userNameAttributes: [ sAMAccountName ]
+ groupMembershipAttributes: [ memberOf ]
+```
+
+Il existe deux options pour cela:
+
+1. activeDirectory:
+ 1. tous les groupes de sécurité d\'Active Directory par défaut
+ 2. le nom des groupes importés sera le DN AD.
+2. augmentedActiveDirectory:
+ 1. On peut personnaliser les noms des Groupes dans OKD
+ 2. importer les groupes d\'une branche, pour notre usage ce sera
+ `DSIN`
+
+Nous choisirons `augmentedActiveDirectory` parce qu\'il permet d\'être
+au plus juste des utilisateurs qui vont être amenés à se servir d\'OKD.
+
+Il reste à synchroniser les groupes sur la base de ce fichier:
+
+ oc adm groups sync --sync-config=active_directory_config.yaml --confirm
+
+Si les groupes sont modifiés ou effacés dans AD, alors on peut lancer
+une synchronisation de façon à répercuter l\'effacement des groupes
+disparus dans OKD:
+
+ oc adm prune groups --sync-config=/path/to/ldap-sync-config.yaml --confirm
+
+## Ajout de droits RBAC par groupe
+
+Ajout des droits `cluster-admin` au groupe SIRE
+
+ oc adm policy add-cluster-role-to-group cluster-admin SIRE --rolebinding-name=cluster-admin
+
+Retrait des droits `cluster-admin` au groupe SIRE
+
+ oc adm policy remove-cluster-role-from-group cluster-admin SIRE --rolebinding-name=cluster-admin
+
+Énumération des utilisateurs ayant pour rôle RBAC `cluster-admin`
+
+ oc describe clusterrolebinding.rbac cluster-admin
diff --git a/documentation/gestion_noeuds_okd.md b/documentation/gestion_noeuds_okd.md
new file mode 100644
index 0000000..167e175
--- /dev/null
+++ b/documentation/gestion_noeuds_okd.md
@@ -0,0 +1,57 @@
+# Gestion des noeuds OKD
+
+## Généralités
+
+
+
+Par défaut, l\'installateur OKD provisionnent 6 VMS
+
+``` /bash
+[root@vm1-dev ~]# oc get nodes -o wide
+NAME STATUS ROLES AGE VERSION INTERNAL-IP EXTERNAL-IP OS-IMAGE KERNEL-VERSION CONTAINER-RUNTIME
+v212-t4k2k-master-0 Ready master 19d v1.20.0+5fbfd19-1046 10.34.212.60 Fedora CoreOS 33.20210217.3.0 5.10.12-200.fc33.x86_64 cri-o://1.20.0
+v212-t4k2k-master-1 Ready master 19d v1.20.0+5fbfd19-1046 10.34.214.242 Fedora CoreOS 33.20210217.3.0 5.10.12-200.fc33.x86_64 cri-o://1.20.0
+v212-t4k2k-master-2 Ready master 19d v1.20.0+5fbfd19-1046 10.34.214.243 Fedora CoreOS 33.20210217.3.0 5.10.12-200.fc33.x86_64 cri-o://1.20.0
+v212-t4k2k-worker-0-dgjzp Ready worker 18d v1.20.0+5fbfd19-1046 10.34.214.245 Fedora CoreOS 33.20210217.3.0 5.10.12-200.fc33.x86_64 cri-o://1.20.0
+v212-t4k2k-worker-0-wsmn4 Ready worker 19d v1.20.0+5fbfd19-1046 10.34.214.244 Fedora CoreOS 33.20210217.3.0 5.10.12-200.fc33.x86_64 cri-o://1.20.0
+v212-t4k2k-worker-0-z6pdg Ready worker 19d v1.20.0+5fbfd19-1046 10.34.212.66 Fedora CoreOS 33.20210217.3.0 5.10.12-200.fc33.x86_64 cri-o://1.20.0
+```
+
+Les masters correspondent à la partie controlplane et les workers au
+dataplane. Les workers sont donc les noeuds qui font tourner les
+containers.
+
+ oc describe node v212-t4k2k-worker-0-dgjzp
+ oc adm top nodes
+
+## Scaling
+
+
+
+Il est très facile de modifier le nombre de workers
+
+Les machinesets sont les groupes de workers par cloud. Dans notre cas,
+nous n\'avons qu\'un seul provider `ovirt`
+
+ oc get machinesets -n openshift-machine-api
+
+On modifie le nombre de `replica` aussi simplement que
+
+ oc scale --replicas=2 machineset -n openshift-machine-api
+
+Une nouvelle VM est immédiatement crée sous ovirt, s\'auto-provisionnant
+par ignition, avec la création des containers de services. La VM peut
+mettre une dizaine de minutes avant d\'être disponible dans le cluster
+OKD.
+
+Ou bien en éditant le fichier correspondant
+
+ oc edit machineset -n openshift-machine-api
+
+Dans le cas où on veut diminuer le nombre de worker, on a la possibilité
+de choisir quel worker retirer : `Random`, `Newest` ou `Oldest` en
+éditant le fichier précédent avec ces paramètres:
+
+ spec:
+ deletePolicy:
+ replicas:
diff --git a/documentation/import_appli_pro.md b/documentation/import_appli_pro.md
new file mode 100644
index 0000000..3064987
--- /dev/null
+++ b/documentation/import_appli_pro.md
@@ -0,0 +1,350 @@
+# OKD: Conversion et import d\'une appli Docker dans k8s
+
+## Objectif
+
+Adapter une application Docker existante tournant en production sur
+`diplotaxisX-prod` pour `k8s` sur un environnement OKD
+
+## Application choisie
+
+`Qualimarc` est l\'application la plus récente et la plus complète
+correspondant à l\'ensemble des cas de figure rencontrés sur Docker:
+
+- backend:
+
+ * qualimarc-api
+ * qualimarc-batch
+ * frontend:
+ * qualimarc-front
+ * BDD postgres
+ * qualimarc-db
+ * qualimarc-db-adminer
+ * qualimarc-db-dumper
+ * watchtower
+ * qualimarc-watchtower
+ * variables d'environnement
+ * volumes persistants
+
+Le projet Github source:
+https://github.com/orgs/abes-esr/repositories?q=qualimarc&type=all&language=&sort=
+
+Le fichier docker-compose source
+
+
+## Prérequis
+
+### oc
+
+``` /bash
+wget https://github.com/okd-project/okd/releases/download/4.12.0-0.okd-2023-02-18-033438/openshift-client-linux-4.12.0-0.okd-2023-02-18-033438.tar.gz
+tar xvzf openshift-client-linux-4.12.0-0.okd-2023-02-18-033438.tar.gz
+mv {kubectl,oc} /usr/local/bin/
+```
+
+### docker-compose
+
+``` /bash
+curl -L "https://github.com/docker/compose/releases/download/v2.16.0/docker-compose-linux-x86_64" -o /usr/local/bin/docker-compose
+```
+
+### kompose
+
+L\'import de `Qualimarc dans OKD` réside dans l\'adaptation du fichier
+`docker-compose.yaml` en fichiers manifest d\'objets k8s grâce à
+l\'outil `kompose`.
+
+``` /bash
+curl -L https://github.com/kubernetes/kompose/releases/download/v1.28.0/kompose-linux-amd64 -o /usr/local/bin/kompose
+```
+
+### droits d\'exécution
+
+``` /bash
+chmod +x /usr/local/bin/{oc,kompose,docker-compose}
+```
+
+## Connexion à l\'environnement OKD de destination
+
+La connexion au serveur OKD peut se faire de plusieurs manières. Les
+paramètres se trouvent dans le répertoire d\'installation du cluster:
+
+``` /bash
+~/auth/
+```
+
+#### fichier kubeconfig
+
+``` /bash
+export KUBECONFIG=~install_dir>/auth/kubeconfig
+```
+
+#### login kubeadmin
+
+``` /bash
+oc login -u kubeadmin -p $(echo ~/auth/kubeadmin-password) https://api.orchidee.v102.abes.fr:6443
+```
+
+Qand on se connecte avec un login, cela permet d\'obtenir un `token`. Ce
+token peut être la seule façon de s\'authentifier par la suite,
+notamment avec podman.
+
+``` /bash
+oc whoami -t
+sha256~X
+```
+
+Dans les deux cas de figure, on est connecté avec le super utilisateur
+`kubeadmin`:
+
+``` /bash
+oc whoami
+```
+
+#### login avec slogin sur LDAP
+
+Pour se connecter depuis LDAP et rafraîchir son fichier *kubeconfig*
+pour prendre en compte\
+le user avec lequel on est connecté sur le namespace *default*
+
+``` /bash
+oc login -u slogin
+oc config set-context `oc config current-context` --namespace=default
+```
+
+## Etapes
+
+ * Création du projet
+
+``` /bash
+oc new-project qualimarc
+```
+
+- Elevation des privilèges du `service account` `default` pour les
+ droits root de certains containers:
+
+``` /bash
+oc adm policy add-scc-to-user anyuid -z default
+```
+
+- Création d\'un secret qui permet de se connecter au registry
+ `dockerhub` sans limites de connexions
+
+``` /bash
+oc create secret docker-registry docker.io --docker-server=docker.io --docker-username= --docker-password=
+```
+
+- Rajout de ce secret au `service account` `default`
+
+ oc secrets link default docker.io --for=pull
+ oc get sa default -o yaml
+
+- Téléchargement des sources du projet
+
+``` /bash
+git clone https://github.com/abes-esr/qualimarc-docker.git
+cd qualimarc
+```
+
+- import du fichier `env` de l\'environnement choisi
+
+``` /bash
+rsync -av root@diplotaxis1-dev.v106.abes.fr:/opt/pod/qualimarc-docker/.env .
+```
+
+- Génération du fichier `docker-compose-resolved.yml` contenant la
+ valeur des variables `.env`
+
+``` /bash
+docker-compose config > docker-compose-resolved.yml
+```
+
+- Nettoyage des composants inutiles (notamment `mem_limit` et
+ `qualimarc-watchtower`) qui ne fonctionne qu\'en environnement
+ docker
+
+``` /bash
+docker-compose -f docker-compose-resolved.yml convert --format json \
+| jq 'del (.services[].command)' \
+| jq 'del (.services[].entrypoint)' \
+| jq 'del (.services."qualimarc-watchtower")' \
+| jq 'del (.services[].mem_limit)'\
+| jq '.services."qualimarc-db" += {ports: [{"mode": "ingress", "target": 5432, "published": 5432, "protocol": "tcp"}]}' \
+| docker-compose -f - convert > docker-compose-resolved-cleaned.yml
+```
+
+- **optionnel** Ajout du port `5432` pour que le service
+ `qualimarc-db` soit directement disponible
+
+``` /bash
+docker-compose -f docker-compose-resolved.yml convert --format json | jq '.services."qualimarc-db" += {ports: [{"mode": "ingress", "target": 5432, "published": 5432, "protocol": "tcp"}]}'
+# ou bien
+docker-compose -f docker-compose-resolved.yml convert --format json | jq --argjson json '{ports: [{"mode": "ingress", "target": 5432, "published": 5432, "protocol": "tcp"}]}' '.services."qualimarc-db" += {ports: $json}'
+```
+
+- Conversion du fichier docker-compose-resolved-cleaned.yml en
+ Manifests k8s
+
+``` /bash
+kompose -f docker-compose-resolved-cleaned.yml convert --provider openshift
+INFO OpenShift file "qualimarc-api-service.yaml" created
+INFO OpenShift file "qualimarc-db-service.yaml" created
+INFO OpenShift file "qualimarc-db-adminer-service.yaml" created
+INFO OpenShift file "qualimarc-front-service.yaml" created
+INFO OpenShift file "qualimarc-api-deploymentconfig.yaml" created
+INFO OpenShift file "qualimarc-api-imagestream.yaml" created
+INFO OpenShift file "qualimarc-batch-deploymentconfig.yaml" created
+INFO OpenShift file "qualimarc-batch-imagestream.yaml" created
+INFO OpenShift file "qualimarc-batch-claim0-persistentvolumeclaim.yaml" created
+INFO OpenShift file "qualimarc-db-deploymentconfig.yaml" created
+INFO OpenShift file "qualimarc-db-imagestream.yaml" created
+INFO OpenShift file "qualimarc-db-claim0-persistentvolumeclaim.yaml" created
+INFO OpenShift file "qualimarc-db-adminer-deploymentconfig.yaml" created
+INFO OpenShift file "qualimarc-db-adminer-imagestream.yaml" created
+INFO OpenShift file "qualimarc-db-dumper-deploymentconfig.yaml" created
+INFO OpenShift file "qualimarc-db-dumper-imagestream.yaml" created
+INFO OpenShift file "qualimarc-db-dumper-claim0-persistentvolumeclaim.yaml" created
+INFO OpenShift file "qualimarc-front-deploymentconfig.yaml" created
+INFO OpenShift file "qualimarc-front-imagestream.yaml" created
+INFO OpenShift file "qualimarc-watchtower-deploymentconfig.yaml" created
+INFO OpenShift file "qualimarc-watchtower-imagestream.yaml" created
+INFO OpenShift file "qualimarc-watchtower-claim0-persistentvolumeclaim.yaml" created
+```
+
+- Remplacement de la bonne version d\'api pour les manifests
+ `imagestream` et `deploymentconfig`
+
+``` /bash
+sed -i 's/apiVersion: v1/apiVersion: image.openshift.io\/v1/g' *imagestream.yaml
+sed -i 's/apiVersion: v1/apiVersion: apps.openshift.io\/v1/g' *deploymentconfig.yaml
+```
+
+- Création du service `qualimarc-db-service.yaml`
+
+``` /bash
+oc create service clusterip qualimarc-db-postgres --tcp=5432
+oc set selector svc qualimarc-db-postgres 'io.kompose.service=qualimarc-db'
+#ou bien
+oc create service clusterip my-svc -o yaml --dry-run | oc set selector --local -f - 'environment=qa' -o yaml | oc create -f -
+```
+
+Remarque: ce service est indispensable pour que le pod `qualimarc-front`
+soit en mesure d\'appeler la base postgres. Si ce service n\'a pas été
+créé par `kompose`, c\'est dû au fait que le container `qualimarc-db` du
+fichier original `docker-compose.yaml` n\'avait pas de ports de défini.
