From 179eb8db0ac74e5f3dae6589081cde88257eede3 Mon Sep 17 00:00:00 2001 From: Valentin Knabel Date: Fri, 20 Feb 2026 11:10:21 +0100 Subject: [PATCH 1/3] refactor: community is now unversioned --- .../01-community.md | 3 +- .../02-contribution-guideline.md | 0 .../contributing => community}/03-roadmap.mdx | 0 .../MEP1/Distributed-API-Working.png | Bin .../04-Proposals/MEP1/Distributed-API.png | Bin .../MEP1/Distributed-Deployment.png | Bin .../04-Proposals/MEP1/Distributed.drawio | 0 .../04-Proposals/MEP1/Distributed.png | Bin .../04-Proposals/MEP1/README.md | 0 .../04-Proposals/MEP10/README.md | 0 .../04-Proposals/MEP11/README.md | 0 .../04-Proposals/MEP12/README.md | 0 .../04-Proposals/MEP13/README.md | 0 .../04-Proposals/MEP14/README.md | 0 .../04-Proposals/MEP16/README.md | 0 .../MEP16/firewall-for-capms-overview.drawio | 0 .../MEP16/firewall-for-capms-overview.svg | 0 .../04-Proposals/MEP17/README.md | 0 .../04-Proposals}/MEP18/README.md | 2 +- .../ha-initial-cluster.drawio | 0 .../ha-initial-cluster.svg | 0 ...stack-autonomous-control-plane-full.drawio | 0 ...al-stack-autonomous-control-plane-full.svg | 0 .../metal-stack-chain.drawio | 0 .../metal-stack-chain.svg | 0 .../small-initial-cluster.drawio | 0 .../small-initial-cluster.svg | 0 .../04-Proposals/MEP2/README.md | 0 .../04-Proposals/MEP3/README.md | 0 .../04-Proposals/MEP4/README.md | 0 .../04-Proposals/MEP5/README.md | 0 .../04-Proposals/MEP5/shared.drawio | 0 .../04-Proposals/MEP5/shared.png | Bin .../04-Proposals/MEP5/shared_advanced.drawio | 0 .../04-Proposals/MEP5/shared_advanced.png | Bin .../04-Proposals/MEP6/README.md | 0 .../MEP6/dmz-internet_private.drawio | 0 .../MEP6/dmz-internet_private.svg | 0 .../MEP6/dmz-internet_public.drawio | 0 .../04-Proposals/MEP6/dmz-internet_public.svg | 0 .../04-Proposals/MEP8/README.md | 0 .../04-Proposals/MEP8/filesystems.drawio | 0 .../04-Proposals/MEP8/filesystems.png | Bin .../04-Proposals/MEP9/README.md | 0 .../04-Proposals/MEP9/architecture.drawio | 0 .../04-Proposals/MEP9/architecture.svg | 0 .../04-Proposals/_category_.json | 0 .../04-Proposals/index.md | 0 .../05-release-flow.md | 0 .../06-oci-artifacts.md | 0 {docs/contributing => community}/release.png | Bin .../release_flow.drawio | 0 .../release_flow.svg | 0 docs/{docs => }/01-home.md | 0 docs/{docs => }/02-General/01-quickstart.md | 0 .../02-General/02-why metal stack.md | 0 .../02-General/03-why bare metal.md | 0 .../02-General/04-flavors-of-metalstack.md | 2 +- .../03-For Users/01-client_libraries.md | 0 .../04-For Operators/01-hardware.md | 0 .../04-For Operators/02-operating-systems.md | 0 .../04-For Operators/03-deployment-guide.mdx | 4 +- .../04-For Operators/04-maintenance.md | 0 .../04-For Operators/05-monitoring.md | 0 .../04-For Operators/06-troubleshoot.md | 0 .../04-For Operators/mgmt_net_layer3.drawio | 0 .../04-For Operators/mgmt_net_layer3.png | Bin .../04-For Operators/monitoring-stack.svg | 0 docs/{docs => }/04-For Operators/starter.jpg | Bin .../05-Concepts/01-architecture.mdx | 2 +- .../05-Concepts/02-user-management.md | 2 +- .../05-Concepts/03-Network/01-theory.md | 0 .../05-Concepts/03-Network/02-firewalls.md | 0 .../05-Concepts/03-Network/03-tailscale.md | 0 .../03-Network/2-layer-leaf-spine.drawio | 0 .../03-Network/2-layer-leaf-spine.svg | 0 .../03-Network/3-layer-leaf-spine.drawio | 0 .../03-Network/3-layer-leaf-spine.svg | 0 .../05-Concepts/03-Network/evpn-vtep.drawio | 0 .../05-Concepts/03-Network/evpn-vtep.svg | 0 .../03-Network/network-physical-wiring.drawio | 0 .../03-Network/network-physical-wiring.svg | 0 .../03-Network/network-vrfs.drawio | 0 .../05-Concepts/03-Network/network-vrfs.svg | 0 .../03-Network/tailscale-authkeys.png | Bin .../03-Network/tailscale-devices.png | Bin .../05-Concepts/03-Network/vrf-simple.drawio | 0 .../05-Concepts/03-Network/vrf-simple.svg | 0 .../05-Concepts/04-Kubernetes/01-gardener.md | 0 .../04-Kubernetes/02-cluster-api.md | 0 .../03-cloud-controller-manager.md | 0 .../04-firewall-controller-manager.md | 0 .../04-Kubernetes/05-isolated-clusters.md | 0 .../04-Kubernetes/06-gpu-workers.md | 0 .../05-Concepts/04-Kubernetes/07-storage.md | 0 .../04-Kubernetes/isolated-kubernetes.drawio | 0 .../04-Kubernetes/isolated-kubernetes.svg | 0 .../05-Concepts/assets/2-layer-leaf-spine.svg | 0 .../05-Concepts/assets/3-layer-leaf-spine.svg | 0 .../05-Concepts/assets/evpn-vtep.svg | 0 .../assets/isolated-kubernetes.drawio | 0 .../assets/isolated-kubernetes.svg | 0 .../assets/metal-stack-architecture.drawio | 0 .../assets/metal-stack-architecture.svg | 0 .../assets/metal-stack-control-plane.svg | 0 .../assets/metal-stack-partition.svg | 0 .../assets/network-physical-wiring.drawio | 0 .../assets/network-physical-wiring.svg | 0 .../05-Concepts/assets/network-vrfs.drawio | 0 .../05-Concepts/assets/network-vrfs.svg | 0 .../assets/provisioning_sequence.drawio | 0 .../assets/provisioning_sequence.svg | 0 .../05-Concepts/assets/vrf-simple.svg | 0 .../06-For CISOs/Security/01-principles.md | 2 +- .../06-For CISOs/Security/02-sbom.md | 0 .../06-For CISOs/Security/03-cryptography.md | 0 .../Security/04-communication-matrix.md | 2 +- .../06-For CISOs/artifacts-signing.md | 0 .../06-For CISOs/integration-checks.md | 0 docs/{docs => }/06-For CISOs/network.md | 0 docs/{docs => }/06-For CISOs/rbac.md | 2 +- docs/{docs => }/06-For CISOs/remote-access.md | 4 +- .../06-For CISOs/security-vulnerability.md | 0 .../07-Release Notes/v0.18/v0.18.10.md | 0 .../07-Release Notes/v0.18/v0.18.11.md | 0 .../07-Release Notes/v0.18/v0.18.12.md | 0 .../07-Release Notes/v0.18/v0.18.13.md | 0 .../07-Release Notes/v0.18/v0.18.14.md | 0 .../07-Release Notes/v0.18/v0.18.15.md | 0 .../07-Release Notes/v0.18/v0.18.16.md | 0 .../07-Release Notes/v0.18/v0.18.17.md | 0 .../07-Release Notes/v0.18/v0.18.18.md | 0 .../07-Release Notes/v0.19/v0.19.0.md | 0 .../07-Release Notes/v0.19/v0.19.1.md | 0 .../07-Release Notes/v0.19/v0.19.2.md | 0 .../07-Release Notes/v0.19/v0.19.3.md | 0 .../07-Release Notes/v0.19/v0.19.4.md | 0 .../07-Release Notes/v0.19/v0.19.5.md | 0 .../07-Release Notes/v0.19/v0.19.6.md | 0 .../07-Release Notes/v0.19/v0.19.7.md | 0 .../07-Release Notes/v0.19/v0.19.8.md | 0 .../07-Release Notes/v0.20/v0.20.0.md | 0 .../07-Release Notes/v0.20/v0.20.1.md | 0 .../07-Release Notes/v0.20/v0.20.2.md | 0 .../07-Release Notes/v0.21/v0.21.0.md | 0 .../07-Release Notes/v0.21/v0.21.1.md | 4 +- .../07-Release Notes/v0.21/v0.21.10.md | 0 .../07-Release Notes/v0.21/v0.21.11.md | 0 .../07-Release Notes/v0.21/v0.21.2.md | 0 .../07-Release Notes/v0.21/v0.21.3.md | 0 .../07-Release Notes/v0.21/v0.21.4.md | 0 .../07-Release Notes/v0.21/v0.21.5.md | 0 .../07-Release Notes/v0.21/v0.21.6.md | 0 .../07-Release Notes/v0.21/v0.21.7.md | 0 .../07-Release Notes/v0.21/v0.21.8.md | 0 .../07-Release Notes/v0.21/v0.21.9.md | 0 .../07-Release Notes/v0.22/v0.22.0.md | 0 .../07-Release Notes/v0.22/v0.22.1.md | 0 .../07-Release Notes/v0.22/v0.22.2.md | 0 .../07-Release Notes/v0.22/v0.22.3.md | 0 .../07-Release Notes/v0.22/v0.22.4.md | 0 docs/{docs => }/08-References/API/index.mdx | 0 .../Clients/metalctl/metalctl.md | 0 .../Clients/metalctl/metalctl_audit.md | 0 .../metalctl/metalctl_audit_describe.md | 0 .../Clients/metalctl/metalctl_audit_list.md | 0 .../Clients/metalctl/metalctl_completion.md | 0 .../metalctl/metalctl_completion_bash.md | 0 .../metalctl/metalctl_completion_fish.md | 0 .../metalctl_completion_powershell.md | 0 .../metalctl/metalctl_completion_zsh.md | 0 .../Clients/metalctl/metalctl_context.md | 0 .../metalctl/metalctl_context_short.md | 0 .../metalctl/metalctl_filesystemlayout.md | 0 .../metalctl_filesystemlayout_apply.md | 0 .../metalctl_filesystemlayout_create.md | 0 .../metalctl_filesystemlayout_delete.md | 0 .../metalctl_filesystemlayout_describe.md | 0 .../metalctl_filesystemlayout_edit.md | 0 .../metalctl_filesystemlayout_list.md | 0 .../metalctl_filesystemlayout_match.md | 0 .../metalctl/metalctl_filesystemlayout_try.md | 0 .../metalctl_filesystemlayout_update.md | 0 .../Clients/metalctl/metalctl_firewall.md | 0 .../metalctl/metalctl_firewall_create.md | 0 .../metalctl/metalctl_firewall_describe.md | 0 .../metalctl/metalctl_firewall_list.md | 0 .../Clients/metalctl/metalctl_firewall_ssh.md | 0 .../Clients/metalctl/metalctl_firmware.md | 0 .../metalctl/metalctl_firmware_delete.md | 0 .../metalctl/metalctl_firmware_list.md | 0 .../metalctl/metalctl_firmware_upload.md | 0 .../metalctl/metalctl_firmware_upload_bios.md | 0 .../metalctl/metalctl_firmware_upload_bmc.md | 0 .../Clients/metalctl/metalctl_health.md | 0 .../Clients/metalctl/metalctl_image.md | 0 .../Clients/metalctl/metalctl_image_apply.md | 0 .../Clients/metalctl/metalctl_image_create.md | 0 .../Clients/metalctl/metalctl_image_delete.md | 0 .../metalctl/metalctl_image_describe.md | 0 .../Clients/metalctl/metalctl_image_edit.md | 0 .../Clients/metalctl/metalctl_image_list.md | 0 .../Clients/metalctl/metalctl_image_update.md | 0 .../Clients/metalctl/metalctl_login.md | 0 .../Clients/metalctl/metalctl_logout.md | 0 .../Clients/metalctl/metalctl_machine.md | 0 .../metalctl/metalctl_machine_apply.md | 0 .../metalctl/metalctl_machine_console.md | 0 .../metalctl_machine_consolepassword.md | 0 .../metalctl/metalctl_machine_create.md | 0 .../metalctl/metalctl_machine_delete.md | 0 .../metalctl/metalctl_machine_describe.md | 0 .../Clients/metalctl/metalctl_machine_edit.md | 0 .../metalctl/metalctl_machine_identify.md | 0 .../metalctl/metalctl_machine_identify_off.md | 0 .../metalctl/metalctl_machine_identify_on.md | 0 .../Clients/metalctl/metalctl_machine_ipmi.md | 0 .../metalctl/metalctl_machine_ipmi_events.md | 0 .../metalctl/metalctl_machine_issues.md | 0 .../metalctl/metalctl_machine_issues_list.md | 0 .../Clients/metalctl/metalctl_machine_list.md | 0 .../Clients/metalctl/metalctl_machine_lock.md | 0 .../Clients/metalctl/metalctl_machine_logs.md | 0 .../metalctl/metalctl_machine_power.md | 0 .../metalctl/metalctl_machine_power_bios.md | 0 .../metalctl/metalctl_machine_power_cycle.md | 0 .../metalctl/metalctl_machine_power_disk.md | 0 .../metalctl/metalctl_machine_power_off.md | 0 .../metalctl/metalctl_machine_power_on.md | 0 .../metalctl/metalctl_machine_power_pxe.md | 0 .../metalctl/metalctl_machine_power_reset.md | 0 .../metalctl/metalctl_machine_reinstall.md | 0 .../metalctl/metalctl_machine_reserve.md | 0 .../metalctl_machine_update-firmware.md | 0 .../metalctl_machine_update-firmware_bios.md | 0 .../metalctl_machine_update-firmware_bmc.md | 0 .../metalctl/metalctl_machine_update.md | 0 .../Clients/metalctl/metalctl_markdown.md | 0 .../Clients/metalctl/metalctl_network.md | 0 .../metalctl/metalctl_network_allocate.md | 0 .../metalctl/metalctl_network_apply.md | 0 .../metalctl/metalctl_network_create.md | 0 .../metalctl/metalctl_network_delete.md | 0 .../metalctl/metalctl_network_describe.md | 0 .../Clients/metalctl/metalctl_network_edit.md | 0 .../Clients/metalctl/metalctl_network_free.md | 0 .../Clients/metalctl/metalctl_network_ip.md | 0 .../metalctl/metalctl_network_ip_apply.md | 0 .../metalctl/metalctl_network_ip_create.md | 0 .../metalctl/metalctl_network_ip_delete.md | 0 .../metalctl/metalctl_network_ip_describe.md | 0 .../metalctl/metalctl_network_ip_edit.md | 0 .../metalctl/metalctl_network_ip_issues.md | 0 .../metalctl/metalctl_network_ip_list.md | 0 .../metalctl/metalctl_network_ip_update.md | 0 .../Clients/metalctl/metalctl_network_list.md | 0 .../metalctl/metalctl_network_update.md | 0 .../Clients/metalctl/metalctl_partition.md | 0 .../metalctl/metalctl_partition_apply.md | 0 .../metalctl/metalctl_partition_capacity.md | 0 .../metalctl/metalctl_partition_create.md | 0 .../metalctl/metalctl_partition_delete.md | 0 .../metalctl/metalctl_partition_describe.md | 0 .../metalctl/metalctl_partition_edit.md | 0 .../metalctl/metalctl_partition_list.md | 0 .../metalctl/metalctl_partition_update.md | 0 .../Clients/metalctl/metalctl_project.md | 0 .../metalctl/metalctl_project_apply.md | 0 .../metalctl/metalctl_project_create.md | 0 .../metalctl/metalctl_project_delete.md | 0 .../metalctl/metalctl_project_describe.md | 0 .../Clients/metalctl/metalctl_project_edit.md | 0 .../Clients/metalctl/metalctl_project_list.md | 0 .../metalctl/metalctl_project_update.md | 0 .../Clients/metalctl/metalctl_size.md | 0 .../Clients/metalctl/metalctl_size_apply.md | 0 .../Clients/metalctl/metalctl_size_create.md | 0 .../Clients/metalctl/metalctl_size_delete.md | 0 .../metalctl/metalctl_size_describe.md | 0 .../Clients/metalctl/metalctl_size_edit.md | 0 .../metalctl/metalctl_size_imageconstraint.md | 0 .../metalctl_size_imageconstraint_apply.md | 0 .../metalctl_size_imageconstraint_create.md | 0 .../metalctl_size_imageconstraint_delete.md | 0 .../metalctl_size_imageconstraint_describe.md | 0 .../metalctl_size_imageconstraint_edit.md | 0 .../metalctl_size_imageconstraint_list.md | 0 .../metalctl_size_imageconstraint_try.md | 0 .../metalctl_size_imageconstraint_update.md | 0 .../Clients/metalctl/metalctl_size_list.md | 0 .../metalctl/metalctl_size_reservation.md | 0 .../metalctl_size_reservation_apply.md | 0 .../metalctl_size_reservation_create.md | 0 .../metalctl_size_reservation_delete.md | 0 .../metalctl_size_reservation_describe.md | 0 .../metalctl_size_reservation_edit.md | 0 .../metalctl_size_reservation_list.md | 0 .../metalctl_size_reservation_update.md | 0 .../metalctl_size_reservation_usage.md | 0 .../Clients/metalctl/metalctl_size_suggest.md | 0 .../Clients/metalctl/metalctl_size_update.md | 0 .../Clients/metalctl/metalctl_switch.md | 0 .../metalctl_switch_connected-machines.md | 0 .../metalctl/metalctl_switch_console.md | 0 .../metalctl/metalctl_switch_delete.md | 0 .../metalctl/metalctl_switch_describe.md | 0 .../metalctl/metalctl_switch_detail.md | 0 .../Clients/metalctl/metalctl_switch_edit.md | 0 .../Clients/metalctl/metalctl_switch_list.md | 0 .../metalctl/metalctl_switch_migrate.md | 0 .../Clients/metalctl/metalctl_switch_port.md | 0 .../metalctl/metalctl_switch_port_describe.md | 0 .../metalctl/metalctl_switch_port_down.md | 0 .../metalctl/metalctl_switch_port_up.md | 0 .../metalctl/metalctl_switch_replace.md | 0 .../Clients/metalctl/metalctl_switch_ssh.md | 0 .../metalctl/metalctl_switch_update.md | 0 .../Clients/metalctl/metalctl_tenant.md | 0 .../Clients/metalctl/metalctl_tenant_apply.md | 0 .../metalctl/metalctl_tenant_create.md | 0 .../metalctl/metalctl_tenant_delete.md | 0 .../metalctl/metalctl_tenant_describe.md | 0 .../Clients/metalctl/metalctl_tenant_edit.md | 0 .../Clients/metalctl/metalctl_tenant_list.md | 0 .../metalctl/metalctl_tenant_update.md | 0 .../Clients/metalctl/metalctl_update.md | 0 .../Clients/metalctl/metalctl_update_check.md | 0 .../Clients/metalctl/metalctl_update_do.md | 0 .../Clients/metalctl/metalctl_version.md | 0 .../Clients/metalctl/metalctl_vpn.md | 0 .../Clients/metalctl/metalctl_vpn_key.md | 0 .../Clients/metalctl/metalctl_whoami.md | 0 .../assets/sequence.drawio.svg | 0 .../backup-restore-sidecar.md | 0 .../backup-restore-sidecar/manual_restore.md | 0 .../Control Plane/go-ipam/go-ipam.md | 0 .../masterdata-api/masterdata-api.md | 0 .../Control Plane/metal-api/metal-api.md | 0 .../metal-console/metal-console.md | 0 .../Deployment/helm-charts/helm-charts.md | 0 .../Deployment/metal-images/ARCHITECTURE.md | 0 .../Deployment/metal-images/IMAGE_STORE.md | 0 .../Deployment/metal-images/metal-images.md | 0 .../Deployment/mini-lab/assets/network.svg | 0 .../mini-lab/assets/overview.drawio.svg | 0 .../Deployment/mini-lab/assets/overview.png | Bin .../Deployment/mini-lab/mini-lab.md | 0 .../gardener-extension-audit.md | 0 .../gardener-extension-csi-driver-lvm.md | 0 .../migration.md | 0 .../gardener-extension-ontap.md | 0 .../gardener-vpn-gateway.md | 0 .../os-metal-extension/os-metal-extension.md | 0 .../DEVELOPMENT.md | 0 .../cluster-api-provider-metal-stack.md | 0 .../Kubernetes/droptailer/droptailer.md | 0 .../firewall-controller-manager.md | 0 .../assets/architecture.drawio.svg | 0 .../firewall-controller.md | 0 .../Kubernetes/metal-ccm/metal-ccm.md | 0 .../metal-metrics-exporter.md | 0 .../nftables-exporter/nftables-exporter.md | 0 .../rethinkdb-exporter/assets/grafana.png | Bin .../rethinkdb-exporter/rethinkdb-exporter.md | 0 .../08-References/Partition/go-hal/go-hal.md | 0 .../Partition/metal-bmc/metal-bmc.md | 0 .../Partition/metal-core/metal-core.md | 0 .../Partition/metal-hammer/metal-hammer.md | 0 .../08-References/Partition/pixie/pixie.md | 0 .../Storage/csi-driver-lvm/csi-driver-lvm.md | 0 .../Storage/duros-controller/MULTITENANCY.md | 0 .../assets/architecture.drawio.svg | 0 .../assets/dataplane.drawio.svg | 0 .../duros-controller/assets/nvme-over-tcp.jpg | Bin .../duros-controller/duros-controller.md | 0 .../contributing/04-Proposals/MEP18/README.md | 147 --- docusaurus.config.ts | 19 +- sidebars-community.ts | 24 + sidebars.ts => sidebars-docs.ts | 8 +- src/css/custom.css | 20 +- static/_redirects | 16 +- .../MEP1/Distributed-API-Working.png | Bin 53600 -> 0 bytes .../01-Proposals/MEP1/Distributed-API.png | Bin 49935 -> 0 bytes .../MEP1/Distributed-Deployment.png | Bin 34547 -> 0 bytes .../01-Proposals/MEP1/Distributed.drawio | 1 - .../01-Proposals/MEP1/Distributed.png | Bin 31547 -> 0 bytes .../contributing/01-Proposals/MEP1/README.md | 141 -- .../contributing/01-Proposals/MEP10/README.md | 197 --- .../contributing/01-Proposals/MEP11/README.md | 78 -- .../contributing/01-Proposals/MEP12/README.md | 34 - .../contributing/01-Proposals/MEP13/README.md | 111 -- .../contributing/01-Proposals/MEP14/README.md | 36 - .../contributing/01-Proposals/MEP16/README.md | 318 ----- .../MEP16/firewall-for-capms-overview.drawio | 4 - .../MEP16/firewall-for-capms-overview.svg | 1 - .../contributing/01-Proposals/MEP17/README.md | 61 - .../contributing/01-Proposals/MEP18/README.md | 147 --- .../ha-initial-cluster.drawio | 535 -------- .../ha-initial-cluster.svg | 1 - ...stack-autonomous-control-plane-full.drawio | 1133 ----------------- ...al-stack-autonomous-control-plane-full.svg | 1 - .../metal-stack-chain.drawio | 404 ------ .../metal-stack-chain.svg | 1 - .../small-initial-cluster.drawio | 234 ---- .../small-initial-cluster.svg | 1 - .../contributing/01-Proposals/MEP2/README.md | 7 - .../contributing/01-Proposals/MEP3/README.md | 67 - .../contributing/01-Proposals/MEP4/README.md | 211 --- .../contributing/01-Proposals/MEP5/README.md | 54 - .../01-Proposals/MEP5/shared.drawio | 121 -- .../contributing/01-Proposals/MEP5/shared.png | Bin 49790 -> 0 bytes .../01-Proposals/MEP5/shared_advanced.drawio | 187 --- .../01-Proposals/MEP5/shared_advanced.png | Bin 90372 -> 0 bytes .../contributing/01-Proposals/MEP6/README.md | 123 -- .../MEP6/dmz-internet_private.drawio | 178 --- .../MEP6/dmz-internet_private.svg | 3 - .../MEP6/dmz-internet_public.drawio | 184 --- .../01-Proposals/MEP6/dmz-internet_public.svg | 3 - .../contributing/01-Proposals/MEP8/README.md | 503 -------- .../01-Proposals/MEP8/filesystems.drawio | 43 - .../01-Proposals/MEP8/filesystems.png | Bin 24073 -> 0 bytes .../contributing/01-Proposals/MEP9/README.md | 132 -- .../01-Proposals/MEP9/architecture.drawio | 324 ----- .../01-Proposals/MEP9/architecture.svg | 1 - .../contributing/01-Proposals/_category_.json | 4 - .../contributing/01-Proposals/index.md | 69 - .../contributing/02-planning-meetings.md | 51 - .../contributing/03-contribution-guideline.md | 147 --- .../contributing/04-release-flow.md | 107 -- .../contributing/05-community.md | 11 - .../version-v0.21.10/contributing/release.png | Bin 87019 -> 0 bytes .../contributing/release_flow.drawio | 721 ----------- .../contributing/release_flow.svg | 1 - .../02-General/04-flavors-of-metalstack.md | 2 +- .../04-For Operators/03-deployment-guide.mdx | 2 +- .../docs/05-Concepts/01-architecture.mdx | 2 +- .../docs/05-Concepts/02-user-management.md | 2 +- .../06-For CISOs/Security/01-principles.md | 2 +- .../Security/04-communication-matrix.md | 2 +- .../docs/06-For CISOs/rbac.md | 2 +- .../docs/06-For CISOs/remote-access.md | 4 +- .../MEP1/Distributed-API-Working.png | Bin 53600 -> 0 bytes .../01-Proposals/MEP1/Distributed-API.png | Bin 49935 -> 0 bytes .../MEP1/Distributed-Deployment.png | Bin 34547 -> 0 bytes .../01-Proposals/MEP1/Distributed.drawio | 1 - .../01-Proposals/MEP1/Distributed.png | Bin 31547 -> 0 bytes .../contributing/01-Proposals/MEP1/README.md | 141 -- .../contributing/01-Proposals/MEP10/README.md | 197 --- .../contributing/01-Proposals/MEP11/README.md | 78 -- .../contributing/01-Proposals/MEP12/README.md | 34 - .../contributing/01-Proposals/MEP13/README.md | 111 -- .../contributing/01-Proposals/MEP14/README.md | 36 - .../contributing/01-Proposals/MEP16/README.md | 318 ----- .../MEP16/firewall-for-capms-overview.drawio | 4 - .../MEP16/firewall-for-capms-overview.svg | 1 - .../contributing/01-Proposals/MEP17/README.md | 61 - .../contributing/01-Proposals/MEP18/README.md | 147 --- .../ha-initial-cluster.drawio | 535 -------- .../ha-initial-cluster.svg | 1 - ...stack-autonomous-control-plane-full.drawio | 1133 ----------------- ...al-stack-autonomous-control-plane-full.svg | 1 - .../metal-stack-chain.drawio | 404 ------ .../metal-stack-chain.svg | 1 - .../small-initial-cluster.drawio | 234 ---- .../small-initial-cluster.svg | 1 - .../contributing/01-Proposals/MEP2/README.md | 7 - .../contributing/01-Proposals/MEP3/README.md | 67 - .../contributing/01-Proposals/MEP4/README.md | 211 --- .../contributing/01-Proposals/MEP5/README.md | 54 - .../01-Proposals/MEP5/shared.drawio | 121 -- .../contributing/01-Proposals/MEP5/shared.png | Bin 49790 -> 0 bytes .../01-Proposals/MEP5/shared_advanced.drawio | 187 --- .../01-Proposals/MEP5/shared_advanced.png | Bin 90372 -> 0 bytes .../contributing/01-Proposals/MEP6/README.md | 123 -- .../MEP6/dmz-internet_private.drawio | 178 --- .../MEP6/dmz-internet_private.svg | 3 - .../MEP6/dmz-internet_public.drawio | 184 --- .../01-Proposals/MEP6/dmz-internet_public.svg | 3 - .../contributing/01-Proposals/MEP8/README.md | 503 -------- .../01-Proposals/MEP8/filesystems.drawio | 43 - .../01-Proposals/MEP8/filesystems.png | Bin 24073 -> 0 bytes .../contributing/01-Proposals/MEP9/README.md | 132 -- .../01-Proposals/MEP9/architecture.drawio | 324 ----- .../01-Proposals/MEP9/architecture.svg | 1 - .../contributing/01-Proposals/_category_.json | 4 - .../contributing/01-Proposals/index.md | 69 - .../contributing/02-planning-meetings.mdx | 120 -- .../contributing/03-contribution-guideline.md | 147 --- .../contributing/04-release-flow.md | 107 -- .../contributing/05-community.md | 11 - .../version-v0.21.11/contributing/release.png | Bin 87019 -> 0 bytes .../contributing/release_flow.drawio | 721 ----------- .../contributing/release_flow.svg | 1 - .../02-General/04-flavors-of-metalstack.md | 2 +- .../04-For Operators/03-deployment-guide.mdx | 2 +- .../docs/05-Concepts/01-architecture.mdx | 2 +- .../docs/05-Concepts/02-user-management.md | 2 +- .../06-For CISOs/Security/01-principles.md | 2 +- .../Security/04-communication-matrix.md | 2 +- .../docs/06-For CISOs/rbac.md | 2 +- .../docs/06-For CISOs/remote-access.md | 4 +- .../MEP1/Distributed-API-Working.png | Bin 53600 -> 0 bytes .../01-Proposals/MEP1/Distributed-API.png | Bin 49935 -> 0 bytes .../MEP1/Distributed-Deployment.png | Bin 34547 -> 0 bytes .../01-Proposals/MEP1/Distributed.drawio | 1 - .../01-Proposals/MEP1/Distributed.png | Bin 31547 -> 0 bytes .../contributing/01-Proposals/MEP1/README.md | 141 -- .../contributing/01-Proposals/MEP10/README.md | 197 --- .../contributing/01-Proposals/MEP11/README.md | 78 -- .../contributing/01-Proposals/MEP12/README.md | 34 - .../contributing/01-Proposals/MEP13/README.md | 111 -- .../contributing/01-Proposals/MEP14/README.md | 36 - .../contributing/01-Proposals/MEP16/README.md | 318 ----- .../MEP16/firewall-for-capms-overview.drawio | 4 - .../MEP16/firewall-for-capms-overview.svg | 1 - .../contributing/01-Proposals/MEP17/README.md | 61 - .../contributing/01-Proposals/MEP18/README.md | 147 --- .../ha-initial-cluster.drawio | 535 -------- .../ha-initial-cluster.svg | 1 - ...stack-autonomous-control-plane-full.drawio | 1133 ----------------- ...al-stack-autonomous-control-plane-full.svg | 1 - .../metal-stack-chain.drawio | 404 ------ .../metal-stack-chain.svg | 1 - .../small-initial-cluster.drawio | 234 ---- .../small-initial-cluster.svg | 1 - .../contributing/01-Proposals/MEP2/README.md | 7 - .../contributing/01-Proposals/MEP3/README.md | 67 - .../contributing/01-Proposals/MEP4/README.md | 211 --- .../contributing/01-Proposals/MEP5/README.md | 54 - .../01-Proposals/MEP5/shared.drawio | 121 -- .../contributing/01-Proposals/MEP5/shared.png | Bin 49790 -> 0 bytes .../01-Proposals/MEP5/shared_advanced.drawio | 187 --- .../01-Proposals/MEP5/shared_advanced.png | Bin 90372 -> 0 bytes .../contributing/01-Proposals/MEP6/README.md | 123 -- .../MEP6/dmz-internet_private.drawio | 178 --- .../MEP6/dmz-internet_private.svg | 3 - .../MEP6/dmz-internet_public.drawio | 184 --- .../01-Proposals/MEP6/dmz-internet_public.svg | 3 - .../contributing/01-Proposals/MEP8/README.md | 503 -------- .../01-Proposals/MEP8/filesystems.drawio | 43 - .../01-Proposals/MEP8/filesystems.png | Bin 24073 -> 0 bytes .../contributing/01-Proposals/MEP9/README.md | 132 -- .../01-Proposals/MEP9/architecture.drawio | 324 ----- .../01-Proposals/MEP9/architecture.svg | 1 - .../contributing/01-Proposals/_category_.json | 4 - .../contributing/01-Proposals/index.md | 45 - .../contributing/02-planning-meetings.md | 51 - .../contributing/03-contribution-guideline.md | 147 --- .../contributing/04-release-flow.md | 107 -- .../contributing/05-community.md | 11 - .../version-v0.21.8/contributing/release.png | Bin 87019 -> 0 bytes .../contributing/release_flow.drawio | 721 ----------- .../contributing/release_flow.svg | 1 - .../02-General/04-flavors-of-metalstack.md | 2 +- .../04-For Operators/03-deployment-guide.mdx | 2 +- .../docs/05-Concepts/01-architecture.mdx | 2 +- .../docs/05-Concepts/02-user-management.md | 2 +- .../06-For CISOs/Security/01-principles.md | 2 +- .../Security/04-communication-matrix.md | 2 +- .../version-v0.21.8/docs/06-For CISOs/rbac.md | 2 +- .../MEP1/Distributed-API-Working.png | Bin 53600 -> 0 bytes .../01-Proposals/MEP1/Distributed-API.png | Bin 49935 -> 0 bytes .../MEP1/Distributed-Deployment.png | Bin 34547 -> 0 bytes .../01-Proposals/MEP1/Distributed.drawio | 1 - .../01-Proposals/MEP1/Distributed.png | Bin 31547 -> 0 bytes .../contributing/01-Proposals/MEP1/README.md | 141 -- .../contributing/01-Proposals/MEP10/README.md | 197 --- .../contributing/01-Proposals/MEP11/README.md | 78 -- .../contributing/01-Proposals/MEP12/README.md | 34 - .../contributing/01-Proposals/MEP13/README.md | 111 -- .../contributing/01-Proposals/MEP14/README.md | 36 - .../contributing/01-Proposals/MEP16/README.md | 318 ----- .../MEP16/firewall-for-capms-overview.drawio | 4 - .../MEP16/firewall-for-capms-overview.svg | 1 - .../contributing/01-Proposals/MEP17/README.md | 61 - .../ha-initial-cluster.drawio | 535 -------- .../ha-initial-cluster.svg | 1 - ...stack-autonomous-control-plane-full.drawio | 1133 ----------------- ...al-stack-autonomous-control-plane-full.svg | 1 - .../metal-stack-chain.drawio | 404 ------ .../metal-stack-chain.svg | 1 - .../small-initial-cluster.drawio | 234 ---- .../small-initial-cluster.svg | 1 - .../contributing/01-Proposals/MEP2/README.md | 7 - .../contributing/01-Proposals/MEP3/README.md | 67 - .../contributing/01-Proposals/MEP4/README.md | 211 --- .../contributing/01-Proposals/MEP5/README.md | 54 - .../01-Proposals/MEP5/shared.drawio | 121 -- .../contributing/01-Proposals/MEP5/shared.png | Bin 49790 -> 0 bytes .../01-Proposals/MEP5/shared_advanced.drawio | 187 --- .../01-Proposals/MEP5/shared_advanced.png | Bin 90372 -> 0 bytes .../contributing/01-Proposals/MEP6/README.md | 123 -- .../MEP6/dmz-internet_private.drawio | 178 --- .../MEP6/dmz-internet_private.svg | 3 - .../MEP6/dmz-internet_public.drawio | 184 --- .../01-Proposals/MEP6/dmz-internet_public.svg | 3 - .../contributing/01-Proposals/MEP8/README.md | 503 -------- .../01-Proposals/MEP8/filesystems.drawio | 43 - .../01-Proposals/MEP8/filesystems.png | Bin 24073 -> 0 bytes .../contributing/01-Proposals/MEP9/README.md | 132 -- .../01-Proposals/MEP9/architecture.drawio | 324 ----- .../01-Proposals/MEP9/architecture.svg | 1 - .../contributing/01-Proposals/_category_.json | 4 - .../contributing/01-Proposals/index.md | 69 - .../contributing/02-planning-meetings.md | 51 - .../contributing/03-contribution-guideline.md | 147 --- .../contributing/04-release-flow.md | 107 -- .../contributing/05-community.md | 11 - .../version-v0.21.9/contributing/release.png | Bin 87019 -> 0 bytes .../contributing/release_flow.drawio | 721 ----------- .../contributing/release_flow.svg | 1 - .../02-General/04-flavors-of-metalstack.md | 2 +- .../04-For Operators/03-deployment-guide.md | 2 +- .../docs/05-Concepts/01-architecture.md | 2 +- .../docs/05-Concepts/02-user-management.md | 2 +- .../06-For CISOs/Security/01-principles.md | 2 +- .../Security/04-communication-matrix.md | 2 +- .../version-v0.21.9/docs/06-For CISOs/rbac.md | 2 +- .../docs/06-For CISOs/remote-access.md | 4 +- .../MEP1/Distributed-API-Working.png | Bin 53600 -> 0 bytes .../01-Proposals/MEP1/Distributed-API.png | Bin 49935 -> 0 bytes .../MEP1/Distributed-Deployment.png | Bin 34547 -> 0 bytes .../01-Proposals/MEP1/Distributed.drawio | 1 - .../01-Proposals/MEP1/Distributed.png | Bin 31547 -> 0 bytes .../contributing/01-Proposals/MEP1/README.md | 141 -- .../contributing/01-Proposals/MEP10/README.md | 197 --- .../contributing/01-Proposals/MEP11/README.md | 78 -- .../contributing/01-Proposals/MEP12/README.md | 34 - .../contributing/01-Proposals/MEP13/README.md | 111 -- .../contributing/01-Proposals/MEP14/README.md | 36 - .../contributing/01-Proposals/MEP16/README.md | 318 ----- .../MEP16/firewall-for-capms-overview.drawio | 4 - .../MEP16/firewall-for-capms-overview.svg | 1 - .../contributing/01-Proposals/MEP17/README.md | 61 - .../contributing/01-Proposals/MEP18/README.md | 147 --- .../ha-initial-cluster.drawio | 535 -------- .../ha-initial-cluster.svg | 1 - ...stack-autonomous-control-plane-full.drawio | 1133 ----------------- ...al-stack-autonomous-control-plane-full.svg | 1 - .../metal-stack-chain.drawio | 404 ------ .../metal-stack-chain.svg | 1 - .../small-initial-cluster.drawio | 234 ---- .../small-initial-cluster.svg | 1 - .../contributing/01-Proposals/MEP2/README.md | 7 - .../contributing/01-Proposals/MEP3/README.md | 67 - .../contributing/01-Proposals/MEP4/README.md | 211 --- .../contributing/01-Proposals/MEP5/README.md | 54 - .../01-Proposals/MEP5/shared.drawio | 121 -- .../contributing/01-Proposals/MEP5/shared.png | Bin 49790 -> 0 bytes .../01-Proposals/MEP5/shared_advanced.drawio | 187 --- .../01-Proposals/MEP5/shared_advanced.png | Bin 90372 -> 0 bytes .../contributing/01-Proposals/MEP6/README.md | 123 -- .../MEP6/dmz-internet_private.drawio | 178 --- .../MEP6/dmz-internet_private.svg | 3 - .../MEP6/dmz-internet_public.drawio | 184 --- .../01-Proposals/MEP6/dmz-internet_public.svg | 3 - .../contributing/01-Proposals/MEP8/README.md | 503 -------- .../01-Proposals/MEP8/filesystems.drawio | 43 - .../01-Proposals/MEP8/filesystems.png | Bin 24073 -> 0 bytes .../contributing/01-Proposals/MEP9/README.md | 132 -- .../01-Proposals/MEP9/architecture.drawio | 324 ----- .../01-Proposals/MEP9/architecture.svg | 1 - .../contributing/01-Proposals/_category_.json | 4 - .../contributing/01-Proposals/index.md | 69 - .../contributing/02-planning-meetings.mdx | 120 -- .../contributing/03-contribution-guideline.md | 147 --- .../contributing/04-release-flow.md | 107 -- .../contributing/05-community.md | 11 - .../version-v0.22.0/contributing/release.png | Bin 87019 -> 0 bytes .../contributing/release_flow.drawio | 721 ----------- .../contributing/release_flow.svg | 1 - .../02-General/04-flavors-of-metalstack.md | 2 +- .../04-For Operators/03-deployment-guide.mdx | 2 +- .../docs/05-Concepts/01-architecture.mdx | 2 +- .../docs/05-Concepts/02-user-management.md | 2 +- .../06-For CISOs/Security/01-principles.md | 2 +- .../Security/04-communication-matrix.md | 2 +- .../version-v0.22.0/docs/06-For CISOs/rbac.md | 2 +- .../docs/06-For CISOs/remote-access.md | 4 +- .../MEP1/Distributed-API-Working.png | Bin 53600 -> 0 bytes .../01-Proposals/MEP1/Distributed-API.png | Bin 49935 -> 0 bytes .../MEP1/Distributed-Deployment.png | Bin 34547 -> 0 bytes .../01-Proposals/MEP1/Distributed.drawio | 1 - .../01-Proposals/MEP1/Distributed.png | Bin 31547 -> 0 bytes .../contributing/01-Proposals/MEP1/README.md | 141 -- .../contributing/01-Proposals/MEP10/README.md | 197 --- .../contributing/01-Proposals/MEP11/README.md | 78 -- .../contributing/01-Proposals/MEP12/README.md | 34 - .../contributing/01-Proposals/MEP13/README.md | 111 -- .../contributing/01-Proposals/MEP14/README.md | 36 - .../contributing/01-Proposals/MEP16/README.md | 332 ----- .../MEP16/firewall-for-capms-overview.drawio | 4 - .../MEP16/firewall-for-capms-overview.svg | 1 - .../contributing/01-Proposals/MEP17/README.md | 61 - .../contributing/01-Proposals/MEP18/README.md | 147 --- .../ha-initial-cluster.drawio | 535 -------- .../ha-initial-cluster.svg | 1 - ...stack-autonomous-control-plane-full.drawio | 1133 ----------------- ...al-stack-autonomous-control-plane-full.svg | 1 - .../metal-stack-chain.drawio | 404 ------ .../metal-stack-chain.svg | 1 - .../small-initial-cluster.drawio | 234 ---- .../small-initial-cluster.svg | 1 - .../contributing/01-Proposals/MEP2/README.md | 7 - .../contributing/01-Proposals/MEP3/README.md | 67 - .../contributing/01-Proposals/MEP4/README.md | 211 --- .../contributing/01-Proposals/MEP5/README.md | 54 - .../01-Proposals/MEP5/shared.drawio | 121 -- .../contributing/01-Proposals/MEP5/shared.png | Bin 49790 -> 0 bytes .../01-Proposals/MEP5/shared_advanced.drawio | 187 --- .../01-Proposals/MEP5/shared_advanced.png | Bin 90372 -> 0 bytes .../contributing/01-Proposals/MEP6/README.md | 123 -- .../MEP6/dmz-internet_private.drawio | 178 --- .../MEP6/dmz-internet_private.svg | 3 - .../MEP6/dmz-internet_public.drawio | 184 --- .../01-Proposals/MEP6/dmz-internet_public.svg | 3 - .../contributing/01-Proposals/MEP8/README.md | 503 -------- .../01-Proposals/MEP8/filesystems.drawio | 43 - .../01-Proposals/MEP8/filesystems.png | Bin 24073 -> 0 bytes .../contributing/01-Proposals/MEP9/README.md | 132 -- .../01-Proposals/MEP9/architecture.drawio | 324 ----- .../01-Proposals/MEP9/architecture.svg | 1 - .../contributing/01-Proposals/_category_.json | 4 - .../contributing/01-Proposals/index.md | 69 - .../contributing/02-planning-meetings.mdx | 120 -- .../contributing/03-contribution-guideline.md | 147 --- .../contributing/04-release-flow.md | 107 -- .../contributing/05-community.md | 11 - .../version-v0.22.1/contributing/release.png | Bin 87019 -> 0 bytes .../contributing/release_flow.drawio | 721 ----------- .../contributing/release_flow.svg | 1 - .../02-General/04-flavors-of-metalstack.md | 2 +- .../04-For Operators/03-deployment-guide.mdx | 2 +- .../docs/05-Concepts/01-architecture.mdx | 2 +- .../docs/05-Concepts/02-user-management.md | 2 +- .../06-For CISOs/Security/01-principles.md | 2 +- .../Security/04-communication-matrix.md | 2 +- .../version-v0.22.1/docs/06-For CISOs/rbac.md | 2 +- .../docs/06-For CISOs/remote-access.md | 4 +- .../MEP1/Distributed-API-Working.png | Bin 53600 -> 0 bytes .../01-Proposals/MEP1/Distributed-API.png | Bin 49935 -> 0 bytes .../MEP1/Distributed-Deployment.png | Bin 34547 -> 0 bytes .../01-Proposals/MEP1/Distributed.drawio | 1 - .../01-Proposals/MEP1/Distributed.png | Bin 31547 -> 0 bytes .../contributing/01-Proposals/MEP1/README.md | 141 -- .../contributing/01-Proposals/MEP10/README.md | 197 --- .../contributing/01-Proposals/MEP11/README.md | 78 -- .../contributing/01-Proposals/MEP12/README.md | 34 - .../contributing/01-Proposals/MEP13/README.md | 111 -- .../contributing/01-Proposals/MEP14/README.md | 36 - .../contributing/01-Proposals/MEP16/README.md | 332 ----- .../MEP16/firewall-for-capms-overview.drawio | 4 - .../MEP16/firewall-for-capms-overview.svg | 1 - .../contributing/01-Proposals/MEP17/README.md | 61 - .../contributing/01-Proposals/MEP18/README.md | 147 --- .../ha-initial-cluster.drawio | 535 -------- .../ha-initial-cluster.svg | 1 - ...stack-autonomous-control-plane-full.drawio | 1133 ----------------- ...al-stack-autonomous-control-plane-full.svg | 1 - .../metal-stack-chain.drawio | 404 ------ .../metal-stack-chain.svg | 1 - .../small-initial-cluster.drawio | 234 ---- .../small-initial-cluster.svg | 1 - .../contributing/01-Proposals/MEP2/README.md | 7 - .../contributing/01-Proposals/MEP3/README.md | 67 - .../contributing/01-Proposals/MEP4/README.md | 211 --- .../contributing/01-Proposals/MEP5/README.md | 54 - .../01-Proposals/MEP5/shared.drawio | 121 -- .../contributing/01-Proposals/MEP5/shared.png | Bin 49790 -> 0 bytes .../01-Proposals/MEP5/shared_advanced.drawio | 187 --- .../01-Proposals/MEP5/shared_advanced.png | Bin 90372 -> 0 bytes .../contributing/01-Proposals/MEP6/README.md | 123 -- .../MEP6/dmz-internet_private.drawio | 178 --- .../MEP6/dmz-internet_private.svg | 3 - .../MEP6/dmz-internet_public.drawio | 184 --- .../01-Proposals/MEP6/dmz-internet_public.svg | 3 - .../contributing/01-Proposals/MEP8/README.md | 503 -------- .../01-Proposals/MEP8/filesystems.drawio | 43 - .../01-Proposals/MEP8/filesystems.png | Bin 24073 -> 0 bytes .../contributing/01-Proposals/MEP9/README.md | 132 -- .../01-Proposals/MEP9/architecture.drawio | 324 ----- .../01-Proposals/MEP9/architecture.svg | 1 - .../contributing/01-Proposals/_category_.json | 4 - .../contributing/01-Proposals/index.md | 69 - .../contributing/02-planning-meetings.mdx | 120 -- .../contributing/03-contribution-guideline.md | 145 --- .../contributing/04-release-flow.md | 100 -- .../contributing/05-community.md | 11 - .../version-v0.22.2/contributing/release.png | Bin 87019 -> 0 bytes .../contributing/release_flow.drawio | 721 ----------- .../contributing/release_flow.svg | 1 - .../02-General/04-flavors-of-metalstack.md | 2 +- .../04-For Operators/03-deployment-guide.mdx | 2 +- .../docs/05-Concepts/01-architecture.mdx | 2 +- .../docs/05-Concepts/02-user-management.md | 2 +- .../06-For CISOs/Security/01-principles.md | 2 +- .../Security/04-communication-matrix.md | 2 +- .../version-v0.22.2/docs/06-For CISOs/rbac.md | 2 +- .../docs/06-For CISOs/remote-access.md | 4 +- .../MEP1/Distributed-API-Working.png | Bin 53600 -> 0 bytes .../01-Proposals/MEP1/Distributed-API.png | Bin 49935 -> 0 bytes .../MEP1/Distributed-Deployment.png | Bin 34547 -> 0 bytes .../01-Proposals/MEP1/Distributed.drawio | 1 - .../01-Proposals/MEP1/Distributed.png | Bin 31547 -> 0 bytes .../contributing/01-Proposals/MEP1/README.md | 141 -- .../contributing/01-Proposals/MEP10/README.md | 197 --- .../contributing/01-Proposals/MEP11/README.md | 78 -- .../contributing/01-Proposals/MEP12/README.md | 34 - .../contributing/01-Proposals/MEP13/README.md | 111 -- .../contributing/01-Proposals/MEP14/README.md | 36 - .../contributing/01-Proposals/MEP16/README.md | 332 ----- .../MEP16/firewall-for-capms-overview.drawio | 4 - .../MEP16/firewall-for-capms-overview.svg | 1 - .../contributing/01-Proposals/MEP17/README.md | 61 - .../contributing/01-Proposals/MEP18/README.md | 147 --- .../ha-initial-cluster.drawio | 535 -------- .../ha-initial-cluster.svg | 1 - ...stack-autonomous-control-plane-full.drawio | 1133 ----------------- ...al-stack-autonomous-control-plane-full.svg | 1 - .../metal-stack-chain.drawio | 404 ------ .../metal-stack-chain.svg | 1 - .../small-initial-cluster.drawio | 234 ---- .../small-initial-cluster.svg | 1 - .../contributing/01-Proposals/MEP2/README.md | 7 - .../contributing/01-Proposals/MEP3/README.md | 67 - .../contributing/01-Proposals/MEP4/README.md | 211 --- .../contributing/01-Proposals/MEP5/README.md | 54 - .../01-Proposals/MEP5/shared.drawio | 121 -- .../contributing/01-Proposals/MEP5/shared.png | Bin 49790 -> 0 bytes .../01-Proposals/MEP5/shared_advanced.drawio | 187 --- .../01-Proposals/MEP5/shared_advanced.png | Bin 90372 -> 0 bytes .../contributing/01-Proposals/MEP6/README.md | 123 -- .../MEP6/dmz-internet_private.drawio | 178 --- .../MEP6/dmz-internet_private.svg | 3 - .../MEP6/dmz-internet_public.drawio | 184 --- .../01-Proposals/MEP6/dmz-internet_public.svg | 3 - .../contributing/01-Proposals/MEP8/README.md | 503 -------- .../01-Proposals/MEP8/filesystems.drawio | 43 - .../01-Proposals/MEP8/filesystems.png | Bin 24073 -> 0 bytes .../contributing/01-Proposals/MEP9/README.md | 132 -- .../01-Proposals/MEP9/architecture.drawio | 324 ----- .../01-Proposals/MEP9/architecture.svg | 1 - .../contributing/01-Proposals/_category_.json | 4 - .../contributing/01-Proposals/index.md | 69 - .../contributing/02-planning-meetings.mdx | 120 -- .../contributing/03-contribution-guideline.md | 145 --- .../contributing/04-release-flow.md | 100 -- .../contributing/05-community.md | 11 - .../version-v0.22.3/contributing/release.png | Bin 87019 -> 0 bytes .../contributing/release_flow.drawio | 721 ----------- .../contributing/release_flow.svg | 1 - .../02-General/04-flavors-of-metalstack.md | 2 +- .../04-For Operators/03-deployment-guide.mdx | 2 +- .../docs/05-Concepts/01-architecture.mdx | 2 +- .../docs/05-Concepts/02-user-management.md | 2 +- .../06-For CISOs/Security/01-principles.md | 2 +- .../Security/04-communication-matrix.md | 2 +- .../version-v0.22.3/docs/06-For CISOs/rbac.md | 2 +- .../docs/06-For CISOs/remote-access.md | 4 +- .../MEP1/Distributed-API-Working.png | Bin 53600 -> 0 bytes .../01-Proposals/MEP1/Distributed-API.png | Bin 49935 -> 0 bytes .../MEP1/Distributed-Deployment.png | Bin 34547 -> 0 bytes .../01-Proposals/MEP1/Distributed.drawio | 1 - .../01-Proposals/MEP1/Distributed.png | Bin 31547 -> 0 bytes .../contributing/01-Proposals/MEP1/README.md | 141 -- .../contributing/01-Proposals/MEP10/README.md | 197 --- .../contributing/01-Proposals/MEP11/README.md | 78 -- .../contributing/01-Proposals/MEP12/README.md | 34 - .../contributing/01-Proposals/MEP13/README.md | 111 -- .../contributing/01-Proposals/MEP14/README.md | 36 - .../contributing/01-Proposals/MEP16/README.md | 332 ----- .../MEP16/firewall-for-capms-overview.drawio | 4 - .../MEP16/firewall-for-capms-overview.svg | 1 - .../contributing/01-Proposals/MEP17/README.md | 61 - .../contributing/01-Proposals/MEP18/README.md | 147 --- .../ha-initial-cluster.drawio | 535 -------- .../ha-initial-cluster.svg | 1 - ...stack-autonomous-control-plane-full.drawio | 1133 ----------------- ...al-stack-autonomous-control-plane-full.svg | 1 - .../metal-stack-chain.drawio | 404 ------ .../metal-stack-chain.svg | 1 - .../small-initial-cluster.drawio | 234 ---- .../small-initial-cluster.svg | 1 - .../contributing/01-Proposals/MEP2/README.md | 7 - .../contributing/01-Proposals/MEP3/README.md | 67 - .../contributing/01-Proposals/MEP4/README.md | 211 --- .../contributing/01-Proposals/MEP5/README.md | 54 - .../01-Proposals/MEP5/shared.drawio | 121 -- .../contributing/01-Proposals/MEP5/shared.png | Bin 49790 -> 0 bytes .../01-Proposals/MEP5/shared_advanced.drawio | 187 --- .../01-Proposals/MEP5/shared_advanced.png | Bin 90372 -> 0 bytes .../contributing/01-Proposals/MEP6/README.md | 123 -- .../MEP6/dmz-internet_private.drawio | 178 --- .../MEP6/dmz-internet_private.svg | 3 - .../MEP6/dmz-internet_public.drawio | 184 --- .../01-Proposals/MEP6/dmz-internet_public.svg | 3 - .../contributing/01-Proposals/MEP8/README.md | 503 -------- .../01-Proposals/MEP8/filesystems.drawio | 43 - .../01-Proposals/MEP8/filesystems.png | Bin 24073 -> 0 bytes .../contributing/01-Proposals/MEP9/README.md | 132 -- .../01-Proposals/MEP9/architecture.drawio | 324 ----- .../01-Proposals/MEP9/architecture.svg | 1 - .../contributing/01-Proposals/_category_.json | 4 - .../contributing/01-Proposals/index.md | 69 - .../contributing/02-planning-meetings.mdx | 120 -- .../contributing/03-contribution-guideline.md | 145 --- .../contributing/04-release-flow.md | 110 -- .../contributing/05-oci-artifacts.md | 39 - .../contributing/06-community.md | 11 - .../version-v0.22.4/contributing/release.png | Bin 87019 -> 0 bytes .../contributing/release_flow.drawio | 721 ----------- .../contributing/release_flow.svg | 1 - .../02-General/04-flavors-of-metalstack.md | 2 +- .../04-For Operators/03-deployment-guide.mdx | 4 +- .../docs/05-Concepts/01-architecture.mdx | 2 +- .../docs/05-Concepts/02-user-management.md | 2 +- .../06-For CISOs/Security/01-principles.md | 2 +- .../Security/04-communication-matrix.md | 2 +- .../version-v0.22.4/docs/06-For CISOs/rbac.md | 2 +- .../docs/06-For CISOs/remote-access.md | 4 +- .../version-v0.21.10-sidebars.json | 6 - .../version-v0.21.11-sidebars.json | 6 - .../version-v0.21.8-sidebars.json | 6 - .../version-v0.21.9-sidebars.json | 6 - .../version-v0.22.0-sidebars.json | 6 - .../version-v0.22.1-sidebars.json | 6 - .../version-v0.22.2-sidebars.json | 6 - .../version-v0.22.3-sidebars.json | 6 - .../version-v0.22.4-sidebars.json | 6 - 929 files changed, 159 insertions(+), 60858 deletions(-) rename {docs/contributing => community}/01-community.md (98%) rename {docs/contributing => community}/02-contribution-guideline.md (100%) rename {docs/contributing => community}/03-roadmap.mdx (100%) rename {docs/contributing => community}/04-Proposals/MEP1/Distributed-API-Working.png (100%) rename {docs/contributing => community}/04-Proposals/MEP1/Distributed-API.png (100%) rename {docs/contributing => community}/04-Proposals/MEP1/Distributed-Deployment.png (100%) rename {docs/contributing => community}/04-Proposals/MEP1/Distributed.drawio (100%) rename {docs/contributing => community}/04-Proposals/MEP1/Distributed.png (100%) rename {docs/contributing => community}/04-Proposals/MEP1/README.md (100%) rename {docs/contributing => community}/04-Proposals/MEP10/README.md (100%) rename {docs/contributing => community}/04-Proposals/MEP11/README.md (100%) rename {docs/contributing => community}/04-Proposals/MEP12/README.md (100%) rename {docs/contributing => community}/04-Proposals/MEP13/README.md (100%) rename {docs/contributing => community}/04-Proposals/MEP14/README.md (100%) rename {docs/contributing => community}/04-Proposals/MEP16/README.md (100%) rename {docs/contributing => community}/04-Proposals/MEP16/firewall-for-capms-overview.drawio (100%) rename {docs/contributing => community}/04-Proposals/MEP16/firewall-for-capms-overview.svg (100%) rename {docs/contributing => community}/04-Proposals/MEP17/README.md (100%) rename {versioned_docs/version-v0.21.9/contributing/01-Proposals => community/04-Proposals}/MEP18/README.md (98%) rename {docs/contributing => community}/04-Proposals/MEP18/autonomous-control-plane-images/ha-initial-cluster.drawio (100%) rename {docs/contributing => community}/04-Proposals/MEP18/autonomous-control-plane-images/ha-initial-cluster.svg (100%) rename {docs/contributing => community}/04-Proposals/MEP18/autonomous-control-plane-images/metal-stack-autonomous-control-plane-full.drawio (100%) rename {docs/contributing => community}/04-Proposals/MEP18/autonomous-control-plane-images/metal-stack-autonomous-control-plane-full.svg (100%) rename {docs/contributing => community}/04-Proposals/MEP18/autonomous-control-plane-images/metal-stack-chain.drawio (100%) rename {docs/contributing => community}/04-Proposals/MEP18/autonomous-control-plane-images/metal-stack-chain.svg (100%) rename {docs/contributing => community}/04-Proposals/MEP18/autonomous-control-plane-images/small-initial-cluster.drawio (100%) rename {docs/contributing => community}/04-Proposals/MEP18/autonomous-control-plane-images/small-initial-cluster.svg (100%) rename {docs/contributing => community}/04-Proposals/MEP2/README.md (100%) rename {docs/contributing => community}/04-Proposals/MEP3/README.md (100%) rename {docs/contributing => community}/04-Proposals/MEP4/README.md (100%) rename {docs/contributing => community}/04-Proposals/MEP5/README.md (100%) rename {docs/contributing => community}/04-Proposals/MEP5/shared.drawio (100%) rename {docs/contributing => community}/04-Proposals/MEP5/shared.png (100%) rename {docs/contributing => community}/04-Proposals/MEP5/shared_advanced.drawio (100%) rename {docs/contributing => community}/04-Proposals/MEP5/shared_advanced.png (100%) rename {docs/contributing => community}/04-Proposals/MEP6/README.md (100%) rename {docs/contributing => community}/04-Proposals/MEP6/dmz-internet_private.drawio (100%) rename {docs/contributing => community}/04-Proposals/MEP6/dmz-internet_private.svg (100%) rename {docs/contributing => community}/04-Proposals/MEP6/dmz-internet_public.drawio (100%) rename {docs/contributing => community}/04-Proposals/MEP6/dmz-internet_public.svg (100%) rename {docs/contributing => community}/04-Proposals/MEP8/README.md (100%) rename {docs/contributing => community}/04-Proposals/MEP8/filesystems.drawio (100%) rename {docs/contributing => community}/04-Proposals/MEP8/filesystems.png (100%) rename {docs/contributing => community}/04-Proposals/MEP9/README.md (100%) rename {docs/contributing => community}/04-Proposals/MEP9/architecture.drawio (100%) rename {docs/contributing => community}/04-Proposals/MEP9/architecture.svg (100%) rename {docs/contributing => community}/04-Proposals/_category_.json (100%) rename {docs/contributing => community}/04-Proposals/index.md (100%) rename {docs/contributing => community}/05-release-flow.md (100%) rename {docs/contributing => community}/06-oci-artifacts.md (100%) rename {docs/contributing => community}/release.png (100%) rename {docs/contributing => community}/release_flow.drawio (100%) rename {docs/contributing => community}/release_flow.svg (100%) rename docs/{docs => }/01-home.md (100%) rename docs/{docs => }/02-General/01-quickstart.md (100%) rename docs/{docs => }/02-General/02-why metal stack.md (100%) rename docs/{docs => }/02-General/03-why bare metal.md (100%) rename docs/{docs => }/02-General/04-flavors-of-metalstack.md (89%) rename docs/{docs => }/03-For Users/01-client_libraries.md (100%) rename docs/{docs => }/04-For Operators/01-hardware.md (100%) rename docs/{docs => }/04-For Operators/02-operating-systems.md (100%) rename docs/{docs => }/04-For Operators/03-deployment-guide.mdx (98%) rename docs/{docs => }/04-For Operators/04-maintenance.md (100%) rename docs/{docs => }/04-For Operators/05-monitoring.md (100%) rename docs/{docs => }/04-For Operators/06-troubleshoot.md (100%) rename docs/{docs => }/04-For Operators/mgmt_net_layer3.drawio (100%) rename docs/{docs => }/04-For Operators/mgmt_net_layer3.png (100%) rename docs/{docs => }/04-For Operators/monitoring-stack.svg (100%) rename docs/{docs => }/04-For Operators/starter.jpg (100%) rename docs/{docs => }/05-Concepts/01-architecture.mdx (99%) rename docs/{docs => }/05-Concepts/02-user-management.md (98%) rename docs/{docs => }/05-Concepts/03-Network/01-theory.md (100%) rename docs/{docs => }/05-Concepts/03-Network/02-firewalls.md (100%) rename docs/{docs => }/05-Concepts/03-Network/03-tailscale.md (100%) rename docs/{docs => }/05-Concepts/03-Network/2-layer-leaf-spine.drawio (100%) rename docs/{docs => }/05-Concepts/03-Network/2-layer-leaf-spine.svg (100%) rename docs/{docs => }/05-Concepts/03-Network/3-layer-leaf-spine.drawio (100%) rename docs/{docs => }/05-Concepts/03-Network/3-layer-leaf-spine.svg (100%) rename docs/{docs => }/05-Concepts/03-Network/evpn-vtep.drawio (100%) rename docs/{docs => }/05-Concepts/03-Network/evpn-vtep.svg (100%) rename docs/{docs => }/05-Concepts/03-Network/network-physical-wiring.drawio (100%) rename docs/{docs => }/05-Concepts/03-Network/network-physical-wiring.svg (100%) rename docs/{docs => }/05-Concepts/03-Network/network-vrfs.drawio (100%) rename docs/{docs => }/05-Concepts/03-Network/network-vrfs.svg (100%) rename docs/{docs => }/05-Concepts/03-Network/tailscale-authkeys.png (100%) rename docs/{docs => }/05-Concepts/03-Network/tailscale-devices.png (100%) rename docs/{docs => }/05-Concepts/03-Network/vrf-simple.drawio (100%) rename docs/{docs => }/05-Concepts/03-Network/vrf-simple.svg (100%) rename docs/{docs => }/05-Concepts/04-Kubernetes/01-gardener.md (100%) rename docs/{docs => }/05-Concepts/04-Kubernetes/02-cluster-api.md (100%) rename docs/{docs => }/05-Concepts/04-Kubernetes/03-cloud-controller-manager.md (100%) rename docs/{docs => }/05-Concepts/04-Kubernetes/04-firewall-controller-manager.md (100%) rename docs/{docs => }/05-Concepts/04-Kubernetes/05-isolated-clusters.md (100%) rename docs/{docs => }/05-Concepts/04-Kubernetes/06-gpu-workers.md (100%) rename docs/{docs => }/05-Concepts/04-Kubernetes/07-storage.md (100%) rename docs/{docs => }/05-Concepts/04-Kubernetes/isolated-kubernetes.drawio (100%) rename docs/{docs => }/05-Concepts/04-Kubernetes/isolated-kubernetes.svg (100%) rename docs/{docs => }/05-Concepts/assets/2-layer-leaf-spine.svg (100%) rename docs/{docs => }/05-Concepts/assets/3-layer-leaf-spine.svg (100%) rename docs/{docs => }/05-Concepts/assets/evpn-vtep.svg (100%) rename docs/{docs => }/05-Concepts/assets/isolated-kubernetes.drawio (100%) rename docs/{docs => }/05-Concepts/assets/isolated-kubernetes.svg (100%) rename docs/{docs => }/05-Concepts/assets/metal-stack-architecture.drawio (100%) rename docs/{docs => }/05-Concepts/assets/metal-stack-architecture.svg (100%) rename docs/{docs => }/05-Concepts/assets/metal-stack-control-plane.svg (100%) rename docs/{docs => }/05-Concepts/assets/metal-stack-partition.svg (100%) rename docs/{docs => }/05-Concepts/assets/network-physical-wiring.drawio (100%) rename docs/{docs => }/05-Concepts/assets/network-physical-wiring.svg (100%) rename docs/{docs => }/05-Concepts/assets/network-vrfs.drawio (100%) rename docs/{docs => }/05-Concepts/assets/network-vrfs.svg (100%) rename docs/{docs => }/05-Concepts/assets/provisioning_sequence.drawio (100%) rename docs/{docs => }/05-Concepts/assets/provisioning_sequence.svg (100%) rename docs/{docs => }/05-Concepts/assets/vrf-simple.svg (100%) rename docs/{docs => }/06-For CISOs/Security/01-principles.md (98%) rename docs/{docs => }/06-For CISOs/Security/02-sbom.md (100%) rename docs/{docs => }/06-For CISOs/Security/03-cryptography.md (100%) rename docs/{docs => }/06-For CISOs/Security/04-communication-matrix.md (99%) rename docs/{docs => }/06-For CISOs/artifacts-signing.md (100%) rename docs/{docs => }/06-For CISOs/integration-checks.md (100%) rename docs/{docs => }/06-For CISOs/network.md (100%) rename docs/{docs => }/06-For CISOs/rbac.md (90%) rename docs/{docs => }/06-For CISOs/remote-access.md (88%) rename docs/{docs => }/06-For CISOs/security-vulnerability.md (100%) rename docs/{docs => }/07-Release Notes/v0.18/v0.18.10.md (100%) rename docs/{docs => }/07-Release Notes/v0.18/v0.18.11.md (100%) rename docs/{docs => }/07-Release Notes/v0.18/v0.18.12.md (100%) rename docs/{docs => }/07-Release Notes/v0.18/v0.18.13.md (100%) rename docs/{docs => }/07-Release Notes/v0.18/v0.18.14.md (100%) rename docs/{docs => }/07-Release Notes/v0.18/v0.18.15.md (100%) rename docs/{docs => }/07-Release Notes/v0.18/v0.18.16.md (100%) rename docs/{docs => }/07-Release Notes/v0.18/v0.18.17.md (100%) rename docs/{docs => }/07-Release Notes/v0.18/v0.18.18.md (100%) rename docs/{docs => }/07-Release Notes/v0.19/v0.19.0.md (100%) rename docs/{docs => }/07-Release Notes/v0.19/v0.19.1.md (100%) rename docs/{docs => }/07-Release Notes/v0.19/v0.19.2.md (100%) rename docs/{docs => }/07-Release Notes/v0.19/v0.19.3.md (100%) rename docs/{docs => }/07-Release Notes/v0.19/v0.19.4.md (100%) rename docs/{docs => }/07-Release Notes/v0.19/v0.19.5.md (100%) rename docs/{docs => }/07-Release Notes/v0.19/v0.19.6.md (100%) rename docs/{docs => }/07-Release Notes/v0.19/v0.19.7.md (100%) rename docs/{docs => }/07-Release Notes/v0.19/v0.19.8.md (100%) rename docs/{docs => }/07-Release Notes/v0.20/v0.20.0.md (100%) rename docs/{docs => }/07-Release Notes/v0.20/v0.20.1.md (100%) rename docs/{docs => }/07-Release Notes/v0.20/v0.20.2.md (100%) rename docs/{docs => }/07-Release Notes/v0.21/v0.21.0.md (100%) rename docs/{docs => }/07-Release Notes/v0.21/v0.21.1.md (90%) rename docs/{docs => }/07-Release Notes/v0.21/v0.21.10.md (100%) rename docs/{docs => }/07-Release Notes/v0.21/v0.21.11.md (100%) rename docs/{docs => }/07-Release Notes/v0.21/v0.21.2.md (100%) rename docs/{docs => }/07-Release Notes/v0.21/v0.21.3.md (100%) rename docs/{docs => }/07-Release Notes/v0.21/v0.21.4.md (100%) rename docs/{docs => }/07-Release Notes/v0.21/v0.21.5.md (100%) rename docs/{docs => }/07-Release Notes/v0.21/v0.21.6.md (100%) rename docs/{docs => }/07-Release Notes/v0.21/v0.21.7.md (100%) rename docs/{docs => }/07-Release Notes/v0.21/v0.21.8.md (100%) rename docs/{docs => }/07-Release Notes/v0.21/v0.21.9.md (100%) rename docs/{docs => }/07-Release Notes/v0.22/v0.22.0.md (100%) rename docs/{docs => }/07-Release Notes/v0.22/v0.22.1.md (100%) rename docs/{docs => }/07-Release Notes/v0.22/v0.22.2.md (100%) rename docs/{docs => }/07-Release Notes/v0.22/v0.22.3.md (100%) rename docs/{docs => }/07-Release Notes/v0.22/v0.22.4.md (100%) rename docs/{docs => }/08-References/API/index.mdx (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_audit.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_audit_describe.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_audit_list.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_completion.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_completion_bash.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_completion_fish.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_completion_powershell.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_completion_zsh.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_context.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_context_short.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_filesystemlayout.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_filesystemlayout_apply.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_filesystemlayout_create.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_filesystemlayout_delete.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_filesystemlayout_describe.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_filesystemlayout_edit.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_filesystemlayout_list.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_filesystemlayout_match.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_filesystemlayout_try.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_filesystemlayout_update.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_firewall.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_firewall_create.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_firewall_describe.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_firewall_list.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_firewall_ssh.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_firmware.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_firmware_delete.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_firmware_list.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_firmware_upload.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_firmware_upload_bios.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_firmware_upload_bmc.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_health.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_image.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_image_apply.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_image_create.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_image_delete.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_image_describe.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_image_edit.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_image_list.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_image_update.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_login.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_logout.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_machine.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_machine_apply.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_machine_console.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_machine_consolepassword.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_machine_create.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_machine_delete.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_machine_describe.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_machine_edit.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_machine_identify.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_machine_identify_off.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_machine_identify_on.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_machine_ipmi.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_machine_ipmi_events.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_machine_issues.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_machine_issues_list.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_machine_list.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_machine_lock.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_machine_logs.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_machine_power.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_machine_power_bios.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_machine_power_cycle.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_machine_power_disk.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_machine_power_off.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_machine_power_on.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_machine_power_pxe.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_machine_power_reset.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_machine_reinstall.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_machine_reserve.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_machine_update-firmware.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_machine_update-firmware_bios.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_machine_update-firmware_bmc.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_machine_update.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_markdown.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_network.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_network_allocate.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_network_apply.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_network_create.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_network_delete.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_network_describe.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_network_edit.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_network_free.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_network_ip.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_network_ip_apply.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_network_ip_create.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_network_ip_delete.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_network_ip_describe.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_network_ip_edit.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_network_ip_issues.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_network_ip_list.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_network_ip_update.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_network_list.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_network_update.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_partition.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_partition_apply.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_partition_capacity.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_partition_create.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_partition_delete.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_partition_describe.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_partition_edit.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_partition_list.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_partition_update.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_project.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_project_apply.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_project_create.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_project_delete.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_project_describe.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_project_edit.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_project_list.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_project_update.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_size.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_size_apply.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_size_create.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_size_delete.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_size_describe.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_size_edit.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_size_imageconstraint.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_size_imageconstraint_apply.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_size_imageconstraint_create.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_size_imageconstraint_delete.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_size_imageconstraint_describe.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_size_imageconstraint_edit.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_size_imageconstraint_list.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_size_imageconstraint_try.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_size_imageconstraint_update.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_size_list.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_size_reservation.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_size_reservation_apply.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_size_reservation_create.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_size_reservation_delete.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_size_reservation_describe.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_size_reservation_edit.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_size_reservation_list.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_size_reservation_update.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_size_reservation_usage.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_size_suggest.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_size_update.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_switch.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_switch_connected-machines.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_switch_console.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_switch_delete.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_switch_describe.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_switch_detail.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_switch_edit.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_switch_list.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_switch_migrate.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_switch_port.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_switch_port_describe.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_switch_port_down.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_switch_port_up.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_switch_replace.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_switch_ssh.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_switch_update.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_tenant.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_tenant_apply.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_tenant_create.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_tenant_delete.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_tenant_describe.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_tenant_edit.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_tenant_list.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_tenant_update.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_update.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_update_check.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_update_do.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_version.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_vpn.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_vpn_key.md (100%) rename docs/{docs => }/08-References/Clients/metalctl/metalctl_whoami.md (100%) rename docs/{docs => }/08-References/Control Plane/backup-restore-sidecar/assets/sequence.drawio.svg (100%) rename docs/{docs => }/08-References/Control Plane/backup-restore-sidecar/backup-restore-sidecar.md (100%) rename docs/{docs => }/08-References/Control Plane/backup-restore-sidecar/manual_restore.md (100%) rename docs/{docs => }/08-References/Control Plane/go-ipam/go-ipam.md (100%) rename docs/{docs => }/08-References/Control Plane/masterdata-api/masterdata-api.md (100%) rename docs/{docs => }/08-References/Control Plane/metal-api/metal-api.md (100%) rename docs/{docs => }/08-References/Control Plane/metal-console/metal-console.md (100%) rename docs/{docs => }/08-References/Deployment/helm-charts/helm-charts.md (100%) rename docs/{docs => }/08-References/Deployment/metal-images/ARCHITECTURE.md (100%) rename docs/{docs => }/08-References/Deployment/metal-images/IMAGE_STORE.md (100%) rename docs/{docs => }/08-References/Deployment/metal-images/metal-images.md (100%) rename docs/{docs => }/08-References/Deployment/mini-lab/assets/network.svg (100%) rename docs/{docs => }/08-References/Deployment/mini-lab/assets/overview.drawio.svg (100%) rename docs/{docs => }/08-References/Deployment/mini-lab/assets/overview.png (100%) rename docs/{docs => }/08-References/Deployment/mini-lab/mini-lab.md (100%) rename docs/{docs => }/08-References/Gardener/gardener-extension-audit/gardener-extension-audit.md (100%) rename docs/{docs => }/08-References/Gardener/gardener-extension-csi-driver-lvm/gardener-extension-csi-driver-lvm.md (100%) rename docs/{docs => }/08-References/Gardener/gardener-extension-csi-driver-lvm/migration.md (100%) rename docs/{docs => }/08-References/Gardener/gardener-extension-ontap/gardener-extension-ontap.md (100%) rename docs/{docs => }/08-References/Gardener/gardener-vpn-gateway/gardener-vpn-gateway.md (100%) rename docs/{docs => }/08-References/Gardener/os-metal-extension/os-metal-extension.md (100%) rename docs/{docs => }/08-References/Kubernetes/cluster-api-provider-metal-stack/DEVELOPMENT.md (100%) rename docs/{docs => }/08-References/Kubernetes/cluster-api-provider-metal-stack/cluster-api-provider-metal-stack.md (100%) rename docs/{docs => }/08-References/Kubernetes/droptailer/droptailer.md (100%) rename docs/{docs => }/08-References/Kubernetes/firewall-controller-manager/firewall-controller-manager.md (100%) rename docs/{docs => }/08-References/Kubernetes/firewall-controller/assets/architecture.drawio.svg (100%) rename docs/{docs => }/08-References/Kubernetes/firewall-controller/firewall-controller.md (100%) rename docs/{docs => }/08-References/Kubernetes/metal-ccm/metal-ccm.md (100%) rename docs/{docs => }/08-References/Monitoring/metal-metrics-exporter/metal-metrics-exporter.md (100%) rename docs/{docs => }/08-References/Monitoring/nftables-exporter/nftables-exporter.md (100%) rename docs/{docs => }/08-References/Monitoring/rethinkdb-exporter/assets/grafana.png (100%) rename docs/{docs => }/08-References/Monitoring/rethinkdb-exporter/rethinkdb-exporter.md (100%) rename docs/{docs => }/08-References/Partition/go-hal/go-hal.md (100%) rename docs/{docs => }/08-References/Partition/metal-bmc/metal-bmc.md (100%) rename docs/{docs => }/08-References/Partition/metal-core/metal-core.md (100%) rename docs/{docs => }/08-References/Partition/metal-hammer/metal-hammer.md (100%) rename docs/{docs => }/08-References/Partition/pixie/pixie.md (100%) rename docs/{docs => }/08-References/Storage/csi-driver-lvm/csi-driver-lvm.md (100%) rename docs/{docs => }/08-References/Storage/duros-controller/MULTITENANCY.md (100%) rename docs/{docs => }/08-References/Storage/duros-controller/assets/architecture.drawio.svg (100%) rename docs/{docs => }/08-References/Storage/duros-controller/assets/dataplane.drawio.svg (100%) rename docs/{docs => }/08-References/Storage/duros-controller/assets/nvme-over-tcp.jpg (100%) rename docs/{docs => }/08-References/Storage/duros-controller/duros-controller.md (100%) delete mode 100644 docs/contributing/04-Proposals/MEP18/README.md create mode 100644 sidebars-community.ts rename sidebars.ts => sidebars-docs.ts (82%) delete mode 100644 versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP1/Distributed-API-Working.png delete mode 100644 versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP1/Distributed-API.png delete mode 100644 versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP1/Distributed-Deployment.png delete mode 100644 versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP1/Distributed.drawio delete mode 100644 versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP1/Distributed.png delete mode 100644 versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP1/README.md delete mode 100644 versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP10/README.md delete mode 100644 versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP11/README.md delete mode 100644 versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP12/README.md delete mode 100644 versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP13/README.md delete mode 100644 versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP14/README.md delete mode 100644 versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP16/README.md delete mode 100644 versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP16/firewall-for-capms-overview.drawio delete mode 100644 versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP16/firewall-for-capms-overview.svg delete mode 100644 versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP17/README.md delete mode 100644 versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP18/README.md delete mode 100644 versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP18/autonomous-control-plane-images/ha-initial-cluster.drawio delete mode 100644 versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP18/autonomous-control-plane-images/ha-initial-cluster.svg delete mode 100644 versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-autonomous-control-plane-full.drawio delete mode 100644 versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-autonomous-control-plane-full.svg delete mode 100644 versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-chain.drawio delete mode 100644 versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-chain.svg delete mode 100644 versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP18/autonomous-control-plane-images/small-initial-cluster.drawio delete mode 100644 versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP18/autonomous-control-plane-images/small-initial-cluster.svg delete mode 100644 versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP2/README.md delete mode 100644 versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP3/README.md delete mode 100644 versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP4/README.md delete mode 100644 versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP5/README.md delete mode 100644 versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP5/shared.drawio delete mode 100644 versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP5/shared.png delete mode 100644 versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP5/shared_advanced.drawio delete mode 100644 versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP5/shared_advanced.png delete mode 100644 versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP6/README.md delete mode 100644 versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP6/dmz-internet_private.drawio delete mode 100644 versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP6/dmz-internet_private.svg delete mode 100644 versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP6/dmz-internet_public.drawio delete mode 100644 versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP6/dmz-internet_public.svg delete mode 100644 versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP8/README.md delete mode 100644 versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP8/filesystems.drawio delete mode 100644 versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP8/filesystems.png delete mode 100644 versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP9/README.md delete mode 100644 versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP9/architecture.drawio delete mode 100644 versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP9/architecture.svg delete mode 100644 versioned_docs/version-v0.21.10/contributing/01-Proposals/_category_.json delete mode 100644 versioned_docs/version-v0.21.10/contributing/01-Proposals/index.md delete mode 100644 versioned_docs/version-v0.21.10/contributing/02-planning-meetings.md delete mode 100644 versioned_docs/version-v0.21.10/contributing/03-contribution-guideline.md delete mode 100644 versioned_docs/version-v0.21.10/contributing/04-release-flow.md delete mode 100644 versioned_docs/version-v0.21.10/contributing/05-community.md delete mode 100644 versioned_docs/version-v0.21.10/contributing/release.png delete mode 100644 versioned_docs/version-v0.21.10/contributing/release_flow.drawio delete mode 100644 versioned_docs/version-v0.21.10/contributing/release_flow.svg delete mode 100644 versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP1/Distributed-API-Working.png delete mode 100644 versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP1/Distributed-API.png delete mode 100644 versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP1/Distributed-Deployment.png delete mode 100644 versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP1/Distributed.drawio delete mode 100644 versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP1/Distributed.png delete mode 100644 versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP1/README.md delete mode 100644 versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP10/README.md delete mode 100644 versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP11/README.md delete mode 100644 versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP12/README.md delete mode 100644 versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP13/README.md delete mode 100644 versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP14/README.md delete mode 100644 versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP16/README.md delete mode 100644 versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP16/firewall-for-capms-overview.drawio delete mode 100644 versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP16/firewall-for-capms-overview.svg delete mode 100644 versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP17/README.md delete mode 100644 versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP18/README.md delete mode 100644 versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP18/autonomous-control-plane-images/ha-initial-cluster.drawio delete mode 100644 versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP18/autonomous-control-plane-images/ha-initial-cluster.svg delete mode 100644 versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-autonomous-control-plane-full.drawio delete mode 100644 versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-autonomous-control-plane-full.svg delete mode 100644 versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-chain.drawio delete mode 100644 versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-chain.svg delete mode 100644 versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP18/autonomous-control-plane-images/small-initial-cluster.drawio delete mode 100644 versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP18/autonomous-control-plane-images/small-initial-cluster.svg delete mode 100644 versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP2/README.md delete mode 100644 versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP3/README.md delete mode 100644 versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP4/README.md delete mode 100644 versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP5/README.md delete mode 100644 versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP5/shared.drawio delete mode 100644 versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP5/shared.png delete mode 100644 versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP5/shared_advanced.drawio delete mode 100644 versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP5/shared_advanced.png delete mode 100644 versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP6/README.md delete mode 100644 versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP6/dmz-internet_private.drawio delete mode 100644 versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP6/dmz-internet_private.svg delete mode 100644 versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP6/dmz-internet_public.drawio delete mode 100644 versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP6/dmz-internet_public.svg delete mode 100644 versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP8/README.md delete mode 100644 versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP8/filesystems.drawio delete mode 100644 versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP8/filesystems.png delete mode 100644 versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP9/README.md delete mode 100644 versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP9/architecture.drawio delete mode 100644 versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP9/architecture.svg delete mode 100644 versioned_docs/version-v0.21.11/contributing/01-Proposals/_category_.json delete mode 100644 versioned_docs/version-v0.21.11/contributing/01-Proposals/index.md delete mode 100644 versioned_docs/version-v0.21.11/contributing/02-planning-meetings.mdx delete mode 100644 versioned_docs/version-v0.21.11/contributing/03-contribution-guideline.md delete mode 100644 versioned_docs/version-v0.21.11/contributing/04-release-flow.md delete mode 100644 versioned_docs/version-v0.21.11/contributing/05-community.md delete mode 100644 versioned_docs/version-v0.21.11/contributing/release.png delete mode 100644 versioned_docs/version-v0.21.11/contributing/release_flow.drawio delete mode 100644 versioned_docs/version-v0.21.11/contributing/release_flow.svg delete mode 100644 versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP1/Distributed-API-Working.png delete mode 100644 versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP1/Distributed-API.png delete mode 100644 versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP1/Distributed-Deployment.png delete mode 100644 versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP1/Distributed.drawio delete mode 100644 versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP1/Distributed.png delete mode 100644 versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP1/README.md delete mode 100644 versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP10/README.md delete mode 100644 versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP11/README.md delete mode 100644 versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP12/README.md delete mode 100644 versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP13/README.md delete mode 100644 versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP14/README.md delete mode 100644 versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP16/README.md delete mode 100644 versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP16/firewall-for-capms-overview.drawio delete mode 100644 versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP16/firewall-for-capms-overview.svg delete mode 100644 versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP17/README.md delete mode 100644 versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP18/README.md delete mode 100644 versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP18/autonomous-control-plane-images/ha-initial-cluster.drawio delete mode 100644 versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP18/autonomous-control-plane-images/ha-initial-cluster.svg delete mode 100644 versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-autonomous-control-plane-full.drawio delete mode 100644 versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-autonomous-control-plane-full.svg delete mode 100644 versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-chain.drawio delete mode 100644 versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-chain.svg delete mode 100644 versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP18/autonomous-control-plane-images/small-initial-cluster.drawio delete mode 100644 versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP18/autonomous-control-plane-images/small-initial-cluster.svg delete mode 100644 versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP2/README.md delete mode 100644 versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP3/README.md delete mode 100644 versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP4/README.md delete mode 100644 versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP5/README.md delete mode 100644 versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP5/shared.drawio delete mode 100644 versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP5/shared.png delete mode 100644 versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP5/shared_advanced.drawio delete mode 100644 versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP5/shared_advanced.png delete mode 100644 versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP6/README.md delete mode 100644 versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP6/dmz-internet_private.drawio delete mode 100644 versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP6/dmz-internet_private.svg delete mode 100644 versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP6/dmz-internet_public.drawio delete mode 100644 versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP6/dmz-internet_public.svg delete mode 100644 versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP8/README.md delete mode 100644 versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP8/filesystems.drawio delete mode 100644 versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP8/filesystems.png delete mode 100644 versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP9/README.md delete mode 100644 versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP9/architecture.drawio delete mode 100644 versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP9/architecture.svg delete mode 100644 versioned_docs/version-v0.21.8/contributing/01-Proposals/_category_.json delete mode 100644 versioned_docs/version-v0.21.8/contributing/01-Proposals/index.md delete mode 100644 versioned_docs/version-v0.21.8/contributing/02-planning-meetings.md delete mode 100644 versioned_docs/version-v0.21.8/contributing/03-contribution-guideline.md delete mode 100644 versioned_docs/version-v0.21.8/contributing/04-release-flow.md delete mode 100644 versioned_docs/version-v0.21.8/contributing/05-community.md delete mode 100644 versioned_docs/version-v0.21.8/contributing/release.png delete mode 100644 versioned_docs/version-v0.21.8/contributing/release_flow.drawio delete mode 100644 versioned_docs/version-v0.21.8/contributing/release_flow.svg delete mode 100644 versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP1/Distributed-API-Working.png delete mode 100644 versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP1/Distributed-API.png delete mode 100644 versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP1/Distributed-Deployment.png delete mode 100644 versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP1/Distributed.drawio delete mode 100644 versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP1/Distributed.png delete mode 100644 versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP1/README.md delete mode 100644 versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP10/README.md delete mode 100644 versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP11/README.md delete mode 100644 versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP12/README.md delete mode 100644 versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP13/README.md delete mode 100644 versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP14/README.md delete mode 100644 versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP16/README.md delete mode 100644 versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP16/firewall-for-capms-overview.drawio delete mode 100644 versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP16/firewall-for-capms-overview.svg delete mode 100644 versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP17/README.md delete mode 100644 versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP18/autonomous-control-plane-images/ha-initial-cluster.drawio delete mode 100644 versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP18/autonomous-control-plane-images/ha-initial-cluster.svg delete mode 100644 versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-autonomous-control-plane-full.drawio delete mode 100644 versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-autonomous-control-plane-full.svg delete mode 100644 versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-chain.drawio delete mode 100644 versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-chain.svg delete mode 100644 versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP18/autonomous-control-plane-images/small-initial-cluster.drawio delete mode 100644 versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP18/autonomous-control-plane-images/small-initial-cluster.svg delete mode 100644 versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP2/README.md delete mode 100644 versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP3/README.md delete mode 100644 versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP4/README.md delete mode 100644 versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP5/README.md delete mode 100644 versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP5/shared.drawio delete mode 100644 versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP5/shared.png delete mode 100644 versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP5/shared_advanced.drawio delete mode 100644 versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP5/shared_advanced.png delete mode 100644 versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP6/README.md delete mode 100644 versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP6/dmz-internet_private.drawio delete mode 100644 versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP6/dmz-internet_private.svg delete mode 100644 versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP6/dmz-internet_public.drawio delete mode 100644 versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP6/dmz-internet_public.svg delete mode 100644 versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP8/README.md delete mode 100644 versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP8/filesystems.drawio delete mode 100644 versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP8/filesystems.png delete mode 100644 versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP9/README.md delete mode 100644 versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP9/architecture.drawio delete mode 100644 versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP9/architecture.svg delete mode 100644 versioned_docs/version-v0.21.9/contributing/01-Proposals/_category_.json delete mode 100644 versioned_docs/version-v0.21.9/contributing/01-Proposals/index.md delete mode 100644 versioned_docs/version-v0.21.9/contributing/02-planning-meetings.md delete mode 100644 versioned_docs/version-v0.21.9/contributing/03-contribution-guideline.md delete mode 100644 versioned_docs/version-v0.21.9/contributing/04-release-flow.md delete mode 100644 versioned_docs/version-v0.21.9/contributing/05-community.md delete mode 100644 versioned_docs/version-v0.21.9/contributing/release.png delete mode 100644 versioned_docs/version-v0.21.9/contributing/release_flow.drawio delete mode 100644 versioned_docs/version-v0.21.9/contributing/release_flow.svg delete mode 100644 versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP1/Distributed-API-Working.png delete mode 100644 versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP1/Distributed-API.png delete mode 100644 versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP1/Distributed-Deployment.png delete mode 100644 versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP1/Distributed.drawio delete mode 100644 versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP1/Distributed.png delete mode 100644 versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP1/README.md delete mode 100644 versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP10/README.md delete mode 100644 versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP11/README.md delete mode 100644 versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP12/README.md delete mode 100644 versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP13/README.md delete mode 100644 versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP14/README.md delete mode 100644 versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP16/README.md delete mode 100644 versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP16/firewall-for-capms-overview.drawio delete mode 100644 versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP16/firewall-for-capms-overview.svg delete mode 100644 versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP17/README.md delete mode 100644 versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP18/README.md delete mode 100644 versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP18/autonomous-control-plane-images/ha-initial-cluster.drawio delete mode 100644 versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP18/autonomous-control-plane-images/ha-initial-cluster.svg delete mode 100644 versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-autonomous-control-plane-full.drawio delete mode 100644 versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-autonomous-control-plane-full.svg delete mode 100644 versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-chain.drawio delete mode 100644 versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-chain.svg delete mode 100644 versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP18/autonomous-control-plane-images/small-initial-cluster.drawio delete mode 100644 versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP18/autonomous-control-plane-images/small-initial-cluster.svg delete mode 100644 versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP2/README.md delete mode 100644 versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP3/README.md delete mode 100644 versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP4/README.md delete mode 100644 versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP5/README.md delete mode 100644 versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP5/shared.drawio delete mode 100644 versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP5/shared.png delete mode 100644 versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP5/shared_advanced.drawio delete mode 100644 versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP5/shared_advanced.png delete mode 100644 versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP6/README.md delete mode 100644 versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP6/dmz-internet_private.drawio delete mode 100644 versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP6/dmz-internet_private.svg delete mode 100644 versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP6/dmz-internet_public.drawio delete mode 100644 versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP6/dmz-internet_public.svg delete mode 100644 versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP8/README.md delete mode 100644 versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP8/filesystems.drawio delete mode 100644 versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP8/filesystems.png delete mode 100644 versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP9/README.md delete mode 100644 versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP9/architecture.drawio delete mode 100644 versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP9/architecture.svg delete mode 100644 versioned_docs/version-v0.22.0/contributing/01-Proposals/_category_.json delete mode 100644 versioned_docs/version-v0.22.0/contributing/01-Proposals/index.md delete mode 100644 versioned_docs/version-v0.22.0/contributing/02-planning-meetings.mdx delete mode 100644 versioned_docs/version-v0.22.0/contributing/03-contribution-guideline.md delete mode 100644 versioned_docs/version-v0.22.0/contributing/04-release-flow.md delete mode 100644 versioned_docs/version-v0.22.0/contributing/05-community.md delete mode 100644 versioned_docs/version-v0.22.0/contributing/release.png delete mode 100644 versioned_docs/version-v0.22.0/contributing/release_flow.drawio delete mode 100644 versioned_docs/version-v0.22.0/contributing/release_flow.svg delete mode 100644 versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP1/Distributed-API-Working.png delete mode 100644 versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP1/Distributed-API.png delete mode 100644 versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP1/Distributed-Deployment.png delete mode 100644 versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP1/Distributed.drawio delete mode 100644 versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP1/Distributed.png delete mode 100644 versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP1/README.md delete mode 100644 versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP10/README.md delete mode 100644 versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP11/README.md delete mode 100644 versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP12/README.md delete mode 100644 versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP13/README.md delete mode 100644 versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP14/README.md delete mode 100644 versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP16/README.md delete mode 100644 versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP16/firewall-for-capms-overview.drawio delete mode 100644 versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP16/firewall-for-capms-overview.svg delete mode 100644 versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP17/README.md delete mode 100644 versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP18/README.md delete mode 100644 versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP18/autonomous-control-plane-images/ha-initial-cluster.drawio delete mode 100644 versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP18/autonomous-control-plane-images/ha-initial-cluster.svg delete mode 100644 versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-autonomous-control-plane-full.drawio delete mode 100644 versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-autonomous-control-plane-full.svg delete mode 100644 versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-chain.drawio delete mode 100644 versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-chain.svg delete mode 100644 versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP18/autonomous-control-plane-images/small-initial-cluster.drawio delete mode 100644 versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP18/autonomous-control-plane-images/small-initial-cluster.svg delete mode 100644 versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP2/README.md delete mode 100644 versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP3/README.md delete mode 100644 versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP4/README.md delete mode 100644 versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP5/README.md delete mode 100644 versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP5/shared.drawio delete mode 100644 versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP5/shared.png delete mode 100644 versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP5/shared_advanced.drawio delete mode 100644 versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP5/shared_advanced.png delete mode 100644 versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP6/README.md delete mode 100644 versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP6/dmz-internet_private.drawio delete mode 100644 versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP6/dmz-internet_private.svg delete mode 100644 versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP6/dmz-internet_public.drawio delete mode 100644 versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP6/dmz-internet_public.svg delete mode 100644 versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP8/README.md delete mode 100644 versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP8/filesystems.drawio delete mode 100644 versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP8/filesystems.png delete mode 100644 versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP9/README.md delete mode 100644 versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP9/architecture.drawio delete mode 100644 versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP9/architecture.svg delete mode 100644 versioned_docs/version-v0.22.1/contributing/01-Proposals/_category_.json delete mode 100644 versioned_docs/version-v0.22.1/contributing/01-Proposals/index.md delete mode 100644 versioned_docs/version-v0.22.1/contributing/02-planning-meetings.mdx delete mode 100644 versioned_docs/version-v0.22.1/contributing/03-contribution-guideline.md delete mode 100644 versioned_docs/version-v0.22.1/contributing/04-release-flow.md delete mode 100644 versioned_docs/version-v0.22.1/contributing/05-community.md delete mode 100644 versioned_docs/version-v0.22.1/contributing/release.png delete mode 100644 versioned_docs/version-v0.22.1/contributing/release_flow.drawio delete mode 100644 versioned_docs/version-v0.22.1/contributing/release_flow.svg delete mode 100644 versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP1/Distributed-API-Working.png delete mode 100644 versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP1/Distributed-API.png delete mode 100644 versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP1/Distributed-Deployment.png delete mode 100644 versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP1/Distributed.drawio delete mode 100644 versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP1/Distributed.png delete mode 100644 versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP1/README.md delete mode 100644 versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP10/README.md delete mode 100644 versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP11/README.md delete mode 100644 versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP12/README.md delete mode 100644 versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP13/README.md delete mode 100644 versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP14/README.md delete mode 100644 versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP16/README.md delete mode 100644 versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP16/firewall-for-capms-overview.drawio delete mode 100644 versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP16/firewall-for-capms-overview.svg delete mode 100644 versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP17/README.md delete mode 100644 versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP18/README.md delete mode 100644 versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP18/autonomous-control-plane-images/ha-initial-cluster.drawio delete mode 100644 versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP18/autonomous-control-plane-images/ha-initial-cluster.svg delete mode 100644 versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-autonomous-control-plane-full.drawio delete mode 100644 versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-autonomous-control-plane-full.svg delete mode 100644 versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-chain.drawio delete mode 100644 versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-chain.svg delete mode 100644 versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP18/autonomous-control-plane-images/small-initial-cluster.drawio delete mode 100644 versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP18/autonomous-control-plane-images/small-initial-cluster.svg delete mode 100644 versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP2/README.md delete mode 100644 versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP3/README.md delete mode 100644 versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP4/README.md delete mode 100644 versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP5/README.md delete mode 100644 versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP5/shared.drawio delete mode 100644 versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP5/shared.png delete mode 100644 versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP5/shared_advanced.drawio delete mode 100644 versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP5/shared_advanced.png delete mode 100644 versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP6/README.md delete mode 100644 versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP6/dmz-internet_private.drawio delete mode 100644 versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP6/dmz-internet_private.svg delete mode 100644 versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP6/dmz-internet_public.drawio delete mode 100644 versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP6/dmz-internet_public.svg delete mode 100644 versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP8/README.md delete mode 100644 versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP8/filesystems.drawio delete mode 100644 versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP8/filesystems.png delete mode 100644 versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP9/README.md delete mode 100644 versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP9/architecture.drawio delete mode 100644 versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP9/architecture.svg delete mode 100644 versioned_docs/version-v0.22.2/contributing/01-Proposals/_category_.json delete mode 100644 versioned_docs/version-v0.22.2/contributing/01-Proposals/index.md delete mode 100644 versioned_docs/version-v0.22.2/contributing/02-planning-meetings.mdx delete mode 100644 versioned_docs/version-v0.22.2/contributing/03-contribution-guideline.md delete mode 100644 versioned_docs/version-v0.22.2/contributing/04-release-flow.md delete mode 100644 versioned_docs/version-v0.22.2/contributing/05-community.md delete mode 100644 versioned_docs/version-v0.22.2/contributing/release.png delete mode 100644 versioned_docs/version-v0.22.2/contributing/release_flow.drawio delete mode 100644 versioned_docs/version-v0.22.2/contributing/release_flow.svg delete mode 100644 versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP1/Distributed-API-Working.png delete mode 100644 versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP1/Distributed-API.png delete mode 100644 versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP1/Distributed-Deployment.png delete mode 100644 versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP1/Distributed.drawio delete mode 100644 versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP1/Distributed.png delete mode 100644 versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP1/README.md delete mode 100644 versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP10/README.md delete mode 100644 versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP11/README.md delete mode 100644 versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP12/README.md delete mode 100644 versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP13/README.md delete mode 100644 versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP14/README.md delete mode 100644 versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP16/README.md delete mode 100644 versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP16/firewall-for-capms-overview.drawio delete mode 100644 versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP16/firewall-for-capms-overview.svg delete mode 100644 versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP17/README.md delete mode 100644 versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP18/README.md delete mode 100644 versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP18/autonomous-control-plane-images/ha-initial-cluster.drawio delete mode 100644 versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP18/autonomous-control-plane-images/ha-initial-cluster.svg delete mode 100644 versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-autonomous-control-plane-full.drawio delete mode 100644 versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-autonomous-control-plane-full.svg delete mode 100644 versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-chain.drawio delete mode 100644 versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-chain.svg delete mode 100644 versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP18/autonomous-control-plane-images/small-initial-cluster.drawio delete mode 100644 versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP18/autonomous-control-plane-images/small-initial-cluster.svg delete mode 100644 versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP2/README.md delete mode 100644 versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP3/README.md delete mode 100644 versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP4/README.md delete mode 100644 versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP5/README.md delete mode 100644 versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP5/shared.drawio delete mode 100644 versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP5/shared.png delete mode 100644 versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP5/shared_advanced.drawio delete mode 100644 versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP5/shared_advanced.png delete mode 100644 versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP6/README.md delete mode 100644 versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP6/dmz-internet_private.drawio delete mode 100644 versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP6/dmz-internet_private.svg delete mode 100644 versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP6/dmz-internet_public.drawio delete mode 100644 versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP6/dmz-internet_public.svg delete mode 100644 versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP8/README.md delete mode 100644 versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP8/filesystems.drawio delete mode 100644 versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP8/filesystems.png delete mode 100644 versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP9/README.md delete mode 100644 versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP9/architecture.drawio delete mode 100644 versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP9/architecture.svg delete mode 100644 versioned_docs/version-v0.22.3/contributing/01-Proposals/_category_.json delete mode 100644 versioned_docs/version-v0.22.3/contributing/01-Proposals/index.md delete mode 100644 versioned_docs/version-v0.22.3/contributing/02-planning-meetings.mdx delete mode 100644 versioned_docs/version-v0.22.3/contributing/03-contribution-guideline.md delete mode 100644 versioned_docs/version-v0.22.3/contributing/04-release-flow.md delete mode 100644 versioned_docs/version-v0.22.3/contributing/05-community.md delete mode 100644 versioned_docs/version-v0.22.3/contributing/release.png delete mode 100644 versioned_docs/version-v0.22.3/contributing/release_flow.drawio delete mode 100644 versioned_docs/version-v0.22.3/contributing/release_flow.svg delete mode 100644 versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP1/Distributed-API-Working.png delete mode 100644 versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP1/Distributed-API.png delete mode 100644 versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP1/Distributed-Deployment.png delete mode 100644 versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP1/Distributed.drawio delete mode 100644 versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP1/Distributed.png delete mode 100644 versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP1/README.md delete mode 100644 versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP10/README.md delete mode 100644 versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP11/README.md delete mode 100644 versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP12/README.md delete mode 100644 versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP13/README.md delete mode 100644 versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP14/README.md delete mode 100644 versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP16/README.md delete mode 100644 versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP16/firewall-for-capms-overview.drawio delete mode 100644 versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP16/firewall-for-capms-overview.svg delete mode 100644 versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP17/README.md delete mode 100644 versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP18/README.md delete mode 100644 versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP18/autonomous-control-plane-images/ha-initial-cluster.drawio delete mode 100644 versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP18/autonomous-control-plane-images/ha-initial-cluster.svg delete mode 100644 versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-autonomous-control-plane-full.drawio delete mode 100644 versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-autonomous-control-plane-full.svg delete mode 100644 versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-chain.drawio delete mode 100644 versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-chain.svg delete mode 100644 versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP18/autonomous-control-plane-images/small-initial-cluster.drawio delete mode 100644 versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP18/autonomous-control-plane-images/small-initial-cluster.svg delete mode 100644 versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP2/README.md delete mode 100644 versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP3/README.md delete mode 100644 versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP4/README.md delete mode 100644 versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP5/README.md delete mode 100644 versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP5/shared.drawio delete mode 100644 versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP5/shared.png delete mode 100644 versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP5/shared_advanced.drawio delete mode 100644 versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP5/shared_advanced.png delete mode 100644 versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP6/README.md delete mode 100644 versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP6/dmz-internet_private.drawio delete mode 100644 versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP6/dmz-internet_private.svg delete mode 100644 versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP6/dmz-internet_public.drawio delete mode 100644 versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP6/dmz-internet_public.svg delete mode 100644 versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP8/README.md delete mode 100644 versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP8/filesystems.drawio delete mode 100644 versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP8/filesystems.png delete mode 100644 versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP9/README.md delete mode 100644 versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP9/architecture.drawio delete mode 100644 versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP9/architecture.svg delete mode 100644 versioned_docs/version-v0.22.4/contributing/01-Proposals/_category_.json delete mode 100644 versioned_docs/version-v0.22.4/contributing/01-Proposals/index.md delete mode 100644 versioned_docs/version-v0.22.4/contributing/02-planning-meetings.mdx delete mode 100644 versioned_docs/version-v0.22.4/contributing/03-contribution-guideline.md delete mode 100644 versioned_docs/version-v0.22.4/contributing/04-release-flow.md delete mode 100644 versioned_docs/version-v0.22.4/contributing/05-oci-artifacts.md delete mode 100644 versioned_docs/version-v0.22.4/contributing/06-community.md delete mode 100644 versioned_docs/version-v0.22.4/contributing/release.png delete mode 100644 versioned_docs/version-v0.22.4/contributing/release_flow.drawio delete mode 100644 versioned_docs/version-v0.22.4/contributing/release_flow.svg diff --git a/docs/contributing/01-community.md b/community/01-community.md similarity index 98% rename from docs/contributing/01-community.md rename to community/01-community.md index 7d83b347..8898486c 100644 --- a/docs/contributing/01-community.md +++ b/community/01-community.md @@ -1,5 +1,6 @@ --- -slug: /community +id: index +slug: / title: Community sidebar_position: 1 --- diff --git a/docs/contributing/02-contribution-guideline.md b/community/02-contribution-guideline.md similarity index 100% rename from docs/contributing/02-contribution-guideline.md rename to community/02-contribution-guideline.md diff --git a/docs/contributing/03-roadmap.mdx b/community/03-roadmap.mdx similarity index 100% rename from docs/contributing/03-roadmap.mdx rename to community/03-roadmap.mdx diff --git a/docs/contributing/04-Proposals/MEP1/Distributed-API-Working.png b/community/04-Proposals/MEP1/Distributed-API-Working.png similarity index 100% rename from docs/contributing/04-Proposals/MEP1/Distributed-API-Working.png rename to community/04-Proposals/MEP1/Distributed-API-Working.png diff --git a/docs/contributing/04-Proposals/MEP1/Distributed-API.png b/community/04-Proposals/MEP1/Distributed-API.png similarity index 100% rename from docs/contributing/04-Proposals/MEP1/Distributed-API.png rename to community/04-Proposals/MEP1/Distributed-API.png diff --git a/docs/contributing/04-Proposals/MEP1/Distributed-Deployment.png b/community/04-Proposals/MEP1/Distributed-Deployment.png similarity index 100% rename from docs/contributing/04-Proposals/MEP1/Distributed-Deployment.png rename to community/04-Proposals/MEP1/Distributed-Deployment.png diff --git a/docs/contributing/04-Proposals/MEP1/Distributed.drawio b/community/04-Proposals/MEP1/Distributed.drawio similarity index 100% rename from docs/contributing/04-Proposals/MEP1/Distributed.drawio rename to community/04-Proposals/MEP1/Distributed.drawio diff --git a/docs/contributing/04-Proposals/MEP1/Distributed.png b/community/04-Proposals/MEP1/Distributed.png similarity index 100% rename from docs/contributing/04-Proposals/MEP1/Distributed.png rename to community/04-Proposals/MEP1/Distributed.png diff --git a/docs/contributing/04-Proposals/MEP1/README.md b/community/04-Proposals/MEP1/README.md similarity index 100% rename from docs/contributing/04-Proposals/MEP1/README.md rename to community/04-Proposals/MEP1/README.md diff --git a/docs/contributing/04-Proposals/MEP10/README.md b/community/04-Proposals/MEP10/README.md similarity index 100% rename from docs/contributing/04-Proposals/MEP10/README.md rename to community/04-Proposals/MEP10/README.md diff --git a/docs/contributing/04-Proposals/MEP11/README.md b/community/04-Proposals/MEP11/README.md similarity index 100% rename from docs/contributing/04-Proposals/MEP11/README.md rename to community/04-Proposals/MEP11/README.md diff --git a/docs/contributing/04-Proposals/MEP12/README.md b/community/04-Proposals/MEP12/README.md similarity index 100% rename from docs/contributing/04-Proposals/MEP12/README.md rename to community/04-Proposals/MEP12/README.md diff --git a/docs/contributing/04-Proposals/MEP13/README.md b/community/04-Proposals/MEP13/README.md similarity index 100% rename from docs/contributing/04-Proposals/MEP13/README.md rename to community/04-Proposals/MEP13/README.md diff --git a/docs/contributing/04-Proposals/MEP14/README.md b/community/04-Proposals/MEP14/README.md similarity index 100% rename from docs/contributing/04-Proposals/MEP14/README.md rename to community/04-Proposals/MEP14/README.md diff --git a/docs/contributing/04-Proposals/MEP16/README.md b/community/04-Proposals/MEP16/README.md similarity index 100% rename from docs/contributing/04-Proposals/MEP16/README.md rename to community/04-Proposals/MEP16/README.md diff --git a/docs/contributing/04-Proposals/MEP16/firewall-for-capms-overview.drawio b/community/04-Proposals/MEP16/firewall-for-capms-overview.drawio similarity index 100% rename from docs/contributing/04-Proposals/MEP16/firewall-for-capms-overview.drawio rename to community/04-Proposals/MEP16/firewall-for-capms-overview.drawio diff --git a/docs/contributing/04-Proposals/MEP16/firewall-for-capms-overview.svg b/community/04-Proposals/MEP16/firewall-for-capms-overview.svg similarity index 100% rename from docs/contributing/04-Proposals/MEP16/firewall-for-capms-overview.svg rename to community/04-Proposals/MEP16/firewall-for-capms-overview.svg diff --git a/docs/contributing/04-Proposals/MEP17/README.md b/community/04-Proposals/MEP17/README.md similarity index 100% rename from docs/contributing/04-Proposals/MEP17/README.md rename to community/04-Proposals/MEP17/README.md diff --git a/versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP18/README.md b/community/04-Proposals/MEP18/README.md similarity index 98% rename from versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP18/README.md rename to community/04-Proposals/MEP18/README.md index eb574491..e1049fcd 100644 --- a/versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP18/README.md +++ b/community/04-Proposals/MEP18/README.md @@ -6,7 +6,7 @@ sidebar_position: 18 # Autonomous Control Plane -As described in the [deployment chapter](../../../docs/04-For%20Operators/03-deployment-guide.md), we strongly recommend Kubernetes as the target platform for running the metal-stack control plane. +As described in the [deployment chapter](/docs/deployment-guide), we strongly recommend Kubernetes as the target platform for running the metal-stack control plane. Kubernetes clusters for this purpose are readily available from hyperscalers, metalstack.cloud, or other cloud providers. Simply using a managed Kubernetes cluster greatly simplifies a metal-stack installation. However, sometimes it might be desirable to host the metal-stack control plane autonomously, without the help of another cloud provider. Reasons for this might include corporate policies that prohibit the use of external data center products, or network constraints. diff --git a/docs/contributing/04-Proposals/MEP18/autonomous-control-plane-images/ha-initial-cluster.drawio b/community/04-Proposals/MEP18/autonomous-control-plane-images/ha-initial-cluster.drawio similarity index 100% rename from docs/contributing/04-Proposals/MEP18/autonomous-control-plane-images/ha-initial-cluster.drawio rename to community/04-Proposals/MEP18/autonomous-control-plane-images/ha-initial-cluster.drawio diff --git a/docs/contributing/04-Proposals/MEP18/autonomous-control-plane-images/ha-initial-cluster.svg b/community/04-Proposals/MEP18/autonomous-control-plane-images/ha-initial-cluster.svg similarity index 100% rename from docs/contributing/04-Proposals/MEP18/autonomous-control-plane-images/ha-initial-cluster.svg rename to community/04-Proposals/MEP18/autonomous-control-plane-images/ha-initial-cluster.svg diff --git a/docs/contributing/04-Proposals/MEP18/autonomous-control-plane-images/metal-stack-autonomous-control-plane-full.drawio b/community/04-Proposals/MEP18/autonomous-control-plane-images/metal-stack-autonomous-control-plane-full.drawio similarity index 100% rename from docs/contributing/04-Proposals/MEP18/autonomous-control-plane-images/metal-stack-autonomous-control-plane-full.drawio rename to community/04-Proposals/MEP18/autonomous-control-plane-images/metal-stack-autonomous-control-plane-full.drawio diff --git a/docs/contributing/04-Proposals/MEP18/autonomous-control-plane-images/metal-stack-autonomous-control-plane-full.svg b/community/04-Proposals/MEP18/autonomous-control-plane-images/metal-stack-autonomous-control-plane-full.svg similarity index 100% rename from docs/contributing/04-Proposals/MEP18/autonomous-control-plane-images/metal-stack-autonomous-control-plane-full.svg rename to community/04-Proposals/MEP18/autonomous-control-plane-images/metal-stack-autonomous-control-plane-full.svg diff --git a/docs/contributing/04-Proposals/MEP18/autonomous-control-plane-images/metal-stack-chain.drawio b/community/04-Proposals/MEP18/autonomous-control-plane-images/metal-stack-chain.drawio similarity index 100% rename from docs/contributing/04-Proposals/MEP18/autonomous-control-plane-images/metal-stack-chain.drawio rename to community/04-Proposals/MEP18/autonomous-control-plane-images/metal-stack-chain.drawio diff --git a/docs/contributing/04-Proposals/MEP18/autonomous-control-plane-images/metal-stack-chain.svg b/community/04-Proposals/MEP18/autonomous-control-plane-images/metal-stack-chain.svg similarity index 100% rename from docs/contributing/04-Proposals/MEP18/autonomous-control-plane-images/metal-stack-chain.svg rename to community/04-Proposals/MEP18/autonomous-control-plane-images/metal-stack-chain.svg diff --git a/docs/contributing/04-Proposals/MEP18/autonomous-control-plane-images/small-initial-cluster.drawio b/community/04-Proposals/MEP18/autonomous-control-plane-images/small-initial-cluster.drawio similarity index 100% rename from docs/contributing/04-Proposals/MEP18/autonomous-control-plane-images/small-initial-cluster.drawio rename to community/04-Proposals/MEP18/autonomous-control-plane-images/small-initial-cluster.drawio diff --git a/docs/contributing/04-Proposals/MEP18/autonomous-control-plane-images/small-initial-cluster.svg b/community/04-Proposals/MEP18/autonomous-control-plane-images/small-initial-cluster.svg similarity index 100% rename from docs/contributing/04-Proposals/MEP18/autonomous-control-plane-images/small-initial-cluster.svg rename to community/04-Proposals/MEP18/autonomous-control-plane-images/small-initial-cluster.svg diff --git a/docs/contributing/04-Proposals/MEP2/README.md b/community/04-Proposals/MEP2/README.md similarity index 100% rename from docs/contributing/04-Proposals/MEP2/README.md rename to community/04-Proposals/MEP2/README.md diff --git a/docs/contributing/04-Proposals/MEP3/README.md b/community/04-Proposals/MEP3/README.md similarity index 100% rename from docs/contributing/04-Proposals/MEP3/README.md rename to community/04-Proposals/MEP3/README.md diff --git a/docs/contributing/04-Proposals/MEP4/README.md b/community/04-Proposals/MEP4/README.md similarity index 100% rename from docs/contributing/04-Proposals/MEP4/README.md rename to community/04-Proposals/MEP4/README.md diff --git a/docs/contributing/04-Proposals/MEP5/README.md b/community/04-Proposals/MEP5/README.md similarity index 100% rename from docs/contributing/04-Proposals/MEP5/README.md rename to community/04-Proposals/MEP5/README.md diff --git a/docs/contributing/04-Proposals/MEP5/shared.drawio b/community/04-Proposals/MEP5/shared.drawio similarity index 100% rename from docs/contributing/04-Proposals/MEP5/shared.drawio rename to community/04-Proposals/MEP5/shared.drawio diff --git a/docs/contributing/04-Proposals/MEP5/shared.png b/community/04-Proposals/MEP5/shared.png similarity index 100% rename from docs/contributing/04-Proposals/MEP5/shared.png rename to community/04-Proposals/MEP5/shared.png diff --git a/docs/contributing/04-Proposals/MEP5/shared_advanced.drawio b/community/04-Proposals/MEP5/shared_advanced.drawio similarity index 100% rename from docs/contributing/04-Proposals/MEP5/shared_advanced.drawio rename to community/04-Proposals/MEP5/shared_advanced.drawio diff --git a/docs/contributing/04-Proposals/MEP5/shared_advanced.png b/community/04-Proposals/MEP5/shared_advanced.png similarity index 100% rename from docs/contributing/04-Proposals/MEP5/shared_advanced.png rename to community/04-Proposals/MEP5/shared_advanced.png diff --git a/docs/contributing/04-Proposals/MEP6/README.md b/community/04-Proposals/MEP6/README.md similarity index 100% rename from docs/contributing/04-Proposals/MEP6/README.md rename to community/04-Proposals/MEP6/README.md diff --git a/docs/contributing/04-Proposals/MEP6/dmz-internet_private.drawio b/community/04-Proposals/MEP6/dmz-internet_private.drawio similarity index 100% rename from docs/contributing/04-Proposals/MEP6/dmz-internet_private.drawio rename to community/04-Proposals/MEP6/dmz-internet_private.drawio diff --git a/docs/contributing/04-Proposals/MEP6/dmz-internet_private.svg b/community/04-Proposals/MEP6/dmz-internet_private.svg similarity index 100% rename from docs/contributing/04-Proposals/MEP6/dmz-internet_private.svg rename to community/04-Proposals/MEP6/dmz-internet_private.svg diff --git a/docs/contributing/04-Proposals/MEP6/dmz-internet_public.drawio b/community/04-Proposals/MEP6/dmz-internet_public.drawio similarity index 100% rename from docs/contributing/04-Proposals/MEP6/dmz-internet_public.drawio rename to community/04-Proposals/MEP6/dmz-internet_public.drawio diff --git a/docs/contributing/04-Proposals/MEP6/dmz-internet_public.svg b/community/04-Proposals/MEP6/dmz-internet_public.svg similarity index 100% rename from docs/contributing/04-Proposals/MEP6/dmz-internet_public.svg rename to community/04-Proposals/MEP6/dmz-internet_public.svg diff --git a/docs/contributing/04-Proposals/MEP8/README.md b/community/04-Proposals/MEP8/README.md similarity index 100% rename from docs/contributing/04-Proposals/MEP8/README.md rename to community/04-Proposals/MEP8/README.md diff --git a/docs/contributing/04-Proposals/MEP8/filesystems.drawio b/community/04-Proposals/MEP8/filesystems.drawio similarity index 100% rename from docs/contributing/04-Proposals/MEP8/filesystems.drawio rename to community/04-Proposals/MEP8/filesystems.drawio diff --git a/docs/contributing/04-Proposals/MEP8/filesystems.png b/community/04-Proposals/MEP8/filesystems.png similarity index 100% rename from docs/contributing/04-Proposals/MEP8/filesystems.png rename to community/04-Proposals/MEP8/filesystems.png diff --git a/docs/contributing/04-Proposals/MEP9/README.md b/community/04-Proposals/MEP9/README.md similarity index 100% rename from docs/contributing/04-Proposals/MEP9/README.md rename to community/04-Proposals/MEP9/README.md diff --git a/docs/contributing/04-Proposals/MEP9/architecture.drawio b/community/04-Proposals/MEP9/architecture.drawio similarity index 100% rename from docs/contributing/04-Proposals/MEP9/architecture.drawio rename to community/04-Proposals/MEP9/architecture.drawio diff --git a/docs/contributing/04-Proposals/MEP9/architecture.svg b/community/04-Proposals/MEP9/architecture.svg similarity index 100% rename from docs/contributing/04-Proposals/MEP9/architecture.svg rename to community/04-Proposals/MEP9/architecture.svg diff --git a/docs/contributing/04-Proposals/_category_.json b/community/04-Proposals/_category_.json similarity index 100% rename from docs/contributing/04-Proposals/_category_.json rename to community/04-Proposals/_category_.json diff --git a/docs/contributing/04-Proposals/index.md b/community/04-Proposals/index.md similarity index 100% rename from docs/contributing/04-Proposals/index.md rename to community/04-Proposals/index.md diff --git a/docs/contributing/05-release-flow.md b/community/05-release-flow.md similarity index 100% rename from docs/contributing/05-release-flow.md rename to community/05-release-flow.md diff --git a/docs/contributing/06-oci-artifacts.md b/community/06-oci-artifacts.md similarity index 100% rename from docs/contributing/06-oci-artifacts.md rename to community/06-oci-artifacts.md diff --git a/docs/contributing/release.png b/community/release.png similarity index 100% rename from docs/contributing/release.png rename to community/release.png diff --git a/docs/contributing/release_flow.drawio b/community/release_flow.drawio similarity index 100% rename from docs/contributing/release_flow.drawio rename to community/release_flow.drawio diff --git a/docs/contributing/release_flow.svg b/community/release_flow.svg similarity index 100% rename from docs/contributing/release_flow.svg rename to community/release_flow.svg diff --git a/docs/docs/01-home.md b/docs/01-home.md similarity index 100% rename from docs/docs/01-home.md rename to docs/01-home.md diff --git a/docs/docs/02-General/01-quickstart.md b/docs/02-General/01-quickstart.md similarity index 100% rename from docs/docs/02-General/01-quickstart.md rename to docs/02-General/01-quickstart.md diff --git a/docs/docs/02-General/02-why metal stack.md b/docs/02-General/02-why metal stack.md similarity index 100% rename from docs/docs/02-General/02-why metal stack.md rename to docs/02-General/02-why metal stack.md diff --git a/docs/docs/02-General/03-why bare metal.md b/docs/02-General/03-why bare metal.md similarity index 100% rename from docs/docs/02-General/03-why bare metal.md rename to docs/02-General/03-why bare metal.md diff --git a/docs/docs/02-General/04-flavors-of-metalstack.md b/docs/02-General/04-flavors-of-metalstack.md similarity index 89% rename from docs/docs/02-General/04-flavors-of-metalstack.md rename to docs/02-General/04-flavors-of-metalstack.md index 207bebd5..97767a7a 100644 --- a/docs/docs/02-General/04-flavors-of-metalstack.md +++ b/docs/02-General/04-flavors-of-metalstack.md @@ -14,7 +14,7 @@ As modern infrastructure and cloud native applications are designed with Kuberne Regardless which flavor of metal-stack you use, it is always possible to manually provision machines, networks and ip addresses. This is the most basic way of using metal-stack and is very similar to how traditional bare metal infrastructures are managed. -Using plain metal-stack without additional layer was not a focus in the past. Therefore firewall and role management might be premature. These will be addressed by [MEP-4](../../contributing/04-Proposals/MEP4/README.md) and [MEP-16](../../contributing/04-Proposals/MEP16/README.md) in the future. +Using plain metal-stack without additional layer was not a focus in the past. Therefore firewall and role management might be premature. These will be addressed by [MEP-4](/community/MEP-14-independence-from-external-sources) and [MEP-16](/community/MEP-16-metal-api-as-an-alternative-configuration-source-for-the-firewall-controller) in the future. ## Gardener diff --git a/docs/docs/03-For Users/01-client_libraries.md b/docs/03-For Users/01-client_libraries.md similarity index 100% rename from docs/docs/03-For Users/01-client_libraries.md rename to docs/03-For Users/01-client_libraries.md diff --git a/docs/docs/04-For Operators/01-hardware.md b/docs/04-For Operators/01-hardware.md similarity index 100% rename from docs/docs/04-For Operators/01-hardware.md rename to docs/04-For Operators/01-hardware.md diff --git a/docs/docs/04-For Operators/02-operating-systems.md b/docs/04-For Operators/02-operating-systems.md similarity index 100% rename from docs/docs/04-For Operators/02-operating-systems.md rename to docs/04-For Operators/02-operating-systems.md diff --git a/docs/docs/04-For Operators/03-deployment-guide.mdx b/docs/04-For Operators/03-deployment-guide.mdx similarity index 98% rename from docs/docs/04-For Operators/03-deployment-guide.mdx rename to docs/04-For Operators/03-deployment-guide.mdx index ee0f0d7c..ce58e0e0 100644 --- a/docs/docs/04-For Operators/03-deployment-guide.mdx +++ b/docs/04-For Operators/03-deployment-guide.mdx @@ -31,7 +31,7 @@ You can use the [mini-lab](https://github.com/metal-stack/mini-lab) as a templat The metal control plane is typically deployed in a Kubernetes cluster. Therefore, this document will assume that you have a Kubernetes cluster ready for getting deployed. Even though it is theoretically possible to deploy metal-stack without Kubernetes, we strongly advise you to use the described method because we believe that Kubernetes gives you a lot of benefits regarding the stability and maintainability of the application deployment. :::tip -For metal-stack it does not matter where your control plane Kubernetes cluster is located. You can of course use a cluster managed by a hyperscaler. This has the advantage of not having to setup Kubernetes by yourself and could even become beneficial in terms of fail-safe operation. However, we also describe a solution of how to setup metal-stack with a self-hosted, [Autonomous Control Plane](../../contributing/04-Proposals/MEP18/README.md) cluster. The only requirement from metal-stack is that your partitions can establish network connections to the metal control plane. If you are interested, you can find a reasoning behind this deployment decision [here](../05-Concepts/01-architecture.mdx#target-deployment-platforms). +For metal-stack it does not matter where your control plane Kubernetes cluster is located. You can of course use a cluster managed by a hyperscaler. This has the advantage of not having to setup Kubernetes by yourself and could even become beneficial in terms of fail-safe operation. However, we also describe a solution of how to setup metal-stack with a self-hosted, [Autonomous Control Plane](/community/MEP-18-autonomous-control-plane) cluster. The only requirement from metal-stack is that your partitions can establish network connections to the metal control plane. If you are interested, you can find a reasoning behind this deployment decision [here](../05-Concepts/01-architecture.mdx#target-deployment-platforms). ::: Let's start off with a fresh folder for your deployment: @@ -75,7 +75,7 @@ At the end of this section we are gonna end up with the following files and fold ### Releases and Ansible Role Dependencies -As metal-stack consists of many microservices all having individual versions, we have come up with a [releases](https://github.com/metal-stack/releases) repository. It contains a YAML file (we often call it release vector) describing the fitting versions of all components for every release of metal-stack. Ansible role dependencies are also part of a metal-stack release. Both the metal-stack release vector and the metal-stack ansible-roles are shipped as OCI artifacts following a specific format that's described [here](../../contributing/06-oci-artifacts.md). These artifacts are signed with the CI token of the metal-stack Github organization and can be verified using [cosign](https://github.com/sigstore/cosign). +As metal-stack consists of many microservices all having individual versions, we have come up with a [releases](https://github.com/metal-stack/releases) repository. It contains a YAML file (we often call it release vector) describing the fitting versions of all components for every release of metal-stack. Ansible role dependencies are also part of a metal-stack release. Both the metal-stack release vector and the metal-stack ansible-roles are shipped as OCI artifacts following a specific format that's described [here](/community/oci-artifacts). These artifacts are signed with the CI token of the metal-stack Github organization and can be verified using [cosign](https://github.com/sigstore/cosign). In order to download the release vector and the referenced ansible-roles prior to a deployment, we provide a small helper module called `metal_stack_release_vector` as part of the [metal-deployment-base](https://github.com/metal-stack/metal-deployment-base) deployment image. Its main tasks are: diff --git a/docs/docs/04-For Operators/04-maintenance.md b/docs/04-For Operators/04-maintenance.md similarity index 100% rename from docs/docs/04-For Operators/04-maintenance.md rename to docs/04-For Operators/04-maintenance.md diff --git a/docs/docs/04-For Operators/05-monitoring.md b/docs/04-For Operators/05-monitoring.md similarity index 100% rename from docs/docs/04-For Operators/05-monitoring.md rename to docs/04-For Operators/05-monitoring.md diff --git a/docs/docs/04-For Operators/06-troubleshoot.md b/docs/04-For Operators/06-troubleshoot.md similarity index 100% rename from docs/docs/04-For Operators/06-troubleshoot.md rename to docs/04-For Operators/06-troubleshoot.md diff --git a/docs/docs/04-For Operators/mgmt_net_layer3.drawio b/docs/04-For Operators/mgmt_net_layer3.drawio similarity index 100% rename from docs/docs/04-For Operators/mgmt_net_layer3.drawio rename to docs/04-For Operators/mgmt_net_layer3.drawio diff --git a/docs/docs/04-For Operators/mgmt_net_layer3.png b/docs/04-For Operators/mgmt_net_layer3.png similarity index 100% rename from docs/docs/04-For Operators/mgmt_net_layer3.png rename to docs/04-For Operators/mgmt_net_layer3.png diff --git a/docs/docs/04-For Operators/monitoring-stack.svg b/docs/04-For Operators/monitoring-stack.svg similarity index 100% rename from docs/docs/04-For Operators/monitoring-stack.svg rename to docs/04-For Operators/monitoring-stack.svg diff --git a/docs/docs/04-For Operators/starter.jpg b/docs/04-For Operators/starter.jpg similarity index 100% rename from docs/docs/04-For Operators/starter.jpg rename to docs/04-For Operators/starter.jpg diff --git a/docs/docs/05-Concepts/01-architecture.mdx b/docs/05-Concepts/01-architecture.mdx similarity index 99% rename from docs/docs/05-Concepts/01-architecture.mdx rename to docs/05-Concepts/01-architecture.mdx index 316eeb37..75298df9 100644 --- a/docs/docs/05-Concepts/01-architecture.mdx +++ b/docs/05-Concepts/01-architecture.mdx @@ -152,4 +152,4 @@ Thus, for creating a partition as well as a machine or a firewall, the flags `dn In order to be fully offline resilient, make sure to check out `metal-image-cache-sync`. This component provides copies of `metal-images`, `metal-kernel` and `metal-hammer`. -This feature is related to [MEP14](../../contributing/04-Proposals/MEP14/README.md). +This feature is related to [MEP14](/community/MEP-14-independence-from-external-sources). diff --git a/docs/docs/05-Concepts/02-user-management.md b/docs/05-Concepts/02-user-management.md similarity index 98% rename from docs/docs/05-Concepts/02-user-management.md rename to docs/05-Concepts/02-user-management.md index 21d9922f..e6c84fea 100644 --- a/docs/docs/05-Concepts/02-user-management.md +++ b/docs/05-Concepts/02-user-management.md @@ -7,7 +7,7 @@ sidebar_position: 2 # User Management At the moment, metal-stack can more or less be seen as a low-level API that does not scope access based on projects and tenants. -Fine-grained access control with full multi-tenancy support is actively worked on in [MEP4](../../contributing/04-Proposals/MEP4/README.md). +Fine-grained access control with full multi-tenancy support is actively worked on in [MEP4](/community/MEP-14-independence-from-external-sources). Until then projects and tenants can be created, but have no effect on access control. diff --git a/docs/docs/05-Concepts/03-Network/01-theory.md b/docs/05-Concepts/03-Network/01-theory.md similarity index 100% rename from docs/docs/05-Concepts/03-Network/01-theory.md rename to docs/05-Concepts/03-Network/01-theory.md diff --git a/docs/docs/05-Concepts/03-Network/02-firewalls.md b/docs/05-Concepts/03-Network/02-firewalls.md similarity index 100% rename from docs/docs/05-Concepts/03-Network/02-firewalls.md rename to docs/05-Concepts/03-Network/02-firewalls.md diff --git a/docs/docs/05-Concepts/03-Network/03-tailscale.md b/docs/05-Concepts/03-Network/03-tailscale.md similarity index 100% rename from docs/docs/05-Concepts/03-Network/03-tailscale.md rename to docs/05-Concepts/03-Network/03-tailscale.md diff --git a/docs/docs/05-Concepts/03-Network/2-layer-leaf-spine.drawio b/docs/05-Concepts/03-Network/2-layer-leaf-spine.drawio similarity index 100% rename from docs/docs/05-Concepts/03-Network/2-layer-leaf-spine.drawio rename to docs/05-Concepts/03-Network/2-layer-leaf-spine.drawio diff --git a/docs/docs/05-Concepts/03-Network/2-layer-leaf-spine.svg b/docs/05-Concepts/03-Network/2-layer-leaf-spine.svg similarity index 100% rename from docs/docs/05-Concepts/03-Network/2-layer-leaf-spine.svg rename to docs/05-Concepts/03-Network/2-layer-leaf-spine.svg diff --git a/docs/docs/05-Concepts/03-Network/3-layer-leaf-spine.drawio b/docs/05-Concepts/03-Network/3-layer-leaf-spine.drawio similarity index 100% rename from docs/docs/05-Concepts/03-Network/3-layer-leaf-spine.drawio rename to docs/05-Concepts/03-Network/3-layer-leaf-spine.drawio diff --git a/docs/docs/05-Concepts/03-Network/3-layer-leaf-spine.svg b/docs/05-Concepts/03-Network/3-layer-leaf-spine.svg similarity index 100% rename from docs/docs/05-Concepts/03-Network/3-layer-leaf-spine.svg rename to docs/05-Concepts/03-Network/3-layer-leaf-spine.svg diff --git a/docs/docs/05-Concepts/03-Network/evpn-vtep.drawio b/docs/05-Concepts/03-Network/evpn-vtep.drawio similarity index 100% rename from docs/docs/05-Concepts/03-Network/evpn-vtep.drawio rename to docs/05-Concepts/03-Network/evpn-vtep.drawio diff --git a/docs/docs/05-Concepts/03-Network/evpn-vtep.svg b/docs/05-Concepts/03-Network/evpn-vtep.svg similarity index 100% rename from docs/docs/05-Concepts/03-Network/evpn-vtep.svg rename to docs/05-Concepts/03-Network/evpn-vtep.svg diff --git a/docs/docs/05-Concepts/03-Network/network-physical-wiring.drawio b/docs/05-Concepts/03-Network/network-physical-wiring.drawio similarity index 100% rename from docs/docs/05-Concepts/03-Network/network-physical-wiring.drawio rename to docs/05-Concepts/03-Network/network-physical-wiring.drawio diff --git a/docs/docs/05-Concepts/03-Network/network-physical-wiring.svg b/docs/05-Concepts/03-Network/network-physical-wiring.svg similarity index 100% rename from docs/docs/05-Concepts/03-Network/network-physical-wiring.svg rename to docs/05-Concepts/03-Network/network-physical-wiring.svg diff --git a/docs/docs/05-Concepts/03-Network/network-vrfs.drawio b/docs/05-Concepts/03-Network/network-vrfs.drawio similarity index 100% rename from docs/docs/05-Concepts/03-Network/network-vrfs.drawio rename to docs/05-Concepts/03-Network/network-vrfs.drawio diff --git a/docs/docs/05-Concepts/03-Network/network-vrfs.svg b/docs/05-Concepts/03-Network/network-vrfs.svg similarity index 100% rename from docs/docs/05-Concepts/03-Network/network-vrfs.svg rename to docs/05-Concepts/03-Network/network-vrfs.svg diff --git a/docs/docs/05-Concepts/03-Network/tailscale-authkeys.png b/docs/05-Concepts/03-Network/tailscale-authkeys.png similarity index 100% rename from docs/docs/05-Concepts/03-Network/tailscale-authkeys.png rename to docs/05-Concepts/03-Network/tailscale-authkeys.png diff --git a/docs/docs/05-Concepts/03-Network/tailscale-devices.png b/docs/05-Concepts/03-Network/tailscale-devices.png similarity index 100% rename from docs/docs/05-Concepts/03-Network/tailscale-devices.png rename to docs/05-Concepts/03-Network/tailscale-devices.png diff --git a/docs/docs/05-Concepts/03-Network/vrf-simple.drawio b/docs/05-Concepts/03-Network/vrf-simple.drawio similarity index 100% rename from docs/docs/05-Concepts/03-Network/vrf-simple.drawio rename to docs/05-Concepts/03-Network/vrf-simple.drawio diff --git a/docs/docs/05-Concepts/03-Network/vrf-simple.svg b/docs/05-Concepts/03-Network/vrf-simple.svg similarity index 100% rename from docs/docs/05-Concepts/03-Network/vrf-simple.svg rename to docs/05-Concepts/03-Network/vrf-simple.svg diff --git a/docs/docs/05-Concepts/04-Kubernetes/01-gardener.md b/docs/05-Concepts/04-Kubernetes/01-gardener.md similarity index 100% rename from docs/docs/05-Concepts/04-Kubernetes/01-gardener.md rename to docs/05-Concepts/04-Kubernetes/01-gardener.md diff --git a/docs/docs/05-Concepts/04-Kubernetes/02-cluster-api.md b/docs/05-Concepts/04-Kubernetes/02-cluster-api.md similarity index 100% rename from docs/docs/05-Concepts/04-Kubernetes/02-cluster-api.md rename to docs/05-Concepts/04-Kubernetes/02-cluster-api.md diff --git a/docs/docs/05-Concepts/04-Kubernetes/03-cloud-controller-manager.md b/docs/05-Concepts/04-Kubernetes/03-cloud-controller-manager.md similarity index 100% rename from docs/docs/05-Concepts/04-Kubernetes/03-cloud-controller-manager.md rename to docs/05-Concepts/04-Kubernetes/03-cloud-controller-manager.md diff --git a/docs/docs/05-Concepts/04-Kubernetes/04-firewall-controller-manager.md b/docs/05-Concepts/04-Kubernetes/04-firewall-controller-manager.md similarity index 100% rename from docs/docs/05-Concepts/04-Kubernetes/04-firewall-controller-manager.md rename to docs/05-Concepts/04-Kubernetes/04-firewall-controller-manager.md diff --git a/docs/docs/05-Concepts/04-Kubernetes/05-isolated-clusters.md b/docs/05-Concepts/04-Kubernetes/05-isolated-clusters.md similarity index 100% rename from docs/docs/05-Concepts/04-Kubernetes/05-isolated-clusters.md rename to docs/05-Concepts/04-Kubernetes/05-isolated-clusters.md diff --git a/docs/docs/05-Concepts/04-Kubernetes/06-gpu-workers.md b/docs/05-Concepts/04-Kubernetes/06-gpu-workers.md similarity index 100% rename from docs/docs/05-Concepts/04-Kubernetes/06-gpu-workers.md rename to docs/05-Concepts/04-Kubernetes/06-gpu-workers.md diff --git a/docs/docs/05-Concepts/04-Kubernetes/07-storage.md b/docs/05-Concepts/04-Kubernetes/07-storage.md similarity index 100% rename from docs/docs/05-Concepts/04-Kubernetes/07-storage.md rename to docs/05-Concepts/04-Kubernetes/07-storage.md diff --git a/docs/docs/05-Concepts/04-Kubernetes/isolated-kubernetes.drawio b/docs/05-Concepts/04-Kubernetes/isolated-kubernetes.drawio similarity index 100% rename from docs/docs/05-Concepts/04-Kubernetes/isolated-kubernetes.drawio rename to docs/05-Concepts/04-Kubernetes/isolated-kubernetes.drawio diff --git a/docs/docs/05-Concepts/04-Kubernetes/isolated-kubernetes.svg b/docs/05-Concepts/04-Kubernetes/isolated-kubernetes.svg similarity index 100% rename from docs/docs/05-Concepts/04-Kubernetes/isolated-kubernetes.svg rename to docs/05-Concepts/04-Kubernetes/isolated-kubernetes.svg diff --git a/docs/docs/05-Concepts/assets/2-layer-leaf-spine.svg b/docs/05-Concepts/assets/2-layer-leaf-spine.svg similarity index 100% rename from docs/docs/05-Concepts/assets/2-layer-leaf-spine.svg rename to docs/05-Concepts/assets/2-layer-leaf-spine.svg diff --git a/docs/docs/05-Concepts/assets/3-layer-leaf-spine.svg b/docs/05-Concepts/assets/3-layer-leaf-spine.svg similarity index 100% rename from docs/docs/05-Concepts/assets/3-layer-leaf-spine.svg rename to docs/05-Concepts/assets/3-layer-leaf-spine.svg diff --git a/docs/docs/05-Concepts/assets/evpn-vtep.svg b/docs/05-Concepts/assets/evpn-vtep.svg similarity index 100% rename from docs/docs/05-Concepts/assets/evpn-vtep.svg rename to docs/05-Concepts/assets/evpn-vtep.svg diff --git a/docs/docs/05-Concepts/assets/isolated-kubernetes.drawio b/docs/05-Concepts/assets/isolated-kubernetes.drawio similarity index 100% rename from docs/docs/05-Concepts/assets/isolated-kubernetes.drawio rename to docs/05-Concepts/assets/isolated-kubernetes.drawio diff --git a/docs/docs/05-Concepts/assets/isolated-kubernetes.svg b/docs/05-Concepts/assets/isolated-kubernetes.svg similarity index 100% rename from docs/docs/05-Concepts/assets/isolated-kubernetes.svg rename to docs/05-Concepts/assets/isolated-kubernetes.svg diff --git a/docs/docs/05-Concepts/assets/metal-stack-architecture.drawio b/docs/05-Concepts/assets/metal-stack-architecture.drawio similarity index 100% rename from docs/docs/05-Concepts/assets/metal-stack-architecture.drawio rename to docs/05-Concepts/assets/metal-stack-architecture.drawio diff --git a/docs/docs/05-Concepts/assets/metal-stack-architecture.svg b/docs/05-Concepts/assets/metal-stack-architecture.svg similarity index 100% rename from docs/docs/05-Concepts/assets/metal-stack-architecture.svg rename to docs/05-Concepts/assets/metal-stack-architecture.svg diff --git a/docs/docs/05-Concepts/assets/metal-stack-control-plane.svg b/docs/05-Concepts/assets/metal-stack-control-plane.svg similarity index 100% rename from docs/docs/05-Concepts/assets/metal-stack-control-plane.svg rename to docs/05-Concepts/assets/metal-stack-control-plane.svg diff --git a/docs/docs/05-Concepts/assets/metal-stack-partition.svg b/docs/05-Concepts/assets/metal-stack-partition.svg similarity index 100% rename from docs/docs/05-Concepts/assets/metal-stack-partition.svg rename to docs/05-Concepts/assets/metal-stack-partition.svg diff --git a/docs/docs/05-Concepts/assets/network-physical-wiring.drawio b/docs/05-Concepts/assets/network-physical-wiring.drawio similarity index 100% rename from docs/docs/05-Concepts/assets/network-physical-wiring.drawio rename to docs/05-Concepts/assets/network-physical-wiring.drawio diff --git a/docs/docs/05-Concepts/assets/network-physical-wiring.svg b/docs/05-Concepts/assets/network-physical-wiring.svg similarity index 100% rename from docs/docs/05-Concepts/assets/network-physical-wiring.svg rename to docs/05-Concepts/assets/network-physical-wiring.svg diff --git a/docs/docs/05-Concepts/assets/network-vrfs.drawio b/docs/05-Concepts/assets/network-vrfs.drawio similarity index 100% rename from docs/docs/05-Concepts/assets/network-vrfs.drawio rename to docs/05-Concepts/assets/network-vrfs.drawio diff --git a/docs/docs/05-Concepts/assets/network-vrfs.svg b/docs/05-Concepts/assets/network-vrfs.svg similarity index 100% rename from docs/docs/05-Concepts/assets/network-vrfs.svg rename to docs/05-Concepts/assets/network-vrfs.svg diff --git a/docs/docs/05-Concepts/assets/provisioning_sequence.drawio b/docs/05-Concepts/assets/provisioning_sequence.drawio similarity index 100% rename from docs/docs/05-Concepts/assets/provisioning_sequence.drawio rename to docs/05-Concepts/assets/provisioning_sequence.drawio diff --git a/docs/docs/05-Concepts/assets/provisioning_sequence.svg b/docs/05-Concepts/assets/provisioning_sequence.svg similarity index 100% rename from docs/docs/05-Concepts/assets/provisioning_sequence.svg rename to docs/05-Concepts/assets/provisioning_sequence.svg diff --git a/docs/docs/05-Concepts/assets/vrf-simple.svg b/docs/05-Concepts/assets/vrf-simple.svg similarity index 100% rename from docs/docs/05-Concepts/assets/vrf-simple.svg rename to docs/05-Concepts/assets/vrf-simple.svg diff --git a/docs/docs/06-For CISOs/Security/01-principles.md b/docs/06-For CISOs/Security/01-principles.md similarity index 98% rename from docs/docs/06-For CISOs/Security/01-principles.md rename to docs/06-For CISOs/Security/01-principles.md index 155adfa0..652053e0 100644 --- a/docs/docs/06-For CISOs/Security/01-principles.md +++ b/docs/06-For CISOs/Security/01-principles.md @@ -15,7 +15,7 @@ The minimal need to know principle is a security concept that restricts access t ### RBAC :::info -As of now metal-stack does not implement fine-grained Role-Based Access Control (RBAC) within the `metal-api` but this is worked on in [MEP-4](../../../contributing/04-Proposals/MEP4/README.md). +As of now metal-stack does not implement fine-grained Role-Based Access Control (RBAC) within the `metal-api` but this is worked on in [MEP-4](/community/MEP-14-independence-from-external-sources). ::: As described in our [User Management](../../05-Concepts/02-user-management.md) concept the [metal-api](https://github.com/metal-stack/metal-api) currently offers three different user roles for authorization: diff --git a/docs/docs/06-For CISOs/Security/02-sbom.md b/docs/06-For CISOs/Security/02-sbom.md similarity index 100% rename from docs/docs/06-For CISOs/Security/02-sbom.md rename to docs/06-For CISOs/Security/02-sbom.md diff --git a/docs/docs/06-For CISOs/Security/03-cryptography.md b/docs/06-For CISOs/Security/03-cryptography.md similarity index 100% rename from docs/docs/06-For CISOs/Security/03-cryptography.md rename to docs/06-For CISOs/Security/03-cryptography.md diff --git a/docs/docs/06-For CISOs/Security/04-communication-matrix.md b/docs/06-For CISOs/Security/04-communication-matrix.md similarity index 99% rename from docs/docs/06-For CISOs/Security/04-communication-matrix.md rename to docs/06-For CISOs/Security/04-communication-matrix.md index c326b401..341a45be 100644 --- a/docs/docs/06-For CISOs/Security/04-communication-matrix.md +++ b/docs/06-For CISOs/Security/04-communication-matrix.md @@ -116,7 +116,7 @@ Please note that every [networking setup](../../05-Concepts/03-Network/01-theory | VLAN | Switches, Firewalls | Layer 2 traffic segmentation. | | VXLAN | Switches, Firewalls | Encapsulate Layer 2 frames in Layer 3 packets for network virtualization. | | EVPN | Switches, Firewalls | Overlay network technology for scalable and flexible network architectures. | -| VPN | Firewalls | Management access [without open SSH ports](../../../contributing/04-Proposals/MEP9/README.md). | +| VPN | Firewalls | Management access [without open SSH ports](..//community/MEP-9-no-open-ports-to-the-data-center). | | BGP | Multiple | Routing protocol for dynamic routing and network management. | | SSH | Management Server, Switches | Secure shell access for management and configuration. | | LLDP | Switches, Machines | Link Layer Discovery Protocol for network device discovery. | diff --git a/docs/docs/06-For CISOs/artifacts-signing.md b/docs/06-For CISOs/artifacts-signing.md similarity index 100% rename from docs/docs/06-For CISOs/artifacts-signing.md rename to docs/06-For CISOs/artifacts-signing.md diff --git a/docs/docs/06-For CISOs/integration-checks.md b/docs/06-For CISOs/integration-checks.md similarity index 100% rename from docs/docs/06-For CISOs/integration-checks.md rename to docs/06-For CISOs/integration-checks.md diff --git a/docs/docs/06-For CISOs/network.md b/docs/06-For CISOs/network.md similarity index 100% rename from docs/docs/06-For CISOs/network.md rename to docs/06-For CISOs/network.md diff --git a/docs/docs/06-For CISOs/rbac.md b/docs/06-For CISOs/rbac.md similarity index 90% rename from docs/docs/06-For CISOs/rbac.md rename to docs/06-For CISOs/rbac.md index 736c2b1f..617434aa 100644 --- a/docs/docs/06-For CISOs/rbac.md +++ b/docs/06-For CISOs/rbac.md @@ -31,4 +31,4 @@ To ensure that internal components interact securely with the metal-api, metal-s Users can interact with the metal-api using [metalctl](https://github.com/metal-stack/metalctl), the command-line interface provided by metal-stack. Depending on the required operations, users should authenticate with the appropriate role to match their level of access. -As part of [MEP-4](../../contributing/04-Proposals/MEP4/README.md), significant work is underway to introduce more fine-grained access control mechanisms within metal-stack, enhancing the precision and flexibility of permission management. +As part of [MEP-4](/community/MEP-14-independence-from-external-sources), significant work is underway to introduce more fine-grained access control mechanisms within metal-stack, enhancing the precision and flexibility of permission management. diff --git a/docs/docs/06-For CISOs/remote-access.md b/docs/06-For CISOs/remote-access.md similarity index 88% rename from docs/docs/06-For CISOs/remote-access.md rename to docs/06-For CISOs/remote-access.md index a7281722..9e8a7cf4 100644 --- a/docs/docs/06-For CISOs/remote-access.md +++ b/docs/06-For CISOs/remote-access.md @@ -6,7 +6,7 @@ title: Remote Access ## Machines and Firewalls -Remote access to machines and firewalls is essential for performing administrative tasks such as incident management, troubleshooting and sometimes for development. Standard SSH access is often insufficient for these purposes. In many cases, direct serial console access is required to fully manage the system. metal-stack follows a security-first approach by not offering direct SSH access to machines. This practice reduces the attack surface and prevents unauthorized access that could lead to system damage. Detailed information can be found in [MEP-9](../../contributing/04-Proposals/MEP9/README.md). Administrators can access machines in two primary ways. +Remote access to machines and firewalls is essential for performing administrative tasks such as incident management, troubleshooting and sometimes for development. Standard SSH access is often insufficient for these purposes. In many cases, direct serial console access is required to fully manage the system. metal-stack follows a security-first approach by not offering direct SSH access to machines. This practice reduces the attack surface and prevents unauthorized access that could lead to system damage. Detailed information can be found in [MEP-9](/community/MEP-9-no-open-ports-to-the-data-center). Administrators can access machines in two primary ways. **Out-of-band management via SOL** @@ -26,4 +26,4 @@ This approach uses the [`metal-console`](../08-References/Control%20Plane/metal- Both methods ensure secure and controlled access to machines without exposing them unnecessarily to the network, maintaining the integrity and safety of the infrastructure. -Connecting directly to a machine without a clear plan of action can have unintended consequences and negatively impact stability. For this reason, administrative privileges are required. This restriction ensures that only authorized personnel with the necessary expertise can perform actions that affect the underlying infrastructure. These principles will evolve with the introduction of [MEP-4](../../contributing/04-Proposals/MEP4/README.md). +Connecting directly to a machine without a clear plan of action can have unintended consequences and negatively impact stability. For this reason, administrative privileges are required. This restriction ensures that only authorized personnel with the necessary expertise can perform actions that affect the underlying infrastructure. These principles will evolve with the introduction of [MEP-4](/community/MEP-14-independence-from-external-sources). diff --git a/docs/docs/06-For CISOs/security-vulnerability.md b/docs/06-For CISOs/security-vulnerability.md similarity index 100% rename from docs/docs/06-For CISOs/security-vulnerability.md rename to docs/06-For CISOs/security-vulnerability.md diff --git a/docs/docs/07-Release Notes/v0.18/v0.18.10.md b/docs/07-Release Notes/v0.18/v0.18.10.md similarity index 100% rename from docs/docs/07-Release Notes/v0.18/v0.18.10.md rename to docs/07-Release Notes/v0.18/v0.18.10.md diff --git a/docs/docs/07-Release Notes/v0.18/v0.18.11.md b/docs/07-Release Notes/v0.18/v0.18.11.md similarity index 100% rename from docs/docs/07-Release Notes/v0.18/v0.18.11.md rename to docs/07-Release Notes/v0.18/v0.18.11.md diff --git a/docs/docs/07-Release Notes/v0.18/v0.18.12.md b/docs/07-Release Notes/v0.18/v0.18.12.md similarity index 100% rename from docs/docs/07-Release Notes/v0.18/v0.18.12.md rename to docs/07-Release Notes/v0.18/v0.18.12.md diff --git a/docs/docs/07-Release Notes/v0.18/v0.18.13.md b/docs/07-Release Notes/v0.18/v0.18.13.md similarity index 100% rename from docs/docs/07-Release Notes/v0.18/v0.18.13.md rename to docs/07-Release Notes/v0.18/v0.18.13.md diff --git a/docs/docs/07-Release Notes/v0.18/v0.18.14.md b/docs/07-Release Notes/v0.18/v0.18.14.md similarity index 100% rename from docs/docs/07-Release Notes/v0.18/v0.18.14.md rename to docs/07-Release Notes/v0.18/v0.18.14.md diff --git a/docs/docs/07-Release Notes/v0.18/v0.18.15.md b/docs/07-Release Notes/v0.18/v0.18.15.md similarity index 100% rename from docs/docs/07-Release Notes/v0.18/v0.18.15.md rename to docs/07-Release Notes/v0.18/v0.18.15.md diff --git a/docs/docs/07-Release Notes/v0.18/v0.18.16.md b/docs/07-Release Notes/v0.18/v0.18.16.md similarity index 100% rename from docs/docs/07-Release Notes/v0.18/v0.18.16.md rename to docs/07-Release Notes/v0.18/v0.18.16.md diff --git a/docs/docs/07-Release Notes/v0.18/v0.18.17.md b/docs/07-Release Notes/v0.18/v0.18.17.md similarity index 100% rename from docs/docs/07-Release Notes/v0.18/v0.18.17.md rename to docs/07-Release Notes/v0.18/v0.18.17.md diff --git a/docs/docs/07-Release Notes/v0.18/v0.18.18.md b/docs/07-Release Notes/v0.18/v0.18.18.md similarity index 100% rename from docs/docs/07-Release Notes/v0.18/v0.18.18.md rename to docs/07-Release Notes/v0.18/v0.18.18.md diff --git a/docs/docs/07-Release Notes/v0.19/v0.19.0.md b/docs/07-Release Notes/v0.19/v0.19.0.md similarity index 100% rename from docs/docs/07-Release Notes/v0.19/v0.19.0.md rename to docs/07-Release Notes/v0.19/v0.19.0.md diff --git a/docs/docs/07-Release Notes/v0.19/v0.19.1.md b/docs/07-Release Notes/v0.19/v0.19.1.md similarity index 100% rename from docs/docs/07-Release Notes/v0.19/v0.19.1.md rename to docs/07-Release Notes/v0.19/v0.19.1.md diff --git a/docs/docs/07-Release Notes/v0.19/v0.19.2.md b/docs/07-Release Notes/v0.19/v0.19.2.md similarity index 100% rename from docs/docs/07-Release Notes/v0.19/v0.19.2.md rename to docs/07-Release Notes/v0.19/v0.19.2.md diff --git a/docs/docs/07-Release Notes/v0.19/v0.19.3.md b/docs/07-Release Notes/v0.19/v0.19.3.md similarity index 100% rename from docs/docs/07-Release Notes/v0.19/v0.19.3.md rename to docs/07-Release Notes/v0.19/v0.19.3.md diff --git a/docs/docs/07-Release Notes/v0.19/v0.19.4.md b/docs/07-Release Notes/v0.19/v0.19.4.md similarity index 100% rename from docs/docs/07-Release Notes/v0.19/v0.19.4.md rename to docs/07-Release Notes/v0.19/v0.19.4.md diff --git a/docs/docs/07-Release Notes/v0.19/v0.19.5.md b/docs/07-Release Notes/v0.19/v0.19.5.md similarity index 100% rename from docs/docs/07-Release Notes/v0.19/v0.19.5.md rename to docs/07-Release Notes/v0.19/v0.19.5.md diff --git a/docs/docs/07-Release Notes/v0.19/v0.19.6.md b/docs/07-Release Notes/v0.19/v0.19.6.md similarity index 100% rename from docs/docs/07-Release Notes/v0.19/v0.19.6.md rename to docs/07-Release Notes/v0.19/v0.19.6.md diff --git a/docs/docs/07-Release Notes/v0.19/v0.19.7.md b/docs/07-Release Notes/v0.19/v0.19.7.md similarity index 100% rename from docs/docs/07-Release Notes/v0.19/v0.19.7.md rename to docs/07-Release Notes/v0.19/v0.19.7.md diff --git a/docs/docs/07-Release Notes/v0.19/v0.19.8.md b/docs/07-Release Notes/v0.19/v0.19.8.md similarity index 100% rename from docs/docs/07-Release Notes/v0.19/v0.19.8.md rename to docs/07-Release Notes/v0.19/v0.19.8.md diff --git a/docs/docs/07-Release Notes/v0.20/v0.20.0.md b/docs/07-Release Notes/v0.20/v0.20.0.md similarity index 100% rename from docs/docs/07-Release Notes/v0.20/v0.20.0.md rename to docs/07-Release Notes/v0.20/v0.20.0.md diff --git a/docs/docs/07-Release Notes/v0.20/v0.20.1.md b/docs/07-Release Notes/v0.20/v0.20.1.md similarity index 100% rename from docs/docs/07-Release Notes/v0.20/v0.20.1.md rename to docs/07-Release Notes/v0.20/v0.20.1.md diff --git a/docs/docs/07-Release Notes/v0.20/v0.20.2.md b/docs/07-Release Notes/v0.20/v0.20.2.md similarity index 100% rename from docs/docs/07-Release Notes/v0.20/v0.20.2.md rename to docs/07-Release Notes/v0.20/v0.20.2.md diff --git a/docs/docs/07-Release Notes/v0.21/v0.21.0.md b/docs/07-Release Notes/v0.21/v0.21.0.md similarity index 100% rename from docs/docs/07-Release Notes/v0.21/v0.21.0.md rename to docs/07-Release Notes/v0.21/v0.21.0.md diff --git a/docs/docs/07-Release Notes/v0.21/v0.21.1.md b/docs/07-Release Notes/v0.21/v0.21.1.md similarity index 90% rename from docs/docs/07-Release Notes/v0.21/v0.21.1.md rename to docs/07-Release Notes/v0.21/v0.21.1.md index a2f36d47..eef201b8 100644 --- a/docs/docs/07-Release Notes/v0.21/v0.21.1.md +++ b/docs/07-Release Notes/v0.21/v0.21.1.md @@ -17,7 +17,7 @@ See original release note at [https://github.com/metal-stack/releases/releases/t ``` * [Gardener v1.110](https://github.com/gardener/gardener/releases/tag/v1.110.0) ## Noteworthy -* As part of the [MEP-4](https://docs.metal-stack.io/stable/development/proposals/MEP4/README/) implementation, it is now possible to deploy a preview version of the [metal-apiserver](https://github.com/metal-stack/metal-apiserver). Note that this is only a development preview and will undergo a lot of breaking changes in the next time, so do not deploy this for any production use cases yet. (metal-stack/metal-roles#391) +* As part of the [MEP-4](/community/MEP-14-independence-from-external-sources) implementation, it is now possible to deploy a preview version of the [metal-apiserver](https://github.com/metal-stack/metal-apiserver). Note that this is only a development preview and will undergo a lot of breaking changes in the next time, so do not deploy this for any production use cases yet. (metal-stack/metal-roles#391) ## Breaking Changes * The support for meilisearch as an audit backend was dropped. Please migrate to the TimescaleDB backend if you depend on this implementation of meilisearch support. (metal-stack/metal-lib#174) ## Component Releases @@ -73,4 +73,4 @@ The fact that these pull requests were merged does not necessarily imply that th * Add CODEOWNERS and code contribution guidelines. (metal-stack/sonic-configdb-utils#3) @Gerrit91 * Try pushing to ghcr.io (metal-stack/metal-images#274) @majst01 * fix(ci): forgot registry login (metal-stack/metal-images#292) @vknabel -* Next release (metal-stack/releases#222) @metal-robot[bot] \ No newline at end of file +* Next release (metal-stack/releases#222) @metal-robot[bot] diff --git a/docs/docs/07-Release Notes/v0.21/v0.21.10.md b/docs/07-Release Notes/v0.21/v0.21.10.md similarity index 100% rename from docs/docs/07-Release Notes/v0.21/v0.21.10.md rename to docs/07-Release Notes/v0.21/v0.21.10.md diff --git a/docs/docs/07-Release Notes/v0.21/v0.21.11.md b/docs/07-Release Notes/v0.21/v0.21.11.md similarity index 100% rename from docs/docs/07-Release Notes/v0.21/v0.21.11.md rename to docs/07-Release Notes/v0.21/v0.21.11.md diff --git a/docs/docs/07-Release Notes/v0.21/v0.21.2.md b/docs/07-Release Notes/v0.21/v0.21.2.md similarity index 100% rename from docs/docs/07-Release Notes/v0.21/v0.21.2.md rename to docs/07-Release Notes/v0.21/v0.21.2.md diff --git a/docs/docs/07-Release Notes/v0.21/v0.21.3.md b/docs/07-Release Notes/v0.21/v0.21.3.md similarity index 100% rename from docs/docs/07-Release Notes/v0.21/v0.21.3.md rename to docs/07-Release Notes/v0.21/v0.21.3.md diff --git a/docs/docs/07-Release Notes/v0.21/v0.21.4.md b/docs/07-Release Notes/v0.21/v0.21.4.md similarity index 100% rename from docs/docs/07-Release Notes/v0.21/v0.21.4.md rename to docs/07-Release Notes/v0.21/v0.21.4.md diff --git a/docs/docs/07-Release Notes/v0.21/v0.21.5.md b/docs/07-Release Notes/v0.21/v0.21.5.md similarity index 100% rename from docs/docs/07-Release Notes/v0.21/v0.21.5.md rename to docs/07-Release Notes/v0.21/v0.21.5.md diff --git a/docs/docs/07-Release Notes/v0.21/v0.21.6.md b/docs/07-Release Notes/v0.21/v0.21.6.md similarity index 100% rename from docs/docs/07-Release Notes/v0.21/v0.21.6.md rename to docs/07-Release Notes/v0.21/v0.21.6.md diff --git a/docs/docs/07-Release Notes/v0.21/v0.21.7.md b/docs/07-Release Notes/v0.21/v0.21.7.md similarity index 100% rename from docs/docs/07-Release Notes/v0.21/v0.21.7.md rename to docs/07-Release Notes/v0.21/v0.21.7.md diff --git a/docs/docs/07-Release Notes/v0.21/v0.21.8.md b/docs/07-Release Notes/v0.21/v0.21.8.md similarity index 100% rename from docs/docs/07-Release Notes/v0.21/v0.21.8.md rename to docs/07-Release Notes/v0.21/v0.21.8.md diff --git a/docs/docs/07-Release Notes/v0.21/v0.21.9.md b/docs/07-Release Notes/v0.21/v0.21.9.md similarity index 100% rename from docs/docs/07-Release Notes/v0.21/v0.21.9.md rename to docs/07-Release Notes/v0.21/v0.21.9.md diff --git a/docs/docs/07-Release Notes/v0.22/v0.22.0.md b/docs/07-Release Notes/v0.22/v0.22.0.md similarity index 100% rename from docs/docs/07-Release Notes/v0.22/v0.22.0.md rename to docs/07-Release Notes/v0.22/v0.22.0.md diff --git a/docs/docs/07-Release Notes/v0.22/v0.22.1.md b/docs/07-Release Notes/v0.22/v0.22.1.md similarity index 100% rename from docs/docs/07-Release Notes/v0.22/v0.22.1.md rename to docs/07-Release Notes/v0.22/v0.22.1.md diff --git a/docs/docs/07-Release Notes/v0.22/v0.22.2.md b/docs/07-Release Notes/v0.22/v0.22.2.md similarity index 100% rename from docs/docs/07-Release Notes/v0.22/v0.22.2.md rename to docs/07-Release Notes/v0.22/v0.22.2.md diff --git a/docs/docs/07-Release Notes/v0.22/v0.22.3.md b/docs/07-Release Notes/v0.22/v0.22.3.md similarity index 100% rename from docs/docs/07-Release Notes/v0.22/v0.22.3.md rename to docs/07-Release Notes/v0.22/v0.22.3.md diff --git a/docs/docs/07-Release Notes/v0.22/v0.22.4.md b/docs/07-Release Notes/v0.22/v0.22.4.md similarity index 100% rename from docs/docs/07-Release Notes/v0.22/v0.22.4.md rename to docs/07-Release Notes/v0.22/v0.22.4.md diff --git a/docs/docs/08-References/API/index.mdx b/docs/08-References/API/index.mdx similarity index 100% rename from docs/docs/08-References/API/index.mdx rename to docs/08-References/API/index.mdx diff --git a/docs/docs/08-References/Clients/metalctl/metalctl.md b/docs/08-References/Clients/metalctl/metalctl.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl.md rename to docs/08-References/Clients/metalctl/metalctl.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_audit.md b/docs/08-References/Clients/metalctl/metalctl_audit.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_audit.md rename to docs/08-References/Clients/metalctl/metalctl_audit.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_audit_describe.md b/docs/08-References/Clients/metalctl/metalctl_audit_describe.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_audit_describe.md rename to docs/08-References/Clients/metalctl/metalctl_audit_describe.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_audit_list.md b/docs/08-References/Clients/metalctl/metalctl_audit_list.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_audit_list.md rename to docs/08-References/Clients/metalctl/metalctl_audit_list.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_completion.md b/docs/08-References/Clients/metalctl/metalctl_completion.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_completion.md rename to docs/08-References/Clients/metalctl/metalctl_completion.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_completion_bash.md b/docs/08-References/Clients/metalctl/metalctl_completion_bash.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_completion_bash.md rename to docs/08-References/Clients/metalctl/metalctl_completion_bash.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_completion_fish.md b/docs/08-References/Clients/metalctl/metalctl_completion_fish.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_completion_fish.md rename to docs/08-References/Clients/metalctl/metalctl_completion_fish.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_completion_powershell.md b/docs/08-References/Clients/metalctl/metalctl_completion_powershell.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_completion_powershell.md rename to docs/08-References/Clients/metalctl/metalctl_completion_powershell.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_completion_zsh.md b/docs/08-References/Clients/metalctl/metalctl_completion_zsh.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_completion_zsh.md rename to docs/08-References/Clients/metalctl/metalctl_completion_zsh.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_context.md b/docs/08-References/Clients/metalctl/metalctl_context.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_context.md rename to docs/08-References/Clients/metalctl/metalctl_context.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_context_short.md b/docs/08-References/Clients/metalctl/metalctl_context_short.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_context_short.md rename to docs/08-References/Clients/metalctl/metalctl_context_short.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_filesystemlayout.md b/docs/08-References/Clients/metalctl/metalctl_filesystemlayout.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_filesystemlayout.md rename to docs/08-References/Clients/metalctl/metalctl_filesystemlayout.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_filesystemlayout_apply.md b/docs/08-References/Clients/metalctl/metalctl_filesystemlayout_apply.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_filesystemlayout_apply.md rename to docs/08-References/Clients/metalctl/metalctl_filesystemlayout_apply.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_filesystemlayout_create.md b/docs/08-References/Clients/metalctl/metalctl_filesystemlayout_create.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_filesystemlayout_create.md rename to docs/08-References/Clients/metalctl/metalctl_filesystemlayout_create.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_filesystemlayout_delete.md b/docs/08-References/Clients/metalctl/metalctl_filesystemlayout_delete.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_filesystemlayout_delete.md rename to docs/08-References/Clients/metalctl/metalctl_filesystemlayout_delete.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_filesystemlayout_describe.md b/docs/08-References/Clients/metalctl/metalctl_filesystemlayout_describe.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_filesystemlayout_describe.md rename to docs/08-References/Clients/metalctl/metalctl_filesystemlayout_describe.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_filesystemlayout_edit.md b/docs/08-References/Clients/metalctl/metalctl_filesystemlayout_edit.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_filesystemlayout_edit.md rename to docs/08-References/Clients/metalctl/metalctl_filesystemlayout_edit.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_filesystemlayout_list.md b/docs/08-References/Clients/metalctl/metalctl_filesystemlayout_list.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_filesystemlayout_list.md rename to docs/08-References/Clients/metalctl/metalctl_filesystemlayout_list.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_filesystemlayout_match.md b/docs/08-References/Clients/metalctl/metalctl_filesystemlayout_match.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_filesystemlayout_match.md rename to docs/08-References/Clients/metalctl/metalctl_filesystemlayout_match.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_filesystemlayout_try.md b/docs/08-References/Clients/metalctl/metalctl_filesystemlayout_try.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_filesystemlayout_try.md rename to docs/08-References/Clients/metalctl/metalctl_filesystemlayout_try.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_filesystemlayout_update.md b/docs/08-References/Clients/metalctl/metalctl_filesystemlayout_update.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_filesystemlayout_update.md rename to docs/08-References/Clients/metalctl/metalctl_filesystemlayout_update.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_firewall.md b/docs/08-References/Clients/metalctl/metalctl_firewall.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_firewall.md rename to docs/08-References/Clients/metalctl/metalctl_firewall.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_firewall_create.md b/docs/08-References/Clients/metalctl/metalctl_firewall_create.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_firewall_create.md rename to docs/08-References/Clients/metalctl/metalctl_firewall_create.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_firewall_describe.md b/docs/08-References/Clients/metalctl/metalctl_firewall_describe.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_firewall_describe.md rename to docs/08-References/Clients/metalctl/metalctl_firewall_describe.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_firewall_list.md b/docs/08-References/Clients/metalctl/metalctl_firewall_list.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_firewall_list.md rename to docs/08-References/Clients/metalctl/metalctl_firewall_list.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_firewall_ssh.md b/docs/08-References/Clients/metalctl/metalctl_firewall_ssh.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_firewall_ssh.md rename to docs/08-References/Clients/metalctl/metalctl_firewall_ssh.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_firmware.md b/docs/08-References/Clients/metalctl/metalctl_firmware.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_firmware.md rename to docs/08-References/Clients/metalctl/metalctl_firmware.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_firmware_delete.md b/docs/08-References/Clients/metalctl/metalctl_firmware_delete.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_firmware_delete.md rename to docs/08-References/Clients/metalctl/metalctl_firmware_delete.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_firmware_list.md b/docs/08-References/Clients/metalctl/metalctl_firmware_list.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_firmware_list.md rename to docs/08-References/Clients/metalctl/metalctl_firmware_list.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_firmware_upload.md b/docs/08-References/Clients/metalctl/metalctl_firmware_upload.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_firmware_upload.md rename to docs/08-References/Clients/metalctl/metalctl_firmware_upload.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_firmware_upload_bios.md b/docs/08-References/Clients/metalctl/metalctl_firmware_upload_bios.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_firmware_upload_bios.md rename to docs/08-References/Clients/metalctl/metalctl_firmware_upload_bios.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_firmware_upload_bmc.md b/docs/08-References/Clients/metalctl/metalctl_firmware_upload_bmc.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_firmware_upload_bmc.md rename to docs/08-References/Clients/metalctl/metalctl_firmware_upload_bmc.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_health.md b/docs/08-References/Clients/metalctl/metalctl_health.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_health.md rename to docs/08-References/Clients/metalctl/metalctl_health.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_image.md b/docs/08-References/Clients/metalctl/metalctl_image.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_image.md rename to docs/08-References/Clients/metalctl/metalctl_image.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_image_apply.md b/docs/08-References/Clients/metalctl/metalctl_image_apply.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_image_apply.md rename to docs/08-References/Clients/metalctl/metalctl_image_apply.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_image_create.md b/docs/08-References/Clients/metalctl/metalctl_image_create.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_image_create.md rename to docs/08-References/Clients/metalctl/metalctl_image_create.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_image_delete.md b/docs/08-References/Clients/metalctl/metalctl_image_delete.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_image_delete.md rename to docs/08-References/Clients/metalctl/metalctl_image_delete.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_image_describe.md b/docs/08-References/Clients/metalctl/metalctl_image_describe.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_image_describe.md rename to docs/08-References/Clients/metalctl/metalctl_image_describe.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_image_edit.md b/docs/08-References/Clients/metalctl/metalctl_image_edit.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_image_edit.md rename to docs/08-References/Clients/metalctl/metalctl_image_edit.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_image_list.md b/docs/08-References/Clients/metalctl/metalctl_image_list.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_image_list.md rename to docs/08-References/Clients/metalctl/metalctl_image_list.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_image_update.md b/docs/08-References/Clients/metalctl/metalctl_image_update.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_image_update.md rename to docs/08-References/Clients/metalctl/metalctl_image_update.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_login.md b/docs/08-References/Clients/metalctl/metalctl_login.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_login.md rename to docs/08-References/Clients/metalctl/metalctl_login.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_logout.md b/docs/08-References/Clients/metalctl/metalctl_logout.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_logout.md rename to docs/08-References/Clients/metalctl/metalctl_logout.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_machine.md b/docs/08-References/Clients/metalctl/metalctl_machine.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_machine.md rename to docs/08-References/Clients/metalctl/metalctl_machine.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_machine_apply.md b/docs/08-References/Clients/metalctl/metalctl_machine_apply.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_machine_apply.md rename to docs/08-References/Clients/metalctl/metalctl_machine_apply.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_machine_console.md b/docs/08-References/Clients/metalctl/metalctl_machine_console.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_machine_console.md rename to docs/08-References/Clients/metalctl/metalctl_machine_console.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_machine_consolepassword.md b/docs/08-References/Clients/metalctl/metalctl_machine_consolepassword.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_machine_consolepassword.md rename to docs/08-References/Clients/metalctl/metalctl_machine_consolepassword.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_machine_create.md b/docs/08-References/Clients/metalctl/metalctl_machine_create.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_machine_create.md rename to docs/08-References/Clients/metalctl/metalctl_machine_create.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_machine_delete.md b/docs/08-References/Clients/metalctl/metalctl_machine_delete.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_machine_delete.md rename to docs/08-References/Clients/metalctl/metalctl_machine_delete.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_machine_describe.md b/docs/08-References/Clients/metalctl/metalctl_machine_describe.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_machine_describe.md rename to docs/08-References/Clients/metalctl/metalctl_machine_describe.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_machine_edit.md b/docs/08-References/Clients/metalctl/metalctl_machine_edit.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_machine_edit.md rename to docs/08-References/Clients/metalctl/metalctl_machine_edit.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_machine_identify.md b/docs/08-References/Clients/metalctl/metalctl_machine_identify.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_machine_identify.md rename to docs/08-References/Clients/metalctl/metalctl_machine_identify.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_machine_identify_off.md b/docs/08-References/Clients/metalctl/metalctl_machine_identify_off.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_machine_identify_off.md rename to docs/08-References/Clients/metalctl/metalctl_machine_identify_off.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_machine_identify_on.md b/docs/08-References/Clients/metalctl/metalctl_machine_identify_on.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_machine_identify_on.md rename to docs/08-References/Clients/metalctl/metalctl_machine_identify_on.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_machine_ipmi.md b/docs/08-References/Clients/metalctl/metalctl_machine_ipmi.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_machine_ipmi.md rename to docs/08-References/Clients/metalctl/metalctl_machine_ipmi.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_machine_ipmi_events.md b/docs/08-References/Clients/metalctl/metalctl_machine_ipmi_events.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_machine_ipmi_events.md rename to docs/08-References/Clients/metalctl/metalctl_machine_ipmi_events.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_machine_issues.md b/docs/08-References/Clients/metalctl/metalctl_machine_issues.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_machine_issues.md rename to docs/08-References/Clients/metalctl/metalctl_machine_issues.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_machine_issues_list.md b/docs/08-References/Clients/metalctl/metalctl_machine_issues_list.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_machine_issues_list.md rename to docs/08-References/Clients/metalctl/metalctl_machine_issues_list.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_machine_list.md b/docs/08-References/Clients/metalctl/metalctl_machine_list.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_machine_list.md rename to docs/08-References/Clients/metalctl/metalctl_machine_list.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_machine_lock.md b/docs/08-References/Clients/metalctl/metalctl_machine_lock.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_machine_lock.md rename to docs/08-References/Clients/metalctl/metalctl_machine_lock.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_machine_logs.md b/docs/08-References/Clients/metalctl/metalctl_machine_logs.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_machine_logs.md rename to docs/08-References/Clients/metalctl/metalctl_machine_logs.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_machine_power.md b/docs/08-References/Clients/metalctl/metalctl_machine_power.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_machine_power.md rename to docs/08-References/Clients/metalctl/metalctl_machine_power.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_machine_power_bios.md b/docs/08-References/Clients/metalctl/metalctl_machine_power_bios.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_machine_power_bios.md rename to docs/08-References/Clients/metalctl/metalctl_machine_power_bios.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_machine_power_cycle.md b/docs/08-References/Clients/metalctl/metalctl_machine_power_cycle.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_machine_power_cycle.md rename to docs/08-References/Clients/metalctl/metalctl_machine_power_cycle.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_machine_power_disk.md b/docs/08-References/Clients/metalctl/metalctl_machine_power_disk.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_machine_power_disk.md rename to docs/08-References/Clients/metalctl/metalctl_machine_power_disk.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_machine_power_off.md b/docs/08-References/Clients/metalctl/metalctl_machine_power_off.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_machine_power_off.md rename to docs/08-References/Clients/metalctl/metalctl_machine_power_off.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_machine_power_on.md b/docs/08-References/Clients/metalctl/metalctl_machine_power_on.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_machine_power_on.md rename to docs/08-References/Clients/metalctl/metalctl_machine_power_on.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_machine_power_pxe.md b/docs/08-References/Clients/metalctl/metalctl_machine_power_pxe.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_machine_power_pxe.md rename to docs/08-References/Clients/metalctl/metalctl_machine_power_pxe.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_machine_power_reset.md b/docs/08-References/Clients/metalctl/metalctl_machine_power_reset.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_machine_power_reset.md rename to docs/08-References/Clients/metalctl/metalctl_machine_power_reset.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_machine_reinstall.md b/docs/08-References/Clients/metalctl/metalctl_machine_reinstall.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_machine_reinstall.md rename to docs/08-References/Clients/metalctl/metalctl_machine_reinstall.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_machine_reserve.md b/docs/08-References/Clients/metalctl/metalctl_machine_reserve.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_machine_reserve.md rename to docs/08-References/Clients/metalctl/metalctl_machine_reserve.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_machine_update-firmware.md b/docs/08-References/Clients/metalctl/metalctl_machine_update-firmware.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_machine_update-firmware.md rename to docs/08-References/Clients/metalctl/metalctl_machine_update-firmware.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_machine_update-firmware_bios.md b/docs/08-References/Clients/metalctl/metalctl_machine_update-firmware_bios.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_machine_update-firmware_bios.md rename to docs/08-References/Clients/metalctl/metalctl_machine_update-firmware_bios.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_machine_update-firmware_bmc.md b/docs/08-References/Clients/metalctl/metalctl_machine_update-firmware_bmc.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_machine_update-firmware_bmc.md rename to docs/08-References/Clients/metalctl/metalctl_machine_update-firmware_bmc.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_machine_update.md b/docs/08-References/Clients/metalctl/metalctl_machine_update.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_machine_update.md rename to docs/08-References/Clients/metalctl/metalctl_machine_update.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_markdown.md b/docs/08-References/Clients/metalctl/metalctl_markdown.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_markdown.md rename to docs/08-References/Clients/metalctl/metalctl_markdown.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_network.md b/docs/08-References/Clients/metalctl/metalctl_network.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_network.md rename to docs/08-References/Clients/metalctl/metalctl_network.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_network_allocate.md b/docs/08-References/Clients/metalctl/metalctl_network_allocate.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_network_allocate.md rename to docs/08-References/Clients/metalctl/metalctl_network_allocate.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_network_apply.md b/docs/08-References/Clients/metalctl/metalctl_network_apply.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_network_apply.md rename to docs/08-References/Clients/metalctl/metalctl_network_apply.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_network_create.md b/docs/08-References/Clients/metalctl/metalctl_network_create.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_network_create.md rename to docs/08-References/Clients/metalctl/metalctl_network_create.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_network_delete.md b/docs/08-References/Clients/metalctl/metalctl_network_delete.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_network_delete.md rename to docs/08-References/Clients/metalctl/metalctl_network_delete.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_network_describe.md b/docs/08-References/Clients/metalctl/metalctl_network_describe.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_network_describe.md rename to docs/08-References/Clients/metalctl/metalctl_network_describe.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_network_edit.md b/docs/08-References/Clients/metalctl/metalctl_network_edit.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_network_edit.md rename to docs/08-References/Clients/metalctl/metalctl_network_edit.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_network_free.md b/docs/08-References/Clients/metalctl/metalctl_network_free.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_network_free.md rename to docs/08-References/Clients/metalctl/metalctl_network_free.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_network_ip.md b/docs/08-References/Clients/metalctl/metalctl_network_ip.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_network_ip.md rename to docs/08-References/Clients/metalctl/metalctl_network_ip.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_network_ip_apply.md b/docs/08-References/Clients/metalctl/metalctl_network_ip_apply.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_network_ip_apply.md rename to docs/08-References/Clients/metalctl/metalctl_network_ip_apply.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_network_ip_create.md b/docs/08-References/Clients/metalctl/metalctl_network_ip_create.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_network_ip_create.md rename to docs/08-References/Clients/metalctl/metalctl_network_ip_create.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_network_ip_delete.md b/docs/08-References/Clients/metalctl/metalctl_network_ip_delete.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_network_ip_delete.md rename to docs/08-References/Clients/metalctl/metalctl_network_ip_delete.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_network_ip_describe.md b/docs/08-References/Clients/metalctl/metalctl_network_ip_describe.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_network_ip_describe.md rename to docs/08-References/Clients/metalctl/metalctl_network_ip_describe.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_network_ip_edit.md b/docs/08-References/Clients/metalctl/metalctl_network_ip_edit.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_network_ip_edit.md rename to docs/08-References/Clients/metalctl/metalctl_network_ip_edit.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_network_ip_issues.md b/docs/08-References/Clients/metalctl/metalctl_network_ip_issues.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_network_ip_issues.md rename to docs/08-References/Clients/metalctl/metalctl_network_ip_issues.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_network_ip_list.md b/docs/08-References/Clients/metalctl/metalctl_network_ip_list.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_network_ip_list.md rename to docs/08-References/Clients/metalctl/metalctl_network_ip_list.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_network_ip_update.md b/docs/08-References/Clients/metalctl/metalctl_network_ip_update.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_network_ip_update.md rename to docs/08-References/Clients/metalctl/metalctl_network_ip_update.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_network_list.md b/docs/08-References/Clients/metalctl/metalctl_network_list.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_network_list.md rename to docs/08-References/Clients/metalctl/metalctl_network_list.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_network_update.md b/docs/08-References/Clients/metalctl/metalctl_network_update.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_network_update.md rename to docs/08-References/Clients/metalctl/metalctl_network_update.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_partition.md b/docs/08-References/Clients/metalctl/metalctl_partition.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_partition.md rename to docs/08-References/Clients/metalctl/metalctl_partition.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_partition_apply.md b/docs/08-References/Clients/metalctl/metalctl_partition_apply.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_partition_apply.md rename to docs/08-References/Clients/metalctl/metalctl_partition_apply.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_partition_capacity.md b/docs/08-References/Clients/metalctl/metalctl_partition_capacity.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_partition_capacity.md rename to docs/08-References/Clients/metalctl/metalctl_partition_capacity.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_partition_create.md b/docs/08-References/Clients/metalctl/metalctl_partition_create.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_partition_create.md rename to docs/08-References/Clients/metalctl/metalctl_partition_create.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_partition_delete.md b/docs/08-References/Clients/metalctl/metalctl_partition_delete.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_partition_delete.md rename to docs/08-References/Clients/metalctl/metalctl_partition_delete.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_partition_describe.md b/docs/08-References/Clients/metalctl/metalctl_partition_describe.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_partition_describe.md rename to docs/08-References/Clients/metalctl/metalctl_partition_describe.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_partition_edit.md b/docs/08-References/Clients/metalctl/metalctl_partition_edit.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_partition_edit.md rename to docs/08-References/Clients/metalctl/metalctl_partition_edit.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_partition_list.md b/docs/08-References/Clients/metalctl/metalctl_partition_list.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_partition_list.md rename to docs/08-References/Clients/metalctl/metalctl_partition_list.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_partition_update.md b/docs/08-References/Clients/metalctl/metalctl_partition_update.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_partition_update.md rename to docs/08-References/Clients/metalctl/metalctl_partition_update.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_project.md b/docs/08-References/Clients/metalctl/metalctl_project.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_project.md rename to docs/08-References/Clients/metalctl/metalctl_project.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_project_apply.md b/docs/08-References/Clients/metalctl/metalctl_project_apply.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_project_apply.md rename to docs/08-References/Clients/metalctl/metalctl_project_apply.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_project_create.md b/docs/08-References/Clients/metalctl/metalctl_project_create.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_project_create.md rename to docs/08-References/Clients/metalctl/metalctl_project_create.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_project_delete.md b/docs/08-References/Clients/metalctl/metalctl_project_delete.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_project_delete.md rename to docs/08-References/Clients/metalctl/metalctl_project_delete.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_project_describe.md b/docs/08-References/Clients/metalctl/metalctl_project_describe.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_project_describe.md rename to docs/08-References/Clients/metalctl/metalctl_project_describe.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_project_edit.md b/docs/08-References/Clients/metalctl/metalctl_project_edit.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_project_edit.md rename to docs/08-References/Clients/metalctl/metalctl_project_edit.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_project_list.md b/docs/08-References/Clients/metalctl/metalctl_project_list.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_project_list.md rename to docs/08-References/Clients/metalctl/metalctl_project_list.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_project_update.md b/docs/08-References/Clients/metalctl/metalctl_project_update.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_project_update.md rename to docs/08-References/Clients/metalctl/metalctl_project_update.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_size.md b/docs/08-References/Clients/metalctl/metalctl_size.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_size.md rename to docs/08-References/Clients/metalctl/metalctl_size.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_size_apply.md b/docs/08-References/Clients/metalctl/metalctl_size_apply.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_size_apply.md rename to docs/08-References/Clients/metalctl/metalctl_size_apply.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_size_create.md b/docs/08-References/Clients/metalctl/metalctl_size_create.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_size_create.md rename to docs/08-References/Clients/metalctl/metalctl_size_create.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_size_delete.md b/docs/08-References/Clients/metalctl/metalctl_size_delete.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_size_delete.md rename to docs/08-References/Clients/metalctl/metalctl_size_delete.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_size_describe.md b/docs/08-References/Clients/metalctl/metalctl_size_describe.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_size_describe.md rename to docs/08-References/Clients/metalctl/metalctl_size_describe.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_size_edit.md b/docs/08-References/Clients/metalctl/metalctl_size_edit.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_size_edit.md rename to docs/08-References/Clients/metalctl/metalctl_size_edit.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_size_imageconstraint.md b/docs/08-References/Clients/metalctl/metalctl_size_imageconstraint.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_size_imageconstraint.md rename to docs/08-References/Clients/metalctl/metalctl_size_imageconstraint.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_size_imageconstraint_apply.md b/docs/08-References/Clients/metalctl/metalctl_size_imageconstraint_apply.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_size_imageconstraint_apply.md rename to docs/08-References/Clients/metalctl/metalctl_size_imageconstraint_apply.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_size_imageconstraint_create.md b/docs/08-References/Clients/metalctl/metalctl_size_imageconstraint_create.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_size_imageconstraint_create.md rename to docs/08-References/Clients/metalctl/metalctl_size_imageconstraint_create.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_size_imageconstraint_delete.md b/docs/08-References/Clients/metalctl/metalctl_size_imageconstraint_delete.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_size_imageconstraint_delete.md rename to docs/08-References/Clients/metalctl/metalctl_size_imageconstraint_delete.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_size_imageconstraint_describe.md b/docs/08-References/Clients/metalctl/metalctl_size_imageconstraint_describe.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_size_imageconstraint_describe.md rename to docs/08-References/Clients/metalctl/metalctl_size_imageconstraint_describe.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_size_imageconstraint_edit.md b/docs/08-References/Clients/metalctl/metalctl_size_imageconstraint_edit.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_size_imageconstraint_edit.md rename to docs/08-References/Clients/metalctl/metalctl_size_imageconstraint_edit.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_size_imageconstraint_list.md b/docs/08-References/Clients/metalctl/metalctl_size_imageconstraint_list.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_size_imageconstraint_list.md rename to docs/08-References/Clients/metalctl/metalctl_size_imageconstraint_list.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_size_imageconstraint_try.md b/docs/08-References/Clients/metalctl/metalctl_size_imageconstraint_try.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_size_imageconstraint_try.md rename to docs/08-References/Clients/metalctl/metalctl_size_imageconstraint_try.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_size_imageconstraint_update.md b/docs/08-References/Clients/metalctl/metalctl_size_imageconstraint_update.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_size_imageconstraint_update.md rename to docs/08-References/Clients/metalctl/metalctl_size_imageconstraint_update.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_size_list.md b/docs/08-References/Clients/metalctl/metalctl_size_list.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_size_list.md rename to docs/08-References/Clients/metalctl/metalctl_size_list.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_size_reservation.md b/docs/08-References/Clients/metalctl/metalctl_size_reservation.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_size_reservation.md rename to docs/08-References/Clients/metalctl/metalctl_size_reservation.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_size_reservation_apply.md b/docs/08-References/Clients/metalctl/metalctl_size_reservation_apply.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_size_reservation_apply.md rename to docs/08-References/Clients/metalctl/metalctl_size_reservation_apply.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_size_reservation_create.md b/docs/08-References/Clients/metalctl/metalctl_size_reservation_create.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_size_reservation_create.md rename to docs/08-References/Clients/metalctl/metalctl_size_reservation_create.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_size_reservation_delete.md b/docs/08-References/Clients/metalctl/metalctl_size_reservation_delete.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_size_reservation_delete.md rename to docs/08-References/Clients/metalctl/metalctl_size_reservation_delete.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_size_reservation_describe.md b/docs/08-References/Clients/metalctl/metalctl_size_reservation_describe.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_size_reservation_describe.md rename to docs/08-References/Clients/metalctl/metalctl_size_reservation_describe.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_size_reservation_edit.md b/docs/08-References/Clients/metalctl/metalctl_size_reservation_edit.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_size_reservation_edit.md rename to docs/08-References/Clients/metalctl/metalctl_size_reservation_edit.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_size_reservation_list.md b/docs/08-References/Clients/metalctl/metalctl_size_reservation_list.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_size_reservation_list.md rename to docs/08-References/Clients/metalctl/metalctl_size_reservation_list.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_size_reservation_update.md b/docs/08-References/Clients/metalctl/metalctl_size_reservation_update.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_size_reservation_update.md rename to docs/08-References/Clients/metalctl/metalctl_size_reservation_update.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_size_reservation_usage.md b/docs/08-References/Clients/metalctl/metalctl_size_reservation_usage.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_size_reservation_usage.md rename to docs/08-References/Clients/metalctl/metalctl_size_reservation_usage.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_size_suggest.md b/docs/08-References/Clients/metalctl/metalctl_size_suggest.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_size_suggest.md rename to docs/08-References/Clients/metalctl/metalctl_size_suggest.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_size_update.md b/docs/08-References/Clients/metalctl/metalctl_size_update.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_size_update.md rename to docs/08-References/Clients/metalctl/metalctl_size_update.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_switch.md b/docs/08-References/Clients/metalctl/metalctl_switch.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_switch.md rename to docs/08-References/Clients/metalctl/metalctl_switch.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_switch_connected-machines.md b/docs/08-References/Clients/metalctl/metalctl_switch_connected-machines.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_switch_connected-machines.md rename to docs/08-References/Clients/metalctl/metalctl_switch_connected-machines.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_switch_console.md b/docs/08-References/Clients/metalctl/metalctl_switch_console.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_switch_console.md rename to docs/08-References/Clients/metalctl/metalctl_switch_console.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_switch_delete.md b/docs/08-References/Clients/metalctl/metalctl_switch_delete.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_switch_delete.md rename to docs/08-References/Clients/metalctl/metalctl_switch_delete.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_switch_describe.md b/docs/08-References/Clients/metalctl/metalctl_switch_describe.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_switch_describe.md rename to docs/08-References/Clients/metalctl/metalctl_switch_describe.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_switch_detail.md b/docs/08-References/Clients/metalctl/metalctl_switch_detail.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_switch_detail.md rename to docs/08-References/Clients/metalctl/metalctl_switch_detail.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_switch_edit.md b/docs/08-References/Clients/metalctl/metalctl_switch_edit.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_switch_edit.md rename to docs/08-References/Clients/metalctl/metalctl_switch_edit.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_switch_list.md b/docs/08-References/Clients/metalctl/metalctl_switch_list.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_switch_list.md rename to docs/08-References/Clients/metalctl/metalctl_switch_list.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_switch_migrate.md b/docs/08-References/Clients/metalctl/metalctl_switch_migrate.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_switch_migrate.md rename to docs/08-References/Clients/metalctl/metalctl_switch_migrate.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_switch_port.md b/docs/08-References/Clients/metalctl/metalctl_switch_port.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_switch_port.md rename to docs/08-References/Clients/metalctl/metalctl_switch_port.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_switch_port_describe.md b/docs/08-References/Clients/metalctl/metalctl_switch_port_describe.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_switch_port_describe.md rename to docs/08-References/Clients/metalctl/metalctl_switch_port_describe.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_switch_port_down.md b/docs/08-References/Clients/metalctl/metalctl_switch_port_down.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_switch_port_down.md rename to docs/08-References/Clients/metalctl/metalctl_switch_port_down.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_switch_port_up.md b/docs/08-References/Clients/metalctl/metalctl_switch_port_up.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_switch_port_up.md rename to docs/08-References/Clients/metalctl/metalctl_switch_port_up.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_switch_replace.md b/docs/08-References/Clients/metalctl/metalctl_switch_replace.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_switch_replace.md rename to docs/08-References/Clients/metalctl/metalctl_switch_replace.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_switch_ssh.md b/docs/08-References/Clients/metalctl/metalctl_switch_ssh.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_switch_ssh.md rename to docs/08-References/Clients/metalctl/metalctl_switch_ssh.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_switch_update.md b/docs/08-References/Clients/metalctl/metalctl_switch_update.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_switch_update.md rename to docs/08-References/Clients/metalctl/metalctl_switch_update.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_tenant.md b/docs/08-References/Clients/metalctl/metalctl_tenant.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_tenant.md rename to docs/08-References/Clients/metalctl/metalctl_tenant.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_tenant_apply.md b/docs/08-References/Clients/metalctl/metalctl_tenant_apply.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_tenant_apply.md rename to docs/08-References/Clients/metalctl/metalctl_tenant_apply.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_tenant_create.md b/docs/08-References/Clients/metalctl/metalctl_tenant_create.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_tenant_create.md rename to docs/08-References/Clients/metalctl/metalctl_tenant_create.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_tenant_delete.md b/docs/08-References/Clients/metalctl/metalctl_tenant_delete.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_tenant_delete.md rename to docs/08-References/Clients/metalctl/metalctl_tenant_delete.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_tenant_describe.md b/docs/08-References/Clients/metalctl/metalctl_tenant_describe.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_tenant_describe.md rename to docs/08-References/Clients/metalctl/metalctl_tenant_describe.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_tenant_edit.md b/docs/08-References/Clients/metalctl/metalctl_tenant_edit.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_tenant_edit.md rename to docs/08-References/Clients/metalctl/metalctl_tenant_edit.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_tenant_list.md b/docs/08-References/Clients/metalctl/metalctl_tenant_list.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_tenant_list.md rename to docs/08-References/Clients/metalctl/metalctl_tenant_list.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_tenant_update.md b/docs/08-References/Clients/metalctl/metalctl_tenant_update.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_tenant_update.md rename to docs/08-References/Clients/metalctl/metalctl_tenant_update.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_update.md b/docs/08-References/Clients/metalctl/metalctl_update.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_update.md rename to docs/08-References/Clients/metalctl/metalctl_update.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_update_check.md b/docs/08-References/Clients/metalctl/metalctl_update_check.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_update_check.md rename to docs/08-References/Clients/metalctl/metalctl_update_check.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_update_do.md b/docs/08-References/Clients/metalctl/metalctl_update_do.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_update_do.md rename to docs/08-References/Clients/metalctl/metalctl_update_do.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_version.md b/docs/08-References/Clients/metalctl/metalctl_version.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_version.md rename to docs/08-References/Clients/metalctl/metalctl_version.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_vpn.md b/docs/08-References/Clients/metalctl/metalctl_vpn.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_vpn.md rename to docs/08-References/Clients/metalctl/metalctl_vpn.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_vpn_key.md b/docs/08-References/Clients/metalctl/metalctl_vpn_key.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_vpn_key.md rename to docs/08-References/Clients/metalctl/metalctl_vpn_key.md diff --git a/docs/docs/08-References/Clients/metalctl/metalctl_whoami.md b/docs/08-References/Clients/metalctl/metalctl_whoami.md similarity index 100% rename from docs/docs/08-References/Clients/metalctl/metalctl_whoami.md rename to docs/08-References/Clients/metalctl/metalctl_whoami.md diff --git a/docs/docs/08-References/Control Plane/backup-restore-sidecar/assets/sequence.drawio.svg b/docs/08-References/Control Plane/backup-restore-sidecar/assets/sequence.drawio.svg similarity index 100% rename from docs/docs/08-References/Control Plane/backup-restore-sidecar/assets/sequence.drawio.svg rename to docs/08-References/Control Plane/backup-restore-sidecar/assets/sequence.drawio.svg diff --git a/docs/docs/08-References/Control Plane/backup-restore-sidecar/backup-restore-sidecar.md b/docs/08-References/Control Plane/backup-restore-sidecar/backup-restore-sidecar.md similarity index 100% rename from docs/docs/08-References/Control Plane/backup-restore-sidecar/backup-restore-sidecar.md rename to docs/08-References/Control Plane/backup-restore-sidecar/backup-restore-sidecar.md diff --git a/docs/docs/08-References/Control Plane/backup-restore-sidecar/manual_restore.md b/docs/08-References/Control Plane/backup-restore-sidecar/manual_restore.md similarity index 100% rename from docs/docs/08-References/Control Plane/backup-restore-sidecar/manual_restore.md rename to docs/08-References/Control Plane/backup-restore-sidecar/manual_restore.md diff --git a/docs/docs/08-References/Control Plane/go-ipam/go-ipam.md b/docs/08-References/Control Plane/go-ipam/go-ipam.md similarity index 100% rename from docs/docs/08-References/Control Plane/go-ipam/go-ipam.md rename to docs/08-References/Control Plane/go-ipam/go-ipam.md diff --git a/docs/docs/08-References/Control Plane/masterdata-api/masterdata-api.md b/docs/08-References/Control Plane/masterdata-api/masterdata-api.md similarity index 100% rename from docs/docs/08-References/Control Plane/masterdata-api/masterdata-api.md rename to docs/08-References/Control Plane/masterdata-api/masterdata-api.md diff --git a/docs/docs/08-References/Control Plane/metal-api/metal-api.md b/docs/08-References/Control Plane/metal-api/metal-api.md similarity index 100% rename from docs/docs/08-References/Control Plane/metal-api/metal-api.md rename to docs/08-References/Control Plane/metal-api/metal-api.md diff --git a/docs/docs/08-References/Control Plane/metal-console/metal-console.md b/docs/08-References/Control Plane/metal-console/metal-console.md similarity index 100% rename from docs/docs/08-References/Control Plane/metal-console/metal-console.md rename to docs/08-References/Control Plane/metal-console/metal-console.md diff --git a/docs/docs/08-References/Deployment/helm-charts/helm-charts.md b/docs/08-References/Deployment/helm-charts/helm-charts.md similarity index 100% rename from docs/docs/08-References/Deployment/helm-charts/helm-charts.md rename to docs/08-References/Deployment/helm-charts/helm-charts.md diff --git a/docs/docs/08-References/Deployment/metal-images/ARCHITECTURE.md b/docs/08-References/Deployment/metal-images/ARCHITECTURE.md similarity index 100% rename from docs/docs/08-References/Deployment/metal-images/ARCHITECTURE.md rename to docs/08-References/Deployment/metal-images/ARCHITECTURE.md diff --git a/docs/docs/08-References/Deployment/metal-images/IMAGE_STORE.md b/docs/08-References/Deployment/metal-images/IMAGE_STORE.md similarity index 100% rename from docs/docs/08-References/Deployment/metal-images/IMAGE_STORE.md rename to docs/08-References/Deployment/metal-images/IMAGE_STORE.md diff --git a/docs/docs/08-References/Deployment/metal-images/metal-images.md b/docs/08-References/Deployment/metal-images/metal-images.md similarity index 100% rename from docs/docs/08-References/Deployment/metal-images/metal-images.md rename to docs/08-References/Deployment/metal-images/metal-images.md diff --git a/docs/docs/08-References/Deployment/mini-lab/assets/network.svg b/docs/08-References/Deployment/mini-lab/assets/network.svg similarity index 100% rename from docs/docs/08-References/Deployment/mini-lab/assets/network.svg rename to docs/08-References/Deployment/mini-lab/assets/network.svg diff --git a/docs/docs/08-References/Deployment/mini-lab/assets/overview.drawio.svg b/docs/08-References/Deployment/mini-lab/assets/overview.drawio.svg similarity index 100% rename from docs/docs/08-References/Deployment/mini-lab/assets/overview.drawio.svg rename to docs/08-References/Deployment/mini-lab/assets/overview.drawio.svg diff --git a/docs/docs/08-References/Deployment/mini-lab/assets/overview.png b/docs/08-References/Deployment/mini-lab/assets/overview.png similarity index 100% rename from docs/docs/08-References/Deployment/mini-lab/assets/overview.png rename to docs/08-References/Deployment/mini-lab/assets/overview.png diff --git a/docs/docs/08-References/Deployment/mini-lab/mini-lab.md b/docs/08-References/Deployment/mini-lab/mini-lab.md similarity index 100% rename from docs/docs/08-References/Deployment/mini-lab/mini-lab.md rename to docs/08-References/Deployment/mini-lab/mini-lab.md diff --git a/docs/docs/08-References/Gardener/gardener-extension-audit/gardener-extension-audit.md b/docs/08-References/Gardener/gardener-extension-audit/gardener-extension-audit.md similarity index 100% rename from docs/docs/08-References/Gardener/gardener-extension-audit/gardener-extension-audit.md rename to docs/08-References/Gardener/gardener-extension-audit/gardener-extension-audit.md diff --git a/docs/docs/08-References/Gardener/gardener-extension-csi-driver-lvm/gardener-extension-csi-driver-lvm.md b/docs/08-References/Gardener/gardener-extension-csi-driver-lvm/gardener-extension-csi-driver-lvm.md similarity index 100% rename from docs/docs/08-References/Gardener/gardener-extension-csi-driver-lvm/gardener-extension-csi-driver-lvm.md rename to docs/08-References/Gardener/gardener-extension-csi-driver-lvm/gardener-extension-csi-driver-lvm.md diff --git a/docs/docs/08-References/Gardener/gardener-extension-csi-driver-lvm/migration.md b/docs/08-References/Gardener/gardener-extension-csi-driver-lvm/migration.md similarity index 100% rename from docs/docs/08-References/Gardener/gardener-extension-csi-driver-lvm/migration.md rename to docs/08-References/Gardener/gardener-extension-csi-driver-lvm/migration.md diff --git a/docs/docs/08-References/Gardener/gardener-extension-ontap/gardener-extension-ontap.md b/docs/08-References/Gardener/gardener-extension-ontap/gardener-extension-ontap.md similarity index 100% rename from docs/docs/08-References/Gardener/gardener-extension-ontap/gardener-extension-ontap.md rename to docs/08-References/Gardener/gardener-extension-ontap/gardener-extension-ontap.md diff --git a/docs/docs/08-References/Gardener/gardener-vpn-gateway/gardener-vpn-gateway.md b/docs/08-References/Gardener/gardener-vpn-gateway/gardener-vpn-gateway.md similarity index 100% rename from docs/docs/08-References/Gardener/gardener-vpn-gateway/gardener-vpn-gateway.md rename to docs/08-References/Gardener/gardener-vpn-gateway/gardener-vpn-gateway.md diff --git a/docs/docs/08-References/Gardener/os-metal-extension/os-metal-extension.md b/docs/08-References/Gardener/os-metal-extension/os-metal-extension.md similarity index 100% rename from docs/docs/08-References/Gardener/os-metal-extension/os-metal-extension.md rename to docs/08-References/Gardener/os-metal-extension/os-metal-extension.md diff --git a/docs/docs/08-References/Kubernetes/cluster-api-provider-metal-stack/DEVELOPMENT.md b/docs/08-References/Kubernetes/cluster-api-provider-metal-stack/DEVELOPMENT.md similarity index 100% rename from docs/docs/08-References/Kubernetes/cluster-api-provider-metal-stack/DEVELOPMENT.md rename to docs/08-References/Kubernetes/cluster-api-provider-metal-stack/DEVELOPMENT.md diff --git a/docs/docs/08-References/Kubernetes/cluster-api-provider-metal-stack/cluster-api-provider-metal-stack.md b/docs/08-References/Kubernetes/cluster-api-provider-metal-stack/cluster-api-provider-metal-stack.md similarity index 100% rename from docs/docs/08-References/Kubernetes/cluster-api-provider-metal-stack/cluster-api-provider-metal-stack.md rename to docs/08-References/Kubernetes/cluster-api-provider-metal-stack/cluster-api-provider-metal-stack.md diff --git a/docs/docs/08-References/Kubernetes/droptailer/droptailer.md b/docs/08-References/Kubernetes/droptailer/droptailer.md similarity index 100% rename from docs/docs/08-References/Kubernetes/droptailer/droptailer.md rename to docs/08-References/Kubernetes/droptailer/droptailer.md diff --git a/docs/docs/08-References/Kubernetes/firewall-controller-manager/firewall-controller-manager.md b/docs/08-References/Kubernetes/firewall-controller-manager/firewall-controller-manager.md similarity index 100% rename from docs/docs/08-References/Kubernetes/firewall-controller-manager/firewall-controller-manager.md rename to docs/08-References/Kubernetes/firewall-controller-manager/firewall-controller-manager.md diff --git a/docs/docs/08-References/Kubernetes/firewall-controller/assets/architecture.drawio.svg b/docs/08-References/Kubernetes/firewall-controller/assets/architecture.drawio.svg similarity index 100% rename from docs/docs/08-References/Kubernetes/firewall-controller/assets/architecture.drawio.svg rename to docs/08-References/Kubernetes/firewall-controller/assets/architecture.drawio.svg diff --git a/docs/docs/08-References/Kubernetes/firewall-controller/firewall-controller.md b/docs/08-References/Kubernetes/firewall-controller/firewall-controller.md similarity index 100% rename from docs/docs/08-References/Kubernetes/firewall-controller/firewall-controller.md rename to docs/08-References/Kubernetes/firewall-controller/firewall-controller.md diff --git a/docs/docs/08-References/Kubernetes/metal-ccm/metal-ccm.md b/docs/08-References/Kubernetes/metal-ccm/metal-ccm.md similarity index 100% rename from docs/docs/08-References/Kubernetes/metal-ccm/metal-ccm.md rename to docs/08-References/Kubernetes/metal-ccm/metal-ccm.md diff --git a/docs/docs/08-References/Monitoring/metal-metrics-exporter/metal-metrics-exporter.md b/docs/08-References/Monitoring/metal-metrics-exporter/metal-metrics-exporter.md similarity index 100% rename from docs/docs/08-References/Monitoring/metal-metrics-exporter/metal-metrics-exporter.md rename to docs/08-References/Monitoring/metal-metrics-exporter/metal-metrics-exporter.md diff --git a/docs/docs/08-References/Monitoring/nftables-exporter/nftables-exporter.md b/docs/08-References/Monitoring/nftables-exporter/nftables-exporter.md similarity index 100% rename from docs/docs/08-References/Monitoring/nftables-exporter/nftables-exporter.md rename to docs/08-References/Monitoring/nftables-exporter/nftables-exporter.md diff --git a/docs/docs/08-References/Monitoring/rethinkdb-exporter/assets/grafana.png b/docs/08-References/Monitoring/rethinkdb-exporter/assets/grafana.png similarity index 100% rename from docs/docs/08-References/Monitoring/rethinkdb-exporter/assets/grafana.png rename to docs/08-References/Monitoring/rethinkdb-exporter/assets/grafana.png diff --git a/docs/docs/08-References/Monitoring/rethinkdb-exporter/rethinkdb-exporter.md b/docs/08-References/Monitoring/rethinkdb-exporter/rethinkdb-exporter.md similarity index 100% rename from docs/docs/08-References/Monitoring/rethinkdb-exporter/rethinkdb-exporter.md rename to docs/08-References/Monitoring/rethinkdb-exporter/rethinkdb-exporter.md diff --git a/docs/docs/08-References/Partition/go-hal/go-hal.md b/docs/08-References/Partition/go-hal/go-hal.md similarity index 100% rename from docs/docs/08-References/Partition/go-hal/go-hal.md rename to docs/08-References/Partition/go-hal/go-hal.md diff --git a/docs/docs/08-References/Partition/metal-bmc/metal-bmc.md b/docs/08-References/Partition/metal-bmc/metal-bmc.md similarity index 100% rename from docs/docs/08-References/Partition/metal-bmc/metal-bmc.md rename to docs/08-References/Partition/metal-bmc/metal-bmc.md diff --git a/docs/docs/08-References/Partition/metal-core/metal-core.md b/docs/08-References/Partition/metal-core/metal-core.md similarity index 100% rename from docs/docs/08-References/Partition/metal-core/metal-core.md rename to docs/08-References/Partition/metal-core/metal-core.md diff --git a/docs/docs/08-References/Partition/metal-hammer/metal-hammer.md b/docs/08-References/Partition/metal-hammer/metal-hammer.md similarity index 100% rename from docs/docs/08-References/Partition/metal-hammer/metal-hammer.md rename to docs/08-References/Partition/metal-hammer/metal-hammer.md diff --git a/docs/docs/08-References/Partition/pixie/pixie.md b/docs/08-References/Partition/pixie/pixie.md similarity index 100% rename from docs/docs/08-References/Partition/pixie/pixie.md rename to docs/08-References/Partition/pixie/pixie.md diff --git a/docs/docs/08-References/Storage/csi-driver-lvm/csi-driver-lvm.md b/docs/08-References/Storage/csi-driver-lvm/csi-driver-lvm.md similarity index 100% rename from docs/docs/08-References/Storage/csi-driver-lvm/csi-driver-lvm.md rename to docs/08-References/Storage/csi-driver-lvm/csi-driver-lvm.md diff --git a/docs/docs/08-References/Storage/duros-controller/MULTITENANCY.md b/docs/08-References/Storage/duros-controller/MULTITENANCY.md similarity index 100% rename from docs/docs/08-References/Storage/duros-controller/MULTITENANCY.md rename to docs/08-References/Storage/duros-controller/MULTITENANCY.md diff --git a/docs/docs/08-References/Storage/duros-controller/assets/architecture.drawio.svg b/docs/08-References/Storage/duros-controller/assets/architecture.drawio.svg similarity index 100% rename from docs/docs/08-References/Storage/duros-controller/assets/architecture.drawio.svg rename to docs/08-References/Storage/duros-controller/assets/architecture.drawio.svg diff --git a/docs/docs/08-References/Storage/duros-controller/assets/dataplane.drawio.svg b/docs/08-References/Storage/duros-controller/assets/dataplane.drawio.svg similarity index 100% rename from docs/docs/08-References/Storage/duros-controller/assets/dataplane.drawio.svg rename to docs/08-References/Storage/duros-controller/assets/dataplane.drawio.svg diff --git a/docs/docs/08-References/Storage/duros-controller/assets/nvme-over-tcp.jpg b/docs/08-References/Storage/duros-controller/assets/nvme-over-tcp.jpg similarity index 100% rename from docs/docs/08-References/Storage/duros-controller/assets/nvme-over-tcp.jpg rename to docs/08-References/Storage/duros-controller/assets/nvme-over-tcp.jpg diff --git a/docs/docs/08-References/Storage/duros-controller/duros-controller.md b/docs/08-References/Storage/duros-controller/duros-controller.md similarity index 100% rename from docs/docs/08-References/Storage/duros-controller/duros-controller.md rename to docs/08-References/Storage/duros-controller/duros-controller.md diff --git a/docs/contributing/04-Proposals/MEP18/README.md b/docs/contributing/04-Proposals/MEP18/README.md deleted file mode 100644 index 9c02c0b7..00000000 --- a/docs/contributing/04-Proposals/MEP18/README.md +++ /dev/null @@ -1,147 +0,0 @@ ---- -slug: /MEP-18-autonomous-control-plane -title: MEP-18 -sidebar_position: 18 ---- - -# Autonomous Control Plane - -As described in the [deployment chapter](../../../docs/04-For%20Operators/03-deployment-guide.mdx), we strongly recommend Kubernetes as the target platform for running the metal-stack control plane. - -Kubernetes clusters for this purpose are readily available from hyperscalers, metalstack.cloud, or other cloud providers. Simply using a managed Kubernetes cluster greatly simplifies a metal-stack installation. However, sometimes it might be desirable to host the metal-stack control plane autonomously, without the help of another cloud provider. Reasons for this might include corporate policies that prohibit the use of external data center products, or network constraints. - -The Kubernetes cluster hosting the metal-stack control plane must provide at least the following features: - -- Load balancing (for exposing the APIs) -- Persistent storage (for the databases and key-value stores) -- Access to object storage for automated backups of the stateful sets -- Access to a DNS provider supported by one of the used DNS extensions -- Externally accessible DNS records for obtaining officially signed certificates through DNS challenges - -This metal-stack control plane cluster must also be highly available to prevent a complete loss of control over the managed resources in the data center. -Regular Kubernetes updates to apply security fixes and feature updates must be possible in an automated manner. The Day-2 operational overhead of running this cluster in your own datacenter must be reasonable. - -In this chapter, we propose a solution for setting up a metal-stack environment with an autonomous control plane that is independent of another cloud provider. - -## Use Your Own Dogfood - -The most obvious solution is to just deploy a Kubernetes cluster manually in your own data center by utilizing existing tooling for the deployment: - -- k3s -- kubeadm -- vmware and rancher -- talos -- kubespray -- ... (not a complete list) - -However, all these solutions add another layer of complexity that needs to be maintained and operated by people who also need to learn and understand metal-stack. In general, metal-stack in combination with [Gardener](https://gardener.cloud) contains all the necessary tools to provide KaaS, so it makes sense to reuse what is already in place without introducing new dependencies on other products and vendors. - -The only problem here is that Gardener is not yet able to create an initial cluster, which may change with the implementation of [GEP-28](https://github.com/gardener/gardener/blob/master/docs/proposals/28-autonomous-shoot-clusters.md). In the meantime, we suggest using [k3s](https://k3s.io/), which manages the initial metal-stack partition to host the control plane, since the maintenance overhead is acceptable and it is easy to deploy. - -## The Matryoshka Principle - -Instead of directly using the K3s cluster for the production control plane, we propose using it as a minimal control plane cluster which only purpose is to host the production control plane cluster. This layer of indirection brings some reasonable advantages: - -- In the event of an interruption or loss of this minimal control plane cluster, the production control plane remains unaffected, and end users can continue to manage their clusters as normal. -- A dedicated operations team can take care of the Day-2 maintenance of this installation, which can be handy because the tools like k3s are a little different from the rest of the setup (it is likely that more manual maintenance is required than for any other cluster). This would also be true if the initial cluster problem would be solved by the Gardener itself and not using k3s. -- Since the number of shoot clusters to host is static, the resource requirements are minimal and will not change significantly over time. There are no huge resource requirements in terms of cpu, memory and storage. As such, the lack of scalability is not such a big issue. - -So, our proposal is to chain two metal-stack control planes. The initial control plane cluster would use k3s and on this cluster we can spin up a cluster for the production control plane with the use of Gardener. - -The following figure shows how the high-level architecture of this setup looks like. A even more simplified illustration of this setup can be looked up in the appendix[^1]. - -![Autonomous Control Plane Architecture](./autonomous-control-plane-images/metal-stack-autonomous-control-plane-full.svg) - -The k3s nodes can either be bare metal machines or virtual machines. When using VMs a single k3s node might be a viable solution, too. These nodes are supposed to be setup manually / partly automated with an operating system like Debian. - -To name the cluster that hosts the initial metal-stack control plane and Gardener we use the term _initial cluster_. The initial cluster creates worker nodes to host the _target cluster_. - -## Initial Cluster - -The initial cluster is kept very small. The physical bare metal machines can be any machines and switches which are supported by metal-stack, but can be smaller in terms of cpu, memory and network speed because these machines must only be capable of running the target cluster for the metal-stack control plane. A typical single socket server with 8-16 cores and 64GB of RAM and two NVMe drives of 1TB would be a good starting point. - -In a typical k3s setup, a stateful set would lose the data once the k3s cluster was terminated and started again. But there is a possibility to define parts of the local storage of the server to be provided to the k3s cluster for the PVCs. With that, k3s could be terminated and started again, for example to update and reboot the host os, or update k3s itself and the data will persist. - -Example k3s configuration for persistent storage on the hosts os: - -```yaml -k3s: Cluster -apiVersion: k3s.x-k8s.io/v1alpha4 -name: needle-control-plane -nodes: - - role: control-plane - # add a mount from /path/to/my/files on the host to /files on the node - extraMounts: - - hostPath: /path/to/my/files - containerPath: /files -``` - -Into this cluster metal-stack and Gardener will be deployed. This deployment can be done by a Gitlab runner which is running on this machine. -The mini-lab will be used as a base for this deployment. The current development of [gardener-in-minilab](https://github.com/metal-stack/mini-lab/pull/202) must be extended to host all required extensions to make this a working metal-stack control plane which can manage the machines in the attached bare metal setup. - -In addition to the metal-stack and Gardener deployment, some additional required services are deployed (non-complete list): - -- PowerDNS to serve as a DNS Server for all DNS entries used in the initial and the target cluster, like `api.initial.metal-stack.local`, `gardener-api.initial.metal-stack.local` and the DNS entries for the api servers of the created kubernetes clusters. -- NTP -- Monitoring for the initial cluster and partition -- Optional: OIDC Server for authenticating against the metal-api -- Optional: Container Registry to host all metal-stack and gardener containers -- Optional: Let's Encrypt [boulder](https://github.com/letsencrypt/boulder) as a certificate authority -- ... - -Physical view, minimal setup for a initial cluster with a single physical node: - -![Small Initial Cluster](autonomous-control-plane-images/small-initial-cluster.svg) - -Physical View, bigger ha setup which is spread across two data centers: - -![HA Initial Cluster](autonomous-control-plane-images/ha-initial-cluster.svg) - -### Control Plane High Availability - -Running the initial control plane on a single physical server is not as available as it should be in such a use case. It should be possible to survive a loss of this server, because the server could be lost by many events, such as hardware failure, disk corruption or even failure of the datacenter location where this server is deployed. - -Setting up a second server with the same software components is an option, but the problem of data redundancy must be solved, because neither the gardener control plane, nor the metal-stack control plane can be instantiated twice. - -Given that we provide part of the local storage of the server as backing storage for the stateful sets in the k3s cluster, the data stored on the server itself must be replicated to another server and backed up on a regular basis. - -The replication of ETCD can be achieved through [clustered configuration](https://docs.k3s.io/datastore/ha-embedded) of k3s. Components of metal-stack and Gardener can run standalone and already utilize backup-restore mechanism that must be configured accordingly. For two or more bare metal machine used for the initial cluster, a loadbalancing mechanism for the ingress is required. kube-vip could be a possible solution. - -For monitoring a backend like a Victoria Metrics Cluster would allow spearding the monitoring data across the initial cluster nodes. These metrics should also be backed up in object storage. - -### Partition - -The partition which is managed by the initial cluster can be a simple and small hardware setup but yet capable enough to host the target cluster. It would even be a good practice to create separate target clusters on the initial cluster, e.g. one for the metal-stack control plane and one for the Gardener (maybe one more for monitoring). - -It can follow the metal-stack minimal setup which provides about 8-16 small servers connected to a 1G/s or 10G/s network dataplane. Central storage is optional as the persistence of the services running in these clusters is always backed up to a central object storage. Operations would be much easier if a central storage is provided. - -## Target Cluster - -The target cluster is the metal-stack environment which serves for end-user production use, the control plane is running in a shoot hosted in the initial cluster. The seed(s) and shoot(s) for end-users are created on the machines provided by the target cluster. -These machines can be of a different type in terms of size, but more importantly, these machines are connected to another network dataplane. Also the management infrastructure is separated from the initial cluster management network. - -## Failure Scenarios - -Everything could fail, everything will fail at some point. But this must kept in mind and nothing bad should happen if only one component at a time fails. -If more than one fails, the restoration to a working state must be easily possible and well documented. - -To ensure all possible breakages are documented, we suggest writing a list which summarizes all failure scenarios that might occur including the remediation. - -Here is an example of how a scenario documentation could look like: - -**Scenario**: Initial cluster is gone, all machines have died -**Impact**: Management of the initial cluster infrastructure not possible anymore, the target cluster continues to run but cannot be managed because the API servers are gone. end-users are not affected by this incident. -**Remediation**: The initial cluster nodes must be provisioned from scratch and re-deployed through the CI mechanism. The backups of the stateful sets are automatically restored during this process. - -## Implementation - -As part of this proposal, we provide the following tools and integrations in order to setup an autonomous control plane: - -- Deployment roles for the services like PowerDNS and NTP for the initial cluster -- Stretch goal: Deployment role to setup k3s in clustered configuration for the initial cluster and update it -- Extend the Gardener on mini-lab integration to allow shoot creation in the mini-lab -- Steady integration of the setup (maybe something like [k3d](https://github.com/k3d-io/k3d) in the mini-lab) - -## Appendix - -[^1]: ![metal-stack-chain](autonomous-control-plane-images/metal-stack-chain.svg) diff --git a/docusaurus.config.ts b/docusaurus.config.ts index 6e982903..8cf29b22 100644 --- a/docusaurus.config.ts +++ b/docusaurus.config.ts @@ -74,6 +74,18 @@ const config: Config = { languages: ["en"], }, ], + [ + "@docusaurus/plugin-content-docs", + { + id: "community", + path: "community", + routeBasePath: "community", + sidebarPath: "./sidebars-community.ts", + editUrl: "https://github.com/metal-stack/website/tree/main/", + includeCurrentVersion: true, + lastVersion: undefined, // intentionally no version + }, + ], ], presets: [ @@ -81,7 +93,7 @@ const config: Config = { "classic", { docs: { - sidebarPath: "./sidebars.ts", + sidebarPath: "./sidebars-docs.ts", // Please change this to your repo. // Remove this to remove the "edit this page" links. editUrl: "https://github.com/metal-stack/website/tree/main/", @@ -115,10 +127,7 @@ const config: Config = { }, { label: "Community", - type: "doc", - // TODO: after next release change to: - // docId: "contributing/community", - docId: "contributing/contribution-guideline", + to: "/community", }, { to: "/blog", diff --git a/sidebars-community.ts b/sidebars-community.ts new file mode 100644 index 00000000..c95790cf --- /dev/null +++ b/sidebars-community.ts @@ -0,0 +1,24 @@ +import type { SidebarsConfig } from "@docusaurus/plugin-content-docs"; + +// This runs in Node.js - Don't use client-side code here (browser APIs, JSX...) + +/** + * Creating a sidebar enables you to: + - create an ordered group of docs + - render a sidebar for each doc of that group + - provide next/previous navigation + + The sidebars can be generated from the filesystem, or explicitly defined here. + + Create as many sidebars as you want. + */ +const sidebars: SidebarsConfig = { + community: [ + { + type: "autogenerated", + dirName: ".", + }, + ], +}; + +export default sidebars; diff --git a/sidebars.ts b/sidebars-docs.ts similarity index 82% rename from sidebars.ts rename to sidebars-docs.ts index 53e3d643..7148188a 100644 --- a/sidebars.ts +++ b/sidebars-docs.ts @@ -16,13 +16,7 @@ const sidebars: SidebarsConfig = { docs: [ { type: "autogenerated", - dirName: "docs", - }, - ], - contributing: [ - { - type: "autogenerated", - dirName: "contributing", + dirName: ".", }, ], }; diff --git a/src/css/custom.css b/src/css/custom.css index 5ee4be12..7d723f72 100644 --- a/src/css/custom.css +++ b/src/css/custom.css @@ -7,8 +7,8 @@ /* You can override the default Infima variables here. */ @import "tailwindcss/theme.css"; @import "tailwindcss/utilities.css"; -@import url('./fonts/inter/inter-v12-latin.css'); -@import url('./fonts/space-grotesk/space-grotesk-v13-latin.css'); +@import url("./fonts/inter/inter-v12-latin.css"); +@import url("./fonts/space-grotesk/space-grotesk-v13-latin.css"); @custom-variant dark (&:where([data-theme=dark], [data-theme=dark] *)); @@ -56,11 +56,10 @@ html[data-theme="dark"] { --ifm-background-color: var(--color-neutral-950); --ifm-background-surface-color: var(--color-neutral-950); - } -html[data-theme="dark"] p img { - background-color:#f5f5f57f; +html[data-theme="dark"] p img { + background-color: #f5f5f57f; } body { @@ -120,8 +119,9 @@ p { @apply text-base text-neutral-500 dark:text-neutral-400 leading-relaxed; } -ul, ol { - @apply text-neutral-500 dark:text-neutral-400 ; +ul, +ol { + @apply text-neutral-500 dark:text-neutral-400; } a { @@ -224,8 +224,10 @@ footer { /* hide the navbar on non-doc pages including it's hoverable dropdown */ .plugin-pages #docs-version-dropdown, .plugin-blog #docs-version-dropdown, +.plugin-id-community #docs-version-dropdown, .plugin-pages .dropdown--hoverable:has(> #docs-version-dropdown), -.plugin-blog .dropdown--hoverable:has(> #docs-version-dropdown) { +.plugin-blog .dropdown--hoverable:has(> #docs-version-dropdown), +.plugin-id-community .dropdown--hoverable:has(> #docs-version-dropdown) { display: none; } @@ -240,4 +242,4 @@ footer { left: 0; width: 100%; height: 100%; -} \ No newline at end of file +} diff --git a/static/_redirects b/static/_redirects index 109db180..607a1b46 100644 --- a/static/_redirects +++ b/static/_redirects @@ -9,8 +9,20 @@ https://docs.metal-stack.io https://metal-stack.io/docs/home 301! https://docs.metal-stack.io/* https://metal-stack.io/:splat 301! /docs /docs/home -/docs/planning-meetings /docs/roadmap -/docs/next/planning-meetings /docs/next/roadmap + +# migrate community out from docs +/docs/planning-meetings /community/roadmap +/docs/:v/planning-meetings /community/roadmap +/docs/contribution-guideline /community/contribution-guideline +/docs/:v/contribution-guideline /community/contribution-guideline +/docs/release-flow /community/release-flow +/docs/:v/release-flow /community/release-flow +/docs/oci-artifacts /community/oci-artifacts +/docs/:v/oci-artifacts /community/oci-artifacts +/docs/enhancement-proposals /community/enhancement-proposals +/docs/:v/enhancement-proposals /community/enhancement-proposals +/docs/MEP-* /community/MEP-:splat +/docs/:v/MEP-* /community/MEP-:splat # migrate archived paths to stable versions quickly /stable/overview/* /docs/:splat 301 diff --git a/versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP1/Distributed-API-Working.png b/versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP1/Distributed-API-Working.png deleted file mode 100644 index 899e223d25919d8ec5a2c2cacd2099f8731ff1ee..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 53600 zcmeFZ2T;>r_cw@$3U)z7RKP+JK_HYQfb^w6fB)Pfwd&)icobx&7hUsBY2lk%a z%f!TVKuc52fQgBP%EZJR$GRK5ljyUCWnyAGKvXv)y8Al1xH&NKOR8@F#V;Z5Oz4god=JIGE~!84SiRsRI7ealw;(!EawA+!`(=1pZR? z@Njc5b+ARd5TWss2vJEm^cA$Gk**HEgev&k%?0NGexV%fa0KWp-gp}i@JrR%i{S1; zatB{S$cT!IO3Fw{iy~zH`2>9BfB(LrjiZg1%YRu0qSMF0%iD#3-zF0#Au25j+a}0? zXydf~E*$Tu1=n>$Xc8UGWF)ZmUNQ*f?J-0@4~OkB_6|NSc3@2jeo1w}VS5)FCodcD zY~n6|If#SV!XzYga0G;fy|yVuP0G|75C;uMnE2?}d3sB!>xtU{l2s%O)iEw)A5A<) z2PS(~6eAV5gQAC6fUJ9oL=ukJb$GPg-z->|PaAlOUrXk$k-Vm>4 zgc0|l_<)(nc$6O)W-dWAG%}!&^$1e>WF*B`5~WJk#()ppu%^bQhAMVsJ3l`uGee@S zxtX)Gqcn!7qCtR5!%2oFp3=r@%BHFo9>%VQC>?WOG}^@pMxi(%O#Eb|%}q36o=&cg z>bhQj>R25#(NRVfCV{drl_X;|!1N~esu-9L#X{Lt+}*^^&c_`oC4qE=I~eI|`d9!i zYe+cY>@j#r54emj(aZ~@=4Y<&0Mtpv#X;B4#*ZK)>5Iqdqs^2tw)T*A7&+VONt4vv zwGAx1ZShz?6rSR01Bbh7>S$8%YFhTTdd4cgx}IuU-iEfGb`UFd@UE^7es)*{S=t

*#5l_~}a_O?}C}WCN6`r#iyi z)k#~@UE9Z9ljP-Uh&Hfr_8`MG$S5}tPYHxAPFL4a3W!mKs4U@ND5D{vrmZXmGt-r{ z)gpVtRbA1(Zl+kAyOe~E4#tIo5;w&-`xyCXs=BGmpxq47HV7$-o4b>-qpz~F5#AFc zr2}&^G50lcvc*ezxNAG0ytTAE{BRgoM?f>l#?Kbz?5U?>DsGIh#S@Hdq#ZmpoPAu> zZM4CbQGppzT(rH>Kr=Nw5t5Ehp3(>%BP|soT3JHez}?TxPR9i)spey+t}p3rYoH;m zE)FyHbthmj(nvjoorAaz+Dli{z{}jhMatgUS=GZ&UDwSQrcN-kGts7a<9w029(b^f z6alL$PQ+^?+*CbLs@`rcHa?PO%JxK4H@q4aVS{ra!)yphO>svlH)8`y@C74jUy7d& zO4`QF981C?ZC%|E6pEca%t74N1!-&~Nz~9HJDMY;Oug;QB_vHflvPyx%pIKVl^vZm zZSlHDIDw=}q1c-HN)wP8&RB}AgOshBF&ugp3oP2s+1TEggf-Fg^Kf-`aIp1}a6`as zHPw)gh8FrryrikK3Rx2&X^STMIGS1*%ec8pY1kWksLI&NxH*VJqVs~=K$`@uLexXM z*!qbh9gMJ8X;&9#bw4dUTG~!o%|_D!MZswpOG%1rxT)*to07=3WSFhAgpMjqQqtVr z-Q7gW*9NcegYqG(=mLE;LaAwxwY=cQj_SU4`noF4CVJv3wvJjbtTM$;TNUkOVr=53 zqOW6*uy=RDc%votwLJ;WNW7Oa8jbVyLBnC%p8C#`YF-v<<|HF8TQf9@geEB?br1*% zoR+GtgRweB)zs0*R@0Z{ts{eSur-8Bc^YV``MALhlnMIoHumN!KvOVSX%l^8Uu_)G z4G;%tC1~r2`$@w*JUldP!AnO|PkTR485svvPiZ@h2?p3h6$v*zU%Z1j+#KNzlZ5-| z7=ibkP(%w?Ef04iHwQAz9%g}a^^)-t$EkUeP(DuLMjkj_k}i%6H}I2CclE`nB6N+= zUM404TXB+yA4 z4AH17~pPo9xOUnhPYzTzrqavek@2>8m zqlt2X6Wx^kBuEaP+8Vwx<~U;*&J2tIN}y(-uB)yGW{2tN80krPpe$gv23~lgiVu#g zDXwi}s|%OGIO`)|>IgVd59vrUw~;V#L-=~T`x^K;!IeF{P~vvV5O2(!%wRZ4gqx8E zLJDn*cJq-o*EAukNlIe0d}So;b)~c&HH?rx7%6jc7r2|WGFjTqSK7oBZ|-M+a+lFm zCfLBe_4Q?pO^xlH+|)dgZW`vE9(qU_2R)<T2u;hA6wsc-q@xynu3RVN5CZ$^@jVnx4BO21Sz57B`T@n>azXS_7sbW8#GNu`tH^ z*yxhA9dt~c?Yxy$o#2|T7A|-@oSUArG0DZ(Km%^*=L!vneF-~lbC|g{3OdA93?Qa!gCAE1iWv-}hjDfwYB-5&7?~RxqV=5pfJdM~HYYeE z+-2;vC1o)7I-Y1LFF$XX0iFWBWeyjI;T`oPEwJ`Fz?o3-GSIQdYN4T%z)8a%Pa)&o zkr1Q2P4)FPe2_$E6$E&ttPdT?&_AG68vmTbTZb}u{nzu6RM!>16UD@IhDl3J*~r&w zDrsMZkLq`ZAm1&o{cKoS&9RV!&%5PbC>R_)r(!UcLOc`Ge>yD@n|?S|MfMySzi~#vuCHF{U58gGO`wOibHkJpyY*nAbNsO^DDEf5QHfg#u*BI37sZBI}ti^WEJw@k+u>FAGh? z?O3+g0<%|V4x*WuwmE+utaZ9DE~Tl>JV@rF-Cu4;upFj(eLbn5y2blBmcs|`iG`Xl z={eXPv@)R#`o;&5!eJ=dS*C$2mk@xSH6ciM6)5pzr zgGD9gbz=U?2nW8~!SzmIYpSDK@76K~x`Q5RHHkY<@O^yoQ{pcMz|-bPh6HX)Au421msUhS7oBX=+@^I~>!ZV8qHcp> z5;`YEw~5+h$sw%ePLHO%mpJzf^X0RozRI?!bJ)&c%$=Clw`IY%V=^HKx2`TA|M6L7 z^#17E_1h$b?gzsh9!p)l4GA`MgUxJU;Yv@F;tdBirKFfgPS0;{3*3xDDe-k9)6%v? zG`C3z*P+~2HWd69X-v#q>`IAW#9d0Z^?j8iziPbrZA$R&`nw^rLg$;**tV4*UmyhO zkhEiJn}kQ(Byc`i*ncAf^DokvSS0vDkg+x`9$Z@@pBKCq*h+9$WbBVSvV&xxksQXp ztqRw4nLNM9?(Dj=MZ&pl62v6NxpwO&+5bb@4pw_jCeMrilFBgl8j;xcATqM^p#A?- zNh>|u4b<&q^O%IxjtMtsdm^;?A@u?8S7(Cv|LS_az{97`;sXJHN+9Zcau_V@JH1{@@-2)!y#x%XZ4)8}kN5A}W@tzVY)7@w5X&{5zq{j(lI!#LGzOhe z{P|pXiOk63Gz@a*`d47BE)`U>&n)#24vAtc{eH#bi~D@MN0a^Wmr}Ct8nVBesa&>d z5~vj}lC6Jqc6;Lh;>6_vVdGrin75~Ycslg)^Y>wb$zw}>Wb5T>4s1z!yj6D+u|*4? znI7l0hnx7Yd}F@8FD+7G0$;gkf@r$@r(`ymvA+4H?OC+pKGBkAJx(csyS3|LI@&lApVa$DW6mH3cmd&b;5lORPQZ{Z+|RTkv+(?^|LkjP<2r+VriY?7XV( z%E4oK9)^oUc-lryUoeAiwGnkD0~c#-GH0jh zw)Xx|(2u2FZ!81((`Yc}=F1vR>)z?A^_dy)W|agl zr16&SJcxWpQ`&rl;_=K2oW}KyQ&VO{D;EsJFx;NiN30&MeRWb8f&-Oz8h&G)DElkM zu(y-8Nh1He#aYH#@nct2uI+kvXO&6$L0huXOstqFtJK+M`&^uDeATugKLivlz$-R~ zx;7%SV0XH1ceow&0rQdO^+#3nv3YGgm*SB8cX)h%>_9L!{`e2@F>wcP%*}ApR&H@p z`I^W0qF-6lCrqs_L@7y*4aZbx0%d!bVqmb&?bG$1K8_8Zr}L|gtF`S>Tv2Aw*q>8U z1Z9nhKSKAc17CFy zK6WA043~%J> zMn_SfPtPic(fRY|XD$)^>Lsl*MBk4B_0M2jp&`>-Q7CRwOz^PYtap@RC1bksFkO{* z?IGs}3iCsjvuu_W7X8^z-45}V70qp87~NybWs|Qat>211%3`n|O6sLd71UPfrE{2b z1VBDDt zIRb4KcoX?aYJvZE@ zEu1Umf4Wi?9eHv>-s=A@J!(g(3)el9o<@zGd*qb%06sq(+p-=@5xm8BuyV>l%)7^} zuwg1bYFV*^%At*WRhn_dt)ONjuT7WirOh1Q&!5idBev@Hag%$0@^ZGxWi2p!vFT7u zWBQf(ZL|iPuX;E93U4cT|X&_7~6YR7|~R9F=g6t6uRQX3-af&n1?)tt@WSQYlP^< zJWsCJJ&?W_Zn##YP#FMh6{9>@unpLM8AeyiD{|$eB{(UXf;YXz&W&@M?7Q^lA!o({ z>vNX#^z}2q3O-$Uy;wd|Rv(#5R?JKZTE)`ZsGF48)@LQl{r-gD4_Y*fm#wbsjXwQ; zqfQ$ZDWA;1iM!E-%d32=$d%;%S=jBR<0fmdJ3?2=w zIQ&Dh>i*^0`%x$FX~h?8Eq(_qPWEy+&X#aca^VDU&m;t{Rr+)kL?UB7-?tMhF-dJw z>ctW4&u+^;HT!TK?6AX+!B?(5<3CuNkyf3<0b+#an2^P87k8SF;##q4h^)&U@AzCj zRm(=v0w`o*MFEHCbiFOgwpHJ4g6%XoxRl;err*3BVB)sC!l#tBG-3-9LLBgxmDu3(;#j###G?rmX5gNkJe+SOmphG6LUkTz(-XY(VdkZf>&vt-ei4Ybp}-a0wcBFQ!%bHE zt1Jv~Qp$Z$;|NZCc^^a<2DIPB`1L?E`*`(lua!LPO(_rxPOB3o&28JBG|1IBF3+ zV`FUK;EstG+>MrRRSuA3%Byz+x9ZGkAW09AaPBZ&R6(Yo2XOCp?3gTS?GD;WB)UIh zBDI{Gig^0`e<}OLWo0LTxyK!nwEMIl;XU%Tn~u`Z=Q&$EmgAENAq@cXae$j~=icYcv1v_!T0(qr+-)e~e9vtnm3J zSlWx*wk-~Bkm&lLpfl;}Q}quSANR}O2BNsmmcMj7apSluwb9~cpT1$69*P5Pwsn+) zP-5@?H`PD8h%t{zwm`FUz*q~XXZzRN%>TR1bW|s#sQAZl@d;T{$A8EEYq}vtow7R} zx~Pp`K6`(?keT|J$aMTxU#>CdRPGX_)ih@o9=9R49hGkT zR?U7K(z17eW6V1*c_QK5{EkVF!QRAyu^n6&J}Qt*G?MK!v<}p~sPBR(D^mqAvRtWD z_)XnAT$KGlfp>9So4$lxy>uIsRP^6%CNnU$s8NY)DYH;w{jeSJPf%Fa%ncN` zuP)u3&rSAgvmFSwFFa<#5#HAkV8n?W^)7B{^#dfSf}6V_r4rpFVw(<>CKX!}m@B_HWnt8`JRVh6LKSjKANqeszbH614@6 zt;&ALI6u()Q)WBr0jA`x78vz!bqorPz#z@1OzYJzT5otmyov%E6RUG^o^(?eRaN@Y zdus%==HX~C>fZ_qOal#iD79lLOpCf_6tYWvfbAEb7!6OdCPV~y-x=K+0j+sP0E~i- zOTZyH&VXm1z=$@SvuU-t&GYep402(f;)uo^YJ^Op=51g?B{DyE9)WYOjvQ>-3U{G3 zm2|);yML$c+w_GfwXk#v3MBC)-hdu)KahmI!K1wMZnEwlv~DiuE6h^&gA%*WLQhQTU&u@PGJmf6vSR|M^&T zHm$J#Dev7lUMHABq$X3cpd3gqNGpxNzuR+=|1==Vl^Hy}p`Ujy)xu&k|7*@Wcj^(c z4`g`p52QO@_EKp-*Cz93;k_QJ#j7I;ho*v|oL%psA=67v5>rHwnez+!qT18RCYbo+ zZMUm1;calx!L{YLbewCRVuZ3?`%i0<>o(dABqW=eqy5UU>JTNaG8X?Ja_X7Wjwu4OE76T&caoQ+^oE(v|fzXE5A0DHq&v1 zKmxh;$o0)-+AJ1*KvqT?BwWk;$OC;zC_D*cx_^^@ z|42Fr}nCfOmhEUoLGT@zTdoeWtWEWAGxdG0AV_ zN%EtBRu^jN$kY0LK`ATMg1rFom#hE*DQO(*h8*M0W)l#EM2)3Dtkem74D;*33C6Dm* zejaSf+b}NOd9^jOBQ|dnm*uy#KEUYzW1Lji2=evgc2J@;;8I@6;Jq1M#>$;5*Ftv% zBwPP^+F9b=C{ufhwlTj+>^UemB|c8W9qjxGgXNL?Nbx2d!CI~|7O0B!oCQMu z``t5(dBK&2mm&BfuW3|~u{s0(D=i1=zmXW+H)%BrrRSF!n*)qLq)gd3#$e7SeXjDy zF0sdLGe!v?pGZ2bDZHj0=mUGk(|W*oG!3qqH64vr_`W;i z;NRnRkS<8gu*ee`J@6K2d;n`c)-5>YWfSLgLH}~q@@f-yTDS@%^VXZ}m%?18IKDHA z2Ct3W_@@@2n9)kVzSLYc(8`%MOX)1{h1H(^lOr#>PGczSurFe$CVm+$lsCur^b$3% znt9dn(+{NK%lHNAHou{GrwL_C-8eBa!0AdrTC{DzcjC5ncoRrMBI?Rgd;MoC>AF9J ztyi^|0e9+(dF@B!i(yR{U0>CYZ=a zWhBf(7|LdKtZkI$vjpD$Uo@8bejKD1pKSThm(r1`R0w-|55KiKO# z^dLEvg?W{4hca_Dl%)*f2#CdLO&LavBzj{~h6d;}WIU9%Uu_v!Fnh|PKu=(S_f;%g0}$lq&YDX*MmN`I zm*ISES`~#Qe0MJ@-qT{vR=CW6`~sF;F@|bdF?cLURjA;1F^!(ehuY152rT6Mz((H;te)G@4+TOdV7v`T8 zOfQEQaMUDZj(oqEoinI@IP9Y0%KJkVB?4zPrHi{=vsX_jETkSP1t?4Fs3mj4tNx9c zXVTwklRLf4c%G_qh=obA%l^7k&D&mqtQh7O^V2Y_+5CJyvZSy{p(nf~OQ=1YN44!_ zT194Z&D8?U3mv^?0DJAj2F-KOd=_e9pI>3_AE4wIc&o0)`UU~pSQ;5PW!FDzy*VFW z*a;ph4PMC}TKnl!fCwZp`qhrI^zLu60?HGTDXU)#dBUfyYa#s{*$)T$xv{OE7d*B7 z&rkC%?5Zcz)-7qpZOM^=&*=(}=+@=yiqm-vfZ&zR&3Q7?$+JAFdG_P9E(YB+@pU)j zEaulTS4v{7J6`r^1x9#ml~%se9glNUVPZJq=CLFFhZ~t$;^N0x*oXas175?TIT()kl)tEFi>9w0vr?M{|rr zt|1b#eF8_+1aptxs8)TD7wwz1&z;4{RJH(~gG`r^5IIzksu;<*WlA!#9Y6~07LUQ(_;=bNY{v^dJnb(^sLCr{419msLWVBaxDd! zh&*PS0@TBrb)x=2pups@y=zmG@)`r#=K^{1u^Y4HT0Px@uNm0_m|NY9@gQaYfqov- z<>TF)CR`7+{!TKFT( z8C`x%X48Ex$$%69J9aLA6S}4B^X8!?Fmsy%#z046Fe_u#k$4{epotTim;%kjmb%?Z zao^h43G$d19H+__UPh=TDQ_-v-i32ROrZ-Mv79&`s`UJZD7R-0VeWGn^%~rYuarOpQRFXNCD=H863uyXws{vh6%~Y=d$DS@Jt_ehvQe= zV8JKz8Bbl4$FCfh7r3}X^ZNafxJ^@7){HbK>3}ds>tXgsJ6mq;>edbYT&<~ZLyy?s z3RXR|)~QZg{@~M|R(&n^{5}0C{?ijQ(wf0wtf>1YNkT`uM+|e|b&p(XMr~j__IjCU zE`dGYxSS$o{s(pHBAYIKvcc$&zKqG~N>WC=>MyKd_i*;ji@79@yv>F>qsiEs#PJ@rgncjX66}UfHDeB{$~1#Wd$!u#!x2Us zQJJ-Rh2RBdV|h5Hee;m#MOxF!@MXMrYpUU13gQuuVykW{o}FJ~5ol}g_?)<9*?8MH zUtb6Ys6-?WswJJ{=tSD7Vr8GT8m2`qlf)K;t#Iy}sCD3t{&1go6NPsq?UVxwfqqW% z&OuW@1+BHF99+nwDP`ehi9>nF1@-}K!01jgkRWdqaDk@yKhS!!qInFp!Ss_do|73HRp>S#ks zZzduFzrvq92Ga;f4@M70t-M6rW>>4WzuK6hmt%}v3^NISZB7r7?cvIU4_R2-t1!31 z9#wzpA3v3}aKtoFwTpvVeI=4H4$I3F4LcRxAodOO<=bNuMRa*%b0c5g6v%SUwm-|aSAjxBrCJ^KecdmT>Sh5R1 z-}C3+DR?41FIFq)r<|Jgt(Dsd!_9RHIR@IiY!XcRGHW@-ks^d~v2ObW9S+i-7uzFXDRK0vB?T!w5)rEQ;fmDgJ&@{c2~ZB24@4`ewWmihFJW_!b%i=gjCos zcjQ@uT^Lu{_nFF=QtQMPEf!$hpNFxCCPnC3_brSI=ul5AyqEgisOG61xje={LNSeG z5lAxlcH+jSWhBcuF&wk@S&>boEUc~WrShQBET3`S%Z$M@M^rW^VYyie2Ln$C`>eho zv=KjM5rp43FW06T!VKq9rV13;grNcyx^9Kq3);pnvCX;5m13yb!EY`CbFF)>NAyk% z5LGk<{o(z-b_|5PKsu^tp`SOfH8sIiK5xK(G^W3Ye@>N71N9v%hVa*EWUa+;!<3C- zL3-GkN^kAOR)5|b8-*oAaJEz$$+3$cjl5}4b3Rq`T&PzbhbSdAv!5GYut{O$8ah%~ zbQW{VqF7TcTCaXHTRYQHo>Pro%sbicl9i0)|EVhdvUY_pWTGvW=UeMWGi@BE9VUKb zTPhCrWGX>SOF%VZJcO)eh6*ivtr{sN(%vder)XXCqjS3meP#m(*F=8b-t^j0C+Fo6^zMKy9oE1+e_iFf12 z9{OYUy$k2u+0My+e^D{9aL4Ps;sVZry=lShnVKZMMT3#INCyQ1%ZT6Xyr8<`ml>iD z_^2#GVHYZ`CtDx0e-shx+n78WUG@IaSjT#i!fGDs(xN++$1>LJ1^M&=c51a2b(2qg zZ1~B9k!^C&k-TMG;Mymn*~Df~M|l&Oxz53u^MMJ}Xj2NRi(K`Go53U8{>D{1NIUVQ zR1;su7z`aKEIcz$6Wk3{Vla0@OS5BKJnRPhQEBQP`g;Cl0S@ZIE9qRWtg}hUE$f{| z3G91}y(>wnS;+K6t)oVkS#PB~iRZMa$!kLoyCk1j{<5I+AH`HqXaN^^NrSq7EG}m^ zq8ebo(B}#}xGK@u$c80`MT*yXWmCIs9?ImWXV#MmC06E*r`!O9w0d|e+Sj*^n~*e* z92tWVe<=yJE~W{uRXC(L)3El8&i+m8GS`~z)n!(SVAja3DzmouO#1SzDTV-}s0zLu z3@U~L-U?2-BqT&+o*BzPKaatG&bDHwwxMXRVu#W>usB84|!Ia4( zV~T!;1QyCxb+nQei^2Eow$%;W6f=W#_DLg_iLbnORj!!`9Ko>5oN zk#}A_EM19jbWi(3c+$MU!!K6pjia1{M*T&1mVdIgJyHCbBWWN6a4hXQVl~q6J5g;v z?0c$Bikqv){(ms2(T(+pg+}&QOKk6|0!Pe%6`laFb5>JCGUM#KJt>w#@A@O;RTq348eC+4it?7i+2jg z%|G1&z!?A*?!B&J%Rocv zQCOK`Kj<&FWVTgz3wV5u!aQZ1;dC^6*Oc8OhpPZSf@(=m80|Y1eMq7F=EwgJAGcJF z1>Ws^e)%KsX1?5xBWw`1cat^Wv;e&uqUL+VJ19E=72kEqg#79TB)F!f*+nw(2KW>) zK{U)9+%ck0_R``5_#%bH%x>C?8G8Hed8NLd0)i`-XO@uin%r@w@^c}T-2NiuJ4}CG z%9Zl510v;_a|(Q9LZP>Njy#*0?m`sZN4CeDp&y~{$A#2%9#+VZQw{NJdt$^63br4f z+0kKE{$fjZ)2w>SK2r%68i}sj4>#``-j;qhh-2k#O*;GT@`TPsHc%(7`H%^hV`*@W zP|H*A!}1b5lkTPS7-@dZ;A)|dC$G&(-;5k@JbaCZBoNC2N_P1)L!>)Ig|?(E$J|!Q zy`B*Vl78$j6bEB$4&<+#{7_4DVik{+jn-xcRq^b6?@r?4k9PGG)V}84G0`6pXjp&O zP?xQR*YivMZnJ;`KkdpSSstU3wD>~-e9Fdt?LiTG?>0x7NQBy|Oo!^s43_aoq=VT` zk*eFjVSQZ8U(*_2L@5CQu(0KS>gM0ICxStAi;#?`(h$`8Hs?WG3HXz;gZS7|lc) z5Fx~E9Hu_~714j!FhlxUsqf?65uU6pe9f_bZLvt^jJQ+_K0OP1>~TW0!F6K}O2gWR zDlSFJs8&cBAr65Kx@*|rg(6f7wVuqsdRb>@Es}+qeVg1JhV^=v*e~R6YKIqV3BAu^ zs|1nsz$!l%f7KlW!c3BMYmcn6INd%vCX{PJeE2pK0#TAoxkSFm8H&{-frzO2N&WulTPi- z5t~YwOCu+d(P8lTnFb;!^$@~EOT36VTJj;YNBhL9OXRbNk<3}?@8pRvxgu474Kt<+pdrP zidXyJiPy5AQjE6YRs7{*_R7loz7?p^DEn2JYr)m-gS}pJ&T=MG%4d%MeH!7W`={c! zXZ&b#XuaAdti}bK^y%l9mo6L-3v0Jocx!${(IvIK z!M&jG#Ab7W)Q$ttD0ygTXa*pPGgG2l2xkLgV2XC))Y8PN6e!>=1}#(N!g&=fxwOqS zJb=bid|r+ZCi#R!AV3A5#`VlrsreAjX-HM)-VP&jk?G9~skya9$IY(opk+4SS>0## z`?^rtX78xNCjiG*HqTbRm^M=<1B+ zEX6cERm8^BOFUWwb=vc$qV(eLkB6F;%%lq#o9pF(inGxd=E>2NM#Vd7*Rb0*pv#nn zr|qm>`X+?9F9R^H)4k;9?HLfR)7Al8INbqS7K9q6-?UR=D!?908Bkq@cZhZKgS|cEUPrj# z>H0|hxMyC_Vs;gWmVw1v-AjMP1w}t6lrLQB23hh^h0VFhbwebSo#+D% zBojfKe^SbC9F!e1Pl(^c2I2iKP9kl+Z?<=?mRHgJ_^Zk#i{(sg;1^)gb$jA= zw{n;fzo|n&xlDQLgz71cS4*tG7)`5(@v~O*ZyUiu$AoWoM_w8P(^Vc~+9#!|mZCuN zcVHv_SvT)Q_$vsD1}GG-_wqn6O>T8Ky7DeR4A)2MT%3L*RsovBdgH4W_-T7KAi(0_ z<=;x=nq#IVP$vk~gEvo|I3zQCSh1txPvhjS9RHcp+F9ZCyr2}~MYLTCsl(jR)>hFx z_gqORdfXnBLcLwP29*-Oy0F9tCHITA4NqrZ_Oj z_YlM$q?-TTF`;x|V+0W-`8%$-qJ|)_Fx^=`K*tArxi0sSml>}Py#gJ8-Qj52xJz?m z0A?rU1=A<{j7=?n@$P9GzYvJ)2nLYCfH#zOURFjGICz&uo4w8@R1>qpvt>dz2{lOR z_C%+oBO;uUvYRb?n1%ix0zw_E3cA>5+VsVnXXIt6owCkiP&?RqWn$GrTNr=R?TP6f zi?VEiVSeN3@oUkB?1gVoF?U}CLtTd(oEd9~FvD5DCjX6O1M0@2bMjJ*YqlWM!o@HM zNejY$r&-5f=Pj)>CeS8qHoR-icQW=rrVlSHK07|ek?nc!d)AkV`z|R3XRj%P<4U71 z${JizU>nU-(^@BxlpJ+9odeTt765wZmJ)W;6X3fjoR1VrKzpUD@Dc67XdcEDkPW1> zW%Yl05#0JM(p+rF%CqJeT`_R-%7EAUOnKh=yFCix;vAIf-#~hQ7`4YDlxDBMFuJ$w zWWQ?0h1ZG)wH#*_`g{Bfb?&V?AOQ9tAB#NL0b7lQTUlnU3t^~E>)^`rpSMpX_8Yzs z6Z7|1GH(@QGCf9pqu8EoFc^*bg~P6b20@3n$aaomqD3}&F(vV-G%oHG7uTHN>)n;2 z*XhF^g&~219u+FZuO!4&d+aZ>nn9M{;oTP1f+>7TV=ZY{*2Fu{2dn^#czz|1aaNu~~U zvcG;+I&!iYREkK|AFoVNRvNfBu9jF;Fl=c!&3Wh7;J2VRW;c~i|26d*zo@vX`r@r?$d4OsUdB#lI(vbG`0o_T9k2-(OXhUIN0q?L=5#C_&!IE_6`q zJws5QP!t@4rM-N92v_N0K+Atls92be0y^+*inDS|eN*!-20QNimgl>nzx&0v{S=%S z&$y~(wJ@v@)@_ULyJ z*o7sxj$3@@rFW1fGO3gT9maaqa^yCn5?Di~Wofxyp#Ax;^u)* zAxf^0>%&z5on!4HQtSPhyfhwe?nP90>Ab+1)Q&;*^|)|UKi5Zp){XdWcjg)V4`1`* zT46W#HTJ8wg3iLzKwHGT=25@HV{4=OQzB;blW&l*ALnrO!?mJQQJ;#xq{a3{d7*Rq z1h*}2nYCx%{rvhxr_z)uiB5du&APPL|BM+2>8FHW)lt^en#|J?)>i~*=HFY&Q$mb+ za;KsKS&3oW&oE}-9(xoWKiTA^_}$^v*T@x?mnkdv3m)=7{xU{nm1L6mS~f`DO~_0j z*v#5R@$uFK2Kx?=v2S}&-_pA;3dOzZNLdVeoqZMk^whofi;*Ti=z6ia40TAo4xxjR zj#5P;tq)z<8&}8MVcLBjqrda;*tyVGIUg;<(!!-pRCFwJXh)Z#Er%^W1Ux>G20dfk zV>?^S9mw0emgaZL*-@OhoSTo!%z}lc1j|1c z-CPA1MA*iK$sA+ONobI;smt>oj9HwUv_Zd@SpB%B?O!eA%EW959CuQQuqUzLllI+A z++zHfpx3yo=*Rn_Yn)?I!sY2BPfA+PK>qg)ei|msQ0Vmk_3B2!Leqlf)kQb`#4l)M zU$*#uNv5+JkA>*p3Fv318X*4%6C;u82b7+Lvy{C)Nal|a?J#45kuo<8y0JcCIJQ5a z=Vn-h!~Y_S86v^qLzJ~sb*53o|ABcsazBC{yI81l1(@2xz41-aIW6rnPUQx{nczV_ z6nXDbv{y3md-Gb34^)(#xe%(nUM8U7)x!Y~YxnB&Z3GCqV?&}$VHiVeA+T1i|7V2k z#0AJo@%_Xa3yMTrx1+jsvF{*JQUz7^u@0+V8+w570q$a-~eVzQRb4lY3P(sUnpSo@;MZU8K>k_?s!MdGZePdtiG6mT3r*KaK z>PyNUd!Xsd;}i!&->EUnH0GWT%$P4z4Ot71Mwfj0*}e1ulkn|1f~Do0UianK_c=YYY^JXWfZ)_- zp4q23Yo~Dej&HD|EKz(9hkCz!8|90RG%RA(187CjUg|@P$)As3@Mm54zpAjtz#~P5 z)DvBinIh33Y!dg|QGTU8G`25f?8IJXE%wiz_+Mk*QFXPM7A!A8C}?rZP*X5_)yARt z;Tv|xvn<*PsJOXv80kc#xH=FyJ+27p%bj@l1+PThzbllFZ5UbXwIEYBJY;l&O;_R@+uQ^%uBK8V~@a{2RF!m2v+cJvnsKOov@&iry?ZnN(P?nb1ZdB_)fdekIB zLGVdHVwQTynrdQ}G4dAi^;2FGpM6@wHpf+-z45c>5*sx7sO9kFGMJ@qUsqq&!JMhx zYPEWYHKUXwyoFII(K-s4_H#<~vzYdai7K+@4TprwZ@q{W-*@&Ox&3_cT89VBGQ4XF zZ@kCEXXkUf3#@!vXKG7h)0(sdc&V;Oo^1k<;27p?QqIVo*glmO?Z>wcUvTF!{}hgF z_b@R3Un=&rv^0D`K*iDpNyo1ql1_~|eZkwAnD!Yg=!nb_D2VM7Z#%JzdHk;~l^qLl z`pEulQ$X;Of@hcZgronKIwhF%Wf`#j)kcYAhqyY#!AirC+<9k*V#B)gCs=ha(VIZ1TJ7B{obzM764U_u zjHU!vZAF3L5{t=X-$AzGg%)&qG)A`WQc;@$K1;V2G@APt)0cYIJ)vlrJp2eHTN(Tl z+#Wy%t@yXD_)i!0LAB{yz6)Yiy1h<_&18OY(wb3L4hoU`wkndrwF;%+wvdmJVhpJC zmJA|{vfQ`bUsB$+fU2ogN!Y8pL2KJE{$6lz$JDE;HCJjwCv%n#s-k3;xbjw8J>idgD`K=>M;ex z2onl`ZT_k1gI{yZ3wy(@H*Cq^tf6?it^SH9b6WYPLT6l`@*eJC(Xz2~%isc(t|V{- zZGMwYN-P8MMPC$JbR3FU#jd%73`x~2sB@K1M;3tuPzktu;M+cZsQR)OLj887flSbs z+=}@xGf*hP-2TKVc^q`rJI%Hl4YqyQCpNX^*FaUoLNOG=Hz+bTs*=`D|Ghh; zCT6hheB|Z95pWX@L$ep`g%POaI#>k_3gooLt7AmvKT&-cpcK9jG#H5gPBIJ^d3{$7 zTwBw3rGNgon2J_NIY^UK>Sf@H+D*K{LuEsEJ6r^Xk_X@yf|8`7bH{mbF@0u!iLWl_ zPGLqlgYPKK{5>xGlYS@;8cm(NE1maU@HO_nW%>O>p|1|#Ejmd3QVZ<8&`{Rh*Z_Cg z{`LOlGN^c(b-By#kl5vMqo`M)M!kIoSPdVLS=uD92U0r0yZCsPGJON{VDF%xOGO*7a{6O?ViO8&sZ*m8B{VL`{J}t zReAP(bDR0+}eOH{ChPW6o4m9m-EniuH87W5tdcQGnwG)rG0sK zO&*8I>$%F=KtlJ$u-Mx1{a3yxHHvK>4DJ1UvM$TM53bJal0J;HD#Y5SoGAC<;$^lx zdl<)!iH(H(l~2Y;gjbCb-0}q@f{Lqkg_;YBn;EU@(48*yq2PTY`5~Ndi61hd`ljqIKy`{?7dy2{Kx=T`sToDBe?=8 z?RhzAEDD)kJ0*pm9gg`lR(aZTwzeDat#2?~YzEw3;|-O2`vya|-;_bu#zgk;#t$|J zV~^ANL;0_`O7z#EDo%LB7tsDwb#|4v~$^sc}WM)EXpp@z;U&*ms zW0mKJ*waUz;zSweypxP5W2tv4oZn1jWv@jWpTd`=U8*E#M{4wMgF9c!wz>^Mb{_mK zX4Y8*N|gOzy40eDl9a&~v13cM{6F3FHh>OA@BDLEobNEsJ%Y<1LZNo}eHX}@ZVvvA z__s!7Z~gF<+pi2UvVr^sFZabm5tYwbr)s9qOx7)z@X5s~a7Ba|Mil+)ivmnXKGs6f zW(>BMWi#?$PFW#_c9$A|ud|YvMO|*0m$e(?oCU4+6GZ9hG*E&y+IrsCvSiD>5FNgM z;!Fq>)qqPT6e0zj>J$pB9u#16YTa$cMjTE=+&6&#b5I@_ed;jpW#aXnC?!(CAQr!( ziR+8+WobFTec&!gM50J+dco1rg(J4^G`u{R1wHeG?$r?dc#LZov&}!Jy{lPaTwT36 zFs$;W+b(M<%a6k>%pBVe^N%;M#Iumg`XzrO3gHg=E93rK1KV;P6h(WHceOE%DwR0u7~Uq-8+p~~*&e2Oqq*x9%@|Rn90I#f zV$x9nF$rZSF62Rh#O<5UvNU*qdd)39ai)A2nN^*aJ9!=*-l%KbqO`kygh9YCx2yd2#DSPyW2apLrNFgluX3r}XHT=X?UpM|YDn zd6l=``xJAY*~|0g#I9+Vz0lXX%m<8{^0T5CU0kHsi3tGjLQqqm+=Rc4W9_)f=qJN~6X7b3Hwp*?0Fb^d&ai zI!_v{pDVG8@7~^ihF7F_>PI43E(QCV>b;|tJod|izqY)%%fs+Dd|Mm2n?qO-e?0jG zq>#Q`Vxy;OqZJiNl(<3t>ma&bbAj8I3gmVhzqxWyb?pY(xZ;PeE=Yl|IO~U`{l$3A ziY3PR;uFT~PVK{m=? zDVi5>hEFd5u>4F+$|9_`cz0pTyPUZ7^bq(;qT%SR3)C;-|Kd&5OJn?*n>dp9nC&Rl z3N#2SX?0Z8^Sft%zi^!iop$i%0qvL-?k`CcxOeAORD*x+Bmz^%A!)AnJ~tj8>f;eT zyE{v|i8RM&~=guq~vP>xIR_0UQ+NL zJl`pkQ?f6m3s~;#8TkR^iGGveIP48u#S92S$3fVCy{JM^v2d?)w1p?T$%=_H)eQ|Sp#|+=R5kEsc zzzs&an2}40`wQRQe~Z%(0f1@d7gS#|qjA?G$`Oz@06pnH!-pwgzAS8E%bMM>*tiWvX{ch{bE=|{$OxLV#Cddp)@xNkT z+s75~)}Of2WWObjA9Ak*902!bm?io9wlkeQK-j|Non&-C&kwGcb|)oE^q6y>E=LmlvuH1lXtZTNe}@3_-tk4NFO zU?K6|czM(oaK05_E!hHd+o#41a~*G5&=e~NYpWf2Dt48fGC5_yAv1aC?mo^J4V4*w zwAU3*=Nm@vf3c}4$RV?bQa9LFok#f<8@R5s01xE#^vOL_H=mKp$|fuB${Z1lc)W*l z514_l3*|2!C_7QFx_{Utd`}YYy`S{1N5MK9y*L>Yjs>gcGel6(RL;y)1V!W(<55aA zxTOS*(N>*$fk8j--Spqkw*#N)Py7_adj3~;Z^nID?NaJ0TbCXIPli&ui_>{|Yuso4 zQk~lmdHsB*-s7%^BprWv%Ewp>4Be1=7*YYhD1yM0&ZfxHB(|b_i-_`SN&6FVscJ=9 zq%Z9(-+0!D#go?NUi;4!a`TkMB1`9~?>_&)o$4FPDYEB5`3uM%b;Q3P3vO<#abW2r0Srt0#M(CZn*q1Hv)Z+vD6i4XxfI(KmmDhdZiX|#{>REY%7q(C3fNhAg+6ci-8>AgTw|YZ3QJ4LSJ0+^#ge}-(4m%&&nNgyV0d^uH(zN z-5w^jXl`)msP6$D6&Q$Fg8DE>uIt5qTafth;^q}$u)33i|su3x$*bL9RkgRL1~ z5RG(%OM)L_09$ZYu7Sm@u6D3R*WBya*ryEtTPdkct$R;J@?C)7i@gB8IOf>hjf<`T z8UIwl!eO@oR8Hx9v1UiR87u`h*bq()5%PH&i?v7$w^;_y{T$s#XNyDc?u_oa`e)ks zFY+o;@rSOkYu|(7@I$Uo>Lk0fvZwhy$qbnnVb?3ii($qt{SNUd$t5WHoYDwJ+A+g} zD3!+!FNr)uXG$Gr2@b93()q*Yw+`)rL$lxzell@!XU>j4l}Vt6=Iq$N%o&eP2&&$z z$ss3y;9Zxnf}9h~*T{wSBooBk4?Ef=PEaW~b?)lMb;Sj_^b3@JIktDi2mvl-P?H)~ z!5vhvlHztdM+@b<&eclN_35R7neEAr!&uz2i_Str%E2I$|DxrW%5KiSA^c&)(QI2n}yoI6wOKCw%;x~9rZB> z!=adb3zm#yobN$53wz}LLsp6uGG;X6d)sl@; zU&4>ia(4{D+RS@?T#PdA5nkZtrs~E_c-BtC%cj+4J>ipFp1Q*k6rN9wI1DZ6QNZRn z#tcCOT{3|OuWE-p$&7M@Lq+D@+ec#gleez^mi zF$pQHRg_^nT7<_8<%-@qBEV{yEGgMGaqHnI6O2MF%x;Rozzz^&(qd9*jnLXw*VR zkuiR$cYSU%Srd&401tPhZ1>@$&qaM1?|Bk|umc$%P$QH}?4BEGQ4*>QH(2=m5k<%w z5RU8XUAJw3c@LrFQKdO^`@kM>=V3T&Tmv(slQ2cZI5^F|igkIi@I;@v;z z;{W{{(76eo=JgkoCUWn zR)wN>0Kn^$nO1mcngQTx&tlXDnMKu4voM;xT4HIb1lI3Um83^kB$HFm^4lNT58KWe z$bZx(>yo?Bw{kvH5k>%8l8~3vR^b>*?)ELt)TW%{tlKT8Ac!y4gpl1=9UEli#h5wp zG6aSLk8-Bq=cB-U4PA`;=)qn#!H{`EU)%mxYqM#{MHm?j+Vvux<4#+i0qxnkuo^H} zkAUGqvvxc|?Z?V&<7Kos2sFYCc#ROy5*kI4v9|z_ZbH^xEuLsO7>RWDC;{bvK={{?)GyK=f{{KAuB#EhCZ7FR2O|t?SNlGv? zywb4kG@YC;pUVz;KDA#&P31XyfVp;z_hJCP1{^E<9alDpI|;4osEW+R%fYf&a_CU` z`=G;h@qGJx)1sSgkHn;GjkvG9B<^24f;si;j1?(QpcsHoZpZ7N^38WnZo1QSiBLxM zd)WVdz(}8_f4|9r%Gc-0gpMPA&yiH(&S{{BSc|&%8vcF<@W z9C(b6X_Iq$mpr6$dhtJXpK@kGBe3`#pXl_{jH9clocudbZoCp`Mwv@;KrWJ5$lbzu zV4iOJFU0#$$Re1MS`O0`fm3fa0=#_|XyQs*ZYTi|rHH{qjj(8c*Q~r}YLI^00%cSd$&+D|Qck zx9FPo#U9bh1SD#ut33|*G+{w47CDG^BLX`|DCbuFY_WbmGW+$XuS+Q0-9UT%oOcC{ z0mj>`9qi0AD1I!)mX{2Khwcvo*7dOe2#ymEpv-|`_YQ?cNC;kT;;G7zw)F7CYCbA0 zQnp16UxeKL9H9rqM#^{k5T(TznI) zb4T-RNlc<+*9xRMMcq0E-=>I&kKDq|6u%r0}Jd|NKK;6AJl|#kQXUP9<*+#0IF0C2L_JWzO;*5aS9)RT1M1F^$O;> zwBP_2eR{EcoDR+DpkNNKUK^^{zDKeQtoLk_>|2$D0>XW|)<3F3I7NJF4}Noi9KzMc zG1<@4B3t#2TW_D^AExFgg;dyMO!F31rfY(#Ogw9A+-GweCKN5JxplPFPD4{|9o1h= zS}VZs>IUI~Qr0)jiYKLWr34nB-76EYUA(UVKS`Gx@L~Q~XO6d;tbfxcC%qT5Y;i{C=k8c6O zbN^OMf{Z6bEC;A>#{mx}0l#=^S(k5T3Sy1Snx`e!?JP5y1orkIADpITs9dV41pl^% zniSW?MBZv#n(ry7e|^DI`0iEyQK+$m^&pcQkXu{Y;yUI7@U9`poV=;&r;W!9JAejR zrvHql^=t@}<^6$%7K2=3F|W=xkn~!e>j5-qIT4zCh(`}-_xQP9s09Q1_D-)13~9YA z@HRxX_7n35A@g$7VIeY8GK-au4Zgnv(OW$WE4TxA%GSd~T*s2fyd};ksP7p6id&bq z^qSL4tf0*t!2OfAO_05>cewKaHC#VY&54gTSqFUvWPLU-PM=-%`LO3^tq#cMjJ=VD z5HuTXI`OUU!Mb;cuD*60E?Ux3sR}P46)tI=L`VCA_!gnS;aG1HtrJmjJImvua{TR2 zz>bCSfWcZv#zO*A-XMDR{h;ysnU4RD&g>9CVEux*fdpjHBKYE38H8zL=4bSgAl@C> z9%Dtn&`;{5J((=?B~4$p|Fyv(*;HOPjm$S5*EQmG6tadP3A-SPmz{E%kg}5RN-n?r zD$^O3M@`u0-(Sl&*5uBu9)kPS)oykPu+m<&CU5o)gRN9{i?J2q2E!l@q1+!{1zhU& z`6gp&AmkThrgtJtI9ae;{<(}~Rto_xG zTKv>^Fj)cU+dpnZV@KxPcQDYGOrNc>&*ObA_(J^??!^i})B{av&}4*2?%ea`a-f^H z={p1zBXru%0yOhB;G3?voKn^ljatdc+KJPQs>N?hL%TcnScK44y(mE+@r^&!reEoi zCm8i4*~~(0U5&((KznmSa&8MykT1wod2&>UFyK)IXtkbx6YB9gN3ZyFYR3sHu%sPF zLlRA8msw12lwxE9?*RJ!4&%M3K|p~s%}aLXjb_x$%*0b2W(Zfe)!M<;D>*~Hwsz~D zpFB+7c*WWLjDq(n3XhiM_=?jFoJ#h#B6|-zX8`g48_&n|h_ZK2DpsUy4Nd!rX-DBb zx8LO(B)>au7=+^QDbbM=;9@#*>I|S%Z*IMkHI@sUBLHl@BXb3mYs4!RcKN?2Q0`;@ z4z-I>V%^(=yX5AmS83u2oOc%&rg{^nxJxLKCRKFrJyKAgY--b0kJkp7!^M#^o$9EO zpgBhEwOAkC5BmK1=e&94XD`8)I&G8uP8qoPjm7k8KS?t%0O~(KAj&Y85?x?OyZMim zi%qRQ!%+6Q8Ga^zp1E!!Cmz{}e`s@y`&)CRc$B30_~4&wU=V$Ok+WSY^5E> zE@Fhufiz<>6LFBNM+dfwJY|)sQ?uDqu-QaD)%YV+k3VS>v{_O9I&;QSmM*7@-tX`< zXqmGdWjOQoCE#8H;>HMAxBjVW2O$APGTqTNa=Uj;bdpTZ{Vp^?FTn4{Rq0+!bncwt zk~$c^?fD)Z{=HE3LIvPIcN8_idgflqF0o3Ui>smRd6>`j5aWH_fxv|iusNoyI~a5dVMyO7F8nkwFc!TIShUAJ)mIq`5RlMKNOaq ze*$pm>n{SdKkH@#6Ft|(nEB1y%RK2i=A|lvG4od=+bo!Pv!_x+S!SUt`6p3(knzJy+* z6IU3^j`m=xf*tT%g*nAHc2@N?%OrPp({=#%P(LyQY6ByM2LgQLqe#x-o@^n7J415n ztl~kbI2OOEr-kB1cxbKPVUKWvxjhQJUY%Ipxeg9XOvPfqcW=&?#cVJzMgjmu6l|#; z+gERBaL;b=$aZ^h=*eSO#H0Yoz|AAGL2+ruQ1!gl1Km1mTIA4ARGzF#BU7CWz z`ni?ow}2`o>kbh=LdUOIV_bcH08|lezwkpomickH$&dC9-I$?>4y_NMS8VMuyf~m@ z(w99#doGJ)80PoJFmuu4#MDVpKr^o<>c1v*!2uf6^QTf~{~|GItp1pl!w_^tlxN?3 zf8`ffp3_9>siBt{V2FwCsUB!32QlDTHw~{-+%t!xM_ix^t~OGMVzN(H1rMbj;i<_R z);@Zs%u}i}#fdr=Gu5!o%Z;F3t&#lv`cmJfN2m71R2_xceQbOrGo;SUjJafTRcC9D zXM({};r@TKs9_C2LA34mm_|Q;Xg&g3)BU-NDm^N>ve$lEXIo70czu!w|j zH#M4W8q{dC=_bCu)I#WJC@Y;UJ}dX$6+UYZg$ho`xVBpXpR}RbJKLh4zcD-0LiKFP zVsnQCt=>Kxq1RB(@S`6-C~c)3Boo$NL|F-1;XCDCY+CPEoR`^bs62{3A(_inSBmt} zxA{hLDJe@z;<0_BqtdAb&qaA^aJ-4FMET~-dj42J4Wx5W6GO3}p<=YcUTay7-eJEZ zwTgwDWrluN@!2;{L~_CU{Aao8$Q5ZuAY%j43olS0h=;NHe8ZQ4~%m;;1Rp#y>c=wii3%C}-PY}JH_AW|K&eY>x z?_^Yb9d|P-c`a#NC&Dq~IUoa6|3v1`ul*Uf-JH$;Dhv4^=U63f+|KHHdamnu zj$^X^K8MMC#}SkthhG)S%V8fSV3_k2?CBl8-9bN_QnBO}BF)TYO728OqUK;A{rMUs z#Qp`@;8h~W`^mgf_-iMN(V4-~UI`%utit-Lf_EXLpmi51nBYI$Y#+I2C%ZiWCF+?U zY0iQb3gyW`)x*E$$(!lN4Cxv$M#-gi{QIVO0uDkMa-Qoq9^Zj7q%& zT6S15k~O@LbdTUs2O49@B4cy)a$clPK`evFd8niTYp`hHNZU?1#j?@Ek;A2l8OE{W) zV&alzVmgnP?1Eq6f9JU%@Jj;$8ql65?VO0`Md?Rvp%d`{<4N0?ovIzD9oWkd%lrty zrR>k$R9$iw2j4M=>HDP_?HC=+e+Q#eQ&St>*w|oDxHZ7{v*&SdM)N6`tC{Knw7YKG|R?8g=Y3-eCVg*b*BlhZpcTOYpPM2|i7 z^$%u;*wXG$+2A}|4*d^Dmpn@wN(GN>p8Hia z0o?JyRMgbV)fBP<5sZ49FGmfD0W0cQ6E`<#<0YT%YUn6*(Q%x2^Q z9oJ*t23cM3C4R}7%QN<&1{-iD%5+oyBQ0ZJsFxjX5$dF(mg+Pxm&P{=XxSz%f8X<- z`Y<0X0c}l~Wm*#sHli~ZDbJWX$bNdPT^khP>x3l-g zwKD>}z9)j06tdMtG?XNgJ_be8oNklN)?*3d3)WR>^z zsu#91QwA)lYx`XVZ-1DScuCozS3TsN%sI+{V`ikcZR1;@Cibfg$?4)=U&ak(VamT~ zXukVXdg!y9e6=c3mwo-+X4TuyT*Zf-Fj}gOVrp1^zbs_{rs87FTwPGj8pj}q;!({< zo+;obdE&#OoznYTvLz9*I=m4@jl8c1PTl%)R{J}&&7k7yQ zivLh;zXLA9TOp%zc| zZmjv*q?-mZrROjKYoSG16nO$W_6!N=3nK^2$(70lh{heBlV_~Or*ywzh2DM?txg?t zGuiNTgbH(QX6hvUpnMIzP$2V@aWvnJr>uABCz$ktgDGlQmHF+&s32nzl2KHq<`SzDhbi{>;vGb*KdkdBhr7s=A1 zA;Z6jRGhBIwoeS1riif-ne`Mq*mMZ^zSkUz3l6%P)|;I#&2KjT;sV68RA+=mK;kqr zpq}b=m=VjuC=ig>@-DCAV5y#Z5dpO~o&n8Mw_c>@-VHuZ)l&E1c=$Q-L<&;klXe*Q zbbZ_8M3PC)ii+%dt)-%r37p}2TE|!^oqcIDo zAeqygig!~F-b#zibY-4HjL;zqa4`*45sfRl z?W5|Ki`2`Qi`?%YYf=qydEN+d=V-sNqOI)9C62sID3hLe3troYx$|#?W<}=GJT_3EEwt-Jma4U`!iwx{a09cZN6n?ClGu} zwgL(x8K4YHG7nP^%0g{qK|7x=P~w{iM3agy_77H{u^8wHZ2@~DCm*pZy>0<4-36MJ z>1Q;qoTxM@XgO(~+1bgmO{~%eLuf2OW#9~G^Pufr(Usf@3QS`_73qM-C!Vl30AuGF z4#2h5krjb*7Hdmyhu!ziC?mt!s9>zG9HtPViFEB*}Lq4}) zT;C6`3sfMPZREG$WDO*=W-`nR{Awxpy_r^6@|^)JSaVSW>-c+`)_zy>xS*|<>yd|e zJlJ|QBV`JxW$1gZvOqfqFCFD1E@{+|9r<^djPog zL4cDZ2bBej)Uo*cwO7E8)qi3#oq9n*az7)S*LI@T_ZCZO^99$G$B!v!oYj>H^7b+z z=XtJizg@9*@^Nw$xl(>q>+)&pn@nKPZpLZ70MS9mvlqp{gKSrcNFBmn+}X;-Xig)i z4`yEXc`ST@@!Lj$WR+wItGLB}w#e3t*A9TYQh!vYAdgbg%xebY^f-)bp*^{t`&B@S zMAD;Cv5GTSxXDi1Bo`h+8SXMEKYQ?GsOE((HwPN$i^{$)lo@EgE6G#bZKDMfHGXhs z2P0F*bhw8akhU*}h0sm}<(&tLQC+<87EGI!8MmX@ghQS*P4c+PLASoXduwMM=+^c- zx8C62xwZJF({y{XgNsX>Pi*<9oY(x7O7Eq}1HtV;yZAb_k&#j7?5tzqT$z{6q|Iwd zmTm(i1*u4ETHay2$+xpH>K4#3CR5Ak_PXz@6FBKaXDb!FT(olX7!|`erMtJbG>Z`{ z2y^OXq&EG=hYrJ;D9`xpMI~uNhicd(h2b zqk|6s&h{sj&w+-;kH80}{UUV&X%VqwY?|;B>f8e)rabHTjD>OmqCGP` zV!4Qs8{GT!W$;1neEew4*9MK1$LZ3Hbiko~MMG15ioqr5VQ+zEm)Fo?QqjYGN*nz& z44_YP%n9&;(R!A;G+`iQ(4(fdU()gpzJgil`!q4LF?CRbDhN;(jjE$u@CeJDXL3A$vd6q z(jYQ+TRcg;!bBjYaFy@lDDdSEQ&PrLzg`gey6NdK5SjQfNNNQD?Z+u!g9*?FA9S=J z*mT$|a}Rfz_%V+zgJ|hdaIhxT*Y)^Y+ZE?rnzToi5`C8MBcD)w1**UT-~)R*^uf%> z!bXqm&s0Bj-H_zjb6L5TcXu`{6H3Q3z;wv}&zg?OPDoWN1NdjMpv?ka!b@C{2ug(m zH$U4eMvs8bR+01r9U78K?t3giL)lw#wMJX5Ykk&8;hK#x4}fn=nv=Ufe$&llvfX|T zypP^<-U|b2AbtnDLa!|fH}TwiPakM^F3+g9)KOw82#vX+xxmPa(QbeUKVNhW zlRH{j!@-co5LRQbP)`uZ!tPF?|q_@5q4^xVo_10>P0~=pn zkIZuIo-SPg8QO4@?y*)~L-NEXV7%%C+M~}7yL1DA=(OpR4<2!Xjuczg-(CW*2pLt5^0+O3N(3UT&e&Vck&1>1^;HB;_}^ShxSqF^R$$}RIX4R$H%Xwb^}_0=)8-ssOO09^r5YS zc&>E=5smf!eWXFNG9b4o3bjJ3GZiWFTXaYIC-U^LBa-;>;>fy!4!I{NV59?(_3jwy zu!33@^qez*DdTBoX~{wAA*Ip>-twE4!@Trb8c{eH4e9J<0$sh+3gc`YM-}t&pn_kV z14vEH0D&A++0h5gp^}j5T<0XHTbXkeq>r##Lm8(-&6#Evz0v-%Kp&%PiA-9ecfyTM zW~D`Hi1>Yt=!9?g!VlfghjbukoPY%7vQZDDGB=8zOzq<$jdIb2WuP~6&>CAgIKX#u z_G{L(5NRCS11jrPTa4?%;ParhmcL*2(cpqHGK3W`Yoj8G*t8HPJmmo0#>IZMqg8l_x3 zod|7qIC(#(ZuS)&MZ$y)cPzQ*40!@AKfG|;TN910JR4?l`LYYAp$3W_AMzbl{%P!?WkV#ELgouAHc1EeHO(Ysz>kt ztu9pl{Rk14rKaFmzFt7yEXX9Pe%SQpu3B(`YsOpLQ3uj?iZScP)7GR(Yq}s3P!@xi z_aeyzWMlvekOZs4pz*l0&1 z5@7BtKtN2VVhs&7$*4=zC!BQm-IlIdc@l_ftIHrCcL>z46)-Vi*G^dK;<*#)<9j+*i4G4)0zu`fB%LhzYb}_-JF8#SFq;@iLn8w; zAd{;GGLf8$ad@DL8MJZKie#ceqRS4GpWvxWG$6F0pf{~+GQ@fx%cal6!n@^&%XRQT zcSi+9GT|iWO8Dpiq>>UARW%XCH03n8^kK6Sy;W%=Q-YQishoc|NGz>6UzgnnO0nt& zjR|QFiBPZZ(-(r5k_16&>EbnaD))AkXC_lPQGJWoQYD0jddJNB2*P$aPqMNkl6N200KO@~6lgEW~H3|p}M9`Fi~@u^RZ}Ag&-wEMBS`gl)uF$=vgM4 z+X2_E27E5Ak%Y}Q46)7TTC6SJ*q%gVO~P5YlU~XuwG>!S+YI&?TPH`#W3Qx9J%Bo= zA0@}zA^Kh_~zgy7LS^6n#6pIN52XP zl!-O}yh12jn-rmF-}i&fdEg^ap;w49x{>w`8Z^qaI)6J> z1(0K9d}w-Y4ppwcmy(7$peS~lvDBEUHb`o7`FImJw`Fv4!Lc28@^9D59CEF4LU5a& zlHI4kM^X&HhfU#R{PJK5*L3p&TOkz{gGtKYeqs>hCl)Xv0EOcXU_G9&L=Yxn*k_N4<9ul@asQ?O72^X2h1r?mGppar%Tbqu|+!KlRjv^6%vGKQyf6%Y#YK zHw&O|&j0!*+qT~~o3QlZO7G(ZV}Tcm2;*e_g?}oCKqrq|LOVe zELT@;U>WRr)_qe8Z_fi?{18G40sZtpd~s$vActNnxjPA#iDh+Dz#Toe(Z9h6-0*)y z2RhKcP1y&%D{zoqM(7gjf~3BFw;xvn!~PEk`Oky@8Sy`+@>^K?XL0`7RsQVb|C$W? z&m2HSF*WYf?Zu^~H{Vki{zaRcoBO7xr{^A9faNizvb@X|5P@~L_dM=hve2oIf8KMJY&%yOziPzhh5)RCSKa#GzEJtQR^ft2)BtGUwEA%ioU zS_TKKx_o-9@;cRG%cL-C0pOr^<6D{nd9yaQYV2Ie?L@QfOKBbF^1e$xF<$5q3^eq0 z!nusfH@miE`4!w;D7l?xG5i2rkp24wqN%els}>l-z0ha1Ym5=qz178tJS+OZ41qlb z4poi?Ml)$G=85nF)9N4_*W)kgRN#4ha+VK>%&PzO+XZ2?u#O3rFy-Pc7Y8i#M2qQb zPHTQYB(&Llw8vroB^q3?k%0hn8C{UwLXG5@`sWRvHkKX*7YP1-fmW6uA6$<5^)OsB zdMVbrz*8j8I;T$s>CjT^bgWiY^>HKc?7huJt(YjgL)%@EZ zzuG4l{(iv=y)~^7FPcl0m^eO+5ZY?a$_#B(5T@7_bGPrDRf%!V>eb1-wz3eA9}q~J ztxhQEt9Ww9lQ~kc>&?C2E~tBevd5OHa1U&ko+DTh*39sonE5|fkYy84pu$Zr?0^BF2cmvK;iT`Ws)#=gHx2SvYRrF+C&t~Kq_d>f_L=S;=Pyde)!vL5sO#ITEal^~1 zgP9sW%AP=v;!et$(bs_m+0YaE7iDe1rVH9Cy%djF@2vQ5@sJ4`zl6n>{nd4hckYBm z9^B;$^ovfo{A68l<1#7hb-N>O*xRR|wQ3f4Ll>m`JD zB01sF-Y0jqgV~&oof%r-4sCo%fyf^hg0aMctG>$6<3-^*{WqZZ24mSKVw(oWGS5BR z6MFObv2U}UJ7X!kJC;P=@(242@dbh+)6Go61Na2Tz&Vfi(h z%|-LBz7zh~v)LQ^2FxN_YH5G~{h|}j&f18Pe@S&`N%t797);t>%mywTd?GO#`KGyXF4~MFy=&ezAlgLhM%A1(4)baKx$bQgPNbo*XD$m^Bg!MZx8RY4FG16l zmOg9I8fMiV&1+G-Bnj?2a|g}>4Sb1jUwh_Q&dxcpB@S&|kbRe4GfTT+`5UTVV{{h516*u>lf46KVXx}LzI-^Ns=1H

aHDI zU`V}O^e7;?N>C{W+nYMj`#(5ADpN$v(1Ps~b~3P!d#Xp!)xDM%>sSgNDs~zE2fKAx zg*CpSFCBt9s#l)C&!NsK%1;AX;PK9~nzcNa`?qTdQ>y?*;I5vMEKrAP4!fWPt&44= z@HY)4RNZVDu+lICTH_q|KToKztn^AZ&^gb`5wQH>vg3!2MBC)CX*|fs&gha?b-SQ! zY^#>ENXYhXKXW*%h2wD#IWr@9e149=&z_ zLq`(7^vN&xMVxhC4XW-SRE8jzk-o|~%jy1N1Jo-fECNKtOmB$KtHpW>RQ_(Pz7112 z1JyRqpvhb42#}QI89P$obGhYy$`J05^w3)qOuC2%sL{^Ig>hz0-W};w5hOaxX%U-( zh-$LfPba$okoI9UTuuH&^+tn;4ye-2>{L_4KD(To3Va%G##<7?OnDf#a2kOtAkp)E zy`>UoneXg)oE}T3w%uveQZKp&J3)L>wsimA3>vd}cTSc=L8W zio6lk1$qO;FZ%UWWQZx6;`B3sr#Ryzu_Z*5u; z|K3K%GgEFj`-iLJHiH|;K^@G+UYiA=_HmgttovvPYlcLJyaYr&s#Cy$)=l1Dd5$1T z3FqlENdzSM{B|Rp*mx~F0ImSK73o0Tc32Bd)B{Te_5STh-T-s&lG5_^_}Zxadj(zM zXJGh;>#`TTAB7sn4ApCtTA~&~x|7VlSBi`kAwORP^-7sUudAGb3fnWfx=rlvpGD8e zf)sRERQlwoF6n@qVn7ur)8nkUrhq;aqoltIQvDKvQxZrv#a=vX&g+~^0ecRv`-sS6{F!Jq>r~8%Q2u$0GdoMpm7YVBQ zy3*sVD#BScW{ND`P*sCHu-T5ZHS6;mi%T?!Lae5R9m968 z)+~pNYNOx*xai**>uG7A9%+R+iC#M^!Hdl67EnhAQa4ec!6i~*9^w}wS2V9q`wOa~% z2a}R}%FySt=>cLRFFlO~w*Knlqh<(Ohw-3}Jy}FA zRYcJY=#S+n3up;&=4hqfc#H?c%m}*xBV}2Vn(MM5R$@hCZZBtQ^JJlkDL+g*BAr2I_c zumRK|Dl}>-kBld(!Z>v%DL(^Taoz*yoxg$fidD2Y1t+7XA&Gh&s6H?(s${#RfY`G9 ztd=-s0IrW(oh&QF>LT1{fsR0pq+(Du4)Avrsyt)J_qO5Wb$Hzx&J#GiVh1z9@&GN) zwgKv+IO!@Fgf=9tU^yrOccyna`Fg*9b-=XYDW&N$4(rv|tcUQ9B%N~JAdLm-!Je#^ zN=wUhlDru@UFOcPFF@DjZy(H*nr4|HRO-Cyc724K*zhmvR%B@gCq~m&UQcZL;(alI zbRAQ1h>+ZUdH?M)#3W`lR_ReZ=2i=4D+ax97D8RY%i4$Cy^3HK47y7ImHdUHziTy4R#0BG|n-n?K0k;a=sN>=!iJ)mq++^0)%g})vIAXOPL9;_wex=^# z=vr~6g3AULCm+*7Pn2i(1u6{^0a~I#_^YIa8)XF&L24ZU&6BR5K(d4y%*o;gVe3mi zL}#2k=ZWd4-l?q>pdVP|d^T~%oG-%uY0ghZyQhXguAW#N3l=!=XV;*aZXGI{&Dr7X zJf0P5D2lOqwsK$u%hKrFsDKbS2Af7A5KnDyBs`A znk1NCZ1c*`#>PIPKo~tMh&GVe z;Pzti*?C6C!0B%1hgb1A?QokumE1=Kf(07Ux3*C-(eY^Ncw-kC`E<(R;bv3^VW)a=-hgEai~k7eNF+-zqpZF?JsG(Zq|D=EzXh4lZr z!0lg0`A@L+Cs_L}bM_~-_9sjG|NSiO@OyWAGjnqZFI^u2DnP$+@boO{o*cGhRVq81 z{a*ql3Oyk50ZsWX2c*CW=k<*pa6tAd9ajQ`)PM41X#vTB`}r%t3L`te z{?M_*I{pWp_RoX=8Sy`+@*9c$&*B8z&Hs}U|7TbEvycBdfc~`*<x%n3R~+4~t`w73jo z_Y!U?F|YUqcF*u@VpJ`-iH`aHBKwZ($*w%mX}^1x?;QNU{#T288NGT`eJ%&#D@_6Z OQ@^ZpDgWZNd;b?C)@Qc> diff --git a/versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP1/Distributed-API.png b/versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP1/Distributed-API.png deleted file mode 100644 index 688c7c2e1bf9d75f570cddf3a92fe9d4b8ee0072..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 49935 zcmeFa2Q=K>_b-fy5Gl$Ngb*Q!sDsgaA7ylgB+86l2BVD8r4l20Nz_EN5F$-reLWsAHSoK;i<<-Zq2+*a^MtziVC}rX4>f0;r-zH5 z2k0gxBP=Q`E+YXKmXi7V8_?zd`MHUmqaDuWKTHGB>F59>S2(~oTa?uL#(G7(AVi68Vw7svhB*Gnhq2cO|Qd0$@(bTj;;I-BK zd{oS(@cyDMs_t$GLjw&fcQ1l2)?Hf_W3R7;fV+C=I;c3PyCOARePuk+I`(2%O;=S_ zReu!|BMV&@M=-ONrB{HNor9(w&?-#{INr_A6RRTXZ|`7%v(m>)E(^#^K-@` zKtC@}4PAn$3_{%l=dEEW?x1C9ZtU%ZMg+n=&GhZ9)KJb61Zf{*Cmk0l@qhs1Kp9Ov z6%zv;ZG@4Xs+TF=)zit;4UI9kx72XQXn^t12sf;!pQSUw9_J}x4@2M)-X>ah2#l10 zr>B=U#=ue1#m&rDUs6rgGC*I{O40%Et7?X~kjCigdTY4ZJ4hof9CXyAO;P$-3nbnO zrlw`-q5&jlqVE-G;%s1IVyKSx2JEm?LFs6_nBh#V#Qoh>?Q{cB(nfGG2bi&+nyM&4 zN?XU$LEjN>V5cdns$r>#burOL8hRKwd&BJ2-5k`td?1OLsvw*!;C9}cs_ri8nr?v@ zNgXG=F~LyV5DnBs)zQ-4QN~2a%|c(-)k4xUz|-7UU0UB4FQcRGs-tR#Hu4}4ER4LJ zB!C_}nmB<04bU#0R(`IcR$|@~UPfXnh6HUDaVH~h8Fg_tf)3gZV+tCXi)wD&GEu9TC z0}Tx%5k|i1`eM2cNMn@%7~IXt%1{dEv?|)jz{CrwZ-sXBbT-5~N@H<2Z+nCx%-qYt z5FTI$GnO*&c2#jvF>*Aug87@v=(xLxTIidaOFB6E_<4#06QU~V=HTS#X^#^#f*I*s zX<|?+7TPW@`Xl#d<(?d5{O~~FPT`;w)p|iQSlbuF@iiV!Cqmctb$61@8q8BLP?5uBW zu7j~exm&t>nWMziumnkQ11mjkFDY|`q_3#I3>d-{M0qPnExGxfzSyiNkI$*A-ql^*8513Rn~e zDZ4=Mt13!E+bmE_R8zy)O2PszuA`>v?J7eM^U#&{GBx$WU>(I=)!~q-GxM?tG(~s^ zXov?I*c&0?z^ZBnVx$SaT7ee+7-KIzaZe*lXhb9yDP!g=?J5@FW}szhf++y13$E`jIRSQH=1aDoH5$c!$Mq77v|_7~z)A}2H)SS+`xe?_NwACO zO0Ctj5jP6gB=JR3Bh>c`nDgw9=ZR_F7k^B5;l)MOo@yzvWW!4)e$!_8?e_kA1G_c* zqb_nkXMOsY<=x&4R4LWZ1eRHEmpDD$-V0uMmG!E=epP<^WFoKrgYgYzG77qIGD=Re zh;Yi=ckT@T`sLifF?F26gpq}n701oZof83lOHK_MX42G5 zbECCJ9OX2IPUSScN{5YeLMd1zuUh4igBCy+uFOQi!esd@oh?aLoKJ>E?Xc%{ z#s(JJdr7A*9IlhD;aLuqF5&t=J_$c1Le~ycB-;j z#72eftRbJIFR$(&ChGyA!=`$q{^)=qMdismLu1UB(<`49G5%Wy87f8$-Bz1l{9w_g zN%bk}WM(VFAzSDY$w(-@s+E(6;<=QhjD3G$edAV}qp)r86(% z$^Fo3PS5`cwDBU)w?yHPKU#B~C+@3Pi$dtb=l5yTWnuqTohBGtJfz1t>VuDZ*ehp# z{y&g?-@n^Q$;y6_iKk)YeG|pV=U*4L86(R$D|u)KIEZmD{>SI`U%EYXP6 zx<4wQNn?v*Iiu+P<&!1)+lga`oGy$5jKB3Lf#HurOOborZp!fKoSLuO#;)JP*KkWe z=rvFp_NZO$@10v;`|62j!@hY~y}!3z+Z;BLY%xUmnfX)ltGoDu8%a`rG7U47i65Cl z%1k7Am(@?CTp8j`ckj7eihQeHrF|t+LnjgY_tuTn278d}YSkYTf#S*Ocor}ouQjx@ z{BgnYflGc)g5Cp(R-u~T@8%!g;W&;Z4*P%gz>bEj`&n2M917Axh%ne_R`62mZT+b8 z9)9LrYUsbm;tPj4)>5>b|D#&@lbwp&vy(}m1Ncaj_nkQKzuz9KjuxqVBLnAg>~ToF z)}Qe*aExvASLvG{cPGCDEz}O|u7~a8G2yLYVL#^|FH?7$)SPzJwJTEr4xK$p=zcS8>_J9j60jb!pKovTIJe1$$fsa z#lERIizR68)xd*L;Wyu|PmYf6@2yue8pwCoP6&BM8D6lfB3e4xaXn`K+upncwyw7{ z?)ipr&2Lo)diqlb+R(_w8N27V+bAZ;5w_!9(ZUt|rh2~WgHYvo0=AhQ?<>}i;LH5P zqH>HQAgB6gR?rXyt>8BxBB}M+7ayw<4HOAiF?vXykj)P^*u91A(fv@&bciG1zCYlwwpvkyXC3)`AGSx>l)10 z#!o5j{GN~pfC5couv=ep21^m!@~Zhu;THHCd7~8ALYj;AGnp~yTP)Na&r>+ zJ~InADJ@M6cU@PperH02Em5ca;Ubb41@rHK4@eZec)ZJ8_xtGj9i^RzmDYNqGBj&b z24Pj3Hn6u;vFJ9JC*1d>A5~&YV7#PHB`-Rs9kU3Nla!x-M2pN@2TtWpv0`vr`g)?U zJacQpL@Oq;5-v)*n6MPfWtD4p;|04chpAXT~7u1hm0T z!2w%>i%=_IUS`hhD(^Xez>jfmx|z@mvD;B^x$|R!$Bono8O9v&zkrrFwto0MAuc_* zx?aB@QUx)Ckypv{iSljRY-_##!Bn`XURf{a4Ch zcN#g_w&^)==(#3l8+Sc1nJCE#rxMufPT3iWf-$OHY9)fHDaZRyTTy0CR?9rX*C-2> zt_9Ma1f)cif)l$cK|GM1jV$+Fq9pWD3MG12Wc=o5srt>1N$>i~pIOxerxX^uBN)9C z1-c@&FQd$n@loBYU?bF}!gw9yGjbABKN)Op{#4qR8DwERf+W7Y;#u1#R6YAV=HbQL zUy}eE2x#+Gr@GBaw-E=)jUoJKNQYc&=vHrbmD2v^$3z1_izn>4y*%NZsiIh^{Biz; zi;PTK=R;mz@#%oGeD!2uv$;t)F}E0azt>VA86gR$$wz9unux#Cx{s}z%AfDnI`6^JorF(l z{V?A&lz_j{D%afji2>u9V(I9z_vmp3Wn!NDX8=+C2fTF-MxgRP(WvU+c8h7F5*u75&`;F;cUP$Jv=K*W2BOL=#y=Y})n^!WlO zwLdwdd*(A4%bBc~kQ%?d2q|p-CqAXk)=7tzCF)!jnI*1Z7-9U@Hc&APM!ogJ=7evO z{Fh52ug|*?Tf;tJ?iN3N{h$KI80z;i7fCt5dCH5C4S4EbF-JQ3&CX=Px%x6^jc=qO53 zj~9xw*|+xGAzS^a79|OJjw{ePQ5OG%dXTIz;f5{5G<9yySjx5!zp6vWhpia-kh6h= zW#gbt+C&dUG_lpjE~$RJrJ0I+jYrbA{{hcxf!Wy~*MUdfbr1L*a@LbqUXY90P>_MK ziF7TsBlxrDG40yk_Yg01Ge765lggtYz_PSIk(xgMAuw6k-Z zF5)!#bmJWc4>Wzw9y&hH2095{fRCIvac#%ho$PLE+=0Ogpa+Zk$uUaH5c8Zd2l-sr zR+en~wZO%9-}54ZdWbvRyV2929hgk$^`U z=zQ&4CzX%45y^p!IF%xXWplRpUTneDsYNRQaM3oajgMb{_aOQ|ZuXno7-ztVzFYOyIGUM~+*29Mvq{PH} zHUouUs)UDt%fu^3#IB3k?KhBGzT^gb`CjT~zdKobDszABL8 z2qF}pY(#>uLN`L?ljKAg+&GDznk`(+mrDoIhDsW*`j)5RF^fgwY_e`030u8SPIyE2 zS7$9CcXpBGr-Ni^BIIO;Qf%0LN6Q!!$dJ<+NHM--O<7oPz43+xT0JXZf$QT-+;oy; z4!_isAU(h_ehZDiLe4g3;`G1T6+nLB+qal`SywMAXRcDVOw@uMQTy8)2B{|;?1)d= zMw*=NWNlqhmmm!o=WW>Ks-Tc06?D4)DuL@x8x)H*9))%{JCL=1O?!po5!*USvO~#{ zt<#F=NlYWcWoKyOJ_Lci5cquz4N>n3u8&3WkBG{j$&wy28bPve(GTC&z#erc8e|T3 zS-Pcs$~Je1qy;1@%K;MS0`7ZuP&EY8kR8g5e4g1l&G}OznO{F6XX-lG1*`9xn;_~x z0e{JaTjOlRGxAGne2<_TTU!0?2Z`TMyk_5J4Wh{ z_B@a~K`P5==<14NJA1ZBUbm-LCp@J5-;;1K7f^4R=DIX7XeSvS100m~)k`_b7H(g7 zmKsq0r;Rddxj;L23u-2hL7h{DFo&+|U? zB;@61HMO)7iA|hz&s1#>(H9gVRUR@xX*>;eZ$hUA1qRAsXY=`TyvvBNl)6)QIpR+$ zcQ5Imkq_+8;~V_N*-+E-@Q4v)8Y1<>R~03{@9gG!hn|egQKVq~d4_}v@neE>$7q~` ze{Yl1`q*}qw^ooc&BF4TICQU!7^g%nByt-laJ7-w1V5p9Z*xzN1mbMS= z-%>SjyPN2FoT9z>e;n&2>znXMc5>EcUcG%Lnu9J(0_9qrtkG|@WG6*543>Gw!l}V5 z^f^5|ke$5+W;t`0LHeS^sS`=_oH;9}Q*DVx51vwc`8eOw4Z*CKiqMlYX@?Wca-45M zr)bU*^8W2pUB{~_V`v$PUeTO6-qv=+Ge)w3*FT{e1Aiqk(*&jzoTZ=P1LT*{(?f>} zwF)4gQe!wIryLs+S*mwP{{2@;Las3y87DQ59?5k&%9U_kmZDw2FM*B@BL5OtSgx&E zA3tj`a6&I%IGD!F_-av47pk!cSLS_grNqb#*QOs%NWMZ&0=^(;+-@dD)D}Ybysixyghp=+45y!n?PumoLgiwwM;xenj%PxpLS;+jvQ zW``x~?s`OC*+8gLlcK?wG%MB*nqO z;SX-Xna%e_?XIUwd!v8O+_`;wsHH{w=S(FX1)RY)6QUJzsYT)B{Xx5CZ>=rsHPxMC z!%43gG40muYi%eD{kl%!?`WTy_@JG46WlvGG@>Gx&!oJBP98lV0P8Tsc>ksKjjc0W zs?n4ZowP()bn<6zrx=YP?#v$|9Z$997o(ZuD4$$xs3|lyPdJ$E3^bcY{FU6Hu^Ed< zY9WR$X%SJ9pgB4=1J2|f>wC9eqJjfJ$JWXWg$ZQKk8~^%$Dxyugo=R2ZD(Z!?NIP= z+aEcc?#L}>F%2LIvHG5^HfTEC-sk`iI$P_%G1zA#Gi4D&tP>nI^{VR5@!=#w1kACV zA!xj$JTmC9$xdG7D!_LaDH4>EDbtwE+H{PeLpPtRA+W6e63#6tD0ufc{X-2Pk)x!v zCY{;%7eFHM$i>vje(v>+CR%L@GX`60Q+@#iYySD7`iF}T<=n+seowUx(e z0FH}_Qo!}28Wno@_j-l`0Vo|nj>yrWXpg?^z{3x@5iFRa{mSz}xcNoeBx2l2x&!{7 z_{+NGFTnqn9i1701ODra{CK4jPO$p}jzbKg`rl?q+FhX8dyiV48qF`R3aHOB&Y>>6geKJl7427*LQ2MRn z>$T5AVYfo*aLH3gw;;j*B|^hFvDI@V)a zI(O*2AS=moYw&J3i3^)d7GtB8W3J#?zw2M|{We?G_Cmc<<&T2w(5kP2Gf&gK0dk1M zuMgv^@ik-Y*qUs<)6af}W0qOUiiLM<2oq=UBZQxo9g<&5Ol~%x^C4D)OZhN=L5A4; zYQ+#P`m24S{-Xhnr^`uMrKoSXs z5~R61wM#^LH^?rF_s1|{sGSATl+#GCNS~oun~+sAsa`$t%3I9VpA`UV5pyY4ekn3N zY;QB&QzL)X$Hk_{spm1G>;v~>7{F62Dnr(X2d)t&k~8BrSTN{1h0XEA7+#pttIp!I z_Fo53O%zZfUDK!6+F!Z4dz59gv0%z(rRpU*1&A=EIcKxY3SRT0_bM-4^X=A{FSglz z60|nxlvy*Xf?TSZ()YwMU-gQBu+<>|Ow2M_IbT?>T?qLo^rBsC{xc@luYP}bVVG8= z=G)#%fszai_Ba+GW<%`Wjr97}5b{?!*)IOkS68_5arM|exgh{*j&p>p7)gC~e^IG+ zN~SSnDKXpEWMp>YCoX2Zn#Ah%Cik9fTZimSNm=4<3wNw<{qCG+`r`S3ZxQ+RFFq<( z%gn8&kM5A>YL+|aqxiC%Lqm5Ko26uifjF^%A$|~kvJHT=`N^yxEWVW|^$osu=Gy#S zfl{vz!qx6R=vi8ujdv1Z!XfzYFo#;jwa*yr2cZgg5`!kdh0?cwFxN|)S$aNuOEs^s zKrl%Bcnv>1@p{maZGBRze(+l8<^+VsyCdBp;B)@IQ=cR7ipa; zL)}BcQnw|VGe;bCM_l;I+XB$M^8l#Are5>+2D4p#zkcKVPEPgKbn)<6r;P4j{C>|r zqod(lLRG&WAtle*>~9SWTRLU-U9F!ft*%m7`}{rzPExNov$*!kWjQ`J*k0^TIUng} z;tKc9#PZ&H{b**ukEnSePlE2k1m|SUH2XRBgWH9&C{W0^hEL`$<&$QUd*_mySQ1C2 zLid)lrEF}=0OB-1o@kIYy-vQ?wjWyc?u+$VjNY7BiTJZLsbiUE2iVO774{cn!z8HM z%ffbNNbPay@hoSucW0g0#x#ic@pa3Y^AKn$2XOY`4ynwy25Cr!rsOh7R0su0pe#c z#1$>LR3%Shvp}}RtY0clvwgGx5YL}kfz$jIAQ}bt-UpiG+-?F;GfW%mQ4vdy-2591 z##P7td6fLl@Av6STbz|O+rta~%+>*Rm>-C_bNC_en6qnnA|WnMq{7Ls|D6jkwgjMd zpN|RyA=_U^{Rgh$GZ}9f-0P3l9Np@#2sGG2EkD8A`X1f@RcM}#9BV3i{sP7N!U9=s zkus_Qkp~ZZ=?(x@@ADfC#~$#V$q&ADENCK(4b#5{%)#YU+gg>TDw$s$Z{}OjQ=9M4 z?{)2NG%I0|%&l6)5}@LhGH-nro0z3Y#NbBd1V&x-bW0Q`Op9tD7=*K2kX}(|xu`yZ zK-{$C7w24(U}7wb5->%(E4?u;T<2j$z@TJLCJi>E#WP-m(C)7wB$h6zv_1Io0i(0Y z9$X(r8h5&}2nBZ}9n;c;&9hzv&z zk)EwiK)@Ayy>F~ZjQynq&H#zqX}=bSd_KZAqg!PUf&xuUS0wVsvx4RaB^ZSs`;W(W)@1{k zcwW5IhxD1t$h;eG7{f&>n91h6O^LbE_+W8b0qw>$g{KvU(cU`9y{$>CD{5CyCkApmk z(Pb&#!~@5etaWjMEs+r^{ScPjcp|}nsXk#0Sm555@dj5gdhHFu@>G*a8S06>-e}G? zOvI9Q5sUtk_LDSifMBdSjt$gKo5xjie`8&kg!Dy_p(v47c&m#8kgX@fL)~hkmGtdP~nNtwB<NQxs}ZwvV->5w z){Y%JiDYl3;e&aOFLp%0UW1^cRP5EZT)*D!NEk0wXI`rH7l}mFghYIefF8$o(t1=Y z_g!>`UYe-gbJ%MTNkmGTd|}0)cYMEJD5x2~cI8oaS};y^`h(5hlD)Y0k25#QiebD1 z(MCMM&7t}2o;BXhptWn1CC_=8Ilcu!w%~DZB%x%rKxwyVdpUbwezP$xgKir-s^ljx zQDw6DC&U83z&`3!LRql-X_<#0;C0vEnAxqg(h=j{)>>Dd&0l}?iruX04|plVWa&ri7(xaWthReZHCQMSrAY-BBc+3MNz! zY_=p-PR4WsUNq7X_==ua33omR#2UA4e|!DKwU}3ukmR42Z0;(N{6J>*+4~0%;(G}R zvCe{|2lA={q$ex|#v;eg2YX>2v`#6>uwRn-5HvkbnJs^hzks$$J#nA0*Q{NO@Yo-0 z2>8XhQs6vlI>`+3-cJ9dGim^sD)fsVtuXVSUgBT+(4yW6GlF&Txj#gx-M$~$5Y3y5>aT|h{P@i%x z+S={utNg9vB;1yE-Tg#HrzNia^E=;;bp(BAe8z~;`SBNKmc-`ienNyWRh=Q3&`jGj zPS5=lgtxs9V_S$FbX$u}+c`HPVra<%3&MgX-o<5gfy;%Dva{IKg>p$1!HO2m>ZVzDrQ#)1zuQ?SbD3D3&aRacBr_tnccaSwVz@^ zJOgWN^c_1Ap$OoWkYC{^_3N`Fw#8-Fy>vaBs-(@pS43cqQeJaj8O&Ce^f9Vg+jZq{4#?CHfph|Dxa z=th4g0lL86F^#OnX+LH4Se=g|%2Vc-1T!{r4dLo=OrigHYQC`VKC@cg*Sq-c$AqJfap%Dr6&&dw~l8AS- z_a6b2>%NUk$OHtC`-YZ=uO1ji;PAS3UT}Tj?o!^qbeec`xsuMA^4AF+shgjwr z6Gd5yK2)P@OVZh+fhk37Ml-wsGJSfw8v>`OH2`G#7ov7Ir`*~jvgGOk%8065P2#}; z$n>Z>&y7b;JgNz|F9XQb3`chYGB(aYV!02^dSR@^@z<3va~(parndaX-Ka+XrBc5W zDqg}Zx+pDsR# z1Ni3!_uCLA7#9yvR?Us5+nQtQIcG_K9dv0orCBpD2N2}PHtgwNE*3#zv0CATGqFMn z&@5f*0Deql^+v0VNnf4nlRWI=um8H!8VCk?otBqT+2AfY#djLfvUlQnT9Cr90$1D3 zl*e7q8Tcf%D$0lW_b10cc2gph{ZGj6_!;0Yaz-2miW#11RY8j+Bafl{%zV&)Hu-O5 z2y!68Twk0amn3`Y)y+aNLYa1Dq|h1C9I!@1mGGd7<7cVgQIk)m(?1l?i-M)l1Q)%3 z&YAq=oVOca!%$Bt-Qu6rW^04+AgMFt5x$gZo>QnR=V&nPkERuHjw;jSvAP#T*(utE z+Wt;>W+I;-c9_z5>A+}Pm;5w)?H7#nQsA+mBGW~O>vTvsSVW&Tf(z1kPTQMg>sW5p z#C!niOPvujWuqjaUiFX=#H0MDECO$l`9!lq&43mrX@m#iEd%L22Ehs(W(pJniLklj z{L!&T5%)Q7nw%t`G>01}P#?5qxzJGiHL~k*(RH$A{aYvcs3KtIPhWa7U{vnDPqx0$ zF!bo}5T*nDw~=cp*6LRz$tSN2Zn?yAVDze0+kRkFjCrZQo2rFZn#Cktq&Q%hCbids zB$tHC6V8TUlM8CERBVZ60v;KSsJI_qc^1^76@`a<4Oh0Le1lKTWA0AT58pI@9r`7= z`7jL;6_-S#D&0qCi#6lsiGpMh9!^g&R2@UD|KKvU=%{Inp$8ocrcZ~B561KuD9#zc z*1w~qhX1hjAGZFZt^XK-e{AbNw)LMQ>mN_x9|!9n2kRfd_5b^IfYWCNL>9N@bYBn^qL@u?E~8y*+WmQggbKTzA832TRtKA)ul)_c)-^$( zx{Ki+YToegYLO56;VlQKe$H`<+34c9_>0FcG*}b9sFsVIGHGDJ*hxQ_x^*)AY!Tuw z3RjwEr;3tqH$ao7aW(9=Bn@4pB~PYA-Feq?9maG!_r7&nfa7CcBkDq)2HD5vtQ1fd zrR`m^b#4<}q9COygDv}UZdwwG<(^}p-H-e657aN@q>#8D?~x;4P0pxlre{%X@v z$Y#1Bm23`RN<);W>}`J0Z+Bq*vALDS_X8#`^4U=rayQ7{gyolBqG>rt?lu$mDma9e zRk-f4GblK18?W5X@a**|%MSw;&%XcAz3UI? z69nJwwxEftV@_+Xyjhl0h;ty5{n;ryViCV41x&Z$i>$qn&FH(^(IWg`0AN!NzFXyv z1_Wde0sEHsURe-ps=|33j6qL_yHe=n4~t;h^ra7)rPr0wqm9h6j>Pf@F}Z z6<@K{m7vPBp+kPT-Fnwh+B%KoL0KQV^M;jz?w3KhA2p^V>`eC&$}Re|ZdqSYY6ah( zfHIU0YKK8|7T3%XRFXIotOSZ=pRlpB`#}|%d^Wgl4dzOa$}&1vyFOAktcR6~ba{7^ z20Q4G>Ic$0(yxT=t`1M8dn&%Kb4*$|Ay@d4{OUp8q#+%!`=Mw88%B&cr0iKa!6dal z_f^0Lq7Q3Hm@8sssY`kaaa{4f+8J+|Mmy#8r_OlA4gFM{a-ws|I z#@paQB1=^n$cMp#imtWkyYCj?-Gud@W`uSiJR*t=3BbTJwWO7GIJ`=ENYKn_GBhXg_97GZzqS8i;T2~wu1wQe2Miush) zEZt4_>$j}^k@39ya~hP)1>bhs96cKnyp(Bl9=<1c)zvgPgA*WVfV@CIG16pqSZGDN z*oQYDV)rEzB&cCQ7LG5J)G-7yn!ZECk~XZ+Q9MJ&xnEBs$X=< z7Q?z4wL$IW>I47hr|UqW;IKvgR-fa?Z79bC6xY6k63^zL^4lvQfiAs(@1Ek;ulzEZ z$+TS9$1ISP<#=9UOsdExw9CNx(zhO zaQFM^FlTHV+ObtXBwFaT^S#^Ip<7e)HyM%6*v@p1*Y~&k%0l~w(v(24D_qKdlgWM9 zZ@>ddoU0fO?fA%yvL(ku2}`7ub0?X{rrQL{d>05GgNDG@Bl6ez3*L=?eNmnb#qY78 z@Y5L`H}*|zl8DS{{k+tXmf<+o8$-re#wJw?;P7|!w(Rd%Xf5-Xn0}; z+KSce7i0&n`oM!MHm_SEU0eB|z0I<)w&b#58TIYe?}&oIdh87ZsZw@kzuh>Et;g;O zjo1|@p(-rjnE}&%oI-Iu_b=}xSxq;L9#NREV}$f=ErP+`j@zdWjn}WeDuYXTZQdWs z$qrc?B#|w{NROYg*rJ15xl;w6zBKm1xj#d&RFkvN25rw(;6Z+1@NzE591EI{Q#<9o zziP7&FXdQ5{RFvneeS#)zI+XhGoAMYE|5it0uNG@^v;x_Ryjuw>@aP;!c?2kL80d@ zT=SUo+bACjJz{b7LfzM4ke!8vN^$Eham*5U9wb{>4}N7y+`JbJr5s8kB=1g_2oQ0E1Zv&GqdBKYi8Dy59I1DhS6n zow3jxU}u& z_EEev{%jxMXwCsgL!sNw@5K7E3J7f1t59hQ4s%OhYgE<>6{vXRgZ!5MI@dQ8AQ|mb z-Kp}hwc^w-GYzp6Pk}HpK-aDAbwyaeXIhPg52d_(7_aqVboAwc%hq3tc0L*Lo6^<# z&S$0V0o@M2Zw3*N(};wes$c1%r13?B3{@w0((YY{**?7*FTp7qaQtc>9KTm4yv_h) zQb=G&@6X!s!3QFgj#_~N4;kP=uIAd*!btSLLywA$fPM$z8oJ*H%bm0ldU;d%9L1|r zwb|^ieY#Kmy6#at1-tTaxn*Bi#;618f22YE0^Fz0f`ZwD#ZFrAzr3z2PXRyZH=rBi z*Of(K0j_3$=6iK8UsD8(DfT=RX9SKcc>~Lgjm8RDL@1@}RX}1zSrqF`j>6GW5I4ht zyWzA}y%mPY{cZO+M$f8fkvZD^iH(A>%-W;%1V!F~br8rik9uKE0TuaU z_OF)J)!p}2TH?_Fk27%|cn9{ya==G9X0gp+`(yLJd+T8BC0`!dP;UT+F7cS*<)(8E z-ag_1V@?+^{Cm$Ib*EitzpAn5$TSG{fl5=q!fa6B@bCP7TXr!41rkdSkn9t17oX-k z_MeX&3%k7nZupnM4S%aO;@`Xb{TE*JV2BqKKq(Kv4RS+qw*U4j5$@MgvciJV2HBs5 z0F5ZjKKIXZ|KaX`tuom2cmYHWDjdj-vYVCl{bZz73G&(%+}y3GoI?5^QF^052>wOR z64B@JDaZCmCSc720MPax*2F^F{Cqmgz6bIsp_&CB=)s$D8*T8O5UK)HHN3fTS}|Zr zq}c2RrwrKgY~+?Vz(YD-74MDoc!6Zv~wMLbV-Q^ zqzLGI2_&IyO0;OXBErp}DKE#um{Ocx)haBvi$h+N54fR3rvqPZ7!#{73C?Tlbtp9- zyzG>>xllRzp!mxU0>E-zDz;O3ss7-+FH6VVlNka>{jZUgd@1m{N>HcJt53%BASJt- z-hT4ZhK9lmvJ;+n$(B2kh7uDUY}`%o&u@oILX-0YfbgEfs=^%b|OUgvNP%pBGbp! zIVr_KYK7zDtjk7gP5!U=e5jo-G}K9FFtA|0qs&JWgXLZ~P|!*gNKl=ZdAbPhU^uIi zz*PhtMIbeFFDsK{C%KdlxV;yd4s=b{p5|)^F18t46tlN+2gxya!g-+;7lNY;f;35? zawHd+`18a|l&193;N6|!pNi|1zzexDx@C_45ygkIawn?pJSu&1l_noY(O%JZG)pCL zHrivxV2!RzIXuLh;GA%PD z{u&N)OWf|(E846zy(Zc<6dWjNAF=_J^Lr;cRyjxSdA#V5oCo*) zv0?P&Cx93Iy70Stbhi_#vk9ayW}vAr6rjH@sz+yAcR!9$g?KKK52c`-1Svb~Cg4fJ z^YykCr%#`*?(Xik-R(9)QK+e@VeRcNx)=2Rijj@H_hx|XlZr@i-_?vKr>ZE%m{&{3 z-<+bDqY)kbBEDRCeK+oOUa*Jp@UfyB!K~XvJ@yU5C-wSIWFz$%FoKeHANK}PgzIge z1d|nuNUb-^H|$KN5?wQX9BoYs_YZm5oQjaVeM=eCrBz%)v0okYI@#xTIm9@I@ox01 zP-D>YoZHr|whE>YQIe{e`o~aL{=zJlPu5vF*`{NKN1w_+Gu?X3swIPc_1$GaD=66Y z7LO>kFW8|oWF2D+ZvvIuK3_bTIP&?ghX)fsYHDE#7TU5UItV^0R~s-k)bXM^%?-7o zIn|&Dl`16U5)cqwbj z>Ot!#wlK--&uux!ioD_UrH&v1bL0K(J^a*wVeP@%AHG4&@IjI*&$lTIJ{ZhYV`a7= z<@$7#%G|_(D6P8Mj_5*zC5@T0WkG}%n4>6eC?5lap6Zepjwn9%n5YkNHiLL6nnM;E zj^Bz%d^_;yGzmrGVwLk1I+{o6^jq|x&9`u(ZyL0ImUy9n2VYjZIc&UCe$i2!1zYP! z!yUJCr4Ix3q3Kk;%li!=$zk;C4LAFt!E)}h{3&A&O8*yS%wAiR!F=+5hIk&MV}3I; z>6xDF8*9u}nQI%WKXt?CS`guzk{(;LcW~woJLMrWS+bF38lCioH!@aMiE~$u1#)Hi zUu3~V{MB}i4rDgpH1d$D3l90(q$9DuQNGmEQzl|F>R-OprVv_E^Kzv)vuthSrC%)fjYuQJY|M5p;`cw=eRgIS<^Xso$SSGWE^6m0^3mgQgfWvurRx3@AU zCHW*92^A@O`RVD=s&&v||6g_R6bgosD9lXfuY>AtPNHk|;>65XVe?0o&9TX;DWM?; zbXfdZ)?Dzb<^m0^AK}W>;2B5(a!80SE!_L3#@ai{kvP_LC zX}Q)nB1E6ekq#6jYVuG)RuAZ~{Ngkx5pUp!)G`t?9_%NaTjb$sT4j+#Gu>-w`;K~YGS;TWYVI92V4w+eH6 zwthbif;Pp+f7RjtdPRr-DMeog_uc=g6#e@O%?2`HI%i(z(W&YF0V%mr+23;_zH)Pm zw>nezIO7t@mOZ|#44$4SY1_bT_bd3(*+ge>8y=IHnmPNm;?#<|{H}=a$hVAi374LW zbBpF|HbO_uij@xx_*2=YP65b}Ms*bT@4cGIRj9L?xnASWU|ZMJ&0gyL=Jqrk`kJPx z$x7+KO2c)a+=*&{@`#a zWbvhnXon6L%C7c4{ODM9*&b{B1!5D68KpBYGme-8uiK~{oN#kLRt-{B8Z41j+; zgsNow<|k5Z`~gy*Cb!%!KKv+Jcsjp=e51oNbj%;T9gv?r=$PKY9=5ZH z9FhACo)7JZ-gCtQq!tG~AP}_F%9kFN_-4bg#Drge`H`fbXja|QDf#Yc=*3sGJM_3A zR5O16iDJH)7TS^B?~~Cy2$gv~w?hF@4h__;!7Juof32D+tFJ4{PBynH8eD0OdcQdB zaO0$;7XS~Vf(EKbCZLySNu25C*KTpIZ)Kr7dilposH(N{i77ey+&{7tgkchc09(^Hg=d<;^N0wk2`c4K;Q{SBw~}&A6K;UCx(RMx zUu84Nrc-f^6;Z#pLQXCO=~_}`)2oiq$dJX2FC^eQg%;|wKNBgfICW7RcDtX&%Im+)qTG-`{AS2XwfH5>gm3u}XVyuGq(G41rSrz8#7h5LA*J$nxz$ z^ukG?m}|WfeEte%4po^?GJ6s9j6;o>)W*TvoCM6hsHt+GPjHwWk-!wIB|a)kcf(#j zq=}Mo8B@Qz=3}6+ngkH*Io9PB=K77M@h!Ss*BV*b`8Q)jD#zHzp(il&{Tp)>!1XO% zi503VKB!(Jwk$w@(pYw8Y+z&3}3dJtv706%(ar3(<(pn|fRyfuO9OIz!+t(iy%^2Jn>^>+~3+~-d z%ydkq?gYz$W2-;FL~f1U9vNbEt;0Iy6-sbigm0g2ROpSN46PX%tO|{h2o1M}G?U*% zr1^L_q=WYUV0Rr19cH@RBg&Zk-F@r}WU-idxmfp&U9_SUQcS!?KAQ%yPipE{ErPTb zbS@Xm?BD{*Iq-N{WgI1{jyby1M@in%;OywRz#O<=r!4G>ZH8;k|R|rp10KT?9|?rB!3>_8R7C!T4Qbps7ihNIofj8r2*WGqqzta|^9# zKAy#5YGR-zH19P5zq>mGJM)aE1H9C)rBlURLRb6zIL61J_vBW5dK6z!4xz(0LBdHm zXV^L|C|)Ge;C@hfd&on>gKhX#qu~Tu8%|!Op$Bmp^i!eqmOg8dHRp#6MBi5lMucB< zv^k@uA$?L}{_V5eDdvp4UCb6Q4xChQG*FYDav29iTf3|#ZY3P-1&$xsP1}mWUciEs zn&&$L(kBp~nsEvO#b)KcJ>pY{(*5+yv~X1BPua?t0(07L%PoaypDCp&ThO_P4m}1Xi*hGt(`!^hS5dIPj{#h!* zjX5hA&%)o-29da3G5Z#qqDq^umw<^(g7?9oXeSUdxDruj<*plt`acqTEf9Y>B3fGY zycF_NKi*T_&iKsew0qrQ#!U)Q(gOI0F^gfg_(S+j4gq~aMYXTr4zBn*o>v>5`Eo8H zX3GQRt3$uU!Ec?JNIMxkrrC0&tt+plO+q9>LAutvhP6=?W$pqG;c^t9raPs+$6@q96SBpiNdZG zWiglspW+-HXTV))e>#*Fa@lKdlbtLd{&><=%<%N%T8m~M`rD#2G%Z$XGGAFhX)PMA zcB1>B;vO^kL+p^K zzH|dGuQ#AQ0#4NA5cgbcb#W3)s@RKvzAU;))OygN3nao4*R_}!Mb<2ns+SSUB11C? zF;~JCqjii=zGjAm8e$QmJOg)Kxl;-UjlIF=JUm!-ijQ~YxP~Z)(l*hw!H|7{kjrB` zPs;LOVsvqe+UnHTTHd&>Dc|ft+oD#TtmxZc0|lY zTCXLh`DC*G4`@_qV+&*0@>9W-_k+)043n%I&!Y2(+evn*h79qVWMr4JZjEf`{16Ft zDIw9aS)Eregs~nTdbkZ``e9|-NG=YKyA-{>nPd@J3|B52REjlLn0k-P5stU-3|YQV zvt#v9=L1)D*IS8~dr~`=Kuh6_*z1Z<*gAE!O(M;nZSbDqP4`zXMGjD&2Te}>G5=D+ zl@@&IJh3Zd72Aw+Ycd^ry_&g&{J zy9eg_NQ&yE-}>`!L(y+T(f>_D(a(BMBRzkXK08L9yq8*ot=afw^O5ew#f!kvOILia zq{x+iSb)L}fF1x|BfpdoqrJ=1uD2*o>(gR z-|n5??wx-v_l}i|OM6go@a%WrcNW`!)@;iuit7?~qGNN&B7g2E=X%C2YKjDEa5?hWBq}gsxsEn+s*iffczMZF)T??t zqB~mx6C~Pn@*EnCr^UH-YEltxR4)=?6mW^}-}Pcrxx&CGrTK_M*!FC4_+-Q0@TV+b z+!xohq`fWk_MU0Omu7DkJ`5!V4o1m8f!}!4%Qp_qmV^af%+O+bng$kK+-c*^i%M*H z+&We_N8?W$*Vb)9!}hP??F(!0Awc4Ffwb>Qu10zJ{4?Nafa&i zhjf;QGH1A{Diq@xz>Tf*@{%lPd8LLBhWz(JexJy1()xWz{!ef%#myrqwh}Lfv3uEf z=idxI<9;L^M#Iar`3=gY6R7O9 zaN;tCym#fkxIyczXQ`7}P(XeWZ|^~1rV)^KNPxS1lWRw1xsr9o4xI>K)hMwxWDoCs zu=$uCBw|r$XG-6H{Fav&l*SO z+J8+wu{Y-w;5E~x24j7|d`;zq7xX2Y_VIAw%RdzZ$-bdb2i<+L-DDDE#5vBKOm^cg)x}Bna+idlTQ?X(KoKRKB`)*>qAE~`tTBu3}U|nCN$-0h!P4?Z9 zSW(qIXqiT*a65QW$q#Z2B??NRRV;UWDuB6;Lg1)(GaZSihx3F%EN`QkXIY_lF z5sI`1bHQYD)Ile%Q5no+fC`&Tn9?q|0;q10H70xQv4qvj#8d@v(sBSfK_Ww(D+RcB z15x=z6mr&oG0x-093%{X1rW+MIaF~G94^+YH^Gi~u!i~o3J_JIoL4dqWxlN`2lP+e z5pG69@qI0smga!ay}QYDZ=t4^Aic{SoL_nA()d`g%;^3(u=}c?wgIPu6QDOqzLc?( zc^7!DS|d>va~zo22Jgh(7#Gk2T@|1D^P&EPB#qS6H-xQt{^+L8FxGA3bI zSn^XcR6fKU5eb{?SEQ#ra_0UQuSYUfclF96Ptw_4cz$=UP4&5p44V%gzeCqUfBeju z?INNMZ@IqE@mYK{uyHk={WxdRDcN=Hy@_pB?!=75q2gg#DtuFC-pDZLxKA<2ZamP!waPdJpfvbGClS2N*q*;nC z`&n_w0>@oG-P=qoPcrnVYvIf;CG!z=qaY{u&R=7=s}Z2?)xYP-M1X1 zD5&8(YL}RfLJHY6bz=jg#eyMyJr0Zr^O(=x7nC>u_^x>a(^Aji=4I;16Wyi_`Z=*= zbB|-?qF)Q3(ef*jUdz3U*i&v6$gZfU!nrDNW*K*gP6M3ve(GqzAsY{4(a-xW;QO+hgAMh^Du>)$lndW8zG z;#a?&@N{IrQo1}FPif6)Ht||&DBWaqL~^6c>f@pVFR$mCzT&534x}cQfB9ktFfqn^ z!@~97Kj*%A`}S^`Z|-?Yx-(47%*+_Td5*dkg~2?GQz_f}j(9Bz;p$`+QWglyF~c>V zF`ObLUTq^Iv_~;eF5}tE2~~3TK!eJa39;p-WvSidl*vq!1!XRV!X+VINn~?|kL0oQ zNz_**C@`0(T{`0+q3#)8S6kLS1q6}#lL0%nkyGL+i+>3Bw5q0XnemmcL?(xDV67=) zg2*TgD0*hCHd!2v9mF}@Zf6cWc?>n@LEV(#q9T>cHDPY*916=#lxW~Q=%;ZD{D z<$hFPlx-Lo1MN2Xd9#<0VE-mZ*8s-0Y;YqT89Aklz?aLOgo2*;66{RFM-ipew_<@- zT0&sU;ypKJ%#C!tfFr5G?M`W9i<@bH%%55Mkbc&W|^?v=yIsJ z3Wa5T*>1G&QFD%U5V^6oGN;?N3Q%@IJ1BzC2TA!i1Bye-qD2B56n+&5@#Rj^9m#r^ zeDPx}RLfHpP};5VB#yVfb3REs5caM-z^ib@x8mU$t3vCT3-2O*p(cdL7Ft^02m#$Y z0K_=lb@dIcxusr0UU%}AK+Y=IRdMX zv_PCR$2jycIjUPGV+ZA?`;ar#$GRc%aB$-b9D)T3Z^S_^R=1U={njQ zvgd2F=l!$h{d4>J`fT1ZtU-xsi9Wz+(Ac}aGlV|iy)zv0Z`-}b3RN()zt0tq$eCB) zV^9+#Z}(=Kw)NmQanUytW=O5Dp;#KVgtqTA}x*>i$z!PFO zUX9l9O~Bekx}7rD*eouWU9)>1Bi&~_;ifwewH<`d(N=PLkx|f-Cbd$GD;zX%_%TFt zwJfP6JBXvPaZP+=K^ixQI4yG^PN>{W?Q8I*=}LC0^8{r&xG&A4{Qb^e)qOh4nK@7i z!*;o>7b-aPK{0R)D&R_db{~pqXp&v435ic6d zzC*DU8)9ni{6PHj5nxSXlpWt2S=vGck_(B$j@;WQw4lsn5|MPzj(vfZOrVvx(d2!O zyQ%zRd^>O{n@`CO{ZV6a5Xsvj!jJV{f%)swCiXLp2^-`+Up&7wzi|Od7O06U2J{Ls zQe7k{3l4-B;`?-2AK_NmEF7{KLm-~Uwz9lj5f+wH(cbPHSS>sf(o4mtpg#+BBjlDL za62P7B#!Yl)J0C$2tcTr^g9;_UEeYft+rb(FS#@jG(J`6En{3*XHbC*a|jcnOQSTW zQzY|t+6XJ+-tA^+Uz^|G@s0`DM!Gp-8?M;X|KKXkck<o2xh+g9H5Fakm08cO+#LcG$>AZVj>lLf%~=ttS?gFf8}3h^pDJHSdwr@{dLzG-N0<9St{0@5Sd z^SLcoDY3~ti5uJRu!RDnLgRAN!$O3o`A82-3hizVa{Fg^X_x{(OkuX5r+M{@JEbP& z%U;bH=D?PZ0}HQ$chqotdF6Q(wn>5j#RdY@qZfqjlgZ~O5e}<;e^)` zE~ukQdcNU%&Ga<`PY00H@<4=xS=#mrjKzF|PqX1u9s||@GK!|3pN=#2?}3cMOE~}5 zK?}m;o{*7|yqER4}jt5wP0A;X#hD|F+WhozFu9k^^JTKCE zJYZzxFFl*|f_Un5zYw4L4zFB3cFKYEr_fk}(@nR(8=%NWK3*tu>Jx`gZ?gpAq71-A z6^r1djIPjgYdlAK)I|;++`AL!S-EA)mfKJrMeI9p(Usi&I&dCJ)IblyX(~p76uzXR zc~><(-3(`=>dZo*Q;bht-!ApTmX8KXkd%igm)yxadUk|CK<75MYUFL#>ETpUjELq>slPNSBu zP~+WR=}U9W{Zj$N{NI5GJ?)nsx8U7~<-pS!;RVuK8F*uz5-VY?h{v|5-Y-)Iwr2NJ z$X%>QLhklWwG&q1ycV^*ok)LI!#Jkz6zi?2kN4`Bh@A51CJniQHAF z-*kIndc+T;7w)Q(Z;9cj4XplI=XaN;Ar?^2B(D_+q zHU>zW5Si^pv?03hgB_=&d#G>rEJ$Lr9|zV&ufT4XkLaU~@ZYcTUWE&rKuX}5X_Y!^ zcN?+!=8YE@tJ)#c3BwcD;az_>Bd9d>nBWnq5lEcv$H3DZPeakOPG+%%`0eMp;BIlo zA1HSYOr;MeBS-38gVEwVn*|M{;PXwTrKH<`ro3|ur2YgR;x9udcf>8= z9*ln9r&#U_YTBWw=-yM``X$VOJACl_IgohHF9V5uT4klORE-p*o*r({DhoEEc9E;& zR%fT2$2}->#lQRU0PYEAHz@Kv`Uxo$if(#%}~wt|_TT!{C7n1{hEv>25w$>pfR?%kBF0bNg9H zSBf$bQE^YJKnrixk@z6sth>cm&85|YK=LIc_xMRDZgsy9%74uN-(k6vLrX`4Nt=_n z5jIElFiCNRXUa73CYgfuS)@8r99-uQ2R%R&dK)T&_AAe;jp>H9^15dEjU5)Py0jg1 zUb+wK+fF~a&pwE&>I5^AGL6?6>L~4T3d)Ppmm2KJY_D z7B0FVykMc@3XkLVs{l0e#o9@Hc@^z#;c;!Rkz;16Z^^lw%2 zb!H7q$t@(NNzzf%JtUbf9EgANBGvn%6A*VT;X>^s(32?eAAX@s}{~c!$VWxN7huAo$&=;bwaYraH9?(sSsDQ&X zVd2w%$`Jn{LrHDM?_y=$0-5}dZoVDL_|rJnWWFT9zS8xh$$)q*b?I8C4al^Hyzh@G zBKwDW&N+oAl1-zT9tADacV>(7`ad-qyg2B9TYS~L@(L&8lT+Y07OQJB@W8G6=!G$N z=Fv|X$6dsy>pb$bJu;?-XW8D3TrSahKd8jH8L2BrQn5)U&Ib8)(vKI#(iuz|iXAyF zYjdO*zw&7F#P)FB7Lk#Wv2kLn9udlSI8`#X3q;uP(^!4qg-!p#AHg_5H)!a!KUb znzR_<*4;!Lvyp{09Q<_+7esgjO-M_u92&Eef}h3y`sa(>r%f732Wk*CsyphW+Lo10 zc&?FK_oby?VD6(1F{chJK@|_PT~dRzMxAJ)vU2<2=cd2;IYP=+j>J=Kjnhn1+k}kE zGV#yk8~AmRBhH157ss@X{U!v_^p+QbB#Xlr=Qg(Q^stmyg`4#U?`v8r;unM9nR#vADK9* zbg(+ENO_McvNCKd9Ctd!W>sP`wyYU!9Ap6MFgApd5@0U0QOw)^XE=(4f2tdWKax=jas*G8I^kUGD=G0;_FpX(_8p6WZST&7Z+#qN~kq_!i^bDAFSS* zYm()J6@44L=>>FXtG&s7EZ>nwnBpw56mQE|&X|H;T7{h&3o`Ay#~#SMN86gj`kJK% z4k1gMZNBQ^{bKC_y`dprinUZkTLeyDneFa_-MO%$Ihmwj(u(+MGVwX26;a8H^6ay3 zk%DtHXR?W5Hzy6e9H4u}D&1XY#V(@lac+xSZGcx2VwxQ!N@{FuViR+c9a|jM=WcBL z%UW!$u(ty2zJB&Mb+pR|jJ zYZPYMH@w?u`HRoZLx1@vH^*6T?Co%0Sb@#iyf%y*IWL^vL~|7WhZ#XI!Zsl;<>KY0Mkx7vZN8GJln#}h^+kq% zcL=_v1>5Okm6D86iwIpxoD!Y=*ySTte3-k)!g)4wRJYP;dRbQH!nLVo*=S$v@PaG9 z_m0KAKNv1`=hn2oGZQ?U-;C$$D;g`#&H@h#!om1!$4Hgba`r*YGY0JV_EHdyQrWw< z>P)QAb3bDG@~ZjWW63Xv!B}w*XL$GnGEkhy^@|8^rB9-=oVnIPvji13qp~6U>+Mea zGC9_(<>Y;k18}p#+Ct+Sxw$T`CKmLn3*2hmd$*8Sz}df(vI=Rf`&EeoeMPQV6K4_p z^z_Ue|4KdDUH^$K!1rd0Ouk2D*<88(E>egFd@ybt5fbDY=~pMT zKUE6gPtjb36olO7tIG?0;IdC0j}C{zyw?>^fH~_LYv2l0ImV!Dn(2}E=2{^%kNt`J z)X7lBPZ^DBOqc%jv{PKWkuB_;?9CsGlgnM5;c(#570f<4J%^PVxWptMJc{}-DuNqZ zh45Ab+5i-IbqBessx-8#y;~h>*qBg3VVg7g5Y(%qu$h@kgV5mOPWN)Mk|tevIwbDa zJq5he8(PWRkU%(l@oXK+=-YSM{-)u4*N8k*u)^y6sArA2-tv<1jnCXruTlX6HO`N` z1Xn{PWb`#*%Y`DYe&C`}C|+o=&)lTKvG~ES(y7f@mv$Jtw$$tQEpxhi0_)rkMdi~t zxR#&;J>wDNq8l$;TeXhO-$Y8~N~F%o@otApW@P-P)zF?TQrNU7Z9I~p5UZ9SLn{kYGk4ak+aSqHHLn=m;qhNw;Is0h! zq2@|n=3_8lVp$F!ZuJ`(S&W=H)ChiLu%z~iy0NC_C)_puBIcc!d3b9mGHlV6W$j;G zfCRbP9+iC9rZME*gB-? pY~?&&u_;MAzF<}N;Y?@jhR-_v>C()i0c)r>7dSpDdQzerhDFE{MKo#A+E^03EMhlqWNd3}Bno}AdJ>m1%7`m{-W%;2!fGh2a4PyM2>O?dotFo7 zSua*I&F8OGajXQyH5)9I)%58upF6dDyzQeh2OEMaIKB5*IJHZmFW;sm%|?aMvsiT1 z-zNvMO`9!$5+u~HB3}eydLX4KSa#~|D9y}3N^L2SjLw^+d5ciUpE$4d!2cG$Za z$Nd=voEOp2t?isXalLQhm5DQ4pp`ivu-1O4JhQd2GpqZ`q@ThTRH~f6 zZ@$}v@EQ-!!OT%*o|@I0%lq_M1FQQQtsq@%>BH&Uo+uod4w=U=U`GQ~zsGEp8oFl)lsD>|GSH;^I=2%-8>lb~Mm{R_&r zW#62FbX;#5N456eG|Y~ z2Vq%F!M2QJaN(76NW@i2u$b^$mnd#F?#VM3%R0O@t)I7`pOY8cWc$5P6F(7pua};& zY{0gL%{imAT^{R-T~_xc%%dddi?{%SvVey4&;uu|zy;QaY~WOGNqN(spC!i}FcPw& zQ|Gb@-Zs{L`y+vIDoa2`tk}g*ad+ki{2cZ(PS@x;+?8l?!cSPH9byhp*zpqi*-Ht^ zas&3=fu8-&p(W!^S*izm)rkI?9}lb!zt>z9G%1#E|a3`*2HIZ z1ZAVPReFx*0bzBOm1p{K(U}eW_G!AE(}G-S-#a*r^+sR1#EU4yvWL;jEjI+Clme|5f@q9NGA*gzTfa0#=7Sn}}-? zL~9*^;zzDS@*QdNI($u^|^17p{?G9cP4V9I1-l zn6X%wc3>tq!u?4xl9(k!Mh69ZT5X5aOu*5cH0RZVt)4#N_M?ck0<=1{zt!q?{UMQN zD(I^Z4$N3nf(ZUvq;)L+eO%{ZXL%%HzVi4Sg{!I^(L7%t+ojj&99QXcr^xOZ3 zBELmM6w{3a{I~6Rq*&LMxeWcGv6V<0;-ZQ%dL&034oA`z1%GRwpilohYM<}dF^5-5 z?!lAh7aAJcInU_RE@(3?em*6yVUmt5sC%sJxfQ|th^iS@mtMM80?j`NRP z+!M*Xwj_o)Y-?DAzimrn(s<+LmYUYrM=*dbxSn^Jb#4UUyK@_H$(ZCW+?QVsHomdPG+AGBY^=iD%1$rosh66^=fR$ zz>g!z(;NFJmJAS}06`uW5PY38p8E@N!PSSZ^6S^H&m#pK5Yi1{U40;)^AKk^h4&hG zNSBAnbN3xgL`N~C_u6`{$d zuZhTiY#K)=OjQ>f_P@`A;+@sZm4NSCNZm_LPaA6Rd& z37SYM@+KKVpl4x{RUfI1$G&p2jF5Y^nrKi;x-UU8a$bt^0B&(_wLD51Tu~K3d69xY z*CYZ>ipXX7x&bZrN=S|dLB#34a=~mp&Z$KL<{kBF-~5f7atf9_l*>cEKDYs3Df2A- z0nrZ)yu6_a?T3@!bRcH*@;7}c^iM?&nC;lJ^DlOiHUPp(PjBPAuK^n!Cmy{%yAL}6 z@5ilbwBBF~G`Zq+`cxt4lUGz5D@mKasNz+j$H5SuMA~Xj2*Y(F^LB?83mLVy*9VV; zAW9+q{=MidIL%O#4c9e`7`|Yy8M-kBqkn!-Mq#hd9||H6IP6Q$^G_QvgY;jp@2u2$ z)(6jn&9|=I0YM+A!3JouJ3hP#2l2O^O}T*I29&Ej%(hjz+LDj7(U{2-vFwVRaiFxy z+a5%4Ttqei98`^bx!!;onsk%JKDYuni>}Bgz6jEfnF$3mtUN!DD#D)AAv%~L`%Nmp zN#!@GpbP$+tNc&7O8LB*otc^0bwEFcMB;yP|4Ckvb@=15Pz(c?8K(%~qg=2OUcB6h jL6cG3qOgFl%x&rq?(2)+O7bFuzmrO*k7ph=yY;^S=*%*^ diff --git a/versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP1/Distributed-Deployment.png b/versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP1/Distributed-Deployment.png deleted file mode 100644 index 8bba51b8d0495141d02b68797ae1b51d466f45c6..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 34547 zcmeFZcT|*3voA_g1{4`Uzz7UMBl1DM1kw zP?7?IBvAy(Ih}r<@!i|^+uwKZzH6O()>(Ufe<(BabU$5PRb5^EtE#@Ct*JyoeukWY zfPg|pSzd>LfEYzUK%{^;3V!L_+d4)-Kx*ryVCd!SXJhYVO~583hyTPT$ZzNB>BS}_ z&n777>+8#Fin(g8YK~Jp2MY0z!KH;%q{)!V=&=ej#3A zF+nW8y}7Nm%kOt-xCYoeIhnHwDvI#(gI8TN6cAt&LW580_AcIj;IE&!sF|oR2lyoG z=H_ILv9?gN_k!9BiSY`FLS599^)%Gk1m(bICwoV0@JGqo($N*_;^|`U2L8y|dAK^; zdpm<}ViLUkyh0MfBD`V}e?0+R{_%HRa~pFH`#*+(=ILYY;c4&cf}f^6o0DeN& zUgoy=Uk&B-v{k&-y?C^Eyksr0Jp9&LX81N<{%+RzHdfX?_Lg8wK{g=;z+o$Ub6XE{ zKpVgPZw~q>+A5&s?KCY^MA7_)?!xY7fGKcu0RuNpOA$|B1#Nx-ZFh5dU$mXLg}Rve z)c|)rXG?$n00U*ToV%@#JzCMJZX+djZT)kwt4Qcg@q-A(1Hg@ibpAllPX z#X-y;Yh`1nA*?4P=BtEJa1ao2^wN}6)wOl) zFdoVZ;CBIaFHLP7AqQtGM{{)peM5CERShAF09QK~B_k(Ce_?AyVHGbyF991ZK^GfM zOMPEYKLITTXKNt|9gL;FnuVa9n1mjnLrhpt$=<>-z|u$8K+(@%!p}%uTSEwNThY|)%A1@@X?nO(QucS#kgo2xTx898hXp>J9}BH z+bMYXJ85aEK*QL`qHScIG@K1=RWSD6wz~4}2DTzb0u~zX&|?)h2SZ&8VI3Pe4|^X+ z3kL@WS$h#DZAEP%H8nk33juv20d-v;ZB=a{Ej0rTPis#X1wAcGBWodyfr6?##?#N$ zMMXhJR>w#|)gu5C!0)c0s^M*At)}2E=ZW_Ab<(i+yXr0~DywK{<1XvqCgQ9qYo{%$ zW2E8g=Vr;TtEHwa=;|n-Wv%Hh;ov6AuPN&%XeaCwAnay%_3Bk|1sexT6<<9KZ3Qh? zaWzkjSb&qVtgQrASVh1~Ts=Tl(?|ZQf~Bm5n6HtxypFiIjfAg*G^*+@yn z+)YE>*+$L?E8<`!U?r@1)!ac$TUpN9+z&`hQ9;hhP|H=w&rn+hsD!?PwT-*GqN1>q zrl+Q&tAVbgm8OIq*2CRES3ujt++5L0T-{m4OUc{b%TM3a$X(S>&cQ=j2Q8Mc-tvy3)$)^>szQ9y6DO|Xj$4jVw^>ttc3l=)jTw0UAt{_0k4_L{z4nyS8*wnm0%LpMJ`T_7EKtfh{JkiCJrk&d97pufD6ybH!c zSH%Ka=N_s)g0?yu;%){G5(eH{;1|$A11m1zrRC*d<>llr;N~VOfCfuM(MHTy)7s0; zP0mNd*2>W!z}v}J-wUIwDX$|CAY$+7uV^78E~erO`lDqv{jut5Xcr%}wF6e~s)whw zn~J}-zNV#>lCq(fzrBN^oq?XBo#$0~VRtbX2}?ICZ$DwIsF#HUr0M?V5(@S{mX;E# zVt%6f5^DB3;*Lhb+HQsd7*SP!TMrvw2?IG-B_BC=eqCi3O;t@rBQPjdS;X8<4>Fw^ z5&|MFq5)SOz-KRrrT#AJLK3#%gOG%)fs(hk7FJKf+QCXq32SJfhSs&U7e}L&fV~9P z!_C22%friBPfi!>q;C}9;9}!~RkX7A!RWes=?f|e>Dgex3>B>f)V&?eUFX~bQNsHR24l049(rJo+?*e{2i`}X)k0pw z#>Z95DnQB8N68H%Z?1vyuvGU4#!O4dOUN56eno8!44< zh>e<Ix?Hs^WEcSn69FMYhJXm^rjYaav78hevu>XH{YlQUOOf0C z`BJphC4EOc<-qg*Y`Tv`WWS+8RgwNjU+7ulO#)`t(+=lk|JF8~fEg$CpIxE1BvH%Y zSle$2!K41iBPui{M8$u6CsH9}LMKhWKK-{r!VnKh{~{P}8lFpnM5(w>9sjc{QU=#c z{Ku=1VKO>Iv5C30?nm)+{XGg3`upF$%P?_-cQQ{`^=T%{osf|C8F3c#pT47H)pKR@ zZfWp>*K zaw-r%e*CyYA^Ir?$+S5h+C1O1`^#g*xrXA@N3PNaX4@?Pyqo7Q8%S+W)7+QzuQ<*q zb*-fC+nM{p8=tKocn{v8l-kPKI{X=gLeJ%Pjs7{cQ}<*}QmuSc<9myBEY{C-ny(%* zt?1WLdwXSbl*RUecdAq6d(n!o5yv{G5~NKtT}DH87d&1Pl6IIK?qIeT4-Xb6g{?u8 zWVTd8w9glBjKtR0NbCBA=UgP3;%r7%cNC_}-!LRI9&Wu6?BcHM*la!w{_N4kGxOqS zN%GX~%bHE=#jYvOmLDfbVKc|PyuDM-#0dONX2=*op~q+Iw6}mwJhPdew;Q%5tr!buqtSrR05Af-Hi{=COx<7TIc?-#b1^FH@RgI3>rv{Hz500OuI7aMDeYQ_TE zRXS?jr>v?643dw~8Ont0|1|5uktlbDhqBgnWoFjcsKdRU!@DZU7iiHIZLw5%;xcG$0O}X9%($f80n(74!5L z-|+{W78f)#FLD)E>9{k0^OZfv*-^5%Yk>>Z9&gV3c1*-DO1)Q6E~Ct+89&&l*}X!x{X;91bI2?- z*qVykr4<{pJri$hsF=WT{xnP9-wv^8{8P2^y zbrg=;@~8e>xJ+bV39+hp-N|%2YrvYQPW;CT3rCP(`Ovi#TogP8jaSMOXFwz+l#2}9^eUk^*6$vhRYPnBWlbCdQs|R ze^S&zLQW;<(EpSJSlB!Hn$lmynwBXf*86p>*S>%F@nDMTZ%CIr~I?SagjsNd!qGGW(M38*aM7-#>SVn+fn!_Dc*e_Mmv=H|Fri^(!g}?IcUEAa}<8I>zwFImoGo5uOB%n zll&mzjEL&+lG>(531PWhPBF=)OP6vB3mtpcKD{AT5Y8do-Rj*EI75W|o*m}HSYu(w ziH=z1(9JWP8S`siattCKcaJgWmUOb;8w&JflL!_Jt0#(+gAzV0k zR9(pN?zPsj=GSS7BurmZ;dYbHy^m793-qMOBBVoxg<)XQW<|7q)_%1$A>5P8X(VY_ zI&n*(V5Nd;k=_U*YBMK?I_paE0vK`q(uxqS)%1MtYfF_S1P7>IQ=+j= zdU@qrjbi>QR-Z!;_h&v?CZwd9g&2Ly4n24})*y!Ix4I9uRAp6}`ewU@q@#=yl z*mi%_mqNySZ@pkZD6uoKUhsR1?>qBOI zg(WYZ?M>1*Ctm(lD|fIrE3KsV=2){GnE(~wY&78P6A@-f(+t zvk4>IlY%kjP&)5@chq~x#ABg)h;A`>Ya*sS6WT+$D>|4x_LkptwNgrRL;H78^TCb> zc&yduM=7}^gF;7BoQ+1fSF)0k5FvY!y`~LSK4-GWHkRF-Yr!!2rt~eQ%^wuczV+<6 zlCPp!-L(5pC$F3s$9ja z_45_+ds}a$Qv-k1DYg7)6Y7y<0h_Y4)%pO2kEH!uhN~&!cJtx>qDQyH?8*0aUwlU1 zrZw+be|9J=wyK*+O&)QnFGg~MohK9a0orLX9e{J(F$@8AD7^^rAB$0lw>FK*7fG;k zGJ(qTHW1-Ouq8cz2b_oY(A_yqGgk63l~dD3btx@7(?nx_ zcE}5H7fSXE!0Y7D)NL_qeDUJN^rLuQ&f8P1T%SU}31vghk4(sVq1juJp=&H+qi(HX z6eckU|FsWF)-_*zxF)BL01M0{O1RLj<|t+uG`6{X*0rI0tJPpDQm=Nb&96M+O-{!- z!0b>Gi-jI9&HuG*Fg9_FJ2FfhxMedBV;GY9G%pv|M$Nq!8_y(c z0j?AC1kuvoYL8YhpJX4EQ!9s3ZST#~LWZ1dZ?ni5ZHX}LZfUyI{G zYl=_cCfC^ZtZ&nUtuFi$!j8`rTQ4XOF#M*q#xhD;^@~@ZMmw2*5&f=%1Ql9AeF{Kfj9vGoT9`V`=E9;VV77(NuIHL|&H9XG4mBDXlv)`rI6rgoW% zB4WwMhg%?*P3AmF6+K_^m+Jxnqi@Fjrfy9-`nRrs^~~NKz0UD;+?EmZxCKdsJVg|4 zxVwr(pK`O~l2_hREMgMoZQfg%Ec9s=!$d85Q1(QUn3n^o(2v_tXYC_u`1YsSr8%V9 zv_h$=m7`)l%-*-nnrs>$!z_aN$9!pxT$~7Bs~*HU$^bv?$T8*%4Hq=hSy>csUOYHl zTG~S&A;N*l)fV?fS#@r~|&(f)whvffzIFbq0tpb&OEl7K{&1~ynvi0wWTY%HhJ-t}VY zB>;Pbt$gh2g~_ck|8N8)5f2+oAT~}Vg>JW&oCdO9R&XQb>4-O3x2JYL$=|2^!}>W_ zn=`sPTE9I;)C6|bY%0|4-I%GsH|;24L{(Xm5zgWdcuf^Nb#^>aSL=#CaJik&k^KUky+#HW$NZGgB64H-8s>z*+)GNr1t}NW@&d&2 zi8s$KZbdMLnzL5(8d+17cpZll48RvW(?kf+^)Jx&>UJkQ!JglM7G z&+(6)C(sO#gO!d3JLpY>y(&8uJM8MC0V{Z6?=kiDdX`_gmqehY^^!1KVG3o*-M zl!_o{)Jg$1Q`ScktRRn5oC#J$aXV@>1YWP?KaxORd5!|UFP+HQ0*KC7{G{6B z;{Bo4GBQdq$36^DaY1w#QNaTny<#zfzMjC#@kBZf3AOfPf%U&(MoAKyBf%786X@nLEO=kh!2En$!J`6+{pCxTu=5SjGZ`kxeHUV8b(a200a49@-?J21H4>pYV&(C&xLSFK z9HP?@KdGYHd!(Q>0f`shW|*8Whv-P8g$GWfl}v&p^EC`lR*njS5VQ^xg9X)X9MT3I zU2_)j+pUS}NLLU*1g5J!;PXcqS0~yz)4ROpFZzYF2Z#2M4!v?P#zlC#? z(9qYF;ohh7A{?Q{MtJS5a8gTxM9a?)6GrL^3+n%mfWc3g2IY zS&xQi_%I^)Z!Q9?q zbWB{7jbZM~T~#Vub)vCd1}f^x;dhXo%wfZ?Coyh~TO()RVVMEaKvNE`yqK z-9`0Dtk4C*#oz?Q4I}4okYIbM@mg~>^`9||_St*B1%t4`uc*C`E|Kv{-&61gurs`0 zxU9f^2={osPiJv3?H-9O8m5r5s(AB}f$|L$F*0YYO6fL9Rd8wb>TA&UztS1y5Xk2c zb@x;R1dZ}jfbA*2I{udLQ}&OK6>mWjr7%M z)#I`dSZa3{Q9c$^yx&(cgU~MZXee_bg(q0hYdaQ?MX^Q0SSb@)b&X&soVx7XJsmz$ z1t#1yEazObn%{rY5QgCRKzxl<^`*yk)y8ut!;wieums6@CK{j8>R2F{aSUMu%(?QE zZs#u&c7=1SduWrOl{J6Q9EYEIEHZ!q01wnxUV7({aFgcscga#AP!hk1qW-^)sO%?* zi8P<&(n!V2YfZ6dDbl`vq3+#i9OU(RWDpX#TDHNMVLLMW*wnd{fBXGSp!YpGI79mO zVQIDMbA)sHx9JBLm~s{Zi%pz34MM0;;PACV%8E99loI%RBbxKZr2n7XHxRl&u#8+j`LZ*xt(&>r506y z@CWEC8zRd8+x>jA=Io%A8_=;arPgtE?(+5<#!&9c?n{nrp~0m7C7X%KmPCj(Iaq0q zV}}BDPcgYKBn8y*Qob6Hml@f_)~B}=NjjUjOM`<`1#}qpZQeDh180z#TVi90X8Us( zj}|iaj$|z<4hVRLa8h?OfXzmI+5+&Xb-|O=Bru%Xx2!;y(^mq#1Y8F6F)10YO-9{U zHm^zSEw#=7$U6x_&ATrzN*V<%w_E2VCqjpFfQh78WPP^HHqn%rIZ4*@VQ;}TG}*c4 zi$T-=f@>Fauyk$Owplifbp$<_)X_ysjKNishkL6lYkgW>S|KYm-~@$<+m;IgYpzDaV_VqmN2zTNkc!mDF0GWCjf_DIk;}j_VzY9saR>R^q za-flF7UD1Qt9EL7W5hKL^h1NAZpCEkQ#b0Bou8#$(1|@kY6l<*K4bo~7W1W{`#%X4 zIy$*Zxh-Gc)>OtF>&*v0o2Lu%v(gI?WKFx@)&T~+o^kje0LFE6w}7el zz-2|JcZA_DV8v55NnyNh`cKx319|02m3RAjd1Y~T1UtzDt<=-zjbTTRVf%dALsM`f zodz%G!KolgAuN7*9K?D|w%^%Gu`mWLg@B9MF%XjMKkW{J8;)sX^yQ9zBtwQo!%aiO{=`=?qp~=svR6mJ0Y^7Cs8^Ph zmWU-&5H|#Y{Il7iOgRjjWz;blVoO_FO#!jdnsonYhPp!_nAQYkEjuxyODbJH8Ba?*YcaMaT{+gR? z)$@YFu@6L6%!qy&cy&8m+_|nB;2QU8vS%T9F2%V0tr!wAXWeH9UQ7f+_!xzH_dWyPJzN~u^BmHl1@0mLE|0y1l7I3!yI z09IeXJpI$`@CC^$np5iO!UcYLEH@9qiZzZ+{4slsU04=}8+qK)(8!K5zdaVy-@3{* z_4-ya04oijj|DhxzmYz;+O`V)9|DG?TitliHBEJJrE;%Ti1QVu?8f@D!m;v6O9n*0 zEIggLr#noZ|H>j3bGZ~F$S6}w%Ua0WJ((uFP?AE_4C03~e4$2}%I82d5(*ui%s)MG zavD++O<4$VJIT&9Ar}xznYTGcP1p9O%)B*@w6pbXD~Oq4Vk7kpjGl;ddAylw}@}dxm^qiZ_@;fzg1u}O23I9a5v!CdjmX7%Us+%SMa5BprEPZ2gs*hr& zZo8P!Z5A|VjR-M{pCbIlMxEik%9D^YQ?&8cl3_7kJb^RO+5uL(C$~fSL%rLJX;HF> zwUEntK#O{UaHJJOSVtZ*O6Qp5sHOF)iL;MdYBZxr`{|9H1WrqbG~h-GTI42=ahJ(7 zH`7ozJ>&}7%Jv=eKju#55=_2&`V&+-z*EEQjKEUC-G;z*uP+)rIvFodAf zcLHzDd4T^;Qoe{88Vg)BiOqA{p?2vb_m6Tt`ZEKARNkLSK%6cL^k*cxMC85Td1*1y z*qQ@<^o?Ly)aIiTBGRw5)WQP#s3hQByZdZw-s>xRw!$#qRE3xd1J|MYLm$mU$_Fci|p9OBo-NEZWD++&~nl-gZaYF@QtR zN#4I8=%ysN<&(QKGCueh27etX# zv`h{i(QvS)BmHG%uIAXpPbum`+1|~$Z>jk}oc(EFPC*9R#NDxZ_>S4|Oq$O?{Bb#i z9&65**(x8}*6+UeQq1I)=T-CW_q;IsXmx`g!G!L=(%Y}`u%xz{8TU`R$l%(Jru_&q z2u|m4`RD`r!=9H7q7(}XpJJ&1k5<&`X@^r$$cqXx^*#0rsuGw}#@jQj@>kErTo~M+ zM3SMb@n(Zl*xW>6AP)JPQ_lgXIN*6;I_p|Kb@DO)vn~%I=Tk)l(4}wQf*>kpg6C2G z&~RG;*H&VczFoA-rjhCw{t_I*H-l552^2q9-@a4mFna1p_ys(2QGWU#n-eh0e<3!= zh)5aFGiyMi<_2FQiEgpyd||KlDGxW?cHWUn+A1=S~JW#4o%2`amVioT=AHUS`uY4fgsgg{$Z^Q+@-zXC8 zcc62UMen__j239i=Am7y^xWw*Zy}n zlf!whO(Z7Xk?JhIJImC!)(8%WZ8-vsVo{KLQjqp@1$j*ao*{^$b@qvh{OTmLl}Ze- z9V57(w+Nj%kKX#x$ZoBT3XCk2WHq|)-X57dS2j;(G*_|@4viyv_m);c9-qc z|JBy7ajV{=qf9c5_6g_6Ajf+4)`YfJTjPwJBr(nR@81(kN_hEYnYi$vW0cRD zX+JrK011?BbNvjw97xB6NuDa5>Glhkp#k^}B@#vZq9gDsS8f|p9&v?$P+s|1K-f>+ zV{yvl$XEchgoJ^C?eGI5QELPsF3t0uutbaJA~S~!6E(0=guq5U{NrpXgR9CRt(B_I ziOnSlR|a?rX>1~S)W&~OLO}H~g5m2Zy+KaEO3J2S8`iV zz8s}b=;gvAaVf;+*Exv#AD`sCiRyI#yd{=bE*vSn<}sF0eNEI5gwN$rIbSHNeB^FK zl?M>@%k_|}A*vn#pb1QM;{^Ae>`fb8ZU8^sDa$v_%G_(iZA zgb(tnYO4!gB%Bkt$b1|hs3T-%%`iA8d3EvqCBLJF0DLM3y8v;q2>{7#uM_o0o&YFt z003fv{MY96h{iHfbO0#x1K;RH$Lfasm6a0d&vH3@u!M0T3UH3q%i}Q8az3^XnZsZ& zK6Qjh15cIk!+7fU?~O(@<}X2N1{3q}zKkPj|39jl#`j0^0s*dr@~7MY+6H3%BgFGl zw|LHn%Q0Po$6*b4n{oN!rj0YN5p#^pDxREGgs_ms+=q8Bs6zmAD z&?r2$jLwn5OEb9Ib@UyOrn?N;DI$ssurMhUKRoR%P;yN z2$Q*h*Ap72>L+Bg!@Yt6Bv=qXXbMNzJO514dKXxk+7n9!pjLgDl^Br|ulFel#rw#> zPey=66!OZS<3xM2NY9)#6h=pf0jC8-Uu`orr@pk-Ewix_B3RjB+E`t0tet2SGY??) z19LdalJiBZ$|rJrYCoLp<$Xx$Isx$L%7pGTs0!a0%P0$1COb`34E9FQteDimGs3Op zG=HC5P86^kXJZrTM8B+Y_`9|oSCxrF+MOd@XnI)fc#go9u=TT%EP|AX0?!fQoEy<+ z9&KJY=MZueq|r=*ypglm`Yoz&A}pD!&%{2XnT`VWI?BwdnDU@!qLJ*u6pJK)pk?Y^ z?G`Fz}NX)(O3WeKx7_A5Ao}(;sA1SOH`pK zyM+%pef%gz5vpK(J^YB($6OU%p>qNjxQ3NZuFQz4s&BbR!tcSh%jDfBkNfe#l4+{R z>?Ct2c;J3rU;4_8eXcY4OuVXSB+~9UtlvZT+8!L~l=@Y~gd+|=ijSn6=~uUwTiC@2 zYsz+h1eu@y_$|V}uPE!vuAjHhO`OaxJY!OQ?Y6kETd65a&W4i5KCW0KGmtRjT}CRo zE*H*?<#|=j7Gx|w1b9Qora2kc{Ky$3^a+}`kYpWMHom|d8Fm?uG@C?FkjDl$$hI@< zA;g(sqV?=jySp`i{Q6bGpM>K03*9Hj6fen2@A5v@mv#hEx67_~e+0VH-WO#kY}(X# za`^qb?RZM%oGlbz$wiL`KsYW|1h;dSi@l+9S=HHDpRw4i*u=pla@)~iG;(Gjb+bUL zPPL`*TxtKH!Fu^h;Y>W@L(-h(EClX43?S!pOEQ-@-*8n|>jzhbRQnXvQG6>caHmYg z7?0&k&2W+dbXmvPc;HQEX)18S)yS!I!tcIEF2;99s~(z8%oH>Cy|#o0eIV8e!}l*H zA4<)1{NspdoF0?4P}}aK%7+n%<<}->6Tk%b9Tor(Spg_5*fQJ&-8c#U^>F0OZD)O* zB@OnA)(flqzGZZl6u9S4S}w%w+$|*dYw}#p*rr${4~M++5gk#v2EI#YIb)Hoqt(lX z>y;pkubJV>S)cd%L0m#LBbYhSUo$V-bJ%7^SLFh4O8N8g<)-gWPnpmS?nAFF2YRs0 z*vrmM1@q}=d^x2CL!N5Yk-z*0cK(l@T*ec`4|vOS;dy*|{&y;R${SyNBx+{)__=#w zn+o*xA#0vakD9&##e}ra>DgK^{wo(3`C29Iws1)C&S#)N4ynv-FD?!qRKNeAS3kOi zopoGjE(m^hYb34|7EbA4cc-gs5NME@?vQrY>}OE%zF4(ZwY%|h^@?$HSH8SeCjdOF zEFXO~dR4yC)y{?ed0hOCcW|H8cBpC5YV}5Ty01g1K~Oc&J^4h(@AfRMWy=c5Okd9nANz16E*uI?ThZU(r&mqR<|C&rQf?0x(Jni-8m z*#~rfj2{TGp22jTq5AI*7n>-2#rj9PLvzJSq4h1WRO9Ss8#$Qs90c`Uf{MWmT|Zip zJ-{vx>??4Z#aj+w$yu;euEZm5n5f7jm{~Qni~`DsOThv#VgU<)dD!1IF18?DJq6GG3}GX5 z{%?NXF@lfPtjr`-NqPC)jfM*tgOKVXDil_SYN0_)p-oRCuk%)^chlg3MmqOHU9Kju zbm~8K6v4O!HB|&crB652v}l71tkOZSN(*9r#xj^Ko?XzLc|CN=%<=GoMrv;Xtr@IC zR`|fm4TLN%_Xmd>pTTZQiW!fid~B+o{N+UrDgpiE0*@)j2c^}a$rseV_rog0D=LTw zJ>+pr=#Oi6pU@ZXcLK3_r!wbOR_eZ}udlvoQ+8Iw;qKbnnjXXWhYu(d6O)uTLT=ZI z#^_DvcRuu#-`Gh9N&;(8!N*Pf*V3Yky*&ogeOuLYwt)C&MsY}<%!By`=d|sKUUTZqKXiT3Os_ z*F0|QEyYNm%F$;Dr2}LCY^d?xOYlr*bHPpOqH1*nHT8qp;5M|5hL) z{0rH$UXb+ToaZ|fW9VKvT(SU~E77xPOg~vzZE7HHH3Dgu>C|?-rXVlyjsl&LylKFX zC!8~9S56h~*a4M`KF+*Ck~KBBQIi+ib={JYPp&YNXLsvnLsf9MlxfM(4mNOX7M%$W zn$^XHPoeS&Cy*<+@?|juvF3B@#W~MCyu3OsPP`asgnu$SB4mmrjwE5r#_lxh3RzNN#9oia1 z2zXx~>A70b>-ACowpsh|02F_+8+5c8`5l`3=*yCC0ls$YuoQBL!^ z8&vH8@+moeLCs6~(TJzbOD)IZ`J(+m79*TeJBT$D+F#!Nz0)JsuQf@_xHtD8=0zoCXiP4u&5hT$-^`<$N|L4q^&uj;imb>*lEQI`%-0(9Z5 zbJbOpWXwv%ui4U|8Ls^ed-3*T5mP__sUSe00HR*0%mYmpmop!&)i6YSul<(pm^YSH z+fHYEG9Nb~%+b(dZ(-;vi(4Do?2Au4n2*+p41YbSpZ#hQ+Bhh_@vZNAx4)NS$WMAG zCDHKd&Eaf9-u%?MSD?x6wIVwz;06uq_q#0*Uyr273)x?kB|Wc)xaro3H0|Q8FUkx( z*lr&>7PATEpBH?HX{MIm_++^Pr7wdzoSH?FdN&U$(}|5|ZfXX#8ikuaMQ+A#K>?C+ z!(p*&aG~GReGqNqb=f7aaXa#ms!eI}&;?|i_XS;9zUKK}zkyLxLGlJN-m-_hIG2Ii z;XH}GpU4kZ`M#bBuVS#ig6VgpGfhd#>ld4L>4+YcBFGju0S~@_2pql=fWss^V&zXuHeltn9<11|hHSLz=o>oTAUQP|<8>1m_r8+0zg6AR z9vqMS(O5%GvMk{Ascf>(S+`kV zVWj6F*foWvX?~r2b#)Ty}qCztD|AH+c-Aftx)YAUu^n&(UGEiLZh~f;xISncTT}1^_NUxu|E3;vHIUYf=$3(zT>7N z1C`E1CuXR<5PeZ424^eXVy`N$xxUv~Ev4^BRQhcCiM zj_tc=P|5y$sjg2P5G_;2=JFecY+I@u|ZB>>UMSzq~Ok6 zS{oI$-1+Q%`GkacVaOn4VotYt(e!Q(#8xC=rVKVO?$o)oJYO|lNCqxrRiz|ZId5Eb zsI#ZK>znpM&boj%Mw`jihXFr^dtC62bVlx9@wB&6rYYANr;2vp4u>{+E!fsfI?iC! z&i%i8)UJIB%JY}{MY6qve|8o&`$OLI@ACmT0>J0J|AxCe{cg6h#5JA!uqPh!Y;{*P z7kc7Kfh%hE-*!bwh}JyQn<`c;^v!_t*!_Rh^A-8`f#n|$EFc#C;K2h>U0rM~9Qozx z)yKK{`S~kbw{M^LF*o;2GAo=IB+h=f7)l7atPs7M59qwt!P!l$*#baC?tSTxDFC;S{{?=001M&CH_>~|AUtho>g=BlpbFN1fGP^4 ze4y;OCk7M%|LFV+Zcze<$+Yy5>j&v)Hn00v&jbUsBI*ADtyo*6H67y=1n|f@G^qdM zQ7FN)h>KxP_cr%GjQDSGGCrhvs zks%uD{T_qEPi~yyD<{()2PG#xNir_` z^H+fJoN-W|9totm&=QuBipx_)lQb#xCUOF)LI5)3k0oXc{r{x)0@t%#gjt)*{fusuf5}3f3;viCe1~eNl zTXEDswFvy*qDw3f%?dA6tz;m1N|<`FM8n`P;mC858ZI&{8x||tOFeqhJ`A$KcgPp~ z&p>T|*3q>c4bMaNmH?z*cjba6sNV=7GT4ny8Q;0lJsJr$Hh6HSw^W}7yR8vRhe6u$ z5H0|pq?+#J4G`;lLT0#d)*wWUI8OLwU{h?Oa@2<8EvW7KwPO~MGP(%6Apl--_|t%b zI&Epf!r<0U*L`^jGLHA+H8vM1E`B87>NW^rF}FN}umY8Q0O&VrW%Wlu`7sa?W`!$( zJ!#3v!fxg7Ll74($j5Ubs#3#zz;PdYEUpcNAU~26ZBTGEKOs~&^A+qw%DL#ktk+Q6 zfRZESvN;?u$A<1U+@Jv!MA=~jP3AK-A&-PMp~kWLwybN812}^ann&%lAPNtYP<%we z0)*P_@qG9g#!RsU2}0-L6)j7s?UkX3PfWch@eEcSYXjwO{aUanjHRz?qE&^ui%+XU z9Eqz;8CU*v?X$( z<~$g|EC56yjOUoW%$=itU_YiV=*`M6huUU2$~qzK$YD{4u(?ix@ctb8^=enc?c(h3 z@2)_NEe1}L?PEnAri|n4+>eA0Qo|%T%HBBzM3Ii?gK&;AalIo|9@}z`a7;i;%vw?=)j2H@gO*W?*FJr7WE4X9m z?gf|x9!R;Mb-_$KyebT}9rEOfr6AHk!3@ru*2n}h-p4D?I?W7guJF`o`a_5#MdHTW zw{W-YnG!`{23u1kPXi+C5wNZocP?Hr)BGR4+@5||1fUQ*lxz*%5cK-yX_iI}zmF>H zZ$XwkJ9I%16gc?6QnqsT3e^RmeR;pmMm}5$xpS5~WDMv5P{#G`m(W`GW`OFWktXNQ zTCam*4G1x2Z;hr%mYB`dg{uDV1N7c{vh9YT|H|~_IE&Kln_0;zJm$XLLVjge!d&&=z1v#if}*|L&PwKh>P3?W#3&{fxkGW-XxUrh;lVo zv$eG$JMMyuItGWWV+@TvO<7be9Y$O#I;2O`0Xq6REp=cN^Rkrf;;WX@X$M6<#L^sVzw{s}Fo-qh< zZ0V>%b|k^c8C}%ODj>b04_USobbV&%#U9+jJEs48bLozjJGo$GU*g>mNBOt?$d23i z9w(T{Ko240S5KAUyx*m@avrX-`!TLDi1BFs*-EB9cAFV7iR=>I!BaY$VRnBTu4ES+*fSgXr@0JUVbBtWs)u3oB+m45mYP)I6cb5d4;wT+<*250 zD6z2G0kLkcFQM`}Hq7U|{ld+UFL_8Rm|k95GqEY$G29+7AjU_{pd7>gXQ=*s{TbHN zEJVZJxz$3d#5Kr{2!fxzzW3n>n=u6dW+-1ozQNq@HjFp2j&ram^^QjM0#s;5B0ptn?1v>#o zn(GwpXXYiUw?rQ90W68KBc}WEATSQ6iHceUt3Hlk;d}}HzvoMko1(OD!}II(e*>y! zFUo~^8%7%h7{gPfhN8A8G-qPP>B-;^pS53ck#th^mar6?NGw7riq?p-6J5Qku8#VQ z07Po}ha?BTC>aTu9bB{LL9uGial%3K)7T%*Fh|r*0q#X13S>HMVmB3R<&KmhFDl8@ z->&kRX|SXK_7C;)61N;zW3hfPhy#;Bao|4^A->W=$?`*Y21_!1i@=f)Br%M!wtG@j z{VV~XVCMgyn4S6G$|q3TXX+(^XXA+OZbJ}q5e4ygnl*~E^mWOVL6>MCWn8kNU0fSK4LT80xaAhw5X-C+0`G#z1lK%bj# z_pchhHts#mncxrGY)V$hEor!CBoC;fl_vb@-8P#PP~Z1w$D`PJs19x(M5{dpjcnh7 z^s$+DLOpjuT^t77RmcniuKCxz2lSzffRwjhwJwc;3K*;Djyr-bqvCZSW;g@xx=Wh} zpn3%et9F1O3j5{xvPf=lN5~4eH|V5v;udsC+X<)Rk6W;GE-pW3G-ZIWu@V?-9x zy#3ylZfY#xCyx;n)dVG796{0`q+ZdBK1NFdqQ#{xhh*%T$UDlT1r2;JYCj8}1zBY9 zf)99PWq_!P3|qf6>8a8fYz3pW>3Fo3m}diuyFr&IL073wi#2cG%Jl4(@BnpRUC>2& zQ2iHNILLqCXttXUT@U#Dlf|*^wR~wF5F*l=>6N2Qp*IVL&@}c2=+}r8 z21SZ>d#l-pclkho#RFVk*a7OM z1N_?_%6DQOrl|T9iSz^1A9JO=vZn2hUIsVc(XpdITr~@dq_+o7R9U`dOS=n7Kbt|= z^6nIu*|zHP7+@q1R4S+`9%1MYu4=Ld^8$5)P}md-dYEs5JBT`mkffO0eifm2hch4|ayGUMUZ*xMjF z2ttV}2H-Xx=4!X}3J}ffngw?<**7_J-Gm~<&<&0mocs}>Gv7pA68{Cnou!akg`Xhy z=VV?3);N7n3MgQ@05l^YtXtYk_Hg%>b~L*RyIB5v+;nR#qF7|lxmO6L#Y}r&Eyem z4JC~m*w4TcSU>-4!}V?b;8~&6*y;r-L>nu-1n-p#fGU1|p70lgsBE=KFDw+gzr@uX z*&c=XK%IWW#6;n|UHLe0G%FUKkI+%xjG2{eSulW{7AVQ1U2YyOk~@rv`Or!{FDv|R z-d72_z&SM`tj4=zmRdeGZ-feUMz!zrbk!%Qiq9V`xf#mPExF}$Dm12JbA2Q> zU`vH+MZ&*PFZp~a)Wt2;$&crc?O50h-Cv5N)NNVR&JFR8>0?X)nUXJ>3=W3jELjS+snV|7gcR-ZQYXuz%8PaN=HDh(bq{aNhte7 z0;sh$C7?x$a%a(4xkO?Lp3%A23*p-QFe_ny0(Jv&H8bkt4m zGf?ArGat%kKI%y`kk`VcT_Tm+y`z^9cL!+)?)w2cBEl626)GV5>wv-uu9-fqlpD~p^J{eI{B&NuA-%X;5uexK)luIs+9o0E0f@Qqe0J3cK@L0#>M=<7pE zA{jb!aDLdwgzrz>a`lWST&a*!VD7}$lRz`)m9LhWSwDsLd9CS}kDdDp%H-!(Qw{t> zQLKHOLbXjI1dvz2XXp$HcCv0X>siqw&v)Dehi!o@$r;0U;19Gb<|5b-d#2)iBUh*- zEgYcn?^t7zG@KejC*bM|jz;nPT&F#Lw26t9B?6E|UeC}n(s=>$L zZr7Lf?W0zZQw_)x_8`BmfMKLX;E~2IC1~w%>Bqp>LaxV7rf_^+T)x1zBo(gx4s0*9XbTrivo{59pG zX2uaYY&B0r_xXb}*AH+6%7z@Ms!^>sLY`DR8VC;9d8sr4liOBYI(7b8WwlXCqYw@P z-O%;nEX{d0{&vKIHR1jnYhrejp6XLPjTA&5oQ6Xu$eZQqcn#~NVQ4a zBYzgp1_Ea(aY*wvLcBw)RfaMEXJrLAZk-4{Zg&Oji@4nG`UB09=iI~?{Doe|O!?Tb zD7!p}+7EvhIvwXb+EfSCBcXNr6{Zl;5NZ2kS!IAOiofYrkl z*`0pH*AWG8idpK&&IRiS6Qf*xv|~pHh0jcy<}1Y5l7JlA24KeDr6+ma-)lpK1uhsZr7^!Txt{ZC z^HNh{U^l;}TK8$zFMsI9G5^A~8Y#sM+$Ox7!N*yfkz*lk4s2kV>UA<57fK)!f7{o7 z8|{qz>Z#twT!W!E)>P_nRaYY4J&<&JAIP< z8N=Bs2nJl>@Px*r@hDx``cFw>U4PbmX<2{-Jp} z_iMQaY{9EMuR!WI9uh;F>Jp!&GEcDPp(HaCHi#TRKHX>aOR+WADywHWF&j59fVsre zPL7QtPh!s_9d=vZMz8o*{Yf}F#cLyAvakni+i=RS9&ac7Zq?Z1~6Mv4TWJ!SJhNzB{``^F`f{bzx`c5p;>g&dxsuON_Z(4{B}RG+@zq z;6^cajW+>{>F)y@VJnzbl;-*b6#WxG$e+*u1E8pJ69_OaTC*1A2msLNUo=*|`xn%| z`1F;;mxeRlQ;ZqxYcN6u!uQ$%y>462V%qPbnKt2}gCMnOkWswjd0F>k729R;CUHQd zc7b7}b4Xy5s$?YD6z9|DGE$J6oUyI13c_Th5-eN^>9<-o@d@pRYq>ZI}6 z62RxDc)pr5?*BP3n2VIFPOHrvmsBQ4m;lp4z{+Ix!YhXZnZK>t^wWdh4FN?8V%Y)i zA{$!*c~q8(hf|1v&q38`Txu5Xis2no=|LhL`6r%KwSxz|^uA}NcQ@~SHp#7pdj%IJ zsP`2;CgYU>u`EQgYi!i3EB-D#*D^3CbMtE_Rp@jWFX@RYR$ja6B3y<9R^ID3A3FQu z@CT00lPF3#3hO8rS2AV$5(U$F0Hy@*g&vVRkwHIyM7?#KwJ=eJ-lk@!gRG$-Hx`U2 zVxhP^nk)vM1{)_O56Z6Hj0)UvF#fa$xH}m0Pk>t3VFt?J>=?dj)(wZbpRc{e)isUqE(rLA{cuGUJdZSbrp2=zOpZ^B` ziH_brL_>8q za?2BG&=@J#2k1v|-$k=Tet6Vk}0Hlt^l{gUXE#gl}I_**tg#&4@~iP z)+2BwgivC{TE0|{5oPHYPkKEi;pi9~j~})?xjUr(pB)HQ~%c@A5=TboZBh%AaXtNj4%S2{HMo=#z&@ATe4| z;5ahcnhGDoXpV$1YJVAj%r^G$hZyTBzcDDABV3<}<}>5R4ZpxsIK=t~ORLxo|#q zH9dWKa$Kb9-W?{&R&fyFB}afSFdfcVV32>DFcbh$Oy-ce$Nuv}rW^YK#lwIl*#scx zI>4fmJN1tKo^RR_GBY_Qm6*iY! zZSp(gvsWxWiu1W+_A%A7EBb4-mM`}^kH8q7?c3);W+x1Ujt=xvLDD!0U3OA;COJr1 zg>-M<&kx908pZ`h%7Qj#B-x|=bH|7tRk~eBKtUqs#E-$Pp(l1Gbt)FjST!^#!rqMn z$#1o-qysSp0EhiG-{!I}Yf|#nQc?&qBWyEcmh+TI5w6|2Yl&1z&xDjE-vkhZ@nXe0tD2CxZo z)TI+migE>tm<*HOo#Gx*8v}#mki6u5V)zV6Q5<64Z4YhEb`k`M`sIdjZ>$z+==F^q zpG{9mVh`^7CDQfTb)Qr5T$q_9bS2yl@2nkm?~; z#H8@9Y)A}_yRd@6>BQjlDsD97X}hFPwF#C#2E?8-Am@lPYDSP>%|xR@Ponxj63U|V ziks8b1*5`U5v-sq)-%$qkhWx{D!CK%AKAuZqEq5QL6ANeGOmttWMT53fD+l5Y0ZA4 zTry8rx?&>>!xU0nmmsw9>WiK!`7tl0Vu+*TR~hf{J*feQwh!o=HUnIxfRb)((0sVY z0qKywM+wJ}=IM<$5Fy!v0r&dq6wVhs2%=k-G2vvW7@nvS)5=0m5!WW8?s%Xqtf^h6zt$ z0>OO{<(dlKJ9Z&sw=$amqqCn;$DbUULm{_7;uWt7{`M5*M{5E~)b@oe0Fyq?cNjE* zoamk)n=XieeUAi3b)SGWBtP3&QMXKlzCJJCV%1&`V3+j%iUrSF6q-=)&W^oqY%(aC zK)SARf)L@Rc?@7hnO)~e1Ugg3q&ZIXCB;dfg)#LNW=FsiSW%7Zg1LuQf0(Ece=Zdy z9{|yxD9u((%Y!4WE;ruh&#dIP9-KxC1qW0Wh9Zl1qzO7eoO8%<+O$`MH*kdy03zNw zGmi3?(4Gz;?bw(&q6W>;k_P&Q7l06CFXqyvgG!^6;{;8h=VIi_^_`s8g!W!Qboazj z0*Ch7FMu^R)_6iR!?GpK!6I z-l!3jPuBxqHmkg!)^Ee;*#}Z9QAD;f!_gB-5WDJoy^^!c*d21J?7V;cS*oeZ%WVI0 zjf_(n0lm46tdm}cEX$+T&v=GF`5=^BscRT2MS@+X2wBQHIhs18Bvwoju{l!M zmICXU!C@0nq-DB=t*PG^BdL$C@-ZB~|H|v5QGOcc(9xWb0u!U@cZ6?KOuUJFg>E6N zI+~q7|5^}(3~ zYO0vH#yppU29L$1Iw6+D$?vR^JC7(62nDORlae-u4{f8rDBd6EviTf@>Y8Pm(CnpI zMg5(I(`7UQMZW$}Vh-LWHxW=LK_FFiJt9;mll}mUrU+7jUnNdL5}MsJo)gizUT%Ua zWkcKa34)Ac$(==?R!FS_{=#=Sl;M222wwq_q;aez^}Zqu21xXD-6gC(=U!?%Ob8&X zVcZsTyTIr>Tn{kxg|;C%?q~M_>-{{7h$oGMqpZ)T-Q3S)-lnLX*wD zScwzItLr1*GtQ|*%mT=4J=3c62k5l4zatm-y>WO|a2{e_?P-o~G^1wN2c*h6eB!8f zXCfA{&DHPGzVT4@(a^RSeaIy93FxBRL}3pBj;=XA2gb|fDE{3!6uqmfm7ZjEAEiXc zr?Dw9lc^}x>7ON>Sr;xjZ)UhM(*#{1I!Z-7Qu?OZ#bkpn)oypRn$8AtKmm~hVq6xa zRnglZb41omvyc1EA){mIfB;5kkKjRnlAvhlE{~`~uBj}2JQ2-v8 z+fnDA^9eCKxA-3c)hlsX+*k#dX@^zQ`5@5n6*uwE3cknk|1Cr0{ChtYBXe`}_rsuJ-qPA? zc}!yoD@e{g-Ju0oD#ov$P1?ADQhNfHRzCgO@F8qZ`P&e~XEKH}qL@?OBOS8_NcF+( zw0f#A9|QjL!ofKEPT=W3y!QT8(rIA6%#qbL=d~g)*><4+X_7PL z*ixk>LJ7#U%UeqhBgc}b{I7UR=ouP^Eefw=c{6>Bdt|?L;kUCLn$b!SWi9bO_s;IdclgMGUWw@66G6~adl`|`$ z6udK5sQ7Dx9Z-;gT}9?4f;_It?%0VMjlf<)u_YOP^R?3=CDF9^Sg8 zO%I-=U}L~;l6)2(T)VV#+(m~@-=FIW4GZE&ok-k_8rdO(bzxvD=S?mm`K=VQ3$a;p zr{Faaw!?#uqmvR=p0j`ohUBm!t4ri-bi&}*bgUCiV>@`EAbmE}l+Ens#n4$-B37vI zDsB@Z4E1L0y~~5F0b45u5d>x0y@PJan6)Mvk*% zT?l*}=?0ZguwhLJ$#RVohu8F((|)=BDlZxqY}(5`3z`R^DWETjb>e0)FB;ArSW^;c zJ7uA>!g#FEWyc%1(ZHKxP4O7D<%Hk-1h8h_$s~`W0i|NgOe*y)57a;?XAX?KTcJ4{ zfp{Yi`|*xiZXC4K9-AY>_LTkh@T4>^nxn!Syt(k8q6Ic)@fxWoP;XtZPWbacBWtUe z3!?KYQ3NUvp!P57E^ch?+Vzd7Lj{nU4C{p38a-&I(`l?J zmxp*wptH-cLbK~g#W*zZJXllgg4i3uvyfRkqq49B^? zo$%t9_1KSvX1!uCoYvSJwT$-I2*8u<*c{2o>K%j!<9V?$TYK_K7BqXv7W@1?01FGgGo=r`xiN(R+F6t8dyCvcRHAJuI7+O9Z zfsY=oM%1P4Qcn2XTWRSF|Ajd;TnwM4yR|a&cl4R7E!HtSU-b|@&U{awU67*haR&|0 zLP5{j1S!2=et`9`P>`ZUEkViWH6OO@u{ST8)eE`qzqZy}0G1BV$UxmMgf<2`^O9kCya8LH{?0rdCUb?!79ss%x;)lK$%` hhSds&cdLqqE(!2ns%UlTedi+hXQXGQTS#$=_zNJ|d2s*$ diff --git a/versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP1/Distributed.drawio b/versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP1/Distributed.drawio deleted file mode 100644 index f7c6fe79..00000000 --- a/versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP1/Distributed.drawio +++ /dev/null @@ -1 +0,0 @@ -7V3bcts2EP0aP8pDgPfH2ImbziRTt+m0zVMHpmCJMUUoFG1L/fqC4kUkAEoULwDkRC8WIBIkF2d3z+6C8JV5u9r+kqD18jOZ4+gKGvPtlfn+CtKPY9M/Wc8u7/FtM+9YJOE87wKHji/hf7joNIre53CON40DU0KiNFw3OwMSxzhIG30oSchr87BHEjWvukYLzHV8CVDE9/4dztNl3uvZxqH/Iw4Xy/LKwCh+eUDB0yIhz3FxvStoPu4/+c8rVI5VHL9Zojl5rXWZH67M24SQNP+22t7iKJNtKbb8vLuWX6v7TnCcdjkhWVoPJP5zF3/w/trOvG+vv70+z4rJe0HRMy4fw4noeDePhA5L5YmC/Afn+3N2pzcfcfSC0zBAh67s4dJd1DwuO3+22U/3O3oAgOtt/Qxnkf29R0kapiGJy6vS288vnP9eSK4aHFIhrrOvz6voLkEr+vXmdRmm+Ms6v89XClLat0xXEW0B+nU/QziTgUFb1SRkjYCswqD4HqEHHN1UU3pLIpLQn2ISZ9fYpAl5qvABise7Q6swymD/F07mKEZFd4FxkA2LonAR00ZAJwkn1RO94CTF29aJBBU8qNphssJpsqOHFCfMbLeAVKFywC0x+VpDcNm3rKHX9opOVGjNohr9gBz6pQDPGUACkEPSBif0OWkfHGEayyfzMqlWj2QaI4kUcCK1eJGajkikYASRrrboX/K79Qh+vYe77+Ef8RMBM4+TaECCp4SgYClDoJz0BDJuF6jFCNQ0O8oTGiPI055D4NsPc8+Yo0cAwMy0OJHhOfUDRZMk6ZIsSIyiD4dexnTUZDdHm+W+H3SwHNTE3YXZne5HwfH8Xea1souucZz3NH+v24+OZqZ1xrKHPDpfCY5QGr40naFI9PtT6a2jXe2ANQnjdFMb+T7rOMDAAoxaGdBvOqkzT6Bf8nsQn256LadXd7whz0mAi9MYQFVi6a+zrsCfDsTd4ZhPhKwL0H3DaborEICeU9LE5x50JcyCCG02mZ9rYBEcQ00upCOPWdAGOt4Cp0eOc8ZG4SCDypOdmkE1ADdTpVGlPGFNtTkTUuXQI/yYNTfUvobx4tO+9d50xrKeVhPHlsDBAyiwns5Uzsg5Krt2Dy9fdpUMVMgOuCh4QLZredg2fedhBji5MQT7bObckZJzBNt498OQ7HKm3Wm4jW0zXsbmEWaL6LdlTqWegLdesv1MC+Hp72T8SSgMxxkoN2yhquUYuZubjDP4nImgI6JohtahRmbVYsxqlcBR5pLKkPMtYb4U6uSgh23xmSTQlw9aRz3apJmNT5FGsIeedrA3j1ExzfMC0G6BnZS0gFieloCivcGYDXQN2oBeURu4mLCNtRXqozZwMWEbSy80kJ0ol6ModLv5GbqNgjIuza9B5OYp9zbjs1hJoRub7qVs4tqofWBzwKkp7UUEcmx6TD2hrQrkb0gDJqq/8PUSnk8r1IAKjXoHdWx2XQMVgAKuwerEoXLIhAd8dw3neBum/2R4vva8ovl137SL1vttgfZ9Y1dr3OMkpM+X+eWiNkmfNR8LOGW7NljWPIy2b+3qLXa8TurVllE/Hca4HVWw4fv5SS/7hmZc2KyxYzNoailNCkYymJHY2HhqNb/kDAS3MgFUpFBdDgL+IDkI2DUHAfXKQcCLyUFwpWMABSuZJHu3i8lCcMVjHaR3Mg8hbY3mzxLyVCVkv3Miwp0MZ9omIg4UtuSsX2vkVsxfB/goVXXnAxGRxeMuImHBEzZDoCxybXKZDdRPV/rj3pSUsuBKz9Jxb15GmoKiTD/g84mKywn9gK9f5GfysbRy0zJF5FcuwD8Z+Zn22GZo2PzwkbmmkV/1opk+oYt5PGzWKPCzWFOrgfD4qPln/fnC4z4AtAv7LNEKddYB/Zilh6PpmNOOrGsKU1H9AVg+g6neBQhQJR0lMXhLVIGIN4QCVhuXwr9TKqTvIm2fzKdYGr6f1vqiZKXxdkPhT6h7f822Or/VZnXU7IEqa9sN/Hjsy9tTKxmfHvoJlrPB4koCi8nSf8Pyr53Dx5WLHZ75o3V4nacX6ewFT9ch0chWM6badQSW2pVpqUvd11DXpGbj7dELwS3qw754LjspafPhnobJeMC9YK88Jeko8Uo1j+Oe5XL0UzGna0RTsu7JKwSA8WU+u8fKxLs4OKauxrd1lk/zEElvFtpmv7k7OdCe0Hjm4WNLtc8Onwiu7POMzn2WW9DGTHM1U19Q6QCmVDMtWgS0D9mv12WmcfZwiiHS50+bWjOCtNglU1WgVRMWFMXpk70U4vBxOi8spERYM2hoJy1tV64McMqSVqFwhQ/ZvNfhsww6FuNN/RahlHekcxKUyxSrz4G6auOFqtGtejEtKZS31o0tfPVlhTPTsBlEWdkrTwda6HQyX+fuZMc/QQHa9hvltrLzGmc0t7IbbQM6vjKSJd6Uswb2VU31rMG9JELP5l3U83lXSYJSiRmdPPdosablaKDb1VTyywfdPgH0uZaSf5rjhpJbBi3HTvLhaNNOqglF2bWxUs2keGNnTk7Vvs7ti9+02dfZZsEld19noUQhJ1EVlvSsFZ+MBTwZ0gqfu2AmdVIqPM4aaGQHTc7RV1tHXu45ENoMvxRuZjJZRNo+c5KWew4SHrcBgHLRqdkEY0TtFhSRhMf5KrUb8gost1bYY3WK1NnJNxdUNT181nuaEvi4hhf4ULn1UJvTOrcG3r++PYoy+BehDNLy4sO0wWTLtOq1QZMdPUdELOjKnZUittxtUpkVgr2sEKjZoNKSyTBDnSd1aEDUK43DRheGb9cBcvL4MhvZdrx7/PjBWZ+jIq9ZBmo4E7KlkqHgNUH+2tGpF1rVcw4otfwoliX//6mUqH/FJdzuZKI3cxlT/btycqX5EMGmlhdKNaESrtl5lod67l5GnjPC7P+QZIuaFjx+xkRmmw8ML8Jss2km9Ua73GjuMhIgvWz7iMor2q7uCEDHXzbB/vMJg90zcrzFWWIB6OHjVUwpHDqlw/SUf39Kx1QYYMtr6oN/qDoI7ctPFJm4zpnhiUycrdrECZLOGubZ9FO0Mu/3hnxD18SwWtdwZNe+KdatjVws8UTAtaQCF7414JYb2p0mNbZK5Ir23dMXuRy38UT/JmAk5NJmQrLtlw6uLUHr5Wcyx9kR/wM= \ No newline at end of file diff --git a/versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP1/Distributed.png b/versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP1/Distributed.png deleted file mode 100644 index d96ca216b2fe23de6ecacca6544f5b0d0ef86778..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 31547 zcmeFa2UOGBwmu4oieN#JBHacSS_nx%>AfQ$y$PWO0--mlBB&IxBhpj^l#ZYjX;OlU zfYLz(2~FuC0s#WN^$YHEJZGOX?!E8bcmLym$9C+YkgUGunrqJa&2Q}+7j)J3F>*4} z(9rDDP**mfp`pjq(9jk#>;j(@we_#k(Cq%|qhjjg7T}1%I?$YiD{cRDQe4a#=k0S6 zu6$Bl+~40{#NNx+Uj%~#zk#pZaP}BSjD!95*WzO0V!~oDVHoTp41N->0G9-RiNQrs z;^OAp40RS_a$ps7=)FxW}BBKS!gS&)7R{}p{F|H2aA2kQGD-NpS?QZJ<{!w!F!nt95 z-9R;zl!%xJTuK5Vf|B~<8&Kt+KR2{>wDrRL)(tdI2OnFf?Kzq|iYwW=I_WwE*(>_$ z8V0&~;xxAB=I7w$jlsEZ7lVn5AVgr>U-$%iIBb7v@8E|)gFeMi!d1Wu+hc5k?qj@ymG zjXmtq2ydjy1u>YTyS}=H$pvLIg!ly?mkT}@b-i@p>V7DgrmCW%i;AD%Kx@altf&%Kk>PGe+QW~zRZYl_GEh%SR2|c)q zj~n~~`lPs`zN52)zqX=|i=%>*D?;g_fr)|ysN||DW$WZ&ucE7Ds%)Z$aWcb6Xt~sQ!@ocgp`2_T+B2;OT$w|(LMm_6(EJcs2G`I zv1WR%L0V8>pkZh803Q{1aVd;G+!TCdBo(0NYKzql0z#ySfhjBaIEiV%UExm3CiXh2 zDvkjtCvz|+gr-T5x}T%3qPM-hBw7=c)iP6ZRMB%Z(Q`Bx_w$!Pt3$#NsOad5L92PV zp_~zh4j45_arGeZvA=tehk_&0&f5f3L}&oXQq))S(DMmWk~>QCvi6;9ajVM3nt2LeoE&0>Tcd(R}?RJ zz!eldkU>gVe=mJCZv`i9e|x7O4YZ*a%)=F~V&HAAfW_#djFHM3rYfptzFrs2;R+2XKfEJjE9P{ zEdp-jpx|cWYhtMFYh)CN!}+N=1}W$nX@CRn>@TijfHd=xz^IrgAPsO%hOQW8Z(AcX z37iTTs6AFM&cp;wloh4w~lXW@hU4M&j!3=7AW0e+d;kgbo6%rlO;XgaVj}k``P; zMO6~(s9}N*K%-O?{ro&|N=_)Wx|^ASii)N=&?1U@V&{err(ma2=CnSs9| zRtg*$RY?VJWdzz6p`eFyanUtFJ4m7({0&@;%u%*xYCvld;J*1lc1#o33!e9nINVI*BuTvnXWd|u@(;z)%Wu%`e7VRtMY^Z34 z^2VTbO~jS718x00T~PME%1Ao{RS8{FaRUhnaXmdyMHg#mrvo?fKsv*4$Uxm7Pai+5 zpNp*o9PNp43{n#Jzi5gygQLBJOpqFIW6-U(x}7ps3JINECr>?$DbB?Nu5O|Z^90{{ zcn3)+2RN$e`0MB>J9ryQ1}Y%kOpSfDz1_@%)R3y$3c3>BfoM-~vnXD$ceHcV^a;|} zvzIWC1h<%~p=5xcDa^sn6s~S4W^dL;q`CCLWvdJ>74YL9_X_or z0l)vc$>Ay$i<+f0H2gFg$_f_)tY^ROxpz|K{sK{cIrGTQi`?{_H_wTMKP8-+x@L4H zW;gokbk0Z*wXU?l3m_j|AB4ZA>|AD`W}|@ZfchO>?%ELy3Y)| zRs5@iZi~*vC*NMNnGAN4{qeEZ5Q)UPjS{#0*Kg85-^&-&{oEjV9liPj{23(XNQG65 zKZs>1m;^ zeIU=T5RNL?qt1OL{8o6`(u7-$qC>qH=!Axjhy5|Ehe+=kNd1kW^x(I6S1#e3D*SqN zUxG-;;i{=`Sg5-Qb9(2v?mMRoSfKW3BIs#{$_4m68R!)0hI*3ARvGW_X@J^e@UaZX zn>MpFjvs}7qR052(hX558kr zcs*3riYh!O$py{wF&pUlm3_>#^8frI@>jt8eq<&_^Y{B3rB zp<2qK#^^$QT4SREb<+3uEUX!u)t3+E?2OJYb1kfXU12li(Xg)}gLmn4G;RRg*IF8a$2@-psKE!y{FsQ!fgms zJ#975sKyuKgk+IoH>6ME1ePLVc!^vA=ZS9-u^L!#;HVZ>5 zH7M!%z;-Rp820580{a!IGN2vaTlV1)e%x62*2^L5mCD{I_L_w#+w4?7M$y3cTJ`6L zh&LBfCZ(N*0_RKGWk;?bzsYbmuc-dx25BE^kXcu9vu>jdb^A3 zYFYKH+sL=b1N#d@W?hrHqRAG8ik(8b;y6vQ;ke+mgD7JF1i*qA2NS=q>)9B+lA7Zz9~_)F^fCE!os4IFix|5-dqlW zOb zAMG;7K69(xSZ?(s%93BUh%n7x9$tTRc}Q++wSDAy#!W^!%E*BRXw{20*QQbFX_6BU z(T|FaZ9eSt(YtI;s^<-3 zdJPT%LNAWTqmH&UER5X1$1A(^LJtw2Pj(K#T3UI$-DwNPu-C-O*NAlRBl)5!Www7N z-B3>kfh}%gYeh6RzeRtv)qC93M?|5C7-T3_*D`;T|LkcrJ?Ws_hRA>>=aT`Qu>X5EehSnImcuvpPg{zHLI zoitjQxF$4uhY+%cpeB<3^O+z*@21Z1iH|k35BDwNQ8h4Z&FVyJ*xJu*IUd=cPYy&u zdSgc`0r!~@-x$Si{rty=zU{l=A;YsOeN=_mm1CcjBJM4*C0|$>x{Nc$RWH?-q%Gx5 z>?!IiUt4Vt;|(Ro+FX6rYyD_y9~Dv-K5C2(tyGlY{TTR(9B0_C)alxyv+ISvpi(oR`n$8#HNDd@h-eOHRCE zICLE`e1I*ib1C9L@MDZe{+qeV5uhF%NXq8HAEl9>2(jyCPN}Q}8+;tPIr(az&-w3< zBkRpw^Sh-(dBbWbO!c}oyK*=i^LZ({M5bF7qs5M zxA`f!3WlsF*jxx3JI>e7(WocgDENw(cwJ3GFFs@;k`F5@du0CZsL9pFiJpy>VLofp zqh5*OCa(0pnA)!Ru%oh}ipPf%n{AB4mP^vzYE(}Q`8OvR;A`plYDI;H4m7VXNVb&# zb?348UJ$iHAPOQ01esMl7jBSJPo7A|?JpY&awQ>7m254J`@Add;2 z@de-0ZJSByaqo8fw|})iPQSLMTAjjwn^~Rx`zRQTl*|_Q4XQbGAi^32jhj#9gAi3W zfpL>nWkQy@Z^)ZP$QGdH(p!3%KU2S&*%|bOWAvcMI)T7Q{on)BPhxyfpvtjhw*)?w zE#Wu3&4;8IspGbxtH#EG#jB0E*H0bQGp3)j@j+`Jr4B_b(uJ5q11{t{b_`k(AEn2M z+XMFeW57GteyUbi@g6+rEchuKYWU5dw*=MP3ZoC|1%p`FJS+&O+NaK{Ej?}4&e+Ts7Tkv|X;qa>Hl$93 z`MJeoQC!z_8=c9#%B75WB;%mm<@ZPu)l~bQD?gvcG41;FA^Wz8cbZNDZ*Wg?7wr++ zp5(aW8Pxd!MJ|v2XpsI(y)iH?s9JH{8)1H^7QUn!xLxEzElqs!n)kcC+nqiH=JC0v zaCs@(9t$bgW7{U~t!X{dba+)h)R?^yhLy!+&h^?1M4Cuv^-@5??45)l?*Nx(mhLl^6p)1Fn8G2mb9 zyt%K?&pIhNJgf7 zjwSVocY5cMRRd7#lzVK6H`IpgxsU9OI1DsM%$*I`*n8RC68JGMd6^b7mpJ86iHl3k z&tO?NA>fe)u;IaV=hF(&5=JJjx`cM!yh@2KkQ*0H)EE&Z2r(bD~s;rNG^`=2{W zX~o}umk^z^`A`D?GhXF*(I;i8rrpQoX4Q!y!HM>gdYm>cgit*u$CFs6gQt9)pI7N1Mm84|i)yLG7jKZ`z(QEjp2Th%y zrVt`;r~5q%cttuBBC&cJ+Lo&KlH!bXr|I&_4xd~{zq=c<-#PC6czDo*k}i%L6zAtt z2^whaVN(e@CY^hR!D3+J4*#|%f8IFScvuDZg?6t8oX2nT?K9edVd8#p#j0LFa; zfNJQ#Z9;cj?$6I-*`?*$(u)G4?@lp1V<;LjxHpq1LbU$`F68|Q(sPCIC1U}tLEJsh*D(Y)9{qOX`^EwVWkDhtIebw- z7>JR_Ohpe*lcOqPuaPEPWo)L&O-y+n^1)1zOi{;iinsPg%3lEzL96kN+0|*9Om{Vv zw?4UWDL8-Bzmj98$bK7I<;bJXajdFk)~9-iOy2AVCR=-hYI=yV?4~2(WVT)GjA}zy z`H$=ZL8TrGx;u48d)j)4I~mT)Tt(STubMZ{`@k42xohaI?^622aW>Aq`a<3)`-BK@ z+jcMPqDA$zMB%+6hi_KxQ4rrtw+Dy_{fP*rywvDA5QA9jb!C4+Y| z?~4YJCyuW{PfVLdKUztrZ1*B+eJN@O!Ggo`6n7xY6?+c)L*SI`QK!3RdfuX$oqy&h z^H6a9q$^KtXVWPUPckDv=UxSLo>=9QV)0Fzhi?KTw|lXvs$<;USSD6}L2^-m{=FE( z2_Q3vZqe^A_IrI(RKD-W(W+JR_TF=$*|GZH2n($85*%0XrnWxQQFc7FV*W&rU%doG zu)l8-@|P;i{-HiFX~hZAiYW}^rh&sXVf)~oDFvtqmM7H z|K7vYbS~6(jxh487b4wRZsy_oZ;B)Dl9^95@ZaJGnnV7OWaB{pxf&YV>}w0#Tbe4O z8WG!ILi70&11CD_b3S{FFQtC4sUdK?7s5_sN&cFsw^8-CQAgFI6+l37=|T7jkL#~W ze1mE0bq|beZ|QlfI6C%gg)~p!GE3kYGc5i$3QoxX4~OhOuW=(+3&JU-EeC#6%Na0% zQB&+a5z$f*8Was)ZL!%8g+?Zq$lulEI3eHGqkfOz^>QBHF8vV@KdI;okYev1r;L5n znjYk=Hkb~6Xf}0@OqrD9gCb`8xOB&dT|Xu;Dmz5p`4vp73(7qnV%26i6{0c~qU54l z9;SPLYRJ>7U{b;Sg|Dpkd0!rnEotpLVK(N#(se+59*|R@qT>&F4DJxysvIxsyV$;a8ySj{gYoD&wSFa3l zA^R>xLeA>7rCuAkk1O??8}nguRUi`JhBtG#Z&dHu%)?HYTnGcc@zvg{354wzx3Yau z477Zy$09i_wzmmab>=L=Eb&WJ5bwoo;v0%x>jp6)Y;SS#QWmQEG!(kC$!eQ4KTw?H z`}4EfwcNs*bB$aPvt`4w+#pUlvQ!urQaS8rET z&c#0+@6JlA2;;S6H(&i>eR6p^#yQUDfnI(To7_P8_yY^1PI0!}#*Y!!!T=RgmTZk} zf?mEf;a~y-h)aqlqb!r%D>3CiJG2^r)6UB#Y~EG%d27m~ma|QAG;TsCG}vwi^5&=W z%dE*i^uh)t+J`6;DAZ)=lwta#GT8E%pq$i9#bla}5+T-xVkb%d7MYx&VeQ*(q;q_v zo=Ft@2wiMeG+(oh>{SMPeN5yNhgSaNeXy{XQt<+PAYjI|U-DbH2UzVW6o_Ezu#jsv zr)wRjq>(wh@~?sL`6v{F-D6_usZz4bE@QQ{Q`dEq+yq5dionjGT!jmg6nw)*<5AH- zl0T2khizTXKz^6ZXZ$pPD=kR$#Kh_EV7SM2DP2fd)?7MYI&%mI&Oq2u=_1_xmCu%t zaA8-_#AZ^^+~yffSd;{QAUP@RNyS0DV2OMANVH=p@y7$OMyG=bEa}dhD`>v;zJ>dR z!I_u`P0>cdK_@o{11D2QY!6&ECE+*nO4=S_I2yy=jNUw755*ft2~vV-0e0ozpT3(rKMG3)U$8B@-Uo##Ee5dp%u+5#OdHBITAae)(Kpeg`xHO>btDkFH z)*yfi9(fWB6FsY&@O_UfZ7N~N@8!2y#Kx5KDb7}+qnk?MRr-4v?y+2|zF*RIDo!fLY&9`EqVL4?cP@J!`eUJ(R5moQrk|JTEu`6XoQqCX^d| z@o{|FaeT!oo2MKo>V2g2Ey~1jIw@sR!e($QQ#9no>N`gY*#R5c6y5i8>#OZG9>)UF zv=R`0Lv8V<^Jc($ZY*L$4)!c@rz>(_%r2g@+i1?NvfHsNGasne+4TrST(@MMWg15z z{J~@DMK)5T{qhj$ksvI)R(A24MEAIT=L!(Pggxe~8hhJqk2BsX zJ2)b_FXA9DDvm!slJfMv;9R=Hofr4{l5(eqPMKT3SOO3P1@Yv5`kawnZNYV*MOVAb zonLU-V&$7q6rjO+AKXsgQ%A+=2)zPV|bA>F%8YNWSzb4h!LWY5y$CFa^4qM>o(yewgUK-eZm??O?}wp$d3*xXft>aJ_~PNM&6OPqotm}Aq0kZ8Ix0W(oSy!}o}!@-W|PVtA6Qn}rOeE{ z3XDVT3koi0I0t6-z*oR7R+gPvECh3|vHg574^>aj9I?O_tB|Vgh@Bu9tA@7s&5~Q4yT851K`To)HZ4&!;yF+ zg&d+yeE*2-`I_ALQTP08mjstxUcmlgm~kn+N~Bq@cV4rC@7iKwZPjYzVW2FmNctn> zFU91~@B1D zqMElRP_;(_26J)?&OBnD#bgQ>!s>$eOB{8O}7&sTiVAJyfRID z!PL7->}C8NggDVw@0AI@rnsxcQiu%`GJ(aKc)pR47$-+cYR7KcSyT3BlG!N)8^Yz! zvDRI|d%^$$)^I>hx-mf!U;ANY;hJ0(#c-^tl0ApX7wssa#U{0D-8wRD1*E=@ zoTa=E0BpAlN69!;?8z->Oqp?#d$Y=0O+GRHxH4hicQU|G4v(X1i1Cg*A79B5JUQjS z^-^w(w>$>6e%EhXZ|H)KTX*8zBenGACy=&}8}KC|vv#W^v3OGx@!J7B=3KUR0VNFt z{~Jx&ZG?H6MRdY^kav>lgoNXg8&g~I6Ll`a+0Oy}R6T6hFb(Dd{6*Csz+ zrF}VP#-kUSH%20KaI}zIL;NW3E>h^$^}`7M?mA%#o2Sr?wKI}17%WQea@8NX03Tjt zO*XPGlMj9XfM(mzbJ06jApfZ0%+tBB72|eaC)fAgcgt$*?*w)MtNHBRlXECl?}^Po z3Dj)Kb0;_3FT_Brq9s1Wx%guJaaHMd$f4l7oxeJLR|2ov-Fd#fGA(a(`n@08KKRY; zYp+cdh6Z9hrRg%5iiT9nT)ne^?My)$mn4jD240l*7CU>QgSi=q7?AGkV+`mbXN+h+LenS5>g z;1)?OwI?tE;dA!Ve|Z;wxuyRn-O|y~QClxBud(M$>>_((*+qF*DcjjEu*KCB$=dL; z_*+49D=`bk?IG_40;jbElGOGAFJ9b?5SkHJVsscceLd)PPN}$Ob+`8sqm5JlwHVh& z|D9vmR-p^O1;XNCN1E+2iay2YCmg;`DMdH@6{q?uIQc&ioUA9410JTN9Ok+Ec8ngt z-Sv%)R|mso_-+Kv`CWN2=|1W7soPV@_&*b)KAy3c`CIhuj_-GAmIkx2%l;x=m@w~_ zkCniqo3_?n^HAwB;(PgyJ8S22CzmI?KrR!){sqC+{&=2bpyir4T^C$MKa$4RT!}}NHj_0{CcbhXwu?{YeH9(D|ok>N~Y)x7YmwOABqh zE7#Sek8y`lh^f`GB6}lF)p7Yw(L{IwtIDe3juPEwAqYDHD+=;3~efJqK6Xr&LsF=%c~4kfF@XeE3^bD!boX zFS}Fps)sJ|ao&i(%gmt>zJxr)C3tj!pISj^4}BiUw>5JLCs!YW$}d~9O5A;65FYaU zL#gNI`yfr?j1G6=*VEL}sb|zh@R>C6utbbghdEtU5vjhw$RaLQK8I%gLeAmlqqjus zf?81a^z^1`gK{N|%tdUEVUDS^gcZ$jc0cRB%SNBHvovX!pPcE$tC*Ytv0@2NOTTPt zY5yGl3XVjO31XR*s^Pk4p}vjjjjy3^bFo{!0GD4!qi28WA*l4=iz{PxmW-b`yp#L{ z@=w+=ofn-kf7MjZ@QktOK&GZAH{B{&_+TYf`EcLH4R|gMtt(jbo+JFBh4cZolTpNh2Q;EHRYk7dY@^3+ovD+( zcc#gcVGMYbi~EkyQkO7~?ym*^Yr#`BwDt&@m!9GVd9c(ZX8>wAJ+!{i%zGKzhpXMF ze{zkNa~b4szVPUdi_}8AAShl2Dk6?o;Qnb}Q#^V*+CG99;sQMbKP74QECa%CwI}K z9q&s$^mXY2GUiTv)-GWIvaS0pBKEm<_5 z4rssv6wR~whliF5{G&jyYmji~+(DK^sI~{B&aP=VeQ>19L&1aSOhoEJ2!neXGZ*V8 z7IRqvzUwwszEHr>I6Nl}(vc7NgJkZHC-bWoKa50kxqGaZ_DRr*SiQJV(2z`n>#BB0 zSv3cWNNDMXRSC_?4R5CdiH~w0xfYs%VYT*;4xB$OwqAA~1R75Wm-}QXS1_y5Rq6ZR z!)CdN)CIxyXxT3mL)8QiB*w%((ke6t)n2_At$%akk81F8pBI`HY@(pr${ox^|4x8( zv%joEbe)05oz#%o6Ejii3UryV_j38N?jA7i###ZEEym2rc{Yo4r^|hEv@1AvL%rUz z&*}qdY!*%iZ=)_!tKVqI?6@-V^6%4zs?UI3fD*ucHon?vP3}xAFgnxQ=}$ZKd_|_= zW1$w<1rdix*BAQGE|f%T#dm*1^a_D|j8m7leRTt8iLi!0NGrpQNiaHw=Sqv6dF`mG;0;03WS-BIy|RvMmH{Rar9Fy12N+3~=a&b7dSH*_@Z4 zEK(p|#V)3RFE&-Ji34hN1^`6PPT&g-q)UmXp);o&T6Rj~V97awi#pzjgzpXQcp3*t zAD!THb{r|Q<6zO@OV#5)Mz7hV(KsCs4}TC|wvmK?c;RH=S?;4qPISjDsCWxQz?byu z*2FvivVBgp;{CCFkE?yoaT-eEfC2J}!@|9S{FUJ%9Ua4A=5L##2ad>57U`jpmeNYqsPqe)>J@aFjDmu<6TpmU{x3&13*dVGG4hSvsT6JGGwb9zo?^Lng zWaf&8Vbt+}d&7yAz?<%5ILrbXPT>6C&~T*(FTfq5T?;A%q}M(tus!;`V0-iYT)9UR ztI1VET`33hTcw*t%Pna%I{=BvX=l}}=+MNM{`%2+OWr8)F9cmXL9{t*h%|0APy@OMCi4u(Hg`AbbV@wMUV~gfO{{ zpPk9Mmp>S$9g-#9(7TH0wS-eZ>ia%i@F-WqeCW!XA|jsanrQF{lP#1~T4K{Tyi&6g z1>wabGbQcro9hq(MRxIa!c~Y@Ls{#s-H!`wv8adGBgO#mU3hXJsAfOl5g0>g=N;2T^)lc5!V!Yk8q(At^CZqXNNbJ%Nii8vJGHcML;*bHs)z6^kvos z45`Fzx%V~e(yoMq^ICN=j?lb8Iz-Z^EQ;g%8Th}c0GU$+GWSyLbPBv(8qOU!cH7p@ z?if`I0|+@7K&|k4LQ`zAYENdOH7BI17jjIhb5^g99aQ5!n6_|L@M`1%S;?95(VMNX zVF18FV7*u;pcdpD0OX00J6a-pT=R-msoH)TV51X#0mqA1Cz7x2I3O)n1t3M-Bdi|a zCN&g>F6B;OUIOH_a1~cPvJ9{gsYa;~faWqr7LY!iE!@jTuG{@6t1m0rozt2aV zFG-)#Y2~Xw?vX9HhD^L!A$E#s$WnL1G{|7cqJ0g)Qd=7UCf>U~TV_KZ=&k9YtXSZx zU#-p)-xpBXCE-ni4Fnb&;*AnOZpwPk8rB1HCKA)tyXiplvEBO>AUoP+_+^yvu4*P;T}8#BjURWXeQJLdXnyWVakyfppj+ zIlV9L^7@zIAqj?6DEs-@PSyVO%)%#Q0YeiO9S=+ygg{0^OYRMQN_p7kHITj#_zIe? zSZ&>@b???JpnhJWG)J(2a08K;TsZYg!qT=Vlh**v#ciS%qDA4-m}B`2Fqau99=F57V+GTM*yiU-#L?CT)do zu1;Rtv0suucq!M$O_nhbbco;!sRBf{NAr8X06NtpK%!uA5KQqd4l2czC3+9O9a#N6l0L<=ka!EVP0>58ApS-_r#6jANW47&P}3|3B$YD(uFR!d8e@y0N%y~xi971 z%Aj|0b`u1=XPL3J^Z29^(RYc%qlo78*YU+ZAmMVssK*h+fMe12+cjN;kAC&luuf%4NrW=|(%p?Qw9tSAQccL|itXb!!cc zHE$AZTK?)kynDmw19`X%5Mi?Ru+@gmOyw53Z=P|WNREvH;+oVJ__3`}(wNe6kJz%1 z&4u>NAyUXDr*R-xW@7XKv1JS72z;3+yoj&W4J5UqP&PmLxV+EL6e*DowkYkFvTvLI zxN+)aLO2sE9~gCA6;+t-0=526!nDeGrz&R@@J`haf@$dc3LO+I9*n zO(z?}ISG-5fl1W=CD?m9l63GL@ZiV4f9BBo4Co^&Hvk7l-n{M$AO^#pFfJNPy7dDR zNj^t2Fr@Bn*UFr_>dDLjQk#)619!X^l83=zs9Ga{ec-U7S~u9A=7FD*h8VN=aV3P8 zK^$CYAg|>vCl~rui}3;`ttrl}^nnap?OW(_?q&m4ntU47N;9>t{+KeG?=b+T7yuEB zX=pLq8>rdKGuP}Pg;yh4g;qku=;Z&+291UGFT{|7;+dKCaqi;$H zfanrJrx?l>fD)>vdiBrH6sl!DyAcVvEw%`cnd0W?jpZ+*(hGGvj?U?T3$-_r(|*RJ zfqvB=@RsUSe_6I|RLl0)5_pEyfI7*7jagiFKwasv_=9TuQ9}V4YlwS$>!$TJ-0T9u z^{}rnyu5uVnAF-DaW=oS12haQM@Nzt<2J9d^5nPKrFdY&Z~Q)V!Y1WqVzp2Tl!G#K zdEO{NjY?XLSlwxC>DjbEV6T--37klhz@K6R1AH7wH?+nDG<3`-$WDhrB=5%}V#6$G z*Zfz;)^ZileB`5k)nk3} zTfIvK8%edAFWPiz=q(vMwoqY@R&(!(JfOX+OcTM&_)EeYhZxna$3qt^t#8EY@?;Jjj5tj`qjE}H}Jr{v{-30Ri16(NhE&a=F&+p|2hxhM)+na5LmBY?V3%tNA;~g_5E~R_p03XgC z8Yw2u;XYG5?5OPa0fdx(ZiKiP9m7Z9k=i^nOh_+11+)qco%psE5ch3JoM(~(3F{2} z{KDUsqO1mP69EC*jJiDgz6lC{2!K{DZu@j=e+74-7syMe>hWo&H>Jm+*5YA5IKkAk z)?v_d29HmIJ;?$}Q{!I`8{)P-FySSSQ$6+nu=u~3Wy_trzpF#)O=Tp?Psb0;zWiN% zgkALL!Dy+xELV5MU)9ETgFs z_K(i_FBSIpVT&aId#O-*p@jq)9slgh|Ec)DnPuWh!OKt};+OuVS{b?4^7Qf`ifq2G z$mYdoNErBUZEw*7BN3po$lE86WnrzpVAlt5*2Ip3Vc*u3`4#(Mcn3u@Fmdm@_Sw{k z{%M{O4pf5z5&kF9QbKFLyG_+77}`S7nU0%KXhZ`4%oQkeq1k4tVEtqK%eb`laNF5&*7Fo75{g$)Y4rxmQ=)UZ$D&RRkxZ{hciHu`-<~Ytw9DP4D$TjTO^cg z2{bQpTZaokXJX$ypiwSCD&kmb5apT5kpn=oZUNZ=*4^C~Ts6Tqf1YOx^)h#*`Lk%@ zAKp4n-Omm>Yn#4I9;h`C3F-w$%xoZmDp3RQ88M(!_2F2X71g%+pWQu(4OrCJB6ng4G0 z`EtuML$XJ~!zTCPo(Hc(qdNDzyRc`vt;JZz>2A7TMLjjAC4UjkT2?yWvC`fW#heBH zFX!C*eQbeYcPMU%zr2|WoJ^h z37=AnST+$$4q)g@FRr4|Xb=Lk8zV`1hSKI%zWl(nggt2^P+%lu(IlKvi9L)Xz48(e zq0@&h!rjKy^OryEWYK;9{y&sFN8SvqV6N}#>blqMdy%g<$0Ls*^3^O~Hi9QL+&5IK z#1tZNVdguCdBOSM%sAM*J|tM+M7_HU@+o(bF5Cu+jSO4b-XuRf`Z@&cRr`(7IE&zqIXrM5U;I)-v13!J-bP_erc`^YS zZ?Hy-$W4cFSJvJ$fTMbKET6IYjELxrVieq-W18|HY5dM9s8O4NH$Ku(@0lU}iTRB; zrp>6z+V!klZuv}S2dl(NK+mc$Tx%{}>%2u%Nsd!)c~6@(>_HN3Zhdh~3)5xCwQ{4xj%B@dBIp&!4+>ztG4sS0dnd?N+o{64L_Qyy|CZZmGjv)A!D`LB%t<-<-Qi zEiS##`0!Sh(THi&c$C$1kLbPV)M4?GF_d*?YCgfNyTr&6*JeyQDMI%EQf(OO2q9{;gop%E&eM4D94QIq4Mk0IU%y)U?8e`A=j&E)? z#%+x%`~W^$oT~fKentd@@Rsfbz4i??EHs>wgo-D6%}hyBi!au(pcNOlcirzv{Somv z-_VwicZLJ*`@N2FGHN&Wtd_E9O)O_HrCwqAkRW+&30Wz4Cpb~(vRP4DVkDg#^g70M z_9F{A=}6HT?%eXKA}2O&!jGO+oht3(hCIMhwAuSIV+SN_uQVgeR?VeY*g*yWh%@eh zb_MdywWj((@oL={qtxObigQOzq2eEQ=*8`MZ?P>uQH)OS#HgDWI%+h~eLyb6KD4Xfr0}P4%BCcm>ysb8xJKj?Q9znwi**Y>P=0 zQM_q?2_#*xcQ^OjQ>AO)(1h!_wk7>j$PC+`N1bzuiRcR_P<-iJ=1pqx)6E4p(bVDx zqyb`pGm`uxsnqNjOcgLjYNlq?HNKnlCQ#^%eI4$zPxWioXj?)HW})iaf9h9H&LF}Q z-W}Ssp&B|@DSgGr$}H(ZyYZp}!5m1*pm=)b!$Ws{C@Zi&uXym^lx*29A$=>R*gh0wz%c6+B4+oV+A6O*t7n z^jb|lL>~M34C3!qtyItNQ{(ZyNN%y&JOl-$pG-dE6|)JQ13~(Qr1oF|2+erWki=K! z{P}4S0Cb^<^m9w5C25pvau9e8tfT?3QqmThdOWHDFlmn65zVETHnA#j z*)rouJQ3FonVA7iXI#H$%A~>9drKPO4cH~!1yAr{00xe8C>&5HJH_FR~jy^iX=wpfCxp zQ4g?Cqzq9RZ_l=r*z80k3!QMN!#zUhj^!u6k0)q715MlQ9v4SE!-y>^f|VkYiJ>Qp`txRq%pgm zumruFWs_x402U|<_PU<&>~kbO%jQ#p)Wk#l8D!Ib5MRc>c#sY~$TkCjj**Dnyv{uz ztuN1>9N^DLBTY#m@ipsT=cA#Qn{+gqUM)cZ63U!^Ez4G+B9rqNhvtz46+nL zaIOkUkL=OOn1Uq)YLoQq`T}Bb_|f>f+iJZ1!AW7kjAugQrsLpk3=qYRr2m0Rx!c;P z-C`eFZS#+Y-iT}6y4hMpp69|)E5BNc<{CKX{{UYT{h&LX_xLKzG4DE-^;WEPufP zd?eZZ`d9CEnN~y|pnHyh$Aq{~&p!}sng&l_B`0f{VlwY5bJ=&12B+Qc1>Ib|G5rIa z9Z$)nE<+Vf)w6O9B5h~pil#f({BfjiFMG>h?GzT%Yn9#C;^Jur{TG2g`7+EV@LELJ);In*yY>6@qcL zcnQtZ?%?<P$2^TjJ@bWEPuG)K}AJ!Fyq0;4!&|T1rdpRfrw8xEjJOr}U zDg44|E`2hGEx%H|@Z(E0-S)%;1INlN`;#CmP>gh}w3 zld_**b?Tmv0~ zw0X>zE^vO6JeoXVKrywakkORd$O7*l^Bh{MZ7?v`$HM{nAXjAs0FfW^1{brN<#feD zzP^%%P2{KPou4gTczYnU2qWDrcs?_}-++rmY1Hze(F4Zt-+sP2Kj2p0{a1!;zH`N6Hcq^aJDy?b) z*;|)`?+79BcBDz3`2aQQ^NHYTvAKzqzE3fHH>7_&yIT*D+k)>wdcvIq`$%py!NxTu z=;O0L5%hxXu(86gA4*#$?svR| zvDNAcZT=iTe~22jJU?bP+r7wxPMeaF9S{5#u^Z`%2;Kd7ETJb9KEs($*#AZ(KWqhQ zBdms3*?#Io87*Y=zHUbWFDL1 zAFQ=uLdYya;&8KIn@A0rFtODnSm%hsLr*G7Z1L9a77Bg42~e^DiF)Y0#EIBtw31K_ z8IS*{ug23IECCPgHKLpi*0OP;=w{8n{!$<%xaso*hP29|7^N~N3tC(l>035^F(DEIaT{KfCF#WL6|!+o^L5G%oo1dIDhOic$qCJwPtmZ#VW&! z(vtd$0%d}MFh8&D+bcWIBx=h{c9U)hru7A1lnQP1UDm78PY9DZx}pY`BUvRI4O$lJ zx3BzDnBq}y>jt1JY89TDOMgRMgR0($f)pK)FvRjm^p;|x=MW;+JM{Cq(hFu4ZedZDJk5mQ=|TF;3=^G zUegXT$Ea2*aOhgcMt{=M0UI}!12WY`XRXeq0cT>cqh_Y%@8OGA_tT9mmoYyWA6=II z*RD_EP~zX3{ckmPJ4u=UC12?=?19Y=uwxmpLu_Z!|A zr`!PJB`j<206^r$;g^ggjXeWx+l3xBcIK0k1Cs2nnE^MshQnTM_shjsF|PM_{geA` z>O&KgKc2hu^hZ zC8`zWoIT6(53b+B2Gtpbys)K8c&Ab851@T=e%C(ddD?$#>$z`j4p38Y<7Ng>Fzxq( zkeY&mEM4Z3udMwYD|4h$L0p#g_qZ%3&g=$DZwUx1tDNfv-b&Edj@9X@0ML@-?=5Me zwN0z2BZ}(m?H_rk_onL`_0cKg)#4b7fkgbnzn?yx$nfHGzGusi=(|K<_4CuB)r;0A+LkUXY$-E}x zCClkeX%}R5tN%s8HYIsQ5Hig+&E;F+3JmO({W2A*blKW`)Ue(BrTFMCcw?%QWF>M{ z3<3U3NzS#Cj3wt-_5*UKV{vQGV z-{4DufPV=B{@;P7{VUY){|K7)ufex}hZ#OdnfWcD=08qj07yDvJF!Ej4j}2Ar*<3% z34v5?y+qcCh4RAr`5}=7P`V*1c(vxwsNn-v2)^#6`7=-pQUKJb=;*VZAO%3{{C1Z4 z-2!m`mz45RGXSWm?*Bgf;{S?d4f0~hpXVub777X%(Eb^y1+%?L#ehLxSBPz*-*zg! zfYlBF!(-&A836y7Z~rTghpIQWb4*B30{Mp>wbF9b43Ph*_`gX>G5dd3vii215+eqkw)ZG-~#K8e(+4XDQG4=YXNA*hcS3=^vYw5 zH5wnD{>JoYL>Q=b8q18Cw173Yj3j6o7;qikuS0roPXH(8fy)bau>n^PT&e@j*>hw- z)|POFPQvc&XP{+%Q`v$2OVB0?g359Da?_I(?CWT7EQ|r33@HFw#L2*v1)52}>Hu2t zkp^7Cp?_)Raf~$@4^Mw@#qj5bHJ}W)i|qr(Iw0T@0E}fZ!2U`JFL3q1(!Ua*6##_R z^NcS4fv+e7l{?#if>$lkr!J+e{v2KYGrIf-yo7UTE&my9unhLqrLdz{q#!G8S(d=g zU%65+SN{0zUZ3Z}hgiQw0XsR<EXgV3qJHRtMMvH>c zq5!EVH~?G#0|Z$`MVs7%leHif(hp$?;I1d&y>I{2&h-cy2uR4w^WU+TJ|HXvtY(0V hmmM2l{(kv|4&bHO44$rjF6*2UngC#G9S8sb diff --git a/versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP1/README.md b/versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP1/README.md deleted file mode 100644 index 0fd4bb63..00000000 --- a/versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP1/README.md +++ /dev/null @@ -1,141 +0,0 @@ ---- -slug: /MEP-1-distributed-metal-control-plane -title: MEP-1 -sidebar_position: 1 ---- - -# Distributed Metal Control Plane - -This enhancement proposal was replaced by [MEP18](../MEP18/README.md). - -## Problem Statement - -We face the situation that we argue for running bare metal on-premises because this way the customers can control where and how their software and data are processed and stored. -On the other hand, we have currently decided that our metal-api control plane components run on a kubernetes cluster (in our case on a cluster provided by one of the available hyperscalers). - -Running the control plane on Kubernetes has the following benefits: - -- Ease of deployment -- Get most, if not all, of the required infrastructure services like (probably incomplete): - - IPs - - DNS - - L7-Loadbalancing - - Storage - - S3 Backup - - High Availability - -Using a kubernetes as a service offering from one of the hyperscalers, enables us to focus on using kubernetes instead of maintaining it as well. - -## Goal - -It would be much saner if metal-stack has no, or only minimal dependencies to external services. Imagine a metal-stack deployment in a plant, it would be optimal if we only have to deliver a single rack with servers and networking gear installed and wired, plug that rack to the power supply and a internet uplink and its ready to go. - -Have a second plant which you want to be part of all your plants? Just tell both that they are part of something bigger and metal-api knows of two partitions. - -## Possible Solutions - -We can think of two different solutions to this vision: - -1. Keep the central control plane approach and require some sort of kubernetes deployment accessible from the internet. This has the downside that the user must, provide a managed kubernetes deployment in his own datacenter or uses a hyperscaler. Still not optimal. -1. Install the metal-api and all its dependencies in every partition, replicate or shard the databases to every connected partition, make them know each other. Connect the partitions over the internet with some sort of vpn to make the services visible to each other. - -As we can see, the first approach does not really address the problem, therefore i will describe solution #2 in more details. - -## Central/Current setup - -### Stateful services - -Every distributed system suffer from handling state in a scalable, fast and correct way. To start how to cope with the state, we first must identify which state can be seen as partition local only and which state must be synchronous for read, and synchronous for writes across partitions. - -Affected states: - -- masterdata: e.g. tenant and project must be present in every partition, but these are entities which are read often but updates are rare. A write can therefore be visible with a decent delay in a distinct partition with no consequences. -- ipam: the prefixes and ip´s allocated from machines. These entities are also read often and rare updates. But we must differentiate between dirty reads for different types. A machine network is partition local, ips acquired from such a network must by synchronous in the same partition. Ips acquired from global networks such as internet must by synchronous for all partitions, as otherwise a internet ip could be acquired twice. -- vrf ids: they must only be unique in one partition -- image and size configurations: read often, written seldom, so no high requirements on the storage of these entities. -- images: os images are already replicated from a central s3 storage to a per partition s3 service. metal-hammer kernel and initrd are small and pull always from the central s3, can be done similar to os images. -- machine and machine allocation: must be only synchronous in the partition -- switch: must be only synchronous in the partition -- nsq messages: do not need to cross partition boundaries. No need to keep the messages persistent, even the opposite is true, we don't want to have the messages persist for a longer period. - -Now we can see that the most critical state to held and synchronize are the IPAM data, because these entities must be guaranteed to be synchronously updated, while being updated frequently. - -Datastores: - -We use three different types of datastores to persist the states of the metal application. - -- rethinkdb is the main datastore for almost all entities managed by metal-api -- postgresql is used for masterdata and ipam data. -- nsq uses disk and memory tho store the messages. - -### Stateless services - -These are the easy part, all of our services which are stateless can be scaled up and down without any impact on functionality. Even the stateful services like masterdata and metal-api rely fully on the underlying datastore and can therefore also be scaled up and down to meet scalability requirements. - -Albeit, most of these services need to be placed behind a loadbalancer which does the L4/L7 balancing across the started/available replicas of the service for the clients talking to it. This is actually provided by kubernetes with either service type loadbalancer or type clusterip. - -One exception is the `metal-console` service which must have the partition in it´s dns name now, because there is no direct network connectivity between the management networks of the partitions. See "Network Setup) - -## Distributed setup - -### State - -In order to replicate certain data which must be available across all partitions we can use on of the existing open source databases which enable such kind of setup. There are a few available out there, the following incomplete list will highlight the pro´s and cons of each. - -- RethinkDB - - We already store most of our data in RethinkDB and it gives already the ability to synchronize the data in a distributed manner with different guarantees for consistency and latency. This is described here: [Scaling, Sharding and replication](https://rethinkdb.com/docs/sharding-and-replication/). But because rethinkdb has a rough history and unsure future with the last release took more than a year, we in the team already thought that we eventually must move away from rethinkdb in the future. - -- Postgresql - - Postgres does not have a multi datacenter with replication in both directions, it just can make the remote instance store the same data. - -- CockroachDB - - Is a Postgresql compatible database engine on the wire. CockroachDB gives you both, ACID and geo replication with writes allowed from all connected members. It is even possible to configure [Follow the Workload](https://www.cockroachlabs.com/docs/stable/topology-follow-the-workload) and [Geo Partitioning and Replication](https://www.cockroachlabs.com/docs/v19.2/topology-geo-partitioned-replicas). - -If we migrate all metal-api entities to be stored the same way we store masterdata, we could use cockroachdb to store all metal entities in one ore more databases spread across all partitions and still ensure consistency and high availability. - -A simple setup how this would look like is shown here. - -![Simple CockroachDB setup](Distributed.png) - -go-ipam was modified in a example PR here: [PR 17](https://github.com/metal-stack/go-ipam/pull/17) - -### API Access - -In order to make the metal-api accessible for api users like `cloud-api` or `metalctl` as easy at it is today, some effort has to be taken. One possible approach would be to use a external loadbalancer which spread the requests evenly to all metal-api endpoints in all partitions. Because all data are accessible from all partitions, a api request going to partition A with a request to create a machine in partition B, will still work. If on the other hand partition B is not in a connected state because the interconnection between both partitions is broken, then of course the request will fail. - -**IMPORTANT** -The NSQ Message to inform `metal-core` must end in the correct partition - -To provide such a external loadbalancer we have several opportunities: - -- Cloudflare or comparable CDN service. -- BGP Anycast from every partition - -Another setup would place a small gateway behind the metal-api address, which forwards to the metal-api in the partition where the request must be executed. This gateway, `metal-api-router` must inspect the payload, extract the desired partition, and forward the request without any modifications to the metal-api endpoint in this partition. This can be done for all requests, or if we want to optimize, only for write accesses. - -## Network setup - -In order to have the impact to the overall security concept as minimal as possible i would not modify the current network setup. The only modifications which has to be made are: - -- Allow https ingress traffic to all metal-api instances. -- Allow ssh ingress traffic to all metal-console instances. -- Allow CockroachDB Replication between all partitions. -- No NSQ traffic from outside required anymore, except we cant solve the topic above. - -A simple setup how this would look like is shown here, this does not work though because of the forementioned NSQ issue. - -![API and Console Access](Distributed-API.png) - -Therefore we need the `metal-api-router`: - -![Working API and Console Access](Distributed-API-Working.png) - -## Deployment - -The deployment of our components will substantially differ in a partition compared to a the deployment we have actually. Deploying it in kubernetes in the partition would be very difficult to achieve because we have no sane way to deploy kubernetes on physical machines without a underlying API. -I would therefore suggest to deploy our components in the same way we do that for the services running on the management server. Use systemd to start docker containers. - -![Deployment](Distributed-Deployment.png) diff --git a/versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP10/README.md b/versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP10/README.md deleted file mode 100644 index 6811cdc0..00000000 --- a/versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP10/README.md +++ /dev/null @@ -1,197 +0,0 @@ ---- -slug: /MEP-10-sonic-support -title: MEP-10 -sidebar_position: 10 ---- - -# SONiC Support - -As writing this proposal, metal-stack only supports Cumulus on Broadcom ASICs. Unfortunately, after the acquisition of -Cumulus Networks by Nvidia, Broadcom decided to cut its relationship with Cumulus, and therefore Cumulus 4.2 is the last -version that supports Broadcom ASICs. Since trashing the existing hardware is not a solution, adding support for a -different network operating system is necessary. - -One of the remaining big players is [SONiC](https://sonic-net.github.io/SONiC/), which Microsoft created to scale the -network of Azure. It's an open-source project and is now part of the [Linux Foundation](https://www.linuxfoundation.org/press/press-release/software-for-open-networking-in-the-cloud-sonic-moves-to-the-linux-foundation). - -For a general introduction to SONiC, please follow the [Architecture](https://github.com/sonic-net/SONiC/wiki/Architecture) official -documentation. - -## ConfigDB - -On a cold start, the content of `/etc/sonic/config_db.json` will be loaded into the Redis database `CONFIG_DB`, and both -contain the switch's configuration except the BGP unnumbered configuration, which still has to be configured directly by -the frr configuration files. The SONiC community is working to remove this exception, but no release date is known. - -## BGP Configuration - -Frr runs inside a container, and a shell script configured it on the container startup. For BGP unnumbered, we must set -the configuration variable `docker_routing_config_mode` to `split` to prevent SONiC from overwriting our configuration -files created by `metal-core`. But by using the split mode, the integrated configuration mode of frr is deactivated, and -we have to write our BGP configuration to the daemon-specific files `bgp.conf`, `staticd.conf`, and `zebra.conf` instead -to `frr.conf`. - -```bash -elif [ "$CONFIG_TYPE" == "split" ]; then - echo "no service integrated-vtysh-config" > /etc/frr/vtysh.conf - rm -f /etc/frr/frr.conf -``` - -Reference: [docker-init](https://github.com/sonic-net/sonic-buildimage/blob/202205/dockers/docker-fpm-frr/docker_init.sh#L69) - -Adding support for the integrated configuration mode, we must at least adjust the startup shell script and the supervisor configuration: - -```bash -{% if DEVICE_METADATA.localhost.docker_routing_config_mode is defined and DEVICE_METADATA.localhost.docker_routing_config_mode == "unified" %} -[program:vtysh_b] -command=/usr/bin/vtysh -b -``` - -Reference: [supervisord.conf](https://github.com/sonic-net/sonic-buildimage/blob/202205/dockers/docker-fpm-frr/frr/supervisord/supervisord.conf.j2#L157) - -## Non-BGP Configuration - -For the Non-BGP configuration we have to write it into the Redis database directly or via one of the following interfaces: - -- `config replace ` -- the Mgmt Framework -- the SONiC restapi - -Directly writing into the Redis database isn't a stable interface, and we must determine the create, delete, and update -operations on our own. The last point is also valid for the Mgmt Framework and the SONiC restapi. Furthermore, the -Mgmt Framework doesn't start anymore for several months, and a [potential fix](https://github.com/sonic-net/sonic-buildimage/pull/10893) -is still not merged. And the SONiC restapi isn't enabled by default, and we must build and maintain our own SONiC images. - -Using `config replace` would reduce the complexity in the `metal-core` codebase because we don't have to determine the -actual changes between the running and the desired configuration. The approach's drawbacks are using a version of SONiC -that contains the PR [Yang support for VXLAN](https://github.com/sonic-net/sonic-buildimage/pull/7294), and we must provide -the whole new startup configuration to prevent unwanted deconfiguration. - -### Configure Loopback interface and activate VXLAN - -```json -{ - "LOOPBACK_INTERFACE": { - "Loopback0": {}, - "Loopback0|": {} - }, - "VXLAN_TUNNEL": { - "vtep": { - "src_ip": "" - } - } -} -``` - -#### Configure MTU - -```json -{ - "PORT": { - "Ethernet0": { - "mtu": "9000" - } - } -} -``` - -#### Configure PXE Vlan - -```json -{ - "VLAN": { - "Vlan4000": { - "vlanid": "4000" - } - }, - "VLAN_INTERFACE": { - "Vlan4000": {}, - "Vlan4000|": {} - }, - "VLAN_MEMBER": { - "Vlan4000|": { - "tagging_mode": "untagged" - } - }, - "VXLAN_TUNNEL_MAP": { - "vtep|map_104000_Vlan4000": { - "vlan": "Vlan4000", - "vni": "104000" - } - } -} -``` - -#### Configure VRF - -```json -{ - "INTERFACE": { - "Ethernet0": { - "vrf_name": "vrf104001" - } - }, - "VLAN": { - "Vlan4001": { - "vlanid": "4001" - } - }, - "VLAN_INTERFACE": { - "Vlan4001": { - "vrf_name": "vrf104001" - } - }, - "VRF": { - "vrf104001": { - "vni": "104001" - } - }, - "VXLAN_TUNNEL_MAP": { - "vtep|map_104001_Vlan4001": { - "vlan": "Vlan4001", - "vni": "104001" - } - } -} -``` - -## DHCP Relay - -The DHCP relay container only starts if `DEVICE_METADATA.localhost.type` is equal to `ToRRouter`. - -## LLDP - -SONiC always uses the local port subtype for LLDP and sets it to some freely configurable alias field of the interface. - -```python -# Get the port alias. If None or empty string, use port name instead -port_alias = port_table_dict.get("alias") -if not port_alias: - self.log_info("Unable to retrieve port alias for port '{}'. Using port name instead.".format(port_name)) - port_alias = port_name - -lldpcli_cmd = "lldpcli configure ports {0} lldp portidsubtype local {1}".format(port_name, port_alias) -``` - -Reference: [lldpmgr](https://github.com/sonic-net/sonic-buildimage/blob/202205/dockers/docker-lldp/lldpmgrd#L153) - -## Mgmt Interface - -The mgmt interface is `eth0`. To configure a static IP address and activate the Mgmt VRF, use: - -```json -{ - "MGMT_INTERFACE": { - "eth0|": { - "gwaddr": "" - } - }, - "MGMT_VRF_CONFIG": { - "vrf_global": { - "mgmtVrfEnabled": "true" - } - } -} -``` - -[IP forwarding is deactivated on `eth0`](https://github.com/sonic-net/sonic-buildimage/blob/202205/files/image_config/sysctl/sysctl-net.conf#L7), and no IP Masquerade is configured. diff --git a/versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP11/README.md b/versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP11/README.md deleted file mode 100644 index 87f48a10..00000000 --- a/versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP11/README.md +++ /dev/null @@ -1,78 +0,0 @@ ---- -slug: /MEP-11-auditing-of-metal-stack-resources -title: MEP-11 -sidebar_position: 11 ---- - -# Auditing of metal-stack resources - -Currently no logs of the ownership of resources like machines, networks, ips and volumes are generated or kept. Though due to legal requirements data centers are required to keep track of this ownership over time to prevent liability issues when opening the platform for external users. - -In this proposal we want to introduce a flexible and low-maintenance approach for auditing on top of [Meilisearch](https://www.meilisearch.com/). - -## Overview - -In general our auditing logs will be collected by a request interceptor or middleware. Every request and response will be processed and eventually logged to Meilisearch. -Meilisearch will be configured to regularly create chunks of the auditing logs. These finished chunks will be backed up to a S3 compatible storage with a read-only option enabled. - -Of course sensitive data like session keys or passwords will be redacted before logging. We want to track relevant requests and responses. If auditing the request fails, the request itself will be aborted and will not be processed further. The requests and responses that will be audited will be annotated with a correlation id. - -Transferring the meilisearch auditing data chunks to the S3 compatible storage will be done by a sidecar cronjob that is executed periodically. -To avoid data manipulation the S3 compatible storage will be configured to be read-only. - -## Whitelisting - -To reduce the amount of unnecessary logs we want to introduce a whitelist of resources and operations on those that should be logged. -Other requests will be passed directly to the next middleware or web service without any further processing. - -As we are only interested in mutating endpoints, we ignore all `GET` requests. -The whitelist includes all `POST`, `PUT`, `PATCH` and `DELETE` endpoints of the HTTP middleware except for the following (non-manipulating) route suffixes: - -- `/find` -- `/notify` -- `/try` and `/match` -- `/capacity` -- `/from-hardware` - -Regarding GRPC audit trails, they are not so interesting because only internal clients are using this API. However, we can log the trails of the `Boot` service, which can be interesting to revise the machine lifecycle. - -## Chunking in Meilisearch - -We want our data to be chunked in Meilisearch. To accomplish this, we rotate the index identifier on a scheduled basis. The index identifiers will be derived from the current date and time. - -To keep things simple, we only support hourly, daily and monthly rotation. The eventually prefixed index names will only include relevant parts of date and time like `2021-01`, `2021-01-01` or `2021-01-01_13`. - -The metal-api will only write to the current index and switches to the new index on rotation. The metal-api will never read or update data in any indices. - -## Moving chunks to S3 compatible storage - -As Meilisearch will be filled with data over time, we want to move completed chunks to a S3 compatible storage. This will be done by a sidecar cronjob that is executed periodically. Note that the periods of the index rotation and the cronjob execution don't have to match. - -When the backup process gets started, it initiates a [Meilisearch dump](https://www.meilisearch.com/docs/learn/advanced/dumps) of the whole database across all indices. Once the returned task is finished, the dump must be copied from a Meilisearch volume to the S3 compatible storage. After a successful copy, the dump can be deleted. - -Now we want to remove all indices from Meilisearch, except the most recent one. For this, we [get all indices](https://www.meilisearch.com/docs/reference/api/indexes#list-all-indexes), sort them and [delete each index](https://www.meilisearch.com/docs/reference/api/indexes#delete-an-index) except the most recent one to avoid data loss. - -For the actual implementation, we can build upon [backup-restore-sidecar](https://github.com/metal-stack/backup-restore-sidecar). But due to the index rotation and the fact, that older indices need to be deleted, this probably does not fit into the mentioned sidecar. - -## S3 compatible storage - -The dumps of chunks should automatically deleted after a certain amount of time, once we are either no longer allowed or required to keep them. -The default retention time will be 6 months. Ideally already uploaded chunks should be read-only to prevent data manipulation. - -A candidate for the S3 compatible storage is Google Cloud Storage, which allows to configure automatic expiration of objects through a [lifecycle rule](https://cloud.google.com/storage/docs/managing-lifecycles?hl=en#storage-set-lifecycle-config-go). - -## Affected components - -- metal-api grpc server needs an auditing interceptor -- metal-api web server needs an auditing filter chain / middleware -- metal-api needs new command line arguments to configure the auditing -- mini-lab needs a Meilisearch instance -- mini-lab may need a local S3 compatible storage -- we need a sidecar to implement the backup to S3 compatible storage -- Consider auditing of volume allocations and freeings outside of metal-stack - -## Alternatives considered - -Instead of using Meilisearch we investigated using an immutable database like [immudb](https://immudb.io/). But immudb does not support chunking of data and due to its immutable nature, we will never be able to free up space of expired data. Even if we are legally allowed or required to delete data, we will not be able to do so with immudb. - -In another variant of the Meilisearch approach the metal-api would also be responsible for copying chunks to the S3 compatible storage and deleting old indices. But separating the concerns allows completely different implementations for every deployment stage. diff --git a/versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP12/README.md b/versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP12/README.md deleted file mode 100644 index 65532c57..00000000 --- a/versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP12/README.md +++ /dev/null @@ -1,34 +0,0 @@ ---- -slug: /MEP-12-rack-spreading -title: MEP-12 -sidebar_position: 12 ---- - -# Rack Spreading - -Currently, when creating a machine through the metal-api, the machine is placed randomly inside a partition. This algorithm does not consider spreading machines across different racks and different chassis. This may lead to the situation that a group of machines (that for example form a cluster) can end up being placed in the same rack and the same chassis. - -Spreading a group of machines across racks can enhance availability for scenarios like a rack losing power or a chassis meltdown. - -So, instead of just randomly deciding the placement of a machine candidate, we want to propose a placement strategy that attempts to spread machine candidates across the racks inside a partition. - -Furthermore a followup improvement to guarantee that machines are really spread across multiple racks, even if multiple machines are ordered in parallel, was implemented with [PR490](https://github.com/metal-stack/metal-api/pull/490). - -## Placement Strategy - -Machines in the project are spread across all available racks evenly within a partition (best effort). For this, an additional request to the datastore has to be made in order to find allocated machines within the project in the partition. - -The algorithm will then figure out the least occupied racks and elect a machine candidate randomly from those racks. - -The user can optionally pass placement tags which will be considered for spreading the machines as well (this will for example allow spreading by a cluster id tag inside the same project). - -## API - -```golang -// service/v1/machine.go - -type MachineAllocation struct { - // existing fields are omitted for readability - PlacementTags []string `json:"placement_tags" description:"by default machines are spread across the racks inside a partition for every project. if placement tags are provided, the machine candidate has an additional anti-affinity to other machines having the same tags"` -} -``` diff --git a/versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP13/README.md b/versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP13/README.md deleted file mode 100644 index 2dde20f5..00000000 --- a/versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP13/README.md +++ /dev/null @@ -1,111 +0,0 @@ ---- -slug: /MEP-13-dual-stack-support -title: MEP-13 -sidebar_position: 13 ---- - -# Dual-stack Support - -dual-stack support is required to be able to create Kubernetes clusters with either IPv6 single-stack or dual-stack enabled. -With the inherent scarcity of IPv4 addresses, the need to be able to use IPv6 has increased. - -Full IPv6 dual-stack support was added to Kubernetes with v1.23 as stable. - -Gardeners have had full IPv6 dual-stack support since `v1.109`. - -metal-stack manages CIDRs and IP addresses with the [go-ipam](https://github.com/metal-stack/go-ipam) library, which already got full IPv6 support in 2021 (see [https://metal-stack.io/blog/2021/02/ipv6-part1](https://metal-stack.io/blog/2021/02/ipv6-part1)). -But this was only the foundation, more work needs to be done to get full IPv6 support for all aspects managed by metal-stack.io. - -## General Decisions - -For the general decision we do not look at the isolated clusters feature for now as this would make the solution even more complex and we want to introduce IPv6 in smaller steps to the users. - -### Networks - -Currently, metal-stack organizes CIDRs / prefixes into a `network' resource in the metal-api. A network can consist of multiple CIDRs from the same address family. For example, if an operator wants to provide Internet connectivity to provisioned machines, they can start with small network CIDRs. The number of managed network prefixes can then be expanded as needed over time. - -With dual-stack we have to choose between two options: Network per address family or networks with both address families. These options are described in the next section. - -#### Network per Address Family - -This means that we allow networks with CIDRs from one address family only, one for IPv4 and one for IPv6. - -The machine creation process will not change if the machine only needs to be either IPv4 or IPv6 addressable. -But if on the other side, the machine need to be able to connect to both address families, the machine creation needs to specify two networks, one for IPv4 and one for IPv6. -Also there will be 2 distinct VRF IDs for every network with a different address family. - -#### Network with both Address Families - -Make a network dual address family capable, meaning that you can add multiple cidrs from both address families to a network. -Then the machine creation will remain the same for single-stack and dual-stack cases, but the ip address allocation will need to specify the address family from which to allocate an ip address when the network is dual-stack. -This does not break the existing API, but allows existing extensions to easily add dual-stack support. -To avoid additional checking of which address families are available on this network during an ip allocation call, we could store the address families in the network. - -#### Decision - -The decision was made to go with the having both address families in a single network entity because we think this is the most flexible way to support dual-stack machines and Kubernetes clusters as well as single-stack with the least amount of modifications on the networking side. - -### Examples - -To illustrate the the usage we start by creating a tenant super network which has both address families: - -```yaml ---- -id: tenant-super-network-mini-lab -name: Project Super Network -description: Super network of all project networks -partitionid: mini-lab -prefixes: - - 10.0.0.0/16 - - 2001:db8:0:10::/64 -defaultchildprefixlength: - IPv4: 22 - IPv6: 96 -privatesuper: true -``` - -In order to create this network, we simple call: - -```bash -metalctl network create -f tenant-super.yaml -``` - -This is usually done during the initial setup of the environment. - -Next step is to allocate a tenant network where the machines of a project can be placed: - -```bash -metalctl network allocate --partition mini-lab --project 4b9b17c4-2d7c-4190-ae95-dda44e430fa6 --name my-node-network -``` - -This leads to the following network allocation: - -```yaml -id: 2d2c0350-3f66-4597-ae97-ef6797232212 -name: my-node-network -parentnetworkid: tenant-super-network-mini-lab -partitionid: mini-lab -prefixes: - - 10.0.0.0/22 - - 2001:db8:0:10::/96 -projectid: 4b9b17c4-2d7c-4190-ae95-dda44e430fa6 -vrf: 20 -consumption: - ipv4: - available_ips: 1024 - available_prefixes: 256 - used_ips: 2 - used_prefixes: 0 - ipv6: - available_ips: 2147483647 - available_prefixes: 1073741824 - used_ips: 1 - used_prefixes: 0 -privatesuper: false -``` - -Users can the create IP addresses from these child networks. By default, they retrieve an IPv4 address except a super network only consists of IPv6 prefixes. In the latter case the users acquire an IPv6 address. - -```bash -metalctl network ip create --network 2d2c0350-3f66-4597-ae97-ef6797232212 --project 4b9b17c4-2d7c-4190-ae95-dda44e430fa6 -``` diff --git a/versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP14/README.md b/versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP14/README.md deleted file mode 100644 index 47c06434..00000000 --- a/versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP14/README.md +++ /dev/null @@ -1,36 +0,0 @@ ---- -slug: /MEP-14-independence-from-external-sources -title: MEP-14 -sidebar_position: 14 ---- - -# Independence from external sources - -In certain situations some customers may need to operate and create machines without making use of external services like DNS or NTP through the internet. To make this possible, all metal-stack components reaching external services need to be configurable with custom endpoints. - -So far, the following components have been identified as requiring changes: - -- pixiecore -- metal-hammer -- metal-images - -More components are likely to be added to the list during processing. -For DNS and NTP servers it should be possible to provide default values within a partition. They can either be inherited from machines and firewalls or overwritten with own ones. - -## pixiecore - -A NTP server endpoint need to be configured on the pixiecore. This can be achieved by providing it through environment variables on start up. - -## metal-hammer - -If using a self-deployed NTP server, also the metal-hammer need to be configured with it. For backward compatibility, default values from `pool.ntp.org` and `time.google.com` are used. - -## metal-images - -Configurations for the `metal-images` are different for machines and firewalls. - -## metalctl - -In order to pass DNS and NTP servers to partitions and machines while creating them, the flags `dnsservers` and `ntpservers` need to be added. - -The implementation of this MEP will make metal-stack possible to create and maintain machines without requiring an internet connection. diff --git a/versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP16/README.md b/versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP16/README.md deleted file mode 100644 index 205670ab..00000000 --- a/versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP16/README.md +++ /dev/null @@ -1,318 +0,0 @@ ---- -slug: /MEP-16-metal-api-as-an-alternative-configuration-source-for-the-firewall-controller -title: MEP-16 -sidebar_position: 16 ---- - -# metal-api as an Alternative Configuration Source for the firewall-controller - -In the current situation, a firewall as provisioned by metal-stack is a fully immutable entity. Any modifications on the firewall like changing the firewall ruleset must be done _somehow_ by the user – the metal-api and hence metal-stack is not aware of its current state. - -As part of our [integration with the Gardener project](https://docs.metal-stack.io/stable/overview/kubernetes/#Gardener) we offer a solution called the [firewall-controller](https://github.com/metal-stack/firewall-controller), which is part of our [firewall OS images](https://github.com/metal-stack/metal-images/blob/6318a624861b18a559a9d37299bca5f760eef524/firewall/Dockerfile#L57-L58) and addresses shortcomings of the firewall resource's immutability, which would otherwise be completely impractible to work with. The firewall-controller crashes infinitely if it is not properly configured through the userdata when using the firewall image of metal-stack. - -The firewall-controller approach is tightly coupled to Gardener and it requires the administrator of the Gardener installation to pass a shoot and a seed kubeconfig through machine userdata when creating the firewall. How this userdata has to look like is not documented and is just part of another project called the [firewall-controller-manager](https://github.com/metal-stack/firewall-controller-manager) (FCM), which task is to orchestrate rolling updates of firewall machines in a way that network traffic interruption is minimal when updating a firewall or applying a change to an immutable firewall configuration. - -In general, a firewall entity in metal-stack has similarities to the machine entity but it has a fundamental difference: A user gains ownership over a machine after provisioning. They can access it through SSH, modify it at will and this is completely wanted. For firewalls, however, we do not want a user to access the provisioned firewall as the firewall is a privileged part of the infrastructure with access to the underlay network. The underlay can not be tampered with at any given point in time by a user as it can destroy the entire network traffic flow inside a metal-stack partition. - -For this reason, we have a gap in the metal-stack project in terms of a missing solution for people who do not rely on the Gardener integration. We are basically leaving a user with the option to implement an orchestrated recreation of every possible change on the firewall to minimize traffic interruption for the machines sitting behind the firewall or re-implement the firewall-controller to how they want to use it for their use-case. - -Also we do not have a clear distinction in the API between user and metal-stack operator for firewalls. If a user would allocate a firewall it is also possible for the user to inject his own SSH keys and access the firewall and tamper with the underlay network. - -Parts of these problems are probably going to decrease with the work on [MEP-4](../MEP4/README.md) where there will be dedicated APIs for users and administrators of metal-stack including fine-grained access tokens. - -With this MEP we want to describe a way to improve this current situation and allow other users that do not rely on the Gardener integration – for whatever motivation they have – to adequately manage firewalls. For this, we propose an alternative configuration for the firewall-controller that is native to metal-stack and more independent of Gardener. - -## Proposal - -The central idea of this proposal is allowing the firewall-controller to use the metal-api as a configuration source. This should serve as an alternative strategy to the currently used FCM `Firewall` resource based approach in the Gardener use-case. -Updates of the firewall rules should be possible through the metal-api. - -The firewall-controller itself should now be able to decide which of the two main strategies should be used for the base configuration: a kubeconfig or the metal-api. This should be possible through a dedicated _firewall-controller-config_. - -Using this config will now allow operators to fine-tune the data sources for all of its dynamic configuration tasks independently. -For example the data source of the core firewall rules could be set either from the `Firewall` resource located in the Gardener `Seed` or the metal-apiserver node network entity, while the CWNPs should be fetched and applied from a given kubeconfig (the `Shoot` Kubeconfig in the Gardener case). -This configuration file is intended to be injected during firewall creation through the userdata along with potential source connection credentials. - -```yaml -# the name of the firewall, defaulted to the hostname -name: best-firewall-ever - -sources: - seed: - kubeconfig: /path/to/seed.yaml # current gardener behavior - namespace: shoot--proj--name - shoot: - kubeconfig: /path/to/shoot.yaml # current gardener behavior - namespace: firewall - metal: - url: https://metal-api - hmac: some-hmac - type: Metal-View - projectID: abc - static: - # static should mirror all information provided by the metal or seed/shoot sources - firewall: # optional - controllerURL: https://... - cwnp: - egress: [] - ingress: [] - -# all sub-controllers running on the firewall -# each can be configured independently -controllers: - # this is the base controller - firewall: - source: seed # or: metal, static - - # these are optional: when not provided, they are disabled - selfUpdate: - enabled: true - droptailer: - enabled: true - - # these are optional: when not provided, they are disabled - service: - source: shoot # or: metal, static - cwnp: - source: shoot # or: metal, static - monitor: - source: shoot # currently only shoot is supported -``` - -The existing behavior of the firewall-controller writing into `/etc/nftables/firewall-controller.v4` is not changed. The different controller configuration sources are internally treated in the same way as before. The `static` source can be used to prevent the firewall-controller from crashing and consistently providing a static ruleset. This might be interesting for metal-stack native use cases or environments where the metal-api cannot be accessed. - -There must be one central nftables-rule-file-controller that is notified and triggered by all other controllers that contribute to the nftables configuration. - -For example, in order to maintain the existing Gardener integration, the configuration file for the firewall-controller will look like this: - -```yaml -name: shoot--abc--cluster-firewall-def -sources: - seed: - kubeconfig: /etc/firewall-controller/seed.yaml - namespace: shoot--abc--cluster - shoot: - kubeconfig: /etc/firewall-controller/shoot.yaml - namespace: firewall - -controllers: - firewall: - source: seed - - selfUpdate: - enabled: true - droptailer: - enabled: true - - service: - source: shoot - cwnp: - source: shoot - monitor: - source: shoot -``` - -Plain metal-stack users might use a configuration like this: - -```yaml -name: best-firewall-ever - -sources: - metal: - url: https://metal-api - hmac: some-hmac - type: Metal-View - projectID: abc - -controllers: - firewall: - source: metal - selfUpdate: - enabled: true - droptailer: - enabled: true - - cwnp: - # firewall rules stored in firewall entity - # potential improvement would be to attach the rules to the node network entity - # be aware that the firewall and private networks are immutable - # eventually we introduce a firewall ruleset entity - source: metal -``` - -In highly restricted environments that cannot access metal-api the static source could be used: - -```yaml -name: most-restricted-firewall-ever - -sources: - static: - firewall: - controllerURL: https://... - cwnp: - egress: [] - ingress: [] - -controllers: - firewall: - source: static - - cwnp: - source: static -``` - -### Non-Goals - -- Resolving the missing differentiation between users and administrators by letting users pass userdata and SSH keys to the firewall creation. - - This is even more related to [MEP-4](../MEP4/README.md) than this MEP. - -### Advantages - -- Offers a native metal-stack solution that improves managing firewalls for users by adding dynamic reconfiguration through the metal-api - - e.g., in the mini-lab, users can now allocate a machine, then an IP address and announce this IP from the machine without having to re-create the firewall but by adding a firewall rule to the metal-api. -- Improve consistency throughout the API (firewall rules would reflect what is persisted in metal-api). -- Other providers like Cluster API can leverage this approach, too. -- It can contribute to solving the shoot migration issue (in Cluster API case the `clusterctl move` for firewall objects) - - For Gardener takes the seed out of the equation (of which the kubeconfig changes during shoot migration) - - However: Things like egress rules, rate limiting, etc. are currently not part of the firewall or network entity in the metal-api. These would need to be added to one of them. -- Potentially resolve the issue that end-users can manipulate accounting data of the firewall through the `FirewallMonitor` - - for this we would need to be able to report traffic data to metal-api - -### Caveats - -- Metal-View access is too broad for firewalls. Mitigated by [MEP-4](../MEP4/README.md). -- Polling of the firewall-controller is bad for performance. Mitigated by [MEP-4](../MEP4/README.md). - -### Firewall Controller Manager - -Currently the firewall-controller-manager expects the creators of a `FirewallDeployment` to use the defaulting webhook that is tailored to the Gardener integration in order to generate `Firewall.spec.userdata` or to override it manually. Currently `Firewall.spec.userdata` will never be set explicitly. - -Instead we'd like to propose `Firewall.spec.userdataContents` which will replace the old `userdata`-string by a typed data structure. The FCM will do the heavy lifting while the `FirewallDeployment` creator decides what should be configured. - -```yaml -kind: FirewallDeployment -spec: - template: - spec: - userdataContents: - - path: /etc/firewall-controller/config.yaml - content: | - --- - sources: - static: {} - controllers: - firewall: - source: static - - path: /etc/firewall-controller/seed.yaml - secretRef: - name: seed-kubeconfig - generateFirewallControllerKubeconfig: true - - path: /etc/firewall-controller/shoot.yaml - secretRef: - name: shoot-kubeconfig -``` - -### Gardener Extension Provider Metal Stack - -The GEPM should be migrated to the new `Firewall.spec.userdataContents` field. - -### Cluster API Provider Metal Stack - -![architectural overview](firewall-for-capms-overview.svg) - -In Cluster API there are essentially two main clusters: the management cluster and the workload cluster while the CAPMS takes in the role of the GEPM. -Typically a local bootstrap cluster is created in KinD which acts as the management cluster. It creates the workload cluster. Thereafter the ownership of the workload cluster is typically moved (using `clusterctl move`) to a different cluster which will then become the management cluster. -The new management cluster might actually be the workload cluster itself. - -In contrast to Gardener, Cluster API aims to be less opinionated and minimal. It is common practice to not install any non-required components or CRDs into the workload cluster by default. Therefore we cannot expect custom resources like `ClusterwideNetworkPolicy` or `FirewallMonitor` to be installed in the workload cluster but strongly recommend our users to do it. Therefore it's the responsibility of the operator to tell [cluster-api-provider-metal-stack](https://github.com/metal-stack/cluster-api-provider-metal-stack) the kubeconfig for the cluster where these CRDs are installed and defined in. - -A viable configuration for a `MetalStackCluster` that generates firewall rules based of `Service` type `LoadBalancer` and `ClusterwideNetworkPolicy` and expects them to be deployed in the workload cluster is shown below. The `FirewallMonitor` will be reported into the same cluster. - -```yaml -kind: MetalStackCluster -metadata: - name: ${CLUSTER_NAME} -spec: - firewallTemplate: - userdataContents: - - path: /etc/firewall-controller/config.yaml - secretName: ${CLUSTER_NAME}-firewall-controller-config - - - path: /etc/firewall-controller/workload.yaml - # this is the kubeconfig generated by kubeadm - secretName: ${CLUSTER_NAME}-kubeconfig ---- -kind: Secret -metadata: - name: ${CLUSTER_NAME}-firewall-controller-config -stringData: - controllerConfig: | - --- - name: ${CLUSTER_NAME}-firewall - - sources: - metal: - url: ${METAL_API_URL} - hmac: ${METAL_API_HMAC} - type: ${METAL_API_HMAC_TYPE} - projectID: ${METAL_API_PROJECT_ID} - shoot: - kubeconfig: /etc/firewall-controller/workload.yaml - namespace: firewall - - controllers: - firewall: - source: metal - selfUpdate: - enabled: true - droptailer: - enabled: true - - service: - source: shoot - cwnp: - source: shoot - monitor: - source: shoot -``` - -Here the firewall-controller-config will be referenced by the `MetalStackCluster` as a `Secret`. Please note that the `Secret`s in `userdataContents` will not be fetched and will directly be passed to the `FirewallDeployment`. At first the reconciliation of it in the FCM will fail due to the missing Kubeconfig secret. After the `MetalStackCluster` has been marked as ready, CAPI will create this missing secret. Effectively the firewall and initial control plane node should be created at the same time. - -This approach allows maximum flexibility as intended by Cluster API and is still able to provide robust rolling updates of firewalls. - -An advanced use case of this flexibility would be a management cluster, that is in charge of multiple workload clusters. Where one workload cluster acts as a monitoring or tooling cluster, receives logs and the firewall monitor for the other workload clusters. The CWNPs could be defined here, all in a separate namespace. - -#### Cluster API Caveats - -When the cluster is pivoted and reconciles its own firewall, a malfunctioning firewall prevents the cluster from self-healing and requires manual intervention by creating a new firewall. This is an inherent problem of the cluster-api approach. It can be circumvented by using an extra cluster to manage workload clusters. - -In the current form of this approach firewalls and therefore the firewall egress and ingress rules are managed by the cluster operators that manage the cluster-api resources. -Hence it will not be possible to gain a fine-grained control over every cluster operator's choices from a central ruleset at the level of metal-stack firewalls. -In case this control surfaces as a requirement, it would need to be implemented in a firewall external to metal-stack. - -## Roadmap - -In general this proposal is not thought to be implemented in one batch. Instead an incremental approach is required. - -1. Enhance firewall-controller - - - Reduce coupling between controllers - - Introduce controller config - - Abstract module to write into distinct nftable rules for every controller - - Implement `sources.static`, but not `sources.metal` - - GEPM should set `FirewallDeployment.spec.template.spec.userdataContents` - -2. Allow Cluster API to use the FCM with static ruleset - - - Add `firewall.metal-stack.io/paused` annotation (managed by CAPMS during `clusterctl move`, theoretically useful for Gardener shoot migration as well to avoid shallow deletion). - - Reconcile multiple `FirewallDeployment` resources across multiple namespaces. For Gardener the old behavior of reconciling only one namespace should persist. - - Allow setting the `firewall.metal-stack.io/no-controller-connection` annotation through the `FirewallDeployment` (either through the template or inheritance). - - Add `MetalStackCluster.spec.firewallTemplate`. - - Make `MetalStackCluster.spec.nodeNetworkID` optional if `spec.firewallTemplate` given. - -3. Add `sources.metal` as configuration option. - - - Allow updates of firewall rules in the metal-apiserver. - - Depends on [MEP-4](../MEP4/README.md) metal-apiserver progress - -4. Potentially migrate the GEPM to use `sources.metal` diff --git a/versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP16/firewall-for-capms-overview.drawio b/versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP16/firewall-for-capms-overview.drawio deleted file mode 100644 index faea3e3d..00000000 --- a/versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP16/firewall-for-capms-overview.drawio +++ /dev/null @@ -1,4 +0,0 @@ - - - -
handles traffic
Firewall
Firewall Controller
node-exporter
nftables-exporter
droptailer-client
Workload Cluster
droptailer
Configures
Bootstrap or Management Cluster
reconcile
configures
reconcile
Cluster API Provider metal-stack
Metal Stack Cluster CRD
Firewall Deployment CRD
Firewall CRD
Firewall Set CRD
rec
reconcile
reconcile
Firewall Controller Manager
Metal Stack Machine CRD
manages
Admin
Kubeconfig FirewallMonitor
FirewallMonitor CRD
main metal-api
Firewall entity
kubeconfig CWNP
Clusterwide Network Policy CRD
base config
controllerConfig
user-defined
network rules
reports firewall
state
send firewall log lines
controllerConfig
controllerConfig
 \ No newline at end of file diff --git a/versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP16/firewall-for-capms-overview.svg b/versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP16/firewall-for-capms-overview.svg deleted file mode 100644 index 853f8175..00000000 --- a/versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP16/firewall-for-capms-overview.svg +++ /dev/null @@ -1 +0,0 @@ -
handles traffic
handles traffic
Firewall
Firewall
Firewall Controller
Firewall Controller
node-exporter
node-exporter
nftables-exporter
nftables-exporter
droptailer-client
droptailer-client
Workload Cluster
Workload Cluster
droptailer
droptailer
Configures
Configures
Bootstrap or Management Cluster
Bootstrap or Management Cluster
reconcile
reconcile
configures
configures
reconcile
reconcile
Cluster API Provider metal-stack
Cluster API Provider...
Metal Stack Cluster CRD
Metal Stack Cluster...
Firewall Deployment CRD
Firewall Deployment...
Firewall CRD
Firewall CRD
Firewall Set CRD
Firewall Set CRD
rec
rec
reconcile
reconcile
reconcile
reconcile
Firewall Controller Manager
Firewall Controller...
Metal Stack Machine CRD
Metal Stack Machine...
manages
manages
Admin
Admin
Kubeconfig FirewallMonitor
Kubeconfig FirewallMonitor
FirewallMonitor CRD
FirewallMonitor CRD
main metal-api
main metal-api
Firewall entity
Firewall entity
kubeconfig CWNP
kubeconfig CWNP
Clusterwide Network PolicyCRD
Clusterwide Network...
base config
base config
controllerConfig
controllerConfig
user-defined
network rules
user-defined...
reports firewall
state
reports firewall...
send firewall log lines
send firewall log lines
controllerConfig
controllerConfig
controllerConfig
controllerConfigText is not SVG - cannot display \ No newline at end of file diff --git a/versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP17/README.md b/versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP17/README.md deleted file mode 100644 index 35f48970..00000000 --- a/versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP17/README.md +++ /dev/null @@ -1,61 +0,0 @@ ---- -slug: /MEP-17-global-network-view -title: MEP-17 -sidebar_position: 17 ---- - -# Global Network View - -> [!IMPORTANT] -> This MEP assumes the implementation of the metal-apiserver as described by [MEP-4](../MEP4/README.md) which is currently work in progress. - -Having a complete view of the network topology is useful when working with deployments or troubleshooting connectivity issues. -Currently, the API doesn't know of any other switches than the leaf switches. -Information about all other switches and their connections must be gathered from Ansible inventories or by accessing the switches via SSH. -Documentation of each partition's network must be kept in-sync with all changes made to the deployment or cabling. -We would like to expand the API's knowledge of the network to the entire underlay including inter-switch connections as well as BGP statistics and health status. - -## Switch Types - -Registering a switch at the API is done by the metal-core. -Apart from that, it also reconciles port and FRR configuration to adapt to the machine provisioning cycle. -This reconfiguration is only necessary on the leaf switches. -To allow deploying the metal-core on other switches than leaves we need a way of telling it what type of switch it is running on so it can act accordingly. -On any non-leaf switches it will only register the switch and report statistic but not change any configuration. -Supported switch types are - -- `leaf` -- `spine` -- `exit` -- `mgmtleaf` -- `mgmtspine` - -## Network Topology - -All switches should periodically report their LLDP neighbors and port configuration. -This information can be used to quickly identify common network issues, like MTU mismatch or the like. -Ideally, there would be some graphical representation of the network topology containing only the most important information for a quick overview. -It should contain all switches and machines as nodes and all connections as edges of a graph. -Ports, VRFs, and maybe also IPs should be associated with a connection. - -Apart from the topology graph, there should be a way to display more detailed information about both ports of a connection, like - -- MTU -- speed -- IP -- UP/DOWN status -- VRF -- VLAN -- whether it participates in a BGP session - -## BGP Announcements - -The metal-core should collect all routes it knows about and send them to the API along with a timestamp. -Reported routes should be stored to a redis database along with the switch that reported them and the timestamp of the last time they were reported. -An expiration threshold should be defined and all expired routes should be cleaned up periodically. -Whenever new routes are reported they get merged into the existing ones by the strategy: - -- when new, just add -- when existing, update `last_announced` timestamp - -By querying the BGP announcements we can find out whether an allocated IP is still in use. diff --git a/versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP18/README.md b/versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP18/README.md deleted file mode 100644 index 9c02c0b7..00000000 --- a/versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP18/README.md +++ /dev/null @@ -1,147 +0,0 @@ ---- -slug: /MEP-18-autonomous-control-plane -title: MEP-18 -sidebar_position: 18 ---- - -# Autonomous Control Plane - -As described in the [deployment chapter](../../../docs/04-For%20Operators/03-deployment-guide.mdx), we strongly recommend Kubernetes as the target platform for running the metal-stack control plane. - -Kubernetes clusters for this purpose are readily available from hyperscalers, metalstack.cloud, or other cloud providers. Simply using a managed Kubernetes cluster greatly simplifies a metal-stack installation. However, sometimes it might be desirable to host the metal-stack control plane autonomously, without the help of another cloud provider. Reasons for this might include corporate policies that prohibit the use of external data center products, or network constraints. - -The Kubernetes cluster hosting the metal-stack control plane must provide at least the following features: - -- Load balancing (for exposing the APIs) -- Persistent storage (for the databases and key-value stores) -- Access to object storage for automated backups of the stateful sets -- Access to a DNS provider supported by one of the used DNS extensions -- Externally accessible DNS records for obtaining officially signed certificates through DNS challenges - -This metal-stack control plane cluster must also be highly available to prevent a complete loss of control over the managed resources in the data center. -Regular Kubernetes updates to apply security fixes and feature updates must be possible in an automated manner. The Day-2 operational overhead of running this cluster in your own datacenter must be reasonable. - -In this chapter, we propose a solution for setting up a metal-stack environment with an autonomous control plane that is independent of another cloud provider. - -## Use Your Own Dogfood - -The most obvious solution is to just deploy a Kubernetes cluster manually in your own data center by utilizing existing tooling for the deployment: - -- k3s -- kubeadm -- vmware and rancher -- talos -- kubespray -- ... (not a complete list) - -However, all these solutions add another layer of complexity that needs to be maintained and operated by people who also need to learn and understand metal-stack. In general, metal-stack in combination with [Gardener](https://gardener.cloud) contains all the necessary tools to provide KaaS, so it makes sense to reuse what is already in place without introducing new dependencies on other products and vendors. - -The only problem here is that Gardener is not yet able to create an initial cluster, which may change with the implementation of [GEP-28](https://github.com/gardener/gardener/blob/master/docs/proposals/28-autonomous-shoot-clusters.md). In the meantime, we suggest using [k3s](https://k3s.io/), which manages the initial metal-stack partition to host the control plane, since the maintenance overhead is acceptable and it is easy to deploy. - -## The Matryoshka Principle - -Instead of directly using the K3s cluster for the production control plane, we propose using it as a minimal control plane cluster which only purpose is to host the production control plane cluster. This layer of indirection brings some reasonable advantages: - -- In the event of an interruption or loss of this minimal control plane cluster, the production control plane remains unaffected, and end users can continue to manage their clusters as normal. -- A dedicated operations team can take care of the Day-2 maintenance of this installation, which can be handy because the tools like k3s are a little different from the rest of the setup (it is likely that more manual maintenance is required than for any other cluster). This would also be true if the initial cluster problem would be solved by the Gardener itself and not using k3s. -- Since the number of shoot clusters to host is static, the resource requirements are minimal and will not change significantly over time. There are no huge resource requirements in terms of cpu, memory and storage. As such, the lack of scalability is not such a big issue. - -So, our proposal is to chain two metal-stack control planes. The initial control plane cluster would use k3s and on this cluster we can spin up a cluster for the production control plane with the use of Gardener. - -The following figure shows how the high-level architecture of this setup looks like. A even more simplified illustration of this setup can be looked up in the appendix[^1]. - -![Autonomous Control Plane Architecture](./autonomous-control-plane-images/metal-stack-autonomous-control-plane-full.svg) - -The k3s nodes can either be bare metal machines or virtual machines. When using VMs a single k3s node might be a viable solution, too. These nodes are supposed to be setup manually / partly automated with an operating system like Debian. - -To name the cluster that hosts the initial metal-stack control plane and Gardener we use the term _initial cluster_. The initial cluster creates worker nodes to host the _target cluster_. - -## Initial Cluster - -The initial cluster is kept very small. The physical bare metal machines can be any machines and switches which are supported by metal-stack, but can be smaller in terms of cpu, memory and network speed because these machines must only be capable of running the target cluster for the metal-stack control plane. A typical single socket server with 8-16 cores and 64GB of RAM and two NVMe drives of 1TB would be a good starting point. - -In a typical k3s setup, a stateful set would lose the data once the k3s cluster was terminated and started again. But there is a possibility to define parts of the local storage of the server to be provided to the k3s cluster for the PVCs. With that, k3s could be terminated and started again, for example to update and reboot the host os, or update k3s itself and the data will persist. - -Example k3s configuration for persistent storage on the hosts os: - -```yaml -k3s: Cluster -apiVersion: k3s.x-k8s.io/v1alpha4 -name: needle-control-plane -nodes: - - role: control-plane - # add a mount from /path/to/my/files on the host to /files on the node - extraMounts: - - hostPath: /path/to/my/files - containerPath: /files -``` - -Into this cluster metal-stack and Gardener will be deployed. This deployment can be done by a Gitlab runner which is running on this machine. -The mini-lab will be used as a base for this deployment. The current development of [gardener-in-minilab](https://github.com/metal-stack/mini-lab/pull/202) must be extended to host all required extensions to make this a working metal-stack control plane which can manage the machines in the attached bare metal setup. - -In addition to the metal-stack and Gardener deployment, some additional required services are deployed (non-complete list): - -- PowerDNS to serve as a DNS Server for all DNS entries used in the initial and the target cluster, like `api.initial.metal-stack.local`, `gardener-api.initial.metal-stack.local` and the DNS entries for the api servers of the created kubernetes clusters. -- NTP -- Monitoring for the initial cluster and partition -- Optional: OIDC Server for authenticating against the metal-api -- Optional: Container Registry to host all metal-stack and gardener containers -- Optional: Let's Encrypt [boulder](https://github.com/letsencrypt/boulder) as a certificate authority -- ... - -Physical view, minimal setup for a initial cluster with a single physical node: - -![Small Initial Cluster](autonomous-control-plane-images/small-initial-cluster.svg) - -Physical View, bigger ha setup which is spread across two data centers: - -![HA Initial Cluster](autonomous-control-plane-images/ha-initial-cluster.svg) - -### Control Plane High Availability - -Running the initial control plane on a single physical server is not as available as it should be in such a use case. It should be possible to survive a loss of this server, because the server could be lost by many events, such as hardware failure, disk corruption or even failure of the datacenter location where this server is deployed. - -Setting up a second server with the same software components is an option, but the problem of data redundancy must be solved, because neither the gardener control plane, nor the metal-stack control plane can be instantiated twice. - -Given that we provide part of the local storage of the server as backing storage for the stateful sets in the k3s cluster, the data stored on the server itself must be replicated to another server and backed up on a regular basis. - -The replication of ETCD can be achieved through [clustered configuration](https://docs.k3s.io/datastore/ha-embedded) of k3s. Components of metal-stack and Gardener can run standalone and already utilize backup-restore mechanism that must be configured accordingly. For two or more bare metal machine used for the initial cluster, a loadbalancing mechanism for the ingress is required. kube-vip could be a possible solution. - -For monitoring a backend like a Victoria Metrics Cluster would allow spearding the monitoring data across the initial cluster nodes. These metrics should also be backed up in object storage. - -### Partition - -The partition which is managed by the initial cluster can be a simple and small hardware setup but yet capable enough to host the target cluster. It would even be a good practice to create separate target clusters on the initial cluster, e.g. one for the metal-stack control plane and one for the Gardener (maybe one more for monitoring). - -It can follow the metal-stack minimal setup which provides about 8-16 small servers connected to a 1G/s or 10G/s network dataplane. Central storage is optional as the persistence of the services running in these clusters is always backed up to a central object storage. Operations would be much easier if a central storage is provided. - -## Target Cluster - -The target cluster is the metal-stack environment which serves for end-user production use, the control plane is running in a shoot hosted in the initial cluster. The seed(s) and shoot(s) for end-users are created on the machines provided by the target cluster. -These machines can be of a different type in terms of size, but more importantly, these machines are connected to another network dataplane. Also the management infrastructure is separated from the initial cluster management network. - -## Failure Scenarios - -Everything could fail, everything will fail at some point. But this must kept in mind and nothing bad should happen if only one component at a time fails. -If more than one fails, the restoration to a working state must be easily possible and well documented. - -To ensure all possible breakages are documented, we suggest writing a list which summarizes all failure scenarios that might occur including the remediation. - -Here is an example of how a scenario documentation could look like: - -**Scenario**: Initial cluster is gone, all machines have died -**Impact**: Management of the initial cluster infrastructure not possible anymore, the target cluster continues to run but cannot be managed because the API servers are gone. end-users are not affected by this incident. -**Remediation**: The initial cluster nodes must be provisioned from scratch and re-deployed through the CI mechanism. The backups of the stateful sets are automatically restored during this process. - -## Implementation - -As part of this proposal, we provide the following tools and integrations in order to setup an autonomous control plane: - -- Deployment roles for the services like PowerDNS and NTP for the initial cluster -- Stretch goal: Deployment role to setup k3s in clustered configuration for the initial cluster and update it -- Extend the Gardener on mini-lab integration to allow shoot creation in the mini-lab -- Steady integration of the setup (maybe something like [k3d](https://github.com/k3d-io/k3d) in the mini-lab) - -## Appendix - -[^1]: ![metal-stack-chain](autonomous-control-plane-images/metal-stack-chain.svg) diff --git a/versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP18/autonomous-control-plane-images/ha-initial-cluster.drawio b/versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP18/autonomous-control-plane-images/ha-initial-cluster.drawio deleted file mode 100644 index eafcb514..00000000 --- a/versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP18/autonomous-control-plane-images/ha-initial-cluster.drawio +++ /dev/null @@ -1,535 +0,0 @@ - - - - - - - - - - - - - - - - - - - 1 - - - - - 2 - - - - - 3 - - - - - 4 - - - - - 5 - - - - - 6 - - - - - 7 - - - - - 8 - - - - - 9 - - - - - 10 - - - - - 11 - - - - - 12 - - - - - - - - - - - - - -
-
-
- internet-router-management -
-
-
- - - internet-router-management - - - - - - - - - - - - - -
-
-
- management-switch-and-server -
-
-
- - - management-switch-and-server - - - - - - - - - - - - - -
-
-
- spine01 -
-
-
- - - spine01 - - - - - - - - - - - - - -
-
-
- leaf01 -
-
-
- - - leaf01 - - - - - - - - - - - - - -
-
-
- leaf02 -
-
-
- - - leaf02 - - - - - - - - - - - - - - - - - -
-
-
- - mirocloud (initial cluster partition nodes) - -
-
-
- - - mirocloud (initial cluster... - - - - - - - - - - - - - - - - - -
-
-
- - Initial cluster node 01 - -
-
-
- - - Initial cluster node 01 - - - - - - - - - - - - - - - - - 1 - - - - - 2 - - - - - 3 - - - - - 4 - - - - - 5 - - - - - 6 - - - - - 7 - - - - - 8 - - - - - 9 - - - - - 10 - - - - - 11 - - - - - 12 - - - - - - - - - - - - - -
-
-
- internet-router-management -
-
-
- - - internet-router-management - - - - - - - - - - - - - -
-
-
- management-switch-and-server -
-
-
- - - management-switch-and-server - - - - - - - - - - - - - -
-
-
- spine02 -
-
-
- - - spine02 - - - - - - - - - - - - - -
-
-
- leaf03 -
-
-
- - - leaf03 - - - - - - - - - - - - - -
-
-
- leaf04 -
-
-
- - - leaf04 - - - - - - - - - - - - - - - - - -
-
-
- - Initial cluster node 02 - -
-
-
- - - Initial cluster node 02 - - - - - - - - - - - - - - - - - -
-
-
- - Initial cluster node 03 - -
-
-
- - - Initial cluster node 03 - - - - - - - - - - - - - - - - - -
-
-
- - mirocloud (initial cluster partition nodes) - -
-
-
- - - mirocloud (initial cluster... - - - - - - - - - - Text is not SVG - cannot display - - - - diff --git a/versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP18/autonomous-control-plane-images/ha-initial-cluster.svg b/versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP18/autonomous-control-plane-images/ha-initial-cluster.svg deleted file mode 100644 index 99261ada..00000000 --- a/versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP18/autonomous-control-plane-images/ha-initial-cluster.svg +++ /dev/null @@ -1 +0,0 @@ -123456789101112
internet-router-management
internet-router-management
management-switch-and-server
management-switch-and-server
spine01
spine01
leaf01
leaf01
leaf02
leaf02
mirocloud (initial cluster partition nodes)
mirocloud (initial cluster...
Initial cluster node 01
Initial cluster node 01123456789101112
internet-router-management
internet-router-management
management-switch-and-server
management-switch-and-server
spine02
spine02
leaf03
leaf03
leaf04
leaf04
Initial cluster node 02
Initial cluster node 02
Initial cluster node 03
Initial cluster node 03
mirocloud (initial cluster partition nodes)
mirocloud (initial cluster...Text is not SVG - cannot display \ No newline at end of file diff --git a/versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-autonomous-control-plane-full.drawio b/versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-autonomous-control-plane-full.drawio deleted file mode 100644 index aae8a12d..00000000 --- a/versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-autonomous-control-plane-full.drawio +++ /dev/null @@ -1,1133 +0,0 @@ - - - - - - - - - - - - - - - - - - - -
-
-
- Initial Cluster -
-
-
- - - Initial Cluster - - - - - - - - - - - - - - - - - - -
-
-
- metal-roles -
-
-
- - - metal-roles - - - - - - - - - - - -
-
-
- CI -
-
-
- - - CI - - - - - - - - - - - -
-
-
- K3s Standalone - - - (on Debian) - - -
-
-
- - - K3s Standalone (on Debian) - - - - - - - - - - - - - - - - - - - - - -
-
-
- Initial Partition -
-
-
- - - Initial Partition - - - - - - - - - - - - - - - - - -
-
-
- Target Cluster for metal-stack -
-
-
- - - Target Cluster for metal-stack - - - - - - - - - - - - - - - - - -
-
-
- Metal Control Plane -
-
-
- - - Metal Control Plane - - - - - - - - - - - - - - - -
-
-
- provisions -
-
-
- - - provisions - - - - - - - - - - - - - - - - - -
-
-
- Target Cluster for Gardener -
-
-
- - - Target Cluster for Gardener - - - - - - - - - - - - - - -
-
-
- Gardener Control Plane -
-
-
- - - Gardener Control Plane - - - - - - - - - - - - - - - - - - - - - -
-
-
- Monitoring -
-
-
- - - Monitoring - - - - - - - - - - - - - - - - - - - - -
-
-
- Target Partition -
-
-
- - - Target Partition - - - - - - - - - - - - - - -
-
-
- Gardener Seeds and End-User Shoots -
-
-
- - - Gardener Seeds and End-User Shoots - - - - - - - - - - - - - - - -
-
-
- provisions -
-
-
- - - provisions - - - - - - - - - - - - -
-
-
- metal-roles -
-
-
- - - metal-roles - - - - - - - - - - - -
-
-
- CI -
-
-
- - - CI - - - - - - - - - - - - -
-
-
- metal-roles -
-
-
- - - metal-roles - - - - - - - - - - - - - - -
-
-
- ETCD can be clustered or standalone, backed up by sidecar -
-
-
- - - ETCD can be clustere... - - - - - - - - - - - - - - -
-
-
- This data will get lost in case local PV gets deleted -
-
-
- - - This data will get l... - - - - - - - - - - - - - - -
-
-
- We can work with local PVs here, too. -
- backup-restore-sidecar for metal-stack databases, for big ones Postgres clustered. -
-
-
- - - We can work with local PVs he... - - - - - - - - - - - -
-
-
- ETCD will be deployed in HA configuration on local PVs. -
-
- csi-driver-lvm needs to implement auto deletion of orphaned PVs. -
-
- Seed metrics get lost, but they report to the monitoring in the Metal Control Plane Shoot. -
-
-
- - - ETCD will be deployed in HA c... - - - - - - - - - - - - - - -
-
-
- More sophisticated storage solutions can be in place. -
-
- (Lightbits, NetApp, ...) -
-
-
- - - More sophisticated storage so... - - - - - - - - - - - - - - -
-
-
- TODO: Evaluate how to persist these metrics. -
-
-
- - - TODO: Evaluate how to persist... - - - - - - - - - - - - - - -
-
-
- - 1 VM or -
- -
- - - 3 Bare Metal Machines - - -
-
-
-
- - - 1 VM or... - - - - - - - - - - - - - - - - - - -
-
-
- metal-stack -
-
-
- - - metal-stack - - - - - - - - - - - -
-
-
- metal-api -
-
-
- - - metal-api - - - - - - - - - - - -
-
-
- metal-db -
-
-
- - - metal-db - - - - - - - - - - - -
-
-
- ipam-db -
-
-
- - - ipam-db - - - - - - - - - - - -
-
-
- masterdata-db -
-
-
- - - masterdata-db - - - - - - - - - - - -
-
-
- headscale-db -
-
-
- - - headscale-db - - - - - - - - - - - -
-
-
- auditing-db -
-
-
- - - auditing-db - - - - - - - - - - - -
-
-
- nsqd -
-
-
- - - nsqd - - - - - - - - - - - - - - - -
-
-
- Gardener -
-
-
- - - Gardener - - - - - - - - - - - - - - -
-
-
- Virtual Garden -
-
-
- - - Virtual Garden - - - - - - - - - - - -
-
-
- Gardener Control Plane -
-
-
- - - Gardener Control Plane - - - - - - - - - - - -
-
-
- gardenlet -
-
-
- - - gardenlet - - - - - - - - - - - -
-
-
- Garden etcd -
-
-
- - - Garden etcd - - - - - - - - - - - -
-
-
- Prometheus -
-
-
- - - Prometheus - - - - - - - - - - - - - - - -
-
-
- Monitoring -
-
-
- - - Monitoring - - - - - - - - - - - - - - -
-
-
- - Gitlab - -
- - Runner - -
-
-
-
- - - Gitlab... - - - - - - - - - - - - - - -
-
-
- Services -
-
-
- - - Services - - - - - - - - - - - -
-
-
- PowerDNS -
-
-
- - - PowerDNS - - - - - - - - - - - -
-
-
- boulder -
-
-
- - - boulder - - - - - - - - - - - -
-
-
- NTP -
-
-
- - - NTP - - - - - - - - - - - -
-
-
- OIDC -
-
-
- - - OIDC - - - - - - - - - - - -
-
-
- ... -
-
-
- - - ... - - - - - - - - - - Text is not SVG - cannot display - - - - diff --git a/versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-autonomous-control-plane-full.svg b/versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-autonomous-control-plane-full.svg deleted file mode 100644 index e58e783b..00000000 --- a/versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-autonomous-control-plane-full.svg +++ /dev/null @@ -1 +0,0 @@ -
Initial Cluster
Initial Cluster
metal-roles
metal-roles
CI
CI
K3s Standalone(on Debian)
K3s Standalone (on Debian)
Initial Partition
Initial Partition
Target Cluster for metal-stack
Target Cluster for metal-stack
Metal Control Plane
Metal Control Plane
provisions
provisions
Target Cluster for Gardener
Target Cluster for Gardener
Gardener Control Plane
Gardener Control Plane
Monitoring
Monitoring
Target Partition
Target Partition
Gardener Seeds and End-User Shoots
Gardener Seeds and End-User Shoots
provisions
provisions
metal-roles
metal-roles
CI
CI
metal-roles
metal-roles
ETCD can be clustered or standalone, backed up by sidecar
ETCD can be clustere...
This data will get lost in case local PV gets deleted
This data will get l...
We can work with local PVs here, too.
backup-restore-sidecar for metal-stack databases, for big ones Postgres clustered.
We can work with local PVs he...
ETCD will be deployed in HA configuration on local PVs.

csi-driver-lvm needs to implement auto deletion of orphaned PVs.