+On aurait pu le rajouter dans le fichier avant la conversion:
+
+``` /yaml
+ qualimarc-db:
+ image: abesesr/postgres-fr_fr:15.1.0
+ container_name: qualimarc-db
+ restart: unless-stopped
+ mem_limit: ${MEM_LIMIT}
+ environment:
+ # cf https://github.com/docker-library/docs/blob/master/postgres/README.md#environment-variables
+ POSTGRES_DB: "qualimarc"
+ POSTGRES_USER: ${QUALIMARC_DB_POSTGRES_USER}
+ POSTGRES_PASSWORD: ${QUALIMARC_DB_POSTGRES_PASSWORD}
+ ports:
+ - 5432:5432
+ volumes:
+ - ./volumes/qualimarc-db/pgdata/:/var/lib/postgresql/data/
+```
+
+- Il ne reste qu\'à appliquer les manifests dans OKD
+
+``` /bash
+oc apply -f 'qualimarc-*.yaml'
+```
+
+- On vérifie que les containers se créent bien
+
+``` /bash
+oc get all
+oc get pods
+```
+
+- Il faut vérifier que les images se téléchargent correctement depuis
+ leurs registries d\'origine
+
+``` /bash
+oc get is
+```
+
+Si ce n\'est pas le cas, aucun container ne se lancera.
+
+- Volumes : par défaut les PVC (permanent Volume Claim) de 100M sont
+ créés.\
+ Pour augmenter leur taille, passer par un patch :
+
+``` /bash
+oc patch pvc -p '{"spec":{"resources":{"requests":{"storage":"4Gi"}}}}'
+```
+
+- Cas de du container de la bdd postgres `qualimarc-db`
+
+Le déploiement du container `qualimarc-db` ne se lance pas du fait que
+la base de données n\'est pas initialisée. Il faut donc importer le
+contenu initial depuis le volume du diplotaxis initial. Pour cela il
+n\'est pas indispensable que le container soit démarré, il suffit de
+rentrer en mode `debug` et d\'initier la copie.
+
+``` /bash
+oc debug qualimarc-db-4-c8gpn
+bash
+apt update && apt install rsync openssh-client -y
+rsync -av diplotaxis1-dev.v106.abes.fr:/opt/pod/qualimarc-docker/volumes/qualimarc-db/pgdata/ /var/lib/postgresql/data/
+```
+
+Une fois la copie effectuée avec succès, il faut relancer le déploiemen
+du container:
+
+``` /bash
+oc rollout retry dc qualimarc-db
+oc get pods
+```
+
+Une fois le pod postgres up, l\'ensemble des pods qui en dépendent
+devient aussi up. Si ce n\'est pas le cas, il faut faire un rollout de
+l\'ensemble des pods qui ne démarrent pas, ou bien réappliquer les
+manifests un par un.
+
+- Pour accéder à l\'url, il faut exposer le service du container
+ `qualimarc-front`, ce qui aura pour effet de générer une route DNS
+ par l\'ingress d\'OKD:
+
+``` /bash
+oc expose service/qualimarc-front
+oc expose service/qualimarc-api
+oc expose service/qualimarc-db-adminer
+oc get route
+qualimarc qualimarc-qualimarc2.apps.orchidee.v102.abes.fr qualimarc-front 11080 None
+```
+
+- On teste le webservice sur son exposition publique:
+
+``` /bash
+curl http://qualimarc-api-qualimarc-sire.apps.orchidee.v102.abes.fr/api/v1/statusApplication
+```
+
+## Debug
+
+``` /bash
+oc debug
+oc log
+oc rsh pod/
+oc rsh node/
+oc describe
+oc describe dc/
+```
+
+## Remplacement de WatchTower
+
+`Watchtower` est l\'application (également fournie sous forme de
+container docker) qui permet de détecter une nouvelle mise à jour d\'une
+image docker sur `DockerHub` et de la déployer sur `diplotaxis`.
+
+Le daemon `docker` ayant été remplacé par `crio` sous `Kubernetes`, il
+faut donc utiliser l\'outil `keel` pour arriver au même niveau de
+fonctionnalité.
+
+Pour plus de détail, suivre - [Keel remplaçant de watchtower](keel.md)
diff --git a/documentation/import_image_registry_interne.md b/documentation/import_image_registry_interne.md
new file mode 100644
index 0000000..2559314
--- /dev/null
+++ b/documentation/import_image_registry_interne.md
@@ -0,0 +1,166 @@
+# Import d\'une image de container sous OKD4
+
+Le but de la manœuvre est d\'importer une image docker ou podman
+pré-existante dans le registry interne de OKD pour pouvoir ensuite
+l\'exploiter.
+
+## Depuis une source externe à OKD
+
+
+Le but c\'est de se connecter depuis une source qui n\'a pas accès au
+port 5000 du registry d\'OKD de l\'hôte
+`default-route-openshift-image-registry.apps.v212.abes.fr`
+
+- On se logue côté `oc` dans le projet dans lequel on veut importer
+ l\'image.
+
+Attention, `oc login` (et non `export KUBECONFIG`) est la seule méthode
+d\'authentification qui permette d\'obtenir un login et ainsi par la
+suite d\'utiliser ce login pour connecter podman à un registre (la
+méthode par mot de passe ne fonctionnera pas).
+
+ oc login -u -n
+ oc whoami -t
+ sha256~X
+
+- Si on n\'a pas les droits `cluster-admin`, alors il faut
+ s\'attribuer des droits. Si on ne précise pas le projet, alors les
+ droits sont donnés pour le projet en cours.
+
+ oc policy add-role-to-user registry-viewer -n
+ oc policy add-role-to-user registry-editor -n
+ oc describe rolebinding.rbac -n openshift-config
+
+- Pour attribuer ces mêmes droits pour l\'ensemble des projets, alors
+ il faut utiliser
+
+ oc policy add-cluster-role-to-user registry-viewer
+ oc policy add-cluster-role-to-user registry-editor
+ oc describe clusterrolebinding.rbac -n openshift-config
+
+\* Par défaut, la route qui permet de consulter le registry depuis
+l\'extérieur n\'est pas active.
+
+Il faut donc l\'activer:
+
+``` /bash
+oc patch configs.imageregistry.operator.openshift.io/cluster --patch '{"spec":{"defaultRoute":true}}' --type=merge
+```
+
+- La route qui expose le registry se trouve ainsi (3 façons
+ d\'extraire le l\'url d\'accès au registry
+ `default-route-openshift-image-registry.apps.v212.abes.fr`)
+
+ HOST=$(oc get route default-route -n openshift-image-registry --template='{{ .spec.host }}')
+ HOST=$(oc get route default-route -n openshift-image-registry -ojsonpath={.spec.host})
+ HOST=$(oc get route default-route -n openshift-image-registry -o json | jq -r .spec.host)
+
+- importer une image dans le registry de podman
+
+``` /bash
+podman pull alpine
+podman images
+```
+
+- par défaut `podman` va chercher les images dans les registry
+ prédéfinis dans `/etc/containers/registries.conf` dans cet ordre:
+
+1. registry.access.redhat.com
+2. registry.redhat.io
+3. docker.io
+
+Il est tout à fait possible d\'en changer l\'ordre ou de rajouter un
+registry
+
+- Connexion de podman au registry sans TLS
+
+``` /bash
+podman login -u $(oc whoami) -p $(oc whoami -t) --tls-verify=false $HOST
+```
+
+- Connexion de podman au registry avec TLS
+
+``` /bash
+mkdir -p /etc/containers/certs.d/${HOST}
+oc get secret -n openshift-ingress router-certs-default -o go-template='{{index .data "tls.crt"}}' | base64 -d | sudo tee /etc/containers/certs.d/${HOST}/${HOST}.crt > /dev/null
+podman login -u $(oc whoami) -p $(oc whoami -t) $HOST
+```
+
+- On définit un tag où on va entreposer l\'image dans le registry
+ distant
+
+``` /bash
+podman tag docker.io/library/alpine $HOST/openshift/image3
+```
+
+- Il ne reste qu\'à pousser l\'image dans ce tag
+
+``` /bash
+podman push (--log-level=debug) $HOST/openshift/image3 (--tls-verify=false)
+```
+
+L\'image est disponible en tant qu\'image stream dans le projet
+d\'origine de connexion d\'oc.
+
+ oc get is -n
+
+Pour lister l\'ensemble des images disponibles sur le cluster
+
+ oc get is --all-namespaces
+
+## Depuis un container OKD
+
+Le port 5000 du registry est disponible sur l\'hôte
+`image-registry.openshift-image-registry.svc` On liste les noeuds
+disponibles
+
+ oc get nodes
+
+On lance le mode debug du container voulu
+
+ oc debug nodes/v212-t4k2k-worker-0-dgjzp
+
+On rentre dans le chroot du container
+
+``` /bash
+chroot /host
+```
+
+import des paramètres openshift de connexion quand ils existent
+
+ export KUBECONFIG=/root/auth/kubeconfig
+
+login à l\'api openshift
+
+ oc login --token='' https://api.v212.abes.fr:6443 -n
+
+login au registry d\'openshift
+
+ podman login -u kubeadmin -p $(oc whoami -t) image-registry.openshift-image-registry.svc:5000 --tls-verify=false
+
+tag d\'une image, à toujours faire avant de la pusher
+
+ podman tag docker.io/library/alpine image-registry.openshift-image-registry.svc:5000/openshift/image
+
+push de l\'image dans le registry
+
+ podman push image-registry.openshift-image-registry.svc:5000/openshift/image --tls-verify=false
+
+On peut importer des images docker depuis n\'importe quel registry local
+ou distant
+
+ oc import-image openshift/image --from=docker.io/alpine --confirm
+ oc import-image openshift/image --from=image-registry.openshift-image-registry.svc:5000/openshift/image --confirm
+
+Par défaut, l\'import se fait avec le tag `latest`. Si on veut importer
+une autre version de l\'image, il faut définir le tag de cette image
+dans le repository:
+
+``` /bash
+oc tag --source=docker docker.io/anapsix/alpine-java:8 alpine-java:8
+oc import-image alpine-java:8 --from=docker.io/anapsix/alpine-java:8 --confirm
+oc get is alpine-java
+oc get istag | grep alpine-java
+oc describe is/alpine-java
+oc describe istag/alpine-java:8
+```
diff --git a/documentation/index.md b/documentation/index.md
new file mode 100644
index 0000000..7e679ec
--- /dev/null
+++ b/documentation/index.md
@@ -0,0 +1,43 @@ +======== OKD ======== + +\- [Installation d\'OKD sous Ovirt](Installation.md) + +\- [Connexion à l\'API](connexion_api.md) + +\- [Commandes utiles](commandes_utiles.md) + +\- [Création d'un utilisateur](creation_utilisateur.md) + +\- [Gestion des groupes](gestion_groupes.md) + +\- [Import d'une image dans le registry interne](import_image_registry_interne.md) + +\- [gestion des noeuds](gestion_noeuds_okd.md) + +\- [Récupérer un mot de passe](recuperer_mdp.md) + +\- [Import d'une appli pro docker dans k8s](import_appli_pro.md) + +\- [Keel remplaçant de watchtower](keel.md) + +\- [Scaling d\'un noeud master ou worker](scaling.md) + +\- [Réparation d\'un noeud etcd](reparation_etcd.md) + +\- [Redéploiement d\'un cluster operator](redeploiement_cluster_operator.md) + +\- [Backup du cluster etcd et des applis](backup.md) + +\- [Diagnostiquer et dépanner des certificats](depanner_certificats.md) + +\- [Mettre en place le service Chrony](chrony.md) + +\- [Lien nfs](lien_nfs.md) + +\- [Drivers CSI](drivers_csi.md) + +\- [Snapshots CSI](snapshot_csi.md) + +\- [OpenDataFoundation](odf.md) + +\- [Registry d\'images](registry.md) diff --git a/documentation/keel.md b/documentation/keel.md new file mode 100644 index 0000000..ff89f17 --- /dev/null +++ b/documentation/keel.md 
@@ -0,0 +1,285 @@ +# OKD: Keel l\'équivalent de watchtower sous K8s + +## Contexte + +Dans un environnement `Docker`, `watchtower` est l\'outil qui permet de +détecter la mise à disposition d\'une nouvelle image applicative sur un +registry, en particulier `DockerHub`. + +Sous `Kubernetes`, l\'outil ne peut pas être utilisé car il cherche à se +connecter un daemon `docker` qui n\'existe pas pour exécuter un fichier +`docker-compose.yml` + +## Keel vs Deployment vs DeploymentConfig + +Sous `OKD`, il existe deux façons de déployer une application: + +- DeploymentConfig + +C\'est le format natif d\' `OpenShift` avant qu\'il introduise +`kubernetes` pour gérer l\'orchestration de container dans la branche +`4.X` + +Le principe de fonctionnement de `dc` repose sur la notion d\' +`ImageStream` propre à `okd` qui consiste à définir une empreinte d\'un +registry externe sur lequel il indexe les versions et tags des images +(il ne les télécharge pas). Il est donc facile dans ce mode d\'intégrer +des `triggers` qui déclenchent le déploiement d\'une image à chaque fois +qu\'une nouvelle version est disponible sur le registry externe, souvent +DockerHub. + +- Deployment + +C\'est la version native de `k8s`. La recommendation de RedHat dans la +doc OKD est d\'utiliser ce format qui apparaît comme en retard sur le +format `deployment` mais qui à terme a pour objectif d\'intégrer la +plupart des possibilités de `dc`. De ce fait, il n\'y a pas actuellement +de trigger natif sous k8s permettant de déclencher un redéploiement +suite à la présence d\'une nouvelle image, dans la mesure où l\'API k8s +n\'utilise pas nativement `ImageStream`. + +De ce fait il faut adapter tous les usages natif de `DeploymentConfig` à +l\'utilisation avec `Deployment`: + +1. Création, Synchronisation d\'un Imagestream avec un registry distant +2. Integration de Imagestream dans l\'API K8s +3. 
Trigger de redéploiement de l\'application + +### Création, Synchronisation d\'un Imagestream avec un registry distant + +=\> [Concerne l\'objet ImageStream]{.underline} + + + +Cependant cette fonctionnalité utilisant`ImageStream`, il faut qu\'il en +existe un au préalable, ce qui n\'est pas le cas par défaut lorsqu\'on +utlise `kompose` pour créer un deploy. + +``` /yaml +tee wd-is.yml < + +#### Mise à disposition d\'un ImageStream aux resources K8s + +=\> [Concerne l\'objet ImageStream]{.underline} + +Par défaut, les pods vont se référer à l\'imagestream dans le cadre +d\'un dc, puisqu\'il s\'agit d\'une ressource native à OKD. + +Dans le cas d\'un deployment non natif à k8s, si on veut que toutes les +resources kubernetes puissent se référer à un imagestream existant en +particulier (qualimarc-db-dumper), il faut l\'activer dans le deploy + +``` /bash +oc set image-lookup qualimarc-db-dumper --enabled=true +oc get is qualimarc-db-dumper +# renvoie; + lookupPolicy: + local: true +``` + +Vérification: + +``` /bash +oc set image-lookup imagestream --list +``` + +Si on ne veut pas utiliser une ImageStream: + +``` /bash +oc set image-lookup qualimarc-db-dumper --enabled=false +``` + +#### Mise à disposition de tous les ImageStream à un deploy + +=\> [Concerne l\'objet Deploy]{.underline} + +Si on veut qu\'un deploy en particulier puisse utiliser toutes les +ImageStreams de son choix: + +``` /bash +oc set image-lookup deploy/mysql +# renvoie +spec: + replicas: 1 + template: + metadata: + annotations: + alpha.image.policy.openshift.io/resolve-names: '*' +``` + +### Trigger de redéploiement de l\'application + +=\> [Concerne l\'objet Deploy]{.underline} + + + +En attendant que les développeurs de Kubernetes développent nativement +cette fonctionnalité, RedHat a intégré dans openshift un workaround pour +utiliser un trigger, se présentant sous forme d\'annotation à intégrer +dans le manifest `Deployment`. 
**Cela permet de déclencher un nouveau +deployment de l\'application quand l\'imagestream change.** + +``` /bash +oc set triggers deploy/theses-api-diffusion --from-image=theses-api-diffusion:develop-api-diffusion -c theses-api-diffusion +``` + +Cette commande a pour effet de rajouter la ligne au deploy + +``` /yaml +... +metadata + annotation: + image.openshift.io/triggers: '[{"from":{"kind":"ImageStreamTag","name":"theses-api-diffusion:develop-api-diffusion"},"fieldPath":"spec.template.spec.containers[?(@.name==\"theses-api-diffusion\")].image"}] +``` + +- Keel + +Si on ne veut pas utiliser les fonctionnalités natives de +`DeploymentConfig` ou adaptées de `Deployment` avec `ImageStream`, il +reste l\'option d\'utiliser `keel` avec `Deployment` qui s\'avère être +une très bonne solution puisqu\'il intègre une interface web. + +**Attention: Keel ne fonctionnant pas avec le format `DeploymentConfig` +d\'OKD**, il faut déployer les applications professionnelles en format +`Deployment` sans l\'option `--provider openshift` de `kompose`: + +``` /bash +kompose -f docker-compose-resolved.yml convert +``` + +Ce qui aura pour effet de ne pas générer de fichier `ImageStream` + +## Installation de Keel + + + + +- On commence par créer l\'environnement propice au projet: + +``` /bash +oc new-project keel +oc adm policy add-scc-to-user anyuid -z keel +``` + +- Les manifests ne sont pas directement fournis, l\'application est + distribuée sous forme de Helm charts: + +``` /bash +helm repo add keel https://charts.keel.sh +helm repo update +helm upgrade --install keel --namespace=keel keel/keel --set helmProvider.enabled="false" +``` + +- On rajoute un secret docker + +``` /bash +oc create secret docker-registry docker.io --docker-server=docker.io --docker-username= --docker-password= +oc secrets link keel docker.io --for=pull +watch -d -n1 oc get pods +oc get sa default -o yaml +``` + +- keel est fonctionnel mais sa plus-value réside dans l\'interface + web. 
Il faut définir au miminum les variable de login et de mdp pour + que l\'interface soit disponible: + +``` /bash +oc set env deployment.apps/keel BASIC_AUTH_USER=admin BASIC_AUTH_PASSWORD=password +``` + +- On peut alors créer un service `clusterip` + +``` /bash +oc create service clusterip keel-ui --tcp 9300:9300 +oc set selector service/keel-ui 'app=keel' +oc expose service/keel-ui +oc get route +``` + +## Paramétrage des Images à tracker + +Les images à tracker se paramètrent dans leur fichier de déploiement +`Deployment` au moyen minimum de deux annotations: + +``` /yaml +... + annotations: + keel.sh/policy: minor # <-- policy name according to https://semver.org/ + keel.sh/trigger: poll # <-- actively query registry, otherwise defaults to webhooks +``` + +- en CLI + +``` /bash +oc annotate deploy/wd keel.sh/policy=force keel.sh/trigger=poll keel.sh/policy=minor +``` + +- Interface web: + +On peut tout faire très intuitivement dans l\'interface au moyen des +boutons à droite de chaque `Deployment` + +![selection_304.png](files/selection_304.png) + +- Règles de déploiement: + + diff --git a/documentation/lien_nfs.md b/documentation/lien_nfs.md new file mode 100644 index 0000000..61c8e0f --- /dev/null +++ b/documentation/lien_nfs.md 
@@ -0,0 +1,211 @@ +======= Lien NFS ======= + +## Drivers CSI + +Les `persistentVolumes` ou `pv` permettent de définir des volumes gérés +nativement par OKD par le biais de storageClass. Il existe différentes +façons de définir une storageClass, La méthode moderne recommandée par +OKD est de passer des `Container Storage Interface`, autrement dit des +programmes qui exécutent l\'interfaçage entre Kubernetes et le provider +de stockage. + + +Dans notre cas, le `sc` par défaut est `ovirt-csi`, qui a été +provisionné par l\'installateur `IPI`. +. +Ce driver crée des disques ovirt rattachés aux VMs worker d\'OKD. Bien +que pratique dans notre cas, ce driver n\'est maintenant plus maintenu à +causes de ses limitations (et de la fin de maintenant de RHV). Ces +limitations sont entre autre: + +- pas de snapshot possible +- pas de mode ReadWriteMany (RWX) + +Il est donc impossible de créer des `persistentVolumesClaim` avec ce +driver. Plusieurs choix s\'offrent alors à nous suivant cette matrice +des CSI supportés: + +![](/files/selection_393.png) + +L\'idéal pour nous sera d\'utiliser OpenDataFoundation (`ODF`) avec le +support de CephFS, mais il est aussi possible d\'adopter un montage +classique NFS que nous décrirons ici + +## Mise en pratique + +### Création du partage sur le NAS + +Nous allons potentiellement utiliser le partage sur 4 NAS: + +- methana +- erebus +- sotora +- solo + +et partager chacun des volumes de ces NAS. + +``` /bash +cat /etc/exports +/pool_SAS_1 10.35.0.0/16(rw,root_squash) 10.34.102.0/23(rw,root_squash) +/pool_SAS_2 10.35.0.0/16(rw,root_squash) 10.34.102.0/23(rw,root_squash) +/pool_SSD_1 10.35.0.0/16(rw,root_squash) 10.34.102.0/23(rw,root_squash) +``` + +``` /bash +systemctl reload nfs-server +``` + +### Création de PV + +La documentation de `oc` prévoit un partage NFS natif en ligne de +commande + +``` /bash +oc set volume --help +... + -t, --type='': + Type of the volume source for add operation. 