Seed metrics get lost, but they report to the monitoring in the Metal Control Plane Shoot.
ETCD will be deployed in HA c...
More sophisticated storage solutions can be in place.

(Lightbits, NetApp, ...)
More sophisticated storage so...
TODO: Evaluate how to persist these metrics.
TODO: Evaluate how to persist...
1 VM or
3 Bare Metal Machines
1 VM or...
metal-stack
metal-stack
metal-api
metal-api
metal-db
metal-db
ipam-db
ipam-db
masterdata-db
masterdata-db
headscale-db
headscale-db
auditing-db
auditing-db
nsqd
nsqd
Gardener
Gardener
Virtual Garden
Virtual Garden
Gardener Control Plane
Gardener Control Plane
gardenlet
gardenlet
Garden etcd
Garden etcd
Prometheus
Prometheus
Monitoring
Monitoring
Gitlab
Runner
Gitlab...
Services
Services
PowerDNS
PowerDNS
boulder
boulder
NTP
NTP
OIDC
OIDC
...
...Text is not SVG - cannot display \ No newline at end of file diff --git a/versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-chain.drawio b/versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-chain.drawio deleted file mode 100644 index cd5cf007..00000000 --- a/versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-chain.drawio +++ /dev/null @@ -1,404 +0,0 @@ - - - - - - - - - - -
-
-
- Partition 1 -
-
-
- - - Partition 1 - - - - - - - -
-
-
- seeds -
-
-
- - - seeds - - - - - - - -
-
-
- shoots -
-
-
- - - shoots - - - - - - - - - -
-
-
- Partition 2 -
-
-
- - - Partition 2 - - - - - - - -
-
-
- seeds -
-
-
- - - seeds - - - - - - - -
-
-
- shoots -
-
-
- - - shoots - - - - - - - - - -
-
-
- Partition 3 -
-
-
- - - Partition 3 - - - - - - - -
-
-
- seeds -
-
-
- - - seeds - - - - - - - -
-
-
- shoots -
-
-
- - - shoots - - - - - - - - - -
-
-
- Production Control Plane -
-
-
- - - Production Control Plane - - - - - - - -
-
-
- metal-stack -
- kubernetes cluster -
-
-
- - - metal-stack... - - - - - - - -
-
-
- gardener -
- kubernetes cluster -
-
-
- - - gardener... - - - - - - - -
-
-
- - Manages - -
-
-
- - - Manages - - - - - - - - - - - -
-
-
- Control Plane Partition -
-
-
- - - Control Plane Partition - - - - - - - - -
-
-
- backup of stateful sets -
-
-
- - - backup of stateful sets - - - - - - - - - -
-
-
- bare metal machine -
-
-
- - - bare metal machine - - - - - - - -
-
-
- metal-stack -
- and -
- gardener -
- kubernetes cluster -
- running in kind -
-
-
- - - metal-stack... - - - - - - - -
-
-
- - Manages - -
-
-
- - - Manages - - - - - - - - -
-
-
- S3 -
-
-
- - - S3 - - - - - - - -
-
-
- Needle -
-
-
- - - Needle - - - - - - -
-
-
- - Nail - -
-
-
- - - Nail - - - - - - - - - Text is not SVG - cannot display - - - - \ No newline at end of file diff --git a/versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-chain.svg b/versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-chain.svg deleted file mode 100644 index 8f88ba14..00000000 --- a/versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-chain.svg +++ /dev/null @@ -1 +0,0 @@ -
Partition 1
Partition 1
seeds
seeds
shoots
shoots
Partition 2
Partition 2
seeds
seeds
shoots
shoots
Partition 3
Partition 3
seeds
seeds
shoots
shoots
Production Control Plane
Production Control Plane
metal-stack
kubernetes cluster
metal-stack...
gardener
kubernetes cluster
gardener...
Manages
Manages
Control Plane Partition
Control Plane Partition
backup of stateful sets
backup of stateful sets
bare metal machine
bare metal machine
metal-stack
and
gardener
kubernetes cluster
running in kind
metal-stack...
Manages
Manages
S3
S3
Needle
Needle 
Nail
NailText is not SVG - cannot display \ No newline at end of file diff --git a/versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP18/autonomous-control-plane-images/small-initial-cluster.drawio b/versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP18/autonomous-control-plane-images/small-initial-cluster.drawio deleted file mode 100644 index a75ee340..00000000 --- a/versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP18/autonomous-control-plane-images/small-initial-cluster.drawio +++ /dev/null @@ -1,234 +0,0 @@ - - - - - - - - - - - - - - - - - - - 1 - - - - - 2 - - - - - 3 - - - - - 4 - - - - - 5 - - - - - 6 - - - - - 7 - - - - - 8 - - - - - 9 - - - - - 10 - - - - - 11 - - - - - 12 - - - - - - - - - - - - - -
-
-
- internet-router-management -
-
-
- - - internet-router-management - - - - - - - - - - - - - -
-
-
- management-switch-and-server -
-
-
- - - management-switch-and-server - - - - - - - - - - - - - -
-
-
- leaf01 -
-
-
- - - leaf01 - - - - - - - - - - - - - -
-
-
- leaf02 -
-
-
- - - leaf02 - - - - - - - - - - - - - - - - - -
-
-
- Initial cluster node -
-
-
- - - Initial cluster node - - - - - - - - - - - - - - - - - -
-
-
- mirocloud (initial cluster partition nodes) -
-
-
- - - mirocloud (initial cluster... - - - - - - - - - - Text is not SVG - cannot display - - - - diff --git a/versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP18/autonomous-control-plane-images/small-initial-cluster.svg b/versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP18/autonomous-control-plane-images/small-initial-cluster.svg deleted file mode 100644 index a9d29f05..00000000 --- a/versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP18/autonomous-control-plane-images/small-initial-cluster.svg +++ /dev/null @@ -1 +0,0 @@ -123456789101112
internet-router-management
internet-router-management
management-switch-and-server
management-switch-and-server
leaf01
leaf01
leaf02
leaf02
Initial cluster node
Initial cluster node
mirocloud (initial cluster partition nodes)
mirocloud (initial cluster...Text is not SVG - cannot display \ No newline at end of file diff --git a/versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP2/README.md b/versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP2/README.md deleted file mode 100644 index c7f2360a..00000000 --- a/versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP2/README.md +++ /dev/null @@ -1,7 +0,0 @@ ---- -slug: /MEP-2-two-factor-authentication -title: MEP-2 -sidebar_position: 2 ---- - -# Two Factor Authentication diff --git a/versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP3/README.md b/versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP3/README.md deleted file mode 100644 index 5ce36721..00000000 --- a/versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP3/README.md +++ /dev/null @@ -1,67 +0,0 @@ ---- -slug: /MEP-3-machine-re-installation -title: MEP-3 -sidebar_position: 3 ---- - -# Machine Re-Installation - -In the current metal-api only machine installations are possible, performing a machine upgrade is only possible by creating a new machine and delete the old one. -This has the drawback that in case a lot of data is stored on the local disks, a full restore of the original data must be performed. - -To prevent this, we will introduce a new metal-api endpoint to reinstall the machine with a new image, _without_ actually deleting the data stored on the additional hard disks. - -Storage is a difficult task to get right and reliable. A short analysis of our different storage requirements lead to 3 different scenarios. - -- Storage for the etcd pvs in the seed cluster of every partition. - This is the most important storage in our setup because these etcd pods serve as configuration backend for all customer kubernetes clusters. If they fail, the cluster is down. However gardener deploys a backup and restore sidecar into the etcd pod of every customer kubernetes control plane, and if this sidecar detects a corrupt or missing etcd database file(s) it starts automatic restore from the configured backup location. This will take some minutes. If for example a node dies, and gardener creates a new node instead, the csi-lvm created pv is not present on that node. Kubernetes will not schedule the missing etcd pod on this node because it has a local PV configured and is therefore tainted to run only on that node. To let kubernetes create that pod anyhow, someone has to either remove the taint, or delete the pod. If this is done, the pod starts and the restore of the etcd data can start as well. You can see this is a bit too complicated and will take the customer cluster down for a while (not measured yet but in the range of 5-10 minutes). -- Storage in customer clusters. - This was not promised in 2020. We have a intermediate solution with the provisioning of csi-lvm by default into all customer clusters. Albeit this is only local storage and will get deleted if a node dies. -- S3 Storage. - We have two possibilities to cope with storage: - - In place update of the OS with a daemonset - This will be fast and simple, but might fail because the packages being installed are broken right now, or a filesystem gets full, or any other failure you can think of during a os update. Another drawback is that metal-api does not reflect the updated os image. - - metal-api get a machine reinstall endpoint - With this approach we leverage from existing and already proven mechanisms. Reinstall must keep all data except the sata-dom. Gardener currently is not able to do an update with this approach because it can only do `rolling` updates. Therefore a additional `osupdatestrategy` has to be implemented for metal and other providers in gardener to be able to leverage the metal reinstall on the same machineID approach. - -If reinstall is implemented, we should focus on the same technology for all scenarios and put ceph via rook.io into the kubernetes clusters as additional StorageClass. It has to be checked whether to use the raw disk or a PV as the underlay block device where ceph stores its data. - -## API and behavior - -The API will get an new endpoint "reinstall" this endpoint takes two arguments: - -- machineID -- image - -No other aspects of the machine can be modified during the re-installation. All data stored in the existing allocation will be preserved, only the image will be modified. -Once this endpoint was called, the machine will get a `reboot` signal with the boot order set to PXE instead of HDD and the network interfaces on the leaf are set to PXE as well. Then the normal installation process starts: - -- unchanged: PXE boot with metal-hammer -- changed: metal-hammer first checks with the machineID in the metal-api (through metal-core) if there is already a allocation present -- changed: if a allocation is present and the allocation has set `reinstall: true`, wipe disk is only executed for the root disk, all other disks are untouched. -- unchanged: the specified image is downloaded and burned, `/install.sh` is executed -- unchanged: successful installation is reported back, network is set the the vrf, boot order is set to HDD. -- unchanged: distribution kernel is booted via kexec - -We can see that the `allocation` requires one additional parameter: `reinstall` and metal-hammer must check for already existing allocation at an earlier stage. - -Components which requires modifications (first guess): - -- metal-hammer: - - check for allocation present earlier - - evaluation of `reinstall` flag set - - wipe of disks depends on that flag - - Bonus: move configuration of disk layout and primary disk detection algorithm (PDDA) from metal-hammer into metal-api. - metal-api **MUST** reject reinstallation if the disk found by PDDA does not have the `/etc/metal` directory! -- metal-core: - - probably nothing -- metal-api: - - new endpoint `/machine/reinstall` - - add `Reinstall bool` to data model of `allocation` - - make sure to reset `Reinstall` after reinstallation to prevent endless reinstallation loop -- metalctl: - - implement `reinstall` -- metal-go: - - implement `reinstall` -- gardener (longterm): - - add the `OSUpgradeStrategy` `reinstall` diff --git a/versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP4/README.md b/versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP4/README.md deleted file mode 100644 index 389a02d4..00000000 --- a/versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP4/README.md +++ /dev/null @@ -1,211 +0,0 @@ ---- -slug: /MEP-4-multi-tenancy-for-the-metal-api -title: MEP-4 -sidebar_position: 4 ---- - -# Multi-Tenancy for the metal-api -:::info -This document is work in progress. -::: - -In the past we decided to treat the metal-api as a "low-level API", i.e. the API does not specifically deal with projects and tenants. A user with editor access can for example assign machines to every project he desires, he can see all the machines available and can control them. We tried to keep the metal-api code base as small as possible and we added resource scoping to a "higher-level APIs". From there, a user would be able to only see his own clusters and IP addresses. - -As time passed metal-stack has become an open-source project and people are willing to adopt. Adopters who want to put their own technologies on top of the metal-stack infrastructure don't have those "higher-level APIs" that we implemented closed-source for our user base. So, external adopters most likely need to implement resource scoping on their own. - -Introducing multi-tenancy to the metal-api is a serious chance of making our product better and more successful as it opens the door for: - -- Becoming a "fully-featured" API -- Narrowing down attack surfaces and possibility of unintended resource modification produced by bugs or human errors -- Discouraging people to implement their own scoping layers in front of the metal-stack -- Gaining performance through resource scopes -- Letting untrusted / third-parties work with the API - -## Requirements - -These are some general requirements / higher objectives that MEP-4 has to fulfill. - -- Should be able to run with mini-lab without requiring to setup complex auth backends (dex, LDAP, keycloak, ...) - - Simple to start with, more complex options for production setups -- Fine-grained access permissions (every endpoint maps to a permission) -- Tenant scoping (disallow resource access to resources of other tenants) -- Project scoping (disallow resource access to resources of other projects) -- Access tokens in self-service for technical user access - -## Implementation - -We gathered a lot of knowledge while implementing a multi-tenancy-capable backend for metalstack.cloud. The goal is now to use the same technology and adopt that to the metal-api, this includes: - -- gRPC in combination with connectrpc -- OPA for making auth decisions -- REST HTTP only for OIDC login flows - -### API Definitions - -The API definitions should be located on a separate Github repository separate from the server implementation. The proposed repository location is: https://github.com/metal-stack/api. - -This repository contains the `proto3` specification of the exposed metal-stack api. This includes the messages, simple validations, services and the access permission to these services. The input parameters for the authorization in the backend are generated from the `proto3` annotations. - -Client implementations for the most relevant languages (go, python) are generated automatically. - -This api is divided into end-user and admin access at the top level. The proposed APIs are: - -- `metalstack.api.v2`: For end-user facing services -- `metalstack.admin.v2`: For operators and controllers which need access to unscoped entities - -The methods of the API can have different role scopes (and can be narrowed down further with fine-grained method permissions): - -- `tenant`: Tenant-scoped methods, e.g. project creation (tenant needs to be provided in the request payload) - - Available roles: VIEWER, EDITOR, OWNER -- `project`: Project-scoped methods, e.g. machine creation (tenant needs to be provided in the request payload) - - Available roles: VIEWER, EDITOR, OWNER -- `admin` Admin-scoped methods, e.g. unscoped tenant list or switch register - - Available roles: VIEWER, EDITOR - -And has methods with different visibility scopes: - -- `self`: Methods that only the logged in user can access, e.g. show permissions with the presented token -- `public`: Methods that do not require any specific authorization - -### API - -The API server implements the services defined in the API and validates access to a method using OPA with the JWT tokens passed in the requests. The server is implemented using the connectrpc.com framework. - -The API server implements the login flow through OIDC. After successful authentication, the API server derives user permissions from the OIDC provider and issues a new JWT token which is passed on to the user. The tokens including the permissions are stored in a redis compatible backend. - -With these tokens, users can create Access Tokens for CI/CD or other use cases. - -JWT Tokens can be revoked by admins and the user itself. - -### API Server - -Is put into a new github repo which implements the services defined in the `api` repository. It opens a `https` endpoints where the grpc (via connectrpc.com) and oidc services are exposed. - -### Migration of the Consumers - -To allow consumers to migrate to the `v2` API gradually, both apis, the new and the old, are deployed in parallel. In the control-plane both apis are deployed side-by-side behind the ingress. `api.example.com` is forwarded to `metal-api` and `metal.example.com` is forwarded to the new `metal-apiserver`. - -The api-server will talk to the existing metal-api during the process of migration services away to the new grpc api. - -The migration process can be done in the following manner: - -for each resource in the metal-api: - -- create a new proto3 based definition in the `api` repo. -- implement the business logic per service in the new `metal-apiserver` without calling the metal-api. -- clients must be able to talk to `v1` and `v2` backend in parallel -- Deprecate the already migrated service in the swagger route to notify the client that this route should not be used anymore. -- identify all consumers of this resource and replace them to use the grpc instead of the rest api -- move the business logic incl. the backend calls to ipam, metal-db, masterdata-api, nsq for this resource from the metal-api to the `metal-apiserver` - -We will migrate the rethinkdb backend implementation to a generic approach during this effort. - -- Try to enhance the generic rethinkdb interface with `project` scoped methods. - -There are a lot of consumers of metal-api, which need to be migrated: - -- ansible -- firewall-controller -- firewall-controller-manager -- gardener-extension-auth -- gardener-extension-provider-metal - - Do not point the secret bindings to a the shared provider secret in the seed anymore. Instead, use individual provider-secret containing project-scoped API access tokens in the Gardener project namespaces. -- machine-controller-manager-provider-metal -- metal-ccm -- metal-console -- metal-bmc -- metal-core -- metal-hammer -- metal-image-cache-sync -- metal-images -- metal-metrics-exporter -- metal-networker -- metalctl -- pixie - -## User Scenarios - -This section gathers a collection of workflows from the perspective of a user that we want to provide with the implementation of this proposal. - -### Machine Creation - -A regular user wants to create a machine resource. - -Requirements: Project was created, permissions are present - -- The user can see networks that were provided by the admin. - - ``` - $ metalctl network ls - ID NAME PROJECT PARTITION NAT SHARED PREFIXES IPS - internet Internet Network true false 212.34.83.0/27  ● - tenant-super-network-fra-equ01 Project Super Network fra-equ01 false false 10.128.0.0/14  ● - underlay-fra-equ01 Underlay Network fra-equ01 false false 10.0.0.0/16  ● - ``` - -- The user has to set the project scope first or provide `--project` flags for all commands. - ``` - $ metalctl project set 793bb6cd-8b46-479d-9209-0fedca428fe1 - You are now acting on project 793bb6cd-8b46-479d-9209-0fedca428fe1. - ``` -- The user can create the child network required for machine allocation. - ``` - $ metalctl network allocate --partition fra-equ01 --name test - ``` -- Now, the user sees his own child network. - ``` - $ metalctl network ls - ID NAME PROJECT PARTITION NAT SHARED PREFIXES IPS - internet Internet Network true false 212.34.83.0/27  ● - tenant-super-network-fra-equ01 Project Super Network fra-equ01 false false 10.128.0.0/14  ● - └─╴08b9114b-ec47-4697-b402-a11421788dc6 test 793bb6cd-8b46-479d-9209-0fedca428fe1 fra-equ01 false false 10.128.64.0/22  ● - underlay-fra-equ01 Underlay Network fra-equ01 false false 10.0.0.0/16  ● - ``` -- The user does not see any machines yet. - ``` - $ metalctl machine ls - ``` -- The user can create a machine. - ``` - $ metalctl machine create --networks internet,08b9114b-ec47-4697-b402-a11421788dc6 --name test --hostname test --image ubuntu-20.04 --partition fra-equ01 --size c1-xlarge-x86` - ``` -- The machine will now be provisioned. - ``` - $ metalctl machine ls - ID LAST EVENT WHEN AGE HOSTNAME PROJECT SIZE IMAGE PARTITION - 00000000-0000-0000-0000-ac1f6b7befb2 Phoned Home 20s 50d 4h test 793bb6cd-8b46-479d-9209-0fedca428fe1 c1-xlarge-x86 Ubuntu 20.04 20210415 fra-equ01 - ``` - -:::warning -A user **cannot** list all allocated machines for all projects. The user **must** always switch project context first and can only view the machines inside this project. Only admins can see all machines at once. -::: -### Scopes for Resources - -The admins / operators of the metal-stack should be able to provide _global_ resources that users are able to use along with their own resources. In particular, users can view and use _global_ resources, but they are not allowed to create, modify or delete them. - -:::info -When a project ID field is empty on a resource, the resource is considered _global_. -::: - -Where possible, users should be capable of creating their own resource entities. - -| Resource | User | Global | -| :----------------- | :--- | :----- | -| File System Layout | yes | yes | -| Firewall | yes | | -| Firmware | | yes | -| OS Image | | yes | -| Machine | yes | | -| Network (Base) | | yes | -| Network (Children) | yes | | -| IP | yes | | -| Partition | | yes | -| Project | yes | | -| Project Token | yes | | -| Size | | yes | -| Switch | | | -| Tenant | | yes | - -:::info -Example: A user can make use of the file system layouts provided by the admins, but can also create own layouts. Same applies for images. As soon as a user creates own resources, the user takes over the responsibility for the machine provisioning to succeed. -::: diff --git a/versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP5/README.md b/versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP5/README.md deleted file mode 100644 index 3b7fc45c..00000000 --- a/versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP5/README.md +++ /dev/null @@ -1,54 +0,0 @@ ---- -slug: /MEP-5-shared-networks -title: MEP-5 -sidebar_position: 5 ---- - -# Shared Networks - -## Why are shared networks needed - -For special purpose machines that serve shared services with performance critical workloads to all machines of a partition (like persistent storage) it would be good to have kind of a "shared network" that is easily accessible. -They do not necessarily need another firewall. This would avoid having two firewalls in the datapath between a machine in a private network and the machines of a shared service. - -## Constraints that need to hold - -- a shared network is usable from all machines that have a firewall in front, that uses it -- a shared network is only usable within a single partition (currently we are constrained in bandwidth and have no routing of 10.0.0.0/8 addresses btw. partitions and failure domain should be the partition but this constraint might get lifted in the future) -- networks may be marked as shared after network allocation (but there should be no way back from shared to unshared) -- neither machines nor firewalls may have multiple private, unshared networks configured -- machines must have a single primary network configured - - this might be a shared network - - OR a plain, unshared private network -- firewalls may participate in multiple shared networks -- machines can be allocated with a primary network using auto IP allocation or with `noauto` and a specific IP - -## Should shared networks be private - -**Alternative 1:** If we implemented shared networks by extending functions around plain, private networks we would not have to manage another CIDR (mini point) and it would be possible to create a k8s cluster with a private network, mark the network as `shared` and produce shared services from this k8s cluster. - -**Alternative 2:** If shared networks are implemented as first class networks we could customize the VRF and also accomplish an other goal of our roadmap: being able to create machines directly in an external network. - -Together with @majst01 and @Gerrit91 we decided to continue to implement **Alternative 1**. - -## Firewalls accessing a shared network - -Firewalls that access shared networks need to: - -- hide the private network behind an ip address of the shared network if the shared network was configured with `nat=true`. -- import the prefixes of the shared VRF to the private VRF and import the prefixes of the private VRF to the shared VRF so that the communication between the two is working in both directions. As long as no `nat=true` was set on the shared VRF, the original machine ips are visible in both communication directions. - -## Setup with shared networks and single consumer - -![Simple Setup](./shared.png) - -## Setup with single shared network and multiple consumers - -![Advanced Setup](./shared_advanced.png) - -## Getting internet access - -Machines contained in a shared network can access the internet with different scenarios: - -- if they have an own firewall: this is internet accessibility, as common (check whether all traffic gets routed through it!) -- if they don't have an own firewall, an external HTTP proxy is needed that has an endpoint exposed as Service Type NodePort diff --git a/versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP5/shared.drawio b/versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP5/shared.drawio deleted file mode 100644 index aa7af045..00000000 --- a/versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP5/shared.drawio +++ /dev/null @@ -1,121 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - \ No newline at end of file diff --git a/versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP5/shared.png b/versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP5/shared.png deleted file mode 100644 index b0b47f0324545ec159effc46f153a9b5b0c2450b..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 49790 zcmeEu1zc6x+V`OZ4ygiyBB6sIB@GAZ6lv*}?mBcygGj5CbV#RkNJt7wsURqVG@^t^ zNqy@e$3dOB@7#OmeZTwuzHi1k?!DGtYp?Y@&-y>PCqzL`5)XP73V}fIq^^nGfIv`T z5D1Di)(OzUv5?FQfpGOYimN+XyPB9=8AE8;MZaCqu(6ogIylm>i_x&L8M5)P>vM9j zF&T34a58b|bD1!~40#NgIC%_MdDyu)OpNr|!DC>IwXKo4iMg@Sw{dJNY%ENy;15ih zm6e8Fn4JauaB?!kSU5GmJ+E(SY;*JyPG%M`0i8PHNfB@*V{YT*3jTKG;nL&cxD2j@ z?d+_K)r<|K%^hjjBskf*nc2AzL!_@M%gWHOiGph@b4z3Jm!z?wr7dEJsI3vWmtbY) zWMO7S+?&B|tr0Ce?94389IPzt%&dnC7q>DtbcEa5fG!v_+u^fH`X>5t^J8y9Y|z+I z-}Kw&EG1oGcEYTR4h9aQcGpc+&3UZA3J}jY8^ayU!BmH|V`XRNV&+72u!{rg8ky^x z!u74eQ|3oRQqgl$V!Cc`p>Ja#%%2GIu|kp7m&)sgt>pvBS~2 zzm0UXwY73IxBIct(ALHVkn4vB_2F<^mmeQ9v9&tdbe6C%xa-5C1N%|9AipgF{Ksw{kk#o2H!62!jWB>;T*#`;e2^+Bt%wtpELeV8!3& z`|%y1`Ph5^9TpquJD44c1A^aw&exwLL0niuLL3H0AciaGJ31P}5%>cb%Yu*(#FCFm z2iM_0p#5)<4p!LzJ@Gg~w`1a=WCkSN2<%$*h6MNpZ2fn5@e`5%XO0^y+m8fgN8TSh zZ>&hf{<{wx(5DE39i!+k6g0Lm5=LM>5HA~B0BAn|6o5y#n>y%XVP@k5U5ED?hmv@7 zBZfc~1k@dNi6KA*ardW^=%^1jH3p{@VTT;?+t}y_HS#NP9itRdcN`}avJGx*rSE9& zd<4)(xcEnKb@T=WTk}ICL82y-F+T$%ata4qC%B>U(I`OH@7m?(iIDJlG!Z-U9y!rB z8vHWRA$oqt>%&DJHvI!Y<^KEl%l%LB*VxtE@ta&64g+@xsW_AaaQ(YbAa0N{@dFh8 zF|hrq*nFe?H?cX=BLBIP#D>(B|E?sladIfX%jXp@ZLJI!hFIPOj$Q3IKGYkf7 zY=qpigC7K}95Z`>?SW9i$84J)b=?uP97o`zCVeY&Q-p3a1OQ?T3?UJOC1VbZNa3Rn zYjYzbgmv|Y#?+7I)(;YfP?ASBF@V>907-w{bb=ik{%kBrz9JcL44^pvz;r?a3zAR& zis=OVQ;q|BOC#s(&TkH~W(1sW;yNMSxkNThx{u9T4w_-_&N2xpF&FTeW>KLOB>K=4ocUH>DL zWJjU}62AW@Dfz4Cr2sc~)^|iiSH9WSM<&}bO#ja(DJPPI|A3_bZMHS*ukOk(YVofc z*Z-95_3bTx5Cb@FBq2fQxRu0uBnAH=2KUe0<3Mr~i5Y*@;O0aE5K;_~_sEIhAoLFbhBt5uf;H z;PMcS4}%&=EItOZh(OryVU5E(1YN#Iz7&k%<{;3H@L>OO0PMJuKC&QwfZiiG{twa7 z?8uZ1QV5XYVWevPt2+7@>lb;hkrVxWIvOdb$8_}f@bR~k4I&x96#9P`ciH}eD*`)G zS%3G@Mxx3w?tG8(%NaYm*upJ=Pa=g(|NNd1LPnr~ijX)uILDlo|0)0l+~V&^wBu1I z(EdFS@OOry{ssVM{V9gQ#&x8!jsY+$$B_m-&ZfV^_eMl8z@Ou(gWo;I?|k|>X?LVI z5iCMR_y0K_eGgsy%p;_W{vXC8P8POr)d1gvg8#Ez`qi)hMNb+!!JWTnAdfkuhF1Cx z4(5me(y^%RpNj2&h(7vm`Xlub*OA4DR3rbgKKgm0KhZ}ZSEi3hrX$~Hhe#qhAjtN| zStWL)!aQ0q$B{z)J!AfD#^2LD|6B$LdCZQ%sf{gIpPaDruMqlci_+n9EaoO)h>boX zFXspcB@UpF0+i0MfU=8k=~o*hF#i_^p2ZRI?n4y#rehHh@(&T{po^J;r%Z~pj$!jD53Q>-%<->=M?veSt??&-a-~nk>|85W?Vh~7s_)jt9 zxarGwq|5$8a0O9abExl*jwu_@Q3?#nu)m5c9Ech=gw+4pM1O)SKx2Y3Fl0^5?`ZH3 zlD|k29y|KT1MXm_e|Ubs*CiqAU<|)i8zJgr;HCz206f7TM5W!atILQ+M81p#k)UBR z(YH3Y0=q$s0rTry+Z}eYvm+`|%#5v^jS=a(UwVF=M_7eSM-YSPK1wnor$6jA2lZNr zqD4eM%dw>$b~?iKZ5&L%qL9-gO1_TX4@^~~AK!j_xPiW*rRiY^o#`i{vmv4$M`Zu$ z`ghVBnLF570ZntbEOQ&H!&);WRjh0gQ2lMchy@|J3$6}pr_8PGY~haJCC6=Mgr@ig z-$2&B2?(<2>AytjA5%>KGs)aPg^|A=Ut&i>Ch{=;kp+$PaF4?^f;|YLAW#3l1lPYN z(Z5Z4OdlSD>m#E6fYpC!qJc5T;Q2UQBVhSYsrH`&v_G+go#k%=+FvI68-ezZqEX+D z(*FnAZ<^x&1MOinAHc?;R+{~*?*dd9U1gOPW1OdJyMX53DfuJLJpFAPGUF649$or#D*Vx4+Bxm&@5Gsh2n6R>| z?#E@VC#>2~0 zepGZb-i=Rf-fG+2O`M*MeQcV78EE8eI-6MQGR{BuEQvJg0`xX&_6;h_p~7Kiy~d;g zW&gV^=nPSumP3niSM+*+yL%foLud=yhShZEB_W0w3b)e4r#IEMV}(6~I$FfHPl|e3 z_qbFS`AP9dstO6vQSk4vx!$9viZUDwQE|K&WjHw!lRlz_;!EzqK)-n!BdNqkC}M4n zYSf)7>a_J>cerdWXuzgb37TGoVok@pVk3Uw#%9iHLR6hgcf0Y#QF0ilqNcuFzTJqA zH7%A}1vg#04CZfy#heU5MTK3`MFT%6+GG#LhzYyO>a*aYip>jPE*>vvMhWN}$SHa| z;)$5tR?b)~!>3cEH(NGQq1@y-Aw!zkK*sAz%QKUmk(9ID>h;b{5$CT4`S?H*RioYw zb%dWQ^VqbJN#uH-y_lgXMMawr?OspG0xPC{UKRFAiD-qV%WZ8I&t|+a90l#f&5=jO z(GTWsi^%2OcxX4#i~`ns-KO>$k=<>uQ2c0(vnMgg^Mxve^h=r2XzM+!Z@F?YX}_x3amZc5|RW?Ft6=^5ad4DytDc@lcZYo8#VUQBQ&&Z?LG| z6SnM37Y%07e}c~E^;KC%QbDu9wakykPrlJ}d*ah4Jdvk0_EXB|E=ooy+hiZ?EqklJ z*_sT!!eaHBE#G|FJ1M)|w4>G>#jvwo_!kkgW5iF;#>UROV0eQ6qvwucZ>CUEMrLM znJW@+E)aEvaGB3^Tv7%S8gP$Z^s_5Q1~J_E<7?mhmz4~j#j{>Z;weM*Wz=|-rc$7K zed}$lLjh?F(d8TH^5{i$i^C;q!)0$Dd#Gt#yL(CY&K+Wg3#x_cP+oPcGmdDhF6g&y z8@DAi6bdU>XX5k>0P(LSauvx&i9#%2m!?1ZD3iiR#-LV=i-K4z_6f=e|JeLfG}m)k zAKBrOzX>B_7ZJkWxz=nj@Se6#HC;%~@iN0EXC{z8lOz?gdpQh*MNzH6o{x;45>0!4 z8IY`TTQk9eq~n;c%|547$_{%FTxQrg8BBRgC2oP-ancwJhkRV`Q9LuHsr(@E;e7&Wy(DM;4D0M7H&^>S*jlNcW}eMG5gRq~Z5 zF$Y|5pIA*`Hx*jMLyIKy7cJ->$dn|WV37-^QmV92d6}z-Mk}9!UUKm! zOU;PpIf*W}t(EjUsrolLsIOnC62V7HBJ-4SA?$o2v@rWTacXOID!*yD=|JE{j$F~r z@G^d4dSwNa7q}cG(h-(kkSy*DpJISLg&2y>o=|X{ctq&WUpIRn{ka(R)V+%ZB1EM+ z0BGM--hGhaQ%?tI%FIq2atk^wCc;tMW(d%6^>tpHZ=yO%brAXKzEGW@OHqbr$Yw54 zWPn+NWh!uAWP%;Dt~%oUJs2!T3Xd1?of})ZZ(uVv3*(Gta(A{#2|xYHLu2DTpj56_ zbun*Lr0LMg!Q096;4ofu8rB?wPlelz)jhnSVrN;$53SB{@Zgtsi?BM`6;cR?C({Dm zG8IzJY{*rQ8Xc6xWj)%EiPu-Ek1C@Tnv(ox=xcOQC;1JT3bK)+S@igoN3mCQ>Xd2T zaeO$X$baE#V}J4KuCnS3xF9=FDu%NoF=cM~s9eJMN|*Zm?lEa`IgwJX39-teDN(Gv z?-Sj2-Aay&i@W}~S@dA5c@D+(*;pF~j*Q*Y-x7DpiUj$n)%$v%%S<<@2?_ahFSf~y zJyUFVK7mi3i$75Q4B8uzDEok;#UGR4<cxl$?vE#yEo`8e4`w;xnOFoYctJ~{O8dR+kgCQqQoS^TC zPFdZJ6x>&k5*|52fnH-Z!WNTu-#eC3BV(zxf&{z|-(KE?YmSqTa6nVgTB8&dR+amk zlbA0R20Gk`<~HiAQuC!Q>bK;4t_lxjC(sh?(nayvolo0gF*zEpqR4YguYY)@5|Nvy zl#`Dh=Xuk6bIgVQ{Us%~LiMr>JUOT32`){uIB+}2u-0?4$FfUZ687;iN+519?umuo zQ7zFeVsmF-rO_9=!aH3mD>5W6xR_7Ax6XP>pNC@w4t+K6 zxk1!bCQg%g5vcX9vxFGW@`Y-mTEF1H;L|=Su6JP>@rh5dU>H!MW}ug1B--x~D-BU- za>iTu+70H&Q(|zUV;K%Oa4$rO_TVv{uM6~FI2A8?r#73h+^;Wz9n;Z;6@`}CZ{fVz zUI^ASi!?9F9r5MR6q=+xS}Im-+A-}4mNMIPV(G2{_7p9Da?S7uoR%l*2Gq?y>APcV zwtX=OAh+DBFcyYRzs|V(@+5-nc(+kaRH(GO^hKV@3vB;J3ZMU)Zrp|iLyumY>%$bq zKW#VoH8T#V+aRAadvouF<>Huih`RbO7%}P30+nGu-%tH4RZtHl;$((Z*|hp>bR94h z2D4>D5qR->Zzw}NlrTyZ=M6SKW7yR$igPY~W_ULFz>`SXlMbC~E)is9VeL_=)J1uT>^9YOob(^n@!( zO3P%3h4kks(asbPQU@zsvpn4rWG^Z+|1_TR-40Mm3fSTcjhTTTTL}a!ES{e1vR?`o z)7-=b)RQLj+BNh?vYhykfLwHy$xlLwvr9Vq+nuf__c714U z1TflshtAYF=c^QuBqb-_Ov9uo7jU5;fC`@>nsOwaGc6kj;oX>kbZh!ynA zr}w6bW^yj}Q~;JwLx+0X-6;)9F|wjH0LAwEF>*f*MK+9%Nm0NBm58_kToy{}@foxjU$G2x4 zh#&c4+~-T+NWIp%QJYRT;fRrR0@hJ(^s&fq^~?LNcZtEcw>CyhEebr9rF)ZLuSmAL zE@6dR?V!S#kzGmlWz=0AL!Mae6?CgPFd`} zr8o*ELOnsEA7U#uw?KK&;jU*{l+Lb92+Sr-E;Lq5uPn=iG^58q>ud8=l-Yk8kXYCw z7E5#eKIFyK(%vGi>X$8^&&=DkH40x;+v>%vJ=M&1OnGL-==OP95%VkS$+;K?wNj@= zRj2D^GkdO|?UH$&UZUIzIZdl-y%J!MZ88z^jL$m3&;WWHSc>_KbE}i>N~)CEmaZEg zHEuuq$hQz5OFo-xa0fHOS4uXs{x%J59dYbVq7f8CIyBt zCsf=8H+L6b6=0?;Nyk%PV`1mMrmVJHQsnIOX}u^UESSFGVy7Tg3mCj zD+uG<)6q1!UL8PQCB*|AhC94c3B#uf3&$c8T1JMwb~f@}Bw}l#6V)ZfTli@VB{bYS z7%$cLzwXuI@rV-dEC*I}Lh@4n-p*zL5s|O2Z&%!vRMDYSp$Ji0DdUVxTdn)L1qO6`ZH}OKS#08_E^VFLt-W=%n1clX{iyG+1(Wl;5K{+Bad>%p z`bnMwEcbimhkQkm4tOqen+yvjn+gujGH-vv_P$}G8AJ$`7#OrKnP_1}7 zZ&ztE#*3jHhRrs+c42zuR>ds2;4N*9NODE6uJlJ0`Xq>TvE5_CSDX;U$T$xt4Q4a# zC66&r3@kpYX*Z8Qcu)O9vv4RD`@I*OVhU--0c20Zv3a>|-xc1yWi#>!!+U=_=g|We z=T5LT%UJRru91|=9k1<~IA~Q(YrbNp1bvFh_U9QWJeEl-yHIZT9=EM7q0RhVLqRg5 zXRZ{|UDSmGD&kb<_}wc+htmFllee9_^tGOSd`_AOc$Xh6Ncp*gX_|Ms-$2CfTB^X~ z?sk6tJuWEjYM2(4O> zi3{N2N9Me@3Pg6rs2b%akDURL1-AUj`-u zJ4{aBT#Cp}4~%~6vXnKK;X_B5n#YXxVEAYk)1c<5pR5B^bDUI zhMQ-)-b;05N`&+7gJ+(kFz1Hp5wV0KysZQ&vS7N2TBsNqd_LQNnI5v+htU^vLxLF^ zFAZ?S;dxG&1ks8ZMg}enyu%y5wetS`WcKH_nTv*8<%kJVbjT9vCdi;-*kFRso123B z6D?@=N^TwQ(TeU-;0X$j5jJJT<}9e#S$LbQ@gOmE>nRKlusoy7AZX)L&p>G2b&@-# zUjFeHJt8bb3`T<*>}z5PDh7pfaK8${B%mOIyP#wpfYzG`*Fl5qsGk%}IJ2b0ymtn} z3ZYrJlCxszsGv2)s3(KSVPE>3XqDVAL0>C@F&_DsH&21UkSQG@bys?#1@M1q5fKP` zC75AVmaJm4FW@_mf|dDoB0`J|ag;=A$+yY_8BK4MiR?7MVzr$uvJ4Rm$VBB5ji|}9 zQdZ6nLA|61-um0=%dLbMeCjBPRJ1HCQ8xManhy3ogb9YO2Qfok?;}XSImV{0*nA%v zfCHP%W}9i~NfYz61DXz7?Lr5i3{oHrGL{yjUnV>Y`14ZYYBbA;wz` zuydCb{srJ>K^1%z5PNzgB!<$b3YJ|yrzdd*8ZV4e5S3Y**I4g;a0`VU_eKX|Jtu+U zrk#B7lo&y1O=treST?)}`|i8jsJ%D9SdDJ!dIT}9V7&89GHAcEXFuH)9sMY=TlZ9t zml(<>BIdw9C+p4x<~q1chzdmGtl+I(m(8WI)7&wIrxcr8!Om7!FsNG3V92Biu}t4i z>_#uYEJ}#+5fN!S-+o^!1PF%`5mpd6*r>R-`LBF{!i~6N!Y!mY6`TDL+GERl)ooGu zLAOGtlrQzGIUb|O5=xshRRcNAZ-DW7(X=^-C3#j6M4`) z4|R^hl8h+M%-2-diQh5-b2|IR+Eyuxv8Q>o-OO2T0H%mt=aR3Tw+6U1(=T}Xc@;SO zmtIJT0*mnO%AnOW0G5y>n-n`0;1U(<)xsa<*W^88e}f8}O^`MXZ>xw}`_h*~%5KCM zLBZ!2cV)jNn9>VtS@oUSXjRBy-D}$RGWZU3_sTuPXK8`u#2wjaiBW7$-GmNfSrSSO zTRRx4%j$s$03I(}CWb0Emq~X%(LTdnGS=olPC;dx-r%e!n7%&zx_@+Lab>-ugw^{w zUwt*@C>{o!{8A;yZ%`f`6jRX%weY)J@4ra3g`NB|mc%Dc&tdt3jOop0X})aAvyjrM z6^yLw$;?ki$7-B02yWF!dIsJZ@%$9+@6n$jEH0y0NP4=`)t80C>fxVra0Jt0)QrPYI0zngtKd`A?mymMX|cVQ z^qWRN3f@;)lHQa6?|rurXPvJjg>=-$LYrK!SDdXpz2?a$+uZbYEE%R9&2-Ows@v$C z+lG$3HE|`@Yq}Nwa4iRWI)GML*?YXggq_3UeIR{h0s8odrBC%>>M}nHO*rr7Vps{u zt-$f+g9wuIn$0;{TG^}}HR)5On~9HI*JhcZL`*&>eQ(`f*JX6H7$VbfFlx_!l{j&R zhujTkw!I7GqW#880#^`|?5}Y$m)&EK+)AUI?Dk2tKxrZg!KTKo{jJUUfo$4$p?ehFD$K!X z_4qfJ7x?q7n{M5zaa?7Kwbsqwe|~G&MjZ#^4zZ8k_{kdA{R;*iw|(=S@-swB@bl$b z7z6vOEYCelZG`N|EsH1g^`L8|T#8HyOZ9FDFb~ZM+FH3oLz`cqTzm#Y%(s-tjDj`aSvm_fy4z^udZKr;p1xXbx)S*W+XDaByRhndIW1J65;D_jq%mI5T6 zztQilu#ac6;kl757kcVpQ=6VQzi{&xnh#&Ew>wPsGXEZ}&F#SJ3pvXvI+5WN`(2#tXrMiB2J&%3);j( zfdv#v?cXc&T!gnp9-!1!FZlYkLo=ijJ4j(SiEccU%43Ahe2(q>T+|aqFH6sn`&uE~ zX(aaH2T>(9Qzd3LT;;Fh28ZpS6o#-i!`0wQ^>HwCVH-j>(pSGIXt0j@wSd; zZs&APOoTKSa|h$zU4Ygd()&!t@s2#~{~L0io2EOhqb5=*u;mkVgN` z+-2D@9nM^}tIEZSdMG&33A>brqfaVpyf?W}CGgvVbZC|L>SCaoUc>vjng!HB1oL;4 z%?IhF@u}(hy$MyV`2z?hX@%mr@Dys)%>j(foClU{|0A)|(S|vq8(G&+Ke;<4n002~ z^$TPwoB2sl5rAM9Q{tIAMZJW}_bL56@lkn;_}MX#V|{bMTr zd$g_f5|=qP7f7t|9KN7(F-g$Rs!60)nx7(Y#@cgGia zzMePOaBU+)z1$LSFk9ZgDfQs|t`OyrDbHY*bY>wRdRUU10FE<(3ZweTDbsMtrH0y9 z{HVLAD=nCmbgmZ44;AfXp7+FEiRKm+Fg7nEx%c8lHKsuCK5Kqlu5bG}5^9alMlGx` z|2hJRY(}zyItR;F9lm3jWp*7RjG9d>=+n3#c?oHH;zXkF1`a$FSHp0sJo{3)>>3&` zLGy>?0>zC`IP{4?&ssv=aGT=2mA;<1`MF{F1y;im$LXhWl6w(RqORw-t@uca^aAeZ zDK(UH0cEpi?_}e#Y}Djv<3c{ZFUT1M*kg0p;5;JB@)t$ z)BPARm!-M39G40{d>Vgze$7-ypT^^9E>iCKc@0<&A6lPeCNtu$VHxm)=ltwh9PeU@`BjD)}nL6 z6JrhME$;UOzfjv(@aY&#vtZqFTnP4XvB_KQ)vMLn(+*CW>r16}i2az)WJ;_g8o^Be z+&V`-r6VduR53@<8Ur`hxASY$Y0r2YuzUa|~%GDh_RN2#HF-)&B`S^wPdL;3i*o&gGxGhnqxpn#4K&!j6JiN%zfQXTlq!FtSkFH^2?_h+d{I(~eA4i#=DmF{u5@r0=G_|E0h zTXP`_)N{*CshRNAq<9Wfnks8;Vsh7K0$%a+7aPv(Cb@^ubDnE<5xa@iwJ=;61JxC< zpN8Ctp^vmqRLzv?iGZqGyt2*EHsBw1Gd##EXz?<8Q^VU>cmwB(USspZa)kbqurxw! zU3TjySnH=`E#OTW?y_s7B>h;y4v(k_)6+KiyW0k5w{o`(#?Mw9_)&NX*QNaY#&E;{)<#&&xujmOlF26f(+LzKk z{q)`|(`v~`ik9^%>o-9lO-Oxf7erFaX%We;$#ISH6Z~c(_3uXeMs)p8;ISBY6R8n( zzed&q5PS63I+)&P)Ho%dDj>eUyKN7W%~^8Env5`z8_3m}hejFV@>P-JQ3o?Wz)g4* z;6uJtJXuV;WCJCIK~P@A(QgtmaeJ=p$R~xWml?EF=S2FQlTG&W7_(GW@~0pp6BZ)T}JhF&MI5& z@H1ETJ3a@p$DI4vvb-4sbWu;FpCS9A3UkKSTXVzbpxs~MDK_+%dy7`qam3cX>e1sU zjyeio>5pK}4oKoI8Bc>pcjpeIUD9;1c!(PA{n$;b{pHK`Vt)yybAeEpZ|0@RHBUEX zDmLF-%bwy~^~_W5_#aLhJ!KW@eVsn_a$}j=5R*YDfrU*0gUs~cw?ydM^ZeEo`Av2m z7i7qZZ|jU}L_STgzdnBAmeIkNCxHX`Dhw)uAlXaGY7lT1B#t-j z)@EhNVQ?{FIS||@BqU6e*#Tj|&IqvJ3m(&NODQ~V!v;b+=_FKY*=`khv`|mhUbUzGz z?Y1TP@PeUbW0x9f5$_k}tChS}g`xDEA2K(oyjh%s>NB@C`L9;p{2Fkwo1a)vSfo&s zSIuj9*!(qLn-%Gp%GWD3pOUo(%&9L-v-BsZro1=InOZMUBNc>0@`u+Ydf&P!mU{|( z`MfUql#SSaZbR15d<=51zeB*aysg_liTi2zB&$J3TemFc%eiP)*!emFp>^JHyVYF{ zjsi85`pAPYrbSiYM}H;xJfhSwvC_id{cskyujDdy@IBcxc!owbI1A%yB~ibbpL)5G z|8UZr&e1G3Ns@pf-8&A2{$?CWBs`|)N%am@SOV|ab85Cw6j74EJ}n1ihewseXRaH|E)17YA_@*T z%m;6R^foA5DMCfl6y5mr2GiTy8<(7i5Cq9powhxmhyz*kW8xt125IV25Q)HmJ%7O2 zdY4AHo-fS1$?iQWD2fOHDLNt`0m?&^Q%xW=w$;m-J{Bstxv`--jzP?z+E#Ab*AFT- zaL;k!f+UB6?TD4X0&OfgEhATvluHnKUG|+BsS?zX`pt925?}V7X3oEP7&uB3vlEJ% zt5AFCtBY;Xq}e-fL1y0S;u2?uflus~pUn#O9xHn-n||eCkdRNx@w*e=es(%Z(BnD= zhr{L>YRON zmf1-0)w&Jr>y*w5liO)yDv=ZyY~I$)a~mbWt(mk~_?5fT3&P8;I=YqNNuGHj5|J5r ze}g>Jhy27mX>w6zhG=h^uz#u9zy%Dl-JPK#t!O?sILNk97O0h|Dky<6oR1^rlEU~! ztO5c8D{E^?!-1GEkW+Z_y3FuZTwzJcm2A1>{5pr#N%1WCR0>e8qeK!Hgm*4ziyI}7 zrecxFJB3OZ)wt4abu#e7#hthd;!tDX>-XuR{fad!Emp@Ti{XQh9Jr==%wG={o<~Hc zGUMR|^N3KL9v3*=->`OlP!8T|J0}-mH;5Y$pWu4XQ3qX<4L!X=P z_&OhM+1)?&DDbV~^`Rs}7aKmn2_KJU^QjZ0l0MpK#TfIsW#&t8Mv1#i-+ojURR?dQPeGQ{Zh)LfG-3=TktGKvmU+-G$H}Vq2Tdicb&{@vj(&G_P zUcYUZ`uzfRez61B{LkI(<*%rNmu|G_5O>QY!`x0>JP{@~M6MA3U#VTdS;nAXZ;gPjX$YAOW>1yXfi>D zUi6_#WGCg5VxB}h;bVP@q89$3n*%|C*S;uTaI_k|OlK^HQ-bv>@gxfx<*obI)&pn0 zUKt*!)iC9A`>agWsUwg#C|`cLnU9GNa$D8WL}&V3*EL8}qIH@gS!BHiyhhw}%cr+1 z_9E@6-(-kT;b&hlK0Kw*rh=wK6}Ivz;xR3ALDAce$u4)=2#U7JS|t{*7ENV_WX$z* z)v9kAn)pj`blz~Z4Xn8+;}@jOb62j2wPas4eQ_nG5loBe= zex^WMrHHpmd0mZ3H#{>qBLBs`@W9~BhjNL$JZdBk_Dl~d)ms$BKAh}!g-mpg2&l$Y z7QTVvC2}j#Hwv%W?!iQ^a)54Z)=Tm+Q=VV3Q0PMd^UdGDZDIlU?jWX?T#pfT5k&F34W8d z-$t2-t37wuK#pZcn<6z;Fy<=W!thD0&1CG90g6xOGOw+&ne}JMuJn=Xl-!ERAmw(V zX7ftoZ@X^TSlnCmfq|Pu{<&#)aOU_@tB?NFtGv$1V(5(jf?RA;KUHuJt~>=lSwZ7A zz3ctPu@lrgIV1grI^`3otV==W#0^@UergU^Jj=Jw;ePypbC9>+{H8jdj7Qp-Jn|&_ ziMr|!zQIj`3QyU?AKI^9G8-Plr0Kzk7AO*}?0MO;+S6%O>~eD$#q;rkWmp2&iO2)j zuuHEJ4Hjn8UKnA(`F61{w7O)Y+N11dx6hPP_Hi)0A$|T}?QKG`Lrm3kR9G;5iOM+^AOdWZ^N)K*(L2qPldkkyF%+u=~EgozFy_4tl-rm)wvu zKE3?99_>yn{hd6+9D|*Xl4u?&gZp{v5*jY5HhL#T9#`SL$#Bl(&An0Z=qqe_xVL`q zYHU*Jhj0oGV6=Y~o2k1HM$D*6$a(H%GYDgW%v+2td?A>YzBw6pSJY*!39`#s^M3rH z88jXPPFld8=5g*Lk0-UO&DF~M;2Xvaffds{rMi>9JuTfyd`^1RSlBK#zU0oHLC|M5 z;{5#7(;d(=4B?u14<;ie3ErND8{xRkk6(^mqJJX1?MZC6HL2egzSCG&s##`X5ge0Z z^kQ@@Ub$4cc<^4{7)HAHV{~!vp zI8Y_BIKQ@Fmdg0UeR{zd3P~~P7gLgv(LCk`R#ditcxpiW8E zv`_|kkpoqhS|49OLc1p^-!d#&J+-~oRA%{x`K7tC*4V3h3q!~GR}}5niCdqAl-q5* z)Oe-=)1q14wOFN>(c!>o8u#`gsnnvn>FhHabn8<$=dSyjnlYIHe4z3Cj{ei^_G?ir zD5G3o6yH2gkQ$41r|Bk9W95srVcC#ngfSnC+{b^Q2Y^tCerMHs+D=#WI(=Ms_{`!am0S1A{IP7O?sUa9=iD3R z!nvnuW0UNLDz4TRbl{VPmXH)ZS>!HJ!IdpkU%u>ezvMvZ?PISqdsp$Ax69{No5B`Y z;h*U|V|SD=C;$|<5mb9CT(`s7y1joy~58H6Eb&ci_64ngBrB z$6y56H!uuYHgw`CsaYIs;18o8~kY3TF7I-wVh1f=IG%ElW#^#xPQop;^ql-QezwI zIPESCmi!PwV0Pf{taDn7x+sZ1{VYLgY;J#VXMU`n`}0gsFsR9x0;XF$pWCB5DvO|w z(vII_H)+$hKMe(xv!Z5OEWE8{N0cjr`nn6=`@1}L6A(~Q%CyKj$WFcy7(m{3n+*QO zoTHMan)5I}7e|m6GN%@F3Cbf1>dwcjL4m(ys(_b5zVc-ZbWqjT4$8$@ZQk;{EYYLX z)z#(k-shX`O)h}Ym=9*TZmm$GqM<2*qP_}?SJz+lrSM;s2qR4ovIq5DZyVfBOGc0@ zM!iTE#Y9I(&;3;N%~6%X4x~Fs+9Vh7todLHO2F+vwKaw|D1UGFK|x!YetH_0f=`{Q zlPpwvlnCPjNL_P*+OMx4KP?-HKL^9O;Imc#T4 zX--C<C(XS}B9AycTIy?Ms6BgB37znGY3`#WG^^w!ca7M))~H z>7WjK5)_5czbZI`Fx^kn%29!`Y#z7IzhT)MJdKw3qnr4O;O9QM6oEKO^$nrmBw_y( z`U4r_-R*5nwqtd~Pw&xo?ryJ@A?jE-XS!orQ}{iIru)xMO--Q*3JN;uxJJDI#cg5d zud3GG^Yrp!b)rA*j;6ThhA3oyH4CZ$^5s9ugX;eK?UxlZ#GsEXUgfuY_iW~970E0V zg2GqI8}dm`WaV^(;m`m~m?Oq3P}qFtimoz?s5HTp%lrwD3FgzRFiXGHXxu~cakNsp zy}h*mQ{~MT)VFm`IM#2f#EZ3SS?njp*01^zdH0G~Dk|R+0M(^34>+X8?%4}nR?1ek z7YaX%G1CjegN(3&8lUN*3?HON!T@sR3X;uDc(TE2CAyb|;<>LF-8tp*Qno6peyUI^ zm0uPl#pM(2$x7%5pChug<;`#pFs2ldEKhuR_fCe7Ingz&X3S>v7h%^x=CQu+Sn`%gwK1W|lB7_Gi<5xqiKDTYR zbi<`yS2|c6<%|k2^2KQ->S&;^g?;-OVUdvEDqHtvNPwV$VuuPao|&J25T@A7480~3 zp<{GE@vyK0;j`GVU)m$axKQHrvG`7dGyEZ9Ksp#;!(%>ZtVneS+699t5-Bi)%pA(5 z0wQZaE9HLqaLeFPPzV4r`Luq1Qci~(5kmog*%2U0OAJ%8;tt=BcoiL?Flf6#7q5(% z=jhRYZ#r!X_-@r!L-<5|R$V9^OV(HNI6Xb)3o&n;G94xawzY%UEMK_CMmsHEV9*@O z3zZT3txmtBFS^H@6dUG*;}{+w1`lB;R(F9zGsxf(DDzko9<4l*Xj|u-1vT%sVva7? z^h%W#wnM?p-JQ0NlDfb#iYt~lm zc#@SM^Q5b83c^^r<%JD7jZ!+Eh{9rS$O!pJu=AN*$N|!%uB}GgOb1~_(Z-l4di5O3 zXB78DDItUa%@ZXJ!zZ=kU~^#9aJ)09+Ieeb{=;*d>#X!F#_iPVp0G%im2*BqqL1%D zcu`2PCeVEnN0;BBl@bfNd>Yqoio_e{M~mtdu^)O*DMCAp^G3@^F?g|sK*$o3hu4H- zd){PVDF(e6<*2n<&>D5kwAUOMB;TYW6D}ORQ&a zy+r*3EY9Mp57Bby^e+{FD$+^4Px_)*(ik^yzZVf8?S;_gwvhT35c)LXI=S{eINN6R zl8P472RhnHoqB??l99IpQ|RKSbdWC+hDcXfzQc?nYZid$p_!qkF@j^&_<|zk7G`X9rx>{#~D?Z;I29-44_*t0m=_VjuQrHt(5RJ;>l@>u=4?CACA9B_AXSj-p zD?YzQg?aW^V@`1RsGYdU7QxqOqM`4>JH0~PyvU43rM;?e?AaXi^47R|{Qzzeev5zL z6^daLqyBwag|CDV>cAmd0Tzv|je{nIY+u_hONh)6#r3affvV>oe;H* zY2F!rbIt*3+6Jd<1*dkT7^tMtAiH5?dh}1U78`m;O~v#~1M&RXiZzObKYYn?-h;^& zl*VSg8V3?lYQ${sD-}naI==Q+C3#a3M=2F z5{T7{xB81HMg+zU74D?ea~B}D+}3a&G>gQYdNV97`e~EDg0kOQJoMz)HTU#~!NtD` zkPlll(e|Ir`V#!y9^!bh^t_>Y0Y4Qs*T*wBiyzX&T`--d(Bfjr1$MvOka1Xy!L|ji zWow;Cx+m;~pNK-XZZTmQpE>#lAbFo<&dpdnXQ|Q=;J}*QA%1nkHM!zS^X9UVVO6{35#x2 z@b2Zd_pJy&O+A@5ubZD$8&9fbsA0CAp6Ij67jSV3O}wOMV*%AHbI-?i0bNX!+$OL( zf9AcuPP#&4(zXI^;q36uSXHjNhczVTl@n**Yf@+RS3Y$mBH@20VH;+zs=}zr8Xot$AY~tYHfQ!tPm-AaqBaCb6?VTa_C=X_DKlxARGS3_GvDRI-}=Ku~yxU zi`quX66$PmH9!r}WDE12j77!wBd@b3ees0bP$Zlp)1YFSMfZK~2~1q{Do>9pF5E`r zHN3)uThc38;?c3^dn&s~>FWy2+V#s`-8Bq*qaTLT5{t5m*l<;$=o4Cu;8y5 z$D_>i=i+$%FTQd~6qmtI_fy4LN_&I>-->-+Ez|L$bVW7^r9J@KQ}iNMZ^9~cg;T^o z0ey7oWQRyUXO>ow>-ljx?3)#D32)RahNu#uVp2MX)u+D-Va7k9vGzQ6Rlre-2&EsT zS#s3L(`PkZS&pxXWQzOpB#@ zpX*r1owB`IOJdHcpT;v6W_d9qN;IBkqTj;&ty8Yc5Ed+~HvK9`p;L{pgBJyAa}%an zv3y6%0Q~Gb%^a1O_Rs83IG;Cr)HxItY23;tvyus=L(9IX1DLMKo1+UH1?BCB_Mjq` zYI;TgIVM^WQ-y-MKl!b6_TIoKp?)leOTm}Chi1+(j#sUVa6@#kJueR9ES@wYJ=cnf zr6VNCaqWFEVO@inBK2!KQz)fS1(v-Qth(ZKd`)GXPls#b=Lb8vL_VN^n^4s(F#W3k zl#vV`B}Ky(7a_8eDbf1`7lvl!*hO%Q&^*&hnd(HhNMzN}T^#H&aXO{BQ&{`suMUUR zo4rebySai7w#;DlnHs}2_=Upw-W`Uh^Nj|(5daRV8FBPeJ5Tl(nKL?Y(wS(JG5O%i zZB*-@AAC}+jiX@dd3Nl{Tc)mk2M^d-9s1|ep}HB<0IjzRwDV7MUY3_NZ zJ5!Y5(n4%7h$>$#wA07|KK}BCBCwv;HvX)RFLw2zP?`K4!nEk!={JqHn!SSr~;gHD& zN=%qwAGY3sZ&wm0JEDN@?ZRi^8l;Uc(kR6~d+q3B+WlB--*cBXpSU3CQB04%tB<|E z;>!-ksMDN#+It^z`S=p{~_xwfZ__4u+d$dV8Pv;;K41p zyK8{p5@ZQ(OK^85NFW6F;FjR7!JS0{1P=~*hunMr_x^gRQ>kKW&P-3AnV#OKj=&8!cM}Idwuxuk75li`!xAk8qJ3e_9%})Uk!304Ek0QlNN;|x( zoTopRs8PF$(HL#28`~9^oKJc_4bCw@QaIl%F$vh`zYD?5{)#OkfcV}Bg%VdDJ` z{BmwD$-VN|_leVc*KL~ly<4sim)e%26_iE<-`s5{CKBaxyhIwVIT1m@viCGj?aj>( zGgb{%>qt*pvISn5TN+`{*<7k(MEwxnzB#JBegJHx)rg6iBMe1AB`zn?E{^*YwcO-n zG1|aot69iQ!sifi@W%_pak|x~q)f?=A%{uP*ShKuOl<=|=BPm|6`d9OHE?PaZ@!1= zkk;OAFtq;-m_!yVlX*Up-Fo#$!`th0q(P(Jqr^b%4c1v#EpTep?X)0?idyQ^$6)~2 zI2%mg8ufe__VD3e*6Nd?*eq6VXH|Fbp&O8w=Bkl1Iug1|{usK^T5SsNyuLM*JOJPd z+k46?4`&Lz-y>4w?Y+*WCTUFT5aN@``anGCKqd9~arnX}ut2`5VF7?SIjy$_QTq#r zfvWQYMZ)LSbhsQxc~Yvir6g2s^OP(Og)V>joW4E;U{J>oKJXWMkO|q@XdtZRbu_Fe zCi!+MnY#3soXhq4%7jieNnZksP4Lsbd%qr9*N>CyK)Gm4wvCxsQaq?iIlsj?3=g?C z^?z6ZL9ah2UGks!c>9$pgSG86&Ce?Op7Dk3xm^*OJ4&CIp-vg1c9@M7i|D-(K|knU z6y}+l_QsKuhF_ES4+a&!d}XbyU2cRCZOzeN{7AYEPVE1gonPf?GHchXzm%_8t4?oa zzWK;X9p2UD{hOgIwIr^-X&hQ3qogWL_0^o7Lpg&S>OHet2;{y?jFShdr8|Jo&qPYE zQ%akH!rVV|JdcZdA?f1(1|+)tJ${dVuu9SO*MstGdte}6BRR2296RNKhBmEgy>d;z z$=NV=?Nj#l?3eHe!V`Gb9A50MwbmdBTE=&mlWPl)W7h5d7f6WFX&(bO$a;NFM1j!! zTrt{k{d1ja@OPPd*glr~;~wwuj!aW$Pa=zo5c>Wa$sz=%?a;73={lTLA28sGH}VM+ zxw9*bPJ!4HGlpyy-gUcQiep_vcYgc9An1Qk#Q>@PXLKT$Thbdoz`tY7lTl3R6Yqk) zBp_b9J`GwWnk^^4%5BGSq+YG@LDl8Ri%-qQgw9a|cnbFpVP2_S*2SsXaOWcG@atQT zzw9@+9zEkdE4{>jXcBNGFw#d2qHY20y`OJn(rsnpwwj6$KxxIM{tBra9{%n2cz`j> zVuCinLEZzP%QP6&46HWg)2YeB{t#CYOisE=)%ZO@MqlKFrY`H1t^ajyA| z*l(VY_t%P%Ul6=PIZ2CEXE*hZ$q|6-8^-I=i`F%t?bcZEx1SeIsP|YjbX=|>N1I37 zaS-v};<@{891B7k49q(&g-j8sUchgraU_(6K@K3hc4YW$YbC>Q8og!FLMyWun+^1wUKlAPZA%?6(`L11W zRWWp`(;-m1@~1l006Bp%-91sNI|&8sIi=(u9-}k&=}srw{Ia(N*uDhE9GCH}>1edb z`p^D(AtY6+{1ngie$x<9s-SY9>=puKY0f-@mqa$r7s5`Dy?#Q>0%{=>!1C zAnXRUSqo>O(_EO(?;F@nZwzr&*txPA$= zL?cyJz#|elTQW#%4gI#l(CEqMj!5CrZ;Yk ze5%`2Ew8}u=Q$DQ=dQBq0oZ945zCfzy1_Hq}p5lFDU`c=Etcd zt<&U`jC#lVySgs7dj^*D!B7CPhvH%Kvs54DF+6sll2i}>a`Ncy-pEJW+0UXB4<1+m znnSu)o1Bvh4&1%R+D%WosPWZa35@w3L9dZ`Fo7`y{O9YivXm$Ke zJ0>>#)3sJd5CGq1etnkb`uCW8wp^RYrs}D5t{59KSD_CDva#mCt-+v3Ld9k?ecBAi(xgHz-5z6>z)ce12T3*yykoXZJx;Z(Sc#k z6D!gW2&nk5hV!zDr}1+DbUEBQTRR}m<46MghH~g;=cq6roX6bB`4R%a?!q#o=cu;_ z76I2EPEaEuvDfzwW{3VuP`f1*h5jD`(XJqqf>Wv`TR->VR=TBPw>tAH)!wM54VRPb z%N7sEX>1#{$9z!K&Y#11`7{w`q&Sk23a+-!`xEhHzsz%s`^5LU+tzm;N8v|#)>8Ez zW9mYlnJ>XpX=!AwSqJ=;@jkKM=Yk)pZGKnr0?EZek>MW#*&&f137X#SFMSUE1?<&d zR+aw9KRSkQEAaNU@W~pCWJ}8#{I$!jC$oc*X2AE$1+)fi(Bp533XnPTGjLHf#emPbQqU()kdR%Evo^ z2Ihg>BK*3CBb}p+!@8e|$L^;_=C3}J9rkket;d*Qp`S+e=pu3WuL#7(uTYWhRK%Yo z`&@s0MSDSog2xK*Bs>gArMybPkQ-m^uNbnJbt~9|Vw+dV(ZX(cN`qd1jic>E+LM?_ z#nbOf-eV49ov(f?+c7MoZKSlP(xdj~33@j35xP8WBBM{TxlF$9=PS1G2Y+sFdLfDa zvR17A8Vq%wRm3ZX|tuu^)2bY+Cj6C z128cH_m8N5P78j1)d{C)_I@mT(OCM75!nLC@uvIEzNULji~i|f!%;JZDr#1@ z8y;?kkeL4qn0H(W0Q0Ckau!N-zmg35y+tbg8mlYZ0@%cm$U?Z>*2L7(A`sKS_3DI#dhplIj8Px@l#Ugvqwigk-Qbno>}VVyrGAl< zJ}(Pa{Gd1{eVIuC^iHx$cUh?e^>u`sWjE{2$Ik|Nx>>s9K4lyR{aYdrkDV{jcL+r- zhyh5P{$p+}O2dP8sRm^S@@+Kz0LFY?rAZv1VnUeTH%m;+`N>Fh|zyJ6ob9MUGj z-*!GR85Gl89W8wPg)7T+jc1}#o;EIXB;cz4wZPrs{=n*@#(kS*r8NNGSJfEP*OoGY2a6jJjd* zuglD~@k%vI@?l)T11xVGSNq*-fg~mCavh%C%xm(gHml(bW_=OgNFh?Wc;t6%4ha|A zEtFFYvaj(6l0{@7*&cdlEBVvjird-S>me=-YjkwKs;+UBo5jdT=gL!vRufv5~4I59eR|uBT-h1i{ z5V!+}zJ$=pMd^Pe6y}jikJ#R!XHJ&Rn`u{#$M9-!05*PJ{rG>04%N;MQ3?uG3dsf@ z=LwEI+h6(NtJ-s=zN*clZ{#RkiSm6_>wT{QNL0rjNBi2p9k{Cp2&OY8?0WMR)gg~x ztZ{7^P!vwEN}z{fKN;Y}V&ICQ9_*0<+#TKK3N6o!FP`_nRzmK@u0{vJAlIJ{SjS|| z6V>IOlLZ!nTxcJ#&7DzlswuX&22LpAz8*&BmrsCOfg2kUKtubxJPP5N5fDYvsHht zG&rQu?KPaB2Z6Se&GRAHqw3OEs~Qv(fXEFLQisw1e;HRlTx=A9{I$v?rTT+=oT2tz;TvT9;I943*~-ip_pzZKH2t zcpE*m5WTFwWp<(?gRP#4c6=8?qO}&-FLWI@X%v^cNU!e5hQhgED=T1ia5v(;TIPxd zo{KP|5IE!5qazJ78ZNg0WXc00rWiMl7XOQ?O$m)h610Ad=tbfkYa{1x*5c1yT)ZHyP!T=ne;LVsDT*Y7R4-;7@5HW2T}PsBZrZE_$y&XZQ0=G zI8x=aK(c^9WE31V{2$>*X>ImH)LA*8C$uF6Kvs*U{P~4pZ(x(((gJS0iO-f^2WSpB zfR7>|2YNsC5(0^hKf0+iw0 z|9vQf>~l9SNcr*#r~A#4k0H7lJd~1b8h+l+k{LPxYHe0cFJfePrq2jNy|NtK9O_@; z7F$I6G^*cc!0SF1?wXPo9-NUg?xU{IH;YhPGA`DMe zWAnQA=TzA&Ww+YWPvgUo>e;2Ny`f!G(9KH_8)rP|;YI$3=1PNVP9kxI-l}3QgC6FHn1I@?J@%>SI&z+i!A>1dXi-~OIVHhO_{DXil1xy;Q zZs}*i?7eMyYyg-s_)0t-f5JElKA!@L4~ zYl-xoD(NMcZz>FgY3n@hCoj*{1cwhgs=IjU1}{)0p+F3J=m{4yw~#iWKU})k^bd=1MrergY)~s1BqyRJ10Xu z4CtGH`7L-4tEl4-L(C* z^=ncSpapnli|9f3B7vQ<#XFU;@!4+M=?sGxw(Wwipl1Z|E(=53Fq?y(av$X)?7F%~_nUN|t95rL-0X&5Vg5nKna$z{IU)BxEFmjT>LEaPjD zhw02vqvp)x{5ES0S8G$6>Bco@3MQf{atmxbxq~P;?B_&3QlAJaq(t^~?GsT$G)t$d-&D~Dk1!vN?%ZbsnqSN)fr*8> zU4?aAk@SpR7}tUxzv>@$$rcPwHmRIkQX;xniUx0ahT~~;{{)Vp*P6?U09d-q!Bv77 zG=OI_!z8GEsftdIg0U$Y*TYuA(h%|32NL>Y40VNMyxtv_fvT5*{Y%RBxv?5P;8iaW z$u{`NUn~Lxr%fewVJU6d-D$?+m#ys!PCeY z_YuCs#9CDEWz_-H1u4P>!r-m4@F$*F3?DC_ROg0_FBZA%Au;O(FHWJNKQJeH%ny)q zm6i1pX%&6gzUts&GFr?pB=rqF<_!vwZtuIblNsc?W1a%uE*%}14 z`*THYjD9z~L3kCQ=3?;?cnzRR06Ja_yyjKM<#uIUBY{;)^P;&NPFZ!xaoL(F6U=!= zZ}E$$UW$-q)miz^%hVsn??pZ&yzGPJT{M8U?==95hF32Ho~d?7L->VZoC_I2At7Wy z^O^W&WSCfPJVs*l#nxtGWh|g$umA#(&37}bf!I1#W`MkS;Be2l-;kKsf#6aZsPL&o(ls{BJqUwhkl9YQNn{>qR0j8V-Ds zGDkIlKf#gcjf2RFFJI>0pJ|>mM=Cjy2g=xs!U6;G8$26KbL%nmXVc6Db>iEn0!*`~ zHnc6tso7%S%fvI>!|HjBO_&@_xQHe&^BM-~j$+z~d%=mhhXTswpnZnLh& zVwe*{Q)pTlF3UVk$^+nTa#>bpu*j4cp@?tToN7nROk@5!d9cgI2~7P*%bp;1kh4`r`9ryO8%zqufC+4ifPY(vEeOi@qR#ijRnY8tYYk=KklnnwGA!S!n=Esj|uPBlw zMo8HL$&4&O)x7f7;;pq^Iclp(QYiE&ubE5n{*jJ^dA}xwrOZPnPe)Xv{P6}0MFo!B z_*veGI3Znnk!}n(1!~5*Jni94NkL=4@GJY){%h_pG7uFBeUqCfe zFJPQ`_*m!L`gX*>K1+P$9ju+3& z_ge)1!Tqwx*!p*$p%AG-{P%QR#m3_z=3Z2S+(;cZWPyD(9w9CyOD4{aL11sLztlly z&@#}rlD6n&$XECcOidHdR;Cu!IQ!F|5~RZSidDnJ0JFxc8wQ)O@jh+-;GB}hC68LiDG3!J(isLNBnDkaR_U)8A}eHl-i-v{{PZ-;kI3kC@eK`= zLhhRNot!4CPZj<38F zzsCJz6DUZ~_}$Nxbrhzmq^}_rh$>hK_WS&pm?1L|Sp0kOGvIyOXQ4uF5PQVskf;^; z%t;y6!vL2E)}t9^fuFAvbWCaD+bTwcq6%zpFolpAI-^{Cn3#l!D}g8>AB2BJvf2?- zM@%AGVGS01xeP)Q`~b!-n+ER}NX*fo4Q|@?%66MkW>{OL%*m}L_1sTKNy>ljQ}oos z7C}J^$w>pThjL@2C0Hz~jezW1`%#WVh*mqk0t|ld4MmB(M75%W@AO8p`<`$hm#qjy zSJ52s{gQ_-O)&+qa`?xi>0$d8yY8}swS20N*A2tioGpAPBD0~o!mSr5d9nb5QB<(kt-M$t`wE6vH0t*gke6nB;a02WZN!z2tOd+T#y>4J}7CDWiLMB zMJ}1+x|iXKCdj6OV2323^uNy5i({(P@kC#Y$V5HjZ;(=UEyQA}-8a#A^00IhksT)` z{s*ec`#cKt39W<3;4tA)?AX)Z1tRVT-`K@8T5^vVvq%DB?c1W1&=v}liW4aMDS*T|4L@>s+3Q`a!UAxL2+&ky-ivzCHhh0 z^$l_UsPDNvTI(dSz}SWD0zU=a;E6HtG84$6pbA}Rw~9M=qz7tk;qr|YI8>qeyim`D zv`Jw$#ay^F#J?vh*N)7BTM7M6yGt)iXD<}y&g)4+KTY8>HLp1NDcZKp^~U83Zwi+7 zM+{F}*KEF~s*A}s$)#h4jyEfnJLSIxwrt{UCXaYOq+z)|t>qA7)YI}QcSBBK zJ19JajKa8#5RTr{#=la6d`98r%P$dd1^?WiB^S@ZO{pN{zr+_83!ILnIH-utDya!Q zuf>a`^Wb8*+87d@c9Ua$$WNpu`wKF{+*dumHK)pixlGEhkiVImda+|s1DL9i zSE4p)0sRS96pY&yGV?d6EGxq*pHRFJ$lxfOA}@@o2@JcQ*4Mnn<#hbaAC@t|T=_II zQ4u`&H%e$aMYbSBJ26`KBx_lvv;4Mm>` zj;2HLBw_V$OV4sMD(bNlAME#TwwnN5oAX-s?ds5Y)Ad@WxA=(>gjS*P$4f3IRs(q| zdN@2mrx=VtLczM8+8ixe1w7|_c)C?LyPRyWn!IXmvz^Zuj0f@SE_Q_9e2kK%ehI3MZxb3b-?sjx>9%yHx-}IT-YuHOJWEhOQH)zk=!gp`Pp+>Q zg{bCKSmH_0<&ynEMnf%I%hNPi zZl%|^z--Q@2Q^SVaRtZWxsr3YVd&mp=pcSmfs2!BcT{cEBb#OCw{$-=+70UNYeT^F z6Y}Ryy%x#F*iUtP=^;n@@=zK^e2eZpnYbf3mNRETwD3@bhg2vmf3WE2;Cpkrzbn3A zRk)TSspVg0K?H5-u=9uJk6{OQ%YcsqhT^!Rpru9}jS6lNGB^~)Sq`(5n*%OFFrnftD|7&u>LCuTJs-PDz zj0&q;t_y+xBm;>pnwWlrtw@7OztSfO$BdoN_^iQd8oAD$h{42Ebk^%MD4mL8Zb%4* zzMqu1E{noGuV~aE9fu%4j%p%#FFjqu+iP*lDZR(RGmN@Ag>z*~ox%s!Jq3l&m0pH) zrMe8(f~w-0~hGO~Soj`wDr~$*puEO4!Z`A)dw)Um;e>NsI&D)@dP) zNx}mP=axwXrkAGU)hw81Uju%$Txu+_znbaIrezEnc_a8yYJ5A%ZIDh)4)f=Sxnx>? zfMHspfgnD~tH28;>GL3SGx3@kvQm@U6-Ab5`K1VU>|S`--m3(69&41=ef|N$0VXNR zswhbc=Ae(%=bK7FFwfNf#HcfZT#}Q=D}#lt;3fZqk^a&xvv-*$xh@CBCWDi{lht$g zg4rOKZK$8y;BRsDkEB8gSVei!g#OoPdek>ci5IQX2?FWGBfTfB+1`pYa?&9eqpSu~ zsh4DodY7F?T{$ZB{>iEK=k;{rZ;Ar3Us^-ViW}ra6lsWLdLs!3zO7lXD^2WFup1bp zPPdpM5lcGC3gPAh``@4^7D(LwI_8PTa4qTT9zC5n-1D=Mj=%(2;mm#$MRwcBxc;M; zd|VRlNnSh+X{1bi5idRzK^}_GPA#6ejl>&>Cy2w6i0}i|=`udOh#Wjrn=pwG?TIir zA?#Ek14rkQ4U&l?rTxAx9aoW+z_vxNkxc)HGB|Cnz?5oL%le-duXCRZjXtWt2E~Z$ z^yCQn@A{R1Hl80UbyRg&v$;Vau3(+C&Q(qV{DZ!HcOJ^17)RX{#f8hmkiFw8RHF3f z8XC_S6KRFRhlvI2x{%ONZ)m}Sf1^h}K2AX#U!xMmKNsP9E@D(S(r;2X!WGShGU(J) z=T`0r@Fe}~y2}X)(AxJUQ|Y)PN7e!s1%XaNMxM5yxb%G+lJ{_@Y<3ACRNz_BdNy7g zSA>bQ<}3yVR<4C=fJKOr++YK7aAFNG?V1V8Q{_L`Wv&{CE!YLWU*!DhShmRv6_qGV z-0o3?sfQ;5gBpy3g7REZ#uTM=TuwNxjm{9}|C9o#W(9q+l4}EtM$UsTjeZ+aLLPmF zB9JaKf@Ak=DRHQRe5IhdWc&izcVkmIjE}9Zw;dg@gD-~*r`snb)BAygSt^((9ZfsQ zVSGJN-9y=hx+t+VlczeWEF+D*Lka`em*0{ZRjmX5t`6#DdzJ;3XpGILf3-1!E&j;Y z36)<=6zov+edKW#oDvr6Ao;$R1VX*Z?OyKDBeL#%@SYOT_9^&uBK&KIyzAFh4)vZA zJtRvf=CaNx$mn;tiUw!hpx~y!RVnJOSdatw#HaDYNJHu`R!GsN4#@Ge3i)|>m}$e& zKxm9~`0X#ID@`<#^@3>_S5JMf&7#Oon!k9mAs_iua_uB$4Bsb$Pz8XYq7FkCH4UDUiG#srG2a`EkZy404Qyj;LqS^vq3QsVMB0raheNslXFDq5O5t1pKu+r{|>(NGTaD2}{wY=%FLLDJu zerq~^rwJ>vP#wPj;owyNEuZkq1LXe;j0knu&3cJSL7yz4V5x!#ftso!jm_8=FKTYi zlL=COe>886&zb!t(KI>XxJmbsLcQzR1HEM@$7_-XKh$`9fAqZT2RP>szVLzNkU3_J5HX0FQ9BU_ z3|~4mC`~vGquCQ56C}&btVsf;k|2sOYfdLO#~C?BdI#uQfe#|t?L7*EOknsma%XrZ zu1$e{R(=o{nkoM zR^2Rv5?>#opeBe917D5_0=IiYJ1H|BS;&~kETHwVgWCpEwkc?J<6ww*_C4oP`zi@y zG+uAZ>pkp0c6ee>2ZbS%I+ytxUbVN;0={?Xn1B5dVhwqF2PLKyQ6ihZ>ON-OR1ECx zPxEVrcG2Ob2`X9tQ9eTvO}U_+tl~J_-Iq&~fMI7z6kpl*hCY^YqR3a{CAjPxt zRYcfLN_iAhIa19y&Kg22v09{H`abr9nT(8aWCC!9FG(o|&%`A^k#bRsrJL4vJszLc0_enE1$L(*9RO%i}q3)w0 zU}Qsjlt8YmSP>Y zPoH{9)<08p-toMcm@5r?{dGKFHCbrb&FxUvPm*GM6tzBqc3w)1Q1DlV7a6BT9ywrA zakXeyuK(NlS}4{)j_fE zzsVGEe@MaM+oDb~&QT&{r>@W-iW1Y2X2VFYNpBB)ICb?S6eU&*f5LLlp8HeE7)~>g zJvA-_*tO%Ar?Rm2=@KMWGU2G5Hzx`_rsJOk@mJRzV_jzmH#14hk440$cmt2`;GNqI zDa)HEnhTHj6MIhQ*H(!HR(8+)J4#==WP_sy1wC$v!s71Wc34uC%+5WQJx>R&-f%M6 z=TFFte=DDVrYo@=$sHpl^)e2p`HGqpl{3SrYH?LW>H2i!{b#_iQk7S`OhcnK_0heP z@*ZC7rX9KNO$K>6VfFXA#gUXfIY=Ppv2e*6)-Ya(9AzLL{YY9j*0xQ)_q{bs(GKH1 zY!-Zq3FQZqoq4I(!l5QWO>s|kVPwL7D73Qv;peHj3j2Sv-<$S3FE?#ml+*$r3OL#* z(VoTeSA|1f=@iTiiNbpoGn)B&yO5fa*@JMxRC=byn(4+%LR#8Gn`ZC&eOIArd;oAH z77n;l=VLt5wd@!B)Y(5uyX@cfg1deIMD()`TLprr^WgTMyYG44|HOOEFrogr`0r^z z$(1p0vk#<9!~lQQ$FncVTghd=+nmS$8*>9Y_CaTP+EWMza-6zCRXhO;aFqIv`kJ;y zw9%O=nk?S@MkCa>rj>&`I!pDZuirzZyv z*7qc|?K-}_Dir0?vF&dkTUuTIz_h)%3D*FmZS?L~cLDtU)Wc7Y{n;HU_w`hzJ&XPB zxAvW^`X!u5@evZoa_8R4uc%~H!^eM5odiGWH(Hh6d5BpID<9qY6F#lflBQJ=&_jM4 zHi#ca%-ODd#->Z*h3w0Zng|mz#^*`b*H~w?y0Dz@OoTTrcLblO4i{K|%CgmHqQApD zjF#QRz~<+|tS_GE_jF^R#}WLgC=yLj9bPyRZsM}FpwO=V3(@h$O_bfFJp}0|>AS5X zRHi3w*O+LE@XGAQt#U3?Z%3ZO=$u(P3Sab|c$O9T#BDjA1#Mu>HpKyk$A_Z_u{*z0 zf`FwuN{LMF&3k5x+KcPo3mw~fAC8xdB6HFYwWXIM#mt5Btbu%vn+RJT_Z zEQde3ZY^Mon3f9g{q-hEXMZc+aqzbXwpf1JtM!GG!AGFc(J#) zx1GxkQDugBw}!kcB^(~wJqvvvC&&XoyJa`kd>Ba*mX3oxrg*i6v{oG?Pf$52kTp6k ze7vpS?Gf@$@p&BHdG)e-q7mNc=c6dFpyy6rk2n*Znda_UOGa>C2nU z7hgj@!${6x4UVU*jmM(pZ`V7v`F9o#T6U`cBbHxlMQhboatoK+(8NN!ImYgIR@A~! z6Jf;L7C+PiwcQ^l$n53!zM62r+!po2d&6cFoBJr%?SNrq@%`@B_8QWLkoY=q4o;a^ z7_rG|O|z=OB=G1*wOl}7MxsTn=R5^^6iG^i#dNR5{JKex&el*ScOW;#tA~uTlL!CB zk2^OW`%QyqE^#6Ez};-v0G?N(N~A@kmNo1C z1i0x^aHZISa+s9eWmagDn#8&-GzS5 zohNKOd7joD{0h>Wd@i{|Sl~Y80w7P@m&=tt4l--DGacxZhM%PO7s#K{2)G_09B7vm zO2>Htw7rHA8p(zDgJ^pkOw}WOXoR?xRp;6;$My491QRAP)dMo#miaLD;z0%8A0JvI zNJ7isB6Cuk2=#^oekR~0+XJ;|{$P0%q-x@`H9LgsRXq@s!Vix z_nAfbnQ`c6MOXx*&058;h)*JVu7J6$IBzv>ccGp-U{RA9Z)78_wLQin5_FO+yG5!P zWHxOPY4tpaV)=WJN0xH;D~F#h&+jkzlfVi9B`c&4a}X*(HgW@X&Cw zWa2g|+qQAGEX{xbx#e>}GaU=`O4WA9et+o~uj5)XQX%6+4=(*vIu!)6GZf9I(o^HJ z3`PLjuLn0uQfr}%3ycFdW+6;RLHTJIE0^9C-D|>#hDe+m|0@;gv>c6`lM~p?-L3hQ z8wiik#euC6Z(1$b&F03}L4`%zkzH0f{hqyAr$r$V+^ZAJ+}sTB-H^-!<#I=?8xLfM zuyT=FxN3SZ&S?lp22&=Eal3DF-dZ}5)<%UbtCk3BZ#by_Z;s6NTr4*Koi85C715L6 zE!H{yXne)>dN{Ar+*W2y*#YOc&7qjD+^2 z71ssU9V8hyV{{GPZQmvafXH+r@jMK0jex75$f9zfw-%hOg9_2T+kLOoHv)H*r~?Zg zGKAeJo;hO?*Ez(qo0d!91qq*O+R1_Dq^lt5ZChx96$ zH8^jby4$H>Idi^jSF;ldo|8#s@?+*b-P_h8Ntg)YhTHDu%@R#JB`N~uf0`y9Bi4Wo z4sC3bXO(O9F$M^ujxF)&gxfZHm-AlzUilg_981dob2F=}VmYeJT&I@GN#e86PFYId zw^#GeQG?%`UEf)>>hNE+Gr*Aw-=nAZ{D2EpBqC*_mM67i*fha)VWnWDs;UQ~^;@J^ ziv~h`mw#aq!l*6Ze>!cl>}fs`Cwjp76E2=m{3@KHyX>}HJzqT_N6??(kI`(;-41C2 zy^{6O`b87Y8-+u%H-2RFBdOAzA8$Fu?BSMVJL8z=O1;|ksonhsZruoH70$m5uXpy( z)2Gr5%#Uq80#gw#;`s}!cBAjb05K(r^Y(CFB4eNv9uO_9FYw}TvUL5TB~^r@OAz}P zxlG%@zI@kWhCmH)ZA$UgsTZZDp)N}+(^83AD9{}6IRhwHDV2|5(?o&F?7zJ+`)_Z= zIdj8l7xGc_YGjD2i1?XKHL*$A3mSs`+v$K@PVUpx*Ius<^FAZh{F-50YO6; zuc)xQJ(`coj} z58U*RtYZ3wG3$EfHoGj3uAWUIXYS0D)vfLA?0DeLhVM?Bo0}5ArEBUQZUSU_$_!dY z*<+2>0FTS7dRFa3mW9*#u@?6HzYOG!$EC9*Wd-PxT<7lscAh} zoX!6@<>GD>BnIZh?Or|jf+KUM<0%JIMmR-=*0Iybg@lNcekNtE#vEQu)&(7aY_X`c z2`N-QY}V@{uc&l+H7i}0AKs_U!c)Op(t*D57;3fw}}B8BhhN zMx6in0<_kq)Nxsu7p6AH!}i??sD2SpB}QaK#J(eU=J}E%AMr++ZPwhdCHK!-!^+>n z9!Es>+?ir=k&$-qYV{p4!!0VutVx|~^;1?WbR9mf3V9sqi!w2lH2t)%B*eznn6~7O zZCG@y@<{ewpQ31q?|YZXmDIQCg6Aqg_UhfccLe&ZX>*w2+qe1o`PaZl8fJuVGjqLF1AG>?ATv<(CC5TnYebIK9U0?0i`J(*2-dDR zHs3O6@OvOX$PrGRxSKxRchG?x?1)U2*XDL<6GckE%Cqu^4rs9%kl*tyTL9zi z)scs9FK~I(wIM43c3w~Avx;eGXi`=I)ujLfR?DM)(Gj>BjK1Y+@DM1!WkACEmUQo1 zRxxwiCsE%T1B#YLl;1`Ln3$Da!e`nCLM&l8>~73w7qQ)=@2E>; z_)ba@Z58!22-(dH!~fV{rJ6PllnE>y9rc3+Q0{m|Y>j%Oc&8GM6!wowYt?0@w5Ez$ zWj5OVPTxkz6KVNzoFmHz7g6(HKreh2BwW+1Td5!TTv>*%>kJD4nQ zrGUjr7Qt91uE=QcVHZ!3M$9rGxn0BNwp#Gi%Kz9siY!ty0$2Rp&o~+d|LimZC5huf z)0iAQ?y%!#ysL?7y7(tTZraB#WOr?4&M1*~EsedERN2`04akcjltIZ+bH%EPMxGs? zKa)tYT@*;-Mb#&r7j#i6XwfJeCmSn)GK$g2_UKsb1X#MDUFuDi|w-NvddADoB)edh8bR1K4uLp2NZ9G9R54x zuyJs3vXmhZnu#RX_QLP03P2UKyehuTbaa+2vvvTd*YU>2h7MnLr6r(yrHrv%JL~!u z4b3SSlJ4$iGdMCGm~=(NU;xO7g)O0}ADC5SD1wonj_j5nfs^U`r3&wMH1&3#*%HP( zw2aL~4>w5Mk0S@AV;)j{h3A|?P#rSqLHJD&Mxo5G}f&i zqz+H2WGi^3QRci~D}|~MnV*=POA9uhHE~G7W`7IDW*zsTk)^{mNlNRxpp`8}+t3h& z(S;eD)V&)X8fqCBaeGhzU(nzA$Z%g{9DK3-Mh6}9yY+_n=}|!TJWlnT5x9)7*x*Ljr%Yp zmlgqQGcbJ*fclu)`g(h3e=pQ-7k>Z#J-x87P^LNRMu84OM>*ig7tLrBUTmjDjycet zk&zJzm^F@UWd_tp-k*SlT;{c5G%-6bcuxCl2nH3=$mwz^upij_%gm^+_GlVo(GKnH zt?r6vzM)Sv5L2=`i}w>#Tq}bu$rnkBtZrc>!7L3b4_K?>psII@EN3Z%AgY$iP*99~ zaqgZdpFW1CbX+%%1g+8<=HXhpd#gZVjAJBn*x{DUJKz8;86u|yAq)5Sq5C?(l$a}^ zY*Ld~h!YTI*5|I6CWXtS$WND{;6>sOpSSV0LJhO%@_1}?1J>j18i{J09x?#LT(|UYNogAkO1@+> zqNCK=Z40;~;HXoH813Nx`gUGRK1XTh3pvhE0v^uUQbc+{!*NW4L+^}HyAlY5CafSW zp`FabAL_H_xM=IxEa0;O4--TH2`&+I;Q}{Rc7*%9 zZh1)n87q$b+86(GT%l(`(uQbV){*-E{6Yx4*ADGx38SU*7N~nCjANY6iH(G^@y8lVZT>^R0WU-Z7?GqFr5%`}ZDBxZ{zaGXTEUfZB z_ZrB+FrL02r2st6XEDWr;4d+mdhA&569v|W)N%N>9-oB;5MRr8zXT*fH%H>zVn@gb z@7a|2SHlKA5Uo|$)Z+XftxY}aaaGch^8fsz_pHYs{fc(VR3zeoyPHK^R%^M>y@SgE zq=AwysI^^}vO~5W8y+3`{=EeS1G*sUMsWnTvi~C&^aQB(CYSjH$bbQp7I@4+fWDD9 z;j;5l03VqQH1TB%`X7y)q5?AInZZ>2#Ko_AunXLVkgvDc{;NVz7@=S?zg*=@;ZPvV z;qE!A>2We_q^~Nz;QfkmOJc@@RLLSOHqgcOU-im!zyWVCk`0LQerH`jH+YEXo@SfT z)r8$7e*d?Xii08!2m-d%ru{Gk_Fb1#zO`h&Ssey}Xn~yqY}S6he`?(TMhvP*Hpyo> zrzotIxg`w^_jxB!(ii{im}DZvh2PNBcqF zqzejyoyK4V;>JIk;nC0ZwngN;1@&`b4ZQh1tP4!L1n3)}#WO~STMeTV zoT?;CSS<+i|LN+=!=YT;IOQahEz+?}W1BHbj&4! zt#dGE$yFl1tBfYceplt`W_ zFqgTzhF!Ws9gEjcbIPD#cGhVWU561Tp| zpGzPlDl6iI5o9`-B)ylbe0BN>lhA_p+6W!;uz2v?$=@gIOL;t5XVYcWZVD1!c`&2$ z?PP}~u+K8xCHu%xK|u?R2&9}T6bRHJrBDBv5%?JhwZ9*dFakUNr!KYOrz2TC%vF~V z<~=#f_w>|x!Omd~lV$5BoHAhSgcLjJJC%~e*!}|QZ@nA;IEz_3jM7SSn_FtJFoxqS*tQ=&+!3=n;`G6E$UY_l#gqz(cey8S&7#+=7DrUSWH#Tx|=4(0i{cgZ71 zcCl-bXf$MTY32?8rSQX@WplBUG|zw4gPAXoJ@dgRFi;mk+A>6GB083327bE{Eoy4< z&urc8w!_w$S3Gl)YG5Op9=POqIZH9a-6c}nNa2^~Rgk2UN2)TPR(($Z(Uc3Am9ryX z&a=JPo_o`x!x;J|QJv7oW0GCzA-V1M50EzGAiKAnrW{)g`pKJPkAHtW8PPk0W|NoqmN zH6`r_tkhv&=W)ZvCX1GUurb`BIYG;=XNmT@_xWNFT2YZ-PvNFp**0i1G`fval8M!) zwYmIq)-fNN0JV-UIwyqwr09S6AVH|`xgMp;dpz2$IOaI8_s4GKrqXfif=ebS60!p+ zm&vU3r0y5&z@}>R!g|U#6B$$`-aLF|vap^A_e%RPzUM3R(dYbI@{jgQk9o?Eyw_H1 z?tTnb_xq()d?#;uRTkV?zOGKnmCd>6fmOe9d}3{Gg#2Q?lu@L|TE>hmj+pSt@S($9 zj~OmDyS&efOoBSVGrQh!+l*l2l_)Q-_uCEX_y9(Q5lC>6@vsSd!WN-8IN8xk?Rn)F z0^UTm#T%?{bc%$x)8Tfn)LDr&l~toP5+Qhc6))>2jv3rLDt;5(l3V^P7HdAsyMbuT zp%h)MzV460#wj3lf`heu1<$4wIfW-?I8_0*;W@*;o*#_6(rN_dcAgQ}#~Qs9CVKD@ zvD?)h^S;O7LkPx`Bg**twZFanf_nn^I%j`a=s#H8Boz9qdB2%jV!ZLUQeKci`8kQE zzaRnWyw8oA=EbZghI$^mW6Q8BK9DbZVZuK_)vcbqIqn<5@a}A-?j%1n8@$~zaLTX9 zF0=pXY1@}A+8L6vUI$1Ki#^1x0uaW^vJ}4d(y-_i!cOrLnl08TYnNWO0-?qQ;@LC% z8AgV3BBh?AF}bXuZ98y5|1ptyQPrpZtgf|;P%>YD0`-c;DV<+f?)xNw;8YVDMBT-8 zBvO%+;o~aCubWGj`_ezn4|T=afIB5D6;vwH-=2=Mu#EYL!4$$g4F*GJH5M+8rY!E+ z2q@2h88B%jcAkbvL5M+ZG(2I;G;jyiW_vn%Ud6_a(hRATO`sL-PhMl-j`a$-uzgzy z`k6jV)2rm#&7`b>tg@ipBiif5qZ?pZWD;Ab+@_29y>a9f`#MxiDuOA|vYaGSf|tT! zhg-3E8qtH!%N?k;BDPs@*KAo`V3#Nk=*5Y;ouOT$Fiun8{x{-7+f`Q}uRjwDvfJpg zUgoxZ7n8E7j`c~X_;~xNT#F-+bD+}wqr`^9>dU%%KJ)zSQUfR`u4ZQ-yWj4pO7t2M-asCS|wFpBn*<;FZP>#F)9OG!4IH^^a-gwYNeck+A~F$gKpM(uXX&{x=?aVTZ2JX diff --git a/versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP5/shared_advanced.drawio b/versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP5/shared_advanced.drawio deleted file mode 100644 index 6f96eca0..00000000 --- a/versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP5/shared_advanced.drawio +++ /dev/null @@ -1,187 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - \ No newline at end of file diff --git a/versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP5/shared_advanced.png b/versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP5/shared_advanced.png deleted file mode 100644 index da9899157d390e82e60b50211bfff24637e8dfb2..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 90372 zcmeFZ1zc45`ae#mNR5b~fG9Xh$k1I5N~s_z zp@@`p`2P$uqZqq)@4epr?e~AL>&u;U&Ybu>@qXSLzkm2CqP@GhfJB@>b z55d8~lO!Pmd)OLOJaKSzJ3QodJsf?k?HsId*!WJMKe6%h*gCs=u<^;U@q#}hRw8D? zB3y#zfUsZGYbnrE||Hnpg9kZfUu>72>2Q}$I;o+&f3n(5_298FAo)V8ggvmKF|;+#*|XnA>P={l-u3&EXzw3UTSPN5g&W##5>2QIZOI~X6gAh!VO0G~XNuBDxs zjhmSxxRM=4NM}rZHMvf?o;7nam*Lg)^yaZrP(@$I$qYQ|_C?@8PF&#mF&A<4QFJqN zu~h|&a{yPe^ugW=wG`A-TKb~*2#ai=#LHvjhP~a69h!E2nCruU=uzj{c-mQ7xnr(| z-sR!!?BHSN^6gFwXD25huW!C+=H}+?{q5JRogFZX#N5>dtmB)LP&+g&%p88)t7B*B zVT)OX0Os*f-&V4+v$4hA8ODP-;%J8bGG>Rnt(m2>H~ReTUE9)kb9M%&%5Piw2`dMb z@UU`0pQrFUN54G3+ZTKN;}bB7@G^7o#H>x#%)-{r3D_P=(C!|-*fqO3dpcQedkpXn zS#MiA4=YUpRI?Z1K2|O1#nV_6V49KZrdy4vlOrrw&Vx<-GS}eTkSX^ z%xlgkCEXMiy~WiIIIiLwJ()B!H{Z7+}kUl4Wyc!NELy@<1m2k>RHFZTma zjK1Et_W-+h-1py6v89>2?Y23f^!@vK{mv5PWfTiD zk#|^!;PxM|{})&XOyvKadGP;W9-6km(k;QNwNER6e}P*69bJ4Uk(xaEOPSR{$K^-qzc; zM9hX93RO^0w|z(swMf(!`ZhnoDGxI@8!O^?Uu z2Qv>lFAP9qaPenwg}DRV*=`$2u&9Yu3`S93fDwBMcV|yG3oFc7K&)S)%l8+;!Y5Ya z*lp~E&@%YpLfh#11+TXsa(mYw0IJZh)34A!rC%!_I}fy7Y@Y_UP*$;R2jKHpqd;w7 zZQ>g!{5i1wuGyevk2V`j6#4sF5-&DZ{=1gMDRYM!N`t#IDWSjZ(@?iCfRlp8_;{OSC!U79c zPyY&a!enGSkQ}QK0CfLHHS!;%F}ytAs|vII4^)K>#Q%<}K+5}l)cucS3uacr))v69 zzx6aWUOqt!VJma%Ut{t@fN*ZF24nNQSbn%ekl6UPGbm#r@ZS<724{8{{nvcqI{^9? z2>!{u>o1X{0PI^yeqq{wg(QE>yx?wjUS=Ms@(P+;V<_7WO#l0fR8aUIi}XLnt+DFd zVVysO#Xn1~|0(W;zRORz^-hw61)-fR35KzPzX{>~UVC4l1&bMfmT(L4eQO51*dUC( z(61xhFiaTv1xg3_{3V^@0X0Qz3ib1Z3QM?AWdzh`JrvzWpY^+h`_CB)24w%nh9V^L zoqn+~2&>;eYbe6Jus`6_yx;S*UuZTzCgOm;q5cEX|3Av!e%HGGJf9YVVQ4Kjqrqxm zM@Yo_@=kJr{Tf#P{|cdo{g^v{34}Zt<^12J*1teG0>a-?=%4WwVT}HED(9C_=pWM^ z^on-SlRu8F02ER6iGKzzx6ydJsDZ`e9UzM;gncb*Y;U2A_DkgpZsleN3hk&2_Kyo- zJA*U^*1myW3>^PWVl*GNC4=?Qe-(Q9u(>k!LRi1X`tYvE%EQ~)%^u_=C$a6HuMHur=D?#X zU>s)$8vLUI6iAD|G|_fep}_txeSlwCiuwfr4CCQNx0=5coOrRB_6|M4_%SfOQ&GPn z`$lE`;P1}n!PlJei>AJB+hHOnN=exI{y(RsFU5=RwS-O5|7KbOy|?eQ1mnX{i@!um zKW6qnL`n-!H?J=}$Q@zR!okel-40bk+EKUtUBmsGL?nUla{e#Hc5EQ|v&q2s^_U+n z^g9s=bj!?qfnQ+n=Ynb@xueAP^S+XRz<1dT#)-f7%+Xi;+VJ`3dO%n=+Y#=ZoWb*{ z$!PruqCf7@-2NVqoi#Yc$qdz*^Kb)04q%i5OwaIu!3%T))(H#E|G?pSJW%(>Vl~D% z{}2KGyg$2Hf$qMU`Sz#stW)g5R>@FIKbD z*|9La6Oys~2WvL}O3uRjV;cE`v;Wk;-GME8{85|NQUQ#jVEFR(moeMej@}nqj43@} zdG%LHjH*Il8S(F8$WHRhi$Tf13$9>eCWaHi1Tal7tit{*t_Whu)bCyBcW?znOfU(C zovQhY27l20#for;>th|<-NkI%f4@v7VJBfM(DO#92^lvVb0`SZ;4f;}ZpWvisGX>e z84s#O!)0yeXy*V{gE|LX-^|fv`yd}EyMfSQ<=|z7YS{g7?7Ra8 zAW%1Oa&~h>&FAbq?2Va2LLKKvKj`+;Iar}4W4ORtE$p1YAm2~UNAW@~48))gW7>?^ z%WogH0~1@Qxkc1*o*j?2ebB?r%*ovvJQViwsG%>+!vV5t`R(0zo^EbtVQ;ftMCbZW z=)3{|L@;9i?($wR!=7d3(V1zX*B1CCV^?pJc_@I@GU5UhIU@4r275 z7{RcDf!dJ}u>WtPBd95f2nz9;{i1j4H1=+u`p$Lh5 zr(Y~`{;`F6q2hJe2%RKFX>|9pW-Pzbz@jJ^(*0b#4MJ3Qz=)}+O{<_<0W z5Dfo+*8T%;q3rkrm;j0lU}P`wecA5M@|W*3gC8#RJAvq*Zw7uBM+MP!#$VM8}Ne}w)F2!A@gJE41bfnNC2BzVlkcnU#?Mq7aaJ7 z!2H>cKWO;E2I}8I84ykX+14Odpx;=>|0>oyTZ{jzSffWFv1IMPyg<$WGv4-}Y7O%L zSPlGvx9tG$|C-j|cW5d2hiLg{$(`W$FN6N^Wq%S$|=ZkpJH(g!6Z8*h{4O2-+H&~ks?X@~@DJYl#6%S|f?+xie=lbJ z<=sq-#`&=0>sSi>XF*-yyTT+*ED8Z&?|0gmX^f=~E<`lOFE&n&?_>blsvGb3pvDB{%kO6(L9KWD_YJTU z>Dw>dVhYndUUp_XrXvAHq9gCuft?@E{u-sfI~%zE_h)1GfZP3d3|eCQy;uOiR=9Qm z0PJU#Fzh}oYX2*(3VuvY^(P2`a;tAfTd_v6?Qj3cf}EVWtb8zowA-&km^*_XrUXC8 z34XQE0`)_J?qK5&-<;t3?!5_M59mkwoxxl1zJ&|w2h70lA2|T?1r*_DU5p(Q3@$s~ zJH?!|<5g75Fz65M3|^iehy>>4l`jM6Uw$u=|GQs3`q>;8w(P#M#`%4R_+Qa1){6e8 z*==+9#hMl1!7yMf7sHBsr_=r-)dIu+`g5&dFVNe|Ai`X8lN&>Utg`iOLgBcMUHN4vqAtdO( z!mJl1{Fj*HnWfTRX;__^_s4tnz(&eLLe{Aonmt?5jh)^kVb<`N;Zu-mD)v38c{DIR+E2JW_Vfo2JRXu zI4Y$_LU96hsvHXosS=#v?R{TCTT-%i;de)=FCsgbw(t6H-@O5WFN4G!&y^iIKi(GIYwS;<7`MM}c`!I$z`kb)+*Pjcp`+_aBk9IMyVPV~ z$?;=n?m|e9(@uN7?;?E^&-`dG_;YNUgny>(^Gv8wIltG({>Z7`{4BXhniX(L+eEQ_ zZ*#oVR)k6L<{srl&bkwn5)dn9-}$#PV^6PK;xUu${2X^ctfR``+v8)uNapAMGIz!n z{6|eC>-$Hm1J`-1o4Mjnrs>7JIP(n4%-?HVu3Z0Ep^yZ(eA}MROu;BfKv+BZJWG`sJflF~DRuEVxyyl- zv-RZk!Y(XlyKb8`KK}HsbEW|P5|L?A6Qq>Pf5$Fm)TqSiz%A7jx|8sN+|BjnQE+4H z{n={QWvc^L3(j^QvusQ5ZWXb4mTKF5cMq@4vzUY<>d9pk4E!YiOCRchv1r`4Jh@-O zkN+8+A%gW;$K7F;Lo71XmgINep*?TqvUDn0)Z$d{A)|5+dJ(t7r*Em)?SAv>zSW5b z)@`ka)BQh+&}v>3bbK9gvQxCcZS0h0{Mc2KAei%(=FL-KWP6UWXk^NbhqTw96E})n z;bZENT764vu`l9o{QOvp#q{gq$4Rg(MFhe;+qlZF*&Jq8PrzwhDf}DqWs#lc`Nu=z zwxParO?%t+>j@J-b9~=*=Mn+oBPCdaIeBcUzAI@|DQk|`xmci=g52BV7`-UtxgLZ1 zAl0sm7E?pw#pg-X(j^bPD^M4@5ihw$V)gVg%$-T#ETnpMoKbxBZNhk4wf*W$&1d*S z2R$AlbATI4za5UGh8R3_kV)pZYsF2&?S^pYArOJH*RC4-J=s4i!lcd#@yN*(+e6s2 zGB-N6wLYUr193>mgL8V!+$SXDqUPk#zQ?o4i__OFJIrvIOJ=wwH?LZb#Sf1L^7;VE zcu@9}8lq0vWDzexG~mA1up%eZ7jKSb47X}Ylz-pXJ@(ERff&u0 zqIq-QHp6tkVkjPA%*DsQu|-F=4NVj^TRy&sYtx=qbqH#Js9$Y9qe?x?4gk#gg_Z&O z@iG)@vk?gGaIfjt*QBk9#QAn-7?!zRO6rq&MZ9}IPA<)^r`D|mxr7y7)4b*g*F6x5 zGk3LQiqCczc+VIYFi|e-+K9VLsUzb$HzH3vQ;T#ZqpR>a2BqIKb|yXq6eSi6Fn_y?s~fI*Vv+<--GWBUq6s4y+0 zI;nsQ$F>Y!mJnhNE#i=?knaa}SWF3ITK6|nmXt%+e z1cryp1(kKkH5WG`jiNuK8Ainh?vY8JZ-n~S3U#qo~;ph z9)XDq;lSR8?wyHIJSIbJVR@G-6X2q($FP7SI;`ZQ!U&ndX9qb%y;QG!*1QyWx~&p+ zhD+P=OnQhaq7X?h>H$qsN4(1QHR4#17Urs4EB0G_&t7Ka(C5b7a8vmzJV%==!7xtb z;EGVbr)nbSwXEUS7O{Erz%pk0oNKO4*;Z-zY;xvzS$Vl+%OmQKigc3;fE#5z97)bc z2TmbUVLAwxeo?8#{#I%fXvRO%xvO>5q3>ba=)`r&Bt9Fp4}B%=hnw9`L+R@4>kC|l z>uqz6>lWbj<{6#ixSBNY!uznI`x0_iP@{P7J+MlIrj~WCL%2cn5?g7xzP-NFR`>|ps zx!tzg)cW1WHx*ej=ZJ1=-TBSVzBLJ!BpE15$EANB#DZ%7_JW^XU`JsvlR0hp4h{o%}+YvxBM~o#ZBduM(>AV=G}MCm?Fv*nFArj zluZ05KLQ}PxUUz_B=K5&d1W*{1?Fxn=JkPRRKo8Qw0di8O3D6#&zyOu5bf)*@NmXx zB@ks|OV>7+2Q{)3DER2ui?g8Dgq+h>`GU6sI@PZ6T6NR}e^zqzn(V0SGIOiB-Tdy! zIMDj}-_odYr4h0f+kq9BODZjp5?m=@>6MMrRqpE|8}lsA9k;HFD!>*EKy8Dqy&?;Nd>e${-@4Lxos+O6s(0#8H0(n#J*`R#9>O8>v zLm=%$mwQglHZwZY&uxT;{a>560 zeB{DYnm0d2{mKoHS*3JZmhU2EQ~ZoGjb3O_6(MLwvdD}N%+y@)-{yd zyY7V)Db02`)s)S2-Jv~o85(+B%$vbgBi~r!5RT7E8q9)dlK09HbtZSyeC^!i!n2KX z@OvgT0}*@Z{5c`)5X${hO(eMoJ+4IELF!g`aq(KW(%(cP1#Y;GHX}Lc$aCo%!YPFk znJP-jqEHW?`FjuFgd!^0=|Q5h@Q%O;=M5t+i1;UF;JdQ$*6U)urHZe{I@P6O4?{k* z&#*y7y*}8=;d34MkOg2<0UpCF#ROz2>C|5uI^9=dvGn1Uf=VeFUEkO{Cpxln7S%Ly z5m|VuuxoupNPhL&vHGwayUtr6!f_ocLY5|~rU>pclO>OJ%rNb{qnWJ$D3$7v2p2zu zW4{m~;XVyZc^yN-uytWaSMU6=tH{#52R97~oMKeq(U9;md z-4&J-hS15L=aLM=$BzPx$IkH93Q=&+J-z0;wLa%`jD4FLck?KOgu94AQ`#4r4_6yy zGt!P8qrW=L4W<9^roik(2ckZx+~XZW)bqVuYilHOC?z;9Os3ak$~^r;_(x^PX$T=? zx5kyW6rmIx7c$Cc?Q{?b1=teGM6iAUcFf+9(gWc&GbC=Jn<}LvCEHAn3Yj5Mg0I9C z`_Z5yk0c%wY1B}Pmu;&Ow|Yk5vt+9eAT%|mW$0rlwGjYtnaZW#i(9DuLx1tXId-U_ zyMRxMNWN)tLaT^l3h6>x;F6xZgp-5v$NsXm;?maA=@wR*VddBFIWD5Ip85B7AJFQW zQ)NLCGyxf@)>ruNaV8-fk0T)`=hLgR&=ek@Nb^@iunJP0(IFT~0ugmTzBWe7GOD#l z5Qry3l7K5FoX-Pr&(6Wm1=;ZHyrsGVl8nNjO}~Ec!9d%t+tl19)edO~0G%@qn3MPT z@bbC1`*`cV1j{_lY&GGajZ)uRfacsjeUnT(&(Q9-hOx(&@WmUi9yb}V{N%;uyD%>B zzD*~AI?&~#(VSKxof$A%-Qn#@+k{VT!vXFShlAf zXuWV9-OC`qy+2j`jk1X3K^aiPF94-gWYNyw~Uxmt5Z!%P7^{6KEOi?r10>s$K=xUxi0T`UcQ3BBc0$-c00H*A{fnah@%ST5v(M18k%UMjS#|< zq=o>nY64k#tj}$o{Io){Sr_#jLdyO_igEmjI8iwI_|MX%;y-V#w{NrwtwSJ$+|&!yDz;pthuDMiuRy+3JJO2cBIQYZE>SwVkHt zF%2n{YcODeLULpF#GxRloGrD8=ljd=u8zJgbf)3t=g@rSK zzwEJFq@4u(1uu|LAZVMvgsvPOqLry5WfJuuX}Nm*5nv8&8I{tZc;mCzMLo~Dmj=JR zq!^Rap)R#~9t4eHK)DFRBDkO+7MT%{Hq|GnOGawv>dU)iO?83@aNr=+XT|0NzIo^oLV1}Z>DYVi1;Zee`{ zW4Ww$MIYNWC`(DH17iZpr!TF zN68|Uj+>7+UD|~<_wicte3Tczyb${t*sv8RF{(?1-)yF`CZ#;hSFje+0Rbc7j@FiV0aK(t~7!h%7%ModPk zFDI-zYfG{1D zMk1(nt0S^5A|px$IXw59qAbCoj^7Z?WNTP~B@F9;45v;Be!j!p{%#>FNC-Fr?s9G? zYE&aA=IetGplxpC>{(-wEexMYJ*$E)^fUs9CzwMh|CI+XlK>Ffd^Gwf-e&g|5dd(T zZwoCRRq_r3R+DAjmV9LM8uNrdsy>!+zdAXaL>TqRms8(IV(Md))U(O*w*bKo1{h+& z6EfS;aC=|0v(=P&!^YLg!E>m!q4GGjkDlofD##Nmv_kc@oh1(;HA+<6eFP;nT_ed z_~;Mo9BI#(I!Qh2jY^NIWf{^jq-BLNRF{;jT$F-YGGIB3eDB-$Z>8+-UW$;uhYFSq z84PGgpbEWsa7Y*axcjK(QUp5#0w_t=<+*?r=9yfSY73DUa}rLB+-1kZMfng8-N_RW zO#M#k;E)nrH&4x<+prY=Qhhwb3=}+kE`eq3HM@HhyDT?67#+mTlWhJ##=A%y98xkz ze9R##Ty@e$T{z&S*|v+RBm~?5-)oJ;Vhy*ALYg2zl|=!8$WsFV*uOB9U-Pv4NiWCE zExFoo@R$K421Zy_gwW1zuc1~)zhQ4EJxCoRa5*K8VI+1?t=2;3piVZ`;L+qDC6s#Z zjP+Qe%XV@s+9)nGJUr~-`Fb7T)1Ig^&M1?mqC(lX`89qe%)`!-<1ItLI_9H2U$Ds4 zW}_Y<%HTTo5u|BLv$xeUc0kN)7cLc32VeIPxQ949uo~Dg2`Khq)Q3P7Bu_0%F@C^* zYs0rpG;BkgIs}e#mQy*oW#|k&Liz)V90&C6dx%)UT`s&(6(ISGI_egCF_IsoiO>d0 zds0H4F(6l)jv`2%XKgt#{BCHFAQJ*f%;~&3(Vl*Maeo~Gudr2O z6%sibV6=Yg(NwtSurpA#^-aMtaj3lYN*%^VkE~=cZO#p?GNnN#)9u`+` zynEoxZX>)3%CzQ>&OzY2Z@7@xFhUI>InN802saL#X*ELBi|y}@`f`5~g2UiYh@oH& zLlHrk30F7~x?s0m4y$IP8bo9U75}zk{n_}i%Eb;9an;w4I!fhr?I|$aM>P^LX2X2qY08EYP#J0+%kI1#4~T;sOa-A}C{b8^oxe|i zkZFsk?Y&NY#M}e;UBjCs2qEVIx%%^@u5D*)? znd--jOgLQksE?A>?!~%_kvgG#AG^Twa!qIP^qPW4fdf-@j6zPPbswJ4K$h`trhkze zz@J75++bSBlG$~{L5B|d%8OiVuRY#}UDIqfUEk7#{w9X69dMsqz=Zp}qseB3qUKH5 z#S2SQ2+JqGWf=^b(Zi5pfBhzh-~+~*aJEM2SNpojEO6E96G zj5MB{^;=l7?YJRet-=%=nMHiiXf4L4(8G6QCOFu<_44YipeC9!jp|dX9u$mtQ8(+= zvl}iPuWrhp2&yxX=o@*_M6TpF7&yrw2(fCZL6mhq8m`C+cX`_pbUEk_8I$T2kYA^+ zj~(d>zInJ=<$63`m~!LhE!Qa-ITE+k(EAf_095Pg_~zRV}wnQY7QM$NvqgD5xlz3;=)qhT?+r!h2mp$GAU|R z8aEXrc9Bh;f5dCaPe(=;H#@vpVADhPzAC<)#eP-Msa zLNf8-Z(-&u25)B9Z<5nX*fDLD29OH0>}@Xc<+wEUY65<<%blK1lJ?H&Y?;pTJ%x75 zFvIc{Mty<1*5jq7W9$LmZ(01j&PJU{|0sXuwD0q3dy~r34pW${eNVBA@1EQ%FiKmaOb@xxeJbN*j?kfd;?)C2G>~fcye$ka4RI3yw(iLR!DSnI zqRwVavXX!tT9R^`#7XYWkBNMch=f1?4f@GLv{iRS<9y3SF6cw&RfvJ$y{4`*4wsdo zpvqVGB?W`#4!mq03^o#A4ZRs0|M2n33T^ZKp<~d==F4mbyNlj;bc&aFj*7OXiT3QD zH6rJN%&0Jgd0!2TI%z>P+IojpLAbPB{0i6Q1EaT&%MJvDsdQ_c^B>+?*F;(@m#`8L z8l|0@Xph=6Ra2|u?={jPWMbBGK|pu)i4&(DKe>(CX2bu3W=nFBG7yt-(rih!hD~FY?19 zUhz1(>GF)AQEehZ!loC+>4)5VK8*Vtz&on$7!L1$={swqlFmaD!+~6<8r+I!=pvWe zFLieJm{ht*m_pm@45O>nsPYSehsG&0Qpz6n>+D?GLFGsEW#&NInQ=O@pI*uW))Q24 zm=&60;Ws&~cu`oxT=S|c!*%qBd8z=k9OD9^yYD(o+xh_N(l^(3B+E4wWVqQ9FVnwt{d^GE61#M_kqqy(|B77%*RO`ci-w zIrh<6G{?X`9<1_TZhreDq0ODk;9(=6(6gYHXa-1mX~3%6jhVrqb;kumkHt4qHq7UU zD0oMoT{=XpmL_i3_$&k$pNfv|0$43AsPbM#Mnt#0HA@NQgbt)j;io(5#m~eaXv!9g zOWMarHxjlX-*L}T$K67!Lg;LUTe0ZmfU_|DRINes%HplX9GKMys?m|lBca5FmUSwJ zPbNe1d+cc&)Dvc1fXYfl^1c1?EgCN)2CxgR?VK*QcRLRoTcP_Y?aG`;`A z-F(5?=O;|ET&J%Vx-NU`R*h7N5rhRgeh{NoG=F515@Vnp;6r%|?z7Tz>k$UiYWETt z5;lQqTI>}hXm#n<1WE8(J`Q=;nQgH;KQ>PFtYic9ACJt!ArYwc82@YhnHRbJ)io?3Fq8yzMp(kRu<`BI#X>q*-;r+CJ>o-qVq^h?bDm& zE}J!$Ko4_DBrWyg(jbjGVKT#4H&7WCg{beJ@5)Yyj71`$n{InP9T4v^6i_a? zA=3FMLwTmor^=VuqHQSl^ofBqYfi6K_Z#($xnfzG@wm78EEFlnxkzLModwsVV3TBk5n%eNhMO3sUu#5yZXYLsR)$E&!W8HsvZyBWCxK#b zBDc|50y$7KDX{BgKLoY4LbZ&ED487Izfp!4IS(>rDa7&;Cxa5c`HLGTt+f>6ndEP& zT$>$@mts(st@2xB4OEBK(ijCUw=??;;abG5fMJ4GdXZ{S*n&E@%t|2ir@L){BNlB8eennQS~%&dLgIO)qV2hQZ~Z})6HYJVGOxnPgj{_91cCRYW4D$sR$^DGLgb=vpAx~_rmwKXw`;LmyDj*RZHK%l@O~6 z%_62`vAER=msT9oR5`C6R!=Ir;ezK`!~FyGukI`H|RPqAXZnUX(5$# zUT|IFw~wzdQi`v*9F}>G^gCLqTQ08eIT^{t*ki6V`0QonL}^)dck#-6nM8$TLj~Uv z^QWm}J~us#yL@xY%3d!nI5KwJk(c-&>OuD;VbJ-4_k6g8?VD2eybWJH1Zz_8JANTd z5*vZQnK?a8Im8~q*fUtTDf)2H=n?f(M_8YpzI|IBuF@{kN;Xbzdm;Q#cBtCsio}Z> zfvuJ~ThqM@)QFLhFcXbDm)#%MKjP7_jq~CI5*<-cXQ6T1_DRIerA7BqMGEO;kNAwB ztVG?pE%C0qgZ$aMT+}TNXh?evh{8Q)*9}ZJ z;~J>#`>OREFCR02-4Ck|Z@(G9FMvu;6jW1bVYg=D_7gnn_Er*pT4~r6pf;>|!^f`c z_PS_LjmJSA!mzy9?wX@ttY1c92p1>jQYl`D_b8u}EE^dfSddn&*xnSdmT8{}w{{i;3L3(`o^sEc|@ILWsS)9`Ey`L!^{$rKM+XsqDLQ2D`^)%1|J`0Ci3gV- z0{RzhBO=ZL&z8UxPBf_NjsQM3*^z;NDv>jiLnjXj>hmujIx@b$aL&`NY7^-Q}*J%_sjrl%+8nlVfuqM5Lm9cj)Pv)5%o0w5$oCz zT+sJwNDtnM+}d0RrQ#2}yK7H?@{IiL8JsqgZN1dakb-7(Q}o^}z|AMSbN2S+o5X`A zttl9R(5((A6S=&Q`#F)zfG1$Z1&o3bqdJf6^AqAPQ4@gm^RvF@$1n&y zEj_$A-M2S^U6t3;e0>$4Qrz?&_2-R+_~eJ`v?o1M4SYzMxptYL zKTPhlJ;`3&8%vumU0JB_G)jSj+lmQ(EP5P;#f5~E7)~MmTkSr#$MGIi&bKIh$?#b4 zT$NBxK77}18v{a-hp4WHjnIT>$p{&!Dxn@)91LL%;~th^#jpY=0?3IBu7jv8Irz`wBa@$L9O^ke)ZSdC8~T` z3q(q=f_HWWeM!u}ROz5_Jd#koMu(|Qqt}mf1Qd#g$Zrp$YjXs|p}U6-oCqJOR7yoZ zF>0Bt90|M^r{5*%dA{xVv8J(^OF=T5=8*y<=(FKRYR~CsUpRh2^n%#9)LhlHix^2P z!7N9J%hhlW99v2xWrzfhnt_z^E>nt-XFbb%aSXlgc<+%mE>TM7dgyk}EEhkQx(b-m_0^HhzI0?Du_<~ajYDK4bs$SEO-I*zr zh0reX?ZXKeov$*wLOfr?iMvp`c(AD!7bgs7gWNPvjtwYuG__HB- zh|Dxk9xG3UY+r{fhR3=QzzGlU|FV|EGikt z_GSTL6AO-1d85gVqW%;Id&PaqD*T>ypX_reK-DyT0omPDRSHJH5-f3Um5KW>?hLAPojn+wzn6E~mh zcx}E{pXX(>w|0Th)ZPVYcn6IPIUyIr7?;jb?Hv4&`mi~Ak0!qZ(iAwKh2OLRdwSC3 zECK9kEPnt45w%AMJmArVNF;~42u_VIv9;h3H`JCQiIOFKQDHz63@mwc2t=48xaCab zVX`{pgcgVC`(&nY@pHU!p(G)R2x8n++=8cW@~@o&C5URBa9-hdyood)If!%OUOsby zlY@CG(WrD#N%N3X#!#E~E~4xdh&*{2+>j>-p-r#vP9LF4PIm6efxXk3k0wWoGYRA? zM|38zF3E@|db>#%egoH~#}B{#M6ebDk=|Bd8156BlZ_Zj?PeN<`YcZMIc24gBB3Fv zi2|XaeGR$x#^L%p59amtjAx$a7@6R8)RXNuu{7eSppzDwVm}g>uJe?4+#=GGmUi^G zty!u08=@wg$@0dO8&FZ7MNUGB{NkJBwCPqENl17`OBalT=zQ<^i#^f3)33uuZTeux zUT4GV$AlouIPGk$WSYX+~wYmEL2>$0~Z=hRdohk*qhhdPPI1KAAiSMFFWW^?l#*)zjlYu zuD6|=Yhi0cTjP_QH|^S`iosE5DTXsWChGSI`8asjN4qojADLOVq2VRUo)#QGpk>?adMwA-eHv_s%z;_TiNtX8MSFQ^MLY_2a zn%Bzdf5M*#-PkiVG`(f0r58MNg-bZWQyv;d_SyMaN&x-Er@Nk1u7(q@Cgx31!G*DnXK8v$ld(NYx#>i=)(r&k_E2``t<*-r0m=bt4 zet-^=J}qUpdv#;0GhRwMotvxBthZ#`lxglmEMsl1!OB8=i_+?3758LRvN~wKwH^Gt zy75s2FKYr!cTGK>T}hbi37^q$x>}RBMJc~v*{GPZG(5qVJ*(aBbxH1-x8m+h--cuK z!fw3AcXiuHq9%im8~J-p)D6BGcJ^!lb!M|A^MMQd*I8w#{V$xAK@+{RcpEi>_!84P zrme4AhBTRe^F0@rgES=y)ZvG$2(apA0C)13@vd#f+p5C~f( zO3JU@?Q?T1Jo9|Xw2z^=JG`Q=&T6TvkeV)P@BN!{pvA@G{*>NfFqjP0{@N@rsdEPX z(kRH$4(FEyZ#i@!Y$lIm2swn3g$k!64Wm9DNH!fTj8;n92x`49xm)VGNLbK`M`n#7 zA78FKQ7rXbU?M|AJUI%sTH6t1bdgif&0|W8^XaCrzn?IB9MgG^ zcYK+saunzwsxV6JXXZ4pf&)< zl7-|mzAKlT!f`GbRuwHOP`O`ibHPGKhl71{MB;O$WI~u@$NW&xZ2Yknp8TaE6XzE+ zGEPUh=9;F&r%(60QH;L%3_I3FoL}CZbEccVyO4QF3l3?$LRZXK9SRU3`NZkitK>+t z1i{;Vw+VMMtMC3H;t$<=YzB)I?#P^>z6E&$B)&LAbTarc=5V+R9^N z!z@}mB%8U;J9gjIC2$m7RJg*hco@1r*W6SqN?B&^)Vs>b)gGut@omkU!U{1dkx#p) z>buA8$Tu9jt(Cj`Yk_ZPK^4Ks0o^XJV6sO*U1IyVy zwWV+O95rT$HSmZj!YLXloQ7#mWSLSk2!-DAQs)&v@~B801k{t2J_2kr6E-UNxqCh~8Nq#i<4SUbT|o3+IIYDa z9m1^#q3~$erwqwpsKJzxaxDE{HDmjGL*H)EU@4K}p{IgE}#1fT!>w_Lohdk0> zk9wED4L{FF1yuTp5H0)CGI|GxFVv*UPe;kS3^g)aI|FWJHPcp?NMR52{7AN6vXt5R z;XUX6IM5E>Gacly2Lh^aEXoh}+jeJU?|ar0JJmY#7;%NaR)Kr?(Ap>{hQb^^h^;L4 z>uEvfI3=ZA7>+XebdW?@FLGSV*W0S{YSUGH?fLGUU;aY+(>@sF`KEFClI6nC45Uef zP=5TL2#@0cnPt$iaGgXj?e(N=4r=0eb{~BQc5ecG>rO+bYv8DLJSO==8Jzz zkg;eacOZA)ai)d(bIRSxiyGBrCrq67GBuvQspcP!)Gc3fr=5IqLjU^HCRW0`TZ_GC zb}>j0`p%Clg65f7U6iWr0Ft*^)#Q9=m00HBMVHa7qK#3bQja;I7;LXt=F?Hz_8v-(h^p<0@7-0Le*$<=hN z$uZ9H0q07N4APZ+L1TWGQ`o?FiF}x?R-)32HeZ{(>X7{Y(!Z%q6T0j0`I| z3`@F}r&-c}47}*!Z$)n1iZ4$<`PrjJ-$i`S^EP+~SnZvq`U*Lb*kM_A7S@`}h8*-|GZYbG`O_)aBX`)5mOdO*b%+yIZvfp?ho-vNVIOp}2z*(fj5;lRUu#4#mrWvZj)dc^NK@A;xDHPPMI#Qyj-P z43E3!)SooTAUk#9!9%0A&#(&f}S8?W%Sj&sB2LP#N0y{6pug$YWcY;_};*hC1{#ADM1E#(n9%kr~-NG#n{4A+gb3 z1*bZ$b2o0_dWyxT8@`jzGa~2VjT3p%4b>J8)T`K_(4c)So#htCJw7%m_qgovF$E|%C%c*YlD8ltYrYDEF8rcBnqCyHcbzou5q?7O2-cM(4D1R0v zib_)Uh+U(^tALqh1LVz!uOX*`#~9^$$T0+eRWUns)dUH8Bzk zq(AFWyxz1Z^H{NyB-yD*9pC-v=-RSUV5p&Yc}WdRP%I(nltV6pqc0P_7Z34a_N(3 zCn8B&<>R++xI-eHum-K>c%#2L#6EkQjg{V^s9zH-2&3mNGzSw(vpHG(jC$ZScCxx(x@PUq#zRCS@quE{r-h_-}l6vnP=wA z%tITGcP8(84+UbJ=Tt|M(PZTxnCT$)imtaS`yzFm~{mCpSQ) z5qjdkmjI`Sb2}U~(A4x{=djPus8NfDixLB5WDKok{D|K<9<huhkHZ=Y4pERC!2{;v4z})TqhLa zq^C3Y-j%`rIvW%R|GNQkdbm2B##{k8_QeN%QkxU<4Chn|w;)p>l)8uu`8;ZjzsPt_ zUpl5*59xJ)Fo#T*Nt5_u-{KE4eE(f~N?xdCQ$(V;-dkNWY5gckBZ}24U)q!ZrFnNSQ zxN$_bEmfew*eeTm=l?8ZZx!^mF>+Z0h~Uo{xpyRUg>r=3XmPIu;snx;zzOCjwG?O+ zstHGdv=31w4~hnr!%ZO98_d(c+0@UkK#noC1zl(U#oUO{WEGhwe7K_60&G3o$-Vz> zgAq|vT@-Yo`)##ziIM4rZ>l$pV-KnzIS2Wzrh>jA<#~{=CX*4e5L%Pib6be2=_H{k zY`*R(s~;U49uH~4RY;^N0(I#rrdbIUkf06|c3XagC2rm5?F?K^Fez}W(9iDn-${vv z6ADsIu=L_+sRu8&H7{1Fw?2}Cq+`SD*C4exaqHEFO~>OQPlzCw9VfRPpDK7HTp-D= zhje?B22~WdkuMUU%^@A_#3TtZ5m}2;b|G$NFk4PUAz|G`h|1>|i)Mze5fE@uBxTO^ zpU<)lLDx72X7i3>Jw7_8O*5_-M)dT1L;TEei^(8oOE~$2zpjFsXnYlXh+DNZFU~5| zlMG_<(%2GTp$alJDAZD%Lu}28{tDq~8$<;YSc{0Zf<9V^D`)kA^D~Dn)Z}vSJNev%^+j!h1N(P-7!g0ef zwAgZ7o=aJ#S=RMMOO7qYi@w!O_S+P8(oW(fjFVn3pY#pTSu_MtQ#amkl%j&eC0Wgo z{j@wRH*{0t(b)QXsX@>vNBKhwoS`^A^Xxc&y#1Cg}8K(kN z?Ldc#u3^_b zfG<-vr-OwGM-5!-FxhmTQiT7Ld>)XYz^SFq)u=ou;32`X?8e>dZe=^}V+S$X>gSYJ z)TQrr;-A8=U3GK*)K!;%hYn8msv@7-I}$a%OyqVvRXGZ;8FT zCa*gT+!%Vck^e_%6}WIU%$GTDn8hmd*y+VH;&zQT^Pz7UK2`a+5A(0iYF>5@Ud{^58unG>P@+NwC|B zJ3A=g%y;jCK4a(37|%b4D8!`%NG70{3-#dwm4B>q}fsx__M{a*H7doMU` zlfb>^%cgJVM(DVy(S?wJ5RvE$-WHW{3T(f(PxF7<2W1a;6_S(?Y>I+r6h8(Rte=Ax z1yQeVj&7KI>G+ho{rS~2ouKK764ezLe4Il}W<0N*OFtr3 z!4M+&)IK1o-WbPP9Gy{LV9NmcCK15T7}?)+lQKplVNS9T~a*e?&4= zwYZR*Ywg#l!iICGgxm!+?8{EDRWSoJ>BXKzH{N4Ig1tIK)8Ugnrbye|qNJCsu@fW; zT97H6kA!Swy+PR@}Rhy-T z)*S~j_WHzH2dHe=K(e=P_DG{Cm|MPE-s{h7=X)XLn)0DuKBcV6UJK%6=dkQ2B^!`P zb4a$==Ho9-`F@WdJNE4V9OVG6)ETT=mN4a#7+wj$E!iN0$TiofJ-hWuFJP+U^8KIG z2$r0qO;VT3H4z-dXuV1CC$*5pv2VNG_g}fKSg?uJ9p8Ih;w^!ug5+chbu?U1xYWwJ zd)wOb^y|j5GAcmY(1R$U(ioFTHT>%dRONd8&jYOa%~tz&C&B~RQs0s^RT%V-s-I}f zCUH`Bz9L`bg!~k6iP&I5AhJw3s(nECG=9+(Z`#8|k^sa{dCb}wf^Y+RVNh@Lub~&L z)9%~k{bWTLBK&Ag16kAY>I7N%s|UR~amf74AZJO>*M=a*WY!Pvw@W`W2rKYia}XyP zSB2Ez7Qc_q${U>gXn`S7+2DncK;mu}WLpfOz>V_8uSUaPO`~;lOpwbs)?3s(V~o&Z z0kra@F)z*{t7*s)Q^w{FNBEH8T{8$-{fr4@kqlzG!g8k(^$x1gDsSq!Yi#a(!IsD4 zFfhyC2E)WOhPxQJ=KqpofQhlme4-T7{)}KThFd+h^IrCbvl#+$l+zixVnBQyyG2vl z|1J*>D{QeOmLnooP^Ro)OzxY!amTXRUdN(5xb&cZRLH*(g+gtkMjv`Mq3bB7?m!e+wIE5& z9v_>Pr8C8sZ}!O`HCHpfw~xKOrJ^{zGftwSs4#IAzgLcK%g1{~?t=sIgBGEcW{{)* z;R!x^5^=xxH*VkjA8y~q!8s1pQ{UdUCnfIgGxWN_#);;Gd^PjH1bUYHM#P3Re6qffsPD zsN~E^^C|X4icuUCTp7bX#|`*^U)5Rc$@)b`XzY!_(+mf%;&E#UHUzY?YRO*Mt%P1GGnB$q6enTquiO$4^n2Ctw z`|IyDh27wXei<7~X$l>Wjz76-IT{@@J((V#6&)*C`C+BJ*ol16d4s~vSsynWt5BLV z{#7Wz6BBC$$Ti`n`Zl^8CW9Mnc7u*10k?Df{-cslF-nSxRfEu%7=ZVF#^e)fnlc1H z9F`cvSdQ0+24QB3J1{h9R&g;S6+T%8m0vydwJgXW5SXlq4NMLXKN@%{Izvm+qLm22 zCl(Zyeb>01Iu>~qAH!%kxnDWbK}vGy)j^p3_E`dMPDGy{Rbyns2gzy*GR-fWc1>-k zgo_0ZCB?;cMdikeZEZp|(S{TqVqVOArW?ybh;LUL3$emf_+!l3tu$w4zPOEz&a`X| zrdsj^)C1*Vrb$hGzU|yZku^gptBsOg>Jpp(J`*?ocP50X7Zn?xadVNIAR~lW_~zMr zBiSk51mnGK-3h*OqbPJp|5X#H&4ZyS1hds2&;uolCs!$AN`{FqQXxaomU0QBpOtx z>^u>f`nVa`J@@_Jp7&}&1JF&iq2*yxpz>wyNkBH_JZw0UpJL5tujC-s;~=oI*$(k- zHa|e2qRp;OXoYZXYw*h^vgoAsDcZ$@l%!*A92a@W*uBYO%{;mO1k?JX30FCLr-0DT z)Yi$tE5vN<8s_SDwd@yVe|7?|J#<*lCsUO}#MEq+EeFC0$2yo0Fa5kOBIo&}1!{bE z$l9^{^vhDga_q{d=FS?USC$(1ov0{^n~5V=?T>|3F+E zJB}&G+RR`u6oiWzt^U~m-mu?p6Y2jxDa+QoY5~F(I>6o57Wo_PI8(#Io;-l1{#N>U z(&2VJ$(STM``}7UY$^E|b^@i}e{FsHb3^YbXe=Um+EzZr*9(`)mec8}q4yW=Y=~UTBI9Z``pU z^;X@!b?H{|kB3sZ^1rO_$P{YOAH8y&Dd4RR=t@iInv{10b*JC)hj~y83XxnJFvO$g5^Hs>j6>Vuwz}JnqrYAW0D%m5+^+Z`T9{w( z;9Sj5GIxd&$<9*H-cojCH%Onw@)AdY9=!I}C*S7lafZ_!4$pZ8&B~5VC0RwEvv|v* z;%1@=-Oswx?=wc;t;&2k_I;8NbK#1DaGkrzGEKuto>5(cFfC8cN{|SZqRXzrOZz?s)Ow>8p(1t_!Y_(O0Q+;`2Pd=RS(CvzaF)!8HQc z0!nnxB89HXTH<*Qyhs%Ncp*3A=N?l(zhz*^Wzw(|7F+0206#GBwq95y{P<+ z?VPUU{zL%-Wj1N7jysHjVy^XSprk&UJfT$tu1BRL-keMT#P*imEXPt_En6jT?Q<2a zUIUbfBo4*?bu{l{L+zkr^s80jVtH4SA4EmK~)InigG&p=a7BvBJz=fnQIY)*Sbj+?6h*)BIBN) zm}Jv3b#R8*eS)&HelEAZL1<5ldL1_7 zD*)xVq*!DdLFn2kqRVVi4E{UCB{!gSS<5G6`+O%Ux0uZaWC{63mB!?@t{V>4271;8 zP$>4jT1@IJjRt!$q=Sz}P zqG|FLu-vvA|9`}__?Y|hHP)+UWpx{k588f=^#rV?#g5mRD0R)JpC{vCiiE;38}kFy zCgy@Yo!mAj4hm7uOD-(=ZKX2#2G%j)0e%25$*n# z&|Pr0BL;41aek8QF@%24S{vG!dAX~?zr91qYWL&vZ2H!mXj>~tS85FonLZu>F;pvH z)l9++ltE?vMtC0KvLudJ9ZL{lFUf|2$5dIbHIECeT=uXuYF7SH=jeBcadvd9dxy%Y zTL`NKtB+1;bi~-(IgqgtG33`;Djs1{{DJ&X@_hS?pSUMG~ElR{^?RV73Kb< zH(5|dq-jiqOEZVE_FWME-h3b(tNSUNCMl-sf+c1!jk-SQ*KOIOaXf#b1plG2-mea< zIK;5xkwleo7f+qw=3o3i&J#4CV}NSA=BGNh0SVXnu|#Qf-!p=h>4_ENBPwCG@QePh zgTzsF0g7Z>SD|VY%qsm*V$`Sid``3X&aH4r9Qc#69++DH$h1CTi zC@43l=joBTlpdEJ-M`dBTViyNP;^M`U5hdluX=s98oQy3uWvkf3fX8h+!mv#`>3Q; zU1d#(XYAU3QS?^0hhZT>-ADt+Hss^$uV}@&;Fzn|1N5lv{OIFeM~dQ=2QtF#F3_q@ z4Bvpjd0H2aAX85VdP0~5&r8Y=`h_NlN#<(?A0~B0$4hEWl=evkJmXhMcJY!91K5>N zg*KW(MMisJPf(KA)KMyBkHz!uE8G737N-|q1dV+7%kFa2&R(n7xIK$kURk21X%q!> ztOH{fhhhY@(x|@Mx$Mq8&9#qRSA;CvqH?uvahNpx68T!KdvyBdJH4ng^sMcK@M~6W zti~P>!-THTxfZ>&J5fURrR2jef_-&z19e^tF$jE>)=-OjzxUFhm=^ks;2?<$fp8rH zmHH|!wCpMgzb4vM=-_;oME6X)VoE^OuW^je5K>oYLCd)57CXz!ZThc~T0|_xTw^)Sj=QkGvc*fi$$4jp!+I)y{7|FSWcXqb%J#JvHmnAZF zX@_hmsBa*6t7}ZPjotvEkK>^e#yIxr?r4+ft!?^`Vdtl+m1312**FN6LEGe!L;FxW z#W=p0QkMmx0KPAJmB+T?U7fdCZa&grrc#=y^$xRto^|oH%((3Z*V&_spKm-!4CMc! z3WJA8A1FT0)+}*)&apP#ltG0O|7s{%&uPQlU$_6Z9PtZzl{295^~(Th>yLFiM~5@w z`wSmnZs&A(lI(tdL?)Am5 z@V?4FE*d*=jcA|sadv~M#J|Dlc2ZSuDTF`8-x(jE;Lzph_|ZRjMgNH<6-||aa!Sj! z`X#N7SMx$Y8{xej4_wM<;ABrN#qLtc%{DRHRXhXj!e+#8JDNXn-RK29-cqHt`8X-f z1>vj$KOqauXQORSn+uJsCf@d#^2DAM&=GMkH^XtfIm}45XdU0~ali?2$2(l_icxW2 zRqcz;0bQ+rRE4jCevx>SB-lUC;Kblvsfsnr*+8S&10P)TA>--z@hcc$L=ptc_){hL9Y zLnN;2)(0bP^MPU(JnfJlMS@0tV(u8wXaS_gNd01e>WMm7FV6;aJfW)LAdsC#Z~?ProXz=CtD@FwaB@x_GMj{8kGL?-%02 z>y-wyA%3HeymN{_Q)Q^-eED+YL9Ew6fBn+SN;|~buD#W1hxf(}vaM^-Y~fRPC?@N` zOvLS**ei>xQ^urOg2uOO1#iErvayv)=hD7CG_NSN|4c(4t%!)I!# zp+%q+M9~LCM4Jp#6n5flD@btfVq8BriP|MZz-z&c_XrE>vPa36Cn=^tJ@U3y;$o$$ zyu2wFJ&_An9_-^5xaj(~xd{&(V38^B;Zwp^bhgM`z4|B&#$ZGM|Ds_b_BWqEY6PM!5jt>Bk3Ow^{*WmQN=%r|i`Uekx=>+DeayXzM> z$V_D4;5_r+zgsj1Fosl}m4=;&pGeX$4*4<#cGZ9;$?s{kDPBcCG)ZQ?qVlO|u^l!N|k{d!d9 zy*MfHG}1o<5eaVt{~dgd7~=oW+u2Im&W=`(L|=FDI0aEyJ)#Nkzs;dY>fv{ej}Bb^z4^L6G)y1JO2nbWCy6~mD&54b|W{^Xp> zx+Lz)+g_wi6w+(+jX0SPJ(r&!!!-czh^v=gaGR&sj2b+l<-k_cCHT2_ zzKlf3WFWse`=5o$VZg3pvJ`1_8ZqYQ+b^PCt6XqCQ%dJI756yc%+)e|r4{%=`|HV( zcOyhTI9&ECn&ECqG@y}wkUtu|HePmZ#?LwNUX_IH`{no3cMyO%WU=tbPxUF7W1#z3hP!#B@F4=Rql5_!b2j-obbqu^7p!IVeR_*80)C-c90w zi-nB%w(*}(9H~u8z6-3Ba?2x6(7W%bQy5Q%S)YBx5nZZSPCzeVlS3I99KEYXqS6~9 zxV^LAR}m7bYx~V+1Ksjq6V<9=v2)tl`aRxtD17gic=y)ZVI3#S0fxJghjDk;&|Mj7 zH*D9AN{|8I)EyWj)+;{Vl!&O1aLZDT@N-}OdpK2<(NU#VonKYoanAW*>|Wc{q1Ix` z1#XMdmK48z{N;LXaO@pisqv|R7sXfrf;(``a1b-`2lp0xO2D`I1!!H~b8 z>*7I(NXtgV52%e=FL~RT_wcNw$3%&V+S88>$alj?_C%|DgCwO-Gt-J=Z~9WsRS(`y z+Hm-zCI)~CiOZEIjkYP$deG`FfK+thSEZn5{`9FQto5wYvNI@?3?JvA%7+?G9*$KF zqOTG)k)(Ze6E5mH`i)Ow+V#HJ{`$;3k}8UKTfCCHf!3w9HokwZZxlyx)2zfRQFZy3 zevzKc7pu$gdJ9R1eK?%ogiP?8DSGfxx(c`Pti*8sln4A0yvxnCpeOHuE3NWj%lNT& zf&UKvA2BX=0%9xxPY6YeUzj(Jim)8q0N}c8Dw)IK1-$f^wqRbugTfaELWgEd3q4`6 z2G8@RgU4A-&R;Qn>Tn>L=NK26g`>Rl0FJ-oAdw7-7khwE&l;SWKK zdXvi=mTQDE1N|>>NgW0IqZdiHO*i6CWe)8gj0L^2*b1j(7oI40pu2upAkE>;kjwHe=sJ*?ygVY}^`rtv@s-UYz3dXAMjy zPxkY&?fo6Sq_u0XY+>^ut3YqNH%yWz7Ejs&p0~C%3}J@p@JVNW_%6q3*oG)SZ{WsU zg_|@u^rd{47xCLRhHhSs0?09*OgTTS3AA;z^kC& z++5Wux19@v<&AWrGa>uJb_2+gHLFg6bY+z4axoWd-%9Au-dmUcUf}D?6GnNcoWWwm z(+t^9#F%%NVV023cx_MXY*s!0m>@PPU`XpwT>W<3J$xpJRY@Mr#F41z{+p((x>jx_ z2YTiASchN!F+TBX=;(-Oj-5iGi|=0{*~|J+P6!?ZT<~F%vgIX4#o3-vqqS|X=|4kA zjr%8DWa09JE=6v_ zibPw1aYZi?uL5iPOc56UHijaR^Eb#4!QrNgt3}C%>{B+qO9yo}lVu)EG)1k$zFhoX2je zMLQtiT*!3RKivB~t#m%}ZmV6#EF$>)2Xp)0>OiK+{7AZB=cLjgvPArHcQ}AO_>@iv z2d)?D9ExT=F??+9wMGIypwE7$f~!;NVs%L zfsP$6xM85|7#r$jGfO4Le0ys@e%g1Rq)`5D#An|Z10G+zPI5UVgM6L2FEclP6<4V` zzAxe&!)w~Kjy~Xjw$x*TKZ(zh%mKfj;Gi^nBbi?84hOPOPIXf=+Vk^}RxnXWit2kU zYi$Ke61r1HExJ+V?RC4H9{pd9W+n*xlkq!FK;)dXi=Sntsb7j8w5@hoWc&vwp2R2w zN847ugbVC?s>QlLvo?4{)iEuhaBf2_GT^5F5EcA$_u}((?%4MBtCmr+(FV~cZO7Y< zsZn#YC-vjQR>~@GbJrMNpr*x}2iwg&1`p4l1!>p|kP|HYR6#gBP~A!2zsQKHSEoJt zel_|EZ?g5qXJ6y4Tlq(4k5X7s-Rif@yU%ss)oR<6jK|PgfrEr*BIeRFW8G1hIreR2 z!uyo-S0#Rc!Z_e5taEDP-OTi#r19MH-}e@-Oih$HY^s+`w*+1@6f{G#F7za>YfaUd z_cjk()d%$XjN`hRx|CR!3coNsHw}3~?SKewWmPE*#>Z?vsXg2xLJ#|ZW}G=!8)nAG z{inT-E;rbp>Q#l?mW-3oS-k?INg^8W@q5OdJ1ywIMg9^YM;`rW*OQVIkWmqrp}u@{ zG2Z7?0XwqLNHy&Qcmi&8LaFAE!GH^7 zgeR&yjMX8V*DZQEcw6J!%-2}_my+B8nZ^iMQYt?UD-~Og?FrKtVXE|H8^# z{*;re0m()yi()r!wCMO_<})FS8&6A63lfHACF-D$VBVxaq;Gg^s$>{@JtDaAJ71Dl ze)Yjf1Ip=Mk_Q+}uL9Jmic~r-`AqAP$=jkY1PRgkf9*UqS1PJxy60|{v1GmAT50hk zxlhijDk)-59#Yx#8uNSX4dQtofxLSi=g1$9{pw zyFaghAWUSvI}6*+LDjVbS;k2YJ3e>5s01wx8X8ogU+nw&#S zFCYHmrfO+47ISJv{NwB3d;tCj@VVxcp5ut(Q1gr{zfgtiQOE1>yo&4`{iC``*m{wD z$P)B$rjk9bs!nku7fgdIEiUNWqY3{anUOyaY4ZGjX!T3Bog=O$PwLHdBI)OXJ58Uqz{G*V~P1hEe_9e%xLg3u?Nc$TW%Z!|o&^z|P_ z1$1q(H$ZICY7E}d0`MT*>XlpjZ1CKN2UJ|tY5uZkUS3YKa4JOGOgCw8S6B>GfaFqlVnZ z-Nr$|6<`oMoFlxrO}R1#URsiC7kEjd3l%onE;1A0pAM*OaE7Xz_0+uciu>O{^{{QX zgg~y?INatw>Koo7F52>&r22x9Rid%QaUdszi>nF0^FD(}dfXm_59f$rQ4IY8B3Egl zw6K8#61$JjcN891cR@bljPvl7Lz3`P8G98W_zyd5JI2Ix9mHAg%2eT$ zKGyWPpnbm-`2nxvbIrc^gHwI{UWIj+ykj3LSj<|1v!iN9PZk_c+nb}WjmJX$LxvB8 z0n+x+&wKw@lKY75r>X#^CF8s`Pwxwyo)5V8k*ECP1)2U~k zrBx`LLMh*ds7fY-&oSJzAW~WDM75^+QqSe%cDL+_-*OAGZirdtPiGIet$Hq+k>j(ekmTLU-QHy^ zDZUPM;Hr#l+N`>5d8?msmEm8F6+TU*Oh+=K?aYH7cr&WGAJ5}JPNJcgrm5A5e2=FP z#!FmG0rkc?B4X1wU3I&(`O(MR)J{Y`#Kyp zwmDYuJNCcf4xf=Pcc3qrEs775%6EsU{V4dbB)7mE_W6ifE-~11Wk%b)Gx&m`uS@ay z$k}$mX0*bBAUgNr6aCtVrJ4ay7Jr%PnkPI%wY^VP118q&obahoj!3HQXLk14kJr+@ z6%Q_$e$b;8Ed>`YD0}kC?lq*Me3<7UPM)Dh3@OD}&!KoZt9al|@0m1|Js>F$!xSXeA5zss{WV|^>bOLRwo55@6E|@E;OxN zZB_%(>_e5=FkC5IbW3LWWqbvGXLdhc=MX%>hZQb{I8GO=VUQX3Nt#|$h#Stk`+okV zZu8DNt+!=N6Uyk(VGxu=gkP~KhxW5l7lcv+jl%Uq?R!;ankQGms;X+!A?y2HxU*iF z;R2t#uF~YfPm(8>gQ*^{l{mdCP0Nw?`92!bRQUmy*Q20!s@6)k%ExWzc}R_HyGZC7 zG$%LL=3`U6@iTjI+Sle$;8-RUZ7#I4Hu8@3eXXualRh{XDIQkPZ>Ws&v)I&q6l`%l zPn?RjS)k7SXHeU{I|K8J*LsLBLk5iXuft@reyX^x1aG~&O162GtW)PZGM!5!^ffB@ zEaF3kwhoy3$cW89MiwP(UyMZ#hzPS zyOJBC^E6RCf_>(BqmNn_6I`-u*iA0aY+g8`Jf`x^e}@@~=NvqEA`bUSF-bq4)CI93 zzKZKA!dJ{4*^CN5)@`^ZZf|>v)l4dns8k3vk@MMx6e*Vg{kBxbQ2*9AFn;<^!L2jUJapLML*Dg<-`&$piC{Ae2Vucu7d za}=_kiHIXJuO)xx$$nItO2cPkV>42~O|9B~4`vc`&GF2vOkd6l-&G!zE%}lU1YJ-| zTaKQ1{+Rl9))N|s`hfjQI${=&wTC5~=H_`ywVic;3|;FUNxyeFpDKD%<>6^$#g#K7 zry#h)4Y`mL&k@NpN8SyFkXMgcXiaHn^h0z=LR{xsZp@lDIDU|IZu)N zu-FXahpUk@^`+sd)mwiGPJ2Kse{ zdoi!&c7mzHZJQTemu%G@gSeet*6j6fSNAp;NRXNrGlOWpa_XGPA|nt(3&i*#3nkT@ znpu~^LphI~x#5w_v2o%oVsjeLP_uhRuauUSqp8LE1>nT}!;*gj7T7uPC}7cGWC5zA zScG-{E<)}={_d_o_xVwHQtstahgsUSiPqQ=(-Zd>dU+t7qSMY}+~h)&s!j1r$o}RV zo$L2YFR6S*DsG}AIIWe?(^Pyq;a#@uev|Tz3HY;Hb`=S}Bodo$b@Ptb4DoA}M?W?x z&D3HB=J4bS`3FBxKRICZF}U6-Yw^s7hB@CKwjtDD|GIQSNXJJ=?e!b+`n}argkD+Y zg+tLT5uH4^((nb1aiT^P7ZK|MaBu(aK@J2sK-Vrb2t^@vO72{_4V-}^uYYz23y;5n zzwGZv{RPLsR~JRqB>$_QMWlc4-%aq2@JX*LZ@Xd#9A8ODv+*hq8+iWd}67hw;4G=6=3Q=}v99`PRlm4hw?_eN{ZN8rm?w?JL5kOYUGyttf;=6tQ~ z;(tDGjhn#T3jkq>-5)?m?RG)ML_>fNFNeUoBsqWOUp$C)A*6nf;PT%Q^q6E?Sillx zZw}esPtO1J|DL4({UqPtC%wMyzB7g;uBIEiPI~SA4`qX+XRm`50BocP3x-t(-0aqK z+)eFvG+~J$(&UlH+*_=6!upcqZ&OoI zYmYB|GYN&YC)g|1KM6c||4_H}N=t5bOAqg9c@l<2L!gF1oNbE<$RYz3Lcel+4zOkK z%D-ZmxH+!^SdKgV_ddT4evw$fc?*}Aw|F!0X201g!@lAoF*@iC@26v@l-Z;E3YRaL zDe9FNYTE9g6-9A)tlvQU2L=v)d`Q=blu-Wi`qdymO^?wrSqI4oraxLT3-taka5eZJ^Pa?w6`Ke*hP<-7d}ICO}72x)Y~u<#`C z43h#p+g-e{Hw)Bhr9vYVi)84egap%H*6Vs<<)JUE%weQ?>8ckKug>@veFqY(Py!?u zF725Y^%_}1%-ua?3^ss%Y9yIZL3p+ak(1a(te-wu`jCrOYn53@4J<#J9Qey?kW%w1 z;Ky%_c$yyrf4zj_#j(qZ1Voye-8fA9jutT&N)48H9SDQEbx5!bSovKbg6s?R8lLt* zKd6q-AacNKoxL0`Pn6 z#ihvdqwwhdIKu2sT3&EBC`EPYGw!kdU15kYM!8^H!3c*Qzc;7FZj&t@6QUtN&dWqS zg|*+;iE^HzpipS5%i%aM>twqTA;U+ za&V9D#$?;wL!mK0o71ziWhRZcjGqOGcZZ(x9Z&Uyg-OZ0brg@+lTu2PGH*9@0B{R6B!!{* zM5DozJm|}QZk`4`d*mlIkJJz-ywt$UBt|Xbh8xcV2V~%VfT97Tb+XtOi6IRHt?jAk z>Ei%1`U>d8izHgZmVq==YU^lT&3|%EQ6oVYN774OPHNFi~S6lL`U+ z0@_WY&TqIx4c2RW&JybHfi~T?fb0RVHbtkV0aE$X^b!;?2Cz+FndfySF`Xg5`~=L^ z&)=Q$!u6-xy}xYltf)~91HuR08uP11zkXrcBbSZ=wu$hvGS1!4uM_VcZpC+NgGR}K z;k|#h)dNdSYz{a*CJGg36O@%+((t3fiNGbeluWsS>q&@G{Am$yM1hdmgP||EcIIir z66bHnu7o7fiFd~X=}@9n*DslFcA*0!CGhw6w;xGW?DC-#Fs1~gGSnf022V1L^-=*v zz(}{ApEc;WyDZ12QzS=IbmI6TlNgZ5qublt1Nt5zg?Gj7$Azj2Z-AD_@Z9j6nM$i3 zxfZwC7(j)1n+wh*l*Dvi9n{DhETui+S~QuxKK5|P!iF*imT zVEY|XM3`+4O{FiIJ?2&8zY8T}47sQw@B|ox1ty$gXq;etGyY#I-w?+uaSK{S=ZTifSTrFF$;Njo!2&-a9o4+o)=>SxAmoX6*&z7 z!xs`a$&-k4B*2jI9hd=kIXCU)w-Jt}v8YGn56XX9=?cD(3pwV+z3W-A+#`-FHCB>M9CXxIK zxUQ8GRUn{N@!DP0pz;76>{74Y^o!KMnXXfE3P`!sTDFQG|=3Z=x+awCtS=*x8Gq1?SLh@;0M z4gie2U=BIf&oj)sk8-E;p$(*kC_*%GiQbx2zo@PRk|uT`d9#}z`h)P<8?Y({T!)DkT=Z9Tb?kmuw=_riF*r5|W}brw1R zX~@(RCXhB#t}mQ&qmdU^26cJJfk7Hv%A0PkNT;=X>n^VY>lCfA+JPQx*w*X7NMU5y zo7J@y==NuHH_jAmY9 z!4@`UX`BuSVMv;Uf{Xy106nVxA_lz3H3nIwu%_&q*AJ_FZ&BeT>Slv18uX6ORR|KV zKT-=ycG|GPew9lOJ2pqxI$C1{Sxg~g77lpXMY4!2_Hl`NM##7iuaGV=Sz6n^y@(fV zL@-{(5kQ@YW5LnRBU~_77*fHd1j}x|CQB?mm)GJ_?#;Gr=Cont;^N}fW`W#DU>Vq$ zs=1#Vkl)3_TkgjS~iOAWpH(4D%(gDGwq$4Hkt%qe@Tl|3+R3<#ch{L>zU2F7*eE6ZUF@koL~S9B?8 zCEnu`H5#X$&J{nz+|&T_>?z&ivfIi*t9K%Da$3R_%%fC+B&MsdD#PmI%}vmEeh>s8 zN=8-8Sa#wCTke9i0qx8UJs4O6?t6yHPsOg4M>Gv&?3R9s`=nV6L)$+wauhi37%90n;WTVAErO5_WQYSE;+K zAQg1AVqjaH?DJSr3ef4LfW#@_=We-_ZvNMYLHg0%3xMR>Yw=?o6(_3kmbTaS13smt z@82n;i-iDRQJc?ty433EhYuzNx30O(hMPUK^5&#(nad>QMr&~ zkd5Qnle7G8H5d30Q7|jJrvNr)iZ}RhNIVc7ziwjV-9*BHG6RR?150MTac%MRRec^d ze_RG){P;mY!;~s$Cb6@tCA`a5LVqo&DU}!o%_C6}ek*412!H{pJF7&WM;{~tN|?Cp z70?BK5iBviT(A@%0FUen+*_W1c6a%mGc2Jmk`POAEakt&l+L4_0PsyhwtG62v{#qw1`Ab59d0<6wJ7HC^GMA9urtEN{t&W_yIA$K?tsDVGH3#RwBBs6;*v!F<|3^R z3P4kdl?{%=IO4Sj3I#|-lkifN#00u9J|Q8Y5kPDWFR3)H=Ky_EFNM0>*swRy?>mPC z1hi3xgGD3>FV6NofLS0AoQlGmPjt3^9c&O{L7j}>^^xcY4<1lLf`0zk-Nn_;9+}MK&sG?#uGos!{}T_exS_bE3Zbm&bC|ti~fIHeRWt=UG(lS zbl1?`gP?Ru4lOl=h=fuSqBMda-JK#x4k(BUh=O!CqI7qMNO#^n-|yb%x%d7j;GA=2 zpS@SS>wVXX)q}$shKdb%1`PS{q;{YOA#@*oimpYr!-}|d2?)cuQ_twF(K%#R(lrAF zUxj2f^u;%IuLq7=I<)-IWrykpPHIxFa!DH*^W_{tj0Va`12}LWu~r??Dg@ZtEcv=u zqW~Wn3IGw8I?DLxi;Q&Uk9WYJ)DlRO=IA%=2D@7r=)HgTYbt>Zoe>_4vfVA9nq!I*VIi05lAh*N68EIr0lkISNfj zhO53s<<)}C6bpjo=&LD*}GuGH~CU7g9xw(tFfhZ zur0jR(7q&kats~~{tZ#LUgIpW{6^PD>4A-S?Yy8R<;~T32R(FZGD?{2Xz1!bidNK~ z%x$HcZHysH+LPc>sTuiSLi^9KhRA@6BMmKW_MW`IIWn&)q*kMZ=|oqfo@_YWA=6gM zKgK^AVljt*y16{vjVV^zoo`aBd_KzlG2ALX0Xc9HDf9Y(m6H>zKSx#x%xX}X=EMPW z41&vccT@ILEziK*rhz&yXQ5RM^d3xAVT;Q1WUg|ar#7hiw1b{>_HwGiih%Z+KUfzU zsU3dU#Rb*EtJt@|Yq+VV>9m*P2I@)~{Yj^@{!k$%pdCh#*v@V>hmCe^qHK9d$bq7* z($Z2Z6EY3#hWcSE+g|DcdV*sj?3dXOa+gvh2ZF880nM{$xfb+b;qE&FJ|SS5M06!) zg=*lF)`v0QH+`mrqU6kr9JDG*gU6l$nBQc37R1^}oUkc6Nf*|s3KW+gIhPzlG55-V zzhdKkp{HKv2#NMn_9S**R@cbl?fIss{1Be~ycfr1^Ol#p3ZISjp2AZZkq{Z>USFx~%7LSm09j3M~6{A9yPBH?ac=nty zf(_gVT1(ToeJbAPaKSQrRxjYrPfK2sFr6ij58`Zr)GY~aF2RV}P=41p&el~}>w6+;l?H(nw#(HNH49$d8L&>2@I?2rD8Oy~c5 zpFH$^j;w4Q2H@4M++^}l;*aa^s9lFe;kRcG+q{G@3fKTCSXAlUQO)@OK@k)MCLk7N z9@0M*G4))QBQPp36>xvJ3K0d3B^%eLvYIHGUY;*HPsp zEx5bebW1(G%w3TR*F(IB(d2RZ`vYJHDdJUJ65tu#7?N(6P?Y5kwUpO?FCI5q_R0xg zq-N>-S+nwnnsb#`g8(4c#_3FG5${M-K@YKixUTEEU~Z;DgHW_n11?@aiy$WvA@uIf z!{{(}HnQ_4++?KSy8D5JMW*(jDgWgt@xa_Ip`FTsKQlhAUj}kgzl$q&pP}IzL9ENCtI2dxC%A! zw+=B<7CBf%AIO|Z!9-cuI1z(55g5bP0uDg?q6-KUa2n7N$J4Bhk|$uG?_H9jI-lb^ zz-@(#@kSVZ;WgL%S*rxzIE`AA3w+lq@UFRtD9$l z(qP>9cs+np+88OOL{IqvDXQh=$-ku!FYW*{+X;{b#o;8|zVx7h0i@w)Lk&Dc61z%! z!{qm8lsvjA>EMt*Pf^YT^J|u{oNC{3au;4~z?`FxK~AV}!O&%7x&B zuSf}cVpL;(V(s69(NVp0@KH=kV(=OW_!QMaq{07$&g)%`7q^yz0AdgrK43$YyF-9u z>?RoaCHw5|M%eW1tho(T9SUb4qo4=|MmOemi06_MM#X0Yo5b#Q0!6R(pk6QyvO_Zf zm}8gSIoW;L+Hg*8Zjc}1&3<`)2ttsi5wGnDA#xs&q1^}FV0pfiH8wU@d+)PDq0rE) z#7Ly-%FT6TKQp`(%#b8-KzZ}VAi_fP0hWNU_!Mw)2UuhF-~YOkfH`1P!`{Pip>Ae; z9bQ!Z$zJa#6U4DY#Yq}tJ-I!2?C~d(u1j0#+4Y?Fc<2pVUjOD?SlnqQl9)j}^4$U0 zCXw%U!3@2acb8zMP)so*fmyZ{z%VY?7oLfcpF&%QhV=39dl10?ENpDhN-2vT7lTnw zppYSOTX7P^X}dY}k=@kg>dci*XmI+2gW=%cf@p{5l=#@A)*$$>2``;4w~pw3fRv}^ zH)a*4xRbPhcu47{WKafwvi0Ku{F7X-ewNH@eH)b{J%HFMW=tpYp?6^%5jt5miM>|! zU*r|euYe$^=xR2x%?&AHRFjSSgk`a2tU0(7LHYA9PJMm7;2X)i2Epk&N*Va?^-#1WDHL|I_2`DD!{?6?EB;veEYSGmV0LgT}7yCj6 z>D6gZMMchWSJD{xRp5YH>MNh`RaG>9S&Yh_+zquF{rr$U6A{q+mJgQ#zc&(@RRPHy zdkVHJ1;_gxO3w2W6I)zPRpG@M^Ab!gbmU@pH3RXz112v5r*p@<9&yFiw~{ z=6Fn4q8*DOK_Q+dA!K2$3)Q_h2q&+Syo>YsP)SLnx^GE z)f6BvBO}93<323P^Zw3TzDM_xT=Qt*e-$#wk||Bx$y1O6V!%$22Y*cP1Z3@~)0j4~ zU+66Js&j)VkbLNz@*pOj!wP!Ah13MlZ?m>lxlYq>cSkLSBCI2Jm~>n^-!K}9?fi6x z-~ir?txWMFWw|WI)!njhvE1+950yTak1bRy98OwGHVy^3>~D|SKeC_`D)26%>4SBx z2+Q`6U*<6>5JHu#$Ri(&o_40qFpV|Elegl4U6Gy@!Y7*dFVXJjiO`J9pi{SnMR z|KH~@{`IJ>>rQNys5nL9!*iQ0H29$a`6piWit@E+2WA7n;{Pu;K6g)&-*4!Ffa-tQ zbr$5=Dcn>spq{gQfj@Wc>g>Tay0*aL*iZ$k7G5hed9eUZ>9!WM&zvBJ5Oi}e7R2Xs z1ztdW=sg9rf4D#9EY2%=_b_64|D2=noWJ|~IJ&Ih3$Wz+??m^=g8^7G&;SO9Z+vJ1 z0ixosw7a`K87#-Az@na0U~oO^`JWmIvyw7MgxOv#uad{>sp%P0M88&@)g0b2^M|y3 z7#@6RMeg)p6w=I!<&lu5vo5k!P|h|(z)UoZ#_-ghr!pi;{D)bGpmaInV* zgXK`*<+au`?=|jw_?xGQDMZGiymL?l1q!TyQ? z@|%c-K&=@oHd#STgP%adYSB8iVMRv>w7V>ZksP4&%AjDe z*WbeIz*bzgsI-We9;ioY&l;ujT!UYn&eOTZU8{Kyi-I2pd}u(xN_P^z%xKSENDsLn zpn!nb=Hxt&vRni1Mk`K~^1@F9;sxQ+`hHqC>%gGFZ{H$bQvSbTn>=4ApwhhG5`BHJ zk|OZ5aiv(NmW81-34a59Vs%`fo6|K6=+mK&v)?Eo@GEe?VMBJIsmSEshNc)!>e~la zu4Xmni`^N4{P^vraPQA4{9P#_R?sGp+E`9RESFa-ll2pdZA-fRE!56S;G|YeHZ~J} z$vET7ohJg_rzXhR`tU<&Av!(q33%!aZ1>o>0mKVwrn;O(#6lV<*e2p}>Ve*yC7jf! z=_FuT@Y%@(P>F@o**@n7&sMQ2|DemFdFa^3N9kHqNp#khBakYbFvt`qk+7MAy9J9A zx;fHrmBvXekb(aEK6_pza?h~H+jT87J+K8`nz6;(SSS&J2-6q7c6!K;By1LiP-Wmz zMyj$FaZ=BY>dfBsrlJ9(=)f^V3+{wN$2$RA=y!B%myQC9ECShZPG75ehz|5Qk;)V? z+{wm!ybbih%fHegkP^T)m9D9)%k{arlG62D>WaXJ$AXo$#Mu^ym_k~@9db+ot5rc0 z>XCfy0!U-!dt(Rwjam5V>=alykrg40O-vfWD8db8Nd01vzUtd$8>kSPBeHAl zN*5>+$Z_#9%@mL)6?Cz1fW-vJeZcX^J&87~6?Il4R9>-;L6MFu69q-9LH3HI4TeX@4(5;@h6xj3UD5)9ud(1E(%D2fFiF zgG`VfTkKj=Byc~`!s(p*RREPVL?rx2+jvpD+khKhLDC_%e{7bFh~G271m}{>^}raPr3YNiz)o+$Bz0|JfS;19ed*g=&y-CkfEXSOwQq) z%d!5f726AQ3&*&R;T56Wx4#^GtxT%5TeXJs)_UY^;uG;XBbx;fEe6>X?J3S+ccV*- z)2Kmh3w~Jb;-_7c)_r$`_>b-7vlkO}8|yl8h(_FA`(d7 zMjfUq9P9wB&}oo;)?x`&1uU7?ZX8h`ua$eSitv1=*LCmr>2P)(=Dc0j+4}nOTkK9pq+;V`^B!;1>6+tfVM9}a{l_CZS z8HQ}@+sjM7;3msf`0(G0mjo{!B&~uw`(fpTDk@(dzzu4S1Pacsr@gMO&MA5IZ>sR* zWMr;r&IeZa{_4ZMiNo%xsS0^|f+V0YwOq0=y;}+i&R&o@dh1_B3Suk+Cbi|vGM_I> zy*vL!FY-zU9=|O|k%3B|2%vZ_`ZcJnj?_B+5?LQ`$&B#@N_Me>nOvk5U-(LU?@>^b z;LCRT4Y^PEg`fS7)U>;2xvVcAoAWOih>;dI<_f$I5AMF75bGqF&#r#8NUx4Op!&n} zofXs=F@UP`R(P|_*AGI3=>muYF&B>SO|78PT&$tN;HB^yl*ZzBCxdgrAEDx<*dwci zB1O3{h|;az?JZFJa>1@76fgue{P{VQV3coRzoE;x(nT!1nmGKn_cz@5E2P(uH>A1J zw4p*O)}-iPHMbb#HG+1&9`K#2`D{jT7E zT|X9x>M##G32PHKhb{t4PBn^xD-v?uPc^K<)}PbQQsGmdkwLdx0qN3Y~+M9>MOHWFsQ56kKh^E;**e`vFe%e%B<-%d&#De>S=| zbqRR{5N%_``)jL?GPS3)zo*68f_n(VJdo4{w$^-FOyb1XJV%rUpX{X{9>983GE+Cz zb9rUI(myUow(pX!)>-i+>hu~V8V{h-D`vL|!#lBH2-f=Nqo2zXSmbv)>!f?!+tuL& z?|#Xbx=hv|5G58Q%LXy5?<{ssf;z%?mSQX%xED%&BY#`}?SsW#w*WQ$d?LhFMR5Q* zK@oX;cd8gA^Lzl2u9v`vUkbYp@rufsa z3?YmRO1%EGy9_KAJj;q!sKosRIHxEzK^T!CqD}M_YQTmV`x!h-RWhoQe0RP+qARq< z>ZP*Qv$c)KpB&9;5_aSe*3+u#B6FB&$NYO29gZW8db&28{#ST0W)h1{RwBYSI%V#t z1(ivBzk|4wo7QAw(Uf+p@WGSR`-R?6Y(naKFEFi^TV_( z-CXPO;%vQFx05?fOiI2aZA-*+pG*oqk6HU1UT8~B-nYE1xo(=Nd(q-H)8L6)Dq>z) zDj_G)Z4N&w4@a28BNw4nVc)(w2kBF3M#Z-MJf0rRFQ`oKtmx@t5y)vEqfpEsHMzgP zc#S*a@B|k-dW~kfWoU%=;{1nN|2LmS`c(d>&|}llaffiAnv>J5)0j1QLP2;TpdE4` zTs-G)hn6egV<-`ZX-BL{25icJl1O?`E|UlZ z`?}BwJZV(uaC`z%}*(P4uJs z^3gh*Fo~N6Po`lr;@c>RXIlS<3y?uU7{&?HWs&VTQn}50@$q|-^>~r{Q?nWu>=fA< zply397tjJWVj}lT`Z$)2P_u5tAQUj+o^@+teVq#Sa-PFas`z9V^gxXL&*S_%Fi6;palJ%E(C)nGRbi^iK_7_et_uUUataZPY00c{39Qj;r``J-dt(YZuIK@H5 zLBl?)1y_`cjt2i&djUx!nmR$r#fppCuo$Pin>pwz(_9%)mKPEtTd4a!%tUNUIiBDp zrfwZ?qt7)3-H;tDVEiZllf^KA^W;BDXr!NifDrUJQsC5nPjm?-WqW-Pd7J`j6$x_Y z1Jfvh-n7Dge-8to-LyRa{1Nz@mUG9ur9ttF;#8Lo4`rXh4`}*$m=gzg3OX84yNJQh z@x(wiPaNSd8;UfO3!p1)GXvSH?+5iHXhBhRUb0H);?86(u6to$OObAF`zid;<@S%? z(ar>J$y8-)p;%_9f>zchL5vACTARnKPZeT@W7Ypt7HIRxO(v^?t#9$Bi2-r+$E zc5}_aN@x4yQlQL>F}f~@i39#K9F@o5{f-BlI86re@=g@CU!NLXjKb^C4m}WqvD!i1 zC<#V?`A~?6#L~%ObnsD82&}}U@i+Hi+UYg=XkdMv4=Q}QwR|>bVbhzgvA`t%j7Yyw zJ!%nC&2p*2b)q5Qon*}C=N-?}rCo7!vZaD@FquMWCw{)*E6w~Xg_{ZWv&0cGHY|=W zZ{uNo{M|+`JO&VD&)Gj{p5jKs?nKMQUk8v!gH2*_^dU*oYmpya*17kut{}vmhu=(? zRAl`+ME-|u#M@`uq5gOsS;dDP*Oi$@Y6U*pf)%%T6;AvOfm)ll{ycDu%@#7bREhx;dFEc|5mF}iDLQE5!Iu7mn zEe*PG{=O?t&F9Pjl7Bk>)v<|u})eYPV^H23>01|Ra1JsbbiYQ}Y)+_tQb6+JPpRCW+ai7Jy* zNyxELP}`;#pi`MPqKF{_#HMbz_6k()+aVWC!w$>(QwL;P$)_peUaO~>R5Y~W@^ z@g099%7h$y&FcM5skL7+SnSU{gBz_lkNha*E#v|W9lC#Y(~Enhl-|b|RJF%jk*T}} zme+3bW_7MqA*v^oLc_<`J|v-@%W2iFf1g&om?w(x%4tsfce7_KN|-tB)b_OI0DP4m z&r}8zukWg-@$pHInf>Ig_+iONWO(zmwa|85r3%pG544S8_=O*nPhz}9Yci>NQn-{T z4mrKa51^iWBW+<3>*U|qAih8Ub;#t_SY6pmQ<^K$MW1NjUl=J#S-O-col_`_Zzz}W z?iT>KlxXx@e(usQCLieEoSw0tDGUB|o+IfOi)lZV_q)RCwasb@(D~o0%(OS9t75PN zI>InjM6u4)^OG!2YCG5zX$ryp17nAjEwPP`e*2%_9!(AOXuvnf+WE%s6{MudQuiIH zzKwp^!E^eH`fF^K@CS-$B{dR@rvuF1uld_nzq}i8OynT>Cv%S^>-y-NQvX(zVk@dh+PHzu?HkYk_V{tH|G9=3!nUyI~7mLYXad(r&$e0YCh(2tE| z%OHoJ!LV~CfI9z0vD=bS)n;k_HAVxD8Ys=Z{%leO{pmCjC1R($JTyu;;p-v*ehd<8 z{G!spH2q4oz{t~eb>w%qXT#koF_kiAzrCYL%I*8rxP0|v(c*@P{qsYfm3~tQrZ1_` zL_rq<#SPPCmTf`#MF_QeN=`}q4P@%7D$x9OF9}iZcS!Qp{3o@17II$hpR4(K+>9y{CH z!+$c9D6f6ZsPwT15jXzh)DkKno9IKJzG0*|S7UOOPq0OGc%Fy%CY2-iMDm=WZe#?< zDwC5xRs#*Hp4dB2>*cYc_MZNrIzL#UdHMxplM)Y|jj>x4X@vS6yd(9VxpaD_T2>U8r7j`rXcOnkVOD_Gv7mR|(Yixflz{Si$cME0deW6M&-e=nb9lx^CjV&#$;}Vz*d$VdsQY3I%uKzPXkO9MJS8Bo?uK zdW6a$Bj`nLPt;S!jPb)P=9_#4zT=~Il?t{GK9nHM@ERj$O}(sl+!Cx~ zVKVKR*`OE4T>BK39;4A_RU9a(;;ip8r zb+6N|BfsbUV`J3J%*;z4%K&2ya2s(pl)eM7n-vbn17PqvQP@w+l7hdhtgx+^?*(2l z;PsuaT=Rk2c^+tMefn{SiD^OZ7cpqCMQIR=u9Y7RbN>!~P2o<&aG$ouedPw!KrU4X zs7LMJaX$$QCZoHPWZzXcskVJK7WEa1rn%nL;(sV_XpjS>$wC&GPP2_s z);tLoA5W#RcJP|tl|B7t^;>v*qJl=?X#*Ku^e-M~<$KaqPSeKiH)lN@Sq)^2H8>%m zR=X{;wD+x`Q(jdn3m4h!l-7~0=u@(K=Up3e9fc=H7pvkZ1A6M9)KPh{3gbqz-)^tu zIK_0MA3Oc{_F~a3tHxJ#o5JShDC3u^Qq@N2x!{BY9?&P7{a^ZIF_V!OK@WqzB=Q6> z1ATIgGb<2Uj9fehOmzATekZ`x?GU6jC9CjBDpVvky3e?qUGAyhbM5NtitqL6RVS$V z0D>yllb?>`rE!46XbtjP`{6?3sh=-n03)PrdfK#Gp-?MhZ)=pVFH4FNAkK}{SLFYLc*X)oG%$b>)z3WS_z8qNw z5NpL99LwKcag<)pUJo|uzSK$=RBSh|cCnnP^V049Q|-De=(eI>A8^YI*e#YQ!3Cu+ zHYno;ORnJf?Jm&#%f(_^PjT?I0%@v%0S1YAR!6)Z$#pHtA!LnKs2jUtjP3Pz*wU^q z$#!d2m`J&Q1`F71A;74$2XBkt-Oi82DM2A=2rk%OdTLJhzj7Ma#_MP=URIbStSUDk zr#`_nu+>7u6pF*oy?8~x7so7Onj?q5Q|HL|@h@GTT;G4?G{rZjQ>{hI_OoxcT3F#q zE;;bXbBpvZcZmz|a}!>UaZ2}fEe?&Eo`xbSUv9r~CS{cJH`e+k+`g?y9c_gOJaex8SC$-Tk}usOp78iW?mCW(xinw$FZ?#y>W<{jpt3;`#WNaL*pq{568uT)rojz3nHC^rr4@S)tM%HwSNbt`IOa`TI5CF^ zDQpMOd|mez6xm?e(w?o+RD8+;Be(vmy;Nw96QIJNsemd*O4om%{Ytxb>)+kV->q^S z*Qs9+wI6`6$osbgdajWFl{cCov9`9BPfP*-gXA2-{HR#@fSTa_oMEvo-I2#e2%F#L z4+_?^D+eORLEUb}jO1r}O*$Mz091Rt!>pbpgPnzQL{`T=IKuY+&MM6}jQM~og&Udk zj#ft#my#z|6wxt{?nQRYS%+(rAr$Lm0O65qO!W%yGDzC!SkS2*tGocF5i@?ELObPL zJ#iiNosRk;ztFQQd3NhZ`47mCHdZ1P{lcSd%jT=OU%mD@OndeE0ropKYh=TFsyAc& z*CogS@$Yy4Wkx#~jD$B55{5NKF?^DxCcq5RwfIpV&K?9gf2EC=n%JHX09^7qO&1|r z5R1ez%hID+RRTvxr=S4Lu9?Pf{M`m${KW(-Rz9dJPgFVQ0-G!>DJ|VPI{I*i<{k2A zXO;nAgj52efEAQ}U&3kw&ET4;abMnAwMFDyodP@;7HncsiiIyWyB~V3Sw$X8>WD=j8rF8Wea?O6hK;4|WhOG2gBIeLz9= z%Ji8>`NOyE`H`H|zv4)tiHO?4 z`EIYpz9Z`S925|}&-PI1V}^h}-uGTi^D6d3Sfg&(lY`C6ig$9OYQrB!ni>H)tvdcY zm(VQB^<_>@j@1^d5-?Z+$&Gu=bz<7UjfmZ}g^r+2E(>rnSDlGUejsVv;LitesiWtW zrf8~JJl~IYmiu)fOLWAD?QeXdZV3WFnosI5w0W}Po^t>zTU^Mb0MkM^sRPul%7rXP z_h+XlB457ak!F4Sq!FaNUtd;!Z_25P6PqC`N78~Quc8lO$I^3OMXv}-=mr;& z=Bm_0?8y6_iB5SqhZOiGEcIsvM2DT}GRu%p*UUB@LrUrD1ty0kSC;*pmKERt4on;ig zT<^_b7&f!ZGs_@oiVZIuAB@A87PnkEvrOL+XNdbN5$9@S{Uzb2MJX5|8~;x>WZKIa zWR#ZG7rPH_erI79gvY8hm=NcWXcW1YnKVILB2o|g`E_6G4+y+LAl}v?IXm;W|I(B$ zuZ?B`CMveu+V7}}&0#isUoy9~o}h7o`MmO%9E|e;P+on`uG!4fP-TK z-`D?;uq04z%#=}%`IIWn1;5?{;>3F2OJ>k=s%3tay>!qMcycklQe9ju`=_cG%Y0EC zOiUv^4+VqT*%dDBhA@;{c;sww>f`Tn4(_$dY_wxB6ROcnPz17peX1IlP$(j9iqwXaJRTk8V3Y6Kl$ z#s%~m6sgQ)T+JB~S|2qsFP6SW-l1~fsEf?s^z^vP#Q*54x~nU@7jB)75P^!>v3Bl# zs>dRBO82Kp_Ku$>h~NFkzFZ&z|9QTH$eHmFB^&tZ=s5VNx~JeVoap>l526LJU$^dj z*!$axr*Oo3A^z%zG-Zpn!QgJ|_=u2y2Y}Lr4Mb>rNIy@y`o$n?v4mK+J=9@gz zoTzeQIhWNgGYH_H@~i^hrv2el!b|RSsY%T9L#oJw57|u~B!8~!Vv3O!_uQ?UaTxEv z#wv)2rzv{o9^M+*lnzh=SaiE_>dWRXq@DH;c_JWuG*?^P~~_Xi`I%~cJcRrew`)Y%NUW4D03OMItbab9; z$U6`5_+pzYKeZfA;_fi3=It#xSML`WODAmkbb;-|El0z4E=R%is>VsXlmd95^uSFr zd-f>o-;=on7BQP1*}iuup%t_HZ!+51rv<@M;0fN%0T7n3&;6s0pXNd7;$2LN_v052 zi*zT-?HFE|s__)4Ix9mN77;8o0o&97Da9G_W6vXgT&1l_HA?6 z&B#rdZgfx~CK5%dQ>c#1bvNZ_{UtQ8wCUcpMBydTtsxfzD;_{s%WJEvT%ErM2loR& z-AK;X*4ApKwYAkm;PH1(w;7OiS?2&sppX;zV{TtxpS17m*Rwl7_ZR;`BZb0I$O*8} zcVryLzQUK+(1b20aDiDFS=oYEQ>}fZ)}KFrUIW>g6c<1Li`bf)*Qu_D2M4t~3kw4s zeSKQ7nc&+e6crUcucr*6M{`cJ1Kng(Iq6%Z)vc6ImgcwuL2Yt%nH{KFA&+sMD#k49`}QIXwB^)VoY)dFQj4ETuy7dK)FEE6FhnvHbD*{r?u{>03~ z!{ei>9~u#{PD)BDzwqy0Lt9Tzv68p9_e*#8!xqr1zzzV>CQ~yrSC@dwDR6srKJ2!? z)FC=&mL6D4(G8EnjuO|vzFr)Tsr075y1Ht09Q_wK#SxkyPQ2Om@kXwFZ^5VZ)$1^o?rpUN6`w( z=Odr~<5_+}VkjyqcIU|6w}UT9)Vt29AS`Wd#qa$gJcj}zYtY`_9)97G=7TOygF;jS z@cK|i>CI#Az^@P}hM|$QYLiU@27g-PDWv)7P)s9cplPz;fTn{|<>kie2`|KX)0b1Y zLM?rZm8sXnCYfXwrKzJ{^lI)cXP7W7H4gcf90JcoOwV8M$Q8VqxDV2MX^{L|&5VRv zHG%DvQdG3AZD+Us6)aiM+}s@4;2Rt8&fmX&X~t$26f9$c_tylppd_F;J!}cu8si~<6IRV0d zMk234p%zGL@|Ds)%~8q++*APWxlo)0V0v$19jIF=c1?b6XYU(9*$)NK(7bc8TfeRH z;_x_P{I`)2-izsK6EuB`haUTc45b}wa^t#^F?yzXC@74e@xoMu*gch4MI`TU{v zn|Z&}S>sv{UbN^Ipjl{v>qLbE<(XrgRUUZbXV<6mLeEFwhF^`zK?*2-sQLCz*v<82 z<}Z-X(a2vPQ3Az{C6)@n#e}Td@sMvk{*Dm~G+lkqcsF!^on$Dc1{ zjr8(Ydm-c!eiuiIr#rK*8v|@0Uj!2vf3@XFu_tz5v1=g7#2O$@iY;fe(GZfU0giBy zL6HR_YEs*DZOXqWW9&fZQ5?twi3L$$5u~ERszb_&F)$25G0hD9RkF^Oi1Bzbr{BS< z(^0ZhNR~DRa%CY4+dkSPx?TQ$rbjTl>L-^wDe*2(@RFK^#rfp-`k@~U3rlW=vyhOG z?L4T1a!&T_fV z=fJ3$oHKx_1?63(Zpzv(Uc9IQA6CJ~$Cn4vmhByYF7W)D29k#-=Roa?3GR?r=!x>R z@mSl|STNz^|NPi;U;m^&uFtg66p4nXbmgx_YhV3~CY8S;>xiamJKJ9t@;!NBoqAYu z3$ji@`vKOYjX}%=*^~5)U;Pdf^S-+c8acRgEkGhv{^s0`0}j-fQ4Yg}84QO9mACsO zWda)Fts zV9E4I`s*FrL!Ptn(&Bj;`lhS?w72?_R|%Sjn2AgzM6B?>Mm;28`||hzX~=vnHg;1L z&_*ok>FL2@Z0B#z*K^&#zp)QjdPMHsxw91<8jAJ9d4GRD%R0P&oq>sps&a%2E(gw= zzYTE6Jtw~dWczZ})zxX~!I^n64>zHppeW52v<#k<2!E=grl#AMecvm)+`7xHNes-} zywMDlPw6X%zYN1Z{-gf_A;=LvM^qKtg^<7J3zbo3`-f1sK43t zP;kIEp6#8#*%&X&mAWUUxZh5xYq2qa;^r&{z#*+j`0h|(YGZ%@OmO?-+S@BAHUX`3 zJGf`x`|2FRd)3X}`T+j5!P0KG}|MBpsK1Sgu2bqKXhZ|-BA988v1Wq0t1mI4Z zmNbVGubo<2ir;>H7yN|CPH!Lv8%Jw z=z+Sr_Z{$Shxr$gLqTU}-v8}oO+aUNCP}Q$?z3*aiUJr;wv=USXt`W&*(>mucL(W4 zB_^OU#nayfUdc1y?+v7-r7wPOY-~v1K)GnC-}6DqmGf$;sI|xzV$!PEH|At#pFa-{ zUQ`AQ{SFWa#JS|*hMZFqanS>L9JAk%-r+R>=d6Km;!X$(K^dfQYqtXN!bXh>VCC<( z5(=dE!%fcoNPHBbe)0e$>WQ~Yf0%a;fM4(Z4w~Om8D6f7VKndS<8WEDUMQ$KhsnTl zn6b4fg7|sJHo^Glr56w)#?^6b2oaV`T*+FyOM2If9PGCDaOSCeY^3D>;Q~N6APa(! zMyX7j1{e(YkE`gF+El2Mk7zhXHEuH(g!ZPjy-mREZDtm3OYw;^#sN+sHY6R(Y(D&< znEGNhe?TIl1`?o1PDwc|1UBvV+1c66$zLc~BTQgy7Fn2>{FZ^0UAucZN3G5$o(Sftj$;4E1dxhLt!_ikLSo?wQCv`ejNUY2Ls|nvC8~+xdp! zUXBO_PWxiqr7_(<}28=U6<@ z{RKiy$wX&T`8jjfp-B0AXdr$AjDrCq7I!a$ijM`uW!(_@VNd=S!Bs#jcffrvorH;@ zA8&qBZd5Z)`;Dz1a!pr#`t+&j=HhP|m0iwjZfvtC@G}c2ug`gd-UtzXa`O^kOMdnT zuYMQs)^{s_bqJSYl6-w&V{K&ke7tm4g-0h#eX0sXFF!Y@t9E(UtAWz>1}tszKhrmF zu2ggTCFH;x`cYk7Jq|75VPmsIzIjtWDUsXnReaaM*9n0Lo~#1fxfNLNo|Atg#Rg2= zI$7z~r+3}_!?tuplA7C$jQ38t10EfCIVh9jM@P>2&(`CGQU$3~z$~$!#Qe|L4|Ph6 zw6nsl;E#2@{OJZ%r6K39`7Cpv+tAe*Y6DF0^+p$$fmUCB3#9fmOM zFGpd&@)9>JeR0dN?zu0EqDKU?c7Y+q-Q}iV7$`Bw$$}Vl17ADqjK54{&i^KO{p7p7 zBqErt^6K`jRsMa5(akWJF9ZIQra~}#ms5$87JBM1dpP893eImV+U5}dZX{8d5`IP) zRe$on2~$#@vb0PS{TK>q=)34&)mG#E_ahDk+#yWGoR44CW}!yc>+|GKEXiMnjy9xF zzsDKkzWfirz=HO8SQW`{d_Pb{g9`-WVW|ajHEotxj}j0XO%SfC_bBb-2DWn((f{|I zL%>X+m4)A^KV`trXAtuO@@8W~?b4^#P+sri{yW#dHO zjv8E$16qBZiAO99OChwaG z!6jX4!DVTmw9Ac?nDcJSx&qBOS~(JAg8xld6@Wl0UDj9p5BP`;jsNMa*Z$REe`Za; z+$FzBl~eZip>xwUb%NXl{N`+#)DYNN>#q2)CZ@jSnlaEA!3rFJ>eV#UJ}K{i%(6ZU zF#?Uvdy8#~Or5))|9V?FqLx8ug#ZQ1{q@{{dkvOK0WylNcaG0&$Y;D5G=`_;7S z-b2Mj{LpM=auJ|)8AvQ5%gftyYqC*yHOyDWANlgAA1@j-B422{+!1MA0o^ea-`;tc zoG#_~Ada$Q%G_%<%%t*p#`RMWJ#*{kFdqG&A;SDkgn<^bN!8mq!9-o}&*t zt8c(Y+3yqS2Lqp(gZtOpZf{QIvm{+xX|J-DiEc6vH$3wc88_&6W~F_OKE0m4J@_Sn zUeO!iCE*}3KiQpkp8ISdD7l=XD<_oOpPpo_l4up^UhPj(8snJX(l6vV#{cGg^&PEr z>TMS%2|+3_pX}V+omZJSQpCOZLDz$7 zEL@Z@u;B}YwgnoF^sj)t*M8y~N@^acmCy-+^~Nx~=uv1aXatnIy~vetb$(a?T6Tov zpK?@Qetfh9o>yXgd4ZWx+5-=)uJBSjc`(cfM8Op`G-X*cF$}^sk>nDfu1k6`8PlDM zoUH%`#Fnypgdiru+`LNH=7ilt7Cl$1TL-t0=7=$Z>?C)4ju1~-&U6L|WkYAap(E%Sc6 zBC1VFhju*MYtCWK?5rM-KTS}Lqo-pg8eHIlzqYWSpGesJfnoZKS0ed3SDW?=qE%1a9 ziTvO}yk64ep4gNJe^i?Fnon1;#c}__Nm0ma$Lz3%1AaD^n}fNg<-#cG(i|!w1-@LM zRWMGKi1e#%`!&ftl86!*}3 zhAe0Wy=mZZdk8q)=U{h$DzKRI!fy34iFM>K>qpDqi3|aXEfVLCp89!4UoLvXudu`1 ziJ#2NUSVSs&w+HRz_3_<;)h)VK7&cQmC6vC=$~^br9??9YwO>PjVfL^*qx{I0nRr) zuYrWBJx?(tS+1zuZ>MJcy|t8msDTX9SWqIw8nAfnrz(ocDeHOYSB}IbgCje|!f+3n z-GF@F!zo%MItwi;~+{Iarwvm*wEJxmg0?YX^_k@|FN3g=)U3wle%6NYxwZGY~%z%%;SvmwDRny zkDhhF6si~|&2AHHI+ZpS>3wu$6$plT>5koDN2CQHH_epjZ@(~L6g&z;1V4OxHkOTg zaAdW2SE|hy&TJpqcsypxjg#wKcTSxXE)n;fXQX@acRv{95SLoI*d%ZR!to#}2+)*@ zw=ROW%H6dLT$T7aHXt#JqGV;_!=>6P&%$$FGksN6)`iBsE`592QC2f&>f9j4`!(iC z2xu6_uuITnOG`1oa_GEfHgMT`IP_)F(B$B$7b_|DIx1+Yhp*JRPidwO;nKdUmHQ3oKkX zm?Rj|b9j^r+G@pJ(gTxTC?8{z25gQE`6oMB>f0Z!OCiWPIpWHxl3jvTuJ5ZgG+HJ& z@=Eqx!)zE|-Dd|ZATO-WNI5bwu59I(Z{;x|TDUGuOh*uZSEjD;2swGdH`Coit?N)p zg24SDN@%kqB(QvN72}Pyyj?Q9jUoN4|G9`+ktsaqS;C^}*gS?PbT4AQ=A1f#X-*AF z%d$}WHMy-8{unABmvWMeS`YT@?az z3q;HK>;@o%dkr!dA&_fa^SejypZ)RFSGI7akAz;q1Lb(e9^=j@ii#28>#$Fe;C9V zPRb;49&2KPw+l7vIU>%tk6)!Rr-K-reiu6a%X5g;_7i!W7jr+s1IDjr9TX*Y*`8@a zshcQ^KbVIsz>n$a>PCp9Q!bXm-X`beRikK8k3yM=)R2Nr!8md%QjFvMqT7$d~!}$-iIZN4$XTp8RA2}R3H_QiITxq_<=bP zxX;F9KC6qD!}{xZOj@gsP8CRwd-l7Jag%&u>zC5liu*)-YnU4t3l!t!T13Bb7al-< zZP%V}f46yN2XVwm{V_g|weYGi3FngkuM}~bv3Fm;zG7029BeU2_X{2_^!W=KlDa%G z^eKj57|mP6chG={wm;CFI~x)H-cHdKC3c}X#o>e_I79zO_X3|l2bI(>ad`CP12-H8 zDrqkZ`x6{J@x672z~a2*bcq8}&yB6%1bKt0p^KqL2{D^)(k`axz_u>(GATU_=99%e<}k`C}Bs^14@gL3^_j-AU-M=Q)G?TCkU7fDO5f7n8a#BiWq7{ ztNk_)ui*E9{*WpN)nCqdq=F+fL6PVBfWx(viaN?^+k=Gec@RdS1>Rlg03jrWc2g`r zNN$k+)QJ>(eoW*j(o*@|Yckl6$J(>~UtDUlJqZa2vcn)w6}SV|h_V)rQpy+4p1tNX z*=V@^;{&@YYw^_tGqT;Uv9bTI-d_sM!4tNUed7bCtzC`n6({1?-uLv;89oomQHiiC z&g;(i9eak}2I!qIgTHsTeAx4n%5emTNp7i8gYLN^KEWDhYNhjm!-sj>2D~Hc0or-O z1ue+ym-ZCI0c%KP;MGd)5JTx6+&{C1@W_f&KrQ27c!L_&SCfa^3Sx{2UTzA_2i)<* zkk7`7iq2Raa1~u2Z0rVhn349i&Job_jCK0wGE)+iNkfK4xSsSoRNp=)*jk5cOB6_+ zh*}OSqFpsQTV%&*d|UXm-HYgAl)DWA~lK%N`p$5 zbPt1ci6S92sDw&4NDir_poDY?C@n2@AN>0LU48HS?|aw1tXV7;GxMBt_St90XU92~ z7!j2LC&zd>Uk3+U4$DWILFL0_=OZ%Up}8Nqnqb!O$WNCu3?}0>_DQK85^QlZtR;*b zOB^_pzyolUoO~%yI8+hx-R{l=@(ipH`!Z=(*L;Q_icZBK5Oo=eT{3>{5YjURFcg0E zvNo8?h-pIdLMNhft#0+b=F>8l)L@G&9;3c+^%vPdI86nu#utMB)cYVOS>#xm4BSqa z^ma-MFKWBuGTu79FT;vqn0DF2NMV;RQCOt;mMGI$BR|7bS;P=2$2Dz~FsWmL_W0s3 z7a)v?IAGg;nuSF2>Cz0o!V`j<K4Icf8h75G$VF+wL)Nox+4FkYEUy}J{NFz?2)~X-nhny zQR6%4vt0Gxl;$6U!*}zYYp><1i6_^9Jtf3=Oh==FzG_Jue1DdGZIu4Zq0G7W-FvYF zw%r)qvtaN&(REZ7_icZ*+w6`};#2>f&-&WB;Yz_Bt_Ai69S`%W#vewdwA+>Ovuk#c zvnz~mznb2w^*F97#!EeYCS*Ff?PezZd62B|S@ykAK3ta>zoAK7hZK*u-aAu|sRtUS zh0pE>jBcg|^PulUN_eh~hYsUW$UU|v7R>4*pA#JG%5euhR`G1FPmK9=t zEe&$8bVL*DZ3AJdWZZ1UCr6#oyJnXeZHTff34hADLw$7gtPruHmwqfFK?Svm>K}Pv z3N5l6E;P=uYOyQI{&_f<_9T@5kkgCNKDph5#J+lg2=o@g6%n|IIgcu0fH9Khh@kFG!%I~sq5Kg*+0H#(Eg=Z02?^dHJaip2YO;=FJJY)#E zd)uHGfedM@OIXtleGXIg@Y>x;dk|*)bDgQ|Cd$Zj!kt)5n4gz`lmQKPue1Q0FXWW4 z%3dFSbE}J?SZu9NYL0YJDt02n#t5`h7jwqMQrkd4cTg!td(?WvHCA-rsrTh@5P=KU zuDYZ+o@FYa@#sgF1_ncLA+`9K;2mnPPm`q6XMTpX&G&qn$$eJcSbAzTQfKnvb<&I^ zviT7~p~qOP693(Dq=m&u2Z7qB{*8ql0HqvK9Xs1x>s^^G(7tsHczzm1iG zX00h`VK*z^7VF`6us`HrzKaun`e0W@C_N;FvWF588eW{mXm?2O8sfiF{@Ej~m|?Lt z&2YGVMpW=oOe2)6yK41)*sJPZGUX^C7JWz3|;^B2?&f zPQ;{sMWF6@&ED_uxQbyYE+$FT%1FNiLDyKuLP&lT)FE5Z%tyl5kXacYABy^N8~bt` zHn5c@vv{x)rQ6S$lj05OikEa!7k$=k825|FdtcJHrW42xW6?GK{W2)kQ-m2Dz}|M zEM1#&O^#PoSN27Y@TZy!`31{^eNekI71_a1WHSg(*+%!V%6cUC_JYQ_8ehycrW`Os z7QCa(rfDnYI9bGUVeGClOGixZ;0}$G4-*pP8v21lxGsR zz2_x-C2CJqL=B=6N0K7FSLZaP(1OOq2Jh(*=;dCzDe3~N1sP}in7aQX=VJ}ndl~k8OHL)EIgDSBHpxT|hW7t>j0h;q}e(df@5( z^ybIh9%2irJiACU_p~<<1NsV)Rjo*On5vHqwO%#KU_*gl@X2IAb_ePu*81Z%)u%x0 zOrYb;x@F+pd;|>=g*6+nYF1-|9gtEhZ5kFV<*Y7`DQ&Bdf3KMHl^}^S%_@ z$k%TBz`;C0l|zGu!K+i950y*InxRI1n{B-6=*!LT<*^*s=90}ta%m9Y36^MgZty#Z zF6n#xvMuUqlBWku_1duWcAA9*hN6tJeIhS zMQnrr8q#Y#xa1vz?`V!FGJ5H%7D*5ebINhUz+NLR%R@$aCg7c6&SecbszJ6nQ`V?k zT|?&U4fRVWN1`LAV*!@k+p8jgyzxqVLQz)ve}=X`U*U2BvUzzyRv3f!=W6np;&RpIb~ZexA!4fzf^N~frLCWnnf7YEiCLCX_S8qGvt+D?Hk8F|n!Yzi%*8&Z z6?wJpe6!H2BM^qKn5+Nt%kiy^)zD0(cqNJudgaZTCm~B8_wM*rT0c8rbZsA6H7xe+ z6Uw_?p;qfD(*?pL(_4Ltr;3;t_M@c>WJj!?b#GQXbick`;h$CBIQJEgq$DTxBUKDFI=xz45I~@oa9SwSA`V zTFrt1InxY+0zuc^Gkw-({JDgKZ7Xa&f5cEnAzp(@do5|1?Y}}P?gSwtdsBRL5$F2Ap6k!+XkruA zJbRvt=a;%%nouN@2?Cv)JmN=h4uywT6H1K;ryUHlc>9mX*Z7b(mIb@vGSTd2VP@@g z!uAn8bp}*cvS^XrDZ%t_Ji9P6E>ZG~;0!`fT9y+b9jeQ^1aG&cFq|)CsJA>{ z4zf7?1g4TbC_L>Ga^!cs{=#roUS>~Xa_x}mb5lzXTU&4p+a;$fmS3uHi&3}d zMi(>MS)aXmp`5O^B#$L*m@H?Tklnl7_M@tKxI~=kvx5aLD=eBR9N+1}rNuXc<#b=# z%GJ{kziXgg+0d7DC}&ZFfl$fGfD4uR2XtkV84*eCjc9LC`so49i@{ux2Wbi)rRfCd z%J7MW?bew0H(pX~d>7EW{%%v=dV-UHY+0gRcD=7H%2M58)Hib`4li(e=$%t*Y!P)! zou1D^`i6iN{e#|&AWypPHs+^y(isd6KQooD4-6goZH(@LvMuTUNK|l%%N9X*#)%G! zE%HR=aC$l`m_cNt?Xf(}oC^u|9(|Swl)5}OjB1=r}~{CZk;uE={*4o)y@FL zrB=?zA7Ph2`zL1*o;dYRTPJqjTY<uhQt;TyB9@2naj`fSz@ zg?v1|1!o4Fd<+kV)Q3%<@QQCb52_cRR+(xqsUFBWH4PkOCZirVo}6@fNl4WyPT|wj zzk})ilzEVcwH{v35ZuQcPl@4zlvb~i#Sblhy3^PgHoIi19wXA=&>`85&iwh4TkuW; z!{989DePUn{j)by7>yz=)o(Y3XG{3lnveH}M6v?5<>ud~64tzMH9svnM7{R$_N$u7 zy@#1~>+@^-k>7f_4tDBwo-J#b7Nse@LV@#Mq-_^nr4jJ@k*r$vpS}QAj$1?8oeo<{ zQm2#O_p)^NP98KoRk^-jhYOGVSylXzwd$4#hu&Iqe-3UjJ1jew79&$tTIT^3~2TR zMiM4o$llbQ!HvV1I*piJA;^13PJ^JO-7zOg&M-BZEv9|Ckgw(kyP3CMECr=VxxCP* z%vm%8<45g-AM3nbX(rp|?kK-MDqWdm75weDg_;>iA^8~t}w&prCZq%&8K z*guI3+02V3ER6ztvqH!^4>}JW)lDS|d}crC;6!L+N2|4!TbcMtdcJ0FBP050wJ~GU zTi^uN#BxPK-SR#KZ&BDQuFa)bJ?ifVwmCMwHshZPjM*z}i!~n3POrN#@jF^ZV=UH| z*JmQTz&_cjlGw@M3YU0+hC{G*C$4ERboQrR7e|hYK%Mkghw^RtaFLddtYP%p(qMsN z#`j(BN$)xTqmzzx2C*0H4HGpjM^m-SpnX;DZC4&xrxyy3j23$|0MjSr;d*?X4eoiv zqruM#i_@;MXmV9St-P>ML;2O5Xx53X(7HP8iGrSst5j}(jrG>meBz$N*_RcanT^1t ze;`{1mo4Ds3&Lah)y4gNL0p!ylTh`AjV}u>=`tB|RtN@}&J( z9f_ZBWbt{ zzhTVk<&x}pPaW~fs5<#!Rx3Mb){;WEWaMFRaS`hUC-kZ)7Q?XeV>2Fk0ob*w*N;_eQxw#h>8`cV}>+)Gc@mrP(4M zyL0QrWi5!$M__Owk-IBn!A$P!tvS!epbEve)(Re3$+)%sj9K0=8V+bro$=jvIjUY( zmm7QiZu6>ehW`lq`a;1*S)aSwrbQbMvUDdd@O#vmX`CjHA`dzIfI#HmU0@gi)BpNk zHU#^oZq(LnS#h0YzvrdTyH*g1-Ry;H`c(=HBTw0tfe)2|=Q(s7GxQ)>NF+&y>_W*)Q75(hmA}^>bJi+n=X-c_-pM3Y+yZSEq)y>4<`h!qI%B`ijky-~)3z_ovWAWwWVltllzQ-w^Q zFRxjX;J87`W%DuN3p^*VO>bf>6)r=MsG)Ru+K#y|Dp@e@_-4tkCV(vC`%v>d?<8th zZCtM)Q3P$m@Z-sAc(ww<#8bhyN3+lMITZ%8xFniKKbb6ww+ss0gqAJ0IC6uU1(Gzq zB^EuOoe+JsY4EafFW>feIg4#M7fdZb>@!NeGs{9`9w^C*%w}^WONmb=q~EuGCJH_7 zcKA|C1-edlKQ1yX%vXG%>3i?TZL)k!G1bBzcw&yD<{!EPaBzjfRMk+Qq|cz^GxWHd z_}-%|x`nFboUiv^aU|s6FJbS&w$mQ;5pr?`#$tN2Ix{-UZGRJ^GXQok4}Y=@lq{uF zdQ<@dL#|8#zO(mL84p~!m1jb#7tYde&QfIPC?99>D#zo;8TTiBa%B=LEtUdtbiqpH zsI#!;S>&>x`s@=_U-$$qdkYuEETtao-r+`GO06#B`-L2zgWge6Is=>Nh9=f(w^_L%5eUe|^F_vp8D%UB+PaO!BBzJhsz*wl?F}G{6`G1j1-bjkvQh zg72>(pR3G85{1W[(x6a8Kj(S={1$nwWsT3GSX5e>C`kg1B{EQ?t7`4_{+2Uo3u zy4P$;zs<9gMi3(?Nd6d06y?y*`7agAe|_T7E^$|K*|KyGLu`sa9dTqgZ{hM;!q7hi z!Dc1mC-u-J*-Mtz_}GNJ*ZDfX=++!5o#$`ZBFvG#+0~hs$#pFJ;AnCw`uE7cFm&l) zK(&75>&@L8=!fksh3|e7@D~|7y}%S9w&ZIlFZ3(^Kfgq!p@hM;RBHae|Hk7G*ayhS zFTVBAPK`vO=9;nnAy|FXjsw1ove`WVOolIdq=IVHi;$acK& zz8CTz?{h_=VIg71iP#N5L+{^BAtCmon0^SH;%!i%rvNQ{(7_+RQ(c%}z3m2;QCMfv z(hrMsJvsZLL(+fw;x?q8RY_r(33<_ai3QKukvD%;12Bddkxe`K%KK>6LiXEF-qp~` zs1_`FlQhKuy#z{qICda_z}bpvc#K(z77!ossw1ZfDyMvm-B8lT;PAM$|4H_u3=-sS zD$eZ#5XE-bWNfv8V@sCL1Kbzzh8aR7ispUZ2!xJHfQ#=+^{e2Qjlbdwx^4am7>Cg{=2ifM@I}ovoNlYp5z+moF z0#M1{3(9zOd+2b+2!r9I2iVcFE1QlKZQetAn@F_PaUJD1TEu5aof9ZCsL7~0wa(be z`Y-MQv)dVVKjA5v05L!v`7{Sm7Hp(1&#Z8ZN=X?IfFzVeOd^;O7r7wzTbe#OSSiRf zH`)$xt0bP)>7-Fr@fMKs7%gJey$mLvkpYQNYrN^zbL+PTRnKvOs>=(DRGxu6$@!1? zps8kSIxhgML7NoCifu-8;T8@EggB(UqT>j_BG9YA#j+_d@@x|1QMe_8v4En5AfNDs zzdTdfBt{1S3eXK|fcHtGS)A@$Y&E>e0tf~+YMD46)1L7a>hIkqC1L@DdwtGVrx^mm zo8E%x8Ma|{(8*E?YMLQ}`*0g*M83?T73^gR=%Ydi4qwwHI2FzfHlYbMUoAEvV=^Uu zZ^4rT|3-;GNU|Gn%n;GURpr@mKF&HDYC7RB#?m4dCidY)3juOp&0~UK_#rUnw(D2> z%QjwIP+#8ltH#F{YT@3z3^3v4;Z0v&zA$4|egP@GM10W8>q_`E!5G@~u5vw8KWlzw zNL&>*aOI2-B>v(9Tyj%N+(<`!;qKkq5xjHlyLHYwUxkp#$vwik z1GoE&;e))x?ssN)5a=LfI6TxtBq7Qq>AHEhk!BRj+5Yd|{flkwmC#>}*n$2p3wQ4Y z^Y9tYPE z5dZ3e-=gucHgWM4!H~8p zz-RQk=8UtzN_Ee};uYiO9h-2aYA}a%qgWJN_&J+@GA=>&;R@AqTeFMtl!&xk56@?i zgf3A`+XKdk*#ufctR2Cbl*JSNYX=?z5Q(Ul#b%8W@s%&dTVgI*A_zAG(R8;*iibl& ziS7}ek=8@wFVeDHLD#bx;J=Bu&?hrm6m~^z@_Z4k-6^V-6w(ws1@f)&*%=w(|9hZw zK?0ESlAeuZOA*2*KS1%-mPr&~h9?hCyae!mnP2w*CRapGAC!L%BwSGKU$Rs>O^Ma8 zc1Hp5h4{hE#L+Pl@v_<$Sld(wS%MA^*30#t|b3 zoY~N2K)--;kPBrK8z5FKcI8~|uYD-{Yaf28&?~>*SpA=QLn)SL8jlih8iw`*YVr2_ zZ>^QbFZVV=oMV=!HY;zQ?|QXR@hor z#M_?}>lnu0&|&IZ4`g^+I{J3DP%I;EqC}D8I{)YxM9xvxCD+Bf6M5V3!Fi|`Zvn|i z7jrNb7}w(QC!0z?Q4#^7?7csojt0Q>9NypD)x~<5%~d_yU7NsgQlQx#7(X9EHbkxJ z%u{Rp-I#1CzAWc-Ecwwkfw?=^k_Pq}lx{Ur+{uo}HWl@KrHb-0wo@aDRLaNPZ{3jq z4Hr5?gFa9M7R&!ZNu^kB@DlWQfMe+-Y)|_JsvFu*-joi3;WIb4LH9rSNM`II!E*U} zCNS%&369Yyw3Gyr&1JR9PVw5{ZM}At>n$k&OI*iT<>ojgaD3zuo>{^;K?I0`Iz?8W zzM`YiEXIUQtw@;!P>1v{U)I%j^j&u>d8hyuKRH4ut}U++vO zR2Y3Dv*2?&J*?|!i^nzz38AmcItbu)*O9yKB=v z;-&wmFq$`j`q@pkGDWSAZk!8M1j~M){mg(o`O4ACE?87V0_5W<&DGze1Vc~Ksko1L zIJ@c&A3#1IV6Y)uy9K-fk_n~>05LP0dxLm5;mkpAWB}kSjrQ3!8R_{61-76>kvbAA zQF|XGPgV<**Yf)=AfW|Y+QTuZCNMQD)U!@vJ?L^cW>y0rC3*9paSe*L2zJ_Igtzb9 z*l>2%Cgrfqqh;(bD`ikp_YE)!^Ho)L&(6e7yEEd{<{Gd&V$UE=@>W~&r-yC^*ZW=M zw=Z9(M7cFUr#0z4Lu)pr4{-4G%EBEP4&7~gahQ@*g4!<6nRs0Xb=JS)HHbxf+5)J6 zh?P0D*;Eh6DqChwLYT_LT2qRYs2)#+${Itah0#T;V;(*NQabcMu287jVqWl~{ejw1 z$@y)a{wB~2;Ytb|yh?r>wZWDmgj*W|bsm`w(@ve$7s68@Z{~}4pz=&(uhg(nXry~F z8zG#`V=#w9mn+q;Iv^6tG?oq#W`ET4qgu^}a>@OUWj)*oukDkB?}=-{(u%{s0WdIDevDZg_(Z9pn)c8-`iT z_C#YIMSKzaE^R$OD4dJ6#y9hYzgrbT9u0rXH0s?r&np9_ICEI&+>j{JUdMYn&@o!~ zY!2AHO96%$MUyOomS-EP3G3NNZDtk5?e^MCQBr%|bK@A!et((F!LchM9ah1!7^9^a zi>nMF8K93Y7F9#Py(G1qjb$*yr>xiS?)uo-aAuIKr2nA@9&-`*3%}y%k?i+l?vtE* z>!8yHOTuC~jw8sbYI;MtJ`z3XBqb#CXx|Z?4{cXhBZ=$+geijB1ysq0yXq)-6ZG!& zyFMA1cF|H;9P{a@&dJi6X*D7Ug&xDu9CF)8XN9ec=SSo)?+a-N!74O)hWjzjp^n$f zg(aI!Q5#2MUl^IL%qV54P{37^(`pd*2#R6DP03G@JdrYMkT#kSV*F@&O zrxf#B2r1GFb7f6Nk=4|XqQe?W`ST7%zSD=pc^qRKBR8*%ym z(uYoeNb%pk=KrXoL=(LV2A(#gX!V%T={ynb$}4>*L4zHgYnr%_nq-k=pBN_Jm&kL! z!;wj1t(m$~>zvh%;=uQ}do{l?X(d0Px0SH9tT?}GXoe?q`>F*kmsNK~%!0wiVfhhJ z%(Lv1jZW?hdwq7rHLR-$UWKw~Az7QU7IA?aBBQAh^Y)Jx*-WZk6#AMK=xF63xC=NR61qV#4IG^n1SD`&tUx4G*h3?N%7EEMlY z_FAR3mk?((Vx=a;4KkkjQ;$@c$I0{g@)pyGcfBsv#UI8s&?8`u%F2C^)Cvc;oeeLd zCXF$A%g5}w<>QJDG>KmKPszxAta>Z=4oT1vyN4^8F0Yq;KvK$RHb1;5e@QS~KsmlW zO!hMQQ_wE>_!mdLdWtqg6-z?Md?d2xuzb_%cHLW3EBAUNmq@#2%q+!1`9)eg0*l#I z&MC(ah>x@c#mwy2h>qC!N&~y5(={VPm>0n_x?KSIO9EUd5Z*Mk z65i{x{MKx~PV8ekLi5OPBnczW$`aJ}z>}2NGLxieJgsnHCBObMhBIB){T|Cjkd~Q$ z(~=KTrQE}7wS5i@2F%D!jinKrEEq9Q&VzYYKM^!y#r5#Wgu>?2y%f>rabogFVjp#+ z?TB}(x$4pLP}!KZL1MTE!J=V6BvEWq{>Sx4+BL&W-N#!}3#rA2;wrf0DHl>DibMIx zk_r$1uPat2H6QU*`nqHUp3i4pT?}T0gn>Ttf3b@PG@2YxgXh+Wrj>nrr2yA_<#nS_ zXz)a}v{X^Pc-}t~+Tiv#0_t$CBvFyA+CxOzFS!^zq5u!94Mo z(~6k-z`f0h0(wlAd9N8cF?h!S!JZVWB(M8AP&~!fq%&sdU_h@@37XE7XHHdL$RDEb z9P}Iav_u|bV;?GG%)x+4C1hVMLz)U7vI1>_YrX{hY#Z4i)2_?PW-m(hV%{sxf1_rO zbdv%bj89u#lIpN#zS~;08>Ds(%&@$)WNhw*SdWV6$z5R%jLcMe|D}2IG*#l;b8qUm zkWWx&5p;+B32{AV_qw&6fOvW=v&zeBcQ>aSbVJ?WtHk#b%0kJ{%+B|JvsXMIAnRUC zJoL_?=2j?|I8?YP5wl8YmP01`B4~_2$p#S3r#BDMZdjmB{?sF_YJZ>iq~|CE?>1Jr z=6MZ45q>p+D*;lAY0UQ^6O6??EYIJ*vK}IOgBno}5v#hD{N`>PL0|KaLP7IoHk9QFZaXz3EI5QyEoUB;6Li=sHo7^o@|^Bp#P1ByeEb@QMA}w0 z2xy`^z&N0yQB~w<(6xE>qLk_%|f>3*Jrz@i(wElsE28 zBL8n3@$9LTv7nIv;=r3VpPv7Q3xDC^rNrO~B965Gk!PFoC!9KSRS5$MA(l+d0*(Kx zkG~p)wH|pvzPmOR)u&(-0+tlNlJ#Fau375OW__ULM^mN$hFUDhLAF7;YlN`G_M85x zv_!xUsee)co$mE7YIi|w?UU$iWz_zh_bkz?TVTWKEt2+VhB!kZG2485Ty)j;kko zGgCU7G#8P)tA?^4DQA;EbZ-NDlg0~~Dr~QdgB5Z&CAJg|>VOtCigwdLR`Dt3Atyw` zsSDp-#gEiIOky3(PK}PR*8Y>1sEQxy&c4VGx9bQdGS+N*HwO#ZKfY2HmHW1A-TQ8P zE>3v6O?iKDU$J`oNtbZlDbffvkHc1JU^uPs$@~-C_#NV)KAUQ5rDIseaqUbLk6pa1 zzGJtKFRw&k8RL}w6lS+1JsO)gvCmfSNEICF&Kx|05{hMwxWDcn>VLTR;&#h-ue}%w zRJpZCtK2BOYWybK=Ql%5$J(|Q)>HA;s9Y+Oz-9673`r8FJ}=1>u<+v{qui%gJYY~S zwEl2+cK11LvCCHp7U_o!o>QjyWx0JSub&K?;Sx3twm#do#$_P3hrlem7%jrz=;tph z?h0p6IXu!)cMm5(V}j$NsKgoHdNY$Hq5bjT{l#|KX`)ClVVOgBQm&IWo#ZfZBJA4d zuDN%^x+jGIKp3ZSMfoO~qWP|DS+VoxVeTwubQ{rdY?!79yv|#l2VorO#V?*F}(aY+FS@DsE6GGP$ zGcbfCTrQ^nCqr2fzfwmXl^$9N9^WJW>9!n2K=HY`gFRnqP@Nep#rK@b46_mCn*;mR zO1b=iRr-}N$~K-bf-y6Tv8pMvPuQdcS2`z;d2yso+uxvR2oj7ZCpM6E z*vME$1J%#fpMOh54=V9HXh~DK-SZ_K%yG@kGpRbi(3>15P=pNPlU0l@9X4@#h#bFf z8BB`+uYG8e-&w<@4NtbwCK=m2!A%8tO8neqpxnOw-?9kkf5s&WU9vFWlIBXSv%%@K7b`TNx)O zhfec-ne1REcxZ@ju?mLMz~Z^kpRzI@Ho%GGge1UJxmQZpuK&616QCG{awTA|?!C#ubI%Hm|9yqSKva|(5x^HHzb46XPVCkf9l*z!NAnfB3?gZlhbXfd4i1# z0MjmuHZV?#eQT$@O}7FOZVrgUWyzr%ja+}=RZ}%Rt-5=fw$u(xh9E7_5&VN?9uvcSYG7?40Nq`YCQYzDOYMZK&|Uauge$}O zHsy85qThPe(3mb4GVOK9>Za$YxNvs_)bee*()#;Rz!o~PB-426l7i-UO9D*|R>Sl= zfAZHhY#cLd1duwt@C*tLRcLE{S$IFX(v?NIS&pRlfa9vN^7SSZ--4xJX-6T{`R$bV zd1$h=3RVX~TI?U3jwYHvi+4#|3AywA{g7{QuR{(8tg83=KtmU=&I76ATesOnrPyljT~ EUl$_QPyhe` diff --git a/versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP6/README.md b/versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP6/README.md deleted file mode 100644 index edf52a6c..00000000 --- a/versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP6/README.md +++ /dev/null @@ -1,123 +0,0 @@ ---- -slug: /MEP-6-dmz-networks -title: MEP-6 -sidebar_position: 6 ---- - -# DMZ Networks - -## Reasoning - -To fulfill higher levels of security measures the standard metal-stack approach with a single firewall in front of a set of machines might be insufficient. -There are cases where two physically distinct firewalls in front of application workload are mandatory. In traditional network terms this is known as DMZ approach. - -For Kubernetes workloads it makes sense to use the front cluster for ingress, WAF purposes and as outgoing proxy. The clusters may be used for application workload. - -## DMZ network - -- Use a separate DMZ network prefix for every tenant -- This is used as intermediate network btw. private networks of a tenant and the internet -- For every partition a distinct DMZ firewall/cluster is needed for a tenant -- For Gardener orchestrated Kubernetes clusters this network must be a publicly reachable internet prefix because shoot clusters need a vpn service that is used for instrumentation from the seed cluster - this will be a requirement as long as the inverse vpn tunnel feature Konnectivity is not available to us. - -## Approach 1: DMZ with publicly reachable internet prefix - -![DMZ Internet](dmz-internet_public.svg) - -A DMZ network with publicly reachable internet prefix will look like this in the metal-api: - -```yaml ---- -description: DMZ-Network -destinationprefixes: - - 0.0.0.0/0 -id: dmz -labels: - network.metal-stack.io/default-external: "" -name: DMZ-Network -parentnetworkid: null -partitionid: "" -prefixes: - - 212.90.30.128/25 -privatesuper: false -projectid: "" -vrf: 104007 -vrfshared: false -nat: true -shared: false -underlay: false -``` - -### DMZ firewall - -The firewall of the DMZ will intersect its private network for attached machines, the DMZ network and the public internet. - -- The private network of the project needs to import - - the default route from the internet network - - the DMZ network -- The internet network must import the DMZ network -- The DMZ network provides the default route for tenant's clusters in a partition. It imports the default route from the internet network - -### Application Firewall - -The firewall of application workloads intersects its private network for attached machines and the DMZ network. - -This is currently supported by the metal-networker and needs no further changes! - -## Approach 2: DMZ with private IPs - -![DMZ Internet](dmz-internet_private.svg) - -A DMZ network with private IPs will look like this in the metal-api: - -```yaml ---- -description: DMZ-Network -destinationprefixes: - - 0.0.0.0/0 -id: dmz -labels: - network.metal-stack.io/default-external: "" -name: DMZ-Network -parentnetworkid: tenant-super-network-fra-equ01 -partitionid: fra-equ01 -prefixes: - - 10.90.30.128/25 -privatesuper: false -projectid: "" -vrf: 4711 -vrfshared: false -nat: true -shared: true # it's usable from multiple projects -underlay: false -``` - -### DMZ firewall - -The firewall of the DMZ will intersect its private network for attached machines, the DMZ network and the public internet. - -- The private network of the project needs to import - - the default route from the internet network - - the DMZ network -- The internet network must import the DMZ network (only locally, no-export) -- The DMZ network provides the default route for tenant's clusters in a partition. It imports the default route from the internet network - -### Application Firewall - -The firewall of application workloads intersects its private network for attached machines and the DMZ network. - -## Code Changes / Implications - -- `metal-networker` and `metal-ccm` assume that there is only one network providing the default-route -- `metal-networker` needs to - - import the default route from the internet network to the dmz network (DMZ Firewall) - - import the DMZ network to the internet network and adjusting NAT rules (DMZ Firewall) - - import destination prefixes of the DMZ network to the private primary network (DMZ Firewall, Application Firewall) - - import DMZ-IPs of the private primary network to the DMZ network (DMZ Firewall, Application Firewall) -- `metal-api`: destination prefixes of private networks need to be configurable (`allocateNetwork`) -- `gardener-extension-provider-metal`: needs to be able to delete DMZ clusters (but skip the network deletion part) -- the application firewall is not publicly reachable - for debugging purposes a hop over the DMZ firewall is needed - -## Decision - -We decided to follow the second approach with private DMZ networks. diff --git a/versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP6/dmz-internet_private.drawio b/versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP6/dmz-internet_private.drawio deleted file mode 100644 index 7b83bbfc..00000000 --- a/versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP6/dmz-internet_private.drawio +++ /dev/null @@ -1,178 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - \ No newline at end of file diff --git a/versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP6/dmz-internet_private.svg b/versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP6/dmz-internet_private.svg deleted file mode 100644 index f5e58204..00000000 --- a/versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP6/dmz-internet_private.svg +++ /dev/null @@ -1,3 +0,0 @@ -
Machine
Machine
Firewall DMZ
Firewall DMZ
DMZ VRF
DMZ VRF
Machine
Machine
Firewall A
Firewall A
Private VRF A
Private VRF A
10.0.0.2
10.90.30.129
/0 via Firewall A
10.0.0.2...
VRF A 10.0.0.1
VRF A 10.0.0.1
DMZ Network
10.90.30.128/25
DMZ Network...
Private Network
10.0.0.0/24
Private Network...
import /0
import /0
import 10.0.0.0/24
import 10.0.0.0/24 -
Machine
Machine
Firewall B
Firewall B
Private VRF B
Private VRF B
10.0.1.2
/0 via Firewall B
10.0.1.2...
VRF B 10.0.1.1
VRF B 10.0.1.1
Private Network
10.0.1.0/24
Private Network...
import /0
import /0
import 10.0.1.0/24
import 10.0.1.0/24 -
10.90.30.129 is reachable
/0 via Firewall DMZ
10.0.0.0/24 is reachable
10.0.1.0/24 is reachable
10.90.30.129 is reachable...
Internet
212.1.1.0/27
Internet...
SNAT to 212.1.1.1
SNAT to 212.1.1.1
Internet VRF
Internet VRF
import /0
import /0

import 10.0.0.0/24 no export
import 10.0.1.0/24 no export
import 10.90.30.128/25 no export
import 10.0.0.0/24 no exp...Viewer does not support full SVG 1.1 \ No newline at end of file diff --git a/versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP6/dmz-internet_public.drawio b/versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP6/dmz-internet_public.drawio deleted file mode 100644 index 544939e5..00000000 --- a/versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP6/dmz-internet_public.drawio +++ /dev/null @@ -1,184 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - \ No newline at end of file diff --git a/versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP6/dmz-internet_public.svg b/versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP6/dmz-internet_public.svg deleted file mode 100644 index 5e825081..00000000 --- a/versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP6/dmz-internet_public.svg +++ /dev/null @@ -1,3 +0,0 @@ -
Machine
Machine
Firewall DMZ
Firewall DMZ
DMZ VRF
DMZ VRF
Machine
Machine
Firewall A
Firewall A
Private VRF A
Private VRF A
10.0.0.2
212.1.2.3
/0 via Firewall A
10.0.0.2...
VRF A 10.0.0.1
VRF A 10.0.0.1
DMZ Network
212.1.2.0/27
DMZ Network...
Private Network
10.0.0.0/24
Private Network...
import /0
import /0
import 10.0.0.0/24
import 10.0.0.0/24 -
Machine
Machine
Firewall B
Firewall B
Private VRF B
Private VRF B
10.0.1.2
/0 via Firewall B
10.0.1.2...
VRF B 10.0.1.1
VRF B 10.0.1.1
Private Network
10.0.1.0/24
Private Network...
import /0
import /0
import 10.0.1.0/24
import 10.0.1.0/24 -
212.1.2.3 is reachable
/0 via Firewall DMZ
212.1.2.3 is reachable...
Internet
212.1.1.0/27 212.1.2.0/27
Internet...
SNAT to 212.1.1.1
SNAT to 212.1.1.1
Internet VRF
Internet VRF
import /0
import /0
import 212.1.2.0/27
import 10.0.0.0/24 no redistribute
import 10.0.1.0/24 no redistribute

import 212.1.2.0/27...
SNAT to
212.1.2.1
SNAT to...
SNAT to
212.1.2.2
SNAT to...Viewer does not support full SVG 1.1 \ No newline at end of file diff --git a/versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP8/README.md b/versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP8/README.md deleted file mode 100644 index 14748fae..00000000 --- a/versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP8/README.md +++ /dev/null @@ -1,503 +0,0 @@ ---- -slug: /MEP-7-configurable-filesystem-layout-for-machine-allocation -title: MEP-7 -sidebar_position: 7 ---- - -# Configurable Filesystem layout for Machine Allocation - -The current implementation uses a hard coded filesystem layout depending on the specified size and image. This is done in the metal-hammer. This worked well in the past because we had a small amount of sizes and images. But we reached a point where this is to restricted for all use cases we have to fulfill. It also forces us to modify the metal-hammer source code to support a new filesystem layout. - -This proposal tries to address this issue by introducing a filesystem layout struct in the metal-api which is then configurable per machine allocation. -The original behavior of automatic filesystem layout decision must still be present, because there must be no API change for existing API consumers. It should be a additional feature during machine allocation. - -## API and behavior - -The API will get a new endpoint `filesystemlayouts`to create/update/delete a set of available `filesystemlayouts`. - -### Constraints - -In order to keep the actual machine allocation api compatible, there must be no difference while allocating a machine. To achieve this every -`filesystemlayout` defines constraints which specifies for which combination of `sizes` and `images` this layout should be used by default. -The specified constraints over all `filesystemlayouts` therefore must be collision free, to be more specific, there must be exactly one layout outcome -for every possible combination of `sizes` and `images`. - -The `size` constraint must be a list of the exact size ids, the `image` constraint must be a map of os to semver compatible version constraint. For example: - -- `debian: ">= 10.20210101"` or `debian: "< 10.20210101"` - -The general form of a `image` constraint is a map from `os` to `versionconstraint` where: - -`os` must match the first part of the image without the version. -`versionconstraint` must be the comparator, a space and the version, or simply `*` to match all versions of this `os`. -The comparator must be one of: "=", "!=", ">", "<", ">=", "=>", "<=", "=<", "~", "~>", "^" - -It must also be possible to have a `filesystemlayout` in development or for other special purposes, which can be specified during the machine allocation. -To have such a layout, both constraints `sizes` and `images`must be empty list. - -### Reinstall - -The current reinstall implementation the metal-hammer detects during the installation on which disk the OS was installed and reports back to the metal-api the Report struct which has two properties `primarydisk` and `ospartition`. -Both fields are not required anymore because the logic is now shifted to the `filesystemlayout` definition. If `Disk.WipeOnReinstall` is set to true, this disk will be wiped, default is false and is preserved. - -### Handling of s2-xlarge machines - -These machines are a bit special compared to our `c1-*` machines because they have rotating hard disks for the mass storage purpose. -The downside is that the on board SATA-DOM has the same naming as the HDDs and can not be specified as the first /dev/sda disk because all HDDs are also /dev/sd\* disks. -Therefore we had a special SATA-DOM detection algorithm inside metal-hammer which simply checks for the smallest /dev/sd disk and took this to install the OS. - -This is not possible with the current approach, but we figured out that the SATA-DOM is always `/dev/sde`. So we can create a special `filesystemlayout` where the installations is made on this disk. - -### Possible Filesystemlayout hierarchies - -It is only possible to create a filesystem on top of a block device. The creation of a block device can be done on multiple ways, depending on the requirements regarding performance, space and redundancy of the filesystem. -It also depends on the disks available on the server. - -The current approach implements the following hierarchies: - -![filesystems](filesystems.png) - -### Implementation - -```go -// FilesystemLayout to be created on the given machine -type FilesystemLayout struct { - // ID unique layout identifier - ID string - // Description is human readable - Description string - // Filesystems to create on the server - Filesystems []Filesystem - // Disks to configure in the server with their partitions - Disks []Disk - // Raid if not empty, create raid arrays out of the individual disks, to place filesystems onto - Raid []Raid - // VolumeGroups to create - VolumeGroups []VolumeGroup - // LogicalVolumes to create on top of VolumeGroups - LogicalVolumes []LogicalVolume - // Constraints which must match to select this Layout - Constraints FilesystemLayoutConstraints -} - -type FilesystemLayoutConstraints struct { - // Sizes defines the list of sizes this layout applies to - Sizes []string - // Images defines a map from os to versionconstraint - // the combination of os and versionconstraint per size must be conflict free over all filesystemlayouts - Images map[string]string -} - -type RaidLevel string -type Format string -type GPTType string - -// Filesystem defines a single filesystem to be mounted -type Filesystem struct { - // Path defines the mountpoint, if nil, it will not be mounted - Path *string - // Device where the filesystem is created on, must be the full device path seen by the OS - Device string - // Format is the type of filesystem should be created - Format Format - // Label is optional enhances readability - Label *string - // MountOptions which might be required - MountOptions []string - // CreateOptions during filesystem creation - CreateOptions []string -} - -// Disk represents a single block device visible from the OS, required -type Disk struct { - // Device is the full device path - Device string - // Partitions to create on this device - Partitions []Partition - // WipeOnReinstall, if set to true the whole disk will be erased if reinstall happens - // during fresh install all disks are wiped - WipeOnReinstall bool -} - -// Raid is optional, if given the devices must match. -// TODO inherit GPTType from underlay device ? -type Raid struct { - // ArrayName of the raid device, most often this will be /dev/md0 and so forth - ArrayName string - // Devices the devices to form a raid device - Devices []Device - // Level the raidlevel to use, can be one of 0,1,5,10 - // TODO what should be support - Level RaidLevel - // CreateOptions required during raid creation, example: --metadata=1.0 for uefi boot partition - CreateOptions []string - // Spares defaults to 0 - Spares int -} - - -// VolumeGroup is optional, if given the devices must match. -type VolumeGroup struct { - // Name of the volumegroup without the /dev prefix - Name string - // Devices the devices to form a volumegroup device - Devices []string - // Tags to attach to the volumegroup - Tags []string -} - -// LogicalVolume is a block devices created with lvm on top of a volumegroup -type LogicalVolume struct { - // Name the name of the logical volume, without /dev prefix, will be accessible at /dev/vgname/lvname - Name string - // VolumeGroup the name of the volumegroup - VolumeGroup string - // Size of this LV in mebibytes (MiB) - Size uint64 - // LVMType can be either striped or raid1 - LVMType LVMType -} - -// Partition is a single partition on a device, only GPT partition types are supported -type Partition struct { - // Number of this partition, will be added to the device once partitioned - Number int - // Label to enhance readability - Label *string - // Size given in MebiBytes (MiB) - // if "0" is given the rest of the device will be used, this requires Number to be the highest in this partition - Size string - // GPTType defines the GPT partition type - GPTType *GPTType -} - -const ( - // VFAT is used for the UEFI boot partition - VFAT = Format("vfat") - // EXT3 is usually only used for /boot - EXT3 = Format("ext3") - // EXT4 is the default fs - EXT4 = Format("ext4") - // SWAP is for the swap partition - SWAP = Format("swap") - // None - NONE = Format("none") - - // GPTBoot EFI Boot Partition - GPTBoot = GPTType("ef00") - // GPTLinux Linux Partition - GPTLinux = GPTType("8300") - // GPTLinuxRaid Linux Raid Partition - GPTLinuxRaid = GPTType("fd00") - // GPTLinux Linux Partition - GPTLinuxLVM = GPTType("8e00") - - // LVMTypeLinear append across all physical volumes - LVMTypeLinear = LVMType("linear") - // LVMTypeStriped stripe across all physical volumes - LVMTypeStriped = LVMType("striped") - // LVMTypeStripe mirror with raid across all physical volumes - LVMTypeRaid1 = LVMType("raid1") -) -``` - -Example `metalctl` outputs: - -```bash -$ metalctl filesystemlayouts ls -ID DESCRIPTION SIZES IMAGES -default default fs layout c1-large-x86, c1-xlarge-x86 debian >=10, ubuntu >=20.04, centos >=7 -ceph fs layout for ceph s2-large-x86, s2-xlarge-x86 debian >=10, ubuntu >=20.04 -firewall firewall fs layout c1-large-x86, c1-xlarge-x86 firewall >=2 -storage storage fs layout s3-large-x86 centos >=7 -s3 storage fs layout s2-xlarge-x86 debian >=10, ubuntu >=20.04, >=firewall-2 -default-devel devel fs layout -``` - -The `default` layout reflects what is actually implemented in metal-hammer to guarantee backward compatibility. - -```yaml ---- -id: default -constraints: - sizes: - - c1-large-x86 - - c1-xlarge-x86 - images: - debian: ">=10" - ubuntu: ">=20.04" - centos: ">=7" -filesystems: - - path: "/boot/efi" - device: "/dev/sda1" - format: "vfat" - options: "-F 32" - label: "efi" # required to be compatible with old images - - path: "/" - device: "/dev/sda2" - format: "ext4" - label: "root" # required to be compatible with old images - - path: "/var/lib" - device: "/dev/sda3" - format: "ext4" - label: "varlib" # required to be compatible with old images - - path: "/tmp" - device: "tmpfs" - format: "tmpfs" - mountoptions: - [ - "defaults", - "noatime", - "nosuid", - "nodev", - "noexec", - "mode=1777", - "size=512M", - ] -disks: - - device: "/dev/sda" - wipe: true - partitions: - - number: 1 - label: "efi" - size: 500 - type: GPTBoot - - number: 2 - label: "root" - size: 5000 - type: GPTLinux - - number: 3 - label: "varlib" - size: 0 # to end of partition - type: GPTLinux -``` - -The `firewall` layout reuses the built in nvme disk to store the logs, which is way faster and larger than what the sata-dom ssd provides. - -```yaml ---- -id: firewall -constraints: - sizes: - - c1-large-x86 - - c1-xlarge-x86 - images: - firewall: ">=2" -filesystems: - - path: "/boot/efi" - device: "/dev/sda1" - format: "vfat" - options: "-F 32" - - path: "/" - device: "/dev/sda2" - format: "ext4" - - path: "/var" - device: "/dev/nvme0n1p1" - format: "ext4" -disks: - - device: "/dev/sda" - wipe: true - partitions: - - number: 1 - label: "efi" - size: 500 - type: GPTBoot - - number: 2 - label: "root" - size: 5000 - type: GPTLinux - - device: "/dev/nvme0n1" - wipe: true - partitions: - - number: 1 - label: "var" - size: 0 - type: GPTLinux -``` - -The `storage` layout will be used for the storage servers, which must have mirrored boot disks. - -```yaml ---- -id: storage -constraints: - sizes: - - s3-large-x86 - images: - centos: ">=7" -filesystems: - - path: "/boot/efi" - device: "/dev/md1" - format: "vfat" - options: "-F32" - - path: "/" - device: "/dev/md2" - format: "ext4" -disks: - - device: "/dev/sda" - wipe: true - partitions: - - number: 1 - label: "efi" - size: 500 - type: GPTLinuxRaid - - number: 2 - label: "root" - size: 5000 - type: GPTLinuxRaid - - device: "/dev/sdb" - wipe: true - partitions: - - number: 1 - label: "efi" - size: 500 - type: GPTLinuxRaid - - number: 2 - label: "root" - size: 5000 - type: GPTLinuxRaid -raid: - - name: "/dev/md1" - level: 1 - devices: - - "/dev/sda1" - - "/dev/sdb1" - options: "--metadata=1.0" - - name: "/dev/md2" - level: 1 - devices: - - "/dev/sda2" - - "/dev/sdb2" - options: "--metadata=1.0" -``` - -The `s3-storage` layout matches the special situation on the s2-xlarge machines. - -```yaml ---- -id: s3-storage -constraints: - sizes: - - c1-large-x86 - - s2-xlarge-x86 - images: - debian: ">=10" - ubuntu: ">=20.04" - centos: ">=7" -filesystems: - - path: "/boot/efi" - device: "/dev/sde1" - format: "vfat" - options: "-F 32" - - path: "/" - device: "/dev/sde2" - format: "ext4" - - path: "/var/lib" - device: "/dev/sde3" - format: "ext4" -disks: - - device: "/dev/sde" - wipe: true - partitions: - - number: 1 - label: "efi" - size: 500 - type: GPTBoot - - number: 2 - label: "root" - size: 5000 - type: GPTLinux - - number: 3 - label: "varlib" - size: 0 # to end of partition - type: GPTLinux -``` - -A sample `lvm` layout which puts `/var/lib` as stripe on the nvme device - -```yaml ---- -id: lvm -description: "lvm layout" -constraints: - size: - - s2-xlarge-x86 - images: - debian: ">=10" - ubuntu: ">=20.04" - centos: ">=7" -filesystems: - - path: "/boot/efi" - device: "/dev/sda1" - format: "vfat" - createoptions: - - "-F 32" - label: "efi" - - path: "/" - device: "/dev/sda2" - format: "ext4" - label: "root" - - path: "/var/lib" - device: "/dev/vg00/varlib" - format: "ext4" - label: "varlib" - - path: "/tmp" - device: "tmpfs" - format: "tmpfs" - mountoptions: - [ - "defaults", - "noatime", - "nosuid", - "nodev", - "noexec", - "mode=1777", - "size=512M", - ] -volumegroups: - - name: "vg00" - devices: - - "/dev/nvmne0n1" - - "/dev/nvmne0n2" -logicalvolumes: - - name: "varlib" - volumegroup: "vg00" - size: 200 - lvmtype: "striped" -disks: - - device: "/dev/sda" - wipeonreinstall: true - partitions: - - number: 1 - label: "efi" - size: 500 - gpttype: "ef00" - - number: 2 - label: "root" - size: 5000 - gpttype: "8300" - - device: "/dev/nvmne0n1" - wipeonreinstall: false - - device: "/dev/nvmne0n2" - wipeonreinstall: false -``` - -## Components which requires modifications - -- metal-hammer: - - change implementation from build in hard coded logic - - move logic to create fstab from install.sh to metal-hammer -- metal-api: - - new endpoint `filesystemlayouts` - - add optional spec of `filesystemlayout` during `allocation` with validation if given `filesystemlayout` is possible on given size. - - add `allocation.filesystemlayout` in the response, based on either the specified `filesystemlayout` or the calculated one. - - implement `filesystemlayouts` validation for: - - matching to disks in the size - - no overlapping with the sizes/imagefilter specified in `filesystemlayouts` - - all devices specified exists from top to bottom (fs -> disks -> device || fs -> raid -> devices) -- metalctl: - - implement `filesystemlayouts` -- metal-go: - - adopt api changes -- metal-images: - - install mdadm for raid support diff --git a/versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP8/filesystems.drawio b/versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP8/filesystems.drawio deleted file mode 100644 index 0f0c6ab5..00000000 --- a/versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP8/filesystems.drawio +++ /dev/null @@ -1,43 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - \ No newline at end of file diff --git a/versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP8/filesystems.png b/versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP8/filesystems.png deleted file mode 100644 index 6d903b7ec9c8c069383846912f136127e54a371a..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 24073 zcmeFZby!u=x-L#hh|(!8>F#a`7bPK}z(SNxX;_4mQqoJ17DPZ05hO&qI|Uaa-67r5 z^&89BXP>?I+4ubJJ@@YO$9W!}^{hFWbIdWm`He5$@BLPoriRkh%hxWWp`l$>QHE-x zpqhg(zfK4W^8GqtXklJGhP0zdvc_=-^;s2LE>#nz*<)di?v#EFJBBukrU_PGA}T?k3cUyJjYK ze}7ib#vE?_`&xbx@n6e8U9N0lV`csO(P9F>C1r2&=i=WhakVxvcl7vm|IbrD<>un( z2<}w)`ATkC*r8pRS{w8`uE?B6dLL z@}@vuB37txU`%rhcktiNecgsBnAH*|CJ;K{*fd_{tG1edn^2v%4wSb z?H1sJTDaQ)?fH+zXm9@e@&7_46yp0mhd-w4ABc|s&$+)=!v6}ZQFmOY=3t0f3?7V+vC5|HBA#2xDDLK(czyhyKIf97y(GEL_pQF?>RQ_UvB?SN#8$KK@?*U&$6_`2M*_UClwr@*j%S z)!gh~F4Di#*MA_=Kd1i7x47W1<^PpP|6&^dmva4Qx(WpQuQ#3|e`7rVk+S|@GoC_! zC)xjuvVsWcpC~H`i~hy?|8E1Ie`H+$uPN*AeDQxrS^ueFbv3v6*DLE^l=HWz|3{Mj zFH%3z;>cSE%T~h! z@Q5)P0;sh3&{!hh4PANn)KpQfAUp}zl8lTLyN9ha2pwxd&=`^Aiou9YMDB`pkL+lu z+B$ce-kH;X(pQ-oSWY^Yh$O+^k!&nT(KL4h1ZzEb33-4mjR@D2w*% z5K0HZAb~79>9RA>VW9q^AA{rMO$>}*hjbXrMA1viAtkqoe?8p4hctSr!-tXx?ay37 zoRqoDMkIPfv%8A+U;P z`1yP~jAT}De8fYC_Gd-}=wS%BSRUE$2X;t-;~o!m^xxv}hvO>4vzqm@|2*(Jo-*9L z4j=c|^Z!Q#Kra7zEhwV$ufI4S<1QW0E^wHrLQo=A*GEfT@4i)Y?&htpIhhV59FL?H ze6TrLJMqcpt9FLx{)koe{`y$;g!>qG%+C4IBJEI>o9)5=m}50_0*t|h+R(2#gwVtH z_y@m6;zRf3Vj4lqNCU6s>?o7DwkXEL>?=SCGKr&?Lfh_mM93nsq>$SqRXr3*pVf^!TBV z7OEcWr9)Nmy7xO@J^r5TuruFjDXs6j_s!n)$$X5`xZBXf#k42qkE_pj`(!)}9BWH` zk6yd>ibp(@F=@i`I9|@F79NB(KXm;p?6COCgMiDim0S`# zweMipwD@C+g4{F>@ddK-IfP`DMw@AV$2J~d5Q%(lLYdQ| zleyypC?XP6E{9Ph32e(c!-qg8=N$t><%j@?`>tlw~`*;drc z(SUe#GA9mW`D|1!R@s-0wE1qgQaXTB@Wt0p>c(8Uxz&Y)YzKR!kLF_?-b9HApl=Tu zJ*j;2{HDa>p7&aD$gY7zKo^aqd%pBkcB0`5LV6$O@l{zf;gVEO)TS)J~@8)Qfs={=urUUTR__n=+bZWi!)TE-Wi}x2O!6UB;ch&Cp zO0pCjRwvSCGAP4So!h8cMBd(c?XXY-UVXvi-R}yeDGns)#B3<*v%Ln-!G$ttMrNBG zOn8)smB
xw+)D(Mjrp)Vmc+ZeAb<7x_eF6=MlG%YLYI4L!@ShPQCJLX3mr2J*i z4@rFQMiVY_d(wNeQh4aWSLyS^xec%YcgNbjg!nKto6%3X`s$})tHq|q8L$ec3|nMo zFpa1~s)756#lswpS8AX5*i5+T@0>@)e-EMc<8uyJq9cS7cD|;ih^9mGd+*x~6`9nRyZ-FdhKI`4MZ*{0oB=sC@Sc= zXt$eHVtCHKh9R-c-PfwyKWK)pb%Yi+UO;{4=81<%8(B=Ud-5|)Pv)&T`mHaV{zOx5|?hcUgA z$|r3NMXZ;N^`?bMvt45@`lpGM1I}ou+Vt1hJ0iXUyjVrM7wo zEVI-qf>yn7oa;_c@d#ETN-cgYAz3sFs#e}}s4DH9?t~#25n@fwXMHjkc6%x-=7_3t zARs^BMOWwMQOK{oTvy?LF2KOQv_=ycn)2j9qlyI^f#EZN8($8-MnnAD6waf-3^+!TKK z)bxAc_1so4TnPW|g4=+HG|z9;dHCCfvXKK9svVBjuQT73jb|i zglzm$2dwrluad~0gy=BQ)nTS77++Nr{+Ke1fi!V;O!+k2Dn~L9@10SuN2u%q$(Nnm zX=PuhDL$A*7zz1RNs6NHaqe9qe)j;pcoIn1o}oHHSjJ~~+lpSYgP%@a6WC13aHhdv zVR5EsB44TVj4Y~-bdD~A(2O1#1EU zs`yyvZHiHRq0_Iy-Aw*x@c)!pvKS;pCOyp#kV>?bAarVS5`Hw$0eL(hv(Y2i2X|W? zbStdge<`_?9yksnoa>>xAG>*6X??c*K}4nYsAKNhc-_UhclpZuyehA~m64Lz%}043 zz8~+e+sc^qv%dD3#U{M52AoEjLdB)Cn`)EJMl_W56|Xt<{0_!lpRW#nNHKW45TAE` z3T#=$L-&!^s2kFw-1VnB{?B6yFF^QngxIg&>EfiUyeO#Na6y^Gy(j%IRC$)mru@7; zP(g$H`Y5^1g8by0OaY#f6pmb@cxnmnR1nH_w;>;TOb92m&rKNHIgEa?SvvKUsXITm zMa5mZ6OvZF*N3uHNDr3YJg@ptKIs)Bbuj7ec(D28VhngEUMu~|9sD!RDtax9+%N)( zTZ_G~J_x8qhd|tuZbkB?Uu?J2ZsZl#xvb`wXndf6puCWQb1V4=gk#;&TXk!X$;UZk z_T>|o9p-`L#$UM&>TiGm<$jRCmreX$F@Jnc8y8u4gBzHa4wE%6_IFG|sV}d*R&xD= zcJ`)xG6U;t_XZ6THeWwEUv{Wmpb#}~Ks#uoajZZEQSb<|og2ZupRPE*%ktBCc4$fo z@zE4;XH0E=OBdrb?%ZB^w7WQVI-Sj1ci2?==v$XB2$FT?toL@9B$~=(kB1VWa7}dy z4#-l9W1aJB-+le~>_E8-Ac-=9_Qdaatf|vp`)kXm35c2IkZNK^#R{bxk6Xx`wb=_A zKbOD{6>$1c{;axof3*AF2?(9nZ}=UWkdmA}0P*X7dB&}fs>L+#UY6!E`>`qzQGWUS zQn=e~Z5a8=XQ#6b<=kEEM?dMW9l#Lh=O>QUh{9(QZYves<>UQzReCU!OWw}UK_DmU zwsKF@tnJEBwTB}roNa$5$m3Tmt(g|-5{9@Vb2fkq$qSxboVQ`GVx4UPKkhQ+d+@4Q zaxPMkqFC&6ifEtT#cTv`m5#1{s~=UgtG>i(X0!LFTLj`QT>cN9^JP1p9%oAtM*KiV5ik`#mqCB{7sYix3v9MBI8cC4o)`f zt8e-q55opPFm_^W?gOIml+Tx!^d%G#*O!5Z=OCqnxf1tBBIV``qLq!+#w=6p*UaFR z3kiZ4Fm$jlR7D>Ruu=X#69terw9=90X}bYtnOPmOQ4BSy%cG zx98Sh%1q zP_7GS$X&tMhys* zMIK9?td-~_5Y&rLI4*BpoCo0Z@a1((cud*zLSk9v=Yi&aaw)8sz3efdr9{1YRb;r~ zY^#}2hxhS-9zBnr*6TOXC&ZAG_43zwM)h^uCjHNFNTqZMMk5ypu`^1C49B3OUaKFh z0-mDx8{9B=^1V1am@13g_tMblC0R{le@i=gzM>#W^A4ibDYZkNtw@StVd)ja?l+ zO{sy_UNgaz;{liOACy>rwo82_=}~YNb)n?ca4Cg7;^s=%@;}>Qon1&t4msLi)QkcE={Zpo}RrC1JT0 zgsFN5SlAl%b2W|{Xw8qwEFvbJ06!28d!Jxfa>qf_xTqV5k=q;9n^oUGr;JS9@W*8lpZZ&fKCCZGLk`G9@tH(iJ627i&m z7etsah0Ej+ScNBR(W5UH#5WC(j}~9s(^>HuCdu%!nG72~< z@jJuA$36S(xNIERB#~r0_3+DK!X3C;su;2hWYbn_jIqT;=+T?vM-?1U_!hx-KGRLR z5vAGMH@L(r4b^>0BiC&6wOZ%K9P5R*{rR*w5VBxv#71Tpq2DiIcmAj~2+Q z%Jx8YvF+4t)Fx--1-{X_N=gv$dI1S~H7vKxi^7OWY2Qk+h>Aq)TY0@ z8ca6KHtO9-Ai$>2zhQWx056go9jg!WoUtv`MEZ9qS{HqKW)YAr#QQl-dQ7D1<58TS zTpg^f$cYYqN>M-nk*K&uC_Uh(e5HlyT)ht0o5bkD0P$U~?5x`>dJ7#w%J45C!v-xl zX^B*3`c=)>!b>q%xx%(X&%aYbJjR_v@a{X(Vq-j8AZpu9-{yY3Bulg_H*X{{FWr5R z3X=y~Ws&3&q<%Wz>fP+!Llr{RUNsX&knpM2%R4jhAk7{PHd-6xDeu(LujSLn6SkC& zq(0@t-?dnzVsy=j0fuB4;$koDK_+H# zyO&6}0qiZ+JJ>T*eGJaP@(2EWTTmQKK^nQ4&m>nZt%HozGXrh)bJ{o*su`J!g#5wAgndoJXjrJR4Y5{KeBg7LHnt!MZEm63_L0mClF z*r9LmZobLRmC|bWGO8NFDO^7Q#eqC)934wwh1g;TL;TqtUD zq33&;RqfZ!zp#EExe=5ki-IDi05 zbn!%Dyl8Hn`I6;9R-3u(qYrr#$goZJg<^&ynk}`CC2dDxnx2j|s9e_eF1GoL3+YT+ z^6sJ2cvfVKA&Q|k$&!OxS zGyRn3^7(~6Xr?BXO;$Dpt87N6b}I*tObfnSSo^>S+ic>PJ^pgormeBZSmKue;~4IC z2C!I4cB`sf-!dgXSKk)FRvkkXHE;0`3JwXPJ(!E9;_>yP2Obk{`)M5Hcj(BGTBmdI z`x;jrkcWTCQu2OyV;dc%GMFS&$TbPj>7qH_xqo~oi-a>CB*ke7sFcRw=fwt@Zyp?@ z(c~1%mPoa0Pxnf0+EH9hkc@-UT|o~c2t)9lF%OiIKr)<`XE8upM2>qqF-(@4Bzg(J z+xZ5MT$HcazZKN2?}G2WSW zBhY#sKQVXR%p3UDJcfhsdH6RjIdg7aqRh*kOzmr@CvcX`%zAg48TYECc41&DZ>Vo7 zXKS*9_}29&#DzE)v}ri~OchzLtn63yRCYNR{b))zf*=j6A1Q?d*M^e{eJ-{QHeq}l z_)gs$;uI0br}{NAFP73X#6uoVFx%Zj`WIsMDwA%#|3c=*(5Isj*T`)I$-K$Q5U@K} zIevBVy%JFQ5ZekY7Dv-(L{E8chd1%wu2h*Y&^VJ;hEKo7%s?a>FnpW!MyKU5M9a$> z&PsMf&7|blOgwQcdv>IJ!p(|ZKLRRe z{K-O$(-;{MmLC8(DndW|=~`K+Qr4{nqm;p_6sky`)9BAGkuFpXQ=S-$+uaY>Lbl~Q@xzkHD6~=ndHva zGxgg_f+0b8HVoUwA5Evkc1_JydZ8q7)te!+S&5@d>ZF^LzV`!s=|#*!4B zl0HDsC{s$Xje}e<-5M!}LvKuQm5NNCbg0sV(W2kk$+g!Uq$782A7E?bW2TiWj_1r} z6Y!?M30U+t8e6&R&I1{)Q9PS}q6g$uBcXYbZq@qAL6hv(_yx(2t6$mnnwUju_+xhk z==Pl+ex48TQ0?u#%VKyx%%b^%G&&3~TwtpuWU0ZP|KbiEBguORzXwu*Qb#BC)R+Ug zU0)Zi_+-i?1kzJI2lAvxvoFfz;nSZf38O2LSl(WqgajTBgc38VY3>-27&;Ks{K&q& zBk^+cVbqS{GYBTf*|E^EeTs5;|EEQVGTBQ|A-Ai9sydql(p=WyJAK z4almoA!OKC`)YW8r!WxJP6wN5-4EDnvsy%hTv8vE(@_;`Kdao6ngz;&<|v^8-(+(j zsliAyBxg8eoNB37g3lR8nv=&ZFq2A~b=-upf(Wf9PEB5H*#JdUOuH=bBjWi^b*wAz%g!#K(pF9SD&sx22Ups?1KV3?XqHZDn=ELl@{tQhn z^lSOf9{ceVH)JEFqy5N`)|xl<{#oJGp`34ycy!8K6al&T{=PgfrCL(b6BPzSmyn7-X4yM~msz7t{<_G2X|M;D87Ghh2NRyYY{ zO|M~e`sy>e7-8pl8WC-l#=Io+5zblPT;khFFp8wF1UC3@{uX8ytmj=K% zW(2=SO9NI+K#G)9h8we+sO|M%=FB&qtDyW)T{PIap`!p2A<|djXxdrn9WSvS;nT2_ ze!U*ciSDJ@!e-6l9I(#EFOVT%L!umkp0GfPt)J=h@k%3{&D_R&bhAvpxyfm4Zv2^)f2OIWB zv%ORimsejHzQ{I1roGU8k~1I=#R+uMd@XPHF($6zfzM-sBoI~+_CfZg*~(WVe0jS+ z+)$CZ^YSdA%6QK*)l&ZwC$>CgHz%zjSKytOLY<~%MW>?P`)dkNrMiw{ANVDOE=wuK z6%p0v=fyFLo#bKSYS2wOq+GJkIKWw|bVWrzlBnzD@?iiWuyAn^B<-slG1xwfit8Mu zCC#Grjg^a4iM}ccx9(~4seGIbA+aJ_UB z0(KPm&BL(ruo>QhY<)kIM29jDJM6Q+wD-Qy*Bfqg%+sDs`9+yqftTA!f}L)`=|(+O zXhiI+Rr#*hS`ba=-Opt7P|X>c!Y78nWPr9~%NNjBv92!Q67-CgGLxSe4kjE^-hVE1 z!rj-RL`3@%HncMM!S;ElrB}j(ng!E+w;q5$B)Fd?5ENVuzn;RYEkbO3v;+|_4^=SO zZ&Q4(wWr);!r+AyMzG&e>`dn0N7dENM>}*on3(N0oGig@!6>_t`#w$hA0RWYYl#}B zO^gYngq^o>bk|8~SbR&!uIsW6+wr;`hLBp%0GC^l*IS>$%b`ly2mXzLI4RjLzjB=x zG4-)?XRrMZ0uEH+|Jz`v$-{dxf4Bhu1APAf#e?sKAubn&+%WoGeSoH8;GX7Tq-i~e zC1X+WJg6uVcrDeKGnnWlR542#^?HNCUz=o$3zF@F9skf9K-Kfs2I?=75;cbkb2-%t z>2av?hf4i^A~!&*iM@FfmqH=A0%ZOJD5AhKiP%dj0Niew+-8y${5#`O@9>EP%eH~;XdXroZ6*Jfe%Q>&B z@Odie?rE7E26w?I0mp_3Bn6DlEy+A|?nrcXF4_rNsG`FczF12hWFsb>A1Fxk4iy^7c%TRtpo%;kge9YPcxu1&C1ZblAkTiROt(+J z#Ih0rk*oqp&`1RUa=i=GQ$!-pZgeBT%d#JmK3;lLpz%t=p_{uLu4ni-yI39#0^k~l zm4RG`wn*v%kIl&qpbMfRlAARpG-6KaV}R%|fr9Z+P*C+VFGnD_p9t$JK%y204IHJt z>i|h2*SNsskUTY)hYX!qIT&mcjwC??Wrj@5mse>-;C}%$q3y&<*G)(nW2btO1=sV= z!TlddATXsO0;#PAOp#7?;0#%oP~h%0wk5y9y#xaX@stV>I9|(@0}A&|0mn3aAx-*V z{A&wZ(=v)EfTC+~-yQea{p>K`5yOHYf`F2^%Vy0k!r)PE_IOF(O#_SNEnZb1_wy+; z{{{{hFqvxR#0ULBm;M&_v~3v!Xt;5v)!sKfQMpEGfD^=Sx2^b7&3oOP(IDf!DNE{n@^2UjE1M zFoa3-vt$dbj2Z54eC#DdfnhJn;PpeEH1?ljszHfn4gcot%YrsunV72q9!9Y&>T1@; zHgu@c0KrT{|5rdWag3Frz+DMp4m@MaqH`wxaROL2DQ;GqwFhMdt2GQe~`A&gb3ccVHSmabi*z;nWo?t0W6~fE?TIH z3Crj71@b~4sA9Rpgk5qrC{vZCHd<;Wa1lX_e71wDfgVSYK)8ZYq>TbV^l+CMAEr76 zq?VT*#&~a?=h}2K1D}}f8E@jN8XGnpZv$I0N|=y?;>BR$hJ7vqkhv46UpO=>H*ax@ z-F?UgNNSfs0Dh0psw{d~0f%%fBjm=)XsNB0D&zSA8jI1sfKyd)7~%{A?1w_{mE4^7 z8imG_i}P6BTriPgqb;CEFw9F6^#JW3yFuK7!(bUDJQzBV4p#CK+AhABYUV~G<5#2a zTjZyfEYMmD_zMvLSc^%Tp8}{is&&Bz0@j&N}#E^wKmGi2^~If-Z8R zh7Y?0@NEDn?lERp5=Fyj{PfHlltP4&o`9@D*&}qNK0xqWFsQxfqPTUJTrKg#6yU~D z#*B>Zmf`~4H=Y8%%19b|JwW`5VtyPC5HHjY&nDfYeeunO)B=ssn> z#lS>NVJQ@x*hudy7Y#JD^}J*6$++6rYs>BOI!E!7@6LYp4B|2H;d&^F0A7QI!)pDXFv&-eL zA~0WDz14)Tj`fvtS+wT4Nz0=beK|Gwpp2{~#`%ysP1YPqT-V{`afMo-g{9`Dk6{rq z<}Q^DZSqyUl%0x~j3p>&Q2)ga^XXeB^Mp<&wHHgcw>U3KORV}tW~6BCjYCp_6a*y! zb;DxZO+%GWHkIPqI-0T`_p7juJex>AdgYUh(eYwGHt=3~{%**Wz4^EuY1
s|)TRD0vGs2UKyg2w47<+D+~{>-Q++BdU4Bq^moVQKCMDk3 z=Ip~2VwdziRP2boRSCGBn+aVu&KMTF61S1oFNNM{QG$T>{nY2Q8~bv_k$46Pi%F*! zn-}MO3G{&obxID2B1Jk`F_+$txU5NH>TR210#U9q`{y<1$E)twQ?dtCc`93=J;2;s zsXC{A*)cGEKa_F2?Q~~tUSi|ng!~*OWKDFoQY^P^^4-PhqD&e4HJ;mlXmp+GU_LmM zAm%cp+>U7D9hx{SGMT+NsK2nUb4Y3#p^e)dhG%33nvI3x^#fLsBL!~0F^qC+sA=*> z0=NF`3=?UXFAc0gY`bNL)jM%GU9HKh?Yp^%2PhgIv*^C3CFGs21ogpTYmG_6CcGO* zC6p@cH$arO?R1Za1aj#BUH#>yH(if2K){!{>L9gO2b4@FMNt2kZb4FHJ&XYHq2$zm zih?AkQS8+`*rs;=rOl)eI{{0T7G4P=F*_ow+~6Qr@r1`PMB~a+qig%ghoq`PxJeJ% zn|Gx}S&NGbh`!=FH?wnU7;LA)L_8fxRJmYQMC!I5N_9`a2)=v+RZ^t6nf<7{KL+y? z%V+D_JExi3-EN{eRrfzxn;@n|Cg5K=68Db~>Hv$!OYtRC8-)=9ZlVcmV^b(W!rkGJ zMs31wcEE`&o*Mxy$dWVKRBe;aAYa+kw{m3Lj$P(QIaPOF`t*IiNuCfbHqmyIyXA^S z45iYx_~(*ux&|Zsjv~;zl-Y;Cj<>XHi*swFvmqO?1teG|InMA3<9#5-m3hNKuW=E0 zJA3z(cLu#{jcq5T&p*2a&(GDftYlH&3rV-){&B>oH)kAqHOTPZl+VF;v*^4JPM4p# z@`<1+s%RZ4uvd#rb)P7nIQ5K5Hl=P3e|qAGHHg2#j3IywB*r&^;U6+2mW4`L` z`C$PbOBoyTc|0|%@mk;|tZvLrbY$eVwZTL9y!S>JDeEZqAgbKNK=0~vz1<^}KqS7T zrsbSs@^K5^Bs_i=#MH#JstaVXOLQ(AwhiAz5enpxD^S3+++(mU6BfQ-8HVt23kAS2 zv8SU&5ib*{FpA~MU%$RH={{ypxr?WztnVCNRfI`9+o!yHxy z6c4Gwn^6=kr4>Hsj|JWQ;^(v_+%ju^?fs3GybqoTW+20yhdw6~t~MokNk2~nCCJ)j zyINUCPu5nhRbQRrI@PBFEYO`r&eTFWzvr@zr{QkFg*V3E3exXh*wxHY*X&L4#YgUB zYitP>5*($G6J`&Pu3k#nHEt8!4esFA*`%T~%B~Oz5$sI}jcvN4X+BJceKfiPBA((x z<(>l{9bFG7`7_9n;tXXO*TdI8S=paTQOxR+`?mq)l@-*?=7YV}Jh~1Ftz2($jXGg+ zd?mAbPuWViV(Bi!A{LTpXk!DPn5d27>hslMG_;+zE5lxbKI z9wIt4Lx}DlVk4zz4imY8&5!$t^Fo_y+Yz9JG2don_bB`?E|BS%9V>V$#JJoNPWM`{ z+OoPV3;Z#0bRS=bN)bgz*$%I7Jl72m4k~myZ=)0@Wwk9^dtv39(1I<#&$+eN7gJT~ zy7)5B%IDIS+jHv-sm+e-L(X=Dta7-J!B=>PiVR<_*-qPp6XYuzLXs*1)5xc=rE+8x zdjQ+jb~aFgzKG}n?o&M@-)|y4#kXiT4ux^UuS8s83zgF}P=Pb;Jz_T^ey0YENc@OH z{LVlI6z7DzNW_y=oRqqo&XCQ^y~3=M&Rn{ittEJiWFysitY=$PB;FZPJzjj9PrL*@ zN@Z}DvH`1?sb~9UP0UBhv|)z0MM{$E$tOGAyz20t*E02wNICiG#8{HvE^Q5=`;-01 zZ&7N@Af`E~nHSfa4OX(=UZZ>nkNFld7d$|SPn1BXUC>bkUB7BdG@uKnwex;OT;Vq# zA4Hg7g5G4IB@O(-BsprhQmsRxv5-Mr7G*?pF;{~dG}WRWEx z?GW%3FkZ(;If)rGh5HM4xZ-`@x!kR?1#Kuc4-O8*N&z&9DGhuqg=fLeM1kpLFP1t$ zuH+RV>i|T#LajoA%PbK(^|Te;S*~eE?h0W(F^r!GOAOzXVb1PmibArOzQA-I?P^G( zQ)%QJ?Y?g`s3y{xv0?cV5_NS*R<$L>KSsxp*wnV-1MZVbru7ogr0 zTFa{nZ$Su^UD4lQ;-hKG06}nBP)Hw5g8WEGYZ`aL5fQoAtm!fdveDTSkxtqWRjYg& z6*cK8rl5(6l=f+z<+<5bK5#*bh0QXlfpUk7?k20EK#g+}@PQB-yfTvY`I$rNfw1G` z_-QLqTokFc-Tpqw$*19@sHN$5l7mG3>2iT8bM+p#ngxZzgYlFK2YF(*#B*?c%fZvtt2!y~uIB=N#w#B&EACV-6pw^2k? zwev=ME_;Gbk?C~J^SQCZ#Ky7BES1=vsb0`=u=XR)2rdOu^#bpM4FV%Eu0kRC1z+c_w~kEJ;hf- zob+9GJU7DyXtIay4b~odHNGZ5>^Ti9F<26*@}%iK*ms+rCM2xzLpGM$DO=oP8!{!P zmtmk=jJVP5a%GULU>*5J$pXFm%h%g*^LNFnn%{m6AJrrfzVt4Rt;Fx=*yRHV?-AoJ zOHI>@>4ij1%plqZSH8_aZFdwMH|K+@*4HnYZ&Kg%d=DS*8qymkQ-H_W#*JLUrx?bT z?O9|JAu%mB)=TBk{W{C_9MMh(C_Y zP*AE=O#Vz+Sqi{}jL{qzQma?XGHg!(6I-Vlta#VwPz7LGX|hqcjEJ1nUk{ z+Cx15b{l5ZuiNxBW`-H+$Z#`53~Uhs2pUn1Oh&cEFQq63wK9BQ2b;%vPd*Ic@?0Q= z*Tt5qw>2E$f)G%hzt3={0fe6_cR!e!T4K$1~CRz6S)w*Kw2 zBAa-l{3YepqpsTP+nfg!{kvhZe4w1WhhPE^m`~4B5xk#B`V%9@je7xR%Dy~w{*hUN zNy2n<0ic46I?ouQuYqu4K-20Y9jc%_ELjIoLFM=i+$=?)X2Ju>T*|1b@jikVNi3;t z!G@6wc-qQW-B|E{ZTdOXroTrWF8c_@p1<{~Gl1#m@Q448hffbq&M)QQ{z)DuQl2(4 zWkh`?hssh2>3=cZEclq-iV(7T_VG_sRSU>Iz`E)te@vwUaVPKkzO_a;JlFBH1c! z8B{h_4ZYWeJ-*1{RDx~`u_6vskJHaKsU&_git6tu9wcCqxr1I0H_pNumtHADzaxv2 zldYL%vqo~u{?qf5&58GU1uHAx@~kXe{}+_qZ-whq_4Q+b4>PVIxgIB&V)W$f8^m+k zeQ#=@m-#zKJga`z)HPIsS=ftY)I3HfFM#3-~dXq_J%08EmjGhLj859ZHN zO%V_P6ATinfOIfx%&z>N1?l<1Dek{qG7@{?YiRe;;N1K{b+EjH8> z{S!4_-<)VU0jMG;lKB0>vMJCi7Z#%GrSy-moA*l}Eda(S%>iKC>gY=(*&%KoTZ=w9 z_i3l(kt)sCg4ka06|-WXRCF((mlJ5>~l77sLb|VZ@!EUUn_2}%DtOYMJ;GqF!7<3VJkA_<4Vew z1xf;w(q})u4z^2mL(Ztq38jBTqi|d`wFZPwk*U<-bfCLqcLMhWC|uZHDgLM_nidhH z-~^iU+%G^7y5UfFWSK`8wx3ZWy+6#z>a8zvdE-TuCKfbZ4HqDr?+id=&jgs_VuHS9 z@_V`CP)0;iSj;batsJHO(_qU6!knFEbpR7$yP?XmbJCNGD3Q^Q1Z$Xk#)qO_q(i6( zNqq>uX|Fc|g#!WUnXz0mR+)I$4HDmV!zX8Mwm21%``*4woCAFNjr>Zb$4BIo#WVtl4*=Rm%EI)(Kf15)QZv1d-!?r&wOdaME6?^mI z)HTG(czGF6R?9nIcSaubCks%=1hgo8*&Hi(bTn!L+{N;VJ81(DL@2^z%6AAA?4GyP zvrm;s@n^&yLX4Jxb;u}H87g?Fj_bJ$$l`+N%f88!O{GMt?SSG7@Sw`MPS)3OK1Olcq`gshGGLK@_K>W^3Q%Ch8N8v^iX?cmeQ zc%`d)7Q>b`KCe39#~up~7ClhOd=owS&KCI2t}t1^U+#2_;4Ulb#OMxu!pI(rNr8s# zo1j@iq1BkU4{B+asyseNjQ6Qdsh5heJ=urO(!^g{;MQ&E-wb^L`UcOXA?F{7sqNBQ zf~G(tZpyt8uC7Gh%)r72YMZS9e3DNROD0lrn!`T^bv2=wMiMmuK;=PkF4|TaCn@XF zYlHRz!(P*J-9d3s)!Udvngt$zc$_f1h|BP ziEXttNWiZQ2B3Zy020cR&xNbXVw#VQ%b37iB;eUij*EE*PWN;e_jav*W~0PYv^*8K z6L*SPF+n3Oy&P=~C=!0?>-Qk;=JG8j#3U{TjVA`BMxHa5yl+0KcA_;6TcFl(biNjP zCWd=u^r^cUd+wdrHwSqJa7@%*PogMWj{^AU9b0f`N$Gn(65=(=O__-E=)K5(^W{eF zDoVwIWw|mjZLwmpFnNt!)yV9!%wCPkC^O;?;~s-tf2{P%7q!&$s4N%;%&OhISC7y3 zL=F4Oq}%~!Y*;`iQwJFY+cOoQnq+sS0|KuGO>S$l2&palsp2Hiv)uVvSrG2TK1=&b zwH9oAbm^`%DGTX8sw%|tsiL8(3hF&uic}xvV#A&Gf{tkVTXs!(or{-@I`Rv1e9c9ck6B}6lq{34 z7c&8xQ(P)fB|x8VNh?wzDLCftJMnuf5+%UIcOc0YNBEqfh@Qa!MLiH*W4*_Xt6iGT zqac-8otT`AT3K&@DQ2{IUQ4SrDuy4+l7O)f#ae&Th|%Oi(bQ5xM%E>Se|p&>W>q2~ zxM&oRX5)&!6h*f5-_?AP&3K!0$q)o1+C*&LNUh6kf9e63YXJ>bQyW#POn(5f%z0}( z6qJzzpbWjG2@*)~i+n;fURZz^QQ{rjK43MK1hZAVLpN_<{(g}X+LJB!rA<}`FmSW{ zBtO~0PcQZ`E)JxcIev+E;M028as*FiTL2|>S-lGMxu%PtaLO&gr+Qkc&I=Ly)FNIv zluK7Pv&8W6!|OWr#0ZkN8p32}lJc#Vr$bpMg|?lamM}8}l0bRv!U54t>T}+$FD0hS z4Y%0$TD<&IoNH`$@>}MolQ;}@Rj$8kDHWeobS4WvQ1=U9Xr7h0p(Rf}uO#W2Krr4n zR}ntUdwTU|iw^xc9w~Egh0|?aL?+`0KO9jmGFYsWKO!5~h`OcEAJRBc!D2K<@|Xh0 zqvbxmQyNrhSX6TekP!xSF)|czVo3%HY>)Sqb0JhIN%YPT zXiXk)N38*q$23qym~E7GC@5+Y&l&@ij5~*(6fC7cX9%( zrFl?sz%r1jnOdJ18>()3>$7BM?HzkP~wvNYUFqI)~!>4bSJp za7V@7*#qFB#->Ua=$|c?JRqZS8ryGS&!k(whHhV>sf|t7Q~S6^PQMUdr(#E(@UUj5 zlE7pefT=H+=u)MMC2E3B;0gC@l=Ff`9EvlWjc~BEfx0+PR}Oz#X6`vyi^;HSN+o^s zJu`ymqXp%-rJ3|>9`OlB zxdz2iWrT&ik3giC#V@h_;Qr|k^_hrn!;28=PMovu(E*vhBrV)_KQx*~1uIE%1=)^S z3clcNv{p&{#DZ~?%4?cFUhZbc;x_BIa%Dm)H@`Ji2&pGPwY5!JF)Lmf#18P+BCLC- zZ)j4&K6s@CU9RJBg{AS?(i^O+_yAdFyA{_!n7EAsl07p6nOXDMVIf7~L>)c0s$Fb) z$Qa%FKsox%!0g0yKVW9|?Z55;%cIW#rubuHVoW}@Bqk<~chqWl=@s!j$;b#rPD^g67PThIlIzVvTR7LF%!={PF=Wp@E!F%vig^}t-Bsa%RhfT1i%%~ z0W?G~2<)w!EDA#YQq3%JnK}EHU;Tw-_-dh$3~|A@KR=rj3hn^}GN0Pzdh!1wID?E? zA|UhCF=izB$+%n$G;k+^@uU4-%^QuE3uIS?)uJmaGBXtyCpFRYmXx)%QIe&|xDB*!CdfJ;_j zhY>s&*aU=-?{NiMZxkt5Lp&u~TEis48r1I{fpDKm9aJ4>6eQONa%1tsAKixb0^&ll zm8LdG**;T~6TI8X?JAEyef7>tQNNn2+S+3uckyJP;`F$C9;Y4-G~0^ zYaVg>Edu^4p)0H0O3y{eTo-#wmuf(s^iKXR*mdd!!7YaL zpM2}sNm2Z#LwJ#o!l~%IIQ)xO zh6*>2e=M6JjrGszibI~tT47>e;lo$jQ_h^Iaw|E5fS%~AbtIkB7@)z~5?hXBDKY6{ z5jHN?eA#>;=y&Ql1llV}MIKhWyMe~e+v@Nv@~fpuY&Ec_M2{x1l@i_@Uf_|kfB;Q7 zf|KqtG2|$-hXGsPFYDrKVXPVnM5SM65|}R)B2evmuOzwPACUQyg#FvtTIk42qK%|| zyw4h@eeHm0Xk|2(l%5Ba=(fM`JfQA)j87GtDOK0K?I?p-m-X97o|yzjb-$EGyhnhzRm0*+gq zZhhDNGY>d8D!SYVc$$buBe2YxcjPY+p#3GUv(L%%C1@E~5%B0O&`53k6yQj0<~bhV5H94PE|4CeM120Qe7~VJTq~wF kXa6SPfTYKS1OJ)lrK(Ngo9!I|JmQ_f)78&qol`;+05laSKmY&$ diff --git a/versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP9/README.md b/versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP9/README.md deleted file mode 100644 index a8cae83d..00000000 --- a/versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP9/README.md +++ /dev/null @@ -1,132 +0,0 @@ ---- -slug: /MEP-9-no-open-ports-to-the-data-center -title: MEP-9 -sidebar_position: 9 ---- - -# No Open Ports To the Data Center - -Our metal-stack partitions typically have open ports for metal-stack native services, these are: - -- SSH port on the firewalls -- bmc-reverse-proxy for serial console access through the metal-console - -These open ports are potential security risks. For example, while SSH access is possible only with private key it's still vulnerable to DoS attack. - -Therefore, we want to get rid off these open ports to reduce the attack surface to the data center. - -## Requirements - -- Access to firewall SSH only via VPN -- Easy to update VPN components - -As a next step, we can also consider joining the management servers to the VPN mesh, which would replace typical WireGuard setups for operators to enter resources inside the partition. - -## High Level Design - -[](./architecture.svg) - -> Simplified drawing showing old vs. new architecture. - -### Concerns - -There's few concerns when using WireGuard for implementing VPN: - -1. WireGuard doesn't implement dynamic cipher substitution. Which is important in case one of the crypto methods, used by WireGuard will be broken. The only possible solution for that will be to update WireGuard to a fixed version. -2. Coordination server(Headscale) is a single point of failure. In case it fails, it potentially can disconnect existing members of the network, as WireGuard can't manage dynamic IPs by itself. -3. Headscale is already falls behind Tailscale coordination server implementation. Which can complicate the upgrade to newer version of Tailscale client in case of emergency. - -### Solutions to concerns - -1. Tailscale node software is using userspace implementation of WireGuard -- `wireguard-go`. One of the options is to inject Tailscale client into `metalctl`. And make it available as `metalctl vpn` or similar command. It should be possible to do as `tailscale` node is already available as open sourced Go pkg. That would allow us to control, what version of Tailscale users are using and in case of any critical changes to enforce them to update `metalctl` to use VPN functionality. -2. Would it be a considerable risk? We could look into `wg-dynamic` project to cover this problem. -3. At the moment, repository looks well maintained and the metal-stack team already contributes to it. - -## Implementation Details - -### metal-roles - -`metal-roles` will be responsible for deployment of `headscale` server(via new `headscale` role). It also should provide sufficient config to `metal-api` so it establishes connection with `headscale` gRPC server. - -### New `metalctl` commands - -`metalctl` will be responsible for client-side implementation of this MEP. Specifically, it's by using `metalctl` user expected to connect to firewalls. - -- `metalctl vpn` -- section for VPN related commands: - - `metalctl vpn get key [vpn name] --namespace [namespace name]` -- returns auth key to be used with `tailscale` client for establishing connection. - -Extend `metalctl firewall`: - -- `metalctl firewall ssh [ID]` -- connect to firewall via SSH. - -Extend `metalctl machine`: - -- `metalctl machine ssh [ID]` -- connect to machine via SSH. - -`metalctl` will be able to connect to firewall and machines by running `tailscale` in container. - -### metal-api - -Updates to `metal-api` should be made, so that it's able to add firewalls to VPNs. There should be one Tailscale namespace per project. So if multiple firewalls are created in single project, they will join the same namespace. - -Two new flags should be introduced to connect `metal-api` to `headscale` gRPC server: - -- `headscale-addr` -- specifies address of Headscale grpc API. -- `headscale-api-key` -- specifies temporary API key to connect to Headscale. It should be replaced and then rotated by `metal-api`. - -If `metal-api` initialized with `headscale` connection it should automatically join all created firewalls to VPN. - -Add new endpoint, that will be used by `metalctl` to connect to VPN: - -- `/v1/vpn GET` -- requests auth key from `headscale` server. - -### metal-hammer - -`metal-hammer` acts as an intermediary for machine configuration between `metal-api` and machine's image. Specifically it writes to `/etc/metal/install.yaml` file, data from which later will be used by image's `install.sh` file. - -To implement VPN support we have to add authentication key and VPN server address to `install.yaml` file. This key will be used to join machine to a VPN. - -### metal-images - -Images `install.sh` script have to be updated to work with authentication key and VPN server address, provided in `install.yaml` file. If this key is present, machine should connect to VPN. - -### metal-networker - -`metal-networker` also have to know if VPN was configured. In that case we need to disable public access to SSH and allow all(?) traffic from WireGuard interface. - -### firewall-controller - -`firewall-controller` have to monitor changes in `Firewall` resource and keep `tailscaled` version up-to-date. - -### Resources - -Update `Firewall` resource to include desired/actual `tailscale` version: - -``` -Firewall: - Spec: - tailscale: - Version: Minimal version - ... - Status: - ... - VPN: - Status: Boolean field - tailscale: - Version: Actual version - ... -``` - -### bmc-reverse-proxy - -TODO - -## References - -1. [WireGuard: Next Generation Secure Network Tunnel](https://www.youtube.com/watch?v=88GyLoZbDNw) -2. [How Tailscale works](https://tailscale.com/blog/how-tailscale-works) -3. [Tailscale is officially SOC 2 compliant](https://tailscale.com/blog/soc2) -4. [Why not Wireguard](https://www.ipfire.org/blog/why-not-wireguard) -5. [Wireguard: Known Limitations](https://www.wireguard.com/known-limitations/) -6. [Wireguard: Things That Might Be Accomplished](https://www.wireguard.com/todo/) -7. [Headscale: Tailscale control protocol v2](https://github.com/juanfont/headscale/issues/526) diff --git a/versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP9/architecture.drawio b/versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP9/architecture.drawio deleted file mode 100644 index adb09214..00000000 --- a/versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP9/architecture.drawio +++ /dev/null @@ -1,324 +0,0 @@ - - - - - - - -
-
-
- Metal Control Plane -
-
-
- - - Metal Control Plane - - - - - - - -
-
-
- metal-stack -
- Partition -
-
-
- - - metal-stack... - - - - - - - -
-
-
- firewall -
-
-
- - - firewall - - - - - - - - -
-
-
- machine -
-
-
- - - machine - - - - - - - -
-
-
- ssh -
-
-
- - - ssh - - - - - - - -
-
-
- bmc-proxy -
-
-
- - - bmc-proxy - - - - - - - - - - - - - -
-
-
- Metal Control Plane -
-
-
- - - Metal Control Plane - - - - - - - -
-
-
- metal-stack -
- Partition -
-
-
- - - metal-stack... - - - - - - - -
-
-
- firewall -
-
-
- - - firewall - - - - - - - - -
-
-
- machine -
-
-
- - - machine - - - - - - - -
-
-
- ssh -
-
-
- - - ssh - - - - - - - - - -
-
-
- bmc-proxy -
-
-
- - - bmc-proxy - - - - - - - -
-
-
- headscale -
-
-
- - - headscale - - - - - - - - - - - - - -
-
-
- tailscaled -
-
-
- - - tailscaled - - - - - - - - - -
-
-
- tailscaled -
-
-
- - - tailscaled - - - - - - - -
-
-
- Internet -
-
-
- - - Internet - - - - - - - -
-
-
- Internet -
-
-
- - - Internet - - - - - - - - - Viewer does not support full SVG 1.1 - - - - diff --git a/versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP9/architecture.svg b/versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP9/architecture.svg deleted file mode 100644 index fd268d2f..00000000 --- a/versioned_docs/version-v0.21.10/contributing/01-Proposals/MEP9/architecture.svg +++ /dev/null @@ -1 +0,0 @@ -
Metal Control Plane
Metal Control Plane
metal-stack
Partition
metal-stack...
firewall
firewall
machine
machine
ssh
ssh
bmc-proxy
bmc-proxy
Metal Control Plane
Metal Control Plane
metal-stack
Partition
metal-stack...
firewall
firewall
machine
machine
ssh
ssh
bmc-proxy
bmc-proxy
headscale
headscale
tailscaled
tailscaled
tailscaled
tailscaled
Internet
Internet
Internet
InternetText is not SVG - cannot display \ No newline at end of file diff --git a/versioned_docs/version-v0.21.10/contributing/01-Proposals/_category_.json b/versioned_docs/version-v0.21.10/contributing/01-Proposals/_category_.json deleted file mode 100644 index ec1a4ebc..00000000 --- a/versioned_docs/version-v0.21.10/contributing/01-Proposals/_category_.json +++ /dev/null @@ -1,4 +0,0 @@ -{ - "position": 3, - "label": "Enhancement Proposals" -} diff --git a/versioned_docs/version-v0.21.10/contributing/01-Proposals/index.md b/versioned_docs/version-v0.21.10/contributing/01-Proposals/index.md deleted file mode 100644 index 9046bdf5..00000000 --- a/versioned_docs/version-v0.21.10/contributing/01-Proposals/index.md +++ /dev/null @@ -1,69 +0,0 @@ ---- -slug: /enhancement-proposals -title: Enhancement Proposals -sidebar_position: 1 ---- - -# Metal Stack Enhancement Proposals (MEPs) - -This section contains proposals which address substantial modifications to metal-stack. - -Every proposal has a short name which starts with _MEP_ followed by an incremental, unique number. Proposals should be raised as pull requests in the [website](https://github.com/metal-stack/website) repository and can be discussed in Github issues. - -The list of proposals and their current state is listed in the table below. - -Possible states are: - -- `In Discussion` -- `Accepted` -- `Declined` -- `In Progress` -- `Completed` -- `Aborted` - -Once a proposal was accepted, an issue should be raised and the implementation should be done in a separate PR. - -| Name | Description | State | -| :------------------------ | :--------------------------------------------- | :-------------: | -| [MEP-1](MEP1/README.md) | Distributed Control Plane Deployment | `Declined` | -| [MEP-2](MEP2/README.md) | Two Factor Authentication | `Aborted` | -| [MEP-3](MEP3/README.md) | Machine Re-Installation to preserve local data | `Completed` | -| [MEP-4](MEP4/README.md) | Multi-tenancy for the metal-api | `In Progress` | -| [MEP-5](MEP5/README.md) | Shared Networks | `Completed` | -| [MEP-6](MEP6/README.md) | DMZ Networks | `Completed` | -| MEP-7 | Passing environment variables to machines | `Declined` | -| [MEP-8](MEP8/README.md) | Configurable Filesystemlayout | `Completed` | -| [MEP-9](MEP9/README.md) | No Open Ports To the Data Center | `Completed` | -| [MEP-10](MEP10/README.md) | SONiC Support | `Completed` | -| [MEP-11](MEP11/README.md) | Auditing ^of metal-stack resources | `Completed` | -| [MEP-12](MEP12/README.md) | Rack Spreading | `Completed` | -| [MEP-13](MEP13/README.md) | IPv6 | `Completed` | -| [MEP-14](MEP14/README.md) | Independence from external sources | `Completed` | -| MEP-15 | HAL Improvements | `In Discussion` | -| [MEP-16](MEP16/README.md) | Firewall Support for Cluster API Provider | `In Discussion` | -| [MEP-17](MEP17/README.md) | Global Network View | `In Discussion` | -| [MEP-18](MEP18/README.md) | Autonomous Control Plane | `In Discussion` | - -## Proposal Process - -1. Before starting a new proposal, it is advised to have a quick chat with one of the maintainers. -2. Create a draft pull request in the [website](https://github.com/metal-stack/website) repository with your proposal. Your proposal doesn't have to be finished at this point. -3. Share the PR in the [metal-stack Slack](https://metal-stack.slack.com/) and invite maintainers to review it. -4. The review itself will probably take place in multiple iterations. Don't be discouraged if your proposal is not accepted right away. The goal is to reach consensus. -5. Once your proposal is accepted, create an umbrella issue in the relevant repository or when multiple repositories are involved in the [releases](https://github.com/metal-stack/releases). -6. Other issues should be created in different repositories and linked to the umbrella issue. -7. Unless stated otherwise, the proposer is responsible for the implementation of the proposal. - -## How to Write a Good MEP - -In the first section of your MEP, start with the current situation and the motivation for the change. Summarize your proposal briefly. - -Next follows the main part: describe your proposal in detail. Which parts of of metal-stack are affected? Are there API changes? If yes, describe them and provide examples here. -Try to think of side effects your proposal might have. Try to provide a view on how your proposal affects users of metal-stack. -Highlight breaking changes and think of a migration path for existing users. If your proposal affects multiple components, try to describe the interaction between them. - -After the main part of your proposal, feel free to add additional sections, e.g. about alternatives that were considered, non-goals or future possibilities. - -Depending on the complexity of your proposal, you might want to add a section about the implementation plan or roadmap. - -You can have a look at the existing MEPs for inspiration. As you will notice: not every MEP has the same structure. Feel free to structure your MEP in a way that makes sense for your proposal. diff --git a/versioned_docs/version-v0.21.10/contributing/02-planning-meetings.md b/versioned_docs/version-v0.21.10/contributing/02-planning-meetings.md deleted file mode 100644 index ef602204..00000000 --- a/versioned_docs/version-v0.21.10/contributing/02-planning-meetings.md +++ /dev/null @@ -1,51 +0,0 @@ ---- -slug: /planning-meetings -title: Planning Meetings -sidebar_position: 2 ---- - -# Planning Meetings - -Public planning meetings are held **biweekly** on **odd calendar weeks** from **14:00 to 14:30** on Microsoft Teams. The purpose is to provide an overview of our current projects and priorities, as well as to discuss new topics and issues within the group. - -Our [development planning board](https://github.com/orgs/metal-stack/projects/34) can be found on GitHub. - -You can use [this link](https://teams.microsoft.com/l/meetup-join/19%3ameeting_ZTVmNWFkYjYtMzVmYi00ZTMxLTk5ZTUtMGFjYjU2OTk0MjQz%40thread.v2/0?context=%7b%22Tid%22%3a%22f9d9b921-8f78-466d-95fd-4495e73d8d65%22%2c%22Oid%22%3a%228ac2a791-e637-4a90-8505-0a1ee175ebfc%22%7d) to join. If you want to get an invitation to the event, please drop us a line on our Slack channel. - -Planning meetings are currently not recorded. The meetings are held either in English or German depending on the attendees. - -:::info -Note that anyone can contribute to metal-stack without participating in planning meetings. However, if you want to speed up the review process for your requirements, it might be helpful to attend the meetings. -::: - -## Agenda - -Here is the agenda that we generally want to follow in a planning meeting: - -- Possibility to bring up news that are interesting for every developer of the metal-stack org -- Check `Done` column and archive cards - - Attendees have the chance to briefly present achievements if they want -- Check the `In Progress` column and discuss whether these tasks are still worked on, there were significant blockers or they can be lower-prioritized -- Check new issues labelled with `triage` and prioritize them -- Allow attendees to bring up issues and prioritize them - - Attendees have the chance to briefly present these new issues - -## Idea Backlog - -The backlog contains ideas of what could become part of the roadmap in the future. The list is ordered alphabetically. Therefore, the order does not express the importance or weight of a backlog item. - -We incorporate community feedback into the roadmap. If you think that important points are missing in the backlog, please share your ideas with us. We have a Slack channel. Please check out [metal-stack.io](https://metal-stack.io) for contact information. - -:::danger -By no means this list is a promise of what is being worked on in the near future. It is just a summary of ideas that was agreed on to be "nice to have". It is up to the investors, maintainers and the community to choose topics from this list and to implement them or to remove them from the list. -::: - -- Add metal-stack to [Gardener conformance test grid](https://testgrid.k8s.io/gardener-all) -- Autoscaler for metal control plane components -- CI dashboard and public integration testing -- Improved release and deploy processes (GitOps, [Spinnaker](https://spinnaker.io/), [Flux](https://fluxcd.io/)) -- Machine internet without firewalls -- metal-stack dashboard (UI) -- Offer our metal-stack extensions as enterprise products (accounting, cluster-api, S3) (neither of them will ever be required for running metal-stack, they just add extra value for certain enterprises) -- Partition managed by Kubernetes (with Kubelets joining the control plane cluster) -- Public offering / demo playground diff --git a/versioned_docs/version-v0.21.10/contributing/03-contribution-guideline.md b/versioned_docs/version-v0.21.10/contributing/03-contribution-guideline.md deleted file mode 100644 index 15a73d0d..00000000 --- a/versioned_docs/version-v0.21.10/contributing/03-contribution-guideline.md +++ /dev/null @@ -1,147 +0,0 @@ ---- -slug: /contribution-guideline -title: Contribution Guideline -sidebar_position: 3 ---- - -# Contribution Guideline - -This document describes the way we want to contribute code to the projects of metal-stack, which are hosted on [github.com/metal-stack](https://github.com/metal-stack). - -The document is meant to be understood as a general guideline for contributions, but not as burden to be placed on a developer. Use your best judgment when contributing code. Try to be as clean and precise as possible when writing code and try to make your code as maintainable and understandable as possible for other people. - -Even if it should go without saying, we live an open culture of discussion, in which everybody is welcome to participate. We treat every contribution with respect and objectiveness with the general aim to write software of quality. - -If you want, feel free to propose changes to this document in a pull request. - -## How Can I Contribute? - -Open a Github issue in the project you would like to contribute. Within the issue, your idea can be discussed. It is also possible to directly create a pull request when the set of changes is relatively small. - -When opening an issue please consider the following aspects: - -1. Create a meaningful issue describing the WHY? of your contribution. -1. Try to set appropriate labels to the issue. For example, attach the `triage` label to your issue if you want it to be discussed in the next [planning meeting](./02-planning-meetings.md). It might be useful to attend the meeting if you want to emphasize it being worked on. - -### Pull Requests - -The process described here has several goals: - -- Maintain quality -- Enable a sustainable system to review contributions -- Enable documented and reproducible addition of contributions - -1. Create a repository fork within the context of that issue. Members of the organization may work on the repository directly without a fork, which allows building development artifacts more easily. -1. Develop, document and test your contribution (try not to solve more than one issue in a single pull request). -1. Create a Draft Pull Request to the repository's main branch. -1. Create a meaningful description of the pull request or reference the related issue. The pull request template explains what the content should include, please read it. -1. Ask for merging your contribution by removing the draft marker. Repository maintainers (see [Code Ownership](#code-ownership)) are notified automatically, but you can also reach out to people directly on Slack if you want a review from a specific person. - -## General Objectives - -This section contains language-agnostic topics that all metal-stack projects are trying to follow. - -### Code Ownership - -The code base is owned by the entire team and every member is allowed to contribute changes to any of the projects. This is considered as collective code ownership[^1]. - -As a matter of fact, there are persons in a project, which already have experience with the sources. These are defined directly in the repository's [CODEOWNERS](https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners) file. If you want to merge changes into the master branch, it is advisable to include code owners into the process of discussion and merging. - -### Microservices - -One major ambition of metal-stack is to follow the idea of [microservices](https://en.wikipedia.org/wiki/Microservices). This way, we want to achieve that we can - -- adapt to changes faster than with monolithic architectures, -- be free of restrictions due to certain choices of technology, -- leverage powerful traits of cloud infrastructures (e.g. high-scalability, high-availability, ...). - -### Programming Languages - -We are generally open to write code in any language that fits best to the function of the software. However, we encourage [golang](https://en.wikipedia.org/wiki/Go_(programming_language)) to be the main language of metal-stack as we think that it makes development faster when not establishing too many different languages in our architecture. Reason for this is that we are striving for consistent behavior of the microservices, similar to what has been described for the Twelve-Factor App (see [12 Factor](https://12factor.net/)). We help enforcing unified behavior by allowing a small layer of shared code for every programming language. We will refer to this shared code as "libraries" for the rest of this document. - -### Artifacts - -Artifacts are always produced by a CI process (Github Actions). - -Docker images are published on the Github Container Registry of the metal-stack organization. - -Binary artifacts or OS images can be uploaded to `images.metal-stack.io` if necessary. - -When building Docker images, please consider our build tool [docker-make](https://github.com/fi-ts/docker-make) or the specific [docker-make action](https://github.com/fi-ts/action-docker-make) respectively. - -### APIs - -We are currently making use of [Swagger](https://swagger.io/) when we exposing traditional REST APIs for end-users. This helps us with being technology-agnostic as we can generate clients in almost any language using [go-swagger](https://goswagger.io/). Swagger additionally simplifies the documentation of our APIs. - -Most APIs though are not required to be user-facing but are of technical nature. These are preferred to be implemented using [grpc](https://grpc.io/). - -#### Versioning - -Artifacts are versioned by tagging the respective repository with a tag starting with the letter `v`. After the letter, there stands a valid [semantic version](https://semver.org/). - -### Documentation - -In order to make it easier for others to understand a project, we document general information and usage instructions in a `README.md` in any project. - -In addition to that, we document a microservice in the [docs](https://github.com/metal-stack/docs) repository. The documentation should contain the reasoning why this service exists and why it was being implemented the way it was being implemented. The aim of this procedure is to reduce the time for contributors to comprehend architectural decisions that were made during the process of writing the software and to clarify the general purpose of this service in the entire context of the software. - -## Guidelines - -This chapter describes general guidelines on how to develop and contribute code for a certain programming language. - -### Golang - -Development follows the official guide to: - -- Write clear, idiomatic Go code[^2] -- Learn from mistakes that must not be repeated[^3] -- Apply appropriate names to your artifacts: - - [https://go.dev/talks/2014/names.slide](https://go.dev/talks/2014/names.slide) - - [https://go.dev/blog/package-names](https://go.dev/blog/package-names) - - [https://go.dev/doc/effective_go#names](https://go.dev/doc/effective_go#names) -- Enable others to understand the reasoning of non-trivial code sequences by applying a meaningful documentation. - -#### Development Decisions - -- **Dependency Management** by using Go modules -- **Build and Test Automation** by using [GNU Make](https://man7.org/linux/man-pages/man1/make.1p.html). -- **End-user APIs** should consider using go-swagger and [Go-Restful](https://github.com/emicklei/go-restful) - **Technical APIs** should consider using [grpc](https://grpc.io/) - -#### Libraries - -metal-stack maintains several libraries that you should utilize in your project in order to unify common behavior. Some of these projects are: - -- [metal-go](https://github.com/metal-stack/metal-go) -- [metal-lib](https://github.com/metal-stack/metal-lib) - -#### Error Handling with Generated Swagger Clients - -From the server-side you should ensure that you are returning the common error json struct in case of an error as defined in the `metal-lib/httperrors`. Ensure you are using `go-restful >= v2.9.1` and `go-restful-openapi >= v0.13.1` (allows default responses with error codes other than 200). - -### Documentation - -We want to share knowledge and keep things simple. If things cannot kept simple we want to enable everybody to understand them by: - -- Document in short sentences[^4]. -- Do not explain the HOW (this is already documented by your code and documenting the obvious is considered a defect). -- Explain the WHY. Add a "to" in your documentation line to force yourself to explain the reasonning (e.g. "` to `"). - -### Python - -Development follows the official guide to: - -- Style Guide for Python Code (PEP 8)[^5] - - The use of an IDE like [PyCharm](https://www.jetbrains.com/pycharm/) helps to write compliant code easily -- Consider [setuptools](https://pythonhosted.org/an_example_pypi_project/setuptools.html) for packaging -- If you want to add a Python microservice to the mix, consider [pyinstaller](https://github.com/pyinstaller/pyinstaller) on Alpine to achieve small image sizes - -[^1]: [https://martinfowler.com/bliki/CodeOwnership.html](https://martinfowler.com/bliki/CodeOwnership.html) - -[^2]: [https://go.dev/doc/effective_go](https://go.dev/doc/effective_go) - -[^3]: [https://github.com/golang/go/wiki/CodeReviewComments](https://github.com/golang/go/wiki/CodeReviewComments) - -[^4]: [https://github.com/golang/go/wiki/CodeReviewComments#comment-sentences](https://github.com/golang/go/wiki/CodeReviewComments#comment-sentences) - -[^5]: [https://www.python.org/dev/peps/pep-0008/](https://www.python.org/dev/peps/pep-0008/) diff --git a/versioned_docs/version-v0.21.10/contributing/04-release-flow.md b/versioned_docs/version-v0.21.10/contributing/04-release-flow.md deleted file mode 100644 index 2a6403b7..00000000 --- a/versioned_docs/version-v0.21.10/contributing/04-release-flow.md +++ /dev/null @@ -1,107 +0,0 @@ ---- -slug: /release-flow -title: Release Flow -sidebar_position: 4 ---- - -# Releases - -The metal-stack contains of many microservices that depend on each other. The automated release flow is there to ensure that all components work together flawlessly for every metal-stack release. - -Releases and integration tests are published through our [release repository](https://github.com/metal-stack/releases). You can also find the [release notes](https://github.com/metal-stack/releases/releases) for this metal-stack version in there. The release notes contain information about new features, upgrade paths and bug fixes. - -If you want, you can sign up at our Slack channel where we are announcing every new release. Often, we provide additional information for metal-stack administrators and adopters at this place, too. - -This document is intended for developers, especially maintainers of metal-stack projects. - -## Release Flow - -The following diagram attempts to describe our current release flow: - -![](release_flow.svg) - -A release is created in the following way: - -- Individual repository maintainers within the metal-stack GitHub Organization can publish a release of their component. -- This release is automatically pushed to the `develop` branch of the release repository by the metal-robot. -- A push triggers a virtual release integration test using the mini-lab environment. This setup launches metal-stack with the `sonic` and `gardener` flavors to validate the different Ansible roles and execute basic operations across the metal-stack layer. -- To contribute components that are not directly part of the release vector, a pull request must be made against the `develop` branch of the release repository. Release maintainers may push directly to the `develop` branch. -- The release maintainers can `/freeze` the `develop` branch, effectively stopping the metal-robot from pushing component releases to this branch. -- The `develop` branch is tagged by a release maintainer with a `-rc.x` suffix to create a __release candidate__. -- The release candidate must pass a large integration test suite on a real environment, which is currently run by FI-TS. It tests the entire machine provisioning engine including the integration with Gardener, the deployment, metal-images and Kubernetes conformance tests. -- If the integration tests pass, the PR of the `develop` branch must be approved by at least two release maintainers. -- A release is created via GitHub releases, including all release notes, with a tag on the `main` branch. - -## FAQ - -**Question: I need PR #xyz to go into the release, why did you not include it?** - -Answer: It's not on purpose if we miss a PR to be included into a metal-stack release. Please use the pending pull request from `develop` into `master` as soon as it is open and comment which pull request you want to have included into the release. Also consider attending our planning meetings or contact us in our Slack channel if you have urgent requirements that need to be dealt with. - -**Question: Who is responsible for the releases? Who can freeze a release?** - -Answer: Every repository in metal-stack has a `CODEOWNERS` file pointing to a maintainer team. This is also true for the releases repository. Only release repository maintainers are allowed to `/freeze` a release (meaning the metal-robot does not automatically append new component releases to the release vector anymore). - -**Question: I can't push to the `develop` branch of this repository? How can I request changes to the release vector?** - -Answer: Most changes are automatically integrated by the metal-robot. For manually managed components, please raise a pull request against the `develop` branch. Only release maintainers are allowed to push to `develop` as otherwise it would be possible to mess up the release pipeline. - -**Question: What requirements need to be fulfilled to add a repository to the release vector?** - -Please see the section below named [Requirements for Release Vector Repositories](#requirements-for-release-vector-repositories). - -### Requirements for Release Vector Repositories - -Before adding a repository in the metal-stack org to the releases repository, it is advised for the maintainer to fulfill the following points: - -- The following files should be present at the repository root: - - [CODEOWNERS](https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners) - - When a repository is created, the metal-robot automatically creates a -maintainers team in our GitHub org. - - The CODEOWNERS file should reference this team. - - The team should contain at least two maintainers. - - `LICENSE` - - This usually should be MIT with "metal-stack" as authors. - - `CONTRIBUTING.md` - - This should contain the following content: - ``` - # Contributing - - Please check out the [contributing section](https://docs.metal-stack.io/stable/development/contributing/) in our [docs](https://docs.metal-stack.io/). - ``` - - `README.md` -- The `developers-core` team should be given repository access with `write` role, the codeowners team should have the `maintain` role -- Release artifacts should have an SPDX-formatted SBOM attached. - - For container images these are embedded using Buildx. -- The following branch protection rules should be set: - - The mainline should be protected. - - A pull request should be required before merging (required by at least one code owner). - - Status checks should be required to pass. - - Force push should not be allowed on this branch. -- One person from the releases maintainers has to add the repository to the metal-robot in order to pick up the releases, add them to the release vector and generate release notes. - -### How-To Release a Project - -[release-drafter](https://github.com/release-drafter/release-drafter) is preferred in order to generate release notes from merged PRs for your projects. It should be triggered for pushes on your main branch. - -The draft is then used to create a project release. The release has to be published through the GitHub UI as demonstrated in the screenshot below. - -**Tagging the repository is not enough as repository tagging does not associate your release notes to your release!** - -![](release.png) - -Some further remarks: - -- Use semver versions with `v` prefix for your tags -- Name your release after your release tag -- The metal-robot only picks up lines from your release notes that start with `-` or `*` (unordered list items) and appends them to the according section in the aggregated release draft -- A tag created through a GitHub UI release does not trigger a `push` event . This means, your pipeline will not start to run with the `push` trigger when publishing through the UI. - - Instead, use the `published` [release event trigger](https://docs.github.com/en/actions/reference/events-that-trigger-workflows#release) for your actions: - - ```yaml - on: - release: - types: - - published - ``` -- In case they are necessary, please do not forget to include `NOTEWORTHY`, `ACTIONS_REQUIRED` or `BREAKING_CHANGE` sections into releases. More information on those release draft sections can be read in a pull request template. diff --git a/versioned_docs/version-v0.21.10/contributing/05-community.md b/versioned_docs/version-v0.21.10/contributing/05-community.md deleted file mode 100644 index 61eaf099..00000000 --- a/versioned_docs/version-v0.21.10/contributing/05-community.md +++ /dev/null @@ -1,11 +0,0 @@ ---- -slug: /community -title: Community -sidebar_position: 5 -draft: true ---- - -# Community - -(Slack channel, community events like FOSDEM, Kubernetes Community Days..., blog -articles) diff --git a/versioned_docs/version-v0.21.10/contributing/release.png b/versioned_docs/version-v0.21.10/contributing/release.png deleted file mode 100644 index 598b118221b61d55a2de4b4c1841cc6416892b6e..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 87019 zcmdqIg;yL)^Z1>R0Kr3W4<6iImY@NGyR*2vYX}xRxVr~;*TvnP#ogWE-7C5GKIi=Y zf$w|HEN9M8)6-L3RbAEd=^$BYF(i0g_*bu9A&GwxmVfmM3IzG7zJq~W38XvdeD&(% zD{;88uCkwW;aCVIm4cDEKIbCixj+Bav2LwExc^$4Ro;aAmZjhZs}a_(3Jw(Tz zm@b;i9M7IkH-kMp!L;cdgg18}UB;iKGe47(!b7Uw)UwY&mr&*K|J&$Kk&j}Xr$?XI z9P@RErAn}@R)_774{_C)S5$YAV6w6{Y;2vn76zDCVl?2X{~fSx_{}fagbhr7M}Y1m zjX0<#@8QbpLqa8LooSh(X;i%QAMt_at<-hs%D*i^;O!7F{S;x z)eHfIO>pu^lNAjOSz}xOHL_8Jw z`nq#L?cDgtwdMt8dHR1uI_ZBJcb1o>6VyoZs}9hRs|}{lD!@s(J-)M#gtrQ%M-aN% zIZD17LIP1m*4^IMAtZWE)`QDzQT5yN6_vD$R5$&v)DkJqIt#W0|9O=LGDxGRO;?YJ zvTFUoI#E*SR>w1l#Rn3j5v8Zbm%ajzr(bOP_qAyY;7iy=!8`7sc=#hPMZ&0OX?NPK zSmKl=gX{Z)bVi}f;)d@0q=iIRk9Ga66ZfZzRap;&B+^s|^H)B1o=z_INB;B7JE4y< z{%dJzdk$bsd!165I(hUKoQ}co4>517m&-Wq2IC zbZR(oA``p%)9!RW@l6TJPvHobjmgiZ8(g)PUfm0;scQP#2dI1fS}o7UovAt;e}ZT1K|f61C5=><46y}*!l^BqF^t7K zp)FldM0Bv6`4UE>BaQ$0i7Y=~s%W=F=~Vg1szEcx;v&z*^W$QUM!_6MF5(6h!(^>H z&ImzMf9ar^nWBCE7dK{idc%b2scq@#z7GNBY({6T`sns`z?Y9 z1_e8n^dfQ#mHd@d602F)Vp*GCYOFt3w`ga%nr3CyKeGovdS51^#q)$&4;SbrPy7>Y zOfiv4oW8qN<&z#v?yvf)OdkR*4zUc`Pmn3fAjhnN>Zs%K7vp6U;Wi6%Fpm9`;zA74l`B zbQ1p0LYj@Q#oRG!esPXxr(xx{AsLNCP#LjZDKM1887BD!f3{3M7j26$Idj9Y@~BE{ zUpZ2nFTy=RQ6J@i^Cd#rsJ7O~b9y9FcZA`fPv01O=ELVtAE~e;O1|ztrjRT$ zRFSww`zvC-M(rzu;zAD?)=@uNW3=eHyma2|`be}d)goFM%Lb657p*c?X^6JUP~syJ zd=95rSQ%zzUNSP~Z5#O{-m9ikpO%piB(R<+>s{Aej<|8KMdVHCD=Kp-&km%l3Dn9m zmGo`};Pe10xFwYBj9o2h+=wJMLc&Lyd2ZOLV4#IG?kXR?a1ycJ81_EPTIJ!o)C6E{ z4D6X!aV->Id*wv}H(22|`pT07wjGlyOjekn@UJ{rD^ZM(z(&2*n9T}p2zWOqy`vPV zgh%S~jgz$epQ8IBn7|I^r_A@E!eHx(*dv|eZmGm4R$5Y!5nI(E?eF>JCkpiWS8T5* zBy06XBgSKsN6(({;SgDV@*qCt0-*evxA_^L)n=d9o(x=54DjSkU?O7Z z9i2`hx+x~HIk>5Jy=OKukTH@;lsW*~Q>C4vRm~oPid-EvOO6yVgQ-)7!9W{39;ObM1#Mh0c9x7sZf@I~gY_A7; z7p{T?jvUh0saO+x!>=aC^PVu^CttR$n58;3ndWtVPp2Q-;2_f}yLXbXmoH0xvkV_| z%5cb|mjMC-I{};j)%rAeE!(!GLfPnI^<_>;65)6a}T9 zkUy1n+W*Y0%_Kibf%T7L-d`l#AN6A{B(`)Exzg@4@fd!6i)aY8 z!oB1P-^&L&oAYNd#wcRUf__gj=(2y@BU)4-Ove|uysjyWyFhyogCX1hQlK0rUu%KC z8oxthsq-*VhkT}DpUEjpOU|b5KMg*T z{mce(0zQ9H`}gGp-omGU^IPkj-Imw?EeHuHK21;`0&;2oO~k*wLsx$d2lB7o%U%Ch zl^_3*LixWd#q}XzV?7!Y`?F|%N0UDd)K&eDgfgwP0$uvIvHv-N9>agZjw}7gh9M`i zCJ-~mTF8qJ{wKkJr~@L!|Nko~J6^;C*8W|`y>FRgB$D0#wI4fW0aIX@e=cbTPZSa!0AO)?2*Ax_=;lInQFi(m-gjU)e6ZzS zPk!#EcHwr{b$-`Uico22)#^N8zI%5iSAjlwcdgnn~nT{6q++6X)H*jGg?S?q~>f+SC>ri2W*T>(DF5c^$(^7_V6n1tb7jB)=<;GP3F z2??pK{luz?wf4t2#*~*u9kYMDO7HiI({X&)`=r+S@SI~;1%FM%)9V)q+&T=(w!Cib z88e;o6X{w%+VRajca0^v;4KWY?J~DKwSTaVFmCuIUDhjjxBLCTQQZn0lx@H?x^w(U zYuM^s%ueb*#!1)hk&=GzV7rF8y6IDt+O3dI$^$D3h69aE!on66r+@Rc@?S?=6?3yd zH#1k^#jl(_skE2c;FojmEI&K#IHR&sbXj7X>W34~Ej+!c9<2;HyRrhFdFZ?~6^H98 zEIG9wy~q85jL^HVjApJy9oY{b?841kSx;OibV|P-kt=d7MtGe1>DK8}n#f~$|9olW za$d|6MBV2V0s*)mCR1!|z3x|3?&|L&Xx-G+ad)%NRj}Eell|%$f<9 z`p6fygWG7+k&8uNra8FE3*0d?5LWQlWd_E#Qkh@ox9@XIL}3Vxjzg_@dsoi#%;|C1 zQnCnoCf1eGEiQQoqTNv_7K-4bd#{LhmkiCC)gpH=V7=zAa2B%%DqPw%=0AnpHIc1w zi`}@cRO;X9c9v;%Wqwghu_SujmO(~YZ+T9>wK^dy9s+oV6QQ2p*aldJ=-(_|8)-=v zNpCL=qyLJ(FuLo4n`6fpjHs)e1RH5l4313RBX3`=U6`nXk2_Wl9ILHo(z$q4P`&gx zP`zqQuaagbbv9AOMsPVp<6(yKOmmAnuGHv1c-&Ju=~NlIG{tkh?BEP27D=n`D!EC$ zM3tDs^3Ar|-LERoEPd(>&aA0KckL(##vE|?t2n64T}P0UF1DQipf=qF7gJ8omQb{V zdYY;6E*;FLBgWH9aw-=u+(eR9-p*^h70y_FX8=Gv7=P;zS$k_2^dIO&$fdsE`?R&G zqS~ee8+&Ds&&sqL1USVQ89o5mjY&R@mhEa%>mIzU5Q8(MN!M26RomoHG+x9|q#v8u z5Ja%O>L<)8!bCNiP@Yx>5gRhG+Ok*nlP!|Qew5d*d{=v#v}0tbcK8SukmC?-rl(;?&}uErzXQ9&tMwlkfW6;uN_$k zDXMag!`;QV?+@NaQLN|}% zC3QVHP*xB?fiqW>)XZ=kL?;i~*ZbAz-vzVU2jbR6S{feIJ!P$Z!!t4%C#KwZJ(_Ku ztJ$A4)a^(FpB{z`h;=T~+Sx z{r&`V{Aa0(Tvq+cGOE{`HRsMCnUVJ8Uc6CnPYvK$AzYYrcZa-~umk*Yt9Cul!q2oA zfyxeC6iPfs?02nb{@$nzM%bX!vH6&)a3N!$Q2#pk(-k*&Lg%SOGaH;qNs3KHjX-qT z!0_r9TFWCU?MV|bEDRXpKz>qb6eli!}no(k3lGIVFz;^K7xKWa!*kp zE=kO; zq6-y0?OSp_Y_@xt?xi{$2%0kdiYJDt3-e zj}?;(YMRanr}l#8?wAoN1Cjw!>uFs{;@M*}$L;{cK&|`ma5NN!onf=vg`CQ*Ii>K! z#NGz2LC!oEUt32l6RRN_B96N3A0P|g{jk~l`k+_)XR%VxgJkF^?Q1p z4yWdBBbr~PrvNzh*C-PAO_SbVte@vwe=vYj3l*jVmlu&)Z0CDFmAwoU^qZS5H4uQW zarxC=_{(1LjOE$MKenbIKY<7`>i z!>rMKfg3G8TbhP6hD%F5fezsV;Y}TPrAzw@vv2BWnRH}d>;^YDLjs3tb8zxNY9MpT z#vr~r>KBs+_Lz51NwENmvEvpA{1tb~i6+ytegLEd593Owz3e@(j|h0{D;IF$H^ z3J~RDuJ?wuI@aix5kGFev%?V_ef}D%L#G^W))!7rWY5|ceq)Xfys6C&Rb@=(kmOI8 ziN-ubL29JS-PS0R>luu?YVtB#JeFzjJY_-7RWa5snleUtb6nq|VX?_L5I1a*O%RV@Xm)lj zB=?EPLnA9ZSGy%M#{0riyJWNXdK87pZ5+yMA#l>B3n+bz8wURd%^h*GMI6DlxjY^f zZ&dyzRi#1_d2P&9zeTj__PEc+KY=LWDVxq5RwZ8~u#nYk^1ap}fwbmKrL%~R8~cHe z{hdmoatSNt4dG_0&&FMOEdcF4%*U=w0ZhOTxaCOZ8157ykj}oIG@Yy=7q2TT-i#7t)!f)7wR?JIki(^`F%lAUGP?1&_KH`d`8u5f62_8wq}G8x-Vu=S z^%!1T^|IPTM_M5u8J|bQ?73mq8D0umDfQWk-mAQ1xTYmCz^w=hmh2fk`uuL98|I=- zn&$R?6>)*%U@#{3!ZkO6h6)Z&m4{pZYAio*uHap{bML%pKOnH~bPqsSOfb9qS+(Vq z=4j`!Gl&i(hkJ>5uoTZtY9!D1gt)AtwYs?-nWwY4Mx4p%;-YV!yW00F;%>5pcyb{w z%hH#hcCG;#MT*n$p?KrLQ=!sBDkU;XKsfk=H;Oy6AcKPSDt+rRhyQSN?|X%8JpCjk zK?1ut7*b?g11anM+JuocG)Y^fj#}udyXjJ=IMWY-aU-OS67JlJL%Qv~E79oLh7Z5M zh^7EPAPv8s@B=aJd`-Z5sdCp6r^sN?%IVQ|+Egh^(y~rz$0GQ<6bnV7M#;PJL+4$gyckgRN+)7doEi&oKj_Y_R&O9n?!cSFy5~8vuvD>gA97(utKRaSEmbBj+B8eiiS1Ze=hL+Lw#4b#Csn4bQqv@1i!14` zW(tXZ<%7)t3kHDI@vyrTMa53Ld`fYQ=ED^uT0~xzxluA~ChIv7c)va_z4iX>Mp(Id zekkdYcS`}LitnM z9+k73Bmt|Ky}o2Pu{l(QxNcvtNPJpXJYXfGgNI@HB_q;nhc--RTo{IWJnjar%06Hc=pTsjKT zm*LlFCU-{SQ-xH!v`2Fs-ng@mc#N5nQs{0-;yCb{1cV+Nc4xO(Z=X#^@8#G`$8^aw zP|7-%*)O7H)lXMgu^Z$0k||cLtVJ9wpa_pqJn^!_b7y!!b1p7)L|mdLCk%#1G)n?_|^F>|%IUf9x_JXl(} zC^jW~GM7UY1-OWUu6GFXbmr@m&yG`AqZ#(}{v~B^fTRKIOrFH|7qH@AseOBSwBLr! zOSiAD$*|Jo0OvTFH5dHst&_TZWJ2u&t}ZR6!z#>`(Ht!ZdeO^Rvh^LWt?pBh9%M4h zZF6>hf?3_OyF68omKh(9BDsVgFDO|6U{RCiB$fRs!}HZ`RRHTxd%GQ@IKujGZDlk` z39`%*vxXqQyqi(SyFlMiaC+x6G{IM$bb3Oj&~MTkUx6-D9b`@;=7CUe7ULOqLRN&% z&g_V{uh}Fxh`K_N4Iu*0BaSX$B+$xHvf#Ggw;{UC^c8God#tq9<2jn@M-L^?&4Y2d z=>Ya&5>lo@7>P+Xy+YfI^mXa3a0}tV-QF0jLdLV}j=EDz7}`g~{$*E|UK7(QNSk z->a(~L`Rc_hV@X)2pu;_Cbum&jSS#1%pN25vKN>t#E43Fd2OrYlB|Axm6~Pp?tkaT zj`zcQo;eSNK-9dY1U7y6L?#`p9jx zS3j=GhW|NG{)`o`B3?fkcCv8;(djrX;z`J}6FtECwnEQED^4cq$I*kYlzl)niItr7 zstbU@)c#B6rp1W0lDWQ65}w=v%BR-4hiS3larda zDkh_In6ZR+qEUoyaiZCk0c)aYn7ZC)A0-*wE6o%=Who~!I%L@ipF>AQjYn|8m$-a~ zcdBo>jcesZ-MB%bxVrDM<9qg%9=ud%|Lu$bS-9%FL3O0_Nf{# z5rPnU9c)SN?Lbh*tWD91aBvB77pMJ5y@(XP?{dcc+=F^lvnT38REezid`PQ0k0$j) z)bk=-)=jG5)}F*YQU0k`Ej~Ry32`A}+KCGqs}s-bkO00QKM$OMbVJh`F{$X?rhST= zPMflsWt=8A47pzZje>Qgyz0VGY16RS2?38e%OoeAuJMf!+r~xN9@7ujj_M;EVn&(b z;=TRjm{OuJKG{9;jf>a|ZTso-@9qtfrtrE3T8gOFExI}I;wqU~KT2XFKODd|(%vU; z;K3w{1_XMK#V>$Z!~(b27y zA+@|O6YComH>51Pm%?hd?vRARd=uXNS1Tv!{o7Rf<(B+@(q+p?peH9A8%v%2+B8r+ zCFX|3>qS5sh=IMP5-gA}mE{;1QLvxC?Q2SOc9SRb<(j^GPn7}l$~8#z1jT3?T!Zdd zNk)ImkQB~4aHH`cTh{RwnNTCBg$WT>n!H(J$J-yc(Ra!WNmS}P2057@t#%@~?zTwq z>2zm1xinABzsCOX)uf+@u`MY|S~s_ophiY^Qrp(+rOaJlHwjeEHkvL@%$eSW*C}bw z-ul$oVwsYs_mPSV36@7PiDQ3oeYuEgEu)i@h*znkS2=TSIZuDyn*p(mF<>n&)GF%E zXP|!h?tzntwsENc%2(>Mn?(BSW@ZD-VVWk!=0#nw*)#G=pj)Mj>=7-)03;<{Y4V|` zI>$W00iDKaPg(MY`HID@n-mI{&Hl_(&@;YT-4@ixE?xFSXv0r5hwn=tO%$9O)N-NQ zCTl{YKJWjgUVuhYFzo>&CPT{-hKO~-8h2b1k`)BEeS}POF}()uaXZ#`dc{moh}sar zSE!`Mn}G}?#jW$?k?3sJ;K)SK8|;zGD2I(8 zf==21p-6!~F-i%4x?M<&d&%~Y%|J0MZ6YoDjC>3#zg0Do4QTn7N%T~+>$Yq&*Ef2F(6;p*A z-;cy*);BWNA2Ww(ZwG^7mj~so`v_Z~^hl^LFU@D8uZie5!VtYLqk~iJ7ZdjvOVq3b zN;JFs@ANDE)*Q1T$i$SWg#0>*>7)}$5lV@!*@O01ow{H>LUv95NSuJ3>gybZRa5C= zyl?WE0?~27odakUxs$DUmHeL(8Z_gFL;92_5YKQgDY9|P4I}9-*yDx6Y^h4t* z-rEQ@iO6Y$AIW@hfpXCmUnIH)RuDWru%LE?dzTbA-X4Kqu5aZL?6T`s zrr3H`_U7#p!6)^20a(yk@;SCeCx}opZ@+WLCG+Je=pFb*uGP!r>B%`WN-OdGNaY~h z;(3w+&Yjx1r_i{evF9)xPsZzQAriO1t~S_EX>xwm)7xtz1uec)~eoi%y#&=4UxzXC#jjLE{@|MTK>wMv++bMe5xGkT2tA6wNN(WZ; zVb2Z5v-u}(_wjOnL9TT&SkZFD_f-g|7q@33KuF1>*5`M&8;S&%j{Auyxy;_1q7AS+WIL7B=$ zg`ufa@p+C#D+~v5T$8sVazX5D&3D^@lO9*guvrFJ>0Kv@G;1vQFH2(D(N098;Hj*I zAZdIW&!O}M-)t`jcAl2D7y22(f!rvrcSAH%**(VA37S(`EJJ~}CAE`#b2UiTakd5{ zVt5I4ws74wbtYhAa-jg{4r(U9tq1yY_hlE06AJbgiZJcvo^$2J+L*IyqlX1LR&1uk z*?QrfJuz&)96Is37htb-zlFv`I@&>8`BfI1r+V8!dT$$9#b(o2GZp_vnRg&!Z-V@z z`lrkN=`_7s@genl4EJmLu4U1Ff3zl3fFmH;xh!iz==F+f*}=-8{%W52SKOKKDjpTE zj?}srHki$4S|Q(NJdfnaEPk!;S}VqUI{w&^(1QmE4=UN2%-n%(mLCdEv}do<>$N-d z^~wQ-Mt{WtN7(~j+DAxdIX&!f(vk6p0CD8IvxW3K()gQEPesMpcWI_wC1D&`D zPvkrZ!XTZ5TdH#o)}{k{^D4d`vji|-X`IS`BYoho&erQCHfdYwqTBh!>QRE7-^M>e zSI40?chbRo`v7#Ypi^(24P^Iy7;BcJ!!P-GK0)O+#6NP%A2vqehgyFvc72ivdNO_N zVbp8_u&LK(&M%Uyad~4L|P)aI3Mml$7Z|aIo#9Th`D;}1qGBIRwk1k4l0-{ zMk+(EG2E&o2-RYZkbiro9WN3}u##HfEnVex!%)0X_j={W%5K{^J`dn1nlc{SW8E76 zj~MZB7J3LCWO?sf$FN)TDV5iTXbP+86-QQ{Ob2jRRepw6w8ZI^Bh)YWnlm${)G_g@ zj*d5$DKIZwq(73l;e6ehVn)(TWL|z~<$umO){40K&Q(Ag+f|}1d`?G4?M^dcE%LtH zZR9BusCCNqJ>R;sF$Q4JrMFmsg*l6yQ8oj!6U&YvDp3}&Tg_0YFYVOym->5{Be%s`gE9dx;ar&7A6 z^9wzx{@pryI0Tra-0VRb(Lw4S=}z6B9$32_TY}w4ecUPYQz#T~Kpcy!Ip0_;3DhB_Bk-f{z6=w0N$k^$0NgPXixy_R;1DQ)G% zm2bc(%C=zQn7sRt)p>h&>F6ODlV=8p_565%Ye*AMxxP&o98cqKJ9fHohv1j1an`27 z(ss^a)l;VH{cvSHMePoDDS>h>)e_O)2}&k`%S~n=yjIST+UX24p^l@|YutE=*BMRP z=4#XI@$GYvl(^?jV6fyh_AtO+Go>DYb;+9j#pQj+jxi9=UXp938NRjPFR2L^oGW}c zp~zU;Z82uIruQC$I)-%^E*J^nv*k|E=yKUm*v{8rxSgpxo@V*%g{Q6Q&}2_&Upi^eUa3pu059cAn|GWS`Re|EJqgT zpoDUs6nJvZ3+R=pv?!Hfs}>14^H)?sZX#P$hoV z@OaUq#FA5 zU{?)e117q$WMDD4OBSY(V+Zejw0pblu^MpV1kNfA3ly0TqKtbOmn?39>_ZlV^F^pJ zMe0FOtk|%(p-e>$TmjZh-MfW`)DHH`_q6a!I}29?WY) z$tYY5iN-M4))8g0UeU9~#G<)I*E98+3Dsxwpru`&jz?SmA6Z)iYoZ^J`MYIvd(q;pIHNPNh|oh>#y3rg!tYHrAkTeFfopU0l_aK`DpuQirY1w} z_?*&$?KjYoXvPrBQG#yo%>ovm);*Jo?K7gbt1qJwMlM9@gjnlt$TC$1>JFq+u+^W%v2J3-TvuQg^{ zwpA*&Pv?%oaqO-97zSiLAM~i}5Y!#1^JR3%xYcB~eqnstj=g)$O>&EAOdlZMtjSe8 z9pn=K$tRW~h{idpP<4T0);m+;^&g+U^95@2#SN<5U}|t4o+TYe01v59G=M}$$v03 z=r9m2?4>RC!W8=%(>P+?KXX)q;9o#!wE+%0U%V@ybA3DMPM3K8BNsU|#yBT`^U@@m z?w@$f(~5oMNva@_k+1jU4#F6&-?q^xOhjaDJ0^G- zbg;I4#Yj6z2H%UIY)17P-#YbxU?DNYK-`oR&+;nwa=*Qc7KvxBWc3mX=5yrkC%Uf( zEym7+SCMPRYU*@Nv47GEe?KhaBfLRDjh~25Nh(4(GI9Ye9m29*7;Z^iObmL|hmF&# zDSh*cF*BiglS@q$5M(&;O30cZ8umnm4+=F+xKaBW+i7tykKBszM z>!he>X!soH^T&Cy z5Y%|6Jlwy8&wHPI)V@DenU*)diT&Sy>=6GA3Pl*j*#G;ckit6*($4?0GizNxh-@7$ zgfe9@-^mvG{Zgd(9uGpZx-jN%R6;7$M3kT3(w-qt0(kL$w#NWMyl<& z|NH!x_hY8hIk`EjtJ-`T(hw>O$&F21t_^r{= zlQuow@bmq2^kSK9MU2;7&P`tPGwP?Zcp2@D`4`o*oYn*aNq>2Ne}95c$499xyeS|c zr@Q~pmj8LqlA_OBa5OzIEQ;T=bmfA`-JT6zybck%Y^r2c!6m-r)) zQ-;+S{XZ5d{C}&fcC3i`IeC#OQ31;NgJF#rN#@k(@Wpg=woY~exs@)NS2JccU0pp< zNpayF8L+;40Cb}`lBV81FPQ+g!7rHtx$O|3h|rACllrCdZx#f8CvMQKr7Vs~zLGn$$f`B~NFZ5kn=s+yW%ZI#8H zMEjicr5oSb+1aiGw}+>PY{G*$h0e4p{BL+w4cd+j5l_rdVUpR#&Q5@;O-)BNoh5vt zr<-!^;3(X-nlryHxz6|W?3z7{b|CHrI!j-#ysoCZUtILZg}1o`(qBeUNdtkeIeDqs zFKFCDupVMPooKXv-bj9x=op#7)xbNzFEJ7gNZOrKZRX{(zvQ+%$D-85#|aM&%~2gE zVK~mRBmdhN`V9Y|pq)FjPaT{+iL;{{4&!&|(=%su#|~^A$_K|QbMx{dOO-cvSAS;D zMn<=(`edx?O2mG8)?=Vn`Fmf3k0v@qX@^^DaUs*x&G8WEI0!czRI z633>O9j1y!{maS&AXaMeaVuXdjU2IPa&kPot7p5PV>LIA-xGU8wkSyEOBZMuBP1|y zLb$gJs2S1;(&GQJrJNqkn4)oRr}bygeU?5z_Ko0&#Rnd+OjD7P68KMipc(8P<(V<9 zQGGnvrb|`!70vG*7{J}qKPG0Of1StisoZ4=c~tRyiBC0qI%_hCiP>W8Z19Y)c;4%+ zBqd6*Lt$4Q)!vNtyDJ@&T`QZ-hH(RWaPPoU&l;ML~oh6G%ipAHL=biY)ga$JJ z^0jh-rH5Lj2`2bDPAyz2ytO;#46ULV?C<&p%wVI{UK|PZ4ZpId{Hgitb&JMS&xD|l zV4*;ATs!3?rEJBrOH!-+Wu&MKUI2(ROSO5OCE)r*e03e;?MQ-&I-cu%QdkU?Qp#NY zTX}i;z4;oUxPxQ07q~Xs+*`jng}4bl7M7lxft4GW88U`UACon!Ry~Pk} zM+gQ)R-A?ouV>zvS<*hidI-00G;6cy%*UBI-QYVx_0n8N2nyV>5e@ zaJppFm5brIhd~p;GTTg0*Onxl-7-F++Xpyu^9{~etoD?AG@Ehpzb;8i8u8v6aGbH6 zw^A>vSD6iup}*Tru3!KDV${?e;2dfcsRF<2_M4v(MWbM*x;z*6z*A z_;4X#+ec?f2Y2l~4Bkn=%8*#;2xV91d+h1G)oGK6QvcjwXZV$fI&`Pi^$8b_%B(pg zu6>s7LKGBJ|HUdmSPy6^wl_g8ODW9wYxLuSRBG>Htb|_XtliVTl02&fltgS-_Xxa} z882#~1hd}Bs&WqEh!a;`Ose17&W(Bu%irUK;)4$ll7Sed33#7qOcdQ{siyqdX!YA%Ycd#3O`b6}v7ARBI?)ZX` zm2tCk;?{YlKyAK&3a3eCLX4I)CxbckcM9@}yzZ}wMiZlQEoUs2g4@ba!uH!9=2T=f zPt}Yp9yhG8XDS`86_<*pIz~VDJ~Mb5?+=NaSf}cZ%n*GdSe1FApsRPYK-!sTb}5NL z@J`_p3zo#lyDsj{Bfl8GSI$nU!w8IcYR|AmtAAR2UF+c)CT*E4$Jg%DKoh}is;5Jk zCem_{-HMN3pKW!7`*_-IJcsF>D53NV)o%Yi)fV@MxjMokikq#!KH zAvEn(?a~ayGDx1ZzMJ=DeNU@Wbp$je^}anK+hxyD5(t6~D_c@(ViO+y_8I;^nW?=lYp+|6ls zJFv;eFOXIIwx?QmCWRS-eASwJ+C(<=WHDa!qZ861azwnSyNqeDs1)z#ta#)h75W}QUjY}zfbB|tqYW6 z>8r=+u1_$)rSOiic6w~zVvc%tZ553U{s6}i7?2k@Y@?ozu!sMec7_M25 zc<^T<*kZM24pMsC*bJNKb%M&BuLN@aQW3=7s~Ns02wutAc_f-^HefEjRwg6QT|G3B z?9HP~s5*Fc30n@mv@$>T_IRcuI~=HUc<#RiBC5;cP`rdXsrUF?hi2QsqlANh;1hZgu4*lBaUjo7RC90v~ZHdN8&z^%a>K7LA` z=Wd{}qBEMj4%4FmyT0L(Z9RccQhB;Ta^-Ghv+gS%MiC7NdoZ8gBO@oTFy6ATa$_@4 zK7n~DON4j89yy*c3oziW!|zU7CYo$DRB<|5^bg~Ym22Tv$XwJ^hv{OpRAG#4_!aS+ z1xODcmHSdTt(@ zqeIgLq-3$6&?;Kq4?{zlCFABFu$i9GFo)6ua-jqnJO-1}CvmhFedN*!Grrma6n@Se zRNpF>3Jt0dB-S3QU_KjT6AH)=6JHi6q_wrGgBC)bX$h8o8Mfzb`Cpk>?eTFl{3LszP%IsCFc%S3sLh;*V)_`&?OWWIqLqe zCbNgGxRJIFt~106-v=BA86Pb1zud*?^BPU=XmDL`!S#d@_Dd>Nf&CIvZ)o5^^Kwz1 ze`QGUQ39m_KwtJ$6m{oKkaids?qTou*I~DwHy%#C%EaZP54vMxg|7BSR`Zfn`Q9sJ zv5p3uZ1g|4Af9ijsiO%0QCm_7F}QOAZ1ZMalX( z7Q)<}7<%coQ?-?1suGWPSI3M`gAdEu{VdWCwa!xo$RP0Y6Eg+v*#nF^iu?1pI=3xQ z0@v!3y&0Wn4Y$MgLMJjvZO%XKUndInhuYtO%0DM}%rPk>yywJHiT&OdZf&IVlTu$D z-FQ6;jW&TDdjnlZN)#6+772$bz6v$qAzINs!IXM*g>trX`#TdN2ie|0ghRr^8y+mD zoX`2DDV)u(HFAAKvbnR1*n)^pFod$JyGJC%?Jkwnow2(|e4F-WYhz6f=1334)MdE( z;?qYt!d@BYP-K=@Qm$QE1snzKTu}M}v$L7r2m1SO?A)AK%U9;pLdqQJ%J@GEM}ZDh zNFw&Q3E92-E}|r@Z^_d8^lZkn`OrLso&5VX!GnCABc;6c^N5lmx$@V&jx8eoo$P2g zcIksoYq8q1hcH#-<0Xlb?W41EdWrOKB%GOSmS2@ME-l3zu(j5i(rpcwZVcZ>hMSnY z2bGtqAxTeTM4x#+7lxtCM$%TnN+ZvfXB8lyxs0QQOR`8r>n`#01G0E;=FRYtXl>%ai%;VoD5tUSm}>_vG=a+3{8( zmd;Y`kF2}6^sxt%<<-I6y@Cl`#cc41hc6byvv3)1wqhe`d@?CQhIv=Ty~ZK@f;h6i z10n>F&!DzR*ZAV%i>jid+A^V1|U$Twri;7?;cs$I)sgX@Zk zN|Kzjo-$Ak-llKdmmK)1E9t57p%_^|`5qtPMtyMe8Eu2pn_b{S+?xxn4CBwSPriY} zUm&QPRX;Pc<>A+<^IuE%5RDwupGO9bE&#|80Yw@341X@O{9Ji!_X*M1I?2zJjD;>z zBeNpUu;$njhwALn@fs>FTwAe3b%FJSnUp-PT=>)RfvCeSot^^gr_c@Ko)<;-7<%ou z8=qEVCF9?Ph*M;IRSSM_%@PXz+Rnw-qUEGM~XcrBjFR6_cVJv8Hpa zYu*k;#6y8=vP)`^oI#6DF|w;*Rc}>{Ze3nndrpu8ZrIB3NRjZ8M0L~5FnQ=QD11Ur z;X<7jLIJycXp)YW7Pg@F0w+afs$CY$R+3G_0jV>7N#^kJ!2dpAJMcW zVP(ZHwix$M2M(@KQ#iR}`AUP1G&sb+jIR^D{}xzf8yw)nQ)m6Nv^?LhjR%N&cAI!V z?n_6^{I;cqvh;c;hqCuWv{g`BAgP-pbscFGmE2TF*Dg;=gUy?^4_j1Q8}0s*98^lB z_(74xnk}{nc*Zi+%AW#LW1+?6Iy9Rxq+;WXfVrcq>j11jsQ5fV5szhp@q9`7=5 zv^PhQA795}<1k5LrKXf&Rik&fSm9sC6Om!G*SnH)Q%wQA#tA8=GBI+I|C)5R-$Aza zjy$u%*~8O3@T>iSS;+7&Zrr#mn10BMRBs_HnYmpJEk+S`jXQswt?0?UF4f|dQPre= zojZVb3MHy)|BIf>QyUJ%MMt}X^;cT3GDu5J8na}3UdGlE0T7I(+eH$Lu=D8#` zeP0QU<6kwOON;=rKM)6Jq~tgbQYQahdX|>Z(X5hS@RU%nhzr5afBb$|-O{L!TBBHHaO8)nfVgvOb)i52O?`90EW{Tm| zsYq?9bUr0L|7#)!=c+gw_atUqF;r`4=;Y4wSfvq|lYFXleEn7dga41Zw+yRl>)wZz zR8r{%>F(~3P5}Yw?(RmUySp2tyK_^U?(Xi8?suc-JjdV1|Ht>b{NiG+xz?U@tTFF# zkJ2Xwk%;UZz{44L9*#du2toU6B@|ZO?iYMFr?N@Wr#Lm`EXnR`Og+oxtPiQ-l0}l#bQ+^n35 zg|=7K*H^PFb4u#8SS7R|33uFjGv_$yD>7SBq*c(f$;LW9yN)L&Vx&X2bO6Ucs;Q|B z@ou1*yof{RMR}pnKg;R0+}K%*z1!I_%oUH5SSfxfB!&J%TewSu1%a|U#eS;PQe>Ji zbHZV?k=7HlplvEFf%uR%F%t=M^AZy_)javE$wRHxh?{Bi_WO_hw=Z5dt0F_AE=!Ai zj!*55?Uy#^O z;}gHOcGmD9+U=#kI?;>gh8-e%aK6cvP$`vwoW3fun;c^=gYTxL2L9>OIy(nfTbr4H zit#(uv`=MT=NS)-D_U1u^M{XeRc{8Ad8S3|Hd^pWLbg3UPRQUlkYzX@b~8{YRbyj} zXutea(UeJVkqMfBWC&@WseYL4puyfhD&<>02=bEXzkr6ISn5yjJ#o-mr^~QCuj9*; zK<#{FTCt#G<&G>KtwjNXO2`y@E)OTN_W%wX z3QZp-&IpG)*X&I^_oxg-jOz2$2+h{k@a*469+UKp-wZ!q`uscqZ}S+CA#RDc+Dj7B z#Y~ZY?$FHC7m;rs6TUSXjkay{4v^rrDs&JXSK;ay)<{N#IniPd)@Q7J>Q57Ew)7?i zBK=%8pjFeVNd9p$3xcPuBN~|!ik0FnqL0)MToCUW7_4A=&q{I8#Dz$QwpDfqN&yYwoa1pBR{*_NDtxQKu&~-We&)~wiewr1~KjV}*9GfM+CsNdx%`+i6!YLS0~V z0ee_6%4Ww*m`XFJ-Q$))D${O(Md=Tz%QT1)j=k|53S`kyqgX4il4qn2G${<3G)p0| zO>M{n^80Yj?ufhP2KyV1ykeGYT}x=RvZt8vQp)qia_q*v8zi*=#Tt|O4`hc8JPQhL zv(?TwBtNIE1oD;nSq=Fo>!xcVJkJ4&?%hBbL|-8= zwVGVoG^e>S;1p);r=Vv% z-W5RlDHQz+)PmCizpEQbbG_x(Kn?+pf>EBvqzP5EM5*L!Qa-6hHjw*WiAujF(T&U#fe8vs9JLyt=Kw2<&V4 z3GR%Sm7|vso?FePcN!n2?up?mluTV?Chv15x_dh*>$h4f>03mzKhw%XVX-l@98(Os zX@Gw^`vgNVYe>r}6+wEi%5mB?J)qcnFg9f7%4=h41U{EaA;Ekk9%rE{{D_Z*Fh*#J zC0hu;`h1LKitgzwVr;TS8k>>QN5z5g`*m#_*>w-kOh!beQklxm={Z32BAULGwW;BNi z;huvyGiMwmKZS)DxXB-GE_QT!NUNO(6S7o;l8WMh7aq{v~~5m$Q71vnhrwvy;SCuxW?lLVU6nrkwq zl}vM5n+>WTN!I6ztlJM^FopYrL)lmWs3(;7#L{cf;BXrw*K=GiW`~C$H#Y$ldg>S_ z$1Hf|Q2;SvdXIvqflzM;Ohy|-z>%waK%Z%C~SCjp$mV ztV`^6D2wL8(gN185p;YHaC-N*=k~Z;em<;$&zejaEQ9C?w-)2lu!eFC-w?ZGtaM*E zyg0890ZH(7{g(>Ztiu^Ub_wYGL(>L7XCS~`YxgPd2KKm2%L^2C1GsU%-HnkoA6j8C^J{<2ty$;(W)g-Lzf~@ z*dB4um`;+0C5>rRB?CjGBb&%U2$RS)irlqsLc|vMS;!T-`kWZ0QQX?LvQdOwv~+BQ zldfen)jKGKGZ);qdtJ>%z!HaZYRAk-get<=U&@zv$( zE1|Q}C5p@>Yq+>r^X^kQ63X7+;>vq46L}=i>l-_v4JC`#G-87{O&M%8K-ya<_=_Kw zF^pG}M9@9iB>bYIQi;lXKUUBA(Lew<1bC6ZLR6`|`v+-?n zMq>-MCI4xF{d9!8xgmn+6J|e#GlauPvLZ#Kw+}X2*2q`vX&_6(?6G*KVth#oPY@W5 zCuxG+5}vvKmd8vH5~H&hCVd-cvu(Yn)H%GOQt#{-%{z>n;IU;yQpD~f z)CYZSS~Xt`H-DX`G#;w_xNkh#wi^^|#W2}oQiAOslV=XgDZQgcB+r95}U zaLraoyx>~a*$D8GotEO1DkQ=N9BZw~;00A_YjU!G_f*Q^mKT ziKyuQr>T4c<$Yy376v`XYV{aAh7g-%!}>>O0_5WiD@NQJBJe#N&$GP|boguP_DW!~ z$N8W4&3(C0*Zc2TE-@zpC~`zL_6^_wc8PnF=ioZd4EOF1A~0?%iCe8iYg2+Op|+G zL?t|_#;7~R-qH%46L_h&6)YKgq;cZ_95|#u@=9|d3u{NBlU^&GENRFlaN2qw&aJR! zYUVGK)5R)j1N4&z($pb!YXBGuA;DPZG{1J9NaP8Rf;pQn)3yO9K2;Y zRMx$-iZE6fxpPSR+|kPS&2B!lWt@!ta*kiZ%&w;Q*^pe&=aKUoB*hwekGE;7fOB#u z)%d%Ut49lU`Xp|LW?R!^FjM<|Kv@z|;hYIZk_NSlvm-uNdcmisYVd~HLxE03rIHj> ze1DA<-*pP?GNu+ai_0$pmpJX|LCaM1o}%s;p7u$=fX%M6DrCxg7AjGxekOlfUa1TT z6Dcl0KK)TbG=hOVgVVTaHp&djLl#(E`{<9+%z3yZ_77@8#6GP%4DQ)vGw1DTE?jUo zSoQuUM9n&QxSz|#)e<=~u>eN+diF0(B^q_1ivp&$+f;%+rUrpti=c{!vC=nZC#o?a zZc5dUv3&b!r3~>jJ#z+GR;W&sBi5KHhmWo-(NouGd$pD1>UNXWN|tCP3qf67KgNu1 ziY6T2Kq~x9Y<7mH%)?zxppb<`gl)Q`CJ|-Tb4l<o{lI`EGCf=p{e3!)A{Eu zpBkE79NpO~0i&mw->O=)s#~^dtaSh z!VS)1$IAf~w2W_7QAI0iYBIHavWFI2-ts6p*Od(wek8)!V@d4P3o}4U!`NuOq+Kv^6in1+{lfr>JAm(n!%-C!(3S(2&!rS>tRA*5_t=xFwah(~{TE+uH0eE;km!{Sr}4 zB+jYBsqy%J1gEvyI8|<~`9osBOo@8fvJ`n9pyB)XF;2O?8xZ3YDQV~~Y<~|ZH}&7_ zs)(*qQg(@MB6MgU{VszYBBK)&=kh4~2?WG?>09icQMeBr@~yGB;-$|?tR~-DU!ya- zV9QaaFopDnW!lc_=sPMgS{+#rIAQeT7aJwDMDpyhD}!C-(kcc$vPP`H0{B#xw`>kIijrm6ak3s%I(pay3~UX~YEvji1g9bu%FQR>UI+Hj+~fC7jh~xN zuITNpVn(jASODu1P4D}82L+6>m=g{o_&ejTE8wj%VZGWT<1CZnUw-oB@ubc*X%iMv zIp%6(F_oC(ju+{v(CbmwF4P*XJZgkqodhF+e;lu5pPSE|G-Y7&(pY{3IZX%W|FEK3 z>I7f9Dk`P2Z^lUU2V$W%@W&718wof{@sX0UxLIKG3oC+T6~$43HX2@EGlmzt|ed0*>9DFAo-dR?(yj#8U8V zbeso14>%l(_K#m3wUp*76pK(NHb)BxHR)VrC9l^z`D^*3=OP>Txt(iCkt)o+G@ zhAx9Q%OxRQeStkp5dI;CCXVH16yI=reQ`_bwBy*Q67Fa@SU9FnH-Uo zgsuiAbEVw(J=G0sUc1y6b?KzahUk`jL0#3dZk}2^u=N>Da?EKYM4}N!dvbJ>BWHzL zv<%s^DQW8(RE9P}n<6n29N!!mk~@bt9R0l-vvZZFrKD0Te++SOJG;K%)v7v?I4#^F z)??NTVKG4!r;<<{;B=O$jpx=YL<@c#W)e0G=HT{qhbK>?A@M{_q&1B|ER3!bya!(7_`vXUHBJo-!H8V+KqStdy& zO&s0f+##vkKY)Vb@GKBF0Sp*T3CZ^O19PgLWwT|IkKYImWTRtT&y1XH4hAIEUO?fd zOzU3%(vZTPze-D6|7aIJ-Y$-3SjMGmdb4u;zMP zLoP~b#87eSit%m9yzz=0WwZ^Kty9fu?J?vWc~BtmixpMA zl9^OBI}?GD=QvBd!?@TRtJr0*<&^)%0`z*ex?-;CK`}{EKmVfg z)EhpV8fH5`k%J6dfujm(u)$u{`l&LU;_$)iQ<_MarcQWIG46HyrFi*dw)|m5ZIBk< z3w?xXEf%cg;EUIyV2+*C(aV$P+0Uf8M2w-*60H~3t>c}SgP%cR!a8_29-;+I+J^ZZ zx4hwB4#m%vUTU#eIAc}55xet{+20M={G*;V3B-NZ=|&?Pc${sYm_fojoc(;+XrH>uBK-@CMy4DUCN6)l#Mb>|g4CK7Xg zoG^LK^4!;#U5f7xivM{4VdN61+$Y%$X6*Cdi5X{21iFJrB{%po?3)J`-Ml zhsMgHMbbY4?QOIF4ve-%2L;hC8Oh!M@vr`2f6ss*e+FNYjLhHhx?(4x^s?81&Cu{+`6{4`K$X3 zDAO?{B@Uy8J&Er}IPajv`MYTIYAAoU-+E-lyD3w63i&zhM^ORI*Xhn^-tS#ODOQ>? zW6>0;r+twie2&l8>IF3thzx~5B7qa_>qh#B8W!UNDrgL`u3v+fTMW7_<4cD&{RiY6 z!P4=K_=$Zc&2O}STz6-UuQx$M_^)Xjg)}za?H&}U|8|&0=Y41R01X)swJ`jR6*_tw zPND#`nr)7+rnKyn7HAeszem+GGc7(wUQmS!hp^4?v;~3v}1h)LStpme94M$#^ zlnYRW^Lm8<_?}oE!xPxPjLAAPkE!)iKGo$s+SL{zX=Q&+8LZG*uaU~s1lUC)Tnw&jN zC(K=t@aK)8% zJ<$1;nhO;e6O)ouWeAOlTQc4UF)mYeXus950%V&C#*A=#uH#c#$z0P%Wo(jBx}(h5 ziAClS>x9TIo_%?W2oouv#p#@binv(2dN&>sX>+)p`1qPqJPk_qx}%!HHkV~ka)hqbirYl;-Y z7^t-T)*I-wmRe(hW(d0Rlyr8aa9txCPXV6l3$1cpXI@Q1xeOm~>mYNbHWt&pFk3+h z5)){*KXfo2>5j8*eyNq+Qw=#%w3F@94qNnU&&c1+Lp~U6C3?h0SC%{1Q~ec&+#YXj#j3u?#-E zN>33#q2Ib!878YM7V{V8l2w22C+w=Dn&>-lY&-L9asQ&r}Jbx~v5Uh&S#lTvWB z3klHqs`93wj5k}o=+x!vawo8Z4CnR<1ucC4wn$LCWEkZ$1n)*KEO?Kt(a!TU6E|F_ zrw5%56E^e!3RR#CYUjD0*BLQAScJRZEw8L23Jgub3%m651_^x#{O;}iVEzMa-*WF9 z|4CP#*s=C``KRsQVFhPSAU$qi@v2n$Cw>cA1!GX|AR*6d1cdh}8G!*(#;AN5@$29W zwb$kA8YJeu`M%`}xRfc1U~8HO6(J_A|q3iLccnLJG{su$#vK%IibFmU_n2yMaVs$`V-TFC2?Ht5&h_Cj2`f>%~n ze(ot0J3gRp?pmFD9JB^~e$f%2V?u|>+lGypkP<3Q#;U2nYH83uVYU6vYEuil-H>}{ z+RJM%)fex^k?ZBuRqMj$MgNW^LStr;uYDHDGZ9o2fmjC~2Xr!^u zoc8y?esWOK2ZOd48taasAv?#Mj*d<`^*vSE-zekO>2rWf`~=TW zUGMPIN~aIr!65)TSI|I-ATNbqP5uqv_$@_}??K=>JTzFOcrwNDTg;+lIosL`V_;2@ zJZZ{@jHS@L_E)+5^Dk2IRXQKq-*pX7V>0D27KL8q+P4XhxkG8>3>iIdof0Y~Av<^W- z$RYOMsOaL?$+p^<%wYhWJQU{JLiRuh9m)3p5Ea3vSLl^V%msM=jng*tKm0`O^@LF}KjZar{cBB8UGqrdcQS6!EX7L=Rq}#+78WS) z%2_eJ{~G$6$;VeC{fPVM8wBgf&|M50-y1N!uba5Xl_bIgwU$27``OWWS$%4CI@`1} zwEVr(5O%NKjiG&6a!6!CCwp_FJKBnDDP}mFXa7JLbmwh1j~^1Yo6*3tN_a^TE?=Wo z(;T_KtcvewMVlDTv%bjRAdr{*b?I^jiEGwDt%6ca)UMZ}Cj8Hg(2Hg&$ZC0v7z#B% z!8NHQE0_E4PNbnonT3H0aahr3c6=Am@fXCF+9c&ISz?DZW7?#xe4D0Z1e0r+|MJo> zTj0N*S%7|~=^oC|iuJvde{7O#NTmwbYBefXTF1Yr4~l2tHXsTEl>DeeJ`{`L1x3HI zczZ0W+8XXFwY)tv4Zvzz45 zv-(g8?(SWd1d(CHNk?ECk8?>K-~+DIb=5G&c;1ZY@J>OzI0R4Q_nTmfjUMrAB@`Wi*q7m`1Qfv2}FROqdvOuS5`S8-@`W_CI? z(3Rdl4-HYko?YRJos}{TsoK3ULU;QisJl0n15GDewrg+?GesGlG})|NahDuzlU_O& zz^gy^18|FAZnjVu|0g0Aq+wt6@5Ac{%2y}VHAmCFX|~sT!m(&{VxSqyY zt$zr0a+287Qe33Mm`fQaG1Fmmr8J=Lq&K}_a0|8C}f|{7UiQ6YvpaUchFOE z7QENUXj^e2^GpoN4h%wB#^}Wq>h1Uy$3=uF<4-eq!gO_mIlA4%x%N*_{!)4aTi#MQ zM?%$a0l*W}!Hbl>q}mtA^xCDQs@V(%4N4}vCFX4E*vq3u^p|Qkc8uttvgr#F=Ox?B z|GpDcX^Hf75O33fog& zb%n%A8~Kczt~3Af<8RKK(e@*C`Hk-GH>^VF<^`_azI=H1tG??Q9<%FF9AQNkRBF(a zUyH@Fj*1#>v}qoQmi9HuA-p3-#=IUymY8z8-WX>KR*v2gX%4p=WzM3wy9d}g4yqH{ zO=XK{D&K?3C?#6jpECWpOk(OgzC2*z4y)2zNp!ru9WtC7E0a>G@HzOVm!*x2cbqJI za^DJ!nK@BYn`Hc7>k|+LuXxo@5g>5ppd6q)sET4bmYk+sQ-U)S&DE#Gv|AF5y*OK8 zI?K9L(zOXV^Hf(L2fcr^VXOsLics@Tg^?>hZGqK5W|OccQKFhk_G6&D_oy=Ixgj2? zfC_&sbn5{M$>rTwf9m^~eW8U!Q@=1e19y*$y1dB>ikU<}aRR+{EFyycUIRUM9eR5D zCdLjIjOd}V!x#+p(69=t2N>i4%BDTP1lG<>#l9|F#7KIV(bOAr-Zp*C&Jaq(Dp!sOVYP~N2oMwaHy)N(Mc9XS3h*gVxce-J5d<+skL6l=;H zdPQZVi)|AF1!|DSYXmoQK;R#qI#}a3X;UTUO!>&h1>hYlr@wI+K5N#w)sBVcIYjBn z4AN~FRry)BFOqKWc(mM*OpThXz+KFg6+z4BId3(WKR8+;Gd)(6v&ZC&rH~J2u-F3Z z)-UB>j>cQ!bxJ%ukOG}hfs1|hpuqXB3)csdZ;fd9B9euEn)_i+REpSYW&CZ#iz&V; z`wV#|a~uQnNc?KAdC3&ZG#i#==G8%3e|eMytc9AvLjQDd$p#HM_e*t z2dHwUia5N^k#3`cHiK(2wJ;==tjd|;F!~SAlT(FXaIs;*MXyh~D3ncL^c|lIZ3a94 zJC@H%U(fL88W0>6dMPqM5;uaFK>i!`_`X7+@6o>NzSOuJf1Uo(?XO}hOA{kTnVO+W z8l`wo_w;|_GZSC`UY;!_SWe~_=Fo+*P5$?^`V^pc7vPhm21r0#8p&6K{Lj()c`XML zgcBr_xWCqx%MrZ@a+bcK**)njlKj&b)-?3uPQWOFxJ}VW4FBq_eJ~_D$E)(qAy^wlEy{ zmoS31J5ug#m{NcQYDkU;jQrdJ@g*~8J&ReezeX;_bI-peQfheWW3e{_9T!N$-fg>8U~AfPSeM+kY#! zR*dY7i6YT7MS;vrTZAd|A?E+QR-`&aH2-g+rnM7PAPv;lAjkPC_k+*d4g3*MlB66Z z-(x01scM*#RmV~nm|b;*+d%(rV)xj0vO;PN@lEq5??FttzMl-49TNl5%0$l2H>^d= zJQb`l0TJ%u9Fb<=MWj~_pMX~<9j>uxabZ&ds zw|(`0%AUhX_zx`&L5#BIbEt4Hgh2W9={eiSYD6$j{A_tpv&%8EkJvGWt?g>|aG;Kb z(G^UesNWr}xk-~fr>4~&vw1neCCqlvABx9C=c1~qjN*o!*0l;;)8QxIuhJ)r(^Dr1 zdxx;rxrwea&$YRp{&rL3aDej_|6HB`>mZ>m76|bK^+*-Rl&;| z2vwUrX4q|h5POdR2}O&iKAK6gJJ;rl)QbJJ;O6n`+6xL3wy3S)pgznQrvseR>9T0v z*GP^OXqh@RjHxf&2=Y4Rq3cmz?@SmCNNVk16f(59&xr`Ap>E9QozJPiQ-5R1?&j}^ z3E)PA>m!kdV$2I_E=^-4{lSHZm!*&x)5C-9IJ2X*sG4y8*Cx7wiPuXBVh?wZx21AA zg)7cq=w`hK&?ySU9n?BouRD!sH3>hvuYSBgqLrvWy8MMDv3_aels5*snk$u~gL7-a zQ@3L!0e|TVB4RNyYNU=o}UL z2@gGO*5Fo!h96^JtPSy|bHp1;wEIi#FGoJy*KASC{g4S8oGkg~gjHh}!MX;OGAdf_ zu}^;Ou5EO?6BXxd0i!!u($=EUpyMu6=huj-fu+de|ymJd!l zTCX>FyS3vn3R>#B0^zWYBaQad30!v*RZ5ytY~~#GnCm$+@H>NDVb-#=u;bO(^!|sx z49Ye%Z{iB3M=w)KH}t$P5zXI0F47Fjl+Ag(m`%A|>lwvg05|y_hylJZV^MwgEMM6)I8#Fq@ zv#c8$yh-Rw^&9!7MqT!(+z=$zP4lHWyu=WT0|4 z3LcA8D&4_L7wfb2i#Akxtg3&et7qyaBt5q2VWLSmTb~d#%Pg;N`-I#UlnoSe)+t)C z`E|KeC-M3g%>D$b*Px|&)f5b0!alN=XPAsMvz7@&_#LV&wS62tX57@)GrWJ8Q-R#v z8P?BHR^VL8m~AOoV2xaPn$aCcj8?*! zr7V-ek~Mbi)@C^{*kV~2qV|R@-nV+ivQCax-yGAo7=uH%EJhV=>tms?X%6xms}ReC zUrQZMCgNxq$`LuKUen=r@>+0^Iy`@r_T`KFS#LPp=8^iskD&yqo}(M{sbr-poSN2# z1^6?v@A5JkI5i)0W`4f|ZeQMYc4q2$se1n1qWU3wtY@N1#-M5Rei+3cJCvtuBoD9w zu%=O!UF|w~UkV)8K?{S)`*gcb@v}aB6|+n=fdace2H1(zDkJGD5zrd1YySb z>qmRDi9pMXItBK$>H3F}$f*CJC3j>nage$>9VC{qN(mXhDeX5v?>UR}+E~m9H<34l zyT}GqocpRT1BEqoOi{&eR`l;yxdj5+^vD(4uo@W)wmPpuaGEazvyhGCSdAn^Zp=d{ z)gT9UrHAjgsZ3bhSyw5_CJYy}0B5A?_%8z387!B36RBg+yX?-R(c3Yeh9axITSuHe z2aOZ9hi8=c)Q$Y@GjZ&9eH66mk3NQ)$d!#v;cEMGFcW35fmf9T=ZYVYO<(HE4k;B{G1Fp=*U3<|= zEUj`^yO2SF=}FanvbMJ^e9#DGTU)_4)LaGm7R&hTtyWC&eyU>y@}^i0SmK8WrIq9U zj8^BQXjUqcSSc^hO7^SW%`#B`tG*Sf{~L%rkd664^YqPd&`9_suaWbVA=um;csyTn zm`oH1<9-ZW=|xRxZ#?%FK?N>1-<)}2iX_7&^&h0ar@CnPZZuZZ=&*@3Dx`bfpA-UD zgfsp#$N7@bzXVfVx{urA^381Mi3$b5Ru6L7vg`L!1*~6NBmQwo(H%yfDvgF6D-&~X z!JW#r)?E_)A0aRF-g$+4HKfDQ&JZyXDX>~MlnHK%Gfx0JKvwZ zwM?qgE|SX(d*8z+sB^Gt*RHnYiX%9}eP>-4xIVI}{mW2x6oCFk9~e1cf5O!M(2zU& zqqgw}nJ3~qg?+JviQokb(JHT5q!Na+?o$LOJg7)o1tnWhZ-*uYVQ1?%Y*s4*dX|!9 z>Wwy)FJm52F+)vp;eQ>;MjyqhK%BpU{py*pCH^9RyC2#4$z*cOBKk#t9@ykP>#e`A z{@#CB{j7~2=^fzZ5rQ+RLG~m4+3g6+h(>#WT5l=}-7W5U%0`AQ1IJ&D0NW(Ii8V;i zzXlIxwpqL_MXOHd8FM-g&eG1ZS`-xd*Rl}j2lWMPh&!Km=2ldFm!5l{s zt&VgU768z=RZRIMj9=~p+Wv%~gfcTC-uJkrzPnZHfyRG9Hpd?!QY-cde>=ePnV{$$ zIhj<)kQ@1Zr_fj!R-9rJ$-kDRx0Ncv`&e<1)swHhR?p}h26b^XFW2H8)O-3VH@KOu z<{!7~tHo8qk2HrF&lp7443T^FBFJxZMzHg>So^jTY+= ztQ`bjd*hRD;=QM(``0S)rlWhE4`i&~84&P@NxfyVvWi9S&B12D0%Z^c&Bv;P8n^v1 z64r=by@EuYTh%d!^QQWWPYR?pY?eP78{hqjIR{BCDD0g0ga7u7skphcm=kZz z_oM={f&Ixb>7?K`r_)jUuZ{mB%{z8c#J~)YKy2l%??7#IAiq5`S`w3h6kPJ|v$j>n zXHL@P|FHzlY6S0(K&HMgHLzTkztM!qa5y=uTp4lMKTK=&jlt)C1tjjbmBaC${*aN~LW5Y=yZFaj>rbmn_|LmcdB^au_u3Aq>_`ZI>e3Ru!sEpRtoz46NlN9|7x%q@2vDJt+ayh zaDra#AU&Ak7dPC^DtcN!)w9oqaC9f&?YKKrUx^>-2IFNbekap}MS){@&@Zj=xR_BBQG8~N-mXRj85$&qi3H2>7~{E zw2an~4__hM#+&ANXU2w60?%~zkSPjY?j=xkvs{CI&$!@VM+Wq`)i0C@6;c8YuQl7s z(K34N=l6!82fy~c?~#p!(Xj;!99z$mYTw<&&Tz9g`t+Nl0(XDvtt9j9&-@}AGn=cn z{B#)ZS7BYorUc_`V}j^GR_cX|R;$WV+Z>ib7CK;nhOJP ztMBN#jS1HrzK*k-cN7?W+y}3?4XoRe`*%raAfnAdvD(PMxytH_K#x$D{A^Ik)UjHD zq}dBQ#|LUdEs0^ma@TXOf;WChuzv9s7`WFn5?y+i?DLC>ZFnEig2Q}}cTTtX!F94e zeJ-w<&Q`+bqSz&CBn+ht;#;hR((y2H&!JR{3=;*sQj(Ry=LX{Fa zvc_^BB&gKXapXVX;P}eugcpY>ES04Th+50hWAU(aHfvkx_zRSO;#Lh1#Pw@zWvWAy zAnXzh4E_?+HTB%gl~s8IqK@eR?_u9}jsr0rq##rlJ|d&}s+M<<7)YQrVeG)22$r$N z+%j015&{HmtnCR|DRE%cxCjM9pX4?U4g}Rjm_Fd3_-g8ShvdLVQSu;Al&rRpU1A9m zO|f(2^OsM40Dbd#enlRVb|e^=zW%Qwe~1jNthnv-ng+tKE3&v$au8|I@FMA?*-4~{Kx2+N}huc7mt)Ii{XYhCt-#7 zX_)|DA#>HeiUqAn(p)OrGc2%E|p@kX* zb#-|pG`yggR+dB3o1Qu;zMp8)k|9m-7*)nRkdt%tZpKDO#qe1kcSl256UZSYtJRJV zB-d6cBV^A<7o{F_vFCpXP4}EXnAFUlNGN@>UX)H~`ShKo z)&;g8&=sy)fc4lKcCN?(S60g_3^z^Hhr9L`D!KMyVtc8FBKrKzhi;C~l^SN4irn-x zn@~EYd*X@QZq5~^2fDR;r#GPspD*lH<41<(-Yz>^rp1}lTCYvon4*7n)SuM9%AkRHx+t8=-^!SecWcBQc*spwxNy;^h~NS zJsZ(}E+BTJqzZqsiP{fQwzfE?w=^`Bd`adQ@4i*Yxs$uL(CF%UqQY$4fIyYp-rPEE zpETT4q(tvO>#WZbD9`pB?j2gKLRB7S@{dRxorgsSDi;z&(cx!T$w)@L1@s@A`ZrR3 z52op>e))>wc?c>qhBf-$Q(J5hf2_M#o4%US&sqAG=qKCW=!^z-MfKEVk$}ZL?VJ?e zY(03BH^&OkU0V)a-OUZX!cE#mBYR)o@jY>e*>WsvRvUk%D^jmUR=YOu z0Sa~w3$@cf)~m$BQA_5D0B$W-IdO(`J{NGtUa3k2UkrYGVkTpHm|-|Rxi(h{xSpK( z!hT$QFVC~tJVmAvB3?s#*jYa5wUcPzkZ)h!UF#v4WIGZhF1>8LR~z}dW@glx1G{+ZGEKxPyMILr*G?O=C!0fgm3V&W z89sb4B0Sp^da9m8{-UOMOz#8EWwg0mMGN0+k^R{f^2&6|=)Qb$o~a5x%kN=ry71jc zSy?%+F@$Tnn_SgxL+aJGkSWI<^VFq))=Cl;#>-=R_h8PI=6T+7wzxwlqv?E9efyfu z7od>(q+zbc)4^qOW3+D4@;kRXIHrdw98GReL$}5CZ&c`5aeQB~+-&w{Ihf181Vm9e zt*x61tt}JP;Jt7)qa(hoRZX`w2*#Dc&eyvrEm>L|NkR>=cW-%1t1yfNsHW#w2d(~6 zhF&QU9DHx(=)YNB7~vw|gO>hS<%xNnuL?F+M2NvY7Ndr!H8E_&$P(O?^6YtcHi9wW zGF~P)Gy61d_QPaWk1?bGG1K#+4RjaBh>}Ej$)$m;l(;*#+nL)+v?BbOk=#u7Wve5Y zvK>j&oG~8vIolJcdAv!8n~1V2OPTng_~9LIHBr>t*`jGZ-Ul}6%rAEXaGI?ty8Fi* zE&T!8vQ?Gt`f8V*h~%^8a1S@shL+{MTc?Z(!Hwoc3OS!*X3a?oicuGL5DYqB=9&j@ z$;)WJ172#$-*;*RH%n$UK-ItL3~A=-p|JE`>!g8@j{KmmR@2aoCN1`TZ{cC_edJht z8-El@>eCFP?TOv#5|5jm;Z7k>3OeE!2^B(o^-TEym!r#zNXDR>R5$~s-)O-5RG|ZA zfOut-1Mp%^7MUlddzQ?_ToU;pJ(>sn8V$B^QKMm<<}lezC2rP^#?qKj#Y)vz>ros) z^kYQ+ZWr@tkzM)j<&!eP8ml|(VSatCYry=G+F=$k{buttnH8HXm@>SI-3GQ)=@fmF%qM9pbC8-sQ>qMM(X%B-oH*nn?5 zl{vN}d^6GpC)-nx3j`d}y)V58X=E{fxpCFsYS6Hy4WUb`0_Av|`?E8!L8;mJY9g3$7l21h*MQez&7BR3;q=17R zOj9RSp=oxU3fY!kb&$7fg+3|GyG-|yL>GD_fc1I=1-CP_I$CU?&I_tkYCRP8uD)W? z>JKy)&yAfT9yolym=7^LB$PAxYQ;_F8Os@x`>NyhB6WNE4bN{J|39X#Ix6aJYriNd zCEXz1HFPT}E#2MS9V61+-O}CNQj$Y=Bi-H1H@^4k{nna4SgbSg+h^C==h@HpiryZq zZTOtYiils(`r{{}4c&8+JVon=os;MSyA|N-NK%1Fh$miO;5HmWvyq6up%9DDqj&4= zzRWuPV|#`kEo7 z7!8FS*7xl0=^l2gtCq6B0Hb4;ZPb6iFPOoX&v<|jmeP2VSTJJ_&@>Zi@D@uYuFiBu z!OsGFggUUP8BTO<{FD`VQjIJW4;@~}AImRCPnV_A4dAP`d~w!Pt>`6NAM0zHuN|~v zfg{qvn`(w0=%VQL;2SLzKJC-ysgLd4PTtIz2o(0Ht$r#+?qqAD-{!pR5i>DyFRFrT zjiyHf3z~^qH2izE>vp5ohoSE!xijY|Fuf-krg$T7qpBLjICP#Fzr5eJL4%N;nY-Ey z^GhD%%Iv6kf-j+JIy-Z@J&~Z|l;|dJdW)bOS0&N%#HzlBl+UW>4+D?{8A1Dj6@1^x1t$VD6D~(b=rmiMyvR&4n#tJmmeY-gmYUcJj+?W z+!}lDYI)0yHx%cUx~_@WNYUHiyC~d!iH3_r<&2L7$`<(U*2Y<%-uTU1lCY*`5*_>T z+oA{`M%NNEMO%Bo6>U0ej;kEmH)f^W3w0FR>m1Xa$5G9uz=Wh7x6%DbQ)?Hyb&7{a zOQbHJgtV7=j17UP>h8AkR3W0^H!hMkR}omtRa5P*wC}KngXJp1vBYbhh6D2Mg?#s@yG4!fuyx8a$2F?ul$*|*an* zveS8*G)wzjy4F+lN`}CrN)%1gx-19J%aMJk#m&Bj+rIKO)6WG0r zzhY7Jp49-JQ7d>)xiVAt6l?bFIC>#EP+AjdF_(|gHLe#VeJ+`XdTVe~OUtckd##90 zL7vyjKKMFVsLY&_#)A>0RQ^IyY7+Wg>S>WMBoRqVHAtFUut2U14T+F7;Qnzi;^un5 z>OvcRp+jy1qJ{!tH|O84%Mv%QO7JJ^JWsjkd!^x&b5pg*EnSGDZbij|knu+BneF0& zGxLW6M2@Q|dQ&d&=ltlIC@l^&zX}}Td zp@C!&+*6&crc;^=zWn;@s)J%MtLgsdAdp^P^Ei>kgw2NojKx~#L-;V4>klvS|G-wX z^rjHs@Kk#cji9XkI^XRtPn}8^$ko_CRt+;+Zg0Wr!tB*j)$d8^q$pX5PlHkFw5Xyz zL{qVH>9xC}v*uvAn*^nbBH24s_ zLg7-cf*#QU7ll^fly7_hpr~89Bsp?AxmG|o{wYC5O^~(H`O~RQ*;r;*#(ctuNk~QE zgS6CjE@+|7OX!n=Wmpo!7^-AuC=&8kU&Dv6oiWVJqI9HZhy4%9b^>HRx9ymq?30td z-5?kT$TeWt?nvK-h{TXeKCT}ZNIxVy)>)E>RV?u0iA0T7mw}m?WKDlQ7ZHpMV?T$v51#aLc4k52MVVw^dI^4_nbzNx6YLl;wBK~Ux zISz?J`A5!gr+OyfO(oIIk3CyLv8;iJn?0zDz;hOPy|kg&uJ;dhg$lmTgo{n->GHj_ z8kK~Qc|4ngWH4V+Wixng`OK=;$X#}|6Bsfu8l?Ig>IQ416T@c^);m3Hoc9JWPXYc? zix>_ETa>jXpn-7eCe{Jz(C~t!73-~^x$6kwVZM$5I~YP@;+JNUfs57~6PxjvjH)Rq zH!jUS2ka8^dg6NtDN`m=aowMSS+50WSK+E%U(gBlX0f|qn;q>LjeM$DOM%pilnzn8 zp5hxuwhUUM(J!z@Okdvj=86mx?8!XZ%Ml6;6r|rd$fbSz27?$&H(B=RSeGhY6n#1P zkWL|=9H`iTm8X=>?Rt+36NafmjDzd`g#KyC*jO&{pE|*a^(ejE`{)OFplkHWliZga zQ5Z$O^o0&5u1~S}Qi+VxVbCZ^5?SX@xxJ!?k;A=7jOYl{#-#E=zt;N$s3QLhaq~mP zs{UqtzdcMLSf5+_0>(*M>OwAk6KU~!2xrqCS+75_Qq6nu6M(+J<`62Y0rRbzPi zd5!=5ulVfw2vEXn`_I`7&cyFPq?enkjYC>&CcUu-g1e7K(uL(M<}DU)HKK_6_UrJK zR$H_A>3II4AiMW4?oA>603<_qUdBd!PL0+}eGPD=m~;xUaWDYzOQe}z>|S41WXd#F zk$zBLHs!mQ@ZjfA&k8cVOBrg?NI`gx_5H^R=!CXKMb8q zObRz8lmPnvRU{E83{>6cCQ9)W1*42Y0n^h_FS#rkW@Md40a4WU@GsbzP zq{=^k7XA+(|9hx1oa%3h1|@inj|yZ^uX$e&&kgDeqzsu9p?iDQMJ4~%ya_P>6((`T zEwZNcPY0QgT6I*V6|cD7FDzg`zcZ2F88-#qt6-2Oq1DcG(f(9EteM$$ z)7j5RCx>#c0-pao$$Ioxta2oS7ADKTd`Vq-XD7WgPd7xbaj5!G;C3>lSb@x$2`#@*ZFd2FLaN4ey9lE z#C|5Y>bm&G9<46J^#?VxKf-e)wA)?7F%RnEs7eq?fx3n#cEG7p-xfEak^$@8o)c;7 zWtSK@dH>LC3d$Y&mN*WV>j##gt%I7Fxz*N7FcX21F^$sR{X~aXnVl(dL)yg$zmRS> z3VoQN^ETBWS!kF*2g6nFIAs!X-a#7e45D@Cv5H=T{mygP&MQx?+3haD{sq={Z{a}v ziVJQ2=!}E7D-xwdd9*1=*?gzhO8J02e)XvE`;+LD@yq-WU#P*f&{YrJX6lNOd~n~V*Q?F( z6P=-W;~kpx*+5g3QZ{dsfABC~uB@upxpE#b#Fg5f{z1pJ+g`GVh9XFQzN1j$X-OT@ zA=o@#N*=&M+%Ug7^B;bX-M5iSfH!})*CZ^|YRT}{n@N#HD@|>PrPyWs8IUhD4!+>} z`EmtSpX!|wh~X7SrZ7r?2p&6y4B4#Da)AQlt*#~Chg-YZpRhl_tpgNxlo<-`B!8+W z;Yf<9OXoIyj@5*Tv%iQD5}_WYVvuxb93?33bFn^hQm=M^b8T{) zu$`g9pQ8mqfg_a<*@FfO*w`BEv;eKBMW#LMK&#|M-2P*SUiYnp$Xyru%`J0@h47E6 zo*u&Eyw?uQ{&aLPrIlkEn_a2Uu3$kb246y?E6i9y8qvZ2?DSkl*#ye-@>P*+#m<2=s0plqUCyrd~^Zi8=6!{?ZF+|TU( zWh+~`d_Dr7l7ZQg#mPFEx$G^9QTzw2lcfeK9Ycv{HP2WYE6%xlBGTXyX?`D+FBQ5z zLDx2eC7A^3b=x$W!J_PTt4V|w==NmY=@ZbY3#~oLSpsbv9T#r3%>f(WCm8M3<#_&U z!VylQ5AqsZnsW>&g`b~Q8BNYEMz|?KqRCMel85<5>7X}?n9s41BdV99`=95D1wLml z_)QeKrE(00dy!Hda@xoqvM9T%4O@IVY+fXv8 z?GDoFixs}X)R`)FxR@z&ny z`oxHSys3iGZpHaLu+ncaUC)W;HeP)yLsL<^i&jsw0 zb>D$G zq!&G|(QiYiCmN)^v~{&}MeclymG+9fnoea-7Xn;GB&toe#hpW^ri;Azww5j3J+BCz zuq(DS64K~y(v@=csj^o2qR&YD+S{vx+if#x5_v)$*ASoPCOwL&g;Y!Bz$gvo6OQa6 z%W9@4mD|R2>V8p?j38@HrwJhPksFB!4l`{9Up=+7qnX^9ru3H|-WltgW3xq`X$@!M zxe=_Om`=x;?6tRp@%#`3m+NWwB+)W$jCe5Ub{n&5E#Ubg8!%|bC-kf86F##-k%{h3ZmNycr*QwD$uDB$e1E#kg_s7a1Q|Fx76*JYgDb}{G~&+v8Xyk;GHH{^rm zti{-~i`D1iP%@fxR&oJVwt9K#+sZ7lT}zvv=}eR(Ns!{LIbcbKXP~fUa>)J|^pGi? z0$lPd={RED-_ukks!c)1!??Jd^ssbJ9gO0bh6mb5c?w`xd(0}oK0XbY9e#{}Nmrsy z#&FtY_*F9LS9qh%@44qp>#=r-^<@VX}R z!_)7MVh$+!&q3=tRA|mGG~{Z8WMnic7V*J`WuXriz@rf6)m^tPkmHX|{t7lB!)sk~X^Dm(xM(tCnvCkz2FTk>b4AL74$AZi zNiF29xr~#MaQGhMY9=;K~*Ljr34IFE5Y4X!4_PO z9O?6;hLF;LcDP>5C!+ND8LDrVvca|Epzs(B-)mj(EK1_Hq3-r+g{y@%b8awR0&R8I zapZY$E)?NP6oI8~{YHK`E!#o`L0YIwk(c?poB8a;>tQ?uP4DaN(Ac7iQv`EZ&6+$} zZ@APsO6cP~o1G>Ps0)$Id;4v4-3e<9W}B1h9m*uO4eDqzq(qKXb#U8^v9tzUyS0lc zPb@J_m$xnmLq;59wAzbkhH`c=+}E->otSER>Tq(3tU4^OGj>K$qM5#w;*5=OEU(bt9nCsN5XS4Z})Udi9 zpF2GPh|H}UlaQvpXgkyHxH{`|d|~D$sV_MQ9a?iAwuJu?@;WxYywCmhN(z&S&y_P- zt&uRE78CO0LDF*vn^}$Vd;Xqd>kYv-tI+2NYpv`c@^+e(IlL+aa@qw$mVRJ}1|xs7 zCFWqJrGc9})xdY6eQklRIHX|AQ^^tG#u?|MzGe?y;|RM#r!rONtlEJ74y_5FHQ1@* zv*~&lX2eAoTK{#*MgCftM*6@h=p5wbSghra+rP6lT2oR`L4*V2lO;dDV7;<4S+7l{OhtR zZI&k;h5?FQ+)|mkP7f|K@L{_{-{N=dHj=WL6gFq7bdrZg)Z*uE5ekOub3oTH%EO5% z#AEnVj>EjQqJ(*?GaU?Bw}{cqrvLRA7? z0&;ZL*k|23W}#%zSYZqK!J6wbyXB{0Yq$#5uSZedwG`>KCz z{odmlYHkd#o3ko*^a}hodZ&}(U6-)GV0h|$*PDjcQNy`oJY(tn!HQ2_Nw!NrBN?+8 zxX&Uaz*H+Qz1gqfa@%}BnvNs29~o7w9a^(}Jcpdfp5sOrWT@79YXu(5e(n_-(qZm3 zdhD;8>(sz3#GL8pk$X?)LB+IMQhmNIoyhOjul3OPHo1zKyfY;#>F$k|S$gYY@fQ*c z>~<4c)Bthl$z}^K{$wW75*yqbx>=*fGu1d=3l@ohFEy4Nt|=njHIG-O;0x z$LoY5B;M(}BJCQSC2uRzU2+DS4~%7@b+npt?4Kl+XI}h(%B-zPvY#7<$24jdqdAnG z-e+`T``{;=$|Mg^xSohyz2jMEH0I~i-8HZrbX0ae8de4OJ6EasqhR2~vbDTr6Gtu5 z-czvm| zt?gb8bRZRD?LoUNO1w&msByO9ByyN^Q`9ZxAFW6h>LFTQ$pFhP*ea%ennnE&%T15^ z50gOq0~*L&<^nAR0Rc7sZV0p3=%Yk}+e!D_$x+R8vAgdTs^zV&Tz6Q{Ov!xeY`QAi z^PuKq1@K3lU?T0wT)dvdjhZg<^YJZOI||<7{^DMRadW}onY9K#5{D_j7bjWnviTdI zVDyC9$ajnJwDg~pf>8J7v7qiFEu|iJr_GfqU>;+F6Wopl=T4+GIE%3kr+h5-(sUlM z&o*@fALCWg_Sqt?4)EC~Drlf}bB)6cu&#^m=XmpspIElOAm#(Jg#DyCG!tp=-GXkQ2w& z;Kk4bY=C>hLD})XY;~^6I*Xjui{E6rDWw}a4|FloaL|08?O@-93;0 z7|JZ3t!5VNMD)-(wUP|dq38TTt&hPpT!q9o&z!aMxC$2_)G>ycJ$<~w5)YZU7FT#+ zY`H60o*;>&+Zb3bX~WazLQHIi&RSld)#xP0ns0MWcUZ$1jxfF$hw>m|A$S45jQw&s zr}uHx6vKA5jLqtW3Z1}CsmBJFkCR!XENIaOKkoY^g(Z&6*b6~&i~S3V0kc2eUW;F5 zTl=Cw9y2w@oQZk7p(qSk(xd4W`dB?^JAJ*~G^nv$A{8o}Hj^|gY?crGeKkHod{)q` zCBSo570}YXfYLy-W<}aETV&301Kr8?)WH!BDc(OZ2#K5`4KbSZN&zzXB_xBKi_0i_ z`@NX+#VZ4#S9zpPbjud&T+!3cB@(J0*^Zu@HVmtFAN;44Pq?!MtbB7F3tX+2PQ&x$ z#wsw5@T!?YRPvVFd5RX_%dNuNXw@tK+rBTi1aMk3)%!diaDoiD~mrhYu%Mnza`Fozzgq$rfVc^-b? z93_%1(RC_LJUgR=Be_&@H9UcC&)zjKgp&@1Ug4=vs=F9bWNc&f31&9?5rSfe-seWy z+f|h&`qBN9cq0R%0;qU*DWpHWDXvd3`~A%uwfP{1g=2X-xRi<6$c#+>k|cpgW`ZP8 zMPAv3R}8}ZJx;0%6WVmEx*;oTJLHTq=pMgyik&1dDxOU@RIJ&8ciP~qj4e3eTH?=h z2$M+Pwq57M7RpX{jSBkGSwRg&PyMB!6LObK3(42W$&|$KRm(nS5vESi&KHH!?}6;E zUde^Q?W4ywcZ-dV&(vie;26Oe8%V=gXVzC0>R#}GNB6&&N4V-~P)-hJGm0ax` z!Q+)vf7J@I<25`ww~R5SE)53Udp25v$j!%EC}TU0P(Y|K&9-0&X_s@~z~xw}q5**r zRso_}cp{Qr(dx?8{n%-Vcjzd|43cbr55ERi$ay<5ZIWPaZT5~*zB``jot1DWq+dIZ zF*gn=+3854`?g^8XfdJBMPj;K`5KYvv8h-*Fn0w0j;JRyqvBvI4K7Q!P=+4W^?qEu zEG$R$=JEdif!5~aSU0?p&AX++lZ5~*Bgb|3E=7cC3OGmFSOvN5iX2*U<>hdsqPhp= zvEw!eB9k9|X;>C^eUt-Uz3sz&&3Ko%y3bym9cQd1XsKmJm%#8`I3|@U+GcTld8PdN z++wzA|4bgvR$~O?*<_#h`k5JmCF^T8SwXD&Q4!sm&E&hbXE2Aafs4OQ1;CIYU?I%yW*xFPmb<-H?Y#=s= zMHLtDB_t^0C_4TYt8C8ujp$W(LCba&AnvdW84GW_($^W!mHMk8#JeP8t$rFp(G%<> z>#01_+j0_)*F+zYCRus${R@}x6mibew~=dG#W}~|dBykW5Ez)D6d7fgST7%pW#Rd>q_ng89PLSv zTvD4H-I^_rH^pxnRIJdf0?`WC_Dht@*!UXV^EeM2suYqP1k)ijK&IA3yqHI<+5F%* zq^>dD%*2@ufi~)izQU%x;izj?>__Mrq z7Dt-a4W&StAjWN5@$6m9XAj)?La#dWFO-i}9v|lh(`nX>=q!YzI#t+K1}gA7upd~8 z0tqyZT&bKc=eHF_LN6)r3kxcj6ci4<$)u)jOB*GAN*xc6}ra-DM)e7%H zoR9D6#~w9ccc>VGCIKq8Ea)S7i3j4JEL8g-GvS{f&j%>W4k~fUA99iEU1#^u79Hld zcf?Ig9!^v^x?VHC=1aX~-9Jfe{UdsO4%dm;tA1;t`+N|{T)ByoLo5D=xgyXk4_0HB`P-eFg zuP=D1hRz33$QI?HI}M=9nBwp6jJfBA?Qyu?Ij7%L4cW)y6KQmLkXv9Z)atAA>0%zs zj2X{EJW(k{uc;E|DTgJC@g%GxrOU?3IOTJzQuJLjCqHjpq@Xki&H0AEY@U%K>jAH! zl+$#$^u}1m7&NVA)@=4!yi;b#kg}JrSYRPtpcAoLjbQ&!HyzeU6}`so9aOAX>P$oK?7lKU0_P5!gTuTq)stR-jx=b?;bi@A$&BlE%Kjduk&!6! zqW^8Fnw#0KCD4{|y(b#Wa>KZ6bBUBh+&Wx8qHH7`5b8L)RPB1?iQWl8bWmA+?hpmC zFnmBiyC8xGdZ&iXE(5%@K9&Oz*hVB=KCrlHwazmID3ALzk-x$l{ zMITkgZBmk_<)ZpXC2BHiw7Mc6)E0_?kMWGCZFAJ7y_L;5<4&}84b0%pdJ6?+ij`Cz zpdgSxAtoxfBKgb}XhB4B$*p_4-;kB+0$0z^UT(zr&d&?pNXTr0d8YFZ)|z~8B`U(| zy3VK^qR=Varl#{f;G8`<>QtFb=SSBF+sr<=y+E_{pSjhm0Oe2OS~XG=F*d@&>=-HNRxgSa$obJ*C5viXJx=v8P|s~TzM(E3cmtO_XSksS#gJWpr) zr%nSDZ)QLti%SCGHHZ_cW36~v=IF(b4DzcuR4`dUmnsOCn8-A0M!qm>qQv8rnD}lg z+X~VZ@te75X$SK7b3)hJ3X9OGp7a$~991jDZ6YJ70@6!NPf*X_83#ww9tI5u;TsDFZ z{OD{{8RFxl{uX|iiM?U=9j5rBp#ETKXf5CwnVJK=72Z4I_st@3g<#*78^lCdRKn) zAvF?djc_H~+Tw;Qkd~YgXH9jJ#t0(=3h5BqF$sw|#_VRwZ@%XV$ z?}mkyWGVnH`b{1#hX-AYVZ|FwO9%jIU34yhitNX?P$|W)f!ki6jNiX)z1#4c#8cW= za!jxq-e{anovFj~;FZa9R2>;UCog3u4p`rXS&)F8u9D!&+7RxmlXzBc!dS&mGL4t8 zJKecYjY@Q+H$lf*_NX<9EQ&*#FIx@Sv6_c$U{m3Z`A$tz$oej;^Tnqr3YYK7k&pM| zS)cn|$wT?M;~6Tblo*34@dU-ENujK>gaX!|ciB8AUA2!@D1K_fM&}ZFc@>HP z#7QLxoAUaziGjf5l;#YD;5#P{HBv%U z;y#`&QWdR8gSs<@V->0-ndiVrYLYniPUL727nxK+ykH4xb6#r13ySWlzz41XwtJzy!{WH%wVd7%_{y@IxAE3w~8hTt@7 zNv0#qX|dhptt2DS^P!OjUZqAI$B~cEgvD$Iiu&iO)a9QkKLUSLx-9N;1fmOpg-NFk zf-3pN_n>+g0F@+N3~R;Z5YFh%n1dn=mL@yKxpCs&S|7E<^mpVZN^C|`@IP#ibGO^2 z@8wROlRXATt8~)r85Tkjwp*w2j+8m8^l~VAuV6XJHC}3dv1RAoyk`dF%St7ES7~l_ zA(fP7FDSl+R*UD#H(T}I7a`s_d_^R9!Rb_?Vy&&ovPGmE3nxdnnxQWm+5KfF2JodE<*9mi$cuPVwB?;@doC*Tm%0)D#>$KC0bEfq zLOPyMG0#y^biVN*DaB+7i^Q{J=8}!O#SF$ZSs3(q6#G6;(5=el#q}_0TI6ESZokMn zzbY%)K6Yl?HEEx_aV2 zECCMFrZJ0)A7{k{F0Qn?YbRe89B5N0?hx>3AE889)>*7Y^2=d* zO~%gf22LWF%Lc{E8K!BRxcn-$Ai?hW#E26EANzGqQ0lui`+IBy*4N~#e%=(pEgotn z{v7?aQFDYM-y6u0tS&X-!cag~cyUce-5i&fFIcU?9}G8ZEw0synWV--aC_RT{hXcc zWE~PlF{S^g1?;j*#=A~>>6u)+^>OpqbA9{?FJnp6$Sdm%ESr@Aii(RH8d*J6aUp0d zp_$ZQzj*Z-aAKgDbdTSzx@{8N#EPb}FDzTuM39b5o6lB-kAa<}jZpO2_gTy8&B2OQ zFEvH(PLYH7BP3qscgtt9&GijxzBBDd7+7dg3I+YIdZX)S-c?Ni)^-u{;p>b~spXUM z?;a>f>Qbw#_j&GI+_F*54PRSC-ET{tnw0okd^0-9_r8=nGQKmFmNh@eKsjFPH&O(6 z7;`y;_n_vIUf&@{d+$9H`S_$cI9Gc)ofe0{PaIZHYF1+8U5ZF%{kWC%)I%YAvknQC zkgnHI<9n(^O&R^Vb?ak6!Q|&0IUi?JoJ<@Y!?Bt1^@l!7)1$Zp_Xpyf?cxLFQLL+? z7t}XCph(8D(GJMX=?X1JAr7i!LKjM2+uQ>PWU0E^;m@f=HCm!%)a;Dse0g7RcZ|Mx zOn?UO;~v`Rzsm+(6D8DL#W^n#nHK`bXSY2MU$orY8y^arT$T?^(Q9+rNfVT3x^ynp0OC%V9$Nx62+99fc0z5yc1rVfyyN|+GygdiETrFX<>e;(g`n&?S?RYidCC;zuGdmE53m5b!_7`5S@*4lBS zh?TNf8A$# z+0Z{P@7^dV>`xU2#^_&j*?qeFrAG?SQ}B1;Ja+Xr0D@#t*X@UUVo=r6VRWOZ?5Ikq z{zCJC7ex%`Umx?2YBd1DTLwVyYX7=3JMy3S*RTCt#7y!vpx2E$=U^V^W~KzUNTz?L;mB>?*P{B* z@B0V|Eff$wUedRhi0=Y|^Zx59$8|o(Y#?T7%l(<*O{Q-HF+~F#0kR8kRj9-&=A}p5 zl*5^xX3sG*fn>tJ6vEw)Fcf%=uYz&#LWy5@BAxnuMP0U_gVs?En3VUGh%}=9atoYC zzWbco$F<~uejAKfT&W|H&WE$>e88gJ`n(ATxs&{(wObj#Pm0oG_89~!s!Jba_vDKA z#(MWzk(KtwRq+b~{{F&q%Kz?(&kzdO7KDWt$|UBnmNtL$uV7gJV=>i8 zKS9hnx4NN)9!@f{>4w_%_gC3p#vvyApVzr8{BO4kQE&|M9W9h8V_~i4_oZxREE)WP zJZhD8Ega}=f8^Lr{TqA>u^1r(;BfBir;jcN=u7P$EM_Bx6urf>TmO#(FAQQbKR9=%z;jY# zxW8rq@m4124o!9iCSN^!-mnub8Cfo(Z}T&={?-5YeofF6cu7!bZZHgX86&B0XCnz9 zqlr~5gLeMz#)mim(H4;mtS_1Tp^fHfqaIg=+^+oNjY|0cV@A4o^IJ__*x$YoG=6ksN;-2vF^{@kC9Gta+6%+ zi%ajq{w(?m-~KyJ8{7BMLfzztn!}>>&6IHsTx@SEFXyxV?}zC^9G1Ktoy4=|8*%cb z2s{M=kBH4nEJy|htoZz^{qMr{kl$XFoQTrk6$mxk>0?fxFsR*%1mP$GgHdV&|9ow? z8}sixOOfq)HTs7<)NdcC2{SvMiTnJ*s#bnY8$~zxmlz~u`}fIVByV=>9`^|_=5-CP zGk_FBgZ4Egp>OXLqC+@bfRHphFP(6P>%4 z{taxy6y-iK>OS5I3g*Di(R3{Ddr$aM;wkGMV<|}n2ry7)a zdn4!>0?r(ZFC7e4vY4s(tsmw^3F6_5I02C|#FFW|~hJ@iirUJCD8bUGWb^Ry+ z6cm@2mm%T}3;ClF|4!fd?JXf(uQw}q?Mm+4t;)1L`X7N$Q7hbc0?{xQe>~Q+#P7Vx z#N=M+cGIn?ZD|lrcA6?>WtEjl>vgq35C7ls4!{NQ)=oYokQ?F{%j6wqjIplk-x z=XQAGRJo$JRqlxL=c)a;=^)s2h`a2Ythv!hD`<5_usPLEar)J5zeQorp1s5G_=o=E zJ){HSw-lp&qu45D>g}REH{V3)>ZbVG;+ZW`BL5Z7J@4;5A#&q68ia3m_hZu0G?9OK z5$aicHHsqpeIWkxBC|i7kyI>r@Jkp%???_Aw&qMr z%4{#sY~oc9>kWbIx_@+OqYEK}-y<%A#|izCECKQfUGqH@c)rY3i~CLp=1#k!E+=$B zN=2+@pw|{T^1HYgBW+YDu*w- zqK6x+!E2YnpF+T34I>%7rn6U`qWe}>4WsoA^1H_{C%J3(`*o+Pn3(s+Cnt~*6`PMY zR*uTzeX(uCj_>{oP?k)?Xzkm32v6QehCQ~nffPSJ>}yoVsSdii zDt;8vZLfExN5JT#W@m_i%x!SiWE_{faK|S6He@|8G>KNB+FKX1Cv}}JRMO8E+Ze=Xa_*usGF4CHS$Y2Gdyu7DgVa(aV&>{H>m5-;YvU+hd|Ler zQzS|5j6V2$g~_?OqT>DBVlt^=S6_WoT3sm}xAN6ldFU?!Bt+XCJlVtv39BdjqlPqU zqN5}urM>sKj3}rI_g~%ls5lU`Gd%F{#f_B{rreTlH6O=~IX4MGXo;FHg=Y-QoqSYY z*3P{Bw4N)z>M~UEse8r+WhMq$KFNhvdy96iJCkUy)8Y9ok7+@H$gce)r~ z3_>NVxXu9#$E$Kx10nrGj)Ef%*aG5)hPCz6v{^=@4VWMWo-9hLkwM2u&C0Xt5cqoh zNJpK4KI1CxE@E;i8Cd@*xFlDNSH9iHMwQBf9J8bg^Lu=JanYH!UBZ#($Ses4*8WkR$!$*VUxAK9T9AJ> zV0sa=<020?T+e%)-!%KMq4M(3URhsfT+tO)ca8GcjrjvZX%BC1h=`^kA0n-%vHN|2 zwLc4vaenHk)5~hygM%wLFc5>-ir9NTBX4v}A?b+EbR~!%7}~!Lc^BmKAPCu=r>z_Q z`%4p=Si4xDVrt%eaS`Ok?B1vX-IeO~V zIX%5~V5DT(B>Fl}mZ3R2e&U%O0YRo?2Y8)l&qbzcH{)JTPO7U9@(f0Oj*R`<>s5x1 z&dQEq3s)QKyBQ0ti%ajH54~t_Gcc}v(8AVo2FK^H;dY+*JR@jWFK+qot5_{Kq?Xr5 z{eh`Yx_Z*s)LP3;d!PJ!x)DeCi^E=ZJuk=-iq%+YuQt+CwrGK`s2*sUO6rZsh)vq- z3Jc~g+&ukh=|(#|tgK?R%UxON;IzGVyrzrHL_r_EB6rDzwXd0!pimc|uFO5}C7wZm ztV2*6;fkMNk;yG0=?=(5UGF%gqseN7tz$yYfB#2}F z=yHS|G@`~*BoFS8`rP(6dlt<7x&s$!a?vfd_Hpm~b69LN{Ikl(-24I8egSD8W(T zv(1S&zAuaV$4c-ao_c?($lv{9V!aKOHa+S~u%v| zFVo>=M9B3To}nc7zvI6T!e_v<&&^%av}PUN3F-kPIsCRcWio0p<;_f^%Og`Sd%Xk47F9P&*OT~GHzx3f=BxBbqSDp2rQeqeO5r#g#qZE+o{4BP&fE#}Se-iENd zWoZGj!D-e9PmZed9wUnTQ;*$aufDH^JA&?dBPgUzAXYEP7(;e&^9%SPUwqfgQ?W}H zXKUF?h>mHLD(ZNBtRa}0M!lVVaf-rw&p{@LCP+4=_x#gp$Z3xouwJF?`%(>2@7zD5 zSg)&3=Sf&8fHp;b>F?22y>O={A>Q5QARDBUtE;Ezrk^Y`oVNjRYlgbrDxMq_*M4R% zm+2CL!QX4#AeH!(&R0SKO*P=zZ6{U*YZ!bT3ZE>6k%Y|mqa3{uGjjRphf4uEv)?BV zzh+W>4~nI)xm}n07x8zNUtZf=_SZ^Q`I;KOC2ro8;R)7xF)lN~#4%_|rX`Q$wsUXy z-C~Kpd`bL)x3$URf@0I^Mv)bX5_%7F~upPuFdba3nxYxLmra!># zeKR_!c$0xPOUB9G*( zZ9k>}@Dplzc}2j!wTu+Eh}X;$D~gm;lNEpKnJ3B9IQhOq{#brujJ#aXW@~S_CFR$q z82D9SvOlQ4T7A5X>-#`ow_XvOud>jnr+{VTJAZ}1NICz>9JQ_bz8pmFFs5GA6bwqL ztu3(#-c*2M&kUundCLFV-*J;x5586n7{t!J$ZTiWGNucb8xR65PL> zbAIRlo}2F~x!7y3J+o|Po@dQ)on>Ys4*58qK8zcJ99_UUSQt zo>2gvRc|@{P6|04+16NO0fIGIoU-t@W$Rikpw!J`+&`s}Mfa(NPfvyVG%LadL6TeA zCVHh~y7-uuQlOjXd%BjZEYAZW|LyJsB2vOALwlKmspb>**gpx2EN6)a?3{*|CZoEn zk(ApTu%Ae@ujM}BmNX#+69IvP%yrgtf&DQOcl!^NIG}`8HyID}i=+)chyC@I(+}Lt zASJzqEqjjY@AGv>ETPP*#P07oMIA^Gr8|001eqhEC_-+)0eac7E&g!stNZ}TqdCxZ{d2Gr! zOrqt)Cvi_wpMa+)PsuynzmiF+CehcwzyKTW}4;^^G(sXd- zVe$RU!MDML6J;#>Ad4QxQ%@{jjnyZVTHYg^2D`rDsoIGWWJmNnz*t?F9Bjs`_q^L8 zby^;!RZj0YKaaRQHVEW<*)^hNeGX0;li&bb0ER0V6LU@_x*zdxZ8BGvZUkAZk8gqg zQ~}ve-3Ol+!+}I9Cno*JMw4{_(Q-|cru$GuUl_8Q#dz0O293M5E%hbEIAD5{IFMr@pTnf-&mb zAesYZ*DR+HvJWX7&y2}4RL>*1yVzvhr;Xj2E3FY|3p{rKa<{ECaf2)Bd8}uD1fj%n ze4q&{LQA+iszh0wyWu2zlP-X;!VQbi3y;l`dMdh_6tE)`Ft>p9rY_wN;hxx26y#ZR z=RBpyG!858NA&O6~#D0afU6* z-DCPjNZ*rLu=%FmQ(*{t?Y_kl6Hemmdh=!cHlZ{=Xz?5>{0Qid>{wThny-eY_TN7 zj;g(^vzw`s2CVsRk-+B5tr`caU!xPJ8{MsQ;?s4;94J^6J0V*%Z`l+r=YNZT6)eA` zgyB-Pvu$uqw}a=deBNF{3qKqqb&;QKHTekDIuH4d|9+gp-`g%<%T9f82ZzP2o9r;6 zv^!vqzxU><_K+!>00#AEIc$cs2y@zAxl@O(OWux}*I_~jY}j_4+EHqDvcc#5Ri4Ky zYr*r-KI^e!&4&liay{-o65GSj-kh)4AXDzT(%MrNyV6;|RE5a=Hx3 z1c%P<9Bi42h?)twjUA49`=iy{dO2@z8r8L)dc$0t1#0~%{g7kxZE0%wnneD+Hh&`7 zPzT_0K3?v`O&(`w+pRYn;I!Xdo^*}Zxh7bSf#(FdWffkcnxaxPB+#QEY0Nhe82(BC zo9T!i+{rHZR1&$kH+mLW= za^FS{-D5gwItN6ws4uQNh8p-l6QfKXm@Z(BUm9ULwK%F6DNE(;jTAa*1 z{vmWn%Z}b0_KHUtFOjAQk3ukmQ9Tu#P&^=iM^ESWim@Bzk}2l+%CTs3szQ8CZ(+Z) z$gQ8ZBnS;+8XQoK%`($@KBFfwHl~1u!B}WJ>DE$_~lj~G=KM}^VhbR z^Cn*{c^%Jw$UXUdP4oIuGqX_r!3&*nY6=}QYUg4h0TsfVbXtM11l!|^Me-anz*F0oVSnP~y;Ud2c$ z0=L-8`xB!h{G$YC7&!RpqlLqyr)#pY9LMAe?Kk3GOV5<9*K?o;(`b_M>2fr95enHq z2$-jE)QQM>;}7Feqr;VR^QvN1HWa&#i!4#AEZrnCA_0XAU+tskSC*X-opjT<% ziA^OAxSUVoq_j36l+E3XGxcccqraS46(N8;t_Bs1_wKp6NkzA+2gxOkZkP_Zv80b!=r@A?$#Q~WnC&-?=7f_D4FQqVppf5 z=7=PoTgTrfB{?(V^)R@XgF)r}myYRGiirmsN@I2Sq}FN!Du>u0jBGFKxA)vWUT29{ znWKLIBUx>p2MyQ1J~J1|jq3U*+;&wq<*VoC6OrJI?cWe?%|VFYJ$vTlu4L!ghC4!e zl~Wi7X6j#%mgg^Mk30GHeSJd1i(5Dt-FW}x8{!(VUGxp}F9G_MdzR}L>)mLof(M{| z+v%$!-*N4OT+PUqNAoG2z3KpL9cg-;x7qWHtn~ECI-i^$t<+3Rh(s7uCJdE|Tsk7^ z$|`6e$M`4L?Wiv_M#c_LL^q9S`6Zi3@fRIt(u=ujIk65;87em|&`)T$u8l#TMJ3Z8 zmMFTBSGByyPjkffT2`f7A3vdx%~R9&PEZLNi(KGRABqd5d~zgb1jLJQvxPPz^J^T7 zOFw)!Qq0ohyekzbit|EGo*9b16`-Kx&0a{@#}?y7pu~8*U*f_m`^36z!s z-H9lhW`QqT^&J%FGqi9f{Sh$77B}kvn2*9zLRW{5@=oIbghu&YND=J3!Enx5g zn*tG^8&e~U!?F&-kqqU+sbtIYH?@TTXOIv3hXjQ{_uvELHfGwP=sHK88uft#1_wkL zs(3s+VnV{92L(d41Dr2E<50vMmwHwYadxu=I)BG?>~0<+G_Si8#%;_c>!=U+I$e^2 zBK-G&{d8=W(%rJF8txW-QWqzSR{M%7)FOPyDis-Zj_c;B3s)lR5Pi7od!b-M8x8-}{lEWMq) zk5hep^D!kU4_GMQ{(F_lBJd`CN+$v)`FO97A7P2pedPFY+~T@@P=jZ;Qj_?sawQeM zTM}%&ySr4gMor*nvM#;Ko z*Yn_ca*s^5a*ZG5&xw0s$KS84C*|Dz@zRD_{G~2re1Z1^@RU%oqLAoWvlP9h_k7al z=;wVO4zA%*MYt`ec;CVTC^}j{Fz~S^1D3`~7ZMN;n7wwAvbo+8m-BQ);byp!gs@Ok zQ%8jVCCViBk=6Nw`0bRKKC~mST~Qo*mvDHy_DtQ_@Ydu7ezFt)>4JQQPj`R7m~3JGYZpN{uhI`k#Eh1bkz zar@sdP7haO_ZZwO6;@D(ZWuRu@Vn`S(*BnVAo0iFwDI9eWToIuI?D40;2!4wm!ycT zoDHKN_szvkrRm~1?e*dIG8c!!R!H_XKFOF9cq<*IckXZfPceUSi3kA&U5Zs$7(&;y z`Gn(@Rbuni4T5R|gO3I%hkR_Qj1QI7Oha?Klod4)3TWs#M495JYSc?izh3O={h8XB z#G0G`CXh6IPTxL(X@0(DU!9}GV6(*6ZFulydj*uv*FdT4!iPt%V(Kh``#Rf%zUub9 zPKsP~Q~E*cBVeYJjcS{lbdvU1X4TO6;nF#PjKJRR6XCw?>B<7cZ^R_Pd)i~?D4iHSVHA4NuQ9<3e zFq7Lm)e~(_P*Iyvo^1)gvMr8u3-b8s_wkV4^Az^G+d>8O)DuP{$(%RS_Ha)QZY{F> z%Uaaf2y1Gw#6oTpkuH5Vk&)dwWjY|2-Vz>RDqU@RLm_4aPavE|AFtH59FV;2B~>J6 zXZXO^vMO|;Khf|@+QIM!b7hX)%65HJD{QNjA!oBdY6j})g6P3>Wj1v0+RTGhD0@7f z5+h73v~7Ove?!p%6NS3%f5$rM?L^7I<_4n`g+BS2d-|G@4Y-$=aVSwg_GPo^abW%N zr|}&ETjlYaqKFOJy6kVNRtXxuuYCwk9x}}?-u>mpX(_N(;dnTkk2Btiw|iH&m(1X( zWf-iW6yE!?Urg+zr9-D90P=ETo>_m)V1tk*y6s1ESqjt|Y039ir&)^7SPQwWxOOGw zgf(w|3=S9kn_bv?#cHq1lUp)4YOVAUN5zdEaHN04V;ixy{Q=Smuuvi%8$GZJeXo*u z@Hk4lJU?H1eC#26(;knacMzeXqkJ(x##p}t~kMf4eD zWa*x%!ff2Qz|JCV*>@FUX@WbHQdTRmL@v%tUbI1i5vJ*sl%HQX0Z860jKFc=4T^U# z65yz4rjW(o|?da!z*)Wi)N|S!uXIU z;_MFzW3n+-XhEu@>2R8iPEtakD93w``Yf8m79#Rw+0)pGTY84zuC`&O=m$Q(z7|r< z$x1Io%oF9E{V=24ME}<_1Z^r0u@C{T@BCve;{9t7*Gj=297LU$b<#q7Pwb;&bMTga ze;mb^t^n3igSLPMrQ_P;PxQukp%)iNcPAY87w6cZgG?z3w@JpeKmF7iIU@H{VERdOhq+^FPK zZ!d6*T+Jf-a`j0X@a0=TY)1~eiv_LW z<*H3}-SUP?B6b-?$!x|u{MLj~fg%A4GP_6QJG5${dQYz=Q&uL4 zog$e6XA>@xnw|T$cg3)V4$U3!CE3=Hk~vL%#=Kn*6JCTp46kH7P>;?datB@kCuPep zhNFr{pBNxpdwVRDz%fYXa2S*Aep{CcGm1lp{MOT_xyVkyZZusih(SgvHx_(10@8_6 zB#O$s_4fH#CK=8Tu^*1aHZK$1-6Q4neE3+#_8wbYD;l#*MFyB%Y#iTC}sO(=~TPO_o+~UH*X>cAGjjIy5SQ@Z?v$d&+RPW=|Up z{4K!|F-NEmAx-*5F>1jr)aDa{kKG&j-peb5$QOM$lC;|$kY&}lTfM@fEfd%GP_I>^ zk|q7QW4*U6r$5Q~#+YXXdIgn$r*{_fBG`(+0}!Dl^S!|`7N(ZQc8>xw?b{Q!YLE$g zC;Z5LwOZ$no1Z|8M;erRh(!6M)49`FU%nYPr}iaaD!90dw5^hCrxjrp19>%hj%Rov zHZi|jVwCUv`kF;=tVj1t`&3|D+-GAd&DoC}8Obiazlp)u1=^*O6?0#Ix{xGWXRcXF^A2PaSgyIcIDV6RFDF3NN z*zh=XFMYLuET=5<2xd()lKi67n86G zj-W$sLcI6O;WIMuLQ?8M2lMb$Cm*BeW+Ws!wSQbq8o!I;lGFYJD#WQQ{WxsQje{c? zc3#MVp3I6Y1S!{V{jq~-RJV`b3R>~N@^_!%Pwj`FzkV*IwVB;I`d%(?;VZ_eVW zIPS~)!$%)W5#3c$JFaQRL<14l{B=mYezWgy)*~)@H`#Ee1H04A;61l|k;6;u$LM>& zwSO+QAGx6WR}d2(%M9>W$R!Eil4q&7c5ExJToAT0N_ z)ZmGEBVFemH~ky@Vz+pho12TxkEOEu`~2AIsyHXt>x7f64elxYkuEJH!RNbwM^CUz z3WZ(Y4}iqe-o*&a35l#3*kWmcB{dwBq}7gbKw z+R6lsQlG;ZdH6q{Q5NAP;S+Bfy=qY3dB;hs?V&SdjK5&{7Nx<+zh|lbxPCX|QtDrF z{70PMoB_;+#9{!ZpxjR{Hqo*fnsZ1R4>tw&3j~%{9~H8p6dYTK+FvDw_PfQbbSBmyd7raP);`Zh_dUH`Tkr89s8~)DpXx)36`sW6%4S5EPoGB;o5k1UaO0`8nn^_m;A_Kdii5S)NTbg9?%T*O{r;;Z z`%iOL4>vu}y?Bf3K(M%j0UyJE1%R9UF+cDaG^6I~lYWO$7}d;L(Zw<0_2m1ttW}1a zl#NxE?=Z!YeCj;x1z(>YOuNV5JRz4umgim-|BCwW2mPRR`h^;;_ocQ> zzVH0SM*sPVg!X4PW`&+)nP#+c+$W$Ik5#VS#OUG7<`&@Yl=Y1EA1M+(;bZ?a`TH(+ zeo>Fj;9U?(3sZMK7Yo+^zUjB%YsSzrFBAjb{Ro@tH0H+zqn|1J8QlNBPuZ`*t8ngJ zLyT7%%KGiBOaA-eA5drQ5Y*5YPM$k_*TpZ;%k@#2H9vI#Q_tFA%Ks?k1F8nqzk0-W zh-q?jV4JOkcpIM{sB&lk^NvY+WQG2{m;5WbA&W4V@Z){YT&-RuR{;TQV5(6l4$b%V z*0NDg>&pM>)a+lK?yh%`wXfJ!5`r-)T-!tz3WxUombHfc^B8>IqXsY$_VBeBEJZAx zI_0Y6*~J&zO`N#q&zDS<%xRbNY5dSE{sweZZ*WA;QjYq&e(031RyJwFqg}zb=crqO z43GrP71>>$6wNT%FGBLk@r5do%f^aWyqGK1%f9`Bgg*#HuHZnJAd4pgAxbv9Br(nU z!n(nL{48A17h%j6N$ZWd*kfHl*162$M?2gb{0_n!HmJevj*~$01ye)8XC5=W?b=)2 zttiQ@BDF`>ts=(jVhLf);@T&-2&H_bEmJR${%YOu{NlFZul5yk0V!d+=nxF$Nh{ux z@%lru4f2kc*!_JFATkvUd>HH7Hfc{?ycG8(1bn!E)b~$%7EGhLLUBp&(HmYB#0VhslRG;*esH2=uM=5sr7&I>fiRg@&c4= z_Uj#{u~D$&KTPvJkHjeu?x4jHh5)RE&3BA0_x!h7tXgPu7`^(pG@P{$Z(mwO5dFoU zqg;LxrRHZPK-ry*bcFF;62kqvDqEH41P>p{^h6AwWn%H0s_a@b;d%M}n3s1+@WA_v zkzOyGciR=BP3dkT06HSi3Ku$b&L>_?XRTmuseb=dQ)bZ3L`;=G z#0N@L`ST$Y-uxoRbZ@{sgzSNTqUI&tl%2znDaVvqY~Y#gEVbXF39K-50eb{1;NKZ` z|K+h5_hKUiJJSsqZVI|@ksU|wB&>SWfESwt8#GJ}J|#XLlRbDuPh7Owwd(VCuxoKC}y>PK5#=4D#2~ZyS$+hRKq`ot4S>yeoU{aJRp3kmer}hXC zN)})=w_}9L1g$HD4QUkKvOMD4Fq@y8R)%B!VxKTCpJ5bvjs;j7+3?CoC-!!Xqn{4fvqAJo|M^B-YQilODSQ?W!=i;T z!wiPFw}S$RW`23?uciSOm_vS`^(jV()7^-A=)ddlc9ha5_*VMy0cB@W0te-5NfkPmJ-K{Lw`%-vcvcXu?WxIa!cnOU6;DSbCF0 zDpe6IC-QBliB?6cvqcz(0~bmPrdj_vX8w}A{rJtf{#cI-O4Y;WUShoqUZ@5dX@5Lw-r0&g6DCU9s=SFcVB( zhe_qPAyThK9DR&xmRJm=s!f2DuiWrj&i4O|7x+)EG%ogx6&F`+sTM=E+Ot*!5nFnT zCL`LeoEF{dxljzNv!jTMhLvi+3&^*_ARgU+ET2jx1QX0Zab17Z#=k`n5zNq{8zyt- zs%Z`<{w9AtCW)1A*oe6T&e>_bX}7V=;gS8Pr48Hbny*2I61O&%`E=tK|6$r~XG+dt3ofx@6n(>tyFj`Ccb!O}2J1XN7h7 ztIltp2|}DWN_Obi2UcXNQ(Ac_(`Nsp-xO3cv;D6(@{z{olCQn=K}eC2lf3o_>FL^7 zfy)U!{`3_n+eYUBBy&=4}tIcB*nO;i+nIRVohe-m3Z{uu?@ zfZuc<8q6w3Rp9`Ma$*Vkec1_F*&74dx9{Ko{oVaKS+8=J=|U~zf4*2nz@S%wm>*2Ti0ZQf6o?L%yr|Itfj=cVNspb{Ib#T4wUEdyf5erz7V~A5)ae z9&u3-mmb+ysw!lx{ZI4^K5aKMsK0*a**eo}5@r8g$dw6l?49X($_Ug=%u*#632$&? z&Ws^7T}eiU1&y1dh9Q_z)yOek`fTG=9xtBOuBxwp`9~37$R{FJlGkE&*ecvv-{f0d zTFs*Eo92k344iK*B-m=rrmAs1?$YQle2&~=UM8*u{Aa8KY$HEOYht?dNfgzewzwe~i_Lh51BOq(n z47>w20+b6w2w>5gzJ9IG$)B5+1aEI23~KfITlH64eJ8Ei$fGL;!id69Wo2I6NHowVI_O*>DH*I4eg^&tjbD2YOF519>IO^!*Dw#;z(_gYmVTdLy zI>ldXWLrZ1OU^zTI^+C=W61bH4gZuFjG;(2=5@_YoGoK?2A@>gwnwCI~GruZk6 z{z<*qbYTY=SV70*FojW+Ev5>A*qERYyd`=Pq^CayR10mQSPClxhigsaZ+wOiIk-4| z>E-06@R5q|c8yq`u0QlVtoaN{%pcbMvD#A0rsN~4Qc$B(P8ka?9#J>7-k5wypn+7K zX+bNR=z30%U59S|E{4dsKXq26*L&6alqs|~&LzoI&c%G9TH>fpDJ(MVhvoUa742rsu9++Z=<|=_?ABIV(s2^fl;x9-ck>Qt}#HK-9jMQi8GUSIm5;}sT`=-nG>9wDfYhxvL&wLul&t5t3O z4XnFIDQZpgOT0l)F+4HLRCE|9V-*3<8%w1%67O%dO4Ixdnw`ZZMQE*<)8Z1`@4L2I znF1FPuw)SokO$F}oH?*vX~jD#Gu++XX+xCJ1M4?;T|Yh_Xz)c_Ft3ZXmz+rLq6)XR zPTcWz4z>KjwYnIT&A2UdD&e{HCjHvv5PQC4QqTNUvS6(biD*|_sxDpQ{EMb39Zk>d zaN5V|d@AsM^x~ps$pHFcTctO?W-xZx;d8+a6NDR38lLnDVw)+ zWOA?-+LJv2k66<(NPRR}wBu5c_J&c^&F8Cl$88x=GUEp4Q_@W6|J@fW)BLwcXauT8Npb^2^@7=b-7_O z5dhxOyia5CBxwZ@j=pNCmxapxn%kne4a7AiX%p^m717Y;_eIa%1@D>21XaZyll?33 z*%^YWZOJAQ z-Otf_=+vm)Y;PjWda5&y{BR)cJzq+UEkP~oL|pT0!(FlmG^K-z=mQ^H#y3=<42t0l zh1T4Gh);`kUMPqIiqx~UalO1Pa%4+ki|4dQbyfj69fT|V4qG*;{WHA1ozqKWIbaJTu5$ddTrKbV}gh;!?ep+mZlpr=U7(Q3-ZzhfqGgs=uiJ~_jnwQmYRk5;&a;K8moqUDW=PLN-O{L?G{plpX55eep-#KQIm z8iOj^zIai8-02FexQ*%Xv?0{lclOed50nj#YvV!e(SM|EUJIP` zGO-LE3#sMeTKwaJz|FY)D@MOZde*xKVtvQjl(aoIl#5Kz!OhomEo#LQiq0VHm;4R*TIK zNIMMCy=$()2X{G>MXCmwA;e@{UNeI#QHG}G$6W|T(wH(vLT$Ztq1+-8Z{MEp-L@Od zc0f7r*OnsB#J!`8Vg;>LCqNbcr#ruD3Q(PQImE6ENbaqhPRC`eDulZOvHXh_!uB7p z!0rx57a|^Yj$a*k1U)UM?8g7j6$Hd(C<(`LaN408rVB^-T%h=h@UG5)8Jl@r#-3aj zM+@nTHy8fmd)tcnOi1je5en4qk*4@1OBeISEVlUx-&~VQFG%03ar!bnX%Up)1&xzu z)Ovt1;XNUUF3*AEUi8M6vjllCuD^rx^yxAD(iR9B@2BCI@zuk<(NFCKquv z;83mdS19YhI-k~As$&3^0t%*xRJd8qQI(e6dOi1FHFUlJPTd- zMFG$~p*9}H%S--(MRJ+)E1kBawGqVgVMb!W#13@+^KJwCA+g%{*@?J>b65e{9RyEI zka(0iZuN`twY4)@_AJ^t{f#F{%?LlI>GVvma_r7tn&*+%@1>3%kJ+o`YD);5Eah$~ zTNRt;jL8k0PaTc&iAcCFON0B@t}HZoiEppwF>#LW6@A|_GqtU+cL!5siGI3)XMZ@HvRXC{}sO%NTLdAP51vG}{_jR(XyiD^QqG3Uw z8@bOl#ihTrOC61VY~{fupzU|QaKZb_){6py3hdynQ<)Dl_bNwj9RgJAD!^kA6&vSA z>`lSqUWlf+MwZgfJnKUEIcLX!I%73!zi%DUyw!COekb;RbOS=$0WxG&vr?64s z>5|di`49fYY)Hgf=Gd*ATy#uCu`z2Z5y3#{H?%>A$5(z1Z&i!r>L9{_6cs^&O%DwF zFF#dgXYA9GV4RGA0&F%1-3LBlR|C)5KPY%bRmStP(1X$R=(jm?kF$(O-a@i(<4m;8 zL_QnR8L>AP$$4&Ei(t9EVk!9WUoHSD9e9(k2>4U^aYQs7`vrMOF41Y>({daoykPb* z47L_SOw1iuIYgt4YVRngMZ--li;^7XSkM|eT2a=ZGYOROkJ@kVOSQd~;r?L|B+ znKRwFp^11zB*X(ABNp3$of#2d$&Vd=b!i)95Td8WF|xHgR!7Hg+;>Y9b8J;|L9_u! z5^#cas!&%wlese7#$(ka{XHF~_Uq&)!#93}?Y^c-Y$t(g3Q=Ukms9hSqkTiSYVbys zF+|g-l{fBD3WHLAybAtr7smp{XPcCESlyi>wb|>n5)HZK^8GTL{zOfwtGyqGgylnTB3(lFCUT?Xj1Eq zjmM2!wXO1Pz~gB!@XSS)>@;Kh&&xvG-KG<^sRK7Qblg3GLCj;^^%VoiUwZ(>=qYwx z_{WO(`bgHooW*Ro)#LGkR<>w9dDL(YoV9>Q%p11*cPcuEC`9YKfw_Fhtxv#O;$PJ` zZbqoRS^|Sc_*2zJc1T4J-s(ag-_R7N2q*BJU`Lf%K^tO_PkoQWxaG-i6D=JUgSQEj zdeOjkp1RBRX4R;UM=0Z7Uo~$kbjsXBz}t;vCRwn@eZT*U%gg!4XYH)+{uvwJHK||$ zMiw4Ut4jgC4*s~%HfbkYZpQ}SnrNP$n9GhfUWV)E(PQ!S2$IP^LWNw`L9}1(QT3-F zX?vKib9`(}_G#XC&OAZL+n&a+uIUt*{IW!#-AKwgL%Hrw-$TTo*LWhzPsq>>v;Q_3 z_`*6EFE|n{DlHb#u$aGzL$RNZf;~@1d?Y;#8x{bQugWOt-6e8fbQOR?^!eNm}olL z@U5J&UaVHM;vVVX5_AS>sJjW-8j5nRfheUE`idRqsw+u3Ul_HWVm}!{;rMoTp0R7W zIxKIDE);YPj9Ae{-uWofRr0qnjn@rVs(40Dzb1mff#Glc%g2m2Nq$j#JQS9N0*<f@)lY9-)|(S4E1`xn(BWc%rA{hvDCr5plSjWUjZud_<(& zkMR!Q*=e2C$a<)^tu~D;9HltPda@+*;n>=!TX8tBmNAj=>66Xu*S&S+7V=q=QNggc z{#U~L%0QgRV4`f9?%5I(PO>gEyd9=+Fr=wc)F<(1!0~1egS9Fz>aAO%1 z@ z`yH&Xet~{FQDp3Y9`;hVUOdKku($YrOgOUmjU`m&^eO$98v4jU4DER%QZM)XMx!(P zS1ovK@V4|15{hOe59>oM39ggCr2A1glPLMhHMxLZV`Zqcp(uTpkYCE-A42B=d;Xb+ z=N1Kw4sG+>^LSGh?dD8UA&>mC9xVOYDGW*$Z_g;^sMEscXd^4jA%Po`Mf_i~&|NQ^6*v`rc3<=MeJ5mAtpk9TPdQLuLI72eJ;zOw8*KAD8r7i1Q3B zAFwvbNGb2K?EzU#H>sOENWV-jbFDFA_NrLc`;cN^F-v|&?_rX&7gSGK1+POCHaRQ| zs@Cc-&BpH8w@W2@1`Rvi&Cz}_7dVAfD5Cj9{$iYg9y;-_=^|aMfhni|T8cYVqM0UY zCH@XKzV(B=YZpA~Q@?TF+l)1mW&SJ>J+W zE1(eZJG&yoy*N<1g7Y*8G+8qPYMx_OSMv!R+pfeU>7|?=%NCaM9L8uoT=y%MhJL}7 zASlF9qKzJxE|OZxh~o=gMz0NOo^JcbI{&=!5`VZ3XQMa3Z=hH+O<;J%6Pyb6wso|4 z@+4-%bIJb%H5+(mkS+k3DdC0Us$@Gd1;z`95xZEF^X)(Iy7wp^OlWfg1+G zrg%!6+20w6rmO2Rp*{*DX!%<6y2QVU**CFGd=>`p&V5t)RBwv1eB82aw?VN|H1=&{ zlXpF^M8Xf&_X2%V>6qS`2OV5=iVkZv5#siQ1!Ei5MlXN<+{$J5>b|2C{Y+s)2|{0S z?#^7iPbT#U&(LVE$8Qdvuh3q#ooX^iRGlMl*g-m}+pJJt9#E*q%JjW+tH%(kS~Em&V0Q&99g z$Ul@A<1O<$hW8{5WaHh{IjDtQ)`{|1&yn!QL_S92nJu?kX$*u(`ncDgePJ70sblzR zNe!7K*5$SDgz5`dNc3vmE4!bqOJ2-ZB$d8lz=Y7)zo_~m98H$`m2E#{nfWXOBPXY8 zmGnrEG|OL+Ew!MW}a7o%`cK$ih}3ewHeq*#%g1@p6({S;6e3)|HEW1 z!$q(0HRVLn=S1o9G|{Z*9g`BUmL_pS`o*2!h4K-vEn*V`>O1?0&s7pE7!5CqI2EJ| znwp;%8|+ci-)LskSxL>@zh0~efd_DM{aiTlhlj`4P^{OALe%W>0dv(}%$Iv9b;7{! zSfN5n(5qP{b);*uv0q9T$l<)dURK+KW(4UaKn=NGR`!|m)b0@B&nxpW1{Wh)%9s!Z z%d;(Yq*-g(um+{6Z0?wG3%2hg^WsB|pFr2-C3+)h#e#8b12C(Z^2ZT(w#TL7*jmx2 zSIQL(_RICZ8ghzjCHkK)c`(T)K9m4Il7D$n7H*lonQ3rC+iRBe@%VFdZVfNb_Gy4m z$v~Z+Ow%2**fm7PZNKc15Bx!BGSn>2cb5Noq(PfIPQA+7)=qF>2yl;$ds5-+LX}nz zKkU8^S(|4SIRtW>gBN_BIo3afwSdCT#g&jLU@@;NH>^@)N? zu{*qBR2BIy6&!Z@g#?4eAZ7l+eC|7k<6PP-D}^2{B4|S+z^5}*tNR<7wjxJ)864?HiOG12)Fkw*#h;$ChX`i;0v;Ba6D`FOQH(Dwig8;`*tx(KQRaL9^ z;R_!snOugfdH?uN`kb_FH|O*lok+?fKh%_+YsrVpg^oGGZ8qA+*2 z*M>1Ze5`TNF>E8hE zOdjfIG@O1)<=g8JEj^mwdxEpzHcgOfYh6moHJTV(zNrz5dC@0!>N>BimvMfXt7?zj zPsR~2^hSMH_0lRpn_IS6NQ$`feVK98-}r^6*YGrC&%e<*(P2+5@bO2yq)`(7md#qw zw7~yiQe^?1_&MBm_$zORc8+MiHx}5hAkXDVE>6z?_?Xfuy{?+nvRDZMZ+F<|FM3ou z7%d|2dajP=wvwrwZN9jj@>_%c11xsVN#+ikd~=tmfWw2yTcal;zO8%Bb;*Z6j$C7H zX6Wnq-QZ+6<_04mK2wEIx`)z|8gTeaTXQ`zuU&5WTO)N*maO>yaOD0bAe~^MoF@DF zSHRidncTi~Eicn6^CD1zqd2kd_I*jRHXoz=nBC-L>JLcJSc4Ypxz_ae-O1GSDhdB( z*)hp%MyezZ4iELLd|>WLKCZNJ)|7_hp-TGfO%#4q}5e_Da@p9=eF*1;lg21vC9v? zua0Z{?uo|@@f&g4qFIOZ(7lb zW)}IjUnvm~s!zpV-H)^~FLcza7_$F^FDG=;VgFp=G(xD$@Qe^*#8Fa2k1eq}nVRCo z3Aohx2NA90L|AINLqgH-8a|JhNk{rN{lhl;X>KpJFR;NHPlK3PJB}i#v$JdjXkGD- z%4HD;A2pD>0-jT67`&=R6#tzHB!$%p8O2oC37ZENGB6UYy{`N}B4P(bkCGkD zw+9MOnp=RGRyapWakV}oFin+v!_0WN6KYiCdO5At=qi5}|3Bm!P7wI|gc`mEuC2W& z!P75O>(?COK~>FYSUOQd*ZPfC*(s;V-25~2>(@E8Z7&VrUAeHFa57& zBwc{Y&riN?NRix74hQ?`Dx&!B;Q4x#8O-)}^EFFROZK8_CZlgbaQ0AD+-uH?ZU>Le z9mube+wyY#J%a63>ZpIgT6H8C^^bmoLt`@Knp=B^vBhD+#5zp^S(r9=58KtkgG0=p zDl~DlN8%n4XiOY!JlYJKJS;RZ-NW$2DG}jWoZ#C*ureW-AS054AY;dH>{dIl zBM9v0!9kB0x-)j`gJzN+H8I*!d0dfP)&r2u8p6U|Ga2jPfa{~&m0u{0x-cObwZ zY7D94IPQ1}CEGvP(=1}P!{dqLYtv))gjZ`tYMJ-%M5~5kT_|_U-fuanMBt!U?vld0 zx20X?+dj0TJBMpv1cxxi7ZpNm#n~U6?1Z+oXxm%yg6B*@#2lDuz-|#a+2Ggki)hnW z&(^JZiu&sKF0(L^-qTc{%e=^f3M5;}3%(#4(V!O)dMoajc`j76db zMmx;?6M)enawvQ^ck_a1{S3H`3<#EB=!?#Z@)T{*rN+0K7@1A-+m5jZviv7 z+QZvxG^~0J8@Z`=Fuqo4Bx0BEx7gat(Hhb(Hhs;!xKubsZxV@MP>;gcQrdP%7TPhC zh>(u$7>&kBtad6i1CFaC8IBP!k(P_6!}f_Mg|U$JW$f!SA-Raj(T-HT3QEagZ55IC zhv`se;$d91zZW91rRYz*&I@5uk7A(rj!N9oAb|syz0hUGJP9|I8gMMlIV0@7*ip$0 zCe;t)r+qHkZ^6r{7!qO{8(|}DcXWW4dZ95d=*gPIKiVtni2$?qHrs%47fPvy;aO#* zT;Ug+gHM|&R1R^8%bqA{^PE+}4a(TQWCr%i=1e`zu2#9375(J@4#Xl>4O3Gp`+Y$g{sld2yvOrw)fvqVh-| z=bO}p;va>&awh+7!uDl)>+>YPa-5;GVLta=Xglf)gB9aI6~$Kdb(0PwRp^oK33uYN zDlS{E7716wchV9lc_gI3s(mE;a#un)y>64_+Y8mcp$Fc9#Q1<{iZQH-*E?vRNAfMmJ^h7v7Z0A6sj z1mT|mp#QwF6&!!xEB^7d?QZ>`VB?}6aC4Zt-E^(`?=C>@3y%use^Ww9?2T4>@mZ}R zWbn?AkL6YT+amBj&!Ph~Bo-i8to6lY_&Nu6qU%I{gg$8fcjrq$j!E1|MTHj)?%wRJ zG=fFIRZ(tD@|ODFeY*iN7rPwxozmrIx<_v)FkQ0T$MXI@3GzrvH6LvJAK#(h};j zjLVHEHmxWy3m4ui0f~*XN>E`t*_isJ~nm-62iSU87K6|r|CT3 z7^jPBzB#+xIZchEo*bWc_NA|g!-cRfKX#l#S-x3sLVvutYt{2W>_^*c9dler-a6wM z+cVFdm_+y|)8spp&v+21K~sI)&sSX4D zlMMTlBT|?bJ%;%?8|g4wsJmh9)r-ku7E;-)zV>WY6dLVo{{%jc^C3!0di(CP5b7#~;Aqc<#7pdQvw zdp+6RmDuPGoG@cQ`^$oyk{7xzj{~>vGI9%b(_jJzeSTh}?Z#6A==@^4 zuL~y3*xZi02*yK6URz5N{!uiB5|`|K*M!JZRbS5DD{7tVX5H3SEG5kv`s91ObXO3V z8g<e0y1R zI1U0nt~~L?-P(*=Kf)U!mJUOaJgIb&s89qdxq|NAh1F+M<@wp8n?eRHp2MJqs58dPs0PLsu_VD-u%=2+#>qGjADZy*KD^6cYY~ZCxROfs3ASQ}(+W z70h*Ce5Gy<-Qn_3^Jvmv*LowcBP6cAIq|-?s2hBi_SLgx&ib6_G<>`8l2YB7EE+xf zGc3~Usm#hktizkxjg=Y$oKyn0SkEKAW}ti8L|OYS*V?ut?3m==-X}^BE*?gBy1!S* z76}9&SzBC~>MUj+hrCR#A0j9^v>n~n;2bsBDEYIkE*@3P=VIAfyg_eGNlcHjMxTR= zhtJl0Ba!$Q+PrD|)kaKyA$4TeR|*%@0`7iAxV|YqHMFc>lgYdZh96M1_dIxijCEFBU*(OQ$pQNwC zkdtM?#Q_^z{n1<2TJ=Y^^#UHZ3N6kj9Y~<$vc}f8xm@OB$%V}uyOR01Z#9oBZKimf zs|t?KoxGSg4-s{Dtd2%Q=&94CgH+ZM%!lC?I{dYX3P-K%rApVT*dH7HT*^L1Xtwz4 zG|Y`Vck9(#>j$?S@|4u$12vDv?CQL$mVd;q(0Q*LeGek>YX5qjjL2h5J@A@{rWe>V z&)iBk(@pC`;LM0KG71I4zMld(6WnafAKS>xyZVM+C5Q6_m;b{BP^$Z^W^!i^+Sq?S z*5-+gFDaPxy1*DE)C;|_^qpEWZ&lT7(m%9rYCGEi3J?-tT*@ z~baDfw{}<>C|uKO|TYBbL3g+Xty1&gmM4+(`?ES;~XaUmS`L*%x3r=eA~>h>?NR z_H}d6O-X@fJg)D^(spxXuhhVcrN4J2o;Ol^qQTJ;6X~?`m_YsF+KwaHI3R!@ICp&G zsm&4WDf1`!q!{rET<+kookh}@9~MC#9Q573V3E(8a9bs8n}J1-6z*ojkC@mWKAvyg z-jvX%^JP30KjSYj-x<4l5!wa9fmbUBpP3dl*#%21f2&Ux@Ts2JYl4!pY*}>60B88U z&3K<;hdV_&oiku!oKxm-F+vo@?F~6d^rBoPO{7fXT=`96S*Y4iYsI9}eNVBR{$Oky zbfLrBiXKUl#5q%fme{~DMCJ0uonOJXEiaA(uOWv`B%eR)GV~T*wPnP(za6-JTWNA} z&XnTL9R}3K0+`ccy|X$#Uf}XUo}(%?7CzUnAV(=saWEV(ap0m6U$OXBIC%uqSAQpg zMKlBqMmiVp4hgNnym;8pGiq%8{$&YbzRd&YV{uPER+$w+Wp&KrhSSqQa@3!!nz^IH zb`IU=LJaY)C_zY!xFTah0UQ2!{p0!GUJkRzpMee!^YvDkbLip=Rj%7Z)j@NnK^dbA zz%wRO9F9UN{+5w(*zg}M_FSrtd>sfNSqnAFZXm)*iHYIMY}>u$LZwA7so=nFlIs)s z2txmYX|{d?(|nz$U`M}EkLj2LXT(W&0=SFV0|8%${74XVoYDbgFpgepaB_k}!HX4d&D%7G4(nd7VQ_sTUuzSmLl5YRe$g{7O5de#hOx@|A?S=`)=D5?bue&D zt1i!s(FH8n8G4!ay4_~~@`ea@Ubt6{wO~In@&A_ef3Mz z365@1rATzEm|~=_ff3*MX7~L*{jvFCF$2Y=kyHa$yOYenohk!Sgc@YK+WN)Qli#B5 zaYqZpq}K>&HnXy#CnO{^8clxy5e3fou)>}(vi-P}&AXc;np)bEIbzQeczT<&nn#{3 zdtcJf5wQKjp;7)nf)M8NU~|fD@yLX>o?6gv^#xk7&|95%#_PqHxX4v@st67Br|`Q* zm$MOg3_9qiJO7e{PuvUtzCMH@U*&|m&x75;`d1>O>By*;#W1I*c8BQOF&M;x(||cQsaj65)a`22jD~GJQUKIpT~fOGizexQivy+JwV`jqx**gdIA)3{i}{(7wv2 ze+E4Q`q{7h*Kta1(76Y0W6V!t9ah&??WC1zs8r6t#~Z+ld(I|MagiHf2+-XI&d!4C1Q{R}Hy~iIyC<|HV|xhip836?bPLRnw#lF_^%Mt{2^+5pp2(?Spht6I!`3y1xe^xp^s3*~UzKfQ> z;oqi78nw}A^9(e&l*2&94+u}=liGQDNekY~malSf=vAWV*r%|~HDdaYx$5hJ@mU!# zj~)}0{?p8`k9(^AmhwJdD{&Gn@Q zP|$a(Lnz0pYI&GY$dBnUqVu5cCg$y!G4oM{8S7~|!XWwH(x2P^x?))p?uzVkx{B3l|wdI%d73)xaF5%@i z6(4^U9JioKWjH+OXHwE`bFy)*8o2H~4jhFErYft8P-}CuE!`0o=w%EZYj6fD?2)Pr z7zfW%FuAe5dQ}QuAK@Rjc5F`JI}fy&;I14s5aq{ph!epX-#?vag;ezJbraAg&~}E3 zKGCRUAL4abwM8?QznN18YB^>9tZ9AT@p2vF_`MF+4bgx1F8g2F-l;*7BXS8N8=a|c zHI10YU+v!7HE0ZQ*gY`~`#w@`zj8!nbojPOa$2a;2C`Cqx5fe%?xOT{JGw7og&OyR z=DI5t`@2L|bNhA1@aw10hoHk>%DRvqh@#$;Iv+ zPh&p@@6DxjyucAGHsn}+V!Em-_-OStL;f#)&kLSl^^qJ2|9qWB_vBWJK}BADlN`~P z1+RT_SX#W|xxygcYfiMiSE<0DGBce#?%~XlsqQB1jw6J+BQ9|?C(KI^H1{Lkk2qHf zEh37i`htO~^{Cue5njP#$fhdF?MlY2I(ksybOq5lmDRmWU9q^mt=#VW%-&;Y)F-;3 z{3-Y;%r>L~U=b5mlDHR`DCF`fg*+_`Rvt~X7y6jCV0l!_afLF8Z~O#huAWz{RE%rA zv%T@Ss)K;MX~&HOq&dRixDo}}LG-~_)_dG7;JnA}yE;1b%~@mp(KXKqped(?d$Mo_ z`}?A3xQ+Rd55)A%0zSuVz8k@sznc_#({ex|6T9 z(9L8zy#?}bT*s2$2Ccc_7GwkbQ|B!cmRp>C<2%-R2gvX^=)9zK_TQfhsBgNQkjBD! zq|TQ3?O4_{zH4B-kU97jIfPX?8soo+5q@#~iXnokqSJyVan)?h?eR?A@C+JA>7d>T z-|gORb-eSgRb%W~XCqT^>$B?Q)lS<#i!cNsS{cQr4^gMsztanP(|TydfP#|g(c+6bd~OJ0T=4}r}flx zPSdkp!*3z=d_G4?$RAw-`Y_Mqd;(Uu*tnXI#&KoYcX-ZE^om$5pyN zm5Xgyz>sahh^S_)9joq>jN|bhXPlZZUOf}=bq;g+YGo+p7rm!$!3XFBu{A!BpCdFc zdMIE|6sx^Fo;|!I+VK24%Jfq+mAF7eL`r+=1hB(!@`t9=$sBwMw@^O4z;L6W^#PkX zPEBxqo_bc16VY@QLNk?&o{xX5ZZWIHDsSKQQAC~bX4-}m$~%PAx|D1$KGdso{_yC) zsSZVx-D6n5c``?ct5cGA|JJ@11sO;!!&D^NM8h2Q4d(UOm+9&bnq|GD`I*@U`Qgwd zN6Oo@Pww7#0~lQCwtz~@ZtE|5Eox%Z*fURvh{NHDDG=-(ot8l%CZ64(!0P&}6NGda zd3H;oLrRo^mjrlN#!)$%PL|}u+|<~>^VS!FKfCq%RTye;6szsIT6;Mp-0Z!ok!f1- z>FAJRzRgpR5JO9ewFI%o^!0P{yR{m-N27MU@o4>guxGyC#%NZI#e9`gB5J>D7DGt6 z`qZ=$8zQA~8y)DuWpF)Qhj20#Tj0WU8BoeCAkfuxpI%#>p2aYP8B_7eG|Yn{i65I3 z;@}4K$;63fs4%Y`;iVqsjxkesPc_a!6My8%?7c0k!O;7lhF_q0@nD?A8ir&fo3D3h zrqGP96iM>Zecw{W-dUOb&1k^cCEl9a%`@Qjrx>o8eUM%+$3A zPn@8eDwJW(=Ew?O_PvP*-So&2@e)7U{1f+{@6M`?&buF?pxOrFNvbMPqRUzL_dpS+ zb0}|)9z4Ji=^;P&{5R)B-;6Yey=bFM)o2)Kj`obWFp`ez^aDTor{D9(T#Q9$ie&%HP-RROJ0~9#1YD6wCJ!Zcpr7K@EE_;apFX}Am+@48 zD1S-H-A6Ag*wn@DQ*tG-lkV#O{Q*kt`4(l8G7VAXQ;TDExIz>UIQs)p#8)wp5mKL++*QcIN`@LE>lSbW* zd9ESyYkLF&_DJ9OppBobthUPvxb+tO%O_kv77K9TfWEP0{Zl>)OhGbwUB>`x9M((q zzQ{9Qsi%alElyVV&)O2hS_9jk*4puP-_rUuJVsIlWu<*d;(SH-*m6Axyyx#o5uU2| zUFq8_Obypr_4Dt{Z!hQPJJ(X0*kVZZXV{a!IPJ4RnBs9L_eJC`b)p0aHTSinC5KE| zG+mOXK9F?)wqwjag`BbLzn~dNv_*9pnzDLt{}omK1{==GP#80kk}r`%<>w- z9M3aV4~kBgDB8^WA$py7WqKgs09QP&eaz$S%WciCe#URwH-GvJPNINx)W2>Wf=KfKN_q#(MIZuUn-F?c<;egM@xaTx5@@=&vF=f=6dNdW-6_=ntf`$RW$L_+NudcWsGrLbF*eAK*DSZKiyymD=O z&f9tb(G3gYcZV<)BRlWmhkMmc+c%AUvVbomOomMP`EYrLn;p)9uh(+FKc0k2_^^q@~8-lpQ(>J2a7( z#kfzqSMI0}-W&J$IKGp9K>wn!^ zc-Ye5y~c|yDNE%Lk^z2Bv(Z=;9KP7cXCK5I36q9)XJ>fXcuq)6`mYBf*W8yKD@axg zK0lJm@piZ|*-9)$#v({o-#?x+fC&bXWOJGGHrRA)C>5&ngG3;z?4+on4_**Brn)mX zmb(aXn2;j^Q{Q_aqOM)$r5zCtmtM!r+Cz{YrDQIYg&G&wdWx0CnJvS;a)DvJKU(B(@k-C~LcErf!1h*T<2OG3+<#*2;A7zo28E6JzZ|>iMEtywYOrTk2jf- z0W`XXdv81YEBaGTc}*jy(|7*l`U)rlTn2=CE*$msB52?2~F$K`Tu8_&@O=H-eaAtnfuXqR& zAs>APCv?+7ekoIH19u40xp1EkN!29aO4`D|7%QXE%k8<}F6R*;~>^MO_YaK~VeB~@|lho-981z{@N#ToD!}sm)7Yo1k$>_@g z^KU*hf6Kg&$TL69n6om21NrDuvV`Su9L3Ll8EYoH!{MrY51%iSExhBdA;G_%&_VIC zsPc2Jr-wC^giM{q#?xhb5g9sisq+WP2@byr=E+h6P{Y@1_Xwv>F@iuSD^(U3)%l6O z>sI`sHHS)+@>OaHv#!bE6uV0;aDR!INr0*%duXnVCY_B1zc*;bpy&C$=TsF(i~8_( z_-ZK9c!~+Q8>fDzoFUaH+4@)-(mAt@<|uS=7`jMRH01~vhSPtX*eBXKYd@y zalsW0&|ba%D+8@1DXrTMru&Yed*VrY)LKs@(_zM5Nv!f>oInEc88tkYxwQ*D2t3Z} z&~$P(+FiXGNVMCIhEJzkPG>6_Zpu^_E1hQxHPzI0Bx~ky>0^ z6DN4-mu(_@wpx`YL-x3{<)6o`^&zao75Jpd!|#N0?dx*Vc`Kuftve{9wGCq2P=fmF znEF~ru*@~`xEscZKsmw$xQSBqh^~s1ERRwmXCO<%zxP~*c zKzzj^ov%8}0Fm!!Q(M*w(u@k@cGs*dp82>rWL`YsPmfcdUY+u(Vl`M#FD8ehCMey* z?cD}6?`g*5tRX6-P1Pz6)k})mvD86w6CzkyIMANvcAD^+yCx2whrmeM?CxRcOQZMV z4^p+eh3C%5Q>Jb^GtTy+Ojn<@dTFqEx7+MH`)$z9>`0>6YXW|!OqU5%xt0i|zk;v>6w3O6IgNk0P9^%e)MUU2^FolqTKV2Xjfu>qtR5V4dDDRZwu7Y9 zRR14maAz=G3?-=2oTqGkugbNNmjb%KaIXi4gL_Fk?JXS{Z2;|!nEpif*Y?Kcp)b8I z|Azg#nK`jkNq3h-JU44TYiL)^K2IYWO17e_@lCfDu={8D-hiP{1TJ4It4U|AyRw}b z($U6yfSSMTL!)ww090rqQThxc_Y%si`)jdhFIJKIz6@0sM^ESbhW&PAFw0m*&xl&bT+i|-7<32D8SnDii z9nn9=^c|Aj)p#^y#*$7{EHD^gd=|0z9Fr7V@X0qol43oD2JLnhlOG-)G|=12P9PK0 zK@_V+q1nosGKPY7fzYwOXLNljf<+KCF^LjM0{zyhP)d+KaC~4vm=}SKeB?R z-an@X#k>#uF`C6gk{_Ogm>VAki;JI)yA4;lEoq#Z!6u4RObDs>%$z)>l{GHrXMb;3 zP{2HO=6%X(pqS5;hGY+&eeKNG={{8RW~9=Ydw~nk;sSw}Cq0f%MhF5DXm$ch*9y|T zuI#}(gf&Bmd%1O37n+KX8TZ4rk4R}3s=O&(Lei~9do3F(Dt6};_wW`zDt<(G3suzy z31pze`u1*6OZe81H?|XOK>wkARYTv;$UQfH?j=oBER3%B?_ZB~mq(;~4{GhjEEBmG z&BiHukbw=IU5~2kY%>T#_7#0p{`h|R&dE`osGn8edQ=Ed@b~47T4U)oS+f;sV6QzQy8EE$ zHtp@?T9F`LUP5L{ex>t}C0RfLNC4a|DSeA(uZz7SH#-707HMk6{$-R^A@^?c$`GC$AEY{BFZ~vIDr?@T-&mrEP?C z_LGC*bwgb1gOdOK^f#+zC+Lr8FZkl#3<^v!sTE}+_?M#c4kd<}{_YR41$@ydNe8|i zkih+*@qcdjJpj-I^S^!qK`k)+PjoUa-Ty}_5BxPb!jQlp&FkNSuM=>ev0u%C^?3hC z*#G_-pmF-gI{?1$jaFM<3)}#6wYae(`g(j42G#ZH(7!(RfBpR2aFBIfn{|-%pzv60 z2-Dc?UCY(v^hY8b?5~jeU6o#QeE@Ajb_+uB?$mI2J?f&)nRb0A>+R6earF)9*5f7h zO%-qQ@mnwT&Z#~)a5E3PZH2l?h^^=HB+1~~nXGAT)yAkf`uM~uE^%Cm5&;IvS1OTP z*ufYR>Fx=5v_y}`{ymQnU&x*$zRMjwwS9Q2Xm}ZWylB5e8{+Z_$-8-?ZaVQ;yNmU7Uh^gjRUE_# zH6GL)e0#r|mA6?@y-!qaJ{SNf!<;@e%ClWK5P(xDhU|~>JxIoIxw~@(G$s5yDxTQC zxjhl~kEUe_%+F)X+tmN?S$v}``Q5a{TKrG~O>_pH%+yoK7F&7*>Erfwbp$x%yfPVgR>wWN@v- zKaMQo5!hTA>?D}|$>q*eyz3kp5yGF+XYzfcAb7-}bq@5n32~ z&NrC)+_vLMQ?JkZn6TVVwyP$rUN;neD@+lBAlp(0oTB@WLG5{gx8ZWNmTNUfhU{`Mn!5#CSQj*+X};$BOtXOxW>SF1|Nf4SdvELwX$+jggbg?H{^4OGk%tWv^GgSR?pV20 z#h>1NmH6#Lyc+>FB7>Eny02YMs@s^}QAnk4mMzTMqgdp@#hC=vd3&#)UbLrPbm>r0 zQi9X8T4s{`%ZORuLjRn?{2ZJ&Q~W%g#I4=dbgWW;NB1>i+`e?mf_^3y>>LqlZ0T4F z^88DkEl~y%1}46j?h0mH%RJ|w`7Lbm0X(-}L6a7V-d3Wm86+HwbbFrR-vvp1w=!la zgEn$mVau`tHiQh>5~U!ap<-3LD?Q8q{uS%M-_*O&AiZw8OBfaKzcQnL*mIvNAZXBn z-V`Vm5Bg_&mhzlq10W>nJV-Z5SLyo|3hie#F6jkvVWeSl&`8JMz9_3mAv#-7jG=A5 z&dh5SmQDO5(<*pT-}_SJzxDydWC>n?DI51csK@8O7O7FjgFZW{AaFX@hYszxZBYX5 z3A&72{+{ulgMU9*`KL^d!Ys6Bas#*fRCkB4>or=^%PU?3knAm87XS+DW81F*!jR-2 zQCVX;KP;#;vB)})7&z5!JUdx&BW=A2A?{t4_MYo}bmDK{&_}ck^jlL>wGXXQmwzp} z%AM|_K@Ey@cP@Jg90?vpE0{7oS(i)J^PBKN@Yy9S1;#XFU68Z_8T8$Eh(22er z;m|}ae<=XD1Xgs{2MoAxd8wPEhUGuHDf^lW&Z?Z;eM)Df z2w%K^l%sLhd;>vPCH#~Pkt~_XRCem%~;(PCl}ad&65R0fk!!m%-_Ke-Am0 zD^1UV`F2ObihJGD)0bU8em)dpTV>0g>b%2-Rxtx)HdEBlFwFM5Z{&936~IhVGox48 z-^?*vD}@qGwjxjd#$MJz(A7-AR#jUoa|^@4f&ddYL&vkhw@{Es@Mm8YB=%*;2-02@ z$Z0ss>`^G3uB;zGLRgtdaW|&2zq=c-LW1vIZ6^;OOvt8 z+EHF4N)JBWA+Pr9nla7!@}XN4N1P~&=s?q(dLdy$jMmDY4f1lOs@GHNT)UWtk!5#K zvpM-KQ=a`IV4uUaC~NBE90DOJ<-V%#FNmxa(1ajeG&mj1W}>0Wucatk$L)0+6-c*? zwjT~o2p#>!DT>zA_7g}7+HR;A4iT|fV6Ay#xzLmix}`mq$CxBlWe>w_8G7N*;|C)f zvuBrj%~5(%zRyif;E-nhj~QQl1K1*#3A-xL+BuWyN>i5O&q*`P6Tn(-WLOsiRBqs6 zxcUg0A}gDk`d<79un~t3h|#KgjoJqnK6de`ZMzf1{zBGNR-KwyJ*EOw8?Sa~Q(XGQ z`j{?^x*bCiSxM_Y=cYlUI^r9b9KTKohYrj3iq^K-BoOzd97^boOzz)5exZ>4Tgcs4 z1r_W)ZftX;1~L+`j8&RAGL8M}rnt9yqHb18>B^8so5#iUYZIkON@9?|@(S0S@gxyC zIUCqGw}UgX9r((0|G0U^1UmPVa7?LffzL|J>T5fynMXdy#^A1O6}GOzZa zgbswFOB)7^&z`yF`dq{zLy209QtiHanyfU1C7UwjqyOsO3-;~{iF-GbZ+~)0p6S8P z7Q6xV3XSQdmAdP(Yrrcy7lsDga`&DO5)?Q)h#9XiM0AuI0$%Vvow_ zm-W>)9>v2DvdPgoH|P)*#PsxC1T=H zBBOb_LK8*O5}t6aRV=~U8P1jG^8Q-uu^b7o62QrB_KeYC^MFXD%0GfvXY%^^P3CYu zU=~eXnK7A7@paF9)fUP_ZOqe+E_hW)eCnO$LWegcZlLdK*^xr=9uvF6U4hA*CjN3A zs&<{9w5jJWjY9m>dfHn?>|Z#0ln9oZVVsC*%+52;)zn0a4Is#mHjft>f|RI1YoXGA z`!0}uooHh6yU#rlw7q(qxTM`AjcK5&GxR0ago9+|&j^*qs+YPEp=3Bz7ORb zP?A=;g+0!`usc@~)01?0el)dI&nG(U?W){2TJxk)q>OcCA%nfJU+(ypxU$4~kv3*n zZ=)x-%|O&Q@|`Ag-1r_&}pT!h=;{op}%Y&{_cV? z6m+JThTYda*3x))$2AuLFE!{IHxrjDpA@d2WOA~76Tis5?~*mtcCMG~qT}N&tQX^+o8{yk{a*DgY0Q^()PS+%BP1N)Mmg!06uwTnr)9qyqM- z3|&j`wG?fg zZ(shP?65H^Q}_9cYhY9R+`wQcrFe4;*DItDjAp835Z}EObMOYm7r^~0QTO>5@KC@Z z0Y8tZS!;^O zQ?+rPJ`pREeb15_CFvWV$W|8a0(yDyE?=4@cAUrDU1>3C4^qk&E}3h;V-2<3lV6W1 zLD!2)&DAN*a|Av*r8Oi$d1+7B3`)`N4tBn5(e1Y|2FTVtA=?=fc_ppoHzzV>%JxrI zhOm_#aTsk^pKRMpmtt@x8g;xL8g`WMJvi(d-_jErF;-wN)$#Bwj^)RC{FN2C+FOo6 zrf?`ysQg5iWWD;mpe=~N@yT(q3B_OxpFA zzm54gIs|6dBK#E08fsH}mHDezTbhUHH3H6UDTeP9vP6UcJ9a6P35>5xgtCF|^qArc zS(4-1$%X+MhAAmCH_&WX_Xy9m7LQ2}sSA=48!1=tjwwC&cnum0cJ$$Lqw6;5zJz&v zHP=06m%B&O_AfY?YaOyv&xmI0iP3T`l2?&;!cqD!DMPU+Dr0LXcY7Whk1D+eXF&)T z4=81e8QBzvQ(kMXq=*APzF(vgzTj(e_=heLF_-F_^5e5Fb9;oOSdLYjzsN@%YGh4< zWrB+eVtb{N){ksQ9s>>S>L(}b?dc#APpwv3A^9+lb+{wSL;V3`D+4M4y0*4A{J;?`Bc%G+K?I zE*30VO61|&ZC0msC}UL#gd_9Y?(H|&;kJj9mOX^bO*Fdgs=JIN|F7Nn)tp1Vz;An2 zY!mJI{_V$%1x)I8S!f!qFTvfY!mr-=mFNmZGE+C3U>Id8%P%5XYX(>TY}nIs(<2G- z8PSZ2JRahsLc9@bClYP=80XbhTQ>U~w}Q>z6YH?DcrCb*?dEiVIt-HHo<#U$n{^lz zQm(4x)b|M9u%UFq+zTezildkFbWZp_P7&c7T}DncVkRONi10nDlxT>K?pry2%F)qV zc)QV3C&E{rb@pmK)hDCxs$CO6GsvAA1thzi#?|$^Hoq`#1=}NLKWOU0De_q=I>L6J zdce40$3LUOD&r~d=HW@4>fh{)hr;tmPi!XA5!Dr|bIu`1LarE&w=aeSngdYLHZTL!6bXA-oLmx!V&Odt8Z|nN2F7Y zk)t6&5f(x53xEeAT$5xk)EneCe7=9wf5ChYS5ds z*WXYoIH(5EHvtwzqd*zU$u0P-mMfOh6I>C~O86ODE;Ig^;_pa|15NO0*A5PR+%?_4 zTi}8P4a_Amr+d;ZDF3}SCrf_E7tjjTQOw@L--J@ngx58VRN z4{9mhb_xo}U?8&Kd0;2v&zYDg;CJnMIuFM=?62;Ovh{cLU(pP^Rx6SWvXw;hr0kBd zwS;`^TztkDzC0y|M@Li9(!$9jRegB^QZW1$x&MvPOrv~GWNtlNRx`=a59*f4;4Mq4 zd2RYWD~!>gBxAwMd~p|(%Z%@Rg;~$z7`8|R3GtgW>D<@1+iNKt@cAFWVBHW6d>ec` zBFQZ4Ep8(3_koF0CLzjC<*a@zUElel=*>A(5ah~3)k`%{JUv~vJw6^CFW6T$NEUfI zn%7L*Xle0x=v7d$vrk(AQZYE&h{gZJ@c2e6gU_v%p{%U5aTt4?HCL;OBAb~2X3Do- z6rw$a=P5lpyUBTFN<)<9Wb5F9BTJv1w;Y+x3quhGcChvSIu)KWmV zb_zbr80{aJ>Rtm13=6#h%C}os7!ueA^I}PYI8ASFvS}^ zXy;usJ1gbCv1z{SzX2CnL`gU<3GnprA3XSTMxRU*2G6(->iEyL8bmridUWwIDH}*O z*STGPM*Zy5e<76C;Os}3WN^G1()c#=AMhpm%YOi(6D(s?U*GkO*h~*vuRp&Q+1KYc zrbtxfMGP}Ad=A5^Fe&q==9?6lA?!o(CRk1fPAf$HU)m&?IVlV&`1SW>cXkeiWSXt? zx{zR+`i;O%z2={_o&4B7y?gwohkunLYilX$zHkY<)rj59WB1wb?Jic@qD| qJYztVk^g0_{P(;6UqyZ2-o5yhbfkH+uKor7`ywtURxa|@@BaZn09=Ov diff --git a/versioned_docs/version-v0.21.10/contributing/release_flow.drawio b/versioned_docs/version-v0.21.10/contributing/release_flow.drawio deleted file mode 100644 index 6ca6b34f..00000000 --- a/versioned_docs/version-v0.21.10/contributing/release_flow.drawio +++ /dev/null @@ -1,721 +0,0 @@ - - - - - - - - - - - -
-
-
- Review release notes -
-
-
- - - Review release notes - - - - - - - - - - - -
-
-
- projects -
-
-
- - - projects - - - - - - - - - - - -
-
-
- projects -
-
-
- - - projects - - - - - - - - - - - - -
-
-
- Organization Webhook -
-
-
- - - Organization Webhook - - - - - - - - - - - -
-
-
- projects -
-
-
- - - projects - - - - - - - - - - - - -
-
-
- - Publish release - -
-
-
- - - Publish release - - - - - - - - - - - - -
-
-
- Maintainer -
-
-
- - - Maint... - - - - - - - - - - - - - - - - - - - -
-
-
- metal-robot release handler -
-
-
- - - metal-robot release han... - - - - - - - - - - - - -
-
-
- - no - -
-
-
- - - no - - - - - - - - - - - - -
-
-
- - yes - -
-
-
- - - yes - - - - - - - - - - - -
-
-
- version in event newer than release vector version -
-
-
- - - version in event newer than... - - - - - - - - - - - -
-
-
- - do nothing - -
-
-
- - - do nothing - - - - - - - - - - - - - - - - -
-
-
- Github Action -
-
-
- - - Github Action - - - - - - - - - - - -
-
-
- Bump version in release vector and push to - - develop - -
-
-
- - - Bump version in release vector... - - - - - - - - - - - - - - - -
-
-
- Open pull request from - - develop - - to - - master - -
-
-
- - - Open pull request from develop... - - - - - - - - - - - -
-
-
- Update aggregated release draft in - - metal-stack/releases - -
-
-
- - - Update aggregated release draf... - - - - - - - - - - - - - - - - - - - -
-
-
- Integration Testing -
-
-
- - - Integration Testing - - - - - - - - - - - - - - - -
-
-
- Merge to - - master - -
-
-
- - - Merge to master - - - - - - - - - - - - - - - - -
-
-
- Review -
-
-
- - - Review - - - - - - - - - - - - - - - - - - - -
-
-
- Tests suceeded and PR changes reviewed -
-
-
- - - Tests suceeded and PR chang... - - - - - - - - - - - -
-
-
- - publish results to #integration - -
-
-
- - - publish results to #integr... - - - - - - - - - - - - - - - - - - - -
-
-
- Release metal-stack -
-
-
- - - Release metal-stack - - - - - - - - - - - - - - - -
-
-
- - publish to #announcements - -
-
-
- - - publish to #announcements - - - - - - - - - - - -
-
-
- - - metal-stack/docs - - pull request - -
-
-
- - - metal-stack/docs pull requ... - - - - - - - - - - - - - - - - -
-
-
- Freeze -
-
-
- - - Freeze - - - - - - - - - - - - - - - - - - - -
-
-
- Freeze - - develop - - and create a release candidate -
-
-
- - - Freeze develop and create a rel... - - - - - - - - - - - -
-
-
- Large integration suites -
- - (currently owned by FI-TS, not public) - -
-
-
-
- - - Large integration suites... - - - - - - - - - - - - -
-
-
- Run -
-
-
- - - Run - - - - - - - - - - - - - - Text is not SVG - cannot display - - - - diff --git a/versioned_docs/version-v0.21.10/contributing/release_flow.svg b/versioned_docs/version-v0.21.10/contributing/release_flow.svg deleted file mode 100644 index 55cdd493..00000000 --- a/versioned_docs/version-v0.21.10/contributing/release_flow.svg +++ /dev/null @@ -1 +0,0 @@ -
Review release notes
Review release notes
projects
projects
projects
projects
Organization Webhook
Organization Webhook
projects
projects
Publish release
Publish release
Maintainer
Maint...
metal-robot release handler
metal-robot release han...
no
no
yes
yes
version in event newer than release vector version
version in event newer than...
do nothing
do nothing
Github Action
Github Action
Bump version in release vector and push todevelop
Bump version in release vector...
Open pull request fromdeveloptomaster
Open pull request from develop...
Update aggregated release draft inmetal-stack/releases
Update aggregated release draf...
Integration Testing
Integration Testing
Merge tomaster
Merge to master
Review
Review
Tests suceeded and PR changes reviewed
Tests suceeded and PR chang...
publish results to #integration
publish results to #integr...
Release metal-stack
Release metal-stack
publish to #announcements
publish to #announcements
metal-stack/docspull request
metal-stack/docs pull requ...
Freeze
Freeze
Freezedevelopand create a release candidate
Freeze develop and create a rel...
Large integration suites
(currently owned by FI-TS, not public)
Large integration suites...
Run
RunText is not SVG - cannot display \ No newline at end of file diff --git a/versioned_docs/version-v0.21.10/docs/02-General/04-flavors-of-metalstack.md b/versioned_docs/version-v0.21.10/docs/02-General/04-flavors-of-metalstack.md index 7da427fc..2277ca6b 100644 --- a/versioned_docs/version-v0.21.10/docs/02-General/04-flavors-of-metalstack.md +++ b/versioned_docs/version-v0.21.10/docs/02-General/04-flavors-of-metalstack.md @@ -14,7 +14,7 @@ As modern infrastructure and cloud native applications are designed with Kuberne Regardless which flavor of metal-stack you use, it is always possible to manually provision machines, networks and ip addresses. This is the most basic way of using metal-stack and is very similar to how traditional bare metal infrastructures are managed. -Using plain metal-stack without additional layer was not a focus in the past. Therefore firewall and role management might be premature. These will be addressed by [MEP-4](../../contributing/01-Proposals/MEP4/README.md) and [MEP-16](../../contributing/01-Proposals/MEP16/README.md) in the future. +Using plain metal-stack without additional layer was not a focus in the past. Therefore firewall and role management might be premature. These will be addressed by [MEP-4](/community/MEP-4-multi-tenancy-for-the-metal-api) and [MEP-16](/community/MEP-16-metal-api-as-an-alternative-configuration-source-for-the-firewall-controller) in the future. ## Gardener diff --git a/versioned_docs/version-v0.21.10/docs/04-For Operators/03-deployment-guide.mdx b/versioned_docs/version-v0.21.10/docs/04-For Operators/03-deployment-guide.mdx index 58ddafd3..6be800cd 100644 --- a/versioned_docs/version-v0.21.10/docs/04-For Operators/03-deployment-guide.mdx +++ b/versioned_docs/version-v0.21.10/docs/04-For Operators/03-deployment-guide.mdx @@ -31,7 +31,7 @@ You can use the [mini-lab](https://github.com/metal-stack/mini-lab) as a templat The metal control plane is typically deployed in a Kubernetes cluster. Therefore, this document will assume that you have a Kubernetes cluster ready for getting deployed. Even though it is theoretically possible to deploy metal-stack without Kubernetes, we strongly advise you to use the described method because we believe that Kubernetes gives you a lot of benefits regarding the stability and maintainability of the application deployment. :::tip -For metal-stack it does not matter where your control plane Kubernetes cluster is located. You can of course use a cluster managed by a hyperscaler. This has the advantage of not having to setup Kubernetes by yourself and could even become beneficial in terms of fail-safe operation. However, we also describe a solution of how to setup metal-stack with a self-hosted, [Autonomous Control Plane](../../contributing/01-Proposals/MEP18/README.md) cluster. The only requirement from metal-stack is that your partitions can establish network connections to the metal control plane. If you are interested, you can find a reasoning behind this deployment decision [here](../05-Concepts/01-architecture.mdx#target-deployment-platforms). +For metal-stack it does not matter where your control plane Kubernetes cluster is located. You can of course use a cluster managed by a hyperscaler. This has the advantage of not having to setup Kubernetes by yourself and could even become beneficial in terms of fail-safe operation. However, we also describe a solution of how to setup metal-stack with a self-hosted, [Autonomous Control Plane](/community/MEP-18-autonomous-control-plane) cluster. The only requirement from metal-stack is that your partitions can establish network connections to the metal control plane. If you are interested, you can find a reasoning behind this deployment decision [here](../05-Concepts/01-architecture.mdx#target-deployment-platforms). ::: Let's start off with a fresh folder for your deployment: diff --git a/versioned_docs/version-v0.21.10/docs/05-Concepts/01-architecture.mdx b/versioned_docs/version-v0.21.10/docs/05-Concepts/01-architecture.mdx index 709960e3..75298df9 100644 --- a/versioned_docs/version-v0.21.10/docs/05-Concepts/01-architecture.mdx +++ b/versioned_docs/version-v0.21.10/docs/05-Concepts/01-architecture.mdx @@ -152,4 +152,4 @@ Thus, for creating a partition as well as a machine or a firewall, the flags `dn In order to be fully offline resilient, make sure to check out `metal-image-cache-sync`. This component provides copies of `metal-images`, `metal-kernel` and `metal-hammer`. -This feature is related to [MEP14](../../contributing/01-Proposals/MEP14/README.md). +This feature is related to [MEP14](/community/MEP-14-independence-from-external-sources). diff --git a/versioned_docs/version-v0.21.10/docs/05-Concepts/02-user-management.md b/versioned_docs/version-v0.21.10/docs/05-Concepts/02-user-management.md index f1ee2778..ba742ee9 100644 --- a/versioned_docs/version-v0.21.10/docs/05-Concepts/02-user-management.md +++ b/versioned_docs/version-v0.21.10/docs/05-Concepts/02-user-management.md @@ -7,7 +7,7 @@ sidebar_position: 2 # User Management At the moment, metal-stack can more or less be seen as a low-level API that does not scope access based on projects and tenants. -Fine-grained access control with full multi-tenancy support is actively worked on in [MEP4](../../contributing/01-Proposals/MEP4/README.md). +Fine-grained access control with full multi-tenancy support is actively worked on in [MEP4](/community/MEP-4-multi-tenancy-for-the-metal-api). Until then projects and tenants can be created, but have no effect on access control. diff --git a/versioned_docs/version-v0.21.10/docs/06-For CISOs/Security/01-principles.md b/versioned_docs/version-v0.21.10/docs/06-For CISOs/Security/01-principles.md index 8e7030f5..e327ec4a 100644 --- a/versioned_docs/version-v0.21.10/docs/06-For CISOs/Security/01-principles.md +++ b/versioned_docs/version-v0.21.10/docs/06-For CISOs/Security/01-principles.md @@ -15,7 +15,7 @@ The minimal need to know principle is a security concept that restricts access t ### RBAC :::info -As of now metal-stack does not implement fine-grained Role-Based Access Control (RBAC) within the `metal-api` but this is worked on in [MEP-4](../../../contributing/01-Proposals/MEP4/README.md). +As of now metal-stack does not implement fine-grained Role-Based Access Control (RBAC) within the `metal-api` but this is worked on in [MEP-4](..//community/MEP-4-multi-tenancy-for-the-metal-api). ::: As described in our [User Management](../../05-Concepts/02-user-management.md) concept the [metal-api](https://github.com/metal-stack/metal-api) currently offers three different user roles for authorization: diff --git a/versioned_docs/version-v0.21.10/docs/06-For CISOs/Security/04-communication-matrix.md b/versioned_docs/version-v0.21.10/docs/06-For CISOs/Security/04-communication-matrix.md index 07df2607..24c1bc1d 100644 --- a/versioned_docs/version-v0.21.10/docs/06-For CISOs/Security/04-communication-matrix.md +++ b/versioned_docs/version-v0.21.10/docs/06-For CISOs/Security/04-communication-matrix.md @@ -116,7 +116,7 @@ Please note that every [networking setup](../../05-Concepts/03-Network/01-theory | VLAN | Switches, Firewalls | Layer 2 traffic segmentation. | | VXLAN | Switches, Firewalls | Encapsulate Layer 2 frames in Layer 3 packets for network virtualization. | | EVPN | Switches, Firewalls | Overlay network technology for scalable and flexible network architectures. | -| VPN | Firewalls | Management access [without open SSH ports](../../../contributing/01-Proposals/MEP9/README.md). | +| VPN | Firewalls | Management access [without open SSH ports](..//community/MEP-9-no-open-ports-to-the-data-center). | | BGP | Multiple | Routing protocol for dynamic routing and network management. | | SSH | Management Server, Switches | Secure shell access for management and configuration. | | LLDP | Switches, Machines | Link Layer Discovery Protocol for network device discovery. | diff --git a/versioned_docs/version-v0.21.10/docs/06-For CISOs/rbac.md b/versioned_docs/version-v0.21.10/docs/06-For CISOs/rbac.md index 9a87b896..06c902bb 100644 --- a/versioned_docs/version-v0.21.10/docs/06-For CISOs/rbac.md +++ b/versioned_docs/version-v0.21.10/docs/06-For CISOs/rbac.md @@ -31,4 +31,4 @@ To ensure that internal components interact securely with the metal-api, metal-s Users can interact with the metal-api using [metalctl](https://github.com/metal-stack/metalctl), the command-line interface provided by metal-stack. Depending on the required operations, users should authenticate with the appropriate role to match their level of access. -As part of [MEP-4](../../contributing/01-Proposals/MEP4/README.md), significant work is underway to introduce more fine-grained access control mechanisms within metal-stack, enhancing the precision and flexibility of permission management. +As part of [MEP-4](/community/MEP-4-multi-tenancy-for-the-metal-api), significant work is underway to introduce more fine-grained access control mechanisms within metal-stack, enhancing the precision and flexibility of permission management. diff --git a/versioned_docs/version-v0.21.10/docs/06-For CISOs/remote-access.md b/versioned_docs/version-v0.21.10/docs/06-For CISOs/remote-access.md index 0b8dbb19..dc24e82f 100644 --- a/versioned_docs/version-v0.21.10/docs/06-For CISOs/remote-access.md +++ b/versioned_docs/version-v0.21.10/docs/06-For CISOs/remote-access.md @@ -6,7 +6,7 @@ title: Remote Access ## Machines and Firewalls -Remote access to machines and firewalls is essential for performing administrative tasks such as incident management, troubleshooting and sometimes for development. Standard SSH access is often insufficient for these purposes. In many cases, direct serial console access is required to fully manage the system. metal-stack follows a security-first approach by not offering direct SSH access to machines. This practice reduces the attack surface and prevents unauthorized access that could lead to system damage. Detailed information can be found in [MEP-9](../../contributing/01-Proposals/MEP9/README.md). Administrators can access machines in two primary ways. +Remote access to machines and firewalls is essential for performing administrative tasks such as incident management, troubleshooting and sometimes for development. Standard SSH access is often insufficient for these purposes. In many cases, direct serial console access is required to fully manage the system. metal-stack follows a security-first approach by not offering direct SSH access to machines. This practice reduces the attack surface and prevents unauthorized access that could lead to system damage. Detailed information can be found in [MEP-9](/community/MEP-9-no-open-ports-to-the-data-center). Administrators can access machines in two primary ways. **Out-of-band management via SOL** @@ -26,4 +26,4 @@ This approach uses the [`metal-console`](../08-References/Control%20Plane/metal- Both methods ensure secure and controlled access to machines without exposing them unnecessarily to the network, maintaining the integrity and safety of the infrastructure. -Connecting directly to a machine without a clear plan of action can have unintended consequences and negatively impact stability. For this reason, administrative privileges are required. This restriction ensures that only authorized personnel with the necessary expertise can perform actions that affect the underlying infrastructure. These principles will evolve with the introduction of [MEP-4](../../contributing/01-Proposals/MEP4/README.md). \ No newline at end of file +Connecting directly to a machine without a clear plan of action can have unintended consequences and negatively impact stability. For this reason, administrative privileges are required. This restriction ensures that only authorized personnel with the necessary expertise can perform actions that affect the underlying infrastructure. These principles will evolve with the introduction of [MEP-4](/community/MEP-4-multi-tenancy-for-the-metal-api). \ No newline at end of file diff --git a/versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP1/Distributed-API-Working.png b/versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP1/Distributed-API-Working.png deleted file mode 100644 index 899e223d25919d8ec5a2c2cacd2099f8731ff1ee..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 53600 zcmeFZ2T;>r_cw@$3U)z7RKP+JK_HYQfb^w6fB)Pfwd&)icobx&7hUsBY2lk%a z%f!TVKuc52fQgBP%EZJR$GRK5ljyUCWnyAGKvXv)y8Al1xH&NKOR8@F#V;Z5Oz4god=JIGE~!84SiRsRI7ealw;(!EawA+!`(=1pZR? z@Njc5b+ARd5TWss2vJEm^cA$Gk**HEgev&k%?0NGexV%fa0KWp-gp}i@JrR%i{S1; zatB{S$cT!IO3Fw{iy~zH`2>9BfB(LrjiZg1%YRu0qSMF0%iD#3-zF0#Au25j+a}0? zXydf~E*$Tu1=n>$Xc8UGWF)ZmUNQ*f?J-0@4~OkB_6|NSc3@2jeo1w}VS5)FCodcD zY~n6|If#SV!XzYga0G;fy|yVuP0G|75C;uMnE2?}d3sB!>xtU{l2s%O)iEw)A5A<) z2PS(~6eAV5gQAC6fUJ9oL=ukJb$GPg-z->|PaAlOUrXk$k-Vm>4 zgc0|l_<)(nc$6O)W-dWAG%}!&^$1e>WF*B`5~WJk#()ppu%^bQhAMVsJ3l`uGee@S zxtX)Gqcn!7qCtR5!%2oFp3=r@%BHFo9>%VQC>?WOG}^@pMxi(%O#Eb|%}q36o=&cg z>bhQj>R25#(NRVfCV{drl_X;|!1N~esu-9L#X{Lt+}*^^&c_`oC4qE=I~eI|`d9!i zYe+cY>@j#r54emj(aZ~@=4Y<&0Mtpv#X;B4#*ZK)>5Iqdqs^2tw)T*A7&+VONt4vv zwGAx1ZShz?6rSR01Bbh7>S$8%YFhTTdd4cgx}IuU-iEfGb`UFd@UE^7es)*{S=t

*#5l_~}a_O?}C}WCN6`r#iyi z)k#~@UE9Z9ljP-Uh&Hfr_8`MG$S5}tPYHxAPFL4a3W!mKs4U@ND5D{vrmZXmGt-r{ z)gpVtRbA1(Zl+kAyOe~E4#tIo5;w&-`xyCXs=BGmpxq47HV7$-o4b>-qpz~F5#AFc zr2}&^G50lcvc*ezxNAG0ytTAE{BRgoM?f>l#?Kbz?5U?>DsGIh#S@Hdq#ZmpoPAu> zZM4CbQGppzT(rH>Kr=Nw5t5Ehp3(>%BP|soT3JHez}?TxPR9i)spey+t}p3rYoH;m zE)FyHbthmj(nvjoorAaz+Dli{z{}jhMatgUS=GZ&UDwSQrcN-kGts7a<9w029(b^f z6alL$PQ+^?+*CbLs@`rcHa?PO%JxK4H@q4aVS{ra!)yphO>svlH)8`y@C74jUy7d& zO4`QF981C?ZC%|E6pEca%t74N1!-&~Nz~9HJDMY;Oug;QB_vHflvPyx%pIKVl^vZm zZSlHDIDw=}q1c-HN)wP8&RB}AgOshBF&ugp3oP2s+1TEggf-Fg^Kf-`aIp1}a6`as zHPw)gh8FrryrikK3Rx2&X^STMIGS1*%ec8pY1kWksLI&NxH*VJqVs~=K$`@uLexXM z*!qbh9gMJ8X;&9#bw4dUTG~!o%|_D!MZswpOG%1rxT)*to07=3WSFhAgpMjqQqtVr z-Q7gW*9NcegYqG(=mLE;LaAwxwY=cQj_SU4`noF4CVJv3wvJjbtTM$;TNUkOVr=53 zqOW6*uy=RDc%votwLJ;WNW7Oa8jbVyLBnC%p8C#`YF-v<<|HF8TQf9@geEB?br1*% zoR+GtgRweB)zs0*R@0Z{ts{eSur-8Bc^YV``MALhlnMIoHumN!KvOVSX%l^8Uu_)G z4G;%tC1~r2`$@w*JUldP!AnO|PkTR485svvPiZ@h2?p3h6$v*zU%Z1j+#KNzlZ5-| z7=ibkP(%w?Ef04iHwQAz9%g}a^^)-t$EkUeP(DuLMjkj_k}i%6H}I2CclE`nB6N+= zUM404TXB+yA4 z4AH17~pPo9xOUnhPYzTzrqavek@2>8m zqlt2X6Wx^kBuEaP+8Vwx<~U;*&J2tIN}y(-uB)yGW{2tN80krPpe$gv23~lgiVu#g zDXwi}s|%OGIO`)|>IgVd59vrUw~;V#L-=~T`x^K;!IeF{P~vvV5O2(!%wRZ4gqx8E zLJDn*cJq-o*EAukNlIe0d}So;b)~c&HH?rx7%6jc7r2|WGFjTqSK7oBZ|-M+a+lFm zCfLBe_4Q?pO^xlH+|)dgZW`vE9(qU_2R)<T2u;hA6wsc-q@xynu3RVN5CZ$^@jVnx4BO21Sz57B`T@n>azXS_7sbW8#GNu`tH^ z*yxhA9dt~c?Yxy$o#2|T7A|-@oSUArG0DZ(Km%^*=L!vneF-~lbC|g{3OdA93?Qa!gCAE1iWv-}hjDfwYB-5&7?~RxqV=5pfJdM~HYYeE z+-2;vC1o)7I-Y1LFF$XX0iFWBWeyjI;T`oPEwJ`Fz?o3-GSIQdYN4T%z)8a%Pa)&o zkr1Q2P4)FPe2_$E6$E&ttPdT?&_AG68vmTbTZb}u{nzu6RM!>16UD@IhDl3J*~r&w zDrsMZkLq`ZAm1&o{cKoS&9RV!&%5PbC>R_)r(!UcLOc`Ge>yD@n|?S|MfMySzi~#vuCHF{U58gGO`wOibHkJpyY*nAbNsO^DDEf5QHfg#u*BI37sZBI}ti^WEJw@k+u>FAGh? z?O3+g0<%|V4x*WuwmE+utaZ9DE~Tl>JV@rF-Cu4;upFj(eLbn5y2blBmcs|`iG`Xl z={eXPv@)R#`o;&5!eJ=dS*C$2mk@xSH6ciM6)5pzr zgGD9gbz=U?2nW8~!SzmIYpSDK@76K~x`Q5RHHkY<@O^yoQ{pcMz|-bPh6HX)Au421msUhS7oBX=+@^I~>!ZV8qHcp> z5;`YEw~5+h$sw%ePLHO%mpJzf^X0RozRI?!bJ)&c%$=Clw`IY%V=^HKx2`TA|M6L7 z^#17E_1h$b?gzsh9!p)l4GA`MgUxJU;Yv@F;tdBirKFfgPS0;{3*3xDDe-k9)6%v? zG`C3z*P+~2HWd69X-v#q>`IAW#9d0Z^?j8iziPbrZA$R&`nw^rLg$;**tV4*UmyhO zkhEiJn}kQ(Byc`i*ncAf^DokvSS0vDkg+x`9$Z@@pBKCq*h+9$WbBVSvV&xxksQXp ztqRw4nLNM9?(Dj=MZ&pl62v6NxpwO&+5bb@4pw_jCeMrilFBgl8j;xcATqM^p#A?- zNh>|u4b<&q^O%IxjtMtsdm^;?A@u?8S7(Cv|LS_az{97`;sXJHN+9Zcau_V@JH1{@@-2)!y#x%XZ4)8}kN5A}W@tzVY)7@w5X&{5zq{j(lI!#LGzOhe z{P|pXiOk63Gz@a*`d47BE)`U>&n)#24vAtc{eH#bi~D@MN0a^Wmr}Ct8nVBesa&>d z5~vj}lC6Jqc6;Lh;>6_vVdGrin75~Ycslg)^Y>wb$zw}>Wb5T>4s1z!yj6D+u|*4? znI7l0hnx7Yd}F@8FD+7G0$;gkf@r$@r(`ymvA+4H?OC+pKGBkAJx(csyS3|LI@&lApVa$DW6mH3cmd&b;5lORPQZ{Z+|RTkv+(?^|LkjP<2r+VriY?7XV( z%E4oK9)^oUc-lryUoeAiwGnkD0~c#-GH0jh zw)Xx|(2u2FZ!81((`Yc}=F1vR>)z?A^_dy)W|agl zr16&SJcxWpQ`&rl;_=K2oW}KyQ&VO{D;EsJFx;NiN30&MeRWb8f&-Oz8h&G)DElkM zu(y-8Nh1He#aYH#@nct2uI+kvXO&6$L0huXOstqFtJK+M`&^uDeATugKLivlz$-R~ zx;7%SV0XH1ceow&0rQdO^+#3nv3YGgm*SB8cX)h%>_9L!{`e2@F>wcP%*}ApR&H@p z`I^W0qF-6lCrqs_L@7y*4aZbx0%d!bVqmb&?bG$1K8_8Zr}L|gtF`S>Tv2Aw*q>8U z1Z9nhKSKAc17CFy zK6WA043~%J> zMn_SfPtPic(fRY|XD$)^>Lsl*MBk4B_0M2jp&`>-Q7CRwOz^PYtap@RC1bksFkO{* z?IGs}3iCsjvuu_W7X8^z-45}V70qp87~NybWs|Qat>211%3`n|O6sLd71UPfrE{2b z1VBDDt zIRb4KcoX?aYJvZE@ zEu1Umf4Wi?9eHv>-s=A@J!(g(3)el9o<@zGd*qb%06sq(+p-=@5xm8BuyV>l%)7^} zuwg1bYFV*^%At*WRhn_dt)ONjuT7WirOh1Q&!5idBev@Hag%$0@^ZGxWi2p!vFT7u zWBQf(ZL|iPuX;E93U4cT|X&_7~6YR7|~R9F=g6t6uRQX3-af&n1?)tt@WSQYlP^< zJWsCJJ&?W_Zn##YP#FMh6{9>@unpLM8AeyiD{|$eB{(UXf;YXz&W&@M?7Q^lA!o({ z>vNX#^z}2q3O-$Uy;wd|Rv(#5R?JKZTE)`ZsGF48)@LQl{r-gD4_Y*fm#wbsjXwQ; zqfQ$ZDWA;1iM!E-%d32=$d%;%S=jBR<0fmdJ3?2=w zIQ&Dh>i*^0`%x$FX~h?8Eq(_qPWEy+&X#aca^VDU&m;t{Rr+)kL?UB7-?tMhF-dJw z>ctW4&u+^;HT!TK?6AX+!B?(5<3CuNkyf3<0b+#an2^P87k8SF;##q4h^)&U@AzCj zRm(=v0w`o*MFEHCbiFOgwpHJ4g6%XoxRl;err*3BVB)sC!l#tBG-3-9LLBgxmDu3(;#j###G?rmX5gNkJe+SOmphG6LUkTz(-XY(VdkZf>&vt-ei4Ybp}-a0wcBFQ!%bHE zt1Jv~Qp$Z$;|NZCc^^a<2DIPB`1L?E`*`(lua!LPO(_rxPOB3o&28JBG|1IBF3+ zV`FUK;EstG+>MrRRSuA3%Byz+x9ZGkAW09AaPBZ&R6(Yo2XOCp?3gTS?GD;WB)UIh zBDI{Gig^0`e<}OLWo0LTxyK!nwEMIl;XU%Tn~u`Z=Q&$EmgAENAq@cXae$j~=icYcv1v_!T0(qr+-)e~e9vtnm3J zSlWx*wk-~Bkm&lLpfl;}Q}quSANR}O2BNsmmcMj7apSluwb9~cpT1$69*P5Pwsn+) zP-5@?H`PD8h%t{zwm`FUz*q~XXZzRN%>TR1bW|s#sQAZl@d;T{$A8EEYq}vtow7R} zx~Pp`K6`(?keT|J$aMTxU#>CdRPGX_)ih@o9=9R49hGkT zR?U7K(z17eW6V1*c_QK5{EkVF!QRAyu^n6&J}Qt*G?MK!v<}p~sPBR(D^mqAvRtWD z_)XnAT$KGlfp>9So4$lxy>uIsRP^6%CNnU$s8NY)DYH;w{jeSJPf%Fa%ncN` zuP)u3&rSAgvmFSwFFa<#5#HAkV8n?W^)7B{^#dfSf}6V_r4rpFVw(<>CKX!}m@B_HWnt8`JRVh6LKSjKANqeszbH614@6 zt;&ALI6u()Q)WBr0jA`x78vz!bqorPz#z@1OzYJzT5otmyov%E6RUG^o^(?eRaN@Y zdus%==HX~C>fZ_qOal#iD79lLOpCf_6tYWvfbAEb7!6OdCPV~y-x=K+0j+sP0E~i- zOTZyH&VXm1z=$@SvuU-t&GYep402(f;)uo^YJ^Op=51g?B{DyE9)WYOjvQ>-3U{G3 zm2|);yML$c+w_GfwXk#v3MBC)-hdu)KahmI!K1wMZnEwlv~DiuE6h^&gA%*WLQhQTU&u@PGJmf6vSR|M^&T zHm$J#Dev7lUMHABq$X3cpd3gqNGpxNzuR+=|1==Vl^Hy}p`Ujy)xu&k|7*@Wcj^(c z4`g`p52QO@_EKp-*Cz93;k_QJ#j7I;ho*v|oL%psA=67v5>rHwnez+!qT18RCYbo+ zZMUm1;calx!L{YLbewCRVuZ3?`%i0<>o(dABqW=eqy5UU>JTNaG8X?Ja_X7Wjwu4OE76T&caoQ+^oE(v|fzXE5A0DHq&v1 zKmxh;$o0)-+AJ1*KvqT?BwWk;$OC;zC_D*cx_^^@ z|42Fr}nCfOmhEUoLGT@zTdoeWtWEWAGxdG0AV_ zN%EtBRu^jN$kY0LK`ATMg1rFom#hE*DQO(*h8*M0W)l#EM2)3Dtkem74D;*33C6Dm* zejaSf+b}NOd9^jOBQ|dnm*uy#KEUYzW1Lji2=evgc2J@;;8I@6;Jq1M#>$;5*Ftv% zBwPP^+F9b=C{ufhwlTj+>^UemB|c8W9qjxGgXNL?Nbx2d!CI~|7O0B!oCQMu z``t5(dBK&2mm&BfuW3|~u{s0(D=i1=zmXW+H)%BrrRSF!n*)qLq)gd3#$e7SeXjDy zF0sdLGe!v?pGZ2bDZHj0=mUGk(|W*oG!3qqH64vr_`W;i z;NRnRkS<8gu*ee`J@6K2d;n`c)-5>YWfSLgLH}~q@@f-yTDS@%^VXZ}m%?18IKDHA z2Ct3W_@@@2n9)kVzSLYc(8`%MOX)1{h1H(^lOr#>PGczSurFe$CVm+$lsCur^b$3% znt9dn(+{NK%lHNAHou{GrwL_C-8eBa!0AdrTC{DzcjC5ncoRrMBI?Rgd;MoC>AF9J ztyi^|0e9+(dF@B!i(yR{U0>CYZ=a zWhBf(7|LdKtZkI$vjpD$Uo@8bejKD1pKSThm(r1`R0w-|55KiKO# z^dLEvg?W{4hca_Dl%)*f2#CdLO&LavBzj{~h6d;}WIU9%Uu_v!Fnh|PKu=(S_f;%g0}$lq&YDX*MmN`I zm*ISES`~#Qe0MJ@-qT{vR=CW6`~sF;F@|bdF?cLURjA;1F^!(ehuY152rT6Mz((H;te)G@4+TOdV7v`T8 zOfQEQaMUDZj(oqEoinI@IP9Y0%KJkVB?4zPrHi{=vsX_jETkSP1t?4Fs3mj4tNx9c zXVTwklRLf4c%G_qh=obA%l^7k&D&mqtQh7O^V2Y_+5CJyvZSy{p(nf~OQ=1YN44!_ zT194Z&D8?U3mv^?0DJAj2F-KOd=_e9pI>3_AE4wIc&o0)`UU~pSQ;5PW!FDzy*VFW z*a;ph4PMC}TKnl!fCwZp`qhrI^zLu60?HGTDXU)#dBUfyYa#s{*$)T$xv{OE7d*B7 z&rkC%?5Zcz)-7qpZOM^=&*=(}=+@=yiqm-vfZ&zR&3Q7?$+JAFdG_P9E(YB+@pU)j zEaulTS4v{7J6`r^1x9#ml~%se9glNUVPZJq=CLFFhZ~t$;^N0x*oXas175?TIT()kl)tEFi>9w0vr?M{|rr zt|1b#eF8_+1aptxs8)TD7wwz1&z;4{RJH(~gG`r^5IIzksu;<*WlA!#9Y6~07LUQ(_;=bNY{v^dJnb(^sLCr{419msLWVBaxDd! zh&*PS0@TBrb)x=2pups@y=zmG@)`r#=K^{1u^Y4HT0Px@uNm0_m|NY9@gQaYfqov- z<>TF)CR`7+{!TKFT( z8C`x%X48Ex$$%69J9aLA6S}4B^X8!?Fmsy%#z046Fe_u#k$4{epotTim;%kjmb%?Z zao^h43G$d19H+__UPh=TDQ_-v-i32ROrZ-Mv79&`s`UJZD7R-0VeWGn^%~rYuarOpQRFXNCD=H863uyXws{vh6%~Y=d$DS@Jt_ehvQe= zV8JKz8Bbl4$FCfh7r3}X^ZNafxJ^@7){HbK>3}ds>tXgsJ6mq;>edbYT&<~ZLyy?s z3RXR|)~QZg{@~M|R(&n^{5}0C{?ijQ(wf0wtf>1YNkT`uM+|e|b&p(XMr~j__IjCU zE`dGYxSS$o{s(pHBAYIKvcc$&zKqG~N>WC=>MyKd_i*;ji@79@yv>F>qsiEs#PJ@rgncjX66}UfHDeB{$~1#Wd$!u#!x2Us zQJJ-Rh2RBdV|h5Hee;m#MOxF!@MXMrYpUU13gQuuVykW{o}FJ~5ol}g_?)<9*?8MH zUtb6Ys6-?WswJJ{=tSD7Vr8GT8m2`qlf)K;t#Iy}sCD3t{&1go6NPsq?UVxwfqqW% z&OuW@1+BHF99+nwDP`ehi9>nF1@-}K!01jgkRWdqaDk@yKhS!!qInFp!Ss_do|73HRp>S#ks zZzduFzrvq92Ga;f4@M70t-M6rW>>4WzuK6hmt%}v3^NISZB7r7?cvIU4_R2-t1!31 z9#wzpA3v3}aKtoFwTpvVeI=4H4$I3F4LcRxAodOO<=bNuMRa*%b0c5g6v%SUwm-|aSAjxBrCJ^KecdmT>Sh5R1 z-}C3+DR?41FIFq)r<|Jgt(Dsd!_9RHIR@IiY!XcRGHW@-ks^d~v2ObW9S+i-7uzFXDRK0vB?T!w5)rEQ;fmDgJ&@{c2~ZB24@4`ewWmihFJW_!b%i=gjCos zcjQ@uT^Lu{_nFF=QtQMPEf!$hpNFxCCPnC3_brSI=ul5AyqEgisOG61xje={LNSeG z5lAxlcH+jSWhBcuF&wk@S&>boEUc~WrShQBET3`S%Z$M@M^rW^VYyie2Ln$C`>eho zv=KjM5rp43FW06T!VKq9rV13;grNcyx^9Kq3);pnvCX;5m13yb!EY`CbFF)>NAyk% z5LGk<{o(z-b_|5PKsu^tp`SOfH8sIiK5xK(G^W3Ye@>N71N9v%hVa*EWUa+;!<3C- zL3-GkN^kAOR)5|b8-*oAaJEz$$+3$cjl5}4b3Rq`T&PzbhbSdAv!5GYut{O$8ah%~ zbQW{VqF7TcTCaXHTRYQHo>Pro%sbicl9i0)|EVhdvUY_pWTGvW=UeMWGi@BE9VUKb zTPhCrWGX>SOF%VZJcO)eh6*ivtr{sN(%vder)XXCqjS3meP#m(*F=8b-t^j0C+Fo6^zMKy9oE1+e_iFf12 z9{OYUy$k2u+0My+e^D{9aL4Ps;sVZry=lShnVKZMMT3#INCyQ1%ZT6Xyr8<`ml>iD z_^2#GVHYZ`CtDx0e-shx+n78WUG@IaSjT#i!fGDs(xN++$1>LJ1^M&=c51a2b(2qg zZ1~B9k!^C&k-TMG;Mymn*~Df~M|l&Oxz53u^MMJ}Xj2NRi(K`Go53U8{>D{1NIUVQ zR1;su7z`aKEIcz$6Wk3{Vla0@OS5BKJnRPhQEBQP`g;Cl0S@ZIE9qRWtg}hUE$f{| z3G91}y(>wnS;+K6t)oVkS#PB~iRZMa$!kLoyCk1j{<5I+AH`HqXaN^^NrSq7EG}m^ zq8ebo(B}#}xGK@u$c80`MT*yXWmCIs9?ImWXV#MmC06E*r`!O9w0d|e+Sj*^n~*e* z92tWVe<=yJE~W{uRXC(L)3El8&i+m8GS`~z)n!(SVAja3DzmouO#1SzDTV-}s0zLu z3@U~L-U?2-BqT&+o*BzPKaatG&bDHwwxMXRVu#W>usB84|!Ia4( zV~T!;1QyCxb+nQei^2Eow$%;W6f=W#_DLg_iLbnORj!!`9Ko>5oN zk#}A_EM19jbWi(3c+$MU!!K6pjia1{M*T&1mVdIgJyHCbBWWN6a4hXQVl~q6J5g;v z?0c$Bikqv){(ms2(T(+pg+}&QOKk6|0!Pe%6`laFb5>JCGUM#KJt>w#@A@O;RTq348eC+4it?7i+2jg z%|G1&z!?A*?!B&J%Rocv zQCOK`Kj<&FWVTgz3wV5u!aQZ1;dC^6*Oc8OhpPZSf@(=m80|Y1eMq7F=EwgJAGcJF z1>Ws^e)%KsX1?5xBWw`1cat^Wv;e&uqUL+VJ19E=72kEqg#79TB)F!f*+nw(2KW>) zK{U)9+%ck0_R``5_#%bH%x>C?8G8Hed8NLd0)i`-XO@uin%r@w@^c}T-2NiuJ4}CG z%9Zl510v;_a|(Q9LZP>Njy#*0?m`sZN4CeDp&y~{$A#2%9#+VZQw{NJdt$^63br4f z+0kKE{$fjZ)2w>SK2r%68i}sj4>#``-j;qhh-2k#O*;GT@`TPsHc%(7`H%^hV`*@W zP|H*A!}1b5lkTPS7-@dZ;A)|dC$G&(-;5k@JbaCZBoNC2N_P1)L!>)Ig|?(E$J|!Q zy`B*Vl78$j6bEB$4&<+#{7_4DVik{+jn-xcRq^b6?@r?4k9PGG)V}84G0`6pXjp&O zP?xQR*YivMZnJ;`KkdpSSstU3wD>~-e9Fdt?LiTG?>0x7NQBy|Oo!^s43_aoq=VT` zk*eFjVSQZ8U(*_2L@5CQu(0KS>gM0ICxStAi;#?`(h$`8Hs?WG3HXz;gZS7|lc) z5Fx~E9Hu_~714j!FhlxUsqf?65uU6pe9f_bZLvt^jJQ+_K0OP1>~TW0!F6K}O2gWR zDlSFJs8&cBAr65Kx@*|rg(6f7wVuqsdRb>@Es}+qeVg1JhV^=v*e~R6YKIqV3BAu^ zs|1nsz$!l%f7KlW!c3BMYmcn6INd%vCX{PJeE2pK0#TAoxkSFm8H&{-frzO2N&WulTPi- z5t~YwOCu+d(P8lTnFb;!^$@~EOT36VTJj;YNBhL9OXRbNk<3}?@8pRvxgu474Kt<+pdrP zidXyJiPy5AQjE6YRs7{*_R7loz7?p^DEn2JYr)m-gS}pJ&T=MG%4d%MeH!7W`={c! zXZ&b#XuaAdti}bK^y%l9mo6L-3v0Jocx!${(IvIK z!M&jG#Ab7W)Q$ttD0ygTXa*pPGgG2l2xkLgV2XC))Y8PN6e!>=1}#(N!g&=fxwOqS zJb=bid|r+ZCi#R!AV3A5#`VlrsreAjX-HM)-VP&jk?G9~skya9$IY(opk+4SS>0## z`?^rtX78xNCjiG*HqTbRm^M=<1B+ zEX6cERm8^BOFUWwb=vc$qV(eLkB6F;%%lq#o9pF(inGxd=E>2NM#Vd7*Rb0*pv#nn zr|qm>`X+?9F9R^H)4k;9?HLfR)7Al8INbqS7K9q6-?UR=D!?908Bkq@cZhZKgS|cEUPrj# z>H0|hxMyC_Vs;gWmVw1v-AjMP1w}t6lrLQB23hh^h0VFhbwebSo#+D% zBojfKe^SbC9F!e1Pl(^c2I2iKP9kl+Z?<=?mRHgJ_^Zk#i{(sg;1^)gb$jA= zw{n;fzo|n&xlDQLgz71cS4*tG7)`5(@v~O*ZyUiu$AoWoM_w8P(^Vc~+9#!|mZCuN zcVHv_SvT)Q_$vsD1}GG-_wqn6O>T8Ky7DeR4A)2MT%3L*RsovBdgH4W_-T7KAi(0_ z<=;x=nq#IVP$vk~gEvo|I3zQCSh1txPvhjS9RHcp+F9ZCyr2}~MYLTCsl(jR)>hFx z_gqORdfXnBLcLwP29*-Oy0F9tCHITA4NqrZ_Oj z_YlM$q?-TTF`;x|V+0W-`8%$-qJ|)_Fx^=`K*tArxi0sSml>}Py#gJ8-Qj52xJz?m z0A?rU1=A<{j7=?n@$P9GzYvJ)2nLYCfH#zOURFjGICz&uo4w8@R1>qpvt>dz2{lOR z_C%+oBO;uUvYRb?n1%ix0zw_E3cA>5+VsVnXXIt6owCkiP&?RqWn$GrTNr=R?TP6f zi?VEiVSeN3@oUkB?1gVoF?U}CLtTd(oEd9~FvD5DCjX6O1M0@2bMjJ*YqlWM!o@HM zNejY$r&-5f=Pj)>CeS8qHoR-icQW=rrVlSHK07|ek?nc!d)AkV`z|R3XRj%P<4U71 z${JizU>nU-(^@BxlpJ+9odeTt765wZmJ)W;6X3fjoR1VrKzpUD@Dc67XdcEDkPW1> zW%Yl05#0JM(p+rF%CqJeT`_R-%7EAUOnKh=yFCix;vAIf-#~hQ7`4YDlxDBMFuJ$w zWWQ?0h1ZG)wH#*_`g{Bfb?&V?AOQ9tAB#NL0b7lQTUlnU3t^~E>)^`rpSMpX_8Yzs z6Z7|1GH(@QGCf9pqu8EoFc^*bg~P6b20@3n$aaomqD3}&F(vV-G%oHG7uTHN>)n;2 z*XhF^g&~219u+FZuO!4&d+aZ>nn9M{;oTP1f+>7TV=ZY{*2Fu{2dn^#czz|1aaNu~~U zvcG;+I&!iYREkK|AFoVNRvNfBu9jF;Fl=c!&3Wh7;J2VRW;c~i|26d*zo@vX`r@r?$d4OsUdB#lI(vbG`0o_T9k2-(OXhUIN0q?L=5#C_&!IE_6`q zJws5QP!t@4rM-N92v_N0K+Atls92be0y^+*inDS|eN*!-20QNimgl>nzx&0v{S=%S z&$y~(wJ@v@)@_ULyJ z*o7sxj$3@@rFW1fGO3gT9maaqa^yCn5?Di~Wofxyp#Ax;^u)* zAxf^0>%&z5on!4HQtSPhyfhwe?nP90>Ab+1)Q&;*^|)|UKi5Zp){XdWcjg)V4`1`* zT46W#HTJ8wg3iLzKwHGT=25@HV{4=OQzB;blW&l*ALnrO!?mJQQJ;#xq{a3{d7*Rq z1h*}2nYCx%{rvhxr_z)uiB5du&APPL|BM+2>8FHW)lt^en#|J?)>i~*=HFY&Q$mb+ za;KsKS&3oW&oE}-9(xoWKiTA^_}$^v*T@x?mnkdv3m)=7{xU{nm1L6mS~f`DO~_0j z*v#5R@$uFK2Kx?=v2S}&-_pA;3dOzZNLdVeoqZMk^whofi;*Ti=z6ia40TAo4xxjR zj#5P;tq)z<8&}8MVcLBjqrda;*tyVGIUg;<(!!-pRCFwJXh)Z#Er%^W1Ux>G20dfk zV>?^S9mw0emgaZL*-@OhoSTo!%z}lc1j|1c z-CPA1MA*iK$sA+ONobI;smt>oj9HwUv_Zd@SpB%B?O!eA%EW959CuQQuqUzLllI+A z++zHfpx3yo=*Rn_Yn)?I!sY2BPfA+PK>qg)ei|msQ0Vmk_3B2!Leqlf)kQb`#4l)M zU$*#uNv5+JkA>*p3Fv318X*4%6C;u82b7+Lvy{C)Nal|a?J#45kuo<8y0JcCIJQ5a z=Vn-h!~Y_S86v^qLzJ~sb*53o|ABcsazBC{yI81l1(@2xz41-aIW6rnPUQx{nczV_ z6nXDbv{y3md-Gb34^)(#xe%(nUM8U7)x!Y~YxnB&Z3GCqV?&}$VHiVeA+T1i|7V2k z#0AJo@%_Xa3yMTrx1+jsvF{*JQUz7^u@0+V8+w570q$a-~eVzQRb4lY3P(sUnpSo@;MZU8K>k_?s!MdGZePdtiG6mT3r*KaK z>PyNUd!Xsd;}i!&->EUnH0GWT%$P4z4Ot71Mwfj0*}e1ulkn|1f~Do0UianK_c=YYY^JXWfZ)_- zp4q23Yo~Dej&HD|EKz(9hkCz!8|90RG%RA(187CjUg|@P$)As3@Mm54zpAjtz#~P5 z)DvBinIh33Y!dg|QGTU8G`25f?8IJXE%wiz_+Mk*QFXPM7A!A8C}?rZP*X5_)yARt z;Tv|xvn<*PsJOXv80kc#xH=FyJ+27p%bj@l1+PThzbllFZ5UbXwIEYBJY;l&O;_R@+uQ^%uBK8V~@a{2RF!m2v+cJvnsKOov@&iry?ZnN(P?nb1ZdB_)fdekIB zLGVdHVwQTynrdQ}G4dAi^;2FGpM6@wHpf+-z45c>5*sx7sO9kFGMJ@qUsqq&!JMhx zYPEWYHKUXwyoFII(K-s4_H#<~vzYdai7K+@4TprwZ@q{W-*@&Ox&3_cT89VBGQ4XF zZ@kCEXXkUf3#@!vXKG7h)0(sdc&V;Oo^1k<;27p?QqIVo*glmO?Z>wcUvTF!{}hgF z_b@R3Un=&rv^0D`K*iDpNyo1ql1_~|eZkwAnD!Yg=!nb_D2VM7Z#%JzdHk;~l^qLl z`pEulQ$X;Of@hcZgronKIwhF%Wf`#j)kcYAhqyY#!AirC+<9k*V#B)gCs=ha(VIZ1TJ7B{obzM764U_u zjHU!vZAF3L5{t=X-$AzGg%)&qG)A`WQc;@$K1;V2G@APt)0cYIJ)vlrJp2eHTN(Tl z+#Wy%t@yXD_)i!0LAB{yz6)Yiy1h<_&18OY(wb3L4hoU`wkndrwF;%+wvdmJVhpJC zmJA|{vfQ`bUsB$+fU2ogN!Y8pL2KJE{$6lz$JDE;HCJjwCv%n#s-k3;xbjw8J>idgD`K=>M;ex z2onl`ZT_k1gI{yZ3wy(@H*Cq^tf6?it^SH9b6WYPLT6l`@*eJC(Xz2~%isc(t|V{- zZGMwYN-P8MMPC$JbR3FU#jd%73`x~2sB@K1M;3tuPzktu;M+cZsQR)OLj887flSbs z+=}@xGf*hP-2TKVc^q`rJI%Hl4YqyQCpNX^*FaUoLNOG=Hz+bTs*=`D|Ghh; zCT6hheB|Z95pWX@L$ep`g%POaI#>k_3gooLt7AmvKT&-cpcK9jG#H5gPBIJ^d3{$7 zTwBw3rGNgon2J_NIY^UK>Sf@H+D*K{LuEsEJ6r^Xk_X@yf|8`7bH{mbF@0u!iLWl_ zPGLqlgYPKK{5>xGlYS@;8cm(NE1maU@HO_nW%>O>p|1|#Ejmd3QVZ<8&`{Rh*Z_Cg z{`LOlGN^c(b-By#kl5vMqo`M)M!kIoSPdVLS=uD92U0r0yZCsPGJON{VDF%xOGO*7a{6O?ViO8&sZ*m8B{VL`{J}t zReAP(bDR0+}eOH{ChPW6o4m9m-EniuH87W5tdcQGnwG)rG0sK zO&*8I>$%F=KtlJ$u-Mx1{a3yxHHvK>4DJ1UvM$TM53bJal0J;HD#Y5SoGAC<;$^lx zdl<)!iH(H(l~2Y;gjbCb-0}q@f{Lqkg_;YBn;EU@(48*yq2PTY`5~Ndi61hd`ljqIKy`{?7dy2{Kx=T`sToDBe?=8 z?RhzAEDD)kJ0*pm9gg`lR(aZTwzeDat#2?~YzEw3;|-O2`vya|-;_bu#zgk;#t$|J zV~^ANL;0_`O7z#EDo%LB7tsDwb#|4v~$^sc}WM)EXpp@z;U&*ms zW0mKJ*waUz;zSweypxP5W2tv4oZn1jWv@jWpTd`=U8*E#M{4wMgF9c!wz>^Mb{_mK zX4Y8*N|gOzy40eDl9a&~v13cM{6F3FHh>OA@BDLEobNEsJ%Y<1LZNo}eHX}@ZVvvA z__s!7Z~gF<+pi2UvVr^sFZabm5tYwbr)s9qOx7)z@X5s~a7Ba|Mil+)ivmnXKGs6f zW(>BMWi#?$PFW#_c9$A|ud|YvMO|*0m$e(?oCU4+6GZ9hG*E&y+IrsCvSiD>5FNgM z;!Fq>)qqPT6e0zj>J$pB9u#16YTa$cMjTE=+&6&#b5I@_ed;jpW#aXnC?!(CAQr!( ziR+8+WobFTec&!gM50J+dco1rg(J4^G`u{R1wHeG?$r?dc#LZov&}!Jy{lPaTwT36 zFs$;W+b(M<%a6k>%pBVe^N%;M#Iumg`XzrO3gHg=E93rK1KV;P6h(WHceOE%DwR0u7~Uq-8+p~~*&e2Oqq*x9%@|Rn90I#f zV$x9nF$rZSF62Rh#O<5UvNU*qdd)39ai)A2nN^*aJ9!=*-l%KbqO`kygh9YCx2yd2#DSPyW2apLrNFgluX3r}XHT=X?UpM|YDn zd6l=``xJAY*~|0g#I9+Vz0lXX%m<8{^0T5CU0kHsi3tGjLQqqm+=Rc4W9_)f=qJN~6X7b3Hwp*?0Fb^d&ai zI!_v{pDVG8@7~^ihF7F_>PI43E(QCV>b;|tJod|izqY)%%fs+Dd|Mm2n?qO-e?0jG zq>#Q`Vxy;OqZJiNl(<3t>ma&bbAj8I3gmVhzqxWyb?pY(xZ;PeE=Yl|IO~U`{l$3A ziY3PR;uFT~PVK{m=? zDVi5>hEFd5u>4F+$|9_`cz0pTyPUZ7^bq(;qT%SR3)C;-|Kd&5OJn?*n>dp9nC&Rl z3N#2SX?0Z8^Sft%zi^!iop$i%0qvL-?k`CcxOeAORD*x+Bmz^%A!)AnJ~tj8>f;eT zyE{v|i8RM&~=guq~vP>xIR_0UQ+NL zJl`pkQ?f6m3s~;#8TkR^iGGveIP48u#S92S$3fVCy{JM^v2d?)w1p?T$%=_H)eQ|Sp#|+=R5kEsc zzzs&an2}40`wQRQe~Z%(0f1@d7gS#|qjA?G$`Oz@06pnH!-pwgzAS8E%bMM>*tiWvX{ch{bE=|{$OxLV#Cddp)@xNkT z+s75~)}Of2WWObjA9Ak*902!bm?io9wlkeQK-j|Non&-C&kwGcb|)oE^q6y>E=LmlvuH1lXtZTNe}@3_-tk4NFO zU?K6|czM(oaK05_E!hHd+o#41a~*G5&=e~NYpWf2Dt48fGC5_yAv1aC?mo^J4V4*w zwAU3*=Nm@vf3c}4$RV?bQa9LFok#f<8@R5s01xE#^vOL_H=mKp$|fuB${Z1lc)W*l z514_l3*|2!C_7QFx_{Utd`}YYy`S{1N5MK9y*L>Yjs>gcGel6(RL;y)1V!W(<55aA zxTOS*(N>*$fk8j--Spqkw*#N)Py7_adj3~;Z^nID?NaJ0TbCXIPli&ui_>{|Yuso4 zQk~lmdHsB*-s7%^BprWv%Ewp>4Be1=7*YYhD1yM0&ZfxHB(|b_i-_`SN&6FVscJ=9 zq%Z9(-+0!D#go?NUi;4!a`TkMB1`9~?>_&)o$4FPDYEB5`3uM%b;Q3P3vO<#abW2r0Srt0#M(CZn*q1Hv)Z+vD6i4XxfI(KmmDhdZiX|#{>REY%7q(C3fNhAg+6ci-8>AgTw|YZ3QJ4LSJ0+^#ge}-(4m%&&nNgyV0d^uH(zN z-5w^jXl`)msP6$D6&Q$Fg8DE>uIt5qTafth;^q}$u)33i|su3x$*bL9RkgRL1~ z5RG(%OM)L_09$ZYu7Sm@u6D3R*WBya*ryEtTPdkct$R;J@?C)7i@gB8IOf>hjf<`T z8UIwl!eO@oR8Hx9v1UiR87u`h*bq()5%PH&i?v7$w^;_y{T$s#XNyDc?u_oa`e)ks zFY+o;@rSOkYu|(7@I$Uo>Lk0fvZwhy$qbnnVb?3ii($qt{SNUd$t5WHoYDwJ+A+g} zD3!+!FNr)uXG$Gr2@b93()q*Yw+`)rL$lxzell@!XU>j4l}Vt6=Iq$N%o&eP2&&$z z$ss3y;9Zxnf}9h~*T{wSBooBk4?Ef=PEaW~b?)lMb;Sj_^b3@JIktDi2mvl-P?H)~ z!5vhvlHztdM+@b<&eclN_35R7neEAr!&uz2i_Str%E2I$|DxrW%5KiSA^c&)(QI2n}yoI6wOKCw%;x~9rZB> z!=adb3zm#yobN$53wz}LLsp6uGG;X6d)sl@; zU&4>ia(4{D+RS@?T#PdA5nkZtrs~E_c-BtC%cj+4J>ipFp1Q*k6rN9wI1DZ6QNZRn z#tcCOT{3|OuWE-p$&7M@Lq+D@+ec#gleez^mi zF$pQHRg_^nT7<_8<%-@qBEV{yEGgMGaqHnI6O2MF%x;Rozzz^&(qd9*jnLXw*VR zkuiR$cYSU%Srd&401tPhZ1>@$&qaM1?|Bk|umc$%P$QH}?4BEGQ4*>QH(2=m5k<%w z5RU8XUAJw3c@LrFQKdO^`@kM>=V3T&Tmv(slQ2cZI5^F|igkIi@I;@v;z z;{W{{(76eo=JgkoCUWn zR)wN>0Kn^$nO1mcngQTx&tlXDnMKu4voM;xT4HIb1lI3Um83^kB$HFm^4lNT58KWe z$bZx(>yo?Bw{kvH5k>%8l8~3vR^b>*?)ELt)TW%{tlKT8Ac!y4gpl1=9UEli#h5wp zG6aSLk8-Bq=cB-U4PA`;=)qn#!H{`EU)%mxYqM#{MHm?j+Vvux<4#+i0qxnkuo^H} zkAUGqvvxc|?Z?V&<7Kos2sFYCc#ROy5*kI4v9|z_ZbH^xEuLsO7>RWDC;{bvK={{?)GyK=f{{KAuB#EhCZ7FR2O|t?SNlGv? zywb4kG@YC;pUVz;KDA#&P31XyfVp;z_hJCP1{^E<9alDpI|;4osEW+R%fYf&a_CU` z`=G;h@qGJx)1sSgkHn;GjkvG9B<^24f;si;j1?(QpcsHoZpZ7N^38WnZo1QSiBLxM zd)WVdz(}8_f4|9r%Gc-0gpMPA&yiH(&S{{BSc|&%8vcF<@W z9C(b6X_Iq$mpr6$dhtJXpK@kGBe3`#pXl_{jH9clocudbZoCp`Mwv@;KrWJ5$lbzu zV4iOJFU0#$$Re1MS`O0`fm3fa0=#_|XyQs*ZYTi|rHH{qjj(8c*Q~r}YLI^00%cSd$&+D|Qck zx9FPo#U9bh1SD#ut33|*G+{w47CDG^BLX`|DCbuFY_WbmGW+$XuS+Q0-9UT%oOcC{ z0mj>`9qi0AD1I!)mX{2Khwcvo*7dOe2#ymEpv-|`_YQ?cNC;kT;;G7zw)F7CYCbA0 zQnp16UxeKL9H9rqM#^{k5T(TznI) zb4T-RNlc<+*9xRMMcq0E-=>I&kKDq|6u%r0}Jd|NKK;6AJl|#kQXUP9<*+#0IF0C2L_JWzO;*5aS9)RT1M1F^$O;> zwBP_2eR{EcoDR+DpkNNKUK^^{zDKeQtoLk_>|2$D0>XW|)<3F3I7NJF4}Noi9KzMc zG1<@4B3t#2TW_D^AExFgg;dyMO!F31rfY(#Ogw9A+-GweCKN5JxplPFPD4{|9o1h= zS}VZs>IUI~Qr0)jiYKLWr34nB-76EYUA(UVKS`Gx@L~Q~XO6d;tbfxcC%qT5Y;i{C=k8c6O zbN^OMf{Z6bEC;A>#{mx}0l#=^S(k5T3Sy1Snx`e!?JP5y1orkIADpITs9dV41pl^% zniSW?MBZv#n(ry7e|^DI`0iEyQK+$m^&pcQkXu{Y;yUI7@U9`poV=;&r;W!9JAejR zrvHql^=t@}<^6$%7K2=3F|W=xkn~!e>j5-qIT4zCh(`}-_xQP9s09Q1_D-)13~9YA z@HRxX_7n35A@g$7VIeY8GK-au4Zgnv(OW$WE4TxA%GSd~T*s2fyd};ksP7p6id&bq z^qSL4tf0*t!2OfAO_05>cewKaHC#VY&54gTSqFUvWPLU-PM=-%`LO3^tq#cMjJ=VD z5HuTXI`OUU!Mb;cuD*60E?Ux3sR}P46)tI=L`VCA_!gnS;aG1HtrJmjJImvua{TR2 zz>bCSfWcZv#zO*A-XMDR{h;ysnU4RD&g>9CVEux*fdpjHBKYE38H8zL=4bSgAl@C> z9%Dtn&`;{5J((=?B~4$p|Fyv(*;HOPjm$S5*EQmG6tadP3A-SPmz{E%kg}5RN-n?r zD$^O3M@`u0-(Sl&*5uBu9)kPS)oykPu+m<&CU5o)gRN9{i?J2q2E!l@q1+!{1zhU& z`6gp&AmkThrgtJtI9ae;{<(}~Rto_xG zTKv>^Fj)cU+dpnZV@KxPcQDYGOrNc>&*ObA_(J^??!^i})B{av&}4*2?%ea`a-f^H z={p1zBXru%0yOhB;G3?voKn^ljatdc+KJPQs>N?hL%TcnScK44y(mE+@r^&!reEoi zCm8i4*~~(0U5&((KznmSa&8MykT1wod2&>UFyK)IXtkbx6YB9gN3ZyFYR3sHu%sPF zLlRA8msw12lwxE9?*RJ!4&%M3K|p~s%}aLXjb_x$%*0b2W(Zfe)!M<;D>*~Hwsz~D zpFB+7c*WWLjDq(n3XhiM_=?jFoJ#h#B6|-zX8`g48_&n|h_ZK2DpsUy4Nd!rX-DBb zx8LO(B)>au7=+^QDbbM=;9@#*>I|S%Z*IMkHI@sUBLHl@BXb3mYs4!RcKN?2Q0`;@ z4z-I>V%^(=yX5AmS83u2oOc%&rg{^nxJxLKCRKFrJyKAgY--b0kJkp7!^M#^o$9EO zpgBhEwOAkC5BmK1=e&94XD`8)I&G8uP8qoPjm7k8KS?t%0O~(KAj&Y85?x?OyZMim zi%qRQ!%+6Q8Ga^zp1E!!Cmz{}e`s@y`&)CRc$B30_~4&wU=V$Ok+WSY^5E> zE@Fhufiz<>6LFBNM+dfwJY|)sQ?uDqu-QaD)%YV+k3VS>v{_O9I&;QSmM*7@-tX`< zXqmGdWjOQoCE#8H;>HMAxBjVW2O$APGTqTNa=Uj;bdpTZ{Vp^?FTn4{Rq0+!bncwt zk~$c^?fD)Z{=HE3LIvPIcN8_idgflqF0o3Ui>smRd6>`j5aWH_fxv|iusNoyI~a5dVMyO7F8nkwFc!TIShUAJ)mIq`5RlMKNOaq ze*$pm>n{SdKkH@#6Ft|(nEB1y%RK2i=A|lvG4od=+bo!Pv!_x+S!SUt`6p3(knzJy+* z6IU3^j`m=xf*tT%g*nAHc2@N?%OrPp({=#%P(LyQY6ByM2LgQLqe#x-o@^n7J415n ztl~kbI2OOEr-kB1cxbKPVUKWvxjhQJUY%Ipxeg9XOvPfqcW=&?#cVJzMgjmu6l|#; z+gERBaL;b=$aZ^h=*eSO#H0Yoz|AAGL2+ruQ1!gl1Km1mTIA4ARGzF#BU7CWz z`ni?ow}2`o>kbh=LdUOIV_bcH08|lezwkpomickH$&dC9-I$?>4y_NMS8VMuyf~m@ z(w99#doGJ)80PoJFmuu4#MDVpKr^o<>c1v*!2uf6^QTf~{~|GItp1pl!w_^tlxN?3 zf8`ffp3_9>siBt{V2FwCsUB!32QlDTHw~{-+%t!xM_ix^t~OGMVzN(H1rMbj;i<_R z);@Zs%u}i}#fdr=Gu5!o%Z;F3t&#lv`cmJfN2m71R2_xceQbOrGo;SUjJafTRcC9D zXM({};r@TKs9_C2LA34mm_|Q;Xg&g3)BU-NDm^N>ve$lEXIo70czu!w|j zH#M4W8q{dC=_bCu)I#WJC@Y;UJ}dX$6+UYZg$ho`xVBpXpR}RbJKLh4zcD-0LiKFP zVsnQCt=>Kxq1RB(@S`6-C~c)3Boo$NL|F-1;XCDCY+CPEoR`^bs62{3A(_inSBmt} zxA{hLDJe@z;<0_BqtdAb&qaA^aJ-4FMET~-dj42J4Wx5W6GO3}p<=YcUTay7-eJEZ zwTgwDWrluN@!2;{L~_CU{Aao8$Q5ZuAY%j43olS0h=;NHe8ZQ4~%m;;1Rp#y>c=wii3%C}-PY}JH_AW|K&eY>x z?_^Yb9d|P-c`a#NC&Dq~IUoa6|3v1`ul*Uf-JH$;Dhv4^=U63f+|KHHdamnu zj$^X^K8MMC#}SkthhG)S%V8fSV3_k2?CBl8-9bN_QnBO}BF)TYO728OqUK;A{rMUs z#Qp`@;8h~W`^mgf_-iMN(V4-~UI`%utit-Lf_EXLpmi51nBYI$Y#+I2C%ZiWCF+?U zY0iQb3gyW`)x*E$$(!lN4Cxv$M#-gi{QIVO0uDkMa-Qoq9^Zj7q%& zT6S15k~O@LbdTUs2O49@B4cy)a$clPK`evFd8niTYp`hHNZU?1#j?@Ek;A2l8OE{W) zV&alzVmgnP?1Eq6f9JU%@Jj;$8ql65?VO0`Md?Rvp%d`{<4N0?ovIzD9oWkd%lrty zrR>k$R9$iw2j4M=>HDP_?HC=+e+Q#eQ&St>*w|oDxHZ7{v*&SdM)N6`tC{Knw7YKG|R?8g=Y3-eCVg*b*BlhZpcTOYpPM2|i7 z^$%u;*wXG$+2A}|4*d^Dmpn@wN(GN>p8Hia z0o?JyRMgbV)fBP<5sZ49FGmfD0W0cQ6E`<#<0YT%YUn6*(Q%x2^Q z9oJ*t23cM3C4R}7%QN<&1{-iD%5+oyBQ0ZJsFxjX5$dF(mg+Pxm&P{=XxSz%f8X<- z`Y<0X0c}l~Wm*#sHli~ZDbJWX$bNdPT^khP>x3l-g zwKD>}z9)j06tdMtG?XNgJ_be8oNklN)?*3d3)WR>^z zsu#91QwA)lYx`XVZ-1DScuCozS3TsN%sI+{V`ikcZR1;@Cibfg$?4)=U&ak(VamT~ zXukVXdg!y9e6=c3mwo-+X4TuyT*Zf-Fj}gOVrp1^zbs_{rs87FTwPGj8pj}q;!({< zo+;obdE&#OoznYTvLz9*I=m4@jl8c1PTl%)R{J}&&7k7yQ zivLh;zXLA9TOp%zc| zZmjv*q?-mZrROjKYoSG16nO$W_6!N=3nK^2$(70lh{heBlV_~Or*ywzh2DM?txg?t zGuiNTgbH(QX6hvUpnMIzP$2V@aWvnJr>uABCz$ktgDGlQmHF+&s32nzl2KHq<`SzDhbi{>;vGb*KdkdBhr7s=A1 zA;Z6jRGhBIwoeS1riif-ne`Mq*mMZ^zSkUz3l6%P)|;I#&2KjT;sV68RA+=mK;kqr zpq}b=m=VjuC=ig>@-DCAV5y#Z5dpO~o&n8Mw_c>@-VHuZ)l&E1c=$Q-L<&;klXe*Q zbbZ_8M3PC)ii+%dt)-%r37p}2TE|!^oqcIDo zAeqygig!~F-b#zibY-4HjL;zqa4`*45sfRl z?W5|Ki`2`Qi`?%YYf=qydEN+d=V-sNqOI)9C62sID3hLe3troYx$|#?W<}=GJT_3EEwt-Jma4U`!iwx{a09cZN6n?ClGu} zwgL(x8K4YHG7nP^%0g{qK|7x=P~w{iM3agy_77H{u^8wHZ2@~DCm*pZy>0<4-36MJ z>1Q;qoTxM@XgO(~+1bgmO{~%eLuf2OW#9~G^Pufr(Usf@3QS`_73qM-C!Vl30AuGF z4#2h5krjb*7Hdmyhu!ziC?mt!s9>zG9HtPViFEB*}Lq4}) zT;C6`3sfMPZREG$WDO*=W-`nR{Awxpy_r^6@|^)JSaVSW>-c+`)_zy>xS*|<>yd|e zJlJ|QBV`JxW$1gZvOqfqFCFD1E@{+|9r<^djPog zL4cDZ2bBej)Uo*cwO7E8)qi3#oq9n*az7)S*LI@T_ZCZO^99$G$B!v!oYj>H^7b+z z=XtJizg@9*@^Nw$xl(>q>+)&pn@nKPZpLZ70MS9mvlqp{gKSrcNFBmn+}X;-Xig)i z4`yEXc`ST@@!Lj$WR+wItGLB}w#e3t*A9TYQh!vYAdgbg%xebY^f-)bp*^{t`&B@S zMAD;Cv5GTSxXDi1Bo`h+8SXMEKYQ?GsOE((HwPN$i^{$)lo@EgE6G#bZKDMfHGXhs z2P0F*bhw8akhU*}h0sm}<(&tLQC+<87EGI!8MmX@ghQS*P4c+PLASoXduwMM=+^c- zx8C62xwZJF({y{XgNsX>Pi*<9oY(x7O7Eq}1HtV;yZAb_k&#j7?5tzqT$z{6q|Iwd zmTm(i1*u4ETHay2$+xpH>K4#3CR5Ak_PXz@6FBKaXDb!FT(olX7!|`erMtJbG>Z`{ z2y^OXq&EG=hYrJ;D9`xpMI~uNhicd(h2b zqk|6s&h{sj&w+-;kH80}{UUV&X%VqwY?|;B>f8e)rabHTjD>OmqCGP` zV!4Qs8{GT!W$;1neEew4*9MK1$LZ3Hbiko~MMG15ioqr5VQ+zEm)Fo?QqjYGN*nz& z44_YP%n9&;(R!A;G+`iQ(4(fdU()gpzJgil`!q4LF?CRbDhN;(jjE$u@CeJDXL3A$vd6q z(jYQ+TRcg;!bBjYaFy@lDDdSEQ&PrLzg`gey6NdK5SjQfNNNQD?Z+u!g9*?FA9S=J z*mT$|a}Rfz_%V+zgJ|hdaIhxT*Y)^Y+ZE?rnzToi5`C8MBcD)w1**UT-~)R*^uf%> z!bXqm&s0Bj-H_zjb6L5TcXu`{6H3Q3z;wv}&zg?OPDoWN1NdjMpv?ka!b@C{2ug(m zH$U4eMvs8bR+01r9U78K?t3giL)lw#wMJX5Ykk&8;hK#x4}fn=nv=Ufe$&llvfX|T zypP^<-U|b2AbtnDLa!|fH}TwiPakM^F3+g9)KOw82#vX+xxmPa(QbeUKVNhW zlRH{j!@-co5LRQbP)`uZ!tPF?|q_@5q4^xVo_10>P0~=pn zkIZuIo-SPg8QO4@?y*)~L-NEXV7%%C+M~}7yL1DA=(OpR4<2!Xjuczg-(CW*2pLt5^0+O3N(3UT&e&Vck&1>1^;HB;_}^ShxSqF^R$$}RIX4R$H%Xwb^}_0=)8-ssOO09^r5YS zc&>E=5smf!eWXFNG9b4o3bjJ3GZiWFTXaYIC-U^LBa-;>;>fy!4!I{NV59?(_3jwy zu!33@^qez*DdTBoX~{wAA*Ip>-twE4!@Trb8c{eH4e9J<0$sh+3gc`YM-}t&pn_kV z14vEH0D&A++0h5gp^}j5T<0XHTbXkeq>r##Lm8(-&6#Evz0v-%Kp&%PiA-9ecfyTM zW~D`Hi1>Yt=!9?g!VlfghjbukoPY%7vQZDDGB=8zOzq<$jdIb2WuP~6&>CAgIKX#u z_G{L(5NRCS11jrPTa4?%;ParhmcL*2(cpqHGK3W`Yoj8G*t8HPJmmo0#>IZMqg8l_x3 zod|7qIC(#(ZuS)&MZ$y)cPzQ*40!@AKfG|;TN910JR4?l`LYYAp$3W_AMzbl{%P!?WkV#ELgouAHc1EeHO(Ysz>kt ztu9pl{Rk14rKaFmzFt7yEXX9Pe%SQpu3B(`YsOpLQ3uj?iZScP)7GR(Yq}s3P!@xi z_aeyzWMlvekOZs4pz*l0&1 z5@7BtKtN2VVhs&7$*4=zC!BQm-IlIdc@l_ftIHrCcL>z46)-Vi*G^dK;<*#)<9j+*i4G4)0zu`fB%LhzYb}_-JF8#SFq;@iLn8w; zAd{;GGLf8$ad@DL8MJZKie#ceqRS4GpWvxWG$6F0pf{~+GQ@fx%cal6!n@^&%XRQT zcSi+9GT|iWO8Dpiq>>UARW%XCH03n8^kK6Sy;W%=Q-YQishoc|NGz>6UzgnnO0nt& zjR|QFiBPZZ(-(r5k_16&>EbnaD))AkXC_lPQGJWoQYD0jddJNB2*P$aPqMNkl6N200KO@~6lgEW~H3|p}M9`Fi~@u^RZ}Ag&-wEMBS`gl)uF$=vgM4 z+X2_E27E5Ak%Y}Q46)7TTC6SJ*q%gVO~P5YlU~XuwG>!S+YI&?TPH`#W3Qx9J%Bo= zA0@}zA^Kh_~zgy7LS^6n#6pIN52XP zl!-O}yh12jn-rmF-}i&fdEg^ap;w49x{>w`8Z^qaI)6J> z1(0K9d}w-Y4ppwcmy(7$peS~lvDBEUHb`o7`FImJw`Fv4!Lc28@^9D59CEF4LU5a& zlHI4kM^X&HhfU#R{PJK5*L3p&TOkz{gGtKYeqs>hCl)Xv0EOcXU_G9&L=Yxn*k_N4<9ul@asQ?O72^X2h1r?mGppar%Tbqu|+!KlRjv^6%vGKQyf6%Y#YK zHw&O|&j0!*+qT~~o3QlZO7G(ZV}Tcm2;*e_g?}oCKqrq|LOVe zELT@;U>WRr)_qe8Z_fi?{18G40sZtpd~s$vActNnxjPA#iDh+Dz#Toe(Z9h6-0*)y z2RhKcP1y&%D{zoqM(7gjf~3BFw;xvn!~PEk`Oky@8Sy`+@>^K?XL0`7RsQVb|C$W? z&m2HSF*WYf?Zu^~H{Vki{zaRcoBO7xr{^A9faNizvb@X|5P@~L_dM=hve2oIf8KMJY&%yOziPzhh5)RCSKa#GzEJtQR^ft2)BtGUwEA%ioU zS_TKKx_o-9@;cRG%cL-C0pOr^<6D{nd9yaQYV2Ie?L@QfOKBbF^1e$xF<$5q3^eq0 z!nusfH@miE`4!w;D7l?xG5i2rkp24wqN%els}>l-z0ha1Ym5=qz178tJS+OZ41qlb z4poi?Ml)$G=85nF)9N4_*W)kgRN#4ha+VK>%&PzO+XZ2?u#O3rFy-Pc7Y8i#M2qQb zPHTQYB(&Llw8vroB^q3?k%0hn8C{UwLXG5@`sWRvHkKX*7YP1-fmW6uA6$<5^)OsB zdMVbrz*8j8I;T$s>CjT^bgWiY^>HKc?7huJt(YjgL)%@EZ zzuG4l{(iv=y)~^7FPcl0m^eO+5ZY?a$_#B(5T@7_bGPrDRf%!V>eb1-wz3eA9}q~J ztxhQEt9Ww9lQ~kc>&?C2E~tBevd5OHa1U&ko+DTh*39sonE5|fkYy84pu$Zr?0^BF2cmvK;iT`Ws)#=gHx2SvYRrF+C&t~Kq_d>f_L=S;=Pyde)!vL5sO#ITEal^~1 zgP9sW%AP=v;!et$(bs_m+0YaE7iDe1rVH9Cy%djF@2vQ5@sJ4`zl6n>{nd4hckYBm z9^B;$^ovfo{A68l<1#7hb-N>O*xRR|wQ3f4Ll>m`JD zB01sF-Y0jqgV~&oof%r-4sCo%fyf^hg0aMctG>$6<3-^*{WqZZ24mSKVw(oWGS5BR z6MFObv2U}UJ7X!kJC;P=@(242@dbh+)6Go61Na2Tz&Vfi(h z%|-LBz7zh~v)LQ^2FxN_YH5G~{h|}j&f18Pe@S&`N%t797);t>%mywTd?GO#`KGyXF4~MFy=&ezAlgLhM%A1(4)baKx$bQgPNbo*XD$m^Bg!MZx8RY4FG16l zmOg9I8fMiV&1+G-Bnj?2a|g}>4Sb1jUwh_Q&dxcpB@S&|kbRe4GfTT+`5UTVV{{h516*u>lf46KVXx}LzI-^Ns=1H

aHDI zU`V}O^e7;?N>C{W+nYMj`#(5ADpN$v(1Ps~b~3P!d#Xp!)xDM%>sSgNDs~zE2fKAx zg*CpSFCBt9s#l)C&!NsK%1;AX;PK9~nzcNa`?qTdQ>y?*;I5vMEKrAP4!fWPt&44= z@HY)4RNZVDu+lICTH_q|KToKztn^AZ&^gb`5wQH>vg3!2MBC)CX*|fs&gha?b-SQ! zY^#>ENXYhXKXW*%h2wD#IWr@9e149=&z_ zLq`(7^vN&xMVxhC4XW-SRE8jzk-o|~%jy1N1Jo-fECNKtOmB$KtHpW>RQ_(Pz7112 z1JyRqpvhb42#}QI89P$obGhYy$`J05^w3)qOuC2%sL{^Ig>hz0-W};w5hOaxX%U-( zh-$LfPba$okoI9UTuuH&^+tn;4ye-2>{L_4KD(To3Va%G##<7?OnDf#a2kOtAkp)E zy`>UoneXg)oE}T3w%uveQZKp&J3)L>wsimA3>vd}cTSc=L8W zio6lk1$qO;FZ%UWWQZx6;`B3sr#Ryzu_Z*5u; z|K3K%GgEFj`-iLJHiH|;K^@G+UYiA=_HmgttovvPYlcLJyaYr&s#Cy$)=l1Dd5$1T z3FqlENdzSM{B|Rp*mx~F0ImSK73o0Tc32Bd)B{Te_5STh-T-s&lG5_^_}Zxadj(zM zXJGh;>#`TTAB7sn4ApCtTA~&~x|7VlSBi`kAwORP^-7sUudAGb3fnWfx=rlvpGD8e zf)sRERQlwoF6n@qVn7ur)8nkUrhq;aqoltIQvDKvQxZrv#a=vX&g+~^0ecRv`-sS6{F!Jq>r~8%Q2u$0GdoMpm7YVBQ zy3*sVD#BScW{ND`P*sCHu-T5ZHS6;mi%T?!Lae5R9m968 z)+~pNYNOx*xai**>uG7A9%+R+iC#M^!Hdl67EnhAQa4ec!6i~*9^w}wS2V9q`wOa~% z2a}R}%FySt=>cLRFFlO~w*Knlqh<(Ohw-3}Jy}FA zRYcJY=#S+n3up;&=4hqfc#H?c%m}*xBV}2Vn(MM5R$@hCZZBtQ^JJlkDL+g*BAr2I_c zumRK|Dl}>-kBld(!Z>v%DL(^Taoz*yoxg$fidD2Y1t+7XA&Gh&s6H?(s${#RfY`G9 ztd=-s0IrW(oh&QF>LT1{fsR0pq+(Du4)Avrsyt)J_qO5Wb$Hzx&J#GiVh1z9@&GN) zwgKv+IO!@Fgf=9tU^yrOccyna`Fg*9b-=XYDW&N$4(rv|tcUQ9B%N~JAdLm-!Je#^ zN=wUhlDru@UFOcPFF@DjZy(H*nr4|HRO-Cyc724K*zhmvR%B@gCq~m&UQcZL;(alI zbRAQ1h>+ZUdH?M)#3W`lR_ReZ=2i=4D+ax97D8RY%i4$Cy^3HK47y7ImHdUHziTy4R#0BG|n-n?K0k;a=sN>=!iJ)mq++^0)%g})vIAXOPL9;_wex=^# z=vr~6g3AULCm+*7Pn2i(1u6{^0a~I#_^YIa8)XF&L24ZU&6BR5K(d4y%*o;gVe3mi zL}#2k=ZWd4-l?q>pdVP|d^T~%oG-%uY0ghZyQhXguAW#N3l=!=XV;*aZXGI{&Dr7X zJf0P5D2lOqwsK$u%hKrFsDKbS2Af7A5KnDyBs`A znk1NCZ1c*`#>PIPKo~tMh&GVe z;Pzti*?C6C!0B%1hgb1A?QokumE1=Kf(07Ux3*C-(eY^Ncw-kC`E<(R;bv3^VW)a=-hgEai~k7eNF+-zqpZF?JsG(Zq|D=EzXh4lZr z!0lg0`A@L+Cs_L}bM_~-_9sjG|NSiO@OyWAGjnqZFI^u2DnP$+@boO{o*cGhRVq81 z{a*ql3Oyk50ZsWX2c*CW=k<*pa6tAd9ajQ`)PM41X#vTB`}r%t3L`te z{?M_*I{pWp_RoX=8Sy`+@*9c$&*B8z&Hs}U|7TbEvycBdfc~`*<x%n3R~+4~t`w73jo z_Y!U?F|YUqcF*u@VpJ`-iH`aHBKwZ($*w%mX}^1x?;QNU{#T288NGT`eJ%&#D@_6Z OQ@^ZpDgWZNd;b?C)@Qc> diff --git a/versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP1/Distributed-API.png b/versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP1/Distributed-API.png deleted file mode 100644 index 688c7c2e1bf9d75f570cddf3a92fe9d4b8ee0072..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 49935 zcmeFa2Q=K>_b-fy5Gl$Ngb*Q!sDsgaA7ylgB+86l2BVD8r4l20Nz_EN5F$-reLWsAHSoK;i<<-Zq2+*a^MtziVC}rX4>f0;r-zH5 z2k0gxBP=Q`E+YXKmXi7V8_?zd`MHUmqaDuWKTHGB>F59>S2(~oTa?uL#(G7(AVi68Vw7svhB*Gnhq2cO|Qd0$@(bTj;;I-BK zd{oS(@cyDMs_t$GLjw&fcQ1l2)?Hf_W3R7;fV+C=I;c3PyCOARePuk+I`(2%O;=S_ zReu!|BMV&@M=-ONrB{HNor9(w&?-#{INr_A6RRTXZ|`7%v(m>)E(^#^K-@` zKtC@}4PAn$3_{%l=dEEW?x1C9ZtU%ZMg+n=&GhZ9)KJb61Zf{*Cmk0l@qhs1Kp9Ov z6%zv;ZG@4Xs+TF=)zit;4UI9kx72XQXn^t12sf;!pQSUw9_J}x4@2M)-X>ah2#l10 zr>B=U#=ue1#m&rDUs6rgGC*I{O40%Et7?X~kjCigdTY4ZJ4hof9CXyAO;P$-3nbnO zrlw`-q5&jlqVE-G;%s1IVyKSx2JEm?LFs6_nBh#V#Qoh>?Q{cB(nfGG2bi&+nyM&4 zN?XU$LEjN>V5cdns$r>#burOL8hRKwd&BJ2-5k`td?1OLsvw*!;C9}cs_ri8nr?v@ zNgXG=F~LyV5DnBs)zQ-4QN~2a%|c(-)k4xUz|-7UU0UB4FQcRGs-tR#Hu4}4ER4LJ zB!C_}nmB<04bU#0R(`IcR$|@~UPfXnh6HUDaVH~h8Fg_tf)3gZV+tCXi)wD&GEu9TC z0}Tx%5k|i1`eM2cNMn@%7~IXt%1{dEv?|)jz{CrwZ-sXBbT-5~N@H<2Z+nCx%-qYt z5FTI$GnO*&c2#jvF>*Aug87@v=(xLxTIidaOFB6E_<4#06QU~V=HTS#X^#^#f*I*s zX<|?+7TPW@`Xl#d<(?d5{O~~FPT`;w)p|iQSlbuF@iiV!Cqmctb$61@8q8BLP?5uBW zu7j~exm&t>nWMziumnkQ11mjkFDY|`q_3#I3>d-{M0qPnExGxfzSyiNkI$*A-ql^*8513Rn~e zDZ4=Mt13!E+bmE_R8zy)O2PszuA`>v?J7eM^U#&{GBx$WU>(I=)!~q-GxM?tG(~s^ zXov?I*c&0?z^ZBnVx$SaT7ee+7-KIzaZe*lXhb9yDP!g=?J5@FW}szhf++y13$E`jIRSQH=1aDoH5$c!$Mq77v|_7~z)A}2H)SS+`xe?_NwACO zO0Ctj5jP6gB=JR3Bh>c`nDgw9=ZR_F7k^B5;l)MOo@yzvWW!4)e$!_8?e_kA1G_c* zqb_nkXMOsY<=x&4R4LWZ1eRHEmpDD$-V0uMmG!E=epP<^WFoKrgYgYzG77qIGD=Re zh;Yi=ckT@T`sLifF?F26gpq}n701oZof83lOHK_MX42G5 zbECCJ9OX2IPUSScN{5YeLMd1zuUh4igBCy+uFOQi!esd@oh?aLoKJ>E?Xc%{ z#s(JJdr7A*9IlhD;aLuqF5&t=J_$c1Le~ycB-;j z#72eftRbJIFR$(&ChGyA!=`$q{^)=qMdismLu1UB(<`49G5%Wy87f8$-Bz1l{9w_g zN%bk}WM(VFAzSDY$w(-@s+E(6;<=QhjD3G$edAV}qp)r86(% z$^Fo3PS5`cwDBU)w?yHPKU#B~C+@3Pi$dtb=l5yTWnuqTohBGtJfz1t>VuDZ*ehp# z{y&g?-@n^Q$;y6_iKk)YeG|pV=U*4L86(R$D|u)KIEZmD{>SI`U%EYXP6 zx<4wQNn?v*Iiu+P<&!1)+lga`oGy$5jKB3Lf#HurOOborZp!fKoSLuO#;)JP*KkWe z=rvFp_NZO$@10v;`|62j!@hY~y}!3z+Z;BLY%xUmnfX)ltGoDu8%a`rG7U47i65Cl z%1k7Am(@?CTp8j`ckj7eihQeHrF|t+LnjgY_tuTn278d}YSkYTf#S*Ocor}ouQjx@ z{BgnYflGc)g5Cp(R-u~T@8%!g;W&;Z4*P%gz>bEj`&n2M917Axh%ne_R`62mZT+b8 z9)9LrYUsbm;tPj4)>5>b|D#&@lbwp&vy(}m1Ncaj_nkQKzuz9KjuxqVBLnAg>~ToF z)}Qe*aExvASLvG{cPGCDEz}O|u7~a8G2yLYVL#^|FH?7$)SPzJwJTEr4xK$p=zcS8>_J9j60jb!pKovTIJe1$$fsa z#lERIizR68)xd*L;Wyu|PmYf6@2yue8pwCoP6&BM8D6lfB3e4xaXn`K+upncwyw7{ z?)ipr&2Lo)diqlb+R(_w8N27V+bAZ;5w_!9(ZUt|rh2~WgHYvo0=AhQ?<>}i;LH5P zqH>HQAgB6gR?rXyt>8BxBB}M+7ayw<4HOAiF?vXykj)P^*u91A(fv@&bciG1zCYlwwpvkyXC3)`AGSx>l)10 z#!o5j{GN~pfC5couv=ep21^m!@~Zhu;THHCd7~8ALYj;AGnp~yTP)Na&r>+ zJ~InADJ@M6cU@PperH02Em5ca;Ubb41@rHK4@eZec)ZJ8_xtGj9i^RzmDYNqGBj&b z24Pj3Hn6u;vFJ9JC*1d>A5~&YV7#PHB`-Rs9kU3Nla!x-M2pN@2TtWpv0`vr`g)?U zJacQpL@Oq;5-v)*n6MPfWtD4p;|04chpAXT~7u1hm0T z!2w%>i%=_IUS`hhD(^Xez>jfmx|z@mvD;B^x$|R!$Bono8O9v&zkrrFwto0MAuc_* zx?aB@QUx)Ckypv{iSljRY-_##!Bn`XURf{a4Ch zcN#g_w&^)==(#3l8+Sc1nJCE#rxMufPT3iWf-$OHY9)fHDaZRyTTy0CR?9rX*C-2> zt_9Ma1f)cif)l$cK|GM1jV$+Fq9pWD3MG12Wc=o5srt>1N$>i~pIOxerxX^uBN)9C z1-c@&FQd$n@loBYU?bF}!gw9yGjbABKN)Op{#4qR8DwERf+W7Y;#u1#R6YAV=HbQL zUy}eE2x#+Gr@GBaw-E=)jUoJKNQYc&=vHrbmD2v^$3z1_izn>4y*%NZsiIh^{Biz; zi;PTK=R;mz@#%oGeD!2uv$;t)F}E0azt>VA86gR$$wz9unux#Cx{s}z%AfDnI`6^JorF(l z{V?A&lz_j{D%afji2>u9V(I9z_vmp3Wn!NDX8=+C2fTF-MxgRP(WvU+c8h7F5*u75&`;F;cUP$Jv=K*W2BOL=#y=Y})n^!WlO zwLdwdd*(A4%bBc~kQ%?d2q|p-CqAXk)=7tzCF)!jnI*1Z7-9U@Hc&APM!ogJ=7evO z{Fh52ug|*?Tf;tJ?iN3N{h$KI80z;i7fCt5dCH5C4S4EbF-JQ3&CX=Px%x6^jc=qO53 zj~9xw*|+xGAzS^a79|OJjw{ePQ5OG%dXTIz;f5{5G<9yySjx5!zp6vWhpia-kh6h= zW#gbt+C&dUG_lpjE~$RJrJ0I+jYrbA{{hcxf!Wy~*MUdfbr1L*a@LbqUXY90P>_MK ziF7TsBlxrDG40yk_Yg01Ge765lggtYz_PSIk(xgMAuw6k-Z zF5)!#bmJWc4>Wzw9y&hH2095{fRCIvac#%ho$PLE+=0Ogpa+Zk$uUaH5c8Zd2l-sr zR+en~wZO%9-}54ZdWbvRyV2929hgk$^`U z=zQ&4CzX%45y^p!IF%xXWplRpUTneDsYNRQaM3oajgMb{_aOQ|ZuXno7-ztVzFYOyIGUM~+*29Mvq{PH} zHUouUs)UDt%fu^3#IB3k?KhBGzT^gb`CjT~zdKobDszABL8 z2qF}pY(#>uLN`L?ljKAg+&GDznk`(+mrDoIhDsW*`j)5RF^fgwY_e`030u8SPIyE2 zS7$9CcXpBGr-Ni^BIIO;Qf%0LN6Q!!$dJ<+NHM--O<7oPz43+xT0JXZf$QT-+;oy; z4!_isAU(h_ehZDiLe4g3;`G1T6+nLB+qal`SywMAXRcDVOw@uMQTy8)2B{|;?1)d= zMw*=NWNlqhmmm!o=WW>Ks-Tc06?D4)DuL@x8x)H*9))%{JCL=1O?!po5!*USvO~#{ zt<#F=NlYWcWoKyOJ_Lci5cquz4N>n3u8&3WkBG{j$&wy28bPve(GTC&z#erc8e|T3 zS-Pcs$~Je1qy;1@%K;MS0`7ZuP&EY8kR8g5e4g1l&G}OznO{F6XX-lG1*`9xn;_~x z0e{JaTjOlRGxAGne2<_TTU!0?2Z`TMyk_5J4Wh{ z_B@a~K`P5==<14NJA1ZBUbm-LCp@J5-;;1K7f^4R=DIX7XeSvS100m~)k`_b7H(g7 zmKsq0r;Rddxj;L23u-2hL7h{DFo&+|U? zB;@61HMO)7iA|hz&s1#>(H9gVRUR@xX*>;eZ$hUA1qRAsXY=`TyvvBNl)6)QIpR+$ zcQ5Imkq_+8;~V_N*-+E-@Q4v)8Y1<>R~03{@9gG!hn|egQKVq~d4_}v@neE>$7q~` ze{Yl1`q*}qw^ooc&BF4TICQU!7^g%nByt-laJ7-w1V5p9Z*xzN1mbMS= z-%>SjyPN2FoT9z>e;n&2>znXMc5>EcUcG%Lnu9J(0_9qrtkG|@WG6*543>Gw!l}V5 z^f^5|ke$5+W;t`0LHeS^sS`=_oH;9}Q*DVx51vwc`8eOw4Z*CKiqMlYX@?Wca-45M zr)bU*^8W2pUB{~_V`v$PUeTO6-qv=+Ge)w3*FT{e1Aiqk(*&jzoTZ=P1LT*{(?f>} zwF)4gQe!wIryLs+S*mwP{{2@;Las3y87DQ59?5k&%9U_kmZDw2FM*B@BL5OtSgx&E zA3tj`a6&I%IGD!F_-av47pk!cSLS_grNqb#*QOs%NWMZ&0=^(;+-@dD)D}Ybysixyghp=+45y!n?PumoLgiwwM;xenj%PxpLS;+jvQ zW``x~?s`OC*+8gLlcK?wG%MB*nqO z;SX-Xna%e_?XIUwd!v8O+_`;wsHH{w=S(FX1)RY)6QUJzsYT)B{Xx5CZ>=rsHPxMC z!%43gG40muYi%eD{kl%!?`WTy_@JG46WlvGG@>Gx&!oJBP98lV0P8Tsc>ksKjjc0W zs?n4ZowP()bn<6zrx=YP?#v$|9Z$997o(ZuD4$$xs3|lyPdJ$E3^bcY{FU6Hu^Ed< zY9WR$X%SJ9pgB4=1J2|f>wC9eqJjfJ$JWXWg$ZQKk8~^%$Dxyugo=R2ZD(Z!?NIP= z+aEcc?#L}>F%2LIvHG5^HfTEC-sk`iI$P_%G1zA#Gi4D&tP>nI^{VR5@!=#w1kACV zA!xj$JTmC9$xdG7D!_LaDH4>EDbtwE+H{PeLpPtRA+W6e63#6tD0ufc{X-2Pk)x!v zCY{;%7eFHM$i>vje(v>+CR%L@GX`60Q+@#iYySD7`iF}T<=n+seowUx(e z0FH}_Qo!}28Wno@_j-l`0Vo|nj>yrWXpg?^z{3x@5iFRa{mSz}xcNoeBx2l2x&!{7 z_{+NGFTnqn9i1701ODra{CK4jPO$p}jzbKg`rl?q+FhX8dyiV48qF`R3aHOB&Y>>6geKJl7427*LQ2MRn z>$T5AVYfo*aLH3gw;;j*B|^hFvDI@V)a zI(O*2AS=moYw&J3i3^)d7GtB8W3J#?zw2M|{We?G_Cmc<<&T2w(5kP2Gf&gK0dk1M zuMgv^@ik-Y*qUs<)6af}W0qOUiiLM<2oq=UBZQxo9g<&5Ol~%x^C4D)OZhN=L5A4; zYQ+#P`m24S{-Xhnr^`uMrKoSXs z5~R61wM#^LH^?rF_s1|{sGSATl+#GCNS~oun~+sAsa`$t%3I9VpA`UV5pyY4ekn3N zY;QB&QzL)X$Hk_{spm1G>;v~>7{F62Dnr(X2d)t&k~8BrSTN{1h0XEA7+#pttIp!I z_Fo53O%zZfUDK!6+F!Z4dz59gv0%z(rRpU*1&A=EIcKxY3SRT0_bM-4^X=A{FSglz z60|nxlvy*Xf?TSZ()YwMU-gQBu+<>|Ow2M_IbT?>T?qLo^rBsC{xc@luYP}bVVG8= z=G)#%fszai_Ba+GW<%`Wjr97}5b{?!*)IOkS68_5arM|exgh{*j&p>p7)gC~e^IG+ zN~SSnDKXpEWMp>YCoX2Zn#Ah%Cik9fTZimSNm=4<3wNw<{qCG+`r`S3ZxQ+RFFq<( z%gn8&kM5A>YL+|aqxiC%Lqm5Ko26uifjF^%A$|~kvJHT=`N^yxEWVW|^$osu=Gy#S zfl{vz!qx6R=vi8ujdv1Z!XfzYFo#;jwa*yr2cZgg5`!kdh0?cwFxN|)S$aNuOEs^s zKrl%Bcnv>1@p{maZGBRze(+l8<^+VsyCdBp;B)@IQ=cR7ipa; zL)}BcQnw|VGe;bCM_l;I+XB$M^8l#Are5>+2D4p#zkcKVPEPgKbn)<6r;P4j{C>|r zqod(lLRG&WAtle*>~9SWTRLU-U9F!ft*%m7`}{rzPExNov$*!kWjQ`J*k0^TIUng} z;tKc9#PZ&H{b**ukEnSePlE2k1m|SUH2XRBgWH9&C{W0^hEL`$<&$QUd*_mySQ1C2 zLid)lrEF}=0OB-1o@kIYy-vQ?wjWyc?u+$VjNY7BiTJZLsbiUE2iVO774{cn!z8HM z%ffbNNbPay@hoSucW0g0#x#ic@pa3Y^AKn$2XOY`4ynwy25Cr!rsOh7R0su0pe#c z#1$>LR3%Shvp}}RtY0clvwgGx5YL}kfz$jIAQ}bt-UpiG+-?F;GfW%mQ4vdy-2591 z##P7td6fLl@Av6STbz|O+rta~%+>*Rm>-C_bNC_en6qnnA|WnMq{7Ls|D6jkwgjMd zpN|RyA=_U^{Rgh$GZ}9f-0P3l9Np@#2sGG2EkD8A`X1f@RcM}#9BV3i{sP7N!U9=s zkus_Qkp~ZZ=?(x@@ADfC#~$#V$q&ADENCK(4b#5{%)#YU+gg>TDw$s$Z{}OjQ=9M4 z?{)2NG%I0|%&l6)5}@LhGH-nro0z3Y#NbBd1V&x-bW0Q`Op9tD7=*K2kX}(|xu`yZ zK-{$C7w24(U}7wb5->%(E4?u;T<2j$z@TJLCJi>E#WP-m(C)7wB$h6zv_1Io0i(0Y z9$X(r8h5&}2nBZ}9n;c;&9hzv&z zk)EwiK)@Ayy>F~ZjQynq&H#zqX}=bSd_KZAqg!PUf&xuUS0wVsvx4RaB^ZSs`;W(W)@1{k zcwW5IhxD1t$h;eG7{f&>n91h6O^LbE_+W8b0qw>$g{KvU(cU`9y{$>CD{5CyCkApmk z(Pb&#!~@5etaWjMEs+r^{ScPjcp|}nsXk#0Sm555@dj5gdhHFu@>G*a8S06>-e}G? zOvI9Q5sUtk_LDSifMBdSjt$gKo5xjie`8&kg!Dy_p(v47c&m#8kgX@fL)~hkmGtdP~nNtwB<NQxs}ZwvV->5w z){Y%JiDYl3;e&aOFLp%0UW1^cRP5EZT)*D!NEk0wXI`rH7l}mFghYIefF8$o(t1=Y z_g!>`UYe-gbJ%MTNkmGTd|}0)cYMEJD5x2~cI8oaS};y^`h(5hlD)Y0k25#QiebD1 z(MCMM&7t}2o;BXhptWn1CC_=8Ilcu!w%~DZB%x%rKxwyVdpUbwezP$xgKir-s^ljx zQDw6DC&U83z&`3!LRql-X_<#0;C0vEnAxqg(h=j{)>>Dd&0l}?iruX04|plVWa&ri7(xaWthReZHCQMSrAY-BBc+3MNz! zY_=p-PR4WsUNq7X_==ua33omR#2UA4e|!DKwU}3ukmR42Z0;(N{6J>*+4~0%;(G}R zvCe{|2lA={q$ex|#v;eg2YX>2v`#6>uwRn-5HvkbnJs^hzks$$J#nA0*Q{NO@Yo-0 z2>8XhQs6vlI>`+3-cJ9dGim^sD)fsVtuXVSUgBT+(4yW6GlF&Txj#gx-M$~$5Y3y5>aT|h{P@i%x z+S={utNg9vB;1yE-Tg#HrzNia^E=;;bp(BAe8z~;`SBNKmc-`ienNyWRh=Q3&`jGj zPS5=lgtxs9V_S$FbX$u}+c`HPVra<%3&MgX-o<5gfy;%Dva{IKg>p$1!HO2m>ZVzDrQ#)1zuQ?SbD3D3&aRacBr_tnccaSwVz@^ zJOgWN^c_1Ap$OoWkYC{^_3N`Fw#8-Fy>vaBs-(@pS43cqQeJaj8O&Ce^f9Vg+jZq{4#?CHfph|Dxa z=th4g0lL86F^#OnX+LH4Se=g|%2Vc-1T!{r4dLo=OrigHYQC`VKC@cg*Sq-c$AqJfap%Dr6&&dw~l8AS- z_a6b2>%NUk$OHtC`-YZ=uO1ji;PAS3UT}Tj?o!^qbeec`xsuMA^4AF+shgjwr z6Gd5yK2)P@OVZh+fhk37Ml-wsGJSfw8v>`OH2`G#7ov7Ir`*~jvgGOk%8065P2#}; z$n>Z>&y7b;JgNz|F9XQb3`chYGB(aYV!02^dSR@^@z<3va~(parndaX-Ka+XrBc5W zDqg}Zx+pDsR# z1Ni3!_uCLA7#9yvR?Us5+nQtQIcG_K9dv0orCBpD2N2}PHtgwNE*3#zv0CATGqFMn z&@5f*0Deql^+v0VNnf4nlRWI=um8H!8VCk?otBqT+2AfY#djLfvUlQnT9Cr90$1D3 zl*e7q8Tcf%D$0lW_b10cc2gph{ZGj6_!;0Yaz-2miW#11RY8j+Bafl{%zV&)Hu-O5 z2y!68Twk0amn3`Y)y+aNLYa1Dq|h1C9I!@1mGGd7<7cVgQIk)m(?1l?i-M)l1Q)%3 z&YAq=oVOca!%$Bt-Qu6rW^04+AgMFt5x$gZo>QnR=V&nPkERuHjw;jSvAP#T*(utE z+Wt;>W+I;-c9_z5>A+}Pm;5w)?H7#nQsA+mBGW~O>vTvsSVW&Tf(z1kPTQMg>sW5p z#C!niOPvujWuqjaUiFX=#H0MDECO$l`9!lq&43mrX@m#iEd%L22Ehs(W(pJniLklj z{L!&T5%)Q7nw%t`G>01}P#?5qxzJGiHL~k*(RH$A{aYvcs3KtIPhWa7U{vnDPqx0$ zF!bo}5T*nDw~=cp*6LRz$tSN2Zn?yAVDze0+kRkFjCrZQo2rFZn#Cktq&Q%hCbids zB$tHC6V8TUlM8CERBVZ60v;KSsJI_qc^1^76@`a<4Oh0Le1lKTWA0AT58pI@9r`7= z`7jL;6_-S#D&0qCi#6lsiGpMh9!^g&R2@UD|KKvU=%{Inp$8ocrcZ~B561KuD9#zc z*1w~qhX1hjAGZFZt^XK-e{AbNw)LMQ>mN_x9|!9n2kRfd_5b^IfYWCNL>9N@bYBn^qL@u?E~8y*+WmQggbKTzA832TRtKA)ul)_c)-^$( zx{Ki+YToegYLO56;VlQKe$H`<+34c9_>0FcG*}b9sFsVIGHGDJ*hxQ_x^*)AY!Tuw z3RjwEr;3tqH$ao7aW(9=Bn@4pB~PYA-Feq?9maG!_r7&nfa7CcBkDq)2HD5vtQ1fd zrR`m^b#4<}q9COygDv}UZdwwG<(^}p-H-e657aN@q>#8D?~x;4P0pxlre{%X@v z$Y#1Bm23`RN<);W>}`J0Z+Bq*vALDS_X8#`^4U=rayQ7{gyolBqG>rt?lu$mDma9e zRk-f4GblK18?W5X@a**|%MSw;&%XcAz3UI? z69nJwwxEftV@_+Xyjhl0h;ty5{n;ryViCV41x&Z$i>$qn&FH(^(IWg`0AN!NzFXyv z1_Wde0sEHsURe-ps=|33j6qL_yHe=n4~t;h^ra7)rPr0wqm9h6j>Pf@F}Z z6<@K{m7vPBp+kPT-Fnwh+B%KoL0KQV^M;jz?w3KhA2p^V>`eC&$}Re|ZdqSYY6ah( zfHIU0YKK8|7T3%XRFXIotOSZ=pRlpB`#}|%d^Wgl4dzOa$}&1vyFOAktcR6~ba{7^ z20Q4G>Ic$0(yxT=t`1M8dn&%Kb4*$|Ay@d4{OUp8q#+%!`=Mw88%B&cr0iKa!6dal z_f^0Lq7Q3Hm@8sssY`kaaa{4f+8J+|Mmy#8r_OlA4gFM{a-ws|I z#@paQB1=^n$cMp#imtWkyYCj?-Gud@W`uSiJR*t=3BbTJwWO7GIJ`=ENYKn_GBhXg_97GZzqS8i;T2~wu1wQe2Miush) zEZt4_>$j}^k@39ya~hP)1>bhs96cKnyp(Bl9=<1c)zvgPgA*WVfV@CIG16pqSZGDN z*oQYDV)rEzB&cCQ7LG5J)G-7yn!ZECk~XZ+Q9MJ&xnEBs$X=< z7Q?z4wL$IW>I47hr|UqW;IKvgR-fa?Z79bC6xY6k63^zL^4lvQfiAs(@1Ek;ulzEZ z$+TS9$1ISP<#=9UOsdExw9CNx(zhO zaQFM^FlTHV+ObtXBwFaT^S#^Ip<7e)HyM%6*v@p1*Y~&k%0l~w(v(24D_qKdlgWM9 zZ@>ddoU0fO?fA%yvL(ku2}`7ub0?X{rrQL{d>05GgNDG@Bl6ez3*L=?eNmnb#qY78 z@Y5L`H}*|zl8DS{{k+tXmf<+o8$-re#wJw?;P7|!w(Rd%Xf5-Xn0}; z+KSce7i0&n`oM!MHm_SEU0eB|z0I<)w&b#58TIYe?}&oIdh87ZsZw@kzuh>Et;g;O zjo1|@p(-rjnE}&%oI-Iu_b=}xSxq;L9#NREV}$f=ErP+`j@zdWjn}WeDuYXTZQdWs z$qrc?B#|w{NROYg*rJ15xl;w6zBKm1xj#d&RFkvN25rw(;6Z+1@NzE591EI{Q#<9o zziP7&FXdQ5{RFvneeS#)zI+XhGoAMYE|5it0uNG@^v;x_Ryjuw>@aP;!c?2kL80d@ zT=SUo+bACjJz{b7LfzM4ke!8vN^$Eham*5U9wb{>4}N7y+`JbJr5s8kB=1g_2oQ0E1Zv&GqdBKYi8Dy59I1DhS6n zow3jxU}u& z_EEev{%jxMXwCsgL!sNw@5K7E3J7f1t59hQ4s%OhYgE<>6{vXRgZ!5MI@dQ8AQ|mb z-Kp}hwc^w-GYzp6Pk}HpK-aDAbwyaeXIhPg52d_(7_aqVboAwc%hq3tc0L*Lo6^<# z&S$0V0o@M2Zw3*N(};wes$c1%r13?B3{@w0((YY{**?7*FTp7qaQtc>9KTm4yv_h) zQb=G&@6X!s!3QFgj#_~N4;kP=uIAd*!btSLLywA$fPM$z8oJ*H%bm0ldU;d%9L1|r zwb|^ieY#Kmy6#at1-tTaxn*Bi#;618f22YE0^Fz0f`ZwD#ZFrAzr3z2PXRyZH=rBi z*Of(K0j_3$=6iK8UsD8(DfT=RX9SKcc>~Lgjm8RDL@1@}RX}1zSrqF`j>6GW5I4ht zyWzA}y%mPY{cZO+M$f8fkvZD^iH(A>%-W;%1V!F~br8rik9uKE0TuaU z_OF)J)!p}2TH?_Fk27%|cn9{ya==G9X0gp+`(yLJd+T8BC0`!dP;UT+F7cS*<)(8E z-ag_1V@?+^{Cm$Ib*EitzpAn5$TSG{fl5=q!fa6B@bCP7TXr!41rkdSkn9t17oX-k z_MeX&3%k7nZupnM4S%aO;@`Xb{TE*JV2BqKKq(Kv4RS+qw*U4j5$@MgvciJV2HBs5 z0F5ZjKKIXZ|KaX`tuom2cmYHWDjdj-vYVCl{bZz73G&(%+}y3GoI?5^QF^052>wOR z64B@JDaZCmCSc720MPax*2F^F{Cqmgz6bIsp_&CB=)s$D8*T8O5UK)HHN3fTS}|Zr zq}c2RrwrKgY~+?Vz(YD-74MDoc!6Zv~wMLbV-Q^ zqzLGI2_&IyO0;OXBErp}DKE#um{Ocx)haBvi$h+N54fR3rvqPZ7!#{73C?Tlbtp9- zyzG>>xllRzp!mxU0>E-zDz;O3ss7-+FH6VVlNka>{jZUgd@1m{N>HcJt53%BASJt- z-hT4ZhK9lmvJ;+n$(B2kh7uDUY}`%o&u@oILX-0YfbgEfs=^%b|OUgvNP%pBGbp! zIVr_KYK7zDtjk7gP5!U=e5jo-G}K9FFtA|0qs&JWgXLZ~P|!*gNKl=ZdAbPhU^uIi zz*PhtMIbeFFDsK{C%KdlxV;yd4s=b{p5|)^F18t46tlN+2gxya!g-+;7lNY;f;35? zawHd+`18a|l&193;N6|!pNi|1zzexDx@C_45ygkIawn?pJSu&1l_noY(O%JZG)pCL zHrivxV2!RzIXuLh;GA%PD z{u&N)OWf|(E846zy(Zc<6dWjNAF=_J^Lr;cRyjxSdA#V5oCo*) zv0?P&Cx93Iy70Stbhi_#vk9ayW}vAr6rjH@sz+yAcR!9$g?KKK52c`-1Svb~Cg4fJ z^YykCr%#`*?(Xik-R(9)QK+e@VeRcNx)=2Rijj@H_hx|XlZr@i-_?vKr>ZE%m{&{3 z-<+bDqY)kbBEDRCeK+oOUa*Jp@UfyB!K~XvJ@yU5C-wSIWFz$%FoKeHANK}PgzIge z1d|nuNUb-^H|$KN5?wQX9BoYs_YZm5oQjaVeM=eCrBz%)v0okYI@#xTIm9@I@ox01 zP-D>YoZHr|whE>YQIe{e`o~aL{=zJlPu5vF*`{NKN1w_+Gu?X3swIPc_1$GaD=66Y z7LO>kFW8|oWF2D+ZvvIuK3_bTIP&?ghX)fsYHDE#7TU5UItV^0R~s-k)bXM^%?-7o zIn|&Dl`16U5)cqwbj z>Ot!#wlK--&uux!ioD_UrH&v1bL0K(J^a*wVeP@%AHG4&@IjI*&$lTIJ{ZhYV`a7= z<@$7#%G|_(D6P8Mj_5*zC5@T0WkG}%n4>6eC?5lap6Zepjwn9%n5YkNHiLL6nnM;E zj^Bz%d^_;yGzmrGVwLk1I+{o6^jq|x&9`u(ZyL0ImUy9n2VYjZIc&UCe$i2!1zYP! z!yUJCr4Ix3q3Kk;%li!=$zk;C4LAFt!E)}h{3&A&O8*yS%wAiR!F=+5hIk&MV}3I; z>6xDF8*9u}nQI%WKXt?CS`guzk{(;LcW~woJLMrWS+bF38lCioH!@aMiE~$u1#)Hi zUu3~V{MB}i4rDgpH1d$D3l90(q$9DuQNGmEQzl|F>R-OprVv_E^Kzv)vuthSrC%)fjYuQJY|M5p;`cw=eRgIS<^Xso$SSGWE^6m0^3mgQgfWvurRx3@AU zCHW*92^A@O`RVD=s&&v||6g_R6bgosD9lXfuY>AtPNHk|;>65XVe?0o&9TX;DWM?; zbXfdZ)?Dzb<^m0^AK}W>;2B5(a!80SE!_L3#@ai{kvP_LC zX}Q)nB1E6ekq#6jYVuG)RuAZ~{Ngkx5pUp!)G`t?9_%NaTjb$sT4j+#Gu>-w`;K~YGS;TWYVI92V4w+eH6 zwthbif;Pp+f7RjtdPRr-DMeog_uc=g6#e@O%?2`HI%i(z(W&YF0V%mr+23;_zH)Pm zw>nezIO7t@mOZ|#44$4SY1_bT_bd3(*+ge>8y=IHnmPNm;?#<|{H}=a$hVAi374LW zbBpF|HbO_uij@xx_*2=YP65b}Ms*bT@4cGIRj9L?xnASWU|ZMJ&0gyL=Jqrk`kJPx z$x7+KO2c)a+=*&{@`#a zWbvhnXon6L%C7c4{ODM9*&b{B1!5D68KpBYGme-8uiK~{oN#kLRt-{B8Z41j+; zgsNow<|k5Z`~gy*Cb!%!KKv+Jcsjp=e51oNbj%;T9gv?r=$PKY9=5ZH z9FhACo)7JZ-gCtQq!tG~AP}_F%9kFN_-4bg#Drge`H`fbXja|QDf#Yc=*3sGJM_3A zR5O16iDJH)7TS^B?~~Cy2$gv~w?hF@4h__;!7Juof32D+tFJ4{PBynH8eD0OdcQdB zaO0$;7XS~Vf(EKbCZLySNu25C*KTpIZ)Kr7dilposH(N{i77ey+&{7tgkchc09(^Hg=d<;^N0wk2`c4K;Q{SBw~}&A6K;UCx(RMx zUu84Nrc-f^6;Z#pLQXCO=~_}`)2oiq$dJX2FC^eQg%;|wKNBgfICW7RcDtX&%Im+)qTG-`{AS2XwfH5>gm3u}XVyuGq(G41rSrz8#7h5LA*J$nxz$ z^ukG?m}|WfeEte%4po^?GJ6s9j6;o>)W*TvoCM6hsHt+GPjHwWk-!wIB|a)kcf(#j zq=}Mo8B@Qz=3}6+ngkH*Io9PB=K77M@h!Ss*BV*b`8Q)jD#zHzp(il&{Tp)>!1XO% zi503VKB!(Jwk$w@(pYw8Y+z&3}3dJtv706%(ar3(<(pn|fRyfuO9OIz!+t(iy%^2Jn>^>+~3+~-d z%ydkq?gYz$W2-;FL~f1U9vNbEt;0Iy6-sbigm0g2ROpSN46PX%tO|{h2o1M}G?U*% zr1^L_q=WYUV0Rr19cH@RBg&Zk-F@r}WU-idxmfp&U9_SUQcS!?KAQ%yPipE{ErPTb zbS@Xm?BD{*Iq-N{WgI1{jyby1M@in%;OywRz#O<=r!4G>ZH8;k|R|rp10KT?9|?rB!3>_8R7C!T4Qbps7ihNIofj8r2*WGqqzta|^9# zKAy#5YGR-zH19P5zq>mGJM)aE1H9C)rBlURLRb6zIL61J_vBW5dK6z!4xz(0LBdHm zXV^L|C|)Ge;C@hfd&on>gKhX#qu~Tu8%|!Op$Bmp^i!eqmOg8dHRp#6MBi5lMucB< zv^k@uA$?L}{_V5eDdvp4UCb6Q4xChQG*FYDav29iTf3|#ZY3P-1&$xsP1}mWUciEs zn&&$L(kBp~nsEvO#b)KcJ>pY{(*5+yv~X1BPua?t0(07L%PoaypDCp&ThO_P4m}1Xi*hGt(`!^hS5dIPj{#h!* zjX5hA&%)o-29da3G5Z#qqDq^umw<^(g7?9oXeSUdxDruj<*plt`acqTEf9Y>B3fGY zycF_NKi*T_&iKsew0qrQ#!U)Q(gOI0F^gfg_(S+j4gq~aMYXTr4zBn*o>v>5`Eo8H zX3GQRt3$uU!Ec?JNIMxkrrC0&tt+plO+q9>LAutvhP6=?W$pqG;c^t9raPs+$6@q96SBpiNdZG zWiglspW+-HXTV))e>#*Fa@lKdlbtLd{&><=%<%N%T8m~M`rD#2G%Z$XGGAFhX)PMA zcB1>B;vO^kL+p^K zzH|dGuQ#AQ0#4NA5cgbcb#W3)s@RKvzAU;))OygN3nao4*R_}!Mb<2ns+SSUB11C? zF;~JCqjii=zGjAm8e$QmJOg)Kxl;-UjlIF=JUm!-ijQ~YxP~Z)(l*hw!H|7{kjrB` zPs;LOVsvqe+UnHTTHd&>Dc|ft+oD#TtmxZc0|lY zTCXLh`DC*G4`@_qV+&*0@>9W-_k+)043n%I&!Y2(+evn*h79qVWMr4JZjEf`{16Ft zDIw9aS)Eregs~nTdbkZ``e9|-NG=YKyA-{>nPd@J3|B52REjlLn0k-P5stU-3|YQV zvt#v9=L1)D*IS8~dr~`=Kuh6_*z1Z<*gAE!O(M;nZSbDqP4`zXMGjD&2Te}>G5=D+ zl@@&IJh3Zd72Aw+Ycd^ry_&g&{J zy9eg_NQ&yE-}>`!L(y+T(f>_D(a(BMBRzkXK08L9yq8*ot=afw^O5ew#f!kvOILia zq{x+iSb)L}fF1x|BfpdoqrJ=1uD2*o>(gR z-|n5??wx-v_l}i|OM6go@a%WrcNW`!)@;iuit7?~qGNN&B7g2E=X%C2YKjDEa5?hWBq}gsxsEn+s*iffczMZF)T??t zqB~mx6C~Pn@*EnCr^UH-YEltxR4)=?6mW^}-}Pcrxx&CGrTK_M*!FC4_+-Q0@TV+b z+!xohq`fWk_MU0Omu7DkJ`5!V4o1m8f!}!4%Qp_qmV^af%+O+bng$kK+-c*^i%M*H z+&We_N8?W$*Vb)9!}hP??F(!0Awc4Ffwb>Qu10zJ{4?Nafa&i zhjf;QGH1A{Diq@xz>Tf*@{%lPd8LLBhWz(JexJy1()xWz{!ef%#myrqwh}Lfv3uEf z=idxI<9;L^M#Iar`3=gY6R7O9 zaN;tCym#fkxIyczXQ`7}P(XeWZ|^~1rV)^KNPxS1lWRw1xsr9o4xI>K)hMwxWDoCs zu=$uCBw|r$XG-6H{Fav&l*SO z+J8+wu{Y-w;5E~x24j7|d`;zq7xX2Y_VIAw%RdzZ$-bdb2i<+L-DDDE#5vBKOm^cg)x}Bna+idlTQ?X(KoKRKB`)*>qAE~`tTBu3}U|nCN$-0h!P4?Z9 zSW(qIXqiT*a65QW$q#Z2B??NRRV;UWDuB6;Lg1)(GaZSihx3F%EN`QkXIY_lF z5sI`1bHQYD)Ile%Q5no+fC`&Tn9?q|0;q10H70xQv4qvj#8d@v(sBSfK_Ww(D+RcB z15x=z6mr&oG0x-093%{X1rW+MIaF~G94^+YH^Gi~u!i~o3J_JIoL4dqWxlN`2lP+e z5pG69@qI0smga!ay}QYDZ=t4^Aic{SoL_nA()d`g%;^3(u=}c?wgIPu6QDOqzLc?( zc^7!DS|d>va~zo22Jgh(7#Gk2T@|1D^P&EPB#qS6H-xQt{^+L8FxGA3bI zSn^XcR6fKU5eb{?SEQ#ra_0UQuSYUfclF96Ptw_4cz$=UP4&5p44V%gzeCqUfBeju z?INNMZ@IqE@mYK{uyHk={WxdRDcN=Hy@_pB?!=75q2gg#DtuFC-pDZLxKA<2ZamP!waPdJpfvbGClS2N*q*;nC z`&n_w0>@oG-P=qoPcrnVYvIf;CG!z=qaY{u&R=7=s}Z2?)xYP-M1X1 zD5&8(YL}RfLJHY6bz=jg#eyMyJr0Zr^O(=x7nC>u_^x>a(^Aji=4I;16Wyi_`Z=*= zbB|-?qF)Q3(ef*jUdz3U*i&v6$gZfU!nrDNW*K*gP6M3ve(GqzAsY{4(a-xW;QO+hgAMh^Du>)$lndW8zG z;#a?&@N{IrQo1}FPif6)Ht||&DBWaqL~^6c>f@pVFR$mCzT&534x}cQfB9ktFfqn^ z!@~97Kj*%A`}S^`Z|-?Yx-(47%*+_Td5*dkg~2?GQz_f}j(9Bz;p$`+QWglyF~c>V zF`ObLUTq^Iv_~;eF5}tE2~~3TK!eJa39;p-WvSidl*vq!1!XRV!X+VINn~?|kL0oQ zNz_**C@`0(T{`0+q3#)8S6kLS1q6}#lL0%nkyGL+i+>3Bw5q0XnemmcL?(xDV67=) zg2*TgD0*hCHd!2v9mF}@Zf6cWc?>n@LEV(#q9T>cHDPY*916=#lxW~Q=%;ZD{D z<$hFPlx-Lo1MN2Xd9#<0VE-mZ*8s-0Y;YqT89Aklz?aLOgo2*;66{RFM-ipew_<@- zT0&sU;ypKJ%#C!tfFr5G?M`W9i<@bH%%55Mkbc&W|^?v=yIsJ z3Wa5T*>1G&QFD%U5V^6oGN;?N3Q%@IJ1BzC2TA!i1Bye-qD2B56n+&5@#Rj^9m#r^ zeDPx}RLfHpP};5VB#yVfb3REs5caM-z^ib@x8mU$t3vCT3-2O*p(cdL7Ft^02m#$Y z0K_=lb@dIcxusr0UU%}AK+Y=IRdMX zv_PCR$2jycIjUPGV+ZA?`;ar#$GRc%aB$-b9D)T3Z^S_^R=1U={njQ zvgd2F=l!$h{d4>J`fT1ZtU-xsi9Wz+(Ac}aGlV|iy)zv0Z`-}b3RN()zt0tq$eCB) zV^9+#Z}(=Kw)NmQanUytW=O5Dp;#KVgtqTA}x*>i$z!PFO zUX9l9O~Bekx}7rD*eouWU9)>1Bi&~_;ifwewH<`d(N=PLkx|f-Cbd$GD;zX%_%TFt zwJfP6JBXvPaZP+=K^ixQI4yG^PN>{W?Q8I*=}LC0^8{r&xG&A4{Qb^e)qOh4nK@7i z!*;o>7b-aPK{0R)D&R_db{~pqXp&v435ic6d zzC*DU8)9ni{6PHj5nxSXlpWt2S=vGck_(B$j@;WQw4lsn5|MPzj(vfZOrVvx(d2!O zyQ%zRd^>O{n@`CO{ZV6a5Xsvj!jJV{f%)swCiXLp2^-`+Up&7wzi|Od7O06U2J{Ls zQe7k{3l4-B;`?-2AK_NmEF7{KLm-~Uwz9lj5f+wH(cbPHSS>sf(o4mtpg#+BBjlDL za62P7B#!Yl)J0C$2tcTr^g9;_UEeYft+rb(FS#@jG(J`6En{3*XHbC*a|jcnOQSTW zQzY|t+6XJ+-tA^+Uz^|G@s0`DM!Gp-8?M;X|KKXkck<o2xh+g9H5Fakm08cO+#LcG$>AZVj>lLf%~=ttS?gFf8}3h^pDJHSdwr@{dLzG-N0<9St{0@5Sd z^SLcoDY3~ti5uJRu!RDnLgRAN!$O3o`A82-3hizVa{Fg^X_x{(OkuX5r+M{@JEbP& z%U;bH=D?PZ0}HQ$chqotdF6Q(wn>5j#RdY@qZfqjlgZ~O5e}<;e^)` zE~ukQdcNU%&Ga<`PY00H@<4=xS=#mrjKzF|PqX1u9s||@GK!|3pN=#2?}3cMOE~}5 zK?}m;o{*7|yqER4}jt5wP0A;X#hD|F+WhozFu9k^^JTKCE zJYZzxFFl*|f_Un5zYw4L4zFB3cFKYEr_fk}(@nR(8=%NWK3*tu>Jx`gZ?gpAq71-A z6^r1djIPjgYdlAK)I|;++`AL!S-EA)mfKJrMeI9p(Usi&I&dCJ)IblyX(~p76uzXR zc~><(-3(`=>dZo*Q;bht-!ApTmX8KXkd%igm)yxadUk|CK<75MYUFL#>ETpUjELq>slPNSBu zP~+WR=}U9W{Zj$N{NI5GJ?)nsx8U7~<-pS!;RVuK8F*uz5-VY?h{v|5-Y-)Iwr2NJ z$X%>QLhklWwG&q1ycV^*ok)LI!#Jkz6zi?2kN4`Bh@A51CJniQHAF z-*kIndc+T;7w)Q(Z;9cj4XplI=XaN;Ar?^2B(D_+q zHU>zW5Si^pv?03hgB_=&d#G>rEJ$Lr9|zV&ufT4XkLaU~@ZYcTUWE&rKuX}5X_Y!^ zcN?+!=8YE@tJ)#c3BwcD;az_>Bd9d>nBWnq5lEcv$H3DZPeakOPG+%%`0eMp;BIlo zA1HSYOr;MeBS-38gVEwVn*|M{;PXwTrKH<`ro3|ur2YgR;x9udcf>8= z9*ln9r&#U_YTBWw=-yM``X$VOJACl_IgohHF9V5uT4klORE-p*o*r({DhoEEc9E;& zR%fT2$2}->#lQRU0PYEAHz@Kv`Uxo$if(#%}~wt|_TT!{C7n1{hEv>25w$>pfR?%kBF0bNg9H zSBf$bQE^YJKnrixk@z6sth>cm&85|YK=LIc_xMRDZgsy9%74uN-(k6vLrX`4Nt=_n z5jIElFiCNRXUa73CYgfuS)@8r99-uQ2R%R&dK)T&_AAe;jp>H9^15dEjU5)Py0jg1 zUb+wK+fF~a&pwE&>I5^AGL6?6>L~4T3d)Ppmm2KJY_D z7B0FVykMc@3XkLVs{l0e#o9@Hc@^z#;c;!Rkz;16Z^^lw%2 zb!H7q$t@(NNzzf%JtUbf9EgANBGvn%6A*VT;X>^s(32?eAAX@s}{~c!$VWxN7huAo$&=;bwaYraH9?(sSsDQ&X zVd2w%$`Jn{LrHDM?_y=$0-5}dZoVDL_|rJnWWFT9zS8xh$$)q*b?I8C4al^Hyzh@G zBKwDW&N+oAl1-zT9tADacV>(7`ad-qyg2B9TYS~L@(L&8lT+Y07OQJB@W8G6=!G$N z=Fv|X$6dsy>pb$bJu;?-XW8D3TrSahKd8jH8L2BrQn5)U&Ib8)(vKI#(iuz|iXAyF zYjdO*zw&7F#P)FB7Lk#Wv2kLn9udlSI8`#X3q;uP(^!4qg-!p#AHg_5H)!a!KUb znzR_<*4;!Lvyp{09Q<_+7esgjO-M_u92&Eef}h3y`sa(>r%f732Wk*CsyphW+Lo10 zc&?FK_oby?VD6(1F{chJK@|_PT~dRzMxAJ)vU2<2=cd2;IYP=+j>J=Kjnhn1+k}kE zGV#yk8~AmRBhH157ss@X{U!v_^p+QbB#Xlr=Qg(Q^stmyg`4#U?`v8r;unM9nR#vADK9* zbg(+ENO_McvNCKd9Ctd!W>sP`wyYU!9Ap6MFgApd5@0U0QOw)^XE=(4f2tdWKax=jas*G8I^kUGD=G0;_FpX(_8p6WZST&7Z+#qN~kq_!i^bDAFSS* zYm()J6@44L=>>FXtG&s7EZ>nwnBpw56mQE|&X|H;T7{h&3o`Ay#~#SMN86gj`kJK% z4k1gMZNBQ^{bKC_y`dprinUZkTLeyDneFa_-MO%$Ihmwj(u(+MGVwX26;a8H^6ay3 zk%DtHXR?W5Hzy6e9H4u}D&1XY#V(@lac+xSZGcx2VwxQ!N@{FuViR+c9a|jM=WcBL z%UW!$u(ty2zJB&Mb+pR|jJ zYZPYMH@w?u`HRoZLx1@vH^*6T?Co%0Sb@#iyf%y*IWL^vL~|7WhZ#XI!Zsl;<>KY0Mkx7vZN8GJln#}h^+kq% zcL=_v1>5Okm6D86iwIpxoD!Y=*ySTte3-k)!g)4wRJYP;dRbQH!nLVo*=S$v@PaG9 z_m0KAKNv1`=hn2oGZQ?U-;C$$D;g`#&H@h#!om1!$4Hgba`r*YGY0JV_EHdyQrWw< z>P)QAb3bDG@~ZjWW63Xv!B}w*XL$GnGEkhy^@|8^rB9-=oVnIPvji13qp~6U>+Mea zGC9_(<>Y;k18}p#+Ct+Sxw$T`CKmLn3*2hmd$*8Sz}df(vI=Rf`&EeoeMPQV6K4_p z^z_Ue|4KdDUH^$K!1rd0Ouk2D*<88(E>egFd@ybt5fbDY=~pMT zKUE6gPtjb36olO7tIG?0;IdC0j}C{zyw?>^fH~_LYv2l0ImV!Dn(2}E=2{^%kNt`J z)X7lBPZ^DBOqc%jv{PKWkuB_;?9CsGlgnM5;c(#570f<4J%^PVxWptMJc{}-DuNqZ zh45Ab+5i-IbqBessx-8#y;~h>*qBg3VVg7g5Y(%qu$h@kgV5mOPWN)Mk|tevIwbDa zJq5he8(PWRkU%(l@oXK+=-YSM{-)u4*N8k*u)^y6sArA2-tv<1jnCXruTlX6HO`N` z1Xn{PWb`#*%Y`DYe&C`}C|+o=&)lTKvG~ES(y7f@mv$Jtw$$tQEpxhi0_)rkMdi~t zxR#&;J>wDNq8l$;TeXhO-$Y8~N~F%o@otApW@P-P)zF?TQrNU7Z9I~p5UZ9SLn{kYGk4ak+aSqHHLn=m;qhNw;Is0h! zq2@|n=3_8lVp$F!ZuJ`(S&W=H)ChiLu%z~iy0NC_C)_puBIcc!d3b9mGHlV6W$j;G zfCRbP9+iC9rZME*gB-? pY~?&&u_;MAzF<}N;Y?@jhR-_v>C()i0c)r>7dSpDdQzerhDFE{MKo#A+E^03EMhlqWNd3}Bno}AdJ>m1%7`m{-W%;2!fGh2a4PyM2>O?dotFo7 zSua*I&F8OGajXQyH5)9I)%58upF6dDyzQeh2OEMaIKB5*IJHZmFW;sm%|?aMvsiT1 z-zNvMO`9!$5+u~HB3}eydLX4KSa#~|D9y}3N^L2SjLw^+d5ciUpE$4d!2cG$Za z$Nd=voEOp2t?isXalLQhm5DQ4pp`ivu-1O4JhQd2GpqZ`q@ThTRH~f6 zZ@$}v@EQ-!!OT%*o|@I0%lq_M1FQQQtsq@%>BH&Uo+uod4w=U=U`GQ~zsGEp8oFl)lsD>|GSH;^I=2%-8>lb~Mm{R_&r zW#62FbX;#5N456eG|Y~ z2Vq%F!M2QJaN(76NW@i2u$b^$mnd#F?#VM3%R0O@t)I7`pOY8cWc$5P6F(7pua};& zY{0gL%{imAT^{R-T~_xc%%dddi?{%SvVey4&;uu|zy;QaY~WOGNqN(spC!i}FcPw& zQ|Gb@-Zs{L`y+vIDoa2`tk}g*ad+ki{2cZ(PS@x;+?8l?!cSPH9byhp*zpqi*-Ht^ zas&3=fu8-&p(W!^S*izm)rkI?9}lb!zt>z9G%1#E|a3`*2HIZ z1ZAVPReFx*0bzBOm1p{K(U}eW_G!AE(}G-S-#a*r^+sR1#EU4yvWL;jEjI+Clme|5f@q9NGA*gzTfa0#=7Sn}}-? zL~9*^;zzDS@*QdNI($u^|^17p{?G9cP4V9I1-l zn6X%wc3>tq!u?4xl9(k!Mh69ZT5X5aOu*5cH0RZVt)4#N_M?ck0<=1{zt!q?{UMQN zD(I^Z4$N3nf(ZUvq;)L+eO%{ZXL%%HzVi4Sg{!I^(L7%t+ojj&99QXcr^xOZ3 zBELmM6w{3a{I~6Rq*&LMxeWcGv6V<0;-ZQ%dL&034oA`z1%GRwpilohYM<}dF^5-5 z?!lAh7aAJcInU_RE@(3?em*6yVUmt5sC%sJxfQ|th^iS@mtMM80?j`NRP z+!M*Xwj_o)Y-?DAzimrn(s<+LmYUYrM=*dbxSn^Jb#4UUyK@_H$(ZCW+?QVsHomdPG+AGBY^=iD%1$rosh66^=fR$ zz>g!z(;NFJmJAS}06`uW5PY38p8E@N!PSSZ^6S^H&m#pK5Yi1{U40;)^AKk^h4&hG zNSBAnbN3xgL`N~C_u6`{$d zuZhTiY#K)=OjQ>f_P@`A;+@sZm4NSCNZm_LPaA6Rd& z37SYM@+KKVpl4x{RUfI1$G&p2jF5Y^nrKi;x-UU8a$bt^0B&(_wLD51Tu~K3d69xY z*CYZ>ipXX7x&bZrN=S|dLB#34a=~mp&Z$KL<{kBF-~5f7atf9_l*>cEKDYs3Df2A- z0nrZ)yu6_a?T3@!bRcH*@;7}c^iM?&nC;lJ^DlOiHUPp(PjBPAuK^n!Cmy{%yAL}6 z@5ilbwBBF~G`Zq+`cxt4lUGz5D@mKasNz+j$H5SuMA~Xj2*Y(F^LB?83mLVy*9VV; zAW9+q{=MidIL%O#4c9e`7`|Yy8M-kBqkn!-Mq#hd9||H6IP6Q$^G_QvgY;jp@2u2$ z)(6jn&9|=I0YM+A!3JouJ3hP#2l2O^O}T*I29&Ej%(hjz+LDj7(U{2-vFwVRaiFxy z+a5%4Ttqei98`^bx!!;onsk%JKDYuni>}Bgz6jEfnF$3mtUN!DD#D)AAv%~L`%Nmp zN#!@GpbP$+tNc&7O8LB*otc^0bwEFcMB;yP|4Ckvb@=15Pz(c?8K(%~qg=2OUcB6h jL6cG3qOgFl%x&rq?(2)+O7bFuzmrO*k7ph=yY;^S=*%*^ diff --git a/versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP1/Distributed-Deployment.png b/versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP1/Distributed-Deployment.png deleted file mode 100644 index 8bba51b8d0495141d02b68797ae1b51d466f45c6..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 34547 zcmeFZcT|*3voA_g1{4`Uzz7UMBl1DM1kw zP?7?IBvAy(Ih}r<@!i|^+uwKZzH6O()>(Ufe<(BabU$5PRb5^EtE#@Ct*JyoeukWY zfPg|pSzd>LfEYzUK%{^;3V!L_+d4)-Kx*ryVCd!SXJhYVO~583hyTPT$ZzNB>BS}_ z&n777>+8#Fin(g8YK~Jp2MY0z!KH;%q{)!V=&=ej#3A zF+nW8y}7Nm%kOt-xCYoeIhnHwDvI#(gI8TN6cAt&LW580_AcIj;IE&!sF|oR2lyoG z=H_ILv9?gN_k!9BiSY`FLS599^)%Gk1m(bICwoV0@JGqo($N*_;^|`U2L8y|dAK^; zdpm<}ViLUkyh0MfBD`V}e?0+R{_%HRa~pFH`#*+(=ILYY;c4&cf}f^6o0DeN& zUgoy=Uk&B-v{k&-y?C^Eyksr0Jp9&LX81N<{%+RzHdfX?_Lg8wK{g=;z+o$Ub6XE{ zKpVgPZw~q>+A5&s?KCY^MA7_)?!xY7fGKcu0RuNpOA$|B1#Nx-ZFh5dU$mXLg}Rve z)c|)rXG?$n00U*ToV%@#JzCMJZX+djZT)kwt4Qcg@q-A(1Hg@ibpAllPX z#X-y;Yh`1nA*?4P=BtEJa1ao2^wN}6)wOl) zFdoVZ;CBIaFHLP7AqQtGM{{)peM5CERShAF09QK~B_k(Ce_?AyVHGbyF991ZK^GfM zOMPEYKLITTXKNt|9gL;FnuVa9n1mjnLrhpt$=<>-z|u$8K+(@%!p}%uTSEwNThY|)%A1@@X?nO(QucS#kgo2xTx898hXp>J9}BH z+bMYXJ85aEK*QL`qHScIG@K1=RWSD6wz~4}2DTzb0u~zX&|?)h2SZ&8VI3Pe4|^X+ z3kL@WS$h#DZAEP%H8nk33juv20d-v;ZB=a{Ej0rTPis#X1wAcGBWodyfr6?##?#N$ zMMXhJR>w#|)gu5C!0)c0s^M*At)}2E=ZW_Ab<(i+yXr0~DywK{<1XvqCgQ9qYo{%$ zW2E8g=Vr;TtEHwa=;|n-Wv%Hh;ov6AuPN&%XeaCwAnay%_3Bk|1sexT6<<9KZ3Qh? zaWzkjSb&qVtgQrASVh1~Ts=Tl(?|ZQf~Bm5n6HtxypFiIjfAg*G^*+@yn z+)YE>*+$L?E8<`!U?r@1)!ac$TUpN9+z&`hQ9;hhP|H=w&rn+hsD!?PwT-*GqN1>q zrl+Q&tAVbgm8OIq*2CRES3ujt++5L0T-{m4OUc{b%TM3a$X(S>&cQ=j2Q8Mc-tvy3)$)^>szQ9y6DO|Xj$4jVw^>ttc3l=)jTw0UAt{_0k4_L{z4nyS8*wnm0%LpMJ`T_7EKtfh{JkiCJrk&d97pufD6ybH!c zSH%Ka=N_s)g0?yu;%){G5(eH{;1|$A11m1zrRC*d<>llr;N~VOfCfuM(MHTy)7s0; zP0mNd*2>W!z}v}J-wUIwDX$|CAY$+7uV^78E~erO`lDqv{jut5Xcr%}wF6e~s)whw zn~J}-zNV#>lCq(fzrBN^oq?XBo#$0~VRtbX2}?ICZ$DwIsF#HUr0M?V5(@S{mX;E# zVt%6f5^DB3;*Lhb+HQsd7*SP!TMrvw2?IG-B_BC=eqCi3O;t@rBQPjdS;X8<4>Fw^ z5&|MFq5)SOz-KRrrT#AJLK3#%gOG%)fs(hk7FJKf+QCXq32SJfhSs&U7e}L&fV~9P z!_C22%friBPfi!>q;C}9;9}!~RkX7A!RWes=?f|e>Dgex3>B>f)V&?eUFX~bQNsHR24l049(rJo+?*e{2i`}X)k0pw z#>Z95DnQB8N68H%Z?1vyuvGU4#!O4dOUN56eno8!44< zh>e<Ix?Hs^WEcSn69FMYhJXm^rjYaav78hevu>XH{YlQUOOf0C z`BJphC4EOc<-qg*Y`Tv`WWS+8RgwNjU+7ulO#)`t(+=lk|JF8~fEg$CpIxE1BvH%Y zSle$2!K41iBPui{M8$u6CsH9}LMKhWKK-{r!VnKh{~{P}8lFpnM5(w>9sjc{QU=#c z{Ku=1VKO>Iv5C30?nm)+{XGg3`upF$%P?_-cQQ{`^=T%{osf|C8F3c#pT47H)pKR@ zZfWp>*K zaw-r%e*CyYA^Ir?$+S5h+C1O1`^#g*xrXA@N3PNaX4@?Pyqo7Q8%S+W)7+QzuQ<*q zb*-fC+nM{p8=tKocn{v8l-kPKI{X=gLeJ%Pjs7{cQ}<*}QmuSc<9myBEY{C-ny(%* zt?1WLdwXSbl*RUecdAq6d(n!o5yv{G5~NKtT}DH87d&1Pl6IIK?qIeT4-Xb6g{?u8 zWVTd8w9glBjKtR0NbCBA=UgP3;%r7%cNC_}-!LRI9&Wu6?BcHM*la!w{_N4kGxOqS zN%GX~%bHE=#jYvOmLDfbVKc|PyuDM-#0dONX2=*op~q+Iw6}mwJhPdew;Q%5tr!buqtSrR05Af-Hi{=COx<7TIc?-#b1^FH@RgI3>rv{Hz500OuI7aMDeYQ_TE zRXS?jr>v?643dw~8Ont0|1|5uktlbDhqBgnWoFjcsKdRU!@DZU7iiHIZLw5%;xcG$0O}X9%($f80n(74!5L z-|+{W78f)#FLD)E>9{k0^OZfv*-^5%Yk>>Z9&gV3c1*-DO1)Q6E~Ct+89&&l*}X!x{X;91bI2?- z*qVykr4<{pJri$hsF=WT{xnP9-wv^8{8P2^y zbrg=;@~8e>xJ+bV39+hp-N|%2YrvYQPW;CT3rCP(`Ovi#TogP8jaSMOXFwz+l#2}9^eUk^*6$vhRYPnBWlbCdQs|R ze^S&zLQW;<(EpSJSlB!Hn$lmynwBXf*86p>*S>%F@nDMTZ%CIr~I?SagjsNd!qGGW(M38*aM7-#>SVn+fn!_Dc*e_Mmv=H|Fri^(!g}?IcUEAa}<8I>zwFImoGo5uOB%n zll&mzjEL&+lG>(531PWhPBF=)OP6vB3mtpcKD{AT5Y8do-Rj*EI75W|o*m}HSYu(w ziH=z1(9JWP8S`siattCKcaJgWmUOb;8w&JflL!_Jt0#(+gAzV0k zR9(pN?zPsj=GSS7BurmZ;dYbHy^m793-qMOBBVoxg<)XQW<|7q)_%1$A>5P8X(VY_ zI&n*(V5Nd;k=_U*YBMK?I_paE0vK`q(uxqS)%1MtYfF_S1P7>IQ=+j= zdU@qrjbi>QR-Z!;_h&v?CZwd9g&2Ly4n24})*y!Ix4I9uRAp6}`ewU@q@#=yl z*mi%_mqNySZ@pkZD6uoKUhsR1?>qBOI zg(WYZ?M>1*Ctm(lD|fIrE3KsV=2){GnE(~wY&78P6A@-f(+t zvk4>IlY%kjP&)5@chq~x#ABg)h;A`>Ya*sS6WT+$D>|4x_LkptwNgrRL;H78^TCb> zc&yduM=7}^gF;7BoQ+1fSF)0k5FvY!y`~LSK4-GWHkRF-Yr!!2rt~eQ%^wuczV+<6 zlCPp!-L(5pC$F3s$9ja z_45_+ds}a$Qv-k1DYg7)6Y7y<0h_Y4)%pO2kEH!uhN~&!cJtx>qDQyH?8*0aUwlU1 zrZw+be|9J=wyK*+O&)QnFGg~MohK9a0orLX9e{J(F$@8AD7^^rAB$0lw>FK*7fG;k zGJ(qTHW1-Ouq8cz2b_oY(A_yqGgk63l~dD3btx@7(?nx_ zcE}5H7fSXE!0Y7D)NL_qeDUJN^rLuQ&f8P1T%SU}31vghk4(sVq1juJp=&H+qi(HX z6eckU|FsWF)-_*zxF)BL01M0{O1RLj<|t+uG`6{X*0rI0tJPpDQm=Nb&96M+O-{!- z!0b>Gi-jI9&HuG*Fg9_FJ2FfhxMedBV;GY9G%pv|M$Nq!8_y(c z0j?AC1kuvoYL8YhpJX4EQ!9s3ZST#~LWZ1dZ?ni5ZHX}LZfUyI{G zYl=_cCfC^ZtZ&nUtuFi$!j8`rTQ4XOF#M*q#xhD;^@~@ZMmw2*5&f=%1Ql9AeF{Kfj9vGoT9`V`=E9;VV77(NuIHL|&H9XG4mBDXlv)`rI6rgoW% zB4WwMhg%?*P3AmF6+K_^m+Jxnqi@Fjrfy9-`nRrs^~~NKz0UD;+?EmZxCKdsJVg|4 zxVwr(pK`O~l2_hREMgMoZQfg%Ec9s=!$d85Q1(QUn3n^o(2v_tXYC_u`1YsSr8%V9 zv_h$=m7`)l%-*-nnrs>$!z_aN$9!pxT$~7Bs~*HU$^bv?$T8*%4Hq=hSy>csUOYHl zTG~S&A;N*l)fV?fS#@r~|&(f)whvffzIFbq0tpb&OEl7K{&1~ynvi0wWTY%HhJ-t}VY zB>;Pbt$gh2g~_ck|8N8)5f2+oAT~}Vg>JW&oCdO9R&XQb>4-O3x2JYL$=|2^!}>W_ zn=`sPTE9I;)C6|bY%0|4-I%GsH|;24L{(Xm5zgWdcuf^Nb#^>aSL=#CaJik&k^KUky+#HW$NZGgB64H-8s>z*+)GNr1t}NW@&d&2 zi8s$KZbdMLnzL5(8d+17cpZll48RvW(?kf+^)Jx&>UJkQ!JglM7G z&+(6)C(sO#gO!d3JLpY>y(&8uJM8MC0V{Z6?=kiDdX`_gmqehY^^!1KVG3o*-M zl!_o{)Jg$1Q`ScktRRn5oC#J$aXV@>1YWP?KaxORd5!|UFP+HQ0*KC7{G{6B z;{Bo4GBQdq$36^DaY1w#QNaTny<#zfzMjC#@kBZf3AOfPf%U&(MoAKyBf%786X@nLEO=kh!2En$!J`6+{pCxTu=5SjGZ`kxeHUV8b(a200a49@-?J21H4>pYV&(C&xLSFK z9HP?@KdGYHd!(Q>0f`shW|*8Whv-P8g$GWfl}v&p^EC`lR*njS5VQ^xg9X)X9MT3I zU2_)j+pUS}NLLU*1g5J!;PXcqS0~yz)4ROpFZzYF2Z#2M4!v?P#zlC#? z(9qYF;ohh7A{?Q{MtJS5a8gTxM9a?)6GrL^3+n%mfWc3g2IY zS&xQi_%I^)Z!Q9?q zbWB{7jbZM~T~#Vub)vCd1}f^x;dhXo%wfZ?Coyh~TO()RVVMEaKvNE`yqK z-9`0Dtk4C*#oz?Q4I}4okYIbM@mg~>^`9||_St*B1%t4`uc*C`E|Kv{-&61gurs`0 zxU9f^2={osPiJv3?H-9O8m5r5s(AB}f$|L$F*0YYO6fL9Rd8wb>TA&UztS1y5Xk2c zb@x;R1dZ}jfbA*2I{udLQ}&OK6>mWjr7%M z)#I`dSZa3{Q9c$^yx&(cgU~MZXee_bg(q0hYdaQ?MX^Q0SSb@)b&X&soVx7XJsmz$ z1t#1yEazObn%{rY5QgCRKzxl<^`*yk)y8ut!;wieums6@CK{j8>R2F{aSUMu%(?QE zZs#u&c7=1SduWrOl{J6Q9EYEIEHZ!q01wnxUV7({aFgcscga#AP!hk1qW-^)sO%?* zi8P<&(n!V2YfZ6dDbl`vq3+#i9OU(RWDpX#TDHNMVLLMW*wnd{fBXGSp!YpGI79mO zVQIDMbA)sHx9JBLm~s{Zi%pz34MM0;;PACV%8E99loI%RBbxKZr2n7XHxRl&u#8+j`LZ*xt(&>r506y z@CWEC8zRd8+x>jA=Io%A8_=;arPgtE?(+5<#!&9c?n{nrp~0m7C7X%KmPCj(Iaq0q zV}}BDPcgYKBn8y*Qob6Hml@f_)~B}=NjjUjOM`<`1#}qpZQeDh180z#TVi90X8Us( zj}|iaj$|z<4hVRLa8h?OfXzmI+5+&Xb-|O=Bru%Xx2!;y(^mq#1Y8F6F)10YO-9{U zHm^zSEw#=7$U6x_&ATrzN*V<%w_E2VCqjpFfQh78WPP^HHqn%rIZ4*@VQ;}TG}*c4 zi$T-=f@>Fauyk$Owplifbp$<_)X_ysjKNishkL6lYkgW>S|KYm-~@$<+m;IgYpzDaV_VqmN2zTNkc!mDF0GWCjf_DIk;}j_VzY9saR>R^q za-flF7UD1Qt9EL7W5hKL^h1NAZpCEkQ#b0Bou8#$(1|@kY6l<*K4bo~7W1W{`#%X4 zIy$*Zxh-Gc)>OtF>&*v0o2Lu%v(gI?WKFx@)&T~+o^kje0LFE6w}7el zz-2|JcZA_DV8v55NnyNh`cKx319|02m3RAjd1Y~T1UtzDt<=-zjbTTRVf%dALsM`f zodz%G!KolgAuN7*9K?D|w%^%Gu`mWLg@B9MF%XjMKkW{J8;)sX^yQ9zBtwQo!%aiO{=`=?qp~=svR6mJ0Y^7Cs8^Ph zmWU-&5H|#Y{Il7iOgRjjWz;blVoO_FO#!jdnsonYhPp!_nAQYkEjuxyODbJH8Ba?*YcaMaT{+gR? z)$@YFu@6L6%!qy&cy&8m+_|nB;2QU8vS%T9F2%V0tr!wAXWeH9UQ7f+_!xzH_dWyPJzN~u^BmHl1@0mLE|0y1l7I3!yI z09IeXJpI$`@CC^$np5iO!UcYLEH@9qiZzZ+{4slsU04=}8+qK)(8!K5zdaVy-@3{* z_4-ya04oijj|DhxzmYz;+O`V)9|DG?TitliHBEJJrE;%Ti1QVu?8f@D!m;v6O9n*0 zEIggLr#noZ|H>j3bGZ~F$S6}w%Ua0WJ((uFP?AE_4C03~e4$2}%I82d5(*ui%s)MG zavD++O<4$VJIT&9Ar}xznYTGcP1p9O%)B*@w6pbXD~Oq4Vk7kpjGl;ddAylw}@}dxm^qiZ_@;fzg1u}O23I9a5v!CdjmX7%Us+%SMa5BprEPZ2gs*hr& zZo8P!Z5A|VjR-M{pCbIlMxEik%9D^YQ?&8cl3_7kJb^RO+5uL(C$~fSL%rLJX;HF> zwUEntK#O{UaHJJOSVtZ*O6Qp5sHOF)iL;MdYBZxr`{|9H1WrqbG~h-GTI42=ahJ(7 zH`7ozJ>&}7%Jv=eKju#55=_2&`V&+-z*EEQjKEUC-G;z*uP+)rIvFodAf zcLHzDd4T^;Qoe{88Vg)BiOqA{p?2vb_m6Tt`ZEKARNkLSK%6cL^k*cxMC85Td1*1y z*qQ@<^o?Ly)aIiTBGRw5)WQP#s3hQByZdZw-s>xRw!$#qRE3xd1J|MYLm$mU$_Fci|p9OBo-NEZWD++&~nl-gZaYF@QtR zN#4I8=%ysN<&(QKGCueh27etX# zv`h{i(QvS)BmHG%uIAXpPbum`+1|~$Z>jk}oc(EFPC*9R#NDxZ_>S4|Oq$O?{Bb#i z9&65**(x8}*6+UeQq1I)=T-CW_q;IsXmx`g!G!L=(%Y}`u%xz{8TU`R$l%(Jru_&q z2u|m4`RD`r!=9H7q7(}XpJJ&1k5<&`X@^r$$cqXx^*#0rsuGw}#@jQj@>kErTo~M+ zM3SMb@n(Zl*xW>6AP)JPQ_lgXIN*6;I_p|Kb@DO)vn~%I=Tk)l(4}wQf*>kpg6C2G z&~RG;*H&VczFoA-rjhCw{t_I*H-l552^2q9-@a4mFna1p_ys(2QGWU#n-eh0e<3!= zh)5aFGiyMi<_2FQiEgpyd||KlDGxW?cHWUn+A1=S~JW#4o%2`amVioT=AHUS`uY4fgsgg{$Z^Q+@-zXC8 zcc62UMen__j239i=Am7y^xWw*Zy}n zlf!whO(Z7Xk?JhIJImC!)(8%WZ8-vsVo{KLQjqp@1$j*ao*{^$b@qvh{OTmLl}Ze- z9V57(w+Nj%kKX#x$ZoBT3XCk2WHq|)-X57dS2j;(G*_|@4viyv_m);c9-qc z|JBy7ajV{=qf9c5_6g_6Ajf+4)`YfJTjPwJBr(nR@81(kN_hEYnYi$vW0cRD zX+JrK011?BbNvjw97xB6NuDa5>Glhkp#k^}B@#vZq9gDsS8f|p9&v?$P+s|1K-f>+ zV{yvl$XEchgoJ^C?eGI5QELPsF3t0uutbaJA~S~!6E(0=guq5U{NrpXgR9CRt(B_I ziOnSlR|a?rX>1~S)W&~OLO}H~g5m2Zy+KaEO3J2S8`iV zz8s}b=;gvAaVf;+*Exv#AD`sCiRyI#yd{=bE*vSn<}sF0eNEI5gwN$rIbSHNeB^FK zl?M>@%k_|}A*vn#pb1QM;{^Ae>`fb8ZU8^sDa$v_%G_(iZA zgb(tnYO4!gB%Bkt$b1|hs3T-%%`iA8d3EvqCBLJF0DLM3y8v;q2>{7#uM_o0o&YFt z003fv{MY96h{iHfbO0#x1K;RH$Lfasm6a0d&vH3@u!M0T3UH3q%i}Q8az3^XnZsZ& zK6Qjh15cIk!+7fU?~O(@<}X2N1{3q}zKkPj|39jl#`j0^0s*dr@~7MY+6H3%BgFGl zw|LHn%Q0Po$6*b4n{oN!rj0YN5p#^pDxREGgs_ms+=q8Bs6zmAD z&?r2$jLwn5OEb9Ib@UyOrn?N;DI$ssurMhUKRoR%P;yN z2$Q*h*Ap72>L+Bg!@Yt6Bv=qXXbMNzJO514dKXxk+7n9!pjLgDl^Br|ulFel#rw#> zPey=66!OZS<3xM2NY9)#6h=pf0jC8-Uu`orr@pk-Ewix_B3RjB+E`t0tet2SGY??) z19LdalJiBZ$|rJrYCoLp<$Xx$Isx$L%7pGTs0!a0%P0$1COb`34E9FQteDimGs3Op zG=HC5P86^kXJZrTM8B+Y_`9|oSCxrF+MOd@XnI)fc#go9u=TT%EP|AX0?!fQoEy<+ z9&KJY=MZueq|r=*ypglm`Yoz&A}pD!&%{2XnT`VWI?BwdnDU@!qLJ*u6pJK)pk?Y^ z?G`Fz}NX)(O3WeKx7_A5Ao}(;sA1SOH`pK zyM+%pef%gz5vpK(J^YB($6OU%p>qNjxQ3NZuFQz4s&BbR!tcSh%jDfBkNfe#l4+{R z>?Ct2c;J3rU;4_8eXcY4OuVXSB+~9UtlvZT+8!L~l=@Y~gd+|=ijSn6=~uUwTiC@2 zYsz+h1eu@y_$|V}uPE!vuAjHhO`OaxJY!OQ?Y6kETd65a&W4i5KCW0KGmtRjT}CRo zE*H*?<#|=j7Gx|w1b9Qora2kc{Ky$3^a+}`kYpWMHom|d8Fm?uG@C?FkjDl$$hI@< zA;g(sqV?=jySp`i{Q6bGpM>K03*9Hj6fen2@A5v@mv#hEx67_~e+0VH-WO#kY}(X# za`^qb?RZM%oGlbz$wiL`KsYW|1h;dSi@l+9S=HHDpRw4i*u=pla@)~iG;(Gjb+bUL zPPL`*TxtKH!Fu^h;Y>W@L(-h(EClX43?S!pOEQ-@-*8n|>jzhbRQnXvQG6>caHmYg z7?0&k&2W+dbXmvPc;HQEX)18S)yS!I!tcIEF2;99s~(z8%oH>Cy|#o0eIV8e!}l*H zA4<)1{NspdoF0?4P}}aK%7+n%<<}->6Tk%b9Tor(Spg_5*fQJ&-8c#U^>F0OZD)O* zB@OnA)(flqzGZZl6u9S4S}w%w+$|*dYw}#p*rr${4~M++5gk#v2EI#YIb)Hoqt(lX z>y;pkubJV>S)cd%L0m#LBbYhSUo$V-bJ%7^SLFh4O8N8g<)-gWPnpmS?nAFF2YRs0 z*vrmM1@q}=d^x2CL!N5Yk-z*0cK(l@T*ec`4|vOS;dy*|{&y;R${SyNBx+{)__=#w zn+o*xA#0vakD9&##e}ra>DgK^{wo(3`C29Iws1)C&S#)N4ynv-FD?!qRKNeAS3kOi zopoGjE(m^hYb34|7EbA4cc-gs5NME@?vQrY>}OE%zF4(ZwY%|h^@?$HSH8SeCjdOF zEFXO~dR4yC)y{?ed0hOCcW|H8cBpC5YV}5Ty01g1K~Oc&J^4h(@AfRMWy=c5Okd9nANz16E*uI?ThZU(r&mqR<|C&rQf?0x(Jni-8m z*#~rfj2{TGp22jTq5AI*7n>-2#rj9PLvzJSq4h1WRO9Ss8#$Qs90c`Uf{MWmT|Zip zJ-{vx>??4Z#aj+w$yu;euEZm5n5f7jm{~Qni~`DsOThv#VgU<)dD!1IF18?DJq6GG3}GX5 z{%?NXF@lfPtjr`-NqPC)jfM*tgOKVXDil_SYN0_)p-oRCuk%)^chlg3MmqOHU9Kju zbm~8K6v4O!HB|&crB652v}l71tkOZSN(*9r#xj^Ko?XzLc|CN=%<=GoMrv;Xtr@IC zR`|fm4TLN%_Xmd>pTTZQiW!fid~B+o{N+UrDgpiE0*@)j2c^}a$rseV_rog0D=LTw zJ>+pr=#Oi6pU@ZXcLK3_r!wbOR_eZ}udlvoQ+8Iw;qKbnnjXXWhYu(d6O)uTLT=ZI z#^_DvcRuu#-`Gh9N&;(8!N*Pf*V3Yky*&ogeOuLYwt)C&MsY}<%!By`=d|sKUUTZqKXiT3Os_ z*F0|QEyYNm%F$;Dr2}LCY^d?xOYlr*bHPpOqH1*nHT8qp;5M|5hL) z{0rH$UXb+ToaZ|fW9VKvT(SU~E77xPOg~vzZE7HHH3Dgu>C|?-rXVlyjsl&LylKFX zC!8~9S56h~*a4M`KF+*Ck~KBBQIi+ib={JYPp&YNXLsvnLsf9MlxfM(4mNOX7M%$W zn$^XHPoeS&Cy*<+@?|juvF3B@#W~MCyu3OsPP`asgnu$SB4mmrjwE5r#_lxh3RzNN#9oia1 z2zXx~>A70b>-ACowpsh|02F_+8+5c8`5l`3=*yCC0ls$YuoQBL!^ z8&vH8@+moeLCs6~(TJzbOD)IZ`J(+m79*TeJBT$D+F#!Nz0)JsuQf@_xHtD8=0zoCXiP4u&5hT$-^`<$N|L4q^&uj;imb>*lEQI`%-0(9Z5 zbJbOpWXwv%ui4U|8Ls^ed-3*T5mP__sUSe00HR*0%mYmpmop!&)i6YSul<(pm^YSH z+fHYEG9Nb~%+b(dZ(-;vi(4Do?2Au4n2*+p41YbSpZ#hQ+Bhh_@vZNAx4)NS$WMAG zCDHKd&Eaf9-u%?MSD?x6wIVwz;06uq_q#0*Uyr273)x?kB|Wc)xaro3H0|Q8FUkx( z*lr&>7PATEpBH?HX{MIm_++^Pr7wdzoSH?FdN&U$(}|5|ZfXX#8ikuaMQ+A#K>?C+ z!(p*&aG~GReGqNqb=f7aaXa#ms!eI}&;?|i_XS;9zUKK}zkyLxLGlJN-m-_hIG2Ii z;XH}GpU4kZ`M#bBuVS#ig6VgpGfhd#>ld4L>4+YcBFGju0S~@_2pql=fWss^V&zXuHeltn9<11|hHSLz=o>oTAUQP|<8>1m_r8+0zg6AR z9vqMS(O5%GvMk{Ascf>(S+`kV zVWj6F*foWvX?~r2b#)Ty}qCztD|AH+c-Aftx)YAUu^n&(UGEiLZh~f;xISncTT}1^_NUxu|E3;vHIUYf=$3(zT>7N z1C`E1CuXR<5PeZ424^eXVy`N$xxUv~Ev4^BRQhcCiM zj_tc=P|5y$sjg2P5G_;2=JFecY+I@u|ZB>>UMSzq~Ok6 zS{oI$-1+Q%`GkacVaOn4VotYt(e!Q(#8xC=rVKVO?$o)oJYO|lNCqxrRiz|ZId5Eb zsI#ZK>znpM&boj%Mw`jihXFr^dtC62bVlx9@wB&6rYYANr;2vp4u>{+E!fsfI?iC! z&i%i8)UJIB%JY}{MY6qve|8o&`$OLI@ACmT0>J0J|AxCe{cg6h#5JA!uqPh!Y;{*P z7kc7Kfh%hE-*!bwh}JyQn<`c;^v!_t*!_Rh^A-8`f#n|$EFc#C;K2h>U0rM~9Qozx z)yKK{`S~kbw{M^LF*o;2GAo=IB+h=f7)l7atPs7M59qwt!P!l$*#baC?tSTxDFC;S{{?=001M&CH_>~|AUtho>g=BlpbFN1fGP^4 ze4y;OCk7M%|LFV+Zcze<$+Yy5>j&v)Hn00v&jbUsBI*ADtyo*6H67y=1n|f@G^qdM zQ7FN)h>KxP_cr%GjQDSGGCrhvs zks%uD{T_qEPi~yyD<{()2PG#xNir_` z^H+fJoN-W|9totm&=QuBipx_)lQb#xCUOF)LI5)3k0oXc{r{x)0@t%#gjt)*{fusuf5}3f3;viCe1~eNl zTXEDswFvy*qDw3f%?dA6tz;m1N|<`FM8n`P;mC858ZI&{8x||tOFeqhJ`A$KcgPp~ z&p>T|*3q>c4bMaNmH?z*cjba6sNV=7GT4ny8Q;0lJsJr$Hh6HSw^W}7yR8vRhe6u$ z5H0|pq?+#J4G`;lLT0#d)*wWUI8OLwU{h?Oa@2<8EvW7KwPO~MGP(%6Apl--_|t%b zI&Epf!r<0U*L`^jGLHA+H8vM1E`B87>NW^rF}FN}umY8Q0O&VrW%Wlu`7sa?W`!$( zJ!#3v!fxg7Ll74($j5Ubs#3#zz;PdYEUpcNAU~26ZBTGEKOs~&^A+qw%DL#ktk+Q6 zfRZESvN;?u$A<1U+@Jv!MA=~jP3AK-A&-PMp~kWLwybN812}^ann&%lAPNtYP<%we z0)*P_@qG9g#!RsU2}0-L6)j7s?UkX3PfWch@eEcSYXjwO{aUanjHRz?qE&^ui%+XU z9Eqz;8CU*v?X$( z<~$g|EC56yjOUoW%$=itU_YiV=*`M6huUU2$~qzK$YD{4u(?ix@ctb8^=enc?c(h3 z@2)_NEe1}L?PEnAri|n4+>eA0Qo|%T%HBBzM3Ii?gK&;AalIo|9@}z`a7;i;%vw?=)j2H@gO*W?*FJr7WE4X9m z?gf|x9!R;Mb-_$KyebT}9rEOfr6AHk!3@ru*2n}h-p4D?I?W7guJF`o`a_5#MdHTW zw{W-YnG!`{23u1kPXi+C5wNZocP?Hr)BGR4+@5||1fUQ*lxz*%5cK-yX_iI}zmF>H zZ$XwkJ9I%16gc?6QnqsT3e^RmeR;pmMm}5$xpS5~WDMv5P{#G`m(W`GW`OFWktXNQ zTCam*4G1x2Z;hr%mYB`dg{uDV1N7c{vh9YT|H|~_IE&Kln_0;zJm$XLLVjge!d&&=z1v#if}*|L&PwKh>P3?W#3&{fxkGW-XxUrh;lVo zv$eG$JMMyuItGWWV+@TvO<7be9Y$O#I;2O`0Xq6REp=cN^Rkrf;;WX@X$M6<#L^sVzw{s}Fo-qh< zZ0V>%b|k^c8C}%ODj>b04_USobbV&%#U9+jJEs48bLozjJGo$GU*g>mNBOt?$d23i z9w(T{Ko240S5KAUyx*m@avrX-`!TLDi1BFs*-EB9cAFV7iR=>I!BaY$VRnBTu4ES+*fSgXr@0JUVbBtWs)u3oB+m45mYP)I6cb5d4;wT+<*250 zD6z2G0kLkcFQM`}Hq7U|{ld+UFL_8Rm|k95GqEY$G29+7AjU_{pd7>gXQ=*s{TbHN zEJVZJxz$3d#5Kr{2!fxzzW3n>n=u6dW+-1ozQNq@HjFp2j&ram^^QjM0#s;5B0ptn?1v>#o zn(GwpXXYiUw?rQ90W68KBc}WEATSQ6iHceUt3Hlk;d}}HzvoMko1(OD!}II(e*>y! zFUo~^8%7%h7{gPfhN8A8G-qPP>B-;^pS53ck#th^mar6?NGw7riq?p-6J5Qku8#VQ z07Po}ha?BTC>aTu9bB{LL9uGial%3K)7T%*Fh|r*0q#X13S>HMVmB3R<&KmhFDl8@ z->&kRX|SXK_7C;)61N;zW3hfPhy#;Bao|4^A->W=$?`*Y21_!1i@=f)Br%M!wtG@j z{VV~XVCMgyn4S6G$|q3TXX+(^XXA+OZbJ}q5e4ygnl*~E^mWOVL6>MCWn8kNU0fSK4LT80xaAhw5X-C+0`G#z1lK%bj# z_pchhHts#mncxrGY)V$hEor!CBoC;fl_vb@-8P#PP~Z1w$D`PJs19x(M5{dpjcnh7 z^s$+DLOpjuT^t77RmcniuKCxz2lSzffRwjhwJwc;3K*;Djyr-bqvCZSW;g@xx=Wh} zpn3%et9F1O3j5{xvPf=lN5~4eH|V5v;udsC+X<)Rk6W;GE-pW3G-ZIWu@V?-9x zy#3ylZfY#xCyx;n)dVG796{0`q+ZdBK1NFdqQ#{xhh*%T$UDlT1r2;JYCj8}1zBY9 zf)99PWq_!P3|qf6>8a8fYz3pW>3Fo3m}diuyFr&IL073wi#2cG%Jl4(@BnpRUC>2& zQ2iHNILLqCXttXUT@U#Dlf|*^wR~wF5F*l=>6N2Qp*IVL&@}c2=+}r8 z21SZ>d#l-pclkho#RFVk*a7OM z1N_?_%6DQOrl|T9iSz^1A9JO=vZn2hUIsVc(XpdITr~@dq_+o7R9U`dOS=n7Kbt|= z^6nIu*|zHP7+@q1R4S+`9%1MYu4=Ld^8$5)P}md-dYEs5JBT`mkffO0eifm2hch4|ayGUMUZ*xMjF z2ttV}2H-Xx=4!X}3J}ffngw?<**7_J-Gm~<&<&0mocs}>Gv7pA68{Cnou!akg`Xhy z=VV?3);N7n3MgQ@05l^YtXtYk_Hg%>b~L*RyIB5v+;nR#qF7|lxmO6L#Y}r&Eyem z4JC~m*w4TcSU>-4!}V?b;8~&6*y;r-L>nu-1n-p#fGU1|p70lgsBE=KFDw+gzr@uX z*&c=XK%IWW#6;n|UHLe0G%FUKkI+%xjG2{eSulW{7AVQ1U2YyOk~@rv`Or!{FDv|R z-d72_z&SM`tj4=zmRdeGZ-feUMz!zrbk!%Qiq9V`xf#mPExF}$Dm12JbA2Q> zU`vH+MZ&*PFZp~a)Wt2;$&crc?O50h-Cv5N)NNVR&JFR8>0?X)nUXJ>3=W3jELjS+snV|7gcR-ZQYXuz%8PaN=HDh(bq{aNhte7 z0;sh$C7?x$a%a(4xkO?Lp3%A23*p-QFe_ny0(Jv&H8bkt4m zGf?ArGat%kKI%y`kk`VcT_Tm+y`z^9cL!+)?)w2cBEl626)GV5>wv-uu9-fqlpD~p^J{eI{B&NuA-%X;5uexK)luIs+9o0E0f@Qqe0J3cK@L0#>M=<7pE zA{jb!aDLdwgzrz>a`lWST&a*!VD7}$lRz`)m9LhWSwDsLd9CS}kDdDp%H-!(Qw{t> zQLKHOLbXjI1dvz2XXp$HcCv0X>siqw&v)Dehi!o@$r;0U;19Gb<|5b-d#2)iBUh*- zEgYcn?^t7zG@KejC*bM|jz;nPT&F#Lw26t9B?6E|UeC}n(s=>$L zZr7Lf?W0zZQw_)x_8`BmfMKLX;E~2IC1~w%>Bqp>LaxV7rf_^+T)x1zBo(gx4s0*9XbTrivo{59pG zX2uaYY&B0r_xXb}*AH+6%7z@Ms!^>sLY`DR8VC;9d8sr4liOBYI(7b8WwlXCqYw@P z-O%;nEX{d0{&vKIHR1jnYhrejp6XLPjTA&5oQ6Xu$eZQqcn#~NVQ4a zBYzgp1_Ea(aY*wvLcBw)RfaMEXJrLAZk-4{Zg&Oji@4nG`UB09=iI~?{Doe|O!?Tb zD7!p}+7EvhIvwXb+EfSCBcXNr6{Zl;5NZ2kS!IAOiofYrkl z*`0pH*AWG8idpK&&IRiS6Qf*xv|~pHh0jcy<}1Y5l7JlA24KeDr6+ma-)lpK1uhsZr7^!Txt{ZC z^HNh{U^l;}TK8$zFMsI9G5^A~8Y#sM+$Ox7!N*yfkz*lk4s2kV>UA<57fK)!f7{o7 z8|{qz>Z#twT!W!E)>P_nRaYY4J&<&JAIP< z8N=Bs2nJl>@Px*r@hDx``cFw>U4PbmX<2{-Jp} z_iMQaY{9EMuR!WI9uh;F>Jp!&GEcDPp(HaCHi#TRKHX>aOR+WADywHWF&j59fVsre zPL7QtPh!s_9d=vZMz8o*{Yf}F#cLyAvakni+i=RS9&ac7Zq?Z1~6Mv4TWJ!SJhNzB{``^F`f{bzx`c5p;>g&dxsuON_Z(4{B}RG+@zq z;6^cajW+>{>F)y@VJnzbl;-*b6#WxG$e+*u1E8pJ69_OaTC*1A2msLNUo=*|`xn%| z`1F;;mxeRlQ;ZqxYcN6u!uQ$%y>462V%qPbnKt2}gCMnOkWswjd0F>k729R;CUHQd zc7b7}b4Xy5s$?YD6z9|DGE$J6oUyI13c_Th5-eN^>9<-o@d@pRYq>ZI}6 z62RxDc)pr5?*BP3n2VIFPOHrvmsBQ4m;lp4z{+Ix!YhXZnZK>t^wWdh4FN?8V%Y)i zA{$!*c~q8(hf|1v&q38`Txu5Xis2no=|LhL`6r%KwSxz|^uA}NcQ@~SHp#7pdj%IJ zsP`2;CgYU>u`EQgYi!i3EB-D#*D^3CbMtE_Rp@jWFX@RYR$ja6B3y<9R^ID3A3FQu z@CT00lPF3#3hO8rS2AV$5(U$F0Hy@*g&vVRkwHIyM7?#KwJ=eJ-lk@!gRG$-Hx`U2 zVxhP^nk)vM1{)_O56Z6Hj0)UvF#fa$xH}m0Pk>t3VFt?J>=?dj)(wZbpRc{e)isUqE(rLA{cuGUJdZSbrp2=zOpZ^B` ziH_brL_>8q za?2BG&=@J#2k1v|-$k=Tet6Vk}0Hlt^l{gUXE#gl}I_**tg#&4@~iP z)+2BwgivC{TE0|{5oPHYPkKEi;pi9~j~})?xjUr(pB)HQ~%c@A5=TboZBh%AaXtNj4%S2{HMo=#z&@ATe4| z;5ahcnhGDoXpV$1YJVAj%r^G$hZyTBzcDDABV3<}<}>5R4ZpxsIK=t~ORLxo|#q zH9dWKa$Kb9-W?{&R&fyFB}afSFdfcVV32>DFcbh$Oy-ce$Nuv}rW^YK#lwIl*#scx zI>4fmJN1tKo^RR_GBY_Qm6*iY! zZSp(gvsWxWiu1W+_A%A7EBb4-mM`}^kH8q7?c3);W+x1Ujt=xvLDD!0U3OA;COJr1 zg>-M<&kx908pZ`h%7Qj#B-x|=bH|7tRk~eBKtUqs#E-$Pp(l1Gbt)FjST!^#!rqMn z$#1o-qysSp0EhiG-{!I}Yf|#nQc?&qBWyEcmh+TI5w6|2Yl&1z&xDjE-vkhZ@nXe0tD2CxZo z)TI+migE>tm<*HOo#Gx*8v}#mki6u5V)zV6Q5<64Z4YhEb`k`M`sIdjZ>$z+==F^q zpG{9mVh`^7CDQfTb)Qr5T$q_9bS2yl@2nkm?~; z#H8@9Y)A}_yRd@6>BQjlDsD97X}hFPwF#C#2E?8-Am@lPYDSP>%|xR@Ponxj63U|V ziks8b1*5`U5v-sq)-%$qkhWx{D!CK%AKAuZqEq5QL6ANeGOmttWMT53fD+l5Y0ZA4 zTry8rx?&>>!xU0nmmsw9>WiK!`7tl0Vu+*TR~hf{J*feQwh!o=HUnIxfRb)((0sVY z0qKywM+wJ}=IM<$5Fy!v0r&dq6wVhs2%=k-G2vvW7@nvS)5=0m5!WW8?s%Xqtf^h6zt$ z0>OO{<(dlKJ9Z&sw=$amqqCn;$DbUULm{_7;uWt7{`M5*M{5E~)b@oe0Fyq?cNjE* zoamk)n=XieeUAi3b)SGWBtP3&QMXKlzCJJCV%1&`V3+j%iUrSF6q-=)&W^oqY%(aC zK)SARf)L@Rc?@7hnO)~e1Ugg3q&ZIXCB;dfg)#LNW=FsiSW%7Zg1LuQf0(Ece=Zdy z9{|yxD9u((%Y!4WE;ruh&#dIP9-KxC1qW0Wh9Zl1qzO7eoO8%<+O$`MH*kdy03zNw zGmi3?(4Gz;?bw(&q6W>;k_P&Q7l06CFXqyvgG!^6;{;8h=VIi_^_`s8g!W!Qboazj z0*Ch7FMu^R)_6iR!?GpK!6I z-l!3jPuBxqHmkg!)^Ee;*#}Z9QAD;f!_gB-5WDJoy^^!c*d21J?7V;cS*oeZ%WVI0 zjf_(n0lm46tdm}cEX$+T&v=GF`5=^BscRT2MS@+X2wBQHIhs18Bvwoju{l!M zmICXU!C@0nq-DB=t*PG^BdL$C@-ZB~|H|v5QGOcc(9xWb0u!U@cZ6?KOuUJFg>E6N zI+~q7|5^}(3~ zYO0vH#yppU29L$1Iw6+D$?vR^JC7(62nDORlae-u4{f8rDBd6EviTf@>Y8Pm(CnpI zMg5(I(`7UQMZW$}Vh-LWHxW=LK_FFiJt9;mll}mUrU+7jUnNdL5}MsJo)gizUT%Ua zWkcKa34)Ac$(==?R!FS_{=#=Sl;M222wwq_q;aez^}Zqu21xXD-6gC(=U!?%Ob8&X zVcZsTyTIr>Tn{kxg|;C%?q~M_>-{{7h$oGMqpZ)T-Q3S)-lnLX*wD zScwzItLr1*GtQ|*%mT=4J=3c62k5l4zatm-y>WO|a2{e_?P-o~G^1wN2c*h6eB!8f zXCfA{&DHPGzVT4@(a^RSeaIy93FxBRL}3pBj;=XA2gb|fDE{3!6uqmfm7ZjEAEiXc zr?Dw9lc^}x>7ON>Sr;xjZ)UhM(*#{1I!Z-7Qu?OZ#bkpn)oypRn$8AtKmm~hVq6xa zRnglZb41omvyc1EA){mIfB;5kkKjRnlAvhlE{~`~uBj}2JQ2-v8 z+fnDA^9eCKxA-3c)hlsX+*k#dX@^zQ`5@5n6*uwE3cknk|1Cr0{ChtYBXe`}_rsuJ-qPA? zc}!yoD@e{g-Ju0oD#ov$P1?ADQhNfHRzCgO@F8qZ`P&e~XEKH}qL@?OBOS8_NcF+( zw0f#A9|QjL!ofKEPT=W3y!QT8(rIA6%#qbL=d~g)*><4+X_7PL z*ixk>LJ7#U%UeqhBgc}b{I7UR=ouP^Eefw=c{6>Bdt|?L;kUCLn$b!SWi9bO_s;IdclgMGUWw@66G6~adl`|`$ z6udK5sQ7Dx9Z-;gT}9?4f;_It?%0VMjlf<)u_YOP^R?3=CDF9^Sg8 zO%I-=U}L~;l6)2(T)VV#+(m~@-=FIW4GZE&ok-k_8rdO(bzxvD=S?mm`K=VQ3$a;p zr{Faaw!?#uqmvR=p0j`ohUBm!t4ri-bi&}*bgUCiV>@`EAbmE}l+Ens#n4$-B37vI zDsB@Z4E1L0y~~5F0b45u5d>x0y@PJan6)Mvk*% zT?l*}=?0ZguwhLJ$#RVohu8F((|)=BDlZxqY}(5`3z`R^DWETjb>e0)FB;ArSW^;c zJ7uA>!g#FEWyc%1(ZHKxP4O7D<%Hk-1h8h_$s~`W0i|NgOe*y)57a;?XAX?KTcJ4{ zfp{Yi`|*xiZXC4K9-AY>_LTkh@T4>^nxn!Syt(k8q6Ic)@fxWoP;XtZPWbacBWtUe z3!?KYQ3NUvp!P57E^ch?+Vzd7Lj{nU4C{p38a-&I(`l?J zmxp*wptH-cLbK~g#W*zZJXllgg4i3uvyfRkqq49B^? zo$%t9_1KSvX1!uCoYvSJwT$-I2*8u<*c{2o>K%j!<9V?$TYK_K7BqXv7W@1?01FGgGo=r`xiN(R+F6t8dyCvcRHAJuI7+O9Z zfsY=oM%1P4Qcn2XTWRSF|Ajd;TnwM4yR|a&cl4R7E!HtSU-b|@&U{awU67*haR&|0 zLP5{j1S!2=et`9`P>`ZUEkViWH6OO@u{ST8)eE`qzqZy}0G1BV$UxmMgf<2`^O9kCya8LH{?0rdCUb?!79ss%x;)lK$%` hhSds&cdLqqE(!2ns%UlTedi+hXQXGQTS#$=_zNJ|d2s*$ diff --git a/versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP1/Distributed.drawio b/versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP1/Distributed.drawio deleted file mode 100644 index f7c6fe79..00000000 --- a/versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP1/Distributed.drawio +++ /dev/null @@ -1 +0,0 @@ -7V3bcts2EP0aP8pDgPfH2ImbziRTt+m0zVMHpmCJMUUoFG1L/fqC4kUkAEoULwDkRC8WIBIkF2d3z+6C8JV5u9r+kqD18jOZ4+gKGvPtlfn+CtKPY9M/Wc8u7/FtM+9YJOE87wKHji/hf7joNIre53CON40DU0KiNFw3OwMSxzhIG30oSchr87BHEjWvukYLzHV8CVDE9/4dztNl3uvZxqH/Iw4Xy/LKwCh+eUDB0yIhz3FxvStoPu4/+c8rVI5VHL9Zojl5rXWZH67M24SQNP+22t7iKJNtKbb8vLuWX6v7TnCcdjkhWVoPJP5zF3/w/trOvG+vv70+z4rJe0HRMy4fw4noeDePhA5L5YmC/Afn+3N2pzcfcfSC0zBAh67s4dJd1DwuO3+22U/3O3oAgOtt/Qxnkf29R0kapiGJy6vS288vnP9eSK4aHFIhrrOvz6voLkEr+vXmdRmm+Ms6v89XClLat0xXEW0B+nU/QziTgUFb1SRkjYCswqD4HqEHHN1UU3pLIpLQn2ISZ9fYpAl5qvABise7Q6swymD/F07mKEZFd4FxkA2LonAR00ZAJwkn1RO94CTF29aJBBU8qNphssJpsqOHFCfMbLeAVKFywC0x+VpDcNm3rKHX9opOVGjNohr9gBz6pQDPGUACkEPSBif0OWkfHGEayyfzMqlWj2QaI4kUcCK1eJGajkikYASRrrboX/K79Qh+vYe77+Ef8RMBM4+TaECCp4SgYClDoJz0BDJuF6jFCNQ0O8oTGiPI055D4NsPc8+Yo0cAwMy0OJHhOfUDRZMk6ZIsSIyiD4dexnTUZDdHm+W+H3SwHNTE3YXZne5HwfH8Xea1souucZz3NH+v24+OZqZ1xrKHPDpfCY5QGr40naFI9PtT6a2jXe2ANQnjdFMb+T7rOMDAAoxaGdBvOqkzT6Bf8nsQn256LadXd7whz0mAi9MYQFVi6a+zrsCfDsTd4ZhPhKwL0H3DaborEICeU9LE5x50JcyCCG02mZ9rYBEcQ00upCOPWdAGOt4Cp0eOc8ZG4SCDypOdmkE1ADdTpVGlPGFNtTkTUuXQI/yYNTfUvobx4tO+9d50xrKeVhPHlsDBAyiwns5Uzsg5Krt2Dy9fdpUMVMgOuCh4QLZredg2fedhBji5MQT7bObckZJzBNt498OQ7HKm3Wm4jW0zXsbmEWaL6LdlTqWegLdesv1MC+Hp72T8SSgMxxkoN2yhquUYuZubjDP4nImgI6JohtahRmbVYsxqlcBR5pLKkPMtYb4U6uSgh23xmSTQlw9aRz3apJmNT5FGsIeedrA3j1ExzfMC0G6BnZS0gFieloCivcGYDXQN2oBeURu4mLCNtRXqozZwMWEbSy80kJ0ol6ModLv5GbqNgjIuza9B5OYp9zbjs1hJoRub7qVs4tqofWBzwKkp7UUEcmx6TD2hrQrkb0gDJqq/8PUSnk8r1IAKjXoHdWx2XQMVgAKuwerEoXLIhAd8dw3neBum/2R4vva8ovl137SL1vttgfZ9Y1dr3OMkpM+X+eWiNkmfNR8LOGW7NljWPIy2b+3qLXa8TurVllE/Hca4HVWw4fv5SS/7hmZc2KyxYzNoailNCkYymJHY2HhqNb/kDAS3MgFUpFBdDgL+IDkI2DUHAfXKQcCLyUFwpWMABSuZJHu3i8lCcMVjHaR3Mg8hbY3mzxLyVCVkv3Miwp0MZ9omIg4UtuSsX2vkVsxfB/goVXXnAxGRxeMuImHBEzZDoCxybXKZDdRPV/rj3pSUsuBKz9Jxb15GmoKiTD/g84mKywn9gK9f5GfysbRy0zJF5FcuwD8Z+Zn22GZo2PzwkbmmkV/1opk+oYt5PGzWKPCzWFOrgfD4qPln/fnC4z4AtAv7LNEKddYB/Zilh6PpmNOOrGsKU1H9AVg+g6neBQhQJR0lMXhLVIGIN4QCVhuXwr9TKqTvIm2fzKdYGr6f1vqiZKXxdkPhT6h7f822Or/VZnXU7IEqa9sN/Hjsy9tTKxmfHvoJlrPB4koCi8nSf8Pyr53Dx5WLHZ75o3V4nacX6ewFT9ch0chWM6badQSW2pVpqUvd11DXpGbj7dELwS3qw754LjspafPhnobJeMC9YK88Jeko8Uo1j+Oe5XL0UzGna0RTsu7JKwSA8WU+u8fKxLs4OKauxrd1lk/zEElvFtpmv7k7OdCe0Hjm4WNLtc8Onwiu7POMzn2WW9DGTHM1U19Q6QCmVDMtWgS0D9mv12WmcfZwiiHS50+bWjOCtNglU1WgVRMWFMXpk70U4vBxOi8spERYM2hoJy1tV64McMqSVqFwhQ/ZvNfhsww6FuNN/RahlHekcxKUyxSrz4G6auOFqtGtejEtKZS31o0tfPVlhTPTsBlEWdkrTwda6HQyX+fuZMc/QQHa9hvltrLzGmc0t7IbbQM6vjKSJd6Uswb2VU31rMG9JELP5l3U83lXSYJSiRmdPPdosablaKDb1VTyywfdPgH0uZaSf5rjhpJbBi3HTvLhaNNOqglF2bWxUs2keGNnTk7Vvs7ti9+02dfZZsEld19noUQhJ1EVlvSsFZ+MBTwZ0gqfu2AmdVIqPM4aaGQHTc7RV1tHXu45ENoMvxRuZjJZRNo+c5KWew4SHrcBgHLRqdkEY0TtFhSRhMf5KrUb8gost1bYY3WK1NnJNxdUNT181nuaEvi4hhf4ULn1UJvTOrcG3r++PYoy+BehDNLy4sO0wWTLtOq1QZMdPUdELOjKnZUittxtUpkVgr2sEKjZoNKSyTBDnSd1aEDUK43DRheGb9cBcvL4MhvZdrx7/PjBWZ+jIq9ZBmo4E7KlkqHgNUH+2tGpF1rVcw4otfwoliX//6mUqH/FJdzuZKI3cxlT/btycqX5EMGmlhdKNaESrtl5lod67l5GnjPC7P+QZIuaFjx+xkRmmw8ML8Jss2km9Ua73GjuMhIgvWz7iMor2q7uCEDHXzbB/vMJg90zcrzFWWIB6OHjVUwpHDqlw/SUf39Kx1QYYMtr6oN/qDoI7ctPFJm4zpnhiUycrdrECZLOGubZ9FO0Mu/3hnxD18SwWtdwZNe+KdatjVws8UTAtaQCF7414JYb2p0mNbZK5Ir23dMXuRy38UT/JmAk5NJmQrLtlw6uLUHr5Wcyx9kR/wM= \ No newline at end of file diff --git a/versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP1/Distributed.png b/versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP1/Distributed.png deleted file mode 100644 index d96ca216b2fe23de6ecacca6544f5b0d0ef86778..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 31547 zcmeFa2UOGBwmu4oieN#JBHacSS_nx%>AfQ$y$PWO0--mlBB&IxBhpj^l#ZYjX;OlU zfYLz(2~FuC0s#WN^$YHEJZGOX?!E8bcmLym$9C+YkgUGunrqJa&2Q}+7j)J3F>*4} z(9rDDP**mfp`pjq(9jk#>;j(@we_#k(Cq%|qhjjg7T}1%I?$YiD{cRDQe4a#=k0S6 zu6$Bl+~40{#NNx+Uj%~#zk#pZaP}BSjD!95*WzO0V!~oDVHoTp41N->0G9-RiNQrs z;^OAp40RS_a$ps7=)FxW}BBKS!gS&)7R{}p{F|H2aA2kQGD-NpS?QZJ<{!w!F!nt95 z-9R;zl!%xJTuK5Vf|B~<8&Kt+KR2{>wDrRL)(tdI2OnFf?Kzq|iYwW=I_WwE*(>_$ z8V0&~;xxAB=I7w$jlsEZ7lVn5AVgr>U-$%iIBb7v@8E|)gFeMi!d1Wu+hc5k?qj@ymG zjXmtq2ydjy1u>YTyS}=H$pvLIg!ly?mkT}@b-i@p>V7DgrmCW%i;AD%Kx@altf&%Kk>PGe+QW~zRZYl_GEh%SR2|c)q zj~n~~`lPs`zN52)zqX=|i=%>*D?;g_fr)|ysN||DW$WZ&ucE7Ds%)Z$aWcb6Xt~sQ!@ocgp`2_T+B2;OT$w|(LMm_6(EJcs2G`I zv1WR%L0V8>pkZh803Q{1aVd;G+!TCdBo(0NYKzql0z#ySfhjBaIEiV%UExm3CiXh2 zDvkjtCvz|+gr-T5x}T%3qPM-hBw7=c)iP6ZRMB%Z(Q`Bx_w$!Pt3$#NsOad5L92PV zp_~zh4j45_arGeZvA=tehk_&0&f5f3L}&oXQq))S(DMmWk~>QCvi6;9ajVM3nt2LeoE&0>Tcd(R}?RJ zz!eldkU>gVe=mJCZv`i9e|x7O4YZ*a%)=F~V&HAAfW_#djFHM3rYfptzFrs2;R+2XKfEJjE9P{ zEdp-jpx|cWYhtMFYh)CN!}+N=1}W$nX@CRn>@TijfHd=xz^IrgAPsO%hOQW8Z(AcX z37iTTs6AFM&cp;wloh4w~lXW@hU4M&j!3=7AW0e+d;kgbo6%rlO;XgaVj}k``P; zMO6~(s9}N*K%-O?{ro&|N=_)Wx|^ASii)N=&?1U@V&{err(ma2=CnSs9| zRtg*$RY?VJWdzz6p`eFyanUtFJ4m7({0&@;%u%*xYCvld;J*1lc1#o33!e9nINVI*BuTvnXWd|u@(;z)%Wu%`e7VRtMY^Z34 z^2VTbO~jS718x00T~PME%1Ao{RS8{FaRUhnaXmdyMHg#mrvo?fKsv*4$Uxm7Pai+5 zpNp*o9PNp43{n#Jzi5gygQLBJOpqFIW6-U(x}7ps3JINECr>?$DbB?Nu5O|Z^90{{ zcn3)+2RN$e`0MB>J9ryQ1}Y%kOpSfDz1_@%)R3y$3c3>BfoM-~vnXD$ceHcV^a;|} zvzIWC1h<%~p=5xcDa^sn6s~S4W^dL;q`CCLWvdJ>74YL9_X_or z0l)vc$>Ay$i<+f0H2gFg$_f_)tY^ROxpz|K{sK{cIrGTQi`?{_H_wTMKP8-+x@L4H zW;gokbk0Z*wXU?l3m_j|AB4ZA>|AD`W}|@ZfchO>?%ELy3Y)| zRs5@iZi~*vC*NMNnGAN4{qeEZ5Q)UPjS{#0*Kg85-^&-&{oEjV9liPj{23(XNQG65 zKZs>1m;^ zeIU=T5RNL?qt1OL{8o6`(u7-$qC>qH=!Axjhy5|Ehe+=kNd1kW^x(I6S1#e3D*SqN zUxG-;;i{=`Sg5-Qb9(2v?mMRoSfKW3BIs#{$_4m68R!)0hI*3ARvGW_X@J^e@UaZX zn>MpFjvs}7qR052(hX558kr zcs*3riYh!O$py{wF&pUlm3_>#^8frI@>jt8eq<&_^Y{B3rB zp<2qK#^^$QT4SREb<+3uEUX!u)t3+E?2OJYb1kfXU12li(Xg)}gLmn4G;RRg*IF8a$2@-psKE!y{FsQ!fgms zJ#975sKyuKgk+IoH>6ME1ePLVc!^vA=ZS9-u^L!#;HVZ>5 zH7M!%z;-Rp820580{a!IGN2vaTlV1)e%x62*2^L5mCD{I_L_w#+w4?7M$y3cTJ`6L zh&LBfCZ(N*0_RKGWk;?bzsYbmuc-dx25BE^kXcu9vu>jdb^A3 zYFYKH+sL=b1N#d@W?hrHqRAG8ik(8b;y6vQ;ke+mgD7JF1i*qA2NS=q>)9B+lA7Zz9~_)F^fCE!os4IFix|5-dqlW zOb zAMG;7K69(xSZ?(s%93BUh%n7x9$tTRc}Q++wSDAy#!W^!%E*BRXw{20*QQbFX_6BU z(T|FaZ9eSt(YtI;s^<-3 zdJPT%LNAWTqmH&UER5X1$1A(^LJtw2Pj(K#T3UI$-DwNPu-C-O*NAlRBl)5!Www7N z-B3>kfh}%gYeh6RzeRtv)qC93M?|5C7-T3_*D`;T|LkcrJ?Ws_hRA>>=aT`Qu>X5EehSnImcuvpPg{zHLI zoitjQxF$4uhY+%cpeB<3^O+z*@21Z1iH|k35BDwNQ8h4Z&FVyJ*xJu*IUd=cPYy&u zdSgc`0r!~@-x$Si{rty=zU{l=A;YsOeN=_mm1CcjBJM4*C0|$>x{Nc$RWH?-q%Gx5 z>?!IiUt4Vt;|(Ro+FX6rYyD_y9~Dv-K5C2(tyGlY{TTR(9B0_C)alxyv+ISvpi(oR`n$8#HNDd@h-eOHRCE zICLE`e1I*ib1C9L@MDZe{+qeV5uhF%NXq8HAEl9>2(jyCPN}Q}8+;tPIr(az&-w3< zBkRpw^Sh-(dBbWbO!c}oyK*=i^LZ({M5bF7qs5M zxA`f!3WlsF*jxx3JI>e7(WocgDENw(cwJ3GFFs@;k`F5@du0CZsL9pFiJpy>VLofp zqh5*OCa(0pnA)!Ru%oh}ipPf%n{AB4mP^vzYE(}Q`8OvR;A`plYDI;H4m7VXNVb&# zb?348UJ$iHAPOQ01esMl7jBSJPo7A|?JpY&awQ>7m254J`@Add;2 z@de-0ZJSByaqo8fw|})iPQSLMTAjjwn^~Rx`zRQTl*|_Q4XQbGAi^32jhj#9gAi3W zfpL>nWkQy@Z^)ZP$QGdH(p!3%KU2S&*%|bOWAvcMI)T7Q{on)BPhxyfpvtjhw*)?w zE#Wu3&4;8IspGbxtH#EG#jB0E*H0bQGp3)j@j+`Jr4B_b(uJ5q11{t{b_`k(AEn2M z+XMFeW57GteyUbi@g6+rEchuKYWU5dw*=MP3ZoC|1%p`FJS+&O+NaK{Ej?}4&e+Ts7Tkv|X;qa>Hl$93 z`MJeoQC!z_8=c9#%B75WB;%mm<@ZPu)l~bQD?gvcG41;FA^Wz8cbZNDZ*Wg?7wr++ zp5(aW8Pxd!MJ|v2XpsI(y)iH?s9JH{8)1H^7QUn!xLxEzElqs!n)kcC+nqiH=JC0v zaCs@(9t$bgW7{U~t!X{dba+)h)R?^yhLy!+&h^?1M4Cuv^-@5??45)l?*Nx(mhLl^6p)1Fn8G2mb9 zyt%K?&pIhNJgf7 zjwSVocY5cMRRd7#lzVK6H`IpgxsU9OI1DsM%$*I`*n8RC68JGMd6^b7mpJ86iHl3k z&tO?NA>fe)u;IaV=hF(&5=JJjx`cM!yh@2KkQ*0H)EE&Z2r(bD~s;rNG^`=2{W zX~o}umk^z^`A`D?GhXF*(I;i8rrpQoX4Q!y!HM>gdYm>cgit*u$CFs6gQt9)pI7N1Mm84|i)yLG7jKZ`z(QEjp2Th%y zrVt`;r~5q%cttuBBC&cJ+Lo&KlH!bXr|I&_4xd~{zq=c<-#PC6czDo*k}i%L6zAtt z2^whaVN(e@CY^hR!D3+J4*#|%f8IFScvuDZg?6t8oX2nT?K9edVd8#p#j0LFa; zfNJQ#Z9;cj?$6I-*`?*$(u)G4?@lp1V<;LjxHpq1LbU$`F68|Q(sPCIC1U}tLEJsh*D(Y)9{qOX`^EwVWkDhtIebw- z7>JR_Ohpe*lcOqPuaPEPWo)L&O-y+n^1)1zOi{;iinsPg%3lEzL96kN+0|*9Om{Vv zw?4UWDL8-Bzmj98$bK7I<;bJXajdFk)~9-iOy2AVCR=-hYI=yV?4~2(WVT)GjA}zy z`H$=ZL8TrGx;u48d)j)4I~mT)Tt(STubMZ{`@k42xohaI?^622aW>Aq`a<3)`-BK@ z+jcMPqDA$zMB%+6hi_KxQ4rrtw+Dy_{fP*rywvDA5QA9jb!C4+Y| z?~4YJCyuW{PfVLdKUztrZ1*B+eJN@O!Ggo`6n7xY6?+c)L*SI`QK!3RdfuX$oqy&h z^H6a9q$^KtXVWPUPckDv=UxSLo>=9QV)0Fzhi?KTw|lXvs$<;USSD6}L2^-m{=FE( z2_Q3vZqe^A_IrI(RKD-W(W+JR_TF=$*|GZH2n($85*%0XrnWxQQFc7FV*W&rU%doG zu)l8-@|P;i{-HiFX~hZAiYW}^rh&sXVf)~oDFvtqmM7H z|K7vYbS~6(jxh487b4wRZsy_oZ;B)Dl9^95@ZaJGnnV7OWaB{pxf&YV>}w0#Tbe4O z8WG!ILi70&11CD_b3S{FFQtC4sUdK?7s5_sN&cFsw^8-CQAgFI6+l37=|T7jkL#~W ze1mE0bq|beZ|QlfI6C%gg)~p!GE3kYGc5i$3QoxX4~OhOuW=(+3&JU-EeC#6%Na0% zQB&+a5z$f*8Was)ZL!%8g+?Zq$lulEI3eHGqkfOz^>QBHF8vV@KdI;okYev1r;L5n znjYk=Hkb~6Xf}0@OqrD9gCb`8xOB&dT|Xu;Dmz5p`4vp73(7qnV%26i6{0c~qU54l z9;SPLYRJ>7U{b;Sg|Dpkd0!rnEotpLVK(N#(se+59*|R@qT>&F4DJxysvIxsyV$;a8ySj{gYoD&wSFa3l zA^R>xLeA>7rCuAkk1O??8}nguRUi`JhBtG#Z&dHu%)?HYTnGcc@zvg{354wzx3Yau z477Zy$09i_wzmmab>=L=Eb&WJ5bwoo;v0%x>jp6)Y;SS#QWmQEG!(kC$!eQ4KTw?H z`}4EfwcNs*bB$aPvt`4w+#pUlvQ!urQaS8rET z&c#0+@6JlA2;;S6H(&i>eR6p^#yQUDfnI(To7_P8_yY^1PI0!}#*Y!!!T=RgmTZk} zf?mEf;a~y-h)aqlqb!r%D>3CiJG2^r)6UB#Y~EG%d27m~ma|QAG;TsCG}vwi^5&=W z%dE*i^uh)t+J`6;DAZ)=lwta#GT8E%pq$i9#bla}5+T-xVkb%d7MYx&VeQ*(q;q_v zo=Ft@2wiMeG+(oh>{SMPeN5yNhgSaNeXy{XQt<+PAYjI|U-DbH2UzVW6o_Ezu#jsv zr)wRjq>(wh@~?sL`6v{F-D6_usZz4bE@QQ{Q`dEq+yq5dionjGT!jmg6nw)*<5AH- zl0T2khizTXKz^6ZXZ$pPD=kR$#Kh_EV7SM2DP2fd)?7MYI&%mI&Oq2u=_1_xmCu%t zaA8-_#AZ^^+~yffSd;{QAUP@RNyS0DV2OMANVH=p@y7$OMyG=bEa}dhD`>v;zJ>dR z!I_u`P0>cdK_@o{11D2QY!6&ECE+*nO4=S_I2yy=jNUw755*ft2~vV-0e0ozpT3(rKMG3)U$8B@-Uo##Ee5dp%u+5#OdHBITAae)(Kpeg`xHO>btDkFH z)*yfi9(fWB6FsY&@O_UfZ7N~N@8!2y#Kx5KDb7}+qnk?MRr-4v?y+2|zF*RIDo!fLY&9`EqVL4?cP@J!`eUJ(R5moQrk|JTEu`6XoQqCX^d| z@o{|FaeT!oo2MKo>V2g2Ey~1jIw@sR!e($QQ#9no>N`gY*#R5c6y5i8>#OZG9>)UF zv=R`0Lv8V<^Jc($ZY*L$4)!c@rz>(_%r2g@+i1?NvfHsNGasne+4TrST(@MMWg15z z{J~@DMK)5T{qhj$ksvI)R(A24MEAIT=L!(Pggxe~8hhJqk2BsX zJ2)b_FXA9DDvm!slJfMv;9R=Hofr4{l5(eqPMKT3SOO3P1@Yv5`kawnZNYV*MOVAb zonLU-V&$7q6rjO+AKXsgQ%A+=2)zPV|bA>F%8YNWSzb4h!LWY5y$CFa^4qM>o(yewgUK-eZm??O?}wp$d3*xXft>aJ_~PNM&6OPqotm}Aq0kZ8Ix0W(oSy!}o}!@-W|PVtA6Qn}rOeE{ z3XDVT3koi0I0t6-z*oR7R+gPvECh3|vHg574^>aj9I?O_tB|Vgh@Bu9tA@7s&5~Q4yT851K`To)HZ4&!;yF+ zg&d+yeE*2-`I_ALQTP08mjstxUcmlgm~kn+N~Bq@cV4rC@7iKwZPjYzVW2FmNctn> zFU91~@B1D zqMElRP_;(_26J)?&OBnD#bgQ>!s>$eOB{8O}7&sTiVAJyfRID z!PL7->}C8NggDVw@0AI@rnsxcQiu%`GJ(aKc)pR47$-+cYR7KcSyT3BlG!N)8^Yz! zvDRI|d%^$$)^I>hx-mf!U;ANY;hJ0(#c-^tl0ApX7wssa#U{0D-8wRD1*E=@ zoTa=E0BpAlN69!;?8z->Oqp?#d$Y=0O+GRHxH4hicQU|G4v(X1i1Cg*A79B5JUQjS z^-^w(w>$>6e%EhXZ|H)KTX*8zBenGACy=&}8}KC|vv#W^v3OGx@!J7B=3KUR0VNFt z{~Jx&ZG?H6MRdY^kav>lgoNXg8&g~I6Ll`a+0Oy}R6T6hFb(Dd{6*Csz+ zrF}VP#-kUSH%20KaI}zIL;NW3E>h^$^}`7M?mA%#o2Sr?wKI}17%WQea@8NX03Tjt zO*XPGlMj9XfM(mzbJ06jApfZ0%+tBB72|eaC)fAgcgt$*?*w)MtNHBRlXECl?}^Po z3Dj)Kb0;_3FT_Brq9s1Wx%guJaaHMd$f4l7oxeJLR|2ov-Fd#fGA(a(`n@08KKRY; zYp+cdh6Z9hrRg%5iiT9nT)ne^?My)$mn4jD240l*7CU>QgSi=q7?AGkV+`mbXN+h+LenS5>g z;1)?OwI?tE;dA!Ve|Z;wxuyRn-O|y~QClxBud(M$>>_((*+qF*DcjjEu*KCB$=dL; z_*+49D=`bk?IG_40;jbElGOGAFJ9b?5SkHJVsscceLd)PPN}$Ob+`8sqm5JlwHVh& z|D9vmR-p^O1;XNCN1E+2iay2YCmg;`DMdH@6{q?uIQc&ioUA9410JTN9Ok+Ec8ngt z-Sv%)R|mso_-+Kv`CWN2=|1W7soPV@_&*b)KAy3c`CIhuj_-GAmIkx2%l;x=m@w~_ zkCniqo3_?n^HAwB;(PgyJ8S22CzmI?KrR!){sqC+{&=2bpyir4T^C$MKa$4RT!}}NHj_0{CcbhXwu?{YeH9(D|ok>N~Y)x7YmwOABqh zE7#Sek8y`lh^f`GB6}lF)p7Yw(L{IwtIDe3juPEwAqYDHD+=;3~efJqK6Xr&LsF=%c~4kfF@XeE3^bD!boX zFS}Fps)sJ|ao&i(%gmt>zJxr)C3tj!pISj^4}BiUw>5JLCs!YW$}d~9O5A;65FYaU zL#gNI`yfr?j1G6=*VEL}sb|zh@R>C6utbbghdEtU5vjhw$RaLQK8I%gLeAmlqqjus zf?81a^z^1`gK{N|%tdUEVUDS^gcZ$jc0cRB%SNBHvovX!pPcE$tC*Ytv0@2NOTTPt zY5yGl3XVjO31XR*s^Pk4p}vjjjjy3^bFo{!0GD4!qi28WA*l4=iz{PxmW-b`yp#L{ z@=w+=ofn-kf7MjZ@QktOK&GZAH{B{&_+TYf`EcLH4R|gMtt(jbo+JFBh4cZolTpNh2Q;EHRYk7dY@^3+ovD+( zcc#gcVGMYbi~EkyQkO7~?ym*^Yr#`BwDt&@m!9GVd9c(ZX8>wAJ+!{i%zGKzhpXMF ze{zkNa~b4szVPUdi_}8AAShl2Dk6?o;Qnb}Q#^V*+CG99;sQMbKP74QECa%CwI}K z9q&s$^mXY2GUiTv)-GWIvaS0pBKEm<_5 z4rssv6wR~whliF5{G&jyYmji~+(DK^sI~{B&aP=VeQ>19L&1aSOhoEJ2!neXGZ*V8 z7IRqvzUwwszEHr>I6Nl}(vc7NgJkZHC-bWoKa50kxqGaZ_DRr*SiQJV(2z`n>#BB0 zSv3cWNNDMXRSC_?4R5CdiH~w0xfYs%VYT*;4xB$OwqAA~1R75Wm-}QXS1_y5Rq6ZR z!)CdN)CIxyXxT3mL)8QiB*w%((ke6t)n2_At$%akk81F8pBI`HY@(pr${ox^|4x8( zv%joEbe)05oz#%o6Ejii3UryV_j38N?jA7i###ZEEym2rc{Yo4r^|hEv@1AvL%rUz z&*}qdY!*%iZ=)_!tKVqI?6@-V^6%4zs?UI3fD*ucHon?vP3}xAFgnxQ=}$ZKd_|_= zW1$w<1rdix*BAQGE|f%T#dm*1^a_D|j8m7leRTt8iLi!0NGrpQNiaHw=Sqv6dF`mG;0;03WS-BIy|RvMmH{Rar9Fy12N+3~=a&b7dSH*_@Z4 zEK(p|#V)3RFE&-Ji34hN1^`6PPT&g-q)UmXp);o&T6Rj~V97awi#pzjgzpXQcp3*t zAD!THb{r|Q<6zO@OV#5)Mz7hV(KsCs4}TC|wvmK?c;RH=S?;4qPISjDsCWxQz?byu z*2FvivVBgp;{CCFkE?yoaT-eEfC2J}!@|9S{FUJ%9Ua4A=5L##2ad>57U`jpmeNYqsPqe)>J@aFjDmu<6TpmU{x3&13*dVGG4hSvsT6JGGwb9zo?^Lng zWaf&8Vbt+}d&7yAz?<%5ILrbXPT>6C&~T*(FTfq5T?;A%q}M(tus!;`V0-iYT)9UR ztI1VET`33hTcw*t%Pna%I{=BvX=l}}=+MNM{`%2+OWr8)F9cmXL9{t*h%|0APy@OMCi4u(Hg`AbbV@wMUV~gfO{{ zpPk9Mmp>S$9g-#9(7TH0wS-eZ>ia%i@F-WqeCW!XA|jsanrQF{lP#1~T4K{Tyi&6g z1>wabGbQcro9hq(MRxIa!c~Y@Ls{#s-H!`wv8adGBgO#mU3hXJsAfOl5g0>g=N;2T^)lc5!V!Yk8q(At^CZqXNNbJ%Nii8vJGHcML;*bHs)z6^kvos z45`Fzx%V~e(yoMq^ICN=j?lb8Iz-Z^EQ;g%8Th}c0GU$+GWSyLbPBv(8qOU!cH7p@ z?if`I0|+@7K&|k4LQ`zAYENdOH7BI17jjIhb5^g99aQ5!n6_|L@M`1%S;?95(VMNX zVF18FV7*u;pcdpD0OX00J6a-pT=R-msoH)TV51X#0mqA1Cz7x2I3O)n1t3M-Bdi|a zCN&g>F6B;OUIOH_a1~cPvJ9{gsYa;~faWqr7LY!iE!@jTuG{@6t1m0rozt2aV zFG-)#Y2~Xw?vX9HhD^L!A$E#s$WnL1G{|7cqJ0g)Qd=7UCf>U~TV_KZ=&k9YtXSZx zU#-p)-xpBXCE-ni4Fnb&;*AnOZpwPk8rB1HCKA)tyXiplvEBO>AUoP+_+^yvu4*P;T}8#BjURWXeQJLdXnyWVakyfppj+ zIlV9L^7@zIAqj?6DEs-@PSyVO%)%#Q0YeiO9S=+ygg{0^OYRMQN_p7kHITj#_zIe? zSZ&>@b???JpnhJWG)J(2a08K;TsZYg!qT=Vlh**v#ciS%qDA4-m}B`2Fqau99=F57V+GTM*yiU-#L?CT)do zu1;Rtv0suucq!M$O_nhbbco;!sRBf{NAr8X06NtpK%!uA5KQqd4l2czC3+9O9a#N6l0L<=ka!EVP0>58ApS-_r#6jANW47&P}3|3B$YD(uFR!d8e@y0N%y~xi971 z%Aj|0b`u1=XPL3J^Z29^(RYc%qlo78*YU+ZAmMVssK*h+fMe12+cjN;kAC&luuf%4NrW=|(%p?Qw9tSAQccL|itXb!!cc zHE$AZTK?)kynDmw19`X%5Mi?Ru+@gmOyw53Z=P|WNREvH;+oVJ__3`}(wNe6kJz%1 z&4u>NAyUXDr*R-xW@7XKv1JS72z;3+yoj&W4J5UqP&PmLxV+EL6e*DowkYkFvTvLI zxN+)aLO2sE9~gCA6;+t-0=526!nDeGrz&R@@J`haf@$dc3LO+I9*n zO(z?}ISG-5fl1W=CD?m9l63GL@ZiV4f9BBo4Co^&Hvk7l-n{M$AO^#pFfJNPy7dDR zNj^t2Fr@Bn*UFr_>dDLjQk#)619!X^l83=zs9Ga{ec-U7S~u9A=7FD*h8VN=aV3P8 zK^$CYAg|>vCl~rui}3;`ttrl}^nnap?OW(_?q&m4ntU47N;9>t{+KeG?=b+T7yuEB zX=pLq8>rdKGuP}Pg;yh4g;qku=;Z&+291UGFT{|7;+dKCaqi;$H zfanrJrx?l>fD)>vdiBrH6sl!DyAcVvEw%`cnd0W?jpZ+*(hGGvj?U?T3$-_r(|*RJ zfqvB=@RsUSe_6I|RLl0)5_pEyfI7*7jagiFKwasv_=9TuQ9}V4YlwS$>!$TJ-0T9u z^{}rnyu5uVnAF-DaW=oS12haQM@Nzt<2J9d^5nPKrFdY&Z~Q)V!Y1WqVzp2Tl!G#K zdEO{NjY?XLSlwxC>DjbEV6T--37klhz@K6R1AH7wH?+nDG<3`-$WDhrB=5%}V#6$G z*Zfz;)^ZileB`5k)nk3} zTfIvK8%edAFWPiz=q(vMwoqY@R&(!(JfOX+OcTM&_)EeYhZxna$3qt^t#8EY@?;Jjj5tj`qjE}H}Jr{v{-30Ri16(NhE&a=F&+p|2hxhM)+na5LmBY?V3%tNA;~g_5E~R_p03XgC z8Yw2u;XYG5?5OPa0fdx(ZiKiP9m7Z9k=i^nOh_+11+)qco%psE5ch3JoM(~(3F{2} z{KDUsqO1mP69EC*jJiDgz6lC{2!K{DZu@j=e+74-7syMe>hWo&H>Jm+*5YA5IKkAk z)?v_d29HmIJ;?$}Q{!I`8{)P-FySSSQ$6+nu=u~3Wy_trzpF#)O=Tp?Psb0;zWiN% zgkALL!Dy+xELV5MU)9ETgFs z_K(i_FBSIpVT&aId#O-*p@jq)9slgh|Ec)DnPuWh!OKt};+OuVS{b?4^7Qf`ifq2G z$mYdoNErBUZEw*7BN3po$lE86WnrzpVAlt5*2Ip3Vc*u3`4#(Mcn3u@Fmdm@_Sw{k z{%M{O4pf5z5&kF9QbKFLyG_+77}`S7nU0%KXhZ`4%oQkeq1k4tVEtqK%eb`laNF5&*7Fo75{g$)Y4rxmQ=)UZ$D&RRkxZ{hciHu`-<~Ytw9DP4D$TjTO^cg z2{bQpTZaokXJX$ypiwSCD&kmb5apT5kpn=oZUNZ=*4^C~Ts6Tqf1YOx^)h#*`Lk%@ zAKp4n-Omm>Yn#4I9;h`C3F-w$%xoZmDp3RQ88M(!_2F2X71g%+pWQu(4OrCJB6ng4G0 z`EtuML$XJ~!zTCPo(Hc(qdNDzyRc`vt;JZz>2A7TMLjjAC4UjkT2?yWvC`fW#heBH zFX!C*eQbeYcPMU%zr2|WoJ^h z37=AnST+$$4q)g@FRr4|Xb=Lk8zV`1hSKI%zWl(nggt2^P+%lu(IlKvi9L)Xz48(e zq0@&h!rjKy^OryEWYK;9{y&sFN8SvqV6N}#>blqMdy%g<$0Ls*^3^O~Hi9QL+&5IK z#1tZNVdguCdBOSM%sAM*J|tM+M7_HU@+o(bF5Cu+jSO4b-XuRf`Z@&cRr`(7IE&zqIXrM5U;I)-v13!J-bP_erc`^YS zZ?Hy-$W4cFSJvJ$fTMbKET6IYjELxrVieq-W18|HY5dM9s8O4NH$Ku(@0lU}iTRB; zrp>6z+V!klZuv}S2dl(NK+mc$Tx%{}>%2u%Nsd!)c~6@(>_HN3Zhdh~3)5xCwQ{4xj%B@dBIp&!4+>ztG4sS0dnd?N+o{64L_Qyy|CZZmGjv)A!D`LB%t<-<-Qi zEiS##`0!Sh(THi&c$C$1kLbPV)M4?GF_d*?YCgfNyTr&6*JeyQDMI%EQf(OO2q9{;gop%E&eM4D94QIq4Mk0IU%y)U?8e`A=j&E)? z#%+x%`~W^$oT~fKentd@@Rsfbz4i??EHs>wgo-D6%}hyBi!au(pcNOlcirzv{Somv z-_VwicZLJ*`@N2FGHN&Wtd_E9O)O_HrCwqAkRW+&30Wz4Cpb~(vRP4DVkDg#^g70M z_9F{A=}6HT?%eXKA}2O&!jGO+oht3(hCIMhwAuSIV+SN_uQVgeR?VeY*g*yWh%@eh zb_MdywWj((@oL={qtxObigQOzq2eEQ=*8`MZ?P>uQH)OS#HgDWI%+h~eLyb6KD4Xfr0}P4%BCcm>ysb8xJKj?Q9znwi**Y>P=0 zQM_q?2_#*xcQ^OjQ>AO)(1h!_wk7>j$PC+`N1bzuiRcR_P<-iJ=1pqx)6E4p(bVDx zqyb`pGm`uxsnqNjOcgLjYNlq?HNKnlCQ#^%eI4$zPxWioXj?)HW})iaf9h9H&LF}Q z-W}Ssp&B|@DSgGr$}H(ZyYZp}!5m1*pm=)b!$Ws{C@Zi&uXym^lx*29A$=>R*gh0wz%c6+B4+oV+A6O*t7n z^jb|lL>~M34C3!qtyItNQ{(ZyNN%y&JOl-$pG-dE6|)JQ13~(Qr1oF|2+erWki=K! z{P}4S0Cb^<^m9w5C25pvau9e8tfT?3QqmThdOWHDFlmn65zVETHnA#j z*)rouJQ3FonVA7iXI#H$%A~>9drKPO4cH~!1yAr{00xe8C>&5HJH_FR~jy^iX=wpfCxp zQ4g?Cqzq9RZ_l=r*z80k3!QMN!#zUhj^!u6k0)q715MlQ9v4SE!-y>^f|VkYiJ>Qp`txRq%pgm zumruFWs_x402U|<_PU<&>~kbO%jQ#p)Wk#l8D!Ib5MRc>c#sY~$TkCjj**Dnyv{uz ztuN1>9N^DLBTY#m@ipsT=cA#Qn{+gqUM)cZ63U!^Ez4G+B9rqNhvtz46+nL zaIOkUkL=OOn1Uq)YLoQq`T}Bb_|f>f+iJZ1!AW7kjAugQrsLpk3=qYRr2m0Rx!c;P z-C`eFZS#+Y-iT}6y4hMpp69|)E5BNc<{CKX{{UYT{h&LX_xLKzG4DE-^;WEPufP zd?eZZ`d9CEnN~y|pnHyh$Aq{~&p!}sng&l_B`0f{VlwY5bJ=&12B+Qc1>Ib|G5rIa z9Z$)nE<+Vf)w6O9B5h~pil#f({BfjiFMG>h?GzT%Yn9#C;^Jur{TG2g`7+EV@LELJ);In*yY>6@qcL zcnQtZ?%?<P$2^TjJ@bWEPuG)K}AJ!Fyq0;4!&|T1rdpRfrw8xEjJOr}U zDg44|E`2hGEx%H|@Z(E0-S)%;1INlN`;#CmP>gh}w3 zld_**b?Tmv0~ zw0X>zE^vO6JeoXVKrywakkORd$O7*l^Bh{MZ7?v`$HM{nAXjAs0FfW^1{brN<#feD zzP^%%P2{KPou4gTczYnU2qWDrcs?_}-++rmY1Hze(F4Zt-+sP2Kj2p0{a1!;zH`N6Hcq^aJDy?b) z*;|)`?+79BcBDz3`2aQQ^NHYTvAKzqzE3fHH>7_&yIT*D+k)>wdcvIq`$%py!NxTu z=;O0L5%hxXu(86gA4*#$?svR| zvDNAcZT=iTe~22jJU?bP+r7wxPMeaF9S{5#u^Z`%2;Kd7ETJb9KEs($*#AZ(KWqhQ zBdms3*?#Io87*Y=zHUbWFDL1 zAFQ=uLdYya;&8KIn@A0rFtODnSm%hsLr*G7Z1L9a77Bg42~e^DiF)Y0#EIBtw31K_ z8IS*{ug23IECCPgHKLpi*0OP;=w{8n{!$<%xaso*hP29|7^N~N3tC(l>035^F(DEIaT{KfCF#WL6|!+o^L5G%oo1dIDhOic$qCJwPtmZ#VW&! z(vtd$0%d}MFh8&D+bcWIBx=h{c9U)hru7A1lnQP1UDm78PY9DZx}pY`BUvRI4O$lJ zx3BzDnBq}y>jt1JY89TDOMgRMgR0($f)pK)FvRjm^p;|x=MW;+JM{Cq(hFu4ZedZDJk5mQ=|TF;3=^G zUegXT$Ea2*aOhgcMt{=M0UI}!12WY`XRXeq0cT>cqh_Y%@8OGA_tT9mmoYyWA6=II z*RD_EP~zX3{ckmPJ4u=UC12?=?19Y=uwxmpLu_Z!|A zr`!PJB`j<206^r$;g^ggjXeWx+l3xBcIK0k1Cs2nnE^MshQnTM_shjsF|PM_{geA` z>O&KgKc2hu^hZ zC8`zWoIT6(53b+B2Gtpbys)K8c&Ab851@T=e%C(ddD?$#>$z`j4p38Y<7Ng>Fzxq( zkeY&mEM4Z3udMwYD|4h$L0p#g_qZ%3&g=$DZwUx1tDNfv-b&Edj@9X@0ML@-?=5Me zwN0z2BZ}(m?H_rk_onL`_0cKg)#4b7fkgbnzn?yx$nfHGzGusi=(|K<_4CuB)r;0A+LkUXY$-E}x zCClkeX%}R5tN%s8HYIsQ5Hig+&E;F+3JmO({W2A*blKW`)Ue(BrTFMCcw?%QWF>M{ z3<3U3NzS#Cj3wt-_5*UKV{vQGV z-{4DufPV=B{@;P7{VUY){|K7)ufex}hZ#OdnfWcD=08qj07yDvJF!Ej4j}2Ar*<3% z34v5?y+qcCh4RAr`5}=7P`V*1c(vxwsNn-v2)^#6`7=-pQUKJb=;*VZAO%3{{C1Z4 z-2!m`mz45RGXSWm?*Bgf;{S?d4f0~hpXVub777X%(Eb^y1+%?L#ehLxSBPz*-*zg! zfYlBF!(-&A836y7Z~rTghpIQWb4*B30{Mp>wbF9b43Ph*_`gX>G5dd3vii215+eqkw)ZG-~#K8e(+4XDQG4=YXNA*hcS3=^vYw5 zH5wnD{>JoYL>Q=b8q18Cw173Yj3j6o7;qikuS0roPXH(8fy)bau>n^PT&e@j*>hw- z)|POFPQvc&XP{+%Q`v$2OVB0?g359Da?_I(?CWT7EQ|r33@HFw#L2*v1)52}>Hu2t zkp^7Cp?_)Raf~$@4^Mw@#qj5bHJ}W)i|qr(Iw0T@0E}fZ!2U`JFL3q1(!Ua*6##_R z^NcS4fv+e7l{?#if>$lkr!J+e{v2KYGrIf-yo7UTE&my9unhLqrLdz{q#!G8S(d=g zU%65+SN{0zUZ3Z}hgiQw0XsR<EXgV3qJHRtMMvH>c zq5!EVH~?G#0|Z$`MVs7%leHif(hp$?;I1d&y>I{2&h-cy2uR4w^WU+TJ|HXvtY(0V hmmM2l{(kv|4&bHO44$rjF6*2UngC#G9S8sb diff --git a/versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP1/README.md b/versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP1/README.md deleted file mode 100644 index 0fd4bb63..00000000 --- a/versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP1/README.md +++ /dev/null @@ -1,141 +0,0 @@ ---- -slug: /MEP-1-distributed-metal-control-plane -title: MEP-1 -sidebar_position: 1 ---- - -# Distributed Metal Control Plane - -This enhancement proposal was replaced by [MEP18](../MEP18/README.md). - -## Problem Statement - -We face the situation that we argue for running bare metal on-premises because this way the customers can control where and how their software and data are processed and stored. -On the other hand, we have currently decided that our metal-api control plane components run on a kubernetes cluster (in our case on a cluster provided by one of the available hyperscalers). - -Running the control plane on Kubernetes has the following benefits: - -- Ease of deployment -- Get most, if not all, of the required infrastructure services like (probably incomplete): - - IPs - - DNS - - L7-Loadbalancing - - Storage - - S3 Backup - - High Availability - -Using a kubernetes as a service offering from one of the hyperscalers, enables us to focus on using kubernetes instead of maintaining it as well. - -## Goal - -It would be much saner if metal-stack has no, or only minimal dependencies to external services. Imagine a metal-stack deployment in a plant, it would be optimal if we only have to deliver a single rack with servers and networking gear installed and wired, plug that rack to the power supply and a internet uplink and its ready to go. - -Have a second plant which you want to be part of all your plants? Just tell both that they are part of something bigger and metal-api knows of two partitions. - -## Possible Solutions - -We can think of two different solutions to this vision: - -1. Keep the central control plane approach and require some sort of kubernetes deployment accessible from the internet. This has the downside that the user must, provide a managed kubernetes deployment in his own datacenter or uses a hyperscaler. Still not optimal. -1. Install the metal-api and all its dependencies in every partition, replicate or shard the databases to every connected partition, make them know each other. Connect the partitions over the internet with some sort of vpn to make the services visible to each other. - -As we can see, the first approach does not really address the problem, therefore i will describe solution #2 in more details. - -## Central/Current setup - -### Stateful services - -Every distributed system suffer from handling state in a scalable, fast and correct way. To start how to cope with the state, we first must identify which state can be seen as partition local only and which state must be synchronous for read, and synchronous for writes across partitions. - -Affected states: - -- masterdata: e.g. tenant and project must be present in every partition, but these are entities which are read often but updates are rare. A write can therefore be visible with a decent delay in a distinct partition with no consequences. -- ipam: the prefixes and ip´s allocated from machines. These entities are also read often and rare updates. But we must differentiate between dirty reads for different types. A machine network is partition local, ips acquired from such a network must by synchronous in the same partition. Ips acquired from global networks such as internet must by synchronous for all partitions, as otherwise a internet ip could be acquired twice. -- vrf ids: they must only be unique in one partition -- image and size configurations: read often, written seldom, so no high requirements on the storage of these entities. -- images: os images are already replicated from a central s3 storage to a per partition s3 service. metal-hammer kernel and initrd are small and pull always from the central s3, can be done similar to os images. -- machine and machine allocation: must be only synchronous in the partition -- switch: must be only synchronous in the partition -- nsq messages: do not need to cross partition boundaries. No need to keep the messages persistent, even the opposite is true, we don't want to have the messages persist for a longer period. - -Now we can see that the most critical state to held and synchronize are the IPAM data, because these entities must be guaranteed to be synchronously updated, while being updated frequently. - -Datastores: - -We use three different types of datastores to persist the states of the metal application. - -- rethinkdb is the main datastore for almost all entities managed by metal-api -- postgresql is used for masterdata and ipam data. -- nsq uses disk and memory tho store the messages. - -### Stateless services - -These are the easy part, all of our services which are stateless can be scaled up and down without any impact on functionality. Even the stateful services like masterdata and metal-api rely fully on the underlying datastore and can therefore also be scaled up and down to meet scalability requirements. - -Albeit, most of these services need to be placed behind a loadbalancer which does the L4/L7 balancing across the started/available replicas of the service for the clients talking to it. This is actually provided by kubernetes with either service type loadbalancer or type clusterip. - -One exception is the `metal-console` service which must have the partition in it´s dns name now, because there is no direct network connectivity between the management networks of the partitions. See "Network Setup) - -## Distributed setup - -### State - -In order to replicate certain data which must be available across all partitions we can use on of the existing open source databases which enable such kind of setup. There are a few available out there, the following incomplete list will highlight the pro´s and cons of each. - -- RethinkDB - - We already store most of our data in RethinkDB and it gives already the ability to synchronize the data in a distributed manner with different guarantees for consistency and latency. This is described here: [Scaling, Sharding and replication](https://rethinkdb.com/docs/sharding-and-replication/). But because rethinkdb has a rough history and unsure future with the last release took more than a year, we in the team already thought that we eventually must move away from rethinkdb in the future. - -- Postgresql - - Postgres does not have a multi datacenter with replication in both directions, it just can make the remote instance store the same data. - -- CockroachDB - - Is a Postgresql compatible database engine on the wire. CockroachDB gives you both, ACID and geo replication with writes allowed from all connected members. It is even possible to configure [Follow the Workload](https://www.cockroachlabs.com/docs/stable/topology-follow-the-workload) and [Geo Partitioning and Replication](https://www.cockroachlabs.com/docs/v19.2/topology-geo-partitioned-replicas). - -If we migrate all metal-api entities to be stored the same way we store masterdata, we could use cockroachdb to store all metal entities in one ore more databases spread across all partitions and still ensure consistency and high availability. - -A simple setup how this would look like is shown here. - -![Simple CockroachDB setup](Distributed.png) - -go-ipam was modified in a example PR here: [PR 17](https://github.com/metal-stack/go-ipam/pull/17) - -### API Access - -In order to make the metal-api accessible for api users like `cloud-api` or `metalctl` as easy at it is today, some effort has to be taken. One possible approach would be to use a external loadbalancer which spread the requests evenly to all metal-api endpoints in all partitions. Because all data are accessible from all partitions, a api request going to partition A with a request to create a machine in partition B, will still work. If on the other hand partition B is not in a connected state because the interconnection between both partitions is broken, then of course the request will fail. - -**IMPORTANT** -The NSQ Message to inform `metal-core` must end in the correct partition - -To provide such a external loadbalancer we have several opportunities: - -- Cloudflare or comparable CDN service. -- BGP Anycast from every partition - -Another setup would place a small gateway behind the metal-api address, which forwards to the metal-api in the partition where the request must be executed. This gateway, `metal-api-router` must inspect the payload, extract the desired partition, and forward the request without any modifications to the metal-api endpoint in this partition. This can be done for all requests, or if we want to optimize, only for write accesses. - -## Network setup - -In order to have the impact to the overall security concept as minimal as possible i would not modify the current network setup. The only modifications which has to be made are: - -- Allow https ingress traffic to all metal-api instances. -- Allow ssh ingress traffic to all metal-console instances. -- Allow CockroachDB Replication between all partitions. -- No NSQ traffic from outside required anymore, except we cant solve the topic above. - -A simple setup how this would look like is shown here, this does not work though because of the forementioned NSQ issue. - -![API and Console Access](Distributed-API.png) - -Therefore we need the `metal-api-router`: - -![Working API and Console Access](Distributed-API-Working.png) - -## Deployment - -The deployment of our components will substantially differ in a partition compared to a the deployment we have actually. Deploying it in kubernetes in the partition would be very difficult to achieve because we have no sane way to deploy kubernetes on physical machines without a underlying API. -I would therefore suggest to deploy our components in the same way we do that for the services running on the management server. Use systemd to start docker containers. - -![Deployment](Distributed-Deployment.png) diff --git a/versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP10/README.md b/versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP10/README.md deleted file mode 100644 index 6811cdc0..00000000 --- a/versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP10/README.md +++ /dev/null @@ -1,197 +0,0 @@ ---- -slug: /MEP-10-sonic-support -title: MEP-10 -sidebar_position: 10 ---- - -# SONiC Support - -As writing this proposal, metal-stack only supports Cumulus on Broadcom ASICs. Unfortunately, after the acquisition of -Cumulus Networks by Nvidia, Broadcom decided to cut its relationship with Cumulus, and therefore Cumulus 4.2 is the last -version that supports Broadcom ASICs. Since trashing the existing hardware is not a solution, adding support for a -different network operating system is necessary. - -One of the remaining big players is [SONiC](https://sonic-net.github.io/SONiC/), which Microsoft created to scale the -network of Azure. It's an open-source project and is now part of the [Linux Foundation](https://www.linuxfoundation.org/press/press-release/software-for-open-networking-in-the-cloud-sonic-moves-to-the-linux-foundation). - -For a general introduction to SONiC, please follow the [Architecture](https://github.com/sonic-net/SONiC/wiki/Architecture) official -documentation. - -## ConfigDB - -On a cold start, the content of `/etc/sonic/config_db.json` will be loaded into the Redis database `CONFIG_DB`, and both -contain the switch's configuration except the BGP unnumbered configuration, which still has to be configured directly by -the frr configuration files. The SONiC community is working to remove this exception, but no release date is known. - -## BGP Configuration - -Frr runs inside a container, and a shell script configured it on the container startup. For BGP unnumbered, we must set -the configuration variable `docker_routing_config_mode` to `split` to prevent SONiC from overwriting our configuration -files created by `metal-core`. But by using the split mode, the integrated configuration mode of frr is deactivated, and -we have to write our BGP configuration to the daemon-specific files `bgp.conf`, `staticd.conf`, and `zebra.conf` instead -to `frr.conf`. - -```bash -elif [ "$CONFIG_TYPE" == "split" ]; then - echo "no service integrated-vtysh-config" > /etc/frr/vtysh.conf - rm -f /etc/frr/frr.conf -``` - -Reference: [docker-init](https://github.com/sonic-net/sonic-buildimage/blob/202205/dockers/docker-fpm-frr/docker_init.sh#L69) - -Adding support for the integrated configuration mode, we must at least adjust the startup shell script and the supervisor configuration: - -```bash -{% if DEVICE_METADATA.localhost.docker_routing_config_mode is defined and DEVICE_METADATA.localhost.docker_routing_config_mode == "unified" %} -[program:vtysh_b] -command=/usr/bin/vtysh -b -``` - -Reference: [supervisord.conf](https://github.com/sonic-net/sonic-buildimage/blob/202205/dockers/docker-fpm-frr/frr/supervisord/supervisord.conf.j2#L157) - -## Non-BGP Configuration - -For the Non-BGP configuration we have to write it into the Redis database directly or via one of the following interfaces: - -- `config replace ` -- the Mgmt Framework -- the SONiC restapi - -Directly writing into the Redis database isn't a stable interface, and we must determine the create, delete, and update -operations on our own. The last point is also valid for the Mgmt Framework and the SONiC restapi. Furthermore, the -Mgmt Framework doesn't start anymore for several months, and a [potential fix](https://github.com/sonic-net/sonic-buildimage/pull/10893) -is still not merged. And the SONiC restapi isn't enabled by default, and we must build and maintain our own SONiC images. - -Using `config replace` would reduce the complexity in the `metal-core` codebase because we don't have to determine the -actual changes between the running and the desired configuration. The approach's drawbacks are using a version of SONiC -that contains the PR [Yang support for VXLAN](https://github.com/sonic-net/sonic-buildimage/pull/7294), and we must provide -the whole new startup configuration to prevent unwanted deconfiguration. - -### Configure Loopback interface and activate VXLAN - -```json -{ - "LOOPBACK_INTERFACE": { - "Loopback0": {}, - "Loopback0|": {} - }, - "VXLAN_TUNNEL": { - "vtep": { - "src_ip": "" - } - } -} -``` - -#### Configure MTU - -```json -{ - "PORT": { - "Ethernet0": { - "mtu": "9000" - } - } -} -``` - -#### Configure PXE Vlan - -```json -{ - "VLAN": { - "Vlan4000": { - "vlanid": "4000" - } - }, - "VLAN_INTERFACE": { - "Vlan4000": {}, - "Vlan4000|": {} - }, - "VLAN_MEMBER": { - "Vlan4000|": { - "tagging_mode": "untagged" - } - }, - "VXLAN_TUNNEL_MAP": { - "vtep|map_104000_Vlan4000": { - "vlan": "Vlan4000", - "vni": "104000" - } - } -} -``` - -#### Configure VRF - -```json -{ - "INTERFACE": { - "Ethernet0": { - "vrf_name": "vrf104001" - } - }, - "VLAN": { - "Vlan4001": { - "vlanid": "4001" - } - }, - "VLAN_INTERFACE": { - "Vlan4001": { - "vrf_name": "vrf104001" - } - }, - "VRF": { - "vrf104001": { - "vni": "104001" - } - }, - "VXLAN_TUNNEL_MAP": { - "vtep|map_104001_Vlan4001": { - "vlan": "Vlan4001", - "vni": "104001" - } - } -} -``` - -## DHCP Relay - -The DHCP relay container only starts if `DEVICE_METADATA.localhost.type` is equal to `ToRRouter`. - -## LLDP - -SONiC always uses the local port subtype for LLDP and sets it to some freely configurable alias field of the interface. - -```python -# Get the port alias. If None or empty string, use port name instead -port_alias = port_table_dict.get("alias") -if not port_alias: - self.log_info("Unable to retrieve port alias for port '{}'. Using port name instead.".format(port_name)) - port_alias = port_name - -lldpcli_cmd = "lldpcli configure ports {0} lldp portidsubtype local {1}".format(port_name, port_alias) -``` - -Reference: [lldpmgr](https://github.com/sonic-net/sonic-buildimage/blob/202205/dockers/docker-lldp/lldpmgrd#L153) - -## Mgmt Interface - -The mgmt interface is `eth0`. To configure a static IP address and activate the Mgmt VRF, use: - -```json -{ - "MGMT_INTERFACE": { - "eth0|": { - "gwaddr": "" - } - }, - "MGMT_VRF_CONFIG": { - "vrf_global": { - "mgmtVrfEnabled": "true" - } - } -} -``` - -[IP forwarding is deactivated on `eth0`](https://github.com/sonic-net/sonic-buildimage/blob/202205/files/image_config/sysctl/sysctl-net.conf#L7), and no IP Masquerade is configured. diff --git a/versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP11/README.md b/versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP11/README.md deleted file mode 100644 index 87f48a10..00000000 --- a/versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP11/README.md +++ /dev/null @@ -1,78 +0,0 @@ ---- -slug: /MEP-11-auditing-of-metal-stack-resources -title: MEP-11 -sidebar_position: 11 ---- - -# Auditing of metal-stack resources - -Currently no logs of the ownership of resources like machines, networks, ips and volumes are generated or kept. Though due to legal requirements data centers are required to keep track of this ownership over time to prevent liability issues when opening the platform for external users. - -In this proposal we want to introduce a flexible and low-maintenance approach for auditing on top of [Meilisearch](https://www.meilisearch.com/). - -## Overview - -In general our auditing logs will be collected by a request interceptor or middleware. Every request and response will be processed and eventually logged to Meilisearch. -Meilisearch will be configured to regularly create chunks of the auditing logs. These finished chunks will be backed up to a S3 compatible storage with a read-only option enabled. - -Of course sensitive data like session keys or passwords will be redacted before logging. We want to track relevant requests and responses. If auditing the request fails, the request itself will be aborted and will not be processed further. The requests and responses that will be audited will be annotated with a correlation id. - -Transferring the meilisearch auditing data chunks to the S3 compatible storage will be done by a sidecar cronjob that is executed periodically. -To avoid data manipulation the S3 compatible storage will be configured to be read-only. - -## Whitelisting - -To reduce the amount of unnecessary logs we want to introduce a whitelist of resources and operations on those that should be logged. -Other requests will be passed directly to the next middleware or web service without any further processing. - -As we are only interested in mutating endpoints, we ignore all `GET` requests. -The whitelist includes all `POST`, `PUT`, `PATCH` and `DELETE` endpoints of the HTTP middleware except for the following (non-manipulating) route suffixes: - -- `/find` -- `/notify` -- `/try` and `/match` -- `/capacity` -- `/from-hardware` - -Regarding GRPC audit trails, they are not so interesting because only internal clients are using this API. However, we can log the trails of the `Boot` service, which can be interesting to revise the machine lifecycle. - -## Chunking in Meilisearch - -We want our data to be chunked in Meilisearch. To accomplish this, we rotate the index identifier on a scheduled basis. The index identifiers will be derived from the current date and time. - -To keep things simple, we only support hourly, daily and monthly rotation. The eventually prefixed index names will only include relevant parts of date and time like `2021-01`, `2021-01-01` or `2021-01-01_13`. - -The metal-api will only write to the current index and switches to the new index on rotation. The metal-api will never read or update data in any indices. - -## Moving chunks to S3 compatible storage - -As Meilisearch will be filled with data over time, we want to move completed chunks to a S3 compatible storage. This will be done by a sidecar cronjob that is executed periodically. Note that the periods of the index rotation and the cronjob execution don't have to match. - -When the backup process gets started, it initiates a [Meilisearch dump](https://www.meilisearch.com/docs/learn/advanced/dumps) of the whole database across all indices. Once the returned task is finished, the dump must be copied from a Meilisearch volume to the S3 compatible storage. After a successful copy, the dump can be deleted. - -Now we want to remove all indices from Meilisearch, except the most recent one. For this, we [get all indices](https://www.meilisearch.com/docs/reference/api/indexes#list-all-indexes), sort them and [delete each index](https://www.meilisearch.com/docs/reference/api/indexes#delete-an-index) except the most recent one to avoid data loss. - -For the actual implementation, we can build upon [backup-restore-sidecar](https://github.com/metal-stack/backup-restore-sidecar). But due to the index rotation and the fact, that older indices need to be deleted, this probably does not fit into the mentioned sidecar. - -## S3 compatible storage - -The dumps of chunks should automatically deleted after a certain amount of time, once we are either no longer allowed or required to keep them. -The default retention time will be 6 months. Ideally already uploaded chunks should be read-only to prevent data manipulation. - -A candidate for the S3 compatible storage is Google Cloud Storage, which allows to configure automatic expiration of objects through a [lifecycle rule](https://cloud.google.com/storage/docs/managing-lifecycles?hl=en#storage-set-lifecycle-config-go). - -## Affected components - -- metal-api grpc server needs an auditing interceptor -- metal-api web server needs an auditing filter chain / middleware -- metal-api needs new command line arguments to configure the auditing -- mini-lab needs a Meilisearch instance -- mini-lab may need a local S3 compatible storage -- we need a sidecar to implement the backup to S3 compatible storage -- Consider auditing of volume allocations and freeings outside of metal-stack - -## Alternatives considered - -Instead of using Meilisearch we investigated using an immutable database like [immudb](https://immudb.io/). But immudb does not support chunking of data and due to its immutable nature, we will never be able to free up space of expired data. Even if we are legally allowed or required to delete data, we will not be able to do so with immudb. - -In another variant of the Meilisearch approach the metal-api would also be responsible for copying chunks to the S3 compatible storage and deleting old indices. But separating the concerns allows completely different implementations for every deployment stage. diff --git a/versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP12/README.md b/versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP12/README.md deleted file mode 100644 index 65532c57..00000000 --- a/versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP12/README.md +++ /dev/null @@ -1,34 +0,0 @@ ---- -slug: /MEP-12-rack-spreading -title: MEP-12 -sidebar_position: 12 ---- - -# Rack Spreading - -Currently, when creating a machine through the metal-api, the machine is placed randomly inside a partition. This algorithm does not consider spreading machines across different racks and different chassis. This may lead to the situation that a group of machines (that for example form a cluster) can end up being placed in the same rack and the same chassis. - -Spreading a group of machines across racks can enhance availability for scenarios like a rack losing power or a chassis meltdown. - -So, instead of just randomly deciding the placement of a machine candidate, we want to propose a placement strategy that attempts to spread machine candidates across the racks inside a partition. - -Furthermore a followup improvement to guarantee that machines are really spread across multiple racks, even if multiple machines are ordered in parallel, was implemented with [PR490](https://github.com/metal-stack/metal-api/pull/490). - -## Placement Strategy - -Machines in the project are spread across all available racks evenly within a partition (best effort). For this, an additional request to the datastore has to be made in order to find allocated machines within the project in the partition. - -The algorithm will then figure out the least occupied racks and elect a machine candidate randomly from those racks. - -The user can optionally pass placement tags which will be considered for spreading the machines as well (this will for example allow spreading by a cluster id tag inside the same project). - -## API - -```golang -// service/v1/machine.go - -type MachineAllocation struct { - // existing fields are omitted for readability - PlacementTags []string `json:"placement_tags" description:"by default machines are spread across the racks inside a partition for every project. if placement tags are provided, the machine candidate has an additional anti-affinity to other machines having the same tags"` -} -``` diff --git a/versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP13/README.md b/versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP13/README.md deleted file mode 100644 index 2dde20f5..00000000 --- a/versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP13/README.md +++ /dev/null @@ -1,111 +0,0 @@ ---- -slug: /MEP-13-dual-stack-support -title: MEP-13 -sidebar_position: 13 ---- - -# Dual-stack Support - -dual-stack support is required to be able to create Kubernetes clusters with either IPv6 single-stack or dual-stack enabled. -With the inherent scarcity of IPv4 addresses, the need to be able to use IPv6 has increased. - -Full IPv6 dual-stack support was added to Kubernetes with v1.23 as stable. - -Gardeners have had full IPv6 dual-stack support since `v1.109`. - -metal-stack manages CIDRs and IP addresses with the [go-ipam](https://github.com/metal-stack/go-ipam) library, which already got full IPv6 support in 2021 (see [https://metal-stack.io/blog/2021/02/ipv6-part1](https://metal-stack.io/blog/2021/02/ipv6-part1)). -But this was only the foundation, more work needs to be done to get full IPv6 support for all aspects managed by metal-stack.io. - -## General Decisions - -For the general decision we do not look at the isolated clusters feature for now as this would make the solution even more complex and we want to introduce IPv6 in smaller steps to the users. - -### Networks - -Currently, metal-stack organizes CIDRs / prefixes into a `network' resource in the metal-api. A network can consist of multiple CIDRs from the same address family. For example, if an operator wants to provide Internet connectivity to provisioned machines, they can start with small network CIDRs. The number of managed network prefixes can then be expanded as needed over time. - -With dual-stack we have to choose between two options: Network per address family or networks with both address families. These options are described in the next section. - -#### Network per Address Family - -This means that we allow networks with CIDRs from one address family only, one for IPv4 and one for IPv6. - -The machine creation process will not change if the machine only needs to be either IPv4 or IPv6 addressable. -But if on the other side, the machine need to be able to connect to both address families, the machine creation needs to specify two networks, one for IPv4 and one for IPv6. -Also there will be 2 distinct VRF IDs for every network with a different address family. - -#### Network with both Address Families - -Make a network dual address family capable, meaning that you can add multiple cidrs from both address families to a network. -Then the machine creation will remain the same for single-stack and dual-stack cases, but the ip address allocation will need to specify the address family from which to allocate an ip address when the network is dual-stack. -This does not break the existing API, but allows existing extensions to easily add dual-stack support. -To avoid additional checking of which address families are available on this network during an ip allocation call, we could store the address families in the network. - -#### Decision - -The decision was made to go with the having both address families in a single network entity because we think this is the most flexible way to support dual-stack machines and Kubernetes clusters as well as single-stack with the least amount of modifications on the networking side. - -### Examples - -To illustrate the the usage we start by creating a tenant super network which has both address families: - -```yaml ---- -id: tenant-super-network-mini-lab -name: Project Super Network -description: Super network of all project networks -partitionid: mini-lab -prefixes: - - 10.0.0.0/16 - - 2001:db8:0:10::/64 -defaultchildprefixlength: - IPv4: 22 - IPv6: 96 -privatesuper: true -``` - -In order to create this network, we simple call: - -```bash -metalctl network create -f tenant-super.yaml -``` - -This is usually done during the initial setup of the environment. - -Next step is to allocate a tenant network where the machines of a project can be placed: - -```bash -metalctl network allocate --partition mini-lab --project 4b9b17c4-2d7c-4190-ae95-dda44e430fa6 --name my-node-network -``` - -This leads to the following network allocation: - -```yaml -id: 2d2c0350-3f66-4597-ae97-ef6797232212 -name: my-node-network -parentnetworkid: tenant-super-network-mini-lab -partitionid: mini-lab -prefixes: - - 10.0.0.0/22 - - 2001:db8:0:10::/96 -projectid: 4b9b17c4-2d7c-4190-ae95-dda44e430fa6 -vrf: 20 -consumption: - ipv4: - available_ips: 1024 - available_prefixes: 256 - used_ips: 2 - used_prefixes: 0 - ipv6: - available_ips: 2147483647 - available_prefixes: 1073741824 - used_ips: 1 - used_prefixes: 0 -privatesuper: false -``` - -Users can the create IP addresses from these child networks. By default, they retrieve an IPv4 address except a super network only consists of IPv6 prefixes. In the latter case the users acquire an IPv6 address. - -```bash -metalctl network ip create --network 2d2c0350-3f66-4597-ae97-ef6797232212 --project 4b9b17c4-2d7c-4190-ae95-dda44e430fa6 -``` diff --git a/versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP14/README.md b/versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP14/README.md deleted file mode 100644 index 47c06434..00000000 --- a/versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP14/README.md +++ /dev/null @@ -1,36 +0,0 @@ ---- -slug: /MEP-14-independence-from-external-sources -title: MEP-14 -sidebar_position: 14 ---- - -# Independence from external sources - -In certain situations some customers may need to operate and create machines without making use of external services like DNS or NTP through the internet. To make this possible, all metal-stack components reaching external services need to be configurable with custom endpoints. - -So far, the following components have been identified as requiring changes: - -- pixiecore -- metal-hammer -- metal-images - -More components are likely to be added to the list during processing. -For DNS and NTP servers it should be possible to provide default values within a partition. They can either be inherited from machines and firewalls or overwritten with own ones. - -## pixiecore - -A NTP server endpoint need to be configured on the pixiecore. This can be achieved by providing it through environment variables on start up. - -## metal-hammer - -If using a self-deployed NTP server, also the metal-hammer need to be configured with it. For backward compatibility, default values from `pool.ntp.org` and `time.google.com` are used. - -## metal-images - -Configurations for the `metal-images` are different for machines and firewalls. - -## metalctl - -In order to pass DNS and NTP servers to partitions and machines while creating them, the flags `dnsservers` and `ntpservers` need to be added. - -The implementation of this MEP will make metal-stack possible to create and maintain machines without requiring an internet connection. diff --git a/versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP16/README.md b/versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP16/README.md deleted file mode 100644 index 205670ab..00000000 --- a/versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP16/README.md +++ /dev/null @@ -1,318 +0,0 @@ ---- -slug: /MEP-16-metal-api-as-an-alternative-configuration-source-for-the-firewall-controller -title: MEP-16 -sidebar_position: 16 ---- - -# metal-api as an Alternative Configuration Source for the firewall-controller - -In the current situation, a firewall as provisioned by metal-stack is a fully immutable entity. Any modifications on the firewall like changing the firewall ruleset must be done _somehow_ by the user – the metal-api and hence metal-stack is not aware of its current state. - -As part of our [integration with the Gardener project](https://docs.metal-stack.io/stable/overview/kubernetes/#Gardener) we offer a solution called the [firewall-controller](https://github.com/metal-stack/firewall-controller), which is part of our [firewall OS images](https://github.com/metal-stack/metal-images/blob/6318a624861b18a559a9d37299bca5f760eef524/firewall/Dockerfile#L57-L58) and addresses shortcomings of the firewall resource's immutability, which would otherwise be completely impractible to work with. The firewall-controller crashes infinitely if it is not properly configured through the userdata when using the firewall image of metal-stack. - -The firewall-controller approach is tightly coupled to Gardener and it requires the administrator of the Gardener installation to pass a shoot and a seed kubeconfig through machine userdata when creating the firewall. How this userdata has to look like is not documented and is just part of another project called the [firewall-controller-manager](https://github.com/metal-stack/firewall-controller-manager) (FCM), which task is to orchestrate rolling updates of firewall machines in a way that network traffic interruption is minimal when updating a firewall or applying a change to an immutable firewall configuration. - -In general, a firewall entity in metal-stack has similarities to the machine entity but it has a fundamental difference: A user gains ownership over a machine after provisioning. They can access it through SSH, modify it at will and this is completely wanted. For firewalls, however, we do not want a user to access the provisioned firewall as the firewall is a privileged part of the infrastructure with access to the underlay network. The underlay can not be tampered with at any given point in time by a user as it can destroy the entire network traffic flow inside a metal-stack partition. - -For this reason, we have a gap in the metal-stack project in terms of a missing solution for people who do not rely on the Gardener integration. We are basically leaving a user with the option to implement an orchestrated recreation of every possible change on the firewall to minimize traffic interruption for the machines sitting behind the firewall or re-implement the firewall-controller to how they want to use it for their use-case. - -Also we do not have a clear distinction in the API between user and metal-stack operator for firewalls. If a user would allocate a firewall it is also possible for the user to inject his own SSH keys and access the firewall and tamper with the underlay network. - -Parts of these problems are probably going to decrease with the work on [MEP-4](../MEP4/README.md) where there will be dedicated APIs for users and administrators of metal-stack including fine-grained access tokens. - -With this MEP we want to describe a way to improve this current situation and allow other users that do not rely on the Gardener integration – for whatever motivation they have – to adequately manage firewalls. For this, we propose an alternative configuration for the firewall-controller that is native to metal-stack and more independent of Gardener. - -## Proposal - -The central idea of this proposal is allowing the firewall-controller to use the metal-api as a configuration source. This should serve as an alternative strategy to the currently used FCM `Firewall` resource based approach in the Gardener use-case. -Updates of the firewall rules should be possible through the metal-api. - -The firewall-controller itself should now be able to decide which of the two main strategies should be used for the base configuration: a kubeconfig or the metal-api. This should be possible through a dedicated _firewall-controller-config_. - -Using this config will now allow operators to fine-tune the data sources for all of its dynamic configuration tasks independently. -For example the data source of the core firewall rules could be set either from the `Firewall` resource located in the Gardener `Seed` or the metal-apiserver node network entity, while the CWNPs should be fetched and applied from a given kubeconfig (the `Shoot` Kubeconfig in the Gardener case). -This configuration file is intended to be injected during firewall creation through the userdata along with potential source connection credentials. - -```yaml -# the name of the firewall, defaulted to the hostname -name: best-firewall-ever - -sources: - seed: - kubeconfig: /path/to/seed.yaml # current gardener behavior - namespace: shoot--proj--name - shoot: - kubeconfig: /path/to/shoot.yaml # current gardener behavior - namespace: firewall - metal: - url: https://metal-api - hmac: some-hmac - type: Metal-View - projectID: abc - static: - # static should mirror all information provided by the metal or seed/shoot sources - firewall: # optional - controllerURL: https://... - cwnp: - egress: [] - ingress: [] - -# all sub-controllers running on the firewall -# each can be configured independently -controllers: - # this is the base controller - firewall: - source: seed # or: metal, static - - # these are optional: when not provided, they are disabled - selfUpdate: - enabled: true - droptailer: - enabled: true - - # these are optional: when not provided, they are disabled - service: - source: shoot # or: metal, static - cwnp: - source: shoot # or: metal, static - monitor: - source: shoot # currently only shoot is supported -``` - -The existing behavior of the firewall-controller writing into `/etc/nftables/firewall-controller.v4` is not changed. The different controller configuration sources are internally treated in the same way as before. The `static` source can be used to prevent the firewall-controller from crashing and consistently providing a static ruleset. This might be interesting for metal-stack native use cases or environments where the metal-api cannot be accessed. - -There must be one central nftables-rule-file-controller that is notified and triggered by all other controllers that contribute to the nftables configuration. - -For example, in order to maintain the existing Gardener integration, the configuration file for the firewall-controller will look like this: - -```yaml -name: shoot--abc--cluster-firewall-def -sources: - seed: - kubeconfig: /etc/firewall-controller/seed.yaml - namespace: shoot--abc--cluster - shoot: - kubeconfig: /etc/firewall-controller/shoot.yaml - namespace: firewall - -controllers: - firewall: - source: seed - - selfUpdate: - enabled: true - droptailer: - enabled: true - - service: - source: shoot - cwnp: - source: shoot - monitor: - source: shoot -``` - -Plain metal-stack users might use a configuration like this: - -```yaml -name: best-firewall-ever - -sources: - metal: - url: https://metal-api - hmac: some-hmac - type: Metal-View - projectID: abc - -controllers: - firewall: - source: metal - selfUpdate: - enabled: true - droptailer: - enabled: true - - cwnp: - # firewall rules stored in firewall entity - # potential improvement would be to attach the rules to the node network entity - # be aware that the firewall and private networks are immutable - # eventually we introduce a firewall ruleset entity - source: metal -``` - -In highly restricted environments that cannot access metal-api the static source could be used: - -```yaml -name: most-restricted-firewall-ever - -sources: - static: - firewall: - controllerURL: https://... - cwnp: - egress: [] - ingress: [] - -controllers: - firewall: - source: static - - cwnp: - source: static -``` - -### Non-Goals - -- Resolving the missing differentiation between users and administrators by letting users pass userdata and SSH keys to the firewall creation. - - This is even more related to [MEP-4](../MEP4/README.md) than this MEP. - -### Advantages - -- Offers a native metal-stack solution that improves managing firewalls for users by adding dynamic reconfiguration through the metal-api - - e.g., in the mini-lab, users can now allocate a machine, then an IP address and announce this IP from the machine without having to re-create the firewall but by adding a firewall rule to the metal-api. -- Improve consistency throughout the API (firewall rules would reflect what is persisted in metal-api). -- Other providers like Cluster API can leverage this approach, too. -- It can contribute to solving the shoot migration issue (in Cluster API case the `clusterctl move` for firewall objects) - - For Gardener takes the seed out of the equation (of which the kubeconfig changes during shoot migration) - - However: Things like egress rules, rate limiting, etc. are currently not part of the firewall or network entity in the metal-api. These would need to be added to one of them. -- Potentially resolve the issue that end-users can manipulate accounting data of the firewall through the `FirewallMonitor` - - for this we would need to be able to report traffic data to metal-api - -### Caveats - -- Metal-View access is too broad for firewalls. Mitigated by [MEP-4](../MEP4/README.md). -- Polling of the firewall-controller is bad for performance. Mitigated by [MEP-4](../MEP4/README.md). - -### Firewall Controller Manager - -Currently the firewall-controller-manager expects the creators of a `FirewallDeployment` to use the defaulting webhook that is tailored to the Gardener integration in order to generate `Firewall.spec.userdata` or to override it manually. Currently `Firewall.spec.userdata` will never be set explicitly. - -Instead we'd like to propose `Firewall.spec.userdataContents` which will replace the old `userdata`-string by a typed data structure. The FCM will do the heavy lifting while the `FirewallDeployment` creator decides what should be configured. - -```yaml -kind: FirewallDeployment -spec: - template: - spec: - userdataContents: - - path: /etc/firewall-controller/config.yaml - content: | - --- - sources: - static: {} - controllers: - firewall: - source: static - - path: /etc/firewall-controller/seed.yaml - secretRef: - name: seed-kubeconfig - generateFirewallControllerKubeconfig: true - - path: /etc/firewall-controller/shoot.yaml - secretRef: - name: shoot-kubeconfig -``` - -### Gardener Extension Provider Metal Stack - -The GEPM should be migrated to the new `Firewall.spec.userdataContents` field. - -### Cluster API Provider Metal Stack - -![architectural overview](firewall-for-capms-overview.svg) - -In Cluster API there are essentially two main clusters: the management cluster and the workload cluster while the CAPMS takes in the role of the GEPM. -Typically a local bootstrap cluster is created in KinD which acts as the management cluster. It creates the workload cluster. Thereafter the ownership of the workload cluster is typically moved (using `clusterctl move`) to a different cluster which will then become the management cluster. -The new management cluster might actually be the workload cluster itself. - -In contrast to Gardener, Cluster API aims to be less opinionated and minimal. It is common practice to not install any non-required components or CRDs into the workload cluster by default. Therefore we cannot expect custom resources like `ClusterwideNetworkPolicy` or `FirewallMonitor` to be installed in the workload cluster but strongly recommend our users to do it. Therefore it's the responsibility of the operator to tell [cluster-api-provider-metal-stack](https://github.com/metal-stack/cluster-api-provider-metal-stack) the kubeconfig for the cluster where these CRDs are installed and defined in. - -A viable configuration for a `MetalStackCluster` that generates firewall rules based of `Service` type `LoadBalancer` and `ClusterwideNetworkPolicy` and expects them to be deployed in the workload cluster is shown below. The `FirewallMonitor` will be reported into the same cluster. - -```yaml -kind: MetalStackCluster -metadata: - name: ${CLUSTER_NAME} -spec: - firewallTemplate: - userdataContents: - - path: /etc/firewall-controller/config.yaml - secretName: ${CLUSTER_NAME}-firewall-controller-config - - - path: /etc/firewall-controller/workload.yaml - # this is the kubeconfig generated by kubeadm - secretName: ${CLUSTER_NAME}-kubeconfig ---- -kind: Secret -metadata: - name: ${CLUSTER_NAME}-firewall-controller-config -stringData: - controllerConfig: | - --- - name: ${CLUSTER_NAME}-firewall - - sources: - metal: - url: ${METAL_API_URL} - hmac: ${METAL_API_HMAC} - type: ${METAL_API_HMAC_TYPE} - projectID: ${METAL_API_PROJECT_ID} - shoot: - kubeconfig: /etc/firewall-controller/workload.yaml - namespace: firewall - - controllers: - firewall: - source: metal - selfUpdate: - enabled: true - droptailer: - enabled: true - - service: - source: shoot - cwnp: - source: shoot - monitor: - source: shoot -``` - -Here the firewall-controller-config will be referenced by the `MetalStackCluster` as a `Secret`. Please note that the `Secret`s in `userdataContents` will not be fetched and will directly be passed to the `FirewallDeployment`. At first the reconciliation of it in the FCM will fail due to the missing Kubeconfig secret. After the `MetalStackCluster` has been marked as ready, CAPI will create this missing secret. Effectively the firewall and initial control plane node should be created at the same time. - -This approach allows maximum flexibility as intended by Cluster API and is still able to provide robust rolling updates of firewalls. - -An advanced use case of this flexibility would be a management cluster, that is in charge of multiple workload clusters. Where one workload cluster acts as a monitoring or tooling cluster, receives logs and the firewall monitor for the other workload clusters. The CWNPs could be defined here, all in a separate namespace. - -#### Cluster API Caveats - -When the cluster is pivoted and reconciles its own firewall, a malfunctioning firewall prevents the cluster from self-healing and requires manual intervention by creating a new firewall. This is an inherent problem of the cluster-api approach. It can be circumvented by using an extra cluster to manage workload clusters. - -In the current form of this approach firewalls and therefore the firewall egress and ingress rules are managed by the cluster operators that manage the cluster-api resources. -Hence it will not be possible to gain a fine-grained control over every cluster operator's choices from a central ruleset at the level of metal-stack firewalls. -In case this control surfaces as a requirement, it would need to be implemented in a firewall external to metal-stack. - -## Roadmap - -In general this proposal is not thought to be implemented in one batch. Instead an incremental approach is required. - -1. Enhance firewall-controller - - - Reduce coupling between controllers - - Introduce controller config - - Abstract module to write into distinct nftable rules for every controller - - Implement `sources.static`, but not `sources.metal` - - GEPM should set `FirewallDeployment.spec.template.spec.userdataContents` - -2. Allow Cluster API to use the FCM with static ruleset - - - Add `firewall.metal-stack.io/paused` annotation (managed by CAPMS during `clusterctl move`, theoretically useful for Gardener shoot migration as well to avoid shallow deletion). - - Reconcile multiple `FirewallDeployment` resources across multiple namespaces. For Gardener the old behavior of reconciling only one namespace should persist. - - Allow setting the `firewall.metal-stack.io/no-controller-connection` annotation through the `FirewallDeployment` (either through the template or inheritance). - - Add `MetalStackCluster.spec.firewallTemplate`. - - Make `MetalStackCluster.spec.nodeNetworkID` optional if `spec.firewallTemplate` given. - -3. Add `sources.metal` as configuration option. - - - Allow updates of firewall rules in the metal-apiserver. - - Depends on [MEP-4](../MEP4/README.md) metal-apiserver progress - -4. Potentially migrate the GEPM to use `sources.metal` diff --git a/versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP16/firewall-for-capms-overview.drawio b/versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP16/firewall-for-capms-overview.drawio deleted file mode 100644 index faea3e3d..00000000 --- a/versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP16/firewall-for-capms-overview.drawio +++ /dev/null @@ -1,4 +0,0 @@ - - - -
handles traffic
Firewall
Firewall Controller
node-exporter
nftables-exporter
droptailer-client
Workload Cluster
droptailer
Configures
Bootstrap or Management Cluster
reconcile
configures
reconcile
Cluster API Provider metal-stack
Metal Stack Cluster CRD
Firewall Deployment CRD
Firewall CRD
Firewall Set CRD
rec
reconcile
reconcile
Firewall Controller Manager
Metal Stack Machine CRD
manages
Admin
Kubeconfig FirewallMonitor
FirewallMonitor CRD
main metal-api
Firewall entity
kubeconfig CWNP
Clusterwide Network Policy CRD
base config
controllerConfig
user-defined
network rules
reports firewall
state
send firewall log lines
controllerConfig
controllerConfig
 \ No newline at end of file diff --git a/versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP16/firewall-for-capms-overview.svg b/versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP16/firewall-for-capms-overview.svg deleted file mode 100644 index 853f8175..00000000 --- a/versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP16/firewall-for-capms-overview.svg +++ /dev/null @@ -1 +0,0 @@ -
handles traffic
handles traffic
Firewall
Firewall
Firewall Controller
Firewall Controller
node-exporter
node-exporter
nftables-exporter
nftables-exporter
droptailer-client
droptailer-client
Workload Cluster
Workload Cluster
droptailer
droptailer
Configures
Configures
Bootstrap or Management Cluster
Bootstrap or Management Cluster
reconcile
reconcile
configures
configures
reconcile
reconcile
Cluster API Provider metal-stack
Cluster API Provider...
Metal Stack Cluster CRD
Metal Stack Cluster...
Firewall Deployment CRD
Firewall Deployment...
Firewall CRD
Firewall CRD
Firewall Set CRD
Firewall Set CRD
rec
rec
reconcile
reconcile
reconcile
reconcile
Firewall Controller Manager
Firewall Controller...
Metal Stack Machine CRD
Metal Stack Machine...
manages
manages
Admin
Admin
Kubeconfig FirewallMonitor
Kubeconfig FirewallMonitor
FirewallMonitor CRD
FirewallMonitor CRD
main metal-api
main metal-api
Firewall entity
Firewall entity
kubeconfig CWNP
kubeconfig CWNP
Clusterwide Network PolicyCRD
Clusterwide Network...
base config
base config
controllerConfig
controllerConfig
user-defined
network rules
user-defined...
reports firewall
state
reports firewall...
send firewall log lines
send firewall log lines
controllerConfig
controllerConfig
controllerConfig
controllerConfigText is not SVG - cannot display \ No newline at end of file diff --git a/versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP17/README.md b/versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP17/README.md deleted file mode 100644 index 35f48970..00000000 --- a/versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP17/README.md +++ /dev/null @@ -1,61 +0,0 @@ ---- -slug: /MEP-17-global-network-view -title: MEP-17 -sidebar_position: 17 ---- - -# Global Network View - -> [!IMPORTANT] -> This MEP assumes the implementation of the metal-apiserver as described by [MEP-4](../MEP4/README.md) which is currently work in progress. - -Having a complete view of the network topology is useful when working with deployments or troubleshooting connectivity issues. -Currently, the API doesn't know of any other switches than the leaf switches. -Information about all other switches and their connections must be gathered from Ansible inventories or by accessing the switches via SSH. -Documentation of each partition's network must be kept in-sync with all changes made to the deployment or cabling. -We would like to expand the API's knowledge of the network to the entire underlay including inter-switch connections as well as BGP statistics and health status. - -## Switch Types - -Registering a switch at the API is done by the metal-core. -Apart from that, it also reconciles port and FRR configuration to adapt to the machine provisioning cycle. -This reconfiguration is only necessary on the leaf switches. -To allow deploying the metal-core on other switches than leaves we need a way of telling it what type of switch it is running on so it can act accordingly. -On any non-leaf switches it will only register the switch and report statistic but not change any configuration. -Supported switch types are - -- `leaf` -- `spine` -- `exit` -- `mgmtleaf` -- `mgmtspine` - -## Network Topology - -All switches should periodically report their LLDP neighbors and port configuration. -This information can be used to quickly identify common network issues, like MTU mismatch or the like. -Ideally, there would be some graphical representation of the network topology containing only the most important information for a quick overview. -It should contain all switches and machines as nodes and all connections as edges of a graph. -Ports, VRFs, and maybe also IPs should be associated with a connection. - -Apart from the topology graph, there should be a way to display more detailed information about both ports of a connection, like - -- MTU -- speed -- IP -- UP/DOWN status -- VRF -- VLAN -- whether it participates in a BGP session - -## BGP Announcements - -The metal-core should collect all routes it knows about and send them to the API along with a timestamp. -Reported routes should be stored to a redis database along with the switch that reported them and the timestamp of the last time they were reported. -An expiration threshold should be defined and all expired routes should be cleaned up periodically. -Whenever new routes are reported they get merged into the existing ones by the strategy: - -- when new, just add -- when existing, update `last_announced` timestamp - -By querying the BGP announcements we can find out whether an allocated IP is still in use. diff --git a/versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP18/README.md b/versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP18/README.md deleted file mode 100644 index 9c02c0b7..00000000 --- a/versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP18/README.md +++ /dev/null @@ -1,147 +0,0 @@ ---- -slug: /MEP-18-autonomous-control-plane -title: MEP-18 -sidebar_position: 18 ---- - -# Autonomous Control Plane - -As described in the [deployment chapter](../../../docs/04-For%20Operators/03-deployment-guide.mdx), we strongly recommend Kubernetes as the target platform for running the metal-stack control plane. - -Kubernetes clusters for this purpose are readily available from hyperscalers, metalstack.cloud, or other cloud providers. Simply using a managed Kubernetes cluster greatly simplifies a metal-stack installation. However, sometimes it might be desirable to host the metal-stack control plane autonomously, without the help of another cloud provider. Reasons for this might include corporate policies that prohibit the use of external data center products, or network constraints. - -The Kubernetes cluster hosting the metal-stack control plane must provide at least the following features: - -- Load balancing (for exposing the APIs) -- Persistent storage (for the databases and key-value stores) -- Access to object storage for automated backups of the stateful sets -- Access to a DNS provider supported by one of the used DNS extensions -- Externally accessible DNS records for obtaining officially signed certificates through DNS challenges - -This metal-stack control plane cluster must also be highly available to prevent a complete loss of control over the managed resources in the data center. -Regular Kubernetes updates to apply security fixes and feature updates must be possible in an automated manner. The Day-2 operational overhead of running this cluster in your own datacenter must be reasonable. - -In this chapter, we propose a solution for setting up a metal-stack environment with an autonomous control plane that is independent of another cloud provider. - -## Use Your Own Dogfood - -The most obvious solution is to just deploy a Kubernetes cluster manually in your own data center by utilizing existing tooling for the deployment: - -- k3s -- kubeadm -- vmware and rancher -- talos -- kubespray -- ... (not a complete list) - -However, all these solutions add another layer of complexity that needs to be maintained and operated by people who also need to learn and understand metal-stack. In general, metal-stack in combination with [Gardener](https://gardener.cloud) contains all the necessary tools to provide KaaS, so it makes sense to reuse what is already in place without introducing new dependencies on other products and vendors. - -The only problem here is that Gardener is not yet able to create an initial cluster, which may change with the implementation of [GEP-28](https://github.com/gardener/gardener/blob/master/docs/proposals/28-autonomous-shoot-clusters.md). In the meantime, we suggest using [k3s](https://k3s.io/), which manages the initial metal-stack partition to host the control plane, since the maintenance overhead is acceptable and it is easy to deploy. - -## The Matryoshka Principle - -Instead of directly using the K3s cluster for the production control plane, we propose using it as a minimal control plane cluster which only purpose is to host the production control plane cluster. This layer of indirection brings some reasonable advantages: - -- In the event of an interruption or loss of this minimal control plane cluster, the production control plane remains unaffected, and end users can continue to manage their clusters as normal. -- A dedicated operations team can take care of the Day-2 maintenance of this installation, which can be handy because the tools like k3s are a little different from the rest of the setup (it is likely that more manual maintenance is required than for any other cluster). This would also be true if the initial cluster problem would be solved by the Gardener itself and not using k3s. -- Since the number of shoot clusters to host is static, the resource requirements are minimal and will not change significantly over time. There are no huge resource requirements in terms of cpu, memory and storage. As such, the lack of scalability is not such a big issue. - -So, our proposal is to chain two metal-stack control planes. The initial control plane cluster would use k3s and on this cluster we can spin up a cluster for the production control plane with the use of Gardener. - -The following figure shows how the high-level architecture of this setup looks like. A even more simplified illustration of this setup can be looked up in the appendix[^1]. - -![Autonomous Control Plane Architecture](./autonomous-control-plane-images/metal-stack-autonomous-control-plane-full.svg) - -The k3s nodes can either be bare metal machines or virtual machines. When using VMs a single k3s node might be a viable solution, too. These nodes are supposed to be setup manually / partly automated with an operating system like Debian. - -To name the cluster that hosts the initial metal-stack control plane and Gardener we use the term _initial cluster_. The initial cluster creates worker nodes to host the _target cluster_. - -## Initial Cluster - -The initial cluster is kept very small. The physical bare metal machines can be any machines and switches which are supported by metal-stack, but can be smaller in terms of cpu, memory and network speed because these machines must only be capable of running the target cluster for the metal-stack control plane. A typical single socket server with 8-16 cores and 64GB of RAM and two NVMe drives of 1TB would be a good starting point. - -In a typical k3s setup, a stateful set would lose the data once the k3s cluster was terminated and started again. But there is a possibility to define parts of the local storage of the server to be provided to the k3s cluster for the PVCs. With that, k3s could be terminated and started again, for example to update and reboot the host os, or update k3s itself and the data will persist. - -Example k3s configuration for persistent storage on the hosts os: - -```yaml -k3s: Cluster -apiVersion: k3s.x-k8s.io/v1alpha4 -name: needle-control-plane -nodes: - - role: control-plane - # add a mount from /path/to/my/files on the host to /files on the node - extraMounts: - - hostPath: /path/to/my/files - containerPath: /files -``` - -Into this cluster metal-stack and Gardener will be deployed. This deployment can be done by a Gitlab runner which is running on this machine. -The mini-lab will be used as a base for this deployment. The current development of [gardener-in-minilab](https://github.com/metal-stack/mini-lab/pull/202) must be extended to host all required extensions to make this a working metal-stack control plane which can manage the machines in the attached bare metal setup. - -In addition to the metal-stack and Gardener deployment, some additional required services are deployed (non-complete list): - -- PowerDNS to serve as a DNS Server for all DNS entries used in the initial and the target cluster, like `api.initial.metal-stack.local`, `gardener-api.initial.metal-stack.local` and the DNS entries for the api servers of the created kubernetes clusters. -- NTP -- Monitoring for the initial cluster and partition -- Optional: OIDC Server for authenticating against the metal-api -- Optional: Container Registry to host all metal-stack and gardener containers -- Optional: Let's Encrypt [boulder](https://github.com/letsencrypt/boulder) as a certificate authority -- ... - -Physical view, minimal setup for a initial cluster with a single physical node: - -![Small Initial Cluster](autonomous-control-plane-images/small-initial-cluster.svg) - -Physical View, bigger ha setup which is spread across two data centers: - -![HA Initial Cluster](autonomous-control-plane-images/ha-initial-cluster.svg) - -### Control Plane High Availability - -Running the initial control plane on a single physical server is not as available as it should be in such a use case. It should be possible to survive a loss of this server, because the server could be lost by many events, such as hardware failure, disk corruption or even failure of the datacenter location where this server is deployed. - -Setting up a second server with the same software components is an option, but the problem of data redundancy must be solved, because neither the gardener control plane, nor the metal-stack control plane can be instantiated twice. - -Given that we provide part of the local storage of the server as backing storage for the stateful sets in the k3s cluster, the data stored on the server itself must be replicated to another server and backed up on a regular basis. - -The replication of ETCD can be achieved through [clustered configuration](https://docs.k3s.io/datastore/ha-embedded) of k3s. Components of metal-stack and Gardener can run standalone and already utilize backup-restore mechanism that must be configured accordingly. For two or more bare metal machine used for the initial cluster, a loadbalancing mechanism for the ingress is required. kube-vip could be a possible solution. - -For monitoring a backend like a Victoria Metrics Cluster would allow spearding the monitoring data across the initial cluster nodes. These metrics should also be backed up in object storage. - -### Partition - -The partition which is managed by the initial cluster can be a simple and small hardware setup but yet capable enough to host the target cluster. It would even be a good practice to create separate target clusters on the initial cluster, e.g. one for the metal-stack control plane and one for the Gardener (maybe one more for monitoring). - -It can follow the metal-stack minimal setup which provides about 8-16 small servers connected to a 1G/s or 10G/s network dataplane. Central storage is optional as the persistence of the services running in these clusters is always backed up to a central object storage. Operations would be much easier if a central storage is provided. - -## Target Cluster - -The target cluster is the metal-stack environment which serves for end-user production use, the control plane is running in a shoot hosted in the initial cluster. The seed(s) and shoot(s) for end-users are created on the machines provided by the target cluster. -These machines can be of a different type in terms of size, but more importantly, these machines are connected to another network dataplane. Also the management infrastructure is separated from the initial cluster management network. - -## Failure Scenarios - -Everything could fail, everything will fail at some point. But this must kept in mind and nothing bad should happen if only one component at a time fails. -If more than one fails, the restoration to a working state must be easily possible and well documented. - -To ensure all possible breakages are documented, we suggest writing a list which summarizes all failure scenarios that might occur including the remediation. - -Here is an example of how a scenario documentation could look like: - -**Scenario**: Initial cluster is gone, all machines have died -**Impact**: Management of the initial cluster infrastructure not possible anymore, the target cluster continues to run but cannot be managed because the API servers are gone. end-users are not affected by this incident. -**Remediation**: The initial cluster nodes must be provisioned from scratch and re-deployed through the CI mechanism. The backups of the stateful sets are automatically restored during this process. - -## Implementation - -As part of this proposal, we provide the following tools and integrations in order to setup an autonomous control plane: - -- Deployment roles for the services like PowerDNS and NTP for the initial cluster -- Stretch goal: Deployment role to setup k3s in clustered configuration for the initial cluster and update it -- Extend the Gardener on mini-lab integration to allow shoot creation in the mini-lab -- Steady integration of the setup (maybe something like [k3d](https://github.com/k3d-io/k3d) in the mini-lab) - -## Appendix - -[^1]: ![metal-stack-chain](autonomous-control-plane-images/metal-stack-chain.svg) diff --git a/versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP18/autonomous-control-plane-images/ha-initial-cluster.drawio b/versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP18/autonomous-control-plane-images/ha-initial-cluster.drawio deleted file mode 100644 index eafcb514..00000000 --- a/versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP18/autonomous-control-plane-images/ha-initial-cluster.drawio +++ /dev/null @@ -1,535 +0,0 @@ - - - - - - - - - - - - - - - - - - - 1 - - - - - 2 - - - - - 3 - - - - - 4 - - - - - 5 - - - - - 6 - - - - - 7 - - - - - 8 - - - - - 9 - - - - - 10 - - - - - 11 - - - - - 12 - - - - - - - - - - - - - -
-
-
- internet-router-management -
-
-
- - - internet-router-management - - - - - - - - - - - - - -
-
-
- management-switch-and-server -
-
-
- - - management-switch-and-server - - - - - - - - - - - - - -
-
-
- spine01 -
-
-
- - - spine01 - - - - - - - - - - - - - -
-
-
- leaf01 -
-
-
- - - leaf01 - - - - - - - - - - - - - -
-
-
- leaf02 -
-
-
- - - leaf02 - - - - - - - - - - - - - - - - - -
-
-
- - mirocloud (initial cluster partition nodes) - -
-
-
- - - mirocloud (initial cluster... - - - - - - - - - - - - - - - - - -
-
-
- - Initial cluster node 01 - -
-
-
- - - Initial cluster node 01 - - - - - - - - - - - - - - - - - 1 - - - - - 2 - - - - - 3 - - - - - 4 - - - - - 5 - - - - - 6 - - - - - 7 - - - - - 8 - - - - - 9 - - - - - 10 - - - - - 11 - - - - - 12 - - - - - - - - - - - - - -
-
-
- internet-router-management -
-
-
- - - internet-router-management - - - - - - - - - - - - - -
-
-
- management-switch-and-server -
-
-
- - - management-switch-and-server - - - - - - - - - - - - - -
-
-
- spine02 -
-
-
- - - spine02 - - - - - - - - - - - - - -
-
-
- leaf03 -
-
-
- - - leaf03 - - - - - - - - - - - - - -
-
-
- leaf04 -
-
-
- - - leaf04 - - - - - - - - - - - - - - - - - -
-
-
- - Initial cluster node 02 - -
-
-
- - - Initial cluster node 02 - - - - - - - - - - - - - - - - - -
-
-
- - Initial cluster node 03 - -
-
-
- - - Initial cluster node 03 - - - - - - - - - - - - - - - - - -
-
-
- - mirocloud (initial cluster partition nodes) - -
-
-
- - - mirocloud (initial cluster... - - - - - - - - - - Text is not SVG - cannot display - - - - diff --git a/versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP18/autonomous-control-plane-images/ha-initial-cluster.svg b/versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP18/autonomous-control-plane-images/ha-initial-cluster.svg deleted file mode 100644 index 99261ada..00000000 --- a/versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP18/autonomous-control-plane-images/ha-initial-cluster.svg +++ /dev/null @@ -1 +0,0 @@ -123456789101112
internet-router-management
internet-router-management
management-switch-and-server
management-switch-and-server
spine01
spine01
leaf01
leaf01
leaf02
leaf02
mirocloud (initial cluster partition nodes)
mirocloud (initial cluster...
Initial cluster node 01
Initial cluster node 01123456789101112
internet-router-management
internet-router-management
management-switch-and-server
management-switch-and-server
spine02
spine02
leaf03
leaf03
leaf04
leaf04
Initial cluster node 02
Initial cluster node 02
Initial cluster node 03
Initial cluster node 03
mirocloud (initial cluster partition nodes)
mirocloud (initial cluster...Text is not SVG - cannot display \ No newline at end of file diff --git a/versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-autonomous-control-plane-full.drawio b/versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-autonomous-control-plane-full.drawio deleted file mode 100644 index aae8a12d..00000000 --- a/versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-autonomous-control-plane-full.drawio +++ /dev/null @@ -1,1133 +0,0 @@ - - - - - - - - - - - - - - - - - - - -
-
-
- Initial Cluster -
-
-
- - - Initial Cluster - - - - - - - - - - - - - - - - - - -
-
-
- metal-roles -
-
-
- - - metal-roles - - - - - - - - - - - -
-
-
- CI -
-
-
- - - CI - - - - - - - - - - - -
-
-
- K3s Standalone - - - (on Debian) - - -
-
-
- - - K3s Standalone (on Debian) - - - - - - - - - - - - - - - - - - - - - -
-
-
- Initial Partition -
-
-
- - - Initial Partition - - - - - - - - - - - - - - - - - -
-
-
- Target Cluster for metal-stack -
-
-
- - - Target Cluster for metal-stack - - - - - - - - - - - - - - - - - -
-
-
- Metal Control Plane -
-
-
- - - Metal Control Plane - - - - - - - - - - - - - - - -
-
-
- provisions -
-
-
- - - provisions - - - - - - - - - - - - - - - - - -
-
-
- Target Cluster for Gardener -
-
-
- - - Target Cluster for Gardener - - - - - - - - - - - - - - -
-
-
- Gardener Control Plane -
-
-
- - - Gardener Control Plane - - - - - - - - - - - - - - - - - - - - - -
-
-
- Monitoring -
-
-
- - - Monitoring - - - - - - - - - - - - - - - - - - - - -
-
-
- Target Partition -
-
-
- - - Target Partition - - - - - - - - - - - - - - -
-
-
- Gardener Seeds and End-User Shoots -
-
-
- - - Gardener Seeds and End-User Shoots - - - - - - - - - - - - - - - -
-
-
- provisions -
-
-
- - - provisions - - - - - - - - - - - - -
-
-
- metal-roles -
-
-
- - - metal-roles - - - - - - - - - - - -
-
-
- CI -
-
-
- - - CI - - - - - - - - - - - - -
-
-
- metal-roles -
-
-
- - - metal-roles - - - - - - - - - - - - - - -
-
-
- ETCD can be clustered or standalone, backed up by sidecar -
-
-
- - - ETCD can be clustere... - - - - - - - - - - - - - - -
-
-
- This data will get lost in case local PV gets deleted -
-
-
- - - This data will get l... - - - - - - - - - - - - - - -
-
-
- We can work with local PVs here, too. -
- backup-restore-sidecar for metal-stack databases, for big ones Postgres clustered. -
-
-
- - - We can work with local PVs he... - - - - - - - - - - - -
-
-
- ETCD will be deployed in HA configuration on local PVs. -
-
- csi-driver-lvm needs to implement auto deletion of orphaned PVs. -
-
- Seed metrics get lost, but they report to the monitoring in the Metal Control Plane Shoot. -
-
-
- - - ETCD will be deployed in HA c... - - - - - - - - - - - - - - -
-
-
- More sophisticated storage solutions can be in place. -
-
- (Lightbits, NetApp, ...) -
-
-
- - - More sophisticated storage so... - - - - - - - - - - - - - - -
-
-
- TODO: Evaluate how to persist these metrics. -
-
-
- - - TODO: Evaluate how to persist... - - - - - - - - - - - - - - -
-
-
- - 1 VM or -
- -
- - - 3 Bare Metal Machines - - -
-
-
-
- - - 1 VM or... - - - - - - - - - - - - - - - - - - -
-
-
- metal-stack -
-
-
- - - metal-stack - - - - - - - - - - - -
-
-
- metal-api -
-
-
- - - metal-api - - - - - - - - - - - -
-
-
- metal-db -
-
-
- - - metal-db - - - - - - - - - - - -
-
-
- ipam-db -
-
-
- - - ipam-db - - - - - - - - - - - -
-
-
- masterdata-db -
-
-
- - - masterdata-db - - - - - - - - - - - -
-
-
- headscale-db -
-
-
- - - headscale-db - - - - - - - - - - - -
-
-
- auditing-db -
-
-
- - - auditing-db - - - - - - - - - - - -
-
-
- nsqd -
-
-
- - - nsqd - - - - - - - - - - - - - - - -
-
-
- Gardener -
-
-
- - - Gardener - - - - - - - - - - - - - - -
-
-
- Virtual Garden -
-
-
- - - Virtual Garden - - - - - - - - - - - -
-
-
- Gardener Control Plane -
-
-
- - - Gardener Control Plane - - - - - - - - - - - -
-
-
- gardenlet -
-
-
- - - gardenlet - - - - - - - - - - - -
-
-
- Garden etcd -
-
-
- - - Garden etcd - - - - - - - - - - - -
-
-
- Prometheus -
-
-
- - - Prometheus - - - - - - - - - - - - - - - -
-
-
- Monitoring -
-
-
- - - Monitoring - - - - - - - - - - - - - - -
-
-
- - Gitlab - -
- - Runner - -
-
-
-
- - - Gitlab... - - - - - - - - - - - - - - -
-
-
- Services -
-
-
- - - Services - - - - - - - - - - - -
-
-
- PowerDNS -
-
-
- - - PowerDNS - - - - - - - - - - - -
-
-
- boulder -
-
-
- - - boulder - - - - - - - - - - - -
-
-
- NTP -
-
-
- - - NTP - - - - - - - - - - - -
-
-
- OIDC -
-
-
- - - OIDC - - - - - - - - - - - -
-
-
- ... -
-
-
- - - ... - - - - - - - - - - Text is not SVG - cannot display - - - - diff --git a/versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-autonomous-control-plane-full.svg b/versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-autonomous-control-plane-full.svg deleted file mode 100644 index e58e783b..00000000 --- a/versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-autonomous-control-plane-full.svg +++ /dev/null @@ -1 +0,0 @@ -
Initial Cluster
Initial Cluster
metal-roles
metal-roles
CI
CI
K3s Standalone(on Debian)
K3s Standalone (on Debian)
Initial Partition
Initial Partition
Target Cluster for metal-stack
Target Cluster for metal-stack
Metal Control Plane
Metal Control Plane
provisions
provisions
Target Cluster for Gardener
Target Cluster for Gardener
Gardener Control Plane
Gardener Control Plane
Monitoring
Monitoring
Target Partition
Target Partition
Gardener Seeds and End-User Shoots
Gardener Seeds and End-User Shoots
provisions
provisions
metal-roles
metal-roles
CI
CI
metal-roles
metal-roles
ETCD can be clustered or standalone, backed up by sidecar
ETCD can be clustere...
This data will get lost in case local PV gets deleted
This data will get l...
We can work with local PVs here, too.
backup-restore-sidecar for metal-stack databases, for big ones Postgres clustered.
We can work with local PVs he...
ETCD will be deployed in HA configuration on local PVs.

csi-driver-lvm needs to implement auto deletion of orphaned PVs.

Seed metrics get lost, but they report to the monitoring in the Metal Control Plane Shoot.
ETCD will be deployed in HA c...
More sophisticated storage solutions can be in place.

(Lightbits, NetApp, ...)
More sophisticated storage so...
TODO: Evaluate how to persist these metrics.
TODO: Evaluate how to persist...
1 VM or
3 Bare Metal Machines
1 VM or...
metal-stack
metal-stack
metal-api
metal-api
metal-db
metal-db
ipam-db
ipam-db
masterdata-db
masterdata-db
headscale-db
headscale-db
auditing-db
auditing-db
nsqd
nsqd
Gardener
Gardener
Virtual Garden
Virtual Garden
Gardener Control Plane
Gardener Control Plane
gardenlet
gardenlet
Garden etcd
Garden etcd
Prometheus
Prometheus
Monitoring
Monitoring
Gitlab
Runner
Gitlab...
Services
Services
PowerDNS
PowerDNS
boulder
boulder
NTP
NTP
OIDC
OIDC
...
...Text is not SVG - cannot display \ No newline at end of file diff --git a/versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-chain.drawio b/versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-chain.drawio deleted file mode 100644 index cd5cf007..00000000 --- a/versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-chain.drawio +++ /dev/null @@ -1,404 +0,0 @@ - - - - - - - - - - -
-
-
- Partition 1 -
-
-
- - - Partition 1 - - - - - - - -
-
-
- seeds -
-
-
- - - seeds - - - - - - - -
-
-
- shoots -
-
-
- - - shoots - - - - - - - - - -
-
-
- Partition 2 -
-
-
- - - Partition 2 - - - - - - - -
-
-
- seeds -
-
-
- - - seeds - - - - - - - -
-
-
- shoots -
-
-
- - - shoots - - - - - - - - - -
-
-
- Partition 3 -
-
-
- - - Partition 3 - - - - - - - -
-
-
- seeds -
-
-
- - - seeds - - - - - - - -
-
-
- shoots -
-
-
- - - shoots - - - - - - - - - -
-
-
- Production Control Plane -
-
-
- - - Production Control Plane - - - - - - - -
-
-
- metal-stack -
- kubernetes cluster -
-
-
- - - metal-stack... - - - - - - - -
-
-
- gardener -
- kubernetes cluster -
-
-
- - - gardener... - - - - - - - -
-
-
- - Manages - -
-
-
- - - Manages - - - - - - - - - - - -
-
-
- Control Plane Partition -
-
-
- - - Control Plane Partition - - - - - - - - -
-
-
- backup of stateful sets -
-
-
- - - backup of stateful sets - - - - - - - - - -
-
-
- bare metal machine -
-
-
- - - bare metal machine - - - - - - - -
-
-
- metal-stack -
- and -
- gardener -
- kubernetes cluster -
- running in kind -
-
-
- - - metal-stack... - - - - - - - -
-
-
- - Manages - -
-
-
- - - Manages - - - - - - - - -
-
-
- S3 -
-
-
- - - S3 - - - - - - - -
-
-
- Needle -
-
-
- - - Needle - - - - - - -
-
-
- - Nail - -
-
-
- - - Nail - - - - - - - - - Text is not SVG - cannot display - - - - \ No newline at end of file diff --git a/versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-chain.svg b/versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-chain.svg deleted file mode 100644 index 8f88ba14..00000000 --- a/versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-chain.svg +++ /dev/null @@ -1 +0,0 @@ -
Partition 1
Partition 1
seeds
seeds
shoots
shoots
Partition 2
Partition 2
seeds
seeds
shoots
shoots
Partition 3
Partition 3
seeds
seeds
shoots
shoots
Production Control Plane
Production Control Plane
metal-stack
kubernetes cluster
metal-stack...
gardener
kubernetes cluster
gardener...
Manages
Manages
Control Plane Partition
Control Plane Partition
backup of stateful sets
backup of stateful sets
bare metal machine
bare metal machine
metal-stack
and
gardener
kubernetes cluster
running in kind
metal-stack...
Manages
Manages
S3
S3
Needle
Needle 
Nail
NailText is not SVG - cannot display \ No newline at end of file diff --git a/versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP18/autonomous-control-plane-images/small-initial-cluster.drawio b/versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP18/autonomous-control-plane-images/small-initial-cluster.drawio deleted file mode 100644 index a75ee340..00000000 --- a/versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP18/autonomous-control-plane-images/small-initial-cluster.drawio +++ /dev/null @@ -1,234 +0,0 @@ - - - - - - - - - - - - - - - - - - - 1 - - - - - 2 - - - - - 3 - - - - - 4 - - - - - 5 - - - - - 6 - - - - - 7 - - - - - 8 - - - - - 9 - - - - - 10 - - - - - 11 - - - - - 12 - - - - - - - - - - - - - -
-
-
- internet-router-management -
-
-
- - - internet-router-management - - - - - - - - - - - - - -
-
-
- management-switch-and-server -
-
-
- - - management-switch-and-server - - - - - - - - - - - - - -
-
-
- leaf01 -
-
-
- - - leaf01 - - - - - - - - - - - - - -
-
-
- leaf02 -
-
-
- - - leaf02 - - - - - - - - - - - - - - - - - -
-
-
- Initial cluster node -
-
-
- - - Initial cluster node - - - - - - - - - - - - - - - - - -
-
-
- mirocloud (initial cluster partition nodes) -
-
-
- - - mirocloud (initial cluster... - - - - - - - - - - Text is not SVG - cannot display - - - - diff --git a/versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP18/autonomous-control-plane-images/small-initial-cluster.svg b/versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP18/autonomous-control-plane-images/small-initial-cluster.svg deleted file mode 100644 index a9d29f05..00000000 --- a/versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP18/autonomous-control-plane-images/small-initial-cluster.svg +++ /dev/null @@ -1 +0,0 @@ -123456789101112
internet-router-management
internet-router-management
management-switch-and-server
management-switch-and-server
leaf01
leaf01
leaf02
leaf02
Initial cluster node
Initial cluster node
mirocloud (initial cluster partition nodes)
mirocloud (initial cluster...Text is not SVG - cannot display \ No newline at end of file diff --git a/versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP2/README.md b/versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP2/README.md deleted file mode 100644 index c7f2360a..00000000 --- a/versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP2/README.md +++ /dev/null @@ -1,7 +0,0 @@ ---- -slug: /MEP-2-two-factor-authentication -title: MEP-2 -sidebar_position: 2 ---- - -# Two Factor Authentication diff --git a/versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP3/README.md b/versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP3/README.md deleted file mode 100644 index 5ce36721..00000000 --- a/versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP3/README.md +++ /dev/null @@ -1,67 +0,0 @@ ---- -slug: /MEP-3-machine-re-installation -title: MEP-3 -sidebar_position: 3 ---- - -# Machine Re-Installation - -In the current metal-api only machine installations are possible, performing a machine upgrade is only possible by creating a new machine and delete the old one. -This has the drawback that in case a lot of data is stored on the local disks, a full restore of the original data must be performed. - -To prevent this, we will introduce a new metal-api endpoint to reinstall the machine with a new image, _without_ actually deleting the data stored on the additional hard disks. - -Storage is a difficult task to get right and reliable. A short analysis of our different storage requirements lead to 3 different scenarios. - -- Storage for the etcd pvs in the seed cluster of every partition. - This is the most important storage in our setup because these etcd pods serve as configuration backend for all customer kubernetes clusters. If they fail, the cluster is down. However gardener deploys a backup and restore sidecar into the etcd pod of every customer kubernetes control plane, and if this sidecar detects a corrupt or missing etcd database file(s) it starts automatic restore from the configured backup location. This will take some minutes. If for example a node dies, and gardener creates a new node instead, the csi-lvm created pv is not present on that node. Kubernetes will not schedule the missing etcd pod on this node because it has a local PV configured and is therefore tainted to run only on that node. To let kubernetes create that pod anyhow, someone has to either remove the taint, or delete the pod. If this is done, the pod starts and the restore of the etcd data can start as well. You can see this is a bit too complicated and will take the customer cluster down for a while (not measured yet but in the range of 5-10 minutes). -- Storage in customer clusters. - This was not promised in 2020. We have a intermediate solution with the provisioning of csi-lvm by default into all customer clusters. Albeit this is only local storage and will get deleted if a node dies. -- S3 Storage. - We have two possibilities to cope with storage: - - In place update of the OS with a daemonset - This will be fast and simple, but might fail because the packages being installed are broken right now, or a filesystem gets full, or any other failure you can think of during a os update. Another drawback is that metal-api does not reflect the updated os image. - - metal-api get a machine reinstall endpoint - With this approach we leverage from existing and already proven mechanisms. Reinstall must keep all data except the sata-dom. Gardener currently is not able to do an update with this approach because it can only do `rolling` updates. Therefore a additional `osupdatestrategy` has to be implemented for metal and other providers in gardener to be able to leverage the metal reinstall on the same machineID approach. - -If reinstall is implemented, we should focus on the same technology for all scenarios and put ceph via rook.io into the kubernetes clusters as additional StorageClass. It has to be checked whether to use the raw disk or a PV as the underlay block device where ceph stores its data. - -## API and behavior - -The API will get an new endpoint "reinstall" this endpoint takes two arguments: - -- machineID -- image - -No other aspects of the machine can be modified during the re-installation. All data stored in the existing allocation will be preserved, only the image will be modified. -Once this endpoint was called, the machine will get a `reboot` signal with the boot order set to PXE instead of HDD and the network interfaces on the leaf are set to PXE as well. Then the normal installation process starts: - -- unchanged: PXE boot with metal-hammer -- changed: metal-hammer first checks with the machineID in the metal-api (through metal-core) if there is already a allocation present -- changed: if a allocation is present and the allocation has set `reinstall: true`, wipe disk is only executed for the root disk, all other disks are untouched. -- unchanged: the specified image is downloaded and burned, `/install.sh` is executed -- unchanged: successful installation is reported back, network is set the the vrf, boot order is set to HDD. -- unchanged: distribution kernel is booted via kexec - -We can see that the `allocation` requires one additional parameter: `reinstall` and metal-hammer must check for already existing allocation at an earlier stage. - -Components which requires modifications (first guess): - -- metal-hammer: - - check for allocation present earlier - - evaluation of `reinstall` flag set - - wipe of disks depends on that flag - - Bonus: move configuration of disk layout and primary disk detection algorithm (PDDA) from metal-hammer into metal-api. - metal-api **MUST** reject reinstallation if the disk found by PDDA does not have the `/etc/metal` directory! -- metal-core: - - probably nothing -- metal-api: - - new endpoint `/machine/reinstall` - - add `Reinstall bool` to data model of `allocation` - - make sure to reset `Reinstall` after reinstallation to prevent endless reinstallation loop -- metalctl: - - implement `reinstall` -- metal-go: - - implement `reinstall` -- gardener (longterm): - - add the `OSUpgradeStrategy` `reinstall` diff --git a/versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP4/README.md b/versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP4/README.md deleted file mode 100644 index 389a02d4..00000000 --- a/versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP4/README.md +++ /dev/null @@ -1,211 +0,0 @@ ---- -slug: /MEP-4-multi-tenancy-for-the-metal-api -title: MEP-4 -sidebar_position: 4 ---- - -# Multi-Tenancy for the metal-api -:::info -This document is work in progress. -::: - -In the past we decided to treat the metal-api as a "low-level API", i.e. the API does not specifically deal with projects and tenants. A user with editor access can for example assign machines to every project he desires, he can see all the machines available and can control them. We tried to keep the metal-api code base as small as possible and we added resource scoping to a "higher-level APIs". From there, a user would be able to only see his own clusters and IP addresses. - -As time passed metal-stack has become an open-source project and people are willing to adopt. Adopters who want to put their own technologies on top of the metal-stack infrastructure don't have those "higher-level APIs" that we implemented closed-source for our user base. So, external adopters most likely need to implement resource scoping on their own. - -Introducing multi-tenancy to the metal-api is a serious chance of making our product better and more successful as it opens the door for: - -- Becoming a "fully-featured" API -- Narrowing down attack surfaces and possibility of unintended resource modification produced by bugs or human errors -- Discouraging people to implement their own scoping layers in front of the metal-stack -- Gaining performance through resource scopes -- Letting untrusted / third-parties work with the API - -## Requirements - -These are some general requirements / higher objectives that MEP-4 has to fulfill. - -- Should be able to run with mini-lab without requiring to setup complex auth backends (dex, LDAP, keycloak, ...) - - Simple to start with, more complex options for production setups -- Fine-grained access permissions (every endpoint maps to a permission) -- Tenant scoping (disallow resource access to resources of other tenants) -- Project scoping (disallow resource access to resources of other projects) -- Access tokens in self-service for technical user access - -## Implementation - -We gathered a lot of knowledge while implementing a multi-tenancy-capable backend for metalstack.cloud. The goal is now to use the same technology and adopt that to the metal-api, this includes: - -- gRPC in combination with connectrpc -- OPA for making auth decisions -- REST HTTP only for OIDC login flows - -### API Definitions - -The API definitions should be located on a separate Github repository separate from the server implementation. The proposed repository location is: https://github.com/metal-stack/api. - -This repository contains the `proto3` specification of the exposed metal-stack api. This includes the messages, simple validations, services and the access permission to these services. The input parameters for the authorization in the backend are generated from the `proto3` annotations. - -Client implementations for the most relevant languages (go, python) are generated automatically. - -This api is divided into end-user and admin access at the top level. The proposed APIs are: - -- `metalstack.api.v2`: For end-user facing services -- `metalstack.admin.v2`: For operators and controllers which need access to unscoped entities - -The methods of the API can have different role scopes (and can be narrowed down further with fine-grained method permissions): - -- `tenant`: Tenant-scoped methods, e.g. project creation (tenant needs to be provided in the request payload) - - Available roles: VIEWER, EDITOR, OWNER -- `project`: Project-scoped methods, e.g. machine creation (tenant needs to be provided in the request payload) - - Available roles: VIEWER, EDITOR, OWNER -- `admin` Admin-scoped methods, e.g. unscoped tenant list or switch register - - Available roles: VIEWER, EDITOR - -And has methods with different visibility scopes: - -- `self`: Methods that only the logged in user can access, e.g. show permissions with the presented token -- `public`: Methods that do not require any specific authorization - -### API - -The API server implements the services defined in the API and validates access to a method using OPA with the JWT tokens passed in the requests. The server is implemented using the connectrpc.com framework. - -The API server implements the login flow through OIDC. After successful authentication, the API server derives user permissions from the OIDC provider and issues a new JWT token which is passed on to the user. The tokens including the permissions are stored in a redis compatible backend. - -With these tokens, users can create Access Tokens for CI/CD or other use cases. - -JWT Tokens can be revoked by admins and the user itself. - -### API Server - -Is put into a new github repo which implements the services defined in the `api` repository. It opens a `https` endpoints where the grpc (via connectrpc.com) and oidc services are exposed. - -### Migration of the Consumers - -To allow consumers to migrate to the `v2` API gradually, both apis, the new and the old, are deployed in parallel. In the control-plane both apis are deployed side-by-side behind the ingress. `api.example.com` is forwarded to `metal-api` and `metal.example.com` is forwarded to the new `metal-apiserver`. - -The api-server will talk to the existing metal-api during the process of migration services away to the new grpc api. - -The migration process can be done in the following manner: - -for each resource in the metal-api: - -- create a new proto3 based definition in the `api` repo. -- implement the business logic per service in the new `metal-apiserver` without calling the metal-api. -- clients must be able to talk to `v1` and `v2` backend in parallel -- Deprecate the already migrated service in the swagger route to notify the client that this route should not be used anymore. -- identify all consumers of this resource and replace them to use the grpc instead of the rest api -- move the business logic incl. the backend calls to ipam, metal-db, masterdata-api, nsq for this resource from the metal-api to the `metal-apiserver` - -We will migrate the rethinkdb backend implementation to a generic approach during this effort. - -- Try to enhance the generic rethinkdb interface with `project` scoped methods. - -There are a lot of consumers of metal-api, which need to be migrated: - -- ansible -- firewall-controller -- firewall-controller-manager -- gardener-extension-auth -- gardener-extension-provider-metal - - Do not point the secret bindings to a the shared provider secret in the seed anymore. Instead, use individual provider-secret containing project-scoped API access tokens in the Gardener project namespaces. -- machine-controller-manager-provider-metal -- metal-ccm -- metal-console -- metal-bmc -- metal-core -- metal-hammer -- metal-image-cache-sync -- metal-images -- metal-metrics-exporter -- metal-networker -- metalctl -- pixie - -## User Scenarios - -This section gathers a collection of workflows from the perspective of a user that we want to provide with the implementation of this proposal. - -### Machine Creation - -A regular user wants to create a machine resource. - -Requirements: Project was created, permissions are present - -- The user can see networks that were provided by the admin. - - ``` - $ metalctl network ls - ID NAME PROJECT PARTITION NAT SHARED PREFIXES IPS - internet Internet Network true false 212.34.83.0/27  ● - tenant-super-network-fra-equ01 Project Super Network fra-equ01 false false 10.128.0.0/14  ● - underlay-fra-equ01 Underlay Network fra-equ01 false false 10.0.0.0/16  ● - ``` - -- The user has to set the project scope first or provide `--project` flags for all commands. - ``` - $ metalctl project set 793bb6cd-8b46-479d-9209-0fedca428fe1 - You are now acting on project 793bb6cd-8b46-479d-9209-0fedca428fe1. - ``` -- The user can create the child network required for machine allocation. - ``` - $ metalctl network allocate --partition fra-equ01 --name test - ``` -- Now, the user sees his own child network. - ``` - $ metalctl network ls - ID NAME PROJECT PARTITION NAT SHARED PREFIXES IPS - internet Internet Network true false 212.34.83.0/27  ● - tenant-super-network-fra-equ01 Project Super Network fra-equ01 false false 10.128.0.0/14  ● - └─╴08b9114b-ec47-4697-b402-a11421788dc6 test 793bb6cd-8b46-479d-9209-0fedca428fe1 fra-equ01 false false 10.128.64.0/22  ● - underlay-fra-equ01 Underlay Network fra-equ01 false false 10.0.0.0/16  ● - ``` -- The user does not see any machines yet. - ``` - $ metalctl machine ls - ``` -- The user can create a machine. - ``` - $ metalctl machine create --networks internet,08b9114b-ec47-4697-b402-a11421788dc6 --name test --hostname test --image ubuntu-20.04 --partition fra-equ01 --size c1-xlarge-x86` - ``` -- The machine will now be provisioned. - ``` - $ metalctl machine ls - ID LAST EVENT WHEN AGE HOSTNAME PROJECT SIZE IMAGE PARTITION - 00000000-0000-0000-0000-ac1f6b7befb2 Phoned Home 20s 50d 4h test 793bb6cd-8b46-479d-9209-0fedca428fe1 c1-xlarge-x86 Ubuntu 20.04 20210415 fra-equ01 - ``` - -:::warning -A user **cannot** list all allocated machines for all projects. The user **must** always switch project context first and can only view the machines inside this project. Only admins can see all machines at once. -::: -### Scopes for Resources - -The admins / operators of the metal-stack should be able to provide _global_ resources that users are able to use along with their own resources. In particular, users can view and use _global_ resources, but they are not allowed to create, modify or delete them. - -:::info -When a project ID field is empty on a resource, the resource is considered _global_. -::: - -Where possible, users should be capable of creating their own resource entities. - -| Resource | User | Global | -| :----------------- | :--- | :----- | -| File System Layout | yes | yes | -| Firewall | yes | | -| Firmware | | yes | -| OS Image | | yes | -| Machine | yes | | -| Network (Base) | | yes | -| Network (Children) | yes | | -| IP | yes | | -| Partition | | yes | -| Project | yes | | -| Project Token | yes | | -| Size | | yes | -| Switch | | | -| Tenant | | yes | - -:::info -Example: A user can make use of the file system layouts provided by the admins, but can also create own layouts. Same applies for images. As soon as a user creates own resources, the user takes over the responsibility for the machine provisioning to succeed. -::: diff --git a/versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP5/README.md b/versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP5/README.md deleted file mode 100644 index 3b7fc45c..00000000 --- a/versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP5/README.md +++ /dev/null @@ -1,54 +0,0 @@ ---- -slug: /MEP-5-shared-networks -title: MEP-5 -sidebar_position: 5 ---- - -# Shared Networks - -## Why are shared networks needed - -For special purpose machines that serve shared services with performance critical workloads to all machines of a partition (like persistent storage) it would be good to have kind of a "shared network" that is easily accessible. -They do not necessarily need another firewall. This would avoid having two firewalls in the datapath between a machine in a private network and the machines of a shared service. - -## Constraints that need to hold - -- a shared network is usable from all machines that have a firewall in front, that uses it -- a shared network is only usable within a single partition (currently we are constrained in bandwidth and have no routing of 10.0.0.0/8 addresses btw. partitions and failure domain should be the partition but this constraint might get lifted in the future) -- networks may be marked as shared after network allocation (but there should be no way back from shared to unshared) -- neither machines nor firewalls may have multiple private, unshared networks configured -- machines must have a single primary network configured - - this might be a shared network - - OR a plain, unshared private network -- firewalls may participate in multiple shared networks -- machines can be allocated with a primary network using auto IP allocation or with `noauto` and a specific IP - -## Should shared networks be private - -**Alternative 1:** If we implemented shared networks by extending functions around plain, private networks we would not have to manage another CIDR (mini point) and it would be possible to create a k8s cluster with a private network, mark the network as `shared` and produce shared services from this k8s cluster. - -**Alternative 2:** If shared networks are implemented as first class networks we could customize the VRF and also accomplish an other goal of our roadmap: being able to create machines directly in an external network. - -Together with @majst01 and @Gerrit91 we decided to continue to implement **Alternative 1**. - -## Firewalls accessing a shared network - -Firewalls that access shared networks need to: - -- hide the private network behind an ip address of the shared network if the shared network was configured with `nat=true`. -- import the prefixes of the shared VRF to the private VRF and import the prefixes of the private VRF to the shared VRF so that the communication between the two is working in both directions. As long as no `nat=true` was set on the shared VRF, the original machine ips are visible in both communication directions. - -## Setup with shared networks and single consumer - -![Simple Setup](./shared.png) - -## Setup with single shared network and multiple consumers - -![Advanced Setup](./shared_advanced.png) - -## Getting internet access - -Machines contained in a shared network can access the internet with different scenarios: - -- if they have an own firewall: this is internet accessibility, as common (check whether all traffic gets routed through it!) -- if they don't have an own firewall, an external HTTP proxy is needed that has an endpoint exposed as Service Type NodePort diff --git a/versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP5/shared.drawio b/versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP5/shared.drawio deleted file mode 100644 index aa7af045..00000000 --- a/versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP5/shared.drawio +++ /dev/null @@ -1,121 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - \ No newline at end of file diff --git a/versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP5/shared.png b/versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP5/shared.png deleted file mode 100644 index b0b47f0324545ec159effc46f153a9b5b0c2450b..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 49790 zcmeEu1zc6x+V`OZ4ygiyBB6sIB@GAZ6lv*}?mBcygGj5CbV#RkNJt7wsURqVG@^t^ zNqy@e$3dOB@7#OmeZTwuzHi1k?!DGtYp?Y@&-y>PCqzL`5)XP73V}fIq^^nGfIv`T z5D1Di)(OzUv5?FQfpGOYimN+XyPB9=8AE8;MZaCqu(6ogIylm>i_x&L8M5)P>vM9j zF&T34a58b|bD1!~40#NgIC%_MdDyu)OpNr|!DC>IwXKo4iMg@Sw{dJNY%ENy;15ih zm6e8Fn4JauaB?!kSU5GmJ+E(SY;*JyPG%M`0i8PHNfB@*V{YT*3jTKG;nL&cxD2j@ z?d+_K)r<|K%^hjjBskf*nc2AzL!_@M%gWHOiGph@b4z3Jm!z?wr7dEJsI3vWmtbY) zWMO7S+?&B|tr0Ce?94389IPzt%&dnC7q>DtbcEa5fG!v_+u^fH`X>5t^J8y9Y|z+I z-}Kw&EG1oGcEYTR4h9aQcGpc+&3UZA3J}jY8^ayU!BmH|V`XRNV&+72u!{rg8ky^x z!u74eQ|3oRQqgl$V!Cc`p>Ja#%%2GIu|kp7m&)sgt>pvBS~2 zzm0UXwY73IxBIct(ALHVkn4vB_2F<^mmeQ9v9&tdbe6C%xa-5C1N%|9AipgF{Ksw{kk#o2H!62!jWB>;T*#`;e2^+Bt%wtpELeV8!3& z`|%y1`Ph5^9TpquJD44c1A^aw&exwLL0niuLL3H0AciaGJ31P}5%>cb%Yu*(#FCFm z2iM_0p#5)<4p!LzJ@Gg~w`1a=WCkSN2<%$*h6MNpZ2fn5@e`5%XO0^y+m8fgN8TSh zZ>&hf{<{wx(5DE39i!+k6g0Lm5=LM>5HA~B0BAn|6o5y#n>y%XVP@k5U5ED?hmv@7 zBZfc~1k@dNi6KA*ardW^=%^1jH3p{@VTT;?+t}y_HS#NP9itRdcN`}avJGx*rSE9& zd<4)(xcEnKb@T=WTk}ICL82y-F+T$%ata4qC%B>U(I`OH@7m?(iIDJlG!Z-U9y!rB z8vHWRA$oqt>%&DJHvI!Y<^KEl%l%LB*VxtE@ta&64g+@xsW_AaaQ(YbAa0N{@dFh8 zF|hrq*nFe?H?cX=BLBIP#D>(B|E?sladIfX%jXp@ZLJI!hFIPOj$Q3IKGYkf7 zY=qpigC7K}95Z`>?SW9i$84J)b=?uP97o`zCVeY&Q-p3a1OQ?T3?UJOC1VbZNa3Rn zYjYzbgmv|Y#?+7I)(;YfP?ASBF@V>907-w{bb=ik{%kBrz9JcL44^pvz;r?a3zAR& zis=OVQ;q|BOC#s(&TkH~W(1sW;yNMSxkNThx{u9T4w_-_&N2xpF&FTeW>KLOB>K=4ocUH>DL zWJjU}62AW@Dfz4Cr2sc~)^|iiSH9WSM<&}bO#ja(DJPPI|A3_bZMHS*ukOk(YVofc z*Z-95_3bTx5Cb@FBq2fQxRu0uBnAH=2KUe0<3Mr~i5Y*@;O0aE5K;_~_sEIhAoLFbhBt5uf;H z;PMcS4}%&=EItOZh(OryVU5E(1YN#Iz7&k%<{;3H@L>OO0PMJuKC&QwfZiiG{twa7 z?8uZ1QV5XYVWevPt2+7@>lb;hkrVxWIvOdb$8_}f@bR~k4I&x96#9P`ciH}eD*`)G zS%3G@Mxx3w?tG8(%NaYm*upJ=Pa=g(|NNd1LPnr~ijX)uILDlo|0)0l+~V&^wBu1I z(EdFS@OOry{ssVM{V9gQ#&x8!jsY+$$B_m-&ZfV^_eMl8z@Ou(gWo;I?|k|>X?LVI z5iCMR_y0K_eGgsy%p;_W{vXC8P8POr)d1gvg8#Ez`qi)hMNb+!!JWTnAdfkuhF1Cx z4(5me(y^%RpNj2&h(7vm`Xlub*OA4DR3rbgKKgm0KhZ}ZSEi3hrX$~Hhe#qhAjtN| zStWL)!aQ0q$B{z)J!AfD#^2LD|6B$LdCZQ%sf{gIpPaDruMqlci_+n9EaoO)h>boX zFXspcB@UpF0+i0MfU=8k=~o*hF#i_^p2ZRI?n4y#rehHh@(&T{po^J;r%Z~pj$!jD53Q>-%<->=M?veSt??&-a-~nk>|85W?Vh~7s_)jt9 zxarGwq|5$8a0O9abExl*jwu_@Q3?#nu)m5c9Ech=gw+4pM1O)SKx2Y3Fl0^5?`ZH3 zlD|k29y|KT1MXm_e|Ubs*CiqAU<|)i8zJgr;HCz206f7TM5W!atILQ+M81p#k)UBR z(YH3Y0=q$s0rTry+Z}eYvm+`|%#5v^jS=a(UwVF=M_7eSM-YSPK1wnor$6jA2lZNr zqD4eM%dw>$b~?iKZ5&L%qL9-gO1_TX4@^~~AK!j_xPiW*rRiY^o#`i{vmv4$M`Zu$ z`ghVBnLF570ZntbEOQ&H!&);WRjh0gQ2lMchy@|J3$6}pr_8PGY~haJCC6=Mgr@ig z-$2&B2?(<2>AytjA5%>KGs)aPg^|A=Ut&i>Ch{=;kp+$PaF4?^f;|YLAW#3l1lPYN z(Z5Z4OdlSD>m#E6fYpC!qJc5T;Q2UQBVhSYsrH`&v_G+go#k%=+FvI68-ezZqEX+D z(*FnAZ<^x&1MOinAHc?;R+{~*?*dd9U1gOPW1OdJyMX53DfuJLJpFAPGUF649$or#D*Vx4+Bxm&@5Gsh2n6R>| z?#E@VC#>2~0 zepGZb-i=Rf-fG+2O`M*MeQcV78EE8eI-6MQGR{BuEQvJg0`xX&_6;h_p~7Kiy~d;g zW&gV^=nPSumP3niSM+*+yL%foLud=yhShZEB_W0w3b)e4r#IEMV}(6~I$FfHPl|e3 z_qbFS`AP9dstO6vQSk4vx!$9viZUDwQE|K&WjHw!lRlz_;!EzqK)-n!BdNqkC}M4n zYSf)7>a_J>cerdWXuzgb37TGoVok@pVk3Uw#%9iHLR6hgcf0Y#QF0ilqNcuFzTJqA zH7%A}1vg#04CZfy#heU5MTK3`MFT%6+GG#LhzYyO>a*aYip>jPE*>vvMhWN}$SHa| z;)$5tR?b)~!>3cEH(NGQq1@y-Aw!zkK*sAz%QKUmk(9ID>h;b{5$CT4`S?H*RioYw zb%dWQ^VqbJN#uH-y_lgXMMawr?OspG0xPC{UKRFAiD-qV%WZ8I&t|+a90l#f&5=jO z(GTWsi^%2OcxX4#i~`ns-KO>$k=<>uQ2c0(vnMgg^Mxve^h=r2XzM+!Z@F?YX}_x3amZc5|RW?Ft6=^5ad4DytDc@lcZYo8#VUQBQ&&Z?LG| z6SnM37Y%07e}c~E^;KC%QbDu9wakykPrlJ}d*ah4Jdvk0_EXB|E=ooy+hiZ?EqklJ z*_sT!!eaHBE#G|FJ1M)|w4>G>#jvwo_!kkgW5iF;#>UROV0eQ6qvwucZ>CUEMrLM znJW@+E)aEvaGB3^Tv7%S8gP$Z^s_5Q1~J_E<7?mhmz4~j#j{>Z;weM*Wz=|-rc$7K zed}$lLjh?F(d8TH^5{i$i^C;q!)0$Dd#Gt#yL(CY&K+Wg3#x_cP+oPcGmdDhF6g&y z8@DAi6bdU>XX5k>0P(LSauvx&i9#%2m!?1ZD3iiR#-LV=i-K4z_6f=e|JeLfG}m)k zAKBrOzX>B_7ZJkWxz=nj@Se6#HC;%~@iN0EXC{z8lOz?gdpQh*MNzH6o{x;45>0!4 z8IY`TTQk9eq~n;c%|547$_{%FTxQrg8BBRgC2oP-ancwJhkRV`Q9LuHsr(@E;e7&Wy(DM;4D0M7H&^>S*jlNcW}eMG5gRq~Z5 zF$Y|5pIA*`Hx*jMLyIKy7cJ->$dn|WV37-^QmV92d6}z-Mk}9!UUKm! zOU;PpIf*W}t(EjUsrolLsIOnC62V7HBJ-4SA?$o2v@rWTacXOID!*yD=|JE{j$F~r z@G^d4dSwNa7q}cG(h-(kkSy*DpJISLg&2y>o=|X{ctq&WUpIRn{ka(R)V+%ZB1EM+ z0BGM--hGhaQ%?tI%FIq2atk^wCc;tMW(d%6^>tpHZ=yO%brAXKzEGW@OHqbr$Yw54 zWPn+NWh!uAWP%;Dt~%oUJs2!T3Xd1?of})ZZ(uVv3*(Gta(A{#2|xYHLu2DTpj56_ zbun*Lr0LMg!Q096;4ofu8rB?wPlelz)jhnSVrN;$53SB{@Zgtsi?BM`6;cR?C({Dm zG8IzJY{*rQ8Xc6xWj)%EiPu-Ek1C@Tnv(ox=xcOQC;1JT3bK)+S@igoN3mCQ>Xd2T zaeO$X$baE#V}J4KuCnS3xF9=FDu%NoF=cM~s9eJMN|*Zm?lEa`IgwJX39-teDN(Gv z?-Sj2-Aay&i@W}~S@dA5c@D+(*;pF~j*Q*Y-x7DpiUj$n)%$v%%S<<@2?_ahFSf~y zJyUFVK7mi3i$75Q4B8uzDEok;#UGR4<cxl$?vE#yEo`8e4`w;xnOFoYctJ~{O8dR+kgCQqQoS^TC zPFdZJ6x>&k5*|52fnH-Z!WNTu-#eC3BV(zxf&{z|-(KE?YmSqTa6nVgTB8&dR+amk zlbA0R20Gk`<~HiAQuC!Q>bK;4t_lxjC(sh?(nayvolo0gF*zEpqR4YguYY)@5|Nvy zl#`Dh=Xuk6bIgVQ{Us%~LiMr>JUOT32`){uIB+}2u-0?4$FfUZ687;iN+519?umuo zQ7zFeVsmF-rO_9=!aH3mD>5W6xR_7Ax6XP>pNC@w4t+K6 zxk1!bCQg%g5vcX9vxFGW@`Y-mTEF1H;L|=Su6JP>@rh5dU>H!MW}ug1B--x~D-BU- za>iTu+70H&Q(|zUV;K%Oa4$rO_TVv{uM6~FI2A8?r#73h+^;Wz9n;Z;6@`}CZ{fVz zUI^ASi!?9F9r5MR6q=+xS}Im-+A-}4mNMIPV(G2{_7p9Da?S7uoR%l*2Gq?y>APcV zwtX=OAh+DBFcyYRzs|V(@+5-nc(+kaRH(GO^hKV@3vB;J3ZMU)Zrp|iLyumY>%$bq zKW#VoH8T#V+aRAadvouF<>Huih`RbO7%}P30+nGu-%tH4RZtHl;$((Z*|hp>bR94h z2D4>D5qR->Zzw}NlrTyZ=M6SKW7yR$igPY~W_ULFz>`SXlMbC~E)is9VeL_=)J1uT>^9YOob(^n@!( zO3P%3h4kks(asbPQU@zsvpn4rWG^Z+|1_TR-40Mm3fSTcjhTTTTL}a!ES{e1vR?`o z)7-=b)RQLj+BNh?vYhykfLwHy$xlLwvr9Vq+nuf__c714U z1TflshtAYF=c^QuBqb-_Ov9uo7jU5;fC`@>nsOwaGc6kj;oX>kbZh!ynA zr}w6bW^yj}Q~;JwLx+0X-6;)9F|wjH0LAwEF>*f*MK+9%Nm0NBm58_kToy{}@foxjU$G2x4 zh#&c4+~-T+NWIp%QJYRT;fRrR0@hJ(^s&fq^~?LNcZtEcw>CyhEebr9rF)ZLuSmAL zE@6dR?V!S#kzGmlWz=0AL!Mae6?CgPFd`} zr8o*ELOnsEA7U#uw?KK&;jU*{l+Lb92+Sr-E;Lq5uPn=iG^58q>ud8=l-Yk8kXYCw z7E5#eKIFyK(%vGi>X$8^&&=DkH40x;+v>%vJ=M&1OnGL-==OP95%VkS$+;K?wNj@= zRj2D^GkdO|?UH$&UZUIzIZdl-y%J!MZ88z^jL$m3&;WWHSc>_KbE}i>N~)CEmaZEg zHEuuq$hQz5OFo-xa0fHOS4uXs{x%J59dYbVq7f8CIyBt zCsf=8H+L6b6=0?;Nyk%PV`1mMrmVJHQsnIOX}u^UESSFGVy7Tg3mCj zD+uG<)6q1!UL8PQCB*|AhC94c3B#uf3&$c8T1JMwb~f@}Bw}l#6V)ZfTli@VB{bYS z7%$cLzwXuI@rV-dEC*I}Lh@4n-p*zL5s|O2Z&%!vRMDYSp$Ji0DdUVxTdn)L1qO6`ZH}OKS#08_E^VFLt-W=%n1clX{iyG+1(Wl;5K{+Bad>%p z`bnMwEcbimhkQkm4tOqen+yvjn+gujGH-vv_P$}G8AJ$`7#OrKnP_1}7 zZ&ztE#*3jHhRrs+c42zuR>ds2;4N*9NODE6uJlJ0`Xq>TvE5_CSDX;U$T$xt4Q4a# zC66&r3@kpYX*Z8Qcu)O9vv4RD`@I*OVhU--0c20Zv3a>|-xc1yWi#>!!+U=_=g|We z=T5LT%UJRru91|=9k1<~IA~Q(YrbNp1bvFh_U9QWJeEl-yHIZT9=EM7q0RhVLqRg5 zXRZ{|UDSmGD&kb<_}wc+htmFllee9_^tGOSd`_AOc$Xh6Ncp*gX_|Ms-$2CfTB^X~ z?sk6tJuWEjYM2(4O> zi3{N2N9Me@3Pg6rs2b%akDURL1-AUj`-u zJ4{aBT#Cp}4~%~6vXnKK;X_B5n#YXxVEAYk)1c<5pR5B^bDUI zhMQ-)-b;05N`&+7gJ+(kFz1Hp5wV0KysZQ&vS7N2TBsNqd_LQNnI5v+htU^vLxLF^ zFAZ?S;dxG&1ks8ZMg}enyu%y5wetS`WcKH_nTv*8<%kJVbjT9vCdi;-*kFRso123B z6D?@=N^TwQ(TeU-;0X$j5jJJT<}9e#S$LbQ@gOmE>nRKlusoy7AZX)L&p>G2b&@-# zUjFeHJt8bb3`T<*>}z5PDh7pfaK8${B%mOIyP#wpfYzG`*Fl5qsGk%}IJ2b0ymtn} z3ZYrJlCxszsGv2)s3(KSVPE>3XqDVAL0>C@F&_DsH&21UkSQG@bys?#1@M1q5fKP` zC75AVmaJm4FW@_mf|dDoB0`J|ag;=A$+yY_8BK4MiR?7MVzr$uvJ4Rm$VBB5ji|}9 zQdZ6nLA|61-um0=%dLbMeCjBPRJ1HCQ8xManhy3ogb9YO2Qfok?;}XSImV{0*nA%v zfCHP%W}9i~NfYz61DXz7?Lr5i3{oHrGL{yjUnV>Y`14ZYYBbA;wz` zuydCb{srJ>K^1%z5PNzgB!<$b3YJ|yrzdd*8ZV4e5S3Y**I4g;a0`VU_eKX|Jtu+U zrk#B7lo&y1O=treST?)}`|i8jsJ%D9SdDJ!dIT}9V7&89GHAcEXFuH)9sMY=TlZ9t zml(<>BIdw9C+p4x<~q1chzdmGtl+I(m(8WI)7&wIrxcr8!Om7!FsNG3V92Biu}t4i z>_#uYEJ}#+5fN!S-+o^!1PF%`5mpd6*r>R-`LBF{!i~6N!Y!mY6`TDL+GERl)ooGu zLAOGtlrQzGIUb|O5=xshRRcNAZ-DW7(X=^-C3#j6M4`) z4|R^hl8h+M%-2-diQh5-b2|IR+Eyuxv8Q>o-OO2T0H%mt=aR3Tw+6U1(=T}Xc@;SO zmtIJT0*mnO%AnOW0G5y>n-n`0;1U(<)xsa<*W^88e}f8}O^`MXZ>xw}`_h*~%5KCM zLBZ!2cV)jNn9>VtS@oUSXjRBy-D}$RGWZU3_sTuPXK8`u#2wjaiBW7$-GmNfSrSSO zTRRx4%j$s$03I(}CWb0Emq~X%(LTdnGS=olPC;dx-r%e!n7%&zx_@+Lab>-ugw^{w zUwt*@C>{o!{8A;yZ%`f`6jRX%weY)J@4ra3g`NB|mc%Dc&tdt3jOop0X})aAvyjrM z6^yLw$;?ki$7-B02yWF!dIsJZ@%$9+@6n$jEH0y0NP4=`)t80C>fxVra0Jt0)QrPYI0zngtKd`A?mymMX|cVQ z^qWRN3f@;)lHQa6?|rurXPvJjg>=-$LYrK!SDdXpz2?a$+uZbYEE%R9&2-Ows@v$C z+lG$3HE|`@Yq}Nwa4iRWI)GML*?YXggq_3UeIR{h0s8odrBC%>>M}nHO*rr7Vps{u zt-$f+g9wuIn$0;{TG^}}HR)5On~9HI*JhcZL`*&>eQ(`f*JX6H7$VbfFlx_!l{j&R zhujTkw!I7GqW#880#^`|?5}Y$m)&EK+)AUI?Dk2tKxrZg!KTKo{jJUUfo$4$p?ehFD$K!X z_4qfJ7x?q7n{M5zaa?7Kwbsqwe|~G&MjZ#^4zZ8k_{kdA{R;*iw|(=S@-swB@bl$b z7z6vOEYCelZG`N|EsH1g^`L8|T#8HyOZ9FDFb~ZM+FH3oLz`cqTzm#Y%(s-tjDj`aSvm_fy4z^udZKr;p1xXbx)S*W+XDaByRhndIW1J65;D_jq%mI5T6 zztQilu#ac6;kl757kcVpQ=6VQzi{&xnh#&Ew>wPsGXEZ}&F#SJ3pvXvI+5WN`(2#tXrMiB2J&%3);j( zfdv#v?cXc&T!gnp9-!1!FZlYkLo=ijJ4j(SiEccU%43Ahe2(q>T+|aqFH6sn`&uE~ zX(aaH2T>(9Qzd3LT;;Fh28ZpS6o#-i!`0wQ^>HwCVH-j>(pSGIXt0j@wSd; zZs&APOoTKSa|h$zU4Ygd()&!t@s2#~{~L0io2EOhqb5=*u;mkVgN` z+-2D@9nM^}tIEZSdMG&33A>brqfaVpyf?W}CGgvVbZC|L>SCaoUc>vjng!HB1oL;4 z%?IhF@u}(hy$MyV`2z?hX@%mr@Dys)%>j(foClU{|0A)|(S|vq8(G&+Ke;<4n002~ z^$TPwoB2sl5rAM9Q{tIAMZJW}_bL56@lkn;_}MX#V|{bMTr zd$g_f5|=qP7f7t|9KN7(F-g$Rs!60)nx7(Y#@cgGia zzMePOaBU+)z1$LSFk9ZgDfQs|t`OyrDbHY*bY>wRdRUU10FE<(3ZweTDbsMtrH0y9 z{HVLAD=nCmbgmZ44;AfXp7+FEiRKm+Fg7nEx%c8lHKsuCK5Kqlu5bG}5^9alMlGx` z|2hJRY(}zyItR;F9lm3jWp*7RjG9d>=+n3#c?oHH;zXkF1`a$FSHp0sJo{3)>>3&` zLGy>?0>zC`IP{4?&ssv=aGT=2mA;<1`MF{F1y;im$LXhWl6w(RqORw-t@uca^aAeZ zDK(UH0cEpi?_}e#Y}Djv<3c{ZFUT1M*kg0p;5;JB@)t$ z)BPARm!-M39G40{d>Vgze$7-ypT^^9E>iCKc@0<&A6lPeCNtu$VHxm)=ltwh9PeU@`BjD)}nL6 z6JrhME$;UOzfjv(@aY&#vtZqFTnP4XvB_KQ)vMLn(+*CW>r16}i2az)WJ;_g8o^Be z+&V`-r6VduR53@<8Ur`hxASY$Y0r2YuzUa|~%GDh_RN2#HF-)&B`S^wPdL;3i*o&gGxGhnqxpn#4K&!j6JiN%zfQXTlq!FtSkFH^2?_h+d{I(~eA4i#=DmF{u5@r0=G_|E0h zTXP`_)N{*CshRNAq<9Wfnks8;Vsh7K0$%a+7aPv(Cb@^ubDnE<5xa@iwJ=;61JxC< zpN8Ctp^vmqRLzv?iGZqGyt2*EHsBw1Gd##EXz?<8Q^VU>cmwB(USspZa)kbqurxw! zU3TjySnH=`E#OTW?y_s7B>h;y4v(k_)6+KiyW0k5w{o`(#?Mw9_)&NX*QNaY#&E;{)<#&&xujmOlF26f(+LzKk z{q)`|(`v~`ik9^%>o-9lO-Oxf7erFaX%We;$#ISH6Z~c(_3uXeMs)p8;ISBY6R8n( zzed&q5PS63I+)&P)Ho%dDj>eUyKN7W%~^8Env5`z8_3m}hejFV@>P-JQ3o?Wz)g4* z;6uJtJXuV;WCJCIK~P@A(QgtmaeJ=p$R~xWml?EF=S2FQlTG&W7_(GW@~0pp6BZ)T}JhF&MI5& z@H1ETJ3a@p$DI4vvb-4sbWu;FpCS9A3UkKSTXVzbpxs~MDK_+%dy7`qam3cX>e1sU zjyeio>5pK}4oKoI8Bc>pcjpeIUD9;1c!(PA{n$;b{pHK`Vt)yybAeEpZ|0@RHBUEX zDmLF-%bwy~^~_W5_#aLhJ!KW@eVsn_a$}j=5R*YDfrU*0gUs~cw?ydM^ZeEo`Av2m z7i7qZZ|jU}L_STgzdnBAmeIkNCxHX`Dhw)uAlXaGY7lT1B#t-j z)@EhNVQ?{FIS||@BqU6e*#Tj|&IqvJ3m(&NODQ~V!v;b+=_FKY*=`khv`|mhUbUzGz z?Y1TP@PeUbW0x9f5$_k}tChS}g`xDEA2K(oyjh%s>NB@C`L9;p{2Fkwo1a)vSfo&s zSIuj9*!(qLn-%Gp%GWD3pOUo(%&9L-v-BsZro1=InOZMUBNc>0@`u+Ydf&P!mU{|( z`MfUql#SSaZbR15d<=51zeB*aysg_liTi2zB&$J3TemFc%eiP)*!emFp>^JHyVYF{ zjsi85`pAPYrbSiYM}H;xJfhSwvC_id{cskyujDdy@IBcxc!owbI1A%yB~ibbpL)5G z|8UZr&e1G3Ns@pf-8&A2{$?CWBs`|)N%am@SOV|ab85Cw6j74EJ}n1ihewseXRaH|E)17YA_@*T z%m;6R^foA5DMCfl6y5mr2GiTy8<(7i5Cq9powhxmhyz*kW8xt125IV25Q)HmJ%7O2 zdY4AHo-fS1$?iQWD2fOHDLNt`0m?&^Q%xW=w$;m-J{Bstxv`--jzP?z+E#Ab*AFT- zaL;k!f+UB6?TD4X0&OfgEhATvluHnKUG|+BsS?zX`pt925?}V7X3oEP7&uB3vlEJ% zt5AFCtBY;Xq}e-fL1y0S;u2?uflus~pUn#O9xHn-n||eCkdRNx@w*e=es(%Z(BnD= zhr{L>YRON zmf1-0)w&Jr>y*w5liO)yDv=ZyY~I$)a~mbWt(mk~_?5fT3&P8;I=YqNNuGHj5|J5r ze}g>Jhy27mX>w6zhG=h^uz#u9zy%Dl-JPK#t!O?sILNk97O0h|Dky<6oR1^rlEU~! ztO5c8D{E^?!-1GEkW+Z_y3FuZTwzJcm2A1>{5pr#N%1WCR0>e8qeK!Hgm*4ziyI}7 zrecxFJB3OZ)wt4abu#e7#hthd;!tDX>-XuR{fad!Emp@Ti{XQh9Jr==%wG={o<~Hc zGUMR|^N3KL9v3*=->`OlP!8T|J0}-mH;5Y$pWu4XQ3qX<4L!X=P z_&OhM+1)?&DDbV~^`Rs}7aKmn2_KJU^QjZ0l0MpK#TfIsW#&t8Mv1#i-+ojURR?dQPeGQ{Zh)LfG-3=TktGKvmU+-G$H}Vq2Tdicb&{@vj(&G_P zUcYUZ`uzfRez61B{LkI(<*%rNmu|G_5O>QY!`x0>JP{@~M6MA3U#VTdS;nAXZ;gPjX$YAOW>1yXfi>D zUi6_#WGCg5VxB}h;bVP@q89$3n*%|C*S;uTaI_k|OlK^HQ-bv>@gxfx<*obI)&pn0 zUKt*!)iC9A`>agWsUwg#C|`cLnU9GNa$D8WL}&V3*EL8}qIH@gS!BHiyhhw}%cr+1 z_9E@6-(-kT;b&hlK0Kw*rh=wK6}Ivz;xR3ALDAce$u4)=2#U7JS|t{*7ENV_WX$z* z)v9kAn)pj`blz~Z4Xn8+;}@jOb62j2wPas4eQ_nG5loBe= zex^WMrHHpmd0mZ3H#{>qBLBs`@W9~BhjNL$JZdBk_Dl~d)ms$BKAh}!g-mpg2&l$Y z7QTVvC2}j#Hwv%W?!iQ^a)54Z)=Tm+Q=VV3Q0PMd^UdGDZDIlU?jWX?T#pfT5k&F34W8d z-$t2-t37wuK#pZcn<6z;Fy<=W!thD0&1CG90g6xOGOw+&ne}JMuJn=Xl-!ERAmw(V zX7ftoZ@X^TSlnCmfq|Pu{<&#)aOU_@tB?NFtGv$1V(5(jf?RA;KUHuJt~>=lSwZ7A zz3ctPu@lrgIV1grI^`3otV==W#0^@UergU^Jj=Jw;ePypbC9>+{H8jdj7Qp-Jn|&_ ziMr|!zQIj`3QyU?AKI^9G8-Plr0Kzk7AO*}?0MO;+S6%O>~eD$#q;rkWmp2&iO2)j zuuHEJ4Hjn8UKnA(`F61{w7O)Y+N11dx6hPP_Hi)0A$|T}?QKG`Lrm3kR9G;5iOM+^AOdWZ^N)K*(L2qPldkkyF%+u=~EgozFy_4tl-rm)wvu zKE3?99_>yn{hd6+9D|*Xl4u?&gZp{v5*jY5HhL#T9#`SL$#Bl(&An0Z=qqe_xVL`q zYHU*Jhj0oGV6=Y~o2k1HM$D*6$a(H%GYDgW%v+2td?A>YzBw6pSJY*!39`#s^M3rH z88jXPPFld8=5g*Lk0-UO&DF~M;2Xvaffds{rMi>9JuTfyd`^1RSlBK#zU0oHLC|M5 z;{5#7(;d(=4B?u14<;ie3ErND8{xRkk6(^mqJJX1?MZC6HL2egzSCG&s##`X5ge0Z z^kQ@@Ub$4cc<^4{7)HAHV{~!vp zI8Y_BIKQ@Fmdg0UeR{zd3P~~P7gLgv(LCk`R#ditcxpiW8E zv`_|kkpoqhS|49OLc1p^-!d#&J+-~oRA%{x`K7tC*4V3h3q!~GR}}5niCdqAl-q5* z)Oe-=)1q14wOFN>(c!>o8u#`gsnnvn>FhHabn8<$=dSyjnlYIHe4z3Cj{ei^_G?ir zD5G3o6yH2gkQ$41r|Bk9W95srVcC#ngfSnC+{b^Q2Y^tCerMHs+D=#WI(=Ms_{`!am0S1A{IP7O?sUa9=iD3R z!nvnuW0UNLDz4TRbl{VPmXH)ZS>!HJ!IdpkU%u>ezvMvZ?PISqdsp$Ax69{No5B`Y z;h*U|V|SD=C;$|<5mb9CT(`s7y1joy~58H6Eb&ci_64ngBrB z$6y56H!uuYHgw`CsaYIs;18o8~kY3TF7I-wVh1f=IG%ElW#^#xPQop;^ql-QezwI zIPESCmi!PwV0Pf{taDn7x+sZ1{VYLgY;J#VXMU`n`}0gsFsR9x0;XF$pWCB5DvO|w z(vII_H)+$hKMe(xv!Z5OEWE8{N0cjr`nn6=`@1}L6A(~Q%CyKj$WFcy7(m{3n+*QO zoTHMan)5I}7e|m6GN%@F3Cbf1>dwcjL4m(ys(_b5zVc-ZbWqjT4$8$@ZQk;{EYYLX z)z#(k-shX`O)h}Ym=9*TZmm$GqM<2*qP_}?SJz+lrSM;s2qR4ovIq5DZyVfBOGc0@ zM!iTE#Y9I(&;3;N%~6%X4x~Fs+9Vh7todLHO2F+vwKaw|D1UGFK|x!YetH_0f=`{Q zlPpwvlnCPjNL_P*+OMx4KP?-HKL^9O;Imc#T4 zX--C<C(XS}B9AycTIy?Ms6BgB37znGY3`#WG^^w!ca7M))~H z>7WjK5)_5czbZI`Fx^kn%29!`Y#z7IzhT)MJdKw3qnr4O;O9QM6oEKO^$nrmBw_y( z`U4r_-R*5nwqtd~Pw&xo?ryJ@A?jE-XS!orQ}{iIru)xMO--Q*3JN;uxJJDI#cg5d zud3GG^Yrp!b)rA*j;6ThhA3oyH4CZ$^5s9ugX;eK?UxlZ#GsEXUgfuY_iW~970E0V zg2GqI8}dm`WaV^(;m`m~m?Oq3P}qFtimoz?s5HTp%lrwD3FgzRFiXGHXxu~cakNsp zy}h*mQ{~MT)VFm`IM#2f#EZ3SS?njp*01^zdH0G~Dk|R+0M(^34>+X8?%4}nR?1ek z7YaX%G1CjegN(3&8lUN*3?HON!T@sR3X;uDc(TE2CAyb|;<>LF-8tp*Qno6peyUI^ zm0uPl#pM(2$x7%5pChug<;`#pFs2ldEKhuR_fCe7Ingz&X3S>v7h%^x=CQu+Sn`%gwK1W|lB7_Gi<5xqiKDTYR zbi<`yS2|c6<%|k2^2KQ->S&;^g?;-OVUdvEDqHtvNPwV$VuuPao|&J25T@A7480~3 zp<{GE@vyK0;j`GVU)m$axKQHrvG`7dGyEZ9Ksp#;!(%>ZtVneS+699t5-Bi)%pA(5 z0wQZaE9HLqaLeFPPzV4r`Luq1Qci~(5kmog*%2U0OAJ%8;tt=BcoiL?Flf6#7q5(% z=jhRYZ#r!X_-@r!L-<5|R$V9^OV(HNI6Xb)3o&n;G94xawzY%UEMK_CMmsHEV9*@O z3zZT3txmtBFS^H@6dUG*;}{+w1`lB;R(F9zGsxf(DDzko9<4l*Xj|u-1vT%sVva7? z^h%W#wnM?p-JQ0NlDfb#iYt~lm zc#@SM^Q5b83c^^r<%JD7jZ!+Eh{9rS$O!pJu=AN*$N|!%uB}GgOb1~_(Z-l4di5O3 zXB78DDItUa%@ZXJ!zZ=kU~^#9aJ)09+Ieeb{=;*d>#X!F#_iPVp0G%im2*BqqL1%D zcu`2PCeVEnN0;BBl@bfNd>Yqoio_e{M~mtdu^)O*DMCAp^G3@^F?g|sK*$o3hu4H- zd){PVDF(e6<*2n<&>D5kwAUOMB;TYW6D}ORQ&a zy+r*3EY9Mp57Bby^e+{FD$+^4Px_)*(ik^yzZVf8?S;_gwvhT35c)LXI=S{eINN6R zl8P472RhnHoqB??l99IpQ|RKSbdWC+hDcXfzQc?nYZid$p_!qkF@j^&_<|zk7G`X9rx>{#~D?Z;I29-44_*t0m=_VjuQrHt(5RJ;>l@>u=4?CACA9B_AXSj-p zD?YzQg?aW^V@`1RsGYdU7QxqOqM`4>JH0~PyvU43rM;?e?AaXi^47R|{Qzzeev5zL z6^daLqyBwag|CDV>cAmd0Tzv|je{nIY+u_hONh)6#r3affvV>oe;H* zY2F!rbIt*3+6Jd<1*dkT7^tMtAiH5?dh}1U78`m;O~v#~1M&RXiZzObKYYn?-h;^& zl*VSg8V3?lYQ${sD-}naI==Q+C3#a3M=2F z5{T7{xB81HMg+zU74D?ea~B}D+}3a&G>gQYdNV97`e~EDg0kOQJoMz)HTU#~!NtD` zkPlll(e|Ir`V#!y9^!bh^t_>Y0Y4Qs*T*wBiyzX&T`--d(Bfjr1$MvOka1Xy!L|ji zWow;Cx+m;~pNK-XZZTmQpE>#lAbFo<&dpdnXQ|Q=;J}*QA%1nkHM!zS^X9UVVO6{35#x2 z@b2Zd_pJy&O+A@5ubZD$8&9fbsA0CAp6Ij67jSV3O}wOMV*%AHbI-?i0bNX!+$OL( zf9AcuPP#&4(zXI^;q36uSXHjNhczVTl@n**Yf@+RS3Y$mBH@20VH;+zs=}zr8Xot$AY~tYHfQ!tPm-AaqBaCb6?VTa_C=X_DKlxARGS3_GvDRI-}=Ku~yxU zi`quX66$PmH9!r}WDE12j77!wBd@b3ees0bP$Zlp)1YFSMfZK~2~1q{Do>9pF5E`r zHN3)uThc38;?c3^dn&s~>FWy2+V#s`-8Bq*qaTLT5{t5m*l<;$=o4Cu;8y5 z$D_>i=i+$%FTQd~6qmtI_fy4LN_&I>-->-+Ez|L$bVW7^r9J@KQ}iNMZ^9~cg;T^o z0ey7oWQRyUXO>ow>-ljx?3)#D32)RahNu#uVp2MX)u+D-Va7k9vGzQ6Rlre-2&EsT zS#s3L(`PkZS&pxXWQzOpB#@ zpX*r1owB`IOJdHcpT;v6W_d9qN;IBkqTj;&ty8Yc5Ed+~HvK9`p;L{pgBJyAa}%an zv3y6%0Q~Gb%^a1O_Rs83IG;Cr)HxItY23;tvyus=L(9IX1DLMKo1+UH1?BCB_Mjq` zYI;TgIVM^WQ-y-MKl!b6_TIoKp?)leOTm}Chi1+(j#sUVa6@#kJueR9ES@wYJ=cnf zr6VNCaqWFEVO@inBK2!KQz)fS1(v-Qth(ZKd`)GXPls#b=Lb8vL_VN^n^4s(F#W3k zl#vV`B}Ky(7a_8eDbf1`7lvl!*hO%Q&^*&hnd(HhNMzN}T^#H&aXO{BQ&{`suMUUR zo4rebySai7w#;DlnHs}2_=Upw-W`Uh^Nj|(5daRV8FBPeJ5Tl(nKL?Y(wS(JG5O%i zZB*-@AAC}+jiX@dd3Nl{Tc)mk2M^d-9s1|ep}HB<0IjzRwDV7MUY3_NZ zJ5!Y5(n4%7h$>$#wA07|KK}BCBCwv;HvX)RFLw2zP?`K4!nEk!={JqHn!SSr~;gHD& zN=%qwAGY3sZ&wm0JEDN@?ZRi^8l;Uc(kR6~d+q3B+WlB--*cBXpSU3CQB04%tB<|E z;>!-ksMDN#+It^z`S=p{~_xwfZ__4u+d$dV8Pv;;K41p zyK8{p5@ZQ(OK^85NFW6F;FjR7!JS0{1P=~*hunMr_x^gRQ>kKW&P-3AnV#OKj=&8!cM}Idwuxuk75li`!xAk8qJ3e_9%})Uk!304Ek0QlNN;|x( zoTopRs8PF$(HL#28`~9^oKJc_4bCw@QaIl%F$vh`zYD?5{)#OkfcV}Bg%VdDJ` z{BmwD$-VN|_leVc*KL~ly<4sim)e%26_iE<-`s5{CKBaxyhIwVIT1m@viCGj?aj>( zGgb{%>qt*pvISn5TN+`{*<7k(MEwxnzB#JBegJHx)rg6iBMe1AB`zn?E{^*YwcO-n zG1|aot69iQ!sifi@W%_pak|x~q)f?=A%{uP*ShKuOl<=|=BPm|6`d9OHE?PaZ@!1= zkk;OAFtq;-m_!yVlX*Up-Fo#$!`th0q(P(Jqr^b%4c1v#EpTep?X)0?idyQ^$6)~2 zI2%mg8ufe__VD3e*6Nd?*eq6VXH|Fbp&O8w=Bkl1Iug1|{usK^T5SsNyuLM*JOJPd z+k46?4`&Lz-y>4w?Y+*WCTUFT5aN@``anGCKqd9~arnX}ut2`5VF7?SIjy$_QTq#r zfvWQYMZ)LSbhsQxc~Yvir6g2s^OP(Og)V>joW4E;U{J>oKJXWMkO|q@XdtZRbu_Fe zCi!+MnY#3soXhq4%7jieNnZksP4Lsbd%qr9*N>CyK)Gm4wvCxsQaq?iIlsj?3=g?C z^?z6ZL9ah2UGks!c>9$pgSG86&Ce?Op7Dk3xm^*OJ4&CIp-vg1c9@M7i|D-(K|knU z6y}+l_QsKuhF_ES4+a&!d}XbyU2cRCZOzeN{7AYEPVE1gonPf?GHchXzm%_8t4?oa zzWK;X9p2UD{hOgIwIr^-X&hQ3qogWL_0^o7Lpg&S>OHet2;{y?jFShdr8|Jo&qPYE zQ%akH!rVV|JdcZdA?f1(1|+)tJ${dVuu9SO*MstGdte}6BRR2296RNKhBmEgy>d;z z$=NV=?Nj#l?3eHe!V`Gb9A50MwbmdBTE=&mlWPl)W7h5d7f6WFX&(bO$a;NFM1j!! zTrt{k{d1ja@OPPd*glr~;~wwuj!aW$Pa=zo5c>Wa$sz=%?a;73={lTLA28sGH}VM+ zxw9*bPJ!4HGlpyy-gUcQiep_vcYgc9An1Qk#Q>@PXLKT$Thbdoz`tY7lTl3R6Yqk) zBp_b9J`GwWnk^^4%5BGSq+YG@LDl8Ri%-qQgw9a|cnbFpVP2_S*2SsXaOWcG@atQT zzw9@+9zEkdE4{>jXcBNGFw#d2qHY20y`OJn(rsnpwwj6$KxxIM{tBra9{%n2cz`j> zVuCinLEZzP%QP6&46HWg)2YeB{t#CYOisE=)%ZO@MqlKFrY`H1t^ajyA| z*l(VY_t%P%Ul6=PIZ2CEXE*hZ$q|6-8^-I=i`F%t?bcZEx1SeIsP|YjbX=|>N1I37 zaS-v};<@{891B7k49q(&g-j8sUchgraU_(6K@K3hc4YW$YbC>Q8og!FLMyWun+^1wUKlAPZA%?6(`L11W zRWWp`(;-m1@~1l006Bp%-91sNI|&8sIi=(u9-}k&=}srw{Ia(N*uDhE9GCH}>1edb z`p^D(AtY6+{1ngie$x<9s-SY9>=puKY0f-@mqa$r7s5`Dy?#Q>0%{=>!1C zAnXRUSqo>O(_EO(?;F@nZwzr&*txPA$= zL?cyJz#|elTQW#%4gI#l(CEqMj!5CrZ;Yk ze5%`2Ew8}u=Q$DQ=dQBq0oZ945zCfzy1_Hq}p5lFDU`c=Etcd zt<&U`jC#lVySgs7dj^*D!B7CPhvH%Kvs54DF+6sll2i}>a`Ncy-pEJW+0UXB4<1+m znnSu)o1Bvh4&1%R+D%WosPWZa35@w3L9dZ`Fo7`y{O9YivXm$Ke zJ0>>#)3sJd5CGq1etnkb`uCW8wp^RYrs}D5t{59KSD_CDva#mCt-+v3Ld9k?ecBAi(xgHz-5z6>z)ce12T3*yykoXZJx;Z(Sc#k z6D!gW2&nk5hV!zDr}1+DbUEBQTRR}m<46MghH~g;=cq6roX6bB`4R%a?!q#o=cu;_ z76I2EPEaEuvDfzwW{3VuP`f1*h5jD`(XJqqf>Wv`TR->VR=TBPw>tAH)!wM54VRPb z%N7sEX>1#{$9z!K&Y#11`7{w`q&Sk23a+-!`xEhHzsz%s`^5LU+tzm;N8v|#)>8Ez zW9mYlnJ>XpX=!AwSqJ=;@jkKM=Yk)pZGKnr0?EZek>MW#*&&f137X#SFMSUE1?<&d zR+aw9KRSkQEAaNU@W~pCWJ}8#{I$!jC$oc*X2AE$1+)fi(Bp533XnPTGjLHf#emPbQqU()kdR%Evo^ z2Ihg>BK*3CBb}p+!@8e|$L^;_=C3}J9rkket;d*Qp`S+e=pu3WuL#7(uTYWhRK%Yo z`&@s0MSDSog2xK*Bs>gArMybPkQ-m^uNbnJbt~9|Vw+dV(ZX(cN`qd1jic>E+LM?_ z#nbOf-eV49ov(f?+c7MoZKSlP(xdj~33@j35xP8WBBM{TxlF$9=PS1G2Y+sFdLfDa zvR17A8Vq%wRm3ZX|tuu^)2bY+Cj6C z128cH_m8N5P78j1)d{C)_I@mT(OCM75!nLC@uvIEzNULji~i|f!%;JZDr#1@ z8y;?kkeL4qn0H(W0Q0Ckau!N-zmg35y+tbg8mlYZ0@%cm$U?Z>*2L7(A`sKS_3DI#dhplIj8Px@l#Ugvqwigk-Qbno>}VVyrGAl< zJ}(Pa{Gd1{eVIuC^iHx$cUh?e^>u`sWjE{2$Ik|Nx>>s9K4lyR{aYdrkDV{jcL+r- zhyh5P{$p+}O2dP8sRm^S@@+Kz0LFY?rAZv1VnUeTH%m;+`N>Fh|zyJ6ob9MUGj z-*!GR85Gl89W8wPg)7T+jc1}#o;EIXB;cz4wZPrs{=n*@#(kS*r8NNGSJfEP*OoGY2a6jJjd* zuglD~@k%vI@?l)T11xVGSNq*-fg~mCavh%C%xm(gHml(bW_=OgNFh?Wc;t6%4ha|A zEtFFYvaj(6l0{@7*&cdlEBVvjird-S>me=-YjkwKs;+UBo5jdT=gL!vRufv5~4I59eR|uBT-h1i{ z5V!+}zJ$=pMd^Pe6y}jikJ#R!XHJ&Rn`u{#$M9-!05*PJ{rG>04%N;MQ3?uG3dsf@ z=LwEI+h6(NtJ-s=zN*clZ{#RkiSm6_>wT{QNL0rjNBi2p9k{Cp2&OY8?0WMR)gg~x ztZ{7^P!vwEN}z{fKN;Y}V&ICQ9_*0<+#TKK3N6o!FP`_nRzmK@u0{vJAlIJ{SjS|| z6V>IOlLZ!nTxcJ#&7DzlswuX&22LpAz8*&BmrsCOfg2kUKtubxJPP5N5fDYvsHht zG&rQu?KPaB2Z6Se&GRAHqw3OEs~Qv(fXEFLQisw1e;HRlTx=A9{I$v?rTT+=oT2tz;TvT9;I943*~-ip_pzZKH2t zcpE*m5WTFwWp<(?gRP#4c6=8?qO}&-FLWI@X%v^cNU!e5hQhgED=T1ia5v(;TIPxd zo{KP|5IE!5qazJ78ZNg0WXc00rWiMl7XOQ?O$m)h610Ad=tbfkYa{1x*5c1yT)ZHyP!T=ne;LVsDT*Y7R4-;7@5HW2T}PsBZrZE_$y&XZQ0=G zI8x=aK(c^9WE31V{2$>*X>ImH)LA*8C$uF6Kvs*U{P~4pZ(x(((gJS0iO-f^2WSpB zfR7>|2YNsC5(0^hKf0+iw0 z|9vQf>~l9SNcr*#r~A#4k0H7lJd~1b8h+l+k{LPxYHe0cFJfePrq2jNy|NtK9O_@; z7F$I6G^*cc!0SF1?wXPo9-NUg?xU{IH;YhPGA`DMe zWAnQA=TzA&Ww+YWPvgUo>e;2Ny`f!G(9KH_8)rP|;YI$3=1PNVP9kxI-l}3QgC6FHn1I@?J@%>SI&z+i!A>1dXi-~OIVHhO_{DXil1xy;Q zZs}*i?7eMyYyg-s_)0t-f5JElKA!@L4~ zYl-xoD(NMcZz>FgY3n@hCoj*{1cwhgs=IjU1}{)0p+F3J=m{4yw~#iWKU})k^bd=1MrergY)~s1BqyRJ10Xu z4CtGH`7L-4tEl4-L(C* z^=ncSpapnli|9f3B7vQ<#XFU;@!4+M=?sGxw(Wwipl1Z|E(=53Fq?y(av$X)?7F%~_nUN|t95rL-0X&5Vg5nKna$z{IU)BxEFmjT>LEaPjD zhw02vqvp)x{5ES0S8G$6>Bco@3MQf{atmxbxq~P;?B_&3QlAJaq(t^~?GsT$G)t$d-&D~Dk1!vN?%ZbsnqSN)fr*8> zU4?aAk@SpR7}tUxzv>@$$rcPwHmRIkQX;xniUx0ahT~~;{{)Vp*P6?U09d-q!Bv77 zG=OI_!z8GEsftdIg0U$Y*TYuA(h%|32NL>Y40VNMyxtv_fvT5*{Y%RBxv?5P;8iaW z$u{`NUn~Lxr%fewVJU6d-D$?+m#ys!PCeY z_YuCs#9CDEWz_-H1u4P>!r-m4@F$*F3?DC_ROg0_FBZA%Au;O(FHWJNKQJeH%ny)q zm6i1pX%&6gzUts&GFr?pB=rqF<_!vwZtuIblNsc?W1a%uE*%}14 z`*THYjD9z~L3kCQ=3?;?cnzRR06Ja_yyjKM<#uIUBY{;)^P;&NPFZ!xaoL(F6U=!= zZ}E$$UW$-q)miz^%hVsn??pZ&yzGPJT{M8U?==95hF32Ho~d?7L->VZoC_I2At7Wy z^O^W&WSCfPJVs*l#nxtGWh|g$umA#(&37}bf!I1#W`MkS;Be2l-;kKsf#6aZsPL&o(ls{BJqUwhkl9YQNn{>qR0j8V-Ds zGDkIlKf#gcjf2RFFJI>0pJ|>mM=Cjy2g=xs!U6;G8$26KbL%nmXVc6Db>iEn0!*`~ zHnc6tso7%S%fvI>!|HjBO_&@_xQHe&^BM-~j$+z~d%=mhhXTswpnZnLh& zVwe*{Q)pTlF3UVk$^+nTa#>bpu*j4cp@?tToN7nROk@5!d9cgI2~7P*%bp;1kh4`r`9ryO8%zqufC+4ifPY(vEeOi@qR#ijRnY8tYYk=KklnnwGA!S!n=Esj|uPBlw zMo8HL$&4&O)x7f7;;pq^Iclp(QYiE&ubE5n{*jJ^dA}xwrOZPnPe)Xv{P6}0MFo!B z_*veGI3Znnk!}n(1!~5*Jni94NkL=4@GJY){%h_pG7uFBeUqCfe zFJPQ`_*m!L`gX*>K1+P$9ju+3& z_ge)1!Tqwx*!p*$p%AG-{P%QR#m3_z=3Z2S+(;cZWPyD(9w9CyOD4{aL11sLztlly z&@#}rlD6n&$XECcOidHdR;Cu!IQ!F|5~RZSidDnJ0JFxc8wQ)O@jh+-;GB}hC68LiDG3!J(isLNBnDkaR_U)8A}eHl-i-v{{PZ-;kI3kC@eK`= zLhhRNot!4CPZj<38F zzsCJz6DUZ~_}$Nxbrhzmq^}_rh$>hK_WS&pm?1L|Sp0kOGvIyOXQ4uF5PQVskf;^; z%t;y6!vL2E)}t9^fuFAvbWCaD+bTwcq6%zpFolpAI-^{Cn3#l!D}g8>AB2BJvf2?- zM@%AGVGS01xeP)Q`~b!-n+ER}NX*fo4Q|@?%66MkW>{OL%*m}L_1sTKNy>ljQ}oos z7C}J^$w>pThjL@2C0Hz~jezW1`%#WVh*mqk0t|ld4MmB(M75%W@AO8p`<`$hm#qjy zSJ52s{gQ_-O)&+qa`?xi>0$d8yY8}swS20N*A2tioGpAPBD0~o!mSr5d9nb5QB<(kt-M$t`wE6vH0t*gke6nB;a02WZN!z2tOd+T#y>4J}7CDWiLMB zMJ}1+x|iXKCdj6OV2323^uNy5i({(P@kC#Y$V5HjZ;(=UEyQA}-8a#A^00IhksT)` z{s*ec`#cKt39W<3;4tA)?AX)Z1tRVT-`K@8T5^vVvq%DB?c1W1&=v}liW4aMDS*T|4L@>s+3Q`a!UAxL2+&ky-ivzCHhh0 z^$l_UsPDNvTI(dSz}SWD0zU=a;E6HtG84$6pbA}Rw~9M=qz7tk;qr|YI8>qeyim`D zv`Jw$#ay^F#J?vh*N)7BTM7M6yGt)iXD<}y&g)4+KTY8>HLp1NDcZKp^~U83Zwi+7 zM+{F}*KEF~s*A}s$)#h4jyEfnJLSIxwrt{UCXaYOq+z)|t>qA7)YI}QcSBBK zJ19JajKa8#5RTr{#=la6d`98r%P$dd1^?WiB^S@ZO{pN{zr+_83!ILnIH-utDya!Q zuf>a`^Wb8*+87d@c9Ua$$WNpu`wKF{+*dumHK)pixlGEhkiVImda+|s1DL9i zSE4p)0sRS96pY&yGV?d6EGxq*pHRFJ$lxfOA}@@o2@JcQ*4Mnn<#hbaAC@t|T=_II zQ4u`&H%e$aMYbSBJ26`KBx_lvv;4Mm>` zj;2HLBw_V$OV4sMD(bNlAME#TwwnN5oAX-s?ds5Y)Ad@WxA=(>gjS*P$4f3IRs(q| zdN@2mrx=VtLczM8+8ixe1w7|_c)C?LyPRyWn!IXmvz^Zuj0f@SE_Q_9e2kK%ehI3MZxb3b-?sjx>9%yHx-}IT-YuHOJWEhOQH)zk=!gp`Pp+>Q zg{bCKSmH_0<&ynEMnf%I%hNPi zZl%|^z--Q@2Q^SVaRtZWxsr3YVd&mp=pcSmfs2!BcT{cEBb#OCw{$-=+70UNYeT^F z6Y}Ryy%x#F*iUtP=^;n@@=zK^e2eZpnYbf3mNRETwD3@bhg2vmf3WE2;Cpkrzbn3A zRk)TSspVg0K?H5-u=9uJk6{OQ%YcsqhT^!Rpru9}jS6lNGB^~)Sq`(5n*%OFFrnftD|7&u>LCuTJs-PDz zj0&q;t_y+xBm;>pnwWlrtw@7OztSfO$BdoN_^iQd8oAD$h{42Ebk^%MD4mL8Zb%4* zzMqu1E{noGuV~aE9fu%4j%p%#FFjqu+iP*lDZR(RGmN@Ag>z*~ox%s!Jq3l&m0pH) zrMe8(f~w-0~hGO~Soj`wDr~$*puEO4!Z`A)dw)Um;e>NsI&D)@dP) zNx}mP=axwXrkAGU)hw81Uju%$Txu+_znbaIrezEnc_a8yYJ5A%ZIDh)4)f=Sxnx>? zfMHspfgnD~tH28;>GL3SGx3@kvQm@U6-Ab5`K1VU>|S`--m3(69&41=ef|N$0VXNR zswhbc=Ae(%=bK7FFwfNf#HcfZT#}Q=D}#lt;3fZqk^a&xvv-*$xh@CBCWDi{lht$g zg4rOKZK$8y;BRsDkEB8gSVei!g#OoPdek>ci5IQX2?FWGBfTfB+1`pYa?&9eqpSu~ zsh4DodY7F?T{$ZB{>iEK=k;{rZ;Ar3Us^-ViW}ra6lsWLdLs!3zO7lXD^2WFup1bp zPPdpM5lcGC3gPAh``@4^7D(LwI_8PTa4qTT9zC5n-1D=Mj=%(2;mm#$MRwcBxc;M; zd|VRlNnSh+X{1bi5idRzK^}_GPA#6ejl>&>Cy2w6i0}i|=`udOh#Wjrn=pwG?TIir zA?#Ek14rkQ4U&l?rTxAx9aoW+z_vxNkxc)HGB|Cnz?5oL%le-duXCRZjXtWt2E~Z$ z^yCQn@A{R1Hl80UbyRg&v$;Vau3(+C&Q(qV{DZ!HcOJ^17)RX{#f8hmkiFw8RHF3f z8XC_S6KRFRhlvI2x{%ONZ)m}Sf1^h}K2AX#U!xMmKNsP9E@D(S(r;2X!WGShGU(J) z=T`0r@Fe}~y2}X)(AxJUQ|Y)PN7e!s1%XaNMxM5yxb%G+lJ{_@Y<3ACRNz_BdNy7g zSA>bQ<}3yVR<4C=fJKOr++YK7aAFNG?V1V8Q{_L`Wv&{CE!YLWU*!DhShmRv6_qGV z-0o3?sfQ;5gBpy3g7REZ#uTM=TuwNxjm{9}|C9o#W(9q+l4}EtM$UsTjeZ+aLLPmF zB9JaKf@Ak=DRHQRe5IhdWc&izcVkmIjE}9Zw;dg@gD-~*r`snb)BAygSt^((9ZfsQ zVSGJN-9y=hx+t+VlczeWEF+D*Lka`em*0{ZRjmX5t`6#DdzJ;3XpGILf3-1!E&j;Y z36)<=6zov+edKW#oDvr6Ao;$R1VX*Z?OyKDBeL#%@SYOT_9^&uBK&KIyzAFh4)vZA zJtRvf=CaNx$mn;tiUw!hpx~y!RVnJOSdatw#HaDYNJHu`R!GsN4#@Ge3i)|>m}$e& zKxm9~`0X#ID@`<#^@3>_S5JMf&7#Oon!k9mAs_iua_uB$4Bsb$Pz8XYq7FkCH4UDUiG#srG2a`EkZy404Qyj;LqS^vq3QsVMB0raheNslXFDq5O5t1pKu+r{|>(NGTaD2}{wY=%FLLDJu zerq~^rwJ>vP#wPj;owyNEuZkq1LXe;j0knu&3cJSL7yz4V5x!#ftso!jm_8=FKTYi zlL=COe>886&zb!t(KI>XxJmbsLcQzR1HEM@$7_-XKh$`9fAqZT2RP>szVLzNkU3_J5HX0FQ9BU_ z3|~4mC`~vGquCQ56C}&btVsf;k|2sOYfdLO#~C?BdI#uQfe#|t?L7*EOknsma%XrZ zu1$e{R(=o{nkoM zR^2Rv5?>#opeBe917D5_0=IiYJ1H|BS;&~kETHwVgWCpEwkc?J<6ww*_C4oP`zi@y zG+uAZ>pkp0c6ee>2ZbS%I+ytxUbVN;0={?Xn1B5dVhwqF2PLKyQ6ihZ>ON-OR1ECx zPxEVrcG2Ob2`X9tQ9eTvO}U_+tl~J_-Iq&~fMI7z6kpl*hCY^YqR3a{CAjPxt zRYcfLN_iAhIa19y&Kg22v09{H`abr9nT(8aWCC!9FG(o|&%`A^k#bRsrJL4vJszLc0_enE1$L(*9RO%i}q3)w0 zU}Qsjlt8YmSP>Y zPoH{9)<08p-toMcm@5r?{dGKFHCbrb&FxUvPm*GM6tzBqc3w)1Q1DlV7a6BT9ywrA zakXeyuK(NlS}4{)j_fE zzsVGEe@MaM+oDb~&QT&{r>@W-iW1Y2X2VFYNpBB)ICb?S6eU&*f5LLlp8HeE7)~>g zJvA-_*tO%Ar?Rm2=@KMWGU2G5Hzx`_rsJOk@mJRzV_jzmH#14hk440$cmt2`;GNqI zDa)HEnhTHj6MIhQ*H(!HR(8+)J4#==WP_sy1wC$v!s71Wc34uC%+5WQJx>R&-f%M6 z=TFFte=DDVrYo@=$sHpl^)e2p`HGqpl{3SrYH?LW>H2i!{b#_iQk7S`OhcnK_0heP z@*ZC7rX9KNO$K>6VfFXA#gUXfIY=Ppv2e*6)-Ya(9AzLL{YY9j*0xQ)_q{bs(GKH1 zY!-Zq3FQZqoq4I(!l5QWO>s|kVPwL7D73Qv;peHj3j2Sv-<$S3FE?#ml+*$r3OL#* z(VoTeSA|1f=@iTiiNbpoGn)B&yO5fa*@JMxRC=byn(4+%LR#8Gn`ZC&eOIArd;oAH z77n;l=VLt5wd@!B)Y(5uyX@cfg1deIMD()`TLprr^WgTMyYG44|HOOEFrogr`0r^z z$(1p0vk#<9!~lQQ$FncVTghd=+nmS$8*>9Y_CaTP+EWMza-6zCRXhO;aFqIv`kJ;y zw9%O=nk?S@MkCa>rj>&`I!pDZuirzZyv z*7qc|?K-}_Dir0?vF&dkTUuTIz_h)%3D*FmZS?L~cLDtU)Wc7Y{n;HU_w`hzJ&XPB zxAvW^`X!u5@evZoa_8R4uc%~H!^eM5odiGWH(Hh6d5BpID<9qY6F#lflBQJ=&_jM4 zHi#ca%-ODd#->Z*h3w0Zng|mz#^*`b*H~w?y0Dz@OoTTrcLblO4i{K|%CgmHqQApD zjF#QRz~<+|tS_GE_jF^R#}WLgC=yLj9bPyRZsM}FpwO=V3(@h$O_bfFJp}0|>AS5X zRHi3w*O+LE@XGAQt#U3?Z%3ZO=$u(P3Sab|c$O9T#BDjA1#Mu>HpKyk$A_Z_u{*z0 zf`FwuN{LMF&3k5x+KcPo3mw~fAC8xdB6HFYwWXIM#mt5Btbu%vn+RJT_Z zEQde3ZY^Mon3f9g{q-hEXMZc+aqzbXwpf1JtM!GG!AGFc(J#) zx1GxkQDugBw}!kcB^(~wJqvvvC&&XoyJa`kd>Ba*mX3oxrg*i6v{oG?Pf$52kTp6k ze7vpS?Gf@$@p&BHdG)e-q7mNc=c6dFpyy6rk2n*Znda_UOGa>C2nU z7hgj@!${6x4UVU*jmM(pZ`V7v`F9o#T6U`cBbHxlMQhboatoK+(8NN!ImYgIR@A~! z6Jf;L7C+PiwcQ^l$n53!zM62r+!po2d&6cFoBJr%?SNrq@%`@B_8QWLkoY=q4o;a^ z7_rG|O|z=OB=G1*wOl}7MxsTn=R5^^6iG^i#dNR5{JKex&el*ScOW;#tA~uTlL!CB zk2^OW`%QyqE^#6Ez};-v0G?N(N~A@kmNo1C z1i0x^aHZISa+s9eWmagDn#8&-GzS5 zohNKOd7joD{0h>Wd@i{|Sl~Y80w7P@m&=tt4l--DGacxZhM%PO7s#K{2)G_09B7vm zO2>Htw7rHA8p(zDgJ^pkOw}WOXoR?xRp;6;$My491QRAP)dMo#miaLD;z0%8A0JvI zNJ7isB6Cuk2=#^oekR~0+XJ;|{$P0%q-x@`H9LgsRXq@s!Vix z_nAfbnQ`c6MOXx*&058;h)*JVu7J6$IBzv>ccGp-U{RA9Z)78_wLQin5_FO+yG5!P zWHxOPY4tpaV)=WJN0xH;D~F#h&+jkzlfVi9B`c&4a}X*(HgW@X&Cw zWa2g|+qQAGEX{xbx#e>}GaU=`O4WA9et+o~uj5)XQX%6+4=(*vIu!)6GZf9I(o^HJ z3`PLjuLn0uQfr}%3ycFdW+6;RLHTJIE0^9C-D|>#hDe+m|0@;gv>c6`lM~p?-L3hQ z8wiik#euC6Z(1$b&F03}L4`%zkzH0f{hqyAr$r$V+^ZAJ+}sTB-H^-!<#I=?8xLfM zuyT=FxN3SZ&S?lp22&=Eal3DF-dZ}5)<%UbtCk3BZ#by_Z;s6NTr4*Koi85C715L6 zE!H{yXne)>dN{Ar+*W2y*#YOc&7qjD+^2 z71ssU9V8hyV{{GPZQmvafXH+r@jMK0jex75$f9zfw-%hOg9_2T+kLOoHv)H*r~?Zg zGKAeJo;hO?*Ez(qo0d!91qq*O+R1_Dq^lt5ZChx96$ zH8^jby4$H>Idi^jSF;ldo|8#s@?+*b-P_h8Ntg)YhTHDu%@R#JB`N~uf0`y9Bi4Wo z4sC3bXO(O9F$M^ujxF)&gxfZHm-AlzUilg_981dob2F=}VmYeJT&I@GN#e86PFYId zw^#GeQG?%`UEf)>>hNE+Gr*Aw-=nAZ{D2EpBqC*_mM67i*fha)VWnWDs;UQ~^;@J^ ziv~h`mw#aq!l*6Ze>!cl>}fs`Cwjp76E2=m{3@KHyX>}HJzqT_N6??(kI`(;-41C2 zy^{6O`b87Y8-+u%H-2RFBdOAzA8$Fu?BSMVJL8z=O1;|ksonhsZruoH70$m5uXpy( z)2Gr5%#Uq80#gw#;`s}!cBAjb05K(r^Y(CFB4eNv9uO_9FYw}TvUL5TB~^r@OAz}P zxlG%@zI@kWhCmH)ZA$UgsTZZDp)N}+(^83AD9{}6IRhwHDV2|5(?o&F?7zJ+`)_Z= zIdj8l7xGc_YGjD2i1?XKHL*$A3mSs`+v$K@PVUpx*Ius<^FAZh{F-50YO6; zuc)xQJ(`coj} z58U*RtYZ3wG3$EfHoGj3uAWUIXYS0D)vfLA?0DeLhVM?Bo0}5ArEBUQZUSU_$_!dY z*<+2>0FTS7dRFa3mW9*#u@?6HzYOG!$EC9*Wd-PxT<7lscAh} zoX!6@<>GD>BnIZh?Or|jf+KUM<0%JIMmR-=*0Iybg@lNcekNtE#vEQu)&(7aY_X`c z2`N-QY}V@{uc&l+H7i}0AKs_U!c)Op(t*D57;3fw}}B8BhhN zMx6in0<_kq)Nxsu7p6AH!}i??sD2SpB}QaK#J(eU=J}E%AMr++ZPwhdCHK!-!^+>n z9!Es>+?ir=k&$-qYV{p4!!0VutVx|~^;1?WbR9mf3V9sqi!w2lH2t)%B*eznn6~7O zZCG@y@<{ewpQ31q?|YZXmDIQCg6Aqg_UhfccLe&ZX>*w2+qe1o`PaZl8fJuVGjqLF1AG>?ATv<(CC5TnYebIK9U0?0i`J(*2-dDR zHs3O6@OvOX$PrGRxSKxRchG?x?1)U2*XDL<6GckE%Cqu^4rs9%kl*tyTL9zi z)scs9FK~I(wIM43c3w~Avx;eGXi`=I)ujLfR?DM)(Gj>BjK1Y+@DM1!WkACEmUQo1 zRxxwiCsE%T1B#YLl;1`Ln3$Da!e`nCLM&l8>~73w7qQ)=@2E>; z_)ba@Z58!22-(dH!~fV{rJ6PllnE>y9rc3+Q0{m|Y>j%Oc&8GM6!wowYt?0@w5Ez$ zWj5OVPTxkz6KVNzoFmHz7g6(HKreh2BwW+1Td5!TTv>*%>kJD4nQ zrGUjr7Qt91uE=QcVHZ!3M$9rGxn0BNwp#Gi%Kz9siY!ty0$2Rp&o~+d|LimZC5huf z)0iAQ?y%!#ysL?7y7(tTZraB#WOr?4&M1*~EsedERN2`04akcjltIZ+bH%EPMxGs? zKa)tYT@*;-Mb#&r7j#i6XwfJeCmSn)GK$g2_UKsb1X#MDUFuDi|w-NvddADoB)edh8bR1K4uLp2NZ9G9R54x zuyJs3vXmhZnu#RX_QLP03P2UKyehuTbaa+2vvvTd*YU>2h7MnLr6r(yrHrv%JL~!u z4b3SSlJ4$iGdMCGm~=(NU;xO7g)O0}ADC5SD1wonj_j5nfs^U`r3&wMH1&3#*%HP( zw2aL~4>w5Mk0S@AV;)j{h3A|?P#rSqLHJD&Mxo5G}f&i zqz+H2WGi^3QRci~D}|~MnV*=POA9uhHE~G7W`7IDW*zsTk)^{mNlNRxpp`8}+t3h& z(S;eD)V&)X8fqCBaeGhzU(nzA$Z%g{9DK3-Mh6}9yY+_n=}|!TJWlnT5x9)7*x*Ljr%Yp zmlgqQGcbJ*fclu)`g(h3e=pQ-7k>Z#J-x87P^LNRMu84OM>*ig7tLrBUTmjDjycet zk&zJzm^F@UWd_tp-k*SlT;{c5G%-6bcuxCl2nH3=$mwz^upij_%gm^+_GlVo(GKnH zt?r6vzM)Sv5L2=`i}w>#Tq}bu$rnkBtZrc>!7L3b4_K?>psII@EN3Z%AgY$iP*99~ zaqgZdpFW1CbX+%%1g+8<=HXhpd#gZVjAJBn*x{DUJKz8;86u|yAq)5Sq5C?(l$a}^ zY*Ld~h!YTI*5|I6CWXtS$WND{;6>sOpSSV0LJhO%@_1}?1J>j18i{J09x?#LT(|UYNogAkO1@+> zqNCK=Z40;~;HXoH813Nx`gUGRK1XTh3pvhE0v^uUQbc+{!*NW4L+^}HyAlY5CafSW zp`FabAL_H_xM=IxEa0;O4--TH2`&+I;Q}{Rc7*%9 zZh1)n87q$b+86(GT%l(`(uQbV){*-E{6Yx4*ADGx38SU*7N~nCjANY6iH(G^@y8lVZT>^R0WU-Z7?GqFr5%`}ZDBxZ{zaGXTEUfZB z_ZrB+FrL02r2st6XEDWr;4d+mdhA&569v|W)N%N>9-oB;5MRr8zXT*fH%H>zVn@gb z@7a|2SHlKA5Uo|$)Z+XftxY}aaaGch^8fsz_pHYs{fc(VR3zeoyPHK^R%^M>y@SgE zq=AwysI^^}vO~5W8y+3`{=EeS1G*sUMsWnTvi~C&^aQB(CYSjH$bbQp7I@4+fWDD9 z;j;5l03VqQH1TB%`X7y)q5?AInZZ>2#Ko_AunXLVkgvDc{;NVz7@=S?zg*=@;ZPvV z;qE!A>2We_q^~Nz;QfkmOJc@@RLLSOHqgcOU-im!zyWVCk`0LQerH`jH+YEXo@SfT z)r8$7e*d?Xii08!2m-d%ru{Gk_Fb1#zO`h&Ssey}Xn~yqY}S6he`?(TMhvP*Hpyo> zrzotIxg`w^_jxB!(ii{im}DZvh2PNBcqF zqzejyoyK4V;>JIk;nC0ZwngN;1@&`b4ZQh1tP4!L1n3)}#WO~STMeTV zoT?;CSS<+i|LN+=!=YT;IOQahEz+?}W1BHbj&4! zt#dGE$yFl1tBfYceplt`W_ zFqgTzhF!Ws9gEjcbIPD#cGhVWU561Tp| zpGzPlDl6iI5o9`-B)ylbe0BN>lhA_p+6W!;uz2v?$=@gIOL;t5XVYcWZVD1!c`&2$ z?PP}~u+K8xCHu%xK|u?R2&9}T6bRHJrBDBv5%?JhwZ9*dFakUNr!KYOrz2TC%vF~V z<~=#f_w>|x!Omd~lV$5BoHAhSgcLjJJC%~e*!}|QZ@nA;IEz_3jM7SSn_FtJFoxqS*tQ=&+!3=n;`G6E$UY_l#gqz(cey8S&7#+=7DrUSWH#Tx|=4(0i{cgZ71 zcCl-bXf$MTY32?8rSQX@WplBUG|zw4gPAXoJ@dgRFi;mk+A>6GB083327bE{Eoy4< z&urc8w!_w$S3Gl)YG5Op9=POqIZH9a-6c}nNa2^~Rgk2UN2)TPR(($Z(Uc3Am9ryX z&a=JPo_o`x!x;J|QJv7oW0GCzA-V1M50EzGAiKAnrW{)g`pKJPkAHtW8PPk0W|NoqmN zH6`r_tkhv&=W)ZvCX1GUurb`BIYG;=XNmT@_xWNFT2YZ-PvNFp**0i1G`fval8M!) zwYmIq)-fNN0JV-UIwyqwr09S6AVH|`xgMp;dpz2$IOaI8_s4GKrqXfif=ebS60!p+ zm&vU3r0y5&z@}>R!g|U#6B$$`-aLF|vap^A_e%RPzUM3R(dYbI@{jgQk9o?Eyw_H1 z?tTnb_xq()d?#;uRTkV?zOGKnmCd>6fmOe9d}3{Gg#2Q?lu@L|TE>hmj+pSt@S($9 zj~OmDyS&efOoBSVGrQh!+l*l2l_)Q-_uCEX_y9(Q5lC>6@vsSd!WN-8IN8xk?Rn)F z0^UTm#T%?{bc%$x)8Tfn)LDr&l~toP5+Qhc6))>2jv3rLDt;5(l3V^P7HdAsyMbuT zp%h)MzV460#wj3lf`heu1<$4wIfW-?I8_0*;W@*;o*#_6(rN_dcAgQ}#~Qs9CVKD@ zvD?)h^S;O7LkPx`Bg**twZFanf_nn^I%j`a=s#H8Boz9qdB2%jV!ZLUQeKci`8kQE zzaRnWyw8oA=EbZghI$^mW6Q8BK9DbZVZuK_)vcbqIqn<5@a}A-?j%1n8@$~zaLTX9 zF0=pXY1@}A+8L6vUI$1Ki#^1x0uaW^vJ}4d(y-_i!cOrLnl08TYnNWO0-?qQ;@LC% z8AgV3BBh?AF}bXuZ98y5|1ptyQPrpZtgf|;P%>YD0`-c;DV<+f?)xNw;8YVDMBT-8 zBvO%+;o~aCubWGj`_ezn4|T=afIB5D6;vwH-=2=Mu#EYL!4$$g4F*GJH5M+8rY!E+ z2q@2h88B%jcAkbvL5M+ZG(2I;G;jyiW_vn%Ud6_a(hRATO`sL-PhMl-j`a$-uzgzy z`k6jV)2rm#&7`b>tg@ipBiif5qZ?pZWD;Ab+@_29y>a9f`#MxiDuOA|vYaGSf|tT! zhg-3E8qtH!%N?k;BDPs@*KAo`V3#Nk=*5Y;ouOT$Fiun8{x{-7+f`Q}uRjwDvfJpg zUgoxZ7n8E7j`c~X_;~xNT#F-+bD+}wqr`^9>dU%%KJ)zSQUfR`u4ZQ-yWj4pO7t2M-asCS|wFpBn*<;FZP>#F)9OG!4IH^^a-gwYNeck+A~F$gKpM(uXX&{x=?aVTZ2JX diff --git a/versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP5/shared_advanced.drawio b/versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP5/shared_advanced.drawio deleted file mode 100644 index 6f96eca0..00000000 --- a/versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP5/shared_advanced.drawio +++ /dev/null @@ -1,187 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - \ No newline at end of file diff --git a/versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP5/shared_advanced.png b/versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP5/shared_advanced.png deleted file mode 100644 index da9899157d390e82e60b50211bfff24637e8dfb2..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 90372 zcmeFZ1zc45`ae#mNR5b~fG9Xh$k1I5N~s_z zp@@`p`2P$uqZqq)@4epr?e~AL>&u;U&Ybu>@qXSLzkm2CqP@GhfJB@>b z55d8~lO!Pmd)OLOJaKSzJ3QodJsf?k?HsId*!WJMKe6%h*gCs=u<^;U@q#}hRw8D? zB3y#zfUsZGYbnrE||Hnpg9kZfUu>72>2Q}$I;o+&f3n(5_298FAo)V8ggvmKF|;+#*|XnA>P={l-u3&EXzw3UTSPN5g&W##5>2QIZOI~X6gAh!VO0G~XNuBDxs zjhmSxxRM=4NM}rZHMvf?o;7nam*Lg)^yaZrP(@$I$qYQ|_C?@8PF&#mF&A<4QFJqN zu~h|&a{yPe^ugW=wG`A-TKb~*2#ai=#LHvjhP~a69h!E2nCruU=uzj{c-mQ7xnr(| z-sR!!?BHSN^6gFwXD25huW!C+=H}+?{q5JRogFZX#N5>dtmB)LP&+g&%p88)t7B*B zVT)OX0Os*f-&V4+v$4hA8ODP-;%J8bGG>Rnt(m2>H~ReTUE9)kb9M%&%5Piw2`dMb z@UU`0pQrFUN54G3+ZTKN;}bB7@G^7o#H>x#%)-{r3D_P=(C!|-*fqO3dpcQedkpXn zS#MiA4=YUpRI?Z1K2|O1#nV_6V49KZrdy4vlOrrw&Vx<-GS}eTkSX^ z%xlgkCEXMiy~WiIIIiLwJ()B!H{Z7+}kUl4Wyc!NELy@<1m2k>RHFZTma zjK1Et_W-+h-1py6v89>2?Y23f^!@vK{mv5PWfTiD zk#|^!;PxM|{})&XOyvKadGP;W9-6km(k;QNwNER6e}P*69bJ4Uk(xaEOPSR{$K^-qzc; zM9hX93RO^0w|z(swMf(!`ZhnoDGxI@8!O^?Uu z2Qv>lFAP9qaPenwg}DRV*=`$2u&9Yu3`S93fDwBMcV|yG3oFc7K&)S)%l8+;!Y5Ya z*lp~E&@%YpLfh#11+TXsa(mYw0IJZh)34A!rC%!_I}fy7Y@Y_UP*$;R2jKHpqd;w7 zZQ>g!{5i1wuGyevk2V`j6#4sF5-&DZ{=1gMDRYM!N`t#IDWSjZ(@?iCfRlp8_;{OSC!U79c zPyY&a!enGSkQ}QK0CfLHHS!;%F}ytAs|vII4^)K>#Q%<}K+5}l)cucS3uacr))v69 zzx6aWUOqt!VJma%Ut{t@fN*ZF24nNQSbn%ekl6UPGbm#r@ZS<724{8{{nvcqI{^9? z2>!{u>o1X{0PI^yeqq{wg(QE>yx?wjUS=Ms@(P+;V<_7WO#l0fR8aUIi}XLnt+DFd zVVysO#Xn1~|0(W;zRORz^-hw61)-fR35KzPzX{>~UVC4l1&bMfmT(L4eQO51*dUC( z(61xhFiaTv1xg3_{3V^@0X0Qz3ib1Z3QM?AWdzh`JrvzWpY^+h`_CB)24w%nh9V^L zoqn+~2&>;eYbe6Jus`6_yx;S*UuZTzCgOm;q5cEX|3Av!e%HGGJf9YVVQ4Kjqrqxm zM@Yo_@=kJr{Tf#P{|cdo{g^v{34}Zt<^12J*1teG0>a-?=%4WwVT}HED(9C_=pWM^ z^on-SlRu8F02ER6iGKzzx6ydJsDZ`e9UzM;gncb*Y;U2A_DkgpZsleN3hk&2_Kyo- zJA*U^*1myW3>^PWVl*GNC4=?Qe-(Q9u(>k!LRi1X`tYvE%EQ~)%^u_=C$a6HuMHur=D?#X zU>s)$8vLUI6iAD|G|_fep}_txeSlwCiuwfr4CCQNx0=5coOrRB_6|M4_%SfOQ&GPn z`$lE`;P1}n!PlJei>AJB+hHOnN=exI{y(RsFU5=RwS-O5|7KbOy|?eQ1mnX{i@!um zKW6qnL`n-!H?J=}$Q@zR!okel-40bk+EKUtUBmsGL?nUla{e#Hc5EQ|v&q2s^_U+n z^g9s=bj!?qfnQ+n=Ynb@xueAP^S+XRz<1dT#)-f7%+Xi;+VJ`3dO%n=+Y#=ZoWb*{ z$!PruqCf7@-2NVqoi#Yc$qdz*^Kb)04q%i5OwaIu!3%T))(H#E|G?pSJW%(>Vl~D% z{}2KGyg$2Hf$qMU`Sz#stW)g5R>@FIKbD z*|9La6Oys~2WvL}O3uRjV;cE`v;Wk;-GME8{85|NQUQ#jVEFR(moeMej@}nqj43@} zdG%LHjH*Il8S(F8$WHRhi$Tf13$9>eCWaHi1Tal7tit{*t_Whu)bCyBcW?znOfU(C zovQhY27l20#for;>th|<-NkI%f4@v7VJBfM(DO#92^lvVb0`SZ;4f;}ZpWvisGX>e z84s#O!)0yeXy*V{gE|LX-^|fv`yd}EyMfSQ<=|z7YS{g7?7Ra8 zAW%1Oa&~h>&FAbq?2Va2LLKKvKj`+;Iar}4W4ORtE$p1YAm2~UNAW@~48))gW7>?^ z%WogH0~1@Qxkc1*o*j?2ebB?r%*ovvJQViwsG%>+!vV5t`R(0zo^EbtVQ;ftMCbZW z=)3{|L@;9i?($wR!=7d3(V1zX*B1CCV^?pJc_@I@GU5UhIU@4r275 z7{RcDf!dJ}u>WtPBd95f2nz9;{i1j4H1=+u`p$Lh5 zr(Y~`{;`F6q2hJe2%RKFX>|9pW-Pzbz@jJ^(*0b#4MJ3Qz=)}+O{<_<0W z5Dfo+*8T%;q3rkrm;j0lU}P`wecA5M@|W*3gC8#RJAvq*Zw7uBM+MP!#$VM8}Ne}w)F2!A@gJE41bfnNC2BzVlkcnU#?Mq7aaJ7 z!2H>cKWO;E2I}8I84ykX+14Odpx;=>|0>oyTZ{jzSffWFv1IMPyg<$WGv4-}Y7O%L zSPlGvx9tG$|C-j|cW5d2hiLg{$(`W$FN6N^Wq%S$|=ZkpJH(g!6Z8*h{4O2-+H&~ks?X@~@DJYl#6%S|f?+xie=lbJ z<=sq-#`&=0>sSi>XF*-yyTT+*ED8Z&?|0gmX^f=~E<`lOFE&n&?_>blsvGb3pvDB{%kO6(L9KWD_YJTU z>Dw>dVhYndUUp_XrXvAHq9gCuft?@E{u-sfI~%zE_h)1GfZP3d3|eCQy;uOiR=9Qm z0PJU#Fzh}oYX2*(3VuvY^(P2`a;tAfTd_v6?Qj3cf}EVWtb8zowA-&km^*_XrUXC8 z34XQE0`)_J?qK5&-<;t3?!5_M59mkwoxxl1zJ&|w2h70lA2|T?1r*_DU5p(Q3@$s~ zJH?!|<5g75Fz65M3|^iehy>>4l`jM6Uw$u=|GQs3`q>;8w(P#M#`%4R_+Qa1){6e8 z*==+9#hMl1!7yMf7sHBsr_=r-)dIu+`g5&dFVNe|Ai`X8lN&>Utg`iOLgBcMUHN4vqAtdO( z!mJl1{Fj*HnWfTRX;__^_s4tnz(&eLLe{Aonmt?5jh)^kVb<`N;Zu-mD)v38c{DIR+E2JW_Vfo2JRXu zI4Y$_LU96hsvHXosS=#v?R{TCTT-%i;de)=FCsgbw(t6H-@O5WFN4G!&y^iIKi(GIYwS;<7`MM}c`!I$z`kb)+*Pjcp`+_aBk9IMyVPV~ z$?;=n?m|e9(@uN7?;?E^&-`dG_;YNUgny>(^Gv8wIltG({>Z7`{4BXhniX(L+eEQ_ zZ*#oVR)k6L<{srl&bkwn5)dn9-}$#PV^6PK;xUu${2X^ctfR``+v8)uNapAMGIz!n z{6|eC>-$Hm1J`-1o4Mjnrs>7JIP(n4%-?HVu3Z0Ep^yZ(eA}MROu;BfKv+BZJWG`sJflF~DRuEVxyyl- zv-RZk!Y(XlyKb8`KK}HsbEW|P5|L?A6Qq>Pf5$Fm)TqSiz%A7jx|8sN+|BjnQE+4H z{n={QWvc^L3(j^QvusQ5ZWXb4mTKF5cMq@4vzUY<>d9pk4E!YiOCRchv1r`4Jh@-O zkN+8+A%gW;$K7F;Lo71XmgINep*?TqvUDn0)Z$d{A)|5+dJ(t7r*Em)?SAv>zSW5b z)@`ka)BQh+&}v>3bbK9gvQxCcZS0h0{Mc2KAei%(=FL-KWP6UWXk^NbhqTw96E})n z;bZENT764vu`l9o{QOvp#q{gq$4Rg(MFhe;+qlZF*&Jq8PrzwhDf}DqWs#lc`Nu=z zwxParO?%t+>j@J-b9~=*=Mn+oBPCdaIeBcUzAI@|DQk|`xmci=g52BV7`-UtxgLZ1 zAl0sm7E?pw#pg-X(j^bPD^M4@5ihw$V)gVg%$-T#ETnpMoKbxBZNhk4wf*W$&1d*S z2R$AlbATI4za5UGh8R3_kV)pZYsF2&?S^pYArOJH*RC4-J=s4i!lcd#@yN*(+e6s2 zGB-N6wLYUr193>mgL8V!+$SXDqUPk#zQ?o4i__OFJIrvIOJ=wwH?LZb#Sf1L^7;VE zcu@9}8lq0vWDzexG~mA1up%eZ7jKSb47X}Ylz-pXJ@(ERff&u0 zqIq-QHp6tkVkjPA%*DsQu|-F=4NVj^TRy&sYtx=qbqH#Js9$Y9qe?x?4gk#gg_Z&O z@iG)@vk?gGaIfjt*QBk9#QAn-7?!zRO6rq&MZ9}IPA<)^r`D|mxr7y7)4b*g*F6x5 zGk3LQiqCczc+VIYFi|e-+K9VLsUzb$HzH3vQ;T#ZqpR>a2BqIKb|yXq6eSi6Fn_y?s~fI*Vv+<--GWBUq6s4y+0 zI;nsQ$F>Y!mJnhNE#i=?knaa}SWF3ITK6|nmXt%+e z1cryp1(kKkH5WG`jiNuK8Ainh?vY8JZ-n~S3U#qo~;ph z9)XDq;lSR8?wyHIJSIbJVR@G-6X2q($FP7SI;`ZQ!U&ndX9qb%y;QG!*1QyWx~&p+ zhD+P=OnQhaq7X?h>H$qsN4(1QHR4#17Urs4EB0G_&t7Ka(C5b7a8vmzJV%==!7xtb z;EGVbr)nbSwXEUS7O{Erz%pk0oNKO4*;Z-zY;xvzS$Vl+%OmQKigc3;fE#5z97)bc z2TmbUVLAwxeo?8#{#I%fXvRO%xvO>5q3>ba=)`r&Bt9Fp4}B%=hnw9`L+R@4>kC|l z>uqz6>lWbj<{6#ixSBNY!uznI`x0_iP@{P7J+MlIrj~WCL%2cn5?g7xzP-NFR`>|ps zx!tzg)cW1WHx*ej=ZJ1=-TBSVzBLJ!BpE15$EANB#DZ%7_JW^XU`JsvlR0hp4h{o%}+YvxBM~o#ZBduM(>AV=G}MCm?Fv*nFArj zluZ05KLQ}PxUUz_B=K5&d1W*{1?Fxn=JkPRRKo8Qw0di8O3D6#&zyOu5bf)*@NmXx zB@ks|OV>7+2Q{)3DER2ui?g8Dgq+h>`GU6sI@PZ6T6NR}e^zqzn(V0SGIOiB-Tdy! zIMDj}-_odYr4h0f+kq9BODZjp5?m=@>6MMrRqpE|8}lsA9k;HFD!>*EKy8Dqy&?;Nd>e${-@4Lxos+O6s(0#8H0(n#J*`R#9>O8>v zLm=%$mwQglHZwZY&uxT;{a>560 zeB{DYnm0d2{mKoHS*3JZmhU2EQ~ZoGjb3O_6(MLwvdD}N%+y@)-{yd zyY7V)Db02`)s)S2-Jv~o85(+B%$vbgBi~r!5RT7E8q9)dlK09HbtZSyeC^!i!n2KX z@OvgT0}*@Z{5c`)5X${hO(eMoJ+4IELF!g`aq(KW(%(cP1#Y;GHX}Lc$aCo%!YPFk znJP-jqEHW?`FjuFgd!^0=|Q5h@Q%O;=M5t+i1;UF;JdQ$*6U)urHZe{I@P6O4?{k* z&#*y7y*}8=;d34MkOg2<0UpCF#ROz2>C|5uI^9=dvGn1Uf=VeFUEkO{Cpxln7S%Ly z5m|VuuxoupNPhL&vHGwayUtr6!f_ocLY5|~rU>pclO>OJ%rNb{qnWJ$D3$7v2p2zu zW4{m~;XVyZc^yN-uytWaSMU6=tH{#52R97~oMKeq(U9;md z-4&J-hS15L=aLM=$BzPx$IkH93Q=&+J-z0;wLa%`jD4FLck?KOgu94AQ`#4r4_6yy zGt!P8qrW=L4W<9^roik(2ckZx+~XZW)bqVuYilHOC?z;9Os3ak$~^r;_(x^PX$T=? zx5kyW6rmIx7c$Cc?Q{?b1=teGM6iAUcFf+9(gWc&GbC=Jn<}LvCEHAn3Yj5Mg0I9C z`_Z5yk0c%wY1B}Pmu;&Ow|Yk5vt+9eAT%|mW$0rlwGjYtnaZW#i(9DuLx1tXId-U_ zyMRxMNWN)tLaT^l3h6>x;F6xZgp-5v$NsXm;?maA=@wR*VddBFIWD5Ip85B7AJFQW zQ)NLCGyxf@)>ruNaV8-fk0T)`=hLgR&=ek@Nb^@iunJP0(IFT~0ugmTzBWe7GOD#l z5Qry3l7K5FoX-Pr&(6Wm1=;ZHyrsGVl8nNjO}~Ec!9d%t+tl19)edO~0G%@qn3MPT z@bbC1`*`cV1j{_lY&GGajZ)uRfacsjeUnT(&(Q9-hOx(&@WmUi9yb}V{N%;uyD%>B zzD*~AI?&~#(VSKxof$A%-Qn#@+k{VT!vXFShlAf zXuWV9-OC`qy+2j`jk1X3K^aiPF94-gWYNyw~Uxmt5Z!%P7^{6KEOi?r10>s$K=xUxi0T`UcQ3BBc0$-c00H*A{fnah@%ST5v(M18k%UMjS#|< zq=o>nY64k#tj}$o{Io){Sr_#jLdyO_igEmjI8iwI_|MX%;y-V#w{NrwtwSJ$+|&!yDz;pthuDMiuRy+3JJO2cBIQYZE>SwVkHt zF%2n{YcODeLULpF#GxRloGrD8=ljd=u8zJgbf)3t=g@rSK zzwEJFq@4u(1uu|LAZVMvgsvPOqLry5WfJuuX}Nm*5nv8&8I{tZc;mCzMLo~Dmj=JR zq!^Rap)R#~9t4eHK)DFRBDkO+7MT%{Hq|GnOGawv>dU)iO?83@aNr=+XT|0NzIo^oLV1}Z>DYVi1;Zee`{ zW4Ww$MIYNWC`(DH17iZpr!TF zN68|Uj+>7+UD|~<_wicte3Tczyb${t*sv8RF{(?1-)yF`CZ#;hSFje+0Rbc7j@FiV0aK(t~7!h%7%ModPk zFDI-zYfG{1D zMk1(nt0S^5A|px$IXw59qAbCoj^7Z?WNTP~B@F9;45v;Be!j!p{%#>FNC-Fr?s9G? zYE&aA=IetGplxpC>{(-wEexMYJ*$E)^fUs9CzwMh|CI+XlK>Ffd^Gwf-e&g|5dd(T zZwoCRRq_r3R+DAjmV9LM8uNrdsy>!+zdAXaL>TqRms8(IV(Md))U(O*w*bKo1{h+& z6EfS;aC=|0v(=P&!^YLg!E>m!q4GGjkDlofD##Nmv_kc@oh1(;HA+<6eFP;nT_ed z_~;Mo9BI#(I!Qh2jY^NIWf{^jq-BLNRF{;jT$F-YGGIB3eDB-$Z>8+-UW$;uhYFSq z84PGgpbEWsa7Y*axcjK(QUp5#0w_t=<+*?r=9yfSY73DUa}rLB+-1kZMfng8-N_RW zO#M#k;E)nrH&4x<+prY=Qhhwb3=}+kE`eq3HM@HhyDT?67#+mTlWhJ##=A%y98xkz ze9R##Ty@e$T{z&S*|v+RBm~?5-)oJ;Vhy*ALYg2zl|=!8$WsFV*uOB9U-Pv4NiWCE zExFoo@R$K421Zy_gwW1zuc1~)zhQ4EJxCoRa5*K8VI+1?t=2;3piVZ`;L+qDC6s#Z zjP+Qe%XV@s+9)nGJUr~-`Fb7T)1Ig^&M1?mqC(lX`89qe%)`!-<1ItLI_9H2U$Ds4 zW}_Y<%HTTo5u|BLv$xeUc0kN)7cLc32VeIPxQ949uo~Dg2`Khq)Q3P7Bu_0%F@C^* zYs0rpG;BkgIs}e#mQy*oW#|k&Liz)V90&C6dx%)UT`s&(6(ISGI_egCF_IsoiO>d0 zds0H4F(6l)jv`2%XKgt#{BCHFAQJ*f%;~&3(Vl*Maeo~Gudr2O z6%sibV6=Yg(NwtSurpA#^-aMtaj3lYN*%^VkE~=cZO#p?GNnN#)9u`+` zynEoxZX>)3%CzQ>&OzY2Z@7@xFhUI>InN802saL#X*ELBi|y}@`f`5~g2UiYh@oH& zLlHrk30F7~x?s0m4y$IP8bo9U75}zk{n_}i%Eb;9an;w4I!fhr?I|$aM>P^LX2X2qY08EYP#J0+%kI1#4~T;sOa-A}C{b8^oxe|i zkZFsk?Y&NY#M}e;UBjCs2qEVIx%%^@u5D*)? znd--jOgLQksE?A>?!~%_kvgG#AG^Twa!qIP^qPW4fdf-@j6zPPbswJ4K$h`trhkze zz@J75++bSBlG$~{L5B|d%8OiVuRY#}UDIqfUEk7#{w9X69dMsqz=Zp}qseB3qUKH5 z#S2SQ2+JqGWf=^b(Zi5pfBhzh-~+~*aJEM2SNpojEO6E96G zj5MB{^;=l7?YJRet-=%=nMHiiXf4L4(8G6QCOFu<_44YipeC9!jp|dX9u$mtQ8(+= zvl}iPuWrhp2&yxX=o@*_M6TpF7&yrw2(fCZL6mhq8m`C+cX`_pbUEk_8I$T2kYA^+ zj~(d>zInJ=<$63`m~!LhE!Qa-ITE+k(EAf_095Pg_~zRV}wnQY7QM$NvqgD5xlz3;=)qhT?+r!h2mp$GAU|R z8aEXrc9Bh;f5dCaPe(=;H#@vpVADhPzAC<)#eP-Msa zLNf8-Z(-&u25)B9Z<5nX*fDLD29OH0>}@Xc<+wEUY65<<%blK1lJ?H&Y?;pTJ%x75 zFvIc{Mty<1*5jq7W9$LmZ(01j&PJU{|0sXuwD0q3dy~r34pW${eNVBA@1EQ%FiKmaOb@xxeJbN*j?kfd;?)C2G>~fcye$ka4RI3yw(iLR!DSnI zqRwVavXX!tT9R^`#7XYWkBNMch=f1?4f@GLv{iRS<9y3SF6cw&RfvJ$y{4`*4wsdo zpvqVGB?W`#4!mq03^o#A4ZRs0|M2n33T^ZKp<~d==F4mbyNlj;bc&aFj*7OXiT3QD zH6rJN%&0Jgd0!2TI%z>P+IojpLAbPB{0i6Q1EaT&%MJvDsdQ_c^B>+?*F;(@m#`8L z8l|0@Xph=6Ra2|u?={jPWMbBGK|pu)i4&(DKe>(CX2bu3W=nFBG7yt-(rih!hD~FY?19 zUhz1(>GF)AQEehZ!loC+>4)5VK8*Vtz&on$7!L1$={swqlFmaD!+~6<8r+I!=pvWe zFLieJm{ht*m_pm@45O>nsPYSehsG&0Qpz6n>+D?GLFGsEW#&NInQ=O@pI*uW))Q24 zm=&60;Ws&~cu`oxT=S|c!*%qBd8z=k9OD9^yYD(o+xh_N(l^(3B+E4wWVqQ9FVnwt{d^GE61#M_kqqy(|B77%*RO`ci-w zIrh<6G{?X`9<1_TZhreDq0ODk;9(=6(6gYHXa-1mX~3%6jhVrqb;kumkHt4qHq7UU zD0oMoT{=XpmL_i3_$&k$pNfv|0$43AsPbM#Mnt#0HA@NQgbt)j;io(5#m~eaXv!9g zOWMarHxjlX-*L}T$K67!Lg;LUTe0ZmfU_|DRINes%HplX9GKMys?m|lBca5FmUSwJ zPbNe1d+cc&)Dvc1fXYfl^1c1?EgCN)2CxgR?VK*QcRLRoTcP_Y?aG`;`A z-F(5?=O;|ET&J%Vx-NU`R*h7N5rhRgeh{NoG=F515@Vnp;6r%|?z7Tz>k$UiYWETt z5;lQqTI>}hXm#n<1WE8(J`Q=;nQgH;KQ>PFtYic9ACJt!ArYwc82@YhnHRbJ)io?3Fq8yzMp(kRu<`BI#X>q*-;r+CJ>o-qVq^h?bDm& zE}J!$Ko4_DBrWyg(jbjGVKT#4H&7WCg{beJ@5)Yyj71`$n{InP9T4v^6i_a? zA=3FMLwTmor^=VuqHQSl^ofBqYfi6K_Z#($xnfzG@wm78EEFlnxkzLModwsVV3TBk5n%eNhMO3sUu#5yZXYLsR)$E&!W8HsvZyBWCxK#b zBDc|50y$7KDX{BgKLoY4LbZ&ED487Izfp!4IS(>rDa7&;Cxa5c`HLGTt+f>6ndEP& zT$>$@mts(st@2xB4OEBK(ijCUw=??;;abG5fMJ4GdXZ{S*n&E@%t|2ir@L){BNlB8eennQS~%&dLgIO)qV2hQZ~Z})6HYJVGOxnPgj{_91cCRYW4D$sR$^DGLgb=vpAx~_rmwKXw`;LmyDj*RZHK%l@O~6 z%_62`vAER=msT9oR5`C6R!=Ir;ezK`!~FyGukI`H|RPqAXZnUX(5$# zUT|IFw~wzdQi`v*9F}>G^gCLqTQ08eIT^{t*ki6V`0QonL}^)dck#-6nM8$TLj~Uv z^QWm}J~us#yL@xY%3d!nI5KwJk(c-&>OuD;VbJ-4_k6g8?VD2eybWJH1Zz_8JANTd z5*vZQnK?a8Im8~q*fUtTDf)2H=n?f(M_8YpzI|IBuF@{kN;Xbzdm;Q#cBtCsio}Z> zfvuJ~ThqM@)QFLhFcXbDm)#%MKjP7_jq~CI5*<-cXQ6T1_DRIerA7BqMGEO;kNAwB ztVG?pE%C0qgZ$aMT+}TNXh?evh{8Q)*9}ZJ z;~J>#`>OREFCR02-4Ck|Z@(G9FMvu;6jW1bVYg=D_7gnn_Er*pT4~r6pf;>|!^f`c z_PS_LjmJSA!mzy9?wX@ttY1c92p1>jQYl`D_b8u}EE^dfSddn&*xnSdmT8{}w{{i;3L3(`o^sEc|@ILWsS)9`Ey`L!^{$rKM+XsqDLQ2D`^)%1|J`0Ci3gV- z0{RzhBO=ZL&z8UxPBf_NjsQM3*^z;NDv>jiLnjXj>hmujIx@b$aL&`NY7^-Q}*J%_sjrl%+8nlVfuqM5Lm9cj)Pv)5%o0w5$oCz zT+sJwNDtnM+}d0RrQ#2}yK7H?@{IiL8JsqgZN1dakb-7(Q}o^}z|AMSbN2S+o5X`A zttl9R(5((A6S=&Q`#F)zfG1$Z1&o3bqdJf6^AqAPQ4@gm^RvF@$1n&y zEj_$A-M2S^U6t3;e0>$4Qrz?&_2-R+_~eJ`v?o1M4SYzMxptYL zKTPhlJ;`3&8%vumU0JB_G)jSj+lmQ(EP5P;#f5~E7)~MmTkSr#$MGIi&bKIh$?#b4 zT$NBxK77}18v{a-hp4WHjnIT>$p{&!Dxn@)91LL%;~th^#jpY=0?3IBu7jv8Irz`wBa@$L9O^ke)ZSdC8~T` z3q(q=f_HWWeM!u}ROz5_Jd#koMu(|Qqt}mf1Qd#g$Zrp$YjXs|p}U6-oCqJOR7yoZ zF>0Bt90|M^r{5*%dA{xVv8J(^OF=T5=8*y<=(FKRYR~CsUpRh2^n%#9)LhlHix^2P z!7N9J%hhlW99v2xWrzfhnt_z^E>nt-XFbb%aSXlgc<+%mE>TM7dgyk}EEhkQx(b-m_0^HhzI0?Du_<~ajYDK4bs$SEO-I*zr zh0reX?ZXKeov$*wLOfr?iMvp`c(AD!7bgs7gWNPvjtwYuG__HB- zh|Dxk9xG3UY+r{fhR3=QzzGlU|FV|EGikt z_GSTL6AO-1d85gVqW%;Id&PaqD*T>ypX_reK-DyT0omPDRSHJH5-f3Um5KW>?hLAPojn+wzn6E~mh zcx}E{pXX(>w|0Th)ZPVYcn6IPIUyIr7?;jb?Hv4&`mi~Ak0!qZ(iAwKh2OLRdwSC3 zECK9kEPnt45w%AMJmArVNF;~42u_VIv9;h3H`JCQiIOFKQDHz63@mwc2t=48xaCab zVX`{pgcgVC`(&nY@pHU!p(G)R2x8n++=8cW@~@o&C5URBa9-hdyood)If!%OUOsby zlY@CG(WrD#N%N3X#!#E~E~4xdh&*{2+>j>-p-r#vP9LF4PIm6efxXk3k0wWoGYRA? zM|38zF3E@|db>#%egoH~#}B{#M6ebDk=|Bd8156BlZ_Zj?PeN<`YcZMIc24gBB3Fv zi2|XaeGR$x#^L%p59amtjAx$a7@6R8)RXNuu{7eSppzDwVm}g>uJe?4+#=GGmUi^G zty!u08=@wg$@0dO8&FZ7MNUGB{NkJBwCPqENl17`OBalT=zQ<^i#^f3)33uuZTeux zUT4GV$AlouIPGk$WSYX+~wYmEL2>$0~Z=hRdohk*qhhdPPI1KAAiSMFFWW^?l#*)zjlYu zuD6|=Yhi0cTjP_QH|^S`iosE5DTXsWChGSI`8asjN4qojADLOVq2VRUo)#QGpk>?adMwA-eHv_s%z;_TiNtX8MSFQ^MLY_2a zn%Bzdf5M*#-PkiVG`(f0r58MNg-bZWQyv;d_SyMaN&x-Er@Nk1u7(q@Cgx31!G*DnXK8v$ld(NYx#>i=)(r&k_E2``t<*-r0m=bt4 zet-^=J}qUpdv#;0GhRwMotvxBthZ#`lxglmEMsl1!OB8=i_+?3758LRvN~wKwH^Gt zy75s2FKYr!cTGK>T}hbi37^q$x>}RBMJc~v*{GPZG(5qVJ*(aBbxH1-x8m+h--cuK z!fw3AcXiuHq9%im8~J-p)D6BGcJ^!lb!M|A^MMQd*I8w#{V$xAK@+{RcpEi>_!84P zrme4AhBTRe^F0@rgES=y)ZvG$2(apA0C)13@vd#f+p5C~f( zO3JU@?Q?T1Jo9|Xw2z^=JG`Q=&T6TvkeV)P@BN!{pvA@G{*>NfFqjP0{@N@rsdEPX z(kRH$4(FEyZ#i@!Y$lIm2swn3g$k!64Wm9DNH!fTj8;n92x`49xm)VGNLbK`M`n#7 zA78FKQ7rXbU?M|AJUI%sTH6t1bdgif&0|W8^XaCrzn?IB9MgG^ zcYK+saunzwsxV6JXXZ4pf&)< zl7-|mzAKlT!f`GbRuwHOP`O`ibHPGKhl71{MB;O$WI~u@$NW&xZ2Yknp8TaE6XzE+ zGEPUh=9;F&r%(60QH;L%3_I3FoL}CZbEccVyO4QF3l3?$LRZXK9SRU3`NZkitK>+t z1i{;Vw+VMMtMC3H;t$<=YzB)I?#P^>z6E&$B)&LAbTarc=5V+R9^N z!z@}mB%8U;J9gjIC2$m7RJg*hco@1r*W6SqN?B&^)Vs>b)gGut@omkU!U{1dkx#p) z>buA8$Tu9jt(Cj`Yk_ZPK^4Ks0o^XJV6sO*U1IyVy zwWV+O95rT$HSmZj!YLXloQ7#mWSLSk2!-DAQs)&v@~B801k{t2J_2kr6E-UNxqCh~8Nq#i<4SUbT|o3+IIYDa z9m1^#q3~$erwqwpsKJzxaxDE{HDmjGL*H)EU@4K}p{IgE}#1fT!>w_Lohdk0> zk9wED4L{FF1yuTp5H0)CGI|GxFVv*UPe;kS3^g)aI|FWJHPcp?NMR52{7AN6vXt5R z;XUX6IM5E>Gacly2Lh^aEXoh}+jeJU?|ar0JJmY#7;%NaR)Kr?(Ap>{hQb^^h^;L4 z>uEvfI3=ZA7>+XebdW?@FLGSV*W0S{YSUGH?fLGUU;aY+(>@sF`KEFClI6nC45Uef zP=5TL2#@0cnPt$iaGgXj?e(N=4r=0eb{~BQc5ecG>rO+bYv8DLJSO==8Jzz zkg;eacOZA)ai)d(bIRSxiyGBrCrq67GBuvQspcP!)Gc3fr=5IqLjU^HCRW0`TZ_GC zb}>j0`p%Clg65f7U6iWr0Ft*^)#Q9=m00HBMVHa7qK#3bQja;I7;LXt=F?Hz_8v-(h^p<0@7-0Le*$<=hN z$uZ9H0q07N4APZ+L1TWGQ`o?FiF}x?R-)32HeZ{(>X7{Y(!Z%q6T0j0`I| z3`@F}r&-c}47}*!Z$)n1iZ4$<`PrjJ-$i`S^EP+~SnZvq`U*Lb*kM_A7S@`}h8*-|GZYbG`O_)aBX`)5mOdO*b%+yIZvfp?ho-vNVIOp}2z*(fj5;lRUu#4#mrWvZj)dc^NK@A;xDHPPMI#Qyj-P z43E3!)SooTAUk#9!9%0A&#(&f}S8?W%Sj&sB2LP#N0y{6pug$YWcY;_};*hC1{#ADM1E#(n9%kr~-NG#n{4A+gb3 z1*bZ$b2o0_dWyxT8@`jzGa~2VjT3p%4b>J8)T`K_(4c)So#htCJw7%m_qgovF$E|%C%c*YlD8ltYrYDEF8rcBnqCyHcbzou5q?7O2-cM(4D1R0v zib_)Uh+U(^tALqh1LVz!uOX*`#~9^$$T0+eRWUns)dUH8Bzk zq(AFWyxz1Z^H{NyB-yD*9pC-v=-RSUV5p&Yc}WdRP%I(nltV6pqc0P_7Z34a_N(3 zCn8B&<>R++xI-eHum-K>c%#2L#6EkQjg{V^s9zH-2&3mNGzSw(vpHG(jC$ZScCxx(x@PUq#zRCS@quE{r-h_-}l6vnP=wA z%tITGcP8(84+UbJ=Tt|M(PZTxnCT$)imtaS`yzFm~{mCpSQ) z5qjdkmjI`Sb2}U~(A4x{=djPus8NfDixLB5WDKok{D|K<9<huhkHZ=Y4pERC!2{;v4z})TqhLa zq^C3Y-j%`rIvW%R|GNQkdbm2B##{k8_QeN%QkxU<4Chn|w;)p>l)8uu`8;ZjzsPt_ zUpl5*59xJ)Fo#T*Nt5_u-{KE4eE(f~N?xdCQ$(V;-dkNWY5gckBZ}24U)q!ZrFnNSQ zxN$_bEmfew*eeTm=l?8ZZx!^mF>+Z0h~Uo{xpyRUg>r=3XmPIu;snx;zzOCjwG?O+ zstHGdv=31w4~hnr!%ZO98_d(c+0@UkK#noC1zl(U#oUO{WEGhwe7K_60&G3o$-Vz> zgAq|vT@-Yo`)##ziIM4rZ>l$pV-KnzIS2Wzrh>jA<#~{=CX*4e5L%Pib6be2=_H{k zY`*R(s~;U49uH~4RY;^N0(I#rrdbIUkf06|c3XagC2rm5?F?K^Fez}W(9iDn-${vv z6ADsIu=L_+sRu8&H7{1Fw?2}Cq+`SD*C4exaqHEFO~>OQPlzCw9VfRPpDK7HTp-D= zhje?B22~WdkuMUU%^@A_#3TtZ5m}2;b|G$NFk4PUAz|G`h|1>|i)Mze5fE@uBxTO^ zpU<)lLDx72X7i3>Jw7_8O*5_-M)dT1L;TEei^(8oOE~$2zpjFsXnYlXh+DNZFU~5| zlMG_<(%2GTp$alJDAZD%Lu}28{tDq~8$<;YSc{0Zf<9V^D`)kA^D~Dn)Z}vSJNev%^+j!h1N(P-7!g0ef zwAgZ7o=aJ#S=RMMOO7qYi@w!O_S+P8(oW(fjFVn3pY#pTSu_MtQ#amkl%j&eC0Wgo z{j@wRH*{0t(b)QXsX@>vNBKhwoS`^A^Xxc&y#1Cg}8K(kN z?Ldc#u3^_b zfG<-vr-OwGM-5!-FxhmTQiT7Ld>)XYz^SFq)u=ou;32`X?8e>dZe=^}V+S$X>gSYJ z)TQrr;-A8=U3GK*)K!;%hYn8msv@7-I}$a%OyqVvRXGZ;8FT zCa*gT+!%Vck^e_%6}WIU%$GTDn8hmd*y+VH;&zQT^Pz7UK2`a+5A(0iYF>5@Ud{^58unG>P@+NwC|B zJ3A=g%y;jCK4a(37|%b4D8!`%NG70{3-#dwm4B>q}fsx__M{a*H7doMU` zlfb>^%cgJVM(DVy(S?wJ5RvE$-WHW{3T(f(PxF7<2W1a;6_S(?Y>I+r6h8(Rte=Ax z1yQeVj&7KI>G+ho{rS~2ouKK764ezLe4Il}W<0N*OFtr3 z!4M+&)IK1o-WbPP9Gy{LV9NmcCK15T7}?)+lQKplVNS9T~a*e?&4= zwYZR*Ywg#l!iICGgxm!+?8{EDRWSoJ>BXKzH{N4Ig1tIK)8Ugnrbye|qNJCsu@fW; zT97H6kA!Swy+PR@}Rhy-T z)*S~j_WHzH2dHe=K(e=P_DG{Cm|MPE-s{h7=X)XLn)0DuKBcV6UJK%6=dkQ2B^!`P zb4a$==Ho9-`F@WdJNE4V9OVG6)ETT=mN4a#7+wj$E!iN0$TiofJ-hWuFJP+U^8KIG z2$r0qO;VT3H4z-dXuV1CC$*5pv2VNG_g}fKSg?uJ9p8Ih;w^!ug5+chbu?U1xYWwJ zd)wOb^y|j5GAcmY(1R$U(ioFTHT>%dRONd8&jYOa%~tz&C&B~RQs0s^RT%V-s-I}f zCUH`Bz9L`bg!~k6iP&I5AhJw3s(nECG=9+(Z`#8|k^sa{dCb}wf^Y+RVNh@Lub~&L z)9%~k{bWTLBK&Ag16kAY>I7N%s|UR~amf74AZJO>*M=a*WY!Pvw@W`W2rKYia}XyP zSB2Ez7Qc_q${U>gXn`S7+2DncK;mu}WLpfOz>V_8uSUaPO`~;lOpwbs)?3s(V~o&Z z0kra@F)z*{t7*s)Q^w{FNBEH8T{8$-{fr4@kqlzG!g8k(^$x1gDsSq!Yi#a(!IsD4 zFfhyC2E)WOhPxQJ=KqpofQhlme4-T7{)}KThFd+h^IrCbvl#+$l+zixVnBQyyG2vl z|1J*>D{QeOmLnooP^Ro)OzxY!amTXRUdN(5xb&cZRLH*(g+gtkMjv`Mq3bB7?m!e+wIE5& z9v_>Pr8C8sZ}!O`HCHpfw~xKOrJ^{zGftwSs4#IAzgLcK%g1{~?t=sIgBGEcW{{)* z;R!x^5^=xxH*VkjA8y~q!8s1pQ{UdUCnfIgGxWN_#);;Gd^PjH1bUYHM#P3Re6qffsPD zsN~E^^C|X4icuUCTp7bX#|`*^U)5Rc$@)b`XzY!_(+mf%;&E#UHUzY?YRO*Mt%P1GGnB$q6enTquiO$4^n2Ctw z`|IyDh27wXei<7~X$l>Wjz76-IT{@@J((V#6&)*C`C+BJ*ol16d4s~vSsynWt5BLV z{#7Wz6BBC$$Ti`n`Zl^8CW9Mnc7u*10k?Df{-cslF-nSxRfEu%7=ZVF#^e)fnlc1H z9F`cvSdQ0+24QB3J1{h9R&g;S6+T%8m0vydwJgXW5SXlq4NMLXKN@%{Izvm+qLm22 zCl(Zyeb>01Iu>~qAH!%kxnDWbK}vGy)j^p3_E`dMPDGy{Rbyns2gzy*GR-fWc1>-k zgo_0ZCB?;cMdikeZEZp|(S{TqVqVOArW?ybh;LUL3$emf_+!l3tu$w4zPOEz&a`X| zrdsj^)C1*Vrb$hGzU|yZku^gptBsOg>Jpp(J`*?ocP50X7Zn?xadVNIAR~lW_~zMr zBiSk51mnGK-3h*OqbPJp|5X#H&4ZyS1hds2&;uolCs!$AN`{FqQXxaomU0QBpOtx z>^u>f`nVa`J@@_Jp7&}&1JF&iq2*yxpz>wyNkBH_JZw0UpJL5tujC-s;~=oI*$(k- zHa|e2qRp;OXoYZXYw*h^vgoAsDcZ$@l%!*A92a@W*uBYO%{;mO1k?JX30FCLr-0DT z)Yi$tE5vN<8s_SDwd@yVe|7?|J#<*lCsUO}#MEq+EeFC0$2yo0Fa5kOBIo&}1!{bE z$l9^{^vhDga_q{d=FS?USC$(1ov0{^n~5V=?T>|3F+E zJB}&G+RR`u6oiWzt^U~m-mu?p6Y2jxDa+QoY5~F(I>6o57Wo_PI8(#Io;-l1{#N>U z(&2VJ$(STM``}7UY$^E|b^@i}e{FsHb3^YbXe=Um+EzZr*9(`)mec8}q4yW=Y=~UTBI9Z``pU z^;X@!b?H{|kB3sZ^1rO_$P{YOAH8y&Dd4RR=t@iInv{10b*JC)hj~y83XxnJFvO$g5^Hs>j6>Vuwz}JnqrYAW0D%m5+^+Z`T9{w( z;9Sj5GIxd&$<9*H-cojCH%Onw@)AdY9=!I}C*S7lafZ_!4$pZ8&B~5VC0RwEvv|v* z;%1@=-Oswx?=wc;t;&2k_I;8NbK#1DaGkrzGEKuto>5(cFfC8cN{|SZqRXzrOZz?s)Ow>8p(1t_!Y_(O0Q+;`2Pd=RS(CvzaF)!8HQc z0!nnxB89HXTH<*Qyhs%Ncp*3A=N?l(zhz*^Wzw(|7F+0206#GBwq95y{P<+ z?VPUU{zL%-Wj1N7jysHjVy^XSprk&UJfT$tu1BRL-keMT#P*imEXPt_En6jT?Q<2a zUIUbfBo4*?bu{l{L+zkr^s80jVtH4SA4EmK~)InigG&p=a7BvBJz=fnQIY)*Sbj+?6h*)BIBN) zm}Jv3b#R8*eS)&HelEAZL1<5ldL1_7 zD*)xVq*!DdLFn2kqRVVi4E{UCB{!gSS<5G6`+O%Ux0uZaWC{63mB!?@t{V>4271;8 zP$>4jT1@IJjRt!$q=Sz}P zqG|FLu-vvA|9`}__?Y|hHP)+UWpx{k588f=^#rV?#g5mRD0R)JpC{vCiiE;38}kFy zCgy@Yo!mAj4hm7uOD-(=ZKX2#2G%j)0e%25$*n# z&|Pr0BL;41aek8QF@%24S{vG!dAX~?zr91qYWL&vZ2H!mXj>~tS85FonLZu>F;pvH z)l9++ltE?vMtC0KvLudJ9ZL{lFUf|2$5dIbHIECeT=uXuYF7SH=jeBcadvd9dxy%Y zTL`NKtB+1;bi~-(IgqgtG33`;Djs1{{DJ&X@_hS?pSUMG~ElR{^?RV73Kb< zH(5|dq-jiqOEZVE_FWME-h3b(tNSUNCMl-sf+c1!jk-SQ*KOIOaXf#b1plG2-mea< zIK;5xkwleo7f+qw=3o3i&J#4CV}NSA=BGNh0SVXnu|#Qf-!p=h>4_ENBPwCG@QePh zgTzsF0g7Z>SD|VY%qsm*V$`Sid``3X&aH4r9Qc#69++DH$h1CTi zC@43l=joBTlpdEJ-M`dBTViyNP;^M`U5hdluX=s98oQy3uWvkf3fX8h+!mv#`>3Q; zU1d#(XYAU3QS?^0hhZT>-ADt+Hss^$uV}@&;Fzn|1N5lv{OIFeM~dQ=2QtF#F3_q@ z4Bvpjd0H2aAX85VdP0~5&r8Y=`h_NlN#<(?A0~B0$4hEWl=evkJmXhMcJY!91K5>N zg*KW(MMisJPf(KA)KMyBkHz!uE8G737N-|q1dV+7%kFa2&R(n7xIK$kURk21X%q!> ztOH{fhhhY@(x|@Mx$Mq8&9#qRSA;CvqH?uvahNpx68T!KdvyBdJH4ng^sMcK@M~6W zti~P>!-THTxfZ>&J5fURrR2jef_-&z19e^tF$jE>)=-OjzxUFhm=^ks;2?<$fp8rH zmHH|!wCpMgzb4vM=-_;oME6X)VoE^OuW^je5K>oYLCd)57CXz!ZThc~T0|_xTw^)Sj=QkGvc*fi$$4jp!+I)y{7|FSWcXqb%J#JvHmnAZF zX@_hmsBa*6t7}ZPjotvEkK>^e#yIxr?r4+ft!?^`Vdtl+m1312**FN6LEGe!L;FxW z#W=p0QkMmx0KPAJmB+T?U7fdCZa&grrc#=y^$xRto^|oH%((3Z*V&_spKm-!4CMc! z3WJA8A1FT0)+}*)&apP#ltG0O|7s{%&uPQlU$_6Z9PtZzl{295^~(Th>yLFiM~5@w z`wSmnZs&A(lI(tdL?)Am5 z@V?4FE*d*=jcA|sadv~M#J|Dlc2ZSuDTF`8-x(jE;Lzph_|ZRjMgNH<6-||aa!Sj! z`X#N7SMx$Y8{xej4_wM<;ABrN#qLtc%{DRHRXhXj!e+#8JDNXn-RK29-cqHt`8X-f z1>vj$KOqauXQORSn+uJsCf@d#^2DAM&=GMkH^XtfIm}45XdU0~ali?2$2(l_icxW2 zRqcz;0bQ+rRE4jCevx>SB-lUC;Kblvsfsnr*+8S&10P)TA>--z@hcc$L=ptc_){hL9Y zLnN;2)(0bP^MPU(JnfJlMS@0tV(u8wXaS_gNd01e>WMm7FV6;aJfW)LAdsC#Z~?ProXz=CtD@FwaB@x_GMj{8kGL?-%02 z>y-wyA%3HeymN{_Q)Q^-eED+YL9Ew6fBn+SN;|~buD#W1hxf(}vaM^-Y~fRPC?@N` zOvLS**ei>xQ^urOg2uOO1#iErvayv)=hD7CG_NSN|4c(4t%!)I!# zp+%q+M9~LCM4Jp#6n5flD@btfVq8BriP|MZz-z&c_XrE>vPa36Cn=^tJ@U3y;$o$$ zyu2wFJ&_An9_-^5xaj(~xd{&(V38^B;Zwp^bhgM`z4|B&#$ZGM|Ds_b_BWqEY6PM!5jt>Bk3Ow^{*WmQN=%r|i`Uekx=>+DeayXzM> z$V_D4;5_r+zgsj1Fosl}m4=;&pGeX$4*4<#cGZ9;$?s{kDPBcCG)ZQ?qVlO|u^l!N|k{d!d9 zy*MfHG}1o<5eaVt{~dgd7~=oW+u2Im&W=`(L|=FDI0aEyJ)#Nkzs;dY>fv{ej}Bb^z4^L6G)y1JO2nbWCy6~mD&54b|W{^Xp> zx+Lz)+g_wi6w+(+jX0SPJ(r&!!!-czh^v=gaGR&sj2b+l<-k_cCHT2_ zzKlf3WFWse`=5o$VZg3pvJ`1_8ZqYQ+b^PCt6XqCQ%dJI756yc%+)e|r4{%=`|HV( zcOyhTI9&ECn&ECqG@y}wkUtu|HePmZ#?LwNUX_IH`{no3cMyO%WU=tbPxUF7W1#z3hP!#B@F4=Rql5_!b2j-obbqu^7p!IVeR_*80)C-c90w zi-nB%w(*}(9H~u8z6-3Ba?2x6(7W%bQy5Q%S)YBx5nZZSPCzeVlS3I99KEYXqS6~9 zxV^LAR}m7bYx~V+1Ksjq6V<9=v2)tl`aRxtD17gic=y)ZVI3#S0fxJghjDk;&|Mj7 zH*D9AN{|8I)EyWj)+;{Vl!&O1aLZDT@N-}OdpK2<(NU#VonKYoanAW*>|Wc{q1Ix` z1#XMdmK48z{N;LXaO@pisqv|R7sXfrf;(``a1b-`2lp0xO2D`I1!!H~b8 z>*7I(NXtgV52%e=FL~RT_wcNw$3%&V+S88>$alj?_C%|DgCwO-Gt-J=Z~9WsRS(`y z+Hm-zCI)~CiOZEIjkYP$deG`FfK+thSEZn5{`9FQto5wYvNI@?3?JvA%7+?G9*$KF zqOTG)k)(Ze6E5mH`i)Ow+V#HJ{`$;3k}8UKTfCCHf!3w9HokwZZxlyx)2zfRQFZy3 zevzKc7pu$gdJ9R1eK?%ogiP?8DSGfxx(c`Pti*8sln4A0yvxnCpeOHuE3NWj%lNT& zf&UKvA2BX=0%9xxPY6YeUzj(Jim)8q0N}c8Dw)IK1-$f^wqRbugTfaELWgEd3q4`6 z2G8@RgU4A-&R;Qn>Tn>L=NK26g`>Rl0FJ-oAdw7-7khwE&l;SWKK zdXvi=mTQDE1N|>>NgW0IqZdiHO*i6CWe)8gj0L^2*b1j(7oI40pu2upAkE>;kjwHe=sJ*?ygVY}^`rtv@s-UYz3dXAMjy zPxkY&?fo6Sq_u0XY+>^ut3YqNH%yWz7Ejs&p0~C%3}J@p@JVNW_%6q3*oG)SZ{WsU zg_|@u^rd{47xCLRhHhSs0?09*OgTTS3AA;z^kC& z++5Wux19@v<&AWrGa>uJb_2+gHLFg6bY+z4axoWd-%9Au-dmUcUf}D?6GnNcoWWwm z(+t^9#F%%NVV023cx_MXY*s!0m>@PPU`XpwT>W<3J$xpJRY@Mr#F41z{+p((x>jx_ z2YTiASchN!F+TBX=;(-Oj-5iGi|=0{*~|J+P6!?ZT<~F%vgIX4#o3-vqqS|X=|4kA zjr%8DWa09JE=6v_ zibPw1aYZi?uL5iPOc56UHijaR^Eb#4!QrNgt3}C%>{B+qO9yo}lVu)EG)1k$zFhoX2je zMLQtiT*!3RKivB~t#m%}ZmV6#EF$>)2Xp)0>OiK+{7AZB=cLjgvPArHcQ}AO_>@iv z2d)?D9ExT=F??+9wMGIypwE7$f~!;NVs%L zfsP$6xM85|7#r$jGfO4Le0ys@e%g1Rq)`5D#An|Z10G+zPI5UVgM6L2FEclP6<4V` zzAxe&!)w~Kjy~Xjw$x*TKZ(zh%mKfj;Gi^nBbi?84hOPOPIXf=+Vk^}RxnXWit2kU zYi$Ke61r1HExJ+V?RC4H9{pd9W+n*xlkq!FK;)dXi=Sntsb7j8w5@hoWc&vwp2R2w zN847ugbVC?s>QlLvo?4{)iEuhaBf2_GT^5F5EcA$_u}((?%4MBtCmr+(FV~cZO7Y< zsZn#YC-vjQR>~@GbJrMNpr*x}2iwg&1`p4l1!>p|kP|HYR6#gBP~A!2zsQKHSEoJt zel_|EZ?g5qXJ6y4Tlq(4k5X7s-Rif@yU%ss)oR<6jK|PgfrEr*BIeRFW8G1hIreR2 z!uyo-S0#Rc!Z_e5taEDP-OTi#r19MH-}e@-Oih$HY^s+`w*+1@6f{G#F7za>YfaUd z_cjk()d%$XjN`hRx|CR!3coNsHw}3~?SKewWmPE*#>Z?vsXg2xLJ#|ZW}G=!8)nAG z{inT-E;rbp>Q#l?mW-3oS-k?INg^8W@q5OdJ1ywIMg9^YM;`rW*OQVIkWmqrp}u@{ zG2Z7?0XwqLNHy&Qcmi&8LaFAE!GH^7 zgeR&yjMX8V*DZQEcw6J!%-2}_my+B8nZ^iMQYt?UD-~Og?FrKtVXE|H8^# z{*;re0m()yi()r!wCMO_<})FS8&6A63lfHACF-D$VBVxaq;Gg^s$>{@JtDaAJ71Dl ze)Yjf1Ip=Mk_Q+}uL9Jmic~r-`AqAP$=jkY1PRgkf9*UqS1PJxy60|{v1GmAT50hk zxlhijDk)-59#Yx#8uNSX4dQtofxLSi=g1$9{pw zyFaghAWUSvI}6*+LDjVbS;k2YJ3e>5s01wx8X8ogU+nw&#S zFCYHmrfO+47ISJv{NwB3d;tCj@VVxcp5ut(Q1gr{zfgtiQOE1>yo&4`{iC``*m{wD z$P)B$rjk9bs!nku7fgdIEiUNWqY3{anUOyaY4ZGjX!T3Bog=O$PwLHdBI)OXJ58Uqz{G*V~P1hEe_9e%xLg3u?Nc$TW%Z!|o&^z|P_ z1$1q(H$ZICY7E}d0`MT*>XlpjZ1CKN2UJ|tY5uZkUS3YKa4JOGOgCw8S6B>GfaFqlVnZ z-Nr$|6<`oMoFlxrO}R1#URsiC7kEjd3l%onE;1A0pAM*OaE7Xz_0+uciu>O{^{{QX zgg~y?INatw>Koo7F52>&r22x9Rid%QaUdszi>nF0^FD(}dfXm_59f$rQ4IY8B3Egl zw6K8#61$JjcN891cR@bljPvl7Lz3`P8G98W_zyd5JI2Ix9mHAg%2eT$ zKGyWPpnbm-`2nxvbIrc^gHwI{UWIj+ykj3LSj<|1v!iN9PZk_c+nb}WjmJX$LxvB8 z0n+x+&wKw@lKY75r>X#^CF8s`Pwxwyo)5V8k*ECP1)2U~k zrBx`LLMh*ds7fY-&oSJzAW~WDM75^+QqSe%cDL+_-*OAGZirdtPiGIet$Hq+k>j(ekmTLU-QHy^ zDZUPM;Hr#l+N`>5d8?msmEm8F6+TU*Oh+=K?aYH7cr&WGAJ5}JPNJcgrm5A5e2=FP z#!FmG0rkc?B4X1wU3I&(`O(MR)J{Y`#Kyp zwmDYuJNCcf4xf=Pcc3qrEs775%6EsU{V4dbB)7mE_W6ifE-~11Wk%b)Gx&m`uS@ay z$k}$mX0*bBAUgNr6aCtVrJ4ay7Jr%PnkPI%wY^VP118q&obahoj!3HQXLk14kJr+@ z6%Q_$e$b;8Ed>`YD0}kC?lq*Me3<7UPM)Dh3@OD}&!KoZt9al|@0m1|Js>F$!xSXeA5zss{WV|^>bOLRwo55@6E|@E;OxN zZB_%(>_e5=FkC5IbW3LWWqbvGXLdhc=MX%>hZQb{I8GO=VUQX3Nt#|$h#Stk`+okV zZu8DNt+!=N6Uyk(VGxu=gkP~KhxW5l7lcv+jl%Uq?R!;ankQGms;X+!A?y2HxU*iF z;R2t#uF~YfPm(8>gQ*^{l{mdCP0Nw?`92!bRQUmy*Q20!s@6)k%ExWzc}R_HyGZC7 zG$%LL=3`U6@iTjI+Sle$;8-RUZ7#I4Hu8@3eXXualRh{XDIQkPZ>Ws&v)I&q6l`%l zPn?RjS)k7SXHeU{I|K8J*LsLBLk5iXuft@reyX^x1aG~&O162GtW)PZGM!5!^ffB@ zEaF3kwhoy3$cW89MiwP(UyMZ#hzPS zyOJBC^E6RCf_>(BqmNn_6I`-u*iA0aY+g8`Jf`x^e}@@~=NvqEA`bUSF-bq4)CI93 zzKZKA!dJ{4*^CN5)@`^ZZf|>v)l4dns8k3vk@MMx6e*Vg{kBxbQ2*9AFn;<^!L2jUJapLML*Dg<-`&$piC{Ae2Vucu7d za}=_kiHIXJuO)xx$$nItO2cPkV>42~O|9B~4`vc`&GF2vOkd6l-&G!zE%}lU1YJ-| zTaKQ1{+Rl9))N|s`hfjQI${=&wTC5~=H_`ywVic;3|;FUNxyeFpDKD%<>6^$#g#K7 zry#h)4Y`mL&k@NpN8SyFkXMgcXiaHn^h0z=LR{xsZp@lDIDU|IZu)N zu-FXahpUk@^`+sd)mwiGPJ2Kse{ zdoi!&c7mzHZJQTemu%G@gSeet*6j6fSNAp;NRXNrGlOWpa_XGPA|nt(3&i*#3nkT@ znpu~^LphI~x#5w_v2o%oVsjeLP_uhRuauUSqp8LE1>nT}!;*gj7T7uPC}7cGWC5zA zScG-{E<)}={_d_o_xVwHQtstahgsUSiPqQ=(-Zd>dU+t7qSMY}+~h)&s!j1r$o}RV zo$L2YFR6S*DsG}AIIWe?(^Pyq;a#@uev|Tz3HY;Hb`=S}Bodo$b@Ptb4DoA}M?W?x z&D3HB=J4bS`3FBxKRICZF}U6-Yw^s7hB@CKwjtDD|GIQSNXJJ=?e!b+`n}argkD+Y zg+tLT5uH4^((nb1aiT^P7ZK|MaBu(aK@J2sK-Vrb2t^@vO72{_4V-}^uYYz23y;5n zzwGZv{RPLsR~JRqB>$_QMWlc4-%aq2@JX*LZ@Xd#9A8ODv+*hq8+iWd}67hw;4G=6=3Q=}v99`PRlm4hw?_eN{ZN8rm?w?JL5kOYUGyttf;=6tQ~ z;(tDGjhn#T3jkq>-5)?m?RG)ML_>fNFNeUoBsqWOUp$C)A*6nf;PT%Q^q6E?Sillx zZw}esPtO1J|DL4({UqPtC%wMyzB7g;uBIEiPI~SA4`qX+XRm`50BocP3x-t(-0aqK z+)eFvG+~J$(&UlH+*_=6!upcqZ&OoI zYmYB|GYN&YC)g|1KM6c||4_H}N=t5bOAqg9c@l<2L!gF1oNbE<$RYz3Lcel+4zOkK z%D-ZmxH+!^SdKgV_ddT4evw$fc?*}Aw|F!0X201g!@lAoF*@iC@26v@l-Z;E3YRaL zDe9FNYTE9g6-9A)tlvQU2L=v)d`Q=blu-Wi`qdymO^?wrSqI4oraxLT3-taka5eZJ^Pa?w6`Ke*hP<-7d}ICO}72x)Y~u<#`C z43h#p+g-e{Hw)Bhr9vYVi)84egap%H*6Vs<<)JUE%weQ?>8ckKug>@veFqY(Py!?u zF725Y^%_}1%-ua?3^ss%Y9yIZL3p+ak(1a(te-wu`jCrOYn53@4J<#J9Qey?kW%w1 z;Ky%_c$yyrf4zj_#j(qZ1Voye-8fA9jutT&N)48H9SDQEbx5!bSovKbg6s?R8lLt* zKd6q-AacNKoxL0`Pn6 z#ihvdqwwhdIKu2sT3&EBC`EPYGw!kdU15kYM!8^H!3c*Qzc;7FZj&t@6QUtN&dWqS zg|*+;iE^HzpipS5%i%aM>twqTA;U+ za&V9D#$?;wL!mK0o71ziWhRZcjGqOGcZZ(x9Z&Uyg-OZ0brg@+lTu2PGH*9@0B{R6B!!{* zM5DozJm|}QZk`4`d*mlIkJJz-ywt$UBt|Xbh8xcV2V~%VfT97Tb+XtOi6IRHt?jAk z>Ei%1`U>d8izHgZmVq==YU^lT&3|%EQ6oVYN774OPHNFi~S6lL`U+ z0@_WY&TqIx4c2RW&JybHfi~T?fb0RVHbtkV0aE$X^b!;?2Cz+FndfySF`Xg5`~=L^ z&)=Q$!u6-xy}xYltf)~91HuR08uP11zkXrcBbSZ=wu$hvGS1!4uM_VcZpC+NgGR}K z;k|#h)dNdSYz{a*CJGg36O@%+((t3fiNGbeluWsS>q&@G{Am$yM1hdmgP||EcIIir z66bHnu7o7fiFd~X=}@9n*DslFcA*0!CGhw6w;xGW?DC-#Fs1~gGSnf022V1L^-=*v zz(}{ApEc;WyDZ12QzS=IbmI6TlNgZ5qublt1Nt5zg?Gj7$Azj2Z-AD_@Z9j6nM$i3 zxfZwC7(j)1n+wh*l*Dvi9n{DhETui+S~QuxKK5|P!iF*imT zVEY|XM3`+4O{FiIJ?2&8zY8T}47sQw@B|ox1ty$gXq;etGyY#I-w?+uaSK{S=ZTifSTrFF$;Njo!2&-a9o4+o)=>SxAmoX6*&z7 z!xs`a$&-k4B*2jI9hd=kIXCU)w-Jt}v8YGn56XX9=?cD(3pwV+z3W-A+#`-FHCB>M9CXxIK zxUQ8GRUn{N@!DP0pz;76>{74Y^o!KMnXXfE3P`!sTDFQG|=3Z=x+awCtS=*x8Gq1?SLh@;0M z4gie2U=BIf&oj)sk8-E;p$(*kC_*%GiQbx2zo@PRk|uT`d9#}z`h)P<8?Y({T!)DkT=Z9Tb?kmuw=_riF*r5|W}brw1R zX~@(RCXhB#t}mQ&qmdU^26cJJfk7Hv%A0PkNT;=X>n^VY>lCfA+JPQx*w*X7NMU5y zo7J@y==NuHH_jAmY9 z!4@`UX`BuSVMv;Uf{Xy106nVxA_lz3H3nIwu%_&q*AJ_FZ&BeT>Slv18uX6ORR|KV zKT-=ycG|GPew9lOJ2pqxI$C1{Sxg~g77lpXMY4!2_Hl`NM##7iuaGV=Sz6n^y@(fV zL@-{(5kQ@YW5LnRBU~_77*fHd1j}x|CQB?mm)GJ_?#;Gr=Cont;^N}fW`W#DU>Vq$ zs=1#Vkl)3_TkgjS~iOAWpH(4D%(gDGwq$4Hkt%qe@Tl|3+R3<#ch{L>zU2F7*eE6ZUF@koL~S9B?8 zCEnu`H5#X$&J{nz+|&T_>?z&ivfIi*t9K%Da$3R_%%fC+B&MsdD#PmI%}vmEeh>s8 zN=8-8Sa#wCTke9i0qx8UJs4O6?t6yHPsOg4M>Gv&?3R9s`=nV6L)$+wauhi37%90n;WTVAErO5_WQYSE;+K zAQg1AVqjaH?DJSr3ef4LfW#@_=We-_ZvNMYLHg0%3xMR>Yw=?o6(_3kmbTaS13smt z@82n;i-iDRQJc?ty433EhYuzNx30O(hMPUK^5&#(nad>QMr&~ zkd5Qnle7G8H5d30Q7|jJrvNr)iZ}RhNIVc7ziwjV-9*BHG6RR?150MTac%MRRec^d ze_RG){P;mY!;~s$Cb6@tCA`a5LVqo&DU}!o%_C6}ek*412!H{pJF7&WM;{~tN|?Cp z70?BK5iBviT(A@%0FUen+*_W1c6a%mGc2Jmk`POAEakt&l+L4_0PsyhwtG62v{#qw1`Ab59d0<6wJ7HC^GMA9urtEN{t&W_yIA$K?tsDVGH3#RwBBs6;*v!F<|3^R z3P4kdl?{%=IO4Sj3I#|-lkifN#00u9J|Q8Y5kPDWFR3)H=Ky_EFNM0>*swRy?>mPC z1hi3xgGD3>FV6NofLS0AoQlGmPjt3^9c&O{L7j}>^^xcY4<1lLf`0zk-Nn_;9+}MK&sG?#uGos!{}T_exS_bE3Zbm&bC|ti~fIHeRWt=UG(lS zbl1?`gP?Ru4lOl=h=fuSqBMda-JK#x4k(BUh=O!CqI7qMNO#^n-|yb%x%d7j;GA=2 zpS@SS>wVXX)q}$shKdb%1`PS{q;{YOA#@*oimpYr!-}|d2?)cuQ_twF(K%#R(lrAF zUxj2f^u;%IuLq7=I<)-IWrykpPHIxFa!DH*^W_{tj0Va`12}LWu~r??Dg@ZtEcv=u zqW~Wn3IGw8I?DLxi;Q&Uk9WYJ)DlRO=IA%=2D@7r=)HgTYbt>Zoe>_4vfVA9nq!I*VIi05lAh*N68EIr0lkISNfj zhO53s<<)}C6bpjo=&LD*}GuGH~CU7g9xw(tFfhZ zur0jR(7q&kats~~{tZ#LUgIpW{6^PD>4A-S?Yy8R<;~T32R(FZGD?{2Xz1!bidNK~ z%x$HcZHysH+LPc>sTuiSLi^9KhRA@6BMmKW_MW`IIWn&)q*kMZ=|oqfo@_YWA=6gM zKgK^AVljt*y16{vjVV^zoo`aBd_KzlG2ALX0Xc9HDf9Y(m6H>zKSx#x%xX}X=EMPW z41&vccT@ILEziK*rhz&yXQ5RM^d3xAVT;Q1WUg|ar#7hiw1b{>_HwGiih%Z+KUfzU zsU3dU#Rb*EtJt@|Yq+VV>9m*P2I@)~{Yj^@{!k$%pdCh#*v@V>hmCe^qHK9d$bq7* z($Z2Z6EY3#hWcSE+g|DcdV*sj?3dXOa+gvh2ZF880nM{$xfb+b;qE&FJ|SS5M06!) zg=*lF)`v0QH+`mrqU6kr9JDG*gU6l$nBQc37R1^}oUkc6Nf*|s3KW+gIhPzlG55-V zzhdKkp{HKv2#NMn_9S**R@cbl?fIss{1Be~ycfr1^Ol#p3ZISjp2AZZkq{Z>USFx~%7LSm09j3M~6{A9yPBH?ac=nty zf(_gVT1(ToeJbAPaKSQrRxjYrPfK2sFr6ij58`Zr)GY~aF2RV}P=41p&el~}>w6+;l?H(nw#(HNH49$d8L&>2@I?2rD8Oy~c5 zpFH$^j;w4Q2H@4M++^}l;*aa^s9lFe;kRcG+q{G@3fKTCSXAlUQO)@OK@k)MCLk7N z9@0M*G4))QBQPp36>xvJ3K0d3B^%eLvYIHGUY;*HPsp zEx5bebW1(G%w3TR*F(IB(d2RZ`vYJHDdJUJ65tu#7?N(6P?Y5kwUpO?FCI5q_R0xg zq-N>-S+nwnnsb#`g8(4c#_3FG5${M-K@YKixUTEEU~Z;DgHW_n11?@aiy$WvA@uIf z!{{(}HnQ_4++?KSy8D5JMW*(jDgWgt@xa_Ip`FTsKQlhAUj}kgzl$q&pP}IzL9ENCtI2dxC%A! zw+=B<7CBf%AIO|Z!9-cuI1z(55g5bP0uDg?q6-KUa2n7N$J4Bhk|$uG?_H9jI-lb^ zz-@(#@kSVZ;WgL%S*rxzIE`AA3w+lq@UFRtD9$l z(qP>9cs+np+88OOL{IqvDXQh=$-ku!FYW*{+X;{b#o;8|zVx7h0i@w)Lk&Dc61z%! z!{qm8lsvjA>EMt*Pf^YT^J|u{oNC{3au;4~z?`FxK~AV}!O&%7x&B zuSf}cVpL;(V(s69(NVp0@KH=kV(=OW_!QMaq{07$&g)%`7q^yz0AdgrK43$YyF-9u z>?RoaCHw5|M%eW1tho(T9SUb4qo4=|MmOemi06_MM#X0Yo5b#Q0!6R(pk6QyvO_Zf zm}8gSIoW;L+Hg*8Zjc}1&3<`)2ttsi5wGnDA#xs&q1^}FV0pfiH8wU@d+)PDq0rE) z#7Ly-%FT6TKQp`(%#b8-KzZ}VAi_fP0hWNU_!Mw)2UuhF-~YOkfH`1P!`{Pip>Ae; z9bQ!Z$zJa#6U4DY#Yq}tJ-I!2?C~d(u1j0#+4Y?Fc<2pVUjOD?SlnqQl9)j}^4$U0 zCXw%U!3@2acb8zMP)so*fmyZ{z%VY?7oLfcpF&%QhV=39dl10?ENpDhN-2vT7lTnw zppYSOTX7P^X}dY}k=@kg>dci*XmI+2gW=%cf@p{5l=#@A)*$$>2``;4w~pw3fRv}^ zH)a*4xRbPhcu47{WKafwvi0Ku{F7X-ewNH@eH)b{J%HFMW=tpYp?6^%5jt5miM>|! zU*r|euYe$^=xR2x%?&AHRFjSSgk`a2tU0(7LHYA9PJMm7;2X)i2Epk&N*Va?^-#1WDHL|I_2`DD!{?6?EB;veEYSGmV0LgT}7yCj6 z>D6gZMMchWSJD{xRp5YH>MNh`RaG>9S&Yh_+zquF{rr$U6A{q+mJgQ#zc&(@RRPHy zdkVHJ1;_gxO3w2W6I)zPRpG@M^Ab!gbmU@pH3RXz112v5r*p@<9&yFiw~{ z=6Fn4q8*DOK_Q+dA!K2$3)Q_h2q&+Syo>YsP)SLnx^GE z)f6BvBO}93<323P^Zw3TzDM_xT=Qt*e-$#wk||Bx$y1O6V!%$22Y*cP1Z3@~)0j4~ zU+66Js&j)VkbLNz@*pOj!wP!Ah13MlZ?m>lxlYq>cSkLSBCI2Jm~>n^-!K}9?fi6x z-~ir?txWMFWw|WI)!njhvE1+950yTak1bRy98OwGHVy^3>~D|SKeC_`D)26%>4SBx z2+Q`6U*<6>5JHu#$Ri(&o_40qFpV|Elegl4U6Gy@!Y7*dFVXJjiO`J9pi{SnMR z|KH~@{`IJ>>rQNys5nL9!*iQ0H29$a`6piWit@E+2WA7n;{Pu;K6g)&-*4!Ffa-tQ zbr$5=Dcn>spq{gQfj@Wc>g>Tay0*aL*iZ$k7G5hed9eUZ>9!WM&zvBJ5Oi}e7R2Xs z1ztdW=sg9rf4D#9EY2%=_b_64|D2=noWJ|~IJ&Ih3$Wz+??m^=g8^7G&;SO9Z+vJ1 z0ixosw7a`K87#-Az@na0U~oO^`JWmIvyw7MgxOv#uad{>sp%P0M88&@)g0b2^M|y3 z7#@6RMeg)p6w=I!<&lu5vo5k!P|h|(z)UoZ#_-ghr!pi;{D)bGpmaInV* zgXK`*<+au`?=|jw_?xGQDMZGiymL?l1q!TyQ? z@|%c-K&=@oHd#STgP%adYSB8iVMRv>w7V>ZksP4&%AjDe z*WbeIz*bzgsI-We9;ioY&l;ujT!UYn&eOTZU8{Kyi-I2pd}u(xN_P^z%xKSENDsLn zpn!nb=Hxt&vRni1Mk`K~^1@F9;sxQ+`hHqC>%gGFZ{H$bQvSbTn>=4ApwhhG5`BHJ zk|OZ5aiv(NmW81-34a59Vs%`fo6|K6=+mK&v)?Eo@GEe?VMBJIsmSEshNc)!>e~la zu4Xmni`^N4{P^vraPQA4{9P#_R?sGp+E`9RESFa-ll2pdZA-fRE!56S;G|YeHZ~J} z$vET7ohJg_rzXhR`tU<&Av!(q33%!aZ1>o>0mKVwrn;O(#6lV<*e2p}>Ve*yC7jf! z=_FuT@Y%@(P>F@o**@n7&sMQ2|DemFdFa^3N9kHqNp#khBakYbFvt`qk+7MAy9J9A zx;fHrmBvXekb(aEK6_pza?h~H+jT87J+K8`nz6;(SSS&J2-6q7c6!K;By1LiP-Wmz zMyj$FaZ=BY>dfBsrlJ9(=)f^V3+{wN$2$RA=y!B%myQC9ECShZPG75ehz|5Qk;)V? z+{wm!ybbih%fHegkP^T)m9D9)%k{arlG62D>WaXJ$AXo$#Mu^ym_k~@9db+ot5rc0 z>XCfy0!U-!dt(Rwjam5V>=alykrg40O-vfWD8db8Nd01vzUtd$8>kSPBeHAl zN*5>+$Z_#9%@mL)6?Cz1fW-vJeZcX^J&87~6?Il4R9>-;L6MFu69q-9LH3HI4TeX@4(5;@h6xj3UD5)9ud(1E(%D2fFiF zgG`VfTkKj=Byc~`!s(p*RREPVL?rx2+jvpD+khKhLDC_%e{7bFh~G271m}{>^}raPr3YNiz)o+$Bz0|JfS;19ed*g=&y-CkfEXSOwQq) z%d!5f726AQ3&*&R;T56Wx4#^GtxT%5TeXJs)_UY^;uG;XBbx;fEe6>X?J3S+ccV*- z)2Kmh3w~Jb;-_7c)_r$`_>b-7vlkO}8|yl8h(_FA`(d7 zMjfUq9P9wB&}oo;)?x`&1uU7?ZX8h`ua$eSitv1=*LCmr>2P)(=Dc0j+4}nOTkK9pq+;V`^B!;1>6+tfVM9}a{l_CZS z8HQ}@+sjM7;3msf`0(G0mjo{!B&~uw`(fpTDk@(dzzu4S1Pacsr@gMO&MA5IZ>sR* zWMr;r&IeZa{_4ZMiNo%xsS0^|f+V0YwOq0=y;}+i&R&o@dh1_B3Suk+Cbi|vGM_I> zy*vL!FY-zU9=|O|k%3B|2%vZ_`ZcJnj?_B+5?LQ`$&B#@N_Me>nOvk5U-(LU?@>^b z;LCRT4Y^PEg`fS7)U>;2xvVcAoAWOih>;dI<_f$I5AMF75bGqF&#r#8NUx4Op!&n} zofXs=F@UP`R(P|_*AGI3=>muYF&B>SO|78PT&$tN;HB^yl*ZzBCxdgrAEDx<*dwci zB1O3{h|;az?JZFJa>1@76fgue{P{VQV3coRzoE;x(nT!1nmGKn_cz@5E2P(uH>A1J zw4p*O)}-iPHMbb#HG+1&9`K#2`D{jT7E zT|X9x>M##G32PHKhb{t4PBn^xD-v?uPc^K<)}PbQQsGmdkwLdx0qN3Y~+M9>MOHWFsQ56kKh^E;**e`vFe%e%B<-%d&#De>S=| zbqRR{5N%_``)jL?GPS3)zo*68f_n(VJdo4{w$^-FOyb1XJV%rUpX{X{9>983GE+Cz zb9rUI(myUow(pX!)>-i+>hu~V8V{h-D`vL|!#lBH2-f=Nqo2zXSmbv)>!f?!+tuL& z?|#Xbx=hv|5G58Q%LXy5?<{ssf;z%?mSQX%xED%&BY#`}?SsW#w*WQ$d?LhFMR5Q* zK@oX;cd8gA^Lzl2u9v`vUkbYp@rufsa z3?YmRO1%EGy9_KAJj;q!sKosRIHxEzK^T!CqD}M_YQTmV`x!h-RWhoQe0RP+qARq< z>ZP*Qv$c)KpB&9;5_aSe*3+u#B6FB&$NYO29gZW8db&28{#ST0W)h1{RwBYSI%V#t z1(ivBzk|4wo7QAw(Uf+p@WGSR`-R?6Y(naKFEFi^TV_( z-CXPO;%vQFx05?fOiI2aZA-*+pG*oqk6HU1UT8~B-nYE1xo(=Nd(q-H)8L6)Dq>z) zDj_G)Z4N&w4@a28BNw4nVc)(w2kBF3M#Z-MJf0rRFQ`oKtmx@t5y)vEqfpEsHMzgP zc#S*a@B|k-dW~kfWoU%=;{1nN|2LmS`c(d>&|}llaffiAnv>J5)0j1QLP2;TpdE4` zTs-G)hn6egV<-`ZX-BL{25icJl1O?`E|UlZ z`?}BwJZV(uaC`z%}*(P4uJs z^3gh*Fo~N6Po`lr;@c>RXIlS<3y?uU7{&?HWs&VTQn}50@$q|-^>~r{Q?nWu>=fA< zply397tjJWVj}lT`Z$)2P_u5tAQUj+o^@+teVq#Sa-PFas`z9V^gxXL&*S_%Fi6;palJ%E(C)nGRbi^iK_7_et_uUUataZPY00c{39Qj;r``J-dt(YZuIK@H5 zLBl?)1y_`cjt2i&djUx!nmR$r#fppCuo$Pin>pwz(_9%)mKPEtTd4a!%tUNUIiBDp zrfwZ?qt7)3-H;tDVEiZllf^KA^W;BDXr!NifDrUJQsC5nPjm?-WqW-Pd7J`j6$x_Y z1Jfvh-n7Dge-8to-LyRa{1Nz@mUG9ur9ttF;#8Lo4`rXh4`}*$m=gzg3OX84yNJQh z@x(wiPaNSd8;UfO3!p1)GXvSH?+5iHXhBhRUb0H);?86(u6to$OObAF`zid;<@S%? z(ar>J$y8-)p;%_9f>zchL5vACTARnKPZeT@W7Ypt7HIRxO(v^?t#9$Bi2-r+$E zc5}_aN@x4yQlQL>F}f~@i39#K9F@o5{f-BlI86re@=g@CU!NLXjKb^C4m}WqvD!i1 zC<#V?`A~?6#L~%ObnsD82&}}U@i+Hi+UYg=XkdMv4=Q}QwR|>bVbhzgvA`t%j7Yyw zJ!%nC&2p*2b)q5Qon*}C=N-?}rCo7!vZaD@FquMWCw{)*E6w~Xg_{ZWv&0cGHY|=W zZ{uNo{M|+`JO&VD&)Gj{p5jKs?nKMQUk8v!gH2*_^dU*oYmpya*17kut{}vmhu=(? zRAl`+ME-|u#M@`uq5gOsS;dDP*Oi$@Y6U*pf)%%T6;AvOfm)ll{ycDu%@#7bREhx;dFEc|5mF}iDLQE5!Iu7mn zEe*PG{=O?t&F9Pjl7Bk>)v<|u})eYPV^H23>01|Ra1JsbbiYQ}Y)+_tQb6+JPpRCW+ai7Jy* zNyxELP}`;#pi`MPqKF{_#HMbz_6k()+aVWC!w$>(QwL;P$)_peUaO~>R5Y~W@^ z@g099%7h$y&FcM5skL7+SnSU{gBz_lkNha*E#v|W9lC#Y(~Enhl-|b|RJF%jk*T}} zme+3bW_7MqA*v^oLc_<`J|v-@%W2iFf1g&om?w(x%4tsfce7_KN|-tB)b_OI0DP4m z&r}8zukWg-@$pHInf>Ig_+iONWO(zmwa|85r3%pG544S8_=O*nPhz}9Yci>NQn-{T z4mrKa51^iWBW+<3>*U|qAih8Ub;#t_SY6pmQ<^K$MW1NjUl=J#S-O-col_`_Zzz}W z?iT>KlxXx@e(usQCLieEoSw0tDGUB|o+IfOi)lZV_q)RCwasb@(D~o0%(OS9t75PN zI>InjM6u4)^OG!2YCG5zX$ryp17nAjEwPP`e*2%_9!(AOXuvnf+WE%s6{MudQuiIH zzKwp^!E^eH`fF^K@CS-$B{dR@rvuF1uld_nzq}i8OynT>Cv%S^>-y-NQvX(zVk@dh+PHzu?HkYk_V{tH|G9=3!nUyI~7mLYXad(r&$e0YCh(2tE| z%OHoJ!LV~CfI9z0vD=bS)n;k_HAVxD8Ys=Z{%leO{pmCjC1R($JTyu;;p-v*ehd<8 z{G!spH2q4oz{t~eb>w%qXT#koF_kiAzrCYL%I*8rxP0|v(c*@P{qsYfm3~tQrZ1_` zL_rq<#SPPCmTf`#MF_QeN=`}q4P@%7D$x9OF9}iZcS!Qp{3o@17II$hpR4(K+>9y{CH z!+$c9D6f6ZsPwT15jXzh)DkKno9IKJzG0*|S7UOOPq0OGc%Fy%CY2-iMDm=WZe#?< zDwC5xRs#*Hp4dB2>*cYc_MZNrIzL#UdHMxplM)Y|jj>x4X@vS6yd(9VxpaD_T2>U8r7j`rXcOnkVOD_Gv7mR|(Yixflz{Si$cME0deW6M&-e=nb9lx^CjV&#$;}Vz*d$VdsQY3I%uKzPXkO9MJS8Bo?uK zdW6a$Bj`nLPt;S!jPb)P=9_#4zT=~Il?t{GK9nHM@ERj$O}(sl+!Cx~ zVKVKR*`OE4T>BK39;4A_RU9a(;;ip8r zb+6N|BfsbUV`J3J%*;z4%K&2ya2s(pl)eM7n-vbn17PqvQP@w+l7hdhtgx+^?*(2l z;PsuaT=Rk2c^+tMefn{SiD^OZ7cpqCMQIR=u9Y7RbN>!~P2o<&aG$ouedPw!KrU4X zs7LMJaX$$QCZoHPWZzXcskVJK7WEa1rn%nL;(sV_XpjS>$wC&GPP2_s z);tLoA5W#RcJP|tl|B7t^;>v*qJl=?X#*Ku^e-M~<$KaqPSeKiH)lN@Sq)^2H8>%m zR=X{;wD+x`Q(jdn3m4h!l-7~0=u@(K=Up3e9fc=H7pvkZ1A6M9)KPh{3gbqz-)^tu zIK_0MA3Oc{_F~a3tHxJ#o5JShDC3u^Qq@N2x!{BY9?&P7{a^ZIF_V!OK@WqzB=Q6> z1ATIgGb<2Uj9fehOmzATekZ`x?GU6jC9CjBDpVvky3e?qUGAyhbM5NtitqL6RVS$V z0D>yllb?>`rE!46XbtjP`{6?3sh=-n03)PrdfK#Gp-?MhZ)=pVFH4FNAkK}{SLFYLc*X)oG%$b>)z3WS_z8qNw z5NpL99LwKcag<)pUJo|uzSK$=RBSh|cCnnP^V049Q|-De=(eI>A8^YI*e#YQ!3Cu+ zHYno;ORnJf?Jm&#%f(_^PjT?I0%@v%0S1YAR!6)Z$#pHtA!LnKs2jUtjP3Pz*wU^q z$#!d2m`J&Q1`F71A;74$2XBkt-Oi82DM2A=2rk%OdTLJhzj7Ma#_MP=URIbStSUDk zr#`_nu+>7u6pF*oy?8~x7so7Onj?q5Q|HL|@h@GTT;G4?G{rZjQ>{hI_OoxcT3F#q zE;;bXbBpvZcZmz|a}!>UaZ2}fEe?&Eo`xbSUv9r~CS{cJH`e+k+`g?y9c_gOJaex8SC$-Tk}usOp78iW?mCW(xinw$FZ?#y>W<{jpt3;`#WNaL*pq{568uT)rojz3nHC^rr4@S)tM%HwSNbt`IOa`TI5CF^ zDQpMOd|mez6xm?e(w?o+RD8+;Be(vmy;Nw96QIJNsemd*O4om%{Ytxb>)+kV->q^S z*Qs9+wI6`6$osbgdajWFl{cCov9`9BPfP*-gXA2-{HR#@fSTa_oMEvo-I2#e2%F#L z4+_?^D+eORLEUb}jO1r}O*$Mz091Rt!>pbpgPnzQL{`T=IKuY+&MM6}jQM~og&Udk zj#ft#my#z|6wxt{?nQRYS%+(rAr$Lm0O65qO!W%yGDzC!SkS2*tGocF5i@?ELObPL zJ#iiNosRk;ztFQQd3NhZ`47mCHdZ1P{lcSd%jT=OU%mD@OndeE0ropKYh=TFsyAc& z*CogS@$Yy4Wkx#~jD$B55{5NKF?^DxCcq5RwfIpV&K?9gf2EC=n%JHX09^7qO&1|r z5R1ez%hID+RRTvxr=S4Lu9?Pf{M`m${KW(-Rz9dJPgFVQ0-G!>DJ|VPI{I*i<{k2A zXO;nAgj52efEAQ}U&3kw&ET4;abMnAwMFDyodP@;7HncsiiIyWyB~V3Sw$X8>WD=j8rF8Wea?O6hK;4|WhOG2gBIeLz9= z%Ji8>`NOyE`H`H|zv4)tiHO?4 z`EIYpz9Z`S925|}&-PI1V}^h}-uGTi^D6d3Sfg&(lY`C6ig$9OYQrB!ni>H)tvdcY zm(VQB^<_>@j@1^d5-?Z+$&Gu=bz<7UjfmZ}g^r+2E(>rnSDlGUejsVv;LitesiWtW zrf8~JJl~IYmiu)fOLWAD?QeXdZV3WFnosI5w0W}Po^t>zTU^Mb0MkM^sRPul%7rXP z_h+XlB457ak!F4Sq!FaNUtd;!Z_25P6PqC`N78~Quc8lO$I^3OMXv}-=mr;& z=Bm_0?8y6_iB5SqhZOiGEcIsvM2DT}GRu%p*UUB@LrUrD1ty0kSC;*pmKERt4on;ig zT<^_b7&f!ZGs_@oiVZIuAB@A87PnkEvrOL+XNdbN5$9@S{Uzb2MJX5|8~;x>WZKIa zWR#ZG7rPH_erI79gvY8hm=NcWXcW1YnKVILB2o|g`E_6G4+y+LAl}v?IXm;W|I(B$ zuZ?B`CMveu+V7}}&0#isUoy9~o}h7o`MmO%9E|e;P+on`uG!4fP-TK z-`D?;uq04z%#=}%`IIWn1;5?{;>3F2OJ>k=s%3tay>!qMcycklQe9ju`=_cG%Y0EC zOiUv^4+VqT*%dDBhA@;{c;sww>f`Tn4(_$dY_wxB6ROcnPz17peX1IlP$(j9iqwXaJRTk8V3Y6Kl$ z#s%~m6sgQ)T+JB~S|2qsFP6SW-l1~fsEf?s^z^vP#Q*54x~nU@7jB)75P^!>v3Bl# zs>dRBO82Kp_Ku$>h~NFkzFZ&z|9QTH$eHmFB^&tZ=s5VNx~JeVoap>l526LJU$^dj z*!$axr*Oo3A^z%zG-Zpn!QgJ|_=u2y2Y}Lr4Mb>rNIy@y`o$n?v4mK+J=9@gz zoTzeQIhWNgGYH_H@~i^hrv2el!b|RSsY%T9L#oJw57|u~B!8~!Vv3O!_uQ?UaTxEv z#wv)2rzv{o9^M+*lnzh=SaiE_>dWRXq@DH;c_JWuG*?^P~~_Xi`I%~cJcRrew`)Y%NUW4D03OMItbab9; z$U6`5_+pzYKeZfA;_fi3=It#xSML`WODAmkbb;-|El0z4E=R%is>VsXlmd95^uSFr zd-f>o-;=on7BQP1*}iuup%t_HZ!+51rv<@M;0fN%0T7n3&;6s0pXNd7;$2LN_v052 zi*zT-?HFE|s__)4Ix9mN77;8o0o&97Da9G_W6vXgT&1l_HA?6 z&B#rdZgfx~CK5%dQ>c#1bvNZ_{UtQ8wCUcpMBydTtsxfzD;_{s%WJEvT%ErM2loR& z-AK;X*4ApKwYAkm;PH1(w;7OiS?2&sppX;zV{TtxpS17m*Rwl7_ZR;`BZb0I$O*8} zcVryLzQUK+(1b20aDiDFS=oYEQ>}fZ)}KFrUIW>g6c<1Li`bf)*Qu_D2M4t~3kw4s zeSKQ7nc&+e6crUcucr*6M{`cJ1Kng(Iq6%Z)vc6ImgcwuL2Yt%nH{KFA&+sMD#k49`}QIXwB^)VoY)dFQj4ETuy7dK)FEE6FhnvHbD*{r?u{>03~ z!{ei>9~u#{PD)BDzwqy0Lt9Tzv68p9_e*#8!xqr1zzzV>CQ~yrSC@dwDR6srKJ2!? z)FC=&mL6D4(G8EnjuO|vzFr)Tsr075y1Ht09Q_wK#SxkyPQ2Om@kXwFZ^5VZ)$1^o?rpUN6`w( z=Odr~<5_+}VkjyqcIU|6w}UT9)Vt29AS`Wd#qa$gJcj}zYtY`_9)97G=7TOygF;jS z@cK|i>CI#Az^@P}hM|$QYLiU@27g-PDWv)7P)s9cplPz;fTn{|<>kie2`|KX)0b1Y zLM?rZm8sXnCYfXwrKzJ{^lI)cXP7W7H4gcf90JcoOwV8M$Q8VqxDV2MX^{L|&5VRv zHG%DvQdG3AZD+Us6)aiM+}s@4;2Rt8&fmX&X~t$26f9$c_tylppd_F;J!}cu8si~<6IRV0d zMk234p%zGL@|Ds)%~8q++*APWxlo)0V0v$19jIF=c1?b6XYU(9*$)NK(7bc8TfeRH z;_x_P{I`)2-izsK6EuB`haUTc45b}wa^t#^F?yzXC@74e@xoMu*gch4MI`TU{v zn|Z&}S>sv{UbN^Ipjl{v>qLbE<(XrgRUUZbXV<6mLeEFwhF^`zK?*2-sQLCz*v<82 z<}Z-X(a2vPQ3Az{C6)@n#e}Td@sMvk{*Dm~G+lkqcsF!^on$Dc1{ zjr8(Ydm-c!eiuiIr#rK*8v|@0Uj!2vf3@XFu_tz5v1=g7#2O$@iY;fe(GZfU0giBy zL6HR_YEs*DZOXqWW9&fZQ5?twi3L$$5u~ERszb_&F)$25G0hD9RkF^Oi1Bzbr{BS< z(^0ZhNR~DRa%CY4+dkSPx?TQ$rbjTl>L-^wDe*2(@RFK^#rfp-`k@~U3rlW=vyhOG z?L4T1a!&T_fV z=fJ3$oHKx_1?63(Zpzv(Uc9IQA6CJ~$Cn4vmhByYF7W)D29k#-=Roa?3GR?r=!x>R z@mSl|STNz^|NPi;U;m^&uFtg66p4nXbmgx_YhV3~CY8S;>xiamJKJ9t@;!NBoqAYu z3$ji@`vKOYjX}%=*^~5)U;Pdf^S-+c8acRgEkGhv{^s0`0}j-fQ4Yg}84QO9mACsO zWda)Fts zV9E4I`s*FrL!Ptn(&Bj;`lhS?w72?_R|%Sjn2AgzM6B?>Mm;28`||hzX~=vnHg;1L z&_*ok>FL2@Z0B#z*K^&#zp)QjdPMHsxw91<8jAJ9d4GRD%R0P&oq>sps&a%2E(gw= zzYTE6Jtw~dWczZ})zxX~!I^n64>zHppeW52v<#k<2!E=grl#AMecvm)+`7xHNes-} zywMDlPw6X%zYN1Z{-gf_A;=LvM^qKtg^<7J3zbo3`-f1sK43t zP;kIEp6#8#*%&X&mAWUUxZh5xYq2qa;^r&{z#*+j`0h|(YGZ%@OmO?-+S@BAHUX`3 zJGf`x`|2FRd)3X}`T+j5!P0KG}|MBpsK1Sgu2bqKXhZ|-BA988v1Wq0t1mI4Z zmNbVGubo<2ir;>H7yN|CPH!Lv8%Jw z=z+Sr_Z{$Shxr$gLqTU}-v8}oO+aUNCP}Q$?z3*aiUJr;wv=USXt`W&*(>mucL(W4 zB_^OU#nayfUdc1y?+v7-r7wPOY-~v1K)GnC-}6DqmGf$;sI|xzV$!PEH|At#pFa-{ zUQ`AQ{SFWa#JS|*hMZFqanS>L9JAk%-r+R>=d6Km;!X$(K^dfQYqtXN!bXh>VCC<( z5(=dE!%fcoNPHBbe)0e$>WQ~Yf0%a;fM4(Z4w~Om8D6f7VKndS<8WEDUMQ$KhsnTl zn6b4fg7|sJHo^Glr56w)#?^6b2oaV`T*+FyOM2If9PGCDaOSCeY^3D>;Q~N6APa(! zMyX7j1{e(YkE`gF+El2Mk7zhXHEuH(g!ZPjy-mREZDtm3OYw;^#sN+sHY6R(Y(D&< znEGNhe?TIl1`?o1PDwc|1UBvV+1c66$zLc~BTQgy7Fn2>{FZ^0UAucZN3G5$o(Sftj$;4E1dxhLt!_ikLSo?wQCv`ejNUY2Ls|nvC8~+xdp! zUXBO_PWxiqr7_(<}28=U6<@ z{RKiy$wX&T`8jjfp-B0AXdr$AjDrCq7I!a$ijM`uW!(_@VNd=S!Bs#jcffrvorH;@ zA8&qBZd5Z)`;Dz1a!pr#`t+&j=HhP|m0iwjZfvtC@G}c2ug`gd-UtzXa`O^kOMdnT zuYMQs)^{s_bqJSYl6-w&V{K&ke7tm4g-0h#eX0sXFF!Y@t9E(UtAWz>1}tszKhrmF zu2ggTCFH;x`cYk7Jq|75VPmsIzIjtWDUsXnReaaM*9n0Lo~#1fxfNLNo|Atg#Rg2= zI$7z~r+3}_!?tuplA7C$jQ38t10EfCIVh9jM@P>2&(`CGQU$3~z$~$!#Qe|L4|Ph6 zw6nsl;E#2@{OJZ%r6K39`7Cpv+tAe*Y6DF0^+p$$fmUCB3#9fmOM zFGpd&@)9>JeR0dN?zu0EqDKU?c7Y+q-Q}iV7$`Bw$$}Vl17ADqjK54{&i^KO{p7p7 zBqErt^6K`jRsMa5(akWJF9ZIQra~}#ms5$87JBM1dpP893eImV+U5}dZX{8d5`IP) zRe$on2~$#@vb0PS{TK>q=)34&)mG#E_ahDk+#yWGoR44CW}!yc>+|GKEXiMnjy9xF zzsDKkzWfirz=HO8SQW`{d_Pb{g9`-WVW|ajHEotxj}j0XO%SfC_bBb-2DWn((f{|I zL%>X+m4)A^KV`trXAtuO@@8W~?b4^#P+sri{yW#dHO zjv8E$16qBZiAO99OChwaG z!6jX4!DVTmw9Ac?nDcJSx&qBOS~(JAg8xld6@Wl0UDj9p5BP`;jsNMa*Z$REe`Za; z+$FzBl~eZip>xwUb%NXl{N`+#)DYNN>#q2)CZ@jSnlaEA!3rFJ>eV#UJ}K{i%(6ZU zF#?Uvdy8#~Or5))|9V?FqLx8ug#ZQ1{q@{{dkvOK0WylNcaG0&$Y;D5G=`_;7S z-b2Mj{LpM=auJ|)8AvQ5%gftyYqC*yHOyDWANlgAA1@j-B422{+!1MA0o^ea-`;tc zoG#_~Ada$Q%G_%<%%t*p#`RMWJ#*{kFdqG&A;SDkgn<^bN!8mq!9-o}&*t zt8c(Y+3yqS2Lqp(gZtOpZf{QIvm{+xX|J-DiEc6vH$3wc88_&6W~F_OKE0m4J@_Sn zUeO!iCE*}3KiQpkp8ISdD7l=XD<_oOpPpo_l4up^UhPj(8snJX(l6vV#{cGg^&PEr z>TMS%2|+3_pX}V+omZJSQpCOZLDz$7 zEL@Z@u;B}YwgnoF^sj)t*M8y~N@^acmCy-+^~Nx~=uv1aXatnIy~vetb$(a?T6Tov zpK?@Qetfh9o>yXgd4ZWx+5-=)uJBSjc`(cfM8Op`G-X*cF$}^sk>nDfu1k6`8PlDM zoUH%`#Fnypgdiru+`LNH=7ilt7Cl$1TL-t0=7=$Z>?C)4ju1~-&U6L|WkYAap(E%Sc6 zBC1VFhju*MYtCWK?5rM-KTS}Lqo-pg8eHIlzqYWSpGesJfnoZKS0ed3SDW?=qE%1a9 ziTvO}yk64ep4gNJe^i?Fnon1;#c}__Nm0ma$Lz3%1AaD^n}fNg<-#cG(i|!w1-@LM zRWMGKi1e#%`!&ftl86!*}3 zhAe0Wy=mZZdk8q)=U{h$DzKRI!fy34iFM>K>qpDqi3|aXEfVLCp89!4UoLvXudu`1 ziJ#2NUSVSs&w+HRz_3_<;)h)VK7&cQmC6vC=$~^br9??9YwO>PjVfL^*qx{I0nRr) zuYrWBJx?(tS+1zuZ>MJcy|t8msDTX9SWqIw8nAfnrz(ocDeHOYSB}IbgCje|!f+3n z-GF@F!zo%MItwi;~+{Iarwvm*wEJxmg0?YX^_k@|FN3g=)U3wle%6NYxwZGY~%z%%;SvmwDRny zkDhhF6si~|&2AHHI+ZpS>3wu$6$plT>5koDN2CQHH_epjZ@(~L6g&z;1V4OxHkOTg zaAdW2SE|hy&TJpqcsypxjg#wKcTSxXE)n;fXQX@acRv{95SLoI*d%ZR!to#}2+)*@ zw=ROW%H6dLT$T7aHXt#JqGV;_!=>6P&%$$FGksN6)`iBsE`592QC2f&>f9j4`!(iC z2xu6_uuITnOG`1oa_GEfHgMT`IP_)F(B$B$7b_|DIx1+Yhp*JRPidwO;nKdUmHQ3oKkX zm?Rj|b9j^r+G@pJ(gTxTC?8{z25gQE`6oMB>f0Z!OCiWPIpWHxl3jvTuJ5ZgG+HJ& z@=Eqx!)zE|-Dd|ZATO-WNI5bwu59I(Z{;x|TDUGuOh*uZSEjD;2swGdH`Coit?N)p zg24SDN@%kqB(QvN72}Pyyj?Q9jUoN4|G9`+ktsaqS;C^}*gS?PbT4AQ=A1f#X-*AF z%d$}WHMy-8{unABmvWMeS`YT@?az z3q;HK>;@o%dkr!dA&_fa^SejypZ)RFSGI7akAz;q1Lb(e9^=j@ii#28>#$Fe;C9V zPRb;49&2KPw+l7vIU>%tk6)!Rr-K-reiu6a%X5g;_7i!W7jr+s1IDjr9TX*Y*`8@a zshcQ^KbVIsz>n$a>PCp9Q!bXm-X`beRikK8k3yM=)R2Nr!8md%QjFvMqT7$d~!}$-iIZN4$XTp8RA2}R3H_QiITxq_<=bP zxX;F9KC6qD!}{xZOj@gsP8CRwd-l7Jag%&u>zC5liu*)-YnU4t3l!t!T13Bb7al-< zZP%V}f46yN2XVwm{V_g|weYGi3FngkuM}~bv3Fm;zG7029BeU2_X{2_^!W=KlDa%G z^eKj57|mP6chG={wm;CFI~x)H-cHdKC3c}X#o>e_I79zO_X3|l2bI(>ad`CP12-H8 zDrqkZ`x6{J@x672z~a2*bcq8}&yB6%1bKt0p^KqL2{D^)(k`axz_u>(GATU_=99%e<}k`C}Bs^14@gL3^_j-AU-M=Q)G?TCkU7fDO5f7n8a#BiWq7{ ztNk_)ui*E9{*WpN)nCqdq=F+fL6PVBfWx(viaN?^+k=Gec@RdS1>Rlg03jrWc2g`r zNN$k+)QJ>(eoW*j(o*@|Yckl6$J(>~UtDUlJqZa2vcn)w6}SV|h_V)rQpy+4p1tNX z*=V@^;{&@YYw^_tGqT;Uv9bTI-d_sM!4tNUed7bCtzC`n6({1?-uLv;89oomQHiiC z&g;(i9eak}2I!qIgTHsTeAx4n%5emTNp7i8gYLN^KEWDhYNhjm!-sj>2D~Hc0or-O z1ue+ym-ZCI0c%KP;MGd)5JTx6+&{C1@W_f&KrQ27c!L_&SCfa^3Sx{2UTzA_2i)<* zkk7`7iq2Raa1~u2Z0rVhn349i&Job_jCK0wGE)+iNkfK4xSsSoRNp=)*jk5cOB6_+ zh*}OSqFpsQTV%&*d|UXm-HYgAl)DWA~lK%N`p$5 zbPt1ci6S92sDw&4NDir_poDY?C@n2@AN>0LU48HS?|aw1tXV7;GxMBt_St90XU92~ z7!j2LC&zd>Uk3+U4$DWILFL0_=OZ%Up}8Nqnqb!O$WNCu3?}0>_DQK85^QlZtR;*b zOB^_pzyolUoO~%yI8+hx-R{l=@(ipH`!Z=(*L;Q_icZBK5Oo=eT{3>{5YjURFcg0E zvNo8?h-pIdLMNhft#0+b=F>8l)L@G&9;3c+^%vPdI86nu#utMB)cYVOS>#xm4BSqa z^ma-MFKWBuGTu79FT;vqn0DF2NMV;RQCOt;mMGI$BR|7bS;P=2$2Dz~FsWmL_W0s3 z7a)v?IAGg;nuSF2>Cz0o!V`j<K4Icf8h75G$VF+wL)Nox+4FkYEUy}J{NFz?2)~X-nhny zQR6%4vt0Gxl;$6U!*}zYYp><1i6_^9Jtf3=Oh==FzG_Jue1DdGZIu4Zq0G7W-FvYF zw%r)qvtaN&(REZ7_icZ*+w6`};#2>f&-&WB;Yz_Bt_Ai69S`%W#vewdwA+>Ovuk#c zvnz~mznb2w^*F97#!EeYCS*Ff?PezZd62B|S@ykAK3ta>zoAK7hZK*u-aAu|sRtUS zh0pE>jBcg|^PulUN_eh~hYsUW$UU|v7R>4*pA#JG%5euhR`G1FPmK9=t zEe&$8bVL*DZ3AJdWZZ1UCr6#oyJnXeZHTff34hADLw$7gtPruHmwqfFK?Svm>K}Pv z3N5l6E;P=uYOyQI{&_f<_9T@5kkgCNKDph5#J+lg2=o@g6%n|IIgcu0fH9Khh@kFG!%I~sq5Kg*+0H#(Eg=Z02?^dHJaip2YO;=FJJY)#E zd)uHGfedM@OIXtleGXIg@Y>x;dk|*)bDgQ|Cd$Zj!kt)5n4gz`lmQKPue1Q0FXWW4 z%3dFSbE}J?SZu9NYL0YJDt02n#t5`h7jwqMQrkd4cTg!td(?WvHCA-rsrTh@5P=KU zuDYZ+o@FYa@#sgF1_ncLA+`9K;2mnPPm`q6XMTpX&G&qn$$eJcSbAzTQfKnvb<&I^ zviT7~p~qOP693(Dq=m&u2Z7qB{*8ql0HqvK9Xs1x>s^^G(7tsHczzm1iG zX00h`VK*z^7VF`6us`HrzKaun`e0W@C_N;FvWF588eW{mXm?2O8sfiF{@Ej~m|?Lt z&2YGVMpW=oOe2)6yK41)*sJPZGUX^C7JWz3|;^B2?&f zPQ;{sMWF6@&ED_uxQbyYE+$FT%1FNiLDyKuLP&lT)FE5Z%tyl5kXacYABy^N8~bt` zHn5c@vv{x)rQ6S$lj05OikEa!7k$=k825|FdtcJHrW42xW6?GK{W2)kQ-m2Dz}|M zEM1#&O^#PoSN27Y@TZy!`31{^eNekI71_a1WHSg(*+%!V%6cUC_JYQ_8ehycrW`Os z7QCa(rfDnYI9bGUVeGClOGixZ;0}$G4-*pP8v21lxGsR zz2_x-C2CJqL=B=6N0K7FSLZaP(1OOq2Jh(*=;dCzDe3~N1sP}in7aQX=VJ}ndl~k8OHL)EIgDSBHpxT|hW7t>j0h;q}e(df@5( z^ybIh9%2irJiACU_p~<<1NsV)Rjo*On5vHqwO%#KU_*gl@X2IAb_ePu*81Z%)u%x0 zOrYb;x@F+pd;|>=g*6+nYF1-|9gtEhZ5kFV<*Y7`DQ&Bdf3KMHl^}^S%_@ z$k%TBz`;C0l|zGu!K+i950y*InxRI1n{B-6=*!LT<*^*s=90}ta%m9Y36^MgZty#Z zF6n#xvMuUqlBWku_1duWcAA9*hN6tJeIhS zMQnrr8q#Y#xa1vz?`V!FGJ5H%7D*5ebINhUz+NLR%R@$aCg7c6&SecbszJ6nQ`V?k zT|?&U4fRVWN1`LAV*!@k+p8jgyzxqVLQz)ve}=X`U*U2BvUzzyRv3f!=W6np;&RpIb~ZexA!4fzf^N~frLCWnnf7YEiCLCX_S8qGvt+D?Hk8F|n!Yzi%*8&Z z6?wJpe6!H2BM^qKn5+Nt%kiy^)zD0(cqNJudgaZTCm~B8_wM*rT0c8rbZsA6H7xe+ z6Uw_?p;qfD(*?pL(_4Ltr;3;t_M@c>WJj!?b#GQXbick`;h$CBIQJEgq$DTxBUKDFI=xz45I~@oa9SwSA`V zTFrt1InxY+0zuc^Gkw-({JDgKZ7Xa&f5cEnAzp(@do5|1?Y}}P?gSwtdsBRL5$F2Ap6k!+XkruA zJbRvt=a;%%nouN@2?Cv)JmN=h4uywT6H1K;ryUHlc>9mX*Z7b(mIb@vGSTd2VP@@g z!uAn8bp}*cvS^XrDZ%t_Ji9P6E>ZG~;0!`fT9y+b9jeQ^1aG&cFq|)CsJA>{ z4zf7?1g4TbC_L>Ga^!cs{=#roUS>~Xa_x}mb5lzXTU&4p+a;$fmS3uHi&3}d zMi(>MS)aXmp`5O^B#$L*m@H?Tklnl7_M@tKxI~=kvx5aLD=eBR9N+1}rNuXc<#b=# z%GJ{kziXgg+0d7DC}&ZFfl$fGfD4uR2XtkV84*eCjc9LC`so49i@{ux2Wbi)rRfCd z%J7MW?bew0H(pX~d>7EW{%%v=dV-UHY+0gRcD=7H%2M58)Hib`4li(e=$%t*Y!P)! zou1D^`i6iN{e#|&AWypPHs+^y(isd6KQooD4-6goZH(@LvMuTUNK|l%%N9X*#)%G! zE%HR=aC$l`m_cNt?Xf(}oC^u|9(|Swl)5}OjB1=r}~{CZk;uE={*4o)y@FL zrB=?zA7Ph2`zL1*o;dYRTPJqjTY<uhQt;TyB9@2naj`fSz@ zg?v1|1!o4Fd<+kV)Q3%<@QQCb52_cRR+(xqsUFBWH4PkOCZirVo}6@fNl4WyPT|wj zzk})ilzEVcwH{v35ZuQcPl@4zlvb~i#Sblhy3^PgHoIi19wXA=&>`85&iwh4TkuW; z!{989DePUn{j)by7>yz=)o(Y3XG{3lnveH}M6v?5<>ud~64tzMH9svnM7{R$_N$u7 zy@#1~>+@^-k>7f_4tDBwo-J#b7Nse@LV@#Mq-_^nr4jJ@k*r$vpS}QAj$1?8oeo<{ zQm2#O_p)^NP98KoRk^-jhYOGVSylXzwd$4#hu&Iqe-3UjJ1jew79&$tTIT^3~2TR zMiM4o$llbQ!HvV1I*piJA;^13PJ^JO-7zOg&M-BZEv9|Ckgw(kyP3CMECr=VxxCP* z%vm%8<45g-AM3nbX(rp|?kK-MDqWdm75weDg_;>iA^8~t}w&prCZq%&8K z*guI3+02V3ER6ztvqH!^4>}JW)lDS|d}crC;6!L+N2|4!TbcMtdcJ0FBP050wJ~GU zTi^uN#BxPK-SR#KZ&BDQuFa)bJ?ifVwmCMwHshZPjM*z}i!~n3POrN#@jF^ZV=UH| z*JmQTz&_cjlGw@M3YU0+hC{G*C$4ERboQrR7e|hYK%Mkghw^RtaFLddtYP%p(qMsN z#`j(BN$)xTqmzzx2C*0H4HGpjM^m-SpnX;DZC4&xrxyy3j23$|0MjSr;d*?X4eoiv zqruM#i_@;MXmV9St-P>ML;2O5Xx53X(7HP8iGrSst5j}(jrG>meBz$N*_RcanT^1t ze;`{1mo4Ds3&Lah)y4gNL0p!ylTh`AjV}u>=`tB|RtN@}&J( z9f_ZBWbt{ zzhTVk<&x}pPaW~fs5<#!Rx3Mb){;WEWaMFRaS`hUC-kZ)7Q?XeV>2Fk0ob*w*N;_eQxw#h>8`cV}>+)Gc@mrP(4M zyL0QrWi5!$M__Owk-IBn!A$P!tvS!epbEve)(Re3$+)%sj9K0=8V+bro$=jvIjUY( zmm7QiZu6>ehW`lq`a;1*S)aSwrbQbMvUDdd@O#vmX`CjHA`dzIfI#HmU0@gi)BpNk zHU#^oZq(LnS#h0YzvrdTyH*g1-Ry;H`c(=HBTw0tfe)2|=Q(s7GxQ)>NF+&y>_W*)Q75(hmA}^>bJi+n=X-c_-pM3Y+yZSEq)y>4<`h!qI%B`ijky-~)3z_ovWAWwWVltllzQ-w^Q zFRxjX;J87`W%DuN3p^*VO>bf>6)r=MsG)Ru+K#y|Dp@e@_-4tkCV(vC`%v>d?<8th zZCtM)Q3P$m@Z-sAc(ww<#8bhyN3+lMITZ%8xFniKKbb6ww+ss0gqAJ0IC6uU1(Gzq zB^EuOoe+JsY4EafFW>feIg4#M7fdZb>@!NeGs{9`9w^C*%w}^WONmb=q~EuGCJH_7 zcKA|C1-edlKQ1yX%vXG%>3i?TZL)k!G1bBzcw&yD<{!EPaBzjfRMk+Qq|cz^GxWHd z_}-%|x`nFboUiv^aU|s6FJbS&w$mQ;5pr?`#$tN2Ix{-UZGRJ^GXQok4}Y=@lq{uF zdQ<@dL#|8#zO(mL84p~!m1jb#7tYde&QfIPC?99>D#zo;8TTiBa%B=LEtUdtbiqpH zsI#!;S>&>x`s@=_U-$$qdkYuEETtao-r+`GO06#B`-L2zgWge6Is=>Nh9=f(w^_L%5eUe|^F_vp8D%UB+PaO!BBzJhsz*wl?F}G{6`G1j1-bjkvQh zg72>(pR3G85{1W[(x6a8Kj(S={1$nwWsT3GSX5e>C`kg1B{EQ?t7`4_{+2Uo3u zy4P$;zs<9gMi3(?Nd6d06y?y*`7agAe|_T7E^$|K*|KyGLu`sa9dTqgZ{hM;!q7hi z!Dc1mC-u-J*-Mtz_}GNJ*ZDfX=++!5o#$`ZBFvG#+0~hs$#pFJ;AnCw`uE7cFm&l) zK(&75>&@L8=!fksh3|e7@D~|7y}%S9w&ZIlFZ3(^Kfgq!p@hM;RBHae|Hk7G*ayhS zFTVBAPK`vO=9;nnAy|FXjsw1ove`WVOolIdq=IVHi;$acK& zz8CTz?{h_=VIg71iP#N5L+{^BAtCmon0^SH;%!i%rvNQ{(7_+RQ(c%}z3m2;QCMfv z(hrMsJvsZLL(+fw;x?q8RY_r(33<_ai3QKukvD%;12Bddkxe`K%KK>6LiXEF-qp~` zs1_`FlQhKuy#z{qICda_z}bpvc#K(z77!ossw1ZfDyMvm-B8lT;PAM$|4H_u3=-sS zD$eZ#5XE-bWNfv8V@sCL1Kbzzh8aR7ispUZ2!xJHfQ#=+^{e2Qjlbdwx^4am7>Cg{=2ifM@I}ovoNlYp5z+moF z0#M1{3(9zOd+2b+2!r9I2iVcFE1QlKZQetAn@F_PaUJD1TEu5aof9ZCsL7~0wa(be z`Y-MQv)dVVKjA5v05L!v`7{Sm7Hp(1&#Z8ZN=X?IfFzVeOd^;O7r7wzTbe#OSSiRf zH`)$xt0bP)>7-Fr@fMKs7%gJey$mLvkpYQNYrN^zbL+PTRnKvOs>=(DRGxu6$@!1? zps8kSIxhgML7NoCifu-8;T8@EggB(UqT>j_BG9YA#j+_d@@x|1QMe_8v4En5AfNDs zzdTdfBt{1S3eXK|fcHtGS)A@$Y&E>e0tf~+YMD46)1L7a>hIkqC1L@DdwtGVrx^mm zo8E%x8Ma|{(8*E?YMLQ}`*0g*M83?T73^gR=%Ydi4qwwHI2FzfHlYbMUoAEvV=^Uu zZ^4rT|3-;GNU|Gn%n;GURpr@mKF&HDYC7RB#?m4dCidY)3juOp&0~UK_#rUnw(D2> z%QjwIP+#8ltH#F{YT@3z3^3v4;Z0v&zA$4|egP@GM10W8>q_`E!5G@~u5vw8KWlzw zNL&>*aOI2-B>v(9Tyj%N+(<`!;qKkq5xjHlyLHYwUxkp#$vwik z1GoE&;e))x?ssN)5a=LfI6TxtBq7Qq>AHEhk!BRj+5Yd|{flkwmC#>}*n$2p3wQ4Y z^Y9tYPE z5dZ3e-=gucHgWM4!H~8p zz-RQk=8UtzN_Ee};uYiO9h-2aYA}a%qgWJN_&J+@GA=>&;R@AqTeFMtl!&xk56@?i zgf3A`+XKdk*#ufctR2Cbl*JSNYX=?z5Q(Ul#b%8W@s%&dTVgI*A_zAG(R8;*iibl& ziS7}ek=8@wFVeDHLD#bx;J=Bu&?hrm6m~^z@_Z4k-6^V-6w(ws1@f)&*%=w(|9hZw zK?0ESlAeuZOA*2*KS1%-mPr&~h9?hCyae!mnP2w*CRapGAC!L%BwSGKU$Rs>O^Ma8 zc1Hp5h4{hE#L+Pl@v_<$Sld(wS%MA^*30#t|b3 zoY~N2K)--;kPBrK8z5FKcI8~|uYD-{Yaf28&?~>*SpA=QLn)SL8jlih8iw`*YVr2_ zZ>^QbFZVV=oMV=!HY;zQ?|QXR@hor z#M_?}>lnu0&|&IZ4`g^+I{J3DP%I;EqC}D8I{)YxM9xvxCD+Bf6M5V3!Fi|`Zvn|i z7jrNb7}w(QC!0z?Q4#^7?7csojt0Q>9NypD)x~<5%~d_yU7NsgQlQx#7(X9EHbkxJ z%u{Rp-I#1CzAWc-Ecwwkfw?=^k_Pq}lx{Ur+{uo}HWl@KrHb-0wo@aDRLaNPZ{3jq z4Hr5?gFa9M7R&!ZNu^kB@DlWQfMe+-Y)|_JsvFu*-joi3;WIb4LH9rSNM`II!E*U} zCNS%&369Yyw3Gyr&1JR9PVw5{ZM}At>n$k&OI*iT<>ojgaD3zuo>{^;K?I0`Iz?8W zzM`YiEXIUQtw@;!P>1v{U)I%j^j&u>d8hyuKRH4ut}U++vO zR2Y3Dv*2?&J*?|!i^nzz38AmcItbu)*O9yKB=v z;-&wmFq$`j`q@pkGDWSAZk!8M1j~M){mg(o`O4ACE?87V0_5W<&DGze1Vc~Ksko1L zIJ@c&A3#1IV6Y)uy9K-fk_n~>05LP0dxLm5;mkpAWB}kSjrQ3!8R_{61-76>kvbAA zQF|XGPgV<**Yf)=AfW|Y+QTuZCNMQD)U!@vJ?L^cW>y0rC3*9paSe*L2zJ_Igtzb9 z*l>2%Cgrfqqh;(bD`ikp_YE)!^Ho)L&(6e7yEEd{<{Gd&V$UE=@>W~&r-yC^*ZW=M zw=Z9(M7cFUr#0z4Lu)pr4{-4G%EBEP4&7~gahQ@*g4!<6nRs0Xb=JS)HHbxf+5)J6 zh?P0D*;Eh6DqChwLYT_LT2qRYs2)#+${Itah0#T;V;(*NQabcMu287jVqWl~{ejw1 z$@y)a{wB~2;Ytb|yh?r>wZWDmgj*W|bsm`w(@ve$7s68@Z{~}4pz=&(uhg(nXry~F z8zG#`V=#w9mn+q;Iv^6tG?oq#W`ET4qgu^}a>@OUWj)*oukDkB?}=-{(u%{s0WdIDevDZg_(Z9pn)c8-`iT z_C#YIMSKzaE^R$OD4dJ6#y9hYzgrbT9u0rXH0s?r&np9_ICEI&+>j{JUdMYn&@o!~ zY!2AHO96%$MUyOomS-EP3G3NNZDtk5?e^MCQBr%|bK@A!et((F!LchM9ah1!7^9^a zi>nMF8K93Y7F9#Py(G1qjb$*yr>xiS?)uo-aAuIKr2nA@9&-`*3%}y%k?i+l?vtE* z>!8yHOTuC~jw8sbYI;MtJ`z3XBqb#CXx|Z?4{cXhBZ=$+geijB1ysq0yXq)-6ZG!& zyFMA1cF|H;9P{a@&dJi6X*D7Ug&xDu9CF)8XN9ec=SSo)?+a-N!74O)hWjzjp^n$f zg(aI!Q5#2MUl^IL%qV54P{37^(`pd*2#R6DP03G@JdrYMkT#kSV*F@&O zrxf#B2r1GFb7f6Nk=4|XqQe?W`ST7%zSD=pc^qRKBR8*%ym z(uYoeNb%pk=KrXoL=(LV2A(#gX!V%T={ynb$}4>*L4zHgYnr%_nq-k=pBN_Jm&kL! z!;wj1t(m$~>zvh%;=uQ}do{l?X(d0Px0SH9tT?}GXoe?q`>F*kmsNK~%!0wiVfhhJ z%(Lv1jZW?hdwq7rHLR-$UWKw~Az7QU7IA?aBBQAh^Y)Jx*-WZk6#AMK=xF63xC=NR61qV#4IG^n1SD`&tUx4G*h3?N%7EEMlY z_FAR3mk?((Vx=a;4KkkjQ;$@c$I0{g@)pyGcfBsv#UI8s&?8`u%F2C^)Cvc;oeeLd zCXF$A%g5}w<>QJDG>KmKPszxAta>Z=4oT1vyN4^8F0Yq;KvK$RHb1;5e@QS~KsmlW zO!hMQQ_wE>_!mdLdWtqg6-z?Md?d2xuzb_%cHLW3EBAUNmq@#2%q+!1`9)eg0*l#I z&MC(ah>x@c#mwy2h>qC!N&~y5(={VPm>0n_x?KSIO9EUd5Z*Mk z65i{x{MKx~PV8ekLi5OPBnczW$`aJ}z>}2NGLxieJgsnHCBObMhBIB){T|Cjkd~Q$ z(~=KTrQE}7wS5i@2F%D!jinKrEEq9Q&VzYYKM^!y#r5#Wgu>?2y%f>rabogFVjp#+ z?TB}(x$4pLP}!KZL1MTE!J=V6BvEWq{>Sx4+BL&W-N#!}3#rA2;wrf0DHl>DibMIx zk_r$1uPat2H6QU*`nqHUp3i4pT?}T0gn>Ttf3b@PG@2YxgXh+Wrj>nrr2yA_<#nS_ zXz)a}v{X^Pc-}t~+Tiv#0_t$CBvFyA+CxOzFS!^zq5u!94Mo z(~6k-z`f0h0(wlAd9N8cF?h!S!JZVWB(M8AP&~!fq%&sdU_h@@37XE7XHHdL$RDEb z9P}Iav_u|bV;?GG%)x+4C1hVMLz)U7vI1>_YrX{hY#Z4i)2_?PW-m(hV%{sxf1_rO zbdv%bj89u#lIpN#zS~;08>Ds(%&@$)WNhw*SdWV6$z5R%jLcMe|D}2IG*#l;b8qUm zkWWx&5p;+B32{AV_qw&6fOvW=v&zeBcQ>aSbVJ?WtHk#b%0kJ{%+B|JvsXMIAnRUC zJoL_?=2j?|I8?YP5wl8YmP01`B4~_2$p#S3r#BDMZdjmB{?sF_YJZ>iq~|CE?>1Jr z=6MZ45q>p+D*;lAY0UQ^6O6??EYIJ*vK}IOgBno}5v#hD{N`>PL0|KaLP7IoHk9QFZaXz3EI5QyEoUB;6Li=sHo7^o@|^Bp#P1ByeEb@QMA}w0 z2xy`^z&N0yQB~w<(6xE>qLk_%|f>3*Jrz@i(wElsE28 zBL8n3@$9LTv7nIv;=r3VpPv7Q3xDC^rNrO~B965Gk!PFoC!9KSRS5$MA(l+d0*(Kx zkG~p)wH|pvzPmOR)u&(-0+tlNlJ#Fau375OW__ULM^mN$hFUDhLAF7;YlN`G_M85x zv_!xUsee)co$mE7YIi|w?UU$iWz_zh_bkz?TVTWKEt2+VhB!kZG2485Ty)j;kko zGgCU7G#8P)tA?^4DQA;EbZ-NDlg0~~Dr~QdgB5Z&CAJg|>VOtCigwdLR`Dt3Atyw` zsSDp-#gEiIOky3(PK}PR*8Y>1sEQxy&c4VGx9bQdGS+N*HwO#ZKfY2HmHW1A-TQ8P zE>3v6O?iKDU$J`oNtbZlDbffvkHc1JU^uPs$@~-C_#NV)KAUQ5rDIseaqUbLk6pa1 zzGJtKFRw&k8RL}w6lS+1JsO)gvCmfSNEICF&Kx|05{hMwxWDcn>VLTR;&#h-ue}%w zRJpZCtK2BOYWybK=Ql%5$J(|Q)>HA;s9Y+Oz-9673`r8FJ}=1>u<+v{qui%gJYY~S zwEl2+cK11LvCCHp7U_o!o>QjyWx0JSub&K?;Sx3twm#do#$_P3hrlem7%jrz=;tph z?h0p6IXu!)cMm5(V}j$NsKgoHdNY$Hq5bjT{l#|KX`)ClVVOgBQm&IWo#ZfZBJA4d zuDN%^x+jGIKp3ZSMfoO~qWP|DS+VoxVeTwubQ{rdY?!79yv|#l2VorO#V?*F}(aY+FS@DsE6GGP$ zGcbfCTrQ^nCqr2fzfwmXl^$9N9^WJW>9!n2K=HY`gFRnqP@Nep#rK@b46_mCn*;mR zO1b=iRr-}N$~K-bf-y6Tv8pMvPuQdcS2`z;d2yso+uxvR2oj7ZCpM6E z*vME$1J%#fpMOh54=V9HXh~DK-SZ_K%yG@kGpRbi(3>15P=pNPlU0l@9X4@#h#bFf z8BB`+uYG8e-&w<@4NtbwCK=m2!A%8tO8neqpxnOw-?9kkf5s&WU9vFWlIBXSv%%@K7b`TNx)O zhfec-ne1REcxZ@ju?mLMz~Z^kpRzI@Ho%GGge1UJxmQZpuK&616QCG{awTA|?!C#ubI%Hm|9yqSKva|(5x^HHzb46XPVCkf9l*z!NAnfB3?gZlhbXfd4i1# z0MjmuHZV?#eQT$@O}7FOZVrgUWyzr%ja+}=RZ}%Rt-5=fw$u(xh9E7_5&VN?9uvcSYG7?40Nq`YCQYzDOYMZK&|Uauge$}O zHsy85qThPe(3mb4GVOK9>Za$YxNvs_)bee*()#;Rz!o~PB-426l7i-UO9D*|R>Sl= zfAZHhY#cLd1duwt@C*tLRcLE{S$IFX(v?NIS&pRlfa9vN^7SSZ--4xJX-6T{`R$bV zd1$h=3RVX~TI?U3jwYHvi+4#|3AywA{g7{QuR{(8tg83=KtmU=&I76ATesOnrPyljT~ EUl$_QPyhe` diff --git a/versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP6/README.md b/versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP6/README.md deleted file mode 100644 index edf52a6c..00000000 --- a/versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP6/README.md +++ /dev/null @@ -1,123 +0,0 @@ ---- -slug: /MEP-6-dmz-networks -title: MEP-6 -sidebar_position: 6 ---- - -# DMZ Networks - -## Reasoning - -To fulfill higher levels of security measures the standard metal-stack approach with a single firewall in front of a set of machines might be insufficient. -There are cases where two physically distinct firewalls in front of application workload are mandatory. In traditional network terms this is known as DMZ approach. - -For Kubernetes workloads it makes sense to use the front cluster for ingress, WAF purposes and as outgoing proxy. The clusters may be used for application workload. - -## DMZ network - -- Use a separate DMZ network prefix for every tenant -- This is used as intermediate network btw. private networks of a tenant and the internet -- For every partition a distinct DMZ firewall/cluster is needed for a tenant -- For Gardener orchestrated Kubernetes clusters this network must be a publicly reachable internet prefix because shoot clusters need a vpn service that is used for instrumentation from the seed cluster - this will be a requirement as long as the inverse vpn tunnel feature Konnectivity is not available to us. - -## Approach 1: DMZ with publicly reachable internet prefix - -![DMZ Internet](dmz-internet_public.svg) - -A DMZ network with publicly reachable internet prefix will look like this in the metal-api: - -```yaml ---- -description: DMZ-Network -destinationprefixes: - - 0.0.0.0/0 -id: dmz -labels: - network.metal-stack.io/default-external: "" -name: DMZ-Network -parentnetworkid: null -partitionid: "" -prefixes: - - 212.90.30.128/25 -privatesuper: false -projectid: "" -vrf: 104007 -vrfshared: false -nat: true -shared: false -underlay: false -``` - -### DMZ firewall - -The firewall of the DMZ will intersect its private network for attached machines, the DMZ network and the public internet. - -- The private network of the project needs to import - - the default route from the internet network - - the DMZ network -- The internet network must import the DMZ network -- The DMZ network provides the default route for tenant's clusters in a partition. It imports the default route from the internet network - -### Application Firewall - -The firewall of application workloads intersects its private network for attached machines and the DMZ network. - -This is currently supported by the metal-networker and needs no further changes! - -## Approach 2: DMZ with private IPs - -![DMZ Internet](dmz-internet_private.svg) - -A DMZ network with private IPs will look like this in the metal-api: - -```yaml ---- -description: DMZ-Network -destinationprefixes: - - 0.0.0.0/0 -id: dmz -labels: - network.metal-stack.io/default-external: "" -name: DMZ-Network -parentnetworkid: tenant-super-network-fra-equ01 -partitionid: fra-equ01 -prefixes: - - 10.90.30.128/25 -privatesuper: false -projectid: "" -vrf: 4711 -vrfshared: false -nat: true -shared: true # it's usable from multiple projects -underlay: false -``` - -### DMZ firewall - -The firewall of the DMZ will intersect its private network for attached machines, the DMZ network and the public internet. - -- The private network of the project needs to import - - the default route from the internet network - - the DMZ network -- The internet network must import the DMZ network (only locally, no-export) -- The DMZ network provides the default route for tenant's clusters in a partition. It imports the default route from the internet network - -### Application Firewall - -The firewall of application workloads intersects its private network for attached machines and the DMZ network. - -## Code Changes / Implications - -- `metal-networker` and `metal-ccm` assume that there is only one network providing the default-route -- `metal-networker` needs to - - import the default route from the internet network to the dmz network (DMZ Firewall) - - import the DMZ network to the internet network and adjusting NAT rules (DMZ Firewall) - - import destination prefixes of the DMZ network to the private primary network (DMZ Firewall, Application Firewall) - - import DMZ-IPs of the private primary network to the DMZ network (DMZ Firewall, Application Firewall) -- `metal-api`: destination prefixes of private networks need to be configurable (`allocateNetwork`) -- `gardener-extension-provider-metal`: needs to be able to delete DMZ clusters (but skip the network deletion part) -- the application firewall is not publicly reachable - for debugging purposes a hop over the DMZ firewall is needed - -## Decision - -We decided to follow the second approach with private DMZ networks. diff --git a/versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP6/dmz-internet_private.drawio b/versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP6/dmz-internet_private.drawio deleted file mode 100644 index 7b83bbfc..00000000 --- a/versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP6/dmz-internet_private.drawio +++ /dev/null @@ -1,178 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - \ No newline at end of file diff --git a/versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP6/dmz-internet_private.svg b/versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP6/dmz-internet_private.svg deleted file mode 100644 index f5e58204..00000000 --- a/versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP6/dmz-internet_private.svg +++ /dev/null @@ -1,3 +0,0 @@ -
Machine
Machine
Firewall DMZ
Firewall DMZ
DMZ VRF
DMZ VRF
Machine
Machine
Firewall A
Firewall A
Private VRF A
Private VRF A
10.0.0.2
10.90.30.129
/0 via Firewall A
10.0.0.2...
VRF A 10.0.0.1
VRF A 10.0.0.1
DMZ Network
10.90.30.128/25
DMZ Network...
Private Network
10.0.0.0/24
Private Network...
import /0
import /0
import 10.0.0.0/24
import 10.0.0.0/24 -
Machine
Machine
Firewall B
Firewall B
Private VRF B
Private VRF B
10.0.1.2
/0 via Firewall B
10.0.1.2...
VRF B 10.0.1.1
VRF B 10.0.1.1
Private Network
10.0.1.0/24
Private Network...
import /0
import /0
import 10.0.1.0/24
import 10.0.1.0/24 -
10.90.30.129 is reachable
/0 via Firewall DMZ
10.0.0.0/24 is reachable
10.0.1.0/24 is reachable
10.90.30.129 is reachable...
Internet
212.1.1.0/27
Internet...
SNAT to 212.1.1.1
SNAT to 212.1.1.1
Internet VRF
Internet VRF
import /0
import /0