Supported options: emptyDir, hostPath, secret, configmap, persistentVolumeClaim +``` + +Mais son utilisation dans un deployment n\'est plus nativement +supportée. + +Il faut donc passer par la méthode traditionnelle kubernetes qui est la +création d\'un PV: + +``` /bash +oc apply -f - <\" -o +\"awscliv2.zip\" unzip awscliv2.zip sudo ./aws/install \--bin-dir +/usr/local/bin \--install-dir /usr/local/aws-cli \--update aws +\--version + +### Configuration Globale + +#### Mode direct + +- Non sécurisé + +``` /bash +aws --endpoint http://endpoint +``` + +- Sécurisé sans certificat + +``` /bash +aws --endpoint https://endpoint --no-verify-ssl +``` + +- Sécurisé avec le certificat ingress d\'OKD généré par défaut + +Récupérer le certificat root: + +``` /bash +oc get -o json secret router-certs-default -n openshift-ingress | jq -r '.data|map_values(@base64d)|to_entries[]|select(.key=="tls.crt").value' > /tmp/ingress.crt +``` + +``` /bash +aws --endpoint https://endpoint --ca-bundle=/tmp/ingress.crt +# ou bien en exportant la variable +export AWS_CA_BUNDLE=/tmp/ingress.crt +``` + +#### Avec fichier de config + +- Création du fichier **credentials** + +``` /bash +cat ~/.aws/credentials +[admin] +aws_access_key_id = '' +aws_secret_access_key = '' +``` + +- Création du fichier **config** + +``` /bash +cat ~/.aws/config +[profile admin] +endpoint_url = https://endpoint +ca_bundle = /tmp/ingress.crt +region = Montpellier +``` + +**NB**: le fichier config doit contenir au moins une region pour éviter +l\'authentification du client auprès des serveurs d\'Amazon. Cependant, +on peut désactiver cette fonctionnalité en exportant la variable: + +``` /bash +export AWS_EC2_METADATA_DISABLED=true +``` + +## Le mode Objet + +### Rados Gateway (RGW) + +RADOS est le daemon qui permet à OKD de présenter objets Ceph sous forme +d\'une API S3 (Amazon) ou Swift (Openstack) compatible. C\'est l\'unique +passerelle entre Ceph et le client installé par ODF. 
Rook.io est +l\'orchestrateur qui déploie Ceph et rados et les présente sous les 3 +formes: + +- file: cephfs +- block: cephrbd +- object: RGW + +![](/files/selection_401.png) + +#### Installation du client radosgw + +Le client RADOS n\'est pas installé par défaut pour contrôler le cluster +Ceph puisque RedHat pousse à l\'utilisation de MCGW pour le cloud +hybride. Pour contrôler le backend ceph, il faut donc activer `radosgw` +de cette façon: + +``` /bash +oc patch OCSInitialization ocsinit -n openshift-storage --type json --patch '[{ "op": "replace", "path": "/spec/enableCephTools", "value": true }]' +``` + +L\'exécution se fait donc dans un container auquel on accède ainsi: + +``` /bash +oc rsh -n openshift-storage $(oc get pod -n openshift-storage -l app=rook-ceph-tools -o jsonpath='{.items[0].metadata.name}') +# ou bien: +oc -n openshift-storage rsh $(oc get pods -n openshift-storage -l app=rook-ceph-tools -o name) +``` + +on peut à partir de là consulter ou créer différentes ressources du +backend Ceph: + +``` /bash +$ radosgw-admin user create --display-name="Your user" --uid=your-user +$ radosgw-admin user info --uid your-user + +$ radosgw-admin buckets list +[ + "rook-ceph-bucket-checker-8104169c-60b4-4458-b224-8041031d9718", + "nb.1683297491248.apps.orchidee.okd-dev.abes.fr" +] +``` + +A noter qu\'on peut également (non recommandé) exécuter dans ce +container la commande `ceph` pour superviser quelques commandes natives +au cluster. 
+ +``` /bash +sh-4.4$ ceph -s + cluster: + id: b654dd82-706d-4b72-9ba6-c6a70b9c2d1b + health: HEALTH_OK + + services: + mon: 3 daemons, quorum a,b,c (age 2w) + mgr: a(active, since 2w) + mds: 1/1 daemons up, 1 hot standby + osd: 3 osds: 3 up (since 2w), 3 in (since 13M) + rgw: 1 daemon active (1 hosts, 1 zones) + + data: + volumes: 1/1 healthy + pools: 12 pools, 353 pgs + objects: 92.73k objects, 9.3 GiB + usage: 26 GiB used, 1.5 TiB / 1.5 TiB avail + pgs: 353 active+clean + + io: + client: 1.6 KiB/s rd, 7.0 KiB/s wr, 2 op/s rd, 0 op/s wr +``` + +#### Configuration par défaut de RGW par ODF + +- Utilisateur **noobaa-ceph-objectstore-user** + +L\'utilisateur `noobaa-ceph-objectstore-userr` est spécialement créé +pour RGW par ODF. + +``` /bash +radosgw-admin user info --uid noobaa-ceph-objectstore-user | jq '.keys[]' +{ + "user": "noobaa-ceph-objectstore-user", + "access_key": "", + "secret_key": "" +} +``` + +ou avec `oc` + +``` /bash +oc get cephobjectstoreusers.ceph.rook.io -n openshift-storage +NAME PHASE +noobaa-ceph-objectstore-user Ready +ocs-storagecluster-cephobjectstoreuser Ready +prometheus-user Ready +``` + +C\'est cet utilisateur qu\'utilise ODF pour créér le **backingStore** +par défaut `noobaa-default-backing-store` avec le secret +`rook-ceph-object-user-ocs-storagecluster-cephobjectstore-noobaa-ceph-objectstore-user` + +- secret + **rook-ceph-object-user-ocs-storagecluster-cephobjectstore-noobaa-ceph-objectstore-user** + +``` /bash +oc get -o json secrets rook-ceph-object-user-ocs-storagecluster-cephobjectstore-noobaa-ceph-objectstore-user -n openshift-storage | jq -r '.data|map_values(@base64d)' +{ + "AccessKey": "", + "Endpoint": "https://rook-ceph-rgw-ocs-storagecluster-cephobjectstore.openshift-storage.svc:443", + "SecretKey": "" +} +``` + +- Bucket **nb.1683297491248.apps.orchidee.okd-dev.abes.fr** + +``` /bash +oc get -n openshift-storage backingstores.noobaa.io -o json noobaa-default-backing-store | jq -r '.spec.s3Compatible.targetBucket' +``` 
+ +- un service: **rook-ceph-rgw-ocs-storagecluster-cephobjectstore** + +``` /bash +oc get svc -n openshift-storage +``` + +- une route: + **ocs-storagecluster-cephobjectstore-openshift-storage.apps.orchidee.okd-dev.abes.fr** + +``` /bash +oc get route -n openshift-storage +NAME HOST/PORT PATH SERVICES PORT TERMINATION WILDCARD +ocs-storagecluster-cephobjectstore ocs-storagecluster-cephobjectstore-openshift-storage.apps.orchidee.okd-dev.abes.fr rook-ceph-rgw-ocs-storagecluster-cephobjectstore None +``` + +Cette route sera utilisée comme `endpoint` dans le fichier de +confguration de `aws` + +- une storageClass **ocs-storagecluster-ceph-rgw** + +``` /bash +oc get sc +``` + +- Un objectStore **ocs-storagecluster-cephobjectstore** + +``` /bash +oc get cephobjectstores.ceph.rook.io -n openshift-storage +NAME PHASE +ocs-storagecluster-cephobjectstore Connected +``` + +#### Configuration du client aws + +- fichier de credentials + +``` /bash +vi ~/.aws/credentials +[noobaa-ceph-objectstore-user] +aws_access_key_id = +aws_secret_access_key = +``` + +- fichier de config + +La configuration se fait uniquement en **http** et non en **https** + +``` /bash +vi ~/.aws/config +[profile noobaa-ceph-objectstore-user] +endpoint_url = http://ocs-storagecluster-cephobjectstore-openshift-storage.apps.orchidee.okd-dev.abes.fr +region = Montpellier +``` + +#### utilisation cu client aws + +``` /bash +aws s3api list-buckets --profile noobaa-ceph-objectstore-user +{ + "Buckets": [ + { + "Name": "nb.1683297491248.apps.orchidee.okd-dev.abes.fr", + "CreationDate": "2023-05-05T14:38:16.695000+00:00" + } + ], + "Owner": { + "DisplayName": "my display name", + "ID": "noobaa-ceph-objectstore-user" + } +} +``` + +#### comparaison des clients + +- `radosgw-admin` sert a gérer les utilisateurs, à consuter mais pas + de créer des **buckets** +- `aws` permet de créer des buckets à partir d\'utilisateurs existants + et fait le lien entre les deux. 
+ +#### Création d\'un utilisateur et d\'un bucket associés + +- Création d\'un utilisateur avec **radosgw-admin** + +On peut cependant créer d\'autres utilisateurs et buckets associés, mais +ceux créés par défaut par ODF peuvent suffire. + +La création d\'un utilisateur entraîne la génération d\'une +**access_key** et d\'une **secret_key** associée. Ce sont les données +qui seront demandées plus tard pour authentifier le **bucket**. + +``` /bash +radosgw-admin user info --uid your-user | jq '.keys[]' +{ + "user": "your-user", + "access_key": "", + "secret_key": "" +} +``` + +Pour obtenir tous les mots de passe d\'un coup: + +``` /bash +$ for i in $(radosgw-admin user list | jq -r '.[]'); do echo $i;radosgw-admin user info --uid $i | jq '.keys[]' +``` + +#### Création d\'une bucket + +- Avec le client **aws** ( lié à l\'utilisateur précédemment créé) + +``` /bash +aws s3api create-bucket --bucket your-user --profile your-user +{ + "Buckets": [ + { + "Name": "your-user", + "CreationDate": "2024-05-22T14:55:34.244000+00:00" + } + ], + "Owner": { + "DisplayName": "Your user", + "ID": "your-user" + } +} +``` + +- avec **oc** + +On peut également créer une nouvelle bucket en créant un +objectBuketClaimn en s\'appuyant sur la storageClass +**ocs-storagecluster-ceph-rgw** + +``` /bash +oc apply -f - < + +``` /bash +oc apply -f - < + +``` /bash +noobaa obc create tutu -n openshift-storage +``` + +- Récupération des objets `bucket` et `secrets` générés + +``` /bash +oc get ObjectBucketClaim tutu -n openshift-storage -o json | jq -r '.spec.bucketName' +tutu-e50058f9-a891-43a0-b20a-3d757f80d941 +``` + +``` /bash +oc get -n openshift-storage secrets tutu -o json | jq -r '.data|map_values(@base64d)' +{ + "AWS_ACCESS_KEY_ID": "", + "AWS_SECRET_ACCESS_KEY": "" +} +``` + +``` /bash +noobaa obc status tutu -n openshift-storage + +ObjectBucketClaim info: + Phase : Bound + ObjectBucketClaim : kubectl get -n openshift-storage objectbucketclaim tutu + ConfigMap : kubectl get -n 
openshift-storage configmap tutu + Secret : kubectl get -n openshift-storage secret tutu + ObjectBucket : kubectl get objectbucket obc-openshift-storage-tutu + StorageClass : kubectl get storageclass openshift-storage.noobaa.io + BucketClass : kubectl get -n openshift-storage bucketclass tutu-bucket-class + +Connection info: + BUCKET_HOST : s3.openshift-storage.svc + BUCKET_NAME : tutu-e50058f9-a891-43a0-b20a-3d757f80d941 + BUCKET_PORT : 443 + AWS_ACCESS_KEY_ID : + AWS_SECRET_ACCESS_KEY : + +Shell commands: + AWS S3 Alias : alias s3='AWS_ACCESS_KEY_ID='' AWS_SECRET_ACCESS_KEY='' aws s3 --no-verify-ssl --endpoint-url https://10.35.212.157:30937' + +Bucket status: + Name : tutu-e50058f9-a891-43a0-b20a-3d757f80d941 + Type : REGULAR + Mode : OPTIMAL + ResiliencyStatus : OPTIMAL + QuotaStatus : QUOTA_NOT_SET + Num Objects : 0 + Data Size : 0.000 B + Data Size Reduced : 0.000 B + Data Space Avail : 1.000 PB + Num Objects Avail : 9007199254740991 + +``` + +- Création d\'un backingStore utilisant le secret et la targetBucket + prédécemment générés + + + +``` /bash +noobaa backingstore create s3-compatible tutu --access-key='' --secret-key='' --target-bucket tutu-e50058f9-a891-43a0-b20a-3d757f80d941 -n openshift-storage +``` + +``` /bash +oc apply -f - < + +``` /bash +noobaa bucketclass create placement-bucketclass tutu-bucket-class --backingstores=tutu +``` + +``` /bash +oc apply -f - <\*\* + +A noter que le endpoint contrairement à RGW se présente sous la forme +interne, à savoir, `service.namespace.svc` + +- targetBucket **tutu-e50058f9-a891-43a0-b20a-3d757f80d941** +- un service **s3** + +``` /bash +oc get svc -n openshift-storage +NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE +TCP,443/TCP 388d +s3 LoadBalancer 172.30.239.146 80:30321/TCP,443:30937/TCP,8444:30063/TCP,7004:32220/TCP 388d +``` + +- une route **s3-openshift-storage.apps.orchidee.okd-dev.abes.fr** + +``` /bash +oc get route -n openshift-storage +NAME HOST/PORT PATH SERVICES PORT TERMINATION WILDCARD +s3 
s3-openshift-storage.apps.orchidee.okd-dev.abes.fr s3 s3-https +``` + +#### Accès par le client + +- On récupère toutes les informations de connexion via + +``` /bash +noobaa obc status tutu -n openshift-storage + +aws --endpoint https://s3-openshift-storage.apps.orchidee.okd-dev.abes.fr --no-verify-ssl +``` + +- Connexion avec le client: + +#### Mode direct + +- Non sécurisé + +``` /bash +aws --endpoint http://endpoint +``` + +- Sécurisé sans certificat + +``` /bash +aws --endpoint https://s3-openshift-storage.apps.orchidee.okd-dev.abes.fr --no-verify-ssl +``` + +- Sécurisé avec le certificat ingress d\'OKD généré par défaut + +Récupérer le certificat root: + +``` /bash +oc get -o json secret router-certs-default -n openshift-ingress | jq -r '.data|map_values(@base64d)|to_entries[]|select(.key=="tls.crt").value' > /tmp/ingress.crt +``` + +``` /bash +aws --endpoint https://s3-openshift-storage.apps.orchidee.okd-dev.abes.fr --ca-bundle=/tmp/ingress.crt +# ou bien en exportant la variable +export AWS_CA_BUNDLE=/tmp/ingress.crt +``` + +#### Avec fichier de config + +- Création du fichier **credentials** + +``` /bash +cat ~/.aws/credentials +[admin] +aws_access_key_id = "" +aws_secret_access_key = "" +``` + +- Création du fichier **config** + +``` /bash +cat ~/.aws/config +[profile admin] +endpoint_url = https://s3-openshift-storage.apps.orchidee.okd-dev.abes.fr +ca_bundle = /tmp/ingress.crt +region = Montpellier +``` + +``` /bash +aws --ca-bundle=/tmp/ingress.crt s3api list-buckets --endpoint https://s3-openshift-storage.apps.orchidee.okd-dev.abes.fr --profile admin +# ou bien en exportant la variable +export AWS_CA_BUNDLE=/tmp/ingress.crt +``` + +#### Mirrored MCG + +On peut dans une BucketClass donnée sélectionner des backingStores pour +sécuriser les données. Pour ce faire, il faut créer un nouveau +objectBucketClaim à qui on va attribuer cette classe. 