import 10.0.0.0/24 no export
import 10.0.1.0/24 no export
import 10.90.30.128/25 no export
import 10.0.0.0/24 no exp...Viewer does not support full SVG 1.1 \ No newline at end of file diff --git a/versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP6/dmz-internet_public.drawio b/versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP6/dmz-internet_public.drawio deleted file mode 100644 index 544939e5..00000000 --- a/versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP6/dmz-internet_public.drawio +++ /dev/null @@ -1,184 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - \ No newline at end of file diff --git a/versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP6/dmz-internet_public.svg b/versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP6/dmz-internet_public.svg deleted file mode 100644 index 5e825081..00000000 --- a/versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP6/dmz-internet_public.svg +++ /dev/null @@ -1,3 +0,0 @@ -
Machine
Machine
Firewall DMZ
Firewall DMZ
DMZ VRF
DMZ VRF
Machine
Machine
Firewall A
Firewall A
Private VRF A
Private VRF A
10.0.0.2
212.1.2.3
/0 via Firewall A
10.0.0.2...
VRF A 10.0.0.1
VRF A 10.0.0.1
DMZ Network
212.1.2.0/27
DMZ Network...
Private Network
10.0.0.0/24
Private Network...
import /0
import /0
import 10.0.0.0/24
import 10.0.0.0/24 -
Machine
Machine
Firewall B
Firewall B
Private VRF B
Private VRF B
10.0.1.2
/0 via Firewall B
10.0.1.2...
VRF B 10.0.1.1
VRF B 10.0.1.1
Private Network
10.0.1.0/24
Private Network...
import /0
import /0
import 10.0.1.0/24
import 10.0.1.0/24 -
212.1.2.3 is reachable
/0 via Firewall DMZ
212.1.2.3 is reachable...
Internet
212.1.1.0/27 212.1.2.0/27
Internet...
SNAT to 212.1.1.1
SNAT to 212.1.1.1
Internet VRF
Internet VRF
import /0
import /0
import 212.1.2.0/27
import 10.0.0.0/24 no redistribute
import 10.0.1.0/24 no redistribute

import 212.1.2.0/27...
SNAT to
212.1.2.1
SNAT to...
SNAT to
212.1.2.2
SNAT to...Viewer does not support full SVG 1.1 \ No newline at end of file diff --git a/versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP8/README.md b/versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP8/README.md deleted file mode 100644 index 14748fae..00000000 --- a/versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP8/README.md +++ /dev/null @@ -1,503 +0,0 @@ ---- -slug: /MEP-7-configurable-filesystem-layout-for-machine-allocation -title: MEP-7 -sidebar_position: 7 ---- - -# Configurable Filesystem layout for Machine Allocation - -The current implementation uses a hard coded filesystem layout depending on the specified size and image. This is done in the metal-hammer. This worked well in the past because we had a small amount of sizes and images. But we reached a point where this is to restricted for all use cases we have to fulfill. It also forces us to modify the metal-hammer source code to support a new filesystem layout. - -This proposal tries to address this issue by introducing a filesystem layout struct in the metal-api which is then configurable per machine allocation. -The original behavior of automatic filesystem layout decision must still be present, because there must be no API change for existing API consumers. It should be a additional feature during machine allocation. - -## API and behavior - -The API will get a new endpoint `filesystemlayouts`to create/update/delete a set of available `filesystemlayouts`. - -### Constraints - -In order to keep the actual machine allocation api compatible, there must be no difference while allocating a machine. To achieve this every -`filesystemlayout` defines constraints which specifies for which combination of `sizes` and `images` this layout should be used by default. -The specified constraints over all `filesystemlayouts` therefore must be collision free, to be more specific, there must be exactly one layout outcome -for every possible combination of `sizes` and `images`. - -The `size` constraint must be a list of the exact size ids, the `image` constraint must be a map of os to semver compatible version constraint. For example: - -- `debian: ">= 10.20210101"` or `debian: "< 10.20210101"` - -The general form of a `image` constraint is a map from `os` to `versionconstraint` where: - -`os` must match the first part of the image without the version. -`versionconstraint` must be the comparator, a space and the version, or simply `*` to match all versions of this `os`. -The comparator must be one of: "=", "!=", ">", "<", ">=", "=>", "<=", "=<", "~", "~>", "^" - -It must also be possible to have a `filesystemlayout` in development or for other special purposes, which can be specified during the machine allocation. -To have such a layout, both constraints `sizes` and `images`must be empty list. - -### Reinstall - -The current reinstall implementation the metal-hammer detects during the installation on which disk the OS was installed and reports back to the metal-api the Report struct which has two properties `primarydisk` and `ospartition`. -Both fields are not required anymore because the logic is now shifted to the `filesystemlayout` definition. If `Disk.WipeOnReinstall` is set to true, this disk will be wiped, default is false and is preserved. - -### Handling of s2-xlarge machines - -These machines are a bit special compared to our `c1-*` machines because they have rotating hard disks for the mass storage purpose. -The downside is that the on board SATA-DOM has the same naming as the HDDs and can not be specified as the first /dev/sda disk because all HDDs are also /dev/sd\* disks. -Therefore we had a special SATA-DOM detection algorithm inside metal-hammer which simply checks for the smallest /dev/sd disk and took this to install the OS. - -This is not possible with the current approach, but we figured out that the SATA-DOM is always `/dev/sde`. So we can create a special `filesystemlayout` where the installations is made on this disk. - -### Possible Filesystemlayout hierarchies - -It is only possible to create a filesystem on top of a block device. The creation of a block device can be done on multiple ways, depending on the requirements regarding performance, space and redundancy of the filesystem. -It also depends on the disks available on the server. - -The current approach implements the following hierarchies: - -![filesystems](filesystems.png) - -### Implementation - -```go -// FilesystemLayout to be created on the given machine -type FilesystemLayout struct { - // ID unique layout identifier - ID string - // Description is human readable - Description string - // Filesystems to create on the server - Filesystems []Filesystem - // Disks to configure in the server with their partitions - Disks []Disk - // Raid if not empty, create raid arrays out of the individual disks, to place filesystems onto - Raid []Raid - // VolumeGroups to create - VolumeGroups []VolumeGroup - // LogicalVolumes to create on top of VolumeGroups - LogicalVolumes []LogicalVolume - // Constraints which must match to select this Layout - Constraints FilesystemLayoutConstraints -} - -type FilesystemLayoutConstraints struct { - // Sizes defines the list of sizes this layout applies to - Sizes []string - // Images defines a map from os to versionconstraint - // the combination of os and versionconstraint per size must be conflict free over all filesystemlayouts - Images map[string]string -} - -type RaidLevel string -type Format string -type GPTType string - -// Filesystem defines a single filesystem to be mounted -type Filesystem struct { - // Path defines the mountpoint, if nil, it will not be mounted - Path *string - // Device where the filesystem is created on, must be the full device path seen by the OS - Device string - // Format is the type of filesystem should be created - Format Format - // Label is optional enhances readability - Label *string - // MountOptions which might be required - MountOptions []string - // CreateOptions during filesystem creation - CreateOptions []string -} - -// Disk represents a single block device visible from the OS, required -type Disk struct { - // Device is the full device path - Device string - // Partitions to create on this device - Partitions []Partition - // WipeOnReinstall, if set to true the whole disk will be erased if reinstall happens - // during fresh install all disks are wiped - WipeOnReinstall bool -} - -// Raid is optional, if given the devices must match. -// TODO inherit GPTType from underlay device ? -type Raid struct { - // ArrayName of the raid device, most often this will be /dev/md0 and so forth - ArrayName string - // Devices the devices to form a raid device - Devices []Device - // Level the raidlevel to use, can be one of 0,1,5,10 - // TODO what should be support - Level RaidLevel - // CreateOptions required during raid creation, example: --metadata=1.0 for uefi boot partition - CreateOptions []string - // Spares defaults to 0 - Spares int -} - - -// VolumeGroup is optional, if given the devices must match. -type VolumeGroup struct { - // Name of the volumegroup without the /dev prefix - Name string - // Devices the devices to form a volumegroup device - Devices []string - // Tags to attach to the volumegroup - Tags []string -} - -// LogicalVolume is a block devices created with lvm on top of a volumegroup -type LogicalVolume struct { - // Name the name of the logical volume, without /dev prefix, will be accessible at /dev/vgname/lvname - Name string - // VolumeGroup the name of the volumegroup - VolumeGroup string - // Size of this LV in mebibytes (MiB) - Size uint64 - // LVMType can be either striped or raid1 - LVMType LVMType -} - -// Partition is a single partition on a device, only GPT partition types are supported -type Partition struct { - // Number of this partition, will be added to the device once partitioned - Number int - // Label to enhance readability - Label *string - // Size given in MebiBytes (MiB) - // if "0" is given the rest of the device will be used, this requires Number to be the highest in this partition - Size string - // GPTType defines the GPT partition type - GPTType *GPTType -} - -const ( - // VFAT is used for the UEFI boot partition - VFAT = Format("vfat") - // EXT3 is usually only used for /boot - EXT3 = Format("ext3") - // EXT4 is the default fs - EXT4 = Format("ext4") - // SWAP is for the swap partition - SWAP = Format("swap") - // None - NONE = Format("none") - - // GPTBoot EFI Boot Partition - GPTBoot = GPTType("ef00") - // GPTLinux Linux Partition - GPTLinux = GPTType("8300") - // GPTLinuxRaid Linux Raid Partition - GPTLinuxRaid = GPTType("fd00") - // GPTLinux Linux Partition - GPTLinuxLVM = GPTType("8e00") - - // LVMTypeLinear append across all physical volumes - LVMTypeLinear = LVMType("linear") - // LVMTypeStriped stripe across all physical volumes - LVMTypeStriped = LVMType("striped") - // LVMTypeStripe mirror with raid across all physical volumes - LVMTypeRaid1 = LVMType("raid1") -) -``` - -Example `metalctl` outputs: - -```bash -$ metalctl filesystemlayouts ls -ID DESCRIPTION SIZES IMAGES -default default fs layout c1-large-x86, c1-xlarge-x86 debian >=10, ubuntu >=20.04, centos >=7 -ceph fs layout for ceph s2-large-x86, s2-xlarge-x86 debian >=10, ubuntu >=20.04 -firewall firewall fs layout c1-large-x86, c1-xlarge-x86 firewall >=2 -storage storage fs layout s3-large-x86 centos >=7 -s3 storage fs layout s2-xlarge-x86 debian >=10, ubuntu >=20.04, >=firewall-2 -default-devel devel fs layout -``` - -The `default` layout reflects what is actually implemented in metal-hammer to guarantee backward compatibility. - -```yaml ---- -id: default -constraints: - sizes: - - c1-large-x86 - - c1-xlarge-x86 - images: - debian: ">=10" - ubuntu: ">=20.04" - centos: ">=7" -filesystems: - - path: "/boot/efi" - device: "/dev/sda1" - format: "vfat" - options: "-F 32" - label: "efi" # required to be compatible with old images - - path: "/" - device: "/dev/sda2" - format: "ext4" - label: "root" # required to be compatible with old images - - path: "/var/lib" - device: "/dev/sda3" - format: "ext4" - label: "varlib" # required to be compatible with old images - - path: "/tmp" - device: "tmpfs" - format: "tmpfs" - mountoptions: - [ - "defaults", - "noatime", - "nosuid", - "nodev", - "noexec", - "mode=1777", - "size=512M", - ] -disks: - - device: "/dev/sda" - wipe: true - partitions: - - number: 1 - label: "efi" - size: 500 - type: GPTBoot - - number: 2 - label: "root" - size: 5000 - type: GPTLinux - - number: 3 - label: "varlib" - size: 0 # to end of partition - type: GPTLinux -``` - -The `firewall` layout reuses the built in nvme disk to store the logs, which is way faster and larger than what the sata-dom ssd provides. - -```yaml ---- -id: firewall -constraints: - sizes: - - c1-large-x86 - - c1-xlarge-x86 - images: - firewall: ">=2" -filesystems: - - path: "/boot/efi" - device: "/dev/sda1" - format: "vfat" - options: "-F 32" - - path: "/" - device: "/dev/sda2" - format: "ext4" - - path: "/var" - device: "/dev/nvme0n1p1" - format: "ext4" -disks: - - device: "/dev/sda" - wipe: true - partitions: - - number: 1 - label: "efi" - size: 500 - type: GPTBoot - - number: 2 - label: "root" - size: 5000 - type: GPTLinux - - device: "/dev/nvme0n1" - wipe: true - partitions: - - number: 1 - label: "var" - size: 0 - type: GPTLinux -``` - -The `storage` layout will be used for the storage servers, which must have mirrored boot disks. - -```yaml ---- -id: storage -constraints: - sizes: - - s3-large-x86 - images: - centos: ">=7" -filesystems: - - path: "/boot/efi" - device: "/dev/md1" - format: "vfat" - options: "-F32" - - path: "/" - device: "/dev/md2" - format: "ext4" -disks: - - device: "/dev/sda" - wipe: true - partitions: - - number: 1 - label: "efi" - size: 500 - type: GPTLinuxRaid - - number: 2 - label: "root" - size: 5000 - type: GPTLinuxRaid - - device: "/dev/sdb" - wipe: true - partitions: - - number: 1 - label: "efi" - size: 500 - type: GPTLinuxRaid - - number: 2 - label: "root" - size: 5000 - type: GPTLinuxRaid -raid: - - name: "/dev/md1" - level: 1 - devices: - - "/dev/sda1" - - "/dev/sdb1" - options: "--metadata=1.0" - - name: "/dev/md2" - level: 1 - devices: - - "/dev/sda2" - - "/dev/sdb2" - options: "--metadata=1.0" -``` - -The `s3-storage` layout matches the special situation on the s2-xlarge machines. - -```yaml ---- -id: s3-storage -constraints: - sizes: - - c1-large-x86 - - s2-xlarge-x86 - images: - debian: ">=10" - ubuntu: ">=20.04" - centos: ">=7" -filesystems: - - path: "/boot/efi" - device: "/dev/sde1" - format: "vfat" - options: "-F 32" - - path: "/" - device: "/dev/sde2" - format: "ext4" - - path: "/var/lib" - device: "/dev/sde3" - format: "ext4" -disks: - - device: "/dev/sde" - wipe: true - partitions: - - number: 1 - label: "efi" - size: 500 - type: GPTBoot - - number: 2 - label: "root" - size: 5000 - type: GPTLinux - - number: 3 - label: "varlib" - size: 0 # to end of partition - type: GPTLinux -``` - -A sample `lvm` layout which puts `/var/lib` as stripe on the nvme device - -```yaml ---- -id: lvm -description: "lvm layout" -constraints: - size: - - s2-xlarge-x86 - images: - debian: ">=10" - ubuntu: ">=20.04" - centos: ">=7" -filesystems: - - path: "/boot/efi" - device: "/dev/sda1" - format: "vfat" - createoptions: - - "-F 32" - label: "efi" - - path: "/" - device: "/dev/sda2" - format: "ext4" - label: "root" - - path: "/var/lib" - device: "/dev/vg00/varlib" - format: "ext4" - label: "varlib" - - path: "/tmp" - device: "tmpfs" - format: "tmpfs" - mountoptions: - [ - "defaults", - "noatime", - "nosuid", - "nodev", - "noexec", - "mode=1777", - "size=512M", - ] -volumegroups: - - name: "vg00" - devices: - - "/dev/nvmne0n1" - - "/dev/nvmne0n2" -logicalvolumes: - - name: "varlib" - volumegroup: "vg00" - size: 200 - lvmtype: "striped" -disks: - - device: "/dev/sda" - wipeonreinstall: true - partitions: - - number: 1 - label: "efi" - size: 500 - gpttype: "ef00" - - number: 2 - label: "root" - size: 5000 - gpttype: "8300" - - device: "/dev/nvmne0n1" - wipeonreinstall: false - - device: "/dev/nvmne0n2" - wipeonreinstall: false -``` - -## Components which requires modifications - -- metal-hammer: - - change implementation from build in hard coded logic - - move logic to create fstab from install.sh to metal-hammer -- metal-api: - - new endpoint `filesystemlayouts` - - add optional spec of `filesystemlayout` during `allocation` with validation if given `filesystemlayout` is possible on given size. - - add `allocation.filesystemlayout` in the response, based on either the specified `filesystemlayout` or the calculated one. - - implement `filesystemlayouts` validation for: - - matching to disks in the size - - no overlapping with the sizes/imagefilter specified in `filesystemlayouts` - - all devices specified exists from top to bottom (fs -> disks -> device || fs -> raid -> devices) -- metalctl: - - implement `filesystemlayouts` -- metal-go: - - adopt api changes -- metal-images: - - install mdadm for raid support diff --git a/versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP8/filesystems.drawio b/versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP8/filesystems.drawio deleted file mode 100644 index 0f0c6ab5..00000000 --- a/versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP8/filesystems.drawio +++ /dev/null @@ -1,43 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - \ No newline at end of file diff --git a/versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP8/filesystems.png b/versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP8/filesystems.png deleted file mode 100644 index 6d903b7ec9c8c069383846912f136127e54a371a..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 24073 zcmeFZby!u=x-L#hh|(!8>F#a`7bPK}z(SNxX;_4mQqoJ17DPZ05hO&qI|Uaa-67r5 z^&89BXP>?I+4ubJJ@@YO$9W!}^{hFWbIdWm`He5$@BLPoriRkh%hxWWp`l$>QHE-x zpqhg(zfK4W^8GqtXklJGhP0zdvc_=-^;s2LE>#nz*<)di?v#EFJBBukrU_PGA}T?k3cUyJjYK ze}7ib#vE?_`&xbx@n6e8U9N0lV`csO(P9F>C1r2&=i=WhakVxvcl7vm|IbrD<>un( z2<}w)`ATkC*r8pRS{w8`uE?B6dLL z@}@vuB37txU`%rhcktiNecgsBnAH*|CJ;K{*fd_{tG1edn^2v%4wSb z?H1sJTDaQ)?fH+zXm9@e@&7_46yp0mhd-w4ABc|s&$+)=!v6}ZQFmOY=3t0f3?7V+vC5|HBA#2xDDLK(czyhyKIf97y(GEL_pQF?>RQ_UvB?SN#8$KK@?*U&$6_`2M*_UClwr@*j%S z)!gh~F4Di#*MA_=Kd1i7x47W1<^PpP|6&^dmva4Qx(WpQuQ#3|e`7rVk+S|@GoC_! zC)xjuvVsWcpC~H`i~hy?|8E1Ie`H+$uPN*AeDQxrS^ueFbv3v6*DLE^l=HWz|3{Mj zFH%3z;>cSE%T~h! z@Q5)P0;sh3&{!hh4PANn)KpQfAUp}zl8lTLyN9ha2pwxd&=`^Aiou9YMDB`pkL+lu z+B$ce-kH;X(pQ-oSWY^Yh$O+^k!&nT(KL4h1ZzEb33-4mjR@D2w*% z5K0HZAb~79>9RA>VW9q^AA{rMO$>}*hjbXrMA1viAtkqoe?8p4hctSr!-tXx?ay37 zoRqoDMkIPfv%8A+U;P z`1yP~jAT}De8fYC_Gd-}=wS%BSRUE$2X;t-;~o!m^xxv}hvO>4vzqm@|2*(Jo-*9L z4j=c|^Z!Q#Kra7zEhwV$ufI4S<1QW0E^wHrLQo=A*GEfT@4i)Y?&htpIhhV59FL?H ze6TrLJMqcpt9FLx{)koe{`y$;g!>qG%+C4IBJEI>o9)5=m}50_0*t|h+R(2#gwVtH z_y@m6;zRf3Vj4lqNCU6s>?o7DwkXEL>?=SCGKr&?Lfh_mM93nsq>$SqRXr3*pVf^!TBV z7OEcWr9)Nmy7xO@J^r5TuruFjDXs6j_s!n)$$X5`xZBXf#k42qkE_pj`(!)}9BWH` zk6yd>ibp(@F=@i`I9|@F79NB(KXm;p?6COCgMiDim0S`# zweMipwD@C+g4{F>@ddK-IfP`DMw@AV$2J~d5Q%(lLYdQ| zleyypC?XP6E{9Ph32e(c!-qg8=N$t><%j@?`>tlw~`*;drc z(SUe#GA9mW`D|1!R@s-0wE1qgQaXTB@Wt0p>c(8Uxz&Y)YzKR!kLF_?-b9HApl=Tu zJ*j;2{HDa>p7&aD$gY7zKo^aqd%pBkcB0`5LV6$O@l{zf;gVEO)TS)J~@8)Qfs={=urUUTR__n=+bZWi!)TE-Wi}x2O!6UB;ch&Cp zO0pCjRwvSCGAP4So!h8cMBd(c?XXY-UVXvi-R}yeDGns)#B3<*v%Ln-!G$ttMrNBG zOn8)smB
xw+)D(Mjrp)Vmc+ZeAb<7x_eF6=MlG%YLYI4L!@ShPQCJLX3mr2J*i z4@rFQMiVY_d(wNeQh4aWSLyS^xec%YcgNbjg!nKto6%3X`s$})tHq|q8L$ec3|nMo zFpa1~s)756#lswpS8AX5*i5+T@0>@)e-EMc<8uyJq9cS7cD|;ih^9mGd+*x~6`9nRyZ-FdhKI`4MZ*{0oB=sC@Sc= zXt$eHVtCHKh9R-c-PfwyKWK)pb%Yi+UO;{4=81<%8(B=Ud-5|)Pv)&T`mHaV{zOx5|?hcUgA z$|r3NMXZ;N^`?bMvt45@`lpGM1I}ou+Vt1hJ0iXUyjVrM7wo zEVI-qf>yn7oa;_c@d#ETN-cgYAz3sFs#e}}s4DH9?t~#25n@fwXMHjkc6%x-=7_3t zARs^BMOWwMQOK{oTvy?LF2KOQv_=ycn)2j9qlyI^f#EZN8($8-MnnAD6waf-3^+!TKK z)bxAc_1so4TnPW|g4=+HG|z9;dHCCfvXKK9svVBjuQT73jb|i zglzm$2dwrluad~0gy=BQ)nTS77++Nr{+Ke1fi!V;O!+k2Dn~L9@10SuN2u%q$(Nnm zX=PuhDL$A*7zz1RNs6NHaqe9qe)j;pcoIn1o}oHHSjJ~~+lpSYgP%@a6WC13aHhdv zVR5EsB44TVj4Y~-bdD~A(2O1#1EU zs`yyvZHiHRq0_Iy-Aw*x@c)!pvKS;pCOyp#kV>?bAarVS5`Hw$0eL(hv(Y2i2X|W? zbStdge<`_?9yksnoa>>xAG>*6X??c*K}4nYsAKNhc-_UhclpZuyehA~m64Lz%}043 zz8~+e+sc^qv%dD3#U{M52AoEjLdB)Cn`)EJMl_W56|Xt<{0_!lpRW#nNHKW45TAE` z3T#=$L-&!^s2kFw-1VnB{?B6yFF^QngxIg&>EfiUyeO#Na6y^Gy(j%IRC$)mru@7; zP(g$H`Y5^1g8by0OaY#f6pmb@cxnmnR1nH_w;>;TOb92m&rKNHIgEa?SvvKUsXITm zMa5mZ6OvZF*N3uHNDr3YJg@ptKIs)Bbuj7ec(D28VhngEUMu~|9sD!RDtax9+%N)( zTZ_G~J_x8qhd|tuZbkB?Uu?J2ZsZl#xvb`wXndf6puCWQb1V4=gk#;&TXk!X$;UZk z_T>|o9p-`L#$UM&>TiGm<$jRCmreX$F@Jnc8y8u4gBzHa4wE%6_IFG|sV}d*R&xD= zcJ`)xG6U;t_XZ6THeWwEUv{Wmpb#}~Ks#uoajZZEQSb<|og2ZupRPE*%ktBCc4$fo z@zE4;XH0E=OBdrb?%ZB^w7WQVI-Sj1ci2?==v$XB2$FT?toL@9B$~=(kB1VWa7}dy z4#-l9W1aJB-+le~>_E8-Ac-=9_Qdaatf|vp`)kXm35c2IkZNK^#R{bxk6Xx`wb=_A zKbOD{6>$1c{;axof3*AF2?(9nZ}=UWkdmA}0P*X7dB&}fs>L+#UY6!E`>`qzQGWUS zQn=e~Z5a8=XQ#6b<=kEEM?dMW9l#Lh=O>QUh{9(QZYves<>UQzReCU!OWw}UK_DmU zwsKF@tnJEBwTB}roNa$5$m3Tmt(g|-5{9@Vb2fkq$qSxboVQ`GVx4UPKkhQ+d+@4Q zaxPMkqFC&6ifEtT#cTv`m5#1{s~=UgtG>i(X0!LFTLj`QT>cN9^JP1p9%oAtM*KiV5ik`#mqCB{7sYix3v9MBI8cC4o)`f zt8e-q55opPFm_^W?gOIml+Tx!^d%G#*O!5Z=OCqnxf1tBBIV``qLq!+#w=6p*UaFR z3kiZ4Fm$jlR7D>Ruu=X#69terw9=90X}bYtnOPmOQ4BSy%cG zx98Sh%1q zP_7GS$X&tMhys* zMIK9?td-~_5Y&rLI4*BpoCo0Z@a1((cud*zLSk9v=Yi&aaw)8sz3efdr9{1YRb;r~ zY^#}2hxhS-9zBnr*6TOXC&ZAG_43zwM)h^uCjHNFNTqZMMk5ypu`^1C49B3OUaKFh z0-mDx8{9B=^1V1am@13g_tMblC0R{le@i=gzM>#W^A4ibDYZkNtw@StVd)ja?l+ zO{sy_UNgaz;{liOACy>rwo82_=}~YNb)n?ca4Cg7;^s=%@;}>Qon1&t4msLi)QkcE={Zpo}RrC1JT0 zgsFN5SlAl%b2W|{Xw8qwEFvbJ06!28d!Jxfa>qf_xTqV5k=q;9n^oUGr;JS9@W*8lpZZ&fKCCZGLk`G9@tH(iJ627i&m z7etsah0Ej+ScNBR(W5UH#5WC(j}~9s(^>HuCdu%!nG72~< z@jJuA$36S(xNIERB#~r0_3+DK!X3C;su;2hWYbn_jIqT;=+T?vM-?1U_!hx-KGRLR z5vAGMH@L(r4b^>0BiC&6wOZ%K9P5R*{rR*w5VBxv#71Tpq2DiIcmAj~2+Q z%Jx8YvF+4t)Fx--1-{X_N=gv$dI1S~H7vKxi^7OWY2Qk+h>Aq)TY0@ z8ca6KHtO9-Ai$>2zhQWx056go9jg!WoUtv`MEZ9qS{HqKW)YAr#QQl-dQ7D1<58TS zTpg^f$cYYqN>M-nk*K&uC_Uh(e5HlyT)ht0o5bkD0P$U~?5x`>dJ7#w%J45C!v-xl zX^B*3`c=)>!b>q%xx%(X&%aYbJjR_v@a{X(Vq-j8AZpu9-{yY3Bulg_H*X{{FWr5R z3X=y~Ws&3&q<%Wz>fP+!Llr{RUNsX&knpM2%R4jhAk7{PHd-6xDeu(LujSLn6SkC& zq(0@t-?dnzVsy=j0fuB4;$koDK_+H# zyO&6}0qiZ+JJ>T*eGJaP@(2EWTTmQKK^nQ4&m>nZt%HozGXrh)bJ{o*su`J!g#5wAgndoJXjrJR4Y5{KeBg7LHnt!MZEm63_L0mClF z*r9LmZobLRmC|bWGO8NFDO^7Q#eqC)934wwh1g;TL;TqtUD zq33&;RqfZ!zp#EExe=5ki-IDi05 zbn!%Dyl8Hn`I6;9R-3u(qYrr#$goZJg<^&ynk}`CC2dDxnx2j|s9e_eF1GoL3+YT+ z^6sJ2cvfVKA&Q|k$&!OxS zGyRn3^7(~6Xr?BXO;$Dpt87N6b}I*tObfnSSo^>S+ic>PJ^pgormeBZSmKue;~4IC z2C!I4cB`sf-!dgXSKk)FRvkkXHE;0`3JwXPJ(!E9;_>yP2Obk{`)M5Hcj(BGTBmdI z`x;jrkcWTCQu2OyV;dc%GMFS&$TbPj>7qH_xqo~oi-a>CB*ke7sFcRw=fwt@Zyp?@ z(c~1%mPoa0Pxnf0+EH9hkc@-UT|o~c2t)9lF%OiIKr)<`XE8upM2>qqF-(@4Bzg(J z+xZ5MT$HcazZKN2?}G2WSW zBhY#sKQVXR%p3UDJcfhsdH6RjIdg7aqRh*kOzmr@CvcX`%zAg48TYECc41&DZ>Vo7 zXKS*9_}29&#DzE)v}ri~OchzLtn63yRCYNR{b))zf*=j6A1Q?d*M^e{eJ-{QHeq}l z_)gs$;uI0br}{NAFP73X#6uoVFx%Zj`WIsMDwA%#|3c=*(5Isj*T`)I$-K$Q5U@K} zIevBVy%JFQ5ZekY7Dv-(L{E8chd1%wu2h*Y&^VJ;hEKo7%s?a>FnpW!MyKU5M9a$> z&PsMf&7|blOgwQcdv>IJ!p(|ZKLRRe z{K-O$(-;{MmLC8(DndW|=~`K+Qr4{nqm;p_6sky`)9BAGkuFpXQ=S-$+uaY>Lbl~Q@xzkHD6~=ndHva zGxgg_f+0b8HVoUwA5Evkc1_JydZ8q7)te!+S&5@d>ZF^LzV`!s=|#*!4B zl0HDsC{s$Xje}e<-5M!}LvKuQm5NNCbg0sV(W2kk$+g!Uq$782A7E?bW2TiWj_1r} z6Y!?M30U+t8e6&R&I1{)Q9PS}q6g$uBcXYbZq@qAL6hv(_yx(2t6$mnnwUju_+xhk z==Pl+ex48TQ0?u#%VKyx%%b^%G&&3~TwtpuWU0ZP|KbiEBguORzXwu*Qb#BC)R+Ug zU0)Zi_+-i?1kzJI2lAvxvoFfz;nSZf38O2LSl(WqgajTBgc38VY3>-27&;Ks{K&q& zBk^+cVbqS{GYBTf*|E^EeTs5;|EEQVGTBQ|A-Ai9sydql(p=WyJAK z4almoA!OKC`)YW8r!WxJP6wN5-4EDnvsy%hTv8vE(@_;`Kdao6ngz;&<|v^8-(+(j zsliAyBxg8eoNB37g3lR8nv=&ZFq2A~b=-upf(Wf9PEB5H*#JdUOuH=bBjWi^b*wAz%g!#K(pF9SD&sx22Ups?1KV3?XqHZDn=ELl@{tQhn z^lSOf9{ceVH)JEFqy5N`)|xl<{#oJGp`34ycy!8K6al&T{=PgfrCL(b6BPzSmyn7-X4yM~msz7t{<_G2X|M;D87Ghh2NRyYY{ zO|M~e`sy>e7-8pl8WC-l#=Io+5zblPT;khFFp8wF1UC3@{uX8ytmj=K% zW(2=SO9NI+K#G)9h8we+sO|M%=FB&qtDyW)T{PIap`!p2A<|djXxdrn9WSvS;nT2_ ze!U*ciSDJ@!e-6l9I(#EFOVT%L!umkp0GfPt)J=h@k%3{&D_R&bhAvpxyfm4Zv2^)f2OIWB zv%ORimsejHzQ{I1roGU8k~1I=#R+uMd@XPHF($6zfzM-sBoI~+_CfZg*~(WVe0jS+ z+)$CZ^YSdA%6QK*)l&ZwC$>CgHz%zjSKytOLY<~%MW>?P`)dkNrMiw{ANVDOE=wuK z6%p0v=fyFLo#bKSYS2wOq+GJkIKWw|bVWrzlBnzD@?iiWuyAn^B<-slG1xwfit8Mu zCC#Grjg^a4iM}ccx9(~4seGIbA+aJ_UB z0(KPm&BL(ruo>QhY<)kIM29jDJM6Q+wD-Qy*Bfqg%+sDs`9+yqftTA!f}L)`=|(+O zXhiI+Rr#*hS`ba=-Opt7P|X>c!Y78nWPr9~%NNjBv92!Q67-CgGLxSe4kjE^-hVE1 z!rj-RL`3@%HncMM!S;ElrB}j(ng!E+w;q5$B)Fd?5ENVuzn;RYEkbO3v;+|_4^=SO zZ&Q4(wWr);!r+AyMzG&e>`dn0N7dENM>}*on3(N0oGig@!6>_t`#w$hA0RWYYl#}B zO^gYngq^o>bk|8~SbR&!uIsW6+wr;`hLBp%0GC^l*IS>$%b`ly2mXzLI4RjLzjB=x zG4-)?XRrMZ0uEH+|Jz`v$-{dxf4Bhu1APAf#e?sKAubn&+%WoGeSoH8;GX7Tq-i~e zC1X+WJg6uVcrDeKGnnWlR542#^?HNCUz=o$3zF@F9skf9K-Kfs2I?=75;cbkb2-%t z>2av?hf4i^A~!&*iM@FfmqH=A0%ZOJD5AhKiP%dj0Niew+-8y${5#`O@9>EP%eH~;XdXroZ6*Jfe%Q>&B z@Odie?rE7E26w?I0mp_3Bn6DlEy+A|?nrcXF4_rNsG`FczF12hWFsb>A1Fxk4iy^7c%TRtpo%;kge9YPcxu1&C1ZblAkTiROt(+J z#Ih0rk*oqp&`1RUa=i=GQ$!-pZgeBT%d#JmK3;lLpz%t=p_{uLu4ni-yI39#0^k~l zm4RG`wn*v%kIl&qpbMfRlAARpG-6KaV}R%|fr9Z+P*C+VFGnD_p9t$JK%y204IHJt z>i|h2*SNsskUTY)hYX!qIT&mcjwC??Wrj@5mse>-;C}%$q3y&<*G)(nW2btO1=sV= z!TlddATXsO0;#PAOp#7?;0#%oP~h%0wk5y9y#xaX@stV>I9|(@0}A&|0mn3aAx-*V z{A&wZ(=v)EfTC+~-yQea{p>K`5yOHYf`F2^%Vy0k!r)PE_IOF(O#_SNEnZb1_wy+; z{{{{hFqvxR#0ULBm;M&_v~3v!Xt;5v)!sKfQMpEGfD^=Sx2^b7&3oOP(IDf!DNE{n@^2UjE1M zFoa3-vt$dbj2Z54eC#DdfnhJn;PpeEH1?ljszHfn4gcot%YrsunV72q9!9Y&>T1@; zHgu@c0KrT{|5rdWag3Frz+DMp4m@MaqH`wxaROL2DQ;GqwFhMdt2GQe~`A&gb3ccVHSmabi*z;nWo?t0W6~fE?TIH z3Crj71@b~4sA9Rpgk5qrC{vZCHd<;Wa1lX_e71wDfgVSYK)8ZYq>TbV^l+CMAEr76 zq?VT*#&~a?=h}2K1D}}f8E@jN8XGnpZv$I0N|=y?;>BR$hJ7vqkhv46UpO=>H*ax@ z-F?UgNNSfs0Dh0psw{d~0f%%fBjm=)XsNB0D&zSA8jI1sfKyd)7~%{A?1w_{mE4^7 z8imG_i}P6BTriPgqb;CEFw9F6^#JW3yFuK7!(bUDJQzBV4p#CK+AhABYUV~G<5#2a zTjZyfEYMmD_zMvLSc^%Tp8}{is&&Bz0@j&N}#E^wKmGi2^~If-Z8R zh7Y?0@NEDn?lERp5=Fyj{PfHlltP4&o`9@D*&}qNK0xqWFsQxfqPTUJTrKg#6yU~D z#*B>Zmf`~4H=Y8%%19b|JwW`5VtyPC5HHjY&nDfYeeunO)B=ssn> z#lS>NVJQ@x*hudy7Y#JD^}J*6$++6rYs>BOI!E!7@6LYp4B|2H;d&^F0A7QI!)pDXFv&-eL zA~0WDz14)Tj`fvtS+wT4Nz0=beK|Gwpp2{~#`%ysP1YPqT-V{`afMo-g{9`Dk6{rq z<}Q^DZSqyUl%0x~j3p>&Q2)ga^XXeB^Mp<&wHHgcw>U3KORV}tW~6BCjYCp_6a*y! zb;DxZO+%GWHkIPqI-0T`_p7juJex>AdgYUh(eYwGHt=3~{%**Wz4^EuY1
s|)TRD0vGs2UKyg2w47<+D+~{>-Q++BdU4Bq^moVQKCMDk3 z=Ip~2VwdziRP2boRSCGBn+aVu&KMTF61S1oFNNM{QG$T>{nY2Q8~bv_k$46Pi%F*! zn-}MO3G{&obxID2B1Jk`F_+$txU5NH>TR210#U9q`{y<1$E)twQ?dtCc`93=J;2;s zsXC{A*)cGEKa_F2?Q~~tUSi|ng!~*OWKDFoQY^P^^4-PhqD&e4HJ;mlXmp+GU_LmM zAm%cp+>U7D9hx{SGMT+NsK2nUb4Y3#p^e)dhG%33nvI3x^#fLsBL!~0F^qC+sA=*> z0=NF`3=?UXFAc0gY`bNL)jM%GU9HKh?Yp^%2PhgIv*^C3CFGs21ogpTYmG_6CcGO* zC6p@cH$arO?R1Za1aj#BUH#>yH(if2K){!{>L9gO2b4@FMNt2kZb4FHJ&XYHq2$zm zih?AkQS8+`*rs;=rOl)eI{{0T7G4P=F*_ow+~6Qr@r1`PMB~a+qig%ghoq`PxJeJ% zn|Gx}S&NGbh`!=FH?wnU7;LA)L_8fxRJmYQMC!I5N_9`a2)=v+RZ^t6nf<7{KL+y? z%V+D_JExi3-EN{eRrfzxn;@n|Cg5K=68Db~>Hv$!OYtRC8-)=9ZlVcmV^b(W!rkGJ zMs31wcEE`&o*Mxy$dWVKRBe;aAYa+kw{m3Lj$P(QIaPOF`t*IiNuCfbHqmyIyXA^S z45iYx_~(*ux&|Zsjv~;zl-Y;Cj<>XHi*swFvmqO?1teG|InMA3<9#5-m3hNKuW=E0 zJA3z(cLu#{jcq5T&p*2a&(GDftYlH&3rV-){&B>oH)kAqHOTPZl+VF;v*^4JPM4p# z@`<1+s%RZ4uvd#rb)P7nIQ5K5Hl=P3e|qAGHHg2#j3IywB*r&^;U6+2mW4`L` z`C$PbOBoyTc|0|%@mk;|tZvLrbY$eVwZTL9y!S>JDeEZqAgbKNK=0~vz1<^}KqS7T zrsbSs@^K5^Bs_i=#MH#JstaVXOLQ(AwhiAz5enpxD^S3+++(mU6BfQ-8HVt23kAS2 zv8SU&5ib*{FpA~MU%$RH={{ypxr?WztnVCNRfI`9+o!yHxy z6c4Gwn^6=kr4>Hsj|JWQ;^(v_+%ju^?fs3GybqoTW+20yhdw6~t~MokNk2~nCCJ)j zyINUCPu5nhRbQRrI@PBFEYO`r&eTFWzvr@zr{QkFg*V3E3exXh*wxHY*X&L4#YgUB zYitP>5*($G6J`&Pu3k#nHEt8!4esFA*`%T~%B~Oz5$sI}jcvN4X+BJceKfiPBA((x z<(>l{9bFG7`7_9n;tXXO*TdI8S=paTQOxR+`?mq)l@-*?=7YV}Jh~1Ftz2($jXGg+ zd?mAbPuWViV(Bi!A{LTpXk!DPn5d27>hslMG_;+zE5lxbKI z9wIt4Lx}DlVk4zz4imY8&5!$t^Fo_y+Yz9JG2don_bB`?E|BS%9V>V$#JJoNPWM`{ z+OoPV3;Z#0bRS=bN)bgz*$%I7Jl72m4k~myZ=)0@Wwk9^dtv39(1I<#&$+eN7gJT~ zy7)5B%IDIS+jHv-sm+e-L(X=Dta7-J!B=>PiVR<_*-qPp6XYuzLXs*1)5xc=rE+8x zdjQ+jb~aFgzKG}n?o&M@-)|y4#kXiT4ux^UuS8s83zgF}P=Pb;Jz_T^ey0YENc@OH z{LVlI6z7DzNW_y=oRqqo&XCQ^y~3=M&Rn{ittEJiWFysitY=$PB;FZPJzjj9PrL*@ zN@Z}DvH`1?sb~9UP0UBhv|)z0MM{$E$tOGAyz20t*E02wNICiG#8{HvE^Q5=`;-01 zZ&7N@Af`E~nHSfa4OX(=UZZ>nkNFld7d$|SPn1BXUC>bkUB7BdG@uKnwex;OT;Vq# zA4Hg7g5G4IB@O(-BsprhQmsRxv5-Mr7G*?pF;{~dG}WRWEx z?GW%3FkZ(;If)rGh5HM4xZ-`@x!kR?1#Kuc4-O8*N&z&9DGhuqg=fLeM1kpLFP1t$ zuH+RV>i|T#LajoA%PbK(^|Te;S*~eE?h0W(F^r!GOAOzXVb1PmibArOzQA-I?P^G( zQ)%QJ?Y?g`s3y{xv0?cV5_NS*R<$L>KSsxp*wnV-1MZVbru7ogr0 zTFa{nZ$Su^UD4lQ;-hKG06}nBP)Hw5g8WEGYZ`aL5fQoAtm!fdveDTSkxtqWRjYg& z6*cK8rl5(6l=f+z<+<5bK5#*bh0QXlfpUk7?k20EK#g+}@PQB-yfTvY`I$rNfw1G` z_-QLqTokFc-Tpqw$*19@sHN$5l7mG3>2iT8bM+p#ngxZzgYlFK2YF(*#B*?c%fZvtt2!y~uIB=N#w#B&EACV-6pw^2k? zwev=ME_;Gbk?C~J^SQCZ#Ky7BES1=vsb0`=u=XR)2rdOu^#bpM4FV%Eu0kRC1z+c_w~kEJ;hf- zob+9GJU7DyXtIay4b~odHNGZ5>^Ti9F<26*@}%iK*ms+rCM2xzLpGM$DO=oP8!{!P zmtmk=jJVP5a%GULU>*5J$pXFm%h%g*^LNFnn%{m6AJrrfzVt4Rt;Fx=*yRHV?-AoJ zOHI>@>4ij1%plqZSH8_aZFdwMH|K+@*4HnYZ&Kg%d=DS*8qymkQ-H_W#*JLUrx?bT z?O9|JAu%mB)=TBk{W{C_9MMh(C_Y zP*AE=O#Vz+Sqi{}jL{qzQma?XGHg!(6I-Vlta#VwPz7LGX|hqcjEJ1nUk{ z+Cx15b{l5ZuiNxBW`-H+$Z#`53~Uhs2pUn1Oh&cEFQq63wK9BQ2b;%vPd*Ic@?0Q= z*Tt5qw>2E$f)G%hzt3={0fe6_cR!e!T4K$1~CRz6S)w*Kw2 zBAa-l{3YepqpsTP+nfg!{kvhZe4w1WhhPE^m`~4B5xk#B`V%9@je7xR%Dy~w{*hUN zNy2n<0ic46I?ouQuYqu4K-20Y9jc%_ELjIoLFM=i+$=?)X2Ju>T*|1b@jikVNi3;t z!G@6wc-qQW-B|E{ZTdOXroTrWF8c_@p1<{~Gl1#m@Q448hffbq&M)QQ{z)DuQl2(4 zWkh`?hssh2>3=cZEclq-iV(7T_VG_sRSU>Iz`E)te@vwUaVPKkzO_a;JlFBH1c! z8B{h_4ZYWeJ-*1{RDx~`u_6vskJHaKsU&_git6tu9wcCqxr1I0H_pNumtHADzaxv2 zldYL%vqo~u{?qf5&58GU1uHAx@~kXe{}+_qZ-whq_4Q+b4>PVIxgIB&V)W$f8^m+k zeQ#=@m-#zKJga`z)HPIsS=ftY)I3HfFM#3-~dXq_J%08EmjGhLj859ZHN zO%V_P6ATinfOIfx%&z>N1?l<1Dek{qG7@{?YiRe;;N1K{b+EjH8> z{S!4_-<)VU0jMG;lKB0>vMJCi7Z#%GrSy-moA*l}Eda(S%>iKC>gY=(*&%KoTZ=w9 z_i3l(kt)sCg4ka06|-WXRCF((mlJ5>~l77sLb|VZ@!EUUn_2}%DtOYMJ;GqF!7<3VJkA_<4Vew z1xf;w(q})u4z^2mL(Ztq38jBTqi|d`wFZPwk*U<-bfCLqcLMhWC|uZHDgLM_nidhH z-~^iU+%G^7y5UfFWSK`8wx3ZWy+6#z>a8zvdE-TuCKfbZ4HqDr?+id=&jgs_VuHS9 z@_V`CP)0;iSj;batsJHO(_qU6!knFEbpR7$yP?XmbJCNGD3Q^Q1Z$Xk#)qO_q(i6( zNqq>uX|Fc|g#!WUnXz0mR+)I$4HDmV!zX8Mwm21%``*4woCAFNjr>Zb$4BIo#WVtl4*=Rm%EI)(Kf15)QZv1d-!?r&wOdaME6?^mI z)HTG(czGF6R?9nIcSaubCks%=1hgo8*&Hi(bTn!L+{N;VJ81(DL@2^z%6AAA?4GyP zvrm;s@n^&yLX4Jxb;u}H87g?Fj_bJ$$l`+N%f88!O{GMt?SSG7@Sw`MPS)3OK1Olcq`gshGGLK@_K>W^3Q%Ch8N8v^iX?cmeQ zc%`d)7Q>b`KCe39#~up~7ClhOd=owS&KCI2t}t1^U+#2_;4Ulb#OMxu!pI(rNr8s# zo1j@iq1BkU4{B+asyseNjQ6Qdsh5heJ=urO(!^g{;MQ&E-wb^L`UcOXA?F{7sqNBQ zf~G(tZpyt8uC7Gh%)r72YMZS9e3DNROD0lrn!`T^bv2=wMiMmuK;=PkF4|TaCn@XF zYlHRz!(P*J-9d3s)!Udvngt$zc$_f1h|BP ziEXttNWiZQ2B3Zy020cR&xNbXVw#VQ%b37iB;eUij*EE*PWN;e_jav*W~0PYv^*8K z6L*SPF+n3Oy&P=~C=!0?>-Qk;=JG8j#3U{TjVA`BMxHa5yl+0KcA_;6TcFl(biNjP zCWd=u^r^cUd+wdrHwSqJa7@%*PogMWj{^AU9b0f`N$Gn(65=(=O__-E=)K5(^W{eF zDoVwIWw|mjZLwmpFnNt!)yV9!%wCPkC^O;?;~s-tf2{P%7q!&$s4N%;%&OhISC7y3 zL=F4Oq}%~!Y*;`iQwJFY+cOoQnq+sS0|KuGO>S$l2&palsp2Hiv)uVvSrG2TK1=&b zwH9oAbm^`%DGTX8sw%|tsiL8(3hF&uic}xvV#A&Gf{tkVTXs!(or{-@I`Rv1e9c9ck6B}6lq{34 z7c&8xQ(P)fB|x8VNh?wzDLCftJMnuf5+%UIcOc0YNBEqfh@Qa!MLiH*W4*_Xt6iGT zqac-8otT`AT3K&@DQ2{IUQ4SrDuy4+l7O)f#ae&Th|%Oi(bQ5xM%E>Se|p&>W>q2~ zxM&oRX5)&!6h*f5-_?AP&3K!0$q)o1+C*&LNUh6kf9e63YXJ>bQyW#POn(5f%z0}( z6qJzzpbWjG2@*)~i+n;fURZz^QQ{rjK43MK1hZAVLpN_<{(g}X+LJB!rA<}`FmSW{ zBtO~0PcQZ`E)JxcIev+E;M028as*FiTL2|>S-lGMxu%PtaLO&gr+Qkc&I=Ly)FNIv zluK7Pv&8W6!|OWr#0ZkN8p32}lJc#Vr$bpMg|?lamM}8}l0bRv!U54t>T}+$FD0hS z4Y%0$TD<&IoNH`$@>}MolQ;}@Rj$8kDHWeobS4WvQ1=U9Xr7h0p(Rf}uO#W2Krr4n zR}ntUdwTU|iw^xc9w~Egh0|?aL?+`0KO9jmGFYsWKO!5~h`OcEAJRBc!D2K<@|Xh0 zqvbxmQyNrhSX6TekP!xSF)|czVo3%HY>)Sqb0JhIN%YPT zXiXk)N38*q$23qym~E7GC@5+Y&l&@ij5~*(6fC7cX9%( zrFl?sz%r1jnOdJ18>()3>$7BM?HzkP~wvNYUFqI)~!>4bSJp za7V@7*#qFB#->Ua=$|c?JRqZS8ryGS&!k(whHhV>sf|t7Q~S6^PQMUdr(#E(@UUj5 zlE7pefT=H+=u)MMC2E3B;0gC@l=Ff`9EvlWjc~BEfx0+PR}Oz#X6`vyi^;HSN+o^s zJu`ymqXp%-rJ3|>9`OlB zxdz2iWrT&ik3giC#V@h_;Qr|k^_hrn!;28=PMovu(E*vhBrV)_KQx*~1uIE%1=)^S z3clcNv{p&{#DZ~?%4?cFUhZbc;x_BIa%Dm)H@`Ji2&pGPwY5!JF)Lmf#18P+BCLC- zZ)j4&K6s@CU9RJBg{AS?(i^O+_yAdFyA{_!n7EAsl07p6nOXDMVIf7~L>)c0s$Fb) z$Qa%FKsox%!0g0yKVW9|?Z55;%cIW#rubuHVoW}@Bqk<~chqWl=@s!j$;b#rPD^g67PThIlIzVvTR7LF%!={PF=Wp@E!F%vig^}t-Bsa%RhfT1i%%~ z0W?G~2<)w!EDA#YQq3%JnK}EHU;Tw-_-dh$3~|A@KR=rj3hn^}GN0Pzdh!1wID?E? zA|UhCF=izB$+%n$G;k+^@uU4-%^QuE3uIS?)uJmaGBXtyCpFRYmXx)%QIe&|xDB*!CdfJ;_j zhY>s&*aU=-?{NiMZxkt5Lp&u~TEis48r1I{fpDKm9aJ4>6eQONa%1tsAKixb0^&ll zm8LdG**;T~6TI8X?JAEyef7>tQNNn2+S+3uckyJP;`F$C9;Y4-G~0^ zYaVg>Edu^4p)0H0O3y{eTo-#wmuf(s^iKXR*mdd!!7YaL zpM2}sNm2Z#LwJ#o!l~%IIQ)xO zh6*>2e=M6JjrGszibI~tT47>e;lo$jQ_h^Iaw|E5fS%~AbtIkB7@)z~5?hXBDKY6{ z5jHN?eA#>;=y&Ql1llV}MIKhWyMe~e+v@Nv@~fpuY&Ec_M2{x1l@i_@Uf_|kfB;Q7 zf|KqtG2|$-hXGsPFYDrKVXPVnM5SM65|}R)B2evmuOzwPACUQyg#FvtTIk42qK%|| zyw4h@eeHm0Xk|2(l%5Ba=(fM`JfQA)j87GtDOK0K?I?p-m-X97o|yzjb-$EGyhnhzRm0*+gq zZhhDNGY>d8D!SYVc$$buBe2YxcjPY+p#3GUv(L%%C1@E~5%B0O&`53k6yQj0<~bhV5H94PE|4CeM120Qe7~VJTq~wF kXa6SPfTYKS1OJ)lrK(Ngo9!I|JmQ_f)78&qol`;+05laSKmY&$ diff --git a/versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP9/README.md b/versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP9/README.md deleted file mode 100644 index a8cae83d..00000000 --- a/versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP9/README.md +++ /dev/null @@ -1,132 +0,0 @@ ---- -slug: /MEP-9-no-open-ports-to-the-data-center -title: MEP-9 -sidebar_position: 9 ---- - -# No Open Ports To the Data Center - -Our metal-stack partitions typically have open ports for metal-stack native services, these are: - -- SSH port on the firewalls -- bmc-reverse-proxy for serial console access through the metal-console - -These open ports are potential security risks. For example, while SSH access is possible only with private key it's still vulnerable to DoS attack. - -Therefore, we want to get rid off these open ports to reduce the attack surface to the data center. - -## Requirements - -- Access to firewall SSH only via VPN -- Easy to update VPN components - -As a next step, we can also consider joining the management servers to the VPN mesh, which would replace typical WireGuard setups for operators to enter resources inside the partition. - -## High Level Design - -[](./architecture.svg) - -> Simplified drawing showing old vs. new architecture. - -### Concerns - -There's few concerns when using WireGuard for implementing VPN: - -1. WireGuard doesn't implement dynamic cipher substitution. Which is important in case one of the crypto methods, used by WireGuard will be broken. The only possible solution for that will be to update WireGuard to a fixed version. -2. Coordination server(Headscale) is a single point of failure. In case it fails, it potentially can disconnect existing members of the network, as WireGuard can't manage dynamic IPs by itself. -3. Headscale is already falls behind Tailscale coordination server implementation. Which can complicate the upgrade to newer version of Tailscale client in case of emergency. - -### Solutions to concerns - -1. Tailscale node software is using userspace implementation of WireGuard -- `wireguard-go`. One of the options is to inject Tailscale client into `metalctl`. And make it available as `metalctl vpn` or similar command. It should be possible to do as `tailscale` node is already available as open sourced Go pkg. That would allow us to control, what version of Tailscale users are using and in case of any critical changes to enforce them to update `metalctl` to use VPN functionality. -2. Would it be a considerable risk? We could look into `wg-dynamic` project to cover this problem. -3. At the moment, repository looks well maintained and the metal-stack team already contributes to it. - -## Implementation Details - -### metal-roles - -`metal-roles` will be responsible for deployment of `headscale` server(via new `headscale` role). It also should provide sufficient config to `metal-api` so it establishes connection with `headscale` gRPC server. - -### New `metalctl` commands - -`metalctl` will be responsible for client-side implementation of this MEP. Specifically, it's by using `metalctl` user expected to connect to firewalls. - -- `metalctl vpn` -- section for VPN related commands: - - `metalctl vpn get key [vpn name] --namespace [namespace name]` -- returns auth key to be used with `tailscale` client for establishing connection. - -Extend `metalctl firewall`: - -- `metalctl firewall ssh [ID]` -- connect to firewall via SSH. - -Extend `metalctl machine`: - -- `metalctl machine ssh [ID]` -- connect to machine via SSH. - -`metalctl` will be able to connect to firewall and machines by running `tailscale` in container. - -### metal-api - -Updates to `metal-api` should be made, so that it's able to add firewalls to VPNs. There should be one Tailscale namespace per project. So if multiple firewalls are created in single project, they will join the same namespace. - -Two new flags should be introduced to connect `metal-api` to `headscale` gRPC server: - -- `headscale-addr` -- specifies address of Headscale grpc API. -- `headscale-api-key` -- specifies temporary API key to connect to Headscale. It should be replaced and then rotated by `metal-api`. - -If `metal-api` initialized with `headscale` connection it should automatically join all created firewalls to VPN. - -Add new endpoint, that will be used by `metalctl` to connect to VPN: - -- `/v1/vpn GET` -- requests auth key from `headscale` server. - -### metal-hammer - -`metal-hammer` acts as an intermediary for machine configuration between `metal-api` and machine's image. Specifically it writes to `/etc/metal/install.yaml` file, data from which later will be used by image's `install.sh` file. - -To implement VPN support we have to add authentication key and VPN server address to `install.yaml` file. This key will be used to join machine to a VPN. - -### metal-images - -Images `install.sh` script have to be updated to work with authentication key and VPN server address, provided in `install.yaml` file. If this key is present, machine should connect to VPN. - -### metal-networker - -`metal-networker` also have to know if VPN was configured. In that case we need to disable public access to SSH and allow all(?) traffic from WireGuard interface. - -### firewall-controller - -`firewall-controller` have to monitor changes in `Firewall` resource and keep `tailscaled` version up-to-date. - -### Resources - -Update `Firewall` resource to include desired/actual `tailscale` version: - -``` -Firewall: - Spec: - tailscale: - Version: Minimal version - ... - Status: - ... - VPN: - Status: Boolean field - tailscale: - Version: Actual version - ... -``` - -### bmc-reverse-proxy - -TODO - -## References - -1. [WireGuard: Next Generation Secure Network Tunnel](https://www.youtube.com/watch?v=88GyLoZbDNw) -2. [How Tailscale works](https://tailscale.com/blog/how-tailscale-works) -3. [Tailscale is officially SOC 2 compliant](https://tailscale.com/blog/soc2) -4. [Why not Wireguard](https://www.ipfire.org/blog/why-not-wireguard) -5. [Wireguard: Known Limitations](https://www.wireguard.com/known-limitations/) -6. [Wireguard: Things That Might Be Accomplished](https://www.wireguard.com/todo/) -7. [Headscale: Tailscale control protocol v2](https://github.com/juanfont/headscale/issues/526) diff --git a/versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP9/architecture.drawio b/versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP9/architecture.drawio deleted file mode 100644 index adb09214..00000000 --- a/versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP9/architecture.drawio +++ /dev/null @@ -1,324 +0,0 @@ - - - - - - - -
-
-
- Metal Control Plane -
-
-
- - - Metal Control Plane - - - - - - - -
-
-
- metal-stack -
- Partition -
-
-
- - - metal-stack... - - - - - - - -
-
-
- firewall -
-
-
- - - firewall - - - - - - - - -
-
-
- machine -
-
-
- - - machine - - - - - - - -
-
-
- ssh -
-
-
- - - ssh - - - - - - - -
-
-
- bmc-proxy -
-
-
- - - bmc-proxy - - - - - - - - - - - - - -
-
-
- Metal Control Plane -
-
-
- - - Metal Control Plane - - - - - - - -
-
-
- metal-stack -
- Partition -
-
-
- - - metal-stack... - - - - - - - -
-
-
- firewall -
-
-
- - - firewall - - - - - - - - -
-
-
- machine -
-
-
- - - machine - - - - - - - -
-
-
- ssh -
-
-
- - - ssh - - - - - - - - - -
-
-
- bmc-proxy -
-
-
- - - bmc-proxy - - - - - - - -
-
-
- headscale -
-
-
- - - headscale - - - - - - - - - - - - - -
-
-
- tailscaled -
-
-
- - - tailscaled - - - - - - - - - -
-
-
- tailscaled -
-
-
- - - tailscaled - - - - - - - -
-
-
- Internet -
-
-
- - - Internet - - - - - - - -
-
-
- Internet -
-
-
- - - Internet - - - - - - - - - Viewer does not support full SVG 1.1 - - - - diff --git a/versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP9/architecture.svg b/versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP9/architecture.svg deleted file mode 100644 index fd268d2f..00000000 --- a/versioned_docs/version-v0.21.11/contributing/01-Proposals/MEP9/architecture.svg +++ /dev/null @@ -1 +0,0 @@ -
Metal Control Plane
Metal Control Plane
metal-stack
Partition
metal-stack...
firewall
firewall
machine
machine
ssh
ssh
bmc-proxy
bmc-proxy
Metal Control Plane
Metal Control Plane
metal-stack
Partition
metal-stack...
firewall
firewall
machine
machine
ssh
ssh
bmc-proxy
bmc-proxy
headscale
headscale
tailscaled
tailscaled
tailscaled
tailscaled
Internet
Internet
Internet
InternetText is not SVG - cannot display \ No newline at end of file diff --git a/versioned_docs/version-v0.21.11/contributing/01-Proposals/_category_.json b/versioned_docs/version-v0.21.11/contributing/01-Proposals/_category_.json deleted file mode 100644 index 2e7fa4bf..00000000 --- a/versioned_docs/version-v0.21.11/contributing/01-Proposals/_category_.json +++ /dev/null @@ -1,4 +0,0 @@ -{ - "position": 1, - "label": "Enhancement Proposals" -} \ No newline at end of file diff --git a/versioned_docs/version-v0.21.11/contributing/01-Proposals/index.md b/versioned_docs/version-v0.21.11/contributing/01-Proposals/index.md deleted file mode 100644 index 0f6eddc3..00000000 --- a/versioned_docs/version-v0.21.11/contributing/01-Proposals/index.md +++ /dev/null @@ -1,69 +0,0 @@ ---- -slug: /enhancement-proposals -title: Enhancement Proposals -sidebar_position: 1 ---- - -# Metal Stack Enhancement Proposals (MEPs) - -This section contains proposals which address substantial modifications to metal-stack. - -Every proposal has a short name which starts with _MEP_ followed by an incremental, unique number. Proposals should be raised as pull requests in the [website](https://github.com/metal-stack/website) repository and can be discussed in Github issues. - -The list of proposals and their current state is listed in the table below. - -Possible states are: - -- `In Discussion` -- `Accepted` -- `Declined` -- `In Progress` -- `Completed` -- `Aborted` - -Once a proposal was accepted, an issue should be raised and the implementation should be done in a separate PR. - -| Name | Description | State | Progress | -| :------------------------------------------------------------- | :--------------------------------------------- | :-------------: | :----------------------------------------------------------------: | -| [MEP-1](MEP1/README.md) | Distributed Control Plane Deployment | `Declined` | | -| [MEP-2](MEP2/README.md) | Two Factor Authentication | `Aborted` | | -| [MEP-3](MEP3/README.md) | Machine Re-Installation to preserve local data | `Completed` | | -| [MEP-4](MEP4/README.md) | Multi-tenancy for the metal-api | `In Progress` | [releases#236](https://github.com/metal-stack/releases/issues/236) | -| [MEP-5](MEP5/README.md) | Shared Networks | `Completed` | | -| [MEP-6](MEP6/README.md) | DMZ Networks | `Completed` | | -| [MEP-7](https://github.com/metal-stack/docs-archive/pull/51) | Passing environment variables to machines | `Declined` | | -| [MEP-8](MEP8/README.md) | Configurable Filesystemlayout | `Completed` | | -| [MEP-9](MEP9/README.md) | No Open Ports To the Data Center | `Completed` | | -| [MEP-10](MEP10/README.md) | SONiC Support | `Completed` | | -| [MEP-11](MEP11/README.md) | Auditing of metal-stack resources | `Completed` | | -| [MEP-12](MEP12/README.md) | Rack Spreading | `Completed` | | -| [MEP-13](MEP13/README.md) | IPv6 | `Completed` | | -| [MEP-14](MEP14/README.md) | Independence from external sources | `Completed` | | -| [MEP-15](https://github.com/metal-stack/docs-archive/pull/232) | HAL Improvements | `In Discussion` | [releases#238](https://github.com/metal-stack/releases/issues/238) | -| [MEP-16](MEP16/README.md) | Firewall Support for Cluster API Provider | `Accepted` | [releases#237](https://github.com/metal-stack/releases/issues/237) | -| [MEP-17](MEP17/README.md) | Global Network View | `In Discussion` | | -| [MEP-18](MEP18/README.md) | Autonomous Control Plane | `In Discussion` | | - -## Proposal Process - -1. Before starting a new proposal, it is advised to have a quick chat with one of the maintainers. -2. Create a draft pull request in the [website](https://github.com/metal-stack/website) repository with your proposal. Your proposal doesn't have to be finished at this point. -3. Share the PR in the [metal-stack Slack](https://metal-stack.slack.com/) and invite maintainers to review it. -4. The review itself will probably take place in multiple iterations. Don't be discouraged if your proposal is not accepted right away. The goal is to reach consensus. -5. Once your proposal is accepted, create an umbrella issue in the relevant repository or when multiple repositories are involved in the [releases](https://github.com/metal-stack/releases). -6. Other issues should be created in different repositories and linked to the umbrella issue. -7. Unless stated otherwise, the proposer is responsible for the implementation of the proposal. - -## How to Write a Good MEP - -In the first section of your MEP, start with the current situation and the motivation for the change. Summarize your proposal briefly. - -Next follows the main part: describe your proposal in detail. Which parts of of metal-stack are affected? Are there API changes? If yes, describe them and provide examples here. -Try to think of side effects your proposal might have. Try to provide a view on how your proposal affects users of metal-stack. -Highlight breaking changes and think of a migration path for existing users. If your proposal affects multiple components, try to describe the interaction between them. - -After the main part of your proposal, feel free to add additional sections, e.g. about alternatives that were considered, non-goals or future possibilities. - -Depending on the complexity of your proposal, you might want to add a section about the implementation plan or roadmap. - -You can have a look at the existing MEPs for inspiration. As you will notice: not every MEP has the same structure. Feel free to structure your MEP in a way that makes sense for your proposal. diff --git a/versioned_docs/version-v0.21.11/contributing/02-planning-meetings.mdx b/versioned_docs/version-v0.21.11/contributing/02-planning-meetings.mdx deleted file mode 100644 index df10177b..00000000 --- a/versioned_docs/version-v0.21.11/contributing/02-planning-meetings.mdx +++ /dev/null @@ -1,120 +0,0 @@ ---- -slug: /planning-meetings -title: Planning Meetings -sidebar_position: 2 ---- - -# Planning Meetings - -Public planning meetings are held **biweekly** on **odd calendar weeks** from **14:00 to 14:30** (Berlin/Europe timezone) on Microsoft Teams. The purpose is to provide an overview of our current projects and priorities, as well as to discuss new topics and issues within the group. - -export function PlanningMeetingDatesTable() { - const today = new Date(); - const dayOfWeek = today.getDay(); - - let daysUntilMonday = 0; - switch (dayOfWeek) { - case 0: - daysUntilMonday = 1; - break; - case 1: - daysUntilMonday = 0; - break; - default: - daysUntilMonday = 8 - dayOfWeek; - } - - const nextMonday = new Date(); - nextMonday.setDate(nextMonday.getDate() + daysUntilMonday) - - let onejan = new Date(today.getFullYear(), 0, 1); - let week = Math.ceil((((nextMonday.getTime() - onejan.getTime()) / 86400000) + onejan.getDay() + 1) / 7); - - if (week % 2 === 0) { - nextMonday.setDate(nextMonday.getDate() + 7) - } - - const blacklist = [ - new Date('2025-12-29'), - ] - - const amount = 8 - const dates = []; - - for (let i = 0; i < amount; i++) { - const nextDate = new Date(nextMonday); - nextDate.setDate(nextDate.getDate() + (i * 14)) - - if (blacklist.find(item => {return item.toDateString() == nextDate.toDateString()}) !== undefined ) { - continue - } - - dates.push(nextDate.toDateString()) - } - - return ( - - - - - - - - - - {dates.map((date, index) => ( - - - - - - ))} - -
DateTimeLink
{date}14:00 – 14:30Join Link
- ) -} - - - -Our [development planning board](https://github.com/orgs/metal-stack/projects/34) can be found on GitHub. - -[//]: <> (The C025PB1EUKC in the slack url references the #devs channel.) -If you want to get an invitation to the event, please drop us a line on our [Slack channel](https://metal-stack.slack.com/archives/C025PB1EUKC). - -Planning meetings are currently not recorded. The meetings are held either in English or German depending on the attendees. - -:::info -Note that anyone can contribute to metal-stack without participating in planning meetings. However, if you want to speed up the review process for your requirements, it might be helpful to attend the meetings. -::: - -## Agenda - -Here is the agenda that we generally want to follow in a planning meeting: - -- Possibility to bring up news that are interesting for every developer of the metal-stack org -- Check `Done` column and archive cards - - Attendees have the chance to briefly present achievements if they want -- Check the `In Progress` column and discuss whether these tasks are still worked on, there were significant blockers or they can be lower-prioritized -- Check new issues labelled with `triage` and prioritize them -- Allow attendees to bring up issues and prioritize them - - Attendees have the chance to briefly present these new issues - -## Idea Backlog - -The backlog contains ideas of what could become part of the roadmap in the future. The list is ordered alphabetically. Therefore, the order does not express the importance or weight of a backlog item. - -We incorporate community feedback into the roadmap. If you think that important points are missing in the backlog, please share your ideas with us. We have a Slack channel. Please check out [metal-stack.io](https://metal-stack.io) for contact information. - -:::danger -By no means this list is a promise of what is being worked on in the near future. It is just a summary of ideas that was agreed on to be "nice to have". It is up to the investors, maintainers and the community to choose topics from this list and to implement them or to remove them from the list. -::: - -- Add metal-stack to [Gardener conformance test grid](https://testgrid.k8s.io/gardener-all) -- Autoscaler for metal control plane components -- CI dashboard and public integration testing -- Improved release and deploy processes (GitOps, [Spinnaker](https://spinnaker.io/), [Flux](https://fluxcd.io/)) -- Machine internet without firewalls -- metal-stack dashboard (UI) -- Offer our metal-stack extensions as enterprise products (accounting, cluster-api, S3) (neither of them will ever be required for running metal-stack, they just add extra value for certain enterprises) -- Partition managed by Kubernetes (with Kubelets joining the control plane cluster) -- Public offering / demo playground diff --git a/versioned_docs/version-v0.21.11/contributing/03-contribution-guideline.md b/versioned_docs/version-v0.21.11/contributing/03-contribution-guideline.md deleted file mode 100644 index 010c2a05..00000000 --- a/versioned_docs/version-v0.21.11/contributing/03-contribution-guideline.md +++ /dev/null @@ -1,147 +0,0 @@ ---- -slug: /contribution-guideline -title: Contribution Guideline -sidebar_position: 3 ---- - -# Contribution Guideline - -This document describes the way we want to contribute code to the projects of metal-stack, which are hosted on [github.com/metal-stack](https://github.com/metal-stack). - -The document is meant to be understood as a general guideline for contributions, but not as burden to be placed on a developer. Use your best judgment when contributing code. Try to be as clean and precise as possible when writing code and try to make your code as maintainable and understandable as possible for other people. - -Even if it should go without saying, we live an open culture of discussion, in which everybody is welcome to participate. We treat every contribution with respect and objectiveness with the general aim to write software of quality. - -If you want, feel free to propose changes to this document in a pull request. - -## How Can I Contribute? - -Open a Github issue in the project you would like to contribute. Within the issue, your idea can be discussed. It is also possible to directly create a pull request when the set of changes is relatively small. - -When opening an issue please consider the following aspects: - -1. Create a meaningful issue describing the WHY? of your contribution. -1. Try to set appropriate labels to the issue. For example, attach the `triage` label to your issue if you want it to be discussed in the next [planning meeting](./02-planning-meetings.mdx). It might be useful to attend the meeting if you want to emphasize it being worked on. - -### Pull Requests - -The process described here has several goals: - -- Maintain quality -- Enable a sustainable system to review contributions -- Enable documented and reproducible addition of contributions - -1. Create a repository fork within the context of that issue. Members of the organization may work on the repository directly without a fork, which allows building development artifacts more easily. -1. Develop, document and test your contribution (try not to solve more than one issue in a single pull request). -1. Create a Draft Pull Request to the repository's main branch. -1. Create a meaningful description of the pull request or reference the related issue. The pull request template explains what the content should include, please read it. -1. Ask for merging your contribution by removing the draft marker. Repository maintainers (see [Code Ownership](#code-ownership)) are notified automatically, but you can also reach out to people directly on Slack if you want a review from a specific person. - -## General Objectives - -This section contains language-agnostic topics that all metal-stack projects are trying to follow. - -### Code Ownership - -The code base is owned by the entire team and every member is allowed to contribute changes to any of the projects. This is considered as collective code ownership[^1]. - -As a matter of fact, there are persons in a project, which already have experience with the sources. These are defined directly in the repository's [CODEOWNERS](https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners) file. If you want to merge changes into the master branch, it is advisable to include code owners into the process of discussion and merging. - -### Microservices - -One major ambition of metal-stack is to follow the idea of [microservices](https://en.wikipedia.org/wiki/Microservices). This way, we want to achieve that we can - -- adapt to changes faster than with monolithic architectures, -- be free of restrictions due to certain choices of technology, -- leverage powerful traits of cloud infrastructures (e.g. high-scalability, high-availability, ...). - -### Programming Languages - -We are generally open to write code in any language that fits best to the function of the software. However, we encourage [golang](https://en.wikipedia.org/wiki/Go_(programming_language)) to be the main language of metal-stack as we think that it makes development faster when not establishing too many different languages in our architecture. Reason for this is that we are striving for consistent behavior of the microservices, similar to what has been described for the Twelve-Factor App (see [12 Factor](https://12factor.net/)). We help enforcing unified behavior by allowing a small layer of shared code for every programming language. We will refer to this shared code as "libraries" for the rest of this document. - -### Artifacts - -Artifacts are always produced by a CI process (Github Actions). - -Docker images are published on the Github Container Registry of the metal-stack organization. - -Binary artifacts or OS images can be uploaded to `images.metal-stack.io` if necessary. - -When building Docker images, please consider our build tool [docker-make](https://github.com/fi-ts/docker-make) or the specific [docker-make action](https://github.com/fi-ts/action-docker-make) respectively. - -### APIs - -We are currently making use of [Swagger](https://swagger.io/) when we exposing traditional REST APIs for end-users. This helps us with being technology-agnostic as we can generate clients in almost any language using [go-swagger](https://goswagger.io/). Swagger additionally simplifies the documentation of our APIs. - -Most APIs though are not required to be user-facing but are of technical nature. These are preferred to be implemented using [grpc](https://grpc.io/). - -#### Versioning - -Artifacts are versioned by tagging the respective repository with a tag starting with the letter `v`. After the letter, there stands a valid [semantic version](https://semver.org/). - -### Documentation - -In order to make it easier for others to understand a project, we document general information and usage instructions in a `README.md` in any project. - -In addition to that, we document a microservice in the [docs](https://github.com/metal-stack/docs) repository. The documentation should contain the reasoning why this service exists and why it was being implemented the way it was being implemented. The aim of this procedure is to reduce the time for contributors to comprehend architectural decisions that were made during the process of writing the software and to clarify the general purpose of this service in the entire context of the software. - -## Guidelines - -This chapter describes general guidelines on how to develop and contribute code for a certain programming language. - -### Golang - -Development follows the official guide to: - -- Write clear, idiomatic Go code[^2] -- Learn from mistakes that must not be repeated[^3] -- Apply appropriate names to your artifacts: - - [https://go.dev/talks/2014/names.slide](https://go.dev/talks/2014/names.slide) - - [https://go.dev/blog/package-names](https://go.dev/blog/package-names) - - [https://go.dev/doc/effective_go#names](https://go.dev/doc/effective_go#names) -- Enable others to understand the reasoning of non-trivial code sequences by applying a meaningful documentation. - -#### Development Decisions - -- **Dependency Management** by using Go modules -- **Build and Test Automation** by using [GNU Make](https://man7.org/linux/man-pages/man1/make.1p.html). -- **End-user APIs** should consider using go-swagger and [Go-Restful](https://github.com/emicklei/go-restful) - **Technical APIs** should consider using [grpc](https://grpc.io/) - -#### Libraries - -metal-stack maintains several libraries that you should utilize in your project in order to unify common behavior. Some of these projects are: - -- [metal-go](https://github.com/metal-stack/metal-go) -- [metal-lib](https://github.com/metal-stack/metal-lib) - -#### Error Handling with Generated Swagger Clients - -From the server-side you should ensure that you are returning the common error json struct in case of an error as defined in the `metal-lib/httperrors`. Ensure you are using `go-restful >= v2.9.1` and `go-restful-openapi >= v0.13.1` (allows default responses with error codes other than 200). - -### Documentation - -We want to share knowledge and keep things simple. If things cannot kept simple we want to enable everybody to understand them by: - -- Document in short sentences[^4]. -- Do not explain the HOW (this is already documented by your code and documenting the obvious is considered a defect). -- Explain the WHY. Add a "to" in your documentation line to force yourself to explain the reasonning (e.g. "` to `"). - -### Python - -Development follows the official guide to: - -- Style Guide for Python Code (PEP 8)[^5] - - The use of an IDE like [PyCharm](https://www.jetbrains.com/pycharm/) helps to write compliant code easily -- Consider [setuptools](https://pythonhosted.org/an_example_pypi_project/setuptools.html) for packaging -- If you want to add a Python microservice to the mix, consider [pyinstaller](https://github.com/pyinstaller/pyinstaller) on Alpine to achieve small image sizes - -[^1]: [https://martinfowler.com/bliki/CodeOwnership.html](https://martinfowler.com/bliki/CodeOwnership.html) - -[^2]: [https://go.dev/doc/effective_go](https://go.dev/doc/effective_go) - -[^3]: [https://github.com/golang/go/wiki/CodeReviewComments](https://github.com/golang/go/wiki/CodeReviewComments) - -[^4]: [https://github.com/golang/go/wiki/CodeReviewComments#comment-sentences](https://github.com/golang/go/wiki/CodeReviewComments#comment-sentences) - -[^5]: [https://www.python.org/dev/peps/pep-0008/](https://www.python.org/dev/peps/pep-0008/) diff --git a/versioned_docs/version-v0.21.11/contributing/04-release-flow.md b/versioned_docs/version-v0.21.11/contributing/04-release-flow.md deleted file mode 100644 index 2a6403b7..00000000 --- a/versioned_docs/version-v0.21.11/contributing/04-release-flow.md +++ /dev/null @@ -1,107 +0,0 @@ ---- -slug: /release-flow -title: Release Flow -sidebar_position: 4 ---- - -# Releases - -The metal-stack contains of many microservices that depend on each other. The automated release flow is there to ensure that all components work together flawlessly for every metal-stack release. - -Releases and integration tests are published through our [release repository](https://github.com/metal-stack/releases). You can also find the [release notes](https://github.com/metal-stack/releases/releases) for this metal-stack version in there. The release notes contain information about new features, upgrade paths and bug fixes. - -If you want, you can sign up at our Slack channel where we are announcing every new release. Often, we provide additional information for metal-stack administrators and adopters at this place, too. - -This document is intended for developers, especially maintainers of metal-stack projects. - -## Release Flow - -The following diagram attempts to describe our current release flow: - -![](release_flow.svg) - -A release is created in the following way: - -- Individual repository maintainers within the metal-stack GitHub Organization can publish a release of their component. -- This release is automatically pushed to the `develop` branch of the release repository by the metal-robot. -- A push triggers a virtual release integration test using the mini-lab environment. This setup launches metal-stack with the `sonic` and `gardener` flavors to validate the different Ansible roles and execute basic operations across the metal-stack layer. -- To contribute components that are not directly part of the release vector, a pull request must be made against the `develop` branch of the release repository. Release maintainers may push directly to the `develop` branch. -- The release maintainers can `/freeze` the `develop` branch, effectively stopping the metal-robot from pushing component releases to this branch. -- The `develop` branch is tagged by a release maintainer with a `-rc.x` suffix to create a __release candidate__. -- The release candidate must pass a large integration test suite on a real environment, which is currently run by FI-TS. It tests the entire machine provisioning engine including the integration with Gardener, the deployment, metal-images and Kubernetes conformance tests. -- If the integration tests pass, the PR of the `develop` branch must be approved by at least two release maintainers. -- A release is created via GitHub releases, including all release notes, with a tag on the `main` branch. - -## FAQ - -**Question: I need PR #xyz to go into the release, why did you not include it?** - -Answer: It's not on purpose if we miss a PR to be included into a metal-stack release. Please use the pending pull request from `develop` into `master` as soon as it is open and comment which pull request you want to have included into the release. Also consider attending our planning meetings or contact us in our Slack channel if you have urgent requirements that need to be dealt with. - -**Question: Who is responsible for the releases? Who can freeze a release?** - -Answer: Every repository in metal-stack has a `CODEOWNERS` file pointing to a maintainer team. This is also true for the releases repository. Only release repository maintainers are allowed to `/freeze` a release (meaning the metal-robot does not automatically append new component releases to the release vector anymore). - -**Question: I can't push to the `develop` branch of this repository? How can I request changes to the release vector?** - -Answer: Most changes are automatically integrated by the metal-robot. For manually managed components, please raise a pull request against the `develop` branch. Only release maintainers are allowed to push to `develop` as otherwise it would be possible to mess up the release pipeline. - -**Question: What requirements need to be fulfilled to add a repository to the release vector?** - -Please see the section below named [Requirements for Release Vector Repositories](#requirements-for-release-vector-repositories). - -### Requirements for Release Vector Repositories - -Before adding a repository in the metal-stack org to the releases repository, it is advised for the maintainer to fulfill the following points: - -- The following files should be present at the repository root: - - [CODEOWNERS](https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners) - - When a repository is created, the metal-robot automatically creates a -maintainers team in our GitHub org. - - The CODEOWNERS file should reference this team. - - The team should contain at least two maintainers. - - `LICENSE` - - This usually should be MIT with "metal-stack" as authors. - - `CONTRIBUTING.md` - - This should contain the following content: - ``` - # Contributing - - Please check out the [contributing section](https://docs.metal-stack.io/stable/development/contributing/) in our [docs](https://docs.metal-stack.io/). - ``` - - `README.md` -- The `developers-core` team should be given repository access with `write` role, the codeowners team should have the `maintain` role -- Release artifacts should have an SPDX-formatted SBOM attached. - - For container images these are embedded using Buildx. -- The following branch protection rules should be set: - - The mainline should be protected. - - A pull request should be required before merging (required by at least one code owner). - - Status checks should be required to pass. - - Force push should not be allowed on this branch. -- One person from the releases maintainers has to add the repository to the metal-robot in order to pick up the releases, add them to the release vector and generate release notes. - -### How-To Release a Project - -[release-drafter](https://github.com/release-drafter/release-drafter) is preferred in order to generate release notes from merged PRs for your projects. It should be triggered for pushes on your main branch. - -The draft is then used to create a project release. The release has to be published through the GitHub UI as demonstrated in the screenshot below. - -**Tagging the repository is not enough as repository tagging does not associate your release notes to your release!** - -![](release.png) - -Some further remarks: - -- Use semver versions with `v` prefix for your tags -- Name your release after your release tag -- The metal-robot only picks up lines from your release notes that start with `-` or `*` (unordered list items) and appends them to the according section in the aggregated release draft -- A tag created through a GitHub UI release does not trigger a `push` event . This means, your pipeline will not start to run with the `push` trigger when publishing through the UI. - - Instead, use the `published` [release event trigger](https://docs.github.com/en/actions/reference/events-that-trigger-workflows#release) for your actions: - - ```yaml - on: - release: - types: - - published - ``` -- In case they are necessary, please do not forget to include `NOTEWORTHY`, `ACTIONS_REQUIRED` or `BREAKING_CHANGE` sections into releases. More information on those release draft sections can be read in a pull request template. diff --git a/versioned_docs/version-v0.21.11/contributing/05-community.md b/versioned_docs/version-v0.21.11/contributing/05-community.md deleted file mode 100644 index 61eaf099..00000000 --- a/versioned_docs/version-v0.21.11/contributing/05-community.md +++ /dev/null @@ -1,11 +0,0 @@ ---- -slug: /community -title: Community -sidebar_position: 5 -draft: true ---- - -# Community - -(Slack channel, community events like FOSDEM, Kubernetes Community Days..., blog -articles) diff --git a/versioned_docs/version-v0.21.11/contributing/release.png b/versioned_docs/version-v0.21.11/contributing/release.png deleted file mode 100644 index 598b118221b61d55a2de4b4c1841cc6416892b6e..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 87019 zcmdqIg;yL)^Z1>R0Kr3W4<6iImY@NGyR*2vYX}xRxVr~;*TvnP#ogWE-7C5GKIi=Y zf$w|HEN9M8)6-L3RbAEd=^$BYF(i0g_*bu9A&GwxmVfmM3IzG7zJq~W38XvdeD&(% zD{;88uCkwW;aCVIm4cDEKIbCixj+Bav2LwExc^$4Ro;aAmZjhZs}a_(3Jw(Tz zm@b;i9M7IkH-kMp!L;cdgg18}UB;iKGe47(!b7Uw)UwY&mr&*K|J&$Kk&j}Xr$?XI z9P@RErAn}@R)_774{_C)S5$YAV6w6{Y;2vn76zDCVl?2X{~fSx_{}fagbhr7M}Y1m zjX0<#@8QbpLqa8LooSh(X;i%QAMt_at<-hs%D*i^;O!7F{S;x z)eHfIO>pu^lNAjOSz}xOHL_8Jw z`nq#L?cDgtwdMt8dHR1uI_ZBJcb1o>6VyoZs}9hRs|}{lD!@s(J-)M#gtrQ%M-aN% zIZD17LIP1m*4^IMAtZWE)`QDzQT5yN6_vD$R5$&v)DkJqIt#W0|9O=LGDxGRO;?YJ zvTFUoI#E*SR>w1l#Rn3j5v8Zbm%ajzr(bOP_qAyY;7iy=!8`7sc=#hPMZ&0OX?NPK zSmKl=gX{Z)bVi}f;)d@0q=iIRk9Ga66ZfZzRap;&B+^s|^H)B1o=z_INB;B7JE4y< z{%dJzdk$bsd!165I(hUKoQ}co4>517m&-Wq2IC zbZR(oA``p%)9!RW@l6TJPvHobjmgiZ8(g)PUfm0;scQP#2dI1fS}o7UovAt;e}ZT1K|f61C5=><46y}*!l^BqF^t7K zp)FldM0Bv6`4UE>BaQ$0i7Y=~s%W=F=~Vg1szEcx;v&z*^W$QUM!_6MF5(6h!(^>H z&ImzMf9ar^nWBCE7dK{idc%b2scq@#z7GNBY({6T`sns`z?Y9 z1_e8n^dfQ#mHd@d602F)Vp*GCYOFt3w`ga%nr3CyKeGovdS51^#q)$&4;SbrPy7>Y zOfiv4oW8qN<&z#v?yvf)OdkR*4zUc`Pmn3fAjhnN>Zs%K7vp6U;Wi6%Fpm9`;zA74l`B zbQ1p0LYj@Q#oRG!esPXxr(xx{AsLNCP#LjZDKM1887BD!f3{3M7j26$Idj9Y@~BE{ zUpZ2nFTy=RQ6J@i^Cd#rsJ7O~b9y9FcZA`fPv01O=ELVtAE~e;O1|ztrjRT$ zRFSww`zvC-M(rzu;zAD?)=@uNW3=eHyma2|`be}d)goFM%Lb657p*c?X^6JUP~syJ zd=95rSQ%zzUNSP~Z5#O{-m9ikpO%piB(R<+>s{Aej<|8KMdVHCD=Kp-&km%l3Dn9m zmGo`};Pe10xFwYBj9o2h+=wJMLc&Lyd2ZOLV4#IG?kXR?a1ycJ81_EPTIJ!o)C6E{ z4D6X!aV->Id*wv}H(22|`pT07wjGlyOjekn@UJ{rD^ZM(z(&2*n9T}p2zWOqy`vPV zgh%S~jgz$epQ8IBn7|I^r_A@E!eHx(*dv|eZmGm4R$5Y!5nI(E?eF>JCkpiWS8T5* zBy06XBgSKsN6(({;SgDV@*qCt0-*evxA_^L)n=d9o(x=54DjSkU?O7Z z9i2`hx+x~HIk>5Jy=OKukTH@;lsW*~Q>C4vRm~oPid-EvOO6yVgQ-)7!9W{39;ObM1#Mh0c9x7sZf@I~gY_A7; z7p{T?jvUh0saO+x!>=aC^PVu^CttR$n58;3ndWtVPp2Q-;2_f}yLXbXmoH0xvkV_| z%5cb|mjMC-I{};j)%rAeE!(!GLfPnI^<_>;65)6a}T9 zkUy1n+W*Y0%_Kibf%T7L-d`l#AN6A{B(`)Exzg@4@fd!6i)aY8 z!oB1P-^&L&oAYNd#wcRUf__gj=(2y@BU)4-Ove|uysjyWyFhyogCX1hQlK0rUu%KC z8oxthsq-*VhkT}DpUEjpOU|b5KMg*T z{mce(0zQ9H`}gGp-omGU^IPkj-Imw?EeHuHK21;`0&;2oO~k*wLsx$d2lB7o%U%Ch zl^_3*LixWd#q}XzV?7!Y`?F|%N0UDd)K&eDgfgwP0$uvIvHv-N9>agZjw}7gh9M`i zCJ-~mTF8qJ{wKkJr~@L!|Nko~J6^;C*8W|`y>FRgB$D0#wI4fW0aIX@e=cbTPZSa!0AO)?2*Ax_=;lInQFi(m-gjU)e6ZzS zPk!#EcHwr{b$-`Uico22)#^N8zI%5iSAjlwcdgnn~nT{6q++6X)H*jGg?S?q~>f+SC>ri2W*T>(DF5c^$(^7_V6n1tb7jB)=<;GP3F z2??pK{luz?wf4t2#*~*u9kYMDO7HiI({X&)`=r+S@SI~;1%FM%)9V)q+&T=(w!Cib z88e;o6X{w%+VRajca0^v;4KWY?J~DKwSTaVFmCuIUDhjjxBLCTQQZn0lx@H?x^w(U zYuM^s%ueb*#!1)hk&=GzV7rF8y6IDt+O3dI$^$D3h69aE!on66r+@Rc@?S?=6?3yd zH#1k^#jl(_skE2c;FojmEI&K#IHR&sbXj7X>W34~Ej+!c9<2;HyRrhFdFZ?~6^H98 zEIG9wy~q85jL^HVjApJy9oY{b?841kSx;OibV|P-kt=d7MtGe1>DK8}n#f~$|9olW za$d|6MBV2V0s*)mCR1!|z3x|3?&|L&Xx-G+ad)%NRj}Eell|%$f<9 z`p6fygWG7+k&8uNra8FE3*0d?5LWQlWd_E#Qkh@ox9@XIL}3Vxjzg_@dsoi#%;|C1 zQnCnoCf1eGEiQQoqTNv_7K-4bd#{LhmkiCC)gpH=V7=zAa2B%%DqPw%=0AnpHIc1w zi`}@cRO;X9c9v;%Wqwghu_SujmO(~YZ+T9>wK^dy9s+oV6QQ2p*aldJ=-(_|8)-=v zNpCL=qyLJ(FuLo4n`6fpjHs)e1RH5l4313RBX3`=U6`nXk2_Wl9ILHo(z$q4P`&gx zP`zqQuaagbbv9AOMsPVp<6(yKOmmAnuGHv1c-&Ju=~NlIG{tkh?BEP27D=n`D!EC$ zM3tDs^3Ar|-LERoEPd(>&aA0KckL(##vE|?t2n64T}P0UF1DQipf=qF7gJ8omQb{V zdYY;6E*;FLBgWH9aw-=u+(eR9-p*^h70y_FX8=Gv7=P;zS$k_2^dIO&$fdsE`?R&G zqS~ee8+&Ds&&sqL1USVQ89o5mjY&R@mhEa%>mIzU5Q8(MN!M26RomoHG+x9|q#v8u z5Ja%O>L<)8!bCNiP@Yx>5gRhG+Ok*nlP!|Qew5d*d{=v#v}0tbcK8SukmC?-rl(;?&}uErzXQ9&tMwlkfW6;uN_$k zDXMag!`;QV?+@NaQLN|}% zC3QVHP*xB?fiqW>)XZ=kL?;i~*ZbAz-vzVU2jbR6S{feIJ!P$Z!!t4%C#KwZJ(_Ku ztJ$A4)a^(FpB{z`h;=T~+Sx z{r&`V{Aa0(Tvq+cGOE{`HRsMCnUVJ8Uc6CnPYvK$AzYYrcZa-~umk*Yt9Cul!q2oA zfyxeC6iPfs?02nb{@$nzM%bX!vH6&)a3N!$Q2#pk(-k*&Lg%SOGaH;qNs3KHjX-qT z!0_r9TFWCU?MV|bEDRXpKz>qb6eli!}no(k3lGIVFz;^K7xKWa!*kp zE=kO; zq6-y0?OSp_Y_@xt?xi{$2%0kdiYJDt3-e zj}?;(YMRanr}l#8?wAoN1Cjw!>uFs{;@M*}$L;{cK&|`ma5NN!onf=vg`CQ*Ii>K! z#NGz2LC!oEUt32l6RRN_B96N3A0P|g{jk~l`k+_)XR%VxgJkF^?Q1p z4yWdBBbr~PrvNzh*C-PAO_SbVte@vwe=vYj3l*jVmlu&)Z0CDFmAwoU^qZS5H4uQW zarxC=_{(1LjOE$MKenbIKY<7`>i z!>rMKfg3G8TbhP6hD%F5fezsV;Y}TPrAzw@vv2BWnRH}d>;^YDLjs3tb8zxNY9MpT z#vr~r>KBs+_Lz51NwENmvEvpA{1tb~i6+ytegLEd593Owz3e@(j|h0{D;IF$H^ z3J~RDuJ?wuI@aix5kGFev%?V_ef}D%L#G^W))!7rWY5|ceq)Xfys6C&Rb@=(kmOI8 ziN-ubL29JS-PS0R>luu?YVtB#JeFzjJY_-7RWa5snleUtb6nq|VX?_L5I1a*O%RV@Xm)lj zB=?EPLnA9ZSGy%M#{0riyJWNXdK87pZ5+yMA#l>B3n+bz8wURd%^h*GMI6DlxjY^f zZ&dyzRi#1_d2P&9zeTj__PEc+KY=LWDVxq5RwZ8~u#nYk^1ap}fwbmKrL%~R8~cHe z{hdmoatSNt4dG_0&&FMOEdcF4%*U=w0ZhOTxaCOZ8157ykj}oIG@Yy=7q2TT-i#7t)!f)7wR?JIki(^`F%lAUGP?1&_KH`d`8u5f62_8wq}G8x-Vu=S z^%!1T^|IPTM_M5u8J|bQ?73mq8D0umDfQWk-mAQ1xTYmCz^w=hmh2fk`uuL98|I=- zn&$R?6>)*%U@#{3!ZkO6h6)Z&m4{pZYAio*uHap{bML%pKOnH~bPqsSOfb9qS+(Vq z=4j`!Gl&i(hkJ>5uoTZtY9!D1gt)AtwYs?-nWwY4Mx4p%;-YV!yW00F;%>5pcyb{w z%hH#hcCG;#MT*n$p?KrLQ=!sBDkU;XKsfk=H;Oy6AcKPSDt+rRhyQSN?|X%8JpCjk zK?1ut7*b?g11anM+JuocG)Y^fj#}udyXjJ=IMWY-aU-OS67JlJL%Qv~E79oLh7Z5M zh^7EPAPv8s@B=aJd`-Z5sdCp6r^sN?%IVQ|+Egh^(y~rz$0GQ<6bnV7M#;PJL+4$gyckgRN+)7doEi&oKj_Y_R&O9n?!cSFy5~8vuvD>gA97(utKRaSEmbBj+B8eiiS1Ze=hL+Lw#4b#Csn4bQqv@1i!14` zW(tXZ<%7)t3kHDI@vyrTMa53Ld`fYQ=ED^uT0~xzxluA~ChIv7c)va_z4iX>Mp(Id zekkdYcS`}LitnM z9+k73Bmt|Ky}o2Pu{l(QxNcvtNPJpXJYXfGgNI@HB_q;nhc--RTo{IWJnjar%06Hc=pTsjKT zm*LlFCU-{SQ-xH!v`2Fs-ng@mc#N5nQs{0-;yCb{1cV+Nc4xO(Z=X#^@8#G`$8^aw zP|7-%*)O7H)lXMgu^Z$0k||cLtVJ9wpa_pqJn^!_b7y!!b1p7)L|mdLCk%#1G)n?_|^F>|%IUf9x_JXl(} zC^jW~GM7UY1-OWUu6GFXbmr@m&yG`AqZ#(}{v~B^fTRKIOrFH|7qH@AseOBSwBLr! zOSiAD$*|Jo0OvTFH5dHst&_TZWJ2u&t}ZR6!z#>`(Ht!ZdeO^Rvh^LWt?pBh9%M4h zZF6>hf?3_OyF68omKh(9BDsVgFDO|6U{RCiB$fRs!}HZ`RRHTxd%GQ@IKujGZDlk` z39`%*vxXqQyqi(SyFlMiaC+x6G{IM$bb3Oj&~MTkUx6-D9b`@;=7CUe7ULOqLRN&% z&g_V{uh}Fxh`K_N4Iu*0BaSX$B+$xHvf#Ggw;{UC^c8God#tq9<2jn@M-L^?&4Y2d z=>Ya&5>lo@7>P+Xy+YfI^mXa3a0}tV-QF0jLdLV}j=EDz7}`g~{$*E|UK7(QNSk z->a(~L`Rc_hV@X)2pu;_Cbum&jSS#1%pN25vKN>t#E43Fd2OrYlB|Axm6~Pp?tkaT zj`zcQo;eSNK-9dY1U7y6L?#`p9jx zS3j=GhW|NG{)`o`B3?fkcCv8;(djrX;z`J}6FtECwnEQED^4cq$I*kYlzl)niItr7 zstbU@)c#B6rp1W0lDWQ65}w=v%BR-4hiS3larda zDkh_In6ZR+qEUoyaiZCk0c)aYn7ZC)A0-*wE6o%=Who~!I%L@ipF>AQjYn|8m$-a~ zcdBo>jcesZ-MB%bxVrDM<9qg%9=ud%|Lu$bS-9%FL3O0_Nf{# z5rPnU9c)SN?Lbh*tWD91aBvB77pMJ5y@(XP?{dcc+=F^lvnT38REezid`PQ0k0$j) z)bk=-)=jG5)}F*YQU0k`Ej~Ry32`A}+KCGqs}s-bkO00QKM$OMbVJh`F{$X?rhST= zPMflsWt=8A47pzZje>Qgyz0VGY16RS2?38e%OoeAuJMf!+r~xN9@7ujj_M;EVn&(b z;=TRjm{OuJKG{9;jf>a|ZTso-@9qtfrtrE3T8gOFExI}I;wqU~KT2XFKODd|(%vU; z;K3w{1_XMK#V>$Z!~(b27y zA+@|O6YComH>51Pm%?hd?vRARd=uXNS1Tv!{o7Rf<(B+@(q+p?peH9A8%v%2+B8r+ zCFX|3>qS5sh=IMP5-gA}mE{;1QLvxC?Q2SOc9SRb<(j^GPn7}l$~8#z1jT3?T!Zdd zNk)ImkQB~4aHH`cTh{RwnNTCBg$WT>n!H(J$J-yc(Ra!WNmS}P2057@t#%@~?zTwq z>2zm1xinABzsCOX)uf+@u`MY|S~s_ophiY^Qrp(+rOaJlHwjeEHkvL@%$eSW*C}bw z-ul$oVwsYs_mPSV36@7PiDQ3oeYuEgEu)i@h*znkS2=TSIZuDyn*p(mF<>n&)GF%E zXP|!h?tzntwsENc%2(>Mn?(BSW@ZD-VVWk!=0#nw*)#G=pj)Mj>=7-)03;<{Y4V|` zI>$W00iDKaPg(MY`HID@n-mI{&Hl_(&@;YT-4@ixE?xFSXv0r5hwn=tO%$9O)N-NQ zCTl{YKJWjgUVuhYFzo>&CPT{-hKO~-8h2b1k`)BEeS}POF}()uaXZ#`dc{moh}sar zSE!`Mn}G}?#jW$?k?3sJ;K)SK8|;zGD2I(8 zf==21p-6!~F-i%4x?M<&d&%~Y%|J0MZ6YoDjC>3#zg0Do4QTn7N%T~+>$Yq&*Ef2F(6;p*A z-;cy*);BWNA2Ww(ZwG^7mj~so`v_Z~^hl^LFU@D8uZie5!VtYLqk~iJ7ZdjvOVq3b zN;JFs@ANDE)*Q1T$i$SWg#0>*>7)}$5lV@!*@O01ow{H>LUv95NSuJ3>gybZRa5C= zyl?WE0?~27odakUxs$DUmHeL(8Z_gFL;92_5YKQgDY9|P4I}9-*yDx6Y^h4t* z-rEQ@iO6Y$AIW@hfpXCmUnIH)RuDWru%LE?dzTbA-X4Kqu5aZL?6T`s zrr3H`_U7#p!6)^20a(yk@;SCeCx}opZ@+WLCG+Je=pFb*uGP!r>B%`WN-OdGNaY~h z;(3w+&Yjx1r_i{evF9)xPsZzQAriO1t~S_EX>xwm)7xtz1uec)~eoi%y#&=4UxzXC#jjLE{@|MTK>wMv++bMe5xGkT2tA6wNN(WZ; zVb2Z5v-u}(_wjOnL9TT&SkZFD_f-g|7q@33KuF1>*5`M&8;S&%j{Auyxy;_1q7AS+WIL7B=$ zg`ufa@p+C#D+~v5T$8sVazX5D&3D^@lO9*guvrFJ>0Kv@G;1vQFH2(D(N098;Hj*I zAZdIW&!O}M-)t`jcAl2D7y22(f!rvrcSAH%**(VA37S(`EJJ~}CAE`#b2UiTakd5{ zVt5I4ws74wbtYhAa-jg{4r(U9tq1yY_hlE06AJbgiZJcvo^$2J+L*IyqlX1LR&1uk z*?QrfJuz&)96Is37htb-zlFv`I@&>8`BfI1r+V8!dT$$9#b(o2GZp_vnRg&!Z-V@z z`lrkN=`_7s@genl4EJmLu4U1Ff3zl3fFmH;xh!iz==F+f*}=-8{%W52SKOKKDjpTE zj?}srHki$4S|Q(NJdfnaEPk!;S}VqUI{w&^(1QmE4=UN2%-n%(mLCdEv}do<>$N-d z^~wQ-Mt{WtN7(~j+DAxdIX&!f(vk6p0CD8IvxW3K()gQEPesMpcWI_wC1D&`D zPvkrZ!XTZ5TdH#o)}{k{^D4d`vji|-X`IS`BYoho&erQCHfdYwqTBh!>QRE7-^M>e zSI40?chbRo`v7#Ypi^(24P^Iy7;BcJ!!P-GK0)O+#6NP%A2vqehgyFvc72ivdNO_N zVbp8_u&LK(&M%Uyad~4L|P)aI3Mml$7Z|aIo#9Th`D;}1qGBIRwk1k4l0-{ zMk+(EG2E&o2-RYZkbiro9WN3}u##HfEnVex!%)0X_j={W%5K{^J`dn1nlc{SW8E76 zj~MZB7J3LCWO?sf$FN)TDV5iTXbP+86-QQ{Ob2jRRepw6w8ZI^Bh)YWnlm${)G_g@ zj*d5$DKIZwq(73l;e6ehVn)(TWL|z~<$umO){40K&Q(Ag+f|}1d`?G4?M^dcE%LtH zZR9BusCCNqJ>R;sF$Q4JrMFmsg*l6yQ8oj!6U&YvDp3}&Tg_0YFYVOym->5{Be%s`gE9dx;ar&7A6 z^9wzx{@pryI0Tra-0VRb(Lw4S=}z6B9$32_TY}w4ecUPYQz#T~Kpcy!Ip0_;3DhB_Bk-f{z6=w0N$k^$0NgPXixy_R;1DQ)G% zm2bc(%C=zQn7sRt)p>h&>F6ODlV=8p_565%Ye*AMxxP&o98cqKJ9fHohv1j1an`27 z(ss^a)l;VH{cvSHMePoDDS>h>)e_O)2}&k`%S~n=yjIST+UX24p^l@|YutE=*BMRP z=4#XI@$GYvl(^?jV6fyh_AtO+Go>DYb;+9j#pQj+jxi9=UXp938NRjPFR2L^oGW}c zp~zU;Z82uIruQC$I)-%^E*J^nv*k|E=yKUm*v{8rxSgpxo@V*%g{Q6Q&}2_&Upi^eUa3pu059cAn|GWS`Re|EJqgT zpoDUs6nJvZ3+R=pv?!Hfs}>14^H)?sZX#P$hoV z@OaUq#FA5 zU{?)e117q$WMDD4OBSY(V+Zejw0pblu^MpV1kNfA3ly0TqKtbOmn?39>_ZlV^F^pJ zMe0FOtk|%(p-e>$TmjZh-MfW`)DHH`_q6a!I}29?WY) z$tYY5iN-M4))8g0UeU9~#G<)I*E98+3Dsxwpru`&jz?SmA6Z)iYoZ^J`MYIvd(q;pIHNPNh|oh>#y3rg!tYHrAkTeFfopU0l_aK`DpuQirY1w} z_?*&$?KjYoXvPrBQG#yo%>ovm);*Jo?K7gbt1qJwMlM9@gjnlt$TC$1>JFq+u+^W%v2J3-TvuQg^{ zwpA*&Pv?%oaqO-97zSiLAM~i}5Y!#1^JR3%xYcB~eqnstj=g)$O>&EAOdlZMtjSe8 z9pn=K$tRW~h{idpP<4T0);m+;^&g+U^95@2#SN<5U}|t4o+TYe01v59G=M}$$v03 z=r9m2?4>RC!W8=%(>P+?KXX)q;9o#!wE+%0U%V@ybA3DMPM3K8BNsU|#yBT`^U@@m z?w@$f(~5oMNva@_k+1jU4#F6&-?q^xOhjaDJ0^G- zbg;I4#Yj6z2H%UIY)17P-#YbxU?DNYK-`oR&+;nwa=*Qc7KvxBWc3mX=5yrkC%Uf( zEym7+SCMPRYU*@Nv47GEe?KhaBfLRDjh~25Nh(4(GI9Ye9m29*7;Z^iObmL|hmF&# zDSh*cF*BiglS@q$5M(&;O30cZ8umnm4+=F+xKaBW+i7tykKBszM z>!he>X!soH^T&Cy z5Y%|6Jlwy8&wHPI)V@DenU*)diT&Sy>=6GA3Pl*j*#G;ckit6*($4?0GizNxh-@7$ zgfe9@-^mvG{Zgd(9uGpZx-jN%R6;7$M3kT3(w-qt0(kL$w#NWMyl<& z|NH!x_hY8hIk`EjtJ-`T(hw>O$&F21t_^r{= zlQuow@bmq2^kSK9MU2;7&P`tPGwP?Zcp2@D`4`o*oYn*aNq>2Ne}95c$499xyeS|c zr@Q~pmj8LqlA_OBa5OzIEQ;T=bmfA`-JT6zybck%Y^r2c!6m-r)) zQ-;+S{XZ5d{C}&fcC3i`IeC#OQ31;NgJF#rN#@k(@Wpg=woY~exs@)NS2JccU0pp< zNpayF8L+;40Cb}`lBV81FPQ+g!7rHtx$O|3h|rACllrCdZx#f8CvMQKr7Vs~zLGn$$f`B~NFZ5kn=s+yW%ZI#8H zMEjicr5oSb+1aiGw}+>PY{G*$h0e4p{BL+w4cd+j5l_rdVUpR#&Q5@;O-)BNoh5vt zr<-!^;3(X-nlryHxz6|W?3z7{b|CHrI!j-#ysoCZUtILZg}1o`(qBeUNdtkeIeDqs zFKFCDupVMPooKXv-bj9x=op#7)xbNzFEJ7gNZOrKZRX{(zvQ+%$D-85#|aM&%~2gE zVK~mRBmdhN`V9Y|pq)FjPaT{+iL;{{4&!&|(=%su#|~^A$_K|QbMx{dOO-cvSAS;D zMn<=(`edx?O2mG8)?=Vn`Fmf3k0v@qX@^^DaUs*x&G8WEI0!czRI z633>O9j1y!{maS&AXaMeaVuXdjU2IPa&kPot7p5PV>LIA-xGU8wkSyEOBZMuBP1|y zLb$gJs2S1;(&GQJrJNqkn4)oRr}bygeU?5z_Ko0&#Rnd+OjD7P68KMipc(8P<(V<9 zQGGnvrb|`!70vG*7{J}qKPG0Of1StisoZ4=c~tRyiBC0qI%_hCiP>W8Z19Y)c;4%+ zBqd6*Lt$4Q)!vNtyDJ@&T`QZ-hH(RWaPPoU&l;ML~oh6G%ipAHL=biY)ga$JJ z^0jh-rH5Lj2`2bDPAyz2ytO;#46ULV?C<&p%wVI{UK|PZ4ZpId{Hgitb&JMS&xD|l zV4*;ATs!3?rEJBrOH!-+Wu&MKUI2(ROSO5OCE)r*e03e;?MQ-&I-cu%QdkU?Qp#NY zTX}i;z4;oUxPxQ07q~Xs+*`jng}4bl7M7lxft4GW88U`UACon!Ry~Pk} zM+gQ)R-A?ouV>zvS<*hidI-00G;6cy%*UBI-QYVx_0n8N2nyV>5e@ zaJppFm5brIhd~p;GTTg0*Onxl-7-F++Xpyu^9{~etoD?AG@Ehpzb;8i8u8v6aGbH6 zw^A>vSD6iup}*Tru3!KDV${?e;2dfcsRF<2_M4v(MWbM*x;z*6z*A z_;4X#+ec?f2Y2l~4Bkn=%8*#;2xV91d+h1G)oGK6QvcjwXZV$fI&`Pi^$8b_%B(pg zu6>s7LKGBJ|HUdmSPy6^wl_g8ODW9wYxLuSRBG>Htb|_XtliVTl02&fltgS-_Xxa} z882#~1hd}Bs&WqEh!a;`Ose17&W(Bu%irUK;)4$ll7Sed33#7qOcdQ{siyqdX!YA%Ycd#3O`b6}v7ARBI?)ZX` zm2tCk;?{YlKyAK&3a3eCLX4I)CxbckcM9@}yzZ}wMiZlQEoUs2g4@ba!uH!9=2T=f zPt}Yp9yhG8XDS`86_<*pIz~VDJ~Mb5?+=NaSf}cZ%n*GdSe1FApsRPYK-!sTb}5NL z@J`_p3zo#lyDsj{Bfl8GSI$nU!w8IcYR|AmtAAR2UF+c)CT*E4$Jg%DKoh}is;5Jk zCem_{-HMN3pKW!7`*_-IJcsF>D53NV)o%Yi)fV@MxjMokikq#!KH zAvEn(?a~ayGDx1ZzMJ=DeNU@Wbp$je^}anK+hxyD5(t6~D_c@(ViO+y_8I;^nW?=lYp+|6ls zJFv;eFOXIIwx?QmCWRS-eASwJ+C(<=WHDa!qZ861azwnSyNqeDs1)z#ta#)h75W}QUjY}zfbB|tqYW6 z>8r=+u1_$)rSOiic6w~zVvc%tZ553U{s6}i7?2k@Y@?ozu!sMec7_M25 zc<^T<*kZM24pMsC*bJNKb%M&BuLN@aQW3=7s~Ns02wutAc_f-^HefEjRwg6QT|G3B z?9HP~s5*Fc30n@mv@$>T_IRcuI~=HUc<#RiBC5;cP`rdXsrUF?hi2QsqlANh;1hZgu4*lBaUjo7RC90v~ZHdN8&z^%a>K7LA` z=Wd{}qBEMj4%4FmyT0L(Z9RccQhB;Ta^-Ghv+gS%MiC7NdoZ8gBO@oTFy6ATa$_@4 zK7n~DON4j89yy*c3oziW!|zU7CYo$DRB<|5^bg~Ym22Tv$XwJ^hv{OpRAG#4_!aS+ z1xODcmHSdTt(@ zqeIgLq-3$6&?;Kq4?{zlCFABFu$i9GFo)6ua-jqnJO-1}CvmhFedN*!Grrma6n@Se zRNpF>3Jt0dB-S3QU_KjT6AH)=6JHi6q_wrGgBC)bX$h8o8Mfzb`Cpk>?eTFl{3LszP%IsCFc%S3sLh;*V)_`&?OWWIqLqe zCbNgGxRJIFt~106-v=BA86Pb1zud*?^BPU=XmDL`!S#d@_Dd>Nf&CIvZ)o5^^Kwz1 ze`QGUQ39m_KwtJ$6m{oKkaids?qTou*I~DwHy%#C%EaZP54vMxg|7BSR`Zfn`Q9sJ zv5p3uZ1g|4Af9ijsiO%0QCm_7F}QOAZ1ZMalX( z7Q)<}7<%coQ?-?1suGWPSI3M`gAdEu{VdWCwa!xo$RP0Y6Eg+v*#nF^iu?1pI=3xQ z0@v!3y&0Wn4Y$MgLMJjvZO%XKUndInhuYtO%0DM}%rPk>yywJHiT&OdZf&IVlTu$D z-FQ6;jW&TDdjnlZN)#6+772$bz6v$qAzINs!IXM*g>trX`#TdN2ie|0ghRr^8y+mD zoX`2DDV)u(HFAAKvbnR1*n)^pFod$JyGJC%?Jkwnow2(|e4F-WYhz6f=1334)MdE( z;?qYt!d@BYP-K=@Qm$QE1snzKTu}M}v$L7r2m1SO?A)AK%U9;pLdqQJ%J@GEM}ZDh zNFw&Q3E92-E}|r@Z^_d8^lZkn`OrLso&5VX!GnCABc;6c^N5lmx$@V&jx8eoo$P2g zcIksoYq8q1hcH#-<0Xlb?W41EdWrOKB%GOSmS2@ME-l3zu(j5i(rpcwZVcZ>hMSnY z2bGtqAxTeTM4x#+7lxtCM$%TnN+ZvfXB8lyxs0QQOR`8r>n`#01G0E;=FRYtXl>%ai%;VoD5tUSm}>_vG=a+3{8( zmd;Y`kF2}6^sxt%<<-I6y@Cl`#cc41hc6byvv3)1wqhe`d@?CQhIv=Ty~ZK@f;h6i z10n>F&!DzR*ZAV%i>jid+A^V1|U$Twri;7?;cs$I)sgX@Zk zN|Kzjo-$Ak-llKdmmK)1E9t57p%_^|`5qtPMtyMe8Eu2pn_b{S+?xxn4CBwSPriY} zUm&QPRX;Pc<>A+<^IuE%5RDwupGO9bE&#|80Yw@341X@O{9Ji!_X*M1I?2zJjD;>z zBeNpUu;$njhwALn@fs>FTwAe3b%FJSnUp-PT=>)RfvCeSot^^gr_c@Ko)<;-7<%ou z8=qEVCF9?Ph*M;IRSSM_%@PXz+Rnw-qUEGM~XcrBjFR6_cVJv8Hpa zYu*k;#6y8=vP)`^oI#6DF|w;*Rc}>{Ze3nndrpu8ZrIB3NRjZ8M0L~5FnQ=QD11Ur z;X<7jLIJycXp)YW7Pg@F0w+afs$CY$R+3G_0jV>7N#^kJ!2dpAJMcW zVP(ZHwix$M2M(@KQ#iR}`AUP1G&sb+jIR^D{}xzf8yw)nQ)m6Nv^?LhjR%N&cAI!V z?n_6^{I;cqvh;c;hqCuWv{g`BAgP-pbscFGmE2TF*Dg;=gUy?^4_j1Q8}0s*98^lB z_(74xnk}{nc*Zi+%AW#LW1+?6Iy9Rxq+;WXfVrcq>j11jsQ5fV5szhp@q9`7=5 zv^PhQA795}<1k5LrKXf&Rik&fSm9sC6Om!G*SnH)Q%wQA#tA8=GBI+I|C)5R-$Aza zjy$u%*~8O3@T>iSS;+7&Zrr#mn10BMRBs_HnYmpJEk+S`jXQswt?0?UF4f|dQPre= zojZVb3MHy)|BIf>QyUJ%MMt}X^;cT3GDu5J8na}3UdGlE0T7I(+eH$Lu=D8#` zeP0QU<6kwOON;=rKM)6Jq~tgbQYQahdX|>Z(X5hS@RU%nhzr5afBb$|-O{L!TBBHHaO8)nfVgvOb)i52O?`90EW{Tm| zsYq?9bUr0L|7#)!=c+gw_atUqF;r`4=;Y4wSfvq|lYFXleEn7dga41Zw+yRl>)wZz zR8r{%>F(~3P5}Yw?(RmUySp2tyK_^U?(Xi8?suc-JjdV1|Ht>b{NiG+xz?U@tTFF# zkJ2Xwk%;UZz{44L9*#du2toU6B@|ZO?iYMFr?N@Wr#Lm`EXnR`Og+oxtPiQ-l0}l#bQ+^n35 zg|=7K*H^PFb4u#8SS7R|33uFjGv_$yD>7SBq*c(f$;LW9yN)L&Vx&X2bO6Ucs;Q|B z@ou1*yof{RMR}pnKg;R0+}K%*z1!I_%oUH5SSfxfB!&J%TewSu1%a|U#eS;PQe>Ji zbHZV?k=7HlplvEFf%uR%F%t=M^AZy_)javE$wRHxh?{Bi_WO_hw=Z5dt0F_AE=!Ai zj!*55?Uy#^O z;}gHOcGmD9+U=#kI?;>gh8-e%aK6cvP$`vwoW3fun;c^=gYTxL2L9>OIy(nfTbr4H zit#(uv`=MT=NS)-D_U1u^M{XeRc{8Ad8S3|Hd^pWLbg3UPRQUlkYzX@b~8{YRbyj} zXutea(UeJVkqMfBWC&@WseYL4puyfhD&<>02=bEXzkr6ISn5yjJ#o-mr^~QCuj9*; zK<#{FTCt#G<&G>KtwjNXO2`y@E)OTN_W%wX z3QZp-&IpG)*X&I^_oxg-jOz2$2+h{k@a*469+UKp-wZ!q`uscqZ}S+CA#RDc+Dj7B z#Y~ZY?$FHC7m;rs6TUSXjkay{4v^rrDs&JXSK;ay)<{N#IniPd)@Q7J>Q57Ew)7?i zBK=%8pjFeVNd9p$3xcPuBN~|!ik0FnqL0)MToCUW7_4A=&q{I8#Dz$QwpDfqN&yYwoa1pBR{*_NDtxQKu&~-We&)~wiewr1~KjV}*9GfM+CsNdx%`+i6!YLS0~V z0ee_6%4Ww*m`XFJ-Q$))D${O(Md=Tz%QT1)j=k|53S`kyqgX4il4qn2G${<3G)p0| zO>M{n^80Yj?ufhP2KyV1ykeGYT}x=RvZt8vQp)qia_q*v8zi*=#Tt|O4`hc8JPQhL zv(?TwBtNIE1oD;nSq=Fo>!xcVJkJ4&?%hBbL|-8= zwVGVoG^e>S;1p);r=Vv% z-W5RlDHQz+)PmCizpEQbbG_x(Kn?+pf>EBvqzP5EM5*L!Qa-6hHjw*WiAujF(T&U#fe8vs9JLyt=Kw2<&V4 z3GR%Sm7|vso?FePcN!n2?up?mluTV?Chv15x_dh*>$h4f>03mzKhw%XVX-l@98(Os zX@Gw^`vgNVYe>r}6+wEi%5mB?J)qcnFg9f7%4=h41U{EaA;Ekk9%rE{{D_Z*Fh*#J zC0hu;`h1LKitgzwVr;TS8k>>QN5z5g`*m#_*>w-kOh!beQklxm={Z32BAULGwW;BNi z;huvyGiMwmKZS)DxXB-GE_QT!NUNO(6S7o;l8WMh7aq{v~~5m$Q71vnhrwvy;SCuxW?lLVU6nrkwq zl}vM5n+>WTN!I6ztlJM^FopYrL)lmWs3(;7#L{cf;BXrw*K=GiW`~C$H#Y$ldg>S_ z$1Hf|Q2;SvdXIvqflzM;Ohy|-z>%waK%Z%C~SCjp$mV ztV`^6D2wL8(gN185p;YHaC-N*=k~Z;em<;$&zejaEQ9C?w-)2lu!eFC-w?ZGtaM*E zyg0890ZH(7{g(>Ztiu^Ub_wYGL(>L7XCS~`YxgPd2KKm2%L^2C1GsU%-HnkoA6j8C^J{<2ty$;(W)g-Lzf~@ z*dB4um`;+0C5>rRB?CjGBb&%U2$RS)irlqsLc|vMS;!T-`kWZ0QQX?LvQdOwv~+BQ zldfen)jKGKGZ);qdtJ>%z!HaZYRAk-get<=U&@zv$( zE1|Q}C5p@>Yq+>r^X^kQ63X7+;>vq46L}=i>l-_v4JC`#G-87{O&M%8K-ya<_=_Kw zF^pG}M9@9iB>bYIQi;lXKUUBA(Lew<1bC6ZLR6`|`v+-?n zMq>-MCI4xF{d9!8xgmn+6J|e#GlauPvLZ#Kw+}X2*2q`vX&_6(?6G*KVth#oPY@W5 zCuxG+5}vvKmd8vH5~H&hCVd-cvu(Yn)H%GOQt#{-%{z>n;IU;yQpD~f z)CYZSS~Xt`H-DX`G#;w_xNkh#wi^^|#W2}oQiAOslV=XgDZQgcB+r95}U zaLraoyx>~a*$D8GotEO1DkQ=N9BZw~;00A_YjU!G_f*Q^mKT ziKyuQr>T4c<$Yy376v`XYV{aAh7g-%!}>>O0_5WiD@NQJBJe#N&$GP|boguP_DW!~ z$N8W4&3(C0*Zc2TE-@zpC~`zL_6^_wc8PnF=ioZd4EOF1A~0?%iCe8iYg2+Op|+G zL?t|_#;7~R-qH%46L_h&6)YKgq;cZ_95|#u@=9|d3u{NBlU^&GENRFlaN2qw&aJR! zYUVGK)5R)j1N4&z($pb!YXBGuA;DPZG{1J9NaP8Rf;pQn)3yO9K2;Y zRMx$-iZE6fxpPSR+|kPS&2B!lWt@!ta*kiZ%&w;Q*^pe&=aKUoB*hwekGE;7fOB#u z)%d%Ut49lU`Xp|LW?R!^FjM<|Kv@z|;hYIZk_NSlvm-uNdcmisYVd~HLxE03rIHj> ze1DA<-*pP?GNu+ai_0$pmpJX|LCaM1o}%s;p7u$=fX%M6DrCxg7AjGxekOlfUa1TT z6Dcl0KK)TbG=hOVgVVTaHp&djLl#(E`{<9+%z3yZ_77@8#6GP%4DQ)vGw1DTE?jUo zSoQuUM9n&QxSz|#)e<=~u>eN+diF0(B^q_1ivp&$+f;%+rUrpti=c{!vC=nZC#o?a zZc5dUv3&b!r3~>jJ#z+GR;W&sBi5KHhmWo-(NouGd$pD1>UNXWN|tCP3qf67KgNu1 ziY6T2Kq~x9Y<7mH%)?zxppb<`gl)Q`CJ|-Tb4l<o{lI`EGCf=p{e3!)A{Eu zpBkE79NpO~0i&mw->O=)s#~^dtaSh z!VS)1$IAf~w2W_7QAI0iYBIHavWFI2-ts6p*Od(wek8)!V@d4P3o}4U!`NuOq+Kv^6in1+{lfr>JAm(n!%-C!(3S(2&!rS>tRA*5_t=xFwah(~{TE+uH0eE;km!{Sr}4 zB+jYBsqy%J1gEvyI8|<~`9osBOo@8fvJ`n9pyB)XF;2O?8xZ3YDQV~~Y<~|ZH}&7_ zs)(*qQg(@MB6MgU{VszYBBK)&=kh4~2?WG?>09icQMeBr@~yGB;-$|?tR~-DU!ya- zV9QaaFopDnW!lc_=sPMgS{+#rIAQeT7aJwDMDpyhD}!C-(kcc$vPP`H0{B#xw`>kIijrm6ak3s%I(pay3~UX~YEvji1g9bu%FQR>UI+Hj+~fC7jh~xN zuITNpVn(jASODu1P4D}82L+6>m=g{o_&ejTE8wj%VZGWT<1CZnUw-oB@ubc*X%iMv zIp%6(F_oC(ju+{v(CbmwF4P*XJZgkqodhF+e;lu5pPSE|G-Y7&(pY{3IZX%W|FEK3 z>I7f9Dk`P2Z^lUU2V$W%@W&718wof{@sX0UxLIKG3oC+T6~$43HX2@EGlmzt|ed0*>9DFAo-dR?(yj#8U8V zbeso14>%l(_K#m3wUp*76pK(NHb)BxHR)VrC9l^z`D^*3=OP>Txt(iCkt)o+G@ zhAx9Q%OxRQeStkp5dI;CCXVH16yI=reQ`_bwBy*Q67Fa@SU9FnH-Uo zgsuiAbEVw(J=G0sUc1y6b?KzahUk`jL0#3dZk}2^u=N>Da?EKYM4}N!dvbJ>BWHzL zv<%s^DQW8(RE9P}n<6n29N!!mk~@bt9R0l-vvZZFrKD0Te++SOJG;K%)v7v?I4#^F z)??NTVKG4!r;<<{;B=O$jpx=YL<@c#W)e0G=HT{qhbK>?A@M{_q&1B|ER3!bya!(7_`vXUHBJo-!H8V+KqStdy& zO&s0f+##vkKY)Vb@GKBF0Sp*T3CZ^O19PgLWwT|IkKYImWTRtT&y1XH4hAIEUO?fd zOzU3%(vZTPze-D6|7aIJ-Y$-3SjMGmdb4u;zMP zLoP~b#87eSit%m9yzz=0WwZ^Kty9fu?J?vWc~BtmixpMA zl9^OBI}?GD=QvBd!?@TRtJr0*<&^)%0`z*ex?-;CK`}{EKmVfg z)EhpV8fH5`k%J6dfujm(u)$u{`l&LU;_$)iQ<_MarcQWIG46HyrFi*dw)|m5ZIBk< z3w?xXEf%cg;EUIyV2+*C(aV$P+0Uf8M2w-*60H~3t>c}SgP%cR!a8_29-;+I+J^ZZ zx4hwB4#m%vUTU#eIAc}55xet{+20M={G*;V3B-NZ=|&?Pc${sYm_fojoc(;+XrH>uBK-@CMy4DUCN6)l#Mb>|g4CK7Xg zoG^LK^4!;#U5f7xivM{4VdN61+$Y%$X6*Cdi5X{21iFJrB{%po?3)J`-Ml zhsMgHMbbY4?QOIF4ve-%2L;hC8Oh!M@vr`2f6ss*e+FNYjLhHhx?(4x^s?81&Cu{+`6{4`K$X3 zDAO?{B@Uy8J&Er}IPajv`MYTIYAAoU-+E-lyD3w63i&zhM^ORI*Xhn^-tS#ODOQ>? zW6>0;r+twie2&l8>IF3thzx~5B7qa_>qh#B8W!UNDrgL`u3v+fTMW7_<4cD&{RiY6 z!P4=K_=$Zc&2O}STz6-UuQx$M_^)Xjg)}za?H&}U|8|&0=Y41R01X)swJ`jR6*_tw zPND#`nr)7+rnKyn7HAeszem+GGc7(wUQmS!hp^4?v;~3v}1h)LStpme94M$#^ zlnYRW^Lm8<_?}oE!xPxPjLAAPkE!)iKGo$s+SL{zX=Q&+8LZG*uaU~s1lUC)Tnw&jN zC(K=t@aK)8% zJ<$1;nhO;e6O)ouWeAOlTQc4UF)mYeXus950%V&C#*A=#uH#c#$z0P%Wo(jBx}(h5 ziAClS>x9TIo_%?W2oouv#p#@binv(2dN&>sX>+)p`1qPqJPk_qx}%!HHkV~ka)hqbirYl;-Y z7^t-T)*I-wmRe(hW(d0Rlyr8aa9txCPXV6l3$1cpXI@Q1xeOm~>mYNbHWt&pFk3+h z5)){*KXfo2>5j8*eyNq+Qw=#%w3F@94qNnU&&c1+Lp~U6C3?h0SC%{1Q~ec&+#YXj#j3u?#-E zN>33#q2Ib!878YM7V{V8l2w22C+w=Dn&>-lY&-L9asQ&r}Jbx~v5Uh&S#lTvWB z3klHqs`93wj5k}o=+x!vawo8Z4CnR<1ucC4wn$LCWEkZ$1n)*KEO?Kt(a!TU6E|F_ zrw5%56E^e!3RR#CYUjD0*BLQAScJRZEw8L23Jgub3%m651_^x#{O;}iVEzMa-*WF9 z|4CP#*s=C``KRsQVFhPSAU$qi@v2n$Cw>cA1!GX|AR*6d1cdh}8G!*(#;AN5@$29W zwb$kA8YJeu`M%`}xRfc1U~8HO6(J_A|q3iLccnLJG{su$#vK%IibFmU_n2yMaVs$`V-TFC2?Ht5&h_Cj2`f>%~n ze(ot0J3gRp?pmFD9JB^~e$f%2V?u|>+lGypkP<3Q#;U2nYH83uVYU6vYEuil-H>}{ z+RJM%)fex^k?ZBuRqMj$MgNW^LStr;uYDHDGZ9o2fmjC~2Xr!^u zoc8y?esWOK2ZOd48taasAv?#Mj*d<`^*vSE-zekO>2rWf`~=TW zUGMPIN~aIr!65)TSI|I-ATNbqP5uqv_$@_}??K=>JTzFOcrwNDTg;+lIosL`V_;2@ zJZZ{@jHS@L_E)+5^Dk2IRXQKq-*pX7V>0D27KL8q+P4XhxkG8>3>iIdof0Y~Av<^W- z$RYOMsOaL?$+p^<%wYhWJQU{JLiRuh9m)3p5Ea3vSLl^V%msM=jng*tKm0`O^@LF}KjZar{cBB8UGqrdcQS6!EX7L=Rq}#+78WS) z%2_eJ{~G$6$;VeC{fPVM8wBgf&|M50-y1N!uba5Xl_bIgwU$27``OWWS$%4CI@`1} zwEVr(5O%NKjiG&6a!6!CCwp_FJKBnDDP}mFXa7JLbmwh1j~^1Yo6*3tN_a^TE?=Wo z(;T_KtcvewMVlDTv%bjRAdr{*b?I^jiEGwDt%6ca)UMZ}Cj8Hg(2Hg&$ZC0v7z#B% z!8NHQE0_E4PNbnonT3H0aahr3c6=Am@fXCF+9c&ISz?DZW7?#xe4D0Z1e0r+|MJo> zTj0N*S%7|~=^oC|iuJvde{7O#NTmwbYBefXTF1Yr4~l2tHXsTEl>DeeJ`{`L1x3HI zczZ0W+8XXFwY)tv4Zvzz45 zv-(g8?(SWd1d(CHNk?ECk8?>K-~+DIb=5G&c;1ZY@J>OzI0R4Q_nTmfjUMrAB@`Wi*q7m`1Qfv2}FROqdvOuS5`S8-@`W_CI? z(3Rdl4-HYko?YRJos}{TsoK3ULU;QisJl0n15GDewrg+?GesGlG})|NahDuzlU_O& zz^gy^18|FAZnjVu|0g0Aq+wt6@5Ac{%2y}VHAmCFX|~sT!m(&{VxSqyY zt$zr0a+287Qe33Mm`fQaG1Fmmr8J=Lq&K}_a0|8C}f|{7UiQ6YvpaUchFOE z7QENUXj^e2^GpoN4h%wB#^}Wq>h1Uy$3=uF<4-eq!gO_mIlA4%x%N*_{!)4aTi#MQ zM?%$a0l*W}!Hbl>q}mtA^xCDQs@V(%4N4}vCFX4E*vq3u^p|Qkc8uttvgr#F=Ox?B z|GpDcX^Hf75O33fog& zb%n%A8~Kczt~3Af<8RKK(e@*C`Hk-GH>^VF<^`_azI=H1tG??Q9<%FF9AQNkRBF(a zUyH@Fj*1#>v}qoQmi9HuA-p3-#=IUymY8z8-WX>KR*v2gX%4p=WzM3wy9d}g4yqH{ zO=XK{D&K?3C?#6jpECWpOk(OgzC2*z4y)2zNp!ru9WtC7E0a>G@HzOVm!*x2cbqJI za^DJ!nK@BYn`Hc7>k|+LuXxo@5g>5ppd6q)sET4bmYk+sQ-U)S&DE#Gv|AF5y*OK8 zI?K9L(zOXV^Hf(L2fcr^VXOsLics@Tg^?>hZGqK5W|OccQKFhk_G6&D_oy=Ixgj2? zfC_&sbn5{M$>rTwf9m^~eW8U!Q@=1e19y*$y1dB>ikU<}aRR+{EFyycUIRUM9eR5D zCdLjIjOd}V!x#+p(69=t2N>i4%BDTP1lG<>#l9|F#7KIV(bOAr-Zp*C&Jaq(Dp!sOVYP~N2oMwaHy)N(Mc9XS3h*gVxce-J5d<+skL6l=;H zdPQZVi)|AF1!|DSYXmoQK;R#qI#}a3X;UTUO!>&h1>hYlr@wI+K5N#w)sBVcIYjBn z4AN~FRry)BFOqKWc(mM*OpThXz+KFg6+z4BId3(WKR8+;Gd)(6v&ZC&rH~J2u-F3Z z)-UB>j>cQ!bxJ%ukOG}hfs1|hpuqXB3)csdZ;fd9B9euEn)_i+REpSYW&CZ#iz&V; z`wV#|a~uQnNc?KAdC3&ZG#i#==G8%3e|eMytc9AvLjQDd$p#HM_e*t z2dHwUia5N^k#3`cHiK(2wJ;==tjd|;F!~SAlT(FXaIs;*MXyh~D3ncL^c|lIZ3a94 zJC@H%U(fL88W0>6dMPqM5;uaFK>i!`_`X7+@6o>NzSOuJf1Uo(?XO}hOA{kTnVO+W z8l`wo_w;|_GZSC`UY;!_SWe~_=Fo+*P5$?^`V^pc7vPhm21r0#8p&6K{Lj()c`XML zgcBr_xWCqx%MrZ@a+bcK**)njlKj&b)-?3uPQWOFxJ}VW4FBq_eJ~_D$E)(qAy^wlEy{ zmoS31J5ug#m{NcQYDkU;jQrdJ@g*~8J&ReezeX;_bI-peQfheWW3e{_9T!N$-fg>8U~AfPSeM+kY#! zR*dY7i6YT7MS;vrTZAd|A?E+QR-`&aH2-g+rnM7PAPv;lAjkPC_k+*d4g3*MlB66Z z-(x01scM*#RmV~nm|b;*+d%(rV)xj0vO;PN@lEq5??FttzMl-49TNl5%0$l2H>^d= zJQb`l0TJ%u9Fb<=MWj~_pMX~<9j>uxabZ&ds zw|(`0%AUhX_zx`&L5#BIbEt4Hgh2W9={eiSYD6$j{A_tpv&%8EkJvGWt?g>|aG;Kb z(G^UesNWr}xk-~fr>4~&vw1neCCqlvABx9C=c1~qjN*o!*0l;;)8QxIuhJ)r(^Dr1 zdxx;rxrwea&$YRp{&rL3aDej_|6HB`>mZ>m76|bK^+*-Rl&;| z2vwUrX4q|h5POdR2}O&iKAK6gJJ;rl)QbJJ;O6n`+6xL3wy3S)pgznQrvseR>9T0v z*GP^OXqh@RjHxf&2=Y4Rq3cmz?@SmCNNVk16f(59&xr`Ap>E9QozJPiQ-5R1?&j}^ z3E)PA>m!kdV$2I_E=^-4{lSHZm!*&x)5C-9IJ2X*sG4y8*Cx7wiPuXBVh?wZx21AA zg)7cq=w`hK&?ySU9n?BouRD!sH3>hvuYSBgqLrvWy8MMDv3_aels5*snk$u~gL7-a zQ@3L!0e|TVB4RNyYNU=o}UL z2@gGO*5Fo!h96^JtPSy|bHp1;wEIi#FGoJy*KASC{g4S8oGkg~gjHh}!MX;OGAdf_ zu}^;Ou5EO?6BXxd0i!!u($=EUpyMu6=huj-fu+de|ymJd!l zTCX>FyS3vn3R>#B0^zWYBaQad30!v*RZ5ytY~~#GnCm$+@H>NDVb-#=u;bO(^!|sx z49Ye%Z{iB3M=w)KH}t$P5zXI0F47Fjl+Ag(m`%A|>lwvg05|y_hylJZV^MwgEMM6)I8#Fq@ zv#c8$yh-Rw^&9!7MqT!(+z=$zP4lHWyu=WT0|4 z3LcA8D&4_L7wfb2i#Akxtg3&et7qyaBt5q2VWLSmTb~d#%Pg;N`-I#UlnoSe)+t)C z`E|KeC-M3g%>D$b*Px|&)f5b0!alN=XPAsMvz7@&_#LV&wS62tX57@)GrWJ8Q-R#v z8P?BHR^VL8m~AOoV2xaPn$aCcj8?*! zr7V-ek~Mbi)@C^{*kV~2qV|R@-nV+ivQCax-yGAo7=uH%EJhV=>tms?X%6xms}ReC zUrQZMCgNxq$`LuKUen=r@>+0^Iy`@r_T`KFS#LPp=8^iskD&yqo}(M{sbr-poSN2# z1^6?v@A5JkI5i)0W`4f|ZeQMYc4q2$se1n1qWU3wtY@N1#-M5Rei+3cJCvtuBoD9w zu%=O!UF|w~UkV)8K?{S)`*gcb@v}aB6|+n=fdace2H1(zDkJGD5zrd1YySb z>qmRDi9pMXItBK$>H3F}$f*CJC3j>nage$>9VC{qN(mXhDeX5v?>UR}+E~m9H<34l zyT}GqocpRT1BEqoOi{&eR`l;yxdj5+^vD(4uo@W)wmPpuaGEazvyhGCSdAn^Zp=d{ z)gT9UrHAjgsZ3bhSyw5_CJYy}0B5A?_%8z387!B36RBg+yX?-R(c3Yeh9axITSuHe z2aOZ9hi8=c)Q$Y@GjZ&9eH66mk3NQ)$d!#v;cEMGFcW35fmf9T=ZYVYO<(HE4k;B{G1Fp=*U3<|= zEUj`^yO2SF=}FanvbMJ^e9#DGTU)_4)LaGm7R&hTtyWC&eyU>y@}^i0SmK8WrIq9U zj8^BQXjUqcSSc^hO7^SW%`#B`tG*Sf{~L%rkd664^YqPd&`9_suaWbVA=um;csyTn zm`oH1<9-ZW=|xRxZ#?%FK?N>1-<)}2iX_7&^&h0ar@CnPZZuZZ=&*@3Dx`bfpA-UD zgfsp#$N7@bzXVfVx{urA^381Mi3$b5Ru6L7vg`L!1*~6NBmQwo(H%yfDvgF6D-&~X z!JW#r)?E_)A0aRF-g$+4HKfDQ&JZyXDX>~MlnHK%Gfx0JKvwZ zwM?qgE|SX(d*8z+sB^Gt*RHnYiX%9}eP>-4xIVI}{mW2x6oCFk9~e1cf5O!M(2zU& zqqgw}nJ3~qg?+JviQokb(JHT5q!Na+?o$LOJg7)o1tnWhZ-*uYVQ1?%Y*s4*dX|!9 z>Wwy)FJm52F+)vp;eQ>;MjyqhK%BpU{py*pCH^9RyC2#4$z*cOBKk#t9@ykP>#e`A z{@#CB{j7~2=^fzZ5rQ+RLG~m4+3g6+h(>#WT5l=}-7W5U%0`AQ1IJ&D0NW(Ii8V;i zzXlIxwpqL_MXOHd8FM-g&eG1ZS`-xd*Rl}j2lWMPh&!Km=2ldFm!5l{s zt&VgU768z=RZRIMj9=~p+Wv%~gfcTC-uJkrzPnZHfyRG9Hpd?!QY-cde>=ePnV{$$ zIhj<)kQ@1Zr_fj!R-9rJ$-kDRx0Ncv`&e<1)swHhR?p}h26b^XFW2H8)O-3VH@KOu z<{!7~tHo8qk2HrF&lp7443T^FBFJxZMzHg>So^jTY+= ztQ`bjd*hRD;=QM(``0S)rlWhE4`i&~84&P@NxfyVvWi9S&B12D0%Z^c&Bv;P8n^v1 z64r=by@EuYTh%d!^QQWWPYR?pY?eP78{hqjIR{BCDD0g0ga7u7skphcm=kZz z_oM={f&Ixb>7?K`r_)jUuZ{mB%{z8c#J~)YKy2l%??7#IAiq5`S`w3h6kPJ|v$j>n zXHL@P|FHzlY6S0(K&HMgHLzTkztM!qa5y=uTp4lMKTK=&jlt)C1tjjbmBaC${*aN~LW5Y=yZFaj>rbmn_|LmcdB^au_u3Aq>_`ZI>e3Ru!sEpRtoz46NlN9|7x%q@2vDJt+ayh zaDra#AU&Ak7dPC^DtcN!)w9oqaC9f&?YKKrUx^>-2IFNbekap}MS){@&@Zj=xR_BBQG8~N-mXRj85$&qi3H2>7~{E zw2an~4__hM#+&ANXU2w60?%~zkSPjY?j=xkvs{CI&$!@VM+Wq`)i0C@6;c8YuQl7s z(K34N=l6!82fy~c?~#p!(Xj;!99z$mYTw<&&Tz9g`t+Nl0(XDvtt9j9&-@}AGn=cn z{B#)ZS7BYorUc_`V}j^GR_cX|R;$WV+Z>ib7CK;nhOJP ztMBN#jS1HrzK*k-cN7?W+y}3?4XoRe`*%raAfnAdvD(PMxytH_K#x$D{A^Ik)UjHD zq}dBQ#|LUdEs0^ma@TXOf;WChuzv9s7`WFn5?y+i?DLC>ZFnEig2Q}}cTTtX!F94e zeJ-w<&Q`+bqSz&CBn+ht;#;hR((y2H&!JR{3=;*sQj(Ry=LX{Fa zvc_^BB&gKXapXVX;P}eugcpY>ES04Th+50hWAU(aHfvkx_zRSO;#Lh1#Pw@zWvWAy zAnXzh4E_?+HTB%gl~s8IqK@eR?_u9}jsr0rq##rlJ|d&}s+M<<7)YQrVeG)22$r$N z+%j015&{HmtnCR|DRE%cxCjM9pX4?U4g}Rjm_Fd3_-g8ShvdLVQSu;Al&rRpU1A9m zO|f(2^OsM40Dbd#enlRVb|e^=zW%Qwe~1jNthnv-ng+tKE3&v$au8|I@FMA?*-4~{Kx2+N}huc7mt)Ii{XYhCt-#7 zX_)|DA#>HeiUqAn(p)OrGc2%E|p@kX* zb#-|pG`yggR+dB3o1Qu;zMp8)k|9m-7*)nRkdt%tZpKDO#qe1kcSl256UZSYtJRJV zB-d6cBV^A<7o{F_vFCpXP4}EXnAFUlNGN@>UX)H~`ShKo z)&;g8&=sy)fc4lKcCN?(S60g_3^z^Hhr9L`D!KMyVtc8FBKrKzhi;C~l^SN4irn-x zn@~EYd*X@QZq5~^2fDR;r#GPspD*lH<41<(-Yz>^rp1}lTCYvon4*7n)SuM9%AkRHx+t8=-^!SecWcBQc*spwxNy;^h~NS zJsZ(}E+BTJqzZqsiP{fQwzfE?w=^`Bd`adQ@4i*Yxs$uL(CF%UqQY$4fIyYp-rPEE zpETT4q(tvO>#WZbD9`pB?j2gKLRB7S@{dRxorgsSDi;z&(cx!T$w)@L1@s@A`ZrR3 z52op>e))>wc?c>qhBf-$Q(J5hf2_M#o4%US&sqAG=qKCW=!^z-MfKEVk$}ZL?VJ?e zY(03BH^&OkU0V)a-OUZX!cE#mBYR)o@jY>e*>WsvRvUk%D^jmUR=YOu z0Sa~w3$@cf)~m$BQA_5D0B$W-IdO(`J{NGtUa3k2UkrYGVkTpHm|-|Rxi(h{xSpK( z!hT$QFVC~tJVmAvB3?s#*jYa5wUcPzkZ)h!UF#v4WIGZhF1>8LR~z}dW@glx1G{+ZGEKxPyMILr*G?O=C!0fgm3V&W z89sb4B0Sp^da9m8{-UOMOz#8EWwg0mMGN0+k^R{f^2&6|=)Qb$o~a5x%kN=ry71jc zSy?%+F@$Tnn_SgxL+aJGkSWI<^VFq))=Cl;#>-=R_h8PI=6T+7wzxwlqv?E9efyfu z7od>(q+zbc)4^qOW3+D4@;kRXIHrdw98GReL$}5CZ&c`5aeQB~+-&w{Ihf181Vm9e zt*x61tt}JP;Jt7)qa(hoRZX`w2*#Dc&eyvrEm>L|NkR>=cW-%1t1yfNsHW#w2d(~6 zhF&QU9DHx(=)YNB7~vw|gO>hS<%xNnuL?F+M2NvY7Ndr!H8E_&$P(O?^6YtcHi9wW zGF~P)Gy61d_QPaWk1?bGG1K#+4RjaBh>}Ej$)$m;l(;*#+nL)+v?BbOk=#u7Wve5Y zvK>j&oG~8vIolJcdAv!8n~1V2OPTng_~9LIHBr>t*`jGZ-Ul}6%rAEXaGI?ty8Fi* zE&T!8vQ?Gt`f8V*h~%^8a1S@shL+{MTc?Z(!Hwoc3OS!*X3a?oicuGL5DYqB=9&j@ z$;)WJ172#$-*;*RH%n$UK-ItL3~A=-p|JE`>!g8@j{KmmR@2aoCN1`TZ{cC_edJht z8-El@>eCFP?TOv#5|5jm;Z7k>3OeE!2^B(o^-TEym!r#zNXDR>R5$~s-)O-5RG|ZA zfOut-1Mp%^7MUlddzQ?_ToU;pJ(>sn8V$B^QKMm<<}lezC2rP^#?qKj#Y)vz>ros) z^kYQ+ZWr@tkzM)j<&!eP8ml|(VSatCYry=G+F=$k{buttnH8HXm@>SI-3GQ)=@fmF%qM9pbC8-sQ>qMM(X%B-oH*nn?5 zl{vN}d^6GpC)-nx3j`d}y)V58X=E{fxpCFsYS6Hy4WUb`0_Av|`?E8!L8;mJY9g3$7l21h*MQez&7BR3;q=17R zOj9RSp=oxU3fY!kb&$7fg+3|GyG-|yL>GD_fc1I=1-CP_I$CU?&I_tkYCRP8uD)W? z>JKy)&yAfT9yolym=7^LB$PAxYQ;_F8Os@x`>NyhB6WNE4bN{J|39X#Ix6aJYriNd zCEXz1HFPT}E#2MS9V61+-O}CNQj$Y=Bi-H1H@^4k{nna4SgbSg+h^C==h@HpiryZq zZTOtYiils(`r{{}4c&8+JVon=os;MSyA|N-NK%1Fh$miO;5HmWvyq6up%9DDqj&4= zzRWuPV|#`kEo7 z7!8FS*7xl0=^l2gtCq6B0Hb4;ZPb6iFPOoX&v<|jmeP2VSTJJ_&@>Zi@D@uYuFiBu z!OsGFggUUP8BTO<{FD`VQjIJW4;@~}AImRCPnV_A4dAP`d~w!Pt>`6NAM0zHuN|~v zfg{qvn`(w0=%VQL;2SLzKJC-ysgLd4PTtIz2o(0Ht$r#+?qqAD-{!pR5i>DyFRFrT zjiyHf3z~^qH2izE>vp5ohoSE!xijY|Fuf-krg$T7qpBLjICP#Fzr5eJL4%N;nY-Ey z^GhD%%Iv6kf-j+JIy-Z@J&~Z|l;|dJdW)bOS0&N%#HzlBl+UW>4+D?{8A1Dj6@1^x1t$VD6D~(b=rmiMyvR&4n#tJmmeY-gmYUcJj+?W z+!}lDYI)0yHx%cUx~_@WNYUHiyC~d!iH3_r<&2L7$`<(U*2Y<%-uTU1lCY*`5*_>T z+oA{`M%NNEMO%Bo6>U0ej;kEmH)f^W3w0FR>m1Xa$5G9uz=Wh7x6%DbQ)?Hyb&7{a zOQbHJgtV7=j17UP>h8AkR3W0^H!hMkR}omtRa5P*wC}KngXJp1vBYbhh6D2Mg?#s@yG4!fuyx8a$2F?ul$*|*an* zveS8*G)wzjy4F+lN`}CrN)%1gx-19J%aMJk#m&Bj+rIKO)6WG0r zzhY7Jp49-JQ7d>)xiVAt6l?bFIC>#EP+AjdF_(|gHLe#VeJ+`XdTVe~OUtckd##90 zL7vyjKKMFVsLY&_#)A>0RQ^IyY7+Wg>S>WMBoRqVHAtFUut2U14T+F7;Qnzi;^un5 z>OvcRp+jy1qJ{!tH|O84%Mv%QO7JJ^JWsjkd!^x&b5pg*EnSGDZbij|knu+BneF0& zGxLW6M2@Q|dQ&d&=ltlIC@l^&zX}}Td zp@C!&+*6&crc;^=zWn;@s)J%MtLgsdAdp^P^Ei>kgw2NojKx~#L-;V4>klvS|G-wX z^rjHs@Kk#cji9XkI^XRtPn}8^$ko_CRt+;+Zg0Wr!tB*j)$d8^q$pX5PlHkFw5Xyz zL{qVH>9xC}v*uvAn*^nbBH24s_ zLg7-cf*#QU7ll^fly7_hpr~89Bsp?AxmG|o{wYC5O^~(H`O~RQ*;r;*#(ctuNk~QE zgS6CjE@+|7OX!n=Wmpo!7^-AuC=&8kU&Dv6oiWVJqI9HZhy4%9b^>HRx9ymq?30td z-5?kT$TeWt?nvK-h{TXeKCT}ZNIxVy)>)E>RV?u0iA0T7mw}m?WKDlQ7ZHpMV?T$v51#aLc4k52MVVw^dI^4_nbzNx6YLl;wBK~Ux zISz?J`A5!gr+OyfO(oIIk3CyLv8;iJn?0zDz;hOPy|kg&uJ;dhg$lmTgo{n->GHj_ z8kK~Qc|4ngWH4V+Wixng`OK=;$X#}|6Bsfu8l?Ig>IQ416T@c^);m3Hoc9JWPXYc? zix>_ETa>jXpn-7eCe{Jz(C~t!73-~^x$6kwVZM$5I~YP@;+JNUfs57~6PxjvjH)Rq zH!jUS2ka8^dg6NtDN`m=aowMSS+50WSK+E%U(gBlX0f|qn;q>LjeM$DOM%pilnzn8 zp5hxuwhUUM(J!z@Okdvj=86mx?8!XZ%Ml6;6r|rd$fbSz27?$&H(B=RSeGhY6n#1P zkWL|=9H`iTm8X=>?Rt+36NafmjDzd`g#KyC*jO&{pE|*a^(ejE`{)OFplkHWliZga zQ5Z$O^o0&5u1~S}Qi+VxVbCZ^5?SX@xxJ!?k;A=7jOYl{#-#E=zt;N$s3QLhaq~mP zs{UqtzdcMLSf5+_0>(*M>OwAk6KU~!2xrqCS+75_Qq6nu6M(+J<`62Y0rRbzPi zd5!=5ulVfw2vEXn`_I`7&cyFPq?enkjYC>&CcUu-g1e7K(uL(M<}DU)HKK_6_UrJK zR$H_A>3II4AiMW4?oA>603<_qUdBd!PL0+}eGPD=m~;xUaWDYzOQe}z>|S41WXd#F zk$zBLHs!mQ@ZjfA&k8cVOBrg?NI`gx_5H^R=!CXKMb8q zObRz8lmPnvRU{E83{>6cCQ9)W1*42Y0n^h_FS#rkW@Md40a4WU@GsbzP zq{=^k7XA+(|9hx1oa%3h1|@inj|yZ^uX$e&&kgDeqzsu9p?iDQMJ4~%ya_P>6((`T zEwZNcPY0QgT6I*V6|cD7FDzg`zcZ2F88-#qt6-2Oq1DcG(f(9EteM$$ z)7j5RCx>#c0-pao$$Ioxta2oS7ADKTd`Vq-XD7WgPd7xbaj5!G;C3>lSb@x$2`#@*ZFd2FLaN4ey9lE z#C|5Y>bm&G9<46J^#?VxKf-e)wA)?7F%RnEs7eq?fx3n#cEG7p-xfEak^$@8o)c;7 zWtSK@dH>LC3d$Y&mN*WV>j##gt%I7Fxz*N7FcX21F^$sR{X~aXnVl(dL)yg$zmRS> z3VoQN^ETBWS!kF*2g6nFIAs!X-a#7e45D@Cv5H=T{mygP&MQx?+3haD{sq={Z{a}v ziVJQ2=!}E7D-xwdd9*1=*?gzhO8J02e)XvE`;+LD@yq-WU#P*f&{YrJX6lNOd~n~V*Q?F( z6P=-W;~kpx*+5g3QZ{dsfABC~uB@upxpE#b#Fg5f{z1pJ+g`GVh9XFQzN1j$X-OT@ zA=o@#N*=&M+%Ug7^B;bX-M5iSfH!})*CZ^|YRT}{n@N#HD@|>PrPyWs8IUhD4!+>} z`EmtSpX!|wh~X7SrZ7r?2p&6y4B4#Da)AQlt*#~Chg-YZpRhl_tpgNxlo<-`B!8+W z;Yf<9OXoIyj@5*Tv%iQD5}_WYVvuxb93?33bFn^hQm=M^b8T{) zu$`g9pQ8mqfg_a<*@FfO*w`BEv;eKBMW#LMK&#|M-2P*SUiYnp$Xyru%`J0@h47E6 zo*u&Eyw?uQ{&aLPrIlkEn_a2Uu3$kb246y?E6i9y8qvZ2?DSkl*#ye-@>P*+#m<2=s0plqUCyrd~^Zi8=6!{?ZF+|TU( zWh+~`d_Dr7l7ZQg#mPFEx$G^9QTzw2lcfeK9Ycv{HP2WYE6%xlBGTXyX?`D+FBQ5z zLDx2eC7A^3b=x$W!J_PTt4V|w==NmY=@ZbY3#~oLSpsbv9T#r3%>f(WCm8M3<#_&U z!VylQ5AqsZnsW>&g`b~Q8BNYEMz|?KqRCMel85<5>7X}?n9s41BdV99`=95D1wLml z_)QeKrE(00dy!Hda@xoqvM9T%4O@IVY+fXv8 z?GDoFixs}X)R`)FxR@z&ny z`oxHSys3iGZpHaLu+ncaUC)W;HeP)yLsL<^i&jsw0 zb>D$G zq!&G|(QiYiCmN)^v~{&}MeclymG+9fnoea-7Xn;GB&toe#hpW^ri;Azww5j3J+BCz zuq(DS64K~y(v@=csj^o2qR&YD+S{vx+if#x5_v)$*ASoPCOwL&g;Y!Bz$gvo6OQa6 z%W9@4mD|R2>V8p?j38@HrwJhPksFB!4l`{9Up=+7qnX^9ru3H|-WltgW3xq`X$@!M zxe=_Om`=x;?6tRp@%#`3m+NWwB+)W$jCe5Ub{n&5E#Ubg8!%|bC-kf86F##-k%{h3ZmNycr*QwD$uDB$e1E#kg_s7a1Q|Fx76*JYgDb}{G~&+v8Xyk;GHH{^rm zti{-~i`D1iP%@fxR&oJVwt9K#+sZ7lT}zvv=}eR(Ns!{LIbcbKXP~fUa>)J|^pGi? z0$lPd={RED-_ukks!c)1!??Jd^ssbJ9gO0bh6mb5c?w`xd(0}oK0XbY9e#{}Nmrsy z#&FtY_*F9LS9qh%@44qp>#=r-^<@VX}R z!_)7MVh$+!&q3=tRA|mGG~{Z8WMnic7V*J`WuXriz@rf6)m^tPkmHX|{t7lB!)sk~X^Dm(xM(tCnvCkz2FTk>b4AL74$AZi zNiF29xr~#MaQGhMY9=;K~*Ljr34IFE5Y4X!4_PO z9O?6;hLF;LcDP>5C!+ND8LDrVvca|Epzs(B-)mj(EK1_Hq3-r+g{y@%b8awR0&R8I zapZY$E)?NP6oI8~{YHK`E!#o`L0YIwk(c?poB8a;>tQ?uP4DaN(Ac7iQv`EZ&6+$} zZ@APsO6cP~o1G>Ps0)$Id;4v4-3e<9W}B1h9m*uO4eDqzq(qKXb#U8^v9tzUyS0lc zPb@J_m$xnmLq;59wAzbkhH`c=+}E->otSER>Tq(3tU4^OGj>K$qM5#w;*5=OEU(bt9nCsN5XS4Z})Udi9 zpF2GPh|H}UlaQvpXgkyHxH{`|d|~D$sV_MQ9a?iAwuJu?@;WxYywCmhN(z&S&y_P- zt&uRE78CO0LDF*vn^}$Vd;Xqd>kYv-tI+2NYpv`c@^+e(IlL+aa@qw$mVRJ}1|xs7 zCFWqJrGc9})xdY6eQklRIHX|AQ^^tG#u?|MzGe?y;|RM#r!rONtlEJ74y_5FHQ1@* zv*~&lX2eAoTK{#*MgCftM*6@h=p5wbSghra+rP6lT2oR`L4*V2lO;dDV7;<4S+7l{OhtR zZI&k;h5?FQ+)|mkP7f|K@L{_{-{N=dHj=WL6gFq7bdrZg)Z*uE5ekOub3oTH%EO5% z#AEnVj>EjQqJ(*?GaU?Bw}{cqrvLRA7? z0&;ZL*k|23W}#%zSYZqK!J6wbyXB{0Yq$#5uSZedwG`>KCz z{odmlYHkd#o3ko*^a}hodZ&}(U6-)GV0h|$*PDjcQNy`oJY(tn!HQ2_Nw!NrBN?+8 zxX&Uaz*H+Qz1gqfa@%}BnvNs29~o7w9a^(}Jcpdfp5sOrWT@79YXu(5e(n_-(qZm3 zdhD;8>(sz3#GL8pk$X?)LB+IMQhmNIoyhOjul3OPHo1zKyfY;#>F$k|S$gYY@fQ*c z>~<4c)Bthl$z}^K{$wW75*yqbx>=*fGu1d=3l@ohFEy4Nt|=njHIG-O;0x z$LoY5B;M(}BJCQSC2uRzU2+DS4~%7@b+npt?4Kl+XI}h(%B-zPvY#7<$24jdqdAnG z-e+`T``{;=$|Mg^xSohyz2jMEH0I~i-8HZrbX0ae8de4OJ6EasqhR2~vbDTr6Gtu5 z-czvm| zt?gb8bRZRD?LoUNO1w&msByO9ByyN^Q`9ZxAFW6h>LFTQ$pFhP*ea%ennnE&%T15^ z50gOq0~*L&<^nAR0Rc7sZV0p3=%Yk}+e!D_$x+R8vAgdTs^zV&Tz6Q{Ov!xeY`QAi z^PuKq1@K3lU?T0wT)dvdjhZg<^YJZOI||<7{^DMRadW}onY9K#5{D_j7bjWnviTdI zVDyC9$ajnJwDg~pf>8J7v7qiFEu|iJr_GfqU>;+F6Wopl=T4+GIE%3kr+h5-(sUlM z&o*@fALCWg_Sqt?4)EC~Drlf}bB)6cu&#^m=XmpspIElOAm#(Jg#DyCG!tp=-GXkQ2w& z;Kk4bY=C>hLD})XY;~^6I*Xjui{E6rDWw}a4|FloaL|08?O@-93;0 z7|JZ3t!5VNMD)-(wUP|dq38TTt&hPpT!q9o&z!aMxC$2_)G>ycJ$<~w5)YZU7FT#+ zY`H60o*;>&+Zb3bX~WazLQHIi&RSld)#xP0ns0MWcUZ$1jxfF$hw>m|A$S45jQw&s zr}uHx6vKA5jLqtW3Z1}CsmBJFkCR!XENIaOKkoY^g(Z&6*b6~&i~S3V0kc2eUW;F5 zTl=Cw9y2w@oQZk7p(qSk(xd4W`dB?^JAJ*~G^nv$A{8o}Hj^|gY?crGeKkHod{)q` zCBSo570}YXfYLy-W<}aETV&301Kr8?)WH!BDc(OZ2#K5`4KbSZN&zzXB_xBKi_0i_ z`@NX+#VZ4#S9zpPbjud&T+!3cB@(J0*^Zu@HVmtFAN;44Pq?!MtbB7F3tX+2PQ&x$ z#wsw5@T!?YRPvVFd5RX_%dNuNXw@tK+rBTi1aMk3)%!diaDoiD~mrhYu%Mnza`Fozzgq$rfVc^-b? z93_%1(RC_LJUgR=Be_&@H9UcC&)zjKgp&@1Ug4=vs=F9bWNc&f31&9?5rSfe-seWy z+f|h&`qBN9cq0R%0;qU*DWpHWDXvd3`~A%uwfP{1g=2X-xRi<6$c#+>k|cpgW`ZP8 zMPAv3R}8}ZJx;0%6WVmEx*;oTJLHTq=pMgyik&1dDxOU@RIJ&8ciP~qj4e3eTH?=h z2$M+Pwq57M7RpX{jSBkGSwRg&PyMB!6LObK3(42W$&|$KRm(nS5vESi&KHH!?}6;E zUde^Q?W4ywcZ-dV&(vie;26Oe8%V=gXVzC0>R#}GNB6&&N4V-~P)-hJGm0ax` z!Q+)vf7J@I<25`ww~R5SE)53Udp25v$j!%EC}TU0P(Y|K&9-0&X_s@~z~xw}q5**r zRso_}cp{Qr(dx?8{n%-Vcjzd|43cbr55ERi$ay<5ZIWPaZT5~*zB``jot1DWq+dIZ zF*gn=+3854`?g^8XfdJBMPj;K`5KYvv8h-*Fn0w0j;JRyqvBvI4K7Q!P=+4W^?qEu zEG$R$=JEdif!5~aSU0?p&AX++lZ5~*Bgb|3E=7cC3OGmFSOvN5iX2*U<>hdsqPhp= zvEw!eB9k9|X;>C^eUt-Uz3sz&&3Ko%y3bym9cQd1XsKmJm%#8`I3|@U+GcTld8PdN z++wzA|4bgvR$~O?*<_#h`k5JmCF^T8SwXD&Q4!sm&E&hbXE2Aafs4OQ1;CIYU?I%yW*xFPmb<-H?Y#=s= zMHLtDB_t^0C_4TYt8C8ujp$W(LCba&AnvdW84GW_($^W!mHMk8#JeP8t$rFp(G%<> z>#01_+j0_)*F+zYCRus${R@}x6mibew~=dG#W}~|dBykW5Ez)D6d7fgST7%pW#Rd>q_ng89PLSv zTvD4H-I^_rH^pxnRIJdf0?`WC_Dht@*!UXV^EeM2suYqP1k)ijK&IA3yqHI<+5F%* zq^>dD%*2@ufi~)izQU%x;izj?>__Mrq z7Dt-a4W&StAjWN5@$6m9XAj)?La#dWFO-i}9v|lh(`nX>=q!YzI#t+K1}gA7upd~8 z0tqyZT&bKc=eHF_LN6)r3kxcj6ci4<$)u)jOB*GAN*xc6}ra-DM)e7%H zoR9D6#~w9ccc>VGCIKq8Ea)S7i3j4JEL8g-GvS{f&j%>W4k~fUA99iEU1#^u79Hld zcf?Ig9!^v^x?VHC=1aX~-9Jfe{UdsO4%dm;tA1;t`+N|{T)ByoLo5D=xgyXk4_0HB`P-eFg zuP=D1hRz33$QI?HI}M=9nBwp6jJfBA?Qyu?Ij7%L4cW)y6KQmLkXv9Z)atAA>0%zs zj2X{EJW(k{uc;E|DTgJC@g%GxrOU?3IOTJzQuJLjCqHjpq@Xki&H0AEY@U%K>jAH! zl+$#$^u}1m7&NVA)@=4!yi;b#kg}JrSYRPtpcAoLjbQ&!HyzeU6}`so9aOAX>P$oK?7lKU0_P5!gTuTq)stR-jx=b?;bi@A$&BlE%Kjduk&!6! zqW^8Fnw#0KCD4{|y(b#Wa>KZ6bBUBh+&Wx8qHH7`5b8L)RPB1?iQWl8bWmA+?hpmC zFnmBiyC8xGdZ&iXE(5%@K9&Oz*hVB=KCrlHwazmID3ALzk-x$l{ zMITkgZBmk_<)ZpXC2BHiw7Mc6)E0_?kMWGCZFAJ7y_L;5<4&}84b0%pdJ6?+ij`Cz zpdgSxAtoxfBKgb}XhB4B$*p_4-;kB+0$0z^UT(zr&d&?pNXTr0d8YFZ)|z~8B`U(| zy3VK^qR=Varl#{f;G8`<>QtFb=SSBF+sr<=y+E_{pSjhm0Oe2OS~XG=F*d@&>=-HNRxgSa$obJ*C5viXJx=v8P|s~TzM(E3cmtO_XSksS#gJWpr) zr%nSDZ)QLti%SCGHHZ_cW36~v=IF(b4DzcuR4`dUmnsOCn8-A0M!qm>qQv8rnD}lg z+X~VZ@te75X$SK7b3)hJ3X9OGp7a$~991jDZ6YJ70@6!NPf*X_83#ww9tI5u;TsDFZ z{OD{{8RFxl{uX|iiM?U=9j5rBp#ETKXf5CwnVJK=72Z4I_st@3g<#*78^lCdRKn) zAvF?djc_H~+Tw;Qkd~YgXH9jJ#t0(=3h5BqF$sw|#_VRwZ@%XV$ z?}mkyWGVnH`b{1#hX-AYVZ|FwO9%jIU34yhitNX?P$|W)f!ki6jNiX)z1#4c#8cW= za!jxq-e{anovFj~;FZa9R2>;UCog3u4p`rXS&)F8u9D!&+7RxmlXzBc!dS&mGL4t8 zJKecYjY@Q+H$lf*_NX<9EQ&*#FIx@Sv6_c$U{m3Z`A$tz$oej;^Tnqr3YYK7k&pM| zS)cn|$wT?M;~6Tblo*34@dU-ENujK>gaX!|ciB8AUA2!@D1K_fM&}ZFc@>HP z#7QLxoAUaziGjf5l;#YD;5#P{HBv%U z;y#`&QWdR8gSs<@V->0-ndiVrYLYniPUL727nxK+ykH4xb6#r13ySWlzz41XwtJzy!{WH%wVd7%_{y@IxAE3w~8hTt@7 zNv0#qX|dhptt2DS^P!OjUZqAI$B~cEgvD$Iiu&iO)a9QkKLUSLx-9N;1fmOpg-NFk zf-3pN_n>+g0F@+N3~R;Z5YFh%n1dn=mL@yKxpCs&S|7E<^mpVZN^C|`@IP#ibGO^2 z@8wROlRXATt8~)r85Tkjwp*w2j+8m8^l~VAuV6XJHC}3dv1RAoyk`dF%St7ES7~l_ zA(fP7FDSl+R*UD#H(T}I7a`s_d_^R9!Rb_?Vy&&ovPGmE3nxdnnxQWm+5KfF2JodE<*9mi$cuPVwB?;@doC*Tm%0)D#>$KC0bEfq zLOPyMG0#y^biVN*DaB+7i^Q{J=8}!O#SF$ZSs3(q6#G6;(5=el#q}_0TI6ESZokMn zzbY%)K6Yl?HEEx_aV2 zECCMFrZJ0)A7{k{F0Qn?YbRe89B5N0?hx>3AE889)>*7Y^2=d* zO~%gf22LWF%Lc{E8K!BRxcn-$Ai?hW#E26EANzGqQ0lui`+IBy*4N~#e%=(pEgotn z{v7?aQFDYM-y6u0tS&X-!cag~cyUce-5i&fFIcU?9}G8ZEw0synWV--aC_RT{hXcc zWE~PlF{S^g1?;j*#=A~>>6u)+^>OpqbA9{?FJnp6$Sdm%ESr@Aii(RH8d*J6aUp0d zp_$ZQzj*Z-aAKgDbdTSzx@{8N#EPb}FDzTuM39b5o6lB-kAa<}jZpO2_gTy8&B2OQ zFEvH(PLYH7BP3qscgtt9&GijxzBBDd7+7dg3I+YIdZX)S-c?Ni)^-u{;p>b~spXUM z?;a>f>Qbw#_j&GI+_F*54PRSC-ET{tnw0okd^0-9_r8=nGQKmFmNh@eKsjFPH&O(6 z7;`y;_n_vIUf&@{d+$9H`S_$cI9Gc)ofe0{PaIZHYF1+8U5ZF%{kWC%)I%YAvknQC zkgnHI<9n(^O&R^Vb?ak6!Q|&0IUi?JoJ<@Y!?Bt1^@l!7)1$Zp_Xpyf?cxLFQLL+? z7t}XCph(8D(GJMX=?X1JAr7i!LKjM2+uQ>PWU0E^;m@f=HCm!%)a;Dse0g7RcZ|Mx zOn?UO;~v`Rzsm+(6D8DL#W^n#nHK`bXSY2MU$orY8y^arT$T?^(Q9+rNfVT3x^ynp0OC%V9$Nx62+99fc0z5yc1rVfyyN|+GygdiETrFX<>e;(g`n&?S?RYidCC;zuGdmE53m5b!_7`5S@*4lBS zh?TNf8A$# z+0Z{P@7^dV>`xU2#^_&j*?qeFrAG?SQ}B1;Ja+Xr0D@#t*X@UUVo=r6VRWOZ?5Ikq z{zCJC7ex%`Umx?2YBd1DTLwVyYX7=3JMy3S*RTCt#7y!vpx2E$=U^V^W~KzUNTz?L;mB>?*P{B* z@B0V|Eff$wUedRhi0=Y|^Zx59$8|o(Y#?T7%l(<*O{Q-HF+~F#0kR8kRj9-&=A}p5 zl*5^xX3sG*fn>tJ6vEw)Fcf%=uYz&#LWy5@BAxnuMP0U_gVs?En3VUGh%}=9atoYC zzWbco$F<~uejAKfT&W|H&WE$>e88gJ`n(ATxs&{(wObj#Pm0oG_89~!s!Jba_vDKA z#(MWzk(KtwRq+b~{{F&q%Kz?(&kzdO7KDWt$|UBnmNtL$uV7gJV=>i8 zKS9hnx4NN)9!@f{>4w_%_gC3p#vvyApVzr8{BO4kQE&|M9W9h8V_~i4_oZxREE)WP zJZhD8Ega}=f8^Lr{TqA>u^1r(;BfBir;jcN=u7P$EM_Bx6urf>TmO#(FAQQbKR9=%z;jY# zxW8rq@m4124o!9iCSN^!-mnub8Cfo(Z}T&={?-5YeofF6cu7!bZZHgX86&B0XCnz9 zqlr~5gLeMz#)mim(H4;mtS_1Tp^fHfqaIg=+^+oNjY|0cV@A4o^IJ__*x$YoG=6ksN;-2vF^{@kC9Gta+6%+ zi%ajq{w(?m-~KyJ8{7BMLfzztn!}>>&6IHsTx@SEFXyxV?}zC^9G1Ktoy4=|8*%cb z2s{M=kBH4nEJy|htoZz^{qMr{kl$XFoQTrk6$mxk>0?fxFsR*%1mP$GgHdV&|9ow? z8}sixOOfq)HTs7<)NdcC2{SvMiTnJ*s#bnY8$~zxmlz~u`}fIVByV=>9`^|_=5-CP zGk_FBgZ4Egp>OXLqC+@bfRHphFP(6P>%4 z{taxy6y-iK>OS5I3g*Di(R3{Ddr$aM;wkGMV<|}n2ry7)a zdn4!>0?r(ZFC7e4vY4s(tsmw^3F6_5I02C|#FFW|~hJ@iirUJCD8bUGWb^Ry+ z6cm@2mm%T}3;ClF|4!fd?JXf(uQw}q?Mm+4t;)1L`X7N$Q7hbc0?{xQe>~Q+#P7Vx z#N=M+cGIn?ZD|lrcA6?>WtEjl>vgq35C7ls4!{NQ)=oYokQ?F{%j6wqjIplk-x z=XQAGRJo$JRqlxL=c)a;=^)s2h`a2Ythv!hD`<5_usPLEar)J5zeQorp1s5G_=o=E zJ){HSw-lp&qu45D>g}REH{V3)>ZbVG;+ZW`BL5Z7J@4;5A#&q68ia3m_hZu0G?9OK z5$aicHHsqpeIWkxBC|i7kyI>r@Jkp%???_Aw&qMr z%4{#sY~oc9>kWbIx_@+OqYEK}-y<%A#|izCECKQfUGqH@c)rY3i~CLp=1#k!E+=$B zN=2+@pw|{T^1HYgBW+YDu*w- zqK6x+!E2YnpF+T34I>%7rn6U`qWe}>4WsoA^1H_{C%J3(`*o+Pn3(s+Cnt~*6`PMY zR*uTzeX(uCj_>{oP?k)?Xzkm32v6QehCQ~nffPSJ>}yoVsSdii zDt;8vZLfExN5JT#W@m_i%x!SiWE_{faK|S6He@|8G>KNB+FKX1Cv}}JRMO8E+Ze=Xa_*usGF4CHS$Y2Gdyu7DgVa(aV&>{H>m5-;YvU+hd|Ler zQzS|5j6V2$g~_?OqT>DBVlt^=S6_WoT3sm}xAN6ldFU?!Bt+XCJlVtv39BdjqlPqU zqN5}urM>sKj3}rI_g~%ls5lU`Gd%F{#f_B{rreTlH6O=~IX4MGXo;FHg=Y-QoqSYY z*3P{Bw4N)z>M~UEse8r+WhMq$KFNhvdy96iJCkUy)8Y9ok7+@H$gce)r~ z3_>NVxXu9#$E$Kx10nrGj)Ef%*aG5)hPCz6v{^=@4VWMWo-9hLkwM2u&C0Xt5cqoh zNJpK4KI1CxE@E;i8Cd@*xFlDNSH9iHMwQBf9J8bg^Lu=JanYH!UBZ#($Ses4*8WkR$!$*VUxAK9T9AJ> zV0sa=<020?T+e%)-!%KMq4M(3URhsfT+tO)ca8GcjrjvZX%BC1h=`^kA0n-%vHN|2 zwLc4vaenHk)5~hygM%wLFc5>-ir9NTBX4v}A?b+EbR~!%7}~!Lc^BmKAPCu=r>z_Q z`%4p=Si4xDVrt%eaS`Ok?B1vX-IeO~V zIX%5~V5DT(B>Fl}mZ3R2e&U%O0YRo?2Y8)l&qbzcH{)JTPO7U9@(f0Oj*R`<>s5x1 z&dQEq3s)QKyBQ0ti%ajH54~t_Gcc}v(8AVo2FK^H;dY+*JR@jWFK+qot5_{Kq?Xr5 z{eh`Yx_Z*s)LP3;d!PJ!x)DeCi^E=ZJuk=-iq%+YuQt+CwrGK`s2*sUO6rZsh)vq- z3Jc~g+&ukh=|(#|tgK?R%UxON;IzGVyrzrHL_r_EB6rDzwXd0!pimc|uFO5}C7wZm ztV2*6;fkMNk;yG0=?=(5UGF%gqseN7tz$yYfB#2}F z=yHS|G@`~*BoFS8`rP(6dlt<7x&s$!a?vfd_Hpm~b69LN{Ikl(-24I8egSD8W(T zv(1S&zAuaV$4c-ao_c?($lv{9V!aKOHa+S~u%v| zFVo>=M9B3To}nc7zvI6T!e_v<&&^%av}PUN3F-kPIsCRcWio0p<;_f^%Og`Sd%Xk47F9P&*OT~GHzx3f=BxBbqSDp2rQeqeO5r#g#qZE+o{4BP&fE#}Se-iENd zWoZGj!D-e9PmZed9wUnTQ;*$aufDH^JA&?dBPgUzAXYEP7(;e&^9%SPUwqfgQ?W}H zXKUF?h>mHLD(ZNBtRa}0M!lVVaf-rw&p{@LCP+4=_x#gp$Z3xouwJF?`%(>2@7zD5 zSg)&3=Sf&8fHp;b>F?22y>O={A>Q5QARDBUtE;Ezrk^Y`oVNjRYlgbrDxMq_*M4R% zm+2CL!QX4#AeH!(&R0SKO*P=zZ6{U*YZ!bT3ZE>6k%Y|mqa3{uGjjRphf4uEv)?BV zzh+W>4~nI)xm}n07x8zNUtZf=_SZ^Q`I;KOC2ro8;R)7xF)lN~#4%_|rX`Q$wsUXy z-C~Kpd`bL)x3$URf@0I^Mv)bX5_%7F~upPuFdba3nxYxLmra!># zeKR_!c$0xPOUB9G*( zZ9k>}@Dplzc}2j!wTu+Eh}X;$D~gm;lNEpKnJ3B9IQhOq{#brujJ#aXW@~S_CFR$q z82D9SvOlQ4T7A5X>-#`ow_XvOud>jnr+{VTJAZ}1NICz>9JQ_bz8pmFFs5GA6bwqL ztu3(#-c*2M&kUundCLFV-*J;x5586n7{t!J$ZTiWGNucb8xR65PL> zbAIRlo}2F~x!7y3J+o|Po@dQ)on>Ys4*58qK8zcJ99_UUSQt zo>2gvRc|@{P6|04+16NO0fIGIoU-t@W$Rikpw!J`+&`s}Mfa(NPfvyVG%LadL6TeA zCVHh~y7-uuQlOjXd%BjZEYAZW|LyJsB2vOALwlKmspb>**gpx2EN6)a?3{*|CZoEn zk(ApTu%Ae@ujM}BmNX#+69IvP%yrgtf&DQOcl!^NIG}`8HyID}i=+)chyC@I(+}Lt zASJzqEqjjY@AGv>ETPP*#P07oMIA^Gr8|001eqhEC_-+)0eac7E&g!stNZ}TqdCxZ{d2Gr! zOrqt)Cvi_wpMa+)PsuynzmiF+CehcwzyKTW}4;^^G(sXd- zVe$RU!MDML6J;#>Ad4QxQ%@{jjnyZVTHYg^2D`rDsoIGWWJmNnz*t?F9Bjs`_q^L8 zby^;!RZj0YKaaRQHVEW<*)^hNeGX0;li&bb0ER0V6LU@_x*zdxZ8BGvZUkAZk8gqg zQ~}ve-3Ol+!+}I9Cno*JMw4{_(Q-|cru$GuUl_8Q#dz0O293M5E%hbEIAD5{IFMr@pTnf-&mb zAesYZ*DR+HvJWX7&y2}4RL>*1yVzvhr;Xj2E3FY|3p{rKa<{ECaf2)Bd8}uD1fj%n ze4q&{LQA+iszh0wyWu2zlP-X;!VQbi3y;l`dMdh_6tE)`Ft>p9rY_wN;hxx26y#ZR z=RBpyG!858NA&O6~#D0afU6* z-DCPjNZ*rLu=%FmQ(*{t?Y_kl6Hemmdh=!cHlZ{=Xz?5>{0Qid>{wThny-eY_TN7 zj;g(^vzw`s2CVsRk-+B5tr`caU!xPJ8{MsQ;?s4;94J^6J0V*%Z`l+r=YNZT6)eA` zgyB-Pvu$uqw}a=deBNF{3qKqqb&;QKHTekDIuH4d|9+gp-`g%<%T9f82ZzP2o9r;6 zv^!vqzxU><_K+!>00#AEIc$cs2y@zAxl@O(OWux}*I_~jY}j_4+EHqDvcc#5Ri4Ky zYr*r-KI^e!&4&liay{-o65GSj-kh)4AXDzT(%MrNyV6;|RE5a=Hx3 z1c%P<9Bi42h?)twjUA49`=iy{dO2@z8r8L)dc$0t1#0~%{g7kxZE0%wnneD+Hh&`7 zPzT_0K3?v`O&(`w+pRYn;I!Xdo^*}Zxh7bSf#(FdWffkcnxaxPB+#QEY0Nhe82(BC zo9T!i+{rHZR1&$kH+mLW= za^FS{-D5gwItN6ws4uQNh8p-l6QfKXm@Z(BUm9ULwK%F6DNE(;jTAa*1 z{vmWn%Z}b0_KHUtFOjAQk3ukmQ9Tu#P&^=iM^ESWim@Bzk}2l+%CTs3szQ8CZ(+Z) z$gQ8ZBnS;+8XQoK%`($@KBFfwHl~1u!B}WJ>DE$_~lj~G=KM}^VhbR z^Cn*{c^%Jw$UXUdP4oIuGqX_r!3&*nY6=}QYUg4h0TsfVbXtM11l!|^Me-anz*F0oVSnP~y;Ud2c$ z0=L-8`xB!h{G$YC7&!RpqlLqyr)#pY9LMAe?Kk3GOV5<9*K?o;(`b_M>2fr95enHq z2$-jE)QQM>;}7Feqr;VR^QvN1HWa&#i!4#AEZrnCA_0XAU+tskSC*X-opjT<% ziA^OAxSUVoq_j36l+E3XGxcccqraS46(N8;t_Bs1_wKp6NkzA+2gxOkZkP_Zv80b!=r@A?$#Q~WnC&-?=7f_D4FQqVppf5 z=7=PoTgTrfB{?(V^)R@XgF)r}myYRGiirmsN@I2Sq}FN!Du>u0jBGFKxA)vWUT29{ znWKLIBUx>p2MyQ1J~J1|jq3U*+;&wq<*VoC6OrJI?cWe?%|VFYJ$vTlu4L!ghC4!e zl~Wi7X6j#%mgg^Mk30GHeSJd1i(5Dt-FW}x8{!(VUGxp}F9G_MdzR}L>)mLof(M{| z+v%$!-*N4OT+PUqNAoG2z3KpL9cg-;x7qWHtn~ECI-i^$t<+3Rh(s7uCJdE|Tsk7^ z$|`6e$M`4L?Wiv_M#c_LL^q9S`6Zi3@fRIt(u=ujIk65;87em|&`)T$u8l#TMJ3Z8 zmMFTBSGByyPjkffT2`f7A3vdx%~R9&PEZLNi(KGRABqd5d~zgb1jLJQvxPPz^J^T7 zOFw)!Qq0ohyekzbit|EGo*9b16`-Kx&0a{@#}?y7pu~8*U*f_m`^36z!s z-H9lhW`QqT^&J%FGqi9f{Sh$77B}kvn2*9zLRW{5@=oIbghu&YND=J3!Enx5g zn*tG^8&e~U!?F&-kqqU+sbtIYH?@TTXOIv3hXjQ{_uvELHfGwP=sHK88uft#1_wkL zs(3s+VnV{92L(d41Dr2E<50vMmwHwYadxu=I)BG?>~0<+G_Si8#%;_c>!=U+I$e^2 zBK-G&{d8=W(%rJF8txW-QWqzSR{M%7)FOPyDis-Zj_c;B3s)lR5Pi7od!b-M8x8-}{lEWMq) zk5hep^D!kU4_GMQ{(F_lBJd`CN+$v)`FO97A7P2pedPFY+~T@@P=jZ;Qj_?sawQeM zTM}%&ySr4gMor*nvM#;Ko z*Yn_ca*s^5a*ZG5&xw0s$KS84C*|Dz@zRD_{G~2re1Z1^@RU%oqLAoWvlP9h_k7al z=;wVO4zA%*MYt`ec;CVTC^}j{Fz~S^1D3`~7ZMN;n7wwAvbo+8m-BQ);byp!gs@Ok zQ%8jVCCViBk=6Nw`0bRKKC~mST~Qo*mvDHy_DtQ_@Ydu7ezFt)>4JQQPj`R7m~3JGYZpN{uhI`k#Eh1bkz zar@sdP7haO_ZZwO6;@D(ZWuRu@Vn`S(*BnVAo0iFwDI9eWToIuI?D40;2!4wm!ycT zoDHKN_szvkrRm~1?e*dIG8c!!R!H_XKFOF9cq<*IckXZfPceUSi3kA&U5Zs$7(&;y z`Gn(@Rbuni4T5R|gO3I%hkR_Qj1QI7Oha?Klod4)3TWs#M495JYSc?izh3O={h8XB z#G0G`CXh6IPTxL(X@0(DU!9}GV6(*6ZFulydj*uv*FdT4!iPt%V(Kh``#Rf%zUub9 zPKsP~Q~E*cBVeYJjcS{lbdvU1X4TO6;nF#PjKJRR6XCw?>B<7cZ^R_Pd)i~?D4iHSVHA4NuQ9<3e zFq7Lm)e~(_P*Iyvo^1)gvMr8u3-b8s_wkV4^Az^G+d>8O)DuP{$(%RS_Ha)QZY{F> z%Uaaf2y1Gw#6oTpkuH5Vk&)dwWjY|2-Vz>RDqU@RLm_4aPavE|AFtH59FV;2B~>J6 zXZXO^vMO|;Khf|@+QIM!b7hX)%65HJD{QNjA!oBdY6j})g6P3>Wj1v0+RTGhD0@7f z5+h73v~7Ove?!p%6NS3%f5$rM?L^7I<_4n`g+BS2d-|G@4Y-$=aVSwg_GPo^abW%N zr|}&ETjlYaqKFOJy6kVNRtXxuuYCwk9x}}?-u>mpX(_N(;dnTkk2Btiw|iH&m(1X( zWf-iW6yE!?Urg+zr9-D90P=ETo>_m)V1tk*y6s1ESqjt|Y039ir&)^7SPQwWxOOGw zgf(w|3=S9kn_bv?#cHq1lUp)4YOVAUN5zdEaHN04V;ixy{Q=Smuuvi%8$GZJeXo*u z@Hk4lJU?H1eC#26(;knacMzeXqkJ(x##p}t~kMf4eD zWa*x%!ff2Qz|JCV*>@FUX@WbHQdTRmL@v%tUbI1i5vJ*sl%HQX0Z860jKFc=4T^U# z65yz4rjW(o|?da!z*)Wi)N|S!uXIU z;_MFzW3n+-XhEu@>2R8iPEtakD93w``Yf8m79#Rw+0)pGTY84zuC`&O=m$Q(z7|r< z$x1Io%oF9E{V=24ME}<_1Z^r0u@C{T@BCve;{9t7*Gj=297LU$b<#q7Pwb;&bMTga ze;mb^t^n3igSLPMrQ_P;PxQukp%)iNcPAY87w6cZgG?z3w@JpeKmF7iIU@H{VERdOhq+^FPK zZ!d6*T+Jf-a`j0X@a0=TY)1~eiv_LW z<*H3}-SUP?B6b-?$!x|u{MLj~fg%A4GP_6QJG5${dQYz=Q&uL4 zog$e6XA>@xnw|T$cg3)V4$U3!CE3=Hk~vL%#=Kn*6JCTp46kH7P>;?datB@kCuPep zhNFr{pBNxpdwVRDz%fYXa2S*Aep{CcGm1lp{MOT_xyVkyZZusih(SgvHx_(10@8_6 zB#O$s_4fH#CK=8Tu^*1aHZK$1-6Q4neE3+#_8wbYD;l#*MFyB%Y#iTC}sO(=~TPO_o+~UH*X>cAGjjIy5SQ@Z?v$d&+RPW=|Up z{4K!|F-NEmAx-*5F>1jr)aDa{kKG&j-peb5$QOM$lC;|$kY&}lTfM@fEfd%GP_I>^ zk|q7QW4*U6r$5Q~#+YXXdIgn$r*{_fBG`(+0}!Dl^S!|`7N(ZQc8>xw?b{Q!YLE$g zC;Z5LwOZ$no1Z|8M;erRh(!6M)49`FU%nYPr}iaaD!90dw5^hCrxjrp19>%hj%Rov zHZi|jVwCUv`kF;=tVj1t`&3|D+-GAd&DoC}8Obiazlp)u1=^*O6?0#Ix{xGWXRcXF^A2PaSgyIcIDV6RFDF3NN z*zh=XFMYLuET=5<2xd()lKi67n86G zj-W$sLcI6O;WIMuLQ?8M2lMb$Cm*BeW+Ws!wSQbq8o!I;lGFYJD#WQQ{WxsQje{c? zc3#MVp3I6Y1S!{V{jq~-RJV`b3R>~N@^_!%Pwj`FzkV*IwVB;I`d%(?;VZ_eVW zIPS~)!$%)W5#3c$JFaQRL<14l{B=mYezWgy)*~)@H`#Ee1H04A;61l|k;6;u$LM>& zwSO+QAGx6WR}d2(%M9>W$R!Eil4q&7c5ExJToAT0N_ z)ZmGEBVFemH~ky@Vz+pho12TxkEOEu`~2AIsyHXt>x7f64elxYkuEJH!RNbwM^CUz z3WZ(Y4}iqe-o*&a35l#3*kWmcB{dwBq}7gbKw z+R6lsQlG;ZdH6q{Q5NAP;S+Bfy=qY3dB;hs?V&SdjK5&{7Nx<+zh|lbxPCX|QtDrF z{70PMoB_;+#9{!ZpxjR{Hqo*fnsZ1R4>tw&3j~%{9~H8p6dYTK+FvDw_PfQbbSBmyd7raP);`Zh_dUH`Tkr89s8~)DpXx)36`sW6%4S5EPoGB;o5k1UaO0`8nn^_m;A_Kdii5S)NTbg9?%T*O{r;;Z z`%iOL4>vu}y?Bf3K(M%j0UyJE1%R9UF+cDaG^6I~lYWO$7}d;L(Zw<0_2m1ttW}1a zl#NxE?=Z!YeCj;x1z(>YOuNV5JRz4umgim-|BCwW2mPRR`h^;;_ocQ> zzVH0SM*sPVg!X4PW`&+)nP#+c+$W$Ik5#VS#OUG7<`&@Yl=Y1EA1M+(;bZ?a`TH(+ zeo>Fj;9U?(3sZMK7Yo+^zUjB%YsSzrFBAjb{Ro@tH0H+zqn|1J8QlNBPuZ`*t8ngJ zLyT7%%KGiBOaA-eA5drQ5Y*5YPM$k_*TpZ;%k@#2H9vI#Q_tFA%Ks?k1F8nqzk0-W zh-q?jV4JOkcpIM{sB&lk^NvY+WQG2{m;5WbA&W4V@Z){YT&-RuR{;TQV5(6l4$b%V z*0NDg>&pM>)a+lK?yh%`wXfJ!5`r-)T-!tz3WxUombHfc^B8>IqXsY$_VBeBEJZAx zI_0Y6*~J&zO`N#q&zDS<%xRbNY5dSE{sweZZ*WA;QjYq&e(031RyJwFqg}zb=crqO z43GrP71>>$6wNT%FGBLk@r5do%f^aWyqGK1%f9`Bgg*#HuHZnJAd4pgAxbv9Br(nU z!n(nL{48A17h%j6N$ZWd*kfHl*162$M?2gb{0_n!HmJevj*~$01ye)8XC5=W?b=)2 zttiQ@BDF`>ts=(jVhLf);@T&-2&H_bEmJR${%YOu{NlFZul5yk0V!d+=nxF$Nh{ux z@%lru4f2kc*!_JFATkvUd>HH7Hfc{?ycG8(1bn!E)b~$%7EGhLLUBp&(HmYB#0VhslRG;*esH2=uM=5sr7&I>fiRg@&c4= z_Uj#{u~D$&KTPvJkHjeu?x4jHh5)RE&3BA0_x!h7tXgPu7`^(pG@P{$Z(mwO5dFoU zqg;LxrRHZPK-ry*bcFF;62kqvDqEH41P>p{^h6AwWn%H0s_a@b;d%M}n3s1+@WA_v zkzOyGciR=BP3dkT06HSi3Ku$b&L>_?XRTmuseb=dQ)bZ3L`;=G z#0N@L`ST$Y-uxoRbZ@{sgzSNTqUI&tl%2znDaVvqY~Y#gEVbXF39K-50eb{1;NKZ` z|K+h5_hKUiJJSsqZVI|@ksU|wB&>SWfESwt8#GJ}J|#XLlRbDuPh7Owwd(VCuxoKC}y>PK5#=4D#2~ZyS$+hRKq`ot4S>yeoU{aJRp3kmer}hXC zN)})=w_}9L1g$HD4QUkKvOMD4Fq@y8R)%B!VxKTCpJ5bvjs;j7+3?CoC-!!Xqn{4fvqAJo|M^B-YQilODSQ?W!=i;T z!wiPFw}S$RW`23?uciSOm_vS`^(jV()7^-A=)ddlc9ha5_*VMy0cB@W0te-5NfkPmJ-K{Lw`%-vcvcXu?WxIa!cnOU6;DSbCF0 zDpe6IC-QBliB?6cvqcz(0~bmPrdj_vX8w}A{rJtf{#cI-O4Y;WUShoqUZ@5dX@5Lw-r0&g6DCU9s=SFcVB( zhe_qPAyThK9DR&xmRJm=s!f2DuiWrj&i4O|7x+)EG%ogx6&F`+sTM=E+Ot*!5nFnT zCL`LeoEF{dxljzNv!jTMhLvi+3&^*_ARgU+ET2jx1QX0Zab17Z#=k`n5zNq{8zyt- zs%Z`<{w9AtCW)1A*oe6T&e>_bX}7V=;gS8Pr48Hbny*2I61O&%`E=tK|6$r~XG+dt3ofx@6n(>tyFj`Ccb!O}2J1XN7h7 ztIltp2|}DWN_Obi2UcXNQ(Ac_(`Nsp-xO3cv;D6(@{z{olCQn=K}eC2lf3o_>FL^7 zfy)U!{`3_n+eYUBBy&=4}tIcB*nO;i+nIRVohe-m3Z{uu?@ zfZuc<8q6w3Rp9`Ma$*Vkec1_F*&74dx9{Ko{oVaKS+8=J=|U~zf4*2nz@S%wm>*2Ti0ZQf6o?L%yr|Itfj=cVNspb{Ib#T4wUEdyf5erz7V~A5)ae z9&u3-mmb+ysw!lx{ZI4^K5aKMsK0*a**eo}5@r8g$dw6l?49X($_Ug=%u*#632$&? z&Ws^7T}eiU1&y1dh9Q_z)yOek`fTG=9xtBOuBxwp`9~37$R{FJlGkE&*ecvv-{f0d zTFs*Eo92k344iK*B-m=rrmAs1?$YQle2&~=UM8*u{Aa8KY$HEOYht?dNfgzewzwe~i_Lh51BOq(n z47>w20+b6w2w>5gzJ9IG$)B5+1aEI23~KfITlH64eJ8Ei$fGL;!id69Wo2I6NHowVI_O*>DH*I4eg^&tjbD2YOF519>IO^!*Dw#;z(_gYmVTdLy zI>ldXWLrZ1OU^zTI^+C=W61bH4gZuFjG;(2=5@_YoGoK?2A@>gwnwCI~GruZk6 z{z<*qbYTY=SV70*FojW+Ev5>A*qERYyd`=Pq^CayR10mQSPClxhigsaZ+wOiIk-4| z>E-06@R5q|c8yq`u0QlVtoaN{%pcbMvD#A0rsN~4Qc$B(P8ka?9#J>7-k5wypn+7K zX+bNR=z30%U59S|E{4dsKXq26*L&6alqs|~&LzoI&c%G9TH>fpDJ(MVhvoUa742rsu9++Z=<|=_?ABIV(s2^fl;x9-ck>Qt}#HK-9jMQi8GUSIm5;}sT`=-nG>9wDfYhxvL&wLul&t5t3O z4XnFIDQZpgOT0l)F+4HLRCE|9V-*3<8%w1%67O%dO4Ixdnw`ZZMQE*<)8Z1`@4L2I znF1FPuw)SokO$F}oH?*vX~jD#Gu++XX+xCJ1M4?;T|Yh_Xz)c_Ft3ZXmz+rLq6)XR zPTcWz4z>KjwYnIT&A2UdD&e{HCjHvv5PQC4QqTNUvS6(biD*|_sxDpQ{EMb39Zk>d zaN5V|d@AsM^x~ps$pHFcTctO?W-xZx;d8+a6NDR38lLnDVw)+ zWOA?-+LJv2k66<(NPRR}wBu5c_J&c^&F8Cl$88x=GUEp4Q_@W6|J@fW)BLwcXauT8Npb^2^@7=b-7_O z5dhxOyia5CBxwZ@j=pNCmxapxn%kne4a7AiX%p^m717Y;_eIa%1@D>21XaZyll?33 z*%^YWZOJAQ z-Otf_=+vm)Y;PjWda5&y{BR)cJzq+UEkP~oL|pT0!(FlmG^K-z=mQ^H#y3=<42t0l zh1T4Gh);`kUMPqIiqx~UalO1Pa%4+ki|4dQbyfj69fT|V4qG*;{WHA1ozqKWIbaJTu5$ddTrKbV}gh;!?ep+mZlpr=U7(Q3-ZzhfqGgs=uiJ~_jnwQmYRk5;&a;K8moqUDW=PLN-O{L?G{plpX55eep-#KQIm z8iOj^zIai8-02FexQ*%Xv?0{lclOed50nj#YvV!e(SM|EUJIP` zGO-LE3#sMeTKwaJz|FY)D@MOZde*xKVtvQjl(aoIl#5Kz!OhomEo#LQiq0VHm;4R*TIK zNIMMCy=$()2X{G>MXCmwA;e@{UNeI#QHG}G$6W|T(wH(vLT$Ztq1+-8Z{MEp-L@Od zc0f7r*OnsB#J!`8Vg;>LCqNbcr#ruD3Q(PQImE6ENbaqhPRC`eDulZOvHXh_!uB7p z!0rx57a|^Yj$a*k1U)UM?8g7j6$Hd(C<(`LaN408rVB^-T%h=h@UG5)8Jl@r#-3aj zM+@nTHy8fmd)tcnOi1je5en4qk*4@1OBeISEVlUx-&~VQFG%03ar!bnX%Up)1&xzu z)Ovt1;XNUUF3*AEUi8M6vjllCuD^rx^yxAD(iR9B@2BCI@zuk<(NFCKquv z;83mdS19YhI-k~As$&3^0t%*xRJd8qQI(e6dOi1FHFUlJPTd- zMFG$~p*9}H%S--(MRJ+)E1kBawGqVgVMb!W#13@+^KJwCA+g%{*@?J>b65e{9RyEI zka(0iZuN`twY4)@_AJ^t{f#F{%?LlI>GVvma_r7tn&*+%@1>3%kJ+o`YD);5Eah$~ zTNRt;jL8k0PaTc&iAcCFON0B@t}HZoiEppwF>#LW6@A|_GqtU+cL!5siGI3)XMZ@HvRXC{}sO%NTLdAP51vG}{_jR(XyiD^QqG3Uw z8@bOl#ihTrOC61VY~{fupzU|QaKZb_){6py3hdynQ<)Dl_bNwj9RgJAD!^kA6&vSA z>`lSqUWlf+MwZgfJnKUEIcLX!I%73!zi%DUyw!COekb;RbOS=$0WxG&vr?64s z>5|di`49fYY)Hgf=Gd*ATy#uCu`z2Z5y3#{H?%>A$5(z1Z&i!r>L9{_6cs^&O%DwF zFF#dgXYA9GV4RGA0&F%1-3LBlR|C)5KPY%bRmStP(1X$R=(jm?kF$(O-a@i(<4m;8 zL_QnR8L>AP$$4&Ei(t9EVk!9WUoHSD9e9(k2>4U^aYQs7`vrMOF41Y>({daoykPb* z47L_SOw1iuIYgt4YVRngMZ--li;^7XSkM|eT2a=ZGYOROkJ@kVOSQd~;r?L|B+ znKRwFp^11zB*X(ABNp3$of#2d$&Vd=b!i)95Td8WF|xHgR!7Hg+;>Y9b8J;|L9_u! z5^#cas!&%wlese7#$(ka{XHF~_Uq&)!#93}?Y^c-Y$t(g3Q=Ukms9hSqkTiSYVbys zF+|g-l{fBD3WHLAybAtr7smp{XPcCESlyi>wb|>n5)HZK^8GTL{zOfwtGyqGgylnTB3(lFCUT?Xj1Eq zjmM2!wXO1Pz~gB!@XSS)>@;Kh&&xvG-KG<^sRK7Qblg3GLCj;^^%VoiUwZ(>=qYwx z_{WO(`bgHooW*Ro)#LGkR<>w9dDL(YoV9>Q%p11*cPcuEC`9YKfw_Fhtxv#O;$PJ` zZbqoRS^|Sc_*2zJc1T4J-s(ag-_R7N2q*BJU`Lf%K^tO_PkoQWxaG-i6D=JUgSQEj zdeOjkp1RBRX4R;UM=0Z7Uo~$kbjsXBz}t;vCRwn@eZT*U%gg!4XYH)+{uvwJHK||$ zMiw4Ut4jgC4*s~%HfbkYZpQ}SnrNP$n9GhfUWV)E(PQ!S2$IP^LWNw`L9}1(QT3-F zX?vKib9`(}_G#XC&OAZL+n&a+uIUt*{IW!#-AKwgL%Hrw-$TTo*LWhzPsq>>v;Q_3 z_`*6EFE|n{DlHb#u$aGzL$RNZf;~@1d?Y;#8x{bQugWOt-6e8fbQOR?^!eNm}olL z@U5J&UaVHM;vVVX5_AS>sJjW-8j5nRfheUE`idRqsw+u3Ul_HWVm}!{;rMoTp0R7W zIxKIDE);YPj9Ae{-uWofRr0qnjn@rVs(40Dzb1mff#Glc%g2m2Nq$j#JQS9N0*<f@)lY9-)|(S4E1`xn(BWc%rA{hvDCr5plSjWUjZud_<(& zkMR!Q*=e2C$a<)^tu~D;9HltPda@+*;n>=!TX8tBmNAj=>66Xu*S&S+7V=q=QNggc z{#U~L%0QgRV4`f9?%5I(PO>gEyd9=+Fr=wc)F<(1!0~1egS9Fz>aAO%1 z@ z`yH&Xet~{FQDp3Y9`;hVUOdKku($YrOgOUmjU`m&^eO$98v4jU4DER%QZM)XMx!(P zS1ovK@V4|15{hOe59>oM39ggCr2A1glPLMhHMxLZV`Zqcp(uTpkYCE-A42B=d;Xb+ z=N1Kw4sG+>^LSGh?dD8UA&>mC9xVOYDGW*$Z_g;^sMEscXd^4jA%Po`Mf_i~&|NQ^6*v`rc3<=MeJ5mAtpk9TPdQLuLI72eJ;zOw8*KAD8r7i1Q3B zAFwvbNGb2K?EzU#H>sOENWV-jbFDFA_NrLc`;cN^F-v|&?_rX&7gSGK1+POCHaRQ| zs@Cc-&BpH8w@W2@1`Rvi&Cz}_7dVAfD5Cj9{$iYg9y;-_=^|aMfhni|T8cYVqM0UY zCH@XKzV(B=YZpA~Q@?TF+l)1mW&SJ>J+W zE1(eZJG&yoy*N<1g7Y*8G+8qPYMx_OSMv!R+pfeU>7|?=%NCaM9L8uoT=y%MhJL}7 zASlF9qKzJxE|OZxh~o=gMz0NOo^JcbI{&=!5`VZ3XQMa3Z=hH+O<;J%6Pyb6wso|4 z@+4-%bIJb%H5+(mkS+k3DdC0Us$@Gd1;z`95xZEF^X)(Iy7wp^OlWfg1+G zrg%!6+20w6rmO2Rp*{*DX!%<6y2QVU**CFGd=>`p&V5t)RBwv1eB82aw?VN|H1=&{ zlXpF^M8Xf&_X2%V>6qS`2OV5=iVkZv5#siQ1!Ei5MlXN<+{$J5>b|2C{Y+s)2|{0S z?#^7iPbT#U&(LVE$8Qdvuh3q#ooX^iRGlMl*g-m}+pJJt9#E*q%JjW+tH%(kS~Em&V0Q&99g z$Ul@A<1O<$hW8{5WaHh{IjDtQ)`{|1&yn!QL_S92nJu?kX$*u(`ncDgePJ70sblzR zNe!7K*5$SDgz5`dNc3vmE4!bqOJ2-ZB$d8lz=Y7)zo_~m98H$`m2E#{nfWXOBPXY8 zmGnrEG|OL+Ew!MW}a7o%`cK$ih}3ewHeq*#%g1@p6({S;6e3)|HEW1 z!$q(0HRVLn=S1o9G|{Z*9g`BUmL_pS`o*2!h4K-vEn*V`>O1?0&s7pE7!5CqI2EJ| znwp;%8|+ci-)LskSxL>@zh0~efd_DM{aiTlhlj`4P^{OALe%W>0dv(}%$Iv9b;7{! zSfN5n(5qP{b);*uv0q9T$l<)dURK+KW(4UaKn=NGR`!|m)b0@B&nxpW1{Wh)%9s!Z z%d;(Yq*-g(um+{6Z0?wG3%2hg^WsB|pFr2-C3+)h#e#8b12C(Z^2ZT(w#TL7*jmx2 zSIQL(_RICZ8ghzjCHkK)c`(T)K9m4Il7D$n7H*lonQ3rC+iRBe@%VFdZVfNb_Gy4m z$v~Z+Ow%2**fm7PZNKc15Bx!BGSn>2cb5Noq(PfIPQA+7)=qF>2yl;$ds5-+LX}nz zKkU8^S(|4SIRtW>gBN_BIo3afwSdCT#g&jLU@@;NH>^@)N? zu{*qBR2BIy6&!Z@g#?4eAZ7l+eC|7k<6PP-D}^2{B4|S+z^5}*tNR<7wjxJ)864?HiOG12)Fkw*#h;$ChX`i;0v;Ba6D`FOQH(Dwig8;`*tx(KQRaL9^ z;R_!snOugfdH?uN`kb_FH|O*lok+?fKh%_+YsrVpg^oGGZ8qA+*2 z*M>1Ze5`TNF>E8hE zOdjfIG@O1)<=g8JEj^mwdxEpzHcgOfYh6moHJTV(zNrz5dC@0!>N>BimvMfXt7?zj zPsR~2^hSMH_0lRpn_IS6NQ$`feVK98-}r^6*YGrC&%e<*(P2+5@bO2yq)`(7md#qw zw7~yiQe^?1_&MBm_$zORc8+MiHx}5hAkXDVE>6z?_?Xfuy{?+nvRDZMZ+F<|FM3ou z7%d|2dajP=wvwrwZN9jj@>_%c11xsVN#+ikd~=tmfWw2yTcal;zO8%Bb;*Z6j$C7H zX6Wnq-QZ+6<_04mK2wEIx`)z|8gTeaTXQ`zuU&5WTO)N*maO>yaOD0bAe~^MoF@DF zSHRidncTi~Eicn6^CD1zqd2kd_I*jRHXoz=nBC-L>JLcJSc4Ypxz_ae-O1GSDhdB( z*)hp%MyezZ4iELLd|>WLKCZNJ)|7_hp-TGfO%#4q}5e_Da@p9=eF*1;lg21vC9v? zua0Z{?uo|@@f&g4qFIOZ(7lb zW)}IjUnvm~s!zpV-H)^~FLcza7_$F^FDG=;VgFp=G(xD$@Qe^*#8Fa2k1eq}nVRCo z3Aohx2NA90L|AINLqgH-8a|JhNk{rN{lhl;X>KpJFR;NHPlK3PJB}i#v$JdjXkGD- z%4HD;A2pD>0-jT67`&=R6#tzHB!$%p8O2oC37ZENGB6UYy{`N}B4P(bkCGkD zw+9MOnp=RGRyapWakV}oFin+v!_0WN6KYiCdO5At=qi5}|3Bm!P7wI|gc`mEuC2W& z!P75O>(?COK~>FYSUOQd*ZPfC*(s;V-25~2>(@E8Z7&VrUAeHFa57& zBwc{Y&riN?NRix74hQ?`Dx&!B;Q4x#8O-)}^EFFROZK8_CZlgbaQ0AD+-uH?ZU>Le z9mube+wyY#J%a63>ZpIgT6H8C^^bmoLt`@Knp=B^vBhD+#5zp^S(r9=58KtkgG0=p zDl~DlN8%n4XiOY!JlYJKJS;RZ-NW$2DG}jWoZ#C*ureW-AS054AY;dH>{dIl zBM9v0!9kB0x-)j`gJzN+H8I*!d0dfP)&r2u8p6U|Ga2jPfa{~&m0u{0x-cObwZ zY7D94IPQ1}CEGvP(=1}P!{dqLYtv))gjZ`tYMJ-%M5~5kT_|_U-fuanMBt!U?vld0 zx20X?+dj0TJBMpv1cxxi7ZpNm#n~U6?1Z+oXxm%yg6B*@#2lDuz-|#a+2Ggki)hnW z&(^JZiu&sKF0(L^-qTc{%e=^f3M5;}3%(#4(V!O)dMoajc`j76db zMmx;?6M)enawvQ^ck_a1{S3H`3<#EB=!?#Z@)T{*rN+0K7@1A-+m5jZviv7 z+QZvxG^~0J8@Z`=Fuqo4Bx0BEx7gat(Hhb(Hhs;!xKubsZxV@MP>;gcQrdP%7TPhC zh>(u$7>&kBtad6i1CFaC8IBP!k(P_6!}f_Mg|U$JW$f!SA-Raj(T-HT3QEagZ55IC zhv`se;$d91zZW91rRYz*&I@5uk7A(rj!N9oAb|syz0hUGJP9|I8gMMlIV0@7*ip$0 zCe;t)r+qHkZ^6r{7!qO{8(|}DcXWW4dZ95d=*gPIKiVtni2$?qHrs%47fPvy;aO#* zT;Ug+gHM|&R1R^8%bqA{^PE+}4a(TQWCr%i=1e`zu2#9375(J@4#Xl>4O3Gp`+Y$g{sld2yvOrw)fvqVh-| z=bO}p;va>&awh+7!uDl)>+>YPa-5;GVLta=Xglf)gB9aI6~$Kdb(0PwRp^oK33uYN zDlS{E7716wchV9lc_gI3s(mE;a#un)y>64_+Y8mcp$Fc9#Q1<{iZQH-*E?vRNAfMmJ^h7v7Z0A6sj z1mT|mp#QwF6&!!xEB^7d?QZ>`VB?}6aC4Zt-E^(`?=C>@3y%use^Ww9?2T4>@mZ}R zWbn?AkL6YT+amBj&!Ph~Bo-i8to6lY_&Nu6qU%I{gg$8fcjrq$j!E1|MTHj)?%wRJ zG=fFIRZ(tD@|ODFeY*iN7rPwxozmrIx<_v)FkQ0T$MXI@3GzrvH6LvJAK#(h};j zjLVHEHmxWy3m4ui0f~*XN>E`t*_isJ~nm-62iSU87K6|r|CT3 z7^jPBzB#+xIZchEo*bWc_NA|g!-cRfKX#l#S-x3sLVvutYt{2W>_^*c9dler-a6wM z+cVFdm_+y|)8spp&v+21K~sI)&sSX4D zlMMTlBT|?bJ%;%?8|g4wsJmh9)r-ku7E;-)zV>WY6dLVo{{%jc^C3!0di(CP5b7#~;Aqc<#7pdQvw zdp+6RmDuPGoG@cQ`^$oyk{7xzj{~>vGI9%b(_jJzeSTh}?Z#6A==@^4 zuL~y3*xZi02*yK6URz5N{!uiB5|`|K*M!JZRbS5DD{7tVX5H3SEG5kv`s91ObXO3V z8g<e0y1R zI1U0nt~~L?-P(*=Kf)U!mJUOaJgIb&s89qdxq|NAh1F+M<@wp8n?eRHp2MJqs58dPs0PLsu_VD-u%=2+#>qGjADZy*KD^6cYY~ZCxROfs3ASQ}(+W z70h*Ce5Gy<-Qn_3^Jvmv*LowcBP6cAIq|-?s2hBi_SLgx&ib6_G<>`8l2YB7EE+xf zGc3~Usm#hktizkxjg=Y$oKyn0SkEKAW}ti8L|OYS*V?ut?3m==-X}^BE*?gBy1!S* z76}9&SzBC~>MUj+hrCR#A0j9^v>n~n;2bsBDEYIkE*@3P=VIAfyg_eGNlcHjMxTR= zhtJl0Ba!$Q+PrD|)kaKyA$4TeR|*%@0`7iAxV|YqHMFc>lgYdZh96M1_dIxijCEFBU*(OQ$pQNwC zkdtM?#Q_^z{n1<2TJ=Y^^#UHZ3N6kj9Y~<$vc}f8xm@OB$%V}uyOR01Z#9oBZKimf zs|t?KoxGSg4-s{Dtd2%Q=&94CgH+ZM%!lC?I{dYX3P-K%rApVT*dH7HT*^L1Xtwz4 zG|Y`Vck9(#>j$?S@|4u$12vDv?CQL$mVd;q(0Q*LeGek>YX5qjjL2h5J@A@{rWe>V z&)iBk(@pC`;LM0KG71I4zMld(6WnafAKS>xyZVM+C5Q6_m;b{BP^$Z^W^!i^+Sq?S z*5-+gFDaPxy1*DE)C;|_^qpEWZ&lT7(m%9rYCGEi3J?-tT*@ z~baDfw{}<>C|uKO|TYBbL3g+Xty1&gmM4+(`?ES;~XaUmS`L*%x3r=eA~>h>?NR z_H}d6O-X@fJg)D^(spxXuhhVcrN4J2o;Ol^qQTJ;6X~?`m_YsF+KwaHI3R!@ICp&G zsm&4WDf1`!q!{rET<+kookh}@9~MC#9Q573V3E(8a9bs8n}J1-6z*ojkC@mWKAvyg z-jvX%^JP30KjSYj-x<4l5!wa9fmbUBpP3dl*#%21f2&Ux@Ts2JYl4!pY*}>60B88U z&3K<;hdV_&oiku!oKxm-F+vo@?F~6d^rBoPO{7fXT=`96S*Y4iYsI9}eNVBR{$Oky zbfLrBiXKUl#5q%fme{~DMCJ0uonOJXEiaA(uOWv`B%eR)GV~T*wPnP(za6-JTWNA} z&XnTL9R}3K0+`ccy|X$#Uf}XUo}(%?7CzUnAV(=saWEV(ap0m6U$OXBIC%uqSAQpg zMKlBqMmiVp4hgNnym;8pGiq%8{$&YbzRd&YV{uPER+$w+Wp&KrhSSqQa@3!!nz^IH zb`IU=LJaY)C_zY!xFTah0UQ2!{p0!GUJkRzpMee!^YvDkbLip=Rj%7Z)j@NnK^dbA zz%wRO9F9UN{+5w(*zg}M_FSrtd>sfNSqnAFZXm)*iHYIMY}>u$LZwA7so=nFlIs)s z2txmYX|{d?(|nz$U`M}EkLj2LXT(W&0=SFV0|8%${74XVoYDbgFpgepaB_k}!HX4d&D%7G4(nd7VQ_sTUuzSmLl5YRe$g{7O5de#hOx@|A?S=`)=D5?bue&D zt1i!s(FH8n8G4!ay4_~~@`ea@Ubt6{wO~In@&A_ef3Mz z365@1rATzEm|~=_ff3*MX7~L*{jvFCF$2Y=kyHa$yOYenohk!Sgc@YK+WN)Qli#B5 zaYqZpq}K>&HnXy#CnO{^8clxy5e3fou)>}(vi-P}&AXc;np)bEIbzQeczT<&nn#{3 zdtcJf5wQKjp;7)nf)M8NU~|fD@yLX>o?6gv^#xk7&|95%#_PqHxX4v@st67Br|`Q* zm$MOg3_9qiJO7e{PuvUtzCMH@U*&|m&x75;`d1>O>By*;#W1I*c8BQOF&M;x(||cQsaj65)a`22jD~GJQUKIpT~fOGizexQivy+JwV`jqx**gdIA)3{i}{(7wv2 ze+E4Q`q{7h*Kta1(76Y0W6V!t9ah&??WC1zs8r6t#~Z+ld(I|MagiHf2+-XI&d!4C1Q{R}Hy~iIyC<|HV|xhip836?bPLRnw#lF_^%Mt{2^+5pp2(?Spht6I!`3y1xe^xp^s3*~UzKfQ> z;oqi78nw}A^9(e&l*2&94+u}=liGQDNekY~malSf=vAWV*r%|~HDdaYx$5hJ@mU!# zj~)}0{?p8`k9(^AmhwJdD{&Gn@Q zP|$a(Lnz0pYI&GY$dBnUqVu5cCg$y!G4oM{8S7~|!XWwH(x2P^x?))p?uzVkx{B3l|wdI%d73)xaF5%@i z6(4^U9JioKWjH+OXHwE`bFy)*8o2H~4jhFErYft8P-}CuE!`0o=w%EZYj6fD?2)Pr z7zfW%FuAe5dQ}QuAK@Rjc5F`JI}fy&;I14s5aq{ph!epX-#?vag;ezJbraAg&~}E3 zKGCRUAL4abwM8?QznN18YB^>9tZ9AT@p2vF_`MF+4bgx1F8g2F-l;*7BXS8N8=a|c zHI10YU+v!7HE0ZQ*gY`~`#w@`zj8!nbojPOa$2a;2C`Cqx5fe%?xOT{JGw7og&OyR z=DI5t`@2L|bNhA1@aw10hoHk>%DRvqh@#$;Iv+ zPh&p@@6DxjyucAGHsn}+V!Em-_-OStL;f#)&kLSl^^qJ2|9qWB_vBWJK}BADlN`~P z1+RT_SX#W|xxygcYfiMiSE<0DGBce#?%~XlsqQB1jw6J+BQ9|?C(KI^H1{Lkk2qHf zEh37i`htO~^{Cue5njP#$fhdF?MlY2I(ksybOq5lmDRmWU9q^mt=#VW%-&;Y)F-;3 z{3-Y;%r>L~U=b5mlDHR`DCF`fg*+_`Rvt~X7y6jCV0l!_afLF8Z~O#huAWz{RE%rA zv%T@Ss)K;MX~&HOq&dRixDo}}LG-~_)_dG7;JnA}yE;1b%~@mp(KXKqped(?d$Mo_ z`}?A3xQ+Rd55)A%0zSuVz8k@sznc_#({ex|6T9 z(9L8zy#?}bT*s2$2Ccc_7GwkbQ|B!cmRp>C<2%-R2gvX^=)9zK_TQfhsBgNQkjBD! zq|TQ3?O4_{zH4B-kU97jIfPX?8soo+5q@#~iXnokqSJyVan)?h?eR?A@C+JA>7d>T z-|gORb-eSgRb%W~XCqT^>$B?Q)lS<#i!cNsS{cQr4^gMsztanP(|TydfP#|g(c+6bd~OJ0T=4}r}flx zPSdkp!*3z=d_G4?$RAw-`Y_Mqd;(Uu*tnXI#&KoYcX-ZE^om$5pyN zm5Xgyz>sahh^S_)9joq>jN|bhXPlZZUOf}=bq;g+YGo+p7rm!$!3XFBu{A!BpCdFc zdMIE|6sx^Fo;|!I+VK24%Jfq+mAF7eL`r+=1hB(!@`t9=$sBwMw@^O4z;L6W^#PkX zPEBxqo_bc16VY@QLNk?&o{xX5ZZWIHDsSKQQAC~bX4-}m$~%PAx|D1$KGdso{_yC) zsSZVx-D6n5c``?ct5cGA|JJ@11sO;!!&D^NM8h2Q4d(UOm+9&bnq|GD`I*@U`Qgwd zN6Oo@Pww7#0~lQCwtz~@ZtE|5Eox%Z*fURvh{NHDDG=-(ot8l%CZ64(!0P&}6NGda zd3H;oLrRo^mjrlN#!)$%PL|}u+|<~>^VS!FKfCq%RTye;6szsIT6;Mp-0Z!ok!f1- z>FAJRzRgpR5JO9ewFI%o^!0P{yR{m-N27MU@o4>guxGyC#%NZI#e9`gB5J>D7DGt6 z`qZ=$8zQA~8y)DuWpF)Qhj20#Tj0WU8BoeCAkfuxpI%#>p2aYP8B_7eG|Yn{i65I3 z;@}4K$;63fs4%Y`;iVqsjxkesPc_a!6My8%?7c0k!O;7lhF_q0@nD?A8ir&fo3D3h zrqGP96iM>Zecw{W-dUOb&1k^cCEl9a%`@Qjrx>o8eUM%+$3A zPn@8eDwJW(=Ew?O_PvP*-So&2@e)7U{1f+{@6M`?&buF?pxOrFNvbMPqRUzL_dpS+ zb0}|)9z4Ji=^;P&{5R)B-;6Yey=bFM)o2)Kj`obWFp`ez^aDTor{D9(T#Q9$ie&%HP-RROJ0~9#1YD6wCJ!Zcpr7K@EE_;apFX}Am+@48 zD1S-H-A6Ag*wn@DQ*tG-lkV#O{Q*kt`4(l8G7VAXQ;TDExIz>UIQs)p#8)wp5mKL++*QcIN`@LE>lSbW* zd9ESyYkLF&_DJ9OppBobthUPvxb+tO%O_kv77K9TfWEP0{Zl>)OhGbwUB>`x9M((q zzQ{9Qsi%alElyVV&)O2hS_9jk*4puP-_rUuJVsIlWu<*d;(SH-*m6Axyyx#o5uU2| zUFq8_Obypr_4Dt{Z!hQPJJ(X0*kVZZXV{a!IPJ4RnBs9L_eJC`b)p0aHTSinC5KE| zG+mOXK9F?)wqwjag`BbLzn~dNv_*9pnzDLt{}omK1{==GP#80kk}r`%<>w- z9M3aV4~kBgDB8^WA$py7WqKgs09QP&eaz$S%WciCe#URwH-GvJPNINx)W2>Wf=KfKN_q#(MIZuUn-F?c<;egM@xaTx5@@=&vF=f=6dNdW-6_=ntf`$RW$L_+NudcWsGrLbF*eAK*DSZKiyymD=O z&f9tb(G3gYcZV<)BRlWmhkMmc+c%AUvVbomOomMP`EYrLn;p)9uh(+FKc0k2_^^q@~8-lpQ(>J2a7( z#kfzqSMI0}-W&J$IKGp9K>wn!^ zc-Ye5y~c|yDNE%Lk^z2Bv(Z=;9KP7cXCK5I36q9)XJ>fXcuq)6`mYBf*W8yKD@axg zK0lJm@piZ|*-9)$#v({o-#?x+fC&bXWOJGGHrRA)C>5&ngG3;z?4+on4_**Brn)mX zmb(aXn2;j^Q{Q_aqOM)$r5zCtmtM!r+Cz{YrDQIYg&G&wdWx0CnJvS;a)DvJKU(B(@k-C~LcErf!1h*T<2OG3+<#*2;A7zo28E6JzZ|>iMEtywYOrTk2jf- z0W`XXdv81YEBaGTc}*jy(|7*l`U)rlTn2=CE*$msB52?2~F$K`Tu8_&@O=H-eaAtnfuXqR& zAs>APCv?+7ekoIH19u40xp1EkN!29aO4`D|7%QXE%k8<}F6R*;~>^MO_YaK~VeB~@|lho-981z{@N#ToD!}sm)7Yo1k$>_@g z^KU*hf6Kg&$TL69n6om21NrDuvV`Su9L3Ll8EYoH!{MrY51%iSExhBdA;G_%&_VIC zsPc2Jr-wC^giM{q#?xhb5g9sisq+WP2@byr=E+h6P{Y@1_Xwv>F@iuSD^(U3)%l6O z>sI`sHHS)+@>OaHv#!bE6uV0;aDR!INr0*%duXnVCY_B1zc*;bpy&C$=TsF(i~8_( z_-ZK9c!~+Q8>fDzoFUaH+4@)-(mAt@<|uS=7`jMRH01~vhSPtX*eBXKYd@y zalsW0&|ba%D+8@1DXrTMru&Yed*VrY)LKs@(_zM5Nv!f>oInEc88tkYxwQ*D2t3Z} z&~$P(+FiXGNVMCIhEJzkPG>6_Zpu^_E1hQxHPzI0Bx~ky>0^ z6DN4-mu(_@wpx`YL-x3{<)6o`^&zao75Jpd!|#N0?dx*Vc`Kuftve{9wGCq2P=fmF znEF~ru*@~`xEscZKsmw$xQSBqh^~s1ERRwmXCO<%zxP~*c zKzzj^ov%8}0Fm!!Q(M*w(u@k@cGs*dp82>rWL`YsPmfcdUY+u(Vl`M#FD8ehCMey* z?cD}6?`g*5tRX6-P1Pz6)k})mvD86w6CzkyIMANvcAD^+yCx2whrmeM?CxRcOQZMV z4^p+eh3C%5Q>Jb^GtTy+Ojn<@dTFqEx7+MH`)$z9>`0>6YXW|!OqU5%xt0i|zk;v>6w3O6IgNk0P9^%e)MUU2^FolqTKV2Xjfu>qtR5V4dDDRZwu7Y9 zRR14maAz=G3?-=2oTqGkugbNNmjb%KaIXi4gL_Fk?JXS{Z2;|!nEpif*Y?Kcp)b8I z|Azg#nK`jkNq3h-JU44TYiL)^K2IYWO17e_@lCfDu={8D-hiP{1TJ4It4U|AyRw}b z($U6yfSSMTL!)ww090rqQThxc_Y%si`)jdhFIJKIz6@0sM^ESbhW&PAFw0m*&xl&bT+i|-7<32D8SnDii z9nn9=^c|Aj)p#^y#*$7{EHD^gd=|0z9Fr7V@X0qol43oD2JLnhlOG-)G|=12P9PK0 zK@_V+q1nosGKPY7fzYwOXLNljf<+KCF^LjM0{zyhP)d+KaC~4vm=}SKeB?R z-an@X#k>#uF`C6gk{_Ogm>VAki;JI)yA4;lEoq#Z!6u4RObDs>%$z)>l{GHrXMb;3 zP{2HO=6%X(pqS5;hGY+&eeKNG={{8RW~9=Ydw~nk;sSw}Cq0f%MhF5DXm$ch*9y|T zuI#}(gf&Bmd%1O37n+KX8TZ4rk4R}3s=O&(Lei~9do3F(Dt6};_wW`zDt<(G3suzy z31pze`u1*6OZe81H?|XOK>wkARYTv;$UQfH?j=oBER3%B?_ZB~mq(;~4{GhjEEBmG z&BiHukbw=IU5~2kY%>T#_7#0p{`h|R&dE`osGn8edQ=Ed@b~47T4U)oS+f;sV6QzQy8EE$ zHtp@?T9F`LUP5L{ex>t}C0RfLNC4a|DSeA(uZz7SH#-707HMk6{$-R^A@^?c$`GC$AEY{BFZ~vIDr?@T-&mrEP?C z_LGC*bwgb1gOdOK^f#+zC+Lr8FZkl#3<^v!sTE}+_?M#c4kd<}{_YR41$@ydNe8|i zkih+*@qcdjJpj-I^S^!qK`k)+PjoUa-Ty}_5BxPb!jQlp&FkNSuM=>ev0u%C^?3hC z*#G_-pmF-gI{?1$jaFM<3)}#6wYae(`g(j42G#ZH(7!(RfBpR2aFBIfn{|-%pzv60 z2-Dc?UCY(v^hY8b?5~jeU6o#QeE@Ajb_+uB?$mI2J?f&)nRb0A>+R6earF)9*5f7h zO%-qQ@mnwT&Z#~)a5E3PZH2l?h^^=HB+1~~nXGAT)yAkf`uM~uE^%Cm5&;IvS1OTP z*ufYR>Fx=5v_y}`{ymQnU&x*$zRMjwwS9Q2Xm}ZWylB5e8{+Z_$-8-?ZaVQ;yNmU7Uh^gjRUE_# zH6GL)e0#r|mA6?@y-!qaJ{SNf!<;@e%ClWK5P(xDhU|~>JxIoIxw~@(G$s5yDxTQC zxjhl~kEUe_%+F)X+tmN?S$v}``Q5a{TKrG~O>_pH%+yoK7F&7*>Erfwbp$x%yfPVgR>wWN@v- zKaMQo5!hTA>?D}|$>q*eyz3kp5yGF+XYzfcAb7-}bq@5n32~ z&NrC)+_vLMQ?JkZn6TVVwyP$rUN;neD@+lBAlp(0oTB@WLG5{gx8ZWNmTNUfhU{`Mn!5#CSQj*+X};$BOtXOxW>SF1|Nf4SdvELwX$+jggbg?H{^4OGk%tWv^GgSR?pV20 z#h>1NmH6#Lyc+>FB7>Eny02YMs@s^}QAnk4mMzTMqgdp@#hC=vd3&#)UbLrPbm>r0 zQi9X8T4s{`%ZORuLjRn?{2ZJ&Q~W%g#I4=dbgWW;NB1>i+`e?mf_^3y>>LqlZ0T4F z^88DkEl~y%1}46j?h0mH%RJ|w`7Lbm0X(-}L6a7V-d3Wm86+HwbbFrR-vvp1w=!la zgEn$mVau`tHiQh>5~U!ap<-3LD?Q8q{uS%M-_*O&AiZw8OBfaKzcQnL*mIvNAZXBn z-V`Vm5Bg_&mhzlq10W>nJV-Z5SLyo|3hie#F6jkvVWeSl&`8JMz9_3mAv#-7jG=A5 z&dh5SmQDO5(<*pT-}_SJzxDydWC>n?DI51csK@8O7O7FjgFZW{AaFX@hYszxZBYX5 z3A&72{+{ulgMU9*`KL^d!Ys6Bas#*fRCkB4>or=^%PU?3knAm87XS+DW81F*!jR-2 zQCVX;KP;#;vB)})7&z5!JUdx&BW=A2A?{t4_MYo}bmDK{&_}ck^jlL>wGXXQmwzp} z%AM|_K@Ey@cP@Jg90?vpE0{7oS(i)J^PBKN@Yy9S1;#XFU68Z_8T8$Eh(22er z;m|}ae<=XD1Xgs{2MoAxd8wPEhUGuHDf^lW&Z?Z;eM)Df z2w%K^l%sLhd;>vPCH#~Pkt~_XRCem%~;(PCl}ad&65R0fk!!m%-_Ke-Am0 zD^1UV`F2ObihJGD)0bU8em)dpTV>0g>b%2-Rxtx)HdEBlFwFM5Z{&936~IhVGox48 z-^?*vD}@qGwjxjd#$MJz(A7-AR#jUoa|^@4f&ddYL&vkhw@{Es@Mm8YB=%*;2-02@ z$Z0ss>`^G3uB;zGLRgtdaW|&2zq=c-LW1vIZ6^;OOvt8 z+EHF4N)JBWA+Pr9nla7!@}XN4N1P~&=s?q(dLdy$jMmDY4f1lOs@GHNT)UWtk!5#K zvpM-KQ=a`IV4uUaC~NBE90DOJ<-V%#FNmxa(1ajeG&mj1W}>0Wucatk$L)0+6-c*? zwjT~o2p#>!DT>zA_7g}7+HR;A4iT|fV6Ay#xzLmix}`mq$CxBlWe>w_8G7N*;|C)f zvuBrj%~5(%zRyif;E-nhj~QQl1K1*#3A-xL+BuWyN>i5O&q*`P6Tn(-WLOsiRBqs6 zxcUg0A}gDk`d<79un~t3h|#KgjoJqnK6de`ZMzf1{zBGNR-KwyJ*EOw8?Sa~Q(XGQ z`j{?^x*bCiSxM_Y=cYlUI^r9b9KTKohYrj3iq^K-BoOzd97^boOzz)5exZ>4Tgcs4 z1r_W)ZftX;1~L+`j8&RAGL8M}rnt9yqHb18>B^8so5#iUYZIkON@9?|@(S0S@gxyC zIUCqGw}UgX9r((0|G0U^1UmPVa7?LffzL|J>T5fynMXdy#^A1O6}GOzZa zgbswFOB)7^&z`yF`dq{zLy209QtiHanyfU1C7UwjqyOsO3-;~{iF-GbZ+~)0p6S8P z7Q6xV3XSQdmAdP(Yrrcy7lsDga`&DO5)?Q)h#9XiM0AuI0$%Vvow_ zm-W>)9>v2DvdPgoH|P)*#PsxC1T=H zBBOb_LK8*O5}t6aRV=~U8P1jG^8Q-uu^b7o62QrB_KeYC^MFXD%0GfvXY%^^P3CYu zU=~eXnK7A7@paF9)fUP_ZOqe+E_hW)eCnO$LWegcZlLdK*^xr=9uvF6U4hA*CjN3A zs&<{9w5jJWjY9m>dfHn?>|Z#0ln9oZVVsC*%+52;)zn0a4Is#mHjft>f|RI1YoXGA z`!0}uooHh6yU#rlw7q(qxTM`AjcK5&GxR0ago9+|&j^*qs+YPEp=3Bz7ORb zP?A=;g+0!`usc@~)01?0el)dI&nG(U?W){2TJxk)q>OcCA%nfJU+(ypxU$4~kv3*n zZ=)x-%|O&Q@|`Ag-1r_&}pT!h=;{op}%Y&{_cV? z6m+JThTYda*3x))$2AuLFE!{IHxrjDpA@d2WOA~76Tis5?~*mtcCMG~qT}N&tQX^+o8{yk{a*DgY0Q^()PS+%BP1N)Mmg!06uwTnr)9qyqM- z3|&j`wG?fg zZ(shP?65H^Q}_9cYhY9R+`wQcrFe4;*DItDjAp835Z}EObMOYm7r^~0QTO>5@KC@Z z0Y8tZS!;^O zQ?+rPJ`pREeb15_CFvWV$W|8a0(yDyE?=4@cAUrDU1>3C4^qk&E}3h;V-2<3lV6W1 zLD!2)&DAN*a|Av*r8Oi$d1+7B3`)`N4tBn5(e1Y|2FTVtA=?=fc_ppoHzzV>%JxrI zhOm_#aTsk^pKRMpmtt@x8g;xL8g`WMJvi(d-_jErF;-wN)$#Bwj^)RC{FN2C+FOo6 zrf?`ysQg5iWWD;mpe=~N@yT(q3B_OxpFA zzm54gIs|6dBK#E08fsH}mHDezTbhUHH3H6UDTeP9vP6UcJ9a6P35>5xgtCF|^qArc zS(4-1$%X+MhAAmCH_&WX_Xy9m7LQ2}sSA=48!1=tjwwC&cnum0cJ$$Lqw6;5zJz&v zHP=06m%B&O_AfY?YaOyv&xmI0iP3T`l2?&;!cqD!DMPU+Dr0LXcY7Whk1D+eXF&)T z4=81e8QBzvQ(kMXq=*APzF(vgzTj(e_=heLF_-F_^5e5Fb9;oOSdLYjzsN@%YGh4< zWrB+eVtb{N){ksQ9s>>S>L(}b?dc#APpwv3A^9+lb+{wSL;V3`D+4M4y0*4A{J;?`Bc%G+K?I zE*30VO61|&ZC0msC}UL#gd_9Y?(H|&;kJj9mOX^bO*Fdgs=JIN|F7Nn)tp1Vz;An2 zY!mJI{_V$%1x)I8S!f!qFTvfY!mr-=mFNmZGE+C3U>Id8%P%5XYX(>TY}nIs(<2G- z8PSZ2JRahsLc9@bClYP=80XbhTQ>U~w}Q>z6YH?DcrCb*?dEiVIt-HHo<#U$n{^lz zQm(4x)b|M9u%UFq+zTezildkFbWZp_P7&c7T}DncVkRONi10nDlxT>K?pry2%F)qV zc)QV3C&E{rb@pmK)hDCxs$CO6GsvAA1thzi#?|$^Hoq`#1=}NLKWOU0De_q=I>L6J zdce40$3LUOD&r~d=HW@4>fh{)hr;tmPi!XA5!Dr|bIu`1LarE&w=aeSngdYLHZTL!6bXA-oLmx!V&Odt8Z|nN2F7Y zk)t6&5f(x53xEeAT$5xk)EneCe7=9wf5ChYS5ds z*WXYoIH(5EHvtwzqd*zU$u0P-mMfOh6I>C~O86ODE;Ig^;_pa|15NO0*A5PR+%?_4 zTi}8P4a_Amr+d;ZDF3}SCrf_E7tjjTQOw@L--J@ngx58VRN z4{9mhb_xo}U?8&Kd0;2v&zYDg;CJnMIuFM=?62;Ovh{cLU(pP^Rx6SWvXw;hr0kBd zwS;`^TztkDzC0y|M@Li9(!$9jRegB^QZW1$x&MvPOrv~GWNtlNRx`=a59*f4;4Mq4 zd2RYWD~!>gBxAwMd~p|(%Z%@Rg;~$z7`8|R3GtgW>D<@1+iNKt@cAFWVBHW6d>ec` zBFQZ4Ep8(3_koF0CLzjC<*a@zUElel=*>A(5ah~3)k`%{JUv~vJw6^CFW6T$NEUfI zn%7L*Xle0x=v7d$vrk(AQZYE&h{gZJ@c2e6gU_v%p{%U5aTt4?HCL;OBAb~2X3Do- z6rw$a=P5lpyUBTFN<)<9Wb5F9BTJv1w;Y+x3quhGcChvSIu)KWmV zb_zbr80{aJ>Rtm13=6#h%C}os7!ueA^I}PYI8ASFvS}^ zXy;usJ1gbCv1z{SzX2CnL`gU<3GnprA3XSTMxRU*2G6(->iEyL8bmridUWwIDH}*O z*STGPM*Zy5e<76C;Os}3WN^G1()c#=AMhpm%YOi(6D(s?U*GkO*h~*vuRp&Q+1KYc zrbtxfMGP}Ad=A5^Fe&q==9?6lA?!o(CRk1fPAf$HU)m&?IVlV&`1SW>cXkeiWSXt? zx{zR+`i;O%z2={_o&4B7y?gwohkunLYilX$zHkY<)rj59WB1wb?Jic@qD| qJYztVk^g0_{P(;6UqyZ2-o5yhbfkH+uKor7`ywtURxa|@@BaZn09=Ov diff --git a/versioned_docs/version-v0.21.11/contributing/release_flow.drawio b/versioned_docs/version-v0.21.11/contributing/release_flow.drawio deleted file mode 100644 index 6ca6b34f..00000000 --- a/versioned_docs/version-v0.21.11/contributing/release_flow.drawio +++ /dev/null @@ -1,721 +0,0 @@ - - - - - - - - - - - -
-
-
- Review release notes -
-
-
- - - Review release notes - - - - - - - - - - - -
-
-
- projects -
-
-
- - - projects - - - - - - - - - - - -
-
-
- projects -
-
-
- - - projects - - - - - - - - - - - - -
-
-
- Organization Webhook -
-
-
- - - Organization Webhook - - - - - - - - - - - -
-
-
- projects -
-
-
- - - projects - - - - - - - - - - - - -
-
-
- - Publish release - -
-
-
- - - Publish release - - - - - - - - - - - - -
-
-
- Maintainer -
-
-
- - - Maint... - - - - - - - - - - - - - - - - - - - -
-
-
- metal-robot release handler -
-
-
- - - metal-robot release han... - - - - - - - - - - - - -
-
-
- - no - -
-
-
- - - no - - - - - - - - - - - - -
-
-
- - yes - -
-
-
- - - yes - - - - - - - - - - - -
-
-
- version in event newer than release vector version -
-
-
- - - version in event newer than... - - - - - - - - - - - -
-
-
- - do nothing - -
-
-
- - - do nothing - - - - - - - - - - - - - - - - -
-
-
- Github Action -
-
-
- - - Github Action - - - - - - - - - - - -
-
-
- Bump version in release vector and push to - - develop - -
-
-
- - - Bump version in release vector... - - - - - - - - - - - - - - - -
-
-
- Open pull request from - - develop - - to - - master - -
-
-
- - - Open pull request from develop... - - - - - - - - - - - -
-
-
- Update aggregated release draft in - - metal-stack/releases - -
-
-
- - - Update aggregated release draf... - - - - - - - - - - - - - - - - - - - -
-
-
- Integration Testing -
-
-
- - - Integration Testing - - - - - - - - - - - - - - - -
-
-
- Merge to - - master - -
-
-
- - - Merge to master - - - - - - - - - - - - - - - - -
-
-
- Review -
-
-
- - - Review - - - - - - - - - - - - - - - - - - - -
-
-
- Tests suceeded and PR changes reviewed -
-
-
- - - Tests suceeded and PR chang... - - - - - - - - - - - -
-
-
- - publish results to #integration - -
-
-
- - - publish results to #integr... - - - - - - - - - - - - - - - - - - - -
-
-
- Release metal-stack -
-
-
- - - Release metal-stack - - - - - - - - - - - - - - - -
-
-
- - publish to #announcements - -
-
-
- - - publish to #announcements - - - - - - - - - - - -
-
-
- - - metal-stack/docs - - pull request - -
-
-
- - - metal-stack/docs pull requ... - - - - - - - - - - - - - - - - -
-
-
- Freeze -
-
-
- - - Freeze - - - - - - - - - - - - - - - - - - - -
-
-
- Freeze - - develop - - and create a release candidate -
-
-
- - - Freeze develop and create a rel... - - - - - - - - - - - -
-
-
- Large integration suites -
- - (currently owned by FI-TS, not public) - -
-
-
-
- - - Large integration suites... - - - - - - - - - - - - -
-
-
- Run -
-
-
- - - Run - - - - - - - - - - - - - - Text is not SVG - cannot display - - - - diff --git a/versioned_docs/version-v0.21.11/contributing/release_flow.svg b/versioned_docs/version-v0.21.11/contributing/release_flow.svg deleted file mode 100644 index 55cdd493..00000000 --- a/versioned_docs/version-v0.21.11/contributing/release_flow.svg +++ /dev/null @@ -1 +0,0 @@ -
Review release notes
Review release notes
projects
projects
projects
projects
Organization Webhook
Organization Webhook
projects
projects
Publish release
Publish release
Maintainer
Maint...
metal-robot release handler
metal-robot release han...
no
no
yes
yes
version in event newer than release vector version
version in event newer than...
do nothing
do nothing
Github Action
Github Action
Bump version in release vector and push todevelop
Bump version in release vector...
Open pull request fromdeveloptomaster
Open pull request from develop...
Update aggregated release draft inmetal-stack/releases
Update aggregated release draf...
Integration Testing
Integration Testing
Merge tomaster
Merge to master
Review
Review
Tests suceeded and PR changes reviewed
Tests suceeded and PR chang...
publish results to #integration
publish results to #integr...
Release metal-stack
Release metal-stack
publish to #announcements
publish to #announcements
metal-stack/docspull request
metal-stack/docs pull requ...
Freeze
Freeze
Freezedevelopand create a release candidate
Freeze develop and create a rel...
Large integration suites
(currently owned by FI-TS, not public)
Large integration suites...
Run
RunText is not SVG - cannot display \ No newline at end of file diff --git a/versioned_docs/version-v0.21.11/docs/02-General/04-flavors-of-metalstack.md b/versioned_docs/version-v0.21.11/docs/02-General/04-flavors-of-metalstack.md index 7da427fc..2277ca6b 100644 --- a/versioned_docs/version-v0.21.11/docs/02-General/04-flavors-of-metalstack.md +++ b/versioned_docs/version-v0.21.11/docs/02-General/04-flavors-of-metalstack.md @@ -14,7 +14,7 @@ As modern infrastructure and cloud native applications are designed with Kuberne Regardless which flavor of metal-stack you use, it is always possible to manually provision machines, networks and ip addresses. This is the most basic way of using metal-stack and is very similar to how traditional bare metal infrastructures are managed. -Using plain metal-stack without additional layer was not a focus in the past. Therefore firewall and role management might be premature. These will be addressed by [MEP-4](../../contributing/01-Proposals/MEP4/README.md) and [MEP-16](../../contributing/01-Proposals/MEP16/README.md) in the future. +Using plain metal-stack without additional layer was not a focus in the past. Therefore firewall and role management might be premature. These will be addressed by [MEP-4](/community/MEP-4-multi-tenancy-for-the-metal-api) and [MEP-16](/community/MEP-16-metal-api-as-an-alternative-configuration-source-for-the-firewall-controller) in the future. ## Gardener diff --git a/versioned_docs/version-v0.21.11/docs/04-For Operators/03-deployment-guide.mdx b/versioned_docs/version-v0.21.11/docs/04-For Operators/03-deployment-guide.mdx index 58ddafd3..6be800cd 100644 --- a/versioned_docs/version-v0.21.11/docs/04-For Operators/03-deployment-guide.mdx +++ b/versioned_docs/version-v0.21.11/docs/04-For Operators/03-deployment-guide.mdx @@ -31,7 +31,7 @@ You can use the [mini-lab](https://github.com/metal-stack/mini-lab) as a templat The metal control plane is typically deployed in a Kubernetes cluster. Therefore, this document will assume that you have a Kubernetes cluster ready for getting deployed. Even though it is theoretically possible to deploy metal-stack without Kubernetes, we strongly advise you to use the described method because we believe that Kubernetes gives you a lot of benefits regarding the stability and maintainability of the application deployment. :::tip -For metal-stack it does not matter where your control plane Kubernetes cluster is located. You can of course use a cluster managed by a hyperscaler. This has the advantage of not having to setup Kubernetes by yourself and could even become beneficial in terms of fail-safe operation. However, we also describe a solution of how to setup metal-stack with a self-hosted, [Autonomous Control Plane](../../contributing/01-Proposals/MEP18/README.md) cluster. The only requirement from metal-stack is that your partitions can establish network connections to the metal control plane. If you are interested, you can find a reasoning behind this deployment decision [here](../05-Concepts/01-architecture.mdx#target-deployment-platforms). +For metal-stack it does not matter where your control plane Kubernetes cluster is located. You can of course use a cluster managed by a hyperscaler. This has the advantage of not having to setup Kubernetes by yourself and could even become beneficial in terms of fail-safe operation. However, we also describe a solution of how to setup metal-stack with a self-hosted, [Autonomous Control Plane](/community/MEP-18-autonomous-control-plane) cluster. The only requirement from metal-stack is that your partitions can establish network connections to the metal control plane. If you are interested, you can find a reasoning behind this deployment decision [here](../05-Concepts/01-architecture.mdx#target-deployment-platforms). ::: Let's start off with a fresh folder for your deployment: diff --git a/versioned_docs/version-v0.21.11/docs/05-Concepts/01-architecture.mdx b/versioned_docs/version-v0.21.11/docs/05-Concepts/01-architecture.mdx index 709960e3..75298df9 100644 --- a/versioned_docs/version-v0.21.11/docs/05-Concepts/01-architecture.mdx +++ b/versioned_docs/version-v0.21.11/docs/05-Concepts/01-architecture.mdx @@ -152,4 +152,4 @@ Thus, for creating a partition as well as a machine or a firewall, the flags `dn In order to be fully offline resilient, make sure to check out `metal-image-cache-sync`. This component provides copies of `metal-images`, `metal-kernel` and `metal-hammer`. -This feature is related to [MEP14](../../contributing/01-Proposals/MEP14/README.md). +This feature is related to [MEP14](/community/MEP-14-independence-from-external-sources). diff --git a/versioned_docs/version-v0.21.11/docs/05-Concepts/02-user-management.md b/versioned_docs/version-v0.21.11/docs/05-Concepts/02-user-management.md index f1ee2778..ba742ee9 100644 --- a/versioned_docs/version-v0.21.11/docs/05-Concepts/02-user-management.md +++ b/versioned_docs/version-v0.21.11/docs/05-Concepts/02-user-management.md @@ -7,7 +7,7 @@ sidebar_position: 2 # User Management At the moment, metal-stack can more or less be seen as a low-level API that does not scope access based on projects and tenants. -Fine-grained access control with full multi-tenancy support is actively worked on in [MEP4](../../contributing/01-Proposals/MEP4/README.md). +Fine-grained access control with full multi-tenancy support is actively worked on in [MEP4](/community/MEP-4-multi-tenancy-for-the-metal-api). Until then projects and tenants can be created, but have no effect on access control. diff --git a/versioned_docs/version-v0.21.11/docs/06-For CISOs/Security/01-principles.md b/versioned_docs/version-v0.21.11/docs/06-For CISOs/Security/01-principles.md index 8e7030f5..e327ec4a 100644 --- a/versioned_docs/version-v0.21.11/docs/06-For CISOs/Security/01-principles.md +++ b/versioned_docs/version-v0.21.11/docs/06-For CISOs/Security/01-principles.md @@ -15,7 +15,7 @@ The minimal need to know principle is a security concept that restricts access t ### RBAC :::info -As of now metal-stack does not implement fine-grained Role-Based Access Control (RBAC) within the `metal-api` but this is worked on in [MEP-4](../../../contributing/01-Proposals/MEP4/README.md). +As of now metal-stack does not implement fine-grained Role-Based Access Control (RBAC) within the `metal-api` but this is worked on in [MEP-4](..//community/MEP-4-multi-tenancy-for-the-metal-api). ::: As described in our [User Management](../../05-Concepts/02-user-management.md) concept the [metal-api](https://github.com/metal-stack/metal-api) currently offers three different user roles for authorization: diff --git a/versioned_docs/version-v0.21.11/docs/06-For CISOs/Security/04-communication-matrix.md b/versioned_docs/version-v0.21.11/docs/06-For CISOs/Security/04-communication-matrix.md index 07df2607..24c1bc1d 100644 --- a/versioned_docs/version-v0.21.11/docs/06-For CISOs/Security/04-communication-matrix.md +++ b/versioned_docs/version-v0.21.11/docs/06-For CISOs/Security/04-communication-matrix.md @@ -116,7 +116,7 @@ Please note that every [networking setup](../../05-Concepts/03-Network/01-theory | VLAN | Switches, Firewalls | Layer 2 traffic segmentation. | | VXLAN | Switches, Firewalls | Encapsulate Layer 2 frames in Layer 3 packets for network virtualization. | | EVPN | Switches, Firewalls | Overlay network technology for scalable and flexible network architectures. | -| VPN | Firewalls | Management access [without open SSH ports](../../../contributing/01-Proposals/MEP9/README.md). | +| VPN | Firewalls | Management access [without open SSH ports](..//community/MEP-9-no-open-ports-to-the-data-center). | | BGP | Multiple | Routing protocol for dynamic routing and network management. | | SSH | Management Server, Switches | Secure shell access for management and configuration. | | LLDP | Switches, Machines | Link Layer Discovery Protocol for network device discovery. | diff --git a/versioned_docs/version-v0.21.11/docs/06-For CISOs/rbac.md b/versioned_docs/version-v0.21.11/docs/06-For CISOs/rbac.md index 9a87b896..06c902bb 100644 --- a/versioned_docs/version-v0.21.11/docs/06-For CISOs/rbac.md +++ b/versioned_docs/version-v0.21.11/docs/06-For CISOs/rbac.md @@ -31,4 +31,4 @@ To ensure that internal components interact securely with the metal-api, metal-s Users can interact with the metal-api using [metalctl](https://github.com/metal-stack/metalctl), the command-line interface provided by metal-stack. Depending on the required operations, users should authenticate with the appropriate role to match their level of access. -As part of [MEP-4](../../contributing/01-Proposals/MEP4/README.md), significant work is underway to introduce more fine-grained access control mechanisms within metal-stack, enhancing the precision and flexibility of permission management. +As part of [MEP-4](/community/MEP-4-multi-tenancy-for-the-metal-api), significant work is underway to introduce more fine-grained access control mechanisms within metal-stack, enhancing the precision and flexibility of permission management. diff --git a/versioned_docs/version-v0.21.11/docs/06-For CISOs/remote-access.md b/versioned_docs/version-v0.21.11/docs/06-For CISOs/remote-access.md index 0b8dbb19..dc24e82f 100644 --- a/versioned_docs/version-v0.21.11/docs/06-For CISOs/remote-access.md +++ b/versioned_docs/version-v0.21.11/docs/06-For CISOs/remote-access.md @@ -6,7 +6,7 @@ title: Remote Access ## Machines and Firewalls -Remote access to machines and firewalls is essential for performing administrative tasks such as incident management, troubleshooting and sometimes for development. Standard SSH access is often insufficient for these purposes. In many cases, direct serial console access is required to fully manage the system. metal-stack follows a security-first approach by not offering direct SSH access to machines. This practice reduces the attack surface and prevents unauthorized access that could lead to system damage. Detailed information can be found in [MEP-9](../../contributing/01-Proposals/MEP9/README.md). Administrators can access machines in two primary ways. +Remote access to machines and firewalls is essential for performing administrative tasks such as incident management, troubleshooting and sometimes for development. Standard SSH access is often insufficient for these purposes. In many cases, direct serial console access is required to fully manage the system. metal-stack follows a security-first approach by not offering direct SSH access to machines. This practice reduces the attack surface and prevents unauthorized access that could lead to system damage. Detailed information can be found in [MEP-9](/community/MEP-9-no-open-ports-to-the-data-center). Administrators can access machines in two primary ways. **Out-of-band management via SOL** @@ -26,4 +26,4 @@ This approach uses the [`metal-console`](../08-References/Control%20Plane/metal- Both methods ensure secure and controlled access to machines without exposing them unnecessarily to the network, maintaining the integrity and safety of the infrastructure. -Connecting directly to a machine without a clear plan of action can have unintended consequences and negatively impact stability. For this reason, administrative privileges are required. This restriction ensures that only authorized personnel with the necessary expertise can perform actions that affect the underlying infrastructure. These principles will evolve with the introduction of [MEP-4](../../contributing/01-Proposals/MEP4/README.md). \ No newline at end of file +Connecting directly to a machine without a clear plan of action can have unintended consequences and negatively impact stability. For this reason, administrative privileges are required. This restriction ensures that only authorized personnel with the necessary expertise can perform actions that affect the underlying infrastructure. These principles will evolve with the introduction of [MEP-4](/community/MEP-4-multi-tenancy-for-the-metal-api). \ No newline at end of file diff --git a/versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP1/Distributed-API-Working.png b/versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP1/Distributed-API-Working.png deleted file mode 100644 index 899e223d25919d8ec5a2c2cacd2099f8731ff1ee..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 53600 zcmeFZ2T;>r_cw@$3U)z7RKP+JK_HYQfb^w6fB)Pfwd&)icobx&7hUsBY2lk%a z%f!TVKuc52fQgBP%EZJR$GRK5ljyUCWnyAGKvXv)y8Al1xH&NKOR8@F#V;Z5Oz4god=JIGE~!84SiRsRI7ealw;(!EawA+!`(=1pZR? z@Njc5b+ARd5TWss2vJEm^cA$Gk**HEgev&k%?0NGexV%fa0KWp-gp}i@JrR%i{S1; zatB{S$cT!IO3Fw{iy~zH`2>9BfB(LrjiZg1%YRu0qSMF0%iD#3-zF0#Au25j+a}0? zXydf~E*$Tu1=n>$Xc8UGWF)ZmUNQ*f?J-0@4~OkB_6|NSc3@2jeo1w}VS5)FCodcD zY~n6|If#SV!XzYga0G;fy|yVuP0G|75C;uMnE2?}d3sB!>xtU{l2s%O)iEw)A5A<) z2PS(~6eAV5gQAC6fUJ9oL=ukJb$GPg-z->|PaAlOUrXk$k-Vm>4 zgc0|l_<)(nc$6O)W-dWAG%}!&^$1e>WF*B`5~WJk#()ppu%^bQhAMVsJ3l`uGee@S zxtX)Gqcn!7qCtR5!%2oFp3=r@%BHFo9>%VQC>?WOG}^@pMxi(%O#Eb|%}q36o=&cg z>bhQj>R25#(NRVfCV{drl_X;|!1N~esu-9L#X{Lt+}*^^&c_`oC4qE=I~eI|`d9!i zYe+cY>@j#r54emj(aZ~@=4Y<&0Mtpv#X;B4#*ZK)>5Iqdqs^2tw)T*A7&+VONt4vv zwGAx1ZShz?6rSR01Bbh7>S$8%YFhTTdd4cgx}IuU-iEfGb`UFd@UE^7es)*{S=t

*#5l_~}a_O?}C}WCN6`r#iyi z)k#~@UE9Z9ljP-Uh&Hfr_8`MG$S5}tPYHxAPFL4a3W!mKs4U@ND5D{vrmZXmGt-r{ z)gpVtRbA1(Zl+kAyOe~E4#tIo5;w&-`xyCXs=BGmpxq47HV7$-o4b>-qpz~F5#AFc zr2}&^G50lcvc*ezxNAG0ytTAE{BRgoM?f>l#?Kbz?5U?>DsGIh#S@Hdq#ZmpoPAu> zZM4CbQGppzT(rH>Kr=Nw5t5Ehp3(>%BP|soT3JHez}?TxPR9i)spey+t}p3rYoH;m zE)FyHbthmj(nvjoorAaz+Dli{z{}jhMatgUS=GZ&UDwSQrcN-kGts7a<9w029(b^f z6alL$PQ+^?+*CbLs@`rcHa?PO%JxK4H@q4aVS{ra!)yphO>svlH)8`y@C74jUy7d& zO4`QF981C?ZC%|E6pEca%t74N1!-&~Nz~9HJDMY;Oug;QB_vHflvPyx%pIKVl^vZm zZSlHDIDw=}q1c-HN)wP8&RB}AgOshBF&ugp3oP2s+1TEggf-Fg^Kf-`aIp1}a6`as zHPw)gh8FrryrikK3Rx2&X^STMIGS1*%ec8pY1kWksLI&NxH*VJqVs~=K$`@uLexXM z*!qbh9gMJ8X;&9#bw4dUTG~!o%|_D!MZswpOG%1rxT)*to07=3WSFhAgpMjqQqtVr z-Q7gW*9NcegYqG(=mLE;LaAwxwY=cQj_SU4`noF4CVJv3wvJjbtTM$;TNUkOVr=53 zqOW6*uy=RDc%votwLJ;WNW7Oa8jbVyLBnC%p8C#`YF-v<<|HF8TQf9@geEB?br1*% zoR+GtgRweB)zs0*R@0Z{ts{eSur-8Bc^YV``MALhlnMIoHumN!KvOVSX%l^8Uu_)G z4G;%tC1~r2`$@w*JUldP!AnO|PkTR485svvPiZ@h2?p3h6$v*zU%Z1j+#KNzlZ5-| z7=ibkP(%w?Ef04iHwQAz9%g}a^^)-t$EkUeP(DuLMjkj_k}i%6H}I2CclE`nB6N+= zUM404TXB+yA4 z4AH17~pPo9xOUnhPYzTzrqavek@2>8m zqlt2X6Wx^kBuEaP+8Vwx<~U;*&J2tIN}y(-uB)yGW{2tN80krPpe$gv23~lgiVu#g zDXwi}s|%OGIO`)|>IgVd59vrUw~;V#L-=~T`x^K;!IeF{P~vvV5O2(!%wRZ4gqx8E zLJDn*cJq-o*EAukNlIe0d}So;b)~c&HH?rx7%6jc7r2|WGFjTqSK7oBZ|-M+a+lFm zCfLBe_4Q?pO^xlH+|)dgZW`vE9(qU_2R)<T2u;hA6wsc-q@xynu3RVN5CZ$^@jVnx4BO21Sz57B`T@n>azXS_7sbW8#GNu`tH^ z*yxhA9dt~c?Yxy$o#2|T7A|-@oSUArG0DZ(Km%^*=L!vneF-~lbC|g{3OdA93?Qa!gCAE1iWv-}hjDfwYB-5&7?~RxqV=5pfJdM~HYYeE z+-2;vC1o)7I-Y1LFF$XX0iFWBWeyjI;T`oPEwJ`Fz?o3-GSIQdYN4T%z)8a%Pa)&o zkr1Q2P4)FPe2_$E6$E&ttPdT?&_AG68vmTbTZb}u{nzu6RM!>16UD@IhDl3J*~r&w zDrsMZkLq`ZAm1&o{cKoS&9RV!&%5PbC>R_)r(!UcLOc`Ge>yD@n|?S|MfMySzi~#vuCHF{U58gGO`wOibHkJpyY*nAbNsO^DDEf5QHfg#u*BI37sZBI}ti^WEJw@k+u>FAGh? z?O3+g0<%|V4x*WuwmE+utaZ9DE~Tl>JV@rF-Cu4;upFj(eLbn5y2blBmcs|`iG`Xl z={eXPv@)R#`o;&5!eJ=dS*C$2mk@xSH6ciM6)5pzr zgGD9gbz=U?2nW8~!SzmIYpSDK@76K~x`Q5RHHkY<@O^yoQ{pcMz|-bPh6HX)Au421msUhS7oBX=+@^I~>!ZV8qHcp> z5;`YEw~5+h$sw%ePLHO%mpJzf^X0RozRI?!bJ)&c%$=Clw`IY%V=^HKx2`TA|M6L7 z^#17E_1h$b?gzsh9!p)l4GA`MgUxJU;Yv@F;tdBirKFfgPS0;{3*3xDDe-k9)6%v? zG`C3z*P+~2HWd69X-v#q>`IAW#9d0Z^?j8iziPbrZA$R&`nw^rLg$;**tV4*UmyhO zkhEiJn}kQ(Byc`i*ncAf^DokvSS0vDkg+x`9$Z@@pBKCq*h+9$WbBVSvV&xxksQXp ztqRw4nLNM9?(Dj=MZ&pl62v6NxpwO&+5bb@4pw_jCeMrilFBgl8j;xcATqM^p#A?- zNh>|u4b<&q^O%IxjtMtsdm^;?A@u?8S7(Cv|LS_az{97`;sXJHN+9Zcau_V@JH1{@@-2)!y#x%XZ4)8}kN5A}W@tzVY)7@w5X&{5zq{j(lI!#LGzOhe z{P|pXiOk63Gz@a*`d47BE)`U>&n)#24vAtc{eH#bi~D@MN0a^Wmr}Ct8nVBesa&>d z5~vj}lC6Jqc6;Lh;>6_vVdGrin75~Ycslg)^Y>wb$zw}>Wb5T>4s1z!yj6D+u|*4? znI7l0hnx7Yd}F@8FD+7G0$;gkf@r$@r(`ymvA+4H?OC+pKGBkAJx(csyS3|LI@&lApVa$DW6mH3cmd&b;5lORPQZ{Z+|RTkv+(?^|LkjP<2r+VriY?7XV( z%E4oK9)^oUc-lryUoeAiwGnkD0~c#-GH0jh zw)Xx|(2u2FZ!81((`Yc}=F1vR>)z?A^_dy)W|agl zr16&SJcxWpQ`&rl;_=K2oW}KyQ&VO{D;EsJFx;NiN30&MeRWb8f&-Oz8h&G)DElkM zu(y-8Nh1He#aYH#@nct2uI+kvXO&6$L0huXOstqFtJK+M`&^uDeATugKLivlz$-R~ zx;7%SV0XH1ceow&0rQdO^+#3nv3YGgm*SB8cX)h%>_9L!{`e2@F>wcP%*}ApR&H@p z`I^W0qF-6lCrqs_L@7y*4aZbx0%d!bVqmb&?bG$1K8_8Zr}L|gtF`S>Tv2Aw*q>8U z1Z9nhKSKAc17CFy zK6WA043~%J> zMn_SfPtPic(fRY|XD$)^>Lsl*MBk4B_0M2jp&`>-Q7CRwOz^PYtap@RC1bksFkO{* z?IGs}3iCsjvuu_W7X8^z-45}V70qp87~NybWs|Qat>211%3`n|O6sLd71UPfrE{2b z1VBDDt zIRb4KcoX?aYJvZE@ zEu1Umf4Wi?9eHv>-s=A@J!(g(3)el9o<@zGd*qb%06sq(+p-=@5xm8BuyV>l%)7^} zuwg1bYFV*^%At*WRhn_dt)ONjuT7WirOh1Q&!5idBev@Hag%$0@^ZGxWi2p!vFT7u zWBQf(ZL|iPuX;E93U4cT|X&_7~6YR7|~R9F=g6t6uRQX3-af&n1?)tt@WSQYlP^< zJWsCJJ&?W_Zn##YP#FMh6{9>@unpLM8AeyiD{|$eB{(UXf;YXz&W&@M?7Q^lA!o({ z>vNX#^z}2q3O-$Uy;wd|Rv(#5R?JKZTE)`ZsGF48)@LQl{r-gD4_Y*fm#wbsjXwQ; zqfQ$ZDWA;1iM!E-%d32=$d%;%S=jBR<0fmdJ3?2=w zIQ&Dh>i*^0`%x$FX~h?8Eq(_qPWEy+&X#aca^VDU&m;t{Rr+)kL?UB7-?tMhF-dJw z>ctW4&u+^;HT!TK?6AX+!B?(5<3CuNkyf3<0b+#an2^P87k8SF;##q4h^)&U@AzCj zRm(=v0w`o*MFEHCbiFOgwpHJ4g6%XoxRl;err*3BVB)sC!l#tBG-3-9LLBgxmDu3(;#j###G?rmX5gNkJe+SOmphG6LUkTz(-XY(VdkZf>&vt-ei4Ybp}-a0wcBFQ!%bHE zt1Jv~Qp$Z$;|NZCc^^a<2DIPB`1L?E`*`(lua!LPO(_rxPOB3o&28JBG|1IBF3+ zV`FUK;EstG+>MrRRSuA3%Byz+x9ZGkAW09AaPBZ&R6(Yo2XOCp?3gTS?GD;WB)UIh zBDI{Gig^0`e<}OLWo0LTxyK!nwEMIl;XU%Tn~u`Z=Q&$EmgAENAq@cXae$j~=icYcv1v_!T0(qr+-)e~e9vtnm3J zSlWx*wk-~Bkm&lLpfl;}Q}quSANR}O2BNsmmcMj7apSluwb9~cpT1$69*P5Pwsn+) zP-5@?H`PD8h%t{zwm`FUz*q~XXZzRN%>TR1bW|s#sQAZl@d;T{$A8EEYq}vtow7R} zx~Pp`K6`(?keT|J$aMTxU#>CdRPGX_)ih@o9=9R49hGkT zR?U7K(z17eW6V1*c_QK5{EkVF!QRAyu^n6&J}Qt*G?MK!v<}p~sPBR(D^mqAvRtWD z_)XnAT$KGlfp>9So4$lxy>uIsRP^6%CNnU$s8NY)DYH;w{jeSJPf%Fa%ncN` zuP)u3&rSAgvmFSwFFa<#5#HAkV8n?W^)7B{^#dfSf}6V_r4rpFVw(<>CKX!}m@B_HWnt8`JRVh6LKSjKANqeszbH614@6 zt;&ALI6u()Q)WBr0jA`x78vz!bqorPz#z@1OzYJzT5otmyov%E6RUG^o^(?eRaN@Y zdus%==HX~C>fZ_qOal#iD79lLOpCf_6tYWvfbAEb7!6OdCPV~y-x=K+0j+sP0E~i- zOTZyH&VXm1z=$@SvuU-t&GYep402(f;)uo^YJ^Op=51g?B{DyE9)WYOjvQ>-3U{G3 zm2|);yML$c+w_GfwXk#v3MBC)-hdu)KahmI!K1wMZnEwlv~DiuE6h^&gA%*WLQhQTU&u@PGJmf6vSR|M^&T zHm$J#Dev7lUMHABq$X3cpd3gqNGpxNzuR+=|1==Vl^Hy}p`Ujy)xu&k|7*@Wcj^(c z4`g`p52QO@_EKp-*Cz93;k_QJ#j7I;ho*v|oL%psA=67v5>rHwnez+!qT18RCYbo+ zZMUm1;calx!L{YLbewCRVuZ3?`%i0<>o(dABqW=eqy5UU>JTNaG8X?Ja_X7Wjwu4OE76T&caoQ+^oE(v|fzXE5A0DHq&v1 zKmxh;$o0)-+AJ1*KvqT?BwWk;$OC;zC_D*cx_^^@ z|42Fr}nCfOmhEUoLGT@zTdoeWtWEWAGxdG0AV_ zN%EtBRu^jN$kY0LK`ATMg1rFom#hE*DQO(*h8*M0W)l#EM2)3Dtkem74D;*33C6Dm* zejaSf+b}NOd9^jOBQ|dnm*uy#KEUYzW1Lji2=evgc2J@;;8I@6;Jq1M#>$;5*Ftv% zBwPP^+F9b=C{ufhwlTj+>^UemB|c8W9qjxGgXNL?Nbx2d!CI~|7O0B!oCQMu z``t5(dBK&2mm&BfuW3|~u{s0(D=i1=zmXW+H)%BrrRSF!n*)qLq)gd3#$e7SeXjDy zF0sdLGe!v?pGZ2bDZHj0=mUGk(|W*oG!3qqH64vr_`W;i z;NRnRkS<8gu*ee`J@6K2d;n`c)-5>YWfSLgLH}~q@@f-yTDS@%^VXZ}m%?18IKDHA z2Ct3W_@@@2n9)kVzSLYc(8`%MOX)1{h1H(^lOr#>PGczSurFe$CVm+$lsCur^b$3% znt9dn(+{NK%lHNAHou{GrwL_C-8eBa!0AdrTC{DzcjC5ncoRrMBI?Rgd;MoC>AF9J ztyi^|0e9+(dF@B!i(yR{U0>CYZ=a zWhBf(7|LdKtZkI$vjpD$Uo@8bejKD1pKSThm(r1`R0w-|55KiKO# z^dLEvg?W{4hca_Dl%)*f2#CdLO&LavBzj{~h6d;}WIU9%Uu_v!Fnh|PKu=(S_f;%g0}$lq&YDX*MmN`I zm*ISES`~#Qe0MJ@-qT{vR=CW6`~sF;F@|bdF?cLURjA;1F^!(ehuY152rT6Mz((H;te)G@4+TOdV7v`T8 zOfQEQaMUDZj(oqEoinI@IP9Y0%KJkVB?4zPrHi{=vsX_jETkSP1t?4Fs3mj4tNx9c zXVTwklRLf4c%G_qh=obA%l^7k&D&mqtQh7O^V2Y_+5CJyvZSy{p(nf~OQ=1YN44!_ zT194Z&D8?U3mv^?0DJAj2F-KOd=_e9pI>3_AE4wIc&o0)`UU~pSQ;5PW!FDzy*VFW z*a;ph4PMC}TKnl!fCwZp`qhrI^zLu60?HGTDXU)#dBUfyYa#s{*$)T$xv{OE7d*B7 z&rkC%?5Zcz)-7qpZOM^=&*=(}=+@=yiqm-vfZ&zR&3Q7?$+JAFdG_P9E(YB+@pU)j zEaulTS4v{7J6`r^1x9#ml~%se9glNUVPZJq=CLFFhZ~t$;^N0x*oXas175?TIT()kl)tEFi>9w0vr?M{|rr zt|1b#eF8_+1aptxs8)TD7wwz1&z;4{RJH(~gG`r^5IIzksu;<*WlA!#9Y6~07LUQ(_;=bNY{v^dJnb(^sLCr{419msLWVBaxDd! zh&*PS0@TBrb)x=2pups@y=zmG@)`r#=K^{1u^Y4HT0Px@uNm0_m|NY9@gQaYfqov- z<>TF)CR`7+{!TKFT( z8C`x%X48Ex$$%69J9aLA6S}4B^X8!?Fmsy%#z046Fe_u#k$4{epotTim;%kjmb%?Z zao^h43G$d19H+__UPh=TDQ_-v-i32ROrZ-Mv79&`s`UJZD7R-0VeWGn^%~rYuarOpQRFXNCD=H863uyXws{vh6%~Y=d$DS@Jt_ehvQe= zV8JKz8Bbl4$FCfh7r3}X^ZNafxJ^@7){HbK>3}ds>tXgsJ6mq;>edbYT&<~ZLyy?s z3RXR|)~QZg{@~M|R(&n^{5}0C{?ijQ(wf0wtf>1YNkT`uM+|e|b&p(XMr~j__IjCU zE`dGYxSS$o{s(pHBAYIKvcc$&zKqG~N>WC=>MyKd_i*;ji@79@yv>F>qsiEs#PJ@rgncjX66}UfHDeB{$~1#Wd$!u#!x2Us zQJJ-Rh2RBdV|h5Hee;m#MOxF!@MXMrYpUU13gQuuVykW{o}FJ~5ol}g_?)<9*?8MH zUtb6Ys6-?WswJJ{=tSD7Vr8GT8m2`qlf)K;t#Iy}sCD3t{&1go6NPsq?UVxwfqqW% z&OuW@1+BHF99+nwDP`ehi9>nF1@-}K!01jgkRWdqaDk@yKhS!!qInFp!Ss_do|73HRp>S#ks zZzduFzrvq92Ga;f4@M70t-M6rW>>4WzuK6hmt%}v3^NISZB7r7?cvIU4_R2-t1!31 z9#wzpA3v3}aKtoFwTpvVeI=4H4$I3F4LcRxAodOO<=bNuMRa*%b0c5g6v%SUwm-|aSAjxBrCJ^KecdmT>Sh5R1 z-}C3+DR?41FIFq)r<|Jgt(Dsd!_9RHIR@IiY!XcRGHW@-ks^d~v2ObW9S+i-7uzFXDRK0vB?T!w5)rEQ;fmDgJ&@{c2~ZB24@4`ewWmihFJW_!b%i=gjCos zcjQ@uT^Lu{_nFF=QtQMPEf!$hpNFxCCPnC3_brSI=ul5AyqEgisOG61xje={LNSeG z5lAxlcH+jSWhBcuF&wk@S&>boEUc~WrShQBET3`S%Z$M@M^rW^VYyie2Ln$C`>eho zv=KjM5rp43FW06T!VKq9rV13;grNcyx^9Kq3);pnvCX;5m13yb!EY`CbFF)>NAyk% z5LGk<{o(z-b_|5PKsu^tp`SOfH8sIiK5xK(G^W3Ye@>N71N9v%hVa*EWUa+;!<3C- zL3-GkN^kAOR)5|b8-*oAaJEz$$+3$cjl5}4b3Rq`T&PzbhbSdAv!5GYut{O$8ah%~ zbQW{VqF7TcTCaXHTRYQHo>Pro%sbicl9i0)|EVhdvUY_pWTGvW=UeMWGi@BE9VUKb zTPhCrWGX>SOF%VZJcO)eh6*ivtr{sN(%vder)XXCqjS3meP#m(*F=8b-t^j0C+Fo6^zMKy9oE1+e_iFf12 z9{OYUy$k2u+0My+e^D{9aL4Ps;sVZry=lShnVKZMMT3#INCyQ1%ZT6Xyr8<`ml>iD z_^2#GVHYZ`CtDx0e-shx+n78WUG@IaSjT#i!fGDs(xN++$1>LJ1^M&=c51a2b(2qg zZ1~B9k!^C&k-TMG;Mymn*~Df~M|l&Oxz53u^MMJ}Xj2NRi(K`Go53U8{>D{1NIUVQ zR1;su7z`aKEIcz$6Wk3{Vla0@OS5BKJnRPhQEBQP`g;Cl0S@ZIE9qRWtg}hUE$f{| z3G91}y(>wnS;+K6t)oVkS#PB~iRZMa$!kLoyCk1j{<5I+AH`HqXaN^^NrSq7EG}m^ zq8ebo(B}#}xGK@u$c80`MT*yXWmCIs9?ImWXV#MmC06E*r`!O9w0d|e+Sj*^n~*e* z92tWVe<=yJE~W{uRXC(L)3El8&i+m8GS`~z)n!(SVAja3DzmouO#1SzDTV-}s0zLu z3@U~L-U?2-BqT&+o*BzPKaatG&bDHwwxMXRVu#W>usB84|!Ia4( zV~T!;1QyCxb+nQei^2Eow$%;W6f=W#_DLg_iLbnORj!!`9Ko>5oN zk#}A_EM19jbWi(3c+$MU!!K6pjia1{M*T&1mVdIgJyHCbBWWN6a4hXQVl~q6J5g;v z?0c$Bikqv){(ms2(T(+pg+}&QOKk6|0!Pe%6`laFb5>JCGUM#KJt>w#@A@O;RTq348eC+4it?7i+2jg z%|G1&z!?A*?!B&J%Rocv zQCOK`Kj<&FWVTgz3wV5u!aQZ1;dC^6*Oc8OhpPZSf@(=m80|Y1eMq7F=EwgJAGcJF z1>Ws^e)%KsX1?5xBWw`1cat^Wv;e&uqUL+VJ19E=72kEqg#79TB)F!f*+nw(2KW>) zK{U)9+%ck0_R``5_#%bH%x>C?8G8Hed8NLd0)i`-XO@uin%r@w@^c}T-2NiuJ4}CG z%9Zl510v;_a|(Q9LZP>Njy#*0?m`sZN4CeDp&y~{$A#2%9#+VZQw{NJdt$^63br4f z+0kKE{$fjZ)2w>SK2r%68i}sj4>#``-j;qhh-2k#O*;GT@`TPsHc%(7`H%^hV`*@W zP|H*A!}1b5lkTPS7-@dZ;A)|dC$G&(-;5k@JbaCZBoNC2N_P1)L!>)Ig|?(E$J|!Q zy`B*Vl78$j6bEB$4&<+#{7_4DVik{+jn-xcRq^b6?@r?4k9PGG)V}84G0`6pXjp&O zP?xQR*YivMZnJ;`KkdpSSstU3wD>~-e9Fdt?LiTG?>0x7NQBy|Oo!^s43_aoq=VT` zk*eFjVSQZ8U(*_2L@5CQu(0KS>gM0ICxStAi;#?`(h$`8Hs?WG3HXz;gZS7|lc) z5Fx~E9Hu_~714j!FhlxUsqf?65uU6pe9f_bZLvt^jJQ+_K0OP1>~TW0!F6K}O2gWR zDlSFJs8&cBAr65Kx@*|rg(6f7wVuqsdRb>@Es}+qeVg1JhV^=v*e~R6YKIqV3BAu^ zs|1nsz$!l%f7KlW!c3BMYmcn6INd%vCX{PJeE2pK0#TAoxkSFm8H&{-frzO2N&WulTPi- z5t~YwOCu+d(P8lTnFb;!^$@~EOT36VTJj;YNBhL9OXRbNk<3}?@8pRvxgu474Kt<+pdrP zidXyJiPy5AQjE6YRs7{*_R7loz7?p^DEn2JYr)m-gS}pJ&T=MG%4d%MeH!7W`={c! zXZ&b#XuaAdti}bK^y%l9mo6L-3v0Jocx!${(IvIK z!M&jG#Ab7W)Q$ttD0ygTXa*pPGgG2l2xkLgV2XC))Y8PN6e!>=1}#(N!g&=fxwOqS zJb=bid|r+ZCi#R!AV3A5#`VlrsreAjX-HM)-VP&jk?G9~skya9$IY(opk+4SS>0## z`?^rtX78xNCjiG*HqTbRm^M=<1B+ zEX6cERm8^BOFUWwb=vc$qV(eLkB6F;%%lq#o9pF(inGxd=E>2NM#Vd7*Rb0*pv#nn zr|qm>`X+?9F9R^H)4k;9?HLfR)7Al8INbqS7K9q6-?UR=D!?908Bkq@cZhZKgS|cEUPrj# z>H0|hxMyC_Vs;gWmVw1v-AjMP1w}t6lrLQB23hh^h0VFhbwebSo#+D% zBojfKe^SbC9F!e1Pl(^c2I2iKP9kl+Z?<=?mRHgJ_^Zk#i{(sg;1^)gb$jA= zw{n;fzo|n&xlDQLgz71cS4*tG7)`5(@v~O*ZyUiu$AoWoM_w8P(^Vc~+9#!|mZCuN zcVHv_SvT)Q_$vsD1}GG-_wqn6O>T8Ky7DeR4A)2MT%3L*RsovBdgH4W_-T7KAi(0_ z<=;x=nq#IVP$vk~gEvo|I3zQCSh1txPvhjS9RHcp+F9ZCyr2}~MYLTCsl(jR)>hFx z_gqORdfXnBLcLwP29*-Oy0F9tCHITA4NqrZ_Oj z_YlM$q?-TTF`;x|V+0W-`8%$-qJ|)_Fx^=`K*tArxi0sSml>}Py#gJ8-Qj52xJz?m z0A?rU1=A<{j7=?n@$P9GzYvJ)2nLYCfH#zOURFjGICz&uo4w8@R1>qpvt>dz2{lOR z_C%+oBO;uUvYRb?n1%ix0zw_E3cA>5+VsVnXXIt6owCkiP&?RqWn$GrTNr=R?TP6f zi?VEiVSeN3@oUkB?1gVoF?U}CLtTd(oEd9~FvD5DCjX6O1M0@2bMjJ*YqlWM!o@HM zNejY$r&-5f=Pj)>CeS8qHoR-icQW=rrVlSHK07|ek?nc!d)AkV`z|R3XRj%P<4U71 z${JizU>nU-(^@BxlpJ+9odeTt765wZmJ)W;6X3fjoR1VrKzpUD@Dc67XdcEDkPW1> zW%Yl05#0JM(p+rF%CqJeT`_R-%7EAUOnKh=yFCix;vAIf-#~hQ7`4YDlxDBMFuJ$w zWWQ?0h1ZG)wH#*_`g{Bfb?&V?AOQ9tAB#NL0b7lQTUlnU3t^~E>)^`rpSMpX_8Yzs z6Z7|1GH(@QGCf9pqu8EoFc^*bg~P6b20@3n$aaomqD3}&F(vV-G%oHG7uTHN>)n;2 z*XhF^g&~219u+FZuO!4&d+aZ>nn9M{;oTP1f+>7TV=ZY{*2Fu{2dn^#czz|1aaNu~~U zvcG;+I&!iYREkK|AFoVNRvNfBu9jF;Fl=c!&3Wh7;J2VRW;c~i|26d*zo@vX`r@r?$d4OsUdB#lI(vbG`0o_T9k2-(OXhUIN0q?L=5#C_&!IE_6`q zJws5QP!t@4rM-N92v_N0K+Atls92be0y^+*inDS|eN*!-20QNimgl>nzx&0v{S=%S z&$y~(wJ@v@)@_ULyJ z*o7sxj$3@@rFW1fGO3gT9maaqa^yCn5?Di~Wofxyp#Ax;^u)* zAxf^0>%&z5on!4HQtSPhyfhwe?nP90>Ab+1)Q&;*^|)|UKi5Zp){XdWcjg)V4`1`* zT46W#HTJ8wg3iLzKwHGT=25@HV{4=OQzB;blW&l*ALnrO!?mJQQJ;#xq{a3{d7*Rq z1h*}2nYCx%{rvhxr_z)uiB5du&APPL|BM+2>8FHW)lt^en#|J?)>i~*=HFY&Q$mb+ za;KsKS&3oW&oE}-9(xoWKiTA^_}$^v*T@x?mnkdv3m)=7{xU{nm1L6mS~f`DO~_0j z*v#5R@$uFK2Kx?=v2S}&-_pA;3dOzZNLdVeoqZMk^whofi;*Ti=z6ia40TAo4xxjR zj#5P;tq)z<8&}8MVcLBjqrda;*tyVGIUg;<(!!-pRCFwJXh)Z#Er%^W1Ux>G20dfk zV>?^S9mw0emgaZL*-@OhoSTo!%z}lc1j|1c z-CPA1MA*iK$sA+ONobI;smt>oj9HwUv_Zd@SpB%B?O!eA%EW959CuQQuqUzLllI+A z++zHfpx3yo=*Rn_Yn)?I!sY2BPfA+PK>qg)ei|msQ0Vmk_3B2!Leqlf)kQb`#4l)M zU$*#uNv5+JkA>*p3Fv318X*4%6C;u82b7+Lvy{C)Nal|a?J#45kuo<8y0JcCIJQ5a z=Vn-h!~Y_S86v^qLzJ~sb*53o|ABcsazBC{yI81l1(@2xz41-aIW6rnPUQx{nczV_ z6nXDbv{y3md-Gb34^)(#xe%(nUM8U7)x!Y~YxnB&Z3GCqV?&}$VHiVeA+T1i|7V2k z#0AJo@%_Xa3yMTrx1+jsvF{*JQUz7^u@0+V8+w570q$a-~eVzQRb4lY3P(sUnpSo@;MZU8K>k_?s!MdGZePdtiG6mT3r*KaK z>PyNUd!Xsd;}i!&->EUnH0GWT%$P4z4Ot71Mwfj0*}e1ulkn|1f~Do0UianK_c=YYY^JXWfZ)_- zp4q23Yo~Dej&HD|EKz(9hkCz!8|90RG%RA(187CjUg|@P$)As3@Mm54zpAjtz#~P5 z)DvBinIh33Y!dg|QGTU8G`25f?8IJXE%wiz_+Mk*QFXPM7A!A8C}?rZP*X5_)yARt z;Tv|xvn<*PsJOXv80kc#xH=FyJ+27p%bj@l1+PThzbllFZ5UbXwIEYBJY;l&O;_R@+uQ^%uBK8V~@a{2RF!m2v+cJvnsKOov@&iry?ZnN(P?nb1ZdB_)fdekIB zLGVdHVwQTynrdQ}G4dAi^;2FGpM6@wHpf+-z45c>5*sx7sO9kFGMJ@qUsqq&!JMhx zYPEWYHKUXwyoFII(K-s4_H#<~vzYdai7K+@4TprwZ@q{W-*@&Ox&3_cT89VBGQ4XF zZ@kCEXXkUf3#@!vXKG7h)0(sdc&V;Oo^1k<;27p?QqIVo*glmO?Z>wcUvTF!{}hgF z_b@R3Un=&rv^0D`K*iDpNyo1ql1_~|eZkwAnD!Yg=!nb_D2VM7Z#%JzdHk;~l^qLl z`pEulQ$X;Of@hcZgronKIwhF%Wf`#j)kcYAhqyY#!AirC+<9k*V#B)gCs=ha(VIZ1TJ7B{obzM764U_u zjHU!vZAF3L5{t=X-$AzGg%)&qG)A`WQc;@$K1;V2G@APt)0cYIJ)vlrJp2eHTN(Tl z+#Wy%t@yXD_)i!0LAB{yz6)Yiy1h<_&18OY(wb3L4hoU`wkndrwF;%+wvdmJVhpJC zmJA|{vfQ`bUsB$+fU2ogN!Y8pL2KJE{$6lz$JDE;HCJjwCv%n#s-k3;xbjw8J>idgD`K=>M;ex z2onl`ZT_k1gI{yZ3wy(@H*Cq^tf6?it^SH9b6WYPLT6l`@*eJC(Xz2~%isc(t|V{- zZGMwYN-P8MMPC$JbR3FU#jd%73`x~2sB@K1M;3tuPzktu;M+cZsQR)OLj887flSbs z+=}@xGf*hP-2TKVc^q`rJI%Hl4YqyQCpNX^*FaUoLNOG=Hz+bTs*=`D|Ghh; zCT6hheB|Z95pWX@L$ep`g%POaI#>k_3gooLt7AmvKT&-cpcK9jG#H5gPBIJ^d3{$7 zTwBw3rGNgon2J_NIY^UK>Sf@H+D*K{LuEsEJ6r^Xk_X@yf|8`7bH{mbF@0u!iLWl_ zPGLqlgYPKK{5>xGlYS@;8cm(NE1maU@HO_nW%>O>p|1|#Ejmd3QVZ<8&`{Rh*Z_Cg z{`LOlGN^c(b-By#kl5vMqo`M)M!kIoSPdVLS=uD92U0r0yZCsPGJON{VDF%xOGO*7a{6O?ViO8&sZ*m8B{VL`{J}t zReAP(bDR0+}eOH{ChPW6o4m9m-EniuH87W5tdcQGnwG)rG0sK zO&*8I>$%F=KtlJ$u-Mx1{a3yxHHvK>4DJ1UvM$TM53bJal0J;HD#Y5SoGAC<;$^lx zdl<)!iH(H(l~2Y;gjbCb-0}q@f{Lqkg_;YBn;EU@(48*yq2PTY`5~Ndi61hd`ljqIKy`{?7dy2{Kx=T`sToDBe?=8 z?RhzAEDD)kJ0*pm9gg`lR(aZTwzeDat#2?~YzEw3;|-O2`vya|-;_bu#zgk;#t$|J zV~^ANL;0_`O7z#EDo%LB7tsDwb#|4v~$^sc}WM)EXpp@z;U&*ms zW0mKJ*waUz;zSweypxP5W2tv4oZn1jWv@jWpTd`=U8*E#M{4wMgF9c!wz>^Mb{_mK zX4Y8*N|gOzy40eDl9a&~v13cM{6F3FHh>OA@BDLEobNEsJ%Y<1LZNo}eHX}@ZVvvA z__s!7Z~gF<+pi2UvVr^sFZabm5tYwbr)s9qOx7)z@X5s~a7Ba|Mil+)ivmnXKGs6f zW(>BMWi#?$PFW#_c9$A|ud|YvMO|*0m$e(?oCU4+6GZ9hG*E&y+IrsCvSiD>5FNgM z;!Fq>)qqPT6e0zj>J$pB9u#16YTa$cMjTE=+&6&#b5I@_ed;jpW#aXnC?!(CAQr!( ziR+8+WobFTec&!gM50J+dco1rg(J4^G`u{R1wHeG?$r?dc#LZov&}!Jy{lPaTwT36 zFs$;W+b(M<%a6k>%pBVe^N%;M#Iumg`XzrO3gHg=E93rK1KV;P6h(WHceOE%DwR0u7~Uq-8+p~~*&e2Oqq*x9%@|Rn90I#f zV$x9nF$rZSF62Rh#O<5UvNU*qdd)39ai)A2nN^*aJ9!=*-l%KbqO`kygh9YCx2yd2#DSPyW2apLrNFgluX3r}XHT=X?UpM|YDn zd6l=``xJAY*~|0g#I9+Vz0lXX%m<8{^0T5CU0kHsi3tGjLQqqm+=Rc4W9_)f=qJN~6X7b3Hwp*?0Fb^d&ai zI!_v{pDVG8@7~^ihF7F_>PI43E(QCV>b;|tJod|izqY)%%fs+Dd|Mm2n?qO-e?0jG zq>#Q`Vxy;OqZJiNl(<3t>ma&bbAj8I3gmVhzqxWyb?pY(xZ;PeE=Yl|IO~U`{l$3A ziY3PR;uFT~PVK{m=? zDVi5>hEFd5u>4F+$|9_`cz0pTyPUZ7^bq(;qT%SR3)C;-|Kd&5OJn?*n>dp9nC&Rl z3N#2SX?0Z8^Sft%zi^!iop$i%0qvL-?k`CcxOeAORD*x+Bmz^%A!)AnJ~tj8>f;eT zyE{v|i8RM&~=guq~vP>xIR_0UQ+NL zJl`pkQ?f6m3s~;#8TkR^iGGveIP48u#S92S$3fVCy{JM^v2d?)w1p?T$%=_H)eQ|Sp#|+=R5kEsc zzzs&an2}40`wQRQe~Z%(0f1@d7gS#|qjA?G$`Oz@06pnH!-pwgzAS8E%bMM>*tiWvX{ch{bE=|{$OxLV#Cddp)@xNkT z+s75~)}Of2WWObjA9Ak*902!bm?io9wlkeQK-j|Non&-C&kwGcb|)oE^q6y>E=LmlvuH1lXtZTNe}@3_-tk4NFO zU?K6|czM(oaK05_E!hHd+o#41a~*G5&=e~NYpWf2Dt48fGC5_yAv1aC?mo^J4V4*w zwAU3*=Nm@vf3c}4$RV?bQa9LFok#f<8@R5s01xE#^vOL_H=mKp$|fuB${Z1lc)W*l z514_l3*|2!C_7QFx_{Utd`}YYy`S{1N5MK9y*L>Yjs>gcGel6(RL;y)1V!W(<55aA zxTOS*(N>*$fk8j--Spqkw*#N)Py7_adj3~;Z^nID?NaJ0TbCXIPli&ui_>{|Yuso4 zQk~lmdHsB*-s7%^BprWv%Ewp>4Be1=7*YYhD1yM0&ZfxHB(|b_i-_`SN&6FVscJ=9 zq%Z9(-+0!D#go?NUi;4!a`TkMB1`9~?>_&)o$4FPDYEB5`3uM%b;Q3P3vO<#abW2r0Srt0#M(CZn*q1Hv)Z+vD6i4XxfI(KmmDhdZiX|#{>REY%7q(C3fNhAg+6ci-8>AgTw|YZ3QJ4LSJ0+^#ge}-(4m%&&nNgyV0d^uH(zN z-5w^jXl`)msP6$D6&Q$Fg8DE>uIt5qTafth;^q}$u)33i|su3x$*bL9RkgRL1~ z5RG(%OM)L_09$ZYu7Sm@u6D3R*WBya*ryEtTPdkct$R;J@?C)7i@gB8IOf>hjf<`T z8UIwl!eO@oR8Hx9v1UiR87u`h*bq()5%PH&i?v7$w^;_y{T$s#XNyDc?u_oa`e)ks zFY+o;@rSOkYu|(7@I$Uo>Lk0fvZwhy$qbnnVb?3ii($qt{SNUd$t5WHoYDwJ+A+g} zD3!+!FNr)uXG$Gr2@b93()q*Yw+`)rL$lxzell@!XU>j4l}Vt6=Iq$N%o&eP2&&$z z$ss3y;9Zxnf}9h~*T{wSBooBk4?Ef=PEaW~b?)lMb;Sj_^b3@JIktDi2mvl-P?H)~ z!5vhvlHztdM+@b<&eclN_35R7neEAr!&uz2i_Str%E2I$|DxrW%5KiSA^c&)(QI2n}yoI6wOKCw%;x~9rZB> z!=adb3zm#yobN$53wz}LLsp6uGG;X6d)sl@; zU&4>ia(4{D+RS@?T#PdA5nkZtrs~E_c-BtC%cj+4J>ipFp1Q*k6rN9wI1DZ6QNZRn z#tcCOT{3|OuWE-p$&7M@Lq+D@+ec#gleez^mi zF$pQHRg_^nT7<_8<%-@qBEV{yEGgMGaqHnI6O2MF%x;Rozzz^&(qd9*jnLXw*VR zkuiR$cYSU%Srd&401tPhZ1>@$&qaM1?|Bk|umc$%P$QH}?4BEGQ4*>QH(2=m5k<%w z5RU8XUAJw3c@LrFQKdO^`@kM>=V3T&Tmv(slQ2cZI5^F|igkIi@I;@v;z z;{W{{(76eo=JgkoCUWn zR)wN>0Kn^$nO1mcngQTx&tlXDnMKu4voM;xT4HIb1lI3Um83^kB$HFm^4lNT58KWe z$bZx(>yo?Bw{kvH5k>%8l8~3vR^b>*?)ELt)TW%{tlKT8Ac!y4gpl1=9UEli#h5wp zG6aSLk8-Bq=cB-U4PA`;=)qn#!H{`EU)%mxYqM#{MHm?j+Vvux<4#+i0qxnkuo^H} zkAUGqvvxc|?Z?V&<7Kos2sFYCc#ROy5*kI4v9|z_ZbH^xEuLsO7>RWDC;{bvK={{?)GyK=f{{KAuB#EhCZ7FR2O|t?SNlGv? zywb4kG@YC;pUVz;KDA#&P31XyfVp;z_hJCP1{^E<9alDpI|;4osEW+R%fYf&a_CU` z`=G;h@qGJx)1sSgkHn;GjkvG9B<^24f;si;j1?(QpcsHoZpZ7N^38WnZo1QSiBLxM zd)WVdz(}8_f4|9r%Gc-0gpMPA&yiH(&S{{BSc|&%8vcF<@W z9C(b6X_Iq$mpr6$dhtJXpK@kGBe3`#pXl_{jH9clocudbZoCp`Mwv@;KrWJ5$lbzu zV4iOJFU0#$$Re1MS`O0`fm3fa0=#_|XyQs*ZYTi|rHH{qjj(8c*Q~r}YLI^00%cSd$&+D|Qck zx9FPo#U9bh1SD#ut33|*G+{w47CDG^BLX`|DCbuFY_WbmGW+$XuS+Q0-9UT%oOcC{ z0mj>`9qi0AD1I!)mX{2Khwcvo*7dOe2#ymEpv-|`_YQ?cNC;kT;;G7zw)F7CYCbA0 zQnp16UxeKL9H9rqM#^{k5T(TznI) zb4T-RNlc<+*9xRMMcq0E-=>I&kKDq|6u%r0}Jd|NKK;6AJl|#kQXUP9<*+#0IF0C2L_JWzO;*5aS9)RT1M1F^$O;> zwBP_2eR{EcoDR+DpkNNKUK^^{zDKeQtoLk_>|2$D0>XW|)<3F3I7NJF4}Noi9KzMc zG1<@4B3t#2TW_D^AExFgg;dyMO!F31rfY(#Ogw9A+-GweCKN5JxplPFPD4{|9o1h= zS}VZs>IUI~Qr0)jiYKLWr34nB-76EYUA(UVKS`Gx@L~Q~XO6d;tbfxcC%qT5Y;i{C=k8c6O zbN^OMf{Z6bEC;A>#{mx}0l#=^S(k5T3Sy1Snx`e!?JP5y1orkIADpITs9dV41pl^% zniSW?MBZv#n(ry7e|^DI`0iEyQK+$m^&pcQkXu{Y;yUI7@U9`poV=;&r;W!9JAejR zrvHql^=t@}<^6$%7K2=3F|W=xkn~!e>j5-qIT4zCh(`}-_xQP9s09Q1_D-)13~9YA z@HRxX_7n35A@g$7VIeY8GK-au4Zgnv(OW$WE4TxA%GSd~T*s2fyd};ksP7p6id&bq z^qSL4tf0*t!2OfAO_05>cewKaHC#VY&54gTSqFUvWPLU-PM=-%`LO3^tq#cMjJ=VD z5HuTXI`OUU!Mb;cuD*60E?Ux3sR}P46)tI=L`VCA_!gnS;aG1HtrJmjJImvua{TR2 zz>bCSfWcZv#zO*A-XMDR{h;ysnU4RD&g>9CVEux*fdpjHBKYE38H8zL=4bSgAl@C> z9%Dtn&`;{5J((=?B~4$p|Fyv(*;HOPjm$S5*EQmG6tadP3A-SPmz{E%kg}5RN-n?r zD$^O3M@`u0-(Sl&*5uBu9)kPS)oykPu+m<&CU5o)gRN9{i?J2q2E!l@q1+!{1zhU& z`6gp&AmkThrgtJtI9ae;{<(}~Rto_xG zTKv>^Fj)cU+dpnZV@KxPcQDYGOrNc>&*ObA_(J^??!^i})B{av&}4*2?%ea`a-f^H z={p1zBXru%0yOhB;G3?voKn^ljatdc+KJPQs>N?hL%TcnScK44y(mE+@r^&!reEoi zCm8i4*~~(0U5&((KznmSa&8MykT1wod2&>UFyK)IXtkbx6YB9gN3ZyFYR3sHu%sPF zLlRA8msw12lwxE9?*RJ!4&%M3K|p~s%}aLXjb_x$%*0b2W(Zfe)!M<;D>*~Hwsz~D zpFB+7c*WWLjDq(n3XhiM_=?jFoJ#h#B6|-zX8`g48_&n|h_ZK2DpsUy4Nd!rX-DBb zx8LO(B)>au7=+^QDbbM=;9@#*>I|S%Z*IMkHI@sUBLHl@BXb3mYs4!RcKN?2Q0`;@ z4z-I>V%^(=yX5AmS83u2oOc%&rg{^nxJxLKCRKFrJyKAgY--b0kJkp7!^M#^o$9EO zpgBhEwOAkC5BmK1=e&94XD`8)I&G8uP8qoPjm7k8KS?t%0O~(KAj&Y85?x?OyZMim zi%qRQ!%+6Q8Ga^zp1E!!Cmz{}e`s@y`&)CRc$B30_~4&wU=V$Ok+WSY^5E> zE@Fhufiz<>6LFBNM+dfwJY|)sQ?uDqu-QaD)%YV+k3VS>v{_O9I&;QSmM*7@-tX`< zXqmGdWjOQoCE#8H;>HMAxBjVW2O$APGTqTNa=Uj;bdpTZ{Vp^?FTn4{Rq0+!bncwt zk~$c^?fD)Z{=HE3LIvPIcN8_idgflqF0o3Ui>smRd6>`j5aWH_fxv|iusNoyI~a5dVMyO7F8nkwFc!TIShUAJ)mIq`5RlMKNOaq ze*$pm>n{SdKkH@#6Ft|(nEB1y%RK2i=A|lvG4od=+bo!Pv!_x+S!SUt`6p3(knzJy+* z6IU3^j`m=xf*tT%g*nAHc2@N?%OrPp({=#%P(LyQY6ByM2LgQLqe#x-o@^n7J415n ztl~kbI2OOEr-kB1cxbKPVUKWvxjhQJUY%Ipxeg9XOvPfqcW=&?#cVJzMgjmu6l|#; z+gERBaL;b=$aZ^h=*eSO#H0Yoz|AAGL2+ruQ1!gl1Km1mTIA4ARGzF#BU7CWz z`ni?ow}2`o>kbh=LdUOIV_bcH08|lezwkpomickH$&dC9-I$?>4y_NMS8VMuyf~m@ z(w99#doGJ)80PoJFmuu4#MDVpKr^o<>c1v*!2uf6^QTf~{~|GItp1pl!w_^tlxN?3 zf8`ffp3_9>siBt{V2FwCsUB!32QlDTHw~{-+%t!xM_ix^t~OGMVzN(H1rMbj;i<_R z);@Zs%u}i}#fdr=Gu5!o%Z;F3t&#lv`cmJfN2m71R2_xceQbOrGo;SUjJafTRcC9D zXM({};r@TKs9_C2LA34mm_|Q;Xg&g3)BU-NDm^N>ve$lEXIo70czu!w|j zH#M4W8q{dC=_bCu)I#WJC@Y;UJ}dX$6+UYZg$ho`xVBpXpR}RbJKLh4zcD-0LiKFP zVsnQCt=>Kxq1RB(@S`6-C~c)3Boo$NL|F-1;XCDCY+CPEoR`^bs62{3A(_inSBmt} zxA{hLDJe@z;<0_BqtdAb&qaA^aJ-4FMET~-dj42J4Wx5W6GO3}p<=YcUTay7-eJEZ zwTgwDWrluN@!2;{L~_CU{Aao8$Q5ZuAY%j43olS0h=;NHe8ZQ4~%m;;1Rp#y>c=wii3%C}-PY}JH_AW|K&eY>x z?_^Yb9d|P-c`a#NC&Dq~IUoa6|3v1`ul*Uf-JH$;Dhv4^=U63f+|KHHdamnu zj$^X^K8MMC#}SkthhG)S%V8fSV3_k2?CBl8-9bN_QnBO}BF)TYO728OqUK;A{rMUs z#Qp`@;8h~W`^mgf_-iMN(V4-~UI`%utit-Lf_EXLpmi51nBYI$Y#+I2C%ZiWCF+?U zY0iQb3gyW`)x*E$$(!lN4Cxv$M#-gi{QIVO0uDkMa-Qoq9^Zj7q%& zT6S15k~O@LbdTUs2O49@B4cy)a$clPK`evFd8niTYp`hHNZU?1#j?@Ek;A2l8OE{W) zV&alzVmgnP?1Eq6f9JU%@Jj;$8ql65?VO0`Md?Rvp%d`{<4N0?ovIzD9oWkd%lrty zrR>k$R9$iw2j4M=>HDP_?HC=+e+Q#eQ&St>*w|oDxHZ7{v*&SdM)N6`tC{Knw7YKG|R?8g=Y3-eCVg*b*BlhZpcTOYpPM2|i7 z^$%u;*wXG$+2A}|4*d^Dmpn@wN(GN>p8Hia z0o?JyRMgbV)fBP<5sZ49FGmfD0W0cQ6E`<#<0YT%YUn6*(Q%x2^Q z9oJ*t23cM3C4R}7%QN<&1{-iD%5+oyBQ0ZJsFxjX5$dF(mg+Pxm&P{=XxSz%f8X<- z`Y<0X0c}l~Wm*#sHli~ZDbJWX$bNdPT^khP>x3l-g zwKD>}z9)j06tdMtG?XNgJ_be8oNklN)?*3d3)WR>^z zsu#91QwA)lYx`XVZ-1DScuCozS3TsN%sI+{V`ikcZR1;@Cibfg$?4)=U&ak(VamT~ zXukVXdg!y9e6=c3mwo-+X4TuyT*Zf-Fj}gOVrp1^zbs_{rs87FTwPGj8pj}q;!({< zo+;obdE&#OoznYTvLz9*I=m4@jl8c1PTl%)R{J}&&7k7yQ zivLh;zXLA9TOp%zc| zZmjv*q?-mZrROjKYoSG16nO$W_6!N=3nK^2$(70lh{heBlV_~Or*ywzh2DM?txg?t zGuiNTgbH(QX6hvUpnMIzP$2V@aWvnJr>uABCz$ktgDGlQmHF+&s32nzl2KHq<`SzDhbi{>;vGb*KdkdBhr7s=A1 zA;Z6jRGhBIwoeS1riif-ne`Mq*mMZ^zSkUz3l6%P)|;I#&2KjT;sV68RA+=mK;kqr zpq}b=m=VjuC=ig>@-DCAV5y#Z5dpO~o&n8Mw_c>@-VHuZ)l&E1c=$Q-L<&;klXe*Q zbbZ_8M3PC)ii+%dt)-%r37p}2TE|!^oqcIDo zAeqygig!~F-b#zibY-4HjL;zqa4`*45sfRl z?W5|Ki`2`Qi`?%YYf=qydEN+d=V-sNqOI)9C62sID3hLe3troYx$|#?W<}=GJT_3EEwt-Jma4U`!iwx{a09cZN6n?ClGu} zwgL(x8K4YHG7nP^%0g{qK|7x=P~w{iM3agy_77H{u^8wHZ2@~DCm*pZy>0<4-36MJ z>1Q;qoTxM@XgO(~+1bgmO{~%eLuf2OW#9~G^Pufr(Usf@3QS`_73qM-C!Vl30AuGF z4#2h5krjb*7Hdmyhu!ziC?mt!s9>zG9HtPViFEB*}Lq4}) zT;C6`3sfMPZREG$WDO*=W-`nR{Awxpy_r^6@|^)JSaVSW>-c+`)_zy>xS*|<>yd|e zJlJ|QBV`JxW$1gZvOqfqFCFD1E@{+|9r<^djPog zL4cDZ2bBej)Uo*cwO7E8)qi3#oq9n*az7)S*LI@T_ZCZO^99$G$B!v!oYj>H^7b+z z=XtJizg@9*@^Nw$xl(>q>+)&pn@nKPZpLZ70MS9mvlqp{gKSrcNFBmn+}X;-Xig)i z4`yEXc`ST@@!Lj$WR+wItGLB}w#e3t*A9TYQh!vYAdgbg%xebY^f-)bp*^{t`&B@S zMAD;Cv5GTSxXDi1Bo`h+8SXMEKYQ?GsOE((HwPN$i^{$)lo@EgE6G#bZKDMfHGXhs z2P0F*bhw8akhU*}h0sm}<(&tLQC+<87EGI!8MmX@ghQS*P4c+PLASoXduwMM=+^c- zx8C62xwZJF({y{XgNsX>Pi*<9oY(x7O7Eq}1HtV;yZAb_k&#j7?5tzqT$z{6q|Iwd zmTm(i1*u4ETHay2$+xpH>K4#3CR5Ak_PXz@6FBKaXDb!FT(olX7!|`erMtJbG>Z`{ z2y^OXq&EG=hYrJ;D9`xpMI~uNhicd(h2b zqk|6s&h{sj&w+-;kH80}{UUV&X%VqwY?|;B>f8e)rabHTjD>OmqCGP` zV!4Qs8{GT!W$;1neEew4*9MK1$LZ3Hbiko~MMG15ioqr5VQ+zEm)Fo?QqjYGN*nz& z44_YP%n9&;(R!A;G+`iQ(4(fdU()gpzJgil`!q4LF?CRbDhN;(jjE$u@CeJDXL3A$vd6q z(jYQ+TRcg;!bBjYaFy@lDDdSEQ&PrLzg`gey6NdK5SjQfNNNQD?Z+u!g9*?FA9S=J z*mT$|a}Rfz_%V+zgJ|hdaIhxT*Y)^Y+ZE?rnzToi5`C8MBcD)w1**UT-~)R*^uf%> z!bXqm&s0Bj-H_zjb6L5TcXu`{6H3Q3z;wv}&zg?OPDoWN1NdjMpv?ka!b@C{2ug(m zH$U4eMvs8bR+01r9U78K?t3giL)lw#wMJX5Ykk&8;hK#x4}fn=nv=Ufe$&llvfX|T zypP^<-U|b2AbtnDLa!|fH}TwiPakM^F3+g9)KOw82#vX+xxmPa(QbeUKVNhW zlRH{j!@-co5LRQbP)`uZ!tPF?|q_@5q4^xVo_10>P0~=pn zkIZuIo-SPg8QO4@?y*)~L-NEXV7%%C+M~}7yL1DA=(OpR4<2!Xjuczg-(CW*2pLt5^0+O3N(3UT&e&Vck&1>1^;HB;_}^ShxSqF^R$$}RIX4R$H%Xwb^}_0=)8-ssOO09^r5YS zc&>E=5smf!eWXFNG9b4o3bjJ3GZiWFTXaYIC-U^LBa-;>;>fy!4!I{NV59?(_3jwy zu!33@^qez*DdTBoX~{wAA*Ip>-twE4!@Trb8c{eH4e9J<0$sh+3gc`YM-}t&pn_kV z14vEH0D&A++0h5gp^}j5T<0XHTbXkeq>r##Lm8(-&6#Evz0v-%Kp&%PiA-9ecfyTM zW~D`Hi1>Yt=!9?g!VlfghjbukoPY%7vQZDDGB=8zOzq<$jdIb2WuP~6&>CAgIKX#u z_G{L(5NRCS11jrPTa4?%;ParhmcL*2(cpqHGK3W`Yoj8G*t8HPJmmo0#>IZMqg8l_x3 zod|7qIC(#(ZuS)&MZ$y)cPzQ*40!@AKfG|;TN910JR4?l`LYYAp$3W_AMzbl{%P!?WkV#ELgouAHc1EeHO(Ysz>kt ztu9pl{Rk14rKaFmzFt7yEXX9Pe%SQpu3B(`YsOpLQ3uj?iZScP)7GR(Yq}s3P!@xi z_aeyzWMlvekOZs4pz*l0&1 z5@7BtKtN2VVhs&7$*4=zC!BQm-IlIdc@l_ftIHrCcL>z46)-Vi*G^dK;<*#)<9j+*i4G4)0zu`fB%LhzYb}_-JF8#SFq;@iLn8w; zAd{;GGLf8$ad@DL8MJZKie#ceqRS4GpWvxWG$6F0pf{~+GQ@fx%cal6!n@^&%XRQT zcSi+9GT|iWO8Dpiq>>UARW%XCH03n8^kK6Sy;W%=Q-YQishoc|NGz>6UzgnnO0nt& zjR|QFiBPZZ(-(r5k_16&>EbnaD))AkXC_lPQGJWoQYD0jddJNB2*P$aPqMNkl6N200KO@~6lgEW~H3|p}M9`Fi~@u^RZ}Ag&-wEMBS`gl)uF$=vgM4 z+X2_E27E5Ak%Y}Q46)7TTC6SJ*q%gVO~P5YlU~XuwG>!S+YI&?TPH`#W3Qx9J%Bo= zA0@}zA^Kh_~zgy7LS^6n#6pIN52XP zl!-O}yh12jn-rmF-}i&fdEg^ap;w49x{>w`8Z^qaI)6J> z1(0K9d}w-Y4ppwcmy(7$peS~lvDBEUHb`o7`FImJw`Fv4!Lc28@^9D59CEF4LU5a& zlHI4kM^X&HhfU#R{PJK5*L3p&TOkz{gGtKYeqs>hCl)Xv0EOcXU_G9&L=Yxn*k_N4<9ul@asQ?O72^X2h1r?mGppar%Tbqu|+!KlRjv^6%vGKQyf6%Y#YK zHw&O|&j0!*+qT~~o3QlZO7G(ZV}Tcm2;*e_g?}oCKqrq|LOVe zELT@;U>WRr)_qe8Z_fi?{18G40sZtpd~s$vActNnxjPA#iDh+Dz#Toe(Z9h6-0*)y z2RhKcP1y&%D{zoqM(7gjf~3BFw;xvn!~PEk`Oky@8Sy`+@>^K?XL0`7RsQVb|C$W? z&m2HSF*WYf?Zu^~H{Vki{zaRcoBO7xr{^A9faNizvb@X|5P@~L_dM=hve2oIf8KMJY&%yOziPzhh5)RCSKa#GzEJtQR^ft2)BtGUwEA%ioU zS_TKKx_o-9@;cRG%cL-C0pOr^<6D{nd9yaQYV2Ie?L@QfOKBbF^1e$xF<$5q3^eq0 z!nusfH@miE`4!w;D7l?xG5i2rkp24wqN%els}>l-z0ha1Ym5=qz178tJS+OZ41qlb z4poi?Ml)$G=85nF)9N4_*W)kgRN#4ha+VK>%&PzO+XZ2?u#O3rFy-Pc7Y8i#M2qQb zPHTQYB(&Llw8vroB^q3?k%0hn8C{UwLXG5@`sWRvHkKX*7YP1-fmW6uA6$<5^)OsB zdMVbrz*8j8I;T$s>CjT^bgWiY^>HKc?7huJt(YjgL)%@EZ zzuG4l{(iv=y)~^7FPcl0m^eO+5ZY?a$_#B(5T@7_bGPrDRf%!V>eb1-wz3eA9}q~J ztxhQEt9Ww9lQ~kc>&?C2E~tBevd5OHa1U&ko+DTh*39sonE5|fkYy84pu$Zr?0^BF2cmvK;iT`Ws)#=gHx2SvYRrF+C&t~Kq_d>f_L=S;=Pyde)!vL5sO#ITEal^~1 zgP9sW%AP=v;!et$(bs_m+0YaE7iDe1rVH9Cy%djF@2vQ5@sJ4`zl6n>{nd4hckYBm z9^B;$^ovfo{A68l<1#7hb-N>O*xRR|wQ3f4Ll>m`JD zB01sF-Y0jqgV~&oof%r-4sCo%fyf^hg0aMctG>$6<3-^*{WqZZ24mSKVw(oWGS5BR z6MFObv2U}UJ7X!kJC;P=@(242@dbh+)6Go61Na2Tz&Vfi(h z%|-LBz7zh~v)LQ^2FxN_YH5G~{h|}j&f18Pe@S&`N%t797);t>%mywTd?GO#`KGyXF4~MFy=&ezAlgLhM%A1(4)baKx$bQgPNbo*XD$m^Bg!MZx8RY4FG16l zmOg9I8fMiV&1+G-Bnj?2a|g}>4Sb1jUwh_Q&dxcpB@S&|kbRe4GfTT+`5UTVV{{h516*u>lf46KVXx}LzI-^Ns=1H

aHDI zU`V}O^e7;?N>C{W+nYMj`#(5ADpN$v(1Ps~b~3P!d#Xp!)xDM%>sSgNDs~zE2fKAx zg*CpSFCBt9s#l)C&!NsK%1;AX;PK9~nzcNa`?qTdQ>y?*;I5vMEKrAP4!fWPt&44= z@HY)4RNZVDu+lICTH_q|KToKztn^AZ&^gb`5wQH>vg3!2MBC)CX*|fs&gha?b-SQ! zY^#>ENXYhXKXW*%h2wD#IWr@9e149=&z_ zLq`(7^vN&xMVxhC4XW-SRE8jzk-o|~%jy1N1Jo-fECNKtOmB$KtHpW>RQ_(Pz7112 z1JyRqpvhb42#}QI89P$obGhYy$`J05^w3)qOuC2%sL{^Ig>hz0-W};w5hOaxX%U-( zh-$LfPba$okoI9UTuuH&^+tn;4ye-2>{L_4KD(To3Va%G##<7?OnDf#a2kOtAkp)E zy`>UoneXg)oE}T3w%uveQZKp&J3)L>wsimA3>vd}cTSc=L8W zio6lk1$qO;FZ%UWWQZx6;`B3sr#Ryzu_Z*5u; z|K3K%GgEFj`-iLJHiH|;K^@G+UYiA=_HmgttovvPYlcLJyaYr&s#Cy$)=l1Dd5$1T z3FqlENdzSM{B|Rp*mx~F0ImSK73o0Tc32Bd)B{Te_5STh-T-s&lG5_^_}Zxadj(zM zXJGh;>#`TTAB7sn4ApCtTA~&~x|7VlSBi`kAwORP^-7sUudAGb3fnWfx=rlvpGD8e zf)sRERQlwoF6n@qVn7ur)8nkUrhq;aqoltIQvDKvQxZrv#a=vX&g+~^0ecRv`-sS6{F!Jq>r~8%Q2u$0GdoMpm7YVBQ zy3*sVD#BScW{ND`P*sCHu-T5ZHS6;mi%T?!Lae5R9m968 z)+~pNYNOx*xai**>uG7A9%+R+iC#M^!Hdl67EnhAQa4ec!6i~*9^w}wS2V9q`wOa~% z2a}R}%FySt=>cLRFFlO~w*Knlqh<(Ohw-3}Jy}FA zRYcJY=#S+n3up;&=4hqfc#H?c%m}*xBV}2Vn(MM5R$@hCZZBtQ^JJlkDL+g*BAr2I_c zumRK|Dl}>-kBld(!Z>v%DL(^Taoz*yoxg$fidD2Y1t+7XA&Gh&s6H?(s${#RfY`G9 ztd=-s0IrW(oh&QF>LT1{fsR0pq+(Du4)Avrsyt)J_qO5Wb$Hzx&J#GiVh1z9@&GN) zwgKv+IO!@Fgf=9tU^yrOccyna`Fg*9b-=XYDW&N$4(rv|tcUQ9B%N~JAdLm-!Je#^ zN=wUhlDru@UFOcPFF@DjZy(H*nr4|HRO-Cyc724K*zhmvR%B@gCq~m&UQcZL;(alI zbRAQ1h>+ZUdH?M)#3W`lR_ReZ=2i=4D+ax97D8RY%i4$Cy^3HK47y7ImHdUHziTy4R#0BG|n-n?K0k;a=sN>=!iJ)mq++^0)%g})vIAXOPL9;_wex=^# z=vr~6g3AULCm+*7Pn2i(1u6{^0a~I#_^YIa8)XF&L24ZU&6BR5K(d4y%*o;gVe3mi zL}#2k=ZWd4-l?q>pdVP|d^T~%oG-%uY0ghZyQhXguAW#N3l=!=XV;*aZXGI{&Dr7X zJf0P5D2lOqwsK$u%hKrFsDKbS2Af7A5KnDyBs`A znk1NCZ1c*`#>PIPKo~tMh&GVe z;Pzti*?C6C!0B%1hgb1A?QokumE1=Kf(07Ux3*C-(eY^Ncw-kC`E<(R;bv3^VW)a=-hgEai~k7eNF+-zqpZF?JsG(Zq|D=EzXh4lZr z!0lg0`A@L+Cs_L}bM_~-_9sjG|NSiO@OyWAGjnqZFI^u2DnP$+@boO{o*cGhRVq81 z{a*ql3Oyk50ZsWX2c*CW=k<*pa6tAd9ajQ`)PM41X#vTB`}r%t3L`te z{?M_*I{pWp_RoX=8Sy`+@*9c$&*B8z&Hs}U|7TbEvycBdfc~`*<x%n3R~+4~t`w73jo z_Y!U?F|YUqcF*u@VpJ`-iH`aHBKwZ($*w%mX}^1x?;QNU{#T288NGT`eJ%&#D@_6Z OQ@^ZpDgWZNd;b?C)@Qc> diff --git a/versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP1/Distributed-API.png b/versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP1/Distributed-API.png deleted file mode 100644 index 688c7c2e1bf9d75f570cddf3a92fe9d4b8ee0072..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 49935 zcmeFa2Q=K>_b-fy5Gl$Ngb*Q!sDsgaA7ylgB+86l2BVD8r4l20Nz_EN5F$-reLWsAHSoK;i<<-Zq2+*a^MtziVC}rX4>f0;r-zH5 z2k0gxBP=Q`E+YXKmXi7V8_?zd`MHUmqaDuWKTHGB>F59>S2(~oTa?uL#(G7(AVi68Vw7svhB*Gnhq2cO|Qd0$@(bTj;;I-BK zd{oS(@cyDMs_t$GLjw&fcQ1l2)?Hf_W3R7;fV+C=I;c3PyCOARePuk+I`(2%O;=S_ zReu!|BMV&@M=-ONrB{HNor9(w&?-#{INr_A6RRTXZ|`7%v(m>)E(^#^K-@` zKtC@}4PAn$3_{%l=dEEW?x1C9ZtU%ZMg+n=&GhZ9)KJb61Zf{*Cmk0l@qhs1Kp9Ov z6%zv;ZG@4Xs+TF=)zit;4UI9kx72XQXn^t12sf;!pQSUw9_J}x4@2M)-X>ah2#l10 zr>B=U#=ue1#m&rDUs6rgGC*I{O40%Et7?X~kjCigdTY4ZJ4hof9CXyAO;P$-3nbnO zrlw`-q5&jlqVE-G;%s1IVyKSx2JEm?LFs6_nBh#V#Qoh>?Q{cB(nfGG2bi&+nyM&4 zN?XU$LEjN>V5cdns$r>#burOL8hRKwd&BJ2-5k`td?1OLsvw*!;C9}cs_ri8nr?v@ zNgXG=F~LyV5DnBs)zQ-4QN~2a%|c(-)k4xUz|-7UU0UB4FQcRGs-tR#Hu4}4ER4LJ zB!C_}nmB<04bU#0R(`IcR$|@~UPfXnh6HUDaVH~h8Fg_tf)3gZV+tCXi)wD&GEu9TC z0}Tx%5k|i1`eM2cNMn@%7~IXt%1{dEv?|)jz{CrwZ-sXBbT-5~N@H<2Z+nCx%-qYt z5FTI$GnO*&c2#jvF>*Aug87@v=(xLxTIidaOFB6E_<4#06QU~V=HTS#X^#^#f*I*s zX<|?+7TPW@`Xl#d<(?d5{O~~FPT`;w)p|iQSlbuF@iiV!Cqmctb$61@8q8BLP?5uBW zu7j~exm&t>nWMziumnkQ11mjkFDY|`q_3#I3>d-{M0qPnExGxfzSyiNkI$*A-ql^*8513Rn~e zDZ4=Mt13!E+bmE_R8zy)O2PszuA`>v?J7eM^U#&{GBx$WU>(I=)!~q-GxM?tG(~s^ zXov?I*c&0?z^ZBnVx$SaT7ee+7-KIzaZe*lXhb9yDP!g=?J5@FW}szhf++y13$E`jIRSQH=1aDoH5$c!$Mq77v|_7~z)A}2H)SS+`xe?_NwACO zO0Ctj5jP6gB=JR3Bh>c`nDgw9=ZR_F7k^B5;l)MOo@yzvWW!4)e$!_8?e_kA1G_c* zqb_nkXMOsY<=x&4R4LWZ1eRHEmpDD$-V0uMmG!E=epP<^WFoKrgYgYzG77qIGD=Re zh;Yi=ckT@T`sLifF?F26gpq}n701oZof83lOHK_MX42G5 zbECCJ9OX2IPUSScN{5YeLMd1zuUh4igBCy+uFOQi!esd@oh?aLoKJ>E?Xc%{ z#s(JJdr7A*9IlhD;aLuqF5&t=J_$c1Le~ycB-;j z#72eftRbJIFR$(&ChGyA!=`$q{^)=qMdismLu1UB(<`49G5%Wy87f8$-Bz1l{9w_g zN%bk}WM(VFAzSDY$w(-@s+E(6;<=QhjD3G$edAV}qp)r86(% z$^Fo3PS5`cwDBU)w?yHPKU#B~C+@3Pi$dtb=l5yTWnuqTohBGtJfz1t>VuDZ*ehp# z{y&g?-@n^Q$;y6_iKk)YeG|pV=U*4L86(R$D|u)KIEZmD{>SI`U%EYXP6 zx<4wQNn?v*Iiu+P<&!1)+lga`oGy$5jKB3Lf#HurOOborZp!fKoSLuO#;)JP*KkWe z=rvFp_NZO$@10v;`|62j!@hY~y}!3z+Z;BLY%xUmnfX)ltGoDu8%a`rG7U47i65Cl z%1k7Am(@?CTp8j`ckj7eihQeHrF|t+LnjgY_tuTn278d}YSkYTf#S*Ocor}ouQjx@ z{BgnYflGc)g5Cp(R-u~T@8%!g;W&;Z4*P%gz>bEj`&n2M917Axh%ne_R`62mZT+b8 z9)9LrYUsbm;tPj4)>5>b|D#&@lbwp&vy(}m1Ncaj_nkQKzuz9KjuxqVBLnAg>~ToF z)}Qe*aExvASLvG{cPGCDEz}O|u7~a8G2yLYVL#^|FH?7$)SPzJwJTEr4xK$p=zcS8>_J9j60jb!pKovTIJe1$$fsa z#lERIizR68)xd*L;Wyu|PmYf6@2yue8pwCoP6&BM8D6lfB3e4xaXn`K+upncwyw7{ z?)ipr&2Lo)diqlb+R(_w8N27V+bAZ;5w_!9(ZUt|rh2~WgHYvo0=AhQ?<>}i;LH5P zqH>HQAgB6gR?rXyt>8BxBB}M+7ayw<4HOAiF?vXykj)P^*u91A(fv@&bciG1zCYlwwpvkyXC3)`AGSx>l)10 z#!o5j{GN~pfC5couv=ep21^m!@~Zhu;THHCd7~8ALYj;AGnp~yTP)Na&r>+ zJ~InADJ@M6cU@PperH02Em5ca;Ubb41@rHK4@eZec)ZJ8_xtGj9i^RzmDYNqGBj&b z24Pj3Hn6u;vFJ9JC*1d>A5~&YV7#PHB`-Rs9kU3Nla!x-M2pN@2TtWpv0`vr`g)?U zJacQpL@Oq;5-v)*n6MPfWtD4p;|04chpAXT~7u1hm0T z!2w%>i%=_IUS`hhD(^Xez>jfmx|z@mvD;B^x$|R!$Bono8O9v&zkrrFwto0MAuc_* zx?aB@QUx)Ckypv{iSljRY-_##!Bn`XURf{a4Ch zcN#g_w&^)==(#3l8+Sc1nJCE#rxMufPT3iWf-$OHY9)fHDaZRyTTy0CR?9rX*C-2> zt_9Ma1f)cif)l$cK|GM1jV$+Fq9pWD3MG12Wc=o5srt>1N$>i~pIOxerxX^uBN)9C z1-c@&FQd$n@loBYU?bF}!gw9yGjbABKN)Op{#4qR8DwERf+W7Y;#u1#R6YAV=HbQL zUy}eE2x#+Gr@GBaw-E=)jUoJKNQYc&=vHrbmD2v^$3z1_izn>4y*%NZsiIh^{Biz; zi;PTK=R;mz@#%oGeD!2uv$;t)F}E0azt>VA86gR$$wz9unux#Cx{s}z%AfDnI`6^JorF(l z{V?A&lz_j{D%afji2>u9V(I9z_vmp3Wn!NDX8=+C2fTF-MxgRP(WvU+c8h7F5*u75&`;F;cUP$Jv=K*W2BOL=#y=Y})n^!WlO zwLdwdd*(A4%bBc~kQ%?d2q|p-CqAXk)=7tzCF)!jnI*1Z7-9U@Hc&APM!ogJ=7evO z{Fh52ug|*?Tf;tJ?iN3N{h$KI80z;i7fCt5dCH5C4S4EbF-JQ3&CX=Px%x6^jc=qO53 zj~9xw*|+xGAzS^a79|OJjw{ePQ5OG%dXTIz;f5{5G<9yySjx5!zp6vWhpia-kh6h= zW#gbt+C&dUG_lpjE~$RJrJ0I+jYrbA{{hcxf!Wy~*MUdfbr1L*a@LbqUXY90P>_MK ziF7TsBlxrDG40yk_Yg01Ge765lggtYz_PSIk(xgMAuw6k-Z zF5)!#bmJWc4>Wzw9y&hH2095{fRCIvac#%ho$PLE+=0Ogpa+Zk$uUaH5c8Zd2l-sr zR+en~wZO%9-}54ZdWbvRyV2929hgk$^`U z=zQ&4CzX%45y^p!IF%xXWplRpUTneDsYNRQaM3oajgMb{_aOQ|ZuXno7-ztVzFYOyIGUM~+*29Mvq{PH} zHUouUs)UDt%fu^3#IB3k?KhBGzT^gb`CjT~zdKobDszABL8 z2qF}pY(#>uLN`L?ljKAg+&GDznk`(+mrDoIhDsW*`j)5RF^fgwY_e`030u8SPIyE2 zS7$9CcXpBGr-Ni^BIIO;Qf%0LN6Q!!$dJ<+NHM--O<7oPz43+xT0JXZf$QT-+;oy; z4!_isAU(h_ehZDiLe4g3;`G1T6+nLB+qal`SywMAXRcDVOw@uMQTy8)2B{|;?1)d= zMw*=NWNlqhmmm!o=WW>Ks-Tc06?D4)DuL@x8x)H*9))%{JCL=1O?!po5!*USvO~#{ zt<#F=NlYWcWoKyOJ_Lci5cquz4N>n3u8&3WkBG{j$&wy28bPve(GTC&z#erc8e|T3 zS-Pcs$~Je1qy;1@%K;MS0`7ZuP&EY8kR8g5e4g1l&G}OznO{F6XX-lG1*`9xn;_~x z0e{JaTjOlRGxAGne2<_TTU!0?2Z`TMyk_5J4Wh{ z_B@a~K`P5==<14NJA1ZBUbm-LCp@J5-;;1K7f^4R=DIX7XeSvS100m~)k`_b7H(g7 zmKsq0r;Rddxj;L23u-2hL7h{DFo&+|U? zB;@61HMO)7iA|hz&s1#>(H9gVRUR@xX*>;eZ$hUA1qRAsXY=`TyvvBNl)6)QIpR+$ zcQ5Imkq_+8;~V_N*-+E-@Q4v)8Y1<>R~03{@9gG!hn|egQKVq~d4_}v@neE>$7q~` ze{Yl1`q*}qw^ooc&BF4TICQU!7^g%nByt-laJ7-w1V5p9Z*xzN1mbMS= z-%>SjyPN2FoT9z>e;n&2>znXMc5>EcUcG%Lnu9J(0_9qrtkG|@WG6*543>Gw!l}V5 z^f^5|ke$5+W;t`0LHeS^sS`=_oH;9}Q*DVx51vwc`8eOw4Z*CKiqMlYX@?Wca-45M zr)bU*^8W2pUB{~_V`v$PUeTO6-qv=+Ge)w3*FT{e1Aiqk(*&jzoTZ=P1LT*{(?f>} zwF)4gQe!wIryLs+S*mwP{{2@;Las3y87DQ59?5k&%9U_kmZDw2FM*B@BL5OtSgx&E zA3tj`a6&I%IGD!F_-av47pk!cSLS_grNqb#*QOs%NWMZ&0=^(;+-@dD)D}Ybysixyghp=+45y!n?PumoLgiwwM;xenj%PxpLS;+jvQ zW``x~?s`OC*+8gLlcK?wG%MB*nqO z;SX-Xna%e_?XIUwd!v8O+_`;wsHH{w=S(FX1)RY)6QUJzsYT)B{Xx5CZ>=rsHPxMC z!%43gG40muYi%eD{kl%!?`WTy_@JG46WlvGG@>Gx&!oJBP98lV0P8Tsc>ksKjjc0W zs?n4ZowP()bn<6zrx=YP?#v$|9Z$997o(ZuD4$$xs3|lyPdJ$E3^bcY{FU6Hu^Ed< zY9WR$X%SJ9pgB4=1J2|f>wC9eqJjfJ$JWXWg$ZQKk8~^%$Dxyugo=R2ZD(Z!?NIP= z+aEcc?#L}>F%2LIvHG5^HfTEC-sk`iI$P_%G1zA#Gi4D&tP>nI^{VR5@!=#w1kACV zA!xj$JTmC9$xdG7D!_LaDH4>EDbtwE+H{PeLpPtRA+W6e63#6tD0ufc{X-2Pk)x!v zCY{;%7eFHM$i>vje(v>+CR%L@GX`60Q+@#iYySD7`iF}T<=n+seowUx(e z0FH}_Qo!}28Wno@_j-l`0Vo|nj>yrWXpg?^z{3x@5iFRa{mSz}xcNoeBx2l2x&!{7 z_{+NGFTnqn9i1701ODra{CK4jPO$p}jzbKg`rl?q+FhX8dyiV48qF`R3aHOB&Y>>6geKJl7427*LQ2MRn z>$T5AVYfo*aLH3gw;;j*B|^hFvDI@V)a zI(O*2AS=moYw&J3i3^)d7GtB8W3J#?zw2M|{We?G_Cmc<<&T2w(5kP2Gf&gK0dk1M zuMgv^@ik-Y*qUs<)6af}W0qOUiiLM<2oq=UBZQxo9g<&5Ol~%x^C4D)OZhN=L5A4; zYQ+#P`m24S{-Xhnr^`uMrKoSXs z5~R61wM#^LH^?rF_s1|{sGSATl+#GCNS~oun~+sAsa`$t%3I9VpA`UV5pyY4ekn3N zY;QB&QzL)X$Hk_{spm1G>;v~>7{F62Dnr(X2d)t&k~8BrSTN{1h0XEA7+#pttIp!I z_Fo53O%zZfUDK!6+F!Z4dz59gv0%z(rRpU*1&A=EIcKxY3SRT0_bM-4^X=A{FSglz z60|nxlvy*Xf?TSZ()YwMU-gQBu+<>|Ow2M_IbT?>T?qLo^rBsC{xc@luYP}bVVG8= z=G)#%fszai_Ba+GW<%`Wjr97}5b{?!*)IOkS68_5arM|exgh{*j&p>p7)gC~e^IG+ zN~SSnDKXpEWMp>YCoX2Zn#Ah%Cik9fTZimSNm=4<3wNw<{qCG+`r`S3ZxQ+RFFq<( z%gn8&kM5A>YL+|aqxiC%Lqm5Ko26uifjF^%A$|~kvJHT=`N^yxEWVW|^$osu=Gy#S zfl{vz!qx6R=vi8ujdv1Z!XfzYFo#;jwa*yr2cZgg5`!kdh0?cwFxN|)S$aNuOEs^s zKrl%Bcnv>1@p{maZGBRze(+l8<^+VsyCdBp;B)@IQ=cR7ipa; zL)}BcQnw|VGe;bCM_l;I+XB$M^8l#Are5>+2D4p#zkcKVPEPgKbn)<6r;P4j{C>|r zqod(lLRG&WAtle*>~9SWTRLU-U9F!ft*%m7`}{rzPExNov$*!kWjQ`J*k0^TIUng} z;tKc9#PZ&H{b**ukEnSePlE2k1m|SUH2XRBgWH9&C{W0^hEL`$<&$QUd*_mySQ1C2 zLid)lrEF}=0OB-1o@kIYy-vQ?wjWyc?u+$VjNY7BiTJZLsbiUE2iVO774{cn!z8HM z%ffbNNbPay@hoSucW0g0#x#ic@pa3Y^AKn$2XOY`4ynwy25Cr!rsOh7R0su0pe#c z#1$>LR3%Shvp}}RtY0clvwgGx5YL}kfz$jIAQ}bt-UpiG+-?F;GfW%mQ4vdy-2591 z##P7td6fLl@Av6STbz|O+rta~%+>*Rm>-C_bNC_en6qnnA|WnMq{7Ls|D6jkwgjMd zpN|RyA=_U^{Rgh$GZ}9f-0P3l9Np@#2sGG2EkD8A`X1f@RcM}#9BV3i{sP7N!U9=s zkus_Qkp~ZZ=?(x@@ADfC#~$#V$q&ADENCK(4b#5{%)#YU+gg>TDw$s$Z{}OjQ=9M4 z?{)2NG%I0|%&l6)5}@LhGH-nro0z3Y#NbBd1V&x-bW0Q`Op9tD7=*K2kX}(|xu`yZ zK-{$C7w24(U}7wb5->%(E4?u;T<2j$z@TJLCJi>E#WP-m(C)7wB$h6zv_1Io0i(0Y z9$X(r8h5&}2nBZ}9n;c;&9hzv&z zk)EwiK)@Ayy>F~ZjQynq&H#zqX}=bSd_KZAqg!PUf&xuUS0wVsvx4RaB^ZSs`;W(W)@1{k zcwW5IhxD1t$h;eG7{f&>n91h6O^LbE_+W8b0qw>$g{KvU(cU`9y{$>CD{5CyCkApmk z(Pb&#!~@5etaWjMEs+r^{ScPjcp|}nsXk#0Sm555@dj5gdhHFu@>G*a8S06>-e}G? zOvI9Q5sUtk_LDSifMBdSjt$gKo5xjie`8&kg!Dy_p(v47c&m#8kgX@fL)~hkmGtdP~nNtwB<NQxs}ZwvV->5w z){Y%JiDYl3;e&aOFLp%0UW1^cRP5EZT)*D!NEk0wXI`rH7l}mFghYIefF8$o(t1=Y z_g!>`UYe-gbJ%MTNkmGTd|}0)cYMEJD5x2~cI8oaS};y^`h(5hlD)Y0k25#QiebD1 z(MCMM&7t}2o;BXhptWn1CC_=8Ilcu!w%~DZB%x%rKxwyVdpUbwezP$xgKir-s^ljx zQDw6DC&U83z&`3!LRql-X_<#0;C0vEnAxqg(h=j{)>>Dd&0l}?iruX04|plVWa&ri7(xaWthReZHCQMSrAY-BBc+3MNz! zY_=p-PR4WsUNq7X_==ua33omR#2UA4e|!DKwU}3ukmR42Z0;(N{6J>*+4~0%;(G}R zvCe{|2lA={q$ex|#v;eg2YX>2v`#6>uwRn-5HvkbnJs^hzks$$J#nA0*Q{NO@Yo-0 z2>8XhQs6vlI>`+3-cJ9dGim^sD)fsVtuXVSUgBT+(4yW6GlF&Txj#gx-M$~$5Y3y5>aT|h{P@i%x z+S={utNg9vB;1yE-Tg#HrzNia^E=;;bp(BAe8z~;`SBNKmc-`ienNyWRh=Q3&`jGj zPS5=lgtxs9V_S$FbX$u}+c`HPVra<%3&MgX-o<5gfy;%Dva{IKg>p$1!HO2m>ZVzDrQ#)1zuQ?SbD3D3&aRacBr_tnccaSwVz@^ zJOgWN^c_1Ap$OoWkYC{^_3N`Fw#8-Fy>vaBs-(@pS43cqQeJaj8O&Ce^f9Vg+jZq{4#?CHfph|Dxa z=th4g0lL86F^#OnX+LH4Se=g|%2Vc-1T!{r4dLo=OrigHYQC`VKC@cg*Sq-c$AqJfap%Dr6&&dw~l8AS- z_a6b2>%NUk$OHtC`-YZ=uO1ji;PAS3UT}Tj?o!^qbeec`xsuMA^4AF+shgjwr z6Gd5yK2)P@OVZh+fhk37Ml-wsGJSfw8v>`OH2`G#7ov7Ir`*~jvgGOk%8065P2#}; z$n>Z>&y7b;JgNz|F9XQb3`chYGB(aYV!02^dSR@^@z<3va~(parndaX-Ka+XrBc5W zDqg}Zx+pDsR# z1Ni3!_uCLA7#9yvR?Us5+nQtQIcG_K9dv0orCBpD2N2}PHtgwNE*3#zv0CATGqFMn z&@5f*0Deql^+v0VNnf4nlRWI=um8H!8VCk?otBqT+2AfY#djLfvUlQnT9Cr90$1D3 zl*e7q8Tcf%D$0lW_b10cc2gph{ZGj6_!;0Yaz-2miW#11RY8j+Bafl{%zV&)Hu-O5 z2y!68Twk0amn3`Y)y+aNLYa1Dq|h1C9I!@1mGGd7<7cVgQIk)m(?1l?i-M)l1Q)%3 z&YAq=oVOca!%$Bt-Qu6rW^04+AgMFt5x$gZo>QnR=V&nPkERuHjw;jSvAP#T*(utE z+Wt;>W+I;-c9_z5>A+}Pm;5w)?H7#nQsA+mBGW~O>vTvsSVW&Tf(z1kPTQMg>sW5p z#C!niOPvujWuqjaUiFX=#H0MDECO$l`9!lq&43mrX@m#iEd%L22Ehs(W(pJniLklj z{L!&T5%)Q7nw%t`G>01}P#?5qxzJGiHL~k*(RH$A{aYvcs3KtIPhWa7U{vnDPqx0$ zF!bo}5T*nDw~=cp*6LRz$tSN2Zn?yAVDze0+kRkFjCrZQo2rFZn#Cktq&Q%hCbids zB$tHC6V8TUlM8CERBVZ60v;KSsJI_qc^1^76@`a<4Oh0Le1lKTWA0AT58pI@9r`7= z`7jL;6_-S#D&0qCi#6lsiGpMh9!^g&R2@UD|KKvU=%{Inp$8ocrcZ~B561KuD9#zc z*1w~qhX1hjAGZFZt^XK-e{AbNw)LMQ>mN_x9|!9n2kRfd_5b^IfYWCNL>9N@bYBn^qL@u?E~8y*+WmQggbKTzA832TRtKA)ul)_c)-^$( zx{Ki+YToegYLO56;VlQKe$H`<+34c9_>0FcG*}b9sFsVIGHGDJ*hxQ_x^*)AY!Tuw z3RjwEr;3tqH$ao7aW(9=Bn@4pB~PYA-Feq?9maG!_r7&nfa7CcBkDq)2HD5vtQ1fd zrR`m^b#4<}q9COygDv}UZdwwG<(^}p-H-e657aN@q>#8D?~x;4P0pxlre{%X@v z$Y#1Bm23`RN<);W>}`J0Z+Bq*vALDS_X8#`^4U=rayQ7{gyolBqG>rt?lu$mDma9e zRk-f4GblK18?W5X@a**|%MSw;&%XcAz3UI? z69nJwwxEftV@_+Xyjhl0h;ty5{n;ryViCV41x&Z$i>$qn&FH(^(IWg`0AN!NzFXyv z1_Wde0sEHsURe-ps=|33j6qL_yHe=n4~t;h^ra7)rPr0wqm9h6j>Pf@F}Z z6<@K{m7vPBp+kPT-Fnwh+B%KoL0KQV^M;jz?w3KhA2p^V>`eC&$}Re|ZdqSYY6ah( zfHIU0YKK8|7T3%XRFXIotOSZ=pRlpB`#}|%d^Wgl4dzOa$}&1vyFOAktcR6~ba{7^ z20Q4G>Ic$0(yxT=t`1M8dn&%Kb4*$|Ay@d4{OUp8q#+%!`=Mw88%B&cr0iKa!6dal z_f^0Lq7Q3Hm@8sssY`kaaa{4f+8J+|Mmy#8r_OlA4gFM{a-ws|I z#@paQB1=^n$cMp#imtWkyYCj?-Gud@W`uSiJR*t=3BbTJwWO7GIJ`=ENYKn_GBhXg_97GZzqS8i;T2~wu1wQe2Miush) zEZt4_>$j}^k@39ya~hP)1>bhs96cKnyp(Bl9=<1c)zvgPgA*WVfV@CIG16pqSZGDN z*oQYDV)rEzB&cCQ7LG5J)G-7yn!ZECk~XZ+Q9MJ&xnEBs$X=< z7Q?z4wL$IW>I47hr|UqW;IKvgR-fa?Z79bC6xY6k63^zL^4lvQfiAs(@1Ek;ulzEZ z$+TS9$1ISP<#=9UOsdExw9CNx(zhO zaQFM^FlTHV+ObtXBwFaT^S#^Ip<7e)HyM%6*v@p1*Y~&k%0l~w(v(24D_qKdlgWM9 zZ@>ddoU0fO?fA%yvL(ku2}`7ub0?X{rrQL{d>05GgNDG@Bl6ez3*L=?eNmnb#qY78 z@Y5L`H}*|zl8DS{{k+tXmf<+o8$-re#wJw?;P7|!w(Rd%Xf5-Xn0}; z+KSce7i0&n`oM!MHm_SEU0eB|z0I<)w&b#58TIYe?}&oIdh87ZsZw@kzuh>Et;g;O zjo1|@p(-rjnE}&%oI-Iu_b=}xSxq;L9#NREV}$f=ErP+`j@zdWjn}WeDuYXTZQdWs z$qrc?B#|w{NROYg*rJ15xl;w6zBKm1xj#d&RFkvN25rw(;6Z+1@NzE591EI{Q#<9o zziP7&FXdQ5{RFvneeS#)zI+XhGoAMYE|5it0uNG@^v;x_Ryjuw>@aP;!c?2kL80d@ zT=SUo+bACjJz{b7LfzM4ke!8vN^$Eham*5U9wb{>4}N7y+`JbJr5s8kB=1g_2oQ0E1Zv&GqdBKYi8Dy59I1DhS6n zow3jxU}u& z_EEev{%jxMXwCsgL!sNw@5K7E3J7f1t59hQ4s%OhYgE<>6{vXRgZ!5MI@dQ8AQ|mb z-Kp}hwc^w-GYzp6Pk}HpK-aDAbwyaeXIhPg52d_(7_aqVboAwc%hq3tc0L*Lo6^<# z&S$0V0o@M2Zw3*N(};wes$c1%r13?B3{@w0((YY{**?7*FTp7qaQtc>9KTm4yv_h) zQb=G&@6X!s!3QFgj#_~N4;kP=uIAd*!btSLLywA$fPM$z8oJ*H%bm0ldU;d%9L1|r zwb|^ieY#Kmy6#at1-tTaxn*Bi#;618f22YE0^Fz0f`ZwD#ZFrAzr3z2PXRyZH=rBi z*Of(K0j_3$=6iK8UsD8(DfT=RX9SKcc>~Lgjm8RDL@1@}RX}1zSrqF`j>6GW5I4ht zyWzA}y%mPY{cZO+M$f8fkvZD^iH(A>%-W;%1V!F~br8rik9uKE0TuaU z_OF)J)!p}2TH?_Fk27%|cn9{ya==G9X0gp+`(yLJd+T8BC0`!dP;UT+F7cS*<)(8E z-ag_1V@?+^{Cm$Ib*EitzpAn5$TSG{fl5=q!fa6B@bCP7TXr!41rkdSkn9t17oX-k z_MeX&3%k7nZupnM4S%aO;@`Xb{TE*JV2BqKKq(Kv4RS+qw*U4j5$@MgvciJV2HBs5 z0F5ZjKKIXZ|KaX`tuom2cmYHWDjdj-vYVCl{bZz73G&(%+}y3GoI?5^QF^052>wOR z64B@JDaZCmCSc720MPax*2F^F{Cqmgz6bIsp_&CB=)s$D8*T8O5UK)HHN3fTS}|Zr zq}c2RrwrKgY~+?Vz(YD-74MDoc!6Zv~wMLbV-Q^ zqzLGI2_&IyO0;OXBErp}DKE#um{Ocx)haBvi$h+N54fR3rvqPZ7!#{73C?Tlbtp9- zyzG>>xllRzp!mxU0>E-zDz;O3ss7-+FH6VVlNka>{jZUgd@1m{N>HcJt53%BASJt- z-hT4ZhK9lmvJ;+n$(B2kh7uDUY}`%o&u@oILX-0YfbgEfs=^%b|OUgvNP%pBGbp! zIVr_KYK7zDtjk7gP5!U=e5jo-G}K9FFtA|0qs&JWgXLZ~P|!*gNKl=ZdAbPhU^uIi zz*PhtMIbeFFDsK{C%KdlxV;yd4s=b{p5|)^F18t46tlN+2gxya!g-+;7lNY;f;35? zawHd+`18a|l&193;N6|!pNi|1zzexDx@C_45ygkIawn?pJSu&1l_noY(O%JZG)pCL zHrivxV2!RzIXuLh;GA%PD z{u&N)OWf|(E846zy(Zc<6dWjNAF=_J^Lr;cRyjxSdA#V5oCo*) zv0?P&Cx93Iy70Stbhi_#vk9ayW}vAr6rjH@sz+yAcR!9$g?KKK52c`-1Svb~Cg4fJ z^YykCr%#`*?(Xik-R(9)QK+e@VeRcNx)=2Rijj@H_hx|XlZr@i-_?vKr>ZE%m{&{3 z-<+bDqY)kbBEDRCeK+oOUa*Jp@UfyB!K~XvJ@yU5C-wSIWFz$%FoKeHANK}PgzIge z1d|nuNUb-^H|$KN5?wQX9BoYs_YZm5oQjaVeM=eCrBz%)v0okYI@#xTIm9@I@ox01 zP-D>YoZHr|whE>YQIe{e`o~aL{=zJlPu5vF*`{NKN1w_+Gu?X3swIPc_1$GaD=66Y z7LO>kFW8|oWF2D+ZvvIuK3_bTIP&?ghX)fsYHDE#7TU5UItV^0R~s-k)bXM^%?-7o zIn|&Dl`16U5)cqwbj z>Ot!#wlK--&uux!ioD_UrH&v1bL0K(J^a*wVeP@%AHG4&@IjI*&$lTIJ{ZhYV`a7= z<@$7#%G|_(D6P8Mj_5*zC5@T0WkG}%n4>6eC?5lap6Zepjwn9%n5YkNHiLL6nnM;E zj^Bz%d^_;yGzmrGVwLk1I+{o6^jq|x&9`u(ZyL0ImUy9n2VYjZIc&UCe$i2!1zYP! z!yUJCr4Ix3q3Kk;%li!=$zk;C4LAFt!E)}h{3&A&O8*yS%wAiR!F=+5hIk&MV}3I; z>6xDF8*9u}nQI%WKXt?CS`guzk{(;LcW~woJLMrWS+bF38lCioH!@aMiE~$u1#)Hi zUu3~V{MB}i4rDgpH1d$D3l90(q$9DuQNGmEQzl|F>R-OprVv_E^Kzv)vuthSrC%)fjYuQJY|M5p;`cw=eRgIS<^Xso$SSGWE^6m0^3mgQgfWvurRx3@AU zCHW*92^A@O`RVD=s&&v||6g_R6bgosD9lXfuY>AtPNHk|;>65XVe?0o&9TX;DWM?; zbXfdZ)?Dzb<^m0^AK}W>;2B5(a!80SE!_L3#@ai{kvP_LC zX}Q)nB1E6ekq#6jYVuG)RuAZ~{Ngkx5pUp!)G`t?9_%NaTjb$sT4j+#Gu>-w`;K~YGS;TWYVI92V4w+eH6 zwthbif;Pp+f7RjtdPRr-DMeog_uc=g6#e@O%?2`HI%i(z(W&YF0V%mr+23;_zH)Pm zw>nezIO7t@mOZ|#44$4SY1_bT_bd3(*+ge>8y=IHnmPNm;?#<|{H}=a$hVAi374LW zbBpF|HbO_uij@xx_*2=YP65b}Ms*bT@4cGIRj9L?xnASWU|ZMJ&0gyL=Jqrk`kJPx z$x7+KO2c)a+=*&{@`#a zWbvhnXon6L%C7c4{ODM9*&b{B1!5D68KpBYGme-8uiK~{oN#kLRt-{B8Z41j+; zgsNow<|k5Z`~gy*Cb!%!KKv+Jcsjp=e51oNbj%;T9gv?r=$PKY9=5ZH z9FhACo)7JZ-gCtQq!tG~AP}_F%9kFN_-4bg#Drge`H`fbXja|QDf#Yc=*3sGJM_3A zR5O16iDJH)7TS^B?~~Cy2$gv~w?hF@4h__;!7Juof32D+tFJ4{PBynH8eD0OdcQdB zaO0$;7XS~Vf(EKbCZLySNu25C*KTpIZ)Kr7dilposH(N{i77ey+&{7tgkchc09(^Hg=d<;^N0wk2`c4K;Q{SBw~}&A6K;UCx(RMx zUu84Nrc-f^6;Z#pLQXCO=~_}`)2oiq$dJX2FC^eQg%;|wKNBgfICW7RcDtX&%Im+)qTG-`{AS2XwfH5>gm3u}XVyuGq(G41rSrz8#7h5LA*J$nxz$ z^ukG?m}|WfeEte%4po^?GJ6s9j6;o>)W*TvoCM6hsHt+GPjHwWk-!wIB|a)kcf(#j zq=}Mo8B@Qz=3}6+ngkH*Io9PB=K77M@h!Ss*BV*b`8Q)jD#zHzp(il&{Tp)>!1XO% zi503VKB!(Jwk$w@(pYw8Y+z&3}3dJtv706%(ar3(<(pn|fRyfuO9OIz!+t(iy%^2Jn>^>+~3+~-d z%ydkq?gYz$W2-;FL~f1U9vNbEt;0Iy6-sbigm0g2ROpSN46PX%tO|{h2o1M}G?U*% zr1^L_q=WYUV0Rr19cH@RBg&Zk-F@r}WU-idxmfp&U9_SUQcS!?KAQ%yPipE{ErPTb zbS@Xm?BD{*Iq-N{WgI1{jyby1M@in%;OywRz#O<=r!4G>ZH8;k|R|rp10KT?9|?rB!3>_8R7C!T4Qbps7ihNIofj8r2*WGqqzta|^9# zKAy#5YGR-zH19P5zq>mGJM)aE1H9C)rBlURLRb6zIL61J_vBW5dK6z!4xz(0LBdHm zXV^L|C|)Ge;C@hfd&on>gKhX#qu~Tu8%|!Op$Bmp^i!eqmOg8dHRp#6MBi5lMucB< zv^k@uA$?L}{_V5eDdvp4UCb6Q4xChQG*FYDav29iTf3|#ZY3P-1&$xsP1}mWUciEs zn&&$L(kBp~nsEvO#b)KcJ>pY{(*5+yv~X1BPua?t0(07L%PoaypDCp&ThO_P4m}1Xi*hGt(`!^hS5dIPj{#h!* zjX5hA&%)o-29da3G5Z#qqDq^umw<^(g7?9oXeSUdxDruj<*plt`acqTEf9Y>B3fGY zycF_NKi*T_&iKsew0qrQ#!U)Q(gOI0F^gfg_(S+j4gq~aMYXTr4zBn*o>v>5`Eo8H zX3GQRt3$uU!Ec?JNIMxkrrC0&tt+plO+q9>LAutvhP6=?W$pqG;c^t9raPs+$6@q96SBpiNdZG zWiglspW+-HXTV))e>#*Fa@lKdlbtLd{&><=%<%N%T8m~M`rD#2G%Z$XGGAFhX)PMA zcB1>B;vO^kL+p^K zzH|dGuQ#AQ0#4NA5cgbcb#W3)s@RKvzAU;))OygN3nao4*R_}!Mb<2ns+SSUB11C? zF;~JCqjii=zGjAm8e$QmJOg)Kxl;-UjlIF=JUm!-ijQ~YxP~Z)(l*hw!H|7{kjrB` zPs;LOVsvqe+UnHTTHd&>Dc|ft+oD#TtmxZc0|lY zTCXLh`DC*G4`@_qV+&*0@>9W-_k+)043n%I&!Y2(+evn*h79qVWMr4JZjEf`{16Ft zDIw9aS)Eregs~nTdbkZ``e9|-NG=YKyA-{>nPd@J3|B52REjlLn0k-P5stU-3|YQV zvt#v9=L1)D*IS8~dr~`=Kuh6_*z1Z<*gAE!O(M;nZSbDqP4`zXMGjD&2Te}>G5=D+ zl@@&IJh3Zd72Aw+Ycd^ry_&g&{J zy9eg_NQ&yE-}>`!L(y+T(f>_D(a(BMBRzkXK08L9yq8*ot=afw^O5ew#f!kvOILia zq{x+iSb)L}fF1x|BfpdoqrJ=1uD2*o>(gR z-|n5??wx-v_l}i|OM6go@a%WrcNW`!)@;iuit7?~qGNN&B7g2E=X%C2YKjDEa5?hWBq}gsxsEn+s*iffczMZF)T??t zqB~mx6C~Pn@*EnCr^UH-YEltxR4)=?6mW^}-}Pcrxx&CGrTK_M*!FC4_+-Q0@TV+b z+!xohq`fWk_MU0Omu7DkJ`5!V4o1m8f!}!4%Qp_qmV^af%+O+bng$kK+-c*^i%M*H z+&We_N8?W$*Vb)9!}hP??F(!0Awc4Ffwb>Qu10zJ{4?Nafa&i zhjf;QGH1A{Diq@xz>Tf*@{%lPd8LLBhWz(JexJy1()xWz{!ef%#myrqwh}Lfv3uEf z=idxI<9;L^M#Iar`3=gY6R7O9 zaN;tCym#fkxIyczXQ`7}P(XeWZ|^~1rV)^KNPxS1lWRw1xsr9o4xI>K)hMwxWDoCs zu=$uCBw|r$XG-6H{Fav&l*SO z+J8+wu{Y-w;5E~x24j7|d`;zq7xX2Y_VIAw%RdzZ$-bdb2i<+L-DDDE#5vBKOm^cg)x}Bna+idlTQ?X(KoKRKB`)*>qAE~`tTBu3}U|nCN$-0h!P4?Z9 zSW(qIXqiT*a65QW$q#Z2B??NRRV;UWDuB6;Lg1)(GaZSihx3F%EN`QkXIY_lF z5sI`1bHQYD)Ile%Q5no+fC`&Tn9?q|0;q10H70xQv4qvj#8d@v(sBSfK_Ww(D+RcB z15x=z6mr&oG0x-093%{X1rW+MIaF~G94^+YH^Gi~u!i~o3J_JIoL4dqWxlN`2lP+e z5pG69@qI0smga!ay}QYDZ=t4^Aic{SoL_nA()d`g%;^3(u=}c?wgIPu6QDOqzLc?( zc^7!DS|d>va~zo22Jgh(7#Gk2T@|1D^P&EPB#qS6H-xQt{^+L8FxGA3bI zSn^XcR6fKU5eb{?SEQ#ra_0UQuSYUfclF96Ptw_4cz$=UP4&5p44V%gzeCqUfBeju z?INNMZ@IqE@mYK{uyHk={WxdRDcN=Hy@_pB?!=75q2gg#DtuFC-pDZLxKA<2ZamP!waPdJpfvbGClS2N*q*;nC z`&n_w0>@oG-P=qoPcrnVYvIf;CG!z=qaY{u&R=7=s}Z2?)xYP-M1X1 zD5&8(YL}RfLJHY6bz=jg#eyMyJr0Zr^O(=x7nC>u_^x>a(^Aji=4I;16Wyi_`Z=*= zbB|-?qF)Q3(ef*jUdz3U*i&v6$gZfU!nrDNW*K*gP6M3ve(GqzAsY{4(a-xW;QO+hgAMh^Du>)$lndW8zG z;#a?&@N{IrQo1}FPif6)Ht||&DBWaqL~^6c>f@pVFR$mCzT&534x}cQfB9ktFfqn^ z!@~97Kj*%A`}S^`Z|-?Yx-(47%*+_Td5*dkg~2?GQz_f}j(9Bz;p$`+QWglyF~c>V zF`ObLUTq^Iv_~;eF5}tE2~~3TK!eJa39;p-WvSidl*vq!1!XRV!X+VINn~?|kL0oQ zNz_**C@`0(T{`0+q3#)8S6kLS1q6}#lL0%nkyGL+i+>3Bw5q0XnemmcL?(xDV67=) zg2*TgD0*hCHd!2v9mF}@Zf6cWc?>n@LEV(#q9T>cHDPY*916=#lxW~Q=%;ZD{D z<$hFPlx-Lo1MN2Xd9#<0VE-mZ*8s-0Y;YqT89Aklz?aLOgo2*;66{RFM-ipew_<@- zT0&sU;ypKJ%#C!tfFr5G?M`W9i<@bH%%55Mkbc&W|^?v=yIsJ z3Wa5T*>1G&QFD%U5V^6oGN;?N3Q%@IJ1BzC2TA!i1Bye-qD2B56n+&5@#Rj^9m#r^ zeDPx}RLfHpP};5VB#yVfb3REs5caM-z^ib@x8mU$t3vCT3-2O*p(cdL7Ft^02m#$Y z0K_=lb@dIcxusr0UU%}AK+Y=IRdMX zv_PCR$2jycIjUPGV+ZA?`;ar#$GRc%aB$-b9D)T3Z^S_^R=1U={njQ zvgd2F=l!$h{d4>J`fT1ZtU-xsi9Wz+(Ac}aGlV|iy)zv0Z`-}b3RN()zt0tq$eCB) zV^9+#Z}(=Kw)NmQanUytW=O5Dp;#KVgtqTA}x*>i$z!PFO zUX9l9O~Bekx}7rD*eouWU9)>1Bi&~_;ifwewH<`d(N=PLkx|f-Cbd$GD;zX%_%TFt zwJfP6JBXvPaZP+=K^ixQI4yG^PN>{W?Q8I*=}LC0^8{r&xG&A4{Qb^e)qOh4nK@7i z!*;o>7b-aPK{0R)D&R_db{~pqXp&v435ic6d zzC*DU8)9ni{6PHj5nxSXlpWt2S=vGck_(B$j@;WQw4lsn5|MPzj(vfZOrVvx(d2!O zyQ%zRd^>O{n@`CO{ZV6a5Xsvj!jJV{f%)swCiXLp2^-`+Up&7wzi|Od7O06U2J{Ls zQe7k{3l4-B;`?-2AK_NmEF7{KLm-~Uwz9lj5f+wH(cbPHSS>sf(o4mtpg#+BBjlDL za62P7B#!Yl)J0C$2tcTr^g9;_UEeYft+rb(FS#@jG(J`6En{3*XHbC*a|jcnOQSTW zQzY|t+6XJ+-tA^+Uz^|G@s0`DM!Gp-8?M;X|KKXkck<o2xh+g9H5Fakm08cO+#LcG$>AZVj>lLf%~=ttS?gFf8}3h^pDJHSdwr@{dLzG-N0<9St{0@5Sd z^SLcoDY3~ti5uJRu!RDnLgRAN!$O3o`A82-3hizVa{Fg^X_x{(OkuX5r+M{@JEbP& z%U;bH=D?PZ0}HQ$chqotdF6Q(wn>5j#RdY@qZfqjlgZ~O5e}<;e^)` zE~ukQdcNU%&Ga<`PY00H@<4=xS=#mrjKzF|PqX1u9s||@GK!|3pN=#2?}3cMOE~}5 zK?}m;o{*7|yqER4}jt5wP0A;X#hD|F+WhozFu9k^^JTKCE zJYZzxFFl*|f_Un5zYw4L4zFB3cFKYEr_fk}(@nR(8=%NWK3*tu>Jx`gZ?gpAq71-A z6^r1djIPjgYdlAK)I|;++`AL!S-EA)mfKJrMeI9p(Usi&I&dCJ)IblyX(~p76uzXR zc~><(-3(`=>dZo*Q;bht-!ApTmX8KXkd%igm)yxadUk|CK<75MYUFL#>ETpUjELq>slPNSBu zP~+WR=}U9W{Zj$N{NI5GJ?)nsx8U7~<-pS!;RVuK8F*uz5-VY?h{v|5-Y-)Iwr2NJ z$X%>QLhklWwG&q1ycV^*ok)LI!#Jkz6zi?2kN4`Bh@A51CJniQHAF z-*kIndc+T;7w)Q(Z;9cj4XplI=XaN;Ar?^2B(D_+q zHU>zW5Si^pv?03hgB_=&d#G>rEJ$Lr9|zV&ufT4XkLaU~@ZYcTUWE&rKuX}5X_Y!^ zcN?+!=8YE@tJ)#c3BwcD;az_>Bd9d>nBWnq5lEcv$H3DZPeakOPG+%%`0eMp;BIlo zA1HSYOr;MeBS-38gVEwVn*|M{;PXwTrKH<`ro3|ur2YgR;x9udcf>8= z9*ln9r&#U_YTBWw=-yM``X$VOJACl_IgohHF9V5uT4klORE-p*o*r({DhoEEc9E;& zR%fT2$2}->#lQRU0PYEAHz@Kv`Uxo$if(#%}~wt|_TT!{C7n1{hEv>25w$>pfR?%kBF0bNg9H zSBf$bQE^YJKnrixk@z6sth>cm&85|YK=LIc_xMRDZgsy9%74uN-(k6vLrX`4Nt=_n z5jIElFiCNRXUa73CYgfuS)@8r99-uQ2R%R&dK)T&_AAe;jp>H9^15dEjU5)Py0jg1 zUb+wK+fF~a&pwE&>I5^AGL6?6>L~4T3d)Ppmm2KJY_D z7B0FVykMc@3XkLVs{l0e#o9@Hc@^z#;c;!Rkz;16Z^^lw%2 zb!H7q$t@(NNzzf%JtUbf9EgANBGvn%6A*VT;X>^s(32?eAAX@s}{~c!$VWxN7huAo$&=;bwaYraH9?(sSsDQ&X zVd2w%$`Jn{LrHDM?_y=$0-5}dZoVDL_|rJnWWFT9zS8xh$$)q*b?I8C4al^Hyzh@G zBKwDW&N+oAl1-zT9tADacV>(7`ad-qyg2B9TYS~L@(L&8lT+Y07OQJB@W8G6=!G$N z=Fv|X$6dsy>pb$bJu;?-XW8D3TrSahKd8jH8L2BrQn5)U&Ib8)(vKI#(iuz|iXAyF zYjdO*zw&7F#P)FB7Lk#Wv2kLn9udlSI8`#X3q;uP(^!4qg-!p#AHg_5H)!a!KUb znzR_<*4;!Lvyp{09Q<_+7esgjO-M_u92&Eef}h3y`sa(>r%f732Wk*CsyphW+Lo10 zc&?FK_oby?VD6(1F{chJK@|_PT~dRzMxAJ)vU2<2=cd2;IYP=+j>J=Kjnhn1+k}kE zGV#yk8~AmRBhH157ss@X{U!v_^p+QbB#Xlr=Qg(Q^stmyg`4#U?`v8r;unM9nR#vADK9* zbg(+ENO_McvNCKd9Ctd!W>sP`wyYU!9Ap6MFgApd5@0U0QOw)^XE=(4f2tdWKax=jas*G8I^kUGD=G0;_FpX(_8p6WZST&7Z+#qN~kq_!i^bDAFSS* zYm()J6@44L=>>FXtG&s7EZ>nwnBpw56mQE|&X|H;T7{h&3o`Ay#~#SMN86gj`kJK% z4k1gMZNBQ^{bKC_y`dprinUZkTLeyDneFa_-MO%$Ihmwj(u(+MGVwX26;a8H^6ay3 zk%DtHXR?W5Hzy6e9H4u}D&1XY#V(@lac+xSZGcx2VwxQ!N@{FuViR+c9a|jM=WcBL z%UW!$u(ty2zJB&Mb+pR|jJ zYZPYMH@w?u`HRoZLx1@vH^*6T?Co%0Sb@#iyf%y*IWL^vL~|7WhZ#XI!Zsl;<>KY0Mkx7vZN8GJln#}h^+kq% zcL=_v1>5Okm6D86iwIpxoD!Y=*ySTte3-k)!g)4wRJYP;dRbQH!nLVo*=S$v@PaG9 z_m0KAKNv1`=hn2oGZQ?U-;C$$D;g`#&H@h#!om1!$4Hgba`r*YGY0JV_EHdyQrWw< z>P)QAb3bDG@~ZjWW63Xv!B}w*XL$GnGEkhy^@|8^rB9-=oVnIPvji13qp~6U>+Mea zGC9_(<>Y;k18}p#+Ct+Sxw$T`CKmLn3*2hmd$*8Sz}df(vI=Rf`&EeoeMPQV6K4_p z^z_Ue|4KdDUH^$K!1rd0Ouk2D*<88(E>egFd@ybt5fbDY=~pMT zKUE6gPtjb36olO7tIG?0;IdC0j}C{zyw?>^fH~_LYv2l0ImV!Dn(2}E=2{^%kNt`J z)X7lBPZ^DBOqc%jv{PKWkuB_;?9CsGlgnM5;c(#570f<4J%^PVxWptMJc{}-DuNqZ zh45Ab+5i-IbqBessx-8#y;~h>*qBg3VVg7g5Y(%qu$h@kgV5mOPWN)Mk|tevIwbDa zJq5he8(PWRkU%(l@oXK+=-YSM{-)u4*N8k*u)^y6sArA2-tv<1jnCXruTlX6HO`N` z1Xn{PWb`#*%Y`DYe&C`}C|+o=&)lTKvG~ES(y7f@mv$Jtw$$tQEpxhi0_)rkMdi~t zxR#&;J>wDNq8l$;TeXhO-$Y8~N~F%o@otApW@P-P)zF?TQrNU7Z9I~p5UZ9SLn{kYGk4ak+aSqHHLn=m;qhNw;Is0h! zq2@|n=3_8lVp$F!ZuJ`(S&W=H)ChiLu%z~iy0NC_C)_puBIcc!d3b9mGHlV6W$j;G zfCRbP9+iC9rZME*gB-? pY~?&&u_;MAzF<}N;Y?@jhR-_v>C()i0c)r>7dSpDdQzerhDFE{MKo#A+E^03EMhlqWNd3}Bno}AdJ>m1%7`m{-W%;2!fGh2a4PyM2>O?dotFo7 zSua*I&F8OGajXQyH5)9I)%58upF6dDyzQeh2OEMaIKB5*IJHZmFW;sm%|?aMvsiT1 z-zNvMO`9!$5+u~HB3}eydLX4KSa#~|D9y}3N^L2SjLw^+d5ciUpE$4d!2cG$Za z$Nd=voEOp2t?isXalLQhm5DQ4pp`ivu-1O4JhQd2GpqZ`q@ThTRH~f6 zZ@$}v@EQ-!!OT%*o|@I0%lq_M1FQQQtsq@%>BH&Uo+uod4w=U=U`GQ~zsGEp8oFl)lsD>|GSH;^I=2%-8>lb~Mm{R_&r zW#62FbX;#5N456eG|Y~ z2Vq%F!M2QJaN(76NW@i2u$b^$mnd#F?#VM3%R0O@t)I7`pOY8cWc$5P6F(7pua};& zY{0gL%{imAT^{R-T~_xc%%dddi?{%SvVey4&;uu|zy;QaY~WOGNqN(spC!i}FcPw& zQ|Gb@-Zs{L`y+vIDoa2`tk}g*ad+ki{2cZ(PS@x;+?8l?!cSPH9byhp*zpqi*-Ht^ zas&3=fu8-&p(W!^S*izm)rkI?9}lb!zt>z9G%1#E|a3`*2HIZ z1ZAVPReFx*0bzBOm1p{K(U}eW_G!AE(}G-S-#a*r^+sR1#EU4yvWL;jEjI+Clme|5f@q9NGA*gzTfa0#=7Sn}}-? zL~9*^;zzDS@*QdNI($u^|^17p{?G9cP4V9I1-l zn6X%wc3>tq!u?4xl9(k!Mh69ZT5X5aOu*5cH0RZVt)4#N_M?ck0<=1{zt!q?{UMQN zD(I^Z4$N3nf(ZUvq;)L+eO%{ZXL%%HzVi4Sg{!I^(L7%t+ojj&99QXcr^xOZ3 zBELmM6w{3a{I~6Rq*&LMxeWcGv6V<0;-ZQ%dL&034oA`z1%GRwpilohYM<}dF^5-5 z?!lAh7aAJcInU_RE@(3?em*6yVUmt5sC%sJxfQ|th^iS@mtMM80?j`NRP z+!M*Xwj_o)Y-?DAzimrn(s<+LmYUYrM=*dbxSn^Jb#4UUyK@_H$(ZCW+?QVsHomdPG+AGBY^=iD%1$rosh66^=fR$ zz>g!z(;NFJmJAS}06`uW5PY38p8E@N!PSSZ^6S^H&m#pK5Yi1{U40;)^AKk^h4&hG zNSBAnbN3xgL`N~C_u6`{$d zuZhTiY#K)=OjQ>f_P@`A;+@sZm4NSCNZm_LPaA6Rd& z37SYM@+KKVpl4x{RUfI1$G&p2jF5Y^nrKi;x-UU8a$bt^0B&(_wLD51Tu~K3d69xY z*CYZ>ipXX7x&bZrN=S|dLB#34a=~mp&Z$KL<{kBF-~5f7atf9_l*>cEKDYs3Df2A- z0nrZ)yu6_a?T3@!bRcH*@;7}c^iM?&nC;lJ^DlOiHUPp(PjBPAuK^n!Cmy{%yAL}6 z@5ilbwBBF~G`Zq+`cxt4lUGz5D@mKasNz+j$H5SuMA~Xj2*Y(F^LB?83mLVy*9VV; zAW9+q{=MidIL%O#4c9e`7`|Yy8M-kBqkn!-Mq#hd9||H6IP6Q$^G_QvgY;jp@2u2$ z)(6jn&9|=I0YM+A!3JouJ3hP#2l2O^O}T*I29&Ej%(hjz+LDj7(U{2-vFwVRaiFxy z+a5%4Ttqei98`^bx!!;onsk%JKDYuni>}Bgz6jEfnF$3mtUN!DD#D)AAv%~L`%Nmp zN#!@GpbP$+tNc&7O8LB*otc^0bwEFcMB;yP|4Ckvb@=15Pz(c?8K(%~qg=2OUcB6h jL6cG3qOgFl%x&rq?(2)+O7bFuzmrO*k7ph=yY;^S=*%*^ diff --git a/versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP1/Distributed-Deployment.png b/versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP1/Distributed-Deployment.png deleted file mode 100644 index 8bba51b8d0495141d02b68797ae1b51d466f45c6..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 34547 zcmeFZcT|*3voA_g1{4`Uzz7UMBl1DM1kw zP?7?IBvAy(Ih}r<@!i|^+uwKZzH6O()>(Ufe<(BabU$5PRb5^EtE#@Ct*JyoeukWY zfPg|pSzd>LfEYzUK%{^;3V!L_+d4)-Kx*ryVCd!SXJhYVO~583hyTPT$ZzNB>BS}_ z&n777>+8#Fin(g8YK~Jp2MY0z!KH;%q{)!V=&=ej#3A zF+nW8y}7Nm%kOt-xCYoeIhnHwDvI#(gI8TN6cAt&LW580_AcIj;IE&!sF|oR2lyoG z=H_ILv9?gN_k!9BiSY`FLS599^)%Gk1m(bICwoV0@JGqo($N*_;^|`U2L8y|dAK^; zdpm<}ViLUkyh0MfBD`V}e?0+R{_%HRa~pFH`#*+(=ILYY;c4&cf}f^6o0DeN& zUgoy=Uk&B-v{k&-y?C^Eyksr0Jp9&LX81N<{%+RzHdfX?_Lg8wK{g=;z+o$Ub6XE{ zKpVgPZw~q>+A5&s?KCY^MA7_)?!xY7fGKcu0RuNpOA$|B1#Nx-ZFh5dU$mXLg}Rve z)c|)rXG?$n00U*ToV%@#JzCMJZX+djZT)kwt4Qcg@q-A(1Hg@ibpAllPX z#X-y;Yh`1nA*?4P=BtEJa1ao2^wN}6)wOl) zFdoVZ;CBIaFHLP7AqQtGM{{)peM5CERShAF09QK~B_k(Ce_?AyVHGbyF991ZK^GfM zOMPEYKLITTXKNt|9gL;FnuVa9n1mjnLrhpt$=<>-z|u$8K+(@%!p}%uTSEwNThY|)%A1@@X?nO(QucS#kgo2xTx898hXp>J9}BH z+bMYXJ85aEK*QL`qHScIG@K1=RWSD6wz~4}2DTzb0u~zX&|?)h2SZ&8VI3Pe4|^X+ z3kL@WS$h#DZAEP%H8nk33juv20d-v;ZB=a{Ej0rTPis#X1wAcGBWodyfr6?##?#N$ zMMXhJR>w#|)gu5C!0)c0s^M*At)}2E=ZW_Ab<(i+yXr0~DywK{<1XvqCgQ9qYo{%$ zW2E8g=Vr;TtEHwa=;|n-Wv%Hh;ov6AuPN&%XeaCwAnay%_3Bk|1sexT6<<9KZ3Qh? zaWzkjSb&qVtgQrASVh1~Ts=Tl(?|ZQf~Bm5n6HtxypFiIjfAg*G^*+@yn z+)YE>*+$L?E8<`!U?r@1)!ac$TUpN9+z&`hQ9;hhP|H=w&rn+hsD!?PwT-*GqN1>q zrl+Q&tAVbgm8OIq*2CRES3ujt++5L0T-{m4OUc{b%TM3a$X(S>&cQ=j2Q8Mc-tvy3)$)^>szQ9y6DO|Xj$4jVw^>ttc3l=)jTw0UAt{_0k4_L{z4nyS8*wnm0%LpMJ`T_7EKtfh{JkiCJrk&d97pufD6ybH!c zSH%Ka=N_s)g0?yu;%){G5(eH{;1|$A11m1zrRC*d<>llr;N~VOfCfuM(MHTy)7s0; zP0mNd*2>W!z}v}J-wUIwDX$|CAY$+7uV^78E~erO`lDqv{jut5Xcr%}wF6e~s)whw zn~J}-zNV#>lCq(fzrBN^oq?XBo#$0~VRtbX2}?ICZ$DwIsF#HUr0M?V5(@S{mX;E# zVt%6f5^DB3;*Lhb+HQsd7*SP!TMrvw2?IG-B_BC=eqCi3O;t@rBQPjdS;X8<4>Fw^ z5&|MFq5)SOz-KRrrT#AJLK3#%gOG%)fs(hk7FJKf+QCXq32SJfhSs&U7e}L&fV~9P z!_C22%friBPfi!>q;C}9;9}!~RkX7A!RWes=?f|e>Dgex3>B>f)V&?eUFX~bQNsHR24l049(rJo+?*e{2i`}X)k0pw z#>Z95DnQB8N68H%Z?1vyuvGU4#!O4dOUN56eno8!44< zh>e<Ix?Hs^WEcSn69FMYhJXm^rjYaav78hevu>XH{YlQUOOf0C z`BJphC4EOc<-qg*Y`Tv`WWS+8RgwNjU+7ulO#)`t(+=lk|JF8~fEg$CpIxE1BvH%Y zSle$2!K41iBPui{M8$u6CsH9}LMKhWKK-{r!VnKh{~{P}8lFpnM5(w>9sjc{QU=#c z{Ku=1VKO>Iv5C30?nm)+{XGg3`upF$%P?_-cQQ{`^=T%{osf|C8F3c#pT47H)pKR@ zZfWp>*K zaw-r%e*CyYA^Ir?$+S5h+C1O1`^#g*xrXA@N3PNaX4@?Pyqo7Q8%S+W)7+QzuQ<*q zb*-fC+nM{p8=tKocn{v8l-kPKI{X=gLeJ%Pjs7{cQ}<*}QmuSc<9myBEY{C-ny(%* zt?1WLdwXSbl*RUecdAq6d(n!o5yv{G5~NKtT}DH87d&1Pl6IIK?qIeT4-Xb6g{?u8 zWVTd8w9glBjKtR0NbCBA=UgP3;%r7%cNC_}-!LRI9&Wu6?BcHM*la!w{_N4kGxOqS zN%GX~%bHE=#jYvOmLDfbVKc|PyuDM-#0dONX2=*op~q+Iw6}mwJhPdew;Q%5tr!buqtSrR05Af-Hi{=COx<7TIc?-#b1^FH@RgI3>rv{Hz500OuI7aMDeYQ_TE zRXS?jr>v?643dw~8Ont0|1|5uktlbDhqBgnWoFjcsKdRU!@DZU7iiHIZLw5%;xcG$0O}X9%($f80n(74!5L z-|+{W78f)#FLD)E>9{k0^OZfv*-^5%Yk>>Z9&gV3c1*-DO1)Q6E~Ct+89&&l*}X!x{X;91bI2?- z*qVykr4<{pJri$hsF=WT{xnP9-wv^8{8P2^y zbrg=;@~8e>xJ+bV39+hp-N|%2YrvYQPW;CT3rCP(`Ovi#TogP8jaSMOXFwz+l#2}9^eUk^*6$vhRYPnBWlbCdQs|R ze^S&zLQW;<(EpSJSlB!Hn$lmynwBXf*86p>*S>%F@nDMTZ%CIr~I?SagjsNd!qGGW(M38*aM7-#>SVn+fn!_Dc*e_Mmv=H|Fri^(!g}?IcUEAa}<8I>zwFImoGo5uOB%n zll&mzjEL&+lG>(531PWhPBF=)OP6vB3mtpcKD{AT5Y8do-Rj*EI75W|o*m}HSYu(w ziH=z1(9JWP8S`siattCKcaJgWmUOb;8w&JflL!_Jt0#(+gAzV0k zR9(pN?zPsj=GSS7BurmZ;dYbHy^m793-qMOBBVoxg<)XQW<|7q)_%1$A>5P8X(VY_ zI&n*(V5Nd;k=_U*YBMK?I_paE0vK`q(uxqS)%1MtYfF_S1P7>IQ=+j= zdU@qrjbi>QR-Z!;_h&v?CZwd9g&2Ly4n24})*y!Ix4I9uRAp6}`ewU@q@#=yl z*mi%_mqNySZ@pkZD6uoKUhsR1?>qBOI zg(WYZ?M>1*Ctm(lD|fIrE3KsV=2){GnE(~wY&78P6A@-f(+t zvk4>IlY%kjP&)5@chq~x#ABg)h;A`>Ya*sS6WT+$D>|4x_LkptwNgrRL;H78^TCb> zc&yduM=7}^gF;7BoQ+1fSF)0k5FvY!y`~LSK4-GWHkRF-Yr!!2rt~eQ%^wuczV+<6 zlCPp!-L(5pC$F3s$9ja z_45_+ds}a$Qv-k1DYg7)6Y7y<0h_Y4)%pO2kEH!uhN~&!cJtx>qDQyH?8*0aUwlU1 zrZw+be|9J=wyK*+O&)QnFGg~MohK9a0orLX9e{J(F$@8AD7^^rAB$0lw>FK*7fG;k zGJ(qTHW1-Ouq8cz2b_oY(A_yqGgk63l~dD3btx@7(?nx_ zcE}5H7fSXE!0Y7D)NL_qeDUJN^rLuQ&f8P1T%SU}31vghk4(sVq1juJp=&H+qi(HX z6eckU|FsWF)-_*zxF)BL01M0{O1RLj<|t+uG`6{X*0rI0tJPpDQm=Nb&96M+O-{!- z!0b>Gi-jI9&HuG*Fg9_FJ2FfhxMedBV;GY9G%pv|M$Nq!8_y(c z0j?AC1kuvoYL8YhpJX4EQ!9s3ZST#~LWZ1dZ?ni5ZHX}LZfUyI{G zYl=_cCfC^ZtZ&nUtuFi$!j8`rTQ4XOF#M*q#xhD;^@~@ZMmw2*5&f=%1Ql9AeF{Kfj9vGoT9`V`=E9;VV77(NuIHL|&H9XG4mBDXlv)`rI6rgoW% zB4WwMhg%?*P3AmF6+K_^m+Jxnqi@Fjrfy9-`nRrs^~~NKz0UD;+?EmZxCKdsJVg|4 zxVwr(pK`O~l2_hREMgMoZQfg%Ec9s=!$d85Q1(QUn3n^o(2v_tXYC_u`1YsSr8%V9 zv_h$=m7`)l%-*-nnrs>$!z_aN$9!pxT$~7Bs~*HU$^bv?$T8*%4Hq=hSy>csUOYHl zTG~S&A;N*l)fV?fS#@r~|&(f)whvffzIFbq0tpb&OEl7K{&1~ynvi0wWTY%HhJ-t}VY zB>;Pbt$gh2g~_ck|8N8)5f2+oAT~}Vg>JW&oCdO9R&XQb>4-O3x2JYL$=|2^!}>W_ zn=`sPTE9I;)C6|bY%0|4-I%GsH|;24L{(Xm5zgWdcuf^Nb#^>aSL=#CaJik&k^KUky+#HW$NZGgB64H-8s>z*+)GNr1t}NW@&d&2 zi8s$KZbdMLnzL5(8d+17cpZll48RvW(?kf+^)Jx&>UJkQ!JglM7G z&+(6)C(sO#gO!d3JLpY>y(&8uJM8MC0V{Z6?=kiDdX`_gmqehY^^!1KVG3o*-M zl!_o{)Jg$1Q`ScktRRn5oC#J$aXV@>1YWP?KaxORd5!|UFP+HQ0*KC7{G{6B z;{Bo4GBQdq$36^DaY1w#QNaTny<#zfzMjC#@kBZf3AOfPf%U&(MoAKyBf%786X@nLEO=kh!2En$!J`6+{pCxTu=5SjGZ`kxeHUV8b(a200a49@-?J21H4>pYV&(C&xLSFK z9HP?@KdGYHd!(Q>0f`shW|*8Whv-P8g$GWfl}v&p^EC`lR*njS5VQ^xg9X)X9MT3I zU2_)j+pUS}NLLU*1g5J!;PXcqS0~yz)4ROpFZzYF2Z#2M4!v?P#zlC#? z(9qYF;ohh7A{?Q{MtJS5a8gTxM9a?)6GrL^3+n%mfWc3g2IY zS&xQi_%I^)Z!Q9?q zbWB{7jbZM~T~#Vub)vCd1}f^x;dhXo%wfZ?Coyh~TO()RVVMEaKvNE`yqK z-9`0Dtk4C*#oz?Q4I}4okYIbM@mg~>^`9||_St*B1%t4`uc*C`E|Kv{-&61gurs`0 zxU9f^2={osPiJv3?H-9O8m5r5s(AB}f$|L$F*0YYO6fL9Rd8wb>TA&UztS1y5Xk2c zb@x;R1dZ}jfbA*2I{udLQ}&OK6>mWjr7%M z)#I`dSZa3{Q9c$^yx&(cgU~MZXee_bg(q0hYdaQ?MX^Q0SSb@)b&X&soVx7XJsmz$ z1t#1yEazObn%{rY5QgCRKzxl<^`*yk)y8ut!;wieums6@CK{j8>R2F{aSUMu%(?QE zZs#u&c7=1SduWrOl{J6Q9EYEIEHZ!q01wnxUV7({aFgcscga#AP!hk1qW-^)sO%?* zi8P<&(n!V2YfZ6dDbl`vq3+#i9OU(RWDpX#TDHNMVLLMW*wnd{fBXGSp!YpGI79mO zVQIDMbA)sHx9JBLm~s{Zi%pz34MM0;;PACV%8E99loI%RBbxKZr2n7XHxRl&u#8+j`LZ*xt(&>r506y z@CWEC8zRd8+x>jA=Io%A8_=;arPgtE?(+5<#!&9c?n{nrp~0m7C7X%KmPCj(Iaq0q zV}}BDPcgYKBn8y*Qob6Hml@f_)~B}=NjjUjOM`<`1#}qpZQeDh180z#TVi90X8Us( zj}|iaj$|z<4hVRLa8h?OfXzmI+5+&Xb-|O=Bru%Xx2!;y(^mq#1Y8F6F)10YO-9{U zHm^zSEw#=7$U6x_&ATrzN*V<%w_E2VCqjpFfQh78WPP^HHqn%rIZ4*@VQ;}TG}*c4 zi$T-=f@>Fauyk$Owplifbp$<_)X_ysjKNishkL6lYkgW>S|KYm-~@$<+m;IgYpzDaV_VqmN2zTNkc!mDF0GWCjf_DIk;}j_VzY9saR>R^q za-flF7UD1Qt9EL7W5hKL^h1NAZpCEkQ#b0Bou8#$(1|@kY6l<*K4bo~7W1W{`#%X4 zIy$*Zxh-Gc)>OtF>&*v0o2Lu%v(gI?WKFx@)&T~+o^kje0LFE6w}7el zz-2|JcZA_DV8v55NnyNh`cKx319|02m3RAjd1Y~T1UtzDt<=-zjbTTRVf%dALsM`f zodz%G!KolgAuN7*9K?D|w%^%Gu`mWLg@B9MF%XjMKkW{J8;)sX^yQ9zBtwQo!%aiO{=`=?qp~=svR6mJ0Y^7Cs8^Ph zmWU-&5H|#Y{Il7iOgRjjWz;blVoO_FO#!jdnsonYhPp!_nAQYkEjuxyODbJH8Ba?*YcaMaT{+gR? z)$@YFu@6L6%!qy&cy&8m+_|nB;2QU8vS%T9F2%V0tr!wAXWeH9UQ7f+_!xzH_dWyPJzN~u^BmHl1@0mLE|0y1l7I3!yI z09IeXJpI$`@CC^$np5iO!UcYLEH@9qiZzZ+{4slsU04=}8+qK)(8!K5zdaVy-@3{* z_4-ya04oijj|DhxzmYz;+O`V)9|DG?TitliHBEJJrE;%Ti1QVu?8f@D!m;v6O9n*0 zEIggLr#noZ|H>j3bGZ~F$S6}w%Ua0WJ((uFP?AE_4C03~e4$2}%I82d5(*ui%s)MG zavD++O<4$VJIT&9Ar}xznYTGcP1p9O%)B*@w6pbXD~Oq4Vk7kpjGl;ddAylw}@}dxm^qiZ_@;fzg1u}O23I9a5v!CdjmX7%Us+%SMa5BprEPZ2gs*hr& zZo8P!Z5A|VjR-M{pCbIlMxEik%9D^YQ?&8cl3_7kJb^RO+5uL(C$~fSL%rLJX;HF> zwUEntK#O{UaHJJOSVtZ*O6Qp5sHOF)iL;MdYBZxr`{|9H1WrqbG~h-GTI42=ahJ(7 zH`7ozJ>&}7%Jv=eKju#55=_2&`V&+-z*EEQjKEUC-G;z*uP+)rIvFodAf zcLHzDd4T^;Qoe{88Vg)BiOqA{p?2vb_m6Tt`ZEKARNkLSK%6cL^k*cxMC85Td1*1y z*qQ@<^o?Ly)aIiTBGRw5)WQP#s3hQByZdZw-s>xRw!$#qRE3xd1J|MYLm$mU$_Fci|p9OBo-NEZWD++&~nl-gZaYF@QtR zN#4I8=%ysN<&(QKGCueh27etX# zv`h{i(QvS)BmHG%uIAXpPbum`+1|~$Z>jk}oc(EFPC*9R#NDxZ_>S4|Oq$O?{Bb#i z9&65**(x8}*6+UeQq1I)=T-CW_q;IsXmx`g!G!L=(%Y}`u%xz{8TU`R$l%(Jru_&q z2u|m4`RD`r!=9H7q7(}XpJJ&1k5<&`X@^r$$cqXx^*#0rsuGw}#@jQj@>kErTo~M+ zM3SMb@n(Zl*xW>6AP)JPQ_lgXIN*6;I_p|Kb@DO)vn~%I=Tk)l(4}wQf*>kpg6C2G z&~RG;*H&VczFoA-rjhCw{t_I*H-l552^2q9-@a4mFna1p_ys(2QGWU#n-eh0e<3!= zh)5aFGiyMi<_2FQiEgpyd||KlDGxW?cHWUn+A1=S~JW#4o%2`amVioT=AHUS`uY4fgsgg{$Z^Q+@-zXC8 zcc62UMen__j239i=Am7y^xWw*Zy}n zlf!whO(Z7Xk?JhIJImC!)(8%WZ8-vsVo{KLQjqp@1$j*ao*{^$b@qvh{OTmLl}Ze- z9V57(w+Nj%kKX#x$ZoBT3XCk2WHq|)-X57dS2j;(G*_|@4viyv_m);c9-qc z|JBy7ajV{=qf9c5_6g_6Ajf+4)`YfJTjPwJBr(nR@81(kN_hEYnYi$vW0cRD zX+JrK011?BbNvjw97xB6NuDa5>Glhkp#k^}B@#vZq9gDsS8f|p9&v?$P+s|1K-f>+ zV{yvl$XEchgoJ^C?eGI5QELPsF3t0uutbaJA~S~!6E(0=guq5U{NrpXgR9CRt(B_I ziOnSlR|a?rX>1~S)W&~OLO}H~g5m2Zy+KaEO3J2S8`iV zz8s}b=;gvAaVf;+*Exv#AD`sCiRyI#yd{=bE*vSn<}sF0eNEI5gwN$rIbSHNeB^FK zl?M>@%k_|}A*vn#pb1QM;{^Ae>`fb8ZU8^sDa$v_%G_(iZA zgb(tnYO4!gB%Bkt$b1|hs3T-%%`iA8d3EvqCBLJF0DLM3y8v;q2>{7#uM_o0o&YFt z003fv{MY96h{iHfbO0#x1K;RH$Lfasm6a0d&vH3@u!M0T3UH3q%i}Q8az3^XnZsZ& zK6Qjh15cIk!+7fU?~O(@<}X2N1{3q}zKkPj|39jl#`j0^0s*dr@~7MY+6H3%BgFGl zw|LHn%Q0Po$6*b4n{oN!rj0YN5p#^pDxREGgs_ms+=q8Bs6zmAD z&?r2$jLwn5OEb9Ib@UyOrn?N;DI$ssurMhUKRoR%P;yN z2$Q*h*Ap72>L+Bg!@Yt6Bv=qXXbMNzJO514dKXxk+7n9!pjLgDl^Br|ulFel#rw#> zPey=66!OZS<3xM2NY9)#6h=pf0jC8-Uu`orr@pk-Ewix_B3RjB+E`t0tet2SGY??) z19LdalJiBZ$|rJrYCoLp<$Xx$Isx$L%7pGTs0!a0%P0$1COb`34E9FQteDimGs3Op zG=HC5P86^kXJZrTM8B+Y_`9|oSCxrF+MOd@XnI)fc#go9u=TT%EP|AX0?!fQoEy<+ z9&KJY=MZueq|r=*ypglm`Yoz&A}pD!&%{2XnT`VWI?BwdnDU@!qLJ*u6pJK)pk?Y^ z?G`Fz}NX)(O3WeKx7_A5Ao}(;sA1SOH`pK zyM+%pef%gz5vpK(J^YB($6OU%p>qNjxQ3NZuFQz4s&BbR!tcSh%jDfBkNfe#l4+{R z>?Ct2c;J3rU;4_8eXcY4OuVXSB+~9UtlvZT+8!L~l=@Y~gd+|=ijSn6=~uUwTiC@2 zYsz+h1eu@y_$|V}uPE!vuAjHhO`OaxJY!OQ?Y6kETd65a&W4i5KCW0KGmtRjT}CRo zE*H*?<#|=j7Gx|w1b9Qora2kc{Ky$3^a+}`kYpWMHom|d8Fm?uG@C?FkjDl$$hI@< zA;g(sqV?=jySp`i{Q6bGpM>K03*9Hj6fen2@A5v@mv#hEx67_~e+0VH-WO#kY}(X# za`^qb?RZM%oGlbz$wiL`KsYW|1h;dSi@l+9S=HHDpRw4i*u=pla@)~iG;(Gjb+bUL zPPL`*TxtKH!Fu^h;Y>W@L(-h(EClX43?S!pOEQ-@-*8n|>jzhbRQnXvQG6>caHmYg z7?0&k&2W+dbXmvPc;HQEX)18S)yS!I!tcIEF2;99s~(z8%oH>Cy|#o0eIV8e!}l*H zA4<)1{NspdoF0?4P}}aK%7+n%<<}->6Tk%b9Tor(Spg_5*fQJ&-8c#U^>F0OZD)O* zB@OnA)(flqzGZZl6u9S4S}w%w+$|*dYw}#p*rr${4~M++5gk#v2EI#YIb)Hoqt(lX z>y;pkubJV>S)cd%L0m#LBbYhSUo$V-bJ%7^SLFh4O8N8g<)-gWPnpmS?nAFF2YRs0 z*vrmM1@q}=d^x2CL!N5Yk-z*0cK(l@T*ec`4|vOS;dy*|{&y;R${SyNBx+{)__=#w zn+o*xA#0vakD9&##e}ra>DgK^{wo(3`C29Iws1)C&S#)N4ynv-FD?!qRKNeAS3kOi zopoGjE(m^hYb34|7EbA4cc-gs5NME@?vQrY>}OE%zF4(ZwY%|h^@?$HSH8SeCjdOF zEFXO~dR4yC)y{?ed0hOCcW|H8cBpC5YV}5Ty01g1K~Oc&J^4h(@AfRMWy=c5Okd9nANz16E*uI?ThZU(r&mqR<|C&rQf?0x(Jni-8m z*#~rfj2{TGp22jTq5AI*7n>-2#rj9PLvzJSq4h1WRO9Ss8#$Qs90c`Uf{MWmT|Zip zJ-{vx>??4Z#aj+w$yu;euEZm5n5f7jm{~Qni~`DsOThv#VgU<)dD!1IF18?DJq6GG3}GX5 z{%?NXF@lfPtjr`-NqPC)jfM*tgOKVXDil_SYN0_)p-oRCuk%)^chlg3MmqOHU9Kju zbm~8K6v4O!HB|&crB652v}l71tkOZSN(*9r#xj^Ko?XzLc|CN=%<=GoMrv;Xtr@IC zR`|fm4TLN%_Xmd>pTTZQiW!fid~B+o{N+UrDgpiE0*@)j2c^}a$rseV_rog0D=LTw zJ>+pr=#Oi6pU@ZXcLK3_r!wbOR_eZ}udlvoQ+8Iw;qKbnnjXXWhYu(d6O)uTLT=ZI z#^_DvcRuu#-`Gh9N&;(8!N*Pf*V3Yky*&ogeOuLYwt)C&MsY}<%!By`=d|sKUUTZqKXiT3Os_ z*F0|QEyYNm%F$;Dr2}LCY^d?xOYlr*bHPpOqH1*nHT8qp;5M|5hL) z{0rH$UXb+ToaZ|fW9VKvT(SU~E77xPOg~vzZE7HHH3Dgu>C|?-rXVlyjsl&LylKFX zC!8~9S56h~*a4M`KF+*Ck~KBBQIi+ib={JYPp&YNXLsvnLsf9MlxfM(4mNOX7M%$W zn$^XHPoeS&Cy*<+@?|juvF3B@#W~MCyu3OsPP`asgnu$SB4mmrjwE5r#_lxh3RzNN#9oia1 z2zXx~>A70b>-ACowpsh|02F_+8+5c8`5l`3=*yCC0ls$YuoQBL!^ z8&vH8@+moeLCs6~(TJzbOD)IZ`J(+m79*TeJBT$D+F#!Nz0)JsuQf@_xHtD8=0zoCXiP4u&5hT$-^`<$N|L4q^&uj;imb>*lEQI`%-0(9Z5 zbJbOpWXwv%ui4U|8Ls^ed-3*T5mP__sUSe00HR*0%mYmpmop!&)i6YSul<(pm^YSH z+fHYEG9Nb~%+b(dZ(-;vi(4Do?2Au4n2*+p41YbSpZ#hQ+Bhh_@vZNAx4)NS$WMAG zCDHKd&Eaf9-u%?MSD?x6wIVwz;06uq_q#0*Uyr273)x?kB|Wc)xaro3H0|Q8FUkx( z*lr&>7PATEpBH?HX{MIm_++^Pr7wdzoSH?FdN&U$(}|5|ZfXX#8ikuaMQ+A#K>?C+ z!(p*&aG~GReGqNqb=f7aaXa#ms!eI}&;?|i_XS;9zUKK}zkyLxLGlJN-m-_hIG2Ii z;XH}GpU4kZ`M#bBuVS#ig6VgpGfhd#>ld4L>4+YcBFGju0S~@_2pql=fWss^V&zXuHeltn9<11|hHSLz=o>oTAUQP|<8>1m_r8+0zg6AR z9vqMS(O5%GvMk{Ascf>(S+`kV zVWj6F*foWvX?~r2b#)Ty}qCztD|AH+c-Aftx)YAUu^n&(UGEiLZh~f;xISncTT}1^_NUxu|E3;vHIUYf=$3(zT>7N z1C`E1CuXR<5PeZ424^eXVy`N$xxUv~Ev4^BRQhcCiM zj_tc=P|5y$sjg2P5G_;2=JFecY+I@u|ZB>>UMSzq~Ok6 zS{oI$-1+Q%`GkacVaOn4VotYt(e!Q(#8xC=rVKVO?$o)oJYO|lNCqxrRiz|ZId5Eb zsI#ZK>znpM&boj%Mw`jihXFr^dtC62bVlx9@wB&6rYYANr;2vp4u>{+E!fsfI?iC! z&i%i8)UJIB%JY}{MY6qve|8o&`$OLI@ACmT0>J0J|AxCe{cg6h#5JA!uqPh!Y;{*P z7kc7Kfh%hE-*!bwh}JyQn<`c;^v!_t*!_Rh^A-8`f#n|$EFc#C;K2h>U0rM~9Qozx z)yKK{`S~kbw{M^LF*o;2GAo=IB+h=f7)l7atPs7M59qwt!P!l$*#baC?tSTxDFC;S{{?=001M&CH_>~|AUtho>g=BlpbFN1fGP^4 ze4y;OCk7M%|LFV+Zcze<$+Yy5>j&v)Hn00v&jbUsBI*ADtyo*6H67y=1n|f@G^qdM zQ7FN)h>KxP_cr%GjQDSGGCrhvs zks%uD{T_qEPi~yyD<{()2PG#xNir_` z^H+fJoN-W|9totm&=QuBipx_)lQb#xCUOF)LI5)3k0oXc{r{x)0@t%#gjt)*{fusuf5}3f3;viCe1~eNl zTXEDswFvy*qDw3f%?dA6tz;m1N|<`FM8n`P;mC858ZI&{8x||tOFeqhJ`A$KcgPp~ z&p>T|*3q>c4bMaNmH?z*cjba6sNV=7GT4ny8Q;0lJsJr$Hh6HSw^W}7yR8vRhe6u$ z5H0|pq?+#J4G`;lLT0#d)*wWUI8OLwU{h?Oa@2<8EvW7KwPO~MGP(%6Apl--_|t%b zI&Epf!r<0U*L`^jGLHA+H8vM1E`B87>NW^rF}FN}umY8Q0O&VrW%Wlu`7sa?W`!$( zJ!#3v!fxg7Ll74($j5Ubs#3#zz;PdYEUpcNAU~26ZBTGEKOs~&^A+qw%DL#ktk+Q6 zfRZESvN;?u$A<1U+@Jv!MA=~jP3AK-A&-PMp~kWLwybN812}^ann&%lAPNtYP<%we z0)*P_@qG9g#!RsU2}0-L6)j7s?UkX3PfWch@eEcSYXjwO{aUanjHRz?qE&^ui%+XU z9Eqz;8CU*v?X$( z<~$g|EC56yjOUoW%$=itU_YiV=*`M6huUU2$~qzK$YD{4u(?ix@ctb8^=enc?c(h3 z@2)_NEe1}L?PEnAri|n4+>eA0Qo|%T%HBBzM3Ii?gK&;AalIo|9@}z`a7;i;%vw?=)j2H@gO*W?*FJr7WE4X9m z?gf|x9!R;Mb-_$KyebT}9rEOfr6AHk!3@ru*2n}h-p4D?I?W7guJF`o`a_5#MdHTW zw{W-YnG!`{23u1kPXi+C5wNZocP?Hr)BGR4+@5||1fUQ*lxz*%5cK-yX_iI}zmF>H zZ$XwkJ9I%16gc?6QnqsT3e^RmeR;pmMm}5$xpS5~WDMv5P{#G`m(W`GW`OFWktXNQ zTCam*4G1x2Z;hr%mYB`dg{uDV1N7c{vh9YT|H|~_IE&Kln_0;zJm$XLLVjge!d&&=z1v#if}*|L&PwKh>P3?W#3&{fxkGW-XxUrh;lVo zv$eG$JMMyuItGWWV+@TvO<7be9Y$O#I;2O`0Xq6REp=cN^Rkrf;;WX@X$M6<#L^sVzw{s}Fo-qh< zZ0V>%b|k^c8C}%ODj>b04_USobbV&%#U9+jJEs48bLozjJGo$GU*g>mNBOt?$d23i z9w(T{Ko240S5KAUyx*m@avrX-`!TLDi1BFs*-EB9cAFV7iR=>I!BaY$VRnBTu4ES+*fSgXr@0JUVbBtWs)u3oB+m45mYP)I6cb5d4;wT+<*250 zD6z2G0kLkcFQM`}Hq7U|{ld+UFL_8Rm|k95GqEY$G29+7AjU_{pd7>gXQ=*s{TbHN zEJVZJxz$3d#5Kr{2!fxzzW3n>n=u6dW+-1ozQNq@HjFp2j&ram^^QjM0#s;5B0ptn?1v>#o zn(GwpXXYiUw?rQ90W68KBc}WEATSQ6iHceUt3Hlk;d}}HzvoMko1(OD!}II(e*>y! zFUo~^8%7%h7{gPfhN8A8G-qPP>B-;^pS53ck#th^mar6?NGw7riq?p-6J5Qku8#VQ z07Po}ha?BTC>aTu9bB{LL9uGial%3K)7T%*Fh|r*0q#X13S>HMVmB3R<&KmhFDl8@ z->&kRX|SXK_7C;)61N;zW3hfPhy#;Bao|4^A->W=$?`*Y21_!1i@=f)Br%M!wtG@j z{VV~XVCMgyn4S6G$|q3TXX+(^XXA+OZbJ}q5e4ygnl*~E^mWOVL6>MCWn8kNU0fSK4LT80xaAhw5X-C+0`G#z1lK%bj# z_pchhHts#mncxrGY)V$hEor!CBoC;fl_vb@-8P#PP~Z1w$D`PJs19x(M5{dpjcnh7 z^s$+DLOpjuT^t77RmcniuKCxz2lSzffRwjhwJwc;3K*;Djyr-bqvCZSW;g@xx=Wh} zpn3%et9F1O3j5{xvPf=lN5~4eH|V5v;udsC+X<)Rk6W;GE-pW3G-ZIWu@V?-9x zy#3ylZfY#xCyx;n)dVG796{0`q+ZdBK1NFdqQ#{xhh*%T$UDlT1r2;JYCj8}1zBY9 zf)99PWq_!P3|qf6>8a8fYz3pW>3Fo3m}diuyFr&IL073wi#2cG%Jl4(@BnpRUC>2& zQ2iHNILLqCXttXUT@U#Dlf|*^wR~wF5F*l=>6N2Qp*IVL&@}c2=+}r8 z21SZ>d#l-pclkho#RFVk*a7OM z1N_?_%6DQOrl|T9iSz^1A9JO=vZn2hUIsVc(XpdITr~@dq_+o7R9U`dOS=n7Kbt|= z^6nIu*|zHP7+@q1R4S+`9%1MYu4=Ld^8$5)P}md-dYEs5JBT`mkffO0eifm2hch4|ayGUMUZ*xMjF z2ttV}2H-Xx=4!X}3J}ffngw?<**7_J-Gm~<&<&0mocs}>Gv7pA68{Cnou!akg`Xhy z=VV?3);N7n3MgQ@05l^YtXtYk_Hg%>b~L*RyIB5v+;nR#qF7|lxmO6L#Y}r&Eyem z4JC~m*w4TcSU>-4!}V?b;8~&6*y;r-L>nu-1n-p#fGU1|p70lgsBE=KFDw+gzr@uX z*&c=XK%IWW#6;n|UHLe0G%FUKkI+%xjG2{eSulW{7AVQ1U2YyOk~@rv`Or!{FDv|R z-d72_z&SM`tj4=zmRdeGZ-feUMz!zrbk!%Qiq9V`xf#mPExF}$Dm12JbA2Q> zU`vH+MZ&*PFZp~a)Wt2;$&crc?O50h-Cv5N)NNVR&JFR8>0?X)nUXJ>3=W3jELjS+snV|7gcR-ZQYXuz%8PaN=HDh(bq{aNhte7 z0;sh$C7?x$a%a(4xkO?Lp3%A23*p-QFe_ny0(Jv&H8bkt4m zGf?ArGat%kKI%y`kk`VcT_Tm+y`z^9cL!+)?)w2cBEl626)GV5>wv-uu9-fqlpD~p^J{eI{B&NuA-%X;5uexK)luIs+9o0E0f@Qqe0J3cK@L0#>M=<7pE zA{jb!aDLdwgzrz>a`lWST&a*!VD7}$lRz`)m9LhWSwDsLd9CS}kDdDp%H-!(Qw{t> zQLKHOLbXjI1dvz2XXp$HcCv0X>siqw&v)Dehi!o@$r;0U;19Gb<|5b-d#2)iBUh*- zEgYcn?^t7zG@KejC*bM|jz;nPT&F#Lw26t9B?6E|UeC}n(s=>$L zZr7Lf?W0zZQw_)x_8`BmfMKLX;E~2IC1~w%>Bqp>LaxV7rf_^+T)x1zBo(gx4s0*9XbTrivo{59pG zX2uaYY&B0r_xXb}*AH+6%7z@Ms!^>sLY`DR8VC;9d8sr4liOBYI(7b8WwlXCqYw@P z-O%;nEX{d0{&vKIHR1jnYhrejp6XLPjTA&5oQ6Xu$eZQqcn#~NVQ4a zBYzgp1_Ea(aY*wvLcBw)RfaMEXJrLAZk-4{Zg&Oji@4nG`UB09=iI~?{Doe|O!?Tb zD7!p}+7EvhIvwXb+EfSCBcXNr6{Zl;5NZ2kS!IAOiofYrkl z*`0pH*AWG8idpK&&IRiS6Qf*xv|~pHh0jcy<}1Y5l7JlA24KeDr6+ma-)lpK1uhsZr7^!Txt{ZC z^HNh{U^l;}TK8$zFMsI9G5^A~8Y#sM+$Ox7!N*yfkz*lk4s2kV>UA<57fK)!f7{o7 z8|{qz>Z#twT!W!E)>P_nRaYY4J&<&JAIP< z8N=Bs2nJl>@Px*r@hDx``cFw>U4PbmX<2{-Jp} z_iMQaY{9EMuR!WI9uh;F>Jp!&GEcDPp(HaCHi#TRKHX>aOR+WADywHWF&j59fVsre zPL7QtPh!s_9d=vZMz8o*{Yf}F#cLyAvakni+i=RS9&ac7Zq?Z1~6Mv4TWJ!SJhNzB{``^F`f{bzx`c5p;>g&dxsuON_Z(4{B}RG+@zq z;6^cajW+>{>F)y@VJnzbl;-*b6#WxG$e+*u1E8pJ69_OaTC*1A2msLNUo=*|`xn%| z`1F;;mxeRlQ;ZqxYcN6u!uQ$%y>462V%qPbnKt2}gCMnOkWswjd0F>k729R;CUHQd zc7b7}b4Xy5s$?YD6z9|DGE$J6oUyI13c_Th5-eN^>9<-o@d@pRYq>ZI}6 z62RxDc)pr5?*BP3n2VIFPOHrvmsBQ4m;lp4z{+Ix!YhXZnZK>t^wWdh4FN?8V%Y)i zA{$!*c~q8(hf|1v&q38`Txu5Xis2no=|LhL`6r%KwSxz|^uA}NcQ@~SHp#7pdj%IJ zsP`2;CgYU>u`EQgYi!i3EB-D#*D^3CbMtE_Rp@jWFX@RYR$ja6B3y<9R^ID3A3FQu z@CT00lPF3#3hO8rS2AV$5(U$F0Hy@*g&vVRkwHIyM7?#KwJ=eJ-lk@!gRG$-Hx`U2 zVxhP^nk)vM1{)_O56Z6Hj0)UvF#fa$xH}m0Pk>t3VFt?J>=?dj)(wZbpRc{e)isUqE(rLA{cuGUJdZSbrp2=zOpZ^B` ziH_brL_>8q za?2BG&=@J#2k1v|-$k=Tet6Vk}0Hlt^l{gUXE#gl}I_**tg#&4@~iP z)+2BwgivC{TE0|{5oPHYPkKEi;pi9~j~})?xjUr(pB)HQ~%c@A5=TboZBh%AaXtNj4%S2{HMo=#z&@ATe4| z;5ahcnhGDoXpV$1YJVAj%r^G$hZyTBzcDDABV3<}<}>5R4ZpxsIK=t~ORLxo|#q zH9dWKa$Kb9-W?{&R&fyFB}afSFdfcVV32>DFcbh$Oy-ce$Nuv}rW^YK#lwIl*#scx zI>4fmJN1tKo^RR_GBY_Qm6*iY! zZSp(gvsWxWiu1W+_A%A7EBb4-mM`}^kH8q7?c3);W+x1Ujt=xvLDD!0U3OA;COJr1 zg>-M<&kx908pZ`h%7Qj#B-x|=bH|7tRk~eBKtUqs#E-$Pp(l1Gbt)FjST!^#!rqMn z$#1o-qysSp0EhiG-{!I}Yf|#nQc?&qBWyEcmh+TI5w6|2Yl&1z&xDjE-vkhZ@nXe0tD2CxZo z)TI+migE>tm<*HOo#Gx*8v}#mki6u5V)zV6Q5<64Z4YhEb`k`M`sIdjZ>$z+==F^q zpG{9mVh`^7CDQfTb)Qr5T$q_9bS2yl@2nkm?~; z#H8@9Y)A}_yRd@6>BQjlDsD97X}hFPwF#C#2E?8-Am@lPYDSP>%|xR@Ponxj63U|V ziks8b1*5`U5v-sq)-%$qkhWx{D!CK%AKAuZqEq5QL6ANeGOmttWMT53fD+l5Y0ZA4 zTry8rx?&>>!xU0nmmsw9>WiK!`7tl0Vu+*TR~hf{J*feQwh!o=HUnIxfRb)((0sVY z0qKywM+wJ}=IM<$5Fy!v0r&dq6wVhs2%=k-G2vvW7@nvS)5=0m5!WW8?s%Xqtf^h6zt$ z0>OO{<(dlKJ9Z&sw=$amqqCn;$DbUULm{_7;uWt7{`M5*M{5E~)b@oe0Fyq?cNjE* zoamk)n=XieeUAi3b)SGWBtP3&QMXKlzCJJCV%1&`V3+j%iUrSF6q-=)&W^oqY%(aC zK)SARf)L@Rc?@7hnO)~e1Ugg3q&ZIXCB;dfg)#LNW=FsiSW%7Zg1LuQf0(Ece=Zdy z9{|yxD9u((%Y!4WE;ruh&#dIP9-KxC1qW0Wh9Zl1qzO7eoO8%<+O$`MH*kdy03zNw zGmi3?(4Gz;?bw(&q6W>;k_P&Q7l06CFXqyvgG!^6;{;8h=VIi_^_`s8g!W!Qboazj z0*Ch7FMu^R)_6iR!?GpK!6I z-l!3jPuBxqHmkg!)^Ee;*#}Z9QAD;f!_gB-5WDJoy^^!c*d21J?7V;cS*oeZ%WVI0 zjf_(n0lm46tdm}cEX$+T&v=GF`5=^BscRT2MS@+X2wBQHIhs18Bvwoju{l!M zmICXU!C@0nq-DB=t*PG^BdL$C@-ZB~|H|v5QGOcc(9xWb0u!U@cZ6?KOuUJFg>E6N zI+~q7|5^}(3~ zYO0vH#yppU29L$1Iw6+D$?vR^JC7(62nDORlae-u4{f8rDBd6EviTf@>Y8Pm(CnpI zMg5(I(`7UQMZW$}Vh-LWHxW=LK_FFiJt9;mll}mUrU+7jUnNdL5}MsJo)gizUT%Ua zWkcKa34)Ac$(==?R!FS_{=#=Sl;M222wwq_q;aez^}Zqu21xXD-6gC(=U!?%Ob8&X zVcZsTyTIr>Tn{kxg|;C%?q~M_>-{{7h$oGMqpZ)T-Q3S)-lnLX*wD zScwzItLr1*GtQ|*%mT=4J=3c62k5l4zatm-y>WO|a2{e_?P-o~G^1wN2c*h6eB!8f zXCfA{&DHPGzVT4@(a^RSeaIy93FxBRL}3pBj;=XA2gb|fDE{3!6uqmfm7ZjEAEiXc zr?Dw9lc^}x>7ON>Sr;xjZ)UhM(*#{1I!Z-7Qu?OZ#bkpn)oypRn$8AtKmm~hVq6xa zRnglZb41omvyc1EA){mIfB;5kkKjRnlAvhlE{~`~uBj}2JQ2-v8 z+fnDA^9eCKxA-3c)hlsX+*k#dX@^zQ`5@5n6*uwE3cknk|1Cr0{ChtYBXe`}_rsuJ-qPA? zc}!yoD@e{g-Ju0oD#ov$P1?ADQhNfHRzCgO@F8qZ`P&e~XEKH}qL@?OBOS8_NcF+( zw0f#A9|QjL!ofKEPT=W3y!QT8(rIA6%#qbL=d~g)*><4+X_7PL z*ixk>LJ7#U%UeqhBgc}b{I7UR=ouP^Eefw=c{6>Bdt|?L;kUCLn$b!SWi9bO_s;IdclgMGUWw@66G6~adl`|`$ z6udK5sQ7Dx9Z-;gT}9?4f;_It?%0VMjlf<)u_YOP^R?3=CDF9^Sg8 zO%I-=U}L~;l6)2(T)VV#+(m~@-=FIW4GZE&ok-k_8rdO(bzxvD=S?mm`K=VQ3$a;p zr{Faaw!?#uqmvR=p0j`ohUBm!t4ri-bi&}*bgUCiV>@`EAbmE}l+Ens#n4$-B37vI zDsB@Z4E1L0y~~5F0b45u5d>x0y@PJan6)Mvk*% zT?l*}=?0ZguwhLJ$#RVohu8F((|)=BDlZxqY}(5`3z`R^DWETjb>e0)FB;ArSW^;c zJ7uA>!g#FEWyc%1(ZHKxP4O7D<%Hk-1h8h_$s~`W0i|NgOe*y)57a;?XAX?KTcJ4{ zfp{Yi`|*xiZXC4K9-AY>_LTkh@T4>^nxn!Syt(k8q6Ic)@fxWoP;XtZPWbacBWtUe z3!?KYQ3NUvp!P57E^ch?+Vzd7Lj{nU4C{p38a-&I(`l?J zmxp*wptH-cLbK~g#W*zZJXllgg4i3uvyfRkqq49B^? zo$%t9_1KSvX1!uCoYvSJwT$-I2*8u<*c{2o>K%j!<9V?$TYK_K7BqXv7W@1?01FGgGo=r`xiN(R+F6t8dyCvcRHAJuI7+O9Z zfsY=oM%1P4Qcn2XTWRSF|Ajd;TnwM4yR|a&cl4R7E!HtSU-b|@&U{awU67*haR&|0 zLP5{j1S!2=et`9`P>`ZUEkViWH6OO@u{ST8)eE`qzqZy}0G1BV$UxmMgf<2`^O9kCya8LH{?0rdCUb?!79ss%x;)lK$%` hhSds&cdLqqE(!2ns%UlTedi+hXQXGQTS#$=_zNJ|d2s*$ diff --git a/versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP1/Distributed.drawio b/versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP1/Distributed.drawio deleted file mode 100644 index f7c6fe79..00000000 --- a/versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP1/Distributed.drawio +++ /dev/null @@ -1 +0,0 @@ -7V3bcts2EP0aP8pDgPfH2ImbziRTt+m0zVMHpmCJMUUoFG1L/fqC4kUkAEoULwDkRC8WIBIkF2d3z+6C8JV5u9r+kqD18jOZ4+gKGvPtlfn+CtKPY9M/Wc8u7/FtM+9YJOE87wKHji/hf7joNIre53CON40DU0KiNFw3OwMSxzhIG30oSchr87BHEjWvukYLzHV8CVDE9/4dztNl3uvZxqH/Iw4Xy/LKwCh+eUDB0yIhz3FxvStoPu4/+c8rVI5VHL9Zojl5rXWZH67M24SQNP+22t7iKJNtKbb8vLuWX6v7TnCcdjkhWVoPJP5zF3/w/trOvG+vv70+z4rJe0HRMy4fw4noeDePhA5L5YmC/Afn+3N2pzcfcfSC0zBAh67s4dJd1DwuO3+22U/3O3oAgOtt/Qxnkf29R0kapiGJy6vS288vnP9eSK4aHFIhrrOvz6voLkEr+vXmdRmm+Ms6v89XClLat0xXEW0B+nU/QziTgUFb1SRkjYCswqD4HqEHHN1UU3pLIpLQn2ISZ9fYpAl5qvABise7Q6swymD/F07mKEZFd4FxkA2LonAR00ZAJwkn1RO94CTF29aJBBU8qNphssJpsqOHFCfMbLeAVKFywC0x+VpDcNm3rKHX9opOVGjNohr9gBz6pQDPGUACkEPSBif0OWkfHGEayyfzMqlWj2QaI4kUcCK1eJGajkikYASRrrboX/K79Qh+vYe77+Ef8RMBM4+TaECCp4SgYClDoJz0BDJuF6jFCNQ0O8oTGiPI055D4NsPc8+Yo0cAwMy0OJHhOfUDRZMk6ZIsSIyiD4dexnTUZDdHm+W+H3SwHNTE3YXZne5HwfH8Xea1souucZz3NH+v24+OZqZ1xrKHPDpfCY5QGr40naFI9PtT6a2jXe2ANQnjdFMb+T7rOMDAAoxaGdBvOqkzT6Bf8nsQn256LadXd7whz0mAi9MYQFVi6a+zrsCfDsTd4ZhPhKwL0H3DaborEICeU9LE5x50JcyCCG02mZ9rYBEcQ00upCOPWdAGOt4Cp0eOc8ZG4SCDypOdmkE1ADdTpVGlPGFNtTkTUuXQI/yYNTfUvobx4tO+9d50xrKeVhPHlsDBAyiwns5Uzsg5Krt2Dy9fdpUMVMgOuCh4QLZredg2fedhBji5MQT7bObckZJzBNt498OQ7HKm3Wm4jW0zXsbmEWaL6LdlTqWegLdesv1MC+Hp72T8SSgMxxkoN2yhquUYuZubjDP4nImgI6JohtahRmbVYsxqlcBR5pLKkPMtYb4U6uSgh23xmSTQlw9aRz3apJmNT5FGsIeedrA3j1ExzfMC0G6BnZS0gFieloCivcGYDXQN2oBeURu4mLCNtRXqozZwMWEbSy80kJ0ol6ModLv5GbqNgjIuza9B5OYp9zbjs1hJoRub7qVs4tqofWBzwKkp7UUEcmx6TD2hrQrkb0gDJqq/8PUSnk8r1IAKjXoHdWx2XQMVgAKuwerEoXLIhAd8dw3neBum/2R4vva8ovl137SL1vttgfZ9Y1dr3OMkpM+X+eWiNkmfNR8LOGW7NljWPIy2b+3qLXa8TurVllE/Hca4HVWw4fv5SS/7hmZc2KyxYzNoailNCkYymJHY2HhqNb/kDAS3MgFUpFBdDgL+IDkI2DUHAfXKQcCLyUFwpWMABSuZJHu3i8lCcMVjHaR3Mg8hbY3mzxLyVCVkv3Miwp0MZ9omIg4UtuSsX2vkVsxfB/goVXXnAxGRxeMuImHBEzZDoCxybXKZDdRPV/rj3pSUsuBKz9Jxb15GmoKiTD/g84mKywn9gK9f5GfysbRy0zJF5FcuwD8Z+Zn22GZo2PzwkbmmkV/1opk+oYt5PGzWKPCzWFOrgfD4qPln/fnC4z4AtAv7LNEKddYB/Zilh6PpmNOOrGsKU1H9AVg+g6neBQhQJR0lMXhLVIGIN4QCVhuXwr9TKqTvIm2fzKdYGr6f1vqiZKXxdkPhT6h7f822Or/VZnXU7IEqa9sN/Hjsy9tTKxmfHvoJlrPB4koCi8nSf8Pyr53Dx5WLHZ75o3V4nacX6ewFT9ch0chWM6badQSW2pVpqUvd11DXpGbj7dELwS3qw754LjspafPhnobJeMC9YK88Jeko8Uo1j+Oe5XL0UzGna0RTsu7JKwSA8WU+u8fKxLs4OKauxrd1lk/zEElvFtpmv7k7OdCe0Hjm4WNLtc8Onwiu7POMzn2WW9DGTHM1U19Q6QCmVDMtWgS0D9mv12WmcfZwiiHS50+bWjOCtNglU1WgVRMWFMXpk70U4vBxOi8spERYM2hoJy1tV64McMqSVqFwhQ/ZvNfhsww6FuNN/RahlHekcxKUyxSrz4G6auOFqtGtejEtKZS31o0tfPVlhTPTsBlEWdkrTwda6HQyX+fuZMc/QQHa9hvltrLzGmc0t7IbbQM6vjKSJd6Uswb2VU31rMG9JELP5l3U83lXSYJSiRmdPPdosablaKDb1VTyywfdPgH0uZaSf5rjhpJbBi3HTvLhaNNOqglF2bWxUs2keGNnTk7Vvs7ti9+02dfZZsEld19noUQhJ1EVlvSsFZ+MBTwZ0gqfu2AmdVIqPM4aaGQHTc7RV1tHXu45ENoMvxRuZjJZRNo+c5KWew4SHrcBgHLRqdkEY0TtFhSRhMf5KrUb8gost1bYY3WK1NnJNxdUNT181nuaEvi4hhf4ULn1UJvTOrcG3r++PYoy+BehDNLy4sO0wWTLtOq1QZMdPUdELOjKnZUittxtUpkVgr2sEKjZoNKSyTBDnSd1aEDUK43DRheGb9cBcvL4MhvZdrx7/PjBWZ+jIq9ZBmo4E7KlkqHgNUH+2tGpF1rVcw4otfwoliX//6mUqH/FJdzuZKI3cxlT/btycqX5EMGmlhdKNaESrtl5lod67l5GnjPC7P+QZIuaFjx+xkRmmw8ML8Jss2km9Ua73GjuMhIgvWz7iMor2q7uCEDHXzbB/vMJg90zcrzFWWIB6OHjVUwpHDqlw/SUf39Kx1QYYMtr6oN/qDoI7ctPFJm4zpnhiUycrdrECZLOGubZ9FO0Mu/3hnxD18SwWtdwZNe+KdatjVws8UTAtaQCF7414JYb2p0mNbZK5Ir23dMXuRy38UT/JmAk5NJmQrLtlw6uLUHr5Wcyx9kR/wM= \ No newline at end of file diff --git a/versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP1/Distributed.png b/versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP1/Distributed.png deleted file mode 100644 index d96ca216b2fe23de6ecacca6544f5b0d0ef86778..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 31547 zcmeFa2UOGBwmu4oieN#JBHacSS_nx%>AfQ$y$PWO0--mlBB&IxBhpj^l#ZYjX;OlU zfYLz(2~FuC0s#WN^$YHEJZGOX?!E8bcmLym$9C+YkgUGunrqJa&2Q}+7j)J3F>*4} z(9rDDP**mfp`pjq(9jk#>;j(@we_#k(Cq%|qhjjg7T}1%I?$YiD{cRDQe4a#=k0S6 zu6$Bl+~40{#NNx+Uj%~#zk#pZaP}BSjD!95*WzO0V!~oDVHoTp41N->0G9-RiNQrs z;^OAp40RS_a$ps7=)FxW}BBKS!gS&)7R{}p{F|H2aA2kQGD-NpS?QZJ<{!w!F!nt95 z-9R;zl!%xJTuK5Vf|B~<8&Kt+KR2{>wDrRL)(tdI2OnFf?Kzq|iYwW=I_WwE*(>_$ z8V0&~;xxAB=I7w$jlsEZ7lVn5AVgr>U-$%iIBb7v@8E|)gFeMi!d1Wu+hc5k?qj@ymG zjXmtq2ydjy1u>YTyS}=H$pvLIg!ly?mkT}@b-i@p>V7DgrmCW%i;AD%Kx@altf&%Kk>PGe+QW~zRZYl_GEh%SR2|c)q zj~n~~`lPs`zN52)zqX=|i=%>*D?;g_fr)|ysN||DW$WZ&ucE7Ds%)Z$aWcb6Xt~sQ!@ocgp`2_T+B2;OT$w|(LMm_6(EJcs2G`I zv1WR%L0V8>pkZh803Q{1aVd;G+!TCdBo(0NYKzql0z#ySfhjBaIEiV%UExm3CiXh2 zDvkjtCvz|+gr-T5x}T%3qPM-hBw7=c)iP6ZRMB%Z(Q`Bx_w$!Pt3$#NsOad5L92PV zp_~zh4j45_arGeZvA=tehk_&0&f5f3L}&oXQq))S(DMmWk~>QCvi6;9ajVM3nt2LeoE&0>Tcd(R}?RJ zz!eldkU>gVe=mJCZv`i9e|x7O4YZ*a%)=F~V&HAAfW_#djFHM3rYfptzFrs2;R+2XKfEJjE9P{ zEdp-jpx|cWYhtMFYh)CN!}+N=1}W$nX@CRn>@TijfHd=xz^IrgAPsO%hOQW8Z(AcX z37iTTs6AFM&cp;wloh4w~lXW@hU4M&j!3=7AW0e+d;kgbo6%rlO;XgaVj}k``P; zMO6~(s9}N*K%-O?{ro&|N=_)Wx|^ASii)N=&?1U@V&{err(ma2=CnSs9| zRtg*$RY?VJWdzz6p`eFyanUtFJ4m7({0&@;%u%*xYCvld;J*1lc1#o33!e9nINVI*BuTvnXWd|u@(;z)%Wu%`e7VRtMY^Z34 z^2VTbO~jS718x00T~PME%1Ao{RS8{FaRUhnaXmdyMHg#mrvo?fKsv*4$Uxm7Pai+5 zpNp*o9PNp43{n#Jzi5gygQLBJOpqFIW6-U(x}7ps3JINECr>?$DbB?Nu5O|Z^90{{ zcn3)+2RN$e`0MB>J9ryQ1}Y%kOpSfDz1_@%)R3y$3c3>BfoM-~vnXD$ceHcV^a;|} zvzIWC1h<%~p=5xcDa^sn6s~S4W^dL;q`CCLWvdJ>74YL9_X_or z0l)vc$>Ay$i<+f0H2gFg$_f_)tY^ROxpz|K{sK{cIrGTQi`?{_H_wTMKP8-+x@L4H zW;gokbk0Z*wXU?l3m_j|AB4ZA>|AD`W}|@ZfchO>?%ELy3Y)| zRs5@iZi~*vC*NMNnGAN4{qeEZ5Q)UPjS{#0*Kg85-^&-&{oEjV9liPj{23(XNQG65 zKZs>1m;^ zeIU=T5RNL?qt1OL{8o6`(u7-$qC>qH=!Axjhy5|Ehe+=kNd1kW^x(I6S1#e3D*SqN zUxG-;;i{=`Sg5-Qb9(2v?mMRoSfKW3BIs#{$_4m68R!)0hI*3ARvGW_X@J^e@UaZX zn>MpFjvs}7qR052(hX558kr zcs*3riYh!O$py{wF&pUlm3_>#^8frI@>jt8eq<&_^Y{B3rB zp<2qK#^^$QT4SREb<+3uEUX!u)t3+E?2OJYb1kfXU12li(Xg)}gLmn4G;RRg*IF8a$2@-psKE!y{FsQ!fgms zJ#975sKyuKgk+IoH>6ME1ePLVc!^vA=ZS9-u^L!#;HVZ>5 zH7M!%z;-Rp820580{a!IGN2vaTlV1)e%x62*2^L5mCD{I_L_w#+w4?7M$y3cTJ`6L zh&LBfCZ(N*0_RKGWk;?bzsYbmuc-dx25BE^kXcu9vu>jdb^A3 zYFYKH+sL=b1N#d@W?hrHqRAG8ik(8b;y6vQ;ke+mgD7JF1i*qA2NS=q>)9B+lA7Zz9~_)F^fCE!os4IFix|5-dqlW zOb zAMG;7K69(xSZ?(s%93BUh%n7x9$tTRc}Q++wSDAy#!W^!%E*BRXw{20*QQbFX_6BU z(T|FaZ9eSt(YtI;s^<-3 zdJPT%LNAWTqmH&UER5X1$1A(^LJtw2Pj(K#T3UI$-DwNPu-C-O*NAlRBl)5!Www7N z-B3>kfh}%gYeh6RzeRtv)qC93M?|5C7-T3_*D`;T|LkcrJ?Ws_hRA>>=aT`Qu>X5EehSnImcuvpPg{zHLI zoitjQxF$4uhY+%cpeB<3^O+z*@21Z1iH|k35BDwNQ8h4Z&FVyJ*xJu*IUd=cPYy&u zdSgc`0r!~@-x$Si{rty=zU{l=A;YsOeN=_mm1CcjBJM4*C0|$>x{Nc$RWH?-q%Gx5 z>?!IiUt4Vt;|(Ro+FX6rYyD_y9~Dv-K5C2(tyGlY{TTR(9B0_C)alxyv+ISvpi(oR`n$8#HNDd@h-eOHRCE zICLE`e1I*ib1C9L@MDZe{+qeV5uhF%NXq8HAEl9>2(jyCPN}Q}8+;tPIr(az&-w3< zBkRpw^Sh-(dBbWbO!c}oyK*=i^LZ({M5bF7qs5M zxA`f!3WlsF*jxx3JI>e7(WocgDENw(cwJ3GFFs@;k`F5@du0CZsL9pFiJpy>VLofp zqh5*OCa(0pnA)!Ru%oh}ipPf%n{AB4mP^vzYE(}Q`8OvR;A`plYDI;H4m7VXNVb&# zb?348UJ$iHAPOQ01esMl7jBSJPo7A|?JpY&awQ>7m254J`@Add;2 z@de-0ZJSByaqo8fw|})iPQSLMTAjjwn^~Rx`zRQTl*|_Q4XQbGAi^32jhj#9gAi3W zfpL>nWkQy@Z^)ZP$QGdH(p!3%KU2S&*%|bOWAvcMI)T7Q{on)BPhxyfpvtjhw*)?w zE#Wu3&4;8IspGbxtH#EG#jB0E*H0bQGp3)j@j+`Jr4B_b(uJ5q11{t{b_`k(AEn2M z+XMFeW57GteyUbi@g6+rEchuKYWU5dw*=MP3ZoC|1%p`FJS+&O+NaK{Ej?}4&e+Ts7Tkv|X;qa>Hl$93 z`MJeoQC!z_8=c9#%B75WB;%mm<@ZPu)l~bQD?gvcG41;FA^Wz8cbZNDZ*Wg?7wr++ zp5(aW8Pxd!MJ|v2XpsI(y)iH?s9JH{8)1H^7QUn!xLxEzElqs!n)kcC+nqiH=JC0v zaCs@(9t$bgW7{U~t!X{dba+)h)R?^yhLy!+&h^?1M4Cuv^-@5??45)l?*Nx(mhLl^6p)1Fn8G2mb9 zyt%K?&pIhNJgf7 zjwSVocY5cMRRd7#lzVK6H`IpgxsU9OI1DsM%$*I`*n8RC68JGMd6^b7mpJ86iHl3k z&tO?NA>fe)u;IaV=hF(&5=JJjx`cM!yh@2KkQ*0H)EE&Z2r(bD~s;rNG^`=2{W zX~o}umk^z^`A`D?GhXF*(I;i8rrpQoX4Q!y!HM>gdYm>cgit*u$CFs6gQt9)pI7N1Mm84|i)yLG7jKZ`z(QEjp2Th%y zrVt`;r~5q%cttuBBC&cJ+Lo&KlH!bXr|I&_4xd~{zq=c<-#PC6czDo*k}i%L6zAtt z2^whaVN(e@CY^hR!D3+J4*#|%f8IFScvuDZg?6t8oX2nT?K9edVd8#p#j0LFa; zfNJQ#Z9;cj?$6I-*`?*$(u)G4?@lp1V<;LjxHpq1LbU$`F68|Q(sPCIC1U}tLEJsh*D(Y)9{qOX`^EwVWkDhtIebw- z7>JR_Ohpe*lcOqPuaPEPWo)L&O-y+n^1)1zOi{;iinsPg%3lEzL96kN+0|*9Om{Vv zw?4UWDL8-Bzmj98$bK7I<;bJXajdFk)~9-iOy2AVCR=-hYI=yV?4~2(WVT)GjA}zy z`H$=ZL8TrGx;u48d)j)4I~mT)Tt(STubMZ{`@k42xohaI?^622aW>Aq`a<3)`-BK@ z+jcMPqDA$zMB%+6hi_KxQ4rrtw+Dy_{fP*rywvDA5QA9jb!C4+Y| z?~4YJCyuW{PfVLdKUztrZ1*B+eJN@O!Ggo`6n7xY6?+c)L*SI`QK!3RdfuX$oqy&h z^H6a9q$^KtXVWPUPckDv=UxSLo>=9QV)0Fzhi?KTw|lXvs$<;USSD6}L2^-m{=FE( z2_Q3vZqe^A_IrI(RKD-W(W+JR_TF=$*|GZH2n($85*%0XrnWxQQFc7FV*W&rU%doG zu)l8-@|P;i{-HiFX~hZAiYW}^rh&sXVf)~oDFvtqmM7H z|K7vYbS~6(jxh487b4wRZsy_oZ;B)Dl9^95@ZaJGnnV7OWaB{pxf&YV>}w0#Tbe4O z8WG!ILi70&11CD_b3S{FFQtC4sUdK?7s5_sN&cFsw^8-CQAgFI6+l37=|T7jkL#~W ze1mE0bq|beZ|QlfI6C%gg)~p!GE3kYGc5i$3QoxX4~OhOuW=(+3&JU-EeC#6%Na0% zQB&+a5z$f*8Was)ZL!%8g+?Zq$lulEI3eHGqkfOz^>QBHF8vV@KdI;okYev1r;L5n znjYk=Hkb~6Xf}0@OqrD9gCb`8xOB&dT|Xu;Dmz5p`4vp73(7qnV%26i6{0c~qU54l z9;SPLYRJ>7U{b;Sg|Dpkd0!rnEotpLVK(N#(se+59*|R@qT>&F4DJxysvIxsyV$;a8ySj{gYoD&wSFa3l zA^R>xLeA>7rCuAkk1O??8}nguRUi`JhBtG#Z&dHu%)?HYTnGcc@zvg{354wzx3Yau z477Zy$09i_wzmmab>=L=Eb&WJ5bwoo;v0%x>jp6)Y;SS#QWmQEG!(kC$!eQ4KTw?H z`}4EfwcNs*bB$aPvt`4w+#pUlvQ!urQaS8rET z&c#0+@6JlA2;;S6H(&i>eR6p^#yQUDfnI(To7_P8_yY^1PI0!}#*Y!!!T=RgmTZk} zf?mEf;a~y-h)aqlqb!r%D>3CiJG2^r)6UB#Y~EG%d27m~ma|QAG;TsCG}vwi^5&=W z%dE*i^uh)t+J`6;DAZ)=lwta#GT8E%pq$i9#bla}5+T-xVkb%d7MYx&VeQ*(q;q_v zo=Ft@2wiMeG+(oh>{SMPeN5yNhgSaNeXy{XQt<+PAYjI|U-DbH2UzVW6o_Ezu#jsv zr)wRjq>(wh@~?sL`6v{F-D6_usZz4bE@QQ{Q`dEq+yq5dionjGT!jmg6nw)*<5AH- zl0T2khizTXKz^6ZXZ$pPD=kR$#Kh_EV7SM2DP2fd)?7MYI&%mI&Oq2u=_1_xmCu%t zaA8-_#AZ^^+~yffSd;{QAUP@RNyS0DV2OMANVH=p@y7$OMyG=bEa}dhD`>v;zJ>dR z!I_u`P0>cdK_@o{11D2QY!6&ECE+*nO4=S_I2yy=jNUw755*ft2~vV-0e0ozpT3(rKMG3)U$8B@-Uo##Ee5dp%u+5#OdHBITAae)(Kpeg`xHO>btDkFH z)*yfi9(fWB6FsY&@O_UfZ7N~N@8!2y#Kx5KDb7}+qnk?MRr-4v?y+2|zF*RIDo!fLY&9`EqVL4?cP@J!`eUJ(R5moQrk|JTEu`6XoQqCX^d| z@o{|FaeT!oo2MKo>V2g2Ey~1jIw@sR!e($QQ#9no>N`gY*#R5c6y5i8>#OZG9>)UF zv=R`0Lv8V<^Jc($ZY*L$4)!c@rz>(_%r2g@+i1?NvfHsNGasne+4TrST(@MMWg15z z{J~@DMK)5T{qhj$ksvI)R(A24MEAIT=L!(Pggxe~8hhJqk2BsX zJ2)b_FXA9DDvm!slJfMv;9R=Hofr4{l5(eqPMKT3SOO3P1@Yv5`kawnZNYV*MOVAb zonLU-V&$7q6rjO+AKXsgQ%A+=2)zPV|bA>F%8YNWSzb4h!LWY5y$CFa^4qM>o(yewgUK-eZm??O?}wp$d3*xXft>aJ_~PNM&6OPqotm}Aq0kZ8Ix0W(oSy!}o}!@-W|PVtA6Qn}rOeE{ z3XDVT3koi0I0t6-z*oR7R+gPvECh3|vHg574^>aj9I?O_tB|Vgh@Bu9tA@7s&5~Q4yT851K`To)HZ4&!;yF+ zg&d+yeE*2-`I_ALQTP08mjstxUcmlgm~kn+N~Bq@cV4rC@7iKwZPjYzVW2FmNctn> zFU91~@B1D zqMElRP_;(_26J)?&OBnD#bgQ>!s>$eOB{8O}7&sTiVAJyfRID z!PL7->}C8NggDVw@0AI@rnsxcQiu%`GJ(aKc)pR47$-+cYR7KcSyT3BlG!N)8^Yz! zvDRI|d%^$$)^I>hx-mf!U;ANY;hJ0(#c-^tl0ApX7wssa#U{0D-8wRD1*E=@ zoTa=E0BpAlN69!;?8z->Oqp?#d$Y=0O+GRHxH4hicQU|G4v(X1i1Cg*A79B5JUQjS z^-^w(w>$>6e%EhXZ|H)KTX*8zBenGACy=&}8}KC|vv#W^v3OGx@!J7B=3KUR0VNFt z{~Jx&ZG?H6MRdY^kav>lgoNXg8&g~I6Ll`a+0Oy}R6T6hFb(Dd{6*Csz+ zrF}VP#-kUSH%20KaI}zIL;NW3E>h^$^}`7M?mA%#o2Sr?wKI}17%WQea@8NX03Tjt zO*XPGlMj9XfM(mzbJ06jApfZ0%+tBB72|eaC)fAgcgt$*?*w)MtNHBRlXECl?}^Po z3Dj)Kb0;_3FT_Brq9s1Wx%guJaaHMd$f4l7oxeJLR|2ov-Fd#fGA(a(`n@08KKRY; zYp+cdh6Z9hrRg%5iiT9nT)ne^?My)$mn4jD240l*7CU>QgSi=q7?AGkV+`mbXN+h+LenS5>g z;1)?OwI?tE;dA!Ve|Z;wxuyRn-O|y~QClxBud(M$>>_((*+qF*DcjjEu*KCB$=dL; z_*+49D=`bk?IG_40;jbElGOGAFJ9b?5SkHJVsscceLd)PPN}$Ob+`8sqm5JlwHVh& z|D9vmR-p^O1;XNCN1E+2iay2YCmg;`DMdH@6{q?uIQc&ioUA9410JTN9Ok+Ec8ngt z-Sv%)R|mso_-+Kv`CWN2=|1W7soPV@_&*b)KAy3c`CIhuj_-GAmIkx2%l;x=m@w~_ zkCniqo3_?n^HAwB;(PgyJ8S22CzmI?KrR!){sqC+{&=2bpyir4T^C$MKa$4RT!}}NHj_0{CcbhXwu?{YeH9(D|ok>N~Y)x7YmwOABqh zE7#Sek8y`lh^f`GB6}lF)p7Yw(L{IwtIDe3juPEwAqYDHD+=;3~efJqK6Xr&LsF=%c~4kfF@XeE3^bD!boX zFS}Fps)sJ|ao&i(%gmt>zJxr)C3tj!pISj^4}BiUw>5JLCs!YW$}d~9O5A;65FYaU zL#gNI`yfr?j1G6=*VEL}sb|zh@R>C6utbbghdEtU5vjhw$RaLQK8I%gLeAmlqqjus zf?81a^z^1`gK{N|%tdUEVUDS^gcZ$jc0cRB%SNBHvovX!pPcE$tC*Ytv0@2NOTTPt zY5yGl3XVjO31XR*s^Pk4p}vjjjjy3^bFo{!0GD4!qi28WA*l4=iz{PxmW-b`yp#L{ z@=w+=ofn-kf7MjZ@QktOK&GZAH{B{&_+TYf`EcLH4R|gMtt(jbo+JFBh4cZolTpNh2Q;EHRYk7dY@^3+ovD+( zcc#gcVGMYbi~EkyQkO7~?ym*^Yr#`BwDt&@m!9GVd9c(ZX8>wAJ+!{i%zGKzhpXMF ze{zkNa~b4szVPUdi_}8AAShl2Dk6?o;Qnb}Q#^V*+CG99;sQMbKP74QECa%CwI}K z9q&s$^mXY2GUiTv)-GWIvaS0pBKEm<_5 z4rssv6wR~whliF5{G&jyYmji~+(DK^sI~{B&aP=VeQ>19L&1aSOhoEJ2!neXGZ*V8 z7IRqvzUwwszEHr>I6Nl}(vc7NgJkZHC-bWoKa50kxqGaZ_DRr*SiQJV(2z`n>#BB0 zSv3cWNNDMXRSC_?4R5CdiH~w0xfYs%VYT*;4xB$OwqAA~1R75Wm-}QXS1_y5Rq6ZR z!)CdN)CIxyXxT3mL)8QiB*w%((ke6t)n2_At$%akk81F8pBI`HY@(pr${ox^|4x8( zv%joEbe)05oz#%o6Ejii3UryV_j38N?jA7i###ZEEym2rc{Yo4r^|hEv@1AvL%rUz z&*}qdY!*%iZ=)_!tKVqI?6@-V^6%4zs?UI3fD*ucHon?vP3}xAFgnxQ=}$ZKd_|_= zW1$w<1rdix*BAQGE|f%T#dm*1^a_D|j8m7leRTt8iLi!0NGrpQNiaHw=Sqv6dF`mG;0;03WS-BIy|RvMmH{Rar9Fy12N+3~=a&b7dSH*_@Z4 zEK(p|#V)3RFE&-Ji34hN1^`6PPT&g-q)UmXp);o&T6Rj~V97awi#pzjgzpXQcp3*t zAD!THb{r|Q<6zO@OV#5)Mz7hV(KsCs4}TC|wvmK?c;RH=S?;4qPISjDsCWxQz?byu z*2FvivVBgp;{CCFkE?yoaT-eEfC2J}!@|9S{FUJ%9Ua4A=5L##2ad>57U`jpmeNYqsPqe)>J@aFjDmu<6TpmU{x3&13*dVGG4hSvsT6JGGwb9zo?^Lng zWaf&8Vbt+}d&7yAz?<%5ILrbXPT>6C&~T*(FTfq5T?;A%q}M(tus!;`V0-iYT)9UR ztI1VET`33hTcw*t%Pna%I{=BvX=l}}=+MNM{`%2+OWr8)F9cmXL9{t*h%|0APy@OMCi4u(Hg`AbbV@wMUV~gfO{{ zpPk9Mmp>S$9g-#9(7TH0wS-eZ>ia%i@F-WqeCW!XA|jsanrQF{lP#1~T4K{Tyi&6g z1>wabGbQcro9hq(MRxIa!c~Y@Ls{#s-H!`wv8adGBgO#mU3hXJsAfOl5g0>g=N;2T^)lc5!V!Yk8q(At^CZqXNNbJ%Nii8vJGHcML;*bHs)z6^kvos z45`Fzx%V~e(yoMq^ICN=j?lb8Iz-Z^EQ;g%8Th}c0GU$+GWSyLbPBv(8qOU!cH7p@ z?if`I0|+@7K&|k4LQ`zAYENdOH7BI17jjIhb5^g99aQ5!n6_|L@M`1%S;?95(VMNX zVF18FV7*u;pcdpD0OX00J6a-pT=R-msoH)TV51X#0mqA1Cz7x2I3O)n1t3M-Bdi|a zCN&g>F6B;OUIOH_a1~cPvJ9{gsYa;~faWqr7LY!iE!@jTuG{@6t1m0rozt2aV zFG-)#Y2~Xw?vX9HhD^L!A$E#s$WnL1G{|7cqJ0g)Qd=7UCf>U~TV_KZ=&k9YtXSZx zU#-p)-xpBXCE-ni4Fnb&;*AnOZpwPk8rB1HCKA)tyXiplvEBO>AUoP+_+^yvu4*P;T}8#BjURWXeQJLdXnyWVakyfppj+ zIlV9L^7@zIAqj?6DEs-@PSyVO%)%#Q0YeiO9S=+ygg{0^OYRMQN_p7kHITj#_zIe? zSZ&>@b???JpnhJWG)J(2a08K;TsZYg!qT=Vlh**v#ciS%qDA4-m}B`2Fqau99=F57V+GTM*yiU-#L?CT)do zu1;Rtv0suucq!M$O_nhbbco;!sRBf{NAr8X06NtpK%!uA5KQqd4l2czC3+9O9a#N6l0L<=ka!EVP0>58ApS-_r#6jANW47&P}3|3B$YD(uFR!d8e@y0N%y~xi971 z%Aj|0b`u1=XPL3J^Z29^(RYc%qlo78*YU+ZAmMVssK*h+fMe12+cjN;kAC&luuf%4NrW=|(%p?Qw9tSAQccL|itXb!!cc zHE$AZTK?)kynDmw19`X%5Mi?Ru+@gmOyw53Z=P|WNREvH;+oVJ__3`}(wNe6kJz%1 z&4u>NAyUXDr*R-xW@7XKv1JS72z;3+yoj&W4J5UqP&PmLxV+EL6e*DowkYkFvTvLI zxN+)aLO2sE9~gCA6;+t-0=526!nDeGrz&R@@J`haf@$dc3LO+I9*n zO(z?}ISG-5fl1W=CD?m9l63GL@ZiV4f9BBo4Co^&Hvk7l-n{M$AO^#pFfJNPy7dDR zNj^t2Fr@Bn*UFr_>dDLjQk#)619!X^l83=zs9Ga{ec-U7S~u9A=7FD*h8VN=aV3P8 zK^$CYAg|>vCl~rui}3;`ttrl}^nnap?OW(_?q&m4ntU47N;9>t{+KeG?=b+T7yuEB zX=pLq8>rdKGuP}Pg;yh4g;qku=;Z&+291UGFT{|7;+dKCaqi;$H zfanrJrx?l>fD)>vdiBrH6sl!DyAcVvEw%`cnd0W?jpZ+*(hGGvj?U?T3$-_r(|*RJ zfqvB=@RsUSe_6I|RLl0)5_pEyfI7*7jagiFKwasv_=9TuQ9}V4YlwS$>!$TJ-0T9u z^{}rnyu5uVnAF-DaW=oS12haQM@Nzt<2J9d^5nPKrFdY&Z~Q)V!Y1WqVzp2Tl!G#K zdEO{NjY?XLSlwxC>DjbEV6T--37klhz@K6R1AH7wH?+nDG<3`-$WDhrB=5%}V#6$G z*Zfz;)^ZileB`5k)nk3} zTfIvK8%edAFWPiz=q(vMwoqY@R&(!(JfOX+OcTM&_)EeYhZxna$3qt^t#8EY@?;Jjj5tj`qjE}H}Jr{v{-30Ri16(NhE&a=F&+p|2hxhM)+na5LmBY?V3%tNA;~g_5E~R_p03XgC z8Yw2u;XYG5?5OPa0fdx(ZiKiP9m7Z9k=i^nOh_+11+)qco%psE5ch3JoM(~(3F{2} z{KDUsqO1mP69EC*jJiDgz6lC{2!K{DZu@j=e+74-7syMe>hWo&H>Jm+*5YA5IKkAk z)?v_d29HmIJ;?$}Q{!I`8{)P-FySSSQ$6+nu=u~3Wy_trzpF#)O=Tp?Psb0;zWiN% zgkALL!Dy+xELV5MU)9ETgFs z_K(i_FBSIpVT&aId#O-*p@jq)9slgh|Ec)DnPuWh!OKt};+OuVS{b?4^7Qf`ifq2G z$mYdoNErBUZEw*7BN3po$lE86WnrzpVAlt5*2Ip3Vc*u3`4#(Mcn3u@Fmdm@_Sw{k z{%M{O4pf5z5&kF9QbKFLyG_+77}`S7nU0%KXhZ`4%oQkeq1k4tVEtqK%eb`laNF5&*7Fo75{g$)Y4rxmQ=)UZ$D&RRkxZ{hciHu`-<~Ytw9DP4D$TjTO^cg z2{bQpTZaokXJX$ypiwSCD&kmb5apT5kpn=oZUNZ=*4^C~Ts6Tqf1YOx^)h#*`Lk%@ zAKp4n-Omm>Yn#4I9;h`C3F-w$%xoZmDp3RQ88M(!_2F2X71g%+pWQu(4OrCJB6ng4G0 z`EtuML$XJ~!zTCPo(Hc(qdNDzyRc`vt;JZz>2A7TMLjjAC4UjkT2?yWvC`fW#heBH zFX!C*eQbeYcPMU%zr2|WoJ^h z37=AnST+$$4q)g@FRr4|Xb=Lk8zV`1hSKI%zWl(nggt2^P+%lu(IlKvi9L)Xz48(e zq0@&h!rjKy^OryEWYK;9{y&sFN8SvqV6N}#>blqMdy%g<$0Ls*^3^O~Hi9QL+&5IK z#1tZNVdguCdBOSM%sAM*J|tM+M7_HU@+o(bF5Cu+jSO4b-XuRf`Z@&cRr`(7IE&zqIXrM5U;I)-v13!J-bP_erc`^YS zZ?Hy-$W4cFSJvJ$fTMbKET6IYjELxrVieq-W18|HY5dM9s8O4NH$Ku(@0lU}iTRB; zrp>6z+V!klZuv}S2dl(NK+mc$Tx%{}>%2u%Nsd!)c~6@(>_HN3Zhdh~3)5xCwQ{4xj%B@dBIp&!4+>ztG4sS0dnd?N+o{64L_Qyy|CZZmGjv)A!D`LB%t<-<-Qi zEiS##`0!Sh(THi&c$C$1kLbPV)M4?GF_d*?YCgfNyTr&6*JeyQDMI%EQf(OO2q9{;gop%E&eM4D94QIq4Mk0IU%y)U?8e`A=j&E)? z#%+x%`~W^$oT~fKentd@@Rsfbz4i??EHs>wgo-D6%}hyBi!au(pcNOlcirzv{Somv z-_VwicZLJ*`@N2FGHN&Wtd_E9O)O_HrCwqAkRW+&30Wz4Cpb~(vRP4DVkDg#^g70M z_9F{A=}6HT?%eXKA}2O&!jGO+oht3(hCIMhwAuSIV+SN_uQVgeR?VeY*g*yWh%@eh zb_MdywWj((@oL={qtxObigQOzq2eEQ=*8`MZ?P>uQH)OS#HgDWI%+h~eLyb6KD4Xfr0}P4%BCcm>ysb8xJKj?Q9znwi**Y>P=0 zQM_q?2_#*xcQ^OjQ>AO)(1h!_wk7>j$PC+`N1bzuiRcR_P<-iJ=1pqx)6E4p(bVDx zqyb`pGm`uxsnqNjOcgLjYNlq?HNKnlCQ#^%eI4$zPxWioXj?)HW})iaf9h9H&LF}Q z-W}Ssp&B|@DSgGr$}H(ZyYZp}!5m1*pm=)b!$Ws{C@Zi&uXym^lx*29A$=>R*gh0wz%c6+B4+oV+A6O*t7n z^jb|lL>~M34C3!qtyItNQ{(ZyNN%y&JOl-$pG-dE6|)JQ13~(Qr1oF|2+erWki=K! z{P}4S0Cb^<^m9w5C25pvau9e8tfT?3QqmThdOWHDFlmn65zVETHnA#j z*)rouJQ3FonVA7iXI#H$%A~>9drKPO4cH~!1yAr{00xe8C>&5HJH_FR~jy^iX=wpfCxp zQ4g?Cqzq9RZ_l=r*z80k3!QMN!#zUhj^!u6k0)q715MlQ9v4SE!-y>^f|VkYiJ>Qp`txRq%pgm zumruFWs_x402U|<_PU<&>~kbO%jQ#p)Wk#l8D!Ib5MRc>c#sY~$TkCjj**Dnyv{uz ztuN1>9N^DLBTY#m@ipsT=cA#Qn{+gqUM)cZ63U!^Ez4G+B9rqNhvtz46+nL zaIOkUkL=OOn1Uq)YLoQq`T}Bb_|f>f+iJZ1!AW7kjAugQrsLpk3=qYRr2m0Rx!c;P z-C`eFZS#+Y-iT}6y4hMpp69|)E5BNc<{CKX{{UYT{h&LX_xLKzG4DE-^;WEPufP zd?eZZ`d9CEnN~y|pnHyh$Aq{~&p!}sng&l_B`0f{VlwY5bJ=&12B+Qc1>Ib|G5rIa z9Z$)nE<+Vf)w6O9B5h~pil#f({BfjiFMG>h?GzT%Yn9#C;^Jur{TG2g`7+EV@LELJ);In*yY>6@qcL zcnQtZ?%?<P$2^TjJ@bWEPuG)K}AJ!Fyq0;4!&|T1rdpRfrw8xEjJOr}U zDg44|E`2hGEx%H|@Z(E0-S)%;1INlN`;#CmP>gh}w3 zld_**b?Tmv0~ zw0X>zE^vO6JeoXVKrywakkORd$O7*l^Bh{MZ7?v`$HM{nAXjAs0FfW^1{brN<#feD zzP^%%P2{KPou4gTczYnU2qWDrcs?_}-++rmY1Hze(F4Zt-+sP2Kj2p0{a1!;zH`N6Hcq^aJDy?b) z*;|)`?+79BcBDz3`2aQQ^NHYTvAKzqzE3fHH>7_&yIT*D+k)>wdcvIq`$%py!NxTu z=;O0L5%hxXu(86gA4*#$?svR| zvDNAcZT=iTe~22jJU?bP+r7wxPMeaF9S{5#u^Z`%2;Kd7ETJb9KEs($*#AZ(KWqhQ zBdms3*?#Io87*Y=zHUbWFDL1 zAFQ=uLdYya;&8KIn@A0rFtODnSm%hsLr*G7Z1L9a77Bg42~e^DiF)Y0#EIBtw31K_ z8IS*{ug23IECCPgHKLpi*0OP;=w{8n{!$<%xaso*hP29|7^N~N3tC(l>035^F(DEIaT{KfCF#WL6|!+o^L5G%oo1dIDhOic$qCJwPtmZ#VW&! z(vtd$0%d}MFh8&D+bcWIBx=h{c9U)hru7A1lnQP1UDm78PY9DZx}pY`BUvRI4O$lJ zx3BzDnBq}y>jt1JY89TDOMgRMgR0($f)pK)FvRjm^p;|x=MW;+JM{Cq(hFu4ZedZDJk5mQ=|TF;3=^G zUegXT$Ea2*aOhgcMt{=M0UI}!12WY`XRXeq0cT>cqh_Y%@8OGA_tT9mmoYyWA6=II z*RD_EP~zX3{ckmPJ4u=UC12?=?19Y=uwxmpLu_Z!|A zr`!PJB`j<206^r$;g^ggjXeWx+l3xBcIK0k1Cs2nnE^MshQnTM_shjsF|PM_{geA` z>O&KgKc2hu^hZ zC8`zWoIT6(53b+B2Gtpbys)K8c&Ab851@T=e%C(ddD?$#>$z`j4p38Y<7Ng>Fzxq( zkeY&mEM4Z3udMwYD|4h$L0p#g_qZ%3&g=$DZwUx1tDNfv-b&Edj@9X@0ML@-?=5Me zwN0z2BZ}(m?H_rk_onL`_0cKg)#4b7fkgbnzn?yx$nfHGzGusi=(|K<_4CuB)r;0A+LkUXY$-E}x zCClkeX%}R5tN%s8HYIsQ5Hig+&E;F+3JmO({W2A*blKW`)Ue(BrTFMCcw?%QWF>M{ z3<3U3NzS#Cj3wt-_5*UKV{vQGV z-{4DufPV=B{@;P7{VUY){|K7)ufex}hZ#OdnfWcD=08qj07yDvJF!Ej4j}2Ar*<3% z34v5?y+qcCh4RAr`5}=7P`V*1c(vxwsNn-v2)^#6`7=-pQUKJb=;*VZAO%3{{C1Z4 z-2!m`mz45RGXSWm?*Bgf;{S?d4f0~hpXVub777X%(Eb^y1+%?L#ehLxSBPz*-*zg! zfYlBF!(-&A836y7Z~rTghpIQWb4*B30{Mp>wbF9b43Ph*_`gX>G5dd3vii215+eqkw)ZG-~#K8e(+4XDQG4=YXNA*hcS3=^vYw5 zH5wnD{>JoYL>Q=b8q18Cw173Yj3j6o7;qikuS0roPXH(8fy)bau>n^PT&e@j*>hw- z)|POFPQvc&XP{+%Q`v$2OVB0?g359Da?_I(?CWT7EQ|r33@HFw#L2*v1)52}>Hu2t zkp^7Cp?_)Raf~$@4^Mw@#qj5bHJ}W)i|qr(Iw0T@0E}fZ!2U`JFL3q1(!Ua*6##_R z^NcS4fv+e7l{?#if>$lkr!J+e{v2KYGrIf-yo7UTE&my9unhLqrLdz{q#!G8S(d=g zU%65+SN{0zUZ3Z}hgiQw0XsR<EXgV3qJHRtMMvH>c zq5!EVH~?G#0|Z$`MVs7%leHif(hp$?;I1d&y>I{2&h-cy2uR4w^WU+TJ|HXvtY(0V hmmM2l{(kv|4&bHO44$rjF6*2UngC#G9S8sb diff --git a/versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP1/README.md b/versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP1/README.md deleted file mode 100644 index 0fd4bb63..00000000 --- a/versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP1/README.md +++ /dev/null @@ -1,141 +0,0 @@ ---- -slug: /MEP-1-distributed-metal-control-plane -title: MEP-1 -sidebar_position: 1 ---- - -# Distributed Metal Control Plane - -This enhancement proposal was replaced by [MEP18](../MEP18/README.md). - -## Problem Statement - -We face the situation that we argue for running bare metal on-premises because this way the customers can control where and how their software and data are processed and stored. -On the other hand, we have currently decided that our metal-api control plane components run on a kubernetes cluster (in our case on a cluster provided by one of the available hyperscalers). - -Running the control plane on Kubernetes has the following benefits: - -- Ease of deployment -- Get most, if not all, of the required infrastructure services like (probably incomplete): - - IPs - - DNS - - L7-Loadbalancing - - Storage - - S3 Backup - - High Availability - -Using a kubernetes as a service offering from one of the hyperscalers, enables us to focus on using kubernetes instead of maintaining it as well. - -## Goal - -It would be much saner if metal-stack has no, or only minimal dependencies to external services. Imagine a metal-stack deployment in a plant, it would be optimal if we only have to deliver a single rack with servers and networking gear installed and wired, plug that rack to the power supply and a internet uplink and its ready to go. - -Have a second plant which you want to be part of all your plants? Just tell both that they are part of something bigger and metal-api knows of two partitions. - -## Possible Solutions - -We can think of two different solutions to this vision: - -1. Keep the central control plane approach and require some sort of kubernetes deployment accessible from the internet. This has the downside that the user must, provide a managed kubernetes deployment in his own datacenter or uses a hyperscaler. Still not optimal. -1. Install the metal-api and all its dependencies in every partition, replicate or shard the databases to every connected partition, make them know each other. Connect the partitions over the internet with some sort of vpn to make the services visible to each other. - -As we can see, the first approach does not really address the problem, therefore i will describe solution #2 in more details. - -## Central/Current setup - -### Stateful services - -Every distributed system suffer from handling state in a scalable, fast and correct way. To start how to cope with the state, we first must identify which state can be seen as partition local only and which state must be synchronous for read, and synchronous for writes across partitions. - -Affected states: - -- masterdata: e.g. tenant and project must be present in every partition, but these are entities which are read often but updates are rare. A write can therefore be visible with a decent delay in a distinct partition with no consequences. -- ipam: the prefixes and ip´s allocated from machines. These entities are also read often and rare updates. But we must differentiate between dirty reads for different types. A machine network is partition local, ips acquired from such a network must by synchronous in the same partition. Ips acquired from global networks such as internet must by synchronous for all partitions, as otherwise a internet ip could be acquired twice. -- vrf ids: they must only be unique in one partition -- image and size configurations: read often, written seldom, so no high requirements on the storage of these entities. -- images: os images are already replicated from a central s3 storage to a per partition s3 service. metal-hammer kernel and initrd are small and pull always from the central s3, can be done similar to os images. -- machine and machine allocation: must be only synchronous in the partition -- switch: must be only synchronous in the partition -- nsq messages: do not need to cross partition boundaries. No need to keep the messages persistent, even the opposite is true, we don't want to have the messages persist for a longer period. - -Now we can see that the most critical state to held and synchronize are the IPAM data, because these entities must be guaranteed to be synchronously updated, while being updated frequently. - -Datastores: - -We use three different types of datastores to persist the states of the metal application. - -- rethinkdb is the main datastore for almost all entities managed by metal-api -- postgresql is used for masterdata and ipam data. -- nsq uses disk and memory tho store the messages. - -### Stateless services - -These are the easy part, all of our services which are stateless can be scaled up and down without any impact on functionality. Even the stateful services like masterdata and metal-api rely fully on the underlying datastore and can therefore also be scaled up and down to meet scalability requirements. - -Albeit, most of these services need to be placed behind a loadbalancer which does the L4/L7 balancing across the started/available replicas of the service for the clients talking to it. This is actually provided by kubernetes with either service type loadbalancer or type clusterip. - -One exception is the `metal-console` service which must have the partition in it´s dns name now, because there is no direct network connectivity between the management networks of the partitions. See "Network Setup) - -## Distributed setup - -### State - -In order to replicate certain data which must be available across all partitions we can use on of the existing open source databases which enable such kind of setup. There are a few available out there, the following incomplete list will highlight the pro´s and cons of each. - -- RethinkDB - - We already store most of our data in RethinkDB and it gives already the ability to synchronize the data in a distributed manner with different guarantees for consistency and latency. This is described here: [Scaling, Sharding and replication](https://rethinkdb.com/docs/sharding-and-replication/). But because rethinkdb has a rough history and unsure future with the last release took more than a year, we in the team already thought that we eventually must move away from rethinkdb in the future. - -- Postgresql - - Postgres does not have a multi datacenter with replication in both directions, it just can make the remote instance store the same data. - -- CockroachDB - - Is a Postgresql compatible database engine on the wire. CockroachDB gives you both, ACID and geo replication with writes allowed from all connected members. It is even possible to configure [Follow the Workload](https://www.cockroachlabs.com/docs/stable/topology-follow-the-workload) and [Geo Partitioning and Replication](https://www.cockroachlabs.com/docs/v19.2/topology-geo-partitioned-replicas). - -If we migrate all metal-api entities to be stored the same way we store masterdata, we could use cockroachdb to store all metal entities in one ore more databases spread across all partitions and still ensure consistency and high availability. - -A simple setup how this would look like is shown here. - -![Simple CockroachDB setup](Distributed.png) - -go-ipam was modified in a example PR here: [PR 17](https://github.com/metal-stack/go-ipam/pull/17) - -### API Access - -In order to make the metal-api accessible for api users like `cloud-api` or `metalctl` as easy at it is today, some effort has to be taken. One possible approach would be to use a external loadbalancer which spread the requests evenly to all metal-api endpoints in all partitions. Because all data are accessible from all partitions, a api request going to partition A with a request to create a machine in partition B, will still work. If on the other hand partition B is not in a connected state because the interconnection between both partitions is broken, then of course the request will fail. - -**IMPORTANT** -The NSQ Message to inform `metal-core` must end in the correct partition - -To provide such a external loadbalancer we have several opportunities: - -- Cloudflare or comparable CDN service. -- BGP Anycast from every partition - -Another setup would place a small gateway behind the metal-api address, which forwards to the metal-api in the partition where the request must be executed. This gateway, `metal-api-router` must inspect the payload, extract the desired partition, and forward the request without any modifications to the metal-api endpoint in this partition. This can be done for all requests, or if we want to optimize, only for write accesses. - -## Network setup - -In order to have the impact to the overall security concept as minimal as possible i would not modify the current network setup. The only modifications which has to be made are: - -- Allow https ingress traffic to all metal-api instances. -- Allow ssh ingress traffic to all metal-console instances. -- Allow CockroachDB Replication between all partitions. -- No NSQ traffic from outside required anymore, except we cant solve the topic above. - -A simple setup how this would look like is shown here, this does not work though because of the forementioned NSQ issue. - -![API and Console Access](Distributed-API.png) - -Therefore we need the `metal-api-router`: - -![Working API and Console Access](Distributed-API-Working.png) - -## Deployment - -The deployment of our components will substantially differ in a partition compared to a the deployment we have actually. Deploying it in kubernetes in the partition would be very difficult to achieve because we have no sane way to deploy kubernetes on physical machines without a underlying API. -I would therefore suggest to deploy our components in the same way we do that for the services running on the management server. Use systemd to start docker containers. - -![Deployment](Distributed-Deployment.png) diff --git a/versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP10/README.md b/versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP10/README.md deleted file mode 100644 index 6811cdc0..00000000 --- a/versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP10/README.md +++ /dev/null @@ -1,197 +0,0 @@ ---- -slug: /MEP-10-sonic-support -title: MEP-10 -sidebar_position: 10 ---- - -# SONiC Support - -As writing this proposal, metal-stack only supports Cumulus on Broadcom ASICs. Unfortunately, after the acquisition of -Cumulus Networks by Nvidia, Broadcom decided to cut its relationship with Cumulus, and therefore Cumulus 4.2 is the last -version that supports Broadcom ASICs. Since trashing the existing hardware is not a solution, adding support for a -different network operating system is necessary. - -One of the remaining big players is [SONiC](https://sonic-net.github.io/SONiC/), which Microsoft created to scale the -network of Azure. It's an open-source project and is now part of the [Linux Foundation](https://www.linuxfoundation.org/press/press-release/software-for-open-networking-in-the-cloud-sonic-moves-to-the-linux-foundation). - -For a general introduction to SONiC, please follow the [Architecture](https://github.com/sonic-net/SONiC/wiki/Architecture) official -documentation. - -## ConfigDB - -On a cold start, the content of `/etc/sonic/config_db.json` will be loaded into the Redis database `CONFIG_DB`, and both -contain the switch's configuration except the BGP unnumbered configuration, which still has to be configured directly by -the frr configuration files. The SONiC community is working to remove this exception, but no release date is known. - -## BGP Configuration - -Frr runs inside a container, and a shell script configured it on the container startup. For BGP unnumbered, we must set -the configuration variable `docker_routing_config_mode` to `split` to prevent SONiC from overwriting our configuration -files created by `metal-core`. But by using the split mode, the integrated configuration mode of frr is deactivated, and -we have to write our BGP configuration to the daemon-specific files `bgp.conf`, `staticd.conf`, and `zebra.conf` instead -to `frr.conf`. - -```bash -elif [ "$CONFIG_TYPE" == "split" ]; then - echo "no service integrated-vtysh-config" > /etc/frr/vtysh.conf - rm -f /etc/frr/frr.conf -``` - -Reference: [docker-init](https://github.com/sonic-net/sonic-buildimage/blob/202205/dockers/docker-fpm-frr/docker_init.sh#L69) - -Adding support for the integrated configuration mode, we must at least adjust the startup shell script and the supervisor configuration: - -```bash -{% if DEVICE_METADATA.localhost.docker_routing_config_mode is defined and DEVICE_METADATA.localhost.docker_routing_config_mode == "unified" %} -[program:vtysh_b] -command=/usr/bin/vtysh -b -``` - -Reference: [supervisord.conf](https://github.com/sonic-net/sonic-buildimage/blob/202205/dockers/docker-fpm-frr/frr/supervisord/supervisord.conf.j2#L157) - -## Non-BGP Configuration - -For the Non-BGP configuration we have to write it into the Redis database directly or via one of the following interfaces: - -- `config replace ` -- the Mgmt Framework -- the SONiC restapi - -Directly writing into the Redis database isn't a stable interface, and we must determine the create, delete, and update -operations on our own. The last point is also valid for the Mgmt Framework and the SONiC restapi. Furthermore, the -Mgmt Framework doesn't start anymore for several months, and a [potential fix](https://github.com/sonic-net/sonic-buildimage/pull/10893) -is still not merged. And the SONiC restapi isn't enabled by default, and we must build and maintain our own SONiC images. - -Using `config replace` would reduce the complexity in the `metal-core` codebase because we don't have to determine the -actual changes between the running and the desired configuration. The approach's drawbacks are using a version of SONiC -that contains the PR [Yang support for VXLAN](https://github.com/sonic-net/sonic-buildimage/pull/7294), and we must provide -the whole new startup configuration to prevent unwanted deconfiguration. - -### Configure Loopback interface and activate VXLAN - -```json -{ - "LOOPBACK_INTERFACE": { - "Loopback0": {}, - "Loopback0|": {} - }, - "VXLAN_TUNNEL": { - "vtep": { - "src_ip": "" - } - } -} -``` - -#### Configure MTU - -```json -{ - "PORT": { - "Ethernet0": { - "mtu": "9000" - } - } -} -``` - -#### Configure PXE Vlan - -```json -{ - "VLAN": { - "Vlan4000": { - "vlanid": "4000" - } - }, - "VLAN_INTERFACE": { - "Vlan4000": {}, - "Vlan4000|": {} - }, - "VLAN_MEMBER": { - "Vlan4000|": { - "tagging_mode": "untagged" - } - }, - "VXLAN_TUNNEL_MAP": { - "vtep|map_104000_Vlan4000": { - "vlan": "Vlan4000", - "vni": "104000" - } - } -} -``` - -#### Configure VRF - -```json -{ - "INTERFACE": { - "Ethernet0": { - "vrf_name": "vrf104001" - } - }, - "VLAN": { - "Vlan4001": { - "vlanid": "4001" - } - }, - "VLAN_INTERFACE": { - "Vlan4001": { - "vrf_name": "vrf104001" - } - }, - "VRF": { - "vrf104001": { - "vni": "104001" - } - }, - "VXLAN_TUNNEL_MAP": { - "vtep|map_104001_Vlan4001": { - "vlan": "Vlan4001", - "vni": "104001" - } - } -} -``` - -## DHCP Relay - -The DHCP relay container only starts if `DEVICE_METADATA.localhost.type` is equal to `ToRRouter`. - -## LLDP - -SONiC always uses the local port subtype for LLDP and sets it to some freely configurable alias field of the interface. - -```python -# Get the port alias. If None or empty string, use port name instead -port_alias = port_table_dict.get("alias") -if not port_alias: - self.log_info("Unable to retrieve port alias for port '{}'. Using port name instead.".format(port_name)) - port_alias = port_name - -lldpcli_cmd = "lldpcli configure ports {0} lldp portidsubtype local {1}".format(port_name, port_alias) -``` - -Reference: [lldpmgr](https://github.com/sonic-net/sonic-buildimage/blob/202205/dockers/docker-lldp/lldpmgrd#L153) - -## Mgmt Interface - -The mgmt interface is `eth0`. To configure a static IP address and activate the Mgmt VRF, use: - -```json -{ - "MGMT_INTERFACE": { - "eth0|": { - "gwaddr": "" - } - }, - "MGMT_VRF_CONFIG": { - "vrf_global": { - "mgmtVrfEnabled": "true" - } - } -} -``` - -[IP forwarding is deactivated on `eth0`](https://github.com/sonic-net/sonic-buildimage/blob/202205/files/image_config/sysctl/sysctl-net.conf#L7), and no IP Masquerade is configured. diff --git a/versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP11/README.md b/versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP11/README.md deleted file mode 100644 index 87f48a10..00000000 --- a/versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP11/README.md +++ /dev/null @@ -1,78 +0,0 @@ ---- -slug: /MEP-11-auditing-of-metal-stack-resources -title: MEP-11 -sidebar_position: 11 ---- - -# Auditing of metal-stack resources - -Currently no logs of the ownership of resources like machines, networks, ips and volumes are generated or kept. Though due to legal requirements data centers are required to keep track of this ownership over time to prevent liability issues when opening the platform for external users. - -In this proposal we want to introduce a flexible and low-maintenance approach for auditing on top of [Meilisearch](https://www.meilisearch.com/). - -## Overview - -In general our auditing logs will be collected by a request interceptor or middleware. Every request and response will be processed and eventually logged to Meilisearch. -Meilisearch will be configured to regularly create chunks of the auditing logs. These finished chunks will be backed up to a S3 compatible storage with a read-only option enabled. - -Of course sensitive data like session keys or passwords will be redacted before logging. We want to track relevant requests and responses. If auditing the request fails, the request itself will be aborted and will not be processed further. The requests and responses that will be audited will be annotated with a correlation id. - -Transferring the meilisearch auditing data chunks to the S3 compatible storage will be done by a sidecar cronjob that is executed periodically. -To avoid data manipulation the S3 compatible storage will be configured to be read-only. - -## Whitelisting - -To reduce the amount of unnecessary logs we want to introduce a whitelist of resources and operations on those that should be logged. -Other requests will be passed directly to the next middleware or web service without any further processing. - -As we are only interested in mutating endpoints, we ignore all `GET` requests. -The whitelist includes all `POST`, `PUT`, `PATCH` and `DELETE` endpoints of the HTTP middleware except for the following (non-manipulating) route suffixes: - -- `/find` -- `/notify` -- `/try` and `/match` -- `/capacity` -- `/from-hardware` - -Regarding GRPC audit trails, they are not so interesting because only internal clients are using this API. However, we can log the trails of the `Boot` service, which can be interesting to revise the machine lifecycle. - -## Chunking in Meilisearch - -We want our data to be chunked in Meilisearch. To accomplish this, we rotate the index identifier on a scheduled basis. The index identifiers will be derived from the current date and time. - -To keep things simple, we only support hourly, daily and monthly rotation. The eventually prefixed index names will only include relevant parts of date and time like `2021-01`, `2021-01-01` or `2021-01-01_13`. - -The metal-api will only write to the current index and switches to the new index on rotation. The metal-api will never read or update data in any indices. - -## Moving chunks to S3 compatible storage - -As Meilisearch will be filled with data over time, we want to move completed chunks to a S3 compatible storage. This will be done by a sidecar cronjob that is executed periodically. Note that the periods of the index rotation and the cronjob execution don't have to match. - -When the backup process gets started, it initiates a [Meilisearch dump](https://www.meilisearch.com/docs/learn/advanced/dumps) of the whole database across all indices. Once the returned task is finished, the dump must be copied from a Meilisearch volume to the S3 compatible storage. After a successful copy, the dump can be deleted. - -Now we want to remove all indices from Meilisearch, except the most recent one. For this, we [get all indices](https://www.meilisearch.com/docs/reference/api/indexes#list-all-indexes), sort them and [delete each index](https://www.meilisearch.com/docs/reference/api/indexes#delete-an-index) except the most recent one to avoid data loss. - -For the actual implementation, we can build upon [backup-restore-sidecar](https://github.com/metal-stack/backup-restore-sidecar). But due to the index rotation and the fact, that older indices need to be deleted, this probably does not fit into the mentioned sidecar. - -## S3 compatible storage - -The dumps of chunks should automatically deleted after a certain amount of time, once we are either no longer allowed or required to keep them. -The default retention time will be 6 months. Ideally already uploaded chunks should be read-only to prevent data manipulation. - -A candidate for the S3 compatible storage is Google Cloud Storage, which allows to configure automatic expiration of objects through a [lifecycle rule](https://cloud.google.com/storage/docs/managing-lifecycles?hl=en#storage-set-lifecycle-config-go). - -## Affected components - -- metal-api grpc server needs an auditing interceptor -- metal-api web server needs an auditing filter chain / middleware -- metal-api needs new command line arguments to configure the auditing -- mini-lab needs a Meilisearch instance -- mini-lab may need a local S3 compatible storage -- we need a sidecar to implement the backup to S3 compatible storage -- Consider auditing of volume allocations and freeings outside of metal-stack - -## Alternatives considered - -Instead of using Meilisearch we investigated using an immutable database like [immudb](https://immudb.io/). But immudb does not support chunking of data and due to its immutable nature, we will never be able to free up space of expired data. Even if we are legally allowed or required to delete data, we will not be able to do so with immudb. - -In another variant of the Meilisearch approach the metal-api would also be responsible for copying chunks to the S3 compatible storage and deleting old indices. But separating the concerns allows completely different implementations for every deployment stage. diff --git a/versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP12/README.md b/versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP12/README.md deleted file mode 100644 index 65532c57..00000000 --- a/versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP12/README.md +++ /dev/null @@ -1,34 +0,0 @@ ---- -slug: /MEP-12-rack-spreading -title: MEP-12 -sidebar_position: 12 ---- - -# Rack Spreading - -Currently, when creating a machine through the metal-api, the machine is placed randomly inside a partition. This algorithm does not consider spreading machines across different racks and different chassis. This may lead to the situation that a group of machines (that for example form a cluster) can end up being placed in the same rack and the same chassis. - -Spreading a group of machines across racks can enhance availability for scenarios like a rack losing power or a chassis meltdown. - -So, instead of just randomly deciding the placement of a machine candidate, we want to propose a placement strategy that attempts to spread machine candidates across the racks inside a partition. - -Furthermore a followup improvement to guarantee that machines are really spread across multiple racks, even if multiple machines are ordered in parallel, was implemented with [PR490](https://github.com/metal-stack/metal-api/pull/490). - -## Placement Strategy - -Machines in the project are spread across all available racks evenly within a partition (best effort). For this, an additional request to the datastore has to be made in order to find allocated machines within the project in the partition. - -The algorithm will then figure out the least occupied racks and elect a machine candidate randomly from those racks. - -The user can optionally pass placement tags which will be considered for spreading the machines as well (this will for example allow spreading by a cluster id tag inside the same project). - -## API - -```golang -// service/v1/machine.go - -type MachineAllocation struct { - // existing fields are omitted for readability - PlacementTags []string `json:"placement_tags" description:"by default machines are spread across the racks inside a partition for every project. if placement tags are provided, the machine candidate has an additional anti-affinity to other machines having the same tags"` -} -``` diff --git a/versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP13/README.md b/versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP13/README.md deleted file mode 100644 index 2dde20f5..00000000 --- a/versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP13/README.md +++ /dev/null @@ -1,111 +0,0 @@ ---- -slug: /MEP-13-dual-stack-support -title: MEP-13 -sidebar_position: 13 ---- - -# Dual-stack Support - -dual-stack support is required to be able to create Kubernetes clusters with either IPv6 single-stack or dual-stack enabled. -With the inherent scarcity of IPv4 addresses, the need to be able to use IPv6 has increased. - -Full IPv6 dual-stack support was added to Kubernetes with v1.23 as stable. - -Gardeners have had full IPv6 dual-stack support since `v1.109`. - -metal-stack manages CIDRs and IP addresses with the [go-ipam](https://github.com/metal-stack/go-ipam) library, which already got full IPv6 support in 2021 (see [https://metal-stack.io/blog/2021/02/ipv6-part1](https://metal-stack.io/blog/2021/02/ipv6-part1)). -But this was only the foundation, more work needs to be done to get full IPv6 support for all aspects managed by metal-stack.io. - -## General Decisions - -For the general decision we do not look at the isolated clusters feature for now as this would make the solution even more complex and we want to introduce IPv6 in smaller steps to the users. - -### Networks - -Currently, metal-stack organizes CIDRs / prefixes into a `network' resource in the metal-api. A network can consist of multiple CIDRs from the same address family. For example, if an operator wants to provide Internet connectivity to provisioned machines, they can start with small network CIDRs. The number of managed network prefixes can then be expanded as needed over time. - -With dual-stack we have to choose between two options: Network per address family or networks with both address families. These options are described in the next section. - -#### Network per Address Family - -This means that we allow networks with CIDRs from one address family only, one for IPv4 and one for IPv6. - -The machine creation process will not change if the machine only needs to be either IPv4 or IPv6 addressable. -But if on the other side, the machine need to be able to connect to both address families, the machine creation needs to specify two networks, one for IPv4 and one for IPv6. -Also there will be 2 distinct VRF IDs for every network with a different address family. - -#### Network with both Address Families - -Make a network dual address family capable, meaning that you can add multiple cidrs from both address families to a network. -Then the machine creation will remain the same for single-stack and dual-stack cases, but the ip address allocation will need to specify the address family from which to allocate an ip address when the network is dual-stack. -This does not break the existing API, but allows existing extensions to easily add dual-stack support. -To avoid additional checking of which address families are available on this network during an ip allocation call, we could store the address families in the network. - -#### Decision - -The decision was made to go with the having both address families in a single network entity because we think this is the most flexible way to support dual-stack machines and Kubernetes clusters as well as single-stack with the least amount of modifications on the networking side. - -### Examples - -To illustrate the the usage we start by creating a tenant super network which has both address families: - -```yaml ---- -id: tenant-super-network-mini-lab -name: Project Super Network -description: Super network of all project networks -partitionid: mini-lab -prefixes: - - 10.0.0.0/16 - - 2001:db8:0:10::/64 -defaultchildprefixlength: - IPv4: 22 - IPv6: 96 -privatesuper: true -``` - -In order to create this network, we simple call: - -```bash -metalctl network create -f tenant-super.yaml -``` - -This is usually done during the initial setup of the environment. - -Next step is to allocate a tenant network where the machines of a project can be placed: - -```bash -metalctl network allocate --partition mini-lab --project 4b9b17c4-2d7c-4190-ae95-dda44e430fa6 --name my-node-network -``` - -This leads to the following network allocation: - -```yaml -id: 2d2c0350-3f66-4597-ae97-ef6797232212 -name: my-node-network -parentnetworkid: tenant-super-network-mini-lab -partitionid: mini-lab -prefixes: - - 10.0.0.0/22 - - 2001:db8:0:10::/96 -projectid: 4b9b17c4-2d7c-4190-ae95-dda44e430fa6 -vrf: 20 -consumption: - ipv4: - available_ips: 1024 - available_prefixes: 256 - used_ips: 2 - used_prefixes: 0 - ipv6: - available_ips: 2147483647 - available_prefixes: 1073741824 - used_ips: 1 - used_prefixes: 0 -privatesuper: false -``` - -Users can the create IP addresses from these child networks. By default, they retrieve an IPv4 address except a super network only consists of IPv6 prefixes. In the latter case the users acquire an IPv6 address. - -```bash -metalctl network ip create --network 2d2c0350-3f66-4597-ae97-ef6797232212 --project 4b9b17c4-2d7c-4190-ae95-dda44e430fa6 -``` diff --git a/versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP14/README.md b/versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP14/README.md deleted file mode 100644 index 47c06434..00000000 --- a/versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP14/README.md +++ /dev/null @@ -1,36 +0,0 @@ ---- -slug: /MEP-14-independence-from-external-sources -title: MEP-14 -sidebar_position: 14 ---- - -# Independence from external sources - -In certain situations some customers may need to operate and create machines without making use of external services like DNS or NTP through the internet. To make this possible, all metal-stack components reaching external services need to be configurable with custom endpoints. - -So far, the following components have been identified as requiring changes: - -- pixiecore -- metal-hammer -- metal-images - -More components are likely to be added to the list during processing. -For DNS and NTP servers it should be possible to provide default values within a partition. They can either be inherited from machines and firewalls or overwritten with own ones. - -## pixiecore - -A NTP server endpoint need to be configured on the pixiecore. This can be achieved by providing it through environment variables on start up. - -## metal-hammer - -If using a self-deployed NTP server, also the metal-hammer need to be configured with it. For backward compatibility, default values from `pool.ntp.org` and `time.google.com` are used. - -## metal-images - -Configurations for the `metal-images` are different for machines and firewalls. - -## metalctl - -In order to pass DNS and NTP servers to partitions and machines while creating them, the flags `dnsservers` and `ntpservers` need to be added. - -The implementation of this MEP will make metal-stack possible to create and maintain machines without requiring an internet connection. diff --git a/versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP16/README.md b/versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP16/README.md deleted file mode 100644 index 205670ab..00000000 --- a/versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP16/README.md +++ /dev/null @@ -1,318 +0,0 @@ ---- -slug: /MEP-16-metal-api-as-an-alternative-configuration-source-for-the-firewall-controller -title: MEP-16 -sidebar_position: 16 ---- - -# metal-api as an Alternative Configuration Source for the firewall-controller - -In the current situation, a firewall as provisioned by metal-stack is a fully immutable entity. Any modifications on the firewall like changing the firewall ruleset must be done _somehow_ by the user – the metal-api and hence metal-stack is not aware of its current state. - -As part of our [integration with the Gardener project](https://docs.metal-stack.io/stable/overview/kubernetes/#Gardener) we offer a solution called the [firewall-controller](https://github.com/metal-stack/firewall-controller), which is part of our [firewall OS images](https://github.com/metal-stack/metal-images/blob/6318a624861b18a559a9d37299bca5f760eef524/firewall/Dockerfile#L57-L58) and addresses shortcomings of the firewall resource's immutability, which would otherwise be completely impractible to work with. The firewall-controller crashes infinitely if it is not properly configured through the userdata when using the firewall image of metal-stack. - -The firewall-controller approach is tightly coupled to Gardener and it requires the administrator of the Gardener installation to pass a shoot and a seed kubeconfig through machine userdata when creating the firewall. How this userdata has to look like is not documented and is just part of another project called the [firewall-controller-manager](https://github.com/metal-stack/firewall-controller-manager) (FCM), which task is to orchestrate rolling updates of firewall machines in a way that network traffic interruption is minimal when updating a firewall or applying a change to an immutable firewall configuration. - -In general, a firewall entity in metal-stack has similarities to the machine entity but it has a fundamental difference: A user gains ownership over a machine after provisioning. They can access it through SSH, modify it at will and this is completely wanted. For firewalls, however, we do not want a user to access the provisioned firewall as the firewall is a privileged part of the infrastructure with access to the underlay network. The underlay can not be tampered with at any given point in time by a user as it can destroy the entire network traffic flow inside a metal-stack partition. - -For this reason, we have a gap in the metal-stack project in terms of a missing solution for people who do not rely on the Gardener integration. We are basically leaving a user with the option to implement an orchestrated recreation of every possible change on the firewall to minimize traffic interruption for the machines sitting behind the firewall or re-implement the firewall-controller to how they want to use it for their use-case. - -Also we do not have a clear distinction in the API between user and metal-stack operator for firewalls. If a user would allocate a firewall it is also possible for the user to inject his own SSH keys and access the firewall and tamper with the underlay network. - -Parts of these problems are probably going to decrease with the work on [MEP-4](../MEP4/README.md) where there will be dedicated APIs for users and administrators of metal-stack including fine-grained access tokens. - -With this MEP we want to describe a way to improve this current situation and allow other users that do not rely on the Gardener integration – for whatever motivation they have – to adequately manage firewalls. For this, we propose an alternative configuration for the firewall-controller that is native to metal-stack and more independent of Gardener. - -## Proposal - -The central idea of this proposal is allowing the firewall-controller to use the metal-api as a configuration source. This should serve as an alternative strategy to the currently used FCM `Firewall` resource based approach in the Gardener use-case. -Updates of the firewall rules should be possible through the metal-api. - -The firewall-controller itself should now be able to decide which of the two main strategies should be used for the base configuration: a kubeconfig or the metal-api. This should be possible through a dedicated _firewall-controller-config_. - -Using this config will now allow operators to fine-tune the data sources for all of its dynamic configuration tasks independently. -For example the data source of the core firewall rules could be set either from the `Firewall` resource located in the Gardener `Seed` or the metal-apiserver node network entity, while the CWNPs should be fetched and applied from a given kubeconfig (the `Shoot` Kubeconfig in the Gardener case). -This configuration file is intended to be injected during firewall creation through the userdata along with potential source connection credentials. - -```yaml -# the name of the firewall, defaulted to the hostname -name: best-firewall-ever - -sources: - seed: - kubeconfig: /path/to/seed.yaml # current gardener behavior - namespace: shoot--proj--name - shoot: - kubeconfig: /path/to/shoot.yaml # current gardener behavior - namespace: firewall - metal: - url: https://metal-api - hmac: some-hmac - type: Metal-View - projectID: abc - static: - # static should mirror all information provided by the metal or seed/shoot sources - firewall: # optional - controllerURL: https://... - cwnp: - egress: [] - ingress: [] - -# all sub-controllers running on the firewall -# each can be configured independently -controllers: - # this is the base controller - firewall: - source: seed # or: metal, static - - # these are optional: when not provided, they are disabled - selfUpdate: - enabled: true - droptailer: - enabled: true - - # these are optional: when not provided, they are disabled - service: - source: shoot # or: metal, static - cwnp: - source: shoot # or: metal, static - monitor: - source: shoot # currently only shoot is supported -``` - -The existing behavior of the firewall-controller writing into `/etc/nftables/firewall-controller.v4` is not changed. The different controller configuration sources are internally treated in the same way as before. The `static` source can be used to prevent the firewall-controller from crashing and consistently providing a static ruleset. This might be interesting for metal-stack native use cases or environments where the metal-api cannot be accessed. - -There must be one central nftables-rule-file-controller that is notified and triggered by all other controllers that contribute to the nftables configuration. - -For example, in order to maintain the existing Gardener integration, the configuration file for the firewall-controller will look like this: - -```yaml -name: shoot--abc--cluster-firewall-def -sources: - seed: - kubeconfig: /etc/firewall-controller/seed.yaml - namespace: shoot--abc--cluster - shoot: - kubeconfig: /etc/firewall-controller/shoot.yaml - namespace: firewall - -controllers: - firewall: - source: seed - - selfUpdate: - enabled: true - droptailer: - enabled: true - - service: - source: shoot - cwnp: - source: shoot - monitor: - source: shoot -``` - -Plain metal-stack users might use a configuration like this: - -```yaml -name: best-firewall-ever - -sources: - metal: - url: https://metal-api - hmac: some-hmac - type: Metal-View - projectID: abc - -controllers: - firewall: - source: metal - selfUpdate: - enabled: true - droptailer: - enabled: true - - cwnp: - # firewall rules stored in firewall entity - # potential improvement would be to attach the rules to the node network entity - # be aware that the firewall and private networks are immutable - # eventually we introduce a firewall ruleset entity - source: metal -``` - -In highly restricted environments that cannot access metal-api the static source could be used: - -```yaml -name: most-restricted-firewall-ever - -sources: - static: - firewall: - controllerURL: https://... - cwnp: - egress: [] - ingress: [] - -controllers: - firewall: - source: static - - cwnp: - source: static -``` - -### Non-Goals - -- Resolving the missing differentiation between users and administrators by letting users pass userdata and SSH keys to the firewall creation. - - This is even more related to [MEP-4](../MEP4/README.md) than this MEP. - -### Advantages - -- Offers a native metal-stack solution that improves managing firewalls for users by adding dynamic reconfiguration through the metal-api - - e.g., in the mini-lab, users can now allocate a machine, then an IP address and announce this IP from the machine without having to re-create the firewall but by adding a firewall rule to the metal-api. -- Improve consistency throughout the API (firewall rules would reflect what is persisted in metal-api). -- Other providers like Cluster API can leverage this approach, too. -- It can contribute to solving the shoot migration issue (in Cluster API case the `clusterctl move` for firewall objects) - - For Gardener takes the seed out of the equation (of which the kubeconfig changes during shoot migration) - - However: Things like egress rules, rate limiting, etc. are currently not part of the firewall or network entity in the metal-api. These would need to be added to one of them. -- Potentially resolve the issue that end-users can manipulate accounting data of the firewall through the `FirewallMonitor` - - for this we would need to be able to report traffic data to metal-api - -### Caveats - -- Metal-View access is too broad for firewalls. Mitigated by [MEP-4](../MEP4/README.md). -- Polling of the firewall-controller is bad for performance. Mitigated by [MEP-4](../MEP4/README.md). - -### Firewall Controller Manager - -Currently the firewall-controller-manager expects the creators of a `FirewallDeployment` to use the defaulting webhook that is tailored to the Gardener integration in order to generate `Firewall.spec.userdata` or to override it manually. Currently `Firewall.spec.userdata` will never be set explicitly. - -Instead we'd like to propose `Firewall.spec.userdataContents` which will replace the old `userdata`-string by a typed data structure. The FCM will do the heavy lifting while the `FirewallDeployment` creator decides what should be configured. - -```yaml -kind: FirewallDeployment -spec: - template: - spec: - userdataContents: - - path: /etc/firewall-controller/config.yaml - content: | - --- - sources: - static: {} - controllers: - firewall: - source: static - - path: /etc/firewall-controller/seed.yaml - secretRef: - name: seed-kubeconfig - generateFirewallControllerKubeconfig: true - - path: /etc/firewall-controller/shoot.yaml - secretRef: - name: shoot-kubeconfig -``` - -### Gardener Extension Provider Metal Stack - -The GEPM should be migrated to the new `Firewall.spec.userdataContents` field. - -### Cluster API Provider Metal Stack - -![architectural overview](firewall-for-capms-overview.svg) - -In Cluster API there are essentially two main clusters: the management cluster and the workload cluster while the CAPMS takes in the role of the GEPM. -Typically a local bootstrap cluster is created in KinD which acts as the management cluster. It creates the workload cluster. Thereafter the ownership of the workload cluster is typically moved (using `clusterctl move`) to a different cluster which will then become the management cluster. -The new management cluster might actually be the workload cluster itself. - -In contrast to Gardener, Cluster API aims to be less opinionated and minimal. It is common practice to not install any non-required components or CRDs into the workload cluster by default. Therefore we cannot expect custom resources like `ClusterwideNetworkPolicy` or `FirewallMonitor` to be installed in the workload cluster but strongly recommend our users to do it. Therefore it's the responsibility of the operator to tell [cluster-api-provider-metal-stack](https://github.com/metal-stack/cluster-api-provider-metal-stack) the kubeconfig for the cluster where these CRDs are installed and defined in. - -A viable configuration for a `MetalStackCluster` that generates firewall rules based of `Service` type `LoadBalancer` and `ClusterwideNetworkPolicy` and expects them to be deployed in the workload cluster is shown below. The `FirewallMonitor` will be reported into the same cluster. - -```yaml -kind: MetalStackCluster -metadata: - name: ${CLUSTER_NAME} -spec: - firewallTemplate: - userdataContents: - - path: /etc/firewall-controller/config.yaml - secretName: ${CLUSTER_NAME}-firewall-controller-config - - - path: /etc/firewall-controller/workload.yaml - # this is the kubeconfig generated by kubeadm - secretName: ${CLUSTER_NAME}-kubeconfig ---- -kind: Secret -metadata: - name: ${CLUSTER_NAME}-firewall-controller-config -stringData: - controllerConfig: | - --- - name: ${CLUSTER_NAME}-firewall - - sources: - metal: - url: ${METAL_API_URL} - hmac: ${METAL_API_HMAC} - type: ${METAL_API_HMAC_TYPE} - projectID: ${METAL_API_PROJECT_ID} - shoot: - kubeconfig: /etc/firewall-controller/workload.yaml - namespace: firewall - - controllers: - firewall: - source: metal - selfUpdate: - enabled: true - droptailer: - enabled: true - - service: - source: shoot - cwnp: - source: shoot - monitor: - source: shoot -``` - -Here the firewall-controller-config will be referenced by the `MetalStackCluster` as a `Secret`. Please note that the `Secret`s in `userdataContents` will not be fetched and will directly be passed to the `FirewallDeployment`. At first the reconciliation of it in the FCM will fail due to the missing Kubeconfig secret. After the `MetalStackCluster` has been marked as ready, CAPI will create this missing secret. Effectively the firewall and initial control plane node should be created at the same time. - -This approach allows maximum flexibility as intended by Cluster API and is still able to provide robust rolling updates of firewalls. - -An advanced use case of this flexibility would be a management cluster, that is in charge of multiple workload clusters. Where one workload cluster acts as a monitoring or tooling cluster, receives logs and the firewall monitor for the other workload clusters. The CWNPs could be defined here, all in a separate namespace. - -#### Cluster API Caveats - -When the cluster is pivoted and reconciles its own firewall, a malfunctioning firewall prevents the cluster from self-healing and requires manual intervention by creating a new firewall. This is an inherent problem of the cluster-api approach. It can be circumvented by using an extra cluster to manage workload clusters. - -In the current form of this approach firewalls and therefore the firewall egress and ingress rules are managed by the cluster operators that manage the cluster-api resources. -Hence it will not be possible to gain a fine-grained control over every cluster operator's choices from a central ruleset at the level of metal-stack firewalls. -In case this control surfaces as a requirement, it would need to be implemented in a firewall external to metal-stack. - -## Roadmap - -In general this proposal is not thought to be implemented in one batch. Instead an incremental approach is required. - -1. Enhance firewall-controller - - - Reduce coupling between controllers - - Introduce controller config - - Abstract module to write into distinct nftable rules for every controller - - Implement `sources.static`, but not `sources.metal` - - GEPM should set `FirewallDeployment.spec.template.spec.userdataContents` - -2. Allow Cluster API to use the FCM with static ruleset - - - Add `firewall.metal-stack.io/paused` annotation (managed by CAPMS during `clusterctl move`, theoretically useful for Gardener shoot migration as well to avoid shallow deletion). - - Reconcile multiple `FirewallDeployment` resources across multiple namespaces. For Gardener the old behavior of reconciling only one namespace should persist. - - Allow setting the `firewall.metal-stack.io/no-controller-connection` annotation through the `FirewallDeployment` (either through the template or inheritance). - - Add `MetalStackCluster.spec.firewallTemplate`. - - Make `MetalStackCluster.spec.nodeNetworkID` optional if `spec.firewallTemplate` given. - -3. Add `sources.metal` as configuration option. - - - Allow updates of firewall rules in the metal-apiserver. - - Depends on [MEP-4](../MEP4/README.md) metal-apiserver progress - -4. Potentially migrate the GEPM to use `sources.metal` diff --git a/versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP16/firewall-for-capms-overview.drawio b/versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP16/firewall-for-capms-overview.drawio deleted file mode 100644 index faea3e3d..00000000 --- a/versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP16/firewall-for-capms-overview.drawio +++ /dev/null @@ -1,4 +0,0 @@ - - - -
handles traffic
Firewall
Firewall Controller
node-exporter
nftables-exporter
droptailer-client
Workload Cluster
droptailer
Configures
Bootstrap or Management Cluster
reconcile
configures
reconcile
Cluster API Provider metal-stack
Metal Stack Cluster CRD
Firewall Deployment CRD
Firewall CRD
Firewall Set CRD
rec
reconcile
reconcile
Firewall Controller Manager
Metal Stack Machine CRD
manages
Admin
Kubeconfig FirewallMonitor
FirewallMonitor CRD
main metal-api
Firewall entity
kubeconfig CWNP
Clusterwide Network Policy CRD
base config
controllerConfig
user-defined
network rules
reports firewall
state
send firewall log lines
controllerConfig
controllerConfig
 \ No newline at end of file diff --git a/versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP16/firewall-for-capms-overview.svg b/versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP16/firewall-for-capms-overview.svg deleted file mode 100644 index 853f8175..00000000 --- a/versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP16/firewall-for-capms-overview.svg +++ /dev/null @@ -1 +0,0 @@ -
handles traffic
handles traffic
Firewall
Firewall
Firewall Controller
Firewall Controller
node-exporter
node-exporter
nftables-exporter
nftables-exporter
droptailer-client
droptailer-client
Workload Cluster
Workload Cluster
droptailer
droptailer
Configures
Configures
Bootstrap or Management Cluster
Bootstrap or Management Cluster
reconcile
reconcile
configures
configures
reconcile
reconcile
Cluster API Provider metal-stack
Cluster API Provider...
Metal Stack Cluster CRD
Metal Stack Cluster...
Firewall Deployment CRD
Firewall Deployment...
Firewall CRD
Firewall CRD
Firewall Set CRD
Firewall Set CRD
rec
rec
reconcile
reconcile
reconcile
reconcile
Firewall Controller Manager
Firewall Controller...
Metal Stack Machine CRD
Metal Stack Machine...
manages
manages
Admin
Admin
Kubeconfig FirewallMonitor
Kubeconfig FirewallMonitor
FirewallMonitor CRD
FirewallMonitor CRD
main metal-api
main metal-api
Firewall entity
Firewall entity
kubeconfig CWNP
kubeconfig CWNP
Clusterwide Network PolicyCRD
Clusterwide Network...
base config
base config
controllerConfig
controllerConfig
user-defined
network rules
user-defined...
reports firewall
state
reports firewall...
send firewall log lines
send firewall log lines
controllerConfig
controllerConfig
controllerConfig
controllerConfigText is not SVG - cannot display \ No newline at end of file diff --git a/versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP17/README.md b/versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP17/README.md deleted file mode 100644 index 35f48970..00000000 --- a/versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP17/README.md +++ /dev/null @@ -1,61 +0,0 @@ ---- -slug: /MEP-17-global-network-view -title: MEP-17 -sidebar_position: 17 ---- - -# Global Network View - -> [!IMPORTANT] -> This MEP assumes the implementation of the metal-apiserver as described by [MEP-4](../MEP4/README.md) which is currently work in progress. - -Having a complete view of the network topology is useful when working with deployments or troubleshooting connectivity issues. -Currently, the API doesn't know of any other switches than the leaf switches. -Information about all other switches and their connections must be gathered from Ansible inventories or by accessing the switches via SSH. -Documentation of each partition's network must be kept in-sync with all changes made to the deployment or cabling. -We would like to expand the API's knowledge of the network to the entire underlay including inter-switch connections as well as BGP statistics and health status. - -## Switch Types - -Registering a switch at the API is done by the metal-core. -Apart from that, it also reconciles port and FRR configuration to adapt to the machine provisioning cycle. -This reconfiguration is only necessary on the leaf switches. -To allow deploying the metal-core on other switches than leaves we need a way of telling it what type of switch it is running on so it can act accordingly. -On any non-leaf switches it will only register the switch and report statistic but not change any configuration. -Supported switch types are - -- `leaf` -- `spine` -- `exit` -- `mgmtleaf` -- `mgmtspine` - -## Network Topology - -All switches should periodically report their LLDP neighbors and port configuration. -This information can be used to quickly identify common network issues, like MTU mismatch or the like. -Ideally, there would be some graphical representation of the network topology containing only the most important information for a quick overview. -It should contain all switches and machines as nodes and all connections as edges of a graph. -Ports, VRFs, and maybe also IPs should be associated with a connection. - -Apart from the topology graph, there should be a way to display more detailed information about both ports of a connection, like - -- MTU -- speed -- IP -- UP/DOWN status -- VRF -- VLAN -- whether it participates in a BGP session - -## BGP Announcements - -The metal-core should collect all routes it knows about and send them to the API along with a timestamp. -Reported routes should be stored to a redis database along with the switch that reported them and the timestamp of the last time they were reported. -An expiration threshold should be defined and all expired routes should be cleaned up periodically. -Whenever new routes are reported they get merged into the existing ones by the strategy: - -- when new, just add -- when existing, update `last_announced` timestamp - -By querying the BGP announcements we can find out whether an allocated IP is still in use. diff --git a/versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP18/README.md b/versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP18/README.md deleted file mode 100644 index 9c02c0b7..00000000 --- a/versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP18/README.md +++ /dev/null @@ -1,147 +0,0 @@ ---- -slug: /MEP-18-autonomous-control-plane -title: MEP-18 -sidebar_position: 18 ---- - -# Autonomous Control Plane - -As described in the [deployment chapter](../../../docs/04-For%20Operators/03-deployment-guide.mdx), we strongly recommend Kubernetes as the target platform for running the metal-stack control plane. - -Kubernetes clusters for this purpose are readily available from hyperscalers, metalstack.cloud, or other cloud providers. Simply using a managed Kubernetes cluster greatly simplifies a metal-stack installation. However, sometimes it might be desirable to host the metal-stack control plane autonomously, without the help of another cloud provider. Reasons for this might include corporate policies that prohibit the use of external data center products, or network constraints. - -The Kubernetes cluster hosting the metal-stack control plane must provide at least the following features: - -- Load balancing (for exposing the APIs) -- Persistent storage (for the databases and key-value stores) -- Access to object storage for automated backups of the stateful sets -- Access to a DNS provider supported by one of the used DNS extensions -- Externally accessible DNS records for obtaining officially signed certificates through DNS challenges - -This metal-stack control plane cluster must also be highly available to prevent a complete loss of control over the managed resources in the data center. -Regular Kubernetes updates to apply security fixes and feature updates must be possible in an automated manner. The Day-2 operational overhead of running this cluster in your own datacenter must be reasonable. - -In this chapter, we propose a solution for setting up a metal-stack environment with an autonomous control plane that is independent of another cloud provider. - -## Use Your Own Dogfood - -The most obvious solution is to just deploy a Kubernetes cluster manually in your own data center by utilizing existing tooling for the deployment: - -- k3s -- kubeadm -- vmware and rancher -- talos -- kubespray -- ... (not a complete list) - -However, all these solutions add another layer of complexity that needs to be maintained and operated by people who also need to learn and understand metal-stack. In general, metal-stack in combination with [Gardener](https://gardener.cloud) contains all the necessary tools to provide KaaS, so it makes sense to reuse what is already in place without introducing new dependencies on other products and vendors. - -The only problem here is that Gardener is not yet able to create an initial cluster, which may change with the implementation of [GEP-28](https://github.com/gardener/gardener/blob/master/docs/proposals/28-autonomous-shoot-clusters.md). In the meantime, we suggest using [k3s](https://k3s.io/), which manages the initial metal-stack partition to host the control plane, since the maintenance overhead is acceptable and it is easy to deploy. - -## The Matryoshka Principle - -Instead of directly using the K3s cluster for the production control plane, we propose using it as a minimal control plane cluster which only purpose is to host the production control plane cluster. This layer of indirection brings some reasonable advantages: - -- In the event of an interruption or loss of this minimal control plane cluster, the production control plane remains unaffected, and end users can continue to manage their clusters as normal. -- A dedicated operations team can take care of the Day-2 maintenance of this installation, which can be handy because the tools like k3s are a little different from the rest of the setup (it is likely that more manual maintenance is required than for any other cluster). This would also be true if the initial cluster problem would be solved by the Gardener itself and not using k3s. -- Since the number of shoot clusters to host is static, the resource requirements are minimal and will not change significantly over time. There are no huge resource requirements in terms of cpu, memory and storage. As such, the lack of scalability is not such a big issue. - -So, our proposal is to chain two metal-stack control planes. The initial control plane cluster would use k3s and on this cluster we can spin up a cluster for the production control plane with the use of Gardener. - -The following figure shows how the high-level architecture of this setup looks like. A even more simplified illustration of this setup can be looked up in the appendix[^1]. - -![Autonomous Control Plane Architecture](./autonomous-control-plane-images/metal-stack-autonomous-control-plane-full.svg) - -The k3s nodes can either be bare metal machines or virtual machines. When using VMs a single k3s node might be a viable solution, too. These nodes are supposed to be setup manually / partly automated with an operating system like Debian. - -To name the cluster that hosts the initial metal-stack control plane and Gardener we use the term _initial cluster_. The initial cluster creates worker nodes to host the _target cluster_. - -## Initial Cluster - -The initial cluster is kept very small. The physical bare metal machines can be any machines and switches which are supported by metal-stack, but can be smaller in terms of cpu, memory and network speed because these machines must only be capable of running the target cluster for the metal-stack control plane. A typical single socket server with 8-16 cores and 64GB of RAM and two NVMe drives of 1TB would be a good starting point. - -In a typical k3s setup, a stateful set would lose the data once the k3s cluster was terminated and started again. But there is a possibility to define parts of the local storage of the server to be provided to the k3s cluster for the PVCs. With that, k3s could be terminated and started again, for example to update and reboot the host os, or update k3s itself and the data will persist. - -Example k3s configuration for persistent storage on the hosts os: - -```yaml -k3s: Cluster -apiVersion: k3s.x-k8s.io/v1alpha4 -name: needle-control-plane -nodes: - - role: control-plane - # add a mount from /path/to/my/files on the host to /files on the node - extraMounts: - - hostPath: /path/to/my/files - containerPath: /files -``` - -Into this cluster metal-stack and Gardener will be deployed. This deployment can be done by a Gitlab runner which is running on this machine. -The mini-lab will be used as a base for this deployment. The current development of [gardener-in-minilab](https://github.com/metal-stack/mini-lab/pull/202) must be extended to host all required extensions to make this a working metal-stack control plane which can manage the machines in the attached bare metal setup. - -In addition to the metal-stack and Gardener deployment, some additional required services are deployed (non-complete list): - -- PowerDNS to serve as a DNS Server for all DNS entries used in the initial and the target cluster, like `api.initial.metal-stack.local`, `gardener-api.initial.metal-stack.local` and the DNS entries for the api servers of the created kubernetes clusters. -- NTP -- Monitoring for the initial cluster and partition -- Optional: OIDC Server for authenticating against the metal-api -- Optional: Container Registry to host all metal-stack and gardener containers -- Optional: Let's Encrypt [boulder](https://github.com/letsencrypt/boulder) as a certificate authority -- ... - -Physical view, minimal setup for a initial cluster with a single physical node: - -![Small Initial Cluster](autonomous-control-plane-images/small-initial-cluster.svg) - -Physical View, bigger ha setup which is spread across two data centers: - -![HA Initial Cluster](autonomous-control-plane-images/ha-initial-cluster.svg) - -### Control Plane High Availability - -Running the initial control plane on a single physical server is not as available as it should be in such a use case. It should be possible to survive a loss of this server, because the server could be lost by many events, such as hardware failure, disk corruption or even failure of the datacenter location where this server is deployed. - -Setting up a second server with the same software components is an option, but the problem of data redundancy must be solved, because neither the gardener control plane, nor the metal-stack control plane can be instantiated twice. - -Given that we provide part of the local storage of the server as backing storage for the stateful sets in the k3s cluster, the data stored on the server itself must be replicated to another server and backed up on a regular basis. - -The replication of ETCD can be achieved through [clustered configuration](https://docs.k3s.io/datastore/ha-embedded) of k3s. Components of metal-stack and Gardener can run standalone and already utilize backup-restore mechanism that must be configured accordingly. For two or more bare metal machine used for the initial cluster, a loadbalancing mechanism for the ingress is required. kube-vip could be a possible solution. - -For monitoring a backend like a Victoria Metrics Cluster would allow spearding the monitoring data across the initial cluster nodes. These metrics should also be backed up in object storage. - -### Partition - -The partition which is managed by the initial cluster can be a simple and small hardware setup but yet capable enough to host the target cluster. It would even be a good practice to create separate target clusters on the initial cluster, e.g. one for the metal-stack control plane and one for the Gardener (maybe one more for monitoring). - -It can follow the metal-stack minimal setup which provides about 8-16 small servers connected to a 1G/s or 10G/s network dataplane. Central storage is optional as the persistence of the services running in these clusters is always backed up to a central object storage. Operations would be much easier if a central storage is provided. - -## Target Cluster - -The target cluster is the metal-stack environment which serves for end-user production use, the control plane is running in a shoot hosted in the initial cluster. The seed(s) and shoot(s) for end-users are created on the machines provided by the target cluster. -These machines can be of a different type in terms of size, but more importantly, these machines are connected to another network dataplane. Also the management infrastructure is separated from the initial cluster management network. - -## Failure Scenarios - -Everything could fail, everything will fail at some point. But this must kept in mind and nothing bad should happen if only one component at a time fails. -If more than one fails, the restoration to a working state must be easily possible and well documented. - -To ensure all possible breakages are documented, we suggest writing a list which summarizes all failure scenarios that might occur including the remediation. - -Here is an example of how a scenario documentation could look like: - -**Scenario**: Initial cluster is gone, all machines have died -**Impact**: Management of the initial cluster infrastructure not possible anymore, the target cluster continues to run but cannot be managed because the API servers are gone. end-users are not affected by this incident. -**Remediation**: The initial cluster nodes must be provisioned from scratch and re-deployed through the CI mechanism. The backups of the stateful sets are automatically restored during this process. - -## Implementation - -As part of this proposal, we provide the following tools and integrations in order to setup an autonomous control plane: - -- Deployment roles for the services like PowerDNS and NTP for the initial cluster -- Stretch goal: Deployment role to setup k3s in clustered configuration for the initial cluster and update it -- Extend the Gardener on mini-lab integration to allow shoot creation in the mini-lab -- Steady integration of the setup (maybe something like [k3d](https://github.com/k3d-io/k3d) in the mini-lab) - -## Appendix - -[^1]: ![metal-stack-chain](autonomous-control-plane-images/metal-stack-chain.svg) diff --git a/versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP18/autonomous-control-plane-images/ha-initial-cluster.drawio b/versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP18/autonomous-control-plane-images/ha-initial-cluster.drawio deleted file mode 100644 index eafcb514..00000000 --- a/versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP18/autonomous-control-plane-images/ha-initial-cluster.drawio +++ /dev/null @@ -1,535 +0,0 @@ - - - - - - - - - - - - - - - - - - - 1 - - - - - 2 - - - - - 3 - - - - - 4 - - - - - 5 - - - - - 6 - - - - - 7 - - - - - 8 - - - - - 9 - - - - - 10 - - - - - 11 - - - - - 12 - - - - - - - - - - - - - -
-
-
- internet-router-management -
-
-
- - - internet-router-management - - - - - - - - - - - - - -
-
-
- management-switch-and-server -
-
-
- - - management-switch-and-server - - - - - - - - - - - - - -
-
-
- spine01 -
-
-
- - - spine01 - - - - - - - - - - - - - -
-
-
- leaf01 -
-
-
- - - leaf01 - - - - - - - - - - - - - -
-
-
- leaf02 -
-
-
- - - leaf02 - - - - - - - - - - - - - - - - - -
-
-
- - mirocloud (initial cluster partition nodes) - -
-
-
- - - mirocloud (initial cluster... - - - - - - - - - - - - - - - - - -
-
-
- - Initial cluster node 01 - -
-
-
- - - Initial cluster node 01 - - - - - - - - - - - - - - - - - 1 - - - - - 2 - - - - - 3 - - - - - 4 - - - - - 5 - - - - - 6 - - - - - 7 - - - - - 8 - - - - - 9 - - - - - 10 - - - - - 11 - - - - - 12 - - - - - - - - - - - - - -
-
-
- internet-router-management -
-
-
- - - internet-router-management - - - - - - - - - - - - - -
-
-
- management-switch-and-server -
-
-
- - - management-switch-and-server - - - - - - - - - - - - - -
-
-
- spine02 -
-
-
- - - spine02 - - - - - - - - - - - - - -
-
-
- leaf03 -
-
-
- - - leaf03 - - - - - - - - - - - - - -
-
-
- leaf04 -
-
-
- - - leaf04 - - - - - - - - - - - - - - - - - -
-
-
- - Initial cluster node 02 - -
-
-
- - - Initial cluster node 02 - - - - - - - - - - - - - - - - - -
-
-
- - Initial cluster node 03 - -
-
-
- - - Initial cluster node 03 - - - - - - - - - - - - - - - - - -
-
-
- - mirocloud (initial cluster partition nodes) - -
-
-
- - - mirocloud (initial cluster... - - - - - - - - - - Text is not SVG - cannot display - - - - diff --git a/versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP18/autonomous-control-plane-images/ha-initial-cluster.svg b/versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP18/autonomous-control-plane-images/ha-initial-cluster.svg deleted file mode 100644 index 99261ada..00000000 --- a/versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP18/autonomous-control-plane-images/ha-initial-cluster.svg +++ /dev/null @@ -1 +0,0 @@ -123456789101112
internet-router-management
internet-router-management
management-switch-and-server
management-switch-and-server
spine01
spine01
leaf01
leaf01
leaf02
leaf02
mirocloud (initial cluster partition nodes)
mirocloud (initial cluster...
Initial cluster node 01
Initial cluster node 01123456789101112
internet-router-management
internet-router-management
management-switch-and-server
management-switch-and-server
spine02
spine02
leaf03
leaf03
leaf04
leaf04
Initial cluster node 02
Initial cluster node 02
Initial cluster node 03
Initial cluster node 03
mirocloud (initial cluster partition nodes)
mirocloud (initial cluster...Text is not SVG - cannot display \ No newline at end of file diff --git a/versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-autonomous-control-plane-full.drawio b/versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-autonomous-control-plane-full.drawio deleted file mode 100644 index aae8a12d..00000000 --- a/versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-autonomous-control-plane-full.drawio +++ /dev/null @@ -1,1133 +0,0 @@ - - - - - - - - - - - - - - - - - - - -
-
-
- Initial Cluster -
-
-
- - - Initial Cluster - - - - - - - - - - - - - - - - - - -
-
-
- metal-roles -
-
-
- - - metal-roles - - - - - - - - - - - -
-
-
- CI -
-
-
- - - CI - - - - - - - - - - - -
-
-
- K3s Standalone - - - (on Debian) - - -
-
-
- - - K3s Standalone (on Debian) - - - - - - - - - - - - - - - - - - - - - -
-
-
- Initial Partition -
-
-
- - - Initial Partition - - - - - - - - - - - - - - - - - -
-
-
- Target Cluster for metal-stack -
-
-
- - - Target Cluster for metal-stack - - - - - - - - - - - - - - - - - -
-
-
- Metal Control Plane -
-
-
- - - Metal Control Plane - - - - - - - - - - - - - - - -
-
-
- provisions -
-
-
- - - provisions - - - - - - - - - - - - - - - - - -
-
-
- Target Cluster for Gardener -
-
-
- - - Target Cluster for Gardener - - - - - - - - - - - - - - -
-
-
- Gardener Control Plane -
-
-
- - - Gardener Control Plane - - - - - - - - - - - - - - - - - - - - - -
-
-
- Monitoring -
-
-
- - - Monitoring - - - - - - - - - - - - - - - - - - - - -
-
-
- Target Partition -
-
-
- - - Target Partition - - - - - - - - - - - - - - -
-
-
- Gardener Seeds and End-User Shoots -
-
-
- - - Gardener Seeds and End-User Shoots - - - - - - - - - - - - - - - -
-
-
- provisions -
-
-
- - - provisions - - - - - - - - - - - - -
-
-
- metal-roles -
-
-
- - - metal-roles - - - - - - - - - - - -
-
-
- CI -
-
-
- - - CI - - - - - - - - - - - - -
-
-
- metal-roles -
-
-
- - - metal-roles - - - - - - - - - - - - - - -
-
-
- ETCD can be clustered or standalone, backed up by sidecar -
-
-
- - - ETCD can be clustere... - - - - - - - - - - - - - - -
-
-
- This data will get lost in case local PV gets deleted -
-
-
- - - This data will get l... - - - - - - - - - - - - - - -
-
-
- We can work with local PVs here, too. -
- backup-restore-sidecar for metal-stack databases, for big ones Postgres clustered. -
-
-
- - - We can work with local PVs he... - - - - - - - - - - - -
-
-
- ETCD will be deployed in HA configuration on local PVs. -
-
- csi-driver-lvm needs to implement auto deletion of orphaned PVs. -
-
- Seed metrics get lost, but they report to the monitoring in the Metal Control Plane Shoot. -
-
-
- - - ETCD will be deployed in HA c... - - - - - - - - - - - - - - -
-
-
- More sophisticated storage solutions can be in place. -
-
- (Lightbits, NetApp, ...) -
-
-
- - - More sophisticated storage so... - - - - - - - - - - - - - - -
-
-
- TODO: Evaluate how to persist these metrics. -
-
-
- - - TODO: Evaluate how to persist... - - - - - - - - - - - - - - -
-
-
- - 1 VM or -
- -
- - - 3 Bare Metal Machines - - -
-
-
-
- - - 1 VM or... - - - - - - - - - - - - - - - - - - -
-
-
- metal-stack -
-
-
- - - metal-stack - - - - - - - - - - - -
-
-
- metal-api -
-
-
- - - metal-api - - - - - - - - - - - -
-
-
- metal-db -
-
-
- - - metal-db - - - - - - - - - - - -
-
-
- ipam-db -
-
-
- - - ipam-db - - - - - - - - - - - -
-
-
- masterdata-db -
-
-
- - - masterdata-db - - - - - - - - - - - -
-
-
- headscale-db -
-
-
- - - headscale-db - - - - - - - - - - - -
-
-
- auditing-db -
-
-
- - - auditing-db - - - - - - - - - - - -
-
-
- nsqd -
-
-
- - - nsqd - - - - - - - - - - - - - - - -
-
-
- Gardener -
-
-
- - - Gardener - - - - - - - - - - - - - - -
-
-
- Virtual Garden -
-
-
- - - Virtual Garden - - - - - - - - - - - -
-
-
- Gardener Control Plane -
-
-
- - - Gardener Control Plane - - - - - - - - - - - -
-
-
- gardenlet -
-
-
- - - gardenlet - - - - - - - - - - - -
-
-
- Garden etcd -
-
-
- - - Garden etcd - - - - - - - - - - - -
-
-
- Prometheus -
-
-
- - - Prometheus - - - - - - - - - - - - - - - -
-
-
- Monitoring -
-
-
- - - Monitoring - - - - - - - - - - - - - - -
-
-
- - Gitlab - -
- - Runner - -
-
-
-
- - - Gitlab... - - - - - - - - - - - - - - -
-
-
- Services -
-
-
- - - Services - - - - - - - - - - - -
-
-
- PowerDNS -
-
-
- - - PowerDNS - - - - - - - - - - - -
-
-
- boulder -
-
-
- - - boulder - - - - - - - - - - - -
-
-
- NTP -
-
-
- - - NTP - - - - - - - - - - - -
-
-
- OIDC -
-
-
- - - OIDC - - - - - - - - - - - -
-
-
- ... -
-
-
- - - ... - - - - - - - - - - Text is not SVG - cannot display - - - - diff --git a/versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-autonomous-control-plane-full.svg b/versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-autonomous-control-plane-full.svg deleted file mode 100644 index e58e783b..00000000 --- a/versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-autonomous-control-plane-full.svg +++ /dev/null @@ -1 +0,0 @@ -
Initial Cluster
Initial Cluster
metal-roles
metal-roles
CI
CI
K3s Standalone(on Debian)
K3s Standalone (on Debian)
Initial Partition
Initial Partition
Target Cluster for metal-stack
Target Cluster for metal-stack
Metal Control Plane
Metal Control Plane
provisions
provisions
Target Cluster for Gardener
Target Cluster for Gardener
Gardener Control Plane
Gardener Control Plane
Monitoring
Monitoring
Target Partition
Target Partition
Gardener Seeds and End-User Shoots
Gardener Seeds and End-User Shoots
provisions
provisions
metal-roles
metal-roles
CI
CI
metal-roles
metal-roles
ETCD can be clustered or standalone, backed up by sidecar
ETCD can be clustere...
This data will get lost in case local PV gets deleted
This data will get l...
We can work with local PVs here, too.
backup-restore-sidecar for metal-stack databases, for big ones Postgres clustered.
We can work with local PVs he...
ETCD will be deployed in HA configuration on local PVs.

csi-driver-lvm needs to implement auto deletion of orphaned PVs.

Seed metrics get lost, but they report to the monitoring in the Metal Control Plane Shoot.
ETCD will be deployed in HA c...
More sophisticated storage solutions can be in place.

(Lightbits, NetApp, ...)
More sophisticated storage so...
TODO: Evaluate how to persist these metrics.
TODO: Evaluate how to persist...
1 VM or
3 Bare Metal Machines
1 VM or...
metal-stack
metal-stack
metal-api
metal-api
metal-db
metal-db
ipam-db
ipam-db
masterdata-db
masterdata-db
headscale-db
headscale-db
auditing-db
auditing-db
nsqd
nsqd
Gardener
Gardener
Virtual Garden
Virtual Garden
Gardener Control Plane
Gardener Control Plane
gardenlet
gardenlet
Garden etcd
Garden etcd
Prometheus
Prometheus
Monitoring
Monitoring
Gitlab
Runner
Gitlab...
Services
Services
PowerDNS
PowerDNS
boulder
boulder
NTP
NTP
OIDC
OIDC
...
...Text is not SVG - cannot display \ No newline at end of file diff --git a/versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-chain.drawio b/versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-chain.drawio deleted file mode 100644 index cd5cf007..00000000 --- a/versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-chain.drawio +++ /dev/null @@ -1,404 +0,0 @@ - - - - - - - - - - -
-
-
- Partition 1 -
-
-
- - - Partition 1 - - - - - - - -
-
-
- seeds -
-
-
- - - seeds - - - - - - - -
-
-
- shoots -
-
-
- - - shoots - - - - - - - - - -
-
-
- Partition 2 -
-
-
- - - Partition 2 - - - - - - - -
-
-
- seeds -
-
-
- - - seeds - - - - - - - -
-
-
- shoots -
-
-
- - - shoots - - - - - - - - - -
-
-
- Partition 3 -
-
-
- - - Partition 3 - - - - - - - -
-
-
- seeds -
-
-
- - - seeds - - - - - - - -
-
-
- shoots -
-
-
- - - shoots - - - - - - - - - -
-
-
- Production Control Plane -
-
-
- - - Production Control Plane - - - - - - - -
-
-
- metal-stack -
- kubernetes cluster -
-
-
- - - metal-stack... - - - - - - - -
-
-
- gardener -
- kubernetes cluster -
-
-
- - - gardener... - - - - - - - -
-
-
- - Manages - -
-
-
- - - Manages - - - - - - - - - - - -
-
-
- Control Plane Partition -
-
-
- - - Control Plane Partition - - - - - - - - -
-
-
- backup of stateful sets -
-
-
- - - backup of stateful sets - - - - - - - - - -
-
-
- bare metal machine -
-
-
- - - bare metal machine - - - - - - - -
-
-
- metal-stack -
- and -
- gardener -
- kubernetes cluster -
- running in kind -
-
-
- - - metal-stack... - - - - - - - -
-
-
- - Manages - -
-
-
- - - Manages - - - - - - - - -
-
-
- S3 -
-
-
- - - S3 - - - - - - - -
-
-
- Needle -
-
-
- - - Needle - - - - - - -
-
-
- - Nail - -
-
-
- - - Nail - - - - - - - - - Text is not SVG - cannot display - - - - \ No newline at end of file diff --git a/versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-chain.svg b/versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-chain.svg deleted file mode 100644 index 8f88ba14..00000000 --- a/versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-chain.svg +++ /dev/null @@ -1 +0,0 @@ -
Partition 1
Partition 1
seeds
seeds
shoots
shoots
Partition 2
Partition 2
seeds
seeds
shoots
shoots
Partition 3
Partition 3
seeds
seeds
shoots
shoots
Production Control Plane
Production Control Plane
metal-stack
kubernetes cluster
metal-stack...
gardener
kubernetes cluster
gardener...
Manages
Manages
Control Plane Partition
Control Plane Partition
backup of stateful sets
backup of stateful sets
bare metal machine
bare metal machine
metal-stack
and
gardener
kubernetes cluster
running in kind
metal-stack...
Manages
Manages
S3
S3
Needle
Needle 
Nail
NailText is not SVG - cannot display \ No newline at end of file diff --git a/versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP18/autonomous-control-plane-images/small-initial-cluster.drawio b/versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP18/autonomous-control-plane-images/small-initial-cluster.drawio deleted file mode 100644 index a75ee340..00000000 --- a/versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP18/autonomous-control-plane-images/small-initial-cluster.drawio +++ /dev/null @@ -1,234 +0,0 @@ - - - - - - - - - - - - - - - - - - - 1 - - - - - 2 - - - - - 3 - - - - - 4 - - - - - 5 - - - - - 6 - - - - - 7 - - - - - 8 - - - - - 9 - - - - - 10 - - - - - 11 - - - - - 12 - - - - - - - - - - - - - -
-
-
- internet-router-management -
-
-
- - - internet-router-management - - - - - - - - - - - - - -
-
-
- management-switch-and-server -
-
-
- - - management-switch-and-server - - - - - - - - - - - - - -
-
-
- leaf01 -
-
-
- - - leaf01 - - - - - - - - - - - - - -
-
-
- leaf02 -
-
-
- - - leaf02 - - - - - - - - - - - - - - - - - -
-
-
- Initial cluster node -
-
-
- - - Initial cluster node - - - - - - - - - - - - - - - - - -
-
-
- mirocloud (initial cluster partition nodes) -
-
-
- - - mirocloud (initial cluster... - - - - - - - - - - Text is not SVG - cannot display - - - - diff --git a/versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP18/autonomous-control-plane-images/small-initial-cluster.svg b/versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP18/autonomous-control-plane-images/small-initial-cluster.svg deleted file mode 100644 index a9d29f05..00000000 --- a/versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP18/autonomous-control-plane-images/small-initial-cluster.svg +++ /dev/null @@ -1 +0,0 @@ -123456789101112
internet-router-management
internet-router-management
management-switch-and-server
management-switch-and-server
leaf01
leaf01
leaf02
leaf02
Initial cluster node
Initial cluster node
mirocloud (initial cluster partition nodes)
mirocloud (initial cluster...Text is not SVG - cannot display \ No newline at end of file diff --git a/versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP2/README.md b/versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP2/README.md deleted file mode 100644 index c7f2360a..00000000 --- a/versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP2/README.md +++ /dev/null @@ -1,7 +0,0 @@ ---- -slug: /MEP-2-two-factor-authentication -title: MEP-2 -sidebar_position: 2 ---- - -# Two Factor Authentication diff --git a/versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP3/README.md b/versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP3/README.md deleted file mode 100644 index 5ce36721..00000000 --- a/versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP3/README.md +++ /dev/null @@ -1,67 +0,0 @@ ---- -slug: /MEP-3-machine-re-installation -title: MEP-3 -sidebar_position: 3 ---- - -# Machine Re-Installation - -In the current metal-api only machine installations are possible, performing a machine upgrade is only possible by creating a new machine and delete the old one. -This has the drawback that in case a lot of data is stored on the local disks, a full restore of the original data must be performed. - -To prevent this, we will introduce a new metal-api endpoint to reinstall the machine with a new image, _without_ actually deleting the data stored on the additional hard disks. - -Storage is a difficult task to get right and reliable. A short analysis of our different storage requirements lead to 3 different scenarios. - -- Storage for the etcd pvs in the seed cluster of every partition. - This is the most important storage in our setup because these etcd pods serve as configuration backend for all customer kubernetes clusters. If they fail, the cluster is down. However gardener deploys a backup and restore sidecar into the etcd pod of every customer kubernetes control plane, and if this sidecar detects a corrupt or missing etcd database file(s) it starts automatic restore from the configured backup location. This will take some minutes. If for example a node dies, and gardener creates a new node instead, the csi-lvm created pv is not present on that node. Kubernetes will not schedule the missing etcd pod on this node because it has a local PV configured and is therefore tainted to run only on that node. To let kubernetes create that pod anyhow, someone has to either remove the taint, or delete the pod. If this is done, the pod starts and the restore of the etcd data can start as well. You can see this is a bit too complicated and will take the customer cluster down for a while (not measured yet but in the range of 5-10 minutes). -- Storage in customer clusters. - This was not promised in 2020. We have a intermediate solution with the provisioning of csi-lvm by default into all customer clusters. Albeit this is only local storage and will get deleted if a node dies. -- S3 Storage. - We have two possibilities to cope with storage: - - In place update of the OS with a daemonset - This will be fast and simple, but might fail because the packages being installed are broken right now, or a filesystem gets full, or any other failure you can think of during a os update. Another drawback is that metal-api does not reflect the updated os image. - - metal-api get a machine reinstall endpoint - With this approach we leverage from existing and already proven mechanisms. Reinstall must keep all data except the sata-dom. Gardener currently is not able to do an update with this approach because it can only do `rolling` updates. Therefore a additional `osupdatestrategy` has to be implemented for metal and other providers in gardener to be able to leverage the metal reinstall on the same machineID approach. - -If reinstall is implemented, we should focus on the same technology for all scenarios and put ceph via rook.io into the kubernetes clusters as additional StorageClass. It has to be checked whether to use the raw disk or a PV as the underlay block device where ceph stores its data. - -## API and behavior - -The API will get an new endpoint "reinstall" this endpoint takes two arguments: - -- machineID -- image - -No other aspects of the machine can be modified during the re-installation. All data stored in the existing allocation will be preserved, only the image will be modified. -Once this endpoint was called, the machine will get a `reboot` signal with the boot order set to PXE instead of HDD and the network interfaces on the leaf are set to PXE as well. Then the normal installation process starts: - -- unchanged: PXE boot with metal-hammer -- changed: metal-hammer first checks with the machineID in the metal-api (through metal-core) if there is already a allocation present -- changed: if a allocation is present and the allocation has set `reinstall: true`, wipe disk is only executed for the root disk, all other disks are untouched. -- unchanged: the specified image is downloaded and burned, `/install.sh` is executed -- unchanged: successful installation is reported back, network is set the the vrf, boot order is set to HDD. -- unchanged: distribution kernel is booted via kexec - -We can see that the `allocation` requires one additional parameter: `reinstall` and metal-hammer must check for already existing allocation at an earlier stage. - -Components which requires modifications (first guess): - -- metal-hammer: - - check for allocation present earlier - - evaluation of `reinstall` flag set - - wipe of disks depends on that flag - - Bonus: move configuration of disk layout and primary disk detection algorithm (PDDA) from metal-hammer into metal-api. - metal-api **MUST** reject reinstallation if the disk found by PDDA does not have the `/etc/metal` directory! -- metal-core: - - probably nothing -- metal-api: - - new endpoint `/machine/reinstall` - - add `Reinstall bool` to data model of `allocation` - - make sure to reset `Reinstall` after reinstallation to prevent endless reinstallation loop -- metalctl: - - implement `reinstall` -- metal-go: - - implement `reinstall` -- gardener (longterm): - - add the `OSUpgradeStrategy` `reinstall` diff --git a/versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP4/README.md b/versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP4/README.md deleted file mode 100644 index 389a02d4..00000000 --- a/versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP4/README.md +++ /dev/null @@ -1,211 +0,0 @@ ---- -slug: /MEP-4-multi-tenancy-for-the-metal-api -title: MEP-4 -sidebar_position: 4 ---- - -# Multi-Tenancy for the metal-api -:::info -This document is work in progress. -::: - -In the past we decided to treat the metal-api as a "low-level API", i.e. the API does not specifically deal with projects and tenants. A user with editor access can for example assign machines to every project he desires, he can see all the machines available and can control them. We tried to keep the metal-api code base as small as possible and we added resource scoping to a "higher-level APIs". From there, a user would be able to only see his own clusters and IP addresses. - -As time passed metal-stack has become an open-source project and people are willing to adopt. Adopters who want to put their own technologies on top of the metal-stack infrastructure don't have those "higher-level APIs" that we implemented closed-source for our user base. So, external adopters most likely need to implement resource scoping on their own. - -Introducing multi-tenancy to the metal-api is a serious chance of making our product better and more successful as it opens the door for: - -- Becoming a "fully-featured" API -- Narrowing down attack surfaces and possibility of unintended resource modification produced by bugs or human errors -- Discouraging people to implement their own scoping layers in front of the metal-stack -- Gaining performance through resource scopes -- Letting untrusted / third-parties work with the API - -## Requirements - -These are some general requirements / higher objectives that MEP-4 has to fulfill. - -- Should be able to run with mini-lab without requiring to setup complex auth backends (dex, LDAP, keycloak, ...) - - Simple to start with, more complex options for production setups -- Fine-grained access permissions (every endpoint maps to a permission) -- Tenant scoping (disallow resource access to resources of other tenants) -- Project scoping (disallow resource access to resources of other projects) -- Access tokens in self-service for technical user access - -## Implementation - -We gathered a lot of knowledge while implementing a multi-tenancy-capable backend for metalstack.cloud. The goal is now to use the same technology and adopt that to the metal-api, this includes: - -- gRPC in combination with connectrpc -- OPA for making auth decisions -- REST HTTP only for OIDC login flows - -### API Definitions - -The API definitions should be located on a separate Github repository separate from the server implementation. The proposed repository location is: https://github.com/metal-stack/api. - -This repository contains the `proto3` specification of the exposed metal-stack api. This includes the messages, simple validations, services and the access permission to these services. The input parameters for the authorization in the backend are generated from the `proto3` annotations. - -Client implementations for the most relevant languages (go, python) are generated automatically. - -This api is divided into end-user and admin access at the top level. The proposed APIs are: - -- `metalstack.api.v2`: For end-user facing services -- `metalstack.admin.v2`: For operators and controllers which need access to unscoped entities - -The methods of the API can have different role scopes (and can be narrowed down further with fine-grained method permissions): - -- `tenant`: Tenant-scoped methods, e.g. project creation (tenant needs to be provided in the request payload) - - Available roles: VIEWER, EDITOR, OWNER -- `project`: Project-scoped methods, e.g. machine creation (tenant needs to be provided in the request payload) - - Available roles: VIEWER, EDITOR, OWNER -- `admin` Admin-scoped methods, e.g. unscoped tenant list or switch register - - Available roles: VIEWER, EDITOR - -And has methods with different visibility scopes: - -- `self`: Methods that only the logged in user can access, e.g. show permissions with the presented token -- `public`: Methods that do not require any specific authorization - -### API - -The API server implements the services defined in the API and validates access to a method using OPA with the JWT tokens passed in the requests. The server is implemented using the connectrpc.com framework. - -The API server implements the login flow through OIDC. After successful authentication, the API server derives user permissions from the OIDC provider and issues a new JWT token which is passed on to the user. The tokens including the permissions are stored in a redis compatible backend. - -With these tokens, users can create Access Tokens for CI/CD or other use cases. - -JWT Tokens can be revoked by admins and the user itself. - -### API Server - -Is put into a new github repo which implements the services defined in the `api` repository. It opens a `https` endpoints where the grpc (via connectrpc.com) and oidc services are exposed. - -### Migration of the Consumers - -To allow consumers to migrate to the `v2` API gradually, both apis, the new and the old, are deployed in parallel. In the control-plane both apis are deployed side-by-side behind the ingress. `api.example.com` is forwarded to `metal-api` and `metal.example.com` is forwarded to the new `metal-apiserver`. - -The api-server will talk to the existing metal-api during the process of migration services away to the new grpc api. - -The migration process can be done in the following manner: - -for each resource in the metal-api: - -- create a new proto3 based definition in the `api` repo. -- implement the business logic per service in the new `metal-apiserver` without calling the metal-api. -- clients must be able to talk to `v1` and `v2` backend in parallel -- Deprecate the already migrated service in the swagger route to notify the client that this route should not be used anymore. -- identify all consumers of this resource and replace them to use the grpc instead of the rest api -- move the business logic incl. the backend calls to ipam, metal-db, masterdata-api, nsq for this resource from the metal-api to the `metal-apiserver` - -We will migrate the rethinkdb backend implementation to a generic approach during this effort. - -- Try to enhance the generic rethinkdb interface with `project` scoped methods. - -There are a lot of consumers of metal-api, which need to be migrated: - -- ansible -- firewall-controller -- firewall-controller-manager -- gardener-extension-auth -- gardener-extension-provider-metal - - Do not point the secret bindings to a the shared provider secret in the seed anymore. Instead, use individual provider-secret containing project-scoped API access tokens in the Gardener project namespaces. -- machine-controller-manager-provider-metal -- metal-ccm -- metal-console -- metal-bmc -- metal-core -- metal-hammer -- metal-image-cache-sync -- metal-images -- metal-metrics-exporter -- metal-networker -- metalctl -- pixie - -## User Scenarios - -This section gathers a collection of workflows from the perspective of a user that we want to provide with the implementation of this proposal. - -### Machine Creation - -A regular user wants to create a machine resource. - -Requirements: Project was created, permissions are present - -- The user can see networks that were provided by the admin. - - ``` - $ metalctl network ls - ID NAME PROJECT PARTITION NAT SHARED PREFIXES IPS - internet Internet Network true false 212.34.83.0/27  ● - tenant-super-network-fra-equ01 Project Super Network fra-equ01 false false 10.128.0.0/14  ● - underlay-fra-equ01 Underlay Network fra-equ01 false false 10.0.0.0/16  ● - ``` - -- The user has to set the project scope first or provide `--project` flags for all commands. - ``` - $ metalctl project set 793bb6cd-8b46-479d-9209-0fedca428fe1 - You are now acting on project 793bb6cd-8b46-479d-9209-0fedca428fe1. - ``` -- The user can create the child network required for machine allocation. - ``` - $ metalctl network allocate --partition fra-equ01 --name test - ``` -- Now, the user sees his own child network. - ``` - $ metalctl network ls - ID NAME PROJECT PARTITION NAT SHARED PREFIXES IPS - internet Internet Network true false 212.34.83.0/27  ● - tenant-super-network-fra-equ01 Project Super Network fra-equ01 false false 10.128.0.0/14  ● - └─╴08b9114b-ec47-4697-b402-a11421788dc6 test 793bb6cd-8b46-479d-9209-0fedca428fe1 fra-equ01 false false 10.128.64.0/22  ● - underlay-fra-equ01 Underlay Network fra-equ01 false false 10.0.0.0/16  ● - ``` -- The user does not see any machines yet. - ``` - $ metalctl machine ls - ``` -- The user can create a machine. - ``` - $ metalctl machine create --networks internet,08b9114b-ec47-4697-b402-a11421788dc6 --name test --hostname test --image ubuntu-20.04 --partition fra-equ01 --size c1-xlarge-x86` - ``` -- The machine will now be provisioned. - ``` - $ metalctl machine ls - ID LAST EVENT WHEN AGE HOSTNAME PROJECT SIZE IMAGE PARTITION - 00000000-0000-0000-0000-ac1f6b7befb2 Phoned Home 20s 50d 4h test 793bb6cd-8b46-479d-9209-0fedca428fe1 c1-xlarge-x86 Ubuntu 20.04 20210415 fra-equ01 - ``` - -:::warning -A user **cannot** list all allocated machines for all projects. The user **must** always switch project context first and can only view the machines inside this project. Only admins can see all machines at once. -::: -### Scopes for Resources - -The admins / operators of the metal-stack should be able to provide _global_ resources that users are able to use along with their own resources. In particular, users can view and use _global_ resources, but they are not allowed to create, modify or delete them. - -:::info -When a project ID field is empty on a resource, the resource is considered _global_. -::: - -Where possible, users should be capable of creating their own resource entities. - -| Resource | User | Global | -| :----------------- | :--- | :----- | -| File System Layout | yes | yes | -| Firewall | yes | | -| Firmware | | yes | -| OS Image | | yes | -| Machine | yes | | -| Network (Base) | | yes | -| Network (Children) | yes | | -| IP | yes | | -| Partition | | yes | -| Project | yes | | -| Project Token | yes | | -| Size | | yes | -| Switch | | | -| Tenant | | yes | - -:::info -Example: A user can make use of the file system layouts provided by the admins, but can also create own layouts. Same applies for images. As soon as a user creates own resources, the user takes over the responsibility for the machine provisioning to succeed. -::: diff --git a/versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP5/README.md b/versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP5/README.md deleted file mode 100644 index 3b7fc45c..00000000 --- a/versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP5/README.md +++ /dev/null @@ -1,54 +0,0 @@ ---- -slug: /MEP-5-shared-networks -title: MEP-5 -sidebar_position: 5 ---- - -# Shared Networks - -## Why are shared networks needed - -For special purpose machines that serve shared services with performance critical workloads to all machines of a partition (like persistent storage) it would be good to have kind of a "shared network" that is easily accessible. -They do not necessarily need another firewall. This would avoid having two firewalls in the datapath between a machine in a private network and the machines of a shared service. - -## Constraints that need to hold - -- a shared network is usable from all machines that have a firewall in front, that uses it -- a shared network is only usable within a single partition (currently we are constrained in bandwidth and have no routing of 10.0.0.0/8 addresses btw. partitions and failure domain should be the partition but this constraint might get lifted in the future) -- networks may be marked as shared after network allocation (but there should be no way back from shared to unshared) -- neither machines nor firewalls may have multiple private, unshared networks configured -- machines must have a single primary network configured - - this might be a shared network - - OR a plain, unshared private network -- firewalls may participate in multiple shared networks -- machines can be allocated with a primary network using auto IP allocation or with `noauto` and a specific IP - -## Should shared networks be private - -**Alternative 1:** If we implemented shared networks by extending functions around plain, private networks we would not have to manage another CIDR (mini point) and it would be possible to create a k8s cluster with a private network, mark the network as `shared` and produce shared services from this k8s cluster. - -**Alternative 2:** If shared networks are implemented as first class networks we could customize the VRF and also accomplish an other goal of our roadmap: being able to create machines directly in an external network. - -Together with @majst01 and @Gerrit91 we decided to continue to implement **Alternative 1**. - -## Firewalls accessing a shared network - -Firewalls that access shared networks need to: - -- hide the private network behind an ip address of the shared network if the shared network was configured with `nat=true`. -- import the prefixes of the shared VRF to the private VRF and import the prefixes of the private VRF to the shared VRF so that the communication between the two is working in both directions. As long as no `nat=true` was set on the shared VRF, the original machine ips are visible in both communication directions. - -## Setup with shared networks and single consumer - -![Simple Setup](./shared.png) - -## Setup with single shared network and multiple consumers - -![Advanced Setup](./shared_advanced.png) - -## Getting internet access - -Machines contained in a shared network can access the internet with different scenarios: - -- if they have an own firewall: this is internet accessibility, as common (check whether all traffic gets routed through it!) -- if they don't have an own firewall, an external HTTP proxy is needed that has an endpoint exposed as Service Type NodePort diff --git a/versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP5/shared.drawio b/versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP5/shared.drawio deleted file mode 100644 index aa7af045..00000000 --- a/versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP5/shared.drawio +++ /dev/null @@ -1,121 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - \ No newline at end of file diff --git a/versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP5/shared.png b/versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP5/shared.png deleted file mode 100644 index b0b47f0324545ec159effc46f153a9b5b0c2450b..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 49790 zcmeEu1zc6x+V`OZ4ygiyBB6sIB@GAZ6lv*}?mBcygGj5CbV#RkNJt7wsURqVG@^t^ zNqy@e$3dOB@7#OmeZTwuzHi1k?!DGtYp?Y@&-y>PCqzL`5)XP73V}fIq^^nGfIv`T z5D1Di)(OzUv5?FQfpGOYimN+XyPB9=8AE8;MZaCqu(6ogIylm>i_x&L8M5)P>vM9j zF&T34a58b|bD1!~40#NgIC%_MdDyu)OpNr|!DC>IwXKo4iMg@Sw{dJNY%ENy;15ih zm6e8Fn4JauaB?!kSU5GmJ+E(SY;*JyPG%M`0i8PHNfB@*V{YT*3jTKG;nL&cxD2j@ z?d+_K)r<|K%^hjjBskf*nc2AzL!_@M%gWHOiGph@b4z3Jm!z?wr7dEJsI3vWmtbY) zWMO7S+?&B|tr0Ce?94389IPzt%&dnC7q>DtbcEa5fG!v_+u^fH`X>5t^J8y9Y|z+I z-}Kw&EG1oGcEYTR4h9aQcGpc+&3UZA3J}jY8^ayU!BmH|V`XRNV&+72u!{rg8ky^x z!u74eQ|3oRQqgl$V!Cc`p>Ja#%%2GIu|kp7m&)sgt>pvBS~2 zzm0UXwY73IxBIct(ALHVkn4vB_2F<^mmeQ9v9&tdbe6C%xa-5C1N%|9AipgF{Ksw{kk#o2H!62!jWB>;T*#`;e2^+Bt%wtpELeV8!3& z`|%y1`Ph5^9TpquJD44c1A^aw&exwLL0niuLL3H0AciaGJ31P}5%>cb%Yu*(#FCFm z2iM_0p#5)<4p!LzJ@Gg~w`1a=WCkSN2<%$*h6MNpZ2fn5@e`5%XO0^y+m8fgN8TSh zZ>&hf{<{wx(5DE39i!+k6g0Lm5=LM>5HA~B0BAn|6o5y#n>y%XVP@k5U5ED?hmv@7 zBZfc~1k@dNi6KA*ardW^=%^1jH3p{@VTT;?+t}y_HS#NP9itRdcN`}avJGx*rSE9& zd<4)(xcEnKb@T=WTk}ICL82y-F+T$%ata4qC%B>U(I`OH@7m?(iIDJlG!Z-U9y!rB z8vHWRA$oqt>%&DJHvI!Y<^KEl%l%LB*VxtE@ta&64g+@xsW_AaaQ(YbAa0N{@dFh8 zF|hrq*nFe?H?cX=BLBIP#D>(B|E?sladIfX%jXp@ZLJI!hFIPOj$Q3IKGYkf7 zY=qpigC7K}95Z`>?SW9i$84J)b=?uP97o`zCVeY&Q-p3a1OQ?T3?UJOC1VbZNa3Rn zYjYzbgmv|Y#?+7I)(;YfP?ASBF@V>907-w{bb=ik{%kBrz9JcL44^pvz;r?a3zAR& zis=OVQ;q|BOC#s(&TkH~W(1sW;yNMSxkNThx{u9T4w_-_&N2xpF&FTeW>KLOB>K=4ocUH>DL zWJjU}62AW@Dfz4Cr2sc~)^|iiSH9WSM<&}bO#ja(DJPPI|A3_bZMHS*ukOk(YVofc z*Z-95_3bTx5Cb@FBq2fQxRu0uBnAH=2KUe0<3Mr~i5Y*@;O0aE5K;_~_sEIhAoLFbhBt5uf;H z;PMcS4}%&=EItOZh(OryVU5E(1YN#Iz7&k%<{;3H@L>OO0PMJuKC&QwfZiiG{twa7 z?8uZ1QV5XYVWevPt2+7@>lb;hkrVxWIvOdb$8_}f@bR~k4I&x96#9P`ciH}eD*`)G zS%3G@Mxx3w?tG8(%NaYm*upJ=Pa=g(|NNd1LPnr~ijX)uILDlo|0)0l+~V&^wBu1I z(EdFS@OOry{ssVM{V9gQ#&x8!jsY+$$B_m-&ZfV^_eMl8z@Ou(gWo;I?|k|>X?LVI z5iCMR_y0K_eGgsy%p;_W{vXC8P8POr)d1gvg8#Ez`qi)hMNb+!!JWTnAdfkuhF1Cx z4(5me(y^%RpNj2&h(7vm`Xlub*OA4DR3rbgKKgm0KhZ}ZSEi3hrX$~Hhe#qhAjtN| zStWL)!aQ0q$B{z)J!AfD#^2LD|6B$LdCZQ%sf{gIpPaDruMqlci_+n9EaoO)h>boX zFXspcB@UpF0+i0MfU=8k=~o*hF#i_^p2ZRI?n4y#rehHh@(&T{po^J;r%Z~pj$!jD53Q>-%<->=M?veSt??&-a-~nk>|85W?Vh~7s_)jt9 zxarGwq|5$8a0O9abExl*jwu_@Q3?#nu)m5c9Ech=gw+4pM1O)SKx2Y3Fl0^5?`ZH3 zlD|k29y|KT1MXm_e|Ubs*CiqAU<|)i8zJgr;HCz206f7TM5W!atILQ+M81p#k)UBR z(YH3Y0=q$s0rTry+Z}eYvm+`|%#5v^jS=a(UwVF=M_7eSM-YSPK1wnor$6jA2lZNr zqD4eM%dw>$b~?iKZ5&L%qL9-gO1_TX4@^~~AK!j_xPiW*rRiY^o#`i{vmv4$M`Zu$ z`ghVBnLF570ZntbEOQ&H!&);WRjh0gQ2lMchy@|J3$6}pr_8PGY~haJCC6=Mgr@ig z-$2&B2?(<2>AytjA5%>KGs)aPg^|A=Ut&i>Ch{=;kp+$PaF4?^f;|YLAW#3l1lPYN z(Z5Z4OdlSD>m#E6fYpC!qJc5T;Q2UQBVhSYsrH`&v_G+go#k%=+FvI68-ezZqEX+D z(*FnAZ<^x&1MOinAHc?;R+{~*?*dd9U1gOPW1OdJyMX53DfuJLJpFAPGUF649$or#D*Vx4+Bxm&@5Gsh2n6R>| z?#E@VC#>2~0 zepGZb-i=Rf-fG+2O`M*MeQcV78EE8eI-6MQGR{BuEQvJg0`xX&_6;h_p~7Kiy~d;g zW&gV^=nPSumP3niSM+*+yL%foLud=yhShZEB_W0w3b)e4r#IEMV}(6~I$FfHPl|e3 z_qbFS`AP9dstO6vQSk4vx!$9viZUDwQE|K&WjHw!lRlz_;!EzqK)-n!BdNqkC}M4n zYSf)7>a_J>cerdWXuzgb37TGoVok@pVk3Uw#%9iHLR6hgcf0Y#QF0ilqNcuFzTJqA zH7%A}1vg#04CZfy#heU5MTK3`MFT%6+GG#LhzYyO>a*aYip>jPE*>vvMhWN}$SHa| z;)$5tR?b)~!>3cEH(NGQq1@y-Aw!zkK*sAz%QKUmk(9ID>h;b{5$CT4`S?H*RioYw zb%dWQ^VqbJN#uH-y_lgXMMawr?OspG0xPC{UKRFAiD-qV%WZ8I&t|+a90l#f&5=jO z(GTWsi^%2OcxX4#i~`ns-KO>$k=<>uQ2c0(vnMgg^Mxve^h=r2XzM+!Z@F?YX}_x3amZc5|RW?Ft6=^5ad4DytDc@lcZYo8#VUQBQ&&Z?LG| z6SnM37Y%07e}c~E^;KC%QbDu9wakykPrlJ}d*ah4Jdvk0_EXB|E=ooy+hiZ?EqklJ z*_sT!!eaHBE#G|FJ1M)|w4>G>#jvwo_!kkgW5iF;#>UROV0eQ6qvwucZ>CUEMrLM znJW@+E)aEvaGB3^Tv7%S8gP$Z^s_5Q1~J_E<7?mhmz4~j#j{>Z;weM*Wz=|-rc$7K zed}$lLjh?F(d8TH^5{i$i^C;q!)0$Dd#Gt#yL(CY&K+Wg3#x_cP+oPcGmdDhF6g&y z8@DAi6bdU>XX5k>0P(LSauvx&i9#%2m!?1ZD3iiR#-LV=i-K4z_6f=e|JeLfG}m)k zAKBrOzX>B_7ZJkWxz=nj@Se6#HC;%~@iN0EXC{z8lOz?gdpQh*MNzH6o{x;45>0!4 z8IY`TTQk9eq~n;c%|547$_{%FTxQrg8BBRgC2oP-ancwJhkRV`Q9LuHsr(@E;e7&Wy(DM;4D0M7H&^>S*jlNcW}eMG5gRq~Z5 zF$Y|5pIA*`Hx*jMLyIKy7cJ->$dn|WV37-^QmV92d6}z-Mk}9!UUKm! zOU;PpIf*W}t(EjUsrolLsIOnC62V7HBJ-4SA?$o2v@rWTacXOID!*yD=|JE{j$F~r z@G^d4dSwNa7q}cG(h-(kkSy*DpJISLg&2y>o=|X{ctq&WUpIRn{ka(R)V+%ZB1EM+ z0BGM--hGhaQ%?tI%FIq2atk^wCc;tMW(d%6^>tpHZ=yO%brAXKzEGW@OHqbr$Yw54 zWPn+NWh!uAWP%;Dt~%oUJs2!T3Xd1?of})ZZ(uVv3*(Gta(A{#2|xYHLu2DTpj56_ zbun*Lr0LMg!Q096;4ofu8rB?wPlelz)jhnSVrN;$53SB{@Zgtsi?BM`6;cR?C({Dm zG8IzJY{*rQ8Xc6xWj)%EiPu-Ek1C@Tnv(ox=xcOQC;1JT3bK)+S@igoN3mCQ>Xd2T zaeO$X$baE#V}J4KuCnS3xF9=FDu%NoF=cM~s9eJMN|*Zm?lEa`IgwJX39-teDN(Gv z?-Sj2-Aay&i@W}~S@dA5c@D+(*;pF~j*Q*Y-x7DpiUj$n)%$v%%S<<@2?_ahFSf~y zJyUFVK7mi3i$75Q4B8uzDEok;#UGR4<cxl$?vE#yEo`8e4`w;xnOFoYctJ~{O8dR+kgCQqQoS^TC zPFdZJ6x>&k5*|52fnH-Z!WNTu-#eC3BV(zxf&{z|-(KE?YmSqTa6nVgTB8&dR+amk zlbA0R20Gk`<~HiAQuC!Q>bK;4t_lxjC(sh?(nayvolo0gF*zEpqR4YguYY)@5|Nvy zl#`Dh=Xuk6bIgVQ{Us%~LiMr>JUOT32`){uIB+}2u-0?4$FfUZ687;iN+519?umuo zQ7zFeVsmF-rO_9=!aH3mD>5W6xR_7Ax6XP>pNC@w4t+K6 zxk1!bCQg%g5vcX9vxFGW@`Y-mTEF1H;L|=Su6JP>@rh5dU>H!MW}ug1B--x~D-BU- za>iTu+70H&Q(|zUV;K%Oa4$rO_TVv{uM6~FI2A8?r#73h+^;Wz9n;Z;6@`}CZ{fVz zUI^ASi!?9F9r5MR6q=+xS}Im-+A-}4mNMIPV(G2{_7p9Da?S7uoR%l*2Gq?y>APcV zwtX=OAh+DBFcyYRzs|V(@+5-nc(+kaRH(GO^hKV@3vB;J3ZMU)Zrp|iLyumY>%$bq zKW#VoH8T#V+aRAadvouF<>Huih`RbO7%}P30+nGu-%tH4RZtHl;$((Z*|hp>bR94h z2D4>D5qR->Zzw}NlrTyZ=M6SKW7yR$igPY~W_ULFz>`SXlMbC~E)is9VeL_=)J1uT>^9YOob(^n@!( zO3P%3h4kks(asbPQU@zsvpn4rWG^Z+|1_TR-40Mm3fSTcjhTTTTL}a!ES{e1vR?`o z)7-=b)RQLj+BNh?vYhykfLwHy$xlLwvr9Vq+nuf__c714U z1TflshtAYF=c^QuBqb-_Ov9uo7jU5;fC`@>nsOwaGc6kj;oX>kbZh!ynA zr}w6bW^yj}Q~;JwLx+0X-6;)9F|wjH0LAwEF>*f*MK+9%Nm0NBm58_kToy{}@foxjU$G2x4 zh#&c4+~-T+NWIp%QJYRT;fRrR0@hJ(^s&fq^~?LNcZtEcw>CyhEebr9rF)ZLuSmAL zE@6dR?V!S#kzGmlWz=0AL!Mae6?CgPFd`} zr8o*ELOnsEA7U#uw?KK&;jU*{l+Lb92+Sr-E;Lq5uPn=iG^58q>ud8=l-Yk8kXYCw z7E5#eKIFyK(%vGi>X$8^&&=DkH40x;+v>%vJ=M&1OnGL-==OP95%VkS$+;K?wNj@= zRj2D^GkdO|?UH$&UZUIzIZdl-y%J!MZ88z^jL$m3&;WWHSc>_KbE}i>N~)CEmaZEg zHEuuq$hQz5OFo-xa0fHOS4uXs{x%J59dYbVq7f8CIyBt zCsf=8H+L6b6=0?;Nyk%PV`1mMrmVJHQsnIOX}u^UESSFGVy7Tg3mCj zD+uG<)6q1!UL8PQCB*|AhC94c3B#uf3&$c8T1JMwb~f@}Bw}l#6V)ZfTli@VB{bYS z7%$cLzwXuI@rV-dEC*I}Lh@4n-p*zL5s|O2Z&%!vRMDYSp$Ji0DdUVxTdn)L1qO6`ZH}OKS#08_E^VFLt-W=%n1clX{iyG+1(Wl;5K{+Bad>%p z`bnMwEcbimhkQkm4tOqen+yvjn+gujGH-vv_P$}G8AJ$`7#OrKnP_1}7 zZ&ztE#*3jHhRrs+c42zuR>ds2;4N*9NODE6uJlJ0`Xq>TvE5_CSDX;U$T$xt4Q4a# zC66&r3@kpYX*Z8Qcu)O9vv4RD`@I*OVhU--0c20Zv3a>|-xc1yWi#>!!+U=_=g|We z=T5LT%UJRru91|=9k1<~IA~Q(YrbNp1bvFh_U9QWJeEl-yHIZT9=EM7q0RhVLqRg5 zXRZ{|UDSmGD&kb<_}wc+htmFllee9_^tGOSd`_AOc$Xh6Ncp*gX_|Ms-$2CfTB^X~ z?sk6tJuWEjYM2(4O> zi3{N2N9Me@3Pg6rs2b%akDURL1-AUj`-u zJ4{aBT#Cp}4~%~6vXnKK;X_B5n#YXxVEAYk)1c<5pR5B^bDUI zhMQ-)-b;05N`&+7gJ+(kFz1Hp5wV0KysZQ&vS7N2TBsNqd_LQNnI5v+htU^vLxLF^ zFAZ?S;dxG&1ks8ZMg}enyu%y5wetS`WcKH_nTv*8<%kJVbjT9vCdi;-*kFRso123B z6D?@=N^TwQ(TeU-;0X$j5jJJT<}9e#S$LbQ@gOmE>nRKlusoy7AZX)L&p>G2b&@-# zUjFeHJt8bb3`T<*>}z5PDh7pfaK8${B%mOIyP#wpfYzG`*Fl5qsGk%}IJ2b0ymtn} z3ZYrJlCxszsGv2)s3(KSVPE>3XqDVAL0>C@F&_DsH&21UkSQG@bys?#1@M1q5fKP` zC75AVmaJm4FW@_mf|dDoB0`J|ag;=A$+yY_8BK4MiR?7MVzr$uvJ4Rm$VBB5ji|}9 zQdZ6nLA|61-um0=%dLbMeCjBPRJ1HCQ8xManhy3ogb9YO2Qfok?;}XSImV{0*nA%v zfCHP%W}9i~NfYz61DXz7?Lr5i3{oHrGL{yjUnV>Y`14ZYYBbA;wz` zuydCb{srJ>K^1%z5PNzgB!<$b3YJ|yrzdd*8ZV4e5S3Y**I4g;a0`VU_eKX|Jtu+U zrk#B7lo&y1O=treST?)}`|i8jsJ%D9SdDJ!dIT}9V7&89GHAcEXFuH)9sMY=TlZ9t zml(<>BIdw9C+p4x<~q1chzdmGtl+I(m(8WI)7&wIrxcr8!Om7!FsNG3V92Biu}t4i z>_#uYEJ}#+5fN!S-+o^!1PF%`5mpd6*r>R-`LBF{!i~6N!Y!mY6`TDL+GERl)ooGu zLAOGtlrQzGIUb|O5=xshRRcNAZ-DW7(X=^-C3#j6M4`) z4|R^hl8h+M%-2-diQh5-b2|IR+Eyuxv8Q>o-OO2T0H%mt=aR3Tw+6U1(=T}Xc@;SO zmtIJT0*mnO%AnOW0G5y>n-n`0;1U(<)xsa<*W^88e}f8}O^`MXZ>xw}`_h*~%5KCM zLBZ!2cV)jNn9>VtS@oUSXjRBy-D}$RGWZU3_sTuPXK8`u#2wjaiBW7$-GmNfSrSSO zTRRx4%j$s$03I(}CWb0Emq~X%(LTdnGS=olPC;dx-r%e!n7%&zx_@+Lab>-ugw^{w zUwt*@C>{o!{8A;yZ%`f`6jRX%weY)J@4ra3g`NB|mc%Dc&tdt3jOop0X})aAvyjrM z6^yLw$;?ki$7-B02yWF!dIsJZ@%$9+@6n$jEH0y0NP4=`)t80C>fxVra0Jt0)QrPYI0zngtKd`A?mymMX|cVQ z^qWRN3f@;)lHQa6?|rurXPvJjg>=-$LYrK!SDdXpz2?a$+uZbYEE%R9&2-Ows@v$C z+lG$3HE|`@Yq}Nwa4iRWI)GML*?YXggq_3UeIR{h0s8odrBC%>>M}nHO*rr7Vps{u zt-$f+g9wuIn$0;{TG^}}HR)5On~9HI*JhcZL`*&>eQ(`f*JX6H7$VbfFlx_!l{j&R zhujTkw!I7GqW#880#^`|?5}Y$m)&EK+)AUI?Dk2tKxrZg!KTKo{jJUUfo$4$p?ehFD$K!X z_4qfJ7x?q7n{M5zaa?7Kwbsqwe|~G&MjZ#^4zZ8k_{kdA{R;*iw|(=S@-swB@bl$b z7z6vOEYCelZG`N|EsH1g^`L8|T#8HyOZ9FDFb~ZM+FH3oLz`cqTzm#Y%(s-tjDj`aSvm_fy4z^udZKr;p1xXbx)S*W+XDaByRhndIW1J65;D_jq%mI5T6 zztQilu#ac6;kl757kcVpQ=6VQzi{&xnh#&Ew>wPsGXEZ}&F#SJ3pvXvI+5WN`(2#tXrMiB2J&%3);j( zfdv#v?cXc&T!gnp9-!1!FZlYkLo=ijJ4j(SiEccU%43Ahe2(q>T+|aqFH6sn`&uE~ zX(aaH2T>(9Qzd3LT;;Fh28ZpS6o#-i!`0wQ^>HwCVH-j>(pSGIXt0j@wSd; zZs&APOoTKSa|h$zU4Ygd()&!t@s2#~{~L0io2EOhqb5=*u;mkVgN` z+-2D@9nM^}tIEZSdMG&33A>brqfaVpyf?W}CGgvVbZC|L>SCaoUc>vjng!HB1oL;4 z%?IhF@u}(hy$MyV`2z?hX@%mr@Dys)%>j(foClU{|0A)|(S|vq8(G&+Ke;<4n002~ z^$TPwoB2sl5rAM9Q{tIAMZJW}_bL56@lkn;_}MX#V|{bMTr zd$g_f5|=qP7f7t|9KN7(F-g$Rs!60)nx7(Y#@cgGia zzMePOaBU+)z1$LSFk9ZgDfQs|t`OyrDbHY*bY>wRdRUU10FE<(3ZweTDbsMtrH0y9 z{HVLAD=nCmbgmZ44;AfXp7+FEiRKm+Fg7nEx%c8lHKsuCK5Kqlu5bG}5^9alMlGx` z|2hJRY(}zyItR;F9lm3jWp*7RjG9d>=+n3#c?oHH;zXkF1`a$FSHp0sJo{3)>>3&` zLGy>?0>zC`IP{4?&ssv=aGT=2mA;<1`MF{F1y;im$LXhWl6w(RqORw-t@uca^aAeZ zDK(UH0cEpi?_}e#Y}Djv<3c{ZFUT1M*kg0p;5;JB@)t$ z)BPARm!-M39G40{d>Vgze$7-ypT^^9E>iCKc@0<&A6lPeCNtu$VHxm)=ltwh9PeU@`BjD)}nL6 z6JrhME$;UOzfjv(@aY&#vtZqFTnP4XvB_KQ)vMLn(+*CW>r16}i2az)WJ;_g8o^Be z+&V`-r6VduR53@<8Ur`hxASY$Y0r2YuzUa|~%GDh_RN2#HF-)&B`S^wPdL;3i*o&gGxGhnqxpn#4K&!j6JiN%zfQXTlq!FtSkFH^2?_h+d{I(~eA4i#=DmF{u5@r0=G_|E0h zTXP`_)N{*CshRNAq<9Wfnks8;Vsh7K0$%a+7aPv(Cb@^ubDnE<5xa@iwJ=;61JxC< zpN8Ctp^vmqRLzv?iGZqGyt2*EHsBw1Gd##EXz?<8Q^VU>cmwB(USspZa)kbqurxw! zU3TjySnH=`E#OTW?y_s7B>h;y4v(k_)6+KiyW0k5w{o`(#?Mw9_)&NX*QNaY#&E;{)<#&&xujmOlF26f(+LzKk z{q)`|(`v~`ik9^%>o-9lO-Oxf7erFaX%We;$#ISH6Z~c(_3uXeMs)p8;ISBY6R8n( zzed&q5PS63I+)&P)Ho%dDj>eUyKN7W%~^8Env5`z8_3m}hejFV@>P-JQ3o?Wz)g4* z;6uJtJXuV;WCJCIK~P@A(QgtmaeJ=p$R~xWml?EF=S2FQlTG&W7_(GW@~0pp6BZ)T}JhF&MI5& z@H1ETJ3a@p$DI4vvb-4sbWu;FpCS9A3UkKSTXVzbpxs~MDK_+%dy7`qam3cX>e1sU zjyeio>5pK}4oKoI8Bc>pcjpeIUD9;1c!(PA{n$;b{pHK`Vt)yybAeEpZ|0@RHBUEX zDmLF-%bwy~^~_W5_#aLhJ!KW@eVsn_a$}j=5R*YDfrU*0gUs~cw?ydM^ZeEo`Av2m z7i7qZZ|jU}L_STgzdnBAmeIkNCxHX`Dhw)uAlXaGY7lT1B#t-j z)@EhNVQ?{FIS||@BqU6e*#Tj|&IqvJ3m(&NODQ~V!v;b+=_FKY*=`khv`|mhUbUzGz z?Y1TP@PeUbW0x9f5$_k}tChS}g`xDEA2K(oyjh%s>NB@C`L9;p{2Fkwo1a)vSfo&s zSIuj9*!(qLn-%Gp%GWD3pOUo(%&9L-v-BsZro1=InOZMUBNc>0@`u+Ydf&P!mU{|( z`MfUql#SSaZbR15d<=51zeB*aysg_liTi2zB&$J3TemFc%eiP)*!emFp>^JHyVYF{ zjsi85`pAPYrbSiYM}H;xJfhSwvC_id{cskyujDdy@IBcxc!owbI1A%yB~ibbpL)5G z|8UZr&e1G3Ns@pf-8&A2{$?CWBs`|)N%am@SOV|ab85Cw6j74EJ}n1ihewseXRaH|E)17YA_@*T z%m;6R^foA5DMCfl6y5mr2GiTy8<(7i5Cq9powhxmhyz*kW8xt125IV25Q)HmJ%7O2 zdY4AHo-fS1$?iQWD2fOHDLNt`0m?&^Q%xW=w$;m-J{Bstxv`--jzP?z+E#Ab*AFT- zaL;k!f+UB6?TD4X0&OfgEhATvluHnKUG|+BsS?zX`pt925?}V7X3oEP7&uB3vlEJ% zt5AFCtBY;Xq}e-fL1y0S;u2?uflus~pUn#O9xHn-n||eCkdRNx@w*e=es(%Z(BnD= zhr{L>YRON zmf1-0)w&Jr>y*w5liO)yDv=ZyY~I$)a~mbWt(mk~_?5fT3&P8;I=YqNNuGHj5|J5r ze}g>Jhy27mX>w6zhG=h^uz#u9zy%Dl-JPK#t!O?sILNk97O0h|Dky<6oR1^rlEU~! ztO5c8D{E^?!-1GEkW+Z_y3FuZTwzJcm2A1>{5pr#N%1WCR0>e8qeK!Hgm*4ziyI}7 zrecxFJB3OZ)wt4abu#e7#hthd;!tDX>-XuR{fad!Emp@Ti{XQh9Jr==%wG={o<~Hc zGUMR|^N3KL9v3*=->`OlP!8T|J0}-mH;5Y$pWu4XQ3qX<4L!X=P z_&OhM+1)?&DDbV~^`Rs}7aKmn2_KJU^QjZ0l0MpK#TfIsW#&t8Mv1#i-+ojURR?dQPeGQ{Zh)LfG-3=TktGKvmU+-G$H}Vq2Tdicb&{@vj(&G_P zUcYUZ`uzfRez61B{LkI(<*%rNmu|G_5O>QY!`x0>JP{@~M6MA3U#VTdS;nAXZ;gPjX$YAOW>1yXfi>D zUi6_#WGCg5VxB}h;bVP@q89$3n*%|C*S;uTaI_k|OlK^HQ-bv>@gxfx<*obI)&pn0 zUKt*!)iC9A`>agWsUwg#C|`cLnU9GNa$D8WL}&V3*EL8}qIH@gS!BHiyhhw}%cr+1 z_9E@6-(-kT;b&hlK0Kw*rh=wK6}Ivz;xR3ALDAce$u4)=2#U7JS|t{*7ENV_WX$z* z)v9kAn)pj`blz~Z4Xn8+;}@jOb62j2wPas4eQ_nG5loBe= zex^WMrHHpmd0mZ3H#{>qBLBs`@W9~BhjNL$JZdBk_Dl~d)ms$BKAh}!g-mpg2&l$Y z7QTVvC2}j#Hwv%W?!iQ^a)54Z)=Tm+Q=VV3Q0PMd^UdGDZDIlU?jWX?T#pfT5k&F34W8d z-$t2-t37wuK#pZcn<6z;Fy<=W!thD0&1CG90g6xOGOw+&ne}JMuJn=Xl-!ERAmw(V zX7ftoZ@X^TSlnCmfq|Pu{<&#)aOU_@tB?NFtGv$1V(5(jf?RA;KUHuJt~>=lSwZ7A zz3ctPu@lrgIV1grI^`3otV==W#0^@UergU^Jj=Jw;ePypbC9>+{H8jdj7Qp-Jn|&_ ziMr|!zQIj`3QyU?AKI^9G8-Plr0Kzk7AO*}?0MO;+S6%O>~eD$#q;rkWmp2&iO2)j zuuHEJ4Hjn8UKnA(`F61{w7O)Y+N11dx6hPP_Hi)0A$|T}?QKG`Lrm3kR9G;5iOM+^AOdWZ^N)K*(L2qPldkkyF%+u=~EgozFy_4tl-rm)wvu zKE3?99_>yn{hd6+9D|*Xl4u?&gZp{v5*jY5HhL#T9#`SL$#Bl(&An0Z=qqe_xVL`q zYHU*Jhj0oGV6=Y~o2k1HM$D*6$a(H%GYDgW%v+2td?A>YzBw6pSJY*!39`#s^M3rH z88jXPPFld8=5g*Lk0-UO&DF~M;2Xvaffds{rMi>9JuTfyd`^1RSlBK#zU0oHLC|M5 z;{5#7(;d(=4B?u14<;ie3ErND8{xRkk6(^mqJJX1?MZC6HL2egzSCG&s##`X5ge0Z z^kQ@@Ub$4cc<^4{7)HAHV{~!vp zI8Y_BIKQ@Fmdg0UeR{zd3P~~P7gLgv(LCk`R#ditcxpiW8E zv`_|kkpoqhS|49OLc1p^-!d#&J+-~oRA%{x`K7tC*4V3h3q!~GR}}5niCdqAl-q5* z)Oe-=)1q14wOFN>(c!>o8u#`gsnnvn>FhHabn8<$=dSyjnlYIHe4z3Cj{ei^_G?ir zD5G3o6yH2gkQ$41r|Bk9W95srVcC#ngfSnC+{b^Q2Y^tCerMHs+D=#WI(=Ms_{`!am0S1A{IP7O?sUa9=iD3R z!nvnuW0UNLDz4TRbl{VPmXH)ZS>!HJ!IdpkU%u>ezvMvZ?PISqdsp$Ax69{No5B`Y z;h*U|V|SD=C;$|<5mb9CT(`s7y1joy~58H6Eb&ci_64ngBrB z$6y56H!uuYHgw`CsaYIs;18o8~kY3TF7I-wVh1f=IG%ElW#^#xPQop;^ql-QezwI zIPESCmi!PwV0Pf{taDn7x+sZ1{VYLgY;J#VXMU`n`}0gsFsR9x0;XF$pWCB5DvO|w z(vII_H)+$hKMe(xv!Z5OEWE8{N0cjr`nn6=`@1}L6A(~Q%CyKj$WFcy7(m{3n+*QO zoTHMan)5I}7e|m6GN%@F3Cbf1>dwcjL4m(ys(_b5zVc-ZbWqjT4$8$@ZQk;{EYYLX z)z#(k-shX`O)h}Ym=9*TZmm$GqM<2*qP_}?SJz+lrSM;s2qR4ovIq5DZyVfBOGc0@ zM!iTE#Y9I(&;3;N%~6%X4x~Fs+9Vh7todLHO2F+vwKaw|D1UGFK|x!YetH_0f=`{Q zlPpwvlnCPjNL_P*+OMx4KP?-HKL^9O;Imc#T4 zX--C<C(XS}B9AycTIy?Ms6BgB37znGY3`#WG^^w!ca7M))~H z>7WjK5)_5czbZI`Fx^kn%29!`Y#z7IzhT)MJdKw3qnr4O;O9QM6oEKO^$nrmBw_y( z`U4r_-R*5nwqtd~Pw&xo?ryJ@A?jE-XS!orQ}{iIru)xMO--Q*3JN;uxJJDI#cg5d zud3GG^Yrp!b)rA*j;6ThhA3oyH4CZ$^5s9ugX;eK?UxlZ#GsEXUgfuY_iW~970E0V zg2GqI8}dm`WaV^(;m`m~m?Oq3P}qFtimoz?s5HTp%lrwD3FgzRFiXGHXxu~cakNsp zy}h*mQ{~MT)VFm`IM#2f#EZ3SS?njp*01^zdH0G~Dk|R+0M(^34>+X8?%4}nR?1ek z7YaX%G1CjegN(3&8lUN*3?HON!T@sR3X;uDc(TE2CAyb|;<>LF-8tp*Qno6peyUI^ zm0uPl#pM(2$x7%5pChug<;`#pFs2ldEKhuR_fCe7Ingz&X3S>v7h%^x=CQu+Sn`%gwK1W|lB7_Gi<5xqiKDTYR zbi<`yS2|c6<%|k2^2KQ->S&;^g?;-OVUdvEDqHtvNPwV$VuuPao|&J25T@A7480~3 zp<{GE@vyK0;j`GVU)m$axKQHrvG`7dGyEZ9Ksp#;!(%>ZtVneS+699t5-Bi)%pA(5 z0wQZaE9HLqaLeFPPzV4r`Luq1Qci~(5kmog*%2U0OAJ%8;tt=BcoiL?Flf6#7q5(% z=jhRYZ#r!X_-@r!L-<5|R$V9^OV(HNI6Xb)3o&n;G94xawzY%UEMK_CMmsHEV9*@O z3zZT3txmtBFS^H@6dUG*;}{+w1`lB;R(F9zGsxf(DDzko9<4l*Xj|u-1vT%sVva7? z^h%W#wnM?p-JQ0NlDfb#iYt~lm zc#@SM^Q5b83c^^r<%JD7jZ!+Eh{9rS$O!pJu=AN*$N|!%uB}GgOb1~_(Z-l4di5O3 zXB78DDItUa%@ZXJ!zZ=kU~^#9aJ)09+Ieeb{=;*d>#X!F#_iPVp0G%im2*BqqL1%D zcu`2PCeVEnN0;BBl@bfNd>Yqoio_e{M~mtdu^)O*DMCAp^G3@^F?g|sK*$o3hu4H- zd){PVDF(e6<*2n<&>D5kwAUOMB;TYW6D}ORQ&a zy+r*3EY9Mp57Bby^e+{FD$+^4Px_)*(ik^yzZVf8?S;_gwvhT35c)LXI=S{eINN6R zl8P472RhnHoqB??l99IpQ|RKSbdWC+hDcXfzQc?nYZid$p_!qkF@j^&_<|zk7G`X9rx>{#~D?Z;I29-44_*t0m=_VjuQrHt(5RJ;>l@>u=4?CACA9B_AXSj-p zD?YzQg?aW^V@`1RsGYdU7QxqOqM`4>JH0~PyvU43rM;?e?AaXi^47R|{Qzzeev5zL z6^daLqyBwag|CDV>cAmd0Tzv|je{nIY+u_hONh)6#r3affvV>oe;H* zY2F!rbIt*3+6Jd<1*dkT7^tMtAiH5?dh}1U78`m;O~v#~1M&RXiZzObKYYn?-h;^& zl*VSg8V3?lYQ${sD-}naI==Q+C3#a3M=2F z5{T7{xB81HMg+zU74D?ea~B}D+}3a&G>gQYdNV97`e~EDg0kOQJoMz)HTU#~!NtD` zkPlll(e|Ir`V#!y9^!bh^t_>Y0Y4Qs*T*wBiyzX&T`--d(Bfjr1$MvOka1Xy!L|ji zWow;Cx+m;~pNK-XZZTmQpE>#lAbFo<&dpdnXQ|Q=;J}*QA%1nkHM!zS^X9UVVO6{35#x2 z@b2Zd_pJy&O+A@5ubZD$8&9fbsA0CAp6Ij67jSV3O}wOMV*%AHbI-?i0bNX!+$OL( zf9AcuPP#&4(zXI^;q36uSXHjNhczVTl@n**Yf@+RS3Y$mBH@20VH;+zs=}zr8Xot$AY~tYHfQ!tPm-AaqBaCb6?VTa_C=X_DKlxARGS3_GvDRI-}=Ku~yxU zi`quX66$PmH9!r}WDE12j77!wBd@b3ees0bP$Zlp)1YFSMfZK~2~1q{Do>9pF5E`r zHN3)uThc38;?c3^dn&s~>FWy2+V#s`-8Bq*qaTLT5{t5m*l<;$=o4Cu;8y5 z$D_>i=i+$%FTQd~6qmtI_fy4LN_&I>-->-+Ez|L$bVW7^r9J@KQ}iNMZ^9~cg;T^o z0ey7oWQRyUXO>ow>-ljx?3)#D32)RahNu#uVp2MX)u+D-Va7k9vGzQ6Rlre-2&EsT zS#s3L(`PkZS&pxXWQzOpB#@ zpX*r1owB`IOJdHcpT;v6W_d9qN;IBkqTj;&ty8Yc5Ed+~HvK9`p;L{pgBJyAa}%an zv3y6%0Q~Gb%^a1O_Rs83IG;Cr)HxItY23;tvyus=L(9IX1DLMKo1+UH1?BCB_Mjq` zYI;TgIVM^WQ-y-MKl!b6_TIoKp?)leOTm}Chi1+(j#sUVa6@#kJueR9ES@wYJ=cnf zr6VNCaqWFEVO@inBK2!KQz)fS1(v-Qth(ZKd`)GXPls#b=Lb8vL_VN^n^4s(F#W3k zl#vV`B}Ky(7a_8eDbf1`7lvl!*hO%Q&^*&hnd(HhNMzN}T^#H&aXO{BQ&{`suMUUR zo4rebySai7w#;DlnHs}2_=Upw-W`Uh^Nj|(5daRV8FBPeJ5Tl(nKL?Y(wS(JG5O%i zZB*-@AAC}+jiX@dd3Nl{Tc)mk2M^d-9s1|ep}HB<0IjzRwDV7MUY3_NZ zJ5!Y5(n4%7h$>$#wA07|KK}BCBCwv;HvX)RFLw2zP?`K4!nEk!={JqHn!SSr~;gHD& zN=%qwAGY3sZ&wm0JEDN@?ZRi^8l;Uc(kR6~d+q3B+WlB--*cBXpSU3CQB04%tB<|E z;>!-ksMDN#+It^z`S=p{~_xwfZ__4u+d$dV8Pv;;K41p zyK8{p5@ZQ(OK^85NFW6F;FjR7!JS0{1P=~*hunMr_x^gRQ>kKW&P-3AnV#OKj=&8!cM}Idwuxuk75li`!xAk8qJ3e_9%})Uk!304Ek0QlNN;|x( zoTopRs8PF$(HL#28`~9^oKJc_4bCw@QaIl%F$vh`zYD?5{)#OkfcV}Bg%VdDJ` z{BmwD$-VN|_leVc*KL~ly<4sim)e%26_iE<-`s5{CKBaxyhIwVIT1m@viCGj?aj>( zGgb{%>qt*pvISn5TN+`{*<7k(MEwxnzB#JBegJHx)rg6iBMe1AB`zn?E{^*YwcO-n zG1|aot69iQ!sifi@W%_pak|x~q)f?=A%{uP*ShKuOl<=|=BPm|6`d9OHE?PaZ@!1= zkk;OAFtq;-m_!yVlX*Up-Fo#$!`th0q(P(Jqr^b%4c1v#EpTep?X)0?idyQ^$6)~2 zI2%mg8ufe__VD3e*6Nd?*eq6VXH|Fbp&O8w=Bkl1Iug1|{usK^T5SsNyuLM*JOJPd z+k46?4`&Lz-y>4w?Y+*WCTUFT5aN@``anGCKqd9~arnX}ut2`5VF7?SIjy$_QTq#r zfvWQYMZ)LSbhsQxc~Yvir6g2s^OP(Og)V>joW4E;U{J>oKJXWMkO|q@XdtZRbu_Fe zCi!+MnY#3soXhq4%7jieNnZksP4Lsbd%qr9*N>CyK)Gm4wvCxsQaq?iIlsj?3=g?C z^?z6ZL9ah2UGks!c>9$pgSG86&Ce?Op7Dk3xm^*OJ4&CIp-vg1c9@M7i|D-(K|knU z6y}+l_QsKuhF_ES4+a&!d}XbyU2cRCZOzeN{7AYEPVE1gonPf?GHchXzm%_8t4?oa zzWK;X9p2UD{hOgIwIr^-X&hQ3qogWL_0^o7Lpg&S>OHet2;{y?jFShdr8|Jo&qPYE zQ%akH!rVV|JdcZdA?f1(1|+)tJ${dVuu9SO*MstGdte}6BRR2296RNKhBmEgy>d;z z$=NV=?Nj#l?3eHe!V`Gb9A50MwbmdBTE=&mlWPl)W7h5d7f6WFX&(bO$a;NFM1j!! zTrt{k{d1ja@OPPd*glr~;~wwuj!aW$Pa=zo5c>Wa$sz=%?a;73={lTLA28sGH}VM+ zxw9*bPJ!4HGlpyy-gUcQiep_vcYgc9An1Qk#Q>@PXLKT$Thbdoz`tY7lTl3R6Yqk) zBp_b9J`GwWnk^^4%5BGSq+YG@LDl8Ri%-qQgw9a|cnbFpVP2_S*2SsXaOWcG@atQT zzw9@+9zEkdE4{>jXcBNGFw#d2qHY20y`OJn(rsnpwwj6$KxxIM{tBra9{%n2cz`j> zVuCinLEZzP%QP6&46HWg)2YeB{t#CYOisE=)%ZO@MqlKFrY`H1t^ajyA| z*l(VY_t%P%Ul6=PIZ2CEXE*hZ$q|6-8^-I=i`F%t?bcZEx1SeIsP|YjbX=|>N1I37 zaS-v};<@{891B7k49q(&g-j8sUchgraU_(6K@K3hc4YW$YbC>Q8og!FLMyWun+^1wUKlAPZA%?6(`L11W zRWWp`(;-m1@~1l006Bp%-91sNI|&8sIi=(u9-}k&=}srw{Ia(N*uDhE9GCH}>1edb z`p^D(AtY6+{1ngie$x<9s-SY9>=puKY0f-@mqa$r7s5`Dy?#Q>0%{=>!1C zAnXRUSqo>O(_EO(?;F@nZwzr&*txPA$= zL?cyJz#|elTQW#%4gI#l(CEqMj!5CrZ;Yk ze5%`2Ew8}u=Q$DQ=dQBq0oZ945zCfzy1_Hq}p5lFDU`c=Etcd zt<&U`jC#lVySgs7dj^*D!B7CPhvH%Kvs54DF+6sll2i}>a`Ncy-pEJW+0UXB4<1+m znnSu)o1Bvh4&1%R+D%WosPWZa35@w3L9dZ`Fo7`y{O9YivXm$Ke zJ0>>#)3sJd5CGq1etnkb`uCW8wp^RYrs}D5t{59KSD_CDva#mCt-+v3Ld9k?ecBAi(xgHz-5z6>z)ce12T3*yykoXZJx;Z(Sc#k z6D!gW2&nk5hV!zDr}1+DbUEBQTRR}m<46MghH~g;=cq6roX6bB`4R%a?!q#o=cu;_ z76I2EPEaEuvDfzwW{3VuP`f1*h5jD`(XJqqf>Wv`TR->VR=TBPw>tAH)!wM54VRPb z%N7sEX>1#{$9z!K&Y#11`7{w`q&Sk23a+-!`xEhHzsz%s`^5LU+tzm;N8v|#)>8Ez zW9mYlnJ>XpX=!AwSqJ=;@jkKM=Yk)pZGKnr0?EZek>MW#*&&f137X#SFMSUE1?<&d zR+aw9KRSkQEAaNU@W~pCWJ}8#{I$!jC$oc*X2AE$1+)fi(Bp533XnPTGjLHf#emPbQqU()kdR%Evo^ z2Ihg>BK*3CBb}p+!@8e|$L^;_=C3}J9rkket;d*Qp`S+e=pu3WuL#7(uTYWhRK%Yo z`&@s0MSDSog2xK*Bs>gArMybPkQ-m^uNbnJbt~9|Vw+dV(ZX(cN`qd1jic>E+LM?_ z#nbOf-eV49ov(f?+c7MoZKSlP(xdj~33@j35xP8WBBM{TxlF$9=PS1G2Y+sFdLfDa zvR17A8Vq%wRm3ZX|tuu^)2bY+Cj6C z128cH_m8N5P78j1)d{C)_I@mT(OCM75!nLC@uvIEzNULji~i|f!%;JZDr#1@ z8y;?kkeL4qn0H(W0Q0Ckau!N-zmg35y+tbg8mlYZ0@%cm$U?Z>*2L7(A`sKS_3DI#dhplIj8Px@l#Ugvqwigk-Qbno>}VVyrGAl< zJ}(Pa{Gd1{eVIuC^iHx$cUh?e^>u`sWjE{2$Ik|Nx>>s9K4lyR{aYdrkDV{jcL+r- zhyh5P{$p+}O2dP8sRm^S@@+Kz0LFY?rAZv1VnUeTH%m;+`N>Fh|zyJ6ob9MUGj z-*!GR85Gl89W8wPg)7T+jc1}#o;EIXB;cz4wZPrs{=n*@#(kS*r8NNGSJfEP*OoGY2a6jJjd* zuglD~@k%vI@?l)T11xVGSNq*-fg~mCavh%C%xm(gHml(bW_=OgNFh?Wc;t6%4ha|A zEtFFYvaj(6l0{@7*&cdlEBVvjird-S>me=-YjkwKs;+UBo5jdT=gL!vRufv5~4I59eR|uBT-h1i{ z5V!+}zJ$=pMd^Pe6y}jikJ#R!XHJ&Rn`u{#$M9-!05*PJ{rG>04%N;MQ3?uG3dsf@ z=LwEI+h6(NtJ-s=zN*clZ{#RkiSm6_>wT{QNL0rjNBi2p9k{Cp2&OY8?0WMR)gg~x ztZ{7^P!vwEN}z{fKN;Y}V&ICQ9_*0<+#TKK3N6o!FP`_nRzmK@u0{vJAlIJ{SjS|| z6V>IOlLZ!nTxcJ#&7DzlswuX&22LpAz8*&BmrsCOfg2kUKtubxJPP5N5fDYvsHht zG&rQu?KPaB2Z6Se&GRAHqw3OEs~Qv(fXEFLQisw1e;HRlTx=A9{I$v?rTT+=oT2tz;TvT9;I943*~-ip_pzZKH2t zcpE*m5WTFwWp<(?gRP#4c6=8?qO}&-FLWI@X%v^cNU!e5hQhgED=T1ia5v(;TIPxd zo{KP|5IE!5qazJ78ZNg0WXc00rWiMl7XOQ?O$m)h610Ad=tbfkYa{1x*5c1yT)ZHyP!T=ne;LVsDT*Y7R4-;7@5HW2T}PsBZrZE_$y&XZQ0=G zI8x=aK(c^9WE31V{2$>*X>ImH)LA*8C$uF6Kvs*U{P~4pZ(x(((gJS0iO-f^2WSpB zfR7>|2YNsC5(0^hKf0+iw0 z|9vQf>~l9SNcr*#r~A#4k0H7lJd~1b8h+l+k{LPxYHe0cFJfePrq2jNy|NtK9O_@; z7F$I6G^*cc!0SF1?wXPo9-NUg?xU{IH;YhPGA`DMe zWAnQA=TzA&Ww+YWPvgUo>e;2Ny`f!G(9KH_8)rP|;YI$3=1PNVP9kxI-l}3QgC6FHn1I@?J@%>SI&z+i!A>1dXi-~OIVHhO_{DXil1xy;Q zZs}*i?7eMyYyg-s_)0t-f5JElKA!@L4~ zYl-xoD(NMcZz>FgY3n@hCoj*{1cwhgs=IjU1}{)0p+F3J=m{4yw~#iWKU})k^bd=1MrergY)~s1BqyRJ10Xu z4CtGH`7L-4tEl4-L(C* z^=ncSpapnli|9f3B7vQ<#XFU;@!4+M=?sGxw(Wwipl1Z|E(=53Fq?y(av$X)?7F%~_nUN|t95rL-0X&5Vg5nKna$z{IU)BxEFmjT>LEaPjD zhw02vqvp)x{5ES0S8G$6>Bco@3MQf{atmxbxq~P;?B_&3QlAJaq(t^~?GsT$G)t$d-&D~Dk1!vN?%ZbsnqSN)fr*8> zU4?aAk@SpR7}tUxzv>@$$rcPwHmRIkQX;xniUx0ahT~~;{{)Vp*P6?U09d-q!Bv77 zG=OI_!z8GEsftdIg0U$Y*TYuA(h%|32NL>Y40VNMyxtv_fvT5*{Y%RBxv?5P;8iaW z$u{`NUn~Lxr%fewVJU6d-D$?+m#ys!PCeY z_YuCs#9CDEWz_-H1u4P>!r-m4@F$*F3?DC_ROg0_FBZA%Au;O(FHWJNKQJeH%ny)q zm6i1pX%&6gzUts&GFr?pB=rqF<_!vwZtuIblNsc?W1a%uE*%}14 z`*THYjD9z~L3kCQ=3?;?cnzRR06Ja_yyjKM<#uIUBY{;)^P;&NPFZ!xaoL(F6U=!= zZ}E$$UW$-q)miz^%hVsn??pZ&yzGPJT{M8U?==95hF32Ho~d?7L->VZoC_I2At7Wy z^O^W&WSCfPJVs*l#nxtGWh|g$umA#(&37}bf!I1#W`MkS;Be2l-;kKsf#6aZsPL&o(ls{BJqUwhkl9YQNn{>qR0j8V-Ds zGDkIlKf#gcjf2RFFJI>0pJ|>mM=Cjy2g=xs!U6;G8$26KbL%nmXVc6Db>iEn0!*`~ zHnc6tso7%S%fvI>!|HjBO_&@_xQHe&^BM-~j$+z~d%=mhhXTswpnZnLh& zVwe*{Q)pTlF3UVk$^+nTa#>bpu*j4cp@?tToN7nROk@5!d9cgI2~7P*%bp;1kh4`r`9ryO8%zqufC+4ifPY(vEeOi@qR#ijRnY8tYYk=KklnnwGA!S!n=Esj|uPBlw zMo8HL$&4&O)x7f7;;pq^Iclp(QYiE&ubE5n{*jJ^dA}xwrOZPnPe)Xv{P6}0MFo!B z_*veGI3Znnk!}n(1!~5*Jni94NkL=4@GJY){%h_pG7uFBeUqCfe zFJPQ`_*m!L`gX*>K1+P$9ju+3& z_ge)1!Tqwx*!p*$p%AG-{P%QR#m3_z=3Z2S+(;cZWPyD(9w9CyOD4{aL11sLztlly z&@#}rlD6n&$XECcOidHdR;Cu!IQ!F|5~RZSidDnJ0JFxc8wQ)O@jh+-;GB}hC68LiDG3!J(isLNBnDkaR_U)8A}eHl-i-v{{PZ-;kI3kC@eK`= zLhhRNot!4CPZj<38F zzsCJz6DUZ~_}$Nxbrhzmq^}_rh$>hK_WS&pm?1L|Sp0kOGvIyOXQ4uF5PQVskf;^; z%t;y6!vL2E)}t9^fuFAvbWCaD+bTwcq6%zpFolpAI-^{Cn3#l!D}g8>AB2BJvf2?- zM@%AGVGS01xeP)Q`~b!-n+ER}NX*fo4Q|@?%66MkW>{OL%*m}L_1sTKNy>ljQ}oos z7C}J^$w>pThjL@2C0Hz~jezW1`%#WVh*mqk0t|ld4MmB(M75%W@AO8p`<`$hm#qjy zSJ52s{gQ_-O)&+qa`?xi>0$d8yY8}swS20N*A2tioGpAPBD0~o!mSr5d9nb5QB<(kt-M$t`wE6vH0t*gke6nB;a02WZN!z2tOd+T#y>4J}7CDWiLMB zMJ}1+x|iXKCdj6OV2323^uNy5i({(P@kC#Y$V5HjZ;(=UEyQA}-8a#A^00IhksT)` z{s*ec`#cKt39W<3;4tA)?AX)Z1tRVT-`K@8T5^vVvq%DB?c1W1&=v}liW4aMDS*T|4L@>s+3Q`a!UAxL2+&ky-ivzCHhh0 z^$l_UsPDNvTI(dSz}SWD0zU=a;E6HtG84$6pbA}Rw~9M=qz7tk;qr|YI8>qeyim`D zv`Jw$#ay^F#J?vh*N)7BTM7M6yGt)iXD<}y&g)4+KTY8>HLp1NDcZKp^~U83Zwi+7 zM+{F}*KEF~s*A}s$)#h4jyEfnJLSIxwrt{UCXaYOq+z)|t>qA7)YI}QcSBBK zJ19JajKa8#5RTr{#=la6d`98r%P$dd1^?WiB^S@ZO{pN{zr+_83!ILnIH-utDya!Q zuf>a`^Wb8*+87d@c9Ua$$WNpu`wKF{+*dumHK)pixlGEhkiVImda+|s1DL9i zSE4p)0sRS96pY&yGV?d6EGxq*pHRFJ$lxfOA}@@o2@JcQ*4Mnn<#hbaAC@t|T=_II zQ4u`&H%e$aMYbSBJ26`KBx_lvv;4Mm>` zj;2HLBw_V$OV4sMD(bNlAME#TwwnN5oAX-s?ds5Y)Ad@WxA=(>gjS*P$4f3IRs(q| zdN@2mrx=VtLczM8+8ixe1w7|_c)C?LyPRyWn!IXmvz^Zuj0f@SE_Q_9e2kK%ehI3MZxb3b-?sjx>9%yHx-}IT-YuHOJWEhOQH)zk=!gp`Pp+>Q zg{bCKSmH_0<&ynEMnf%I%hNPi zZl%|^z--Q@2Q^SVaRtZWxsr3YVd&mp=pcSmfs2!BcT{cEBb#OCw{$-=+70UNYeT^F z6Y}Ryy%x#F*iUtP=^;n@@=zK^e2eZpnYbf3mNRETwD3@bhg2vmf3WE2;Cpkrzbn3A zRk)TSspVg0K?H5-u=9uJk6{OQ%YcsqhT^!Rpru9}jS6lNGB^~)Sq`(5n*%OFFrnftD|7&u>LCuTJs-PDz zj0&q;t_y+xBm;>pnwWlrtw@7OztSfO$BdoN_^iQd8oAD$h{42Ebk^%MD4mL8Zb%4* zzMqu1E{noGuV~aE9fu%4j%p%#FFjqu+iP*lDZR(RGmN@Ag>z*~ox%s!Jq3l&m0pH) zrMe8(f~w-0~hGO~Soj`wDr~$*puEO4!Z`A)dw)Um;e>NsI&D)@dP) zNx}mP=axwXrkAGU)hw81Uju%$Txu+_znbaIrezEnc_a8yYJ5A%ZIDh)4)f=Sxnx>? zfMHspfgnD~tH28;>GL3SGx3@kvQm@U6-Ab5`K1VU>|S`--m3(69&41=ef|N$0VXNR zswhbc=Ae(%=bK7FFwfNf#HcfZT#}Q=D}#lt;3fZqk^a&xvv-*$xh@CBCWDi{lht$g zg4rOKZK$8y;BRsDkEB8gSVei!g#OoPdek>ci5IQX2?FWGBfTfB+1`pYa?&9eqpSu~ zsh4DodY7F?T{$ZB{>iEK=k;{rZ;Ar3Us^-ViW}ra6lsWLdLs!3zO7lXD^2WFup1bp zPPdpM5lcGC3gPAh``@4^7D(LwI_8PTa4qTT9zC5n-1D=Mj=%(2;mm#$MRwcBxc;M; zd|VRlNnSh+X{1bi5idRzK^}_GPA#6ejl>&>Cy2w6i0}i|=`udOh#Wjrn=pwG?TIir zA?#Ek14rkQ4U&l?rTxAx9aoW+z_vxNkxc)HGB|Cnz?5oL%le-duXCRZjXtWt2E~Z$ z^yCQn@A{R1Hl80UbyRg&v$;Vau3(+C&Q(qV{DZ!HcOJ^17)RX{#f8hmkiFw8RHF3f z8XC_S6KRFRhlvI2x{%ONZ)m}Sf1^h}K2AX#U!xMmKNsP9E@D(S(r;2X!WGShGU(J) z=T`0r@Fe}~y2}X)(AxJUQ|Y)PN7e!s1%XaNMxM5yxb%G+lJ{_@Y<3ACRNz_BdNy7g zSA>bQ<}3yVR<4C=fJKOr++YK7aAFNG?V1V8Q{_L`Wv&{CE!YLWU*!DhShmRv6_qGV z-0o3?sfQ;5gBpy3g7REZ#uTM=TuwNxjm{9}|C9o#W(9q+l4}EtM$UsTjeZ+aLLPmF zB9JaKf@Ak=DRHQRe5IhdWc&izcVkmIjE}9Zw;dg@gD-~*r`snb)BAygSt^((9ZfsQ zVSGJN-9y=hx+t+VlczeWEF+D*Lka`em*0{ZRjmX5t`6#DdzJ;3XpGILf3-1!E&j;Y z36)<=6zov+edKW#oDvr6Ao;$R1VX*Z?OyKDBeL#%@SYOT_9^&uBK&KIyzAFh4)vZA zJtRvf=CaNx$mn;tiUw!hpx~y!RVnJOSdatw#HaDYNJHu`R!GsN4#@Ge3i)|>m}$e& zKxm9~`0X#ID@`<#^@3>_S5JMf&7#Oon!k9mAs_iua_uB$4Bsb$Pz8XYq7FkCH4UDUiG#srG2a`EkZy404Qyj;LqS^vq3QsVMB0raheNslXFDq5O5t1pKu+r{|>(NGTaD2}{wY=%FLLDJu zerq~^rwJ>vP#wPj;owyNEuZkq1LXe;j0knu&3cJSL7yz4V5x!#ftso!jm_8=FKTYi zlL=COe>886&zb!t(KI>XxJmbsLcQzR1HEM@$7_-XKh$`9fAqZT2RP>szVLzNkU3_J5HX0FQ9BU_ z3|~4mC`~vGquCQ56C}&btVsf;k|2sOYfdLO#~C?BdI#uQfe#|t?L7*EOknsma%XrZ zu1$e{R(=o{nkoM zR^2Rv5?>#opeBe917D5_0=IiYJ1H|BS;&~kETHwVgWCpEwkc?J<6ww*_C4oP`zi@y zG+uAZ>pkp0c6ee>2ZbS%I+ytxUbVN;0={?Xn1B5dVhwqF2PLKyQ6ihZ>ON-OR1ECx zPxEVrcG2Ob2`X9tQ9eTvO}U_+tl~J_-Iq&~fMI7z6kpl*hCY^YqR3a{CAjPxt zRYcfLN_iAhIa19y&Kg22v09{H`abr9nT(8aWCC!9FG(o|&%`A^k#bRsrJL4vJszLc0_enE1$L(*9RO%i}q3)w0 zU}Qsjlt8YmSP>Y zPoH{9)<08p-toMcm@5r?{dGKFHCbrb&FxUvPm*GM6tzBqc3w)1Q1DlV7a6BT9ywrA zakXeyuK(NlS}4{)j_fE zzsVGEe@MaM+oDb~&QT&{r>@W-iW1Y2X2VFYNpBB)ICb?S6eU&*f5LLlp8HeE7)~>g zJvA-_*tO%Ar?Rm2=@KMWGU2G5Hzx`_rsJOk@mJRzV_jzmH#14hk440$cmt2`;GNqI zDa)HEnhTHj6MIhQ*H(!HR(8+)J4#==WP_sy1wC$v!s71Wc34uC%+5WQJx>R&-f%M6 z=TFFte=DDVrYo@=$sHpl^)e2p`HGqpl{3SrYH?LW>H2i!{b#_iQk7S`OhcnK_0heP z@*ZC7rX9KNO$K>6VfFXA#gUXfIY=Ppv2e*6)-Ya(9AzLL{YY9j*0xQ)_q{bs(GKH1 zY!-Zq3FQZqoq4I(!l5QWO>s|kVPwL7D73Qv;peHj3j2Sv-<$S3FE?#ml+*$r3OL#* z(VoTeSA|1f=@iTiiNbpoGn)B&yO5fa*@JMxRC=byn(4+%LR#8Gn`ZC&eOIArd;oAH z77n;l=VLt5wd@!B)Y(5uyX@cfg1deIMD()`TLprr^WgTMyYG44|HOOEFrogr`0r^z z$(1p0vk#<9!~lQQ$FncVTghd=+nmS$8*>9Y_CaTP+EWMza-6zCRXhO;aFqIv`kJ;y zw9%O=nk?S@MkCa>rj>&`I!pDZuirzZyv z*7qc|?K-}_Dir0?vF&dkTUuTIz_h)%3D*FmZS?L~cLDtU)Wc7Y{n;HU_w`hzJ&XPB zxAvW^`X!u5@evZoa_8R4uc%~H!^eM5odiGWH(Hh6d5BpID<9qY6F#lflBQJ=&_jM4 zHi#ca%-ODd#->Z*h3w0Zng|mz#^*`b*H~w?y0Dz@OoTTrcLblO4i{K|%CgmHqQApD zjF#QRz~<+|tS_GE_jF^R#}WLgC=yLj9bPyRZsM}FpwO=V3(@h$O_bfFJp}0|>AS5X zRHi3w*O+LE@XGAQt#U3?Z%3ZO=$u(P3Sab|c$O9T#BDjA1#Mu>HpKyk$A_Z_u{*z0 zf`FwuN{LMF&3k5x+KcPo3mw~fAC8xdB6HFYwWXIM#mt5Btbu%vn+RJT_Z zEQde3ZY^Mon3f9g{q-hEXMZc+aqzbXwpf1JtM!GG!AGFc(J#) zx1GxkQDugBw}!kcB^(~wJqvvvC&&XoyJa`kd>Ba*mX3oxrg*i6v{oG?Pf$52kTp6k ze7vpS?Gf@$@p&BHdG)e-q7mNc=c6dFpyy6rk2n*Znda_UOGa>C2nU z7hgj@!${6x4UVU*jmM(pZ`V7v`F9o#T6U`cBbHxlMQhboatoK+(8NN!ImYgIR@A~! z6Jf;L7C+PiwcQ^l$n53!zM62r+!po2d&6cFoBJr%?SNrq@%`@B_8QWLkoY=q4o;a^ z7_rG|O|z=OB=G1*wOl}7MxsTn=R5^^6iG^i#dNR5{JKex&el*ScOW;#tA~uTlL!CB zk2^OW`%QyqE^#6Ez};-v0G?N(N~A@kmNo1C z1i0x^aHZISa+s9eWmagDn#8&-GzS5 zohNKOd7joD{0h>Wd@i{|Sl~Y80w7P@m&=tt4l--DGacxZhM%PO7s#K{2)G_09B7vm zO2>Htw7rHA8p(zDgJ^pkOw}WOXoR?xRp;6;$My491QRAP)dMo#miaLD;z0%8A0JvI zNJ7isB6Cuk2=#^oekR~0+XJ;|{$P0%q-x@`H9LgsRXq@s!Vix z_nAfbnQ`c6MOXx*&058;h)*JVu7J6$IBzv>ccGp-U{RA9Z)78_wLQin5_FO+yG5!P zWHxOPY4tpaV)=WJN0xH;D~F#h&+jkzlfVi9B`c&4a}X*(HgW@X&Cw zWa2g|+qQAGEX{xbx#e>}GaU=`O4WA9et+o~uj5)XQX%6+4=(*vIu!)6GZf9I(o^HJ z3`PLjuLn0uQfr}%3ycFdW+6;RLHTJIE0^9C-D|>#hDe+m|0@;gv>c6`lM~p?-L3hQ z8wiik#euC6Z(1$b&F03}L4`%zkzH0f{hqyAr$r$V+^ZAJ+}sTB-H^-!<#I=?8xLfM zuyT=FxN3SZ&S?lp22&=Eal3DF-dZ}5)<%UbtCk3BZ#by_Z;s6NTr4*Koi85C715L6 zE!H{yXne)>dN{Ar+*W2y*#YOc&7qjD+^2 z71ssU9V8hyV{{GPZQmvafXH+r@jMK0jex75$f9zfw-%hOg9_2T+kLOoHv)H*r~?Zg zGKAeJo;hO?*Ez(qo0d!91qq*O+R1_Dq^lt5ZChx96$ zH8^jby4$H>Idi^jSF;ldo|8#s@?+*b-P_h8Ntg)YhTHDu%@R#JB`N~uf0`y9Bi4Wo z4sC3bXO(O9F$M^ujxF)&gxfZHm-AlzUilg_981dob2F=}VmYeJT&I@GN#e86PFYId zw^#GeQG?%`UEf)>>hNE+Gr*Aw-=nAZ{D2EpBqC*_mM67i*fha)VWnWDs;UQ~^;@J^ ziv~h`mw#aq!l*6Ze>!cl>}fs`Cwjp76E2=m{3@KHyX>}HJzqT_N6??(kI`(;-41C2 zy^{6O`b87Y8-+u%H-2RFBdOAzA8$Fu?BSMVJL8z=O1;|ksonhsZruoH70$m5uXpy( z)2Gr5%#Uq80#gw#;`s}!cBAjb05K(r^Y(CFB4eNv9uO_9FYw}TvUL5TB~^r@OAz}P zxlG%@zI@kWhCmH)ZA$UgsTZZDp)N}+(^83AD9{}6IRhwHDV2|5(?o&F?7zJ+`)_Z= zIdj8l7xGc_YGjD2i1?XKHL*$A3mSs`+v$K@PVUpx*Ius<^FAZh{F-50YO6; zuc)xQJ(`coj} z58U*RtYZ3wG3$EfHoGj3uAWUIXYS0D)vfLA?0DeLhVM?Bo0}5ArEBUQZUSU_$_!dY z*<+2>0FTS7dRFa3mW9*#u@?6HzYOG!$EC9*Wd-PxT<7lscAh} zoX!6@<>GD>BnIZh?Or|jf+KUM<0%JIMmR-=*0Iybg@lNcekNtE#vEQu)&(7aY_X`c z2`N-QY}V@{uc&l+H7i}0AKs_U!c)Op(t*D57;3fw}}B8BhhN zMx6in0<_kq)Nxsu7p6AH!}i??sD2SpB}QaK#J(eU=J}E%AMr++ZPwhdCHK!-!^+>n z9!Es>+?ir=k&$-qYV{p4!!0VutVx|~^;1?WbR9mf3V9sqi!w2lH2t)%B*eznn6~7O zZCG@y@<{ewpQ31q?|YZXmDIQCg6Aqg_UhfccLe&ZX>*w2+qe1o`PaZl8fJuVGjqLF1AG>?ATv<(CC5TnYebIK9U0?0i`J(*2-dDR zHs3O6@OvOX$PrGRxSKxRchG?x?1)U2*XDL<6GckE%Cqu^4rs9%kl*tyTL9zi z)scs9FK~I(wIM43c3w~Avx;eGXi`=I)ujLfR?DM)(Gj>BjK1Y+@DM1!WkACEmUQo1 zRxxwiCsE%T1B#YLl;1`Ln3$Da!e`nCLM&l8>~73w7qQ)=@2E>; z_)ba@Z58!22-(dH!~fV{rJ6PllnE>y9rc3+Q0{m|Y>j%Oc&8GM6!wowYt?0@w5Ez$ zWj5OVPTxkz6KVNzoFmHz7g6(HKreh2BwW+1Td5!TTv>*%>kJD4nQ zrGUjr7Qt91uE=QcVHZ!3M$9rGxn0BNwp#Gi%Kz9siY!ty0$2Rp&o~+d|LimZC5huf z)0iAQ?y%!#ysL?7y7(tTZraB#WOr?4&M1*~EsedERN2`04akcjltIZ+bH%EPMxGs? zKa)tYT@*;-Mb#&r7j#i6XwfJeCmSn)GK$g2_UKsb1X#MDUFuDi|w-NvddADoB)edh8bR1K4uLp2NZ9G9R54x zuyJs3vXmhZnu#RX_QLP03P2UKyehuTbaa+2vvvTd*YU>2h7MnLr6r(yrHrv%JL~!u z4b3SSlJ4$iGdMCGm~=(NU;xO7g)O0}ADC5SD1wonj_j5nfs^U`r3&wMH1&3#*%HP( zw2aL~4>w5Mk0S@AV;)j{h3A|?P#rSqLHJD&Mxo5G}f&i zqz+H2WGi^3QRci~D}|~MnV*=POA9uhHE~G7W`7IDW*zsTk)^{mNlNRxpp`8}+t3h& z(S;eD)V&)X8fqCBaeGhzU(nzA$Z%g{9DK3-Mh6}9yY+_n=}|!TJWlnT5x9)7*x*Ljr%Yp zmlgqQGcbJ*fclu)`g(h3e=pQ-7k>Z#J-x87P^LNRMu84OM>*ig7tLrBUTmjDjycet zk&zJzm^F@UWd_tp-k*SlT;{c5G%-6bcuxCl2nH3=$mwz^upij_%gm^+_GlVo(GKnH zt?r6vzM)Sv5L2=`i}w>#Tq}bu$rnkBtZrc>!7L3b4_K?>psII@EN3Z%AgY$iP*99~ zaqgZdpFW1CbX+%%1g+8<=HXhpd#gZVjAJBn*x{DUJKz8;86u|yAq)5Sq5C?(l$a}^ zY*Ld~h!YTI*5|I6CWXtS$WND{;6>sOpSSV0LJhO%@_1}?1J>j18i{J09x?#LT(|UYNogAkO1@+> zqNCK=Z40;~;HXoH813Nx`gUGRK1XTh3pvhE0v^uUQbc+{!*NW4L+^}HyAlY5CafSW zp`FabAL_H_xM=IxEa0;O4--TH2`&+I;Q}{Rc7*%9 zZh1)n87q$b+86(GT%l(`(uQbV){*-E{6Yx4*ADGx38SU*7N~nCjANY6iH(G^@y8lVZT>^R0WU-Z7?GqFr5%`}ZDBxZ{zaGXTEUfZB z_ZrB+FrL02r2st6XEDWr;4d+mdhA&569v|W)N%N>9-oB;5MRr8zXT*fH%H>zVn@gb z@7a|2SHlKA5Uo|$)Z+XftxY}aaaGch^8fsz_pHYs{fc(VR3zeoyPHK^R%^M>y@SgE zq=AwysI^^}vO~5W8y+3`{=EeS1G*sUMsWnTvi~C&^aQB(CYSjH$bbQp7I@4+fWDD9 z;j;5l03VqQH1TB%`X7y)q5?AInZZ>2#Ko_AunXLVkgvDc{;NVz7@=S?zg*=@;ZPvV z;qE!A>2We_q^~Nz;QfkmOJc@@RLLSOHqgcOU-im!zyWVCk`0LQerH`jH+YEXo@SfT z)r8$7e*d?Xii08!2m-d%ru{Gk_Fb1#zO`h&Ssey}Xn~yqY}S6he`?(TMhvP*Hpyo> zrzotIxg`w^_jxB!(ii{im}DZvh2PNBcqF zqzejyoyK4V;>JIk;nC0ZwngN;1@&`b4ZQh1tP4!L1n3)}#WO~STMeTV zoT?;CSS<+i|LN+=!=YT;IOQahEz+?}W1BHbj&4! zt#dGE$yFl1tBfYceplt`W_ zFqgTzhF!Ws9gEjcbIPD#cGhVWU561Tp| zpGzPlDl6iI5o9`-B)ylbe0BN>lhA_p+6W!;uz2v?$=@gIOL;t5XVYcWZVD1!c`&2$ z?PP}~u+K8xCHu%xK|u?R2&9}T6bRHJrBDBv5%?JhwZ9*dFakUNr!KYOrz2TC%vF~V z<~=#f_w>|x!Omd~lV$5BoHAhSgcLjJJC%~e*!}|QZ@nA;IEz_3jM7SSn_FtJFoxqS*tQ=&+!3=n;`G6E$UY_l#gqz(cey8S&7#+=7DrUSWH#Tx|=4(0i{cgZ71 zcCl-bXf$MTY32?8rSQX@WplBUG|zw4gPAXoJ@dgRFi;mk+A>6GB083327bE{Eoy4< z&urc8w!_w$S3Gl)YG5Op9=POqIZH9a-6c}nNa2^~Rgk2UN2)TPR(($Z(Uc3Am9ryX z&a=JPo_o`x!x;J|QJv7oW0GCzA-V1M50EzGAiKAnrW{)g`pKJPkAHtW8PPk0W|NoqmN zH6`r_tkhv&=W)ZvCX1GUurb`BIYG;=XNmT@_xWNFT2YZ-PvNFp**0i1G`fval8M!) zwYmIq)-fNN0JV-UIwyqwr09S6AVH|`xgMp;dpz2$IOaI8_s4GKrqXfif=ebS60!p+ zm&vU3r0y5&z@}>R!g|U#6B$$`-aLF|vap^A_e%RPzUM3R(dYbI@{jgQk9o?Eyw_H1 z?tTnb_xq()d?#;uRTkV?zOGKnmCd>6fmOe9d}3{Gg#2Q?lu@L|TE>hmj+pSt@S($9 zj~OmDyS&efOoBSVGrQh!+l*l2l_)Q-_uCEX_y9(Q5lC>6@vsSd!WN-8IN8xk?Rn)F z0^UTm#T%?{bc%$x)8Tfn)LDr&l~toP5+Qhc6))>2jv3rLDt;5(l3V^P7HdAsyMbuT zp%h)MzV460#wj3lf`heu1<$4wIfW-?I8_0*;W@*;o*#_6(rN_dcAgQ}#~Qs9CVKD@ zvD?)h^S;O7LkPx`Bg**twZFanf_nn^I%j`a=s#H8Boz9qdB2%jV!ZLUQeKci`8kQE zzaRnWyw8oA=EbZghI$^mW6Q8BK9DbZVZuK_)vcbqIqn<5@a}A-?j%1n8@$~zaLTX9 zF0=pXY1@}A+8L6vUI$1Ki#^1x0uaW^vJ}4d(y-_i!cOrLnl08TYnNWO0-?qQ;@LC% z8AgV3BBh?AF}bXuZ98y5|1ptyQPrpZtgf|;P%>YD0`-c;DV<+f?)xNw;8YVDMBT-8 zBvO%+;o~aCubWGj`_ezn4|T=afIB5D6;vwH-=2=Mu#EYL!4$$g4F*GJH5M+8rY!E+ z2q@2h88B%jcAkbvL5M+ZG(2I;G;jyiW_vn%Ud6_a(hRATO`sL-PhMl-j`a$-uzgzy z`k6jV)2rm#&7`b>tg@ipBiif5qZ?pZWD;Ab+@_29y>a9f`#MxiDuOA|vYaGSf|tT! zhg-3E8qtH!%N?k;BDPs@*KAo`V3#Nk=*5Y;ouOT$Fiun8{x{-7+f`Q}uRjwDvfJpg zUgoxZ7n8E7j`c~X_;~xNT#F-+bD+}wqr`^9>dU%%KJ)zSQUfR`u4ZQ-yWj4pO7t2M-asCS|wFpBn*<;FZP>#F)9OG!4IH^^a-gwYNeck+A~F$gKpM(uXX&{x=?aVTZ2JX diff --git a/versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP5/shared_advanced.drawio b/versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP5/shared_advanced.drawio deleted file mode 100644 index 6f96eca0..00000000 --- a/versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP5/shared_advanced.drawio +++ /dev/null @@ -1,187 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - \ No newline at end of file diff --git a/versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP5/shared_advanced.png b/versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP5/shared_advanced.png deleted file mode 100644 index da9899157d390e82e60b50211bfff24637e8dfb2..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 90372 zcmeFZ1zc45`ae#mNR5b~fG9Xh$k1I5N~s_z zp@@`p`2P$uqZqq)@4epr?e~AL>&u;U&Ybu>@qXSLzkm2CqP@GhfJB@>b z55d8~lO!Pmd)OLOJaKSzJ3QodJsf?k?HsId*!WJMKe6%h*gCs=u<^;U@q#}hRw8D? zB3y#zfUsZGYbnrE||Hnpg9kZfUu>72>2Q}$I;o+&f3n(5_298FAo)V8ggvmKF|;+#*|XnA>P={l-u3&EXzw3UTSPN5g&W##5>2QIZOI~X6gAh!VO0G~XNuBDxs zjhmSxxRM=4NM}rZHMvf?o;7nam*Lg)^yaZrP(@$I$qYQ|_C?@8PF&#mF&A<4QFJqN zu~h|&a{yPe^ugW=wG`A-TKb~*2#ai=#LHvjhP~a69h!E2nCruU=uzj{c-mQ7xnr(| z-sR!!?BHSN^6gFwXD25huW!C+=H}+?{q5JRogFZX#N5>dtmB)LP&+g&%p88)t7B*B zVT)OX0Os*f-&V4+v$4hA8ODP-;%J8bGG>Rnt(m2>H~ReTUE9)kb9M%&%5Piw2`dMb z@UU`0pQrFUN54G3+ZTKN;}bB7@G^7o#H>x#%)-{r3D_P=(C!|-*fqO3dpcQedkpXn zS#MiA4=YUpRI?Z1K2|O1#nV_6V49KZrdy4vlOrrw&Vx<-GS}eTkSX^ z%xlgkCEXMiy~WiIIIiLwJ()B!H{Z7+}kUl4Wyc!NELy@<1m2k>RHFZTma zjK1Et_W-+h-1py6v89>2?Y23f^!@vK{mv5PWfTiD zk#|^!;PxM|{})&XOyvKadGP;W9-6km(k;QNwNER6e}P*69bJ4Uk(xaEOPSR{$K^-qzc; zM9hX93RO^0w|z(swMf(!`ZhnoDGxI@8!O^?Uu z2Qv>lFAP9qaPenwg}DRV*=`$2u&9Yu3`S93fDwBMcV|yG3oFc7K&)S)%l8+;!Y5Ya z*lp~E&@%YpLfh#11+TXsa(mYw0IJZh)34A!rC%!_I}fy7Y@Y_UP*$;R2jKHpqd;w7 zZQ>g!{5i1wuGyevk2V`j6#4sF5-&DZ{=1gMDRYM!N`t#IDWSjZ(@?iCfRlp8_;{OSC!U79c zPyY&a!enGSkQ}QK0CfLHHS!;%F}ytAs|vII4^)K>#Q%<}K+5}l)cucS3uacr))v69 zzx6aWUOqt!VJma%Ut{t@fN*ZF24nNQSbn%ekl6UPGbm#r@ZS<724{8{{nvcqI{^9? z2>!{u>o1X{0PI^yeqq{wg(QE>yx?wjUS=Ms@(P+;V<_7WO#l0fR8aUIi}XLnt+DFd zVVysO#Xn1~|0(W;zRORz^-hw61)-fR35KzPzX{>~UVC4l1&bMfmT(L4eQO51*dUC( z(61xhFiaTv1xg3_{3V^@0X0Qz3ib1Z3QM?AWdzh`JrvzWpY^+h`_CB)24w%nh9V^L zoqn+~2&>;eYbe6Jus`6_yx;S*UuZTzCgOm;q5cEX|3Av!e%HGGJf9YVVQ4Kjqrqxm zM@Yo_@=kJr{Tf#P{|cdo{g^v{34}Zt<^12J*1teG0>a-?=%4WwVT}HED(9C_=pWM^ z^on-SlRu8F02ER6iGKzzx6ydJsDZ`e9UzM;gncb*Y;U2A_DkgpZsleN3hk&2_Kyo- zJA*U^*1myW3>^PWVl*GNC4=?Qe-(Q9u(>k!LRi1X`tYvE%EQ~)%^u_=C$a6HuMHur=D?#X zU>s)$8vLUI6iAD|G|_fep}_txeSlwCiuwfr4CCQNx0=5coOrRB_6|M4_%SfOQ&GPn z`$lE`;P1}n!PlJei>AJB+hHOnN=exI{y(RsFU5=RwS-O5|7KbOy|?eQ1mnX{i@!um zKW6qnL`n-!H?J=}$Q@zR!okel-40bk+EKUtUBmsGL?nUla{e#Hc5EQ|v&q2s^_U+n z^g9s=bj!?qfnQ+n=Ynb@xueAP^S+XRz<1dT#)-f7%+Xi;+VJ`3dO%n=+Y#=ZoWb*{ z$!PruqCf7@-2NVqoi#Yc$qdz*^Kb)04q%i5OwaIu!3%T))(H#E|G?pSJW%(>Vl~D% z{}2KGyg$2Hf$qMU`Sz#stW)g5R>@FIKbD z*|9La6Oys~2WvL}O3uRjV;cE`v;Wk;-GME8{85|NQUQ#jVEFR(moeMej@}nqj43@} zdG%LHjH*Il8S(F8$WHRhi$Tf13$9>eCWaHi1Tal7tit{*t_Whu)bCyBcW?znOfU(C zovQhY27l20#for;>th|<-NkI%f4@v7VJBfM(DO#92^lvVb0`SZ;4f;}ZpWvisGX>e z84s#O!)0yeXy*V{gE|LX-^|fv`yd}EyMfSQ<=|z7YS{g7?7Ra8 zAW%1Oa&~h>&FAbq?2Va2LLKKvKj`+;Iar}4W4ORtE$p1YAm2~UNAW@~48))gW7>?^ z%WogH0~1@Qxkc1*o*j?2ebB?r%*ovvJQViwsG%>+!vV5t`R(0zo^EbtVQ;ftMCbZW z=)3{|L@;9i?($wR!=7d3(V1zX*B1CCV^?pJc_@I@GU5UhIU@4r275 z7{RcDf!dJ}u>WtPBd95f2nz9;{i1j4H1=+u`p$Lh5 zr(Y~`{;`F6q2hJe2%RKFX>|9pW-Pzbz@jJ^(*0b#4MJ3Qz=)}+O{<_<0W z5Dfo+*8T%;q3rkrm;j0lU}P`wecA5M@|W*3gC8#RJAvq*Zw7uBM+MP!#$VM8}Ne}w)F2!A@gJE41bfnNC2BzVlkcnU#?Mq7aaJ7 z!2H>cKWO;E2I}8I84ykX+14Odpx;=>|0>oyTZ{jzSffWFv1IMPyg<$WGv4-}Y7O%L zSPlGvx9tG$|C-j|cW5d2hiLg{$(`W$FN6N^Wq%S$|=ZkpJH(g!6Z8*h{4O2-+H&~ks?X@~@DJYl#6%S|f?+xie=lbJ z<=sq-#`&=0>sSi>XF*-yyTT+*ED8Z&?|0gmX^f=~E<`lOFE&n&?_>blsvGb3pvDB{%kO6(L9KWD_YJTU z>Dw>dVhYndUUp_XrXvAHq9gCuft?@E{u-sfI~%zE_h)1GfZP3d3|eCQy;uOiR=9Qm z0PJU#Fzh}oYX2*(3VuvY^(P2`a;tAfTd_v6?Qj3cf}EVWtb8zowA-&km^*_XrUXC8 z34XQE0`)_J?qK5&-<;t3?!5_M59mkwoxxl1zJ&|w2h70lA2|T?1r*_DU5p(Q3@$s~ zJH?!|<5g75Fz65M3|^iehy>>4l`jM6Uw$u=|GQs3`q>;8w(P#M#`%4R_+Qa1){6e8 z*==+9#hMl1!7yMf7sHBsr_=r-)dIu+`g5&dFVNe|Ai`X8lN&>Utg`iOLgBcMUHN4vqAtdO( z!mJl1{Fj*HnWfTRX;__^_s4tnz(&eLLe{Aonmt?5jh)^kVb<`N;Zu-mD)v38c{DIR+E2JW_Vfo2JRXu zI4Y$_LU96hsvHXosS=#v?R{TCTT-%i;de)=FCsgbw(t6H-@O5WFN4G!&y^iIKi(GIYwS;<7`MM}c`!I$z`kb)+*Pjcp`+_aBk9IMyVPV~ z$?;=n?m|e9(@uN7?;?E^&-`dG_;YNUgny>(^Gv8wIltG({>Z7`{4BXhniX(L+eEQ_ zZ*#oVR)k6L<{srl&bkwn5)dn9-}$#PV^6PK;xUu${2X^ctfR``+v8)uNapAMGIz!n z{6|eC>-$Hm1J`-1o4Mjnrs>7JIP(n4%-?HVu3Z0Ep^yZ(eA}MROu;BfKv+BZJWG`sJflF~DRuEVxyyl- zv-RZk!Y(XlyKb8`KK}HsbEW|P5|L?A6Qq>Pf5$Fm)TqSiz%A7jx|8sN+|BjnQE+4H z{n={QWvc^L3(j^QvusQ5ZWXb4mTKF5cMq@4vzUY<>d9pk4E!YiOCRchv1r`4Jh@-O zkN+8+A%gW;$K7F;Lo71XmgINep*?TqvUDn0)Z$d{A)|5+dJ(t7r*Em)?SAv>zSW5b z)@`ka)BQh+&}v>3bbK9gvQxCcZS0h0{Mc2KAei%(=FL-KWP6UWXk^NbhqTw96E})n z;bZENT764vu`l9o{QOvp#q{gq$4Rg(MFhe;+qlZF*&Jq8PrzwhDf}DqWs#lc`Nu=z zwxParO?%t+>j@J-b9~=*=Mn+oBPCdaIeBcUzAI@|DQk|`xmci=g52BV7`-UtxgLZ1 zAl0sm7E?pw#pg-X(j^bPD^M4@5ihw$V)gVg%$-T#ETnpMoKbxBZNhk4wf*W$&1d*S z2R$AlbATI4za5UGh8R3_kV)pZYsF2&?S^pYArOJH*RC4-J=s4i!lcd#@yN*(+e6s2 zGB-N6wLYUr193>mgL8V!+$SXDqUPk#zQ?o4i__OFJIrvIOJ=wwH?LZb#Sf1L^7;VE zcu@9}8lq0vWDzexG~mA1up%eZ7jKSb47X}Ylz-pXJ@(ERff&u0 zqIq-QHp6tkVkjPA%*DsQu|-F=4NVj^TRy&sYtx=qbqH#Js9$Y9qe?x?4gk#gg_Z&O z@iG)@vk?gGaIfjt*QBk9#QAn-7?!zRO6rq&MZ9}IPA<)^r`D|mxr7y7)4b*g*F6x5 zGk3LQiqCczc+VIYFi|e-+K9VLsUzb$HzH3vQ;T#ZqpR>a2BqIKb|yXq6eSi6Fn_y?s~fI*Vv+<--GWBUq6s4y+0 zI;nsQ$F>Y!mJnhNE#i=?knaa}SWF3ITK6|nmXt%+e z1cryp1(kKkH5WG`jiNuK8Ainh?vY8JZ-n~S3U#qo~;ph z9)XDq;lSR8?wyHIJSIbJVR@G-6X2q($FP7SI;`ZQ!U&ndX9qb%y;QG!*1QyWx~&p+ zhD+P=OnQhaq7X?h>H$qsN4(1QHR4#17Urs4EB0G_&t7Ka(C5b7a8vmzJV%==!7xtb z;EGVbr)nbSwXEUS7O{Erz%pk0oNKO4*;Z-zY;xvzS$Vl+%OmQKigc3;fE#5z97)bc z2TmbUVLAwxeo?8#{#I%fXvRO%xvO>5q3>ba=)`r&Bt9Fp4}B%=hnw9`L+R@4>kC|l z>uqz6>lWbj<{6#ixSBNY!uznI`x0_iP@{P7J+MlIrj~WCL%2cn5?g7xzP-NFR`>|ps zx!tzg)cW1WHx*ej=ZJ1=-TBSVzBLJ!BpE15$EANB#DZ%7_JW^XU`JsvlR0hp4h{o%}+YvxBM~o#ZBduM(>AV=G}MCm?Fv*nFArj zluZ05KLQ}PxUUz_B=K5&d1W*{1?Fxn=JkPRRKo8Qw0di8O3D6#&zyOu5bf)*@NmXx zB@ks|OV>7+2Q{)3DER2ui?g8Dgq+h>`GU6sI@PZ6T6NR}e^zqzn(V0SGIOiB-Tdy! zIMDj}-_odYr4h0f+kq9BODZjp5?m=@>6MMrRqpE|8}lsA9k;HFD!>*EKy8Dqy&?;Nd>e${-@4Lxos+O6s(0#8H0(n#J*`R#9>O8>v zLm=%$mwQglHZwZY&uxT;{a>560 zeB{DYnm0d2{mKoHS*3JZmhU2EQ~ZoGjb3O_6(MLwvdD}N%+y@)-{yd zyY7V)Db02`)s)S2-Jv~o85(+B%$vbgBi~r!5RT7E8q9)dlK09HbtZSyeC^!i!n2KX z@OvgT0}*@Z{5c`)5X${hO(eMoJ+4IELF!g`aq(KW(%(cP1#Y;GHX}Lc$aCo%!YPFk znJP-jqEHW?`FjuFgd!^0=|Q5h@Q%O;=M5t+i1;UF;JdQ$*6U)urHZe{I@P6O4?{k* z&#*y7y*}8=;d34MkOg2<0UpCF#ROz2>C|5uI^9=dvGn1Uf=VeFUEkO{Cpxln7S%Ly z5m|VuuxoupNPhL&vHGwayUtr6!f_ocLY5|~rU>pclO>OJ%rNb{qnWJ$D3$7v2p2zu zW4{m~;XVyZc^yN-uytWaSMU6=tH{#52R97~oMKeq(U9;md z-4&J-hS15L=aLM=$BzPx$IkH93Q=&+J-z0;wLa%`jD4FLck?KOgu94AQ`#4r4_6yy zGt!P8qrW=L4W<9^roik(2ckZx+~XZW)bqVuYilHOC?z;9Os3ak$~^r;_(x^PX$T=? zx5kyW6rmIx7c$Cc?Q{?b1=teGM6iAUcFf+9(gWc&GbC=Jn<}LvCEHAn3Yj5Mg0I9C z`_Z5yk0c%wY1B}Pmu;&Ow|Yk5vt+9eAT%|mW$0rlwGjYtnaZW#i(9DuLx1tXId-U_ zyMRxMNWN)tLaT^l3h6>x;F6xZgp-5v$NsXm;?maA=@wR*VddBFIWD5Ip85B7AJFQW zQ)NLCGyxf@)>ruNaV8-fk0T)`=hLgR&=ek@Nb^@iunJP0(IFT~0ugmTzBWe7GOD#l z5Qry3l7K5FoX-Pr&(6Wm1=;ZHyrsGVl8nNjO}~Ec!9d%t+tl19)edO~0G%@qn3MPT z@bbC1`*`cV1j{_lY&GGajZ)uRfacsjeUnT(&(Q9-hOx(&@WmUi9yb}V{N%;uyD%>B zzD*~AI?&~#(VSKxof$A%-Qn#@+k{VT!vXFShlAf zXuWV9-OC`qy+2j`jk1X3K^aiPF94-gWYNyw~Uxmt5Z!%P7^{6KEOi?r10>s$K=xUxi0T`UcQ3BBc0$-c00H*A{fnah@%ST5v(M18k%UMjS#|< zq=o>nY64k#tj}$o{Io){Sr_#jLdyO_igEmjI8iwI_|MX%;y-V#w{NrwtwSJ$+|&!yDz;pthuDMiuRy+3JJO2cBIQYZE>SwVkHt zF%2n{YcODeLULpF#GxRloGrD8=ljd=u8zJgbf)3t=g@rSK zzwEJFq@4u(1uu|LAZVMvgsvPOqLry5WfJuuX}Nm*5nv8&8I{tZc;mCzMLo~Dmj=JR zq!^Rap)R#~9t4eHK)DFRBDkO+7MT%{Hq|GnOGawv>dU)iO?83@aNr=+XT|0NzIo^oLV1}Z>DYVi1;Zee`{ zW4Ww$MIYNWC`(DH17iZpr!TF zN68|Uj+>7+UD|~<_wicte3Tczyb${t*sv8RF{(?1-)yF`CZ#;hSFje+0Rbc7j@FiV0aK(t~7!h%7%ModPk zFDI-zYfG{1D zMk1(nt0S^5A|px$IXw59qAbCoj^7Z?WNTP~B@F9;45v;Be!j!p{%#>FNC-Fr?s9G? zYE&aA=IetGplxpC>{(-wEexMYJ*$E)^fUs9CzwMh|CI+XlK>Ffd^Gwf-e&g|5dd(T zZwoCRRq_r3R+DAjmV9LM8uNrdsy>!+zdAXaL>TqRms8(IV(Md))U(O*w*bKo1{h+& z6EfS;aC=|0v(=P&!^YLg!E>m!q4GGjkDlofD##Nmv_kc@oh1(;HA+<6eFP;nT_ed z_~;Mo9BI#(I!Qh2jY^NIWf{^jq-BLNRF{;jT$F-YGGIB3eDB-$Z>8+-UW$;uhYFSq z84PGgpbEWsa7Y*axcjK(QUp5#0w_t=<+*?r=9yfSY73DUa}rLB+-1kZMfng8-N_RW zO#M#k;E)nrH&4x<+prY=Qhhwb3=}+kE`eq3HM@HhyDT?67#+mTlWhJ##=A%y98xkz ze9R##Ty@e$T{z&S*|v+RBm~?5-)oJ;Vhy*ALYg2zl|=!8$WsFV*uOB9U-Pv4NiWCE zExFoo@R$K421Zy_gwW1zuc1~)zhQ4EJxCoRa5*K8VI+1?t=2;3piVZ`;L+qDC6s#Z zjP+Qe%XV@s+9)nGJUr~-`Fb7T)1Ig^&M1?mqC(lX`89qe%)`!-<1ItLI_9H2U$Ds4 zW}_Y<%HTTo5u|BLv$xeUc0kN)7cLc32VeIPxQ949uo~Dg2`Khq)Q3P7Bu_0%F@C^* zYs0rpG;BkgIs}e#mQy*oW#|k&Liz)V90&C6dx%)UT`s&(6(ISGI_egCF_IsoiO>d0 zds0H4F(6l)jv`2%XKgt#{BCHFAQJ*f%;~&3(Vl*Maeo~Gudr2O z6%sibV6=Yg(NwtSurpA#^-aMtaj3lYN*%^VkE~=cZO#p?GNnN#)9u`+` zynEoxZX>)3%CzQ>&OzY2Z@7@xFhUI>InN802saL#X*ELBi|y}@`f`5~g2UiYh@oH& zLlHrk30F7~x?s0m4y$IP8bo9U75}zk{n_}i%Eb;9an;w4I!fhr?I|$aM>P^LX2X2qY08EYP#J0+%kI1#4~T;sOa-A}C{b8^oxe|i zkZFsk?Y&NY#M}e;UBjCs2qEVIx%%^@u5D*)? znd--jOgLQksE?A>?!~%_kvgG#AG^Twa!qIP^qPW4fdf-@j6zPPbswJ4K$h`trhkze zz@J75++bSBlG$~{L5B|d%8OiVuRY#}UDIqfUEk7#{w9X69dMsqz=Zp}qseB3qUKH5 z#S2SQ2+JqGWf=^b(Zi5pfBhzh-~+~*aJEM2SNpojEO6E96G zj5MB{^;=l7?YJRet-=%=nMHiiXf4L4(8G6QCOFu<_44YipeC9!jp|dX9u$mtQ8(+= zvl}iPuWrhp2&yxX=o@*_M6TpF7&yrw2(fCZL6mhq8m`C+cX`_pbUEk_8I$T2kYA^+ zj~(d>zInJ=<$63`m~!LhE!Qa-ITE+k(EAf_095Pg_~zRV}wnQY7QM$NvqgD5xlz3;=)qhT?+r!h2mp$GAU|R z8aEXrc9Bh;f5dCaPe(=;H#@vpVADhPzAC<)#eP-Msa zLNf8-Z(-&u25)B9Z<5nX*fDLD29OH0>}@Xc<+wEUY65<<%blK1lJ?H&Y?;pTJ%x75 zFvIc{Mty<1*5jq7W9$LmZ(01j&PJU{|0sXuwD0q3dy~r34pW${eNVBA@1EQ%FiKmaOb@xxeJbN*j?kfd;?)C2G>~fcye$ka4RI3yw(iLR!DSnI zqRwVavXX!tT9R^`#7XYWkBNMch=f1?4f@GLv{iRS<9y3SF6cw&RfvJ$y{4`*4wsdo zpvqVGB?W`#4!mq03^o#A4ZRs0|M2n33T^ZKp<~d==F4mbyNlj;bc&aFj*7OXiT3QD zH6rJN%&0Jgd0!2TI%z>P+IojpLAbPB{0i6Q1EaT&%MJvDsdQ_c^B>+?*F;(@m#`8L z8l|0@Xph=6Ra2|u?={jPWMbBGK|pu)i4&(DKe>(CX2bu3W=nFBG7yt-(rih!hD~FY?19 zUhz1(>GF)AQEehZ!loC+>4)5VK8*Vtz&on$7!L1$={swqlFmaD!+~6<8r+I!=pvWe zFLieJm{ht*m_pm@45O>nsPYSehsG&0Qpz6n>+D?GLFGsEW#&NInQ=O@pI*uW))Q24 zm=&60;Ws&~cu`oxT=S|c!*%qBd8z=k9OD9^yYD(o+xh_N(l^(3B+E4wWVqQ9FVnwt{d^GE61#M_kqqy(|B77%*RO`ci-w zIrh<6G{?X`9<1_TZhreDq0ODk;9(=6(6gYHXa-1mX~3%6jhVrqb;kumkHt4qHq7UU zD0oMoT{=XpmL_i3_$&k$pNfv|0$43AsPbM#Mnt#0HA@NQgbt)j;io(5#m~eaXv!9g zOWMarHxjlX-*L}T$K67!Lg;LUTe0ZmfU_|DRINes%HplX9GKMys?m|lBca5FmUSwJ zPbNe1d+cc&)Dvc1fXYfl^1c1?EgCN)2CxgR?VK*QcRLRoTcP_Y?aG`;`A z-F(5?=O;|ET&J%Vx-NU`R*h7N5rhRgeh{NoG=F515@Vnp;6r%|?z7Tz>k$UiYWETt z5;lQqTI>}hXm#n<1WE8(J`Q=;nQgH;KQ>PFtYic9ACJt!ArYwc82@YhnHRbJ)io?3Fq8yzMp(kRu<`BI#X>q*-;r+CJ>o-qVq^h?bDm& zE}J!$Ko4_DBrWyg(jbjGVKT#4H&7WCg{beJ@5)Yyj71`$n{InP9T4v^6i_a? zA=3FMLwTmor^=VuqHQSl^ofBqYfi6K_Z#($xnfzG@wm78EEFlnxkzLModwsVV3TBk5n%eNhMO3sUu#5yZXYLsR)$E&!W8HsvZyBWCxK#b zBDc|50y$7KDX{BgKLoY4LbZ&ED487Izfp!4IS(>rDa7&;Cxa5c`HLGTt+f>6ndEP& zT$>$@mts(st@2xB4OEBK(ijCUw=??;;abG5fMJ4GdXZ{S*n&E@%t|2ir@L){BNlB8eennQS~%&dLgIO)qV2hQZ~Z})6HYJVGOxnPgj{_91cCRYW4D$sR$^DGLgb=vpAx~_rmwKXw`;LmyDj*RZHK%l@O~6 z%_62`vAER=msT9oR5`C6R!=Ir;ezK`!~FyGukI`H|RPqAXZnUX(5$# zUT|IFw~wzdQi`v*9F}>G^gCLqTQ08eIT^{t*ki6V`0QonL}^)dck#-6nM8$TLj~Uv z^QWm}J~us#yL@xY%3d!nI5KwJk(c-&>OuD;VbJ-4_k6g8?VD2eybWJH1Zz_8JANTd z5*vZQnK?a8Im8~q*fUtTDf)2H=n?f(M_8YpzI|IBuF@{kN;Xbzdm;Q#cBtCsio}Z> zfvuJ~ThqM@)QFLhFcXbDm)#%MKjP7_jq~CI5*<-cXQ6T1_DRIerA7BqMGEO;kNAwB ztVG?pE%C0qgZ$aMT+}TNXh?evh{8Q)*9}ZJ z;~J>#`>OREFCR02-4Ck|Z@(G9FMvu;6jW1bVYg=D_7gnn_Er*pT4~r6pf;>|!^f`c z_PS_LjmJSA!mzy9?wX@ttY1c92p1>jQYl`D_b8u}EE^dfSddn&*xnSdmT8{}w{{i;3L3(`o^sEc|@ILWsS)9`Ey`L!^{$rKM+XsqDLQ2D`^)%1|J`0Ci3gV- z0{RzhBO=ZL&z8UxPBf_NjsQM3*^z;NDv>jiLnjXj>hmujIx@b$aL&`NY7^-Q}*J%_sjrl%+8nlVfuqM5Lm9cj)Pv)5%o0w5$oCz zT+sJwNDtnM+}d0RrQ#2}yK7H?@{IiL8JsqgZN1dakb-7(Q}o^}z|AMSbN2S+o5X`A zttl9R(5((A6S=&Q`#F)zfG1$Z1&o3bqdJf6^AqAPQ4@gm^RvF@$1n&y zEj_$A-M2S^U6t3;e0>$4Qrz?&_2-R+_~eJ`v?o1M4SYzMxptYL zKTPhlJ;`3&8%vumU0JB_G)jSj+lmQ(EP5P;#f5~E7)~MmTkSr#$MGIi&bKIh$?#b4 zT$NBxK77}18v{a-hp4WHjnIT>$p{&!Dxn@)91LL%;~th^#jpY=0?3IBu7jv8Irz`wBa@$L9O^ke)ZSdC8~T` z3q(q=f_HWWeM!u}ROz5_Jd#koMu(|Qqt}mf1Qd#g$Zrp$YjXs|p}U6-oCqJOR7yoZ zF>0Bt90|M^r{5*%dA{xVv8J(^OF=T5=8*y<=(FKRYR~CsUpRh2^n%#9)LhlHix^2P z!7N9J%hhlW99v2xWrzfhnt_z^E>nt-XFbb%aSXlgc<+%mE>TM7dgyk}EEhkQx(b-m_0^HhzI0?Du_<~ajYDK4bs$SEO-I*zr zh0reX?ZXKeov$*wLOfr?iMvp`c(AD!7bgs7gWNPvjtwYuG__HB- zh|Dxk9xG3UY+r{fhR3=QzzGlU|FV|EGikt z_GSTL6AO-1d85gVqW%;Id&PaqD*T>ypX_reK-DyT0omPDRSHJH5-f3Um5KW>?hLAPojn+wzn6E~mh zcx}E{pXX(>w|0Th)ZPVYcn6IPIUyIr7?;jb?Hv4&`mi~Ak0!qZ(iAwKh2OLRdwSC3 zECK9kEPnt45w%AMJmArVNF;~42u_VIv9;h3H`JCQiIOFKQDHz63@mwc2t=48xaCab zVX`{pgcgVC`(&nY@pHU!p(G)R2x8n++=8cW@~@o&C5URBa9-hdyood)If!%OUOsby zlY@CG(WrD#N%N3X#!#E~E~4xdh&*{2+>j>-p-r#vP9LF4PIm6efxXk3k0wWoGYRA? zM|38zF3E@|db>#%egoH~#}B{#M6ebDk=|Bd8156BlZ_Zj?PeN<`YcZMIc24gBB3Fv zi2|XaeGR$x#^L%p59amtjAx$a7@6R8)RXNuu{7eSppzDwVm}g>uJe?4+#=GGmUi^G zty!u08=@wg$@0dO8&FZ7MNUGB{NkJBwCPqENl17`OBalT=zQ<^i#^f3)33uuZTeux zUT4GV$AlouIPGk$WSYX+~wYmEL2>$0~Z=hRdohk*qhhdPPI1KAAiSMFFWW^?l#*)zjlYu zuD6|=Yhi0cTjP_QH|^S`iosE5DTXsWChGSI`8asjN4qojADLOVq2VRUo)#QGpk>?adMwA-eHv_s%z;_TiNtX8MSFQ^MLY_2a zn%Bzdf5M*#-PkiVG`(f0r58MNg-bZWQyv;d_SyMaN&x-Er@Nk1u7(q@Cgx31!G*DnXK8v$ld(NYx#>i=)(r&k_E2``t<*-r0m=bt4 zet-^=J}qUpdv#;0GhRwMotvxBthZ#`lxglmEMsl1!OB8=i_+?3758LRvN~wKwH^Gt zy75s2FKYr!cTGK>T}hbi37^q$x>}RBMJc~v*{GPZG(5qVJ*(aBbxH1-x8m+h--cuK z!fw3AcXiuHq9%im8~J-p)D6BGcJ^!lb!M|A^MMQd*I8w#{V$xAK@+{RcpEi>_!84P zrme4AhBTRe^F0@rgES=y)ZvG$2(apA0C)13@vd#f+p5C~f( zO3JU@?Q?T1Jo9|Xw2z^=JG`Q=&T6TvkeV)P@BN!{pvA@G{*>NfFqjP0{@N@rsdEPX z(kRH$4(FEyZ#i@!Y$lIm2swn3g$k!64Wm9DNH!fTj8;n92x`49xm)VGNLbK`M`n#7 zA78FKQ7rXbU?M|AJUI%sTH6t1bdgif&0|W8^XaCrzn?IB9MgG^ zcYK+saunzwsxV6JXXZ4pf&)< zl7-|mzAKlT!f`GbRuwHOP`O`ibHPGKhl71{MB;O$WI~u@$NW&xZ2Yknp8TaE6XzE+ zGEPUh=9;F&r%(60QH;L%3_I3FoL}CZbEccVyO4QF3l3?$LRZXK9SRU3`NZkitK>+t z1i{;Vw+VMMtMC3H;t$<=YzB)I?#P^>z6E&$B)&LAbTarc=5V+R9^N z!z@}mB%8U;J9gjIC2$m7RJg*hco@1r*W6SqN?B&^)Vs>b)gGut@omkU!U{1dkx#p) z>buA8$Tu9jt(Cj`Yk_ZPK^4Ks0o^XJV6sO*U1IyVy zwWV+O95rT$HSmZj!YLXloQ7#mWSLSk2!-DAQs)&v@~B801k{t2J_2kr6E-UNxqCh~8Nq#i<4SUbT|o3+IIYDa z9m1^#q3~$erwqwpsKJzxaxDE{HDmjGL*H)EU@4K}p{IgE}#1fT!>w_Lohdk0> zk9wED4L{FF1yuTp5H0)CGI|GxFVv*UPe;kS3^g)aI|FWJHPcp?NMR52{7AN6vXt5R z;XUX6IM5E>Gacly2Lh^aEXoh}+jeJU?|ar0JJmY#7;%NaR)Kr?(Ap>{hQb^^h^;L4 z>uEvfI3=ZA7>+XebdW?@FLGSV*W0S{YSUGH?fLGUU;aY+(>@sF`KEFClI6nC45Uef zP=5TL2#@0cnPt$iaGgXj?e(N=4r=0eb{~BQc5ecG>rO+bYv8DLJSO==8Jzz zkg;eacOZA)ai)d(bIRSxiyGBrCrq67GBuvQspcP!)Gc3fr=5IqLjU^HCRW0`TZ_GC zb}>j0`p%Clg65f7U6iWr0Ft*^)#Q9=m00HBMVHa7qK#3bQja;I7;LXt=F?Hz_8v-(h^p<0@7-0Le*$<=hN z$uZ9H0q07N4APZ+L1TWGQ`o?FiF}x?R-)32HeZ{(>X7{Y(!Z%q6T0j0`I| z3`@F}r&-c}47}*!Z$)n1iZ4$<`PrjJ-$i`S^EP+~SnZvq`U*Lb*kM_A7S@`}h8*-|GZYbG`O_)aBX`)5mOdO*b%+yIZvfp?ho-vNVIOp}2z*(fj5;lRUu#4#mrWvZj)dc^NK@A;xDHPPMI#Qyj-P z43E3!)SooTAUk#9!9%0A&#(&f}S8?W%Sj&sB2LP#N0y{6pug$YWcY;_};*hC1{#ADM1E#(n9%kr~-NG#n{4A+gb3 z1*bZ$b2o0_dWyxT8@`jzGa~2VjT3p%4b>J8)T`K_(4c)So#htCJw7%m_qgovF$E|%C%c*YlD8ltYrYDEF8rcBnqCyHcbzou5q?7O2-cM(4D1R0v zib_)Uh+U(^tALqh1LVz!uOX*`#~9^$$T0+eRWUns)dUH8Bzk zq(AFWyxz1Z^H{NyB-yD*9pC-v=-RSUV5p&Yc}WdRP%I(nltV6pqc0P_7Z34a_N(3 zCn8B&<>R++xI-eHum-K>c%#2L#6EkQjg{V^s9zH-2&3mNGzSw(vpHG(jC$ZScCxx(x@PUq#zRCS@quE{r-h_-}l6vnP=wA z%tITGcP8(84+UbJ=Tt|M(PZTxnCT$)imtaS`yzFm~{mCpSQ) z5qjdkmjI`Sb2}U~(A4x{=djPus8NfDixLB5WDKok{D|K<9<huhkHZ=Y4pERC!2{;v4z})TqhLa zq^C3Y-j%`rIvW%R|GNQkdbm2B##{k8_QeN%QkxU<4Chn|w;)p>l)8uu`8;ZjzsPt_ zUpl5*59xJ)Fo#T*Nt5_u-{KE4eE(f~N?xdCQ$(V;-dkNWY5gckBZ}24U)q!ZrFnNSQ zxN$_bEmfew*eeTm=l?8ZZx!^mF>+Z0h~Uo{xpyRUg>r=3XmPIu;snx;zzOCjwG?O+ zstHGdv=31w4~hnr!%ZO98_d(c+0@UkK#noC1zl(U#oUO{WEGhwe7K_60&G3o$-Vz> zgAq|vT@-Yo`)##ziIM4rZ>l$pV-KnzIS2Wzrh>jA<#~{=CX*4e5L%Pib6be2=_H{k zY`*R(s~;U49uH~4RY;^N0(I#rrdbIUkf06|c3XagC2rm5?F?K^Fez}W(9iDn-${vv z6ADsIu=L_+sRu8&H7{1Fw?2}Cq+`SD*C4exaqHEFO~>OQPlzCw9VfRPpDK7HTp-D= zhje?B22~WdkuMUU%^@A_#3TtZ5m}2;b|G$NFk4PUAz|G`h|1>|i)Mze5fE@uBxTO^ zpU<)lLDx72X7i3>Jw7_8O*5_-M)dT1L;TEei^(8oOE~$2zpjFsXnYlXh+DNZFU~5| zlMG_<(%2GTp$alJDAZD%Lu}28{tDq~8$<;YSc{0Zf<9V^D`)kA^D~Dn)Z}vSJNev%^+j!h1N(P-7!g0ef zwAgZ7o=aJ#S=RMMOO7qYi@w!O_S+P8(oW(fjFVn3pY#pTSu_MtQ#amkl%j&eC0Wgo z{j@wRH*{0t(b)QXsX@>vNBKhwoS`^A^Xxc&y#1Cg}8K(kN z?Ldc#u3^_b zfG<-vr-OwGM-5!-FxhmTQiT7Ld>)XYz^SFq)u=ou;32`X?8e>dZe=^}V+S$X>gSYJ z)TQrr;-A8=U3GK*)K!;%hYn8msv@7-I}$a%OyqVvRXGZ;8FT zCa*gT+!%Vck^e_%6}WIU%$GTDn8hmd*y+VH;&zQT^Pz7UK2`a+5A(0iYF>5@Ud{^58unG>P@+NwC|B zJ3A=g%y;jCK4a(37|%b4D8!`%NG70{3-#dwm4B>q}fsx__M{a*H7doMU` zlfb>^%cgJVM(DVy(S?wJ5RvE$-WHW{3T(f(PxF7<2W1a;6_S(?Y>I+r6h8(Rte=Ax z1yQeVj&7KI>G+ho{rS~2ouKK764ezLe4Il}W<0N*OFtr3 z!4M+&)IK1o-WbPP9Gy{LV9NmcCK15T7}?)+lQKplVNS9T~a*e?&4= zwYZR*Ywg#l!iICGgxm!+?8{EDRWSoJ>BXKzH{N4Ig1tIK)8Ugnrbye|qNJCsu@fW; zT97H6kA!Swy+PR@}Rhy-T z)*S~j_WHzH2dHe=K(e=P_DG{Cm|MPE-s{h7=X)XLn)0DuKBcV6UJK%6=dkQ2B^!`P zb4a$==Ho9-`F@WdJNE4V9OVG6)ETT=mN4a#7+wj$E!iN0$TiofJ-hWuFJP+U^8KIG z2$r0qO;VT3H4z-dXuV1CC$*5pv2VNG_g}fKSg?uJ9p8Ih;w^!ug5+chbu?U1xYWwJ zd)wOb^y|j5GAcmY(1R$U(ioFTHT>%dRONd8&jYOa%~tz&C&B~RQs0s^RT%V-s-I}f zCUH`Bz9L`bg!~k6iP&I5AhJw3s(nECG=9+(Z`#8|k^sa{dCb}wf^Y+RVNh@Lub~&L z)9%~k{bWTLBK&Ag16kAY>I7N%s|UR~amf74AZJO>*M=a*WY!Pvw@W`W2rKYia}XyP zSB2Ez7Qc_q${U>gXn`S7+2DncK;mu}WLpfOz>V_8uSUaPO`~;lOpwbs)?3s(V~o&Z z0kra@F)z*{t7*s)Q^w{FNBEH8T{8$-{fr4@kqlzG!g8k(^$x1gDsSq!Yi#a(!IsD4 zFfhyC2E)WOhPxQJ=KqpofQhlme4-T7{)}KThFd+h^IrCbvl#+$l+zixVnBQyyG2vl z|1J*>D{QeOmLnooP^Ro)OzxY!amTXRUdN(5xb&cZRLH*(g+gtkMjv`Mq3bB7?m!e+wIE5& z9v_>Pr8C8sZ}!O`HCHpfw~xKOrJ^{zGftwSs4#IAzgLcK%g1{~?t=sIgBGEcW{{)* z;R!x^5^=xxH*VkjA8y~q!8s1pQ{UdUCnfIgGxWN_#);;Gd^PjH1bUYHM#P3Re6qffsPD zsN~E^^C|X4icuUCTp7bX#|`*^U)5Rc$@)b`XzY!_(+mf%;&E#UHUzY?YRO*Mt%P1GGnB$q6enTquiO$4^n2Ctw z`|IyDh27wXei<7~X$l>Wjz76-IT{@@J((V#6&)*C`C+BJ*ol16d4s~vSsynWt5BLV z{#7Wz6BBC$$Ti`n`Zl^8CW9Mnc7u*10k?Df{-cslF-nSxRfEu%7=ZVF#^e)fnlc1H z9F`cvSdQ0+24QB3J1{h9R&g;S6+T%8m0vydwJgXW5SXlq4NMLXKN@%{Izvm+qLm22 zCl(Zyeb>01Iu>~qAH!%kxnDWbK}vGy)j^p3_E`dMPDGy{Rbyns2gzy*GR-fWc1>-k zgo_0ZCB?;cMdikeZEZp|(S{TqVqVOArW?ybh;LUL3$emf_+!l3tu$w4zPOEz&a`X| zrdsj^)C1*Vrb$hGzU|yZku^gptBsOg>Jpp(J`*?ocP50X7Zn?xadVNIAR~lW_~zMr zBiSk51mnGK-3h*OqbPJp|5X#H&4ZyS1hds2&;uolCs!$AN`{FqQXxaomU0QBpOtx z>^u>f`nVa`J@@_Jp7&}&1JF&iq2*yxpz>wyNkBH_JZw0UpJL5tujC-s;~=oI*$(k- zHa|e2qRp;OXoYZXYw*h^vgoAsDcZ$@l%!*A92a@W*uBYO%{;mO1k?JX30FCLr-0DT z)Yi$tE5vN<8s_SDwd@yVe|7?|J#<*lCsUO}#MEq+EeFC0$2yo0Fa5kOBIo&}1!{bE z$l9^{^vhDga_q{d=FS?USC$(1ov0{^n~5V=?T>|3F+E zJB}&G+RR`u6oiWzt^U~m-mu?p6Y2jxDa+QoY5~F(I>6o57Wo_PI8(#Io;-l1{#N>U z(&2VJ$(STM``}7UY$^E|b^@i}e{FsHb3^YbXe=Um+EzZr*9(`)mec8}q4yW=Y=~UTBI9Z``pU z^;X@!b?H{|kB3sZ^1rO_$P{YOAH8y&Dd4RR=t@iInv{10b*JC)hj~y83XxnJFvO$g5^Hs>j6>Vuwz}JnqrYAW0D%m5+^+Z`T9{w( z;9Sj5GIxd&$<9*H-cojCH%Onw@)AdY9=!I}C*S7lafZ_!4$pZ8&B~5VC0RwEvv|v* z;%1@=-Oswx?=wc;t;&2k_I;8NbK#1DaGkrzGEKuto>5(cFfC8cN{|SZqRXzrOZz?s)Ow>8p(1t_!Y_(O0Q+;`2Pd=RS(CvzaF)!8HQc z0!nnxB89HXTH<*Qyhs%Ncp*3A=N?l(zhz*^Wzw(|7F+0206#GBwq95y{P<+ z?VPUU{zL%-Wj1N7jysHjVy^XSprk&UJfT$tu1BRL-keMT#P*imEXPt_En6jT?Q<2a zUIUbfBo4*?bu{l{L+zkr^s80jVtH4SA4EmK~)InigG&p=a7BvBJz=fnQIY)*Sbj+?6h*)BIBN) zm}Jv3b#R8*eS)&HelEAZL1<5ldL1_7 zD*)xVq*!DdLFn2kqRVVi4E{UCB{!gSS<5G6`+O%Ux0uZaWC{63mB!?@t{V>4271;8 zP$>4jT1@IJjRt!$q=Sz}P zqG|FLu-vvA|9`}__?Y|hHP)+UWpx{k588f=^#rV?#g5mRD0R)JpC{vCiiE;38}kFy zCgy@Yo!mAj4hm7uOD-(=ZKX2#2G%j)0e%25$*n# z&|Pr0BL;41aek8QF@%24S{vG!dAX~?zr91qYWL&vZ2H!mXj>~tS85FonLZu>F;pvH z)l9++ltE?vMtC0KvLudJ9ZL{lFUf|2$5dIbHIECeT=uXuYF7SH=jeBcadvd9dxy%Y zTL`NKtB+1;bi~-(IgqgtG33`;Djs1{{DJ&X@_hS?pSUMG~ElR{^?RV73Kb< zH(5|dq-jiqOEZVE_FWME-h3b(tNSUNCMl-sf+c1!jk-SQ*KOIOaXf#b1plG2-mea< zIK;5xkwleo7f+qw=3o3i&J#4CV}NSA=BGNh0SVXnu|#Qf-!p=h>4_ENBPwCG@QePh zgTzsF0g7Z>SD|VY%qsm*V$`Sid``3X&aH4r9Qc#69++DH$h1CTi zC@43l=joBTlpdEJ-M`dBTViyNP;^M`U5hdluX=s98oQy3uWvkf3fX8h+!mv#`>3Q; zU1d#(XYAU3QS?^0hhZT>-ADt+Hss^$uV}@&;Fzn|1N5lv{OIFeM~dQ=2QtF#F3_q@ z4Bvpjd0H2aAX85VdP0~5&r8Y=`h_NlN#<(?A0~B0$4hEWl=evkJmXhMcJY!91K5>N zg*KW(MMisJPf(KA)KMyBkHz!uE8G737N-|q1dV+7%kFa2&R(n7xIK$kURk21X%q!> ztOH{fhhhY@(x|@Mx$Mq8&9#qRSA;CvqH?uvahNpx68T!KdvyBdJH4ng^sMcK@M~6W zti~P>!-THTxfZ>&J5fURrR2jef_-&z19e^tF$jE>)=-OjzxUFhm=^ks;2?<$fp8rH zmHH|!wCpMgzb4vM=-_;oME6X)VoE^OuW^je5K>oYLCd)57CXz!ZThc~T0|_xTw^)Sj=QkGvc*fi$$4jp!+I)y{7|FSWcXqb%J#JvHmnAZF zX@_hmsBa*6t7}ZPjotvEkK>^e#yIxr?r4+ft!?^`Vdtl+m1312**FN6LEGe!L;FxW z#W=p0QkMmx0KPAJmB+T?U7fdCZa&grrc#=y^$xRto^|oH%((3Z*V&_spKm-!4CMc! z3WJA8A1FT0)+}*)&apP#ltG0O|7s{%&uPQlU$_6Z9PtZzl{295^~(Th>yLFiM~5@w z`wSmnZs&A(lI(tdL?)Am5 z@V?4FE*d*=jcA|sadv~M#J|Dlc2ZSuDTF`8-x(jE;Lzph_|ZRjMgNH<6-||aa!Sj! z`X#N7SMx$Y8{xej4_wM<;ABrN#qLtc%{DRHRXhXj!e+#8JDNXn-RK29-cqHt`8X-f z1>vj$KOqauXQORSn+uJsCf@d#^2DAM&=GMkH^XtfIm}45XdU0~ali?2$2(l_icxW2 zRqcz;0bQ+rRE4jCevx>SB-lUC;Kblvsfsnr*+8S&10P)TA>--z@hcc$L=ptc_){hL9Y zLnN;2)(0bP^MPU(JnfJlMS@0tV(u8wXaS_gNd01e>WMm7FV6;aJfW)LAdsC#Z~?ProXz=CtD@FwaB@x_GMj{8kGL?-%02 z>y-wyA%3HeymN{_Q)Q^-eED+YL9Ew6fBn+SN;|~buD#W1hxf(}vaM^-Y~fRPC?@N` zOvLS**ei>xQ^urOg2uOO1#iErvayv)=hD7CG_NSN|4c(4t%!)I!# zp+%q+M9~LCM4Jp#6n5flD@btfVq8BriP|MZz-z&c_XrE>vPa36Cn=^tJ@U3y;$o$$ zyu2wFJ&_An9_-^5xaj(~xd{&(V38^B;Zwp^bhgM`z4|B&#$ZGM|Ds_b_BWqEY6PM!5jt>Bk3Ow^{*WmQN=%r|i`Uekx=>+DeayXzM> z$V_D4;5_r+zgsj1Fosl}m4=;&pGeX$4*4<#cGZ9;$?s{kDPBcCG)ZQ?qVlO|u^l!N|k{d!d9 zy*MfHG}1o<5eaVt{~dgd7~=oW+u2Im&W=`(L|=FDI0aEyJ)#Nkzs;dY>fv{ej}Bb^z4^L6G)y1JO2nbWCy6~mD&54b|W{^Xp> zx+Lz)+g_wi6w+(+jX0SPJ(r&!!!-czh^v=gaGR&sj2b+l<-k_cCHT2_ zzKlf3WFWse`=5o$VZg3pvJ`1_8ZqYQ+b^PCt6XqCQ%dJI756yc%+)e|r4{%=`|HV( zcOyhTI9&ECn&ECqG@y}wkUtu|HePmZ#?LwNUX_IH`{no3cMyO%WU=tbPxUF7W1#z3hP!#B@F4=Rql5_!b2j-obbqu^7p!IVeR_*80)C-c90w zi-nB%w(*}(9H~u8z6-3Ba?2x6(7W%bQy5Q%S)YBx5nZZSPCzeVlS3I99KEYXqS6~9 zxV^LAR}m7bYx~V+1Ksjq6V<9=v2)tl`aRxtD17gic=y)ZVI3#S0fxJghjDk;&|Mj7 zH*D9AN{|8I)EyWj)+;{Vl!&O1aLZDT@N-}OdpK2<(NU#VonKYoanAW*>|Wc{q1Ix` z1#XMdmK48z{N;LXaO@pisqv|R7sXfrf;(``a1b-`2lp0xO2D`I1!!H~b8 z>*7I(NXtgV52%e=FL~RT_wcNw$3%&V+S88>$alj?_C%|DgCwO-Gt-J=Z~9WsRS(`y z+Hm-zCI)~CiOZEIjkYP$deG`FfK+thSEZn5{`9FQto5wYvNI@?3?JvA%7+?G9*$KF zqOTG)k)(Ze6E5mH`i)Ow+V#HJ{`$;3k}8UKTfCCHf!3w9HokwZZxlyx)2zfRQFZy3 zevzKc7pu$gdJ9R1eK?%ogiP?8DSGfxx(c`Pti*8sln4A0yvxnCpeOHuE3NWj%lNT& zf&UKvA2BX=0%9xxPY6YeUzj(Jim)8q0N}c8Dw)IK1-$f^wqRbugTfaELWgEd3q4`6 z2G8@RgU4A-&R;Qn>Tn>L=NK26g`>Rl0FJ-oAdw7-7khwE&l;SWKK zdXvi=mTQDE1N|>>NgW0IqZdiHO*i6CWe)8gj0L^2*b1j(7oI40pu2upAkE>;kjwHe=sJ*?ygVY}^`rtv@s-UYz3dXAMjy zPxkY&?fo6Sq_u0XY+>^ut3YqNH%yWz7Ejs&p0~C%3}J@p@JVNW_%6q3*oG)SZ{WsU zg_|@u^rd{47xCLRhHhSs0?09*OgTTS3AA;z^kC& z++5Wux19@v<&AWrGa>uJb_2+gHLFg6bY+z4axoWd-%9Au-dmUcUf}D?6GnNcoWWwm z(+t^9#F%%NVV023cx_MXY*s!0m>@PPU`XpwT>W<3J$xpJRY@Mr#F41z{+p((x>jx_ z2YTiASchN!F+TBX=;(-Oj-5iGi|=0{*~|J+P6!?ZT<~F%vgIX4#o3-vqqS|X=|4kA zjr%8DWa09JE=6v_ zibPw1aYZi?uL5iPOc56UHijaR^Eb#4!QrNgt3}C%>{B+qO9yo}lVu)EG)1k$zFhoX2je zMLQtiT*!3RKivB~t#m%}ZmV6#EF$>)2Xp)0>OiK+{7AZB=cLjgvPArHcQ}AO_>@iv z2d)?D9ExT=F??+9wMGIypwE7$f~!;NVs%L zfsP$6xM85|7#r$jGfO4Le0ys@e%g1Rq)`5D#An|Z10G+zPI5UVgM6L2FEclP6<4V` zzAxe&!)w~Kjy~Xjw$x*TKZ(zh%mKfj;Gi^nBbi?84hOPOPIXf=+Vk^}RxnXWit2kU zYi$Ke61r1HExJ+V?RC4H9{pd9W+n*xlkq!FK;)dXi=Sntsb7j8w5@hoWc&vwp2R2w zN847ugbVC?s>QlLvo?4{)iEuhaBf2_GT^5F5EcA$_u}((?%4MBtCmr+(FV~cZO7Y< zsZn#YC-vjQR>~@GbJrMNpr*x}2iwg&1`p4l1!>p|kP|HYR6#gBP~A!2zsQKHSEoJt zel_|EZ?g5qXJ6y4Tlq(4k5X7s-Rif@yU%ss)oR<6jK|PgfrEr*BIeRFW8G1hIreR2 z!uyo-S0#Rc!Z_e5taEDP-OTi#r19MH-}e@-Oih$HY^s+`w*+1@6f{G#F7za>YfaUd z_cjk()d%$XjN`hRx|CR!3coNsHw}3~?SKewWmPE*#>Z?vsXg2xLJ#|ZW}G=!8)nAG z{inT-E;rbp>Q#l?mW-3oS-k?INg^8W@q5OdJ1ywIMg9^YM;`rW*OQVIkWmqrp}u@{ zG2Z7?0XwqLNHy&Qcmi&8LaFAE!GH^7 zgeR&yjMX8V*DZQEcw6J!%-2}_my+B8nZ^iMQYt?UD-~Og?FrKtVXE|H8^# z{*;re0m()yi()r!wCMO_<})FS8&6A63lfHACF-D$VBVxaq;Gg^s$>{@JtDaAJ71Dl ze)Yjf1Ip=Mk_Q+}uL9Jmic~r-`AqAP$=jkY1PRgkf9*UqS1PJxy60|{v1GmAT50hk zxlhijDk)-59#Yx#8uNSX4dQtofxLSi=g1$9{pw zyFaghAWUSvI}6*+LDjVbS;k2YJ3e>5s01wx8X8ogU+nw&#S zFCYHmrfO+47ISJv{NwB3d;tCj@VVxcp5ut(Q1gr{zfgtiQOE1>yo&4`{iC``*m{wD z$P)B$rjk9bs!nku7fgdIEiUNWqY3{anUOyaY4ZGjX!T3Bog=O$PwLHdBI)OXJ58Uqz{G*V~P1hEe_9e%xLg3u?Nc$TW%Z!|o&^z|P_ z1$1q(H$ZICY7E}d0`MT*>XlpjZ1CKN2UJ|tY5uZkUS3YKa4JOGOgCw8S6B>GfaFqlVnZ z-Nr$|6<`oMoFlxrO}R1#URsiC7kEjd3l%onE;1A0pAM*OaE7Xz_0+uciu>O{^{{QX zgg~y?INatw>Koo7F52>&r22x9Rid%QaUdszi>nF0^FD(}dfXm_59f$rQ4IY8B3Egl zw6K8#61$JjcN891cR@bljPvl7Lz3`P8G98W_zyd5JI2Ix9mHAg%2eT$ zKGyWPpnbm-`2nxvbIrc^gHwI{UWIj+ykj3LSj<|1v!iN9PZk_c+nb}WjmJX$LxvB8 z0n+x+&wKw@lKY75r>X#^CF8s`Pwxwyo)5V8k*ECP1)2U~k zrBx`LLMh*ds7fY-&oSJzAW~WDM75^+QqSe%cDL+_-*OAGZirdtPiGIet$Hq+k>j(ekmTLU-QHy^ zDZUPM;Hr#l+N`>5d8?msmEm8F6+TU*Oh+=K?aYH7cr&WGAJ5}JPNJcgrm5A5e2=FP z#!FmG0rkc?B4X1wU3I&(`O(MR)J{Y`#Kyp zwmDYuJNCcf4xf=Pcc3qrEs775%6EsU{V4dbB)7mE_W6ifE-~11Wk%b)Gx&m`uS@ay z$k}$mX0*bBAUgNr6aCtVrJ4ay7Jr%PnkPI%wY^VP118q&obahoj!3HQXLk14kJr+@ z6%Q_$e$b;8Ed>`YD0}kC?lq*Me3<7UPM)Dh3@OD}&!KoZt9al|@0m1|Js>F$!xSXeA5zss{WV|^>bOLRwo55@6E|@E;OxN zZB_%(>_e5=FkC5IbW3LWWqbvGXLdhc=MX%>hZQb{I8GO=VUQX3Nt#|$h#Stk`+okV zZu8DNt+!=N6Uyk(VGxu=gkP~KhxW5l7lcv+jl%Uq?R!;ankQGms;X+!A?y2HxU*iF z;R2t#uF~YfPm(8>gQ*^{l{mdCP0Nw?`92!bRQUmy*Q20!s@6)k%ExWzc}R_HyGZC7 zG$%LL=3`U6@iTjI+Sle$;8-RUZ7#I4Hu8@3eXXualRh{XDIQkPZ>Ws&v)I&q6l`%l zPn?RjS)k7SXHeU{I|K8J*LsLBLk5iXuft@reyX^x1aG~&O162GtW)PZGM!5!^ffB@ zEaF3kwhoy3$cW89MiwP(UyMZ#hzPS zyOJBC^E6RCf_>(BqmNn_6I`-u*iA0aY+g8`Jf`x^e}@@~=NvqEA`bUSF-bq4)CI93 zzKZKA!dJ{4*^CN5)@`^ZZf|>v)l4dns8k3vk@MMx6e*Vg{kBxbQ2*9AFn;<^!L2jUJapLML*Dg<-`&$piC{Ae2Vucu7d za}=_kiHIXJuO)xx$$nItO2cPkV>42~O|9B~4`vc`&GF2vOkd6l-&G!zE%}lU1YJ-| zTaKQ1{+Rl9))N|s`hfjQI${=&wTC5~=H_`ywVic;3|;FUNxyeFpDKD%<>6^$#g#K7 zry#h)4Y`mL&k@NpN8SyFkXMgcXiaHn^h0z=LR{xsZp@lDIDU|IZu)N zu-FXahpUk@^`+sd)mwiGPJ2Kse{ zdoi!&c7mzHZJQTemu%G@gSeet*6j6fSNAp;NRXNrGlOWpa_XGPA|nt(3&i*#3nkT@ znpu~^LphI~x#5w_v2o%oVsjeLP_uhRuauUSqp8LE1>nT}!;*gj7T7uPC}7cGWC5zA zScG-{E<)}={_d_o_xVwHQtstahgsUSiPqQ=(-Zd>dU+t7qSMY}+~h)&s!j1r$o}RV zo$L2YFR6S*DsG}AIIWe?(^Pyq;a#@uev|Tz3HY;Hb`=S}Bodo$b@Ptb4DoA}M?W?x z&D3HB=J4bS`3FBxKRICZF}U6-Yw^s7hB@CKwjtDD|GIQSNXJJ=?e!b+`n}argkD+Y zg+tLT5uH4^((nb1aiT^P7ZK|MaBu(aK@J2sK-Vrb2t^@vO72{_4V-}^uYYz23y;5n zzwGZv{RPLsR~JRqB>$_QMWlc4-%aq2@JX*LZ@Xd#9A8ODv+*hq8+iWd}67hw;4G=6=3Q=}v99`PRlm4hw?_eN{ZN8rm?w?JL5kOYUGyttf;=6tQ~ z;(tDGjhn#T3jkq>-5)?m?RG)ML_>fNFNeUoBsqWOUp$C)A*6nf;PT%Q^q6E?Sillx zZw}esPtO1J|DL4({UqPtC%wMyzB7g;uBIEiPI~SA4`qX+XRm`50BocP3x-t(-0aqK z+)eFvG+~J$(&UlH+*_=6!upcqZ&OoI zYmYB|GYN&YC)g|1KM6c||4_H}N=t5bOAqg9c@l<2L!gF1oNbE<$RYz3Lcel+4zOkK z%D-ZmxH+!^SdKgV_ddT4evw$fc?*}Aw|F!0X201g!@lAoF*@iC@26v@l-Z;E3YRaL zDe9FNYTE9g6-9A)tlvQU2L=v)d`Q=blu-Wi`qdymO^?wrSqI4oraxLT3-taka5eZJ^Pa?w6`Ke*hP<-7d}ICO}72x)Y~u<#`C z43h#p+g-e{Hw)Bhr9vYVi)84egap%H*6Vs<<)JUE%weQ?>8ckKug>@veFqY(Py!?u zF725Y^%_}1%-ua?3^ss%Y9yIZL3p+ak(1a(te-wu`jCrOYn53@4J<#J9Qey?kW%w1 z;Ky%_c$yyrf4zj_#j(qZ1Voye-8fA9jutT&N)48H9SDQEbx5!bSovKbg6s?R8lLt* zKd6q-AacNKoxL0`Pn6 z#ihvdqwwhdIKu2sT3&EBC`EPYGw!kdU15kYM!8^H!3c*Qzc;7FZj&t@6QUtN&dWqS zg|*+;iE^HzpipS5%i%aM>twqTA;U+ za&V9D#$?;wL!mK0o71ziWhRZcjGqOGcZZ(x9Z&Uyg-OZ0brg@+lTu2PGH*9@0B{R6B!!{* zM5DozJm|}QZk`4`d*mlIkJJz-ywt$UBt|Xbh8xcV2V~%VfT97Tb+XtOi6IRHt?jAk z>Ei%1`U>d8izHgZmVq==YU^lT&3|%EQ6oVYN774OPHNFi~S6lL`U+ z0@_WY&TqIx4c2RW&JybHfi~T?fb0RVHbtkV0aE$X^b!;?2Cz+FndfySF`Xg5`~=L^ z&)=Q$!u6-xy}xYltf)~91HuR08uP11zkXrcBbSZ=wu$hvGS1!4uM_VcZpC+NgGR}K z;k|#h)dNdSYz{a*CJGg36O@%+((t3fiNGbeluWsS>q&@G{Am$yM1hdmgP||EcIIir z66bHnu7o7fiFd~X=}@9n*DslFcA*0!CGhw6w;xGW?DC-#Fs1~gGSnf022V1L^-=*v zz(}{ApEc;WyDZ12QzS=IbmI6TlNgZ5qublt1Nt5zg?Gj7$Azj2Z-AD_@Z9j6nM$i3 zxfZwC7(j)1n+wh*l*Dvi9n{DhETui+S~QuxKK5|P!iF*imT zVEY|XM3`+4O{FiIJ?2&8zY8T}47sQw@B|ox1ty$gXq;etGyY#I-w?+uaSK{S=ZTifSTrFF$;Njo!2&-a9o4+o)=>SxAmoX6*&z7 z!xs`a$&-k4B*2jI9hd=kIXCU)w-Jt}v8YGn56XX9=?cD(3pwV+z3W-A+#`-FHCB>M9CXxIK zxUQ8GRUn{N@!DP0pz;76>{74Y^o!KMnXXfE3P`!sTDFQG|=3Z=x+awCtS=*x8Gq1?SLh@;0M z4gie2U=BIf&oj)sk8-E;p$(*kC_*%GiQbx2zo@PRk|uT`d9#}z`h)P<8?Y({T!)DkT=Z9Tb?kmuw=_riF*r5|W}brw1R zX~@(RCXhB#t}mQ&qmdU^26cJJfk7Hv%A0PkNT;=X>n^VY>lCfA+JPQx*w*X7NMU5y zo7J@y==NuHH_jAmY9 z!4@`UX`BuSVMv;Uf{Xy106nVxA_lz3H3nIwu%_&q*AJ_FZ&BeT>Slv18uX6ORR|KV zKT-=ycG|GPew9lOJ2pqxI$C1{Sxg~g77lpXMY4!2_Hl`NM##7iuaGV=Sz6n^y@(fV zL@-{(5kQ@YW5LnRBU~_77*fHd1j}x|CQB?mm)GJ_?#;Gr=Cont;^N}fW`W#DU>Vq$ zs=1#Vkl)3_TkgjS~iOAWpH(4D%(gDGwq$4Hkt%qe@Tl|3+R3<#ch{L>zU2F7*eE6ZUF@koL~S9B?8 zCEnu`H5#X$&J{nz+|&T_>?z&ivfIi*t9K%Da$3R_%%fC+B&MsdD#PmI%}vmEeh>s8 zN=8-8Sa#wCTke9i0qx8UJs4O6?t6yHPsOg4M>Gv&?3R9s`=nV6L)$+wauhi37%90n;WTVAErO5_WQYSE;+K zAQg1AVqjaH?DJSr3ef4LfW#@_=We-_ZvNMYLHg0%3xMR>Yw=?o6(_3kmbTaS13smt z@82n;i-iDRQJc?ty433EhYuzNx30O(hMPUK^5&#(nad>QMr&~ zkd5Qnle7G8H5d30Q7|jJrvNr)iZ}RhNIVc7ziwjV-9*BHG6RR?150MTac%MRRec^d ze_RG){P;mY!;~s$Cb6@tCA`a5LVqo&DU}!o%_C6}ek*412!H{pJF7&WM;{~tN|?Cp z70?BK5iBviT(A@%0FUen+*_W1c6a%mGc2Jmk`POAEakt&l+L4_0PsyhwtG62v{#qw1`Ab59d0<6wJ7HC^GMA9urtEN{t&W_yIA$K?tsDVGH3#RwBBs6;*v!F<|3^R z3P4kdl?{%=IO4Sj3I#|-lkifN#00u9J|Q8Y5kPDWFR3)H=Ky_EFNM0>*swRy?>mPC z1hi3xgGD3>FV6NofLS0AoQlGmPjt3^9c&O{L7j}>^^xcY4<1lLf`0zk-Nn_;9+}MK&sG?#uGos!{}T_exS_bE3Zbm&bC|ti~fIHeRWt=UG(lS zbl1?`gP?Ru4lOl=h=fuSqBMda-JK#x4k(BUh=O!CqI7qMNO#^n-|yb%x%d7j;GA=2 zpS@SS>wVXX)q}$shKdb%1`PS{q;{YOA#@*oimpYr!-}|d2?)cuQ_twF(K%#R(lrAF zUxj2f^u;%IuLq7=I<)-IWrykpPHIxFa!DH*^W_{tj0Va`12}LWu~r??Dg@ZtEcv=u zqW~Wn3IGw8I?DLxi;Q&Uk9WYJ)DlRO=IA%=2D@7r=)HgTYbt>Zoe>_4vfVA9nq!I*VIi05lAh*N68EIr0lkISNfj zhO53s<<)}C6bpjo=&LD*}GuGH~CU7g9xw(tFfhZ zur0jR(7q&kats~~{tZ#LUgIpW{6^PD>4A-S?Yy8R<;~T32R(FZGD?{2Xz1!bidNK~ z%x$HcZHysH+LPc>sTuiSLi^9KhRA@6BMmKW_MW`IIWn&)q*kMZ=|oqfo@_YWA=6gM zKgK^AVljt*y16{vjVV^zoo`aBd_KzlG2ALX0Xc9HDf9Y(m6H>zKSx#x%xX}X=EMPW z41&vccT@ILEziK*rhz&yXQ5RM^d3xAVT;Q1WUg|ar#7hiw1b{>_HwGiih%Z+KUfzU zsU3dU#Rb*EtJt@|Yq+VV>9m*P2I@)~{Yj^@{!k$%pdCh#*v@V>hmCe^qHK9d$bq7* z($Z2Z6EY3#hWcSE+g|DcdV*sj?3dXOa+gvh2ZF880nM{$xfb+b;qE&FJ|SS5M06!) zg=*lF)`v0QH+`mrqU6kr9JDG*gU6l$nBQc37R1^}oUkc6Nf*|s3KW+gIhPzlG55-V zzhdKkp{HKv2#NMn_9S**R@cbl?fIss{1Be~ycfr1^Ol#p3ZISjp2AZZkq{Z>USFx~%7LSm09j3M~6{A9yPBH?ac=nty zf(_gVT1(ToeJbAPaKSQrRxjYrPfK2sFr6ij58`Zr)GY~aF2RV}P=41p&el~}>w6+;l?H(nw#(HNH49$d8L&>2@I?2rD8Oy~c5 zpFH$^j;w4Q2H@4M++^}l;*aa^s9lFe;kRcG+q{G@3fKTCSXAlUQO)@OK@k)MCLk7N z9@0M*G4))QBQPp36>xvJ3K0d3B^%eLvYIHGUY;*HPsp zEx5bebW1(G%w3TR*F(IB(d2RZ`vYJHDdJUJ65tu#7?N(6P?Y5kwUpO?FCI5q_R0xg zq-N>-S+nwnnsb#`g8(4c#_3FG5${M-K@YKixUTEEU~Z;DgHW_n11?@aiy$WvA@uIf z!{{(}HnQ_4++?KSy8D5JMW*(jDgWgt@xa_Ip`FTsKQlhAUj}kgzl$q&pP}IzL9ENCtI2dxC%A! zw+=B<7CBf%AIO|Z!9-cuI1z(55g5bP0uDg?q6-KUa2n7N$J4Bhk|$uG?_H9jI-lb^ zz-@(#@kSVZ;WgL%S*rxzIE`AA3w+lq@UFRtD9$l z(qP>9cs+np+88OOL{IqvDXQh=$-ku!FYW*{+X;{b#o;8|zVx7h0i@w)Lk&Dc61z%! z!{qm8lsvjA>EMt*Pf^YT^J|u{oNC{3au;4~z?`FxK~AV}!O&%7x&B zuSf}cVpL;(V(s69(NVp0@KH=kV(=OW_!QMaq{07$&g)%`7q^yz0AdgrK43$YyF-9u z>?RoaCHw5|M%eW1tho(T9SUb4qo4=|MmOemi06_MM#X0Yo5b#Q0!6R(pk6QyvO_Zf zm}8gSIoW;L+Hg*8Zjc}1&3<`)2ttsi5wGnDA#xs&q1^}FV0pfiH8wU@d+)PDq0rE) z#7Ly-%FT6TKQp`(%#b8-KzZ}VAi_fP0hWNU_!Mw)2UuhF-~YOkfH`1P!`{Pip>Ae; z9bQ!Z$zJa#6U4DY#Yq}tJ-I!2?C~d(u1j0#+4Y?Fc<2pVUjOD?SlnqQl9)j}^4$U0 zCXw%U!3@2acb8zMP)so*fmyZ{z%VY?7oLfcpF&%QhV=39dl10?ENpDhN-2vT7lTnw zppYSOTX7P^X}dY}k=@kg>dci*XmI+2gW=%cf@p{5l=#@A)*$$>2``;4w~pw3fRv}^ zH)a*4xRbPhcu47{WKafwvi0Ku{F7X-ewNH@eH)b{J%HFMW=tpYp?6^%5jt5miM>|! zU*r|euYe$^=xR2x%?&AHRFjSSgk`a2tU0(7LHYA9PJMm7;2X)i2Epk&N*Va?^-#1WDHL|I_2`DD!{?6?EB;veEYSGmV0LgT}7yCj6 z>D6gZMMchWSJD{xRp5YH>MNh`RaG>9S&Yh_+zquF{rr$U6A{q+mJgQ#zc&(@RRPHy zdkVHJ1;_gxO3w2W6I)zPRpG@M^Ab!gbmU@pH3RXz112v5r*p@<9&yFiw~{ z=6Fn4q8*DOK_Q+dA!K2$3)Q_h2q&+Syo>YsP)SLnx^GE z)f6BvBO}93<323P^Zw3TzDM_xT=Qt*e-$#wk||Bx$y1O6V!%$22Y*cP1Z3@~)0j4~ zU+66Js&j)VkbLNz@*pOj!wP!Ah13MlZ?m>lxlYq>cSkLSBCI2Jm~>n^-!K}9?fi6x z-~ir?txWMFWw|WI)!njhvE1+950yTak1bRy98OwGHVy^3>~D|SKeC_`D)26%>4SBx z2+Q`6U*<6>5JHu#$Ri(&o_40qFpV|Elegl4U6Gy@!Y7*dFVXJjiO`J9pi{SnMR z|KH~@{`IJ>>rQNys5nL9!*iQ0H29$a`6piWit@E+2WA7n;{Pu;K6g)&-*4!Ffa-tQ zbr$5=Dcn>spq{gQfj@Wc>g>Tay0*aL*iZ$k7G5hed9eUZ>9!WM&zvBJ5Oi}e7R2Xs z1ztdW=sg9rf4D#9EY2%=_b_64|D2=noWJ|~IJ&Ih3$Wz+??m^=g8^7G&;SO9Z+vJ1 z0ixosw7a`K87#-Az@na0U~oO^`JWmIvyw7MgxOv#uad{>sp%P0M88&@)g0b2^M|y3 z7#@6RMeg)p6w=I!<&lu5vo5k!P|h|(z)UoZ#_-ghr!pi;{D)bGpmaInV* zgXK`*<+au`?=|jw_?xGQDMZGiymL?l1q!TyQ? z@|%c-K&=@oHd#STgP%adYSB8iVMRv>w7V>ZksP4&%AjDe z*WbeIz*bzgsI-We9;ioY&l;ujT!UYn&eOTZU8{Kyi-I2pd}u(xN_P^z%xKSENDsLn zpn!nb=Hxt&vRni1Mk`K~^1@F9;sxQ+`hHqC>%gGFZ{H$bQvSbTn>=4ApwhhG5`BHJ zk|OZ5aiv(NmW81-34a59Vs%`fo6|K6=+mK&v)?Eo@GEe?VMBJIsmSEshNc)!>e~la zu4Xmni`^N4{P^vraPQA4{9P#_R?sGp+E`9RESFa-ll2pdZA-fRE!56S;G|YeHZ~J} z$vET7ohJg_rzXhR`tU<&Av!(q33%!aZ1>o>0mKVwrn;O(#6lV<*e2p}>Ve*yC7jf! z=_FuT@Y%@(P>F@o**@n7&sMQ2|DemFdFa^3N9kHqNp#khBakYbFvt`qk+7MAy9J9A zx;fHrmBvXekb(aEK6_pza?h~H+jT87J+K8`nz6;(SSS&J2-6q7c6!K;By1LiP-Wmz zMyj$FaZ=BY>dfBsrlJ9(=)f^V3+{wN$2$RA=y!B%myQC9ECShZPG75ehz|5Qk;)V? z+{wm!ybbih%fHegkP^T)m9D9)%k{arlG62D>WaXJ$AXo$#Mu^ym_k~@9db+ot5rc0 z>XCfy0!U-!dt(Rwjam5V>=alykrg40O-vfWD8db8Nd01vzUtd$8>kSPBeHAl zN*5>+$Z_#9%@mL)6?Cz1fW-vJeZcX^J&87~6?Il4R9>-;L6MFu69q-9LH3HI4TeX@4(5;@h6xj3UD5)9ud(1E(%D2fFiF zgG`VfTkKj=Byc~`!s(p*RREPVL?rx2+jvpD+khKhLDC_%e{7bFh~G271m}{>^}raPr3YNiz)o+$Bz0|JfS;19ed*g=&y-CkfEXSOwQq) z%d!5f726AQ3&*&R;T56Wx4#^GtxT%5TeXJs)_UY^;uG;XBbx;fEe6>X?J3S+ccV*- z)2Kmh3w~Jb;-_7c)_r$`_>b-7vlkO}8|yl8h(_FA`(d7 zMjfUq9P9wB&}oo;)?x`&1uU7?ZX8h`ua$eSitv1=*LCmr>2P)(=Dc0j+4}nOTkK9pq+;V`^B!;1>6+tfVM9}a{l_CZS z8HQ}@+sjM7;3msf`0(G0mjo{!B&~uw`(fpTDk@(dzzu4S1Pacsr@gMO&MA5IZ>sR* zWMr;r&IeZa{_4ZMiNo%xsS0^|f+V0YwOq0=y;}+i&R&o@dh1_B3Suk+Cbi|vGM_I> zy*vL!FY-zU9=|O|k%3B|2%vZ_`ZcJnj?_B+5?LQ`$&B#@N_Me>nOvk5U-(LU?@>^b z;LCRT4Y^PEg`fS7)U>;2xvVcAoAWOih>;dI<_f$I5AMF75bGqF&#r#8NUx4Op!&n} zofXs=F@UP`R(P|_*AGI3=>muYF&B>SO|78PT&$tN;HB^yl*ZzBCxdgrAEDx<*dwci zB1O3{h|;az?JZFJa>1@76fgue{P{VQV3coRzoE;x(nT!1nmGKn_cz@5E2P(uH>A1J zw4p*O)}-iPHMbb#HG+1&9`K#2`D{jT7E zT|X9x>M##G32PHKhb{t4PBn^xD-v?uPc^K<)}PbQQsGmdkwLdx0qN3Y~+M9>MOHWFsQ56kKh^E;**e`vFe%e%B<-%d&#De>S=| zbqRR{5N%_``)jL?GPS3)zo*68f_n(VJdo4{w$^-FOyb1XJV%rUpX{X{9>983GE+Cz zb9rUI(myUow(pX!)>-i+>hu~V8V{h-D`vL|!#lBH2-f=Nqo2zXSmbv)>!f?!+tuL& z?|#Xbx=hv|5G58Q%LXy5?<{ssf;z%?mSQX%xED%&BY#`}?SsW#w*WQ$d?LhFMR5Q* zK@oX;cd8gA^Lzl2u9v`vUkbYp@rufsa z3?YmRO1%EGy9_KAJj;q!sKosRIHxEzK^T!CqD}M_YQTmV`x!h-RWhoQe0RP+qARq< z>ZP*Qv$c)KpB&9;5_aSe*3+u#B6FB&$NYO29gZW8db&28{#ST0W)h1{RwBYSI%V#t z1(ivBzk|4wo7QAw(Uf+p@WGSR`-R?6Y(naKFEFi^TV_( z-CXPO;%vQFx05?fOiI2aZA-*+pG*oqk6HU1UT8~B-nYE1xo(=Nd(q-H)8L6)Dq>z) zDj_G)Z4N&w4@a28BNw4nVc)(w2kBF3M#Z-MJf0rRFQ`oKtmx@t5y)vEqfpEsHMzgP zc#S*a@B|k-dW~kfWoU%=;{1nN|2LmS`c(d>&|}llaffiAnv>J5)0j1QLP2;TpdE4` zTs-G)hn6egV<-`ZX-BL{25icJl1O?`E|UlZ z`?}BwJZV(uaC`z%}*(P4uJs z^3gh*Fo~N6Po`lr;@c>RXIlS<3y?uU7{&?HWs&VTQn}50@$q|-^>~r{Q?nWu>=fA< zply397tjJWVj}lT`Z$)2P_u5tAQUj+o^@+teVq#Sa-PFas`z9V^gxXL&*S_%Fi6;palJ%E(C)nGRbi^iK_7_et_uUUataZPY00c{39Qj;r``J-dt(YZuIK@H5 zLBl?)1y_`cjt2i&djUx!nmR$r#fppCuo$Pin>pwz(_9%)mKPEtTd4a!%tUNUIiBDp zrfwZ?qt7)3-H;tDVEiZllf^KA^W;BDXr!NifDrUJQsC5nPjm?-WqW-Pd7J`j6$x_Y z1Jfvh-n7Dge-8to-LyRa{1Nz@mUG9ur9ttF;#8Lo4`rXh4`}*$m=gzg3OX84yNJQh z@x(wiPaNSd8;UfO3!p1)GXvSH?+5iHXhBhRUb0H);?86(u6to$OObAF`zid;<@S%? z(ar>J$y8-)p;%_9f>zchL5vACTARnKPZeT@W7Ypt7HIRxO(v^?t#9$Bi2-r+$E zc5}_aN@x4yQlQL>F}f~@i39#K9F@o5{f-BlI86re@=g@CU!NLXjKb^C4m}WqvD!i1 zC<#V?`A~?6#L~%ObnsD82&}}U@i+Hi+UYg=XkdMv4=Q}QwR|>bVbhzgvA`t%j7Yyw zJ!%nC&2p*2b)q5Qon*}C=N-?}rCo7!vZaD@FquMWCw{)*E6w~Xg_{ZWv&0cGHY|=W zZ{uNo{M|+`JO&VD&)Gj{p5jKs?nKMQUk8v!gH2*_^dU*oYmpya*17kut{}vmhu=(? zRAl`+ME-|u#M@`uq5gOsS;dDP*Oi$@Y6U*pf)%%T6;AvOfm)ll{ycDu%@#7bREhx;dFEc|5mF}iDLQE5!Iu7mn zEe*PG{=O?t&F9Pjl7Bk>)v<|u})eYPV^H23>01|Ra1JsbbiYQ}Y)+_tQb6+JPpRCW+ai7Jy* zNyxELP}`;#pi`MPqKF{_#HMbz_6k()+aVWC!w$>(QwL;P$)_peUaO~>R5Y~W@^ z@g099%7h$y&FcM5skL7+SnSU{gBz_lkNha*E#v|W9lC#Y(~Enhl-|b|RJF%jk*T}} zme+3bW_7MqA*v^oLc_<`J|v-@%W2iFf1g&om?w(x%4tsfce7_KN|-tB)b_OI0DP4m z&r}8zukWg-@$pHInf>Ig_+iONWO(zmwa|85r3%pG544S8_=O*nPhz}9Yci>NQn-{T z4mrKa51^iWBW+<3>*U|qAih8Ub;#t_SY6pmQ<^K$MW1NjUl=J#S-O-col_`_Zzz}W z?iT>KlxXx@e(usQCLieEoSw0tDGUB|o+IfOi)lZV_q)RCwasb@(D~o0%(OS9t75PN zI>InjM6u4)^OG!2YCG5zX$ryp17nAjEwPP`e*2%_9!(AOXuvnf+WE%s6{MudQuiIH zzKwp^!E^eH`fF^K@CS-$B{dR@rvuF1uld_nzq}i8OynT>Cv%S^>-y-NQvX(zVk@dh+PHzu?HkYk_V{tH|G9=3!nUyI~7mLYXad(r&$e0YCh(2tE| z%OHoJ!LV~CfI9z0vD=bS)n;k_HAVxD8Ys=Z{%leO{pmCjC1R($JTyu;;p-v*ehd<8 z{G!spH2q4oz{t~eb>w%qXT#koF_kiAzrCYL%I*8rxP0|v(c*@P{qsYfm3~tQrZ1_` zL_rq<#SPPCmTf`#MF_QeN=`}q4P@%7D$x9OF9}iZcS!Qp{3o@17II$hpR4(K+>9y{CH z!+$c9D6f6ZsPwT15jXzh)DkKno9IKJzG0*|S7UOOPq0OGc%Fy%CY2-iMDm=WZe#?< zDwC5xRs#*Hp4dB2>*cYc_MZNrIzL#UdHMxplM)Y|jj>x4X@vS6yd(9VxpaD_T2>U8r7j`rXcOnkVOD_Gv7mR|(Yixflz{Si$cME0deW6M&-e=nb9lx^CjV&#$;}Vz*d$VdsQY3I%uKzPXkO9MJS8Bo?uK zdW6a$Bj`nLPt;S!jPb)P=9_#4zT=~Il?t{GK9nHM@ERj$O}(sl+!Cx~ zVKVKR*`OE4T>BK39;4A_RU9a(;;ip8r zb+6N|BfsbUV`J3J%*;z4%K&2ya2s(pl)eM7n-vbn17PqvQP@w+l7hdhtgx+^?*(2l z;PsuaT=Rk2c^+tMefn{SiD^OZ7cpqCMQIR=u9Y7RbN>!~P2o<&aG$ouedPw!KrU4X zs7LMJaX$$QCZoHPWZzXcskVJK7WEa1rn%nL;(sV_XpjS>$wC&GPP2_s z);tLoA5W#RcJP|tl|B7t^;>v*qJl=?X#*Ku^e-M~<$KaqPSeKiH)lN@Sq)^2H8>%m zR=X{;wD+x`Q(jdn3m4h!l-7~0=u@(K=Up3e9fc=H7pvkZ1A6M9)KPh{3gbqz-)^tu zIK_0MA3Oc{_F~a3tHxJ#o5JShDC3u^Qq@N2x!{BY9?&P7{a^ZIF_V!OK@WqzB=Q6> z1ATIgGb<2Uj9fehOmzATekZ`x?GU6jC9CjBDpVvky3e?qUGAyhbM5NtitqL6RVS$V z0D>yllb?>`rE!46XbtjP`{6?3sh=-n03)PrdfK#Gp-?MhZ)=pVFH4FNAkK}{SLFYLc*X)oG%$b>)z3WS_z8qNw z5NpL99LwKcag<)pUJo|uzSK$=RBSh|cCnnP^V049Q|-De=(eI>A8^YI*e#YQ!3Cu+ zHYno;ORnJf?Jm&#%f(_^PjT?I0%@v%0S1YAR!6)Z$#pHtA!LnKs2jUtjP3Pz*wU^q z$#!d2m`J&Q1`F71A;74$2XBkt-Oi82DM2A=2rk%OdTLJhzj7Ma#_MP=URIbStSUDk zr#`_nu+>7u6pF*oy?8~x7so7Onj?q5Q|HL|@h@GTT;G4?G{rZjQ>{hI_OoxcT3F#q zE;;bXbBpvZcZmz|a}!>UaZ2}fEe?&Eo`xbSUv9r~CS{cJH`e+k+`g?y9c_gOJaex8SC$-Tk}usOp78iW?mCW(xinw$FZ?#y>W<{jpt3;`#WNaL*pq{568uT)rojz3nHC^rr4@S)tM%HwSNbt`IOa`TI5CF^ zDQpMOd|mez6xm?e(w?o+RD8+;Be(vmy;Nw96QIJNsemd*O4om%{Ytxb>)+kV->q^S z*Qs9+wI6`6$osbgdajWFl{cCov9`9BPfP*-gXA2-{HR#@fSTa_oMEvo-I2#e2%F#L z4+_?^D+eORLEUb}jO1r}O*$Mz091Rt!>pbpgPnzQL{`T=IKuY+&MM6}jQM~og&Udk zj#ft#my#z|6wxt{?nQRYS%+(rAr$Lm0O65qO!W%yGDzC!SkS2*tGocF5i@?ELObPL zJ#iiNosRk;ztFQQd3NhZ`47mCHdZ1P{lcSd%jT=OU%mD@OndeE0ropKYh=TFsyAc& z*CogS@$Yy4Wkx#~jD$B55{5NKF?^DxCcq5RwfIpV&K?9gf2EC=n%JHX09^7qO&1|r z5R1ez%hID+RRTvxr=S4Lu9?Pf{M`m${KW(-Rz9dJPgFVQ0-G!>DJ|VPI{I*i<{k2A zXO;nAgj52efEAQ}U&3kw&ET4;abMnAwMFDyodP@;7HncsiiIyWyB~V3Sw$X8>WD=j8rF8Wea?O6hK;4|WhOG2gBIeLz9= z%Ji8>`NOyE`H`H|zv4)tiHO?4 z`EIYpz9Z`S925|}&-PI1V}^h}-uGTi^D6d3Sfg&(lY`C6ig$9OYQrB!ni>H)tvdcY zm(VQB^<_>@j@1^d5-?Z+$&Gu=bz<7UjfmZ}g^r+2E(>rnSDlGUejsVv;LitesiWtW zrf8~JJl~IYmiu)fOLWAD?QeXdZV3WFnosI5w0W}Po^t>zTU^Mb0MkM^sRPul%7rXP z_h+XlB457ak!F4Sq!FaNUtd;!Z_25P6PqC`N78~Quc8lO$I^3OMXv}-=mr;& z=Bm_0?8y6_iB5SqhZOiGEcIsvM2DT}GRu%p*UUB@LrUrD1ty0kSC;*pmKERt4on;ig zT<^_b7&f!ZGs_@oiVZIuAB@A87PnkEvrOL+XNdbN5$9@S{Uzb2MJX5|8~;x>WZKIa zWR#ZG7rPH_erI79gvY8hm=NcWXcW1YnKVILB2o|g`E_6G4+y+LAl}v?IXm;W|I(B$ zuZ?B`CMveu+V7}}&0#isUoy9~o}h7o`MmO%9E|e;P+on`uG!4fP-TK z-`D?;uq04z%#=}%`IIWn1;5?{;>3F2OJ>k=s%3tay>!qMcycklQe9ju`=_cG%Y0EC zOiUv^4+VqT*%dDBhA@;{c;sww>f`Tn4(_$dY_wxB6ROcnPz17peX1IlP$(j9iqwXaJRTk8V3Y6Kl$ z#s%~m6sgQ)T+JB~S|2qsFP6SW-l1~fsEf?s^z^vP#Q*54x~nU@7jB)75P^!>v3Bl# zs>dRBO82Kp_Ku$>h~NFkzFZ&z|9QTH$eHmFB^&tZ=s5VNx~JeVoap>l526LJU$^dj z*!$axr*Oo3A^z%zG-Zpn!QgJ|_=u2y2Y}Lr4Mb>rNIy@y`o$n?v4mK+J=9@gz zoTzeQIhWNgGYH_H@~i^hrv2el!b|RSsY%T9L#oJw57|u~B!8~!Vv3O!_uQ?UaTxEv z#wv)2rzv{o9^M+*lnzh=SaiE_>dWRXq@DH;c_JWuG*?^P~~_Xi`I%~cJcRrew`)Y%NUW4D03OMItbab9; z$U6`5_+pzYKeZfA;_fi3=It#xSML`WODAmkbb;-|El0z4E=R%is>VsXlmd95^uSFr zd-f>o-;=on7BQP1*}iuup%t_HZ!+51rv<@M;0fN%0T7n3&;6s0pXNd7;$2LN_v052 zi*zT-?HFE|s__)4Ix9mN77;8o0o&97Da9G_W6vXgT&1l_HA?6 z&B#rdZgfx~CK5%dQ>c#1bvNZ_{UtQ8wCUcpMBydTtsxfzD;_{s%WJEvT%ErM2loR& z-AK;X*4ApKwYAkm;PH1(w;7OiS?2&sppX;zV{TtxpS17m*Rwl7_ZR;`BZb0I$O*8} zcVryLzQUK+(1b20aDiDFS=oYEQ>}fZ)}KFrUIW>g6c<1Li`bf)*Qu_D2M4t~3kw4s zeSKQ7nc&+e6crUcucr*6M{`cJ1Kng(Iq6%Z)vc6ImgcwuL2Yt%nH{KFA&+sMD#k49`}QIXwB^)VoY)dFQj4ETuy7dK)FEE6FhnvHbD*{r?u{>03~ z!{ei>9~u#{PD)BDzwqy0Lt9Tzv68p9_e*#8!xqr1zzzV>CQ~yrSC@dwDR6srKJ2!? z)FC=&mL6D4(G8EnjuO|vzFr)Tsr075y1Ht09Q_wK#SxkyPQ2Om@kXwFZ^5VZ)$1^o?rpUN6`w( z=Odr~<5_+}VkjyqcIU|6w}UT9)Vt29AS`Wd#qa$gJcj}zYtY`_9)97G=7TOygF;jS z@cK|i>CI#Az^@P}hM|$QYLiU@27g-PDWv)7P)s9cplPz;fTn{|<>kie2`|KX)0b1Y zLM?rZm8sXnCYfXwrKzJ{^lI)cXP7W7H4gcf90JcoOwV8M$Q8VqxDV2MX^{L|&5VRv zHG%DvQdG3AZD+Us6)aiM+}s@4;2Rt8&fmX&X~t$26f9$c_tylppd_F;J!}cu8si~<6IRV0d zMk234p%zGL@|Ds)%~8q++*APWxlo)0V0v$19jIF=c1?b6XYU(9*$)NK(7bc8TfeRH z;_x_P{I`)2-izsK6EuB`haUTc45b}wa^t#^F?yzXC@74e@xoMu*gch4MI`TU{v zn|Z&}S>sv{UbN^Ipjl{v>qLbE<(XrgRUUZbXV<6mLeEFwhF^`zK?*2-sQLCz*v<82 z<}Z-X(a2vPQ3Az{C6)@n#e}Td@sMvk{*Dm~G+lkqcsF!^on$Dc1{ zjr8(Ydm-c!eiuiIr#rK*8v|@0Uj!2vf3@XFu_tz5v1=g7#2O$@iY;fe(GZfU0giBy zL6HR_YEs*DZOXqWW9&fZQ5?twi3L$$5u~ERszb_&F)$25G0hD9RkF^Oi1Bzbr{BS< z(^0ZhNR~DRa%CY4+dkSPx?TQ$rbjTl>L-^wDe*2(@RFK^#rfp-`k@~U3rlW=vyhOG z?L4T1a!&T_fV z=fJ3$oHKx_1?63(Zpzv(Uc9IQA6CJ~$Cn4vmhByYF7W)D29k#-=Roa?3GR?r=!x>R z@mSl|STNz^|NPi;U;m^&uFtg66p4nXbmgx_YhV3~CY8S;>xiamJKJ9t@;!NBoqAYu z3$ji@`vKOYjX}%=*^~5)U;Pdf^S-+c8acRgEkGhv{^s0`0}j-fQ4Yg}84QO9mACsO zWda)Fts zV9E4I`s*FrL!Ptn(&Bj;`lhS?w72?_R|%Sjn2AgzM6B?>Mm;28`||hzX~=vnHg;1L z&_*ok>FL2@Z0B#z*K^&#zp)QjdPMHsxw91<8jAJ9d4GRD%R0P&oq>sps&a%2E(gw= zzYTE6Jtw~dWczZ})zxX~!I^n64>zHppeW52v<#k<2!E=grl#AMecvm)+`7xHNes-} zywMDlPw6X%zYN1Z{-gf_A;=LvM^qKtg^<7J3zbo3`-f1sK43t zP;kIEp6#8#*%&X&mAWUUxZh5xYq2qa;^r&{z#*+j`0h|(YGZ%@OmO?-+S@BAHUX`3 zJGf`x`|2FRd)3X}`T+j5!P0KG}|MBpsK1Sgu2bqKXhZ|-BA988v1Wq0t1mI4Z zmNbVGubo<2ir;>H7yN|CPH!Lv8%Jw z=z+Sr_Z{$Shxr$gLqTU}-v8}oO+aUNCP}Q$?z3*aiUJr;wv=USXt`W&*(>mucL(W4 zB_^OU#nayfUdc1y?+v7-r7wPOY-~v1K)GnC-}6DqmGf$;sI|xzV$!PEH|At#pFa-{ zUQ`AQ{SFWa#JS|*hMZFqanS>L9JAk%-r+R>=d6Km;!X$(K^dfQYqtXN!bXh>VCC<( z5(=dE!%fcoNPHBbe)0e$>WQ~Yf0%a;fM4(Z4w~Om8D6f7VKndS<8WEDUMQ$KhsnTl zn6b4fg7|sJHo^Glr56w)#?^6b2oaV`T*+FyOM2If9PGCDaOSCeY^3D>;Q~N6APa(! zMyX7j1{e(YkE`gF+El2Mk7zhXHEuH(g!ZPjy-mREZDtm3OYw;^#sN+sHY6R(Y(D&< znEGNhe?TIl1`?o1PDwc|1UBvV+1c66$zLc~BTQgy7Fn2>{FZ^0UAucZN3G5$o(Sftj$;4E1dxhLt!_ikLSo?wQCv`ejNUY2Ls|nvC8~+xdp! zUXBO_PWxiqr7_(<}28=U6<@ z{RKiy$wX&T`8jjfp-B0AXdr$AjDrCq7I!a$ijM`uW!(_@VNd=S!Bs#jcffrvorH;@ zA8&qBZd5Z)`;Dz1a!pr#`t+&j=HhP|m0iwjZfvtC@G}c2ug`gd-UtzXa`O^kOMdnT zuYMQs)^{s_bqJSYl6-w&V{K&ke7tm4g-0h#eX0sXFF!Y@t9E(UtAWz>1}tszKhrmF zu2ggTCFH;x`cYk7Jq|75VPmsIzIjtWDUsXnReaaM*9n0Lo~#1fxfNLNo|Atg#Rg2= zI$7z~r+3}_!?tuplA7C$jQ38t10EfCIVh9jM@P>2&(`CGQU$3~z$~$!#Qe|L4|Ph6 zw6nsl;E#2@{OJZ%r6K39`7Cpv+tAe*Y6DF0^+p$$fmUCB3#9fmOM zFGpd&@)9>JeR0dN?zu0EqDKU?c7Y+q-Q}iV7$`Bw$$}Vl17ADqjK54{&i^KO{p7p7 zBqErt^6K`jRsMa5(akWJF9ZIQra~}#ms5$87JBM1dpP893eImV+U5}dZX{8d5`IP) zRe$on2~$#@vb0PS{TK>q=)34&)mG#E_ahDk+#yWGoR44CW}!yc>+|GKEXiMnjy9xF zzsDKkzWfirz=HO8SQW`{d_Pb{g9`-WVW|ajHEotxj}j0XO%SfC_bBb-2DWn((f{|I zL%>X+m4)A^KV`trXAtuO@@8W~?b4^#P+sri{yW#dHO zjv8E$16qBZiAO99OChwaG z!6jX4!DVTmw9Ac?nDcJSx&qBOS~(JAg8xld6@Wl0UDj9p5BP`;jsNMa*Z$REe`Za; z+$FzBl~eZip>xwUb%NXl{N`+#)DYNN>#q2)CZ@jSnlaEA!3rFJ>eV#UJ}K{i%(6ZU zF#?Uvdy8#~Or5))|9V?FqLx8ug#ZQ1{q@{{dkvOK0WylNcaG0&$Y;D5G=`_;7S z-b2Mj{LpM=auJ|)8AvQ5%gftyYqC*yHOyDWANlgAA1@j-B422{+!1MA0o^ea-`;tc zoG#_~Ada$Q%G_%<%%t*p#`RMWJ#*{kFdqG&A;SDkgn<^bN!8mq!9-o}&*t zt8c(Y+3yqS2Lqp(gZtOpZf{QIvm{+xX|J-DiEc6vH$3wc88_&6W~F_OKE0m4J@_Sn zUeO!iCE*}3KiQpkp8ISdD7l=XD<_oOpPpo_l4up^UhPj(8snJX(l6vV#{cGg^&PEr z>TMS%2|+3_pX}V+omZJSQpCOZLDz$7 zEL@Z@u;B}YwgnoF^sj)t*M8y~N@^acmCy-+^~Nx~=uv1aXatnIy~vetb$(a?T6Tov zpK?@Qetfh9o>yXgd4ZWx+5-=)uJBSjc`(cfM8Op`G-X*cF$}^sk>nDfu1k6`8PlDM zoUH%`#Fnypgdiru+`LNH=7ilt7Cl$1TL-t0=7=$Z>?C)4ju1~-&U6L|WkYAap(E%Sc6 zBC1VFhju*MYtCWK?5rM-KTS}Lqo-pg8eHIlzqYWSpGesJfnoZKS0ed3SDW?=qE%1a9 ziTvO}yk64ep4gNJe^i?Fnon1;#c}__Nm0ma$Lz3%1AaD^n}fNg<-#cG(i|!w1-@LM zRWMGKi1e#%`!&ftl86!*}3 zhAe0Wy=mZZdk8q)=U{h$DzKRI!fy34iFM>K>qpDqi3|aXEfVLCp89!4UoLvXudu`1 ziJ#2NUSVSs&w+HRz_3_<;)h)VK7&cQmC6vC=$~^br9??9YwO>PjVfL^*qx{I0nRr) zuYrWBJx?(tS+1zuZ>MJcy|t8msDTX9SWqIw8nAfnrz(ocDeHOYSB}IbgCje|!f+3n z-GF@F!zo%MItwi;~+{Iarwvm*wEJxmg0?YX^_k@|FN3g=)U3wle%6NYxwZGY~%z%%;SvmwDRny zkDhhF6si~|&2AHHI+ZpS>3wu$6$plT>5koDN2CQHH_epjZ@(~L6g&z;1V4OxHkOTg zaAdW2SE|hy&TJpqcsypxjg#wKcTSxXE)n;fXQX@acRv{95SLoI*d%ZR!to#}2+)*@ zw=ROW%H6dLT$T7aHXt#JqGV;_!=>6P&%$$FGksN6)`iBsE`592QC2f&>f9j4`!(iC z2xu6_uuITnOG`1oa_GEfHgMT`IP_)F(B$B$7b_|DIx1+Yhp*JRPidwO;nKdUmHQ3oKkX zm?Rj|b9j^r+G@pJ(gTxTC?8{z25gQE`6oMB>f0Z!OCiWPIpWHxl3jvTuJ5ZgG+HJ& z@=Eqx!)zE|-Dd|ZATO-WNI5bwu59I(Z{;x|TDUGuOh*uZSEjD;2swGdH`Coit?N)p zg24SDN@%kqB(QvN72}Pyyj?Q9jUoN4|G9`+ktsaqS;C^}*gS?PbT4AQ=A1f#X-*AF z%d$}WHMy-8{unABmvWMeS`YT@?az z3q;HK>;@o%dkr!dA&_fa^SejypZ)RFSGI7akAz;q1Lb(e9^=j@ii#28>#$Fe;C9V zPRb;49&2KPw+l7vIU>%tk6)!Rr-K-reiu6a%X5g;_7i!W7jr+s1IDjr9TX*Y*`8@a zshcQ^KbVIsz>n$a>PCp9Q!bXm-X`beRikK8k3yM=)R2Nr!8md%QjFvMqT7$d~!}$-iIZN4$XTp8RA2}R3H_QiITxq_<=bP zxX;F9KC6qD!}{xZOj@gsP8CRwd-l7Jag%&u>zC5liu*)-YnU4t3l!t!T13Bb7al-< zZP%V}f46yN2XVwm{V_g|weYGi3FngkuM}~bv3Fm;zG7029BeU2_X{2_^!W=KlDa%G z^eKj57|mP6chG={wm;CFI~x)H-cHdKC3c}X#o>e_I79zO_X3|l2bI(>ad`CP12-H8 zDrqkZ`x6{J@x672z~a2*bcq8}&yB6%1bKt0p^KqL2{D^)(k`axz_u>(GATU_=99%e<}k`C}Bs^14@gL3^_j-AU-M=Q)G?TCkU7fDO5f7n8a#BiWq7{ ztNk_)ui*E9{*WpN)nCqdq=F+fL6PVBfWx(viaN?^+k=Gec@RdS1>Rlg03jrWc2g`r zNN$k+)QJ>(eoW*j(o*@|Yckl6$J(>~UtDUlJqZa2vcn)w6}SV|h_V)rQpy+4p1tNX z*=V@^;{&@YYw^_tGqT;Uv9bTI-d_sM!4tNUed7bCtzC`n6({1?-uLv;89oomQHiiC z&g;(i9eak}2I!qIgTHsTeAx4n%5emTNp7i8gYLN^KEWDhYNhjm!-sj>2D~Hc0or-O z1ue+ym-ZCI0c%KP;MGd)5JTx6+&{C1@W_f&KrQ27c!L_&SCfa^3Sx{2UTzA_2i)<* zkk7`7iq2Raa1~u2Z0rVhn349i&Job_jCK0wGE)+iNkfK4xSsSoRNp=)*jk5cOB6_+ zh*}OSqFpsQTV%&*d|UXm-HYgAl)DWA~lK%N`p$5 zbPt1ci6S92sDw&4NDir_poDY?C@n2@AN>0LU48HS?|aw1tXV7;GxMBt_St90XU92~ z7!j2LC&zd>Uk3+U4$DWILFL0_=OZ%Up}8Nqnqb!O$WNCu3?}0>_DQK85^QlZtR;*b zOB^_pzyolUoO~%yI8+hx-R{l=@(ipH`!Z=(*L;Q_icZBK5Oo=eT{3>{5YjURFcg0E zvNo8?h-pIdLMNhft#0+b=F>8l)L@G&9;3c+^%vPdI86nu#utMB)cYVOS>#xm4BSqa z^ma-MFKWBuGTu79FT;vqn0DF2NMV;RQCOt;mMGI$BR|7bS;P=2$2Dz~FsWmL_W0s3 z7a)v?IAGg;nuSF2>Cz0o!V`j<K4Icf8h75G$VF+wL)Nox+4FkYEUy}J{NFz?2)~X-nhny zQR6%4vt0Gxl;$6U!*}zYYp><1i6_^9Jtf3=Oh==FzG_Jue1DdGZIu4Zq0G7W-FvYF zw%r)qvtaN&(REZ7_icZ*+w6`};#2>f&-&WB;Yz_Bt_Ai69S`%W#vewdwA+>Ovuk#c zvnz~mznb2w^*F97#!EeYCS*Ff?PezZd62B|S@ykAK3ta>zoAK7hZK*u-aAu|sRtUS zh0pE>jBcg|^PulUN_eh~hYsUW$UU|v7R>4*pA#JG%5euhR`G1FPmK9=t zEe&$8bVL*DZ3AJdWZZ1UCr6#oyJnXeZHTff34hADLw$7gtPruHmwqfFK?Svm>K}Pv z3N5l6E;P=uYOyQI{&_f<_9T@5kkgCNKDph5#J+lg2=o@g6%n|IIgcu0fH9Khh@kFG!%I~sq5Kg*+0H#(Eg=Z02?^dHJaip2YO;=FJJY)#E zd)uHGfedM@OIXtleGXIg@Y>x;dk|*)bDgQ|Cd$Zj!kt)5n4gz`lmQKPue1Q0FXWW4 z%3dFSbE}J?SZu9NYL0YJDt02n#t5`h7jwqMQrkd4cTg!td(?WvHCA-rsrTh@5P=KU zuDYZ+o@FYa@#sgF1_ncLA+`9K;2mnPPm`q6XMTpX&G&qn$$eJcSbAzTQfKnvb<&I^ zviT7~p~qOP693(Dq=m&u2Z7qB{*8ql0HqvK9Xs1x>s^^G(7tsHczzm1iG zX00h`VK*z^7VF`6us`HrzKaun`e0W@C_N;FvWF588eW{mXm?2O8sfiF{@Ej~m|?Lt z&2YGVMpW=oOe2)6yK41)*sJPZGUX^C7JWz3|;^B2?&f zPQ;{sMWF6@&ED_uxQbyYE+$FT%1FNiLDyKuLP&lT)FE5Z%tyl5kXacYABy^N8~bt` zHn5c@vv{x)rQ6S$lj05OikEa!7k$=k825|FdtcJHrW42xW6?GK{W2)kQ-m2Dz}|M zEM1#&O^#PoSN27Y@TZy!`31{^eNekI71_a1WHSg(*+%!V%6cUC_JYQ_8ehycrW`Os z7QCa(rfDnYI9bGUVeGClOGixZ;0}$G4-*pP8v21lxGsR zz2_x-C2CJqL=B=6N0K7FSLZaP(1OOq2Jh(*=;dCzDe3~N1sP}in7aQX=VJ}ndl~k8OHL)EIgDSBHpxT|hW7t>j0h;q}e(df@5( z^ybIh9%2irJiACU_p~<<1NsV)Rjo*On5vHqwO%#KU_*gl@X2IAb_ePu*81Z%)u%x0 zOrYb;x@F+pd;|>=g*6+nYF1-|9gtEhZ5kFV<*Y7`DQ&Bdf3KMHl^}^S%_@ z$k%TBz`;C0l|zGu!K+i950y*InxRI1n{B-6=*!LT<*^*s=90}ta%m9Y36^MgZty#Z zF6n#xvMuUqlBWku_1duWcAA9*hN6tJeIhS zMQnrr8q#Y#xa1vz?`V!FGJ5H%7D*5ebINhUz+NLR%R@$aCg7c6&SecbszJ6nQ`V?k zT|?&U4fRVWN1`LAV*!@k+p8jgyzxqVLQz)ve}=X`U*U2BvUzzyRv3f!=W6np;&RpIb~ZexA!4fzf^N~frLCWnnf7YEiCLCX_S8qGvt+D?Hk8F|n!Yzi%*8&Z z6?wJpe6!H2BM^qKn5+Nt%kiy^)zD0(cqNJudgaZTCm~B8_wM*rT0c8rbZsA6H7xe+ z6Uw_?p;qfD(*?pL(_4Ltr;3;t_M@c>WJj!?b#GQXbick`;h$CBIQJEgq$DTxBUKDFI=xz45I~@oa9SwSA`V zTFrt1InxY+0zuc^Gkw-({JDgKZ7Xa&f5cEnAzp(@do5|1?Y}}P?gSwtdsBRL5$F2Ap6k!+XkruA zJbRvt=a;%%nouN@2?Cv)JmN=h4uywT6H1K;ryUHlc>9mX*Z7b(mIb@vGSTd2VP@@g z!uAn8bp}*cvS^XrDZ%t_Ji9P6E>ZG~;0!`fT9y+b9jeQ^1aG&cFq|)CsJA>{ z4zf7?1g4TbC_L>Ga^!cs{=#roUS>~Xa_x}mb5lzXTU&4p+a;$fmS3uHi&3}d zMi(>MS)aXmp`5O^B#$L*m@H?Tklnl7_M@tKxI~=kvx5aLD=eBR9N+1}rNuXc<#b=# z%GJ{kziXgg+0d7DC}&ZFfl$fGfD4uR2XtkV84*eCjc9LC`so49i@{ux2Wbi)rRfCd z%J7MW?bew0H(pX~d>7EW{%%v=dV-UHY+0gRcD=7H%2M58)Hib`4li(e=$%t*Y!P)! zou1D^`i6iN{e#|&AWypPHs+^y(isd6KQooD4-6goZH(@LvMuTUNK|l%%N9X*#)%G! zE%HR=aC$l`m_cNt?Xf(}oC^u|9(|Swl)5}OjB1=r}~{CZk;uE={*4o)y@FL zrB=?zA7Ph2`zL1*o;dYRTPJqjTY<uhQt;TyB9@2naj`fSz@ zg?v1|1!o4Fd<+kV)Q3%<@QQCb52_cRR+(xqsUFBWH4PkOCZirVo}6@fNl4WyPT|wj zzk})ilzEVcwH{v35ZuQcPl@4zlvb~i#Sblhy3^PgHoIi19wXA=&>`85&iwh4TkuW; z!{989DePUn{j)by7>yz=)o(Y3XG{3lnveH}M6v?5<>ud~64tzMH9svnM7{R$_N$u7 zy@#1~>+@^-k>7f_4tDBwo-J#b7Nse@LV@#Mq-_^nr4jJ@k*r$vpS}QAj$1?8oeo<{ zQm2#O_p)^NP98KoRk^-jhYOGVSylXzwd$4#hu&Iqe-3UjJ1jew79&$tTIT^3~2TR zMiM4o$llbQ!HvV1I*piJA;^13PJ^JO-7zOg&M-BZEv9|Ckgw(kyP3CMECr=VxxCP* z%vm%8<45g-AM3nbX(rp|?kK-MDqWdm75weDg_;>iA^8~t}w&prCZq%&8K z*guI3+02V3ER6ztvqH!^4>}JW)lDS|d}crC;6!L+N2|4!TbcMtdcJ0FBP050wJ~GU zTi^uN#BxPK-SR#KZ&BDQuFa)bJ?ifVwmCMwHshZPjM*z}i!~n3POrN#@jF^ZV=UH| z*JmQTz&_cjlGw@M3YU0+hC{G*C$4ERboQrR7e|hYK%Mkghw^RtaFLddtYP%p(qMsN z#`j(BN$)xTqmzzx2C*0H4HGpjM^m-SpnX;DZC4&xrxyy3j23$|0MjSr;d*?X4eoiv zqruM#i_@;MXmV9St-P>ML;2O5Xx53X(7HP8iGrSst5j}(jrG>meBz$N*_RcanT^1t ze;`{1mo4Ds3&Lah)y4gNL0p!ylTh`AjV}u>=`tB|RtN@}&J( z9f_ZBWbt{ zzhTVk<&x}pPaW~fs5<#!Rx3Mb){;WEWaMFRaS`hUC-kZ)7Q?XeV>2Fk0ob*w*N;_eQxw#h>8`cV}>+)Gc@mrP(4M zyL0QrWi5!$M__Owk-IBn!A$P!tvS!epbEve)(Re3$+)%sj9K0=8V+bro$=jvIjUY( zmm7QiZu6>ehW`lq`a;1*S)aSwrbQbMvUDdd@O#vmX`CjHA`dzIfI#HmU0@gi)BpNk zHU#^oZq(LnS#h0YzvrdTyH*g1-Ry;H`c(=HBTw0tfe)2|=Q(s7GxQ)>NF+&y>_W*)Q75(hmA}^>bJi+n=X-c_-pM3Y+yZSEq)y>4<`h!qI%B`ijky-~)3z_ovWAWwWVltllzQ-w^Q zFRxjX;J87`W%DuN3p^*VO>bf>6)r=MsG)Ru+K#y|Dp@e@_-4tkCV(vC`%v>d?<8th zZCtM)Q3P$m@Z-sAc(ww<#8bhyN3+lMITZ%8xFniKKbb6ww+ss0gqAJ0IC6uU1(Gzq zB^EuOoe+JsY4EafFW>feIg4#M7fdZb>@!NeGs{9`9w^C*%w}^WONmb=q~EuGCJH_7 zcKA|C1-edlKQ1yX%vXG%>3i?TZL)k!G1bBzcw&yD<{!EPaBzjfRMk+Qq|cz^GxWHd z_}-%|x`nFboUiv^aU|s6FJbS&w$mQ;5pr?`#$tN2Ix{-UZGRJ^GXQok4}Y=@lq{uF zdQ<@dL#|8#zO(mL84p~!m1jb#7tYde&QfIPC?99>D#zo;8TTiBa%B=LEtUdtbiqpH zsI#!;S>&>x`s@=_U-$$qdkYuEETtao-r+`GO06#B`-L2zgWge6Is=>Nh9=f(w^_L%5eUe|^F_vp8D%UB+PaO!BBzJhsz*wl?F}G{6`G1j1-bjkvQh zg72>(pR3G85{1W[(x6a8Kj(S={1$nwWsT3GSX5e>C`kg1B{EQ?t7`4_{+2Uo3u zy4P$;zs<9gMi3(?Nd6d06y?y*`7agAe|_T7E^$|K*|KyGLu`sa9dTqgZ{hM;!q7hi z!Dc1mC-u-J*-Mtz_}GNJ*ZDfX=++!5o#$`ZBFvG#+0~hs$#pFJ;AnCw`uE7cFm&l) zK(&75>&@L8=!fksh3|e7@D~|7y}%S9w&ZIlFZ3(^Kfgq!p@hM;RBHae|Hk7G*ayhS zFTVBAPK`vO=9;nnAy|FXjsw1ove`WVOolIdq=IVHi;$acK& zz8CTz?{h_=VIg71iP#N5L+{^BAtCmon0^SH;%!i%rvNQ{(7_+RQ(c%}z3m2;QCMfv z(hrMsJvsZLL(+fw;x?q8RY_r(33<_ai3QKukvD%;12Bddkxe`K%KK>6LiXEF-qp~` zs1_`FlQhKuy#z{qICda_z}bpvc#K(z77!ossw1ZfDyMvm-B8lT;PAM$|4H_u3=-sS zD$eZ#5XE-bWNfv8V@sCL1Kbzzh8aR7ispUZ2!xJHfQ#=+^{e2Qjlbdwx^4am7>Cg{=2ifM@I}ovoNlYp5z+moF z0#M1{3(9zOd+2b+2!r9I2iVcFE1QlKZQetAn@F_PaUJD1TEu5aof9ZCsL7~0wa(be z`Y-MQv)dVVKjA5v05L!v`7{Sm7Hp(1&#Z8ZN=X?IfFzVeOd^;O7r7wzTbe#OSSiRf zH`)$xt0bP)>7-Fr@fMKs7%gJey$mLvkpYQNYrN^zbL+PTRnKvOs>=(DRGxu6$@!1? zps8kSIxhgML7NoCifu-8;T8@EggB(UqT>j_BG9YA#j+_d@@x|1QMe_8v4En5AfNDs zzdTdfBt{1S3eXK|fcHtGS)A@$Y&E>e0tf~+YMD46)1L7a>hIkqC1L@DdwtGVrx^mm zo8E%x8Ma|{(8*E?YMLQ}`*0g*M83?T73^gR=%Ydi4qwwHI2FzfHlYbMUoAEvV=^Uu zZ^4rT|3-;GNU|Gn%n;GURpr@mKF&HDYC7RB#?m4dCidY)3juOp&0~UK_#rUnw(D2> z%QjwIP+#8ltH#F{YT@3z3^3v4;Z0v&zA$4|egP@GM10W8>q_`E!5G@~u5vw8KWlzw zNL&>*aOI2-B>v(9Tyj%N+(<`!;qKkq5xjHlyLHYwUxkp#$vwik z1GoE&;e))x?ssN)5a=LfI6TxtBq7Qq>AHEhk!BRj+5Yd|{flkwmC#>}*n$2p3wQ4Y z^Y9tYPE z5dZ3e-=gucHgWM4!H~8p zz-RQk=8UtzN_Ee};uYiO9h-2aYA}a%qgWJN_&J+@GA=>&;R@AqTeFMtl!&xk56@?i zgf3A`+XKdk*#ufctR2Cbl*JSNYX=?z5Q(Ul#b%8W@s%&dTVgI*A_zAG(R8;*iibl& ziS7}ek=8@wFVeDHLD#bx;J=Bu&?hrm6m~^z@_Z4k-6^V-6w(ws1@f)&*%=w(|9hZw zK?0ESlAeuZOA*2*KS1%-mPr&~h9?hCyae!mnP2w*CRapGAC!L%BwSGKU$Rs>O^Ma8 zc1Hp5h4{hE#L+Pl@v_<$Sld(wS%MA^*30#t|b3 zoY~N2K)--;kPBrK8z5FKcI8~|uYD-{Yaf28&?~>*SpA=QLn)SL8jlih8iw`*YVr2_ zZ>^QbFZVV=oMV=!HY;zQ?|QXR@hor z#M_?}>lnu0&|&IZ4`g^+I{J3DP%I;EqC}D8I{)YxM9xvxCD+Bf6M5V3!Fi|`Zvn|i z7jrNb7}w(QC!0z?Q4#^7?7csojt0Q>9NypD)x~<5%~d_yU7NsgQlQx#7(X9EHbkxJ z%u{Rp-I#1CzAWc-Ecwwkfw?=^k_Pq}lx{Ur+{uo}HWl@KrHb-0wo@aDRLaNPZ{3jq z4Hr5?gFa9M7R&!ZNu^kB@DlWQfMe+-Y)|_JsvFu*-joi3;WIb4LH9rSNM`II!E*U} zCNS%&369Yyw3Gyr&1JR9PVw5{ZM}At>n$k&OI*iT<>ojgaD3zuo>{^;K?I0`Iz?8W zzM`YiEXIUQtw@;!P>1v{U)I%j^j&u>d8hyuKRH4ut}U++vO zR2Y3Dv*2?&J*?|!i^nzz38AmcItbu)*O9yKB=v z;-&wmFq$`j`q@pkGDWSAZk!8M1j~M){mg(o`O4ACE?87V0_5W<&DGze1Vc~Ksko1L zIJ@c&A3#1IV6Y)uy9K-fk_n~>05LP0dxLm5;mkpAWB}kSjrQ3!8R_{61-76>kvbAA zQF|XGPgV<**Yf)=AfW|Y+QTuZCNMQD)U!@vJ?L^cW>y0rC3*9paSe*L2zJ_Igtzb9 z*l>2%Cgrfqqh;(bD`ikp_YE)!^Ho)L&(6e7yEEd{<{Gd&V$UE=@>W~&r-yC^*ZW=M zw=Z9(M7cFUr#0z4Lu)pr4{-4G%EBEP4&7~gahQ@*g4!<6nRs0Xb=JS)HHbxf+5)J6 zh?P0D*;Eh6DqChwLYT_LT2qRYs2)#+${Itah0#T;V;(*NQabcMu287jVqWl~{ejw1 z$@y)a{wB~2;Ytb|yh?r>wZWDmgj*W|bsm`w(@ve$7s68@Z{~}4pz=&(uhg(nXry~F z8zG#`V=#w9mn+q;Iv^6tG?oq#W`ET4qgu^}a>@OUWj)*oukDkB?}=-{(u%{s0WdIDevDZg_(Z9pn)c8-`iT z_C#YIMSKzaE^R$OD4dJ6#y9hYzgrbT9u0rXH0s?r&np9_ICEI&+>j{JUdMYn&@o!~ zY!2AHO96%$MUyOomS-EP3G3NNZDtk5?e^MCQBr%|bK@A!et((F!LchM9ah1!7^9^a zi>nMF8K93Y7F9#Py(G1qjb$*yr>xiS?)uo-aAuIKr2nA@9&-`*3%}y%k?i+l?vtE* z>!8yHOTuC~jw8sbYI;MtJ`z3XBqb#CXx|Z?4{cXhBZ=$+geijB1ysq0yXq)-6ZG!& zyFMA1cF|H;9P{a@&dJi6X*D7Ug&xDu9CF)8XN9ec=SSo)?+a-N!74O)hWjzjp^n$f zg(aI!Q5#2MUl^IL%qV54P{37^(`pd*2#R6DP03G@JdrYMkT#kSV*F@&O zrxf#B2r1GFb7f6Nk=4|XqQe?W`ST7%zSD=pc^qRKBR8*%ym z(uYoeNb%pk=KrXoL=(LV2A(#gX!V%T={ynb$}4>*L4zHgYnr%_nq-k=pBN_Jm&kL! z!;wj1t(m$~>zvh%;=uQ}do{l?X(d0Px0SH9tT?}GXoe?q`>F*kmsNK~%!0wiVfhhJ z%(Lv1jZW?hdwq7rHLR-$UWKw~Az7QU7IA?aBBQAh^Y)Jx*-WZk6#AMK=xF63xC=NR61qV#4IG^n1SD`&tUx4G*h3?N%7EEMlY z_FAR3mk?((Vx=a;4KkkjQ;$@c$I0{g@)pyGcfBsv#UI8s&?8`u%F2C^)Cvc;oeeLd zCXF$A%g5}w<>QJDG>KmKPszxAta>Z=4oT1vyN4^8F0Yq;KvK$RHb1;5e@QS~KsmlW zO!hMQQ_wE>_!mdLdWtqg6-z?Md?d2xuzb_%cHLW3EBAUNmq@#2%q+!1`9)eg0*l#I z&MC(ah>x@c#mwy2h>qC!N&~y5(={VPm>0n_x?KSIO9EUd5Z*Mk z65i{x{MKx~PV8ekLi5OPBnczW$`aJ}z>}2NGLxieJgsnHCBObMhBIB){T|Cjkd~Q$ z(~=KTrQE}7wS5i@2F%D!jinKrEEq9Q&VzYYKM^!y#r5#Wgu>?2y%f>rabogFVjp#+ z?TB}(x$4pLP}!KZL1MTE!J=V6BvEWq{>Sx4+BL&W-N#!}3#rA2;wrf0DHl>DibMIx zk_r$1uPat2H6QU*`nqHUp3i4pT?}T0gn>Ttf3b@PG@2YxgXh+Wrj>nrr2yA_<#nS_ zXz)a}v{X^Pc-}t~+Tiv#0_t$CBvFyA+CxOzFS!^zq5u!94Mo z(~6k-z`f0h0(wlAd9N8cF?h!S!JZVWB(M8AP&~!fq%&sdU_h@@37XE7XHHdL$RDEb z9P}Iav_u|bV;?GG%)x+4C1hVMLz)U7vI1>_YrX{hY#Z4i)2_?PW-m(hV%{sxf1_rO zbdv%bj89u#lIpN#zS~;08>Ds(%&@$)WNhw*SdWV6$z5R%jLcMe|D}2IG*#l;b8qUm zkWWx&5p;+B32{AV_qw&6fOvW=v&zeBcQ>aSbVJ?WtHk#b%0kJ{%+B|JvsXMIAnRUC zJoL_?=2j?|I8?YP5wl8YmP01`B4~_2$p#S3r#BDMZdjmB{?sF_YJZ>iq~|CE?>1Jr z=6MZ45q>p+D*;lAY0UQ^6O6??EYIJ*vK}IOgBno}5v#hD{N`>PL0|KaLP7IoHk9QFZaXz3EI5QyEoUB;6Li=sHo7^o@|^Bp#P1ByeEb@QMA}w0 z2xy`^z&N0yQB~w<(6xE>qLk_%|f>3*Jrz@i(wElsE28 zBL8n3@$9LTv7nIv;=r3VpPv7Q3xDC^rNrO~B965Gk!PFoC!9KSRS5$MA(l+d0*(Kx zkG~p)wH|pvzPmOR)u&(-0+tlNlJ#Fau375OW__ULM^mN$hFUDhLAF7;YlN`G_M85x zv_!xUsee)co$mE7YIi|w?UU$iWz_zh_bkz?TVTWKEt2+VhB!kZG2485Ty)j;kko zGgCU7G#8P)tA?^4DQA;EbZ-NDlg0~~Dr~QdgB5Z&CAJg|>VOtCigwdLR`Dt3Atyw` zsSDp-#gEiIOky3(PK}PR*8Y>1sEQxy&c4VGx9bQdGS+N*HwO#ZKfY2HmHW1A-TQ8P zE>3v6O?iKDU$J`oNtbZlDbffvkHc1JU^uPs$@~-C_#NV)KAUQ5rDIseaqUbLk6pa1 zzGJtKFRw&k8RL}w6lS+1JsO)gvCmfSNEICF&Kx|05{hMwxWDcn>VLTR;&#h-ue}%w zRJpZCtK2BOYWybK=Ql%5$J(|Q)>HA;s9Y+Oz-9673`r8FJ}=1>u<+v{qui%gJYY~S zwEl2+cK11LvCCHp7U_o!o>QjyWx0JSub&K?;Sx3twm#do#$_P3hrlem7%jrz=;tph z?h0p6IXu!)cMm5(V}j$NsKgoHdNY$Hq5bjT{l#|KX`)ClVVOgBQm&IWo#ZfZBJA4d zuDN%^x+jGIKp3ZSMfoO~qWP|DS+VoxVeTwubQ{rdY?!79yv|#l2VorO#V?*F}(aY+FS@DsE6GGP$ zGcbfCTrQ^nCqr2fzfwmXl^$9N9^WJW>9!n2K=HY`gFRnqP@Nep#rK@b46_mCn*;mR zO1b=iRr-}N$~K-bf-y6Tv8pMvPuQdcS2`z;d2yso+uxvR2oj7ZCpM6E z*vME$1J%#fpMOh54=V9HXh~DK-SZ_K%yG@kGpRbi(3>15P=pNPlU0l@9X4@#h#bFf z8BB`+uYG8e-&w<@4NtbwCK=m2!A%8tO8neqpxnOw-?9kkf5s&WU9vFWlIBXSv%%@K7b`TNx)O zhfec-ne1REcxZ@ju?mLMz~Z^kpRzI@Ho%GGge1UJxmQZpuK&616QCG{awTA|?!C#ubI%Hm|9yqSKva|(5x^HHzb46XPVCkf9l*z!NAnfB3?gZlhbXfd4i1# z0MjmuHZV?#eQT$@O}7FOZVrgUWyzr%ja+}=RZ}%Rt-5=fw$u(xh9E7_5&VN?9uvcSYG7?40Nq`YCQYzDOYMZK&|Uauge$}O zHsy85qThPe(3mb4GVOK9>Za$YxNvs_)bee*()#;Rz!o~PB-426l7i-UO9D*|R>Sl= zfAZHhY#cLd1duwt@C*tLRcLE{S$IFX(v?NIS&pRlfa9vN^7SSZ--4xJX-6T{`R$bV zd1$h=3RVX~TI?U3jwYHvi+4#|3AywA{g7{QuR{(8tg83=KtmU=&I76ATesOnrPyljT~ EUl$_QPyhe` diff --git a/versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP6/README.md b/versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP6/README.md deleted file mode 100644 index edf52a6c..00000000 --- a/versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP6/README.md +++ /dev/null @@ -1,123 +0,0 @@ ---- -slug: /MEP-6-dmz-networks -title: MEP-6 -sidebar_position: 6 ---- - -# DMZ Networks - -## Reasoning - -To fulfill higher levels of security measures the standard metal-stack approach with a single firewall in front of a set of machines might be insufficient. -There are cases where two physically distinct firewalls in front of application workload are mandatory. In traditional network terms this is known as DMZ approach. - -For Kubernetes workloads it makes sense to use the front cluster for ingress, WAF purposes and as outgoing proxy. The clusters may be used for application workload. - -## DMZ network - -- Use a separate DMZ network prefix for every tenant -- This is used as intermediate network btw. private networks of a tenant and the internet -- For every partition a distinct DMZ firewall/cluster is needed for a tenant -- For Gardener orchestrated Kubernetes clusters this network must be a publicly reachable internet prefix because shoot clusters need a vpn service that is used for instrumentation from the seed cluster - this will be a requirement as long as the inverse vpn tunnel feature Konnectivity is not available to us. - -## Approach 1: DMZ with publicly reachable internet prefix - -![DMZ Internet](dmz-internet_public.svg) - -A DMZ network with publicly reachable internet prefix will look like this in the metal-api: - -```yaml ---- -description: DMZ-Network -destinationprefixes: - - 0.0.0.0/0 -id: dmz -labels: - network.metal-stack.io/default-external: "" -name: DMZ-Network -parentnetworkid: null -partitionid: "" -prefixes: - - 212.90.30.128/25 -privatesuper: false -projectid: "" -vrf: 104007 -vrfshared: false -nat: true -shared: false -underlay: false -``` - -### DMZ firewall - -The firewall of the DMZ will intersect its private network for attached machines, the DMZ network and the public internet. - -- The private network of the project needs to import - - the default route from the internet network - - the DMZ network -- The internet network must import the DMZ network -- The DMZ network provides the default route for tenant's clusters in a partition. It imports the default route from the internet network - -### Application Firewall - -The firewall of application workloads intersects its private network for attached machines and the DMZ network. - -This is currently supported by the metal-networker and needs no further changes! - -## Approach 2: DMZ with private IPs - -![DMZ Internet](dmz-internet_private.svg) - -A DMZ network with private IPs will look like this in the metal-api: - -```yaml ---- -description: DMZ-Network -destinationprefixes: - - 0.0.0.0/0 -id: dmz -labels: - network.metal-stack.io/default-external: "" -name: DMZ-Network -parentnetworkid: tenant-super-network-fra-equ01 -partitionid: fra-equ01 -prefixes: - - 10.90.30.128/25 -privatesuper: false -projectid: "" -vrf: 4711 -vrfshared: false -nat: true -shared: true # it's usable from multiple projects -underlay: false -``` - -### DMZ firewall - -The firewall of the DMZ will intersect its private network for attached machines, the DMZ network and the public internet. - -- The private network of the project needs to import - - the default route from the internet network - - the DMZ network -- The internet network must import the DMZ network (only locally, no-export) -- The DMZ network provides the default route for tenant's clusters in a partition. It imports the default route from the internet network - -### Application Firewall - -The firewall of application workloads intersects its private network for attached machines and the DMZ network. - -## Code Changes / Implications - -- `metal-networker` and `metal-ccm` assume that there is only one network providing the default-route -- `metal-networker` needs to - - import the default route from the internet network to the dmz network (DMZ Firewall) - - import the DMZ network to the internet network and adjusting NAT rules (DMZ Firewall) - - import destination prefixes of the DMZ network to the private primary network (DMZ Firewall, Application Firewall) - - import DMZ-IPs of the private primary network to the DMZ network (DMZ Firewall, Application Firewall) -- `metal-api`: destination prefixes of private networks need to be configurable (`allocateNetwork`) -- `gardener-extension-provider-metal`: needs to be able to delete DMZ clusters (but skip the network deletion part) -- the application firewall is not publicly reachable - for debugging purposes a hop over the DMZ firewall is needed - -## Decision - -We decided to follow the second approach with private DMZ networks. diff --git a/versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP6/dmz-internet_private.drawio b/versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP6/dmz-internet_private.drawio deleted file mode 100644 index 7b83bbfc..00000000 --- a/versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP6/dmz-internet_private.drawio +++ /dev/null @@ -1,178 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - \ No newline at end of file diff --git a/versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP6/dmz-internet_private.svg b/versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP6/dmz-internet_private.svg deleted file mode 100644 index f5e58204..00000000 --- a/versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP6/dmz-internet_private.svg +++ /dev/null @@ -1,3 +0,0 @@ -
Machine
Machine
Firewall DMZ
Firewall DMZ
DMZ VRF
DMZ VRF
Machine
Machine
Firewall A
Firewall A
Private VRF A
Private VRF A
10.0.0.2
10.90.30.129
/0 via Firewall A
10.0.0.2...
VRF A 10.0.0.1
VRF A 10.0.0.1
DMZ Network
10.90.30.128/25
DMZ Network...
Private Network
10.0.0.0/24
Private Network...
import /0
import /0
import 10.0.0.0/24
import 10.0.0.0/24 -
Machine
Machine
Firewall B
Firewall B
Private VRF B
Private VRF B
10.0.1.2
/0 via Firewall B
10.0.1.2...
VRF B 10.0.1.1
VRF B 10.0.1.1
Private Network
10.0.1.0/24
Private Network...
import /0
import /0
import 10.0.1.0/24
import 10.0.1.0/24 -
10.90.30.129 is reachable
/0 via Firewall DMZ
10.0.0.0/24 is reachable
10.0.1.0/24 is reachable
10.90.30.129 is reachable...
Internet
212.1.1.0/27
Internet...
SNAT to 212.1.1.1
SNAT to 212.1.1.1
Internet VRF
Internet VRF
import /0
import /0

import 10.0.0.0/24 no export
import 10.0.1.0/24 no export
import 10.90.30.128/25 no export
import 10.0.0.0/24 no exp...Viewer does not support full SVG 1.1 \ No newline at end of file diff --git a/versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP6/dmz-internet_public.drawio b/versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP6/dmz-internet_public.drawio deleted file mode 100644 index 544939e5..00000000 --- a/versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP6/dmz-internet_public.drawio +++ /dev/null @@ -1,184 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - \ No newline at end of file diff --git a/versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP6/dmz-internet_public.svg b/versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP6/dmz-internet_public.svg deleted file mode 100644 index 5e825081..00000000 --- a/versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP6/dmz-internet_public.svg +++ /dev/null @@ -1,3 +0,0 @@ -
Machine
Machine
Firewall DMZ
Firewall DMZ
DMZ VRF
DMZ VRF
Machine
Machine
Firewall A
Firewall A
Private VRF A
Private VRF A
10.0.0.2
212.1.2.3
/0 via Firewall A
10.0.0.2...
VRF A 10.0.0.1
VRF A 10.0.0.1
DMZ Network
212.1.2.0/27
DMZ Network...
Private Network
10.0.0.0/24
Private Network...
import /0
import /0
import 10.0.0.0/24
import 10.0.0.0/24 -
Machine
Machine
Firewall B
Firewall B
Private VRF B
Private VRF B
10.0.1.2
/0 via Firewall B
10.0.1.2...
VRF B 10.0.1.1
VRF B 10.0.1.1
Private Network
10.0.1.0/24
Private Network...
import /0
import /0
import 10.0.1.0/24
import 10.0.1.0/24 -
212.1.2.3 is reachable
/0 via Firewall DMZ
212.1.2.3 is reachable...
Internet
212.1.1.0/27 212.1.2.0/27
Internet...
SNAT to 212.1.1.1
SNAT to 212.1.1.1
Internet VRF
Internet VRF
import /0
import /0
import 212.1.2.0/27
import 10.0.0.0/24 no redistribute
import 10.0.1.0/24 no redistribute

import 212.1.2.0/27...
SNAT to
212.1.2.1
SNAT to...
SNAT to
212.1.2.2
SNAT to...Viewer does not support full SVG 1.1 \ No newline at end of file diff --git a/versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP8/README.md b/versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP8/README.md deleted file mode 100644 index 14748fae..00000000 --- a/versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP8/README.md +++ /dev/null @@ -1,503 +0,0 @@ ---- -slug: /MEP-7-configurable-filesystem-layout-for-machine-allocation -title: MEP-7 -sidebar_position: 7 ---- - -# Configurable Filesystem layout for Machine Allocation - -The current implementation uses a hard coded filesystem layout depending on the specified size and image. This is done in the metal-hammer. This worked well in the past because we had a small amount of sizes and images. But we reached a point where this is to restricted for all use cases we have to fulfill. It also forces us to modify the metal-hammer source code to support a new filesystem layout. - -This proposal tries to address this issue by introducing a filesystem layout struct in the metal-api which is then configurable per machine allocation. -The original behavior of automatic filesystem layout decision must still be present, because there must be no API change for existing API consumers. It should be a additional feature during machine allocation. - -## API and behavior - -The API will get a new endpoint `filesystemlayouts`to create/update/delete a set of available `filesystemlayouts`. - -### Constraints - -In order to keep the actual machine allocation api compatible, there must be no difference while allocating a machine. To achieve this every -`filesystemlayout` defines constraints which specifies for which combination of `sizes` and `images` this layout should be used by default. -The specified constraints over all `filesystemlayouts` therefore must be collision free, to be more specific, there must be exactly one layout outcome -for every possible combination of `sizes` and `images`. - -The `size` constraint must be a list of the exact size ids, the `image` constraint must be a map of os to semver compatible version constraint. For example: - -- `debian: ">= 10.20210101"` or `debian: "< 10.20210101"` - -The general form of a `image` constraint is a map from `os` to `versionconstraint` where: - -`os` must match the first part of the image without the version. -`versionconstraint` must be the comparator, a space and the version, or simply `*` to match all versions of this `os`. -The comparator must be one of: "=", "!=", ">", "<", ">=", "=>", "<=", "=<", "~", "~>", "^" - -It must also be possible to have a `filesystemlayout` in development or for other special purposes, which can be specified during the machine allocation. -To have such a layout, both constraints `sizes` and `images`must be empty list. - -### Reinstall - -The current reinstall implementation the metal-hammer detects during the installation on which disk the OS was installed and reports back to the metal-api the Report struct which has two properties `primarydisk` and `ospartition`. -Both fields are not required anymore because the logic is now shifted to the `filesystemlayout` definition. If `Disk.WipeOnReinstall` is set to true, this disk will be wiped, default is false and is preserved. - -### Handling of s2-xlarge machines - -These machines are a bit special compared to our `c1-*` machines because they have rotating hard disks for the mass storage purpose. -The downside is that the on board SATA-DOM has the same naming as the HDDs and can not be specified as the first /dev/sda disk because all HDDs are also /dev/sd\* disks. -Therefore we had a special SATA-DOM detection algorithm inside metal-hammer which simply checks for the smallest /dev/sd disk and took this to install the OS. - -This is not possible with the current approach, but we figured out that the SATA-DOM is always `/dev/sde`. So we can create a special `filesystemlayout` where the installations is made on this disk. - -### Possible Filesystemlayout hierarchies - -It is only possible to create a filesystem on top of a block device. The creation of a block device can be done on multiple ways, depending on the requirements regarding performance, space and redundancy of the filesystem. -It also depends on the disks available on the server. - -The current approach implements the following hierarchies: - -![filesystems](filesystems.png) - -### Implementation - -```go -// FilesystemLayout to be created on the given machine -type FilesystemLayout struct { - // ID unique layout identifier - ID string - // Description is human readable - Description string - // Filesystems to create on the server - Filesystems []Filesystem - // Disks to configure in the server with their partitions - Disks []Disk - // Raid if not empty, create raid arrays out of the individual disks, to place filesystems onto - Raid []Raid - // VolumeGroups to create - VolumeGroups []VolumeGroup - // LogicalVolumes to create on top of VolumeGroups - LogicalVolumes []LogicalVolume - // Constraints which must match to select this Layout - Constraints FilesystemLayoutConstraints -} - -type FilesystemLayoutConstraints struct { - // Sizes defines the list of sizes this layout applies to - Sizes []string - // Images defines a map from os to versionconstraint - // the combination of os and versionconstraint per size must be conflict free over all filesystemlayouts - Images map[string]string -} - -type RaidLevel string -type Format string -type GPTType string - -// Filesystem defines a single filesystem to be mounted -type Filesystem struct { - // Path defines the mountpoint, if nil, it will not be mounted - Path *string - // Device where the filesystem is created on, must be the full device path seen by the OS - Device string - // Format is the type of filesystem should be created - Format Format - // Label is optional enhances readability - Label *string - // MountOptions which might be required - MountOptions []string - // CreateOptions during filesystem creation - CreateOptions []string -} - -// Disk represents a single block device visible from the OS, required -type Disk struct { - // Device is the full device path - Device string - // Partitions to create on this device - Partitions []Partition - // WipeOnReinstall, if set to true the whole disk will be erased if reinstall happens - // during fresh install all disks are wiped - WipeOnReinstall bool -} - -// Raid is optional, if given the devices must match. -// TODO inherit GPTType from underlay device ? -type Raid struct { - // ArrayName of the raid device, most often this will be /dev/md0 and so forth - ArrayName string - // Devices the devices to form a raid device - Devices []Device - // Level the raidlevel to use, can be one of 0,1,5,10 - // TODO what should be support - Level RaidLevel - // CreateOptions required during raid creation, example: --metadata=1.0 for uefi boot partition - CreateOptions []string - // Spares defaults to 0 - Spares int -} - - -// VolumeGroup is optional, if given the devices must match. -type VolumeGroup struct { - // Name of the volumegroup without the /dev prefix - Name string - // Devices the devices to form a volumegroup device - Devices []string - // Tags to attach to the volumegroup - Tags []string -} - -// LogicalVolume is a block devices created with lvm on top of a volumegroup -type LogicalVolume struct { - // Name the name of the logical volume, without /dev prefix, will be accessible at /dev/vgname/lvname - Name string - // VolumeGroup the name of the volumegroup - VolumeGroup string - // Size of this LV in mebibytes (MiB) - Size uint64 - // LVMType can be either striped or raid1 - LVMType LVMType -} - -// Partition is a single partition on a device, only GPT partition types are supported -type Partition struct { - // Number of this partition, will be added to the device once partitioned - Number int - // Label to enhance readability - Label *string - // Size given in MebiBytes (MiB) - // if "0" is given the rest of the device will be used, this requires Number to be the highest in this partition - Size string - // GPTType defines the GPT partition type - GPTType *GPTType -} - -const ( - // VFAT is used for the UEFI boot partition - VFAT = Format("vfat") - // EXT3 is usually only used for /boot - EXT3 = Format("ext3") - // EXT4 is the default fs - EXT4 = Format("ext4") - // SWAP is for the swap partition - SWAP = Format("swap") - // None - NONE = Format("none") - - // GPTBoot EFI Boot Partition - GPTBoot = GPTType("ef00") - // GPTLinux Linux Partition - GPTLinux = GPTType("8300") - // GPTLinuxRaid Linux Raid Partition - GPTLinuxRaid = GPTType("fd00") - // GPTLinux Linux Partition - GPTLinuxLVM = GPTType("8e00") - - // LVMTypeLinear append across all physical volumes - LVMTypeLinear = LVMType("linear") - // LVMTypeStriped stripe across all physical volumes - LVMTypeStriped = LVMType("striped") - // LVMTypeStripe mirror with raid across all physical volumes - LVMTypeRaid1 = LVMType("raid1") -) -``` - -Example `metalctl` outputs: - -```bash -$ metalctl filesystemlayouts ls -ID DESCRIPTION SIZES IMAGES -default default fs layout c1-large-x86, c1-xlarge-x86 debian >=10, ubuntu >=20.04, centos >=7 -ceph fs layout for ceph s2-large-x86, s2-xlarge-x86 debian >=10, ubuntu >=20.04 -firewall firewall fs layout c1-large-x86, c1-xlarge-x86 firewall >=2 -storage storage fs layout s3-large-x86 centos >=7 -s3 storage fs layout s2-xlarge-x86 debian >=10, ubuntu >=20.04, >=firewall-2 -default-devel devel fs layout -``` - -The `default` layout reflects what is actually implemented in metal-hammer to guarantee backward compatibility. - -```yaml ---- -id: default -constraints: - sizes: - - c1-large-x86 - - c1-xlarge-x86 - images: - debian: ">=10" - ubuntu: ">=20.04" - centos: ">=7" -filesystems: - - path: "/boot/efi" - device: "/dev/sda1" - format: "vfat" - options: "-F 32" - label: "efi" # required to be compatible with old images - - path: "/" - device: "/dev/sda2" - format: "ext4" - label: "root" # required to be compatible with old images - - path: "/var/lib" - device: "/dev/sda3" - format: "ext4" - label: "varlib" # required to be compatible with old images - - path: "/tmp" - device: "tmpfs" - format: "tmpfs" - mountoptions: - [ - "defaults", - "noatime", - "nosuid", - "nodev", - "noexec", - "mode=1777", - "size=512M", - ] -disks: - - device: "/dev/sda" - wipe: true - partitions: - - number: 1 - label: "efi" - size: 500 - type: GPTBoot - - number: 2 - label: "root" - size: 5000 - type: GPTLinux - - number: 3 - label: "varlib" - size: 0 # to end of partition - type: GPTLinux -``` - -The `firewall` layout reuses the built in nvme disk to store the logs, which is way faster and larger than what the sata-dom ssd provides. - -```yaml ---- -id: firewall -constraints: - sizes: - - c1-large-x86 - - c1-xlarge-x86 - images: - firewall: ">=2" -filesystems: - - path: "/boot/efi" - device: "/dev/sda1" - format: "vfat" - options: "-F 32" - - path: "/" - device: "/dev/sda2" - format: "ext4" - - path: "/var" - device: "/dev/nvme0n1p1" - format: "ext4" -disks: - - device: "/dev/sda" - wipe: true - partitions: - - number: 1 - label: "efi" - size: 500 - type: GPTBoot - - number: 2 - label: "root" - size: 5000 - type: GPTLinux - - device: "/dev/nvme0n1" - wipe: true - partitions: - - number: 1 - label: "var" - size: 0 - type: GPTLinux -``` - -The `storage` layout will be used for the storage servers, which must have mirrored boot disks. - -```yaml ---- -id: storage -constraints: - sizes: - - s3-large-x86 - images: - centos: ">=7" -filesystems: - - path: "/boot/efi" - device: "/dev/md1" - format: "vfat" - options: "-F32" - - path: "/" - device: "/dev/md2" - format: "ext4" -disks: - - device: "/dev/sda" - wipe: true - partitions: - - number: 1 - label: "efi" - size: 500 - type: GPTLinuxRaid - - number: 2 - label: "root" - size: 5000 - type: GPTLinuxRaid - - device: "/dev/sdb" - wipe: true - partitions: - - number: 1 - label: "efi" - size: 500 - type: GPTLinuxRaid - - number: 2 - label: "root" - size: 5000 - type: GPTLinuxRaid -raid: - - name: "/dev/md1" - level: 1 - devices: - - "/dev/sda1" - - "/dev/sdb1" - options: "--metadata=1.0" - - name: "/dev/md2" - level: 1 - devices: - - "/dev/sda2" - - "/dev/sdb2" - options: "--metadata=1.0" -``` - -The `s3-storage` layout matches the special situation on the s2-xlarge machines. - -```yaml ---- -id: s3-storage -constraints: - sizes: - - c1-large-x86 - - s2-xlarge-x86 - images: - debian: ">=10" - ubuntu: ">=20.04" - centos: ">=7" -filesystems: - - path: "/boot/efi" - device: "/dev/sde1" - format: "vfat" - options: "-F 32" - - path: "/" - device: "/dev/sde2" - format: "ext4" - - path: "/var/lib" - device: "/dev/sde3" - format: "ext4" -disks: - - device: "/dev/sde" - wipe: true - partitions: - - number: 1 - label: "efi" - size: 500 - type: GPTBoot - - number: 2 - label: "root" - size: 5000 - type: GPTLinux - - number: 3 - label: "varlib" - size: 0 # to end of partition - type: GPTLinux -``` - -A sample `lvm` layout which puts `/var/lib` as stripe on the nvme device - -```yaml ---- -id: lvm -description: "lvm layout" -constraints: - size: - - s2-xlarge-x86 - images: - debian: ">=10" - ubuntu: ">=20.04" - centos: ">=7" -filesystems: - - path: "/boot/efi" - device: "/dev/sda1" - format: "vfat" - createoptions: - - "-F 32" - label: "efi" - - path: "/" - device: "/dev/sda2" - format: "ext4" - label: "root" - - path: "/var/lib" - device: "/dev/vg00/varlib" - format: "ext4" - label: "varlib" - - path: "/tmp" - device: "tmpfs" - format: "tmpfs" - mountoptions: - [ - "defaults", - "noatime", - "nosuid", - "nodev", - "noexec", - "mode=1777", - "size=512M", - ] -volumegroups: - - name: "vg00" - devices: - - "/dev/nvmne0n1" - - "/dev/nvmne0n2" -logicalvolumes: - - name: "varlib" - volumegroup: "vg00" - size: 200 - lvmtype: "striped" -disks: - - device: "/dev/sda" - wipeonreinstall: true - partitions: - - number: 1 - label: "efi" - size: 500 - gpttype: "ef00" - - number: 2 - label: "root" - size: 5000 - gpttype: "8300" - - device: "/dev/nvmne0n1" - wipeonreinstall: false - - device: "/dev/nvmne0n2" - wipeonreinstall: false -``` - -## Components which requires modifications - -- metal-hammer: - - change implementation from build in hard coded logic - - move logic to create fstab from install.sh to metal-hammer -- metal-api: - - new endpoint `filesystemlayouts` - - add optional spec of `filesystemlayout` during `allocation` with validation if given `filesystemlayout` is possible on given size. - - add `allocation.filesystemlayout` in the response, based on either the specified `filesystemlayout` or the calculated one. - - implement `filesystemlayouts` validation for: - - matching to disks in the size - - no overlapping with the sizes/imagefilter specified in `filesystemlayouts` - - all devices specified exists from top to bottom (fs -> disks -> device || fs -> raid -> devices) -- metalctl: - - implement `filesystemlayouts` -- metal-go: - - adopt api changes -- metal-images: - - install mdadm for raid support diff --git a/versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP8/filesystems.drawio b/versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP8/filesystems.drawio deleted file mode 100644 index 0f0c6ab5..00000000 --- a/versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP8/filesystems.drawio +++ /dev/null @@ -1,43 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - \ No newline at end of file diff --git a/versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP8/filesystems.png b/versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP8/filesystems.png deleted file mode 100644 index 6d903b7ec9c8c069383846912f136127e54a371a..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 24073 zcmeFZby!u=x-L#hh|(!8>F#a`7bPK}z(SNxX;_4mQqoJ17DPZ05hO&qI|Uaa-67r5 z^&89BXP>?I+4ubJJ@@YO$9W!}^{hFWbIdWm`He5$@BLPoriRkh%hxWWp`l$>QHE-x zpqhg(zfK4W^8GqtXklJGhP0zdvc_=-^;s2LE>#nz*<)di?v#EFJBBukrU_PGA}T?k3cUyJjYK ze}7ib#vE?_`&xbx@n6e8U9N0lV`csO(P9F>C1r2&=i=WhakVxvcl7vm|IbrD<>un( z2<}w)`ATkC*r8pRS{w8`uE?B6dLL z@}@vuB37txU`%rhcktiNecgsBnAH*|CJ;K{*fd_{tG1edn^2v%4wSb z?H1sJTDaQ)?fH+zXm9@e@&7_46yp0mhd-w4ABc|s&$+)=!v6}ZQFmOY=3t0f3?7V+vC5|HBA#2xDDLK(czyhyKIf97y(GEL_pQF?>RQ_UvB?SN#8$KK@?*U&$6_`2M*_UClwr@*j%S z)!gh~F4Di#*MA_=Kd1i7x47W1<^PpP|6&^dmva4Qx(WpQuQ#3|e`7rVk+S|@GoC_! zC)xjuvVsWcpC~H`i~hy?|8E1Ie`H+$uPN*AeDQxrS^ueFbv3v6*DLE^l=HWz|3{Mj zFH%3z;>cSE%T~h! z@Q5)P0;sh3&{!hh4PANn)KpQfAUp}zl8lTLyN9ha2pwxd&=`^Aiou9YMDB`pkL+lu z+B$ce-kH;X(pQ-oSWY^Yh$O+^k!&nT(KL4h1ZzEb33-4mjR@D2w*% z5K0HZAb~79>9RA>VW9q^AA{rMO$>}*hjbXrMA1viAtkqoe?8p4hctSr!-tXx?ay37 zoRqoDMkIPfv%8A+U;P z`1yP~jAT}De8fYC_Gd-}=wS%BSRUE$2X;t-;~o!m^xxv}hvO>4vzqm@|2*(Jo-*9L z4j=c|^Z!Q#Kra7zEhwV$ufI4S<1QW0E^wHrLQo=A*GEfT@4i)Y?&htpIhhV59FL?H ze6TrLJMqcpt9FLx{)koe{`y$;g!>qG%+C4IBJEI>o9)5=m}50_0*t|h+R(2#gwVtH z_y@m6;zRf3Vj4lqNCU6s>?o7DwkXEL>?=SCGKr&?Lfh_mM93nsq>$SqRXr3*pVf^!TBV z7OEcWr9)Nmy7xO@J^r5TuruFjDXs6j_s!n)$$X5`xZBXf#k42qkE_pj`(!)}9BWH` zk6yd>ibp(@F=@i`I9|@F79NB(KXm;p?6COCgMiDim0S`# zweMipwD@C+g4{F>@ddK-IfP`DMw@AV$2J~d5Q%(lLYdQ| zleyypC?XP6E{9Ph32e(c!-qg8=N$t><%j@?`>tlw~`*;drc z(SUe#GA9mW`D|1!R@s-0wE1qgQaXTB@Wt0p>c(8Uxz&Y)YzKR!kLF_?-b9HApl=Tu zJ*j;2{HDa>p7&aD$gY7zKo^aqd%pBkcB0`5LV6$O@l{zf;gVEO)TS)J~@8)Qfs={=urUUTR__n=+bZWi!)TE-Wi}x2O!6UB;ch&Cp zO0pCjRwvSCGAP4So!h8cMBd(c?XXY-UVXvi-R}yeDGns)#B3<*v%Ln-!G$ttMrNBG zOn8)smB
xw+)D(Mjrp)Vmc+ZeAb<7x_eF6=MlG%YLYI4L!@ShPQCJLX3mr2J*i z4@rFQMiVY_d(wNeQh4aWSLyS^xec%YcgNbjg!nKto6%3X`s$})tHq|q8L$ec3|nMo zFpa1~s)756#lswpS8AX5*i5+T@0>@)e-EMc<8uyJq9cS7cD|;ih^9mGd+*x~6`9nRyZ-FdhKI`4MZ*{0oB=sC@Sc= zXt$eHVtCHKh9R-c-PfwyKWK)pb%Yi+UO;{4=81<%8(B=Ud-5|)Pv)&T`mHaV{zOx5|?hcUgA z$|r3NMXZ;N^`?bMvt45@`lpGM1I}ou+Vt1hJ0iXUyjVrM7wo zEVI-qf>yn7oa;_c@d#ETN-cgYAz3sFs#e}}s4DH9?t~#25n@fwXMHjkc6%x-=7_3t zARs^BMOWwMQOK{oTvy?LF2KOQv_=ycn)2j9qlyI^f#EZN8($8-MnnAD6waf-3^+!TKK z)bxAc_1so4TnPW|g4=+HG|z9;dHCCfvXKK9svVBjuQT73jb|i zglzm$2dwrluad~0gy=BQ)nTS77++Nr{+Ke1fi!V;O!+k2Dn~L9@10SuN2u%q$(Nnm zX=PuhDL$A*7zz1RNs6NHaqe9qe)j;pcoIn1o}oHHSjJ~~+lpSYgP%@a6WC13aHhdv zVR5EsB44TVj4Y~-bdD~A(2O1#1EU zs`yyvZHiHRq0_Iy-Aw*x@c)!pvKS;pCOyp#kV>?bAarVS5`Hw$0eL(hv(Y2i2X|W? zbStdge<`_?9yksnoa>>xAG>*6X??c*K}4nYsAKNhc-_UhclpZuyehA~m64Lz%}043 zz8~+e+sc^qv%dD3#U{M52AoEjLdB)Cn`)EJMl_W56|Xt<{0_!lpRW#nNHKW45TAE` z3T#=$L-&!^s2kFw-1VnB{?B6yFF^QngxIg&>EfiUyeO#Na6y^Gy(j%IRC$)mru@7; zP(g$H`Y5^1g8by0OaY#f6pmb@cxnmnR1nH_w;>;TOb92m&rKNHIgEa?SvvKUsXITm zMa5mZ6OvZF*N3uHNDr3YJg@ptKIs)Bbuj7ec(D28VhngEUMu~|9sD!RDtax9+%N)( zTZ_G~J_x8qhd|tuZbkB?Uu?J2ZsZl#xvb`wXndf6puCWQb1V4=gk#;&TXk!X$;UZk z_T>|o9p-`L#$UM&>TiGm<$jRCmreX$F@Jnc8y8u4gBzHa4wE%6_IFG|sV}d*R&xD= zcJ`)xG6U;t_XZ6THeWwEUv{Wmpb#}~Ks#uoajZZEQSb<|og2ZupRPE*%ktBCc4$fo z@zE4;XH0E=OBdrb?%ZB^w7WQVI-Sj1ci2?==v$XB2$FT?toL@9B$~=(kB1VWa7}dy z4#-l9W1aJB-+le~>_E8-Ac-=9_Qdaatf|vp`)kXm35c2IkZNK^#R{bxk6Xx`wb=_A zKbOD{6>$1c{;axof3*AF2?(9nZ}=UWkdmA}0P*X7dB&}fs>L+#UY6!E`>`qzQGWUS zQn=e~Z5a8=XQ#6b<=kEEM?dMW9l#Lh=O>QUh{9(QZYves<>UQzReCU!OWw}UK_DmU zwsKF@tnJEBwTB}roNa$5$m3Tmt(g|-5{9@Vb2fkq$qSxboVQ`GVx4UPKkhQ+d+@4Q zaxPMkqFC&6ifEtT#cTv`m5#1{s~=UgtG>i(X0!LFTLj`QT>cN9^JP1p9%oAtM*KiV5ik`#mqCB{7sYix3v9MBI8cC4o)`f zt8e-q55opPFm_^W?gOIml+Tx!^d%G#*O!5Z=OCqnxf1tBBIV``qLq!+#w=6p*UaFR z3kiZ4Fm$jlR7D>Ruu=X#69terw9=90X}bYtnOPmOQ4BSy%cG zx98Sh%1q zP_7GS$X&tMhys* zMIK9?td-~_5Y&rLI4*BpoCo0Z@a1((cud*zLSk9v=Yi&aaw)8sz3efdr9{1YRb;r~ zY^#}2hxhS-9zBnr*6TOXC&ZAG_43zwM)h^uCjHNFNTqZMMk5ypu`^1C49B3OUaKFh z0-mDx8{9B=^1V1am@13g_tMblC0R{le@i=gzM>#W^A4ibDYZkNtw@StVd)ja?l+ zO{sy_UNgaz;{liOACy>rwo82_=}~YNb)n?ca4Cg7;^s=%@;}>Qon1&t4msLi)QkcE={Zpo}RrC1JT0 zgsFN5SlAl%b2W|{Xw8qwEFvbJ06!28d!Jxfa>qf_xTqV5k=q;9n^oUGr;JS9@W*8lpZZ&fKCCZGLk`G9@tH(iJ627i&m z7etsah0Ej+ScNBR(W5UH#5WC(j}~9s(^>HuCdu%!nG72~< z@jJuA$36S(xNIERB#~r0_3+DK!X3C;su;2hWYbn_jIqT;=+T?vM-?1U_!hx-KGRLR z5vAGMH@L(r4b^>0BiC&6wOZ%K9P5R*{rR*w5VBxv#71Tpq2DiIcmAj~2+Q z%Jx8YvF+4t)Fx--1-{X_N=gv$dI1S~H7vKxi^7OWY2Qk+h>Aq)TY0@ z8ca6KHtO9-Ai$>2zhQWx056go9jg!WoUtv`MEZ9qS{HqKW)YAr#QQl-dQ7D1<58TS zTpg^f$cYYqN>M-nk*K&uC_Uh(e5HlyT)ht0o5bkD0P$U~?5x`>dJ7#w%J45C!v-xl zX^B*3`c=)>!b>q%xx%(X&%aYbJjR_v@a{X(Vq-j8AZpu9-{yY3Bulg_H*X{{FWr5R z3X=y~Ws&3&q<%Wz>fP+!Llr{RUNsX&knpM2%R4jhAk7{PHd-6xDeu(LujSLn6SkC& zq(0@t-?dnzVsy=j0fuB4;$koDK_+H# zyO&6}0qiZ+JJ>T*eGJaP@(2EWTTmQKK^nQ4&m>nZt%HozGXrh)bJ{o*su`J!g#5wAgndoJXjrJR4Y5{KeBg7LHnt!MZEm63_L0mClF z*r9LmZobLRmC|bWGO8NFDO^7Q#eqC)934wwh1g;TL;TqtUD zq33&;RqfZ!zp#EExe=5ki-IDi05 zbn!%Dyl8Hn`I6;9R-3u(qYrr#$goZJg<^&ynk}`CC2dDxnx2j|s9e_eF1GoL3+YT+ z^6sJ2cvfVKA&Q|k$&!OxS zGyRn3^7(~6Xr?BXO;$Dpt87N6b}I*tObfnSSo^>S+ic>PJ^pgormeBZSmKue;~4IC z2C!I4cB`sf-!dgXSKk)FRvkkXHE;0`3JwXPJ(!E9;_>yP2Obk{`)M5Hcj(BGTBmdI z`x;jrkcWTCQu2OyV;dc%GMFS&$TbPj>7qH_xqo~oi-a>CB*ke7sFcRw=fwt@Zyp?@ z(c~1%mPoa0Pxnf0+EH9hkc@-UT|o~c2t)9lF%OiIKr)<`XE8upM2>qqF-(@4Bzg(J z+xZ5MT$HcazZKN2?}G2WSW zBhY#sKQVXR%p3UDJcfhsdH6RjIdg7aqRh*kOzmr@CvcX`%zAg48TYECc41&DZ>Vo7 zXKS*9_}29&#DzE)v}ri~OchzLtn63yRCYNR{b))zf*=j6A1Q?d*M^e{eJ-{QHeq}l z_)gs$;uI0br}{NAFP73X#6uoVFx%Zj`WIsMDwA%#|3c=*(5Isj*T`)I$-K$Q5U@K} zIevBVy%JFQ5ZekY7Dv-(L{E8chd1%wu2h*Y&^VJ;hEKo7%s?a>FnpW!MyKU5M9a$> z&PsMf&7|blOgwQcdv>IJ!p(|ZKLRRe z{K-O$(-;{MmLC8(DndW|=~`K+Qr4{nqm;p_6sky`)9BAGkuFpXQ=S-$+uaY>Lbl~Q@xzkHD6~=ndHva zGxgg_f+0b8HVoUwA5Evkc1_JydZ8q7)te!+S&5@d>ZF^LzV`!s=|#*!4B zl0HDsC{s$Xje}e<-5M!}LvKuQm5NNCbg0sV(W2kk$+g!Uq$782A7E?bW2TiWj_1r} z6Y!?M30U+t8e6&R&I1{)Q9PS}q6g$uBcXYbZq@qAL6hv(_yx(2t6$mnnwUju_+xhk z==Pl+ex48TQ0?u#%VKyx%%b^%G&&3~TwtpuWU0ZP|KbiEBguORzXwu*Qb#BC)R+Ug zU0)Zi_+-i?1kzJI2lAvxvoFfz;nSZf38O2LSl(WqgajTBgc38VY3>-27&;Ks{K&q& zBk^+cVbqS{GYBTf*|E^EeTs5;|EEQVGTBQ|A-Ai9sydql(p=WyJAK z4almoA!OKC`)YW8r!WxJP6wN5-4EDnvsy%hTv8vE(@_;`Kdao6ngz;&<|v^8-(+(j zsliAyBxg8eoNB37g3lR8nv=&ZFq2A~b=-upf(Wf9PEB5H*#JdUOuH=bBjWi^b*wAz%g!#K(pF9SD&sx22Ups?1KV3?XqHZDn=ELl@{tQhn z^lSOf9{ceVH)JEFqy5N`)|xl<{#oJGp`34ycy!8K6al&T{=PgfrCL(b6BPzSmyn7-X4yM~msz7t{<_G2X|M;D87Ghh2NRyYY{ zO|M~e`sy>e7-8pl8WC-l#=Io+5zblPT;khFFp8wF1UC3@{uX8ytmj=K% zW(2=SO9NI+K#G)9h8we+sO|M%=FB&qtDyW)T{PIap`!p2A<|djXxdrn9WSvS;nT2_ ze!U*ciSDJ@!e-6l9I(#EFOVT%L!umkp0GfPt)J=h@k%3{&D_R&bhAvpxyfm4Zv2^)f2OIWB zv%ORimsejHzQ{I1roGU8k~1I=#R+uMd@XPHF($6zfzM-sBoI~+_CfZg*~(WVe0jS+ z+)$CZ^YSdA%6QK*)l&ZwC$>CgHz%zjSKytOLY<~%MW>?P`)dkNrMiw{ANVDOE=wuK z6%p0v=fyFLo#bKSYS2wOq+GJkIKWw|bVWrzlBnzD@?iiWuyAn^B<-slG1xwfit8Mu zCC#Grjg^a4iM}ccx9(~4seGIbA+aJ_UB z0(KPm&BL(ruo>QhY<)kIM29jDJM6Q+wD-Qy*Bfqg%+sDs`9+yqftTA!f}L)`=|(+O zXhiI+Rr#*hS`ba=-Opt7P|X>c!Y78nWPr9~%NNjBv92!Q67-CgGLxSe4kjE^-hVE1 z!rj-RL`3@%HncMM!S;ElrB}j(ng!E+w;q5$B)Fd?5ENVuzn;RYEkbO3v;+|_4^=SO zZ&Q4(wWr);!r+AyMzG&e>`dn0N7dENM>}*on3(N0oGig@!6>_t`#w$hA0RWYYl#}B zO^gYngq^o>bk|8~SbR&!uIsW6+wr;`hLBp%0GC^l*IS>$%b`ly2mXzLI4RjLzjB=x zG4-)?XRrMZ0uEH+|Jz`v$-{dxf4Bhu1APAf#e?sKAubn&+%WoGeSoH8;GX7Tq-i~e zC1X+WJg6uVcrDeKGnnWlR542#^?HNCUz=o$3zF@F9skf9K-Kfs2I?=75;cbkb2-%t z>2av?hf4i^A~!&*iM@FfmqH=A0%ZOJD5AhKiP%dj0Niew+-8y${5#`O@9>EP%eH~;XdXroZ6*Jfe%Q>&B z@Odie?rE7E26w?I0mp_3Bn6DlEy+A|?nrcXF4_rNsG`FczF12hWFsb>A1Fxk4iy^7c%TRtpo%;kge9YPcxu1&C1ZblAkTiROt(+J z#Ih0rk*oqp&`1RUa=i=GQ$!-pZgeBT%d#JmK3;lLpz%t=p_{uLu4ni-yI39#0^k~l zm4RG`wn*v%kIl&qpbMfRlAARpG-6KaV}R%|fr9Z+P*C+VFGnD_p9t$JK%y204IHJt z>i|h2*SNsskUTY)hYX!qIT&mcjwC??Wrj@5mse>-;C}%$q3y&<*G)(nW2btO1=sV= z!TlddATXsO0;#PAOp#7?;0#%oP~h%0wk5y9y#xaX@stV>I9|(@0}A&|0mn3aAx-*V z{A&wZ(=v)EfTC+~-yQea{p>K`5yOHYf`F2^%Vy0k!r)PE_IOF(O#_SNEnZb1_wy+; z{{{{hFqvxR#0ULBm;M&_v~3v!Xt;5v)!sKfQMpEGfD^=Sx2^b7&3oOP(IDf!DNE{n@^2UjE1M zFoa3-vt$dbj2Z54eC#DdfnhJn;PpeEH1?ljszHfn4gcot%YrsunV72q9!9Y&>T1@; zHgu@c0KrT{|5rdWag3Frz+DMp4m@MaqH`wxaROL2DQ;GqwFhMdt2GQe~`A&gb3ccVHSmabi*z;nWo?t0W6~fE?TIH z3Crj71@b~4sA9Rpgk5qrC{vZCHd<;Wa1lX_e71wDfgVSYK)8ZYq>TbV^l+CMAEr76 zq?VT*#&~a?=h}2K1D}}f8E@jN8XGnpZv$I0N|=y?;>BR$hJ7vqkhv46UpO=>H*ax@ z-F?UgNNSfs0Dh0psw{d~0f%%fBjm=)XsNB0D&zSA8jI1sfKyd)7~%{A?1w_{mE4^7 z8imG_i}P6BTriPgqb;CEFw9F6^#JW3yFuK7!(bUDJQzBV4p#CK+AhABYUV~G<5#2a zTjZyfEYMmD_zMvLSc^%Tp8}{is&&Bz0@j&N}#E^wKmGi2^~If-Z8R zh7Y?0@NEDn?lERp5=Fyj{PfHlltP4&o`9@D*&}qNK0xqWFsQxfqPTUJTrKg#6yU~D z#*B>Zmf`~4H=Y8%%19b|JwW`5VtyPC5HHjY&nDfYeeunO)B=ssn> z#lS>NVJQ@x*hudy7Y#JD^}J*6$++6rYs>BOI!E!7@6LYp4B|2H;d&^F0A7QI!)pDXFv&-eL zA~0WDz14)Tj`fvtS+wT4Nz0=beK|Gwpp2{~#`%ysP1YPqT-V{`afMo-g{9`Dk6{rq z<}Q^DZSqyUl%0x~j3p>&Q2)ga^XXeB^Mp<&wHHgcw>U3KORV}tW~6BCjYCp_6a*y! zb;DxZO+%GWHkIPqI-0T`_p7juJex>AdgYUh(eYwGHt=3~{%**Wz4^EuY1
s|)TRD0vGs2UKyg2w47<+D+~{>-Q++BdU4Bq^moVQKCMDk3 z=Ip~2VwdziRP2boRSCGBn+aVu&KMTF61S1oFNNM{QG$T>{nY2Q8~bv_k$46Pi%F*! zn-}MO3G{&obxID2B1Jk`F_+$txU5NH>TR210#U9q`{y<1$E)twQ?dtCc`93=J;2;s zsXC{A*)cGEKa_F2?Q~~tUSi|ng!~*OWKDFoQY^P^^4-PhqD&e4HJ;mlXmp+GU_LmM zAm%cp+>U7D9hx{SGMT+NsK2nUb4Y3#p^e)dhG%33nvI3x^#fLsBL!~0F^qC+sA=*> z0=NF`3=?UXFAc0gY`bNL)jM%GU9HKh?Yp^%2PhgIv*^C3CFGs21ogpTYmG_6CcGO* zC6p@cH$arO?R1Za1aj#BUH#>yH(if2K){!{>L9gO2b4@FMNt2kZb4FHJ&XYHq2$zm zih?AkQS8+`*rs;=rOl)eI{{0T7G4P=F*_ow+~6Qr@r1`PMB~a+qig%ghoq`PxJeJ% zn|Gx}S&NGbh`!=FH?wnU7;LA)L_8fxRJmYQMC!I5N_9`a2)=v+RZ^t6nf<7{KL+y? z%V+D_JExi3-EN{eRrfzxn;@n|Cg5K=68Db~>Hv$!OYtRC8-)=9ZlVcmV^b(W!rkGJ zMs31wcEE`&o*Mxy$dWVKRBe;aAYa+kw{m3Lj$P(QIaPOF`t*IiNuCfbHqmyIyXA^S z45iYx_~(*ux&|Zsjv~;zl-Y;Cj<>XHi*swFvmqO?1teG|InMA3<9#5-m3hNKuW=E0 zJA3z(cLu#{jcq5T&p*2a&(GDftYlH&3rV-){&B>oH)kAqHOTPZl+VF;v*^4JPM4p# z@`<1+s%RZ4uvd#rb)P7nIQ5K5Hl=P3e|qAGHHg2#j3IywB*r&^;U6+2mW4`L` z`C$PbOBoyTc|0|%@mk;|tZvLrbY$eVwZTL9y!S>JDeEZqAgbKNK=0~vz1<^}KqS7T zrsbSs@^K5^Bs_i=#MH#JstaVXOLQ(AwhiAz5enpxD^S3+++(mU6BfQ-8HVt23kAS2 zv8SU&5ib*{FpA~MU%$RH={{ypxr?WztnVCNRfI`9+o!yHxy z6c4Gwn^6=kr4>Hsj|JWQ;^(v_+%ju^?fs3GybqoTW+20yhdw6~t~MokNk2~nCCJ)j zyINUCPu5nhRbQRrI@PBFEYO`r&eTFWzvr@zr{QkFg*V3E3exXh*wxHY*X&L4#YgUB zYitP>5*($G6J`&Pu3k#nHEt8!4esFA*`%T~%B~Oz5$sI}jcvN4X+BJceKfiPBA((x z<(>l{9bFG7`7_9n;tXXO*TdI8S=paTQOxR+`?mq)l@-*?=7YV}Jh~1Ftz2($jXGg+ zd?mAbPuWViV(Bi!A{LTpXk!DPn5d27>hslMG_;+zE5lxbKI z9wIt4Lx}DlVk4zz4imY8&5!$t^Fo_y+Yz9JG2don_bB`?E|BS%9V>V$#JJoNPWM`{ z+OoPV3;Z#0bRS=bN)bgz*$%I7Jl72m4k~myZ=)0@Wwk9^dtv39(1I<#&$+eN7gJT~ zy7)5B%IDIS+jHv-sm+e-L(X=Dta7-J!B=>PiVR<_*-qPp6XYuzLXs*1)5xc=rE+8x zdjQ+jb~aFgzKG}n?o&M@-)|y4#kXiT4ux^UuS8s83zgF}P=Pb;Jz_T^ey0YENc@OH z{LVlI6z7DzNW_y=oRqqo&XCQ^y~3=M&Rn{ittEJiWFysitY=$PB;FZPJzjj9PrL*@ zN@Z}DvH`1?sb~9UP0UBhv|)z0MM{$E$tOGAyz20t*E02wNICiG#8{HvE^Q5=`;-01 zZ&7N@Af`E~nHSfa4OX(=UZZ>nkNFld7d$|SPn1BXUC>bkUB7BdG@uKnwex;OT;Vq# zA4Hg7g5G4IB@O(-BsprhQmsRxv5-Mr7G*?pF;{~dG}WRWEx z?GW%3FkZ(;If)rGh5HM4xZ-`@x!kR?1#Kuc4-O8*N&z&9DGhuqg=fLeM1kpLFP1t$ zuH+RV>i|T#LajoA%PbK(^|Te;S*~eE?h0W(F^r!GOAOzXVb1PmibArOzQA-I?P^G( zQ)%QJ?Y?g`s3y{xv0?cV5_NS*R<$L>KSsxp*wnV-1MZVbru7ogr0 zTFa{nZ$Su^UD4lQ;-hKG06}nBP)Hw5g8WEGYZ`aL5fQoAtm!fdveDTSkxtqWRjYg& z6*cK8rl5(6l=f+z<+<5bK5#*bh0QXlfpUk7?k20EK#g+}@PQB-yfTvY`I$rNfw1G` z_-QLqTokFc-Tpqw$*19@sHN$5l7mG3>2iT8bM+p#ngxZzgYlFK2YF(*#B*?c%fZvtt2!y~uIB=N#w#B&EACV-6pw^2k? zwev=ME_;Gbk?C~J^SQCZ#Ky7BES1=vsb0`=u=XR)2rdOu^#bpM4FV%Eu0kRC1z+c_w~kEJ;hf- zob+9GJU7DyXtIay4b~odHNGZ5>^Ti9F<26*@}%iK*ms+rCM2xzLpGM$DO=oP8!{!P zmtmk=jJVP5a%GULU>*5J$pXFm%h%g*^LNFnn%{m6AJrrfzVt4Rt;Fx=*yRHV?-AoJ zOHI>@>4ij1%plqZSH8_aZFdwMH|K+@*4HnYZ&Kg%d=DS*8qymkQ-H_W#*JLUrx?bT z?O9|JAu%mB)=TBk{W{C_9MMh(C_Y zP*AE=O#Vz+Sqi{}jL{qzQma?XGHg!(6I-Vlta#VwPz7LGX|hqcjEJ1nUk{ z+Cx15b{l5ZuiNxBW`-H+$Z#`53~Uhs2pUn1Oh&cEFQq63wK9BQ2b;%vPd*Ic@?0Q= z*Tt5qw>2E$f)G%hzt3={0fe6_cR!e!T4K$1~CRz6S)w*Kw2 zBAa-l{3YepqpsTP+nfg!{kvhZe4w1WhhPE^m`~4B5xk#B`V%9@je7xR%Dy~w{*hUN zNy2n<0ic46I?ouQuYqu4K-20Y9jc%_ELjIoLFM=i+$=?)X2Ju>T*|1b@jikVNi3;t z!G@6wc-qQW-B|E{ZTdOXroTrWF8c_@p1<{~Gl1#m@Q448hffbq&M)QQ{z)DuQl2(4 zWkh`?hssh2>3=cZEclq-iV(7T_VG_sRSU>Iz`E)te@vwUaVPKkzO_a;JlFBH1c! z8B{h_4ZYWeJ-*1{RDx~`u_6vskJHaKsU&_git6tu9wcCqxr1I0H_pNumtHADzaxv2 zldYL%vqo~u{?qf5&58GU1uHAx@~kXe{}+_qZ-whq_4Q+b4>PVIxgIB&V)W$f8^m+k zeQ#=@m-#zKJga`z)HPIsS=ftY)I3HfFM#3-~dXq_J%08EmjGhLj859ZHN zO%V_P6ATinfOIfx%&z>N1?l<1Dek{qG7@{?YiRe;;N1K{b+EjH8> z{S!4_-<)VU0jMG;lKB0>vMJCi7Z#%GrSy-moA*l}Eda(S%>iKC>gY=(*&%KoTZ=w9 z_i3l(kt)sCg4ka06|-WXRCF((mlJ5>~l77sLb|VZ@!EUUn_2}%DtOYMJ;GqF!7<3VJkA_<4Vew z1xf;w(q})u4z^2mL(Ztq38jBTqi|d`wFZPwk*U<-bfCLqcLMhWC|uZHDgLM_nidhH z-~^iU+%G^7y5UfFWSK`8wx3ZWy+6#z>a8zvdE-TuCKfbZ4HqDr?+id=&jgs_VuHS9 z@_V`CP)0;iSj;batsJHO(_qU6!knFEbpR7$yP?XmbJCNGD3Q^Q1Z$Xk#)qO_q(i6( zNqq>uX|Fc|g#!WUnXz0mR+)I$4HDmV!zX8Mwm21%``*4woCAFNjr>Zb$4BIo#WVtl4*=Rm%EI)(Kf15)QZv1d-!?r&wOdaME6?^mI z)HTG(czGF6R?9nIcSaubCks%=1hgo8*&Hi(bTn!L+{N;VJ81(DL@2^z%6AAA?4GyP zvrm;s@n^&yLX4Jxb;u}H87g?Fj_bJ$$l`+N%f88!O{GMt?SSG7@Sw`MPS)3OK1Olcq`gshGGLK@_K>W^3Q%Ch8N8v^iX?cmeQ zc%`d)7Q>b`KCe39#~up~7ClhOd=owS&KCI2t}t1^U+#2_;4Ulb#OMxu!pI(rNr8s# zo1j@iq1BkU4{B+asyseNjQ6Qdsh5heJ=urO(!^g{;MQ&E-wb^L`UcOXA?F{7sqNBQ zf~G(tZpyt8uC7Gh%)r72YMZS9e3DNROD0lrn!`T^bv2=wMiMmuK;=PkF4|TaCn@XF zYlHRz!(P*J-9d3s)!Udvngt$zc$_f1h|BP ziEXttNWiZQ2B3Zy020cR&xNbXVw#VQ%b37iB;eUij*EE*PWN;e_jav*W~0PYv^*8K z6L*SPF+n3Oy&P=~C=!0?>-Qk;=JG8j#3U{TjVA`BMxHa5yl+0KcA_;6TcFl(biNjP zCWd=u^r^cUd+wdrHwSqJa7@%*PogMWj{^AU9b0f`N$Gn(65=(=O__-E=)K5(^W{eF zDoVwIWw|mjZLwmpFnNt!)yV9!%wCPkC^O;?;~s-tf2{P%7q!&$s4N%;%&OhISC7y3 zL=F4Oq}%~!Y*;`iQwJFY+cOoQnq+sS0|KuGO>S$l2&palsp2Hiv)uVvSrG2TK1=&b zwH9oAbm^`%DGTX8sw%|tsiL8(3hF&uic}xvV#A&Gf{tkVTXs!(or{-@I`Rv1e9c9ck6B}6lq{34 z7c&8xQ(P)fB|x8VNh?wzDLCftJMnuf5+%UIcOc0YNBEqfh@Qa!MLiH*W4*_Xt6iGT zqac-8otT`AT3K&@DQ2{IUQ4SrDuy4+l7O)f#ae&Th|%Oi(bQ5xM%E>Se|p&>W>q2~ zxM&oRX5)&!6h*f5-_?AP&3K!0$q)o1+C*&LNUh6kf9e63YXJ>bQyW#POn(5f%z0}( z6qJzzpbWjG2@*)~i+n;fURZz^QQ{rjK43MK1hZAVLpN_<{(g}X+LJB!rA<}`FmSW{ zBtO~0PcQZ`E)JxcIev+E;M028as*FiTL2|>S-lGMxu%PtaLO&gr+Qkc&I=Ly)FNIv zluK7Pv&8W6!|OWr#0ZkN8p32}lJc#Vr$bpMg|?lamM}8}l0bRv!U54t>T}+$FD0hS z4Y%0$TD<&IoNH`$@>}MolQ;}@Rj$8kDHWeobS4WvQ1=U9Xr7h0p(Rf}uO#W2Krr4n zR}ntUdwTU|iw^xc9w~Egh0|?aL?+`0KO9jmGFYsWKO!5~h`OcEAJRBc!D2K<@|Xh0 zqvbxmQyNrhSX6TekP!xSF)|czVo3%HY>)Sqb0JhIN%YPT zXiXk)N38*q$23qym~E7GC@5+Y&l&@ij5~*(6fC7cX9%( zrFl?sz%r1jnOdJ18>()3>$7BM?HzkP~wvNYUFqI)~!>4bSJp za7V@7*#qFB#->Ua=$|c?JRqZS8ryGS&!k(whHhV>sf|t7Q~S6^PQMUdr(#E(@UUj5 zlE7pefT=H+=u)MMC2E3B;0gC@l=Ff`9EvlWjc~BEfx0+PR}Oz#X6`vyi^;HSN+o^s zJu`ymqXp%-rJ3|>9`OlB zxdz2iWrT&ik3giC#V@h_;Qr|k^_hrn!;28=PMovu(E*vhBrV)_KQx*~1uIE%1=)^S z3clcNv{p&{#DZ~?%4?cFUhZbc;x_BIa%Dm)H@`Ji2&pGPwY5!JF)Lmf#18P+BCLC- zZ)j4&K6s@CU9RJBg{AS?(i^O+_yAdFyA{_!n7EAsl07p6nOXDMVIf7~L>)c0s$Fb) z$Qa%FKsox%!0g0yKVW9|?Z55;%cIW#rubuHVoW}@Bqk<~chqWl=@s!j$;b#rPD^g67PThIlIzVvTR7LF%!={PF=Wp@E!F%vig^}t-Bsa%RhfT1i%%~ z0W?G~2<)w!EDA#YQq3%JnK}EHU;Tw-_-dh$3~|A@KR=rj3hn^}GN0Pzdh!1wID?E? zA|UhCF=izB$+%n$G;k+^@uU4-%^QuE3uIS?)uJmaGBXtyCpFRYmXx)%QIe&|xDB*!CdfJ;_j zhY>s&*aU=-?{NiMZxkt5Lp&u~TEis48r1I{fpDKm9aJ4>6eQONa%1tsAKixb0^&ll zm8LdG**;T~6TI8X?JAEyef7>tQNNn2+S+3uckyJP;`F$C9;Y4-G~0^ zYaVg>Edu^4p)0H0O3y{eTo-#wmuf(s^iKXR*mdd!!7YaL zpM2}sNm2Z#LwJ#o!l~%IIQ)xO zh6*>2e=M6JjrGszibI~tT47>e;lo$jQ_h^Iaw|E5fS%~AbtIkB7@)z~5?hXBDKY6{ z5jHN?eA#>;=y&Ql1llV}MIKhWyMe~e+v@Nv@~fpuY&Ec_M2{x1l@i_@Uf_|kfB;Q7 zf|KqtG2|$-hXGsPFYDrKVXPVnM5SM65|}R)B2evmuOzwPACUQyg#FvtTIk42qK%|| zyw4h@eeHm0Xk|2(l%5Ba=(fM`JfQA)j87GtDOK0K?I?p-m-X97o|yzjb-$EGyhnhzRm0*+gq zZhhDNGY>d8D!SYVc$$buBe2YxcjPY+p#3GUv(L%%C1@E~5%B0O&`53k6yQj0<~bhV5H94PE|4CeM120Qe7~VJTq~wF kXa6SPfTYKS1OJ)lrK(Ngo9!I|JmQ_f)78&qol`;+05laSKmY&$ diff --git a/versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP9/README.md b/versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP9/README.md deleted file mode 100644 index a8cae83d..00000000 --- a/versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP9/README.md +++ /dev/null @@ -1,132 +0,0 @@ ---- -slug: /MEP-9-no-open-ports-to-the-data-center -title: MEP-9 -sidebar_position: 9 ---- - -# No Open Ports To the Data Center - -Our metal-stack partitions typically have open ports for metal-stack native services, these are: - -- SSH port on the firewalls -- bmc-reverse-proxy for serial console access through the metal-console - -These open ports are potential security risks. For example, while SSH access is possible only with private key it's still vulnerable to DoS attack. - -Therefore, we want to get rid off these open ports to reduce the attack surface to the data center. - -## Requirements - -- Access to firewall SSH only via VPN -- Easy to update VPN components - -As a next step, we can also consider joining the management servers to the VPN mesh, which would replace typical WireGuard setups for operators to enter resources inside the partition. - -## High Level Design - -[](./architecture.svg) - -> Simplified drawing showing old vs. new architecture. - -### Concerns - -There's few concerns when using WireGuard for implementing VPN: - -1. WireGuard doesn't implement dynamic cipher substitution. Which is important in case one of the crypto methods, used by WireGuard will be broken. The only possible solution for that will be to update WireGuard to a fixed version. -2. Coordination server(Headscale) is a single point of failure. In case it fails, it potentially can disconnect existing members of the network, as WireGuard can't manage dynamic IPs by itself. -3. Headscale is already falls behind Tailscale coordination server implementation. Which can complicate the upgrade to newer version of Tailscale client in case of emergency. - -### Solutions to concerns - -1. Tailscale node software is using userspace implementation of WireGuard -- `wireguard-go`. One of the options is to inject Tailscale client into `metalctl`. And make it available as `metalctl vpn` or similar command. It should be possible to do as `tailscale` node is already available as open sourced Go pkg. That would allow us to control, what version of Tailscale users are using and in case of any critical changes to enforce them to update `metalctl` to use VPN functionality. -2. Would it be a considerable risk? We could look into `wg-dynamic` project to cover this problem. -3. At the moment, repository looks well maintained and the metal-stack team already contributes to it. - -## Implementation Details - -### metal-roles - -`metal-roles` will be responsible for deployment of `headscale` server(via new `headscale` role). It also should provide sufficient config to `metal-api` so it establishes connection with `headscale` gRPC server. - -### New `metalctl` commands - -`metalctl` will be responsible for client-side implementation of this MEP. Specifically, it's by using `metalctl` user expected to connect to firewalls. - -- `metalctl vpn` -- section for VPN related commands: - - `metalctl vpn get key [vpn name] --namespace [namespace name]` -- returns auth key to be used with `tailscale` client for establishing connection. - -Extend `metalctl firewall`: - -- `metalctl firewall ssh [ID]` -- connect to firewall via SSH. - -Extend `metalctl machine`: - -- `metalctl machine ssh [ID]` -- connect to machine via SSH. - -`metalctl` will be able to connect to firewall and machines by running `tailscale` in container. - -### metal-api - -Updates to `metal-api` should be made, so that it's able to add firewalls to VPNs. There should be one Tailscale namespace per project. So if multiple firewalls are created in single project, they will join the same namespace. - -Two new flags should be introduced to connect `metal-api` to `headscale` gRPC server: - -- `headscale-addr` -- specifies address of Headscale grpc API. -- `headscale-api-key` -- specifies temporary API key to connect to Headscale. It should be replaced and then rotated by `metal-api`. - -If `metal-api` initialized with `headscale` connection it should automatically join all created firewalls to VPN. - -Add new endpoint, that will be used by `metalctl` to connect to VPN: - -- `/v1/vpn GET` -- requests auth key from `headscale` server. - -### metal-hammer - -`metal-hammer` acts as an intermediary for machine configuration between `metal-api` and machine's image. Specifically it writes to `/etc/metal/install.yaml` file, data from which later will be used by image's `install.sh` file. - -To implement VPN support we have to add authentication key and VPN server address to `install.yaml` file. This key will be used to join machine to a VPN. - -### metal-images - -Images `install.sh` script have to be updated to work with authentication key and VPN server address, provided in `install.yaml` file. If this key is present, machine should connect to VPN. - -### metal-networker - -`metal-networker` also have to know if VPN was configured. In that case we need to disable public access to SSH and allow all(?) traffic from WireGuard interface. - -### firewall-controller - -`firewall-controller` have to monitor changes in `Firewall` resource and keep `tailscaled` version up-to-date. - -### Resources - -Update `Firewall` resource to include desired/actual `tailscale` version: - -``` -Firewall: - Spec: - tailscale: - Version: Minimal version - ... - Status: - ... - VPN: - Status: Boolean field - tailscale: - Version: Actual version - ... -``` - -### bmc-reverse-proxy - -TODO - -## References - -1. [WireGuard: Next Generation Secure Network Tunnel](https://www.youtube.com/watch?v=88GyLoZbDNw) -2. [How Tailscale works](https://tailscale.com/blog/how-tailscale-works) -3. [Tailscale is officially SOC 2 compliant](https://tailscale.com/blog/soc2) -4. [Why not Wireguard](https://www.ipfire.org/blog/why-not-wireguard) -5. [Wireguard: Known Limitations](https://www.wireguard.com/known-limitations/) -6. [Wireguard: Things That Might Be Accomplished](https://www.wireguard.com/todo/) -7. [Headscale: Tailscale control protocol v2](https://github.com/juanfont/headscale/issues/526) diff --git a/versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP9/architecture.drawio b/versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP9/architecture.drawio deleted file mode 100644 index adb09214..00000000 --- a/versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP9/architecture.drawio +++ /dev/null @@ -1,324 +0,0 @@ - - - - - - - -
-
-
- Metal Control Plane -
-
-
- - - Metal Control Plane - - - - - - - -
-
-
- metal-stack -
- Partition -
-
-
- - - metal-stack... - - - - - - - -
-
-
- firewall -
-
-
- - - firewall - - - - - - - - -
-
-
- machine -
-
-
- - - machine - - - - - - - -
-
-
- ssh -
-
-
- - - ssh - - - - - - - -
-
-
- bmc-proxy -
-
-
- - - bmc-proxy - - - - - - - - - - - - - -
-
-
- Metal Control Plane -
-
-
- - - Metal Control Plane - - - - - - - -
-
-
- metal-stack -
- Partition -
-
-
- - - metal-stack... - - - - - - - -
-
-
- firewall -
-
-
- - - firewall - - - - - - - - -
-
-
- machine -
-
-
- - - machine - - - - - - - -
-
-
- ssh -
-
-
- - - ssh - - - - - - - - - -
-
-
- bmc-proxy -
-
-
- - - bmc-proxy - - - - - - - -
-
-
- headscale -
-
-
- - - headscale - - - - - - - - - - - - - -
-
-
- tailscaled -
-
-
- - - tailscaled - - - - - - - - - -
-
-
- tailscaled -
-
-
- - - tailscaled - - - - - - - -
-
-
- Internet -
-
-
- - - Internet - - - - - - - -
-
-
- Internet -
-
-
- - - Internet - - - - - - - - - Viewer does not support full SVG 1.1 - - - - diff --git a/versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP9/architecture.svg b/versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP9/architecture.svg deleted file mode 100644 index fd268d2f..00000000 --- a/versioned_docs/version-v0.21.8/contributing/01-Proposals/MEP9/architecture.svg +++ /dev/null @@ -1 +0,0 @@ -
Metal Control Plane
Metal Control Plane
metal-stack
Partition
metal-stack...
firewall
firewall
machine
machine
ssh
ssh
bmc-proxy
bmc-proxy
Metal Control Plane
Metal Control Plane
metal-stack
Partition
metal-stack...
firewall
firewall
machine
machine
ssh
ssh
bmc-proxy
bmc-proxy
headscale
headscale
tailscaled
tailscaled
tailscaled
tailscaled
Internet
Internet
Internet
InternetText is not SVG - cannot display \ No newline at end of file diff --git a/versioned_docs/version-v0.21.8/contributing/01-Proposals/_category_.json b/versioned_docs/version-v0.21.8/contributing/01-Proposals/_category_.json deleted file mode 100644 index 2e7fa4bf..00000000 --- a/versioned_docs/version-v0.21.8/contributing/01-Proposals/_category_.json +++ /dev/null @@ -1,4 +0,0 @@ -{ - "position": 1, - "label": "Enhancement Proposals" -} \ No newline at end of file diff --git a/versioned_docs/version-v0.21.8/contributing/01-Proposals/index.md b/versioned_docs/version-v0.21.8/contributing/01-Proposals/index.md deleted file mode 100644 index 9f3ef30d..00000000 --- a/versioned_docs/version-v0.21.8/contributing/01-Proposals/index.md +++ /dev/null @@ -1,45 +0,0 @@ ---- -slug: /enhancement-proposals -title: Enhancement Proposals -sidebar_position: 1 ---- - -# Metal Stack Enhancement Proposals (MEPs) - -This section contains proposals which address substantial modifications to metal-stack. - -Every proposal has a short name which starts with _MEP_ followed by an incremental, unique number. Proposals should be raised as pull requests in the [docs](https://github.com/metal-stack/docs) repository and can be discussed in Github issues. - -The list of proposals and their current state is listed in the table below. - -Possible states are: - -- `In Discussion` -- `Accepted` -- `Declined` -- `In Progress` -- `Completed` -- `Aborted` - -Once a proposal was accepted, an issue should be raised and the implementation should be done in a separate PR. - -| Name | Description | State | -| :------------------------ | :--------------------------------------------- | :-------------: | -| [MEP-1](MEP1/README.md) | Distributed Control Plane Deployment | `Declined` | -| [MEP-2](MEP2/README.md) | Two Factor Authentication | `Aborted` | -| [MEP-3](MEP3/README.md) | Machine Re-Installation to preserve local data | `Completed` | -| [MEP-4](MEP4/README.md) | Multi-tenancy for the metal-api | `In Progress` | -| [MEP-5](MEP5/README.md) | Shared Networks | `Completed` | -| [MEP-6](MEP6/README.md) | DMZ Networks | `Completed` | -| MEP-7 | Passing environment variables to machines | `Declined` | -| [MEP-8](MEP8/README.md) | Configurable Filesystemlayout | `Completed` | -| [MEP-9](MEP9/README.md) | No Open Ports To the Data Center | `Completed` | -| [MEP-10](MEP10/README.md) | SONiC Support | `Completed` | -| [MEP-11](MEP11/README.md) | Auditing ^of metal-stack resources | `Completed` | -| [MEP-12](MEP12/README.md) | Rack Spreading | `Completed` | -| [MEP-13](MEP13/README.md) | IPv6 | `Completed` | -| [MEP-14](MEP14/README.md) | Independence from external sources | `Completed` | -| MEP-15 | HAL Improvements | `In Discussion` | -| [MEP-16](MEP16/README.md) | Firewall Support for Cluster API Provider | `In Discussion` | -| [MEP-17](MEP17/README.md) | Global Network View | `In Discussion` | -| [MEP-18](MEP18/README.md) | Autonomous Control Plane | `In Discussion` | diff --git a/versioned_docs/version-v0.21.8/contributing/02-planning-meetings.md b/versioned_docs/version-v0.21.8/contributing/02-planning-meetings.md deleted file mode 100644 index ef602204..00000000 --- a/versioned_docs/version-v0.21.8/contributing/02-planning-meetings.md +++ /dev/null @@ -1,51 +0,0 @@ ---- -slug: /planning-meetings -title: Planning Meetings -sidebar_position: 2 ---- - -# Planning Meetings - -Public planning meetings are held **biweekly** on **odd calendar weeks** from **14:00 to 14:30** on Microsoft Teams. The purpose is to provide an overview of our current projects and priorities, as well as to discuss new topics and issues within the group. - -Our [development planning board](https://github.com/orgs/metal-stack/projects/34) can be found on GitHub. - -You can use [this link](https://teams.microsoft.com/l/meetup-join/19%3ameeting_ZTVmNWFkYjYtMzVmYi00ZTMxLTk5ZTUtMGFjYjU2OTk0MjQz%40thread.v2/0?context=%7b%22Tid%22%3a%22f9d9b921-8f78-466d-95fd-4495e73d8d65%22%2c%22Oid%22%3a%228ac2a791-e637-4a90-8505-0a1ee175ebfc%22%7d) to join. If you want to get an invitation to the event, please drop us a line on our Slack channel. - -Planning meetings are currently not recorded. The meetings are held either in English or German depending on the attendees. - -:::info -Note that anyone can contribute to metal-stack without participating in planning meetings. However, if you want to speed up the review process for your requirements, it might be helpful to attend the meetings. -::: - -## Agenda - -Here is the agenda that we generally want to follow in a planning meeting: - -- Possibility to bring up news that are interesting for every developer of the metal-stack org -- Check `Done` column and archive cards - - Attendees have the chance to briefly present achievements if they want -- Check the `In Progress` column and discuss whether these tasks are still worked on, there were significant blockers or they can be lower-prioritized -- Check new issues labelled with `triage` and prioritize them -- Allow attendees to bring up issues and prioritize them - - Attendees have the chance to briefly present these new issues - -## Idea Backlog - -The backlog contains ideas of what could become part of the roadmap in the future. The list is ordered alphabetically. Therefore, the order does not express the importance or weight of a backlog item. - -We incorporate community feedback into the roadmap. If you think that important points are missing in the backlog, please share your ideas with us. We have a Slack channel. Please check out [metal-stack.io](https://metal-stack.io) for contact information. - -:::danger -By no means this list is a promise of what is being worked on in the near future. It is just a summary of ideas that was agreed on to be "nice to have". It is up to the investors, maintainers and the community to choose topics from this list and to implement them or to remove them from the list. -::: - -- Add metal-stack to [Gardener conformance test grid](https://testgrid.k8s.io/gardener-all) -- Autoscaler for metal control plane components -- CI dashboard and public integration testing -- Improved release and deploy processes (GitOps, [Spinnaker](https://spinnaker.io/), [Flux](https://fluxcd.io/)) -- Machine internet without firewalls -- metal-stack dashboard (UI) -- Offer our metal-stack extensions as enterprise products (accounting, cluster-api, S3) (neither of them will ever be required for running metal-stack, they just add extra value for certain enterprises) -- Partition managed by Kubernetes (with Kubelets joining the control plane cluster) -- Public offering / demo playground diff --git a/versioned_docs/version-v0.21.8/contributing/03-contribution-guideline.md b/versioned_docs/version-v0.21.8/contributing/03-contribution-guideline.md deleted file mode 100644 index 15a73d0d..00000000 --- a/versioned_docs/version-v0.21.8/contributing/03-contribution-guideline.md +++ /dev/null @@ -1,147 +0,0 @@ ---- -slug: /contribution-guideline -title: Contribution Guideline -sidebar_position: 3 ---- - -# Contribution Guideline - -This document describes the way we want to contribute code to the projects of metal-stack, which are hosted on [github.com/metal-stack](https://github.com/metal-stack). - -The document is meant to be understood as a general guideline for contributions, but not as burden to be placed on a developer. Use your best judgment when contributing code. Try to be as clean and precise as possible when writing code and try to make your code as maintainable and understandable as possible for other people. - -Even if it should go without saying, we live an open culture of discussion, in which everybody is welcome to participate. We treat every contribution with respect and objectiveness with the general aim to write software of quality. - -If you want, feel free to propose changes to this document in a pull request. - -## How Can I Contribute? - -Open a Github issue in the project you would like to contribute. Within the issue, your idea can be discussed. It is also possible to directly create a pull request when the set of changes is relatively small. - -When opening an issue please consider the following aspects: - -1. Create a meaningful issue describing the WHY? of your contribution. -1. Try to set appropriate labels to the issue. For example, attach the `triage` label to your issue if you want it to be discussed in the next [planning meeting](./02-planning-meetings.md). It might be useful to attend the meeting if you want to emphasize it being worked on. - -### Pull Requests - -The process described here has several goals: - -- Maintain quality -- Enable a sustainable system to review contributions -- Enable documented and reproducible addition of contributions - -1. Create a repository fork within the context of that issue. Members of the organization may work on the repository directly without a fork, which allows building development artifacts more easily. -1. Develop, document and test your contribution (try not to solve more than one issue in a single pull request). -1. Create a Draft Pull Request to the repository's main branch. -1. Create a meaningful description of the pull request or reference the related issue. The pull request template explains what the content should include, please read it. -1. Ask for merging your contribution by removing the draft marker. Repository maintainers (see [Code Ownership](#code-ownership)) are notified automatically, but you can also reach out to people directly on Slack if you want a review from a specific person. - -## General Objectives - -This section contains language-agnostic topics that all metal-stack projects are trying to follow. - -### Code Ownership - -The code base is owned by the entire team and every member is allowed to contribute changes to any of the projects. This is considered as collective code ownership[^1]. - -As a matter of fact, there are persons in a project, which already have experience with the sources. These are defined directly in the repository's [CODEOWNERS](https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners) file. If you want to merge changes into the master branch, it is advisable to include code owners into the process of discussion and merging. - -### Microservices - -One major ambition of metal-stack is to follow the idea of [microservices](https://en.wikipedia.org/wiki/Microservices). This way, we want to achieve that we can - -- adapt to changes faster than with monolithic architectures, -- be free of restrictions due to certain choices of technology, -- leverage powerful traits of cloud infrastructures (e.g. high-scalability, high-availability, ...). - -### Programming Languages - -We are generally open to write code in any language that fits best to the function of the software. However, we encourage [golang](https://en.wikipedia.org/wiki/Go_(programming_language)) to be the main language of metal-stack as we think that it makes development faster when not establishing too many different languages in our architecture. Reason for this is that we are striving for consistent behavior of the microservices, similar to what has been described for the Twelve-Factor App (see [12 Factor](https://12factor.net/)). We help enforcing unified behavior by allowing a small layer of shared code for every programming language. We will refer to this shared code as "libraries" for the rest of this document. - -### Artifacts - -Artifacts are always produced by a CI process (Github Actions). - -Docker images are published on the Github Container Registry of the metal-stack organization. - -Binary artifacts or OS images can be uploaded to `images.metal-stack.io` if necessary. - -When building Docker images, please consider our build tool [docker-make](https://github.com/fi-ts/docker-make) or the specific [docker-make action](https://github.com/fi-ts/action-docker-make) respectively. - -### APIs - -We are currently making use of [Swagger](https://swagger.io/) when we exposing traditional REST APIs for end-users. This helps us with being technology-agnostic as we can generate clients in almost any language using [go-swagger](https://goswagger.io/). Swagger additionally simplifies the documentation of our APIs. - -Most APIs though are not required to be user-facing but are of technical nature. These are preferred to be implemented using [grpc](https://grpc.io/). - -#### Versioning - -Artifacts are versioned by tagging the respective repository with a tag starting with the letter `v`. After the letter, there stands a valid [semantic version](https://semver.org/). - -### Documentation - -In order to make it easier for others to understand a project, we document general information and usage instructions in a `README.md` in any project. - -In addition to that, we document a microservice in the [docs](https://github.com/metal-stack/docs) repository. The documentation should contain the reasoning why this service exists and why it was being implemented the way it was being implemented. The aim of this procedure is to reduce the time for contributors to comprehend architectural decisions that were made during the process of writing the software and to clarify the general purpose of this service in the entire context of the software. - -## Guidelines - -This chapter describes general guidelines on how to develop and contribute code for a certain programming language. - -### Golang - -Development follows the official guide to: - -- Write clear, idiomatic Go code[^2] -- Learn from mistakes that must not be repeated[^3] -- Apply appropriate names to your artifacts: - - [https://go.dev/talks/2014/names.slide](https://go.dev/talks/2014/names.slide) - - [https://go.dev/blog/package-names](https://go.dev/blog/package-names) - - [https://go.dev/doc/effective_go#names](https://go.dev/doc/effective_go#names) -- Enable others to understand the reasoning of non-trivial code sequences by applying a meaningful documentation. - -#### Development Decisions - -- **Dependency Management** by using Go modules -- **Build and Test Automation** by using [GNU Make](https://man7.org/linux/man-pages/man1/make.1p.html). -- **End-user APIs** should consider using go-swagger and [Go-Restful](https://github.com/emicklei/go-restful) - **Technical APIs** should consider using [grpc](https://grpc.io/) - -#### Libraries - -metal-stack maintains several libraries that you should utilize in your project in order to unify common behavior. Some of these projects are: - -- [metal-go](https://github.com/metal-stack/metal-go) -- [metal-lib](https://github.com/metal-stack/metal-lib) - -#### Error Handling with Generated Swagger Clients - -From the server-side you should ensure that you are returning the common error json struct in case of an error as defined in the `metal-lib/httperrors`. Ensure you are using `go-restful >= v2.9.1` and `go-restful-openapi >= v0.13.1` (allows default responses with error codes other than 200). - -### Documentation - -We want to share knowledge and keep things simple. If things cannot kept simple we want to enable everybody to understand them by: - -- Document in short sentences[^4]. -- Do not explain the HOW (this is already documented by your code and documenting the obvious is considered a defect). -- Explain the WHY. Add a "to" in your documentation line to force yourself to explain the reasonning (e.g. "` to `"). - -### Python - -Development follows the official guide to: - -- Style Guide for Python Code (PEP 8)[^5] - - The use of an IDE like [PyCharm](https://www.jetbrains.com/pycharm/) helps to write compliant code easily -- Consider [setuptools](https://pythonhosted.org/an_example_pypi_project/setuptools.html) for packaging -- If you want to add a Python microservice to the mix, consider [pyinstaller](https://github.com/pyinstaller/pyinstaller) on Alpine to achieve small image sizes - -[^1]: [https://martinfowler.com/bliki/CodeOwnership.html](https://martinfowler.com/bliki/CodeOwnership.html) - -[^2]: [https://go.dev/doc/effective_go](https://go.dev/doc/effective_go) - -[^3]: [https://github.com/golang/go/wiki/CodeReviewComments](https://github.com/golang/go/wiki/CodeReviewComments) - -[^4]: [https://github.com/golang/go/wiki/CodeReviewComments#comment-sentences](https://github.com/golang/go/wiki/CodeReviewComments#comment-sentences) - -[^5]: [https://www.python.org/dev/peps/pep-0008/](https://www.python.org/dev/peps/pep-0008/) diff --git a/versioned_docs/version-v0.21.8/contributing/04-release-flow.md b/versioned_docs/version-v0.21.8/contributing/04-release-flow.md deleted file mode 100644 index 2a6403b7..00000000 --- a/versioned_docs/version-v0.21.8/contributing/04-release-flow.md +++ /dev/null @@ -1,107 +0,0 @@ ---- -slug: /release-flow -title: Release Flow -sidebar_position: 4 ---- - -# Releases - -The metal-stack contains of many microservices that depend on each other. The automated release flow is there to ensure that all components work together flawlessly for every metal-stack release. - -Releases and integration tests are published through our [release repository](https://github.com/metal-stack/releases). You can also find the [release notes](https://github.com/metal-stack/releases/releases) for this metal-stack version in there. The release notes contain information about new features, upgrade paths and bug fixes. - -If you want, you can sign up at our Slack channel where we are announcing every new release. Often, we provide additional information for metal-stack administrators and adopters at this place, too. - -This document is intended for developers, especially maintainers of metal-stack projects. - -## Release Flow - -The following diagram attempts to describe our current release flow: - -![](release_flow.svg) - -A release is created in the following way: - -- Individual repository maintainers within the metal-stack GitHub Organization can publish a release of their component. -- This release is automatically pushed to the `develop` branch of the release repository by the metal-robot. -- A push triggers a virtual release integration test using the mini-lab environment. This setup launches metal-stack with the `sonic` and `gardener` flavors to validate the different Ansible roles and execute basic operations across the metal-stack layer. -- To contribute components that are not directly part of the release vector, a pull request must be made against the `develop` branch of the release repository. Release maintainers may push directly to the `develop` branch. -- The release maintainers can `/freeze` the `develop` branch, effectively stopping the metal-robot from pushing component releases to this branch. -- The `develop` branch is tagged by a release maintainer with a `-rc.x` suffix to create a __release candidate__. -- The release candidate must pass a large integration test suite on a real environment, which is currently run by FI-TS. It tests the entire machine provisioning engine including the integration with Gardener, the deployment, metal-images and Kubernetes conformance tests. -- If the integration tests pass, the PR of the `develop` branch must be approved by at least two release maintainers. -- A release is created via GitHub releases, including all release notes, with a tag on the `main` branch. - -## FAQ - -**Question: I need PR #xyz to go into the release, why did you not include it?** - -Answer: It's not on purpose if we miss a PR to be included into a metal-stack release. Please use the pending pull request from `develop` into `master` as soon as it is open and comment which pull request you want to have included into the release. Also consider attending our planning meetings or contact us in our Slack channel if you have urgent requirements that need to be dealt with. - -**Question: Who is responsible for the releases? Who can freeze a release?** - -Answer: Every repository in metal-stack has a `CODEOWNERS` file pointing to a maintainer team. This is also true for the releases repository. Only release repository maintainers are allowed to `/freeze` a release (meaning the metal-robot does not automatically append new component releases to the release vector anymore). - -**Question: I can't push to the `develop` branch of this repository? How can I request changes to the release vector?** - -Answer: Most changes are automatically integrated by the metal-robot. For manually managed components, please raise a pull request against the `develop` branch. Only release maintainers are allowed to push to `develop` as otherwise it would be possible to mess up the release pipeline. - -**Question: What requirements need to be fulfilled to add a repository to the release vector?** - -Please see the section below named [Requirements for Release Vector Repositories](#requirements-for-release-vector-repositories). - -### Requirements for Release Vector Repositories - -Before adding a repository in the metal-stack org to the releases repository, it is advised for the maintainer to fulfill the following points: - -- The following files should be present at the repository root: - - [CODEOWNERS](https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners) - - When a repository is created, the metal-robot automatically creates a -maintainers team in our GitHub org. - - The CODEOWNERS file should reference this team. - - The team should contain at least two maintainers. - - `LICENSE` - - This usually should be MIT with "metal-stack" as authors. - - `CONTRIBUTING.md` - - This should contain the following content: - ``` - # Contributing - - Please check out the [contributing section](https://docs.metal-stack.io/stable/development/contributing/) in our [docs](https://docs.metal-stack.io/). - ``` - - `README.md` -- The `developers-core` team should be given repository access with `write` role, the codeowners team should have the `maintain` role -- Release artifacts should have an SPDX-formatted SBOM attached. - - For container images these are embedded using Buildx. -- The following branch protection rules should be set: - - The mainline should be protected. - - A pull request should be required before merging (required by at least one code owner). - - Status checks should be required to pass. - - Force push should not be allowed on this branch. -- One person from the releases maintainers has to add the repository to the metal-robot in order to pick up the releases, add them to the release vector and generate release notes. - -### How-To Release a Project - -[release-drafter](https://github.com/release-drafter/release-drafter) is preferred in order to generate release notes from merged PRs for your projects. It should be triggered for pushes on your main branch. - -The draft is then used to create a project release. The release has to be published through the GitHub UI as demonstrated in the screenshot below. - -**Tagging the repository is not enough as repository tagging does not associate your release notes to your release!** - -![](release.png) - -Some further remarks: - -- Use semver versions with `v` prefix for your tags -- Name your release after your release tag -- The metal-robot only picks up lines from your release notes that start with `-` or `*` (unordered list items) and appends them to the according section in the aggregated release draft -- A tag created through a GitHub UI release does not trigger a `push` event . This means, your pipeline will not start to run with the `push` trigger when publishing through the UI. - - Instead, use the `published` [release event trigger](https://docs.github.com/en/actions/reference/events-that-trigger-workflows#release) for your actions: - - ```yaml - on: - release: - types: - - published - ``` -- In case they are necessary, please do not forget to include `NOTEWORTHY`, `ACTIONS_REQUIRED` or `BREAKING_CHANGE` sections into releases. More information on those release draft sections can be read in a pull request template. diff --git a/versioned_docs/version-v0.21.8/contributing/05-community.md b/versioned_docs/version-v0.21.8/contributing/05-community.md deleted file mode 100644 index 61eaf099..00000000 --- a/versioned_docs/version-v0.21.8/contributing/05-community.md +++ /dev/null @@ -1,11 +0,0 @@ ---- -slug: /community -title: Community -sidebar_position: 5 -draft: true ---- - -# Community - -(Slack channel, community events like FOSDEM, Kubernetes Community Days..., blog -articles) diff --git a/versioned_docs/version-v0.21.8/contributing/release.png b/versioned_docs/version-v0.21.8/contributing/release.png deleted file mode 100644 index 598b118221b61d55a2de4b4c1841cc6416892b6e..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 87019 zcmdqIg;yL)^Z1>R0Kr3W4<6iImY@NGyR*2vYX}xRxVr~;*TvnP#ogWE-7C5GKIi=Y zf$w|HEN9M8)6-L3RbAEd=^$BYF(i0g_*bu9A&GwxmVfmM3IzG7zJq~W38XvdeD&(% zD{;88uCkwW;aCVIm4cDEKIbCixj+Bav2LwExc^$4Ro;aAmZjhZs}a_(3Jw(Tz zm@b;i9M7IkH-kMp!L;cdgg18}UB;iKGe47(!b7Uw)UwY&mr&*K|J&$Kk&j}Xr$?XI z9P@RErAn}@R)_774{_C)S5$YAV6w6{Y;2vn76zDCVl?2X{~fSx_{}fagbhr7M}Y1m zjX0<#@8QbpLqa8LooSh(X;i%QAMt_at<-hs%D*i^;O!7F{S;x z)eHfIO>pu^lNAjOSz}xOHL_8Jw z`nq#L?cDgtwdMt8dHR1uI_ZBJcb1o>6VyoZs}9hRs|}{lD!@s(J-)M#gtrQ%M-aN% zIZD17LIP1m*4^IMAtZWE)`QDzQT5yN6_vD$R5$&v)DkJqIt#W0|9O=LGDxGRO;?YJ zvTFUoI#E*SR>w1l#Rn3j5v8Zbm%ajzr(bOP_qAyY;7iy=!8`7sc=#hPMZ&0OX?NPK zSmKl=gX{Z)bVi}f;)d@0q=iIRk9Ga66ZfZzRap;&B+^s|^H)B1o=z_INB;B7JE4y< z{%dJzdk$bsd!165I(hUKoQ}co4>517m&-Wq2IC zbZR(oA``p%)9!RW@l6TJPvHobjmgiZ8(g)PUfm0;scQP#2dI1fS}o7UovAt;e}ZT1K|f61C5=><46y}*!l^BqF^t7K zp)FldM0Bv6`4UE>BaQ$0i7Y=~s%W=F=~Vg1szEcx;v&z*^W$QUM!_6MF5(6h!(^>H z&ImzMf9ar^nWBCE7dK{idc%b2scq@#z7GNBY({6T`sns`z?Y9 z1_e8n^dfQ#mHd@d602F)Vp*GCYOFt3w`ga%nr3CyKeGovdS51^#q)$&4;SbrPy7>Y zOfiv4oW8qN<&z#v?yvf)OdkR*4zUc`Pmn3fAjhnN>Zs%K7vp6U;Wi6%Fpm9`;zA74l`B zbQ1p0LYj@Q#oRG!esPXxr(xx{AsLNCP#LjZDKM1887BD!f3{3M7j26$Idj9Y@~BE{ zUpZ2nFTy=RQ6J@i^Cd#rsJ7O~b9y9FcZA`fPv01O=ELVtAE~e;O1|ztrjRT$ zRFSww`zvC-M(rzu;zAD?)=@uNW3=eHyma2|`be}d)goFM%Lb657p*c?X^6JUP~syJ zd=95rSQ%zzUNSP~Z5#O{-m9ikpO%piB(R<+>s{Aej<|8KMdVHCD=Kp-&km%l3Dn9m zmGo`};Pe10xFwYBj9o2h+=wJMLc&Lyd2ZOLV4#IG?kXR?a1ycJ81_EPTIJ!o)C6E{ z4D6X!aV->Id*wv}H(22|`pT07wjGlyOjekn@UJ{rD^ZM(z(&2*n9T}p2zWOqy`vPV zgh%S~jgz$epQ8IBn7|I^r_A@E!eHx(*dv|eZmGm4R$5Y!5nI(E?eF>JCkpiWS8T5* zBy06XBgSKsN6(({;SgDV@*qCt0-*evxA_^L)n=d9o(x=54DjSkU?O7Z z9i2`hx+x~HIk>5Jy=OKukTH@;lsW*~Q>C4vRm~oPid-EvOO6yVgQ-)7!9W{39;ObM1#Mh0c9x7sZf@I~gY_A7; z7p{T?jvUh0saO+x!>=aC^PVu^CttR$n58;3ndWtVPp2Q-;2_f}yLXbXmoH0xvkV_| z%5cb|mjMC-I{};j)%rAeE!(!GLfPnI^<_>;65)6a}T9 zkUy1n+W*Y0%_Kibf%T7L-d`l#AN6A{B(`)Exzg@4@fd!6i)aY8 z!oB1P-^&L&oAYNd#wcRUf__gj=(2y@BU)4-Ove|uysjyWyFhyogCX1hQlK0rUu%KC z8oxthsq-*VhkT}DpUEjpOU|b5KMg*T z{mce(0zQ9H`}gGp-omGU^IPkj-Imw?EeHuHK21;`0&;2oO~k*wLsx$d2lB7o%U%Ch zl^_3*LixWd#q}XzV?7!Y`?F|%N0UDd)K&eDgfgwP0$uvIvHv-N9>agZjw}7gh9M`i zCJ-~mTF8qJ{wKkJr~@L!|Nko~J6^;C*8W|`y>FRgB$D0#wI4fW0aIX@e=cbTPZSa!0AO)?2*Ax_=;lInQFi(m-gjU)e6ZzS zPk!#EcHwr{b$-`Uico22)#^N8zI%5iSAjlwcdgnn~nT{6q++6X)H*jGg?S?q~>f+SC>ri2W*T>(DF5c^$(^7_V6n1tb7jB)=<;GP3F z2??pK{luz?wf4t2#*~*u9kYMDO7HiI({X&)`=r+S@SI~;1%FM%)9V)q+&T=(w!Cib z88e;o6X{w%+VRajca0^v;4KWY?J~DKwSTaVFmCuIUDhjjxBLCTQQZn0lx@H?x^w(U zYuM^s%ueb*#!1)hk&=GzV7rF8y6IDt+O3dI$^$D3h69aE!on66r+@Rc@?S?=6?3yd zH#1k^#jl(_skE2c;FojmEI&K#IHR&sbXj7X>W34~Ej+!c9<2;HyRrhFdFZ?~6^H98 zEIG9wy~q85jL^HVjApJy9oY{b?841kSx;OibV|P-kt=d7MtGe1>DK8}n#f~$|9olW za$d|6MBV2V0s*)mCR1!|z3x|3?&|L&Xx-G+ad)%NRj}Eell|%$f<9 z`p6fygWG7+k&8uNra8FE3*0d?5LWQlWd_E#Qkh@ox9@XIL}3Vxjzg_@dsoi#%;|C1 zQnCnoCf1eGEiQQoqTNv_7K-4bd#{LhmkiCC)gpH=V7=zAa2B%%DqPw%=0AnpHIc1w zi`}@cRO;X9c9v;%Wqwghu_SujmO(~YZ+T9>wK^dy9s+oV6QQ2p*aldJ=-(_|8)-=v zNpCL=qyLJ(FuLo4n`6fpjHs)e1RH5l4313RBX3`=U6`nXk2_Wl9ILHo(z$q4P`&gx zP`zqQuaagbbv9AOMsPVp<6(yKOmmAnuGHv1c-&Ju=~NlIG{tkh?BEP27D=n`D!EC$ zM3tDs^3Ar|-LERoEPd(>&aA0KckL(##vE|?t2n64T}P0UF1DQipf=qF7gJ8omQb{V zdYY;6E*;FLBgWH9aw-=u+(eR9-p*^h70y_FX8=Gv7=P;zS$k_2^dIO&$fdsE`?R&G zqS~ee8+&Ds&&sqL1USVQ89o5mjY&R@mhEa%>mIzU5Q8(MN!M26RomoHG+x9|q#v8u z5Ja%O>L<)8!bCNiP@Yx>5gRhG+Ok*nlP!|Qew5d*d{=v#v}0tbcK8SukmC?-rl(;?&}uErzXQ9&tMwlkfW6;uN_$k zDXMag!`;QV?+@NaQLN|}% zC3QVHP*xB?fiqW>)XZ=kL?;i~*ZbAz-vzVU2jbR6S{feIJ!P$Z!!t4%C#KwZJ(_Ku ztJ$A4)a^(FpB{z`h;=T~+Sx z{r&`V{Aa0(Tvq+cGOE{`HRsMCnUVJ8Uc6CnPYvK$AzYYrcZa-~umk*Yt9Cul!q2oA zfyxeC6iPfs?02nb{@$nzM%bX!vH6&)a3N!$Q2#pk(-k*&Lg%SOGaH;qNs3KHjX-qT z!0_r9TFWCU?MV|bEDRXpKz>qb6eli!}no(k3lGIVFz;^K7xKWa!*kp zE=kO; zq6-y0?OSp_Y_@xt?xi{$2%0kdiYJDt3-e zj}?;(YMRanr}l#8?wAoN1Cjw!>uFs{;@M*}$L;{cK&|`ma5NN!onf=vg`CQ*Ii>K! z#NGz2LC!oEUt32l6RRN_B96N3A0P|g{jk~l`k+_)XR%VxgJkF^?Q1p z4yWdBBbr~PrvNzh*C-PAO_SbVte@vwe=vYj3l*jVmlu&)Z0CDFmAwoU^qZS5H4uQW zarxC=_{(1LjOE$MKenbIKY<7`>i z!>rMKfg3G8TbhP6hD%F5fezsV;Y}TPrAzw@vv2BWnRH}d>;^YDLjs3tb8zxNY9MpT z#vr~r>KBs+_Lz51NwENmvEvpA{1tb~i6+ytegLEd593Owz3e@(j|h0{D;IF$H^ z3J~RDuJ?wuI@aix5kGFev%?V_ef}D%L#G^W))!7rWY5|ceq)Xfys6C&Rb@=(kmOI8 ziN-ubL29JS-PS0R>luu?YVtB#JeFzjJY_-7RWa5snleUtb6nq|VX?_L5I1a*O%RV@Xm)lj zB=?EPLnA9ZSGy%M#{0riyJWNXdK87pZ5+yMA#l>B3n+bz8wURd%^h*GMI6DlxjY^f zZ&dyzRi#1_d2P&9zeTj__PEc+KY=LWDVxq5RwZ8~u#nYk^1ap}fwbmKrL%~R8~cHe z{hdmoatSNt4dG_0&&FMOEdcF4%*U=w0ZhOTxaCOZ8157ykj}oIG@Yy=7q2TT-i#7t)!f)7wR?JIki(^`F%lAUGP?1&_KH`d`8u5f62_8wq}G8x-Vu=S z^%!1T^|IPTM_M5u8J|bQ?73mq8D0umDfQWk-mAQ1xTYmCz^w=hmh2fk`uuL98|I=- zn&$R?6>)*%U@#{3!ZkO6h6)Z&m4{pZYAio*uHap{bML%pKOnH~bPqsSOfb9qS+(Vq z=4j`!Gl&i(hkJ>5uoTZtY9!D1gt)AtwYs?-nWwY4Mx4p%;-YV!yW00F;%>5pcyb{w z%hH#hcCG;#MT*n$p?KrLQ=!sBDkU;XKsfk=H;Oy6AcKPSDt+rRhyQSN?|X%8JpCjk zK?1ut7*b?g11anM+JuocG)Y^fj#}udyXjJ=IMWY-aU-OS67JlJL%Qv~E79oLh7Z5M zh^7EPAPv8s@B=aJd`-Z5sdCp6r^sN?%IVQ|+Egh^(y~rz$0GQ<6bnV7M#;PJL+4$gyckgRN+)7doEi&oKj_Y_R&O9n?!cSFy5~8vuvD>gA97(utKRaSEmbBj+B8eiiS1Ze=hL+Lw#4b#Csn4bQqv@1i!14` zW(tXZ<%7)t3kHDI@vyrTMa53Ld`fYQ=ED^uT0~xzxluA~ChIv7c)va_z4iX>Mp(Id zekkdYcS`}LitnM z9+k73Bmt|Ky}o2Pu{l(QxNcvtNPJpXJYXfGgNI@HB_q;nhc--RTo{IWJnjar%06Hc=pTsjKT zm*LlFCU-{SQ-xH!v`2Fs-ng@mc#N5nQs{0-;yCb{1cV+Nc4xO(Z=X#^@8#G`$8^aw zP|7-%*)O7H)lXMgu^Z$0k||cLtVJ9wpa_pqJn^!_b7y!!b1p7)L|mdLCk%#1G)n?_|^F>|%IUf9x_JXl(} zC^jW~GM7UY1-OWUu6GFXbmr@m&yG`AqZ#(}{v~B^fTRKIOrFH|7qH@AseOBSwBLr! zOSiAD$*|Jo0OvTFH5dHst&_TZWJ2u&t}ZR6!z#>`(Ht!ZdeO^Rvh^LWt?pBh9%M4h zZF6>hf?3_OyF68omKh(9BDsVgFDO|6U{RCiB$fRs!}HZ`RRHTxd%GQ@IKujGZDlk` z39`%*vxXqQyqi(SyFlMiaC+x6G{IM$bb3Oj&~MTkUx6-D9b`@;=7CUe7ULOqLRN&% z&g_V{uh}Fxh`K_N4Iu*0BaSX$B+$xHvf#Ggw;{UC^c8God#tq9<2jn@M-L^?&4Y2d z=>Ya&5>lo@7>P+Xy+YfI^mXa3a0}tV-QF0jLdLV}j=EDz7}`g~{$*E|UK7(QNSk z->a(~L`Rc_hV@X)2pu;_Cbum&jSS#1%pN25vKN>t#E43Fd2OrYlB|Axm6~Pp?tkaT zj`zcQo;eSNK-9dY1U7y6L?#`p9jx zS3j=GhW|NG{)`o`B3?fkcCv8;(djrX;z`J}6FtECwnEQED^4cq$I*kYlzl)niItr7 zstbU@)c#B6rp1W0lDWQ65}w=v%BR-4hiS3larda zDkh_In6ZR+qEUoyaiZCk0c)aYn7ZC)A0-*wE6o%=Who~!I%L@ipF>AQjYn|8m$-a~ zcdBo>jcesZ-MB%bxVrDM<9qg%9=ud%|Lu$bS-9%FL3O0_Nf{# z5rPnU9c)SN?Lbh*tWD91aBvB77pMJ5y@(XP?{dcc+=F^lvnT38REezid`PQ0k0$j) z)bk=-)=jG5)}F*YQU0k`Ej~Ry32`A}+KCGqs}s-bkO00QKM$OMbVJh`F{$X?rhST= zPMflsWt=8A47pzZje>Qgyz0VGY16RS2?38e%OoeAuJMf!+r~xN9@7ujj_M;EVn&(b z;=TRjm{OuJKG{9;jf>a|ZTso-@9qtfrtrE3T8gOFExI}I;wqU~KT2XFKODd|(%vU; z;K3w{1_XMK#V>$Z!~(b27y zA+@|O6YComH>51Pm%?hd?vRARd=uXNS1Tv!{o7Rf<(B+@(q+p?peH9A8%v%2+B8r+ zCFX|3>qS5sh=IMP5-gA}mE{;1QLvxC?Q2SOc9SRb<(j^GPn7}l$~8#z1jT3?T!Zdd zNk)ImkQB~4aHH`cTh{RwnNTCBg$WT>n!H(J$J-yc(Ra!WNmS}P2057@t#%@~?zTwq z>2zm1xinABzsCOX)uf+@u`MY|S~s_ophiY^Qrp(+rOaJlHwjeEHkvL@%$eSW*C}bw z-ul$oVwsYs_mPSV36@7PiDQ3oeYuEgEu)i@h*znkS2=TSIZuDyn*p(mF<>n&)GF%E zXP|!h?tzntwsENc%2(>Mn?(BSW@ZD-VVWk!=0#nw*)#G=pj)Mj>=7-)03;<{Y4V|` zI>$W00iDKaPg(MY`HID@n-mI{&Hl_(&@;YT-4@ixE?xFSXv0r5hwn=tO%$9O)N-NQ zCTl{YKJWjgUVuhYFzo>&CPT{-hKO~-8h2b1k`)BEeS}POF}()uaXZ#`dc{moh}sar zSE!`Mn}G}?#jW$?k?3sJ;K)SK8|;zGD2I(8 zf==21p-6!~F-i%4x?M<&d&%~Y%|J0MZ6YoDjC>3#zg0Do4QTn7N%T~+>$Yq&*Ef2F(6;p*A z-;cy*);BWNA2Ww(ZwG^7mj~so`v_Z~^hl^LFU@D8uZie5!VtYLqk~iJ7ZdjvOVq3b zN;JFs@ANDE)*Q1T$i$SWg#0>*>7)}$5lV@!*@O01ow{H>LUv95NSuJ3>gybZRa5C= zyl?WE0?~27odakUxs$DUmHeL(8Z_gFL;92_5YKQgDY9|P4I}9-*yDx6Y^h4t* z-rEQ@iO6Y$AIW@hfpXCmUnIH)RuDWru%LE?dzTbA-X4Kqu5aZL?6T`s zrr3H`_U7#p!6)^20a(yk@;SCeCx}opZ@+WLCG+Je=pFb*uGP!r>B%`WN-OdGNaY~h z;(3w+&Yjx1r_i{evF9)xPsZzQAriO1t~S_EX>xwm)7xtz1uec)~eoi%y#&=4UxzXC#jjLE{@|MTK>wMv++bMe5xGkT2tA6wNN(WZ; zVb2Z5v-u}(_wjOnL9TT&SkZFD_f-g|7q@33KuF1>*5`M&8;S&%j{Auyxy;_1q7AS+WIL7B=$ zg`ufa@p+C#D+~v5T$8sVazX5D&3D^@lO9*guvrFJ>0Kv@G;1vQFH2(D(N098;Hj*I zAZdIW&!O}M-)t`jcAl2D7y22(f!rvrcSAH%**(VA37S(`EJJ~}CAE`#b2UiTakd5{ zVt5I4ws74wbtYhAa-jg{4r(U9tq1yY_hlE06AJbgiZJcvo^$2J+L*IyqlX1LR&1uk z*?QrfJuz&)96Is37htb-zlFv`I@&>8`BfI1r+V8!dT$$9#b(o2GZp_vnRg&!Z-V@z z`lrkN=`_7s@genl4EJmLu4U1Ff3zl3fFmH;xh!iz==F+f*}=-8{%W52SKOKKDjpTE zj?}srHki$4S|Q(NJdfnaEPk!;S}VqUI{w&^(1QmE4=UN2%-n%(mLCdEv}do<>$N-d z^~wQ-Mt{WtN7(~j+DAxdIX&!f(vk6p0CD8IvxW3K()gQEPesMpcWI_wC1D&`D zPvkrZ!XTZ5TdH#o)}{k{^D4d`vji|-X`IS`BYoho&erQCHfdYwqTBh!>QRE7-^M>e zSI40?chbRo`v7#Ypi^(24P^Iy7;BcJ!!P-GK0)O+#6NP%A2vqehgyFvc72ivdNO_N zVbp8_u&LK(&M%Uyad~4L|P)aI3Mml$7Z|aIo#9Th`D;}1qGBIRwk1k4l0-{ zMk+(EG2E&o2-RYZkbiro9WN3}u##HfEnVex!%)0X_j={W%5K{^J`dn1nlc{SW8E76 zj~MZB7J3LCWO?sf$FN)TDV5iTXbP+86-QQ{Ob2jRRepw6w8ZI^Bh)YWnlm${)G_g@ zj*d5$DKIZwq(73l;e6ehVn)(TWL|z~<$umO){40K&Q(Ag+f|}1d`?G4?M^dcE%LtH zZR9BusCCNqJ>R;sF$Q4JrMFmsg*l6yQ8oj!6U&YvDp3}&Tg_0YFYVOym->5{Be%s`gE9dx;ar&7A6 z^9wzx{@pryI0Tra-0VRb(Lw4S=}z6B9$32_TY}w4ecUPYQz#T~Kpcy!Ip0_;3DhB_Bk-f{z6=w0N$k^$0NgPXixy_R;1DQ)G% zm2bc(%C=zQn7sRt)p>h&>F6ODlV=8p_565%Ye*AMxxP&o98cqKJ9fHohv1j1an`27 z(ss^a)l;VH{cvSHMePoDDS>h>)e_O)2}&k`%S~n=yjIST+UX24p^l@|YutE=*BMRP z=4#XI@$GYvl(^?jV6fyh_AtO+Go>DYb;+9j#pQj+jxi9=UXp938NRjPFR2L^oGW}c zp~zU;Z82uIruQC$I)-%^E*J^nv*k|E=yKUm*v{8rxSgpxo@V*%g{Q6Q&}2_&Upi^eUa3pu059cAn|GWS`Re|EJqgT zpoDUs6nJvZ3+R=pv?!Hfs}>14^H)?sZX#P$hoV z@OaUq#FA5 zU{?)e117q$WMDD4OBSY(V+Zejw0pblu^MpV1kNfA3ly0TqKtbOmn?39>_ZlV^F^pJ zMe0FOtk|%(p-e>$TmjZh-MfW`)DHH`_q6a!I}29?WY) z$tYY5iN-M4))8g0UeU9~#G<)I*E98+3Dsxwpru`&jz?SmA6Z)iYoZ^J`MYIvd(q;pIHNPNh|oh>#y3rg!tYHrAkTeFfopU0l_aK`DpuQirY1w} z_?*&$?KjYoXvPrBQG#yo%>ovm);*Jo?K7gbt1qJwMlM9@gjnlt$TC$1>JFq+u+^W%v2J3-TvuQg^{ zwpA*&Pv?%oaqO-97zSiLAM~i}5Y!#1^JR3%xYcB~eqnstj=g)$O>&EAOdlZMtjSe8 z9pn=K$tRW~h{idpP<4T0);m+;^&g+U^95@2#SN<5U}|t4o+TYe01v59G=M}$$v03 z=r9m2?4>RC!W8=%(>P+?KXX)q;9o#!wE+%0U%V@ybA3DMPM3K8BNsU|#yBT`^U@@m z?w@$f(~5oMNva@_k+1jU4#F6&-?q^xOhjaDJ0^G- zbg;I4#Yj6z2H%UIY)17P-#YbxU?DNYK-`oR&+;nwa=*Qc7KvxBWc3mX=5yrkC%Uf( zEym7+SCMPRYU*@Nv47GEe?KhaBfLRDjh~25Nh(4(GI9Ye9m29*7;Z^iObmL|hmF&# zDSh*cF*BiglS@q$5M(&;O30cZ8umnm4+=F+xKaBW+i7tykKBszM z>!he>X!soH^T&Cy z5Y%|6Jlwy8&wHPI)V@DenU*)diT&Sy>=6GA3Pl*j*#G;ckit6*($4?0GizNxh-@7$ zgfe9@-^mvG{Zgd(9uGpZx-jN%R6;7$M3kT3(w-qt0(kL$w#NWMyl<& z|NH!x_hY8hIk`EjtJ-`T(hw>O$&F21t_^r{= zlQuow@bmq2^kSK9MU2;7&P`tPGwP?Zcp2@D`4`o*oYn*aNq>2Ne}95c$499xyeS|c zr@Q~pmj8LqlA_OBa5OzIEQ;T=bmfA`-JT6zybck%Y^r2c!6m-r)) zQ-;+S{XZ5d{C}&fcC3i`IeC#OQ31;NgJF#rN#@k(@Wpg=woY~exs@)NS2JccU0pp< zNpayF8L+;40Cb}`lBV81FPQ+g!7rHtx$O|3h|rACllrCdZx#f8CvMQKr7Vs~zLGn$$f`B~NFZ5kn=s+yW%ZI#8H zMEjicr5oSb+1aiGw}+>PY{G*$h0e4p{BL+w4cd+j5l_rdVUpR#&Q5@;O-)BNoh5vt zr<-!^;3(X-nlryHxz6|W?3z7{b|CHrI!j-#ysoCZUtILZg}1o`(qBeUNdtkeIeDqs zFKFCDupVMPooKXv-bj9x=op#7)xbNzFEJ7gNZOrKZRX{(zvQ+%$D-85#|aM&%~2gE zVK~mRBmdhN`V9Y|pq)FjPaT{+iL;{{4&!&|(=%su#|~^A$_K|QbMx{dOO-cvSAS;D zMn<=(`edx?O2mG8)?=Vn`Fmf3k0v@qX@^^DaUs*x&G8WEI0!czRI z633>O9j1y!{maS&AXaMeaVuXdjU2IPa&kPot7p5PV>LIA-xGU8wkSyEOBZMuBP1|y zLb$gJs2S1;(&GQJrJNqkn4)oRr}bygeU?5z_Ko0&#Rnd+OjD7P68KMipc(8P<(V<9 zQGGnvrb|`!70vG*7{J}qKPG0Of1StisoZ4=c~tRyiBC0qI%_hCiP>W8Z19Y)c;4%+ zBqd6*Lt$4Q)!vNtyDJ@&T`QZ-hH(RWaPPoU&l;ML~oh6G%ipAHL=biY)ga$JJ z^0jh-rH5Lj2`2bDPAyz2ytO;#46ULV?C<&p%wVI{UK|PZ4ZpId{Hgitb&JMS&xD|l zV4*;ATs!3?rEJBrOH!-+Wu&MKUI2(ROSO5OCE)r*e03e;?MQ-&I-cu%QdkU?Qp#NY zTX}i;z4;oUxPxQ07q~Xs+*`jng}4bl7M7lxft4GW88U`UACon!Ry~Pk} zM+gQ)R-A?ouV>zvS<*hidI-00G;6cy%*UBI-QYVx_0n8N2nyV>5e@ zaJppFm5brIhd~p;GTTg0*Onxl-7-F++Xpyu^9{~etoD?AG@Ehpzb;8i8u8v6aGbH6 zw^A>vSD6iup}*Tru3!KDV${?e;2dfcsRF<2_M4v(MWbM*x;z*6z*A z_;4X#+ec?f2Y2l~4Bkn=%8*#;2xV91d+h1G)oGK6QvcjwXZV$fI&`Pi^$8b_%B(pg zu6>s7LKGBJ|HUdmSPy6^wl_g8ODW9wYxLuSRBG>Htb|_XtliVTl02&fltgS-_Xxa} z882#~1hd}Bs&WqEh!a;`Ose17&W(Bu%irUK;)4$ll7Sed33#7qOcdQ{siyqdX!YA%Ycd#3O`b6}v7ARBI?)ZX` zm2tCk;?{YlKyAK&3a3eCLX4I)CxbckcM9@}yzZ}wMiZlQEoUs2g4@ba!uH!9=2T=f zPt}Yp9yhG8XDS`86_<*pIz~VDJ~Mb5?+=NaSf}cZ%n*GdSe1FApsRPYK-!sTb}5NL z@J`_p3zo#lyDsj{Bfl8GSI$nU!w8IcYR|AmtAAR2UF+c)CT*E4$Jg%DKoh}is;5Jk zCem_{-HMN3pKW!7`*_-IJcsF>D53NV)o%Yi)fV@MxjMokikq#!KH zAvEn(?a~ayGDx1ZzMJ=DeNU@Wbp$je^}anK+hxyD5(t6~D_c@(ViO+y_8I;^nW?=lYp+|6ls zJFv;eFOXIIwx?QmCWRS-eASwJ+C(<=WHDa!qZ861azwnSyNqeDs1)z#ta#)h75W}QUjY}zfbB|tqYW6 z>8r=+u1_$)rSOiic6w~zVvc%tZ553U{s6}i7?2k@Y@?ozu!sMec7_M25 zc<^T<*kZM24pMsC*bJNKb%M&BuLN@aQW3=7s~Ns02wutAc_f-^HefEjRwg6QT|G3B z?9HP~s5*Fc30n@mv@$>T_IRcuI~=HUc<#RiBC5;cP`rdXsrUF?hi2QsqlANh;1hZgu4*lBaUjo7RC90v~ZHdN8&z^%a>K7LA` z=Wd{}qBEMj4%4FmyT0L(Z9RccQhB;Ta^-Ghv+gS%MiC7NdoZ8gBO@oTFy6ATa$_@4 zK7n~DON4j89yy*c3oziW!|zU7CYo$DRB<|5^bg~Ym22Tv$XwJ^hv{OpRAG#4_!aS+ z1xODcmHSdTt(@ zqeIgLq-3$6&?;Kq4?{zlCFABFu$i9GFo)6ua-jqnJO-1}CvmhFedN*!Grrma6n@Se zRNpF>3Jt0dB-S3QU_KjT6AH)=6JHi6q_wrGgBC)bX$h8o8Mfzb`Cpk>?eTFl{3LszP%IsCFc%S3sLh;*V)_`&?OWWIqLqe zCbNgGxRJIFt~106-v=BA86Pb1zud*?^BPU=XmDL`!S#d@_Dd>Nf&CIvZ)o5^^Kwz1 ze`QGUQ39m_KwtJ$6m{oKkaids?qTou*I~DwHy%#C%EaZP54vMxg|7BSR`Zfn`Q9sJ zv5p3uZ1g|4Af9ijsiO%0QCm_7F}QOAZ1ZMalX( z7Q)<}7<%coQ?-?1suGWPSI3M`gAdEu{VdWCwa!xo$RP0Y6Eg+v*#nF^iu?1pI=3xQ z0@v!3y&0Wn4Y$MgLMJjvZO%XKUndInhuYtO%0DM}%rPk>yywJHiT&OdZf&IVlTu$D z-FQ6;jW&TDdjnlZN)#6+772$bz6v$qAzINs!IXM*g>trX`#TdN2ie|0ghRr^8y+mD zoX`2DDV)u(HFAAKvbnR1*n)^pFod$JyGJC%?Jkwnow2(|e4F-WYhz6f=1334)MdE( z;?qYt!d@BYP-K=@Qm$QE1snzKTu}M}v$L7r2m1SO?A)AK%U9;pLdqQJ%J@GEM}ZDh zNFw&Q3E92-E}|r@Z^_d8^lZkn`OrLso&5VX!GnCABc;6c^N5lmx$@V&jx8eoo$P2g zcIksoYq8q1hcH#-<0Xlb?W41EdWrOKB%GOSmS2@ME-l3zu(j5i(rpcwZVcZ>hMSnY z2bGtqAxTeTM4x#+7lxtCM$%TnN+ZvfXB8lyxs0QQOR`8r>n`#01G0E;=FRYtXl>%ai%;VoD5tUSm}>_vG=a+3{8( zmd;Y`kF2}6^sxt%<<-I6y@Cl`#cc41hc6byvv3)1wqhe`d@?CQhIv=Ty~ZK@f;h6i z10n>F&!DzR*ZAV%i>jid+A^V1|U$Twri;7?;cs$I)sgX@Zk zN|Kzjo-$Ak-llKdmmK)1E9t57p%_^|`5qtPMtyMe8Eu2pn_b{S+?xxn4CBwSPriY} zUm&QPRX;Pc<>A+<^IuE%5RDwupGO9bE&#|80Yw@341X@O{9Ji!_X*M1I?2zJjD;>z zBeNpUu;$njhwALn@fs>FTwAe3b%FJSnUp-PT=>)RfvCeSot^^gr_c@Ko)<;-7<%ou z8=qEVCF9?Ph*M;IRSSM_%@PXz+Rnw-qUEGM~XcrBjFR6_cVJv8Hpa zYu*k;#6y8=vP)`^oI#6DF|w;*Rc}>{Ze3nndrpu8ZrIB3NRjZ8M0L~5FnQ=QD11Ur z;X<7jLIJycXp)YW7Pg@F0w+afs$CY$R+3G_0jV>7N#^kJ!2dpAJMcW zVP(ZHwix$M2M(@KQ#iR}`AUP1G&sb+jIR^D{}xzf8yw)nQ)m6Nv^?LhjR%N&cAI!V z?n_6^{I;cqvh;c;hqCuWv{g`BAgP-pbscFGmE2TF*Dg;=gUy?^4_j1Q8}0s*98^lB z_(74xnk}{nc*Zi+%AW#LW1+?6Iy9Rxq+;WXfVrcq>j11jsQ5fV5szhp@q9`7=5 zv^PhQA795}<1k5LrKXf&Rik&fSm9sC6Om!G*SnH)Q%wQA#tA8=GBI+I|C)5R-$Aza zjy$u%*~8O3@T>iSS;+7&Zrr#mn10BMRBs_HnYmpJEk+S`jXQswt?0?UF4f|dQPre= zojZVb3MHy)|BIf>QyUJ%MMt}X^;cT3GDu5J8na}3UdGlE0T7I(+eH$Lu=D8#` zeP0QU<6kwOON;=rKM)6Jq~tgbQYQahdX|>Z(X5hS@RU%nhzr5afBb$|-O{L!TBBHHaO8)nfVgvOb)i52O?`90EW{Tm| zsYq?9bUr0L|7#)!=c+gw_atUqF;r`4=;Y4wSfvq|lYFXleEn7dga41Zw+yRl>)wZz zR8r{%>F(~3P5}Yw?(RmUySp2tyK_^U?(Xi8?suc-JjdV1|Ht>b{NiG+xz?U@tTFF# zkJ2Xwk%;UZz{44L9*#du2toU6B@|ZO?iYMFr?N@Wr#Lm`EXnR`Og+oxtPiQ-l0}l#bQ+^n35 zg|=7K*H^PFb4u#8SS7R|33uFjGv_$yD>7SBq*c(f$;LW9yN)L&Vx&X2bO6Ucs;Q|B z@ou1*yof{RMR}pnKg;R0+}K%*z1!I_%oUH5SSfxfB!&J%TewSu1%a|U#eS;PQe>Ji zbHZV?k=7HlplvEFf%uR%F%t=M^AZy_)javE$wRHxh?{Bi_WO_hw=Z5dt0F_AE=!Ai zj!*55?Uy#^O z;}gHOcGmD9+U=#kI?;>gh8-e%aK6cvP$`vwoW3fun;c^=gYTxL2L9>OIy(nfTbr4H zit#(uv`=MT=NS)-D_U1u^M{XeRc{8Ad8S3|Hd^pWLbg3UPRQUlkYzX@b~8{YRbyj} zXutea(UeJVkqMfBWC&@WseYL4puyfhD&<>02=bEXzkr6ISn5yjJ#o-mr^~QCuj9*; zK<#{FTCt#G<&G>KtwjNXO2`y@E)OTN_W%wX z3QZp-&IpG)*X&I^_oxg-jOz2$2+h{k@a*469+UKp-wZ!q`uscqZ}S+CA#RDc+Dj7B z#Y~ZY?$FHC7m;rs6TUSXjkay{4v^rrDs&JXSK;ay)<{N#IniPd)@Q7J>Q57Ew)7?i zBK=%8pjFeVNd9p$3xcPuBN~|!ik0FnqL0)MToCUW7_4A=&q{I8#Dz$QwpDfqN&yYwoa1pBR{*_NDtxQKu&~-We&)~wiewr1~KjV}*9GfM+CsNdx%`+i6!YLS0~V z0ee_6%4Ww*m`XFJ-Q$))D${O(Md=Tz%QT1)j=k|53S`kyqgX4il4qn2G${<3G)p0| zO>M{n^80Yj?ufhP2KyV1ykeGYT}x=RvZt8vQp)qia_q*v8zi*=#Tt|O4`hc8JPQhL zv(?TwBtNIE1oD;nSq=Fo>!xcVJkJ4&?%hBbL|-8= zwVGVoG^e>S;1p);r=Vv% z-W5RlDHQz+)PmCizpEQbbG_x(Kn?+pf>EBvqzP5EM5*L!Qa-6hHjw*WiAujF(T&U#fe8vs9JLyt=Kw2<&V4 z3GR%Sm7|vso?FePcN!n2?up?mluTV?Chv15x_dh*>$h4f>03mzKhw%XVX-l@98(Os zX@Gw^`vgNVYe>r}6+wEi%5mB?J)qcnFg9f7%4=h41U{EaA;Ekk9%rE{{D_Z*Fh*#J zC0hu;`h1LKitgzwVr;TS8k>>QN5z5g`*m#_*>w-kOh!beQklxm={Z32BAULGwW;BNi z;huvyGiMwmKZS)DxXB-GE_QT!NUNO(6S7o;l8WMh7aq{v~~5m$Q71vnhrwvy;SCuxW?lLVU6nrkwq zl}vM5n+>WTN!I6ztlJM^FopYrL)lmWs3(;7#L{cf;BXrw*K=GiW`~C$H#Y$ldg>S_ z$1Hf|Q2;SvdXIvqflzM;Ohy|-z>%waK%Z%C~SCjp$mV ztV`^6D2wL8(gN185p;YHaC-N*=k~Z;em<;$&zejaEQ9C?w-)2lu!eFC-w?ZGtaM*E zyg0890ZH(7{g(>Ztiu^Ub_wYGL(>L7XCS~`YxgPd2KKm2%L^2C1GsU%-HnkoA6j8C^J{<2ty$;(W)g-Lzf~@ z*dB4um`;+0C5>rRB?CjGBb&%U2$RS)irlqsLc|vMS;!T-`kWZ0QQX?LvQdOwv~+BQ zldfen)jKGKGZ);qdtJ>%z!HaZYRAk-get<=U&@zv$( zE1|Q}C5p@>Yq+>r^X^kQ63X7+;>vq46L}=i>l-_v4JC`#G-87{O&M%8K-ya<_=_Kw zF^pG}M9@9iB>bYIQi;lXKUUBA(Lew<1bC6ZLR6`|`v+-?n zMq>-MCI4xF{d9!8xgmn+6J|e#GlauPvLZ#Kw+}X2*2q`vX&_6(?6G*KVth#oPY@W5 zCuxG+5}vvKmd8vH5~H&hCVd-cvu(Yn)H%GOQt#{-%{z>n;IU;yQpD~f z)CYZSS~Xt`H-DX`G#;w_xNkh#wi^^|#W2}oQiAOslV=XgDZQgcB+r95}U zaLraoyx>~a*$D8GotEO1DkQ=N9BZw~;00A_YjU!G_f*Q^mKT ziKyuQr>T4c<$Yy376v`XYV{aAh7g-%!}>>O0_5WiD@NQJBJe#N&$GP|boguP_DW!~ z$N8W4&3(C0*Zc2TE-@zpC~`zL_6^_wc8PnF=ioZd4EOF1A~0?%iCe8iYg2+Op|+G zL?t|_#;7~R-qH%46L_h&6)YKgq;cZ_95|#u@=9|d3u{NBlU^&GENRFlaN2qw&aJR! zYUVGK)5R)j1N4&z($pb!YXBGuA;DPZG{1J9NaP8Rf;pQn)3yO9K2;Y zRMx$-iZE6fxpPSR+|kPS&2B!lWt@!ta*kiZ%&w;Q*^pe&=aKUoB*hwekGE;7fOB#u z)%d%Ut49lU`Xp|LW?R!^FjM<|Kv@z|;hYIZk_NSlvm-uNdcmisYVd~HLxE03rIHj> ze1DA<-*pP?GNu+ai_0$pmpJX|LCaM1o}%s;p7u$=fX%M6DrCxg7AjGxekOlfUa1TT z6Dcl0KK)TbG=hOVgVVTaHp&djLl#(E`{<9+%z3yZ_77@8#6GP%4DQ)vGw1DTE?jUo zSoQuUM9n&QxSz|#)e<=~u>eN+diF0(B^q_1ivp&$+f;%+rUrpti=c{!vC=nZC#o?a zZc5dUv3&b!r3~>jJ#z+GR;W&sBi5KHhmWo-(NouGd$pD1>UNXWN|tCP3qf67KgNu1 ziY6T2Kq~x9Y<7mH%)?zxppb<`gl)Q`CJ|-Tb4l<o{lI`EGCf=p{e3!)A{Eu zpBkE79NpO~0i&mw->O=)s#~^dtaSh z!VS)1$IAf~w2W_7QAI0iYBIHavWFI2-ts6p*Od(wek8)!V@d4P3o}4U!`NuOq+Kv^6in1+{lfr>JAm(n!%-C!(3S(2&!rS>tRA*5_t=xFwah(~{TE+uH0eE;km!{Sr}4 zB+jYBsqy%J1gEvyI8|<~`9osBOo@8fvJ`n9pyB)XF;2O?8xZ3YDQV~~Y<~|ZH}&7_ zs)(*qQg(@MB6MgU{VszYBBK)&=kh4~2?WG?>09icQMeBr@~yGB;-$|?tR~-DU!ya- zV9QaaFopDnW!lc_=sPMgS{+#rIAQeT7aJwDMDpyhD}!C-(kcc$vPP`H0{B#xw`>kIijrm6ak3s%I(pay3~UX~YEvji1g9bu%FQR>UI+Hj+~fC7jh~xN zuITNpVn(jASODu1P4D}82L+6>m=g{o_&ejTE8wj%VZGWT<1CZnUw-oB@ubc*X%iMv zIp%6(F_oC(ju+{v(CbmwF4P*XJZgkqodhF+e;lu5pPSE|G-Y7&(pY{3IZX%W|FEK3 z>I7f9Dk`P2Z^lUU2V$W%@W&718wof{@sX0UxLIKG3oC+T6~$43HX2@EGlmzt|ed0*>9DFAo-dR?(yj#8U8V zbeso14>%l(_K#m3wUp*76pK(NHb)BxHR)VrC9l^z`D^*3=OP>Txt(iCkt)o+G@ zhAx9Q%OxRQeStkp5dI;CCXVH16yI=reQ`_bwBy*Q67Fa@SU9FnH-Uo zgsuiAbEVw(J=G0sUc1y6b?KzahUk`jL0#3dZk}2^u=N>Da?EKYM4}N!dvbJ>BWHzL zv<%s^DQW8(RE9P}n<6n29N!!mk~@bt9R0l-vvZZFrKD0Te++SOJG;K%)v7v?I4#^F z)??NTVKG4!r;<<{;B=O$jpx=YL<@c#W)e0G=HT{qhbK>?A@M{_q&1B|ER3!bya!(7_`vXUHBJo-!H8V+KqStdy& zO&s0f+##vkKY)Vb@GKBF0Sp*T3CZ^O19PgLWwT|IkKYImWTRtT&y1XH4hAIEUO?fd zOzU3%(vZTPze-D6|7aIJ-Y$-3SjMGmdb4u;zMP zLoP~b#87eSit%m9yzz=0WwZ^Kty9fu?J?vWc~BtmixpMA zl9^OBI}?GD=QvBd!?@TRtJr0*<&^)%0`z*ex?-;CK`}{EKmVfg z)EhpV8fH5`k%J6dfujm(u)$u{`l&LU;_$)iQ<_MarcQWIG46HyrFi*dw)|m5ZIBk< z3w?xXEf%cg;EUIyV2+*C(aV$P+0Uf8M2w-*60H~3t>c}SgP%cR!a8_29-;+I+J^ZZ zx4hwB4#m%vUTU#eIAc}55xet{+20M={G*;V3B-NZ=|&?Pc${sYm_fojoc(;+XrH>uBK-@CMy4DUCN6)l#Mb>|g4CK7Xg zoG^LK^4!;#U5f7xivM{4VdN61+$Y%$X6*Cdi5X{21iFJrB{%po?3)J`-Ml zhsMgHMbbY4?QOIF4ve-%2L;hC8Oh!M@vr`2f6ss*e+FNYjLhHhx?(4x^s?81&Cu{+`6{4`K$X3 zDAO?{B@Uy8J&Er}IPajv`MYTIYAAoU-+E-lyD3w63i&zhM^ORI*Xhn^-tS#ODOQ>? zW6>0;r+twie2&l8>IF3thzx~5B7qa_>qh#B8W!UNDrgL`u3v+fTMW7_<4cD&{RiY6 z!P4=K_=$Zc&2O}STz6-UuQx$M_^)Xjg)}za?H&}U|8|&0=Y41R01X)swJ`jR6*_tw zPND#`nr)7+rnKyn7HAeszem+GGc7(wUQmS!hp^4?v;~3v}1h)LStpme94M$#^ zlnYRW^Lm8<_?}oE!xPxPjLAAPkE!)iKGo$s+SL{zX=Q&+8LZG*uaU~s1lUC)Tnw&jN zC(K=t@aK)8% zJ<$1;nhO;e6O)ouWeAOlTQc4UF)mYeXus950%V&C#*A=#uH#c#$z0P%Wo(jBx}(h5 ziAClS>x9TIo_%?W2oouv#p#@binv(2dN&>sX>+)p`1qPqJPk_qx}%!HHkV~ka)hqbirYl;-Y z7^t-T)*I-wmRe(hW(d0Rlyr8aa9txCPXV6l3$1cpXI@Q1xeOm~>mYNbHWt&pFk3+h z5)){*KXfo2>5j8*eyNq+Qw=#%w3F@94qNnU&&c1+Lp~U6C3?h0SC%{1Q~ec&+#YXj#j3u?#-E zN>33#q2Ib!878YM7V{V8l2w22C+w=Dn&>-lY&-L9asQ&r}Jbx~v5Uh&S#lTvWB z3klHqs`93wj5k}o=+x!vawo8Z4CnR<1ucC4wn$LCWEkZ$1n)*KEO?Kt(a!TU6E|F_ zrw5%56E^e!3RR#CYUjD0*BLQAScJRZEw8L23Jgub3%m651_^x#{O;}iVEzMa-*WF9 z|4CP#*s=C``KRsQVFhPSAU$qi@v2n$Cw>cA1!GX|AR*6d1cdh}8G!*(#;AN5@$29W zwb$kA8YJeu`M%`}xRfc1U~8HO6(J_A|q3iLccnLJG{su$#vK%IibFmU_n2yMaVs$`V-TFC2?Ht5&h_Cj2`f>%~n ze(ot0J3gRp?pmFD9JB^~e$f%2V?u|>+lGypkP<3Q#;U2nYH83uVYU6vYEuil-H>}{ z+RJM%)fex^k?ZBuRqMj$MgNW^LStr;uYDHDGZ9o2fmjC~2Xr!^u zoc8y?esWOK2ZOd48taasAv?#Mj*d<`^*vSE-zekO>2rWf`~=TW zUGMPIN~aIr!65)TSI|I-ATNbqP5uqv_$@_}??K=>JTzFOcrwNDTg;+lIosL`V_;2@ zJZZ{@jHS@L_E)+5^Dk2IRXQKq-*pX7V>0D27KL8q+P4XhxkG8>3>iIdof0Y~Av<^W- z$RYOMsOaL?$+p^<%wYhWJQU{JLiRuh9m)3p5Ea3vSLl^V%msM=jng*tKm0`O^@LF}KjZar{cBB8UGqrdcQS6!EX7L=Rq}#+78WS) z%2_eJ{~G$6$;VeC{fPVM8wBgf&|M50-y1N!uba5Xl_bIgwU$27``OWWS$%4CI@`1} zwEVr(5O%NKjiG&6a!6!CCwp_FJKBnDDP}mFXa7JLbmwh1j~^1Yo6*3tN_a^TE?=Wo z(;T_KtcvewMVlDTv%bjRAdr{*b?I^jiEGwDt%6ca)UMZ}Cj8Hg(2Hg&$ZC0v7z#B% z!8NHQE0_E4PNbnonT3H0aahr3c6=Am@fXCF+9c&ISz?DZW7?#xe4D0Z1e0r+|MJo> zTj0N*S%7|~=^oC|iuJvde{7O#NTmwbYBefXTF1Yr4~l2tHXsTEl>DeeJ`{`L1x3HI zczZ0W+8XXFwY)tv4Zvzz45 zv-(g8?(SWd1d(CHNk?ECk8?>K-~+DIb=5G&c;1ZY@J>OzI0R4Q_nTmfjUMrAB@`Wi*q7m`1Qfv2}FROqdvOuS5`S8-@`W_CI? z(3Rdl4-HYko?YRJos}{TsoK3ULU;QisJl0n15GDewrg+?GesGlG})|NahDuzlU_O& zz^gy^18|FAZnjVu|0g0Aq+wt6@5Ac{%2y}VHAmCFX|~sT!m(&{VxSqyY zt$zr0a+287Qe33Mm`fQaG1Fmmr8J=Lq&K}_a0|8C}f|{7UiQ6YvpaUchFOE z7QENUXj^e2^GpoN4h%wB#^}Wq>h1Uy$3=uF<4-eq!gO_mIlA4%x%N*_{!)4aTi#MQ zM?%$a0l*W}!Hbl>q}mtA^xCDQs@V(%4N4}vCFX4E*vq3u^p|Qkc8uttvgr#F=Ox?B z|GpDcX^Hf75O33fog& zb%n%A8~Kczt~3Af<8RKK(e@*C`Hk-GH>^VF<^`_azI=H1tG??Q9<%FF9AQNkRBF(a zUyH@Fj*1#>v}qoQmi9HuA-p3-#=IUymY8z8-WX>KR*v2gX%4p=WzM3wy9d}g4yqH{ zO=XK{D&K?3C?#6jpECWpOk(OgzC2*z4y)2zNp!ru9WtC7E0a>G@HzOVm!*x2cbqJI za^DJ!nK@BYn`Hc7>k|+LuXxo@5g>5ppd6q)sET4bmYk+sQ-U)S&DE#Gv|AF5y*OK8 zI?K9L(zOXV^Hf(L2fcr^VXOsLics@Tg^?>hZGqK5W|OccQKFhk_G6&D_oy=Ixgj2? zfC_&sbn5{M$>rTwf9m^~eW8U!Q@=1e19y*$y1dB>ikU<}aRR+{EFyycUIRUM9eR5D zCdLjIjOd}V!x#+p(69=t2N>i4%BDTP1lG<>#l9|F#7KIV(bOAr-Zp*C&Jaq(Dp!sOVYP~N2oMwaHy)N(Mc9XS3h*gVxce-J5d<+skL6l=;H zdPQZVi)|AF1!|DSYXmoQK;R#qI#}a3X;UTUO!>&h1>hYlr@wI+K5N#w)sBVcIYjBn z4AN~FRry)BFOqKWc(mM*OpThXz+KFg6+z4BId3(WKR8+;Gd)(6v&ZC&rH~J2u-F3Z z)-UB>j>cQ!bxJ%ukOG}hfs1|hpuqXB3)csdZ;fd9B9euEn)_i+REpSYW&CZ#iz&V; z`wV#|a~uQnNc?KAdC3&ZG#i#==G8%3e|eMytc9AvLjQDd$p#HM_e*t z2dHwUia5N^k#3`cHiK(2wJ;==tjd|;F!~SAlT(FXaIs;*MXyh~D3ncL^c|lIZ3a94 zJC@H%U(fL88W0>6dMPqM5;uaFK>i!`_`X7+@6o>NzSOuJf1Uo(?XO}hOA{kTnVO+W z8l`wo_w;|_GZSC`UY;!_SWe~_=Fo+*P5$?^`V^pc7vPhm21r0#8p&6K{Lj()c`XML zgcBr_xWCqx%MrZ@a+bcK**)njlKj&b)-?3uPQWOFxJ}VW4FBq_eJ~_D$E)(qAy^wlEy{ zmoS31J5ug#m{NcQYDkU;jQrdJ@g*~8J&ReezeX;_bI-peQfheWW3e{_9T!N$-fg>8U~AfPSeM+kY#! zR*dY7i6YT7MS;vrTZAd|A?E+QR-`&aH2-g+rnM7PAPv;lAjkPC_k+*d4g3*MlB66Z z-(x01scM*#RmV~nm|b;*+d%(rV)xj0vO;PN@lEq5??FttzMl-49TNl5%0$l2H>^d= zJQb`l0TJ%u9Fb<=MWj~_pMX~<9j>uxabZ&ds zw|(`0%AUhX_zx`&L5#BIbEt4Hgh2W9={eiSYD6$j{A_tpv&%8EkJvGWt?g>|aG;Kb z(G^UesNWr}xk-~fr>4~&vw1neCCqlvABx9C=c1~qjN*o!*0l;;)8QxIuhJ)r(^Dr1 zdxx;rxrwea&$YRp{&rL3aDej_|6HB`>mZ>m76|bK^+*-Rl&;| z2vwUrX4q|h5POdR2}O&iKAK6gJJ;rl)QbJJ;O6n`+6xL3wy3S)pgznQrvseR>9T0v z*GP^OXqh@RjHxf&2=Y4Rq3cmz?@SmCNNVk16f(59&xr`Ap>E9QozJPiQ-5R1?&j}^ z3E)PA>m!kdV$2I_E=^-4{lSHZm!*&x)5C-9IJ2X*sG4y8*Cx7wiPuXBVh?wZx21AA zg)7cq=w`hK&?ySU9n?BouRD!sH3>hvuYSBgqLrvWy8MMDv3_aels5*snk$u~gL7-a zQ@3L!0e|TVB4RNyYNU=o}UL z2@gGO*5Fo!h96^JtPSy|bHp1;wEIi#FGoJy*KASC{g4S8oGkg~gjHh}!MX;OGAdf_ zu}^;Ou5EO?6BXxd0i!!u($=EUpyMu6=huj-fu+de|ymJd!l zTCX>FyS3vn3R>#B0^zWYBaQad30!v*RZ5ytY~~#GnCm$+@H>NDVb-#=u;bO(^!|sx z49Ye%Z{iB3M=w)KH}t$P5zXI0F47Fjl+Ag(m`%A|>lwvg05|y_hylJZV^MwgEMM6)I8#Fq@ zv#c8$yh-Rw^&9!7MqT!(+z=$zP4lHWyu=WT0|4 z3LcA8D&4_L7wfb2i#Akxtg3&et7qyaBt5q2VWLSmTb~d#%Pg;N`-I#UlnoSe)+t)C z`E|KeC-M3g%>D$b*Px|&)f5b0!alN=XPAsMvz7@&_#LV&wS62tX57@)GrWJ8Q-R#v z8P?BHR^VL8m~AOoV2xaPn$aCcj8?*! zr7V-ek~Mbi)@C^{*kV~2qV|R@-nV+ivQCax-yGAo7=uH%EJhV=>tms?X%6xms}ReC zUrQZMCgNxq$`LuKUen=r@>+0^Iy`@r_T`KFS#LPp=8^iskD&yqo}(M{sbr-poSN2# z1^6?v@A5JkI5i)0W`4f|ZeQMYc4q2$se1n1qWU3wtY@N1#-M5Rei+3cJCvtuBoD9w zu%=O!UF|w~UkV)8K?{S)`*gcb@v}aB6|+n=fdace2H1(zDkJGD5zrd1YySb z>qmRDi9pMXItBK$>H3F}$f*CJC3j>nage$>9VC{qN(mXhDeX5v?>UR}+E~m9H<34l zyT}GqocpRT1BEqoOi{&eR`l;yxdj5+^vD(4uo@W)wmPpuaGEazvyhGCSdAn^Zp=d{ z)gT9UrHAjgsZ3bhSyw5_CJYy}0B5A?_%8z387!B36RBg+yX?-R(c3Yeh9axITSuHe z2aOZ9hi8=c)Q$Y@GjZ&9eH66mk3NQ)$d!#v;cEMGFcW35fmf9T=ZYVYO<(HE4k;B{G1Fp=*U3<|= zEUj`^yO2SF=}FanvbMJ^e9#DGTU)_4)LaGm7R&hTtyWC&eyU>y@}^i0SmK8WrIq9U zj8^BQXjUqcSSc^hO7^SW%`#B`tG*Sf{~L%rkd664^YqPd&`9_suaWbVA=um;csyTn zm`oH1<9-ZW=|xRxZ#?%FK?N>1-<)}2iX_7&^&h0ar@CnPZZuZZ=&*@3Dx`bfpA-UD zgfsp#$N7@bzXVfVx{urA^381Mi3$b5Ru6L7vg`L!1*~6NBmQwo(H%yfDvgF6D-&~X z!JW#r)?E_)A0aRF-g$+4HKfDQ&JZyXDX>~MlnHK%Gfx0JKvwZ zwM?qgE|SX(d*8z+sB^Gt*RHnYiX%9}eP>-4xIVI}{mW2x6oCFk9~e1cf5O!M(2zU& zqqgw}nJ3~qg?+JviQokb(JHT5q!Na+?o$LOJg7)o1tnWhZ-*uYVQ1?%Y*s4*dX|!9 z>Wwy)FJm52F+)vp;eQ>;MjyqhK%BpU{py*pCH^9RyC2#4$z*cOBKk#t9@ykP>#e`A z{@#CB{j7~2=^fzZ5rQ+RLG~m4+3g6+h(>#WT5l=}-7W5U%0`AQ1IJ&D0NW(Ii8V;i zzXlIxwpqL_MXOHd8FM-g&eG1ZS`-xd*Rl}j2lWMPh&!Km=2ldFm!5l{s zt&VgU768z=RZRIMj9=~p+Wv%~gfcTC-uJkrzPnZHfyRG9Hpd?!QY-cde>=ePnV{$$ zIhj<)kQ@1Zr_fj!R-9rJ$-kDRx0Ncv`&e<1)swHhR?p}h26b^XFW2H8)O-3VH@KOu z<{!7~tHo8qk2HrF&lp7443T^FBFJxZMzHg>So^jTY+= ztQ`bjd*hRD;=QM(``0S)rlWhE4`i&~84&P@NxfyVvWi9S&B12D0%Z^c&Bv;P8n^v1 z64r=by@EuYTh%d!^QQWWPYR?pY?eP78{hqjIR{BCDD0g0ga7u7skphcm=kZz z_oM={f&Ixb>7?K`r_)jUuZ{mB%{z8c#J~)YKy2l%??7#IAiq5`S`w3h6kPJ|v$j>n zXHL@P|FHzlY6S0(K&HMgHLzTkztM!qa5y=uTp4lMKTK=&jlt)C1tjjbmBaC${*aN~LW5Y=yZFaj>rbmn_|LmcdB^au_u3Aq>_`ZI>e3Ru!sEpRtoz46NlN9|7x%q@2vDJt+ayh zaDra#AU&Ak7dPC^DtcN!)w9oqaC9f&?YKKrUx^>-2IFNbekap}MS){@&@Zj=xR_BBQG8~N-mXRj85$&qi3H2>7~{E zw2an~4__hM#+&ANXU2w60?%~zkSPjY?j=xkvs{CI&$!@VM+Wq`)i0C@6;c8YuQl7s z(K34N=l6!82fy~c?~#p!(Xj;!99z$mYTw<&&Tz9g`t+Nl0(XDvtt9j9&-@}AGn=cn z{B#)ZS7BYorUc_`V}j^GR_cX|R;$WV+Z>ib7CK;nhOJP ztMBN#jS1HrzK*k-cN7?W+y}3?4XoRe`*%raAfnAdvD(PMxytH_K#x$D{A^Ik)UjHD zq}dBQ#|LUdEs0^ma@TXOf;WChuzv9s7`WFn5?y+i?DLC>ZFnEig2Q}}cTTtX!F94e zeJ-w<&Q`+bqSz&CBn+ht;#;hR((y2H&!JR{3=;*sQj(Ry=LX{Fa zvc_^BB&gKXapXVX;P}eugcpY>ES04Th+50hWAU(aHfvkx_zRSO;#Lh1#Pw@zWvWAy zAnXzh4E_?+HTB%gl~s8IqK@eR?_u9}jsr0rq##rlJ|d&}s+M<<7)YQrVeG)22$r$N z+%j015&{HmtnCR|DRE%cxCjM9pX4?U4g}Rjm_Fd3_-g8ShvdLVQSu;Al&rRpU1A9m zO|f(2^OsM40Dbd#enlRVb|e^=zW%Qwe~1jNthnv-ng+tKE3&v$au8|I@FMA?*-4~{Kx2+N}huc7mt)Ii{XYhCt-#7 zX_)|DA#>HeiUqAn(p)OrGc2%E|p@kX* zb#-|pG`yggR+dB3o1Qu;zMp8)k|9m-7*)nRkdt%tZpKDO#qe1kcSl256UZSYtJRJV zB-d6cBV^A<7o{F_vFCpXP4}EXnAFUlNGN@>UX)H~`ShKo z)&;g8&=sy)fc4lKcCN?(S60g_3^z^Hhr9L`D!KMyVtc8FBKrKzhi;C~l^SN4irn-x zn@~EYd*X@QZq5~^2fDR;r#GPspD*lH<41<(-Yz>^rp1}lTCYvon4*7n)SuM9%AkRHx+t8=-^!SecWcBQc*spwxNy;^h~NS zJsZ(}E+BTJqzZqsiP{fQwzfE?w=^`Bd`adQ@4i*Yxs$uL(CF%UqQY$4fIyYp-rPEE zpETT4q(tvO>#WZbD9`pB?j2gKLRB7S@{dRxorgsSDi;z&(cx!T$w)@L1@s@A`ZrR3 z52op>e))>wc?c>qhBf-$Q(J5hf2_M#o4%US&sqAG=qKCW=!^z-MfKEVk$}ZL?VJ?e zY(03BH^&OkU0V)a-OUZX!cE#mBYR)o@jY>e*>WsvRvUk%D^jmUR=YOu z0Sa~w3$@cf)~m$BQA_5D0B$W-IdO(`J{NGtUa3k2UkrYGVkTpHm|-|Rxi(h{xSpK( z!hT$QFVC~tJVmAvB3?s#*jYa5wUcPzkZ)h!UF#v4WIGZhF1>8LR~z}dW@glx1G{+ZGEKxPyMILr*G?O=C!0fgm3V&W z89sb4B0Sp^da9m8{-UOMOz#8EWwg0mMGN0+k^R{f^2&6|=)Qb$o~a5x%kN=ry71jc zSy?%+F@$Tnn_SgxL+aJGkSWI<^VFq))=Cl;#>-=R_h8PI=6T+7wzxwlqv?E9efyfu z7od>(q+zbc)4^qOW3+D4@;kRXIHrdw98GReL$}5CZ&c`5aeQB~+-&w{Ihf181Vm9e zt*x61tt}JP;Jt7)qa(hoRZX`w2*#Dc&eyvrEm>L|NkR>=cW-%1t1yfNsHW#w2d(~6 zhF&QU9DHx(=)YNB7~vw|gO>hS<%xNnuL?F+M2NvY7Ndr!H8E_&$P(O?^6YtcHi9wW zGF~P)Gy61d_QPaWk1?bGG1K#+4RjaBh>}Ej$)$m;l(;*#+nL)+v?BbOk=#u7Wve5Y zvK>j&oG~8vIolJcdAv!8n~1V2OPTng_~9LIHBr>t*`jGZ-Ul}6%rAEXaGI?ty8Fi* zE&T!8vQ?Gt`f8V*h~%^8a1S@shL+{MTc?Z(!Hwoc3OS!*X3a?oicuGL5DYqB=9&j@ z$;)WJ172#$-*;*RH%n$UK-ItL3~A=-p|JE`>!g8@j{KmmR@2aoCN1`TZ{cC_edJht z8-El@>eCFP?TOv#5|5jm;Z7k>3OeE!2^B(o^-TEym!r#zNXDR>R5$~s-)O-5RG|ZA zfOut-1Mp%^7MUlddzQ?_ToU;pJ(>sn8V$B^QKMm<<}lezC2rP^#?qKj#Y)vz>ros) z^kYQ+ZWr@tkzM)j<&!eP8ml|(VSatCYry=G+F=$k{buttnH8HXm@>SI-3GQ)=@fmF%qM9pbC8-sQ>qMM(X%B-oH*nn?5 zl{vN}d^6GpC)-nx3j`d}y)V58X=E{fxpCFsYS6Hy4WUb`0_Av|`?E8!L8;mJY9g3$7l21h*MQez&7BR3;q=17R zOj9RSp=oxU3fY!kb&$7fg+3|GyG-|yL>GD_fc1I=1-CP_I$CU?&I_tkYCRP8uD)W? z>JKy)&yAfT9yolym=7^LB$PAxYQ;_F8Os@x`>NyhB6WNE4bN{J|39X#Ix6aJYriNd zCEXz1HFPT}E#2MS9V61+-O}CNQj$Y=Bi-H1H@^4k{nna4SgbSg+h^C==h@HpiryZq zZTOtYiils(`r{{}4c&8+JVon=os;MSyA|N-NK%1Fh$miO;5HmWvyq6up%9DDqj&4= zzRWuPV|#`kEo7 z7!8FS*7xl0=^l2gtCq6B0Hb4;ZPb6iFPOoX&v<|jmeP2VSTJJ_&@>Zi@D@uYuFiBu z!OsGFggUUP8BTO<{FD`VQjIJW4;@~}AImRCPnV_A4dAP`d~w!Pt>`6NAM0zHuN|~v zfg{qvn`(w0=%VQL;2SLzKJC-ysgLd4PTtIz2o(0Ht$r#+?qqAD-{!pR5i>DyFRFrT zjiyHf3z~^qH2izE>vp5ohoSE!xijY|Fuf-krg$T7qpBLjICP#Fzr5eJL4%N;nY-Ey z^GhD%%Iv6kf-j+JIy-Z@J&~Z|l;|dJdW)bOS0&N%#HzlBl+UW>4+D?{8A1Dj6@1^x1t$VD6D~(b=rmiMyvR&4n#tJmmeY-gmYUcJj+?W z+!}lDYI)0yHx%cUx~_@WNYUHiyC~d!iH3_r<&2L7$`<(U*2Y<%-uTU1lCY*`5*_>T z+oA{`M%NNEMO%Bo6>U0ej;kEmH)f^W3w0FR>m1Xa$5G9uz=Wh7x6%DbQ)?Hyb&7{a zOQbHJgtV7=j17UP>h8AkR3W0^H!hMkR}omtRa5P*wC}KngXJp1vBYbhh6D2Mg?#s@yG4!fuyx8a$2F?ul$*|*an* zveS8*G)wzjy4F+lN`}CrN)%1gx-19J%aMJk#m&Bj+rIKO)6WG0r zzhY7Jp49-JQ7d>)xiVAt6l?bFIC>#EP+AjdF_(|gHLe#VeJ+`XdTVe~OUtckd##90 zL7vyjKKMFVsLY&_#)A>0RQ^IyY7+Wg>S>WMBoRqVHAtFUut2U14T+F7;Qnzi;^un5 z>OvcRp+jy1qJ{!tH|O84%Mv%QO7JJ^JWsjkd!^x&b5pg*EnSGDZbij|knu+BneF0& zGxLW6M2@Q|dQ&d&=ltlIC@l^&zX}}Td zp@C!&+*6&crc;^=zWn;@s)J%MtLgsdAdp^P^Ei>kgw2NojKx~#L-;V4>klvS|G-wX z^rjHs@Kk#cji9XkI^XRtPn}8^$ko_CRt+;+Zg0Wr!tB*j)$d8^q$pX5PlHkFw5Xyz zL{qVH>9xC}v*uvAn*^nbBH24s_ zLg7-cf*#QU7ll^fly7_hpr~89Bsp?AxmG|o{wYC5O^~(H`O~RQ*;r;*#(ctuNk~QE zgS6CjE@+|7OX!n=Wmpo!7^-AuC=&8kU&Dv6oiWVJqI9HZhy4%9b^>HRx9ymq?30td z-5?kT$TeWt?nvK-h{TXeKCT}ZNIxVy)>)E>RV?u0iA0T7mw}m?WKDlQ7ZHpMV?T$v51#aLc4k52MVVw^dI^4_nbzNx6YLl;wBK~Ux zISz?J`A5!gr+OyfO(oIIk3CyLv8;iJn?0zDz;hOPy|kg&uJ;dhg$lmTgo{n->GHj_ z8kK~Qc|4ngWH4V+Wixng`OK=;$X#}|6Bsfu8l?Ig>IQ416T@c^);m3Hoc9JWPXYc? zix>_ETa>jXpn-7eCe{Jz(C~t!73-~^x$6kwVZM$5I~YP@;+JNUfs57~6PxjvjH)Rq zH!jUS2ka8^dg6NtDN`m=aowMSS+50WSK+E%U(gBlX0f|qn;q>LjeM$DOM%pilnzn8 zp5hxuwhUUM(J!z@Okdvj=86mx?8!XZ%Ml6;6r|rd$fbSz27?$&H(B=RSeGhY6n#1P zkWL|=9H`iTm8X=>?Rt+36NafmjDzd`g#KyC*jO&{pE|*a^(ejE`{)OFplkHWliZga zQ5Z$O^o0&5u1~S}Qi+VxVbCZ^5?SX@xxJ!?k;A=7jOYl{#-#E=zt;N$s3QLhaq~mP zs{UqtzdcMLSf5+_0>(*M>OwAk6KU~!2xrqCS+75_Qq6nu6M(+J<`62Y0rRbzPi zd5!=5ulVfw2vEXn`_I`7&cyFPq?enkjYC>&CcUu-g1e7K(uL(M<}DU)HKK_6_UrJK zR$H_A>3II4AiMW4?oA>603<_qUdBd!PL0+}eGPD=m~;xUaWDYzOQe}z>|S41WXd#F zk$zBLHs!mQ@ZjfA&k8cVOBrg?NI`gx_5H^R=!CXKMb8q zObRz8lmPnvRU{E83{>6cCQ9)W1*42Y0n^h_FS#rkW@Md40a4WU@GsbzP zq{=^k7XA+(|9hx1oa%3h1|@inj|yZ^uX$e&&kgDeqzsu9p?iDQMJ4~%ya_P>6((`T zEwZNcPY0QgT6I*V6|cD7FDzg`zcZ2F88-#qt6-2Oq1DcG(f(9EteM$$ z)7j5RCx>#c0-pao$$Ioxta2oS7ADKTd`Vq-XD7WgPd7xbaj5!G;C3>lSb@x$2`#@*ZFd2FLaN4ey9lE z#C|5Y>bm&G9<46J^#?VxKf-e)wA)?7F%RnEs7eq?fx3n#cEG7p-xfEak^$@8o)c;7 zWtSK@dH>LC3d$Y&mN*WV>j##gt%I7Fxz*N7FcX21F^$sR{X~aXnVl(dL)yg$zmRS> z3VoQN^ETBWS!kF*2g6nFIAs!X-a#7e45D@Cv5H=T{mygP&MQx?+3haD{sq={Z{a}v ziVJQ2=!}E7D-xwdd9*1=*?gzhO8J02e)XvE`;+LD@yq-WU#P*f&{YrJX6lNOd~n~V*Q?F( z6P=-W;~kpx*+5g3QZ{dsfABC~uB@upxpE#b#Fg5f{z1pJ+g`GVh9XFQzN1j$X-OT@ zA=o@#N*=&M+%Ug7^B;bX-M5iSfH!})*CZ^|YRT}{n@N#HD@|>PrPyWs8IUhD4!+>} z`EmtSpX!|wh~X7SrZ7r?2p&6y4B4#Da)AQlt*#~Chg-YZpRhl_tpgNxlo<-`B!8+W z;Yf<9OXoIyj@5*Tv%iQD5}_WYVvuxb93?33bFn^hQm=M^b8T{) zu$`g9pQ8mqfg_a<*@FfO*w`BEv;eKBMW#LMK&#|M-2P*SUiYnp$Xyru%`J0@h47E6 zo*u&Eyw?uQ{&aLPrIlkEn_a2Uu3$kb246y?E6i9y8qvZ2?DSkl*#ye-@>P*+#m<2=s0plqUCyrd~^Zi8=6!{?ZF+|TU( zWh+~`d_Dr7l7ZQg#mPFEx$G^9QTzw2lcfeK9Ycv{HP2WYE6%xlBGTXyX?`D+FBQ5z zLDx2eC7A^3b=x$W!J_PTt4V|w==NmY=@ZbY3#~oLSpsbv9T#r3%>f(WCm8M3<#_&U z!VylQ5AqsZnsW>&g`b~Q8BNYEMz|?KqRCMel85<5>7X}?n9s41BdV99`=95D1wLml z_)QeKrE(00dy!Hda@xoqvM9T%4O@IVY+fXv8 z?GDoFixs}X)R`)FxR@z&ny z`oxHSys3iGZpHaLu+ncaUC)W;HeP)yLsL<^i&jsw0 zb>D$G zq!&G|(QiYiCmN)^v~{&}MeclymG+9fnoea-7Xn;GB&toe#hpW^ri;Azww5j3J+BCz zuq(DS64K~y(v@=csj^o2qR&YD+S{vx+if#x5_v)$*ASoPCOwL&g;Y!Bz$gvo6OQa6 z%W9@4mD|R2>V8p?j38@HrwJhPksFB!4l`{9Up=+7qnX^9ru3H|-WltgW3xq`X$@!M zxe=_Om`=x;?6tRp@%#`3m+NWwB+)W$jCe5Ub{n&5E#Ubg8!%|bC-kf86F##-k%{h3ZmNycr*QwD$uDB$e1E#kg_s7a1Q|Fx76*JYgDb}{G~&+v8Xyk;GHH{^rm zti{-~i`D1iP%@fxR&oJVwt9K#+sZ7lT}zvv=}eR(Ns!{LIbcbKXP~fUa>)J|^pGi? z0$lPd={RED-_ukks!c)1!??Jd^ssbJ9gO0bh6mb5c?w`xd(0}oK0XbY9e#{}Nmrsy z#&FtY_*F9LS9qh%@44qp>#=r-^<@VX}R z!_)7MVh$+!&q3=tRA|mGG~{Z8WMnic7V*J`WuXriz@rf6)m^tPkmHX|{t7lB!)sk~X^Dm(xM(tCnvCkz2FTk>b4AL74$AZi zNiF29xr~#MaQGhMY9=;K~*Ljr34IFE5Y4X!4_PO z9O?6;hLF;LcDP>5C!+ND8LDrVvca|Epzs(B-)mj(EK1_Hq3-r+g{y@%b8awR0&R8I zapZY$E)?NP6oI8~{YHK`E!#o`L0YIwk(c?poB8a;>tQ?uP4DaN(Ac7iQv`EZ&6+$} zZ@APsO6cP~o1G>Ps0)$Id;4v4-3e<9W}B1h9m*uO4eDqzq(qKXb#U8^v9tzUyS0lc zPb@J_m$xnmLq;59wAzbkhH`c=+}E->otSER>Tq(3tU4^OGj>K$qM5#w;*5=OEU(bt9nCsN5XS4Z})Udi9 zpF2GPh|H}UlaQvpXgkyHxH{`|d|~D$sV_MQ9a?iAwuJu?@;WxYywCmhN(z&S&y_P- zt&uRE78CO0LDF*vn^}$Vd;Xqd>kYv-tI+2NYpv`c@^+e(IlL+aa@qw$mVRJ}1|xs7 zCFWqJrGc9})xdY6eQklRIHX|AQ^^tG#u?|MzGe?y;|RM#r!rONtlEJ74y_5FHQ1@* zv*~&lX2eAoTK{#*MgCftM*6@h=p5wbSghra+rP6lT2oR`L4*V2lO;dDV7;<4S+7l{OhtR zZI&k;h5?FQ+)|mkP7f|K@L{_{-{N=dHj=WL6gFq7bdrZg)Z*uE5ekOub3oTH%EO5% z#AEnVj>EjQqJ(*?GaU?Bw}{cqrvLRA7? z0&;ZL*k|23W}#%zSYZqK!J6wbyXB{0Yq$#5uSZedwG`>KCz z{odmlYHkd#o3ko*^a}hodZ&}(U6-)GV0h|$*PDjcQNy`oJY(tn!HQ2_Nw!NrBN?+8 zxX&Uaz*H+Qz1gqfa@%}BnvNs29~o7w9a^(}Jcpdfp5sOrWT@79YXu(5e(n_-(qZm3 zdhD;8>(sz3#GL8pk$X?)LB+IMQhmNIoyhOjul3OPHo1zKyfY;#>F$k|S$gYY@fQ*c z>~<4c)Bthl$z}^K{$wW75*yqbx>=*fGu1d=3l@ohFEy4Nt|=njHIG-O;0x z$LoY5B;M(}BJCQSC2uRzU2+DS4~%7@b+npt?4Kl+XI}h(%B-zPvY#7<$24jdqdAnG z-e+`T``{;=$|Mg^xSohyz2jMEH0I~i-8HZrbX0ae8de4OJ6EasqhR2~vbDTr6Gtu5 z-czvm| zt?gb8bRZRD?LoUNO1w&msByO9ByyN^Q`9ZxAFW6h>LFTQ$pFhP*ea%ennnE&%T15^ z50gOq0~*L&<^nAR0Rc7sZV0p3=%Yk}+e!D_$x+R8vAgdTs^zV&Tz6Q{Ov!xeY`QAi z^PuKq1@K3lU?T0wT)dvdjhZg<^YJZOI||<7{^DMRadW}onY9K#5{D_j7bjWnviTdI zVDyC9$ajnJwDg~pf>8J7v7qiFEu|iJr_GfqU>;+F6Wopl=T4+GIE%3kr+h5-(sUlM z&o*@fALCWg_Sqt?4)EC~Drlf}bB)6cu&#^m=XmpspIElOAm#(Jg#DyCG!tp=-GXkQ2w& z;Kk4bY=C>hLD})XY;~^6I*Xjui{E6rDWw}a4|FloaL|08?O@-93;0 z7|JZ3t!5VNMD)-(wUP|dq38TTt&hPpT!q9o&z!aMxC$2_)G>ycJ$<~w5)YZU7FT#+ zY`H60o*;>&+Zb3bX~WazLQHIi&RSld)#xP0ns0MWcUZ$1jxfF$hw>m|A$S45jQw&s zr}uHx6vKA5jLqtW3Z1}CsmBJFkCR!XENIaOKkoY^g(Z&6*b6~&i~S3V0kc2eUW;F5 zTl=Cw9y2w@oQZk7p(qSk(xd4W`dB?^JAJ*~G^nv$A{8o}Hj^|gY?crGeKkHod{)q` zCBSo570}YXfYLy-W<}aETV&301Kr8?)WH!BDc(OZ2#K5`4KbSZN&zzXB_xBKi_0i_ z`@NX+#VZ4#S9zpPbjud&T+!3cB@(J0*^Zu@HVmtFAN;44Pq?!MtbB7F3tX+2PQ&x$ z#wsw5@T!?YRPvVFd5RX_%dNuNXw@tK+rBTi1aMk3)%!diaDoiD~mrhYu%Mnza`Fozzgq$rfVc^-b? z93_%1(RC_LJUgR=Be_&@H9UcC&)zjKgp&@1Ug4=vs=F9bWNc&f31&9?5rSfe-seWy z+f|h&`qBN9cq0R%0;qU*DWpHWDXvd3`~A%uwfP{1g=2X-xRi<6$c#+>k|cpgW`ZP8 zMPAv3R}8}ZJx;0%6WVmEx*;oTJLHTq=pMgyik&1dDxOU@RIJ&8ciP~qj4e3eTH?=h z2$M+Pwq57M7RpX{jSBkGSwRg&PyMB!6LObK3(42W$&|$KRm(nS5vESi&KHH!?}6;E zUde^Q?W4ywcZ-dV&(vie;26Oe8%V=gXVzC0>R#}GNB6&&N4V-~P)-hJGm0ax` z!Q+)vf7J@I<25`ww~R5SE)53Udp25v$j!%EC}TU0P(Y|K&9-0&X_s@~z~xw}q5**r zRso_}cp{Qr(dx?8{n%-Vcjzd|43cbr55ERi$ay<5ZIWPaZT5~*zB``jot1DWq+dIZ zF*gn=+3854`?g^8XfdJBMPj;K`5KYvv8h-*Fn0w0j;JRyqvBvI4K7Q!P=+4W^?qEu zEG$R$=JEdif!5~aSU0?p&AX++lZ5~*Bgb|3E=7cC3OGmFSOvN5iX2*U<>hdsqPhp= zvEw!eB9k9|X;>C^eUt-Uz3sz&&3Ko%y3bym9cQd1XsKmJm%#8`I3|@U+GcTld8PdN z++wzA|4bgvR$~O?*<_#h`k5JmCF^T8SwXD&Q4!sm&E&hbXE2Aafs4OQ1;CIYU?I%yW*xFPmb<-H?Y#=s= zMHLtDB_t^0C_4TYt8C8ujp$W(LCba&AnvdW84GW_($^W!mHMk8#JeP8t$rFp(G%<> z>#01_+j0_)*F+zYCRus${R@}x6mibew~=dG#W}~|dBykW5Ez)D6d7fgST7%pW#Rd>q_ng89PLSv zTvD4H-I^_rH^pxnRIJdf0?`WC_Dht@*!UXV^EeM2suYqP1k)ijK&IA3yqHI<+5F%* zq^>dD%*2@ufi~)izQU%x;izj?>__Mrq z7Dt-a4W&StAjWN5@$6m9XAj)?La#dWFO-i}9v|lh(`nX>=q!YzI#t+K1}gA7upd~8 z0tqyZT&bKc=eHF_LN6)r3kxcj6ci4<$)u)jOB*GAN*xc6}ra-DM)e7%H zoR9D6#~w9ccc>VGCIKq8Ea)S7i3j4JEL8g-GvS{f&j%>W4k~fUA99iEU1#^u79Hld zcf?Ig9!^v^x?VHC=1aX~-9Jfe{UdsO4%dm;tA1;t`+N|{T)ByoLo5D=xgyXk4_0HB`P-eFg zuP=D1hRz33$QI?HI}M=9nBwp6jJfBA?Qyu?Ij7%L4cW)y6KQmLkXv9Z)atAA>0%zs zj2X{EJW(k{uc;E|DTgJC@g%GxrOU?3IOTJzQuJLjCqHjpq@Xki&H0AEY@U%K>jAH! zl+$#$^u}1m7&NVA)@=4!yi;b#kg}JrSYRPtpcAoLjbQ&!HyzeU6}`so9aOAX>P$oK?7lKU0_P5!gTuTq)stR-jx=b?;bi@A$&BlE%Kjduk&!6! zqW^8Fnw#0KCD4{|y(b#Wa>KZ6bBUBh+&Wx8qHH7`5b8L)RPB1?iQWl8bWmA+?hpmC zFnmBiyC8xGdZ&iXE(5%@K9&Oz*hVB=KCrlHwazmID3ALzk-x$l{ zMITkgZBmk_<)ZpXC2BHiw7Mc6)E0_?kMWGCZFAJ7y_L;5<4&}84b0%pdJ6?+ij`Cz zpdgSxAtoxfBKgb}XhB4B$*p_4-;kB+0$0z^UT(zr&d&?pNXTr0d8YFZ)|z~8B`U(| zy3VK^qR=Varl#{f;G8`<>QtFb=SSBF+sr<=y+E_{pSjhm0Oe2OS~XG=F*d@&>=-HNRxgSa$obJ*C5viXJx=v8P|s~TzM(E3cmtO_XSksS#gJWpr) zr%nSDZ)QLti%SCGHHZ_cW36~v=IF(b4DzcuR4`dUmnsOCn8-A0M!qm>qQv8rnD}lg z+X~VZ@te75X$SK7b3)hJ3X9OGp7a$~991jDZ6YJ70@6!NPf*X_83#ww9tI5u;TsDFZ z{OD{{8RFxl{uX|iiM?U=9j5rBp#ETKXf5CwnVJK=72Z4I_st@3g<#*78^lCdRKn) zAvF?djc_H~+Tw;Qkd~YgXH9jJ#t0(=3h5BqF$sw|#_VRwZ@%XV$ z?}mkyWGVnH`b{1#hX-AYVZ|FwO9%jIU34yhitNX?P$|W)f!ki6jNiX)z1#4c#8cW= za!jxq-e{anovFj~;FZa9R2>;UCog3u4p`rXS&)F8u9D!&+7RxmlXzBc!dS&mGL4t8 zJKecYjY@Q+H$lf*_NX<9EQ&*#FIx@Sv6_c$U{m3Z`A$tz$oej;^Tnqr3YYK7k&pM| zS)cn|$wT?M;~6Tblo*34@dU-ENujK>gaX!|ciB8AUA2!@D1K_fM&}ZFc@>HP z#7QLxoAUaziGjf5l;#YD;5#P{HBv%U z;y#`&QWdR8gSs<@V->0-ndiVrYLYniPUL727nxK+ykH4xb6#r13ySWlzz41XwtJzy!{WH%wVd7%_{y@IxAE3w~8hTt@7 zNv0#qX|dhptt2DS^P!OjUZqAI$B~cEgvD$Iiu&iO)a9QkKLUSLx-9N;1fmOpg-NFk zf-3pN_n>+g0F@+N3~R;Z5YFh%n1dn=mL@yKxpCs&S|7E<^mpVZN^C|`@IP#ibGO^2 z@8wROlRXATt8~)r85Tkjwp*w2j+8m8^l~VAuV6XJHC}3dv1RAoyk`dF%St7ES7~l_ zA(fP7FDSl+R*UD#H(T}I7a`s_d_^R9!Rb_?Vy&&ovPGmE3nxdnnxQWm+5KfF2JodE<*9mi$cuPVwB?;@doC*Tm%0)D#>$KC0bEfq zLOPyMG0#y^biVN*DaB+7i^Q{J=8}!O#SF$ZSs3(q6#G6;(5=el#q}_0TI6ESZokMn zzbY%)K6Yl?HEEx_aV2 zECCMFrZJ0)A7{k{F0Qn?YbRe89B5N0?hx>3AE889)>*7Y^2=d* zO~%gf22LWF%Lc{E8K!BRxcn-$Ai?hW#E26EANzGqQ0lui`+IBy*4N~#e%=(pEgotn z{v7?aQFDYM-y6u0tS&X-!cag~cyUce-5i&fFIcU?9}G8ZEw0synWV--aC_RT{hXcc zWE~PlF{S^g1?;j*#=A~>>6u)+^>OpqbA9{?FJnp6$Sdm%ESr@Aii(RH8d*J6aUp0d zp_$ZQzj*Z-aAKgDbdTSzx@{8N#EPb}FDzTuM39b5o6lB-kAa<}jZpO2_gTy8&B2OQ zFEvH(PLYH7BP3qscgtt9&GijxzBBDd7+7dg3I+YIdZX)S-c?Ni)^-u{;p>b~spXUM z?;a>f>Qbw#_j&GI+_F*54PRSC-ET{tnw0okd^0-9_r8=nGQKmFmNh@eKsjFPH&O(6 z7;`y;_n_vIUf&@{d+$9H`S_$cI9Gc)ofe0{PaIZHYF1+8U5ZF%{kWC%)I%YAvknQC zkgnHI<9n(^O&R^Vb?ak6!Q|&0IUi?JoJ<@Y!?Bt1^@l!7)1$Zp_Xpyf?cxLFQLL+? z7t}XCph(8D(GJMX=?X1JAr7i!LKjM2+uQ>PWU0E^;m@f=HCm!%)a;Dse0g7RcZ|Mx zOn?UO;~v`Rzsm+(6D8DL#W^n#nHK`bXSY2MU$orY8y^arT$T?^(Q9+rNfVT3x^ynp0OC%V9$Nx62+99fc0z5yc1rVfyyN|+GygdiETrFX<>e;(g`n&?S?RYidCC;zuGdmE53m5b!_7`5S@*4lBS zh?TNf8A$# z+0Z{P@7^dV>`xU2#^_&j*?qeFrAG?SQ}B1;Ja+Xr0D@#t*X@UUVo=r6VRWOZ?5Ikq z{zCJC7ex%`Umx?2YBd1DTLwVyYX7=3JMy3S*RTCt#7y!vpx2E$=U^V^W~KzUNTz?L;mB>?*P{B* z@B0V|Eff$wUedRhi0=Y|^Zx59$8|o(Y#?T7%l(<*O{Q-HF+~F#0kR8kRj9-&=A}p5 zl*5^xX3sG*fn>tJ6vEw)Fcf%=uYz&#LWy5@BAxnuMP0U_gVs?En3VUGh%}=9atoYC zzWbco$F<~uejAKfT&W|H&WE$>e88gJ`n(ATxs&{(wObj#Pm0oG_89~!s!Jba_vDKA z#(MWzk(KtwRq+b~{{F&q%Kz?(&kzdO7KDWt$|UBnmNtL$uV7gJV=>i8 zKS9hnx4NN)9!@f{>4w_%_gC3p#vvyApVzr8{BO4kQE&|M9W9h8V_~i4_oZxREE)WP zJZhD8Ega}=f8^Lr{TqA>u^1r(;BfBir;jcN=u7P$EM_Bx6urf>TmO#(FAQQbKR9=%z;jY# zxW8rq@m4124o!9iCSN^!-mnub8Cfo(Z}T&={?-5YeofF6cu7!bZZHgX86&B0XCnz9 zqlr~5gLeMz#)mim(H4;mtS_1Tp^fHfqaIg=+^+oNjY|0cV@A4o^IJ__*x$YoG=6ksN;-2vF^{@kC9Gta+6%+ zi%ajq{w(?m-~KyJ8{7BMLfzztn!}>>&6IHsTx@SEFXyxV?}zC^9G1Ktoy4=|8*%cb z2s{M=kBH4nEJy|htoZz^{qMr{kl$XFoQTrk6$mxk>0?fxFsR*%1mP$GgHdV&|9ow? z8}sixOOfq)HTs7<)NdcC2{SvMiTnJ*s#bnY8$~zxmlz~u`}fIVByV=>9`^|_=5-CP zGk_FBgZ4Egp>OXLqC+@bfRHphFP(6P>%4 z{taxy6y-iK>OS5I3g*Di(R3{Ddr$aM;wkGMV<|}n2ry7)a zdn4!>0?r(ZFC7e4vY4s(tsmw^3F6_5I02C|#FFW|~hJ@iirUJCD8bUGWb^Ry+ z6cm@2mm%T}3;ClF|4!fd?JXf(uQw}q?Mm+4t;)1L`X7N$Q7hbc0?{xQe>~Q+#P7Vx z#N=M+cGIn?ZD|lrcA6?>WtEjl>vgq35C7ls4!{NQ)=oYokQ?F{%j6wqjIplk-x z=XQAGRJo$JRqlxL=c)a;=^)s2h`a2Ythv!hD`<5_usPLEar)J5zeQorp1s5G_=o=E zJ){HSw-lp&qu45D>g}REH{V3)>ZbVG;+ZW`BL5Z7J@4;5A#&q68ia3m_hZu0G?9OK z5$aicHHsqpeIWkxBC|i7kyI>r@Jkp%???_Aw&qMr z%4{#sY~oc9>kWbIx_@+OqYEK}-y<%A#|izCECKQfUGqH@c)rY3i~CLp=1#k!E+=$B zN=2+@pw|{T^1HYgBW+YDu*w- zqK6x+!E2YnpF+T34I>%7rn6U`qWe}>4WsoA^1H_{C%J3(`*o+Pn3(s+Cnt~*6`PMY zR*uTzeX(uCj_>{oP?k)?Xzkm32v6QehCQ~nffPSJ>}yoVsSdii zDt;8vZLfExN5JT#W@m_i%x!SiWE_{faK|S6He@|8G>KNB+FKX1Cv}}JRMO8E+Ze=Xa_*usGF4CHS$Y2Gdyu7DgVa(aV&>{H>m5-;YvU+hd|Ler zQzS|5j6V2$g~_?OqT>DBVlt^=S6_WoT3sm}xAN6ldFU?!Bt+XCJlVtv39BdjqlPqU zqN5}urM>sKj3}rI_g~%ls5lU`Gd%F{#f_B{rreTlH6O=~IX4MGXo;FHg=Y-QoqSYY z*3P{Bw4N)z>M~UEse8r+WhMq$KFNhvdy96iJCkUy)8Y9ok7+@H$gce)r~ z3_>NVxXu9#$E$Kx10nrGj)Ef%*aG5)hPCz6v{^=@4VWMWo-9hLkwM2u&C0Xt5cqoh zNJpK4KI1CxE@E;i8Cd@*xFlDNSH9iHMwQBf9J8bg^Lu=JanYH!UBZ#($Ses4*8WkR$!$*VUxAK9T9AJ> zV0sa=<020?T+e%)-!%KMq4M(3URhsfT+tO)ca8GcjrjvZX%BC1h=`^kA0n-%vHN|2 zwLc4vaenHk)5~hygM%wLFc5>-ir9NTBX4v}A?b+EbR~!%7}~!Lc^BmKAPCu=r>z_Q z`%4p=Si4xDVrt%eaS`Ok?B1vX-IeO~V zIX%5~V5DT(B>Fl}mZ3R2e&U%O0YRo?2Y8)l&qbzcH{)JTPO7U9@(f0Oj*R`<>s5x1 z&dQEq3s)QKyBQ0ti%ajH54~t_Gcc}v(8AVo2FK^H;dY+*JR@jWFK+qot5_{Kq?Xr5 z{eh`Yx_Z*s)LP3;d!PJ!x)DeCi^E=ZJuk=-iq%+YuQt+CwrGK`s2*sUO6rZsh)vq- z3Jc~g+&ukh=|(#|tgK?R%UxON;IzGVyrzrHL_r_EB6rDzwXd0!pimc|uFO5}C7wZm ztV2*6;fkMNk;yG0=?=(5UGF%gqseN7tz$yYfB#2}F z=yHS|G@`~*BoFS8`rP(6dlt<7x&s$!a?vfd_Hpm~b69LN{Ikl(-24I8egSD8W(T zv(1S&zAuaV$4c-ao_c?($lv{9V!aKOHa+S~u%v| zFVo>=M9B3To}nc7zvI6T!e_v<&&^%av}PUN3F-kPIsCRcWio0p<;_f^%Og`Sd%Xk47F9P&*OT~GHzx3f=BxBbqSDp2rQeqeO5r#g#qZE+o{4BP&fE#}Se-iENd zWoZGj!D-e9PmZed9wUnTQ;*$aufDH^JA&?dBPgUzAXYEP7(;e&^9%SPUwqfgQ?W}H zXKUF?h>mHLD(ZNBtRa}0M!lVVaf-rw&p{@LCP+4=_x#gp$Z3xouwJF?`%(>2@7zD5 zSg)&3=Sf&8fHp;b>F?22y>O={A>Q5QARDBUtE;Ezrk^Y`oVNjRYlgbrDxMq_*M4R% zm+2CL!QX4#AeH!(&R0SKO*P=zZ6{U*YZ!bT3ZE>6k%Y|mqa3{uGjjRphf4uEv)?BV zzh+W>4~nI)xm}n07x8zNUtZf=_SZ^Q`I;KOC2ro8;R)7xF)lN~#4%_|rX`Q$wsUXy z-C~Kpd`bL)x3$URf@0I^Mv)bX5_%7F~upPuFdba3nxYxLmra!># zeKR_!c$0xPOUB9G*( zZ9k>}@Dplzc}2j!wTu+Eh}X;$D~gm;lNEpKnJ3B9IQhOq{#brujJ#aXW@~S_CFR$q z82D9SvOlQ4T7A5X>-#`ow_XvOud>jnr+{VTJAZ}1NICz>9JQ_bz8pmFFs5GA6bwqL ztu3(#-c*2M&kUundCLFV-*J;x5586n7{t!J$ZTiWGNucb8xR65PL> zbAIRlo}2F~x!7y3J+o|Po@dQ)on>Ys4*58qK8zcJ99_UUSQt zo>2gvRc|@{P6|04+16NO0fIGIoU-t@W$Rikpw!J`+&`s}Mfa(NPfvyVG%LadL6TeA zCVHh~y7-uuQlOjXd%BjZEYAZW|LyJsB2vOALwlKmspb>**gpx2EN6)a?3{*|CZoEn zk(ApTu%Ae@ujM}BmNX#+69IvP%yrgtf&DQOcl!^NIG}`8HyID}i=+)chyC@I(+}Lt zASJzqEqjjY@AGv>ETPP*#P07oMIA^Gr8|001eqhEC_-+)0eac7E&g!stNZ}TqdCxZ{d2Gr! zOrqt)Cvi_wpMa+)PsuynzmiF+CehcwzyKTW}4;^^G(sXd- zVe$RU!MDML6J;#>Ad4QxQ%@{jjnyZVTHYg^2D`rDsoIGWWJmNnz*t?F9Bjs`_q^L8 zby^;!RZj0YKaaRQHVEW<*)^hNeGX0;li&bb0ER0V6LU@_x*zdxZ8BGvZUkAZk8gqg zQ~}ve-3Ol+!+}I9Cno*JMw4{_(Q-|cru$GuUl_8Q#dz0O293M5E%hbEIAD5{IFMr@pTnf-&mb zAesYZ*DR+HvJWX7&y2}4RL>*1yVzvhr;Xj2E3FY|3p{rKa<{ECaf2)Bd8}uD1fj%n ze4q&{LQA+iszh0wyWu2zlP-X;!VQbi3y;l`dMdh_6tE)`Ft>p9rY_wN;hxx26y#ZR z=RBpyG!858NA&O6~#D0afU6* z-DCPjNZ*rLu=%FmQ(*{t?Y_kl6Hemmdh=!cHlZ{=Xz?5>{0Qid>{wThny-eY_TN7 zj;g(^vzw`s2CVsRk-+B5tr`caU!xPJ8{MsQ;?s4;94J^6J0V*%Z`l+r=YNZT6)eA` zgyB-Pvu$uqw}a=deBNF{3qKqqb&;QKHTekDIuH4d|9+gp-`g%<%T9f82ZzP2o9r;6 zv^!vqzxU><_K+!>00#AEIc$cs2y@zAxl@O(OWux}*I_~jY}j_4+EHqDvcc#5Ri4Ky zYr*r-KI^e!&4&liay{-o65GSj-kh)4AXDzT(%MrNyV6;|RE5a=Hx3 z1c%P<9Bi42h?)twjUA49`=iy{dO2@z8r8L)dc$0t1#0~%{g7kxZE0%wnneD+Hh&`7 zPzT_0K3?v`O&(`w+pRYn;I!Xdo^*}Zxh7bSf#(FdWffkcnxaxPB+#QEY0Nhe82(BC zo9T!i+{rHZR1&$kH+mLW= za^FS{-D5gwItN6ws4uQNh8p-l6QfKXm@Z(BUm9ULwK%F6DNE(;jTAa*1 z{vmWn%Z}b0_KHUtFOjAQk3ukmQ9Tu#P&^=iM^ESWim@Bzk}2l+%CTs3szQ8CZ(+Z) z$gQ8ZBnS;+8XQoK%`($@KBFfwHl~1u!B}WJ>DE$_~lj~G=KM}^VhbR z^Cn*{c^%Jw$UXUdP4oIuGqX_r!3&*nY6=}QYUg4h0TsfVbXtM11l!|^Me-anz*F0oVSnP~y;Ud2c$ z0=L-8`xB!h{G$YC7&!RpqlLqyr)#pY9LMAe?Kk3GOV5<9*K?o;(`b_M>2fr95enHq z2$-jE)QQM>;}7Feqr;VR^QvN1HWa&#i!4#AEZrnCA_0XAU+tskSC*X-opjT<% ziA^OAxSUVoq_j36l+E3XGxcccqraS46(N8;t_Bs1_wKp6NkzA+2gxOkZkP_Zv80b!=r@A?$#Q~WnC&-?=7f_D4FQqVppf5 z=7=PoTgTrfB{?(V^)R@XgF)r}myYRGiirmsN@I2Sq}FN!Du>u0jBGFKxA)vWUT29{ znWKLIBUx>p2MyQ1J~J1|jq3U*+;&wq<*VoC6OrJI?cWe?%|VFYJ$vTlu4L!ghC4!e zl~Wi7X6j#%mgg^Mk30GHeSJd1i(5Dt-FW}x8{!(VUGxp}F9G_MdzR}L>)mLof(M{| z+v%$!-*N4OT+PUqNAoG2z3KpL9cg-;x7qWHtn~ECI-i^$t<+3Rh(s7uCJdE|Tsk7^ z$|`6e$M`4L?Wiv_M#c_LL^q9S`6Zi3@fRIt(u=ujIk65;87em|&`)T$u8l#TMJ3Z8 zmMFTBSGByyPjkffT2`f7A3vdx%~R9&PEZLNi(KGRABqd5d~zgb1jLJQvxPPz^J^T7 zOFw)!Qq0ohyekzbit|EGo*9b16`-Kx&0a{@#}?y7pu~8*U*f_m`^36z!s z-H9lhW`QqT^&J%FGqi9f{Sh$77B}kvn2*9zLRW{5@=oIbghu&YND=J3!Enx5g zn*tG^8&e~U!?F&-kqqU+sbtIYH?@TTXOIv3hXjQ{_uvELHfGwP=sHK88uft#1_wkL zs(3s+VnV{92L(d41Dr2E<50vMmwHwYadxu=I)BG?>~0<+G_Si8#%;_c>!=U+I$e^2 zBK-G&{d8=W(%rJF8txW-QWqzSR{M%7)FOPyDis-Zj_c;B3s)lR5Pi7od!b-M8x8-}{lEWMq) zk5hep^D!kU4_GMQ{(F_lBJd`CN+$v)`FO97A7P2pedPFY+~T@@P=jZ;Qj_?sawQeM zTM}%&ySr4gMor*nvM#;Ko z*Yn_ca*s^5a*ZG5&xw0s$KS84C*|Dz@zRD_{G~2re1Z1^@RU%oqLAoWvlP9h_k7al z=;wVO4zA%*MYt`ec;CVTC^}j{Fz~S^1D3`~7ZMN;n7wwAvbo+8m-BQ);byp!gs@Ok zQ%8jVCCViBk=6Nw`0bRKKC~mST~Qo*mvDHy_DtQ_@Ydu7ezFt)>4JQQPj`R7m~3JGYZpN{uhI`k#Eh1bkz zar@sdP7haO_ZZwO6;@D(ZWuRu@Vn`S(*BnVAo0iFwDI9eWToIuI?D40;2!4wm!ycT zoDHKN_szvkrRm~1?e*dIG8c!!R!H_XKFOF9cq<*IckXZfPceUSi3kA&U5Zs$7(&;y z`Gn(@Rbuni4T5R|gO3I%hkR_Qj1QI7Oha?Klod4)3TWs#M495JYSc?izh3O={h8XB z#G0G`CXh6IPTxL(X@0(DU!9}GV6(*6ZFulydj*uv*FdT4!iPt%V(Kh``#Rf%zUub9 zPKsP~Q~E*cBVeYJjcS{lbdvU1X4TO6;nF#PjKJRR6XCw?>B<7cZ^R_Pd)i~?D4iHSVHA4NuQ9<3e zFq7Lm)e~(_P*Iyvo^1)gvMr8u3-b8s_wkV4^Az^G+d>8O)DuP{$(%RS_Ha)QZY{F> z%Uaaf2y1Gw#6oTpkuH5Vk&)dwWjY|2-Vz>RDqU@RLm_4aPavE|AFtH59FV;2B~>J6 zXZXO^vMO|;Khf|@+QIM!b7hX)%65HJD{QNjA!oBdY6j})g6P3>Wj1v0+RTGhD0@7f z5+h73v~7Ove?!p%6NS3%f5$rM?L^7I<_4n`g+BS2d-|G@4Y-$=aVSwg_GPo^abW%N zr|}&ETjlYaqKFOJy6kVNRtXxuuYCwk9x}}?-u>mpX(_N(;dnTkk2Btiw|iH&m(1X( zWf-iW6yE!?Urg+zr9-D90P=ETo>_m)V1tk*y6s1ESqjt|Y039ir&)^7SPQwWxOOGw zgf(w|3=S9kn_bv?#cHq1lUp)4YOVAUN5zdEaHN04V;ixy{Q=Smuuvi%8$GZJeXo*u z@Hk4lJU?H1eC#26(;knacMzeXqkJ(x##p}t~kMf4eD zWa*x%!ff2Qz|JCV*>@FUX@WbHQdTRmL@v%tUbI1i5vJ*sl%HQX0Z860jKFc=4T^U# z65yz4rjW(o|?da!z*)Wi)N|S!uXIU z;_MFzW3n+-XhEu@>2R8iPEtakD93w``Yf8m79#Rw+0)pGTY84zuC`&O=m$Q(z7|r< z$x1Io%oF9E{V=24ME}<_1Z^r0u@C{T@BCve;{9t7*Gj=297LU$b<#q7Pwb;&bMTga ze;mb^t^n3igSLPMrQ_P;PxQukp%)iNcPAY87w6cZgG?z3w@JpeKmF7iIU@H{VERdOhq+^FPK zZ!d6*T+Jf-a`j0X@a0=TY)1~eiv_LW z<*H3}-SUP?B6b-?$!x|u{MLj~fg%A4GP_6QJG5${dQYz=Q&uL4 zog$e6XA>@xnw|T$cg3)V4$U3!CE3=Hk~vL%#=Kn*6JCTp46kH7P>;?datB@kCuPep zhNFr{pBNxpdwVRDz%fYXa2S*Aep{CcGm1lp{MOT_xyVkyZZusih(SgvHx_(10@8_6 zB#O$s_4fH#CK=8Tu^*1aHZK$1-6Q4neE3+#_8wbYD;l#*MFyB%Y#iTC}sO(=~TPO_o+~UH*X>cAGjjIy5SQ@Z?v$d&+RPW=|Up z{4K!|F-NEmAx-*5F>1jr)aDa{kKG&j-peb5$QOM$lC;|$kY&}lTfM@fEfd%GP_I>^ zk|q7QW4*U6r$5Q~#+YXXdIgn$r*{_fBG`(+0}!Dl^S!|`7N(ZQc8>xw?b{Q!YLE$g zC;Z5LwOZ$no1Z|8M;erRh(!6M)49`FU%nYPr}iaaD!90dw5^hCrxjrp19>%hj%Rov zHZi|jVwCUv`kF;=tVj1t`&3|D+-GAd&DoC}8Obiazlp)u1=^*O6?0#Ix{xGWXRcXF^A2PaSgyIcIDV6RFDF3NN z*zh=XFMYLuET=5<2xd()lKi67n86G zj-W$sLcI6O;WIMuLQ?8M2lMb$Cm*BeW+Ws!wSQbq8o!I;lGFYJD#WQQ{WxsQje{c? zc3#MVp3I6Y1S!{V{jq~-RJV`b3R>~N@^_!%Pwj`FzkV*IwVB;I`d%(?;VZ_eVW zIPS~)!$%)W5#3c$JFaQRL<14l{B=mYezWgy)*~)@H`#Ee1H04A;61l|k;6;u$LM>& zwSO+QAGx6WR}d2(%M9>W$R!Eil4q&7c5ExJToAT0N_ z)ZmGEBVFemH~ky@Vz+pho12TxkEOEu`~2AIsyHXt>x7f64elxYkuEJH!RNbwM^CUz z3WZ(Y4}iqe-o*&a35l#3*kWmcB{dwBq}7gbKw z+R6lsQlG;ZdH6q{Q5NAP;S+Bfy=qY3dB;hs?V&SdjK5&{7Nx<+zh|lbxPCX|QtDrF z{70PMoB_;+#9{!ZpxjR{Hqo*fnsZ1R4>tw&3j~%{9~H8p6dYTK+FvDw_PfQbbSBmyd7raP);`Zh_dUH`Tkr89s8~)DpXx)36`sW6%4S5EPoGB;o5k1UaO0`8nn^_m;A_Kdii5S)NTbg9?%T*O{r;;Z z`%iOL4>vu}y?Bf3K(M%j0UyJE1%R9UF+cDaG^6I~lYWO$7}d;L(Zw<0_2m1ttW}1a zl#NxE?=Z!YeCj;x1z(>YOuNV5JRz4umgim-|BCwW2mPRR`h^;;_ocQ> zzVH0SM*sPVg!X4PW`&+)nP#+c+$W$Ik5#VS#OUG7<`&@Yl=Y1EA1M+(;bZ?a`TH(+ zeo>Fj;9U?(3sZMK7Yo+^zUjB%YsSzrFBAjb{Ro@tH0H+zqn|1J8QlNBPuZ`*t8ngJ zLyT7%%KGiBOaA-eA5drQ5Y*5YPM$k_*TpZ;%k@#2H9vI#Q_tFA%Ks?k1F8nqzk0-W zh-q?jV4JOkcpIM{sB&lk^NvY+WQG2{m;5WbA&W4V@Z){YT&-RuR{;TQV5(6l4$b%V z*0NDg>&pM>)a+lK?yh%`wXfJ!5`r-)T-!tz3WxUombHfc^B8>IqXsY$_VBeBEJZAx zI_0Y6*~J&zO`N#q&zDS<%xRbNY5dSE{sweZZ*WA;QjYq&e(031RyJwFqg}zb=crqO z43GrP71>>$6wNT%FGBLk@r5do%f^aWyqGK1%f9`Bgg*#HuHZnJAd4pgAxbv9Br(nU z!n(nL{48A17h%j6N$ZWd*kfHl*162$M?2gb{0_n!HmJevj*~$01ye)8XC5=W?b=)2 zttiQ@BDF`>ts=(jVhLf);@T&-2&H_bEmJR${%YOu{NlFZul5yk0V!d+=nxF$Nh{ux z@%lru4f2kc*!_JFATkvUd>HH7Hfc{?ycG8(1bn!E)b~$%7EGhLLUBp&(HmYB#0VhslRG;*esH2=uM=5sr7&I>fiRg@&c4= z_Uj#{u~D$&KTPvJkHjeu?x4jHh5)RE&3BA0_x!h7tXgPu7`^(pG@P{$Z(mwO5dFoU zqg;LxrRHZPK-ry*bcFF;62kqvDqEH41P>p{^h6AwWn%H0s_a@b;d%M}n3s1+@WA_v zkzOyGciR=BP3dkT06HSi3Ku$b&L>_?XRTmuseb=dQ)bZ3L`;=G z#0N@L`ST$Y-uxoRbZ@{sgzSNTqUI&tl%2znDaVvqY~Y#gEVbXF39K-50eb{1;NKZ` z|K+h5_hKUiJJSsqZVI|@ksU|wB&>SWfESwt8#GJ}J|#XLlRbDuPh7Owwd(VCuxoKC}y>PK5#=4D#2~ZyS$+hRKq`ot4S>yeoU{aJRp3kmer}hXC zN)})=w_}9L1g$HD4QUkKvOMD4Fq@y8R)%B!VxKTCpJ5bvjs;j7+3?CoC-!!Xqn{4fvqAJo|M^B-YQilODSQ?W!=i;T z!wiPFw}S$RW`23?uciSOm_vS`^(jV()7^-A=)ddlc9ha5_*VMy0cB@W0te-5NfkPmJ-K{Lw`%-vcvcXu?WxIa!cnOU6;DSbCF0 zDpe6IC-QBliB?6cvqcz(0~bmPrdj_vX8w}A{rJtf{#cI-O4Y;WUShoqUZ@5dX@5Lw-r0&g6DCU9s=SFcVB( zhe_qPAyThK9DR&xmRJm=s!f2DuiWrj&i4O|7x+)EG%ogx6&F`+sTM=E+Ot*!5nFnT zCL`LeoEF{dxljzNv!jTMhLvi+3&^*_ARgU+ET2jx1QX0Zab17Z#=k`n5zNq{8zyt- zs%Z`<{w9AtCW)1A*oe6T&e>_bX}7V=;gS8Pr48Hbny*2I61O&%`E=tK|6$r~XG+dt3ofx@6n(>tyFj`Ccb!O}2J1XN7h7 ztIltp2|}DWN_Obi2UcXNQ(Ac_(`Nsp-xO3cv;D6(@{z{olCQn=K}eC2lf3o_>FL^7 zfy)U!{`3_n+eYUBBy&=4}tIcB*nO;i+nIRVohe-m3Z{uu?@ zfZuc<8q6w3Rp9`Ma$*Vkec1_F*&74dx9{Ko{oVaKS+8=J=|U~zf4*2nz@S%wm>*2Ti0ZQf6o?L%yr|Itfj=cVNspb{Ib#T4wUEdyf5erz7V~A5)ae z9&u3-mmb+ysw!lx{ZI4^K5aKMsK0*a**eo}5@r8g$dw6l?49X($_Ug=%u*#632$&? z&Ws^7T}eiU1&y1dh9Q_z)yOek`fTG=9xtBOuBxwp`9~37$R{FJlGkE&*ecvv-{f0d zTFs*Eo92k344iK*B-m=rrmAs1?$YQle2&~=UM8*u{Aa8KY$HEOYht?dNfgzewzwe~i_Lh51BOq(n z47>w20+b6w2w>5gzJ9IG$)B5+1aEI23~KfITlH64eJ8Ei$fGL;!id69Wo2I6NHowVI_O*>DH*I4eg^&tjbD2YOF519>IO^!*Dw#;z(_gYmVTdLy zI>ldXWLrZ1OU^zTI^+C=W61bH4gZuFjG;(2=5@_YoGoK?2A@>gwnwCI~GruZk6 z{z<*qbYTY=SV70*FojW+Ev5>A*qERYyd`=Pq^CayR10mQSPClxhigsaZ+wOiIk-4| z>E-06@R5q|c8yq`u0QlVtoaN{%pcbMvD#A0rsN~4Qc$B(P8ka?9#J>7-k5wypn+7K zX+bNR=z30%U59S|E{4dsKXq26*L&6alqs|~&LzoI&c%G9TH>fpDJ(MVhvoUa742rsu9++Z=<|=_?ABIV(s2^fl;x9-ck>Qt}#HK-9jMQi8GUSIm5;}sT`=-nG>9wDfYhxvL&wLul&t5t3O z4XnFIDQZpgOT0l)F+4HLRCE|9V-*3<8%w1%67O%dO4Ixdnw`ZZMQE*<)8Z1`@4L2I znF1FPuw)SokO$F}oH?*vX~jD#Gu++XX+xCJ1M4?;T|Yh_Xz)c_Ft3ZXmz+rLq6)XR zPTcWz4z>KjwYnIT&A2UdD&e{HCjHvv5PQC4QqTNUvS6(biD*|_sxDpQ{EMb39Zk>d zaN5V|d@AsM^x~ps$pHFcTctO?W-xZx;d8+a6NDR38lLnDVw)+ zWOA?-+LJv2k66<(NPRR}wBu5c_J&c^&F8Cl$88x=GUEp4Q_@W6|J@fW)BLwcXauT8Npb^2^@7=b-7_O z5dhxOyia5CBxwZ@j=pNCmxapxn%kne4a7AiX%p^m717Y;_eIa%1@D>21XaZyll?33 z*%^YWZOJAQ z-Otf_=+vm)Y;PjWda5&y{BR)cJzq+UEkP~oL|pT0!(FlmG^K-z=mQ^H#y3=<42t0l zh1T4Gh);`kUMPqIiqx~UalO1Pa%4+ki|4dQbyfj69fT|V4qG*;{WHA1ozqKWIbaJTu5$ddTrKbV}gh;!?ep+mZlpr=U7(Q3-ZzhfqGgs=uiJ~_jnwQmYRk5;&a;K8moqUDW=PLN-O{L?G{plpX55eep-#KQIm z8iOj^zIai8-02FexQ*%Xv?0{lclOed50nj#YvV!e(SM|EUJIP` zGO-LE3#sMeTKwaJz|FY)D@MOZde*xKVtvQjl(aoIl#5Kz!OhomEo#LQiq0VHm;4R*TIK zNIMMCy=$()2X{G>MXCmwA;e@{UNeI#QHG}G$6W|T(wH(vLT$Ztq1+-8Z{MEp-L@Od zc0f7r*OnsB#J!`8Vg;>LCqNbcr#ruD3Q(PQImE6ENbaqhPRC`eDulZOvHXh_!uB7p z!0rx57a|^Yj$a*k1U)UM?8g7j6$Hd(C<(`LaN408rVB^-T%h=h@UG5)8Jl@r#-3aj zM+@nTHy8fmd)tcnOi1je5en4qk*4@1OBeISEVlUx-&~VQFG%03ar!bnX%Up)1&xzu z)Ovt1;XNUUF3*AEUi8M6vjllCuD^rx^yxAD(iR9B@2BCI@zuk<(NFCKquv z;83mdS19YhI-k~As$&3^0t%*xRJd8qQI(e6dOi1FHFUlJPTd- zMFG$~p*9}H%S--(MRJ+)E1kBawGqVgVMb!W#13@+^KJwCA+g%{*@?J>b65e{9RyEI zka(0iZuN`twY4)@_AJ^t{f#F{%?LlI>GVvma_r7tn&*+%@1>3%kJ+o`YD);5Eah$~ zTNRt;jL8k0PaTc&iAcCFON0B@t}HZoiEppwF>#LW6@A|_GqtU+cL!5siGI3)XMZ@HvRXC{}sO%NTLdAP51vG}{_jR(XyiD^QqG3Uw z8@bOl#ihTrOC61VY~{fupzU|QaKZb_){6py3hdynQ<)Dl_bNwj9RgJAD!^kA6&vSA z>`lSqUWlf+MwZgfJnKUEIcLX!I%73!zi%DUyw!COekb;RbOS=$0WxG&vr?64s z>5|di`49fYY)Hgf=Gd*ATy#uCu`z2Z5y3#{H?%>A$5(z1Z&i!r>L9{_6cs^&O%DwF zFF#dgXYA9GV4RGA0&F%1-3LBlR|C)5KPY%bRmStP(1X$R=(jm?kF$(O-a@i(<4m;8 zL_QnR8L>AP$$4&Ei(t9EVk!9WUoHSD9e9(k2>4U^aYQs7`vrMOF41Y>({daoykPb* z47L_SOw1iuIYgt4YVRngMZ--li;^7XSkM|eT2a=ZGYOROkJ@kVOSQd~;r?L|B+ znKRwFp^11zB*X(ABNp3$of#2d$&Vd=b!i)95Td8WF|xHgR!7Hg+;>Y9b8J;|L9_u! z5^#cas!&%wlese7#$(ka{XHF~_Uq&)!#93}?Y^c-Y$t(g3Q=Ukms9hSqkTiSYVbys zF+|g-l{fBD3WHLAybAtr7smp{XPcCESlyi>wb|>n5)HZK^8GTL{zOfwtGyqGgylnTB3(lFCUT?Xj1Eq zjmM2!wXO1Pz~gB!@XSS)>@;Kh&&xvG-KG<^sRK7Qblg3GLCj;^^%VoiUwZ(>=qYwx z_{WO(`bgHooW*Ro)#LGkR<>w9dDL(YoV9>Q%p11*cPcuEC`9YKfw_Fhtxv#O;$PJ` zZbqoRS^|Sc_*2zJc1T4J-s(ag-_R7N2q*BJU`Lf%K^tO_PkoQWxaG-i6D=JUgSQEj zdeOjkp1RBRX4R;UM=0Z7Uo~$kbjsXBz}t;vCRwn@eZT*U%gg!4XYH)+{uvwJHK||$ zMiw4Ut4jgC4*s~%HfbkYZpQ}SnrNP$n9GhfUWV)E(PQ!S2$IP^LWNw`L9}1(QT3-F zX?vKib9`(}_G#XC&OAZL+n&a+uIUt*{IW!#-AKwgL%Hrw-$TTo*LWhzPsq>>v;Q_3 z_`*6EFE|n{DlHb#u$aGzL$RNZf;~@1d?Y;#8x{bQugWOt-6e8fbQOR?^!eNm}olL z@U5J&UaVHM;vVVX5_AS>sJjW-8j5nRfheUE`idRqsw+u3Ul_HWVm}!{;rMoTp0R7W zIxKIDE);YPj9Ae{-uWofRr0qnjn@rVs(40Dzb1mff#Glc%g2m2Nq$j#JQS9N0*<f@)lY9-)|(S4E1`xn(BWc%rA{hvDCr5plSjWUjZud_<(& zkMR!Q*=e2C$a<)^tu~D;9HltPda@+*;n>=!TX8tBmNAj=>66Xu*S&S+7V=q=QNggc z{#U~L%0QgRV4`f9?%5I(PO>gEyd9=+Fr=wc)F<(1!0~1egS9Fz>aAO%1 z@ z`yH&Xet~{FQDp3Y9`;hVUOdKku($YrOgOUmjU`m&^eO$98v4jU4DER%QZM)XMx!(P zS1ovK@V4|15{hOe59>oM39ggCr2A1glPLMhHMxLZV`Zqcp(uTpkYCE-A42B=d;Xb+ z=N1Kw4sG+>^LSGh?dD8UA&>mC9xVOYDGW*$Z_g;^sMEscXd^4jA%Po`Mf_i~&|NQ^6*v`rc3<=MeJ5mAtpk9TPdQLuLI72eJ;zOw8*KAD8r7i1Q3B zAFwvbNGb2K?EzU#H>sOENWV-jbFDFA_NrLc`;cN^F-v|&?_rX&7gSGK1+POCHaRQ| zs@Cc-&BpH8w@W2@1`Rvi&Cz}_7dVAfD5Cj9{$iYg9y;-_=^|aMfhni|T8cYVqM0UY zCH@XKzV(B=YZpA~Q@?TF+l)1mW&SJ>J+W zE1(eZJG&yoy*N<1g7Y*8G+8qPYMx_OSMv!R+pfeU>7|?=%NCaM9L8uoT=y%MhJL}7 zASlF9qKzJxE|OZxh~o=gMz0NOo^JcbI{&=!5`VZ3XQMa3Z=hH+O<;J%6Pyb6wso|4 z@+4-%bIJb%H5+(mkS+k3DdC0Us$@Gd1;z`95xZEF^X)(Iy7wp^OlWfg1+G zrg%!6+20w6rmO2Rp*{*DX!%<6y2QVU**CFGd=>`p&V5t)RBwv1eB82aw?VN|H1=&{ zlXpF^M8Xf&_X2%V>6qS`2OV5=iVkZv5#siQ1!Ei5MlXN<+{$J5>b|2C{Y+s)2|{0S z?#^7iPbT#U&(LVE$8Qdvuh3q#ooX^iRGlMl*g-m}+pJJt9#E*q%JjW+tH%(kS~Em&V0Q&99g z$Ul@A<1O<$hW8{5WaHh{IjDtQ)`{|1&yn!QL_S92nJu?kX$*u(`ncDgePJ70sblzR zNe!7K*5$SDgz5`dNc3vmE4!bqOJ2-ZB$d8lz=Y7)zo_~m98H$`m2E#{nfWXOBPXY8 zmGnrEG|OL+Ew!MW}a7o%`cK$ih}3ewHeq*#%g1@p6({S;6e3)|HEW1 z!$q(0HRVLn=S1o9G|{Z*9g`BUmL_pS`o*2!h4K-vEn*V`>O1?0&s7pE7!5CqI2EJ| znwp;%8|+ci-)LskSxL>@zh0~efd_DM{aiTlhlj`4P^{OALe%W>0dv(}%$Iv9b;7{! zSfN5n(5qP{b);*uv0q9T$l<)dURK+KW(4UaKn=NGR`!|m)b0@B&nxpW1{Wh)%9s!Z z%d;(Yq*-g(um+{6Z0?wG3%2hg^WsB|pFr2-C3+)h#e#8b12C(Z^2ZT(w#TL7*jmx2 zSIQL(_RICZ8ghzjCHkK)c`(T)K9m4Il7D$n7H*lonQ3rC+iRBe@%VFdZVfNb_Gy4m z$v~Z+Ow%2**fm7PZNKc15Bx!BGSn>2cb5Noq(PfIPQA+7)=qF>2yl;$ds5-+LX}nz zKkU8^S(|4SIRtW>gBN_BIo3afwSdCT#g&jLU@@;NH>^@)N? zu{*qBR2BIy6&!Z@g#?4eAZ7l+eC|7k<6PP-D}^2{B4|S+z^5}*tNR<7wjxJ)864?HiOG12)Fkw*#h;$ChX`i;0v;Ba6D`FOQH(Dwig8;`*tx(KQRaL9^ z;R_!snOugfdH?uN`kb_FH|O*lok+?fKh%_+YsrVpg^oGGZ8qA+*2 z*M>1Ze5`TNF>E8hE zOdjfIG@O1)<=g8JEj^mwdxEpzHcgOfYh6moHJTV(zNrz5dC@0!>N>BimvMfXt7?zj zPsR~2^hSMH_0lRpn_IS6NQ$`feVK98-}r^6*YGrC&%e<*(P2+5@bO2yq)`(7md#qw zw7~yiQe^?1_&MBm_$zORc8+MiHx}5hAkXDVE>6z?_?Xfuy{?+nvRDZMZ+F<|FM3ou z7%d|2dajP=wvwrwZN9jj@>_%c11xsVN#+ikd~=tmfWw2yTcal;zO8%Bb;*Z6j$C7H zX6Wnq-QZ+6<_04mK2wEIx`)z|8gTeaTXQ`zuU&5WTO)N*maO>yaOD0bAe~^MoF@DF zSHRidncTi~Eicn6^CD1zqd2kd_I*jRHXoz=nBC-L>JLcJSc4Ypxz_ae-O1GSDhdB( z*)hp%MyezZ4iELLd|>WLKCZNJ)|7_hp-TGfO%#4q}5e_Da@p9=eF*1;lg21vC9v? zua0Z{?uo|@@f&g4qFIOZ(7lb zW)}IjUnvm~s!zpV-H)^~FLcza7_$F^FDG=;VgFp=G(xD$@Qe^*#8Fa2k1eq}nVRCo z3Aohx2NA90L|AINLqgH-8a|JhNk{rN{lhl;X>KpJFR;NHPlK3PJB}i#v$JdjXkGD- z%4HD;A2pD>0-jT67`&=R6#tzHB!$%p8O2oC37ZENGB6UYy{`N}B4P(bkCGkD zw+9MOnp=RGRyapWakV}oFin+v!_0WN6KYiCdO5At=qi5}|3Bm!P7wI|gc`mEuC2W& z!P75O>(?COK~>FYSUOQd*ZPfC*(s;V-25~2>(@E8Z7&VrUAeHFa57& zBwc{Y&riN?NRix74hQ?`Dx&!B;Q4x#8O-)}^EFFROZK8_CZlgbaQ0AD+-uH?ZU>Le z9mube+wyY#J%a63>ZpIgT6H8C^^bmoLt`@Knp=B^vBhD+#5zp^S(r9=58KtkgG0=p zDl~DlN8%n4XiOY!JlYJKJS;RZ-NW$2DG}jWoZ#C*ureW-AS054AY;dH>{dIl zBM9v0!9kB0x-)j`gJzN+H8I*!d0dfP)&r2u8p6U|Ga2jPfa{~&m0u{0x-cObwZ zY7D94IPQ1}CEGvP(=1}P!{dqLYtv))gjZ`tYMJ-%M5~5kT_|_U-fuanMBt!U?vld0 zx20X?+dj0TJBMpv1cxxi7ZpNm#n~U6?1Z+oXxm%yg6B*@#2lDuz-|#a+2Ggki)hnW z&(^JZiu&sKF0(L^-qTc{%e=^f3M5;}3%(#4(V!O)dMoajc`j76db zMmx;?6M)enawvQ^ck_a1{S3H`3<#EB=!?#Z@)T{*rN+0K7@1A-+m5jZviv7 z+QZvxG^~0J8@Z`=Fuqo4Bx0BEx7gat(Hhb(Hhs;!xKubsZxV@MP>;gcQrdP%7TPhC zh>(u$7>&kBtad6i1CFaC8IBP!k(P_6!}f_Mg|U$JW$f!SA-Raj(T-HT3QEagZ55IC zhv`se;$d91zZW91rRYz*&I@5uk7A(rj!N9oAb|syz0hUGJP9|I8gMMlIV0@7*ip$0 zCe;t)r+qHkZ^6r{7!qO{8(|}DcXWW4dZ95d=*gPIKiVtni2$?qHrs%47fPvy;aO#* zT;Ug+gHM|&R1R^8%bqA{^PE+}4a(TQWCr%i=1e`zu2#9375(J@4#Xl>4O3Gp`+Y$g{sld2yvOrw)fvqVh-| z=bO}p;va>&awh+7!uDl)>+>YPa-5;GVLta=Xglf)gB9aI6~$Kdb(0PwRp^oK33uYN zDlS{E7716wchV9lc_gI3s(mE;a#un)y>64_+Y8mcp$Fc9#Q1<{iZQH-*E?vRNAfMmJ^h7v7Z0A6sj z1mT|mp#QwF6&!!xEB^7d?QZ>`VB?}6aC4Zt-E^(`?=C>@3y%use^Ww9?2T4>@mZ}R zWbn?AkL6YT+amBj&!Ph~Bo-i8to6lY_&Nu6qU%I{gg$8fcjrq$j!E1|MTHj)?%wRJ zG=fFIRZ(tD@|ODFeY*iN7rPwxozmrIx<_v)FkQ0T$MXI@3GzrvH6LvJAK#(h};j zjLVHEHmxWy3m4ui0f~*XN>E`t*_isJ~nm-62iSU87K6|r|CT3 z7^jPBzB#+xIZchEo*bWc_NA|g!-cRfKX#l#S-x3sLVvutYt{2W>_^*c9dler-a6wM z+cVFdm_+y|)8spp&v+21K~sI)&sSX4D zlMMTlBT|?bJ%;%?8|g4wsJmh9)r-ku7E;-)zV>WY6dLVo{{%jc^C3!0di(CP5b7#~;Aqc<#7pdQvw zdp+6RmDuPGoG@cQ`^$oyk{7xzj{~>vGI9%b(_jJzeSTh}?Z#6A==@^4 zuL~y3*xZi02*yK6URz5N{!uiB5|`|K*M!JZRbS5DD{7tVX5H3SEG5kv`s91ObXO3V z8g<e0y1R zI1U0nt~~L?-P(*=Kf)U!mJUOaJgIb&s89qdxq|NAh1F+M<@wp8n?eRHp2MJqs58dPs0PLsu_VD-u%=2+#>qGjADZy*KD^6cYY~ZCxROfs3ASQ}(+W z70h*Ce5Gy<-Qn_3^Jvmv*LowcBP6cAIq|-?s2hBi_SLgx&ib6_G<>`8l2YB7EE+xf zGc3~Usm#hktizkxjg=Y$oKyn0SkEKAW}ti8L|OYS*V?ut?3m==-X}^BE*?gBy1!S* z76}9&SzBC~>MUj+hrCR#A0j9^v>n~n;2bsBDEYIkE*@3P=VIAfyg_eGNlcHjMxTR= zhtJl0Ba!$Q+PrD|)kaKyA$4TeR|*%@0`7iAxV|YqHMFc>lgYdZh96M1_dIxijCEFBU*(OQ$pQNwC zkdtM?#Q_^z{n1<2TJ=Y^^#UHZ3N6kj9Y~<$vc}f8xm@OB$%V}uyOR01Z#9oBZKimf zs|t?KoxGSg4-s{Dtd2%Q=&94CgH+ZM%!lC?I{dYX3P-K%rApVT*dH7HT*^L1Xtwz4 zG|Y`Vck9(#>j$?S@|4u$12vDv?CQL$mVd;q(0Q*LeGek>YX5qjjL2h5J@A@{rWe>V z&)iBk(@pC`;LM0KG71I4zMld(6WnafAKS>xyZVM+C5Q6_m;b{BP^$Z^W^!i^+Sq?S z*5-+gFDaPxy1*DE)C;|_^qpEWZ&lT7(m%9rYCGEi3J?-tT*@ z~baDfw{}<>C|uKO|TYBbL3g+Xty1&gmM4+(`?ES;~XaUmS`L*%x3r=eA~>h>?NR z_H}d6O-X@fJg)D^(spxXuhhVcrN4J2o;Ol^qQTJ;6X~?`m_YsF+KwaHI3R!@ICp&G zsm&4WDf1`!q!{rET<+kookh}@9~MC#9Q573V3E(8a9bs8n}J1-6z*ojkC@mWKAvyg z-jvX%^JP30KjSYj-x<4l5!wa9fmbUBpP3dl*#%21f2&Ux@Ts2JYl4!pY*}>60B88U z&3K<;hdV_&oiku!oKxm-F+vo@?F~6d^rBoPO{7fXT=`96S*Y4iYsI9}eNVBR{$Oky zbfLrBiXKUl#5q%fme{~DMCJ0uonOJXEiaA(uOWv`B%eR)GV~T*wPnP(za6-JTWNA} z&XnTL9R}3K0+`ccy|X$#Uf}XUo}(%?7CzUnAV(=saWEV(ap0m6U$OXBIC%uqSAQpg zMKlBqMmiVp4hgNnym;8pGiq%8{$&YbzRd&YV{uPER+$w+Wp&KrhSSqQa@3!!nz^IH zb`IU=LJaY)C_zY!xFTah0UQ2!{p0!GUJkRzpMee!^YvDkbLip=Rj%7Z)j@NnK^dbA zz%wRO9F9UN{+5w(*zg}M_FSrtd>sfNSqnAFZXm)*iHYIMY}>u$LZwA7so=nFlIs)s z2txmYX|{d?(|nz$U`M}EkLj2LXT(W&0=SFV0|8%${74XVoYDbgFpgepaB_k}!HX4d&D%7G4(nd7VQ_sTUuzSmLl5YRe$g{7O5de#hOx@|A?S=`)=D5?bue&D zt1i!s(FH8n8G4!ay4_~~@`ea@Ubt6{wO~In@&A_ef3Mz z365@1rATzEm|~=_ff3*MX7~L*{jvFCF$2Y=kyHa$yOYenohk!Sgc@YK+WN)Qli#B5 zaYqZpq}K>&HnXy#CnO{^8clxy5e3fou)>}(vi-P}&AXc;np)bEIbzQeczT<&nn#{3 zdtcJf5wQKjp;7)nf)M8NU~|fD@yLX>o?6gv^#xk7&|95%#_PqHxX4v@st67Br|`Q* zm$MOg3_9qiJO7e{PuvUtzCMH@U*&|m&x75;`d1>O>By*;#W1I*c8BQOF&M;x(||cQsaj65)a`22jD~GJQUKIpT~fOGizexQivy+JwV`jqx**gdIA)3{i}{(7wv2 ze+E4Q`q{7h*Kta1(76Y0W6V!t9ah&??WC1zs8r6t#~Z+ld(I|MagiHf2+-XI&d!4C1Q{R}Hy~iIyC<|HV|xhip836?bPLRnw#lF_^%Mt{2^+5pp2(?Spht6I!`3y1xe^xp^s3*~UzKfQ> z;oqi78nw}A^9(e&l*2&94+u}=liGQDNekY~malSf=vAWV*r%|~HDdaYx$5hJ@mU!# zj~)}0{?p8`k9(^AmhwJdD{&Gn@Q zP|$a(Lnz0pYI&GY$dBnUqVu5cCg$y!G4oM{8S7~|!XWwH(x2P^x?))p?uzVkx{B3l|wdI%d73)xaF5%@i z6(4^U9JioKWjH+OXHwE`bFy)*8o2H~4jhFErYft8P-}CuE!`0o=w%EZYj6fD?2)Pr z7zfW%FuAe5dQ}QuAK@Rjc5F`JI}fy&;I14s5aq{ph!epX-#?vag;ezJbraAg&~}E3 zKGCRUAL4abwM8?QznN18YB^>9tZ9AT@p2vF_`MF+4bgx1F8g2F-l;*7BXS8N8=a|c zHI10YU+v!7HE0ZQ*gY`~`#w@`zj8!nbojPOa$2a;2C`Cqx5fe%?xOT{JGw7og&OyR z=DI5t`@2L|bNhA1@aw10hoHk>%DRvqh@#$;Iv+ zPh&p@@6DxjyucAGHsn}+V!Em-_-OStL;f#)&kLSl^^qJ2|9qWB_vBWJK}BADlN`~P z1+RT_SX#W|xxygcYfiMiSE<0DGBce#?%~XlsqQB1jw6J+BQ9|?C(KI^H1{Lkk2qHf zEh37i`htO~^{Cue5njP#$fhdF?MlY2I(ksybOq5lmDRmWU9q^mt=#VW%-&;Y)F-;3 z{3-Y;%r>L~U=b5mlDHR`DCF`fg*+_`Rvt~X7y6jCV0l!_afLF8Z~O#huAWz{RE%rA zv%T@Ss)K;MX~&HOq&dRixDo}}LG-~_)_dG7;JnA}yE;1b%~@mp(KXKqped(?d$Mo_ z`}?A3xQ+Rd55)A%0zSuVz8k@sznc_#({ex|6T9 z(9L8zy#?}bT*s2$2Ccc_7GwkbQ|B!cmRp>C<2%-R2gvX^=)9zK_TQfhsBgNQkjBD! zq|TQ3?O4_{zH4B-kU97jIfPX?8soo+5q@#~iXnokqSJyVan)?h?eR?A@C+JA>7d>T z-|gORb-eSgRb%W~XCqT^>$B?Q)lS<#i!cNsS{cQr4^gMsztanP(|TydfP#|g(c+6bd~OJ0T=4}r}flx zPSdkp!*3z=d_G4?$RAw-`Y_Mqd;(Uu*tnXI#&KoYcX-ZE^om$5pyN zm5Xgyz>sahh^S_)9joq>jN|bhXPlZZUOf}=bq;g+YGo+p7rm!$!3XFBu{A!BpCdFc zdMIE|6sx^Fo;|!I+VK24%Jfq+mAF7eL`r+=1hB(!@`t9=$sBwMw@^O4z;L6W^#PkX zPEBxqo_bc16VY@QLNk?&o{xX5ZZWIHDsSKQQAC~bX4-}m$~%PAx|D1$KGdso{_yC) zsSZVx-D6n5c``?ct5cGA|JJ@11sO;!!&D^NM8h2Q4d(UOm+9&bnq|GD`I*@U`Qgwd zN6Oo@Pww7#0~lQCwtz~@ZtE|5Eox%Z*fURvh{NHDDG=-(ot8l%CZ64(!0P&}6NGda zd3H;oLrRo^mjrlN#!)$%PL|}u+|<~>^VS!FKfCq%RTye;6szsIT6;Mp-0Z!ok!f1- z>FAJRzRgpR5JO9ewFI%o^!0P{yR{m-N27MU@o4>guxGyC#%NZI#e9`gB5J>D7DGt6 z`qZ=$8zQA~8y)DuWpF)Qhj20#Tj0WU8BoeCAkfuxpI%#>p2aYP8B_7eG|Yn{i65I3 z;@}4K$;63fs4%Y`;iVqsjxkesPc_a!6My8%?7c0k!O;7lhF_q0@nD?A8ir&fo3D3h zrqGP96iM>Zecw{W-dUOb&1k^cCEl9a%`@Qjrx>o8eUM%+$3A zPn@8eDwJW(=Ew?O_PvP*-So&2@e)7U{1f+{@6M`?&buF?pxOrFNvbMPqRUzL_dpS+ zb0}|)9z4Ji=^;P&{5R)B-;6Yey=bFM)o2)Kj`obWFp`ez^aDTor{D9(T#Q9$ie&%HP-RROJ0~9#1YD6wCJ!Zcpr7K@EE_;apFX}Am+@48 zD1S-H-A6Ag*wn@DQ*tG-lkV#O{Q*kt`4(l8G7VAXQ;TDExIz>UIQs)p#8)wp5mKL++*QcIN`@LE>lSbW* zd9ESyYkLF&_DJ9OppBobthUPvxb+tO%O_kv77K9TfWEP0{Zl>)OhGbwUB>`x9M((q zzQ{9Qsi%alElyVV&)O2hS_9jk*4puP-_rUuJVsIlWu<*d;(SH-*m6Axyyx#o5uU2| zUFq8_Obypr_4Dt{Z!hQPJJ(X0*kVZZXV{a!IPJ4RnBs9L_eJC`b)p0aHTSinC5KE| zG+mOXK9F?)wqwjag`BbLzn~dNv_*9pnzDLt{}omK1{==GP#80kk}r`%<>w- z9M3aV4~kBgDB8^WA$py7WqKgs09QP&eaz$S%WciCe#URwH-GvJPNINx)W2>Wf=KfKN_q#(MIZuUn-F?c<;egM@xaTx5@@=&vF=f=6dNdW-6_=ntf`$RW$L_+NudcWsGrLbF*eAK*DSZKiyymD=O z&f9tb(G3gYcZV<)BRlWmhkMmc+c%AUvVbomOomMP`EYrLn;p)9uh(+FKc0k2_^^q@~8-lpQ(>J2a7( z#kfzqSMI0}-W&J$IKGp9K>wn!^ zc-Ye5y~c|yDNE%Lk^z2Bv(Z=;9KP7cXCK5I36q9)XJ>fXcuq)6`mYBf*W8yKD@axg zK0lJm@piZ|*-9)$#v({o-#?x+fC&bXWOJGGHrRA)C>5&ngG3;z?4+on4_**Brn)mX zmb(aXn2;j^Q{Q_aqOM)$r5zCtmtM!r+Cz{YrDQIYg&G&wdWx0CnJvS;a)DvJKU(B(@k-C~LcErf!1h*T<2OG3+<#*2;A7zo28E6JzZ|>iMEtywYOrTk2jf- z0W`XXdv81YEBaGTc}*jy(|7*l`U)rlTn2=CE*$msB52?2~F$K`Tu8_&@O=H-eaAtnfuXqR& zAs>APCv?+7ekoIH19u40xp1EkN!29aO4`D|7%QXE%k8<}F6R*;~>^MO_YaK~VeB~@|lho-981z{@N#ToD!}sm)7Yo1k$>_@g z^KU*hf6Kg&$TL69n6om21NrDuvV`Su9L3Ll8EYoH!{MrY51%iSExhBdA;G_%&_VIC zsPc2Jr-wC^giM{q#?xhb5g9sisq+WP2@byr=E+h6P{Y@1_Xwv>F@iuSD^(U3)%l6O z>sI`sHHS)+@>OaHv#!bE6uV0;aDR!INr0*%duXnVCY_B1zc*;bpy&C$=TsF(i~8_( z_-ZK9c!~+Q8>fDzoFUaH+4@)-(mAt@<|uS=7`jMRH01~vhSPtX*eBXKYd@y zalsW0&|ba%D+8@1DXrTMru&Yed*VrY)LKs@(_zM5Nv!f>oInEc88tkYxwQ*D2t3Z} z&~$P(+FiXGNVMCIhEJzkPG>6_Zpu^_E1hQxHPzI0Bx~ky>0^ z6DN4-mu(_@wpx`YL-x3{<)6o`^&zao75Jpd!|#N0?dx*Vc`Kuftve{9wGCq2P=fmF znEF~ru*@~`xEscZKsmw$xQSBqh^~s1ERRwmXCO<%zxP~*c zKzzj^ov%8}0Fm!!Q(M*w(u@k@cGs*dp82>rWL`YsPmfcdUY+u(Vl`M#FD8ehCMey* z?cD}6?`g*5tRX6-P1Pz6)k})mvD86w6CzkyIMANvcAD^+yCx2whrmeM?CxRcOQZMV z4^p+eh3C%5Q>Jb^GtTy+Ojn<@dTFqEx7+MH`)$z9>`0>6YXW|!OqU5%xt0i|zk;v>6w3O6IgNk0P9^%e)MUU2^FolqTKV2Xjfu>qtR5V4dDDRZwu7Y9 zRR14maAz=G3?-=2oTqGkugbNNmjb%KaIXi4gL_Fk?JXS{Z2;|!nEpif*Y?Kcp)b8I z|Azg#nK`jkNq3h-JU44TYiL)^K2IYWO17e_@lCfDu={8D-hiP{1TJ4It4U|AyRw}b z($U6yfSSMTL!)ww090rqQThxc_Y%si`)jdhFIJKIz6@0sM^ESbhW&PAFw0m*&xl&bT+i|-7<32D8SnDii z9nn9=^c|Aj)p#^y#*$7{EHD^gd=|0z9Fr7V@X0qol43oD2JLnhlOG-)G|=12P9PK0 zK@_V+q1nosGKPY7fzYwOXLNljf<+KCF^LjM0{zyhP)d+KaC~4vm=}SKeB?R z-an@X#k>#uF`C6gk{_Ogm>VAki;JI)yA4;lEoq#Z!6u4RObDs>%$z)>l{GHrXMb;3 zP{2HO=6%X(pqS5;hGY+&eeKNG={{8RW~9=Ydw~nk;sSw}Cq0f%MhF5DXm$ch*9y|T zuI#}(gf&Bmd%1O37n+KX8TZ4rk4R}3s=O&(Lei~9do3F(Dt6};_wW`zDt<(G3suzy z31pze`u1*6OZe81H?|XOK>wkARYTv;$UQfH?j=oBER3%B?_ZB~mq(;~4{GhjEEBmG z&BiHukbw=IU5~2kY%>T#_7#0p{`h|R&dE`osGn8edQ=Ed@b~47T4U)oS+f;sV6QzQy8EE$ zHtp@?T9F`LUP5L{ex>t}C0RfLNC4a|DSeA(uZz7SH#-707HMk6{$-R^A@^?c$`GC$AEY{BFZ~vIDr?@T-&mrEP?C z_LGC*bwgb1gOdOK^f#+zC+Lr8FZkl#3<^v!sTE}+_?M#c4kd<}{_YR41$@ydNe8|i zkih+*@qcdjJpj-I^S^!qK`k)+PjoUa-Ty}_5BxPb!jQlp&FkNSuM=>ev0u%C^?3hC z*#G_-pmF-gI{?1$jaFM<3)}#6wYae(`g(j42G#ZH(7!(RfBpR2aFBIfn{|-%pzv60 z2-Dc?UCY(v^hY8b?5~jeU6o#QeE@Ajb_+uB?$mI2J?f&)nRb0A>+R6earF)9*5f7h zO%-qQ@mnwT&Z#~)a5E3PZH2l?h^^=HB+1~~nXGAT)yAkf`uM~uE^%Cm5&;IvS1OTP z*ufYR>Fx=5v_y}`{ymQnU&x*$zRMjwwS9Q2Xm}ZWylB5e8{+Z_$-8-?ZaVQ;yNmU7Uh^gjRUE_# zH6GL)e0#r|mA6?@y-!qaJ{SNf!<;@e%ClWK5P(xDhU|~>JxIoIxw~@(G$s5yDxTQC zxjhl~kEUe_%+F)X+tmN?S$v}``Q5a{TKrG~O>_pH%+yoK7F&7*>Erfwbp$x%yfPVgR>wWN@v- zKaMQo5!hTA>?D}|$>q*eyz3kp5yGF+XYzfcAb7-}bq@5n32~ z&NrC)+_vLMQ?JkZn6TVVwyP$rUN;neD@+lBAlp(0oTB@WLG5{gx8ZWNmTNUfhU{`Mn!5#CSQj*+X};$BOtXOxW>SF1|Nf4SdvELwX$+jggbg?H{^4OGk%tWv^GgSR?pV20 z#h>1NmH6#Lyc+>FB7>Eny02YMs@s^}QAnk4mMzTMqgdp@#hC=vd3&#)UbLrPbm>r0 zQi9X8T4s{`%ZORuLjRn?{2ZJ&Q~W%g#I4=dbgWW;NB1>i+`e?mf_^3y>>LqlZ0T4F z^88DkEl~y%1}46j?h0mH%RJ|w`7Lbm0X(-}L6a7V-d3Wm86+HwbbFrR-vvp1w=!la zgEn$mVau`tHiQh>5~U!ap<-3LD?Q8q{uS%M-_*O&AiZw8OBfaKzcQnL*mIvNAZXBn z-V`Vm5Bg_&mhzlq10W>nJV-Z5SLyo|3hie#F6jkvVWeSl&`8JMz9_3mAv#-7jG=A5 z&dh5SmQDO5(<*pT-}_SJzxDydWC>n?DI51csK@8O7O7FjgFZW{AaFX@hYszxZBYX5 z3A&72{+{ulgMU9*`KL^d!Ys6Bas#*fRCkB4>or=^%PU?3knAm87XS+DW81F*!jR-2 zQCVX;KP;#;vB)})7&z5!JUdx&BW=A2A?{t4_MYo}bmDK{&_}ck^jlL>wGXXQmwzp} z%AM|_K@Ey@cP@Jg90?vpE0{7oS(i)J^PBKN@Yy9S1;#XFU68Z_8T8$Eh(22er z;m|}ae<=XD1Xgs{2MoAxd8wPEhUGuHDf^lW&Z?Z;eM)Df z2w%K^l%sLhd;>vPCH#~Pkt~_XRCem%~;(PCl}ad&65R0fk!!m%-_Ke-Am0 zD^1UV`F2ObihJGD)0bU8em)dpTV>0g>b%2-Rxtx)HdEBlFwFM5Z{&936~IhVGox48 z-^?*vD}@qGwjxjd#$MJz(A7-AR#jUoa|^@4f&ddYL&vkhw@{Es@Mm8YB=%*;2-02@ z$Z0ss>`^G3uB;zGLRgtdaW|&2zq=c-LW1vIZ6^;OOvt8 z+EHF4N)JBWA+Pr9nla7!@}XN4N1P~&=s?q(dLdy$jMmDY4f1lOs@GHNT)UWtk!5#K zvpM-KQ=a`IV4uUaC~NBE90DOJ<-V%#FNmxa(1ajeG&mj1W}>0Wucatk$L)0+6-c*? zwjT~o2p#>!DT>zA_7g}7+HR;A4iT|fV6Ay#xzLmix}`mq$CxBlWe>w_8G7N*;|C)f zvuBrj%~5(%zRyif;E-nhj~QQl1K1*#3A-xL+BuWyN>i5O&q*`P6Tn(-WLOsiRBqs6 zxcUg0A}gDk`d<79un~t3h|#KgjoJqnK6de`ZMzf1{zBGNR-KwyJ*EOw8?Sa~Q(XGQ z`j{?^x*bCiSxM_Y=cYlUI^r9b9KTKohYrj3iq^K-BoOzd97^boOzz)5exZ>4Tgcs4 z1r_W)ZftX;1~L+`j8&RAGL8M}rnt9yqHb18>B^8so5#iUYZIkON@9?|@(S0S@gxyC zIUCqGw}UgX9r((0|G0U^1UmPVa7?LffzL|J>T5fynMXdy#^A1O6}GOzZa zgbswFOB)7^&z`yF`dq{zLy209QtiHanyfU1C7UwjqyOsO3-;~{iF-GbZ+~)0p6S8P z7Q6xV3XSQdmAdP(Yrrcy7lsDga`&DO5)?Q)h#9XiM0AuI0$%Vvow_ zm-W>)9>v2DvdPgoH|P)*#PsxC1T=H zBBOb_LK8*O5}t6aRV=~U8P1jG^8Q-uu^b7o62QrB_KeYC^MFXD%0GfvXY%^^P3CYu zU=~eXnK7A7@paF9)fUP_ZOqe+E_hW)eCnO$LWegcZlLdK*^xr=9uvF6U4hA*CjN3A zs&<{9w5jJWjY9m>dfHn?>|Z#0ln9oZVVsC*%+52;)zn0a4Is#mHjft>f|RI1YoXGA z`!0}uooHh6yU#rlw7q(qxTM`AjcK5&GxR0ago9+|&j^*qs+YPEp=3Bz7ORb zP?A=;g+0!`usc@~)01?0el)dI&nG(U?W){2TJxk)q>OcCA%nfJU+(ypxU$4~kv3*n zZ=)x-%|O&Q@|`Ag-1r_&}pT!h=;{op}%Y&{_cV? z6m+JThTYda*3x))$2AuLFE!{IHxrjDpA@d2WOA~76Tis5?~*mtcCMG~qT}N&tQX^+o8{yk{a*DgY0Q^()PS+%BP1N)Mmg!06uwTnr)9qyqM- z3|&j`wG?fg zZ(shP?65H^Q}_9cYhY9R+`wQcrFe4;*DItDjAp835Z}EObMOYm7r^~0QTO>5@KC@Z z0Y8tZS!;^O zQ?+rPJ`pREeb15_CFvWV$W|8a0(yDyE?=4@cAUrDU1>3C4^qk&E}3h;V-2<3lV6W1 zLD!2)&DAN*a|Av*r8Oi$d1+7B3`)`N4tBn5(e1Y|2FTVtA=?=fc_ppoHzzV>%JxrI zhOm_#aTsk^pKRMpmtt@x8g;xL8g`WMJvi(d-_jErF;-wN)$#Bwj^)RC{FN2C+FOo6 zrf?`ysQg5iWWD;mpe=~N@yT(q3B_OxpFA zzm54gIs|6dBK#E08fsH}mHDezTbhUHH3H6UDTeP9vP6UcJ9a6P35>5xgtCF|^qArc zS(4-1$%X+MhAAmCH_&WX_Xy9m7LQ2}sSA=48!1=tjwwC&cnum0cJ$$Lqw6;5zJz&v zHP=06m%B&O_AfY?YaOyv&xmI0iP3T`l2?&;!cqD!DMPU+Dr0LXcY7Whk1D+eXF&)T z4=81e8QBzvQ(kMXq=*APzF(vgzTj(e_=heLF_-F_^5e5Fb9;oOSdLYjzsN@%YGh4< zWrB+eVtb{N){ksQ9s>>S>L(}b?dc#APpwv3A^9+lb+{wSL;V3`D+4M4y0*4A{J;?`Bc%G+K?I zE*30VO61|&ZC0msC}UL#gd_9Y?(H|&;kJj9mOX^bO*Fdgs=JIN|F7Nn)tp1Vz;An2 zY!mJI{_V$%1x)I8S!f!qFTvfY!mr-=mFNmZGE+C3U>Id8%P%5XYX(>TY}nIs(<2G- z8PSZ2JRahsLc9@bClYP=80XbhTQ>U~w}Q>z6YH?DcrCb*?dEiVIt-HHo<#U$n{^lz zQm(4x)b|M9u%UFq+zTezildkFbWZp_P7&c7T}DncVkRONi10nDlxT>K?pry2%F)qV zc)QV3C&E{rb@pmK)hDCxs$CO6GsvAA1thzi#?|$^Hoq`#1=}NLKWOU0De_q=I>L6J zdce40$3LUOD&r~d=HW@4>fh{)hr;tmPi!XA5!Dr|bIu`1LarE&w=aeSngdYLHZTL!6bXA-oLmx!V&Odt8Z|nN2F7Y zk)t6&5f(x53xEeAT$5xk)EneCe7=9wf5ChYS5ds z*WXYoIH(5EHvtwzqd*zU$u0P-mMfOh6I>C~O86ODE;Ig^;_pa|15NO0*A5PR+%?_4 zTi}8P4a_Amr+d;ZDF3}SCrf_E7tjjTQOw@L--J@ngx58VRN z4{9mhb_xo}U?8&Kd0;2v&zYDg;CJnMIuFM=?62;Ovh{cLU(pP^Rx6SWvXw;hr0kBd zwS;`^TztkDzC0y|M@Li9(!$9jRegB^QZW1$x&MvPOrv~GWNtlNRx`=a59*f4;4Mq4 zd2RYWD~!>gBxAwMd~p|(%Z%@Rg;~$z7`8|R3GtgW>D<@1+iNKt@cAFWVBHW6d>ec` zBFQZ4Ep8(3_koF0CLzjC<*a@zUElel=*>A(5ah~3)k`%{JUv~vJw6^CFW6T$NEUfI zn%7L*Xle0x=v7d$vrk(AQZYE&h{gZJ@c2e6gU_v%p{%U5aTt4?HCL;OBAb~2X3Do- z6rw$a=P5lpyUBTFN<)<9Wb5F9BTJv1w;Y+x3quhGcChvSIu)KWmV zb_zbr80{aJ>Rtm13=6#h%C}os7!ueA^I}PYI8ASFvS}^ zXy;usJ1gbCv1z{SzX2CnL`gU<3GnprA3XSTMxRU*2G6(->iEyL8bmridUWwIDH}*O z*STGPM*Zy5e<76C;Os}3WN^G1()c#=AMhpm%YOi(6D(s?U*GkO*h~*vuRp&Q+1KYc zrbtxfMGP}Ad=A5^Fe&q==9?6lA?!o(CRk1fPAf$HU)m&?IVlV&`1SW>cXkeiWSXt? zx{zR+`i;O%z2={_o&4B7y?gwohkunLYilX$zHkY<)rj59WB1wb?Jic@qD| qJYztVk^g0_{P(;6UqyZ2-o5yhbfkH+uKor7`ywtURxa|@@BaZn09=Ov diff --git a/versioned_docs/version-v0.21.8/contributing/release_flow.drawio b/versioned_docs/version-v0.21.8/contributing/release_flow.drawio deleted file mode 100644 index 6ca6b34f..00000000 --- a/versioned_docs/version-v0.21.8/contributing/release_flow.drawio +++ /dev/null @@ -1,721 +0,0 @@ - - - - - - - - - - - -
-
-
- Review release notes -
-
-
- - - Review release notes - - - - - - - - - - - -
-
-
- projects -
-
-
- - - projects - - - - - - - - - - - -
-
-
- projects -
-
-
- - - projects - - - - - - - - - - - - -
-
-
- Organization Webhook -
-
-
- - - Organization Webhook - - - - - - - - - - - -
-
-
- projects -
-
-
- - - projects - - - - - - - - - - - - -
-
-
- - Publish release - -
-
-
- - - Publish release - - - - - - - - - - - - -
-
-
- Maintainer -
-
-
- - - Maint... - - - - - - - - - - - - - - - - - - - -
-
-
- metal-robot release handler -
-
-
- - - metal-robot release han... - - - - - - - - - - - - -
-
-
- - no - -
-
-
- - - no - - - - - - - - - - - - -
-
-
- - yes - -
-
-
- - - yes - - - - - - - - - - - -
-
-
- version in event newer than release vector version -
-
-
- - - version in event newer than... - - - - - - - - - - - -
-
-
- - do nothing - -
-
-
- - - do nothing - - - - - - - - - - - - - - - - -
-
-
- Github Action -
-
-
- - - Github Action - - - - - - - - - - - -
-
-
- Bump version in release vector and push to - - develop - -
-
-
- - - Bump version in release vector... - - - - - - - - - - - - - - - -
-
-
- Open pull request from - - develop - - to - - master - -
-
-
- - - Open pull request from develop... - - - - - - - - - - - -
-
-
- Update aggregated release draft in - - metal-stack/releases - -
-
-
- - - Update aggregated release draf... - - - - - - - - - - - - - - - - - - - -
-
-
- Integration Testing -
-
-
- - - Integration Testing - - - - - - - - - - - - - - - -
-
-
- Merge to - - master - -
-
-
- - - Merge to master - - - - - - - - - - - - - - - - -
-
-
- Review -
-
-
- - - Review - - - - - - - - - - - - - - - - - - - -
-
-
- Tests suceeded and PR changes reviewed -
-
-
- - - Tests suceeded and PR chang... - - - - - - - - - - - -
-
-
- - publish results to #integration - -
-
-
- - - publish results to #integr... - - - - - - - - - - - - - - - - - - - -
-
-
- Release metal-stack -
-
-
- - - Release metal-stack - - - - - - - - - - - - - - - -
-
-
- - publish to #announcements - -
-
-
- - - publish to #announcements - - - - - - - - - - - -
-
-
- - - metal-stack/docs - - pull request - -
-
-
- - - metal-stack/docs pull requ... - - - - - - - - - - - - - - - - -
-
-
- Freeze -
-
-
- - - Freeze - - - - - - - - - - - - - - - - - - - -
-
-
- Freeze - - develop - - and create a release candidate -
-
-
- - - Freeze develop and create a rel... - - - - - - - - - - - -
-
-
- Large integration suites -
- - (currently owned by FI-TS, not public) - -
-
-
-
- - - Large integration suites... - - - - - - - - - - - - -
-
-
- Run -
-
-
- - - Run - - - - - - - - - - - - - - Text is not SVG - cannot display - - - - diff --git a/versioned_docs/version-v0.21.8/contributing/release_flow.svg b/versioned_docs/version-v0.21.8/contributing/release_flow.svg deleted file mode 100644 index 55cdd493..00000000 --- a/versioned_docs/version-v0.21.8/contributing/release_flow.svg +++ /dev/null @@ -1 +0,0 @@ -
Review release notes
Review release notes
projects
projects
projects
projects
Organization Webhook
Organization Webhook
projects
projects
Publish release
Publish release
Maintainer
Maint...
metal-robot release handler
metal-robot release han...
no
no
yes
yes
version in event newer than release vector version
version in event newer than...
do nothing
do nothing
Github Action
Github Action
Bump version in release vector and push todevelop
Bump version in release vector...
Open pull request fromdeveloptomaster
Open pull request from develop...
Update aggregated release draft inmetal-stack/releases
Update aggregated release draf...
Integration Testing
Integration Testing
Merge tomaster
Merge to master
Review
Review
Tests suceeded and PR changes reviewed
Tests suceeded and PR chang...
publish results to #integration
publish results to #integr...
Release metal-stack
Release metal-stack
publish to #announcements
publish to #announcements
metal-stack/docspull request
metal-stack/docs pull requ...
Freeze
Freeze
Freezedevelopand create a release candidate
Freeze develop and create a rel...
Large integration suites
(currently owned by FI-TS, not public)
Large integration suites...
Run
RunText is not SVG - cannot display \ No newline at end of file diff --git a/versioned_docs/version-v0.21.8/docs/02-General/04-flavors-of-metalstack.md b/versioned_docs/version-v0.21.8/docs/02-General/04-flavors-of-metalstack.md index 7da427fc..2277ca6b 100644 --- a/versioned_docs/version-v0.21.8/docs/02-General/04-flavors-of-metalstack.md +++ b/versioned_docs/version-v0.21.8/docs/02-General/04-flavors-of-metalstack.md @@ -14,7 +14,7 @@ As modern infrastructure and cloud native applications are designed with Kuberne Regardless which flavor of metal-stack you use, it is always possible to manually provision machines, networks and ip addresses. This is the most basic way of using metal-stack and is very similar to how traditional bare metal infrastructures are managed. -Using plain metal-stack without additional layer was not a focus in the past. Therefore firewall and role management might be premature. These will be addressed by [MEP-4](../../contributing/01-Proposals/MEP4/README.md) and [MEP-16](../../contributing/01-Proposals/MEP16/README.md) in the future. +Using plain metal-stack without additional layer was not a focus in the past. Therefore firewall and role management might be premature. These will be addressed by [MEP-4](/community/MEP-4-multi-tenancy-for-the-metal-api) and [MEP-16](/community/MEP-16-metal-api-as-an-alternative-configuration-source-for-the-firewall-controller) in the future. ## Gardener diff --git a/versioned_docs/version-v0.21.8/docs/04-For Operators/03-deployment-guide.mdx b/versioned_docs/version-v0.21.8/docs/04-For Operators/03-deployment-guide.mdx index d45ff631..208e0aa2 100644 --- a/versioned_docs/version-v0.21.8/docs/04-For Operators/03-deployment-guide.mdx +++ b/versioned_docs/version-v0.21.8/docs/04-For Operators/03-deployment-guide.mdx @@ -31,7 +31,7 @@ You can use the [mini-lab](https://github.com/metal-stack/mini-lab) as a templat The metal control plane is typically deployed in a Kubernetes cluster. Therefore, this document will assume that you have a Kubernetes cluster ready for getting deployed. Even though it is theoretically possible to deploy metal-stack without Kubernetes, we strongly advise you to use the described method because we believe that Kubernetes gives you a lot of benefits regarding the stability and maintainability of the application deployment. :::tip -For metal-stack it does not matter where your control plane Kubernetes cluster is located. You can of course use a cluster managed by a hyperscaler. This has the advantage of not having to setup Kubernetes by yourself and could even become beneficial in terms of fail-safe operation. However, we also describe a solution of how to setup metal-stack with a self-hosted, [Autonomous Control Plane](../../contributing/01-Proposals/MEP18/README.md) cluster. The only requirement from metal-stack is that your partitions can establish network connections to the metal control plane. If you are interested, you can find a reasoning behind this deployment decision [here](../05-Concepts/01-architecture.mdx#target-deployment-platforms). +For metal-stack it does not matter where your control plane Kubernetes cluster is located. You can of course use a cluster managed by a hyperscaler. This has the advantage of not having to setup Kubernetes by yourself and could even become beneficial in terms of fail-safe operation. However, we also describe a solution of how to setup metal-stack with a self-hosted, [Autonomous Control Plane](/community/MEP-18-autonomous-control-plane) cluster. The only requirement from metal-stack is that your partitions can establish network connections to the metal control plane. If you are interested, you can find a reasoning behind this deployment decision [here](../05-Concepts/01-architecture.mdx#target-deployment-platforms). ::: Let's start off with a fresh folder for your deployment: diff --git a/versioned_docs/version-v0.21.8/docs/05-Concepts/01-architecture.mdx b/versioned_docs/version-v0.21.8/docs/05-Concepts/01-architecture.mdx index 709960e3..75298df9 100644 --- a/versioned_docs/version-v0.21.8/docs/05-Concepts/01-architecture.mdx +++ b/versioned_docs/version-v0.21.8/docs/05-Concepts/01-architecture.mdx @@ -152,4 +152,4 @@ Thus, for creating a partition as well as a machine or a firewall, the flags `dn In order to be fully offline resilient, make sure to check out `metal-image-cache-sync`. This component provides copies of `metal-images`, `metal-kernel` and `metal-hammer`. -This feature is related to [MEP14](../../contributing/01-Proposals/MEP14/README.md). +This feature is related to [MEP14](/community/MEP-14-independence-from-external-sources). diff --git a/versioned_docs/version-v0.21.8/docs/05-Concepts/02-user-management.md b/versioned_docs/version-v0.21.8/docs/05-Concepts/02-user-management.md index f1ee2778..ba742ee9 100644 --- a/versioned_docs/version-v0.21.8/docs/05-Concepts/02-user-management.md +++ b/versioned_docs/version-v0.21.8/docs/05-Concepts/02-user-management.md @@ -7,7 +7,7 @@ sidebar_position: 2 # User Management At the moment, metal-stack can more or less be seen as a low-level API that does not scope access based on projects and tenants. -Fine-grained access control with full multi-tenancy support is actively worked on in [MEP4](../../contributing/01-Proposals/MEP4/README.md). +Fine-grained access control with full multi-tenancy support is actively worked on in [MEP4](/community/MEP-4-multi-tenancy-for-the-metal-api). Until then projects and tenants can be created, but have no effect on access control. diff --git a/versioned_docs/version-v0.21.8/docs/06-For CISOs/Security/01-principles.md b/versioned_docs/version-v0.21.8/docs/06-For CISOs/Security/01-principles.md index 680b95d8..3f3c8794 100644 --- a/versioned_docs/version-v0.21.8/docs/06-For CISOs/Security/01-principles.md +++ b/versioned_docs/version-v0.21.8/docs/06-For CISOs/Security/01-principles.md @@ -15,7 +15,7 @@ The minimal need to know principle is a security concept that restricts access t ### RBAC :::info -As of now metal-stack does not implement fine-grained Role-Based Access Control (RBAC) within the `metal-api` but this is worked on in [MEP-4](../../../contributing/01-Proposals/MEP4/README.md). +As of now metal-stack does not implement fine-grained Role-Based Access Control (RBAC) within the `metal-api` but this is worked on in [MEP-4](..//community/MEP-4-multi-tenancy-for-the-metal-api). ::: As described in our [User Management](../../05-Concepts/02-user-management.md) concept the [metal-api](https://github.com/metal-stack/metal-api) currently offers three different user roles for authorization: diff --git a/versioned_docs/version-v0.21.8/docs/06-For CISOs/Security/04-communication-matrix.md b/versioned_docs/version-v0.21.8/docs/06-For CISOs/Security/04-communication-matrix.md index 07df2607..24c1bc1d 100644 --- a/versioned_docs/version-v0.21.8/docs/06-For CISOs/Security/04-communication-matrix.md +++ b/versioned_docs/version-v0.21.8/docs/06-For CISOs/Security/04-communication-matrix.md @@ -116,7 +116,7 @@ Please note that every [networking setup](../../05-Concepts/03-Network/01-theory | VLAN | Switches, Firewalls | Layer 2 traffic segmentation. | | VXLAN | Switches, Firewalls | Encapsulate Layer 2 frames in Layer 3 packets for network virtualization. | | EVPN | Switches, Firewalls | Overlay network technology for scalable and flexible network architectures. | -| VPN | Firewalls | Management access [without open SSH ports](../../../contributing/01-Proposals/MEP9/README.md). | +| VPN | Firewalls | Management access [without open SSH ports](..//community/MEP-9-no-open-ports-to-the-data-center). | | BGP | Multiple | Routing protocol for dynamic routing and network management. | | SSH | Management Server, Switches | Secure shell access for management and configuration. | | LLDP | Switches, Machines | Link Layer Discovery Protocol for network device discovery. | diff --git a/versioned_docs/version-v0.21.8/docs/06-For CISOs/rbac.md b/versioned_docs/version-v0.21.8/docs/06-For CISOs/rbac.md index 9a87b896..06c902bb 100644 --- a/versioned_docs/version-v0.21.8/docs/06-For CISOs/rbac.md +++ b/versioned_docs/version-v0.21.8/docs/06-For CISOs/rbac.md @@ -31,4 +31,4 @@ To ensure that internal components interact securely with the metal-api, metal-s Users can interact with the metal-api using [metalctl](https://github.com/metal-stack/metalctl), the command-line interface provided by metal-stack. Depending on the required operations, users should authenticate with the appropriate role to match their level of access. -As part of [MEP-4](../../contributing/01-Proposals/MEP4/README.md), significant work is underway to introduce more fine-grained access control mechanisms within metal-stack, enhancing the precision and flexibility of permission management. +As part of [MEP-4](/community/MEP-4-multi-tenancy-for-the-metal-api), significant work is underway to introduce more fine-grained access control mechanisms within metal-stack, enhancing the precision and flexibility of permission management. diff --git a/versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP1/Distributed-API-Working.png b/versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP1/Distributed-API-Working.png deleted file mode 100644 index 899e223d25919d8ec5a2c2cacd2099f8731ff1ee..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 53600 zcmeFZ2T;>r_cw@$3U)z7RKP+JK_HYQfb^w6fB)Pfwd&)icobx&7hUsBY2lk%a z%f!TVKuc52fQgBP%EZJR$GRK5ljyUCWnyAGKvXv)y8Al1xH&NKOR8@F#V;Z5Oz4god=JIGE~!84SiRsRI7ealw;(!EawA+!`(=1pZR? z@Njc5b+ARd5TWss2vJEm^cA$Gk**HEgev&k%?0NGexV%fa0KWp-gp}i@JrR%i{S1; zatB{S$cT!IO3Fw{iy~zH`2>9BfB(LrjiZg1%YRu0qSMF0%iD#3-zF0#Au25j+a}0? zXydf~E*$Tu1=n>$Xc8UGWF)ZmUNQ*f?J-0@4~OkB_6|NSc3@2jeo1w}VS5)FCodcD zY~n6|If#SV!XzYga0G;fy|yVuP0G|75C;uMnE2?}d3sB!>xtU{l2s%O)iEw)A5A<) z2PS(~6eAV5gQAC6fUJ9oL=ukJb$GPg-z->|PaAlOUrXk$k-Vm>4 zgc0|l_<)(nc$6O)W-dWAG%}!&^$1e>WF*B`5~WJk#()ppu%^bQhAMVsJ3l`uGee@S zxtX)Gqcn!7qCtR5!%2oFp3=r@%BHFo9>%VQC>?WOG}^@pMxi(%O#Eb|%}q36o=&cg z>bhQj>R25#(NRVfCV{drl_X;|!1N~esu-9L#X{Lt+}*^^&c_`oC4qE=I~eI|`d9!i zYe+cY>@j#r54emj(aZ~@=4Y<&0Mtpv#X;B4#*ZK)>5Iqdqs^2tw)T*A7&+VONt4vv zwGAx1ZShz?6rSR01Bbh7>S$8%YFhTTdd4cgx}IuU-iEfGb`UFd@UE^7es)*{S=t