+ +- Création ou mise à jour de la classe: + +``` /bash +noobaa backingstore list -n openshift-storage +NAME TYPE TARGET-BUCKET PHASE AGE +nat s3-compatible nat-cf3a745b-ac64-440f-b6e4-02531d6d41b8 Ready 1d4h45m19s +noobaa-default-backing-store s3-compatible nb.1683297491248.apps.orchidee.okd-dev.abes.fr Ready 1y34d7h25m21s +test s3-compatible test-c0127d64-b478-43d1-9566-53deda2caf4f Ready 7h34m38s +tutu s3-compatible tutu Ready 10d11h16m24s +``` + +``` /bash +noobaa bucketclass create placement-bucketclass mirror --backingstores=test,tutu --placement Mirror +``` + +``` /bash +oc apply -f < + +Tout comme un `pvc`, il est possible d\'attacher un `obc` à un +deployment de façon à ce que le pod puisse lire les informations +relatives à l\'OBC. + +Mais alors qu\'un pvc créé avec une storageClass `cephfs` ou `cephrbd` +va permettre à ce qu\'un pod accède aux informations contenues par le +moyen d\'un montage fs ou bloc, l\'obc a la particularité de monter deux +éléments contenant des variables, et que l\'application du pod va +pouvoir utiliser indirectement pour consommer les ressources de la +bucket. 
+
+#### secret
+
+``` /bash
+oc extract secrets/ceph-bucket -n default --to=-
+# AWS_ACCESS_KEY_ID
+""
+# AWS_SECRET_ACCESS_KEY
+""
+```
+
+#### configMap
+
+``` /bash
+oc get cm -n movies-docker-ceph movies-docker-ceph -oyaml | oc neat
+apiVersion: v1
+data:
+ BUCKET_HOST: rook-ceph-rgw-ocs-storagecluster-cephobjectstore.openshift-storage.svc
+ BUCKET_NAME: movies-docker-ceph-722ee512-df61-4d19-a8b9-efffa669abf7
+ BUCKET_PORT: "443"
+ BUCKET_REGION: ""
+ BUCKET_SUBREGION: ""
+kind: ConfigMap
+metadata:
+ labels:
+ bucket-provisioner: openshift-storage.ceph.rook.io-bucket
+ name: movies-docker-ceph
+ namespace: movies-docker-ceph
+```
+
+#### Accès aux données de la bucket depuis un pod
+
+Grâce à la directive `envFrom`
+
+``` /bash
+apiVersion: v1
+kind: Pod
+metadata:
+ name: bucket-example
+spec:
+ containers:
+ - image: myimage
+ env:
+ - name: AWS_CA_BUNDLE
+ value: /run/secrets/kubernetes.io/serviceaccount/service-ca.crt
+ envFrom:
+ - configMapRef:
+ name: example-rgw
+ - secretRef:
+ name: example-rgw
+ [...]
+```
diff --git a/documentation/recuperer_mdp.md b/documentation/recuperer_mdp.md
new file mode 100644
index 0000000..c61f21a
--- /dev/null
+++ b/documentation/recuperer_mdp.md
@@ -0,0 +1,19 @@
+# Récupérer un mot de passe
+
+Les fichiers sont cryptés en base 64 dans OKD. On peut facilement les
+récupérer dans l\'interface d\'OKD:
+
+ Administrator => Workloads => Secrets
+
+On choisit le namespace dans lequel se trouve le `secret` à décrypter,
+le secret en question et on appuie `reveal value`
+
+On peut faire la même chose avec `oc` (exemple qui suit avec un
+bindPassword)
+
+``` /bash
+ oc get secret ldap-bind-password-676wf -o yaml -n openshift-config -ojsonpath={.data.bindPassword} |base64 -d
+```
+
+On peut adapter le jsonpath en fonction de la nature du password contenu
+dans le `oc get secret`.
diff --git a/documentation/redeploiement_cluster_operator.md b/documentation/redeploiement_cluster_operator.md
new file mode 100644
index 0000000..b99dffb
--- /dev/null
+++ b/documentation/redeploiement_cluster_operator.md
@@ -0,0 +1,78 @@
+## Redéploiement d\'un cluster operator
+
+Les **cluster operators** sont les services kubernetes essentiels au
+fonctionnement du cluster OKD. Ils se déploient également sous la forme
+de pods tournant exclusivement sur les masters.
+
+``` /bash
+oc get co
+
+NAME VERSION AVAILABLE PROGRESSING DEGRADED SINCE MESSAGE
+authentication 4.12.0-0.okd-2023-04-01-051724 True False False 4d7h
+baremetal 4.12.0-0.okd-2023-04-01-051724 True False False 75d
+cloud-controller-manager 4.12.0-0.okd-2023-04-01-051724 True False False 75d
+cloud-credential 4.12.0-0.okd-2023-04-01-051724 True False False 75d
+cluster-autoscaler 4.12.0-0.okd-2023-04-01-051724 True False False 75d
+config-operator 4.12.0-0.okd-2023-04-01-051724 True False False 75d
+console 4.12.0-0.okd-2023-04-01-051724 True False False 4d7h
+control-plane-machine-set 4.12.0-0.okd-2023-04-01-051724 True False False 75d
+csi-snapshot-controller 4.12.0-0.okd-2023-04-01-051724 True False False 14d
+dns 4.12.0-0.okd-2023-04-01-051724 True False False 75d
+etcd 4.12.0-0.okd-2023-04-01-051724 True False False 15d
+image-registry 4.12.0-0.okd-2023-04-01-051724 True False False 4d20h
+ingress 4.12.0-0.okd-2023-04-01-051724 True False False 6d8h
+insights 4.12.0-0.okd-2023-04-01-051724 True False False 75d
+kube-apiserver 4.12.0-0.okd-2023-04-01-051724 True False False 75d
+kube-controller-manager 4.12.0-0.okd-2023-04-01-051724 True False False 75d
+kube-scheduler 4.12.0-0.okd-2023-04-01-051724 True False False 75d
+kube-storage-version-migrator 4.12.0-0.okd-2023-04-01-051724 True False False 4d8h
+machine-api 4.12.0-0.okd-2023-04-01-051724 True False False 75d
+machine-approver 4.12.0-0.okd-2023-04-01-051724 True False False 75d
+machine-config 4.12.0-0.okd-2023-04-01-051724 True False False 4d8h
+marketplace 4.12.0-0.okd-2023-04-01-051724 True False False 75d
+monitoring 4.12.0-0.okd-2023-04-01-051724 True False False 11d
+network 4.12.0-0.okd-2023-04-01-051724 True False False 75d
+node-tuning 4.12.0-0.okd-2023-04-01-051724 True False False 5d
+openshift-apiserver 4.12.0-0.okd-2023-04-01-051724 True False False 4d7h
+openshift-controller-manager 4.12.0-0.okd-2023-04-01-051724 True False False 75d
+openshift-samples 4.12.0-0.okd-2023-04-01-051724 True False False 5d
+operator-lifecycle-manager 4.12.0-0.okd-2023-04-01-051724 True False False 75d
+operator-lifecycle-manager-catalog 4.12.0-0.okd-2023-04-01-051724 True False False 75d
+operator-lifecycle-manager-packageserver 4.12.0-0.okd-2023-04-01-051724 True False False 14d
+service-ca 4.12.0-0.okd-2023-04-01-051724 True False False 75d
+storage 4.12.0-0.okd-2023-04-01-051724 True False False 14d
+```
+
+Les deux opérateurs qui peuvent poser le plus de problèmes sont `etcd`
+et `kube-apiserver`.