*#5l_~}a_O?}C}WCN6`r#iyi z)k#~@UE9Z9ljP-Uh&Hfr_8`MG$S5}tPYHxAPFL4a3W!mKs4U@ND5D{vrmZXmGt-r{ z)gpVtRbA1(Zl+kAyOe~E4#tIo5;w&-`xyCXs=BGmpxq47HV7$-o4b>-qpz~F5#AFc zr2}&^G50lcvc*ezxNAG0ytTAE{BRgoM?f>l#?Kbz?5U?>DsGIh#S@Hdq#ZmpoPAu> zZM4CbQGppzT(rH>Kr=Nw5t5Ehp3(>%BP|soT3JHez}?TxPR9i)spey+t}p3rYoH;m zE)FyHbthmj(nvjoorAaz+Dli{z{}jhMatgUS=GZ&UDwSQrcN-kGts7a<9w029(b^f z6alL$PQ+^?+*CbLs@`rcHa?PO%JxK4H@q4aVS{ra!)yphO>svlH)8`y@C74jUy7d& zO4`QF981C?ZC%|E6pEca%t74N1!-&~Nz~9HJDMY;Oug;QB_vHflvPyx%pIKVl^vZm zZSlHDIDw=}q1c-HN)wP8&RB}AgOshBF&ugp3oP2s+1TEggf-Fg^Kf-`aIp1}a6`as zHPw)gh8FrryrikK3Rx2&X^STMIGS1*%ec8pY1kWksLI&NxH*VJqVs~=K$`@uLexXM z*!qbh9gMJ8X;&9#bw4dUTG~!o%|_D!MZswpOG%1rxT)*to07=3WSFhAgpMjqQqtVr z-Q7gW*9NcegYqG(=mLE;LaAwxwY=cQj_SU4`noF4CVJv3wvJjbtTM$;TNUkOVr=53 zqOW6*uy=RDc%votwLJ;WNW7Oa8jbVyLBnC%p8C#`YF-v<<|HF8TQf9@geEB?br1*% zoR+GtgRweB)zs0*R@0Z{ts{eSur-8Bc^YV``MALhlnMIoHumN!KvOVSX%l^8Uu_)G z4G;%tC1~r2`$@w*JUldP!AnO|PkTR485svvPiZ@h2?p3h6$v*zU%Z1j+#KNzlZ5-| z7=ibkP(%w?Ef04iHwQAz9%g}a^^)-t$EkUeP(DuLMjkj_k}i%6H}I2CclE`nB6N+= zUM404TXB+yA4 z4AH17~pPo9xOUnhPYzTzrqavek@2>8m zqlt2X6Wx^kBuEaP+8Vwx<~U;*&J2tIN}y(-uB)yGW{2tN80krPpe$gv23~lgiVu#g zDXwi}s|%OGIO`)|>IgVd59vrUw~;V#L-=~T`x^K;!IeF{P~vvV5O2(!%wRZ4gqx8E zLJDn*cJq-o*EAukNlIe0d}So;b)~c&HH?rx7%6jc7r2|WGFjTqSK7oBZ|-M+a+lFm zCfLBe_4Q?pO^xlH+|)dgZW`vE9(qU_2R)<T2u;hA6wsc-q@xynu3RVN5CZ$^@jVnx4BO21Sz57B`T@n>azXS_7sbW8#GNu`tH^ z*yxhA9dt~c?Yxy$o#2|T7A|-@oSUArG0DZ(Km%^*=L!vneF-~lbC|g{3OdA93?Qa!gCAE1iWv-}hjDfwYB-5&7?~RxqV=5pfJdM~HYYeE z+-2;vC1o)7I-Y1LFF$XX0iFWBWeyjI;T`oPEwJ`Fz?o3-GSIQdYN4T%z)8a%Pa)&o zkr1Q2P4)FPe2_$E6$E&ttPdT?&_AG68vmTbTZb}u{nzu6RM!>16UD@IhDl3J*~r&w zDrsMZkLq`ZAm1&o{cKoS&9RV!&%5PbC>R_)r(!UcLOc`Ge>yD@n|?S|MfMySzi~#vuCHF{U58gGO`wOibHkJpyY*nAbNsO^DDEf5QHfg#u*BI37sZBI}ti^WEJw@k+u>FAGh? z?O3+g0<%|V4x*WuwmE+utaZ9DE~Tl>JV@rF-Cu4;upFj(eLbn5y2blBmcs|`iG`Xl z={eXPv@)R#`o;&5!eJ=dS*C$2mk@xSH6ciM6)5pzr zgGD9gbz=U?2nW8~!SzmIYpSDK@76K~x`Q5RHHkY<@O^yoQ{pcMz|-bPh6HX)Au421msUhS7oBX=+@^I~>!ZV8qHcp> z5;`YEw~5+h$sw%ePLHO%mpJzf^X0RozRI?!bJ)&c%$=Clw`IY%V=^HKx2`TA|M6L7 z^#17E_1h$b?gzsh9!p)l4GA`MgUxJU;Yv@F;tdBirKFfgPS0;{3*3xDDe-k9)6%v? zG`C3z*P+~2HWd69X-v#q>`IAW#9d0Z^?j8iziPbrZA$R&`nw^rLg$;**tV4*UmyhO zkhEiJn}kQ(Byc`i*ncAf^DokvSS0vDkg+x`9$Z@@pBKCq*h+9$WbBVSvV&xxksQXp ztqRw4nLNM9?(Dj=MZ&pl62v6NxpwO&+5bb@4pw_jCeMrilFBgl8j;xcATqM^p#A?- zNh>|u4b<&q^O%IxjtMtsdm^;?A@u?8S7(Cv|LS_az{97`;sXJHN+9Zcau_V@JH1{@@-2)!y#x%XZ4)8}kN5A}W@tzVY)7@w5X&{5zq{j(lI!#LGzOhe z{P|pXiOk63Gz@a*`d47BE)`U>&n)#24vAtc{eH#bi~D@MN0a^Wmr}Ct8nVBesa&>d z5~vj}lC6Jqc6;Lh;>6_vVdGrin75~Ycslg)^Y>wb$zw}>Wb5T>4s1z!yj6D+u|*4? znI7l0hnx7Yd}F@8FD+7G0$;gkf@r$@r(`ymvA+4H?OC+pKGBkAJx(csyS3|LI@&lApVa$DW6mH3cmd&b;5lORPQZ{Z+|RTkv+(?^|LkjP<2r+VriY?7XV( z%E4oK9)^oUc-lryUoeAiwGnkD0~c#-GH0jh zw)Xx|(2u2FZ!81((`Yc}=F1vR>)z?A^_dy)W|agl zr16&SJcxWpQ`&rl;_=K2oW}KyQ&VO{D;EsJFx;NiN30&MeRWb8f&-Oz8h&G)DElkM zu(y-8Nh1He#aYH#@nct2uI+kvXO&6$L0huXOstqFtJK+M`&^uDeATugKLivlz$-R~ zx;7%SV0XH1ceow&0rQdO^+#3nv3YGgm*SB8cX)h%>_9L!{`e2@F>wcP%*}ApR&H@p z`I^W0qF-6lCrqs_L@7y*4aZbx0%d!bVqmb&?bG$1K8_8Zr}L|gtF`S>Tv2Aw*q>8U z1Z9nhKSKAc17CFy zK6WA043~%J> zMn_SfPtPic(fRY|XD$)^>Lsl*MBk4B_0M2jp&`>-Q7CRwOz^PYtap@RC1bksFkO{* z?IGs}3iCsjvuu_W7X8^z-45}V70qp87~NybWs|Qat>211%3`n|O6sLd71UPfrE{2b z1VBDDt zIRb4KcoX?aYJvZE@ zEu1Umf4Wi?9eHv>-s=A@J!(g(3)el9o<@zGd*qb%06sq(+p-=@5xm8BuyV>l%)7^} zuwg1bYFV*^%At*WRhn_dt)ONjuT7WirOh1Q&!5idBev@Hag%$0@^ZGxWi2p!vFT7u zWBQf(ZL|iPuX;E93U4cT|X&_7~6YR7|~R9F=g6t6uRQX3-af&n1?)tt@WSQYlP^< zJWsCJJ&?W_Zn##YP#FMh6{9>@unpLM8AeyiD{|$eB{(UXf;YXz&W&@M?7Q^lA!o({ z>vNX#^z}2q3O-$Uy;wd|Rv(#5R?JKZTE)`ZsGF48)@LQl{r-gD4_Y*fm#wbsjXwQ; zqfQ$ZDWA;1iM!E-%d32=$d%;%S=jBR<0fmdJ3?2=w zIQ&Dh>i*^0`%x$FX~h?8Eq(_qPWEy+&X#aca^VDU&m;t{Rr+)kL?UB7-?tMhF-dJw z>ctW4&u+^;HT!TK?6AX+!B?(5<3CuNkyf3<0b+#an2^P87k8SF;##q4h^)&U@AzCj zRm(=v0w`o*MFEHCbiFOgwpHJ4g6%XoxRl;err*3BVB)sC!l#tBG-3-9LLBgxmDu3(;#j###G?rmX5gNkJe+SOmphG6LUkTz(-XY(VdkZf>&vt-ei4Ybp}-a0wcBFQ!%bHE zt1Jv~Qp$Z$;|NZCc^^a<2DIPB`1L?E`*`(lua!LPO(_rxPOB3o&28JBG|1IBF3+ zV`FUK;EstG+>MrRRSuA3%Byz+x9ZGkAW09AaPBZ&R6(Yo2XOCp?3gTS?GD;WB)UIh zBDI{Gig^0`e<}OLWo0LTxyK!nwEMIl;XU%Tn~u`Z=Q&$EmgAENAq@cXae$j~=icYcv1v_!T0(qr+-)e~e9vtnm3J zSlWx*wk-~Bkm&lLpfl;}Q}quSANR}O2BNsmmcMj7apSluwb9~cpT1$69*P5Pwsn+) zP-5@?H`PD8h%t{zwm`FUz*q~XXZzRN%>TR1bW|s#sQAZl@d;T{$A8EEYq}vtow7R} zx~Pp`K6`(?keT|J$aMTxU#>CdRPGX_)ih@o9=9R49hGkT zR?U7K(z17eW6V1*c_QK5{EkVF!QRAyu^n6&J}Qt*G?MK!v<}p~sPBR(D^mqAvRtWD z_)XnAT$KGlfp>9So4$lxy>uIsRP^6%CNnU$s8NY)DYH;w{jeSJPf%Fa%ncN` zuP)u3&rSAgvmFSwFFa<#5#HAkV8n?W^)7B{^#dfSf}6V_r4rpFVw(<>CKX!}m@B_HWnt8`JRVh6LKSjKANqeszbH614@6 zt;&ALI6u()Q)WBr0jA`x78vz!bqorPz#z@1OzYJzT5otmyov%E6RUG^o^(?eRaN@Y zdus%==HX~C>fZ_qOal#iD79lLOpCf_6tYWvfbAEb7!6OdCPV~y-x=K+0j+sP0E~i- zOTZyH&VXm1z=$@SvuU-t&GYep402(f;)uo^YJ^Op=51g?B{DyE9)WYOjvQ>-3U{G3 zm2|);yML$c+w_GfwXk#v3MBC)-hdu)KahmI!K1wMZnEwlv~DiuE6h^&gA%*WLQhQTU&u@PGJmf6vSR|M^&T zHm$J#Dev7lUMHABq$X3cpd3gqNGpxNzuR+=|1==Vl^Hy}p`Ujy)xu&k|7*@Wcj^(c z4`g`p52QO@_EKp-*Cz93;k_QJ#j7I;ho*v|oL%psA=67v5>rHwnez+!qT18RCYbo+ zZMUm1;calx!L{YLbewCRVuZ3?`%i0<>o(dABqW=eqy5UU>JTNaG8X?Ja_X7Wjwu4OE76T&caoQ+^oE(v|fzXE5A0DHq&v1 zKmxh;$o0)-+AJ1*KvqT?BwWk;$OC;zC_D*cx_^^@ z|42Fr}nCfOmhEUoLGT@zTdoeWtWEWAGxdG0AV_ zN%EtBRu^jN$kY0LK`ATMg1rFom#hE*DQO(*h8*M0W)l#EM2)3Dtkem74D;*33C6Dm* zejaSf+b}NOd9^jOBQ|dnm*uy#KEUYzW1Lji2=evgc2J@;;8I@6;Jq1M#>$;5*Ftv% zBwPP^+F9b=C{ufhwlTj+>^UemB|c8W9qjxGgXNL?Nbx2d!CI~|7O0B!oCQMu z``t5(dBK&2mm&BfuW3|~u{s0(D=i1=zmXW+H)%BrrRSF!n*)qLq)gd3#$e7SeXjDy zF0sdLGe!v?pGZ2bDZHj0=mUGk(|W*oG!3qqH64vr_`W;i z;NRnRkS<8gu*ee`J@6K2d;n`c)-5>YWfSLgLH}~q@@f-yTDS@%^VXZ}m%?18IKDHA z2Ct3W_@@@2n9)kVzSLYc(8`%MOX)1{h1H(^lOr#>PGczSurFe$CVm+$lsCur^b$3% znt9dn(+{NK%lHNAHou{GrwL_C-8eBa!0AdrTC{DzcjC5ncoRrMBI?Rgd;MoC>AF9J ztyi^|0e9+(dF@B!i(yR{U0>CYZ=a zWhBf(7|LdKtZkI$vjpD$Uo@8bejKD1pKSThm(r1`R0w-|55KiKO# z^dLEvg?W{4hca_Dl%)*f2#CdLO&LavBzj{~h6d;}WIU9%Uu_v!Fnh|PKu=(S_f;%g0}$lq&YDX*MmN`I zm*ISES`~#Qe0MJ@-qT{vR=CW6`~sF;F@|bdF?cLURjA;1F^!(ehuY152rT6Mz((H;te)G@4+TOdV7v`T8 zOfQEQaMUDZj(oqEoinI@IP9Y0%KJkVB?4zPrHi{=vsX_jETkSP1t?4Fs3mj4tNx9c zXVTwklRLf4c%G_qh=obA%l^7k&D&mqtQh7O^V2Y_+5CJyvZSy{p(nf~OQ=1YN44!_ zT194Z&D8?U3mv^?0DJAj2F-KOd=_e9pI>3_AE4wIc&o0)`UU~pSQ;5PW!FDzy*VFW z*a;ph4PMC}TKnl!fCwZp`qhrI^zLu60?HGTDXU)#dBUfyYa#s{*$)T$xv{OE7d*B7 z&rkC%?5Zcz)-7qpZOM^=&*=(}=+@=yiqm-vfZ&zR&3Q7?$+JAFdG_P9E(YB+@pU)j zEaulTS4v{7J6`r^1x9#ml~%se9glNUVPZJq=CLFFhZ~t$;^N0x*oXas175?TIT()kl)tEFi>9w0vr?M{|rr zt|1b#eF8_+1aptxs8)TD7wwz1&z;4{RJH(~gG`r^5IIzksu;<*WlA!#9Y6~07LUQ(_;=bNY{v^dJnb(^sLCr{419msLWVBaxDd! zh&*PS0@TBrb)x=2pups@y=zmG@)`r#=K^{1u^Y4HT0Px@uNm0_m|NY9@gQaYfqov- z<>TF)CR`7+{!TKFT( z8C`x%X48Ex$$%69J9aLA6S}4B^X8!?Fmsy%#z046Fe_u#k$4{epotTim;%kjmb%?Z zao^h43G$d19H+__UPh=TDQ_-v-i32ROrZ-Mv79&`s`UJZD7R-0VeWGn^%~rYuarOpQRFXNCD=H863uyXws{vh6%~Y=d$DS@Jt_ehvQe= zV8JKz8Bbl4$FCfh7r3}X^ZNafxJ^@7){HbK>3}ds>tXgsJ6mq;>edbYT&<~ZLyy?s z3RXR|)~QZg{@~M|R(&n^{5}0C{?ijQ(wf0wtf>1YNkT`uM+|e|b&p(XMr~j__IjCU zE`dGYxSS$o{s(pHBAYIKvcc$&zKqG~N>WC=>MyKd_i*;ji@79@yv>F>qsiEs#PJ@rgncjX66}UfHDeB{$~1#Wd$!u#!x2Us zQJJ-Rh2RBdV|h5Hee;m#MOxF!@MXMrYpUU13gQuuVykW{o}FJ~5ol}g_?)<9*?8MH zUtb6Ys6-?WswJJ{=tSD7Vr8GT8m2`qlf)K;t#Iy}sCD3t{&1go6NPsq?UVxwfqqW% z&OuW@1+BHF99+nwDP`ehi9>nF1@-}K!01jgkRWdqaDk@yKhS!!qInFp!Ss_do|73HRp>S#ks zZzduFzrvq92Ga;f4@M70t-M6rW>>4WzuK6hmt%}v3^NISZB7r7?cvIU4_R2-t1!31 z9#wzpA3v3}aKtoFwTpvVeI=4H4$I3F4LcRxAodOO<=bNuMRa*%b0c5g6v%SUwm-|aSAjxBrCJ^KecdmT>Sh5R1 z-}C3+DR?41FIFq)r<|Jgt(Dsd!_9RHIR@IiY!XcRGHW@-ks^d~v2ObW9S+i-7uzFXDRK0vB?T!w5)rEQ;fmDgJ&@{c2~ZB24@4`ewWmihFJW_!b%i=gjCos zcjQ@uT^Lu{_nFF=QtQMPEf!$hpNFxCCPnC3_brSI=ul5AyqEgisOG61xje={LNSeG z5lAxlcH+jSWhBcuF&wk@S&>boEUc~WrShQBET3`S%Z$M@M^rW^VYyie2Ln$C`>eho zv=KjM5rp43FW06T!VKq9rV13;grNcyx^9Kq3);pnvCX;5m13yb!EY`CbFF)>NAyk% z5LGk<{o(z-b_|5PKsu^tp`SOfH8sIiK5xK(G^W3Ye@>N71N9v%hVa*EWUa+;!<3C- zL3-GkN^kAOR)5|b8-*oAaJEz$$+3$cjl5}4b3Rq`T&PzbhbSdAv!5GYut{O$8ah%~ zbQW{VqF7TcTCaXHTRYQHo>Pro%sbicl9i0)|EVhdvUY_pWTGvW=UeMWGi@BE9VUKb zTPhCrWGX>SOF%VZJcO)eh6*ivtr{sN(%vder)XXCqjS3meP#m(*F=8b-t^j0C+Fo6^zMKy9oE1+e_iFf12 z9{OYUy$k2u+0My+e^D{9aL4Ps;sVZry=lShnVKZMMT3#INCyQ1%ZT6Xyr8<`ml>iD z_^2#GVHYZ`CtDx0e-shx+n78WUG@IaSjT#i!fGDs(xN++$1>LJ1^M&=c51a2b(2qg zZ1~B9k!^C&k-TMG;Mymn*~Df~M|l&Oxz53u^MMJ}Xj2NRi(K`Go53U8{>D{1NIUVQ zR1;su7z`aKEIcz$6Wk3{Vla0@OS5BKJnRPhQEBQP`g;Cl0S@ZIE9qRWtg}hUE$f{| z3G91}y(>wnS;+K6t)oVkS#PB~iRZMa$!kLoyCk1j{<5I+AH`HqXaN^^NrSq7EG}m^ zq8ebo(B}#}xGK@u$c80`MT*yXWmCIs9?ImWXV#MmC06E*r`!O9w0d|e+Sj*^n~*e* z92tWVe<=yJE~W{uRXC(L)3El8&i+m8GS`~z)n!(SVAja3DzmouO#1SzDTV-}s0zLu z3@U~L-U?2-BqT&+o*BzPKaatG&bDHwwxMXRVu#W>usB84|!Ia4( zV~T!;1QyCxb+nQei^2Eow$%;W6f=W#_DLg_iLbnORj!!`9Ko>5oN zk#}A_EM19jbWi(3c+$MU!!K6pjia1{M*T&1mVdIgJyHCbBWWN6a4hXQVl~q6J5g;v z?0c$Bikqv){(ms2(T(+pg+}&QOKk6|0!Pe%6`laFb5>JCGUM#KJt>w#@A@O;RTq348eC+4it?7i+2jg z%|G1&z!?A*?!B&J%Rocv zQCOK`Kj<&FWVTgz3wV5u!aQZ1;dC^6*Oc8OhpPZSf@(=m80|Y1eMq7F=EwgJAGcJF z1>Ws^e)%KsX1?5xBWw`1cat^Wv;e&uqUL+VJ19E=72kEqg#79TB)F!f*+nw(2KW>) zK{U)9+%ck0_R``5_#%bH%x>C?8G8Hed8NLd0)i`-XO@uin%r@w@^c}T-2NiuJ4}CG z%9Zl510v;_a|(Q9LZP>Njy#*0?m`sZN4CeDp&y~{$A#2%9#+VZQw{NJdt$^63br4f z+0kKE{$fjZ)2w>SK2r%68i}sj4>#``-j;qhh-2k#O*;GT@`TPsHc%(7`H%^hV`*@W zP|H*A!}1b5lkTPS7-@dZ;A)|dC$G&(-;5k@JbaCZBoNC2N_P1)L!>)Ig|?(E$J|!Q zy`B*Vl78$j6bEB$4&<+#{7_4DVik{+jn-xcRq^b6?@r?4k9PGG)V}84G0`6pXjp&O zP?xQR*YivMZnJ;`KkdpSSstU3wD>~-e9Fdt?LiTG?>0x7NQBy|Oo!^s43_aoq=VT` zk*eFjVSQZ8U(*_2L@5CQu(0KS>gM0ICxStAi;#?`(h$`8Hs?WG3HXz;gZS7|lc) z5Fx~E9Hu_~714j!FhlxUsqf?65uU6pe9f_bZLvt^jJQ+_K0OP1>~TW0!F6K}O2gWR zDlSFJs8&cBAr65Kx@*|rg(6f7wVuqsdRb>@Es}+qeVg1JhV^=v*e~R6YKIqV3BAu^ zs|1nsz$!l%f7KlW!c3BMYmcn6INd%vCX{PJeE2pK0#TAoxkSFm8H&{-frzO2N&WulTPi- z5t~YwOCu+d(P8lTnFb;!^$@~EOT36VTJj;YNBhL9OXRbNk<3}?@8pRvxgu474Kt<+pdrP zidXyJiPy5AQjE6YRs7{*_R7loz7?p^DEn2JYr)m-gS}pJ&T=MG%4d%MeH!7W`={c! zXZ&b#XuaAdti}bK^y%l9mo6L-3v0Jocx!${(IvIK z!M&jG#Ab7W)Q$ttD0ygTXa*pPGgG2l2xkLgV2XC))Y8PN6e!>=1}#(N!g&=fxwOqS zJb=bid|r+ZCi#R!AV3A5#`VlrsreAjX-HM)-VP&jk?G9~skya9$IY(opk+4SS>0## z`?^rtX78xNCjiG*HqTbRm^M=<1B+ zEX6cERm8^BOFUWwb=vc$qV(eLkB6F;%%lq#o9pF(inGxd=E>2NM#Vd7*Rb0*pv#nn zr|qm>`X+?9F9R^H)4k;9?HLfR)7Al8INbqS7K9q6-?UR=D!?908Bkq@cZhZKgS|cEUPrj# z>H0|hxMyC_Vs;gWmVw1v-AjMP1w}t6lrLQB23hh^h0VFhbwebSo#+D% zBojfKe^SbC9F!e1Pl(^c2I2iKP9kl+Z?<=?mRHgJ_^Zk#i{(sg;1^)gb$jA= zw{n;fzo|n&xlDQLgz71cS4*tG7)`5(@v~O*ZyUiu$AoWoM_w8P(^Vc~+9#!|mZCuN zcVHv_SvT)Q_$vsD1}GG-_wqn6O>T8Ky7DeR4A)2MT%3L*RsovBdgH4W_-T7KAi(0_ z<=;x=nq#IVP$vk~gEvo|I3zQCSh1txPvhjS9RHcp+F9ZCyr2}~MYLTCsl(jR)>hFx z_gqORdfXnBLcLwP29*-Oy0F9tCHITA4NqrZ_Oj z_YlM$q?-TTF`;x|V+0W-`8%$-qJ|)_Fx^=`K*tArxi0sSml>}Py#gJ8-Qj52xJz?m z0A?rU1=A<{j7=?n@$P9GzYvJ)2nLYCfH#zOURFjGICz&uo4w8@R1>qpvt>dz2{lOR z_C%+oBO;uUvYRb?n1%ix0zw_E3cA>5+VsVnXXIt6owCkiP&?RqWn$GrTNr=R?TP6f zi?VEiVSeN3@oUkB?1gVoF?U}CLtTd(oEd9~FvD5DCjX6O1M0@2bMjJ*YqlWM!o@HM zNejY$r&-5f=Pj)>CeS8qHoR-icQW=rrVlSHK07|ek?nc!d)AkV`z|R3XRj%P<4U71 z${JizU>nU-(^@BxlpJ+9odeTt765wZmJ)W;6X3fjoR1VrKzpUD@Dc67XdcEDkPW1> zW%Yl05#0JM(p+rF%CqJeT`_R-%7EAUOnKh=yFCix;vAIf-#~hQ7`4YDlxDBMFuJ$w zWWQ?0h1ZG)wH#*_`g{Bfb?&V?AOQ9tAB#NL0b7lQTUlnU3t^~E>)^`rpSMpX_8Yzs z6Z7|1GH(@QGCf9pqu8EoFc^*bg~P6b20@3n$aaomqD3}&F(vV-G%oHG7uTHN>)n;2 z*XhF^g&~219u+FZuO!4&d+aZ>nn9M{;oTP1f+>7TV=ZY{*2Fu{2dn^#czz|1aaNu~~U zvcG;+I&!iYREkK|AFoVNRvNfBu9jF;Fl=c!&3Wh7;J2VRW;c~i|26d*zo@vX`r@r?$d4OsUdB#lI(vbG`0o_T9k2-(OXhUIN0q?L=5#C_&!IE_6`q zJws5QP!t@4rM-N92v_N0K+Atls92be0y^+*inDS|eN*!-20QNimgl>nzx&0v{S=%S z&$y~(wJ@v@)@_ULyJ z*o7sxj$3@@rFW1fGO3gT9maaqa^yCn5?Di~Wofxyp#Ax;^u)* zAxf^0>%&z5on!4HQtSPhyfhwe?nP90>Ab+1)Q&;*^|)|UKi5Zp){XdWcjg)V4`1`* zT46W#HTJ8wg3iLzKwHGT=25@HV{4=OQzB;blW&l*ALnrO!?mJQQJ;#xq{a3{d7*Rq z1h*}2nYCx%{rvhxr_z)uiB5du&APPL|BM+2>8FHW)lt^en#|J?)>i~*=HFY&Q$mb+ za;KsKS&3oW&oE}-9(xoWKiTA^_}$^v*T@x?mnkdv3m)=7{xU{nm1L6mS~f`DO~_0j z*v#5R@$uFK2Kx?=v2S}&-_pA;3dOzZNLdVeoqZMk^whofi;*Ti=z6ia40TAo4xxjR zj#5P;tq)z<8&}8MVcLBjqrda;*tyVGIUg;<(!!-pRCFwJXh)Z#Er%^W1Ux>G20dfk zV>?^S9mw0emgaZL*-@OhoSTo!%z}lc1j|1c z-CPA1MA*iK$sA+ONobI;smt>oj9HwUv_Zd@SpB%B?O!eA%EW959CuQQuqUzLllI+A z++zHfpx3yo=*Rn_Yn)?I!sY2BPfA+PK>qg)ei|msQ0Vmk_3B2!Leqlf)kQb`#4l)M zU$*#uNv5+JkA>*p3Fv318X*4%6C;u82b7+Lvy{C)Nal|a?J#45kuo<8y0JcCIJQ5a z=Vn-h!~Y_S86v^qLzJ~sb*53o|ABcsazBC{yI81l1(@2xz41-aIW6rnPUQx{nczV_ z6nXDbv{y3md-Gb34^)(#xe%(nUM8U7)x!Y~YxnB&Z3GCqV?&}$VHiVeA+T1i|7V2k z#0AJo@%_Xa3yMTrx1+jsvF{*JQUz7^u@0+V8+w570q$a-~eVzQRb4lY3P(sUnpSo@;MZU8K>k_?s!MdGZePdtiG6mT3r*KaK z>PyNUd!Xsd;}i!&->EUnH0GWT%$P4z4Ot71Mwfj0*}e1ulkn|1f~Do0UianK_c=YYY^JXWfZ)_- zp4q23Yo~Dej&HD|EKz(9hkCz!8|90RG%RA(187CjUg|@P$)As3@Mm54zpAjtz#~P5 z)DvBinIh33Y!dg|QGTU8G`25f?8IJXE%wiz_+Mk*QFXPM7A!A8C}?rZP*X5_)yARt z;Tv|xvn<*PsJOXv80kc#xH=FyJ+27p%bj@l1+PThzbllFZ5UbXwIEYBJY;l&O;_R@+uQ^%uBK8V~@a{2RF!m2v+cJvnsKOov@&iry?ZnN(P?nb1ZdB_)fdekIB zLGVdHVwQTynrdQ}G4dAi^;2FGpM6@wHpf+-z45c>5*sx7sO9kFGMJ@qUsqq&!JMhx zYPEWYHKUXwyoFII(K-s4_H#<~vzYdai7K+@4TprwZ@q{W-*@&Ox&3_cT89VBGQ4XF zZ@kCEXXkUf3#@!vXKG7h)0(sdc&V;Oo^1k<;27p?QqIVo*glmO?Z>wcUvTF!{}hgF z_b@R3Un=&rv^0D`K*iDpNyo1ql1_~|eZkwAnD!Yg=!nb_D2VM7Z#%JzdHk;~l^qLl z`pEulQ$X;Of@hcZgronKIwhF%Wf`#j)kcYAhqyY#!AirC+<9k*V#B)gCs=ha(VIZ1TJ7B{obzM764U_u zjHU!vZAF3L5{t=X-$AzGg%)&qG)A`WQc;@$K1;V2G@APt)0cYIJ)vlrJp2eHTN(Tl z+#Wy%t@yXD_)i!0LAB{yz6)Yiy1h<_&18OY(wb3L4hoU`wkndrwF;%+wvdmJVhpJC zmJA|{vfQ`bUsB$+fU2ogN!Y8pL2KJE{$6lz$JDE;HCJjwCv%n#s-k3;xbjw8J>idgD`K=>M;ex z2onl`ZT_k1gI{yZ3wy(@H*Cq^tf6?it^SH9b6WYPLT6l`@*eJC(Xz2~%isc(t|V{- zZGMwYN-P8MMPC$JbR3FU#jd%73`x~2sB@K1M;3tuPzktu;M+cZsQR)OLj887flSbs z+=}@xGf*hP-2TKVc^q`rJI%Hl4YqyQCpNX^*FaUoLNOG=Hz+bTs*=`D|Ghh; zCT6hheB|Z95pWX@L$ep`g%POaI#>k_3gooLt7AmvKT&-cpcK9jG#H5gPBIJ^d3{$7 zTwBw3rGNgon2J_NIY^UK>Sf@H+D*K{LuEsEJ6r^Xk_X@yf|8`7bH{mbF@0u!iLWl_ zPGLqlgYPKK{5>xGlYS@;8cm(NE1maU@HO_nW%>O>p|1|#Ejmd3QVZ<8&`{Rh*Z_Cg z{`LOlGN^c(b-By#kl5vMqo`M)M!kIoSPdVLS=uD92U0r0yZCsPGJON{VDF%xOGO*7a{6O?ViO8&sZ*m8B{VL`{J}t zReAP(bDR0+}eOH{ChPW6o4m9m-EniuH87W5tdcQGnwG)rG0sK zO&*8I>$%F=KtlJ$u-Mx1{a3yxHHvK>4DJ1UvM$TM53bJal0J;HD#Y5SoGAC<;$^lx zdl<)!iH(H(l~2Y;gjbCb-0}q@f{Lqkg_;YBn;EU@(48*yq2PTY`5~Ndi61hd`ljqIKy`{?7dy2{Kx=T`sToDBe?=8 z?RhzAEDD)kJ0*pm9gg`lR(aZTwzeDat#2?~YzEw3;|-O2`vya|-;_bu#zgk;#t$|J zV~^ANL;0_`O7z#EDo%LB7tsDwb#|4v~$^sc}WM)EXpp@z;U&*ms zW0mKJ*waUz;zSweypxP5W2tv4oZn1jWv@jWpTd`=U8*E#M{4wMgF9c!wz>^Mb{_mK zX4Y8*N|gOzy40eDl9a&~v13cM{6F3FHh>OA@BDLEobNEsJ%Y<1LZNo}eHX}@ZVvvA z__s!7Z~gF<+pi2UvVr^sFZabm5tYwbr)s9qOx7)z@X5s~a7Ba|Mil+)ivmnXKGs6f zW(>BMWi#?$PFW#_c9$A|ud|YvMO|*0m$e(?oCU4+6GZ9hG*E&y+IrsCvSiD>5FNgM z;!Fq>)qqPT6e0zj>J$pB9u#16YTa$cMjTE=+&6&#b5I@_ed;jpW#aXnC?!(CAQr!( ziR+8+WobFTec&!gM50J+dco1rg(J4^G`u{R1wHeG?$r?dc#LZov&}!Jy{lPaTwT36 zFs$;W+b(M<%a6k>%pBVe^N%;M#Iumg`XzrO3gHg=E93rK1KV;P6h(WHceOE%DwR0u7~Uq-8+p~~*&e2Oqq*x9%@|Rn90I#f zV$x9nF$rZSF62Rh#O<5UvNU*qdd)39ai)A2nN^*aJ9!=*-l%KbqO`kygh9YCx2yd2#DSPyW2apLrNFgluX3r}XHT=X?UpM|YDn zd6l=``xJAY*~|0g#I9+Vz0lXX%m<8{^0T5CU0kHsi3tGjLQqqm+=Rc4W9_)f=qJN~6X7b3Hwp*?0Fb^d&ai zI!_v{pDVG8@7~^ihF7F_>PI43E(QCV>b;|tJod|izqY)%%fs+Dd|Mm2n?qO-e?0jG zq>#Q`Vxy;OqZJiNl(<3t>ma&bbAj8I3gmVhzqxWyb?pY(xZ;PeE=Yl|IO~U`{l$3A ziY3PR;uFT~PVK{m=? zDVi5>hEFd5u>4F+$|9_`cz0pTyPUZ7^bq(;qT%SR3)C;-|Kd&5OJn?*n>dp9nC&Rl z3N#2SX?0Z8^Sft%zi^!iop$i%0qvL-?k`CcxOeAORD*x+Bmz^%A!)AnJ~tj8>f;eT zyE{v|i8RM&~=guq~vP>xIR_0UQ+NL zJl`pkQ?f6m3s~;#8TkR^iGGveIP48u#S92S$3fVCy{JM^v2d?)w1p?T$%=_H)eQ|Sp#|+=R5kEsc zzzs&an2}40`wQRQe~Z%(0f1@d7gS#|qjA?G$`Oz@06pnH!-pwgzAS8E%bMM>*tiWvX{ch{bE=|{$OxLV#Cddp)@xNkT z+s75~)}Of2WWObjA9Ak*902!bm?io9wlkeQK-j|Non&-C&kwGcb|)oE^q6y>E=LmlvuH1lXtZTNe}@3_-tk4NFO zU?K6|czM(oaK05_E!hHd+o#41a~*G5&=e~NYpWf2Dt48fGC5_yAv1aC?mo^J4V4*w zwAU3*=Nm@vf3c}4$RV?bQa9LFok#f<8@R5s01xE#^vOL_H=mKp$|fuB${Z1lc)W*l z514_l3*|2!C_7QFx_{Utd`}YYy`S{1N5MK9y*L>Yjs>gcGel6(RL;y)1V!W(<55aA zxTOS*(N>*$fk8j--Spqkw*#N)Py7_adj3~;Z^nID?NaJ0TbCXIPli&ui_>{|Yuso4 zQk~lmdHsB*-s7%^BprWv%Ewp>4Be1=7*YYhD1yM0&ZfxHB(|b_i-_`SN&6FVscJ=9 zq%Z9(-+0!D#go?NUi;4!a`TkMB1`9~?>_&)o$4FPDYEB5`3uM%b;Q3P3vO<#abW2r0Srt0#M(CZn*q1Hv)Z+vD6i4XxfI(KmmDhdZiX|#{>REY%7q(C3fNhAg+6ci-8>AgTw|YZ3QJ4LSJ0+^#ge}-(4m%&&nNgyV0d^uH(zN z-5w^jXl`)msP6$D6&Q$Fg8DE>uIt5qTafth;^q}$u)33i|su3x$*bL9RkgRL1~ z5RG(%OM)L_09$ZYu7Sm@u6D3R*WBya*ryEtTPdkct$R;J@?C)7i@gB8IOf>hjf<`T z8UIwl!eO@oR8Hx9v1UiR87u`h*bq()5%PH&i?v7$w^;_y{T$s#XNyDc?u_oa`e)ks zFY+o;@rSOkYu|(7@I$Uo>Lk0fvZwhy$qbnnVb?3ii($qt{SNUd$t5WHoYDwJ+A+g} zD3!+!FNr)uXG$Gr2@b93()q*Yw+`)rL$lxzell@!XU>j4l}Vt6=Iq$N%o&eP2&&$z z$ss3y;9Zxnf}9h~*T{wSBooBk4?Ef=PEaW~b?)lMb;Sj_^b3@JIktDi2mvl-P?H)~ z!5vhvlHztdM+@b<&eclN_35R7neEAr!&uz2i_Str%E2I$|DxrW%5KiSA^c&)(QI2n}yoI6wOKCw%;x~9rZB> z!=adb3zm#yobN$53wz}LLsp6uGG;X6d)sl@; zU&4>ia(4{D+RS@?T#PdA5nkZtrs~E_c-BtC%cj+4J>ipFp1Q*k6rN9wI1DZ6QNZRn z#tcCOT{3|OuWE-p$&7M@Lq+D@+ec#gleez^mi zF$pQHRg_^nT7<_8<%-@qBEV{yEGgMGaqHnI6O2MF%x;Rozzz^&(qd9*jnLXw*VR zkuiR$cYSU%Srd&401tPhZ1>@$&qaM1?|Bk|umc$%P$QH}?4BEGQ4*>QH(2=m5k<%w z5RU8XUAJw3c@LrFQKdO^`@kM>=V3T&Tmv(slQ2cZI5^F|igkIi@I;@v;z z;{W{{(76eo=JgkoCUWn zR)wN>0Kn^$nO1mcngQTx&tlXDnMKu4voM;xT4HIb1lI3Um83^kB$HFm^4lNT58KWe z$bZx(>yo?Bw{kvH5k>%8l8~3vR^b>*?)ELt)TW%{tlKT8Ac!y4gpl1=9UEli#h5wp zG6aSLk8-Bq=cB-U4PA`;=)qn#!H{`EU)%mxYqM#{MHm?j+Vvux<4#+i0qxnkuo^H} zkAUGqvvxc|?Z?V&<7Kos2sFYCc#ROy5*kI4v9|z_ZbH^xEuLsO7>RWDC;{bvK={{?)GyK=f{{KAuB#EhCZ7FR2O|t?SNlGv? zywb4kG@YC;pUVz;KDA#&P31XyfVp;z_hJCP1{^E<9alDpI|;4osEW+R%fYf&a_CU` z`=G;h@qGJx)1sSgkHn;GjkvG9B<^24f;si;j1?(QpcsHoZpZ7N^38WnZo1QSiBLxM zd)WVdz(}8_f4|9r%Gc-0gpMPA&yiH(&S{{BSc|&%8vcF<@W z9C(b6X_Iq$mpr6$dhtJXpK@kGBe3`#pXl_{jH9clocudbZoCp`Mwv@;KrWJ5$lbzu zV4iOJFU0#$$Re1MS`O0`fm3fa0=#_|XyQs*ZYTi|rHH{qjj(8c*Q~r}YLI^00%cSd$&+D|Qck zx9FPo#U9bh1SD#ut33|*G+{w47CDG^BLX`|DCbuFY_WbmGW+$XuS+Q0-9UT%oOcC{ z0mj>`9qi0AD1I!)mX{2Khwcvo*7dOe2#ymEpv-|`_YQ?cNC;kT;;G7zw)F7CYCbA0 zQnp16UxeKL9H9rqM#^{k5T(TznI) zb4T-RNlc<+*9xRMMcq0E-=>I&kKDq|6u%r0}Jd|NKK;6AJl|#kQXUP9<*+#0IF0C2L_JWzO;*5aS9)RT1M1F^$O;> zwBP_2eR{EcoDR+DpkNNKUK^^{zDKeQtoLk_>|2$D0>XW|)<3F3I7NJF4}Noi9KzMc zG1<@4B3t#2TW_D^AExFgg;dyMO!F31rfY(#Ogw9A+-GweCKN5JxplPFPD4{|9o1h= zS}VZs>IUI~Qr0)jiYKLWr34nB-76EYUA(UVKS`Gx@L~Q~XO6d;tbfxcC%qT5Y;i{C=k8c6O zbN^OMf{Z6bEC;A>#{mx}0l#=^S(k5T3Sy1Snx`e!?JP5y1orkIADpITs9dV41pl^% zniSW?MBZv#n(ry7e|^DI`0iEyQK+$m^&pcQkXu{Y;yUI7@U9`poV=;&r;W!9JAejR zrvHql^=t@}<^6$%7K2=3F|W=xkn~!e>j5-qIT4zCh(`}-_xQP9s09Q1_D-)13~9YA z@HRxX_7n35A@g$7VIeY8GK-au4Zgnv(OW$WE4TxA%GSd~T*s2fyd};ksP7p6id&bq z^qSL4tf0*t!2OfAO_05>cewKaHC#VY&54gTSqFUvWPLU-PM=-%`LO3^tq#cMjJ=VD z5HuTXI`OUU!Mb;cuD*60E?Ux3sR}P46)tI=L`VCA_!gnS;aG1HtrJmjJImvua{TR2 zz>bCSfWcZv#zO*A-XMDR{h;ysnU4RD&g>9CVEux*fdpjHBKYE38H8zL=4bSgAl@C> z9%Dtn&`;{5J((=?B~4$p|Fyv(*;HOPjm$S5*EQmG6tadP3A-SPmz{E%kg}5RN-n?r zD$^O3M@`u0-(Sl&*5uBu9)kPS)oykPu+m<&CU5o)gRN9{i?J2q2E!l@q1+!{1zhU& z`6gp&AmkThrgtJtI9ae;{<(}~Rto_xG zTKv>^Fj)cU+dpnZV@KxPcQDYGOrNc>&*ObA_(J^??!^i})B{av&}4*2?%ea`a-f^H z={p1zBXru%0yOhB;G3?voKn^ljatdc+KJPQs>N?hL%TcnScK44y(mE+@r^&!reEoi zCm8i4*~~(0U5&((KznmSa&8MykT1wod2&>UFyK)IXtkbx6YB9gN3ZyFYR3sHu%sPF zLlRA8msw12lwxE9?*RJ!4&%M3K|p~s%}aLXjb_x$%*0b2W(Zfe)!M<;D>*~Hwsz~D zpFB+7c*WWLjDq(n3XhiM_=?jFoJ#h#B6|-zX8`g48_&n|h_ZK2DpsUy4Nd!rX-DBb zx8LO(B)>au7=+^QDbbM=;9@#*>I|S%Z*IMkHI@sUBLHl@BXb3mYs4!RcKN?2Q0`;@ z4z-I>V%^(=yX5AmS83u2oOc%&rg{^nxJxLKCRKFrJyKAgY--b0kJkp7!^M#^o$9EO zpgBhEwOAkC5BmK1=e&94XD`8)I&G8uP8qoPjm7k8KS?t%0O~(KAj&Y85?x?OyZMim zi%qRQ!%+6Q8Ga^zp1E!!Cmz{}e`s@y`&)CRc$B30_~4&wU=V$Ok+WSY^5E> zE@Fhufiz<>6LFBNM+dfwJY|)sQ?uDqu-QaD)%YV+k3VS>v{_O9I&;QSmM*7@-tX`< zXqmGdWjOQoCE#8H;>HMAxBjVW2O$APGTqTNa=Uj;bdpTZ{Vp^?FTn4{Rq0+!bncwt zk~$c^?fD)Z{=HE3LIvPIcN8_idgflqF0o3Ui>smRd6>`j5aWH_fxv|iusNoyI~a5dVMyO7F8nkwFc!TIShUAJ)mIq`5RlMKNOaq ze*$pm>n{SdKkH@#6Ft|(nEB1y%RK2i=A|lvG4od=+bo!Pv!_x+S!SUt`6p3(knzJy+* z6IU3^j`m=xf*tT%g*nAHc2@N?%OrPp({=#%P(LyQY6ByM2LgQLqe#x-o@^n7J415n ztl~kbI2OOEr-kB1cxbKPVUKWvxjhQJUY%Ipxeg9XOvPfqcW=&?#cVJzMgjmu6l|#; z+gERBaL;b=$aZ^h=*eSO#H0Yoz|AAGL2+ruQ1!gl1Km1mTIA4ARGzF#BU7CWz z`ni?ow}2`o>kbh=LdUOIV_bcH08|lezwkpomickH$&dC9-I$?>4y_NMS8VMuyf~m@ z(w99#doGJ)80PoJFmuu4#MDVpKr^o<>c1v*!2uf6^QTf~{~|GItp1pl!w_^tlxN?3 zf8`ffp3_9>siBt{V2FwCsUB!32QlDTHw~{-+%t!xM_ix^t~OGMVzN(H1rMbj;i<_R z);@Zs%u}i}#fdr=Gu5!o%Z;F3t&#lv`cmJfN2m71R2_xceQbOrGo;SUjJafTRcC9D zXM({};r@TKs9_C2LA34mm_|Q;Xg&g3)BU-NDm^N>ve$lEXIo70czu!w|j zH#M4W8q{dC=_bCu)I#WJC@Y;UJ}dX$6+UYZg$ho`xVBpXpR}RbJKLh4zcD-0LiKFP zVsnQCt=>Kxq1RB(@S`6-C~c)3Boo$NL|F-1;XCDCY+CPEoR`^bs62{3A(_inSBmt} zxA{hLDJe@z;<0_BqtdAb&qaA^aJ-4FMET~-dj42J4Wx5W6GO3}p<=YcUTay7-eJEZ zwTgwDWrluN@!2;{L~_CU{Aao8$Q5ZuAY%j43olS0h=;NHe8ZQ4~%m;;1Rp#y>c=wii3%C}-PY}JH_AW|K&eY>x z?_^Yb9d|P-c`a#NC&Dq~IUoa6|3v1`ul*Uf-JH$;Dhv4^=U63f+|KHHdamnu zj$^X^K8MMC#}SkthhG)S%V8fSV3_k2?CBl8-9bN_QnBO}BF)TYO728OqUK;A{rMUs z#Qp`@;8h~W`^mgf_-iMN(V4-~UI`%utit-Lf_EXLpmi51nBYI$Y#+I2C%ZiWCF+?U zY0iQb3gyW`)x*E$$(!lN4Cxv$M#-gi{QIVO0uDkMa-Qoq9^Zj7q%& zT6S15k~O@LbdTUs2O49@B4cy)a$clPK`evFd8niTYp`hHNZU?1#j?@Ek;A2l8OE{W) zV&alzVmgnP?1Eq6f9JU%@Jj;$8ql65?VO0`Md?Rvp%d`{<4N0?ovIzD9oWkd%lrty zrR>k$R9$iw2j4M=>HDP_?HC=+e+Q#eQ&St>*w|oDxHZ7{v*&SdM)N6`tC{Knw7YKG|R?8g=Y3-eCVg*b*BlhZpcTOYpPM2|i7 z^$%u;*wXG$+2A}|4*d^Dmpn@wN(GN>p8Hia z0o?JyRMgbV)fBP<5sZ49FGmfD0W0cQ6E`<#<0YT%YUn6*(Q%x2^Q z9oJ*t23cM3C4R}7%QN<&1{-iD%5+oyBQ0ZJsFxjX5$dF(mg+Pxm&P{=XxSz%f8X<- z`Y<0X0c}l~Wm*#sHli~ZDbJWX$bNdPT^khP>x3l-g zwKD>}z9)j06tdMtG?XNgJ_be8oNklN)?*3d3)WR>^z zsu#91QwA)lYx`XVZ-1DScuCozS3TsN%sI+{V`ikcZR1;@Cibfg$?4)=U&ak(VamT~ zXukVXdg!y9e6=c3mwo-+X4TuyT*Zf-Fj}gOVrp1^zbs_{rs87FTwPGj8pj}q;!({< zo+;obdE&#OoznYTvLz9*I=m4@jl8c1PTl%)R{J}&&7k7yQ zivLh;zXLA9TOp%zc| zZmjv*q?-mZrROjKYoSG16nO$W_6!N=3nK^2$(70lh{heBlV_~Or*ywzh2DM?txg?t zGuiNTgbH(QX6hvUpnMIzP$2V@aWvnJr>uABCz$ktgDGlQmHF+&s32nzl2KHq<`SzDhbi{>;vGb*KdkdBhr7s=A1 zA;Z6jRGhBIwoeS1riif-ne`Mq*mMZ^zSkUz3l6%P)|;I#&2KjT;sV68RA+=mK;kqr zpq}b=m=VjuC=ig>@-DCAV5y#Z5dpO~o&n8Mw_c>@-VHuZ)l&E1c=$Q-L<&;klXe*Q zbbZ_8M3PC)ii+%dt)-%r37p}2TE|!^oqcIDo zAeqygig!~F-b#zibY-4HjL;zqa4`*45sfRl z?W5|Ki`2`Qi`?%YYf=qydEN+d=V-sNqOI)9C62sID3hLe3troYx$|#?W<}=GJT_3EEwt-Jma4U`!iwx{a09cZN6n?ClGu} zwgL(x8K4YHG7nP^%0g{qK|7x=P~w{iM3agy_77H{u^8wHZ2@~DCm*pZy>0<4-36MJ z>1Q;qoTxM@XgO(~+1bgmO{~%eLuf2OW#9~G^Pufr(Usf@3QS`_73qM-C!Vl30AuGF z4#2h5krjb*7Hdmyhu!ziC?mt!s9>zG9HtPViFEB*}Lq4}) zT;C6`3sfMPZREG$WDO*=W-`nR{Awxpy_r^6@|^)JSaVSW>-c+`)_zy>xS*|<>yd|e zJlJ|QBV`JxW$1gZvOqfqFCFD1E@{+|9r<^djPog zL4cDZ2bBej)Uo*cwO7E8)qi3#oq9n*az7)S*LI@T_ZCZO^99$G$B!v!oYj>H^7b+z z=XtJizg@9*@^Nw$xl(>q>+)&pn@nKPZpLZ70MS9mvlqp{gKSrcNFBmn+}X;-Xig)i z4`yEXc`ST@@!Lj$WR+wItGLB}w#e3t*A9TYQh!vYAdgbg%xebY^f-)bp*^{t`&B@S zMAD;Cv5GTSxXDi1Bo`h+8SXMEKYQ?GsOE((HwPN$i^{$)lo@EgE6G#bZKDMfHGXhs z2P0F*bhw8akhU*}h0sm}<(&tLQC+<87EGI!8MmX@ghQS*P4c+PLASoXduwMM=+^c- zx8C62xwZJF({y{XgNsX>Pi*<9oY(x7O7Eq}1HtV;yZAb_k&#j7?5tzqT$z{6q|Iwd zmTm(i1*u4ETHay2$+xpH>K4#3CR5Ak_PXz@6FBKaXDb!FT(olX7!|`erMtJbG>Z`{ z2y^OXq&EG=hYrJ;D9`xpMI~uNhicd(h2b zqk|6s&h{sj&w+-;kH80}{UUV&X%VqwY?|;B>f8e)rabHTjD>OmqCGP` zV!4Qs8{GT!W$;1neEew4*9MK1$LZ3Hbiko~MMG15ioqr5VQ+zEm)Fo?QqjYGN*nz& z44_YP%n9&;(R!A;G+`iQ(4(fdU()gpzJgil`!q4LF?CRbDhN;(jjE$u@CeJDXL3A$vd6q z(jYQ+TRcg;!bBjYaFy@lDDdSEQ&PrLzg`gey6NdK5SjQfNNNQD?Z+u!g9*?FA9S=J z*mT$|a}Rfz_%V+zgJ|hdaIhxT*Y)^Y+ZE?rnzToi5`C8MBcD)w1**UT-~)R*^uf%> z!bXqm&s0Bj-H_zjb6L5TcXu`{6H3Q3z;wv}&zg?OPDoWN1NdjMpv?ka!b@C{2ug(m zH$U4eMvs8bR+01r9U78K?t3giL)lw#wMJX5Ykk&8;hK#x4}fn=nv=Ufe$&llvfX|T zypP^<-U|b2AbtnDLa!|fH}TwiPakM^F3+g9)KOw82#vX+xxmPa(QbeUKVNhW zlRH{j!@-co5LRQbP)`uZ!tPF?|q_@5q4^xVo_10>P0~=pn zkIZuIo-SPg8QO4@?y*)~L-NEXV7%%C+M~}7yL1DA=(OpR4<2!Xjuczg-(CW*2pLt5^0+O3N(3UT&e&Vck&1>1^;HB;_}^ShxSqF^R$$}RIX4R$H%Xwb^}_0=)8-ssOO09^r5YS zc&>E=5smf!eWXFNG9b4o3bjJ3GZiWFTXaYIC-U^LBa-;>;>fy!4!I{NV59?(_3jwy zu!33@^qez*DdTBoX~{wAA*Ip>-twE4!@Trb8c{eH4e9J<0$sh+3gc`YM-}t&pn_kV z14vEH0D&A++0h5gp^}j5T<0XHTbXkeq>r##Lm8(-&6#Evz0v-%Kp&%PiA-9ecfyTM zW~D`Hi1>Yt=!9?g!VlfghjbukoPY%7vQZDDGB=8zOzq<$jdIb2WuP~6&>CAgIKX#u z_G{L(5NRCS11jrPTa4?%;ParhmcL*2(cpqHGK3W`Yoj8G*t8HPJmmo0#>IZMqg8l_x3 zod|7qIC(#(ZuS)&MZ$y)cPzQ*40!@AKfG|;TN910JR4?l`LYYAp$3W_AMzbl{%P!?WkV#ELgouAHc1EeHO(Ysz>kt ztu9pl{Rk14rKaFmzFt7yEXX9Pe%SQpu3B(`YsOpLQ3uj?iZScP)7GR(Yq}s3P!@xi z_aeyzWMlvekOZs4pz*l0&1 z5@7BtKtN2VVhs&7$*4=zC!BQm-IlIdc@l_ftIHrCcL>z46)-Vi*G^dK;<*#)<9j+*i4G4)0zu`fB%LhzYb}_-JF8#SFq;@iLn8w; zAd{;GGLf8$ad@DL8MJZKie#ceqRS4GpWvxWG$6F0pf{~+GQ@fx%cal6!n@^&%XRQT zcSi+9GT|iWO8Dpiq>>UARW%XCH03n8^kK6Sy;W%=Q-YQishoc|NGz>6UzgnnO0nt& zjR|QFiBPZZ(-(r5k_16&>EbnaD))AkXC_lPQGJWoQYD0jddJNB2*P$aPqMNkl6N200KO@~6lgEW~H3|p}M9`Fi~@u^RZ}Ag&-wEMBS`gl)uF$=vgM4 z+X2_E27E5Ak%Y}Q46)7TTC6SJ*q%gVO~P5YlU~XuwG>!S+YI&?TPH`#W3Qx9J%Bo= zA0@}zA^Kh_~zgy7LS^6n#6pIN52XP zl!-O}yh12jn-rmF-}i&fdEg^ap;w49x{>w`8Z^qaI)6J> z1(0K9d}w-Y4ppwcmy(7$peS~lvDBEUHb`o7`FImJw`Fv4!Lc28@^9D59CEF4LU5a& zlHI4kM^X&HhfU#R{PJK5*L3p&TOkz{gGtKYeqs>hCl)Xv0EOcXU_G9&L=Yxn*k_N4<9ul@asQ?O72^X2h1r?mGppar%Tbqu|+!KlRjv^6%vGKQyf6%Y#YK zHw&O|&j0!*+qT~~o3QlZO7G(ZV}Tcm2;*e_g?}oCKqrq|LOVe zELT@;U>WRr)_qe8Z_fi?{18G40sZtpd~s$vActNnxjPA#iDh+Dz#Toe(Z9h6-0*)y z2RhKcP1y&%D{zoqM(7gjf~3BFw;xvn!~PEk`Oky@8Sy`+@>^K?XL0`7RsQVb|C$W? z&m2HSF*WYf?Zu^~H{Vki{zaRcoBO7xr{^A9faNizvb@X|5P@~L_dM=hve2oIf8KMJY&%yOziPzhh5)RCSKa#GzEJtQR^ft2)BtGUwEA%ioU zS_TKKx_o-9@;cRG%cL-C0pOr^<6D{nd9yaQYV2Ie?L@QfOKBbF^1e$xF<$5q3^eq0 z!nusfH@miE`4!w;D7l?xG5i2rkp24wqN%els}>l-z0ha1Ym5=qz178tJS+OZ41qlb z4poi?Ml)$G=85nF)9N4_*W)kgRN#4ha+VK>%&PzO+XZ2?u#O3rFy-Pc7Y8i#M2qQb zPHTQYB(&Llw8vroB^q3?k%0hn8C{UwLXG5@`sWRvHkKX*7YP1-fmW6uA6$<5^)OsB zdMVbrz*8j8I;T$s>CjT^bgWiY^>HKc?7huJt(YjgL)%@EZ zzuG4l{(iv=y)~^7FPcl0m^eO+5ZY?a$_#B(5T@7_bGPrDRf%!V>eb1-wz3eA9}q~J ztxhQEt9Ww9lQ~kc>&?C2E~tBevd5OHa1U&ko+DTh*39sonE5|fkYy84pu$Zr?0^BF2cmvK;iT`Ws)#=gHx2SvYRrF+C&t~Kq_d>f_L=S;=Pyde)!vL5sO#ITEal^~1 zgP9sW%AP=v;!et$(bs_m+0YaE7iDe1rVH9Cy%djF@2vQ5@sJ4`zl6n>{nd4hckYBm z9^B;$^ovfo{A68l<1#7hb-N>O*xRR|wQ3f4Ll>m`JD zB01sF-Y0jqgV~&oof%r-4sCo%fyf^hg0aMctG>$6<3-^*{WqZZ24mSKVw(oWGS5BR z6MFObv2U}UJ7X!kJC;P=@(242@dbh+)6Go61Na2Tz&Vfi(h z%|-LBz7zh~v)LQ^2FxN_YH5G~{h|}j&f18Pe@S&`N%t797);t>%mywTd?GO#`KGyXF4~MFy=&ezAlgLhM%A1(4)baKx$bQgPNbo*XD$m^Bg!MZx8RY4FG16l zmOg9I8fMiV&1+G-Bnj?2a|g}>4Sb1jUwh_Q&dxcpB@S&|kbRe4GfTT+`5UTVV{{h516*u>lf46KVXx}LzI-^Ns=1H

aHDI zU`V}O^e7;?N>C{W+nYMj`#(5ADpN$v(1Ps~b~3P!d#Xp!)xDM%>sSgNDs~zE2fKAx zg*CpSFCBt9s#l)C&!NsK%1;AX;PK9~nzcNa`?qTdQ>y?*;I5vMEKrAP4!fWPt&44= z@HY)4RNZVDu+lICTH_q|KToKztn^AZ&^gb`5wQH>vg3!2MBC)CX*|fs&gha?b-SQ! zY^#>ENXYhXKXW*%h2wD#IWr@9e149=&z_ zLq`(7^vN&xMVxhC4XW-SRE8jzk-o|~%jy1N1Jo-fECNKtOmB$KtHpW>RQ_(Pz7112 z1JyRqpvhb42#}QI89P$obGhYy$`J05^w3)qOuC2%sL{^Ig>hz0-W};w5hOaxX%U-( zh-$LfPba$okoI9UTuuH&^+tn;4ye-2>{L_4KD(To3Va%G##<7?OnDf#a2kOtAkp)E zy`>UoneXg)oE}T3w%uveQZKp&J3)L>wsimA3>vd}cTSc=L8W zio6lk1$qO;FZ%UWWQZx6;`B3sr#Ryzu_Z*5u; z|K3K%GgEFj`-iLJHiH|;K^@G+UYiA=_HmgttovvPYlcLJyaYr&s#Cy$)=l1Dd5$1T z3FqlENdzSM{B|Rp*mx~F0ImSK73o0Tc32Bd)B{Te_5STh-T-s&lG5_^_}Zxadj(zM zXJGh;>#`TTAB7sn4ApCtTA~&~x|7VlSBi`kAwORP^-7sUudAGb3fnWfx=rlvpGD8e zf)sRERQlwoF6n@qVn7ur)8nkUrhq;aqoltIQvDKvQxZrv#a=vX&g+~^0ecRv`-sS6{F!Jq>r~8%Q2u$0GdoMpm7YVBQ zy3*sVD#BScW{ND`P*sCHu-T5ZHS6;mi%T?!Lae5R9m968 z)+~pNYNOx*xai**>uG7A9%+R+iC#M^!Hdl67EnhAQa4ec!6i~*9^w}wS2V9q`wOa~% z2a}R}%FySt=>cLRFFlO~w*Knlqh<(Ohw-3}Jy}FA zRYcJY=#S+n3up;&=4hqfc#H?c%m}*xBV}2Vn(MM5R$@hCZZBtQ^JJlkDL+g*BAr2I_c zumRK|Dl}>-kBld(!Z>v%DL(^Taoz*yoxg$fidD2Y1t+7XA&Gh&s6H?(s${#RfY`G9 ztd=-s0IrW(oh&QF>LT1{fsR0pq+(Du4)Avrsyt)J_qO5Wb$Hzx&J#GiVh1z9@&GN) zwgKv+IO!@Fgf=9tU^yrOccyna`Fg*9b-=XYDW&N$4(rv|tcUQ9B%N~JAdLm-!Je#^ zN=wUhlDru@UFOcPFF@DjZy(H*nr4|HRO-Cyc724K*zhmvR%B@gCq~m&UQcZL;(alI zbRAQ1h>+ZUdH?M)#3W`lR_ReZ=2i=4D+ax97D8RY%i4$Cy^3HK47y7ImHdUHziTy4R#0BG|n-n?K0k;a=sN>=!iJ)mq++^0)%g})vIAXOPL9;_wex=^# z=vr~6g3AULCm+*7Pn2i(1u6{^0a~I#_^YIa8)XF&L24ZU&6BR5K(d4y%*o;gVe3mi zL}#2k=ZWd4-l?q>pdVP|d^T~%oG-%uY0ghZyQhXguAW#N3l=!=XV;*aZXGI{&Dr7X zJf0P5D2lOqwsK$u%hKrFsDKbS2Af7A5KnDyBs`A znk1NCZ1c*`#>PIPKo~tMh&GVe z;Pzti*?C6C!0B%1hgb1A?QokumE1=Kf(07Ux3*C-(eY^Ncw-kC`E<(R;bv3^VW)a=-hgEai~k7eNF+-zqpZF?JsG(Zq|D=EzXh4lZr z!0lg0`A@L+Cs_L}bM_~-_9sjG|NSiO@OyWAGjnqZFI^u2DnP$+@boO{o*cGhRVq81 z{a*ql3Oyk50ZsWX2c*CW=k<*pa6tAd9ajQ`)PM41X#vTB`}r%t3L`te z{?M_*I{pWp_RoX=8Sy`+@*9c$&*B8z&Hs}U|7TbEvycBdfc~`*<x%n3R~+4~t`w73jo z_Y!U?F|YUqcF*u@VpJ`-iH`aHBKwZ($*w%mX}^1x?;QNU{#T288NGT`eJ%&#D@_6Z OQ@^ZpDgWZNd;b?C)@Qc> diff --git a/versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP1/Distributed-API.png b/versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP1/Distributed-API.png deleted file mode 100644 index 688c7c2e1bf9d75f570cddf3a92fe9d4b8ee0072..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 49935 zcmeFa2Q=K>_b-fy5Gl$Ngb*Q!sDsgaA7ylgB+86l2BVD8r4l20Nz_EN5F$-reLWsAHSoK;i<<-Zq2+*a^MtziVC}rX4>f0;r-zH5 z2k0gxBP=Q`E+YXKmXi7V8_?zd`MHUmqaDuWKTHGB>F59>S2(~oTa?uL#(G7(AVi68Vw7svhB*Gnhq2cO|Qd0$@(bTj;;I-BK zd{oS(@cyDMs_t$GLjw&fcQ1l2)?Hf_W3R7;fV+C=I;c3PyCOARePuk+I`(2%O;=S_ zReu!|BMV&@M=-ONrB{HNor9(w&?-#{INr_A6RRTXZ|`7%v(m>)E(^#^K-@` zKtC@}4PAn$3_{%l=dEEW?x1C9ZtU%ZMg+n=&GhZ9)KJb61Zf{*Cmk0l@qhs1Kp9Ov z6%zv;ZG@4Xs+TF=)zit;4UI9kx72XQXn^t12sf;!pQSUw9_J}x4@2M)-X>ah2#l10 zr>B=U#=ue1#m&rDUs6rgGC*I{O40%Et7?X~kjCigdTY4ZJ4hof9CXyAO;P$-3nbnO zrlw`-q5&jlqVE-G;%s1IVyKSx2JEm?LFs6_nBh#V#Qoh>?Q{cB(nfGG2bi&+nyM&4 zN?XU$LEjN>V5cdns$r>#burOL8hRKwd&BJ2-5k`td?1OLsvw*!;C9}cs_ri8nr?v@ zNgXG=F~LyV5DnBs)zQ-4QN~2a%|c(-)k4xUz|-7UU0UB4FQcRGs-tR#Hu4}4ER4LJ zB!C_}nmB<04bU#0R(`IcR$|@~UPfXnh6HUDaVH~h8Fg_tf)3gZV+tCXi)wD&GEu9TC z0}Tx%5k|i1`eM2cNMn@%7~IXt%1{dEv?|)jz{CrwZ-sXBbT-5~N@H<2Z+nCx%-qYt z5FTI$GnO*&c2#jvF>*Aug87@v=(xLxTIidaOFB6E_<4#06QU~V=HTS#X^#^#f*I*s zX<|?+7TPW@`Xl#d<(?d5{O~~FPT`;w)p|iQSlbuF@iiV!Cqmctb$61@8q8BLP?5uBW zu7j~exm&t>nWMziumnkQ11mjkFDY|`q_3#I3>d-{M0qPnExGxfzSyiNkI$*A-ql^*8513Rn~e zDZ4=Mt13!E+bmE_R8zy)O2PszuA`>v?J7eM^U#&{GBx$WU>(I=)!~q-GxM?tG(~s^ zXov?I*c&0?z^ZBnVx$SaT7ee+7-KIzaZe*lXhb9yDP!g=?J5@FW}szhf++y13$E`jIRSQH=1aDoH5$c!$Mq77v|_7~z)A}2H)SS+`xe?_NwACO zO0Ctj5jP6gB=JR3Bh>c`nDgw9=ZR_F7k^B5;l)MOo@yzvWW!4)e$!_8?e_kA1G_c* zqb_nkXMOsY<=x&4R4LWZ1eRHEmpDD$-V0uMmG!E=epP<^WFoKrgYgYzG77qIGD=Re zh;Yi=ckT@T`sLifF?F26gpq}n701oZof83lOHK_MX42G5 zbECCJ9OX2IPUSScN{5YeLMd1zuUh4igBCy+uFOQi!esd@oh?aLoKJ>E?Xc%{ z#s(JJdr7A*9IlhD;aLuqF5&t=J_$c1Le~ycB-;j z#72eftRbJIFR$(&ChGyA!=`$q{^)=qMdismLu1UB(<`49G5%Wy87f8$-Bz1l{9w_g zN%bk}WM(VFAzSDY$w(-@s+E(6;<=QhjD3G$edAV}qp)r86(% z$^Fo3PS5`cwDBU)w?yHPKU#B~C+@3Pi$dtb=l5yTWnuqTohBGtJfz1t>VuDZ*ehp# z{y&g?-@n^Q$;y6_iKk)YeG|pV=U*4L86(R$D|u)KIEZmD{>SI`U%EYXP6 zx<4wQNn?v*Iiu+P<&!1)+lga`oGy$5jKB3Lf#HurOOborZp!fKoSLuO#;)JP*KkWe z=rvFp_NZO$@10v;`|62j!@hY~y}!3z+Z;BLY%xUmnfX)ltGoDu8%a`rG7U47i65Cl z%1k7Am(@?CTp8j`ckj7eihQeHrF|t+LnjgY_tuTn278d}YSkYTf#S*Ocor}ouQjx@ z{BgnYflGc)g5Cp(R-u~T@8%!g;W&;Z4*P%gz>bEj`&n2M917Axh%ne_R`62mZT+b8 z9)9LrYUsbm;tPj4)>5>b|D#&@lbwp&vy(}m1Ncaj_nkQKzuz9KjuxqVBLnAg>~ToF z)}Qe*aExvASLvG{cPGCDEz}O|u7~a8G2yLYVL#^|FH?7$)SPzJwJTEr4xK$p=zcS8>_J9j60jb!pKovTIJe1$$fsa z#lERIizR68)xd*L;Wyu|PmYf6@2yue8pwCoP6&BM8D6lfB3e4xaXn`K+upncwyw7{ z?)ipr&2Lo)diqlb+R(_w8N27V+bAZ;5w_!9(ZUt|rh2~WgHYvo0=AhQ?<>}i;LH5P zqH>HQAgB6gR?rXyt>8BxBB}M+7ayw<4HOAiF?vXykj)P^*u91A(fv@&bciG1zCYlwwpvkyXC3)`AGSx>l)10 z#!o5j{GN~pfC5couv=ep21^m!@~Zhu;THHCd7~8ALYj;AGnp~yTP)Na&r>+ zJ~InADJ@M6cU@PperH02Em5ca;Ubb41@rHK4@eZec)ZJ8_xtGj9i^RzmDYNqGBj&b z24Pj3Hn6u;vFJ9JC*1d>A5~&YV7#PHB`-Rs9kU3Nla!x-M2pN@2TtWpv0`vr`g)?U zJacQpL@Oq;5-v)*n6MPfWtD4p;|04chpAXT~7u1hm0T z!2w%>i%=_IUS`hhD(^Xez>jfmx|z@mvD;B^x$|R!$Bono8O9v&zkrrFwto0MAuc_* zx?aB@QUx)Ckypv{iSljRY-_##!Bn`XURf{a4Ch zcN#g_w&^)==(#3l8+Sc1nJCE#rxMufPT3iWf-$OHY9)fHDaZRyTTy0CR?9rX*C-2> zt_9Ma1f)cif)l$cK|GM1jV$+Fq9pWD3MG12Wc=o5srt>1N$>i~pIOxerxX^uBN)9C z1-c@&FQd$n@loBYU?bF}!gw9yGjbABKN)Op{#4qR8DwERf+W7Y;#u1#R6YAV=HbQL zUy}eE2x#+Gr@GBaw-E=)jUoJKNQYc&=vHrbmD2v^$3z1_izn>4y*%NZsiIh^{Biz; zi;PTK=R;mz@#%oGeD!2uv$;t)F}E0azt>VA86gR$$wz9unux#Cx{s}z%AfDnI`6^JorF(l z{V?A&lz_j{D%afji2>u9V(I9z_vmp3Wn!NDX8=+C2fTF-MxgRP(WvU+c8h7F5*u75&`;F;cUP$Jv=K*W2BOL=#y=Y})n^!WlO zwLdwdd*(A4%bBc~kQ%?d2q|p-CqAXk)=7tzCF)!jnI*1Z7-9U@Hc&APM!ogJ=7evO z{Fh52ug|*?Tf;tJ?iN3N{h$KI80z;i7fCt5dCH5C4S4EbF-JQ3&CX=Px%x6^jc=qO53 zj~9xw*|+xGAzS^a79|OJjw{ePQ5OG%dXTIz;f5{5G<9yySjx5!zp6vWhpia-kh6h= zW#gbt+C&dUG_lpjE~$RJrJ0I+jYrbA{{hcxf!Wy~*MUdfbr1L*a@LbqUXY90P>_MK ziF7TsBlxrDG40yk_Yg01Ge765lggtYz_PSIk(xgMAuw6k-Z zF5)!#bmJWc4>Wzw9y&hH2095{fRCIvac#%ho$PLE+=0Ogpa+Zk$uUaH5c8Zd2l-sr zR+en~wZO%9-}54ZdWbvRyV2929hgk$^`U z=zQ&4CzX%45y^p!IF%xXWplRpUTneDsYNRQaM3oajgMb{_aOQ|ZuXno7-ztVzFYOyIGUM~+*29Mvq{PH} zHUouUs)UDt%fu^3#IB3k?KhBGzT^gb`CjT~zdKobDszABL8 z2qF}pY(#>uLN`L?ljKAg+&GDznk`(+mrDoIhDsW*`j)5RF^fgwY_e`030u8SPIyE2 zS7$9CcXpBGr-Ni^BIIO;Qf%0LN6Q!!$dJ<+NHM--O<7oPz43+xT0JXZf$QT-+;oy; z4!_isAU(h_ehZDiLe4g3;`G1T6+nLB+qal`SywMAXRcDVOw@uMQTy8)2B{|;?1)d= zMw*=NWNlqhmmm!o=WW>Ks-Tc06?D4)DuL@x8x)H*9))%{JCL=1O?!po5!*USvO~#{ zt<#F=NlYWcWoKyOJ_Lci5cquz4N>n3u8&3WkBG{j$&wy28bPve(GTC&z#erc8e|T3 zS-Pcs$~Je1qy;1@%K;MS0`7ZuP&EY8kR8g5e4g1l&G}OznO{F6XX-lG1*`9xn;_~x z0e{JaTjOlRGxAGne2<_TTU!0?2Z`TMyk_5J4Wh{ z_B@a~K`P5==<14NJA1ZBUbm-LCp@J5-;;1K7f^4R=DIX7XeSvS100m~)k`_b7H(g7 zmKsq0r;Rddxj;L23u-2hL7h{DFo&+|U? zB;@61HMO)7iA|hz&s1#>(H9gVRUR@xX*>;eZ$hUA1qRAsXY=`TyvvBNl)6)QIpR+$ zcQ5Imkq_+8;~V_N*-+E-@Q4v)8Y1<>R~03{@9gG!hn|egQKVq~d4_}v@neE>$7q~` ze{Yl1`q*}qw^ooc&BF4TICQU!7^g%nByt-laJ7-w1V5p9Z*xzN1mbMS= z-%>SjyPN2FoT9z>e;n&2>znXMc5>EcUcG%Lnu9J(0_9qrtkG|@WG6*543>Gw!l}V5 z^f^5|ke$5+W;t`0LHeS^sS`=_oH;9}Q*DVx51vwc`8eOw4Z*CKiqMlYX@?Wca-45M zr)bU*^8W2pUB{~_V`v$PUeTO6-qv=+Ge)w3*FT{e1Aiqk(*&jzoTZ=P1LT*{(?f>} zwF)4gQe!wIryLs+S*mwP{{2@;Las3y87DQ59?5k&%9U_kmZDw2FM*B@BL5OtSgx&E zA3tj`a6&I%IGD!F_-av47pk!cSLS_grNqb#*QOs%NWMZ&0=^(;+-@dD)D}Ybysixyghp=+45y!n?PumoLgiwwM;xenj%PxpLS;+jvQ zW``x~?s`OC*+8gLlcK?wG%MB*nqO z;SX-Xna%e_?XIUwd!v8O+_`;wsHH{w=S(FX1)RY)6QUJzsYT)B{Xx5CZ>=rsHPxMC z!%43gG40muYi%eD{kl%!?`WTy_@JG46WlvGG@>Gx&!oJBP98lV0P8Tsc>ksKjjc0W zs?n4ZowP()bn<6zrx=YP?#v$|9Z$997o(ZuD4$$xs3|lyPdJ$E3^bcY{FU6Hu^Ed< zY9WR$X%SJ9pgB4=1J2|f>wC9eqJjfJ$JWXWg$ZQKk8~^%$Dxyugo=R2ZD(Z!?NIP= z+aEcc?#L}>F%2LIvHG5^HfTEC-sk`iI$P_%G1zA#Gi4D&tP>nI^{VR5@!=#w1kACV zA!xj$JTmC9$xdG7D!_LaDH4>EDbtwE+H{PeLpPtRA+W6e63#6tD0ufc{X-2Pk)x!v zCY{;%7eFHM$i>vje(v>+CR%L@GX`60Q+@#iYySD7`iF}T<=n+seowUx(e z0FH}_Qo!}28Wno@_j-l`0Vo|nj>yrWXpg?^z{3x@5iFRa{mSz}xcNoeBx2l2x&!{7 z_{+NGFTnqn9i1701ODra{CK4jPO$p}jzbKg`rl?q+FhX8dyiV48qF`R3aHOB&Y>>6geKJl7427*LQ2MRn z>$T5AVYfo*aLH3gw;;j*B|^hFvDI@V)a zI(O*2AS=moYw&J3i3^)d7GtB8W3J#?zw2M|{We?G_Cmc<<&T2w(5kP2Gf&gK0dk1M zuMgv^@ik-Y*qUs<)6af}W0qOUiiLM<2oq=UBZQxo9g<&5Ol~%x^C4D)OZhN=L5A4; zYQ+#P`m24S{-Xhnr^`uMrKoSXs z5~R61wM#^LH^?rF_s1|{sGSATl+#GCNS~oun~+sAsa`$t%3I9VpA`UV5pyY4ekn3N zY;QB&QzL)X$Hk_{spm1G>;v~>7{F62Dnr(X2d)t&k~8BrSTN{1h0XEA7+#pttIp!I z_Fo53O%zZfUDK!6+F!Z4dz59gv0%z(rRpU*1&A=EIcKxY3SRT0_bM-4^X=A{FSglz z60|nxlvy*Xf?TSZ()YwMU-gQBu+<>|Ow2M_IbT?>T?qLo^rBsC{xc@luYP}bVVG8= z=G)#%fszai_Ba+GW<%`Wjr97}5b{?!*)IOkS68_5arM|exgh{*j&p>p7)gC~e^IG+ zN~SSnDKXpEWMp>YCoX2Zn#Ah%Cik9fTZimSNm=4<3wNw<{qCG+`r`S3ZxQ+RFFq<( z%gn8&kM5A>YL+|aqxiC%Lqm5Ko26uifjF^%A$|~kvJHT=`N^yxEWVW|^$osu=Gy#S zfl{vz!qx6R=vi8ujdv1Z!XfzYFo#;jwa*yr2cZgg5`!kdh0?cwFxN|)S$aNuOEs^s zKrl%Bcnv>1@p{maZGBRze(+l8<^+VsyCdBp;B)@IQ=cR7ipa; zL)}BcQnw|VGe;bCM_l;I+XB$M^8l#Are5>+2D4p#zkcKVPEPgKbn)<6r;P4j{C>|r zqod(lLRG&WAtle*>~9SWTRLU-U9F!ft*%m7`}{rzPExNov$*!kWjQ`J*k0^TIUng} z;tKc9#PZ&H{b**ukEnSePlE2k1m|SUH2XRBgWH9&C{W0^hEL`$<&$QUd*_mySQ1C2 zLid)lrEF}=0OB-1o@kIYy-vQ?wjWyc?u+$VjNY7BiTJZLsbiUE2iVO774{cn!z8HM z%ffbNNbPay@hoSucW0g0#x#ic@pa3Y^AKn$2XOY`4ynwy25Cr!rsOh7R0su0pe#c z#1$>LR3%Shvp}}RtY0clvwgGx5YL}kfz$jIAQ}bt-UpiG+-?F;GfW%mQ4vdy-2591 z##P7td6fLl@Av6STbz|O+rta~%+>*Rm>-C_bNC_en6qnnA|WnMq{7Ls|D6jkwgjMd zpN|RyA=_U^{Rgh$GZ}9f-0P3l9Np@#2sGG2EkD8A`X1f@RcM}#9BV3i{sP7N!U9=s zkus_Qkp~ZZ=?(x@@ADfC#~$#V$q&ADENCK(4b#5{%)#YU+gg>TDw$s$Z{}OjQ=9M4 z?{)2NG%I0|%&l6)5}@LhGH-nro0z3Y#NbBd1V&x-bW0Q`Op9tD7=*K2kX}(|xu`yZ zK-{$C7w24(U}7wb5->%(E4?u;T<2j$z@TJLCJi>E#WP-m(C)7wB$h6zv_1Io0i(0Y z9$X(r8h5&}2nBZ}9n;c;&9hzv&z zk)EwiK)@Ayy>F~ZjQynq&H#zqX}=bSd_KZAqg!PUf&xuUS0wVsvx4RaB^ZSs`;W(W)@1{k zcwW5IhxD1t$h;eG7{f&>n91h6O^LbE_+W8b0qw>$g{KvU(cU`9y{$>CD{5CyCkApmk z(Pb&#!~@5etaWjMEs+r^{ScPjcp|}nsXk#0Sm555@dj5gdhHFu@>G*a8S06>-e}G? zOvI9Q5sUtk_LDSifMBdSjt$gKo5xjie`8&kg!Dy_p(v47c&m#8kgX@fL)~hkmGtdP~nNtwB<NQxs}ZwvV->5w z){Y%JiDYl3;e&aOFLp%0UW1^cRP5EZT)*D!NEk0wXI`rH7l}mFghYIefF8$o(t1=Y z_g!>`UYe-gbJ%MTNkmGTd|}0)cYMEJD5x2~cI8oaS};y^`h(5hlD)Y0k25#QiebD1 z(MCMM&7t}2o;BXhptWn1CC_=8Ilcu!w%~DZB%x%rKxwyVdpUbwezP$xgKir-s^ljx zQDw6DC&U83z&`3!LRql-X_<#0;C0vEnAxqg(h=j{)>>Dd&0l}?iruX04|plVWa&ri7(xaWthReZHCQMSrAY-BBc+3MNz! zY_=p-PR4WsUNq7X_==ua33omR#2UA4e|!DKwU}3ukmR42Z0;(N{6J>*+4~0%;(G}R zvCe{|2lA={q$ex|#v;eg2YX>2v`#6>uwRn-5HvkbnJs^hzks$$J#nA0*Q{NO@Yo-0 z2>8XhQs6vlI>`+3-cJ9dGim^sD)fsVtuXVSUgBT+(4yW6GlF&Txj#gx-M$~$5Y3y5>aT|h{P@i%x z+S={utNg9vB;1yE-Tg#HrzNia^E=;;bp(BAe8z~;`SBNKmc-`ienNyWRh=Q3&`jGj zPS5=lgtxs9V_S$FbX$u}+c`HPVra<%3&MgX-o<5gfy;%Dva{IKg>p$1!HO2m>ZVzDrQ#)1zuQ?SbD3D3&aRacBr_tnccaSwVz@^ zJOgWN^c_1Ap$OoWkYC{^_3N`Fw#8-Fy>vaBs-(@pS43cqQeJaj8O&Ce^f9Vg+jZq{4#?CHfph|Dxa z=th4g0lL86F^#OnX+LH4Se=g|%2Vc-1T!{r4dLo=OrigHYQC`VKC@cg*Sq-c$AqJfap%Dr6&&dw~l8AS- z_a6b2>%NUk$OHtC`-YZ=uO1ji;PAS3UT}Tj?o!^qbeec`xsuMA^4AF+shgjwr z6Gd5yK2)P@OVZh+fhk37Ml-wsGJSfw8v>`OH2`G#7ov7Ir`*~jvgGOk%8065P2#}; z$n>Z>&y7b;JgNz|F9XQb3`chYGB(aYV!02^dSR@^@z<3va~(parndaX-Ka+XrBc5W zDqg}Zx+pDsR# z1Ni3!_uCLA7#9yvR?Us5+nQtQIcG_K9dv0orCBpD2N2}PHtgwNE*3#zv0CATGqFMn z&@5f*0Deql^+v0VNnf4nlRWI=um8H!8VCk?otBqT+2AfY#djLfvUlQnT9Cr90$1D3 zl*e7q8Tcf%D$0lW_b10cc2gph{ZGj6_!;0Yaz-2miW#11RY8j+Bafl{%zV&)Hu-O5 z2y!68Twk0amn3`Y)y+aNLYa1Dq|h1C9I!@1mGGd7<7cVgQIk)m(?1l?i-M)l1Q)%3 z&YAq=oVOca!%$Bt-Qu6rW^04+AgMFt5x$gZo>QnR=V&nPkERuHjw;jSvAP#T*(utE z+Wt;>W+I;-c9_z5>A+}Pm;5w)?H7#nQsA+mBGW~O>vTvsSVW&Tf(z1kPTQMg>sW5p z#C!niOPvujWuqjaUiFX=#H0MDECO$l`9!lq&43mrX@m#iEd%L22Ehs(W(pJniLklj z{L!&T5%)Q7nw%t`G>01}P#?5qxzJGiHL~k*(RH$A{aYvcs3KtIPhWa7U{vnDPqx0$ zF!bo}5T*nDw~=cp*6LRz$tSN2Zn?yAVDze0+kRkFjCrZQo2rFZn#Cktq&Q%hCbids zB$tHC6V8TUlM8CERBVZ60v;KSsJI_qc^1^76@`a<4Oh0Le1lKTWA0AT58pI@9r`7= z`7jL;6_-S#D&0qCi#6lsiGpMh9!^g&R2@UD|KKvU=%{Inp$8ocrcZ~B561KuD9#zc z*1w~qhX1hjAGZFZt^XK-e{AbNw)LMQ>mN_x9|!9n2kRfd_5b^IfYWCNL>9N@bYBn^qL@u?E~8y*+WmQggbKTzA832TRtKA)ul)_c)-^$( zx{Ki+YToegYLO56;VlQKe$H`<+34c9_>0FcG*}b9sFsVIGHGDJ*hxQ_x^*)AY!Tuw z3RjwEr;3tqH$ao7aW(9=Bn@4pB~PYA-Feq?9maG!_r7&nfa7CcBkDq)2HD5vtQ1fd zrR`m^b#4<}q9COygDv}UZdwwG<(^}p-H-e657aN@q>#8D?~x;4P0pxlre{%X@v z$Y#1Bm23`RN<);W>}`J0Z+Bq*vALDS_X8#`^4U=rayQ7{gyolBqG>rt?lu$mDma9e zRk-f4GblK18?W5X@a**|%MSw;&%XcAz3UI? z69nJwwxEftV@_+Xyjhl0h;ty5{n;ryViCV41x&Z$i>$qn&FH(^(IWg`0AN!NzFXyv z1_Wde0sEHsURe-ps=|33j6qL_yHe=n4~t;h^ra7)rPr0wqm9h6j>Pf@F}Z z6<@K{m7vPBp+kPT-Fnwh+B%KoL0KQV^M;jz?w3KhA2p^V>`eC&$}Re|ZdqSYY6ah( zfHIU0YKK8|7T3%XRFXIotOSZ=pRlpB`#}|%d^Wgl4dzOa$}&1vyFOAktcR6~ba{7^ z20Q4G>Ic$0(yxT=t`1M8dn&%Kb4*$|Ay@d4{OUp8q#+%!`=Mw88%B&cr0iKa!6dal z_f^0Lq7Q3Hm@8sssY`kaaa{4f+8J+|Mmy#8r_OlA4gFM{a-ws|I z#@paQB1=^n$cMp#imtWkyYCj?-Gud@W`uSiJR*t=3BbTJwWO7GIJ`=ENYKn_GBhXg_97GZzqS8i;T2~wu1wQe2Miush) zEZt4_>$j}^k@39ya~hP)1>bhs96cKnyp(Bl9=<1c)zvgPgA*WVfV@CIG16pqSZGDN z*oQYDV)rEzB&cCQ7LG5J)G-7yn!ZECk~XZ+Q9MJ&xnEBs$X=< z7Q?z4wL$IW>I47hr|UqW;IKvgR-fa?Z79bC6xY6k63^zL^4lvQfiAs(@1Ek;ulzEZ z$+TS9$1ISP<#=9UOsdExw9CNx(zhO zaQFM^FlTHV+ObtXBwFaT^S#^Ip<7e)HyM%6*v@p1*Y~&k%0l~w(v(24D_qKdlgWM9 zZ@>ddoU0fO?fA%yvL(ku2}`7ub0?X{rrQL{d>05GgNDG@Bl6ez3*L=?eNmnb#qY78 z@Y5L`H}*|zl8DS{{k+tXmf<+o8$-re#wJw?;P7|!w(Rd%Xf5-Xn0}; z+KSce7i0&n`oM!MHm_SEU0eB|z0I<)w&b#58TIYe?}&oIdh87ZsZw@kzuh>Et;g;O zjo1|@p(-rjnE}&%oI-Iu_b=}xSxq;L9#NREV}$f=ErP+`j@zdWjn}WeDuYXTZQdWs z$qrc?B#|w{NROYg*rJ15xl;w6zBKm1xj#d&RFkvN25rw(;6Z+1@NzE591EI{Q#<9o zziP7&FXdQ5{RFvneeS#)zI+XhGoAMYE|5it0uNG@^v;x_Ryjuw>@aP;!c?2kL80d@ zT=SUo+bACjJz{b7LfzM4ke!8vN^$Eham*5U9wb{>4}N7y+`JbJr5s8kB=1g_2oQ0E1Zv&GqdBKYi8Dy59I1DhS6n zow3jxU}u& z_EEev{%jxMXwCsgL!sNw@5K7E3J7f1t59hQ4s%OhYgE<>6{vXRgZ!5MI@dQ8AQ|mb z-Kp}hwc^w-GYzp6Pk}HpK-aDAbwyaeXIhPg52d_(7_aqVboAwc%hq3tc0L*Lo6^<# z&S$0V0o@M2Zw3*N(};wes$c1%r13?B3{@w0((YY{**?7*FTp7qaQtc>9KTm4yv_h) zQb=G&@6X!s!3QFgj#_~N4;kP=uIAd*!btSLLywA$fPM$z8oJ*H%bm0ldU;d%9L1|r zwb|^ieY#Kmy6#at1-tTaxn*Bi#;618f22YE0^Fz0f`ZwD#ZFrAzr3z2PXRyZH=rBi z*Of(K0j_3$=6iK8UsD8(DfT=RX9SKcc>~Lgjm8RDL@1@}RX}1zSrqF`j>6GW5I4ht zyWzA}y%mPY{cZO+M$f8fkvZD^iH(A>%-W;%1V!F~br8rik9uKE0TuaU z_OF)J)!p}2TH?_Fk27%|cn9{ya==G9X0gp+`(yLJd+T8BC0`!dP;UT+F7cS*<)(8E z-ag_1V@?+^{Cm$Ib*EitzpAn5$TSG{fl5=q!fa6B@bCP7TXr!41rkdSkn9t17oX-k z_MeX&3%k7nZupnM4S%aO;@`Xb{TE*JV2BqKKq(Kv4RS+qw*U4j5$@MgvciJV2HBs5 z0F5ZjKKIXZ|KaX`tuom2cmYHWDjdj-vYVCl{bZz73G&(%+}y3GoI?5^QF^052>wOR z64B@JDaZCmCSc720MPax*2F^F{Cqmgz6bIsp_&CB=)s$D8*T8O5UK)HHN3fTS}|Zr zq}c2RrwrKgY~+?Vz(YD-74MDoc!6Zv~wMLbV-Q^ zqzLGI2_&IyO0;OXBErp}DKE#um{Ocx)haBvi$h+N54fR3rvqPZ7!#{73C?Tlbtp9- zyzG>>xllRzp!mxU0>E-zDz;O3ss7-+FH6VVlNka>{jZUgd@1m{N>HcJt53%BASJt- z-hT4ZhK9lmvJ;+n$(B2kh7uDUY}`%o&u@oILX-0YfbgEfs=^%b|OUgvNP%pBGbp! zIVr_KYK7zDtjk7gP5!U=e5jo-G}K9FFtA|0qs&JWgXLZ~P|!*gNKl=ZdAbPhU^uIi zz*PhtMIbeFFDsK{C%KdlxV;yd4s=b{p5|)^F18t46tlN+2gxya!g-+;7lNY;f;35? zawHd+`18a|l&193;N6|!pNi|1zzexDx@C_45ygkIawn?pJSu&1l_noY(O%JZG)pCL zHrivxV2!RzIXuLh;GA%PD z{u&N)OWf|(E846zy(Zc<6dWjNAF=_J^Lr;cRyjxSdA#V5oCo*) zv0?P&Cx93Iy70Stbhi_#vk9ayW}vAr6rjH@sz+yAcR!9$g?KKK52c`-1Svb~Cg4fJ z^YykCr%#`*?(Xik-R(9)QK+e@VeRcNx)=2Rijj@H_hx|XlZr@i-_?vKr>ZE%m{&{3 z-<+bDqY)kbBEDRCeK+oOUa*Jp@UfyB!K~XvJ@yU5C-wSIWFz$%FoKeHANK}PgzIge z1d|nuNUb-^H|$KN5?wQX9BoYs_YZm5oQjaVeM=eCrBz%)v0okYI@#xTIm9@I@ox01 zP-D>YoZHr|whE>YQIe{e`o~aL{=zJlPu5vF*`{NKN1w_+Gu?X3swIPc_1$GaD=66Y z7LO>kFW8|oWF2D+ZvvIuK3_bTIP&?ghX)fsYHDE#7TU5UItV^0R~s-k)bXM^%?-7o zIn|&Dl`16U5)cqwbj z>Ot!#wlK--&uux!ioD_UrH&v1bL0K(J^a*wVeP@%AHG4&@IjI*&$lTIJ{ZhYV`a7= z<@$7#%G|_(D6P8Mj_5*zC5@T0WkG}%n4>6eC?5lap6Zepjwn9%n5YkNHiLL6nnM;E zj^Bz%d^_;yGzmrGVwLk1I+{o6^jq|x&9`u(ZyL0ImUy9n2VYjZIc&UCe$i2!1zYP! z!yUJCr4Ix3q3Kk;%li!=$zk;C4LAFt!E)}h{3&A&O8*yS%wAiR!F=+5hIk&MV}3I; z>6xDF8*9u}nQI%WKXt?CS`guzk{(;LcW~woJLMrWS+bF38lCioH!@aMiE~$u1#)Hi zUu3~V{MB}i4rDgpH1d$D3l90(q$9DuQNGmEQzl|F>R-OprVv_E^Kzv)vuthSrC%)fjYuQJY|M5p;`cw=eRgIS<^Xso$SSGWE^6m0^3mgQgfWvurRx3@AU zCHW*92^A@O`RVD=s&&v||6g_R6bgosD9lXfuY>AtPNHk|;>65XVe?0o&9TX;DWM?; zbXfdZ)?Dzb<^m0^AK}W>;2B5(a!80SE!_L3#@ai{kvP_LC zX}Q)nB1E6ekq#6jYVuG)RuAZ~{Ngkx5pUp!)G`t?9_%NaTjb$sT4j+#Gu>-w`;K~YGS;TWYVI92V4w+eH6 zwthbif;Pp+f7RjtdPRr-DMeog_uc=g6#e@O%?2`HI%i(z(W&YF0V%mr+23;_zH)Pm zw>nezIO7t@mOZ|#44$4SY1_bT_bd3(*+ge>8y=IHnmPNm;?#<|{H}=a$hVAi374LW zbBpF|HbO_uij@xx_*2=YP65b}Ms*bT@4cGIRj9L?xnASWU|ZMJ&0gyL=Jqrk`kJPx z$x7+KO2c)a+=*&{@`#a zWbvhnXon6L%C7c4{ODM9*&b{B1!5D68KpBYGme-8uiK~{oN#kLRt-{B8Z41j+; zgsNow<|k5Z`~gy*Cb!%!KKv+Jcsjp=e51oNbj%;T9gv?r=$PKY9=5ZH z9FhACo)7JZ-gCtQq!tG~AP}_F%9kFN_-4bg#Drge`H`fbXja|QDf#Yc=*3sGJM_3A zR5O16iDJH)7TS^B?~~Cy2$gv~w?hF@4h__;!7Juof32D+tFJ4{PBynH8eD0OdcQdB zaO0$;7XS~Vf(EKbCZLySNu25C*KTpIZ)Kr7dilposH(N{i77ey+&{7tgkchc09(^Hg=d<;^N0wk2`c4K;Q{SBw~}&A6K;UCx(RMx zUu84Nrc-f^6;Z#pLQXCO=~_}`)2oiq$dJX2FC^eQg%;|wKNBgfICW7RcDtX&%Im+)qTG-`{AS2XwfH5>gm3u}XVyuGq(G41rSrz8#7h5LA*J$nxz$ z^ukG?m}|WfeEte%4po^?GJ6s9j6;o>)W*TvoCM6hsHt+GPjHwWk-!wIB|a)kcf(#j zq=}Mo8B@Qz=3}6+ngkH*Io9PB=K77M@h!Ss*BV*b`8Q)jD#zHzp(il&{Tp)>!1XO% zi503VKB!(Jwk$w@(pYw8Y+z&3}3dJtv706%(ar3(<(pn|fRyfuO9OIz!+t(iy%^2Jn>^>+~3+~-d z%ydkq?gYz$W2-;FL~f1U9vNbEt;0Iy6-sbigm0g2ROpSN46PX%tO|{h2o1M}G?U*% zr1^L_q=WYUV0Rr19cH@RBg&Zk-F@r}WU-idxmfp&U9_SUQcS!?KAQ%yPipE{ErPTb zbS@Xm?BD{*Iq-N{WgI1{jyby1M@in%;OywRz#O<=r!4G>ZH8;k|R|rp10KT?9|?rB!3>_8R7C!T4Qbps7ihNIofj8r2*WGqqzta|^9# zKAy#5YGR-zH19P5zq>mGJM)aE1H9C)rBlURLRb6zIL61J_vBW5dK6z!4xz(0LBdHm zXV^L|C|)Ge;C@hfd&on>gKhX#qu~Tu8%|!Op$Bmp^i!eqmOg8dHRp#6MBi5lMucB< zv^k@uA$?L}{_V5eDdvp4UCb6Q4xChQG*FYDav29iTf3|#ZY3P-1&$xsP1}mWUciEs zn&&$L(kBp~nsEvO#b)KcJ>pY{(*5+yv~X1BPua?t0(07L%PoaypDCp&ThO_P4m}1Xi*hGt(`!^hS5dIPj{#h!* zjX5hA&%)o-29da3G5Z#qqDq^umw<^(g7?9oXeSUdxDruj<*plt`acqTEf9Y>B3fGY zycF_NKi*T_&iKsew0qrQ#!U)Q(gOI0F^gfg_(S+j4gq~aMYXTr4zBn*o>v>5`Eo8H zX3GQRt3$uU!Ec?JNIMxkrrC0&tt+plO+q9>LAutvhP6=?W$pqG;c^t9raPs+$6@q96SBpiNdZG zWiglspW+-HXTV))e>#*Fa@lKdlbtLd{&><=%<%N%T8m~M`rD#2G%Z$XGGAFhX)PMA zcB1>B;vO^kL+p^K zzH|dGuQ#AQ0#4NA5cgbcb#W3)s@RKvzAU;))OygN3nao4*R_}!Mb<2ns+SSUB11C? zF;~JCqjii=zGjAm8e$QmJOg)Kxl;-UjlIF=JUm!-ijQ~YxP~Z)(l*hw!H|7{kjrB` zPs;LOVsvqe+UnHTTHd&>Dc|ft+oD#TtmxZc0|lY zTCXLh`DC*G4`@_qV+&*0@>9W-_k+)043n%I&!Y2(+evn*h79qVWMr4JZjEf`{16Ft zDIw9aS)Eregs~nTdbkZ``e9|-NG=YKyA-{>nPd@J3|B52REjlLn0k-P5stU-3|YQV zvt#v9=L1)D*IS8~dr~`=Kuh6_*z1Z<*gAE!O(M;nZSbDqP4`zXMGjD&2Te}>G5=D+ zl@@&IJh3Zd72Aw+Ycd^ry_&g&{J zy9eg_NQ&yE-}>`!L(y+T(f>_D(a(BMBRzkXK08L9yq8*ot=afw^O5ew#f!kvOILia zq{x+iSb)L}fF1x|BfpdoqrJ=1uD2*o>(gR z-|n5??wx-v_l}i|OM6go@a%WrcNW`!)@;iuit7?~qGNN&B7g2E=X%C2YKjDEa5?hWBq}gsxsEn+s*iffczMZF)T??t zqB~mx6C~Pn@*EnCr^UH-YEltxR4)=?6mW^}-}Pcrxx&CGrTK_M*!FC4_+-Q0@TV+b z+!xohq`fWk_MU0Omu7DkJ`5!V4o1m8f!}!4%Qp_qmV^af%+O+bng$kK+-c*^i%M*H z+&We_N8?W$*Vb)9!}hP??F(!0Awc4Ffwb>Qu10zJ{4?Nafa&i zhjf;QGH1A{Diq@xz>Tf*@{%lPd8LLBhWz(JexJy1()xWz{!ef%#myrqwh}Lfv3uEf z=idxI<9;L^M#Iar`3=gY6R7O9 zaN;tCym#fkxIyczXQ`7}P(XeWZ|^~1rV)^KNPxS1lWRw1xsr9o4xI>K)hMwxWDoCs zu=$uCBw|r$XG-6H{Fav&l*SO z+J8+wu{Y-w;5E~x24j7|d`;zq7xX2Y_VIAw%RdzZ$-bdb2i<+L-DDDE#5vBKOm^cg)x}Bna+idlTQ?X(KoKRKB`)*>qAE~`tTBu3}U|nCN$-0h!P4?Z9 zSW(qIXqiT*a65QW$q#Z2B??NRRV;UWDuB6;Lg1)(GaZSihx3F%EN`QkXIY_lF z5sI`1bHQYD)Ile%Q5no+fC`&Tn9?q|0;q10H70xQv4qvj#8d@v(sBSfK_Ww(D+RcB z15x=z6mr&oG0x-093%{X1rW+MIaF~G94^+YH^Gi~u!i~o3J_JIoL4dqWxlN`2lP+e z5pG69@qI0smga!ay}QYDZ=t4^Aic{SoL_nA()d`g%;^3(u=}c?wgIPu6QDOqzLc?( zc^7!DS|d>va~zo22Jgh(7#Gk2T@|1D^P&EPB#qS6H-xQt{^+L8FxGA3bI zSn^XcR6fKU5eb{?SEQ#ra_0UQuSYUfclF96Ptw_4cz$=UP4&5p44V%gzeCqUfBeju z?INNMZ@IqE@mYK{uyHk={WxdRDcN=Hy@_pB?!=75q2gg#DtuFC-pDZLxKA<2ZamP!waPdJpfvbGClS2N*q*;nC z`&n_w0>@oG-P=qoPcrnVYvIf;CG!z=qaY{u&R=7=s}Z2?)xYP-M1X1 zD5&8(YL}RfLJHY6bz=jg#eyMyJr0Zr^O(=x7nC>u_^x>a(^Aji=4I;16Wyi_`Z=*= zbB|-?qF)Q3(ef*jUdz3U*i&v6$gZfU!nrDNW*K*gP6M3ve(GqzAsY{4(a-xW;QO+hgAMh^Du>)$lndW8zG z;#a?&@N{IrQo1}FPif6)Ht||&DBWaqL~^6c>f@pVFR$mCzT&534x}cQfB9ktFfqn^ z!@~97Kj*%A`}S^`Z|-?Yx-(47%*+_Td5*dkg~2?GQz_f}j(9Bz;p$`+QWglyF~c>V zF`ObLUTq^Iv_~;eF5}tE2~~3TK!eJa39;p-WvSidl*vq!1!XRV!X+VINn~?|kL0oQ zNz_**C@`0(T{`0+q3#)8S6kLS1q6}#lL0%nkyGL+i+>3Bw5q0XnemmcL?(xDV67=) zg2*TgD0*hCHd!2v9mF}@Zf6cWc?>n@LEV(#q9T>cHDPY*916=#lxW~Q=%;ZD{D z<$hFPlx-Lo1MN2Xd9#<0VE-mZ*8s-0Y;YqT89Aklz?aLOgo2*;66{RFM-ipew_<@- zT0&sU;ypKJ%#C!tfFr5G?M`W9i<@bH%%55Mkbc&W|^?v=yIsJ z3Wa5T*>1G&QFD%U5V^6oGN;?N3Q%@IJ1BzC2TA!i1Bye-qD2B56n+&5@#Rj^9m#r^ zeDPx}RLfHpP};5VB#yVfb3REs5caM-z^ib@x8mU$t3vCT3-2O*p(cdL7Ft^02m#$Y z0K_=lb@dIcxusr0UU%}AK+Y=IRdMX zv_PCR$2jycIjUPGV+ZA?`;ar#$GRc%aB$-b9D)T3Z^S_^R=1U={njQ zvgd2F=l!$h{d4>J`fT1ZtU-xsi9Wz+(Ac}aGlV|iy)zv0Z`-}b3RN()zt0tq$eCB) zV^9+#Z}(=Kw)NmQanUytW=O5Dp;#KVgtqTA}x*>i$z!PFO zUX9l9O~Bekx}7rD*eouWU9)>1Bi&~_;ifwewH<`d(N=PLkx|f-Cbd$GD;zX%_%TFt zwJfP6JBXvPaZP+=K^ixQI4yG^PN>{W?Q8I*=}LC0^8{r&xG&A4{Qb^e)qOh4nK@7i z!*;o>7b-aPK{0R)D&R_db{~pqXp&v435ic6d zzC*DU8)9ni{6PHj5nxSXlpWt2S=vGck_(B$j@;WQw4lsn5|MPzj(vfZOrVvx(d2!O zyQ%zRd^>O{n@`CO{ZV6a5Xsvj!jJV{f%)swCiXLp2^-`+Up&7wzi|Od7O06U2J{Ls zQe7k{3l4-B;`?-2AK_NmEF7{KLm-~Uwz9lj5f+wH(cbPHSS>sf(o4mtpg#+BBjlDL za62P7B#!Yl)J0C$2tcTr^g9;_UEeYft+rb(FS#@jG(J`6En{3*XHbC*a|jcnOQSTW zQzY|t+6XJ+-tA^+Uz^|G@s0`DM!Gp-8?M;X|KKXkck<o2xh+g9H5Fakm08cO+#LcG$>AZVj>lLf%~=ttS?gFf8}3h^pDJHSdwr@{dLzG-N0<9St{0@5Sd z^SLcoDY3~ti5uJRu!RDnLgRAN!$O3o`A82-3hizVa{Fg^X_x{(OkuX5r+M{@JEbP& z%U;bH=D?PZ0}HQ$chqotdF6Q(wn>5j#RdY@qZfqjlgZ~O5e}<;e^)` zE~ukQdcNU%&Ga<`PY00H@<4=xS=#mrjKzF|PqX1u9s||@GK!|3pN=#2?}3cMOE~}5 zK?}m;o{*7|yqER4}jt5wP0A;X#hD|F+WhozFu9k^^JTKCE zJYZzxFFl*|f_Un5zYw4L4zFB3cFKYEr_fk}(@nR(8=%NWK3*tu>Jx`gZ?gpAq71-A z6^r1djIPjgYdlAK)I|;++`AL!S-EA)mfKJrMeI9p(Usi&I&dCJ)IblyX(~p76uzXR zc~><(-3(`=>dZo*Q;bht-!ApTmX8KXkd%igm)yxadUk|CK<75MYUFL#>ETpUjELq>slPNSBu zP~+WR=}U9W{Zj$N{NI5GJ?)nsx8U7~<-pS!;RVuK8F*uz5-VY?h{v|5-Y-)Iwr2NJ z$X%>QLhklWwG&q1ycV^*ok)LI!#Jkz6zi?2kN4`Bh@A51CJniQHAF z-*kIndc+T;7w)Q(Z;9cj4XplI=XaN;Ar?^2B(D_+q zHU>zW5Si^pv?03hgB_=&d#G>rEJ$Lr9|zV&ufT4XkLaU~@ZYcTUWE&rKuX}5X_Y!^ zcN?+!=8YE@tJ)#c3BwcD;az_>Bd9d>nBWnq5lEcv$H3DZPeakOPG+%%`0eMp;BIlo zA1HSYOr;MeBS-38gVEwVn*|M{;PXwTrKH<`ro3|ur2YgR;x9udcf>8= z9*ln9r&#U_YTBWw=-yM``X$VOJACl_IgohHF9V5uT4klORE-p*o*r({DhoEEc9E;& zR%fT2$2}->#lQRU0PYEAHz@Kv`Uxo$if(#%}~wt|_TT!{C7n1{hEv>25w$>pfR?%kBF0bNg9H zSBf$bQE^YJKnrixk@z6sth>cm&85|YK=LIc_xMRDZgsy9%74uN-(k6vLrX`4Nt=_n z5jIElFiCNRXUa73CYgfuS)@8r99-uQ2R%R&dK)T&_AAe;jp>H9^15dEjU5)Py0jg1 zUb+wK+fF~a&pwE&>I5^AGL6?6>L~4T3d)Ppmm2KJY_D z7B0FVykMc@3XkLVs{l0e#o9@Hc@^z#;c;!Rkz;16Z^^lw%2 zb!H7q$t@(NNzzf%JtUbf9EgANBGvn%6A*VT;X>^s(32?eAAX@s}{~c!$VWxN7huAo$&=;bwaYraH9?(sSsDQ&X zVd2w%$`Jn{LrHDM?_y=$0-5}dZoVDL_|rJnWWFT9zS8xh$$)q*b?I8C4al^Hyzh@G zBKwDW&N+oAl1-zT9tADacV>(7`ad-qyg2B9TYS~L@(L&8lT+Y07OQJB@W8G6=!G$N z=Fv|X$6dsy>pb$bJu;?-XW8D3TrSahKd8jH8L2BrQn5)U&Ib8)(vKI#(iuz|iXAyF zYjdO*zw&7F#P)FB7Lk#Wv2kLn9udlSI8`#X3q;uP(^!4qg-!p#AHg_5H)!a!KUb znzR_<*4;!Lvyp{09Q<_+7esgjO-M_u92&Eef}h3y`sa(>r%f732Wk*CsyphW+Lo10 zc&?FK_oby?VD6(1F{chJK@|_PT~dRzMxAJ)vU2<2=cd2;IYP=+j>J=Kjnhn1+k}kE zGV#yk8~AmRBhH157ss@X{U!v_^p+QbB#Xlr=Qg(Q^stmyg`4#U?`v8r;unM9nR#vADK9* zbg(+ENO_McvNCKd9Ctd!W>sP`wyYU!9Ap6MFgApd5@0U0QOw)^XE=(4f2tdWKax=jas*G8I^kUGD=G0;_FpX(_8p6WZST&7Z+#qN~kq_!i^bDAFSS* zYm()J6@44L=>>FXtG&s7EZ>nwnBpw56mQE|&X|H;T7{h&3o`Ay#~#SMN86gj`kJK% z4k1gMZNBQ^{bKC_y`dprinUZkTLeyDneFa_-MO%$Ihmwj(u(+MGVwX26;a8H^6ay3 zk%DtHXR?W5Hzy6e9H4u}D&1XY#V(@lac+xSZGcx2VwxQ!N@{FuViR+c9a|jM=WcBL z%UW!$u(ty2zJB&Mb+pR|jJ zYZPYMH@w?u`HRoZLx1@vH^*6T?Co%0Sb@#iyf%y*IWL^vL~|7WhZ#XI!Zsl;<>KY0Mkx7vZN8GJln#}h^+kq% zcL=_v1>5Okm6D86iwIpxoD!Y=*ySTte3-k)!g)4wRJYP;dRbQH!nLVo*=S$v@PaG9 z_m0KAKNv1`=hn2oGZQ?U-;C$$D;g`#&H@h#!om1!$4Hgba`r*YGY0JV_EHdyQrWw< z>P)QAb3bDG@~ZjWW63Xv!B}w*XL$GnGEkhy^@|8^rB9-=oVnIPvji13qp~6U>+Mea zGC9_(<>Y;k18}p#+Ct+Sxw$T`CKmLn3*2hmd$*8Sz}df(vI=Rf`&EeoeMPQV6K4_p z^z_Ue|4KdDUH^$K!1rd0Ouk2D*<88(E>egFd@ybt5fbDY=~pMT zKUE6gPtjb36olO7tIG?0;IdC0j}C{zyw?>^fH~_LYv2l0ImV!Dn(2}E=2{^%kNt`J z)X7lBPZ^DBOqc%jv{PKWkuB_;?9CsGlgnM5;c(#570f<4J%^PVxWptMJc{}-DuNqZ zh45Ab+5i-IbqBessx-8#y;~h>*qBg3VVg7g5Y(%qu$h@kgV5mOPWN)Mk|tevIwbDa zJq5he8(PWRkU%(l@oXK+=-YSM{-)u4*N8k*u)^y6sArA2-tv<1jnCXruTlX6HO`N` z1Xn{PWb`#*%Y`DYe&C`}C|+o=&)lTKvG~ES(y7f@mv$Jtw$$tQEpxhi0_)rkMdi~t zxR#&;J>wDNq8l$;TeXhO-$Y8~N~F%o@otApW@P-P)zF?TQrNU7Z9I~p5UZ9SLn{kYGk4ak+aSqHHLn=m;qhNw;Is0h! zq2@|n=3_8lVp$F!ZuJ`(S&W=H)ChiLu%z~iy0NC_C)_puBIcc!d3b9mGHlV6W$j;G zfCRbP9+iC9rZME*gB-? pY~?&&u_;MAzF<}N;Y?@jhR-_v>C()i0c)r>7dSpDdQzerhDFE{MKo#A+E^03EMhlqWNd3}Bno}AdJ>m1%7`m{-W%;2!fGh2a4PyM2>O?dotFo7 zSua*I&F8OGajXQyH5)9I)%58upF6dDyzQeh2OEMaIKB5*IJHZmFW;sm%|?aMvsiT1 z-zNvMO`9!$5+u~HB3}eydLX4KSa#~|D9y}3N^L2SjLw^+d5ciUpE$4d!2cG$Za z$Nd=voEOp2t?isXalLQhm5DQ4pp`ivu-1O4JhQd2GpqZ`q@ThTRH~f6 zZ@$}v@EQ-!!OT%*o|@I0%lq_M1FQQQtsq@%>BH&Uo+uod4w=U=U`GQ~zsGEp8oFl)lsD>|GSH;^I=2%-8>lb~Mm{R_&r zW#62FbX;#5N456eG|Y~ z2Vq%F!M2QJaN(76NW@i2u$b^$mnd#F?#VM3%R0O@t)I7`pOY8cWc$5P6F(7pua};& zY{0gL%{imAT^{R-T~_xc%%dddi?{%SvVey4&;uu|zy;QaY~WOGNqN(spC!i}FcPw& zQ|Gb@-Zs{L`y+vIDoa2`tk}g*ad+ki{2cZ(PS@x;+?8l?!cSPH9byhp*zpqi*-Ht^ zas&3=fu8-&p(W!^S*izm)rkI?9}lb!zt>z9G%1#E|a3`*2HIZ z1ZAVPReFx*0bzBOm1p{K(U}eW_G!AE(}G-S-#a*r^+sR1#EU4yvWL;jEjI+Clme|5f@q9NGA*gzTfa0#=7Sn}}-? zL~9*^;zzDS@*QdNI($u^|^17p{?G9cP4V9I1-l zn6X%wc3>tq!u?4xl9(k!Mh69ZT5X5aOu*5cH0RZVt)4#N_M?ck0<=1{zt!q?{UMQN zD(I^Z4$N3nf(ZUvq;)L+eO%{ZXL%%HzVi4Sg{!I^(L7%t+ojj&99QXcr^xOZ3 zBELmM6w{3a{I~6Rq*&LMxeWcGv6V<0;-ZQ%dL&034oA`z1%GRwpilohYM<}dF^5-5 z?!lAh7aAJcInU_RE@(3?em*6yVUmt5sC%sJxfQ|th^iS@mtMM80?j`NRP z+!M*Xwj_o)Y-?DAzimrn(s<+LmYUYrM=*dbxSn^Jb#4UUyK@_H$(ZCW+?QVsHomdPG+AGBY^=iD%1$rosh66^=fR$ zz>g!z(;NFJmJAS}06`uW5PY38p8E@N!PSSZ^6S^H&m#pK5Yi1{U40;)^AKk^h4&hG zNSBAnbN3xgL`N~C_u6`{$d zuZhTiY#K)=OjQ>f_P@`A;+@sZm4NSCNZm_LPaA6Rd& z37SYM@+KKVpl4x{RUfI1$G&p2jF5Y^nrKi;x-UU8a$bt^0B&(_wLD51Tu~K3d69xY z*CYZ>ipXX7x&bZrN=S|dLB#34a=~mp&Z$KL<{kBF-~5f7atf9_l*>cEKDYs3Df2A- z0nrZ)yu6_a?T3@!bRcH*@;7}c^iM?&nC;lJ^DlOiHUPp(PjBPAuK^n!Cmy{%yAL}6 z@5ilbwBBF~G`Zq+`cxt4lUGz5D@mKasNz+j$H5SuMA~Xj2*Y(F^LB?83mLVy*9VV; zAW9+q{=MidIL%O#4c9e`7`|Yy8M-kBqkn!-Mq#hd9||H6IP6Q$^G_QvgY;jp@2u2$ z)(6jn&9|=I0YM+A!3JouJ3hP#2l2O^O}T*I29&Ej%(hjz+LDj7(U{2-vFwVRaiFxy z+a5%4Ttqei98`^bx!!;onsk%JKDYuni>}Bgz6jEfnF$3mtUN!DD#D)AAv%~L`%Nmp zN#!@GpbP$+tNc&7O8LB*otc^0bwEFcMB;yP|4Ckvb@=15Pz(c?8K(%~qg=2OUcB6h jL6cG3qOgFl%x&rq?(2)+O7bFuzmrO*k7ph=yY;^S=*%*^ diff --git a/versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP1/Distributed-Deployment.png b/versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP1/Distributed-Deployment.png deleted file mode 100644 index 8bba51b8d0495141d02b68797ae1b51d466f45c6..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 34547 zcmeFZcT|*3voA_g1{4`Uzz7UMBl1DM1kw zP?7?IBvAy(Ih}r<@!i|^+uwKZzH6O()>(Ufe<(BabU$5PRb5^EtE#@Ct*JyoeukWY zfPg|pSzd>LfEYzUK%{^;3V!L_+d4)-Kx*ryVCd!SXJhYVO~583hyTPT$ZzNB>BS}_ z&n777>+8#Fin(g8YK~Jp2MY0z!KH;%q{)!V=&=ej#3A zF+nW8y}7Nm%kOt-xCYoeIhnHwDvI#(gI8TN6cAt&LW580_AcIj;IE&!sF|oR2lyoG z=H_ILv9?gN_k!9BiSY`FLS599^)%Gk1m(bICwoV0@JGqo($N*_;^|`U2L8y|dAK^; zdpm<}ViLUkyh0MfBD`V}e?0+R{_%HRa~pFH`#*+(=ILYY;c4&cf}f^6o0DeN& zUgoy=Uk&B-v{k&-y?C^Eyksr0Jp9&LX81N<{%+RzHdfX?_Lg8wK{g=;z+o$Ub6XE{ zKpVgPZw~q>+A5&s?KCY^MA7_)?!xY7fGKcu0RuNpOA$|B1#Nx-ZFh5dU$mXLg}Rve z)c|)rXG?$n00U*ToV%@#JzCMJZX+djZT)kwt4Qcg@q-A(1Hg@ibpAllPX z#X-y;Yh`1nA*?4P=BtEJa1ao2^wN}6)wOl) zFdoVZ;CBIaFHLP7AqQtGM{{)peM5CERShAF09QK~B_k(Ce_?AyVHGbyF991ZK^GfM zOMPEYKLITTXKNt|9gL;FnuVa9n1mjnLrhpt$=<>-z|u$8K+(@%!p}%uTSEwNThY|)%A1@@X?nO(QucS#kgo2xTx898hXp>J9}BH z+bMYXJ85aEK*QL`qHScIG@K1=RWSD6wz~4}2DTzb0u~zX&|?)h2SZ&8VI3Pe4|^X+ z3kL@WS$h#DZAEP%H8nk33juv20d-v;ZB=a{Ej0rTPis#X1wAcGBWodyfr6?##?#N$ zMMXhJR>w#|)gu5C!0)c0s^M*At)}2E=ZW_Ab<(i+yXr0~DywK{<1XvqCgQ9qYo{%$ zW2E8g=Vr;TtEHwa=;|n-Wv%Hh;ov6AuPN&%XeaCwAnay%_3Bk|1sexT6<<9KZ3Qh? zaWzkjSb&qVtgQrASVh1~Ts=Tl(?|ZQf~Bm5n6HtxypFiIjfAg*G^*+@yn z+)YE>*+$L?E8<`!U?r@1)!ac$TUpN9+z&`hQ9;hhP|H=w&rn+hsD!?PwT-*GqN1>q zrl+Q&tAVbgm8OIq*2CRES3ujt++5L0T-{m4OUc{b%TM3a$X(S>&cQ=j2Q8Mc-tvy3)$)^>szQ9y6DO|Xj$4jVw^>ttc3l=)jTw0UAt{_0k4_L{z4nyS8*wnm0%LpMJ`T_7EKtfh{JkiCJrk&d97pufD6ybH!c zSH%Ka=N_s)g0?yu;%){G5(eH{;1|$A11m1zrRC*d<>llr;N~VOfCfuM(MHTy)7s0; zP0mNd*2>W!z}v}J-wUIwDX$|CAY$+7uV^78E~erO`lDqv{jut5Xcr%}wF6e~s)whw zn~J}-zNV#>lCq(fzrBN^oq?XBo#$0~VRtbX2}?ICZ$DwIsF#HUr0M?V5(@S{mX;E# zVt%6f5^DB3;*Lhb+HQsd7*SP!TMrvw2?IG-B_BC=eqCi3O;t@rBQPjdS;X8<4>Fw^ z5&|MFq5)SOz-KRrrT#AJLK3#%gOG%)fs(hk7FJKf+QCXq32SJfhSs&U7e}L&fV~9P z!_C22%friBPfi!>q;C}9;9}!~RkX7A!RWes=?f|e>Dgex3>B>f)V&?eUFX~bQNsHR24l049(rJo+?*e{2i`}X)k0pw z#>Z95DnQB8N68H%Z?1vyuvGU4#!O4dOUN56eno8!44< zh>e<Ix?Hs^WEcSn69FMYhJXm^rjYaav78hevu>XH{YlQUOOf0C z`BJphC4EOc<-qg*Y`Tv`WWS+8RgwNjU+7ulO#)`t(+=lk|JF8~fEg$CpIxE1BvH%Y zSle$2!K41iBPui{M8$u6CsH9}LMKhWKK-{r!VnKh{~{P}8lFpnM5(w>9sjc{QU=#c z{Ku=1VKO>Iv5C30?nm)+{XGg3`upF$%P?_-cQQ{`^=T%{osf|C8F3c#pT47H)pKR@ zZfWp>*K zaw-r%e*CyYA^Ir?$+S5h+C1O1`^#g*xrXA@N3PNaX4@?Pyqo7Q8%S+W)7+QzuQ<*q zb*-fC+nM{p8=tKocn{v8l-kPKI{X=gLeJ%Pjs7{cQ}<*}QmuSc<9myBEY{C-ny(%* zt?1WLdwXSbl*RUecdAq6d(n!o5yv{G5~NKtT}DH87d&1Pl6IIK?qIeT4-Xb6g{?u8 zWVTd8w9glBjKtR0NbCBA=UgP3;%r7%cNC_}-!LRI9&Wu6?BcHM*la!w{_N4kGxOqS zN%GX~%bHE=#jYvOmLDfbVKc|PyuDM-#0dONX2=*op~q+Iw6}mwJhPdew;Q%5tr!buqtSrR05Af-Hi{=COx<7TIc?-#b1^FH@RgI3>rv{Hz500OuI7aMDeYQ_TE zRXS?jr>v?643dw~8Ont0|1|5uktlbDhqBgnWoFjcsKdRU!@DZU7iiHIZLw5%;xcG$0O}X9%($f80n(74!5L z-|+{W78f)#FLD)E>9{k0^OZfv*-^5%Yk>>Z9&gV3c1*-DO1)Q6E~Ct+89&&l*}X!x{X;91bI2?- z*qVykr4<{pJri$hsF=WT{xnP9-wv^8{8P2^y zbrg=;@~8e>xJ+bV39+hp-N|%2YrvYQPW;CT3rCP(`Ovi#TogP8jaSMOXFwz+l#2}9^eUk^*6$vhRYPnBWlbCdQs|R ze^S&zLQW;<(EpSJSlB!Hn$lmynwBXf*86p>*S>%F@nDMTZ%CIr~I?SagjsNd!qGGW(M38*aM7-#>SVn+fn!_Dc*e_Mmv=H|Fri^(!g}?IcUEAa}<8I>zwFImoGo5uOB%n zll&mzjEL&+lG>(531PWhPBF=)OP6vB3mtpcKD{AT5Y8do-Rj*EI75W|o*m}HSYu(w ziH=z1(9JWP8S`siattCKcaJgWmUOb;8w&JflL!_Jt0#(+gAzV0k zR9(pN?zPsj=GSS7BurmZ;dYbHy^m793-qMOBBVoxg<)XQW<|7q)_%1$A>5P8X(VY_ zI&n*(V5Nd;k=_U*YBMK?I_paE0vK`q(uxqS)%1MtYfF_S1P7>IQ=+j= zdU@qrjbi>QR-Z!;_h&v?CZwd9g&2Ly4n24})*y!Ix4I9uRAp6}`ewU@q@#=yl z*mi%_mqNySZ@pkZD6uoKUhsR1?>qBOI zg(WYZ?M>1*Ctm(lD|fIrE3KsV=2){GnE(~wY&78P6A@-f(+t zvk4>IlY%kjP&)5@chq~x#ABg)h;A`>Ya*sS6WT+$D>|4x_LkptwNgrRL;H78^TCb> zc&yduM=7}^gF;7BoQ+1fSF)0k5FvY!y`~LSK4-GWHkRF-Yr!!2rt~eQ%^wuczV+<6 zlCPp!-L(5pC$F3s$9ja z_45_+ds}a$Qv-k1DYg7)6Y7y<0h_Y4)%pO2kEH!uhN~&!cJtx>qDQyH?8*0aUwlU1 zrZw+be|9J=wyK*+O&)QnFGg~MohK9a0orLX9e{J(F$@8AD7^^rAB$0lw>FK*7fG;k zGJ(qTHW1-Ouq8cz2b_oY(A_yqGgk63l~dD3btx@7(?nx_ zcE}5H7fSXE!0Y7D)NL_qeDUJN^rLuQ&f8P1T%SU}31vghk4(sVq1juJp=&H+qi(HX z6eckU|FsWF)-_*zxF)BL01M0{O1RLj<|t+uG`6{X*0rI0tJPpDQm=Nb&96M+O-{!- z!0b>Gi-jI9&HuG*Fg9_FJ2FfhxMedBV;GY9G%pv|M$Nq!8_y(c z0j?AC1kuvoYL8YhpJX4EQ!9s3ZST#~LWZ1dZ?ni5ZHX}LZfUyI{G zYl=_cCfC^ZtZ&nUtuFi$!j8`rTQ4XOF#M*q#xhD;^@~@ZMmw2*5&f=%1Ql9AeF{Kfj9vGoT9`V`=E9;VV77(NuIHL|&H9XG4mBDXlv)`rI6rgoW% zB4WwMhg%?*P3AmF6+K_^m+Jxnqi@Fjrfy9-`nRrs^~~NKz0UD;+?EmZxCKdsJVg|4 zxVwr(pK`O~l2_hREMgMoZQfg%Ec9s=!$d85Q1(QUn3n^o(2v_tXYC_u`1YsSr8%V9 zv_h$=m7`)l%-*-nnrs>$!z_aN$9!pxT$~7Bs~*HU$^bv?$T8*%4Hq=hSy>csUOYHl zTG~S&A;N*l)fV?fS#@r~|&(f)whvffzIFbq0tpb&OEl7K{&1~ynvi0wWTY%HhJ-t}VY zB>;Pbt$gh2g~_ck|8N8)5f2+oAT~}Vg>JW&oCdO9R&XQb>4-O3x2JYL$=|2^!}>W_ zn=`sPTE9I;)C6|bY%0|4-I%GsH|;24L{(Xm5zgWdcuf^Nb#^>aSL=#CaJik&k^KUky+#HW$NZGgB64H-8s>z*+)GNr1t}NW@&d&2 zi8s$KZbdMLnzL5(8d+17cpZll48RvW(?kf+^)Jx&>UJkQ!JglM7G z&+(6)C(sO#gO!d3JLpY>y(&8uJM8MC0V{Z6?=kiDdX`_gmqehY^^!1KVG3o*-M zl!_o{)Jg$1Q`ScktRRn5oC#J$aXV@>1YWP?KaxORd5!|UFP+HQ0*KC7{G{6B z;{Bo4GBQdq$36^DaY1w#QNaTny<#zfzMjC#@kBZf3AOfPf%U&(MoAKyBf%786X@nLEO=kh!2En$!J`6+{pCxTu=5SjGZ`kxeHUV8b(a200a49@-?J21H4>pYV&(C&xLSFK z9HP?@KdGYHd!(Q>0f`shW|*8Whv-P8g$GWfl}v&p^EC`lR*njS5VQ^xg9X)X9MT3I zU2_)j+pUS}NLLU*1g5J!;PXcqS0~yz)4ROpFZzYF2Z#2M4!v?P#zlC#? z(9qYF;ohh7A{?Q{MtJS5a8gTxM9a?)6GrL^3+n%mfWc3g2IY zS&xQi_%I^)Z!Q9?q zbWB{7jbZM~T~#Vub)vCd1}f^x;dhXo%wfZ?Coyh~TO()RVVMEaKvNE`yqK z-9`0Dtk4C*#oz?Q4I}4okYIbM@mg~>^`9||_St*B1%t4`uc*C`E|Kv{-&61gurs`0 zxU9f^2={osPiJv3?H-9O8m5r5s(AB}f$|L$F*0YYO6fL9Rd8wb>TA&UztS1y5Xk2c zb@x;R1dZ}jfbA*2I{udLQ}&OK6>mWjr7%M z)#I`dSZa3{Q9c$^yx&(cgU~MZXee_bg(q0hYdaQ?MX^Q0SSb@)b&X&soVx7XJsmz$ z1t#1yEazObn%{rY5QgCRKzxl<^`*yk)y8ut!;wieums6@CK{j8>R2F{aSUMu%(?QE zZs#u&c7=1SduWrOl{J6Q9EYEIEHZ!q01wnxUV7({aFgcscga#AP!hk1qW-^)sO%?* zi8P<&(n!V2YfZ6dDbl`vq3+#i9OU(RWDpX#TDHNMVLLMW*wnd{fBXGSp!YpGI79mO zVQIDMbA)sHx9JBLm~s{Zi%pz34MM0;;PACV%8E99loI%RBbxKZr2n7XHxRl&u#8+j`LZ*xt(&>r506y z@CWEC8zRd8+x>jA=Io%A8_=;arPgtE?(+5<#!&9c?n{nrp~0m7C7X%KmPCj(Iaq0q zV}}BDPcgYKBn8y*Qob6Hml@f_)~B}=NjjUjOM`<`1#}qpZQeDh180z#TVi90X8Us( zj}|iaj$|z<4hVRLa8h?OfXzmI+5+&Xb-|O=Bru%Xx2!;y(^mq#1Y8F6F)10YO-9{U zHm^zSEw#=7$U6x_&ATrzN*V<%w_E2VCqjpFfQh78WPP^HHqn%rIZ4*@VQ;}TG}*c4 zi$T-=f@>Fauyk$Owplifbp$<_)X_ysjKNishkL6lYkgW>S|KYm-~@$<+m;IgYpzDaV_VqmN2zTNkc!mDF0GWCjf_DIk;}j_VzY9saR>R^q za-flF7UD1Qt9EL7W5hKL^h1NAZpCEkQ#b0Bou8#$(1|@kY6l<*K4bo~7W1W{`#%X4 zIy$*Zxh-Gc)>OtF>&*v0o2Lu%v(gI?WKFx@)&T~+o^kje0LFE6w}7el zz-2|JcZA_DV8v55NnyNh`cKx319|02m3RAjd1Y~T1UtzDt<=-zjbTTRVf%dALsM`f zodz%G!KolgAuN7*9K?D|w%^%Gu`mWLg@B9MF%XjMKkW{J8;)sX^yQ9zBtwQo!%aiO{=`=?qp~=svR6mJ0Y^7Cs8^Ph zmWU-&5H|#Y{Il7iOgRjjWz;blVoO_FO#!jdnsonYhPp!_nAQYkEjuxyODbJH8Ba?*YcaMaT{+gR? z)$@YFu@6L6%!qy&cy&8m+_|nB;2QU8vS%T9F2%V0tr!wAXWeH9UQ7f+_!xzH_dWyPJzN~u^BmHl1@0mLE|0y1l7I3!yI z09IeXJpI$`@CC^$np5iO!UcYLEH@9qiZzZ+{4slsU04=}8+qK)(8!K5zdaVy-@3{* z_4-ya04oijj|DhxzmYz;+O`V)9|DG?TitliHBEJJrE;%Ti1QVu?8f@D!m;v6O9n*0 zEIggLr#noZ|H>j3bGZ~F$S6}w%Ua0WJ((uFP?AE_4C03~e4$2}%I82d5(*ui%s)MG zavD++O<4$VJIT&9Ar}xznYTGcP1p9O%)B*@w6pbXD~Oq4Vk7kpjGl;ddAylw}@}dxm^qiZ_@;fzg1u}O23I9a5v!CdjmX7%Us+%SMa5BprEPZ2gs*hr& zZo8P!Z5A|VjR-M{pCbIlMxEik%9D^YQ?&8cl3_7kJb^RO+5uL(C$~fSL%rLJX;HF> zwUEntK#O{UaHJJOSVtZ*O6Qp5sHOF)iL;MdYBZxr`{|9H1WrqbG~h-GTI42=ahJ(7 zH`7ozJ>&}7%Jv=eKju#55=_2&`V&+-z*EEQjKEUC-G;z*uP+)rIvFodAf zcLHzDd4T^;Qoe{88Vg)BiOqA{p?2vb_m6Tt`ZEKARNkLSK%6cL^k*cxMC85Td1*1y z*qQ@<^o?Ly)aIiTBGRw5)WQP#s3hQByZdZw-s>xRw!$#qRE3xd1J|MYLm$mU$_Fci|p9OBo-NEZWD++&~nl-gZaYF@QtR zN#4I8=%ysN<&(QKGCueh27etX# zv`h{i(QvS)BmHG%uIAXpPbum`+1|~$Z>jk}oc(EFPC*9R#NDxZ_>S4|Oq$O?{Bb#i z9&65**(x8}*6+UeQq1I)=T-CW_q;IsXmx`g!G!L=(%Y}`u%xz{8TU`R$l%(Jru_&q z2u|m4`RD`r!=9H7q7(}XpJJ&1k5<&`X@^r$$cqXx^*#0rsuGw}#@jQj@>kErTo~M+ zM3SMb@n(Zl*xW>6AP)JPQ_lgXIN*6;I_p|Kb@DO)vn~%I=Tk)l(4}wQf*>kpg6C2G z&~RG;*H&VczFoA-rjhCw{t_I*H-l552^2q9-@a4mFna1p_ys(2QGWU#n-eh0e<3!= zh)5aFGiyMi<_2FQiEgpyd||KlDGxW?cHWUn+A1=S~JW#4o%2`amVioT=AHUS`uY4fgsgg{$Z^Q+@-zXC8 zcc62UMen__j239i=Am7y^xWw*Zy}n zlf!whO(Z7Xk?JhIJImC!)(8%WZ8-vsVo{KLQjqp@1$j*ao*{^$b@qvh{OTmLl}Ze- z9V57(w+Nj%kKX#x$ZoBT3XCk2WHq|)-X57dS2j;(G*_|@4viyv_m);c9-qc z|JBy7ajV{=qf9c5_6g_6Ajf+4)`YfJTjPwJBr(nR@81(kN_hEYnYi$vW0cRD zX+JrK011?BbNvjw97xB6NuDa5>Glhkp#k^}B@#vZq9gDsS8f|p9&v?$P+s|1K-f>+ zV{yvl$XEchgoJ^C?eGI5QELPsF3t0uutbaJA~S~!6E(0=guq5U{NrpXgR9CRt(B_I ziOnSlR|a?rX>1~S)W&~OLO}H~g5m2Zy+KaEO3J2S8`iV zz8s}b=;gvAaVf;+*Exv#AD`sCiRyI#yd{=bE*vSn<}sF0eNEI5gwN$rIbSHNeB^FK zl?M>@%k_|}A*vn#pb1QM;{^Ae>`fb8ZU8^sDa$v_%G_(iZA zgb(tnYO4!gB%Bkt$b1|hs3T-%%`iA8d3EvqCBLJF0DLM3y8v;q2>{7#uM_o0o&YFt z003fv{MY96h{iHfbO0#x1K;RH$Lfasm6a0d&vH3@u!M0T3UH3q%i}Q8az3^XnZsZ& zK6Qjh15cIk!+7fU?~O(@<}X2N1{3q}zKkPj|39jl#`j0^0s*dr@~7MY+6H3%BgFGl zw|LHn%Q0Po$6*b4n{oN!rj0YN5p#^pDxREGgs_ms+=q8Bs6zmAD z&?r2$jLwn5OEb9Ib@UyOrn?N;DI$ssurMhUKRoR%P;yN z2$Q*h*Ap72>L+Bg!@Yt6Bv=qXXbMNzJO514dKXxk+7n9!pjLgDl^Br|ulFel#rw#> zPey=66!OZS<3xM2NY9)#6h=pf0jC8-Uu`orr@pk-Ewix_B3RjB+E`t0tet2SGY??) z19LdalJiBZ$|rJrYCoLp<$Xx$Isx$L%7pGTs0!a0%P0$1COb`34E9FQteDimGs3Op zG=HC5P86^kXJZrTM8B+Y_`9|oSCxrF+MOd@XnI)fc#go9u=TT%EP|AX0?!fQoEy<+ z9&KJY=MZueq|r=*ypglm`Yoz&A}pD!&%{2XnT`VWI?BwdnDU@!qLJ*u6pJK)pk?Y^ z?G`Fz}NX)(O3WeKx7_A5Ao}(;sA1SOH`pK zyM+%pef%gz5vpK(J^YB($6OU%p>qNjxQ3NZuFQz4s&BbR!tcSh%jDfBkNfe#l4+{R z>?Ct2c;J3rU;4_8eXcY4OuVXSB+~9UtlvZT+8!L~l=@Y~gd+|=ijSn6=~uUwTiC@2 zYsz+h1eu@y_$|V}uPE!vuAjHhO`OaxJY!OQ?Y6kETd65a&W4i5KCW0KGmtRjT}CRo zE*H*?<#|=j7Gx|w1b9Qora2kc{Ky$3^a+}`kYpWMHom|d8Fm?uG@C?FkjDl$$hI@< zA;g(sqV?=jySp`i{Q6bGpM>K03*9Hj6fen2@A5v@mv#hEx67_~e+0VH-WO#kY}(X# za`^qb?RZM%oGlbz$wiL`KsYW|1h;dSi@l+9S=HHDpRw4i*u=pla@)~iG;(Gjb+bUL zPPL`*TxtKH!Fu^h;Y>W@L(-h(EClX43?S!pOEQ-@-*8n|>jzhbRQnXvQG6>caHmYg z7?0&k&2W+dbXmvPc;HQEX)18S)yS!I!tcIEF2;99s~(z8%oH>Cy|#o0eIV8e!}l*H zA4<)1{NspdoF0?4P}}aK%7+n%<<}->6Tk%b9Tor(Spg_5*fQJ&-8c#U^>F0OZD)O* zB@OnA)(flqzGZZl6u9S4S}w%w+$|*dYw}#p*rr${4~M++5gk#v2EI#YIb)Hoqt(lX z>y;pkubJV>S)cd%L0m#LBbYhSUo$V-bJ%7^SLFh4O8N8g<)-gWPnpmS?nAFF2YRs0 z*vrmM1@q}=d^x2CL!N5Yk-z*0cK(l@T*ec`4|vOS;dy*|{&y;R${SyNBx+{)__=#w zn+o*xA#0vakD9&##e}ra>DgK^{wo(3`C29Iws1)C&S#)N4ynv-FD?!qRKNeAS3kOi zopoGjE(m^hYb34|7EbA4cc-gs5NME@?vQrY>}OE%zF4(ZwY%|h^@?$HSH8SeCjdOF zEFXO~dR4yC)y{?ed0hOCcW|H8cBpC5YV}5Ty01g1K~Oc&J^4h(@AfRMWy=c5Okd9nANz16E*uI?ThZU(r&mqR<|C&rQf?0x(Jni-8m z*#~rfj2{TGp22jTq5AI*7n>-2#rj9PLvzJSq4h1WRO9Ss8#$Qs90c`Uf{MWmT|Zip zJ-{vx>??4Z#aj+w$yu;euEZm5n5f7jm{~Qni~`DsOThv#VgU<)dD!1IF18?DJq6GG3}GX5 z{%?NXF@lfPtjr`-NqPC)jfM*tgOKVXDil_SYN0_)p-oRCuk%)^chlg3MmqOHU9Kju zbm~8K6v4O!HB|&crB652v}l71tkOZSN(*9r#xj^Ko?XzLc|CN=%<=GoMrv;Xtr@IC zR`|fm4TLN%_Xmd>pTTZQiW!fid~B+o{N+UrDgpiE0*@)j2c^}a$rseV_rog0D=LTw zJ>+pr=#Oi6pU@ZXcLK3_r!wbOR_eZ}udlvoQ+8Iw;qKbnnjXXWhYu(d6O)uTLT=ZI z#^_DvcRuu#-`Gh9N&;(8!N*Pf*V3Yky*&ogeOuLYwt)C&MsY}<%!By`=d|sKUUTZqKXiT3Os_ z*F0|QEyYNm%F$;Dr2}LCY^d?xOYlr*bHPpOqH1*nHT8qp;5M|5hL) z{0rH$UXb+ToaZ|fW9VKvT(SU~E77xPOg~vzZE7HHH3Dgu>C|?-rXVlyjsl&LylKFX zC!8~9S56h~*a4M`KF+*Ck~KBBQIi+ib={JYPp&YNXLsvnLsf9MlxfM(4mNOX7M%$W zn$^XHPoeS&Cy*<+@?|juvF3B@#W~MCyu3OsPP`asgnu$SB4mmrjwE5r#_lxh3RzNN#9oia1 z2zXx~>A70b>-ACowpsh|02F_+8+5c8`5l`3=*yCC0ls$YuoQBL!^ z8&vH8@+moeLCs6~(TJzbOD)IZ`J(+m79*TeJBT$D+F#!Nz0)JsuQf@_xHtD8=0zoCXiP4u&5hT$-^`<$N|L4q^&uj;imb>*lEQI`%-0(9Z5 zbJbOpWXwv%ui4U|8Ls^ed-3*T5mP__sUSe00HR*0%mYmpmop!&)i6YSul<(pm^YSH z+fHYEG9Nb~%+b(dZ(-;vi(4Do?2Au4n2*+p41YbSpZ#hQ+Bhh_@vZNAx4)NS$WMAG zCDHKd&Eaf9-u%?MSD?x6wIVwz;06uq_q#0*Uyr273)x?kB|Wc)xaro3H0|Q8FUkx( z*lr&>7PATEpBH?HX{MIm_++^Pr7wdzoSH?FdN&U$(}|5|ZfXX#8ikuaMQ+A#K>?C+ z!(p*&aG~GReGqNqb=f7aaXa#ms!eI}&;?|i_XS;9zUKK}zkyLxLGlJN-m-_hIG2Ii z;XH}GpU4kZ`M#bBuVS#ig6VgpGfhd#>ld4L>4+YcBFGju0S~@_2pql=fWss^V&zXuHeltn9<11|hHSLz=o>oTAUQP|<8>1m_r8+0zg6AR z9vqMS(O5%GvMk{Ascf>(S+`kV zVWj6F*foWvX?~r2b#)Ty}qCztD|AH+c-Aftx)YAUu^n&(UGEiLZh~f;xISncTT}1^_NUxu|E3;vHIUYf=$3(zT>7N z1C`E1CuXR<5PeZ424^eXVy`N$xxUv~Ev4^BRQhcCiM zj_tc=P|5y$sjg2P5G_;2=JFecY+I@u|ZB>>UMSzq~Ok6 zS{oI$-1+Q%`GkacVaOn4VotYt(e!Q(#8xC=rVKVO?$o)oJYO|lNCqxrRiz|ZId5Eb zsI#ZK>znpM&boj%Mw`jihXFr^dtC62bVlx9@wB&6rYYANr;2vp4u>{+E!fsfI?iC! z&i%i8)UJIB%JY}{MY6qve|8o&`$OLI@ACmT0>J0J|AxCe{cg6h#5JA!uqPh!Y;{*P z7kc7Kfh%hE-*!bwh}JyQn<`c;^v!_t*!_Rh^A-8`f#n|$EFc#C;K2h>U0rM~9Qozx z)yKK{`S~kbw{M^LF*o;2GAo=IB+h=f7)l7atPs7M59qwt!P!l$*#baC?tSTxDFC;S{{?=001M&CH_>~|AUtho>g=BlpbFN1fGP^4 ze4y;OCk7M%|LFV+Zcze<$+Yy5>j&v)Hn00v&jbUsBI*ADtyo*6H67y=1n|f@G^qdM zQ7FN)h>KxP_cr%GjQDSGGCrhvs zks%uD{T_qEPi~yyD<{()2PG#xNir_` z^H+fJoN-W|9totm&=QuBipx_)lQb#xCUOF)LI5)3k0oXc{r{x)0@t%#gjt)*{fusuf5}3f3;viCe1~eNl zTXEDswFvy*qDw3f%?dA6tz;m1N|<`FM8n`P;mC858ZI&{8x||tOFeqhJ`A$KcgPp~ z&p>T|*3q>c4bMaNmH?z*cjba6sNV=7GT4ny8Q;0lJsJr$Hh6HSw^W}7yR8vRhe6u$ z5H0|pq?+#J4G`;lLT0#d)*wWUI8OLwU{h?Oa@2<8EvW7KwPO~MGP(%6Apl--_|t%b zI&Epf!r<0U*L`^jGLHA+H8vM1E`B87>NW^rF}FN}umY8Q0O&VrW%Wlu`7sa?W`!$( zJ!#3v!fxg7Ll74($j5Ubs#3#zz;PdYEUpcNAU~26ZBTGEKOs~&^A+qw%DL#ktk+Q6 zfRZESvN;?u$A<1U+@Jv!MA=~jP3AK-A&-PMp~kWLwybN812}^ann&%lAPNtYP<%we z0)*P_@qG9g#!RsU2}0-L6)j7s?UkX3PfWch@eEcSYXjwO{aUanjHRz?qE&^ui%+XU z9Eqz;8CU*v?X$( z<~$g|EC56yjOUoW%$=itU_YiV=*`M6huUU2$~qzK$YD{4u(?ix@ctb8^=enc?c(h3 z@2)_NEe1}L?PEnAri|n4+>eA0Qo|%T%HBBzM3Ii?gK&;AalIo|9@}z`a7;i;%vw?=)j2H@gO*W?*FJr7WE4X9m z?gf|x9!R;Mb-_$KyebT}9rEOfr6AHk!3@ru*2n}h-p4D?I?W7guJF`o`a_5#MdHTW zw{W-YnG!`{23u1kPXi+C5wNZocP?Hr)BGR4+@5||1fUQ*lxz*%5cK-yX_iI}zmF>H zZ$XwkJ9I%16gc?6QnqsT3e^RmeR;pmMm}5$xpS5~WDMv5P{#G`m(W`GW`OFWktXNQ zTCam*4G1x2Z;hr%mYB`dg{uDV1N7c{vh9YT|H|~_IE&Kln_0;zJm$XLLVjge!d&&=z1v#if}*|L&PwKh>P3?W#3&{fxkGW-XxUrh;lVo zv$eG$JMMyuItGWWV+@TvO<7be9Y$O#I;2O`0Xq6REp=cN^Rkrf;;WX@X$M6<#L^sVzw{s}Fo-qh< zZ0V>%b|k^c8C}%ODj>b04_USobbV&%#U9+jJEs48bLozjJGo$GU*g>mNBOt?$d23i z9w(T{Ko240S5KAUyx*m@avrX-`!TLDi1BFs*-EB9cAFV7iR=>I!BaY$VRnBTu4ES+*fSgXr@0JUVbBtWs)u3oB+m45mYP)I6cb5d4;wT+<*250 zD6z2G0kLkcFQM`}Hq7U|{ld+UFL_8Rm|k95GqEY$G29+7AjU_{pd7>gXQ=*s{TbHN zEJVZJxz$3d#5Kr{2!fxzzW3n>n=u6dW+-1ozQNq@HjFp2j&ram^^QjM0#s;5B0ptn?1v>#o zn(GwpXXYiUw?rQ90W68KBc}WEATSQ6iHceUt3Hlk;d}}HzvoMko1(OD!}II(e*>y! zFUo~^8%7%h7{gPfhN8A8G-qPP>B-;^pS53ck#th^mar6?NGw7riq?p-6J5Qku8#VQ z07Po}ha?BTC>aTu9bB{LL9uGial%3K)7T%*Fh|r*0q#X13S>HMVmB3R<&KmhFDl8@ z->&kRX|SXK_7C;)61N;zW3hfPhy#;Bao|4^A->W=$?`*Y21_!1i@=f)Br%M!wtG@j z{VV~XVCMgyn4S6G$|q3TXX+(^XXA+OZbJ}q5e4ygnl*~E^mWOVL6>MCWn8kNU0fSK4LT80xaAhw5X-C+0`G#z1lK%bj# z_pchhHts#mncxrGY)V$hEor!CBoC;fl_vb@-8P#PP~Z1w$D`PJs19x(M5{dpjcnh7 z^s$+DLOpjuT^t77RmcniuKCxz2lSzffRwjhwJwc;3K*;Djyr-bqvCZSW;g@xx=Wh} zpn3%et9F1O3j5{xvPf=lN5~4eH|V5v;udsC+X<)Rk6W;GE-pW3G-ZIWu@V?-9x zy#3ylZfY#xCyx;n)dVG796{0`q+ZdBK1NFdqQ#{xhh*%T$UDlT1r2;JYCj8}1zBY9 zf)99PWq_!P3|qf6>8a8fYz3pW>3Fo3m}diuyFr&IL073wi#2cG%Jl4(@BnpRUC>2& zQ2iHNILLqCXttXUT@U#Dlf|*^wR~wF5F*l=>6N2Qp*IVL&@}c2=+}r8 z21SZ>d#l-pclkho#RFVk*a7OM z1N_?_%6DQOrl|T9iSz^1A9JO=vZn2hUIsVc(XpdITr~@dq_+o7R9U`dOS=n7Kbt|= z^6nIu*|zHP7+@q1R4S+`9%1MYu4=Ld^8$5)P}md-dYEs5JBT`mkffO0eifm2hch4|ayGUMUZ*xMjF z2ttV}2H-Xx=4!X}3J}ffngw?<**7_J-Gm~<&<&0mocs}>Gv7pA68{Cnou!akg`Xhy z=VV?3);N7n3MgQ@05l^YtXtYk_Hg%>b~L*RyIB5v+;nR#qF7|lxmO6L#Y}r&Eyem z4JC~m*w4TcSU>-4!}V?b;8~&6*y;r-L>nu-1n-p#fGU1|p70lgsBE=KFDw+gzr@uX z*&c=XK%IWW#6;n|UHLe0G%FUKkI+%xjG2{eSulW{7AVQ1U2YyOk~@rv`Or!{FDv|R z-d72_z&SM`tj4=zmRdeGZ-feUMz!zrbk!%Qiq9V`xf#mPExF}$Dm12JbA2Q> zU`vH+MZ&*PFZp~a)Wt2;$&crc?O50h-Cv5N)NNVR&JFR8>0?X)nUXJ>3=W3jELjS+snV|7gcR-ZQYXuz%8PaN=HDh(bq{aNhte7 z0;sh$C7?x$a%a(4xkO?Lp3%A23*p-QFe_ny0(Jv&H8bkt4m zGf?ArGat%kKI%y`kk`VcT_Tm+y`z^9cL!+)?)w2cBEl626)GV5>wv-uu9-fqlpD~p^J{eI{B&NuA-%X;5uexK)luIs+9o0E0f@Qqe0J3cK@L0#>M=<7pE zA{jb!aDLdwgzrz>a`lWST&a*!VD7}$lRz`)m9LhWSwDsLd9CS}kDdDp%H-!(Qw{t> zQLKHOLbXjI1dvz2XXp$HcCv0X>siqw&v)Dehi!o@$r;0U;19Gb<|5b-d#2)iBUh*- zEgYcn?^t7zG@KejC*bM|jz;nPT&F#Lw26t9B?6E|UeC}n(s=>$L zZr7Lf?W0zZQw_)x_8`BmfMKLX;E~2IC1~w%>Bqp>LaxV7rf_^+T)x1zBo(gx4s0*9XbTrivo{59pG zX2uaYY&B0r_xXb}*AH+6%7z@Ms!^>sLY`DR8VC;9d8sr4liOBYI(7b8WwlXCqYw@P z-O%;nEX{d0{&vKIHR1jnYhrejp6XLPjTA&5oQ6Xu$eZQqcn#~NVQ4a zBYzgp1_Ea(aY*wvLcBw)RfaMEXJrLAZk-4{Zg&Oji@4nG`UB09=iI~?{Doe|O!?Tb zD7!p}+7EvhIvwXb+EfSCBcXNr6{Zl;5NZ2kS!IAOiofYrkl z*`0pH*AWG8idpK&&IRiS6Qf*xv|~pHh0jcy<}1Y5l7JlA24KeDr6+ma-)lpK1uhsZr7^!Txt{ZC z^HNh{U^l;}TK8$zFMsI9G5^A~8Y#sM+$Ox7!N*yfkz*lk4s2kV>UA<57fK)!f7{o7 z8|{qz>Z#twT!W!E)>P_nRaYY4J&<&JAIP< z8N=Bs2nJl>@Px*r@hDx``cFw>U4PbmX<2{-Jp} z_iMQaY{9EMuR!WI9uh;F>Jp!&GEcDPp(HaCHi#TRKHX>aOR+WADywHWF&j59fVsre zPL7QtPh!s_9d=vZMz8o*{Yf}F#cLyAvakni+i=RS9&ac7Zq?Z1~6Mv4TWJ!SJhNzB{``^F`f{bzx`c5p;>g&dxsuON_Z(4{B}RG+@zq z;6^cajW+>{>F)y@VJnzbl;-*b6#WxG$e+*u1E8pJ69_OaTC*1A2msLNUo=*|`xn%| z`1F;;mxeRlQ;ZqxYcN6u!uQ$%y>462V%qPbnKt2}gCMnOkWswjd0F>k729R;CUHQd zc7b7}b4Xy5s$?YD6z9|DGE$J6oUyI13c_Th5-eN^>9<-o@d@pRYq>ZI}6 z62RxDc)pr5?*BP3n2VIFPOHrvmsBQ4m;lp4z{+Ix!YhXZnZK>t^wWdh4FN?8V%Y)i zA{$!*c~q8(hf|1v&q38`Txu5Xis2no=|LhL`6r%KwSxz|^uA}NcQ@~SHp#7pdj%IJ zsP`2;CgYU>u`EQgYi!i3EB-D#*D^3CbMtE_Rp@jWFX@RYR$ja6B3y<9R^ID3A3FQu z@CT00lPF3#3hO8rS2AV$5(U$F0Hy@*g&vVRkwHIyM7?#KwJ=eJ-lk@!gRG$-Hx`U2 zVxhP^nk)vM1{)_O56Z6Hj0)UvF#fa$xH}m0Pk>t3VFt?J>=?dj)(wZbpRc{e)isUqE(rLA{cuGUJdZSbrp2=zOpZ^B` ziH_brL_>8q za?2BG&=@J#2k1v|-$k=Tet6Vk}0Hlt^l{gUXE#gl}I_**tg#&4@~iP z)+2BwgivC{TE0|{5oPHYPkKEi;pi9~j~})?xjUr(pB)HQ~%c@A5=TboZBh%AaXtNj4%S2{HMo=#z&@ATe4| z;5ahcnhGDoXpV$1YJVAj%r^G$hZyTBzcDDABV3<}<}>5R4ZpxsIK=t~ORLxo|#q zH9dWKa$Kb9-W?{&R&fyFB}afSFdfcVV32>DFcbh$Oy-ce$Nuv}rW^YK#lwIl*#scx zI>4fmJN1tKo^RR_GBY_Qm6*iY! zZSp(gvsWxWiu1W+_A%A7EBb4-mM`}^kH8q7?c3);W+x1Ujt=xvLDD!0U3OA;COJr1 zg>-M<&kx908pZ`h%7Qj#B-x|=bH|7tRk~eBKtUqs#E-$Pp(l1Gbt)FjST!^#!rqMn z$#1o-qysSp0EhiG-{!I}Yf|#nQc?&qBWyEcmh+TI5w6|2Yl&1z&xDjE-vkhZ@nXe0tD2CxZo z)TI+migE>tm<*HOo#Gx*8v}#mki6u5V)zV6Q5<64Z4YhEb`k`M`sIdjZ>$z+==F^q zpG{9mVh`^7CDQfTb)Qr5T$q_9bS2yl@2nkm?~; z#H8@9Y)A}_yRd@6>BQjlDsD97X}hFPwF#C#2E?8-Am@lPYDSP>%|xR@Ponxj63U|V ziks8b1*5`U5v-sq)-%$qkhWx{D!CK%AKAuZqEq5QL6ANeGOmttWMT53fD+l5Y0ZA4 zTry8rx?&>>!xU0nmmsw9>WiK!`7tl0Vu+*TR~hf{J*feQwh!o=HUnIxfRb)((0sVY z0qKywM+wJ}=IM<$5Fy!v0r&dq6wVhs2%=k-G2vvW7@nvS)5=0m5!WW8?s%Xqtf^h6zt$ z0>OO{<(dlKJ9Z&sw=$amqqCn;$DbUULm{_7;uWt7{`M5*M{5E~)b@oe0Fyq?cNjE* zoamk)n=XieeUAi3b)SGWBtP3&QMXKlzCJJCV%1&`V3+j%iUrSF6q-=)&W^oqY%(aC zK)SARf)L@Rc?@7hnO)~e1Ugg3q&ZIXCB;dfg)#LNW=FsiSW%7Zg1LuQf0(Ece=Zdy z9{|yxD9u((%Y!4WE;ruh&#dIP9-KxC1qW0Wh9Zl1qzO7eoO8%<+O$`MH*kdy03zNw zGmi3?(4Gz;?bw(&q6W>;k_P&Q7l06CFXqyvgG!^6;{;8h=VIi_^_`s8g!W!Qboazj z0*Ch7FMu^R)_6iR!?GpK!6I z-l!3jPuBxqHmkg!)^Ee;*#}Z9QAD;f!_gB-5WDJoy^^!c*d21J?7V;cS*oeZ%WVI0 zjf_(n0lm46tdm}cEX$+T&v=GF`5=^BscRT2MS@+X2wBQHIhs18Bvwoju{l!M zmICXU!C@0nq-DB=t*PG^BdL$C@-ZB~|H|v5QGOcc(9xWb0u!U@cZ6?KOuUJFg>E6N zI+~q7|5^}(3~ zYO0vH#yppU29L$1Iw6+D$?vR^JC7(62nDORlae-u4{f8rDBd6EviTf@>Y8Pm(CnpI zMg5(I(`7UQMZW$}Vh-LWHxW=LK_FFiJt9;mll}mUrU+7jUnNdL5}MsJo)gizUT%Ua zWkcKa34)Ac$(==?R!FS_{=#=Sl;M222wwq_q;aez^}Zqu21xXD-6gC(=U!?%Ob8&X zVcZsTyTIr>Tn{kxg|;C%?q~M_>-{{7h$oGMqpZ)T-Q3S)-lnLX*wD zScwzItLr1*GtQ|*%mT=4J=3c62k5l4zatm-y>WO|a2{e_?P-o~G^1wN2c*h6eB!8f zXCfA{&DHPGzVT4@(a^RSeaIy93FxBRL}3pBj;=XA2gb|fDE{3!6uqmfm7ZjEAEiXc zr?Dw9lc^}x>7ON>Sr;xjZ)UhM(*#{1I!Z-7Qu?OZ#bkpn)oypRn$8AtKmm~hVq6xa zRnglZb41omvyc1EA){mIfB;5kkKjRnlAvhlE{~`~uBj}2JQ2-v8 z+fnDA^9eCKxA-3c)hlsX+*k#dX@^zQ`5@5n6*uwE3cknk|1Cr0{ChtYBXe`}_rsuJ-qPA? zc}!yoD@e{g-Ju0oD#ov$P1?ADQhNfHRzCgO@F8qZ`P&e~XEKH}qL@?OBOS8_NcF+( zw0f#A9|QjL!ofKEPT=W3y!QT8(rIA6%#qbL=d~g)*><4+X_7PL z*ixk>LJ7#U%UeqhBgc}b{I7UR=ouP^Eefw=c{6>Bdt|?L;kUCLn$b!SWi9bO_s;IdclgMGUWw@66G6~adl`|`$ z6udK5sQ7Dx9Z-;gT}9?4f;_It?%0VMjlf<)u_YOP^R?3=CDF9^Sg8 zO%I-=U}L~;l6)2(T)VV#+(m~@-=FIW4GZE&ok-k_8rdO(bzxvD=S?mm`K=VQ3$a;p zr{Faaw!?#uqmvR=p0j`ohUBm!t4ri-bi&}*bgUCiV>@`EAbmE}l+Ens#n4$-B37vI zDsB@Z4E1L0y~~5F0b45u5d>x0y@PJan6)Mvk*% zT?l*}=?0ZguwhLJ$#RVohu8F((|)=BDlZxqY}(5`3z`R^DWETjb>e0)FB;ArSW^;c zJ7uA>!g#FEWyc%1(ZHKxP4O7D<%Hk-1h8h_$s~`W0i|NgOe*y)57a;?XAX?KTcJ4{ zfp{Yi`|*xiZXC4K9-AY>_LTkh@T4>^nxn!Syt(k8q6Ic)@fxWoP;XtZPWbacBWtUe z3!?KYQ3NUvp!P57E^ch?+Vzd7Lj{nU4C{p38a-&I(`l?J zmxp*wptH-cLbK~g#W*zZJXllgg4i3uvyfRkqq49B^? zo$%t9_1KSvX1!uCoYvSJwT$-I2*8u<*c{2o>K%j!<9V?$TYK_K7BqXv7W@1?01FGgGo=r`xiN(R+F6t8dyCvcRHAJuI7+O9Z zfsY=oM%1P4Qcn2XTWRSF|Ajd;TnwM4yR|a&cl4R7E!HtSU-b|@&U{awU67*haR&|0 zLP5{j1S!2=et`9`P>`ZUEkViWH6OO@u{ST8)eE`qzqZy}0G1BV$UxmMgf<2`^O9kCya8LH{?0rdCUb?!79ss%x;)lK$%` hhSds&cdLqqE(!2ns%UlTedi+hXQXGQTS#$=_zNJ|d2s*$ diff --git a/versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP1/Distributed.drawio b/versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP1/Distributed.drawio deleted file mode 100644 index f7c6fe79..00000000 --- a/versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP1/Distributed.drawio +++ /dev/null @@ -1 +0,0 @@ -7V3bcts2EP0aP8pDgPfH2ImbziRTt+m0zVMHpmCJMUUoFG1L/fqC4kUkAEoULwDkRC8WIBIkF2d3z+6C8JV5u9r+kqD18jOZ4+gKGvPtlfn+CtKPY9M/Wc8u7/FtM+9YJOE87wKHji/hf7joNIre53CON40DU0KiNFw3OwMSxzhIG30oSchr87BHEjWvukYLzHV8CVDE9/4dztNl3uvZxqH/Iw4Xy/LKwCh+eUDB0yIhz3FxvStoPu4/+c8rVI5VHL9Zojl5rXWZH67M24SQNP+22t7iKJNtKbb8vLuWX6v7TnCcdjkhWVoPJP5zF3/w/trOvG+vv70+z4rJe0HRMy4fw4noeDePhA5L5YmC/Afn+3N2pzcfcfSC0zBAh67s4dJd1DwuO3+22U/3O3oAgOtt/Qxnkf29R0kapiGJy6vS288vnP9eSK4aHFIhrrOvz6voLkEr+vXmdRmm+Ms6v89XClLat0xXEW0B+nU/QziTgUFb1SRkjYCswqD4HqEHHN1UU3pLIpLQn2ISZ9fYpAl5qvABise7Q6swymD/F07mKEZFd4FxkA2LonAR00ZAJwkn1RO94CTF29aJBBU8qNphssJpsqOHFCfMbLeAVKFywC0x+VpDcNm3rKHX9opOVGjNohr9gBz6pQDPGUACkEPSBif0OWkfHGEayyfzMqlWj2QaI4kUcCK1eJGajkikYASRrrboX/K79Qh+vYe77+Ef8RMBM4+TaECCp4SgYClDoJz0BDJuF6jFCNQ0O8oTGiPI055D4NsPc8+Yo0cAwMy0OJHhOfUDRZMk6ZIsSIyiD4dexnTUZDdHm+W+H3SwHNTE3YXZne5HwfH8Xea1souucZz3NH+v24+OZqZ1xrKHPDpfCY5QGr40naFI9PtT6a2jXe2ANQnjdFMb+T7rOMDAAoxaGdBvOqkzT6Bf8nsQn256LadXd7whz0mAi9MYQFVi6a+zrsCfDsTd4ZhPhKwL0H3DaborEICeU9LE5x50JcyCCG02mZ9rYBEcQ00upCOPWdAGOt4Cp0eOc8ZG4SCDypOdmkE1ADdTpVGlPGFNtTkTUuXQI/yYNTfUvobx4tO+9d50xrKeVhPHlsDBAyiwns5Uzsg5Krt2Dy9fdpUMVMgOuCh4QLZredg2fedhBji5MQT7bObckZJzBNt498OQ7HKm3Wm4jW0zXsbmEWaL6LdlTqWegLdesv1MC+Hp72T8SSgMxxkoN2yhquUYuZubjDP4nImgI6JohtahRmbVYsxqlcBR5pLKkPMtYb4U6uSgh23xmSTQlw9aRz3apJmNT5FGsIeedrA3j1ExzfMC0G6BnZS0gFieloCivcGYDXQN2oBeURu4mLCNtRXqozZwMWEbSy80kJ0ol6ModLv5GbqNgjIuza9B5OYp9zbjs1hJoRub7qVs4tqofWBzwKkp7UUEcmx6TD2hrQrkb0gDJqq/8PUSnk8r1IAKjXoHdWx2XQMVgAKuwerEoXLIhAd8dw3neBum/2R4vva8ovl137SL1vttgfZ9Y1dr3OMkpM+X+eWiNkmfNR8LOGW7NljWPIy2b+3qLXa8TurVllE/Hca4HVWw4fv5SS/7hmZc2KyxYzNoailNCkYymJHY2HhqNb/kDAS3MgFUpFBdDgL+IDkI2DUHAfXKQcCLyUFwpWMABSuZJHu3i8lCcMVjHaR3Mg8hbY3mzxLyVCVkv3Miwp0MZ9omIg4UtuSsX2vkVsxfB/goVXXnAxGRxeMuImHBEzZDoCxybXKZDdRPV/rj3pSUsuBKz9Jxb15GmoKiTD/g84mKywn9gK9f5GfysbRy0zJF5FcuwD8Z+Zn22GZo2PzwkbmmkV/1opk+oYt5PGzWKPCzWFOrgfD4qPln/fnC4z4AtAv7LNEKddYB/Zilh6PpmNOOrGsKU1H9AVg+g6neBQhQJR0lMXhLVIGIN4QCVhuXwr9TKqTvIm2fzKdYGr6f1vqiZKXxdkPhT6h7f822Or/VZnXU7IEqa9sN/Hjsy9tTKxmfHvoJlrPB4koCi8nSf8Pyr53Dx5WLHZ75o3V4nacX6ewFT9ch0chWM6badQSW2pVpqUvd11DXpGbj7dELwS3qw754LjspafPhnobJeMC9YK88Jeko8Uo1j+Oe5XL0UzGna0RTsu7JKwSA8WU+u8fKxLs4OKauxrd1lk/zEElvFtpmv7k7OdCe0Hjm4WNLtc8Onwiu7POMzn2WW9DGTHM1U19Q6QCmVDMtWgS0D9mv12WmcfZwiiHS50+bWjOCtNglU1WgVRMWFMXpk70U4vBxOi8spERYM2hoJy1tV64McMqSVqFwhQ/ZvNfhsww6FuNN/RahlHekcxKUyxSrz4G6auOFqtGtejEtKZS31o0tfPVlhTPTsBlEWdkrTwda6HQyX+fuZMc/QQHa9hvltrLzGmc0t7IbbQM6vjKSJd6Uswb2VU31rMG9JELP5l3U83lXSYJSiRmdPPdosablaKDb1VTyywfdPgH0uZaSf5rjhpJbBi3HTvLhaNNOqglF2bWxUs2keGNnTk7Vvs7ti9+02dfZZsEld19noUQhJ1EVlvSsFZ+MBTwZ0gqfu2AmdVIqPM4aaGQHTc7RV1tHXu45ENoMvxRuZjJZRNo+c5KWew4SHrcBgHLRqdkEY0TtFhSRhMf5KrUb8gost1bYY3WK1NnJNxdUNT181nuaEvi4hhf4ULn1UJvTOrcG3r++PYoy+BehDNLy4sO0wWTLtOq1QZMdPUdELOjKnZUittxtUpkVgr2sEKjZoNKSyTBDnSd1aEDUK43DRheGb9cBcvL4MhvZdrx7/PjBWZ+jIq9ZBmo4E7KlkqHgNUH+2tGpF1rVcw4otfwoliX//6mUqH/FJdzuZKI3cxlT/btycqX5EMGmlhdKNaESrtl5lod67l5GnjPC7P+QZIuaFjx+xkRmmw8ML8Jss2km9Ua73GjuMhIgvWz7iMor2q7uCEDHXzbB/vMJg90zcrzFWWIB6OHjVUwpHDqlw/SUf39Kx1QYYMtr6oN/qDoI7ctPFJm4zpnhiUycrdrECZLOGubZ9FO0Mu/3hnxD18SwWtdwZNe+KdatjVws8UTAtaQCF7414JYb2p0mNbZK5Ir23dMXuRy38UT/JmAk5NJmQrLtlw6uLUHr5Wcyx9kR/wM= \ No newline at end of file diff --git a/versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP1/Distributed.png b/versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP1/Distributed.png deleted file mode 100644 index d96ca216b2fe23de6ecacca6544f5b0d0ef86778..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 31547 zcmeFa2UOGBwmu4oieN#JBHacSS_nx%>AfQ$y$PWO0--mlBB&IxBhpj^l#ZYjX;OlU zfYLz(2~FuC0s#WN^$YHEJZGOX?!E8bcmLym$9C+YkgUGunrqJa&2Q}+7j)J3F>*4} z(9rDDP**mfp`pjq(9jk#>;j(@we_#k(Cq%|qhjjg7T}1%I?$YiD{cRDQe4a#=k0S6 zu6$Bl+~40{#NNx+Uj%~#zk#pZaP}BSjD!95*WzO0V!~oDVHoTp41N->0G9-RiNQrs z;^OAp40RS_a$ps7=)FxW}BBKS!gS&)7R{}p{F|H2aA2kQGD-NpS?QZJ<{!w!F!nt95 z-9R;zl!%xJTuK5Vf|B~<8&Kt+KR2{>wDrRL)(tdI2OnFf?Kzq|iYwW=I_WwE*(>_$ z8V0&~;xxAB=I7w$jlsEZ7lVn5AVgr>U-$%iIBb7v@8E|)gFeMi!d1Wu+hc5k?qj@ymG zjXmtq2ydjy1u>YTyS}=H$pvLIg!ly?mkT}@b-i@p>V7DgrmCW%i;AD%Kx@altf&%Kk>PGe+QW~zRZYl_GEh%SR2|c)q zj~n~~`lPs`zN52)zqX=|i=%>*D?;g_fr)|ysN||DW$WZ&ucE7Ds%)Z$aWcb6Xt~sQ!@ocgp`2_T+B2;OT$w|(LMm_6(EJcs2G`I zv1WR%L0V8>pkZh803Q{1aVd;G+!TCdBo(0NYKzql0z#ySfhjBaIEiV%UExm3CiXh2 zDvkjtCvz|+gr-T5x}T%3qPM-hBw7=c)iP6ZRMB%Z(Q`Bx_w$!Pt3$#NsOad5L92PV zp_~zh4j45_arGeZvA=tehk_&0&f5f3L}&oXQq))S(DMmWk~>QCvi6;9ajVM3nt2LeoE&0>Tcd(R}?RJ zz!eldkU>gVe=mJCZv`i9e|x7O4YZ*a%)=F~V&HAAfW_#djFHM3rYfptzFrs2;R+2XKfEJjE9P{ zEdp-jpx|cWYhtMFYh)CN!}+N=1}W$nX@CRn>@TijfHd=xz^IrgAPsO%hOQW8Z(AcX z37iTTs6AFM&cp;wloh4w~lXW@hU4M&j!3=7AW0e+d;kgbo6%rlO;XgaVj}k``P; zMO6~(s9}N*K%-O?{ro&|N=_)Wx|^ASii)N=&?1U@V&{err(ma2=CnSs9| zRtg*$RY?VJWdzz6p`eFyanUtFJ4m7({0&@;%u%*xYCvld;J*1lc1#o33!e9nINVI*BuTvnXWd|u@(;z)%Wu%`e7VRtMY^Z34 z^2VTbO~jS718x00T~PME%1Ao{RS8{FaRUhnaXmdyMHg#mrvo?fKsv*4$Uxm7Pai+5 zpNp*o9PNp43{n#Jzi5gygQLBJOpqFIW6-U(x}7ps3JINECr>?$DbB?Nu5O|Z^90{{ zcn3)+2RN$e`0MB>J9ryQ1}Y%kOpSfDz1_@%)R3y$3c3>BfoM-~vnXD$ceHcV^a;|} zvzIWC1h<%~p=5xcDa^sn6s~S4W^dL;q`CCLWvdJ>74YL9_X_or z0l)vc$>Ay$i<+f0H2gFg$_f_)tY^ROxpz|K{sK{cIrGTQi`?{_H_wTMKP8-+x@L4H zW;gokbk0Z*wXU?l3m_j|AB4ZA>|AD`W}|@ZfchO>?%ELy3Y)| zRs5@iZi~*vC*NMNnGAN4{qeEZ5Q)UPjS{#0*Kg85-^&-&{oEjV9liPj{23(XNQG65 zKZs>1m;^ zeIU=T5RNL?qt1OL{8o6`(u7-$qC>qH=!Axjhy5|Ehe+=kNd1kW^x(I6S1#e3D*SqN zUxG-;;i{=`Sg5-Qb9(2v?mMRoSfKW3BIs#{$_4m68R!)0hI*3ARvGW_X@J^e@UaZX zn>MpFjvs}7qR052(hX558kr zcs*3riYh!O$py{wF&pUlm3_>#^8frI@>jt8eq<&_^Y{B3rB zp<2qK#^^$QT4SREb<+3uEUX!u)t3+E?2OJYb1kfXU12li(Xg)}gLmn4G;RRg*IF8a$2@-psKE!y{FsQ!fgms zJ#975sKyuKgk+IoH>6ME1ePLVc!^vA=ZS9-u^L!#;HVZ>5 zH7M!%z;-Rp820580{a!IGN2vaTlV1)e%x62*2^L5mCD{I_L_w#+w4?7M$y3cTJ`6L zh&LBfCZ(N*0_RKGWk;?bzsYbmuc-dx25BE^kXcu9vu>jdb^A3 zYFYKH+sL=b1N#d@W?hrHqRAG8ik(8b;y6vQ;ke+mgD7JF1i*qA2NS=q>)9B+lA7Zz9~_)F^fCE!os4IFix|5-dqlW zOb zAMG;7K69(xSZ?(s%93BUh%n7x9$tTRc}Q++wSDAy#!W^!%E*BRXw{20*QQbFX_6BU z(T|FaZ9eSt(YtI;s^<-3 zdJPT%LNAWTqmH&UER5X1$1A(^LJtw2Pj(K#T3UI$-DwNPu-C-O*NAlRBl)5!Www7N z-B3>kfh}%gYeh6RzeRtv)qC93M?|5C7-T3_*D`;T|LkcrJ?Ws_hRA>>=aT`Qu>X5EehSnImcuvpPg{zHLI zoitjQxF$4uhY+%cpeB<3^O+z*@21Z1iH|k35BDwNQ8h4Z&FVyJ*xJu*IUd=cPYy&u zdSgc`0r!~@-x$Si{rty=zU{l=A;YsOeN=_mm1CcjBJM4*C0|$>x{Nc$RWH?-q%Gx5 z>?!IiUt4Vt;|(Ro+FX6rYyD_y9~Dv-K5C2(tyGlY{TTR(9B0_C)alxyv+ISvpi(oR`n$8#HNDd@h-eOHRCE zICLE`e1I*ib1C9L@MDZe{+qeV5uhF%NXq8HAEl9>2(jyCPN}Q}8+;tPIr(az&-w3< zBkRpw^Sh-(dBbWbO!c}oyK*=i^LZ({M5bF7qs5M zxA`f!3WlsF*jxx3JI>e7(WocgDENw(cwJ3GFFs@;k`F5@du0CZsL9pFiJpy>VLofp zqh5*OCa(0pnA)!Ru%oh}ipPf%n{AB4mP^vzYE(}Q`8OvR;A`plYDI;H4m7VXNVb&# zb?348UJ$iHAPOQ01esMl7jBSJPo7A|?JpY&awQ>7m254J`@Add;2 z@de-0ZJSByaqo8fw|})iPQSLMTAjjwn^~Rx`zRQTl*|_Q4XQbGAi^32jhj#9gAi3W zfpL>nWkQy@Z^)ZP$QGdH(p!3%KU2S&*%|bOWAvcMI)T7Q{on)BPhxyfpvtjhw*)?w zE#Wu3&4;8IspGbxtH#EG#jB0E*H0bQGp3)j@j+`Jr4B_b(uJ5q11{t{b_`k(AEn2M z+XMFeW57GteyUbi@g6+rEchuKYWU5dw*=MP3ZoC|1%p`FJS+&O+NaK{Ej?}4&e+Ts7Tkv|X;qa>Hl$93 z`MJeoQC!z_8=c9#%B75WB;%mm<@ZPu)l~bQD?gvcG41;FA^Wz8cbZNDZ*Wg?7wr++ zp5(aW8Pxd!MJ|v2XpsI(y)iH?s9JH{8)1H^7QUn!xLxEzElqs!n)kcC+nqiH=JC0v zaCs@(9t$bgW7{U~t!X{dba+)h)R?^yhLy!+&h^?1M4Cuv^-@5??45)l?*Nx(mhLl^6p)1Fn8G2mb9 zyt%K?&pIhNJgf7 zjwSVocY5cMRRd7#lzVK6H`IpgxsU9OI1DsM%$*I`*n8RC68JGMd6^b7mpJ86iHl3k z&tO?NA>fe)u;IaV=hF(&5=JJjx`cM!yh@2KkQ*0H)EE&Z2r(bD~s;rNG^`=2{W zX~o}umk^z^`A`D?GhXF*(I;i8rrpQoX4Q!y!HM>gdYm>cgit*u$CFs6gQt9)pI7N1Mm84|i)yLG7jKZ`z(QEjp2Th%y zrVt`;r~5q%cttuBBC&cJ+Lo&KlH!bXr|I&_4xd~{zq=c<-#PC6czDo*k}i%L6zAtt z2^whaVN(e@CY^hR!D3+J4*#|%f8IFScvuDZg?6t8oX2nT?K9edVd8#p#j0LFa; zfNJQ#Z9;cj?$6I-*`?*$(u)G4?@lp1V<;LjxHpq1LbU$`F68|Q(sPCIC1U}tLEJsh*D(Y)9{qOX`^EwVWkDhtIebw- z7>JR_Ohpe*lcOqPuaPEPWo)L&O-y+n^1)1zOi{;iinsPg%3lEzL96kN+0|*9Om{Vv zw?4UWDL8-Bzmj98$bK7I<;bJXajdFk)~9-iOy2AVCR=-hYI=yV?4~2(WVT)GjA}zy z`H$=ZL8TrGx;u48d)j)4I~mT)Tt(STubMZ{`@k42xohaI?^622aW>Aq`a<3)`-BK@ z+jcMPqDA$zMB%+6hi_KxQ4rrtw+Dy_{fP*rywvDA5QA9jb!C4+Y| z?~4YJCyuW{PfVLdKUztrZ1*B+eJN@O!Ggo`6n7xY6?+c)L*SI`QK!3RdfuX$oqy&h z^H6a9q$^KtXVWPUPckDv=UxSLo>=9QV)0Fzhi?KTw|lXvs$<;USSD6}L2^-m{=FE( z2_Q3vZqe^A_IrI(RKD-W(W+JR_TF=$*|GZH2n($85*%0XrnWxQQFc7FV*W&rU%doG zu)l8-@|P;i{-HiFX~hZAiYW}^rh&sXVf)~oDFvtqmM7H z|K7vYbS~6(jxh487b4wRZsy_oZ;B)Dl9^95@ZaJGnnV7OWaB{pxf&YV>}w0#Tbe4O z8WG!ILi70&11CD_b3S{FFQtC4sUdK?7s5_sN&cFsw^8-CQAgFI6+l37=|T7jkL#~W ze1mE0bq|beZ|QlfI6C%gg)~p!GE3kYGc5i$3QoxX4~OhOuW=(+3&JU-EeC#6%Na0% zQB&+a5z$f*8Was)ZL!%8g+?Zq$lulEI3eHGqkfOz^>QBHF8vV@KdI;okYev1r;L5n znjYk=Hkb~6Xf}0@OqrD9gCb`8xOB&dT|Xu;Dmz5p`4vp73(7qnV%26i6{0c~qU54l z9;SPLYRJ>7U{b;Sg|Dpkd0!rnEotpLVK(N#(se+59*|R@qT>&F4DJxysvIxsyV$;a8ySj{gYoD&wSFa3l zA^R>xLeA>7rCuAkk1O??8}nguRUi`JhBtG#Z&dHu%)?HYTnGcc@zvg{354wzx3Yau z477Zy$09i_wzmmab>=L=Eb&WJ5bwoo;v0%x>jp6)Y;SS#QWmQEG!(kC$!eQ4KTw?H z`}4EfwcNs*bB$aPvt`4w+#pUlvQ!urQaS8rET z&c#0+@6JlA2;;S6H(&i>eR6p^#yQUDfnI(To7_P8_yY^1PI0!}#*Y!!!T=RgmTZk} zf?mEf;a~y-h)aqlqb!r%D>3CiJG2^r)6UB#Y~EG%d27m~ma|QAG;TsCG}vwi^5&=W z%dE*i^uh)t+J`6;DAZ)=lwta#GT8E%pq$i9#bla}5+T-xVkb%d7MYx&VeQ*(q;q_v zo=Ft@2wiMeG+(oh>{SMPeN5yNhgSaNeXy{XQt<+PAYjI|U-DbH2UzVW6o_Ezu#jsv zr)wRjq>(wh@~?sL`6v{F-D6_usZz4bE@QQ{Q`dEq+yq5dionjGT!jmg6nw)*<5AH- zl0T2khizTXKz^6ZXZ$pPD=kR$#Kh_EV7SM2DP2fd)?7MYI&%mI&Oq2u=_1_xmCu%t zaA8-_#AZ^^+~yffSd;{QAUP@RNyS0DV2OMANVH=p@y7$OMyG=bEa}dhD`>v;zJ>dR z!I_u`P0>cdK_@o{11D2QY!6&ECE+*nO4=S_I2yy=jNUw755*ft2~vV-0e0ozpT3(rKMG3)U$8B@-Uo##Ee5dp%u+5#OdHBITAae)(Kpeg`xHO>btDkFH z)*yfi9(fWB6FsY&@O_UfZ7N~N@8!2y#Kx5KDb7}+qnk?MRr-4v?y+2|zF*RIDo!fLY&9`EqVL4?cP@J!`eUJ(R5moQrk|JTEu`6XoQqCX^d| z@o{|FaeT!oo2MKo>V2g2Ey~1jIw@sR!e($QQ#9no>N`gY*#R5c6y5i8>#OZG9>)UF zv=R`0Lv8V<^Jc($ZY*L$4)!c@rz>(_%r2g@+i1?NvfHsNGasne+4TrST(@MMWg15z z{J~@DMK)5T{qhj$ksvI)R(A24MEAIT=L!(Pggxe~8hhJqk2BsX zJ2)b_FXA9DDvm!slJfMv;9R=Hofr4{l5(eqPMKT3SOO3P1@Yv5`kawnZNYV*MOVAb zonLU-V&$7q6rjO+AKXsgQ%A+=2)zPV|bA>F%8YNWSzb4h!LWY5y$CFa^4qM>o(yewgUK-eZm??O?}wp$d3*xXft>aJ_~PNM&6OPqotm}Aq0kZ8Ix0W(oSy!}o}!@-W|PVtA6Qn}rOeE{ z3XDVT3koi0I0t6-z*oR7R+gPvECh3|vHg574^>aj9I?O_tB|Vgh@Bu9tA@7s&5~Q4yT851K`To)HZ4&!;yF+ zg&d+yeE*2-`I_ALQTP08mjstxUcmlgm~kn+N~Bq@cV4rC@7iKwZPjYzVW2FmNctn> zFU91~@B1D zqMElRP_;(_26J)?&OBnD#bgQ>!s>$eOB{8O}7&sTiVAJyfRID z!PL7->}C8NggDVw@0AI@rnsxcQiu%`GJ(aKc)pR47$-+cYR7KcSyT3BlG!N)8^Yz! zvDRI|d%^$$)^I>hx-mf!U;ANY;hJ0(#c-^tl0ApX7wssa#U{0D-8wRD1*E=@ zoTa=E0BpAlN69!;?8z->Oqp?#d$Y=0O+GRHxH4hicQU|G4v(X1i1Cg*A79B5JUQjS z^-^w(w>$>6e%EhXZ|H)KTX*8zBenGACy=&}8}KC|vv#W^v3OGx@!J7B=3KUR0VNFt z{~Jx&ZG?H6MRdY^kav>lgoNXg8&g~I6Ll`a+0Oy}R6T6hFb(Dd{6*Csz+ zrF}VP#-kUSH%20KaI}zIL;NW3E>h^$^}`7M?mA%#o2Sr?wKI}17%WQea@8NX03Tjt zO*XPGlMj9XfM(mzbJ06jApfZ0%+tBB72|eaC)fAgcgt$*?*w)MtNHBRlXECl?}^Po z3Dj)Kb0;_3FT_Brq9s1Wx%guJaaHMd$f4l7oxeJLR|2ov-Fd#fGA(a(`n@08KKRY; zYp+cdh6Z9hrRg%5iiT9nT)ne^?My)$mn4jD240l*7CU>QgSi=q7?AGkV+`mbXN+h+LenS5>g z;1)?OwI?tE;dA!Ve|Z;wxuyRn-O|y~QClxBud(M$>>_((*+qF*DcjjEu*KCB$=dL; z_*+49D=`bk?IG_40;jbElGOGAFJ9b?5SkHJVsscceLd)PPN}$Ob+`8sqm5JlwHVh& z|D9vmR-p^O1;XNCN1E+2iay2YCmg;`DMdH@6{q?uIQc&ioUA9410JTN9Ok+Ec8ngt z-Sv%)R|mso_-+Kv`CWN2=|1W7soPV@_&*b)KAy3c`CIhuj_-GAmIkx2%l;x=m@w~_ zkCniqo3_?n^HAwB;(PgyJ8S22CzmI?KrR!){sqC+{&=2bpyir4T^C$MKa$4RT!}}NHj_0{CcbhXwu?{YeH9(D|ok>N~Y)x7YmwOABqh zE7#Sek8y`lh^f`GB6}lF)p7Yw(L{IwtIDe3juPEwAqYDHD+=;3~efJqK6Xr&LsF=%c~4kfF@XeE3^bD!boX zFS}Fps)sJ|ao&i(%gmt>zJxr)C3tj!pISj^4}BiUw>5JLCs!YW$}d~9O5A;65FYaU zL#gNI`yfr?j1G6=*VEL}sb|zh@R>C6utbbghdEtU5vjhw$RaLQK8I%gLeAmlqqjus zf?81a^z^1`gK{N|%tdUEVUDS^gcZ$jc0cRB%SNBHvovX!pPcE$tC*Ytv0@2NOTTPt zY5yGl3XVjO31XR*s^Pk4p}vjjjjy3^bFo{!0GD4!qi28WA*l4=iz{PxmW-b`yp#L{ z@=w+=ofn-kf7MjZ@QktOK&GZAH{B{&_+TYf`EcLH4R|gMtt(jbo+JFBh4cZolTpNh2Q;EHRYk7dY@^3+ovD+( zcc#gcVGMYbi~EkyQkO7~?ym*^Yr#`BwDt&@m!9GVd9c(ZX8>wAJ+!{i%zGKzhpXMF ze{zkNa~b4szVPUdi_}8AAShl2Dk6?o;Qnb}Q#^V*+CG99;sQMbKP74QECa%CwI}K z9q&s$^mXY2GUiTv)-GWIvaS0pBKEm<_5 z4rssv6wR~whliF5{G&jyYmji~+(DK^sI~{B&aP=VeQ>19L&1aSOhoEJ2!neXGZ*V8 z7IRqvzUwwszEHr>I6Nl}(vc7NgJkZHC-bWoKa50kxqGaZ_DRr*SiQJV(2z`n>#BB0 zSv3cWNNDMXRSC_?4R5CdiH~w0xfYs%VYT*;4xB$OwqAA~1R75Wm-}QXS1_y5Rq6ZR z!)CdN)CIxyXxT3mL)8QiB*w%((ke6t)n2_At$%akk81F8pBI`HY@(pr${ox^|4x8( zv%joEbe)05oz#%o6Ejii3UryV_j38N?jA7i###ZEEym2rc{Yo4r^|hEv@1AvL%rUz z&*}qdY!*%iZ=)_!tKVqI?6@-V^6%4zs?UI3fD*ucHon?vP3}xAFgnxQ=}$ZKd_|_= zW1$w<1rdix*BAQGE|f%T#dm*1^a_D|j8m7leRTt8iLi!0NGrpQNiaHw=Sqv6dF`mG;0;03WS-BIy|RvMmH{Rar9Fy12N+3~=a&b7dSH*_@Z4 zEK(p|#V)3RFE&-Ji34hN1^`6PPT&g-q)UmXp);o&T6Rj~V97awi#pzjgzpXQcp3*t zAD!THb{r|Q<6zO@OV#5)Mz7hV(KsCs4}TC|wvmK?c;RH=S?;4qPISjDsCWxQz?byu z*2FvivVBgp;{CCFkE?yoaT-eEfC2J}!@|9S{FUJ%9Ua4A=5L##2ad>57U`jpmeNYqsPqe)>J@aFjDmu<6TpmU{x3&13*dVGG4hSvsT6JGGwb9zo?^Lng zWaf&8Vbt+}d&7yAz?<%5ILrbXPT>6C&~T*(FTfq5T?;A%q}M(tus!;`V0-iYT)9UR ztI1VET`33hTcw*t%Pna%I{=BvX=l}}=+MNM{`%2+OWr8)F9cmXL9{t*h%|0APy@OMCi4u(Hg`AbbV@wMUV~gfO{{ zpPk9Mmp>S$9g-#9(7TH0wS-eZ>ia%i@F-WqeCW!XA|jsanrQF{lP#1~T4K{Tyi&6g z1>wabGbQcro9hq(MRxIa!c~Y@Ls{#s-H!`wv8adGBgO#mU3hXJsAfOl5g0>g=N;2T^)lc5!V!Yk8q(At^CZqXNNbJ%Nii8vJGHcML;*bHs)z6^kvos z45`Fzx%V~e(yoMq^ICN=j?lb8Iz-Z^EQ;g%8Th}c0GU$+GWSyLbPBv(8qOU!cH7p@ z?if`I0|+@7K&|k4LQ`zAYENdOH7BI17jjIhb5^g99aQ5!n6_|L@M`1%S;?95(VMNX zVF18FV7*u;pcdpD0OX00J6a-pT=R-msoH)TV51X#0mqA1Cz7x2I3O)n1t3M-Bdi|a zCN&g>F6B;OUIOH_a1~cPvJ9{gsYa;~faWqr7LY!iE!@jTuG{@6t1m0rozt2aV zFG-)#Y2~Xw?vX9HhD^L!A$E#s$WnL1G{|7cqJ0g)Qd=7UCf>U~TV_KZ=&k9YtXSZx zU#-p)-xpBXCE-ni4Fnb&;*AnOZpwPk8rB1HCKA)tyXiplvEBO>AUoP+_+^yvu4*P;T}8#BjURWXeQJLdXnyWVakyfppj+ zIlV9L^7@zIAqj?6DEs-@PSyVO%)%#Q0YeiO9S=+ygg{0^OYRMQN_p7kHITj#_zIe? zSZ&>@b???JpnhJWG)J(2a08K;TsZYg!qT=Vlh**v#ciS%qDA4-m}B`2Fqau99=F57V+GTM*yiU-#L?CT)do zu1;Rtv0suucq!M$O_nhbbco;!sRBf{NAr8X06NtpK%!uA5KQqd4l2czC3+9O9a#N6l0L<=ka!EVP0>58ApS-_r#6jANW47&P}3|3B$YD(uFR!d8e@y0N%y~xi971 z%Aj|0b`u1=XPL3J^Z29^(RYc%qlo78*YU+ZAmMVssK*h+fMe12+cjN;kAC&luuf%4NrW=|(%p?Qw9tSAQccL|itXb!!cc zHE$AZTK?)kynDmw19`X%5Mi?Ru+@gmOyw53Z=P|WNREvH;+oVJ__3`}(wNe6kJz%1 z&4u>NAyUXDr*R-xW@7XKv1JS72z;3+yoj&W4J5UqP&PmLxV+EL6e*DowkYkFvTvLI zxN+)aLO2sE9~gCA6;+t-0=526!nDeGrz&R@@J`haf@$dc3LO+I9*n zO(z?}ISG-5fl1W=CD?m9l63GL@ZiV4f9BBo4Co^&Hvk7l-n{M$AO^#pFfJNPy7dDR zNj^t2Fr@Bn*UFr_>dDLjQk#)619!X^l83=zs9Ga{ec-U7S~u9A=7FD*h8VN=aV3P8 zK^$CYAg|>vCl~rui}3;`ttrl}^nnap?OW(_?q&m4ntU47N;9>t{+KeG?=b+T7yuEB zX=pLq8>rdKGuP}Pg;yh4g;qku=;Z&+291UGFT{|7;+dKCaqi;$H zfanrJrx?l>fD)>vdiBrH6sl!DyAcVvEw%`cnd0W?jpZ+*(hGGvj?U?T3$-_r(|*RJ zfqvB=@RsUSe_6I|RLl0)5_pEyfI7*7jagiFKwasv_=9TuQ9}V4YlwS$>!$TJ-0T9u z^{}rnyu5uVnAF-DaW=oS12haQM@Nzt<2J9d^5nPKrFdY&Z~Q)V!Y1WqVzp2Tl!G#K zdEO{NjY?XLSlwxC>DjbEV6T--37klhz@K6R1AH7wH?+nDG<3`-$WDhrB=5%}V#6$G z*Zfz;)^ZileB`5k)nk3} zTfIvK8%edAFWPiz=q(vMwoqY@R&(!(JfOX+OcTM&_)EeYhZxna$3qt^t#8EY@?;Jjj5tj`qjE}H}Jr{v{-30Ri16(NhE&a=F&+p|2hxhM)+na5LmBY?V3%tNA;~g_5E~R_p03XgC z8Yw2u;XYG5?5OPa0fdx(ZiKiP9m7Z9k=i^nOh_+11+)qco%psE5ch3JoM(~(3F{2} z{KDUsqO1mP69EC*jJiDgz6lC{2!K{DZu@j=e+74-7syMe>hWo&H>Jm+*5YA5IKkAk z)?v_d29HmIJ;?$}Q{!I`8{)P-FySSSQ$6+nu=u~3Wy_trzpF#)O=Tp?Psb0;zWiN% zgkALL!Dy+xELV5MU)9ETgFs z_K(i_FBSIpVT&aId#O-*p@jq)9slgh|Ec)DnPuWh!OKt};+OuVS{b?4^7Qf`ifq2G z$mYdoNErBUZEw*7BN3po$lE86WnrzpVAlt5*2Ip3Vc*u3`4#(Mcn3u@Fmdm@_Sw{k z{%M{O4pf5z5&kF9QbKFLyG_+77}`S7nU0%KXhZ`4%oQkeq1k4tVEtqK%eb`laNF5&*7Fo75{g$)Y4rxmQ=)UZ$D&RRkxZ{hciHu`-<~Ytw9DP4D$TjTO^cg z2{bQpTZaokXJX$ypiwSCD&kmb5apT5kpn=oZUNZ=*4^C~Ts6Tqf1YOx^)h#*`Lk%@ zAKp4n-Omm>Yn#4I9;h`C3F-w$%xoZmDp3RQ88M(!_2F2X71g%+pWQu(4OrCJB6ng4G0 z`EtuML$XJ~!zTCPo(Hc(qdNDzyRc`vt;JZz>2A7TMLjjAC4UjkT2?yWvC`fW#heBH zFX!C*eQbeYcPMU%zr2|WoJ^h z37=AnST+$$4q)g@FRr4|Xb=Lk8zV`1hSKI%zWl(nggt2^P+%lu(IlKvi9L)Xz48(e zq0@&h!rjKy^OryEWYK;9{y&sFN8SvqV6N}#>blqMdy%g<$0Ls*^3^O~Hi9QL+&5IK z#1tZNVdguCdBOSM%sAM*J|tM+M7_HU@+o(bF5Cu+jSO4b-XuRf`Z@&cRr`(7IE&zqIXrM5U;I)-v13!J-bP_erc`^YS zZ?Hy-$W4cFSJvJ$fTMbKET6IYjELxrVieq-W18|HY5dM9s8O4NH$Ku(@0lU}iTRB; zrp>6z+V!klZuv}S2dl(NK+mc$Tx%{}>%2u%Nsd!)c~6@(>_HN3Zhdh~3)5xCwQ{4xj%B@dBIp&!4+>ztG4sS0dnd?N+o{64L_Qyy|CZZmGjv)A!D`LB%t<-<-Qi zEiS##`0!Sh(THi&c$C$1kLbPV)M4?GF_d*?YCgfNyTr&6*JeyQDMI%EQf(OO2q9{;gop%E&eM4D94QIq4Mk0IU%y)U?8e`A=j&E)? z#%+x%`~W^$oT~fKentd@@Rsfbz4i??EHs>wgo-D6%}hyBi!au(pcNOlcirzv{Somv z-_VwicZLJ*`@N2FGHN&Wtd_E9O)O_HrCwqAkRW+&30Wz4Cpb~(vRP4DVkDg#^g70M z_9F{A=}6HT?%eXKA}2O&!jGO+oht3(hCIMhwAuSIV+SN_uQVgeR?VeY*g*yWh%@eh zb_MdywWj((@oL={qtxObigQOzq2eEQ=*8`MZ?P>uQH)OS#HgDWI%+h~eLyb6KD4Xfr0}P4%BCcm>ysb8xJKj?Q9znwi**Y>P=0 zQM_q?2_#*xcQ^OjQ>AO)(1h!_wk7>j$PC+`N1bzuiRcR_P<-iJ=1pqx)6E4p(bVDx zqyb`pGm`uxsnqNjOcgLjYNlq?HNKnlCQ#^%eI4$zPxWioXj?)HW})iaf9h9H&LF}Q z-W}Ssp&B|@DSgGr$}H(ZyYZp}!5m1*pm=)b!$Ws{C@Zi&uXym^lx*29A$=>R*gh0wz%c6+B4+oV+A6O*t7n z^jb|lL>~M34C3!qtyItNQ{(ZyNN%y&JOl-$pG-dE6|)JQ13~(Qr1oF|2+erWki=K! z{P}4S0Cb^<^m9w5C25pvau9e8tfT?3QqmThdOWHDFlmn65zVETHnA#j z*)rouJQ3FonVA7iXI#H$%A~>9drKPO4cH~!1yAr{00xe8C>&5HJH_FR~jy^iX=wpfCxp zQ4g?Cqzq9RZ_l=r*z80k3!QMN!#zUhj^!u6k0)q715MlQ9v4SE!-y>^f|VkYiJ>Qp`txRq%pgm zumruFWs_x402U|<_PU<&>~kbO%jQ#p)Wk#l8D!Ib5MRc>c#sY~$TkCjj**Dnyv{uz ztuN1>9N^DLBTY#m@ipsT=cA#Qn{+gqUM)cZ63U!^Ez4G+B9rqNhvtz46+nL zaIOkUkL=OOn1Uq)YLoQq`T}Bb_|f>f+iJZ1!AW7kjAugQrsLpk3=qYRr2m0Rx!c;P z-C`eFZS#+Y-iT}6y4hMpp69|)E5BNc<{CKX{{UYT{h&LX_xLKzG4DE-^;WEPufP zd?eZZ`d9CEnN~y|pnHyh$Aq{~&p!}sng&l_B`0f{VlwY5bJ=&12B+Qc1>Ib|G5rIa z9Z$)nE<+Vf)w6O9B5h~pil#f({BfjiFMG>h?GzT%Yn9#C;^Jur{TG2g`7+EV@LELJ);In*yY>6@qcL zcnQtZ?%?<P$2^TjJ@bWEPuG)K}AJ!Fyq0;4!&|T1rdpRfrw8xEjJOr}U zDg44|E`2hGEx%H|@Z(E0-S)%;1INlN`;#CmP>gh}w3 zld_**b?Tmv0~ zw0X>zE^vO6JeoXVKrywakkORd$O7*l^Bh{MZ7?v`$HM{nAXjAs0FfW^1{brN<#feD zzP^%%P2{KPou4gTczYnU2qWDrcs?_}-++rmY1Hze(F4Zt-+sP2Kj2p0{a1!;zH`N6Hcq^aJDy?b) z*;|)`?+79BcBDz3`2aQQ^NHYTvAKzqzE3fHH>7_&yIT*D+k)>wdcvIq`$%py!NxTu z=;O0L5%hxXu(86gA4*#$?svR| zvDNAcZT=iTe~22jJU?bP+r7wxPMeaF9S{5#u^Z`%2;Kd7ETJb9KEs($*#AZ(KWqhQ zBdms3*?#Io87*Y=zHUbWFDL1 zAFQ=uLdYya;&8KIn@A0rFtODnSm%hsLr*G7Z1L9a77Bg42~e^DiF)Y0#EIBtw31K_ z8IS*{ug23IECCPgHKLpi*0OP;=w{8n{!$<%xaso*hP29|7^N~N3tC(l>035^F(DEIaT{KfCF#WL6|!+o^L5G%oo1dIDhOic$qCJwPtmZ#VW&! z(vtd$0%d}MFh8&D+bcWIBx=h{c9U)hru7A1lnQP1UDm78PY9DZx}pY`BUvRI4O$lJ zx3BzDnBq}y>jt1JY89TDOMgRMgR0($f)pK)FvRjm^p;|x=MW;+JM{Cq(hFu4ZedZDJk5mQ=|TF;3=^G zUegXT$Ea2*aOhgcMt{=M0UI}!12WY`XRXeq0cT>cqh_Y%@8OGA_tT9mmoYyWA6=II z*RD_EP~zX3{ckmPJ4u=UC12?=?19Y=uwxmpLu_Z!|A zr`!PJB`j<206^r$;g^ggjXeWx+l3xBcIK0k1Cs2nnE^MshQnTM_shjsF|PM_{geA` z>O&KgKc2hu^hZ zC8`zWoIT6(53b+B2Gtpbys)K8c&Ab851@T=e%C(ddD?$#>$z`j4p38Y<7Ng>Fzxq( zkeY&mEM4Z3udMwYD|4h$L0p#g_qZ%3&g=$DZwUx1tDNfv-b&Edj@9X@0ML@-?=5Me zwN0z2BZ}(m?H_rk_onL`_0cKg)#4b7fkgbnzn?yx$nfHGzGusi=(|K<_4CuB)r;0A+LkUXY$-E}x zCClkeX%}R5tN%s8HYIsQ5Hig+&E;F+3JmO({W2A*blKW`)Ue(BrTFMCcw?%QWF>M{ z3<3U3NzS#Cj3wt-_5*UKV{vQGV z-{4DufPV=B{@;P7{VUY){|K7)ufex}hZ#OdnfWcD=08qj07yDvJF!Ej4j}2Ar*<3% z34v5?y+qcCh4RAr`5}=7P`V*1c(vxwsNn-v2)^#6`7=-pQUKJb=;*VZAO%3{{C1Z4 z-2!m`mz45RGXSWm?*Bgf;{S?d4f0~hpXVub777X%(Eb^y1+%?L#ehLxSBPz*-*zg! zfYlBF!(-&A836y7Z~rTghpIQWb4*B30{Mp>wbF9b43Ph*_`gX>G5dd3vii215+eqkw)ZG-~#K8e(+4XDQG4=YXNA*hcS3=^vYw5 zH5wnD{>JoYL>Q=b8q18Cw173Yj3j6o7;qikuS0roPXH(8fy)bau>n^PT&e@j*>hw- z)|POFPQvc&XP{+%Q`v$2OVB0?g359Da?_I(?CWT7EQ|r33@HFw#L2*v1)52}>Hu2t zkp^7Cp?_)Raf~$@4^Mw@#qj5bHJ}W)i|qr(Iw0T@0E}fZ!2U`JFL3q1(!Ua*6##_R z^NcS4fv+e7l{?#if>$lkr!J+e{v2KYGrIf-yo7UTE&my9unhLqrLdz{q#!G8S(d=g zU%65+SN{0zUZ3Z}hgiQw0XsR<EXgV3qJHRtMMvH>c zq5!EVH~?G#0|Z$`MVs7%leHif(hp$?;I1d&y>I{2&h-cy2uR4w^WU+TJ|HXvtY(0V hmmM2l{(kv|4&bHO44$rjF6*2UngC#G9S8sb diff --git a/versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP1/README.md b/versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP1/README.md deleted file mode 100644 index 0fd4bb63..00000000 --- a/versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP1/README.md +++ /dev/null @@ -1,141 +0,0 @@ ---- -slug: /MEP-1-distributed-metal-control-plane -title: MEP-1 -sidebar_position: 1 ---- - -# Distributed Metal Control Plane - -This enhancement proposal was replaced by [MEP18](../MEP18/README.md). - -## Problem Statement - -We face the situation that we argue for running bare metal on-premises because this way the customers can control where and how their software and data are processed and stored. -On the other hand, we have currently decided that our metal-api control plane components run on a kubernetes cluster (in our case on a cluster provided by one of the available hyperscalers). - -Running the control plane on Kubernetes has the following benefits: - -- Ease of deployment -- Get most, if not all, of the required infrastructure services like (probably incomplete): - - IPs - - DNS - - L7-Loadbalancing - - Storage - - S3 Backup - - High Availability - -Using a kubernetes as a service offering from one of the hyperscalers, enables us to focus on using kubernetes instead of maintaining it as well. - -## Goal - -It would be much saner if metal-stack has no, or only minimal dependencies to external services. Imagine a metal-stack deployment in a plant, it would be optimal if we only have to deliver a single rack with servers and networking gear installed and wired, plug that rack to the power supply and a internet uplink and its ready to go. - -Have a second plant which you want to be part of all your plants? Just tell both that they are part of something bigger and metal-api knows of two partitions. - -## Possible Solutions - -We can think of two different solutions to this vision: - -1. Keep the central control plane approach and require some sort of kubernetes deployment accessible from the internet. This has the downside that the user must, provide a managed kubernetes deployment in his own datacenter or uses a hyperscaler. Still not optimal. -1. Install the metal-api and all its dependencies in every partition, replicate or shard the databases to every connected partition, make them know each other. Connect the partitions over the internet with some sort of vpn to make the services visible to each other. - -As we can see, the first approach does not really address the problem, therefore i will describe solution #2 in more details. - -## Central/Current setup - -### Stateful services - -Every distributed system suffer from handling state in a scalable, fast and correct way. To start how to cope with the state, we first must identify which state can be seen as partition local only and which state must be synchronous for read, and synchronous for writes across partitions. - -Affected states: - -- masterdata: e.g. tenant and project must be present in every partition, but these are entities which are read often but updates are rare. A write can therefore be visible with a decent delay in a distinct partition with no consequences. -- ipam: the prefixes and ip´s allocated from machines. These entities are also read often and rare updates. But we must differentiate between dirty reads for different types. A machine network is partition local, ips acquired from such a network must by synchronous in the same partition. Ips acquired from global networks such as internet must by synchronous for all partitions, as otherwise a internet ip could be acquired twice. -- vrf ids: they must only be unique in one partition -- image and size configurations: read often, written seldom, so no high requirements on the storage of these entities. -- images: os images are already replicated from a central s3 storage to a per partition s3 service. metal-hammer kernel and initrd are small and pull always from the central s3, can be done similar to os images. -- machine and machine allocation: must be only synchronous in the partition -- switch: must be only synchronous in the partition -- nsq messages: do not need to cross partition boundaries. No need to keep the messages persistent, even the opposite is true, we don't want to have the messages persist for a longer period. - -Now we can see that the most critical state to held and synchronize are the IPAM data, because these entities must be guaranteed to be synchronously updated, while being updated frequently. - -Datastores: - -We use three different types of datastores to persist the states of the metal application. - -- rethinkdb is the main datastore for almost all entities managed by metal-api -- postgresql is used for masterdata and ipam data. -- nsq uses disk and memory tho store the messages. - -### Stateless services - -These are the easy part, all of our services which are stateless can be scaled up and down without any impact on functionality. Even the stateful services like masterdata and metal-api rely fully on the underlying datastore and can therefore also be scaled up and down to meet scalability requirements. - -Albeit, most of these services need to be placed behind a loadbalancer which does the L4/L7 balancing across the started/available replicas of the service for the clients talking to it. This is actually provided by kubernetes with either service type loadbalancer or type clusterip. - -One exception is the `metal-console` service which must have the partition in it´s dns name now, because there is no direct network connectivity between the management networks of the partitions. See "Network Setup) - -## Distributed setup - -### State - -In order to replicate certain data which must be available across all partitions we can use on of the existing open source databases which enable such kind of setup. There are a few available out there, the following incomplete list will highlight the pro´s and cons of each. - -- RethinkDB - - We already store most of our data in RethinkDB and it gives already the ability to synchronize the data in a distributed manner with different guarantees for consistency and latency. This is described here: [Scaling, Sharding and replication](https://rethinkdb.com/docs/sharding-and-replication/). But because rethinkdb has a rough history and unsure future with the last release took more than a year, we in the team already thought that we eventually must move away from rethinkdb in the future. - -- Postgresql - - Postgres does not have a multi datacenter with replication in both directions, it just can make the remote instance store the same data. - -- CockroachDB - - Is a Postgresql compatible database engine on the wire. CockroachDB gives you both, ACID and geo replication with writes allowed from all connected members. It is even possible to configure [Follow the Workload](https://www.cockroachlabs.com/docs/stable/topology-follow-the-workload) and [Geo Partitioning and Replication](https://www.cockroachlabs.com/docs/v19.2/topology-geo-partitioned-replicas). - -If we migrate all metal-api entities to be stored the same way we store masterdata, we could use cockroachdb to store all metal entities in one ore more databases spread across all partitions and still ensure consistency and high availability. - -A simple setup how this would look like is shown here. - -![Simple CockroachDB setup](Distributed.png) - -go-ipam was modified in a example PR here: [PR 17](https://github.com/metal-stack/go-ipam/pull/17) - -### API Access - -In order to make the metal-api accessible for api users like `cloud-api` or `metalctl` as easy at it is today, some effort has to be taken. One possible approach would be to use a external loadbalancer which spread the requests evenly to all metal-api endpoints in all partitions. Because all data are accessible from all partitions, a api request going to partition A with a request to create a machine in partition B, will still work. If on the other hand partition B is not in a connected state because the interconnection between both partitions is broken, then of course the request will fail. - -**IMPORTANT** -The NSQ Message to inform `metal-core` must end in the correct partition - -To provide such a external loadbalancer we have several opportunities: - -- Cloudflare or comparable CDN service. -- BGP Anycast from every partition - -Another setup would place a small gateway behind the metal-api address, which forwards to the metal-api in the partition where the request must be executed. This gateway, `metal-api-router` must inspect the payload, extract the desired partition, and forward the request without any modifications to the metal-api endpoint in this partition. This can be done for all requests, or if we want to optimize, only for write accesses. - -## Network setup - -In order to have the impact to the overall security concept as minimal as possible i would not modify the current network setup. The only modifications which has to be made are: - -- Allow https ingress traffic to all metal-api instances. -- Allow ssh ingress traffic to all metal-console instances. -- Allow CockroachDB Replication between all partitions. -- No NSQ traffic from outside required anymore, except we cant solve the topic above. - -A simple setup how this would look like is shown here, this does not work though because of the forementioned NSQ issue. - -![API and Console Access](Distributed-API.png) - -Therefore we need the `metal-api-router`: - -![Working API and Console Access](Distributed-API-Working.png) - -## Deployment - -The deployment of our components will substantially differ in a partition compared to a the deployment we have actually. Deploying it in kubernetes in the partition would be very difficult to achieve because we have no sane way to deploy kubernetes on physical machines without a underlying API. -I would therefore suggest to deploy our components in the same way we do that for the services running on the management server. Use systemd to start docker containers. - -![Deployment](Distributed-Deployment.png) diff --git a/versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP10/README.md b/versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP10/README.md deleted file mode 100644 index b9cf4f2f..00000000 --- a/versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP10/README.md +++ /dev/null @@ -1,197 +0,0 @@ ---- -slug: /MEP-10-sonic-support -title: MEP-10 -sidebar_position: 10 ---- - -# SONiC Support - -As writing this proposal, metal-stack only supports Cumulus on Broadcom ASICs. Unfortunately, after the acquisition of -Cumulus Networks by Nvidia, Broadcom decided to cut its relationship with Cumulus, and therefore Cumulus 4.2 is the last -version that supports Broadcom ASICs. Since trashing the existing hardware is not a solution, adding support for a -different network operating system is necessary. - -One of the remaining big players is [SONiC](https://sonic-net.github.io/SONiC/), which Microsoft created to scale the -network of Azure. It's an open-source project and is now part of the [Linux Foundation](https://www.linuxfoundation.org/press/press-release/software-for-open-networking-in-the-cloud-sonic-moves-to-the-linux-foundation). - -For a general introduction to SONiC, please follow the [Architecture](https://github.com/sonic-net/SONiC/wiki/Architecture) official -documentation. - -## ConfigDB - -On a cold start, the content of `/etc/sonic/config_db.json` will be loaded into the Redis database `CONFIG_DB`, and both -contain the switch's configuration except the BGP unnumbered configuration, which still has to be configured directly by -the frr configuration files. The SONiC community is working to remove this exception, but no release date is known. - -## BGP Configuration - -Frr runs inside a container, and a shell script configured it on the container startup. For BGP unnumbered, we must set -the configuration variable `docker_routing_config_mode` to `split` to prevent SONiC from overwriting our configuration -files created by `metal-core`. But by using the split mode, the integrated configuration mode of frr is deactivated, and -we have to write our BGP configuration to the daemon-specific files `bgp.conf`, `staticd.conf`, and `zebra.conf` instead -to `frr.conf`. - -```shell -elif [ "$CONFIG_TYPE" == "split" ]; then - echo "no service integrated-vtysh-config" > /etc/frr/vtysh.conf - rm -f /etc/frr/frr.conf -``` - -Reference: [docker-init](https://github.com/sonic-net/sonic-buildimage/blob/202205/dockers/docker-fpm-frr/docker_init.sh#L69) - -Adding support for the integrated configuration mode, we must at least adjust the startup shell script and the supervisor configuration: - -```bash -{% if DEVICE_METADATA.localhost.docker_routing_config_mode is defined and DEVICE_METADATA.localhost.docker_routing_config_mode == "unified" %} -[program:vtysh_b] -command=/usr/bin/vtysh -b -``` - -Reference: [supervisord.conf](https://github.com/sonic-net/sonic-buildimage/blob/202205/dockers/docker-fpm-frr/frr/supervisord/supervisord.conf.j2#L157) - -## Non-BGP Configuration - -For the Non-BGP configuration we have to write it into the Redis database directly or via one of the following interfaces: - -- `config replace ` -- the Mgmt Framework -- the SONiC restapi - -Directly writing into the Redis database isn't a stable interface, and we must determine the create, delete, and update -operations on our own. The last point is also valid for the Mgmt Framework and the SONiC restapi. Furthermore, the -Mgmt Framework doesn't start anymore for several months, and a [potential fix](https://github.com/sonic-net/sonic-buildimage/pull/10893) -is still not merged. And the SONiC restapi isn't enabled by default, and we must build and maintain our own SONiC images. - -Using `config replace` would reduce the complexity in the `metal-core` codebase because we don't have to determine the -actual changes between the running and the desired configuration. The approach's drawbacks are using a version of SONiC -that contains the PR [Yang support for VXLAN](https://github.com/sonic-net/sonic-buildimage/pull/7294), and we must provide -the whole new startup configuration to prevent unwanted deconfiguration. - -### Configure Loopback interface and activate VXLAN - -```json -{ - "LOOPBACK_INTERFACE": { - "Loopback0": {}, - "Loopback0|": {} - }, - "VXLAN_TUNNEL": { - "vtep": { - "src_ip": "" - } - } -} -``` - -#### Configure MTU - -```json -{ - "PORT": { - "Ethernet0": { - "mtu": "9000" - } - } -} -``` - -#### Configure PXE Vlan - -```json -{ - "VLAN": { - "Vlan4000": { - "vlanid": "4000" - } - }, - "VLAN_INTERFACE": { - "Vlan4000": {}, - "Vlan4000|": {} - }, - "VLAN_MEMBER": { - "Vlan4000|": { - "tagging_mode": "untagged" - } - }, - "VXLAN_TUNNEL_MAP": { - "vtep|map_104000_Vlan4000": { - "vlan": "Vlan4000", - "vni": "104000" - } - } -} -``` - -#### Configure VRF - -```json -{ - "INTERFACE": { - "Ethernet0": { - "vrf_name": "vrf104001" - } - }, - "VLAN": { - "Vlan4001": { - "vlanid": "4001" - } - }, - "VLAN_INTERFACE": { - "Vlan4001": { - "vrf_name": "vrf104001" - } - }, - "VRF": { - "vrf104001": { - "vni": "104001" - } - }, - "VXLAN_TUNNEL_MAP": { - "vtep|map_104001_Vlan4001": { - "vlan": "Vlan4001", - "vni": "104001" - } - } -} -``` - -## DHCP Relay - -The DHCP relay container only starts if `DEVICE_METADATA.localhost.type` is equal to `ToRRouter`. - -## LLDP - -SONiC always uses the local port subtype for LLDP and sets it to some freely configurable alias field of the interface. - -```python -# Get the port alias. If None or empty string, use port name instead -port_alias = port_table_dict.get("alias") -if not port_alias: - self.log_info("Unable to retrieve port alias for port '{}'. Using port name instead.".format(port_name)) - port_alias = port_name - -lldpcli_cmd = "lldpcli configure ports {0} lldp portidsubtype local {1}".format(port_name, port_alias) -``` - -Reference: [lldpmgr](https://github.com/sonic-net/sonic-buildimage/blob/202205/dockers/docker-lldp/lldpmgrd#L153) - -## Mgmt Interface - -The mgmt interface is `eth0`. To configure a static IP address and activate the Mgmt VRF, use: - -```json -{ - "MGMT_INTERFACE": { - "eth0|": { - "gwaddr": "" - } - }, - "MGMT_VRF_CONFIG": { - "vrf_global": { - "mgmtVrfEnabled": "true" - } - } -} -``` - -[IP forwarding is deactivated on `eth0`](https://github.com/sonic-net/sonic-buildimage/blob/202205/files/image_config/sysctl/sysctl-net.conf#L7), and no IP Masquerade is configured. diff --git a/versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP11/README.md b/versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP11/README.md deleted file mode 100644 index 87f48a10..00000000 --- a/versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP11/README.md +++ /dev/null @@ -1,78 +0,0 @@ ---- -slug: /MEP-11-auditing-of-metal-stack-resources -title: MEP-11 -sidebar_position: 11 ---- - -# Auditing of metal-stack resources - -Currently no logs of the ownership of resources like machines, networks, ips and volumes are generated or kept. Though due to legal requirements data centers are required to keep track of this ownership over time to prevent liability issues when opening the platform for external users. - -In this proposal we want to introduce a flexible and low-maintenance approach for auditing on top of [Meilisearch](https://www.meilisearch.com/). - -## Overview - -In general our auditing logs will be collected by a request interceptor or middleware. Every request and response will be processed and eventually logged to Meilisearch. -Meilisearch will be configured to regularly create chunks of the auditing logs. These finished chunks will be backed up to a S3 compatible storage with a read-only option enabled. - -Of course sensitive data like session keys or passwords will be redacted before logging. We want to track relevant requests and responses. If auditing the request fails, the request itself will be aborted and will not be processed further. The requests and responses that will be audited will be annotated with a correlation id. - -Transferring the meilisearch auditing data chunks to the S3 compatible storage will be done by a sidecar cronjob that is executed periodically. -To avoid data manipulation the S3 compatible storage will be configured to be read-only. - -## Whitelisting - -To reduce the amount of unnecessary logs we want to introduce a whitelist of resources and operations on those that should be logged. -Other requests will be passed directly to the next middleware or web service without any further processing. - -As we are only interested in mutating endpoints, we ignore all `GET` requests. -The whitelist includes all `POST`, `PUT`, `PATCH` and `DELETE` endpoints of the HTTP middleware except for the following (non-manipulating) route suffixes: - -- `/find` -- `/notify` -- `/try` and `/match` -- `/capacity` -- `/from-hardware` - -Regarding GRPC audit trails, they are not so interesting because only internal clients are using this API. However, we can log the trails of the `Boot` service, which can be interesting to revise the machine lifecycle. - -## Chunking in Meilisearch - -We want our data to be chunked in Meilisearch. To accomplish this, we rotate the index identifier on a scheduled basis. The index identifiers will be derived from the current date and time. - -To keep things simple, we only support hourly, daily and monthly rotation. The eventually prefixed index names will only include relevant parts of date and time like `2021-01`, `2021-01-01` or `2021-01-01_13`. - -The metal-api will only write to the current index and switches to the new index on rotation. The metal-api will never read or update data in any indices. - -## Moving chunks to S3 compatible storage - -As Meilisearch will be filled with data over time, we want to move completed chunks to a S3 compatible storage. This will be done by a sidecar cronjob that is executed periodically. Note that the periods of the index rotation and the cronjob execution don't have to match. - -When the backup process gets started, it initiates a [Meilisearch dump](https://www.meilisearch.com/docs/learn/advanced/dumps) of the whole database across all indices. Once the returned task is finished, the dump must be copied from a Meilisearch volume to the S3 compatible storage. After a successful copy, the dump can be deleted. - -Now we want to remove all indices from Meilisearch, except the most recent one. For this, we [get all indices](https://www.meilisearch.com/docs/reference/api/indexes#list-all-indexes), sort them and [delete each index](https://www.meilisearch.com/docs/reference/api/indexes#delete-an-index) except the most recent one to avoid data loss. - -For the actual implementation, we can build upon [backup-restore-sidecar](https://github.com/metal-stack/backup-restore-sidecar). But due to the index rotation and the fact, that older indices need to be deleted, this probably does not fit into the mentioned sidecar. - -## S3 compatible storage - -The dumps of chunks should automatically deleted after a certain amount of time, once we are either no longer allowed or required to keep them. -The default retention time will be 6 months. Ideally already uploaded chunks should be read-only to prevent data manipulation. - -A candidate for the S3 compatible storage is Google Cloud Storage, which allows to configure automatic expiration of objects through a [lifecycle rule](https://cloud.google.com/storage/docs/managing-lifecycles?hl=en#storage-set-lifecycle-config-go). - -## Affected components - -- metal-api grpc server needs an auditing interceptor -- metal-api web server needs an auditing filter chain / middleware -- metal-api needs new command line arguments to configure the auditing -- mini-lab needs a Meilisearch instance -- mini-lab may need a local S3 compatible storage -- we need a sidecar to implement the backup to S3 compatible storage -- Consider auditing of volume allocations and freeings outside of metal-stack - -## Alternatives considered - -Instead of using Meilisearch we investigated using an immutable database like [immudb](https://immudb.io/). But immudb does not support chunking of data and due to its immutable nature, we will never be able to free up space of expired data. Even if we are legally allowed or required to delete data, we will not be able to do so with immudb. - -In another variant of the Meilisearch approach the metal-api would also be responsible for copying chunks to the S3 compatible storage and deleting old indices. But separating the concerns allows completely different implementations for every deployment stage. diff --git a/versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP12/README.md b/versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP12/README.md deleted file mode 100644 index 65532c57..00000000 --- a/versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP12/README.md +++ /dev/null @@ -1,34 +0,0 @@ ---- -slug: /MEP-12-rack-spreading -title: MEP-12 -sidebar_position: 12 ---- - -# Rack Spreading - -Currently, when creating a machine through the metal-api, the machine is placed randomly inside a partition. This algorithm does not consider spreading machines across different racks and different chassis. This may lead to the situation that a group of machines (that for example form a cluster) can end up being placed in the same rack and the same chassis. - -Spreading a group of machines across racks can enhance availability for scenarios like a rack losing power or a chassis meltdown. - -So, instead of just randomly deciding the placement of a machine candidate, we want to propose a placement strategy that attempts to spread machine candidates across the racks inside a partition. - -Furthermore a followup improvement to guarantee that machines are really spread across multiple racks, even if multiple machines are ordered in parallel, was implemented with [PR490](https://github.com/metal-stack/metal-api/pull/490). - -## Placement Strategy - -Machines in the project are spread across all available racks evenly within a partition (best effort). For this, an additional request to the datastore has to be made in order to find allocated machines within the project in the partition. - -The algorithm will then figure out the least occupied racks and elect a machine candidate randomly from those racks. - -The user can optionally pass placement tags which will be considered for spreading the machines as well (this will for example allow spreading by a cluster id tag inside the same project). - -## API - -```golang -// service/v1/machine.go - -type MachineAllocation struct { - // existing fields are omitted for readability - PlacementTags []string `json:"placement_tags" description:"by default machines are spread across the racks inside a partition for every project. if placement tags are provided, the machine candidate has an additional anti-affinity to other machines having the same tags"` -} -``` diff --git a/versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP13/README.md b/versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP13/README.md deleted file mode 100644 index 2dde20f5..00000000 --- a/versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP13/README.md +++ /dev/null @@ -1,111 +0,0 @@ ---- -slug: /MEP-13-dual-stack-support -title: MEP-13 -sidebar_position: 13 ---- - -# Dual-stack Support - -dual-stack support is required to be able to create Kubernetes clusters with either IPv6 single-stack or dual-stack enabled. -With the inherent scarcity of IPv4 addresses, the need to be able to use IPv6 has increased. - -Full IPv6 dual-stack support was added to Kubernetes with v1.23 as stable. - -Gardeners have had full IPv6 dual-stack support since `v1.109`. - -metal-stack manages CIDRs and IP addresses with the [go-ipam](https://github.com/metal-stack/go-ipam) library, which already got full IPv6 support in 2021 (see [https://metal-stack.io/blog/2021/02/ipv6-part1](https://metal-stack.io/blog/2021/02/ipv6-part1)). -But this was only the foundation, more work needs to be done to get full IPv6 support for all aspects managed by metal-stack.io. - -## General Decisions - -For the general decision we do not look at the isolated clusters feature for now as this would make the solution even more complex and we want to introduce IPv6 in smaller steps to the users. - -### Networks - -Currently, metal-stack organizes CIDRs / prefixes into a `network' resource in the metal-api. A network can consist of multiple CIDRs from the same address family. For example, if an operator wants to provide Internet connectivity to provisioned machines, they can start with small network CIDRs. The number of managed network prefixes can then be expanded as needed over time. - -With dual-stack we have to choose between two options: Network per address family or networks with both address families. These options are described in the next section. - -#### Network per Address Family - -This means that we allow networks with CIDRs from one address family only, one for IPv4 and one for IPv6. - -The machine creation process will not change if the machine only needs to be either IPv4 or IPv6 addressable. -But if on the other side, the machine need to be able to connect to both address families, the machine creation needs to specify two networks, one for IPv4 and one for IPv6. -Also there will be 2 distinct VRF IDs for every network with a different address family. - -#### Network with both Address Families - -Make a network dual address family capable, meaning that you can add multiple cidrs from both address families to a network. -Then the machine creation will remain the same for single-stack and dual-stack cases, but the ip address allocation will need to specify the address family from which to allocate an ip address when the network is dual-stack. -This does not break the existing API, but allows existing extensions to easily add dual-stack support. -To avoid additional checking of which address families are available on this network during an ip allocation call, we could store the address families in the network. - -#### Decision - -The decision was made to go with the having both address families in a single network entity because we think this is the most flexible way to support dual-stack machines and Kubernetes clusters as well as single-stack with the least amount of modifications on the networking side. - -### Examples - -To illustrate the the usage we start by creating a tenant super network which has both address families: - -```yaml ---- -id: tenant-super-network-mini-lab -name: Project Super Network -description: Super network of all project networks -partitionid: mini-lab -prefixes: - - 10.0.0.0/16 - - 2001:db8:0:10::/64 -defaultchildprefixlength: - IPv4: 22 - IPv6: 96 -privatesuper: true -``` - -In order to create this network, we simple call: - -```bash -metalctl network create -f tenant-super.yaml -``` - -This is usually done during the initial setup of the environment. - -Next step is to allocate a tenant network where the machines of a project can be placed: - -```bash -metalctl network allocate --partition mini-lab --project 4b9b17c4-2d7c-4190-ae95-dda44e430fa6 --name my-node-network -``` - -This leads to the following network allocation: - -```yaml -id: 2d2c0350-3f66-4597-ae97-ef6797232212 -name: my-node-network -parentnetworkid: tenant-super-network-mini-lab -partitionid: mini-lab -prefixes: - - 10.0.0.0/22 - - 2001:db8:0:10::/96 -projectid: 4b9b17c4-2d7c-4190-ae95-dda44e430fa6 -vrf: 20 -consumption: - ipv4: - available_ips: 1024 - available_prefixes: 256 - used_ips: 2 - used_prefixes: 0 - ipv6: - available_ips: 2147483647 - available_prefixes: 1073741824 - used_ips: 1 - used_prefixes: 0 -privatesuper: false -``` - -Users can the create IP addresses from these child networks. By default, they retrieve an IPv4 address except a super network only consists of IPv6 prefixes. In the latter case the users acquire an IPv6 address. - -```bash -metalctl network ip create --network 2d2c0350-3f66-4597-ae97-ef6797232212 --project 4b9b17c4-2d7c-4190-ae95-dda44e430fa6 -``` diff --git a/versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP14/README.md b/versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP14/README.md deleted file mode 100644 index 47c06434..00000000 --- a/versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP14/README.md +++ /dev/null @@ -1,36 +0,0 @@ ---- -slug: /MEP-14-independence-from-external-sources -title: MEP-14 -sidebar_position: 14 ---- - -# Independence from external sources - -In certain situations some customers may need to operate and create machines without making use of external services like DNS or NTP through the internet. To make this possible, all metal-stack components reaching external services need to be configurable with custom endpoints. - -So far, the following components have been identified as requiring changes: - -- pixiecore -- metal-hammer -- metal-images - -More components are likely to be added to the list during processing. -For DNS and NTP servers it should be possible to provide default values within a partition. They can either be inherited from machines and firewalls or overwritten with own ones. - -## pixiecore - -A NTP server endpoint need to be configured on the pixiecore. This can be achieved by providing it through environment variables on start up. - -## metal-hammer - -If using a self-deployed NTP server, also the metal-hammer need to be configured with it. For backward compatibility, default values from `pool.ntp.org` and `time.google.com` are used. - -## metal-images - -Configurations for the `metal-images` are different for machines and firewalls. - -## metalctl - -In order to pass DNS and NTP servers to partitions and machines while creating them, the flags `dnsservers` and `ntpservers` need to be added. - -The implementation of this MEP will make metal-stack possible to create and maintain machines without requiring an internet connection. diff --git a/versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP16/README.md b/versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP16/README.md deleted file mode 100644 index 205670ab..00000000 --- a/versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP16/README.md +++ /dev/null @@ -1,318 +0,0 @@ ---- -slug: /MEP-16-metal-api-as-an-alternative-configuration-source-for-the-firewall-controller -title: MEP-16 -sidebar_position: 16 ---- - -# metal-api as an Alternative Configuration Source for the firewall-controller - -In the current situation, a firewall as provisioned by metal-stack is a fully immutable entity. Any modifications on the firewall like changing the firewall ruleset must be done _somehow_ by the user – the metal-api and hence metal-stack is not aware of its current state. - -As part of our [integration with the Gardener project](https://docs.metal-stack.io/stable/overview/kubernetes/#Gardener) we offer a solution called the [firewall-controller](https://github.com/metal-stack/firewall-controller), which is part of our [firewall OS images](https://github.com/metal-stack/metal-images/blob/6318a624861b18a559a9d37299bca5f760eef524/firewall/Dockerfile#L57-L58) and addresses shortcomings of the firewall resource's immutability, which would otherwise be completely impractible to work with. The firewall-controller crashes infinitely if it is not properly configured through the userdata when using the firewall image of metal-stack. - -The firewall-controller approach is tightly coupled to Gardener and it requires the administrator of the Gardener installation to pass a shoot and a seed kubeconfig through machine userdata when creating the firewall. How this userdata has to look like is not documented and is just part of another project called the [firewall-controller-manager](https://github.com/metal-stack/firewall-controller-manager) (FCM), which task is to orchestrate rolling updates of firewall machines in a way that network traffic interruption is minimal when updating a firewall or applying a change to an immutable firewall configuration. - -In general, a firewall entity in metal-stack has similarities to the machine entity but it has a fundamental difference: A user gains ownership over a machine after provisioning. They can access it through SSH, modify it at will and this is completely wanted. For firewalls, however, we do not want a user to access the provisioned firewall as the firewall is a privileged part of the infrastructure with access to the underlay network. The underlay can not be tampered with at any given point in time by a user as it can destroy the entire network traffic flow inside a metal-stack partition. - -For this reason, we have a gap in the metal-stack project in terms of a missing solution for people who do not rely on the Gardener integration. We are basically leaving a user with the option to implement an orchestrated recreation of every possible change on the firewall to minimize traffic interruption for the machines sitting behind the firewall or re-implement the firewall-controller to how they want to use it for their use-case. - -Also we do not have a clear distinction in the API between user and metal-stack operator for firewalls. If a user would allocate a firewall it is also possible for the user to inject his own SSH keys and access the firewall and tamper with the underlay network. - -Parts of these problems are probably going to decrease with the work on [MEP-4](../MEP4/README.md) where there will be dedicated APIs for users and administrators of metal-stack including fine-grained access tokens. - -With this MEP we want to describe a way to improve this current situation and allow other users that do not rely on the Gardener integration – for whatever motivation they have – to adequately manage firewalls. For this, we propose an alternative configuration for the firewall-controller that is native to metal-stack and more independent of Gardener. - -## Proposal - -The central idea of this proposal is allowing the firewall-controller to use the metal-api as a configuration source. This should serve as an alternative strategy to the currently used FCM `Firewall` resource based approach in the Gardener use-case. -Updates of the firewall rules should be possible through the metal-api. - -The firewall-controller itself should now be able to decide which of the two main strategies should be used for the base configuration: a kubeconfig or the metal-api. This should be possible through a dedicated _firewall-controller-config_. - -Using this config will now allow operators to fine-tune the data sources for all of its dynamic configuration tasks independently. -For example the data source of the core firewall rules could be set either from the `Firewall` resource located in the Gardener `Seed` or the metal-apiserver node network entity, while the CWNPs should be fetched and applied from a given kubeconfig (the `Shoot` Kubeconfig in the Gardener case). -This configuration file is intended to be injected during firewall creation through the userdata along with potential source connection credentials. - -```yaml -# the name of the firewall, defaulted to the hostname -name: best-firewall-ever - -sources: - seed: - kubeconfig: /path/to/seed.yaml # current gardener behavior - namespace: shoot--proj--name - shoot: - kubeconfig: /path/to/shoot.yaml # current gardener behavior - namespace: firewall - metal: - url: https://metal-api - hmac: some-hmac - type: Metal-View - projectID: abc - static: - # static should mirror all information provided by the metal or seed/shoot sources - firewall: # optional - controllerURL: https://... - cwnp: - egress: [] - ingress: [] - -# all sub-controllers running on the firewall -# each can be configured independently -controllers: - # this is the base controller - firewall: - source: seed # or: metal, static - - # these are optional: when not provided, they are disabled - selfUpdate: - enabled: true - droptailer: - enabled: true - - # these are optional: when not provided, they are disabled - service: - source: shoot # or: metal, static - cwnp: - source: shoot # or: metal, static - monitor: - source: shoot # currently only shoot is supported -``` - -The existing behavior of the firewall-controller writing into `/etc/nftables/firewall-controller.v4` is not changed. The different controller configuration sources are internally treated in the same way as before. The `static` source can be used to prevent the firewall-controller from crashing and consistently providing a static ruleset. This might be interesting for metal-stack native use cases or environments where the metal-api cannot be accessed. - -There must be one central nftables-rule-file-controller that is notified and triggered by all other controllers that contribute to the nftables configuration. - -For example, in order to maintain the existing Gardener integration, the configuration file for the firewall-controller will look like this: - -```yaml -name: shoot--abc--cluster-firewall-def -sources: - seed: - kubeconfig: /etc/firewall-controller/seed.yaml - namespace: shoot--abc--cluster - shoot: - kubeconfig: /etc/firewall-controller/shoot.yaml - namespace: firewall - -controllers: - firewall: - source: seed - - selfUpdate: - enabled: true - droptailer: - enabled: true - - service: - source: shoot - cwnp: - source: shoot - monitor: - source: shoot -``` - -Plain metal-stack users might use a configuration like this: - -```yaml -name: best-firewall-ever - -sources: - metal: - url: https://metal-api - hmac: some-hmac - type: Metal-View - projectID: abc - -controllers: - firewall: - source: metal - selfUpdate: - enabled: true - droptailer: - enabled: true - - cwnp: - # firewall rules stored in firewall entity - # potential improvement would be to attach the rules to the node network entity - # be aware that the firewall and private networks are immutable - # eventually we introduce a firewall ruleset entity - source: metal -``` - -In highly restricted environments that cannot access metal-api the static source could be used: - -```yaml -name: most-restricted-firewall-ever - -sources: - static: - firewall: - controllerURL: https://... - cwnp: - egress: [] - ingress: [] - -controllers: - firewall: - source: static - - cwnp: - source: static -``` - -### Non-Goals - -- Resolving the missing differentiation between users and administrators by letting users pass userdata and SSH keys to the firewall creation. - - This is even more related to [MEP-4](../MEP4/README.md) than this MEP. - -### Advantages - -- Offers a native metal-stack solution that improves managing firewalls for users by adding dynamic reconfiguration through the metal-api - - e.g., in the mini-lab, users can now allocate a machine, then an IP address and announce this IP from the machine without having to re-create the firewall but by adding a firewall rule to the metal-api. -- Improve consistency throughout the API (firewall rules would reflect what is persisted in metal-api). -- Other providers like Cluster API can leverage this approach, too. -- It can contribute to solving the shoot migration issue (in Cluster API case the `clusterctl move` for firewall objects) - - For Gardener takes the seed out of the equation (of which the kubeconfig changes during shoot migration) - - However: Things like egress rules, rate limiting, etc. are currently not part of the firewall or network entity in the metal-api. These would need to be added to one of them. -- Potentially resolve the issue that end-users can manipulate accounting data of the firewall through the `FirewallMonitor` - - for this we would need to be able to report traffic data to metal-api - -### Caveats - -- Metal-View access is too broad for firewalls. Mitigated by [MEP-4](../MEP4/README.md). -- Polling of the firewall-controller is bad for performance. Mitigated by [MEP-4](../MEP4/README.md). - -### Firewall Controller Manager - -Currently the firewall-controller-manager expects the creators of a `FirewallDeployment` to use the defaulting webhook that is tailored to the Gardener integration in order to generate `Firewall.spec.userdata` or to override it manually. Currently `Firewall.spec.userdata` will never be set explicitly. - -Instead we'd like to propose `Firewall.spec.userdataContents` which will replace the old `userdata`-string by a typed data structure. The FCM will do the heavy lifting while the `FirewallDeployment` creator decides what should be configured. - -```yaml -kind: FirewallDeployment -spec: - template: - spec: - userdataContents: - - path: /etc/firewall-controller/config.yaml - content: | - --- - sources: - static: {} - controllers: - firewall: - source: static - - path: /etc/firewall-controller/seed.yaml - secretRef: - name: seed-kubeconfig - generateFirewallControllerKubeconfig: true - - path: /etc/firewall-controller/shoot.yaml - secretRef: - name: shoot-kubeconfig -``` - -### Gardener Extension Provider Metal Stack - -The GEPM should be migrated to the new `Firewall.spec.userdataContents` field. - -### Cluster API Provider Metal Stack - -![architectural overview](firewall-for-capms-overview.svg) - -In Cluster API there are essentially two main clusters: the management cluster and the workload cluster while the CAPMS takes in the role of the GEPM. -Typically a local bootstrap cluster is created in KinD which acts as the management cluster. It creates the workload cluster. Thereafter the ownership of the workload cluster is typically moved (using `clusterctl move`) to a different cluster which will then become the management cluster. -The new management cluster might actually be the workload cluster itself. - -In contrast to Gardener, Cluster API aims to be less opinionated and minimal. It is common practice to not install any non-required components or CRDs into the workload cluster by default. Therefore we cannot expect custom resources like `ClusterwideNetworkPolicy` or `FirewallMonitor` to be installed in the workload cluster but strongly recommend our users to do it. Therefore it's the responsibility of the operator to tell [cluster-api-provider-metal-stack](https://github.com/metal-stack/cluster-api-provider-metal-stack) the kubeconfig for the cluster where these CRDs are installed and defined in. - -A viable configuration for a `MetalStackCluster` that generates firewall rules based of `Service` type `LoadBalancer` and `ClusterwideNetworkPolicy` and expects them to be deployed in the workload cluster is shown below. The `FirewallMonitor` will be reported into the same cluster. - -```yaml -kind: MetalStackCluster -metadata: - name: ${CLUSTER_NAME} -spec: - firewallTemplate: - userdataContents: - - path: /etc/firewall-controller/config.yaml - secretName: ${CLUSTER_NAME}-firewall-controller-config - - - path: /etc/firewall-controller/workload.yaml - # this is the kubeconfig generated by kubeadm - secretName: ${CLUSTER_NAME}-kubeconfig ---- -kind: Secret -metadata: - name: ${CLUSTER_NAME}-firewall-controller-config -stringData: - controllerConfig: | - --- - name: ${CLUSTER_NAME}-firewall - - sources: - metal: - url: ${METAL_API_URL} - hmac: ${METAL_API_HMAC} - type: ${METAL_API_HMAC_TYPE} - projectID: ${METAL_API_PROJECT_ID} - shoot: - kubeconfig: /etc/firewall-controller/workload.yaml - namespace: firewall - - controllers: - firewall: - source: metal - selfUpdate: - enabled: true - droptailer: - enabled: true - - service: - source: shoot - cwnp: - source: shoot - monitor: - source: shoot -``` - -Here the firewall-controller-config will be referenced by the `MetalStackCluster` as a `Secret`. Please note that the `Secret`s in `userdataContents` will not be fetched and will directly be passed to the `FirewallDeployment`. At first the reconciliation of it in the FCM will fail due to the missing Kubeconfig secret. After the `MetalStackCluster` has been marked as ready, CAPI will create this missing secret. Effectively the firewall and initial control plane node should be created at the same time. - -This approach allows maximum flexibility as intended by Cluster API and is still able to provide robust rolling updates of firewalls. - -An advanced use case of this flexibility would be a management cluster, that is in charge of multiple workload clusters. Where one workload cluster acts as a monitoring or tooling cluster, receives logs and the firewall monitor for the other workload clusters. The CWNPs could be defined here, all in a separate namespace. - -#### Cluster API Caveats - -When the cluster is pivoted and reconciles its own firewall, a malfunctioning firewall prevents the cluster from self-healing and requires manual intervention by creating a new firewall. This is an inherent problem of the cluster-api approach. It can be circumvented by using an extra cluster to manage workload clusters. - -In the current form of this approach firewalls and therefore the firewall egress and ingress rules are managed by the cluster operators that manage the cluster-api resources. -Hence it will not be possible to gain a fine-grained control over every cluster operator's choices from a central ruleset at the level of metal-stack firewalls. -In case this control surfaces as a requirement, it would need to be implemented in a firewall external to metal-stack. - -## Roadmap - -In general this proposal is not thought to be implemented in one batch. Instead an incremental approach is required. - -1. Enhance firewall-controller - - - Reduce coupling between controllers - - Introduce controller config - - Abstract module to write into distinct nftable rules for every controller - - Implement `sources.static`, but not `sources.metal` - - GEPM should set `FirewallDeployment.spec.template.spec.userdataContents` - -2. Allow Cluster API to use the FCM with static ruleset - - - Add `firewall.metal-stack.io/paused` annotation (managed by CAPMS during `clusterctl move`, theoretically useful for Gardener shoot migration as well to avoid shallow deletion). - - Reconcile multiple `FirewallDeployment` resources across multiple namespaces. For Gardener the old behavior of reconciling only one namespace should persist. - - Allow setting the `firewall.metal-stack.io/no-controller-connection` annotation through the `FirewallDeployment` (either through the template or inheritance). - - Add `MetalStackCluster.spec.firewallTemplate`. - - Make `MetalStackCluster.spec.nodeNetworkID` optional if `spec.firewallTemplate` given. - -3. Add `sources.metal` as configuration option. - - - Allow updates of firewall rules in the metal-apiserver. - - Depends on [MEP-4](../MEP4/README.md) metal-apiserver progress - -4. Potentially migrate the GEPM to use `sources.metal` diff --git a/versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP16/firewall-for-capms-overview.drawio b/versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP16/firewall-for-capms-overview.drawio deleted file mode 100644 index faea3e3d..00000000 --- a/versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP16/firewall-for-capms-overview.drawio +++ /dev/null @@ -1,4 +0,0 @@ - - - -
handles traffic
Firewall
Firewall Controller
node-exporter
nftables-exporter
droptailer-client
Workload Cluster
droptailer
Configures
Bootstrap or Management Cluster
reconcile
configures
reconcile
Cluster API Provider metal-stack
Metal Stack Cluster CRD
Firewall Deployment CRD
Firewall CRD
Firewall Set CRD
rec
reconcile
reconcile
Firewall Controller Manager
Metal Stack Machine CRD
manages
Admin
Kubeconfig FirewallMonitor
FirewallMonitor CRD
main metal-api
Firewall entity
kubeconfig CWNP
Clusterwide Network Policy CRD
base config
controllerConfig
user-defined
network rules
reports firewall
state
send firewall log lines
controllerConfig
controllerConfig
 \ No newline at end of file diff --git a/versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP16/firewall-for-capms-overview.svg b/versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP16/firewall-for-capms-overview.svg deleted file mode 100644 index 853f8175..00000000 --- a/versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP16/firewall-for-capms-overview.svg +++ /dev/null @@ -1 +0,0 @@ -
handles traffic
handles traffic
Firewall
Firewall
Firewall Controller
Firewall Controller
node-exporter
node-exporter
nftables-exporter
nftables-exporter
droptailer-client
droptailer-client
Workload Cluster
Workload Cluster
droptailer
droptailer
Configures
Configures
Bootstrap or Management Cluster
Bootstrap or Management Cluster
reconcile
reconcile
configures
configures
reconcile
reconcile
Cluster API Provider metal-stack
Cluster API Provider...
Metal Stack Cluster CRD
Metal Stack Cluster...
Firewall Deployment CRD
Firewall Deployment...
Firewall CRD
Firewall CRD
Firewall Set CRD
Firewall Set CRD
rec
rec
reconcile
reconcile
reconcile
reconcile
Firewall Controller Manager
Firewall Controller...
Metal Stack Machine CRD
Metal Stack Machine...
manages
manages
Admin
Admin
Kubeconfig FirewallMonitor
Kubeconfig FirewallMonitor
FirewallMonitor CRD
FirewallMonitor CRD
main metal-api
main metal-api
Firewall entity
Firewall entity
kubeconfig CWNP
kubeconfig CWNP
Clusterwide Network PolicyCRD
Clusterwide Network...
base config
base config
controllerConfig
controllerConfig
user-defined
network rules
user-defined...
reports firewall
state
reports firewall...
send firewall log lines
send firewall log lines
controllerConfig
controllerConfig
controllerConfig
controllerConfigText is not SVG - cannot display \ No newline at end of file diff --git a/versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP17/README.md b/versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP17/README.md deleted file mode 100644 index 35f48970..00000000 --- a/versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP17/README.md +++ /dev/null @@ -1,61 +0,0 @@ ---- -slug: /MEP-17-global-network-view -title: MEP-17 -sidebar_position: 17 ---- - -# Global Network View - -> [!IMPORTANT] -> This MEP assumes the implementation of the metal-apiserver as described by [MEP-4](../MEP4/README.md) which is currently work in progress. - -Having a complete view of the network topology is useful when working with deployments or troubleshooting connectivity issues. -Currently, the API doesn't know of any other switches than the leaf switches. -Information about all other switches and their connections must be gathered from Ansible inventories or by accessing the switches via SSH. -Documentation of each partition's network must be kept in-sync with all changes made to the deployment or cabling. -We would like to expand the API's knowledge of the network to the entire underlay including inter-switch connections as well as BGP statistics and health status. - -## Switch Types - -Registering a switch at the API is done by the metal-core. -Apart from that, it also reconciles port and FRR configuration to adapt to the machine provisioning cycle. -This reconfiguration is only necessary on the leaf switches. -To allow deploying the metal-core on other switches than leaves we need a way of telling it what type of switch it is running on so it can act accordingly. -On any non-leaf switches it will only register the switch and report statistic but not change any configuration. -Supported switch types are - -- `leaf` -- `spine` -- `exit` -- `mgmtleaf` -- `mgmtspine` - -## Network Topology - -All switches should periodically report their LLDP neighbors and port configuration. -This information can be used to quickly identify common network issues, like MTU mismatch or the like. -Ideally, there would be some graphical representation of the network topology containing only the most important information for a quick overview. -It should contain all switches and machines as nodes and all connections as edges of a graph. -Ports, VRFs, and maybe also IPs should be associated with a connection. - -Apart from the topology graph, there should be a way to display more detailed information about both ports of a connection, like - -- MTU -- speed -- IP -- UP/DOWN status -- VRF -- VLAN -- whether it participates in a BGP session - -## BGP Announcements - -The metal-core should collect all routes it knows about and send them to the API along with a timestamp. -Reported routes should be stored to a redis database along with the switch that reported them and the timestamp of the last time they were reported. -An expiration threshold should be defined and all expired routes should be cleaned up periodically. -Whenever new routes are reported they get merged into the existing ones by the strategy: - -- when new, just add -- when existing, update `last_announced` timestamp - -By querying the BGP announcements we can find out whether an allocated IP is still in use. diff --git a/versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP18/autonomous-control-plane-images/ha-initial-cluster.drawio b/versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP18/autonomous-control-plane-images/ha-initial-cluster.drawio deleted file mode 100644 index eafcb514..00000000 --- a/versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP18/autonomous-control-plane-images/ha-initial-cluster.drawio +++ /dev/null @@ -1,535 +0,0 @@ - - - - - - - - - - - - - - - - - - - 1 - - - - - 2 - - - - - 3 - - - - - 4 - - - - - 5 - - - - - 6 - - - - - 7 - - - - - 8 - - - - - 9 - - - - - 10 - - - - - 11 - - - - - 12 - - - - - - - - - - - - - -
-
-
- internet-router-management -
-
-
- - - internet-router-management - - - - - - - - - - - - - -
-
-
- management-switch-and-server -
-
-
- - - management-switch-and-server - - - - - - - - - - - - - -
-
-
- spine01 -
-
-
- - - spine01 - - - - - - - - - - - - - -
-
-
- leaf01 -
-
-
- - - leaf01 - - - - - - - - - - - - - -
-
-
- leaf02 -
-
-
- - - leaf02 - - - - - - - - - - - - - - - - - -
-
-
- - mirocloud (initial cluster partition nodes) - -
-
-
- - - mirocloud (initial cluster... - - - - - - - - - - - - - - - - - -
-
-
- - Initial cluster node 01 - -
-
-
- - - Initial cluster node 01 - - - - - - - - - - - - - - - - - 1 - - - - - 2 - - - - - 3 - - - - - 4 - - - - - 5 - - - - - 6 - - - - - 7 - - - - - 8 - - - - - 9 - - - - - 10 - - - - - 11 - - - - - 12 - - - - - - - - - - - - - -
-
-
- internet-router-management -
-
-
- - - internet-router-management - - - - - - - - - - - - - -
-
-
- management-switch-and-server -
-
-
- - - management-switch-and-server - - - - - - - - - - - - - -
-
-
- spine02 -
-
-
- - - spine02 - - - - - - - - - - - - - -
-
-
- leaf03 -
-
-
- - - leaf03 - - - - - - - - - - - - - -
-
-
- leaf04 -
-
-
- - - leaf04 - - - - - - - - - - - - - - - - - -
-
-
- - Initial cluster node 02 - -
-
-
- - - Initial cluster node 02 - - - - - - - - - - - - - - - - - -
-
-
- - Initial cluster node 03 - -
-
-
- - - Initial cluster node 03 - - - - - - - - - - - - - - - - - -
-
-
- - mirocloud (initial cluster partition nodes) - -
-
-
- - - mirocloud (initial cluster... - - - - - - - - - - Text is not SVG - cannot display - - - - diff --git a/versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP18/autonomous-control-plane-images/ha-initial-cluster.svg b/versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP18/autonomous-control-plane-images/ha-initial-cluster.svg deleted file mode 100644 index 99261ada..00000000 --- a/versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP18/autonomous-control-plane-images/ha-initial-cluster.svg +++ /dev/null @@ -1 +0,0 @@ -123456789101112
internet-router-management
internet-router-management
management-switch-and-server
management-switch-and-server
spine01
spine01
leaf01
leaf01
leaf02
leaf02
mirocloud (initial cluster partition nodes)
mirocloud (initial cluster...
Initial cluster node 01
Initial cluster node 01123456789101112
internet-router-management
internet-router-management
management-switch-and-server
management-switch-and-server
spine02
spine02
leaf03
leaf03
leaf04
leaf04
Initial cluster node 02
Initial cluster node 02
Initial cluster node 03
Initial cluster node 03
mirocloud (initial cluster partition nodes)
mirocloud (initial cluster...Text is not SVG - cannot display \ No newline at end of file diff --git a/versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-autonomous-control-plane-full.drawio b/versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-autonomous-control-plane-full.drawio deleted file mode 100644 index aae8a12d..00000000 --- a/versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-autonomous-control-plane-full.drawio +++ /dev/null @@ -1,1133 +0,0 @@ - - - - - - - - - - - - - - - - - - - -
-
-
- Initial Cluster -
-
-
- - - Initial Cluster - - - - - - - - - - - - - - - - - - -
-
-
- metal-roles -
-
-
- - - metal-roles - - - - - - - - - - - -
-
-
- CI -
-
-
- - - CI - - - - - - - - - - - -
-
-
- K3s Standalone - - - (on Debian) - - -
-
-
- - - K3s Standalone (on Debian) - - - - - - - - - - - - - - - - - - - - - -
-
-
- Initial Partition -
-
-
- - - Initial Partition - - - - - - - - - - - - - - - - - -
-
-
- Target Cluster for metal-stack -
-
-
- - - Target Cluster for metal-stack - - - - - - - - - - - - - - - - - -
-
-
- Metal Control Plane -
-
-
- - - Metal Control Plane - - - - - - - - - - - - - - - -
-
-
- provisions -
-
-
- - - provisions - - - - - - - - - - - - - - - - - -
-
-
- Target Cluster for Gardener -
-
-
- - - Target Cluster for Gardener - - - - - - - - - - - - - - -
-
-
- Gardener Control Plane -
-
-
- - - Gardener Control Plane - - - - - - - - - - - - - - - - - - - - - -
-
-
- Monitoring -
-
-
- - - Monitoring - - - - - - - - - - - - - - - - - - - - -
-
-
- Target Partition -
-
-
- - - Target Partition - - - - - - - - - - - - - - -
-
-
- Gardener Seeds and End-User Shoots -
-
-
- - - Gardener Seeds and End-User Shoots - - - - - - - - - - - - - - - -
-
-
- provisions -
-
-
- - - provisions - - - - - - - - - - - - -
-
-
- metal-roles -
-
-
- - - metal-roles - - - - - - - - - - - -
-
-
- CI -
-
-
- - - CI - - - - - - - - - - - - -
-
-
- metal-roles -
-
-
- - - metal-roles - - - - - - - - - - - - - - -
-
-
- ETCD can be clustered or standalone, backed up by sidecar -
-
-
- - - ETCD can be clustere... - - - - - - - - - - - - - - -
-
-
- This data will get lost in case local PV gets deleted -
-
-
- - - This data will get l... - - - - - - - - - - - - - - -
-
-
- We can work with local PVs here, too. -
- backup-restore-sidecar for metal-stack databases, for big ones Postgres clustered. -
-
-
- - - We can work with local PVs he... - - - - - - - - - - - -
-
-
- ETCD will be deployed in HA configuration on local PVs. -
-
- csi-driver-lvm needs to implement auto deletion of orphaned PVs. -
-
- Seed metrics get lost, but they report to the monitoring in the Metal Control Plane Shoot. -
-
-
- - - ETCD will be deployed in HA c... - - - - - - - - - - - - - - -
-
-
- More sophisticated storage solutions can be in place. -
-
- (Lightbits, NetApp, ...) -
-
-
- - - More sophisticated storage so... - - - - - - - - - - - - - - -
-
-
- TODO: Evaluate how to persist these metrics. -
-
-
- - - TODO: Evaluate how to persist... - - - - - - - - - - - - - - -
-
-
- - 1 VM or -
- -
- - - 3 Bare Metal Machines - - -
-
-
-
- - - 1 VM or... - - - - - - - - - - - - - - - - - - -
-
-
- metal-stack -
-
-
- - - metal-stack - - - - - - - - - - - -
-
-
- metal-api -
-
-
- - - metal-api - - - - - - - - - - - -
-
-
- metal-db -
-
-
- - - metal-db - - - - - - - - - - - -
-
-
- ipam-db -
-
-
- - - ipam-db - - - - - - - - - - - -
-
-
- masterdata-db -
-
-
- - - masterdata-db - - - - - - - - - - - -
-
-
- headscale-db -
-
-
- - - headscale-db - - - - - - - - - - - -
-
-
- auditing-db -
-
-
- - - auditing-db - - - - - - - - - - - -
-
-
- nsqd -
-
-
- - - nsqd - - - - - - - - - - - - - - - -
-
-
- Gardener -
-
-
- - - Gardener - - - - - - - - - - - - - - -
-
-
- Virtual Garden -
-
-
- - - Virtual Garden - - - - - - - - - - - -
-
-
- Gardener Control Plane -
-
-
- - - Gardener Control Plane - - - - - - - - - - - -
-
-
- gardenlet -
-
-
- - - gardenlet - - - - - - - - - - - -
-
-
- Garden etcd -
-
-
- - - Garden etcd - - - - - - - - - - - -
-
-
- Prometheus -
-
-
- - - Prometheus - - - - - - - - - - - - - - - -
-
-
- Monitoring -
-
-
- - - Monitoring - - - - - - - - - - - - - - -
-
-
- - Gitlab - -
- - Runner - -
-
-
-
- - - Gitlab... - - - - - - - - - - - - - - -
-
-
- Services -
-
-
- - - Services - - - - - - - - - - - -
-
-
- PowerDNS -
-
-
- - - PowerDNS - - - - - - - - - - - -
-
-
- boulder -
-
-
- - - boulder - - - - - - - - - - - -
-
-
- NTP -
-
-
- - - NTP - - - - - - - - - - - -
-
-
- OIDC -
-
-
- - - OIDC - - - - - - - - - - - -
-
-
- ... -
-
-
- - - ... - - - - - - - - - - Text is not SVG - cannot display - - - - diff --git a/versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-autonomous-control-plane-full.svg b/versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-autonomous-control-plane-full.svg deleted file mode 100644 index e58e783b..00000000 --- a/versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-autonomous-control-plane-full.svg +++ /dev/null @@ -1 +0,0 @@ -
Initial Cluster
Initial Cluster
metal-roles
metal-roles
CI
CI
K3s Standalone(on Debian)
K3s Standalone (on Debian)
Initial Partition
Initial Partition
Target Cluster for metal-stack
Target Cluster for metal-stack
Metal Control Plane
Metal Control Plane
provisions
provisions
Target Cluster for Gardener
Target Cluster for Gardener
Gardener Control Plane
Gardener Control Plane
Monitoring
Monitoring
Target Partition
Target Partition
Gardener Seeds and End-User Shoots
Gardener Seeds and End-User Shoots
provisions
provisions
metal-roles
metal-roles
CI
CI
metal-roles
metal-roles
ETCD can be clustered or standalone, backed up by sidecar
ETCD can be clustere...
This data will get lost in case local PV gets deleted
This data will get l...
We can work with local PVs here, too.
backup-restore-sidecar for metal-stack databases, for big ones Postgres clustered.
We can work with local PVs he...
ETCD will be deployed in HA configuration on local PVs.

csi-driver-lvm needs to implement auto deletion of orphaned PVs.

Seed metrics get lost, but they report to the monitoring in the Metal Control Plane Shoot.
ETCD will be deployed in HA c...
More sophisticated storage solutions can be in place.

(Lightbits, NetApp, ...)
More sophisticated storage so...
TODO: Evaluate how to persist these metrics.
TODO: Evaluate how to persist...
1 VM or
3 Bare Metal Machines
1 VM or...
metal-stack
metal-stack
metal-api
metal-api
metal-db
metal-db
ipam-db
ipam-db
masterdata-db
masterdata-db
headscale-db
headscale-db
auditing-db
auditing-db
nsqd
nsqd
Gardener
Gardener
Virtual Garden
Virtual Garden
Gardener Control Plane
Gardener Control Plane
gardenlet
gardenlet
Garden etcd
Garden etcd
Prometheus
Prometheus
Monitoring
Monitoring
Gitlab
Runner
Gitlab...
Services
Services
PowerDNS
PowerDNS
boulder
boulder
NTP
NTP
OIDC
OIDC
...
...Text is not SVG - cannot display \ No newline at end of file diff --git a/versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-chain.drawio b/versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-chain.drawio deleted file mode 100644 index cd5cf007..00000000 --- a/versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-chain.drawio +++ /dev/null @@ -1,404 +0,0 @@ - - - - - - - - - - -
-
-
- Partition 1 -
-
-
- - - Partition 1 - - - - - - - -
-
-
- seeds -
-
-
- - - seeds - - - - - - - -
-
-
- shoots -
-
-
- - - shoots - - - - - - - - - -
-
-
- Partition 2 -
-
-
- - - Partition 2 - - - - - - - -
-
-
- seeds -
-
-
- - - seeds - - - - - - - -
-
-
- shoots -
-
-
- - - shoots - - - - - - - - - -
-
-
- Partition 3 -
-
-
- - - Partition 3 - - - - - - - -
-
-
- seeds -
-
-
- - - seeds - - - - - - - -
-
-
- shoots -
-
-
- - - shoots - - - - - - - - - -
-
-
- Production Control Plane -
-
-
- - - Production Control Plane - - - - - - - -
-
-
- metal-stack -
- kubernetes cluster -
-
-
- - - metal-stack... - - - - - - - -
-
-
- gardener -
- kubernetes cluster -
-
-
- - - gardener... - - - - - - - -
-
-
- - Manages - -
-
-
- - - Manages - - - - - - - - - - - -
-
-
- Control Plane Partition -
-
-
- - - Control Plane Partition - - - - - - - - -
-
-
- backup of stateful sets -
-
-
- - - backup of stateful sets - - - - - - - - - -
-
-
- bare metal machine -
-
-
- - - bare metal machine - - - - - - - -
-
-
- metal-stack -
- and -
- gardener -
- kubernetes cluster -
- running in kind -
-
-
- - - metal-stack... - - - - - - - -
-
-
- - Manages - -
-
-
- - - Manages - - - - - - - - -
-
-
- S3 -
-
-
- - - S3 - - - - - - - -
-
-
- Needle -
-
-
- - - Needle - - - - - - -
-
-
- - Nail - -
-
-
- - - Nail - - - - - - - - - Text is not SVG - cannot display - - - - \ No newline at end of file diff --git a/versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-chain.svg b/versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-chain.svg deleted file mode 100644 index 8f88ba14..00000000 --- a/versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-chain.svg +++ /dev/null @@ -1 +0,0 @@ -
Partition 1
Partition 1
seeds
seeds
shoots
shoots
Partition 2
Partition 2
seeds
seeds
shoots
shoots
Partition 3
Partition 3
seeds
seeds
shoots
shoots
Production Control Plane
Production Control Plane
metal-stack
kubernetes cluster
metal-stack...
gardener
kubernetes cluster
gardener...
Manages
Manages
Control Plane Partition
Control Plane Partition
backup of stateful sets
backup of stateful sets
bare metal machine
bare metal machine
metal-stack
and
gardener
kubernetes cluster
running in kind
metal-stack...
Manages
Manages
S3
S3
Needle
Needle 
Nail
NailText is not SVG - cannot display \ No newline at end of file diff --git a/versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP18/autonomous-control-plane-images/small-initial-cluster.drawio b/versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP18/autonomous-control-plane-images/small-initial-cluster.drawio deleted file mode 100644 index a75ee340..00000000 --- a/versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP18/autonomous-control-plane-images/small-initial-cluster.drawio +++ /dev/null @@ -1,234 +0,0 @@ - - - - - - - - - - - - - - - - - - - 1 - - - - - 2 - - - - - 3 - - - - - 4 - - - - - 5 - - - - - 6 - - - - - 7 - - - - - 8 - - - - - 9 - - - - - 10 - - - - - 11 - - - - - 12 - - - - - - - - - - - - - -
-
-
- internet-router-management -
-
-
- - - internet-router-management - - - - - - - - - - - - - -
-
-
- management-switch-and-server -
-
-
- - - management-switch-and-server - - - - - - - - - - - - - -
-
-
- leaf01 -
-
-
- - - leaf01 - - - - - - - - - - - - - -
-
-
- leaf02 -
-
-
- - - leaf02 - - - - - - - - - - - - - - - - - -
-
-
- Initial cluster node -
-
-
- - - Initial cluster node - - - - - - - - - - - - - - - - - -
-
-
- mirocloud (initial cluster partition nodes) -
-
-
- - - mirocloud (initial cluster... - - - - - - - - - - Text is not SVG - cannot display - - - - diff --git a/versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP18/autonomous-control-plane-images/small-initial-cluster.svg b/versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP18/autonomous-control-plane-images/small-initial-cluster.svg deleted file mode 100644 index a9d29f05..00000000 --- a/versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP18/autonomous-control-plane-images/small-initial-cluster.svg +++ /dev/null @@ -1 +0,0 @@ -123456789101112
internet-router-management
internet-router-management
management-switch-and-server
management-switch-and-server
leaf01
leaf01
leaf02
leaf02
Initial cluster node
Initial cluster node
mirocloud (initial cluster partition nodes)
mirocloud (initial cluster...Text is not SVG - cannot display \ No newline at end of file diff --git a/versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP2/README.md b/versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP2/README.md deleted file mode 100644 index c7f2360a..00000000 --- a/versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP2/README.md +++ /dev/null @@ -1,7 +0,0 @@ ---- -slug: /MEP-2-two-factor-authentication -title: MEP-2 -sidebar_position: 2 ---- - -# Two Factor Authentication diff --git a/versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP3/README.md b/versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP3/README.md deleted file mode 100644 index 5ce36721..00000000 --- a/versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP3/README.md +++ /dev/null @@ -1,67 +0,0 @@ ---- -slug: /MEP-3-machine-re-installation -title: MEP-3 -sidebar_position: 3 ---- - -# Machine Re-Installation - -In the current metal-api only machine installations are possible, performing a machine upgrade is only possible by creating a new machine and delete the old one. -This has the drawback that in case a lot of data is stored on the local disks, a full restore of the original data must be performed. - -To prevent this, we will introduce a new metal-api endpoint to reinstall the machine with a new image, _without_ actually deleting the data stored on the additional hard disks. - -Storage is a difficult task to get right and reliable. A short analysis of our different storage requirements lead to 3 different scenarios. - -- Storage for the etcd pvs in the seed cluster of every partition. - This is the most important storage in our setup because these etcd pods serve as configuration backend for all customer kubernetes clusters. If they fail, the cluster is down. However gardener deploys a backup and restore sidecar into the etcd pod of every customer kubernetes control plane, and if this sidecar detects a corrupt or missing etcd database file(s) it starts automatic restore from the configured backup location. This will take some minutes. If for example a node dies, and gardener creates a new node instead, the csi-lvm created pv is not present on that node. Kubernetes will not schedule the missing etcd pod on this node because it has a local PV configured and is therefore tainted to run only on that node. To let kubernetes create that pod anyhow, someone has to either remove the taint, or delete the pod. If this is done, the pod starts and the restore of the etcd data can start as well. You can see this is a bit too complicated and will take the customer cluster down for a while (not measured yet but in the range of 5-10 minutes). -- Storage in customer clusters. - This was not promised in 2020. We have a intermediate solution with the provisioning of csi-lvm by default into all customer clusters. Albeit this is only local storage and will get deleted if a node dies. -- S3 Storage. - We have two possibilities to cope with storage: - - In place update of the OS with a daemonset - This will be fast and simple, but might fail because the packages being installed are broken right now, or a filesystem gets full, or any other failure you can think of during a os update. Another drawback is that metal-api does not reflect the updated os image. - - metal-api get a machine reinstall endpoint - With this approach we leverage from existing and already proven mechanisms. Reinstall must keep all data except the sata-dom. Gardener currently is not able to do an update with this approach because it can only do `rolling` updates. Therefore a additional `osupdatestrategy` has to be implemented for metal and other providers in gardener to be able to leverage the metal reinstall on the same machineID approach. - -If reinstall is implemented, we should focus on the same technology for all scenarios and put ceph via rook.io into the kubernetes clusters as additional StorageClass. It has to be checked whether to use the raw disk or a PV as the underlay block device where ceph stores its data. - -## API and behavior - -The API will get an new endpoint "reinstall" this endpoint takes two arguments: - -- machineID -- image - -No other aspects of the machine can be modified during the re-installation. All data stored in the existing allocation will be preserved, only the image will be modified. -Once this endpoint was called, the machine will get a `reboot` signal with the boot order set to PXE instead of HDD and the network interfaces on the leaf are set to PXE as well. Then the normal installation process starts: - -- unchanged: PXE boot with metal-hammer -- changed: metal-hammer first checks with the machineID in the metal-api (through metal-core) if there is already a allocation present -- changed: if a allocation is present and the allocation has set `reinstall: true`, wipe disk is only executed for the root disk, all other disks are untouched. -- unchanged: the specified image is downloaded and burned, `/install.sh` is executed -- unchanged: successful installation is reported back, network is set the the vrf, boot order is set to HDD. -- unchanged: distribution kernel is booted via kexec - -We can see that the `allocation` requires one additional parameter: `reinstall` and metal-hammer must check for already existing allocation at an earlier stage. - -Components which requires modifications (first guess): - -- metal-hammer: - - check for allocation present earlier - - evaluation of `reinstall` flag set - - wipe of disks depends on that flag - - Bonus: move configuration of disk layout and primary disk detection algorithm (PDDA) from metal-hammer into metal-api. - metal-api **MUST** reject reinstallation if the disk found by PDDA does not have the `/etc/metal` directory! -- metal-core: - - probably nothing -- metal-api: - - new endpoint `/machine/reinstall` - - add `Reinstall bool` to data model of `allocation` - - make sure to reset `Reinstall` after reinstallation to prevent endless reinstallation loop -- metalctl: - - implement `reinstall` -- metal-go: - - implement `reinstall` -- gardener (longterm): - - add the `OSUpgradeStrategy` `reinstall` diff --git a/versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP4/README.md b/versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP4/README.md deleted file mode 100644 index 389a02d4..00000000 --- a/versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP4/README.md +++ /dev/null @@ -1,211 +0,0 @@ ---- -slug: /MEP-4-multi-tenancy-for-the-metal-api -title: MEP-4 -sidebar_position: 4 ---- - -# Multi-Tenancy for the metal-api -:::info -This document is work in progress. -::: - -In the past we decided to treat the metal-api as a "low-level API", i.e. the API does not specifically deal with projects and tenants. A user with editor access can for example assign machines to every project he desires, he can see all the machines available and can control them. We tried to keep the metal-api code base as small as possible and we added resource scoping to a "higher-level APIs". From there, a user would be able to only see his own clusters and IP addresses. - -As time passed metal-stack has become an open-source project and people are willing to adopt. Adopters who want to put their own technologies on top of the metal-stack infrastructure don't have those "higher-level APIs" that we implemented closed-source for our user base. So, external adopters most likely need to implement resource scoping on their own. - -Introducing multi-tenancy to the metal-api is a serious chance of making our product better and more successful as it opens the door for: - -- Becoming a "fully-featured" API -- Narrowing down attack surfaces and possibility of unintended resource modification produced by bugs or human errors -- Discouraging people to implement their own scoping layers in front of the metal-stack -- Gaining performance through resource scopes -- Letting untrusted / third-parties work with the API - -## Requirements - -These are some general requirements / higher objectives that MEP-4 has to fulfill. - -- Should be able to run with mini-lab without requiring to setup complex auth backends (dex, LDAP, keycloak, ...) - - Simple to start with, more complex options for production setups -- Fine-grained access permissions (every endpoint maps to a permission) -- Tenant scoping (disallow resource access to resources of other tenants) -- Project scoping (disallow resource access to resources of other projects) -- Access tokens in self-service for technical user access - -## Implementation - -We gathered a lot of knowledge while implementing a multi-tenancy-capable backend for metalstack.cloud. The goal is now to use the same technology and adopt that to the metal-api, this includes: - -- gRPC in combination with connectrpc -- OPA for making auth decisions -- REST HTTP only for OIDC login flows - -### API Definitions - -The API definitions should be located on a separate Github repository separate from the server implementation. The proposed repository location is: https://github.com/metal-stack/api. - -This repository contains the `proto3` specification of the exposed metal-stack api. This includes the messages, simple validations, services and the access permission to these services. The input parameters for the authorization in the backend are generated from the `proto3` annotations. - -Client implementations for the most relevant languages (go, python) are generated automatically. - -This api is divided into end-user and admin access at the top level. The proposed APIs are: - -- `metalstack.api.v2`: For end-user facing services -- `metalstack.admin.v2`: For operators and controllers which need access to unscoped entities - -The methods of the API can have different role scopes (and can be narrowed down further with fine-grained method permissions): - -- `tenant`: Tenant-scoped methods, e.g. project creation (tenant needs to be provided in the request payload) - - Available roles: VIEWER, EDITOR, OWNER -- `project`: Project-scoped methods, e.g. machine creation (tenant needs to be provided in the request payload) - - Available roles: VIEWER, EDITOR, OWNER -- `admin` Admin-scoped methods, e.g. unscoped tenant list or switch register - - Available roles: VIEWER, EDITOR - -And has methods with different visibility scopes: - -- `self`: Methods that only the logged in user can access, e.g. show permissions with the presented token -- `public`: Methods that do not require any specific authorization - -### API - -The API server implements the services defined in the API and validates access to a method using OPA with the JWT tokens passed in the requests. The server is implemented using the connectrpc.com framework. - -The API server implements the login flow through OIDC. After successful authentication, the API server derives user permissions from the OIDC provider and issues a new JWT token which is passed on to the user. The tokens including the permissions are stored in a redis compatible backend. - -With these tokens, users can create Access Tokens for CI/CD or other use cases. - -JWT Tokens can be revoked by admins and the user itself. - -### API Server - -Is put into a new github repo which implements the services defined in the `api` repository. It opens a `https` endpoints where the grpc (via connectrpc.com) and oidc services are exposed. - -### Migration of the Consumers - -To allow consumers to migrate to the `v2` API gradually, both apis, the new and the old, are deployed in parallel. In the control-plane both apis are deployed side-by-side behind the ingress. `api.example.com` is forwarded to `metal-api` and `metal.example.com` is forwarded to the new `metal-apiserver`. - -The api-server will talk to the existing metal-api during the process of migration services away to the new grpc api. - -The migration process can be done in the following manner: - -for each resource in the metal-api: - -- create a new proto3 based definition in the `api` repo. -- implement the business logic per service in the new `metal-apiserver` without calling the metal-api. -- clients must be able to talk to `v1` and `v2` backend in parallel -- Deprecate the already migrated service in the swagger route to notify the client that this route should not be used anymore. -- identify all consumers of this resource and replace them to use the grpc instead of the rest api -- move the business logic incl. the backend calls to ipam, metal-db, masterdata-api, nsq for this resource from the metal-api to the `metal-apiserver` - -We will migrate the rethinkdb backend implementation to a generic approach during this effort. - -- Try to enhance the generic rethinkdb interface with `project` scoped methods. - -There are a lot of consumers of metal-api, which need to be migrated: - -- ansible -- firewall-controller -- firewall-controller-manager -- gardener-extension-auth -- gardener-extension-provider-metal - - Do not point the secret bindings to a the shared provider secret in the seed anymore. Instead, use individual provider-secret containing project-scoped API access tokens in the Gardener project namespaces. -- machine-controller-manager-provider-metal -- metal-ccm -- metal-console -- metal-bmc -- metal-core -- metal-hammer -- metal-image-cache-sync -- metal-images -- metal-metrics-exporter -- metal-networker -- metalctl -- pixie - -## User Scenarios - -This section gathers a collection of workflows from the perspective of a user that we want to provide with the implementation of this proposal. - -### Machine Creation - -A regular user wants to create a machine resource. - -Requirements: Project was created, permissions are present - -- The user can see networks that were provided by the admin. - - ``` - $ metalctl network ls - ID NAME PROJECT PARTITION NAT SHARED PREFIXES IPS - internet Internet Network true false 212.34.83.0/27  ● - tenant-super-network-fra-equ01 Project Super Network fra-equ01 false false 10.128.0.0/14  ● - underlay-fra-equ01 Underlay Network fra-equ01 false false 10.0.0.0/16  ● - ``` - -- The user has to set the project scope first or provide `--project` flags for all commands. - ``` - $ metalctl project set 793bb6cd-8b46-479d-9209-0fedca428fe1 - You are now acting on project 793bb6cd-8b46-479d-9209-0fedca428fe1. - ``` -- The user can create the child network required for machine allocation. - ``` - $ metalctl network allocate --partition fra-equ01 --name test - ``` -- Now, the user sees his own child network. - ``` - $ metalctl network ls - ID NAME PROJECT PARTITION NAT SHARED PREFIXES IPS - internet Internet Network true false 212.34.83.0/27  ● - tenant-super-network-fra-equ01 Project Super Network fra-equ01 false false 10.128.0.0/14  ● - └─╴08b9114b-ec47-4697-b402-a11421788dc6 test 793bb6cd-8b46-479d-9209-0fedca428fe1 fra-equ01 false false 10.128.64.0/22  ● - underlay-fra-equ01 Underlay Network fra-equ01 false false 10.0.0.0/16  ● - ``` -- The user does not see any machines yet. - ``` - $ metalctl machine ls - ``` -- The user can create a machine. - ``` - $ metalctl machine create --networks internet,08b9114b-ec47-4697-b402-a11421788dc6 --name test --hostname test --image ubuntu-20.04 --partition fra-equ01 --size c1-xlarge-x86` - ``` -- The machine will now be provisioned. - ``` - $ metalctl machine ls - ID LAST EVENT WHEN AGE HOSTNAME PROJECT SIZE IMAGE PARTITION - 00000000-0000-0000-0000-ac1f6b7befb2 Phoned Home 20s 50d 4h test 793bb6cd-8b46-479d-9209-0fedca428fe1 c1-xlarge-x86 Ubuntu 20.04 20210415 fra-equ01 - ``` - -:::warning -A user **cannot** list all allocated machines for all projects. The user **must** always switch project context first and can only view the machines inside this project. Only admins can see all machines at once. -::: -### Scopes for Resources - -The admins / operators of the metal-stack should be able to provide _global_ resources that users are able to use along with their own resources. In particular, users can view and use _global_ resources, but they are not allowed to create, modify or delete them. - -:::info -When a project ID field is empty on a resource, the resource is considered _global_. -::: - -Where possible, users should be capable of creating their own resource entities. - -| Resource | User | Global | -| :----------------- | :--- | :----- | -| File System Layout | yes | yes | -| Firewall | yes | | -| Firmware | | yes | -| OS Image | | yes | -| Machine | yes | | -| Network (Base) | | yes | -| Network (Children) | yes | | -| IP | yes | | -| Partition | | yes | -| Project | yes | | -| Project Token | yes | | -| Size | | yes | -| Switch | | | -| Tenant | | yes | - -:::info -Example: A user can make use of the file system layouts provided by the admins, but can also create own layouts. Same applies for images. As soon as a user creates own resources, the user takes over the responsibility for the machine provisioning to succeed. -::: diff --git a/versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP5/README.md b/versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP5/README.md deleted file mode 100644 index 3b7fc45c..00000000 --- a/versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP5/README.md +++ /dev/null @@ -1,54 +0,0 @@ ---- -slug: /MEP-5-shared-networks -title: MEP-5 -sidebar_position: 5 ---- - -# Shared Networks - -## Why are shared networks needed - -For special purpose machines that serve shared services with performance critical workloads to all machines of a partition (like persistent storage) it would be good to have kind of a "shared network" that is easily accessible. -They do not necessarily need another firewall. This would avoid having two firewalls in the datapath between a machine in a private network and the machines of a shared service. - -## Constraints that need to hold - -- a shared network is usable from all machines that have a firewall in front, that uses it -- a shared network is only usable within a single partition (currently we are constrained in bandwidth and have no routing of 10.0.0.0/8 addresses btw. partitions and failure domain should be the partition but this constraint might get lifted in the future) -- networks may be marked as shared after network allocation (but there should be no way back from shared to unshared) -- neither machines nor firewalls may have multiple private, unshared networks configured -- machines must have a single primary network configured - - this might be a shared network - - OR a plain, unshared private network -- firewalls may participate in multiple shared networks -- machines can be allocated with a primary network using auto IP allocation or with `noauto` and a specific IP - -## Should shared networks be private - -**Alternative 1:** If we implemented shared networks by extending functions around plain, private networks we would not have to manage another CIDR (mini point) and it would be possible to create a k8s cluster with a private network, mark the network as `shared` and produce shared services from this k8s cluster. - -**Alternative 2:** If shared networks are implemented as first class networks we could customize the VRF and also accomplish an other goal of our roadmap: being able to create machines directly in an external network. - -Together with @majst01 and @Gerrit91 we decided to continue to implement **Alternative 1**. - -## Firewalls accessing a shared network - -Firewalls that access shared networks need to: - -- hide the private network behind an ip address of the shared network if the shared network was configured with `nat=true`. -- import the prefixes of the shared VRF to the private VRF and import the prefixes of the private VRF to the shared VRF so that the communication between the two is working in both directions. As long as no `nat=true` was set on the shared VRF, the original machine ips are visible in both communication directions. - -## Setup with shared networks and single consumer - -![Simple Setup](./shared.png) - -## Setup with single shared network and multiple consumers - -![Advanced Setup](./shared_advanced.png) - -## Getting internet access - -Machines contained in a shared network can access the internet with different scenarios: - -- if they have an own firewall: this is internet accessibility, as common (check whether all traffic gets routed through it!) -- if they don't have an own firewall, an external HTTP proxy is needed that has an endpoint exposed as Service Type NodePort diff --git a/versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP5/shared.drawio b/versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP5/shared.drawio deleted file mode 100644 index aa7af045..00000000 --- a/versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP5/shared.drawio +++ /dev/null @@ -1,121 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - \ No newline at end of file diff --git a/versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP5/shared.png b/versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP5/shared.png deleted file mode 100644 index b0b47f0324545ec159effc46f153a9b5b0c2450b..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 49790 zcmeEu1zc6x+V`OZ4ygiyBB6sIB@GAZ6lv*}?mBcygGj5CbV#RkNJt7wsURqVG@^t^ zNqy@e$3dOB@7#OmeZTwuzHi1k?!DGtYp?Y@&-y>PCqzL`5)XP73V}fIq^^nGfIv`T z5D1Di)(OzUv5?FQfpGOYimN+XyPB9=8AE8;MZaCqu(6ogIylm>i_x&L8M5)P>vM9j zF&T34a58b|bD1!~40#NgIC%_MdDyu)OpNr|!DC>IwXKo4iMg@Sw{dJNY%ENy;15ih zm6e8Fn4JauaB?!kSU5GmJ+E(SY;*JyPG%M`0i8PHNfB@*V{YT*3jTKG;nL&cxD2j@ z?d+_K)r<|K%^hjjBskf*nc2AzL!_@M%gWHOiGph@b4z3Jm!z?wr7dEJsI3vWmtbY) zWMO7S+?&B|tr0Ce?94389IPzt%&dnC7q>DtbcEa5fG!v_+u^fH`X>5t^J8y9Y|z+I z-}Kw&EG1oGcEYTR4h9aQcGpc+&3UZA3J}jY8^ayU!BmH|V`XRNV&+72u!{rg8ky^x z!u74eQ|3oRQqgl$V!Cc`p>Ja#%%2GIu|kp7m&)sgt>pvBS~2 zzm0UXwY73IxBIct(ALHVkn4vB_2F<^mmeQ9v9&tdbe6C%xa-5C1N%|9AipgF{Ksw{kk#o2H!62!jWB>;T*#`;e2^+Bt%wtpELeV8!3& z`|%y1`Ph5^9TpquJD44c1A^aw&exwLL0niuLL3H0AciaGJ31P}5%>cb%Yu*(#FCFm z2iM_0p#5)<4p!LzJ@Gg~w`1a=WCkSN2<%$*h6MNpZ2fn5@e`5%XO0^y+m8fgN8TSh zZ>&hf{<{wx(5DE39i!+k6g0Lm5=LM>5HA~B0BAn|6o5y#n>y%XVP@k5U5ED?hmv@7 zBZfc~1k@dNi6KA*ardW^=%^1jH3p{@VTT;?+t}y_HS#NP9itRdcN`}avJGx*rSE9& zd<4)(xcEnKb@T=WTk}ICL82y-F+T$%ata4qC%B>U(I`OH@7m?(iIDJlG!Z-U9y!rB z8vHWRA$oqt>%&DJHvI!Y<^KEl%l%LB*VxtE@ta&64g+@xsW_AaaQ(YbAa0N{@dFh8 zF|hrq*nFe?H?cX=BLBIP#D>(B|E?sladIfX%jXp@ZLJI!hFIPOj$Q3IKGYkf7 zY=qpigC7K}95Z`>?SW9i$84J)b=?uP97o`zCVeY&Q-p3a1OQ?T3?UJOC1VbZNa3Rn zYjYzbgmv|Y#?+7I)(;YfP?ASBF@V>907-w{bb=ik{%kBrz9JcL44^pvz;r?a3zAR& zis=OVQ;q|BOC#s(&TkH~W(1sW;yNMSxkNThx{u9T4w_-_&N2xpF&FTeW>KLOB>K=4ocUH>DL zWJjU}62AW@Dfz4Cr2sc~)^|iiSH9WSM<&}bO#ja(DJPPI|A3_bZMHS*ukOk(YVofc z*Z-95_3bTx5Cb@FBq2fQxRu0uBnAH=2KUe0<3Mr~i5Y*@;O0aE5K;_~_sEIhAoLFbhBt5uf;H z;PMcS4}%&=EItOZh(OryVU5E(1YN#Iz7&k%<{;3H@L>OO0PMJuKC&QwfZiiG{twa7 z?8uZ1QV5XYVWevPt2+7@>lb;hkrVxWIvOdb$8_}f@bR~k4I&x96#9P`ciH}eD*`)G zS%3G@Mxx3w?tG8(%NaYm*upJ=Pa=g(|NNd1LPnr~ijX)uILDlo|0)0l+~V&^wBu1I z(EdFS@OOry{ssVM{V9gQ#&x8!jsY+$$B_m-&ZfV^_eMl8z@Ou(gWo;I?|k|>X?LVI z5iCMR_y0K_eGgsy%p;_W{vXC8P8POr)d1gvg8#Ez`qi)hMNb+!!JWTnAdfkuhF1Cx z4(5me(y^%RpNj2&h(7vm`Xlub*OA4DR3rbgKKgm0KhZ}ZSEi3hrX$~Hhe#qhAjtN| zStWL)!aQ0q$B{z)J!AfD#^2LD|6B$LdCZQ%sf{gIpPaDruMqlci_+n9EaoO)h>boX zFXspcB@UpF0+i0MfU=8k=~o*hF#i_^p2ZRI?n4y#rehHh@(&T{po^J;r%Z~pj$!jD53Q>-%<->=M?veSt??&-a-~nk>|85W?Vh~7s_)jt9 zxarGwq|5$8a0O9abExl*jwu_@Q3?#nu)m5c9Ech=gw+4pM1O)SKx2Y3Fl0^5?`ZH3 zlD|k29y|KT1MXm_e|Ubs*CiqAU<|)i8zJgr;HCz206f7TM5W!atILQ+M81p#k)UBR z(YH3Y0=q$s0rTry+Z}eYvm+`|%#5v^jS=a(UwVF=M_7eSM-YSPK1wnor$6jA2lZNr zqD4eM%dw>$b~?iKZ5&L%qL9-gO1_TX4@^~~AK!j_xPiW*rRiY^o#`i{vmv4$M`Zu$ z`ghVBnLF570ZntbEOQ&H!&);WRjh0gQ2lMchy@|J3$6}pr_8PGY~haJCC6=Mgr@ig z-$2&B2?(<2>AytjA5%>KGs)aPg^|A=Ut&i>Ch{=;kp+$PaF4?^f;|YLAW#3l1lPYN z(Z5Z4OdlSD>m#E6fYpC!qJc5T;Q2UQBVhSYsrH`&v_G+go#k%=+FvI68-ezZqEX+D z(*FnAZ<^x&1MOinAHc?;R+{~*?*dd9U1gOPW1OdJyMX53DfuJLJpFAPGUF649$or#D*Vx4+Bxm&@5Gsh2n6R>| z?#E@VC#>2~0 zepGZb-i=Rf-fG+2O`M*MeQcV78EE8eI-6MQGR{BuEQvJg0`xX&_6;h_p~7Kiy~d;g zW&gV^=nPSumP3niSM+*+yL%foLud=yhShZEB_W0w3b)e4r#IEMV}(6~I$FfHPl|e3 z_qbFS`AP9dstO6vQSk4vx!$9viZUDwQE|K&WjHw!lRlz_;!EzqK)-n!BdNqkC}M4n zYSf)7>a_J>cerdWXuzgb37TGoVok@pVk3Uw#%9iHLR6hgcf0Y#QF0ilqNcuFzTJqA zH7%A}1vg#04CZfy#heU5MTK3`MFT%6+GG#LhzYyO>a*aYip>jPE*>vvMhWN}$SHa| z;)$5tR?b)~!>3cEH(NGQq1@y-Aw!zkK*sAz%QKUmk(9ID>h;b{5$CT4`S?H*RioYw zb%dWQ^VqbJN#uH-y_lgXMMawr?OspG0xPC{UKRFAiD-qV%WZ8I&t|+a90l#f&5=jO z(GTWsi^%2OcxX4#i~`ns-KO>$k=<>uQ2c0(vnMgg^Mxve^h=r2XzM+!Z@F?YX}_x3amZc5|RW?Ft6=^5ad4DytDc@lcZYo8#VUQBQ&&Z?LG| z6SnM37Y%07e}c~E^;KC%QbDu9wakykPrlJ}d*ah4Jdvk0_EXB|E=ooy+hiZ?EqklJ z*_sT!!eaHBE#G|FJ1M)|w4>G>#jvwo_!kkgW5iF;#>UROV0eQ6qvwucZ>CUEMrLM znJW@+E)aEvaGB3^Tv7%S8gP$Z^s_5Q1~J_E<7?mhmz4~j#j{>Z;weM*Wz=|-rc$7K zed}$lLjh?F(d8TH^5{i$i^C;q!)0$Dd#Gt#yL(CY&K+Wg3#x_cP+oPcGmdDhF6g&y z8@DAi6bdU>XX5k>0P(LSauvx&i9#%2m!?1ZD3iiR#-LV=i-K4z_6f=e|JeLfG}m)k zAKBrOzX>B_7ZJkWxz=nj@Se6#HC;%~@iN0EXC{z8lOz?gdpQh*MNzH6o{x;45>0!4 z8IY`TTQk9eq~n;c%|547$_{%FTxQrg8BBRgC2oP-ancwJhkRV`Q9LuHsr(@E;e7&Wy(DM;4D0M7H&^>S*jlNcW}eMG5gRq~Z5 zF$Y|5pIA*`Hx*jMLyIKy7cJ->$dn|WV37-^QmV92d6}z-Mk}9!UUKm! zOU;PpIf*W}t(EjUsrolLsIOnC62V7HBJ-4SA?$o2v@rWTacXOID!*yD=|JE{j$F~r z@G^d4dSwNa7q}cG(h-(kkSy*DpJISLg&2y>o=|X{ctq&WUpIRn{ka(R)V+%ZB1EM+ z0BGM--hGhaQ%?tI%FIq2atk^wCc;tMW(d%6^>tpHZ=yO%brAXKzEGW@OHqbr$Yw54 zWPn+NWh!uAWP%;Dt~%oUJs2!T3Xd1?of})ZZ(uVv3*(Gta(A{#2|xYHLu2DTpj56_ zbun*Lr0LMg!Q096;4ofu8rB?wPlelz)jhnSVrN;$53SB{@Zgtsi?BM`6;cR?C({Dm zG8IzJY{*rQ8Xc6xWj)%EiPu-Ek1C@Tnv(ox=xcOQC;1JT3bK)+S@igoN3mCQ>Xd2T zaeO$X$baE#V}J4KuCnS3xF9=FDu%NoF=cM~s9eJMN|*Zm?lEa`IgwJX39-teDN(Gv z?-Sj2-Aay&i@W}~S@dA5c@D+(*;pF~j*Q*Y-x7DpiUj$n)%$v%%S<<@2?_ahFSf~y zJyUFVK7mi3i$75Q4B8uzDEok;#UGR4<cxl$?vE#yEo`8e4`w;xnOFoYctJ~{O8dR+kgCQqQoS^TC zPFdZJ6x>&k5*|52fnH-Z!WNTu-#eC3BV(zxf&{z|-(KE?YmSqTa6nVgTB8&dR+amk zlbA0R20Gk`<~HiAQuC!Q>bK;4t_lxjC(sh?(nayvolo0gF*zEpqR4YguYY)@5|Nvy zl#`Dh=Xuk6bIgVQ{Us%~LiMr>JUOT32`){uIB+}2u-0?4$FfUZ687;iN+519?umuo zQ7zFeVsmF-rO_9=!aH3mD>5W6xR_7Ax6XP>pNC@w4t+K6 zxk1!bCQg%g5vcX9vxFGW@`Y-mTEF1H;L|=Su6JP>@rh5dU>H!MW}ug1B--x~D-BU- za>iTu+70H&Q(|zUV;K%Oa4$rO_TVv{uM6~FI2A8?r#73h+^;Wz9n;Z;6@`}CZ{fVz zUI^ASi!?9F9r5MR6q=+xS}Im-+A-}4mNMIPV(G2{_7p9Da?S7uoR%l*2Gq?y>APcV zwtX=OAh+DBFcyYRzs|V(@+5-nc(+kaRH(GO^hKV@3vB;J3ZMU)Zrp|iLyumY>%$bq zKW#VoH8T#V+aRAadvouF<>Huih`RbO7%}P30+nGu-%tH4RZtHl;$((Z*|hp>bR94h z2D4>D5qR->Zzw}NlrTyZ=M6SKW7yR$igPY~W_ULFz>`SXlMbC~E)is9VeL_=)J1uT>^9YOob(^n@!( zO3P%3h4kks(asbPQU@zsvpn4rWG^Z+|1_TR-40Mm3fSTcjhTTTTL}a!ES{e1vR?`o z)7-=b)RQLj+BNh?vYhykfLwHy$xlLwvr9Vq+nuf__c714U z1TflshtAYF=c^QuBqb-_Ov9uo7jU5;fC`@>nsOwaGc6kj;oX>kbZh!ynA zr}w6bW^yj}Q~;JwLx+0X-6;)9F|wjH0LAwEF>*f*MK+9%Nm0NBm58_kToy{}@foxjU$G2x4 zh#&c4+~-T+NWIp%QJYRT;fRrR0@hJ(^s&fq^~?LNcZtEcw>CyhEebr9rF)ZLuSmAL zE@6dR?V!S#kzGmlWz=0AL!Mae6?CgPFd`} zr8o*ELOnsEA7U#uw?KK&;jU*{l+Lb92+Sr-E;Lq5uPn=iG^58q>ud8=l-Yk8kXYCw z7E5#eKIFyK(%vGi>X$8^&&=DkH40x;+v>%vJ=M&1OnGL-==OP95%VkS$+;K?wNj@= zRj2D^GkdO|?UH$&UZUIzIZdl-y%J!MZ88z^jL$m3&;WWHSc>_KbE}i>N~)CEmaZEg zHEuuq$hQz5OFo-xa0fHOS4uXs{x%J59dYbVq7f8CIyBt zCsf=8H+L6b6=0?;Nyk%PV`1mMrmVJHQsnIOX}u^UESSFGVy7Tg3mCj zD+uG<)6q1!UL8PQCB*|AhC94c3B#uf3&$c8T1JMwb~f@}Bw}l#6V)ZfTli@VB{bYS z7%$cLzwXuI@rV-dEC*I}Lh@4n-p*zL5s|O2Z&%!vRMDYSp$Ji0DdUVxTdn)L1qO6`ZH}OKS#08_E^VFLt-W=%n1clX{iyG+1(Wl;5K{+Bad>%p z`bnMwEcbimhkQkm4tOqen+yvjn+gujGH-vv_P$}G8AJ$`7#OrKnP_1}7 zZ&ztE#*3jHhRrs+c42zuR>ds2;4N*9NODE6uJlJ0`Xq>TvE5_CSDX;U$T$xt4Q4a# zC66&r3@kpYX*Z8Qcu)O9vv4RD`@I*OVhU--0c20Zv3a>|-xc1yWi#>!!+U=_=g|We z=T5LT%UJRru91|=9k1<~IA~Q(YrbNp1bvFh_U9QWJeEl-yHIZT9=EM7q0RhVLqRg5 zXRZ{|UDSmGD&kb<_}wc+htmFllee9_^tGOSd`_AOc$Xh6Ncp*gX_|Ms-$2CfTB^X~ z?sk6tJuWEjYM2(4O> zi3{N2N9Me@3Pg6rs2b%akDURL1-AUj`-u zJ4{aBT#Cp}4~%~6vXnKK;X_B5n#YXxVEAYk)1c<5pR5B^bDUI zhMQ-)-b;05N`&+7gJ+(kFz1Hp5wV0KysZQ&vS7N2TBsNqd_LQNnI5v+htU^vLxLF^ zFAZ?S;dxG&1ks8ZMg}enyu%y5wetS`WcKH_nTv*8<%kJVbjT9vCdi;-*kFRso123B z6D?@=N^TwQ(TeU-;0X$j5jJJT<}9e#S$LbQ@gOmE>nRKlusoy7AZX)L&p>G2b&@-# zUjFeHJt8bb3`T<*>}z5PDh7pfaK8${B%mOIyP#wpfYzG`*Fl5qsGk%}IJ2b0ymtn} z3ZYrJlCxszsGv2)s3(KSVPE>3XqDVAL0>C@F&_DsH&21UkSQG@bys?#1@M1q5fKP` zC75AVmaJm4FW@_mf|dDoB0`J|ag;=A$+yY_8BK4MiR?7MVzr$uvJ4Rm$VBB5ji|}9 zQdZ6nLA|61-um0=%dLbMeCjBPRJ1HCQ8xManhy3ogb9YO2Qfok?;}XSImV{0*nA%v zfCHP%W}9i~NfYz61DXz7?Lr5i3{oHrGL{yjUnV>Y`14ZYYBbA;wz` zuydCb{srJ>K^1%z5PNzgB!<$b3YJ|yrzdd*8ZV4e5S3Y**I4g;a0`VU_eKX|Jtu+U zrk#B7lo&y1O=treST?)}`|i8jsJ%D9SdDJ!dIT}9V7&89GHAcEXFuH)9sMY=TlZ9t zml(<>BIdw9C+p4x<~q1chzdmGtl+I(m(8WI)7&wIrxcr8!Om7!FsNG3V92Biu}t4i z>_#uYEJ}#+5fN!S-+o^!1PF%`5mpd6*r>R-`LBF{!i~6N!Y!mY6`TDL+GERl)ooGu zLAOGtlrQzGIUb|O5=xshRRcNAZ-DW7(X=^-C3#j6M4`) z4|R^hl8h+M%-2-diQh5-b2|IR+Eyuxv8Q>o-OO2T0H%mt=aR3Tw+6U1(=T}Xc@;SO zmtIJT0*mnO%AnOW0G5y>n-n`0;1U(<)xsa<*W^88e}f8}O^`MXZ>xw}`_h*~%5KCM zLBZ!2cV)jNn9>VtS@oUSXjRBy-D}$RGWZU3_sTuPXK8`u#2wjaiBW7$-GmNfSrSSO zTRRx4%j$s$03I(}CWb0Emq~X%(LTdnGS=olPC;dx-r%e!n7%&zx_@+Lab>-ugw^{w zUwt*@C>{o!{8A;yZ%`f`6jRX%weY)J@4ra3g`NB|mc%Dc&tdt3jOop0X})aAvyjrM z6^yLw$;?ki$7-B02yWF!dIsJZ@%$9+@6n$jEH0y0NP4=`)t80C>fxVra0Jt0)QrPYI0zngtKd`A?mymMX|cVQ z^qWRN3f@;)lHQa6?|rurXPvJjg>=-$LYrK!SDdXpz2?a$+uZbYEE%R9&2-Ows@v$C z+lG$3HE|`@Yq}Nwa4iRWI)GML*?YXggq_3UeIR{h0s8odrBC%>>M}nHO*rr7Vps{u zt-$f+g9wuIn$0;{TG^}}HR)5On~9HI*JhcZL`*&>eQ(`f*JX6H7$VbfFlx_!l{j&R zhujTkw!I7GqW#880#^`|?5}Y$m)&EK+)AUI?Dk2tKxrZg!KTKo{jJUUfo$4$p?ehFD$K!X z_4qfJ7x?q7n{M5zaa?7Kwbsqwe|~G&MjZ#^4zZ8k_{kdA{R;*iw|(=S@-swB@bl$b z7z6vOEYCelZG`N|EsH1g^`L8|T#8HyOZ9FDFb~ZM+FH3oLz`cqTzm#Y%(s-tjDj`aSvm_fy4z^udZKr;p1xXbx)S*W+XDaByRhndIW1J65;D_jq%mI5T6 zztQilu#ac6;kl757kcVpQ=6VQzi{&xnh#&Ew>wPsGXEZ}&F#SJ3pvXvI+5WN`(2#tXrMiB2J&%3);j( zfdv#v?cXc&T!gnp9-!1!FZlYkLo=ijJ4j(SiEccU%43Ahe2(q>T+|aqFH6sn`&uE~ zX(aaH2T>(9Qzd3LT;;Fh28ZpS6o#-i!`0wQ^>HwCVH-j>(pSGIXt0j@wSd; zZs&APOoTKSa|h$zU4Ygd()&!t@s2#~{~L0io2EOhqb5=*u;mkVgN` z+-2D@9nM^}tIEZSdMG&33A>brqfaVpyf?W}CGgvVbZC|L>SCaoUc>vjng!HB1oL;4 z%?IhF@u}(hy$MyV`2z?hX@%mr@Dys)%>j(foClU{|0A)|(S|vq8(G&+Ke;<4n002~ z^$TPwoB2sl5rAM9Q{tIAMZJW}_bL56@lkn;_}MX#V|{bMTr zd$g_f5|=qP7f7t|9KN7(F-g$Rs!60)nx7(Y#@cgGia zzMePOaBU+)z1$LSFk9ZgDfQs|t`OyrDbHY*bY>wRdRUU10FE<(3ZweTDbsMtrH0y9 z{HVLAD=nCmbgmZ44;AfXp7+FEiRKm+Fg7nEx%c8lHKsuCK5Kqlu5bG}5^9alMlGx` z|2hJRY(}zyItR;F9lm3jWp*7RjG9d>=+n3#c?oHH;zXkF1`a$FSHp0sJo{3)>>3&` zLGy>?0>zC`IP{4?&ssv=aGT=2mA;<1`MF{F1y;im$LXhWl6w(RqORw-t@uca^aAeZ zDK(UH0cEpi?_}e#Y}Djv<3c{ZFUT1M*kg0p;5;JB@)t$ z)BPARm!-M39G40{d>Vgze$7-ypT^^9E>iCKc@0<&A6lPeCNtu$VHxm)=ltwh9PeU@`BjD)}nL6 z6JrhME$;UOzfjv(@aY&#vtZqFTnP4XvB_KQ)vMLn(+*CW>r16}i2az)WJ;_g8o^Be z+&V`-r6VduR53@<8Ur`hxASY$Y0r2YuzUa|~%GDh_RN2#HF-)&B`S^wPdL;3i*o&gGxGhnqxpn#4K&!j6JiN%zfQXTlq!FtSkFH^2?_h+d{I(~eA4i#=DmF{u5@r0=G_|E0h zTXP`_)N{*CshRNAq<9Wfnks8;Vsh7K0$%a+7aPv(Cb@^ubDnE<5xa@iwJ=;61JxC< zpN8Ctp^vmqRLzv?iGZqGyt2*EHsBw1Gd##EXz?<8Q^VU>cmwB(USspZa)kbqurxw! zU3TjySnH=`E#OTW?y_s7B>h;y4v(k_)6+KiyW0k5w{o`(#?Mw9_)&NX*QNaY#&E;{)<#&&xujmOlF26f(+LzKk z{q)`|(`v~`ik9^%>o-9lO-Oxf7erFaX%We;$#ISH6Z~c(_3uXeMs)p8;ISBY6R8n( zzed&q5PS63I+)&P)Ho%dDj>eUyKN7W%~^8Env5`z8_3m}hejFV@>P-JQ3o?Wz)g4* z;6uJtJXuV;WCJCIK~P@A(QgtmaeJ=p$R~xWml?EF=S2FQlTG&W7_(GW@~0pp6BZ)T}JhF&MI5& z@H1ETJ3a@p$DI4vvb-4sbWu;FpCS9A3UkKSTXVzbpxs~MDK_+%dy7`qam3cX>e1sU zjyeio>5pK}4oKoI8Bc>pcjpeIUD9;1c!(PA{n$;b{pHK`Vt)yybAeEpZ|0@RHBUEX zDmLF-%bwy~^~_W5_#aLhJ!KW@eVsn_a$}j=5R*YDfrU*0gUs~cw?ydM^ZeEo`Av2m z7i7qZZ|jU}L_STgzdnBAmeIkNCxHX`Dhw)uAlXaGY7lT1B#t-j z)@EhNVQ?{FIS||@BqU6e*#Tj|&IqvJ3m(&NODQ~V!v;b+=_FKY*=`khv`|mhUbUzGz z?Y1TP@PeUbW0x9f5$_k}tChS}g`xDEA2K(oyjh%s>NB@C`L9;p{2Fkwo1a)vSfo&s zSIuj9*!(qLn-%Gp%GWD3pOUo(%&9L-v-BsZro1=InOZMUBNc>0@`u+Ydf&P!mU{|( z`MfUql#SSaZbR15d<=51zeB*aysg_liTi2zB&$J3TemFc%eiP)*!emFp>^JHyVYF{ zjsi85`pAPYrbSiYM}H;xJfhSwvC_id{cskyujDdy@IBcxc!owbI1A%yB~ibbpL)5G z|8UZr&e1G3Ns@pf-8&A2{$?CWBs`|)N%am@SOV|ab85Cw6j74EJ}n1ihewseXRaH|E)17YA_@*T z%m;6R^foA5DMCfl6y5mr2GiTy8<(7i5Cq9powhxmhyz*kW8xt125IV25Q)HmJ%7O2 zdY4AHo-fS1$?iQWD2fOHDLNt`0m?&^Q%xW=w$;m-J{Bstxv`--jzP?z+E#Ab*AFT- zaL;k!f+UB6?TD4X0&OfgEhATvluHnKUG|+BsS?zX`pt925?}V7X3oEP7&uB3vlEJ% zt5AFCtBY;Xq}e-fL1y0S;u2?uflus~pUn#O9xHn-n||eCkdRNx@w*e=es(%Z(BnD= zhr{L>YRON zmf1-0)w&Jr>y*w5liO)yDv=ZyY~I$)a~mbWt(mk~_?5fT3&P8;I=YqNNuGHj5|J5r ze}g>Jhy27mX>w6zhG=h^uz#u9zy%Dl-JPK#t!O?sILNk97O0h|Dky<6oR1^rlEU~! ztO5c8D{E^?!-1GEkW+Z_y3FuZTwzJcm2A1>{5pr#N%1WCR0>e8qeK!Hgm*4ziyI}7 zrecxFJB3OZ)wt4abu#e7#hthd;!tDX>-XuR{fad!Emp@Ti{XQh9Jr==%wG={o<~Hc zGUMR|^N3KL9v3*=->`OlP!8T|J0}-mH;5Y$pWu4XQ3qX<4L!X=P z_&OhM+1)?&DDbV~^`Rs}7aKmn2_KJU^QjZ0l0MpK#TfIsW#&t8Mv1#i-+ojURR?dQPeGQ{Zh)LfG-3=TktGKvmU+-G$H}Vq2Tdicb&{@vj(&G_P zUcYUZ`uzfRez61B{LkI(<*%rNmu|G_5O>QY!`x0>JP{@~M6MA3U#VTdS;nAXZ;gPjX$YAOW>1yXfi>D zUi6_#WGCg5VxB}h;bVP@q89$3n*%|C*S;uTaI_k|OlK^HQ-bv>@gxfx<*obI)&pn0 zUKt*!)iC9A`>agWsUwg#C|`cLnU9GNa$D8WL}&V3*EL8}qIH@gS!BHiyhhw}%cr+1 z_9E@6-(-kT;b&hlK0Kw*rh=wK6}Ivz;xR3ALDAce$u4)=2#U7JS|t{*7ENV_WX$z* z)v9kAn)pj`blz~Z4Xn8+;}@jOb62j2wPas4eQ_nG5loBe= zex^WMrHHpmd0mZ3H#{>qBLBs`@W9~BhjNL$JZdBk_Dl~d)ms$BKAh}!g-mpg2&l$Y z7QTVvC2}j#Hwv%W?!iQ^a)54Z)=Tm+Q=VV3Q0PMd^UdGDZDIlU?jWX?T#pfT5k&F34W8d z-$t2-t37wuK#pZcn<6z;Fy<=W!thD0&1CG90g6xOGOw+&ne}JMuJn=Xl-!ERAmw(V zX7ftoZ@X^TSlnCmfq|Pu{<&#)aOU_@tB?NFtGv$1V(5(jf?RA;KUHuJt~>=lSwZ7A zz3ctPu@lrgIV1grI^`3otV==W#0^@UergU^Jj=Jw;ePypbC9>+{H8jdj7Qp-Jn|&_ ziMr|!zQIj`3QyU?AKI^9G8-Plr0Kzk7AO*}?0MO;+S6%O>~eD$#q;rkWmp2&iO2)j zuuHEJ4Hjn8UKnA(`F61{w7O)Y+N11dx6hPP_Hi)0A$|T}?QKG`Lrm3kR9G;5iOM+^AOdWZ^N)K*(L2qPldkkyF%+u=~EgozFy_4tl-rm)wvu zKE3?99_>yn{hd6+9D|*Xl4u?&gZp{v5*jY5HhL#T9#`SL$#Bl(&An0Z=qqe_xVL`q zYHU*Jhj0oGV6=Y~o2k1HM$D*6$a(H%GYDgW%v+2td?A>YzBw6pSJY*!39`#s^M3rH z88jXPPFld8=5g*Lk0-UO&DF~M;2Xvaffds{rMi>9JuTfyd`^1RSlBK#zU0oHLC|M5 z;{5#7(;d(=4B?u14<;ie3ErND8{xRkk6(^mqJJX1?MZC6HL2egzSCG&s##`X5ge0Z z^kQ@@Ub$4cc<^4{7)HAHV{~!vp zI8Y_BIKQ@Fmdg0UeR{zd3P~~P7gLgv(LCk`R#ditcxpiW8E zv`_|kkpoqhS|49OLc1p^-!d#&J+-~oRA%{x`K7tC*4V3h3q!~GR}}5niCdqAl-q5* z)Oe-=)1q14wOFN>(c!>o8u#`gsnnvn>FhHabn8<$=dSyjnlYIHe4z3Cj{ei^_G?ir zD5G3o6yH2gkQ$41r|Bk9W95srVcC#ngfSnC+{b^Q2Y^tCerMHs+D=#WI(=Ms_{`!am0S1A{IP7O?sUa9=iD3R z!nvnuW0UNLDz4TRbl{VPmXH)ZS>!HJ!IdpkU%u>ezvMvZ?PISqdsp$Ax69{No5B`Y z;h*U|V|SD=C;$|<5mb9CT(`s7y1joy~58H6Eb&ci_64ngBrB z$6y56H!uuYHgw`CsaYIs;18o8~kY3TF7I-wVh1f=IG%ElW#^#xPQop;^ql-QezwI zIPESCmi!PwV0Pf{taDn7x+sZ1{VYLgY;J#VXMU`n`}0gsFsR9x0;XF$pWCB5DvO|w z(vII_H)+$hKMe(xv!Z5OEWE8{N0cjr`nn6=`@1}L6A(~Q%CyKj$WFcy7(m{3n+*QO zoTHMan)5I}7e|m6GN%@F3Cbf1>dwcjL4m(ys(_b5zVc-ZbWqjT4$8$@ZQk;{EYYLX z)z#(k-shX`O)h}Ym=9*TZmm$GqM<2*qP_}?SJz+lrSM;s2qR4ovIq5DZyVfBOGc0@ zM!iTE#Y9I(&;3;N%~6%X4x~Fs+9Vh7todLHO2F+vwKaw|D1UGFK|x!YetH_0f=`{Q zlPpwvlnCPjNL_P*+OMx4KP?-HKL^9O;Imc#T4 zX--C<C(XS}B9AycTIy?Ms6BgB37znGY3`#WG^^w!ca7M))~H z>7WjK5)_5czbZI`Fx^kn%29!`Y#z7IzhT)MJdKw3qnr4O;O9QM6oEKO^$nrmBw_y( z`U4r_-R*5nwqtd~Pw&xo?ryJ@A?jE-XS!orQ}{iIru)xMO--Q*3JN;uxJJDI#cg5d zud3GG^Yrp!b)rA*j;6ThhA3oyH4CZ$^5s9ugX;eK?UxlZ#GsEXUgfuY_iW~970E0V zg2GqI8}dm`WaV^(;m`m~m?Oq3P}qFtimoz?s5HTp%lrwD3FgzRFiXGHXxu~cakNsp zy}h*mQ{~MT)VFm`IM#2f#EZ3SS?njp*01^zdH0G~Dk|R+0M(^34>+X8?%4}nR?1ek z7YaX%G1CjegN(3&8lUN*3?HON!T@sR3X;uDc(TE2CAyb|;<>LF-8tp*Qno6peyUI^ zm0uPl#pM(2$x7%5pChug<;`#pFs2ldEKhuR_fCe7Ingz&X3S>v7h%^x=CQu+Sn`%gwK1W|lB7_Gi<5xqiKDTYR zbi<`yS2|c6<%|k2^2KQ->S&;^g?;-OVUdvEDqHtvNPwV$VuuPao|&J25T@A7480~3 zp<{GE@vyK0;j`GVU)m$axKQHrvG`7dGyEZ9Ksp#;!(%>ZtVneS+699t5-Bi)%pA(5 z0wQZaE9HLqaLeFPPzV4r`Luq1Qci~(5kmog*%2U0OAJ%8;tt=BcoiL?Flf6#7q5(% z=jhRYZ#r!X_-@r!L-<5|R$V9^OV(HNI6Xb)3o&n;G94xawzY%UEMK_CMmsHEV9*@O z3zZT3txmtBFS^H@6dUG*;}{+w1`lB;R(F9zGsxf(DDzko9<4l*Xj|u-1vT%sVva7? z^h%W#wnM?p-JQ0NlDfb#iYt~lm zc#@SM^Q5b83c^^r<%JD7jZ!+Eh{9rS$O!pJu=AN*$N|!%uB}GgOb1~_(Z-l4di5O3 zXB78DDItUa%@ZXJ!zZ=kU~^#9aJ)09+Ieeb{=;*d>#X!F#_iPVp0G%im2*BqqL1%D zcu`2PCeVEnN0;BBl@bfNd>Yqoio_e{M~mtdu^)O*DMCAp^G3@^F?g|sK*$o3hu4H- zd){PVDF(e6<*2n<&>D5kwAUOMB;TYW6D}ORQ&a zy+r*3EY9Mp57Bby^e+{FD$+^4Px_)*(ik^yzZVf8?S;_gwvhT35c)LXI=S{eINN6R zl8P472RhnHoqB??l99IpQ|RKSbdWC+hDcXfzQc?nYZid$p_!qkF@j^&_<|zk7G`X9rx>{#~D?Z;I29-44_*t0m=_VjuQrHt(5RJ;>l@>u=4?CACA9B_AXSj-p zD?YzQg?aW^V@`1RsGYdU7QxqOqM`4>JH0~PyvU43rM;?e?AaXi^47R|{Qzzeev5zL z6^daLqyBwag|CDV>cAmd0Tzv|je{nIY+u_hONh)6#r3affvV>oe;H* zY2F!rbIt*3+6Jd<1*dkT7^tMtAiH5?dh}1U78`m;O~v#~1M&RXiZzObKYYn?-h;^& zl*VSg8V3?lYQ${sD-}naI==Q+C3#a3M=2F z5{T7{xB81HMg+zU74D?ea~B}D+}3a&G>gQYdNV97`e~EDg0kOQJoMz)HTU#~!NtD` zkPlll(e|Ir`V#!y9^!bh^t_>Y0Y4Qs*T*wBiyzX&T`--d(Bfjr1$MvOka1Xy!L|ji zWow;Cx+m;~pNK-XZZTmQpE>#lAbFo<&dpdnXQ|Q=;J}*QA%1nkHM!zS^X9UVVO6{35#x2 z@b2Zd_pJy&O+A@5ubZD$8&9fbsA0CAp6Ij67jSV3O}wOMV*%AHbI-?i0bNX!+$OL( zf9AcuPP#&4(zXI^;q36uSXHjNhczVTl@n**Yf@+RS3Y$mBH@20VH;+zs=}zr8Xot$AY~tYHfQ!tPm-AaqBaCb6?VTa_C=X_DKlxARGS3_GvDRI-}=Ku~yxU zi`quX66$PmH9!r}WDE12j77!wBd@b3ees0bP$Zlp)1YFSMfZK~2~1q{Do>9pF5E`r zHN3)uThc38;?c3^dn&s~>FWy2+V#s`-8Bq*qaTLT5{t5m*l<;$=o4Cu;8y5 z$D_>i=i+$%FTQd~6qmtI_fy4LN_&I>-->-+Ez|L$bVW7^r9J@KQ}iNMZ^9~cg;T^o z0ey7oWQRyUXO>ow>-ljx?3)#D32)RahNu#uVp2MX)u+D-Va7k9vGzQ6Rlre-2&EsT zS#s3L(`PkZS&pxXWQzOpB#@ zpX*r1owB`IOJdHcpT;v6W_d9qN;IBkqTj;&ty8Yc5Ed+~HvK9`p;L{pgBJyAa}%an zv3y6%0Q~Gb%^a1O_Rs83IG;Cr)HxItY23;tvyus=L(9IX1DLMKo1+UH1?BCB_Mjq` zYI;TgIVM^WQ-y-MKl!b6_TIoKp?)leOTm}Chi1+(j#sUVa6@#kJueR9ES@wYJ=cnf zr6VNCaqWFEVO@inBK2!KQz)fS1(v-Qth(ZKd`)GXPls#b=Lb8vL_VN^n^4s(F#W3k zl#vV`B}Ky(7a_8eDbf1`7lvl!*hO%Q&^*&hnd(HhNMzN}T^#H&aXO{BQ&{`suMUUR zo4rebySai7w#;DlnHs}2_=Upw-W`Uh^Nj|(5daRV8FBPeJ5Tl(nKL?Y(wS(JG5O%i zZB*-@AAC}+jiX@dd3Nl{Tc)mk2M^d-9s1|ep}HB<0IjzRwDV7MUY3_NZ zJ5!Y5(n4%7h$>$#wA07|KK}BCBCwv;HvX)RFLw2zP?`K4!nEk!={JqHn!SSr~;gHD& zN=%qwAGY3sZ&wm0JEDN@?ZRi^8l;Uc(kR6~d+q3B+WlB--*cBXpSU3CQB04%tB<|E z;>!-ksMDN#+It^z`S=p{~_xwfZ__4u+d$dV8Pv;;K41p zyK8{p5@ZQ(OK^85NFW6F;FjR7!JS0{1P=~*hunMr_x^gRQ>kKW&P-3AnV#OKj=&8!cM}Idwuxuk75li`!xAk8qJ3e_9%})Uk!304Ek0QlNN;|x( zoTopRs8PF$(HL#28`~9^oKJc_4bCw@QaIl%F$vh`zYD?5{)#OkfcV}Bg%VdDJ` z{BmwD$-VN|_leVc*KL~ly<4sim)e%26_iE<-`s5{CKBaxyhIwVIT1m@viCGj?aj>( zGgb{%>qt*pvISn5TN+`{*<7k(MEwxnzB#JBegJHx)rg6iBMe1AB`zn?E{^*YwcO-n zG1|aot69iQ!sifi@W%_pak|x~q)f?=A%{uP*ShKuOl<=|=BPm|6`d9OHE?PaZ@!1= zkk;OAFtq;-m_!yVlX*Up-Fo#$!`th0q(P(Jqr^b%4c1v#EpTep?X)0?idyQ^$6)~2 zI2%mg8ufe__VD3e*6Nd?*eq6VXH|Fbp&O8w=Bkl1Iug1|{usK^T5SsNyuLM*JOJPd z+k46?4`&Lz-y>4w?Y+*WCTUFT5aN@``anGCKqd9~arnX}ut2`5VF7?SIjy$_QTq#r zfvWQYMZ)LSbhsQxc~Yvir6g2s^OP(Og)V>joW4E;U{J>oKJXWMkO|q@XdtZRbu_Fe zCi!+MnY#3soXhq4%7jieNnZksP4Lsbd%qr9*N>CyK)Gm4wvCxsQaq?iIlsj?3=g?C z^?z6ZL9ah2UGks!c>9$pgSG86&Ce?Op7Dk3xm^*OJ4&CIp-vg1c9@M7i|D-(K|knU z6y}+l_QsKuhF_ES4+a&!d}XbyU2cRCZOzeN{7AYEPVE1gonPf?GHchXzm%_8t4?oa zzWK;X9p2UD{hOgIwIr^-X&hQ3qogWL_0^o7Lpg&S>OHet2;{y?jFShdr8|Jo&qPYE zQ%akH!rVV|JdcZdA?f1(1|+)tJ${dVuu9SO*MstGdte}6BRR2296RNKhBmEgy>d;z z$=NV=?Nj#l?3eHe!V`Gb9A50MwbmdBTE=&mlWPl)W7h5d7f6WFX&(bO$a;NFM1j!! zTrt{k{d1ja@OPPd*glr~;~wwuj!aW$Pa=zo5c>Wa$sz=%?a;73={lTLA28sGH}VM+ zxw9*bPJ!4HGlpyy-gUcQiep_vcYgc9An1Qk#Q>@PXLKT$Thbdoz`tY7lTl3R6Yqk) zBp_b9J`GwWnk^^4%5BGSq+YG@LDl8Ri%-qQgw9a|cnbFpVP2_S*2SsXaOWcG@atQT zzw9@+9zEkdE4{>jXcBNGFw#d2qHY20y`OJn(rsnpwwj6$KxxIM{tBra9{%n2cz`j> zVuCinLEZzP%QP6&46HWg)2YeB{t#CYOisE=)%ZO@MqlKFrY`H1t^ajyA| z*l(VY_t%P%Ul6=PIZ2CEXE*hZ$q|6-8^-I=i`F%t?bcZEx1SeIsP|YjbX=|>N1I37 zaS-v};<@{891B7k49q(&g-j8sUchgraU_(6K@K3hc4YW$YbC>Q8og!FLMyWun+^1wUKlAPZA%?6(`L11W zRWWp`(;-m1@~1l006Bp%-91sNI|&8sIi=(u9-}k&=}srw{Ia(N*uDhE9GCH}>1edb z`p^D(AtY6+{1ngie$x<9s-SY9>=puKY0f-@mqa$r7s5`Dy?#Q>0%{=>!1C zAnXRUSqo>O(_EO(?;F@nZwzr&*txPA$= zL?cyJz#|elTQW#%4gI#l(CEqMj!5CrZ;Yk ze5%`2Ew8}u=Q$DQ=dQBq0oZ945zCfzy1_Hq}p5lFDU`c=Etcd zt<&U`jC#lVySgs7dj^*D!B7CPhvH%Kvs54DF+6sll2i}>a`Ncy-pEJW+0UXB4<1+m znnSu)o1Bvh4&1%R+D%WosPWZa35@w3L9dZ`Fo7`y{O9YivXm$Ke zJ0>>#)3sJd5CGq1etnkb`uCW8wp^RYrs}D5t{59KSD_CDva#mCt-+v3Ld9k?ecBAi(xgHz-5z6>z)ce12T3*yykoXZJx;Z(Sc#k z6D!gW2&nk5hV!zDr}1+DbUEBQTRR}m<46MghH~g;=cq6roX6bB`4R%a?!q#o=cu;_ z76I2EPEaEuvDfzwW{3VuP`f1*h5jD`(XJqqf>Wv`TR->VR=TBPw>tAH)!wM54VRPb z%N7sEX>1#{$9z!K&Y#11`7{w`q&Sk23a+-!`xEhHzsz%s`^5LU+tzm;N8v|#)>8Ez zW9mYlnJ>XpX=!AwSqJ=;@jkKM=Yk)pZGKnr0?EZek>MW#*&&f137X#SFMSUE1?<&d zR+aw9KRSkQEAaNU@W~pCWJ}8#{I$!jC$oc*X2AE$1+)fi(Bp533XnPTGjLHf#emPbQqU()kdR%Evo^ z2Ihg>BK*3CBb}p+!@8e|$L^;_=C3}J9rkket;d*Qp`S+e=pu3WuL#7(uTYWhRK%Yo z`&@s0MSDSog2xK*Bs>gArMybPkQ-m^uNbnJbt~9|Vw+dV(ZX(cN`qd1jic>E+LM?_ z#nbOf-eV49ov(f?+c7MoZKSlP(xdj~33@j35xP8WBBM{TxlF$9=PS1G2Y+sFdLfDa zvR17A8Vq%wRm3ZX|tuu^)2bY+Cj6C z128cH_m8N5P78j1)d{C)_I@mT(OCM75!nLC@uvIEzNULji~i|f!%;JZDr#1@ z8y;?kkeL4qn0H(W0Q0Ckau!N-zmg35y+tbg8mlYZ0@%cm$U?Z>*2L7(A`sKS_3DI#dhplIj8Px@l#Ugvqwigk-Qbno>}VVyrGAl< zJ}(Pa{Gd1{eVIuC^iHx$cUh?e^>u`sWjE{2$Ik|Nx>>s9K4lyR{aYdrkDV{jcL+r- zhyh5P{$p+}O2dP8sRm^S@@+Kz0LFY?rAZv1VnUeTH%m;+`N>Fh|zyJ6ob9MUGj z-*!GR85Gl89W8wPg)7T+jc1}#o;EIXB;cz4wZPrs{=n*@#(kS*r8NNGSJfEP*OoGY2a6jJjd* zuglD~@k%vI@?l)T11xVGSNq*-fg~mCavh%C%xm(gHml(bW_=OgNFh?Wc;t6%4ha|A zEtFFYvaj(6l0{@7*&cdlEBVvjird-S>me=-YjkwKs;+UBo5jdT=gL!vRufv5~4I59eR|uBT-h1i{ z5V!+}zJ$=pMd^Pe6y}jikJ#R!XHJ&Rn`u{#$M9-!05*PJ{rG>04%N;MQ3?uG3dsf@ z=LwEI+h6(NtJ-s=zN*clZ{#RkiSm6_>wT{QNL0rjNBi2p9k{Cp2&OY8?0WMR)gg~x ztZ{7^P!vwEN}z{fKN;Y}V&ICQ9_*0<+#TKK3N6o!FP`_nRzmK@u0{vJAlIJ{SjS|| z6V>IOlLZ!nTxcJ#&7DzlswuX&22LpAz8*&BmrsCOfg2kUKtubxJPP5N5fDYvsHht zG&rQu?KPaB2Z6Se&GRAHqw3OEs~Qv(fXEFLQisw1e;HRlTx=A9{I$v?rTT+=oT2tz;TvT9;I943*~-ip_pzZKH2t zcpE*m5WTFwWp<(?gRP#4c6=8?qO}&-FLWI@X%v^cNU!e5hQhgED=T1ia5v(;TIPxd zo{KP|5IE!5qazJ78ZNg0WXc00rWiMl7XOQ?O$m)h610Ad=tbfkYa{1x*5c1yT)ZHyP!T=ne;LVsDT*Y7R4-;7@5HW2T}PsBZrZE_$y&XZQ0=G zI8x=aK(c^9WE31V{2$>*X>ImH)LA*8C$uF6Kvs*U{P~4pZ(x(((gJS0iO-f^2WSpB zfR7>|2YNsC5(0^hKf0+iw0 z|9vQf>~l9SNcr*#r~A#4k0H7lJd~1b8h+l+k{LPxYHe0cFJfePrq2jNy|NtK9O_@; z7F$I6G^*cc!0SF1?wXPo9-NUg?xU{IH;YhPGA`DMe zWAnQA=TzA&Ww+YWPvgUo>e;2Ny`f!G(9KH_8)rP|;YI$3=1PNVP9kxI-l}3QgC6FHn1I@?J@%>SI&z+i!A>1dXi-~OIVHhO_{DXil1xy;Q zZs}*i?7eMyYyg-s_)0t-f5JElKA!@L4~ zYl-xoD(NMcZz>FgY3n@hCoj*{1cwhgs=IjU1}{)0p+F3J=m{4yw~#iWKU})k^bd=1MrergY)~s1BqyRJ10Xu z4CtGH`7L-4tEl4-L(C* z^=ncSpapnli|9f3B7vQ<#XFU;@!4+M=?sGxw(Wwipl1Z|E(=53Fq?y(av$X)?7F%~_nUN|t95rL-0X&5Vg5nKna$z{IU)BxEFmjT>LEaPjD zhw02vqvp)x{5ES0S8G$6>Bco@3MQf{atmxbxq~P;?B_&3QlAJaq(t^~?GsT$G)t$d-&D~Dk1!vN?%ZbsnqSN)fr*8> zU4?aAk@SpR7}tUxzv>@$$rcPwHmRIkQX;xniUx0ahT~~;{{)Vp*P6?U09d-q!Bv77 zG=OI_!z8GEsftdIg0U$Y*TYuA(h%|32NL>Y40VNMyxtv_fvT5*{Y%RBxv?5P;8iaW z$u{`NUn~Lxr%fewVJU6d-D$?+m#ys!PCeY z_YuCs#9CDEWz_-H1u4P>!r-m4@F$*F3?DC_ROg0_FBZA%Au;O(FHWJNKQJeH%ny)q zm6i1pX%&6gzUts&GFr?pB=rqF<_!vwZtuIblNsc?W1a%uE*%}14 z`*THYjD9z~L3kCQ=3?;?cnzRR06Ja_yyjKM<#uIUBY{;)^P;&NPFZ!xaoL(F6U=!= zZ}E$$UW$-q)miz^%hVsn??pZ&yzGPJT{M8U?==95hF32Ho~d?7L->VZoC_I2At7Wy z^O^W&WSCfPJVs*l#nxtGWh|g$umA#(&37}bf!I1#W`MkS;Be2l-;kKsf#6aZsPL&o(ls{BJqUwhkl9YQNn{>qR0j8V-Ds zGDkIlKf#gcjf2RFFJI>0pJ|>mM=Cjy2g=xs!U6;G8$26KbL%nmXVc6Db>iEn0!*`~ zHnc6tso7%S%fvI>!|HjBO_&@_xQHe&^BM-~j$+z~d%=mhhXTswpnZnLh& zVwe*{Q)pTlF3UVk$^+nTa#>bpu*j4cp@?tToN7nROk@5!d9cgI2~7P*%bp;1kh4`r`9ryO8%zqufC+4ifPY(vEeOi@qR#ijRnY8tYYk=KklnnwGA!S!n=Esj|uPBlw zMo8HL$&4&O)x7f7;;pq^Iclp(QYiE&ubE5n{*jJ^dA}xwrOZPnPe)Xv{P6}0MFo!B z_*veGI3Znnk!}n(1!~5*Jni94NkL=4@GJY){%h_pG7uFBeUqCfe zFJPQ`_*m!L`gX*>K1+P$9ju+3& z_ge)1!Tqwx*!p*$p%AG-{P%QR#m3_z=3Z2S+(;cZWPyD(9w9CyOD4{aL11sLztlly z&@#}rlD6n&$XECcOidHdR;Cu!IQ!F|5~RZSidDnJ0JFxc8wQ)O@jh+-;GB}hC68LiDG3!J(isLNBnDkaR_U)8A}eHl-i-v{{PZ-;kI3kC@eK`= zLhhRNot!4CPZj<38F zzsCJz6DUZ~_}$Nxbrhzmq^}_rh$>hK_WS&pm?1L|Sp0kOGvIyOXQ4uF5PQVskf;^; z%t;y6!vL2E)}t9^fuFAvbWCaD+bTwcq6%zpFolpAI-^{Cn3#l!D}g8>AB2BJvf2?- zM@%AGVGS01xeP)Q`~b!-n+ER}NX*fo4Q|@?%66MkW>{OL%*m}L_1sTKNy>ljQ}oos z7C}J^$w>pThjL@2C0Hz~jezW1`%#WVh*mqk0t|ld4MmB(M75%W@AO8p`<`$hm#qjy zSJ52s{gQ_-O)&+qa`?xi>0$d8yY8}swS20N*A2tioGpAPBD0~o!mSr5d9nb5QB<(kt-M$t`wE6vH0t*gke6nB;a02WZN!z2tOd+T#y>4J}7CDWiLMB zMJ}1+x|iXKCdj6OV2323^uNy5i({(P@kC#Y$V5HjZ;(=UEyQA}-8a#A^00IhksT)` z{s*ec`#cKt39W<3;4tA)?AX)Z1tRVT-`K@8T5^vVvq%DB?c1W1&=v}liW4aMDS*T|4L@>s+3Q`a!UAxL2+&ky-ivzCHhh0 z^$l_UsPDNvTI(dSz}SWD0zU=a;E6HtG84$6pbA}Rw~9M=qz7tk;qr|YI8>qeyim`D zv`Jw$#ay^F#J?vh*N)7BTM7M6yGt)iXD<}y&g)4+KTY8>HLp1NDcZKp^~U83Zwi+7 zM+{F}*KEF~s*A}s$)#h4jyEfnJLSIxwrt{UCXaYOq+z)|t>qA7)YI}QcSBBK zJ19JajKa8#5RTr{#=la6d`98r%P$dd1^?WiB^S@ZO{pN{zr+_83!ILnIH-utDya!Q zuf>a`^Wb8*+87d@c9Ua$$WNpu`wKF{+*dumHK)pixlGEhkiVImda+|s1DL9i zSE4p)0sRS96pY&yGV?d6EGxq*pHRFJ$lxfOA}@@o2@JcQ*4Mnn<#hbaAC@t|T=_II zQ4u`&H%e$aMYbSBJ26`KBx_lvv;4Mm>` zj;2HLBw_V$OV4sMD(bNlAME#TwwnN5oAX-s?ds5Y)Ad@WxA=(>gjS*P$4f3IRs(q| zdN@2mrx=VtLczM8+8ixe1w7|_c)C?LyPRyWn!IXmvz^Zuj0f@SE_Q_9e2kK%ehI3MZxb3b-?sjx>9%yHx-}IT-YuHOJWEhOQH)zk=!gp`Pp+>Q zg{bCKSmH_0<&ynEMnf%I%hNPi zZl%|^z--Q@2Q^SVaRtZWxsr3YVd&mp=pcSmfs2!BcT{cEBb#OCw{$-=+70UNYeT^F z6Y}Ryy%x#F*iUtP=^;n@@=zK^e2eZpnYbf3mNRETwD3@bhg2vmf3WE2;Cpkrzbn3A zRk)TSspVg0K?H5-u=9uJk6{OQ%YcsqhT^!Rpru9}jS6lNGB^~)Sq`(5n*%OFFrnftD|7&u>LCuTJs-PDz zj0&q;t_y+xBm;>pnwWlrtw@7OztSfO$BdoN_^iQd8oAD$h{42Ebk^%MD4mL8Zb%4* zzMqu1E{noGuV~aE9fu%4j%p%#FFjqu+iP*lDZR(RGmN@Ag>z*~ox%s!Jq3l&m0pH) zrMe8(f~w-0~hGO~Soj`wDr~$*puEO4!Z`A)dw)Um;e>NsI&D)@dP) zNx}mP=axwXrkAGU)hw81Uju%$Txu+_znbaIrezEnc_a8yYJ5A%ZIDh)4)f=Sxnx>? zfMHspfgnD~tH28;>GL3SGx3@kvQm@U6-Ab5`K1VU>|S`--m3(69&41=ef|N$0VXNR zswhbc=Ae(%=bK7FFwfNf#HcfZT#}Q=D}#lt;3fZqk^a&xvv-*$xh@CBCWDi{lht$g zg4rOKZK$8y;BRsDkEB8gSVei!g#OoPdek>ci5IQX2?FWGBfTfB+1`pYa?&9eqpSu~ zsh4DodY7F?T{$ZB{>iEK=k;{rZ;Ar3Us^-ViW}ra6lsWLdLs!3zO7lXD^2WFup1bp zPPdpM5lcGC3gPAh``@4^7D(LwI_8PTa4qTT9zC5n-1D=Mj=%(2;mm#$MRwcBxc;M; zd|VRlNnSh+X{1bi5idRzK^}_GPA#6ejl>&>Cy2w6i0}i|=`udOh#Wjrn=pwG?TIir zA?#Ek14rkQ4U&l?rTxAx9aoW+z_vxNkxc)HGB|Cnz?5oL%le-duXCRZjXtWt2E~Z$ z^yCQn@A{R1Hl80UbyRg&v$;Vau3(+C&Q(qV{DZ!HcOJ^17)RX{#f8hmkiFw8RHF3f z8XC_S6KRFRhlvI2x{%ONZ)m}Sf1^h}K2AX#U!xMmKNsP9E@D(S(r;2X!WGShGU(J) z=T`0r@Fe}~y2}X)(AxJUQ|Y)PN7e!s1%XaNMxM5yxb%G+lJ{_@Y<3ACRNz_BdNy7g zSA>bQ<}3yVR<4C=fJKOr++YK7aAFNG?V1V8Q{_L`Wv&{CE!YLWU*!DhShmRv6_qGV z-0o3?sfQ;5gBpy3g7REZ#uTM=TuwNxjm{9}|C9o#W(9q+l4}EtM$UsTjeZ+aLLPmF zB9JaKf@Ak=DRHQRe5IhdWc&izcVkmIjE}9Zw;dg@gD-~*r`snb)BAygSt^((9ZfsQ zVSGJN-9y=hx+t+VlczeWEF+D*Lka`em*0{ZRjmX5t`6#DdzJ;3XpGILf3-1!E&j;Y z36)<=6zov+edKW#oDvr6Ao;$R1VX*Z?OyKDBeL#%@SYOT_9^&uBK&KIyzAFh4)vZA zJtRvf=CaNx$mn;tiUw!hpx~y!RVnJOSdatw#HaDYNJHu`R!GsN4#@Ge3i)|>m}$e& zKxm9~`0X#ID@`<#^@3>_S5JMf&7#Oon!k9mAs_iua_uB$4Bsb$Pz8XYq7FkCH4UDUiG#srG2a`EkZy404Qyj;LqS^vq3QsVMB0raheNslXFDq5O5t1pKu+r{|>(NGTaD2}{wY=%FLLDJu zerq~^rwJ>vP#wPj;owyNEuZkq1LXe;j0knu&3cJSL7yz4V5x!#ftso!jm_8=FKTYi zlL=COe>886&zb!t(KI>XxJmbsLcQzR1HEM@$7_-XKh$`9fAqZT2RP>szVLzNkU3_J5HX0FQ9BU_ z3|~4mC`~vGquCQ56C}&btVsf;k|2sOYfdLO#~C?BdI#uQfe#|t?L7*EOknsma%XrZ zu1$e{R(=o{nkoM zR^2Rv5?>#opeBe917D5_0=IiYJ1H|BS;&~kETHwVgWCpEwkc?J<6ww*_C4oP`zi@y zG+uAZ>pkp0c6ee>2ZbS%I+ytxUbVN;0={?Xn1B5dVhwqF2PLKyQ6ihZ>ON-OR1ECx zPxEVrcG2Ob2`X9tQ9eTvO}U_+tl~J_-Iq&~fMI7z6kpl*hCY^YqR3a{CAjPxt zRYcfLN_iAhIa19y&Kg22v09{H`abr9nT(8aWCC!9FG(o|&%`A^k#bRsrJL4vJszLc0_enE1$L(*9RO%i}q3)w0 zU}Qsjlt8YmSP>Y zPoH{9)<08p-toMcm@5r?{dGKFHCbrb&FxUvPm*GM6tzBqc3w)1Q1DlV7a6BT9ywrA zakXeyuK(NlS}4{)j_fE zzsVGEe@MaM+oDb~&QT&{r>@W-iW1Y2X2VFYNpBB)ICb?S6eU&*f5LLlp8HeE7)~>g zJvA-_*tO%Ar?Rm2=@KMWGU2G5Hzx`_rsJOk@mJRzV_jzmH#14hk440$cmt2`;GNqI zDa)HEnhTHj6MIhQ*H(!HR(8+)J4#==WP_sy1wC$v!s71Wc34uC%+5WQJx>R&-f%M6 z=TFFte=DDVrYo@=$sHpl^)e2p`HGqpl{3SrYH?LW>H2i!{b#_iQk7S`OhcnK_0heP z@*ZC7rX9KNO$K>6VfFXA#gUXfIY=Ppv2e*6)-Ya(9AzLL{YY9j*0xQ)_q{bs(GKH1 zY!-Zq3FQZqoq4I(!l5QWO>s|kVPwL7D73Qv;peHj3j2Sv-<$S3FE?#ml+*$r3OL#* z(VoTeSA|1f=@iTiiNbpoGn)B&yO5fa*@JMxRC=byn(4+%LR#8Gn`ZC&eOIArd;oAH z77n;l=VLt5wd@!B)Y(5uyX@cfg1deIMD()`TLprr^WgTMyYG44|HOOEFrogr`0r^z z$(1p0vk#<9!~lQQ$FncVTghd=+nmS$8*>9Y_CaTP+EWMza-6zCRXhO;aFqIv`kJ;y zw9%O=nk?S@MkCa>rj>&`I!pDZuirzZyv z*7qc|?K-}_Dir0?vF&dkTUuTIz_h)%3D*FmZS?L~cLDtU)Wc7Y{n;HU_w`hzJ&XPB zxAvW^`X!u5@evZoa_8R4uc%~H!^eM5odiGWH(Hh6d5BpID<9qY6F#lflBQJ=&_jM4 zHi#ca%-ODd#->Z*h3w0Zng|mz#^*`b*H~w?y0Dz@OoTTrcLblO4i{K|%CgmHqQApD zjF#QRz~<+|tS_GE_jF^R#}WLgC=yLj9bPyRZsM}FpwO=V3(@h$O_bfFJp}0|>AS5X zRHi3w*O+LE@XGAQt#U3?Z%3ZO=$u(P3Sab|c$O9T#BDjA1#Mu>HpKyk$A_Z_u{*z0 zf`FwuN{LMF&3k5x+KcPo3mw~fAC8xdB6HFYwWXIM#mt5Btbu%vn+RJT_Z zEQde3ZY^Mon3f9g{q-hEXMZc+aqzbXwpf1JtM!GG!AGFc(J#) zx1GxkQDugBw}!kcB^(~wJqvvvC&&XoyJa`kd>Ba*mX3oxrg*i6v{oG?Pf$52kTp6k ze7vpS?Gf@$@p&BHdG)e-q7mNc=c6dFpyy6rk2n*Znda_UOGa>C2nU z7hgj@!${6x4UVU*jmM(pZ`V7v`F9o#T6U`cBbHxlMQhboatoK+(8NN!ImYgIR@A~! z6Jf;L7C+PiwcQ^l$n53!zM62r+!po2d&6cFoBJr%?SNrq@%`@B_8QWLkoY=q4o;a^ z7_rG|O|z=OB=G1*wOl}7MxsTn=R5^^6iG^i#dNR5{JKex&el*ScOW;#tA~uTlL!CB zk2^OW`%QyqE^#6Ez};-v0G?N(N~A@kmNo1C z1i0x^aHZISa+s9eWmagDn#8&-GzS5 zohNKOd7joD{0h>Wd@i{|Sl~Y80w7P@m&=tt4l--DGacxZhM%PO7s#K{2)G_09B7vm zO2>Htw7rHA8p(zDgJ^pkOw}WOXoR?xRp;6;$My491QRAP)dMo#miaLD;z0%8A0JvI zNJ7isB6Cuk2=#^oekR~0+XJ;|{$P0%q-x@`H9LgsRXq@s!Vix z_nAfbnQ`c6MOXx*&058;h)*JVu7J6$IBzv>ccGp-U{RA9Z)78_wLQin5_FO+yG5!P zWHxOPY4tpaV)=WJN0xH;D~F#h&+jkzlfVi9B`c&4a}X*(HgW@X&Cw zWa2g|+qQAGEX{xbx#e>}GaU=`O4WA9et+o~uj5)XQX%6+4=(*vIu!)6GZf9I(o^HJ z3`PLjuLn0uQfr}%3ycFdW+6;RLHTJIE0^9C-D|>#hDe+m|0@;gv>c6`lM~p?-L3hQ z8wiik#euC6Z(1$b&F03}L4`%zkzH0f{hqyAr$r$V+^ZAJ+}sTB-H^-!<#I=?8xLfM zuyT=FxN3SZ&S?lp22&=Eal3DF-dZ}5)<%UbtCk3BZ#by_Z;s6NTr4*Koi85C715L6 zE!H{yXne)>dN{Ar+*W2y*#YOc&7qjD+^2 z71ssU9V8hyV{{GPZQmvafXH+r@jMK0jex75$f9zfw-%hOg9_2T+kLOoHv)H*r~?Zg zGKAeJo;hO?*Ez(qo0d!91qq*O+R1_Dq^lt5ZChx96$ zH8^jby4$H>Idi^jSF;ldo|8#s@?+*b-P_h8Ntg)YhTHDu%@R#JB`N~uf0`y9Bi4Wo z4sC3bXO(O9F$M^ujxF)&gxfZHm-AlzUilg_981dob2F=}VmYeJT&I@GN#e86PFYId zw^#GeQG?%`UEf)>>hNE+Gr*Aw-=nAZ{D2EpBqC*_mM67i*fha)VWnWDs;UQ~^;@J^ ziv~h`mw#aq!l*6Ze>!cl>}fs`Cwjp76E2=m{3@KHyX>}HJzqT_N6??(kI`(;-41C2 zy^{6O`b87Y8-+u%H-2RFBdOAzA8$Fu?BSMVJL8z=O1;|ksonhsZruoH70$m5uXpy( z)2Gr5%#Uq80#gw#;`s}!cBAjb05K(r^Y(CFB4eNv9uO_9FYw}TvUL5TB~^r@OAz}P zxlG%@zI@kWhCmH)ZA$UgsTZZDp)N}+(^83AD9{}6IRhwHDV2|5(?o&F?7zJ+`)_Z= zIdj8l7xGc_YGjD2i1?XKHL*$A3mSs`+v$K@PVUpx*Ius<^FAZh{F-50YO6; zuc)xQJ(`coj} z58U*RtYZ3wG3$EfHoGj3uAWUIXYS0D)vfLA?0DeLhVM?Bo0}5ArEBUQZUSU_$_!dY z*<+2>0FTS7dRFa3mW9*#u@?6HzYOG!$EC9*Wd-PxT<7lscAh} zoX!6@<>GD>BnIZh?Or|jf+KUM<0%JIMmR-=*0Iybg@lNcekNtE#vEQu)&(7aY_X`c z2`N-QY}V@{uc&l+H7i}0AKs_U!c)Op(t*D57;3fw}}B8BhhN zMx6in0<_kq)Nxsu7p6AH!}i??sD2SpB}QaK#J(eU=J}E%AMr++ZPwhdCHK!-!^+>n z9!Es>+?ir=k&$-qYV{p4!!0VutVx|~^;1?WbR9mf3V9sqi!w2lH2t)%B*eznn6~7O zZCG@y@<{ewpQ31q?|YZXmDIQCg6Aqg_UhfccLe&ZX>*w2+qe1o`PaZl8fJuVGjqLF1AG>?ATv<(CC5TnYebIK9U0?0i`J(*2-dDR zHs3O6@OvOX$PrGRxSKxRchG?x?1)U2*XDL<6GckE%Cqu^4rs9%kl*tyTL9zi z)scs9FK~I(wIM43c3w~Avx;eGXi`=I)ujLfR?DM)(Gj>BjK1Y+@DM1!WkACEmUQo1 zRxxwiCsE%T1B#YLl;1`Ln3$Da!e`nCLM&l8>~73w7qQ)=@2E>; z_)ba@Z58!22-(dH!~fV{rJ6PllnE>y9rc3+Q0{m|Y>j%Oc&8GM6!wowYt?0@w5Ez$ zWj5OVPTxkz6KVNzoFmHz7g6(HKreh2BwW+1Td5!TTv>*%>kJD4nQ zrGUjr7Qt91uE=QcVHZ!3M$9rGxn0BNwp#Gi%Kz9siY!ty0$2Rp&o~+d|LimZC5huf z)0iAQ?y%!#ysL?7y7(tTZraB#WOr?4&M1*~EsedERN2`04akcjltIZ+bH%EPMxGs? zKa)tYT@*;-Mb#&r7j#i6XwfJeCmSn)GK$g2_UKsb1X#MDUFuDi|w-NvddADoB)edh8bR1K4uLp2NZ9G9R54x zuyJs3vXmhZnu#RX_QLP03P2UKyehuTbaa+2vvvTd*YU>2h7MnLr6r(yrHrv%JL~!u z4b3SSlJ4$iGdMCGm~=(NU;xO7g)O0}ADC5SD1wonj_j5nfs^U`r3&wMH1&3#*%HP( zw2aL~4>w5Mk0S@AV;)j{h3A|?P#rSqLHJD&Mxo5G}f&i zqz+H2WGi^3QRci~D}|~MnV*=POA9uhHE~G7W`7IDW*zsTk)^{mNlNRxpp`8}+t3h& z(S;eD)V&)X8fqCBaeGhzU(nzA$Z%g{9DK3-Mh6}9yY+_n=}|!TJWlnT5x9)7*x*Ljr%Yp zmlgqQGcbJ*fclu)`g(h3e=pQ-7k>Z#J-x87P^LNRMu84OM>*ig7tLrBUTmjDjycet zk&zJzm^F@UWd_tp-k*SlT;{c5G%-6bcuxCl2nH3=$mwz^upij_%gm^+_GlVo(GKnH zt?r6vzM)Sv5L2=`i}w>#Tq}bu$rnkBtZrc>!7L3b4_K?>psII@EN3Z%AgY$iP*99~ zaqgZdpFW1CbX+%%1g+8<=HXhpd#gZVjAJBn*x{DUJKz8;86u|yAq)5Sq5C?(l$a}^ zY*Ld~h!YTI*5|I6CWXtS$WND{;6>sOpSSV0LJhO%@_1}?1J>j18i{J09x?#LT(|UYNogAkO1@+> zqNCK=Z40;~;HXoH813Nx`gUGRK1XTh3pvhE0v^uUQbc+{!*NW4L+^}HyAlY5CafSW zp`FabAL_H_xM=IxEa0;O4--TH2`&+I;Q}{Rc7*%9 zZh1)n87q$b+86(GT%l(`(uQbV){*-E{6Yx4*ADGx38SU*7N~nCjANY6iH(G^@y8lVZT>^R0WU-Z7?GqFr5%`}ZDBxZ{zaGXTEUfZB z_ZrB+FrL02r2st6XEDWr;4d+mdhA&569v|W)N%N>9-oB;5MRr8zXT*fH%H>zVn@gb z@7a|2SHlKA5Uo|$)Z+XftxY}aaaGch^8fsz_pHYs{fc(VR3zeoyPHK^R%^M>y@SgE zq=AwysI^^}vO~5W8y+3`{=EeS1G*sUMsWnTvi~C&^aQB(CYSjH$bbQp7I@4+fWDD9 z;j;5l03VqQH1TB%`X7y)q5?AInZZ>2#Ko_AunXLVkgvDc{;NVz7@=S?zg*=@;ZPvV z;qE!A>2We_q^~Nz;QfkmOJc@@RLLSOHqgcOU-im!zyWVCk`0LQerH`jH+YEXo@SfT z)r8$7e*d?Xii08!2m-d%ru{Gk_Fb1#zO`h&Ssey}Xn~yqY}S6he`?(TMhvP*Hpyo> zrzotIxg`w^_jxB!(ii{im}DZvh2PNBcqF zqzejyoyK4V;>JIk;nC0ZwngN;1@&`b4ZQh1tP4!L1n3)}#WO~STMeTV zoT?;CSS<+i|LN+=!=YT;IOQahEz+?}W1BHbj&4! zt#dGE$yFl1tBfYceplt`W_ zFqgTzhF!Ws9gEjcbIPD#cGhVWU561Tp| zpGzPlDl6iI5o9`-B)ylbe0BN>lhA_p+6W!;uz2v?$=@gIOL;t5XVYcWZVD1!c`&2$ z?PP}~u+K8xCHu%xK|u?R2&9}T6bRHJrBDBv5%?JhwZ9*dFakUNr!KYOrz2TC%vF~V z<~=#f_w>|x!Omd~lV$5BoHAhSgcLjJJC%~e*!}|QZ@nA;IEz_3jM7SSn_FtJFoxqS*tQ=&+!3=n;`G6E$UY_l#gqz(cey8S&7#+=7DrUSWH#Tx|=4(0i{cgZ71 zcCl-bXf$MTY32?8rSQX@WplBUG|zw4gPAXoJ@dgRFi;mk+A>6GB083327bE{Eoy4< z&urc8w!_w$S3Gl)YG5Op9=POqIZH9a-6c}nNa2^~Rgk2UN2)TPR(($Z(Uc3Am9ryX z&a=JPo_o`x!x;J|QJv7oW0GCzA-V1M50EzGAiKAnrW{)g`pKJPkAHtW8PPk0W|NoqmN zH6`r_tkhv&=W)ZvCX1GUurb`BIYG;=XNmT@_xWNFT2YZ-PvNFp**0i1G`fval8M!) zwYmIq)-fNN0JV-UIwyqwr09S6AVH|`xgMp;dpz2$IOaI8_s4GKrqXfif=ebS60!p+ zm&vU3r0y5&z@}>R!g|U#6B$$`-aLF|vap^A_e%RPzUM3R(dYbI@{jgQk9o?Eyw_H1 z?tTnb_xq()d?#;uRTkV?zOGKnmCd>6fmOe9d}3{Gg#2Q?lu@L|TE>hmj+pSt@S($9 zj~OmDyS&efOoBSVGrQh!+l*l2l_)Q-_uCEX_y9(Q5lC>6@vsSd!WN-8IN8xk?Rn)F z0^UTm#T%?{bc%$x)8Tfn)LDr&l~toP5+Qhc6))>2jv3rLDt;5(l3V^P7HdAsyMbuT zp%h)MzV460#wj3lf`heu1<$4wIfW-?I8_0*;W@*;o*#_6(rN_dcAgQ}#~Qs9CVKD@ zvD?)h^S;O7LkPx`Bg**twZFanf_nn^I%j`a=s#H8Boz9qdB2%jV!ZLUQeKci`8kQE zzaRnWyw8oA=EbZghI$^mW6Q8BK9DbZVZuK_)vcbqIqn<5@a}A-?j%1n8@$~zaLTX9 zF0=pXY1@}A+8L6vUI$1Ki#^1x0uaW^vJ}4d(y-_i!cOrLnl08TYnNWO0-?qQ;@LC% z8AgV3BBh?AF}bXuZ98y5|1ptyQPrpZtgf|;P%>YD0`-c;DV<+f?)xNw;8YVDMBT-8 zBvO%+;o~aCubWGj`_ezn4|T=afIB5D6;vwH-=2=Mu#EYL!4$$g4F*GJH5M+8rY!E+ z2q@2h88B%jcAkbvL5M+ZG(2I;G;jyiW_vn%Ud6_a(hRATO`sL-PhMl-j`a$-uzgzy z`k6jV)2rm#&7`b>tg@ipBiif5qZ?pZWD;Ab+@_29y>a9f`#MxiDuOA|vYaGSf|tT! zhg-3E8qtH!%N?k;BDPs@*KAo`V3#Nk=*5Y;ouOT$Fiun8{x{-7+f`Q}uRjwDvfJpg zUgoxZ7n8E7j`c~X_;~xNT#F-+bD+}wqr`^9>dU%%KJ)zSQUfR`u4ZQ-yWj4pO7t2M-asCS|wFpBn*<;FZP>#F)9OG!4IH^^a-gwYNeck+A~F$gKpM(uXX&{x=?aVTZ2JX diff --git a/versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP5/shared_advanced.drawio b/versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP5/shared_advanced.drawio deleted file mode 100644 index 6f96eca0..00000000 --- a/versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP5/shared_advanced.drawio +++ /dev/null @@ -1,187 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - \ No newline at end of file diff --git a/versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP5/shared_advanced.png b/versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP5/shared_advanced.png deleted file mode 100644 index da9899157d390e82e60b50211bfff24637e8dfb2..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 90372 zcmeFZ1zc45`ae#mNR5b~fG9Xh$k1I5N~s_z zp@@`p`2P$uqZqq)@4epr?e~AL>&u;U&Ybu>@qXSLzkm2CqP@GhfJB@>b z55d8~lO!Pmd)OLOJaKSzJ3QodJsf?k?HsId*!WJMKe6%h*gCs=u<^;U@q#}hRw8D? zB3y#zfUsZGYbnrE||Hnpg9kZfUu>72>2Q}$I;o+&f3n(5_298FAo)V8ggvmKF|;+#*|XnA>P={l-u3&EXzw3UTSPN5g&W##5>2QIZOI~X6gAh!VO0G~XNuBDxs zjhmSxxRM=4NM}rZHMvf?o;7nam*Lg)^yaZrP(@$I$qYQ|_C?@8PF&#mF&A<4QFJqN zu~h|&a{yPe^ugW=wG`A-TKb~*2#ai=#LHvjhP~a69h!E2nCruU=uzj{c-mQ7xnr(| z-sR!!?BHSN^6gFwXD25huW!C+=H}+?{q5JRogFZX#N5>dtmB)LP&+g&%p88)t7B*B zVT)OX0Os*f-&V4+v$4hA8ODP-;%J8bGG>Rnt(m2>H~ReTUE9)kb9M%&%5Piw2`dMb z@UU`0pQrFUN54G3+ZTKN;}bB7@G^7o#H>x#%)-{r3D_P=(C!|-*fqO3dpcQedkpXn zS#MiA4=YUpRI?Z1K2|O1#nV_6V49KZrdy4vlOrrw&Vx<-GS}eTkSX^ z%xlgkCEXMiy~WiIIIiLwJ()B!H{Z7+}kUl4Wyc!NELy@<1m2k>RHFZTma zjK1Et_W-+h-1py6v89>2?Y23f^!@vK{mv5PWfTiD zk#|^!;PxM|{})&XOyvKadGP;W9-6km(k;QNwNER6e}P*69bJ4Uk(xaEOPSR{$K^-qzc; zM9hX93RO^0w|z(swMf(!`ZhnoDGxI@8!O^?Uu z2Qv>lFAP9qaPenwg}DRV*=`$2u&9Yu3`S93fDwBMcV|yG3oFc7K&)S)%l8+;!Y5Ya z*lp~E&@%YpLfh#11+TXsa(mYw0IJZh)34A!rC%!_I}fy7Y@Y_UP*$;R2jKHpqd;w7 zZQ>g!{5i1wuGyevk2V`j6#4sF5-&DZ{=1gMDRYM!N`t#IDWSjZ(@?iCfRlp8_;{OSC!U79c zPyY&a!enGSkQ}QK0CfLHHS!;%F}ytAs|vII4^)K>#Q%<}K+5}l)cucS3uacr))v69 zzx6aWUOqt!VJma%Ut{t@fN*ZF24nNQSbn%ekl6UPGbm#r@ZS<724{8{{nvcqI{^9? z2>!{u>o1X{0PI^yeqq{wg(QE>yx?wjUS=Ms@(P+;V<_7WO#l0fR8aUIi}XLnt+DFd zVVysO#Xn1~|0(W;zRORz^-hw61)-fR35KzPzX{>~UVC4l1&bMfmT(L4eQO51*dUC( z(61xhFiaTv1xg3_{3V^@0X0Qz3ib1Z3QM?AWdzh`JrvzWpY^+h`_CB)24w%nh9V^L zoqn+~2&>;eYbe6Jus`6_yx;S*UuZTzCgOm;q5cEX|3Av!e%HGGJf9YVVQ4Kjqrqxm zM@Yo_@=kJr{Tf#P{|cdo{g^v{34}Zt<^12J*1teG0>a-?=%4WwVT}HED(9C_=pWM^ z^on-SlRu8F02ER6iGKzzx6ydJsDZ`e9UzM;gncb*Y;U2A_DkgpZsleN3hk&2_Kyo- zJA*U^*1myW3>^PWVl*GNC4=?Qe-(Q9u(>k!LRi1X`tYvE%EQ~)%^u_=C$a6HuMHur=D?#X zU>s)$8vLUI6iAD|G|_fep}_txeSlwCiuwfr4CCQNx0=5coOrRB_6|M4_%SfOQ&GPn z`$lE`;P1}n!PlJei>AJB+hHOnN=exI{y(RsFU5=RwS-O5|7KbOy|?eQ1mnX{i@!um zKW6qnL`n-!H?J=}$Q@zR!okel-40bk+EKUtUBmsGL?nUla{e#Hc5EQ|v&q2s^_U+n z^g9s=bj!?qfnQ+n=Ynb@xueAP^S+XRz<1dT#)-f7%+Xi;+VJ`3dO%n=+Y#=ZoWb*{ z$!PruqCf7@-2NVqoi#Yc$qdz*^Kb)04q%i5OwaIu!3%T))(H#E|G?pSJW%(>Vl~D% z{}2KGyg$2Hf$qMU`Sz#stW)g5R>@FIKbD z*|9La6Oys~2WvL}O3uRjV;cE`v;Wk;-GME8{85|NQUQ#jVEFR(moeMej@}nqj43@} zdG%LHjH*Il8S(F8$WHRhi$Tf13$9>eCWaHi1Tal7tit{*t_Whu)bCyBcW?znOfU(C zovQhY27l20#for;>th|<-NkI%f4@v7VJBfM(DO#92^lvVb0`SZ;4f;}ZpWvisGX>e z84s#O!)0yeXy*V{gE|LX-^|fv`yd}EyMfSQ<=|z7YS{g7?7Ra8 zAW%1Oa&~h>&FAbq?2Va2LLKKvKj`+;Iar}4W4ORtE$p1YAm2~UNAW@~48))gW7>?^ z%WogH0~1@Qxkc1*o*j?2ebB?r%*ovvJQViwsG%>+!vV5t`R(0zo^EbtVQ;ftMCbZW z=)3{|L@;9i?($wR!=7d3(V1zX*B1CCV^?pJc_@I@GU5UhIU@4r275 z7{RcDf!dJ}u>WtPBd95f2nz9;{i1j4H1=+u`p$Lh5 zr(Y~`{;`F6q2hJe2%RKFX>|9pW-Pzbz@jJ^(*0b#4MJ3Qz=)}+O{<_<0W z5Dfo+*8T%;q3rkrm;j0lU}P`wecA5M@|W*3gC8#RJAvq*Zw7uBM+MP!#$VM8}Ne}w)F2!A@gJE41bfnNC2BzVlkcnU#?Mq7aaJ7 z!2H>cKWO;E2I}8I84ykX+14Odpx;=>|0>oyTZ{jzSffWFv1IMPyg<$WGv4-}Y7O%L zSPlGvx9tG$|C-j|cW5d2hiLg{$(`W$FN6N^Wq%S$|=ZkpJH(g!6Z8*h{4O2-+H&~ks?X@~@DJYl#6%S|f?+xie=lbJ z<=sq-#`&=0>sSi>XF*-yyTT+*ED8Z&?|0gmX^f=~E<`lOFE&n&?_>blsvGb3pvDB{%kO6(L9KWD_YJTU z>Dw>dVhYndUUp_XrXvAHq9gCuft?@E{u-sfI~%zE_h)1GfZP3d3|eCQy;uOiR=9Qm z0PJU#Fzh}oYX2*(3VuvY^(P2`a;tAfTd_v6?Qj3cf}EVWtb8zowA-&km^*_XrUXC8 z34XQE0`)_J?qK5&-<;t3?!5_M59mkwoxxl1zJ&|w2h70lA2|T?1r*_DU5p(Q3@$s~ zJH?!|<5g75Fz65M3|^iehy>>4l`jM6Uw$u=|GQs3`q>;8w(P#M#`%4R_+Qa1){6e8 z*==+9#hMl1!7yMf7sHBsr_=r-)dIu+`g5&dFVNe|Ai`X8lN&>Utg`iOLgBcMUHN4vqAtdO( z!mJl1{Fj*HnWfTRX;__^_s4tnz(&eLLe{Aonmt?5jh)^kVb<`N;Zu-mD)v38c{DIR+E2JW_Vfo2JRXu zI4Y$_LU96hsvHXosS=#v?R{TCTT-%i;de)=FCsgbw(t6H-@O5WFN4G!&y^iIKi(GIYwS;<7`MM}c`!I$z`kb)+*Pjcp`+_aBk9IMyVPV~ z$?;=n?m|e9(@uN7?;?E^&-`dG_;YNUgny>(^Gv8wIltG({>Z7`{4BXhniX(L+eEQ_ zZ*#oVR)k6L<{srl&bkwn5)dn9-}$#PV^6PK;xUu${2X^ctfR``+v8)uNapAMGIz!n z{6|eC>-$Hm1J`-1o4Mjnrs>7JIP(n4%-?HVu3Z0Ep^yZ(eA}MROu;BfKv+BZJWG`sJflF~DRuEVxyyl- zv-RZk!Y(XlyKb8`KK}HsbEW|P5|L?A6Qq>Pf5$Fm)TqSiz%A7jx|8sN+|BjnQE+4H z{n={QWvc^L3(j^QvusQ5ZWXb4mTKF5cMq@4vzUY<>d9pk4E!YiOCRchv1r`4Jh@-O zkN+8+A%gW;$K7F;Lo71XmgINep*?TqvUDn0)Z$d{A)|5+dJ(t7r*Em)?SAv>zSW5b z)@`ka)BQh+&}v>3bbK9gvQxCcZS0h0{Mc2KAei%(=FL-KWP6UWXk^NbhqTw96E})n z;bZENT764vu`l9o{QOvp#q{gq$4Rg(MFhe;+qlZF*&Jq8PrzwhDf}DqWs#lc`Nu=z zwxParO?%t+>j@J-b9~=*=Mn+oBPCdaIeBcUzAI@|DQk|`xmci=g52BV7`-UtxgLZ1 zAl0sm7E?pw#pg-X(j^bPD^M4@5ihw$V)gVg%$-T#ETnpMoKbxBZNhk4wf*W$&1d*S z2R$AlbATI4za5UGh8R3_kV)pZYsF2&?S^pYArOJH*RC4-J=s4i!lcd#@yN*(+e6s2 zGB-N6wLYUr193>mgL8V!+$SXDqUPk#zQ?o4i__OFJIrvIOJ=wwH?LZb#Sf1L^7;VE zcu@9}8lq0vWDzexG~mA1up%eZ7jKSb47X}Ylz-pXJ@(ERff&u0 zqIq-QHp6tkVkjPA%*DsQu|-F=4NVj^TRy&sYtx=qbqH#Js9$Y9qe?x?4gk#gg_Z&O z@iG)@vk?gGaIfjt*QBk9#QAn-7?!zRO6rq&MZ9}IPA<)^r`D|mxr7y7)4b*g*F6x5 zGk3LQiqCczc+VIYFi|e-+K9VLsUzb$HzH3vQ;T#ZqpR>a2BqIKb|yXq6eSi6Fn_y?s~fI*Vv+<--GWBUq6s4y+0 zI;nsQ$F>Y!mJnhNE#i=?knaa}SWF3ITK6|nmXt%+e z1cryp1(kKkH5WG`jiNuK8Ainh?vY8JZ-n~S3U#qo~;ph z9)XDq;lSR8?wyHIJSIbJVR@G-6X2q($FP7SI;`ZQ!U&ndX9qb%y;QG!*1QyWx~&p+ zhD+P=OnQhaq7X?h>H$qsN4(1QHR4#17Urs4EB0G_&t7Ka(C5b7a8vmzJV%==!7xtb z;EGVbr)nbSwXEUS7O{Erz%pk0oNKO4*;Z-zY;xvzS$Vl+%OmQKigc3;fE#5z97)bc z2TmbUVLAwxeo?8#{#I%fXvRO%xvO>5q3>ba=)`r&Bt9Fp4}B%=hnw9`L+R@4>kC|l z>uqz6>lWbj<{6#ixSBNY!uznI`x0_iP@{P7J+MlIrj~WCL%2cn5?g7xzP-NFR`>|ps zx!tzg)cW1WHx*ej=ZJ1=-TBSVzBLJ!BpE15$EANB#DZ%7_JW^XU`JsvlR0hp4h{o%}+YvxBM~o#ZBduM(>AV=G}MCm?Fv*nFArj zluZ05KLQ}PxUUz_B=K5&d1W*{1?Fxn=JkPRRKo8Qw0di8O3D6#&zyOu5bf)*@NmXx zB@ks|OV>7+2Q{)3DER2ui?g8Dgq+h>`GU6sI@PZ6T6NR}e^zqzn(V0SGIOiB-Tdy! zIMDj}-_odYr4h0f+kq9BODZjp5?m=@>6MMrRqpE|8}lsA9k;HFD!>*EKy8Dqy&?;Nd>e${-@4Lxos+O6s(0#8H0(n#J*`R#9>O8>v zLm=%$mwQglHZwZY&uxT;{a>560 zeB{DYnm0d2{mKoHS*3JZmhU2EQ~ZoGjb3O_6(MLwvdD}N%+y@)-{yd zyY7V)Db02`)s)S2-Jv~o85(+B%$vbgBi~r!5RT7E8q9)dlK09HbtZSyeC^!i!n2KX z@OvgT0}*@Z{5c`)5X${hO(eMoJ+4IELF!g`aq(KW(%(cP1#Y;GHX}Lc$aCo%!YPFk znJP-jqEHW?`FjuFgd!^0=|Q5h@Q%O;=M5t+i1;UF;JdQ$*6U)urHZe{I@P6O4?{k* z&#*y7y*}8=;d34MkOg2<0UpCF#ROz2>C|5uI^9=dvGn1Uf=VeFUEkO{Cpxln7S%Ly z5m|VuuxoupNPhL&vHGwayUtr6!f_ocLY5|~rU>pclO>OJ%rNb{qnWJ$D3$7v2p2zu zW4{m~;XVyZc^yN-uytWaSMU6=tH{#52R97~oMKeq(U9;md z-4&J-hS15L=aLM=$BzPx$IkH93Q=&+J-z0;wLa%`jD4FLck?KOgu94AQ`#4r4_6yy zGt!P8qrW=L4W<9^roik(2ckZx+~XZW)bqVuYilHOC?z;9Os3ak$~^r;_(x^PX$T=? zx5kyW6rmIx7c$Cc?Q{?b1=teGM6iAUcFf+9(gWc&GbC=Jn<}LvCEHAn3Yj5Mg0I9C z`_Z5yk0c%wY1B}Pmu;&Ow|Yk5vt+9eAT%|mW$0rlwGjYtnaZW#i(9DuLx1tXId-U_ zyMRxMNWN)tLaT^l3h6>x;F6xZgp-5v$NsXm;?maA=@wR*VddBFIWD5Ip85B7AJFQW zQ)NLCGyxf@)>ruNaV8-fk0T)`=hLgR&=ek@Nb^@iunJP0(IFT~0ugmTzBWe7GOD#l z5Qry3l7K5FoX-Pr&(6Wm1=;ZHyrsGVl8nNjO}~Ec!9d%t+tl19)edO~0G%@qn3MPT z@bbC1`*`cV1j{_lY&GGajZ)uRfacsjeUnT(&(Q9-hOx(&@WmUi9yb}V{N%;uyD%>B zzD*~AI?&~#(VSKxof$A%-Qn#@+k{VT!vXFShlAf zXuWV9-OC`qy+2j`jk1X3K^aiPF94-gWYNyw~Uxmt5Z!%P7^{6KEOi?r10>s$K=xUxi0T`UcQ3BBc0$-c00H*A{fnah@%ST5v(M18k%UMjS#|< zq=o>nY64k#tj}$o{Io){Sr_#jLdyO_igEmjI8iwI_|MX%;y-V#w{NrwtwSJ$+|&!yDz;pthuDMiuRy+3JJO2cBIQYZE>SwVkHt zF%2n{YcODeLULpF#GxRloGrD8=ljd=u8zJgbf)3t=g@rSK zzwEJFq@4u(1uu|LAZVMvgsvPOqLry5WfJuuX}Nm*5nv8&8I{tZc;mCzMLo~Dmj=JR zq!^Rap)R#~9t4eHK)DFRBDkO+7MT%{Hq|GnOGawv>dU)iO?83@aNr=+XT|0NzIo^oLV1}Z>DYVi1;Zee`{ zW4Ww$MIYNWC`(DH17iZpr!TF zN68|Uj+>7+UD|~<_wicte3Tczyb${t*sv8RF{(?1-)yF`CZ#;hSFje+0Rbc7j@FiV0aK(t~7!h%7%ModPk zFDI-zYfG{1D zMk1(nt0S^5A|px$IXw59qAbCoj^7Z?WNTP~B@F9;45v;Be!j!p{%#>FNC-Fr?s9G? zYE&aA=IetGplxpC>{(-wEexMYJ*$E)^fUs9CzwMh|CI+XlK>Ffd^Gwf-e&g|5dd(T zZwoCRRq_r3R+DAjmV9LM8uNrdsy>!+zdAXaL>TqRms8(IV(Md))U(O*w*bKo1{h+& z6EfS;aC=|0v(=P&!^YLg!E>m!q4GGjkDlofD##Nmv_kc@oh1(;HA+<6eFP;nT_ed z_~;Mo9BI#(I!Qh2jY^NIWf{^jq-BLNRF{;jT$F-YGGIB3eDB-$Z>8+-UW$;uhYFSq z84PGgpbEWsa7Y*axcjK(QUp5#0w_t=<+*?r=9yfSY73DUa}rLB+-1kZMfng8-N_RW zO#M#k;E)nrH&4x<+prY=Qhhwb3=}+kE`eq3HM@HhyDT?67#+mTlWhJ##=A%y98xkz ze9R##Ty@e$T{z&S*|v+RBm~?5-)oJ;Vhy*ALYg2zl|=!8$WsFV*uOB9U-Pv4NiWCE zExFoo@R$K421Zy_gwW1zuc1~)zhQ4EJxCoRa5*K8VI+1?t=2;3piVZ`;L+qDC6s#Z zjP+Qe%XV@s+9)nGJUr~-`Fb7T)1Ig^&M1?mqC(lX`89qe%)`!-<1ItLI_9H2U$Ds4 zW}_Y<%HTTo5u|BLv$xeUc0kN)7cLc32VeIPxQ949uo~Dg2`Khq)Q3P7Bu_0%F@C^* zYs0rpG;BkgIs}e#mQy*oW#|k&Liz)V90&C6dx%)UT`s&(6(ISGI_egCF_IsoiO>d0 zds0H4F(6l)jv`2%XKgt#{BCHFAQJ*f%;~&3(Vl*Maeo~Gudr2O z6%sibV6=Yg(NwtSurpA#^-aMtaj3lYN*%^VkE~=cZO#p?GNnN#)9u`+` zynEoxZX>)3%CzQ>&OzY2Z@7@xFhUI>InN802saL#X*ELBi|y}@`f`5~g2UiYh@oH& zLlHrk30F7~x?s0m4y$IP8bo9U75}zk{n_}i%Eb;9an;w4I!fhr?I|$aM>P^LX2X2qY08EYP#J0+%kI1#4~T;sOa-A}C{b8^oxe|i zkZFsk?Y&NY#M}e;UBjCs2qEVIx%%^@u5D*)? znd--jOgLQksE?A>?!~%_kvgG#AG^Twa!qIP^qPW4fdf-@j6zPPbswJ4K$h`trhkze zz@J75++bSBlG$~{L5B|d%8OiVuRY#}UDIqfUEk7#{w9X69dMsqz=Zp}qseB3qUKH5 z#S2SQ2+JqGWf=^b(Zi5pfBhzh-~+~*aJEM2SNpojEO6E96G zj5MB{^;=l7?YJRet-=%=nMHiiXf4L4(8G6QCOFu<_44YipeC9!jp|dX9u$mtQ8(+= zvl}iPuWrhp2&yxX=o@*_M6TpF7&yrw2(fCZL6mhq8m`C+cX`_pbUEk_8I$T2kYA^+ zj~(d>zInJ=<$63`m~!LhE!Qa-ITE+k(EAf_095Pg_~zRV}wnQY7QM$NvqgD5xlz3;=)qhT?+r!h2mp$GAU|R z8aEXrc9Bh;f5dCaPe(=;H#@vpVADhPzAC<)#eP-Msa zLNf8-Z(-&u25)B9Z<5nX*fDLD29OH0>}@Xc<+wEUY65<<%blK1lJ?H&Y?;pTJ%x75 zFvIc{Mty<1*5jq7W9$LmZ(01j&PJU{|0sXuwD0q3dy~r34pW${eNVBA@1EQ%FiKmaOb@xxeJbN*j?kfd;?)C2G>~fcye$ka4RI3yw(iLR!DSnI zqRwVavXX!tT9R^`#7XYWkBNMch=f1?4f@GLv{iRS<9y3SF6cw&RfvJ$y{4`*4wsdo zpvqVGB?W`#4!mq03^o#A4ZRs0|M2n33T^ZKp<~d==F4mbyNlj;bc&aFj*7OXiT3QD zH6rJN%&0Jgd0!2TI%z>P+IojpLAbPB{0i6Q1EaT&%MJvDsdQ_c^B>+?*F;(@m#`8L z8l|0@Xph=6Ra2|u?={jPWMbBGK|pu)i4&(DKe>(CX2bu3W=nFBG7yt-(rih!hD~FY?19 zUhz1(>GF)AQEehZ!loC+>4)5VK8*Vtz&on$7!L1$={swqlFmaD!+~6<8r+I!=pvWe zFLieJm{ht*m_pm@45O>nsPYSehsG&0Qpz6n>+D?GLFGsEW#&NInQ=O@pI*uW))Q24 zm=&60;Ws&~cu`oxT=S|c!*%qBd8z=k9OD9^yYD(o+xh_N(l^(3B+E4wWVqQ9FVnwt{d^GE61#M_kqqy(|B77%*RO`ci-w zIrh<6G{?X`9<1_TZhreDq0ODk;9(=6(6gYHXa-1mX~3%6jhVrqb;kumkHt4qHq7UU zD0oMoT{=XpmL_i3_$&k$pNfv|0$43AsPbM#Mnt#0HA@NQgbt)j;io(5#m~eaXv!9g zOWMarHxjlX-*L}T$K67!Lg;LUTe0ZmfU_|DRINes%HplX9GKMys?m|lBca5FmUSwJ zPbNe1d+cc&)Dvc1fXYfl^1c1?EgCN)2CxgR?VK*QcRLRoTcP_Y?aG`;`A z-F(5?=O;|ET&J%Vx-NU`R*h7N5rhRgeh{NoG=F515@Vnp;6r%|?z7Tz>k$UiYWETt z5;lQqTI>}hXm#n<1WE8(J`Q=;nQgH;KQ>PFtYic9ACJt!ArYwc82@YhnHRbJ)io?3Fq8yzMp(kRu<`BI#X>q*-;r+CJ>o-qVq^h?bDm& zE}J!$Ko4_DBrWyg(jbjGVKT#4H&7WCg{beJ@5)Yyj71`$n{InP9T4v^6i_a? zA=3FMLwTmor^=VuqHQSl^ofBqYfi6K_Z#($xnfzG@wm78EEFlnxkzLModwsVV3TBk5n%eNhMO3sUu#5yZXYLsR)$E&!W8HsvZyBWCxK#b zBDc|50y$7KDX{BgKLoY4LbZ&ED487Izfp!4IS(>rDa7&;Cxa5c`HLGTt+f>6ndEP& zT$>$@mts(st@2xB4OEBK(ijCUw=??;;abG5fMJ4GdXZ{S*n&E@%t|2ir@L){BNlB8eennQS~%&dLgIO)qV2hQZ~Z})6HYJVGOxnPgj{_91cCRYW4D$sR$^DGLgb=vpAx~_rmwKXw`;LmyDj*RZHK%l@O~6 z%_62`vAER=msT9oR5`C6R!=Ir;ezK`!~FyGukI`H|RPqAXZnUX(5$# zUT|IFw~wzdQi`v*9F}>G^gCLqTQ08eIT^{t*ki6V`0QonL}^)dck#-6nM8$TLj~Uv z^QWm}J~us#yL@xY%3d!nI5KwJk(c-&>OuD;VbJ-4_k6g8?VD2eybWJH1Zz_8JANTd z5*vZQnK?a8Im8~q*fUtTDf)2H=n?f(M_8YpzI|IBuF@{kN;Xbzdm;Q#cBtCsio}Z> zfvuJ~ThqM@)QFLhFcXbDm)#%MKjP7_jq~CI5*<-cXQ6T1_DRIerA7BqMGEO;kNAwB ztVG?pE%C0qgZ$aMT+}TNXh?evh{8Q)*9}ZJ z;~J>#`>OREFCR02-4Ck|Z@(G9FMvu;6jW1bVYg=D_7gnn_Er*pT4~r6pf;>|!^f`c z_PS_LjmJSA!mzy9?wX@ttY1c92p1>jQYl`D_b8u}EE^dfSddn&*xnSdmT8{}w{{i;3L3(`o^sEc|@ILWsS)9`Ey`L!^{$rKM+XsqDLQ2D`^)%1|J`0Ci3gV- z0{RzhBO=ZL&z8UxPBf_NjsQM3*^z;NDv>jiLnjXj>hmujIx@b$aL&`NY7^-Q}*J%_sjrl%+8nlVfuqM5Lm9cj)Pv)5%o0w5$oCz zT+sJwNDtnM+}d0RrQ#2}yK7H?@{IiL8JsqgZN1dakb-7(Q}o^}z|AMSbN2S+o5X`A zttl9R(5((A6S=&Q`#F)zfG1$Z1&o3bqdJf6^AqAPQ4@gm^RvF@$1n&y zEj_$A-M2S^U6t3;e0>$4Qrz?&_2-R+_~eJ`v?o1M4SYzMxptYL zKTPhlJ;`3&8%vumU0JB_G)jSj+lmQ(EP5P;#f5~E7)~MmTkSr#$MGIi&bKIh$?#b4 zT$NBxK77}18v{a-hp4WHjnIT>$p{&!Dxn@)91LL%;~th^#jpY=0?3IBu7jv8Irz`wBa@$L9O^ke)ZSdC8~T` z3q(q=f_HWWeM!u}ROz5_Jd#koMu(|Qqt}mf1Qd#g$Zrp$YjXs|p}U6-oCqJOR7yoZ zF>0Bt90|M^r{5*%dA{xVv8J(^OF=T5=8*y<=(FKRYR~CsUpRh2^n%#9)LhlHix^2P z!7N9J%hhlW99v2xWrzfhnt_z^E>nt-XFbb%aSXlgc<+%mE>TM7dgyk}EEhkQx(b-m_0^HhzI0?Du_<~ajYDK4bs$SEO-I*zr zh0reX?ZXKeov$*wLOfr?iMvp`c(AD!7bgs7gWNPvjtwYuG__HB- zh|Dxk9xG3UY+r{fhR3=QzzGlU|FV|EGikt z_GSTL6AO-1d85gVqW%;Id&PaqD*T>ypX_reK-DyT0omPDRSHJH5-f3Um5KW>?hLAPojn+wzn6E~mh zcx}E{pXX(>w|0Th)ZPVYcn6IPIUyIr7?;jb?Hv4&`mi~Ak0!qZ(iAwKh2OLRdwSC3 zECK9kEPnt45w%AMJmArVNF;~42u_VIv9;h3H`JCQiIOFKQDHz63@mwc2t=48xaCab zVX`{pgcgVC`(&nY@pHU!p(G)R2x8n++=8cW@~@o&C5URBa9-hdyood)If!%OUOsby zlY@CG(WrD#N%N3X#!#E~E~4xdh&*{2+>j>-p-r#vP9LF4PIm6efxXk3k0wWoGYRA? zM|38zF3E@|db>#%egoH~#}B{#M6ebDk=|Bd8156BlZ_Zj?PeN<`YcZMIc24gBB3Fv zi2|XaeGR$x#^L%p59amtjAx$a7@6R8)RXNuu{7eSppzDwVm}g>uJe?4+#=GGmUi^G zty!u08=@wg$@0dO8&FZ7MNUGB{NkJBwCPqENl17`OBalT=zQ<^i#^f3)33uuZTeux zUT4GV$AlouIPGk$WSYX+~wYmEL2>$0~Z=hRdohk*qhhdPPI1KAAiSMFFWW^?l#*)zjlYu zuD6|=Yhi0cTjP_QH|^S`iosE5DTXsWChGSI`8asjN4qojADLOVq2VRUo)#QGpk>?adMwA-eHv_s%z;_TiNtX8MSFQ^MLY_2a zn%Bzdf5M*#-PkiVG`(f0r58MNg-bZWQyv;d_SyMaN&x-Er@Nk1u7(q@Cgx31!G*DnXK8v$ld(NYx#>i=)(r&k_E2``t<*-r0m=bt4 zet-^=J}qUpdv#;0GhRwMotvxBthZ#`lxglmEMsl1!OB8=i_+?3758LRvN~wKwH^Gt zy75s2FKYr!cTGK>T}hbi37^q$x>}RBMJc~v*{GPZG(5qVJ*(aBbxH1-x8m+h--cuK z!fw3AcXiuHq9%im8~J-p)D6BGcJ^!lb!M|A^MMQd*I8w#{V$xAK@+{RcpEi>_!84P zrme4AhBTRe^F0@rgES=y)ZvG$2(apA0C)13@vd#f+p5C~f( zO3JU@?Q?T1Jo9|Xw2z^=JG`Q=&T6TvkeV)P@BN!{pvA@G{*>NfFqjP0{@N@rsdEPX z(kRH$4(FEyZ#i@!Y$lIm2swn3g$k!64Wm9DNH!fTj8;n92x`49xm)VGNLbK`M`n#7 zA78FKQ7rXbU?M|AJUI%sTH6t1bdgif&0|W8^XaCrzn?IB9MgG^ zcYK+saunzwsxV6JXXZ4pf&)< zl7-|mzAKlT!f`GbRuwHOP`O`ibHPGKhl71{MB;O$WI~u@$NW&xZ2Yknp8TaE6XzE+ zGEPUh=9;F&r%(60QH;L%3_I3FoL}CZbEccVyO4QF3l3?$LRZXK9SRU3`NZkitK>+t z1i{;Vw+VMMtMC3H;t$<=YzB)I?#P^>z6E&$B)&LAbTarc=5V+R9^N z!z@}mB%8U;J9gjIC2$m7RJg*hco@1r*W6SqN?B&^)Vs>b)gGut@omkU!U{1dkx#p) z>buA8$Tu9jt(Cj`Yk_ZPK^4Ks0o^XJV6sO*U1IyVy zwWV+O95rT$HSmZj!YLXloQ7#mWSLSk2!-DAQs)&v@~B801k{t2J_2kr6E-UNxqCh~8Nq#i<4SUbT|o3+IIYDa z9m1^#q3~$erwqwpsKJzxaxDE{HDmjGL*H)EU@4K}p{IgE}#1fT!>w_Lohdk0> zk9wED4L{FF1yuTp5H0)CGI|GxFVv*UPe;kS3^g)aI|FWJHPcp?NMR52{7AN6vXt5R z;XUX6IM5E>Gacly2Lh^aEXoh}+jeJU?|ar0JJmY#7;%NaR)Kr?(Ap>{hQb^^h^;L4 z>uEvfI3=ZA7>+XebdW?@FLGSV*W0S{YSUGH?fLGUU;aY+(>@sF`KEFClI6nC45Uef zP=5TL2#@0cnPt$iaGgXj?e(N=4r=0eb{~BQc5ecG>rO+bYv8DLJSO==8Jzz zkg;eacOZA)ai)d(bIRSxiyGBrCrq67GBuvQspcP!)Gc3fr=5IqLjU^HCRW0`TZ_GC zb}>j0`p%Clg65f7U6iWr0Ft*^)#Q9=m00HBMVHa7qK#3bQja;I7;LXt=F?Hz_8v-(h^p<0@7-0Le*$<=hN z$uZ9H0q07N4APZ+L1TWGQ`o?FiF}x?R-)32HeZ{(>X7{Y(!Z%q6T0j0`I| z3`@F}r&-c}47}*!Z$)n1iZ4$<`PrjJ-$i`S^EP+~SnZvq`U*Lb*kM_A7S@`}h8*-|GZYbG`O_)aBX`)5mOdO*b%+yIZvfp?ho-vNVIOp}2z*(fj5;lRUu#4#mrWvZj)dc^NK@A;xDHPPMI#Qyj-P z43E3!)SooTAUk#9!9%0A&#(&f}S8?W%Sj&sB2LP#N0y{6pug$YWcY;_};*hC1{#ADM1E#(n9%kr~-NG#n{4A+gb3 z1*bZ$b2o0_dWyxT8@`jzGa~2VjT3p%4b>J8)T`K_(4c)So#htCJw7%m_qgovF$E|%C%c*YlD8ltYrYDEF8rcBnqCyHcbzou5q?7O2-cM(4D1R0v zib_)Uh+U(^tALqh1LVz!uOX*`#~9^$$T0+eRWUns)dUH8Bzk zq(AFWyxz1Z^H{NyB-yD*9pC-v=-RSUV5p&Yc}WdRP%I(nltV6pqc0P_7Z34a_N(3 zCn8B&<>R++xI-eHum-K>c%#2L#6EkQjg{V^s9zH-2&3mNGzSw(vpHG(jC$ZScCxx(x@PUq#zRCS@quE{r-h_-}l6vnP=wA z%tITGcP8(84+UbJ=Tt|M(PZTxnCT$)imtaS`yzFm~{mCpSQ) z5qjdkmjI`Sb2}U~(A4x{=djPus8NfDixLB5WDKok{D|K<9<huhkHZ=Y4pERC!2{;v4z})TqhLa zq^C3Y-j%`rIvW%R|GNQkdbm2B##{k8_QeN%QkxU<4Chn|w;)p>l)8uu`8;ZjzsPt_ zUpl5*59xJ)Fo#T*Nt5_u-{KE4eE(f~N?xdCQ$(V;-dkNWY5gckBZ}24U)q!ZrFnNSQ zxN$_bEmfew*eeTm=l?8ZZx!^mF>+Z0h~Uo{xpyRUg>r=3XmPIu;snx;zzOCjwG?O+ zstHGdv=31w4~hnr!%ZO98_d(c+0@UkK#noC1zl(U#oUO{WEGhwe7K_60&G3o$-Vz> zgAq|vT@-Yo`)##ziIM4rZ>l$pV-KnzIS2Wzrh>jA<#~{=CX*4e5L%Pib6be2=_H{k zY`*R(s~;U49uH~4RY;^N0(I#rrdbIUkf06|c3XagC2rm5?F?K^Fez}W(9iDn-${vv z6ADsIu=L_+sRu8&H7{1Fw?2}Cq+`SD*C4exaqHEFO~>OQPlzCw9VfRPpDK7HTp-D= zhje?B22~WdkuMUU%^@A_#3TtZ5m}2;b|G$NFk4PUAz|G`h|1>|i)Mze5fE@uBxTO^ zpU<)lLDx72X7i3>Jw7_8O*5_-M)dT1L;TEei^(8oOE~$2zpjFsXnYlXh+DNZFU~5| zlMG_<(%2GTp$alJDAZD%Lu}28{tDq~8$<;YSc{0Zf<9V^D`)kA^D~Dn)Z}vSJNev%^+j!h1N(P-7!g0ef zwAgZ7o=aJ#S=RMMOO7qYi@w!O_S+P8(oW(fjFVn3pY#pTSu_MtQ#amkl%j&eC0Wgo z{j@wRH*{0t(b)QXsX@>vNBKhwoS`^A^Xxc&y#1Cg}8K(kN z?Ldc#u3^_b zfG<-vr-OwGM-5!-FxhmTQiT7Ld>)XYz^SFq)u=ou;32`X?8e>dZe=^}V+S$X>gSYJ z)TQrr;-A8=U3GK*)K!;%hYn8msv@7-I}$a%OyqVvRXGZ;8FT zCa*gT+!%Vck^e_%6}WIU%$GTDn8hmd*y+VH;&zQT^Pz7UK2`a+5A(0iYF>5@Ud{^58unG>P@+NwC|B zJ3A=g%y;jCK4a(37|%b4D8!`%NG70{3-#dwm4B>q}fsx__M{a*H7doMU` zlfb>^%cgJVM(DVy(S?wJ5RvE$-WHW{3T(f(PxF7<2W1a;6_S(?Y>I+r6h8(Rte=Ax z1yQeVj&7KI>G+ho{rS~2ouKK764ezLe4Il}W<0N*OFtr3 z!4M+&)IK1o-WbPP9Gy{LV9NmcCK15T7}?)+lQKplVNS9T~a*e?&4= zwYZR*Ywg#l!iICGgxm!+?8{EDRWSoJ>BXKzH{N4Ig1tIK)8Ugnrbye|qNJCsu@fW; zT97H6kA!Swy+PR@}Rhy-T z)*S~j_WHzH2dHe=K(e=P_DG{Cm|MPE-s{h7=X)XLn)0DuKBcV6UJK%6=dkQ2B^!`P zb4a$==Ho9-`F@WdJNE4V9OVG6)ETT=mN4a#7+wj$E!iN0$TiofJ-hWuFJP+U^8KIG z2$r0qO;VT3H4z-dXuV1CC$*5pv2VNG_g}fKSg?uJ9p8Ih;w^!ug5+chbu?U1xYWwJ zd)wOb^y|j5GAcmY(1R$U(ioFTHT>%dRONd8&jYOa%~tz&C&B~RQs0s^RT%V-s-I}f zCUH`Bz9L`bg!~k6iP&I5AhJw3s(nECG=9+(Z`#8|k^sa{dCb}wf^Y+RVNh@Lub~&L z)9%~k{bWTLBK&Ag16kAY>I7N%s|UR~amf74AZJO>*M=a*WY!Pvw@W`W2rKYia}XyP zSB2Ez7Qc_q${U>gXn`S7+2DncK;mu}WLpfOz>V_8uSUaPO`~;lOpwbs)?3s(V~o&Z z0kra@F)z*{t7*s)Q^w{FNBEH8T{8$-{fr4@kqlzG!g8k(^$x1gDsSq!Yi#a(!IsD4 zFfhyC2E)WOhPxQJ=KqpofQhlme4-T7{)}KThFd+h^IrCbvl#+$l+zixVnBQyyG2vl z|1J*>D{QeOmLnooP^Ro)OzxY!amTXRUdN(5xb&cZRLH*(g+gtkMjv`Mq3bB7?m!e+wIE5& z9v_>Pr8C8sZ}!O`HCHpfw~xKOrJ^{zGftwSs4#IAzgLcK%g1{~?t=sIgBGEcW{{)* z;R!x^5^=xxH*VkjA8y~q!8s1pQ{UdUCnfIgGxWN_#);;Gd^PjH1bUYHM#P3Re6qffsPD zsN~E^^C|X4icuUCTp7bX#|`*^U)5Rc$@)b`XzY!_(+mf%;&E#UHUzY?YRO*Mt%P1GGnB$q6enTquiO$4^n2Ctw z`|IyDh27wXei<7~X$l>Wjz76-IT{@@J((V#6&)*C`C+BJ*ol16d4s~vSsynWt5BLV z{#7Wz6BBC$$Ti`n`Zl^8CW9Mnc7u*10k?Df{-cslF-nSxRfEu%7=ZVF#^e)fnlc1H z9F`cvSdQ0+24QB3J1{h9R&g;S6+T%8m0vydwJgXW5SXlq4NMLXKN@%{Izvm+qLm22 zCl(Zyeb>01Iu>~qAH!%kxnDWbK}vGy)j^p3_E`dMPDGy{Rbyns2gzy*GR-fWc1>-k zgo_0ZCB?;cMdikeZEZp|(S{TqVqVOArW?ybh;LUL3$emf_+!l3tu$w4zPOEz&a`X| zrdsj^)C1*Vrb$hGzU|yZku^gptBsOg>Jpp(J`*?ocP50X7Zn?xadVNIAR~lW_~zMr zBiSk51mnGK-3h*OqbPJp|5X#H&4ZyS1hds2&;uolCs!$AN`{FqQXxaomU0QBpOtx z>^u>f`nVa`J@@_Jp7&}&1JF&iq2*yxpz>wyNkBH_JZw0UpJL5tujC-s;~=oI*$(k- zHa|e2qRp;OXoYZXYw*h^vgoAsDcZ$@l%!*A92a@W*uBYO%{;mO1k?JX30FCLr-0DT z)Yi$tE5vN<8s_SDwd@yVe|7?|J#<*lCsUO}#MEq+EeFC0$2yo0Fa5kOBIo&}1!{bE z$l9^{^vhDga_q{d=FS?USC$(1ov0{^n~5V=?T>|3F+E zJB}&G+RR`u6oiWzt^U~m-mu?p6Y2jxDa+QoY5~F(I>6o57Wo_PI8(#Io;-l1{#N>U z(&2VJ$(STM``}7UY$^E|b^@i}e{FsHb3^YbXe=Um+EzZr*9(`)mec8}q4yW=Y=~UTBI9Z``pU z^;X@!b?H{|kB3sZ^1rO_$P{YOAH8y&Dd4RR=t@iInv{10b*JC)hj~y83XxnJFvO$g5^Hs>j6>Vuwz}JnqrYAW0D%m5+^+Z`T9{w( z;9Sj5GIxd&$<9*H-cojCH%Onw@)AdY9=!I}C*S7lafZ_!4$pZ8&B~5VC0RwEvv|v* z;%1@=-Oswx?=wc;t;&2k_I;8NbK#1DaGkrzGEKuto>5(cFfC8cN{|SZqRXzrOZz?s)Ow>8p(1t_!Y_(O0Q+;`2Pd=RS(CvzaF)!8HQc z0!nnxB89HXTH<*Qyhs%Ncp*3A=N?l(zhz*^Wzw(|7F+0206#GBwq95y{P<+ z?VPUU{zL%-Wj1N7jysHjVy^XSprk&UJfT$tu1BRL-keMT#P*imEXPt_En6jT?Q<2a zUIUbfBo4*?bu{l{L+zkr^s80jVtH4SA4EmK~)InigG&p=a7BvBJz=fnQIY)*Sbj+?6h*)BIBN) zm}Jv3b#R8*eS)&HelEAZL1<5ldL1_7 zD*)xVq*!DdLFn2kqRVVi4E{UCB{!gSS<5G6`+O%Ux0uZaWC{63mB!?@t{V>4271;8 zP$>4jT1@IJjRt!$q=Sz}P zqG|FLu-vvA|9`}__?Y|hHP)+UWpx{k588f=^#rV?#g5mRD0R)JpC{vCiiE;38}kFy zCgy@Yo!mAj4hm7uOD-(=ZKX2#2G%j)0e%25$*n# z&|Pr0BL;41aek8QF@%24S{vG!dAX~?zr91qYWL&vZ2H!mXj>~tS85FonLZu>F;pvH z)l9++ltE?vMtC0KvLudJ9ZL{lFUf|2$5dIbHIECeT=uXuYF7SH=jeBcadvd9dxy%Y zTL`NKtB+1;bi~-(IgqgtG33`;Djs1{{DJ&X@_hS?pSUMG~ElR{^?RV73Kb< zH(5|dq-jiqOEZVE_FWME-h3b(tNSUNCMl-sf+c1!jk-SQ*KOIOaXf#b1plG2-mea< zIK;5xkwleo7f+qw=3o3i&J#4CV}NSA=BGNh0SVXnu|#Qf-!p=h>4_ENBPwCG@QePh zgTzsF0g7Z>SD|VY%qsm*V$`Sid``3X&aH4r9Qc#69++DH$h1CTi zC@43l=joBTlpdEJ-M`dBTViyNP;^M`U5hdluX=s98oQy3uWvkf3fX8h+!mv#`>3Q; zU1d#(XYAU3QS?^0hhZT>-ADt+Hss^$uV}@&;Fzn|1N5lv{OIFeM~dQ=2QtF#F3_q@ z4Bvpjd0H2aAX85VdP0~5&r8Y=`h_NlN#<(?A0~B0$4hEWl=evkJmXhMcJY!91K5>N zg*KW(MMisJPf(KA)KMyBkHz!uE8G737N-|q1dV+7%kFa2&R(n7xIK$kURk21X%q!> ztOH{fhhhY@(x|@Mx$Mq8&9#qRSA;CvqH?uvahNpx68T!KdvyBdJH4ng^sMcK@M~6W zti~P>!-THTxfZ>&J5fURrR2jef_-&z19e^tF$jE>)=-OjzxUFhm=^ks;2?<$fp8rH zmHH|!wCpMgzb4vM=-_;oME6X)VoE^OuW^je5K>oYLCd)57CXz!ZThc~T0|_xTw^)Sj=QkGvc*fi$$4jp!+I)y{7|FSWcXqb%J#JvHmnAZF zX@_hmsBa*6t7}ZPjotvEkK>^e#yIxr?r4+ft!?^`Vdtl+m1312**FN6LEGe!L;FxW z#W=p0QkMmx0KPAJmB+T?U7fdCZa&grrc#=y^$xRto^|oH%((3Z*V&_spKm-!4CMc! z3WJA8A1FT0)+}*)&apP#ltG0O|7s{%&uPQlU$_6Z9PtZzl{295^~(Th>yLFiM~5@w z`wSmnZs&A(lI(tdL?)Am5 z@V?4FE*d*=jcA|sadv~M#J|Dlc2ZSuDTF`8-x(jE;Lzph_|ZRjMgNH<6-||aa!Sj! z`X#N7SMx$Y8{xej4_wM<;ABrN#qLtc%{DRHRXhXj!e+#8JDNXn-RK29-cqHt`8X-f z1>vj$KOqauXQORSn+uJsCf@d#^2DAM&=GMkH^XtfIm}45XdU0~ali?2$2(l_icxW2 zRqcz;0bQ+rRE4jCevx>SB-lUC;Kblvsfsnr*+8S&10P)TA>--z@hcc$L=ptc_){hL9Y zLnN;2)(0bP^MPU(JnfJlMS@0tV(u8wXaS_gNd01e>WMm7FV6;aJfW)LAdsC#Z~?ProXz=CtD@FwaB@x_GMj{8kGL?-%02 z>y-wyA%3HeymN{_Q)Q^-eED+YL9Ew6fBn+SN;|~buD#W1hxf(}vaM^-Y~fRPC?@N` zOvLS**ei>xQ^urOg2uOO1#iErvayv)=hD7CG_NSN|4c(4t%!)I!# zp+%q+M9~LCM4Jp#6n5flD@btfVq8BriP|MZz-z&c_XrE>vPa36Cn=^tJ@U3y;$o$$ zyu2wFJ&_An9_-^5xaj(~xd{&(V38^B;Zwp^bhgM`z4|B&#$ZGM|Ds_b_BWqEY6PM!5jt>Bk3Ow^{*WmQN=%r|i`Uekx=>+DeayXzM> z$V_D4;5_r+zgsj1Fosl}m4=;&pGeX$4*4<#cGZ9;$?s{kDPBcCG)ZQ?qVlO|u^l!N|k{d!d9 zy*MfHG}1o<5eaVt{~dgd7~=oW+u2Im&W=`(L|=FDI0aEyJ)#Nkzs;dY>fv{ej}Bb^z4^L6G)y1JO2nbWCy6~mD&54b|W{^Xp> zx+Lz)+g_wi6w+(+jX0SPJ(r&!!!-czh^v=gaGR&sj2b+l<-k_cCHT2_ zzKlf3WFWse`=5o$VZg3pvJ`1_8ZqYQ+b^PCt6XqCQ%dJI756yc%+)e|r4{%=`|HV( zcOyhTI9&ECn&ECqG@y}wkUtu|HePmZ#?LwNUX_IH`{no3cMyO%WU=tbPxUF7W1#z3hP!#B@F4=Rql5_!b2j-obbqu^7p!IVeR_*80)C-c90w zi-nB%w(*}(9H~u8z6-3Ba?2x6(7W%bQy5Q%S)YBx5nZZSPCzeVlS3I99KEYXqS6~9 zxV^LAR}m7bYx~V+1Ksjq6V<9=v2)tl`aRxtD17gic=y)ZVI3#S0fxJghjDk;&|Mj7 zH*D9AN{|8I)EyWj)+;{Vl!&O1aLZDT@N-}OdpK2<(NU#VonKYoanAW*>|Wc{q1Ix` z1#XMdmK48z{N;LXaO@pisqv|R7sXfrf;(``a1b-`2lp0xO2D`I1!!H~b8 z>*7I(NXtgV52%e=FL~RT_wcNw$3%&V+S88>$alj?_C%|DgCwO-Gt-J=Z~9WsRS(`y z+Hm-zCI)~CiOZEIjkYP$deG`FfK+thSEZn5{`9FQto5wYvNI@?3?JvA%7+?G9*$KF zqOTG)k)(Ze6E5mH`i)Ow+V#HJ{`$;3k}8UKTfCCHf!3w9HokwZZxlyx)2zfRQFZy3 zevzKc7pu$gdJ9R1eK?%ogiP?8DSGfxx(c`Pti*8sln4A0yvxnCpeOHuE3NWj%lNT& zf&UKvA2BX=0%9xxPY6YeUzj(Jim)8q0N}c8Dw)IK1-$f^wqRbugTfaELWgEd3q4`6 z2G8@RgU4A-&R;Qn>Tn>L=NK26g`>Rl0FJ-oAdw7-7khwE&l;SWKK zdXvi=mTQDE1N|>>NgW0IqZdiHO*i6CWe)8gj0L^2*b1j(7oI40pu2upAkE>;kjwHe=sJ*?ygVY}^`rtv@s-UYz3dXAMjy zPxkY&?fo6Sq_u0XY+>^ut3YqNH%yWz7Ejs&p0~C%3}J@p@JVNW_%6q3*oG)SZ{WsU zg_|@u^rd{47xCLRhHhSs0?09*OgTTS3AA;z^kC& z++5Wux19@v<&AWrGa>uJb_2+gHLFg6bY+z4axoWd-%9Au-dmUcUf}D?6GnNcoWWwm z(+t^9#F%%NVV023cx_MXY*s!0m>@PPU`XpwT>W<3J$xpJRY@Mr#F41z{+p((x>jx_ z2YTiASchN!F+TBX=;(-Oj-5iGi|=0{*~|J+P6!?ZT<~F%vgIX4#o3-vqqS|X=|4kA zjr%8DWa09JE=6v_ zibPw1aYZi?uL5iPOc56UHijaR^Eb#4!QrNgt3}C%>{B+qO9yo}lVu)EG)1k$zFhoX2je zMLQtiT*!3RKivB~t#m%}ZmV6#EF$>)2Xp)0>OiK+{7AZB=cLjgvPArHcQ}AO_>@iv z2d)?D9ExT=F??+9wMGIypwE7$f~!;NVs%L zfsP$6xM85|7#r$jGfO4Le0ys@e%g1Rq)`5D#An|Z10G+zPI5UVgM6L2FEclP6<4V` zzAxe&!)w~Kjy~Xjw$x*TKZ(zh%mKfj;Gi^nBbi?84hOPOPIXf=+Vk^}RxnXWit2kU zYi$Ke61r1HExJ+V?RC4H9{pd9W+n*xlkq!FK;)dXi=Sntsb7j8w5@hoWc&vwp2R2w zN847ugbVC?s>QlLvo?4{)iEuhaBf2_GT^5F5EcA$_u}((?%4MBtCmr+(FV~cZO7Y< zsZn#YC-vjQR>~@GbJrMNpr*x}2iwg&1`p4l1!>p|kP|HYR6#gBP~A!2zsQKHSEoJt zel_|EZ?g5qXJ6y4Tlq(4k5X7s-Rif@yU%ss)oR<6jK|PgfrEr*BIeRFW8G1hIreR2 z!uyo-S0#Rc!Z_e5taEDP-OTi#r19MH-}e@-Oih$HY^s+`w*+1@6f{G#F7za>YfaUd z_cjk()d%$XjN`hRx|CR!3coNsHw}3~?SKewWmPE*#>Z?vsXg2xLJ#|ZW}G=!8)nAG z{inT-E;rbp>Q#l?mW-3oS-k?INg^8W@q5OdJ1ywIMg9^YM;`rW*OQVIkWmqrp}u@{ zG2Z7?0XwqLNHy&Qcmi&8LaFAE!GH^7 zgeR&yjMX8V*DZQEcw6J!%-2}_my+B8nZ^iMQYt?UD-~Og?FrKtVXE|H8^# z{*;re0m()yi()r!wCMO_<})FS8&6A63lfHACF-D$VBVxaq;Gg^s$>{@JtDaAJ71Dl ze)Yjf1Ip=Mk_Q+}uL9Jmic~r-`AqAP$=jkY1PRgkf9*UqS1PJxy60|{v1GmAT50hk zxlhijDk)-59#Yx#8uNSX4dQtofxLSi=g1$9{pw zyFaghAWUSvI}6*+LDjVbS;k2YJ3e>5s01wx8X8ogU+nw&#S zFCYHmrfO+47ISJv{NwB3d;tCj@VVxcp5ut(Q1gr{zfgtiQOE1>yo&4`{iC``*m{wD z$P)B$rjk9bs!nku7fgdIEiUNWqY3{anUOyaY4ZGjX!T3Bog=O$PwLHdBI)OXJ58Uqz{G*V~P1hEe_9e%xLg3u?Nc$TW%Z!|o&^z|P_ z1$1q(H$ZICY7E}d0`MT*>XlpjZ1CKN2UJ|tY5uZkUS3YKa4JOGOgCw8S6B>GfaFqlVnZ z-Nr$|6<`oMoFlxrO}R1#URsiC7kEjd3l%onE;1A0pAM*OaE7Xz_0+uciu>O{^{{QX zgg~y?INatw>Koo7F52>&r22x9Rid%QaUdszi>nF0^FD(}dfXm_59f$rQ4IY8B3Egl zw6K8#61$JjcN891cR@bljPvl7Lz3`P8G98W_zyd5JI2Ix9mHAg%2eT$ zKGyWPpnbm-`2nxvbIrc^gHwI{UWIj+ykj3LSj<|1v!iN9PZk_c+nb}WjmJX$LxvB8 z0n+x+&wKw@lKY75r>X#^CF8s`Pwxwyo)5V8k*ECP1)2U~k zrBx`LLMh*ds7fY-&oSJzAW~WDM75^+QqSe%cDL+_-*OAGZirdtPiGIet$Hq+k>j(ekmTLU-QHy^ zDZUPM;Hr#l+N`>5d8?msmEm8F6+TU*Oh+=K?aYH7cr&WGAJ5}JPNJcgrm5A5e2=FP z#!FmG0rkc?B4X1wU3I&(`O(MR)J{Y`#Kyp zwmDYuJNCcf4xf=Pcc3qrEs775%6EsU{V4dbB)7mE_W6ifE-~11Wk%b)Gx&m`uS@ay z$k}$mX0*bBAUgNr6aCtVrJ4ay7Jr%PnkPI%wY^VP118q&obahoj!3HQXLk14kJr+@ z6%Q_$e$b;8Ed>`YD0}kC?lq*Me3<7UPM)Dh3@OD}&!KoZt9al|@0m1|Js>F$!xSXeA5zss{WV|^>bOLRwo55@6E|@E;OxN zZB_%(>_e5=FkC5IbW3LWWqbvGXLdhc=MX%>hZQb{I8GO=VUQX3Nt#|$h#Stk`+okV zZu8DNt+!=N6Uyk(VGxu=gkP~KhxW5l7lcv+jl%Uq?R!;ankQGms;X+!A?y2HxU*iF z;R2t#uF~YfPm(8>gQ*^{l{mdCP0Nw?`92!bRQUmy*Q20!s@6)k%ExWzc}R_HyGZC7 zG$%LL=3`U6@iTjI+Sle$;8-RUZ7#I4Hu8@3eXXualRh{XDIQkPZ>Ws&v)I&q6l`%l zPn?RjS)k7SXHeU{I|K8J*LsLBLk5iXuft@reyX^x1aG~&O162GtW)PZGM!5!^ffB@ zEaF3kwhoy3$cW89MiwP(UyMZ#hzPS zyOJBC^E6RCf_>(BqmNn_6I`-u*iA0aY+g8`Jf`x^e}@@~=NvqEA`bUSF-bq4)CI93 zzKZKA!dJ{4*^CN5)@`^ZZf|>v)l4dns8k3vk@MMx6e*Vg{kBxbQ2*9AFn;<^!L2jUJapLML*Dg<-`&$piC{Ae2Vucu7d za}=_kiHIXJuO)xx$$nItO2cPkV>42~O|9B~4`vc`&GF2vOkd6l-&G!zE%}lU1YJ-| zTaKQ1{+Rl9))N|s`hfjQI${=&wTC5~=H_`ywVic;3|;FUNxyeFpDKD%<>6^$#g#K7 zry#h)4Y`mL&k@NpN8SyFkXMgcXiaHn^h0z=LR{xsZp@lDIDU|IZu)N zu-FXahpUk@^`+sd)mwiGPJ2Kse{ zdoi!&c7mzHZJQTemu%G@gSeet*6j6fSNAp;NRXNrGlOWpa_XGPA|nt(3&i*#3nkT@ znpu~^LphI~x#5w_v2o%oVsjeLP_uhRuauUSqp8LE1>nT}!;*gj7T7uPC}7cGWC5zA zScG-{E<)}={_d_o_xVwHQtstahgsUSiPqQ=(-Zd>dU+t7qSMY}+~h)&s!j1r$o}RV zo$L2YFR6S*DsG}AIIWe?(^Pyq;a#@uev|Tz3HY;Hb`=S}Bodo$b@Ptb4DoA}M?W?x z&D3HB=J4bS`3FBxKRICZF}U6-Yw^s7hB@CKwjtDD|GIQSNXJJ=?e!b+`n}argkD+Y zg+tLT5uH4^((nb1aiT^P7ZK|MaBu(aK@J2sK-Vrb2t^@vO72{_4V-}^uYYz23y;5n zzwGZv{RPLsR~JRqB>$_QMWlc4-%aq2@JX*LZ@Xd#9A8ODv+*hq8+iWd}67hw;4G=6=3Q=}v99`PRlm4hw?_eN{ZN8rm?w?JL5kOYUGyttf;=6tQ~ z;(tDGjhn#T3jkq>-5)?m?RG)ML_>fNFNeUoBsqWOUp$C)A*6nf;PT%Q^q6E?Sillx zZw}esPtO1J|DL4({UqPtC%wMyzB7g;uBIEiPI~SA4`qX+XRm`50BocP3x-t(-0aqK z+)eFvG+~J$(&UlH+*_=6!upcqZ&OoI zYmYB|GYN&YC)g|1KM6c||4_H}N=t5bOAqg9c@l<2L!gF1oNbE<$RYz3Lcel+4zOkK z%D-ZmxH+!^SdKgV_ddT4evw$fc?*}Aw|F!0X201g!@lAoF*@iC@26v@l-Z;E3YRaL zDe9FNYTE9g6-9A)tlvQU2L=v)d`Q=blu-Wi`qdymO^?wrSqI4oraxLT3-taka5eZJ^Pa?w6`Ke*hP<-7d}ICO}72x)Y~u<#`C z43h#p+g-e{Hw)Bhr9vYVi)84egap%H*6Vs<<)JUE%weQ?>8ckKug>@veFqY(Py!?u zF725Y^%_}1%-ua?3^ss%Y9yIZL3p+ak(1a(te-wu`jCrOYn53@4J<#J9Qey?kW%w1 z;Ky%_c$yyrf4zj_#j(qZ1Voye-8fA9jutT&N)48H9SDQEbx5!bSovKbg6s?R8lLt* zKd6q-AacNKoxL0`Pn6 z#ihvdqwwhdIKu2sT3&EBC`EPYGw!kdU15kYM!8^H!3c*Qzc;7FZj&t@6QUtN&dWqS zg|*+;iE^HzpipS5%i%aM>twqTA;U+ za&V9D#$?;wL!mK0o71ziWhRZcjGqOGcZZ(x9Z&Uyg-OZ0brg@+lTu2PGH*9@0B{R6B!!{* zM5DozJm|}QZk`4`d*mlIkJJz-ywt$UBt|Xbh8xcV2V~%VfT97Tb+XtOi6IRHt?jAk z>Ei%1`U>d8izHgZmVq==YU^lT&3|%EQ6oVYN774OPHNFi~S6lL`U+ z0@_WY&TqIx4c2RW&JybHfi~T?fb0RVHbtkV0aE$X^b!;?2Cz+FndfySF`Xg5`~=L^ z&)=Q$!u6-xy}xYltf)~91HuR08uP11zkXrcBbSZ=wu$hvGS1!4uM_VcZpC+NgGR}K z;k|#h)dNdSYz{a*CJGg36O@%+((t3fiNGbeluWsS>q&@G{Am$yM1hdmgP||EcIIir z66bHnu7o7fiFd~X=}@9n*DslFcA*0!CGhw6w;xGW?DC-#Fs1~gGSnf022V1L^-=*v zz(}{ApEc;WyDZ12QzS=IbmI6TlNgZ5qublt1Nt5zg?Gj7$Azj2Z-AD_@Z9j6nM$i3 zxfZwC7(j)1n+wh*l*Dvi9n{DhETui+S~QuxKK5|P!iF*imT zVEY|XM3`+4O{FiIJ?2&8zY8T}47sQw@B|ox1ty$gXq;etGyY#I-w?+uaSK{S=ZTifSTrFF$;Njo!2&-a9o4+o)=>SxAmoX6*&z7 z!xs`a$&-k4B*2jI9hd=kIXCU)w-Jt}v8YGn56XX9=?cD(3pwV+z3W-A+#`-FHCB>M9CXxIK zxUQ8GRUn{N@!DP0pz;76>{74Y^o!KMnXXfE3P`!sTDFQG|=3Z=x+awCtS=*x8Gq1?SLh@;0M z4gie2U=BIf&oj)sk8-E;p$(*kC_*%GiQbx2zo@PRk|uT`d9#}z`h)P<8?Y({T!)DkT=Z9Tb?kmuw=_riF*r5|W}brw1R zX~@(RCXhB#t}mQ&qmdU^26cJJfk7Hv%A0PkNT;=X>n^VY>lCfA+JPQx*w*X7NMU5y zo7J@y==NuHH_jAmY9 z!4@`UX`BuSVMv;Uf{Xy106nVxA_lz3H3nIwu%_&q*AJ_FZ&BeT>Slv18uX6ORR|KV zKT-=ycG|GPew9lOJ2pqxI$C1{Sxg~g77lpXMY4!2_Hl`NM##7iuaGV=Sz6n^y@(fV zL@-{(5kQ@YW5LnRBU~_77*fHd1j}x|CQB?mm)GJ_?#;Gr=Cont;^N}fW`W#DU>Vq$ zs=1#Vkl)3_TkgjS~iOAWpH(4D%(gDGwq$4Hkt%qe@Tl|3+R3<#ch{L>zU2F7*eE6ZUF@koL~S9B?8 zCEnu`H5#X$&J{nz+|&T_>?z&ivfIi*t9K%Da$3R_%%fC+B&MsdD#PmI%}vmEeh>s8 zN=8-8Sa#wCTke9i0qx8UJs4O6?t6yHPsOg4M>Gv&?3R9s`=nV6L)$+wauhi37%90n;WTVAErO5_WQYSE;+K zAQg1AVqjaH?DJSr3ef4LfW#@_=We-_ZvNMYLHg0%3xMR>Yw=?o6(_3kmbTaS13smt z@82n;i-iDRQJc?ty433EhYuzNx30O(hMPUK^5&#(nad>QMr&~ zkd5Qnle7G8H5d30Q7|jJrvNr)iZ}RhNIVc7ziwjV-9*BHG6RR?150MTac%MRRec^d ze_RG){P;mY!;~s$Cb6@tCA`a5LVqo&DU}!o%_C6}ek*412!H{pJF7&WM;{~tN|?Cp z70?BK5iBviT(A@%0FUen+*_W1c6a%mGc2Jmk`POAEakt&l+L4_0PsyhwtG62v{#qw1`Ab59d0<6wJ7HC^GMA9urtEN{t&W_yIA$K?tsDVGH3#RwBBs6;*v!F<|3^R z3P4kdl?{%=IO4Sj3I#|-lkifN#00u9J|Q8Y5kPDWFR3)H=Ky_EFNM0>*swRy?>mPC z1hi3xgGD3>FV6NofLS0AoQlGmPjt3^9c&O{L7j}>^^xcY4<1lLf`0zk-Nn_;9+}MK&sG?#uGos!{}T_exS_bE3Zbm&bC|ti~fIHeRWt=UG(lS zbl1?`gP?Ru4lOl=h=fuSqBMda-JK#x4k(BUh=O!CqI7qMNO#^n-|yb%x%d7j;GA=2 zpS@SS>wVXX)q}$shKdb%1`PS{q;{YOA#@*oimpYr!-}|d2?)cuQ_twF(K%#R(lrAF zUxj2f^u;%IuLq7=I<)-IWrykpPHIxFa!DH*^W_{tj0Va`12}LWu~r??Dg@ZtEcv=u zqW~Wn3IGw8I?DLxi;Q&Uk9WYJ)DlRO=IA%=2D@7r=)HgTYbt>Zoe>_4vfVA9nq!I*VIi05lAh*N68EIr0lkISNfj zhO53s<<)}C6bpjo=&LD*}GuGH~CU7g9xw(tFfhZ zur0jR(7q&kats~~{tZ#LUgIpW{6^PD>4A-S?Yy8R<;~T32R(FZGD?{2Xz1!bidNK~ z%x$HcZHysH+LPc>sTuiSLi^9KhRA@6BMmKW_MW`IIWn&)q*kMZ=|oqfo@_YWA=6gM zKgK^AVljt*y16{vjVV^zoo`aBd_KzlG2ALX0Xc9HDf9Y(m6H>zKSx#x%xX}X=EMPW z41&vccT@ILEziK*rhz&yXQ5RM^d3xAVT;Q1WUg|ar#7hiw1b{>_HwGiih%Z+KUfzU zsU3dU#Rb*EtJt@|Yq+VV>9m*P2I@)~{Yj^@{!k$%pdCh#*v@V>hmCe^qHK9d$bq7* z($Z2Z6EY3#hWcSE+g|DcdV*sj?3dXOa+gvh2ZF880nM{$xfb+b;qE&FJ|SS5M06!) zg=*lF)`v0QH+`mrqU6kr9JDG*gU6l$nBQc37R1^}oUkc6Nf*|s3KW+gIhPzlG55-V zzhdKkp{HKv2#NMn_9S**R@cbl?fIss{1Be~ycfr1^Ol#p3ZISjp2AZZkq{Z>USFx~%7LSm09j3M~6{A9yPBH?ac=nty zf(_gVT1(ToeJbAPaKSQrRxjYrPfK2sFr6ij58`Zr)GY~aF2RV}P=41p&el~}>w6+;l?H(nw#(HNH49$d8L&>2@I?2rD8Oy~c5 zpFH$^j;w4Q2H@4M++^}l;*aa^s9lFe;kRcG+q{G@3fKTCSXAlUQO)@OK@k)MCLk7N z9@0M*G4))QBQPp36>xvJ3K0d3B^%eLvYIHGUY;*HPsp zEx5bebW1(G%w3TR*F(IB(d2RZ`vYJHDdJUJ65tu#7?N(6P?Y5kwUpO?FCI5q_R0xg zq-N>-S+nwnnsb#`g8(4c#_3FG5${M-K@YKixUTEEU~Z;DgHW_n11?@aiy$WvA@uIf z!{{(}HnQ_4++?KSy8D5JMW*(jDgWgt@xa_Ip`FTsKQlhAUj}kgzl$q&pP}IzL9ENCtI2dxC%A! zw+=B<7CBf%AIO|Z!9-cuI1z(55g5bP0uDg?q6-KUa2n7N$J4Bhk|$uG?_H9jI-lb^ zz-@(#@kSVZ;WgL%S*rxzIE`AA3w+lq@UFRtD9$l z(qP>9cs+np+88OOL{IqvDXQh=$-ku!FYW*{+X;{b#o;8|zVx7h0i@w)Lk&Dc61z%! z!{qm8lsvjA>EMt*Pf^YT^J|u{oNC{3au;4~z?`FxK~AV}!O&%7x&B zuSf}cVpL;(V(s69(NVp0@KH=kV(=OW_!QMaq{07$&g)%`7q^yz0AdgrK43$YyF-9u z>?RoaCHw5|M%eW1tho(T9SUb4qo4=|MmOemi06_MM#X0Yo5b#Q0!6R(pk6QyvO_Zf zm}8gSIoW;L+Hg*8Zjc}1&3<`)2ttsi5wGnDA#xs&q1^}FV0pfiH8wU@d+)PDq0rE) z#7Ly-%FT6TKQp`(%#b8-KzZ}VAi_fP0hWNU_!Mw)2UuhF-~YOkfH`1P!`{Pip>Ae; z9bQ!Z$zJa#6U4DY#Yq}tJ-I!2?C~d(u1j0#+4Y?Fc<2pVUjOD?SlnqQl9)j}^4$U0 zCXw%U!3@2acb8zMP)so*fmyZ{z%VY?7oLfcpF&%QhV=39dl10?ENpDhN-2vT7lTnw zppYSOTX7P^X}dY}k=@kg>dci*XmI+2gW=%cf@p{5l=#@A)*$$>2``;4w~pw3fRv}^ zH)a*4xRbPhcu47{WKafwvi0Ku{F7X-ewNH@eH)b{J%HFMW=tpYp?6^%5jt5miM>|! zU*r|euYe$^=xR2x%?&AHRFjSSgk`a2tU0(7LHYA9PJMm7;2X)i2Epk&N*Va?^-#1WDHL|I_2`DD!{?6?EB;veEYSGmV0LgT}7yCj6 z>D6gZMMchWSJD{xRp5YH>MNh`RaG>9S&Yh_+zquF{rr$U6A{q+mJgQ#zc&(@RRPHy zdkVHJ1;_gxO3w2W6I)zPRpG@M^Ab!gbmU@pH3RXz112v5r*p@<9&yFiw~{ z=6Fn4q8*DOK_Q+dA!K2$3)Q_h2q&+Syo>YsP)SLnx^GE z)f6BvBO}93<323P^Zw3TzDM_xT=Qt*e-$#wk||Bx$y1O6V!%$22Y*cP1Z3@~)0j4~ zU+66Js&j)VkbLNz@*pOj!wP!Ah13MlZ?m>lxlYq>cSkLSBCI2Jm~>n^-!K}9?fi6x z-~ir?txWMFWw|WI)!njhvE1+950yTak1bRy98OwGHVy^3>~D|SKeC_`D)26%>4SBx z2+Q`6U*<6>5JHu#$Ri(&o_40qFpV|Elegl4U6Gy@!Y7*dFVXJjiO`J9pi{SnMR z|KH~@{`IJ>>rQNys5nL9!*iQ0H29$a`6piWit@E+2WA7n;{Pu;K6g)&-*4!Ffa-tQ zbr$5=Dcn>spq{gQfj@Wc>g>Tay0*aL*iZ$k7G5hed9eUZ>9!WM&zvBJ5Oi}e7R2Xs z1ztdW=sg9rf4D#9EY2%=_b_64|D2=noWJ|~IJ&Ih3$Wz+??m^=g8^7G&;SO9Z+vJ1 z0ixosw7a`K87#-Az@na0U~oO^`JWmIvyw7MgxOv#uad{>sp%P0M88&@)g0b2^M|y3 z7#@6RMeg)p6w=I!<&lu5vo5k!P|h|(z)UoZ#_-ghr!pi;{D)bGpmaInV* zgXK`*<+au`?=|jw_?xGQDMZGiymL?l1q!TyQ? z@|%c-K&=@oHd#STgP%adYSB8iVMRv>w7V>ZksP4&%AjDe z*WbeIz*bzgsI-We9;ioY&l;ujT!UYn&eOTZU8{Kyi-I2pd}u(xN_P^z%xKSENDsLn zpn!nb=Hxt&vRni1Mk`K~^1@F9;sxQ+`hHqC>%gGFZ{H$bQvSbTn>=4ApwhhG5`BHJ zk|OZ5aiv(NmW81-34a59Vs%`fo6|K6=+mK&v)?Eo@GEe?VMBJIsmSEshNc)!>e~la zu4Xmni`^N4{P^vraPQA4{9P#_R?sGp+E`9RESFa-ll2pdZA-fRE!56S;G|YeHZ~J} z$vET7ohJg_rzXhR`tU<&Av!(q33%!aZ1>o>0mKVwrn;O(#6lV<*e2p}>Ve*yC7jf! z=_FuT@Y%@(P>F@o**@n7&sMQ2|DemFdFa^3N9kHqNp#khBakYbFvt`qk+7MAy9J9A zx;fHrmBvXekb(aEK6_pza?h~H+jT87J+K8`nz6;(SSS&J2-6q7c6!K;By1LiP-Wmz zMyj$FaZ=BY>dfBsrlJ9(=)f^V3+{wN$2$RA=y!B%myQC9ECShZPG75ehz|5Qk;)V? z+{wm!ybbih%fHegkP^T)m9D9)%k{arlG62D>WaXJ$AXo$#Mu^ym_k~@9db+ot5rc0 z>XCfy0!U-!dt(Rwjam5V>=alykrg40O-vfWD8db8Nd01vzUtd$8>kSPBeHAl zN*5>+$Z_#9%@mL)6?Cz1fW-vJeZcX^J&87~6?Il4R9>-;L6MFu69q-9LH3HI4TeX@4(5;@h6xj3UD5)9ud(1E(%D2fFiF zgG`VfTkKj=Byc~`!s(p*RREPVL?rx2+jvpD+khKhLDC_%e{7bFh~G271m}{>^}raPr3YNiz)o+$Bz0|JfS;19ed*g=&y-CkfEXSOwQq) z%d!5f726AQ3&*&R;T56Wx4#^GtxT%5TeXJs)_UY^;uG;XBbx;fEe6>X?J3S+ccV*- z)2Kmh3w~Jb;-_7c)_r$`_>b-7vlkO}8|yl8h(_FA`(d7 zMjfUq9P9wB&}oo;)?x`&1uU7?ZX8h`ua$eSitv1=*LCmr>2P)(=Dc0j+4}nOTkK9pq+;V`^B!;1>6+tfVM9}a{l_CZS z8HQ}@+sjM7;3msf`0(G0mjo{!B&~uw`(fpTDk@(dzzu4S1Pacsr@gMO&MA5IZ>sR* zWMr;r&IeZa{_4ZMiNo%xsS0^|f+V0YwOq0=y;}+i&R&o@dh1_B3Suk+Cbi|vGM_I> zy*vL!FY-zU9=|O|k%3B|2%vZ_`ZcJnj?_B+5?LQ`$&B#@N_Me>nOvk5U-(LU?@>^b z;LCRT4Y^PEg`fS7)U>;2xvVcAoAWOih>;dI<_f$I5AMF75bGqF&#r#8NUx4Op!&n} zofXs=F@UP`R(P|_*AGI3=>muYF&B>SO|78PT&$tN;HB^yl*ZzBCxdgrAEDx<*dwci zB1O3{h|;az?JZFJa>1@76fgue{P{VQV3coRzoE;x(nT!1nmGKn_cz@5E2P(uH>A1J zw4p*O)}-iPHMbb#HG+1&9`K#2`D{jT7E zT|X9x>M##G32PHKhb{t4PBn^xD-v?uPc^K<)}PbQQsGmdkwLdx0qN3Y~+M9>MOHWFsQ56kKh^E;**e`vFe%e%B<-%d&#De>S=| zbqRR{5N%_``)jL?GPS3)zo*68f_n(VJdo4{w$^-FOyb1XJV%rUpX{X{9>983GE+Cz zb9rUI(myUow(pX!)>-i+>hu~V8V{h-D`vL|!#lBH2-f=Nqo2zXSmbv)>!f?!+tuL& z?|#Xbx=hv|5G58Q%LXy5?<{ssf;z%?mSQX%xED%&BY#`}?SsW#w*WQ$d?LhFMR5Q* zK@oX;cd8gA^Lzl2u9v`vUkbYp@rufsa z3?YmRO1%EGy9_KAJj;q!sKosRIHxEzK^T!CqD}M_YQTmV`x!h-RWhoQe0RP+qARq< z>ZP*Qv$c)KpB&9;5_aSe*3+u#B6FB&$NYO29gZW8db&28{#ST0W)h1{RwBYSI%V#t z1(ivBzk|4wo7QAw(Uf+p@WGSR`-R?6Y(naKFEFi^TV_( z-CXPO;%vQFx05?fOiI2aZA-*+pG*oqk6HU1UT8~B-nYE1xo(=Nd(q-H)8L6)Dq>z) zDj_G)Z4N&w4@a28BNw4nVc)(w2kBF3M#Z-MJf0rRFQ`oKtmx@t5y)vEqfpEsHMzgP zc#S*a@B|k-dW~kfWoU%=;{1nN|2LmS`c(d>&|}llaffiAnv>J5)0j1QLP2;TpdE4` zTs-G)hn6egV<-`ZX-BL{25icJl1O?`E|UlZ z`?}BwJZV(uaC`z%}*(P4uJs z^3gh*Fo~N6Po`lr;@c>RXIlS<3y?uU7{&?HWs&VTQn}50@$q|-^>~r{Q?nWu>=fA< zply397tjJWVj}lT`Z$)2P_u5tAQUj+o^@+teVq#Sa-PFas`z9V^gxXL&*S_%Fi6;palJ%E(C)nGRbi^iK_7_et_uUUataZPY00c{39Qj;r``J-dt(YZuIK@H5 zLBl?)1y_`cjt2i&djUx!nmR$r#fppCuo$Pin>pwz(_9%)mKPEtTd4a!%tUNUIiBDp zrfwZ?qt7)3-H;tDVEiZllf^KA^W;BDXr!NifDrUJQsC5nPjm?-WqW-Pd7J`j6$x_Y z1Jfvh-n7Dge-8to-LyRa{1Nz@mUG9ur9ttF;#8Lo4`rXh4`}*$m=gzg3OX84yNJQh z@x(wiPaNSd8;UfO3!p1)GXvSH?+5iHXhBhRUb0H);?86(u6to$OObAF`zid;<@S%? z(ar>J$y8-)p;%_9f>zchL5vACTARnKPZeT@W7Ypt7HIRxO(v^?t#9$Bi2-r+$E zc5}_aN@x4yQlQL>F}f~@i39#K9F@o5{f-BlI86re@=g@CU!NLXjKb^C4m}WqvD!i1 zC<#V?`A~?6#L~%ObnsD82&}}U@i+Hi+UYg=XkdMv4=Q}QwR|>bVbhzgvA`t%j7Yyw zJ!%nC&2p*2b)q5Qon*}C=N-?}rCo7!vZaD@FquMWCw{)*E6w~Xg_{ZWv&0cGHY|=W zZ{uNo{M|+`JO&VD&)Gj{p5jKs?nKMQUk8v!gH2*_^dU*oYmpya*17kut{}vmhu=(? zRAl`+ME-|u#M@`uq5gOsS;dDP*Oi$@Y6U*pf)%%T6;AvOfm)ll{ycDu%@#7bREhx;dFEc|5mF}iDLQE5!Iu7mn zEe*PG{=O?t&F9Pjl7Bk>)v<|u})eYPV^H23>01|Ra1JsbbiYQ}Y)+_tQb6+JPpRCW+ai7Jy* zNyxELP}`;#pi`MPqKF{_#HMbz_6k()+aVWC!w$>(QwL;P$)_peUaO~>R5Y~W@^ z@g099%7h$y&FcM5skL7+SnSU{gBz_lkNha*E#v|W9lC#Y(~Enhl-|b|RJF%jk*T}} zme+3bW_7MqA*v^oLc_<`J|v-@%W2iFf1g&om?w(x%4tsfce7_KN|-tB)b_OI0DP4m z&r}8zukWg-@$pHInf>Ig_+iONWO(zmwa|85r3%pG544S8_=O*nPhz}9Yci>NQn-{T z4mrKa51^iWBW+<3>*U|qAih8Ub;#t_SY6pmQ<^K$MW1NjUl=J#S-O-col_`_Zzz}W z?iT>KlxXx@e(usQCLieEoSw0tDGUB|o+IfOi)lZV_q)RCwasb@(D~o0%(OS9t75PN zI>InjM6u4)^OG!2YCG5zX$ryp17nAjEwPP`e*2%_9!(AOXuvnf+WE%s6{MudQuiIH zzKwp^!E^eH`fF^K@CS-$B{dR@rvuF1uld_nzq}i8OynT>Cv%S^>-y-NQvX(zVk@dh+PHzu?HkYk_V{tH|G9=3!nUyI~7mLYXad(r&$e0YCh(2tE| z%OHoJ!LV~CfI9z0vD=bS)n;k_HAVxD8Ys=Z{%leO{pmCjC1R($JTyu;;p-v*ehd<8 z{G!spH2q4oz{t~eb>w%qXT#koF_kiAzrCYL%I*8rxP0|v(c*@P{qsYfm3~tQrZ1_` zL_rq<#SPPCmTf`#MF_QeN=`}q4P@%7D$x9OF9}iZcS!Qp{3o@17II$hpR4(K+>9y{CH z!+$c9D6f6ZsPwT15jXzh)DkKno9IKJzG0*|S7UOOPq0OGc%Fy%CY2-iMDm=WZe#?< zDwC5xRs#*Hp4dB2>*cYc_MZNrIzL#UdHMxplM)Y|jj>x4X@vS6yd(9VxpaD_T2>U8r7j`rXcOnkVOD_Gv7mR|(Yixflz{Si$cME0deW6M&-e=nb9lx^CjV&#$;}Vz*d$VdsQY3I%uKzPXkO9MJS8Bo?uK zdW6a$Bj`nLPt;S!jPb)P=9_#4zT=~Il?t{GK9nHM@ERj$O}(sl+!Cx~ zVKVKR*`OE4T>BK39;4A_RU9a(;;ip8r zb+6N|BfsbUV`J3J%*;z4%K&2ya2s(pl)eM7n-vbn17PqvQP@w+l7hdhtgx+^?*(2l z;PsuaT=Rk2c^+tMefn{SiD^OZ7cpqCMQIR=u9Y7RbN>!~P2o<&aG$ouedPw!KrU4X zs7LMJaX$$QCZoHPWZzXcskVJK7WEa1rn%nL;(sV_XpjS>$wC&GPP2_s z);tLoA5W#RcJP|tl|B7t^;>v*qJl=?X#*Ku^e-M~<$KaqPSeKiH)lN@Sq)^2H8>%m zR=X{;wD+x`Q(jdn3m4h!l-7~0=u@(K=Up3e9fc=H7pvkZ1A6M9)KPh{3gbqz-)^tu zIK_0MA3Oc{_F~a3tHxJ#o5JShDC3u^Qq@N2x!{BY9?&P7{a^ZIF_V!OK@WqzB=Q6> z1ATIgGb<2Uj9fehOmzATekZ`x?GU6jC9CjBDpVvky3e?qUGAyhbM5NtitqL6RVS$V z0D>yllb?>`rE!46XbtjP`{6?3sh=-n03)PrdfK#Gp-?MhZ)=pVFH4FNAkK}{SLFYLc*X)oG%$b>)z3WS_z8qNw z5NpL99LwKcag<)pUJo|uzSK$=RBSh|cCnnP^V049Q|-De=(eI>A8^YI*e#YQ!3Cu+ zHYno;ORnJf?Jm&#%f(_^PjT?I0%@v%0S1YAR!6)Z$#pHtA!LnKs2jUtjP3Pz*wU^q z$#!d2m`J&Q1`F71A;74$2XBkt-Oi82DM2A=2rk%OdTLJhzj7Ma#_MP=URIbStSUDk zr#`_nu+>7u6pF*oy?8~x7so7Onj?q5Q|HL|@h@GTT;G4?G{rZjQ>{hI_OoxcT3F#q zE;;bXbBpvZcZmz|a}!>UaZ2}fEe?&Eo`xbSUv9r~CS{cJH`e+k+`g?y9c_gOJaex8SC$-Tk}usOp78iW?mCW(xinw$FZ?#y>W<{jpt3;`#WNaL*pq{568uT)rojz3nHC^rr4@S)tM%HwSNbt`IOa`TI5CF^ zDQpMOd|mez6xm?e(w?o+RD8+;Be(vmy;Nw96QIJNsemd*O4om%{Ytxb>)+kV->q^S z*Qs9+wI6`6$osbgdajWFl{cCov9`9BPfP*-gXA2-{HR#@fSTa_oMEvo-I2#e2%F#L z4+_?^D+eORLEUb}jO1r}O*$Mz091Rt!>pbpgPnzQL{`T=IKuY+&MM6}jQM~og&Udk zj#ft#my#z|6wxt{?nQRYS%+(rAr$Lm0O65qO!W%yGDzC!SkS2*tGocF5i@?ELObPL zJ#iiNosRk;ztFQQd3NhZ`47mCHdZ1P{lcSd%jT=OU%mD@OndeE0ropKYh=TFsyAc& z*CogS@$Yy4Wkx#~jD$B55{5NKF?^DxCcq5RwfIpV&K?9gf2EC=n%JHX09^7qO&1|r z5R1ez%hID+RRTvxr=S4Lu9?Pf{M`m${KW(-Rz9dJPgFVQ0-G!>DJ|VPI{I*i<{k2A zXO;nAgj52efEAQ}U&3kw&ET4;abMnAwMFDyodP@;7HncsiiIyWyB~V3Sw$X8>WD=j8rF8Wea?O6hK;4|WhOG2gBIeLz9= z%Ji8>`NOyE`H`H|zv4)tiHO?4 z`EIYpz9Z`S925|}&-PI1V}^h}-uGTi^D6d3Sfg&(lY`C6ig$9OYQrB!ni>H)tvdcY zm(VQB^<_>@j@1^d5-?Z+$&Gu=bz<7UjfmZ}g^r+2E(>rnSDlGUejsVv;LitesiWtW zrf8~JJl~IYmiu)fOLWAD?QeXdZV3WFnosI5w0W}Po^t>zTU^Mb0MkM^sRPul%7rXP z_h+XlB457ak!F4Sq!FaNUtd;!Z_25P6PqC`N78~Quc8lO$I^3OMXv}-=mr;& z=Bm_0?8y6_iB5SqhZOiGEcIsvM2DT}GRu%p*UUB@LrUrD1ty0kSC;*pmKERt4on;ig zT<^_b7&f!ZGs_@oiVZIuAB@A87PnkEvrOL+XNdbN5$9@S{Uzb2MJX5|8~;x>WZKIa zWR#ZG7rPH_erI79gvY8hm=NcWXcW1YnKVILB2o|g`E_6G4+y+LAl}v?IXm;W|I(B$ zuZ?B`CMveu+V7}}&0#isUoy9~o}h7o`MmO%9E|e;P+on`uG!4fP-TK z-`D?;uq04z%#=}%`IIWn1;5?{;>3F2OJ>k=s%3tay>!qMcycklQe9ju`=_cG%Y0EC zOiUv^4+VqT*%dDBhA@;{c;sww>f`Tn4(_$dY_wxB6ROcnPz17peX1IlP$(j9iqwXaJRTk8V3Y6Kl$ z#s%~m6sgQ)T+JB~S|2qsFP6SW-l1~fsEf?s^z^vP#Q*54x~nU@7jB)75P^!>v3Bl# zs>dRBO82Kp_Ku$>h~NFkzFZ&z|9QTH$eHmFB^&tZ=s5VNx~JeVoap>l526LJU$^dj z*!$axr*Oo3A^z%zG-Zpn!QgJ|_=u2y2Y}Lr4Mb>rNIy@y`o$n?v4mK+J=9@gz zoTzeQIhWNgGYH_H@~i^hrv2el!b|RSsY%T9L#oJw57|u~B!8~!Vv3O!_uQ?UaTxEv z#wv)2rzv{o9^M+*lnzh=SaiE_>dWRXq@DH;c_JWuG*?^P~~_Xi`I%~cJcRrew`)Y%NUW4D03OMItbab9; z$U6`5_+pzYKeZfA;_fi3=It#xSML`WODAmkbb;-|El0z4E=R%is>VsXlmd95^uSFr zd-f>o-;=on7BQP1*}iuup%t_HZ!+51rv<@M;0fN%0T7n3&;6s0pXNd7;$2LN_v052 zi*zT-?HFE|s__)4Ix9mN77;8o0o&97Da9G_W6vXgT&1l_HA?6 z&B#rdZgfx~CK5%dQ>c#1bvNZ_{UtQ8wCUcpMBydTtsxfzD;_{s%WJEvT%ErM2loR& z-AK;X*4ApKwYAkm;PH1(w;7OiS?2&sppX;zV{TtxpS17m*Rwl7_ZR;`BZb0I$O*8} zcVryLzQUK+(1b20aDiDFS=oYEQ>}fZ)}KFrUIW>g6c<1Li`bf)*Qu_D2M4t~3kw4s zeSKQ7nc&+e6crUcucr*6M{`cJ1Kng(Iq6%Z)vc6ImgcwuL2Yt%nH{KFA&+sMD#k49`}QIXwB^)VoY)dFQj4ETuy7dK)FEE6FhnvHbD*{r?u{>03~ z!{ei>9~u#{PD)BDzwqy0Lt9Tzv68p9_e*#8!xqr1zzzV>CQ~yrSC@dwDR6srKJ2!? z)FC=&mL6D4(G8EnjuO|vzFr)Tsr075y1Ht09Q_wK#SxkyPQ2Om@kXwFZ^5VZ)$1^o?rpUN6`w( z=Odr~<5_+}VkjyqcIU|6w}UT9)Vt29AS`Wd#qa$gJcj}zYtY`_9)97G=7TOygF;jS z@cK|i>CI#Az^@P}hM|$QYLiU@27g-PDWv)7P)s9cplPz;fTn{|<>kie2`|KX)0b1Y zLM?rZm8sXnCYfXwrKzJ{^lI)cXP7W7H4gcf90JcoOwV8M$Q8VqxDV2MX^{L|&5VRv zHG%DvQdG3AZD+Us6)aiM+}s@4;2Rt8&fmX&X~t$26f9$c_tylppd_F;J!}cu8si~<6IRV0d zMk234p%zGL@|Ds)%~8q++*APWxlo)0V0v$19jIF=c1?b6XYU(9*$)NK(7bc8TfeRH z;_x_P{I`)2-izsK6EuB`haUTc45b}wa^t#^F?yzXC@74e@xoMu*gch4MI`TU{v zn|Z&}S>sv{UbN^Ipjl{v>qLbE<(XrgRUUZbXV<6mLeEFwhF^`zK?*2-sQLCz*v<82 z<}Z-X(a2vPQ3Az{C6)@n#e}Td@sMvk{*Dm~G+lkqcsF!^on$Dc1{ zjr8(Ydm-c!eiuiIr#rK*8v|@0Uj!2vf3@XFu_tz5v1=g7#2O$@iY;fe(GZfU0giBy zL6HR_YEs*DZOXqWW9&fZQ5?twi3L$$5u~ERszb_&F)$25G0hD9RkF^Oi1Bzbr{BS< z(^0ZhNR~DRa%CY4+dkSPx?TQ$rbjTl>L-^wDe*2(@RFK^#rfp-`k@~U3rlW=vyhOG z?L4T1a!&T_fV z=fJ3$oHKx_1?63(Zpzv(Uc9IQA6CJ~$Cn4vmhByYF7W)D29k#-=Roa?3GR?r=!x>R z@mSl|STNz^|NPi;U;m^&uFtg66p4nXbmgx_YhV3~CY8S;>xiamJKJ9t@;!NBoqAYu z3$ji@`vKOYjX}%=*^~5)U;Pdf^S-+c8acRgEkGhv{^s0`0}j-fQ4Yg}84QO9mACsO zWda)Fts zV9E4I`s*FrL!Ptn(&Bj;`lhS?w72?_R|%Sjn2AgzM6B?>Mm;28`||hzX~=vnHg;1L z&_*ok>FL2@Z0B#z*K^&#zp)QjdPMHsxw91<8jAJ9d4GRD%R0P&oq>sps&a%2E(gw= zzYTE6Jtw~dWczZ})zxX~!I^n64>zHppeW52v<#k<2!E=grl#AMecvm)+`7xHNes-} zywMDlPw6X%zYN1Z{-gf_A;=LvM^qKtg^<7J3zbo3`-f1sK43t zP;kIEp6#8#*%&X&mAWUUxZh5xYq2qa;^r&{z#*+j`0h|(YGZ%@OmO?-+S@BAHUX`3 zJGf`x`|2FRd)3X}`T+j5!P0KG}|MBpsK1Sgu2bqKXhZ|-BA988v1Wq0t1mI4Z zmNbVGubo<2ir;>H7yN|CPH!Lv8%Jw z=z+Sr_Z{$Shxr$gLqTU}-v8}oO+aUNCP}Q$?z3*aiUJr;wv=USXt`W&*(>mucL(W4 zB_^OU#nayfUdc1y?+v7-r7wPOY-~v1K)GnC-}6DqmGf$;sI|xzV$!PEH|At#pFa-{ zUQ`AQ{SFWa#JS|*hMZFqanS>L9JAk%-r+R>=d6Km;!X$(K^dfQYqtXN!bXh>VCC<( z5(=dE!%fcoNPHBbe)0e$>WQ~Yf0%a;fM4(Z4w~Om8D6f7VKndS<8WEDUMQ$KhsnTl zn6b4fg7|sJHo^Glr56w)#?^6b2oaV`T*+FyOM2If9PGCDaOSCeY^3D>;Q~N6APa(! zMyX7j1{e(YkE`gF+El2Mk7zhXHEuH(g!ZPjy-mREZDtm3OYw;^#sN+sHY6R(Y(D&< znEGNhe?TIl1`?o1PDwc|1UBvV+1c66$zLc~BTQgy7Fn2>{FZ^0UAucZN3G5$o(Sftj$;4E1dxhLt!_ikLSo?wQCv`ejNUY2Ls|nvC8~+xdp! zUXBO_PWxiqr7_(<}28=U6<@ z{RKiy$wX&T`8jjfp-B0AXdr$AjDrCq7I!a$ijM`uW!(_@VNd=S!Bs#jcffrvorH;@ zA8&qBZd5Z)`;Dz1a!pr#`t+&j=HhP|m0iwjZfvtC@G}c2ug`gd-UtzXa`O^kOMdnT zuYMQs)^{s_bqJSYl6-w&V{K&ke7tm4g-0h#eX0sXFF!Y@t9E(UtAWz>1}tszKhrmF zu2ggTCFH;x`cYk7Jq|75VPmsIzIjtWDUsXnReaaM*9n0Lo~#1fxfNLNo|Atg#Rg2= zI$7z~r+3}_!?tuplA7C$jQ38t10EfCIVh9jM@P>2&(`CGQU$3~z$~$!#Qe|L4|Ph6 zw6nsl;E#2@{OJZ%r6K39`7Cpv+tAe*Y6DF0^+p$$fmUCB3#9fmOM zFGpd&@)9>JeR0dN?zu0EqDKU?c7Y+q-Q}iV7$`Bw$$}Vl17ADqjK54{&i^KO{p7p7 zBqErt^6K`jRsMa5(akWJF9ZIQra~}#ms5$87JBM1dpP893eImV+U5}dZX{8d5`IP) zRe$on2~$#@vb0PS{TK>q=)34&)mG#E_ahDk+#yWGoR44CW}!yc>+|GKEXiMnjy9xF zzsDKkzWfirz=HO8SQW`{d_Pb{g9`-WVW|ajHEotxj}j0XO%SfC_bBb-2DWn((f{|I zL%>X+m4)A^KV`trXAtuO@@8W~?b4^#P+sri{yW#dHO zjv8E$16qBZiAO99OChwaG z!6jX4!DVTmw9Ac?nDcJSx&qBOS~(JAg8xld6@Wl0UDj9p5BP`;jsNMa*Z$REe`Za; z+$FzBl~eZip>xwUb%NXl{N`+#)DYNN>#q2)CZ@jSnlaEA!3rFJ>eV#UJ}K{i%(6ZU zF#?Uvdy8#~Or5))|9V?FqLx8ug#ZQ1{q@{{dkvOK0WylNcaG0&$Y;D5G=`_;7S z-b2Mj{LpM=auJ|)8AvQ5%gftyYqC*yHOyDWANlgAA1@j-B422{+!1MA0o^ea-`;tc zoG#_~Ada$Q%G_%<%%t*p#`RMWJ#*{kFdqG&A;SDkgn<^bN!8mq!9-o}&*t zt8c(Y+3yqS2Lqp(gZtOpZf{QIvm{+xX|J-DiEc6vH$3wc88_&6W~F_OKE0m4J@_Sn zUeO!iCE*}3KiQpkp8ISdD7l=XD<_oOpPpo_l4up^UhPj(8snJX(l6vV#{cGg^&PEr z>TMS%2|+3_pX}V+omZJSQpCOZLDz$7 zEL@Z@u;B}YwgnoF^sj)t*M8y~N@^acmCy-+^~Nx~=uv1aXatnIy~vetb$(a?T6Tov zpK?@Qetfh9o>yXgd4ZWx+5-=)uJBSjc`(cfM8Op`G-X*cF$}^sk>nDfu1k6`8PlDM zoUH%`#Fnypgdiru+`LNH=7ilt7Cl$1TL-t0=7=$Z>?C)4ju1~-&U6L|WkYAap(E%Sc6 zBC1VFhju*MYtCWK?5rM-KTS}Lqo-pg8eHIlzqYWSpGesJfnoZKS0ed3SDW?=qE%1a9 ziTvO}yk64ep4gNJe^i?Fnon1;#c}__Nm0ma$Lz3%1AaD^n}fNg<-#cG(i|!w1-@LM zRWMGKi1e#%`!&ftl86!*}3 zhAe0Wy=mZZdk8q)=U{h$DzKRI!fy34iFM>K>qpDqi3|aXEfVLCp89!4UoLvXudu`1 ziJ#2NUSVSs&w+HRz_3_<;)h)VK7&cQmC6vC=$~^br9??9YwO>PjVfL^*qx{I0nRr) zuYrWBJx?(tS+1zuZ>MJcy|t8msDTX9SWqIw8nAfnrz(ocDeHOYSB}IbgCje|!f+3n z-GF@F!zo%MItwi;~+{Iarwvm*wEJxmg0?YX^_k@|FN3g=)U3wle%6NYxwZGY~%z%%;SvmwDRny zkDhhF6si~|&2AHHI+ZpS>3wu$6$plT>5koDN2CQHH_epjZ@(~L6g&z;1V4OxHkOTg zaAdW2SE|hy&TJpqcsypxjg#wKcTSxXE)n;fXQX@acRv{95SLoI*d%ZR!to#}2+)*@ zw=ROW%H6dLT$T7aHXt#JqGV;_!=>6P&%$$FGksN6)`iBsE`592QC2f&>f9j4`!(iC z2xu6_uuITnOG`1oa_GEfHgMT`IP_)F(B$B$7b_|DIx1+Yhp*JRPidwO;nKdUmHQ3oKkX zm?Rj|b9j^r+G@pJ(gTxTC?8{z25gQE`6oMB>f0Z!OCiWPIpWHxl3jvTuJ5ZgG+HJ& z@=Eqx!)zE|-Dd|ZATO-WNI5bwu59I(Z{;x|TDUGuOh*uZSEjD;2swGdH`Coit?N)p zg24SDN@%kqB(QvN72}Pyyj?Q9jUoN4|G9`+ktsaqS;C^}*gS?PbT4AQ=A1f#X-*AF z%d$}WHMy-8{unABmvWMeS`YT@?az z3q;HK>;@o%dkr!dA&_fa^SejypZ)RFSGI7akAz;q1Lb(e9^=j@ii#28>#$Fe;C9V zPRb;49&2KPw+l7vIU>%tk6)!Rr-K-reiu6a%X5g;_7i!W7jr+s1IDjr9TX*Y*`8@a zshcQ^KbVIsz>n$a>PCp9Q!bXm-X`beRikK8k3yM=)R2Nr!8md%QjFvMqT7$d~!}$-iIZN4$XTp8RA2}R3H_QiITxq_<=bP zxX;F9KC6qD!}{xZOj@gsP8CRwd-l7Jag%&u>zC5liu*)-YnU4t3l!t!T13Bb7al-< zZP%V}f46yN2XVwm{V_g|weYGi3FngkuM}~bv3Fm;zG7029BeU2_X{2_^!W=KlDa%G z^eKj57|mP6chG={wm;CFI~x)H-cHdKC3c}X#o>e_I79zO_X3|l2bI(>ad`CP12-H8 zDrqkZ`x6{J@x672z~a2*bcq8}&yB6%1bKt0p^KqL2{D^)(k`axz_u>(GATU_=99%e<}k`C}Bs^14@gL3^_j-AU-M=Q)G?TCkU7fDO5f7n8a#BiWq7{ ztNk_)ui*E9{*WpN)nCqdq=F+fL6PVBfWx(viaN?^+k=Gec@RdS1>Rlg03jrWc2g`r zNN$k+)QJ>(eoW*j(o*@|Yckl6$J(>~UtDUlJqZa2vcn)w6}SV|h_V)rQpy+4p1tNX z*=V@^;{&@YYw^_tGqT;Uv9bTI-d_sM!4tNUed7bCtzC`n6({1?-uLv;89oomQHiiC z&g;(i9eak}2I!qIgTHsTeAx4n%5emTNp7i8gYLN^KEWDhYNhjm!-sj>2D~Hc0or-O z1ue+ym-ZCI0c%KP;MGd)5JTx6+&{C1@W_f&KrQ27c!L_&SCfa^3Sx{2UTzA_2i)<* zkk7`7iq2Raa1~u2Z0rVhn349i&Job_jCK0wGE)+iNkfK4xSsSoRNp=)*jk5cOB6_+ zh*}OSqFpsQTV%&*d|UXm-HYgAl)DWA~lK%N`p$5 zbPt1ci6S92sDw&4NDir_poDY?C@n2@AN>0LU48HS?|aw1tXV7;GxMBt_St90XU92~ z7!j2LC&zd>Uk3+U4$DWILFL0_=OZ%Up}8Nqnqb!O$WNCu3?}0>_DQK85^QlZtR;*b zOB^_pzyolUoO~%yI8+hx-R{l=@(ipH`!Z=(*L;Q_icZBK5Oo=eT{3>{5YjURFcg0E zvNo8?h-pIdLMNhft#0+b=F>8l)L@G&9;3c+^%vPdI86nu#utMB)cYVOS>#xm4BSqa z^ma-MFKWBuGTu79FT;vqn0DF2NMV;RQCOt;mMGI$BR|7bS;P=2$2Dz~FsWmL_W0s3 z7a)v?IAGg;nuSF2>Cz0o!V`j<K4Icf8h75G$VF+wL)Nox+4FkYEUy}J{NFz?2)~X-nhny zQR6%4vt0Gxl;$6U!*}zYYp><1i6_^9Jtf3=Oh==FzG_Jue1DdGZIu4Zq0G7W-FvYF zw%r)qvtaN&(REZ7_icZ*+w6`};#2>f&-&WB;Yz_Bt_Ai69S`%W#vewdwA+>Ovuk#c zvnz~mznb2w^*F97#!EeYCS*Ff?PezZd62B|S@ykAK3ta>zoAK7hZK*u-aAu|sRtUS zh0pE>jBcg|^PulUN_eh~hYsUW$UU|v7R>4*pA#JG%5euhR`G1FPmK9=t zEe&$8bVL*DZ3AJdWZZ1UCr6#oyJnXeZHTff34hADLw$7gtPruHmwqfFK?Svm>K}Pv z3N5l6E;P=uYOyQI{&_f<_9T@5kkgCNKDph5#J+lg2=o@g6%n|IIgcu0fH9Khh@kFG!%I~sq5Kg*+0H#(Eg=Z02?^dHJaip2YO;=FJJY)#E zd)uHGfedM@OIXtleGXIg@Y>x;dk|*)bDgQ|Cd$Zj!kt)5n4gz`lmQKPue1Q0FXWW4 z%3dFSbE}J?SZu9NYL0YJDt02n#t5`h7jwqMQrkd4cTg!td(?WvHCA-rsrTh@5P=KU zuDYZ+o@FYa@#sgF1_ncLA+`9K;2mnPPm`q6XMTpX&G&qn$$eJcSbAzTQfKnvb<&I^ zviT7~p~qOP693(Dq=m&u2Z7qB{*8ql0HqvK9Xs1x>s^^G(7tsHczzm1iG zX00h`VK*z^7VF`6us`HrzKaun`e0W@C_N;FvWF588eW{mXm?2O8sfiF{@Ej~m|?Lt z&2YGVMpW=oOe2)6yK41)*sJPZGUX^C7JWz3|;^B2?&f zPQ;{sMWF6@&ED_uxQbyYE+$FT%1FNiLDyKuLP&lT)FE5Z%tyl5kXacYABy^N8~bt` zHn5c@vv{x)rQ6S$lj05OikEa!7k$=k825|FdtcJHrW42xW6?GK{W2)kQ-m2Dz}|M zEM1#&O^#PoSN27Y@TZy!`31{^eNekI71_a1WHSg(*+%!V%6cUC_JYQ_8ehycrW`Os z7QCa(rfDnYI9bGUVeGClOGixZ;0}$G4-*pP8v21lxGsR zz2_x-C2CJqL=B=6N0K7FSLZaP(1OOq2Jh(*=;dCzDe3~N1sP}in7aQX=VJ}ndl~k8OHL)EIgDSBHpxT|hW7t>j0h;q}e(df@5( z^ybIh9%2irJiACU_p~<<1NsV)Rjo*On5vHqwO%#KU_*gl@X2IAb_ePu*81Z%)u%x0 zOrYb;x@F+pd;|>=g*6+nYF1-|9gtEhZ5kFV<*Y7`DQ&Bdf3KMHl^}^S%_@ z$k%TBz`;C0l|zGu!K+i950y*InxRI1n{B-6=*!LT<*^*s=90}ta%m9Y36^MgZty#Z zF6n#xvMuUqlBWku_1duWcAA9*hN6tJeIhS zMQnrr8q#Y#xa1vz?`V!FGJ5H%7D*5ebINhUz+NLR%R@$aCg7c6&SecbszJ6nQ`V?k zT|?&U4fRVWN1`LAV*!@k+p8jgyzxqVLQz)ve}=X`U*U2BvUzzyRv3f!=W6np;&RpIb~ZexA!4fzf^N~frLCWnnf7YEiCLCX_S8qGvt+D?Hk8F|n!Yzi%*8&Z z6?wJpe6!H2BM^qKn5+Nt%kiy^)zD0(cqNJudgaZTCm~B8_wM*rT0c8rbZsA6H7xe+ z6Uw_?p;qfD(*?pL(_4Ltr;3;t_M@c>WJj!?b#GQXbick`;h$CBIQJEgq$DTxBUKDFI=xz45I~@oa9SwSA`V zTFrt1InxY+0zuc^Gkw-({JDgKZ7Xa&f5cEnAzp(@do5|1?Y}}P?gSwtdsBRL5$F2Ap6k!+XkruA zJbRvt=a;%%nouN@2?Cv)JmN=h4uywT6H1K;ryUHlc>9mX*Z7b(mIb@vGSTd2VP@@g z!uAn8bp}*cvS^XrDZ%t_Ji9P6E>ZG~;0!`fT9y+b9jeQ^1aG&cFq|)CsJA>{ z4zf7?1g4TbC_L>Ga^!cs{=#roUS>~Xa_x}mb5lzXTU&4p+a;$fmS3uHi&3}d zMi(>MS)aXmp`5O^B#$L*m@H?Tklnl7_M@tKxI~=kvx5aLD=eBR9N+1}rNuXc<#b=# z%GJ{kziXgg+0d7DC}&ZFfl$fGfD4uR2XtkV84*eCjc9LC`so49i@{ux2Wbi)rRfCd z%J7MW?bew0H(pX~d>7EW{%%v=dV-UHY+0gRcD=7H%2M58)Hib`4li(e=$%t*Y!P)! zou1D^`i6iN{e#|&AWypPHs+^y(isd6KQooD4-6goZH(@LvMuTUNK|l%%N9X*#)%G! zE%HR=aC$l`m_cNt?Xf(}oC^u|9(|Swl)5}OjB1=r}~{CZk;uE={*4o)y@FL zrB=?zA7Ph2`zL1*o;dYRTPJqjTY<uhQt;TyB9@2naj`fSz@ zg?v1|1!o4Fd<+kV)Q3%<@QQCb52_cRR+(xqsUFBWH4PkOCZirVo}6@fNl4WyPT|wj zzk})ilzEVcwH{v35ZuQcPl@4zlvb~i#Sblhy3^PgHoIi19wXA=&>`85&iwh4TkuW; z!{989DePUn{j)by7>yz=)o(Y3XG{3lnveH}M6v?5<>ud~64tzMH9svnM7{R$_N$u7 zy@#1~>+@^-k>7f_4tDBwo-J#b7Nse@LV@#Mq-_^nr4jJ@k*r$vpS}QAj$1?8oeo<{ zQm2#O_p)^NP98KoRk^-jhYOGVSylXzwd$4#hu&Iqe-3UjJ1jew79&$tTIT^3~2TR zMiM4o$llbQ!HvV1I*piJA;^13PJ^JO-7zOg&M-BZEv9|Ckgw(kyP3CMECr=VxxCP* z%vm%8<45g-AM3nbX(rp|?kK-MDqWdm75weDg_;>iA^8~t}w&prCZq%&8K z*guI3+02V3ER6ztvqH!^4>}JW)lDS|d}crC;6!L+N2|4!TbcMtdcJ0FBP050wJ~GU zTi^uN#BxPK-SR#KZ&BDQuFa)bJ?ifVwmCMwHshZPjM*z}i!~n3POrN#@jF^ZV=UH| z*JmQTz&_cjlGw@M3YU0+hC{G*C$4ERboQrR7e|hYK%Mkghw^RtaFLddtYP%p(qMsN z#`j(BN$)xTqmzzx2C*0H4HGpjM^m-SpnX;DZC4&xrxyy3j23$|0MjSr;d*?X4eoiv zqruM#i_@;MXmV9St-P>ML;2O5Xx53X(7HP8iGrSst5j}(jrG>meBz$N*_RcanT^1t ze;`{1mo4Ds3&Lah)y4gNL0p!ylTh`AjV}u>=`tB|RtN@}&J( z9f_ZBWbt{ zzhTVk<&x}pPaW~fs5<#!Rx3Mb){;WEWaMFRaS`hUC-kZ)7Q?XeV>2Fk0ob*w*N;_eQxw#h>8`cV}>+)Gc@mrP(4M zyL0QrWi5!$M__Owk-IBn!A$P!tvS!epbEve)(Re3$+)%sj9K0=8V+bro$=jvIjUY( zmm7QiZu6>ehW`lq`a;1*S)aSwrbQbMvUDdd@O#vmX`CjHA`dzIfI#HmU0@gi)BpNk zHU#^oZq(LnS#h0YzvrdTyH*g1-Ry;H`c(=HBTw0tfe)2|=Q(s7GxQ)>NF+&y>_W*)Q75(hmA}^>bJi+n=X-c_-pM3Y+yZSEq)y>4<`h!qI%B`ijky-~)3z_ovWAWwWVltllzQ-w^Q zFRxjX;J87`W%DuN3p^*VO>bf>6)r=MsG)Ru+K#y|Dp@e@_-4tkCV(vC`%v>d?<8th zZCtM)Q3P$m@Z-sAc(ww<#8bhyN3+lMITZ%8xFniKKbb6ww+ss0gqAJ0IC6uU1(Gzq zB^EuOoe+JsY4EafFW>feIg4#M7fdZb>@!NeGs{9`9w^C*%w}^WONmb=q~EuGCJH_7 zcKA|C1-edlKQ1yX%vXG%>3i?TZL)k!G1bBzcw&yD<{!EPaBzjfRMk+Qq|cz^GxWHd z_}-%|x`nFboUiv^aU|s6FJbS&w$mQ;5pr?`#$tN2Ix{-UZGRJ^GXQok4}Y=@lq{uF zdQ<@dL#|8#zO(mL84p~!m1jb#7tYde&QfIPC?99>D#zo;8TTiBa%B=LEtUdtbiqpH zsI#!;S>&>x`s@=_U-$$qdkYuEETtao-r+`GO06#B`-L2zgWge6Is=>Nh9=f(w^_L%5eUe|^F_vp8D%UB+PaO!BBzJhsz*wl?F}G{6`G1j1-bjkvQh zg72>(pR3G85{1W[(x6a8Kj(S={1$nwWsT3GSX5e>C`kg1B{EQ?t7`4_{+2Uo3u zy4P$;zs<9gMi3(?Nd6d06y?y*`7agAe|_T7E^$|K*|KyGLu`sa9dTqgZ{hM;!q7hi z!Dc1mC-u-J*-Mtz_}GNJ*ZDfX=++!5o#$`ZBFvG#+0~hs$#pFJ;AnCw`uE7cFm&l) zK(&75>&@L8=!fksh3|e7@D~|7y}%S9w&ZIlFZ3(^Kfgq!p@hM;RBHae|Hk7G*ayhS zFTVBAPK`vO=9;nnAy|FXjsw1ove`WVOolIdq=IVHi;$acK& zz8CTz?{h_=VIg71iP#N5L+{^BAtCmon0^SH;%!i%rvNQ{(7_+RQ(c%}z3m2;QCMfv z(hrMsJvsZLL(+fw;x?q8RY_r(33<_ai3QKukvD%;12Bddkxe`K%KK>6LiXEF-qp~` zs1_`FlQhKuy#z{qICda_z}bpvc#K(z77!ossw1ZfDyMvm-B8lT;PAM$|4H_u3=-sS zD$eZ#5XE-bWNfv8V@sCL1Kbzzh8aR7ispUZ2!xJHfQ#=+^{e2Qjlbdwx^4am7>Cg{=2ifM@I}ovoNlYp5z+moF z0#M1{3(9zOd+2b+2!r9I2iVcFE1QlKZQetAn@F_PaUJD1TEu5aof9ZCsL7~0wa(be z`Y-MQv)dVVKjA5v05L!v`7{Sm7Hp(1&#Z8ZN=X?IfFzVeOd^;O7r7wzTbe#OSSiRf zH`)$xt0bP)>7-Fr@fMKs7%gJey$mLvkpYQNYrN^zbL+PTRnKvOs>=(DRGxu6$@!1? zps8kSIxhgML7NoCifu-8;T8@EggB(UqT>j_BG9YA#j+_d@@x|1QMe_8v4En5AfNDs zzdTdfBt{1S3eXK|fcHtGS)A@$Y&E>e0tf~+YMD46)1L7a>hIkqC1L@DdwtGVrx^mm zo8E%x8Ma|{(8*E?YMLQ}`*0g*M83?T73^gR=%Ydi4qwwHI2FzfHlYbMUoAEvV=^Uu zZ^4rT|3-;GNU|Gn%n;GURpr@mKF&HDYC7RB#?m4dCidY)3juOp&0~UK_#rUnw(D2> z%QjwIP+#8ltH#F{YT@3z3^3v4;Z0v&zA$4|egP@GM10W8>q_`E!5G@~u5vw8KWlzw zNL&>*aOI2-B>v(9Tyj%N+(<`!;qKkq5xjHlyLHYwUxkp#$vwik z1GoE&;e))x?ssN)5a=LfI6TxtBq7Qq>AHEhk!BRj+5Yd|{flkwmC#>}*n$2p3wQ4Y z^Y9tYPE z5dZ3e-=gucHgWM4!H~8p zz-RQk=8UtzN_Ee};uYiO9h-2aYA}a%qgWJN_&J+@GA=>&;R@AqTeFMtl!&xk56@?i zgf3A`+XKdk*#ufctR2Cbl*JSNYX=?z5Q(Ul#b%8W@s%&dTVgI*A_zAG(R8;*iibl& ziS7}ek=8@wFVeDHLD#bx;J=Bu&?hrm6m~^z@_Z4k-6^V-6w(ws1@f)&*%=w(|9hZw zK?0ESlAeuZOA*2*KS1%-mPr&~h9?hCyae!mnP2w*CRapGAC!L%BwSGKU$Rs>O^Ma8 zc1Hp5h4{hE#L+Pl@v_<$Sld(wS%MA^*30#t|b3 zoY~N2K)--;kPBrK8z5FKcI8~|uYD-{Yaf28&?~>*SpA=QLn)SL8jlih8iw`*YVr2_ zZ>^QbFZVV=oMV=!HY;zQ?|QXR@hor z#M_?}>lnu0&|&IZ4`g^+I{J3DP%I;EqC}D8I{)YxM9xvxCD+Bf6M5V3!Fi|`Zvn|i z7jrNb7}w(QC!0z?Q4#^7?7csojt0Q>9NypD)x~<5%~d_yU7NsgQlQx#7(X9EHbkxJ z%u{Rp-I#1CzAWc-Ecwwkfw?=^k_Pq}lx{Ur+{uo}HWl@KrHb-0wo@aDRLaNPZ{3jq z4Hr5?gFa9M7R&!ZNu^kB@DlWQfMe+-Y)|_JsvFu*-joi3;WIb4LH9rSNM`II!E*U} zCNS%&369Yyw3Gyr&1JR9PVw5{ZM}At>n$k&OI*iT<>ojgaD3zuo>{^;K?I0`Iz?8W zzM`YiEXIUQtw@;!P>1v{U)I%j^j&u>d8hyuKRH4ut}U++vO zR2Y3Dv*2?&J*?|!i^nzz38AmcItbu)*O9yKB=v z;-&wmFq$`j`q@pkGDWSAZk!8M1j~M){mg(o`O4ACE?87V0_5W<&DGze1Vc~Ksko1L zIJ@c&A3#1IV6Y)uy9K-fk_n~>05LP0dxLm5;mkpAWB}kSjrQ3!8R_{61-76>kvbAA zQF|XGPgV<**Yf)=AfW|Y+QTuZCNMQD)U!@vJ?L^cW>y0rC3*9paSe*L2zJ_Igtzb9 z*l>2%Cgrfqqh;(bD`ikp_YE)!^Ho)L&(6e7yEEd{<{Gd&V$UE=@>W~&r-yC^*ZW=M zw=Z9(M7cFUr#0z4Lu)pr4{-4G%EBEP4&7~gahQ@*g4!<6nRs0Xb=JS)HHbxf+5)J6 zh?P0D*;Eh6DqChwLYT_LT2qRYs2)#+${Itah0#T;V;(*NQabcMu287jVqWl~{ejw1 z$@y)a{wB~2;Ytb|yh?r>wZWDmgj*W|bsm`w(@ve$7s68@Z{~}4pz=&(uhg(nXry~F z8zG#`V=#w9mn+q;Iv^6tG?oq#W`ET4qgu^}a>@OUWj)*oukDkB?}=-{(u%{s0WdIDevDZg_(Z9pn)c8-`iT z_C#YIMSKzaE^R$OD4dJ6#y9hYzgrbT9u0rXH0s?r&np9_ICEI&+>j{JUdMYn&@o!~ zY!2AHO96%$MUyOomS-EP3G3NNZDtk5?e^MCQBr%|bK@A!et((F!LchM9ah1!7^9^a zi>nMF8K93Y7F9#Py(G1qjb$*yr>xiS?)uo-aAuIKr2nA@9&-`*3%}y%k?i+l?vtE* z>!8yHOTuC~jw8sbYI;MtJ`z3XBqb#CXx|Z?4{cXhBZ=$+geijB1ysq0yXq)-6ZG!& zyFMA1cF|H;9P{a@&dJi6X*D7Ug&xDu9CF)8XN9ec=SSo)?+a-N!74O)hWjzjp^n$f zg(aI!Q5#2MUl^IL%qV54P{37^(`pd*2#R6DP03G@JdrYMkT#kSV*F@&O zrxf#B2r1GFb7f6Nk=4|XqQe?W`ST7%zSD=pc^qRKBR8*%ym z(uYoeNb%pk=KrXoL=(LV2A(#gX!V%T={ynb$}4>*L4zHgYnr%_nq-k=pBN_Jm&kL! z!;wj1t(m$~>zvh%;=uQ}do{l?X(d0Px0SH9tT?}GXoe?q`>F*kmsNK~%!0wiVfhhJ z%(Lv1jZW?hdwq7rHLR-$UWKw~Az7QU7IA?aBBQAh^Y)Jx*-WZk6#AMK=xF63xC=NR61qV#4IG^n1SD`&tUx4G*h3?N%7EEMlY z_FAR3mk?((Vx=a;4KkkjQ;$@c$I0{g@)pyGcfBsv#UI8s&?8`u%F2C^)Cvc;oeeLd zCXF$A%g5}w<>QJDG>KmKPszxAta>Z=4oT1vyN4^8F0Yq;KvK$RHb1;5e@QS~KsmlW zO!hMQQ_wE>_!mdLdWtqg6-z?Md?d2xuzb_%cHLW3EBAUNmq@#2%q+!1`9)eg0*l#I z&MC(ah>x@c#mwy2h>qC!N&~y5(={VPm>0n_x?KSIO9EUd5Z*Mk z65i{x{MKx~PV8ekLi5OPBnczW$`aJ}z>}2NGLxieJgsnHCBObMhBIB){T|Cjkd~Q$ z(~=KTrQE}7wS5i@2F%D!jinKrEEq9Q&VzYYKM^!y#r5#Wgu>?2y%f>rabogFVjp#+ z?TB}(x$4pLP}!KZL1MTE!J=V6BvEWq{>Sx4+BL&W-N#!}3#rA2;wrf0DHl>DibMIx zk_r$1uPat2H6QU*`nqHUp3i4pT?}T0gn>Ttf3b@PG@2YxgXh+Wrj>nrr2yA_<#nS_ zXz)a}v{X^Pc-}t~+Tiv#0_t$CBvFyA+CxOzFS!^zq5u!94Mo z(~6k-z`f0h0(wlAd9N8cF?h!S!JZVWB(M8AP&~!fq%&sdU_h@@37XE7XHHdL$RDEb z9P}Iav_u|bV;?GG%)x+4C1hVMLz)U7vI1>_YrX{hY#Z4i)2_?PW-m(hV%{sxf1_rO zbdv%bj89u#lIpN#zS~;08>Ds(%&@$)WNhw*SdWV6$z5R%jLcMe|D}2IG*#l;b8qUm zkWWx&5p;+B32{AV_qw&6fOvW=v&zeBcQ>aSbVJ?WtHk#b%0kJ{%+B|JvsXMIAnRUC zJoL_?=2j?|I8?YP5wl8YmP01`B4~_2$p#S3r#BDMZdjmB{?sF_YJZ>iq~|CE?>1Jr z=6MZ45q>p+D*;lAY0UQ^6O6??EYIJ*vK}IOgBno}5v#hD{N`>PL0|KaLP7IoHk9QFZaXz3EI5QyEoUB;6Li=sHo7^o@|^Bp#P1ByeEb@QMA}w0 z2xy`^z&N0yQB~w<(6xE>qLk_%|f>3*Jrz@i(wElsE28 zBL8n3@$9LTv7nIv;=r3VpPv7Q3xDC^rNrO~B965Gk!PFoC!9KSRS5$MA(l+d0*(Kx zkG~p)wH|pvzPmOR)u&(-0+tlNlJ#Fau375OW__ULM^mN$hFUDhLAF7;YlN`G_M85x zv_!xUsee)co$mE7YIi|w?UU$iWz_zh_bkz?TVTWKEt2+VhB!kZG2485Ty)j;kko zGgCU7G#8P)tA?^4DQA;EbZ-NDlg0~~Dr~QdgB5Z&CAJg|>VOtCigwdLR`Dt3Atyw` zsSDp-#gEiIOky3(PK}PR*8Y>1sEQxy&c4VGx9bQdGS+N*HwO#ZKfY2HmHW1A-TQ8P zE>3v6O?iKDU$J`oNtbZlDbffvkHc1JU^uPs$@~-C_#NV)KAUQ5rDIseaqUbLk6pa1 zzGJtKFRw&k8RL}w6lS+1JsO)gvCmfSNEICF&Kx|05{hMwxWDcn>VLTR;&#h-ue}%w zRJpZCtK2BOYWybK=Ql%5$J(|Q)>HA;s9Y+Oz-9673`r8FJ}=1>u<+v{qui%gJYY~S zwEl2+cK11LvCCHp7U_o!o>QjyWx0JSub&K?;Sx3twm#do#$_P3hrlem7%jrz=;tph z?h0p6IXu!)cMm5(V}j$NsKgoHdNY$Hq5bjT{l#|KX`)ClVVOgBQm&IWo#ZfZBJA4d zuDN%^x+jGIKp3ZSMfoO~qWP|DS+VoxVeTwubQ{rdY?!79yv|#l2VorO#V?*F}(aY+FS@DsE6GGP$ zGcbfCTrQ^nCqr2fzfwmXl^$9N9^WJW>9!n2K=HY`gFRnqP@Nep#rK@b46_mCn*;mR zO1b=iRr-}N$~K-bf-y6Tv8pMvPuQdcS2`z;d2yso+uxvR2oj7ZCpM6E z*vME$1J%#fpMOh54=V9HXh~DK-SZ_K%yG@kGpRbi(3>15P=pNPlU0l@9X4@#h#bFf z8BB`+uYG8e-&w<@4NtbwCK=m2!A%8tO8neqpxnOw-?9kkf5s&WU9vFWlIBXSv%%@K7b`TNx)O zhfec-ne1REcxZ@ju?mLMz~Z^kpRzI@Ho%GGge1UJxmQZpuK&616QCG{awTA|?!C#ubI%Hm|9yqSKva|(5x^HHzb46XPVCkf9l*z!NAnfB3?gZlhbXfd4i1# z0MjmuHZV?#eQT$@O}7FOZVrgUWyzr%ja+}=RZ}%Rt-5=fw$u(xh9E7_5&VN?9uvcSYG7?40Nq`YCQYzDOYMZK&|Uauge$}O zHsy85qThPe(3mb4GVOK9>Za$YxNvs_)bee*()#;Rz!o~PB-426l7i-UO9D*|R>Sl= zfAZHhY#cLd1duwt@C*tLRcLE{S$IFX(v?NIS&pRlfa9vN^7SSZ--4xJX-6T{`R$bV zd1$h=3RVX~TI?U3jwYHvi+4#|3AywA{g7{QuR{(8tg83=KtmU=&I76ATesOnrPyljT~ EUl$_QPyhe` diff --git a/versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP6/README.md b/versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP6/README.md deleted file mode 100644 index edf52a6c..00000000 --- a/versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP6/README.md +++ /dev/null @@ -1,123 +0,0 @@ ---- -slug: /MEP-6-dmz-networks -title: MEP-6 -sidebar_position: 6 ---- - -# DMZ Networks - -## Reasoning - -To fulfill higher levels of security measures the standard metal-stack approach with a single firewall in front of a set of machines might be insufficient. -There are cases where two physically distinct firewalls in front of application workload are mandatory. In traditional network terms this is known as DMZ approach. - -For Kubernetes workloads it makes sense to use the front cluster for ingress, WAF purposes and as outgoing proxy. The clusters may be used for application workload. - -## DMZ network - -- Use a separate DMZ network prefix for every tenant -- This is used as intermediate network btw. private networks of a tenant and the internet -- For every partition a distinct DMZ firewall/cluster is needed for a tenant -- For Gardener orchestrated Kubernetes clusters this network must be a publicly reachable internet prefix because shoot clusters need a vpn service that is used for instrumentation from the seed cluster - this will be a requirement as long as the inverse vpn tunnel feature Konnectivity is not available to us. - -## Approach 1: DMZ with publicly reachable internet prefix - -![DMZ Internet](dmz-internet_public.svg) - -A DMZ network with publicly reachable internet prefix will look like this in the metal-api: - -```yaml ---- -description: DMZ-Network -destinationprefixes: - - 0.0.0.0/0 -id: dmz -labels: - network.metal-stack.io/default-external: "" -name: DMZ-Network -parentnetworkid: null -partitionid: "" -prefixes: - - 212.90.30.128/25 -privatesuper: false -projectid: "" -vrf: 104007 -vrfshared: false -nat: true -shared: false -underlay: false -``` - -### DMZ firewall - -The firewall of the DMZ will intersect its private network for attached machines, the DMZ network and the public internet. - -- The private network of the project needs to import - - the default route from the internet network - - the DMZ network -- The internet network must import the DMZ network -- The DMZ network provides the default route for tenant's clusters in a partition. It imports the default route from the internet network - -### Application Firewall - -The firewall of application workloads intersects its private network for attached machines and the DMZ network. - -This is currently supported by the metal-networker and needs no further changes! - -## Approach 2: DMZ with private IPs - -![DMZ Internet](dmz-internet_private.svg) - -A DMZ network with private IPs will look like this in the metal-api: - -```yaml ---- -description: DMZ-Network -destinationprefixes: - - 0.0.0.0/0 -id: dmz -labels: - network.metal-stack.io/default-external: "" -name: DMZ-Network -parentnetworkid: tenant-super-network-fra-equ01 -partitionid: fra-equ01 -prefixes: - - 10.90.30.128/25 -privatesuper: false -projectid: "" -vrf: 4711 -vrfshared: false -nat: true -shared: true # it's usable from multiple projects -underlay: false -``` - -### DMZ firewall - -The firewall of the DMZ will intersect its private network for attached machines, the DMZ network and the public internet. - -- The private network of the project needs to import - - the default route from the internet network - - the DMZ network -- The internet network must import the DMZ network (only locally, no-export) -- The DMZ network provides the default route for tenant's clusters in a partition. It imports the default route from the internet network - -### Application Firewall - -The firewall of application workloads intersects its private network for attached machines and the DMZ network. - -## Code Changes / Implications - -- `metal-networker` and `metal-ccm` assume that there is only one network providing the default-route -- `metal-networker` needs to - - import the default route from the internet network to the dmz network (DMZ Firewall) - - import the DMZ network to the internet network and adjusting NAT rules (DMZ Firewall) - - import destination prefixes of the DMZ network to the private primary network (DMZ Firewall, Application Firewall) - - import DMZ-IPs of the private primary network to the DMZ network (DMZ Firewall, Application Firewall) -- `metal-api`: destination prefixes of private networks need to be configurable (`allocateNetwork`) -- `gardener-extension-provider-metal`: needs to be able to delete DMZ clusters (but skip the network deletion part) -- the application firewall is not publicly reachable - for debugging purposes a hop over the DMZ firewall is needed - -## Decision - -We decided to follow the second approach with private DMZ networks. diff --git a/versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP6/dmz-internet_private.drawio b/versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP6/dmz-internet_private.drawio deleted file mode 100644 index 7b83bbfc..00000000 --- a/versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP6/dmz-internet_private.drawio +++ /dev/null @@ -1,178 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - \ No newline at end of file diff --git a/versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP6/dmz-internet_private.svg b/versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP6/dmz-internet_private.svg deleted file mode 100644 index f5e58204..00000000 --- a/versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP6/dmz-internet_private.svg +++ /dev/null @@ -1,3 +0,0 @@ -
Machine
Machine
Firewall DMZ
Firewall DMZ
DMZ VRF
DMZ VRF
Machine
Machine
Firewall A
Firewall A
Private VRF A
Private VRF A
10.0.0.2
10.90.30.129
/0 via Firewall A
10.0.0.2...
VRF A 10.0.0.1
VRF A 10.0.0.1
DMZ Network
10.90.30.128/25
DMZ Network...
Private Network
10.0.0.0/24
Private Network...
import /0
import /0
import 10.0.0.0/24
import 10.0.0.0/24 -
Machine
Machine
Firewall B
Firewall B
Private VRF B
Private VRF B
10.0.1.2
/0 via Firewall B
10.0.1.2...
VRF B 10.0.1.1
VRF B 10.0.1.1
Private Network
10.0.1.0/24
Private Network...
import /0
import /0
import 10.0.1.0/24
import 10.0.1.0/24 -
10.90.30.129 is reachable
/0 via Firewall DMZ
10.0.0.0/24 is reachable
10.0.1.0/24 is reachable
10.90.30.129 is reachable...
Internet
212.1.1.0/27
Internet...
SNAT to 212.1.1.1
SNAT to 212.1.1.1
Internet VRF
Internet VRF
import /0
import /0

import 10.0.0.0/24 no export
import 10.0.1.0/24 no export
import 10.90.30.128/25 no export
import 10.0.0.0/24 no exp...Viewer does not support full SVG 1.1 \ No newline at end of file diff --git a/versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP6/dmz-internet_public.drawio b/versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP6/dmz-internet_public.drawio deleted file mode 100644 index 544939e5..00000000 --- a/versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP6/dmz-internet_public.drawio +++ /dev/null @@ -1,184 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - \ No newline at end of file diff --git a/versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP6/dmz-internet_public.svg b/versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP6/dmz-internet_public.svg deleted file mode 100644 index 5e825081..00000000 --- a/versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP6/dmz-internet_public.svg +++ /dev/null @@ -1,3 +0,0 @@ -
Machine
Machine
Firewall DMZ
Firewall DMZ
DMZ VRF
DMZ VRF
Machine
Machine
Firewall A
Firewall A
Private VRF A
Private VRF A
10.0.0.2
212.1.2.3
/0 via Firewall A
10.0.0.2...
VRF A 10.0.0.1
VRF A 10.0.0.1
DMZ Network
212.1.2.0/27
DMZ Network...
Private Network
10.0.0.0/24
Private Network...
import /0
import /0
import 10.0.0.0/24
import 10.0.0.0/24 -
Machine
Machine
Firewall B
Firewall B
Private VRF B
Private VRF B
10.0.1.2
/0 via Firewall B
10.0.1.2...
VRF B 10.0.1.1
VRF B 10.0.1.1
Private Network
10.0.1.0/24
Private Network...
import /0
import /0
import 10.0.1.0/24
import 10.0.1.0/24 -
212.1.2.3 is reachable
/0 via Firewall DMZ
212.1.2.3 is reachable...
Internet
212.1.1.0/27 212.1.2.0/27
Internet...
SNAT to 212.1.1.1
SNAT to 212.1.1.1
Internet VRF
Internet VRF
import /0
import /0
import 212.1.2.0/27
import 10.0.0.0/24 no redistribute
import 10.0.1.0/24 no redistribute

import 212.1.2.0/27...
SNAT to
212.1.2.1
SNAT to...
SNAT to
212.1.2.2
SNAT to...Viewer does not support full SVG 1.1 \ No newline at end of file diff --git a/versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP8/README.md b/versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP8/README.md deleted file mode 100644 index 14748fae..00000000 --- a/versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP8/README.md +++ /dev/null @@ -1,503 +0,0 @@ ---- -slug: /MEP-7-configurable-filesystem-layout-for-machine-allocation -title: MEP-7 -sidebar_position: 7 ---- - -# Configurable Filesystem layout for Machine Allocation - -The current implementation uses a hard coded filesystem layout depending on the specified size and image. This is done in the metal-hammer. This worked well in the past because we had a small amount of sizes and images. But we reached a point where this is to restricted for all use cases we have to fulfill. It also forces us to modify the metal-hammer source code to support a new filesystem layout. - -This proposal tries to address this issue by introducing a filesystem layout struct in the metal-api which is then configurable per machine allocation. -The original behavior of automatic filesystem layout decision must still be present, because there must be no API change for existing API consumers. It should be a additional feature during machine allocation. - -## API and behavior - -The API will get a new endpoint `filesystemlayouts`to create/update/delete a set of available `filesystemlayouts`. - -### Constraints - -In order to keep the actual machine allocation api compatible, there must be no difference while allocating a machine. To achieve this every -`filesystemlayout` defines constraints which specifies for which combination of `sizes` and `images` this layout should be used by default. -The specified constraints over all `filesystemlayouts` therefore must be collision free, to be more specific, there must be exactly one layout outcome -for every possible combination of `sizes` and `images`. - -The `size` constraint must be a list of the exact size ids, the `image` constraint must be a map of os to semver compatible version constraint. For example: - -- `debian: ">= 10.20210101"` or `debian: "< 10.20210101"` - -The general form of a `image` constraint is a map from `os` to `versionconstraint` where: - -`os` must match the first part of the image without the version. -`versionconstraint` must be the comparator, a space and the version, or simply `*` to match all versions of this `os`. -The comparator must be one of: "=", "!=", ">", "<", ">=", "=>", "<=", "=<", "~", "~>", "^" - -It must also be possible to have a `filesystemlayout` in development or for other special purposes, which can be specified during the machine allocation. -To have such a layout, both constraints `sizes` and `images`must be empty list. - -### Reinstall - -The current reinstall implementation the metal-hammer detects during the installation on which disk the OS was installed and reports back to the metal-api the Report struct which has two properties `primarydisk` and `ospartition`. -Both fields are not required anymore because the logic is now shifted to the `filesystemlayout` definition. If `Disk.WipeOnReinstall` is set to true, this disk will be wiped, default is false and is preserved. - -### Handling of s2-xlarge machines - -These machines are a bit special compared to our `c1-*` machines because they have rotating hard disks for the mass storage purpose. -The downside is that the on board SATA-DOM has the same naming as the HDDs and can not be specified as the first /dev/sda disk because all HDDs are also /dev/sd\* disks. -Therefore we had a special SATA-DOM detection algorithm inside metal-hammer which simply checks for the smallest /dev/sd disk and took this to install the OS. - -This is not possible with the current approach, but we figured out that the SATA-DOM is always `/dev/sde`. So we can create a special `filesystemlayout` where the installations is made on this disk. - -### Possible Filesystemlayout hierarchies - -It is only possible to create a filesystem on top of a block device. The creation of a block device can be done on multiple ways, depending on the requirements regarding performance, space and redundancy of the filesystem. -It also depends on the disks available on the server. - -The current approach implements the following hierarchies: - -![filesystems](filesystems.png) - -### Implementation - -```go -// FilesystemLayout to be created on the given machine -type FilesystemLayout struct { - // ID unique layout identifier - ID string - // Description is human readable - Description string - // Filesystems to create on the server - Filesystems []Filesystem - // Disks to configure in the server with their partitions - Disks []Disk - // Raid if not empty, create raid arrays out of the individual disks, to place filesystems onto - Raid []Raid - // VolumeGroups to create - VolumeGroups []VolumeGroup - // LogicalVolumes to create on top of VolumeGroups - LogicalVolumes []LogicalVolume - // Constraints which must match to select this Layout - Constraints FilesystemLayoutConstraints -} - -type FilesystemLayoutConstraints struct { - // Sizes defines the list of sizes this layout applies to - Sizes []string - // Images defines a map from os to versionconstraint - // the combination of os and versionconstraint per size must be conflict free over all filesystemlayouts - Images map[string]string -} - -type RaidLevel string -type Format string -type GPTType string - -// Filesystem defines a single filesystem to be mounted -type Filesystem struct { - // Path defines the mountpoint, if nil, it will not be mounted - Path *string - // Device where the filesystem is created on, must be the full device path seen by the OS - Device string - // Format is the type of filesystem should be created - Format Format - // Label is optional enhances readability - Label *string - // MountOptions which might be required - MountOptions []string - // CreateOptions during filesystem creation - CreateOptions []string -} - -// Disk represents a single block device visible from the OS, required -type Disk struct { - // Device is the full device path - Device string - // Partitions to create on this device - Partitions []Partition - // WipeOnReinstall, if set to true the whole disk will be erased if reinstall happens - // during fresh install all disks are wiped - WipeOnReinstall bool -} - -// Raid is optional, if given the devices must match. -// TODO inherit GPTType from underlay device ? -type Raid struct { - // ArrayName of the raid device, most often this will be /dev/md0 and so forth - ArrayName string - // Devices the devices to form a raid device - Devices []Device - // Level the raidlevel to use, can be one of 0,1,5,10 - // TODO what should be support - Level RaidLevel - // CreateOptions required during raid creation, example: --metadata=1.0 for uefi boot partition - CreateOptions []string - // Spares defaults to 0 - Spares int -} - - -// VolumeGroup is optional, if given the devices must match. -type VolumeGroup struct { - // Name of the volumegroup without the /dev prefix - Name string - // Devices the devices to form a volumegroup device - Devices []string - // Tags to attach to the volumegroup - Tags []string -} - -// LogicalVolume is a block devices created with lvm on top of a volumegroup -type LogicalVolume struct { - // Name the name of the logical volume, without /dev prefix, will be accessible at /dev/vgname/lvname - Name string - // VolumeGroup the name of the volumegroup - VolumeGroup string - // Size of this LV in mebibytes (MiB) - Size uint64 - // LVMType can be either striped or raid1 - LVMType LVMType -} - -// Partition is a single partition on a device, only GPT partition types are supported -type Partition struct { - // Number of this partition, will be added to the device once partitioned - Number int - // Label to enhance readability - Label *string - // Size given in MebiBytes (MiB) - // if "0" is given the rest of the device will be used, this requires Number to be the highest in this partition - Size string - // GPTType defines the GPT partition type - GPTType *GPTType -} - -const ( - // VFAT is used for the UEFI boot partition - VFAT = Format("vfat") - // EXT3 is usually only used for /boot - EXT3 = Format("ext3") - // EXT4 is the default fs - EXT4 = Format("ext4") - // SWAP is for the swap partition - SWAP = Format("swap") - // None - NONE = Format("none") - - // GPTBoot EFI Boot Partition - GPTBoot = GPTType("ef00") - // GPTLinux Linux Partition - GPTLinux = GPTType("8300") - // GPTLinuxRaid Linux Raid Partition - GPTLinuxRaid = GPTType("fd00") - // GPTLinux Linux Partition - GPTLinuxLVM = GPTType("8e00") - - // LVMTypeLinear append across all physical volumes - LVMTypeLinear = LVMType("linear") - // LVMTypeStriped stripe across all physical volumes - LVMTypeStriped = LVMType("striped") - // LVMTypeStripe mirror with raid across all physical volumes - LVMTypeRaid1 = LVMType("raid1") -) -``` - -Example `metalctl` outputs: - -```bash -$ metalctl filesystemlayouts ls -ID DESCRIPTION SIZES IMAGES -default default fs layout c1-large-x86, c1-xlarge-x86 debian >=10, ubuntu >=20.04, centos >=7 -ceph fs layout for ceph s2-large-x86, s2-xlarge-x86 debian >=10, ubuntu >=20.04 -firewall firewall fs layout c1-large-x86, c1-xlarge-x86 firewall >=2 -storage storage fs layout s3-large-x86 centos >=7 -s3 storage fs layout s2-xlarge-x86 debian >=10, ubuntu >=20.04, >=firewall-2 -default-devel devel fs layout -``` - -The `default` layout reflects what is actually implemented in metal-hammer to guarantee backward compatibility. - -```yaml ---- -id: default -constraints: - sizes: - - c1-large-x86 - - c1-xlarge-x86 - images: - debian: ">=10" - ubuntu: ">=20.04" - centos: ">=7" -filesystems: - - path: "/boot/efi" - device: "/dev/sda1" - format: "vfat" - options: "-F 32" - label: "efi" # required to be compatible with old images - - path: "/" - device: "/dev/sda2" - format: "ext4" - label: "root" # required to be compatible with old images - - path: "/var/lib" - device: "/dev/sda3" - format: "ext4" - label: "varlib" # required to be compatible with old images - - path: "/tmp" - device: "tmpfs" - format: "tmpfs" - mountoptions: - [ - "defaults", - "noatime", - "nosuid", - "nodev", - "noexec", - "mode=1777", - "size=512M", - ] -disks: - - device: "/dev/sda" - wipe: true - partitions: - - number: 1 - label: "efi" - size: 500 - type: GPTBoot - - number: 2 - label: "root" - size: 5000 - type: GPTLinux - - number: 3 - label: "varlib" - size: 0 # to end of partition - type: GPTLinux -``` - -The `firewall` layout reuses the built in nvme disk to store the logs, which is way faster and larger than what the sata-dom ssd provides. - -```yaml ---- -id: firewall -constraints: - sizes: - - c1-large-x86 - - c1-xlarge-x86 - images: - firewall: ">=2" -filesystems: - - path: "/boot/efi" - device: "/dev/sda1" - format: "vfat" - options: "-F 32" - - path: "/" - device: "/dev/sda2" - format: "ext4" - - path: "/var" - device: "/dev/nvme0n1p1" - format: "ext4" -disks: - - device: "/dev/sda" - wipe: true - partitions: - - number: 1 - label: "efi" - size: 500 - type: GPTBoot - - number: 2 - label: "root" - size: 5000 - type: GPTLinux - - device: "/dev/nvme0n1" - wipe: true - partitions: - - number: 1 - label: "var" - size: 0 - type: GPTLinux -``` - -The `storage` layout will be used for the storage servers, which must have mirrored boot disks. - -```yaml ---- -id: storage -constraints: - sizes: - - s3-large-x86 - images: - centos: ">=7" -filesystems: - - path: "/boot/efi" - device: "/dev/md1" - format: "vfat" - options: "-F32" - - path: "/" - device: "/dev/md2" - format: "ext4" -disks: - - device: "/dev/sda" - wipe: true - partitions: - - number: 1 - label: "efi" - size: 500 - type: GPTLinuxRaid - - number: 2 - label: "root" - size: 5000 - type: GPTLinuxRaid - - device: "/dev/sdb" - wipe: true - partitions: - - number: 1 - label: "efi" - size: 500 - type: GPTLinuxRaid - - number: 2 - label: "root" - size: 5000 - type: GPTLinuxRaid -raid: - - name: "/dev/md1" - level: 1 - devices: - - "/dev/sda1" - - "/dev/sdb1" - options: "--metadata=1.0" - - name: "/dev/md2" - level: 1 - devices: - - "/dev/sda2" - - "/dev/sdb2" - options: "--metadata=1.0" -``` - -The `s3-storage` layout matches the special situation on the s2-xlarge machines. - -```yaml ---- -id: s3-storage -constraints: - sizes: - - c1-large-x86 - - s2-xlarge-x86 - images: - debian: ">=10" - ubuntu: ">=20.04" - centos: ">=7" -filesystems: - - path: "/boot/efi" - device: "/dev/sde1" - format: "vfat" - options: "-F 32" - - path: "/" - device: "/dev/sde2" - format: "ext4" - - path: "/var/lib" - device: "/dev/sde3" - format: "ext4" -disks: - - device: "/dev/sde" - wipe: true - partitions: - - number: 1 - label: "efi" - size: 500 - type: GPTBoot - - number: 2 - label: "root" - size: 5000 - type: GPTLinux - - number: 3 - label: "varlib" - size: 0 # to end of partition - type: GPTLinux -``` - -A sample `lvm` layout which puts `/var/lib` as stripe on the nvme device - -```yaml ---- -id: lvm -description: "lvm layout" -constraints: - size: - - s2-xlarge-x86 - images: - debian: ">=10" - ubuntu: ">=20.04" - centos: ">=7" -filesystems: - - path: "/boot/efi" - device: "/dev/sda1" - format: "vfat" - createoptions: - - "-F 32" - label: "efi" - - path: "/" - device: "/dev/sda2" - format: "ext4" - label: "root" - - path: "/var/lib" - device: "/dev/vg00/varlib" - format: "ext4" - label: "varlib" - - path: "/tmp" - device: "tmpfs" - format: "tmpfs" - mountoptions: - [ - "defaults", - "noatime", - "nosuid", - "nodev", - "noexec", - "mode=1777", - "size=512M", - ] -volumegroups: - - name: "vg00" - devices: - - "/dev/nvmne0n1" - - "/dev/nvmne0n2" -logicalvolumes: - - name: "varlib" - volumegroup: "vg00" - size: 200 - lvmtype: "striped" -disks: - - device: "/dev/sda" - wipeonreinstall: true - partitions: - - number: 1 - label: "efi" - size: 500 - gpttype: "ef00" - - number: 2 - label: "root" - size: 5000 - gpttype: "8300" - - device: "/dev/nvmne0n1" - wipeonreinstall: false - - device: "/dev/nvmne0n2" - wipeonreinstall: false -``` - -## Components which requires modifications - -- metal-hammer: - - change implementation from build in hard coded logic - - move logic to create fstab from install.sh to metal-hammer -- metal-api: - - new endpoint `filesystemlayouts` - - add optional spec of `filesystemlayout` during `allocation` with validation if given `filesystemlayout` is possible on given size. - - add `allocation.filesystemlayout` in the response, based on either the specified `filesystemlayout` or the calculated one. - - implement `filesystemlayouts` validation for: - - matching to disks in the size - - no overlapping with the sizes/imagefilter specified in `filesystemlayouts` - - all devices specified exists from top to bottom (fs -> disks -> device || fs -> raid -> devices) -- metalctl: - - implement `filesystemlayouts` -- metal-go: - - adopt api changes -- metal-images: - - install mdadm for raid support diff --git a/versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP8/filesystems.drawio b/versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP8/filesystems.drawio deleted file mode 100644 index 0f0c6ab5..00000000 --- a/versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP8/filesystems.drawio +++ /dev/null @@ -1,43 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - \ No newline at end of file diff --git a/versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP8/filesystems.png b/versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP8/filesystems.png deleted file mode 100644 index 6d903b7ec9c8c069383846912f136127e54a371a..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 24073 zcmeFZby!u=x-L#hh|(!8>F#a`7bPK}z(SNxX;_4mQqoJ17DPZ05hO&qI|Uaa-67r5 z^&89BXP>?I+4ubJJ@@YO$9W!}^{hFWbIdWm`He5$@BLPoriRkh%hxWWp`l$>QHE-x zpqhg(zfK4W^8GqtXklJGhP0zdvc_=-^;s2LE>#nz*<)di?v#EFJBBukrU_PGA}T?k3cUyJjYK ze}7ib#vE?_`&xbx@n6e8U9N0lV`csO(P9F>C1r2&=i=WhakVxvcl7vm|IbrD<>un( z2<}w)`ATkC*r8pRS{w8`uE?B6dLL z@}@vuB37txU`%rhcktiNecgsBnAH*|CJ;K{*fd_{tG1edn^2v%4wSb z?H1sJTDaQ)?fH+zXm9@e@&7_46yp0mhd-w4ABc|s&$+)=!v6}ZQFmOY=3t0f3?7V+vC5|HBA#2xDDLK(czyhyKIf97y(GEL_pQF?>RQ_UvB?SN#8$KK@?*U&$6_`2M*_UClwr@*j%S z)!gh~F4Di#*MA_=Kd1i7x47W1<^PpP|6&^dmva4Qx(WpQuQ#3|e`7rVk+S|@GoC_! zC)xjuvVsWcpC~H`i~hy?|8E1Ie`H+$uPN*AeDQxrS^ueFbv3v6*DLE^l=HWz|3{Mj zFH%3z;>cSE%T~h! z@Q5)P0;sh3&{!hh4PANn)KpQfAUp}zl8lTLyN9ha2pwxd&=`^Aiou9YMDB`pkL+lu z+B$ce-kH;X(pQ-oSWY^Yh$O+^k!&nT(KL4h1ZzEb33-4mjR@D2w*% z5K0HZAb~79>9RA>VW9q^AA{rMO$>}*hjbXrMA1viAtkqoe?8p4hctSr!-tXx?ay37 zoRqoDMkIPfv%8A+U;P z`1yP~jAT}De8fYC_Gd-}=wS%BSRUE$2X;t-;~o!m^xxv}hvO>4vzqm@|2*(Jo-*9L z4j=c|^Z!Q#Kra7zEhwV$ufI4S<1QW0E^wHrLQo=A*GEfT@4i)Y?&htpIhhV59FL?H ze6TrLJMqcpt9FLx{)koe{`y$;g!>qG%+C4IBJEI>o9)5=m}50_0*t|h+R(2#gwVtH z_y@m6;zRf3Vj4lqNCU6s>?o7DwkXEL>?=SCGKr&?Lfh_mM93nsq>$SqRXr3*pVf^!TBV z7OEcWr9)Nmy7xO@J^r5TuruFjDXs6j_s!n)$$X5`xZBXf#k42qkE_pj`(!)}9BWH` zk6yd>ibp(@F=@i`I9|@F79NB(KXm;p?6COCgMiDim0S`# zweMipwD@C+g4{F>@ddK-IfP`DMw@AV$2J~d5Q%(lLYdQ| zleyypC?XP6E{9Ph32e(c!-qg8=N$t><%j@?`>tlw~`*;drc z(SUe#GA9mW`D|1!R@s-0wE1qgQaXTB@Wt0p>c(8Uxz&Y)YzKR!kLF_?-b9HApl=Tu zJ*j;2{HDa>p7&aD$gY7zKo^aqd%pBkcB0`5LV6$O@l{zf;gVEO)TS)J~@8)Qfs={=urUUTR__n=+bZWi!)TE-Wi}x2O!6UB;ch&Cp zO0pCjRwvSCGAP4So!h8cMBd(c?XXY-UVXvi-R}yeDGns)#B3<*v%Ln-!G$ttMrNBG zOn8)smB
xw+)D(Mjrp)Vmc+ZeAb<7x_eF6=MlG%YLYI4L!@ShPQCJLX3mr2J*i z4@rFQMiVY_d(wNeQh4aWSLyS^xec%YcgNbjg!nKto6%3X`s$})tHq|q8L$ec3|nMo zFpa1~s)756#lswpS8AX5*i5+T@0>@)e-EMc<8uyJq9cS7cD|;ih^9mGd+*x~6`9nRyZ-FdhKI`4MZ*{0oB=sC@Sc= zXt$eHVtCHKh9R-c-PfwyKWK)pb%Yi+UO;{4=81<%8(B=Ud-5|)Pv)&T`mHaV{zOx5|?hcUgA z$|r3NMXZ;N^`?bMvt45@`lpGM1I}ou+Vt1hJ0iXUyjVrM7wo zEVI-qf>yn7oa;_c@d#ETN-cgYAz3sFs#e}}s4DH9?t~#25n@fwXMHjkc6%x-=7_3t zARs^BMOWwMQOK{oTvy?LF2KOQv_=ycn)2j9qlyI^f#EZN8($8-MnnAD6waf-3^+!TKK z)bxAc_1so4TnPW|g4=+HG|z9;dHCCfvXKK9svVBjuQT73jb|i zglzm$2dwrluad~0gy=BQ)nTS77++Nr{+Ke1fi!V;O!+k2Dn~L9@10SuN2u%q$(Nnm zX=PuhDL$A*7zz1RNs6NHaqe9qe)j;pcoIn1o}oHHSjJ~~+lpSYgP%@a6WC13aHhdv zVR5EsB44TVj4Y~-bdD~A(2O1#1EU zs`yyvZHiHRq0_Iy-Aw*x@c)!pvKS;pCOyp#kV>?bAarVS5`Hw$0eL(hv(Y2i2X|W? zbStdge<`_?9yksnoa>>xAG>*6X??c*K}4nYsAKNhc-_UhclpZuyehA~m64Lz%}043 zz8~+e+sc^qv%dD3#U{M52AoEjLdB)Cn`)EJMl_W56|Xt<{0_!lpRW#nNHKW45TAE` z3T#=$L-&!^s2kFw-1VnB{?B6yFF^QngxIg&>EfiUyeO#Na6y^Gy(j%IRC$)mru@7; zP(g$H`Y5^1g8by0OaY#f6pmb@cxnmnR1nH_w;>;TOb92m&rKNHIgEa?SvvKUsXITm zMa5mZ6OvZF*N3uHNDr3YJg@ptKIs)Bbuj7ec(D28VhngEUMu~|9sD!RDtax9+%N)( zTZ_G~J_x8qhd|tuZbkB?Uu?J2ZsZl#xvb`wXndf6puCWQb1V4=gk#;&TXk!X$;UZk z_T>|o9p-`L#$UM&>TiGm<$jRCmreX$F@Jnc8y8u4gBzHa4wE%6_IFG|sV}d*R&xD= zcJ`)xG6U;t_XZ6THeWwEUv{Wmpb#}~Ks#uoajZZEQSb<|og2ZupRPE*%ktBCc4$fo z@zE4;XH0E=OBdrb?%ZB^w7WQVI-Sj1ci2?==v$XB2$FT?toL@9B$~=(kB1VWa7}dy z4#-l9W1aJB-+le~>_E8-Ac-=9_Qdaatf|vp`)kXm35c2IkZNK^#R{bxk6Xx`wb=_A zKbOD{6>$1c{;axof3*AF2?(9nZ}=UWkdmA}0P*X7dB&}fs>L+#UY6!E`>`qzQGWUS zQn=e~Z5a8=XQ#6b<=kEEM?dMW9l#Lh=O>QUh{9(QZYves<>UQzReCU!OWw}UK_DmU zwsKF@tnJEBwTB}roNa$5$m3Tmt(g|-5{9@Vb2fkq$qSxboVQ`GVx4UPKkhQ+d+@4Q zaxPMkqFC&6ifEtT#cTv`m5#1{s~=UgtG>i(X0!LFTLj`QT>cN9^JP1p9%oAtM*KiV5ik`#mqCB{7sYix3v9MBI8cC4o)`f zt8e-q55opPFm_^W?gOIml+Tx!^d%G#*O!5Z=OCqnxf1tBBIV``qLq!+#w=6p*UaFR z3kiZ4Fm$jlR7D>Ruu=X#69terw9=90X}bYtnOPmOQ4BSy%cG zx98Sh%1q zP_7GS$X&tMhys* zMIK9?td-~_5Y&rLI4*BpoCo0Z@a1((cud*zLSk9v=Yi&aaw)8sz3efdr9{1YRb;r~ zY^#}2hxhS-9zBnr*6TOXC&ZAG_43zwM)h^uCjHNFNTqZMMk5ypu`^1C49B3OUaKFh z0-mDx8{9B=^1V1am@13g_tMblC0R{le@i=gzM>#W^A4ibDYZkNtw@StVd)ja?l+ zO{sy_UNgaz;{liOACy>rwo82_=}~YNb)n?ca4Cg7;^s=%@;}>Qon1&t4msLi)QkcE={Zpo}RrC1JT0 zgsFN5SlAl%b2W|{Xw8qwEFvbJ06!28d!Jxfa>qf_xTqV5k=q;9n^oUGr;JS9@W*8lpZZ&fKCCZGLk`G9@tH(iJ627i&m z7etsah0Ej+ScNBR(W5UH#5WC(j}~9s(^>HuCdu%!nG72~< z@jJuA$36S(xNIERB#~r0_3+DK!X3C;su;2hWYbn_jIqT;=+T?vM-?1U_!hx-KGRLR z5vAGMH@L(r4b^>0BiC&6wOZ%K9P5R*{rR*w5VBxv#71Tpq2DiIcmAj~2+Q z%Jx8YvF+4t)Fx--1-{X_N=gv$dI1S~H7vKxi^7OWY2Qk+h>Aq)TY0@ z8ca6KHtO9-Ai$>2zhQWx056go9jg!WoUtv`MEZ9qS{HqKW)YAr#QQl-dQ7D1<58TS zTpg^f$cYYqN>M-nk*K&uC_Uh(e5HlyT)ht0o5bkD0P$U~?5x`>dJ7#w%J45C!v-xl zX^B*3`c=)>!b>q%xx%(X&%aYbJjR_v@a{X(Vq-j8AZpu9-{yY3Bulg_H*X{{FWr5R z3X=y~Ws&3&q<%Wz>fP+!Llr{RUNsX&knpM2%R4jhAk7{PHd-6xDeu(LujSLn6SkC& zq(0@t-?dnzVsy=j0fuB4;$koDK_+H# zyO&6}0qiZ+JJ>T*eGJaP@(2EWTTmQKK^nQ4&m>nZt%HozGXrh)bJ{o*su`J!g#5wAgndoJXjrJR4Y5{KeBg7LHnt!MZEm63_L0mClF z*r9LmZobLRmC|bWGO8NFDO^7Q#eqC)934wwh1g;TL;TqtUD zq33&;RqfZ!zp#EExe=5ki-IDi05 zbn!%Dyl8Hn`I6;9R-3u(qYrr#$goZJg<^&ynk}`CC2dDxnx2j|s9e_eF1GoL3+YT+ z^6sJ2cvfVKA&Q|k$&!OxS zGyRn3^7(~6Xr?BXO;$Dpt87N6b}I*tObfnSSo^>S+ic>PJ^pgormeBZSmKue;~4IC z2C!I4cB`sf-!dgXSKk)FRvkkXHE;0`3JwXPJ(!E9;_>yP2Obk{`)M5Hcj(BGTBmdI z`x;jrkcWTCQu2OyV;dc%GMFS&$TbPj>7qH_xqo~oi-a>CB*ke7sFcRw=fwt@Zyp?@ z(c~1%mPoa0Pxnf0+EH9hkc@-UT|o~c2t)9lF%OiIKr)<`XE8upM2>qqF-(@4Bzg(J z+xZ5MT$HcazZKN2?}G2WSW zBhY#sKQVXR%p3UDJcfhsdH6RjIdg7aqRh*kOzmr@CvcX`%zAg48TYECc41&DZ>Vo7 zXKS*9_}29&#DzE)v}ri~OchzLtn63yRCYNR{b))zf*=j6A1Q?d*M^e{eJ-{QHeq}l z_)gs$;uI0br}{NAFP73X#6uoVFx%Zj`WIsMDwA%#|3c=*(5Isj*T`)I$-K$Q5U@K} zIevBVy%JFQ5ZekY7Dv-(L{E8chd1%wu2h*Y&^VJ;hEKo7%s?a>FnpW!MyKU5M9a$> z&PsMf&7|blOgwQcdv>IJ!p(|ZKLRRe z{K-O$(-;{MmLC8(DndW|=~`K+Qr4{nqm;p_6sky`)9BAGkuFpXQ=S-$+uaY>Lbl~Q@xzkHD6~=ndHva zGxgg_f+0b8HVoUwA5Evkc1_JydZ8q7)te!+S&5@d>ZF^LzV`!s=|#*!4B zl0HDsC{s$Xje}e<-5M!}LvKuQm5NNCbg0sV(W2kk$+g!Uq$782A7E?bW2TiWj_1r} z6Y!?M30U+t8e6&R&I1{)Q9PS}q6g$uBcXYbZq@qAL6hv(_yx(2t6$mnnwUju_+xhk z==Pl+ex48TQ0?u#%VKyx%%b^%G&&3~TwtpuWU0ZP|KbiEBguORzXwu*Qb#BC)R+Ug zU0)Zi_+-i?1kzJI2lAvxvoFfz;nSZf38O2LSl(WqgajTBgc38VY3>-27&;Ks{K&q& zBk^+cVbqS{GYBTf*|E^EeTs5;|EEQVGTBQ|A-Ai9sydql(p=WyJAK z4almoA!OKC`)YW8r!WxJP6wN5-4EDnvsy%hTv8vE(@_;`Kdao6ngz;&<|v^8-(+(j zsliAyBxg8eoNB37g3lR8nv=&ZFq2A~b=-upf(Wf9PEB5H*#JdUOuH=bBjWi^b*wAz%g!#K(pF9SD&sx22Ups?1KV3?XqHZDn=ELl@{tQhn z^lSOf9{ceVH)JEFqy5N`)|xl<{#oJGp`34ycy!8K6al&T{=PgfrCL(b6BPzSmyn7-X4yM~msz7t{<_G2X|M;D87Ghh2NRyYY{ zO|M~e`sy>e7-8pl8WC-l#=Io+5zblPT;khFFp8wF1UC3@{uX8ytmj=K% zW(2=SO9NI+K#G)9h8we+sO|M%=FB&qtDyW)T{PIap`!p2A<|djXxdrn9WSvS;nT2_ ze!U*ciSDJ@!e-6l9I(#EFOVT%L!umkp0GfPt)J=h@k%3{&D_R&bhAvpxyfm4Zv2^)f2OIWB zv%ORimsejHzQ{I1roGU8k~1I=#R+uMd@XPHF($6zfzM-sBoI~+_CfZg*~(WVe0jS+ z+)$CZ^YSdA%6QK*)l&ZwC$>CgHz%zjSKytOLY<~%MW>?P`)dkNrMiw{ANVDOE=wuK z6%p0v=fyFLo#bKSYS2wOq+GJkIKWw|bVWrzlBnzD@?iiWuyAn^B<-slG1xwfit8Mu zCC#Grjg^a4iM}ccx9(~4seGIbA+aJ_UB z0(KPm&BL(ruo>QhY<)kIM29jDJM6Q+wD-Qy*Bfqg%+sDs`9+yqftTA!f}L)`=|(+O zXhiI+Rr#*hS`ba=-Opt7P|X>c!Y78nWPr9~%NNjBv92!Q67-CgGLxSe4kjE^-hVE1 z!rj-RL`3@%HncMM!S;ElrB}j(ng!E+w;q5$B)Fd?5ENVuzn;RYEkbO3v;+|_4^=SO zZ&Q4(wWr);!r+AyMzG&e>`dn0N7dENM>}*on3(N0oGig@!6>_t`#w$hA0RWYYl#}B zO^gYngq^o>bk|8~SbR&!uIsW6+wr;`hLBp%0GC^l*IS>$%b`ly2mXzLI4RjLzjB=x zG4-)?XRrMZ0uEH+|Jz`v$-{dxf4Bhu1APAf#e?sKAubn&+%WoGeSoH8;GX7Tq-i~e zC1X+WJg6uVcrDeKGnnWlR542#^?HNCUz=o$3zF@F9skf9K-Kfs2I?=75;cbkb2-%t z>2av?hf4i^A~!&*iM@FfmqH=A0%ZOJD5AhKiP%dj0Niew+-8y${5#`O@9>EP%eH~;XdXroZ6*Jfe%Q>&B z@Odie?rE7E26w?I0mp_3Bn6DlEy+A|?nrcXF4_rNsG`FczF12hWFsb>A1Fxk4iy^7c%TRtpo%;kge9YPcxu1&C1ZblAkTiROt(+J z#Ih0rk*oqp&`1RUa=i=GQ$!-pZgeBT%d#JmK3;lLpz%t=p_{uLu4ni-yI39#0^k~l zm4RG`wn*v%kIl&qpbMfRlAARpG-6KaV}R%|fr9Z+P*C+VFGnD_p9t$JK%y204IHJt z>i|h2*SNsskUTY)hYX!qIT&mcjwC??Wrj@5mse>-;C}%$q3y&<*G)(nW2btO1=sV= z!TlddATXsO0;#PAOp#7?;0#%oP~h%0wk5y9y#xaX@stV>I9|(@0}A&|0mn3aAx-*V z{A&wZ(=v)EfTC+~-yQea{p>K`5yOHYf`F2^%Vy0k!r)PE_IOF(O#_SNEnZb1_wy+; z{{{{hFqvxR#0ULBm;M&_v~3v!Xt;5v)!sKfQMpEGfD^=Sx2^b7&3oOP(IDf!DNE{n@^2UjE1M zFoa3-vt$dbj2Z54eC#DdfnhJn;PpeEH1?ljszHfn4gcot%YrsunV72q9!9Y&>T1@; zHgu@c0KrT{|5rdWag3Frz+DMp4m@MaqH`wxaROL2DQ;GqwFhMdt2GQe~`A&gb3ccVHSmabi*z;nWo?t0W6~fE?TIH z3Crj71@b~4sA9Rpgk5qrC{vZCHd<;Wa1lX_e71wDfgVSYK)8ZYq>TbV^l+CMAEr76 zq?VT*#&~a?=h}2K1D}}f8E@jN8XGnpZv$I0N|=y?;>BR$hJ7vqkhv46UpO=>H*ax@ z-F?UgNNSfs0Dh0psw{d~0f%%fBjm=)XsNB0D&zSA8jI1sfKyd)7~%{A?1w_{mE4^7 z8imG_i}P6BTriPgqb;CEFw9F6^#JW3yFuK7!(bUDJQzBV4p#CK+AhABYUV~G<5#2a zTjZyfEYMmD_zMvLSc^%Tp8}{is&&Bz0@j&N}#E^wKmGi2^~If-Z8R zh7Y?0@NEDn?lERp5=Fyj{PfHlltP4&o`9@D*&}qNK0xqWFsQxfqPTUJTrKg#6yU~D z#*B>Zmf`~4H=Y8%%19b|JwW`5VtyPC5HHjY&nDfYeeunO)B=ssn> z#lS>NVJQ@x*hudy7Y#JD^}J*6$++6rYs>BOI!E!7@6LYp4B|2H;d&^F0A7QI!)pDXFv&-eL zA~0WDz14)Tj`fvtS+wT4Nz0=beK|Gwpp2{~#`%ysP1YPqT-V{`afMo-g{9`Dk6{rq z<}Q^DZSqyUl%0x~j3p>&Q2)ga^XXeB^Mp<&wHHgcw>U3KORV}tW~6BCjYCp_6a*y! zb;DxZO+%GWHkIPqI-0T`_p7juJex>AdgYUh(eYwGHt=3~{%**Wz4^EuY1
s|)TRD0vGs2UKyg2w47<+D+~{>-Q++BdU4Bq^moVQKCMDk3 z=Ip~2VwdziRP2boRSCGBn+aVu&KMTF61S1oFNNM{QG$T>{nY2Q8~bv_k$46Pi%F*! zn-}MO3G{&obxID2B1Jk`F_+$txU5NH>TR210#U9q`{y<1$E)twQ?dtCc`93=J;2;s zsXC{A*)cGEKa_F2?Q~~tUSi|ng!~*OWKDFoQY^P^^4-PhqD&e4HJ;mlXmp+GU_LmM zAm%cp+>U7D9hx{SGMT+NsK2nUb4Y3#p^e)dhG%33nvI3x^#fLsBL!~0F^qC+sA=*> z0=NF`3=?UXFAc0gY`bNL)jM%GU9HKh?Yp^%2PhgIv*^C3CFGs21ogpTYmG_6CcGO* zC6p@cH$arO?R1Za1aj#BUH#>yH(if2K){!{>L9gO2b4@FMNt2kZb4FHJ&XYHq2$zm zih?AkQS8+`*rs;=rOl)eI{{0T7G4P=F*_ow+~6Qr@r1`PMB~a+qig%ghoq`PxJeJ% zn|Gx}S&NGbh`!=FH?wnU7;LA)L_8fxRJmYQMC!I5N_9`a2)=v+RZ^t6nf<7{KL+y? z%V+D_JExi3-EN{eRrfzxn;@n|Cg5K=68Db~>Hv$!OYtRC8-)=9ZlVcmV^b(W!rkGJ zMs31wcEE`&o*Mxy$dWVKRBe;aAYa+kw{m3Lj$P(QIaPOF`t*IiNuCfbHqmyIyXA^S z45iYx_~(*ux&|Zsjv~;zl-Y;Cj<>XHi*swFvmqO?1teG|InMA3<9#5-m3hNKuW=E0 zJA3z(cLu#{jcq5T&p*2a&(GDftYlH&3rV-){&B>oH)kAqHOTPZl+VF;v*^4JPM4p# z@`<1+s%RZ4uvd#rb)P7nIQ5K5Hl=P3e|qAGHHg2#j3IywB*r&^;U6+2mW4`L` z`C$PbOBoyTc|0|%@mk;|tZvLrbY$eVwZTL9y!S>JDeEZqAgbKNK=0~vz1<^}KqS7T zrsbSs@^K5^Bs_i=#MH#JstaVXOLQ(AwhiAz5enpxD^S3+++(mU6BfQ-8HVt23kAS2 zv8SU&5ib*{FpA~MU%$RH={{ypxr?WztnVCNRfI`9+o!yHxy z6c4Gwn^6=kr4>Hsj|JWQ;^(v_+%ju^?fs3GybqoTW+20yhdw6~t~MokNk2~nCCJ)j zyINUCPu5nhRbQRrI@PBFEYO`r&eTFWzvr@zr{QkFg*V3E3exXh*wxHY*X&L4#YgUB zYitP>5*($G6J`&Pu3k#nHEt8!4esFA*`%T~%B~Oz5$sI}jcvN4X+BJceKfiPBA((x z<(>l{9bFG7`7_9n;tXXO*TdI8S=paTQOxR+`?mq)l@-*?=7YV}Jh~1Ftz2($jXGg+ zd?mAbPuWViV(Bi!A{LTpXk!DPn5d27>hslMG_;+zE5lxbKI z9wIt4Lx}DlVk4zz4imY8&5!$t^Fo_y+Yz9JG2don_bB`?E|BS%9V>V$#JJoNPWM`{ z+OoPV3;Z#0bRS=bN)bgz*$%I7Jl72m4k~myZ=)0@Wwk9^dtv39(1I<#&$+eN7gJT~ zy7)5B%IDIS+jHv-sm+e-L(X=Dta7-J!B=>PiVR<_*-qPp6XYuzLXs*1)5xc=rE+8x zdjQ+jb~aFgzKG}n?o&M@-)|y4#kXiT4ux^UuS8s83zgF}P=Pb;Jz_T^ey0YENc@OH z{LVlI6z7DzNW_y=oRqqo&XCQ^y~3=M&Rn{ittEJiWFysitY=$PB;FZPJzjj9PrL*@ zN@Z}DvH`1?sb~9UP0UBhv|)z0MM{$E$tOGAyz20t*E02wNICiG#8{HvE^Q5=`;-01 zZ&7N@Af`E~nHSfa4OX(=UZZ>nkNFld7d$|SPn1BXUC>bkUB7BdG@uKnwex;OT;Vq# zA4Hg7g5G4IB@O(-BsprhQmsRxv5-Mr7G*?pF;{~dG}WRWEx z?GW%3FkZ(;If)rGh5HM4xZ-`@x!kR?1#Kuc4-O8*N&z&9DGhuqg=fLeM1kpLFP1t$ zuH+RV>i|T#LajoA%PbK(^|Te;S*~eE?h0W(F^r!GOAOzXVb1PmibArOzQA-I?P^G( zQ)%QJ?Y?g`s3y{xv0?cV5_NS*R<$L>KSsxp*wnV-1MZVbru7ogr0 zTFa{nZ$Su^UD4lQ;-hKG06}nBP)Hw5g8WEGYZ`aL5fQoAtm!fdveDTSkxtqWRjYg& z6*cK8rl5(6l=f+z<+<5bK5#*bh0QXlfpUk7?k20EK#g+}@PQB-yfTvY`I$rNfw1G` z_-QLqTokFc-Tpqw$*19@sHN$5l7mG3>2iT8bM+p#ngxZzgYlFK2YF(*#B*?c%fZvtt2!y~uIB=N#w#B&EACV-6pw^2k? zwev=ME_;Gbk?C~J^SQCZ#Ky7BES1=vsb0`=u=XR)2rdOu^#bpM4FV%Eu0kRC1z+c_w~kEJ;hf- zob+9GJU7DyXtIay4b~odHNGZ5>^Ti9F<26*@}%iK*ms+rCM2xzLpGM$DO=oP8!{!P zmtmk=jJVP5a%GULU>*5J$pXFm%h%g*^LNFnn%{m6AJrrfzVt4Rt;Fx=*yRHV?-AoJ zOHI>@>4ij1%plqZSH8_aZFdwMH|K+@*4HnYZ&Kg%d=DS*8qymkQ-H_W#*JLUrx?bT z?O9|JAu%mB)=TBk{W{C_9MMh(C_Y zP*AE=O#Vz+Sqi{}jL{qzQma?XGHg!(6I-Vlta#VwPz7LGX|hqcjEJ1nUk{ z+Cx15b{l5ZuiNxBW`-H+$Z#`53~Uhs2pUn1Oh&cEFQq63wK9BQ2b;%vPd*Ic@?0Q= z*Tt5qw>2E$f)G%hzt3={0fe6_cR!e!T4K$1~CRz6S)w*Kw2 zBAa-l{3YepqpsTP+nfg!{kvhZe4w1WhhPE^m`~4B5xk#B`V%9@je7xR%Dy~w{*hUN zNy2n<0ic46I?ouQuYqu4K-20Y9jc%_ELjIoLFM=i+$=?)X2Ju>T*|1b@jikVNi3;t z!G@6wc-qQW-B|E{ZTdOXroTrWF8c_@p1<{~Gl1#m@Q448hffbq&M)QQ{z)DuQl2(4 zWkh`?hssh2>3=cZEclq-iV(7T_VG_sRSU>Iz`E)te@vwUaVPKkzO_a;JlFBH1c! z8B{h_4ZYWeJ-*1{RDx~`u_6vskJHaKsU&_git6tu9wcCqxr1I0H_pNumtHADzaxv2 zldYL%vqo~u{?qf5&58GU1uHAx@~kXe{}+_qZ-whq_4Q+b4>PVIxgIB&V)W$f8^m+k zeQ#=@m-#zKJga`z)HPIsS=ftY)I3HfFM#3-~dXq_J%08EmjGhLj859ZHN zO%V_P6ATinfOIfx%&z>N1?l<1Dek{qG7@{?YiRe;;N1K{b+EjH8> z{S!4_-<)VU0jMG;lKB0>vMJCi7Z#%GrSy-moA*l}Eda(S%>iKC>gY=(*&%KoTZ=w9 z_i3l(kt)sCg4ka06|-WXRCF((mlJ5>~l77sLb|VZ@!EUUn_2}%DtOYMJ;GqF!7<3VJkA_<4Vew z1xf;w(q})u4z^2mL(Ztq38jBTqi|d`wFZPwk*U<-bfCLqcLMhWC|uZHDgLM_nidhH z-~^iU+%G^7y5UfFWSK`8wx3ZWy+6#z>a8zvdE-TuCKfbZ4HqDr?+id=&jgs_VuHS9 z@_V`CP)0;iSj;batsJHO(_qU6!knFEbpR7$yP?XmbJCNGD3Q^Q1Z$Xk#)qO_q(i6( zNqq>uX|Fc|g#!WUnXz0mR+)I$4HDmV!zX8Mwm21%``*4woCAFNjr>Zb$4BIo#WVtl4*=Rm%EI)(Kf15)QZv1d-!?r&wOdaME6?^mI z)HTG(czGF6R?9nIcSaubCks%=1hgo8*&Hi(bTn!L+{N;VJ81(DL@2^z%6AAA?4GyP zvrm;s@n^&yLX4Jxb;u}H87g?Fj_bJ$$l`+N%f88!O{GMt?SSG7@Sw`MPS)3OK1Olcq`gshGGLK@_K>W^3Q%Ch8N8v^iX?cmeQ zc%`d)7Q>b`KCe39#~up~7ClhOd=owS&KCI2t}t1^U+#2_;4Ulb#OMxu!pI(rNr8s# zo1j@iq1BkU4{B+asyseNjQ6Qdsh5heJ=urO(!^g{;MQ&E-wb^L`UcOXA?F{7sqNBQ zf~G(tZpyt8uC7Gh%)r72YMZS9e3DNROD0lrn!`T^bv2=wMiMmuK;=PkF4|TaCn@XF zYlHRz!(P*J-9d3s)!Udvngt$zc$_f1h|BP ziEXttNWiZQ2B3Zy020cR&xNbXVw#VQ%b37iB;eUij*EE*PWN;e_jav*W~0PYv^*8K z6L*SPF+n3Oy&P=~C=!0?>-Qk;=JG8j#3U{TjVA`BMxHa5yl+0KcA_;6TcFl(biNjP zCWd=u^r^cUd+wdrHwSqJa7@%*PogMWj{^AU9b0f`N$Gn(65=(=O__-E=)K5(^W{eF zDoVwIWw|mjZLwmpFnNt!)yV9!%wCPkC^O;?;~s-tf2{P%7q!&$s4N%;%&OhISC7y3 zL=F4Oq}%~!Y*;`iQwJFY+cOoQnq+sS0|KuGO>S$l2&palsp2Hiv)uVvSrG2TK1=&b zwH9oAbm^`%DGTX8sw%|tsiL8(3hF&uic}xvV#A&Gf{tkVTXs!(or{-@I`Rv1e9c9ck6B}6lq{34 z7c&8xQ(P)fB|x8VNh?wzDLCftJMnuf5+%UIcOc0YNBEqfh@Qa!MLiH*W4*_Xt6iGT zqac-8otT`AT3K&@DQ2{IUQ4SrDuy4+l7O)f#ae&Th|%Oi(bQ5xM%E>Se|p&>W>q2~ zxM&oRX5)&!6h*f5-_?AP&3K!0$q)o1+C*&LNUh6kf9e63YXJ>bQyW#POn(5f%z0}( z6qJzzpbWjG2@*)~i+n;fURZz^QQ{rjK43MK1hZAVLpN_<{(g}X+LJB!rA<}`FmSW{ zBtO~0PcQZ`E)JxcIev+E;M028as*FiTL2|>S-lGMxu%PtaLO&gr+Qkc&I=Ly)FNIv zluK7Pv&8W6!|OWr#0ZkN8p32}lJc#Vr$bpMg|?lamM}8}l0bRv!U54t>T}+$FD0hS z4Y%0$TD<&IoNH`$@>}MolQ;}@Rj$8kDHWeobS4WvQ1=U9Xr7h0p(Rf}uO#W2Krr4n zR}ntUdwTU|iw^xc9w~Egh0|?aL?+`0KO9jmGFYsWKO!5~h`OcEAJRBc!D2K<@|Xh0 zqvbxmQyNrhSX6TekP!xSF)|czVo3%HY>)Sqb0JhIN%YPT zXiXk)N38*q$23qym~E7GC@5+Y&l&@ij5~*(6fC7cX9%( zrFl?sz%r1jnOdJ18>()3>$7BM?HzkP~wvNYUFqI)~!>4bSJp za7V@7*#qFB#->Ua=$|c?JRqZS8ryGS&!k(whHhV>sf|t7Q~S6^PQMUdr(#E(@UUj5 zlE7pefT=H+=u)MMC2E3B;0gC@l=Ff`9EvlWjc~BEfx0+PR}Oz#X6`vyi^;HSN+o^s zJu`ymqXp%-rJ3|>9`OlB zxdz2iWrT&ik3giC#V@h_;Qr|k^_hrn!;28=PMovu(E*vhBrV)_KQx*~1uIE%1=)^S z3clcNv{p&{#DZ~?%4?cFUhZbc;x_BIa%Dm)H@`Ji2&pGPwY5!JF)Lmf#18P+BCLC- zZ)j4&K6s@CU9RJBg{AS?(i^O+_yAdFyA{_!n7EAsl07p6nOXDMVIf7~L>)c0s$Fb) z$Qa%FKsox%!0g0yKVW9|?Z55;%cIW#rubuHVoW}@Bqk<~chqWl=@s!j$;b#rPD^g67PThIlIzVvTR7LF%!={PF=Wp@E!F%vig^}t-Bsa%RhfT1i%%~ z0W?G~2<)w!EDA#YQq3%JnK}EHU;Tw-_-dh$3~|A@KR=rj3hn^}GN0Pzdh!1wID?E? zA|UhCF=izB$+%n$G;k+^@uU4-%^QuE3uIS?)uJmaGBXtyCpFRYmXx)%QIe&|xDB*!CdfJ;_j zhY>s&*aU=-?{NiMZxkt5Lp&u~TEis48r1I{fpDKm9aJ4>6eQONa%1tsAKixb0^&ll zm8LdG**;T~6TI8X?JAEyef7>tQNNn2+S+3uckyJP;`F$C9;Y4-G~0^ zYaVg>Edu^4p)0H0O3y{eTo-#wmuf(s^iKXR*mdd!!7YaL zpM2}sNm2Z#LwJ#o!l~%IIQ)xO zh6*>2e=M6JjrGszibI~tT47>e;lo$jQ_h^Iaw|E5fS%~AbtIkB7@)z~5?hXBDKY6{ z5jHN?eA#>;=y&Ql1llV}MIKhWyMe~e+v@Nv@~fpuY&Ec_M2{x1l@i_@Uf_|kfB;Q7 zf|KqtG2|$-hXGsPFYDrKVXPVnM5SM65|}R)B2evmuOzwPACUQyg#FvtTIk42qK%|| zyw4h@eeHm0Xk|2(l%5Ba=(fM`JfQA)j87GtDOK0K?I?p-m-X97o|yzjb-$EGyhnhzRm0*+gq zZhhDNGY>d8D!SYVc$$buBe2YxcjPY+p#3GUv(L%%C1@E~5%B0O&`53k6yQj0<~bhV5H94PE|4CeM120Qe7~VJTq~wF kXa6SPfTYKS1OJ)lrK(Ngo9!I|JmQ_f)78&qol`;+05laSKmY&$ diff --git a/versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP9/README.md b/versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP9/README.md deleted file mode 100644 index a8cae83d..00000000 --- a/versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP9/README.md +++ /dev/null @@ -1,132 +0,0 @@ ---- -slug: /MEP-9-no-open-ports-to-the-data-center -title: MEP-9 -sidebar_position: 9 ---- - -# No Open Ports To the Data Center - -Our metal-stack partitions typically have open ports for metal-stack native services, these are: - -- SSH port on the firewalls -- bmc-reverse-proxy for serial console access through the metal-console - -These open ports are potential security risks. For example, while SSH access is possible only with private key it's still vulnerable to DoS attack. - -Therefore, we want to get rid off these open ports to reduce the attack surface to the data center. - -## Requirements - -- Access to firewall SSH only via VPN -- Easy to update VPN components - -As a next step, we can also consider joining the management servers to the VPN mesh, which would replace typical WireGuard setups for operators to enter resources inside the partition. - -## High Level Design - -[](./architecture.svg) - -> Simplified drawing showing old vs. new architecture. - -### Concerns - -There's few concerns when using WireGuard for implementing VPN: - -1. WireGuard doesn't implement dynamic cipher substitution. Which is important in case one of the crypto methods, used by WireGuard will be broken. The only possible solution for that will be to update WireGuard to a fixed version. -2. Coordination server(Headscale) is a single point of failure. In case it fails, it potentially can disconnect existing members of the network, as WireGuard can't manage dynamic IPs by itself. -3. Headscale is already falls behind Tailscale coordination server implementation. Which can complicate the upgrade to newer version of Tailscale client in case of emergency. - -### Solutions to concerns - -1. Tailscale node software is using userspace implementation of WireGuard -- `wireguard-go`. One of the options is to inject Tailscale client into `metalctl`. And make it available as `metalctl vpn` or similar command. It should be possible to do as `tailscale` node is already available as open sourced Go pkg. That would allow us to control, what version of Tailscale users are using and in case of any critical changes to enforce them to update `metalctl` to use VPN functionality. -2. Would it be a considerable risk? We could look into `wg-dynamic` project to cover this problem. -3. At the moment, repository looks well maintained and the metal-stack team already contributes to it. - -## Implementation Details - -### metal-roles - -`metal-roles` will be responsible for deployment of `headscale` server(via new `headscale` role). It also should provide sufficient config to `metal-api` so it establishes connection with `headscale` gRPC server. - -### New `metalctl` commands - -`metalctl` will be responsible for client-side implementation of this MEP. Specifically, it's by using `metalctl` user expected to connect to firewalls. - -- `metalctl vpn` -- section for VPN related commands: - - `metalctl vpn get key [vpn name] --namespace [namespace name]` -- returns auth key to be used with `tailscale` client for establishing connection. - -Extend `metalctl firewall`: - -- `metalctl firewall ssh [ID]` -- connect to firewall via SSH. - -Extend `metalctl machine`: - -- `metalctl machine ssh [ID]` -- connect to machine via SSH. - -`metalctl` will be able to connect to firewall and machines by running `tailscale` in container. - -### metal-api - -Updates to `metal-api` should be made, so that it's able to add firewalls to VPNs. There should be one Tailscale namespace per project. So if multiple firewalls are created in single project, they will join the same namespace. - -Two new flags should be introduced to connect `metal-api` to `headscale` gRPC server: - -- `headscale-addr` -- specifies address of Headscale grpc API. -- `headscale-api-key` -- specifies temporary API key to connect to Headscale. It should be replaced and then rotated by `metal-api`. - -If `metal-api` initialized with `headscale` connection it should automatically join all created firewalls to VPN. - -Add new endpoint, that will be used by `metalctl` to connect to VPN: - -- `/v1/vpn GET` -- requests auth key from `headscale` server. - -### metal-hammer - -`metal-hammer` acts as an intermediary for machine configuration between `metal-api` and machine's image. Specifically it writes to `/etc/metal/install.yaml` file, data from which later will be used by image's `install.sh` file. - -To implement VPN support we have to add authentication key and VPN server address to `install.yaml` file. This key will be used to join machine to a VPN. - -### metal-images - -Images `install.sh` script have to be updated to work with authentication key and VPN server address, provided in `install.yaml` file. If this key is present, machine should connect to VPN. - -### metal-networker - -`metal-networker` also have to know if VPN was configured. In that case we need to disable public access to SSH and allow all(?) traffic from WireGuard interface. - -### firewall-controller - -`firewall-controller` have to monitor changes in `Firewall` resource and keep `tailscaled` version up-to-date. - -### Resources - -Update `Firewall` resource to include desired/actual `tailscale` version: - -``` -Firewall: - Spec: - tailscale: - Version: Minimal version - ... - Status: - ... - VPN: - Status: Boolean field - tailscale: - Version: Actual version - ... -``` - -### bmc-reverse-proxy - -TODO - -## References - -1. [WireGuard: Next Generation Secure Network Tunnel](https://www.youtube.com/watch?v=88GyLoZbDNw) -2. [How Tailscale works](https://tailscale.com/blog/how-tailscale-works) -3. [Tailscale is officially SOC 2 compliant](https://tailscale.com/blog/soc2) -4. [Why not Wireguard](https://www.ipfire.org/blog/why-not-wireguard) -5. [Wireguard: Known Limitations](https://www.wireguard.com/known-limitations/) -6. [Wireguard: Things That Might Be Accomplished](https://www.wireguard.com/todo/) -7. [Headscale: Tailscale control protocol v2](https://github.com/juanfont/headscale/issues/526) diff --git a/versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP9/architecture.drawio b/versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP9/architecture.drawio deleted file mode 100644 index adb09214..00000000 --- a/versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP9/architecture.drawio +++ /dev/null @@ -1,324 +0,0 @@ - - - - - - - -
-
-
- Metal Control Plane -
-
-
- - - Metal Control Plane - - - - - - - -
-
-
- metal-stack -
- Partition -
-
-
- - - metal-stack... - - - - - - - -
-
-
- firewall -
-
-
- - - firewall - - - - - - - - -
-
-
- machine -
-
-
- - - machine - - - - - - - -
-
-
- ssh -
-
-
- - - ssh - - - - - - - -
-
-
- bmc-proxy -
-
-
- - - bmc-proxy - - - - - - - - - - - - - -
-
-
- Metal Control Plane -
-
-
- - - Metal Control Plane - - - - - - - -
-
-
- metal-stack -
- Partition -
-
-
- - - metal-stack... - - - - - - - -
-
-
- firewall -
-
-
- - - firewall - - - - - - - - -
-
-
- machine -
-
-
- - - machine - - - - - - - -
-
-
- ssh -
-
-
- - - ssh - - - - - - - - - -
-
-
- bmc-proxy -
-
-
- - - bmc-proxy - - - - - - - -
-
-
- headscale -
-
-
- - - headscale - - - - - - - - - - - - - -
-
-
- tailscaled -
-
-
- - - tailscaled - - - - - - - - - -
-
-
- tailscaled -
-
-
- - - tailscaled - - - - - - - -
-
-
- Internet -
-
-
- - - Internet - - - - - - - -
-
-
- Internet -
-
-
- - - Internet - - - - - - - - - Viewer does not support full SVG 1.1 - - - - diff --git a/versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP9/architecture.svg b/versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP9/architecture.svg deleted file mode 100644 index fd268d2f..00000000 --- a/versioned_docs/version-v0.21.9/contributing/01-Proposals/MEP9/architecture.svg +++ /dev/null @@ -1 +0,0 @@ -
Metal Control Plane
Metal Control Plane
metal-stack
Partition
metal-stack...
firewall
firewall
machine
machine
ssh
ssh
bmc-proxy
bmc-proxy
Metal Control Plane
Metal Control Plane
metal-stack
Partition
metal-stack...
firewall
firewall
machine
machine
ssh
ssh
bmc-proxy
bmc-proxy
headscale
headscale
tailscaled
tailscaled
tailscaled
tailscaled
Internet
Internet
Internet
InternetText is not SVG - cannot display \ No newline at end of file diff --git a/versioned_docs/version-v0.21.9/contributing/01-Proposals/_category_.json b/versioned_docs/version-v0.21.9/contributing/01-Proposals/_category_.json deleted file mode 100644 index ec1a4ebc..00000000 --- a/versioned_docs/version-v0.21.9/contributing/01-Proposals/_category_.json +++ /dev/null @@ -1,4 +0,0 @@ -{ - "position": 3, - "label": "Enhancement Proposals" -} diff --git a/versioned_docs/version-v0.21.9/contributing/01-Proposals/index.md b/versioned_docs/version-v0.21.9/contributing/01-Proposals/index.md deleted file mode 100644 index 9046bdf5..00000000 --- a/versioned_docs/version-v0.21.9/contributing/01-Proposals/index.md +++ /dev/null @@ -1,69 +0,0 @@ ---- -slug: /enhancement-proposals -title: Enhancement Proposals -sidebar_position: 1 ---- - -# Metal Stack Enhancement Proposals (MEPs) - -This section contains proposals which address substantial modifications to metal-stack. - -Every proposal has a short name which starts with _MEP_ followed by an incremental, unique number. Proposals should be raised as pull requests in the [website](https://github.com/metal-stack/website) repository and can be discussed in Github issues. - -The list of proposals and their current state is listed in the table below. - -Possible states are: - -- `In Discussion` -- `Accepted` -- `Declined` -- `In Progress` -- `Completed` -- `Aborted` - -Once a proposal was accepted, an issue should be raised and the implementation should be done in a separate PR. - -| Name | Description | State | -| :------------------------ | :--------------------------------------------- | :-------------: | -| [MEP-1](MEP1/README.md) | Distributed Control Plane Deployment | `Declined` | -| [MEP-2](MEP2/README.md) | Two Factor Authentication | `Aborted` | -| [MEP-3](MEP3/README.md) | Machine Re-Installation to preserve local data | `Completed` | -| [MEP-4](MEP4/README.md) | Multi-tenancy for the metal-api | `In Progress` | -| [MEP-5](MEP5/README.md) | Shared Networks | `Completed` | -| [MEP-6](MEP6/README.md) | DMZ Networks | `Completed` | -| MEP-7 | Passing environment variables to machines | `Declined` | -| [MEP-8](MEP8/README.md) | Configurable Filesystemlayout | `Completed` | -| [MEP-9](MEP9/README.md) | No Open Ports To the Data Center | `Completed` | -| [MEP-10](MEP10/README.md) | SONiC Support | `Completed` | -| [MEP-11](MEP11/README.md) | Auditing ^of metal-stack resources | `Completed` | -| [MEP-12](MEP12/README.md) | Rack Spreading | `Completed` | -| [MEP-13](MEP13/README.md) | IPv6 | `Completed` | -| [MEP-14](MEP14/README.md) | Independence from external sources | `Completed` | -| MEP-15 | HAL Improvements | `In Discussion` | -| [MEP-16](MEP16/README.md) | Firewall Support for Cluster API Provider | `In Discussion` | -| [MEP-17](MEP17/README.md) | Global Network View | `In Discussion` | -| [MEP-18](MEP18/README.md) | Autonomous Control Plane | `In Discussion` | - -## Proposal Process - -1. Before starting a new proposal, it is advised to have a quick chat with one of the maintainers. -2. Create a draft pull request in the [website](https://github.com/metal-stack/website) repository with your proposal. Your proposal doesn't have to be finished at this point. -3. Share the PR in the [metal-stack Slack](https://metal-stack.slack.com/) and invite maintainers to review it. -4. The review itself will probably take place in multiple iterations. Don't be discouraged if your proposal is not accepted right away. The goal is to reach consensus. -5. Once your proposal is accepted, create an umbrella issue in the relevant repository or when multiple repositories are involved in the [releases](https://github.com/metal-stack/releases). -6. Other issues should be created in different repositories and linked to the umbrella issue. -7. Unless stated otherwise, the proposer is responsible for the implementation of the proposal. - -## How to Write a Good MEP - -In the first section of your MEP, start with the current situation and the motivation for the change. Summarize your proposal briefly. - -Next follows the main part: describe your proposal in detail. Which parts of of metal-stack are affected? Are there API changes? If yes, describe them and provide examples here. -Try to think of side effects your proposal might have. Try to provide a view on how your proposal affects users of metal-stack. -Highlight breaking changes and think of a migration path for existing users. If your proposal affects multiple components, try to describe the interaction between them. - -After the main part of your proposal, feel free to add additional sections, e.g. about alternatives that were considered, non-goals or future possibilities. - -Depending on the complexity of your proposal, you might want to add a section about the implementation plan or roadmap. - -You can have a look at the existing MEPs for inspiration. As you will notice: not every MEP has the same structure. Feel free to structure your MEP in a way that makes sense for your proposal. diff --git a/versioned_docs/version-v0.21.9/contributing/02-planning-meetings.md b/versioned_docs/version-v0.21.9/contributing/02-planning-meetings.md deleted file mode 100644 index ef602204..00000000 --- a/versioned_docs/version-v0.21.9/contributing/02-planning-meetings.md +++ /dev/null @@ -1,51 +0,0 @@ ---- -slug: /planning-meetings -title: Planning Meetings -sidebar_position: 2 ---- - -# Planning Meetings - -Public planning meetings are held **biweekly** on **odd calendar weeks** from **14:00 to 14:30** on Microsoft Teams. The purpose is to provide an overview of our current projects and priorities, as well as to discuss new topics and issues within the group. - -Our [development planning board](https://github.com/orgs/metal-stack/projects/34) can be found on GitHub. - -You can use [this link](https://teams.microsoft.com/l/meetup-join/19%3ameeting_ZTVmNWFkYjYtMzVmYi00ZTMxLTk5ZTUtMGFjYjU2OTk0MjQz%40thread.v2/0?context=%7b%22Tid%22%3a%22f9d9b921-8f78-466d-95fd-4495e73d8d65%22%2c%22Oid%22%3a%228ac2a791-e637-4a90-8505-0a1ee175ebfc%22%7d) to join. If you want to get an invitation to the event, please drop us a line on our Slack channel. - -Planning meetings are currently not recorded. The meetings are held either in English or German depending on the attendees. - -:::info -Note that anyone can contribute to metal-stack without participating in planning meetings. However, if you want to speed up the review process for your requirements, it might be helpful to attend the meetings. -::: - -## Agenda - -Here is the agenda that we generally want to follow in a planning meeting: - -- Possibility to bring up news that are interesting for every developer of the metal-stack org -- Check `Done` column and archive cards - - Attendees have the chance to briefly present achievements if they want -- Check the `In Progress` column and discuss whether these tasks are still worked on, there were significant blockers or they can be lower-prioritized -- Check new issues labelled with `triage` and prioritize them -- Allow attendees to bring up issues and prioritize them - - Attendees have the chance to briefly present these new issues - -## Idea Backlog - -The backlog contains ideas of what could become part of the roadmap in the future. The list is ordered alphabetically. Therefore, the order does not express the importance or weight of a backlog item. - -We incorporate community feedback into the roadmap. If you think that important points are missing in the backlog, please share your ideas with us. We have a Slack channel. Please check out [metal-stack.io](https://metal-stack.io) for contact information. - -:::danger -By no means this list is a promise of what is being worked on in the near future. It is just a summary of ideas that was agreed on to be "nice to have". It is up to the investors, maintainers and the community to choose topics from this list and to implement them or to remove them from the list. -::: - -- Add metal-stack to [Gardener conformance test grid](https://testgrid.k8s.io/gardener-all) -- Autoscaler for metal control plane components -- CI dashboard and public integration testing -- Improved release and deploy processes (GitOps, [Spinnaker](https://spinnaker.io/), [Flux](https://fluxcd.io/)) -- Machine internet without firewalls -- metal-stack dashboard (UI) -- Offer our metal-stack extensions as enterprise products (accounting, cluster-api, S3) (neither of them will ever be required for running metal-stack, they just add extra value for certain enterprises) -- Partition managed by Kubernetes (with Kubelets joining the control plane cluster) -- Public offering / demo playground diff --git a/versioned_docs/version-v0.21.9/contributing/03-contribution-guideline.md b/versioned_docs/version-v0.21.9/contributing/03-contribution-guideline.md deleted file mode 100644 index 15a73d0d..00000000 --- a/versioned_docs/version-v0.21.9/contributing/03-contribution-guideline.md +++ /dev/null @@ -1,147 +0,0 @@ ---- -slug: /contribution-guideline -title: Contribution Guideline -sidebar_position: 3 ---- - -# Contribution Guideline - -This document describes the way we want to contribute code to the projects of metal-stack, which are hosted on [github.com/metal-stack](https://github.com/metal-stack). - -The document is meant to be understood as a general guideline for contributions, but not as burden to be placed on a developer. Use your best judgment when contributing code. Try to be as clean and precise as possible when writing code and try to make your code as maintainable and understandable as possible for other people. - -Even if it should go without saying, we live an open culture of discussion, in which everybody is welcome to participate. We treat every contribution with respect and objectiveness with the general aim to write software of quality. - -If you want, feel free to propose changes to this document in a pull request. - -## How Can I Contribute? - -Open a Github issue in the project you would like to contribute. Within the issue, your idea can be discussed. It is also possible to directly create a pull request when the set of changes is relatively small. - -When opening an issue please consider the following aspects: - -1. Create a meaningful issue describing the WHY? of your contribution. -1. Try to set appropriate labels to the issue. For example, attach the `triage` label to your issue if you want it to be discussed in the next [planning meeting](./02-planning-meetings.md). It might be useful to attend the meeting if you want to emphasize it being worked on. - -### Pull Requests - -The process described here has several goals: - -- Maintain quality -- Enable a sustainable system to review contributions -- Enable documented and reproducible addition of contributions - -1. Create a repository fork within the context of that issue. Members of the organization may work on the repository directly without a fork, which allows building development artifacts more easily. -1. Develop, document and test your contribution (try not to solve more than one issue in a single pull request). -1. Create a Draft Pull Request to the repository's main branch. -1. Create a meaningful description of the pull request or reference the related issue. The pull request template explains what the content should include, please read it. -1. Ask for merging your contribution by removing the draft marker. Repository maintainers (see [Code Ownership](#code-ownership)) are notified automatically, but you can also reach out to people directly on Slack if you want a review from a specific person. - -## General Objectives - -This section contains language-agnostic topics that all metal-stack projects are trying to follow. - -### Code Ownership - -The code base is owned by the entire team and every member is allowed to contribute changes to any of the projects. This is considered as collective code ownership[^1]. - -As a matter of fact, there are persons in a project, which already have experience with the sources. These are defined directly in the repository's [CODEOWNERS](https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners) file. If you want to merge changes into the master branch, it is advisable to include code owners into the process of discussion and merging. - -### Microservices - -One major ambition of metal-stack is to follow the idea of [microservices](https://en.wikipedia.org/wiki/Microservices). This way, we want to achieve that we can - -- adapt to changes faster than with monolithic architectures, -- be free of restrictions due to certain choices of technology, -- leverage powerful traits of cloud infrastructures (e.g. high-scalability, high-availability, ...). - -### Programming Languages - -We are generally open to write code in any language that fits best to the function of the software. However, we encourage [golang](https://en.wikipedia.org/wiki/Go_(programming_language)) to be the main language of metal-stack as we think that it makes development faster when not establishing too many different languages in our architecture. Reason for this is that we are striving for consistent behavior of the microservices, similar to what has been described for the Twelve-Factor App (see [12 Factor](https://12factor.net/)). We help enforcing unified behavior by allowing a small layer of shared code for every programming language. We will refer to this shared code as "libraries" for the rest of this document. - -### Artifacts - -Artifacts are always produced by a CI process (Github Actions). - -Docker images are published on the Github Container Registry of the metal-stack organization. - -Binary artifacts or OS images can be uploaded to `images.metal-stack.io` if necessary. - -When building Docker images, please consider our build tool [docker-make](https://github.com/fi-ts/docker-make) or the specific [docker-make action](https://github.com/fi-ts/action-docker-make) respectively. - -### APIs - -We are currently making use of [Swagger](https://swagger.io/) when we exposing traditional REST APIs for end-users. This helps us with being technology-agnostic as we can generate clients in almost any language using [go-swagger](https://goswagger.io/). Swagger additionally simplifies the documentation of our APIs. - -Most APIs though are not required to be user-facing but are of technical nature. These are preferred to be implemented using [grpc](https://grpc.io/). - -#### Versioning - -Artifacts are versioned by tagging the respective repository with a tag starting with the letter `v`. After the letter, there stands a valid [semantic version](https://semver.org/). - -### Documentation - -In order to make it easier for others to understand a project, we document general information and usage instructions in a `README.md` in any project. - -In addition to that, we document a microservice in the [docs](https://github.com/metal-stack/docs) repository. The documentation should contain the reasoning why this service exists and why it was being implemented the way it was being implemented. The aim of this procedure is to reduce the time for contributors to comprehend architectural decisions that were made during the process of writing the software and to clarify the general purpose of this service in the entire context of the software. - -## Guidelines - -This chapter describes general guidelines on how to develop and contribute code for a certain programming language. - -### Golang - -Development follows the official guide to: - -- Write clear, idiomatic Go code[^2] -- Learn from mistakes that must not be repeated[^3] -- Apply appropriate names to your artifacts: - - [https://go.dev/talks/2014/names.slide](https://go.dev/talks/2014/names.slide) - - [https://go.dev/blog/package-names](https://go.dev/blog/package-names) - - [https://go.dev/doc/effective_go#names](https://go.dev/doc/effective_go#names) -- Enable others to understand the reasoning of non-trivial code sequences by applying a meaningful documentation. - -#### Development Decisions - -- **Dependency Management** by using Go modules -- **Build and Test Automation** by using [GNU Make](https://man7.org/linux/man-pages/man1/make.1p.html). -- **End-user APIs** should consider using go-swagger and [Go-Restful](https://github.com/emicklei/go-restful) - **Technical APIs** should consider using [grpc](https://grpc.io/) - -#### Libraries - -metal-stack maintains several libraries that you should utilize in your project in order to unify common behavior. Some of these projects are: - -- [metal-go](https://github.com/metal-stack/metal-go) -- [metal-lib](https://github.com/metal-stack/metal-lib) - -#### Error Handling with Generated Swagger Clients - -From the server-side you should ensure that you are returning the common error json struct in case of an error as defined in the `metal-lib/httperrors`. Ensure you are using `go-restful >= v2.9.1` and `go-restful-openapi >= v0.13.1` (allows default responses with error codes other than 200). - -### Documentation - -We want to share knowledge and keep things simple. If things cannot kept simple we want to enable everybody to understand them by: - -- Document in short sentences[^4]. -- Do not explain the HOW (this is already documented by your code and documenting the obvious is considered a defect). -- Explain the WHY. Add a "to" in your documentation line to force yourself to explain the reasonning (e.g. "` to `"). - -### Python - -Development follows the official guide to: - -- Style Guide for Python Code (PEP 8)[^5] - - The use of an IDE like [PyCharm](https://www.jetbrains.com/pycharm/) helps to write compliant code easily -- Consider [setuptools](https://pythonhosted.org/an_example_pypi_project/setuptools.html) for packaging -- If you want to add a Python microservice to the mix, consider [pyinstaller](https://github.com/pyinstaller/pyinstaller) on Alpine to achieve small image sizes - -[^1]: [https://martinfowler.com/bliki/CodeOwnership.html](https://martinfowler.com/bliki/CodeOwnership.html) - -[^2]: [https://go.dev/doc/effective_go](https://go.dev/doc/effective_go) - -[^3]: [https://github.com/golang/go/wiki/CodeReviewComments](https://github.com/golang/go/wiki/CodeReviewComments) - -[^4]: [https://github.com/golang/go/wiki/CodeReviewComments#comment-sentences](https://github.com/golang/go/wiki/CodeReviewComments#comment-sentences) - -[^5]: [https://www.python.org/dev/peps/pep-0008/](https://www.python.org/dev/peps/pep-0008/) diff --git a/versioned_docs/version-v0.21.9/contributing/04-release-flow.md b/versioned_docs/version-v0.21.9/contributing/04-release-flow.md deleted file mode 100644 index 2a6403b7..00000000 --- a/versioned_docs/version-v0.21.9/contributing/04-release-flow.md +++ /dev/null @@ -1,107 +0,0 @@ ---- -slug: /release-flow -title: Release Flow -sidebar_position: 4 ---- - -# Releases - -The metal-stack contains of many microservices that depend on each other. The automated release flow is there to ensure that all components work together flawlessly for every metal-stack release. - -Releases and integration tests are published through our [release repository](https://github.com/metal-stack/releases). You can also find the [release notes](https://github.com/metal-stack/releases/releases) for this metal-stack version in there. The release notes contain information about new features, upgrade paths and bug fixes. - -If you want, you can sign up at our Slack channel where we are announcing every new release. Often, we provide additional information for metal-stack administrators and adopters at this place, too. - -This document is intended for developers, especially maintainers of metal-stack projects. - -## Release Flow - -The following diagram attempts to describe our current release flow: - -![](release_flow.svg) - -A release is created in the following way: - -- Individual repository maintainers within the metal-stack GitHub Organization can publish a release of their component. -- This release is automatically pushed to the `develop` branch of the release repository by the metal-robot. -- A push triggers a virtual release integration test using the mini-lab environment. This setup launches metal-stack with the `sonic` and `gardener` flavors to validate the different Ansible roles and execute basic operations across the metal-stack layer. -- To contribute components that are not directly part of the release vector, a pull request must be made against the `develop` branch of the release repository. Release maintainers may push directly to the `develop` branch. -- The release maintainers can `/freeze` the `develop` branch, effectively stopping the metal-robot from pushing component releases to this branch. -- The `develop` branch is tagged by a release maintainer with a `-rc.x` suffix to create a __release candidate__. -- The release candidate must pass a large integration test suite on a real environment, which is currently run by FI-TS. It tests the entire machine provisioning engine including the integration with Gardener, the deployment, metal-images and Kubernetes conformance tests. -- If the integration tests pass, the PR of the `develop` branch must be approved by at least two release maintainers. -- A release is created via GitHub releases, including all release notes, with a tag on the `main` branch. - -## FAQ - -**Question: I need PR #xyz to go into the release, why did you not include it?** - -Answer: It's not on purpose if we miss a PR to be included into a metal-stack release. Please use the pending pull request from `develop` into `master` as soon as it is open and comment which pull request you want to have included into the release. Also consider attending our planning meetings or contact us in our Slack channel if you have urgent requirements that need to be dealt with. - -**Question: Who is responsible for the releases? Who can freeze a release?** - -Answer: Every repository in metal-stack has a `CODEOWNERS` file pointing to a maintainer team. This is also true for the releases repository. Only release repository maintainers are allowed to `/freeze` a release (meaning the metal-robot does not automatically append new component releases to the release vector anymore). - -**Question: I can't push to the `develop` branch of this repository? How can I request changes to the release vector?** - -Answer: Most changes are automatically integrated by the metal-robot. For manually managed components, please raise a pull request against the `develop` branch. Only release maintainers are allowed to push to `develop` as otherwise it would be possible to mess up the release pipeline. - -**Question: What requirements need to be fulfilled to add a repository to the release vector?** - -Please see the section below named [Requirements for Release Vector Repositories](#requirements-for-release-vector-repositories). - -### Requirements for Release Vector Repositories - -Before adding a repository in the metal-stack org to the releases repository, it is advised for the maintainer to fulfill the following points: - -- The following files should be present at the repository root: - - [CODEOWNERS](https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners) - - When a repository is created, the metal-robot automatically creates a -maintainers team in our GitHub org. - - The CODEOWNERS file should reference this team. - - The team should contain at least two maintainers. - - `LICENSE` - - This usually should be MIT with "metal-stack" as authors. - - `CONTRIBUTING.md` - - This should contain the following content: - ``` - # Contributing - - Please check out the [contributing section](https://docs.metal-stack.io/stable/development/contributing/) in our [docs](https://docs.metal-stack.io/). - ``` - - `README.md` -- The `developers-core` team should be given repository access with `write` role, the codeowners team should have the `maintain` role -- Release artifacts should have an SPDX-formatted SBOM attached. - - For container images these are embedded using Buildx. -- The following branch protection rules should be set: - - The mainline should be protected. - - A pull request should be required before merging (required by at least one code owner). - - Status checks should be required to pass. - - Force push should not be allowed on this branch. -- One person from the releases maintainers has to add the repository to the metal-robot in order to pick up the releases, add them to the release vector and generate release notes. - -### How-To Release a Project - -[release-drafter](https://github.com/release-drafter/release-drafter) is preferred in order to generate release notes from merged PRs for your projects. It should be triggered for pushes on your main branch. - -The draft is then used to create a project release. The release has to be published through the GitHub UI as demonstrated in the screenshot below. - -**Tagging the repository is not enough as repository tagging does not associate your release notes to your release!** - -![](release.png) - -Some further remarks: - -- Use semver versions with `v` prefix for your tags -- Name your release after your release tag -- The metal-robot only picks up lines from your release notes that start with `-` or `*` (unordered list items) and appends them to the according section in the aggregated release draft -- A tag created through a GitHub UI release does not trigger a `push` event . This means, your pipeline will not start to run with the `push` trigger when publishing through the UI. - - Instead, use the `published` [release event trigger](https://docs.github.com/en/actions/reference/events-that-trigger-workflows#release) for your actions: - - ```yaml - on: - release: - types: - - published - ``` -- In case they are necessary, please do not forget to include `NOTEWORTHY`, `ACTIONS_REQUIRED` or `BREAKING_CHANGE` sections into releases. More information on those release draft sections can be read in a pull request template. diff --git a/versioned_docs/version-v0.21.9/contributing/05-community.md b/versioned_docs/version-v0.21.9/contributing/05-community.md deleted file mode 100644 index 61eaf099..00000000 --- a/versioned_docs/version-v0.21.9/contributing/05-community.md +++ /dev/null @@ -1,11 +0,0 @@ ---- -slug: /community -title: Community -sidebar_position: 5 -draft: true ---- - -# Community - -(Slack channel, community events like FOSDEM, Kubernetes Community Days..., blog -articles) diff --git a/versioned_docs/version-v0.21.9/contributing/release.png b/versioned_docs/version-v0.21.9/contributing/release.png deleted file mode 100644 index 598b118221b61d55a2de4b4c1841cc6416892b6e..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 87019 zcmdqIg;yL)^Z1>R0Kr3W4<6iImY@NGyR*2vYX}xRxVr~;*TvnP#ogWE-7C5GKIi=Y zf$w|HEN9M8)6-L3RbAEd=^$BYF(i0g_*bu9A&GwxmVfmM3IzG7zJq~W38XvdeD&(% zD{;88uCkwW;aCVIm4cDEKIbCixj+Bav2LwExc^$4Ro;aAmZjhZs}a_(3Jw(Tz zm@b;i9M7IkH-kMp!L;cdgg18}UB;iKGe47(!b7Uw)UwY&mr&*K|J&$Kk&j}Xr$?XI z9P@RErAn}@R)_774{_C)S5$YAV6w6{Y;2vn76zDCVl?2X{~fSx_{}fagbhr7M}Y1m zjX0<#@8QbpLqa8LooSh(X;i%QAMt_at<-hs%D*i^;O!7F{S;x z)eHfIO>pu^lNAjOSz}xOHL_8Jw z`nq#L?cDgtwdMt8dHR1uI_ZBJcb1o>6VyoZs}9hRs|}{lD!@s(J-)M#gtrQ%M-aN% zIZD17LIP1m*4^IMAtZWE)`QDzQT5yN6_vD$R5$&v)DkJqIt#W0|9O=LGDxGRO;?YJ zvTFUoI#E*SR>w1l#Rn3j5v8Zbm%ajzr(bOP_qAyY;7iy=!8`7sc=#hPMZ&0OX?NPK zSmKl=gX{Z)bVi}f;)d@0q=iIRk9Ga66ZfZzRap;&B+^s|^H)B1o=z_INB;B7JE4y< z{%dJzdk$bsd!165I(hUKoQ}co4>517m&-Wq2IC zbZR(oA``p%)9!RW@l6TJPvHobjmgiZ8(g)PUfm0;scQP#2dI1fS}o7UovAt;e}ZT1K|f61C5=><46y}*!l^BqF^t7K zp)FldM0Bv6`4UE>BaQ$0i7Y=~s%W=F=~Vg1szEcx;v&z*^W$QUM!_6MF5(6h!(^>H z&ImzMf9ar^nWBCE7dK{idc%b2scq@#z7GNBY({6T`sns`z?Y9 z1_e8n^dfQ#mHd@d602F)Vp*GCYOFt3w`ga%nr3CyKeGovdS51^#q)$&4;SbrPy7>Y zOfiv4oW8qN<&z#v?yvf)OdkR*4zUc`Pmn3fAjhnN>Zs%K7vp6U;Wi6%Fpm9`;zA74l`B zbQ1p0LYj@Q#oRG!esPXxr(xx{AsLNCP#LjZDKM1887BD!f3{3M7j26$Idj9Y@~BE{ zUpZ2nFTy=RQ6J@i^Cd#rsJ7O~b9y9FcZA`fPv01O=ELVtAE~e;O1|ztrjRT$ zRFSww`zvC-M(rzu;zAD?)=@uNW3=eHyma2|`be}d)goFM%Lb657p*c?X^6JUP~syJ zd=95rSQ%zzUNSP~Z5#O{-m9ikpO%piB(R<+>s{Aej<|8KMdVHCD=Kp-&km%l3Dn9m zmGo`};Pe10xFwYBj9o2h+=wJMLc&Lyd2ZOLV4#IG?kXR?a1ycJ81_EPTIJ!o)C6E{ z4D6X!aV->Id*wv}H(22|`pT07wjGlyOjekn@UJ{rD^ZM(z(&2*n9T}p2zWOqy`vPV zgh%S~jgz$epQ8IBn7|I^r_A@E!eHx(*dv|eZmGm4R$5Y!5nI(E?eF>JCkpiWS8T5* zBy06XBgSKsN6(({;SgDV@*qCt0-*evxA_^L)n=d9o(x=54DjSkU?O7Z z9i2`hx+x~HIk>5Jy=OKukTH@;lsW*~Q>C4vRm~oPid-EvOO6yVgQ-)7!9W{39;ObM1#Mh0c9x7sZf@I~gY_A7; z7p{T?jvUh0saO+x!>=aC^PVu^CttR$n58;3ndWtVPp2Q-;2_f}yLXbXmoH0xvkV_| z%5cb|mjMC-I{};j)%rAeE!(!GLfPnI^<_>;65)6a}T9 zkUy1n+W*Y0%_Kibf%T7L-d`l#AN6A{B(`)Exzg@4@fd!6i)aY8 z!oB1P-^&L&oAYNd#wcRUf__gj=(2y@BU)4-Ove|uysjyWyFhyogCX1hQlK0rUu%KC z8oxthsq-*VhkT}DpUEjpOU|b5KMg*T z{mce(0zQ9H`}gGp-omGU^IPkj-Imw?EeHuHK21;`0&;2oO~k*wLsx$d2lB7o%U%Ch zl^_3*LixWd#q}XzV?7!Y`?F|%N0UDd)K&eDgfgwP0$uvIvHv-N9>agZjw}7gh9M`i zCJ-~mTF8qJ{wKkJr~@L!|Nko~J6^;C*8W|`y>FRgB$D0#wI4fW0aIX@e=cbTPZSa!0AO)?2*Ax_=;lInQFi(m-gjU)e6ZzS zPk!#EcHwr{b$-`Uico22)#^N8zI%5iSAjlwcdgnn~nT{6q++6X)H*jGg?S?q~>f+SC>ri2W*T>(DF5c^$(^7_V6n1tb7jB)=<;GP3F z2??pK{luz?wf4t2#*~*u9kYMDO7HiI({X&)`=r+S@SI~;1%FM%)9V)q+&T=(w!Cib z88e;o6X{w%+VRajca0^v;4KWY?J~DKwSTaVFmCuIUDhjjxBLCTQQZn0lx@H?x^w(U zYuM^s%ueb*#!1)hk&=GzV7rF8y6IDt+O3dI$^$D3h69aE!on66r+@Rc@?S?=6?3yd zH#1k^#jl(_skE2c;FojmEI&K#IHR&sbXj7X>W34~Ej+!c9<2;HyRrhFdFZ?~6^H98 zEIG9wy~q85jL^HVjApJy9oY{b?841kSx;OibV|P-kt=d7MtGe1>DK8}n#f~$|9olW za$d|6MBV2V0s*)mCR1!|z3x|3?&|L&Xx-G+ad)%NRj}Eell|%$f<9 z`p6fygWG7+k&8uNra8FE3*0d?5LWQlWd_E#Qkh@ox9@XIL}3Vxjzg_@dsoi#%;|C1 zQnCnoCf1eGEiQQoqTNv_7K-4bd#{LhmkiCC)gpH=V7=zAa2B%%DqPw%=0AnpHIc1w zi`}@cRO;X9c9v;%Wqwghu_SujmO(~YZ+T9>wK^dy9s+oV6QQ2p*aldJ=-(_|8)-=v zNpCL=qyLJ(FuLo4n`6fpjHs)e1RH5l4313RBX3`=U6`nXk2_Wl9ILHo(z$q4P`&gx zP`zqQuaagbbv9AOMsPVp<6(yKOmmAnuGHv1c-&Ju=~NlIG{tkh?BEP27D=n`D!EC$ zM3tDs^3Ar|-LERoEPd(>&aA0KckL(##vE|?t2n64T}P0UF1DQipf=qF7gJ8omQb{V zdYY;6E*;FLBgWH9aw-=u+(eR9-p*^h70y_FX8=Gv7=P;zS$k_2^dIO&$fdsE`?R&G zqS~ee8+&Ds&&sqL1USVQ89o5mjY&R@mhEa%>mIzU5Q8(MN!M26RomoHG+x9|q#v8u z5Ja%O>L<)8!bCNiP@Yx>5gRhG+Ok*nlP!|Qew5d*d{=v#v}0tbcK8SukmC?-rl(;?&}uErzXQ9&tMwlkfW6;uN_$k zDXMag!`;QV?+@NaQLN|}% zC3QVHP*xB?fiqW>)XZ=kL?;i~*ZbAz-vzVU2jbR6S{feIJ!P$Z!!t4%C#KwZJ(_Ku ztJ$A4)a^(FpB{z`h;=T~+Sx z{r&`V{Aa0(Tvq+cGOE{`HRsMCnUVJ8Uc6CnPYvK$AzYYrcZa-~umk*Yt9Cul!q2oA zfyxeC6iPfs?02nb{@$nzM%bX!vH6&)a3N!$Q2#pk(-k*&Lg%SOGaH;qNs3KHjX-qT z!0_r9TFWCU?MV|bEDRXpKz>qb6eli!}no(k3lGIVFz;^K7xKWa!*kp zE=kO; zq6-y0?OSp_Y_@xt?xi{$2%0kdiYJDt3-e zj}?;(YMRanr}l#8?wAoN1Cjw!>uFs{;@M*}$L;{cK&|`ma5NN!onf=vg`CQ*Ii>K! z#NGz2LC!oEUt32l6RRN_B96N3A0P|g{jk~l`k+_)XR%VxgJkF^?Q1p z4yWdBBbr~PrvNzh*C-PAO_SbVte@vwe=vYj3l*jVmlu&)Z0CDFmAwoU^qZS5H4uQW zarxC=_{(1LjOE$MKenbIKY<7`>i z!>rMKfg3G8TbhP6hD%F5fezsV;Y}TPrAzw@vv2BWnRH}d>;^YDLjs3tb8zxNY9MpT z#vr~r>KBs+_Lz51NwENmvEvpA{1tb~i6+ytegLEd593Owz3e@(j|h0{D;IF$H^ z3J~RDuJ?wuI@aix5kGFev%?V_ef}D%L#G^W))!7rWY5|ceq)Xfys6C&Rb@=(kmOI8 ziN-ubL29JS-PS0R>luu?YVtB#JeFzjJY_-7RWa5snleUtb6nq|VX?_L5I1a*O%RV@Xm)lj zB=?EPLnA9ZSGy%M#{0riyJWNXdK87pZ5+yMA#l>B3n+bz8wURd%^h*GMI6DlxjY^f zZ&dyzRi#1_d2P&9zeTj__PEc+KY=LWDVxq5RwZ8~u#nYk^1ap}fwbmKrL%~R8~cHe z{hdmoatSNt4dG_0&&FMOEdcF4%*U=w0ZhOTxaCOZ8157ykj}oIG@Yy=7q2TT-i#7t)!f)7wR?JIki(^`F%lAUGP?1&_KH`d`8u5f62_8wq}G8x-Vu=S z^%!1T^|IPTM_M5u8J|bQ?73mq8D0umDfQWk-mAQ1xTYmCz^w=hmh2fk`uuL98|I=- zn&$R?6>)*%U@#{3!ZkO6h6)Z&m4{pZYAio*uHap{bML%pKOnH~bPqsSOfb9qS+(Vq z=4j`!Gl&i(hkJ>5uoTZtY9!D1gt)AtwYs?-nWwY4Mx4p%;-YV!yW00F;%>5pcyb{w z%hH#hcCG;#MT*n$p?KrLQ=!sBDkU;XKsfk=H;Oy6AcKPSDt+rRhyQSN?|X%8JpCjk zK?1ut7*b?g11anM+JuocG)Y^fj#}udyXjJ=IMWY-aU-OS67JlJL%Qv~E79oLh7Z5M zh^7EPAPv8s@B=aJd`-Z5sdCp6r^sN?%IVQ|+Egh^(y~rz$0GQ<6bnV7M#;PJL+4$gyckgRN+)7doEi&oKj_Y_R&O9n?!cSFy5~8vuvD>gA97(utKRaSEmbBj+B8eiiS1Ze=hL+Lw#4b#Csn4bQqv@1i!14` zW(tXZ<%7)t3kHDI@vyrTMa53Ld`fYQ=ED^uT0~xzxluA~ChIv7c)va_z4iX>Mp(Id zekkdYcS`}LitnM z9+k73Bmt|Ky}o2Pu{l(QxNcvtNPJpXJYXfGgNI@HB_q;nhc--RTo{IWJnjar%06Hc=pTsjKT zm*LlFCU-{SQ-xH!v`2Fs-ng@mc#N5nQs{0-;yCb{1cV+Nc4xO(Z=X#^@8#G`$8^aw zP|7-%*)O7H)lXMgu^Z$0k||cLtVJ9wpa_pqJn^!_b7y!!b1p7)L|mdLCk%#1G)n?_|^F>|%IUf9x_JXl(} zC^jW~GM7UY1-OWUu6GFXbmr@m&yG`AqZ#(}{v~B^fTRKIOrFH|7qH@AseOBSwBLr! zOSiAD$*|Jo0OvTFH5dHst&_TZWJ2u&t}ZR6!z#>`(Ht!ZdeO^Rvh^LWt?pBh9%M4h zZF6>hf?3_OyF68omKh(9BDsVgFDO|6U{RCiB$fRs!}HZ`RRHTxd%GQ@IKujGZDlk` z39`%*vxXqQyqi(SyFlMiaC+x6G{IM$bb3Oj&~MTkUx6-D9b`@;=7CUe7ULOqLRN&% z&g_V{uh}Fxh`K_N4Iu*0BaSX$B+$xHvf#Ggw;{UC^c8God#tq9<2jn@M-L^?&4Y2d z=>Ya&5>lo@7>P+Xy+YfI^mXa3a0}tV-QF0jLdLV}j=EDz7}`g~{$*E|UK7(QNSk z->a(~L`Rc_hV@X)2pu;_Cbum&jSS#1%pN25vKN>t#E43Fd2OrYlB|Axm6~Pp?tkaT zj`zcQo;eSNK-9dY1U7y6L?#`p9jx zS3j=GhW|NG{)`o`B3?fkcCv8;(djrX;z`J}6FtECwnEQED^4cq$I*kYlzl)niItr7 zstbU@)c#B6rp1W0lDWQ65}w=v%BR-4hiS3larda zDkh_In6ZR+qEUoyaiZCk0c)aYn7ZC)A0-*wE6o%=Who~!I%L@ipF>AQjYn|8m$-a~ zcdBo>jcesZ-MB%bxVrDM<9qg%9=ud%|Lu$bS-9%FL3O0_Nf{# z5rPnU9c)SN?Lbh*tWD91aBvB77pMJ5y@(XP?{dcc+=F^lvnT38REezid`PQ0k0$j) z)bk=-)=jG5)}F*YQU0k`Ej~Ry32`A}+KCGqs}s-bkO00QKM$OMbVJh`F{$X?rhST= zPMflsWt=8A47pzZje>Qgyz0VGY16RS2?38e%OoeAuJMf!+r~xN9@7ujj_M;EVn&(b z;=TRjm{OuJKG{9;jf>a|ZTso-@9qtfrtrE3T8gOFExI}I;wqU~KT2XFKODd|(%vU; z;K3w{1_XMK#V>$Z!~(b27y zA+@|O6YComH>51Pm%?hd?vRARd=uXNS1Tv!{o7Rf<(B+@(q+p?peH9A8%v%2+B8r+ zCFX|3>qS5sh=IMP5-gA}mE{;1QLvxC?Q2SOc9SRb<(j^GPn7}l$~8#z1jT3?T!Zdd zNk)ImkQB~4aHH`cTh{RwnNTCBg$WT>n!H(J$J-yc(Ra!WNmS}P2057@t#%@~?zTwq z>2zm1xinABzsCOX)uf+@u`MY|S~s_ophiY^Qrp(+rOaJlHwjeEHkvL@%$eSW*C}bw z-ul$oVwsYs_mPSV36@7PiDQ3oeYuEgEu)i@h*znkS2=TSIZuDyn*p(mF<>n&)GF%E zXP|!h?tzntwsENc%2(>Mn?(BSW@ZD-VVWk!=0#nw*)#G=pj)Mj>=7-)03;<{Y4V|` zI>$W00iDKaPg(MY`HID@n-mI{&Hl_(&@;YT-4@ixE?xFSXv0r5hwn=tO%$9O)N-NQ zCTl{YKJWjgUVuhYFzo>&CPT{-hKO~-8h2b1k`)BEeS}POF}()uaXZ#`dc{moh}sar zSE!`Mn}G}?#jW$?k?3sJ;K)SK8|;zGD2I(8 zf==21p-6!~F-i%4x?M<&d&%~Y%|J0MZ6YoDjC>3#zg0Do4QTn7N%T~+>$Yq&*Ef2F(6;p*A z-;cy*);BWNA2Ww(ZwG^7mj~so`v_Z~^hl^LFU@D8uZie5!VtYLqk~iJ7ZdjvOVq3b zN;JFs@ANDE)*Q1T$i$SWg#0>*>7)}$5lV@!*@O01ow{H>LUv95NSuJ3>gybZRa5C= zyl?WE0?~27odakUxs$DUmHeL(8Z_gFL;92_5YKQgDY9|P4I}9-*yDx6Y^h4t* z-rEQ@iO6Y$AIW@hfpXCmUnIH)RuDWru%LE?dzTbA-X4Kqu5aZL?6T`s zrr3H`_U7#p!6)^20a(yk@;SCeCx}opZ@+WLCG+Je=pFb*uGP!r>B%`WN-OdGNaY~h z;(3w+&Yjx1r_i{evF9)xPsZzQAriO1t~S_EX>xwm)7xtz1uec)~eoi%y#&=4UxzXC#jjLE{@|MTK>wMv++bMe5xGkT2tA6wNN(WZ; zVb2Z5v-u}(_wjOnL9TT&SkZFD_f-g|7q@33KuF1>*5`M&8;S&%j{Auyxy;_1q7AS+WIL7B=$ zg`ufa@p+C#D+~v5T$8sVazX5D&3D^@lO9*guvrFJ>0Kv@G;1vQFH2(D(N098;Hj*I zAZdIW&!O}M-)t`jcAl2D7y22(f!rvrcSAH%**(VA37S(`EJJ~}CAE`#b2UiTakd5{ zVt5I4ws74wbtYhAa-jg{4r(U9tq1yY_hlE06AJbgiZJcvo^$2J+L*IyqlX1LR&1uk z*?QrfJuz&)96Is37htb-zlFv`I@&>8`BfI1r+V8!dT$$9#b(o2GZp_vnRg&!Z-V@z z`lrkN=`_7s@genl4EJmLu4U1Ff3zl3fFmH;xh!iz==F+f*}=-8{%W52SKOKKDjpTE zj?}srHki$4S|Q(NJdfnaEPk!;S}VqUI{w&^(1QmE4=UN2%-n%(mLCdEv}do<>$N-d z^~wQ-Mt{WtN7(~j+DAxdIX&!f(vk6p0CD8IvxW3K()gQEPesMpcWI_wC1D&`D zPvkrZ!XTZ5TdH#o)}{k{^D4d`vji|-X`IS`BYoho&erQCHfdYwqTBh!>QRE7-^M>e zSI40?chbRo`v7#Ypi^(24P^Iy7;BcJ!!P-GK0)O+#6NP%A2vqehgyFvc72ivdNO_N zVbp8_u&LK(&M%Uyad~4L|P)aI3Mml$7Z|aIo#9Th`D;}1qGBIRwk1k4l0-{ zMk+(EG2E&o2-RYZkbiro9WN3}u##HfEnVex!%)0X_j={W%5K{^J`dn1nlc{SW8E76 zj~MZB7J3LCWO?sf$FN)TDV5iTXbP+86-QQ{Ob2jRRepw6w8ZI^Bh)YWnlm${)G_g@ zj*d5$DKIZwq(73l;e6ehVn)(TWL|z~<$umO){40K&Q(Ag+f|}1d`?G4?M^dcE%LtH zZR9BusCCNqJ>R;sF$Q4JrMFmsg*l6yQ8oj!6U&YvDp3}&Tg_0YFYVOym->5{Be%s`gE9dx;ar&7A6 z^9wzx{@pryI0Tra-0VRb(Lw4S=}z6B9$32_TY}w4ecUPYQz#T~Kpcy!Ip0_;3DhB_Bk-f{z6=w0N$k^$0NgPXixy_R;1DQ)G% zm2bc(%C=zQn7sRt)p>h&>F6ODlV=8p_565%Ye*AMxxP&o98cqKJ9fHohv1j1an`27 z(ss^a)l;VH{cvSHMePoDDS>h>)e_O)2}&k`%S~n=yjIST+UX24p^l@|YutE=*BMRP z=4#XI@$GYvl(^?jV6fyh_AtO+Go>DYb;+9j#pQj+jxi9=UXp938NRjPFR2L^oGW}c zp~zU;Z82uIruQC$I)-%^E*J^nv*k|E=yKUm*v{8rxSgpxo@V*%g{Q6Q&}2_&Upi^eUa3pu059cAn|GWS`Re|EJqgT zpoDUs6nJvZ3+R=pv?!Hfs}>14^H)?sZX#P$hoV z@OaUq#FA5 zU{?)e117q$WMDD4OBSY(V+Zejw0pblu^MpV1kNfA3ly0TqKtbOmn?39>_ZlV^F^pJ zMe0FOtk|%(p-e>$TmjZh-MfW`)DHH`_q6a!I}29?WY) z$tYY5iN-M4))8g0UeU9~#G<)I*E98+3Dsxwpru`&jz?SmA6Z)iYoZ^J`MYIvd(q;pIHNPNh|oh>#y3rg!tYHrAkTeFfopU0l_aK`DpuQirY1w} z_?*&$?KjYoXvPrBQG#yo%>ovm);*Jo?K7gbt1qJwMlM9@gjnlt$TC$1>JFq+u+^W%v2J3-TvuQg^{ zwpA*&Pv?%oaqO-97zSiLAM~i}5Y!#1^JR3%xYcB~eqnstj=g)$O>&EAOdlZMtjSe8 z9pn=K$tRW~h{idpP<4T0);m+;^&g+U^95@2#SN<5U}|t4o+TYe01v59G=M}$$v03 z=r9m2?4>RC!W8=%(>P+?KXX)q;9o#!wE+%0U%V@ybA3DMPM3K8BNsU|#yBT`^U@@m z?w@$f(~5oMNva@_k+1jU4#F6&-?q^xOhjaDJ0^G- zbg;I4#Yj6z2H%UIY)17P-#YbxU?DNYK-`oR&+;nwa=*Qc7KvxBWc3mX=5yrkC%Uf( zEym7+SCMPRYU*@Nv47GEe?KhaBfLRDjh~25Nh(4(GI9Ye9m29*7;Z^iObmL|hmF&# zDSh*cF*BiglS@q$5M(&;O30cZ8umnm4+=F+xKaBW+i7tykKBszM z>!he>X!soH^T&Cy z5Y%|6Jlwy8&wHPI)V@DenU*)diT&Sy>=6GA3Pl*j*#G;ckit6*($4?0GizNxh-@7$ zgfe9@-^mvG{Zgd(9uGpZx-jN%R6;7$M3kT3(w-qt0(kL$w#NWMyl<& z|NH!x_hY8hIk`EjtJ-`T(hw>O$&F21t_^r{= zlQuow@bmq2^kSK9MU2;7&P`tPGwP?Zcp2@D`4`o*oYn*aNq>2Ne}95c$499xyeS|c zr@Q~pmj8LqlA_OBa5OzIEQ;T=bmfA`-JT6zybck%Y^r2c!6m-r)) zQ-;+S{XZ5d{C}&fcC3i`IeC#OQ31;NgJF#rN#@k(@Wpg=woY~exs@)NS2JccU0pp< zNpayF8L+;40Cb}`lBV81FPQ+g!7rHtx$O|3h|rACllrCdZx#f8CvMQKr7Vs~zLGn$$f`B~NFZ5kn=s+yW%ZI#8H zMEjicr5oSb+1aiGw}+>PY{G*$h0e4p{BL+w4cd+j5l_rdVUpR#&Q5@;O-)BNoh5vt zr<-!^;3(X-nlryHxz6|W?3z7{b|CHrI!j-#ysoCZUtILZg}1o`(qBeUNdtkeIeDqs zFKFCDupVMPooKXv-bj9x=op#7)xbNzFEJ7gNZOrKZRX{(zvQ+%$D-85#|aM&%~2gE zVK~mRBmdhN`V9Y|pq)FjPaT{+iL;{{4&!&|(=%su#|~^A$_K|QbMx{dOO-cvSAS;D zMn<=(`edx?O2mG8)?=Vn`Fmf3k0v@qX@^^DaUs*x&G8WEI0!czRI z633>O9j1y!{maS&AXaMeaVuXdjU2IPa&kPot7p5PV>LIA-xGU8wkSyEOBZMuBP1|y zLb$gJs2S1;(&GQJrJNqkn4)oRr}bygeU?5z_Ko0&#Rnd+OjD7P68KMipc(8P<(V<9 zQGGnvrb|`!70vG*7{J}qKPG0Of1StisoZ4=c~tRyiBC0qI%_hCiP>W8Z19Y)c;4%+ zBqd6*Lt$4Q)!vNtyDJ@&T`QZ-hH(RWaPPoU&l;ML~oh6G%ipAHL=biY)ga$JJ z^0jh-rH5Lj2`2bDPAyz2ytO;#46ULV?C<&p%wVI{UK|PZ4ZpId{Hgitb&JMS&xD|l zV4*;ATs!3?rEJBrOH!-+Wu&MKUI2(ROSO5OCE)r*e03e;?MQ-&I-cu%QdkU?Qp#NY zTX}i;z4;oUxPxQ07q~Xs+*`jng}4bl7M7lxft4GW88U`UACon!Ry~Pk} zM+gQ)R-A?ouV>zvS<*hidI-00G;6cy%*UBI-QYVx_0n8N2nyV>5e@ zaJppFm5brIhd~p;GTTg0*Onxl-7-F++Xpyu^9{~etoD?AG@Ehpzb;8i8u8v6aGbH6 zw^A>vSD6iup}*Tru3!KDV${?e;2dfcsRF<2_M4v(MWbM*x;z*6z*A z_;4X#+ec?f2Y2l~4Bkn=%8*#;2xV91d+h1G)oGK6QvcjwXZV$fI&`Pi^$8b_%B(pg zu6>s7LKGBJ|HUdmSPy6^wl_g8ODW9wYxLuSRBG>Htb|_XtliVTl02&fltgS-_Xxa} z882#~1hd}Bs&WqEh!a;`Ose17&W(Bu%irUK;)4$ll7Sed33#7qOcdQ{siyqdX!YA%Ycd#3O`b6}v7ARBI?)ZX` zm2tCk;?{YlKyAK&3a3eCLX4I)CxbckcM9@}yzZ}wMiZlQEoUs2g4@ba!uH!9=2T=f zPt}Yp9yhG8XDS`86_<*pIz~VDJ~Mb5?+=NaSf}cZ%n*GdSe1FApsRPYK-!sTb}5NL z@J`_p3zo#lyDsj{Bfl8GSI$nU!w8IcYR|AmtAAR2UF+c)CT*E4$Jg%DKoh}is;5Jk zCem_{-HMN3pKW!7`*_-IJcsF>D53NV)o%Yi)fV@MxjMokikq#!KH zAvEn(?a~ayGDx1ZzMJ=DeNU@Wbp$je^}anK+hxyD5(t6~D_c@(ViO+y_8I;^nW?=lYp+|6ls zJFv;eFOXIIwx?QmCWRS-eASwJ+C(<=WHDa!qZ861azwnSyNqeDs1)z#ta#)h75W}QUjY}zfbB|tqYW6 z>8r=+u1_$)rSOiic6w~zVvc%tZ553U{s6}i7?2k@Y@?ozu!sMec7_M25 zc<^T<*kZM24pMsC*bJNKb%M&BuLN@aQW3=7s~Ns02wutAc_f-^HefEjRwg6QT|G3B z?9HP~s5*Fc30n@mv@$>T_IRcuI~=HUc<#RiBC5;cP`rdXsrUF?hi2QsqlANh;1hZgu4*lBaUjo7RC90v~ZHdN8&z^%a>K7LA` z=Wd{}qBEMj4%4FmyT0L(Z9RccQhB;Ta^-Ghv+gS%MiC7NdoZ8gBO@oTFy6ATa$_@4 zK7n~DON4j89yy*c3oziW!|zU7CYo$DRB<|5^bg~Ym22Tv$XwJ^hv{OpRAG#4_!aS+ z1xODcmHSdTt(@ zqeIgLq-3$6&?;Kq4?{zlCFABFu$i9GFo)6ua-jqnJO-1}CvmhFedN*!Grrma6n@Se zRNpF>3Jt0dB-S3QU_KjT6AH)=6JHi6q_wrGgBC)bX$h8o8Mfzb`Cpk>?eTFl{3LszP%IsCFc%S3sLh;*V)_`&?OWWIqLqe zCbNgGxRJIFt~106-v=BA86Pb1zud*?^BPU=XmDL`!S#d@_Dd>Nf&CIvZ)o5^^Kwz1 ze`QGUQ39m_KwtJ$6m{oKkaids?qTou*I~DwHy%#C%EaZP54vMxg|7BSR`Zfn`Q9sJ zv5p3uZ1g|4Af9ijsiO%0QCm_7F}QOAZ1ZMalX( z7Q)<}7<%coQ?-?1suGWPSI3M`gAdEu{VdWCwa!xo$RP0Y6Eg+v*#nF^iu?1pI=3xQ z0@v!3y&0Wn4Y$MgLMJjvZO%XKUndInhuYtO%0DM}%rPk>yywJHiT&OdZf&IVlTu$D z-FQ6;jW&TDdjnlZN)#6+772$bz6v$qAzINs!IXM*g>trX`#TdN2ie|0ghRr^8y+mD zoX`2DDV)u(HFAAKvbnR1*n)^pFod$JyGJC%?Jkwnow2(|e4F-WYhz6f=1334)MdE( z;?qYt!d@BYP-K=@Qm$QE1snzKTu}M}v$L7r2m1SO?A)AK%U9;pLdqQJ%J@GEM}ZDh zNFw&Q3E92-E}|r@Z^_d8^lZkn`OrLso&5VX!GnCABc;6c^N5lmx$@V&jx8eoo$P2g zcIksoYq8q1hcH#-<0Xlb?W41EdWrOKB%GOSmS2@ME-l3zu(j5i(rpcwZVcZ>hMSnY z2bGtqAxTeTM4x#+7lxtCM$%TnN+ZvfXB8lyxs0QQOR`8r>n`#01G0E;=FRYtXl>%ai%;VoD5tUSm}>_vG=a+3{8( zmd;Y`kF2}6^sxt%<<-I6y@Cl`#cc41hc6byvv3)1wqhe`d@?CQhIv=Ty~ZK@f;h6i z10n>F&!DzR*ZAV%i>jid+A^V1|U$Twri;7?;cs$I)sgX@Zk zN|Kzjo-$Ak-llKdmmK)1E9t57p%_^|`5qtPMtyMe8Eu2pn_b{S+?xxn4CBwSPriY} zUm&QPRX;Pc<>A+<^IuE%5RDwupGO9bE&#|80Yw@341X@O{9Ji!_X*M1I?2zJjD;>z zBeNpUu;$njhwALn@fs>FTwAe3b%FJSnUp-PT=>)RfvCeSot^^gr_c@Ko)<;-7<%ou z8=qEVCF9?Ph*M;IRSSM_%@PXz+Rnw-qUEGM~XcrBjFR6_cVJv8Hpa zYu*k;#6y8=vP)`^oI#6DF|w;*Rc}>{Ze3nndrpu8ZrIB3NRjZ8M0L~5FnQ=QD11Ur z;X<7jLIJycXp)YW7Pg@F0w+afs$CY$R+3G_0jV>7N#^kJ!2dpAJMcW zVP(ZHwix$M2M(@KQ#iR}`AUP1G&sb+jIR^D{}xzf8yw)nQ)m6Nv^?LhjR%N&cAI!V z?n_6^{I;cqvh;c;hqCuWv{g`BAgP-pbscFGmE2TF*Dg;=gUy?^4_j1Q8}0s*98^lB z_(74xnk}{nc*Zi+%AW#LW1+?6Iy9Rxq+;WXfVrcq>j11jsQ5fV5szhp@q9`7=5 zv^PhQA795}<1k5LrKXf&Rik&fSm9sC6Om!G*SnH)Q%wQA#tA8=GBI+I|C)5R-$Aza zjy$u%*~8O3@T>iSS;+7&Zrr#mn10BMRBs_HnYmpJEk+S`jXQswt?0?UF4f|dQPre= zojZVb3MHy)|BIf>QyUJ%MMt}X^;cT3GDu5J8na}3UdGlE0T7I(+eH$Lu=D8#` zeP0QU<6kwOON;=rKM)6Jq~tgbQYQahdX|>Z(X5hS@RU%nhzr5afBb$|-O{L!TBBHHaO8)nfVgvOb)i52O?`90EW{Tm| zsYq?9bUr0L|7#)!=c+gw_atUqF;r`4=;Y4wSfvq|lYFXleEn7dga41Zw+yRl>)wZz zR8r{%>F(~3P5}Yw?(RmUySp2tyK_^U?(Xi8?suc-JjdV1|Ht>b{NiG+xz?U@tTFF# zkJ2Xwk%;UZz{44L9*#du2toU6B@|ZO?iYMFr?N@Wr#Lm`EXnR`Og+oxtPiQ-l0}l#bQ+^n35 zg|=7K*H^PFb4u#8SS7R|33uFjGv_$yD>7SBq*c(f$;LW9yN)L&Vx&X2bO6Ucs;Q|B z@ou1*yof{RMR}pnKg;R0+}K%*z1!I_%oUH5SSfxfB!&J%TewSu1%a|U#eS;PQe>Ji zbHZV?k=7HlplvEFf%uR%F%t=M^AZy_)javE$wRHxh?{Bi_WO_hw=Z5dt0F_AE=!Ai zj!*55?Uy#^O z;}gHOcGmD9+U=#kI?;>gh8-e%aK6cvP$`vwoW3fun;c^=gYTxL2L9>OIy(nfTbr4H zit#(uv`=MT=NS)-D_U1u^M{XeRc{8Ad8S3|Hd^pWLbg3UPRQUlkYzX@b~8{YRbyj} zXutea(UeJVkqMfBWC&@WseYL4puyfhD&<>02=bEXzkr6ISn5yjJ#o-mr^~QCuj9*; zK<#{FTCt#G<&G>KtwjNXO2`y@E)OTN_W%wX z3QZp-&IpG)*X&I^_oxg-jOz2$2+h{k@a*469+UKp-wZ!q`uscqZ}S+CA#RDc+Dj7B z#Y~ZY?$FHC7m;rs6TUSXjkay{4v^rrDs&JXSK;ay)<{N#IniPd)@Q7J>Q57Ew)7?i zBK=%8pjFeVNd9p$3xcPuBN~|!ik0FnqL0)MToCUW7_4A=&q{I8#Dz$QwpDfqN&yYwoa1pBR{*_NDtxQKu&~-We&)~wiewr1~KjV}*9GfM+CsNdx%`+i6!YLS0~V z0ee_6%4Ww*m`XFJ-Q$))D${O(Md=Tz%QT1)j=k|53S`kyqgX4il4qn2G${<3G)p0| zO>M{n^80Yj?ufhP2KyV1ykeGYT}x=RvZt8vQp)qia_q*v8zi*=#Tt|O4`hc8JPQhL zv(?TwBtNIE1oD;nSq=Fo>!xcVJkJ4&?%hBbL|-8= zwVGVoG^e>S;1p);r=Vv% z-W5RlDHQz+)PmCizpEQbbG_x(Kn?+pf>EBvqzP5EM5*L!Qa-6hHjw*WiAujF(T&U#fe8vs9JLyt=Kw2<&V4 z3GR%Sm7|vso?FePcN!n2?up?mluTV?Chv15x_dh*>$h4f>03mzKhw%XVX-l@98(Os zX@Gw^`vgNVYe>r}6+wEi%5mB?J)qcnFg9f7%4=h41U{EaA;Ekk9%rE{{D_Z*Fh*#J zC0hu;`h1LKitgzwVr;TS8k>>QN5z5g`*m#_*>w-kOh!beQklxm={Z32BAULGwW;BNi z;huvyGiMwmKZS)DxXB-GE_QT!NUNO(6S7o;l8WMh7aq{v~~5m$Q71vnhrwvy;SCuxW?lLVU6nrkwq zl}vM5n+>WTN!I6ztlJM^FopYrL)lmWs3(;7#L{cf;BXrw*K=GiW`~C$H#Y$ldg>S_ z$1Hf|Q2;SvdXIvqflzM;Ohy|-z>%waK%Z%C~SCjp$mV ztV`^6D2wL8(gN185p;YHaC-N*=k~Z;em<;$&zejaEQ9C?w-)2lu!eFC-w?ZGtaM*E zyg0890ZH(7{g(>Ztiu^Ub_wYGL(>L7XCS~`YxgPd2KKm2%L^2C1GsU%-HnkoA6j8C^J{<2ty$;(W)g-Lzf~@ z*dB4um`;+0C5>rRB?CjGBb&%U2$RS)irlqsLc|vMS;!T-`kWZ0QQX?LvQdOwv~+BQ zldfen)jKGKGZ);qdtJ>%z!HaZYRAk-get<=U&@zv$( zE1|Q}C5p@>Yq+>r^X^kQ63X7+;>vq46L}=i>l-_v4JC`#G-87{O&M%8K-ya<_=_Kw zF^pG}M9@9iB>bYIQi;lXKUUBA(Lew<1bC6ZLR6`|`v+-?n zMq>-MCI4xF{d9!8xgmn+6J|e#GlauPvLZ#Kw+}X2*2q`vX&_6(?6G*KVth#oPY@W5 zCuxG+5}vvKmd8vH5~H&hCVd-cvu(Yn)H%GOQt#{-%{z>n;IU;yQpD~f z)CYZSS~Xt`H-DX`G#;w_xNkh#wi^^|#W2}oQiAOslV=XgDZQgcB+r95}U zaLraoyx>~a*$D8GotEO1DkQ=N9BZw~;00A_YjU!G_f*Q^mKT ziKyuQr>T4c<$Yy376v`XYV{aAh7g-%!}>>O0_5WiD@NQJBJe#N&$GP|boguP_DW!~ z$N8W4&3(C0*Zc2TE-@zpC~`zL_6^_wc8PnF=ioZd4EOF1A~0?%iCe8iYg2+Op|+G zL?t|_#;7~R-qH%46L_h&6)YKgq;cZ_95|#u@=9|d3u{NBlU^&GENRFlaN2qw&aJR! zYUVGK)5R)j1N4&z($pb!YXBGuA;DPZG{1J9NaP8Rf;pQn)3yO9K2;Y zRMx$-iZE6fxpPSR+|kPS&2B!lWt@!ta*kiZ%&w;Q*^pe&=aKUoB*hwekGE;7fOB#u z)%d%Ut49lU`Xp|LW?R!^FjM<|Kv@z|;hYIZk_NSlvm-uNdcmisYVd~HLxE03rIHj> ze1DA<-*pP?GNu+ai_0$pmpJX|LCaM1o}%s;p7u$=fX%M6DrCxg7AjGxekOlfUa1TT z6Dcl0KK)TbG=hOVgVVTaHp&djLl#(E`{<9+%z3yZ_77@8#6GP%4DQ)vGw1DTE?jUo zSoQuUM9n&QxSz|#)e<=~u>eN+diF0(B^q_1ivp&$+f;%+rUrpti=c{!vC=nZC#o?a zZc5dUv3&b!r3~>jJ#z+GR;W&sBi5KHhmWo-(NouGd$pD1>UNXWN|tCP3qf67KgNu1 ziY6T2Kq~x9Y<7mH%)?zxppb<`gl)Q`CJ|-Tb4l<o{lI`EGCf=p{e3!)A{Eu zpBkE79NpO~0i&mw->O=)s#~^dtaSh z!VS)1$IAf~w2W_7QAI0iYBIHavWFI2-ts6p*Od(wek8)!V@d4P3o}4U!`NuOq+Kv^6in1+{lfr>JAm(n!%-C!(3S(2&!rS>tRA*5_t=xFwah(~{TE+uH0eE;km!{Sr}4 zB+jYBsqy%J1gEvyI8|<~`9osBOo@8fvJ`n9pyB)XF;2O?8xZ3YDQV~~Y<~|ZH}&7_ zs)(*qQg(@MB6MgU{VszYBBK)&=kh4~2?WG?>09icQMeBr@~yGB;-$|?tR~-DU!ya- zV9QaaFopDnW!lc_=sPMgS{+#rIAQeT7aJwDMDpyhD}!C-(kcc$vPP`H0{B#xw`>kIijrm6ak3s%I(pay3~UX~YEvji1g9bu%FQR>UI+Hj+~fC7jh~xN zuITNpVn(jASODu1P4D}82L+6>m=g{o_&ejTE8wj%VZGWT<1CZnUw-oB@ubc*X%iMv zIp%6(F_oC(ju+{v(CbmwF4P*XJZgkqodhF+e;lu5pPSE|G-Y7&(pY{3IZX%W|FEK3 z>I7f9Dk`P2Z^lUU2V$W%@W&718wof{@sX0UxLIKG3oC+T6~$43HX2@EGlmzt|ed0*>9DFAo-dR?(yj#8U8V zbeso14>%l(_K#m3wUp*76pK(NHb)BxHR)VrC9l^z`D^*3=OP>Txt(iCkt)o+G@ zhAx9Q%OxRQeStkp5dI;CCXVH16yI=reQ`_bwBy*Q67Fa@SU9FnH-Uo zgsuiAbEVw(J=G0sUc1y6b?KzahUk`jL0#3dZk}2^u=N>Da?EKYM4}N!dvbJ>BWHzL zv<%s^DQW8(RE9P}n<6n29N!!mk~@bt9R0l-vvZZFrKD0Te++SOJG;K%)v7v?I4#^F z)??NTVKG4!r;<<{;B=O$jpx=YL<@c#W)e0G=HT{qhbK>?A@M{_q&1B|ER3!bya!(7_`vXUHBJo-!H8V+KqStdy& zO&s0f+##vkKY)Vb@GKBF0Sp*T3CZ^O19PgLWwT|IkKYImWTRtT&y1XH4hAIEUO?fd zOzU3%(vZTPze-D6|7aIJ-Y$-3SjMGmdb4u;zMP zLoP~b#87eSit%m9yzz=0WwZ^Kty9fu?J?vWc~BtmixpMA zl9^OBI}?GD=QvBd!?@TRtJr0*<&^)%0`z*ex?-;CK`}{EKmVfg z)EhpV8fH5`k%J6dfujm(u)$u{`l&LU;_$)iQ<_MarcQWIG46HyrFi*dw)|m5ZIBk< z3w?xXEf%cg;EUIyV2+*C(aV$P+0Uf8M2w-*60H~3t>c}SgP%cR!a8_29-;+I+J^ZZ zx4hwB4#m%vUTU#eIAc}55xet{+20M={G*;V3B-NZ=|&?Pc${sYm_fojoc(;+XrH>uBK-@CMy4DUCN6)l#Mb>|g4CK7Xg zoG^LK^4!;#U5f7xivM{4VdN61+$Y%$X6*Cdi5X{21iFJrB{%po?3)J`-Ml zhsMgHMbbY4?QOIF4ve-%2L;hC8Oh!M@vr`2f6ss*e+FNYjLhHhx?(4x^s?81&Cu{+`6{4`K$X3 zDAO?{B@Uy8J&Er}IPajv`MYTIYAAoU-+E-lyD3w63i&zhM^ORI*Xhn^-tS#ODOQ>? zW6>0;r+twie2&l8>IF3thzx~5B7qa_>qh#B8W!UNDrgL`u3v+fTMW7_<4cD&{RiY6 z!P4=K_=$Zc&2O}STz6-UuQx$M_^)Xjg)}za?H&}U|8|&0=Y41R01X)swJ`jR6*_tw zPND#`nr)7+rnKyn7HAeszem+GGc7(wUQmS!hp^4?v;~3v}1h)LStpme94M$#^ zlnYRW^Lm8<_?}oE!xPxPjLAAPkE!)iKGo$s+SL{zX=Q&+8LZG*uaU~s1lUC)Tnw&jN zC(K=t@aK)8% zJ<$1;nhO;e6O)ouWeAOlTQc4UF)mYeXus950%V&C#*A=#uH#c#$z0P%Wo(jBx}(h5 ziAClS>x9TIo_%?W2oouv#p#@binv(2dN&>sX>+)p`1qPqJPk_qx}%!HHkV~ka)hqbirYl;-Y z7^t-T)*I-wmRe(hW(d0Rlyr8aa9txCPXV6l3$1cpXI@Q1xeOm~>mYNbHWt&pFk3+h z5)){*KXfo2>5j8*eyNq+Qw=#%w3F@94qNnU&&c1+Lp~U6C3?h0SC%{1Q~ec&+#YXj#j3u?#-E zN>33#q2Ib!878YM7V{V8l2w22C+w=Dn&>-lY&-L9asQ&r}Jbx~v5Uh&S#lTvWB z3klHqs`93wj5k}o=+x!vawo8Z4CnR<1ucC4wn$LCWEkZ$1n)*KEO?Kt(a!TU6E|F_ zrw5%56E^e!3RR#CYUjD0*BLQAScJRZEw8L23Jgub3%m651_^x#{O;}iVEzMa-*WF9 z|4CP#*s=C``KRsQVFhPSAU$qi@v2n$Cw>cA1!GX|AR*6d1cdh}8G!*(#;AN5@$29W zwb$kA8YJeu`M%`}xRfc1U~8HO6(J_A|q3iLccnLJG{su$#vK%IibFmU_n2yMaVs$`V-TFC2?Ht5&h_Cj2`f>%~n ze(ot0J3gRp?pmFD9JB^~e$f%2V?u|>+lGypkP<3Q#;U2nYH83uVYU6vYEuil-H>}{ z+RJM%)fex^k?ZBuRqMj$MgNW^LStr;uYDHDGZ9o2fmjC~2Xr!^u zoc8y?esWOK2ZOd48taasAv?#Mj*d<`^*vSE-zekO>2rWf`~=TW zUGMPIN~aIr!65)TSI|I-ATNbqP5uqv_$@_}??K=>JTzFOcrwNDTg;+lIosL`V_;2@ zJZZ{@jHS@L_E)+5^Dk2IRXQKq-*pX7V>0D27KL8q+P4XhxkG8>3>iIdof0Y~Av<^W- z$RYOMsOaL?$+p^<%wYhWJQU{JLiRuh9m)3p5Ea3vSLl^V%msM=jng*tKm0`O^@LF}KjZar{cBB8UGqrdcQS6!EX7L=Rq}#+78WS) z%2_eJ{~G$6$;VeC{fPVM8wBgf&|M50-y1N!uba5Xl_bIgwU$27``OWWS$%4CI@`1} zwEVr(5O%NKjiG&6a!6!CCwp_FJKBnDDP}mFXa7JLbmwh1j~^1Yo6*3tN_a^TE?=Wo z(;T_KtcvewMVlDTv%bjRAdr{*b?I^jiEGwDt%6ca)UMZ}Cj8Hg(2Hg&$ZC0v7z#B% z!8NHQE0_E4PNbnonT3H0aahr3c6=Am@fXCF+9c&ISz?DZW7?#xe4D0Z1e0r+|MJo> zTj0N*S%7|~=^oC|iuJvde{7O#NTmwbYBefXTF1Yr4~l2tHXsTEl>DeeJ`{`L1x3HI zczZ0W+8XXFwY)tv4Zvzz45 zv-(g8?(SWd1d(CHNk?ECk8?>K-~+DIb=5G&c;1ZY@J>OzI0R4Q_nTmfjUMrAB@`Wi*q7m`1Qfv2}FROqdvOuS5`S8-@`W_CI? z(3Rdl4-HYko?YRJos}{TsoK3ULU;QisJl0n15GDewrg+?GesGlG})|NahDuzlU_O& zz^gy^18|FAZnjVu|0g0Aq+wt6@5Ac{%2y}VHAmCFX|~sT!m(&{VxSqyY zt$zr0a+287Qe33Mm`fQaG1Fmmr8J=Lq&K}_a0|8C}f|{7UiQ6YvpaUchFOE z7QENUXj^e2^GpoN4h%wB#^}Wq>h1Uy$3=uF<4-eq!gO_mIlA4%x%N*_{!)4aTi#MQ zM?%$a0l*W}!Hbl>q}mtA^xCDQs@V(%4N4}vCFX4E*vq3u^p|Qkc8uttvgr#F=Ox?B z|GpDcX^Hf75O33fog& zb%n%A8~Kczt~3Af<8RKK(e@*C`Hk-GH>^VF<^`_azI=H1tG??Q9<%FF9AQNkRBF(a zUyH@Fj*1#>v}qoQmi9HuA-p3-#=IUymY8z8-WX>KR*v2gX%4p=WzM3wy9d}g4yqH{ zO=XK{D&K?3C?#6jpECWpOk(OgzC2*z4y)2zNp!ru9WtC7E0a>G@HzOVm!*x2cbqJI za^DJ!nK@BYn`Hc7>k|+LuXxo@5g>5ppd6q)sET4bmYk+sQ-U)S&DE#Gv|AF5y*OK8 zI?K9L(zOXV^Hf(L2fcr^VXOsLics@Tg^?>hZGqK5W|OccQKFhk_G6&D_oy=Ixgj2? zfC_&sbn5{M$>rTwf9m^~eW8U!Q@=1e19y*$y1dB>ikU<}aRR+{EFyycUIRUM9eR5D zCdLjIjOd}V!x#+p(69=t2N>i4%BDTP1lG<>#l9|F#7KIV(bOAr-Zp*C&Jaq(Dp!sOVYP~N2oMwaHy)N(Mc9XS3h*gVxce-J5d<+skL6l=;H zdPQZVi)|AF1!|DSYXmoQK;R#qI#}a3X;UTUO!>&h1>hYlr@wI+K5N#w)sBVcIYjBn z4AN~FRry)BFOqKWc(mM*OpThXz+KFg6+z4BId3(WKR8+;Gd)(6v&ZC&rH~J2u-F3Z z)-UB>j>cQ!bxJ%ukOG}hfs1|hpuqXB3)csdZ;fd9B9euEn)_i+REpSYW&CZ#iz&V; z`wV#|a~uQnNc?KAdC3&ZG#i#==G8%3e|eMytc9AvLjQDd$p#HM_e*t z2dHwUia5N^k#3`cHiK(2wJ;==tjd|;F!~SAlT(FXaIs;*MXyh~D3ncL^c|lIZ3a94 zJC@H%U(fL88W0>6dMPqM5;uaFK>i!`_`X7+@6o>NzSOuJf1Uo(?XO}hOA{kTnVO+W z8l`wo_w;|_GZSC`UY;!_SWe~_=Fo+*P5$?^`V^pc7vPhm21r0#8p&6K{Lj()c`XML zgcBr_xWCqx%MrZ@a+bcK**)njlKj&b)-?3uPQWOFxJ}VW4FBq_eJ~_D$E)(qAy^wlEy{ zmoS31J5ug#m{NcQYDkU;jQrdJ@g*~8J&ReezeX;_bI-peQfheWW3e{_9T!N$-fg>8U~AfPSeM+kY#! zR*dY7i6YT7MS;vrTZAd|A?E+QR-`&aH2-g+rnM7PAPv;lAjkPC_k+*d4g3*MlB66Z z-(x01scM*#RmV~nm|b;*+d%(rV)xj0vO;PN@lEq5??FttzMl-49TNl5%0$l2H>^d= zJQb`l0TJ%u9Fb<=MWj~_pMX~<9j>uxabZ&ds zw|(`0%AUhX_zx`&L5#BIbEt4Hgh2W9={eiSYD6$j{A_tpv&%8EkJvGWt?g>|aG;Kb z(G^UesNWr}xk-~fr>4~&vw1neCCqlvABx9C=c1~qjN*o!*0l;;)8QxIuhJ)r(^Dr1 zdxx;rxrwea&$YRp{&rL3aDej_|6HB`>mZ>m76|bK^+*-Rl&;| z2vwUrX4q|h5POdR2}O&iKAK6gJJ;rl)QbJJ;O6n`+6xL3wy3S)pgznQrvseR>9T0v z*GP^OXqh@RjHxf&2=Y4Rq3cmz?@SmCNNVk16f(59&xr`Ap>E9QozJPiQ-5R1?&j}^ z3E)PA>m!kdV$2I_E=^-4{lSHZm!*&x)5C-9IJ2X*sG4y8*Cx7wiPuXBVh?wZx21AA zg)7cq=w`hK&?ySU9n?BouRD!sH3>hvuYSBgqLrvWy8MMDv3_aels5*snk$u~gL7-a zQ@3L!0e|TVB4RNyYNU=o}UL z2@gGO*5Fo!h96^JtPSy|bHp1;wEIi#FGoJy*KASC{g4S8oGkg~gjHh}!MX;OGAdf_ zu}^;Ou5EO?6BXxd0i!!u($=EUpyMu6=huj-fu+de|ymJd!l zTCX>FyS3vn3R>#B0^zWYBaQad30!v*RZ5ytY~~#GnCm$+@H>NDVb-#=u;bO(^!|sx z49Ye%Z{iB3M=w)KH}t$P5zXI0F47Fjl+Ag(m`%A|>lwvg05|y_hylJZV^MwgEMM6)I8#Fq@ zv#c8$yh-Rw^&9!7MqT!(+z=$zP4lHWyu=WT0|4 z3LcA8D&4_L7wfb2i#Akxtg3&et7qyaBt5q2VWLSmTb~d#%Pg;N`-I#UlnoSe)+t)C z`E|KeC-M3g%>D$b*Px|&)f5b0!alN=XPAsMvz7@&_#LV&wS62tX57@)GrWJ8Q-R#v z8P?BHR^VL8m~AOoV2xaPn$aCcj8?*! zr7V-ek~Mbi)@C^{*kV~2qV|R@-nV+ivQCax-yGAo7=uH%EJhV=>tms?X%6xms}ReC zUrQZMCgNxq$`LuKUen=r@>+0^Iy`@r_T`KFS#LPp=8^iskD&yqo}(M{sbr-poSN2# z1^6?v@A5JkI5i)0W`4f|ZeQMYc4q2$se1n1qWU3wtY@N1#-M5Rei+3cJCvtuBoD9w zu%=O!UF|w~UkV)8K?{S)`*gcb@v}aB6|+n=fdace2H1(zDkJGD5zrd1YySb z>qmRDi9pMXItBK$>H3F}$f*CJC3j>nage$>9VC{qN(mXhDeX5v?>UR}+E~m9H<34l zyT}GqocpRT1BEqoOi{&eR`l;yxdj5+^vD(4uo@W)wmPpuaGEazvyhGCSdAn^Zp=d{ z)gT9UrHAjgsZ3bhSyw5_CJYy}0B5A?_%8z387!B36RBg+yX?-R(c3Yeh9axITSuHe z2aOZ9hi8=c)Q$Y@GjZ&9eH66mk3NQ)$d!#v;cEMGFcW35fmf9T=ZYVYO<(HE4k;B{G1Fp=*U3<|= zEUj`^yO2SF=}FanvbMJ^e9#DGTU)_4)LaGm7R&hTtyWC&eyU>y@}^i0SmK8WrIq9U zj8^BQXjUqcSSc^hO7^SW%`#B`tG*Sf{~L%rkd664^YqPd&`9_suaWbVA=um;csyTn zm`oH1<9-ZW=|xRxZ#?%FK?N>1-<)}2iX_7&^&h0ar@CnPZZuZZ=&*@3Dx`bfpA-UD zgfsp#$N7@bzXVfVx{urA^381Mi3$b5Ru6L7vg`L!1*~6NBmQwo(H%yfDvgF6D-&~X z!JW#r)?E_)A0aRF-g$+4HKfDQ&JZyXDX>~MlnHK%Gfx0JKvwZ zwM?qgE|SX(d*8z+sB^Gt*RHnYiX%9}eP>-4xIVI}{mW2x6oCFk9~e1cf5O!M(2zU& zqqgw}nJ3~qg?+JviQokb(JHT5q!Na+?o$LOJg7)o1tnWhZ-*uYVQ1?%Y*s4*dX|!9 z>Wwy)FJm52F+)vp;eQ>;MjyqhK%BpU{py*pCH^9RyC2#4$z*cOBKk#t9@ykP>#e`A z{@#CB{j7~2=^fzZ5rQ+RLG~m4+3g6+h(>#WT5l=}-7W5U%0`AQ1IJ&D0NW(Ii8V;i zzXlIxwpqL_MXOHd8FM-g&eG1ZS`-xd*Rl}j2lWMPh&!Km=2ldFm!5l{s zt&VgU768z=RZRIMj9=~p+Wv%~gfcTC-uJkrzPnZHfyRG9Hpd?!QY-cde>=ePnV{$$ zIhj<)kQ@1Zr_fj!R-9rJ$-kDRx0Ncv`&e<1)swHhR?p}h26b^XFW2H8)O-3VH@KOu z<{!7~tHo8qk2HrF&lp7443T^FBFJxZMzHg>So^jTY+= ztQ`bjd*hRD;=QM(``0S)rlWhE4`i&~84&P@NxfyVvWi9S&B12D0%Z^c&Bv;P8n^v1 z64r=by@EuYTh%d!^QQWWPYR?pY?eP78{hqjIR{BCDD0g0ga7u7skphcm=kZz z_oM={f&Ixb>7?K`r_)jUuZ{mB%{z8c#J~)YKy2l%??7#IAiq5`S`w3h6kPJ|v$j>n zXHL@P|FHzlY6S0(K&HMgHLzTkztM!qa5y=uTp4lMKTK=&jlt)C1tjjbmBaC${*aN~LW5Y=yZFaj>rbmn_|LmcdB^au_u3Aq>_`ZI>e3Ru!sEpRtoz46NlN9|7x%q@2vDJt+ayh zaDra#AU&Ak7dPC^DtcN!)w9oqaC9f&?YKKrUx^>-2IFNbekap}MS){@&@Zj=xR_BBQG8~N-mXRj85$&qi3H2>7~{E zw2an~4__hM#+&ANXU2w60?%~zkSPjY?j=xkvs{CI&$!@VM+Wq`)i0C@6;c8YuQl7s z(K34N=l6!82fy~c?~#p!(Xj;!99z$mYTw<&&Tz9g`t+Nl0(XDvtt9j9&-@}AGn=cn z{B#)ZS7BYorUc_`V}j^GR_cX|R;$WV+Z>ib7CK;nhOJP ztMBN#jS1HrzK*k-cN7?W+y}3?4XoRe`*%raAfnAdvD(PMxytH_K#x$D{A^Ik)UjHD zq}dBQ#|LUdEs0^ma@TXOf;WChuzv9s7`WFn5?y+i?DLC>ZFnEig2Q}}cTTtX!F94e zeJ-w<&Q`+bqSz&CBn+ht;#;hR((y2H&!JR{3=;*sQj(Ry=LX{Fa zvc_^BB&gKXapXVX;P}eugcpY>ES04Th+50hWAU(aHfvkx_zRSO;#Lh1#Pw@zWvWAy zAnXzh4E_?+HTB%gl~s8IqK@eR?_u9}jsr0rq##rlJ|d&}s+M<<7)YQrVeG)22$r$N z+%j015&{HmtnCR|DRE%cxCjM9pX4?U4g}Rjm_Fd3_-g8ShvdLVQSu;Al&rRpU1A9m zO|f(2^OsM40Dbd#enlRVb|e^=zW%Qwe~1jNthnv-ng+tKE3&v$au8|I@FMA?*-4~{Kx2+N}huc7mt)Ii{XYhCt-#7 zX_)|DA#>HeiUqAn(p)OrGc2%E|p@kX* zb#-|pG`yggR+dB3o1Qu;zMp8)k|9m-7*)nRkdt%tZpKDO#qe1kcSl256UZSYtJRJV zB-d6cBV^A<7o{F_vFCpXP4}EXnAFUlNGN@>UX)H~`ShKo z)&;g8&=sy)fc4lKcCN?(S60g_3^z^Hhr9L`D!KMyVtc8FBKrKzhi;C~l^SN4irn-x zn@~EYd*X@QZq5~^2fDR;r#GPspD*lH<41<(-Yz>^rp1}lTCYvon4*7n)SuM9%AkRHx+t8=-^!SecWcBQc*spwxNy;^h~NS zJsZ(}E+BTJqzZqsiP{fQwzfE?w=^`Bd`adQ@4i*Yxs$uL(CF%UqQY$4fIyYp-rPEE zpETT4q(tvO>#WZbD9`pB?j2gKLRB7S@{dRxorgsSDi;z&(cx!T$w)@L1@s@A`ZrR3 z52op>e))>wc?c>qhBf-$Q(J5hf2_M#o4%US&sqAG=qKCW=!^z-MfKEVk$}ZL?VJ?e zY(03BH^&OkU0V)a-OUZX!cE#mBYR)o@jY>e*>WsvRvUk%D^jmUR=YOu z0Sa~w3$@cf)~m$BQA_5D0B$W-IdO(`J{NGtUa3k2UkrYGVkTpHm|-|Rxi(h{xSpK( z!hT$QFVC~tJVmAvB3?s#*jYa5wUcPzkZ)h!UF#v4WIGZhF1>8LR~z}dW@glx1G{+ZGEKxPyMILr*G?O=C!0fgm3V&W z89sb4B0Sp^da9m8{-UOMOz#8EWwg0mMGN0+k^R{f^2&6|=)Qb$o~a5x%kN=ry71jc zSy?%+F@$Tnn_SgxL+aJGkSWI<^VFq))=Cl;#>-=R_h8PI=6T+7wzxwlqv?E9efyfu z7od>(q+zbc)4^qOW3+D4@;kRXIHrdw98GReL$}5CZ&c`5aeQB~+-&w{Ihf181Vm9e zt*x61tt}JP;Jt7)qa(hoRZX`w2*#Dc&eyvrEm>L|NkR>=cW-%1t1yfNsHW#w2d(~6 zhF&QU9DHx(=)YNB7~vw|gO>hS<%xNnuL?F+M2NvY7Ndr!H8E_&$P(O?^6YtcHi9wW zGF~P)Gy61d_QPaWk1?bGG1K#+4RjaBh>}Ej$)$m;l(;*#+nL)+v?BbOk=#u7Wve5Y zvK>j&oG~8vIolJcdAv!8n~1V2OPTng_~9LIHBr>t*`jGZ-Ul}6%rAEXaGI?ty8Fi* zE&T!8vQ?Gt`f8V*h~%^8a1S@shL+{MTc?Z(!Hwoc3OS!*X3a?oicuGL5DYqB=9&j@ z$;)WJ172#$-*;*RH%n$UK-ItL3~A=-p|JE`>!g8@j{KmmR@2aoCN1`TZ{cC_edJht z8-El@>eCFP?TOv#5|5jm;Z7k>3OeE!2^B(o^-TEym!r#zNXDR>R5$~s-)O-5RG|ZA zfOut-1Mp%^7MUlddzQ?_ToU;pJ(>sn8V$B^QKMm<<}lezC2rP^#?qKj#Y)vz>ros) z^kYQ+ZWr@tkzM)j<&!eP8ml|(VSatCYry=G+F=$k{buttnH8HXm@>SI-3GQ)=@fmF%qM9pbC8-sQ>qMM(X%B-oH*nn?5 zl{vN}d^6GpC)-nx3j`d}y)V58X=E{fxpCFsYS6Hy4WUb`0_Av|`?E8!L8;mJY9g3$7l21h*MQez&7BR3;q=17R zOj9RSp=oxU3fY!kb&$7fg+3|GyG-|yL>GD_fc1I=1-CP_I$CU?&I_tkYCRP8uD)W? z>JKy)&yAfT9yolym=7^LB$PAxYQ;_F8Os@x`>NyhB6WNE4bN{J|39X#Ix6aJYriNd zCEXz1HFPT}E#2MS9V61+-O}CNQj$Y=Bi-H1H@^4k{nna4SgbSg+h^C==h@HpiryZq zZTOtYiils(`r{{}4c&8+JVon=os;MSyA|N-NK%1Fh$miO;5HmWvyq6up%9DDqj&4= zzRWuPV|#`kEo7 z7!8FS*7xl0=^l2gtCq6B0Hb4;ZPb6iFPOoX&v<|jmeP2VSTJJ_&@>Zi@D@uYuFiBu z!OsGFggUUP8BTO<{FD`VQjIJW4;@~}AImRCPnV_A4dAP`d~w!Pt>`6NAM0zHuN|~v zfg{qvn`(w0=%VQL;2SLzKJC-ysgLd4PTtIz2o(0Ht$r#+?qqAD-{!pR5i>DyFRFrT zjiyHf3z~^qH2izE>vp5ohoSE!xijY|Fuf-krg$T7qpBLjICP#Fzr5eJL4%N;nY-Ey z^GhD%%Iv6kf-j+JIy-Z@J&~Z|l;|dJdW)bOS0&N%#HzlBl+UW>4+D?{8A1Dj6@1^x1t$VD6D~(b=rmiMyvR&4n#tJmmeY-gmYUcJj+?W z+!}lDYI)0yHx%cUx~_@WNYUHiyC~d!iH3_r<&2L7$`<(U*2Y<%-uTU1lCY*`5*_>T z+oA{`M%NNEMO%Bo6>U0ej;kEmH)f^W3w0FR>m1Xa$5G9uz=Wh7x6%DbQ)?Hyb&7{a zOQbHJgtV7=j17UP>h8AkR3W0^H!hMkR}omtRa5P*wC}KngXJp1vBYbhh6D2Mg?#s@yG4!fuyx8a$2F?ul$*|*an* zveS8*G)wzjy4F+lN`}CrN)%1gx-19J%aMJk#m&Bj+rIKO)6WG0r zzhY7Jp49-JQ7d>)xiVAt6l?bFIC>#EP+AjdF_(|gHLe#VeJ+`XdTVe~OUtckd##90 zL7vyjKKMFVsLY&_#)A>0RQ^IyY7+Wg>S>WMBoRqVHAtFUut2U14T+F7;Qnzi;^un5 z>OvcRp+jy1qJ{!tH|O84%Mv%QO7JJ^JWsjkd!^x&b5pg*EnSGDZbij|knu+BneF0& zGxLW6M2@Q|dQ&d&=ltlIC@l^&zX}}Td zp@C!&+*6&crc;^=zWn;@s)J%MtLgsdAdp^P^Ei>kgw2NojKx~#L-;V4>klvS|G-wX z^rjHs@Kk#cji9XkI^XRtPn}8^$ko_CRt+;+Zg0Wr!tB*j)$d8^q$pX5PlHkFw5Xyz zL{qVH>9xC}v*uvAn*^nbBH24s_ zLg7-cf*#QU7ll^fly7_hpr~89Bsp?AxmG|o{wYC5O^~(H`O~RQ*;r;*#(ctuNk~QE zgS6CjE@+|7OX!n=Wmpo!7^-AuC=&8kU&Dv6oiWVJqI9HZhy4%9b^>HRx9ymq?30td z-5?kT$TeWt?nvK-h{TXeKCT}ZNIxVy)>)E>RV?u0iA0T7mw}m?WKDlQ7ZHpMV?T$v51#aLc4k52MVVw^dI^4_nbzNx6YLl;wBK~Ux zISz?J`A5!gr+OyfO(oIIk3CyLv8;iJn?0zDz;hOPy|kg&uJ;dhg$lmTgo{n->GHj_ z8kK~Qc|4ngWH4V+Wixng`OK=;$X#}|6Bsfu8l?Ig>IQ416T@c^);m3Hoc9JWPXYc? zix>_ETa>jXpn-7eCe{Jz(C~t!73-~^x$6kwVZM$5I~YP@;+JNUfs57~6PxjvjH)Rq zH!jUS2ka8^dg6NtDN`m=aowMSS+50WSK+E%U(gBlX0f|qn;q>LjeM$DOM%pilnzn8 zp5hxuwhUUM(J!z@Okdvj=86mx?8!XZ%Ml6;6r|rd$fbSz27?$&H(B=RSeGhY6n#1P zkWL|=9H`iTm8X=>?Rt+36NafmjDzd`g#KyC*jO&{pE|*a^(ejE`{)OFplkHWliZga zQ5Z$O^o0&5u1~S}Qi+VxVbCZ^5?SX@xxJ!?k;A=7jOYl{#-#E=zt;N$s3QLhaq~mP zs{UqtzdcMLSf5+_0>(*M>OwAk6KU~!2xrqCS+75_Qq6nu6M(+J<`62Y0rRbzPi zd5!=5ulVfw2vEXn`_I`7&cyFPq?enkjYC>&CcUu-g1e7K(uL(M<}DU)HKK_6_UrJK zR$H_A>3II4AiMW4?oA>603<_qUdBd!PL0+}eGPD=m~;xUaWDYzOQe}z>|S41WXd#F zk$zBLHs!mQ@ZjfA&k8cVOBrg?NI`gx_5H^R=!CXKMb8q zObRz8lmPnvRU{E83{>6cCQ9)W1*42Y0n^h_FS#rkW@Md40a4WU@GsbzP zq{=^k7XA+(|9hx1oa%3h1|@inj|yZ^uX$e&&kgDeqzsu9p?iDQMJ4~%ya_P>6((`T zEwZNcPY0QgT6I*V6|cD7FDzg`zcZ2F88-#qt6-2Oq1DcG(f(9EteM$$ z)7j5RCx>#c0-pao$$Ioxta2oS7ADKTd`Vq-XD7WgPd7xbaj5!G;C3>lSb@x$2`#@*ZFd2FLaN4ey9lE z#C|5Y>bm&G9<46J^#?VxKf-e)wA)?7F%RnEs7eq?fx3n#cEG7p-xfEak^$@8o)c;7 zWtSK@dH>LC3d$Y&mN*WV>j##gt%I7Fxz*N7FcX21F^$sR{X~aXnVl(dL)yg$zmRS> z3VoQN^ETBWS!kF*2g6nFIAs!X-a#7e45D@Cv5H=T{mygP&MQx?+3haD{sq={Z{a}v ziVJQ2=!}E7D-xwdd9*1=*?gzhO8J02e)XvE`;+LD@yq-WU#P*f&{YrJX6lNOd~n~V*Q?F( z6P=-W;~kpx*+5g3QZ{dsfABC~uB@upxpE#b#Fg5f{z1pJ+g`GVh9XFQzN1j$X-OT@ zA=o@#N*=&M+%Ug7^B;bX-M5iSfH!})*CZ^|YRT}{n@N#HD@|>PrPyWs8IUhD4!+>} z`EmtSpX!|wh~X7SrZ7r?2p&6y4B4#Da)AQlt*#~Chg-YZpRhl_tpgNxlo<-`B!8+W z;Yf<9OXoIyj@5*Tv%iQD5}_WYVvuxb93?33bFn^hQm=M^b8T{) zu$`g9pQ8mqfg_a<*@FfO*w`BEv;eKBMW#LMK&#|M-2P*SUiYnp$Xyru%`J0@h47E6 zo*u&Eyw?uQ{&aLPrIlkEn_a2Uu3$kb246y?E6i9y8qvZ2?DSkl*#ye-@>P*+#m<2=s0plqUCyrd~^Zi8=6!{?ZF+|TU( zWh+~`d_Dr7l7ZQg#mPFEx$G^9QTzw2lcfeK9Ycv{HP2WYE6%xlBGTXyX?`D+FBQ5z zLDx2eC7A^3b=x$W!J_PTt4V|w==NmY=@ZbY3#~oLSpsbv9T#r3%>f(WCm8M3<#_&U z!VylQ5AqsZnsW>&g`b~Q8BNYEMz|?KqRCMel85<5>7X}?n9s41BdV99`=95D1wLml z_)QeKrE(00dy!Hda@xoqvM9T%4O@IVY+fXv8 z?GDoFixs}X)R`)FxR@z&ny z`oxHSys3iGZpHaLu+ncaUC)W;HeP)yLsL<^i&jsw0 zb>D$G zq!&G|(QiYiCmN)^v~{&}MeclymG+9fnoea-7Xn;GB&toe#hpW^ri;Azww5j3J+BCz zuq(DS64K~y(v@=csj^o2qR&YD+S{vx+if#x5_v)$*ASoPCOwL&g;Y!Bz$gvo6OQa6 z%W9@4mD|R2>V8p?j38@HrwJhPksFB!4l`{9Up=+7qnX^9ru3H|-WltgW3xq`X$@!M zxe=_Om`=x;?6tRp@%#`3m+NWwB+)W$jCe5Ub{n&5E#Ubg8!%|bC-kf86F##-k%{h3ZmNycr*QwD$uDB$e1E#kg_s7a1Q|Fx76*JYgDb}{G~&+v8Xyk;GHH{^rm zti{-~i`D1iP%@fxR&oJVwt9K#+sZ7lT}zvv=}eR(Ns!{LIbcbKXP~fUa>)J|^pGi? z0$lPd={RED-_ukks!c)1!??Jd^ssbJ9gO0bh6mb5c?w`xd(0}oK0XbY9e#{}Nmrsy z#&FtY_*F9LS9qh%@44qp>#=r-^<@VX}R z!_)7MVh$+!&q3=tRA|mGG~{Z8WMnic7V*J`WuXriz@rf6)m^tPkmHX|{t7lB!)sk~X^Dm(xM(tCnvCkz2FTk>b4AL74$AZi zNiF29xr~#MaQGhMY9=;K~*Ljr34IFE5Y4X!4_PO z9O?6;hLF;LcDP>5C!+ND8LDrVvca|Epzs(B-)mj(EK1_Hq3-r+g{y@%b8awR0&R8I zapZY$E)?NP6oI8~{YHK`E!#o`L0YIwk(c?poB8a;>tQ?uP4DaN(Ac7iQv`EZ&6+$} zZ@APsO6cP~o1G>Ps0)$Id;4v4-3e<9W}B1h9m*uO4eDqzq(qKXb#U8^v9tzUyS0lc zPb@J_m$xnmLq;59wAzbkhH`c=+}E->otSER>Tq(3tU4^OGj>K$qM5#w;*5=OEU(bt9nCsN5XS4Z})Udi9 zpF2GPh|H}UlaQvpXgkyHxH{`|d|~D$sV_MQ9a?iAwuJu?@;WxYywCmhN(z&S&y_P- zt&uRE78CO0LDF*vn^}$Vd;Xqd>kYv-tI+2NYpv`c@^+e(IlL+aa@qw$mVRJ}1|xs7 zCFWqJrGc9})xdY6eQklRIHX|AQ^^tG#u?|MzGe?y;|RM#r!rONtlEJ74y_5FHQ1@* zv*~&lX2eAoTK{#*MgCftM*6@h=p5wbSghra+rP6lT2oR`L4*V2lO;dDV7;<4S+7l{OhtR zZI&k;h5?FQ+)|mkP7f|K@L{_{-{N=dHj=WL6gFq7bdrZg)Z*uE5ekOub3oTH%EO5% z#AEnVj>EjQqJ(*?GaU?Bw}{cqrvLRA7? z0&;ZL*k|23W}#%zSYZqK!J6wbyXB{0Yq$#5uSZedwG`>KCz z{odmlYHkd#o3ko*^a}hodZ&}(U6-)GV0h|$*PDjcQNy`oJY(tn!HQ2_Nw!NrBN?+8 zxX&Uaz*H+Qz1gqfa@%}BnvNs29~o7w9a^(}Jcpdfp5sOrWT@79YXu(5e(n_-(qZm3 zdhD;8>(sz3#GL8pk$X?)LB+IMQhmNIoyhOjul3OPHo1zKyfY;#>F$k|S$gYY@fQ*c z>~<4c)Bthl$z}^K{$wW75*yqbx>=*fGu1d=3l@ohFEy4Nt|=njHIG-O;0x z$LoY5B;M(}BJCQSC2uRzU2+DS4~%7@b+npt?4Kl+XI}h(%B-zPvY#7<$24jdqdAnG z-e+`T``{;=$|Mg^xSohyz2jMEH0I~i-8HZrbX0ae8de4OJ6EasqhR2~vbDTr6Gtu5 z-czvm| zt?gb8bRZRD?LoUNO1w&msByO9ByyN^Q`9ZxAFW6h>LFTQ$pFhP*ea%ennnE&%T15^ z50gOq0~*L&<^nAR0Rc7sZV0p3=%Yk}+e!D_$x+R8vAgdTs^zV&Tz6Q{Ov!xeY`QAi z^PuKq1@K3lU?T0wT)dvdjhZg<^YJZOI||<7{^DMRadW}onY9K#5{D_j7bjWnviTdI zVDyC9$ajnJwDg~pf>8J7v7qiFEu|iJr_GfqU>;+F6Wopl=T4+GIE%3kr+h5-(sUlM z&o*@fALCWg_Sqt?4)EC~Drlf}bB)6cu&#^m=XmpspIElOAm#(Jg#DyCG!tp=-GXkQ2w& z;Kk4bY=C>hLD})XY;~^6I*Xjui{E6rDWw}a4|FloaL|08?O@-93;0 z7|JZ3t!5VNMD)-(wUP|dq38TTt&hPpT!q9o&z!aMxC$2_)G>ycJ$<~w5)YZU7FT#+ zY`H60o*;>&+Zb3bX~WazLQHIi&RSld)#xP0ns0MWcUZ$1jxfF$hw>m|A$S45jQw&s zr}uHx6vKA5jLqtW3Z1}CsmBJFkCR!XENIaOKkoY^g(Z&6*b6~&i~S3V0kc2eUW;F5 zTl=Cw9y2w@oQZk7p(qSk(xd4W`dB?^JAJ*~G^nv$A{8o}Hj^|gY?crGeKkHod{)q` zCBSo570}YXfYLy-W<}aETV&301Kr8?)WH!BDc(OZ2#K5`4KbSZN&zzXB_xBKi_0i_ z`@NX+#VZ4#S9zpPbjud&T+!3cB@(J0*^Zu@HVmtFAN;44Pq?!MtbB7F3tX+2PQ&x$ z#wsw5@T!?YRPvVFd5RX_%dNuNXw@tK+rBTi1aMk3)%!diaDoiD~mrhYu%Mnza`Fozzgq$rfVc^-b? z93_%1(RC_LJUgR=Be_&@H9UcC&)zjKgp&@1Ug4=vs=F9bWNc&f31&9?5rSfe-seWy z+f|h&`qBN9cq0R%0;qU*DWpHWDXvd3`~A%uwfP{1g=2X-xRi<6$c#+>k|cpgW`ZP8 zMPAv3R}8}ZJx;0%6WVmEx*;oTJLHTq=pMgyik&1dDxOU@RIJ&8ciP~qj4e3eTH?=h z2$M+Pwq57M7RpX{jSBkGSwRg&PyMB!6LObK3(42W$&|$KRm(nS5vESi&KHH!?}6;E zUde^Q?W4ywcZ-dV&(vie;26Oe8%V=gXVzC0>R#}GNB6&&N4V-~P)-hJGm0ax` z!Q+)vf7J@I<25`ww~R5SE)53Udp25v$j!%EC}TU0P(Y|K&9-0&X_s@~z~xw}q5**r zRso_}cp{Qr(dx?8{n%-Vcjzd|43cbr55ERi$ay<5ZIWPaZT5~*zB``jot1DWq+dIZ zF*gn=+3854`?g^8XfdJBMPj;K`5KYvv8h-*Fn0w0j;JRyqvBvI4K7Q!P=+4W^?qEu zEG$R$=JEdif!5~aSU0?p&AX++lZ5~*Bgb|3E=7cC3OGmFSOvN5iX2*U<>hdsqPhp= zvEw!eB9k9|X;>C^eUt-Uz3sz&&3Ko%y3bym9cQd1XsKmJm%#8`I3|@U+GcTld8PdN z++wzA|4bgvR$~O?*<_#h`k5JmCF^T8SwXD&Q4!sm&E&hbXE2Aafs4OQ1;CIYU?I%yW*xFPmb<-H?Y#=s= zMHLtDB_t^0C_4TYt8C8ujp$W(LCba&AnvdW84GW_($^W!mHMk8#JeP8t$rFp(G%<> z>#01_+j0_)*F+zYCRus${R@}x6mibew~=dG#W}~|dBykW5Ez)D6d7fgST7%pW#Rd>q_ng89PLSv zTvD4H-I^_rH^pxnRIJdf0?`WC_Dht@*!UXV^EeM2suYqP1k)ijK&IA3yqHI<+5F%* zq^>dD%*2@ufi~)izQU%x;izj?>__Mrq z7Dt-a4W&StAjWN5@$6m9XAj)?La#dWFO-i}9v|lh(`nX>=q!YzI#t+K1}gA7upd~8 z0tqyZT&bKc=eHF_LN6)r3kxcj6ci4<$)u)jOB*GAN*xc6}ra-DM)e7%H zoR9D6#~w9ccc>VGCIKq8Ea)S7i3j4JEL8g-GvS{f&j%>W4k~fUA99iEU1#^u79Hld zcf?Ig9!^v^x?VHC=1aX~-9Jfe{UdsO4%dm;tA1;t`+N|{T)ByoLo5D=xgyXk4_0HB`P-eFg zuP=D1hRz33$QI?HI}M=9nBwp6jJfBA?Qyu?Ij7%L4cW)y6KQmLkXv9Z)atAA>0%zs zj2X{EJW(k{uc;E|DTgJC@g%GxrOU?3IOTJzQuJLjCqHjpq@Xki&H0AEY@U%K>jAH! zl+$#$^u}1m7&NVA)@=4!yi;b#kg}JrSYRPtpcAoLjbQ&!HyzeU6}`so9aOAX>P$oK?7lKU0_P5!gTuTq)stR-jx=b?;bi@A$&BlE%Kjduk&!6! zqW^8Fnw#0KCD4{|y(b#Wa>KZ6bBUBh+&Wx8qHH7`5b8L)RPB1?iQWl8bWmA+?hpmC zFnmBiyC8xGdZ&iXE(5%@K9&Oz*hVB=KCrlHwazmID3ALzk-x$l{ zMITkgZBmk_<)ZpXC2BHiw7Mc6)E0_?kMWGCZFAJ7y_L;5<4&}84b0%pdJ6?+ij`Cz zpdgSxAtoxfBKgb}XhB4B$*p_4-;kB+0$0z^UT(zr&d&?pNXTr0d8YFZ)|z~8B`U(| zy3VK^qR=Varl#{f;G8`<>QtFb=SSBF+sr<=y+E_{pSjhm0Oe2OS~XG=F*d@&>=-HNRxgSa$obJ*C5viXJx=v8P|s~TzM(E3cmtO_XSksS#gJWpr) zr%nSDZ)QLti%SCGHHZ_cW36~v=IF(b4DzcuR4`dUmnsOCn8-A0M!qm>qQv8rnD}lg z+X~VZ@te75X$SK7b3)hJ3X9OGp7a$~991jDZ6YJ70@6!NPf*X_83#ww9tI5u;TsDFZ z{OD{{8RFxl{uX|iiM?U=9j5rBp#ETKXf5CwnVJK=72Z4I_st@3g<#*78^lCdRKn) zAvF?djc_H~+Tw;Qkd~YgXH9jJ#t0(=3h5BqF$sw|#_VRwZ@%XV$ z?}mkyWGVnH`b{1#hX-AYVZ|FwO9%jIU34yhitNX?P$|W)f!ki6jNiX)z1#4c#8cW= za!jxq-e{anovFj~;FZa9R2>;UCog3u4p`rXS&)F8u9D!&+7RxmlXzBc!dS&mGL4t8 zJKecYjY@Q+H$lf*_NX<9EQ&*#FIx@Sv6_c$U{m3Z`A$tz$oej;^Tnqr3YYK7k&pM| zS)cn|$wT?M;~6Tblo*34@dU-ENujK>gaX!|ciB8AUA2!@D1K_fM&}ZFc@>HP z#7QLxoAUaziGjf5l;#YD;5#P{HBv%U z;y#`&QWdR8gSs<@V->0-ndiVrYLYniPUL727nxK+ykH4xb6#r13ySWlzz41XwtJzy!{WH%wVd7%_{y@IxAE3w~8hTt@7 zNv0#qX|dhptt2DS^P!OjUZqAI$B~cEgvD$Iiu&iO)a9QkKLUSLx-9N;1fmOpg-NFk zf-3pN_n>+g0F@+N3~R;Z5YFh%n1dn=mL@yKxpCs&S|7E<^mpVZN^C|`@IP#ibGO^2 z@8wROlRXATt8~)r85Tkjwp*w2j+8m8^l~VAuV6XJHC}3dv1RAoyk`dF%St7ES7~l_ zA(fP7FDSl+R*UD#H(T}I7a`s_d_^R9!Rb_?Vy&&ovPGmE3nxdnnxQWm+5KfF2JodE<*9mi$cuPVwB?;@doC*Tm%0)D#>$KC0bEfq zLOPyMG0#y^biVN*DaB+7i^Q{J=8}!O#SF$ZSs3(q6#G6;(5=el#q}_0TI6ESZokMn zzbY%)K6Yl?HEEx_aV2 zECCMFrZJ0)A7{k{F0Qn?YbRe89B5N0?hx>3AE889)>*7Y^2=d* zO~%gf22LWF%Lc{E8K!BRxcn-$Ai?hW#E26EANzGqQ0lui`+IBy*4N~#e%=(pEgotn z{v7?aQFDYM-y6u0tS&X-!cag~cyUce-5i&fFIcU?9}G8ZEw0synWV--aC_RT{hXcc zWE~PlF{S^g1?;j*#=A~>>6u)+^>OpqbA9{?FJnp6$Sdm%ESr@Aii(RH8d*J6aUp0d zp_$ZQzj*Z-aAKgDbdTSzx@{8N#EPb}FDzTuM39b5o6lB-kAa<}jZpO2_gTy8&B2OQ zFEvH(PLYH7BP3qscgtt9&GijxzBBDd7+7dg3I+YIdZX)S-c?Ni)^-u{;p>b~spXUM z?;a>f>Qbw#_j&GI+_F*54PRSC-ET{tnw0okd^0-9_r8=nGQKmFmNh@eKsjFPH&O(6 z7;`y;_n_vIUf&@{d+$9H`S_$cI9Gc)ofe0{PaIZHYF1+8U5ZF%{kWC%)I%YAvknQC zkgnHI<9n(^O&R^Vb?ak6!Q|&0IUi?JoJ<@Y!?Bt1^@l!7)1$Zp_Xpyf?cxLFQLL+? z7t}XCph(8D(GJMX=?X1JAr7i!LKjM2+uQ>PWU0E^;m@f=HCm!%)a;Dse0g7RcZ|Mx zOn?UO;~v`Rzsm+(6D8DL#W^n#nHK`bXSY2MU$orY8y^arT$T?^(Q9+rNfVT3x^ynp0OC%V9$Nx62+99fc0z5yc1rVfyyN|+GygdiETrFX<>e;(g`n&?S?RYidCC;zuGdmE53m5b!_7`5S@*4lBS zh?TNf8A$# z+0Z{P@7^dV>`xU2#^_&j*?qeFrAG?SQ}B1;Ja+Xr0D@#t*X@UUVo=r6VRWOZ?5Ikq z{zCJC7ex%`Umx?2YBd1DTLwVyYX7=3JMy3S*RTCt#7y!vpx2E$=U^V^W~KzUNTz?L;mB>?*P{B* z@B0V|Eff$wUedRhi0=Y|^Zx59$8|o(Y#?T7%l(<*O{Q-HF+~F#0kR8kRj9-&=A}p5 zl*5^xX3sG*fn>tJ6vEw)Fcf%=uYz&#LWy5@BAxnuMP0U_gVs?En3VUGh%}=9atoYC zzWbco$F<~uejAKfT&W|H&WE$>e88gJ`n(ATxs&{(wObj#Pm0oG_89~!s!Jba_vDKA z#(MWzk(KtwRq+b~{{F&q%Kz?(&kzdO7KDWt$|UBnmNtL$uV7gJV=>i8 zKS9hnx4NN)9!@f{>4w_%_gC3p#vvyApVzr8{BO4kQE&|M9W9h8V_~i4_oZxREE)WP zJZhD8Ega}=f8^Lr{TqA>u^1r(;BfBir;jcN=u7P$EM_Bx6urf>TmO#(FAQQbKR9=%z;jY# zxW8rq@m4124o!9iCSN^!-mnub8Cfo(Z}T&={?-5YeofF6cu7!bZZHgX86&B0XCnz9 zqlr~5gLeMz#)mim(H4;mtS_1Tp^fHfqaIg=+^+oNjY|0cV@A4o^IJ__*x$YoG=6ksN;-2vF^{@kC9Gta+6%+ zi%ajq{w(?m-~KyJ8{7BMLfzztn!}>>&6IHsTx@SEFXyxV?}zC^9G1Ktoy4=|8*%cb z2s{M=kBH4nEJy|htoZz^{qMr{kl$XFoQTrk6$mxk>0?fxFsR*%1mP$GgHdV&|9ow? z8}sixOOfq)HTs7<)NdcC2{SvMiTnJ*s#bnY8$~zxmlz~u`}fIVByV=>9`^|_=5-CP zGk_FBgZ4Egp>OXLqC+@bfRHphFP(6P>%4 z{taxy6y-iK>OS5I3g*Di(R3{Ddr$aM;wkGMV<|}n2ry7)a zdn4!>0?r(ZFC7e4vY4s(tsmw^3F6_5I02C|#FFW|~hJ@iirUJCD8bUGWb^Ry+ z6cm@2mm%T}3;ClF|4!fd?JXf(uQw}q?Mm+4t;)1L`X7N$Q7hbc0?{xQe>~Q+#P7Vx z#N=M+cGIn?ZD|lrcA6?>WtEjl>vgq35C7ls4!{NQ)=oYokQ?F{%j6wqjIplk-x z=XQAGRJo$JRqlxL=c)a;=^)s2h`a2Ythv!hD`<5_usPLEar)J5zeQorp1s5G_=o=E zJ){HSw-lp&qu45D>g}REH{V3)>ZbVG;+ZW`BL5Z7J@4;5A#&q68ia3m_hZu0G?9OK z5$aicHHsqpeIWkxBC|i7kyI>r@Jkp%???_Aw&qMr z%4{#sY~oc9>kWbIx_@+OqYEK}-y<%A#|izCECKQfUGqH@c)rY3i~CLp=1#k!E+=$B zN=2+@pw|{T^1HYgBW+YDu*w- zqK6x+!E2YnpF+T34I>%7rn6U`qWe}>4WsoA^1H_{C%J3(`*o+Pn3(s+Cnt~*6`PMY zR*uTzeX(uCj_>{oP?k)?Xzkm32v6QehCQ~nffPSJ>}yoVsSdii zDt;8vZLfExN5JT#W@m_i%x!SiWE_{faK|S6He@|8G>KNB+FKX1Cv}}JRMO8E+Ze=Xa_*usGF4CHS$Y2Gdyu7DgVa(aV&>{H>m5-;YvU+hd|Ler zQzS|5j6V2$g~_?OqT>DBVlt^=S6_WoT3sm}xAN6ldFU?!Bt+XCJlVtv39BdjqlPqU zqN5}urM>sKj3}rI_g~%ls5lU`Gd%F{#f_B{rreTlH6O=~IX4MGXo;FHg=Y-QoqSYY z*3P{Bw4N)z>M~UEse8r+WhMq$KFNhvdy96iJCkUy)8Y9ok7+@H$gce)r~ z3_>NVxXu9#$E$Kx10nrGj)Ef%*aG5)hPCz6v{^=@4VWMWo-9hLkwM2u&C0Xt5cqoh zNJpK4KI1CxE@E;i8Cd@*xFlDNSH9iHMwQBf9J8bg^Lu=JanYH!UBZ#($Ses4*8WkR$!$*VUxAK9T9AJ> zV0sa=<020?T+e%)-!%KMq4M(3URhsfT+tO)ca8GcjrjvZX%BC1h=`^kA0n-%vHN|2 zwLc4vaenHk)5~hygM%wLFc5>-ir9NTBX4v}A?b+EbR~!%7}~!Lc^BmKAPCu=r>z_Q z`%4p=Si4xDVrt%eaS`Ok?B1vX-IeO~V zIX%5~V5DT(B>Fl}mZ3R2e&U%O0YRo?2Y8)l&qbzcH{)JTPO7U9@(f0Oj*R`<>s5x1 z&dQEq3s)QKyBQ0ti%ajH54~t_Gcc}v(8AVo2FK^H;dY+*JR@jWFK+qot5_{Kq?Xr5 z{eh`Yx_Z*s)LP3;d!PJ!x)DeCi^E=ZJuk=-iq%+YuQt+CwrGK`s2*sUO6rZsh)vq- z3Jc~g+&ukh=|(#|tgK?R%UxON;IzGVyrzrHL_r_EB6rDzwXd0!pimc|uFO5}C7wZm ztV2*6;fkMNk;yG0=?=(5UGF%gqseN7tz$yYfB#2}F z=yHS|G@`~*BoFS8`rP(6dlt<7x&s$!a?vfd_Hpm~b69LN{Ikl(-24I8egSD8W(T zv(1S&zAuaV$4c-ao_c?($lv{9V!aKOHa+S~u%v| zFVo>=M9B3To}nc7zvI6T!e_v<&&^%av}PUN3F-kPIsCRcWio0p<;_f^%Og`Sd%Xk47F9P&*OT~GHzx3f=BxBbqSDp2rQeqeO5r#g#qZE+o{4BP&fE#}Se-iENd zWoZGj!D-e9PmZed9wUnTQ;*$aufDH^JA&?dBPgUzAXYEP7(;e&^9%SPUwqfgQ?W}H zXKUF?h>mHLD(ZNBtRa}0M!lVVaf-rw&p{@LCP+4=_x#gp$Z3xouwJF?`%(>2@7zD5 zSg)&3=Sf&8fHp;b>F?22y>O={A>Q5QARDBUtE;Ezrk^Y`oVNjRYlgbrDxMq_*M4R% zm+2CL!QX4#AeH!(&R0SKO*P=zZ6{U*YZ!bT3ZE>6k%Y|mqa3{uGjjRphf4uEv)?BV zzh+W>4~nI)xm}n07x8zNUtZf=_SZ^Q`I;KOC2ro8;R)7xF)lN~#4%_|rX`Q$wsUXy z-C~Kpd`bL)x3$URf@0I^Mv)bX5_%7F~upPuFdba3nxYxLmra!># zeKR_!c$0xPOUB9G*( zZ9k>}@Dplzc}2j!wTu+Eh}X;$D~gm;lNEpKnJ3B9IQhOq{#brujJ#aXW@~S_CFR$q z82D9SvOlQ4T7A5X>-#`ow_XvOud>jnr+{VTJAZ}1NICz>9JQ_bz8pmFFs5GA6bwqL ztu3(#-c*2M&kUundCLFV-*J;x5586n7{t!J$ZTiWGNucb8xR65PL> zbAIRlo}2F~x!7y3J+o|Po@dQ)on>Ys4*58qK8zcJ99_UUSQt zo>2gvRc|@{P6|04+16NO0fIGIoU-t@W$Rikpw!J`+&`s}Mfa(NPfvyVG%LadL6TeA zCVHh~y7-uuQlOjXd%BjZEYAZW|LyJsB2vOALwlKmspb>**gpx2EN6)a?3{*|CZoEn zk(ApTu%Ae@ujM}BmNX#+69IvP%yrgtf&DQOcl!^NIG}`8HyID}i=+)chyC@I(+}Lt zASJzqEqjjY@AGv>ETPP*#P07oMIA^Gr8|001eqhEC_-+)0eac7E&g!stNZ}TqdCxZ{d2Gr! zOrqt)Cvi_wpMa+)PsuynzmiF+CehcwzyKTW}4;^^G(sXd- zVe$RU!MDML6J;#>Ad4QxQ%@{jjnyZVTHYg^2D`rDsoIGWWJmNnz*t?F9Bjs`_q^L8 zby^;!RZj0YKaaRQHVEW<*)^hNeGX0;li&bb0ER0V6LU@_x*zdxZ8BGvZUkAZk8gqg zQ~}ve-3Ol+!+}I9Cno*JMw4{_(Q-|cru$GuUl_8Q#dz0O293M5E%hbEIAD5{IFMr@pTnf-&mb zAesYZ*DR+HvJWX7&y2}4RL>*1yVzvhr;Xj2E3FY|3p{rKa<{ECaf2)Bd8}uD1fj%n ze4q&{LQA+iszh0wyWu2zlP-X;!VQbi3y;l`dMdh_6tE)`Ft>p9rY_wN;hxx26y#ZR z=RBpyG!858NA&O6~#D0afU6* z-DCPjNZ*rLu=%FmQ(*{t?Y_kl6Hemmdh=!cHlZ{=Xz?5>{0Qid>{wThny-eY_TN7 zj;g(^vzw`s2CVsRk-+B5tr`caU!xPJ8{MsQ;?s4;94J^6J0V*%Z`l+r=YNZT6)eA` zgyB-Pvu$uqw}a=deBNF{3qKqqb&;QKHTekDIuH4d|9+gp-`g%<%T9f82ZzP2o9r;6 zv^!vqzxU><_K+!>00#AEIc$cs2y@zAxl@O(OWux}*I_~jY}j_4+EHqDvcc#5Ri4Ky zYr*r-KI^e!&4&liay{-o65GSj-kh)4AXDzT(%MrNyV6;|RE5a=Hx3 z1c%P<9Bi42h?)twjUA49`=iy{dO2@z8r8L)dc$0t1#0~%{g7kxZE0%wnneD+Hh&`7 zPzT_0K3?v`O&(`w+pRYn;I!Xdo^*}Zxh7bSf#(FdWffkcnxaxPB+#QEY0Nhe82(BC zo9T!i+{rHZR1&$kH+mLW= za^FS{-D5gwItN6ws4uQNh8p-l6QfKXm@Z(BUm9ULwK%F6DNE(;jTAa*1 z{vmWn%Z}b0_KHUtFOjAQk3ukmQ9Tu#P&^=iM^ESWim@Bzk}2l+%CTs3szQ8CZ(+Z) z$gQ8ZBnS;+8XQoK%`($@KBFfwHl~1u!B}WJ>DE$_~lj~G=KM}^VhbR z^Cn*{c^%Jw$UXUdP4oIuGqX_r!3&*nY6=}QYUg4h0TsfVbXtM11l!|^Me-anz*F0oVSnP~y;Ud2c$ z0=L-8`xB!h{G$YC7&!RpqlLqyr)#pY9LMAe?Kk3GOV5<9*K?o;(`b_M>2fr95enHq z2$-jE)QQM>;}7Feqr;VR^QvN1HWa&#i!4#AEZrnCA_0XAU+tskSC*X-opjT<% ziA^OAxSUVoq_j36l+E3XGxcccqraS46(N8;t_Bs1_wKp6NkzA+2gxOkZkP_Zv80b!=r@A?$#Q~WnC&-?=7f_D4FQqVppf5 z=7=PoTgTrfB{?(V^)R@XgF)r}myYRGiirmsN@I2Sq}FN!Du>u0jBGFKxA)vWUT29{ znWKLIBUx>p2MyQ1J~J1|jq3U*+;&wq<*VoC6OrJI?cWe?%|VFYJ$vTlu4L!ghC4!e zl~Wi7X6j#%mgg^Mk30GHeSJd1i(5Dt-FW}x8{!(VUGxp}F9G_MdzR}L>)mLof(M{| z+v%$!-*N4OT+PUqNAoG2z3KpL9cg-;x7qWHtn~ECI-i^$t<+3Rh(s7uCJdE|Tsk7^ z$|`6e$M`4L?Wiv_M#c_LL^q9S`6Zi3@fRIt(u=ujIk65;87em|&`)T$u8l#TMJ3Z8 zmMFTBSGByyPjkffT2`f7A3vdx%~R9&PEZLNi(KGRABqd5d~zgb1jLJQvxPPz^J^T7 zOFw)!Qq0ohyekzbit|EGo*9b16`-Kx&0a{@#}?y7pu~8*U*f_m`^36z!s z-H9lhW`QqT^&J%FGqi9f{Sh$77B}kvn2*9zLRW{5@=oIbghu&YND=J3!Enx5g zn*tG^8&e~U!?F&-kqqU+sbtIYH?@TTXOIv3hXjQ{_uvELHfGwP=sHK88uft#1_wkL zs(3s+VnV{92L(d41Dr2E<50vMmwHwYadxu=I)BG?>~0<+G_Si8#%;_c>!=U+I$e^2 zBK-G&{d8=W(%rJF8txW-QWqzSR{M%7)FOPyDis-Zj_c;B3s)lR5Pi7od!b-M8x8-}{lEWMq) zk5hep^D!kU4_GMQ{(F_lBJd`CN+$v)`FO97A7P2pedPFY+~T@@P=jZ;Qj_?sawQeM zTM}%&ySr4gMor*nvM#;Ko z*Yn_ca*s^5a*ZG5&xw0s$KS84C*|Dz@zRD_{G~2re1Z1^@RU%oqLAoWvlP9h_k7al z=;wVO4zA%*MYt`ec;CVTC^}j{Fz~S^1D3`~7ZMN;n7wwAvbo+8m-BQ);byp!gs@Ok zQ%8jVCCViBk=6Nw`0bRKKC~mST~Qo*mvDHy_DtQ_@Ydu7ezFt)>4JQQPj`R7m~3JGYZpN{uhI`k#Eh1bkz zar@sdP7haO_ZZwO6;@D(ZWuRu@Vn`S(*BnVAo0iFwDI9eWToIuI?D40;2!4wm!ycT zoDHKN_szvkrRm~1?e*dIG8c!!R!H_XKFOF9cq<*IckXZfPceUSi3kA&U5Zs$7(&;y z`Gn(@Rbuni4T5R|gO3I%hkR_Qj1QI7Oha?Klod4)3TWs#M495JYSc?izh3O={h8XB z#G0G`CXh6IPTxL(X@0(DU!9}GV6(*6ZFulydj*uv*FdT4!iPt%V(Kh``#Rf%zUub9 zPKsP~Q~E*cBVeYJjcS{lbdvU1X4TO6;nF#PjKJRR6XCw?>B<7cZ^R_Pd)i~?D4iHSVHA4NuQ9<3e zFq7Lm)e~(_P*Iyvo^1)gvMr8u3-b8s_wkV4^Az^G+d>8O)DuP{$(%RS_Ha)QZY{F> z%Uaaf2y1Gw#6oTpkuH5Vk&)dwWjY|2-Vz>RDqU@RLm_4aPavE|AFtH59FV;2B~>J6 zXZXO^vMO|;Khf|@+QIM!b7hX)%65HJD{QNjA!oBdY6j})g6P3>Wj1v0+RTGhD0@7f z5+h73v~7Ove?!p%6NS3%f5$rM?L^7I<_4n`g+BS2d-|G@4Y-$=aVSwg_GPo^abW%N zr|}&ETjlYaqKFOJy6kVNRtXxuuYCwk9x}}?-u>mpX(_N(;dnTkk2Btiw|iH&m(1X( zWf-iW6yE!?Urg+zr9-D90P=ETo>_m)V1tk*y6s1ESqjt|Y039ir&)^7SPQwWxOOGw zgf(w|3=S9kn_bv?#cHq1lUp)4YOVAUN5zdEaHN04V;ixy{Q=Smuuvi%8$GZJeXo*u z@Hk4lJU?H1eC#26(;knacMzeXqkJ(x##p}t~kMf4eD zWa*x%!ff2Qz|JCV*>@FUX@WbHQdTRmL@v%tUbI1i5vJ*sl%HQX0Z860jKFc=4T^U# z65yz4rjW(o|?da!z*)Wi)N|S!uXIU z;_MFzW3n+-XhEu@>2R8iPEtakD93w``Yf8m79#Rw+0)pGTY84zuC`&O=m$Q(z7|r< z$x1Io%oF9E{V=24ME}<_1Z^r0u@C{T@BCve;{9t7*Gj=297LU$b<#q7Pwb;&bMTga ze;mb^t^n3igSLPMrQ_P;PxQukp%)iNcPAY87w6cZgG?z3w@JpeKmF7iIU@H{VERdOhq+^FPK zZ!d6*T+Jf-a`j0X@a0=TY)1~eiv_LW z<*H3}-SUP?B6b-?$!x|u{MLj~fg%A4GP_6QJG5${dQYz=Q&uL4 zog$e6XA>@xnw|T$cg3)V4$U3!CE3=Hk~vL%#=Kn*6JCTp46kH7P>;?datB@kCuPep zhNFr{pBNxpdwVRDz%fYXa2S*Aep{CcGm1lp{MOT_xyVkyZZusih(SgvHx_(10@8_6 zB#O$s_4fH#CK=8Tu^*1aHZK$1-6Q4neE3+#_8wbYD;l#*MFyB%Y#iTC}sO(=~TPO_o+~UH*X>cAGjjIy5SQ@Z?v$d&+RPW=|Up z{4K!|F-NEmAx-*5F>1jr)aDa{kKG&j-peb5$QOM$lC;|$kY&}lTfM@fEfd%GP_I>^ zk|q7QW4*U6r$5Q~#+YXXdIgn$r*{_fBG`(+0}!Dl^S!|`7N(ZQc8>xw?b{Q!YLE$g zC;Z5LwOZ$no1Z|8M;erRh(!6M)49`FU%nYPr}iaaD!90dw5^hCrxjrp19>%hj%Rov zHZi|jVwCUv`kF;=tVj1t`&3|D+-GAd&DoC}8Obiazlp)u1=^*O6?0#Ix{xGWXRcXF^A2PaSgyIcIDV6RFDF3NN z*zh=XFMYLuET=5<2xd()lKi67n86G zj-W$sLcI6O;WIMuLQ?8M2lMb$Cm*BeW+Ws!wSQbq8o!I;lGFYJD#WQQ{WxsQje{c? zc3#MVp3I6Y1S!{V{jq~-RJV`b3R>~N@^_!%Pwj`FzkV*IwVB;I`d%(?;VZ_eVW zIPS~)!$%)W5#3c$JFaQRL<14l{B=mYezWgy)*~)@H`#Ee1H04A;61l|k;6;u$LM>& zwSO+QAGx6WR}d2(%M9>W$R!Eil4q&7c5ExJToAT0N_ z)ZmGEBVFemH~ky@Vz+pho12TxkEOEu`~2AIsyHXt>x7f64elxYkuEJH!RNbwM^CUz z3WZ(Y4}iqe-o*&a35l#3*kWmcB{dwBq}7gbKw z+R6lsQlG;ZdH6q{Q5NAP;S+Bfy=qY3dB;hs?V&SdjK5&{7Nx<+zh|lbxPCX|QtDrF z{70PMoB_;+#9{!ZpxjR{Hqo*fnsZ1R4>tw&3j~%{9~H8p6dYTK+FvDw_PfQbbSBmyd7raP);`Zh_dUH`Tkr89s8~)DpXx)36`sW6%4S5EPoGB;o5k1UaO0`8nn^_m;A_Kdii5S)NTbg9?%T*O{r;;Z z`%iOL4>vu}y?Bf3K(M%j0UyJE1%R9UF+cDaG^6I~lYWO$7}d;L(Zw<0_2m1ttW}1a zl#NxE?=Z!YeCj;x1z(>YOuNV5JRz4umgim-|BCwW2mPRR`h^;;_ocQ> zzVH0SM*sPVg!X4PW`&+)nP#+c+$W$Ik5#VS#OUG7<`&@Yl=Y1EA1M+(;bZ?a`TH(+ zeo>Fj;9U?(3sZMK7Yo+^zUjB%YsSzrFBAjb{Ro@tH0H+zqn|1J8QlNBPuZ`*t8ngJ zLyT7%%KGiBOaA-eA5drQ5Y*5YPM$k_*TpZ;%k@#2H9vI#Q_tFA%Ks?k1F8nqzk0-W zh-q?jV4JOkcpIM{sB&lk^NvY+WQG2{m;5WbA&W4V@Z){YT&-RuR{;TQV5(6l4$b%V z*0NDg>&pM>)a+lK?yh%`wXfJ!5`r-)T-!tz3WxUombHfc^B8>IqXsY$_VBeBEJZAx zI_0Y6*~J&zO`N#q&zDS<%xRbNY5dSE{sweZZ*WA;QjYq&e(031RyJwFqg}zb=crqO z43GrP71>>$6wNT%FGBLk@r5do%f^aWyqGK1%f9`Bgg*#HuHZnJAd4pgAxbv9Br(nU z!n(nL{48A17h%j6N$ZWd*kfHl*162$M?2gb{0_n!HmJevj*~$01ye)8XC5=W?b=)2 zttiQ@BDF`>ts=(jVhLf);@T&-2&H_bEmJR${%YOu{NlFZul5yk0V!d+=nxF$Nh{ux z@%lru4f2kc*!_JFATkvUd>HH7Hfc{?ycG8(1bn!E)b~$%7EGhLLUBp&(HmYB#0VhslRG;*esH2=uM=5sr7&I>fiRg@&c4= z_Uj#{u~D$&KTPvJkHjeu?x4jHh5)RE&3BA0_x!h7tXgPu7`^(pG@P{$Z(mwO5dFoU zqg;LxrRHZPK-ry*bcFF;62kqvDqEH41P>p{^h6AwWn%H0s_a@b;d%M}n3s1+@WA_v zkzOyGciR=BP3dkT06HSi3Ku$b&L>_?XRTmuseb=dQ)bZ3L`;=G z#0N@L`ST$Y-uxoRbZ@{sgzSNTqUI&tl%2znDaVvqY~Y#gEVbXF39K-50eb{1;NKZ` z|K+h5_hKUiJJSsqZVI|@ksU|wB&>SWfESwt8#GJ}J|#XLlRbDuPh7Owwd(VCuxoKC}y>PK5#=4D#2~ZyS$+hRKq`ot4S>yeoU{aJRp3kmer}hXC zN)})=w_}9L1g$HD4QUkKvOMD4Fq@y8R)%B!VxKTCpJ5bvjs;j7+3?CoC-!!Xqn{4fvqAJo|M^B-YQilODSQ?W!=i;T z!wiPFw}S$RW`23?uciSOm_vS`^(jV()7^-A=)ddlc9ha5_*VMy0cB@W0te-5NfkPmJ-K{Lw`%-vcvcXu?WxIa!cnOU6;DSbCF0 zDpe6IC-QBliB?6cvqcz(0~bmPrdj_vX8w}A{rJtf{#cI-O4Y;WUShoqUZ@5dX@5Lw-r0&g6DCU9s=SFcVB( zhe_qPAyThK9DR&xmRJm=s!f2DuiWrj&i4O|7x+)EG%ogx6&F`+sTM=E+Ot*!5nFnT zCL`LeoEF{dxljzNv!jTMhLvi+3&^*_ARgU+ET2jx1QX0Zab17Z#=k`n5zNq{8zyt- zs%Z`<{w9AtCW)1A*oe6T&e>_bX}7V=;gS8Pr48Hbny*2I61O&%`E=tK|6$r~XG+dt3ofx@6n(>tyFj`Ccb!O}2J1XN7h7 ztIltp2|}DWN_Obi2UcXNQ(Ac_(`Nsp-xO3cv;D6(@{z{olCQn=K}eC2lf3o_>FL^7 zfy)U!{`3_n+eYUBBy&=4}tIcB*nO;i+nIRVohe-m3Z{uu?@ zfZuc<8q6w3Rp9`Ma$*Vkec1_F*&74dx9{Ko{oVaKS+8=J=|U~zf4*2nz@S%wm>*2Ti0ZQf6o?L%yr|Itfj=cVNspb{Ib#T4wUEdyf5erz7V~A5)ae z9&u3-mmb+ysw!lx{ZI4^K5aKMsK0*a**eo}5@r8g$dw6l?49X($_Ug=%u*#632$&? z&Ws^7T}eiU1&y1dh9Q_z)yOek`fTG=9xtBOuBxwp`9~37$R{FJlGkE&*ecvv-{f0d zTFs*Eo92k344iK*B-m=rrmAs1?$YQle2&~=UM8*u{Aa8KY$HEOYht?dNfgzewzwe~i_Lh51BOq(n z47>w20+b6w2w>5gzJ9IG$)B5+1aEI23~KfITlH64eJ8Ei$fGL;!id69Wo2I6NHowVI_O*>DH*I4eg^&tjbD2YOF519>IO^!*Dw#;z(_gYmVTdLy zI>ldXWLrZ1OU^zTI^+C=W61bH4gZuFjG;(2=5@_YoGoK?2A@>gwnwCI~GruZk6 z{z<*qbYTY=SV70*FojW+Ev5>A*qERYyd`=Pq^CayR10mQSPClxhigsaZ+wOiIk-4| z>E-06@R5q|c8yq`u0QlVtoaN{%pcbMvD#A0rsN~4Qc$B(P8ka?9#J>7-k5wypn+7K zX+bNR=z30%U59S|E{4dsKXq26*L&6alqs|~&LzoI&c%G9TH>fpDJ(MVhvoUa742rsu9++Z=<|=_?ABIV(s2^fl;x9-ck>Qt}#HK-9jMQi8GUSIm5;}sT`=-nG>9wDfYhxvL&wLul&t5t3O z4XnFIDQZpgOT0l)F+4HLRCE|9V-*3<8%w1%67O%dO4Ixdnw`ZZMQE*<)8Z1`@4L2I znF1FPuw)SokO$F}oH?*vX~jD#Gu++XX+xCJ1M4?;T|Yh_Xz)c_Ft3ZXmz+rLq6)XR zPTcWz4z>KjwYnIT&A2UdD&e{HCjHvv5PQC4QqTNUvS6(biD*|_sxDpQ{EMb39Zk>d zaN5V|d@AsM^x~ps$pHFcTctO?W-xZx;d8+a6NDR38lLnDVw)+ zWOA?-+LJv2k66<(NPRR}wBu5c_J&c^&F8Cl$88x=GUEp4Q_@W6|J@fW)BLwcXauT8Npb^2^@7=b-7_O z5dhxOyia5CBxwZ@j=pNCmxapxn%kne4a7AiX%p^m717Y;_eIa%1@D>21XaZyll?33 z*%^YWZOJAQ z-Otf_=+vm)Y;PjWda5&y{BR)cJzq+UEkP~oL|pT0!(FlmG^K-z=mQ^H#y3=<42t0l zh1T4Gh);`kUMPqIiqx~UalO1Pa%4+ki|4dQbyfj69fT|V4qG*;{WHA1ozqKWIbaJTu5$ddTrKbV}gh;!?ep+mZlpr=U7(Q3-ZzhfqGgs=uiJ~_jnwQmYRk5;&a;K8moqUDW=PLN-O{L?G{plpX55eep-#KQIm z8iOj^zIai8-02FexQ*%Xv?0{lclOed50nj#YvV!e(SM|EUJIP` zGO-LE3#sMeTKwaJz|FY)D@MOZde*xKVtvQjl(aoIl#5Kz!OhomEo#LQiq0VHm;4R*TIK zNIMMCy=$()2X{G>MXCmwA;e@{UNeI#QHG}G$6W|T(wH(vLT$Ztq1+-8Z{MEp-L@Od zc0f7r*OnsB#J!`8Vg;>LCqNbcr#ruD3Q(PQImE6ENbaqhPRC`eDulZOvHXh_!uB7p z!0rx57a|^Yj$a*k1U)UM?8g7j6$Hd(C<(`LaN408rVB^-T%h=h@UG5)8Jl@r#-3aj zM+@nTHy8fmd)tcnOi1je5en4qk*4@1OBeISEVlUx-&~VQFG%03ar!bnX%Up)1&xzu z)Ovt1;XNUUF3*AEUi8M6vjllCuD^rx^yxAD(iR9B@2BCI@zuk<(NFCKquv z;83mdS19YhI-k~As$&3^0t%*xRJd8qQI(e6dOi1FHFUlJPTd- zMFG$~p*9}H%S--(MRJ+)E1kBawGqVgVMb!W#13@+^KJwCA+g%{*@?J>b65e{9RyEI zka(0iZuN`twY4)@_AJ^t{f#F{%?LlI>GVvma_r7tn&*+%@1>3%kJ+o`YD);5Eah$~ zTNRt;jL8k0PaTc&iAcCFON0B@t}HZoiEppwF>#LW6@A|_GqtU+cL!5siGI3)XMZ@HvRXC{}sO%NTLdAP51vG}{_jR(XyiD^QqG3Uw z8@bOl#ihTrOC61VY~{fupzU|QaKZb_){6py3hdynQ<)Dl_bNwj9RgJAD!^kA6&vSA z>`lSqUWlf+MwZgfJnKUEIcLX!I%73!zi%DUyw!COekb;RbOS=$0WxG&vr?64s z>5|di`49fYY)Hgf=Gd*ATy#uCu`z2Z5y3#{H?%>A$5(z1Z&i!r>L9{_6cs^&O%DwF zFF#dgXYA9GV4RGA0&F%1-3LBlR|C)5KPY%bRmStP(1X$R=(jm?kF$(O-a@i(<4m;8 zL_QnR8L>AP$$4&Ei(t9EVk!9WUoHSD9e9(k2>4U^aYQs7`vrMOF41Y>({daoykPb* z47L_SOw1iuIYgt4YVRngMZ--li;^7XSkM|eT2a=ZGYOROkJ@kVOSQd~;r?L|B+ znKRwFp^11zB*X(ABNp3$of#2d$&Vd=b!i)95Td8WF|xHgR!7Hg+;>Y9b8J;|L9_u! z5^#cas!&%wlese7#$(ka{XHF~_Uq&)!#93}?Y^c-Y$t(g3Q=Ukms9hSqkTiSYVbys zF+|g-l{fBD3WHLAybAtr7smp{XPcCESlyi>wb|>n5)HZK^8GTL{zOfwtGyqGgylnTB3(lFCUT?Xj1Eq zjmM2!wXO1Pz~gB!@XSS)>@;Kh&&xvG-KG<^sRK7Qblg3GLCj;^^%VoiUwZ(>=qYwx z_{WO(`bgHooW*Ro)#LGkR<>w9dDL(YoV9>Q%p11*cPcuEC`9YKfw_Fhtxv#O;$PJ` zZbqoRS^|Sc_*2zJc1T4J-s(ag-_R7N2q*BJU`Lf%K^tO_PkoQWxaG-i6D=JUgSQEj zdeOjkp1RBRX4R;UM=0Z7Uo~$kbjsXBz}t;vCRwn@eZT*U%gg!4XYH)+{uvwJHK||$ zMiw4Ut4jgC4*s~%HfbkYZpQ}SnrNP$n9GhfUWV)E(PQ!S2$IP^LWNw`L9}1(QT3-F zX?vKib9`(}_G#XC&OAZL+n&a+uIUt*{IW!#-AKwgL%Hrw-$TTo*LWhzPsq>>v;Q_3 z_`*6EFE|n{DlHb#u$aGzL$RNZf;~@1d?Y;#8x{bQugWOt-6e8fbQOR?^!eNm}olL z@U5J&UaVHM;vVVX5_AS>sJjW-8j5nRfheUE`idRqsw+u3Ul_HWVm}!{;rMoTp0R7W zIxKIDE);YPj9Ae{-uWofRr0qnjn@rVs(40Dzb1mff#Glc%g2m2Nq$j#JQS9N0*<f@)lY9-)|(S4E1`xn(BWc%rA{hvDCr5plSjWUjZud_<(& zkMR!Q*=e2C$a<)^tu~D;9HltPda@+*;n>=!TX8tBmNAj=>66Xu*S&S+7V=q=QNggc z{#U~L%0QgRV4`f9?%5I(PO>gEyd9=+Fr=wc)F<(1!0~1egS9Fz>aAO%1 z@ z`yH&Xet~{FQDp3Y9`;hVUOdKku($YrOgOUmjU`m&^eO$98v4jU4DER%QZM)XMx!(P zS1ovK@V4|15{hOe59>oM39ggCr2A1glPLMhHMxLZV`Zqcp(uTpkYCE-A42B=d;Xb+ z=N1Kw4sG+>^LSGh?dD8UA&>mC9xVOYDGW*$Z_g;^sMEscXd^4jA%Po`Mf_i~&|NQ^6*v`rc3<=MeJ5mAtpk9TPdQLuLI72eJ;zOw8*KAD8r7i1Q3B zAFwvbNGb2K?EzU#H>sOENWV-jbFDFA_NrLc`;cN^F-v|&?_rX&7gSGK1+POCHaRQ| zs@Cc-&BpH8w@W2@1`Rvi&Cz}_7dVAfD5Cj9{$iYg9y;-_=^|aMfhni|T8cYVqM0UY zCH@XKzV(B=YZpA~Q@?TF+l)1mW&SJ>J+W zE1(eZJG&yoy*N<1g7Y*8G+8qPYMx_OSMv!R+pfeU>7|?=%NCaM9L8uoT=y%MhJL}7 zASlF9qKzJxE|OZxh~o=gMz0NOo^JcbI{&=!5`VZ3XQMa3Z=hH+O<;J%6Pyb6wso|4 z@+4-%bIJb%H5+(mkS+k3DdC0Us$@Gd1;z`95xZEF^X)(Iy7wp^OlWfg1+G zrg%!6+20w6rmO2Rp*{*DX!%<6y2QVU**CFGd=>`p&V5t)RBwv1eB82aw?VN|H1=&{ zlXpF^M8Xf&_X2%V>6qS`2OV5=iVkZv5#siQ1!Ei5MlXN<+{$J5>b|2C{Y+s)2|{0S z?#^7iPbT#U&(LVE$8Qdvuh3q#ooX^iRGlMl*g-m}+pJJt9#E*q%JjW+tH%(kS~Em&V0Q&99g z$Ul@A<1O<$hW8{5WaHh{IjDtQ)`{|1&yn!QL_S92nJu?kX$*u(`ncDgePJ70sblzR zNe!7K*5$SDgz5`dNc3vmE4!bqOJ2-ZB$d8lz=Y7)zo_~m98H$`m2E#{nfWXOBPXY8 zmGnrEG|OL+Ew!MW}a7o%`cK$ih}3ewHeq*#%g1@p6({S;6e3)|HEW1 z!$q(0HRVLn=S1o9G|{Z*9g`BUmL_pS`o*2!h4K-vEn*V`>O1?0&s7pE7!5CqI2EJ| znwp;%8|+ci-)LskSxL>@zh0~efd_DM{aiTlhlj`4P^{OALe%W>0dv(}%$Iv9b;7{! zSfN5n(5qP{b);*uv0q9T$l<)dURK+KW(4UaKn=NGR`!|m)b0@B&nxpW1{Wh)%9s!Z z%d;(Yq*-g(um+{6Z0?wG3%2hg^WsB|pFr2-C3+)h#e#8b12C(Z^2ZT(w#TL7*jmx2 zSIQL(_RICZ8ghzjCHkK)c`(T)K9m4Il7D$n7H*lonQ3rC+iRBe@%VFdZVfNb_Gy4m z$v~Z+Ow%2**fm7PZNKc15Bx!BGSn>2cb5Noq(PfIPQA+7)=qF>2yl;$ds5-+LX}nz zKkU8^S(|4SIRtW>gBN_BIo3afwSdCT#g&jLU@@;NH>^@)N? zu{*qBR2BIy6&!Z@g#?4eAZ7l+eC|7k<6PP-D}^2{B4|S+z^5}*tNR<7wjxJ)864?HiOG12)Fkw*#h;$ChX`i;0v;Ba6D`FOQH(Dwig8;`*tx(KQRaL9^ z;R_!snOugfdH?uN`kb_FH|O*lok+?fKh%_+YsrVpg^oGGZ8qA+*2 z*M>1Ze5`TNF>E8hE zOdjfIG@O1)<=g8JEj^mwdxEpzHcgOfYh6moHJTV(zNrz5dC@0!>N>BimvMfXt7?zj zPsR~2^hSMH_0lRpn_IS6NQ$`feVK98-}r^6*YGrC&%e<*(P2+5@bO2yq)`(7md#qw zw7~yiQe^?1_&MBm_$zORc8+MiHx}5hAkXDVE>6z?_?Xfuy{?+nvRDZMZ+F<|FM3ou z7%d|2dajP=wvwrwZN9jj@>_%c11xsVN#+ikd~=tmfWw2yTcal;zO8%Bb;*Z6j$C7H zX6Wnq-QZ+6<_04mK2wEIx`)z|8gTeaTXQ`zuU&5WTO)N*maO>yaOD0bAe~^MoF@DF zSHRidncTi~Eicn6^CD1zqd2kd_I*jRHXoz=nBC-L>JLcJSc4Ypxz_ae-O1GSDhdB( z*)hp%MyezZ4iELLd|>WLKCZNJ)|7_hp-TGfO%#4q}5e_Da@p9=eF*1;lg21vC9v? zua0Z{?uo|@@f&g4qFIOZ(7lb zW)}IjUnvm~s!zpV-H)^~FLcza7_$F^FDG=;VgFp=G(xD$@Qe^*#8Fa2k1eq}nVRCo z3Aohx2NA90L|AINLqgH-8a|JhNk{rN{lhl;X>KpJFR;NHPlK3PJB}i#v$JdjXkGD- z%4HD;A2pD>0-jT67`&=R6#tzHB!$%p8O2oC37ZENGB6UYy{`N}B4P(bkCGkD zw+9MOnp=RGRyapWakV}oFin+v!_0WN6KYiCdO5At=qi5}|3Bm!P7wI|gc`mEuC2W& z!P75O>(?COK~>FYSUOQd*ZPfC*(s;V-25~2>(@E8Z7&VrUAeHFa57& zBwc{Y&riN?NRix74hQ?`Dx&!B;Q4x#8O-)}^EFFROZK8_CZlgbaQ0AD+-uH?ZU>Le z9mube+wyY#J%a63>ZpIgT6H8C^^bmoLt`@Knp=B^vBhD+#5zp^S(r9=58KtkgG0=p zDl~DlN8%n4XiOY!JlYJKJS;RZ-NW$2DG}jWoZ#C*ureW-AS054AY;dH>{dIl zBM9v0!9kB0x-)j`gJzN+H8I*!d0dfP)&r2u8p6U|Ga2jPfa{~&m0u{0x-cObwZ zY7D94IPQ1}CEGvP(=1}P!{dqLYtv))gjZ`tYMJ-%M5~5kT_|_U-fuanMBt!U?vld0 zx20X?+dj0TJBMpv1cxxi7ZpNm#n~U6?1Z+oXxm%yg6B*@#2lDuz-|#a+2Ggki)hnW z&(^JZiu&sKF0(L^-qTc{%e=^f3M5;}3%(#4(V!O)dMoajc`j76db zMmx;?6M)enawvQ^ck_a1{S3H`3<#EB=!?#Z@)T{*rN+0K7@1A-+m5jZviv7 z+QZvxG^~0J8@Z`=Fuqo4Bx0BEx7gat(Hhb(Hhs;!xKubsZxV@MP>;gcQrdP%7TPhC zh>(u$7>&kBtad6i1CFaC8IBP!k(P_6!}f_Mg|U$JW$f!SA-Raj(T-HT3QEagZ55IC zhv`se;$d91zZW91rRYz*&I@5uk7A(rj!N9oAb|syz0hUGJP9|I8gMMlIV0@7*ip$0 zCe;t)r+qHkZ^6r{7!qO{8(|}DcXWW4dZ95d=*gPIKiVtni2$?qHrs%47fPvy;aO#* zT;Ug+gHM|&R1R^8%bqA{^PE+}4a(TQWCr%i=1e`zu2#9375(J@4#Xl>4O3Gp`+Y$g{sld2yvOrw)fvqVh-| z=bO}p;va>&awh+7!uDl)>+>YPa-5;GVLta=Xglf)gB9aI6~$Kdb(0PwRp^oK33uYN zDlS{E7716wchV9lc_gI3s(mE;a#un)y>64_+Y8mcp$Fc9#Q1<{iZQH-*E?vRNAfMmJ^h7v7Z0A6sj z1mT|mp#QwF6&!!xEB^7d?QZ>`VB?}6aC4Zt-E^(`?=C>@3y%use^Ww9?2T4>@mZ}R zWbn?AkL6YT+amBj&!Ph~Bo-i8to6lY_&Nu6qU%I{gg$8fcjrq$j!E1|MTHj)?%wRJ zG=fFIRZ(tD@|ODFeY*iN7rPwxozmrIx<_v)FkQ0T$MXI@3GzrvH6LvJAK#(h};j zjLVHEHmxWy3m4ui0f~*XN>E`t*_isJ~nm-62iSU87K6|r|CT3 z7^jPBzB#+xIZchEo*bWc_NA|g!-cRfKX#l#S-x3sLVvutYt{2W>_^*c9dler-a6wM z+cVFdm_+y|)8spp&v+21K~sI)&sSX4D zlMMTlBT|?bJ%;%?8|g4wsJmh9)r-ku7E;-)zV>WY6dLVo{{%jc^C3!0di(CP5b7#~;Aqc<#7pdQvw zdp+6RmDuPGoG@cQ`^$oyk{7xzj{~>vGI9%b(_jJzeSTh}?Z#6A==@^4 zuL~y3*xZi02*yK6URz5N{!uiB5|`|K*M!JZRbS5DD{7tVX5H3SEG5kv`s91ObXO3V z8g<e0y1R zI1U0nt~~L?-P(*=Kf)U!mJUOaJgIb&s89qdxq|NAh1F+M<@wp8n?eRHp2MJqs58dPs0PLsu_VD-u%=2+#>qGjADZy*KD^6cYY~ZCxROfs3ASQ}(+W z70h*Ce5Gy<-Qn_3^Jvmv*LowcBP6cAIq|-?s2hBi_SLgx&ib6_G<>`8l2YB7EE+xf zGc3~Usm#hktizkxjg=Y$oKyn0SkEKAW}ti8L|OYS*V?ut?3m==-X}^BE*?gBy1!S* z76}9&SzBC~>MUj+hrCR#A0j9^v>n~n;2bsBDEYIkE*@3P=VIAfyg_eGNlcHjMxTR= zhtJl0Ba!$Q+PrD|)kaKyA$4TeR|*%@0`7iAxV|YqHMFc>lgYdZh96M1_dIxijCEFBU*(OQ$pQNwC zkdtM?#Q_^z{n1<2TJ=Y^^#UHZ3N6kj9Y~<$vc}f8xm@OB$%V}uyOR01Z#9oBZKimf zs|t?KoxGSg4-s{Dtd2%Q=&94CgH+ZM%!lC?I{dYX3P-K%rApVT*dH7HT*^L1Xtwz4 zG|Y`Vck9(#>j$?S@|4u$12vDv?CQL$mVd;q(0Q*LeGek>YX5qjjL2h5J@A@{rWe>V z&)iBk(@pC`;LM0KG71I4zMld(6WnafAKS>xyZVM+C5Q6_m;b{BP^$Z^W^!i^+Sq?S z*5-+gFDaPxy1*DE)C;|_^qpEWZ&lT7(m%9rYCGEi3J?-tT*@ z~baDfw{}<>C|uKO|TYBbL3g+Xty1&gmM4+(`?ES;~XaUmS`L*%x3r=eA~>h>?NR z_H}d6O-X@fJg)D^(spxXuhhVcrN4J2o;Ol^qQTJ;6X~?`m_YsF+KwaHI3R!@ICp&G zsm&4WDf1`!q!{rET<+kookh}@9~MC#9Q573V3E(8a9bs8n}J1-6z*ojkC@mWKAvyg z-jvX%^JP30KjSYj-x<4l5!wa9fmbUBpP3dl*#%21f2&Ux@Ts2JYl4!pY*}>60B88U z&3K<;hdV_&oiku!oKxm-F+vo@?F~6d^rBoPO{7fXT=`96S*Y4iYsI9}eNVBR{$Oky zbfLrBiXKUl#5q%fme{~DMCJ0uonOJXEiaA(uOWv`B%eR)GV~T*wPnP(za6-JTWNA} z&XnTL9R}3K0+`ccy|X$#Uf}XUo}(%?7CzUnAV(=saWEV(ap0m6U$OXBIC%uqSAQpg zMKlBqMmiVp4hgNnym;8pGiq%8{$&YbzRd&YV{uPER+$w+Wp&KrhSSqQa@3!!nz^IH zb`IU=LJaY)C_zY!xFTah0UQ2!{p0!GUJkRzpMee!^YvDkbLip=Rj%7Z)j@NnK^dbA zz%wRO9F9UN{+5w(*zg}M_FSrtd>sfNSqnAFZXm)*iHYIMY}>u$LZwA7so=nFlIs)s z2txmYX|{d?(|nz$U`M}EkLj2LXT(W&0=SFV0|8%${74XVoYDbgFpgepaB_k}!HX4d&D%7G4(nd7VQ_sTUuzSmLl5YRe$g{7O5de#hOx@|A?S=`)=D5?bue&D zt1i!s(FH8n8G4!ay4_~~@`ea@Ubt6{wO~In@&A_ef3Mz z365@1rATzEm|~=_ff3*MX7~L*{jvFCF$2Y=kyHa$yOYenohk!Sgc@YK+WN)Qli#B5 zaYqZpq}K>&HnXy#CnO{^8clxy5e3fou)>}(vi-P}&AXc;np)bEIbzQeczT<&nn#{3 zdtcJf5wQKjp;7)nf)M8NU~|fD@yLX>o?6gv^#xk7&|95%#_PqHxX4v@st67Br|`Q* zm$MOg3_9qiJO7e{PuvUtzCMH@U*&|m&x75;`d1>O>By*;#W1I*c8BQOF&M;x(||cQsaj65)a`22jD~GJQUKIpT~fOGizexQivy+JwV`jqx**gdIA)3{i}{(7wv2 ze+E4Q`q{7h*Kta1(76Y0W6V!t9ah&??WC1zs8r6t#~Z+ld(I|MagiHf2+-XI&d!4C1Q{R}Hy~iIyC<|HV|xhip836?bPLRnw#lF_^%Mt{2^+5pp2(?Spht6I!`3y1xe^xp^s3*~UzKfQ> z;oqi78nw}A^9(e&l*2&94+u}=liGQDNekY~malSf=vAWV*r%|~HDdaYx$5hJ@mU!# zj~)}0{?p8`k9(^AmhwJdD{&Gn@Q zP|$a(Lnz0pYI&GY$dBnUqVu5cCg$y!G4oM{8S7~|!XWwH(x2P^x?))p?uzVkx{B3l|wdI%d73)xaF5%@i z6(4^U9JioKWjH+OXHwE`bFy)*8o2H~4jhFErYft8P-}CuE!`0o=w%EZYj6fD?2)Pr z7zfW%FuAe5dQ}QuAK@Rjc5F`JI}fy&;I14s5aq{ph!epX-#?vag;ezJbraAg&~}E3 zKGCRUAL4abwM8?QznN18YB^>9tZ9AT@p2vF_`MF+4bgx1F8g2F-l;*7BXS8N8=a|c zHI10YU+v!7HE0ZQ*gY`~`#w@`zj8!nbojPOa$2a;2C`Cqx5fe%?xOT{JGw7og&OyR z=DI5t`@2L|bNhA1@aw10hoHk>%DRvqh@#$;Iv+ zPh&p@@6DxjyucAGHsn}+V!Em-_-OStL;f#)&kLSl^^qJ2|9qWB_vBWJK}BADlN`~P z1+RT_SX#W|xxygcYfiMiSE<0DGBce#?%~XlsqQB1jw6J+BQ9|?C(KI^H1{Lkk2qHf zEh37i`htO~^{Cue5njP#$fhdF?MlY2I(ksybOq5lmDRmWU9q^mt=#VW%-&;Y)F-;3 z{3-Y;%r>L~U=b5mlDHR`DCF`fg*+_`Rvt~X7y6jCV0l!_afLF8Z~O#huAWz{RE%rA zv%T@Ss)K;MX~&HOq&dRixDo}}LG-~_)_dG7;JnA}yE;1b%~@mp(KXKqped(?d$Mo_ z`}?A3xQ+Rd55)A%0zSuVz8k@sznc_#({ex|6T9 z(9L8zy#?}bT*s2$2Ccc_7GwkbQ|B!cmRp>C<2%-R2gvX^=)9zK_TQfhsBgNQkjBD! zq|TQ3?O4_{zH4B-kU97jIfPX?8soo+5q@#~iXnokqSJyVan)?h?eR?A@C+JA>7d>T z-|gORb-eSgRb%W~XCqT^>$B?Q)lS<#i!cNsS{cQr4^gMsztanP(|TydfP#|g(c+6bd~OJ0T=4}r}flx zPSdkp!*3z=d_G4?$RAw-`Y_Mqd;(Uu*tnXI#&KoYcX-ZE^om$5pyN zm5Xgyz>sahh^S_)9joq>jN|bhXPlZZUOf}=bq;g+YGo+p7rm!$!3XFBu{A!BpCdFc zdMIE|6sx^Fo;|!I+VK24%Jfq+mAF7eL`r+=1hB(!@`t9=$sBwMw@^O4z;L6W^#PkX zPEBxqo_bc16VY@QLNk?&o{xX5ZZWIHDsSKQQAC~bX4-}m$~%PAx|D1$KGdso{_yC) zsSZVx-D6n5c``?ct5cGA|JJ@11sO;!!&D^NM8h2Q4d(UOm+9&bnq|GD`I*@U`Qgwd zN6Oo@Pww7#0~lQCwtz~@ZtE|5Eox%Z*fURvh{NHDDG=-(ot8l%CZ64(!0P&}6NGda zd3H;oLrRo^mjrlN#!)$%PL|}u+|<~>^VS!FKfCq%RTye;6szsIT6;Mp-0Z!ok!f1- z>FAJRzRgpR5JO9ewFI%o^!0P{yR{m-N27MU@o4>guxGyC#%NZI#e9`gB5J>D7DGt6 z`qZ=$8zQA~8y)DuWpF)Qhj20#Tj0WU8BoeCAkfuxpI%#>p2aYP8B_7eG|Yn{i65I3 z;@}4K$;63fs4%Y`;iVqsjxkesPc_a!6My8%?7c0k!O;7lhF_q0@nD?A8ir&fo3D3h zrqGP96iM>Zecw{W-dUOb&1k^cCEl9a%`@Qjrx>o8eUM%+$3A zPn@8eDwJW(=Ew?O_PvP*-So&2@e)7U{1f+{@6M`?&buF?pxOrFNvbMPqRUzL_dpS+ zb0}|)9z4Ji=^;P&{5R)B-;6Yey=bFM)o2)Kj`obWFp`ez^aDTor{D9(T#Q9$ie&%HP-RROJ0~9#1YD6wCJ!Zcpr7K@EE_;apFX}Am+@48 zD1S-H-A6Ag*wn@DQ*tG-lkV#O{Q*kt`4(l8G7VAXQ;TDExIz>UIQs)p#8)wp5mKL++*QcIN`@LE>lSbW* zd9ESyYkLF&_DJ9OppBobthUPvxb+tO%O_kv77K9TfWEP0{Zl>)OhGbwUB>`x9M((q zzQ{9Qsi%alElyVV&)O2hS_9jk*4puP-_rUuJVsIlWu<*d;(SH-*m6Axyyx#o5uU2| zUFq8_Obypr_4Dt{Z!hQPJJ(X0*kVZZXV{a!IPJ4RnBs9L_eJC`b)p0aHTSinC5KE| zG+mOXK9F?)wqwjag`BbLzn~dNv_*9pnzDLt{}omK1{==GP#80kk}r`%<>w- z9M3aV4~kBgDB8^WA$py7WqKgs09QP&eaz$S%WciCe#URwH-GvJPNINx)W2>Wf=KfKN_q#(MIZuUn-F?c<;egM@xaTx5@@=&vF=f=6dNdW-6_=ntf`$RW$L_+NudcWsGrLbF*eAK*DSZKiyymD=O z&f9tb(G3gYcZV<)BRlWmhkMmc+c%AUvVbomOomMP`EYrLn;p)9uh(+FKc0k2_^^q@~8-lpQ(>J2a7( z#kfzqSMI0}-W&J$IKGp9K>wn!^ zc-Ye5y~c|yDNE%Lk^z2Bv(Z=;9KP7cXCK5I36q9)XJ>fXcuq)6`mYBf*W8yKD@axg zK0lJm@piZ|*-9)$#v({o-#?x+fC&bXWOJGGHrRA)C>5&ngG3;z?4+on4_**Brn)mX zmb(aXn2;j^Q{Q_aqOM)$r5zCtmtM!r+Cz{YrDQIYg&G&wdWx0CnJvS;a)DvJKU(B(@k-C~LcErf!1h*T<2OG3+<#*2;A7zo28E6JzZ|>iMEtywYOrTk2jf- z0W`XXdv81YEBaGTc}*jy(|7*l`U)rlTn2=CE*$msB52?2~F$K`Tu8_&@O=H-eaAtnfuXqR& zAs>APCv?+7ekoIH19u40xp1EkN!29aO4`D|7%QXE%k8<}F6R*;~>^MO_YaK~VeB~@|lho-981z{@N#ToD!}sm)7Yo1k$>_@g z^KU*hf6Kg&$TL69n6om21NrDuvV`Su9L3Ll8EYoH!{MrY51%iSExhBdA;G_%&_VIC zsPc2Jr-wC^giM{q#?xhb5g9sisq+WP2@byr=E+h6P{Y@1_Xwv>F@iuSD^(U3)%l6O z>sI`sHHS)+@>OaHv#!bE6uV0;aDR!INr0*%duXnVCY_B1zc*;bpy&C$=TsF(i~8_( z_-ZK9c!~+Q8>fDzoFUaH+4@)-(mAt@<|uS=7`jMRH01~vhSPtX*eBXKYd@y zalsW0&|ba%D+8@1DXrTMru&Yed*VrY)LKs@(_zM5Nv!f>oInEc88tkYxwQ*D2t3Z} z&~$P(+FiXGNVMCIhEJzkPG>6_Zpu^_E1hQxHPzI0Bx~ky>0^ z6DN4-mu(_@wpx`YL-x3{<)6o`^&zao75Jpd!|#N0?dx*Vc`Kuftve{9wGCq2P=fmF znEF~ru*@~`xEscZKsmw$xQSBqh^~s1ERRwmXCO<%zxP~*c zKzzj^ov%8}0Fm!!Q(M*w(u@k@cGs*dp82>rWL`YsPmfcdUY+u(Vl`M#FD8ehCMey* z?cD}6?`g*5tRX6-P1Pz6)k})mvD86w6CzkyIMANvcAD^+yCx2whrmeM?CxRcOQZMV z4^p+eh3C%5Q>Jb^GtTy+Ojn<@dTFqEx7+MH`)$z9>`0>6YXW|!OqU5%xt0i|zk;v>6w3O6IgNk0P9^%e)MUU2^FolqTKV2Xjfu>qtR5V4dDDRZwu7Y9 zRR14maAz=G3?-=2oTqGkugbNNmjb%KaIXi4gL_Fk?JXS{Z2;|!nEpif*Y?Kcp)b8I z|Azg#nK`jkNq3h-JU44TYiL)^K2IYWO17e_@lCfDu={8D-hiP{1TJ4It4U|AyRw}b z($U6yfSSMTL!)ww090rqQThxc_Y%si`)jdhFIJKIz6@0sM^ESbhW&PAFw0m*&xl&bT+i|-7<32D8SnDii z9nn9=^c|Aj)p#^y#*$7{EHD^gd=|0z9Fr7V@X0qol43oD2JLnhlOG-)G|=12P9PK0 zK@_V+q1nosGKPY7fzYwOXLNljf<+KCF^LjM0{zyhP)d+KaC~4vm=}SKeB?R z-an@X#k>#uF`C6gk{_Ogm>VAki;JI)yA4;lEoq#Z!6u4RObDs>%$z)>l{GHrXMb;3 zP{2HO=6%X(pqS5;hGY+&eeKNG={{8RW~9=Ydw~nk;sSw}Cq0f%MhF5DXm$ch*9y|T zuI#}(gf&Bmd%1O37n+KX8TZ4rk4R}3s=O&(Lei~9do3F(Dt6};_wW`zDt<(G3suzy z31pze`u1*6OZe81H?|XOK>wkARYTv;$UQfH?j=oBER3%B?_ZB~mq(;~4{GhjEEBmG z&BiHukbw=IU5~2kY%>T#_7#0p{`h|R&dE`osGn8edQ=Ed@b~47T4U)oS+f;sV6QzQy8EE$ zHtp@?T9F`LUP5L{ex>t}C0RfLNC4a|DSeA(uZz7SH#-707HMk6{$-R^A@^?c$`GC$AEY{BFZ~vIDr?@T-&mrEP?C z_LGC*bwgb1gOdOK^f#+zC+Lr8FZkl#3<^v!sTE}+_?M#c4kd<}{_YR41$@ydNe8|i zkih+*@qcdjJpj-I^S^!qK`k)+PjoUa-Ty}_5BxPb!jQlp&FkNSuM=>ev0u%C^?3hC z*#G_-pmF-gI{?1$jaFM<3)}#6wYae(`g(j42G#ZH(7!(RfBpR2aFBIfn{|-%pzv60 z2-Dc?UCY(v^hY8b?5~jeU6o#QeE@Ajb_+uB?$mI2J?f&)nRb0A>+R6earF)9*5f7h zO%-qQ@mnwT&Z#~)a5E3PZH2l?h^^=HB+1~~nXGAT)yAkf`uM~uE^%Cm5&;IvS1OTP z*ufYR>Fx=5v_y}`{ymQnU&x*$zRMjwwS9Q2Xm}ZWylB5e8{+Z_$-8-?ZaVQ;yNmU7Uh^gjRUE_# zH6GL)e0#r|mA6?@y-!qaJ{SNf!<;@e%ClWK5P(xDhU|~>JxIoIxw~@(G$s5yDxTQC zxjhl~kEUe_%+F)X+tmN?S$v}``Q5a{TKrG~O>_pH%+yoK7F&7*>Erfwbp$x%yfPVgR>wWN@v- zKaMQo5!hTA>?D}|$>q*eyz3kp5yGF+XYzfcAb7-}bq@5n32~ z&NrC)+_vLMQ?JkZn6TVVwyP$rUN;neD@+lBAlp(0oTB@WLG5{gx8ZWNmTNUfhU{`Mn!5#CSQj*+X};$BOtXOxW>SF1|Nf4SdvELwX$+jggbg?H{^4OGk%tWv^GgSR?pV20 z#h>1NmH6#Lyc+>FB7>Eny02YMs@s^}QAnk4mMzTMqgdp@#hC=vd3&#)UbLrPbm>r0 zQi9X8T4s{`%ZORuLjRn?{2ZJ&Q~W%g#I4=dbgWW;NB1>i+`e?mf_^3y>>LqlZ0T4F z^88DkEl~y%1}46j?h0mH%RJ|w`7Lbm0X(-}L6a7V-d3Wm86+HwbbFrR-vvp1w=!la zgEn$mVau`tHiQh>5~U!ap<-3LD?Q8q{uS%M-_*O&AiZw8OBfaKzcQnL*mIvNAZXBn z-V`Vm5Bg_&mhzlq10W>nJV-Z5SLyo|3hie#F6jkvVWeSl&`8JMz9_3mAv#-7jG=A5 z&dh5SmQDO5(<*pT-}_SJzxDydWC>n?DI51csK@8O7O7FjgFZW{AaFX@hYszxZBYX5 z3A&72{+{ulgMU9*`KL^d!Ys6Bas#*fRCkB4>or=^%PU?3knAm87XS+DW81F*!jR-2 zQCVX;KP;#;vB)})7&z5!JUdx&BW=A2A?{t4_MYo}bmDK{&_}ck^jlL>wGXXQmwzp} z%AM|_K@Ey@cP@Jg90?vpE0{7oS(i)J^PBKN@Yy9S1;#XFU68Z_8T8$Eh(22er z;m|}ae<=XD1Xgs{2MoAxd8wPEhUGuHDf^lW&Z?Z;eM)Df z2w%K^l%sLhd;>vPCH#~Pkt~_XRCem%~;(PCl}ad&65R0fk!!m%-_Ke-Am0 zD^1UV`F2ObihJGD)0bU8em)dpTV>0g>b%2-Rxtx)HdEBlFwFM5Z{&936~IhVGox48 z-^?*vD}@qGwjxjd#$MJz(A7-AR#jUoa|^@4f&ddYL&vkhw@{Es@Mm8YB=%*;2-02@ z$Z0ss>`^G3uB;zGLRgtdaW|&2zq=c-LW1vIZ6^;OOvt8 z+EHF4N)JBWA+Pr9nla7!@}XN4N1P~&=s?q(dLdy$jMmDY4f1lOs@GHNT)UWtk!5#K zvpM-KQ=a`IV4uUaC~NBE90DOJ<-V%#FNmxa(1ajeG&mj1W}>0Wucatk$L)0+6-c*? zwjT~o2p#>!DT>zA_7g}7+HR;A4iT|fV6Ay#xzLmix}`mq$CxBlWe>w_8G7N*;|C)f zvuBrj%~5(%zRyif;E-nhj~QQl1K1*#3A-xL+BuWyN>i5O&q*`P6Tn(-WLOsiRBqs6 zxcUg0A}gDk`d<79un~t3h|#KgjoJqnK6de`ZMzf1{zBGNR-KwyJ*EOw8?Sa~Q(XGQ z`j{?^x*bCiSxM_Y=cYlUI^r9b9KTKohYrj3iq^K-BoOzd97^boOzz)5exZ>4Tgcs4 z1r_W)ZftX;1~L+`j8&RAGL8M}rnt9yqHb18>B^8so5#iUYZIkON@9?|@(S0S@gxyC zIUCqGw}UgX9r((0|G0U^1UmPVa7?LffzL|J>T5fynMXdy#^A1O6}GOzZa zgbswFOB)7^&z`yF`dq{zLy209QtiHanyfU1C7UwjqyOsO3-;~{iF-GbZ+~)0p6S8P z7Q6xV3XSQdmAdP(Yrrcy7lsDga`&DO5)?Q)h#9XiM0AuI0$%Vvow_ zm-W>)9>v2DvdPgoH|P)*#PsxC1T=H zBBOb_LK8*O5}t6aRV=~U8P1jG^8Q-uu^b7o62QrB_KeYC^MFXD%0GfvXY%^^P3CYu zU=~eXnK7A7@paF9)fUP_ZOqe+E_hW)eCnO$LWegcZlLdK*^xr=9uvF6U4hA*CjN3A zs&<{9w5jJWjY9m>dfHn?>|Z#0ln9oZVVsC*%+52;)zn0a4Is#mHjft>f|RI1YoXGA z`!0}uooHh6yU#rlw7q(qxTM`AjcK5&GxR0ago9+|&j^*qs+YPEp=3Bz7ORb zP?A=;g+0!`usc@~)01?0el)dI&nG(U?W){2TJxk)q>OcCA%nfJU+(ypxU$4~kv3*n zZ=)x-%|O&Q@|`Ag-1r_&}pT!h=;{op}%Y&{_cV? z6m+JThTYda*3x))$2AuLFE!{IHxrjDpA@d2WOA~76Tis5?~*mtcCMG~qT}N&tQX^+o8{yk{a*DgY0Q^()PS+%BP1N)Mmg!06uwTnr)9qyqM- z3|&j`wG?fg zZ(shP?65H^Q}_9cYhY9R+`wQcrFe4;*DItDjAp835Z}EObMOYm7r^~0QTO>5@KC@Z z0Y8tZS!;^O zQ?+rPJ`pREeb15_CFvWV$W|8a0(yDyE?=4@cAUrDU1>3C4^qk&E}3h;V-2<3lV6W1 zLD!2)&DAN*a|Av*r8Oi$d1+7B3`)`N4tBn5(e1Y|2FTVtA=?=fc_ppoHzzV>%JxrI zhOm_#aTsk^pKRMpmtt@x8g;xL8g`WMJvi(d-_jErF;-wN)$#Bwj^)RC{FN2C+FOo6 zrf?`ysQg5iWWD;mpe=~N@yT(q3B_OxpFA zzm54gIs|6dBK#E08fsH}mHDezTbhUHH3H6UDTeP9vP6UcJ9a6P35>5xgtCF|^qArc zS(4-1$%X+MhAAmCH_&WX_Xy9m7LQ2}sSA=48!1=tjwwC&cnum0cJ$$Lqw6;5zJz&v zHP=06m%B&O_AfY?YaOyv&xmI0iP3T`l2?&;!cqD!DMPU+Dr0LXcY7Whk1D+eXF&)T z4=81e8QBzvQ(kMXq=*APzF(vgzTj(e_=heLF_-F_^5e5Fb9;oOSdLYjzsN@%YGh4< zWrB+eVtb{N){ksQ9s>>S>L(}b?dc#APpwv3A^9+lb+{wSL;V3`D+4M4y0*4A{J;?`Bc%G+K?I zE*30VO61|&ZC0msC}UL#gd_9Y?(H|&;kJj9mOX^bO*Fdgs=JIN|F7Nn)tp1Vz;An2 zY!mJI{_V$%1x)I8S!f!qFTvfY!mr-=mFNmZGE+C3U>Id8%P%5XYX(>TY}nIs(<2G- z8PSZ2JRahsLc9@bClYP=80XbhTQ>U~w}Q>z6YH?DcrCb*?dEiVIt-HHo<#U$n{^lz zQm(4x)b|M9u%UFq+zTezildkFbWZp_P7&c7T}DncVkRONi10nDlxT>K?pry2%F)qV zc)QV3C&E{rb@pmK)hDCxs$CO6GsvAA1thzi#?|$^Hoq`#1=}NLKWOU0De_q=I>L6J zdce40$3LUOD&r~d=HW@4>fh{)hr;tmPi!XA5!Dr|bIu`1LarE&w=aeSngdYLHZTL!6bXA-oLmx!V&Odt8Z|nN2F7Y zk)t6&5f(x53xEeAT$5xk)EneCe7=9wf5ChYS5ds z*WXYoIH(5EHvtwzqd*zU$u0P-mMfOh6I>C~O86ODE;Ig^;_pa|15NO0*A5PR+%?_4 zTi}8P4a_Amr+d;ZDF3}SCrf_E7tjjTQOw@L--J@ngx58VRN z4{9mhb_xo}U?8&Kd0;2v&zYDg;CJnMIuFM=?62;Ovh{cLU(pP^Rx6SWvXw;hr0kBd zwS;`^TztkDzC0y|M@Li9(!$9jRegB^QZW1$x&MvPOrv~GWNtlNRx`=a59*f4;4Mq4 zd2RYWD~!>gBxAwMd~p|(%Z%@Rg;~$z7`8|R3GtgW>D<@1+iNKt@cAFWVBHW6d>ec` zBFQZ4Ep8(3_koF0CLzjC<*a@zUElel=*>A(5ah~3)k`%{JUv~vJw6^CFW6T$NEUfI zn%7L*Xle0x=v7d$vrk(AQZYE&h{gZJ@c2e6gU_v%p{%U5aTt4?HCL;OBAb~2X3Do- z6rw$a=P5lpyUBTFN<)<9Wb5F9BTJv1w;Y+x3quhGcChvSIu)KWmV zb_zbr80{aJ>Rtm13=6#h%C}os7!ueA^I}PYI8ASFvS}^ zXy;usJ1gbCv1z{SzX2CnL`gU<3GnprA3XSTMxRU*2G6(->iEyL8bmridUWwIDH}*O z*STGPM*Zy5e<76C;Os}3WN^G1()c#=AMhpm%YOi(6D(s?U*GkO*h~*vuRp&Q+1KYc zrbtxfMGP}Ad=A5^Fe&q==9?6lA?!o(CRk1fPAf$HU)m&?IVlV&`1SW>cXkeiWSXt? zx{zR+`i;O%z2={_o&4B7y?gwohkunLYilX$zHkY<)rj59WB1wb?Jic@qD| qJYztVk^g0_{P(;6UqyZ2-o5yhbfkH+uKor7`ywtURxa|@@BaZn09=Ov diff --git a/versioned_docs/version-v0.21.9/contributing/release_flow.drawio b/versioned_docs/version-v0.21.9/contributing/release_flow.drawio deleted file mode 100644 index 6ca6b34f..00000000 --- a/versioned_docs/version-v0.21.9/contributing/release_flow.drawio +++ /dev/null @@ -1,721 +0,0 @@ - - - - - - - - - - - -
-
-
- Review release notes -
-
-
- - - Review release notes - - - - - - - - - - - -
-
-
- projects -
-
-
- - - projects - - - - - - - - - - - -
-
-
- projects -
-
-
- - - projects - - - - - - - - - - - - -
-
-
- Organization Webhook -
-
-
- - - Organization Webhook - - - - - - - - - - - -
-
-
- projects -
-
-
- - - projects - - - - - - - - - - - - -
-
-
- - Publish release - -
-
-
- - - Publish release - - - - - - - - - - - - -
-
-
- Maintainer -
-
-
- - - Maint... - - - - - - - - - - - - - - - - - - - -
-
-
- metal-robot release handler -
-
-
- - - metal-robot release han... - - - - - - - - - - - - -
-
-
- - no - -
-
-
- - - no - - - - - - - - - - - - -
-
-
- - yes - -
-
-
- - - yes - - - - - - - - - - - -
-
-
- version in event newer than release vector version -
-
-
- - - version in event newer than... - - - - - - - - - - - -
-
-
- - do nothing - -
-
-
- - - do nothing - - - - - - - - - - - - - - - - -
-
-
- Github Action -
-
-
- - - Github Action - - - - - - - - - - - -
-
-
- Bump version in release vector and push to - - develop - -
-
-
- - - Bump version in release vector... - - - - - - - - - - - - - - - -
-
-
- Open pull request from - - develop - - to - - master - -
-
-
- - - Open pull request from develop... - - - - - - - - - - - -
-
-
- Update aggregated release draft in - - metal-stack/releases - -
-
-
- - - Update aggregated release draf... - - - - - - - - - - - - - - - - - - - -
-
-
- Integration Testing -
-
-
- - - Integration Testing - - - - - - - - - - - - - - - -
-
-
- Merge to - - master - -
-
-
- - - Merge to master - - - - - - - - - - - - - - - - -
-
-
- Review -
-
-
- - - Review - - - - - - - - - - - - - - - - - - - -
-
-
- Tests suceeded and PR changes reviewed -
-
-
- - - Tests suceeded and PR chang... - - - - - - - - - - - -
-
-
- - publish results to #integration - -
-
-
- - - publish results to #integr... - - - - - - - - - - - - - - - - - - - -
-
-
- Release metal-stack -
-
-
- - - Release metal-stack - - - - - - - - - - - - - - - -
-
-
- - publish to #announcements - -
-
-
- - - publish to #announcements - - - - - - - - - - - -
-
-
- - - metal-stack/docs - - pull request - -
-
-
- - - metal-stack/docs pull requ... - - - - - - - - - - - - - - - - -
-
-
- Freeze -
-
-
- - - Freeze - - - - - - - - - - - - - - - - - - - -
-
-
- Freeze - - develop - - and create a release candidate -
-
-
- - - Freeze develop and create a rel... - - - - - - - - - - - -
-
-
- Large integration suites -
- - (currently owned by FI-TS, not public) - -
-
-
-
- - - Large integration suites... - - - - - - - - - - - - -
-
-
- Run -
-
-
- - - Run - - - - - - - - - - - - - - Text is not SVG - cannot display - - - - diff --git a/versioned_docs/version-v0.21.9/contributing/release_flow.svg b/versioned_docs/version-v0.21.9/contributing/release_flow.svg deleted file mode 100644 index 55cdd493..00000000 --- a/versioned_docs/version-v0.21.9/contributing/release_flow.svg +++ /dev/null @@ -1 +0,0 @@ -
Review release notes
Review release notes
projects
projects
projects
projects
Organization Webhook
Organization Webhook
projects
projects
Publish release
Publish release
Maintainer
Maint...
metal-robot release handler
metal-robot release han...
no
no
yes
yes
version in event newer than release vector version
version in event newer than...
do nothing
do nothing
Github Action
Github Action
Bump version in release vector and push todevelop
Bump version in release vector...
Open pull request fromdeveloptomaster
Open pull request from develop...
Update aggregated release draft inmetal-stack/releases
Update aggregated release draf...
Integration Testing
Integration Testing
Merge tomaster
Merge to master
Review
Review
Tests suceeded and PR changes reviewed
Tests suceeded and PR chang...
publish results to #integration
publish results to #integr...
Release metal-stack
Release metal-stack
publish to #announcements
publish to #announcements
metal-stack/docspull request
metal-stack/docs pull requ...
Freeze
Freeze
Freezedevelopand create a release candidate
Freeze develop and create a rel...
Large integration suites
(currently owned by FI-TS, not public)
Large integration suites...
Run
RunText is not SVG - cannot display \ No newline at end of file diff --git a/versioned_docs/version-v0.21.9/docs/02-General/04-flavors-of-metalstack.md b/versioned_docs/version-v0.21.9/docs/02-General/04-flavors-of-metalstack.md index 7da427fc..2277ca6b 100644 --- a/versioned_docs/version-v0.21.9/docs/02-General/04-flavors-of-metalstack.md +++ b/versioned_docs/version-v0.21.9/docs/02-General/04-flavors-of-metalstack.md @@ -14,7 +14,7 @@ As modern infrastructure and cloud native applications are designed with Kuberne Regardless which flavor of metal-stack you use, it is always possible to manually provision machines, networks and ip addresses. This is the most basic way of using metal-stack and is very similar to how traditional bare metal infrastructures are managed. -Using plain metal-stack without additional layer was not a focus in the past. Therefore firewall and role management might be premature. These will be addressed by [MEP-4](../../contributing/01-Proposals/MEP4/README.md) and [MEP-16](../../contributing/01-Proposals/MEP16/README.md) in the future. +Using plain metal-stack without additional layer was not a focus in the past. Therefore firewall and role management might be premature. These will be addressed by [MEP-4](/community/MEP-4-multi-tenancy-for-the-metal-api) and [MEP-16](/community/MEP-16-metal-api-as-an-alternative-configuration-source-for-the-firewall-controller) in the future. ## Gardener diff --git a/versioned_docs/version-v0.21.9/docs/04-For Operators/03-deployment-guide.md b/versioned_docs/version-v0.21.9/docs/04-For Operators/03-deployment-guide.md index 3a73e919..441b240b 100644 --- a/versioned_docs/version-v0.21.9/docs/04-For Operators/03-deployment-guide.md +++ b/versioned_docs/version-v0.21.9/docs/04-For Operators/03-deployment-guide.md @@ -31,7 +31,7 @@ You can use the [mini-lab](https://github.com/metal-stack/mini-lab) as a templat The metal control plane is typically deployed in a Kubernetes cluster. Therefore, this document will assume that you have a Kubernetes cluster ready for getting deployed. Even though it is theoretically possible to deploy metal-stack without Kubernetes, we strongly advise you to use the described method because we believe that Kubernetes gives you a lot of benefits regarding the stability and maintainability of the application deployment. :::tip -For metal-stack it does not matter where your control plane Kubernetes cluster is located. You can of course use a cluster managed by a hyperscaler. This has the advantage of not having to setup Kubernetes by yourself and could even become beneficial in terms of fail-safe operation. However, we also describe a solution of how to setup metal-stack with a self-hosted, [Autonomous Control Plane](../../contributing/01-Proposals/MEP18/README.md) cluster. The only requirement from metal-stack is that your partitions can establish network connections to the metal control plane. If you are interested, you can find a reasoning behind this deployment decision [here](../05-Concepts/01-architecture.md#target-deployment-platforms). +For metal-stack it does not matter where your control plane Kubernetes cluster is located. You can of course use a cluster managed by a hyperscaler. This has the advantage of not having to setup Kubernetes by yourself and could even become beneficial in terms of fail-safe operation. However, we also describe a solution of how to setup metal-stack with a self-hosted, [Autonomous Control Plane](/community/MEP-18-autonomous-control-plane) cluster. The only requirement from metal-stack is that your partitions can establish network connections to the metal control plane. If you are interested, you can find a reasoning behind this deployment decision [here](../05-Concepts/01-architecture.md#target-deployment-platforms). ::: Let's start off with a fresh folder for your deployment: diff --git a/versioned_docs/version-v0.21.9/docs/05-Concepts/01-architecture.md b/versioned_docs/version-v0.21.9/docs/05-Concepts/01-architecture.md index 3c81cc0a..61602bf0 100644 --- a/versioned_docs/version-v0.21.9/docs/05-Concepts/01-architecture.md +++ b/versioned_docs/version-v0.21.9/docs/05-Concepts/01-architecture.md @@ -150,4 +150,4 @@ Thus, for creating a partition as well as a machine or a firewall, the flags `dn In order to be fully offline resilient, make sure to check out `metal-image-cache-sync`. This component provides copies of `metal-images`, `metal-kernel` and `metal-hammer`. -This feature is related to [MEP14](../../contributing/01-Proposals/MEP14/README.md). +This feature is related to [MEP14](/community/MEP-14-independence-from-external-sources). diff --git a/versioned_docs/version-v0.21.9/docs/05-Concepts/02-user-management.md b/versioned_docs/version-v0.21.9/docs/05-Concepts/02-user-management.md index f1ee2778..ba742ee9 100644 --- a/versioned_docs/version-v0.21.9/docs/05-Concepts/02-user-management.md +++ b/versioned_docs/version-v0.21.9/docs/05-Concepts/02-user-management.md @@ -7,7 +7,7 @@ sidebar_position: 2 # User Management At the moment, metal-stack can more or less be seen as a low-level API that does not scope access based on projects and tenants. -Fine-grained access control with full multi-tenancy support is actively worked on in [MEP4](../../contributing/01-Proposals/MEP4/README.md). +Fine-grained access control with full multi-tenancy support is actively worked on in [MEP4](/community/MEP-4-multi-tenancy-for-the-metal-api). Until then projects and tenants can be created, but have no effect on access control. diff --git a/versioned_docs/version-v0.21.9/docs/06-For CISOs/Security/01-principles.md b/versioned_docs/version-v0.21.9/docs/06-For CISOs/Security/01-principles.md index 02318fbe..a288346c 100644 --- a/versioned_docs/version-v0.21.9/docs/06-For CISOs/Security/01-principles.md +++ b/versioned_docs/version-v0.21.9/docs/06-For CISOs/Security/01-principles.md @@ -15,7 +15,7 @@ The minimal need to know principle is a security concept that restricts access t ### RBAC :::info -As of now metal-stack does not implement fine-grained Role-Based Access Control (RBAC) within the `metal-api` but this is worked on in [MEP-4](../../../contributing/01-Proposals/MEP4/README.md). +As of now metal-stack does not implement fine-grained Role-Based Access Control (RBAC) within the `metal-api` but this is worked on in [MEP-4](..//community/MEP-4-multi-tenancy-for-the-metal-api). ::: As described in our [User Management](../../05-Concepts/02-user-management.md) concept the [metal-api](https://github.com/metal-stack/metal-api) currently offers three different user roles for authorization: diff --git a/versioned_docs/version-v0.21.9/docs/06-For CISOs/Security/04-communication-matrix.md b/versioned_docs/version-v0.21.9/docs/06-For CISOs/Security/04-communication-matrix.md index 07df2607..24c1bc1d 100644 --- a/versioned_docs/version-v0.21.9/docs/06-For CISOs/Security/04-communication-matrix.md +++ b/versioned_docs/version-v0.21.9/docs/06-For CISOs/Security/04-communication-matrix.md @@ -116,7 +116,7 @@ Please note that every [networking setup](../../05-Concepts/03-Network/01-theory | VLAN | Switches, Firewalls | Layer 2 traffic segmentation. | | VXLAN | Switches, Firewalls | Encapsulate Layer 2 frames in Layer 3 packets for network virtualization. | | EVPN | Switches, Firewalls | Overlay network technology for scalable and flexible network architectures. | -| VPN | Firewalls | Management access [without open SSH ports](../../../contributing/01-Proposals/MEP9/README.md). | +| VPN | Firewalls | Management access [without open SSH ports](..//community/MEP-9-no-open-ports-to-the-data-center). | | BGP | Multiple | Routing protocol for dynamic routing and network management. | | SSH | Management Server, Switches | Secure shell access for management and configuration. | | LLDP | Switches, Machines | Link Layer Discovery Protocol for network device discovery. | diff --git a/versioned_docs/version-v0.21.9/docs/06-For CISOs/rbac.md b/versioned_docs/version-v0.21.9/docs/06-For CISOs/rbac.md index 9a87b896..06c902bb 100644 --- a/versioned_docs/version-v0.21.9/docs/06-For CISOs/rbac.md +++ b/versioned_docs/version-v0.21.9/docs/06-For CISOs/rbac.md @@ -31,4 +31,4 @@ To ensure that internal components interact securely with the metal-api, metal-s Users can interact with the metal-api using [metalctl](https://github.com/metal-stack/metalctl), the command-line interface provided by metal-stack. Depending on the required operations, users should authenticate with the appropriate role to match their level of access. -As part of [MEP-4](../../contributing/01-Proposals/MEP4/README.md), significant work is underway to introduce more fine-grained access control mechanisms within metal-stack, enhancing the precision and flexibility of permission management. +As part of [MEP-4](/community/MEP-4-multi-tenancy-for-the-metal-api), significant work is underway to introduce more fine-grained access control mechanisms within metal-stack, enhancing the precision and flexibility of permission management. diff --git a/versioned_docs/version-v0.21.9/docs/06-For CISOs/remote-access.md b/versioned_docs/version-v0.21.9/docs/06-For CISOs/remote-access.md index 0b8dbb19..dc24e82f 100644 --- a/versioned_docs/version-v0.21.9/docs/06-For CISOs/remote-access.md +++ b/versioned_docs/version-v0.21.9/docs/06-For CISOs/remote-access.md @@ -6,7 +6,7 @@ title: Remote Access ## Machines and Firewalls -Remote access to machines and firewalls is essential for performing administrative tasks such as incident management, troubleshooting and sometimes for development. Standard SSH access is often insufficient for these purposes. In many cases, direct serial console access is required to fully manage the system. metal-stack follows a security-first approach by not offering direct SSH access to machines. This practice reduces the attack surface and prevents unauthorized access that could lead to system damage. Detailed information can be found in [MEP-9](../../contributing/01-Proposals/MEP9/README.md). Administrators can access machines in two primary ways. +Remote access to machines and firewalls is essential for performing administrative tasks such as incident management, troubleshooting and sometimes for development. Standard SSH access is often insufficient for these purposes. In many cases, direct serial console access is required to fully manage the system. metal-stack follows a security-first approach by not offering direct SSH access to machines. This practice reduces the attack surface and prevents unauthorized access that could lead to system damage. Detailed information can be found in [MEP-9](/community/MEP-9-no-open-ports-to-the-data-center). Administrators can access machines in two primary ways. **Out-of-band management via SOL** @@ -26,4 +26,4 @@ This approach uses the [`metal-console`](../08-References/Control%20Plane/metal- Both methods ensure secure and controlled access to machines without exposing them unnecessarily to the network, maintaining the integrity and safety of the infrastructure. -Connecting directly to a machine without a clear plan of action can have unintended consequences and negatively impact stability. For this reason, administrative privileges are required. This restriction ensures that only authorized personnel with the necessary expertise can perform actions that affect the underlying infrastructure. These principles will evolve with the introduction of [MEP-4](../../contributing/01-Proposals/MEP4/README.md). \ No newline at end of file +Connecting directly to a machine without a clear plan of action can have unintended consequences and negatively impact stability. For this reason, administrative privileges are required. This restriction ensures that only authorized personnel with the necessary expertise can perform actions that affect the underlying infrastructure. These principles will evolve with the introduction of [MEP-4](/community/MEP-4-multi-tenancy-for-the-metal-api). \ No newline at end of file diff --git a/versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP1/Distributed-API-Working.png b/versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP1/Distributed-API-Working.png deleted file mode 100644 index 899e223d25919d8ec5a2c2cacd2099f8731ff1ee..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 53600 zcmeFZ2T;>r_cw@$3U)z7RKP+JK_HYQfb^w6fB)Pfwd&)icobx&7hUsBY2lk%a z%f!TVKuc52fQgBP%EZJR$GRK5ljyUCWnyAGKvXv)y8Al1xH&NKOR8@F#V;Z5Oz4god=JIGE~!84SiRsRI7ealw;(!EawA+!`(=1pZR? z@Njc5b+ARd5TWss2vJEm^cA$Gk**HEgev&k%?0NGexV%fa0KWp-gp}i@JrR%i{S1; zatB{S$cT!IO3Fw{iy~zH`2>9BfB(LrjiZg1%YRu0qSMF0%iD#3-zF0#Au25j+a}0? zXydf~E*$Tu1=n>$Xc8UGWF)ZmUNQ*f?J-0@4~OkB_6|NSc3@2jeo1w}VS5)FCodcD zY~n6|If#SV!XzYga0G;fy|yVuP0G|75C;uMnE2?}d3sB!>xtU{l2s%O)iEw)A5A<) z2PS(~6eAV5gQAC6fUJ9oL=ukJb$GPg-z->|PaAlOUrXk$k-Vm>4 zgc0|l_<)(nc$6O)W-dWAG%}!&^$1e>WF*B`5~WJk#()ppu%^bQhAMVsJ3l`uGee@S zxtX)Gqcn!7qCtR5!%2oFp3=r@%BHFo9>%VQC>?WOG}^@pMxi(%O#Eb|%}q36o=&cg z>bhQj>R25#(NRVfCV{drl_X;|!1N~esu-9L#X{Lt+}*^^&c_`oC4qE=I~eI|`d9!i zYe+cY>@j#r54emj(aZ~@=4Y<&0Mtpv#X;B4#*ZK)>5Iqdqs^2tw)T*A7&+VONt4vv zwGAx1ZShz?6rSR01Bbh7>S$8%YFhTTdd4cgx}IuU-iEfGb`UFd@UE^7es)*{S=t

*#5l_~}a_O?}C}WCN6`r#iyi z)k#~@UE9Z9ljP-Uh&Hfr_8`MG$S5}tPYHxAPFL4a3W!mKs4U@ND5D{vrmZXmGt-r{ z)gpVtRbA1(Zl+kAyOe~E4#tIo5;w&-`xyCXs=BGmpxq47HV7$-o4b>-qpz~F5#AFc zr2}&^G50lcvc*ezxNAG0ytTAE{BRgoM?f>l#?Kbz?5U?>DsGIh#S@Hdq#ZmpoPAu> zZM4CbQGppzT(rH>Kr=Nw5t5Ehp3(>%BP|soT3JHez}?TxPR9i)spey+t}p3rYoH;m zE)FyHbthmj(nvjoorAaz+Dli{z{}jhMatgUS=GZ&UDwSQrcN-kGts7a<9w029(b^f z6alL$PQ+^?+*CbLs@`rcHa?PO%JxK4H@q4aVS{ra!)yphO>svlH)8`y@C74jUy7d& zO4`QF981C?ZC%|E6pEca%t74N1!-&~Nz~9HJDMY;Oug;QB_vHflvPyx%pIKVl^vZm zZSlHDIDw=}q1c-HN)wP8&RB}AgOshBF&ugp3oP2s+1TEggf-Fg^Kf-`aIp1}a6`as zHPw)gh8FrryrikK3Rx2&X^STMIGS1*%ec8pY1kWksLI&NxH*VJqVs~=K$`@uLexXM z*!qbh9gMJ8X;&9#bw4dUTG~!o%|_D!MZswpOG%1rxT)*to07=3WSFhAgpMjqQqtVr z-Q7gW*9NcegYqG(=mLE;LaAwxwY=cQj_SU4`noF4CVJv3wvJjbtTM$;TNUkOVr=53 zqOW6*uy=RDc%votwLJ;WNW7Oa8jbVyLBnC%p8C#`YF-v<<|HF8TQf9@geEB?br1*% zoR+GtgRweB)zs0*R@0Z{ts{eSur-8Bc^YV``MALhlnMIoHumN!KvOVSX%l^8Uu_)G z4G;%tC1~r2`$@w*JUldP!AnO|PkTR485svvPiZ@h2?p3h6$v*zU%Z1j+#KNzlZ5-| z7=ibkP(%w?Ef04iHwQAz9%g}a^^)-t$EkUeP(DuLMjkj_k}i%6H}I2CclE`nB6N+= zUM404TXB+yA4 z4AH17~pPo9xOUnhPYzTzrqavek@2>8m zqlt2X6Wx^kBuEaP+8Vwx<~U;*&J2tIN}y(-uB)yGW{2tN80krPpe$gv23~lgiVu#g zDXwi}s|%OGIO`)|>IgVd59vrUw~;V#L-=~T`x^K;!IeF{P~vvV5O2(!%wRZ4gqx8E zLJDn*cJq-o*EAukNlIe0d}So;b)~c&HH?rx7%6jc7r2|WGFjTqSK7oBZ|-M+a+lFm zCfLBe_4Q?pO^xlH+|)dgZW`vE9(qU_2R)<T2u;hA6wsc-q@xynu3RVN5CZ$^@jVnx4BO21Sz57B`T@n>azXS_7sbW8#GNu`tH^ z*yxhA9dt~c?Yxy$o#2|T7A|-@oSUArG0DZ(Km%^*=L!vneF-~lbC|g{3OdA93?Qa!gCAE1iWv-}hjDfwYB-5&7?~RxqV=5pfJdM~HYYeE z+-2;vC1o)7I-Y1LFF$XX0iFWBWeyjI;T`oPEwJ`Fz?o3-GSIQdYN4T%z)8a%Pa)&o zkr1Q2P4)FPe2_$E6$E&ttPdT?&_AG68vmTbTZb}u{nzu6RM!>16UD@IhDl3J*~r&w zDrsMZkLq`ZAm1&o{cKoS&9RV!&%5PbC>R_)r(!UcLOc`Ge>yD@n|?S|MfMySzi~#vuCHF{U58gGO`wOibHkJpyY*nAbNsO^DDEf5QHfg#u*BI37sZBI}ti^WEJw@k+u>FAGh? z?O3+g0<%|V4x*WuwmE+utaZ9DE~Tl>JV@rF-Cu4;upFj(eLbn5y2blBmcs|`iG`Xl z={eXPv@)R#`o;&5!eJ=dS*C$2mk@xSH6ciM6)5pzr zgGD9gbz=U?2nW8~!SzmIYpSDK@76K~x`Q5RHHkY<@O^yoQ{pcMz|-bPh6HX)Au421msUhS7oBX=+@^I~>!ZV8qHcp> z5;`YEw~5+h$sw%ePLHO%mpJzf^X0RozRI?!bJ)&c%$=Clw`IY%V=^HKx2`TA|M6L7 z^#17E_1h$b?gzsh9!p)l4GA`MgUxJU;Yv@F;tdBirKFfgPS0;{3*3xDDe-k9)6%v? zG`C3z*P+~2HWd69X-v#q>`IAW#9d0Z^?j8iziPbrZA$R&`nw^rLg$;**tV4*UmyhO zkhEiJn}kQ(Byc`i*ncAf^DokvSS0vDkg+x`9$Z@@pBKCq*h+9$WbBVSvV&xxksQXp ztqRw4nLNM9?(Dj=MZ&pl62v6NxpwO&+5bb@4pw_jCeMrilFBgl8j;xcATqM^p#A?- zNh>|u4b<&q^O%IxjtMtsdm^;?A@u?8S7(Cv|LS_az{97`;sXJHN+9Zcau_V@JH1{@@-2)!y#x%XZ4)8}kN5A}W@tzVY)7@w5X&{5zq{j(lI!#LGzOhe z{P|pXiOk63Gz@a*`d47BE)`U>&n)#24vAtc{eH#bi~D@MN0a^Wmr}Ct8nVBesa&>d z5~vj}lC6Jqc6;Lh;>6_vVdGrin75~Ycslg)^Y>wb$zw}>Wb5T>4s1z!yj6D+u|*4? znI7l0hnx7Yd}F@8FD+7G0$;gkf@r$@r(`ymvA+4H?OC+pKGBkAJx(csyS3|LI@&lApVa$DW6mH3cmd&b;5lORPQZ{Z+|RTkv+(?^|LkjP<2r+VriY?7XV( z%E4oK9)^oUc-lryUoeAiwGnkD0~c#-GH0jh zw)Xx|(2u2FZ!81((`Yc}=F1vR>)z?A^_dy)W|agl zr16&SJcxWpQ`&rl;_=K2oW}KyQ&VO{D;EsJFx;NiN30&MeRWb8f&-Oz8h&G)DElkM zu(y-8Nh1He#aYH#@nct2uI+kvXO&6$L0huXOstqFtJK+M`&^uDeATugKLivlz$-R~ zx;7%SV0XH1ceow&0rQdO^+#3nv3YGgm*SB8cX)h%>_9L!{`e2@F>wcP%*}ApR&H@p z`I^W0qF-6lCrqs_L@7y*4aZbx0%d!bVqmb&?bG$1K8_8Zr}L|gtF`S>Tv2Aw*q>8U z1Z9nhKSKAc17CFy zK6WA043~%J> zMn_SfPtPic(fRY|XD$)^>Lsl*MBk4B_0M2jp&`>-Q7CRwOz^PYtap@RC1bksFkO{* z?IGs}3iCsjvuu_W7X8^z-45}V70qp87~NybWs|Qat>211%3`n|O6sLd71UPfrE{2b z1VBDDt zIRb4KcoX?aYJvZE@ zEu1Umf4Wi?9eHv>-s=A@J!(g(3)el9o<@zGd*qb%06sq(+p-=@5xm8BuyV>l%)7^} zuwg1bYFV*^%At*WRhn_dt)ONjuT7WirOh1Q&!5idBev@Hag%$0@^ZGxWi2p!vFT7u zWBQf(ZL|iPuX;E93U4cT|X&_7~6YR7|~R9F=g6t6uRQX3-af&n1?)tt@WSQYlP^< zJWsCJJ&?W_Zn##YP#FMh6{9>@unpLM8AeyiD{|$eB{(UXf;YXz&W&@M?7Q^lA!o({ z>vNX#^z}2q3O-$Uy;wd|Rv(#5R?JKZTE)`ZsGF48)@LQl{r-gD4_Y*fm#wbsjXwQ; zqfQ$ZDWA;1iM!E-%d32=$d%;%S=jBR<0fmdJ3?2=w zIQ&Dh>i*^0`%x$FX~h?8Eq(_qPWEy+&X#aca^VDU&m;t{Rr+)kL?UB7-?tMhF-dJw z>ctW4&u+^;HT!TK?6AX+!B?(5<3CuNkyf3<0b+#an2^P87k8SF;##q4h^)&U@AzCj zRm(=v0w`o*MFEHCbiFOgwpHJ4g6%XoxRl;err*3BVB)sC!l#tBG-3-9LLBgxmDu3(;#j###G?rmX5gNkJe+SOmphG6LUkTz(-XY(VdkZf>&vt-ei4Ybp}-a0wcBFQ!%bHE zt1Jv~Qp$Z$;|NZCc^^a<2DIPB`1L?E`*`(lua!LPO(_rxPOB3o&28JBG|1IBF3+ zV`FUK;EstG+>MrRRSuA3%Byz+x9ZGkAW09AaPBZ&R6(Yo2XOCp?3gTS?GD;WB)UIh zBDI{Gig^0`e<}OLWo0LTxyK!nwEMIl;XU%Tn~u`Z=Q&$EmgAENAq@cXae$j~=icYcv1v_!T0(qr+-)e~e9vtnm3J zSlWx*wk-~Bkm&lLpfl;}Q}quSANR}O2BNsmmcMj7apSluwb9~cpT1$69*P5Pwsn+) zP-5@?H`PD8h%t{zwm`FUz*q~XXZzRN%>TR1bW|s#sQAZl@d;T{$A8EEYq}vtow7R} zx~Pp`K6`(?keT|J$aMTxU#>CdRPGX_)ih@o9=9R49hGkT zR?U7K(z17eW6V1*c_QK5{EkVF!QRAyu^n6&J}Qt*G?MK!v<}p~sPBR(D^mqAvRtWD z_)XnAT$KGlfp>9So4$lxy>uIsRP^6%CNnU$s8NY)DYH;w{jeSJPf%Fa%ncN` zuP)u3&rSAgvmFSwFFa<#5#HAkV8n?W^)7B{^#dfSf}6V_r4rpFVw(<>CKX!}m@B_HWnt8`JRVh6LKSjKANqeszbH614@6 zt;&ALI6u()Q)WBr0jA`x78vz!bqorPz#z@1OzYJzT5otmyov%E6RUG^o^(?eRaN@Y zdus%==HX~C>fZ_qOal#iD79lLOpCf_6tYWvfbAEb7!6OdCPV~y-x=K+0j+sP0E~i- zOTZyH&VXm1z=$@SvuU-t&GYep402(f;)uo^YJ^Op=51g?B{DyE9)WYOjvQ>-3U{G3 zm2|);yML$c+w_GfwXk#v3MBC)-hdu)KahmI!K1wMZnEwlv~DiuE6h^&gA%*WLQhQTU&u@PGJmf6vSR|M^&T zHm$J#Dev7lUMHABq$X3cpd3gqNGpxNzuR+=|1==Vl^Hy}p`Ujy)xu&k|7*@Wcj^(c z4`g`p52QO@_EKp-*Cz93;k_QJ#j7I;ho*v|oL%psA=67v5>rHwnez+!qT18RCYbo+ zZMUm1;calx!L{YLbewCRVuZ3?`%i0<>o(dABqW=eqy5UU>JTNaG8X?Ja_X7Wjwu4OE76T&caoQ+^oE(v|fzXE5A0DHq&v1 zKmxh;$o0)-+AJ1*KvqT?BwWk;$OC;zC_D*cx_^^@ z|42Fr}nCfOmhEUoLGT@zTdoeWtWEWAGxdG0AV_ zN%EtBRu^jN$kY0LK`ATMg1rFom#hE*DQO(*h8*M0W)l#EM2)3Dtkem74D;*33C6Dm* zejaSf+b}NOd9^jOBQ|dnm*uy#KEUYzW1Lji2=evgc2J@;;8I@6;Jq1M#>$;5*Ftv% zBwPP^+F9b=C{ufhwlTj+>^UemB|c8W9qjxGgXNL?Nbx2d!CI~|7O0B!oCQMu z``t5(dBK&2mm&BfuW3|~u{s0(D=i1=zmXW+H)%BrrRSF!n*)qLq)gd3#$e7SeXjDy zF0sdLGe!v?pGZ2bDZHj0=mUGk(|W*oG!3qqH64vr_`W;i z;NRnRkS<8gu*ee`J@6K2d;n`c)-5>YWfSLgLH}~q@@f-yTDS@%^VXZ}m%?18IKDHA z2Ct3W_@@@2n9)kVzSLYc(8`%MOX)1{h1H(^lOr#>PGczSurFe$CVm+$lsCur^b$3% znt9dn(+{NK%lHNAHou{GrwL_C-8eBa!0AdrTC{DzcjC5ncoRrMBI?Rgd;MoC>AF9J ztyi^|0e9+(dF@B!i(yR{U0>CYZ=a zWhBf(7|LdKtZkI$vjpD$Uo@8bejKD1pKSThm(r1`R0w-|55KiKO# z^dLEvg?W{4hca_Dl%)*f2#CdLO&LavBzj{~h6d;}WIU9%Uu_v!Fnh|PKu=(S_f;%g0}$lq&YDX*MmN`I zm*ISES`~#Qe0MJ@-qT{vR=CW6`~sF;F@|bdF?cLURjA;1F^!(ehuY152rT6Mz((H;te)G@4+TOdV7v`T8 zOfQEQaMUDZj(oqEoinI@IP9Y0%KJkVB?4zPrHi{=vsX_jETkSP1t?4Fs3mj4tNx9c zXVTwklRLf4c%G_qh=obA%l^7k&D&mqtQh7O^V2Y_+5CJyvZSy{p(nf~OQ=1YN44!_ zT194Z&D8?U3mv^?0DJAj2F-KOd=_e9pI>3_AE4wIc&o0)`UU~pSQ;5PW!FDzy*VFW z*a;ph4PMC}TKnl!fCwZp`qhrI^zLu60?HGTDXU)#dBUfyYa#s{*$)T$xv{OE7d*B7 z&rkC%?5Zcz)-7qpZOM^=&*=(}=+@=yiqm-vfZ&zR&3Q7?$+JAFdG_P9E(YB+@pU)j zEaulTS4v{7J6`r^1x9#ml~%se9glNUVPZJq=CLFFhZ~t$;^N0x*oXas175?TIT()kl)tEFi>9w0vr?M{|rr zt|1b#eF8_+1aptxs8)TD7wwz1&z;4{RJH(~gG`r^5IIzksu;<*WlA!#9Y6~07LUQ(_;=bNY{v^dJnb(^sLCr{419msLWVBaxDd! zh&*PS0@TBrb)x=2pups@y=zmG@)`r#=K^{1u^Y4HT0Px@uNm0_m|NY9@gQaYfqov- z<>TF)CR`7+{!TKFT( z8C`x%X48Ex$$%69J9aLA6S}4B^X8!?Fmsy%#z046Fe_u#k$4{epotTim;%kjmb%?Z zao^h43G$d19H+__UPh=TDQ_-v-i32ROrZ-Mv79&`s`UJZD7R-0VeWGn^%~rYuarOpQRFXNCD=H863uyXws{vh6%~Y=d$DS@Jt_ehvQe= zV8JKz8Bbl4$FCfh7r3}X^ZNafxJ^@7){HbK>3}ds>tXgsJ6mq;>edbYT&<~ZLyy?s z3RXR|)~QZg{@~M|R(&n^{5}0C{?ijQ(wf0wtf>1YNkT`uM+|e|b&p(XMr~j__IjCU zE`dGYxSS$o{s(pHBAYIKvcc$&zKqG~N>WC=>MyKd_i*;ji@79@yv>F>qsiEs#PJ@rgncjX66}UfHDeB{$~1#Wd$!u#!x2Us zQJJ-Rh2RBdV|h5Hee;m#MOxF!@MXMrYpUU13gQuuVykW{o}FJ~5ol}g_?)<9*?8MH zUtb6Ys6-?WswJJ{=tSD7Vr8GT8m2`qlf)K;t#Iy}sCD3t{&1go6NPsq?UVxwfqqW% z&OuW@1+BHF99+nwDP`ehi9>nF1@-}K!01jgkRWdqaDk@yKhS!!qInFp!Ss_do|73HRp>S#ks zZzduFzrvq92Ga;f4@M70t-M6rW>>4WzuK6hmt%}v3^NISZB7r7?cvIU4_R2-t1!31 z9#wzpA3v3}aKtoFwTpvVeI=4H4$I3F4LcRxAodOO<=bNuMRa*%b0c5g6v%SUwm-|aSAjxBrCJ^KecdmT>Sh5R1 z-}C3+DR?41FIFq)r<|Jgt(Dsd!_9RHIR@IiY!XcRGHW@-ks^d~v2ObW9S+i-7uzFXDRK0vB?T!w5)rEQ;fmDgJ&@{c2~ZB24@4`ewWmihFJW_!b%i=gjCos zcjQ@uT^Lu{_nFF=QtQMPEf!$hpNFxCCPnC3_brSI=ul5AyqEgisOG61xje={LNSeG z5lAxlcH+jSWhBcuF&wk@S&>boEUc~WrShQBET3`S%Z$M@M^rW^VYyie2Ln$C`>eho zv=KjM5rp43FW06T!VKq9rV13;grNcyx^9Kq3);pnvCX;5m13yb!EY`CbFF)>NAyk% z5LGk<{o(z-b_|5PKsu^tp`SOfH8sIiK5xK(G^W3Ye@>N71N9v%hVa*EWUa+;!<3C- zL3-GkN^kAOR)5|b8-*oAaJEz$$+3$cjl5}4b3Rq`T&PzbhbSdAv!5GYut{O$8ah%~ zbQW{VqF7TcTCaXHTRYQHo>Pro%sbicl9i0)|EVhdvUY_pWTGvW=UeMWGi@BE9VUKb zTPhCrWGX>SOF%VZJcO)eh6*ivtr{sN(%vder)XXCqjS3meP#m(*F=8b-t^j0C+Fo6^zMKy9oE1+e_iFf12 z9{OYUy$k2u+0My+e^D{9aL4Ps;sVZry=lShnVKZMMT3#INCyQ1%ZT6Xyr8<`ml>iD z_^2#GVHYZ`CtDx0e-shx+n78WUG@IaSjT#i!fGDs(xN++$1>LJ1^M&=c51a2b(2qg zZ1~B9k!^C&k-TMG;Mymn*~Df~M|l&Oxz53u^MMJ}Xj2NRi(K`Go53U8{>D{1NIUVQ zR1;su7z`aKEIcz$6Wk3{Vla0@OS5BKJnRPhQEBQP`g;Cl0S@ZIE9qRWtg}hUE$f{| z3G91}y(>wnS;+K6t)oVkS#PB~iRZMa$!kLoyCk1j{<5I+AH`HqXaN^^NrSq7EG}m^ zq8ebo(B}#}xGK@u$c80`MT*yXWmCIs9?ImWXV#MmC06E*r`!O9w0d|e+Sj*^n~*e* z92tWVe<=yJE~W{uRXC(L)3El8&i+m8GS`~z)n!(SVAja3DzmouO#1SzDTV-}s0zLu z3@U~L-U?2-BqT&+o*BzPKaatG&bDHwwxMXRVu#W>usB84|!Ia4( zV~T!;1QyCxb+nQei^2Eow$%;W6f=W#_DLg_iLbnORj!!`9Ko>5oN zk#}A_EM19jbWi(3c+$MU!!K6pjia1{M*T&1mVdIgJyHCbBWWN6a4hXQVl~q6J5g;v z?0c$Bikqv){(ms2(T(+pg+}&QOKk6|0!Pe%6`laFb5>JCGUM#KJt>w#@A@O;RTq348eC+4it?7i+2jg z%|G1&z!?A*?!B&J%Rocv zQCOK`Kj<&FWVTgz3wV5u!aQZ1;dC^6*Oc8OhpPZSf@(=m80|Y1eMq7F=EwgJAGcJF z1>Ws^e)%KsX1?5xBWw`1cat^Wv;e&uqUL+VJ19E=72kEqg#79TB)F!f*+nw(2KW>) zK{U)9+%ck0_R``5_#%bH%x>C?8G8Hed8NLd0)i`-XO@uin%r@w@^c}T-2NiuJ4}CG z%9Zl510v;_a|(Q9LZP>Njy#*0?m`sZN4CeDp&y~{$A#2%9#+VZQw{NJdt$^63br4f z+0kKE{$fjZ)2w>SK2r%68i}sj4>#``-j;qhh-2k#O*;GT@`TPsHc%(7`H%^hV`*@W zP|H*A!}1b5lkTPS7-@dZ;A)|dC$G&(-;5k@JbaCZBoNC2N_P1)L!>)Ig|?(E$J|!Q zy`B*Vl78$j6bEB$4&<+#{7_4DVik{+jn-xcRq^b6?@r?4k9PGG)V}84G0`6pXjp&O zP?xQR*YivMZnJ;`KkdpSSstU3wD>~-e9Fdt?LiTG?>0x7NQBy|Oo!^s43_aoq=VT` zk*eFjVSQZ8U(*_2L@5CQu(0KS>gM0ICxStAi;#?`(h$`8Hs?WG3HXz;gZS7|lc) z5Fx~E9Hu_~714j!FhlxUsqf?65uU6pe9f_bZLvt^jJQ+_K0OP1>~TW0!F6K}O2gWR zDlSFJs8&cBAr65Kx@*|rg(6f7wVuqsdRb>@Es}+qeVg1JhV^=v*e~R6YKIqV3BAu^ zs|1nsz$!l%f7KlW!c3BMYmcn6INd%vCX{PJeE2pK0#TAoxkSFm8H&{-frzO2N&WulTPi- z5t~YwOCu+d(P8lTnFb;!^$@~EOT36VTJj;YNBhL9OXRbNk<3}?@8pRvxgu474Kt<+pdrP zidXyJiPy5AQjE6YRs7{*_R7loz7?p^DEn2JYr)m-gS}pJ&T=MG%4d%MeH!7W`={c! zXZ&b#XuaAdti}bK^y%l9mo6L-3v0Jocx!${(IvIK z!M&jG#Ab7W)Q$ttD0ygTXa*pPGgG2l2xkLgV2XC))Y8PN6e!>=1}#(N!g&=fxwOqS zJb=bid|r+ZCi#R!AV3A5#`VlrsreAjX-HM)-VP&jk?G9~skya9$IY(opk+4SS>0## z`?^rtX78xNCjiG*HqTbRm^M=<1B+ zEX6cERm8^BOFUWwb=vc$qV(eLkB6F;%%lq#o9pF(inGxd=E>2NM#Vd7*Rb0*pv#nn zr|qm>`X+?9F9R^H)4k;9?HLfR)7Al8INbqS7K9q6-?UR=D!?908Bkq@cZhZKgS|cEUPrj# z>H0|hxMyC_Vs;gWmVw1v-AjMP1w}t6lrLQB23hh^h0VFhbwebSo#+D% zBojfKe^SbC9F!e1Pl(^c2I2iKP9kl+Z?<=?mRHgJ_^Zk#i{(sg;1^)gb$jA= zw{n;fzo|n&xlDQLgz71cS4*tG7)`5(@v~O*ZyUiu$AoWoM_w8P(^Vc~+9#!|mZCuN zcVHv_SvT)Q_$vsD1}GG-_wqn6O>T8Ky7DeR4A)2MT%3L*RsovBdgH4W_-T7KAi(0_ z<=;x=nq#IVP$vk~gEvo|I3zQCSh1txPvhjS9RHcp+F9ZCyr2}~MYLTCsl(jR)>hFx z_gqORdfXnBLcLwP29*-Oy0F9tCHITA4NqrZ_Oj z_YlM$q?-TTF`;x|V+0W-`8%$-qJ|)_Fx^=`K*tArxi0sSml>}Py#gJ8-Qj52xJz?m z0A?rU1=A<{j7=?n@$P9GzYvJ)2nLYCfH#zOURFjGICz&uo4w8@R1>qpvt>dz2{lOR z_C%+oBO;uUvYRb?n1%ix0zw_E3cA>5+VsVnXXIt6owCkiP&?RqWn$GrTNr=R?TP6f zi?VEiVSeN3@oUkB?1gVoF?U}CLtTd(oEd9~FvD5DCjX6O1M0@2bMjJ*YqlWM!o@HM zNejY$r&-5f=Pj)>CeS8qHoR-icQW=rrVlSHK07|ek?nc!d)AkV`z|R3XRj%P<4U71 z${JizU>nU-(^@BxlpJ+9odeTt765wZmJ)W;6X3fjoR1VrKzpUD@Dc67XdcEDkPW1> zW%Yl05#0JM(p+rF%CqJeT`_R-%7EAUOnKh=yFCix;vAIf-#~hQ7`4YDlxDBMFuJ$w zWWQ?0h1ZG)wH#*_`g{Bfb?&V?AOQ9tAB#NL0b7lQTUlnU3t^~E>)^`rpSMpX_8Yzs z6Z7|1GH(@QGCf9pqu8EoFc^*bg~P6b20@3n$aaomqD3}&F(vV-G%oHG7uTHN>)n;2 z*XhF^g&~219u+FZuO!4&d+aZ>nn9M{;oTP1f+>7TV=ZY{*2Fu{2dn^#czz|1aaNu~~U zvcG;+I&!iYREkK|AFoVNRvNfBu9jF;Fl=c!&3Wh7;J2VRW;c~i|26d*zo@vX`r@r?$d4OsUdB#lI(vbG`0o_T9k2-(OXhUIN0q?L=5#C_&!IE_6`q zJws5QP!t@4rM-N92v_N0K+Atls92be0y^+*inDS|eN*!-20QNimgl>nzx&0v{S=%S z&$y~(wJ@v@)@_ULyJ z*o7sxj$3@@rFW1fGO3gT9maaqa^yCn5?Di~Wofxyp#Ax;^u)* zAxf^0>%&z5on!4HQtSPhyfhwe?nP90>Ab+1)Q&;*^|)|UKi5Zp){XdWcjg)V4`1`* zT46W#HTJ8wg3iLzKwHGT=25@HV{4=OQzB;blW&l*ALnrO!?mJQQJ;#xq{a3{d7*Rq z1h*}2nYCx%{rvhxr_z)uiB5du&APPL|BM+2>8FHW)lt^en#|J?)>i~*=HFY&Q$mb+ za;KsKS&3oW&oE}-9(xoWKiTA^_}$^v*T@x?mnkdv3m)=7{xU{nm1L6mS~f`DO~_0j z*v#5R@$uFK2Kx?=v2S}&-_pA;3dOzZNLdVeoqZMk^whofi;*Ti=z6ia40TAo4xxjR zj#5P;tq)z<8&}8MVcLBjqrda;*tyVGIUg;<(!!-pRCFwJXh)Z#Er%^W1Ux>G20dfk zV>?^S9mw0emgaZL*-@OhoSTo!%z}lc1j|1c z-CPA1MA*iK$sA+ONobI;smt>oj9HwUv_Zd@SpB%B?O!eA%EW959CuQQuqUzLllI+A z++zHfpx3yo=*Rn_Yn)?I!sY2BPfA+PK>qg)ei|msQ0Vmk_3B2!Leqlf)kQb`#4l)M zU$*#uNv5+JkA>*p3Fv318X*4%6C;u82b7+Lvy{C)Nal|a?J#45kuo<8y0JcCIJQ5a z=Vn-h!~Y_S86v^qLzJ~sb*53o|ABcsazBC{yI81l1(@2xz41-aIW6rnPUQx{nczV_ z6nXDbv{y3md-Gb34^)(#xe%(nUM8U7)x!Y~YxnB&Z3GCqV?&}$VHiVeA+T1i|7V2k z#0AJo@%_Xa3yMTrx1+jsvF{*JQUz7^u@0+V8+w570q$a-~eVzQRb4lY3P(sUnpSo@;MZU8K>k_?s!MdGZePdtiG6mT3r*KaK z>PyNUd!Xsd;}i!&->EUnH0GWT%$P4z4Ot71Mwfj0*}e1ulkn|1f~Do0UianK_c=YYY^JXWfZ)_- zp4q23Yo~Dej&HD|EKz(9hkCz!8|90RG%RA(187CjUg|@P$)As3@Mm54zpAjtz#~P5 z)DvBinIh33Y!dg|QGTU8G`25f?8IJXE%wiz_+Mk*QFXPM7A!A8C}?rZP*X5_)yARt z;Tv|xvn<*PsJOXv80kc#xH=FyJ+27p%bj@l1+PThzbllFZ5UbXwIEYBJY;l&O;_R@+uQ^%uBK8V~@a{2RF!m2v+cJvnsKOov@&iry?ZnN(P?nb1ZdB_)fdekIB zLGVdHVwQTynrdQ}G4dAi^;2FGpM6@wHpf+-z45c>5*sx7sO9kFGMJ@qUsqq&!JMhx zYPEWYHKUXwyoFII(K-s4_H#<~vzYdai7K+@4TprwZ@q{W-*@&Ox&3_cT89VBGQ4XF zZ@kCEXXkUf3#@!vXKG7h)0(sdc&V;Oo^1k<;27p?QqIVo*glmO?Z>wcUvTF!{}hgF z_b@R3Un=&rv^0D`K*iDpNyo1ql1_~|eZkwAnD!Yg=!nb_D2VM7Z#%JzdHk;~l^qLl z`pEulQ$X;Of@hcZgronKIwhF%Wf`#j)kcYAhqyY#!AirC+<9k*V#B)gCs=ha(VIZ1TJ7B{obzM764U_u zjHU!vZAF3L5{t=X-$AzGg%)&qG)A`WQc;@$K1;V2G@APt)0cYIJ)vlrJp2eHTN(Tl z+#Wy%t@yXD_)i!0LAB{yz6)Yiy1h<_&18OY(wb3L4hoU`wkndrwF;%+wvdmJVhpJC zmJA|{vfQ`bUsB$+fU2ogN!Y8pL2KJE{$6lz$JDE;HCJjwCv%n#s-k3;xbjw8J>idgD`K=>M;ex z2onl`ZT_k1gI{yZ3wy(@H*Cq^tf6?it^SH9b6WYPLT6l`@*eJC(Xz2~%isc(t|V{- zZGMwYN-P8MMPC$JbR3FU#jd%73`x~2sB@K1M;3tuPzktu;M+cZsQR)OLj887flSbs z+=}@xGf*hP-2TKVc^q`rJI%Hl4YqyQCpNX^*FaUoLNOG=Hz+bTs*=`D|Ghh; zCT6hheB|Z95pWX@L$ep`g%POaI#>k_3gooLt7AmvKT&-cpcK9jG#H5gPBIJ^d3{$7 zTwBw3rGNgon2J_NIY^UK>Sf@H+D*K{LuEsEJ6r^Xk_X@yf|8`7bH{mbF@0u!iLWl_ zPGLqlgYPKK{5>xGlYS@;8cm(NE1maU@HO_nW%>O>p|1|#Ejmd3QVZ<8&`{Rh*Z_Cg z{`LOlGN^c(b-By#kl5vMqo`M)M!kIoSPdVLS=uD92U0r0yZCsPGJON{VDF%xOGO*7a{6O?ViO8&sZ*m8B{VL`{J}t zReAP(bDR0+}eOH{ChPW6o4m9m-EniuH87W5tdcQGnwG)rG0sK zO&*8I>$%F=KtlJ$u-Mx1{a3yxHHvK>4DJ1UvM$TM53bJal0J;HD#Y5SoGAC<;$^lx zdl<)!iH(H(l~2Y;gjbCb-0}q@f{Lqkg_;YBn;EU@(48*yq2PTY`5~Ndi61hd`ljqIKy`{?7dy2{Kx=T`sToDBe?=8 z?RhzAEDD)kJ0*pm9gg`lR(aZTwzeDat#2?~YzEw3;|-O2`vya|-;_bu#zgk;#t$|J zV~^ANL;0_`O7z#EDo%LB7tsDwb#|4v~$^sc}WM)EXpp@z;U&*ms zW0mKJ*waUz;zSweypxP5W2tv4oZn1jWv@jWpTd`=U8*E#M{4wMgF9c!wz>^Mb{_mK zX4Y8*N|gOzy40eDl9a&~v13cM{6F3FHh>OA@BDLEobNEsJ%Y<1LZNo}eHX}@ZVvvA z__s!7Z~gF<+pi2UvVr^sFZabm5tYwbr)s9qOx7)z@X5s~a7Ba|Mil+)ivmnXKGs6f zW(>BMWi#?$PFW#_c9$A|ud|YvMO|*0m$e(?oCU4+6GZ9hG*E&y+IrsCvSiD>5FNgM z;!Fq>)qqPT6e0zj>J$pB9u#16YTa$cMjTE=+&6&#b5I@_ed;jpW#aXnC?!(CAQr!( ziR+8+WobFTec&!gM50J+dco1rg(J4^G`u{R1wHeG?$r?dc#LZov&}!Jy{lPaTwT36 zFs$;W+b(M<%a6k>%pBVe^N%;M#Iumg`XzrO3gHg=E93rK1KV;P6h(WHceOE%DwR0u7~Uq-8+p~~*&e2Oqq*x9%@|Rn90I#f zV$x9nF$rZSF62Rh#O<5UvNU*qdd)39ai)A2nN^*aJ9!=*-l%KbqO`kygh9YCx2yd2#DSPyW2apLrNFgluX3r}XHT=X?UpM|YDn zd6l=``xJAY*~|0g#I9+Vz0lXX%m<8{^0T5CU0kHsi3tGjLQqqm+=Rc4W9_)f=qJN~6X7b3Hwp*?0Fb^d&ai zI!_v{pDVG8@7~^ihF7F_>PI43E(QCV>b;|tJod|izqY)%%fs+Dd|Mm2n?qO-e?0jG zq>#Q`Vxy;OqZJiNl(<3t>ma&bbAj8I3gmVhzqxWyb?pY(xZ;PeE=Yl|IO~U`{l$3A ziY3PR;uFT~PVK{m=? zDVi5>hEFd5u>4F+$|9_`cz0pTyPUZ7^bq(;qT%SR3)C;-|Kd&5OJn?*n>dp9nC&Rl z3N#2SX?0Z8^Sft%zi^!iop$i%0qvL-?k`CcxOeAORD*x+Bmz^%A!)AnJ~tj8>f;eT zyE{v|i8RM&~=guq~vP>xIR_0UQ+NL zJl`pkQ?f6m3s~;#8TkR^iGGveIP48u#S92S$3fVCy{JM^v2d?)w1p?T$%=_H)eQ|Sp#|+=R5kEsc zzzs&an2}40`wQRQe~Z%(0f1@d7gS#|qjA?G$`Oz@06pnH!-pwgzAS8E%bMM>*tiWvX{ch{bE=|{$OxLV#Cddp)@xNkT z+s75~)}Of2WWObjA9Ak*902!bm?io9wlkeQK-j|Non&-C&kwGcb|)oE^q6y>E=LmlvuH1lXtZTNe}@3_-tk4NFO zU?K6|czM(oaK05_E!hHd+o#41a~*G5&=e~NYpWf2Dt48fGC5_yAv1aC?mo^J4V4*w zwAU3*=Nm@vf3c}4$RV?bQa9LFok#f<8@R5s01xE#^vOL_H=mKp$|fuB${Z1lc)W*l z514_l3*|2!C_7QFx_{Utd`}YYy`S{1N5MK9y*L>Yjs>gcGel6(RL;y)1V!W(<55aA zxTOS*(N>*$fk8j--Spqkw*#N)Py7_adj3~;Z^nID?NaJ0TbCXIPli&ui_>{|Yuso4 zQk~lmdHsB*-s7%^BprWv%Ewp>4Be1=7*YYhD1yM0&ZfxHB(|b_i-_`SN&6FVscJ=9 zq%Z9(-+0!D#go?NUi;4!a`TkMB1`9~?>_&)o$4FPDYEB5`3uM%b;Q3P3vO<#abW2r0Srt0#M(CZn*q1Hv)Z+vD6i4XxfI(KmmDhdZiX|#{>REY%7q(C3fNhAg+6ci-8>AgTw|YZ3QJ4LSJ0+^#ge}-(4m%&&nNgyV0d^uH(zN z-5w^jXl`)msP6$D6&Q$Fg8DE>uIt5qTafth;^q}$u)33i|su3x$*bL9RkgRL1~ z5RG(%OM)L_09$ZYu7Sm@u6D3R*WBya*ryEtTPdkct$R;J@?C)7i@gB8IOf>hjf<`T z8UIwl!eO@oR8Hx9v1UiR87u`h*bq()5%PH&i?v7$w^;_y{T$s#XNyDc?u_oa`e)ks zFY+o;@rSOkYu|(7@I$Uo>Lk0fvZwhy$qbnnVb?3ii($qt{SNUd$t5WHoYDwJ+A+g} zD3!+!FNr)uXG$Gr2@b93()q*Yw+`)rL$lxzell@!XU>j4l}Vt6=Iq$N%o&eP2&&$z z$ss3y;9Zxnf}9h~*T{wSBooBk4?Ef=PEaW~b?)lMb;Sj_^b3@JIktDi2mvl-P?H)~ z!5vhvlHztdM+@b<&eclN_35R7neEAr!&uz2i_Str%E2I$|DxrW%5KiSA^c&)(QI2n}yoI6wOKCw%;x~9rZB> z!=adb3zm#yobN$53wz}LLsp6uGG;X6d)sl@; zU&4>ia(4{D+RS@?T#PdA5nkZtrs~E_c-BtC%cj+4J>ipFp1Q*k6rN9wI1DZ6QNZRn z#tcCOT{3|OuWE-p$&7M@Lq+D@+ec#gleez^mi zF$pQHRg_^nT7<_8<%-@qBEV{yEGgMGaqHnI6O2MF%x;Rozzz^&(qd9*jnLXw*VR zkuiR$cYSU%Srd&401tPhZ1>@$&qaM1?|Bk|umc$%P$QH}?4BEGQ4*>QH(2=m5k<%w z5RU8XUAJw3c@LrFQKdO^`@kM>=V3T&Tmv(slQ2cZI5^F|igkIi@I;@v;z z;{W{{(76eo=JgkoCUWn zR)wN>0Kn^$nO1mcngQTx&tlXDnMKu4voM;xT4HIb1lI3Um83^kB$HFm^4lNT58KWe z$bZx(>yo?Bw{kvH5k>%8l8~3vR^b>*?)ELt)TW%{tlKT8Ac!y4gpl1=9UEli#h5wp zG6aSLk8-Bq=cB-U4PA`;=)qn#!H{`EU)%mxYqM#{MHm?j+Vvux<4#+i0qxnkuo^H} zkAUGqvvxc|?Z?V&<7Kos2sFYCc#ROy5*kI4v9|z_ZbH^xEuLsO7>RWDC;{bvK={{?)GyK=f{{KAuB#EhCZ7FR2O|t?SNlGv? zywb4kG@YC;pUVz;KDA#&P31XyfVp;z_hJCP1{^E<9alDpI|;4osEW+R%fYf&a_CU` z`=G;h@qGJx)1sSgkHn;GjkvG9B<^24f;si;j1?(QpcsHoZpZ7N^38WnZo1QSiBLxM zd)WVdz(}8_f4|9r%Gc-0gpMPA&yiH(&S{{BSc|&%8vcF<@W z9C(b6X_Iq$mpr6$dhtJXpK@kGBe3`#pXl_{jH9clocudbZoCp`Mwv@;KrWJ5$lbzu zV4iOJFU0#$$Re1MS`O0`fm3fa0=#_|XyQs*ZYTi|rHH{qjj(8c*Q~r}YLI^00%cSd$&+D|Qck zx9FPo#U9bh1SD#ut33|*G+{w47CDG^BLX`|DCbuFY_WbmGW+$XuS+Q0-9UT%oOcC{ z0mj>`9qi0AD1I!)mX{2Khwcvo*7dOe2#ymEpv-|`_YQ?cNC;kT;;G7zw)F7CYCbA0 zQnp16UxeKL9H9rqM#^{k5T(TznI) zb4T-RNlc<+*9xRMMcq0E-=>I&kKDq|6u%r0}Jd|NKK;6AJl|#kQXUP9<*+#0IF0C2L_JWzO;*5aS9)RT1M1F^$O;> zwBP_2eR{EcoDR+DpkNNKUK^^{zDKeQtoLk_>|2$D0>XW|)<3F3I7NJF4}Noi9KzMc zG1<@4B3t#2TW_D^AExFgg;dyMO!F31rfY(#Ogw9A+-GweCKN5JxplPFPD4{|9o1h= zS}VZs>IUI~Qr0)jiYKLWr34nB-76EYUA(UVKS`Gx@L~Q~XO6d;tbfxcC%qT5Y;i{C=k8c6O zbN^OMf{Z6bEC;A>#{mx}0l#=^S(k5T3Sy1Snx`e!?JP5y1orkIADpITs9dV41pl^% zniSW?MBZv#n(ry7e|^DI`0iEyQK+$m^&pcQkXu{Y;yUI7@U9`poV=;&r;W!9JAejR zrvHql^=t@}<^6$%7K2=3F|W=xkn~!e>j5-qIT4zCh(`}-_xQP9s09Q1_D-)13~9YA z@HRxX_7n35A@g$7VIeY8GK-au4Zgnv(OW$WE4TxA%GSd~T*s2fyd};ksP7p6id&bq z^qSL4tf0*t!2OfAO_05>cewKaHC#VY&54gTSqFUvWPLU-PM=-%`LO3^tq#cMjJ=VD z5HuTXI`OUU!Mb;cuD*60E?Ux3sR}P46)tI=L`VCA_!gnS;aG1HtrJmjJImvua{TR2 zz>bCSfWcZv#zO*A-XMDR{h;ysnU4RD&g>9CVEux*fdpjHBKYE38H8zL=4bSgAl@C> z9%Dtn&`;{5J((=?B~4$p|Fyv(*;HOPjm$S5*EQmG6tadP3A-SPmz{E%kg}5RN-n?r zD$^O3M@`u0-(Sl&*5uBu9)kPS)oykPu+m<&CU5o)gRN9{i?J2q2E!l@q1+!{1zhU& z`6gp&AmkThrgtJtI9ae;{<(}~Rto_xG zTKv>^Fj)cU+dpnZV@KxPcQDYGOrNc>&*ObA_(J^??!^i})B{av&}4*2?%ea`a-f^H z={p1zBXru%0yOhB;G3?voKn^ljatdc+KJPQs>N?hL%TcnScK44y(mE+@r^&!reEoi zCm8i4*~~(0U5&((KznmSa&8MykT1wod2&>UFyK)IXtkbx6YB9gN3ZyFYR3sHu%sPF zLlRA8msw12lwxE9?*RJ!4&%M3K|p~s%}aLXjb_x$%*0b2W(Zfe)!M<;D>*~Hwsz~D zpFB+7c*WWLjDq(n3XhiM_=?jFoJ#h#B6|-zX8`g48_&n|h_ZK2DpsUy4Nd!rX-DBb zx8LO(B)>au7=+^QDbbM=;9@#*>I|S%Z*IMkHI@sUBLHl@BXb3mYs4!RcKN?2Q0`;@ z4z-I>V%^(=yX5AmS83u2oOc%&rg{^nxJxLKCRKFrJyKAgY--b0kJkp7!^M#^o$9EO zpgBhEwOAkC5BmK1=e&94XD`8)I&G8uP8qoPjm7k8KS?t%0O~(KAj&Y85?x?OyZMim zi%qRQ!%+6Q8Ga^zp1E!!Cmz{}e`s@y`&)CRc$B30_~4&wU=V$Ok+WSY^5E> zE@Fhufiz<>6LFBNM+dfwJY|)sQ?uDqu-QaD)%YV+k3VS>v{_O9I&;QSmM*7@-tX`< zXqmGdWjOQoCE#8H;>HMAxBjVW2O$APGTqTNa=Uj;bdpTZ{Vp^?FTn4{Rq0+!bncwt zk~$c^?fD)Z{=HE3LIvPIcN8_idgflqF0o3Ui>smRd6>`j5aWH_fxv|iusNoyI~a5dVMyO7F8nkwFc!TIShUAJ)mIq`5RlMKNOaq ze*$pm>n{SdKkH@#6Ft|(nEB1y%RK2i=A|lvG4od=+bo!Pv!_x+S!SUt`6p3(knzJy+* z6IU3^j`m=xf*tT%g*nAHc2@N?%OrPp({=#%P(LyQY6ByM2LgQLqe#x-o@^n7J415n ztl~kbI2OOEr-kB1cxbKPVUKWvxjhQJUY%Ipxeg9XOvPfqcW=&?#cVJzMgjmu6l|#; z+gERBaL;b=$aZ^h=*eSO#H0Yoz|AAGL2+ruQ1!gl1Km1mTIA4ARGzF#BU7CWz z`ni?ow}2`o>kbh=LdUOIV_bcH08|lezwkpomickH$&dC9-I$?>4y_NMS8VMuyf~m@ z(w99#doGJ)80PoJFmuu4#MDVpKr^o<>c1v*!2uf6^QTf~{~|GItp1pl!w_^tlxN?3 zf8`ffp3_9>siBt{V2FwCsUB!32QlDTHw~{-+%t!xM_ix^t~OGMVzN(H1rMbj;i<_R z);@Zs%u}i}#fdr=Gu5!o%Z;F3t&#lv`cmJfN2m71R2_xceQbOrGo;SUjJafTRcC9D zXM({};r@TKs9_C2LA34mm_|Q;Xg&g3)BU-NDm^N>ve$lEXIo70czu!w|j zH#M4W8q{dC=_bCu)I#WJC@Y;UJ}dX$6+UYZg$ho`xVBpXpR}RbJKLh4zcD-0LiKFP zVsnQCt=>Kxq1RB(@S`6-C~c)3Boo$NL|F-1;XCDCY+CPEoR`^bs62{3A(_inSBmt} zxA{hLDJe@z;<0_BqtdAb&qaA^aJ-4FMET~-dj42J4Wx5W6GO3}p<=YcUTay7-eJEZ zwTgwDWrluN@!2;{L~_CU{Aao8$Q5ZuAY%j43olS0h=;NHe8ZQ4~%m;;1Rp#y>c=wii3%C}-PY}JH_AW|K&eY>x z?_^Yb9d|P-c`a#NC&Dq~IUoa6|3v1`ul*Uf-JH$;Dhv4^=U63f+|KHHdamnu zj$^X^K8MMC#}SkthhG)S%V8fSV3_k2?CBl8-9bN_QnBO}BF)TYO728OqUK;A{rMUs z#Qp`@;8h~W`^mgf_-iMN(V4-~UI`%utit-Lf_EXLpmi51nBYI$Y#+I2C%ZiWCF+?U zY0iQb3gyW`)x*E$$(!lN4Cxv$M#-gi{QIVO0uDkMa-Qoq9^Zj7q%& zT6S15k~O@LbdTUs2O49@B4cy)a$clPK`evFd8niTYp`hHNZU?1#j?@Ek;A2l8OE{W) zV&alzVmgnP?1Eq6f9JU%@Jj;$8ql65?VO0`Md?Rvp%d`{<4N0?ovIzD9oWkd%lrty zrR>k$R9$iw2j4M=>HDP_?HC=+e+Q#eQ&St>*w|oDxHZ7{v*&SdM)N6`tC{Knw7YKG|R?8g=Y3-eCVg*b*BlhZpcTOYpPM2|i7 z^$%u;*wXG$+2A}|4*d^Dmpn@wN(GN>p8Hia z0o?JyRMgbV)fBP<5sZ49FGmfD0W0cQ6E`<#<0YT%YUn6*(Q%x2^Q z9oJ*t23cM3C4R}7%QN<&1{-iD%5+oyBQ0ZJsFxjX5$dF(mg+Pxm&P{=XxSz%f8X<- z`Y<0X0c}l~Wm*#sHli~ZDbJWX$bNdPT^khP>x3l-g zwKD>}z9)j06tdMtG?XNgJ_be8oNklN)?*3d3)WR>^z zsu#91QwA)lYx`XVZ-1DScuCozS3TsN%sI+{V`ikcZR1;@Cibfg$?4)=U&ak(VamT~ zXukVXdg!y9e6=c3mwo-+X4TuyT*Zf-Fj}gOVrp1^zbs_{rs87FTwPGj8pj}q;!({< zo+;obdE&#OoznYTvLz9*I=m4@jl8c1PTl%)R{J}&&7k7yQ zivLh;zXLA9TOp%zc| zZmjv*q?-mZrROjKYoSG16nO$W_6!N=3nK^2$(70lh{heBlV_~Or*ywzh2DM?txg?t zGuiNTgbH(QX6hvUpnMIzP$2V@aWvnJr>uABCz$ktgDGlQmHF+&s32nzl2KHq<`SzDhbi{>;vGb*KdkdBhr7s=A1 zA;Z6jRGhBIwoeS1riif-ne`Mq*mMZ^zSkUz3l6%P)|;I#&2KjT;sV68RA+=mK;kqr zpq}b=m=VjuC=ig>@-DCAV5y#Z5dpO~o&n8Mw_c>@-VHuZ)l&E1c=$Q-L<&;klXe*Q zbbZ_8M3PC)ii+%dt)-%r37p}2TE|!^oqcIDo zAeqygig!~F-b#zibY-4HjL;zqa4`*45sfRl z?W5|Ki`2`Qi`?%YYf=qydEN+d=V-sNqOI)9C62sID3hLe3troYx$|#?W<}=GJT_3EEwt-Jma4U`!iwx{a09cZN6n?ClGu} zwgL(x8K4YHG7nP^%0g{qK|7x=P~w{iM3agy_77H{u^8wHZ2@~DCm*pZy>0<4-36MJ z>1Q;qoTxM@XgO(~+1bgmO{~%eLuf2OW#9~G^Pufr(Usf@3QS`_73qM-C!Vl30AuGF z4#2h5krjb*7Hdmyhu!ziC?mt!s9>zG9HtPViFEB*}Lq4}) zT;C6`3sfMPZREG$WDO*=W-`nR{Awxpy_r^6@|^)JSaVSW>-c+`)_zy>xS*|<>yd|e zJlJ|QBV`JxW$1gZvOqfqFCFD1E@{+|9r<^djPog zL4cDZ2bBej)Uo*cwO7E8)qi3#oq9n*az7)S*LI@T_ZCZO^99$G$B!v!oYj>H^7b+z z=XtJizg@9*@^Nw$xl(>q>+)&pn@nKPZpLZ70MS9mvlqp{gKSrcNFBmn+}X;-Xig)i z4`yEXc`ST@@!Lj$WR+wItGLB}w#e3t*A9TYQh!vYAdgbg%xebY^f-)bp*^{t`&B@S zMAD;Cv5GTSxXDi1Bo`h+8SXMEKYQ?GsOE((HwPN$i^{$)lo@EgE6G#bZKDMfHGXhs z2P0F*bhw8akhU*}h0sm}<(&tLQC+<87EGI!8MmX@ghQS*P4c+PLASoXduwMM=+^c- zx8C62xwZJF({y{XgNsX>Pi*<9oY(x7O7Eq}1HtV;yZAb_k&#j7?5tzqT$z{6q|Iwd zmTm(i1*u4ETHay2$+xpH>K4#3CR5Ak_PXz@6FBKaXDb!FT(olX7!|`erMtJbG>Z`{ z2y^OXq&EG=hYrJ;D9`xpMI~uNhicd(h2b zqk|6s&h{sj&w+-;kH80}{UUV&X%VqwY?|;B>f8e)rabHTjD>OmqCGP` zV!4Qs8{GT!W$;1neEew4*9MK1$LZ3Hbiko~MMG15ioqr5VQ+zEm)Fo?QqjYGN*nz& z44_YP%n9&;(R!A;G+`iQ(4(fdU()gpzJgil`!q4LF?CRbDhN;(jjE$u@CeJDXL3A$vd6q z(jYQ+TRcg;!bBjYaFy@lDDdSEQ&PrLzg`gey6NdK5SjQfNNNQD?Z+u!g9*?FA9S=J z*mT$|a}Rfz_%V+zgJ|hdaIhxT*Y)^Y+ZE?rnzToi5`C8MBcD)w1**UT-~)R*^uf%> z!bXqm&s0Bj-H_zjb6L5TcXu`{6H3Q3z;wv}&zg?OPDoWN1NdjMpv?ka!b@C{2ug(m zH$U4eMvs8bR+01r9U78K?t3giL)lw#wMJX5Ykk&8;hK#x4}fn=nv=Ufe$&llvfX|T zypP^<-U|b2AbtnDLa!|fH}TwiPakM^F3+g9)KOw82#vX+xxmPa(QbeUKVNhW zlRH{j!@-co5LRQbP)`uZ!tPF?|q_@5q4^xVo_10>P0~=pn zkIZuIo-SPg8QO4@?y*)~L-NEXV7%%C+M~}7yL1DA=(OpR4<2!Xjuczg-(CW*2pLt5^0+O3N(3UT&e&Vck&1>1^;HB;_}^ShxSqF^R$$}RIX4R$H%Xwb^}_0=)8-ssOO09^r5YS zc&>E=5smf!eWXFNG9b4o3bjJ3GZiWFTXaYIC-U^LBa-;>;>fy!4!I{NV59?(_3jwy zu!33@^qez*DdTBoX~{wAA*Ip>-twE4!@Trb8c{eH4e9J<0$sh+3gc`YM-}t&pn_kV z14vEH0D&A++0h5gp^}j5T<0XHTbXkeq>r##Lm8(-&6#Evz0v-%Kp&%PiA-9ecfyTM zW~D`Hi1>Yt=!9?g!VlfghjbukoPY%7vQZDDGB=8zOzq<$jdIb2WuP~6&>CAgIKX#u z_G{L(5NRCS11jrPTa4?%;ParhmcL*2(cpqHGK3W`Yoj8G*t8HPJmmo0#>IZMqg8l_x3 zod|7qIC(#(ZuS)&MZ$y)cPzQ*40!@AKfG|;TN910JR4?l`LYYAp$3W_AMzbl{%P!?WkV#ELgouAHc1EeHO(Ysz>kt ztu9pl{Rk14rKaFmzFt7yEXX9Pe%SQpu3B(`YsOpLQ3uj?iZScP)7GR(Yq}s3P!@xi z_aeyzWMlvekOZs4pz*l0&1 z5@7BtKtN2VVhs&7$*4=zC!BQm-IlIdc@l_ftIHrCcL>z46)-Vi*G^dK;<*#)<9j+*i4G4)0zu`fB%LhzYb}_-JF8#SFq;@iLn8w; zAd{;GGLf8$ad@DL8MJZKie#ceqRS4GpWvxWG$6F0pf{~+GQ@fx%cal6!n@^&%XRQT zcSi+9GT|iWO8Dpiq>>UARW%XCH03n8^kK6Sy;W%=Q-YQishoc|NGz>6UzgnnO0nt& zjR|QFiBPZZ(-(r5k_16&>EbnaD))AkXC_lPQGJWoQYD0jddJNB2*P$aPqMNkl6N200KO@~6lgEW~H3|p}M9`Fi~@u^RZ}Ag&-wEMBS`gl)uF$=vgM4 z+X2_E27E5Ak%Y}Q46)7TTC6SJ*q%gVO~P5YlU~XuwG>!S+YI&?TPH`#W3Qx9J%Bo= zA0@}zA^Kh_~zgy7LS^6n#6pIN52XP zl!-O}yh12jn-rmF-}i&fdEg^ap;w49x{>w`8Z^qaI)6J> z1(0K9d}w-Y4ppwcmy(7$peS~lvDBEUHb`o7`FImJw`Fv4!Lc28@^9D59CEF4LU5a& zlHI4kM^X&HhfU#R{PJK5*L3p&TOkz{gGtKYeqs>hCl)Xv0EOcXU_G9&L=Yxn*k_N4<9ul@asQ?O72^X2h1r?mGppar%Tbqu|+!KlRjv^6%vGKQyf6%Y#YK zHw&O|&j0!*+qT~~o3QlZO7G(ZV}Tcm2;*e_g?}oCKqrq|LOVe zELT@;U>WRr)_qe8Z_fi?{18G40sZtpd~s$vActNnxjPA#iDh+Dz#Toe(Z9h6-0*)y z2RhKcP1y&%D{zoqM(7gjf~3BFw;xvn!~PEk`Oky@8Sy`+@>^K?XL0`7RsQVb|C$W? z&m2HSF*WYf?Zu^~H{Vki{zaRcoBO7xr{^A9faNizvb@X|5P@~L_dM=hve2oIf8KMJY&%yOziPzhh5)RCSKa#GzEJtQR^ft2)BtGUwEA%ioU zS_TKKx_o-9@;cRG%cL-C0pOr^<6D{nd9yaQYV2Ie?L@QfOKBbF^1e$xF<$5q3^eq0 z!nusfH@miE`4!w;D7l?xG5i2rkp24wqN%els}>l-z0ha1Ym5=qz178tJS+OZ41qlb z4poi?Ml)$G=85nF)9N4_*W)kgRN#4ha+VK>%&PzO+XZ2?u#O3rFy-Pc7Y8i#M2qQb zPHTQYB(&Llw8vroB^q3?k%0hn8C{UwLXG5@`sWRvHkKX*7YP1-fmW6uA6$<5^)OsB zdMVbrz*8j8I;T$s>CjT^bgWiY^>HKc?7huJt(YjgL)%@EZ zzuG4l{(iv=y)~^7FPcl0m^eO+5ZY?a$_#B(5T@7_bGPrDRf%!V>eb1-wz3eA9}q~J ztxhQEt9Ww9lQ~kc>&?C2E~tBevd5OHa1U&ko+DTh*39sonE5|fkYy84pu$Zr?0^BF2cmvK;iT`Ws)#=gHx2SvYRrF+C&t~Kq_d>f_L=S;=Pyde)!vL5sO#ITEal^~1 zgP9sW%AP=v;!et$(bs_m+0YaE7iDe1rVH9Cy%djF@2vQ5@sJ4`zl6n>{nd4hckYBm z9^B;$^ovfo{A68l<1#7hb-N>O*xRR|wQ3f4Ll>m`JD zB01sF-Y0jqgV~&oof%r-4sCo%fyf^hg0aMctG>$6<3-^*{WqZZ24mSKVw(oWGS5BR z6MFObv2U}UJ7X!kJC;P=@(242@dbh+)6Go61Na2Tz&Vfi(h z%|-LBz7zh~v)LQ^2FxN_YH5G~{h|}j&f18Pe@S&`N%t797);t>%mywTd?GO#`KGyXF4~MFy=&ezAlgLhM%A1(4)baKx$bQgPNbo*XD$m^Bg!MZx8RY4FG16l zmOg9I8fMiV&1+G-Bnj?2a|g}>4Sb1jUwh_Q&dxcpB@S&|kbRe4GfTT+`5UTVV{{h516*u>lf46KVXx}LzI-^Ns=1H