+
+Le namespace dans lequel ils évoluent est de la forme
+**openshift-\**
+
+Voici la marche à suivre pour les relancer:
+
+``` /bash
+NAMESPACE=openshift-etcd
+oc get co etcd
+oc get co etcd -o json | jq -r '.status.conditions[] | select(.type =="Degraded")'
+# désactivation du quorum pour remplacement d'un noeud etcd
+# oc patch etcd/cluster --type=merge -p '{"spec": {"unsupportedConfigOverrides": {"useUnsupportedUnsafeNonHANonProductionUnstableEtcd": true}}}'
+oc patch etcd/cluster --type=merge -p '{"spec": {"unsupportedConfigOverrides": null}}'
+oc get pods -n $NAMESPACE
+for i in $(oc get -n $NAMESPACE pods | grep 'Error\|Completed\|retry' | cut -d' ' -f1); do echo $i; oc delete -n $NAMESPACE pods $i; done
+oc patch etcd/cluster --type merge -p "{\"spec\":{\"forceRedeploymentReason\":\"Forcing new revision with random number $RANDOM to make message unique\"}}"
+oc get co
+```
+
+``` /bash
+NAMESPACE=openshift-kube-apiserver
+oc get co kube-apiserver
+oc get co kube-apiserver -o json | jq -r '.status.conditions[] | select(.type =="Degraded")'
+# désactivation du quorum pour remplacement d'un noeud etcd
+# oc patch kubeapiserver/cluster --type=merge -p '{"spec": {"unsupportedConfigOverrides": {"useUnsupportedUnsafeNonHANonProductionUnstableEtcd": true}}}'
+oc patch kubeapiserver/cluster --type=merge -p '{"spec": {"unsupportedConfigOverrides": null}}'
+oc get pods -n $NAMESPACE
+for i in $(oc get -n $NAMESPACE pods | grep 'Error\|Completed\|retry' | cut -d' ' -f1); do echo $i; oc delete -n $NAMESPACE pods $i; done
+oc patch kubeapiserver/cluster --type merge -p "{\"spec\":{\"forceRedeploymentReason\":\"Forcing new revision with random number $RANDOM to make message unique\"}}"
+oc get co
+```
diff --git a/documentation/registry.md b/documentation/registry.md
new file mode 100644
index 0000000..c5e0a62
--- /dev/null
+++ b/documentation/registry.md
@@ -0,0 +1,506 @@
+# Registry d\'images Docker
+
+## Nécessité d\'un registry
+
+Openshift/OKD, contrairement à une stack kubernetes standard, intègre un
+registry d\'image prêt à l\'emploi déployé sous forme d\'opérateur:
+
+``` /bash
+oc get all -n openshift-image-registry
+NAME READY STATUS RESTARTS AGE
+pod/cluster-image-registry-operator-7f69b9db5d-245nn 1/1 Running 1 (88d ago) 101d
+pod/image-pruner-28644480-9nrk5 0/1 Completed 0 2d16h
+pod/image-pruner-28645920-x552f 0/1 Completed 0 40h
+pod/image-pruner-28647360-ctvsr 0/1 Completed 0 16h
+pod/image-registry-7476b49c58-dwfjd 1/1 Running 0 3d3h
+pod/node-ca-2b496 1/1 Running 7 419d
+pod/node-ca-6nmpz 1/1 Running 8 419d
+pod/node-ca-9mxdc 1/1 Running 10 419d
+pod/node-ca-fcjrk 1/1 Running 7 419d
+pod/node-ca-kmftk 1/1 Running 7 419d
+pod/node-ca-lh2z9 1/1 Running 6 419d
+pod/node-ca-q9skh 1/1 Running 8 419d
+pod/node-ca-tm79n 1/1 Running 6 412d
+pod/node-ca-wlgcf 1/1 Running 6 412d
+pod/node-ca-xlcp8 1/1 Running 5 412d
+
+NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
+service/image-registry ClusterIP 172.30.183.182 5000/TCP 483d
+service/image-registry-operator ClusterIP None 60000/TCP 483d
+
+NAME DESIRED CURRENT READY UP-TO-DATE AVAILABLE NODE SELECTOR AGE
+daemonset.apps/node-ca 10 10 10 10 10 kubernetes.io/os=linux 483d
+
+NAME READY UP-TO-DATE AVAILABLE AGE
+deployment.apps/cluster-image-registry-operator 1/1 1 1 483d
+deployment.apps/image-registry 1/1 1 1 483d
+
+NAME DESIRED CURRENT READY AGE
+replicaset.apps/cluster-image-registry-operator-74fcc9f669 0 0 0 483d
+replicaset.apps/cluster-image-registry-operator-7f69b9db5d 1 1 1 405d
+replicaset.apps/cluster-image-registry-operator-fd7d9cbf9 0 0 0 419d
+replicaset.apps/image-registry-7476b49c58 1 1 1 88d
+replicaset.apps/image-registry-847fc7fb97 0 0 0 483d
+replicaset.apps/image-registry-856c9cd9bb 0 0 0 419d
+replicaset.apps/image-registry-86cd4c598f 0 0 0 88d
+replicaset.apps/image-registry-94b6b4885 0 0 0 483d
+
+NAME SCHEDULE SUSPEND ACTIVE LAST SCHEDULE AGE
+cronjob.batch/image-pruner 0 0 * * * False 0 16h 483d
+
+NAME COMPLETIONS DURATION AGE
+job.batch/image-pruner-28644480 1/1 9s 2d16h
+job.batch/image-pruner-28645920 1/1 8s 40h
+job.batch/image-pruner-28647360 1/1 8s 16h
+```
+
+Le registry est un catalogue d\'images docker versionné par des tags.
+Chaque version de cette image hébergée sur des catalogues extérieurs
+(dockerhub.io, quay.io, etc\...) à laquelle fera appel un `deployment`
+sera téléchargée et stockée sur ce catalogue interne. Il est alors
+possible de créer des règles qui permettront de surveiller et de
+comparer la version de l\'image en interne avec celle du registry
+distant, et en fonction de déclencher un nouvel import.
+
+De la même façon, on peut y stocker des images buildées en interne,
+avant de les publier sur un catalogue extérieur.
+
+## Accessibilité
+
+### clients
+
+On y accède indifféremment avec `docker` ou `podman`.
+
+### users
+
+Si on n\'utilise pas le superutilisateur `kubeadmin`, il faut ajouter à
+un simple utilisateur certains droits pour accéder au registry:
+
+``` /bash
+oc policy add-role-to-user registry-viewer sblanchet
+oc policy add-role-to-user registry-editor sblanchet
+```
+
+### interne
+
+Par défaut ce registry est uniquement accessible en interne sur le
+service `image-registry.openshift-image-registry.svc:5000`. Pour
+utiliser le service interne, il faut se connecter alors depuis un
+worker. On peut considérer cette façon de faire comme un mode dépannage
+rapide, en négligeant le support du TLS.
+
+``` /bash
+oc debug nodes/v212-t4k2k-worker-0-dgjzp
+chroot /host
+oc login https://api.orchidee.okd-dev.abes.fr:6443 -u sblanchet -n
+podman login -u sblanchet -p $(oc whoami -t) image-registry.openshift-image-registry.svc:5000 --tls-verify=false
+```
+
+### externe
+
+L\'idéal est d\'avoir le client `podman` ou `docker` directement sur son
+poste de travail, ce qui permet notamment de configurer une bonne fois
+pour toutes la couche de sécurité TLS.
+
+Par défaut, le service `image-registry` n\'est pas exposé pour un accès
+à l\'extérieur du cluster. Il faut donc l\'activer
+(
+):
+
+``` /bash
+oc login https://api.orchidee.okd-dev.abes.fr:6443 -u kubeadmin -n
+oc patch configs.imageregistry.operator.openshift.io/cluster --patch '{"spec":{"defaultRoute":true}}' --type=merge
+
+oc get route default-route -n openshift-image-registry -o json | jq -r .spec.host
+NAME HOST/PORT PATH SERVICES PORT TERMINATION WILDCARD
+route.route.openshift.io/default-route default-route-openshift-image-registry.apps.orchidee.okd-dev.abes.fr image-registry reencrypt None
+
+HOST=$(oc get route default-route -n openshift-image-registry -o json | jq -r .spec.host)
+```
+
+On peut alors s\'y connecter simplement (sans TLS) ainsi;
+
+``` /bash
+podman login -u $(oc whoami) -p $(oc whoami -t) default-route-openshift-image-registry.apps.orchidee.okd-dev.abes.fr --tls-verify=false
+Login Succeeded!
+```
+
+### Support du TLS
+
+#### Création du répertoire contenant le certificat
+
+Par défaut, le répertoire `certs.d` n\'existe pas, il faut donc le
+créer, ainsi que le sous-répertoire qui contient l\'url qui sera
+appelée, ici
+`default-route-openshift-image-registry.apps.orchidee.okd-dev.abes.fr`
+
+- podman
+
+``` /bash
+mkdir -p /etc/containers/certs.d/${HOST}
+```
+
+- docker
+
+``` /bash
+mkdir -p /etc/docker/certs.d/${HOST}
+```
+
+#### récupération du certificat root du routeur ingress
+
+``` /bash
+oc get secret -n openshift-ingress router-certs-default -o go-template='{{index .data "tls.crt"}}' | base64 -d | sudo tee /etc/containers/certs.d/${HOST}/${HOST}.crt > /dev/null
+# ou bien
+oc extract secret/router-certs-default -n openshift-ingress --to=/etc/containers/certs.d/$HOST/
+oc get secret -n openshift-ingress router-certs-default -o go-template='{{index .data "tls.crt"}}' | base64 -d | sudo tee /etc/docker/certs.d/${HOST}/${HOST}.crt > /dev/null
+# ou bien
+oc extract secret/router-certs-default -n openshift-ingress --to=/etc/docker/certs.d/$HOST/
+```
+
+#### Connexion
+
+``` /bash
+podman login -u $(oc whoami) -p $(oc whoami -t) $HOST
+docker login -u $(oc whoami) -p $(oc whoami -t) $HOST
+```
+
+Pour mémoire, même si cela a peut d\'intérêt en utilisant la méthode
+ci-dessus, on peut aussi se connecter en indiquant un certificat en
+particulier:
+
+- podman
+
+``` /bash
+podman login default-route-openshift-image-registry.apps.orchidee.okd-dev.abes.fr --tls-verify --cert-dir /etc/containers/certs.d/
+```
+
+- docker
+
+Il faut d\'abord rajouter le certificat ca dans /etc/ssl/certs en
+changeant l\'option `pem` par l\'extension `crt`
+
+``` /bash
+cd /etc/ssl/certs
+oc get secret -n openshift-ingress router-certs-default -o go-template='{{index .data "tls.crt"}}' | base64 -d | sudo tee ${HOST}.crt > /dev/null
+mv apps-orchidee-okd-dev-abes-fr.pem apps-orchidee-okd-dev-abes-fr.crt
+```
+
+ docker --tlscacert /etc/docker/certs.d/default-route-openshift-image-registry.apps.orchidee.okd-dev.abes.fr.crt login default-route-openshift-image-registry.apps.orchidee.okd-dev.abes.fr
+
+## Quay.io
+
+
+
+`Quay.io` est le service de registry en ligne proposé par RedHat. Il est
+également disponible en version on premise installable sous OKD sous
+forme d\'operateur.
+
+### Installation
+
+Operator -\> OperatorHub -\> Red Hat Quay Bridge Operator
+L\'installation peut se faire dans un namespace précis, mais il est
+conseillé de le faire dans tous les namespaces. Dans les exemples
+suivant, on crée le namespace `quay-registry` au moment de
+l\'installation de l\'opérateur.
+
+### Vérification
+
+``` /bash
+oc get all -n quay-registry
+NAME READY STATUS RESTARTS AGE
+pod/first-registry-clair-app-7c4bb8758c-brsjj 1/1 Running 0 3d1h
+pod/first-registry-clair-app-b9f57dfbc-cv8gl 0/1 Pending 0 4d4h
+pod/first-registry-clair-app-b9f57dfbc-jtnb4 0/1 Pending 0 2d23h
+pod/first-registry-clair-postgres-56b74fcbc4-ljs7z 1/1 Running 0 4d3h
+pod/first-registry-quay-app-56bcf564db-sjlgs 0/1 Pending 0 4d1h
+pod/first-registry-quay-app-6f6fc5c598-nwtx9 0/1 Pending 0 2d23h
+pod/first-registry-quay-app-6f6fc5c598-rr9km 1/1 Running 0 3d2h
+pod/first-registry-quay-app-upgrade-ds4r9 0/1 Completed 3 4d4h
+pod/first-registry-quay-database-6c7c878bdb-jxwtv 1/1 Running 0 4d4h
+pod/first-registry-quay-mirror-b8df68446-clpph 1/1 Running 0 3d2h
+pod/first-registry-quay-mirror-b8df68446-fmxsm 1/1 Running 0 3d2h
+pod/first-registry-quay-redis-6f74bffb6d-dpcnj 1/1 Running 0 4d3h
+
+NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
+service/first-registry-clair-app ClusterIP 172.30.159.44 80/TCP,8089/TCP 4d4h
+service/first-registry-clair-postgres ClusterIP 172.30.50.220 5432/TCP 4d4h
+service/first-registry-quay-app ClusterIP 172.30.67.169 443/TCP,80/TCP,8081/TCP,55443/TCP 4d4h
+service/first-registry-quay-database ClusterIP 172.30.86.243 5432/TCP 4d4h
+service/first-registry-quay-metrics ClusterIP 172.30.227.132 9091/TCP 4d4h
+service/first-registry-quay-redis ClusterIP 172.30.236.180 6379/TCP 4d4h
+
+NAME READY UP-TO-DATE AVAILABLE AGE
+deployment.apps/first-registry-clair-app 1/2 2 1 4d4h
+deployment.apps/first-registry-clair-postgres 1/1 1 1 4d4h
+deployment.apps/first-registry-quay-app 1/2 2 1 4d4h
+deployment.apps/first-registry-quay-database 1/1 1 1 4d4h
+deployment.apps/first-registry-quay-mirror 2/2 2 2 4d4h
+deployment.apps/first-registry-quay-redis 1/1 1 1 4d4h
+
+NAME DESIRED CURRENT READY AGE
+replicaset.apps/first-registry-clair-app-7c4bb8758c 1 1 1 4d4h
+replicaset.apps/first-registry-clair-app-b9f57dfbc 2 2 0 4d4h
+replicaset.apps/first-registry-clair-postgres-569f974c98 0 0 0 4d4h
+replicaset.apps/first-registry-clair-postgres-56b74fcbc4 1 1 1 4d4h
+replicaset.apps/first-registry-quay-app-56bcf564db 1 1 0 4d1h
+replicaset.apps/first-registry-quay-app-5c88898b8b 0 0 0 4d4h
+replicaset.apps/first-registry-quay-app-655c5fdcfd 0 0 0 4d4h
+replicaset.apps/first-registry-quay-app-6f6fc5c598 2 2 1 3d2h
+replicaset.apps/first-registry-quay-database-6c7c878bdb 1 1 1 4d4h
+replicaset.apps/first-registry-quay-database-8495f75c58 0 0 0 4d4h
+replicaset.apps/first-registry-quay-mirror-64654b76db 0 0 0 4d1h
+replicaset.apps/first-registry-quay-mirror-655496f946 0 0 0 4d4h
+replicaset.apps/first-registry-quay-mirror-b8df68446 2 2 2 3d2h
+replicaset.apps/first-registry-quay-mirror-f5656f4d4 0 0 0 4d4h
+replicaset.apps/first-registry-quay-redis-6f74bffb6d 1 1 1 4d4h
+replicaset.apps/first-registry-quay-redis-7556559476 0 0 0 4d4h
+
+NAME REFERENCE TARGETS MINPODS MAXPODS REPLICAS AGE
+horizontalpodautoscaler.autoscaling/first-registry-clair-app Deployment/first-registry-clair-app 23%/90%, 0%/90% 2 10 2 4d4h
+horizontalpodautoscaler.autoscaling/first-registry-quay-app Deployment/first-registry-quay-app 47%/90%, 3%/90% 2 20 2 4d4h
+horizontalpodautoscaler.autoscaling/first-registry-quay-mirror Deployment/first-registry-quay-mirror 35%/90%, 0%/90% 2 20 2 4d4h
+
+NAME COMPLETIONS DURATION AGE
+job.batch/first-registry-quay-app-upgrade 1/1 19m 4d4h
+
+NAME HOST/PORT PATH SERVICES PORT TERMINATION WILDCARD
+route.route.openshift.io/first-registry-quay first-registry-quay-quay-registry.apps.orchidee.okd-dev.abes.fr first-registry-quay-app http edge/Redirect None
+route.route.openshift.io/first-registry-quay-builder first-registry-quay-builder-quay-registry.apps.orchidee.okd-dev.abes.fr first-registry-quay-app grpc edge/Redirect None
+```
+
+Cette fois, la route du registry quay ainsi crée est donc:
+
+``` /bash
+HOST=first-registry-quay-quay-registry.apps.orchidee.okd-dev.abes.fr
+```
+
+Configuration du registry par défaut:
+
+``` /bash
+oc get -n quay-registry quayregistries.quay.redhat.com -o yaml
+apiVersion: v1
+items:
+- apiVersion: quay.redhat.com/v1
+ kind: QuayRegistry
+ metadata:
+ creationTimestamp: "2024-06-17T12:50:04Z"
+ finalizers:
+ - quay-operator/finalizer
+ generation: 2
+ name: first-registry
+ namespace: quay-registry
+ resourceVersion: "624060656"
+ uid: 22049a1a-4d99-48ed-a495-fe1a5373c9a1
+ spec:
+ components:
+ - kind: clair
+ managed: true
+ - kind: postgres
+ managed: true
+ - kind: objectstorage
+ managed: true
+ - kind: redis
+ managed: true
+ - kind: horizontalpodautoscaler
+ managed: true
+ - kind: route
+ managed: true
+ - kind: mirror
+ managed: true
+ - kind: monitoring
+ managed: true
+ - kind: tls
+ managed: true
+ - kind: quay
+ managed: true
+ - kind: clairpostgres
+ managed: true
+ configBundleSecret: first-registry-config-bundle-wql84
+```
+
+La mention `managed` permet de se servir des ressources du cluster okd.
+Si ces ressources étaient positionnées à `false`, alors il faudrait
+manuellement configurer tous ces services.
+
+`configBundleSecret` est la référence au fichier de configuration de
+quay qui est `config.yaml`. Celui par défaut a été directement généré
+par l\'opérateur avec des valeurs par défaut et mis sous la forme de
+`secrets`
+
+``` /bash
+oc extract secrets/first-registry-config-bundle-wql84 -n quay-registry --to=-
+# config.yaml
+ALLOW_PULLS_WITHOUT_STRICT_LOGGING: false
+AUTHENTICATION_TYPE: Database
+DEFAULT_TAG_EXPIRATION: 2w
+ENTERPRISE_LOGO_URL: /static/img/RH_Logo_Quay_Black_UX-horizontal.svg
+FEATURE_BUILD_SUPPORT: false
+FEATURE_DIRECT_LOGIN: true
+FEATURE_MAILING: false
+REGISTRY_TITLE: Red Hat Quay
+REGISTRY_TITLE_SHORT: Red Hat Quay
+SETUP_COMPLETE: true
+TAG_EXPIRATION_OPTIONS:
+- 2w
+TEAM_RESYNC_STALE_TIME: 60m
+TESTING: false
+FEATURE_USER_INITIALIZE: true
+SUPER_USERS:
+ - quayadmin
+BROWSER_API_CALLS_XHR_ONLY: false
+```
+
+Pour modifier ces options, le plus simple est de passer par l\'UI.
+Sinon, il faut créer un fichier `config.yaml` avec ces options en clair.
+
+``` /bash
+touch config.yaml
+----
+BROWSER_API_CALLS_XHR_ONLY: true
+----
+```
+
+et générer le secret à partir du fichier:
+
+``` /bash
+oc create secret generic --from-file config.yaml=./config.yaml first-registry-config-bundle-wql84
+```
+
+et on redémarre les containers `quay-app` et `quay-clair` pour que la
+nouvelle configuration soit prise en compte.
+
+Le paramètre `BROWSER_API_CALLS_XHR_ONLY: false` permet d\'indiquer
+qu\'on peut consulter l\'API depuis l\'extérieur, notamment avec swagger
+ou depuis un navigateur:
+
+``` /bash
+sudo podman run -p 8888:8080 -e API_URL=https://$SERVER_HOSTNAME:8443/api/v1/discovery docker.io/swaggerapi/swagger-ui
+```
+
+### Gestion des utilisateurs
+
+
+
+Par défaut, il n\'y a pas d\'utilisateur. La première chose est donc
+d\'en créer grâce à l\'option `FEATURE_USER_INITIALIZE: true`
+
+Nous allons de plus en profiter pour créer l\'utilisateur admin
+`quayadmin` déclaré avec à l\'initialisation grâce à l\'option
+`SUPER_USERS`.
+
+``` /bash
+curl -X POST -k https://first-registry-quay-quay-registry.apps.orchidee.okd-dev.abes.fr/api/v1/user/initialize --header 'Content-Type: application/json' --data '{ "username": "quayadmin2", "password":"", "email": "quayadmin2@example.com", "access_token": true}'
+```
+
+On peut alors se connecter à l\'api avec ce superuser
+
+``` /bash
+sudo podman login -u quayadmin -p "" https://first-registry-quay-quay-registry.apps.orchidee.okd-dev.abes.fr --tls-verify=false
+sudo docker login -u quayadmin -p "" https://first-registry-quay-quay-registry.apps.orchidee.okd-dev.abes.fr --tls-verify=false
+```
+
+Si on veut utiliser l\'option TLS, alors il faut procéder de la même
+manière que pour le registry interne par défaut, à savoir récupérer le
+certificat CA du routeur ingress et le copier avec l\'extension `crt`
+dans
+`/etc/docker/certs.d/first-registry-quay-quay-registry.apps.orchidee.okd-dev.abes.fr/`
+
+``` /bash
+oc extract secret/router-certs-default -n openshift-ingress --to=/etc/containers/certs.d/first-registry-quay-quay-registry.apps.orchidee.okd-dev.abes.fr/
+oc extract secret/router-certs-default -n openshift-ingress --to=/etc/docker/certs.d/first-registry-quay-quay-registry.apps.orchidee.okd-dev.abes.fr/
+```
+
+Sinon, on peut toujours créer un compte directement depuis l\'interface
+web.
+
+## Exemple de manipulation du registry une fois logué
+
+### Avec le registry OKD
+
+#### objectif
+
+L\'objectif est d\'uploader une image existante dans le repository local
+dans le registry OKD
+
+
+
+#### Mise en pratique
+
+**On liste l\'image contenue dans le registry docker local**
+
+``` /bash
+docker images
+...
+registry.gitlab.com/nfdi4culture/ta1-data-enrichment/openrefine-wikibase 1.1.0 2512c8cf3084 11 months ago 284MB
+...
+```
+
+**On crée une imageStream correspondante**
+
+``` /bash
+oc create is openrefine-wikibase
+```
+
+**On tague l\'image docker avec la syntaxe
+\/namespace/\**
+
+``` /bash
+docker tag registry.gitlab.com/nfdi4culture/ta1-data-enrichment/openrefine-wikibase:1.1.0 default-route-openshift-image-registry.apps.orchidee.okd-dev.abes.fr/movies-docker-beta/openrefine-wikibase
+```
+
+**On pousse l\'image précédemment taguée dans okd**
+
+``` /bash
+docker push default-route-openshift-image-registry.apps.orchidee.okd-dev.abes.fr/movies-docker-beta/openrefine-wikibase
+```
+
+### Avec Quay
+
+La tutoriel qui suit est celle proposée par l\'interface de quay pour
+s\'approprier l\'outil.
+
+- Logging into Red Hat Quay from the Docker CLI
+- Starting a container
+- Creating images from a container
+- Pushing a repository to Red Hat Quay
+- Viewing a repository
+- Changing a repository\'s permissions
+
+#### Logging into Red Hat Quay from the Docker CLI
+
+``` /
+docker login -u quayadmin first-registry-quay-quay-registry.apps.orchidee.okd-dev.abes.fr
+```
+
+#### Démarrage d\'un container
+
+``` /bash
+docker run busybox echo "fun" > newfile
+docker ps -l
+CONTAINER ID IMAGE COMMAND CREATED
+07f2065197ef busybox:latest echo fun 31 seconds ago
+```
+
+#### Création d\'une image
+
+L\'idée dans cette étape est de récupérer une image depuis dockerhub, de
+la modifier, et de commiter cette modification en local en lui
+attribuant un tag qui aura la forme `//` du
+registry distant.
+
+``` /bash
+docker commit 07f2065197ef first-registry-quay-quay-registry.apps.orchidee.okd-dev.abes.fr/quayadmin/myfirstrepo
+```
+
+On aurait pu uniquement taguer cette image sans la modifier de la façon
+suivante
+
+``` /bash
+docker tag busybox:latest $HOST/quayadmin/myfirstrepo
+```
+
+#### Push the image to Red Hat Quay
+
+``` /bash
+docker push first-registry-quay-quay-registry.apps.orchidee.okd-dev.abes.fr/quayadmin/myfirstrepo
+```
diff --git a/documentation/reparation_etcd.md b/documentation/reparation_etcd.md
new file mode 100644
index 0000000..083966f
--- /dev/null
+++ b/documentation/reparation_etcd.md
@@ -0,0 +1,85 @@
+# Réparation d\'un noeud etcd
+
+## Contexte
+
+`etcd` est le `cluster operator` tournant sur les masters qui gère la
+cohérence du cluster OKD. C\'est le premier élément qu\'il faut regarder
+lors d\'un dysfonctionnement d\'un noeud master. La procédure à suivre
+est différente suivant qu\'on cherche à remplacer un master etcd ou bien
+ajouter/réparer un noeud.
+
+## Remplacement d\'un master etcd
+
+
+
+## Ajout/Réparation d\'un master etcd
+
+- Lister les opérateurs qui ne fonctionnent pas correctement
+
+``` /bash
+oc get co
+```
+
+- Trouver les logs qui en disent plus sur l\'opérateur (ici etcd)
+
+``` /bash
+oc describe co etcd
+```
+
+- Trouver les logs qui en disent plus sur le cluster (ici etcd)
+
+Etat du cluster
+
+``` /bash
+oc get etcd/cluster -oyaml
+```
+
+- Repérer le pod chargé de l\'installation de l\'opérateur
+ (\"openshift-\\")
+
+``` /bash
+oc get -n "openshift-etcd" pods
+```
+
+Il y a 4 types de pods: **guard, operator, installer, revision-pruner**.
+Celui qui nous intéresse est l\'**installer** qui doit être en mode
+\'completed\'. S\'il ne l\'est pas, il se peut qui\'il soit en mode
+**retry** C\'est dans les logs de ce pod qu\'il faut chercher les
+raisons our lesquelles il n\'installe pas l\'operator.
+
+- Trouver les logs associés de la raison de la non installation
+ (manque de resources par ex):
+
+``` /bash
+oc describe -n "openshift-etcd" pods "installer-10-retry-7-orchidee-ccbm8-master-30"
+oc get -oyaml -n "openshift-etcd" pods "installer-10-retry-7-orchidee-ccbm8-master-30"
+```
+
+Dans notre cas, on tombe sur une erreur de rsource dans la partie
+\'Events\':
+
+``` /bash
+Warning UnexpectedAdmissionError 104m kubelet, crawford-libvirt-xqscg-master-0 Unexpected error while attempting to recover from admission failure: preemption: \
+error finding a set of pods to preempt: no set of running pods found to reclaim resources: [(res: memory, q: 11067392), ]
+```
+
+- On efface les pods en échec
+
+``` /bash
+NAMESPACE=openshift-etcd; for i in $(oc get -n $NAMESPACE pods | grep 'Error\|Completed\|retry' | cut -d' ' -f1); do echo $i; oc delete -n $NAMESPACE pods $i; done
+```
+
+- Une fois que la correction est apportée, le redémarrage du pod se
+ fait en principe tout seul. Si ce n\'est pas le cas, on peut forcer
+ sa recréation en le supprimant:
+
+``` /bash
+oc delete pod/etcd-orchidee-7cn9g-master-20"
+```
+
+## Redéploiement d\'un cluster operator
+
+Il peut suffire dans certains cas où le status du cluster operator est
+bloqué de le redémarrer.
+
+[Redéploiement d\'un cluster operator](redeploiement_cluster_operator.md)
diff --git a/documentation/scaling.md b/documentation/scaling.md
new file mode 100644
index 0000000..1e4ddef
--- /dev/null
+++ b/documentation/scaling.md
@@ -0,0 +1,123 @@
+# Scaling des noeuds
+
+OKD fonctionne avec 6 noeuds `coreos` au minimum:
+
+- 3 masters ou etcd pour le contrôle plane
+- 3 workers pour les conteneurs applicatifs
+
+``` /bash
+NAME STATUS ROLES AGE VERSION
+orchidee-hw8b4-master-0 Ready control-plane,master 57d v1.25.4+a34b9e9
+orchidee-hw8b4-master-1 Ready control-plane,master 57d v1.25.4+a34b9e9
+orchidee-hw8b4-master-2 Ready control-plane,master 57d v1.25.4+a34b9e9
+orchidee-hw8b4-worker-mwr49 Ready worker 57d v1.25.4+a34b9e9
+orchidee-hw8b4-worker-nvcjf Ready worker 57d v1.25.4+a34b9e9
+orchidee-hw8b4-worker-png59 Ready worker 57d v1.25.4+a34b9e9
+```
+
+Sous le provider `oVirt`, ils sont tous issus du template
+`orchidee-hw8b4-rhcos` créé à l\'installation d\'OKD. Ils ont tous par
+défaut ces caractéristiques:
+
+- 16 GiB de RAM
+- 120 GiB d\'espace disque
+- 4 vCPUs
+
+## Cas d\'un noeud worker
+
+
+
+C\'est le cas plus simple car la fonctionnalité est prévue nativement
+dans OKD.
+
+- Récupérer le machineset
+
+``` /bash
+oc get machinesets -n openshift-machine-api
+```
+
+- Récupérer les noeuds du machineset
+
+``` /bash
+oc get machine -n openshift-machine-api
+```
+
+- S\'il faut réduire le nombre de replicas, choisir le worker à
+ supprimer :
+
+``` /bash
+oc annotate machine/orchidee-hw8b4-worker-mwr49 -n openshift-machine-api machine.openshift.io/delete-machine="true"
+```
+
+- Ajuster le nombre de replicas à la hausse ou à la baisse
+
+``` /bash
+oc scale --replicas=2 machineset orchidee-hw8b4-worker -n openshift-machine-api
+```
+
+## Cas d\'un noeud master
+
+
+
+Le daemon `etcd` permet de distribuer les charges sur les noeuds du
+cluster. C\'est la particularité qui rend la scalabilité du control
+plane plus délicate à effectuer.
+
+- Il faut récupérer la configuration d\'un noeud master existant et
+ l\'adapter en le renommant, puis le déployer dans le cluster.
+
+``` /bash
+oc get machine orchidee-7cn9g-master-0 -n openshift-machine-api -o json | jq 'del (.status)'
+ | jq 'del(.spec.providerID)'
+ | jq '.metadata.name = "orchidee-7cn9g-master-10"'
+ | yq eval -P > new_master.yaml
+oc apply -f new_master.yaml
+```
+
+ou bien en une commande (`oc` accepte également le format json en
+entrée)
+
+``` /bash
+oc get machine orchidee-7cn9g-master-0 -n openshift-machine-api -o json | jq 'del (.status)'
+ | jq 'del(.spec.providerID)'
+ | jq '.metadata.name = "orchidee-7cn9g-master-10"'
+ | oc apply -f -
+```
+
+Cela a pour effet de déployer une nouvelle vm sous `oVirt` à partir du
+template `coreos`.
+
+Il existe cependant un bug dans le déploiement de cette vm qui
+l\'empêche d\'être provisionée avec le nombre de core minimum (4) qui
+permet de lancer les `cluster operator` `etcd` et `kube-apiserver` Il se
+peut donc que le déploiement échoue avec ce type d\'erreur de resources:
+
+``` /bash
+Warning UnexpectedAdmissionError 104m kubelet, crawford-libvirt-xqscg-master-0 Unexpected error while attempting to recover from admission failure: preemption: \
+error finding a set of pods to preempt: no set of running pods found to reclaim resources: [(res: memory, q: 11067392), ]
+```
+
+Il faut donc arrêter le master fraîchement créé dans ovirt pour ajouter
+le nombre de coeur à 4 vcpus.
+
+``` /bash
+oc debug node/orchidee-7cn9g-master-20 -- chroot /host shutdown now
+```
+
+Puis on redémarre le master dans ovirt.
+
+- Une fois le noeud up, s\'assurer que la vérification du quorum est
+ bien activée
+
+``` /bash
+oc patch etcd/cluster --type=merge -p '{"spec": {"unsupportedConfigOverrides": null}}'
+```
+
+- Vérifier que le nouveau noeud a bien été intégré en tant que membre
+ du cluster
+
+``` /bash
+oc -n openshift-etcd get pods -l k8s-app=etcd
+oc rsh -n openshift-etcd etcd-orchidee-ccbm8-master-30
+etcdctl member list -w table
+```
diff --git a/documentation/snapshot_csi.md b/documentation/snapshot_csi.md
new file mode 100644
index 0000000..b9d98f7
--- /dev/null
+++ b/documentation/snapshot_csi.md
@@ -0,0 +1,148 @@ +# Snapshots CSI + +### Prérequis + +[Drivers CSI](drivers_csi.md) + +### Introduction + +Seuls certains drivers ont la possibilité de d\'effectuer des snapshots +de volumes. Ce n\'est pas le cas du driver `ovirt-csi` par défaut, mais +par contre ces drivers supportent cette fonction: + +``` /bash +oc get volumesnapshotclasses.snapshot.storage.k8s.io +NAME DRIVER DELETIONPOLICY AGE +csi-nfs-snapclass nfs.csi.k8s.io Delete 22m +ocs-storagecluster-cephfsplugin-snapclass openshift-storage.cephfs.csi.ceph.com Delete 374d +ocs-storagecluster-rbdplugin-snapclass openshift-storage.rbd.csi.ceph.com Delete 374d +``` + +## Mise en oeuvre avec nfs.csi.k8s.io + + + +La logique rejoint celle employée par les `storageClass` et les `pv`. + +Il faut donc d\'abord définir un `volumeSnapshotClass` + +``` /bash +oc apply -f - < +Annotations: +API Version: snapshot.storage.k8s.io/v1 +Kind: VolumeSnapshot +Metadata: + Creation Timestamp: 2024-05-13T17:44:34Z + Finalizers: + snapshot.storage.kubernetes.io/volumesnapshot-as-source-protection + snapshot.storage.kubernetes.io/volumesnapshot-bound-protection + Generation: 1 + Managed Fields: + API Version: snapshot.storage.k8s.io/v1 + Fields Type: FieldsV1 + fieldsV1: + f:metadata: + f:annotations: + .: + f:kubectl.kubernetes.io/last-applied-configuration: + f:spec: + .: + f:source: + .: + f:persistentVolumeClaimName: + f:volumeSnapshotClassName: + Manager: kubectl-client-side-apply + Operation: Update + Time: 2024-05-13T17:44:34Z + API Version: snapshot.storage.k8s.io/v1 + Fields Type: FieldsV1 + fieldsV1: + f:metadata: + f:finalizers: + .: + v:"snapshot.storage.kubernetes.io/volumesnapshot-as-source-protection": + v:"snapshot.storage.kubernetes.io/volumesnapshot-bound-protection": + Manager: snapshot-controller + Operation: Update + Time: 2024-05-13T17:44:34Z + API Version: snapshot.storage.k8s.io/v1 + Fields Type: FieldsV1 + fieldsV1: + f:status: + .: + f:boundVolumeSnapshotContentName: + f:creationTime: + f:readyToUse: 
+ f:restoreSize: + Manager: snapshot-controller + Operation: Update + Subresource: status + Time: 2024-05-13T17:44:46Z + Resource Version: 566490942 + UID: f0f75a60-c647-4a68-96d7-9af2a0f0882f +Spec: + Source: + Persistent Volume Claim Name: movies-wikibase-mysql-claim6 + Volume Snapshot Class Name: csi-nfs-snapclass +Status: + Bound Volume Snapshot Content Name: snapcontent-f0f75a60-c647-4a68-96d7-9af2a0f0882f + Creation Time: 2024-05-13T17:44:46Z + Ready To Use: true + Restore Size: 33989110 +Events: + Type Reason Age From Message + ---- ------ ---- ---- ------- + Normal CreatingSnapshot 68m snapshot-controller Waiting for a snapshot movies-docker-ceph/test-nfs-snapshot to be created by the CSI driver. + Normal SnapshotCreated 68m snapshot-controller Snapshot movies-docker-ceph/test-nfs-snapshot was successfully created by the CSI driver. + Normal SnapshotReady 68m snapshot-controller Snapshot movies-docker-ceph/test-nfs-snapshot is ready to use. +``` + +Le snapshot apparaît bien au niveau du filesystem du NAS: + +``` /bash +[root@methana pool_SAS_2]# ll OKD2/snapshot-f0f75a60-c647-4a68-96d7-9af2a0f0882f/pvc-48d777ae-dde9-4c27-85c6-4390a13b26fe.tar.gz -h +-rw-r--r--. 1 nobody nobody 33M May 13 19:45 OKD2/snapshot-f0f75a60-c647-4a68-96d7-9af2a0f0882f/pvc-48d777ae-dde9-4c27-85c6-4390a13b26fe.tar.gz +```