aHDI zU`V}O^e7;?N>C{W+nYMj`#(5ADpN$v(1Ps~b~3P!d#Xp!)xDM%>sSgNDs~zE2fKAx zg*CpSFCBt9s#l)C&!NsK%1;AX;PK9~nzcNa`?qTdQ>y?*;I5vMEKrAP4!fWPt&44= z@HY)4RNZVDu+lICTH_q|KToKztn^AZ&^gb`5wQH>vg3!2MBC)CX*|fs&gha?b-SQ! zY^#>ENXYhXKXW*%h2wD#IWr@9e149=&z_ zLq`(7^vN&xMVxhC4XW-SRE8jzk-o|~%jy1N1Jo-fECNKtOmB$KtHpW>RQ_(Pz7112 z1JyRqpvhb42#}QI89P$obGhYy$`J05^w3)qOuC2%sL{^Ig>hz0-W};w5hOaxX%U-( zh-$LfPba$okoI9UTuuH&^+tn;4ye-2>{L_4KD(To3Va%G##<7?OnDf#a2kOtAkp)E zy`>UoneXg)oE}T3w%uveQZKp&J3)L>wsimA3>vd}cTSc=L8W zio6lk1$qO;FZ%UWWQZx6;`B3sr#Ryzu_Z*5u; z|K3K%GgEFj`-iLJHiH|;K^@G+UYiA=_HmgttovvPYlcLJyaYr&s#Cy$)=l1Dd5$1T z3FqlENdzSM{B|Rp*mx~F0ImSK73o0Tc32Bd)B{Te_5STh-T-s&lG5_^_}Zxadj(zM zXJGh;>#`TTAB7sn4ApCtTA~&~x|7VlSBi`kAwORP^-7sUudAGb3fnWfx=rlvpGD8e zf)sRERQlwoF6n@qVn7ur)8nkUrhq;aqoltIQvDKvQxZrv#a=vX&g+~^0ecRv`-sS6{F!Jq>r~8%Q2u$0GdoMpm7YVBQ zy3*sVD#BScW{ND`P*sCHu-T5ZHS6;mi%T?!Lae5R9m968 z)+~pNYNOx*xai**>uG7A9%+R+iC#M^!Hdl67EnhAQa4ec!6i~*9^w}wS2V9q`wOa~% z2a}R}%FySt=>cLRFFlO~w*Knlqh<(Ohw-3}Jy}FA zRYcJY=#S+n3up;&=4hqfc#H?c%m}*xBV}2Vn(MM5R$@hCZZBtQ^JJlkDL+g*BAr2I_c zumRK|Dl}>-kBld(!Z>v%DL(^Taoz*yoxg$fidD2Y1t+7XA&Gh&s6H?(s${#RfY`G9 ztd=-s0IrW(oh&QF>LT1{fsR0pq+(Du4)Avrsyt)J_qO5Wb$Hzx&J#GiVh1z9@&GN) zwgKv+IO!@Fgf=9tU^yrOccyna`Fg*9b-=XYDW&N$4(rv|tcUQ9B%N~JAdLm-!Je#^ zN=wUhlDru@UFOcPFF@DjZy(H*nr4|HRO-Cyc724K*zhmvR%B@gCq~m&UQcZL;(alI zbRAQ1h>+ZUdH?M)#3W`lR_ReZ=2i=4D+ax97D8RY%i4$Cy^3HK47y7ImHdUHziTy4R#0BG|n-n?K0k;a=sN>=!iJ)mq++^0)%g})vIAXOPL9;_wex=^# z=vr~6g3AULCm+*7Pn2i(1u6{^0a~I#_^YIa8)XF&L24ZU&6BR5K(d4y%*o;gVe3mi zL}#2k=ZWd4-l?q>pdVP|d^T~%oG-%uY0ghZyQhXguAW#N3l=!=XV;*aZXGI{&Dr7X zJf0P5D2lOqwsK$u%hKrFsDKbS2Af7A5KnDyBs`A znk1NCZ1c*`#>PIPKo~tMh&GVe z;Pzti*?C6C!0B%1hgb1A?QokumE1=Kf(07Ux3*C-(eY^Ncw-kC`E<(R;bv3^VW)a=-hgEai~k7eNF+-zqpZF?JsG(Zq|D=EzXh4lZr z!0lg0`A@L+Cs_L}bM_~-_9sjG|NSiO@OyWAGjnqZFI^u2DnP$+@boO{o*cGhRVq81 z{a*ql3Oyk50ZsWX2c*CW=k<*pa6tAd9ajQ`)PM41X#vTB`}r%t3L`te z{?M_*I{pWp_RoX=8Sy`+@*9c$&*B8z&Hs}U|7TbEvycBdfc~`*<x%n3R~+4~t`w73jo z_Y!U?F|YUqcF*u@VpJ`-iH`aHBKwZ($*w%mX}^1x?;QNU{#T288NGT`eJ%&#D@_6Z OQ@^ZpDgWZNd;b?C)@Qc> diff --git a/versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP1/Distributed-API.png b/versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP1/Distributed-API.png deleted file mode 100644 index 688c7c2e1bf9d75f570cddf3a92fe9d4b8ee0072..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 49935 zcmeFa2Q=K>_b-fy5Gl$Ngb*Q!sDsgaA7ylgB+86l2BVD8r4l20Nz_EN5F$-reLWsAHSoK;i<<-Zq2+*a^MtziVC}rX4>f0;r-zH5 z2k0gxBP=Q`E+YXKmXi7V8_?zd`MHUmqaDuWKTHGB>F59>S2(~oTa?uL#(G7(AVi68Vw7svhB*Gnhq2cO|Qd0$@(bTj;;I-BK zd{oS(@cyDMs_t$GLjw&fcQ1l2)?Hf_W3R7;fV+C=I;c3PyCOARePuk+I`(2%O;=S_ zReu!|BMV&@M=-ONrB{HNor9(w&?-#{INr_A6RRTXZ|`7%v(m>)E(^#^K-@` zKtC@}4PAn$3_{%l=dEEW?x1C9ZtU%ZMg+n=&GhZ9)KJb61Zf{*Cmk0l@qhs1Kp9Ov z6%zv;ZG@4Xs+TF=)zit;4UI9kx72XQXn^t12sf;!pQSUw9_J}x4@2M)-X>ah2#l10 zr>B=U#=ue1#m&rDUs6rgGC*I{O40%Et7?X~kjCigdTY4ZJ4hof9CXyAO;P$-3nbnO zrlw`-q5&jlqVE-G;%s1IVyKSx2JEm?LFs6_nBh#V#Qoh>?Q{cB(nfGG2bi&+nyM&4 zN?XU$LEjN>V5cdns$r>#burOL8hRKwd&BJ2-5k`td?1OLsvw*!;C9}cs_ri8nr?v@ zNgXG=F~LyV5DnBs)zQ-4QN~2a%|c(-)k4xUz|-7UU0UB4FQcRGs-tR#Hu4}4ER4LJ zB!C_}nmB<04bU#0R(`IcR$|@~UPfXnh6HUDaVH~h8Fg_tf)3gZV+tCXi)wD&GEu9TC z0}Tx%5k|i1`eM2cNMn@%7~IXt%1{dEv?|)jz{CrwZ-sXBbT-5~N@H<2Z+nCx%-qYt z5FTI$GnO*&c2#jvF>*Aug87@v=(xLxTIidaOFB6E_<4#06QU~V=HTS#X^#^#f*I*s zX<|?+7TPW@`Xl#d<(?d5{O~~FPT`;w)p|iQSlbuF@iiV!Cqmctb$61@8q8BLP?5uBW zu7j~exm&t>nWMziumnkQ11mjkFDY|`q_3#I3>d-{M0qPnExGxfzSyiNkI$*A-ql^*8513Rn~e zDZ4=Mt13!E+bmE_R8zy)O2PszuA`>v?J7eM^U#&{GBx$WU>(I=)!~q-GxM?tG(~s^ zXov?I*c&0?z^ZBnVx$SaT7ee+7-KIzaZe*lXhb9yDP!g=?J5@FW}szhf++y13$E`jIRSQH=1aDoH5$c!$Mq77v|_7~z)A}2H)SS+`xe?_NwACO zO0Ctj5jP6gB=JR3Bh>c`nDgw9=ZR_F7k^B5;l)MOo@yzvWW!4)e$!_8?e_kA1G_c* zqb_nkXMOsY<=x&4R4LWZ1eRHEmpDD$-V0uMmG!E=epP<^WFoKrgYgYzG77qIGD=Re zh;Yi=ckT@T`sLifF?F26gpq}n701oZof83lOHK_MX42G5 zbECCJ9OX2IPUSScN{5YeLMd1zuUh4igBCy+uFOQi!esd@oh?aLoKJ>E?Xc%{ z#s(JJdr7A*9IlhD;aLuqF5&t=J_$c1Le~ycB-;j z#72eftRbJIFR$(&ChGyA!=`$q{^)=qMdismLu1UB(<`49G5%Wy87f8$-Bz1l{9w_g zN%bk}WM(VFAzSDY$w(-@s+E(6;<=QhjD3G$edAV}qp)r86(% z$^Fo3PS5`cwDBU)w?yHPKU#B~C+@3Pi$dtb=l5yTWnuqTohBGtJfz1t>VuDZ*ehp# z{y&g?-@n^Q$;y6_iKk)YeG|pV=U*4L86(R$D|u)KIEZmD{>SI`U%EYXP6 zx<4wQNn?v*Iiu+P<&!1)+lga`oGy$5jKB3Lf#HurOOborZp!fKoSLuO#;)JP*KkWe z=rvFp_NZO$@10v;`|62j!@hY~y}!3z+Z;BLY%xUmnfX)ltGoDu8%a`rG7U47i65Cl z%1k7Am(@?CTp8j`ckj7eihQeHrF|t+LnjgY_tuTn278d}YSkYTf#S*Ocor}ouQjx@ z{BgnYflGc)g5Cp(R-u~T@8%!g;W&;Z4*P%gz>bEj`&n2M917Axh%ne_R`62mZT+b8 z9)9LrYUsbm;tPj4)>5>b|D#&@lbwp&vy(}m1Ncaj_nkQKzuz9KjuxqVBLnAg>~ToF z)}Qe*aExvASLvG{cPGCDEz}O|u7~a8G2yLYVL#^|FH?7$)SPzJwJTEr4xK$p=zcS8>_J9j60jb!pKovTIJe1$$fsa z#lERIizR68)xd*L;Wyu|PmYf6@2yue8pwCoP6&BM8D6lfB3e4xaXn`K+upncwyw7{ z?)ipr&2Lo)diqlb+R(_w8N27V+bAZ;5w_!9(ZUt|rh2~WgHYvo0=AhQ?<>}i;LH5P zqH>HQAgB6gR?rXyt>8BxBB}M+7ayw<4HOAiF?vXykj)P^*u91A(fv@&bciG1zCYlwwpvkyXC3)`AGSx>l)10 z#!o5j{GN~pfC5couv=ep21^m!@~Zhu;THHCd7~8ALYj;AGnp~yTP)Na&r>+ zJ~InADJ@M6cU@PperH02Em5ca;Ubb41@rHK4@eZec)ZJ8_xtGj9i^RzmDYNqGBj&b z24Pj3Hn6u;vFJ9JC*1d>A5~&YV7#PHB`-Rs9kU3Nla!x-M2pN@2TtWpv0`vr`g)?U zJacQpL@Oq;5-v)*n6MPfWtD4p;|04chpAXT~7u1hm0T z!2w%>i%=_IUS`hhD(^Xez>jfmx|z@mvD;B^x$|R!$Bono8O9v&zkrrFwto0MAuc_* zx?aB@QUx)Ckypv{iSljRY-_##!Bn`XURf{a4Ch zcN#g_w&^)==(#3l8+Sc1nJCE#rxMufPT3iWf-$OHY9)fHDaZRyTTy0CR?9rX*C-2> zt_9Ma1f)cif)l$cK|GM1jV$+Fq9pWD3MG12Wc=o5srt>1N$>i~pIOxerxX^uBN)9C z1-c@&FQd$n@loBYU?bF}!gw9yGjbABKN)Op{#4qR8DwERf+W7Y;#u1#R6YAV=HbQL zUy}eE2x#+Gr@GBaw-E=)jUoJKNQYc&=vHrbmD2v^$3z1_izn>4y*%NZsiIh^{Biz; zi;PTK=R;mz@#%oGeD!2uv$;t)F}E0azt>VA86gR$$wz9unux#Cx{s}z%AfDnI`6^JorF(l z{V?A&lz_j{D%afji2>u9V(I9z_vmp3Wn!NDX8=+C2fTF-MxgRP(WvU+c8h7F5*u75&`;F;cUP$Jv=K*W2BOL=#y=Y})n^!WlO zwLdwdd*(A4%bBc~kQ%?d2q|p-CqAXk)=7tzCF)!jnI*1Z7-9U@Hc&APM!ogJ=7evO z{Fh52ug|*?Tf;tJ?iN3N{h$KI80z;i7fCt5dCH5C4S4EbF-JQ3&CX=Px%x6^jc=qO53 zj~9xw*|+xGAzS^a79|OJjw{ePQ5OG%dXTIz;f5{5G<9yySjx5!zp6vWhpia-kh6h= zW#gbt+C&dUG_lpjE~$RJrJ0I+jYrbA{{hcxf!Wy~*MUdfbr1L*a@LbqUXY90P>_MK ziF7TsBlxrDG40yk_Yg01Ge765lggtYz_PSIk(xgMAuw6k-Z zF5)!#bmJWc4>Wzw9y&hH2095{fRCIvac#%ho$PLE+=0Ogpa+Zk$uUaH5c8Zd2l-sr zR+en~wZO%9-}54ZdWbvRyV2929hgk$^`U z=zQ&4CzX%45y^p!IF%xXWplRpUTneDsYNRQaM3oajgMb{_aOQ|ZuXno7-ztVzFYOyIGUM~+*29Mvq{PH} zHUouUs)UDt%fu^3#IB3k?KhBGzT^gb`CjT~zdKobDszABL8 z2qF}pY(#>uLN`L?ljKAg+&GDznk`(+mrDoIhDsW*`j)5RF^fgwY_e`030u8SPIyE2 zS7$9CcXpBGr-Ni^BIIO;Qf%0LN6Q!!$dJ<+NHM--O<7oPz43+xT0JXZf$QT-+;oy; z4!_isAU(h_ehZDiLe4g3;`G1T6+nLB+qal`SywMAXRcDVOw@uMQTy8)2B{|;?1)d= zMw*=NWNlqhmmm!o=WW>Ks-Tc06?D4)DuL@x8x)H*9))%{JCL=1O?!po5!*USvO~#{ zt<#F=NlYWcWoKyOJ_Lci5cquz4N>n3u8&3WkBG{j$&wy28bPve(GTC&z#erc8e|T3 zS-Pcs$~Je1qy;1@%K;MS0`7ZuP&EY8kR8g5e4g1l&G}OznO{F6XX-lG1*`9xn;_~x z0e{JaTjOlRGxAGne2<_TTU!0?2Z`TMyk_5J4Wh{ z_B@a~K`P5==<14NJA1ZBUbm-LCp@J5-;;1K7f^4R=DIX7XeSvS100m~)k`_b7H(g7 zmKsq0r;Rddxj;L23u-2hL7h{DFo&+|U? zB;@61HMO)7iA|hz&s1#>(H9gVRUR@xX*>;eZ$hUA1qRAsXY=`TyvvBNl)6)QIpR+$ zcQ5Imkq_+8;~V_N*-+E-@Q4v)8Y1<>R~03{@9gG!hn|egQKVq~d4_}v@neE>$7q~` ze{Yl1`q*}qw^ooc&BF4TICQU!7^g%nByt-laJ7-w1V5p9Z*xzN1mbMS= z-%>SjyPN2FoT9z>e;n&2>znXMc5>EcUcG%Lnu9J(0_9qrtkG|@WG6*543>Gw!l}V5 z^f^5|ke$5+W;t`0LHeS^sS`=_oH;9}Q*DVx51vwc`8eOw4Z*CKiqMlYX@?Wca-45M zr)bU*^8W2pUB{~_V`v$PUeTO6-qv=+Ge)w3*FT{e1Aiqk(*&jzoTZ=P1LT*{(?f>} zwF)4gQe!wIryLs+S*mwP{{2@;Las3y87DQ59?5k&%9U_kmZDw2FM*B@BL5OtSgx&E zA3tj`a6&I%IGD!F_-av47pk!cSLS_grNqb#*QOs%NWMZ&0=^(;+-@dD)D}Ybysixyghp=+45y!n?PumoLgiwwM;xenj%PxpLS;+jvQ zW``x~?s`OC*+8gLlcK?wG%MB*nqO z;SX-Xna%e_?XIUwd!v8O+_`;wsHH{w=S(FX1)RY)6QUJzsYT)B{Xx5CZ>=rsHPxMC z!%43gG40muYi%eD{kl%!?`WTy_@JG46WlvGG@>Gx&!oJBP98lV0P8Tsc>ksKjjc0W zs?n4ZowP()bn<6zrx=YP?#v$|9Z$997o(ZuD4$$xs3|lyPdJ$E3^bcY{FU6Hu^Ed< zY9WR$X%SJ9pgB4=1J2|f>wC9eqJjfJ$JWXWg$ZQKk8~^%$Dxyugo=R2ZD(Z!?NIP= z+aEcc?#L}>F%2LIvHG5^HfTEC-sk`iI$P_%G1zA#Gi4D&tP>nI^{VR5@!=#w1kACV zA!xj$JTmC9$xdG7D!_LaDH4>EDbtwE+H{PeLpPtRA+W6e63#6tD0ufc{X-2Pk)x!v zCY{;%7eFHM$i>vje(v>+CR%L@GX`60Q+@#iYySD7`iF}T<=n+seowUx(e z0FH}_Qo!}28Wno@_j-l`0Vo|nj>yrWXpg?^z{3x@5iFRa{mSz}xcNoeBx2l2x&!{7 z_{+NGFTnqn9i1701ODra{CK4jPO$p}jzbKg`rl?q+FhX8dyiV48qF`R3aHOB&Y>>6geKJl7427*LQ2MRn z>$T5AVYfo*aLH3gw;;j*B|^hFvDI@V)a zI(O*2AS=moYw&J3i3^)d7GtB8W3J#?zw2M|{We?G_Cmc<<&T2w(5kP2Gf&gK0dk1M zuMgv^@ik-Y*qUs<)6af}W0qOUiiLM<2oq=UBZQxo9g<&5Ol~%x^C4D)OZhN=L5A4; zYQ+#P`m24S{-Xhnr^`uMrKoSXs z5~R61wM#^LH^?rF_s1|{sGSATl+#GCNS~oun~+sAsa`$t%3I9VpA`UV5pyY4ekn3N zY;QB&QzL)X$Hk_{spm1G>;v~>7{F62Dnr(X2d)t&k~8BrSTN{1h0XEA7+#pttIp!I z_Fo53O%zZfUDK!6+F!Z4dz59gv0%z(rRpU*1&A=EIcKxY3SRT0_bM-4^X=A{FSglz z60|nxlvy*Xf?TSZ()YwMU-gQBu+<>|Ow2M_IbT?>T?qLo^rBsC{xc@luYP}bVVG8= z=G)#%fszai_Ba+GW<%`Wjr97}5b{?!*)IOkS68_5arM|exgh{*j&p>p7)gC~e^IG+ zN~SSnDKXpEWMp>YCoX2Zn#Ah%Cik9fTZimSNm=4<3wNw<{qCG+`r`S3ZxQ+RFFq<( z%gn8&kM5A>YL+|aqxiC%Lqm5Ko26uifjF^%A$|~kvJHT=`N^yxEWVW|^$osu=Gy#S zfl{vz!qx6R=vi8ujdv1Z!XfzYFo#;jwa*yr2cZgg5`!kdh0?cwFxN|)S$aNuOEs^s zKrl%Bcnv>1@p{maZGBRze(+l8<^+VsyCdBp;B)@IQ=cR7ipa; zL)}BcQnw|VGe;bCM_l;I+XB$M^8l#Are5>+2D4p#zkcKVPEPgKbn)<6r;P4j{C>|r zqod(lLRG&WAtle*>~9SWTRLU-U9F!ft*%m7`}{rzPExNov$*!kWjQ`J*k0^TIUng} z;tKc9#PZ&H{b**ukEnSePlE2k1m|SUH2XRBgWH9&C{W0^hEL`$<&$QUd*_mySQ1C2 zLid)lrEF}=0OB-1o@kIYy-vQ?wjWyc?u+$VjNY7BiTJZLsbiUE2iVO774{cn!z8HM z%ffbNNbPay@hoSucW0g0#x#ic@pa3Y^AKn$2XOY`4ynwy25Cr!rsOh7R0su0pe#c z#1$>LR3%Shvp}}RtY0clvwgGx5YL}kfz$jIAQ}bt-UpiG+-?F;GfW%mQ4vdy-2591 z##P7td6fLl@Av6STbz|O+rta~%+>*Rm>-C_bNC_en6qnnA|WnMq{7Ls|D6jkwgjMd zpN|RyA=_U^{Rgh$GZ}9f-0P3l9Np@#2sGG2EkD8A`X1f@RcM}#9BV3i{sP7N!U9=s zkus_Qkp~ZZ=?(x@@ADfC#~$#V$q&ADENCK(4b#5{%)#YU+gg>TDw$s$Z{}OjQ=9M4 z?{)2NG%I0|%&l6)5}@LhGH-nro0z3Y#NbBd1V&x-bW0Q`Op9tD7=*K2kX}(|xu`yZ zK-{$C7w24(U}7wb5->%(E4?u;T<2j$z@TJLCJi>E#WP-m(C)7wB$h6zv_1Io0i(0Y z9$X(r8h5&}2nBZ}9n;c;&9hzv&z zk)EwiK)@Ayy>F~ZjQynq&H#zqX}=bSd_KZAqg!PUf&xuUS0wVsvx4RaB^ZSs`;W(W)@1{k zcwW5IhxD1t$h;eG7{f&>n91h6O^LbE_+W8b0qw>$g{KvU(cU`9y{$>CD{5CyCkApmk z(Pb&#!~@5etaWjMEs+r^{ScPjcp|}nsXk#0Sm555@dj5gdhHFu@>G*a8S06>-e}G? zOvI9Q5sUtk_LDSifMBdSjt$gKo5xjie`8&kg!Dy_p(v47c&m#8kgX@fL)~hkmGtdP~nNtwB<NQxs}ZwvV->5w z){Y%JiDYl3;e&aOFLp%0UW1^cRP5EZT)*D!NEk0wXI`rH7l}mFghYIefF8$o(t1=Y z_g!>`UYe-gbJ%MTNkmGTd|}0)cYMEJD5x2~cI8oaS};y^`h(5hlD)Y0k25#QiebD1 z(MCMM&7t}2o;BXhptWn1CC_=8Ilcu!w%~DZB%x%rKxwyVdpUbwezP$xgKir-s^ljx zQDw6DC&U83z&`3!LRql-X_<#0;C0vEnAxqg(h=j{)>>Dd&0l}?iruX04|plVWa&ri7(xaWthReZHCQMSrAY-BBc+3MNz! zY_=p-PR4WsUNq7X_==ua33omR#2UA4e|!DKwU}3ukmR42Z0;(N{6J>*+4~0%;(G}R zvCe{|2lA={q$ex|#v;eg2YX>2v`#6>uwRn-5HvkbnJs^hzks$$J#nA0*Q{NO@Yo-0 z2>8XhQs6vlI>`+3-cJ9dGim^sD)fsVtuXVSUgBT+(4yW6GlF&Txj#gx-M$~$5Y3y5>aT|h{P@i%x z+S={utNg9vB;1yE-Tg#HrzNia^E=;;bp(BAe8z~;`SBNKmc-`ienNyWRh=Q3&`jGj zPS5=lgtxs9V_S$FbX$u}+c`HPVra<%3&MgX-o<5gfy;%Dva{IKg>p$1!HO2m>ZVzDrQ#)1zuQ?SbD3D3&aRacBr_tnccaSwVz@^ zJOgWN^c_1Ap$OoWkYC{^_3N`Fw#8-Fy>vaBs-(@pS43cqQeJaj8O&Ce^f9Vg+jZq{4#?CHfph|Dxa z=th4g0lL86F^#OnX+LH4Se=g|%2Vc-1T!{r4dLo=OrigHYQC`VKC@cg*Sq-c$AqJfap%Dr6&&dw~l8AS- z_a6b2>%NUk$OHtC`-YZ=uO1ji;PAS3UT}Tj?o!^qbeec`xsuMA^4AF+shgjwr z6Gd5yK2)P@OVZh+fhk37Ml-wsGJSfw8v>`OH2`G#7ov7Ir`*~jvgGOk%8065P2#}; z$n>Z>&y7b;JgNz|F9XQb3`chYGB(aYV!02^dSR@^@z<3va~(parndaX-Ka+XrBc5W zDqg}Zx+pDsR# z1Ni3!_uCLA7#9yvR?Us5+nQtQIcG_K9dv0orCBpD2N2}PHtgwNE*3#zv0CATGqFMn z&@5f*0Deql^+v0VNnf4nlRWI=um8H!8VCk?otBqT+2AfY#djLfvUlQnT9Cr90$1D3 zl*e7q8Tcf%D$0lW_b10cc2gph{ZGj6_!;0Yaz-2miW#11RY8j+Bafl{%zV&)Hu-O5 z2y!68Twk0amn3`Y)y+aNLYa1Dq|h1C9I!@1mGGd7<7cVgQIk)m(?1l?i-M)l1Q)%3 z&YAq=oVOca!%$Bt-Qu6rW^04+AgMFt5x$gZo>QnR=V&nPkERuHjw;jSvAP#T*(utE z+Wt;>W+I;-c9_z5>A+}Pm;5w)?H7#nQsA+mBGW~O>vTvsSVW&Tf(z1kPTQMg>sW5p z#C!niOPvujWuqjaUiFX=#H0MDECO$l`9!lq&43mrX@m#iEd%L22Ehs(W(pJniLklj z{L!&T5%)Q7nw%t`G>01}P#?5qxzJGiHL~k*(RH$A{aYvcs3KtIPhWa7U{vnDPqx0$ zF!bo}5T*nDw~=cp*6LRz$tSN2Zn?yAVDze0+kRkFjCrZQo2rFZn#Cktq&Q%hCbids zB$tHC6V8TUlM8CERBVZ60v;KSsJI_qc^1^76@`a<4Oh0Le1lKTWA0AT58pI@9r`7= z`7jL;6_-S#D&0qCi#6lsiGpMh9!^g&R2@UD|KKvU=%{Inp$8ocrcZ~B561KuD9#zc z*1w~qhX1hjAGZFZt^XK-e{AbNw)LMQ>mN_x9|!9n2kRfd_5b^IfYWCNL>9N@bYBn^qL@u?E~8y*+WmQggbKTzA832TRtKA)ul)_c)-^$( zx{Ki+YToegYLO56;VlQKe$H`<+34c9_>0FcG*}b9sFsVIGHGDJ*hxQ_x^*)AY!Tuw z3RjwEr;3tqH$ao7aW(9=Bn@4pB~PYA-Feq?9maG!_r7&nfa7CcBkDq)2HD5vtQ1fd zrR`m^b#4<}q9COygDv}UZdwwG<(^}p-H-e657aN@q>#8D?~x;4P0pxlre{%X@v z$Y#1Bm23`RN<);W>}`J0Z+Bq*vALDS_X8#`^4U=rayQ7{gyolBqG>rt?lu$mDma9e zRk-f4GblK18?W5X@a**|%MSw;&%XcAz3UI? z69nJwwxEftV@_+Xyjhl0h;ty5{n;ryViCV41x&Z$i>$qn&FH(^(IWg`0AN!NzFXyv z1_Wde0sEHsURe-ps=|33j6qL_yHe=n4~t;h^ra7)rPr0wqm9h6j>Pf@F}Z z6<@K{m7vPBp+kPT-Fnwh+B%KoL0KQV^M;jz?w3KhA2p^V>`eC&$}Re|ZdqSYY6ah( zfHIU0YKK8|7T3%XRFXIotOSZ=pRlpB`#}|%d^Wgl4dzOa$}&1vyFOAktcR6~ba{7^ z20Q4G>Ic$0(yxT=t`1M8dn&%Kb4*$|Ay@d4{OUp8q#+%!`=Mw88%B&cr0iKa!6dal z_f^0Lq7Q3Hm@8sssY`kaaa{4f+8J+|Mmy#8r_OlA4gFM{a-ws|I z#@paQB1=^n$cMp#imtWkyYCj?-Gud@W`uSiJR*t=3BbTJwWO7GIJ`=ENYKn_GBhXg_97GZzqS8i;T2~wu1wQe2Miush) zEZt4_>$j}^k@39ya~hP)1>bhs96cKnyp(Bl9=<1c)zvgPgA*WVfV@CIG16pqSZGDN z*oQYDV)rEzB&cCQ7LG5J)G-7yn!ZECk~XZ+Q9MJ&xnEBs$X=< z7Q?z4wL$IW>I47hr|UqW;IKvgR-fa?Z79bC6xY6k63^zL^4lvQfiAs(@1Ek;ulzEZ z$+TS9$1ISP<#=9UOsdExw9CNx(zhO zaQFM^FlTHV+ObtXBwFaT^S#^Ip<7e)HyM%6*v@p1*Y~&k%0l~w(v(24D_qKdlgWM9 zZ@>ddoU0fO?fA%yvL(ku2}`7ub0?X{rrQL{d>05GgNDG@Bl6ez3*L=?eNmnb#qY78 z@Y5L`H}*|zl8DS{{k+tXmf<+o8$-re#wJw?;P7|!w(Rd%Xf5-Xn0}; z+KSce7i0&n`oM!MHm_SEU0eB|z0I<)w&b#58TIYe?}&oIdh87ZsZw@kzuh>Et;g;O zjo1|@p(-rjnE}&%oI-Iu_b=}xSxq;L9#NREV}$f=ErP+`j@zdWjn}WeDuYXTZQdWs z$qrc?B#|w{NROYg*rJ15xl;w6zBKm1xj#d&RFkvN25rw(;6Z+1@NzE591EI{Q#<9o zziP7&FXdQ5{RFvneeS#)zI+XhGoAMYE|5it0uNG@^v;x_Ryjuw>@aP;!c?2kL80d@ zT=SUo+bACjJz{b7LfzM4ke!8vN^$Eham*5U9wb{>4}N7y+`JbJr5s8kB=1g_2oQ0E1Zv&GqdBKYi8Dy59I1DhS6n zow3jxU}u& z_EEev{%jxMXwCsgL!sNw@5K7E3J7f1t59hQ4s%OhYgE<>6{vXRgZ!5MI@dQ8AQ|mb z-Kp}hwc^w-GYzp6Pk}HpK-aDAbwyaeXIhPg52d_(7_aqVboAwc%hq3tc0L*Lo6^<# z&S$0V0o@M2Zw3*N(};wes$c1%r13?B3{@w0((YY{**?7*FTp7qaQtc>9KTm4yv_h) zQb=G&@6X!s!3QFgj#_~N4;kP=uIAd*!btSLLywA$fPM$z8oJ*H%bm0ldU;d%9L1|r zwb|^ieY#Kmy6#at1-tTaxn*Bi#;618f22YE0^Fz0f`ZwD#ZFrAzr3z2PXRyZH=rBi z*Of(K0j_3$=6iK8UsD8(DfT=RX9SKcc>~Lgjm8RDL@1@}RX}1zSrqF`j>6GW5I4ht zyWzA}y%mPY{cZO+M$f8fkvZD^iH(A>%-W;%1V!F~br8rik9uKE0TuaU z_OF)J)!p}2TH?_Fk27%|cn9{ya==G9X0gp+`(yLJd+T8BC0`!dP;UT+F7cS*<)(8E z-ag_1V@?+^{Cm$Ib*EitzpAn5$TSG{fl5=q!fa6B@bCP7TXr!41rkdSkn9t17oX-k z_MeX&3%k7nZupnM4S%aO;@`Xb{TE*JV2BqKKq(Kv4RS+qw*U4j5$@MgvciJV2HBs5 z0F5ZjKKIXZ|KaX`tuom2cmYHWDjdj-vYVCl{bZz73G&(%+}y3GoI?5^QF^052>wOR z64B@JDaZCmCSc720MPax*2F^F{Cqmgz6bIsp_&CB=)s$D8*T8O5UK)HHN3fTS}|Zr zq}c2RrwrKgY~+?Vz(YD-74MDoc!6Zv~wMLbV-Q^ zqzLGI2_&IyO0;OXBErp}DKE#um{Ocx)haBvi$h+N54fR3rvqPZ7!#{73C?Tlbtp9- zyzG>>xllRzp!mxU0>E-zDz;O3ss7-+FH6VVlNka>{jZUgd@1m{N>HcJt53%BASJt- z-hT4ZhK9lmvJ;+n$(B2kh7uDUY}`%o&u@oILX-0YfbgEfs=^%b|OUgvNP%pBGbp! zIVr_KYK7zDtjk7gP5!U=e5jo-G}K9FFtA|0qs&JWgXLZ~P|!*gNKl=ZdAbPhU^uIi zz*PhtMIbeFFDsK{C%KdlxV;yd4s=b{p5|)^F18t46tlN+2gxya!g-+;7lNY;f;35? zawHd+`18a|l&193;N6|!pNi|1zzexDx@C_45ygkIawn?pJSu&1l_noY(O%JZG)pCL zHrivxV2!RzIXuLh;GA%PD z{u&N)OWf|(E846zy(Zc<6dWjNAF=_J^Lr;cRyjxSdA#V5oCo*) zv0?P&Cx93Iy70Stbhi_#vk9ayW}vAr6rjH@sz+yAcR!9$g?KKK52c`-1Svb~Cg4fJ z^YykCr%#`*?(Xik-R(9)QK+e@VeRcNx)=2Rijj@H_hx|XlZr@i-_?vKr>ZE%m{&{3 z-<+bDqY)kbBEDRCeK+oOUa*Jp@UfyB!K~XvJ@yU5C-wSIWFz$%FoKeHANK}PgzIge z1d|nuNUb-^H|$KN5?wQX9BoYs_YZm5oQjaVeM=eCrBz%)v0okYI@#xTIm9@I@ox01 zP-D>YoZHr|whE>YQIe{e`o~aL{=zJlPu5vF*`{NKN1w_+Gu?X3swIPc_1$GaD=66Y z7LO>kFW8|oWF2D+ZvvIuK3_bTIP&?ghX)fsYHDE#7TU5UItV^0R~s-k)bXM^%?-7o zIn|&Dl`16U5)cqwbj z>Ot!#wlK--&uux!ioD_UrH&v1bL0K(J^a*wVeP@%AHG4&@IjI*&$lTIJ{ZhYV`a7= z<@$7#%G|_(D6P8Mj_5*zC5@T0WkG}%n4>6eC?5lap6Zepjwn9%n5YkNHiLL6nnM;E zj^Bz%d^_;yGzmrGVwLk1I+{o6^jq|x&9`u(ZyL0ImUy9n2VYjZIc&UCe$i2!1zYP! z!yUJCr4Ix3q3Kk;%li!=$zk;C4LAFt!E)}h{3&A&O8*yS%wAiR!F=+5hIk&MV}3I; z>6xDF8*9u}nQI%WKXt?CS`guzk{(;LcW~woJLMrWS+bF38lCioH!@aMiE~$u1#)Hi zUu3~V{MB}i4rDgpH1d$D3l90(q$9DuQNGmEQzl|F>R-OprVv_E^Kzv)vuthSrC%)fjYuQJY|M5p;`cw=eRgIS<^Xso$SSGWE^6m0^3mgQgfWvurRx3@AU zCHW*92^A@O`RVD=s&&v||6g_R6bgosD9lXfuY>AtPNHk|;>65XVe?0o&9TX;DWM?; zbXfdZ)?Dzb<^m0^AK}W>;2B5(a!80SE!_L3#@ai{kvP_LC zX}Q)nB1E6ekq#6jYVuG)RuAZ~{Ngkx5pUp!)G`t?9_%NaTjb$sT4j+#Gu>-w`;K~YGS;TWYVI92V4w+eH6 zwthbif;Pp+f7RjtdPRr-DMeog_uc=g6#e@O%?2`HI%i(z(W&YF0V%mr+23;_zH)Pm zw>nezIO7t@mOZ|#44$4SY1_bT_bd3(*+ge>8y=IHnmPNm;?#<|{H}=a$hVAi374LW zbBpF|HbO_uij@xx_*2=YP65b}Ms*bT@4cGIRj9L?xnASWU|ZMJ&0gyL=Jqrk`kJPx z$x7+KO2c)a+=*&{@`#a zWbvhnXon6L%C7c4{ODM9*&b{B1!5D68KpBYGme-8uiK~{oN#kLRt-{B8Z41j+; zgsNow<|k5Z`~gy*Cb!%!KKv+Jcsjp=e51oNbj%;T9gv?r=$PKY9=5ZH z9FhACo)7JZ-gCtQq!tG~AP}_F%9kFN_-4bg#Drge`H`fbXja|QDf#Yc=*3sGJM_3A zR5O16iDJH)7TS^B?~~Cy2$gv~w?hF@4h__;!7Juof32D+tFJ4{PBynH8eD0OdcQdB zaO0$;7XS~Vf(EKbCZLySNu25C*KTpIZ)Kr7dilposH(N{i77ey+&{7tgkchc09(^Hg=d<;^N0wk2`c4K;Q{SBw~}&A6K;UCx(RMx zUu84Nrc-f^6;Z#pLQXCO=~_}`)2oiq$dJX2FC^eQg%;|wKNBgfICW7RcDtX&%Im+)qTG-`{AS2XwfH5>gm3u}XVyuGq(G41rSrz8#7h5LA*J$nxz$ z^ukG?m}|WfeEte%4po^?GJ6s9j6;o>)W*TvoCM6hsHt+GPjHwWk-!wIB|a)kcf(#j zq=}Mo8B@Qz=3}6+ngkH*Io9PB=K77M@h!Ss*BV*b`8Q)jD#zHzp(il&{Tp)>!1XO% zi503VKB!(Jwk$w@(pYw8Y+z&3}3dJtv706%(ar3(<(pn|fRyfuO9OIz!+t(iy%^2Jn>^>+~3+~-d z%ydkq?gYz$W2-;FL~f1U9vNbEt;0Iy6-sbigm0g2ROpSN46PX%tO|{h2o1M}G?U*% zr1^L_q=WYUV0Rr19cH@RBg&Zk-F@r}WU-idxmfp&U9_SUQcS!?KAQ%yPipE{ErPTb zbS@Xm?BD{*Iq-N{WgI1{jyby1M@in%;OywRz#O<=r!4G>ZH8;k|R|rp10KT?9|?rB!3>_8R7C!T4Qbps7ihNIofj8r2*WGqqzta|^9# zKAy#5YGR-zH19P5zq>mGJM)aE1H9C)rBlURLRb6zIL61J_vBW5dK6z!4xz(0LBdHm zXV^L|C|)Ge;C@hfd&on>gKhX#qu~Tu8%|!Op$Bmp^i!eqmOg8dHRp#6MBi5lMucB< zv^k@uA$?L}{_V5eDdvp4UCb6Q4xChQG*FYDav29iTf3|#ZY3P-1&$xsP1}mWUciEs zn&&$L(kBp~nsEvO#b)KcJ>pY{(*5+yv~X1BPua?t0(07L%PoaypDCp&ThO_P4m}1Xi*hGt(`!^hS5dIPj{#h!* zjX5hA&%)o-29da3G5Z#qqDq^umw<^(g7?9oXeSUdxDruj<*plt`acqTEf9Y>B3fGY zycF_NKi*T_&iKsew0qrQ#!U)Q(gOI0F^gfg_(S+j4gq~aMYXTr4zBn*o>v>5`Eo8H zX3GQRt3$uU!Ec?JNIMxkrrC0&tt+plO+q9>LAutvhP6=?W$pqG;c^t9raPs+$6@q96SBpiNdZG zWiglspW+-HXTV))e>#*Fa@lKdlbtLd{&><=%<%N%T8m~M`rD#2G%Z$XGGAFhX)PMA zcB1>B;vO^kL+p^K zzH|dGuQ#AQ0#4NA5cgbcb#W3)s@RKvzAU;))OygN3nao4*R_}!Mb<2ns+SSUB11C? zF;~JCqjii=zGjAm8e$QmJOg)Kxl;-UjlIF=JUm!-ijQ~YxP~Z)(l*hw!H|7{kjrB` zPs;LOVsvqe+UnHTTHd&>Dc|ft+oD#TtmxZc0|lY zTCXLh`DC*G4`@_qV+&*0@>9W-_k+)043n%I&!Y2(+evn*h79qVWMr4JZjEf`{16Ft zDIw9aS)Eregs~nTdbkZ``e9|-NG=YKyA-{>nPd@J3|B52REjlLn0k-P5stU-3|YQV zvt#v9=L1)D*IS8~dr~`=Kuh6_*z1Z<*gAE!O(M;nZSbDqP4`zXMGjD&2Te}>G5=D+ zl@@&IJh3Zd72Aw+Ycd^ry_&g&{J zy9eg_NQ&yE-}>`!L(y+T(f>_D(a(BMBRzkXK08L9yq8*ot=afw^O5ew#f!kvOILia zq{x+iSb)L}fF1x|BfpdoqrJ=1uD2*o>(gR z-|n5??wx-v_l}i|OM6go@a%WrcNW`!)@;iuit7?~qGNN&B7g2E=X%C2YKjDEa5?hWBq}gsxsEn+s*iffczMZF)T??t zqB~mx6C~Pn@*EnCr^UH-YEltxR4)=?6mW^}-}Pcrxx&CGrTK_M*!FC4_+-Q0@TV+b z+!xohq`fWk_MU0Omu7DkJ`5!V4o1m8f!}!4%Qp_qmV^af%+O+bng$kK+-c*^i%M*H z+&We_N8?W$*Vb)9!}hP??F(!0Awc4Ffwb>Qu10zJ{4?Nafa&i zhjf;QGH1A{Diq@xz>Tf*@{%lPd8LLBhWz(JexJy1()xWz{!ef%#myrqwh}Lfv3uEf z=idxI<9;L^M#Iar`3=gY6R7O9 zaN;tCym#fkxIyczXQ`7}P(XeWZ|^~1rV)^KNPxS1lWRw1xsr9o4xI>K)hMwxWDoCs zu=$uCBw|r$XG-6H{Fav&l*SO z+J8+wu{Y-w;5E~x24j7|d`;zq7xX2Y_VIAw%RdzZ$-bdb2i<+L-DDDE#5vBKOm^cg)x}Bna+idlTQ?X(KoKRKB`)*>qAE~`tTBu3}U|nCN$-0h!P4?Z9 zSW(qIXqiT*a65QW$q#Z2B??NRRV;UWDuB6;Lg1)(GaZSihx3F%EN`QkXIY_lF z5sI`1bHQYD)Ile%Q5no+fC`&Tn9?q|0;q10H70xQv4qvj#8d@v(sBSfK_Ww(D+RcB z15x=z6mr&oG0x-093%{X1rW+MIaF~G94^+YH^Gi~u!i~o3J_JIoL4dqWxlN`2lP+e z5pG69@qI0smga!ay}QYDZ=t4^Aic{SoL_nA()d`g%;^3(u=}c?wgIPu6QDOqzLc?( zc^7!DS|d>va~zo22Jgh(7#Gk2T@|1D^P&EPB#qS6H-xQt{^+L8FxGA3bI zSn^XcR6fKU5eb{?SEQ#ra_0UQuSYUfclF96Ptw_4cz$=UP4&5p44V%gzeCqUfBeju z?INNMZ@IqE@mYK{uyHk={WxdRDcN=Hy@_pB?!=75q2gg#DtuFC-pDZLxKA<2ZamP!waPdJpfvbGClS2N*q*;nC z`&n_w0>@oG-P=qoPcrnVYvIf;CG!z=qaY{u&R=7=s}Z2?)xYP-M1X1 zD5&8(YL}RfLJHY6bz=jg#eyMyJr0Zr^O(=x7nC>u_^x>a(^Aji=4I;16Wyi_`Z=*= zbB|-?qF)Q3(ef*jUdz3U*i&v6$gZfU!nrDNW*K*gP6M3ve(GqzAsY{4(a-xW;QO+hgAMh^Du>)$lndW8zG z;#a?&@N{IrQo1}FPif6)Ht||&DBWaqL~^6c>f@pVFR$mCzT&534x}cQfB9ktFfqn^ z!@~97Kj*%A`}S^`Z|-?Yx-(47%*+_Td5*dkg~2?GQz_f}j(9Bz;p$`+QWglyF~c>V zF`ObLUTq^Iv_~;eF5}tE2~~3TK!eJa39;p-WvSidl*vq!1!XRV!X+VINn~?|kL0oQ zNz_**C@`0(T{`0+q3#)8S6kLS1q6}#lL0%nkyGL+i+>3Bw5q0XnemmcL?(xDV67=) zg2*TgD0*hCHd!2v9mF}@Zf6cWc?>n@LEV(#q9T>cHDPY*916=#lxW~Q=%;ZD{D z<$hFPlx-Lo1MN2Xd9#<0VE-mZ*8s-0Y;YqT89Aklz?aLOgo2*;66{RFM-ipew_<@- zT0&sU;ypKJ%#C!tfFr5G?M`W9i<@bH%%55Mkbc&W|^?v=yIsJ z3Wa5T*>1G&QFD%U5V^6oGN;?N3Q%@IJ1BzC2TA!i1Bye-qD2B56n+&5@#Rj^9m#r^ zeDPx}RLfHpP};5VB#yVfb3REs5caM-z^ib@x8mU$t3vCT3-2O*p(cdL7Ft^02m#$Y z0K_=lb@dIcxusr0UU%}AK+Y=IRdMX zv_PCR$2jycIjUPGV+ZA?`;ar#$GRc%aB$-b9D)T3Z^S_^R=1U={njQ zvgd2F=l!$h{d4>J`fT1ZtU-xsi9Wz+(Ac}aGlV|iy)zv0Z`-}b3RN()zt0tq$eCB) zV^9+#Z}(=Kw)NmQanUytW=O5Dp;#KVgtqTA}x*>i$z!PFO zUX9l9O~Bekx}7rD*eouWU9)>1Bi&~_;ifwewH<`d(N=PLkx|f-Cbd$GD;zX%_%TFt zwJfP6JBXvPaZP+=K^ixQI4yG^PN>{W?Q8I*=}LC0^8{r&xG&A4{Qb^e)qOh4nK@7i z!*;o>7b-aPK{0R)D&R_db{~pqXp&v435ic6d zzC*DU8)9ni{6PHj5nxSXlpWt2S=vGck_(B$j@;WQw4lsn5|MPzj(vfZOrVvx(d2!O zyQ%zRd^>O{n@`CO{ZV6a5Xsvj!jJV{f%)swCiXLp2^-`+Up&7wzi|Od7O06U2J{Ls zQe7k{3l4-B;`?-2AK_NmEF7{KLm-~Uwz9lj5f+wH(cbPHSS>sf(o4mtpg#+BBjlDL za62P7B#!Yl)J0C$2tcTr^g9;_UEeYft+rb(FS#@jG(J`6En{3*XHbC*a|jcnOQSTW zQzY|t+6XJ+-tA^+Uz^|G@s0`DM!Gp-8?M;X|KKXkck<o2xh+g9H5Fakm08cO+#LcG$>AZVj>lLf%~=ttS?gFf8}3h^pDJHSdwr@{dLzG-N0<9St{0@5Sd z^SLcoDY3~ti5uJRu!RDnLgRAN!$O3o`A82-3hizVa{Fg^X_x{(OkuX5r+M{@JEbP& z%U;bH=D?PZ0}HQ$chqotdF6Q(wn>5j#RdY@qZfqjlgZ~O5e}<;e^)` zE~ukQdcNU%&Ga<`PY00H@<4=xS=#mrjKzF|PqX1u9s||@GK!|3pN=#2?}3cMOE~}5 zK?}m;o{*7|yqER4}jt5wP0A;X#hD|F+WhozFu9k^^JTKCE zJYZzxFFl*|f_Un5zYw4L4zFB3cFKYEr_fk}(@nR(8=%NWK3*tu>Jx`gZ?gpAq71-A z6^r1djIPjgYdlAK)I|;++`AL!S-EA)mfKJrMeI9p(Usi&I&dCJ)IblyX(~p76uzXR zc~><(-3(`=>dZo*Q;bht-!ApTmX8KXkd%igm)yxadUk|CK<75MYUFL#>ETpUjELq>slPNSBu zP~+WR=}U9W{Zj$N{NI5GJ?)nsx8U7~<-pS!;RVuK8F*uz5-VY?h{v|5-Y-)Iwr2NJ z$X%>QLhklWwG&q1ycV^*ok)LI!#Jkz6zi?2kN4`Bh@A51CJniQHAF z-*kIndc+T;7w)Q(Z;9cj4XplI=XaN;Ar?^2B(D_+q zHU>zW5Si^pv?03hgB_=&d#G>rEJ$Lr9|zV&ufT4XkLaU~@ZYcTUWE&rKuX}5X_Y!^ zcN?+!=8YE@tJ)#c3BwcD;az_>Bd9d>nBWnq5lEcv$H3DZPeakOPG+%%`0eMp;BIlo zA1HSYOr;MeBS-38gVEwVn*|M{;PXwTrKH<`ro3|ur2YgR;x9udcf>8= z9*ln9r&#U_YTBWw=-yM``X$VOJACl_IgohHF9V5uT4klORE-p*o*r({DhoEEc9E;& zR%fT2$2}->#lQRU0PYEAHz@Kv`Uxo$if(#%}~wt|_TT!{C7n1{hEv>25w$>pfR?%kBF0bNg9H zSBf$bQE^YJKnrixk@z6sth>cm&85|YK=LIc_xMRDZgsy9%74uN-(k6vLrX`4Nt=_n z5jIElFiCNRXUa73CYgfuS)@8r99-uQ2R%R&dK)T&_AAe;jp>H9^15dEjU5)Py0jg1 zUb+wK+fF~a&pwE&>I5^AGL6?6>L~4T3d)Ppmm2KJY_D z7B0FVykMc@3XkLVs{l0e#o9@Hc@^z#;c;!Rkz;16Z^^lw%2 zb!H7q$t@(NNzzf%JtUbf9EgANBGvn%6A*VT;X>^s(32?eAAX@s}{~c!$VWxN7huAo$&=;bwaYraH9?(sSsDQ&X zVd2w%$`Jn{LrHDM?_y=$0-5}dZoVDL_|rJnWWFT9zS8xh$$)q*b?I8C4al^Hyzh@G zBKwDW&N+oAl1-zT9tADacV>(7`ad-qyg2B9TYS~L@(L&8lT+Y07OQJB@W8G6=!G$N z=Fv|X$6dsy>pb$bJu;?-XW8D3TrSahKd8jH8L2BrQn5)U&Ib8)(vKI#(iuz|iXAyF zYjdO*zw&7F#P)FB7Lk#Wv2kLn9udlSI8`#X3q;uP(^!4qg-!p#AHg_5H)!a!KUb znzR_<*4;!Lvyp{09Q<_+7esgjO-M_u92&Eef}h3y`sa(>r%f732Wk*CsyphW+Lo10 zc&?FK_oby?VD6(1F{chJK@|_PT~dRzMxAJ)vU2<2=cd2;IYP=+j>J=Kjnhn1+k}kE zGV#yk8~AmRBhH157ss@X{U!v_^p+QbB#Xlr=Qg(Q^stmyg`4#U?`v8r;unM9nR#vADK9* zbg(+ENO_McvNCKd9Ctd!W>sP`wyYU!9Ap6MFgApd5@0U0QOw)^XE=(4f2tdWKax=jas*G8I^kUGD=G0;_FpX(_8p6WZST&7Z+#qN~kq_!i^bDAFSS* zYm()J6@44L=>>FXtG&s7EZ>nwnBpw56mQE|&X|H;T7{h&3o`Ay#~#SMN86gj`kJK% z4k1gMZNBQ^{bKC_y`dprinUZkTLeyDneFa_-MO%$Ihmwj(u(+MGVwX26;a8H^6ay3 zk%DtHXR?W5Hzy6e9H4u}D&1XY#V(@lac+xSZGcx2VwxQ!N@{FuViR+c9a|jM=WcBL z%UW!$u(ty2zJB&Mb+pR|jJ zYZPYMH@w?u`HRoZLx1@vH^*6T?Co%0Sb@#iyf%y*IWL^vL~|7WhZ#XI!Zsl;<>KY0Mkx7vZN8GJln#}h^+kq% zcL=_v1>5Okm6D86iwIpxoD!Y=*ySTte3-k)!g)4wRJYP;dRbQH!nLVo*=S$v@PaG9 z_m0KAKNv1`=hn2oGZQ?U-;C$$D;g`#&H@h#!om1!$4Hgba`r*YGY0JV_EHdyQrWw< z>P)QAb3bDG@~ZjWW63Xv!B}w*XL$GnGEkhy^@|8^rB9-=oVnIPvji13qp~6U>+Mea zGC9_(<>Y;k18}p#+Ct+Sxw$T`CKmLn3*2hmd$*8Sz}df(vI=Rf`&EeoeMPQV6K4_p z^z_Ue|4KdDUH^$K!1rd0Ouk2D*<88(E>egFd@ybt5fbDY=~pMT zKUE6gPtjb36olO7tIG?0;IdC0j}C{zyw?>^fH~_LYv2l0ImV!Dn(2}E=2{^%kNt`J z)X7lBPZ^DBOqc%jv{PKWkuB_;?9CsGlgnM5;c(#570f<4J%^PVxWptMJc{}-DuNqZ zh45Ab+5i-IbqBessx-8#y;~h>*qBg3VVg7g5Y(%qu$h@kgV5mOPWN)Mk|tevIwbDa zJq5he8(PWRkU%(l@oXK+=-YSM{-)u4*N8k*u)^y6sArA2-tv<1jnCXruTlX6HO`N` z1Xn{PWb`#*%Y`DYe&C`}C|+o=&)lTKvG~ES(y7f@mv$Jtw$$tQEpxhi0_)rkMdi~t zxR#&;J>wDNq8l$;TeXhO-$Y8~N~F%o@otApW@P-P)zF?TQrNU7Z9I~p5UZ9SLn{kYGk4ak+aSqHHLn=m;qhNw;Is0h! zq2@|n=3_8lVp$F!ZuJ`(S&W=H)ChiLu%z~iy0NC_C)_puBIcc!d3b9mGHlV6W$j;G zfCRbP9+iC9rZME*gB-? pY~?&&u_;MAzF<}N;Y?@jhR-_v>C()i0c)r>7dSpDdQzerhDFE{MKo#A+E^03EMhlqWNd3}Bno}AdJ>m1%7`m{-W%;2!fGh2a4PyM2>O?dotFo7 zSua*I&F8OGajXQyH5)9I)%58upF6dDyzQeh2OEMaIKB5*IJHZmFW;sm%|?aMvsiT1 z-zNvMO`9!$5+u~HB3}eydLX4KSa#~|D9y}3N^L2SjLw^+d5ciUpE$4d!2cG$Za z$Nd=voEOp2t?isXalLQhm5DQ4pp`ivu-1O4JhQd2GpqZ`q@ThTRH~f6 zZ@$}v@EQ-!!OT%*o|@I0%lq_M1FQQQtsq@%>BH&Uo+uod4w=U=U`GQ~zsGEp8oFl)lsD>|GSH;^I=2%-8>lb~Mm{R_&r zW#62FbX;#5N456eG|Y~ z2Vq%F!M2QJaN(76NW@i2u$b^$mnd#F?#VM3%R0O@t)I7`pOY8cWc$5P6F(7pua};& zY{0gL%{imAT^{R-T~_xc%%dddi?{%SvVey4&;uu|zy;QaY~WOGNqN(spC!i}FcPw& zQ|Gb@-Zs{L`y+vIDoa2`tk}g*ad+ki{2cZ(PS@x;+?8l?!cSPH9byhp*zpqi*-Ht^ zas&3=fu8-&p(W!^S*izm)rkI?9}lb!zt>z9G%1#E|a3`*2HIZ z1ZAVPReFx*0bzBOm1p{K(U}eW_G!AE(}G-S-#a*r^+sR1#EU4yvWL;jEjI+Clme|5f@q9NGA*gzTfa0#=7Sn}}-? zL~9*^;zzDS@*QdNI($u^|^17p{?G9cP4V9I1-l zn6X%wc3>tq!u?4xl9(k!Mh69ZT5X5aOu*5cH0RZVt)4#N_M?ck0<=1{zt!q?{UMQN zD(I^Z4$N3nf(ZUvq;)L+eO%{ZXL%%HzVi4Sg{!I^(L7%t+ojj&99QXcr^xOZ3 zBELmM6w{3a{I~6Rq*&LMxeWcGv6V<0;-ZQ%dL&034oA`z1%GRwpilohYM<}dF^5-5 z?!lAh7aAJcInU_RE@(3?em*6yVUmt5sC%sJxfQ|th^iS@mtMM80?j`NRP z+!M*Xwj_o)Y-?DAzimrn(s<+LmYUYrM=*dbxSn^Jb#4UUyK@_H$(ZCW+?QVsHomdPG+AGBY^=iD%1$rosh66^=fR$ zz>g!z(;NFJmJAS}06`uW5PY38p8E@N!PSSZ^6S^H&m#pK5Yi1{U40;)^AKk^h4&hG zNSBAnbN3xgL`N~C_u6`{$d zuZhTiY#K)=OjQ>f_P@`A;+@sZm4NSCNZm_LPaA6Rd& z37SYM@+KKVpl4x{RUfI1$G&p2jF5Y^nrKi;x-UU8a$bt^0B&(_wLD51Tu~K3d69xY z*CYZ>ipXX7x&bZrN=S|dLB#34a=~mp&Z$KL<{kBF-~5f7atf9_l*>cEKDYs3Df2A- z0nrZ)yu6_a?T3@!bRcH*@;7}c^iM?&nC;lJ^DlOiHUPp(PjBPAuK^n!Cmy{%yAL}6 z@5ilbwBBF~G`Zq+`cxt4lUGz5D@mKasNz+j$H5SuMA~Xj2*Y(F^LB?83mLVy*9VV; zAW9+q{=MidIL%O#4c9e`7`|Yy8M-kBqkn!-Mq#hd9||H6IP6Q$^G_QvgY;jp@2u2$ z)(6jn&9|=I0YM+A!3JouJ3hP#2l2O^O}T*I29&Ej%(hjz+LDj7(U{2-vFwVRaiFxy z+a5%4Ttqei98`^bx!!;onsk%JKDYuni>}Bgz6jEfnF$3mtUN!DD#D)AAv%~L`%Nmp zN#!@GpbP$+tNc&7O8LB*otc^0bwEFcMB;yP|4Ckvb@=15Pz(c?8K(%~qg=2OUcB6h jL6cG3qOgFl%x&rq?(2)+O7bFuzmrO*k7ph=yY;^S=*%*^ diff --git a/versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP1/Distributed-Deployment.png b/versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP1/Distributed-Deployment.png deleted file mode 100644 index 8bba51b8d0495141d02b68797ae1b51d466f45c6..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 34547 zcmeFZcT|*3voA_g1{4`Uzz7UMBl1DM1kw zP?7?IBvAy(Ih}r<@!i|^+uwKZzH6O()>(Ufe<(BabU$5PRb5^EtE#@Ct*JyoeukWY zfPg|pSzd>LfEYzUK%{^;3V!L_+d4)-Kx*ryVCd!SXJhYVO~583hyTPT$ZzNB>BS}_ z&n777>+8#Fin(g8YK~Jp2MY0z!KH;%q{)!V=&=ej#3A zF+nW8y}7Nm%kOt-xCYoeIhnHwDvI#(gI8TN6cAt&LW580_AcIj;IE&!sF|oR2lyoG z=H_ILv9?gN_k!9BiSY`FLS599^)%Gk1m(bICwoV0@JGqo($N*_;^|`U2L8y|dAK^; zdpm<}ViLUkyh0MfBD`V}e?0+R{_%HRa~pFH`#*+(=ILYY;c4&cf}f^6o0DeN& zUgoy=Uk&B-v{k&-y?C^Eyksr0Jp9&LX81N<{%+RzHdfX?_Lg8wK{g=;z+o$Ub6XE{ zKpVgPZw~q>+A5&s?KCY^MA7_)?!xY7fGKcu0RuNpOA$|B1#Nx-ZFh5dU$mXLg}Rve z)c|)rXG?$n00U*ToV%@#JzCMJZX+djZT)kwt4Qcg@q-A(1Hg@ibpAllPX z#X-y;Yh`1nA*?4P=BtEJa1ao2^wN}6)wOl) zFdoVZ;CBIaFHLP7AqQtGM{{)peM5CERShAF09QK~B_k(Ce_?AyVHGbyF991ZK^GfM zOMPEYKLITTXKNt|9gL;FnuVa9n1mjnLrhpt$=<>-z|u$8K+(@%!p}%uTSEwNThY|)%A1@@X?nO(QucS#kgo2xTx898hXp>J9}BH z+bMYXJ85aEK*QL`qHScIG@K1=RWSD6wz~4}2DTzb0u~zX&|?)h2SZ&8VI3Pe4|^X+ z3kL@WS$h#DZAEP%H8nk33juv20d-v;ZB=a{Ej0rTPis#X1wAcGBWodyfr6?##?#N$ zMMXhJR>w#|)gu5C!0)c0s^M*At)}2E=ZW_Ab<(i+yXr0~DywK{<1XvqCgQ9qYo{%$ zW2E8g=Vr;TtEHwa=;|n-Wv%Hh;ov6AuPN&%XeaCwAnay%_3Bk|1sexT6<<9KZ3Qh? zaWzkjSb&qVtgQrASVh1~Ts=Tl(?|ZQf~Bm5n6HtxypFiIjfAg*G^*+@yn z+)YE>*+$L?E8<`!U?r@1)!ac$TUpN9+z&`hQ9;hhP|H=w&rn+hsD!?PwT-*GqN1>q zrl+Q&tAVbgm8OIq*2CRES3ujt++5L0T-{m4OUc{b%TM3a$X(S>&cQ=j2Q8Mc-tvy3)$)^>szQ9y6DO|Xj$4jVw^>ttc3l=)jTw0UAt{_0k4_L{z4nyS8*wnm0%LpMJ`T_7EKtfh{JkiCJrk&d97pufD6ybH!c zSH%Ka=N_s)g0?yu;%){G5(eH{;1|$A11m1zrRC*d<>llr;N~VOfCfuM(MHTy)7s0; zP0mNd*2>W!z}v}J-wUIwDX$|CAY$+7uV^78E~erO`lDqv{jut5Xcr%}wF6e~s)whw zn~J}-zNV#>lCq(fzrBN^oq?XBo#$0~VRtbX2}?ICZ$DwIsF#HUr0M?V5(@S{mX;E# zVt%6f5^DB3;*Lhb+HQsd7*SP!TMrvw2?IG-B_BC=eqCi3O;t@rBQPjdS;X8<4>Fw^ z5&|MFq5)SOz-KRrrT#AJLK3#%gOG%)fs(hk7FJKf+QCXq32SJfhSs&U7e}L&fV~9P z!_C22%friBPfi!>q;C}9;9}!~RkX7A!RWes=?f|e>Dgex3>B>f)V&?eUFX~bQNsHR24l049(rJo+?*e{2i`}X)k0pw z#>Z95DnQB8N68H%Z?1vyuvGU4#!O4dOUN56eno8!44< zh>e<Ix?Hs^WEcSn69FMYhJXm^rjYaav78hevu>XH{YlQUOOf0C z`BJphC4EOc<-qg*Y`Tv`WWS+8RgwNjU+7ulO#)`t(+=lk|JF8~fEg$CpIxE1BvH%Y zSle$2!K41iBPui{M8$u6CsH9}LMKhWKK-{r!VnKh{~{P}8lFpnM5(w>9sjc{QU=#c z{Ku=1VKO>Iv5C30?nm)+{XGg3`upF$%P?_-cQQ{`^=T%{osf|C8F3c#pT47H)pKR@ zZfWp>*K zaw-r%e*CyYA^Ir?$+S5h+C1O1`^#g*xrXA@N3PNaX4@?Pyqo7Q8%S+W)7+QzuQ<*q zb*-fC+nM{p8=tKocn{v8l-kPKI{X=gLeJ%Pjs7{cQ}<*}QmuSc<9myBEY{C-ny(%* zt?1WLdwXSbl*RUecdAq6d(n!o5yv{G5~NKtT}DH87d&1Pl6IIK?qIeT4-Xb6g{?u8 zWVTd8w9glBjKtR0NbCBA=UgP3;%r7%cNC_}-!LRI9&Wu6?BcHM*la!w{_N4kGxOqS zN%GX~%bHE=#jYvOmLDfbVKc|PyuDM-#0dONX2=*op~q+Iw6}mwJhPdew;Q%5tr!buqtSrR05Af-Hi{=COx<7TIc?-#b1^FH@RgI3>rv{Hz500OuI7aMDeYQ_TE zRXS?jr>v?643dw~8Ont0|1|5uktlbDhqBgnWoFjcsKdRU!@DZU7iiHIZLw5%;xcG$0O}X9%($f80n(74!5L z-|+{W78f)#FLD)E>9{k0^OZfv*-^5%Yk>>Z9&gV3c1*-DO1)Q6E~Ct+89&&l*}X!x{X;91bI2?- z*qVykr4<{pJri$hsF=WT{xnP9-wv^8{8P2^y zbrg=;@~8e>xJ+bV39+hp-N|%2YrvYQPW;CT3rCP(`Ovi#TogP8jaSMOXFwz+l#2}9^eUk^*6$vhRYPnBWlbCdQs|R ze^S&zLQW;<(EpSJSlB!Hn$lmynwBXf*86p>*S>%F@nDMTZ%CIr~I?SagjsNd!qGGW(M38*aM7-#>SVn+fn!_Dc*e_Mmv=H|Fri^(!g}?IcUEAa}<8I>zwFImoGo5uOB%n zll&mzjEL&+lG>(531PWhPBF=)OP6vB3mtpcKD{AT5Y8do-Rj*EI75W|o*m}HSYu(w ziH=z1(9JWP8S`siattCKcaJgWmUOb;8w&JflL!_Jt0#(+gAzV0k zR9(pN?zPsj=GSS7BurmZ;dYbHy^m793-qMOBBVoxg<)XQW<|7q)_%1$A>5P8X(VY_ zI&n*(V5Nd;k=_U*YBMK?I_paE0vK`q(uxqS)%1MtYfF_S1P7>IQ=+j= zdU@qrjbi>QR-Z!;_h&v?CZwd9g&2Ly4n24})*y!Ix4I9uRAp6}`ewU@q@#=yl z*mi%_mqNySZ@pkZD6uoKUhsR1?>qBOI zg(WYZ?M>1*Ctm(lD|fIrE3KsV=2){GnE(~wY&78P6A@-f(+t zvk4>IlY%kjP&)5@chq~x#ABg)h;A`>Ya*sS6WT+$D>|4x_LkptwNgrRL;H78^TCb> zc&yduM=7}^gF;7BoQ+1fSF)0k5FvY!y`~LSK4-GWHkRF-Yr!!2rt~eQ%^wuczV+<6 zlCPp!-L(5pC$F3s$9ja z_45_+ds}a$Qv-k1DYg7)6Y7y<0h_Y4)%pO2kEH!uhN~&!cJtx>qDQyH?8*0aUwlU1 zrZw+be|9J=wyK*+O&)QnFGg~MohK9a0orLX9e{J(F$@8AD7^^rAB$0lw>FK*7fG;k zGJ(qTHW1-Ouq8cz2b_oY(A_yqGgk63l~dD3btx@7(?nx_ zcE}5H7fSXE!0Y7D)NL_qeDUJN^rLuQ&f8P1T%SU}31vghk4(sVq1juJp=&H+qi(HX z6eckU|FsWF)-_*zxF)BL01M0{O1RLj<|t+uG`6{X*0rI0tJPpDQm=Nb&96M+O-{!- z!0b>Gi-jI9&HuG*Fg9_FJ2FfhxMedBV;GY9G%pv|M$Nq!8_y(c z0j?AC1kuvoYL8YhpJX4EQ!9s3ZST#~LWZ1dZ?ni5ZHX}LZfUyI{G zYl=_cCfC^ZtZ&nUtuFi$!j8`rTQ4XOF#M*q#xhD;^@~@ZMmw2*5&f=%1Ql9AeF{Kfj9vGoT9`V`=E9;VV77(NuIHL|&H9XG4mBDXlv)`rI6rgoW% zB4WwMhg%?*P3AmF6+K_^m+Jxnqi@Fjrfy9-`nRrs^~~NKz0UD;+?EmZxCKdsJVg|4 zxVwr(pK`O~l2_hREMgMoZQfg%Ec9s=!$d85Q1(QUn3n^o(2v_tXYC_u`1YsSr8%V9 zv_h$=m7`)l%-*-nnrs>$!z_aN$9!pxT$~7Bs~*HU$^bv?$T8*%4Hq=hSy>csUOYHl zTG~S&A;N*l)fV?fS#@r~|&(f)whvffzIFbq0tpb&OEl7K{&1~ynvi0wWTY%HhJ-t}VY zB>;Pbt$gh2g~_ck|8N8)5f2+oAT~}Vg>JW&oCdO9R&XQb>4-O3x2JYL$=|2^!}>W_ zn=`sPTE9I;)C6|bY%0|4-I%GsH|;24L{(Xm5zgWdcuf^Nb#^>aSL=#CaJik&k^KUky+#HW$NZGgB64H-8s>z*+)GNr1t}NW@&d&2 zi8s$KZbdMLnzL5(8d+17cpZll48RvW(?kf+^)Jx&>UJkQ!JglM7G z&+(6)C(sO#gO!d3JLpY>y(&8uJM8MC0V{Z6?=kiDdX`_gmqehY^^!1KVG3o*-M zl!_o{)Jg$1Q`ScktRRn5oC#J$aXV@>1YWP?KaxORd5!|UFP+HQ0*KC7{G{6B z;{Bo4GBQdq$36^DaY1w#QNaTny<#zfzMjC#@kBZf3AOfPf%U&(MoAKyBf%786X@nLEO=kh!2En$!J`6+{pCxTu=5SjGZ`kxeHUV8b(a200a49@-?J21H4>pYV&(C&xLSFK z9HP?@KdGYHd!(Q>0f`shW|*8Whv-P8g$GWfl}v&p^EC`lR*njS5VQ^xg9X)X9MT3I zU2_)j+pUS}NLLU*1g5J!;PXcqS0~yz)4ROpFZzYF2Z#2M4!v?P#zlC#? z(9qYF;ohh7A{?Q{MtJS5a8gTxM9a?)6GrL^3+n%mfWc3g2IY zS&xQi_%I^)Z!Q9?q zbWB{7jbZM~T~#Vub)vCd1}f^x;dhXo%wfZ?Coyh~TO()RVVMEaKvNE`yqK z-9`0Dtk4C*#oz?Q4I}4okYIbM@mg~>^`9||_St*B1%t4`uc*C`E|Kv{-&61gurs`0 zxU9f^2={osPiJv3?H-9O8m5r5s(AB}f$|L$F*0YYO6fL9Rd8wb>TA&UztS1y5Xk2c zb@x;R1dZ}jfbA*2I{udLQ}&OK6>mWjr7%M z)#I`dSZa3{Q9c$^yx&(cgU~MZXee_bg(q0hYdaQ?MX^Q0SSb@)b&X&soVx7XJsmz$ z1t#1yEazObn%{rY5QgCRKzxl<^`*yk)y8ut!;wieums6@CK{j8>R2F{aSUMu%(?QE zZs#u&c7=1SduWrOl{J6Q9EYEIEHZ!q01wnxUV7({aFgcscga#AP!hk1qW-^)sO%?* zi8P<&(n!V2YfZ6dDbl`vq3+#i9OU(RWDpX#TDHNMVLLMW*wnd{fBXGSp!YpGI79mO zVQIDMbA)sHx9JBLm~s{Zi%pz34MM0;;PACV%8E99loI%RBbxKZr2n7XHxRl&u#8+j`LZ*xt(&>r506y z@CWEC8zRd8+x>jA=Io%A8_=;arPgtE?(+5<#!&9c?n{nrp~0m7C7X%KmPCj(Iaq0q zV}}BDPcgYKBn8y*Qob6Hml@f_)~B}=NjjUjOM`<`1#}qpZQeDh180z#TVi90X8Us( zj}|iaj$|z<4hVRLa8h?OfXzmI+5+&Xb-|O=Bru%Xx2!;y(^mq#1Y8F6F)10YO-9{U zHm^zSEw#=7$U6x_&ATrzN*V<%w_E2VCqjpFfQh78WPP^HHqn%rIZ4*@VQ;}TG}*c4 zi$T-=f@>Fauyk$Owplifbp$<_)X_ysjKNishkL6lYkgW>S|KYm-~@$<+m;IgYpzDaV_VqmN2zTNkc!mDF0GWCjf_DIk;}j_VzY9saR>R^q za-flF7UD1Qt9EL7W5hKL^h1NAZpCEkQ#b0Bou8#$(1|@kY6l<*K4bo~7W1W{`#%X4 zIy$*Zxh-Gc)>OtF>&*v0o2Lu%v(gI?WKFx@)&T~+o^kje0LFE6w}7el zz-2|JcZA_DV8v55NnyNh`cKx319|02m3RAjd1Y~T1UtzDt<=-zjbTTRVf%dALsM`f zodz%G!KolgAuN7*9K?D|w%^%Gu`mWLg@B9MF%XjMKkW{J8;)sX^yQ9zBtwQo!%aiO{=`=?qp~=svR6mJ0Y^7Cs8^Ph zmWU-&5H|#Y{Il7iOgRjjWz;blVoO_FO#!jdnsonYhPp!_nAQYkEjuxyODbJH8Ba?*YcaMaT{+gR? z)$@YFu@6L6%!qy&cy&8m+_|nB;2QU8vS%T9F2%V0tr!wAXWeH9UQ7f+_!xzH_dWyPJzN~u^BmHl1@0mLE|0y1l7I3!yI z09IeXJpI$`@CC^$np5iO!UcYLEH@9qiZzZ+{4slsU04=}8+qK)(8!K5zdaVy-@3{* z_4-ya04oijj|DhxzmYz;+O`V)9|DG?TitliHBEJJrE;%Ti1QVu?8f@D!m;v6O9n*0 zEIggLr#noZ|H>j3bGZ~F$S6}w%Ua0WJ((uFP?AE_4C03~e4$2}%I82d5(*ui%s)MG zavD++O<4$VJIT&9Ar}xznYTGcP1p9O%)B*@w6pbXD~Oq4Vk7kpjGl;ddAylw}@}dxm^qiZ_@;fzg1u}O23I9a5v!CdjmX7%Us+%SMa5BprEPZ2gs*hr& zZo8P!Z5A|VjR-M{pCbIlMxEik%9D^YQ?&8cl3_7kJb^RO+5uL(C$~fSL%rLJX;HF> zwUEntK#O{UaHJJOSVtZ*O6Qp5sHOF)iL;MdYBZxr`{|9H1WrqbG~h-GTI42=ahJ(7 zH`7ozJ>&}7%Jv=eKju#55=_2&`V&+-z*EEQjKEUC-G;z*uP+)rIvFodAf zcLHzDd4T^;Qoe{88Vg)BiOqA{p?2vb_m6Tt`ZEKARNkLSK%6cL^k*cxMC85Td1*1y z*qQ@<^o?Ly)aIiTBGRw5)WQP#s3hQByZdZw-s>xRw!$#qRE3xd1J|MYLm$mU$_Fci|p9OBo-NEZWD++&~nl-gZaYF@QtR zN#4I8=%ysN<&(QKGCueh27etX# zv`h{i(QvS)BmHG%uIAXpPbum`+1|~$Z>jk}oc(EFPC*9R#NDxZ_>S4|Oq$O?{Bb#i z9&65**(x8}*6+UeQq1I)=T-CW_q;IsXmx`g!G!L=(%Y}`u%xz{8TU`R$l%(Jru_&q z2u|m4`RD`r!=9H7q7(}XpJJ&1k5<&`X@^r$$cqXx^*#0rsuGw}#@jQj@>kErTo~M+ zM3SMb@n(Zl*xW>6AP)JPQ_lgXIN*6;I_p|Kb@DO)vn~%I=Tk)l(4}wQf*>kpg6C2G z&~RG;*H&VczFoA-rjhCw{t_I*H-l552^2q9-@a4mFna1p_ys(2QGWU#n-eh0e<3!= zh)5aFGiyMi<_2FQiEgpyd||KlDGxW?cHWUn+A1=S~JW#4o%2`amVioT=AHUS`uY4fgsgg{$Z^Q+@-zXC8 zcc62UMen__j239i=Am7y^xWw*Zy}n zlf!whO(Z7Xk?JhIJImC!)(8%WZ8-vsVo{KLQjqp@1$j*ao*{^$b@qvh{OTmLl}Ze- z9V57(w+Nj%kKX#x$ZoBT3XCk2WHq|)-X57dS2j;(G*_|@4viyv_m);c9-qc z|JBy7ajV{=qf9c5_6g_6Ajf+4)`YfJTjPwJBr(nR@81(kN_hEYnYi$vW0cRD zX+JrK011?BbNvjw97xB6NuDa5>Glhkp#k^}B@#vZq9gDsS8f|p9&v?$P+s|1K-f>+ zV{yvl$XEchgoJ^C?eGI5QELPsF3t0uutbaJA~S~!6E(0=guq5U{NrpXgR9CRt(B_I ziOnSlR|a?rX>1~S)W&~OLO}H~g5m2Zy+KaEO3J2S8`iV zz8s}b=;gvAaVf;+*Exv#AD`sCiRyI#yd{=bE*vSn<}sF0eNEI5gwN$rIbSHNeB^FK zl?M>@%k_|}A*vn#pb1QM;{^Ae>`fb8ZU8^sDa$v_%G_(iZA zgb(tnYO4!gB%Bkt$b1|hs3T-%%`iA8d3EvqCBLJF0DLM3y8v;q2>{7#uM_o0o&YFt z003fv{MY96h{iHfbO0#x1K;RH$Lfasm6a0d&vH3@u!M0T3UH3q%i}Q8az3^XnZsZ& zK6Qjh15cIk!+7fU?~O(@<}X2N1{3q}zKkPj|39jl#`j0^0s*dr@~7MY+6H3%BgFGl zw|LHn%Q0Po$6*b4n{oN!rj0YN5p#^pDxREGgs_ms+=q8Bs6zmAD z&?r2$jLwn5OEb9Ib@UyOrn?N;DI$ssurMhUKRoR%P;yN z2$Q*h*Ap72>L+Bg!@Yt6Bv=qXXbMNzJO514dKXxk+7n9!pjLgDl^Br|ulFel#rw#> zPey=66!OZS<3xM2NY9)#6h=pf0jC8-Uu`orr@pk-Ewix_B3RjB+E`t0tet2SGY??) z19LdalJiBZ$|rJrYCoLp<$Xx$Isx$L%7pGTs0!a0%P0$1COb`34E9FQteDimGs3Op zG=HC5P86^kXJZrTM8B+Y_`9|oSCxrF+MOd@XnI)fc#go9u=TT%EP|AX0?!fQoEy<+ z9&KJY=MZueq|r=*ypglm`Yoz&A}pD!&%{2XnT`VWI?BwdnDU@!qLJ*u6pJK)pk?Y^ z?G`Fz}NX)(O3WeKx7_A5Ao}(;sA1SOH`pK zyM+%pef%gz5vpK(J^YB($6OU%p>qNjxQ3NZuFQz4s&BbR!tcSh%jDfBkNfe#l4+{R z>?Ct2c;J3rU;4_8eXcY4OuVXSB+~9UtlvZT+8!L~l=@Y~gd+|=ijSn6=~uUwTiC@2 zYsz+h1eu@y_$|V}uPE!vuAjHhO`OaxJY!OQ?Y6kETd65a&W4i5KCW0KGmtRjT}CRo zE*H*?<#|=j7Gx|w1b9Qora2kc{Ky$3^a+}`kYpWMHom|d8Fm?uG@C?FkjDl$$hI@< zA;g(sqV?=jySp`i{Q6bGpM>K03*9Hj6fen2@A5v@mv#hEx67_~e+0VH-WO#kY}(X# za`^qb?RZM%oGlbz$wiL`KsYW|1h;dSi@l+9S=HHDpRw4i*u=pla@)~iG;(Gjb+bUL zPPL`*TxtKH!Fu^h;Y>W@L(-h(EClX43?S!pOEQ-@-*8n|>jzhbRQnXvQG6>caHmYg z7?0&k&2W+dbXmvPc;HQEX)18S)yS!I!tcIEF2;99s~(z8%oH>Cy|#o0eIV8e!}l*H zA4<)1{NspdoF0?4P}}aK%7+n%<<}->6Tk%b9Tor(Spg_5*fQJ&-8c#U^>F0OZD)O* zB@OnA)(flqzGZZl6u9S4S}w%w+$|*dYw}#p*rr${4~M++5gk#v2EI#YIb)Hoqt(lX z>y;pkubJV>S)cd%L0m#LBbYhSUo$V-bJ%7^SLFh4O8N8g<)-gWPnpmS?nAFF2YRs0 z*vrmM1@q}=d^x2CL!N5Yk-z*0cK(l@T*ec`4|vOS;dy*|{&y;R${SyNBx+{)__=#w zn+o*xA#0vakD9&##e}ra>DgK^{wo(3`C29Iws1)C&S#)N4ynv-FD?!qRKNeAS3kOi zopoGjE(m^hYb34|7EbA4cc-gs5NME@?vQrY>}OE%zF4(ZwY%|h^@?$HSH8SeCjdOF zEFXO~dR4yC)y{?ed0hOCcW|H8cBpC5YV}5Ty01g1K~Oc&J^4h(@AfRMWy=c5Okd9nANz16E*uI?ThZU(r&mqR<|C&rQf?0x(Jni-8m z*#~rfj2{TGp22jTq5AI*7n>-2#rj9PLvzJSq4h1WRO9Ss8#$Qs90c`Uf{MWmT|Zip zJ-{vx>??4Z#aj+w$yu;euEZm5n5f7jm{~Qni~`DsOThv#VgU<)dD!1IF18?DJq6GG3}GX5 z{%?NXF@lfPtjr`-NqPC)jfM*tgOKVXDil_SYN0_)p-oRCuk%)^chlg3MmqOHU9Kju zbm~8K6v4O!HB|&crB652v}l71tkOZSN(*9r#xj^Ko?XzLc|CN=%<=GoMrv;Xtr@IC zR`|fm4TLN%_Xmd>pTTZQiW!fid~B+o{N+UrDgpiE0*@)j2c^}a$rseV_rog0D=LTw zJ>+pr=#Oi6pU@ZXcLK3_r!wbOR_eZ}udlvoQ+8Iw;qKbnnjXXWhYu(d6O)uTLT=ZI z#^_DvcRuu#-`Gh9N&;(8!N*Pf*V3Yky*&ogeOuLYwt)C&MsY}<%!By`=d|sKUUTZqKXiT3Os_ z*F0|QEyYNm%F$;Dr2}LCY^d?xOYlr*bHPpOqH1*nHT8qp;5M|5hL) z{0rH$UXb+ToaZ|fW9VKvT(SU~E77xPOg~vzZE7HHH3Dgu>C|?-rXVlyjsl&LylKFX zC!8~9S56h~*a4M`KF+*Ck~KBBQIi+ib={JYPp&YNXLsvnLsf9MlxfM(4mNOX7M%$W zn$^XHPoeS&Cy*<+@?|juvF3B@#W~MCyu3OsPP`asgnu$SB4mmrjwE5r#_lxh3RzNN#9oia1 z2zXx~>A70b>-ACowpsh|02F_+8+5c8`5l`3=*yCC0ls$YuoQBL!^ z8&vH8@+moeLCs6~(TJzbOD)IZ`J(+m79*TeJBT$D+F#!Nz0)JsuQf@_xHtD8=0zoCXiP4u&5hT$-^`<$N|L4q^&uj;imb>*lEQI`%-0(9Z5 zbJbOpWXwv%ui4U|8Ls^ed-3*T5mP__sUSe00HR*0%mYmpmop!&)i6YSul<(pm^YSH z+fHYEG9Nb~%+b(dZ(-;vi(4Do?2Au4n2*+p41YbSpZ#hQ+Bhh_@vZNAx4)NS$WMAG zCDHKd&Eaf9-u%?MSD?x6wIVwz;06uq_q#0*Uyr273)x?kB|Wc)xaro3H0|Q8FUkx( z*lr&>7PATEpBH?HX{MIm_++^Pr7wdzoSH?FdN&U$(}|5|ZfXX#8ikuaMQ+A#K>?C+ z!(p*&aG~GReGqNqb=f7aaXa#ms!eI}&;?|i_XS;9zUKK}zkyLxLGlJN-m-_hIG2Ii z;XH}GpU4kZ`M#bBuVS#ig6VgpGfhd#>ld4L>4+YcBFGju0S~@_2pql=fWss^V&zXuHeltn9<11|hHSLz=o>oTAUQP|<8>1m_r8+0zg6AR z9vqMS(O5%GvMk{Ascf>(S+`kV zVWj6F*foWvX?~r2b#)Ty}qCztD|AH+c-Aftx)YAUu^n&(UGEiLZh~f;xISncTT}1^_NUxu|E3;vHIUYf=$3(zT>7N z1C`E1CuXR<5PeZ424^eXVy`N$xxUv~Ev4^BRQhcCiM zj_tc=P|5y$sjg2P5G_;2=JFecY+I@u|ZB>>UMSzq~Ok6 zS{oI$-1+Q%`GkacVaOn4VotYt(e!Q(#8xC=rVKVO?$o)oJYO|lNCqxrRiz|ZId5Eb zsI#ZK>znpM&boj%Mw`jihXFr^dtC62bVlx9@wB&6rYYANr;2vp4u>{+E!fsfI?iC! z&i%i8)UJIB%JY}{MY6qve|8o&`$OLI@ACmT0>J0J|AxCe{cg6h#5JA!uqPh!Y;{*P z7kc7Kfh%hE-*!bwh}JyQn<`c;^v!_t*!_Rh^A-8`f#n|$EFc#C;K2h>U0rM~9Qozx z)yKK{`S~kbw{M^LF*o;2GAo=IB+h=f7)l7atPs7M59qwt!P!l$*#baC?tSTxDFC;S{{?=001M&CH_>~|AUtho>g=BlpbFN1fGP^4 ze4y;OCk7M%|LFV+Zcze<$+Yy5>j&v)Hn00v&jbUsBI*ADtyo*6H67y=1n|f@G^qdM zQ7FN)h>KxP_cr%GjQDSGGCrhvs zks%uD{T_qEPi~yyD<{()2PG#xNir_` z^H+fJoN-W|9totm&=QuBipx_)lQb#xCUOF)LI5)3k0oXc{r{x)0@t%#gjt)*{fusuf5}3f3;viCe1~eNl zTXEDswFvy*qDw3f%?dA6tz;m1N|<`FM8n`P;mC858ZI&{8x||tOFeqhJ`A$KcgPp~ z&p>T|*3q>c4bMaNmH?z*cjba6sNV=7GT4ny8Q;0lJsJr$Hh6HSw^W}7yR8vRhe6u$ z5H0|pq?+#J4G`;lLT0#d)*wWUI8OLwU{h?Oa@2<8EvW7KwPO~MGP(%6Apl--_|t%b zI&Epf!r<0U*L`^jGLHA+H8vM1E`B87>NW^rF}FN}umY8Q0O&VrW%Wlu`7sa?W`!$( zJ!#3v!fxg7Ll74($j5Ubs#3#zz;PdYEUpcNAU~26ZBTGEKOs~&^A+qw%DL#ktk+Q6 zfRZESvN;?u$A<1U+@Jv!MA=~jP3AK-A&-PMp~kWLwybN812}^ann&%lAPNtYP<%we z0)*P_@qG9g#!RsU2}0-L6)j7s?UkX3PfWch@eEcSYXjwO{aUanjHRz?qE&^ui%+XU z9Eqz;8CU*v?X$( z<~$g|EC56yjOUoW%$=itU_YiV=*`M6huUU2$~qzK$YD{4u(?ix@ctb8^=enc?c(h3 z@2)_NEe1}L?PEnAri|n4+>eA0Qo|%T%HBBzM3Ii?gK&;AalIo|9@}z`a7;i;%vw?=)j2H@gO*W?*FJr7WE4X9m z?gf|x9!R;Mb-_$KyebT}9rEOfr6AHk!3@ru*2n}h-p4D?I?W7guJF`o`a_5#MdHTW zw{W-YnG!`{23u1kPXi+C5wNZocP?Hr)BGR4+@5||1fUQ*lxz*%5cK-yX_iI}zmF>H zZ$XwkJ9I%16gc?6QnqsT3e^RmeR;pmMm}5$xpS5~WDMv5P{#G`m(W`GW`OFWktXNQ zTCam*4G1x2Z;hr%mYB`dg{uDV1N7c{vh9YT|H|~_IE&Kln_0;zJm$XLLVjge!d&&=z1v#if}*|L&PwKh>P3?W#3&{fxkGW-XxUrh;lVo zv$eG$JMMyuItGWWV+@TvO<7be9Y$O#I;2O`0Xq6REp=cN^Rkrf;;WX@X$M6<#L^sVzw{s}Fo-qh< zZ0V>%b|k^c8C}%ODj>b04_USobbV&%#U9+jJEs48bLozjJGo$GU*g>mNBOt?$d23i z9w(T{Ko240S5KAUyx*m@avrX-`!TLDi1BFs*-EB9cAFV7iR=>I!BaY$VRnBTu4ES+*fSgXr@0JUVbBtWs)u3oB+m45mYP)I6cb5d4;wT+<*250 zD6z2G0kLkcFQM`}Hq7U|{ld+UFL_8Rm|k95GqEY$G29+7AjU_{pd7>gXQ=*s{TbHN zEJVZJxz$3d#5Kr{2!fxzzW3n>n=u6dW+-1ozQNq@HjFp2j&ram^^QjM0#s;5B0ptn?1v>#o zn(GwpXXYiUw?rQ90W68KBc}WEATSQ6iHceUt3Hlk;d}}HzvoMko1(OD!}II(e*>y! zFUo~^8%7%h7{gPfhN8A8G-qPP>B-;^pS53ck#th^mar6?NGw7riq?p-6J5Qku8#VQ z07Po}ha?BTC>aTu9bB{LL9uGial%3K)7T%*Fh|r*0q#X13S>HMVmB3R<&KmhFDl8@ z->&kRX|SXK_7C;)61N;zW3hfPhy#;Bao|4^A->W=$?`*Y21_!1i@=f)Br%M!wtG@j z{VV~XVCMgyn4S6G$|q3TXX+(^XXA+OZbJ}q5e4ygnl*~E^mWOVL6>MCWn8kNU0fSK4LT80xaAhw5X-C+0`G#z1lK%bj# z_pchhHts#mncxrGY)V$hEor!CBoC;fl_vb@-8P#PP~Z1w$D`PJs19x(M5{dpjcnh7 z^s$+DLOpjuT^t77RmcniuKCxz2lSzffRwjhwJwc;3K*;Djyr-bqvCZSW;g@xx=Wh} zpn3%et9F1O3j5{xvPf=lN5~4eH|V5v;udsC+X<)Rk6W;GE-pW3G-ZIWu@V?-9x zy#3ylZfY#xCyx;n)dVG796{0`q+ZdBK1NFdqQ#{xhh*%T$UDlT1r2;JYCj8}1zBY9 zf)99PWq_!P3|qf6>8a8fYz3pW>3Fo3m}diuyFr&IL073wi#2cG%Jl4(@BnpRUC>2& zQ2iHNILLqCXttXUT@U#Dlf|*^wR~wF5F*l=>6N2Qp*IVL&@}c2=+}r8 z21SZ>d#l-pclkho#RFVk*a7OM z1N_?_%6DQOrl|T9iSz^1A9JO=vZn2hUIsVc(XpdITr~@dq_+o7R9U`dOS=n7Kbt|= z^6nIu*|zHP7+@q1R4S+`9%1MYu4=Ld^8$5)P}md-dYEs5JBT`mkffO0eifm2hch4|ayGUMUZ*xMjF z2ttV}2H-Xx=4!X}3J}ffngw?<**7_J-Gm~<&<&0mocs}>Gv7pA68{Cnou!akg`Xhy z=VV?3);N7n3MgQ@05l^YtXtYk_Hg%>b~L*RyIB5v+;nR#qF7|lxmO6L#Y}r&Eyem z4JC~m*w4TcSU>-4!}V?b;8~&6*y;r-L>nu-1n-p#fGU1|p70lgsBE=KFDw+gzr@uX z*&c=XK%IWW#6;n|UHLe0G%FUKkI+%xjG2{eSulW{7AVQ1U2YyOk~@rv`Or!{FDv|R z-d72_z&SM`tj4=zmRdeGZ-feUMz!zrbk!%Qiq9V`xf#mPExF}$Dm12JbA2Q> zU`vH+MZ&*PFZp~a)Wt2;$&crc?O50h-Cv5N)NNVR&JFR8>0?X)nUXJ>3=W3jELjS+snV|7gcR-ZQYXuz%8PaN=HDh(bq{aNhte7 z0;sh$C7?x$a%a(4xkO?Lp3%A23*p-QFe_ny0(Jv&H8bkt4m zGf?ArGat%kKI%y`kk`VcT_Tm+y`z^9cL!+)?)w2cBEl626)GV5>wv-uu9-fqlpD~p^J{eI{B&NuA-%X;5uexK)luIs+9o0E0f@Qqe0J3cK@L0#>M=<7pE zA{jb!aDLdwgzrz>a`lWST&a*!VD7}$lRz`)m9LhWSwDsLd9CS}kDdDp%H-!(Qw{t> zQLKHOLbXjI1dvz2XXp$HcCv0X>siqw&v)Dehi!o@$r;0U;19Gb<|5b-d#2)iBUh*- zEgYcn?^t7zG@KejC*bM|jz;nPT&F#Lw26t9B?6E|UeC}n(s=>$L zZr7Lf?W0zZQw_)x_8`BmfMKLX;E~2IC1~w%>Bqp>LaxV7rf_^+T)x1zBo(gx4s0*9XbTrivo{59pG zX2uaYY&B0r_xXb}*AH+6%7z@Ms!^>sLY`DR8VC;9d8sr4liOBYI(7b8WwlXCqYw@P z-O%;nEX{d0{&vKIHR1jnYhrejp6XLPjTA&5oQ6Xu$eZQqcn#~NVQ4a zBYzgp1_Ea(aY*wvLcBw)RfaMEXJrLAZk-4{Zg&Oji@4nG`UB09=iI~?{Doe|O!?Tb zD7!p}+7EvhIvwXb+EfSCBcXNr6{Zl;5NZ2kS!IAOiofYrkl z*`0pH*AWG8idpK&&IRiS6Qf*xv|~pHh0jcy<}1Y5l7JlA24KeDr6+ma-)lpK1uhsZr7^!Txt{ZC z^HNh{U^l;}TK8$zFMsI9G5^A~8Y#sM+$Ox7!N*yfkz*lk4s2kV>UA<57fK)!f7{o7 z8|{qz>Z#twT!W!E)>P_nRaYY4J&<&JAIP< z8N=Bs2nJl>@Px*r@hDx``cFw>U4PbmX<2{-Jp} z_iMQaY{9EMuR!WI9uh;F>Jp!&GEcDPp(HaCHi#TRKHX>aOR+WADywHWF&j59fVsre zPL7QtPh!s_9d=vZMz8o*{Yf}F#cLyAvakni+i=RS9&ac7Zq?Z1~6Mv4TWJ!SJhNzB{``^F`f{bzx`c5p;>g&dxsuON_Z(4{B}RG+@zq z;6^cajW+>{>F)y@VJnzbl;-*b6#WxG$e+*u1E8pJ69_OaTC*1A2msLNUo=*|`xn%| z`1F;;mxeRlQ;ZqxYcN6u!uQ$%y>462V%qPbnKt2}gCMnOkWswjd0F>k729R;CUHQd zc7b7}b4Xy5s$?YD6z9|DGE$J6oUyI13c_Th5-eN^>9<-o@d@pRYq>ZI}6 z62RxDc)pr5?*BP3n2VIFPOHrvmsBQ4m;lp4z{+Ix!YhXZnZK>t^wWdh4FN?8V%Y)i zA{$!*c~q8(hf|1v&q38`Txu5Xis2no=|LhL`6r%KwSxz|^uA}NcQ@~SHp#7pdj%IJ zsP`2;CgYU>u`EQgYi!i3EB-D#*D^3CbMtE_Rp@jWFX@RYR$ja6B3y<9R^ID3A3FQu z@CT00lPF3#3hO8rS2AV$5(U$F0Hy@*g&vVRkwHIyM7?#KwJ=eJ-lk@!gRG$-Hx`U2 zVxhP^nk)vM1{)_O56Z6Hj0)UvF#fa$xH}m0Pk>t3VFt?J>=?dj)(wZbpRc{e)isUqE(rLA{cuGUJdZSbrp2=zOpZ^B` ziH_brL_>8q za?2BG&=@J#2k1v|-$k=Tet6Vk}0Hlt^l{gUXE#gl}I_**tg#&4@~iP z)+2BwgivC{TE0|{5oPHYPkKEi;pi9~j~})?xjUr(pB)HQ~%c@A5=TboZBh%AaXtNj4%S2{HMo=#z&@ATe4| z;5ahcnhGDoXpV$1YJVAj%r^G$hZyTBzcDDABV3<}<}>5R4ZpxsIK=t~ORLxo|#q zH9dWKa$Kb9-W?{&R&fyFB}afSFdfcVV32>DFcbh$Oy-ce$Nuv}rW^YK#lwIl*#scx zI>4fmJN1tKo^RR_GBY_Qm6*iY! zZSp(gvsWxWiu1W+_A%A7EBb4-mM`}^kH8q7?c3);W+x1Ujt=xvLDD!0U3OA;COJr1 zg>-M<&kx908pZ`h%7Qj#B-x|=bH|7tRk~eBKtUqs#E-$Pp(l1Gbt)FjST!^#!rqMn z$#1o-qysSp0EhiG-{!I}Yf|#nQc?&qBWyEcmh+TI5w6|2Yl&1z&xDjE-vkhZ@nXe0tD2CxZo z)TI+migE>tm<*HOo#Gx*8v}#mki6u5V)zV6Q5<64Z4YhEb`k`M`sIdjZ>$z+==F^q zpG{9mVh`^7CDQfTb)Qr5T$q_9bS2yl@2nkm?~; z#H8@9Y)A}_yRd@6>BQjlDsD97X}hFPwF#C#2E?8-Am@lPYDSP>%|xR@Ponxj63U|V ziks8b1*5`U5v-sq)-%$qkhWx{D!CK%AKAuZqEq5QL6ANeGOmttWMT53fD+l5Y0ZA4 zTry8rx?&>>!xU0nmmsw9>WiK!`7tl0Vu+*TR~hf{J*feQwh!o=HUnIxfRb)((0sVY z0qKywM+wJ}=IM<$5Fy!v0r&dq6wVhs2%=k-G2vvW7@nvS)5=0m5!WW8?s%Xqtf^h6zt$ z0>OO{<(dlKJ9Z&sw=$amqqCn;$DbUULm{_7;uWt7{`M5*M{5E~)b@oe0Fyq?cNjE* zoamk)n=XieeUAi3b)SGWBtP3&QMXKlzCJJCV%1&`V3+j%iUrSF6q-=)&W^oqY%(aC zK)SARf)L@Rc?@7hnO)~e1Ugg3q&ZIXCB;dfg)#LNW=FsiSW%7Zg1LuQf0(Ece=Zdy z9{|yxD9u((%Y!4WE;ruh&#dIP9-KxC1qW0Wh9Zl1qzO7eoO8%<+O$`MH*kdy03zNw zGmi3?(4Gz;?bw(&q6W>;k_P&Q7l06CFXqyvgG!^6;{;8h=VIi_^_`s8g!W!Qboazj z0*Ch7FMu^R)_6iR!?GpK!6I z-l!3jPuBxqHmkg!)^Ee;*#}Z9QAD;f!_gB-5WDJoy^^!c*d21J?7V;cS*oeZ%WVI0 zjf_(n0lm46tdm}cEX$+T&v=GF`5=^BscRT2MS@+X2wBQHIhs18Bvwoju{l!M zmICXU!C@0nq-DB=t*PG^BdL$C@-ZB~|H|v5QGOcc(9xWb0u!U@cZ6?KOuUJFg>E6N zI+~q7|5^}(3~ zYO0vH#yppU29L$1Iw6+D$?vR^JC7(62nDORlae-u4{f8rDBd6EviTf@>Y8Pm(CnpI zMg5(I(`7UQMZW$}Vh-LWHxW=LK_FFiJt9;mll}mUrU+7jUnNdL5}MsJo)gizUT%Ua zWkcKa34)Ac$(==?R!FS_{=#=Sl;M222wwq_q;aez^}Zqu21xXD-6gC(=U!?%Ob8&X zVcZsTyTIr>Tn{kxg|;C%?q~M_>-{{7h$oGMqpZ)T-Q3S)-lnLX*wD zScwzItLr1*GtQ|*%mT=4J=3c62k5l4zatm-y>WO|a2{e_?P-o~G^1wN2c*h6eB!8f zXCfA{&DHPGzVT4@(a^RSeaIy93FxBRL}3pBj;=XA2gb|fDE{3!6uqmfm7ZjEAEiXc zr?Dw9lc^}x>7ON>Sr;xjZ)UhM(*#{1I!Z-7Qu?OZ#bkpn)oypRn$8AtKmm~hVq6xa zRnglZb41omvyc1EA){mIfB;5kkKjRnlAvhlE{~`~uBj}2JQ2-v8 z+fnDA^9eCKxA-3c)hlsX+*k#dX@^zQ`5@5n6*uwE3cknk|1Cr0{ChtYBXe`}_rsuJ-qPA? zc}!yoD@e{g-Ju0oD#ov$P1?ADQhNfHRzCgO@F8qZ`P&e~XEKH}qL@?OBOS8_NcF+( zw0f#A9|QjL!ofKEPT=W3y!QT8(rIA6%#qbL=d~g)*><4+X_7PL z*ixk>LJ7#U%UeqhBgc}b{I7UR=ouP^Eefw=c{6>Bdt|?L;kUCLn$b!SWi9bO_s;IdclgMGUWw@66G6~adl`|`$ z6udK5sQ7Dx9Z-;gT}9?4f;_It?%0VMjlf<)u_YOP^R?3=CDF9^Sg8 zO%I-=U}L~;l6)2(T)VV#+(m~@-=FIW4GZE&ok-k_8rdO(bzxvD=S?mm`K=VQ3$a;p zr{Faaw!?#uqmvR=p0j`ohUBm!t4ri-bi&}*bgUCiV>@`EAbmE}l+Ens#n4$-B37vI zDsB@Z4E1L0y~~5F0b45u5d>x0y@PJan6)Mvk*% zT?l*}=?0ZguwhLJ$#RVohu8F((|)=BDlZxqY}(5`3z`R^DWETjb>e0)FB;ArSW^;c zJ7uA>!g#FEWyc%1(ZHKxP4O7D<%Hk-1h8h_$s~`W0i|NgOe*y)57a;?XAX?KTcJ4{ zfp{Yi`|*xiZXC4K9-AY>_LTkh@T4>^nxn!Syt(k8q6Ic)@fxWoP;XtZPWbacBWtUe z3!?KYQ3NUvp!P57E^ch?+Vzd7Lj{nU4C{p38a-&I(`l?J zmxp*wptH-cLbK~g#W*zZJXllgg4i3uvyfRkqq49B^? zo$%t9_1KSvX1!uCoYvSJwT$-I2*8u<*c{2o>K%j!<9V?$TYK_K7BqXv7W@1?01FGgGo=r`xiN(R+F6t8dyCvcRHAJuI7+O9Z zfsY=oM%1P4Qcn2XTWRSF|Ajd;TnwM4yR|a&cl4R7E!HtSU-b|@&U{awU67*haR&|0 zLP5{j1S!2=et`9`P>`ZUEkViWH6OO@u{ST8)eE`qzqZy}0G1BV$UxmMgf<2`^O9kCya8LH{?0rdCUb?!79ss%x;)lK$%` hhSds&cdLqqE(!2ns%UlTedi+hXQXGQTS#$=_zNJ|d2s*$ diff --git a/versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP1/Distributed.drawio b/versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP1/Distributed.drawio deleted file mode 100644 index f7c6fe79..00000000 --- a/versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP1/Distributed.drawio +++ /dev/null @@ -1 +0,0 @@ -7V3bcts2EP0aP8pDgPfH2ImbziRTt+m0zVMHpmCJMUUoFG1L/fqC4kUkAEoULwDkRC8WIBIkF2d3z+6C8JV5u9r+kqD18jOZ4+gKGvPtlfn+CtKPY9M/Wc8u7/FtM+9YJOE87wKHji/hf7joNIre53CON40DU0KiNFw3OwMSxzhIG30oSchr87BHEjWvukYLzHV8CVDE9/4dztNl3uvZxqH/Iw4Xy/LKwCh+eUDB0yIhz3FxvStoPu4/+c8rVI5VHL9Zojl5rXWZH67M24SQNP+22t7iKJNtKbb8vLuWX6v7TnCcdjkhWVoPJP5zF3/w/trOvG+vv70+z4rJe0HRMy4fw4noeDePhA5L5YmC/Afn+3N2pzcfcfSC0zBAh67s4dJd1DwuO3+22U/3O3oAgOtt/Qxnkf29R0kapiGJy6vS288vnP9eSK4aHFIhrrOvz6voLkEr+vXmdRmm+Ms6v89XClLat0xXEW0B+nU/QziTgUFb1SRkjYCswqD4HqEHHN1UU3pLIpLQn2ISZ9fYpAl5qvABise7Q6swymD/F07mKEZFd4FxkA2LonAR00ZAJwkn1RO94CTF29aJBBU8qNphssJpsqOHFCfMbLeAVKFywC0x+VpDcNm3rKHX9opOVGjNohr9gBz6pQDPGUACkEPSBif0OWkfHGEayyfzMqlWj2QaI4kUcCK1eJGajkikYASRrrboX/K79Qh+vYe77+Ef8RMBM4+TaECCp4SgYClDoJz0BDJuF6jFCNQ0O8oTGiPI055D4NsPc8+Yo0cAwMy0OJHhOfUDRZMk6ZIsSIyiD4dexnTUZDdHm+W+H3SwHNTE3YXZne5HwfH8Xea1souucZz3NH+v24+OZqZ1xrKHPDpfCY5QGr40naFI9PtT6a2jXe2ANQnjdFMb+T7rOMDAAoxaGdBvOqkzT6Bf8nsQn256LadXd7whz0mAi9MYQFVi6a+zrsCfDsTd4ZhPhKwL0H3DaborEICeU9LE5x50JcyCCG02mZ9rYBEcQ00upCOPWdAGOt4Cp0eOc8ZG4SCDypOdmkE1ADdTpVGlPGFNtTkTUuXQI/yYNTfUvobx4tO+9d50xrKeVhPHlsDBAyiwns5Uzsg5Krt2Dy9fdpUMVMgOuCh4QLZredg2fedhBji5MQT7bObckZJzBNt498OQ7HKm3Wm4jW0zXsbmEWaL6LdlTqWegLdesv1MC+Hp72T8SSgMxxkoN2yhquUYuZubjDP4nImgI6JohtahRmbVYsxqlcBR5pLKkPMtYb4U6uSgh23xmSTQlw9aRz3apJmNT5FGsIeedrA3j1ExzfMC0G6BnZS0gFieloCivcGYDXQN2oBeURu4mLCNtRXqozZwMWEbSy80kJ0ol6ModLv5GbqNgjIuza9B5OYp9zbjs1hJoRub7qVs4tqofWBzwKkp7UUEcmx6TD2hrQrkb0gDJqq/8PUSnk8r1IAKjXoHdWx2XQMVgAKuwerEoXLIhAd8dw3neBum/2R4vva8ovl137SL1vttgfZ9Y1dr3OMkpM+X+eWiNkmfNR8LOGW7NljWPIy2b+3qLXa8TurVllE/Hca4HVWw4fv5SS/7hmZc2KyxYzNoailNCkYymJHY2HhqNb/kDAS3MgFUpFBdDgL+IDkI2DUHAfXKQcCLyUFwpWMABSuZJHu3i8lCcMVjHaR3Mg8hbY3mzxLyVCVkv3Miwp0MZ9omIg4UtuSsX2vkVsxfB/goVXXnAxGRxeMuImHBEzZDoCxybXKZDdRPV/rj3pSUsuBKz9Jxb15GmoKiTD/g84mKywn9gK9f5GfysbRy0zJF5FcuwD8Z+Zn22GZo2PzwkbmmkV/1opk+oYt5PGzWKPCzWFOrgfD4qPln/fnC4z4AtAv7LNEKddYB/Zilh6PpmNOOrGsKU1H9AVg+g6neBQhQJR0lMXhLVIGIN4QCVhuXwr9TKqTvIm2fzKdYGr6f1vqiZKXxdkPhT6h7f822Or/VZnXU7IEqa9sN/Hjsy9tTKxmfHvoJlrPB4koCi8nSf8Pyr53Dx5WLHZ75o3V4nacX6ewFT9ch0chWM6badQSW2pVpqUvd11DXpGbj7dELwS3qw754LjspafPhnobJeMC9YK88Jeko8Uo1j+Oe5XL0UzGna0RTsu7JKwSA8WU+u8fKxLs4OKauxrd1lk/zEElvFtpmv7k7OdCe0Hjm4WNLtc8Onwiu7POMzn2WW9DGTHM1U19Q6QCmVDMtWgS0D9mv12WmcfZwiiHS50+bWjOCtNglU1WgVRMWFMXpk70U4vBxOi8spERYM2hoJy1tV64McMqSVqFwhQ/ZvNfhsww6FuNN/RahlHekcxKUyxSrz4G6auOFqtGtejEtKZS31o0tfPVlhTPTsBlEWdkrTwda6HQyX+fuZMc/QQHa9hvltrLzGmc0t7IbbQM6vjKSJd6Uswb2VU31rMG9JELP5l3U83lXSYJSiRmdPPdosablaKDb1VTyywfdPgH0uZaSf5rjhpJbBi3HTvLhaNNOqglF2bWxUs2keGNnTk7Vvs7ti9+02dfZZsEld19noUQhJ1EVlvSsFZ+MBTwZ0gqfu2AmdVIqPM4aaGQHTc7RV1tHXu45ENoMvxRuZjJZRNo+c5KWew4SHrcBgHLRqdkEY0TtFhSRhMf5KrUb8gost1bYY3WK1NnJNxdUNT181nuaEvi4hhf4ULn1UJvTOrcG3r++PYoy+BehDNLy4sO0wWTLtOq1QZMdPUdELOjKnZUittxtUpkVgr2sEKjZoNKSyTBDnSd1aEDUK43DRheGb9cBcvL4MhvZdrx7/PjBWZ+jIq9ZBmo4E7KlkqHgNUH+2tGpF1rVcw4otfwoliX//6mUqH/FJdzuZKI3cxlT/btycqX5EMGmlhdKNaESrtl5lod67l5GnjPC7P+QZIuaFjx+xkRmmw8ML8Jss2km9Ua73GjuMhIgvWz7iMor2q7uCEDHXzbB/vMJg90zcrzFWWIB6OHjVUwpHDqlw/SUf39Kx1QYYMtr6oN/qDoI7ctPFJm4zpnhiUycrdrECZLOGubZ9FO0Mu/3hnxD18SwWtdwZNe+KdatjVws8UTAtaQCF7414JYb2p0mNbZK5Ir23dMXuRy38UT/JmAk5NJmQrLtlw6uLUHr5Wcyx9kR/wM= \ No newline at end of file diff --git a/versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP1/Distributed.png b/versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP1/Distributed.png deleted file mode 100644 index d96ca216b2fe23de6ecacca6544f5b0d0ef86778..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 31547 zcmeFa2UOGBwmu4oieN#JBHacSS_nx%>AfQ$y$PWO0--mlBB&IxBhpj^l#ZYjX;OlU zfYLz(2~FuC0s#WN^$YHEJZGOX?!E8bcmLym$9C+YkgUGunrqJa&2Q}+7j)J3F>*4} z(9rDDP**mfp`pjq(9jk#>;j(@we_#k(Cq%|qhjjg7T}1%I?$YiD{cRDQe4a#=k0S6 zu6$Bl+~40{#NNx+Uj%~#zk#pZaP}BSjD!95*WzO0V!~oDVHoTp41N->0G9-RiNQrs z;^OAp40RS_a$ps7=)FxW}BBKS!gS&)7R{}p{F|H2aA2kQGD-NpS?QZJ<{!w!F!nt95 z-9R;zl!%xJTuK5Vf|B~<8&Kt+KR2{>wDrRL)(tdI2OnFf?Kzq|iYwW=I_WwE*(>_$ z8V0&~;xxAB=I7w$jlsEZ7lVn5AVgr>U-$%iIBb7v@8E|)gFeMi!d1Wu+hc5k?qj@ymG zjXmtq2ydjy1u>YTyS}=H$pvLIg!ly?mkT}@b-i@p>V7DgrmCW%i;AD%Kx@altf&%Kk>PGe+QW~zRZYl_GEh%SR2|c)q zj~n~~`lPs`zN52)zqX=|i=%>*D?;g_fr)|ysN||DW$WZ&ucE7Ds%)Z$aWcb6Xt~sQ!@ocgp`2_T+B2;OT$w|(LMm_6(EJcs2G`I zv1WR%L0V8>pkZh803Q{1aVd;G+!TCdBo(0NYKzql0z#ySfhjBaIEiV%UExm3CiXh2 zDvkjtCvz|+gr-T5x}T%3qPM-hBw7=c)iP6ZRMB%Z(Q`Bx_w$!Pt3$#NsOad5L92PV zp_~zh4j45_arGeZvA=tehk_&0&f5f3L}&oXQq))S(DMmWk~>QCvi6;9ajVM3nt2LeoE&0>Tcd(R}?RJ zz!eldkU>gVe=mJCZv`i9e|x7O4YZ*a%)=F~V&HAAfW_#djFHM3rYfptzFrs2;R+2XKfEJjE9P{ zEdp-jpx|cWYhtMFYh)CN!}+N=1}W$nX@CRn>@TijfHd=xz^IrgAPsO%hOQW8Z(AcX z37iTTs6AFM&cp;wloh4w~lXW@hU4M&j!3=7AW0e+d;kgbo6%rlO;XgaVj}k``P; zMO6~(s9}N*K%-O?{ro&|N=_)Wx|^ASii)N=&?1U@V&{err(ma2=CnSs9| zRtg*$RY?VJWdzz6p`eFyanUtFJ4m7({0&@;%u%*xYCvld;J*1lc1#o33!e9nINVI*BuTvnXWd|u@(;z)%Wu%`e7VRtMY^Z34 z^2VTbO~jS718x00T~PME%1Ao{RS8{FaRUhnaXmdyMHg#mrvo?fKsv*4$Uxm7Pai+5 zpNp*o9PNp43{n#Jzi5gygQLBJOpqFIW6-U(x}7ps3JINECr>?$DbB?Nu5O|Z^90{{ zcn3)+2RN$e`0MB>J9ryQ1}Y%kOpSfDz1_@%)R3y$3c3>BfoM-~vnXD$ceHcV^a;|} zvzIWC1h<%~p=5xcDa^sn6s~S4W^dL;q`CCLWvdJ>74YL9_X_or z0l)vc$>Ay$i<+f0H2gFg$_f_)tY^ROxpz|K{sK{cIrGTQi`?{_H_wTMKP8-+x@L4H zW;gokbk0Z*wXU?l3m_j|AB4ZA>|AD`W}|@ZfchO>?%ELy3Y)| zRs5@iZi~*vC*NMNnGAN4{qeEZ5Q)UPjS{#0*Kg85-^&-&{oEjV9liPj{23(XNQG65 zKZs>1m;^ zeIU=T5RNL?qt1OL{8o6`(u7-$qC>qH=!Axjhy5|Ehe+=kNd1kW^x(I6S1#e3D*SqN zUxG-;;i{=`Sg5-Qb9(2v?mMRoSfKW3BIs#{$_4m68R!)0hI*3ARvGW_X@J^e@UaZX zn>MpFjvs}7qR052(hX558kr zcs*3riYh!O$py{wF&pUlm3_>#^8frI@>jt8eq<&_^Y{B3rB zp<2qK#^^$QT4SREb<+3uEUX!u)t3+E?2OJYb1kfXU12li(Xg)}gLmn4G;RRg*IF8a$2@-psKE!y{FsQ!fgms zJ#975sKyuKgk+IoH>6ME1ePLVc!^vA=ZS9-u^L!#;HVZ>5 zH7M!%z;-Rp820580{a!IGN2vaTlV1)e%x62*2^L5mCD{I_L_w#+w4?7M$y3cTJ`6L zh&LBfCZ(N*0_RKGWk;?bzsYbmuc-dx25BE^kXcu9vu>jdb^A3 zYFYKH+sL=b1N#d@W?hrHqRAG8ik(8b;y6vQ;ke+mgD7JF1i*qA2NS=q>)9B+lA7Zz9~_)F^fCE!os4IFix|5-dqlW zOb zAMG;7K69(xSZ?(s%93BUh%n7x9$tTRc}Q++wSDAy#!W^!%E*BRXw{20*QQbFX_6BU z(T|FaZ9eSt(YtI;s^<-3 zdJPT%LNAWTqmH&UER5X1$1A(^LJtw2Pj(K#T3UI$-DwNPu-C-O*NAlRBl)5!Www7N z-B3>kfh}%gYeh6RzeRtv)qC93M?|5C7-T3_*D`;T|LkcrJ?Ws_hRA>>=aT`Qu>X5EehSnImcuvpPg{zHLI zoitjQxF$4uhY+%cpeB<3^O+z*@21Z1iH|k35BDwNQ8h4Z&FVyJ*xJu*IUd=cPYy&u zdSgc`0r!~@-x$Si{rty=zU{l=A;YsOeN=_mm1CcjBJM4*C0|$>x{Nc$RWH?-q%Gx5 z>?!IiUt4Vt;|(Ro+FX6rYyD_y9~Dv-K5C2(tyGlY{TTR(9B0_C)alxyv+ISvpi(oR`n$8#HNDd@h-eOHRCE zICLE`e1I*ib1C9L@MDZe{+qeV5uhF%NXq8HAEl9>2(jyCPN}Q}8+;tPIr(az&-w3< zBkRpw^Sh-(dBbWbO!c}oyK*=i^LZ({M5bF7qs5M zxA`f!3WlsF*jxx3JI>e7(WocgDENw(cwJ3GFFs@;k`F5@du0CZsL9pFiJpy>VLofp zqh5*OCa(0pnA)!Ru%oh}ipPf%n{AB4mP^vzYE(}Q`8OvR;A`plYDI;H4m7VXNVb&# zb?348UJ$iHAPOQ01esMl7jBSJPo7A|?JpY&awQ>7m254J`@Add;2 z@de-0ZJSByaqo8fw|})iPQSLMTAjjwn^~Rx`zRQTl*|_Q4XQbGAi^32jhj#9gAi3W zfpL>nWkQy@Z^)ZP$QGdH(p!3%KU2S&*%|bOWAvcMI)T7Q{on)BPhxyfpvtjhw*)?w zE#Wu3&4;8IspGbxtH#EG#jB0E*H0bQGp3)j@j+`Jr4B_b(uJ5q11{t{b_`k(AEn2M z+XMFeW57GteyUbi@g6+rEchuKYWU5dw*=MP3ZoC|1%p`FJS+&O+NaK{Ej?}4&e+Ts7Tkv|X;qa>Hl$93 z`MJeoQC!z_8=c9#%B75WB;%mm<@ZPu)l~bQD?gvcG41;FA^Wz8cbZNDZ*Wg?7wr++ zp5(aW8Pxd!MJ|v2XpsI(y)iH?s9JH{8)1H^7QUn!xLxEzElqs!n)kcC+nqiH=JC0v zaCs@(9t$bgW7{U~t!X{dba+)h)R?^yhLy!+&h^?1M4Cuv^-@5??45)l?*Nx(mhLl^6p)1Fn8G2mb9 zyt%K?&pIhNJgf7 zjwSVocY5cMRRd7#lzVK6H`IpgxsU9OI1DsM%$*I`*n8RC68JGMd6^b7mpJ86iHl3k z&tO?NA>fe)u;IaV=hF(&5=JJjx`cM!yh@2KkQ*0H)EE&Z2r(bD~s;rNG^`=2{W zX~o}umk^z^`A`D?GhXF*(I;i8rrpQoX4Q!y!HM>gdYm>cgit*u$CFs6gQt9)pI7N1Mm84|i)yLG7jKZ`z(QEjp2Th%y zrVt`;r~5q%cttuBBC&cJ+Lo&KlH!bXr|I&_4xd~{zq=c<-#PC6czDo*k}i%L6zAtt z2^whaVN(e@CY^hR!D3+J4*#|%f8IFScvuDZg?6t8oX2nT?K9edVd8#p#j0LFa; zfNJQ#Z9;cj?$6I-*`?*$(u)G4?@lp1V<;LjxHpq1LbU$`F68|Q(sPCIC1U}tLEJsh*D(Y)9{qOX`^EwVWkDhtIebw- z7>JR_Ohpe*lcOqPuaPEPWo)L&O-y+n^1)1zOi{;iinsPg%3lEzL96kN+0|*9Om{Vv zw?4UWDL8-Bzmj98$bK7I<;bJXajdFk)~9-iOy2AVCR=-hYI=yV?4~2(WVT)GjA}zy z`H$=ZL8TrGx;u48d)j)4I~mT)Tt(STubMZ{`@k42xohaI?^622aW>Aq`a<3)`-BK@ z+jcMPqDA$zMB%+6hi_KxQ4rrtw+Dy_{fP*rywvDA5QA9jb!C4+Y| z?~4YJCyuW{PfVLdKUztrZ1*B+eJN@O!Ggo`6n7xY6?+c)L*SI`QK!3RdfuX$oqy&h z^H6a9q$^KtXVWPUPckDv=UxSLo>=9QV)0Fzhi?KTw|lXvs$<;USSD6}L2^-m{=FE( z2_Q3vZqe^A_IrI(RKD-W(W+JR_TF=$*|GZH2n($85*%0XrnWxQQFc7FV*W&rU%doG zu)l8-@|P;i{-HiFX~hZAiYW}^rh&sXVf)~oDFvtqmM7H z|K7vYbS~6(jxh487b4wRZsy_oZ;B)Dl9^95@ZaJGnnV7OWaB{pxf&YV>}w0#Tbe4O z8WG!ILi70&11CD_b3S{FFQtC4sUdK?7s5_sN&cFsw^8-CQAgFI6+l37=|T7jkL#~W ze1mE0bq|beZ|QlfI6C%gg)~p!GE3kYGc5i$3QoxX4~OhOuW=(+3&JU-EeC#6%Na0% zQB&+a5z$f*8Was)ZL!%8g+?Zq$lulEI3eHGqkfOz^>QBHF8vV@KdI;okYev1r;L5n znjYk=Hkb~6Xf}0@OqrD9gCb`8xOB&dT|Xu;Dmz5p`4vp73(7qnV%26i6{0c~qU54l z9;SPLYRJ>7U{b;Sg|Dpkd0!rnEotpLVK(N#(se+59*|R@qT>&F4DJxysvIxsyV$;a8ySj{gYoD&wSFa3l zA^R>xLeA>7rCuAkk1O??8}nguRUi`JhBtG#Z&dHu%)?HYTnGcc@zvg{354wzx3Yau z477Zy$09i_wzmmab>=L=Eb&WJ5bwoo;v0%x>jp6)Y;SS#QWmQEG!(kC$!eQ4KTw?H z`}4EfwcNs*bB$aPvt`4w+#pUlvQ!urQaS8rET z&c#0+@6JlA2;;S6H(&i>eR6p^#yQUDfnI(To7_P8_yY^1PI0!}#*Y!!!T=RgmTZk} zf?mEf;a~y-h)aqlqb!r%D>3CiJG2^r)6UB#Y~EG%d27m~ma|QAG;TsCG}vwi^5&=W z%dE*i^uh)t+J`6;DAZ)=lwta#GT8E%pq$i9#bla}5+T-xVkb%d7MYx&VeQ*(q;q_v zo=Ft@2wiMeG+(oh>{SMPeN5yNhgSaNeXy{XQt<+PAYjI|U-DbH2UzVW6o_Ezu#jsv zr)wRjq>(wh@~?sL`6v{F-D6_usZz4bE@QQ{Q`dEq+yq5dionjGT!jmg6nw)*<5AH- zl0T2khizTXKz^6ZXZ$pPD=kR$#Kh_EV7SM2DP2fd)?7MYI&%mI&Oq2u=_1_xmCu%t zaA8-_#AZ^^+~yffSd;{QAUP@RNyS0DV2OMANVH=p@y7$OMyG=bEa}dhD`>v;zJ>dR z!I_u`P0>cdK_@o{11D2QY!6&ECE+*nO4=S_I2yy=jNUw755*ft2~vV-0e0ozpT3(rKMG3)U$8B@-Uo##Ee5dp%u+5#OdHBITAae)(Kpeg`xHO>btDkFH z)*yfi9(fWB6FsY&@O_UfZ7N~N@8!2y#Kx5KDb7}+qnk?MRr-4v?y+2|zF*RIDo!fLY&9`EqVL4?cP@J!`eUJ(R5moQrk|JTEu`6XoQqCX^d| z@o{|FaeT!oo2MKo>V2g2Ey~1jIw@sR!e($QQ#9no>N`gY*#R5c6y5i8>#OZG9>)UF zv=R`0Lv8V<^Jc($ZY*L$4)!c@rz>(_%r2g@+i1?NvfHsNGasne+4TrST(@MMWg15z z{J~@DMK)5T{qhj$ksvI)R(A24MEAIT=L!(Pggxe~8hhJqk2BsX zJ2)b_FXA9DDvm!slJfMv;9R=Hofr4{l5(eqPMKT3SOO3P1@Yv5`kawnZNYV*MOVAb zonLU-V&$7q6rjO+AKXsgQ%A+=2)zPV|bA>F%8YNWSzb4h!LWY5y$CFa^4qM>o(yewgUK-eZm??O?}wp$d3*xXft>aJ_~PNM&6OPqotm}Aq0kZ8Ix0W(oSy!}o}!@-W|PVtA6Qn}rOeE{ z3XDVT3koi0I0t6-z*oR7R+gPvECh3|vHg574^>aj9I?O_tB|Vgh@Bu9tA@7s&5~Q4yT851K`To)HZ4&!;yF+ zg&d+yeE*2-`I_ALQTP08mjstxUcmlgm~kn+N~Bq@cV4rC@7iKwZPjYzVW2FmNctn> zFU91~@B1D zqMElRP_;(_26J)?&OBnD#bgQ>!s>$eOB{8O}7&sTiVAJyfRID z!PL7->}C8NggDVw@0AI@rnsxcQiu%`GJ(aKc)pR47$-+cYR7KcSyT3BlG!N)8^Yz! zvDRI|d%^$$)^I>hx-mf!U;ANY;hJ0(#c-^tl0ApX7wssa#U{0D-8wRD1*E=@ zoTa=E0BpAlN69!;?8z->Oqp?#d$Y=0O+GRHxH4hicQU|G4v(X1i1Cg*A79B5JUQjS z^-^w(w>$>6e%EhXZ|H)KTX*8zBenGACy=&}8}KC|vv#W^v3OGx@!J7B=3KUR0VNFt z{~Jx&ZG?H6MRdY^kav>lgoNXg8&g~I6Ll`a+0Oy}R6T6hFb(Dd{6*Csz+ zrF}VP#-kUSH%20KaI}zIL;NW3E>h^$^}`7M?mA%#o2Sr?wKI}17%WQea@8NX03Tjt zO*XPGlMj9XfM(mzbJ06jApfZ0%+tBB72|eaC)fAgcgt$*?*w)MtNHBRlXECl?}^Po z3Dj)Kb0;_3FT_Brq9s1Wx%guJaaHMd$f4l7oxeJLR|2ov-Fd#fGA(a(`n@08KKRY; zYp+cdh6Z9hrRg%5iiT9nT)ne^?My)$mn4jD240l*7CU>QgSi=q7?AGkV+`mbXN+h+LenS5>g z;1)?OwI?tE;dA!Ve|Z;wxuyRn-O|y~QClxBud(M$>>_((*+qF*DcjjEu*KCB$=dL; z_*+49D=`bk?IG_40;jbElGOGAFJ9b?5SkHJVsscceLd)PPN}$Ob+`8sqm5JlwHVh& z|D9vmR-p^O1;XNCN1E+2iay2YCmg;`DMdH@6{q?uIQc&ioUA9410JTN9Ok+Ec8ngt z-Sv%)R|mso_-+Kv`CWN2=|1W7soPV@_&*b)KAy3c`CIhuj_-GAmIkx2%l;x=m@w~_ zkCniqo3_?n^HAwB;(PgyJ8S22CzmI?KrR!){sqC+{&=2bpyir4T^C$MKa$4RT!}}NHj_0{CcbhXwu?{YeH9(D|ok>N~Y)x7YmwOABqh zE7#Sek8y`lh^f`GB6}lF)p7Yw(L{IwtIDe3juPEwAqYDHD+=;3~efJqK6Xr&LsF=%c~4kfF@XeE3^bD!boX zFS}Fps)sJ|ao&i(%gmt>zJxr)C3tj!pISj^4}BiUw>5JLCs!YW$}d~9O5A;65FYaU zL#gNI`yfr?j1G6=*VEL}sb|zh@R>C6utbbghdEtU5vjhw$RaLQK8I%gLeAmlqqjus zf?81a^z^1`gK{N|%tdUEVUDS^gcZ$jc0cRB%SNBHvovX!pPcE$tC*Ytv0@2NOTTPt zY5yGl3XVjO31XR*s^Pk4p}vjjjjy3^bFo{!0GD4!qi28WA*l4=iz{PxmW-b`yp#L{ z@=w+=ofn-kf7MjZ@QktOK&GZAH{B{&_+TYf`EcLH4R|gMtt(jbo+JFBh4cZolTpNh2Q;EHRYk7dY@^3+ovD+( zcc#gcVGMYbi~EkyQkO7~?ym*^Yr#`BwDt&@m!9GVd9c(ZX8>wAJ+!{i%zGKzhpXMF ze{zkNa~b4szVPUdi_}8AAShl2Dk6?o;Qnb}Q#^V*+CG99;sQMbKP74QECa%CwI}K z9q&s$^mXY2GUiTv)-GWIvaS0pBKEm<_5 z4rssv6wR~whliF5{G&jyYmji~+(DK^sI~{B&aP=VeQ>19L&1aSOhoEJ2!neXGZ*V8 z7IRqvzUwwszEHr>I6Nl}(vc7NgJkZHC-bWoKa50kxqGaZ_DRr*SiQJV(2z`n>#BB0 zSv3cWNNDMXRSC_?4R5CdiH~w0xfYs%VYT*;4xB$OwqAA~1R75Wm-}QXS1_y5Rq6ZR z!)CdN)CIxyXxT3mL)8QiB*w%((ke6t)n2_At$%akk81F8pBI`HY@(pr${ox^|4x8( zv%joEbe)05oz#%o6Ejii3UryV_j38N?jA7i###ZEEym2rc{Yo4r^|hEv@1AvL%rUz z&*}qdY!*%iZ=)_!tKVqI?6@-V^6%4zs?UI3fD*ucHon?vP3}xAFgnxQ=}$ZKd_|_= zW1$w<1rdix*BAQGE|f%T#dm*1^a_D|j8m7leRTt8iLi!0NGrpQNiaHw=Sqv6dF`mG;0;03WS-BIy|RvMmH{Rar9Fy12N+3~=a&b7dSH*_@Z4 zEK(p|#V)3RFE&-Ji34hN1^`6PPT&g-q)UmXp);o&T6Rj~V97awi#pzjgzpXQcp3*t zAD!THb{r|Q<6zO@OV#5)Mz7hV(KsCs4}TC|wvmK?c;RH=S?;4qPISjDsCWxQz?byu z*2FvivVBgp;{CCFkE?yoaT-eEfC2J}!@|9S{FUJ%9Ua4A=5L##2ad>57U`jpmeNYqsPqe)>J@aFjDmu<6TpmU{x3&13*dVGG4hSvsT6JGGwb9zo?^Lng zWaf&8Vbt+}d&7yAz?<%5ILrbXPT>6C&~T*(FTfq5T?;A%q}M(tus!;`V0-iYT)9UR ztI1VET`33hTcw*t%Pna%I{=BvX=l}}=+MNM{`%2+OWr8)F9cmXL9{t*h%|0APy@OMCi4u(Hg`AbbV@wMUV~gfO{{ zpPk9Mmp>S$9g-#9(7TH0wS-eZ>ia%i@F-WqeCW!XA|jsanrQF{lP#1~T4K{Tyi&6g z1>wabGbQcro9hq(MRxIa!c~Y@Ls{#s-H!`wv8adGBgO#mU3hXJsAfOl5g0>g=N;2T^)lc5!V!Yk8q(At^CZqXNNbJ%Nii8vJGHcML;*bHs)z6^kvos z45`Fzx%V~e(yoMq^ICN=j?lb8Iz-Z^EQ;g%8Th}c0GU$+GWSyLbPBv(8qOU!cH7p@ z?if`I0|+@7K&|k4LQ`zAYENdOH7BI17jjIhb5^g99aQ5!n6_|L@M`1%S;?95(VMNX zVF18FV7*u;pcdpD0OX00J6a-pT=R-msoH)TV51X#0mqA1Cz7x2I3O)n1t3M-Bdi|a zCN&g>F6B;OUIOH_a1~cPvJ9{gsYa;~faWqr7LY!iE!@jTuG{@6t1m0rozt2aV zFG-)#Y2~Xw?vX9HhD^L!A$E#s$WnL1G{|7cqJ0g)Qd=7UCf>U~TV_KZ=&k9YtXSZx zU#-p)-xpBXCE-ni4Fnb&;*AnOZpwPk8rB1HCKA)tyXiplvEBO>AUoP+_+^yvu4*P;T}8#BjURWXeQJLdXnyWVakyfppj+ zIlV9L^7@zIAqj?6DEs-@PSyVO%)%#Q0YeiO9S=+ygg{0^OYRMQN_p7kHITj#_zIe? zSZ&>@b???JpnhJWG)J(2a08K;TsZYg!qT=Vlh**v#ciS%qDA4-m}B`2Fqau99=F57V+GTM*yiU-#L?CT)do zu1;Rtv0suucq!M$O_nhbbco;!sRBf{NAr8X06NtpK%!uA5KQqd4l2czC3+9O9a#N6l0L<=ka!EVP0>58ApS-_r#6jANW47&P}3|3B$YD(uFR!d8e@y0N%y~xi971 z%Aj|0b`u1=XPL3J^Z29^(RYc%qlo78*YU+ZAmMVssK*h+fMe12+cjN;kAC&luuf%4NrW=|(%p?Qw9tSAQccL|itXb!!cc zHE$AZTK?)kynDmw19`X%5Mi?Ru+@gmOyw53Z=P|WNREvH;+oVJ__3`}(wNe6kJz%1 z&4u>NAyUXDr*R-xW@7XKv1JS72z;3+yoj&W4J5UqP&PmLxV+EL6e*DowkYkFvTvLI zxN+)aLO2sE9~gCA6;+t-0=526!nDeGrz&R@@J`haf@$dc3LO+I9*n zO(z?}ISG-5fl1W=CD?m9l63GL@ZiV4f9BBo4Co^&Hvk7l-n{M$AO^#pFfJNPy7dDR zNj^t2Fr@Bn*UFr_>dDLjQk#)619!X^l83=zs9Ga{ec-U7S~u9A=7FD*h8VN=aV3P8 zK^$CYAg|>vCl~rui}3;`ttrl}^nnap?OW(_?q&m4ntU47N;9>t{+KeG?=b+T7yuEB zX=pLq8>rdKGuP}Pg;yh4g;qku=;Z&+291UGFT{|7;+dKCaqi;$H zfanrJrx?l>fD)>vdiBrH6sl!DyAcVvEw%`cnd0W?jpZ+*(hGGvj?U?T3$-_r(|*RJ zfqvB=@RsUSe_6I|RLl0)5_pEyfI7*7jagiFKwasv_=9TuQ9}V4YlwS$>!$TJ-0T9u z^{}rnyu5uVnAF-DaW=oS12haQM@Nzt<2J9d^5nPKrFdY&Z~Q)V!Y1WqVzp2Tl!G#K zdEO{NjY?XLSlwxC>DjbEV6T--37klhz@K6R1AH7wH?+nDG<3`-$WDhrB=5%}V#6$G z*Zfz;)^ZileB`5k)nk3} zTfIvK8%edAFWPiz=q(vMwoqY@R&(!(JfOX+OcTM&_)EeYhZxna$3qt^t#8EY@?;Jjj5tj`qjE}H}Jr{v{-30Ri16(NhE&a=F&+p|2hxhM)+na5LmBY?V3%tNA;~g_5E~R_p03XgC z8Yw2u;XYG5?5OPa0fdx(ZiKiP9m7Z9k=i^nOh_+11+)qco%psE5ch3JoM(~(3F{2} z{KDUsqO1mP69EC*jJiDgz6lC{2!K{DZu@j=e+74-7syMe>hWo&H>Jm+*5YA5IKkAk z)?v_d29HmIJ;?$}Q{!I`8{)P-FySSSQ$6+nu=u~3Wy_trzpF#)O=Tp?Psb0;zWiN% zgkALL!Dy+xELV5MU)9ETgFs z_K(i_FBSIpVT&aId#O-*p@jq)9slgh|Ec)DnPuWh!OKt};+OuVS{b?4^7Qf`ifq2G z$mYdoNErBUZEw*7BN3po$lE86WnrzpVAlt5*2Ip3Vc*u3`4#(Mcn3u@Fmdm@_Sw{k z{%M{O4pf5z5&kF9QbKFLyG_+77}`S7nU0%KXhZ`4%oQkeq1k4tVEtqK%eb`laNF5&*7Fo75{g$)Y4rxmQ=)UZ$D&RRkxZ{hciHu`-<~Ytw9DP4D$TjTO^cg z2{bQpTZaokXJX$ypiwSCD&kmb5apT5kpn=oZUNZ=*4^C~Ts6Tqf1YOx^)h#*`Lk%@ zAKp4n-Omm>Yn#4I9;h`C3F-w$%xoZmDp3RQ88M(!_2F2X71g%+pWQu(4OrCJB6ng4G0 z`EtuML$XJ~!zTCPo(Hc(qdNDzyRc`vt;JZz>2A7TMLjjAC4UjkT2?yWvC`fW#heBH zFX!C*eQbeYcPMU%zr2|WoJ^h z37=AnST+$$4q)g@FRr4|Xb=Lk8zV`1hSKI%zWl(nggt2^P+%lu(IlKvi9L)Xz48(e zq0@&h!rjKy^OryEWYK;9{y&sFN8SvqV6N}#>blqMdy%g<$0Ls*^3^O~Hi9QL+&5IK z#1tZNVdguCdBOSM%sAM*J|tM+M7_HU@+o(bF5Cu+jSO4b-XuRf`Z@&cRr`(7IE&zqIXrM5U;I)-v13!J-bP_erc`^YS zZ?Hy-$W4cFSJvJ$fTMbKET6IYjELxrVieq-W18|HY5dM9s8O4NH$Ku(@0lU}iTRB; zrp>6z+V!klZuv}S2dl(NK+mc$Tx%{}>%2u%Nsd!)c~6@(>_HN3Zhdh~3)5xCwQ{4xj%B@dBIp&!4+>ztG4sS0dnd?N+o{64L_Qyy|CZZmGjv)A!D`LB%t<-<-Qi zEiS##`0!Sh(THi&c$C$1kLbPV)M4?GF_d*?YCgfNyTr&6*JeyQDMI%EQf(OO2q9{;gop%E&eM4D94QIq4Mk0IU%y)U?8e`A=j&E)? z#%+x%`~W^$oT~fKentd@@Rsfbz4i??EHs>wgo-D6%}hyBi!au(pcNOlcirzv{Somv z-_VwicZLJ*`@N2FGHN&Wtd_E9O)O_HrCwqAkRW+&30Wz4Cpb~(vRP4DVkDg#^g70M z_9F{A=}6HT?%eXKA}2O&!jGO+oht3(hCIMhwAuSIV+SN_uQVgeR?VeY*g*yWh%@eh zb_MdywWj((@oL={qtxObigQOzq2eEQ=*8`MZ?P>uQH)OS#HgDWI%+h~eLyb6KD4Xfr0}P4%BCcm>ysb8xJKj?Q9znwi**Y>P=0 zQM_q?2_#*xcQ^OjQ>AO)(1h!_wk7>j$PC+`N1bzuiRcR_P<-iJ=1pqx)6E4p(bVDx zqyb`pGm`uxsnqNjOcgLjYNlq?HNKnlCQ#^%eI4$zPxWioXj?)HW})iaf9h9H&LF}Q z-W}Ssp&B|@DSgGr$}H(ZyYZp}!5m1*pm=)b!$Ws{C@Zi&uXym^lx*29A$=>R*gh0wz%c6+B4+oV+A6O*t7n z^jb|lL>~M34C3!qtyItNQ{(ZyNN%y&JOl-$pG-dE6|)JQ13~(Qr1oF|2+erWki=K! z{P}4S0Cb^<^m9w5C25pvau9e8tfT?3QqmThdOWHDFlmn65zVETHnA#j z*)rouJQ3FonVA7iXI#H$%A~>9drKPO4cH~!1yAr{00xe8C>&5HJH_FR~jy^iX=wpfCxp zQ4g?Cqzq9RZ_l=r*z80k3!QMN!#zUhj^!u6k0)q715MlQ9v4SE!-y>^f|VkYiJ>Qp`txRq%pgm zumruFWs_x402U|<_PU<&>~kbO%jQ#p)Wk#l8D!Ib5MRc>c#sY~$TkCjj**Dnyv{uz ztuN1>9N^DLBTY#m@ipsT=cA#Qn{+gqUM)cZ63U!^Ez4G+B9rqNhvtz46+nL zaIOkUkL=OOn1Uq)YLoQq`T}Bb_|f>f+iJZ1!AW7kjAugQrsLpk3=qYRr2m0Rx!c;P z-C`eFZS#+Y-iT}6y4hMpp69|)E5BNc<{CKX{{UYT{h&LX_xLKzG4DE-^;WEPufP zd?eZZ`d9CEnN~y|pnHyh$Aq{~&p!}sng&l_B`0f{VlwY5bJ=&12B+Qc1>Ib|G5rIa z9Z$)nE<+Vf)w6O9B5h~pil#f({BfjiFMG>h?GzT%Yn9#C;^Jur{TG2g`7+EV@LELJ);In*yY>6@qcL zcnQtZ?%?<P$2^TjJ@bWEPuG)K}AJ!Fyq0;4!&|T1rdpRfrw8xEjJOr}U zDg44|E`2hGEx%H|@Z(E0-S)%;1INlN`;#CmP>gh}w3 zld_**b?Tmv0~ zw0X>zE^vO6JeoXVKrywakkORd$O7*l^Bh{MZ7?v`$HM{nAXjAs0FfW^1{brN<#feD zzP^%%P2{KPou4gTczYnU2qWDrcs?_}-++rmY1Hze(F4Zt-+sP2Kj2p0{a1!;zH`N6Hcq^aJDy?b) z*;|)`?+79BcBDz3`2aQQ^NHYTvAKzqzE3fHH>7_&yIT*D+k)>wdcvIq`$%py!NxTu z=;O0L5%hxXu(86gA4*#$?svR| zvDNAcZT=iTe~22jJU?bP+r7wxPMeaF9S{5#u^Z`%2;Kd7ETJb9KEs($*#AZ(KWqhQ zBdms3*?#Io87*Y=zHUbWFDL1 zAFQ=uLdYya;&8KIn@A0rFtODnSm%hsLr*G7Z1L9a77Bg42~e^DiF)Y0#EIBtw31K_ z8IS*{ug23IECCPgHKLpi*0OP;=w{8n{!$<%xaso*hP29|7^N~N3tC(l>035^F(DEIaT{KfCF#WL6|!+o^L5G%oo1dIDhOic$qCJwPtmZ#VW&! z(vtd$0%d}MFh8&D+bcWIBx=h{c9U)hru7A1lnQP1UDm78PY9DZx}pY`BUvRI4O$lJ zx3BzDnBq}y>jt1JY89TDOMgRMgR0($f)pK)FvRjm^p;|x=MW;+JM{Cq(hFu4ZedZDJk5mQ=|TF;3=^G zUegXT$Ea2*aOhgcMt{=M0UI}!12WY`XRXeq0cT>cqh_Y%@8OGA_tT9mmoYyWA6=II z*RD_EP~zX3{ckmPJ4u=UC12?=?19Y=uwxmpLu_Z!|A zr`!PJB`j<206^r$;g^ggjXeWx+l3xBcIK0k1Cs2nnE^MshQnTM_shjsF|PM_{geA` z>O&KgKc2hu^hZ zC8`zWoIT6(53b+B2Gtpbys)K8c&Ab851@T=e%C(ddD?$#>$z`j4p38Y<7Ng>Fzxq( zkeY&mEM4Z3udMwYD|4h$L0p#g_qZ%3&g=$DZwUx1tDNfv-b&Edj@9X@0ML@-?=5Me zwN0z2BZ}(m?H_rk_onL`_0cKg)#4b7fkgbnzn?yx$nfHGzGusi=(|K<_4CuB)r;0A+LkUXY$-E}x zCClkeX%}R5tN%s8HYIsQ5Hig+&E;F+3JmO({W2A*blKW`)Ue(BrTFMCcw?%QWF>M{ z3<3U3NzS#Cj3wt-_5*UKV{vQGV z-{4DufPV=B{@;P7{VUY){|K7)ufex}hZ#OdnfWcD=08qj07yDvJF!Ej4j}2Ar*<3% z34v5?y+qcCh4RAr`5}=7P`V*1c(vxwsNn-v2)^#6`7=-pQUKJb=;*VZAO%3{{C1Z4 z-2!m`mz45RGXSWm?*Bgf;{S?d4f0~hpXVub777X%(Eb^y1+%?L#ehLxSBPz*-*zg! zfYlBF!(-&A836y7Z~rTghpIQWb4*B30{Mp>wbF9b43Ph*_`gX>G5dd3vii215+eqkw)ZG-~#K8e(+4XDQG4=YXNA*hcS3=^vYw5 zH5wnD{>JoYL>Q=b8q18Cw173Yj3j6o7;qikuS0roPXH(8fy)bau>n^PT&e@j*>hw- z)|POFPQvc&XP{+%Q`v$2OVB0?g359Da?_I(?CWT7EQ|r33@HFw#L2*v1)52}>Hu2t zkp^7Cp?_)Raf~$@4^Mw@#qj5bHJ}W)i|qr(Iw0T@0E}fZ!2U`JFL3q1(!Ua*6##_R z^NcS4fv+e7l{?#if>$lkr!J+e{v2KYGrIf-yo7UTE&my9unhLqrLdz{q#!G8S(d=g zU%65+SN{0zUZ3Z}hgiQw0XsR<EXgV3qJHRtMMvH>c zq5!EVH~?G#0|Z$`MVs7%leHif(hp$?;I1d&y>I{2&h-cy2uR4w^WU+TJ|HXvtY(0V hmmM2l{(kv|4&bHO44$rjF6*2UngC#G9S8sb diff --git a/versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP1/README.md b/versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP1/README.md deleted file mode 100644 index 0fd4bb63..00000000 --- a/versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP1/README.md +++ /dev/null @@ -1,141 +0,0 @@ ---- -slug: /MEP-1-distributed-metal-control-plane -title: MEP-1 -sidebar_position: 1 ---- - -# Distributed Metal Control Plane - -This enhancement proposal was replaced by [MEP18](../MEP18/README.md). - -## Problem Statement - -We face the situation that we argue for running bare metal on-premises because this way the customers can control where and how their software and data are processed and stored. -On the other hand, we have currently decided that our metal-api control plane components run on a kubernetes cluster (in our case on a cluster provided by one of the available hyperscalers). - -Running the control plane on Kubernetes has the following benefits: - -- Ease of deployment -- Get most, if not all, of the required infrastructure services like (probably incomplete): - - IPs - - DNS - - L7-Loadbalancing - - Storage - - S3 Backup - - High Availability - -Using a kubernetes as a service offering from one of the hyperscalers, enables us to focus on using kubernetes instead of maintaining it as well. - -## Goal - -It would be much saner if metal-stack has no, or only minimal dependencies to external services. Imagine a metal-stack deployment in a plant, it would be optimal if we only have to deliver a single rack with servers and networking gear installed and wired, plug that rack to the power supply and a internet uplink and its ready to go. - -Have a second plant which you want to be part of all your plants? Just tell both that they are part of something bigger and metal-api knows of two partitions. - -## Possible Solutions - -We can think of two different solutions to this vision: - -1. Keep the central control plane approach and require some sort of kubernetes deployment accessible from the internet. This has the downside that the user must, provide a managed kubernetes deployment in his own datacenter or uses a hyperscaler. Still not optimal. -1. Install the metal-api and all its dependencies in every partition, replicate or shard the databases to every connected partition, make them know each other. Connect the partitions over the internet with some sort of vpn to make the services visible to each other. - -As we can see, the first approach does not really address the problem, therefore i will describe solution #2 in more details. - -## Central/Current setup - -### Stateful services - -Every distributed system suffer from handling state in a scalable, fast and correct way. To start how to cope with the state, we first must identify which state can be seen as partition local only and which state must be synchronous for read, and synchronous for writes across partitions. - -Affected states: - -- masterdata: e.g. tenant and project must be present in every partition, but these are entities which are read often but updates are rare. A write can therefore be visible with a decent delay in a distinct partition with no consequences. -- ipam: the prefixes and ip´s allocated from machines. These entities are also read often and rare updates. But we must differentiate between dirty reads for different types. A machine network is partition local, ips acquired from such a network must by synchronous in the same partition. Ips acquired from global networks such as internet must by synchronous for all partitions, as otherwise a internet ip could be acquired twice. -- vrf ids: they must only be unique in one partition -- image and size configurations: read often, written seldom, so no high requirements on the storage of these entities. -- images: os images are already replicated from a central s3 storage to a per partition s3 service. metal-hammer kernel and initrd are small and pull always from the central s3, can be done similar to os images. -- machine and machine allocation: must be only synchronous in the partition -- switch: must be only synchronous in the partition -- nsq messages: do not need to cross partition boundaries. No need to keep the messages persistent, even the opposite is true, we don't want to have the messages persist for a longer period. - -Now we can see that the most critical state to held and synchronize are the IPAM data, because these entities must be guaranteed to be synchronously updated, while being updated frequently. - -Datastores: - -We use three different types of datastores to persist the states of the metal application. - -- rethinkdb is the main datastore for almost all entities managed by metal-api -- postgresql is used for masterdata and ipam data. -- nsq uses disk and memory tho store the messages. - -### Stateless services - -These are the easy part, all of our services which are stateless can be scaled up and down without any impact on functionality. Even the stateful services like masterdata and metal-api rely fully on the underlying datastore and can therefore also be scaled up and down to meet scalability requirements. - -Albeit, most of these services need to be placed behind a loadbalancer which does the L4/L7 balancing across the started/available replicas of the service for the clients talking to it. This is actually provided by kubernetes with either service type loadbalancer or type clusterip. - -One exception is the `metal-console` service which must have the partition in it´s dns name now, because there is no direct network connectivity between the management networks of the partitions. See "Network Setup) - -## Distributed setup - -### State - -In order to replicate certain data which must be available across all partitions we can use on of the existing open source databases which enable such kind of setup. There are a few available out there, the following incomplete list will highlight the pro´s and cons of each. - -- RethinkDB - - We already store most of our data in RethinkDB and it gives already the ability to synchronize the data in a distributed manner with different guarantees for consistency and latency. This is described here: [Scaling, Sharding and replication](https://rethinkdb.com/docs/sharding-and-replication/). But because rethinkdb has a rough history and unsure future with the last release took more than a year, we in the team already thought that we eventually must move away from rethinkdb in the future. - -- Postgresql - - Postgres does not have a multi datacenter with replication in both directions, it just can make the remote instance store the same data. - -- CockroachDB - - Is a Postgresql compatible database engine on the wire. CockroachDB gives you both, ACID and geo replication with writes allowed from all connected members. It is even possible to configure [Follow the Workload](https://www.cockroachlabs.com/docs/stable/topology-follow-the-workload) and [Geo Partitioning and Replication](https://www.cockroachlabs.com/docs/v19.2/topology-geo-partitioned-replicas). - -If we migrate all metal-api entities to be stored the same way we store masterdata, we could use cockroachdb to store all metal entities in one ore more databases spread across all partitions and still ensure consistency and high availability. - -A simple setup how this would look like is shown here. - -![Simple CockroachDB setup](Distributed.png) - -go-ipam was modified in a example PR here: [PR 17](https://github.com/metal-stack/go-ipam/pull/17) - -### API Access - -In order to make the metal-api accessible for api users like `cloud-api` or `metalctl` as easy at it is today, some effort has to be taken. One possible approach would be to use a external loadbalancer which spread the requests evenly to all metal-api endpoints in all partitions. Because all data are accessible from all partitions, a api request going to partition A with a request to create a machine in partition B, will still work. If on the other hand partition B is not in a connected state because the interconnection between both partitions is broken, then of course the request will fail. - -**IMPORTANT** -The NSQ Message to inform `metal-core` must end in the correct partition - -To provide such a external loadbalancer we have several opportunities: - -- Cloudflare or comparable CDN service. -- BGP Anycast from every partition - -Another setup would place a small gateway behind the metal-api address, which forwards to the metal-api in the partition where the request must be executed. This gateway, `metal-api-router` must inspect the payload, extract the desired partition, and forward the request without any modifications to the metal-api endpoint in this partition. This can be done for all requests, or if we want to optimize, only for write accesses. - -## Network setup - -In order to have the impact to the overall security concept as minimal as possible i would not modify the current network setup. The only modifications which has to be made are: - -- Allow https ingress traffic to all metal-api instances. -- Allow ssh ingress traffic to all metal-console instances. -- Allow CockroachDB Replication between all partitions. -- No NSQ traffic from outside required anymore, except we cant solve the topic above. - -A simple setup how this would look like is shown here, this does not work though because of the forementioned NSQ issue. - -![API and Console Access](Distributed-API.png) - -Therefore we need the `metal-api-router`: - -![Working API and Console Access](Distributed-API-Working.png) - -## Deployment - -The deployment of our components will substantially differ in a partition compared to a the deployment we have actually. Deploying it in kubernetes in the partition would be very difficult to achieve because we have no sane way to deploy kubernetes on physical machines without a underlying API. -I would therefore suggest to deploy our components in the same way we do that for the services running on the management server. Use systemd to start docker containers. - -![Deployment](Distributed-Deployment.png) diff --git a/versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP10/README.md b/versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP10/README.md deleted file mode 100644 index 6811cdc0..00000000 --- a/versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP10/README.md +++ /dev/null @@ -1,197 +0,0 @@ ---- -slug: /MEP-10-sonic-support -title: MEP-10 -sidebar_position: 10 ---- - -# SONiC Support - -As writing this proposal, metal-stack only supports Cumulus on Broadcom ASICs. Unfortunately, after the acquisition of -Cumulus Networks by Nvidia, Broadcom decided to cut its relationship with Cumulus, and therefore Cumulus 4.2 is the last -version that supports Broadcom ASICs. Since trashing the existing hardware is not a solution, adding support for a -different network operating system is necessary. - -One of the remaining big players is [SONiC](https://sonic-net.github.io/SONiC/), which Microsoft created to scale the -network of Azure. It's an open-source project and is now part of the [Linux Foundation](https://www.linuxfoundation.org/press/press-release/software-for-open-networking-in-the-cloud-sonic-moves-to-the-linux-foundation). - -For a general introduction to SONiC, please follow the [Architecture](https://github.com/sonic-net/SONiC/wiki/Architecture) official -documentation. - -## ConfigDB - -On a cold start, the content of `/etc/sonic/config_db.json` will be loaded into the Redis database `CONFIG_DB`, and both -contain the switch's configuration except the BGP unnumbered configuration, which still has to be configured directly by -the frr configuration files. The SONiC community is working to remove this exception, but no release date is known. - -## BGP Configuration - -Frr runs inside a container, and a shell script configured it on the container startup. For BGP unnumbered, we must set -the configuration variable `docker_routing_config_mode` to `split` to prevent SONiC from overwriting our configuration -files created by `metal-core`. But by using the split mode, the integrated configuration mode of frr is deactivated, and -we have to write our BGP configuration to the daemon-specific files `bgp.conf`, `staticd.conf`, and `zebra.conf` instead -to `frr.conf`. - -```bash -elif [ "$CONFIG_TYPE" == "split" ]; then - echo "no service integrated-vtysh-config" > /etc/frr/vtysh.conf - rm -f /etc/frr/frr.conf -``` - -Reference: [docker-init](https://github.com/sonic-net/sonic-buildimage/blob/202205/dockers/docker-fpm-frr/docker_init.sh#L69) - -Adding support for the integrated configuration mode, we must at least adjust the startup shell script and the supervisor configuration: - -```bash -{% if DEVICE_METADATA.localhost.docker_routing_config_mode is defined and DEVICE_METADATA.localhost.docker_routing_config_mode == "unified" %} -[program:vtysh_b] -command=/usr/bin/vtysh -b -``` - -Reference: [supervisord.conf](https://github.com/sonic-net/sonic-buildimage/blob/202205/dockers/docker-fpm-frr/frr/supervisord/supervisord.conf.j2#L157) - -## Non-BGP Configuration - -For the Non-BGP configuration we have to write it into the Redis database directly or via one of the following interfaces: - -- `config replace ` -- the Mgmt Framework -- the SONiC restapi - -Directly writing into the Redis database isn't a stable interface, and we must determine the create, delete, and update -operations on our own. The last point is also valid for the Mgmt Framework and the SONiC restapi. Furthermore, the -Mgmt Framework doesn't start anymore for several months, and a [potential fix](https://github.com/sonic-net/sonic-buildimage/pull/10893) -is still not merged. And the SONiC restapi isn't enabled by default, and we must build and maintain our own SONiC images. - -Using `config replace` would reduce the complexity in the `metal-core` codebase because we don't have to determine the -actual changes between the running and the desired configuration. The approach's drawbacks are using a version of SONiC -that contains the PR [Yang support for VXLAN](https://github.com/sonic-net/sonic-buildimage/pull/7294), and we must provide -the whole new startup configuration to prevent unwanted deconfiguration. - -### Configure Loopback interface and activate VXLAN - -```json -{ - "LOOPBACK_INTERFACE": { - "Loopback0": {}, - "Loopback0|": {} - }, - "VXLAN_TUNNEL": { - "vtep": { - "src_ip": "" - } - } -} -``` - -#### Configure MTU - -```json -{ - "PORT": { - "Ethernet0": { - "mtu": "9000" - } - } -} -``` - -#### Configure PXE Vlan - -```json -{ - "VLAN": { - "Vlan4000": { - "vlanid": "4000" - } - }, - "VLAN_INTERFACE": { - "Vlan4000": {}, - "Vlan4000|": {} - }, - "VLAN_MEMBER": { - "Vlan4000|": { - "tagging_mode": "untagged" - } - }, - "VXLAN_TUNNEL_MAP": { - "vtep|map_104000_Vlan4000": { - "vlan": "Vlan4000", - "vni": "104000" - } - } -} -``` - -#### Configure VRF - -```json -{ - "INTERFACE": { - "Ethernet0": { - "vrf_name": "vrf104001" - } - }, - "VLAN": { - "Vlan4001": { - "vlanid": "4001" - } - }, - "VLAN_INTERFACE": { - "Vlan4001": { - "vrf_name": "vrf104001" - } - }, - "VRF": { - "vrf104001": { - "vni": "104001" - } - }, - "VXLAN_TUNNEL_MAP": { - "vtep|map_104001_Vlan4001": { - "vlan": "Vlan4001", - "vni": "104001" - } - } -} -``` - -## DHCP Relay - -The DHCP relay container only starts if `DEVICE_METADATA.localhost.type` is equal to `ToRRouter`. - -## LLDP - -SONiC always uses the local port subtype for LLDP and sets it to some freely configurable alias field of the interface. - -```python -# Get the port alias. If None or empty string, use port name instead -port_alias = port_table_dict.get("alias") -if not port_alias: - self.log_info("Unable to retrieve port alias for port '{}'. Using port name instead.".format(port_name)) - port_alias = port_name - -lldpcli_cmd = "lldpcli configure ports {0} lldp portidsubtype local {1}".format(port_name, port_alias) -``` - -Reference: [lldpmgr](https://github.com/sonic-net/sonic-buildimage/blob/202205/dockers/docker-lldp/lldpmgrd#L153) - -## Mgmt Interface - -The mgmt interface is `eth0`. To configure a static IP address and activate the Mgmt VRF, use: - -```json -{ - "MGMT_INTERFACE": { - "eth0|": { - "gwaddr": "" - } - }, - "MGMT_VRF_CONFIG": { - "vrf_global": { - "mgmtVrfEnabled": "true" - } - } -} -``` - -[IP forwarding is deactivated on `eth0`](https://github.com/sonic-net/sonic-buildimage/blob/202205/files/image_config/sysctl/sysctl-net.conf#L7), and no IP Masquerade is configured. diff --git a/versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP11/README.md b/versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP11/README.md deleted file mode 100644 index 87f48a10..00000000 --- a/versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP11/README.md +++ /dev/null @@ -1,78 +0,0 @@ ---- -slug: /MEP-11-auditing-of-metal-stack-resources -title: MEP-11 -sidebar_position: 11 ---- - -# Auditing of metal-stack resources - -Currently no logs of the ownership of resources like machines, networks, ips and volumes are generated or kept. Though due to legal requirements data centers are required to keep track of this ownership over time to prevent liability issues when opening the platform for external users. - -In this proposal we want to introduce a flexible and low-maintenance approach for auditing on top of [Meilisearch](https://www.meilisearch.com/). - -## Overview - -In general our auditing logs will be collected by a request interceptor or middleware. Every request and response will be processed and eventually logged to Meilisearch. -Meilisearch will be configured to regularly create chunks of the auditing logs. These finished chunks will be backed up to a S3 compatible storage with a read-only option enabled. - -Of course sensitive data like session keys or passwords will be redacted before logging. We want to track relevant requests and responses. If auditing the request fails, the request itself will be aborted and will not be processed further. The requests and responses that will be audited will be annotated with a correlation id. - -Transferring the meilisearch auditing data chunks to the S3 compatible storage will be done by a sidecar cronjob that is executed periodically. -To avoid data manipulation the S3 compatible storage will be configured to be read-only. - -## Whitelisting - -To reduce the amount of unnecessary logs we want to introduce a whitelist of resources and operations on those that should be logged. -Other requests will be passed directly to the next middleware or web service without any further processing. - -As we are only interested in mutating endpoints, we ignore all `GET` requests. -The whitelist includes all `POST`, `PUT`, `PATCH` and `DELETE` endpoints of the HTTP middleware except for the following (non-manipulating) route suffixes: - -- `/find` -- `/notify` -- `/try` and `/match` -- `/capacity` -- `/from-hardware` - -Regarding GRPC audit trails, they are not so interesting because only internal clients are using this API. However, we can log the trails of the `Boot` service, which can be interesting to revise the machine lifecycle. - -## Chunking in Meilisearch - -We want our data to be chunked in Meilisearch. To accomplish this, we rotate the index identifier on a scheduled basis. The index identifiers will be derived from the current date and time. - -To keep things simple, we only support hourly, daily and monthly rotation. The eventually prefixed index names will only include relevant parts of date and time like `2021-01`, `2021-01-01` or `2021-01-01_13`. - -The metal-api will only write to the current index and switches to the new index on rotation. The metal-api will never read or update data in any indices. - -## Moving chunks to S3 compatible storage - -As Meilisearch will be filled with data over time, we want to move completed chunks to a S3 compatible storage. This will be done by a sidecar cronjob that is executed periodically. Note that the periods of the index rotation and the cronjob execution don't have to match. - -When the backup process gets started, it initiates a [Meilisearch dump](https://www.meilisearch.com/docs/learn/advanced/dumps) of the whole database across all indices. Once the returned task is finished, the dump must be copied from a Meilisearch volume to the S3 compatible storage. After a successful copy, the dump can be deleted. - -Now we want to remove all indices from Meilisearch, except the most recent one. For this, we [get all indices](https://www.meilisearch.com/docs/reference/api/indexes#list-all-indexes), sort them and [delete each index](https://www.meilisearch.com/docs/reference/api/indexes#delete-an-index) except the most recent one to avoid data loss. - -For the actual implementation, we can build upon [backup-restore-sidecar](https://github.com/metal-stack/backup-restore-sidecar). But due to the index rotation and the fact, that older indices need to be deleted, this probably does not fit into the mentioned sidecar. - -## S3 compatible storage - -The dumps of chunks should automatically deleted after a certain amount of time, once we are either no longer allowed or required to keep them. -The default retention time will be 6 months. Ideally already uploaded chunks should be read-only to prevent data manipulation. - -A candidate for the S3 compatible storage is Google Cloud Storage, which allows to configure automatic expiration of objects through a [lifecycle rule](https://cloud.google.com/storage/docs/managing-lifecycles?hl=en#storage-set-lifecycle-config-go). - -## Affected components - -- metal-api grpc server needs an auditing interceptor -- metal-api web server needs an auditing filter chain / middleware -- metal-api needs new command line arguments to configure the auditing -- mini-lab needs a Meilisearch instance -- mini-lab may need a local S3 compatible storage -- we need a sidecar to implement the backup to S3 compatible storage -- Consider auditing of volume allocations and freeings outside of metal-stack - -## Alternatives considered - -Instead of using Meilisearch we investigated using an immutable database like [immudb](https://immudb.io/). But immudb does not support chunking of data and due to its immutable nature, we will never be able to free up space of expired data. Even if we are legally allowed or required to delete data, we will not be able to do so with immudb. - -In another variant of the Meilisearch approach the metal-api would also be responsible for copying chunks to the S3 compatible storage and deleting old indices. But separating the concerns allows completely different implementations for every deployment stage. diff --git a/versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP12/README.md b/versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP12/README.md deleted file mode 100644 index 65532c57..00000000 --- a/versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP12/README.md +++ /dev/null @@ -1,34 +0,0 @@ ---- -slug: /MEP-12-rack-spreading -title: MEP-12 -sidebar_position: 12 ---- - -# Rack Spreading - -Currently, when creating a machine through the metal-api, the machine is placed randomly inside a partition. This algorithm does not consider spreading machines across different racks and different chassis. This may lead to the situation that a group of machines (that for example form a cluster) can end up being placed in the same rack and the same chassis. - -Spreading a group of machines across racks can enhance availability for scenarios like a rack losing power or a chassis meltdown. - -So, instead of just randomly deciding the placement of a machine candidate, we want to propose a placement strategy that attempts to spread machine candidates across the racks inside a partition. - -Furthermore a followup improvement to guarantee that machines are really spread across multiple racks, even if multiple machines are ordered in parallel, was implemented with [PR490](https://github.com/metal-stack/metal-api/pull/490). - -## Placement Strategy - -Machines in the project are spread across all available racks evenly within a partition (best effort). For this, an additional request to the datastore has to be made in order to find allocated machines within the project in the partition. - -The algorithm will then figure out the least occupied racks and elect a machine candidate randomly from those racks. - -The user can optionally pass placement tags which will be considered for spreading the machines as well (this will for example allow spreading by a cluster id tag inside the same project). - -## API - -```golang -// service/v1/machine.go - -type MachineAllocation struct { - // existing fields are omitted for readability - PlacementTags []string `json:"placement_tags" description:"by default machines are spread across the racks inside a partition for every project. if placement tags are provided, the machine candidate has an additional anti-affinity to other machines having the same tags"` -} -``` diff --git a/versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP13/README.md b/versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP13/README.md deleted file mode 100644 index 2dde20f5..00000000 --- a/versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP13/README.md +++ /dev/null @@ -1,111 +0,0 @@ ---- -slug: /MEP-13-dual-stack-support -title: MEP-13 -sidebar_position: 13 ---- - -# Dual-stack Support - -dual-stack support is required to be able to create Kubernetes clusters with either IPv6 single-stack or dual-stack enabled. -With the inherent scarcity of IPv4 addresses, the need to be able to use IPv6 has increased. - -Full IPv6 dual-stack support was added to Kubernetes with v1.23 as stable. - -Gardeners have had full IPv6 dual-stack support since `v1.109`. - -metal-stack manages CIDRs and IP addresses with the [go-ipam](https://github.com/metal-stack/go-ipam) library, which already got full IPv6 support in 2021 (see [https://metal-stack.io/blog/2021/02/ipv6-part1](https://metal-stack.io/blog/2021/02/ipv6-part1)). -But this was only the foundation, more work needs to be done to get full IPv6 support for all aspects managed by metal-stack.io. - -## General Decisions - -For the general decision we do not look at the isolated clusters feature for now as this would make the solution even more complex and we want to introduce IPv6 in smaller steps to the users. - -### Networks - -Currently, metal-stack organizes CIDRs / prefixes into a `network' resource in the metal-api. A network can consist of multiple CIDRs from the same address family. For example, if an operator wants to provide Internet connectivity to provisioned machines, they can start with small network CIDRs. The number of managed network prefixes can then be expanded as needed over time. - -With dual-stack we have to choose between two options: Network per address family or networks with both address families. These options are described in the next section. - -#### Network per Address Family - -This means that we allow networks with CIDRs from one address family only, one for IPv4 and one for IPv6. - -The machine creation process will not change if the machine only needs to be either IPv4 or IPv6 addressable. -But if on the other side, the machine need to be able to connect to both address families, the machine creation needs to specify two networks, one for IPv4 and one for IPv6. -Also there will be 2 distinct VRF IDs for every network with a different address family. - -#### Network with both Address Families - -Make a network dual address family capable, meaning that you can add multiple cidrs from both address families to a network. -Then the machine creation will remain the same for single-stack and dual-stack cases, but the ip address allocation will need to specify the address family from which to allocate an ip address when the network is dual-stack. -This does not break the existing API, but allows existing extensions to easily add dual-stack support. -To avoid additional checking of which address families are available on this network during an ip allocation call, we could store the address families in the network. - -#### Decision - -The decision was made to go with the having both address families in a single network entity because we think this is the most flexible way to support dual-stack machines and Kubernetes clusters as well as single-stack with the least amount of modifications on the networking side. - -### Examples - -To illustrate the the usage we start by creating a tenant super network which has both address families: - -```yaml ---- -id: tenant-super-network-mini-lab -name: Project Super Network -description: Super network of all project networks -partitionid: mini-lab -prefixes: - - 10.0.0.0/16 - - 2001:db8:0:10::/64 -defaultchildprefixlength: - IPv4: 22 - IPv6: 96 -privatesuper: true -``` - -In order to create this network, we simple call: - -```bash -metalctl network create -f tenant-super.yaml -``` - -This is usually done during the initial setup of the environment. - -Next step is to allocate a tenant network where the machines of a project can be placed: - -```bash -metalctl network allocate --partition mini-lab --project 4b9b17c4-2d7c-4190-ae95-dda44e430fa6 --name my-node-network -``` - -This leads to the following network allocation: - -```yaml -id: 2d2c0350-3f66-4597-ae97-ef6797232212 -name: my-node-network -parentnetworkid: tenant-super-network-mini-lab -partitionid: mini-lab -prefixes: - - 10.0.0.0/22 - - 2001:db8:0:10::/96 -projectid: 4b9b17c4-2d7c-4190-ae95-dda44e430fa6 -vrf: 20 -consumption: - ipv4: - available_ips: 1024 - available_prefixes: 256 - used_ips: 2 - used_prefixes: 0 - ipv6: - available_ips: 2147483647 - available_prefixes: 1073741824 - used_ips: 1 - used_prefixes: 0 -privatesuper: false -``` - -Users can the create IP addresses from these child networks. By default, they retrieve an IPv4 address except a super network only consists of IPv6 prefixes. In the latter case the users acquire an IPv6 address. - -```bash -metalctl network ip create --network 2d2c0350-3f66-4597-ae97-ef6797232212 --project 4b9b17c4-2d7c-4190-ae95-dda44e430fa6 -``` diff --git a/versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP14/README.md b/versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP14/README.md deleted file mode 100644 index 47c06434..00000000 --- a/versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP14/README.md +++ /dev/null @@ -1,36 +0,0 @@ ---- -slug: /MEP-14-independence-from-external-sources -title: MEP-14 -sidebar_position: 14 ---- - -# Independence from external sources - -In certain situations some customers may need to operate and create machines without making use of external services like DNS or NTP through the internet. To make this possible, all metal-stack components reaching external services need to be configurable with custom endpoints. - -So far, the following components have been identified as requiring changes: - -- pixiecore -- metal-hammer -- metal-images - -More components are likely to be added to the list during processing. -For DNS and NTP servers it should be possible to provide default values within a partition. They can either be inherited from machines and firewalls or overwritten with own ones. - -## pixiecore - -A NTP server endpoint need to be configured on the pixiecore. This can be achieved by providing it through environment variables on start up. - -## metal-hammer - -If using a self-deployed NTP server, also the metal-hammer need to be configured with it. For backward compatibility, default values from `pool.ntp.org` and `time.google.com` are used. - -## metal-images - -Configurations for the `metal-images` are different for machines and firewalls. - -## metalctl - -In order to pass DNS and NTP servers to partitions and machines while creating them, the flags `dnsservers` and `ntpservers` need to be added. - -The implementation of this MEP will make metal-stack possible to create and maintain machines without requiring an internet connection. diff --git a/versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP16/README.md b/versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP16/README.md deleted file mode 100644 index 205670ab..00000000 --- a/versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP16/README.md +++ /dev/null @@ -1,318 +0,0 @@ ---- -slug: /MEP-16-metal-api-as-an-alternative-configuration-source-for-the-firewall-controller -title: MEP-16 -sidebar_position: 16 ---- - -# metal-api as an Alternative Configuration Source for the firewall-controller - -In the current situation, a firewall as provisioned by metal-stack is a fully immutable entity. Any modifications on the firewall like changing the firewall ruleset must be done _somehow_ by the user – the metal-api and hence metal-stack is not aware of its current state. - -As part of our [integration with the Gardener project](https://docs.metal-stack.io/stable/overview/kubernetes/#Gardener) we offer a solution called the [firewall-controller](https://github.com/metal-stack/firewall-controller), which is part of our [firewall OS images](https://github.com/metal-stack/metal-images/blob/6318a624861b18a559a9d37299bca5f760eef524/firewall/Dockerfile#L57-L58) and addresses shortcomings of the firewall resource's immutability, which would otherwise be completely impractible to work with. The firewall-controller crashes infinitely if it is not properly configured through the userdata when using the firewall image of metal-stack. - -The firewall-controller approach is tightly coupled to Gardener and it requires the administrator of the Gardener installation to pass a shoot and a seed kubeconfig through machine userdata when creating the firewall. How this userdata has to look like is not documented and is just part of another project called the [firewall-controller-manager](https://github.com/metal-stack/firewall-controller-manager) (FCM), which task is to orchestrate rolling updates of firewall machines in a way that network traffic interruption is minimal when updating a firewall or applying a change to an immutable firewall configuration. - -In general, a firewall entity in metal-stack has similarities to the machine entity but it has a fundamental difference: A user gains ownership over a machine after provisioning. They can access it through SSH, modify it at will and this is completely wanted. For firewalls, however, we do not want a user to access the provisioned firewall as the firewall is a privileged part of the infrastructure with access to the underlay network. The underlay can not be tampered with at any given point in time by a user as it can destroy the entire network traffic flow inside a metal-stack partition. - -For this reason, we have a gap in the metal-stack project in terms of a missing solution for people who do not rely on the Gardener integration. We are basically leaving a user with the option to implement an orchestrated recreation of every possible change on the firewall to minimize traffic interruption for the machines sitting behind the firewall or re-implement the firewall-controller to how they want to use it for their use-case. - -Also we do not have a clear distinction in the API between user and metal-stack operator for firewalls. If a user would allocate a firewall it is also possible for the user to inject his own SSH keys and access the firewall and tamper with the underlay network. - -Parts of these problems are probably going to decrease with the work on [MEP-4](../MEP4/README.md) where there will be dedicated APIs for users and administrators of metal-stack including fine-grained access tokens. - -With this MEP we want to describe a way to improve this current situation and allow other users that do not rely on the Gardener integration – for whatever motivation they have – to adequately manage firewalls. For this, we propose an alternative configuration for the firewall-controller that is native to metal-stack and more independent of Gardener. - -## Proposal - -The central idea of this proposal is allowing the firewall-controller to use the metal-api as a configuration source. This should serve as an alternative strategy to the currently used FCM `Firewall` resource based approach in the Gardener use-case. -Updates of the firewall rules should be possible through the metal-api. - -The firewall-controller itself should now be able to decide which of the two main strategies should be used for the base configuration: a kubeconfig or the metal-api. This should be possible through a dedicated _firewall-controller-config_. - -Using this config will now allow operators to fine-tune the data sources for all of its dynamic configuration tasks independently. -For example the data source of the core firewall rules could be set either from the `Firewall` resource located in the Gardener `Seed` or the metal-apiserver node network entity, while the CWNPs should be fetched and applied from a given kubeconfig (the `Shoot` Kubeconfig in the Gardener case). -This configuration file is intended to be injected during firewall creation through the userdata along with potential source connection credentials. - -```yaml -# the name of the firewall, defaulted to the hostname -name: best-firewall-ever - -sources: - seed: - kubeconfig: /path/to/seed.yaml # current gardener behavior - namespace: shoot--proj--name - shoot: - kubeconfig: /path/to/shoot.yaml # current gardener behavior - namespace: firewall - metal: - url: https://metal-api - hmac: some-hmac - type: Metal-View - projectID: abc - static: - # static should mirror all information provided by the metal or seed/shoot sources - firewall: # optional - controllerURL: https://... - cwnp: - egress: [] - ingress: [] - -# all sub-controllers running on the firewall -# each can be configured independently -controllers: - # this is the base controller - firewall: - source: seed # or: metal, static - - # these are optional: when not provided, they are disabled - selfUpdate: - enabled: true - droptailer: - enabled: true - - # these are optional: when not provided, they are disabled - service: - source: shoot # or: metal, static - cwnp: - source: shoot # or: metal, static - monitor: - source: shoot # currently only shoot is supported -``` - -The existing behavior of the firewall-controller writing into `/etc/nftables/firewall-controller.v4` is not changed. The different controller configuration sources are internally treated in the same way as before. The `static` source can be used to prevent the firewall-controller from crashing and consistently providing a static ruleset. This might be interesting for metal-stack native use cases or environments where the metal-api cannot be accessed. - -There must be one central nftables-rule-file-controller that is notified and triggered by all other controllers that contribute to the nftables configuration. - -For example, in order to maintain the existing Gardener integration, the configuration file for the firewall-controller will look like this: - -```yaml -name: shoot--abc--cluster-firewall-def -sources: - seed: - kubeconfig: /etc/firewall-controller/seed.yaml - namespace: shoot--abc--cluster - shoot: - kubeconfig: /etc/firewall-controller/shoot.yaml - namespace: firewall - -controllers: - firewall: - source: seed - - selfUpdate: - enabled: true - droptailer: - enabled: true - - service: - source: shoot - cwnp: - source: shoot - monitor: - source: shoot -``` - -Plain metal-stack users might use a configuration like this: - -```yaml -name: best-firewall-ever - -sources: - metal: - url: https://metal-api - hmac: some-hmac - type: Metal-View - projectID: abc - -controllers: - firewall: - source: metal - selfUpdate: - enabled: true - droptailer: - enabled: true - - cwnp: - # firewall rules stored in firewall entity - # potential improvement would be to attach the rules to the node network entity - # be aware that the firewall and private networks are immutable - # eventually we introduce a firewall ruleset entity - source: metal -``` - -In highly restricted environments that cannot access metal-api the static source could be used: - -```yaml -name: most-restricted-firewall-ever - -sources: - static: - firewall: - controllerURL: https://... - cwnp: - egress: [] - ingress: [] - -controllers: - firewall: - source: static - - cwnp: - source: static -``` - -### Non-Goals - -- Resolving the missing differentiation between users and administrators by letting users pass userdata and SSH keys to the firewall creation. - - This is even more related to [MEP-4](../MEP4/README.md) than this MEP. - -### Advantages - -- Offers a native metal-stack solution that improves managing firewalls for users by adding dynamic reconfiguration through the metal-api - - e.g., in the mini-lab, users can now allocate a machine, then an IP address and announce this IP from the machine without having to re-create the firewall but by adding a firewall rule to the metal-api. -- Improve consistency throughout the API (firewall rules would reflect what is persisted in metal-api). -- Other providers like Cluster API can leverage this approach, too. -- It can contribute to solving the shoot migration issue (in Cluster API case the `clusterctl move` for firewall objects) - - For Gardener takes the seed out of the equation (of which the kubeconfig changes during shoot migration) - - However: Things like egress rules, rate limiting, etc. are currently not part of the firewall or network entity in the metal-api. These would need to be added to one of them. -- Potentially resolve the issue that end-users can manipulate accounting data of the firewall through the `FirewallMonitor` - - for this we would need to be able to report traffic data to metal-api - -### Caveats - -- Metal-View access is too broad for firewalls. Mitigated by [MEP-4](../MEP4/README.md). -- Polling of the firewall-controller is bad for performance. Mitigated by [MEP-4](../MEP4/README.md). - -### Firewall Controller Manager - -Currently the firewall-controller-manager expects the creators of a `FirewallDeployment` to use the defaulting webhook that is tailored to the Gardener integration in order to generate `Firewall.spec.userdata` or to override it manually. Currently `Firewall.spec.userdata` will never be set explicitly. - -Instead we'd like to propose `Firewall.spec.userdataContents` which will replace the old `userdata`-string by a typed data structure. The FCM will do the heavy lifting while the `FirewallDeployment` creator decides what should be configured. - -```yaml -kind: FirewallDeployment -spec: - template: - spec: - userdataContents: - - path: /etc/firewall-controller/config.yaml - content: | - --- - sources: - static: {} - controllers: - firewall: - source: static - - path: /etc/firewall-controller/seed.yaml - secretRef: - name: seed-kubeconfig - generateFirewallControllerKubeconfig: true - - path: /etc/firewall-controller/shoot.yaml - secretRef: - name: shoot-kubeconfig -``` - -### Gardener Extension Provider Metal Stack - -The GEPM should be migrated to the new `Firewall.spec.userdataContents` field. - -### Cluster API Provider Metal Stack - -![architectural overview](firewall-for-capms-overview.svg) - -In Cluster API there are essentially two main clusters: the management cluster and the workload cluster while the CAPMS takes in the role of the GEPM. -Typically a local bootstrap cluster is created in KinD which acts as the management cluster. It creates the workload cluster. Thereafter the ownership of the workload cluster is typically moved (using `clusterctl move`) to a different cluster which will then become the management cluster. -The new management cluster might actually be the workload cluster itself. - -In contrast to Gardener, Cluster API aims to be less opinionated and minimal. It is common practice to not install any non-required components or CRDs into the workload cluster by default. Therefore we cannot expect custom resources like `ClusterwideNetworkPolicy` or `FirewallMonitor` to be installed in the workload cluster but strongly recommend our users to do it. Therefore it's the responsibility of the operator to tell [cluster-api-provider-metal-stack](https://github.com/metal-stack/cluster-api-provider-metal-stack) the kubeconfig for the cluster where these CRDs are installed and defined in. - -A viable configuration for a `MetalStackCluster` that generates firewall rules based of `Service` type `LoadBalancer` and `ClusterwideNetworkPolicy` and expects them to be deployed in the workload cluster is shown below. The `FirewallMonitor` will be reported into the same cluster. - -```yaml -kind: MetalStackCluster -metadata: - name: ${CLUSTER_NAME} -spec: - firewallTemplate: - userdataContents: - - path: /etc/firewall-controller/config.yaml - secretName: ${CLUSTER_NAME}-firewall-controller-config - - - path: /etc/firewall-controller/workload.yaml - # this is the kubeconfig generated by kubeadm - secretName: ${CLUSTER_NAME}-kubeconfig ---- -kind: Secret -metadata: - name: ${CLUSTER_NAME}-firewall-controller-config -stringData: - controllerConfig: | - --- - name: ${CLUSTER_NAME}-firewall - - sources: - metal: - url: ${METAL_API_URL} - hmac: ${METAL_API_HMAC} - type: ${METAL_API_HMAC_TYPE} - projectID: ${METAL_API_PROJECT_ID} - shoot: - kubeconfig: /etc/firewall-controller/workload.yaml - namespace: firewall - - controllers: - firewall: - source: metal - selfUpdate: - enabled: true - droptailer: - enabled: true - - service: - source: shoot - cwnp: - source: shoot - monitor: - source: shoot -``` - -Here the firewall-controller-config will be referenced by the `MetalStackCluster` as a `Secret`. Please note that the `Secret`s in `userdataContents` will not be fetched and will directly be passed to the `FirewallDeployment`. At first the reconciliation of it in the FCM will fail due to the missing Kubeconfig secret. After the `MetalStackCluster` has been marked as ready, CAPI will create this missing secret. Effectively the firewall and initial control plane node should be created at the same time. - -This approach allows maximum flexibility as intended by Cluster API and is still able to provide robust rolling updates of firewalls. - -An advanced use case of this flexibility would be a management cluster, that is in charge of multiple workload clusters. Where one workload cluster acts as a monitoring or tooling cluster, receives logs and the firewall monitor for the other workload clusters. The CWNPs could be defined here, all in a separate namespace. - -#### Cluster API Caveats - -When the cluster is pivoted and reconciles its own firewall, a malfunctioning firewall prevents the cluster from self-healing and requires manual intervention by creating a new firewall. This is an inherent problem of the cluster-api approach. It can be circumvented by using an extra cluster to manage workload clusters. - -In the current form of this approach firewalls and therefore the firewall egress and ingress rules are managed by the cluster operators that manage the cluster-api resources. -Hence it will not be possible to gain a fine-grained control over every cluster operator's choices from a central ruleset at the level of metal-stack firewalls. -In case this control surfaces as a requirement, it would need to be implemented in a firewall external to metal-stack. - -## Roadmap - -In general this proposal is not thought to be implemented in one batch. Instead an incremental approach is required. - -1. Enhance firewall-controller - - - Reduce coupling between controllers - - Introduce controller config - - Abstract module to write into distinct nftable rules for every controller - - Implement `sources.static`, but not `sources.metal` - - GEPM should set `FirewallDeployment.spec.template.spec.userdataContents` - -2. Allow Cluster API to use the FCM with static ruleset - - - Add `firewall.metal-stack.io/paused` annotation (managed by CAPMS during `clusterctl move`, theoretically useful for Gardener shoot migration as well to avoid shallow deletion). - - Reconcile multiple `FirewallDeployment` resources across multiple namespaces. For Gardener the old behavior of reconciling only one namespace should persist. - - Allow setting the `firewall.metal-stack.io/no-controller-connection` annotation through the `FirewallDeployment` (either through the template or inheritance). - - Add `MetalStackCluster.spec.firewallTemplate`. - - Make `MetalStackCluster.spec.nodeNetworkID` optional if `spec.firewallTemplate` given. - -3. Add `sources.metal` as configuration option. - - - Allow updates of firewall rules in the metal-apiserver. - - Depends on [MEP-4](../MEP4/README.md) metal-apiserver progress - -4. Potentially migrate the GEPM to use `sources.metal` diff --git a/versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP16/firewall-for-capms-overview.drawio b/versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP16/firewall-for-capms-overview.drawio deleted file mode 100644 index faea3e3d..00000000 --- a/versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP16/firewall-for-capms-overview.drawio +++ /dev/null @@ -1,4 +0,0 @@ - - - -
handles traffic
Firewall
Firewall Controller
node-exporter
nftables-exporter
droptailer-client
Workload Cluster
droptailer
Configures
Bootstrap or Management Cluster
reconcile
configures
reconcile
Cluster API Provider metal-stack
Metal Stack Cluster CRD
Firewall Deployment CRD
Firewall CRD
Firewall Set CRD
rec
reconcile
reconcile
Firewall Controller Manager
Metal Stack Machine CRD
manages
Admin
Kubeconfig FirewallMonitor
FirewallMonitor CRD
main metal-api
Firewall entity
kubeconfig CWNP
Clusterwide Network Policy CRD
base config
controllerConfig
user-defined
network rules
reports firewall
state
send firewall log lines
controllerConfig
controllerConfig
 \ No newline at end of file diff --git a/versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP16/firewall-for-capms-overview.svg b/versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP16/firewall-for-capms-overview.svg deleted file mode 100644 index 853f8175..00000000 --- a/versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP16/firewall-for-capms-overview.svg +++ /dev/null @@ -1 +0,0 @@ -
handles traffic
handles traffic
Firewall
Firewall
Firewall Controller
Firewall Controller
node-exporter
node-exporter
nftables-exporter
nftables-exporter
droptailer-client
droptailer-client
Workload Cluster
Workload Cluster
droptailer
droptailer
Configures
Configures
Bootstrap or Management Cluster
Bootstrap or Management Cluster
reconcile
reconcile
configures
configures
reconcile
reconcile
Cluster API Provider metal-stack
Cluster API Provider...
Metal Stack Cluster CRD
Metal Stack Cluster...
Firewall Deployment CRD
Firewall Deployment...
Firewall CRD
Firewall CRD
Firewall Set CRD
Firewall Set CRD
rec
rec
reconcile
reconcile
reconcile
reconcile
Firewall Controller Manager
Firewall Controller...
Metal Stack Machine CRD
Metal Stack Machine...
manages
manages
Admin
Admin
Kubeconfig FirewallMonitor
Kubeconfig FirewallMonitor
FirewallMonitor CRD
FirewallMonitor CRD
main metal-api
main metal-api
Firewall entity
Firewall entity
kubeconfig CWNP
kubeconfig CWNP
Clusterwide Network PolicyCRD
Clusterwide Network...
base config
base config
controllerConfig
controllerConfig
user-defined
network rules
user-defined...
reports firewall
state
reports firewall...
send firewall log lines
send firewall log lines
controllerConfig
controllerConfig
controllerConfig
controllerConfigText is not SVG - cannot display \ No newline at end of file diff --git a/versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP17/README.md b/versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP17/README.md deleted file mode 100644 index 35f48970..00000000 --- a/versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP17/README.md +++ /dev/null @@ -1,61 +0,0 @@ ---- -slug: /MEP-17-global-network-view -title: MEP-17 -sidebar_position: 17 ---- - -# Global Network View - -> [!IMPORTANT] -> This MEP assumes the implementation of the metal-apiserver as described by [MEP-4](../MEP4/README.md) which is currently work in progress. - -Having a complete view of the network topology is useful when working with deployments or troubleshooting connectivity issues. -Currently, the API doesn't know of any other switches than the leaf switches. -Information about all other switches and their connections must be gathered from Ansible inventories or by accessing the switches via SSH. -Documentation of each partition's network must be kept in-sync with all changes made to the deployment or cabling. -We would like to expand the API's knowledge of the network to the entire underlay including inter-switch connections as well as BGP statistics and health status. - -## Switch Types - -Registering a switch at the API is done by the metal-core. -Apart from that, it also reconciles port and FRR configuration to adapt to the machine provisioning cycle. -This reconfiguration is only necessary on the leaf switches. -To allow deploying the metal-core on other switches than leaves we need a way of telling it what type of switch it is running on so it can act accordingly. -On any non-leaf switches it will only register the switch and report statistic but not change any configuration. -Supported switch types are - -- `leaf` -- `spine` -- `exit` -- `mgmtleaf` -- `mgmtspine` - -## Network Topology - -All switches should periodically report their LLDP neighbors and port configuration. -This information can be used to quickly identify common network issues, like MTU mismatch or the like. -Ideally, there would be some graphical representation of the network topology containing only the most important information for a quick overview. -It should contain all switches and machines as nodes and all connections as edges of a graph. -Ports, VRFs, and maybe also IPs should be associated with a connection. - -Apart from the topology graph, there should be a way to display more detailed information about both ports of a connection, like - -- MTU -- speed -- IP -- UP/DOWN status -- VRF -- VLAN -- whether it participates in a BGP session - -## BGP Announcements - -The metal-core should collect all routes it knows about and send them to the API along with a timestamp. -Reported routes should be stored to a redis database along with the switch that reported them and the timestamp of the last time they were reported. -An expiration threshold should be defined and all expired routes should be cleaned up periodically. -Whenever new routes are reported they get merged into the existing ones by the strategy: - -- when new, just add -- when existing, update `last_announced` timestamp - -By querying the BGP announcements we can find out whether an allocated IP is still in use. diff --git a/versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP18/README.md b/versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP18/README.md deleted file mode 100644 index 9c02c0b7..00000000 --- a/versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP18/README.md +++ /dev/null @@ -1,147 +0,0 @@ ---- -slug: /MEP-18-autonomous-control-plane -title: MEP-18 -sidebar_position: 18 ---- - -# Autonomous Control Plane - -As described in the [deployment chapter](../../../docs/04-For%20Operators/03-deployment-guide.mdx), we strongly recommend Kubernetes as the target platform for running the metal-stack control plane. - -Kubernetes clusters for this purpose are readily available from hyperscalers, metalstack.cloud, or other cloud providers. Simply using a managed Kubernetes cluster greatly simplifies a metal-stack installation. However, sometimes it might be desirable to host the metal-stack control plane autonomously, without the help of another cloud provider. Reasons for this might include corporate policies that prohibit the use of external data center products, or network constraints. - -The Kubernetes cluster hosting the metal-stack control plane must provide at least the following features: - -- Load balancing (for exposing the APIs) -- Persistent storage (for the databases and key-value stores) -- Access to object storage for automated backups of the stateful sets -- Access to a DNS provider supported by one of the used DNS extensions -- Externally accessible DNS records for obtaining officially signed certificates through DNS challenges - -This metal-stack control plane cluster must also be highly available to prevent a complete loss of control over the managed resources in the data center. -Regular Kubernetes updates to apply security fixes and feature updates must be possible in an automated manner. The Day-2 operational overhead of running this cluster in your own datacenter must be reasonable. - -In this chapter, we propose a solution for setting up a metal-stack environment with an autonomous control plane that is independent of another cloud provider. - -## Use Your Own Dogfood - -The most obvious solution is to just deploy a Kubernetes cluster manually in your own data center by utilizing existing tooling for the deployment: - -- k3s -- kubeadm -- vmware and rancher -- talos -- kubespray -- ... (not a complete list) - -However, all these solutions add another layer of complexity that needs to be maintained and operated by people who also need to learn and understand metal-stack. In general, metal-stack in combination with [Gardener](https://gardener.cloud) contains all the necessary tools to provide KaaS, so it makes sense to reuse what is already in place without introducing new dependencies on other products and vendors. - -The only problem here is that Gardener is not yet able to create an initial cluster, which may change with the implementation of [GEP-28](https://github.com/gardener/gardener/blob/master/docs/proposals/28-autonomous-shoot-clusters.md). In the meantime, we suggest using [k3s](https://k3s.io/), which manages the initial metal-stack partition to host the control plane, since the maintenance overhead is acceptable and it is easy to deploy. - -## The Matryoshka Principle - -Instead of directly using the K3s cluster for the production control plane, we propose using it as a minimal control plane cluster which only purpose is to host the production control plane cluster. This layer of indirection brings some reasonable advantages: - -- In the event of an interruption or loss of this minimal control plane cluster, the production control plane remains unaffected, and end users can continue to manage their clusters as normal. -- A dedicated operations team can take care of the Day-2 maintenance of this installation, which can be handy because the tools like k3s are a little different from the rest of the setup (it is likely that more manual maintenance is required than for any other cluster). This would also be true if the initial cluster problem would be solved by the Gardener itself and not using k3s. -- Since the number of shoot clusters to host is static, the resource requirements are minimal and will not change significantly over time. There are no huge resource requirements in terms of cpu, memory and storage. As such, the lack of scalability is not such a big issue. - -So, our proposal is to chain two metal-stack control planes. The initial control plane cluster would use k3s and on this cluster we can spin up a cluster for the production control plane with the use of Gardener. - -The following figure shows how the high-level architecture of this setup looks like. A even more simplified illustration of this setup can be looked up in the appendix[^1]. - -![Autonomous Control Plane Architecture](./autonomous-control-plane-images/metal-stack-autonomous-control-plane-full.svg) - -The k3s nodes can either be bare metal machines or virtual machines. When using VMs a single k3s node might be a viable solution, too. These nodes are supposed to be setup manually / partly automated with an operating system like Debian. - -To name the cluster that hosts the initial metal-stack control plane and Gardener we use the term _initial cluster_. The initial cluster creates worker nodes to host the _target cluster_. - -## Initial Cluster - -The initial cluster is kept very small. The physical bare metal machines can be any machines and switches which are supported by metal-stack, but can be smaller in terms of cpu, memory and network speed because these machines must only be capable of running the target cluster for the metal-stack control plane. A typical single socket server with 8-16 cores and 64GB of RAM and two NVMe drives of 1TB would be a good starting point. - -In a typical k3s setup, a stateful set would lose the data once the k3s cluster was terminated and started again. But there is a possibility to define parts of the local storage of the server to be provided to the k3s cluster for the PVCs. With that, k3s could be terminated and started again, for example to update and reboot the host os, or update k3s itself and the data will persist. - -Example k3s configuration for persistent storage on the hosts os: - -```yaml -k3s: Cluster -apiVersion: k3s.x-k8s.io/v1alpha4 -name: needle-control-plane -nodes: - - role: control-plane - # add a mount from /path/to/my/files on the host to /files on the node - extraMounts: - - hostPath: /path/to/my/files - containerPath: /files -``` - -Into this cluster metal-stack and Gardener will be deployed. This deployment can be done by a Gitlab runner which is running on this machine. -The mini-lab will be used as a base for this deployment. The current development of [gardener-in-minilab](https://github.com/metal-stack/mini-lab/pull/202) must be extended to host all required extensions to make this a working metal-stack control plane which can manage the machines in the attached bare metal setup. - -In addition to the metal-stack and Gardener deployment, some additional required services are deployed (non-complete list): - -- PowerDNS to serve as a DNS Server for all DNS entries used in the initial and the target cluster, like `api.initial.metal-stack.local`, `gardener-api.initial.metal-stack.local` and the DNS entries for the api servers of the created kubernetes clusters. -- NTP -- Monitoring for the initial cluster and partition -- Optional: OIDC Server for authenticating against the metal-api -- Optional: Container Registry to host all metal-stack and gardener containers -- Optional: Let's Encrypt [boulder](https://github.com/letsencrypt/boulder) as a certificate authority -- ... - -Physical view, minimal setup for a initial cluster with a single physical node: - -![Small Initial Cluster](autonomous-control-plane-images/small-initial-cluster.svg) - -Physical View, bigger ha setup which is spread across two data centers: - -![HA Initial Cluster](autonomous-control-plane-images/ha-initial-cluster.svg) - -### Control Plane High Availability - -Running the initial control plane on a single physical server is not as available as it should be in such a use case. It should be possible to survive a loss of this server, because the server could be lost by many events, such as hardware failure, disk corruption or even failure of the datacenter location where this server is deployed. - -Setting up a second server with the same software components is an option, but the problem of data redundancy must be solved, because neither the gardener control plane, nor the metal-stack control plane can be instantiated twice. - -Given that we provide part of the local storage of the server as backing storage for the stateful sets in the k3s cluster, the data stored on the server itself must be replicated to another server and backed up on a regular basis. - -The replication of ETCD can be achieved through [clustered configuration](https://docs.k3s.io/datastore/ha-embedded) of k3s. Components of metal-stack and Gardener can run standalone and already utilize backup-restore mechanism that must be configured accordingly. For two or more bare metal machine used for the initial cluster, a loadbalancing mechanism for the ingress is required. kube-vip could be a possible solution. - -For monitoring a backend like a Victoria Metrics Cluster would allow spearding the monitoring data across the initial cluster nodes. These metrics should also be backed up in object storage. - -### Partition - -The partition which is managed by the initial cluster can be a simple and small hardware setup but yet capable enough to host the target cluster. It would even be a good practice to create separate target clusters on the initial cluster, e.g. one for the metal-stack control plane and one for the Gardener (maybe one more for monitoring). - -It can follow the metal-stack minimal setup which provides about 8-16 small servers connected to a 1G/s or 10G/s network dataplane. Central storage is optional as the persistence of the services running in these clusters is always backed up to a central object storage. Operations would be much easier if a central storage is provided. - -## Target Cluster - -The target cluster is the metal-stack environment which serves for end-user production use, the control plane is running in a shoot hosted in the initial cluster. The seed(s) and shoot(s) for end-users are created on the machines provided by the target cluster. -These machines can be of a different type in terms of size, but more importantly, these machines are connected to another network dataplane. Also the management infrastructure is separated from the initial cluster management network. - -## Failure Scenarios - -Everything could fail, everything will fail at some point. But this must kept in mind and nothing bad should happen if only one component at a time fails. -If more than one fails, the restoration to a working state must be easily possible and well documented. - -To ensure all possible breakages are documented, we suggest writing a list which summarizes all failure scenarios that might occur including the remediation. - -Here is an example of how a scenario documentation could look like: - -**Scenario**: Initial cluster is gone, all machines have died -**Impact**: Management of the initial cluster infrastructure not possible anymore, the target cluster continues to run but cannot be managed because the API servers are gone. end-users are not affected by this incident. -**Remediation**: The initial cluster nodes must be provisioned from scratch and re-deployed through the CI mechanism. The backups of the stateful sets are automatically restored during this process. - -## Implementation - -As part of this proposal, we provide the following tools and integrations in order to setup an autonomous control plane: - -- Deployment roles for the services like PowerDNS and NTP for the initial cluster -- Stretch goal: Deployment role to setup k3s in clustered configuration for the initial cluster and update it -- Extend the Gardener on mini-lab integration to allow shoot creation in the mini-lab -- Steady integration of the setup (maybe something like [k3d](https://github.com/k3d-io/k3d) in the mini-lab) - -## Appendix - -[^1]: ![metal-stack-chain](autonomous-control-plane-images/metal-stack-chain.svg) diff --git a/versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP18/autonomous-control-plane-images/ha-initial-cluster.drawio b/versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP18/autonomous-control-plane-images/ha-initial-cluster.drawio deleted file mode 100644 index eafcb514..00000000 --- a/versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP18/autonomous-control-plane-images/ha-initial-cluster.drawio +++ /dev/null @@ -1,535 +0,0 @@ - - - - - - - - - - - - - - - - - - - 1 - - - - - 2 - - - - - 3 - - - - - 4 - - - - - 5 - - - - - 6 - - - - - 7 - - - - - 8 - - - - - 9 - - - - - 10 - - - - - 11 - - - - - 12 - - - - - - - - - - - - - -
-
-
- internet-router-management -
-
-
- - - internet-router-management - - - - - - - - - - - - - -
-
-
- management-switch-and-server -
-
-
- - - management-switch-and-server - - - - - - - - - - - - - -
-
-
- spine01 -
-
-
- - - spine01 - - - - - - - - - - - - - -
-
-
- leaf01 -
-
-
- - - leaf01 - - - - - - - - - - - - - -
-
-
- leaf02 -
-
-
- - - leaf02 - - - - - - - - - - - - - - - - - -
-
-
- - mirocloud (initial cluster partition nodes) - -
-
-
- - - mirocloud (initial cluster... - - - - - - - - - - - - - - - - - -
-
-
- - Initial cluster node 01 - -
-
-
- - - Initial cluster node 01 - - - - - - - - - - - - - - - - - 1 - - - - - 2 - - - - - 3 - - - - - 4 - - - - - 5 - - - - - 6 - - - - - 7 - - - - - 8 - - - - - 9 - - - - - 10 - - - - - 11 - - - - - 12 - - - - - - - - - - - - - -
-
-
- internet-router-management -
-
-
- - - internet-router-management - - - - - - - - - - - - - -
-
-
- management-switch-and-server -
-
-
- - - management-switch-and-server - - - - - - - - - - - - - -
-
-
- spine02 -
-
-
- - - spine02 - - - - - - - - - - - - - -
-
-
- leaf03 -
-
-
- - - leaf03 - - - - - - - - - - - - - -
-
-
- leaf04 -
-
-
- - - leaf04 - - - - - - - - - - - - - - - - - -
-
-
- - Initial cluster node 02 - -
-
-
- - - Initial cluster node 02 - - - - - - - - - - - - - - - - - -
-
-
- - Initial cluster node 03 - -
-
-
- - - Initial cluster node 03 - - - - - - - - - - - - - - - - - -
-
-
- - mirocloud (initial cluster partition nodes) - -
-
-
- - - mirocloud (initial cluster... - - - - - - - - - - Text is not SVG - cannot display - - - - diff --git a/versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP18/autonomous-control-plane-images/ha-initial-cluster.svg b/versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP18/autonomous-control-plane-images/ha-initial-cluster.svg deleted file mode 100644 index 99261ada..00000000 --- a/versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP18/autonomous-control-plane-images/ha-initial-cluster.svg +++ /dev/null @@ -1 +0,0 @@ -123456789101112
internet-router-management
internet-router-management
management-switch-and-server
management-switch-and-server
spine01
spine01
leaf01
leaf01
leaf02
leaf02
mirocloud (initial cluster partition nodes)
mirocloud (initial cluster...
Initial cluster node 01
Initial cluster node 01123456789101112
internet-router-management
internet-router-management
management-switch-and-server
management-switch-and-server
spine02
spine02
leaf03
leaf03
leaf04
leaf04
Initial cluster node 02
Initial cluster node 02
Initial cluster node 03
Initial cluster node 03
mirocloud (initial cluster partition nodes)
mirocloud (initial cluster...Text is not SVG - cannot display \ No newline at end of file diff --git a/versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-autonomous-control-plane-full.drawio b/versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-autonomous-control-plane-full.drawio deleted file mode 100644 index aae8a12d..00000000 --- a/versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-autonomous-control-plane-full.drawio +++ /dev/null @@ -1,1133 +0,0 @@ - - - - - - - - - - - - - - - - - - - -
-
-
- Initial Cluster -
-
-
- - - Initial Cluster - - - - - - - - - - - - - - - - - - -
-
-
- metal-roles -
-
-
- - - metal-roles - - - - - - - - - - - -
-
-
- CI -
-
-
- - - CI - - - - - - - - - - - -
-
-
- K3s Standalone - - - (on Debian) - - -
-
-
- - - K3s Standalone (on Debian) - - - - - - - - - - - - - - - - - - - - - -
-
-
- Initial Partition -
-
-
- - - Initial Partition - - - - - - - - - - - - - - - - - -
-
-
- Target Cluster for metal-stack -
-
-
- - - Target Cluster for metal-stack - - - - - - - - - - - - - - - - - -
-
-
- Metal Control Plane -
-
-
- - - Metal Control Plane - - - - - - - - - - - - - - - -
-
-
- provisions -
-
-
- - - provisions - - - - - - - - - - - - - - - - - -
-
-
- Target Cluster for Gardener -
-
-
- - - Target Cluster for Gardener - - - - - - - - - - - - - - -
-
-
- Gardener Control Plane -
-
-
- - - Gardener Control Plane - - - - - - - - - - - - - - - - - - - - - -
-
-
- Monitoring -
-
-
- - - Monitoring - - - - - - - - - - - - - - - - - - - - -
-
-
- Target Partition -
-
-
- - - Target Partition - - - - - - - - - - - - - - -
-
-
- Gardener Seeds and End-User Shoots -
-
-
- - - Gardener Seeds and End-User Shoots - - - - - - - - - - - - - - - -
-
-
- provisions -
-
-
- - - provisions - - - - - - - - - - - - -
-
-
- metal-roles -
-
-
- - - metal-roles - - - - - - - - - - - -
-
-
- CI -
-
-
- - - CI - - - - - - - - - - - - -
-
-
- metal-roles -
-
-
- - - metal-roles - - - - - - - - - - - - - - -
-
-
- ETCD can be clustered or standalone, backed up by sidecar -
-
-
- - - ETCD can be clustere... - - - - - - - - - - - - - - -
-
-
- This data will get lost in case local PV gets deleted -
-
-
- - - This data will get l... - - - - - - - - - - - - - - -
-
-
- We can work with local PVs here, too. -
- backup-restore-sidecar for metal-stack databases, for big ones Postgres clustered. -
-
-
- - - We can work with local PVs he... - - - - - - - - - - - -
-
-
- ETCD will be deployed in HA configuration on local PVs. -
-
- csi-driver-lvm needs to implement auto deletion of orphaned PVs. -
-
- Seed metrics get lost, but they report to the monitoring in the Metal Control Plane Shoot. -
-
-
- - - ETCD will be deployed in HA c... - - - - - - - - - - - - - - -
-
-
- More sophisticated storage solutions can be in place. -
-
- (Lightbits, NetApp, ...) -
-
-
- - - More sophisticated storage so... - - - - - - - - - - - - - - -
-
-
- TODO: Evaluate how to persist these metrics. -
-
-
- - - TODO: Evaluate how to persist... - - - - - - - - - - - - - - -
-
-
- - 1 VM or -
- -
- - - 3 Bare Metal Machines - - -
-
-
-
- - - 1 VM or... - - - - - - - - - - - - - - - - - - -
-
-
- metal-stack -
-
-
- - - metal-stack - - - - - - - - - - - -
-
-
- metal-api -
-
-
- - - metal-api - - - - - - - - - - - -
-
-
- metal-db -
-
-
- - - metal-db - - - - - - - - - - - -
-
-
- ipam-db -
-
-
- - - ipam-db - - - - - - - - - - - -
-
-
- masterdata-db -
-
-
- - - masterdata-db - - - - - - - - - - - -
-
-
- headscale-db -
-
-
- - - headscale-db - - - - - - - - - - - -
-
-
- auditing-db -
-
-
- - - auditing-db - - - - - - - - - - - -
-
-
- nsqd -
-
-
- - - nsqd - - - - - - - - - - - - - - - -
-
-
- Gardener -
-
-
- - - Gardener - - - - - - - - - - - - - - -
-
-
- Virtual Garden -
-
-
- - - Virtual Garden - - - - - - - - - - - -
-
-
- Gardener Control Plane -
-
-
- - - Gardener Control Plane - - - - - - - - - - - -
-
-
- gardenlet -
-
-
- - - gardenlet - - - - - - - - - - - -
-
-
- Garden etcd -
-
-
- - - Garden etcd - - - - - - - - - - - -
-
-
- Prometheus -
-
-
- - - Prometheus - - - - - - - - - - - - - - - -
-
-
- Monitoring -
-
-
- - - Monitoring - - - - - - - - - - - - - - -
-
-
- - Gitlab - -
- - Runner - -
-
-
-
- - - Gitlab... - - - - - - - - - - - - - - -
-
-
- Services -
-
-
- - - Services - - - - - - - - - - - -
-
-
- PowerDNS -
-
-
- - - PowerDNS - - - - - - - - - - - -
-
-
- boulder -
-
-
- - - boulder - - - - - - - - - - - -
-
-
- NTP -
-
-
- - - NTP - - - - - - - - - - - -
-
-
- OIDC -
-
-
- - - OIDC - - - - - - - - - - - -
-
-
- ... -
-
-
- - - ... - - - - - - - - - - Text is not SVG - cannot display - - - - diff --git a/versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-autonomous-control-plane-full.svg b/versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-autonomous-control-plane-full.svg deleted file mode 100644 index e58e783b..00000000 --- a/versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-autonomous-control-plane-full.svg +++ /dev/null @@ -1 +0,0 @@ -
Initial Cluster
Initial Cluster
metal-roles
metal-roles
CI
CI
K3s Standalone(on Debian)
K3s Standalone (on Debian)
Initial Partition
Initial Partition
Target Cluster for metal-stack
Target Cluster for metal-stack
Metal Control Plane
Metal Control Plane
provisions
provisions
Target Cluster for Gardener
Target Cluster for Gardener
Gardener Control Plane
Gardener Control Plane
Monitoring
Monitoring
Target Partition
Target Partition
Gardener Seeds and End-User Shoots
Gardener Seeds and End-User Shoots
provisions
provisions
metal-roles
metal-roles
CI
CI
metal-roles
metal-roles
ETCD can be clustered or standalone, backed up by sidecar
ETCD can be clustere...
This data will get lost in case local PV gets deleted
This data will get l...
We can work with local PVs here, too.
backup-restore-sidecar for metal-stack databases, for big ones Postgres clustered.
We can work with local PVs he...
ETCD will be deployed in HA configuration on local PVs.

csi-driver-lvm needs to implement auto deletion of orphaned PVs.

Seed metrics get lost, but they report to the monitoring in the Metal Control Plane Shoot.
ETCD will be deployed in HA c...
More sophisticated storage solutions can be in place.

(Lightbits, NetApp, ...)
More sophisticated storage so...
TODO: Evaluate how to persist these metrics.
TODO: Evaluate how to persist...
1 VM or
3 Bare Metal Machines
1 VM or...
metal-stack
metal-stack
metal-api
metal-api
metal-db
metal-db
ipam-db
ipam-db
masterdata-db
masterdata-db
headscale-db
headscale-db
auditing-db
auditing-db
nsqd
nsqd
Gardener
Gardener
Virtual Garden
Virtual Garden
Gardener Control Plane
Gardener Control Plane
gardenlet
gardenlet
Garden etcd
Garden etcd
Prometheus
Prometheus
Monitoring
Monitoring
Gitlab
Runner
Gitlab...
Services
Services
PowerDNS
PowerDNS
boulder
boulder
NTP
NTP
OIDC
OIDC
...
...Text is not SVG - cannot display \ No newline at end of file diff --git a/versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-chain.drawio b/versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-chain.drawio deleted file mode 100644 index cd5cf007..00000000 --- a/versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-chain.drawio +++ /dev/null @@ -1,404 +0,0 @@ - - - - - - - - - - -
-
-
- Partition 1 -
-
-
- - - Partition 1 - - - - - - - -
-
-
- seeds -
-
-
- - - seeds - - - - - - - -
-
-
- shoots -
-
-
- - - shoots - - - - - - - - - -
-
-
- Partition 2 -
-
-
- - - Partition 2 - - - - - - - -
-
-
- seeds -
-
-
- - - seeds - - - - - - - -
-
-
- shoots -
-
-
- - - shoots - - - - - - - - - -
-
-
- Partition 3 -
-
-
- - - Partition 3 - - - - - - - -
-
-
- seeds -
-
-
- - - seeds - - - - - - - -
-
-
- shoots -
-
-
- - - shoots - - - - - - - - - -
-
-
- Production Control Plane -
-
-
- - - Production Control Plane - - - - - - - -
-
-
- metal-stack -
- kubernetes cluster -
-
-
- - - metal-stack... - - - - - - - -
-
-
- gardener -
- kubernetes cluster -
-
-
- - - gardener... - - - - - - - -
-
-
- - Manages - -
-
-
- - - Manages - - - - - - - - - - - -
-
-
- Control Plane Partition -
-
-
- - - Control Plane Partition - - - - - - - - -
-
-
- backup of stateful sets -
-
-
- - - backup of stateful sets - - - - - - - - - -
-
-
- bare metal machine -
-
-
- - - bare metal machine - - - - - - - -
-
-
- metal-stack -
- and -
- gardener -
- kubernetes cluster -
- running in kind -
-
-
- - - metal-stack... - - - - - - - -
-
-
- - Manages - -
-
-
- - - Manages - - - - - - - - -
-
-
- S3 -
-
-
- - - S3 - - - - - - - -
-
-
- Needle -
-
-
- - - Needle - - - - - - -
-
-
- - Nail - -
-
-
- - - Nail - - - - - - - - - Text is not SVG - cannot display - - - - \ No newline at end of file diff --git a/versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-chain.svg b/versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-chain.svg deleted file mode 100644 index 8f88ba14..00000000 --- a/versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-chain.svg +++ /dev/null @@ -1 +0,0 @@ -
Partition 1
Partition 1
seeds
seeds
shoots
shoots
Partition 2
Partition 2
seeds
seeds
shoots
shoots
Partition 3
Partition 3
seeds
seeds
shoots
shoots
Production Control Plane
Production Control Plane
metal-stack
kubernetes cluster
metal-stack...
gardener
kubernetes cluster
gardener...
Manages
Manages
Control Plane Partition
Control Plane Partition
backup of stateful sets
backup of stateful sets
bare metal machine
bare metal machine
metal-stack
and
gardener
kubernetes cluster
running in kind
metal-stack...
Manages
Manages
S3
S3
Needle
Needle 
Nail
NailText is not SVG - cannot display \ No newline at end of file diff --git a/versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP18/autonomous-control-plane-images/small-initial-cluster.drawio b/versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP18/autonomous-control-plane-images/small-initial-cluster.drawio deleted file mode 100644 index a75ee340..00000000 --- a/versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP18/autonomous-control-plane-images/small-initial-cluster.drawio +++ /dev/null @@ -1,234 +0,0 @@ - - - - - - - - - - - - - - - - - - - 1 - - - - - 2 - - - - - 3 - - - - - 4 - - - - - 5 - - - - - 6 - - - - - 7 - - - - - 8 - - - - - 9 - - - - - 10 - - - - - 11 - - - - - 12 - - - - - - - - - - - - - -
-
-
- internet-router-management -
-
-
- - - internet-router-management - - - - - - - - - - - - - -
-
-
- management-switch-and-server -
-
-
- - - management-switch-and-server - - - - - - - - - - - - - -
-
-
- leaf01 -
-
-
- - - leaf01 - - - - - - - - - - - - - -
-
-
- leaf02 -
-
-
- - - leaf02 - - - - - - - - - - - - - - - - - -
-
-
- Initial cluster node -
-
-
- - - Initial cluster node - - - - - - - - - - - - - - - - - -
-
-
- mirocloud (initial cluster partition nodes) -
-
-
- - - mirocloud (initial cluster... - - - - - - - - - - Text is not SVG - cannot display - - - - diff --git a/versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP18/autonomous-control-plane-images/small-initial-cluster.svg b/versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP18/autonomous-control-plane-images/small-initial-cluster.svg deleted file mode 100644 index a9d29f05..00000000 --- a/versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP18/autonomous-control-plane-images/small-initial-cluster.svg +++ /dev/null @@ -1 +0,0 @@ -123456789101112
internet-router-management
internet-router-management
management-switch-and-server
management-switch-and-server
leaf01
leaf01
leaf02
leaf02
Initial cluster node
Initial cluster node
mirocloud (initial cluster partition nodes)
mirocloud (initial cluster...Text is not SVG - cannot display \ No newline at end of file diff --git a/versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP2/README.md b/versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP2/README.md deleted file mode 100644 index c7f2360a..00000000 --- a/versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP2/README.md +++ /dev/null @@ -1,7 +0,0 @@ ---- -slug: /MEP-2-two-factor-authentication -title: MEP-2 -sidebar_position: 2 ---- - -# Two Factor Authentication diff --git a/versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP3/README.md b/versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP3/README.md deleted file mode 100644 index 5ce36721..00000000 --- a/versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP3/README.md +++ /dev/null @@ -1,67 +0,0 @@ ---- -slug: /MEP-3-machine-re-installation -title: MEP-3 -sidebar_position: 3 ---- - -# Machine Re-Installation - -In the current metal-api only machine installations are possible, performing a machine upgrade is only possible by creating a new machine and delete the old one. -This has the drawback that in case a lot of data is stored on the local disks, a full restore of the original data must be performed. - -To prevent this, we will introduce a new metal-api endpoint to reinstall the machine with a new image, _without_ actually deleting the data stored on the additional hard disks. - -Storage is a difficult task to get right and reliable. A short analysis of our different storage requirements lead to 3 different scenarios. - -- Storage for the etcd pvs in the seed cluster of every partition. - This is the most important storage in our setup because these etcd pods serve as configuration backend for all customer kubernetes clusters. If they fail, the cluster is down. However gardener deploys a backup and restore sidecar into the etcd pod of every customer kubernetes control plane, and if this sidecar detects a corrupt or missing etcd database file(s) it starts automatic restore from the configured backup location. This will take some minutes. If for example a node dies, and gardener creates a new node instead, the csi-lvm created pv is not present on that node. Kubernetes will not schedule the missing etcd pod on this node because it has a local PV configured and is therefore tainted to run only on that node. To let kubernetes create that pod anyhow, someone has to either remove the taint, or delete the pod. If this is done, the pod starts and the restore of the etcd data can start as well. You can see this is a bit too complicated and will take the customer cluster down for a while (not measured yet but in the range of 5-10 minutes). -- Storage in customer clusters. - This was not promised in 2020. We have a intermediate solution with the provisioning of csi-lvm by default into all customer clusters. Albeit this is only local storage and will get deleted if a node dies. -- S3 Storage. - We have two possibilities to cope with storage: - - In place update of the OS with a daemonset - This will be fast and simple, but might fail because the packages being installed are broken right now, or a filesystem gets full, or any other failure you can think of during a os update. Another drawback is that metal-api does not reflect the updated os image. - - metal-api get a machine reinstall endpoint - With this approach we leverage from existing and already proven mechanisms. Reinstall must keep all data except the sata-dom. Gardener currently is not able to do an update with this approach because it can only do `rolling` updates. Therefore a additional `osupdatestrategy` has to be implemented for metal and other providers in gardener to be able to leverage the metal reinstall on the same machineID approach. - -If reinstall is implemented, we should focus on the same technology for all scenarios and put ceph via rook.io into the kubernetes clusters as additional StorageClass. It has to be checked whether to use the raw disk or a PV as the underlay block device where ceph stores its data. - -## API and behavior - -The API will get an new endpoint "reinstall" this endpoint takes two arguments: - -- machineID -- image - -No other aspects of the machine can be modified during the re-installation. All data stored in the existing allocation will be preserved, only the image will be modified. -Once this endpoint was called, the machine will get a `reboot` signal with the boot order set to PXE instead of HDD and the network interfaces on the leaf are set to PXE as well. Then the normal installation process starts: - -- unchanged: PXE boot with metal-hammer -- changed: metal-hammer first checks with the machineID in the metal-api (through metal-core) if there is already a allocation present -- changed: if a allocation is present and the allocation has set `reinstall: true`, wipe disk is only executed for the root disk, all other disks are untouched. -- unchanged: the specified image is downloaded and burned, `/install.sh` is executed -- unchanged: successful installation is reported back, network is set the the vrf, boot order is set to HDD. -- unchanged: distribution kernel is booted via kexec - -We can see that the `allocation` requires one additional parameter: `reinstall` and metal-hammer must check for already existing allocation at an earlier stage. - -Components which requires modifications (first guess): - -- metal-hammer: - - check for allocation present earlier - - evaluation of `reinstall` flag set - - wipe of disks depends on that flag - - Bonus: move configuration of disk layout and primary disk detection algorithm (PDDA) from metal-hammer into metal-api. - metal-api **MUST** reject reinstallation if the disk found by PDDA does not have the `/etc/metal` directory! -- metal-core: - - probably nothing -- metal-api: - - new endpoint `/machine/reinstall` - - add `Reinstall bool` to data model of `allocation` - - make sure to reset `Reinstall` after reinstallation to prevent endless reinstallation loop -- metalctl: - - implement `reinstall` -- metal-go: - - implement `reinstall` -- gardener (longterm): - - add the `OSUpgradeStrategy` `reinstall` diff --git a/versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP4/README.md b/versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP4/README.md deleted file mode 100644 index 389a02d4..00000000 --- a/versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP4/README.md +++ /dev/null @@ -1,211 +0,0 @@ ---- -slug: /MEP-4-multi-tenancy-for-the-metal-api -title: MEP-4 -sidebar_position: 4 ---- - -# Multi-Tenancy for the metal-api -:::info -This document is work in progress. -::: - -In the past we decided to treat the metal-api as a "low-level API", i.e. the API does not specifically deal with projects and tenants. A user with editor access can for example assign machines to every project he desires, he can see all the machines available and can control them. We tried to keep the metal-api code base as small as possible and we added resource scoping to a "higher-level APIs". From there, a user would be able to only see his own clusters and IP addresses. - -As time passed metal-stack has become an open-source project and people are willing to adopt. Adopters who want to put their own technologies on top of the metal-stack infrastructure don't have those "higher-level APIs" that we implemented closed-source for our user base. So, external adopters most likely need to implement resource scoping on their own. - -Introducing multi-tenancy to the metal-api is a serious chance of making our product better and more successful as it opens the door for: - -- Becoming a "fully-featured" API -- Narrowing down attack surfaces and possibility of unintended resource modification produced by bugs or human errors -- Discouraging people to implement their own scoping layers in front of the metal-stack -- Gaining performance through resource scopes -- Letting untrusted / third-parties work with the API - -## Requirements - -These are some general requirements / higher objectives that MEP-4 has to fulfill. - -- Should be able to run with mini-lab without requiring to setup complex auth backends (dex, LDAP, keycloak, ...) - - Simple to start with, more complex options for production setups -- Fine-grained access permissions (every endpoint maps to a permission) -- Tenant scoping (disallow resource access to resources of other tenants) -- Project scoping (disallow resource access to resources of other projects) -- Access tokens in self-service for technical user access - -## Implementation - -We gathered a lot of knowledge while implementing a multi-tenancy-capable backend for metalstack.cloud. The goal is now to use the same technology and adopt that to the metal-api, this includes: - -- gRPC in combination with connectrpc -- OPA for making auth decisions -- REST HTTP only for OIDC login flows - -### API Definitions - -The API definitions should be located on a separate Github repository separate from the server implementation. The proposed repository location is: https://github.com/metal-stack/api. - -This repository contains the `proto3` specification of the exposed metal-stack api. This includes the messages, simple validations, services and the access permission to these services. The input parameters for the authorization in the backend are generated from the `proto3` annotations. - -Client implementations for the most relevant languages (go, python) are generated automatically. - -This api is divided into end-user and admin access at the top level. The proposed APIs are: - -- `metalstack.api.v2`: For end-user facing services -- `metalstack.admin.v2`: For operators and controllers which need access to unscoped entities - -The methods of the API can have different role scopes (and can be narrowed down further with fine-grained method permissions): - -- `tenant`: Tenant-scoped methods, e.g. project creation (tenant needs to be provided in the request payload) - - Available roles: VIEWER, EDITOR, OWNER -- `project`: Project-scoped methods, e.g. machine creation (tenant needs to be provided in the request payload) - - Available roles: VIEWER, EDITOR, OWNER -- `admin` Admin-scoped methods, e.g. unscoped tenant list or switch register - - Available roles: VIEWER, EDITOR - -And has methods with different visibility scopes: - -- `self`: Methods that only the logged in user can access, e.g. show permissions with the presented token -- `public`: Methods that do not require any specific authorization - -### API - -The API server implements the services defined in the API and validates access to a method using OPA with the JWT tokens passed in the requests. The server is implemented using the connectrpc.com framework. - -The API server implements the login flow through OIDC. After successful authentication, the API server derives user permissions from the OIDC provider and issues a new JWT token which is passed on to the user. The tokens including the permissions are stored in a redis compatible backend. - -With these tokens, users can create Access Tokens for CI/CD or other use cases. - -JWT Tokens can be revoked by admins and the user itself. - -### API Server - -Is put into a new github repo which implements the services defined in the `api` repository. It opens a `https` endpoints where the grpc (via connectrpc.com) and oidc services are exposed. - -### Migration of the Consumers - -To allow consumers to migrate to the `v2` API gradually, both apis, the new and the old, are deployed in parallel. In the control-plane both apis are deployed side-by-side behind the ingress. `api.example.com` is forwarded to `metal-api` and `metal.example.com` is forwarded to the new `metal-apiserver`. - -The api-server will talk to the existing metal-api during the process of migration services away to the new grpc api. - -The migration process can be done in the following manner: - -for each resource in the metal-api: - -- create a new proto3 based definition in the `api` repo. -- implement the business logic per service in the new `metal-apiserver` without calling the metal-api. -- clients must be able to talk to `v1` and `v2` backend in parallel -- Deprecate the already migrated service in the swagger route to notify the client that this route should not be used anymore. -- identify all consumers of this resource and replace them to use the grpc instead of the rest api -- move the business logic incl. the backend calls to ipam, metal-db, masterdata-api, nsq for this resource from the metal-api to the `metal-apiserver` - -We will migrate the rethinkdb backend implementation to a generic approach during this effort. - -- Try to enhance the generic rethinkdb interface with `project` scoped methods. - -There are a lot of consumers of metal-api, which need to be migrated: - -- ansible -- firewall-controller -- firewall-controller-manager -- gardener-extension-auth -- gardener-extension-provider-metal - - Do not point the secret bindings to a the shared provider secret in the seed anymore. Instead, use individual provider-secret containing project-scoped API access tokens in the Gardener project namespaces. -- machine-controller-manager-provider-metal -- metal-ccm -- metal-console -- metal-bmc -- metal-core -- metal-hammer -- metal-image-cache-sync -- metal-images -- metal-metrics-exporter -- metal-networker -- metalctl -- pixie - -## User Scenarios - -This section gathers a collection of workflows from the perspective of a user that we want to provide with the implementation of this proposal. - -### Machine Creation - -A regular user wants to create a machine resource. - -Requirements: Project was created, permissions are present - -- The user can see networks that were provided by the admin. - - ``` - $ metalctl network ls - ID NAME PROJECT PARTITION NAT SHARED PREFIXES IPS - internet Internet Network true false 212.34.83.0/27  ● - tenant-super-network-fra-equ01 Project Super Network fra-equ01 false false 10.128.0.0/14  ● - underlay-fra-equ01 Underlay Network fra-equ01 false false 10.0.0.0/16  ● - ``` - -- The user has to set the project scope first or provide `--project` flags for all commands. - ``` - $ metalctl project set 793bb6cd-8b46-479d-9209-0fedca428fe1 - You are now acting on project 793bb6cd-8b46-479d-9209-0fedca428fe1. - ``` -- The user can create the child network required for machine allocation. - ``` - $ metalctl network allocate --partition fra-equ01 --name test - ``` -- Now, the user sees his own child network. - ``` - $ metalctl network ls - ID NAME PROJECT PARTITION NAT SHARED PREFIXES IPS - internet Internet Network true false 212.34.83.0/27  ● - tenant-super-network-fra-equ01 Project Super Network fra-equ01 false false 10.128.0.0/14  ● - └─╴08b9114b-ec47-4697-b402-a11421788dc6 test 793bb6cd-8b46-479d-9209-0fedca428fe1 fra-equ01 false false 10.128.64.0/22  ● - underlay-fra-equ01 Underlay Network fra-equ01 false false 10.0.0.0/16  ● - ``` -- The user does not see any machines yet. - ``` - $ metalctl machine ls - ``` -- The user can create a machine. - ``` - $ metalctl machine create --networks internet,08b9114b-ec47-4697-b402-a11421788dc6 --name test --hostname test --image ubuntu-20.04 --partition fra-equ01 --size c1-xlarge-x86` - ``` -- The machine will now be provisioned. - ``` - $ metalctl machine ls - ID LAST EVENT WHEN AGE HOSTNAME PROJECT SIZE IMAGE PARTITION - 00000000-0000-0000-0000-ac1f6b7befb2 Phoned Home 20s 50d 4h test 793bb6cd-8b46-479d-9209-0fedca428fe1 c1-xlarge-x86 Ubuntu 20.04 20210415 fra-equ01 - ``` - -:::warning -A user **cannot** list all allocated machines for all projects. The user **must** always switch project context first and can only view the machines inside this project. Only admins can see all machines at once. -::: -### Scopes for Resources - -The admins / operators of the metal-stack should be able to provide _global_ resources that users are able to use along with their own resources. In particular, users can view and use _global_ resources, but they are not allowed to create, modify or delete them. - -:::info -When a project ID field is empty on a resource, the resource is considered _global_. -::: - -Where possible, users should be capable of creating their own resource entities. - -| Resource | User | Global | -| :----------------- | :--- | :----- | -| File System Layout | yes | yes | -| Firewall | yes | | -| Firmware | | yes | -| OS Image | | yes | -| Machine | yes | | -| Network (Base) | | yes | -| Network (Children) | yes | | -| IP | yes | | -| Partition | | yes | -| Project | yes | | -| Project Token | yes | | -| Size | | yes | -| Switch | | | -| Tenant | | yes | - -:::info -Example: A user can make use of the file system layouts provided by the admins, but can also create own layouts. Same applies for images. As soon as a user creates own resources, the user takes over the responsibility for the machine provisioning to succeed. -::: diff --git a/versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP5/README.md b/versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP5/README.md deleted file mode 100644 index 3b7fc45c..00000000 --- a/versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP5/README.md +++ /dev/null @@ -1,54 +0,0 @@ ---- -slug: /MEP-5-shared-networks -title: MEP-5 -sidebar_position: 5 ---- - -# Shared Networks - -## Why are shared networks needed - -For special purpose machines that serve shared services with performance critical workloads to all machines of a partition (like persistent storage) it would be good to have kind of a "shared network" that is easily accessible. -They do not necessarily need another firewall. This would avoid having two firewalls in the datapath between a machine in a private network and the machines of a shared service. - -## Constraints that need to hold - -- a shared network is usable from all machines that have a firewall in front, that uses it -- a shared network is only usable within a single partition (currently we are constrained in bandwidth and have no routing of 10.0.0.0/8 addresses btw. partitions and failure domain should be the partition but this constraint might get lifted in the future) -- networks may be marked as shared after network allocation (but there should be no way back from shared to unshared) -- neither machines nor firewalls may have multiple private, unshared networks configured -- machines must have a single primary network configured - - this might be a shared network - - OR a plain, unshared private network -- firewalls may participate in multiple shared networks -- machines can be allocated with a primary network using auto IP allocation or with `noauto` and a specific IP - -## Should shared networks be private - -**Alternative 1:** If we implemented shared networks by extending functions around plain, private networks we would not have to manage another CIDR (mini point) and it would be possible to create a k8s cluster with a private network, mark the network as `shared` and produce shared services from this k8s cluster. - -**Alternative 2:** If shared networks are implemented as first class networks we could customize the VRF and also accomplish an other goal of our roadmap: being able to create machines directly in an external network. - -Together with @majst01 and @Gerrit91 we decided to continue to implement **Alternative 1**. - -## Firewalls accessing a shared network - -Firewalls that access shared networks need to: - -- hide the private network behind an ip address of the shared network if the shared network was configured with `nat=true`. -- import the prefixes of the shared VRF to the private VRF and import the prefixes of the private VRF to the shared VRF so that the communication between the two is working in both directions. As long as no `nat=true` was set on the shared VRF, the original machine ips are visible in both communication directions. - -## Setup with shared networks and single consumer - -![Simple Setup](./shared.png) - -## Setup with single shared network and multiple consumers - -![Advanced Setup](./shared_advanced.png) - -## Getting internet access - -Machines contained in a shared network can access the internet with different scenarios: - -- if they have an own firewall: this is internet accessibility, as common (check whether all traffic gets routed through it!) -- if they don't have an own firewall, an external HTTP proxy is needed that has an endpoint exposed as Service Type NodePort diff --git a/versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP5/shared.drawio b/versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP5/shared.drawio deleted file mode 100644 index aa7af045..00000000 --- a/versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP5/shared.drawio +++ /dev/null @@ -1,121 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - \ No newline at end of file diff --git a/versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP5/shared.png b/versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP5/shared.png deleted file mode 100644 index b0b47f0324545ec159effc46f153a9b5b0c2450b..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 49790 zcmeEu1zc6x+V`OZ4ygiyBB6sIB@GAZ6lv*}?mBcygGj5CbV#RkNJt7wsURqVG@^t^ zNqy@e$3dOB@7#OmeZTwuzHi1k?!DGtYp?Y@&-y>PCqzL`5)XP73V}fIq^^nGfIv`T z5D1Di)(OzUv5?FQfpGOYimN+XyPB9=8AE8;MZaCqu(6ogIylm>i_x&L8M5)P>vM9j zF&T34a58b|bD1!~40#NgIC%_MdDyu)OpNr|!DC>IwXKo4iMg@Sw{dJNY%ENy;15ih zm6e8Fn4JauaB?!kSU5GmJ+E(SY;*JyPG%M`0i8PHNfB@*V{YT*3jTKG;nL&cxD2j@ z?d+_K)r<|K%^hjjBskf*nc2AzL!_@M%gWHOiGph@b4z3Jm!z?wr7dEJsI3vWmtbY) zWMO7S+?&B|tr0Ce?94389IPzt%&dnC7q>DtbcEa5fG!v_+u^fH`X>5t^J8y9Y|z+I z-}Kw&EG1oGcEYTR4h9aQcGpc+&3UZA3J}jY8^ayU!BmH|V`XRNV&+72u!{rg8ky^x z!u74eQ|3oRQqgl$V!Cc`p>Ja#%%2GIu|kp7m&)sgt>pvBS~2 zzm0UXwY73IxBIct(ALHVkn4vB_2F<^mmeQ9v9&tdbe6C%xa-5C1N%|9AipgF{Ksw{kk#o2H!62!jWB>;T*#`;e2^+Bt%wtpELeV8!3& z`|%y1`Ph5^9TpquJD44c1A^aw&exwLL0niuLL3H0AciaGJ31P}5%>cb%Yu*(#FCFm z2iM_0p#5)<4p!LzJ@Gg~w`1a=WCkSN2<%$*h6MNpZ2fn5@e`5%XO0^y+m8fgN8TSh zZ>&hf{<{wx(5DE39i!+k6g0Lm5=LM>5HA~B0BAn|6o5y#n>y%XVP@k5U5ED?hmv@7 zBZfc~1k@dNi6KA*ardW^=%^1jH3p{@VTT;?+t}y_HS#NP9itRdcN`}avJGx*rSE9& zd<4)(xcEnKb@T=WTk}ICL82y-F+T$%ata4qC%B>U(I`OH@7m?(iIDJlG!Z-U9y!rB z8vHWRA$oqt>%&DJHvI!Y<^KEl%l%LB*VxtE@ta&64g+@xsW_AaaQ(YbAa0N{@dFh8 zF|hrq*nFe?H?cX=BLBIP#D>(B|E?sladIfX%jXp@ZLJI!hFIPOj$Q3IKGYkf7 zY=qpigC7K}95Z`>?SW9i$84J)b=?uP97o`zCVeY&Q-p3a1OQ?T3?UJOC1VbZNa3Rn zYjYzbgmv|Y#?+7I)(;YfP?ASBF@V>907-w{bb=ik{%kBrz9JcL44^pvz;r?a3zAR& zis=OVQ;q|BOC#s(&TkH~W(1sW;yNMSxkNThx{u9T4w_-_&N2xpF&FTeW>KLOB>K=4ocUH>DL zWJjU}62AW@Dfz4Cr2sc~)^|iiSH9WSM<&}bO#ja(DJPPI|A3_bZMHS*ukOk(YVofc z*Z-95_3bTx5Cb@FBq2fQxRu0uBnAH=2KUe0<3Mr~i5Y*@;O0aE5K;_~_sEIhAoLFbhBt5uf;H z;PMcS4}%&=EItOZh(OryVU5E(1YN#Iz7&k%<{;3H@L>OO0PMJuKC&QwfZiiG{twa7 z?8uZ1QV5XYVWevPt2+7@>lb;hkrVxWIvOdb$8_}f@bR~k4I&x96#9P`ciH}eD*`)G zS%3G@Mxx3w?tG8(%NaYm*upJ=Pa=g(|NNd1LPnr~ijX)uILDlo|0)0l+~V&^wBu1I z(EdFS@OOry{ssVM{V9gQ#&x8!jsY+$$B_m-&ZfV^_eMl8z@Ou(gWo;I?|k|>X?LVI z5iCMR_y0K_eGgsy%p;_W{vXC8P8POr)d1gvg8#Ez`qi)hMNb+!!JWTnAdfkuhF1Cx z4(5me(y^%RpNj2&h(7vm`Xlub*OA4DR3rbgKKgm0KhZ}ZSEi3hrX$~Hhe#qhAjtN| zStWL)!aQ0q$B{z)J!AfD#^2LD|6B$LdCZQ%sf{gIpPaDruMqlci_+n9EaoO)h>boX zFXspcB@UpF0+i0MfU=8k=~o*hF#i_^p2ZRI?n4y#rehHh@(&T{po^J;r%Z~pj$!jD53Q>-%<->=M?veSt??&-a-~nk>|85W?Vh~7s_)jt9 zxarGwq|5$8a0O9abExl*jwu_@Q3?#nu)m5c9Ech=gw+4pM1O)SKx2Y3Fl0^5?`ZH3 zlD|k29y|KT1MXm_e|Ubs*CiqAU<|)i8zJgr;HCz206f7TM5W!atILQ+M81p#k)UBR z(YH3Y0=q$s0rTry+Z}eYvm+`|%#5v^jS=a(UwVF=M_7eSM-YSPK1wnor$6jA2lZNr zqD4eM%dw>$b~?iKZ5&L%qL9-gO1_TX4@^~~AK!j_xPiW*rRiY^o#`i{vmv4$M`Zu$ z`ghVBnLF570ZntbEOQ&H!&);WRjh0gQ2lMchy@|J3$6}pr_8PGY~haJCC6=Mgr@ig z-$2&B2?(<2>AytjA5%>KGs)aPg^|A=Ut&i>Ch{=;kp+$PaF4?^f;|YLAW#3l1lPYN z(Z5Z4OdlSD>m#E6fYpC!qJc5T;Q2UQBVhSYsrH`&v_G+go#k%=+FvI68-ezZqEX+D z(*FnAZ<^x&1MOinAHc?;R+{~*?*dd9U1gOPW1OdJyMX53DfuJLJpFAPGUF649$or#D*Vx4+Bxm&@5Gsh2n6R>| z?#E@VC#>2~0 zepGZb-i=Rf-fG+2O`M*MeQcV78EE8eI-6MQGR{BuEQvJg0`xX&_6;h_p~7Kiy~d;g zW&gV^=nPSumP3niSM+*+yL%foLud=yhShZEB_W0w3b)e4r#IEMV}(6~I$FfHPl|e3 z_qbFS`AP9dstO6vQSk4vx!$9viZUDwQE|K&WjHw!lRlz_;!EzqK)-n!BdNqkC}M4n zYSf)7>a_J>cerdWXuzgb37TGoVok@pVk3Uw#%9iHLR6hgcf0Y#QF0ilqNcuFzTJqA zH7%A}1vg#04CZfy#heU5MTK3`MFT%6+GG#LhzYyO>a*aYip>jPE*>vvMhWN}$SHa| z;)$5tR?b)~!>3cEH(NGQq1@y-Aw!zkK*sAz%QKUmk(9ID>h;b{5$CT4`S?H*RioYw zb%dWQ^VqbJN#uH-y_lgXMMawr?OspG0xPC{UKRFAiD-qV%WZ8I&t|+a90l#f&5=jO z(GTWsi^%2OcxX4#i~`ns-KO>$k=<>uQ2c0(vnMgg^Mxve^h=r2XzM+!Z@F?YX}_x3amZc5|RW?Ft6=^5ad4DytDc@lcZYo8#VUQBQ&&Z?LG| z6SnM37Y%07e}c~E^;KC%QbDu9wakykPrlJ}d*ah4Jdvk0_EXB|E=ooy+hiZ?EqklJ z*_sT!!eaHBE#G|FJ1M)|w4>G>#jvwo_!kkgW5iF;#>UROV0eQ6qvwucZ>CUEMrLM znJW@+E)aEvaGB3^Tv7%S8gP$Z^s_5Q1~J_E<7?mhmz4~j#j{>Z;weM*Wz=|-rc$7K zed}$lLjh?F(d8TH^5{i$i^C;q!)0$Dd#Gt#yL(CY&K+Wg3#x_cP+oPcGmdDhF6g&y z8@DAi6bdU>XX5k>0P(LSauvx&i9#%2m!?1ZD3iiR#-LV=i-K4z_6f=e|JeLfG}m)k zAKBrOzX>B_7ZJkWxz=nj@Se6#HC;%~@iN0EXC{z8lOz?gdpQh*MNzH6o{x;45>0!4 z8IY`TTQk9eq~n;c%|547$_{%FTxQrg8BBRgC2oP-ancwJhkRV`Q9LuHsr(@E;e7&Wy(DM;4D0M7H&^>S*jlNcW}eMG5gRq~Z5 zF$Y|5pIA*`Hx*jMLyIKy7cJ->$dn|WV37-^QmV92d6}z-Mk}9!UUKm! zOU;PpIf*W}t(EjUsrolLsIOnC62V7HBJ-4SA?$o2v@rWTacXOID!*yD=|JE{j$F~r z@G^d4dSwNa7q}cG(h-(kkSy*DpJISLg&2y>o=|X{ctq&WUpIRn{ka(R)V+%ZB1EM+ z0BGM--hGhaQ%?tI%FIq2atk^wCc;tMW(d%6^>tpHZ=yO%brAXKzEGW@OHqbr$Yw54 zWPn+NWh!uAWP%;Dt~%oUJs2!T3Xd1?of})ZZ(uVv3*(Gta(A{#2|xYHLu2DTpj56_ zbun*Lr0LMg!Q096;4ofu8rB?wPlelz)jhnSVrN;$53SB{@Zgtsi?BM`6;cR?C({Dm zG8IzJY{*rQ8Xc6xWj)%EiPu-Ek1C@Tnv(ox=xcOQC;1JT3bK)+S@igoN3mCQ>Xd2T zaeO$X$baE#V}J4KuCnS3xF9=FDu%NoF=cM~s9eJMN|*Zm?lEa`IgwJX39-teDN(Gv z?-Sj2-Aay&i@W}~S@dA5c@D+(*;pF~j*Q*Y-x7DpiUj$n)%$v%%S<<@2?_ahFSf~y zJyUFVK7mi3i$75Q4B8uzDEok;#UGR4<cxl$?vE#yEo`8e4`w;xnOFoYctJ~{O8dR+kgCQqQoS^TC zPFdZJ6x>&k5*|52fnH-Z!WNTu-#eC3BV(zxf&{z|-(KE?YmSqTa6nVgTB8&dR+amk zlbA0R20Gk`<~HiAQuC!Q>bK;4t_lxjC(sh?(nayvolo0gF*zEpqR4YguYY)@5|Nvy zl#`Dh=Xuk6bIgVQ{Us%~LiMr>JUOT32`){uIB+}2u-0?4$FfUZ687;iN+519?umuo zQ7zFeVsmF-rO_9=!aH3mD>5W6xR_7Ax6XP>pNC@w4t+K6 zxk1!bCQg%g5vcX9vxFGW@`Y-mTEF1H;L|=Su6JP>@rh5dU>H!MW}ug1B--x~D-BU- za>iTu+70H&Q(|zUV;K%Oa4$rO_TVv{uM6~FI2A8?r#73h+^;Wz9n;Z;6@`}CZ{fVz zUI^ASi!?9F9r5MR6q=+xS}Im-+A-}4mNMIPV(G2{_7p9Da?S7uoR%l*2Gq?y>APcV zwtX=OAh+DBFcyYRzs|V(@+5-nc(+kaRH(GO^hKV@3vB;J3ZMU)Zrp|iLyumY>%$bq zKW#VoH8T#V+aRAadvouF<>Huih`RbO7%}P30+nGu-%tH4RZtHl;$((Z*|hp>bR94h z2D4>D5qR->Zzw}NlrTyZ=M6SKW7yR$igPY~W_ULFz>`SXlMbC~E)is9VeL_=)J1uT>^9YOob(^n@!( zO3P%3h4kks(asbPQU@zsvpn4rWG^Z+|1_TR-40Mm3fSTcjhTTTTL}a!ES{e1vR?`o z)7-=b)RQLj+BNh?vYhykfLwHy$xlLwvr9Vq+nuf__c714U z1TflshtAYF=c^QuBqb-_Ov9uo7jU5;fC`@>nsOwaGc6kj;oX>kbZh!ynA zr}w6bW^yj}Q~;JwLx+0X-6;)9F|wjH0LAwEF>*f*MK+9%Nm0NBm58_kToy{}@foxjU$G2x4 zh#&c4+~-T+NWIp%QJYRT;fRrR0@hJ(^s&fq^~?LNcZtEcw>CyhEebr9rF)ZLuSmAL zE@6dR?V!S#kzGmlWz=0AL!Mae6?CgPFd`} zr8o*ELOnsEA7U#uw?KK&;jU*{l+Lb92+Sr-E;Lq5uPn=iG^58q>ud8=l-Yk8kXYCw z7E5#eKIFyK(%vGi>X$8^&&=DkH40x;+v>%vJ=M&1OnGL-==OP95%VkS$+;K?wNj@= zRj2D^GkdO|?UH$&UZUIzIZdl-y%J!MZ88z^jL$m3&;WWHSc>_KbE}i>N~)CEmaZEg zHEuuq$hQz5OFo-xa0fHOS4uXs{x%J59dYbVq7f8CIyBt zCsf=8H+L6b6=0?;Nyk%PV`1mMrmVJHQsnIOX}u^UESSFGVy7Tg3mCj zD+uG<)6q1!UL8PQCB*|AhC94c3B#uf3&$c8T1JMwb~f@}Bw}l#6V)ZfTli@VB{bYS z7%$cLzwXuI@rV-dEC*I}Lh@4n-p*zL5s|O2Z&%!vRMDYSp$Ji0DdUVxTdn)L1qO6`ZH}OKS#08_E^VFLt-W=%n1clX{iyG+1(Wl;5K{+Bad>%p z`bnMwEcbimhkQkm4tOqen+yvjn+gujGH-vv_P$}G8AJ$`7#OrKnP_1}7 zZ&ztE#*3jHhRrs+c42zuR>ds2;4N*9NODE6uJlJ0`Xq>TvE5_CSDX;U$T$xt4Q4a# zC66&r3@kpYX*Z8Qcu)O9vv4RD`@I*OVhU--0c20Zv3a>|-xc1yWi#>!!+U=_=g|We z=T5LT%UJRru91|=9k1<~IA~Q(YrbNp1bvFh_U9QWJeEl-yHIZT9=EM7q0RhVLqRg5 zXRZ{|UDSmGD&kb<_}wc+htmFllee9_^tGOSd`_AOc$Xh6Ncp*gX_|Ms-$2CfTB^X~ z?sk6tJuWEjYM2(4O> zi3{N2N9Me@3Pg6rs2b%akDURL1-AUj`-u zJ4{aBT#Cp}4~%~6vXnKK;X_B5n#YXxVEAYk)1c<5pR5B^bDUI zhMQ-)-b;05N`&+7gJ+(kFz1Hp5wV0KysZQ&vS7N2TBsNqd_LQNnI5v+htU^vLxLF^ zFAZ?S;dxG&1ks8ZMg}enyu%y5wetS`WcKH_nTv*8<%kJVbjT9vCdi;-*kFRso123B z6D?@=N^TwQ(TeU-;0X$j5jJJT<}9e#S$LbQ@gOmE>nRKlusoy7AZX)L&p>G2b&@-# zUjFeHJt8bb3`T<*>}z5PDh7pfaK8${B%mOIyP#wpfYzG`*Fl5qsGk%}IJ2b0ymtn} z3ZYrJlCxszsGv2)s3(KSVPE>3XqDVAL0>C@F&_DsH&21UkSQG@bys?#1@M1q5fKP` zC75AVmaJm4FW@_mf|dDoB0`J|ag;=A$+yY_8BK4MiR?7MVzr$uvJ4Rm$VBB5ji|}9 zQdZ6nLA|61-um0=%dLbMeCjBPRJ1HCQ8xManhy3ogb9YO2Qfok?;}XSImV{0*nA%v zfCHP%W}9i~NfYz61DXz7?Lr5i3{oHrGL{yjUnV>Y`14ZYYBbA;wz` zuydCb{srJ>K^1%z5PNzgB!<$b3YJ|yrzdd*8ZV4e5S3Y**I4g;a0`VU_eKX|Jtu+U zrk#B7lo&y1O=treST?)}`|i8jsJ%D9SdDJ!dIT}9V7&89GHAcEXFuH)9sMY=TlZ9t zml(<>BIdw9C+p4x<~q1chzdmGtl+I(m(8WI)7&wIrxcr8!Om7!FsNG3V92Biu}t4i z>_#uYEJ}#+5fN!S-+o^!1PF%`5mpd6*r>R-`LBF{!i~6N!Y!mY6`TDL+GERl)ooGu zLAOGtlrQzGIUb|O5=xshRRcNAZ-DW7(X=^-C3#j6M4`) z4|R^hl8h+M%-2-diQh5-b2|IR+Eyuxv8Q>o-OO2T0H%mt=aR3Tw+6U1(=T}Xc@;SO zmtIJT0*mnO%AnOW0G5y>n-n`0;1U(<)xsa<*W^88e}f8}O^`MXZ>xw}`_h*~%5KCM zLBZ!2cV)jNn9>VtS@oUSXjRBy-D}$RGWZU3_sTuPXK8`u#2wjaiBW7$-GmNfSrSSO zTRRx4%j$s$03I(}CWb0Emq~X%(LTdnGS=olPC;dx-r%e!n7%&zx_@+Lab>-ugw^{w zUwt*@C>{o!{8A;yZ%`f`6jRX%weY)J@4ra3g`NB|mc%Dc&tdt3jOop0X})aAvyjrM z6^yLw$;?ki$7-B02yWF!dIsJZ@%$9+@6n$jEH0y0NP4=`)t80C>fxVra0Jt0)QrPYI0zngtKd`A?mymMX|cVQ z^qWRN3f@;)lHQa6?|rurXPvJjg>=-$LYrK!SDdXpz2?a$+uZbYEE%R9&2-Ows@v$C z+lG$3HE|`@Yq}Nwa4iRWI)GML*?YXggq_3UeIR{h0s8odrBC%>>M}nHO*rr7Vps{u zt-$f+g9wuIn$0;{TG^}}HR)5On~9HI*JhcZL`*&>eQ(`f*JX6H7$VbfFlx_!l{j&R zhujTkw!I7GqW#880#^`|?5}Y$m)&EK+)AUI?Dk2tKxrZg!KTKo{jJUUfo$4$p?ehFD$K!X z_4qfJ7x?q7n{M5zaa?7Kwbsqwe|~G&MjZ#^4zZ8k_{kdA{R;*iw|(=S@-swB@bl$b z7z6vOEYCelZG`N|EsH1g^`L8|T#8HyOZ9FDFb~ZM+FH3oLz`cqTzm#Y%(s-tjDj`aSvm_fy4z^udZKr;p1xXbx)S*W+XDaByRhndIW1J65;D_jq%mI5T6 zztQilu#ac6;kl757kcVpQ=6VQzi{&xnh#&Ew>wPsGXEZ}&F#SJ3pvXvI+5WN`(2#tXrMiB2J&%3);j( zfdv#v?cXc&T!gnp9-!1!FZlYkLo=ijJ4j(SiEccU%43Ahe2(q>T+|aqFH6sn`&uE~ zX(aaH2T>(9Qzd3LT;;Fh28ZpS6o#-i!`0wQ^>HwCVH-j>(pSGIXt0j@wSd; zZs&APOoTKSa|h$zU4Ygd()&!t@s2#~{~L0io2EOhqb5=*u;mkVgN` z+-2D@9nM^}tIEZSdMG&33A>brqfaVpyf?W}CGgvVbZC|L>SCaoUc>vjng!HB1oL;4 z%?IhF@u}(hy$MyV`2z?hX@%mr@Dys)%>j(foClU{|0A)|(S|vq8(G&+Ke;<4n002~ z^$TPwoB2sl5rAM9Q{tIAMZJW}_bL56@lkn;_}MX#V|{bMTr zd$g_f5|=qP7f7t|9KN7(F-g$Rs!60)nx7(Y#@cgGia zzMePOaBU+)z1$LSFk9ZgDfQs|t`OyrDbHY*bY>wRdRUU10FE<(3ZweTDbsMtrH0y9 z{HVLAD=nCmbgmZ44;AfXp7+FEiRKm+Fg7nEx%c8lHKsuCK5Kqlu5bG}5^9alMlGx` z|2hJRY(}zyItR;F9lm3jWp*7RjG9d>=+n3#c?oHH;zXkF1`a$FSHp0sJo{3)>>3&` zLGy>?0>zC`IP{4?&ssv=aGT=2mA;<1`MF{F1y;im$LXhWl6w(RqORw-t@uca^aAeZ zDK(UH0cEpi?_}e#Y}Djv<3c{ZFUT1M*kg0p;5;JB@)t$ z)BPARm!-M39G40{d>Vgze$7-ypT^^9E>iCKc@0<&A6lPeCNtu$VHxm)=ltwh9PeU@`BjD)}nL6 z6JrhME$;UOzfjv(@aY&#vtZqFTnP4XvB_KQ)vMLn(+*CW>r16}i2az)WJ;_g8o^Be z+&V`-r6VduR53@<8Ur`hxASY$Y0r2YuzUa|~%GDh_RN2#HF-)&B`S^wPdL;3i*o&gGxGhnqxpn#4K&!j6JiN%zfQXTlq!FtSkFH^2?_h+d{I(~eA4i#=DmF{u5@r0=G_|E0h zTXP`_)N{*CshRNAq<9Wfnks8;Vsh7K0$%a+7aPv(Cb@^ubDnE<5xa@iwJ=;61JxC< zpN8Ctp^vmqRLzv?iGZqGyt2*EHsBw1Gd##EXz?<8Q^VU>cmwB(USspZa)kbqurxw! zU3TjySnH=`E#OTW?y_s7B>h;y4v(k_)6+KiyW0k5w{o`(#?Mw9_)&NX*QNaY#&E;{)<#&&xujmOlF26f(+LzKk z{q)`|(`v~`ik9^%>o-9lO-Oxf7erFaX%We;$#ISH6Z~c(_3uXeMs)p8;ISBY6R8n( zzed&q5PS63I+)&P)Ho%dDj>eUyKN7W%~^8Env5`z8_3m}hejFV@>P-JQ3o?Wz)g4* z;6uJtJXuV;WCJCIK~P@A(QgtmaeJ=p$R~xWml?EF=S2FQlTG&W7_(GW@~0pp6BZ)T}JhF&MI5& z@H1ETJ3a@p$DI4vvb-4sbWu;FpCS9A3UkKSTXVzbpxs~MDK_+%dy7`qam3cX>e1sU zjyeio>5pK}4oKoI8Bc>pcjpeIUD9;1c!(PA{n$;b{pHK`Vt)yybAeEpZ|0@RHBUEX zDmLF-%bwy~^~_W5_#aLhJ!KW@eVsn_a$}j=5R*YDfrU*0gUs~cw?ydM^ZeEo`Av2m z7i7qZZ|jU}L_STgzdnBAmeIkNCxHX`Dhw)uAlXaGY7lT1B#t-j z)@EhNVQ?{FIS||@BqU6e*#Tj|&IqvJ3m(&NODQ~V!v;b+=_FKY*=`khv`|mhUbUzGz z?Y1TP@PeUbW0x9f5$_k}tChS}g`xDEA2K(oyjh%s>NB@C`L9;p{2Fkwo1a)vSfo&s zSIuj9*!(qLn-%Gp%GWD3pOUo(%&9L-v-BsZro1=InOZMUBNc>0@`u+Ydf&P!mU{|( z`MfUql#SSaZbR15d<=51zeB*aysg_liTi2zB&$J3TemFc%eiP)*!emFp>^JHyVYF{ zjsi85`pAPYrbSiYM}H;xJfhSwvC_id{cskyujDdy@IBcxc!owbI1A%yB~ibbpL)5G z|8UZr&e1G3Ns@pf-8&A2{$?CWBs`|)N%am@SOV|ab85Cw6j74EJ}n1ihewseXRaH|E)17YA_@*T z%m;6R^foA5DMCfl6y5mr2GiTy8<(7i5Cq9powhxmhyz*kW8xt125IV25Q)HmJ%7O2 zdY4AHo-fS1$?iQWD2fOHDLNt`0m?&^Q%xW=w$;m-J{Bstxv`--jzP?z+E#Ab*AFT- zaL;k!f+UB6?TD4X0&OfgEhATvluHnKUG|+BsS?zX`pt925?}V7X3oEP7&uB3vlEJ% zt5AFCtBY;Xq}e-fL1y0S;u2?uflus~pUn#O9xHn-n||eCkdRNx@w*e=es(%Z(BnD= zhr{L>YRON zmf1-0)w&Jr>y*w5liO)yDv=ZyY~I$)a~mbWt(mk~_?5fT3&P8;I=YqNNuGHj5|J5r ze}g>Jhy27mX>w6zhG=h^uz#u9zy%Dl-JPK#t!O?sILNk97O0h|Dky<6oR1^rlEU~! ztO5c8D{E^?!-1GEkW+Z_y3FuZTwzJcm2A1>{5pr#N%1WCR0>e8qeK!Hgm*4ziyI}7 zrecxFJB3OZ)wt4abu#e7#hthd;!tDX>-XuR{fad!Emp@Ti{XQh9Jr==%wG={o<~Hc zGUMR|^N3KL9v3*=->`OlP!8T|J0}-mH;5Y$pWu4XQ3qX<4L!X=P z_&OhM+1)?&DDbV~^`Rs}7aKmn2_KJU^QjZ0l0MpK#TfIsW#&t8Mv1#i-+ojURR?dQPeGQ{Zh)LfG-3=TktGKvmU+-G$H}Vq2Tdicb&{@vj(&G_P zUcYUZ`uzfRez61B{LkI(<*%rNmu|G_5O>QY!`x0>JP{@~M6MA3U#VTdS;nAXZ;gPjX$YAOW>1yXfi>D zUi6_#WGCg5VxB}h;bVP@q89$3n*%|C*S;uTaI_k|OlK^HQ-bv>@gxfx<*obI)&pn0 zUKt*!)iC9A`>agWsUwg#C|`cLnU9GNa$D8WL}&V3*EL8}qIH@gS!BHiyhhw}%cr+1 z_9E@6-(-kT;b&hlK0Kw*rh=wK6}Ivz;xR3ALDAce$u4)=2#U7JS|t{*7ENV_WX$z* z)v9kAn)pj`blz~Z4Xn8+;}@jOb62j2wPas4eQ_nG5loBe= zex^WMrHHpmd0mZ3H#{>qBLBs`@W9~BhjNL$JZdBk_Dl~d)ms$BKAh}!g-mpg2&l$Y z7QTVvC2}j#Hwv%W?!iQ^a)54Z)=Tm+Q=VV3Q0PMd^UdGDZDIlU?jWX?T#pfT5k&F34W8d z-$t2-t37wuK#pZcn<6z;Fy<=W!thD0&1CG90g6xOGOw+&ne}JMuJn=Xl-!ERAmw(V zX7ftoZ@X^TSlnCmfq|Pu{<&#)aOU_@tB?NFtGv$1V(5(jf?RA;KUHuJt~>=lSwZ7A zz3ctPu@lrgIV1grI^`3otV==W#0^@UergU^Jj=Jw;ePypbC9>+{H8jdj7Qp-Jn|&_ ziMr|!zQIj`3QyU?AKI^9G8-Plr0Kzk7AO*}?0MO;+S6%O>~eD$#q;rkWmp2&iO2)j zuuHEJ4Hjn8UKnA(`F61{w7O)Y+N11dx6hPP_Hi)0A$|T}?QKG`Lrm3kR9G;5iOM+^AOdWZ^N)K*(L2qPldkkyF%+u=~EgozFy_4tl-rm)wvu zKE3?99_>yn{hd6+9D|*Xl4u?&gZp{v5*jY5HhL#T9#`SL$#Bl(&An0Z=qqe_xVL`q zYHU*Jhj0oGV6=Y~o2k1HM$D*6$a(H%GYDgW%v+2td?A>YzBw6pSJY*!39`#s^M3rH z88jXPPFld8=5g*Lk0-UO&DF~M;2Xvaffds{rMi>9JuTfyd`^1RSlBK#zU0oHLC|M5 z;{5#7(;d(=4B?u14<;ie3ErND8{xRkk6(^mqJJX1?MZC6HL2egzSCG&s##`X5ge0Z z^kQ@@Ub$4cc<^4{7)HAHV{~!vp zI8Y_BIKQ@Fmdg0UeR{zd3P~~P7gLgv(LCk`R#ditcxpiW8E zv`_|kkpoqhS|49OLc1p^-!d#&J+-~oRA%{x`K7tC*4V3h3q!~GR}}5niCdqAl-q5* z)Oe-=)1q14wOFN>(c!>o8u#`gsnnvn>FhHabn8<$=dSyjnlYIHe4z3Cj{ei^_G?ir zD5G3o6yH2gkQ$41r|Bk9W95srVcC#ngfSnC+{b^Q2Y^tCerMHs+D=#WI(=Ms_{`!am0S1A{IP7O?sUa9=iD3R z!nvnuW0UNLDz4TRbl{VPmXH)ZS>!HJ!IdpkU%u>ezvMvZ?PISqdsp$Ax69{No5B`Y z;h*U|V|SD=C;$|<5mb9CT(`s7y1joy~58H6Eb&ci_64ngBrB z$6y56H!uuYHgw`CsaYIs;18o8~kY3TF7I-wVh1f=IG%ElW#^#xPQop;^ql-QezwI zIPESCmi!PwV0Pf{taDn7x+sZ1{VYLgY;J#VXMU`n`}0gsFsR9x0;XF$pWCB5DvO|w z(vII_H)+$hKMe(xv!Z5OEWE8{N0cjr`nn6=`@1}L6A(~Q%CyKj$WFcy7(m{3n+*QO zoTHMan)5I}7e|m6GN%@F3Cbf1>dwcjL4m(ys(_b5zVc-ZbWqjT4$8$@ZQk;{EYYLX z)z#(k-shX`O)h}Ym=9*TZmm$GqM<2*qP_}?SJz+lrSM;s2qR4ovIq5DZyVfBOGc0@ zM!iTE#Y9I(&;3;N%~6%X4x~Fs+9Vh7todLHO2F+vwKaw|D1UGFK|x!YetH_0f=`{Q zlPpwvlnCPjNL_P*+OMx4KP?-HKL^9O;Imc#T4 zX--C<C(XS}B9AycTIy?Ms6BgB37znGY3`#WG^^w!ca7M))~H z>7WjK5)_5czbZI`Fx^kn%29!`Y#z7IzhT)MJdKw3qnr4O;O9QM6oEKO^$nrmBw_y( z`U4r_-R*5nwqtd~Pw&xo?ryJ@A?jE-XS!orQ}{iIru)xMO--Q*3JN;uxJJDI#cg5d zud3GG^Yrp!b)rA*j;6ThhA3oyH4CZ$^5s9ugX;eK?UxlZ#GsEXUgfuY_iW~970E0V zg2GqI8}dm`WaV^(;m`m~m?Oq3P}qFtimoz?s5HTp%lrwD3FgzRFiXGHXxu~cakNsp zy}h*mQ{~MT)VFm`IM#2f#EZ3SS?njp*01^zdH0G~Dk|R+0M(^34>+X8?%4}nR?1ek z7YaX%G1CjegN(3&8lUN*3?HON!T@sR3X;uDc(TE2CAyb|;<>LF-8tp*Qno6peyUI^ zm0uPl#pM(2$x7%5pChug<;`#pFs2ldEKhuR_fCe7Ingz&X3S>v7h%^x=CQu+Sn`%gwK1W|lB7_Gi<5xqiKDTYR zbi<`yS2|c6<%|k2^2KQ->S&;^g?;-OVUdvEDqHtvNPwV$VuuPao|&J25T@A7480~3 zp<{GE@vyK0;j`GVU)m$axKQHrvG`7dGyEZ9Ksp#;!(%>ZtVneS+699t5-Bi)%pA(5 z0wQZaE9HLqaLeFPPzV4r`Luq1Qci~(5kmog*%2U0OAJ%8;tt=BcoiL?Flf6#7q5(% z=jhRYZ#r!X_-@r!L-<5|R$V9^OV(HNI6Xb)3o&n;G94xawzY%UEMK_CMmsHEV9*@O z3zZT3txmtBFS^H@6dUG*;}{+w1`lB;R(F9zGsxf(DDzko9<4l*Xj|u-1vT%sVva7? z^h%W#wnM?p-JQ0NlDfb#iYt~lm zc#@SM^Q5b83c^^r<%JD7jZ!+Eh{9rS$O!pJu=AN*$N|!%uB}GgOb1~_(Z-l4di5O3 zXB78DDItUa%@ZXJ!zZ=kU~^#9aJ)09+Ieeb{=;*d>#X!F#_iPVp0G%im2*BqqL1%D zcu`2PCeVEnN0;BBl@bfNd>Yqoio_e{M~mtdu^)O*DMCAp^G3@^F?g|sK*$o3hu4H- zd){PVDF(e6<*2n<&>D5kwAUOMB;TYW6D}ORQ&a zy+r*3EY9Mp57Bby^e+{FD$+^4Px_)*(ik^yzZVf8?S;_gwvhT35c)LXI=S{eINN6R zl8P472RhnHoqB??l99IpQ|RKSbdWC+hDcXfzQc?nYZid$p_!qkF@j^&_<|zk7G`X9rx>{#~D?Z;I29-44_*t0m=_VjuQrHt(5RJ;>l@>u=4?CACA9B_AXSj-p zD?YzQg?aW^V@`1RsGYdU7QxqOqM`4>JH0~PyvU43rM;?e?AaXi^47R|{Qzzeev5zL z6^daLqyBwag|CDV>cAmd0Tzv|je{nIY+u_hONh)6#r3affvV>oe;H* zY2F!rbIt*3+6Jd<1*dkT7^tMtAiH5?dh}1U78`m;O~v#~1M&RXiZzObKYYn?-h;^& zl*VSg8V3?lYQ${sD-}naI==Q+C3#a3M=2F z5{T7{xB81HMg+zU74D?ea~B}D+}3a&G>gQYdNV97`e~EDg0kOQJoMz)HTU#~!NtD` zkPlll(e|Ir`V#!y9^!bh^t_>Y0Y4Qs*T*wBiyzX&T`--d(Bfjr1$MvOka1Xy!L|ji zWow;Cx+m;~pNK-XZZTmQpE>#lAbFo<&dpdnXQ|Q=;J}*QA%1nkHM!zS^X9UVVO6{35#x2 z@b2Zd_pJy&O+A@5ubZD$8&9fbsA0CAp6Ij67jSV3O}wOMV*%AHbI-?i0bNX!+$OL( zf9AcuPP#&4(zXI^;q36uSXHjNhczVTl@n**Yf@+RS3Y$mBH@20VH;+zs=}zr8Xot$AY~tYHfQ!tPm-AaqBaCb6?VTa_C=X_DKlxARGS3_GvDRI-}=Ku~yxU zi`quX66$PmH9!r}WDE12j77!wBd@b3ees0bP$Zlp)1YFSMfZK~2~1q{Do>9pF5E`r zHN3)uThc38;?c3^dn&s~>FWy2+V#s`-8Bq*qaTLT5{t5m*l<;$=o4Cu;8y5 z$D_>i=i+$%FTQd~6qmtI_fy4LN_&I>-->-+Ez|L$bVW7^r9J@KQ}iNMZ^9~cg;T^o z0ey7oWQRyUXO>ow>-ljx?3)#D32)RahNu#uVp2MX)u+D-Va7k9vGzQ6Rlre-2&EsT zS#s3L(`PkZS&pxXWQzOpB#@ zpX*r1owB`IOJdHcpT;v6W_d9qN;IBkqTj;&ty8Yc5Ed+~HvK9`p;L{pgBJyAa}%an zv3y6%0Q~Gb%^a1O_Rs83IG;Cr)HxItY23;tvyus=L(9IX1DLMKo1+UH1?BCB_Mjq` zYI;TgIVM^WQ-y-MKl!b6_TIoKp?)leOTm}Chi1+(j#sUVa6@#kJueR9ES@wYJ=cnf zr6VNCaqWFEVO@inBK2!KQz)fS1(v-Qth(ZKd`)GXPls#b=Lb8vL_VN^n^4s(F#W3k zl#vV`B}Ky(7a_8eDbf1`7lvl!*hO%Q&^*&hnd(HhNMzN}T^#H&aXO{BQ&{`suMUUR zo4rebySai7w#;DlnHs}2_=Upw-W`Uh^Nj|(5daRV8FBPeJ5Tl(nKL?Y(wS(JG5O%i zZB*-@AAC}+jiX@dd3Nl{Tc)mk2M^d-9s1|ep}HB<0IjzRwDV7MUY3_NZ zJ5!Y5(n4%7h$>$#wA07|KK}BCBCwv;HvX)RFLw2zP?`K4!nEk!={JqHn!SSr~;gHD& zN=%qwAGY3sZ&wm0JEDN@?ZRi^8l;Uc(kR6~d+q3B+WlB--*cBXpSU3CQB04%tB<|E z;>!-ksMDN#+It^z`S=p{~_xwfZ__4u+d$dV8Pv;;K41p zyK8{p5@ZQ(OK^85NFW6F;FjR7!JS0{1P=~*hunMr_x^gRQ>kKW&P-3AnV#OKj=&8!cM}Idwuxuk75li`!xAk8qJ3e_9%})Uk!304Ek0QlNN;|x( zoTopRs8PF$(HL#28`~9^oKJc_4bCw@QaIl%F$vh`zYD?5{)#OkfcV}Bg%VdDJ` z{BmwD$-VN|_leVc*KL~ly<4sim)e%26_iE<-`s5{CKBaxyhIwVIT1m@viCGj?aj>( zGgb{%>qt*pvISn5TN+`{*<7k(MEwxnzB#JBegJHx)rg6iBMe1AB`zn?E{^*YwcO-n zG1|aot69iQ!sifi@W%_pak|x~q)f?=A%{uP*ShKuOl<=|=BPm|6`d9OHE?PaZ@!1= zkk;OAFtq;-m_!yVlX*Up-Fo#$!`th0q(P(Jqr^b%4c1v#EpTep?X)0?idyQ^$6)~2 zI2%mg8ufe__VD3e*6Nd?*eq6VXH|Fbp&O8w=Bkl1Iug1|{usK^T5SsNyuLM*JOJPd z+k46?4`&Lz-y>4w?Y+*WCTUFT5aN@``anGCKqd9~arnX}ut2`5VF7?SIjy$_QTq#r zfvWQYMZ)LSbhsQxc~Yvir6g2s^OP(Og)V>joW4E;U{J>oKJXWMkO|q@XdtZRbu_Fe zCi!+MnY#3soXhq4%7jieNnZksP4Lsbd%qr9*N>CyK)Gm4wvCxsQaq?iIlsj?3=g?C z^?z6ZL9ah2UGks!c>9$pgSG86&Ce?Op7Dk3xm^*OJ4&CIp-vg1c9@M7i|D-(K|knU z6y}+l_QsKuhF_ES4+a&!d}XbyU2cRCZOzeN{7AYEPVE1gonPf?GHchXzm%_8t4?oa zzWK;X9p2UD{hOgIwIr^-X&hQ3qogWL_0^o7Lpg&S>OHet2;{y?jFShdr8|Jo&qPYE zQ%akH!rVV|JdcZdA?f1(1|+)tJ${dVuu9SO*MstGdte}6BRR2296RNKhBmEgy>d;z z$=NV=?Nj#l?3eHe!V`Gb9A50MwbmdBTE=&mlWPl)W7h5d7f6WFX&(bO$a;NFM1j!! zTrt{k{d1ja@OPPd*glr~;~wwuj!aW$Pa=zo5c>Wa$sz=%?a;73={lTLA28sGH}VM+ zxw9*bPJ!4HGlpyy-gUcQiep_vcYgc9An1Qk#Q>@PXLKT$Thbdoz`tY7lTl3R6Yqk) zBp_b9J`GwWnk^^4%5BGSq+YG@LDl8Ri%-qQgw9a|cnbFpVP2_S*2SsXaOWcG@atQT zzw9@+9zEkdE4{>jXcBNGFw#d2qHY20y`OJn(rsnpwwj6$KxxIM{tBra9{%n2cz`j> zVuCinLEZzP%QP6&46HWg)2YeB{t#CYOisE=)%ZO@MqlKFrY`H1t^ajyA| z*l(VY_t%P%Ul6=PIZ2CEXE*hZ$q|6-8^-I=i`F%t?bcZEx1SeIsP|YjbX=|>N1I37 zaS-v};<@{891B7k49q(&g-j8sUchgraU_(6K@K3hc4YW$YbC>Q8og!FLMyWun+^1wUKlAPZA%?6(`L11W zRWWp`(;-m1@~1l006Bp%-91sNI|&8sIi=(u9-}k&=}srw{Ia(N*uDhE9GCH}>1edb z`p^D(AtY6+{1ngie$x<9s-SY9>=puKY0f-@mqa$r7s5`Dy?#Q>0%{=>!1C zAnXRUSqo>O(_EO(?;F@nZwzr&*txPA$= zL?cyJz#|elTQW#%4gI#l(CEqMj!5CrZ;Yk ze5%`2Ew8}u=Q$DQ=dQBq0oZ945zCfzy1_Hq}p5lFDU`c=Etcd zt<&U`jC#lVySgs7dj^*D!B7CPhvH%Kvs54DF+6sll2i}>a`Ncy-pEJW+0UXB4<1+m znnSu)o1Bvh4&1%R+D%WosPWZa35@w3L9dZ`Fo7`y{O9YivXm$Ke zJ0>>#)3sJd5CGq1etnkb`uCW8wp^RYrs}D5t{59KSD_CDva#mCt-+v3Ld9k?ecBAi(xgHz-5z6>z)ce12T3*yykoXZJx;Z(Sc#k z6D!gW2&nk5hV!zDr}1+DbUEBQTRR}m<46MghH~g;=cq6roX6bB`4R%a?!q#o=cu;_ z76I2EPEaEuvDfzwW{3VuP`f1*h5jD`(XJqqf>Wv`TR->VR=TBPw>tAH)!wM54VRPb z%N7sEX>1#{$9z!K&Y#11`7{w`q&Sk23a+-!`xEhHzsz%s`^5LU+tzm;N8v|#)>8Ez zW9mYlnJ>XpX=!AwSqJ=;@jkKM=Yk)pZGKnr0?EZek>MW#*&&f137X#SFMSUE1?<&d zR+aw9KRSkQEAaNU@W~pCWJ}8#{I$!jC$oc*X2AE$1+)fi(Bp533XnPTGjLHf#emPbQqU()kdR%Evo^ z2Ihg>BK*3CBb}p+!@8e|$L^;_=C3}J9rkket;d*Qp`S+e=pu3WuL#7(uTYWhRK%Yo z`&@s0MSDSog2xK*Bs>gArMybPkQ-m^uNbnJbt~9|Vw+dV(ZX(cN`qd1jic>E+LM?_ z#nbOf-eV49ov(f?+c7MoZKSlP(xdj~33@j35xP8WBBM{TxlF$9=PS1G2Y+sFdLfDa zvR17A8Vq%wRm3ZX|tuu^)2bY+Cj6C z128cH_m8N5P78j1)d{C)_I@mT(OCM75!nLC@uvIEzNULji~i|f!%;JZDr#1@ z8y;?kkeL4qn0H(W0Q0Ckau!N-zmg35y+tbg8mlYZ0@%cm$U?Z>*2L7(A`sKS_3DI#dhplIj8Px@l#Ugvqwigk-Qbno>}VVyrGAl< zJ}(Pa{Gd1{eVIuC^iHx$cUh?e^>u`sWjE{2$Ik|Nx>>s9K4lyR{aYdrkDV{jcL+r- zhyh5P{$p+}O2dP8sRm^S@@+Kz0LFY?rAZv1VnUeTH%m;+`N>Fh|zyJ6ob9MUGj z-*!GR85Gl89W8wPg)7T+jc1}#o;EIXB;cz4wZPrs{=n*@#(kS*r8NNGSJfEP*OoGY2a6jJjd* zuglD~@k%vI@?l)T11xVGSNq*-fg~mCavh%C%xm(gHml(bW_=OgNFh?Wc;t6%4ha|A zEtFFYvaj(6l0{@7*&cdlEBVvjird-S>me=-YjkwKs;+UBo5jdT=gL!vRufv5~4I59eR|uBT-h1i{ z5V!+}zJ$=pMd^Pe6y}jikJ#R!XHJ&Rn`u{#$M9-!05*PJ{rG>04%N;MQ3?uG3dsf@ z=LwEI+h6(NtJ-s=zN*clZ{#RkiSm6_>wT{QNL0rjNBi2p9k{Cp2&OY8?0WMR)gg~x ztZ{7^P!vwEN}z{fKN;Y}V&ICQ9_*0<+#TKK3N6o!FP`_nRzmK@u0{vJAlIJ{SjS|| z6V>IOlLZ!nTxcJ#&7DzlswuX&22LpAz8*&BmrsCOfg2kUKtubxJPP5N5fDYvsHht zG&rQu?KPaB2Z6Se&GRAHqw3OEs~Qv(fXEFLQisw1e;HRlTx=A9{I$v?rTT+=oT2tz;TvT9;I943*~-ip_pzZKH2t zcpE*m5WTFwWp<(?gRP#4c6=8?qO}&-FLWI@X%v^cNU!e5hQhgED=T1ia5v(;TIPxd zo{KP|5IE!5qazJ78ZNg0WXc00rWiMl7XOQ?O$m)h610Ad=tbfkYa{1x*5c1yT)ZHyP!T=ne;LVsDT*Y7R4-;7@5HW2T}PsBZrZE_$y&XZQ0=G zI8x=aK(c^9WE31V{2$>*X>ImH)LA*8C$uF6Kvs*U{P~4pZ(x(((gJS0iO-f^2WSpB zfR7>|2YNsC5(0^hKf0+iw0 z|9vQf>~l9SNcr*#r~A#4k0H7lJd~1b8h+l+k{LPxYHe0cFJfePrq2jNy|NtK9O_@; z7F$I6G^*cc!0SF1?wXPo9-NUg?xU{IH;YhPGA`DMe zWAnQA=TzA&Ww+YWPvgUo>e;2Ny`f!G(9KH_8)rP|;YI$3=1PNVP9kxI-l}3QgC6FHn1I@?J@%>SI&z+i!A>1dXi-~OIVHhO_{DXil1xy;Q zZs}*i?7eMyYyg-s_)0t-f5JElKA!@L4~ zYl-xoD(NMcZz>FgY3n@hCoj*{1cwhgs=IjU1}{)0p+F3J=m{4yw~#iWKU})k^bd=1MrergY)~s1BqyRJ10Xu z4CtGH`7L-4tEl4-L(C* z^=ncSpapnli|9f3B7vQ<#XFU;@!4+M=?sGxw(Wwipl1Z|E(=53Fq?y(av$X)?7F%~_nUN|t95rL-0X&5Vg5nKna$z{IU)BxEFmjT>LEaPjD zhw02vqvp)x{5ES0S8G$6>Bco@3MQf{atmxbxq~P;?B_&3QlAJaq(t^~?GsT$G)t$d-&D~Dk1!vN?%ZbsnqSN)fr*8> zU4?aAk@SpR7}tUxzv>@$$rcPwHmRIkQX;xniUx0ahT~~;{{)Vp*P6?U09d-q!Bv77 zG=OI_!z8GEsftdIg0U$Y*TYuA(h%|32NL>Y40VNMyxtv_fvT5*{Y%RBxv?5P;8iaW z$u{`NUn~Lxr%fewVJU6d-D$?+m#ys!PCeY z_YuCs#9CDEWz_-H1u4P>!r-m4@F$*F3?DC_ROg0_FBZA%Au;O(FHWJNKQJeH%ny)q zm6i1pX%&6gzUts&GFr?pB=rqF<_!vwZtuIblNsc?W1a%uE*%}14 z`*THYjD9z~L3kCQ=3?;?cnzRR06Ja_yyjKM<#uIUBY{;)^P;&NPFZ!xaoL(F6U=!= zZ}E$$UW$-q)miz^%hVsn??pZ&yzGPJT{M8U?==95hF32Ho~d?7L->VZoC_I2At7Wy z^O^W&WSCfPJVs*l#nxtGWh|g$umA#(&37}bf!I1#W`MkS;Be2l-;kKsf#6aZsPL&o(ls{BJqUwhkl9YQNn{>qR0j8V-Ds zGDkIlKf#gcjf2RFFJI>0pJ|>mM=Cjy2g=xs!U6;G8$26KbL%nmXVc6Db>iEn0!*`~ zHnc6tso7%S%fvI>!|HjBO_&@_xQHe&^BM-~j$+z~d%=mhhXTswpnZnLh& zVwe*{Q)pTlF3UVk$^+nTa#>bpu*j4cp@?tToN7nROk@5!d9cgI2~7P*%bp;1kh4`r`9ryO8%zqufC+4ifPY(vEeOi@qR#ijRnY8tYYk=KklnnwGA!S!n=Esj|uPBlw zMo8HL$&4&O)x7f7;;pq^Iclp(QYiE&ubE5n{*jJ^dA}xwrOZPnPe)Xv{P6}0MFo!B z_*veGI3Znnk!}n(1!~5*Jni94NkL=4@GJY){%h_pG7uFBeUqCfe zFJPQ`_*m!L`gX*>K1+P$9ju+3& z_ge)1!Tqwx*!p*$p%AG-{P%QR#m3_z=3Z2S+(;cZWPyD(9w9CyOD4{aL11sLztlly z&@#}rlD6n&$XECcOidHdR;Cu!IQ!F|5~RZSidDnJ0JFxc8wQ)O@jh+-;GB}hC68LiDG3!J(isLNBnDkaR_U)8A}eHl-i-v{{PZ-;kI3kC@eK`= zLhhRNot!4CPZj<38F zzsCJz6DUZ~_}$Nxbrhzmq^}_rh$>hK_WS&pm?1L|Sp0kOGvIyOXQ4uF5PQVskf;^; z%t;y6!vL2E)}t9^fuFAvbWCaD+bTwcq6%zpFolpAI-^{Cn3#l!D}g8>AB2BJvf2?- zM@%AGVGS01xeP)Q`~b!-n+ER}NX*fo4Q|@?%66MkW>{OL%*m}L_1sTKNy>ljQ}oos z7C}J^$w>pThjL@2C0Hz~jezW1`%#WVh*mqk0t|ld4MmB(M75%W@AO8p`<`$hm#qjy zSJ52s{gQ_-O)&+qa`?xi>0$d8yY8}swS20N*A2tioGpAPBD0~o!mSr5d9nb5QB<(kt-M$t`wE6vH0t*gke6nB;a02WZN!z2tOd+T#y>4J}7CDWiLMB zMJ}1+x|iXKCdj6OV2323^uNy5i({(P@kC#Y$V5HjZ;(=UEyQA}-8a#A^00IhksT)` z{s*ec`#cKt39W<3;4tA)?AX)Z1tRVT-`K@8T5^vVvq%DB?c1W1&=v}liW4aMDS*T|4L@>s+3Q`a!UAxL2+&ky-ivzCHhh0 z^$l_UsPDNvTI(dSz}SWD0zU=a;E6HtG84$6pbA}Rw~9M=qz7tk;qr|YI8>qeyim`D zv`Jw$#ay^F#J?vh*N)7BTM7M6yGt)iXD<}y&g)4+KTY8>HLp1NDcZKp^~U83Zwi+7 zM+{F}*KEF~s*A}s$)#h4jyEfnJLSIxwrt{UCXaYOq+z)|t>qA7)YI}QcSBBK zJ19JajKa8#5RTr{#=la6d`98r%P$dd1^?WiB^S@ZO{pN{zr+_83!ILnIH-utDya!Q zuf>a`^Wb8*+87d@c9Ua$$WNpu`wKF{+*dumHK)pixlGEhkiVImda+|s1DL9i zSE4p)0sRS96pY&yGV?d6EGxq*pHRFJ$lxfOA}@@o2@JcQ*4Mnn<#hbaAC@t|T=_II zQ4u`&H%e$aMYbSBJ26`KBx_lvv;4Mm>` zj;2HLBw_V$OV4sMD(bNlAME#TwwnN5oAX-s?ds5Y)Ad@WxA=(>gjS*P$4f3IRs(q| zdN@2mrx=VtLczM8+8ixe1w7|_c)C?LyPRyWn!IXmvz^Zuj0f@SE_Q_9e2kK%ehI3MZxb3b-?sjx>9%yHx-}IT-YuHOJWEhOQH)zk=!gp`Pp+>Q zg{bCKSmH_0<&ynEMnf%I%hNPi zZl%|^z--Q@2Q^SVaRtZWxsr3YVd&mp=pcSmfs2!BcT{cEBb#OCw{$-=+70UNYeT^F z6Y}Ryy%x#F*iUtP=^;n@@=zK^e2eZpnYbf3mNRETwD3@bhg2vmf3WE2;Cpkrzbn3A zRk)TSspVg0K?H5-u=9uJk6{OQ%YcsqhT^!Rpru9}jS6lNGB^~)Sq`(5n*%OFFrnftD|7&u>LCuTJs-PDz zj0&q;t_y+xBm;>pnwWlrtw@7OztSfO$BdoN_^iQd8oAD$h{42Ebk^%MD4mL8Zb%4* zzMqu1E{noGuV~aE9fu%4j%p%#FFjqu+iP*lDZR(RGmN@Ag>z*~ox%s!Jq3l&m0pH) zrMe8(f~w-0~hGO~Soj`wDr~$*puEO4!Z`A)dw)Um;e>NsI&D)@dP) zNx}mP=axwXrkAGU)hw81Uju%$Txu+_znbaIrezEnc_a8yYJ5A%ZIDh)4)f=Sxnx>? zfMHspfgnD~tH28;>GL3SGx3@kvQm@U6-Ab5`K1VU>|S`--m3(69&41=ef|N$0VXNR zswhbc=Ae(%=bK7FFwfNf#HcfZT#}Q=D}#lt;3fZqk^a&xvv-*$xh@CBCWDi{lht$g zg4rOKZK$8y;BRsDkEB8gSVei!g#OoPdek>ci5IQX2?FWGBfTfB+1`pYa?&9eqpSu~ zsh4DodY7F?T{$ZB{>iEK=k;{rZ;Ar3Us^-ViW}ra6lsWLdLs!3zO7lXD^2WFup1bp zPPdpM5lcGC3gPAh``@4^7D(LwI_8PTa4qTT9zC5n-1D=Mj=%(2;mm#$MRwcBxc;M; zd|VRlNnSh+X{1bi5idRzK^}_GPA#6ejl>&>Cy2w6i0}i|=`udOh#Wjrn=pwG?TIir zA?#Ek14rkQ4U&l?rTxAx9aoW+z_vxNkxc)HGB|Cnz?5oL%le-duXCRZjXtWt2E~Z$ z^yCQn@A{R1Hl80UbyRg&v$;Vau3(+C&Q(qV{DZ!HcOJ^17)RX{#f8hmkiFw8RHF3f z8XC_S6KRFRhlvI2x{%ONZ)m}Sf1^h}K2AX#U!xMmKNsP9E@D(S(r;2X!WGShGU(J) z=T`0r@Fe}~y2}X)(AxJUQ|Y)PN7e!s1%XaNMxM5yxb%G+lJ{_@Y<3ACRNz_BdNy7g zSA>bQ<}3yVR<4C=fJKOr++YK7aAFNG?V1V8Q{_L`Wv&{CE!YLWU*!DhShmRv6_qGV z-0o3?sfQ;5gBpy3g7REZ#uTM=TuwNxjm{9}|C9o#W(9q+l4}EtM$UsTjeZ+aLLPmF zB9JaKf@Ak=DRHQRe5IhdWc&izcVkmIjE}9Zw;dg@gD-~*r`snb)BAygSt^((9ZfsQ zVSGJN-9y=hx+t+VlczeWEF+D*Lka`em*0{ZRjmX5t`6#DdzJ;3XpGILf3-1!E&j;Y z36)<=6zov+edKW#oDvr6Ao;$R1VX*Z?OyKDBeL#%@SYOT_9^&uBK&KIyzAFh4)vZA zJtRvf=CaNx$mn;tiUw!hpx~y!RVnJOSdatw#HaDYNJHu`R!GsN4#@Ge3i)|>m}$e& zKxm9~`0X#ID@`<#^@3>_S5JMf&7#Oon!k9mAs_iua_uB$4Bsb$Pz8XYq7FkCH4UDUiG#srG2a`EkZy404Qyj;LqS^vq3QsVMB0raheNslXFDq5O5t1pKu+r{|>(NGTaD2}{wY=%FLLDJu zerq~^rwJ>vP#wPj;owyNEuZkq1LXe;j0knu&3cJSL7yz4V5x!#ftso!jm_8=FKTYi zlL=COe>886&zb!t(KI>XxJmbsLcQzR1HEM@$7_-XKh$`9fAqZT2RP>szVLzNkU3_J5HX0FQ9BU_ z3|~4mC`~vGquCQ56C}&btVsf;k|2sOYfdLO#~C?BdI#uQfe#|t?L7*EOknsma%XrZ zu1$e{R(=o{nkoM zR^2Rv5?>#opeBe917D5_0=IiYJ1H|BS;&~kETHwVgWCpEwkc?J<6ww*_C4oP`zi@y zG+uAZ>pkp0c6ee>2ZbS%I+ytxUbVN;0={?Xn1B5dVhwqF2PLKyQ6ihZ>ON-OR1ECx zPxEVrcG2Ob2`X9tQ9eTvO}U_+tl~J_-Iq&~fMI7z6kpl*hCY^YqR3a{CAjPxt zRYcfLN_iAhIa19y&Kg22v09{H`abr9nT(8aWCC!9FG(o|&%`A^k#bRsrJL4vJszLc0_enE1$L(*9RO%i}q3)w0 zU}Qsjlt8YmSP>Y zPoH{9)<08p-toMcm@5r?{dGKFHCbrb&FxUvPm*GM6tzBqc3w)1Q1DlV7a6BT9ywrA zakXeyuK(NlS}4{)j_fE zzsVGEe@MaM+oDb~&QT&{r>@W-iW1Y2X2VFYNpBB)ICb?S6eU&*f5LLlp8HeE7)~>g zJvA-_*tO%Ar?Rm2=@KMWGU2G5Hzx`_rsJOk@mJRzV_jzmH#14hk440$cmt2`;GNqI zDa)HEnhTHj6MIhQ*H(!HR(8+)J4#==WP_sy1wC$v!s71Wc34uC%+5WQJx>R&-f%M6 z=TFFte=DDVrYo@=$sHpl^)e2p`HGqpl{3SrYH?LW>H2i!{b#_iQk7S`OhcnK_0heP z@*ZC7rX9KNO$K>6VfFXA#gUXfIY=Ppv2e*6)-Ya(9AzLL{YY9j*0xQ)_q{bs(GKH1 zY!-Zq3FQZqoq4I(!l5QWO>s|kVPwL7D73Qv;peHj3j2Sv-<$S3FE?#ml+*$r3OL#* z(VoTeSA|1f=@iTiiNbpoGn)B&yO5fa*@JMxRC=byn(4+%LR#8Gn`ZC&eOIArd;oAH z77n;l=VLt5wd@!B)Y(5uyX@cfg1deIMD()`TLprr^WgTMyYG44|HOOEFrogr`0r^z z$(1p0vk#<9!~lQQ$FncVTghd=+nmS$8*>9Y_CaTP+EWMza-6zCRXhO;aFqIv`kJ;y zw9%O=nk?S@MkCa>rj>&`I!pDZuirzZyv z*7qc|?K-}_Dir0?vF&dkTUuTIz_h)%3D*FmZS?L~cLDtU)Wc7Y{n;HU_w`hzJ&XPB zxAvW^`X!u5@evZoa_8R4uc%~H!^eM5odiGWH(Hh6d5BpID<9qY6F#lflBQJ=&_jM4 zHi#ca%-ODd#->Z*h3w0Zng|mz#^*`b*H~w?y0Dz@OoTTrcLblO4i{K|%CgmHqQApD zjF#QRz~<+|tS_GE_jF^R#}WLgC=yLj9bPyRZsM}FpwO=V3(@h$O_bfFJp}0|>AS5X zRHi3w*O+LE@XGAQt#U3?Z%3ZO=$u(P3Sab|c$O9T#BDjA1#Mu>HpKyk$A_Z_u{*z0 zf`FwuN{LMF&3k5x+KcPo3mw~fAC8xdB6HFYwWXIM#mt5Btbu%vn+RJT_Z zEQde3ZY^Mon3f9g{q-hEXMZc+aqzbXwpf1JtM!GG!AGFc(J#) zx1GxkQDugBw}!kcB^(~wJqvvvC&&XoyJa`kd>Ba*mX3oxrg*i6v{oG?Pf$52kTp6k ze7vpS?Gf@$@p&BHdG)e-q7mNc=c6dFpyy6rk2n*Znda_UOGa>C2nU z7hgj@!${6x4UVU*jmM(pZ`V7v`F9o#T6U`cBbHxlMQhboatoK+(8NN!ImYgIR@A~! z6Jf;L7C+PiwcQ^l$n53!zM62r+!po2d&6cFoBJr%?SNrq@%`@B_8QWLkoY=q4o;a^ z7_rG|O|z=OB=G1*wOl}7MxsTn=R5^^6iG^i#dNR5{JKex&el*ScOW;#tA~uTlL!CB zk2^OW`%QyqE^#6Ez};-v0G?N(N~A@kmNo1C z1i0x^aHZISa+s9eWmagDn#8&-GzS5 zohNKOd7joD{0h>Wd@i{|Sl~Y80w7P@m&=tt4l--DGacxZhM%PO7s#K{2)G_09B7vm zO2>Htw7rHA8p(zDgJ^pkOw}WOXoR?xRp;6;$My491QRAP)dMo#miaLD;z0%8A0JvI zNJ7isB6Cuk2=#^oekR~0+XJ;|{$P0%q-x@`H9LgsRXq@s!Vix z_nAfbnQ`c6MOXx*&058;h)*JVu7J6$IBzv>ccGp-U{RA9Z)78_wLQin5_FO+yG5!P zWHxOPY4tpaV)=WJN0xH;D~F#h&+jkzlfVi9B`c&4a}X*(HgW@X&Cw zWa2g|+qQAGEX{xbx#e>}GaU=`O4WA9et+o~uj5)XQX%6+4=(*vIu!)6GZf9I(o^HJ z3`PLjuLn0uQfr}%3ycFdW+6;RLHTJIE0^9C-D|>#hDe+m|0@;gv>c6`lM~p?-L3hQ z8wiik#euC6Z(1$b&F03}L4`%zkzH0f{hqyAr$r$V+^ZAJ+}sTB-H^-!<#I=?8xLfM zuyT=FxN3SZ&S?lp22&=Eal3DF-dZ}5)<%UbtCk3BZ#by_Z;s6NTr4*Koi85C715L6 zE!H{yXne)>dN{Ar+*W2y*#YOc&7qjD+^2 z71ssU9V8hyV{{GPZQmvafXH+r@jMK0jex75$f9zfw-%hOg9_2T+kLOoHv)H*r~?Zg zGKAeJo;hO?*Ez(qo0d!91qq*O+R1_Dq^lt5ZChx96$ zH8^jby4$H>Idi^jSF;ldo|8#s@?+*b-P_h8Ntg)YhTHDu%@R#JB`N~uf0`y9Bi4Wo z4sC3bXO(O9F$M^ujxF)&gxfZHm-AlzUilg_981dob2F=}VmYeJT&I@GN#e86PFYId zw^#GeQG?%`UEf)>>hNE+Gr*Aw-=nAZ{D2EpBqC*_mM67i*fha)VWnWDs;UQ~^;@J^ ziv~h`mw#aq!l*6Ze>!cl>}fs`Cwjp76E2=m{3@KHyX>}HJzqT_N6??(kI`(;-41C2 zy^{6O`b87Y8-+u%H-2RFBdOAzA8$Fu?BSMVJL8z=O1;|ksonhsZruoH70$m5uXpy( z)2Gr5%#Uq80#gw#;`s}!cBAjb05K(r^Y(CFB4eNv9uO_9FYw}TvUL5TB~^r@OAz}P zxlG%@zI@kWhCmH)ZA$UgsTZZDp)N}+(^83AD9{}6IRhwHDV2|5(?o&F?7zJ+`)_Z= zIdj8l7xGc_YGjD2i1?XKHL*$A3mSs`+v$K@PVUpx*Ius<^FAZh{F-50YO6; zuc)xQJ(`coj} z58U*RtYZ3wG3$EfHoGj3uAWUIXYS0D)vfLA?0DeLhVM?Bo0}5ArEBUQZUSU_$_!dY z*<+2>0FTS7dRFa3mW9*#u@?6HzYOG!$EC9*Wd-PxT<7lscAh} zoX!6@<>GD>BnIZh?Or|jf+KUM<0%JIMmR-=*0Iybg@lNcekNtE#vEQu)&(7aY_X`c z2`N-QY}V@{uc&l+H7i}0AKs_U!c)Op(t*D57;3fw}}B8BhhN zMx6in0<_kq)Nxsu7p6AH!}i??sD2SpB}QaK#J(eU=J}E%AMr++ZPwhdCHK!-!^+>n z9!Es>+?ir=k&$-qYV{p4!!0VutVx|~^;1?WbR9mf3V9sqi!w2lH2t)%B*eznn6~7O zZCG@y@<{ewpQ31q?|YZXmDIQCg6Aqg_UhfccLe&ZX>*w2+qe1o`PaZl8fJuVGjqLF1AG>?ATv<(CC5TnYebIK9U0?0i`J(*2-dDR zHs3O6@OvOX$PrGRxSKxRchG?x?1)U2*XDL<6GckE%Cqu^4rs9%kl*tyTL9zi z)scs9FK~I(wIM43c3w~Avx;eGXi`=I)ujLfR?DM)(Gj>BjK1Y+@DM1!WkACEmUQo1 zRxxwiCsE%T1B#YLl;1`Ln3$Da!e`nCLM&l8>~73w7qQ)=@2E>; z_)ba@Z58!22-(dH!~fV{rJ6PllnE>y9rc3+Q0{m|Y>j%Oc&8GM6!wowYt?0@w5Ez$ zWj5OVPTxkz6KVNzoFmHz7g6(HKreh2BwW+1Td5!TTv>*%>kJD4nQ zrGUjr7Qt91uE=QcVHZ!3M$9rGxn0BNwp#Gi%Kz9siY!ty0$2Rp&o~+d|LimZC5huf z)0iAQ?y%!#ysL?7y7(tTZraB#WOr?4&M1*~EsedERN2`04akcjltIZ+bH%EPMxGs? zKa)tYT@*;-Mb#&r7j#i6XwfJeCmSn)GK$g2_UKsb1X#MDUFuDi|w-NvddADoB)edh8bR1K4uLp2NZ9G9R54x zuyJs3vXmhZnu#RX_QLP03P2UKyehuTbaa+2vvvTd*YU>2h7MnLr6r(yrHrv%JL~!u z4b3SSlJ4$iGdMCGm~=(NU;xO7g)O0}ADC5SD1wonj_j5nfs^U`r3&wMH1&3#*%HP( zw2aL~4>w5Mk0S@AV;)j{h3A|?P#rSqLHJD&Mxo5G}f&i zqz+H2WGi^3QRci~D}|~MnV*=POA9uhHE~G7W`7IDW*zsTk)^{mNlNRxpp`8}+t3h& z(S;eD)V&)X8fqCBaeGhzU(nzA$Z%g{9DK3-Mh6}9yY+_n=}|!TJWlnT5x9)7*x*Ljr%Yp zmlgqQGcbJ*fclu)`g(h3e=pQ-7k>Z#J-x87P^LNRMu84OM>*ig7tLrBUTmjDjycet zk&zJzm^F@UWd_tp-k*SlT;{c5G%-6bcuxCl2nH3=$mwz^upij_%gm^+_GlVo(GKnH zt?r6vzM)Sv5L2=`i}w>#Tq}bu$rnkBtZrc>!7L3b4_K?>psII@EN3Z%AgY$iP*99~ zaqgZdpFW1CbX+%%1g+8<=HXhpd#gZVjAJBn*x{DUJKz8;86u|yAq)5Sq5C?(l$a}^ zY*Ld~h!YTI*5|I6CWXtS$WND{;6>sOpSSV0LJhO%@_1}?1J>j18i{J09x?#LT(|UYNogAkO1@+> zqNCK=Z40;~;HXoH813Nx`gUGRK1XTh3pvhE0v^uUQbc+{!*NW4L+^}HyAlY5CafSW zp`FabAL_H_xM=IxEa0;O4--TH2`&+I;Q}{Rc7*%9 zZh1)n87q$b+86(GT%l(`(uQbV){*-E{6Yx4*ADGx38SU*7N~nCjANY6iH(G^@y8lVZT>^R0WU-Z7?GqFr5%`}ZDBxZ{zaGXTEUfZB z_ZrB+FrL02r2st6XEDWr;4d+mdhA&569v|W)N%N>9-oB;5MRr8zXT*fH%H>zVn@gb z@7a|2SHlKA5Uo|$)Z+XftxY}aaaGch^8fsz_pHYs{fc(VR3zeoyPHK^R%^M>y@SgE zq=AwysI^^}vO~5W8y+3`{=EeS1G*sUMsWnTvi~C&^aQB(CYSjH$bbQp7I@4+fWDD9 z;j;5l03VqQH1TB%`X7y)q5?AInZZ>2#Ko_AunXLVkgvDc{;NVz7@=S?zg*=@;ZPvV z;qE!A>2We_q^~Nz;QfkmOJc@@RLLSOHqgcOU-im!zyWVCk`0LQerH`jH+YEXo@SfT z)r8$7e*d?Xii08!2m-d%ru{Gk_Fb1#zO`h&Ssey}Xn~yqY}S6he`?(TMhvP*Hpyo> zrzotIxg`w^_jxB!(ii{im}DZvh2PNBcqF zqzejyoyK4V;>JIk;nC0ZwngN;1@&`b4ZQh1tP4!L1n3)}#WO~STMeTV zoT?;CSS<+i|LN+=!=YT;IOQahEz+?}W1BHbj&4! zt#dGE$yFl1tBfYceplt`W_ zFqgTzhF!Ws9gEjcbIPD#cGhVWU561Tp| zpGzPlDl6iI5o9`-B)ylbe0BN>lhA_p+6W!;uz2v?$=@gIOL;t5XVYcWZVD1!c`&2$ z?PP}~u+K8xCHu%xK|u?R2&9}T6bRHJrBDBv5%?JhwZ9*dFakUNr!KYOrz2TC%vF~V z<~=#f_w>|x!Omd~lV$5BoHAhSgcLjJJC%~e*!}|QZ@nA;IEz_3jM7SSn_FtJFoxqS*tQ=&+!3=n;`G6E$UY_l#gqz(cey8S&7#+=7DrUSWH#Tx|=4(0i{cgZ71 zcCl-bXf$MTY32?8rSQX@WplBUG|zw4gPAXoJ@dgRFi;mk+A>6GB083327bE{Eoy4< z&urc8w!_w$S3Gl)YG5Op9=POqIZH9a-6c}nNa2^~Rgk2UN2)TPR(($Z(Uc3Am9ryX z&a=JPo_o`x!x;J|QJv7oW0GCzA-V1M50EzGAiKAnrW{)g`pKJPkAHtW8PPk0W|NoqmN zH6`r_tkhv&=W)ZvCX1GUurb`BIYG;=XNmT@_xWNFT2YZ-PvNFp**0i1G`fval8M!) zwYmIq)-fNN0JV-UIwyqwr09S6AVH|`xgMp;dpz2$IOaI8_s4GKrqXfif=ebS60!p+ zm&vU3r0y5&z@}>R!g|U#6B$$`-aLF|vap^A_e%RPzUM3R(dYbI@{jgQk9o?Eyw_H1 z?tTnb_xq()d?#;uRTkV?zOGKnmCd>6fmOe9d}3{Gg#2Q?lu@L|TE>hmj+pSt@S($9 zj~OmDyS&efOoBSVGrQh!+l*l2l_)Q-_uCEX_y9(Q5lC>6@vsSd!WN-8IN8xk?Rn)F z0^UTm#T%?{bc%$x)8Tfn)LDr&l~toP5+Qhc6))>2jv3rLDt;5(l3V^P7HdAsyMbuT zp%h)MzV460#wj3lf`heu1<$4wIfW-?I8_0*;W@*;o*#_6(rN_dcAgQ}#~Qs9CVKD@ zvD?)h^S;O7LkPx`Bg**twZFanf_nn^I%j`a=s#H8Boz9qdB2%jV!ZLUQeKci`8kQE zzaRnWyw8oA=EbZghI$^mW6Q8BK9DbZVZuK_)vcbqIqn<5@a}A-?j%1n8@$~zaLTX9 zF0=pXY1@}A+8L6vUI$1Ki#^1x0uaW^vJ}4d(y-_i!cOrLnl08TYnNWO0-?qQ;@LC% z8AgV3BBh?AF}bXuZ98y5|1ptyQPrpZtgf|;P%>YD0`-c;DV<+f?)xNw;8YVDMBT-8 zBvO%+;o~aCubWGj`_ezn4|T=afIB5D6;vwH-=2=Mu#EYL!4$$g4F*GJH5M+8rY!E+ z2q@2h88B%jcAkbvL5M+ZG(2I;G;jyiW_vn%Ud6_a(hRATO`sL-PhMl-j`a$-uzgzy z`k6jV)2rm#&7`b>tg@ipBiif5qZ?pZWD;Ab+@_29y>a9f`#MxiDuOA|vYaGSf|tT! zhg-3E8qtH!%N?k;BDPs@*KAo`V3#Nk=*5Y;ouOT$Fiun8{x{-7+f`Q}uRjwDvfJpg zUgoxZ7n8E7j`c~X_;~xNT#F-+bD+}wqr`^9>dU%%KJ)zSQUfR`u4ZQ-yWj4pO7t2M-asCS|wFpBn*<;FZP>#F)9OG!4IH^^a-gwYNeck+A~F$gKpM(uXX&{x=?aVTZ2JX diff --git a/versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP5/shared_advanced.drawio b/versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP5/shared_advanced.drawio deleted file mode 100644 index 6f96eca0..00000000 --- a/versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP5/shared_advanced.drawio +++ /dev/null @@ -1,187 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - \ No newline at end of file diff --git a/versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP5/shared_advanced.png b/versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP5/shared_advanced.png deleted file mode 100644 index da9899157d390e82e60b50211bfff24637e8dfb2..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 90372 zcmeFZ1zc45`ae#mNR5b~fG9Xh$k1I5N~s_z zp@@`p`2P$uqZqq)@4epr?e~AL>&u;U&Ybu>@qXSLzkm2CqP@GhfJB@>b z55d8~lO!Pmd)OLOJaKSzJ3QodJsf?k?HsId*!WJMKe6%h*gCs=u<^;U@q#}hRw8D? zB3y#zfUsZGYbnrE||Hnpg9kZfUu>72>2Q}$I;o+&f3n(5_298FAo)V8ggvmKF|;+#*|XnA>P={l-u3&EXzw3UTSPN5g&W##5>2QIZOI~X6gAh!VO0G~XNuBDxs zjhmSxxRM=4NM}rZHMvf?o;7nam*Lg)^yaZrP(@$I$qYQ|_C?@8PF&#mF&A<4QFJqN zu~h|&a{yPe^ugW=wG`A-TKb~*2#ai=#LHvjhP~a69h!E2nCruU=uzj{c-mQ7xnr(| z-sR!!?BHSN^6gFwXD25huW!C+=H}+?{q5JRogFZX#N5>dtmB)LP&+g&%p88)t7B*B zVT)OX0Os*f-&V4+v$4hA8ODP-;%J8bGG>Rnt(m2>H~ReTUE9)kb9M%&%5Piw2`dMb z@UU`0pQrFUN54G3+ZTKN;}bB7@G^7o#H>x#%)-{r3D_P=(C!|-*fqO3dpcQedkpXn zS#MiA4=YUpRI?Z1K2|O1#nV_6V49KZrdy4vlOrrw&Vx<-GS}eTkSX^ z%xlgkCEXMiy~WiIIIiLwJ()B!H{Z7+}kUl4Wyc!NELy@<1m2k>RHFZTma zjK1Et_W-+h-1py6v89>2?Y23f^!@vK{mv5PWfTiD zk#|^!;PxM|{})&XOyvKadGP;W9-6km(k;QNwNER6e}P*69bJ4Uk(xaEOPSR{$K^-qzc; zM9hX93RO^0w|z(swMf(!`ZhnoDGxI@8!O^?Uu z2Qv>lFAP9qaPenwg}DRV*=`$2u&9Yu3`S93fDwBMcV|yG3oFc7K&)S)%l8+;!Y5Ya z*lp~E&@%YpLfh#11+TXsa(mYw0IJZh)34A!rC%!_I}fy7Y@Y_UP*$;R2jKHpqd;w7 zZQ>g!{5i1wuGyevk2V`j6#4sF5-&DZ{=1gMDRYM!N`t#IDWSjZ(@?iCfRlp8_;{OSC!U79c zPyY&a!enGSkQ}QK0CfLHHS!;%F}ytAs|vII4^)K>#Q%<}K+5}l)cucS3uacr))v69 zzx6aWUOqt!VJma%Ut{t@fN*ZF24nNQSbn%ekl6UPGbm#r@ZS<724{8{{nvcqI{^9? z2>!{u>o1X{0PI^yeqq{wg(QE>yx?wjUS=Ms@(P+;V<_7WO#l0fR8aUIi}XLnt+DFd zVVysO#Xn1~|0(W;zRORz^-hw61)-fR35KzPzX{>~UVC4l1&bMfmT(L4eQO51*dUC( z(61xhFiaTv1xg3_{3V^@0X0Qz3ib1Z3QM?AWdzh`JrvzWpY^+h`_CB)24w%nh9V^L zoqn+~2&>;eYbe6Jus`6_yx;S*UuZTzCgOm;q5cEX|3Av!e%HGGJf9YVVQ4Kjqrqxm zM@Yo_@=kJr{Tf#P{|cdo{g^v{34}Zt<^12J*1teG0>a-?=%4WwVT}HED(9C_=pWM^ z^on-SlRu8F02ER6iGKzzx6ydJsDZ`e9UzM;gncb*Y;U2A_DkgpZsleN3hk&2_Kyo- zJA*U^*1myW3>^PWVl*GNC4=?Qe-(Q9u(>k!LRi1X`tYvE%EQ~)%^u_=C$a6HuMHur=D?#X zU>s)$8vLUI6iAD|G|_fep}_txeSlwCiuwfr4CCQNx0=5coOrRB_6|M4_%SfOQ&GPn z`$lE`;P1}n!PlJei>AJB+hHOnN=exI{y(RsFU5=RwS-O5|7KbOy|?eQ1mnX{i@!um zKW6qnL`n-!H?J=}$Q@zR!okel-40bk+EKUtUBmsGL?nUla{e#Hc5EQ|v&q2s^_U+n z^g9s=bj!?qfnQ+n=Ynb@xueAP^S+XRz<1dT#)-f7%+Xi;+VJ`3dO%n=+Y#=ZoWb*{ z$!PruqCf7@-2NVqoi#Yc$qdz*^Kb)04q%i5OwaIu!3%T))(H#E|G?pSJW%(>Vl~D% z{}2KGyg$2Hf$qMU`Sz#stW)g5R>@FIKbD z*|9La6Oys~2WvL}O3uRjV;cE`v;Wk;-GME8{85|NQUQ#jVEFR(moeMej@}nqj43@} zdG%LHjH*Il8S(F8$WHRhi$Tf13$9>eCWaHi1Tal7tit{*t_Whu)bCyBcW?znOfU(C zovQhY27l20#for;>th|<-NkI%f4@v7VJBfM(DO#92^lvVb0`SZ;4f;}ZpWvisGX>e z84s#O!)0yeXy*V{gE|LX-^|fv`yd}EyMfSQ<=|z7YS{g7?7Ra8 zAW%1Oa&~h>&FAbq?2Va2LLKKvKj`+;Iar}4W4ORtE$p1YAm2~UNAW@~48))gW7>?^ z%WogH0~1@Qxkc1*o*j?2ebB?r%*ovvJQViwsG%>+!vV5t`R(0zo^EbtVQ;ftMCbZW z=)3{|L@;9i?($wR!=7d3(V1zX*B1CCV^?pJc_@I@GU5UhIU@4r275 z7{RcDf!dJ}u>WtPBd95f2nz9;{i1j4H1=+u`p$Lh5 zr(Y~`{;`F6q2hJe2%RKFX>|9pW-Pzbz@jJ^(*0b#4MJ3Qz=)}+O{<_<0W z5Dfo+*8T%;q3rkrm;j0lU}P`wecA5M@|W*3gC8#RJAvq*Zw7uBM+MP!#$VM8}Ne}w)F2!A@gJE41bfnNC2BzVlkcnU#?Mq7aaJ7 z!2H>cKWO;E2I}8I84ykX+14Odpx;=>|0>oyTZ{jzSffWFv1IMPyg<$WGv4-}Y7O%L zSPlGvx9tG$|C-j|cW5d2hiLg{$(`W$FN6N^Wq%S$|=ZkpJH(g!6Z8*h{4O2-+H&~ks?X@~@DJYl#6%S|f?+xie=lbJ z<=sq-#`&=0>sSi>XF*-yyTT+*ED8Z&?|0gmX^f=~E<`lOFE&n&?_>blsvGb3pvDB{%kO6(L9KWD_YJTU z>Dw>dVhYndUUp_XrXvAHq9gCuft?@E{u-sfI~%zE_h)1GfZP3d3|eCQy;uOiR=9Qm z0PJU#Fzh}oYX2*(3VuvY^(P2`a;tAfTd_v6?Qj3cf}EVWtb8zowA-&km^*_XrUXC8 z34XQE0`)_J?qK5&-<;t3?!5_M59mkwoxxl1zJ&|w2h70lA2|T?1r*_DU5p(Q3@$s~ zJH?!|<5g75Fz65M3|^iehy>>4l`jM6Uw$u=|GQs3`q>;8w(P#M#`%4R_+Qa1){6e8 z*==+9#hMl1!7yMf7sHBsr_=r-)dIu+`g5&dFVNe|Ai`X8lN&>Utg`iOLgBcMUHN4vqAtdO( z!mJl1{Fj*HnWfTRX;__^_s4tnz(&eLLe{Aonmt?5jh)^kVb<`N;Zu-mD)v38c{DIR+E2JW_Vfo2JRXu zI4Y$_LU96hsvHXosS=#v?R{TCTT-%i;de)=FCsgbw(t6H-@O5WFN4G!&y^iIKi(GIYwS;<7`MM}c`!I$z`kb)+*Pjcp`+_aBk9IMyVPV~ z$?;=n?m|e9(@uN7?;?E^&-`dG_;YNUgny>(^Gv8wIltG({>Z7`{4BXhniX(L+eEQ_ zZ*#oVR)k6L<{srl&bkwn5)dn9-}$#PV^6PK;xUu${2X^ctfR``+v8)uNapAMGIz!n z{6|eC>-$Hm1J`-1o4Mjnrs>7JIP(n4%-?HVu3Z0Ep^yZ(eA}MROu;BfKv+BZJWG`sJflF~DRuEVxyyl- zv-RZk!Y(XlyKb8`KK}HsbEW|P5|L?A6Qq>Pf5$Fm)TqSiz%A7jx|8sN+|BjnQE+4H z{n={QWvc^L3(j^QvusQ5ZWXb4mTKF5cMq@4vzUY<>d9pk4E!YiOCRchv1r`4Jh@-O zkN+8+A%gW;$K7F;Lo71XmgINep*?TqvUDn0)Z$d{A)|5+dJ(t7r*Em)?SAv>zSW5b z)@`ka)BQh+&}v>3bbK9gvQxCcZS0h0{Mc2KAei%(=FL-KWP6UWXk^NbhqTw96E})n z;bZENT764vu`l9o{QOvp#q{gq$4Rg(MFhe;+qlZF*&Jq8PrzwhDf}DqWs#lc`Nu=z zwxParO?%t+>j@J-b9~=*=Mn+oBPCdaIeBcUzAI@|DQk|`xmci=g52BV7`-UtxgLZ1 zAl0sm7E?pw#pg-X(j^bPD^M4@5ihw$V)gVg%$-T#ETnpMoKbxBZNhk4wf*W$&1d*S z2R$AlbATI4za5UGh8R3_kV)pZYsF2&?S^pYArOJH*RC4-J=s4i!lcd#@yN*(+e6s2 zGB-N6wLYUr193>mgL8V!+$SXDqUPk#zQ?o4i__OFJIrvIOJ=wwH?LZb#Sf1L^7;VE zcu@9}8lq0vWDzexG~mA1up%eZ7jKSb47X}Ylz-pXJ@(ERff&u0 zqIq-QHp6tkVkjPA%*DsQu|-F=4NVj^TRy&sYtx=qbqH#Js9$Y9qe?x?4gk#gg_Z&O z@iG)@vk?gGaIfjt*QBk9#QAn-7?!zRO6rq&MZ9}IPA<)^r`D|mxr7y7)4b*g*F6x5 zGk3LQiqCczc+VIYFi|e-+K9VLsUzb$HzH3vQ;T#ZqpR>a2BqIKb|yXq6eSi6Fn_y?s~fI*Vv+<--GWBUq6s4y+0 zI;nsQ$F>Y!mJnhNE#i=?knaa}SWF3ITK6|nmXt%+e z1cryp1(kKkH5WG`jiNuK8Ainh?vY8JZ-n~S3U#qo~;ph z9)XDq;lSR8?wyHIJSIbJVR@G-6X2q($FP7SI;`ZQ!U&ndX9qb%y;QG!*1QyWx~&p+ zhD+P=OnQhaq7X?h>H$qsN4(1QHR4#17Urs4EB0G_&t7Ka(C5b7a8vmzJV%==!7xtb z;EGVbr)nbSwXEUS7O{Erz%pk0oNKO4*;Z-zY;xvzS$Vl+%OmQKigc3;fE#5z97)bc z2TmbUVLAwxeo?8#{#I%fXvRO%xvO>5q3>ba=)`r&Bt9Fp4}B%=hnw9`L+R@4>kC|l z>uqz6>lWbj<{6#ixSBNY!uznI`x0_iP@{P7J+MlIrj~WCL%2cn5?g7xzP-NFR`>|ps zx!tzg)cW1WHx*ej=ZJ1=-TBSVzBLJ!BpE15$EANB#DZ%7_JW^XU`JsvlR0hp4h{o%}+YvxBM~o#ZBduM(>AV=G}MCm?Fv*nFArj zluZ05KLQ}PxUUz_B=K5&d1W*{1?Fxn=JkPRRKo8Qw0di8O3D6#&zyOu5bf)*@NmXx zB@ks|OV>7+2Q{)3DER2ui?g8Dgq+h>`GU6sI@PZ6T6NR}e^zqzn(V0SGIOiB-Tdy! zIMDj}-_odYr4h0f+kq9BODZjp5?m=@>6MMrRqpE|8}lsA9k;HFD!>*EKy8Dqy&?;Nd>e${-@4Lxos+O6s(0#8H0(n#J*`R#9>O8>v zLm=%$mwQglHZwZY&uxT;{a>560 zeB{DYnm0d2{mKoHS*3JZmhU2EQ~ZoGjb3O_6(MLwvdD}N%+y@)-{yd zyY7V)Db02`)s)S2-Jv~o85(+B%$vbgBi~r!5RT7E8q9)dlK09HbtZSyeC^!i!n2KX z@OvgT0}*@Z{5c`)5X${hO(eMoJ+4IELF!g`aq(KW(%(cP1#Y;GHX}Lc$aCo%!YPFk znJP-jqEHW?`FjuFgd!^0=|Q5h@Q%O;=M5t+i1;UF;JdQ$*6U)urHZe{I@P6O4?{k* z&#*y7y*}8=;d34MkOg2<0UpCF#ROz2>C|5uI^9=dvGn1Uf=VeFUEkO{Cpxln7S%Ly z5m|VuuxoupNPhL&vHGwayUtr6!f_ocLY5|~rU>pclO>OJ%rNb{qnWJ$D3$7v2p2zu zW4{m~;XVyZc^yN-uytWaSMU6=tH{#52R97~oMKeq(U9;md z-4&J-hS15L=aLM=$BzPx$IkH93Q=&+J-z0;wLa%`jD4FLck?KOgu94AQ`#4r4_6yy zGt!P8qrW=L4W<9^roik(2ckZx+~XZW)bqVuYilHOC?z;9Os3ak$~^r;_(x^PX$T=? zx5kyW6rmIx7c$Cc?Q{?b1=teGM6iAUcFf+9(gWc&GbC=Jn<}LvCEHAn3Yj5Mg0I9C z`_Z5yk0c%wY1B}Pmu;&Ow|Yk5vt+9eAT%|mW$0rlwGjYtnaZW#i(9DuLx1tXId-U_ zyMRxMNWN)tLaT^l3h6>x;F6xZgp-5v$NsXm;?maA=@wR*VddBFIWD5Ip85B7AJFQW zQ)NLCGyxf@)>ruNaV8-fk0T)`=hLgR&=ek@Nb^@iunJP0(IFT~0ugmTzBWe7GOD#l z5Qry3l7K5FoX-Pr&(6Wm1=;ZHyrsGVl8nNjO}~Ec!9d%t+tl19)edO~0G%@qn3MPT z@bbC1`*`cV1j{_lY&GGajZ)uRfacsjeUnT(&(Q9-hOx(&@WmUi9yb}V{N%;uyD%>B zzD*~AI?&~#(VSKxof$A%-Qn#@+k{VT!vXFShlAf zXuWV9-OC`qy+2j`jk1X3K^aiPF94-gWYNyw~Uxmt5Z!%P7^{6KEOi?r10>s$K=xUxi0T`UcQ3BBc0$-c00H*A{fnah@%ST5v(M18k%UMjS#|< zq=o>nY64k#tj}$o{Io){Sr_#jLdyO_igEmjI8iwI_|MX%;y-V#w{NrwtwSJ$+|&!yDz;pthuDMiuRy+3JJO2cBIQYZE>SwVkHt zF%2n{YcODeLULpF#GxRloGrD8=ljd=u8zJgbf)3t=g@rSK zzwEJFq@4u(1uu|LAZVMvgsvPOqLry5WfJuuX}Nm*5nv8&8I{tZc;mCzMLo~Dmj=JR zq!^Rap)R#~9t4eHK)DFRBDkO+7MT%{Hq|GnOGawv>dU)iO?83@aNr=+XT|0NzIo^oLV1}Z>DYVi1;Zee`{ zW4Ww$MIYNWC`(DH17iZpr!TF zN68|Uj+>7+UD|~<_wicte3Tczyb${t*sv8RF{(?1-)yF`CZ#;hSFje+0Rbc7j@FiV0aK(t~7!h%7%ModPk zFDI-zYfG{1D zMk1(nt0S^5A|px$IXw59qAbCoj^7Z?WNTP~B@F9;45v;Be!j!p{%#>FNC-Fr?s9G? zYE&aA=IetGplxpC>{(-wEexMYJ*$E)^fUs9CzwMh|CI+XlK>Ffd^Gwf-e&g|5dd(T zZwoCRRq_r3R+DAjmV9LM8uNrdsy>!+zdAXaL>TqRms8(IV(Md))U(O*w*bKo1{h+& z6EfS;aC=|0v(=P&!^YLg!E>m!q4GGjkDlofD##Nmv_kc@oh1(;HA+<6eFP;nT_ed z_~;Mo9BI#(I!Qh2jY^NIWf{^jq-BLNRF{;jT$F-YGGIB3eDB-$Z>8+-UW$;uhYFSq z84PGgpbEWsa7Y*axcjK(QUp5#0w_t=<+*?r=9yfSY73DUa}rLB+-1kZMfng8-N_RW zO#M#k;E)nrH&4x<+prY=Qhhwb3=}+kE`eq3HM@HhyDT?67#+mTlWhJ##=A%y98xkz ze9R##Ty@e$T{z&S*|v+RBm~?5-)oJ;Vhy*ALYg2zl|=!8$WsFV*uOB9U-Pv4NiWCE zExFoo@R$K421Zy_gwW1zuc1~)zhQ4EJxCoRa5*K8VI+1?t=2;3piVZ`;L+qDC6s#Z zjP+Qe%XV@s+9)nGJUr~-`Fb7T)1Ig^&M1?mqC(lX`89qe%)`!-<1ItLI_9H2U$Ds4 zW}_Y<%HTTo5u|BLv$xeUc0kN)7cLc32VeIPxQ949uo~Dg2`Khq)Q3P7Bu_0%F@C^* zYs0rpG;BkgIs}e#mQy*oW#|k&Liz)V90&C6dx%)UT`s&(6(ISGI_egCF_IsoiO>d0 zds0H4F(6l)jv`2%XKgt#{BCHFAQJ*f%;~&3(Vl*Maeo~Gudr2O z6%sibV6=Yg(NwtSurpA#^-aMtaj3lYN*%^VkE~=cZO#p?GNnN#)9u`+` zynEoxZX>)3%CzQ>&OzY2Z@7@xFhUI>InN802saL#X*ELBi|y}@`f`5~g2UiYh@oH& zLlHrk30F7~x?s0m4y$IP8bo9U75}zk{n_}i%Eb;9an;w4I!fhr?I|$aM>P^LX2X2qY08EYP#J0+%kI1#4~T;sOa-A}C{b8^oxe|i zkZFsk?Y&NY#M}e;UBjCs2qEVIx%%^@u5D*)? znd--jOgLQksE?A>?!~%_kvgG#AG^Twa!qIP^qPW4fdf-@j6zPPbswJ4K$h`trhkze zz@J75++bSBlG$~{L5B|d%8OiVuRY#}UDIqfUEk7#{w9X69dMsqz=Zp}qseB3qUKH5 z#S2SQ2+JqGWf=^b(Zi5pfBhzh-~+~*aJEM2SNpojEO6E96G zj5MB{^;=l7?YJRet-=%=nMHiiXf4L4(8G6QCOFu<_44YipeC9!jp|dX9u$mtQ8(+= zvl}iPuWrhp2&yxX=o@*_M6TpF7&yrw2(fCZL6mhq8m`C+cX`_pbUEk_8I$T2kYA^+ zj~(d>zInJ=<$63`m~!LhE!Qa-ITE+k(EAf_095Pg_~zRV}wnQY7QM$NvqgD5xlz3;=)qhT?+r!h2mp$GAU|R z8aEXrc9Bh;f5dCaPe(=;H#@vpVADhPzAC<)#eP-Msa zLNf8-Z(-&u25)B9Z<5nX*fDLD29OH0>}@Xc<+wEUY65<<%blK1lJ?H&Y?;pTJ%x75 zFvIc{Mty<1*5jq7W9$LmZ(01j&PJU{|0sXuwD0q3dy~r34pW${eNVBA@1EQ%FiKmaOb@xxeJbN*j?kfd;?)C2G>~fcye$ka4RI3yw(iLR!DSnI zqRwVavXX!tT9R^`#7XYWkBNMch=f1?4f@GLv{iRS<9y3SF6cw&RfvJ$y{4`*4wsdo zpvqVGB?W`#4!mq03^o#A4ZRs0|M2n33T^ZKp<~d==F4mbyNlj;bc&aFj*7OXiT3QD zH6rJN%&0Jgd0!2TI%z>P+IojpLAbPB{0i6Q1EaT&%MJvDsdQ_c^B>+?*F;(@m#`8L z8l|0@Xph=6Ra2|u?={jPWMbBGK|pu)i4&(DKe>(CX2bu3W=nFBG7yt-(rih!hD~FY?19 zUhz1(>GF)AQEehZ!loC+>4)5VK8*Vtz&on$7!L1$={swqlFmaD!+~6<8r+I!=pvWe zFLieJm{ht*m_pm@45O>nsPYSehsG&0Qpz6n>+D?GLFGsEW#&NInQ=O@pI*uW))Q24 zm=&60;Ws&~cu`oxT=S|c!*%qBd8z=k9OD9^yYD(o+xh_N(l^(3B+E4wWVqQ9FVnwt{d^GE61#M_kqqy(|B77%*RO`ci-w zIrh<6G{?X`9<1_TZhreDq0ODk;9(=6(6gYHXa-1mX~3%6jhVrqb;kumkHt4qHq7UU zD0oMoT{=XpmL_i3_$&k$pNfv|0$43AsPbM#Mnt#0HA@NQgbt)j;io(5#m~eaXv!9g zOWMarHxjlX-*L}T$K67!Lg;LUTe0ZmfU_|DRINes%HplX9GKMys?m|lBca5FmUSwJ zPbNe1d+cc&)Dvc1fXYfl^1c1?EgCN)2CxgR?VK*QcRLRoTcP_Y?aG`;`A z-F(5?=O;|ET&J%Vx-NU`R*h7N5rhRgeh{NoG=F515@Vnp;6r%|?z7Tz>k$UiYWETt z5;lQqTI>}hXm#n<1WE8(J`Q=;nQgH;KQ>PFtYic9ACJt!ArYwc82@YhnHRbJ)io?3Fq8yzMp(kRu<`BI#X>q*-;r+CJ>o-qVq^h?bDm& zE}J!$Ko4_DBrWyg(jbjGVKT#4H&7WCg{beJ@5)Yyj71`$n{InP9T4v^6i_a? zA=3FMLwTmor^=VuqHQSl^ofBqYfi6K_Z#($xnfzG@wm78EEFlnxkzLModwsVV3TBk5n%eNhMO3sUu#5yZXYLsR)$E&!W8HsvZyBWCxK#b zBDc|50y$7KDX{BgKLoY4LbZ&ED487Izfp!4IS(>rDa7&;Cxa5c`HLGTt+f>6ndEP& zT$>$@mts(st@2xB4OEBK(ijCUw=??;;abG5fMJ4GdXZ{S*n&E@%t|2ir@L){BNlB8eennQS~%&dLgIO)qV2hQZ~Z})6HYJVGOxnPgj{_91cCRYW4D$sR$^DGLgb=vpAx~_rmwKXw`;LmyDj*RZHK%l@O~6 z%_62`vAER=msT9oR5`C6R!=Ir;ezK`!~FyGukI`H|RPqAXZnUX(5$# zUT|IFw~wzdQi`v*9F}>G^gCLqTQ08eIT^{t*ki6V`0QonL}^)dck#-6nM8$TLj~Uv z^QWm}J~us#yL@xY%3d!nI5KwJk(c-&>OuD;VbJ-4_k6g8?VD2eybWJH1Zz_8JANTd z5*vZQnK?a8Im8~q*fUtTDf)2H=n?f(M_8YpzI|IBuF@{kN;Xbzdm;Q#cBtCsio}Z> zfvuJ~ThqM@)QFLhFcXbDm)#%MKjP7_jq~CI5*<-cXQ6T1_DRIerA7BqMGEO;kNAwB ztVG?pE%C0qgZ$aMT+}TNXh?evh{8Q)*9}ZJ z;~J>#`>OREFCR02-4Ck|Z@(G9FMvu;6jW1bVYg=D_7gnn_Er*pT4~r6pf;>|!^f`c z_PS_LjmJSA!mzy9?wX@ttY1c92p1>jQYl`D_b8u}EE^dfSddn&*xnSdmT8{}w{{i;3L3(`o^sEc|@ILWsS)9`Ey`L!^{$rKM+XsqDLQ2D`^)%1|J`0Ci3gV- z0{RzhBO=ZL&z8UxPBf_NjsQM3*^z;NDv>jiLnjXj>hmujIx@b$aL&`NY7^-Q}*J%_sjrl%+8nlVfuqM5Lm9cj)Pv)5%o0w5$oCz zT+sJwNDtnM+}d0RrQ#2}yK7H?@{IiL8JsqgZN1dakb-7(Q}o^}z|AMSbN2S+o5X`A zttl9R(5((A6S=&Q`#F)zfG1$Z1&o3bqdJf6^AqAPQ4@gm^RvF@$1n&y zEj_$A-M2S^U6t3;e0>$4Qrz?&_2-R+_~eJ`v?o1M4SYzMxptYL zKTPhlJ;`3&8%vumU0JB_G)jSj+lmQ(EP5P;#f5~E7)~MmTkSr#$MGIi&bKIh$?#b4 zT$NBxK77}18v{a-hp4WHjnIT>$p{&!Dxn@)91LL%;~th^#jpY=0?3IBu7jv8Irz`wBa@$L9O^ke)ZSdC8~T` z3q(q=f_HWWeM!u}ROz5_Jd#koMu(|Qqt}mf1Qd#g$Zrp$YjXs|p}U6-oCqJOR7yoZ zF>0Bt90|M^r{5*%dA{xVv8J(^OF=T5=8*y<=(FKRYR~CsUpRh2^n%#9)LhlHix^2P z!7N9J%hhlW99v2xWrzfhnt_z^E>nt-XFbb%aSXlgc<+%mE>TM7dgyk}EEhkQx(b-m_0^HhzI0?Du_<~ajYDK4bs$SEO-I*zr zh0reX?ZXKeov$*wLOfr?iMvp`c(AD!7bgs7gWNPvjtwYuG__HB- zh|Dxk9xG3UY+r{fhR3=QzzGlU|FV|EGikt z_GSTL6AO-1d85gVqW%;Id&PaqD*T>ypX_reK-DyT0omPDRSHJH5-f3Um5KW>?hLAPojn+wzn6E~mh zcx}E{pXX(>w|0Th)ZPVYcn6IPIUyIr7?;jb?Hv4&`mi~Ak0!qZ(iAwKh2OLRdwSC3 zECK9kEPnt45w%AMJmArVNF;~42u_VIv9;h3H`JCQiIOFKQDHz63@mwc2t=48xaCab zVX`{pgcgVC`(&nY@pHU!p(G)R2x8n++=8cW@~@o&C5URBa9-hdyood)If!%OUOsby zlY@CG(WrD#N%N3X#!#E~E~4xdh&*{2+>j>-p-r#vP9LF4PIm6efxXk3k0wWoGYRA? zM|38zF3E@|db>#%egoH~#}B{#M6ebDk=|Bd8156BlZ_Zj?PeN<`YcZMIc24gBB3Fv zi2|XaeGR$x#^L%p59amtjAx$a7@6R8)RXNuu{7eSppzDwVm}g>uJe?4+#=GGmUi^G zty!u08=@wg$@0dO8&FZ7MNUGB{NkJBwCPqENl17`OBalT=zQ<^i#^f3)33uuZTeux zUT4GV$AlouIPGk$WSYX+~wYmEL2>$0~Z=hRdohk*qhhdPPI1KAAiSMFFWW^?l#*)zjlYu zuD6|=Yhi0cTjP_QH|^S`iosE5DTXsWChGSI`8asjN4qojADLOVq2VRUo)#QGpk>?adMwA-eHv_s%z;_TiNtX8MSFQ^MLY_2a zn%Bzdf5M*#-PkiVG`(f0r58MNg-bZWQyv;d_SyMaN&x-Er@Nk1u7(q@Cgx31!G*DnXK8v$ld(NYx#>i=)(r&k_E2``t<*-r0m=bt4 zet-^=J}qUpdv#;0GhRwMotvxBthZ#`lxglmEMsl1!OB8=i_+?3758LRvN~wKwH^Gt zy75s2FKYr!cTGK>T}hbi37^q$x>}RBMJc~v*{GPZG(5qVJ*(aBbxH1-x8m+h--cuK z!fw3AcXiuHq9%im8~J-p)D6BGcJ^!lb!M|A^MMQd*I8w#{V$xAK@+{RcpEi>_!84P zrme4AhBTRe^F0@rgES=y)ZvG$2(apA0C)13@vd#f+p5C~f( zO3JU@?Q?T1Jo9|Xw2z^=JG`Q=&T6TvkeV)P@BN!{pvA@G{*>NfFqjP0{@N@rsdEPX z(kRH$4(FEyZ#i@!Y$lIm2swn3g$k!64Wm9DNH!fTj8;n92x`49xm)VGNLbK`M`n#7 zA78FKQ7rXbU?M|AJUI%sTH6t1bdgif&0|W8^XaCrzn?IB9MgG^ zcYK+saunzwsxV6JXXZ4pf&)< zl7-|mzAKlT!f`GbRuwHOP`O`ibHPGKhl71{MB;O$WI~u@$NW&xZ2Yknp8TaE6XzE+ zGEPUh=9;F&r%(60QH;L%3_I3FoL}CZbEccVyO4QF3l3?$LRZXK9SRU3`NZkitK>+t z1i{;Vw+VMMtMC3H;t$<=YzB)I?#P^>z6E&$B)&LAbTarc=5V+R9^N z!z@}mB%8U;J9gjIC2$m7RJg*hco@1r*W6SqN?B&^)Vs>b)gGut@omkU!U{1dkx#p) z>buA8$Tu9jt(Cj`Yk_ZPK^4Ks0o^XJV6sO*U1IyVy zwWV+O95rT$HSmZj!YLXloQ7#mWSLSk2!-DAQs)&v@~B801k{t2J_2kr6E-UNxqCh~8Nq#i<4SUbT|o3+IIYDa z9m1^#q3~$erwqwpsKJzxaxDE{HDmjGL*H)EU@4K}p{IgE}#1fT!>w_Lohdk0> zk9wED4L{FF1yuTp5H0)CGI|GxFVv*UPe;kS3^g)aI|FWJHPcp?NMR52{7AN6vXt5R z;XUX6IM5E>Gacly2Lh^aEXoh}+jeJU?|ar0JJmY#7;%NaR)Kr?(Ap>{hQb^^h^;L4 z>uEvfI3=ZA7>+XebdW?@FLGSV*W0S{YSUGH?fLGUU;aY+(>@sF`KEFClI6nC45Uef zP=5TL2#@0cnPt$iaGgXj?e(N=4r=0eb{~BQc5ecG>rO+bYv8DLJSO==8Jzz zkg;eacOZA)ai)d(bIRSxiyGBrCrq67GBuvQspcP!)Gc3fr=5IqLjU^HCRW0`TZ_GC zb}>j0`p%Clg65f7U6iWr0Ft*^)#Q9=m00HBMVHa7qK#3bQja;I7;LXt=F?Hz_8v-(h^p<0@7-0Le*$<=hN z$uZ9H0q07N4APZ+L1TWGQ`o?FiF}x?R-)32HeZ{(>X7{Y(!Z%q6T0j0`I| z3`@F}r&-c}47}*!Z$)n1iZ4$<`PrjJ-$i`S^EP+~SnZvq`U*Lb*kM_A7S@`}h8*-|GZYbG`O_)aBX`)5mOdO*b%+yIZvfp?ho-vNVIOp}2z*(fj5;lRUu#4#mrWvZj)dc^NK@A;xDHPPMI#Qyj-P z43E3!)SooTAUk#9!9%0A&#(&f}S8?W%Sj&sB2LP#N0y{6pug$YWcY;_};*hC1{#ADM1E#(n9%kr~-NG#n{4A+gb3 z1*bZ$b2o0_dWyxT8@`jzGa~2VjT3p%4b>J8)T`K_(4c)So#htCJw7%m_qgovF$E|%C%c*YlD8ltYrYDEF8rcBnqCyHcbzou5q?7O2-cM(4D1R0v zib_)Uh+U(^tALqh1LVz!uOX*`#~9^$$T0+eRWUns)dUH8Bzk zq(AFWyxz1Z^H{NyB-yD*9pC-v=-RSUV5p&Yc}WdRP%I(nltV6pqc0P_7Z34a_N(3 zCn8B&<>R++xI-eHum-K>c%#2L#6EkQjg{V^s9zH-2&3mNGzSw(vpHG(jC$ZScCxx(x@PUq#zRCS@quE{r-h_-}l6vnP=wA z%tITGcP8(84+UbJ=Tt|M(PZTxnCT$)imtaS`yzFm~{mCpSQ) z5qjdkmjI`Sb2}U~(A4x{=djPus8NfDixLB5WDKok{D|K<9<huhkHZ=Y4pERC!2{;v4z})TqhLa zq^C3Y-j%`rIvW%R|GNQkdbm2B##{k8_QeN%QkxU<4Chn|w;)p>l)8uu`8;ZjzsPt_ zUpl5*59xJ)Fo#T*Nt5_u-{KE4eE(f~N?xdCQ$(V;-dkNWY5gckBZ}24U)q!ZrFnNSQ zxN$_bEmfew*eeTm=l?8ZZx!^mF>+Z0h~Uo{xpyRUg>r=3XmPIu;snx;zzOCjwG?O+ zstHGdv=31w4~hnr!%ZO98_d(c+0@UkK#noC1zl(U#oUO{WEGhwe7K_60&G3o$-Vz> zgAq|vT@-Yo`)##ziIM4rZ>l$pV-KnzIS2Wzrh>jA<#~{=CX*4e5L%Pib6be2=_H{k zY`*R(s~;U49uH~4RY;^N0(I#rrdbIUkf06|c3XagC2rm5?F?K^Fez}W(9iDn-${vv z6ADsIu=L_+sRu8&H7{1Fw?2}Cq+`SD*C4exaqHEFO~>OQPlzCw9VfRPpDK7HTp-D= zhje?B22~WdkuMUU%^@A_#3TtZ5m}2;b|G$NFk4PUAz|G`h|1>|i)Mze5fE@uBxTO^ zpU<)lLDx72X7i3>Jw7_8O*5_-M)dT1L;TEei^(8oOE~$2zpjFsXnYlXh+DNZFU~5| zlMG_<(%2GTp$alJDAZD%Lu}28{tDq~8$<;YSc{0Zf<9V^D`)kA^D~Dn)Z}vSJNev%^+j!h1N(P-7!g0ef zwAgZ7o=aJ#S=RMMOO7qYi@w!O_S+P8(oW(fjFVn3pY#pTSu_MtQ#amkl%j&eC0Wgo z{j@wRH*{0t(b)QXsX@>vNBKhwoS`^A^Xxc&y#1Cg}8K(kN z?Ldc#u3^_b zfG<-vr-OwGM-5!-FxhmTQiT7Ld>)XYz^SFq)u=ou;32`X?8e>dZe=^}V+S$X>gSYJ z)TQrr;-A8=U3GK*)K!;%hYn8msv@7-I}$a%OyqVvRXGZ;8FT zCa*gT+!%Vck^e_%6}WIU%$GTDn8hmd*y+VH;&zQT^Pz7UK2`a+5A(0iYF>5@Ud{^58unG>P@+NwC|B zJ3A=g%y;jCK4a(37|%b4D8!`%NG70{3-#dwm4B>q}fsx__M{a*H7doMU` zlfb>^%cgJVM(DVy(S?wJ5RvE$-WHW{3T(f(PxF7<2W1a;6_S(?Y>I+r6h8(Rte=Ax z1yQeVj&7KI>G+ho{rS~2ouKK764ezLe4Il}W<0N*OFtr3 z!4M+&)IK1o-WbPP9Gy{LV9NmcCK15T7}?)+lQKplVNS9T~a*e?&4= zwYZR*Ywg#l!iICGgxm!+?8{EDRWSoJ>BXKzH{N4Ig1tIK)8Ugnrbye|qNJCsu@fW; zT97H6kA!Swy+PR@}Rhy-T z)*S~j_WHzH2dHe=K(e=P_DG{Cm|MPE-s{h7=X)XLn)0DuKBcV6UJK%6=dkQ2B^!`P zb4a$==Ho9-`F@WdJNE4V9OVG6)ETT=mN4a#7+wj$E!iN0$TiofJ-hWuFJP+U^8KIG z2$r0qO;VT3H4z-dXuV1CC$*5pv2VNG_g}fKSg?uJ9p8Ih;w^!ug5+chbu?U1xYWwJ zd)wOb^y|j5GAcmY(1R$U(ioFTHT>%dRONd8&jYOa%~tz&C&B~RQs0s^RT%V-s-I}f zCUH`Bz9L`bg!~k6iP&I5AhJw3s(nECG=9+(Z`#8|k^sa{dCb}wf^Y+RVNh@Lub~&L z)9%~k{bWTLBK&Ag16kAY>I7N%s|UR~amf74AZJO>*M=a*WY!Pvw@W`W2rKYia}XyP zSB2Ez7Qc_q${U>gXn`S7+2DncK;mu}WLpfOz>V_8uSUaPO`~;lOpwbs)?3s(V~o&Z z0kra@F)z*{t7*s)Q^w{FNBEH8T{8$-{fr4@kqlzG!g8k(^$x1gDsSq!Yi#a(!IsD4 zFfhyC2E)WOhPxQJ=KqpofQhlme4-T7{)}KThFd+h^IrCbvl#+$l+zixVnBQyyG2vl z|1J*>D{QeOmLnooP^Ro)OzxY!amTXRUdN(5xb&cZRLH*(g+gtkMjv`Mq3bB7?m!e+wIE5& z9v_>Pr8C8sZ}!O`HCHpfw~xKOrJ^{zGftwSs4#IAzgLcK%g1{~?t=sIgBGEcW{{)* z;R!x^5^=xxH*VkjA8y~q!8s1pQ{UdUCnfIgGxWN_#);;Gd^PjH1bUYHM#P3Re6qffsPD zsN~E^^C|X4icuUCTp7bX#|`*^U)5Rc$@)b`XzY!_(+mf%;&E#UHUzY?YRO*Mt%P1GGnB$q6enTquiO$4^n2Ctw z`|IyDh27wXei<7~X$l>Wjz76-IT{@@J((V#6&)*C`C+BJ*ol16d4s~vSsynWt5BLV z{#7Wz6BBC$$Ti`n`Zl^8CW9Mnc7u*10k?Df{-cslF-nSxRfEu%7=ZVF#^e)fnlc1H z9F`cvSdQ0+24QB3J1{h9R&g;S6+T%8m0vydwJgXW5SXlq4NMLXKN@%{Izvm+qLm22 zCl(Zyeb>01Iu>~qAH!%kxnDWbK}vGy)j^p3_E`dMPDGy{Rbyns2gzy*GR-fWc1>-k zgo_0ZCB?;cMdikeZEZp|(S{TqVqVOArW?ybh;LUL3$emf_+!l3tu$w4zPOEz&a`X| zrdsj^)C1*Vrb$hGzU|yZku^gptBsOg>Jpp(J`*?ocP50X7Zn?xadVNIAR~lW_~zMr zBiSk51mnGK-3h*OqbPJp|5X#H&4ZyS1hds2&;uolCs!$AN`{FqQXxaomU0QBpOtx z>^u>f`nVa`J@@_Jp7&}&1JF&iq2*yxpz>wyNkBH_JZw0UpJL5tujC-s;~=oI*$(k- zHa|e2qRp;OXoYZXYw*h^vgoAsDcZ$@l%!*A92a@W*uBYO%{;mO1k?JX30FCLr-0DT z)Yi$tE5vN<8s_SDwd@yVe|7?|J#<*lCsUO}#MEq+EeFC0$2yo0Fa5kOBIo&}1!{bE z$l9^{^vhDga_q{d=FS?USC$(1ov0{^n~5V=?T>|3F+E zJB}&G+RR`u6oiWzt^U~m-mu?p6Y2jxDa+QoY5~F(I>6o57Wo_PI8(#Io;-l1{#N>U z(&2VJ$(STM``}7UY$^E|b^@i}e{FsHb3^YbXe=Um+EzZr*9(`)mec8}q4yW=Y=~UTBI9Z``pU z^;X@!b?H{|kB3sZ^1rO_$P{YOAH8y&Dd4RR=t@iInv{10b*JC)hj~y83XxnJFvO$g5^Hs>j6>Vuwz}JnqrYAW0D%m5+^+Z`T9{w( z;9Sj5GIxd&$<9*H-cojCH%Onw@)AdY9=!I}C*S7lafZ_!4$pZ8&B~5VC0RwEvv|v* z;%1@=-Oswx?=wc;t;&2k_I;8NbK#1DaGkrzGEKuto>5(cFfC8cN{|SZqRXzrOZz?s)Ow>8p(1t_!Y_(O0Q+;`2Pd=RS(CvzaF)!8HQc z0!nnxB89HXTH<*Qyhs%Ncp*3A=N?l(zhz*^Wzw(|7F+0206#GBwq95y{P<+ z?VPUU{zL%-Wj1N7jysHjVy^XSprk&UJfT$tu1BRL-keMT#P*imEXPt_En6jT?Q<2a zUIUbfBo4*?bu{l{L+zkr^s80jVtH4SA4EmK~)InigG&p=a7BvBJz=fnQIY)*Sbj+?6h*)BIBN) zm}Jv3b#R8*eS)&HelEAZL1<5ldL1_7 zD*)xVq*!DdLFn2kqRVVi4E{UCB{!gSS<5G6`+O%Ux0uZaWC{63mB!?@t{V>4271;8 zP$>4jT1@IJjRt!$q=Sz}P zqG|FLu-vvA|9`}__?Y|hHP)+UWpx{k588f=^#rV?#g5mRD0R)JpC{vCiiE;38}kFy zCgy@Yo!mAj4hm7uOD-(=ZKX2#2G%j)0e%25$*n# z&|Pr0BL;41aek8QF@%24S{vG!dAX~?zr91qYWL&vZ2H!mXj>~tS85FonLZu>F;pvH z)l9++ltE?vMtC0KvLudJ9ZL{lFUf|2$5dIbHIECeT=uXuYF7SH=jeBcadvd9dxy%Y zTL`NKtB+1;bi~-(IgqgtG33`;Djs1{{DJ&X@_hS?pSUMG~ElR{^?RV73Kb< zH(5|dq-jiqOEZVE_FWME-h3b(tNSUNCMl-sf+c1!jk-SQ*KOIOaXf#b1plG2-mea< zIK;5xkwleo7f+qw=3o3i&J#4CV}NSA=BGNh0SVXnu|#Qf-!p=h>4_ENBPwCG@QePh zgTzsF0g7Z>SD|VY%qsm*V$`Sid``3X&aH4r9Qc#69++DH$h1CTi zC@43l=joBTlpdEJ-M`dBTViyNP;^M`U5hdluX=s98oQy3uWvkf3fX8h+!mv#`>3Q; zU1d#(XYAU3QS?^0hhZT>-ADt+Hss^$uV}@&;Fzn|1N5lv{OIFeM~dQ=2QtF#F3_q@ z4Bvpjd0H2aAX85VdP0~5&r8Y=`h_NlN#<(?A0~B0$4hEWl=evkJmXhMcJY!91K5>N zg*KW(MMisJPf(KA)KMyBkHz!uE8G737N-|q1dV+7%kFa2&R(n7xIK$kURk21X%q!> ztOH{fhhhY@(x|@Mx$Mq8&9#qRSA;CvqH?uvahNpx68T!KdvyBdJH4ng^sMcK@M~6W zti~P>!-THTxfZ>&J5fURrR2jef_-&z19e^tF$jE>)=-OjzxUFhm=^ks;2?<$fp8rH zmHH|!wCpMgzb4vM=-_;oME6X)VoE^OuW^je5K>oYLCd)57CXz!ZThc~T0|_xTw^)Sj=QkGvc*fi$$4jp!+I)y{7|FSWcXqb%J#JvHmnAZF zX@_hmsBa*6t7}ZPjotvEkK>^e#yIxr?r4+ft!?^`Vdtl+m1312**FN6LEGe!L;FxW z#W=p0QkMmx0KPAJmB+T?U7fdCZa&grrc#=y^$xRto^|oH%((3Z*V&_spKm-!4CMc! z3WJA8A1FT0)+}*)&apP#ltG0O|7s{%&uPQlU$_6Z9PtZzl{295^~(Th>yLFiM~5@w z`wSmnZs&A(lI(tdL?)Am5 z@V?4FE*d*=jcA|sadv~M#J|Dlc2ZSuDTF`8-x(jE;Lzph_|ZRjMgNH<6-||aa!Sj! z`X#N7SMx$Y8{xej4_wM<;ABrN#qLtc%{DRHRXhXj!e+#8JDNXn-RK29-cqHt`8X-f z1>vj$KOqauXQORSn+uJsCf@d#^2DAM&=GMkH^XtfIm}45XdU0~ali?2$2(l_icxW2 zRqcz;0bQ+rRE4jCevx>SB-lUC;Kblvsfsnr*+8S&10P)TA>--z@hcc$L=ptc_){hL9Y zLnN;2)(0bP^MPU(JnfJlMS@0tV(u8wXaS_gNd01e>WMm7FV6;aJfW)LAdsC#Z~?ProXz=CtD@FwaB@x_GMj{8kGL?-%02 z>y-wyA%3HeymN{_Q)Q^-eED+YL9Ew6fBn+SN;|~buD#W1hxf(}vaM^-Y~fRPC?@N` zOvLS**ei>xQ^urOg2uOO1#iErvayv)=hD7CG_NSN|4c(4t%!)I!# zp+%q+M9~LCM4Jp#6n5flD@btfVq8BriP|MZz-z&c_XrE>vPa36Cn=^tJ@U3y;$o$$ zyu2wFJ&_An9_-^5xaj(~xd{&(V38^B;Zwp^bhgM`z4|B&#$ZGM|Ds_b_BWqEY6PM!5jt>Bk3Ow^{*WmQN=%r|i`Uekx=>+DeayXzM> z$V_D4;5_r+zgsj1Fosl}m4=;&pGeX$4*4<#cGZ9;$?s{kDPBcCG)ZQ?qVlO|u^l!N|k{d!d9 zy*MfHG}1o<5eaVt{~dgd7~=oW+u2Im&W=`(L|=FDI0aEyJ)#Nkzs;dY>fv{ej}Bb^z4^L6G)y1JO2nbWCy6~mD&54b|W{^Xp> zx+Lz)+g_wi6w+(+jX0SPJ(r&!!!-czh^v=gaGR&sj2b+l<-k_cCHT2_ zzKlf3WFWse`=5o$VZg3pvJ`1_8ZqYQ+b^PCt6XqCQ%dJI756yc%+)e|r4{%=`|HV( zcOyhTI9&ECn&ECqG@y}wkUtu|HePmZ#?LwNUX_IH`{no3cMyO%WU=tbPxUF7W1#z3hP!#B@F4=Rql5_!b2j-obbqu^7p!IVeR_*80)C-c90w zi-nB%w(*}(9H~u8z6-3Ba?2x6(7W%bQy5Q%S)YBx5nZZSPCzeVlS3I99KEYXqS6~9 zxV^LAR}m7bYx~V+1Ksjq6V<9=v2)tl`aRxtD17gic=y)ZVI3#S0fxJghjDk;&|Mj7 zH*D9AN{|8I)EyWj)+;{Vl!&O1aLZDT@N-}OdpK2<(NU#VonKYoanAW*>|Wc{q1Ix` z1#XMdmK48z{N;LXaO@pisqv|R7sXfrf;(``a1b-`2lp0xO2D`I1!!H~b8 z>*7I(NXtgV52%e=FL~RT_wcNw$3%&V+S88>$alj?_C%|DgCwO-Gt-J=Z~9WsRS(`y z+Hm-zCI)~CiOZEIjkYP$deG`FfK+thSEZn5{`9FQto5wYvNI@?3?JvA%7+?G9*$KF zqOTG)k)(Ze6E5mH`i)Ow+V#HJ{`$;3k}8UKTfCCHf!3w9HokwZZxlyx)2zfRQFZy3 zevzKc7pu$gdJ9R1eK?%ogiP?8DSGfxx(c`Pti*8sln4A0yvxnCpeOHuE3NWj%lNT& zf&UKvA2BX=0%9xxPY6YeUzj(Jim)8q0N}c8Dw)IK1-$f^wqRbugTfaELWgEd3q4`6 z2G8@RgU4A-&R;Qn>Tn>L=NK26g`>Rl0FJ-oAdw7-7khwE&l;SWKK zdXvi=mTQDE1N|>>NgW0IqZdiHO*i6CWe)8gj0L^2*b1j(7oI40pu2upAkE>;kjwHe=sJ*?ygVY}^`rtv@s-UYz3dXAMjy zPxkY&?fo6Sq_u0XY+>^ut3YqNH%yWz7Ejs&p0~C%3}J@p@JVNW_%6q3*oG)SZ{WsU zg_|@u^rd{47xCLRhHhSs0?09*OgTTS3AA;z^kC& z++5Wux19@v<&AWrGa>uJb_2+gHLFg6bY+z4axoWd-%9Au-dmUcUf}D?6GnNcoWWwm z(+t^9#F%%NVV023cx_MXY*s!0m>@PPU`XpwT>W<3J$xpJRY@Mr#F41z{+p((x>jx_ z2YTiASchN!F+TBX=;(-Oj-5iGi|=0{*~|J+P6!?ZT<~F%vgIX4#o3-vqqS|X=|4kA zjr%8DWa09JE=6v_ zibPw1aYZi?uL5iPOc56UHijaR^Eb#4!QrNgt3}C%>{B+qO9yo}lVu)EG)1k$zFhoX2je zMLQtiT*!3RKivB~t#m%}ZmV6#EF$>)2Xp)0>OiK+{7AZB=cLjgvPArHcQ}AO_>@iv z2d)?D9ExT=F??+9wMGIypwE7$f~!;NVs%L zfsP$6xM85|7#r$jGfO4Le0ys@e%g1Rq)`5D#An|Z10G+zPI5UVgM6L2FEclP6<4V` zzAxe&!)w~Kjy~Xjw$x*TKZ(zh%mKfj;Gi^nBbi?84hOPOPIXf=+Vk^}RxnXWit2kU zYi$Ke61r1HExJ+V?RC4H9{pd9W+n*xlkq!FK;)dXi=Sntsb7j8w5@hoWc&vwp2R2w zN847ugbVC?s>QlLvo?4{)iEuhaBf2_GT^5F5EcA$_u}((?%4MBtCmr+(FV~cZO7Y< zsZn#YC-vjQR>~@GbJrMNpr*x}2iwg&1`p4l1!>p|kP|HYR6#gBP~A!2zsQKHSEoJt zel_|EZ?g5qXJ6y4Tlq(4k5X7s-Rif@yU%ss)oR<6jK|PgfrEr*BIeRFW8G1hIreR2 z!uyo-S0#Rc!Z_e5taEDP-OTi#r19MH-}e@-Oih$HY^s+`w*+1@6f{G#F7za>YfaUd z_cjk()d%$XjN`hRx|CR!3coNsHw}3~?SKewWmPE*#>Z?vsXg2xLJ#|ZW}G=!8)nAG z{inT-E;rbp>Q#l?mW-3oS-k?INg^8W@q5OdJ1ywIMg9^YM;`rW*OQVIkWmqrp}u@{ zG2Z7?0XwqLNHy&Qcmi&8LaFAE!GH^7 zgeR&yjMX8V*DZQEcw6J!%-2}_my+B8nZ^iMQYt?UD-~Og?FrKtVXE|H8^# z{*;re0m()yi()r!wCMO_<})FS8&6A63lfHACF-D$VBVxaq;Gg^s$>{@JtDaAJ71Dl ze)Yjf1Ip=Mk_Q+}uL9Jmic~r-`AqAP$=jkY1PRgkf9*UqS1PJxy60|{v1GmAT50hk zxlhijDk)-59#Yx#8uNSX4dQtofxLSi=g1$9{pw zyFaghAWUSvI}6*+LDjVbS;k2YJ3e>5s01wx8X8ogU+nw&#S zFCYHmrfO+47ISJv{NwB3d;tCj@VVxcp5ut(Q1gr{zfgtiQOE1>yo&4`{iC``*m{wD z$P)B$rjk9bs!nku7fgdIEiUNWqY3{anUOyaY4ZGjX!T3Bog=O$PwLHdBI)OXJ58Uqz{G*V~P1hEe_9e%xLg3u?Nc$TW%Z!|o&^z|P_ z1$1q(H$ZICY7E}d0`MT*>XlpjZ1CKN2UJ|tY5uZkUS3YKa4JOGOgCw8S6B>GfaFqlVnZ z-Nr$|6<`oMoFlxrO}R1#URsiC7kEjd3l%onE;1A0pAM*OaE7Xz_0+uciu>O{^{{QX zgg~y?INatw>Koo7F52>&r22x9Rid%QaUdszi>nF0^FD(}dfXm_59f$rQ4IY8B3Egl zw6K8#61$JjcN891cR@bljPvl7Lz3`P8G98W_zyd5JI2Ix9mHAg%2eT$ zKGyWPpnbm-`2nxvbIrc^gHwI{UWIj+ykj3LSj<|1v!iN9PZk_c+nb}WjmJX$LxvB8 z0n+x+&wKw@lKY75r>X#^CF8s`Pwxwyo)5V8k*ECP1)2U~k zrBx`LLMh*ds7fY-&oSJzAW~WDM75^+QqSe%cDL+_-*OAGZirdtPiGIet$Hq+k>j(ekmTLU-QHy^ zDZUPM;Hr#l+N`>5d8?msmEm8F6+TU*Oh+=K?aYH7cr&WGAJ5}JPNJcgrm5A5e2=FP z#!FmG0rkc?B4X1wU3I&(`O(MR)J{Y`#Kyp zwmDYuJNCcf4xf=Pcc3qrEs775%6EsU{V4dbB)7mE_W6ifE-~11Wk%b)Gx&m`uS@ay z$k}$mX0*bBAUgNr6aCtVrJ4ay7Jr%PnkPI%wY^VP118q&obahoj!3HQXLk14kJr+@ z6%Q_$e$b;8Ed>`YD0}kC?lq*Me3<7UPM)Dh3@OD}&!KoZt9al|@0m1|Js>F$!xSXeA5zss{WV|^>bOLRwo55@6E|@E;OxN zZB_%(>_e5=FkC5IbW3LWWqbvGXLdhc=MX%>hZQb{I8GO=VUQX3Nt#|$h#Stk`+okV zZu8DNt+!=N6Uyk(VGxu=gkP~KhxW5l7lcv+jl%Uq?R!;ankQGms;X+!A?y2HxU*iF z;R2t#uF~YfPm(8>gQ*^{l{mdCP0Nw?`92!bRQUmy*Q20!s@6)k%ExWzc}R_HyGZC7 zG$%LL=3`U6@iTjI+Sle$;8-RUZ7#I4Hu8@3eXXualRh{XDIQkPZ>Ws&v)I&q6l`%l zPn?RjS)k7SXHeU{I|K8J*LsLBLk5iXuft@reyX^x1aG~&O162GtW)PZGM!5!^ffB@ zEaF3kwhoy3$cW89MiwP(UyMZ#hzPS zyOJBC^E6RCf_>(BqmNn_6I`-u*iA0aY+g8`Jf`x^e}@@~=NvqEA`bUSF-bq4)CI93 zzKZKA!dJ{4*^CN5)@`^ZZf|>v)l4dns8k3vk@MMx6e*Vg{kBxbQ2*9AFn;<^!L2jUJapLML*Dg<-`&$piC{Ae2Vucu7d za}=_kiHIXJuO)xx$$nItO2cPkV>42~O|9B~4`vc`&GF2vOkd6l-&G!zE%}lU1YJ-| zTaKQ1{+Rl9))N|s`hfjQI${=&wTC5~=H_`ywVic;3|;FUNxyeFpDKD%<>6^$#g#K7 zry#h)4Y`mL&k@NpN8SyFkXMgcXiaHn^h0z=LR{xsZp@lDIDU|IZu)N zu-FXahpUk@^`+sd)mwiGPJ2Kse{ zdoi!&c7mzHZJQTemu%G@gSeet*6j6fSNAp;NRXNrGlOWpa_XGPA|nt(3&i*#3nkT@ znpu~^LphI~x#5w_v2o%oVsjeLP_uhRuauUSqp8LE1>nT}!;*gj7T7uPC}7cGWC5zA zScG-{E<)}={_d_o_xVwHQtstahgsUSiPqQ=(-Zd>dU+t7qSMY}+~h)&s!j1r$o}RV zo$L2YFR6S*DsG}AIIWe?(^Pyq;a#@uev|Tz3HY;Hb`=S}Bodo$b@Ptb4DoA}M?W?x z&D3HB=J4bS`3FBxKRICZF}U6-Yw^s7hB@CKwjtDD|GIQSNXJJ=?e!b+`n}argkD+Y zg+tLT5uH4^((nb1aiT^P7ZK|MaBu(aK@J2sK-Vrb2t^@vO72{_4V-}^uYYz23y;5n zzwGZv{RPLsR~JRqB>$_QMWlc4-%aq2@JX*LZ@Xd#9A8ODv+*hq8+iWd}67hw;4G=6=3Q=}v99`PRlm4hw?_eN{ZN8rm?w?JL5kOYUGyttf;=6tQ~ z;(tDGjhn#T3jkq>-5)?m?RG)ML_>fNFNeUoBsqWOUp$C)A*6nf;PT%Q^q6E?Sillx zZw}esPtO1J|DL4({UqPtC%wMyzB7g;uBIEiPI~SA4`qX+XRm`50BocP3x-t(-0aqK z+)eFvG+~J$(&UlH+*_=6!upcqZ&OoI zYmYB|GYN&YC)g|1KM6c||4_H}N=t5bOAqg9c@l<2L!gF1oNbE<$RYz3Lcel+4zOkK z%D-ZmxH+!^SdKgV_ddT4evw$fc?*}Aw|F!0X201g!@lAoF*@iC@26v@l-Z;E3YRaL zDe9FNYTE9g6-9A)tlvQU2L=v)d`Q=blu-Wi`qdymO^?wrSqI4oraxLT3-taka5eZJ^Pa?w6`Ke*hP<-7d}ICO}72x)Y~u<#`C z43h#p+g-e{Hw)Bhr9vYVi)84egap%H*6Vs<<)JUE%weQ?>8ckKug>@veFqY(Py!?u zF725Y^%_}1%-ua?3^ss%Y9yIZL3p+ak(1a(te-wu`jCrOYn53@4J<#J9Qey?kW%w1 z;Ky%_c$yyrf4zj_#j(qZ1Voye-8fA9jutT&N)48H9SDQEbx5!bSovKbg6s?R8lLt* zKd6q-AacNKoxL0`Pn6 z#ihvdqwwhdIKu2sT3&EBC`EPYGw!kdU15kYM!8^H!3c*Qzc;7FZj&t@6QUtN&dWqS zg|*+;iE^HzpipS5%i%aM>twqTA;U+ za&V9D#$?;wL!mK0o71ziWhRZcjGqOGcZZ(x9Z&Uyg-OZ0brg@+lTu2PGH*9@0B{R6B!!{* zM5DozJm|}QZk`4`d*mlIkJJz-ywt$UBt|Xbh8xcV2V~%VfT97Tb+XtOi6IRHt?jAk z>Ei%1`U>d8izHgZmVq==YU^lT&3|%EQ6oVYN774OPHNFi~S6lL`U+ z0@_WY&TqIx4c2RW&JybHfi~T?fb0RVHbtkV0aE$X^b!;?2Cz+FndfySF`Xg5`~=L^ z&)=Q$!u6-xy}xYltf)~91HuR08uP11zkXrcBbSZ=wu$hvGS1!4uM_VcZpC+NgGR}K z;k|#h)dNdSYz{a*CJGg36O@%+((t3fiNGbeluWsS>q&@G{Am$yM1hdmgP||EcIIir z66bHnu7o7fiFd~X=}@9n*DslFcA*0!CGhw6w;xGW?DC-#Fs1~gGSnf022V1L^-=*v zz(}{ApEc;WyDZ12QzS=IbmI6TlNgZ5qublt1Nt5zg?Gj7$Azj2Z-AD_@Z9j6nM$i3 zxfZwC7(j)1n+wh*l*Dvi9n{DhETui+S~QuxKK5|P!iF*imT zVEY|XM3`+4O{FiIJ?2&8zY8T}47sQw@B|ox1ty$gXq;etGyY#I-w?+uaSK{S=ZTifSTrFF$;Njo!2&-a9o4+o)=>SxAmoX6*&z7 z!xs`a$&-k4B*2jI9hd=kIXCU)w-Jt}v8YGn56XX9=?cD(3pwV+z3W-A+#`-FHCB>M9CXxIK zxUQ8GRUn{N@!DP0pz;76>{74Y^o!KMnXXfE3P`!sTDFQG|=3Z=x+awCtS=*x8Gq1?SLh@;0M z4gie2U=BIf&oj)sk8-E;p$(*kC_*%GiQbx2zo@PRk|uT`d9#}z`h)P<8?Y({T!)DkT=Z9Tb?kmuw=_riF*r5|W}brw1R zX~@(RCXhB#t}mQ&qmdU^26cJJfk7Hv%A0PkNT;=X>n^VY>lCfA+JPQx*w*X7NMU5y zo7J@y==NuHH_jAmY9 z!4@`UX`BuSVMv;Uf{Xy106nVxA_lz3H3nIwu%_&q*AJ_FZ&BeT>Slv18uX6ORR|KV zKT-=ycG|GPew9lOJ2pqxI$C1{Sxg~g77lpXMY4!2_Hl`NM##7iuaGV=Sz6n^y@(fV zL@-{(5kQ@YW5LnRBU~_77*fHd1j}x|CQB?mm)GJ_?#;Gr=Cont;^N}fW`W#DU>Vq$ zs=1#Vkl)3_TkgjS~iOAWpH(4D%(gDGwq$4Hkt%qe@Tl|3+R3<#ch{L>zU2F7*eE6ZUF@koL~S9B?8 zCEnu`H5#X$&J{nz+|&T_>?z&ivfIi*t9K%Da$3R_%%fC+B&MsdD#PmI%}vmEeh>s8 zN=8-8Sa#wCTke9i0qx8UJs4O6?t6yHPsOg4M>Gv&?3R9s`=nV6L)$+wauhi37%90n;WTVAErO5_WQYSE;+K zAQg1AVqjaH?DJSr3ef4LfW#@_=We-_ZvNMYLHg0%3xMR>Yw=?o6(_3kmbTaS13smt z@82n;i-iDRQJc?ty433EhYuzNx30O(hMPUK^5&#(nad>QMr&~ zkd5Qnle7G8H5d30Q7|jJrvNr)iZ}RhNIVc7ziwjV-9*BHG6RR?150MTac%MRRec^d ze_RG){P;mY!;~s$Cb6@tCA`a5LVqo&DU}!o%_C6}ek*412!H{pJF7&WM;{~tN|?Cp z70?BK5iBviT(A@%0FUen+*_W1c6a%mGc2Jmk`POAEakt&l+L4_0PsyhwtG62v{#qw1`Ab59d0<6wJ7HC^GMA9urtEN{t&W_yIA$K?tsDVGH3#RwBBs6;*v!F<|3^R z3P4kdl?{%=IO4Sj3I#|-lkifN#00u9J|Q8Y5kPDWFR3)H=Ky_EFNM0>*swRy?>mPC z1hi3xgGD3>FV6NofLS0AoQlGmPjt3^9c&O{L7j}>^^xcY4<1lLf`0zk-Nn_;9+}MK&sG?#uGos!{}T_exS_bE3Zbm&bC|ti~fIHeRWt=UG(lS zbl1?`gP?Ru4lOl=h=fuSqBMda-JK#x4k(BUh=O!CqI7qMNO#^n-|yb%x%d7j;GA=2 zpS@SS>wVXX)q}$shKdb%1`PS{q;{YOA#@*oimpYr!-}|d2?)cuQ_twF(K%#R(lrAF zUxj2f^u;%IuLq7=I<)-IWrykpPHIxFa!DH*^W_{tj0Va`12}LWu~r??Dg@ZtEcv=u zqW~Wn3IGw8I?DLxi;Q&Uk9WYJ)DlRO=IA%=2D@7r=)HgTYbt>Zoe>_4vfVA9nq!I*VIi05lAh*N68EIr0lkISNfj zhO53s<<)}C6bpjo=&LD*}GuGH~CU7g9xw(tFfhZ zur0jR(7q&kats~~{tZ#LUgIpW{6^PD>4A-S?Yy8R<;~T32R(FZGD?{2Xz1!bidNK~ z%x$HcZHysH+LPc>sTuiSLi^9KhRA@6BMmKW_MW`IIWn&)q*kMZ=|oqfo@_YWA=6gM zKgK^AVljt*y16{vjVV^zoo`aBd_KzlG2ALX0Xc9HDf9Y(m6H>zKSx#x%xX}X=EMPW z41&vccT@ILEziK*rhz&yXQ5RM^d3xAVT;Q1WUg|ar#7hiw1b{>_HwGiih%Z+KUfzU zsU3dU#Rb*EtJt@|Yq+VV>9m*P2I@)~{Yj^@{!k$%pdCh#*v@V>hmCe^qHK9d$bq7* z($Z2Z6EY3#hWcSE+g|DcdV*sj?3dXOa+gvh2ZF880nM{$xfb+b;qE&FJ|SS5M06!) zg=*lF)`v0QH+`mrqU6kr9JDG*gU6l$nBQc37R1^}oUkc6Nf*|s3KW+gIhPzlG55-V zzhdKkp{HKv2#NMn_9S**R@cbl?fIss{1Be~ycfr1^Ol#p3ZISjp2AZZkq{Z>USFx~%7LSm09j3M~6{A9yPBH?ac=nty zf(_gVT1(ToeJbAPaKSQrRxjYrPfK2sFr6ij58`Zr)GY~aF2RV}P=41p&el~}>w6+;l?H(nw#(HNH49$d8L&>2@I?2rD8Oy~c5 zpFH$^j;w4Q2H@4M++^}l;*aa^s9lFe;kRcG+q{G@3fKTCSXAlUQO)@OK@k)MCLk7N z9@0M*G4))QBQPp36>xvJ3K0d3B^%eLvYIHGUY;*HPsp zEx5bebW1(G%w3TR*F(IB(d2RZ`vYJHDdJUJ65tu#7?N(6P?Y5kwUpO?FCI5q_R0xg zq-N>-S+nwnnsb#`g8(4c#_3FG5${M-K@YKixUTEEU~Z;DgHW_n11?@aiy$WvA@uIf z!{{(}HnQ_4++?KSy8D5JMW*(jDgWgt@xa_Ip`FTsKQlhAUj}kgzl$q&pP}IzL9ENCtI2dxC%A! zw+=B<7CBf%AIO|Z!9-cuI1z(55g5bP0uDg?q6-KUa2n7N$J4Bhk|$uG?_H9jI-lb^ zz-@(#@kSVZ;WgL%S*rxzIE`AA3w+lq@UFRtD9$l z(qP>9cs+np+88OOL{IqvDXQh=$-ku!FYW*{+X;{b#o;8|zVx7h0i@w)Lk&Dc61z%! z!{qm8lsvjA>EMt*Pf^YT^J|u{oNC{3au;4~z?`FxK~AV}!O&%7x&B zuSf}cVpL;(V(s69(NVp0@KH=kV(=OW_!QMaq{07$&g)%`7q^yz0AdgrK43$YyF-9u z>?RoaCHw5|M%eW1tho(T9SUb4qo4=|MmOemi06_MM#X0Yo5b#Q0!6R(pk6QyvO_Zf zm}8gSIoW;L+Hg*8Zjc}1&3<`)2ttsi5wGnDA#xs&q1^}FV0pfiH8wU@d+)PDq0rE) z#7Ly-%FT6TKQp`(%#b8-KzZ}VAi_fP0hWNU_!Mw)2UuhF-~YOkfH`1P!`{Pip>Ae; z9bQ!Z$zJa#6U4DY#Yq}tJ-I!2?C~d(u1j0#+4Y?Fc<2pVUjOD?SlnqQl9)j}^4$U0 zCXw%U!3@2acb8zMP)so*fmyZ{z%VY?7oLfcpF&%QhV=39dl10?ENpDhN-2vT7lTnw zppYSOTX7P^X}dY}k=@kg>dci*XmI+2gW=%cf@p{5l=#@A)*$$>2``;4w~pw3fRv}^ zH)a*4xRbPhcu47{WKafwvi0Ku{F7X-ewNH@eH)b{J%HFMW=tpYp?6^%5jt5miM>|! zU*r|euYe$^=xR2x%?&AHRFjSSgk`a2tU0(7LHYA9PJMm7;2X)i2Epk&N*Va?^-#1WDHL|I_2`DD!{?6?EB;veEYSGmV0LgT}7yCj6 z>D6gZMMchWSJD{xRp5YH>MNh`RaG>9S&Yh_+zquF{rr$U6A{q+mJgQ#zc&(@RRPHy zdkVHJ1;_gxO3w2W6I)zPRpG@M^Ab!gbmU@pH3RXz112v5r*p@<9&yFiw~{ z=6Fn4q8*DOK_Q+dA!K2$3)Q_h2q&+Syo>YsP)SLnx^GE z)f6BvBO}93<323P^Zw3TzDM_xT=Qt*e-$#wk||Bx$y1O6V!%$22Y*cP1Z3@~)0j4~ zU+66Js&j)VkbLNz@*pOj!wP!Ah13MlZ?m>lxlYq>cSkLSBCI2Jm~>n^-!K}9?fi6x z-~ir?txWMFWw|WI)!njhvE1+950yTak1bRy98OwGHVy^3>~D|SKeC_`D)26%>4SBx z2+Q`6U*<6>5JHu#$Ri(&o_40qFpV|Elegl4U6Gy@!Y7*dFVXJjiO`J9pi{SnMR z|KH~@{`IJ>>rQNys5nL9!*iQ0H29$a`6piWit@E+2WA7n;{Pu;K6g)&-*4!Ffa-tQ zbr$5=Dcn>spq{gQfj@Wc>g>Tay0*aL*iZ$k7G5hed9eUZ>9!WM&zvBJ5Oi}e7R2Xs z1ztdW=sg9rf4D#9EY2%=_b_64|D2=noWJ|~IJ&Ih3$Wz+??m^=g8^7G&;SO9Z+vJ1 z0ixosw7a`K87#-Az@na0U~oO^`JWmIvyw7MgxOv#uad{>sp%P0M88&@)g0b2^M|y3 z7#@6RMeg)p6w=I!<&lu5vo5k!P|h|(z)UoZ#_-ghr!pi;{D)bGpmaInV* zgXK`*<+au`?=|jw_?xGQDMZGiymL?l1q!TyQ? z@|%c-K&=@oHd#STgP%adYSB8iVMRv>w7V>ZksP4&%AjDe z*WbeIz*bzgsI-We9;ioY&l;ujT!UYn&eOTZU8{Kyi-I2pd}u(xN_P^z%xKSENDsLn zpn!nb=Hxt&vRni1Mk`K~^1@F9;sxQ+`hHqC>%gGFZ{H$bQvSbTn>=4ApwhhG5`BHJ zk|OZ5aiv(NmW81-34a59Vs%`fo6|K6=+mK&v)?Eo@GEe?VMBJIsmSEshNc)!>e~la zu4Xmni`^N4{P^vraPQA4{9P#_R?sGp+E`9RESFa-ll2pdZA-fRE!56S;G|YeHZ~J} z$vET7ohJg_rzXhR`tU<&Av!(q33%!aZ1>o>0mKVwrn;O(#6lV<*e2p}>Ve*yC7jf! z=_FuT@Y%@(P>F@o**@n7&sMQ2|DemFdFa^3N9kHqNp#khBakYbFvt`qk+7MAy9J9A zx;fHrmBvXekb(aEK6_pza?h~H+jT87J+K8`nz6;(SSS&J2-6q7c6!K;By1LiP-Wmz zMyj$FaZ=BY>dfBsrlJ9(=)f^V3+{wN$2$RA=y!B%myQC9ECShZPG75ehz|5Qk;)V? z+{wm!ybbih%fHegkP^T)m9D9)%k{arlG62D>WaXJ$AXo$#Mu^ym_k~@9db+ot5rc0 z>XCfy0!U-!dt(Rwjam5V>=alykrg40O-vfWD8db8Nd01vzUtd$8>kSPBeHAl zN*5>+$Z_#9%@mL)6?Cz1fW-vJeZcX^J&87~6?Il4R9>-;L6MFu69q-9LH3HI4TeX@4(5;@h6xj3UD5)9ud(1E(%D2fFiF zgG`VfTkKj=Byc~`!s(p*RREPVL?rx2+jvpD+khKhLDC_%e{7bFh~G271m}{>^}raPr3YNiz)o+$Bz0|JfS;19ed*g=&y-CkfEXSOwQq) z%d!5f726AQ3&*&R;T56Wx4#^GtxT%5TeXJs)_UY^;uG;XBbx;fEe6>X?J3S+ccV*- z)2Kmh3w~Jb;-_7c)_r$`_>b-7vlkO}8|yl8h(_FA`(d7 zMjfUq9P9wB&}oo;)?x`&1uU7?ZX8h`ua$eSitv1=*LCmr>2P)(=Dc0j+4}nOTkK9pq+;V`^B!;1>6+tfVM9}a{l_CZS z8HQ}@+sjM7;3msf`0(G0mjo{!B&~uw`(fpTDk@(dzzu4S1Pacsr@gMO&MA5IZ>sR* zWMr;r&IeZa{_4ZMiNo%xsS0^|f+V0YwOq0=y;}+i&R&o@dh1_B3Suk+Cbi|vGM_I> zy*vL!FY-zU9=|O|k%3B|2%vZ_`ZcJnj?_B+5?LQ`$&B#@N_Me>nOvk5U-(LU?@>^b z;LCRT4Y^PEg`fS7)U>;2xvVcAoAWOih>;dI<_f$I5AMF75bGqF&#r#8NUx4Op!&n} zofXs=F@UP`R(P|_*AGI3=>muYF&B>SO|78PT&$tN;HB^yl*ZzBCxdgrAEDx<*dwci zB1O3{h|;az?JZFJa>1@76fgue{P{VQV3coRzoE;x(nT!1nmGKn_cz@5E2P(uH>A1J zw4p*O)}-iPHMbb#HG+1&9`K#2`D{jT7E zT|X9x>M##G32PHKhb{t4PBn^xD-v?uPc^K<)}PbQQsGmdkwLdx0qN3Y~+M9>MOHWFsQ56kKh^E;**e`vFe%e%B<-%d&#De>S=| zbqRR{5N%_``)jL?GPS3)zo*68f_n(VJdo4{w$^-FOyb1XJV%rUpX{X{9>983GE+Cz zb9rUI(myUow(pX!)>-i+>hu~V8V{h-D`vL|!#lBH2-f=Nqo2zXSmbv)>!f?!+tuL& z?|#Xbx=hv|5G58Q%LXy5?<{ssf;z%?mSQX%xED%&BY#`}?SsW#w*WQ$d?LhFMR5Q* zK@oX;cd8gA^Lzl2u9v`vUkbYp@rufsa z3?YmRO1%EGy9_KAJj;q!sKosRIHxEzK^T!CqD}M_YQTmV`x!h-RWhoQe0RP+qARq< z>ZP*Qv$c)KpB&9;5_aSe*3+u#B6FB&$NYO29gZW8db&28{#ST0W)h1{RwBYSI%V#t z1(ivBzk|4wo7QAw(Uf+p@WGSR`-R?6Y(naKFEFi^TV_( z-CXPO;%vQFx05?fOiI2aZA-*+pG*oqk6HU1UT8~B-nYE1xo(=Nd(q-H)8L6)Dq>z) zDj_G)Z4N&w4@a28BNw4nVc)(w2kBF3M#Z-MJf0rRFQ`oKtmx@t5y)vEqfpEsHMzgP zc#S*a@B|k-dW~kfWoU%=;{1nN|2LmS`c(d>&|}llaffiAnv>J5)0j1QLP2;TpdE4` zTs-G)hn6egV<-`ZX-BL{25icJl1O?`E|UlZ z`?}BwJZV(uaC`z%}*(P4uJs z^3gh*Fo~N6Po`lr;@c>RXIlS<3y?uU7{&?HWs&VTQn}50@$q|-^>~r{Q?nWu>=fA< zply397tjJWVj}lT`Z$)2P_u5tAQUj+o^@+teVq#Sa-PFas`z9V^gxXL&*S_%Fi6;palJ%E(C)nGRbi^iK_7_et_uUUataZPY00c{39Qj;r``J-dt(YZuIK@H5 zLBl?)1y_`cjt2i&djUx!nmR$r#fppCuo$Pin>pwz(_9%)mKPEtTd4a!%tUNUIiBDp zrfwZ?qt7)3-H;tDVEiZllf^KA^W;BDXr!NifDrUJQsC5nPjm?-WqW-Pd7J`j6$x_Y z1Jfvh-n7Dge-8to-LyRa{1Nz@mUG9ur9ttF;#8Lo4`rXh4`}*$m=gzg3OX84yNJQh z@x(wiPaNSd8;UfO3!p1)GXvSH?+5iHXhBhRUb0H);?86(u6to$OObAF`zid;<@S%? z(ar>J$y8-)p;%_9f>zchL5vACTARnKPZeT@W7Ypt7HIRxO(v^?t#9$Bi2-r+$E zc5}_aN@x4yQlQL>F}f~@i39#K9F@o5{f-BlI86re@=g@CU!NLXjKb^C4m}WqvD!i1 zC<#V?`A~?6#L~%ObnsD82&}}U@i+Hi+UYg=XkdMv4=Q}QwR|>bVbhzgvA`t%j7Yyw zJ!%nC&2p*2b)q5Qon*}C=N-?}rCo7!vZaD@FquMWCw{)*E6w~Xg_{ZWv&0cGHY|=W zZ{uNo{M|+`JO&VD&)Gj{p5jKs?nKMQUk8v!gH2*_^dU*oYmpya*17kut{}vmhu=(? zRAl`+ME-|u#M@`uq5gOsS;dDP*Oi$@Y6U*pf)%%T6;AvOfm)ll{ycDu%@#7bREhx;dFEc|5mF}iDLQE5!Iu7mn zEe*PG{=O?t&F9Pjl7Bk>)v<|u})eYPV^H23>01|Ra1JsbbiYQ}Y)+_tQb6+JPpRCW+ai7Jy* zNyxELP}`;#pi`MPqKF{_#HMbz_6k()+aVWC!w$>(QwL;P$)_peUaO~>R5Y~W@^ z@g099%7h$y&FcM5skL7+SnSU{gBz_lkNha*E#v|W9lC#Y(~Enhl-|b|RJF%jk*T}} zme+3bW_7MqA*v^oLc_<`J|v-@%W2iFf1g&om?w(x%4tsfce7_KN|-tB)b_OI0DP4m z&r}8zukWg-@$pHInf>Ig_+iONWO(zmwa|85r3%pG544S8_=O*nPhz}9Yci>NQn-{T z4mrKa51^iWBW+<3>*U|qAih8Ub;#t_SY6pmQ<^K$MW1NjUl=J#S-O-col_`_Zzz}W z?iT>KlxXx@e(usQCLieEoSw0tDGUB|o+IfOi)lZV_q)RCwasb@(D~o0%(OS9t75PN zI>InjM6u4)^OG!2YCG5zX$ryp17nAjEwPP`e*2%_9!(AOXuvnf+WE%s6{MudQuiIH zzKwp^!E^eH`fF^K@CS-$B{dR@rvuF1uld_nzq}i8OynT>Cv%S^>-y-NQvX(zVk@dh+PHzu?HkYk_V{tH|G9=3!nUyI~7mLYXad(r&$e0YCh(2tE| z%OHoJ!LV~CfI9z0vD=bS)n;k_HAVxD8Ys=Z{%leO{pmCjC1R($JTyu;;p-v*ehd<8 z{G!spH2q4oz{t~eb>w%qXT#koF_kiAzrCYL%I*8rxP0|v(c*@P{qsYfm3~tQrZ1_` zL_rq<#SPPCmTf`#MF_QeN=`}q4P@%7D$x9OF9}iZcS!Qp{3o@17II$hpR4(K+>9y{CH z!+$c9D6f6ZsPwT15jXzh)DkKno9IKJzG0*|S7UOOPq0OGc%Fy%CY2-iMDm=WZe#?< zDwC5xRs#*Hp4dB2>*cYc_MZNrIzL#UdHMxplM)Y|jj>x4X@vS6yd(9VxpaD_T2>U8r7j`rXcOnkVOD_Gv7mR|(Yixflz{Si$cME0deW6M&-e=nb9lx^CjV&#$;}Vz*d$VdsQY3I%uKzPXkO9MJS8Bo?uK zdW6a$Bj`nLPt;S!jPb)P=9_#4zT=~Il?t{GK9nHM@ERj$O}(sl+!Cx~ zVKVKR*`OE4T>BK39;4A_RU9a(;;ip8r zb+6N|BfsbUV`J3J%*;z4%K&2ya2s(pl)eM7n-vbn17PqvQP@w+l7hdhtgx+^?*(2l z;PsuaT=Rk2c^+tMefn{SiD^OZ7cpqCMQIR=u9Y7RbN>!~P2o<&aG$ouedPw!KrU4X zs7LMJaX$$QCZoHPWZzXcskVJK7WEa1rn%nL;(sV_XpjS>$wC&GPP2_s z);tLoA5W#RcJP|tl|B7t^;>v*qJl=?X#*Ku^e-M~<$KaqPSeKiH)lN@Sq)^2H8>%m zR=X{;wD+x`Q(jdn3m4h!l-7~0=u@(K=Up3e9fc=H7pvkZ1A6M9)KPh{3gbqz-)^tu zIK_0MA3Oc{_F~a3tHxJ#o5JShDC3u^Qq@N2x!{BY9?&P7{a^ZIF_V!OK@WqzB=Q6> z1ATIgGb<2Uj9fehOmzATekZ`x?GU6jC9CjBDpVvky3e?qUGAyhbM5NtitqL6RVS$V z0D>yllb?>`rE!46XbtjP`{6?3sh=-n03)PrdfK#Gp-?MhZ)=pVFH4FNAkK}{SLFYLc*X)oG%$b>)z3WS_z8qNw z5NpL99LwKcag<)pUJo|uzSK$=RBSh|cCnnP^V049Q|-De=(eI>A8^YI*e#YQ!3Cu+ zHYno;ORnJf?Jm&#%f(_^PjT?I0%@v%0S1YAR!6)Z$#pHtA!LnKs2jUtjP3Pz*wU^q z$#!d2m`J&Q1`F71A;74$2XBkt-Oi82DM2A=2rk%OdTLJhzj7Ma#_MP=URIbStSUDk zr#`_nu+>7u6pF*oy?8~x7so7Onj?q5Q|HL|@h@GTT;G4?G{rZjQ>{hI_OoxcT3F#q zE;;bXbBpvZcZmz|a}!>UaZ2}fEe?&Eo`xbSUv9r~CS{cJH`e+k+`g?y9c_gOJaex8SC$-Tk}usOp78iW?mCW(xinw$FZ?#y>W<{jpt3;`#WNaL*pq{568uT)rojz3nHC^rr4@S)tM%HwSNbt`IOa`TI5CF^ zDQpMOd|mez6xm?e(w?o+RD8+;Be(vmy;Nw96QIJNsemd*O4om%{Ytxb>)+kV->q^S z*Qs9+wI6`6$osbgdajWFl{cCov9`9BPfP*-gXA2-{HR#@fSTa_oMEvo-I2#e2%F#L z4+_?^D+eORLEUb}jO1r}O*$Mz091Rt!>pbpgPnzQL{`T=IKuY+&MM6}jQM~og&Udk zj#ft#my#z|6wxt{?nQRYS%+(rAr$Lm0O65qO!W%yGDzC!SkS2*tGocF5i@?ELObPL zJ#iiNosRk;ztFQQd3NhZ`47mCHdZ1P{lcSd%jT=OU%mD@OndeE0ropKYh=TFsyAc& z*CogS@$Yy4Wkx#~jD$B55{5NKF?^DxCcq5RwfIpV&K?9gf2EC=n%JHX09^7qO&1|r z5R1ez%hID+RRTvxr=S4Lu9?Pf{M`m${KW(-Rz9dJPgFVQ0-G!>DJ|VPI{I*i<{k2A zXO;nAgj52efEAQ}U&3kw&ET4;abMnAwMFDyodP@;7HncsiiIyWyB~V3Sw$X8>WD=j8rF8Wea?O6hK;4|WhOG2gBIeLz9= z%Ji8>`NOyE`H`H|zv4)tiHO?4 z`EIYpz9Z`S925|}&-PI1V}^h}-uGTi^D6d3Sfg&(lY`C6ig$9OYQrB!ni>H)tvdcY zm(VQB^<_>@j@1^d5-?Z+$&Gu=bz<7UjfmZ}g^r+2E(>rnSDlGUejsVv;LitesiWtW zrf8~JJl~IYmiu)fOLWAD?QeXdZV3WFnosI5w0W}Po^t>zTU^Mb0MkM^sRPul%7rXP z_h+XlB457ak!F4Sq!FaNUtd;!Z_25P6PqC`N78~Quc8lO$I^3OMXv}-=mr;& z=Bm_0?8y6_iB5SqhZOiGEcIsvM2DT}GRu%p*UUB@LrUrD1ty0kSC;*pmKERt4on;ig zT<^_b7&f!ZGs_@oiVZIuAB@A87PnkEvrOL+XNdbN5$9@S{Uzb2MJX5|8~;x>WZKIa zWR#ZG7rPH_erI79gvY8hm=NcWXcW1YnKVILB2o|g`E_6G4+y+LAl}v?IXm;W|I(B$ zuZ?B`CMveu+V7}}&0#isUoy9~o}h7o`MmO%9E|e;P+on`uG!4fP-TK z-`D?;uq04z%#=}%`IIWn1;5?{;>3F2OJ>k=s%3tay>!qMcycklQe9ju`=_cG%Y0EC zOiUv^4+VqT*%dDBhA@;{c;sww>f`Tn4(_$dY_wxB6ROcnPz17peX1IlP$(j9iqwXaJRTk8V3Y6Kl$ z#s%~m6sgQ)T+JB~S|2qsFP6SW-l1~fsEf?s^z^vP#Q*54x~nU@7jB)75P^!>v3Bl# zs>dRBO82Kp_Ku$>h~NFkzFZ&z|9QTH$eHmFB^&tZ=s5VNx~JeVoap>l526LJU$^dj z*!$axr*Oo3A^z%zG-Zpn!QgJ|_=u2y2Y}Lr4Mb>rNIy@y`o$n?v4mK+J=9@gz zoTzeQIhWNgGYH_H@~i^hrv2el!b|RSsY%T9L#oJw57|u~B!8~!Vv3O!_uQ?UaTxEv z#wv)2rzv{o9^M+*lnzh=SaiE_>dWRXq@DH;c_JWuG*?^P~~_Xi`I%~cJcRrew`)Y%NUW4D03OMItbab9; z$U6`5_+pzYKeZfA;_fi3=It#xSML`WODAmkbb;-|El0z4E=R%is>VsXlmd95^uSFr zd-f>o-;=on7BQP1*}iuup%t_HZ!+51rv<@M;0fN%0T7n3&;6s0pXNd7;$2LN_v052 zi*zT-?HFE|s__)4Ix9mN77;8o0o&97Da9G_W6vXgT&1l_HA?6 z&B#rdZgfx~CK5%dQ>c#1bvNZ_{UtQ8wCUcpMBydTtsxfzD;_{s%WJEvT%ErM2loR& z-AK;X*4ApKwYAkm;PH1(w;7OiS?2&sppX;zV{TtxpS17m*Rwl7_ZR;`BZb0I$O*8} zcVryLzQUK+(1b20aDiDFS=oYEQ>}fZ)}KFrUIW>g6c<1Li`bf)*Qu_D2M4t~3kw4s zeSKQ7nc&+e6crUcucr*6M{`cJ1Kng(Iq6%Z)vc6ImgcwuL2Yt%nH{KFA&+sMD#k49`}QIXwB^)VoY)dFQj4ETuy7dK)FEE6FhnvHbD*{r?u{>03~ z!{ei>9~u#{PD)BDzwqy0Lt9Tzv68p9_e*#8!xqr1zzzV>CQ~yrSC@dwDR6srKJ2!? z)FC=&mL6D4(G8EnjuO|vzFr)Tsr075y1Ht09Q_wK#SxkyPQ2Om@kXwFZ^5VZ)$1^o?rpUN6`w( z=Odr~<5_+}VkjyqcIU|6w}UT9)Vt29AS`Wd#qa$gJcj}zYtY`_9)97G=7TOygF;jS z@cK|i>CI#Az^@P}hM|$QYLiU@27g-PDWv)7P)s9cplPz;fTn{|<>kie2`|KX)0b1Y zLM?rZm8sXnCYfXwrKzJ{^lI)cXP7W7H4gcf90JcoOwV8M$Q8VqxDV2MX^{L|&5VRv zHG%DvQdG3AZD+Us6)aiM+}s@4;2Rt8&fmX&X~t$26f9$c_tylppd_F;J!}cu8si~<6IRV0d zMk234p%zGL@|Ds)%~8q++*APWxlo)0V0v$19jIF=c1?b6XYU(9*$)NK(7bc8TfeRH z;_x_P{I`)2-izsK6EuB`haUTc45b}wa^t#^F?yzXC@74e@xoMu*gch4MI`TU{v zn|Z&}S>sv{UbN^Ipjl{v>qLbE<(XrgRUUZbXV<6mLeEFwhF^`zK?*2-sQLCz*v<82 z<}Z-X(a2vPQ3Az{C6)@n#e}Td@sMvk{*Dm~G+lkqcsF!^on$Dc1{ zjr8(Ydm-c!eiuiIr#rK*8v|@0Uj!2vf3@XFu_tz5v1=g7#2O$@iY;fe(GZfU0giBy zL6HR_YEs*DZOXqWW9&fZQ5?twi3L$$5u~ERszb_&F)$25G0hD9RkF^Oi1Bzbr{BS< z(^0ZhNR~DRa%CY4+dkSPx?TQ$rbjTl>L-^wDe*2(@RFK^#rfp-`k@~U3rlW=vyhOG z?L4T1a!&T_fV z=fJ3$oHKx_1?63(Zpzv(Uc9IQA6CJ~$Cn4vmhByYF7W)D29k#-=Roa?3GR?r=!x>R z@mSl|STNz^|NPi;U;m^&uFtg66p4nXbmgx_YhV3~CY8S;>xiamJKJ9t@;!NBoqAYu z3$ji@`vKOYjX}%=*^~5)U;Pdf^S-+c8acRgEkGhv{^s0`0}j-fQ4Yg}84QO9mACsO zWda)Fts zV9E4I`s*FrL!Ptn(&Bj;`lhS?w72?_R|%Sjn2AgzM6B?>Mm;28`||hzX~=vnHg;1L z&_*ok>FL2@Z0B#z*K^&#zp)QjdPMHsxw91<8jAJ9d4GRD%R0P&oq>sps&a%2E(gw= zzYTE6Jtw~dWczZ})zxX~!I^n64>zHppeW52v<#k<2!E=grl#AMecvm)+`7xHNes-} zywMDlPw6X%zYN1Z{-gf_A;=LvM^qKtg^<7J3zbo3`-f1sK43t zP;kIEp6#8#*%&X&mAWUUxZh5xYq2qa;^r&{z#*+j`0h|(YGZ%@OmO?-+S@BAHUX`3 zJGf`x`|2FRd)3X}`T+j5!P0KG}|MBpsK1Sgu2bqKXhZ|-BA988v1Wq0t1mI4Z zmNbVGubo<2ir;>H7yN|CPH!Lv8%Jw z=z+Sr_Z{$Shxr$gLqTU}-v8}oO+aUNCP}Q$?z3*aiUJr;wv=USXt`W&*(>mucL(W4 zB_^OU#nayfUdc1y?+v7-r7wPOY-~v1K)GnC-}6DqmGf$;sI|xzV$!PEH|At#pFa-{ zUQ`AQ{SFWa#JS|*hMZFqanS>L9JAk%-r+R>=d6Km;!X$(K^dfQYqtXN!bXh>VCC<( z5(=dE!%fcoNPHBbe)0e$>WQ~Yf0%a;fM4(Z4w~Om8D6f7VKndS<8WEDUMQ$KhsnTl zn6b4fg7|sJHo^Glr56w)#?^6b2oaV`T*+FyOM2If9PGCDaOSCeY^3D>;Q~N6APa(! zMyX7j1{e(YkE`gF+El2Mk7zhXHEuH(g!ZPjy-mREZDtm3OYw;^#sN+sHY6R(Y(D&< znEGNhe?TIl1`?o1PDwc|1UBvV+1c66$zLc~BTQgy7Fn2>{FZ^0UAucZN3G5$o(Sftj$;4E1dxhLt!_ikLSo?wQCv`ejNUY2Ls|nvC8~+xdp! zUXBO_PWxiqr7_(<}28=U6<@ z{RKiy$wX&T`8jjfp-B0AXdr$AjDrCq7I!a$ijM`uW!(_@VNd=S!Bs#jcffrvorH;@ zA8&qBZd5Z)`;Dz1a!pr#`t+&j=HhP|m0iwjZfvtC@G}c2ug`gd-UtzXa`O^kOMdnT zuYMQs)^{s_bqJSYl6-w&V{K&ke7tm4g-0h#eX0sXFF!Y@t9E(UtAWz>1}tszKhrmF zu2ggTCFH;x`cYk7Jq|75VPmsIzIjtWDUsXnReaaM*9n0Lo~#1fxfNLNo|Atg#Rg2= zI$7z~r+3}_!?tuplA7C$jQ38t10EfCIVh9jM@P>2&(`CGQU$3~z$~$!#Qe|L4|Ph6 zw6nsl;E#2@{OJZ%r6K39`7Cpv+tAe*Y6DF0^+p$$fmUCB3#9fmOM zFGpd&@)9>JeR0dN?zu0EqDKU?c7Y+q-Q}iV7$`Bw$$}Vl17ADqjK54{&i^KO{p7p7 zBqErt^6K`jRsMa5(akWJF9ZIQra~}#ms5$87JBM1dpP893eImV+U5}dZX{8d5`IP) zRe$on2~$#@vb0PS{TK>q=)34&)mG#E_ahDk+#yWGoR44CW}!yc>+|GKEXiMnjy9xF zzsDKkzWfirz=HO8SQW`{d_Pb{g9`-WVW|ajHEotxj}j0XO%SfC_bBb-2DWn((f{|I zL%>X+m4)A^KV`trXAtuO@@8W~?b4^#P+sri{yW#dHO zjv8E$16qBZiAO99OChwaG z!6jX4!DVTmw9Ac?nDcJSx&qBOS~(JAg8xld6@Wl0UDj9p5BP`;jsNMa*Z$REe`Za; z+$FzBl~eZip>xwUb%NXl{N`+#)DYNN>#q2)CZ@jSnlaEA!3rFJ>eV#UJ}K{i%(6ZU zF#?Uvdy8#~Or5))|9V?FqLx8ug#ZQ1{q@{{dkvOK0WylNcaG0&$Y;D5G=`_;7S z-b2Mj{LpM=auJ|)8AvQ5%gftyYqC*yHOyDWANlgAA1@j-B422{+!1MA0o^ea-`;tc zoG#_~Ada$Q%G_%<%%t*p#`RMWJ#*{kFdqG&A;SDkgn<^bN!8mq!9-o}&*t zt8c(Y+3yqS2Lqp(gZtOpZf{QIvm{+xX|J-DiEc6vH$3wc88_&6W~F_OKE0m4J@_Sn zUeO!iCE*}3KiQpkp8ISdD7l=XD<_oOpPpo_l4up^UhPj(8snJX(l6vV#{cGg^&PEr z>TMS%2|+3_pX}V+omZJSQpCOZLDz$7 zEL@Z@u;B}YwgnoF^sj)t*M8y~N@^acmCy-+^~Nx~=uv1aXatnIy~vetb$(a?T6Tov zpK?@Qetfh9o>yXgd4ZWx+5-=)uJBSjc`(cfM8Op`G-X*cF$}^sk>nDfu1k6`8PlDM zoUH%`#Fnypgdiru+`LNH=7ilt7Cl$1TL-t0=7=$Z>?C)4ju1~-&U6L|WkYAap(E%Sc6 zBC1VFhju*MYtCWK?5rM-KTS}Lqo-pg8eHIlzqYWSpGesJfnoZKS0ed3SDW?=qE%1a9 ziTvO}yk64ep4gNJe^i?Fnon1;#c}__Nm0ma$Lz3%1AaD^n}fNg<-#cG(i|!w1-@LM zRWMGKi1e#%`!&ftl86!*}3 zhAe0Wy=mZZdk8q)=U{h$DzKRI!fy34iFM>K>qpDqi3|aXEfVLCp89!4UoLvXudu`1 ziJ#2NUSVSs&w+HRz_3_<;)h)VK7&cQmC6vC=$~^br9??9YwO>PjVfL^*qx{I0nRr) zuYrWBJx?(tS+1zuZ>MJcy|t8msDTX9SWqIw8nAfnrz(ocDeHOYSB}IbgCje|!f+3n z-GF@F!zo%MItwi;~+{Iarwvm*wEJxmg0?YX^_k@|FN3g=)U3wle%6NYxwZGY~%z%%;SvmwDRny zkDhhF6si~|&2AHHI+ZpS>3wu$6$plT>5koDN2CQHH_epjZ@(~L6g&z;1V4OxHkOTg zaAdW2SE|hy&TJpqcsypxjg#wKcTSxXE)n;fXQX@acRv{95SLoI*d%ZR!to#}2+)*@ zw=ROW%H6dLT$T7aHXt#JqGV;_!=>6P&%$$FGksN6)`iBsE`592QC2f&>f9j4`!(iC z2xu6_uuITnOG`1oa_GEfHgMT`IP_)F(B$B$7b_|DIx1+Yhp*JRPidwO;nKdUmHQ3oKkX zm?Rj|b9j^r+G@pJ(gTxTC?8{z25gQE`6oMB>f0Z!OCiWPIpWHxl3jvTuJ5ZgG+HJ& z@=Eqx!)zE|-Dd|ZATO-WNI5bwu59I(Z{;x|TDUGuOh*uZSEjD;2swGdH`Coit?N)p zg24SDN@%kqB(QvN72}Pyyj?Q9jUoN4|G9`+ktsaqS;C^}*gS?PbT4AQ=A1f#X-*AF z%d$}WHMy-8{unABmvWMeS`YT@?az z3q;HK>;@o%dkr!dA&_fa^SejypZ)RFSGI7akAz;q1Lb(e9^=j@ii#28>#$Fe;C9V zPRb;49&2KPw+l7vIU>%tk6)!Rr-K-reiu6a%X5g;_7i!W7jr+s1IDjr9TX*Y*`8@a zshcQ^KbVIsz>n$a>PCp9Q!bXm-X`beRikK8k3yM=)R2Nr!8md%QjFvMqT7$d~!}$-iIZN4$XTp8RA2}R3H_QiITxq_<=bP zxX;F9KC6qD!}{xZOj@gsP8CRwd-l7Jag%&u>zC5liu*)-YnU4t3l!t!T13Bb7al-< zZP%V}f46yN2XVwm{V_g|weYGi3FngkuM}~bv3Fm;zG7029BeU2_X{2_^!W=KlDa%G z^eKj57|mP6chG={wm;CFI~x)H-cHdKC3c}X#o>e_I79zO_X3|l2bI(>ad`CP12-H8 zDrqkZ`x6{J@x672z~a2*bcq8}&yB6%1bKt0p^KqL2{D^)(k`axz_u>(GATU_=99%e<}k`C}Bs^14@gL3^_j-AU-M=Q)G?TCkU7fDO5f7n8a#BiWq7{ ztNk_)ui*E9{*WpN)nCqdq=F+fL6PVBfWx(viaN?^+k=Gec@RdS1>Rlg03jrWc2g`r zNN$k+)QJ>(eoW*j(o*@|Yckl6$J(>~UtDUlJqZa2vcn)w6}SV|h_V)rQpy+4p1tNX z*=V@^;{&@YYw^_tGqT;Uv9bTI-d_sM!4tNUed7bCtzC`n6({1?-uLv;89oomQHiiC z&g;(i9eak}2I!qIgTHsTeAx4n%5emTNp7i8gYLN^KEWDhYNhjm!-sj>2D~Hc0or-O z1ue+ym-ZCI0c%KP;MGd)5JTx6+&{C1@W_f&KrQ27c!L_&SCfa^3Sx{2UTzA_2i)<* zkk7`7iq2Raa1~u2Z0rVhn349i&Job_jCK0wGE)+iNkfK4xSsSoRNp=)*jk5cOB6_+ zh*}OSqFpsQTV%&*d|UXm-HYgAl)DWA~lK%N`p$5 zbPt1ci6S92sDw&4NDir_poDY?C@n2@AN>0LU48HS?|aw1tXV7;GxMBt_St90XU92~ z7!j2LC&zd>Uk3+U4$DWILFL0_=OZ%Up}8Nqnqb!O$WNCu3?}0>_DQK85^QlZtR;*b zOB^_pzyolUoO~%yI8+hx-R{l=@(ipH`!Z=(*L;Q_icZBK5Oo=eT{3>{5YjURFcg0E zvNo8?h-pIdLMNhft#0+b=F>8l)L@G&9;3c+^%vPdI86nu#utMB)cYVOS>#xm4BSqa z^ma-MFKWBuGTu79FT;vqn0DF2NMV;RQCOt;mMGI$BR|7bS;P=2$2Dz~FsWmL_W0s3 z7a)v?IAGg;nuSF2>Cz0o!V`j<K4Icf8h75G$VF+wL)Nox+4FkYEUy}J{NFz?2)~X-nhny zQR6%4vt0Gxl;$6U!*}zYYp><1i6_^9Jtf3=Oh==FzG_Jue1DdGZIu4Zq0G7W-FvYF zw%r)qvtaN&(REZ7_icZ*+w6`};#2>f&-&WB;Yz_Bt_Ai69S`%W#vewdwA+>Ovuk#c zvnz~mznb2w^*F97#!EeYCS*Ff?PezZd62B|S@ykAK3ta>zoAK7hZK*u-aAu|sRtUS zh0pE>jBcg|^PulUN_eh~hYsUW$UU|v7R>4*pA#JG%5euhR`G1FPmK9=t zEe&$8bVL*DZ3AJdWZZ1UCr6#oyJnXeZHTff34hADLw$7gtPruHmwqfFK?Svm>K}Pv z3N5l6E;P=uYOyQI{&_f<_9T@5kkgCNKDph5#J+lg2=o@g6%n|IIgcu0fH9Khh@kFG!%I~sq5Kg*+0H#(Eg=Z02?^dHJaip2YO;=FJJY)#E zd)uHGfedM@OIXtleGXIg@Y>x;dk|*)bDgQ|Cd$Zj!kt)5n4gz`lmQKPue1Q0FXWW4 z%3dFSbE}J?SZu9NYL0YJDt02n#t5`h7jwqMQrkd4cTg!td(?WvHCA-rsrTh@5P=KU zuDYZ+o@FYa@#sgF1_ncLA+`9K;2mnPPm`q6XMTpX&G&qn$$eJcSbAzTQfKnvb<&I^ zviT7~p~qOP693(Dq=m&u2Z7qB{*8ql0HqvK9Xs1x>s^^G(7tsHczzm1iG zX00h`VK*z^7VF`6us`HrzKaun`e0W@C_N;FvWF588eW{mXm?2O8sfiF{@Ej~m|?Lt z&2YGVMpW=oOe2)6yK41)*sJPZGUX^C7JWz3|;^B2?&f zPQ;{sMWF6@&ED_uxQbyYE+$FT%1FNiLDyKuLP&lT)FE5Z%tyl5kXacYABy^N8~bt` zHn5c@vv{x)rQ6S$lj05OikEa!7k$=k825|FdtcJHrW42xW6?GK{W2)kQ-m2Dz}|M zEM1#&O^#PoSN27Y@TZy!`31{^eNekI71_a1WHSg(*+%!V%6cUC_JYQ_8ehycrW`Os z7QCa(rfDnYI9bGUVeGClOGixZ;0}$G4-*pP8v21lxGsR zz2_x-C2CJqL=B=6N0K7FSLZaP(1OOq2Jh(*=;dCzDe3~N1sP}in7aQX=VJ}ndl~k8OHL)EIgDSBHpxT|hW7t>j0h;q}e(df@5( z^ybIh9%2irJiACU_p~<<1NsV)Rjo*On5vHqwO%#KU_*gl@X2IAb_ePu*81Z%)u%x0 zOrYb;x@F+pd;|>=g*6+nYF1-|9gtEhZ5kFV<*Y7`DQ&Bdf3KMHl^}^S%_@ z$k%TBz`;C0l|zGu!K+i950y*InxRI1n{B-6=*!LT<*^*s=90}ta%m9Y36^MgZty#Z zF6n#xvMuUqlBWku_1duWcAA9*hN6tJeIhS zMQnrr8q#Y#xa1vz?`V!FGJ5H%7D*5ebINhUz+NLR%R@$aCg7c6&SecbszJ6nQ`V?k zT|?&U4fRVWN1`LAV*!@k+p8jgyzxqVLQz)ve}=X`U*U2BvUzzyRv3f!=W6np;&RpIb~ZexA!4fzf^N~frLCWnnf7YEiCLCX_S8qGvt+D?Hk8F|n!Yzi%*8&Z z6?wJpe6!H2BM^qKn5+Nt%kiy^)zD0(cqNJudgaZTCm~B8_wM*rT0c8rbZsA6H7xe+ z6Uw_?p;qfD(*?pL(_4Ltr;3;t_M@c>WJj!?b#GQXbick`;h$CBIQJEgq$DTxBUKDFI=xz45I~@oa9SwSA`V zTFrt1InxY+0zuc^Gkw-({JDgKZ7Xa&f5cEnAzp(@do5|1?Y}}P?gSwtdsBRL5$F2Ap6k!+XkruA zJbRvt=a;%%nouN@2?Cv)JmN=h4uywT6H1K;ryUHlc>9mX*Z7b(mIb@vGSTd2VP@@g z!uAn8bp}*cvS^XrDZ%t_Ji9P6E>ZG~;0!`fT9y+b9jeQ^1aG&cFq|)CsJA>{ z4zf7?1g4TbC_L>Ga^!cs{=#roUS>~Xa_x}mb5lzXTU&4p+a;$fmS3uHi&3}d zMi(>MS)aXmp`5O^B#$L*m@H?Tklnl7_M@tKxI~=kvx5aLD=eBR9N+1}rNuXc<#b=# z%GJ{kziXgg+0d7DC}&ZFfl$fGfD4uR2XtkV84*eCjc9LC`so49i@{ux2Wbi)rRfCd z%J7MW?bew0H(pX~d>7EW{%%v=dV-UHY+0gRcD=7H%2M58)Hib`4li(e=$%t*Y!P)! zou1D^`i6iN{e#|&AWypPHs+^y(isd6KQooD4-6goZH(@LvMuTUNK|l%%N9X*#)%G! zE%HR=aC$l`m_cNt?Xf(}oC^u|9(|Swl)5}OjB1=r}~{CZk;uE={*4o)y@FL zrB=?zA7Ph2`zL1*o;dYRTPJqjTY<uhQt;TyB9@2naj`fSz@ zg?v1|1!o4Fd<+kV)Q3%<@QQCb52_cRR+(xqsUFBWH4PkOCZirVo}6@fNl4WyPT|wj zzk})ilzEVcwH{v35ZuQcPl@4zlvb~i#Sblhy3^PgHoIi19wXA=&>`85&iwh4TkuW; z!{989DePUn{j)by7>yz=)o(Y3XG{3lnveH}M6v?5<>ud~64tzMH9svnM7{R$_N$u7 zy@#1~>+@^-k>7f_4tDBwo-J#b7Nse@LV@#Mq-_^nr4jJ@k*r$vpS}QAj$1?8oeo<{ zQm2#O_p)^NP98KoRk^-jhYOGVSylXzwd$4#hu&Iqe-3UjJ1jew79&$tTIT^3~2TR zMiM4o$llbQ!HvV1I*piJA;^13PJ^JO-7zOg&M-BZEv9|Ckgw(kyP3CMECr=VxxCP* z%vm%8<45g-AM3nbX(rp|?kK-MDqWdm75weDg_;>iA^8~t}w&prCZq%&8K z*guI3+02V3ER6ztvqH!^4>}JW)lDS|d}crC;6!L+N2|4!TbcMtdcJ0FBP050wJ~GU zTi^uN#BxPK-SR#KZ&BDQuFa)bJ?ifVwmCMwHshZPjM*z}i!~n3POrN#@jF^ZV=UH| z*JmQTz&_cjlGw@M3YU0+hC{G*C$4ERboQrR7e|hYK%Mkghw^RtaFLddtYP%p(qMsN z#`j(BN$)xTqmzzx2C*0H4HGpjM^m-SpnX;DZC4&xrxyy3j23$|0MjSr;d*?X4eoiv zqruM#i_@;MXmV9St-P>ML;2O5Xx53X(7HP8iGrSst5j}(jrG>meBz$N*_RcanT^1t ze;`{1mo4Ds3&Lah)y4gNL0p!ylTh`AjV}u>=`tB|RtN@}&J( z9f_ZBWbt{ zzhTVk<&x}pPaW~fs5<#!Rx3Mb){;WEWaMFRaS`hUC-kZ)7Q?XeV>2Fk0ob*w*N;_eQxw#h>8`cV}>+)Gc@mrP(4M zyL0QrWi5!$M__Owk-IBn!A$P!tvS!epbEve)(Re3$+)%sj9K0=8V+bro$=jvIjUY( zmm7QiZu6>ehW`lq`a;1*S)aSwrbQbMvUDdd@O#vmX`CjHA`dzIfI#HmU0@gi)BpNk zHU#^oZq(LnS#h0YzvrdTyH*g1-Ry;H`c(=HBTw0tfe)2|=Q(s7GxQ)>NF+&y>_W*)Q75(hmA}^>bJi+n=X-c_-pM3Y+yZSEq)y>4<`h!qI%B`ijky-~)3z_ovWAWwWVltllzQ-w^Q zFRxjX;J87`W%DuN3p^*VO>bf>6)r=MsG)Ru+K#y|Dp@e@_-4tkCV(vC`%v>d?<8th zZCtM)Q3P$m@Z-sAc(ww<#8bhyN3+lMITZ%8xFniKKbb6ww+ss0gqAJ0IC6uU1(Gzq zB^EuOoe+JsY4EafFW>feIg4#M7fdZb>@!NeGs{9`9w^C*%w}^WONmb=q~EuGCJH_7 zcKA|C1-edlKQ1yX%vXG%>3i?TZL)k!G1bBzcw&yD<{!EPaBzjfRMk+Qq|cz^GxWHd z_}-%|x`nFboUiv^aU|s6FJbS&w$mQ;5pr?`#$tN2Ix{-UZGRJ^GXQok4}Y=@lq{uF zdQ<@dL#|8#zO(mL84p~!m1jb#7tYde&QfIPC?99>D#zo;8TTiBa%B=LEtUdtbiqpH zsI#!;S>&>x`s@=_U-$$qdkYuEETtao-r+`GO06#B`-L2zgWge6Is=>Nh9=f(w^_L%5eUe|^F_vp8D%UB+PaO!BBzJhsz*wl?F}G{6`G1j1-bjkvQh zg72>(pR3G85{1W[(x6a8Kj(S={1$nwWsT3GSX5e>C`kg1B{EQ?t7`4_{+2Uo3u zy4P$;zs<9gMi3(?Nd6d06y?y*`7agAe|_T7E^$|K*|KyGLu`sa9dTqgZ{hM;!q7hi z!Dc1mC-u-J*-Mtz_}GNJ*ZDfX=++!5o#$`ZBFvG#+0~hs$#pFJ;AnCw`uE7cFm&l) zK(&75>&@L8=!fksh3|e7@D~|7y}%S9w&ZIlFZ3(^Kfgq!p@hM;RBHae|Hk7G*ayhS zFTVBAPK`vO=9;nnAy|FXjsw1ove`WVOolIdq=IVHi;$acK& zz8CTz?{h_=VIg71iP#N5L+{^BAtCmon0^SH;%!i%rvNQ{(7_+RQ(c%}z3m2;QCMfv z(hrMsJvsZLL(+fw;x?q8RY_r(33<_ai3QKukvD%;12Bddkxe`K%KK>6LiXEF-qp~` zs1_`FlQhKuy#z{qICda_z}bpvc#K(z77!ossw1ZfDyMvm-B8lT;PAM$|4H_u3=-sS zD$eZ#5XE-bWNfv8V@sCL1Kbzzh8aR7ispUZ2!xJHfQ#=+^{e2Qjlbdwx^4am7>Cg{=2ifM@I}ovoNlYp5z+moF z0#M1{3(9zOd+2b+2!r9I2iVcFE1QlKZQetAn@F_PaUJD1TEu5aof9ZCsL7~0wa(be z`Y-MQv)dVVKjA5v05L!v`7{Sm7Hp(1&#Z8ZN=X?IfFzVeOd^;O7r7wzTbe#OSSiRf zH`)$xt0bP)>7-Fr@fMKs7%gJey$mLvkpYQNYrN^zbL+PTRnKvOs>=(DRGxu6$@!1? zps8kSIxhgML7NoCifu-8;T8@EggB(UqT>j_BG9YA#j+_d@@x|1QMe_8v4En5AfNDs zzdTdfBt{1S3eXK|fcHtGS)A@$Y&E>e0tf~+YMD46)1L7a>hIkqC1L@DdwtGVrx^mm zo8E%x8Ma|{(8*E?YMLQ}`*0g*M83?T73^gR=%Ydi4qwwHI2FzfHlYbMUoAEvV=^Uu zZ^4rT|3-;GNU|Gn%n;GURpr@mKF&HDYC7RB#?m4dCidY)3juOp&0~UK_#rUnw(D2> z%QjwIP+#8ltH#F{YT@3z3^3v4;Z0v&zA$4|egP@GM10W8>q_`E!5G@~u5vw8KWlzw zNL&>*aOI2-B>v(9Tyj%N+(<`!;qKkq5xjHlyLHYwUxkp#$vwik z1GoE&;e))x?ssN)5a=LfI6TxtBq7Qq>AHEhk!BRj+5Yd|{flkwmC#>}*n$2p3wQ4Y z^Y9tYPE z5dZ3e-=gucHgWM4!H~8p zz-RQk=8UtzN_Ee};uYiO9h-2aYA}a%qgWJN_&J+@GA=>&;R@AqTeFMtl!&xk56@?i zgf3A`+XKdk*#ufctR2Cbl*JSNYX=?z5Q(Ul#b%8W@s%&dTVgI*A_zAG(R8;*iibl& ziS7}ek=8@wFVeDHLD#bx;J=Bu&?hrm6m~^z@_Z4k-6^V-6w(ws1@f)&*%=w(|9hZw zK?0ESlAeuZOA*2*KS1%-mPr&~h9?hCyae!mnP2w*CRapGAC!L%BwSGKU$Rs>O^Ma8 zc1Hp5h4{hE#L+Pl@v_<$Sld(wS%MA^*30#t|b3 zoY~N2K)--;kPBrK8z5FKcI8~|uYD-{Yaf28&?~>*SpA=QLn)SL8jlih8iw`*YVr2_ zZ>^QbFZVV=oMV=!HY;zQ?|QXR@hor z#M_?}>lnu0&|&IZ4`g^+I{J3DP%I;EqC}D8I{)YxM9xvxCD+Bf6M5V3!Fi|`Zvn|i z7jrNb7}w(QC!0z?Q4#^7?7csojt0Q>9NypD)x~<5%~d_yU7NsgQlQx#7(X9EHbkxJ z%u{Rp-I#1CzAWc-Ecwwkfw?=^k_Pq}lx{Ur+{uo}HWl@KrHb-0wo@aDRLaNPZ{3jq z4Hr5?gFa9M7R&!ZNu^kB@DlWQfMe+-Y)|_JsvFu*-joi3;WIb4LH9rSNM`II!E*U} zCNS%&369Yyw3Gyr&1JR9PVw5{ZM}At>n$k&OI*iT<>ojgaD3zuo>{^;K?I0`Iz?8W zzM`YiEXIUQtw@;!P>1v{U)I%j^j&u>d8hyuKRH4ut}U++vO zR2Y3Dv*2?&J*?|!i^nzz38AmcItbu)*O9yKB=v z;-&wmFq$`j`q@pkGDWSAZk!8M1j~M){mg(o`O4ACE?87V0_5W<&DGze1Vc~Ksko1L zIJ@c&A3#1IV6Y)uy9K-fk_n~>05LP0dxLm5;mkpAWB}kSjrQ3!8R_{61-76>kvbAA zQF|XGPgV<**Yf)=AfW|Y+QTuZCNMQD)U!@vJ?L^cW>y0rC3*9paSe*L2zJ_Igtzb9 z*l>2%Cgrfqqh;(bD`ikp_YE)!^Ho)L&(6e7yEEd{<{Gd&V$UE=@>W~&r-yC^*ZW=M zw=Z9(M7cFUr#0z4Lu)pr4{-4G%EBEP4&7~gahQ@*g4!<6nRs0Xb=JS)HHbxf+5)J6 zh?P0D*;Eh6DqChwLYT_LT2qRYs2)#+${Itah0#T;V;(*NQabcMu287jVqWl~{ejw1 z$@y)a{wB~2;Ytb|yh?r>wZWDmgj*W|bsm`w(@ve$7s68@Z{~}4pz=&(uhg(nXry~F z8zG#`V=#w9mn+q;Iv^6tG?oq#W`ET4qgu^}a>@OUWj)*oukDkB?}=-{(u%{s0WdIDevDZg_(Z9pn)c8-`iT z_C#YIMSKzaE^R$OD4dJ6#y9hYzgrbT9u0rXH0s?r&np9_ICEI&+>j{JUdMYn&@o!~ zY!2AHO96%$MUyOomS-EP3G3NNZDtk5?e^MCQBr%|bK@A!et((F!LchM9ah1!7^9^a zi>nMF8K93Y7F9#Py(G1qjb$*yr>xiS?)uo-aAuIKr2nA@9&-`*3%}y%k?i+l?vtE* z>!8yHOTuC~jw8sbYI;MtJ`z3XBqb#CXx|Z?4{cXhBZ=$+geijB1ysq0yXq)-6ZG!& zyFMA1cF|H;9P{a@&dJi6X*D7Ug&xDu9CF)8XN9ec=SSo)?+a-N!74O)hWjzjp^n$f zg(aI!Q5#2MUl^IL%qV54P{37^(`pd*2#R6DP03G@JdrYMkT#kSV*F@&O zrxf#B2r1GFb7f6Nk=4|XqQe?W`ST7%zSD=pc^qRKBR8*%ym z(uYoeNb%pk=KrXoL=(LV2A(#gX!V%T={ynb$}4>*L4zHgYnr%_nq-k=pBN_Jm&kL! z!;wj1t(m$~>zvh%;=uQ}do{l?X(d0Px0SH9tT?}GXoe?q`>F*kmsNK~%!0wiVfhhJ z%(Lv1jZW?hdwq7rHLR-$UWKw~Az7QU7IA?aBBQAh^Y)Jx*-WZk6#AMK=xF63xC=NR61qV#4IG^n1SD`&tUx4G*h3?N%7EEMlY z_FAR3mk?((Vx=a;4KkkjQ;$@c$I0{g@)pyGcfBsv#UI8s&?8`u%F2C^)Cvc;oeeLd zCXF$A%g5}w<>QJDG>KmKPszxAta>Z=4oT1vyN4^8F0Yq;KvK$RHb1;5e@QS~KsmlW zO!hMQQ_wE>_!mdLdWtqg6-z?Md?d2xuzb_%cHLW3EBAUNmq@#2%q+!1`9)eg0*l#I z&MC(ah>x@c#mwy2h>qC!N&~y5(={VPm>0n_x?KSIO9EUd5Z*Mk z65i{x{MKx~PV8ekLi5OPBnczW$`aJ}z>}2NGLxieJgsnHCBObMhBIB){T|Cjkd~Q$ z(~=KTrQE}7wS5i@2F%D!jinKrEEq9Q&VzYYKM^!y#r5#Wgu>?2y%f>rabogFVjp#+ z?TB}(x$4pLP}!KZL1MTE!J=V6BvEWq{>Sx4+BL&W-N#!}3#rA2;wrf0DHl>DibMIx zk_r$1uPat2H6QU*`nqHUp3i4pT?}T0gn>Ttf3b@PG@2YxgXh+Wrj>nrr2yA_<#nS_ zXz)a}v{X^Pc-}t~+Tiv#0_t$CBvFyA+CxOzFS!^zq5u!94Mo z(~6k-z`f0h0(wlAd9N8cF?h!S!JZVWB(M8AP&~!fq%&sdU_h@@37XE7XHHdL$RDEb z9P}Iav_u|bV;?GG%)x+4C1hVMLz)U7vI1>_YrX{hY#Z4i)2_?PW-m(hV%{sxf1_rO zbdv%bj89u#lIpN#zS~;08>Ds(%&@$)WNhw*SdWV6$z5R%jLcMe|D}2IG*#l;b8qUm zkWWx&5p;+B32{AV_qw&6fOvW=v&zeBcQ>aSbVJ?WtHk#b%0kJ{%+B|JvsXMIAnRUC zJoL_?=2j?|I8?YP5wl8YmP01`B4~_2$p#S3r#BDMZdjmB{?sF_YJZ>iq~|CE?>1Jr z=6MZ45q>p+D*;lAY0UQ^6O6??EYIJ*vK}IOgBno}5v#hD{N`>PL0|KaLP7IoHk9QFZaXz3EI5QyEoUB;6Li=sHo7^o@|^Bp#P1ByeEb@QMA}w0 z2xy`^z&N0yQB~w<(6xE>qLk_%|f>3*Jrz@i(wElsE28 zBL8n3@$9LTv7nIv;=r3VpPv7Q3xDC^rNrO~B965Gk!PFoC!9KSRS5$MA(l+d0*(Kx zkG~p)wH|pvzPmOR)u&(-0+tlNlJ#Fau375OW__ULM^mN$hFUDhLAF7;YlN`G_M85x zv_!xUsee)co$mE7YIi|w?UU$iWz_zh_bkz?TVTWKEt2+VhB!kZG2485Ty)j;kko zGgCU7G#8P)tA?^4DQA;EbZ-NDlg0~~Dr~QdgB5Z&CAJg|>VOtCigwdLR`Dt3Atyw` zsSDp-#gEiIOky3(PK}PR*8Y>1sEQxy&c4VGx9bQdGS+N*HwO#ZKfY2HmHW1A-TQ8P zE>3v6O?iKDU$J`oNtbZlDbffvkHc1JU^uPs$@~-C_#NV)KAUQ5rDIseaqUbLk6pa1 zzGJtKFRw&k8RL}w6lS+1JsO)gvCmfSNEICF&Kx|05{hMwxWDcn>VLTR;&#h-ue}%w zRJpZCtK2BOYWybK=Ql%5$J(|Q)>HA;s9Y+Oz-9673`r8FJ}=1>u<+v{qui%gJYY~S zwEl2+cK11LvCCHp7U_o!o>QjyWx0JSub&K?;Sx3twm#do#$_P3hrlem7%jrz=;tph z?h0p6IXu!)cMm5(V}j$NsKgoHdNY$Hq5bjT{l#|KX`)ClVVOgBQm&IWo#ZfZBJA4d zuDN%^x+jGIKp3ZSMfoO~qWP|DS+VoxVeTwubQ{rdY?!79yv|#l2VorO#V?*F}(aY+FS@DsE6GGP$ zGcbfCTrQ^nCqr2fzfwmXl^$9N9^WJW>9!n2K=HY`gFRnqP@Nep#rK@b46_mCn*;mR zO1b=iRr-}N$~K-bf-y6Tv8pMvPuQdcS2`z;d2yso+uxvR2oj7ZCpM6E z*vME$1J%#fpMOh54=V9HXh~DK-SZ_K%yG@kGpRbi(3>15P=pNPlU0l@9X4@#h#bFf z8BB`+uYG8e-&w<@4NtbwCK=m2!A%8tO8neqpxnOw-?9kkf5s&WU9vFWlIBXSv%%@K7b`TNx)O zhfec-ne1REcxZ@ju?mLMz~Z^kpRzI@Ho%GGge1UJxmQZpuK&616QCG{awTA|?!C#ubI%Hm|9yqSKva|(5x^HHzb46XPVCkf9l*z!NAnfB3?gZlhbXfd4i1# z0MjmuHZV?#eQT$@O}7FOZVrgUWyzr%ja+}=RZ}%Rt-5=fw$u(xh9E7_5&VN?9uvcSYG7?40Nq`YCQYzDOYMZK&|Uauge$}O zHsy85qThPe(3mb4GVOK9>Za$YxNvs_)bee*()#;Rz!o~PB-426l7i-UO9D*|R>Sl= zfAZHhY#cLd1duwt@C*tLRcLE{S$IFX(v?NIS&pRlfa9vN^7SSZ--4xJX-6T{`R$bV zd1$h=3RVX~TI?U3jwYHvi+4#|3AywA{g7{QuR{(8tg83=KtmU=&I76ATesOnrPyljT~ EUl$_QPyhe` diff --git a/versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP6/README.md b/versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP6/README.md deleted file mode 100644 index edf52a6c..00000000 --- a/versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP6/README.md +++ /dev/null @@ -1,123 +0,0 @@ ---- -slug: /MEP-6-dmz-networks -title: MEP-6 -sidebar_position: 6 ---- - -# DMZ Networks - -## Reasoning - -To fulfill higher levels of security measures the standard metal-stack approach with a single firewall in front of a set of machines might be insufficient. -There are cases where two physically distinct firewalls in front of application workload are mandatory. In traditional network terms this is known as DMZ approach. - -For Kubernetes workloads it makes sense to use the front cluster for ingress, WAF purposes and as outgoing proxy. The clusters may be used for application workload. - -## DMZ network - -- Use a separate DMZ network prefix for every tenant -- This is used as intermediate network btw. private networks of a tenant and the internet -- For every partition a distinct DMZ firewall/cluster is needed for a tenant -- For Gardener orchestrated Kubernetes clusters this network must be a publicly reachable internet prefix because shoot clusters need a vpn service that is used for instrumentation from the seed cluster - this will be a requirement as long as the inverse vpn tunnel feature Konnectivity is not available to us. - -## Approach 1: DMZ with publicly reachable internet prefix - -![DMZ Internet](dmz-internet_public.svg) - -A DMZ network with publicly reachable internet prefix will look like this in the metal-api: - -```yaml ---- -description: DMZ-Network -destinationprefixes: - - 0.0.0.0/0 -id: dmz -labels: - network.metal-stack.io/default-external: "" -name: DMZ-Network -parentnetworkid: null -partitionid: "" -prefixes: - - 212.90.30.128/25 -privatesuper: false -projectid: "" -vrf: 104007 -vrfshared: false -nat: true -shared: false -underlay: false -``` - -### DMZ firewall - -The firewall of the DMZ will intersect its private network for attached machines, the DMZ network and the public internet. - -- The private network of the project needs to import - - the default route from the internet network - - the DMZ network -- The internet network must import the DMZ network -- The DMZ network provides the default route for tenant's clusters in a partition. It imports the default route from the internet network - -### Application Firewall - -The firewall of application workloads intersects its private network for attached machines and the DMZ network. - -This is currently supported by the metal-networker and needs no further changes! - -## Approach 2: DMZ with private IPs - -![DMZ Internet](dmz-internet_private.svg) - -A DMZ network with private IPs will look like this in the metal-api: - -```yaml ---- -description: DMZ-Network -destinationprefixes: - - 0.0.0.0/0 -id: dmz -labels: - network.metal-stack.io/default-external: "" -name: DMZ-Network -parentnetworkid: tenant-super-network-fra-equ01 -partitionid: fra-equ01 -prefixes: - - 10.90.30.128/25 -privatesuper: false -projectid: "" -vrf: 4711 -vrfshared: false -nat: true -shared: true # it's usable from multiple projects -underlay: false -``` - -### DMZ firewall - -The firewall of the DMZ will intersect its private network for attached machines, the DMZ network and the public internet. - -- The private network of the project needs to import - - the default route from the internet network - - the DMZ network -- The internet network must import the DMZ network (only locally, no-export) -- The DMZ network provides the default route for tenant's clusters in a partition. It imports the default route from the internet network - -### Application Firewall - -The firewall of application workloads intersects its private network for attached machines and the DMZ network. - -## Code Changes / Implications - -- `metal-networker` and `metal-ccm` assume that there is only one network providing the default-route -- `metal-networker` needs to - - import the default route from the internet network to the dmz network (DMZ Firewall) - - import the DMZ network to the internet network and adjusting NAT rules (DMZ Firewall) - - import destination prefixes of the DMZ network to the private primary network (DMZ Firewall, Application Firewall) - - import DMZ-IPs of the private primary network to the DMZ network (DMZ Firewall, Application Firewall) -- `metal-api`: destination prefixes of private networks need to be configurable (`allocateNetwork`) -- `gardener-extension-provider-metal`: needs to be able to delete DMZ clusters (but skip the network deletion part) -- the application firewall is not publicly reachable - for debugging purposes a hop over the DMZ firewall is needed - -## Decision - -We decided to follow the second approach with private DMZ networks. diff --git a/versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP6/dmz-internet_private.drawio b/versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP6/dmz-internet_private.drawio deleted file mode 100644 index 7b83bbfc..00000000 --- a/versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP6/dmz-internet_private.drawio +++ /dev/null @@ -1,178 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - \ No newline at end of file diff --git a/versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP6/dmz-internet_private.svg b/versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP6/dmz-internet_private.svg deleted file mode 100644 index f5e58204..00000000 --- a/versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP6/dmz-internet_private.svg +++ /dev/null @@ -1,3 +0,0 @@ -
Machine
Machine
Firewall DMZ
Firewall DMZ
DMZ VRF
DMZ VRF
Machine
Machine
Firewall A
Firewall A
Private VRF A
Private VRF A
10.0.0.2
10.90.30.129
/0 via Firewall A
10.0.0.2...
VRF A 10.0.0.1
VRF A 10.0.0.1
DMZ Network
10.90.30.128/25
DMZ Network...
Private Network
10.0.0.0/24
Private Network...
import /0
import /0
import 10.0.0.0/24
import 10.0.0.0/24 -
Machine
Machine
Firewall B
Firewall B
Private VRF B
Private VRF B
10.0.1.2
/0 via Firewall B
10.0.1.2...
VRF B 10.0.1.1
VRF B 10.0.1.1
Private Network
10.0.1.0/24
Private Network...
import /0
import /0
import 10.0.1.0/24
import 10.0.1.0/24 -
10.90.30.129 is reachable
/0 via Firewall DMZ
10.0.0.0/24 is reachable
10.0.1.0/24 is reachable
10.90.30.129 is reachable...
Internet
212.1.1.0/27
Internet...
SNAT to 212.1.1.1
SNAT to 212.1.1.1
Internet VRF
Internet VRF
import /0
import /0

import 10.0.0.0/24 no export
import 10.0.1.0/24 no export
import 10.90.30.128/25 no export
import 10.0.0.0/24 no exp...Viewer does not support full SVG 1.1 \ No newline at end of file diff --git a/versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP6/dmz-internet_public.drawio b/versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP6/dmz-internet_public.drawio deleted file mode 100644 index 544939e5..00000000 --- a/versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP6/dmz-internet_public.drawio +++ /dev/null @@ -1,184 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - \ No newline at end of file diff --git a/versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP6/dmz-internet_public.svg b/versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP6/dmz-internet_public.svg deleted file mode 100644 index 5e825081..00000000 --- a/versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP6/dmz-internet_public.svg +++ /dev/null @@ -1,3 +0,0 @@ -
Machine
Machine
Firewall DMZ
Firewall DMZ
DMZ VRF
DMZ VRF
Machine
Machine
Firewall A
Firewall A
Private VRF A
Private VRF A
10.0.0.2
212.1.2.3
/0 via Firewall A
10.0.0.2...
VRF A 10.0.0.1
VRF A 10.0.0.1
DMZ Network
212.1.2.0/27
DMZ Network...
Private Network
10.0.0.0/24
Private Network...
import /0
import /0
import 10.0.0.0/24
import 10.0.0.0/24 -
Machine
Machine
Firewall B
Firewall B
Private VRF B
Private VRF B
10.0.1.2
/0 via Firewall B
10.0.1.2...
VRF B 10.0.1.1
VRF B 10.0.1.1
Private Network
10.0.1.0/24
Private Network...
import /0
import /0
import 10.0.1.0/24
import 10.0.1.0/24 -
212.1.2.3 is reachable
/0 via Firewall DMZ
212.1.2.3 is reachable...
Internet
212.1.1.0/27 212.1.2.0/27
Internet...
SNAT to 212.1.1.1
SNAT to 212.1.1.1
Internet VRF
Internet VRF
import /0
import /0
import 212.1.2.0/27
import 10.0.0.0/24 no redistribute
import 10.0.1.0/24 no redistribute

import 212.1.2.0/27...
SNAT to
212.1.2.1
SNAT to...
SNAT to
212.1.2.2
SNAT to...Viewer does not support full SVG 1.1 \ No newline at end of file diff --git a/versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP8/README.md b/versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP8/README.md deleted file mode 100644 index 14748fae..00000000 --- a/versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP8/README.md +++ /dev/null @@ -1,503 +0,0 @@ ---- -slug: /MEP-7-configurable-filesystem-layout-for-machine-allocation -title: MEP-7 -sidebar_position: 7 ---- - -# Configurable Filesystem layout for Machine Allocation - -The current implementation uses a hard coded filesystem layout depending on the specified size and image. This is done in the metal-hammer. This worked well in the past because we had a small amount of sizes and images. But we reached a point where this is to restricted for all use cases we have to fulfill. It also forces us to modify the metal-hammer source code to support a new filesystem layout. - -This proposal tries to address this issue by introducing a filesystem layout struct in the metal-api which is then configurable per machine allocation. -The original behavior of automatic filesystem layout decision must still be present, because there must be no API change for existing API consumers. It should be a additional feature during machine allocation. - -## API and behavior - -The API will get a new endpoint `filesystemlayouts`to create/update/delete a set of available `filesystemlayouts`. - -### Constraints - -In order to keep the actual machine allocation api compatible, there must be no difference while allocating a machine. To achieve this every -`filesystemlayout` defines constraints which specifies for which combination of `sizes` and `images` this layout should be used by default. -The specified constraints over all `filesystemlayouts` therefore must be collision free, to be more specific, there must be exactly one layout outcome -for every possible combination of `sizes` and `images`. - -The `size` constraint must be a list of the exact size ids, the `image` constraint must be a map of os to semver compatible version constraint. For example: - -- `debian: ">= 10.20210101"` or `debian: "< 10.20210101"` - -The general form of a `image` constraint is a map from `os` to `versionconstraint` where: - -`os` must match the first part of the image without the version. -`versionconstraint` must be the comparator, a space and the version, or simply `*` to match all versions of this `os`. -The comparator must be one of: "=", "!=", ">", "<", ">=", "=>", "<=", "=<", "~", "~>", "^" - -It must also be possible to have a `filesystemlayout` in development or for other special purposes, which can be specified during the machine allocation. -To have such a layout, both constraints `sizes` and `images`must be empty list. - -### Reinstall - -The current reinstall implementation the metal-hammer detects during the installation on which disk the OS was installed and reports back to the metal-api the Report struct which has two properties `primarydisk` and `ospartition`. -Both fields are not required anymore because the logic is now shifted to the `filesystemlayout` definition. If `Disk.WipeOnReinstall` is set to true, this disk will be wiped, default is false and is preserved. - -### Handling of s2-xlarge machines - -These machines are a bit special compared to our `c1-*` machines because they have rotating hard disks for the mass storage purpose. -The downside is that the on board SATA-DOM has the same naming as the HDDs and can not be specified as the first /dev/sda disk because all HDDs are also /dev/sd\* disks. -Therefore we had a special SATA-DOM detection algorithm inside metal-hammer which simply checks for the smallest /dev/sd disk and took this to install the OS. - -This is not possible with the current approach, but we figured out that the SATA-DOM is always `/dev/sde`. So we can create a special `filesystemlayout` where the installations is made on this disk. - -### Possible Filesystemlayout hierarchies - -It is only possible to create a filesystem on top of a block device. The creation of a block device can be done on multiple ways, depending on the requirements regarding performance, space and redundancy of the filesystem. -It also depends on the disks available on the server. - -The current approach implements the following hierarchies: - -![filesystems](filesystems.png) - -### Implementation - -```go -// FilesystemLayout to be created on the given machine -type FilesystemLayout struct { - // ID unique layout identifier - ID string - // Description is human readable - Description string - // Filesystems to create on the server - Filesystems []Filesystem - // Disks to configure in the server with their partitions - Disks []Disk - // Raid if not empty, create raid arrays out of the individual disks, to place filesystems onto - Raid []Raid - // VolumeGroups to create - VolumeGroups []VolumeGroup - // LogicalVolumes to create on top of VolumeGroups - LogicalVolumes []LogicalVolume - // Constraints which must match to select this Layout - Constraints FilesystemLayoutConstraints -} - -type FilesystemLayoutConstraints struct { - // Sizes defines the list of sizes this layout applies to - Sizes []string - // Images defines a map from os to versionconstraint - // the combination of os and versionconstraint per size must be conflict free over all filesystemlayouts - Images map[string]string -} - -type RaidLevel string -type Format string -type GPTType string - -// Filesystem defines a single filesystem to be mounted -type Filesystem struct { - // Path defines the mountpoint, if nil, it will not be mounted - Path *string - // Device where the filesystem is created on, must be the full device path seen by the OS - Device string - // Format is the type of filesystem should be created - Format Format - // Label is optional enhances readability - Label *string - // MountOptions which might be required - MountOptions []string - // CreateOptions during filesystem creation - CreateOptions []string -} - -// Disk represents a single block device visible from the OS, required -type Disk struct { - // Device is the full device path - Device string - // Partitions to create on this device - Partitions []Partition - // WipeOnReinstall, if set to true the whole disk will be erased if reinstall happens - // during fresh install all disks are wiped - WipeOnReinstall bool -} - -// Raid is optional, if given the devices must match. -// TODO inherit GPTType from underlay device ? -type Raid struct { - // ArrayName of the raid device, most often this will be /dev/md0 and so forth - ArrayName string - // Devices the devices to form a raid device - Devices []Device - // Level the raidlevel to use, can be one of 0,1,5,10 - // TODO what should be support - Level RaidLevel - // CreateOptions required during raid creation, example: --metadata=1.0 for uefi boot partition - CreateOptions []string - // Spares defaults to 0 - Spares int -} - - -// VolumeGroup is optional, if given the devices must match. -type VolumeGroup struct { - // Name of the volumegroup without the /dev prefix - Name string - // Devices the devices to form a volumegroup device - Devices []string - // Tags to attach to the volumegroup - Tags []string -} - -// LogicalVolume is a block devices created with lvm on top of a volumegroup -type LogicalVolume struct { - // Name the name of the logical volume, without /dev prefix, will be accessible at /dev/vgname/lvname - Name string - // VolumeGroup the name of the volumegroup - VolumeGroup string - // Size of this LV in mebibytes (MiB) - Size uint64 - // LVMType can be either striped or raid1 - LVMType LVMType -} - -// Partition is a single partition on a device, only GPT partition types are supported -type Partition struct { - // Number of this partition, will be added to the device once partitioned - Number int - // Label to enhance readability - Label *string - // Size given in MebiBytes (MiB) - // if "0" is given the rest of the device will be used, this requires Number to be the highest in this partition - Size string - // GPTType defines the GPT partition type - GPTType *GPTType -} - -const ( - // VFAT is used for the UEFI boot partition - VFAT = Format("vfat") - // EXT3 is usually only used for /boot - EXT3 = Format("ext3") - // EXT4 is the default fs - EXT4 = Format("ext4") - // SWAP is for the swap partition - SWAP = Format("swap") - // None - NONE = Format("none") - - // GPTBoot EFI Boot Partition - GPTBoot = GPTType("ef00") - // GPTLinux Linux Partition - GPTLinux = GPTType("8300") - // GPTLinuxRaid Linux Raid Partition - GPTLinuxRaid = GPTType("fd00") - // GPTLinux Linux Partition - GPTLinuxLVM = GPTType("8e00") - - // LVMTypeLinear append across all physical volumes - LVMTypeLinear = LVMType("linear") - // LVMTypeStriped stripe across all physical volumes - LVMTypeStriped = LVMType("striped") - // LVMTypeStripe mirror with raid across all physical volumes - LVMTypeRaid1 = LVMType("raid1") -) -``` - -Example `metalctl` outputs: - -```bash -$ metalctl filesystemlayouts ls -ID DESCRIPTION SIZES IMAGES -default default fs layout c1-large-x86, c1-xlarge-x86 debian >=10, ubuntu >=20.04, centos >=7 -ceph fs layout for ceph s2-large-x86, s2-xlarge-x86 debian >=10, ubuntu >=20.04 -firewall firewall fs layout c1-large-x86, c1-xlarge-x86 firewall >=2 -storage storage fs layout s3-large-x86 centos >=7 -s3 storage fs layout s2-xlarge-x86 debian >=10, ubuntu >=20.04, >=firewall-2 -default-devel devel fs layout -``` - -The `default` layout reflects what is actually implemented in metal-hammer to guarantee backward compatibility. - -```yaml ---- -id: default -constraints: - sizes: - - c1-large-x86 - - c1-xlarge-x86 - images: - debian: ">=10" - ubuntu: ">=20.04" - centos: ">=7" -filesystems: - - path: "/boot/efi" - device: "/dev/sda1" - format: "vfat" - options: "-F 32" - label: "efi" # required to be compatible with old images - - path: "/" - device: "/dev/sda2" - format: "ext4" - label: "root" # required to be compatible with old images - - path: "/var/lib" - device: "/dev/sda3" - format: "ext4" - label: "varlib" # required to be compatible with old images - - path: "/tmp" - device: "tmpfs" - format: "tmpfs" - mountoptions: - [ - "defaults", - "noatime", - "nosuid", - "nodev", - "noexec", - "mode=1777", - "size=512M", - ] -disks: - - device: "/dev/sda" - wipe: true - partitions: - - number: 1 - label: "efi" - size: 500 - type: GPTBoot - - number: 2 - label: "root" - size: 5000 - type: GPTLinux - - number: 3 - label: "varlib" - size: 0 # to end of partition - type: GPTLinux -``` - -The `firewall` layout reuses the built in nvme disk to store the logs, which is way faster and larger than what the sata-dom ssd provides. - -```yaml ---- -id: firewall -constraints: - sizes: - - c1-large-x86 - - c1-xlarge-x86 - images: - firewall: ">=2" -filesystems: - - path: "/boot/efi" - device: "/dev/sda1" - format: "vfat" - options: "-F 32" - - path: "/" - device: "/dev/sda2" - format: "ext4" - - path: "/var" - device: "/dev/nvme0n1p1" - format: "ext4" -disks: - - device: "/dev/sda" - wipe: true - partitions: - - number: 1 - label: "efi" - size: 500 - type: GPTBoot - - number: 2 - label: "root" - size: 5000 - type: GPTLinux - - device: "/dev/nvme0n1" - wipe: true - partitions: - - number: 1 - label: "var" - size: 0 - type: GPTLinux -``` - -The `storage` layout will be used for the storage servers, which must have mirrored boot disks. - -```yaml ---- -id: storage -constraints: - sizes: - - s3-large-x86 - images: - centos: ">=7" -filesystems: - - path: "/boot/efi" - device: "/dev/md1" - format: "vfat" - options: "-F32" - - path: "/" - device: "/dev/md2" - format: "ext4" -disks: - - device: "/dev/sda" - wipe: true - partitions: - - number: 1 - label: "efi" - size: 500 - type: GPTLinuxRaid - - number: 2 - label: "root" - size: 5000 - type: GPTLinuxRaid - - device: "/dev/sdb" - wipe: true - partitions: - - number: 1 - label: "efi" - size: 500 - type: GPTLinuxRaid - - number: 2 - label: "root" - size: 5000 - type: GPTLinuxRaid -raid: - - name: "/dev/md1" - level: 1 - devices: - - "/dev/sda1" - - "/dev/sdb1" - options: "--metadata=1.0" - - name: "/dev/md2" - level: 1 - devices: - - "/dev/sda2" - - "/dev/sdb2" - options: "--metadata=1.0" -``` - -The `s3-storage` layout matches the special situation on the s2-xlarge machines. - -```yaml ---- -id: s3-storage -constraints: - sizes: - - c1-large-x86 - - s2-xlarge-x86 - images: - debian: ">=10" - ubuntu: ">=20.04" - centos: ">=7" -filesystems: - - path: "/boot/efi" - device: "/dev/sde1" - format: "vfat" - options: "-F 32" - - path: "/" - device: "/dev/sde2" - format: "ext4" - - path: "/var/lib" - device: "/dev/sde3" - format: "ext4" -disks: - - device: "/dev/sde" - wipe: true - partitions: - - number: 1 - label: "efi" - size: 500 - type: GPTBoot - - number: 2 - label: "root" - size: 5000 - type: GPTLinux - - number: 3 - label: "varlib" - size: 0 # to end of partition - type: GPTLinux -``` - -A sample `lvm` layout which puts `/var/lib` as stripe on the nvme device - -```yaml ---- -id: lvm -description: "lvm layout" -constraints: - size: - - s2-xlarge-x86 - images: - debian: ">=10" - ubuntu: ">=20.04" - centos: ">=7" -filesystems: - - path: "/boot/efi" - device: "/dev/sda1" - format: "vfat" - createoptions: - - "-F 32" - label: "efi" - - path: "/" - device: "/dev/sda2" - format: "ext4" - label: "root" - - path: "/var/lib" - device: "/dev/vg00/varlib" - format: "ext4" - label: "varlib" - - path: "/tmp" - device: "tmpfs" - format: "tmpfs" - mountoptions: - [ - "defaults", - "noatime", - "nosuid", - "nodev", - "noexec", - "mode=1777", - "size=512M", - ] -volumegroups: - - name: "vg00" - devices: - - "/dev/nvmne0n1" - - "/dev/nvmne0n2" -logicalvolumes: - - name: "varlib" - volumegroup: "vg00" - size: 200 - lvmtype: "striped" -disks: - - device: "/dev/sda" - wipeonreinstall: true - partitions: - - number: 1 - label: "efi" - size: 500 - gpttype: "ef00" - - number: 2 - label: "root" - size: 5000 - gpttype: "8300" - - device: "/dev/nvmne0n1" - wipeonreinstall: false - - device: "/dev/nvmne0n2" - wipeonreinstall: false -``` - -## Components which requires modifications - -- metal-hammer: - - change implementation from build in hard coded logic - - move logic to create fstab from install.sh to metal-hammer -- metal-api: - - new endpoint `filesystemlayouts` - - add optional spec of `filesystemlayout` during `allocation` with validation if given `filesystemlayout` is possible on given size. - - add `allocation.filesystemlayout` in the response, based on either the specified `filesystemlayout` or the calculated one. - - implement `filesystemlayouts` validation for: - - matching to disks in the size - - no overlapping with the sizes/imagefilter specified in `filesystemlayouts` - - all devices specified exists from top to bottom (fs -> disks -> device || fs -> raid -> devices) -- metalctl: - - implement `filesystemlayouts` -- metal-go: - - adopt api changes -- metal-images: - - install mdadm for raid support diff --git a/versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP8/filesystems.drawio b/versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP8/filesystems.drawio deleted file mode 100644 index 0f0c6ab5..00000000 --- a/versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP8/filesystems.drawio +++ /dev/null @@ -1,43 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - \ No newline at end of file diff --git a/versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP8/filesystems.png b/versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP8/filesystems.png deleted file mode 100644 index 6d903b7ec9c8c069383846912f136127e54a371a..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 24073 zcmeFZby!u=x-L#hh|(!8>F#a`7bPK}z(SNxX;_4mQqoJ17DPZ05hO&qI|Uaa-67r5 z^&89BXP>?I+4ubJJ@@YO$9W!}^{hFWbIdWm`He5$@BLPoriRkh%hxWWp`l$>QHE-x zpqhg(zfK4W^8GqtXklJGhP0zdvc_=-^;s2LE>#nz*<)di?v#EFJBBukrU_PGA}T?k3cUyJjYK ze}7ib#vE?_`&xbx@n6e8U9N0lV`csO(P9F>C1r2&=i=WhakVxvcl7vm|IbrD<>un( z2<}w)`ATkC*r8pRS{w8`uE?B6dLL z@}@vuB37txU`%rhcktiNecgsBnAH*|CJ;K{*fd_{tG1edn^2v%4wSb z?H1sJTDaQ)?fH+zXm9@e@&7_46yp0mhd-w4ABc|s&$+)=!v6}ZQFmOY=3t0f3?7V+vC5|HBA#2xDDLK(czyhyKIf97y(GEL_pQF?>RQ_UvB?SN#8$KK@?*U&$6_`2M*_UClwr@*j%S z)!gh~F4Di#*MA_=Kd1i7x47W1<^PpP|6&^dmva4Qx(WpQuQ#3|e`7rVk+S|@GoC_! zC)xjuvVsWcpC~H`i~hy?|8E1Ie`H+$uPN*AeDQxrS^ueFbv3v6*DLE^l=HWz|3{Mj zFH%3z;>cSE%T~h! z@Q5)P0;sh3&{!hh4PANn)KpQfAUp}zl8lTLyN9ha2pwxd&=`^Aiou9YMDB`pkL+lu z+B$ce-kH;X(pQ-oSWY^Yh$O+^k!&nT(KL4h1ZzEb33-4mjR@D2w*% z5K0HZAb~79>9RA>VW9q^AA{rMO$>}*hjbXrMA1viAtkqoe?8p4hctSr!-tXx?ay37 zoRqoDMkIPfv%8A+U;P z`1yP~jAT}De8fYC_Gd-}=wS%BSRUE$2X;t-;~o!m^xxv}hvO>4vzqm@|2*(Jo-*9L z4j=c|^Z!Q#Kra7zEhwV$ufI4S<1QW0E^wHrLQo=A*GEfT@4i)Y?&htpIhhV59FL?H ze6TrLJMqcpt9FLx{)koe{`y$;g!>qG%+C4IBJEI>o9)5=m}50_0*t|h+R(2#gwVtH z_y@m6;zRf3Vj4lqNCU6s>?o7DwkXEL>?=SCGKr&?Lfh_mM93nsq>$SqRXr3*pVf^!TBV z7OEcWr9)Nmy7xO@J^r5TuruFjDXs6j_s!n)$$X5`xZBXf#k42qkE_pj`(!)}9BWH` zk6yd>ibp(@F=@i`I9|@F79NB(KXm;p?6COCgMiDim0S`# zweMipwD@C+g4{F>@ddK-IfP`DMw@AV$2J~d5Q%(lLYdQ| zleyypC?XP6E{9Ph32e(c!-qg8=N$t><%j@?`>tlw~`*;drc z(SUe#GA9mW`D|1!R@s-0wE1qgQaXTB@Wt0p>c(8Uxz&Y)YzKR!kLF_?-b9HApl=Tu zJ*j;2{HDa>p7&aD$gY7zKo^aqd%pBkcB0`5LV6$O@l{zf;gVEO)TS)J~@8)Qfs={=urUUTR__n=+bZWi!)TE-Wi}x2O!6UB;ch&Cp zO0pCjRwvSCGAP4So!h8cMBd(c?XXY-UVXvi-R}yeDGns)#B3<*v%Ln-!G$ttMrNBG zOn8)smB
xw+)D(Mjrp)Vmc+ZeAb<7x_eF6=MlG%YLYI4L!@ShPQCJLX3mr2J*i z4@rFQMiVY_d(wNeQh4aWSLyS^xec%YcgNbjg!nKto6%3X`s$})tHq|q8L$ec3|nMo zFpa1~s)756#lswpS8AX5*i5+T@0>@)e-EMc<8uyJq9cS7cD|;ih^9mGd+*x~6`9nRyZ-FdhKI`4MZ*{0oB=sC@Sc= zXt$eHVtCHKh9R-c-PfwyKWK)pb%Yi+UO;{4=81<%8(B=Ud-5|)Pv)&T`mHaV{zOx5|?hcUgA z$|r3NMXZ;N^`?bMvt45@`lpGM1I}ou+Vt1hJ0iXUyjVrM7wo zEVI-qf>yn7oa;_c@d#ETN-cgYAz3sFs#e}}s4DH9?t~#25n@fwXMHjkc6%x-=7_3t zARs^BMOWwMQOK{oTvy?LF2KOQv_=ycn)2j9qlyI^f#EZN8($8-MnnAD6waf-3^+!TKK z)bxAc_1so4TnPW|g4=+HG|z9;dHCCfvXKK9svVBjuQT73jb|i zglzm$2dwrluad~0gy=BQ)nTS77++Nr{+Ke1fi!V;O!+k2Dn~L9@10SuN2u%q$(Nnm zX=PuhDL$A*7zz1RNs6NHaqe9qe)j;pcoIn1o}oHHSjJ~~+lpSYgP%@a6WC13aHhdv zVR5EsB44TVj4Y~-bdD~A(2O1#1EU zs`yyvZHiHRq0_Iy-Aw*x@c)!pvKS;pCOyp#kV>?bAarVS5`Hw$0eL(hv(Y2i2X|W? zbStdge<`_?9yksnoa>>xAG>*6X??c*K}4nYsAKNhc-_UhclpZuyehA~m64Lz%}043 zz8~+e+sc^qv%dD3#U{M52AoEjLdB)Cn`)EJMl_W56|Xt<{0_!lpRW#nNHKW45TAE` z3T#=$L-&!^s2kFw-1VnB{?B6yFF^QngxIg&>EfiUyeO#Na6y^Gy(j%IRC$)mru@7; zP(g$H`Y5^1g8by0OaY#f6pmb@cxnmnR1nH_w;>;TOb92m&rKNHIgEa?SvvKUsXITm zMa5mZ6OvZF*N3uHNDr3YJg@ptKIs)Bbuj7ec(D28VhngEUMu~|9sD!RDtax9+%N)( zTZ_G~J_x8qhd|tuZbkB?Uu?J2ZsZl#xvb`wXndf6puCWQb1V4=gk#;&TXk!X$;UZk z_T>|o9p-`L#$UM&>TiGm<$jRCmreX$F@Jnc8y8u4gBzHa4wE%6_IFG|sV}d*R&xD= zcJ`)xG6U;t_XZ6THeWwEUv{Wmpb#}~Ks#uoajZZEQSb<|og2ZupRPE*%ktBCc4$fo z@zE4;XH0E=OBdrb?%ZB^w7WQVI-Sj1ci2?==v$XB2$FT?toL@9B$~=(kB1VWa7}dy z4#-l9W1aJB-+le~>_E8-Ac-=9_Qdaatf|vp`)kXm35c2IkZNK^#R{bxk6Xx`wb=_A zKbOD{6>$1c{;axof3*AF2?(9nZ}=UWkdmA}0P*X7dB&}fs>L+#UY6!E`>`qzQGWUS zQn=e~Z5a8=XQ#6b<=kEEM?dMW9l#Lh=O>QUh{9(QZYves<>UQzReCU!OWw}UK_DmU zwsKF@tnJEBwTB}roNa$5$m3Tmt(g|-5{9@Vb2fkq$qSxboVQ`GVx4UPKkhQ+d+@4Q zaxPMkqFC&6ifEtT#cTv`m5#1{s~=UgtG>i(X0!LFTLj`QT>cN9^JP1p9%oAtM*KiV5ik`#mqCB{7sYix3v9MBI8cC4o)`f zt8e-q55opPFm_^W?gOIml+Tx!^d%G#*O!5Z=OCqnxf1tBBIV``qLq!+#w=6p*UaFR z3kiZ4Fm$jlR7D>Ruu=X#69terw9=90X}bYtnOPmOQ4BSy%cG zx98Sh%1q zP_7GS$X&tMhys* zMIK9?td-~_5Y&rLI4*BpoCo0Z@a1((cud*zLSk9v=Yi&aaw)8sz3efdr9{1YRb;r~ zY^#}2hxhS-9zBnr*6TOXC&ZAG_43zwM)h^uCjHNFNTqZMMk5ypu`^1C49B3OUaKFh z0-mDx8{9B=^1V1am@13g_tMblC0R{le@i=gzM>#W^A4ibDYZkNtw@StVd)ja?l+ zO{sy_UNgaz;{liOACy>rwo82_=}~YNb)n?ca4Cg7;^s=%@;}>Qon1&t4msLi)QkcE={Zpo}RrC1JT0 zgsFN5SlAl%b2W|{Xw8qwEFvbJ06!28d!Jxfa>qf_xTqV5k=q;9n^oUGr;JS9@W*8lpZZ&fKCCZGLk`G9@tH(iJ627i&m z7etsah0Ej+ScNBR(W5UH#5WC(j}~9s(^>HuCdu%!nG72~< z@jJuA$36S(xNIERB#~r0_3+DK!X3C;su;2hWYbn_jIqT;=+T?vM-?1U_!hx-KGRLR z5vAGMH@L(r4b^>0BiC&6wOZ%K9P5R*{rR*w5VBxv#71Tpq2DiIcmAj~2+Q z%Jx8YvF+4t)Fx--1-{X_N=gv$dI1S~H7vKxi^7OWY2Qk+h>Aq)TY0@ z8ca6KHtO9-Ai$>2zhQWx056go9jg!WoUtv`MEZ9qS{HqKW)YAr#QQl-dQ7D1<58TS zTpg^f$cYYqN>M-nk*K&uC_Uh(e5HlyT)ht0o5bkD0P$U~?5x`>dJ7#w%J45C!v-xl zX^B*3`c=)>!b>q%xx%(X&%aYbJjR_v@a{X(Vq-j8AZpu9-{yY3Bulg_H*X{{FWr5R z3X=y~Ws&3&q<%Wz>fP+!Llr{RUNsX&knpM2%R4jhAk7{PHd-6xDeu(LujSLn6SkC& zq(0@t-?dnzVsy=j0fuB4;$koDK_+H# zyO&6}0qiZ+JJ>T*eGJaP@(2EWTTmQKK^nQ4&m>nZt%HozGXrh)bJ{o*su`J!g#5wAgndoJXjrJR4Y5{KeBg7LHnt!MZEm63_L0mClF z*r9LmZobLRmC|bWGO8NFDO^7Q#eqC)934wwh1g;TL;TqtUD zq33&;RqfZ!zp#EExe=5ki-IDi05 zbn!%Dyl8Hn`I6;9R-3u(qYrr#$goZJg<^&ynk}`CC2dDxnx2j|s9e_eF1GoL3+YT+ z^6sJ2cvfVKA&Q|k$&!OxS zGyRn3^7(~6Xr?BXO;$Dpt87N6b}I*tObfnSSo^>S+ic>PJ^pgormeBZSmKue;~4IC z2C!I4cB`sf-!dgXSKk)FRvkkXHE;0`3JwXPJ(!E9;_>yP2Obk{`)M5Hcj(BGTBmdI z`x;jrkcWTCQu2OyV;dc%GMFS&$TbPj>7qH_xqo~oi-a>CB*ke7sFcRw=fwt@Zyp?@ z(c~1%mPoa0Pxnf0+EH9hkc@-UT|o~c2t)9lF%OiIKr)<`XE8upM2>qqF-(@4Bzg(J z+xZ5MT$HcazZKN2?}G2WSW zBhY#sKQVXR%p3UDJcfhsdH6RjIdg7aqRh*kOzmr@CvcX`%zAg48TYECc41&DZ>Vo7 zXKS*9_}29&#DzE)v}ri~OchzLtn63yRCYNR{b))zf*=j6A1Q?d*M^e{eJ-{QHeq}l z_)gs$;uI0br}{NAFP73X#6uoVFx%Zj`WIsMDwA%#|3c=*(5Isj*T`)I$-K$Q5U@K} zIevBVy%JFQ5ZekY7Dv-(L{E8chd1%wu2h*Y&^VJ;hEKo7%s?a>FnpW!MyKU5M9a$> z&PsMf&7|blOgwQcdv>IJ!p(|ZKLRRe z{K-O$(-;{MmLC8(DndW|=~`K+Qr4{nqm;p_6sky`)9BAGkuFpXQ=S-$+uaY>Lbl~Q@xzkHD6~=ndHva zGxgg_f+0b8HVoUwA5Evkc1_JydZ8q7)te!+S&5@d>ZF^LzV`!s=|#*!4B zl0HDsC{s$Xje}e<-5M!}LvKuQm5NNCbg0sV(W2kk$+g!Uq$782A7E?bW2TiWj_1r} z6Y!?M30U+t8e6&R&I1{)Q9PS}q6g$uBcXYbZq@qAL6hv(_yx(2t6$mnnwUju_+xhk z==Pl+ex48TQ0?u#%VKyx%%b^%G&&3~TwtpuWU0ZP|KbiEBguORzXwu*Qb#BC)R+Ug zU0)Zi_+-i?1kzJI2lAvxvoFfz;nSZf38O2LSl(WqgajTBgc38VY3>-27&;Ks{K&q& zBk^+cVbqS{GYBTf*|E^EeTs5;|EEQVGTBQ|A-Ai9sydql(p=WyJAK z4almoA!OKC`)YW8r!WxJP6wN5-4EDnvsy%hTv8vE(@_;`Kdao6ngz;&<|v^8-(+(j zsliAyBxg8eoNB37g3lR8nv=&ZFq2A~b=-upf(Wf9PEB5H*#JdUOuH=bBjWi^b*wAz%g!#K(pF9SD&sx22Ups?1KV3?XqHZDn=ELl@{tQhn z^lSOf9{ceVH)JEFqy5N`)|xl<{#oJGp`34ycy!8K6al&T{=PgfrCL(b6BPzSmyn7-X4yM~msz7t{<_G2X|M;D87Ghh2NRyYY{ zO|M~e`sy>e7-8pl8WC-l#=Io+5zblPT;khFFp8wF1UC3@{uX8ytmj=K% zW(2=SO9NI+K#G)9h8we+sO|M%=FB&qtDyW)T{PIap`!p2A<|djXxdrn9WSvS;nT2_ ze!U*ciSDJ@!e-6l9I(#EFOVT%L!umkp0GfPt)J=h@k%3{&D_R&bhAvpxyfm4Zv2^)f2OIWB zv%ORimsejHzQ{I1roGU8k~1I=#R+uMd@XPHF($6zfzM-sBoI~+_CfZg*~(WVe0jS+ z+)$CZ^YSdA%6QK*)l&ZwC$>CgHz%zjSKytOLY<~%MW>?P`)dkNrMiw{ANVDOE=wuK z6%p0v=fyFLo#bKSYS2wOq+GJkIKWw|bVWrzlBnzD@?iiWuyAn^B<-slG1xwfit8Mu zCC#Grjg^a4iM}ccx9(~4seGIbA+aJ_UB z0(KPm&BL(ruo>QhY<)kIM29jDJM6Q+wD-Qy*Bfqg%+sDs`9+yqftTA!f}L)`=|(+O zXhiI+Rr#*hS`ba=-Opt7P|X>c!Y78nWPr9~%NNjBv92!Q67-CgGLxSe4kjE^-hVE1 z!rj-RL`3@%HncMM!S;ElrB}j(ng!E+w;q5$B)Fd?5ENVuzn;RYEkbO3v;+|_4^=SO zZ&Q4(wWr);!r+AyMzG&e>`dn0N7dENM>}*on3(N0oGig@!6>_t`#w$hA0RWYYl#}B zO^gYngq^o>bk|8~SbR&!uIsW6+wr;`hLBp%0GC^l*IS>$%b`ly2mXzLI4RjLzjB=x zG4-)?XRrMZ0uEH+|Jz`v$-{dxf4Bhu1APAf#e?sKAubn&+%WoGeSoH8;GX7Tq-i~e zC1X+WJg6uVcrDeKGnnWlR542#^?HNCUz=o$3zF@F9skf9K-Kfs2I?=75;cbkb2-%t z>2av?hf4i^A~!&*iM@FfmqH=A0%ZOJD5AhKiP%dj0Niew+-8y${5#`O@9>EP%eH~;XdXroZ6*Jfe%Q>&B z@Odie?rE7E26w?I0mp_3Bn6DlEy+A|?nrcXF4_rNsG`FczF12hWFsb>A1Fxk4iy^7c%TRtpo%;kge9YPcxu1&C1ZblAkTiROt(+J z#Ih0rk*oqp&`1RUa=i=GQ$!-pZgeBT%d#JmK3;lLpz%t=p_{uLu4ni-yI39#0^k~l zm4RG`wn*v%kIl&qpbMfRlAARpG-6KaV}R%|fr9Z+P*C+VFGnD_p9t$JK%y204IHJt z>i|h2*SNsskUTY)hYX!qIT&mcjwC??Wrj@5mse>-;C}%$q3y&<*G)(nW2btO1=sV= z!TlddATXsO0;#PAOp#7?;0#%oP~h%0wk5y9y#xaX@stV>I9|(@0}A&|0mn3aAx-*V z{A&wZ(=v)EfTC+~-yQea{p>K`5yOHYf`F2^%Vy0k!r)PE_IOF(O#_SNEnZb1_wy+; z{{{{hFqvxR#0ULBm;M&_v~3v!Xt;5v)!sKfQMpEGfD^=Sx2^b7&3oOP(IDf!DNE{n@^2UjE1M zFoa3-vt$dbj2Z54eC#DdfnhJn;PpeEH1?ljszHfn4gcot%YrsunV72q9!9Y&>T1@; zHgu@c0KrT{|5rdWag3Frz+DMp4m@MaqH`wxaROL2DQ;GqwFhMdt2GQe~`A&gb3ccVHSmabi*z;nWo?t0W6~fE?TIH z3Crj71@b~4sA9Rpgk5qrC{vZCHd<;Wa1lX_e71wDfgVSYK)8ZYq>TbV^l+CMAEr76 zq?VT*#&~a?=h}2K1D}}f8E@jN8XGnpZv$I0N|=y?;>BR$hJ7vqkhv46UpO=>H*ax@ z-F?UgNNSfs0Dh0psw{d~0f%%fBjm=)XsNB0D&zSA8jI1sfKyd)7~%{A?1w_{mE4^7 z8imG_i}P6BTriPgqb;CEFw9F6^#JW3yFuK7!(bUDJQzBV4p#CK+AhABYUV~G<5#2a zTjZyfEYMmD_zMvLSc^%Tp8}{is&&Bz0@j&N}#E^wKmGi2^~If-Z8R zh7Y?0@NEDn?lERp5=Fyj{PfHlltP4&o`9@D*&}qNK0xqWFsQxfqPTUJTrKg#6yU~D z#*B>Zmf`~4H=Y8%%19b|JwW`5VtyPC5HHjY&nDfYeeunO)B=ssn> z#lS>NVJQ@x*hudy7Y#JD^}J*6$++6rYs>BOI!E!7@6LYp4B|2H;d&^F0A7QI!)pDXFv&-eL zA~0WDz14)Tj`fvtS+wT4Nz0=beK|Gwpp2{~#`%ysP1YPqT-V{`afMo-g{9`Dk6{rq z<}Q^DZSqyUl%0x~j3p>&Q2)ga^XXeB^Mp<&wHHgcw>U3KORV}tW~6BCjYCp_6a*y! zb;DxZO+%GWHkIPqI-0T`_p7juJex>AdgYUh(eYwGHt=3~{%**Wz4^EuY1
s|)TRD0vGs2UKyg2w47<+D+~{>-Q++BdU4Bq^moVQKCMDk3 z=Ip~2VwdziRP2boRSCGBn+aVu&KMTF61S1oFNNM{QG$T>{nY2Q8~bv_k$46Pi%F*! zn-}MO3G{&obxID2B1Jk`F_+$txU5NH>TR210#U9q`{y<1$E)twQ?dtCc`93=J;2;s zsXC{A*)cGEKa_F2?Q~~tUSi|ng!~*OWKDFoQY^P^^4-PhqD&e4HJ;mlXmp+GU_LmM zAm%cp+>U7D9hx{SGMT+NsK2nUb4Y3#p^e)dhG%33nvI3x^#fLsBL!~0F^qC+sA=*> z0=NF`3=?UXFAc0gY`bNL)jM%GU9HKh?Yp^%2PhgIv*^C3CFGs21ogpTYmG_6CcGO* zC6p@cH$arO?R1Za1aj#BUH#>yH(if2K){!{>L9gO2b4@FMNt2kZb4FHJ&XYHq2$zm zih?AkQS8+`*rs;=rOl)eI{{0T7G4P=F*_ow+~6Qr@r1`PMB~a+qig%ghoq`PxJeJ% zn|Gx}S&NGbh`!=FH?wnU7;LA)L_8fxRJmYQMC!I5N_9`a2)=v+RZ^t6nf<7{KL+y? z%V+D_JExi3-EN{eRrfzxn;@n|Cg5K=68Db~>Hv$!OYtRC8-)=9ZlVcmV^b(W!rkGJ zMs31wcEE`&o*Mxy$dWVKRBe;aAYa+kw{m3Lj$P(QIaPOF`t*IiNuCfbHqmyIyXA^S z45iYx_~(*ux&|Zsjv~;zl-Y;Cj<>XHi*swFvmqO?1teG|InMA3<9#5-m3hNKuW=E0 zJA3z(cLu#{jcq5T&p*2a&(GDftYlH&3rV-){&B>oH)kAqHOTPZl+VF;v*^4JPM4p# z@`<1+s%RZ4uvd#rb)P7nIQ5K5Hl=P3e|qAGHHg2#j3IywB*r&^;U6+2mW4`L` z`C$PbOBoyTc|0|%@mk;|tZvLrbY$eVwZTL9y!S>JDeEZqAgbKNK=0~vz1<^}KqS7T zrsbSs@^K5^Bs_i=#MH#JstaVXOLQ(AwhiAz5enpxD^S3+++(mU6BfQ-8HVt23kAS2 zv8SU&5ib*{FpA~MU%$RH={{ypxr?WztnVCNRfI`9+o!yHxy z6c4Gwn^6=kr4>Hsj|JWQ;^(v_+%ju^?fs3GybqoTW+20yhdw6~t~MokNk2~nCCJ)j zyINUCPu5nhRbQRrI@PBFEYO`r&eTFWzvr@zr{QkFg*V3E3exXh*wxHY*X&L4#YgUB zYitP>5*($G6J`&Pu3k#nHEt8!4esFA*`%T~%B~Oz5$sI}jcvN4X+BJceKfiPBA((x z<(>l{9bFG7`7_9n;tXXO*TdI8S=paTQOxR+`?mq)l@-*?=7YV}Jh~1Ftz2($jXGg+ zd?mAbPuWViV(Bi!A{LTpXk!DPn5d27>hslMG_;+zE5lxbKI z9wIt4Lx}DlVk4zz4imY8&5!$t^Fo_y+Yz9JG2don_bB`?E|BS%9V>V$#JJoNPWM`{ z+OoPV3;Z#0bRS=bN)bgz*$%I7Jl72m4k~myZ=)0@Wwk9^dtv39(1I<#&$+eN7gJT~ zy7)5B%IDIS+jHv-sm+e-L(X=Dta7-J!B=>PiVR<_*-qPp6XYuzLXs*1)5xc=rE+8x zdjQ+jb~aFgzKG}n?o&M@-)|y4#kXiT4ux^UuS8s83zgF}P=Pb;Jz_T^ey0YENc@OH z{LVlI6z7DzNW_y=oRqqo&XCQ^y~3=M&Rn{ittEJiWFysitY=$PB;FZPJzjj9PrL*@ zN@Z}DvH`1?sb~9UP0UBhv|)z0MM{$E$tOGAyz20t*E02wNICiG#8{HvE^Q5=`;-01 zZ&7N@Af`E~nHSfa4OX(=UZZ>nkNFld7d$|SPn1BXUC>bkUB7BdG@uKnwex;OT;Vq# zA4Hg7g5G4IB@O(-BsprhQmsRxv5-Mr7G*?pF;{~dG}WRWEx z?GW%3FkZ(;If)rGh5HM4xZ-`@x!kR?1#Kuc4-O8*N&z&9DGhuqg=fLeM1kpLFP1t$ zuH+RV>i|T#LajoA%PbK(^|Te;S*~eE?h0W(F^r!GOAOzXVb1PmibArOzQA-I?P^G( zQ)%QJ?Y?g`s3y{xv0?cV5_NS*R<$L>KSsxp*wnV-1MZVbru7ogr0 zTFa{nZ$Su^UD4lQ;-hKG06}nBP)Hw5g8WEGYZ`aL5fQoAtm!fdveDTSkxtqWRjYg& z6*cK8rl5(6l=f+z<+<5bK5#*bh0QXlfpUk7?k20EK#g+}@PQB-yfTvY`I$rNfw1G` z_-QLqTokFc-Tpqw$*19@sHN$5l7mG3>2iT8bM+p#ngxZzgYlFK2YF(*#B*?c%fZvtt2!y~uIB=N#w#B&EACV-6pw^2k? zwev=ME_;Gbk?C~J^SQCZ#Ky7BES1=vsb0`=u=XR)2rdOu^#bpM4FV%Eu0kRC1z+c_w~kEJ;hf- zob+9GJU7DyXtIay4b~odHNGZ5>^Ti9F<26*@}%iK*ms+rCM2xzLpGM$DO=oP8!{!P zmtmk=jJVP5a%GULU>*5J$pXFm%h%g*^LNFnn%{m6AJrrfzVt4Rt;Fx=*yRHV?-AoJ zOHI>@>4ij1%plqZSH8_aZFdwMH|K+@*4HnYZ&Kg%d=DS*8qymkQ-H_W#*JLUrx?bT z?O9|JAu%mB)=TBk{W{C_9MMh(C_Y zP*AE=O#Vz+Sqi{}jL{qzQma?XGHg!(6I-Vlta#VwPz7LGX|hqcjEJ1nUk{ z+Cx15b{l5ZuiNxBW`-H+$Z#`53~Uhs2pUn1Oh&cEFQq63wK9BQ2b;%vPd*Ic@?0Q= z*Tt5qw>2E$f)G%hzt3={0fe6_cR!e!T4K$1~CRz6S)w*Kw2 zBAa-l{3YepqpsTP+nfg!{kvhZe4w1WhhPE^m`~4B5xk#B`V%9@je7xR%Dy~w{*hUN zNy2n<0ic46I?ouQuYqu4K-20Y9jc%_ELjIoLFM=i+$=?)X2Ju>T*|1b@jikVNi3;t z!G@6wc-qQW-B|E{ZTdOXroTrWF8c_@p1<{~Gl1#m@Q448hffbq&M)QQ{z)DuQl2(4 zWkh`?hssh2>3=cZEclq-iV(7T_VG_sRSU>Iz`E)te@vwUaVPKkzO_a;JlFBH1c! z8B{h_4ZYWeJ-*1{RDx~`u_6vskJHaKsU&_git6tu9wcCqxr1I0H_pNumtHADzaxv2 zldYL%vqo~u{?qf5&58GU1uHAx@~kXe{}+_qZ-whq_4Q+b4>PVIxgIB&V)W$f8^m+k zeQ#=@m-#zKJga`z)HPIsS=ftY)I3HfFM#3-~dXq_J%08EmjGhLj859ZHN zO%V_P6ATinfOIfx%&z>N1?l<1Dek{qG7@{?YiRe;;N1K{b+EjH8> z{S!4_-<)VU0jMG;lKB0>vMJCi7Z#%GrSy-moA*l}Eda(S%>iKC>gY=(*&%KoTZ=w9 z_i3l(kt)sCg4ka06|-WXRCF((mlJ5>~l77sLb|VZ@!EUUn_2}%DtOYMJ;GqF!7<3VJkA_<4Vew z1xf;w(q})u4z^2mL(Ztq38jBTqi|d`wFZPwk*U<-bfCLqcLMhWC|uZHDgLM_nidhH z-~^iU+%G^7y5UfFWSK`8wx3ZWy+6#z>a8zvdE-TuCKfbZ4HqDr?+id=&jgs_VuHS9 z@_V`CP)0;iSj;batsJHO(_qU6!knFEbpR7$yP?XmbJCNGD3Q^Q1Z$Xk#)qO_q(i6( zNqq>uX|Fc|g#!WUnXz0mR+)I$4HDmV!zX8Mwm21%``*4woCAFNjr>Zb$4BIo#WVtl4*=Rm%EI)(Kf15)QZv1d-!?r&wOdaME6?^mI z)HTG(czGF6R?9nIcSaubCks%=1hgo8*&Hi(bTn!L+{N;VJ81(DL@2^z%6AAA?4GyP zvrm;s@n^&yLX4Jxb;u}H87g?Fj_bJ$$l`+N%f88!O{GMt?SSG7@Sw`MPS)3OK1Olcq`gshGGLK@_K>W^3Q%Ch8N8v^iX?cmeQ zc%`d)7Q>b`KCe39#~up~7ClhOd=owS&KCI2t}t1^U+#2_;4Ulb#OMxu!pI(rNr8s# zo1j@iq1BkU4{B+asyseNjQ6Qdsh5heJ=urO(!^g{;MQ&E-wb^L`UcOXA?F{7sqNBQ zf~G(tZpyt8uC7Gh%)r72YMZS9e3DNROD0lrn!`T^bv2=wMiMmuK;=PkF4|TaCn@XF zYlHRz!(P*J-9d3s)!Udvngt$zc$_f1h|BP ziEXttNWiZQ2B3Zy020cR&xNbXVw#VQ%b37iB;eUij*EE*PWN;e_jav*W~0PYv^*8K z6L*SPF+n3Oy&P=~C=!0?>-Qk;=JG8j#3U{TjVA`BMxHa5yl+0KcA_;6TcFl(biNjP zCWd=u^r^cUd+wdrHwSqJa7@%*PogMWj{^AU9b0f`N$Gn(65=(=O__-E=)K5(^W{eF zDoVwIWw|mjZLwmpFnNt!)yV9!%wCPkC^O;?;~s-tf2{P%7q!&$s4N%;%&OhISC7y3 zL=F4Oq}%~!Y*;`iQwJFY+cOoQnq+sS0|KuGO>S$l2&palsp2Hiv)uVvSrG2TK1=&b zwH9oAbm^`%DGTX8sw%|tsiL8(3hF&uic}xvV#A&Gf{tkVTXs!(or{-@I`Rv1e9c9ck6B}6lq{34 z7c&8xQ(P)fB|x8VNh?wzDLCftJMnuf5+%UIcOc0YNBEqfh@Qa!MLiH*W4*_Xt6iGT zqac-8otT`AT3K&@DQ2{IUQ4SrDuy4+l7O)f#ae&Th|%Oi(bQ5xM%E>Se|p&>W>q2~ zxM&oRX5)&!6h*f5-_?AP&3K!0$q)o1+C*&LNUh6kf9e63YXJ>bQyW#POn(5f%z0}( z6qJzzpbWjG2@*)~i+n;fURZz^QQ{rjK43MK1hZAVLpN_<{(g}X+LJB!rA<}`FmSW{ zBtO~0PcQZ`E)JxcIev+E;M028as*FiTL2|>S-lGMxu%PtaLO&gr+Qkc&I=Ly)FNIv zluK7Pv&8W6!|OWr#0ZkN8p32}lJc#Vr$bpMg|?lamM}8}l0bRv!U54t>T}+$FD0hS z4Y%0$TD<&IoNH`$@>}MolQ;}@Rj$8kDHWeobS4WvQ1=U9Xr7h0p(Rf}uO#W2Krr4n zR}ntUdwTU|iw^xc9w~Egh0|?aL?+`0KO9jmGFYsWKO!5~h`OcEAJRBc!D2K<@|Xh0 zqvbxmQyNrhSX6TekP!xSF)|czVo3%HY>)Sqb0JhIN%YPT zXiXk)N38*q$23qym~E7GC@5+Y&l&@ij5~*(6fC7cX9%( zrFl?sz%r1jnOdJ18>()3>$7BM?HzkP~wvNYUFqI)~!>4bSJp za7V@7*#qFB#->Ua=$|c?JRqZS8ryGS&!k(whHhV>sf|t7Q~S6^PQMUdr(#E(@UUj5 zlE7pefT=H+=u)MMC2E3B;0gC@l=Ff`9EvlWjc~BEfx0+PR}Oz#X6`vyi^;HSN+o^s zJu`ymqXp%-rJ3|>9`OlB zxdz2iWrT&ik3giC#V@h_;Qr|k^_hrn!;28=PMovu(E*vhBrV)_KQx*~1uIE%1=)^S z3clcNv{p&{#DZ~?%4?cFUhZbc;x_BIa%Dm)H@`Ji2&pGPwY5!JF)Lmf#18P+BCLC- zZ)j4&K6s@CU9RJBg{AS?(i^O+_yAdFyA{_!n7EAsl07p6nOXDMVIf7~L>)c0s$Fb) z$Qa%FKsox%!0g0yKVW9|?Z55;%cIW#rubuHVoW}@Bqk<~chqWl=@s!j$;b#rPD^g67PThIlIzVvTR7LF%!={PF=Wp@E!F%vig^}t-Bsa%RhfT1i%%~ z0W?G~2<)w!EDA#YQq3%JnK}EHU;Tw-_-dh$3~|A@KR=rj3hn^}GN0Pzdh!1wID?E? zA|UhCF=izB$+%n$G;k+^@uU4-%^QuE3uIS?)uJmaGBXtyCpFRYmXx)%QIe&|xDB*!CdfJ;_j zhY>s&*aU=-?{NiMZxkt5Lp&u~TEis48r1I{fpDKm9aJ4>6eQONa%1tsAKixb0^&ll zm8LdG**;T~6TI8X?JAEyef7>tQNNn2+S+3uckyJP;`F$C9;Y4-G~0^ zYaVg>Edu^4p)0H0O3y{eTo-#wmuf(s^iKXR*mdd!!7YaL zpM2}sNm2Z#LwJ#o!l~%IIQ)xO zh6*>2e=M6JjrGszibI~tT47>e;lo$jQ_h^Iaw|E5fS%~AbtIkB7@)z~5?hXBDKY6{ z5jHN?eA#>;=y&Ql1llV}MIKhWyMe~e+v@Nv@~fpuY&Ec_M2{x1l@i_@Uf_|kfB;Q7 zf|KqtG2|$-hXGsPFYDrKVXPVnM5SM65|}R)B2evmuOzwPACUQyg#FvtTIk42qK%|| zyw4h@eeHm0Xk|2(l%5Ba=(fM`JfQA)j87GtDOK0K?I?p-m-X97o|yzjb-$EGyhnhzRm0*+gq zZhhDNGY>d8D!SYVc$$buBe2YxcjPY+p#3GUv(L%%C1@E~5%B0O&`53k6yQj0<~bhV5H94PE|4CeM120Qe7~VJTq~wF kXa6SPfTYKS1OJ)lrK(Ngo9!I|JmQ_f)78&qol`;+05laSKmY&$ diff --git a/versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP9/README.md b/versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP9/README.md deleted file mode 100644 index a8cae83d..00000000 --- a/versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP9/README.md +++ /dev/null @@ -1,132 +0,0 @@ ---- -slug: /MEP-9-no-open-ports-to-the-data-center -title: MEP-9 -sidebar_position: 9 ---- - -# No Open Ports To the Data Center - -Our metal-stack partitions typically have open ports for metal-stack native services, these are: - -- SSH port on the firewalls -- bmc-reverse-proxy for serial console access through the metal-console - -These open ports are potential security risks. For example, while SSH access is possible only with private key it's still vulnerable to DoS attack. - -Therefore, we want to get rid off these open ports to reduce the attack surface to the data center. - -## Requirements - -- Access to firewall SSH only via VPN -- Easy to update VPN components - -As a next step, we can also consider joining the management servers to the VPN mesh, which would replace typical WireGuard setups for operators to enter resources inside the partition. - -## High Level Design - -[](./architecture.svg) - -> Simplified drawing showing old vs. new architecture. - -### Concerns - -There's few concerns when using WireGuard for implementing VPN: - -1. WireGuard doesn't implement dynamic cipher substitution. Which is important in case one of the crypto methods, used by WireGuard will be broken. The only possible solution for that will be to update WireGuard to a fixed version. -2. Coordination server(Headscale) is a single point of failure. In case it fails, it potentially can disconnect existing members of the network, as WireGuard can't manage dynamic IPs by itself. -3. Headscale is already falls behind Tailscale coordination server implementation. Which can complicate the upgrade to newer version of Tailscale client in case of emergency. - -### Solutions to concerns - -1. Tailscale node software is using userspace implementation of WireGuard -- `wireguard-go`. One of the options is to inject Tailscale client into `metalctl`. And make it available as `metalctl vpn` or similar command. It should be possible to do as `tailscale` node is already available as open sourced Go pkg. That would allow us to control, what version of Tailscale users are using and in case of any critical changes to enforce them to update `metalctl` to use VPN functionality. -2. Would it be a considerable risk? We could look into `wg-dynamic` project to cover this problem. -3. At the moment, repository looks well maintained and the metal-stack team already contributes to it. - -## Implementation Details - -### metal-roles - -`metal-roles` will be responsible for deployment of `headscale` server(via new `headscale` role). It also should provide sufficient config to `metal-api` so it establishes connection with `headscale` gRPC server. - -### New `metalctl` commands - -`metalctl` will be responsible for client-side implementation of this MEP. Specifically, it's by using `metalctl` user expected to connect to firewalls. - -- `metalctl vpn` -- section for VPN related commands: - - `metalctl vpn get key [vpn name] --namespace [namespace name]` -- returns auth key to be used with `tailscale` client for establishing connection. - -Extend `metalctl firewall`: - -- `metalctl firewall ssh [ID]` -- connect to firewall via SSH. - -Extend `metalctl machine`: - -- `metalctl machine ssh [ID]` -- connect to machine via SSH. - -`metalctl` will be able to connect to firewall and machines by running `tailscale` in container. - -### metal-api - -Updates to `metal-api` should be made, so that it's able to add firewalls to VPNs. There should be one Tailscale namespace per project. So if multiple firewalls are created in single project, they will join the same namespace. - -Two new flags should be introduced to connect `metal-api` to `headscale` gRPC server: - -- `headscale-addr` -- specifies address of Headscale grpc API. -- `headscale-api-key` -- specifies temporary API key to connect to Headscale. It should be replaced and then rotated by `metal-api`. - -If `metal-api` initialized with `headscale` connection it should automatically join all created firewalls to VPN. - -Add new endpoint, that will be used by `metalctl` to connect to VPN: - -- `/v1/vpn GET` -- requests auth key from `headscale` server. - -### metal-hammer - -`metal-hammer` acts as an intermediary for machine configuration between `metal-api` and machine's image. Specifically it writes to `/etc/metal/install.yaml` file, data from which later will be used by image's `install.sh` file. - -To implement VPN support we have to add authentication key and VPN server address to `install.yaml` file. This key will be used to join machine to a VPN. - -### metal-images - -Images `install.sh` script have to be updated to work with authentication key and VPN server address, provided in `install.yaml` file. If this key is present, machine should connect to VPN. - -### metal-networker - -`metal-networker` also have to know if VPN was configured. In that case we need to disable public access to SSH and allow all(?) traffic from WireGuard interface. - -### firewall-controller - -`firewall-controller` have to monitor changes in `Firewall` resource and keep `tailscaled` version up-to-date. - -### Resources - -Update `Firewall` resource to include desired/actual `tailscale` version: - -``` -Firewall: - Spec: - tailscale: - Version: Minimal version - ... - Status: - ... - VPN: - Status: Boolean field - tailscale: - Version: Actual version - ... -``` - -### bmc-reverse-proxy - -TODO - -## References - -1. [WireGuard: Next Generation Secure Network Tunnel](https://www.youtube.com/watch?v=88GyLoZbDNw) -2. [How Tailscale works](https://tailscale.com/blog/how-tailscale-works) -3. [Tailscale is officially SOC 2 compliant](https://tailscale.com/blog/soc2) -4. [Why not Wireguard](https://www.ipfire.org/blog/why-not-wireguard) -5. [Wireguard: Known Limitations](https://www.wireguard.com/known-limitations/) -6. [Wireguard: Things That Might Be Accomplished](https://www.wireguard.com/todo/) -7. [Headscale: Tailscale control protocol v2](https://github.com/juanfont/headscale/issues/526) diff --git a/versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP9/architecture.drawio b/versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP9/architecture.drawio deleted file mode 100644 index adb09214..00000000 --- a/versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP9/architecture.drawio +++ /dev/null @@ -1,324 +0,0 @@ - - - - - - - -
-
-
- Metal Control Plane -
-
-
- - - Metal Control Plane - - - - - - - -
-
-
- metal-stack -
- Partition -
-
-
- - - metal-stack... - - - - - - - -
-
-
- firewall -
-
-
- - - firewall - - - - - - - - -
-
-
- machine -
-
-
- - - machine - - - - - - - -
-
-
- ssh -
-
-
- - - ssh - - - - - - - -
-
-
- bmc-proxy -
-
-
- - - bmc-proxy - - - - - - - - - - - - - -
-
-
- Metal Control Plane -
-
-
- - - Metal Control Plane - - - - - - - -
-
-
- metal-stack -
- Partition -
-
-
- - - metal-stack... - - - - - - - -
-
-
- firewall -
-
-
- - - firewall - - - - - - - - -
-
-
- machine -
-
-
- - - machine - - - - - - - -
-
-
- ssh -
-
-
- - - ssh - - - - - - - - - -
-
-
- bmc-proxy -
-
-
- - - bmc-proxy - - - - - - - -
-
-
- headscale -
-
-
- - - headscale - - - - - - - - - - - - - -
-
-
- tailscaled -
-
-
- - - tailscaled - - - - - - - - - -
-
-
- tailscaled -
-
-
- - - tailscaled - - - - - - - -
-
-
- Internet -
-
-
- - - Internet - - - - - - - -
-
-
- Internet -
-
-
- - - Internet - - - - - - - - - Viewer does not support full SVG 1.1 - - - - diff --git a/versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP9/architecture.svg b/versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP9/architecture.svg deleted file mode 100644 index fd268d2f..00000000 --- a/versioned_docs/version-v0.22.0/contributing/01-Proposals/MEP9/architecture.svg +++ /dev/null @@ -1 +0,0 @@ -
Metal Control Plane
Metal Control Plane
metal-stack
Partition
metal-stack...
firewall
firewall
machine
machine
ssh
ssh
bmc-proxy
bmc-proxy
Metal Control Plane
Metal Control Plane
metal-stack
Partition
metal-stack...
firewall
firewall
machine
machine
ssh
ssh
bmc-proxy
bmc-proxy
headscale
headscale
tailscaled
tailscaled
tailscaled
tailscaled
Internet
Internet
Internet
InternetText is not SVG - cannot display \ No newline at end of file diff --git a/versioned_docs/version-v0.22.0/contributing/01-Proposals/_category_.json b/versioned_docs/version-v0.22.0/contributing/01-Proposals/_category_.json deleted file mode 100644 index 2e7fa4bf..00000000 --- a/versioned_docs/version-v0.22.0/contributing/01-Proposals/_category_.json +++ /dev/null @@ -1,4 +0,0 @@ -{ - "position": 1, - "label": "Enhancement Proposals" -} \ No newline at end of file diff --git a/versioned_docs/version-v0.22.0/contributing/01-Proposals/index.md b/versioned_docs/version-v0.22.0/contributing/01-Proposals/index.md deleted file mode 100644 index 0f6eddc3..00000000 --- a/versioned_docs/version-v0.22.0/contributing/01-Proposals/index.md +++ /dev/null @@ -1,69 +0,0 @@ ---- -slug: /enhancement-proposals -title: Enhancement Proposals -sidebar_position: 1 ---- - -# Metal Stack Enhancement Proposals (MEPs) - -This section contains proposals which address substantial modifications to metal-stack. - -Every proposal has a short name which starts with _MEP_ followed by an incremental, unique number. Proposals should be raised as pull requests in the [website](https://github.com/metal-stack/website) repository and can be discussed in Github issues. - -The list of proposals and their current state is listed in the table below. - -Possible states are: - -- `In Discussion` -- `Accepted` -- `Declined` -- `In Progress` -- `Completed` -- `Aborted` - -Once a proposal was accepted, an issue should be raised and the implementation should be done in a separate PR. - -| Name | Description | State | Progress | -| :------------------------------------------------------------- | :--------------------------------------------- | :-------------: | :----------------------------------------------------------------: | -| [MEP-1](MEP1/README.md) | Distributed Control Plane Deployment | `Declined` | | -| [MEP-2](MEP2/README.md) | Two Factor Authentication | `Aborted` | | -| [MEP-3](MEP3/README.md) | Machine Re-Installation to preserve local data | `Completed` | | -| [MEP-4](MEP4/README.md) | Multi-tenancy for the metal-api | `In Progress` | [releases#236](https://github.com/metal-stack/releases/issues/236) | -| [MEP-5](MEP5/README.md) | Shared Networks | `Completed` | | -| [MEP-6](MEP6/README.md) | DMZ Networks | `Completed` | | -| [MEP-7](https://github.com/metal-stack/docs-archive/pull/51) | Passing environment variables to machines | `Declined` | | -| [MEP-8](MEP8/README.md) | Configurable Filesystemlayout | `Completed` | | -| [MEP-9](MEP9/README.md) | No Open Ports To the Data Center | `Completed` | | -| [MEP-10](MEP10/README.md) | SONiC Support | `Completed` | | -| [MEP-11](MEP11/README.md) | Auditing of metal-stack resources | `Completed` | | -| [MEP-12](MEP12/README.md) | Rack Spreading | `Completed` | | -| [MEP-13](MEP13/README.md) | IPv6 | `Completed` | | -| [MEP-14](MEP14/README.md) | Independence from external sources | `Completed` | | -| [MEP-15](https://github.com/metal-stack/docs-archive/pull/232) | HAL Improvements | `In Discussion` | [releases#238](https://github.com/metal-stack/releases/issues/238) | -| [MEP-16](MEP16/README.md) | Firewall Support for Cluster API Provider | `Accepted` | [releases#237](https://github.com/metal-stack/releases/issues/237) | -| [MEP-17](MEP17/README.md) | Global Network View | `In Discussion` | | -| [MEP-18](MEP18/README.md) | Autonomous Control Plane | `In Discussion` | | - -## Proposal Process - -1. Before starting a new proposal, it is advised to have a quick chat with one of the maintainers. -2. Create a draft pull request in the [website](https://github.com/metal-stack/website) repository with your proposal. Your proposal doesn't have to be finished at this point. -3. Share the PR in the [metal-stack Slack](https://metal-stack.slack.com/) and invite maintainers to review it. -4. The review itself will probably take place in multiple iterations. Don't be discouraged if your proposal is not accepted right away. The goal is to reach consensus. -5. Once your proposal is accepted, create an umbrella issue in the relevant repository or when multiple repositories are involved in the [releases](https://github.com/metal-stack/releases). -6. Other issues should be created in different repositories and linked to the umbrella issue. -7. Unless stated otherwise, the proposer is responsible for the implementation of the proposal. - -## How to Write a Good MEP - -In the first section of your MEP, start with the current situation and the motivation for the change. Summarize your proposal briefly. - -Next follows the main part: describe your proposal in detail. Which parts of of metal-stack are affected? Are there API changes? If yes, describe them and provide examples here. -Try to think of side effects your proposal might have. Try to provide a view on how your proposal affects users of metal-stack. -Highlight breaking changes and think of a migration path for existing users. If your proposal affects multiple components, try to describe the interaction between them. - -After the main part of your proposal, feel free to add additional sections, e.g. about alternatives that were considered, non-goals or future possibilities. - -Depending on the complexity of your proposal, you might want to add a section about the implementation plan or roadmap. - -You can have a look at the existing MEPs for inspiration. As you will notice: not every MEP has the same structure. Feel free to structure your MEP in a way that makes sense for your proposal. diff --git a/versioned_docs/version-v0.22.0/contributing/02-planning-meetings.mdx b/versioned_docs/version-v0.22.0/contributing/02-planning-meetings.mdx deleted file mode 100644 index df10177b..00000000 --- a/versioned_docs/version-v0.22.0/contributing/02-planning-meetings.mdx +++ /dev/null @@ -1,120 +0,0 @@ ---- -slug: /planning-meetings -title: Planning Meetings -sidebar_position: 2 ---- - -# Planning Meetings - -Public planning meetings are held **biweekly** on **odd calendar weeks** from **14:00 to 14:30** (Berlin/Europe timezone) on Microsoft Teams. The purpose is to provide an overview of our current projects and priorities, as well as to discuss new topics and issues within the group. - -export function PlanningMeetingDatesTable() { - const today = new Date(); - const dayOfWeek = today.getDay(); - - let daysUntilMonday = 0; - switch (dayOfWeek) { - case 0: - daysUntilMonday = 1; - break; - case 1: - daysUntilMonday = 0; - break; - default: - daysUntilMonday = 8 - dayOfWeek; - } - - const nextMonday = new Date(); - nextMonday.setDate(nextMonday.getDate() + daysUntilMonday) - - let onejan = new Date(today.getFullYear(), 0, 1); - let week = Math.ceil((((nextMonday.getTime() - onejan.getTime()) / 86400000) + onejan.getDay() + 1) / 7); - - if (week % 2 === 0) { - nextMonday.setDate(nextMonday.getDate() + 7) - } - - const blacklist = [ - new Date('2025-12-29'), - ] - - const amount = 8 - const dates = []; - - for (let i = 0; i < amount; i++) { - const nextDate = new Date(nextMonday); - nextDate.setDate(nextDate.getDate() + (i * 14)) - - if (blacklist.find(item => {return item.toDateString() == nextDate.toDateString()}) !== undefined ) { - continue - } - - dates.push(nextDate.toDateString()) - } - - return ( - - - - - - - - - - {dates.map((date, index) => ( - - - - - - ))} - -
DateTimeLink
{date}14:00 – 14:30Join Link
- ) -} - - - -Our [development planning board](https://github.com/orgs/metal-stack/projects/34) can be found on GitHub. - -[//]: <> (The C025PB1EUKC in the slack url references the #devs channel.) -If you want to get an invitation to the event, please drop us a line on our [Slack channel](https://metal-stack.slack.com/archives/C025PB1EUKC). - -Planning meetings are currently not recorded. The meetings are held either in English or German depending on the attendees. - -:::info -Note that anyone can contribute to metal-stack without participating in planning meetings. However, if you want to speed up the review process for your requirements, it might be helpful to attend the meetings. -::: - -## Agenda - -Here is the agenda that we generally want to follow in a planning meeting: - -- Possibility to bring up news that are interesting for every developer of the metal-stack org -- Check `Done` column and archive cards - - Attendees have the chance to briefly present achievements if they want -- Check the `In Progress` column and discuss whether these tasks are still worked on, there were significant blockers or they can be lower-prioritized -- Check new issues labelled with `triage` and prioritize them -- Allow attendees to bring up issues and prioritize them - - Attendees have the chance to briefly present these new issues - -## Idea Backlog - -The backlog contains ideas of what could become part of the roadmap in the future. The list is ordered alphabetically. Therefore, the order does not express the importance or weight of a backlog item. - -We incorporate community feedback into the roadmap. If you think that important points are missing in the backlog, please share your ideas with us. We have a Slack channel. Please check out [metal-stack.io](https://metal-stack.io) for contact information. - -:::danger -By no means this list is a promise of what is being worked on in the near future. It is just a summary of ideas that was agreed on to be "nice to have". It is up to the investors, maintainers and the community to choose topics from this list and to implement them or to remove them from the list. -::: - -- Add metal-stack to [Gardener conformance test grid](https://testgrid.k8s.io/gardener-all) -- Autoscaler for metal control plane components -- CI dashboard and public integration testing -- Improved release and deploy processes (GitOps, [Spinnaker](https://spinnaker.io/), [Flux](https://fluxcd.io/)) -- Machine internet without firewalls -- metal-stack dashboard (UI) -- Offer our metal-stack extensions as enterprise products (accounting, cluster-api, S3) (neither of them will ever be required for running metal-stack, they just add extra value for certain enterprises) -- Partition managed by Kubernetes (with Kubelets joining the control plane cluster) -- Public offering / demo playground diff --git a/versioned_docs/version-v0.22.0/contributing/03-contribution-guideline.md b/versioned_docs/version-v0.22.0/contributing/03-contribution-guideline.md deleted file mode 100644 index 010c2a05..00000000 --- a/versioned_docs/version-v0.22.0/contributing/03-contribution-guideline.md +++ /dev/null @@ -1,147 +0,0 @@ ---- -slug: /contribution-guideline -title: Contribution Guideline -sidebar_position: 3 ---- - -# Contribution Guideline - -This document describes the way we want to contribute code to the projects of metal-stack, which are hosted on [github.com/metal-stack](https://github.com/metal-stack). - -The document is meant to be understood as a general guideline for contributions, but not as burden to be placed on a developer. Use your best judgment when contributing code. Try to be as clean and precise as possible when writing code and try to make your code as maintainable and understandable as possible for other people. - -Even if it should go without saying, we live an open culture of discussion, in which everybody is welcome to participate. We treat every contribution with respect and objectiveness with the general aim to write software of quality. - -If you want, feel free to propose changes to this document in a pull request. - -## How Can I Contribute? - -Open a Github issue in the project you would like to contribute. Within the issue, your idea can be discussed. It is also possible to directly create a pull request when the set of changes is relatively small. - -When opening an issue please consider the following aspects: - -1. Create a meaningful issue describing the WHY? of your contribution. -1. Try to set appropriate labels to the issue. For example, attach the `triage` label to your issue if you want it to be discussed in the next [planning meeting](./02-planning-meetings.mdx). It might be useful to attend the meeting if you want to emphasize it being worked on. - -### Pull Requests - -The process described here has several goals: - -- Maintain quality -- Enable a sustainable system to review contributions -- Enable documented and reproducible addition of contributions - -1. Create a repository fork within the context of that issue. Members of the organization may work on the repository directly without a fork, which allows building development artifacts more easily. -1. Develop, document and test your contribution (try not to solve more than one issue in a single pull request). -1. Create a Draft Pull Request to the repository's main branch. -1. Create a meaningful description of the pull request or reference the related issue. The pull request template explains what the content should include, please read it. -1. Ask for merging your contribution by removing the draft marker. Repository maintainers (see [Code Ownership](#code-ownership)) are notified automatically, but you can also reach out to people directly on Slack if you want a review from a specific person. - -## General Objectives - -This section contains language-agnostic topics that all metal-stack projects are trying to follow. - -### Code Ownership - -The code base is owned by the entire team and every member is allowed to contribute changes to any of the projects. This is considered as collective code ownership[^1]. - -As a matter of fact, there are persons in a project, which already have experience with the sources. These are defined directly in the repository's [CODEOWNERS](https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners) file. If you want to merge changes into the master branch, it is advisable to include code owners into the process of discussion and merging. - -### Microservices - -One major ambition of metal-stack is to follow the idea of [microservices](https://en.wikipedia.org/wiki/Microservices). This way, we want to achieve that we can - -- adapt to changes faster than with monolithic architectures, -- be free of restrictions due to certain choices of technology, -- leverage powerful traits of cloud infrastructures (e.g. high-scalability, high-availability, ...). - -### Programming Languages - -We are generally open to write code in any language that fits best to the function of the software. However, we encourage [golang](https://en.wikipedia.org/wiki/Go_(programming_language)) to be the main language of metal-stack as we think that it makes development faster when not establishing too many different languages in our architecture. Reason for this is that we are striving for consistent behavior of the microservices, similar to what has been described for the Twelve-Factor App (see [12 Factor](https://12factor.net/)). We help enforcing unified behavior by allowing a small layer of shared code for every programming language. We will refer to this shared code as "libraries" for the rest of this document. - -### Artifacts - -Artifacts are always produced by a CI process (Github Actions). - -Docker images are published on the Github Container Registry of the metal-stack organization. - -Binary artifacts or OS images can be uploaded to `images.metal-stack.io` if necessary. - -When building Docker images, please consider our build tool [docker-make](https://github.com/fi-ts/docker-make) or the specific [docker-make action](https://github.com/fi-ts/action-docker-make) respectively. - -### APIs - -We are currently making use of [Swagger](https://swagger.io/) when we exposing traditional REST APIs for end-users. This helps us with being technology-agnostic as we can generate clients in almost any language using [go-swagger](https://goswagger.io/). Swagger additionally simplifies the documentation of our APIs. - -Most APIs though are not required to be user-facing but are of technical nature. These are preferred to be implemented using [grpc](https://grpc.io/). - -#### Versioning - -Artifacts are versioned by tagging the respective repository with a tag starting with the letter `v`. After the letter, there stands a valid [semantic version](https://semver.org/). - -### Documentation - -In order to make it easier for others to understand a project, we document general information and usage instructions in a `README.md` in any project. - -In addition to that, we document a microservice in the [docs](https://github.com/metal-stack/docs) repository. The documentation should contain the reasoning why this service exists and why it was being implemented the way it was being implemented. The aim of this procedure is to reduce the time for contributors to comprehend architectural decisions that were made during the process of writing the software and to clarify the general purpose of this service in the entire context of the software. - -## Guidelines - -This chapter describes general guidelines on how to develop and contribute code for a certain programming language. - -### Golang - -Development follows the official guide to: - -- Write clear, idiomatic Go code[^2] -- Learn from mistakes that must not be repeated[^3] -- Apply appropriate names to your artifacts: - - [https://go.dev/talks/2014/names.slide](https://go.dev/talks/2014/names.slide) - - [https://go.dev/blog/package-names](https://go.dev/blog/package-names) - - [https://go.dev/doc/effective_go#names](https://go.dev/doc/effective_go#names) -- Enable others to understand the reasoning of non-trivial code sequences by applying a meaningful documentation. - -#### Development Decisions - -- **Dependency Management** by using Go modules -- **Build and Test Automation** by using [GNU Make](https://man7.org/linux/man-pages/man1/make.1p.html). -- **End-user APIs** should consider using go-swagger and [Go-Restful](https://github.com/emicklei/go-restful) - **Technical APIs** should consider using [grpc](https://grpc.io/) - -#### Libraries - -metal-stack maintains several libraries that you should utilize in your project in order to unify common behavior. Some of these projects are: - -- [metal-go](https://github.com/metal-stack/metal-go) -- [metal-lib](https://github.com/metal-stack/metal-lib) - -#### Error Handling with Generated Swagger Clients - -From the server-side you should ensure that you are returning the common error json struct in case of an error as defined in the `metal-lib/httperrors`. Ensure you are using `go-restful >= v2.9.1` and `go-restful-openapi >= v0.13.1` (allows default responses with error codes other than 200). - -### Documentation - -We want to share knowledge and keep things simple. If things cannot kept simple we want to enable everybody to understand them by: - -- Document in short sentences[^4]. -- Do not explain the HOW (this is already documented by your code and documenting the obvious is considered a defect). -- Explain the WHY. Add a "to" in your documentation line to force yourself to explain the reasonning (e.g. "` to `"). - -### Python - -Development follows the official guide to: - -- Style Guide for Python Code (PEP 8)[^5] - - The use of an IDE like [PyCharm](https://www.jetbrains.com/pycharm/) helps to write compliant code easily -- Consider [setuptools](https://pythonhosted.org/an_example_pypi_project/setuptools.html) for packaging -- If you want to add a Python microservice to the mix, consider [pyinstaller](https://github.com/pyinstaller/pyinstaller) on Alpine to achieve small image sizes - -[^1]: [https://martinfowler.com/bliki/CodeOwnership.html](https://martinfowler.com/bliki/CodeOwnership.html) - -[^2]: [https://go.dev/doc/effective_go](https://go.dev/doc/effective_go) - -[^3]: [https://github.com/golang/go/wiki/CodeReviewComments](https://github.com/golang/go/wiki/CodeReviewComments) - -[^4]: [https://github.com/golang/go/wiki/CodeReviewComments#comment-sentences](https://github.com/golang/go/wiki/CodeReviewComments#comment-sentences) - -[^5]: [https://www.python.org/dev/peps/pep-0008/](https://www.python.org/dev/peps/pep-0008/) diff --git a/versioned_docs/version-v0.22.0/contributing/04-release-flow.md b/versioned_docs/version-v0.22.0/contributing/04-release-flow.md deleted file mode 100644 index 2a6403b7..00000000 --- a/versioned_docs/version-v0.22.0/contributing/04-release-flow.md +++ /dev/null @@ -1,107 +0,0 @@ ---- -slug: /release-flow -title: Release Flow -sidebar_position: 4 ---- - -# Releases - -The metal-stack contains of many microservices that depend on each other. The automated release flow is there to ensure that all components work together flawlessly for every metal-stack release. - -Releases and integration tests are published through our [release repository](https://github.com/metal-stack/releases). You can also find the [release notes](https://github.com/metal-stack/releases/releases) for this metal-stack version in there. The release notes contain information about new features, upgrade paths and bug fixes. - -If you want, you can sign up at our Slack channel where we are announcing every new release. Often, we provide additional information for metal-stack administrators and adopters at this place, too. - -This document is intended for developers, especially maintainers of metal-stack projects. - -## Release Flow - -The following diagram attempts to describe our current release flow: - -![](release_flow.svg) - -A release is created in the following way: - -- Individual repository maintainers within the metal-stack GitHub Organization can publish a release of their component. -- This release is automatically pushed to the `develop` branch of the release repository by the metal-robot. -- A push triggers a virtual release integration test using the mini-lab environment. This setup launches metal-stack with the `sonic` and `gardener` flavors to validate the different Ansible roles and execute basic operations across the metal-stack layer. -- To contribute components that are not directly part of the release vector, a pull request must be made against the `develop` branch of the release repository. Release maintainers may push directly to the `develop` branch. -- The release maintainers can `/freeze` the `develop` branch, effectively stopping the metal-robot from pushing component releases to this branch. -- The `develop` branch is tagged by a release maintainer with a `-rc.x` suffix to create a __release candidate__. -- The release candidate must pass a large integration test suite on a real environment, which is currently run by FI-TS. It tests the entire machine provisioning engine including the integration with Gardener, the deployment, metal-images and Kubernetes conformance tests. -- If the integration tests pass, the PR of the `develop` branch must be approved by at least two release maintainers. -- A release is created via GitHub releases, including all release notes, with a tag on the `main` branch. - -## FAQ - -**Question: I need PR #xyz to go into the release, why did you not include it?** - -Answer: It's not on purpose if we miss a PR to be included into a metal-stack release. Please use the pending pull request from `develop` into `master` as soon as it is open and comment which pull request you want to have included into the release. Also consider attending our planning meetings or contact us in our Slack channel if you have urgent requirements that need to be dealt with. - -**Question: Who is responsible for the releases? Who can freeze a release?** - -Answer: Every repository in metal-stack has a `CODEOWNERS` file pointing to a maintainer team. This is also true for the releases repository. Only release repository maintainers are allowed to `/freeze` a release (meaning the metal-robot does not automatically append new component releases to the release vector anymore). - -**Question: I can't push to the `develop` branch of this repository? How can I request changes to the release vector?** - -Answer: Most changes are automatically integrated by the metal-robot. For manually managed components, please raise a pull request against the `develop` branch. Only release maintainers are allowed to push to `develop` as otherwise it would be possible to mess up the release pipeline. - -**Question: What requirements need to be fulfilled to add a repository to the release vector?** - -Please see the section below named [Requirements for Release Vector Repositories](#requirements-for-release-vector-repositories). - -### Requirements for Release Vector Repositories - -Before adding a repository in the metal-stack org to the releases repository, it is advised for the maintainer to fulfill the following points: - -- The following files should be present at the repository root: - - [CODEOWNERS](https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners) - - When a repository is created, the metal-robot automatically creates a -maintainers team in our GitHub org. - - The CODEOWNERS file should reference this team. - - The team should contain at least two maintainers. - - `LICENSE` - - This usually should be MIT with "metal-stack" as authors. - - `CONTRIBUTING.md` - - This should contain the following content: - ``` - # Contributing - - Please check out the [contributing section](https://docs.metal-stack.io/stable/development/contributing/) in our [docs](https://docs.metal-stack.io/). - ``` - - `README.md` -- The `developers-core` team should be given repository access with `write` role, the codeowners team should have the `maintain` role -- Release artifacts should have an SPDX-formatted SBOM attached. - - For container images these are embedded using Buildx. -- The following branch protection rules should be set: - - The mainline should be protected. - - A pull request should be required before merging (required by at least one code owner). - - Status checks should be required to pass. - - Force push should not be allowed on this branch. -- One person from the releases maintainers has to add the repository to the metal-robot in order to pick up the releases, add them to the release vector and generate release notes. - -### How-To Release a Project - -[release-drafter](https://github.com/release-drafter/release-drafter) is preferred in order to generate release notes from merged PRs for your projects. It should be triggered for pushes on your main branch. - -The draft is then used to create a project release. The release has to be published through the GitHub UI as demonstrated in the screenshot below. - -**Tagging the repository is not enough as repository tagging does not associate your release notes to your release!** - -![](release.png) - -Some further remarks: - -- Use semver versions with `v` prefix for your tags -- Name your release after your release tag -- The metal-robot only picks up lines from your release notes that start with `-` or `*` (unordered list items) and appends them to the according section in the aggregated release draft -- A tag created through a GitHub UI release does not trigger a `push` event . This means, your pipeline will not start to run with the `push` trigger when publishing through the UI. - - Instead, use the `published` [release event trigger](https://docs.github.com/en/actions/reference/events-that-trigger-workflows#release) for your actions: - - ```yaml - on: - release: - types: - - published - ``` -- In case they are necessary, please do not forget to include `NOTEWORTHY`, `ACTIONS_REQUIRED` or `BREAKING_CHANGE` sections into releases. More information on those release draft sections can be read in a pull request template. diff --git a/versioned_docs/version-v0.22.0/contributing/05-community.md b/versioned_docs/version-v0.22.0/contributing/05-community.md deleted file mode 100644 index 61eaf099..00000000 --- a/versioned_docs/version-v0.22.0/contributing/05-community.md +++ /dev/null @@ -1,11 +0,0 @@ ---- -slug: /community -title: Community -sidebar_position: 5 -draft: true ---- - -# Community - -(Slack channel, community events like FOSDEM, Kubernetes Community Days..., blog -articles) diff --git a/versioned_docs/version-v0.22.0/contributing/release.png b/versioned_docs/version-v0.22.0/contributing/release.png deleted file mode 100644 index 598b118221b61d55a2de4b4c1841cc6416892b6e..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 87019 zcmdqIg;yL)^Z1>R0Kr3W4<6iImY@NGyR*2vYX}xRxVr~;*TvnP#ogWE-7C5GKIi=Y zf$w|HEN9M8)6-L3RbAEd=^$BYF(i0g_*bu9A&GwxmVfmM3IzG7zJq~W38XvdeD&(% zD{;88uCkwW;aCVIm4cDEKIbCixj+Bav2LwExc^$4Ro;aAmZjhZs}a_(3Jw(Tz zm@b;i9M7IkH-kMp!L;cdgg18}UB;iKGe47(!b7Uw)UwY&mr&*K|J&$Kk&j}Xr$?XI z9P@RErAn}@R)_774{_C)S5$YAV6w6{Y;2vn76zDCVl?2X{~fSx_{}fagbhr7M}Y1m zjX0<#@8QbpLqa8LooSh(X;i%QAMt_at<-hs%D*i^;O!7F{S;x z)eHfIO>pu^lNAjOSz}xOHL_8Jw z`nq#L?cDgtwdMt8dHR1uI_ZBJcb1o>6VyoZs}9hRs|}{lD!@s(J-)M#gtrQ%M-aN% zIZD17LIP1m*4^IMAtZWE)`QDzQT5yN6_vD$R5$&v)DkJqIt#W0|9O=LGDxGRO;?YJ zvTFUoI#E*SR>w1l#Rn3j5v8Zbm%ajzr(bOP_qAyY;7iy=!8`7sc=#hPMZ&0OX?NPK zSmKl=gX{Z)bVi}f;)d@0q=iIRk9Ga66ZfZzRap;&B+^s|^H)B1o=z_INB;B7JE4y< z{%dJzdk$bsd!165I(hUKoQ}co4>517m&-Wq2IC zbZR(oA``p%)9!RW@l6TJPvHobjmgiZ8(g)PUfm0;scQP#2dI1fS}o7UovAt;e}ZT1K|f61C5=><46y}*!l^BqF^t7K zp)FldM0Bv6`4UE>BaQ$0i7Y=~s%W=F=~Vg1szEcx;v&z*^W$QUM!_6MF5(6h!(^>H z&ImzMf9ar^nWBCE7dK{idc%b2scq@#z7GNBY({6T`sns`z?Y9 z1_e8n^dfQ#mHd@d602F)Vp*GCYOFt3w`ga%nr3CyKeGovdS51^#q)$&4;SbrPy7>Y zOfiv4oW8qN<&z#v?yvf)OdkR*4zUc`Pmn3fAjhnN>Zs%K7vp6U;Wi6%Fpm9`;zA74l`B zbQ1p0LYj@Q#oRG!esPXxr(xx{AsLNCP#LjZDKM1887BD!f3{3M7j26$Idj9Y@~BE{ zUpZ2nFTy=RQ6J@i^Cd#rsJ7O~b9y9FcZA`fPv01O=ELVtAE~e;O1|ztrjRT$ zRFSww`zvC-M(rzu;zAD?)=@uNW3=eHyma2|`be}d)goFM%Lb657p*c?X^6JUP~syJ zd=95rSQ%zzUNSP~Z5#O{-m9ikpO%piB(R<+>s{Aej<|8KMdVHCD=Kp-&km%l3Dn9m zmGo`};Pe10xFwYBj9o2h+=wJMLc&Lyd2ZOLV4#IG?kXR?a1ycJ81_EPTIJ!o)C6E{ z4D6X!aV->Id*wv}H(22|`pT07wjGlyOjekn@UJ{rD^ZM(z(&2*n9T}p2zWOqy`vPV zgh%S~jgz$epQ8IBn7|I^r_A@E!eHx(*dv|eZmGm4R$5Y!5nI(E?eF>JCkpiWS8T5* zBy06XBgSKsN6(({;SgDV@*qCt0-*evxA_^L)n=d9o(x=54DjSkU?O7Z z9i2`hx+x~HIk>5Jy=OKukTH@;lsW*~Q>C4vRm~oPid-EvOO6yVgQ-)7!9W{39;ObM1#Mh0c9x7sZf@I~gY_A7; z7p{T?jvUh0saO+x!>=aC^PVu^CttR$n58;3ndWtVPp2Q-;2_f}yLXbXmoH0xvkV_| z%5cb|mjMC-I{};j)%rAeE!(!GLfPnI^<_>;65)6a}T9 zkUy1n+W*Y0%_Kibf%T7L-d`l#AN6A{B(`)Exzg@4@fd!6i)aY8 z!oB1P-^&L&oAYNd#wcRUf__gj=(2y@BU)4-Ove|uysjyWyFhyogCX1hQlK0rUu%KC z8oxthsq-*VhkT}DpUEjpOU|b5KMg*T z{mce(0zQ9H`}gGp-omGU^IPkj-Imw?EeHuHK21;`0&;2oO~k*wLsx$d2lB7o%U%Ch zl^_3*LixWd#q}XzV?7!Y`?F|%N0UDd)K&eDgfgwP0$uvIvHv-N9>agZjw}7gh9M`i zCJ-~mTF8qJ{wKkJr~@L!|Nko~J6^;C*8W|`y>FRgB$D0#wI4fW0aIX@e=cbTPZSa!0AO)?2*Ax_=;lInQFi(m-gjU)e6ZzS zPk!#EcHwr{b$-`Uico22)#^N8zI%5iSAjlwcdgnn~nT{6q++6X)H*jGg?S?q~>f+SC>ri2W*T>(DF5c^$(^7_V6n1tb7jB)=<;GP3F z2??pK{luz?wf4t2#*~*u9kYMDO7HiI({X&)`=r+S@SI~;1%FM%)9V)q+&T=(w!Cib z88e;o6X{w%+VRajca0^v;4KWY?J~DKwSTaVFmCuIUDhjjxBLCTQQZn0lx@H?x^w(U zYuM^s%ueb*#!1)hk&=GzV7rF8y6IDt+O3dI$^$D3h69aE!on66r+@Rc@?S?=6?3yd zH#1k^#jl(_skE2c;FojmEI&K#IHR&sbXj7X>W34~Ej+!c9<2;HyRrhFdFZ?~6^H98 zEIG9wy~q85jL^HVjApJy9oY{b?841kSx;OibV|P-kt=d7MtGe1>DK8}n#f~$|9olW za$d|6MBV2V0s*)mCR1!|z3x|3?&|L&Xx-G+ad)%NRj}Eell|%$f<9 z`p6fygWG7+k&8uNra8FE3*0d?5LWQlWd_E#Qkh@ox9@XIL}3Vxjzg_@dsoi#%;|C1 zQnCnoCf1eGEiQQoqTNv_7K-4bd#{LhmkiCC)gpH=V7=zAa2B%%DqPw%=0AnpHIc1w zi`}@cRO;X9c9v;%Wqwghu_SujmO(~YZ+T9>wK^dy9s+oV6QQ2p*aldJ=-(_|8)-=v zNpCL=qyLJ(FuLo4n`6fpjHs)e1RH5l4313RBX3`=U6`nXk2_Wl9ILHo(z$q4P`&gx zP`zqQuaagbbv9AOMsPVp<6(yKOmmAnuGHv1c-&Ju=~NlIG{tkh?BEP27D=n`D!EC$ zM3tDs^3Ar|-LERoEPd(>&aA0KckL(##vE|?t2n64T}P0UF1DQipf=qF7gJ8omQb{V zdYY;6E*;FLBgWH9aw-=u+(eR9-p*^h70y_FX8=Gv7=P;zS$k_2^dIO&$fdsE`?R&G zqS~ee8+&Ds&&sqL1USVQ89o5mjY&R@mhEa%>mIzU5Q8(MN!M26RomoHG+x9|q#v8u z5Ja%O>L<)8!bCNiP@Yx>5gRhG+Ok*nlP!|Qew5d*d{=v#v}0tbcK8SukmC?-rl(;?&}uErzXQ9&tMwlkfW6;uN_$k zDXMag!`;QV?+@NaQLN|}% zC3QVHP*xB?fiqW>)XZ=kL?;i~*ZbAz-vzVU2jbR6S{feIJ!P$Z!!t4%C#KwZJ(_Ku ztJ$A4)a^(FpB{z`h;=T~+Sx z{r&`V{Aa0(Tvq+cGOE{`HRsMCnUVJ8Uc6CnPYvK$AzYYrcZa-~umk*Yt9Cul!q2oA zfyxeC6iPfs?02nb{@$nzM%bX!vH6&)a3N!$Q2#pk(-k*&Lg%SOGaH;qNs3KHjX-qT z!0_r9TFWCU?MV|bEDRXpKz>qb6eli!}no(k3lGIVFz;^K7xKWa!*kp zE=kO; zq6-y0?OSp_Y_@xt?xi{$2%0kdiYJDt3-e zj}?;(YMRanr}l#8?wAoN1Cjw!>uFs{;@M*}$L;{cK&|`ma5NN!onf=vg`CQ*Ii>K! z#NGz2LC!oEUt32l6RRN_B96N3A0P|g{jk~l`k+_)XR%VxgJkF^?Q1p z4yWdBBbr~PrvNzh*C-PAO_SbVte@vwe=vYj3l*jVmlu&)Z0CDFmAwoU^qZS5H4uQW zarxC=_{(1LjOE$MKenbIKY<7`>i z!>rMKfg3G8TbhP6hD%F5fezsV;Y}TPrAzw@vv2BWnRH}d>;^YDLjs3tb8zxNY9MpT z#vr~r>KBs+_Lz51NwENmvEvpA{1tb~i6+ytegLEd593Owz3e@(j|h0{D;IF$H^ z3J~RDuJ?wuI@aix5kGFev%?V_ef}D%L#G^W))!7rWY5|ceq)Xfys6C&Rb@=(kmOI8 ziN-ubL29JS-PS0R>luu?YVtB#JeFzjJY_-7RWa5snleUtb6nq|VX?_L5I1a*O%RV@Xm)lj zB=?EPLnA9ZSGy%M#{0riyJWNXdK87pZ5+yMA#l>B3n+bz8wURd%^h*GMI6DlxjY^f zZ&dyzRi#1_d2P&9zeTj__PEc+KY=LWDVxq5RwZ8~u#nYk^1ap}fwbmKrL%~R8~cHe z{hdmoatSNt4dG_0&&FMOEdcF4%*U=w0ZhOTxaCOZ8157ykj}oIG@Yy=7q2TT-i#7t)!f)7wR?JIki(^`F%lAUGP?1&_KH`d`8u5f62_8wq}G8x-Vu=S z^%!1T^|IPTM_M5u8J|bQ?73mq8D0umDfQWk-mAQ1xTYmCz^w=hmh2fk`uuL98|I=- zn&$R?6>)*%U@#{3!ZkO6h6)Z&m4{pZYAio*uHap{bML%pKOnH~bPqsSOfb9qS+(Vq z=4j`!Gl&i(hkJ>5uoTZtY9!D1gt)AtwYs?-nWwY4Mx4p%;-YV!yW00F;%>5pcyb{w z%hH#hcCG;#MT*n$p?KrLQ=!sBDkU;XKsfk=H;Oy6AcKPSDt+rRhyQSN?|X%8JpCjk zK?1ut7*b?g11anM+JuocG)Y^fj#}udyXjJ=IMWY-aU-OS67JlJL%Qv~E79oLh7Z5M zh^7EPAPv8s@B=aJd`-Z5sdCp6r^sN?%IVQ|+Egh^(y~rz$0GQ<6bnV7M#;PJL+4$gyckgRN+)7doEi&oKj_Y_R&O9n?!cSFy5~8vuvD>gA97(utKRaSEmbBj+B8eiiS1Ze=hL+Lw#4b#Csn4bQqv@1i!14` zW(tXZ<%7)t3kHDI@vyrTMa53Ld`fYQ=ED^uT0~xzxluA~ChIv7c)va_z4iX>Mp(Id zekkdYcS`}LitnM z9+k73Bmt|Ky}o2Pu{l(QxNcvtNPJpXJYXfGgNI@HB_q;nhc--RTo{IWJnjar%06Hc=pTsjKT zm*LlFCU-{SQ-xH!v`2Fs-ng@mc#N5nQs{0-;yCb{1cV+Nc4xO(Z=X#^@8#G`$8^aw zP|7-%*)O7H)lXMgu^Z$0k||cLtVJ9wpa_pqJn^!_b7y!!b1p7)L|mdLCk%#1G)n?_|^F>|%IUf9x_JXl(} zC^jW~GM7UY1-OWUu6GFXbmr@m&yG`AqZ#(}{v~B^fTRKIOrFH|7qH@AseOBSwBLr! zOSiAD$*|Jo0OvTFH5dHst&_TZWJ2u&t}ZR6!z#>`(Ht!ZdeO^Rvh^LWt?pBh9%M4h zZF6>hf?3_OyF68omKh(9BDsVgFDO|6U{RCiB$fRs!}HZ`RRHTxd%GQ@IKujGZDlk` z39`%*vxXqQyqi(SyFlMiaC+x6G{IM$bb3Oj&~MTkUx6-D9b`@;=7CUe7ULOqLRN&% z&g_V{uh}Fxh`K_N4Iu*0BaSX$B+$xHvf#Ggw;{UC^c8God#tq9<2jn@M-L^?&4Y2d z=>Ya&5>lo@7>P+Xy+YfI^mXa3a0}tV-QF0jLdLV}j=EDz7}`g~{$*E|UK7(QNSk z->a(~L`Rc_hV@X)2pu;_Cbum&jSS#1%pN25vKN>t#E43Fd2OrYlB|Axm6~Pp?tkaT zj`zcQo;eSNK-9dY1U7y6L?#`p9jx zS3j=GhW|NG{)`o`B3?fkcCv8;(djrX;z`J}6FtECwnEQED^4cq$I*kYlzl)niItr7 zstbU@)c#B6rp1W0lDWQ65}w=v%BR-4hiS3larda zDkh_In6ZR+qEUoyaiZCk0c)aYn7ZC)A0-*wE6o%=Who~!I%L@ipF>AQjYn|8m$-a~ zcdBo>jcesZ-MB%bxVrDM<9qg%9=ud%|Lu$bS-9%FL3O0_Nf{# z5rPnU9c)SN?Lbh*tWD91aBvB77pMJ5y@(XP?{dcc+=F^lvnT38REezid`PQ0k0$j) z)bk=-)=jG5)}F*YQU0k`Ej~Ry32`A}+KCGqs}s-bkO00QKM$OMbVJh`F{$X?rhST= zPMflsWt=8A47pzZje>Qgyz0VGY16RS2?38e%OoeAuJMf!+r~xN9@7ujj_M;EVn&(b z;=TRjm{OuJKG{9;jf>a|ZTso-@9qtfrtrE3T8gOFExI}I;wqU~KT2XFKODd|(%vU; z;K3w{1_XMK#V>$Z!~(b27y zA+@|O6YComH>51Pm%?hd?vRARd=uXNS1Tv!{o7Rf<(B+@(q+p?peH9A8%v%2+B8r+ zCFX|3>qS5sh=IMP5-gA}mE{;1QLvxC?Q2SOc9SRb<(j^GPn7}l$~8#z1jT3?T!Zdd zNk)ImkQB~4aHH`cTh{RwnNTCBg$WT>n!H(J$J-yc(Ra!WNmS}P2057@t#%@~?zTwq z>2zm1xinABzsCOX)uf+@u`MY|S~s_ophiY^Qrp(+rOaJlHwjeEHkvL@%$eSW*C}bw z-ul$oVwsYs_mPSV36@7PiDQ3oeYuEgEu)i@h*znkS2=TSIZuDyn*p(mF<>n&)GF%E zXP|!h?tzntwsENc%2(>Mn?(BSW@ZD-VVWk!=0#nw*)#G=pj)Mj>=7-)03;<{Y4V|` zI>$W00iDKaPg(MY`HID@n-mI{&Hl_(&@;YT-4@ixE?xFSXv0r5hwn=tO%$9O)N-NQ zCTl{YKJWjgUVuhYFzo>&CPT{-hKO~-8h2b1k`)BEeS}POF}()uaXZ#`dc{moh}sar zSE!`Mn}G}?#jW$?k?3sJ;K)SK8|;zGD2I(8 zf==21p-6!~F-i%4x?M<&d&%~Y%|J0MZ6YoDjC>3#zg0Do4QTn7N%T~+>$Yq&*Ef2F(6;p*A z-;cy*);BWNA2Ww(ZwG^7mj~so`v_Z~^hl^LFU@D8uZie5!VtYLqk~iJ7ZdjvOVq3b zN;JFs@ANDE)*Q1T$i$SWg#0>*>7)}$5lV@!*@O01ow{H>LUv95NSuJ3>gybZRa5C= zyl?WE0?~27odakUxs$DUmHeL(8Z_gFL;92_5YKQgDY9|P4I}9-*yDx6Y^h4t* z-rEQ@iO6Y$AIW@hfpXCmUnIH)RuDWru%LE?dzTbA-X4Kqu5aZL?6T`s zrr3H`_U7#p!6)^20a(yk@;SCeCx}opZ@+WLCG+Je=pFb*uGP!r>B%`WN-OdGNaY~h z;(3w+&Yjx1r_i{evF9)xPsZzQAriO1t~S_EX>xwm)7xtz1uec)~eoi%y#&=4UxzXC#jjLE{@|MTK>wMv++bMe5xGkT2tA6wNN(WZ; zVb2Z5v-u}(_wjOnL9TT&SkZFD_f-g|7q@33KuF1>*5`M&8;S&%j{Auyxy;_1q7AS+WIL7B=$ zg`ufa@p+C#D+~v5T$8sVazX5D&3D^@lO9*guvrFJ>0Kv@G;1vQFH2(D(N098;Hj*I zAZdIW&!O}M-)t`jcAl2D7y22(f!rvrcSAH%**(VA37S(`EJJ~}CAE`#b2UiTakd5{ zVt5I4ws74wbtYhAa-jg{4r(U9tq1yY_hlE06AJbgiZJcvo^$2J+L*IyqlX1LR&1uk z*?QrfJuz&)96Is37htb-zlFv`I@&>8`BfI1r+V8!dT$$9#b(o2GZp_vnRg&!Z-V@z z`lrkN=`_7s@genl4EJmLu4U1Ff3zl3fFmH;xh!iz==F+f*}=-8{%W52SKOKKDjpTE zj?}srHki$4S|Q(NJdfnaEPk!;S}VqUI{w&^(1QmE4=UN2%-n%(mLCdEv}do<>$N-d z^~wQ-Mt{WtN7(~j+DAxdIX&!f(vk6p0CD8IvxW3K()gQEPesMpcWI_wC1D&`D zPvkrZ!XTZ5TdH#o)}{k{^D4d`vji|-X`IS`BYoho&erQCHfdYwqTBh!>QRE7-^M>e zSI40?chbRo`v7#Ypi^(24P^Iy7;BcJ!!P-GK0)O+#6NP%A2vqehgyFvc72ivdNO_N zVbp8_u&LK(&M%Uyad~4L|P)aI3Mml$7Z|aIo#9Th`D;}1qGBIRwk1k4l0-{ zMk+(EG2E&o2-RYZkbiro9WN3}u##HfEnVex!%)0X_j={W%5K{^J`dn1nlc{SW8E76 zj~MZB7J3LCWO?sf$FN)TDV5iTXbP+86-QQ{Ob2jRRepw6w8ZI^Bh)YWnlm${)G_g@ zj*d5$DKIZwq(73l;e6ehVn)(TWL|z~<$umO){40K&Q(Ag+f|}1d`?G4?M^dcE%LtH zZR9BusCCNqJ>R;sF$Q4JrMFmsg*l6yQ8oj!6U&YvDp3}&Tg_0YFYVOym->5{Be%s`gE9dx;ar&7A6 z^9wzx{@pryI0Tra-0VRb(Lw4S=}z6B9$32_TY}w4ecUPYQz#T~Kpcy!Ip0_;3DhB_Bk-f{z6=w0N$k^$0NgPXixy_R;1DQ)G% zm2bc(%C=zQn7sRt)p>h&>F6ODlV=8p_565%Ye*AMxxP&o98cqKJ9fHohv1j1an`27 z(ss^a)l;VH{cvSHMePoDDS>h>)e_O)2}&k`%S~n=yjIST+UX24p^l@|YutE=*BMRP z=4#XI@$GYvl(^?jV6fyh_AtO+Go>DYb;+9j#pQj+jxi9=UXp938NRjPFR2L^oGW}c zp~zU;Z82uIruQC$I)-%^E*J^nv*k|E=yKUm*v{8rxSgpxo@V*%g{Q6Q&}2_&Upi^eUa3pu059cAn|GWS`Re|EJqgT zpoDUs6nJvZ3+R=pv?!Hfs}>14^H)?sZX#P$hoV z@OaUq#FA5 zU{?)e117q$WMDD4OBSY(V+Zejw0pblu^MpV1kNfA3ly0TqKtbOmn?39>_ZlV^F^pJ zMe0FOtk|%(p-e>$TmjZh-MfW`)DHH`_q6a!I}29?WY) z$tYY5iN-M4))8g0UeU9~#G<)I*E98+3Dsxwpru`&jz?SmA6Z)iYoZ^J`MYIvd(q;pIHNPNh|oh>#y3rg!tYHrAkTeFfopU0l_aK`DpuQirY1w} z_?*&$?KjYoXvPrBQG#yo%>ovm);*Jo?K7gbt1qJwMlM9@gjnlt$TC$1>JFq+u+^W%v2J3-TvuQg^{ zwpA*&Pv?%oaqO-97zSiLAM~i}5Y!#1^JR3%xYcB~eqnstj=g)$O>&EAOdlZMtjSe8 z9pn=K$tRW~h{idpP<4T0);m+;^&g+U^95@2#SN<5U}|t4o+TYe01v59G=M}$$v03 z=r9m2?4>RC!W8=%(>P+?KXX)q;9o#!wE+%0U%V@ybA3DMPM3K8BNsU|#yBT`^U@@m z?w@$f(~5oMNva@_k+1jU4#F6&-?q^xOhjaDJ0^G- zbg;I4#Yj6z2H%UIY)17P-#YbxU?DNYK-`oR&+;nwa=*Qc7KvxBWc3mX=5yrkC%Uf( zEym7+SCMPRYU*@Nv47GEe?KhaBfLRDjh~25Nh(4(GI9Ye9m29*7;Z^iObmL|hmF&# zDSh*cF*BiglS@q$5M(&;O30cZ8umnm4+=F+xKaBW+i7tykKBszM z>!he>X!soH^T&Cy z5Y%|6Jlwy8&wHPI)V@DenU*)diT&Sy>=6GA3Pl*j*#G;ckit6*($4?0GizNxh-@7$ zgfe9@-^mvG{Zgd(9uGpZx-jN%R6;7$M3kT3(w-qt0(kL$w#NWMyl<& z|NH!x_hY8hIk`EjtJ-`T(hw>O$&F21t_^r{= zlQuow@bmq2^kSK9MU2;7&P`tPGwP?Zcp2@D`4`o*oYn*aNq>2Ne}95c$499xyeS|c zr@Q~pmj8LqlA_OBa5OzIEQ;T=bmfA`-JT6zybck%Y^r2c!6m-r)) zQ-;+S{XZ5d{C}&fcC3i`IeC#OQ31;NgJF#rN#@k(@Wpg=woY~exs@)NS2JccU0pp< zNpayF8L+;40Cb}`lBV81FPQ+g!7rHtx$O|3h|rACllrCdZx#f8CvMQKr7Vs~zLGn$$f`B~NFZ5kn=s+yW%ZI#8H zMEjicr5oSb+1aiGw}+>PY{G*$h0e4p{BL+w4cd+j5l_rdVUpR#&Q5@;O-)BNoh5vt zr<-!^;3(X-nlryHxz6|W?3z7{b|CHrI!j-#ysoCZUtILZg}1o`(qBeUNdtkeIeDqs zFKFCDupVMPooKXv-bj9x=op#7)xbNzFEJ7gNZOrKZRX{(zvQ+%$D-85#|aM&%~2gE zVK~mRBmdhN`V9Y|pq)FjPaT{+iL;{{4&!&|(=%su#|~^A$_K|QbMx{dOO-cvSAS;D zMn<=(`edx?O2mG8)?=Vn`Fmf3k0v@qX@^^DaUs*x&G8WEI0!czRI z633>O9j1y!{maS&AXaMeaVuXdjU2IPa&kPot7p5PV>LIA-xGU8wkSyEOBZMuBP1|y zLb$gJs2S1;(&GQJrJNqkn4)oRr}bygeU?5z_Ko0&#Rnd+OjD7P68KMipc(8P<(V<9 zQGGnvrb|`!70vG*7{J}qKPG0Of1StisoZ4=c~tRyiBC0qI%_hCiP>W8Z19Y)c;4%+ zBqd6*Lt$4Q)!vNtyDJ@&T`QZ-hH(RWaPPoU&l;ML~oh6G%ipAHL=biY)ga$JJ z^0jh-rH5Lj2`2bDPAyz2ytO;#46ULV?C<&p%wVI{UK|PZ4ZpId{Hgitb&JMS&xD|l zV4*;ATs!3?rEJBrOH!-+Wu&MKUI2(ROSO5OCE)r*e03e;?MQ-&I-cu%QdkU?Qp#NY zTX}i;z4;oUxPxQ07q~Xs+*`jng}4bl7M7lxft4GW88U`UACon!Ry~Pk} zM+gQ)R-A?ouV>zvS<*hidI-00G;6cy%*UBI-QYVx_0n8N2nyV>5e@ zaJppFm5brIhd~p;GTTg0*Onxl-7-F++Xpyu^9{~etoD?AG@Ehpzb;8i8u8v6aGbH6 zw^A>vSD6iup}*Tru3!KDV${?e;2dfcsRF<2_M4v(MWbM*x;z*6z*A z_;4X#+ec?f2Y2l~4Bkn=%8*#;2xV91d+h1G)oGK6QvcjwXZV$fI&`Pi^$8b_%B(pg zu6>s7LKGBJ|HUdmSPy6^wl_g8ODW9wYxLuSRBG>Htb|_XtliVTl02&fltgS-_Xxa} z882#~1hd}Bs&WqEh!a;`Ose17&W(Bu%irUK;)4$ll7Sed33#7qOcdQ{siyqdX!YA%Ycd#3O`b6}v7ARBI?)ZX` zm2tCk;?{YlKyAK&3a3eCLX4I)CxbckcM9@}yzZ}wMiZlQEoUs2g4@ba!uH!9=2T=f zPt}Yp9yhG8XDS`86_<*pIz~VDJ~Mb5?+=NaSf}cZ%n*GdSe1FApsRPYK-!sTb}5NL z@J`_p3zo#lyDsj{Bfl8GSI$nU!w8IcYR|AmtAAR2UF+c)CT*E4$Jg%DKoh}is;5Jk zCem_{-HMN3pKW!7`*_-IJcsF>D53NV)o%Yi)fV@MxjMokikq#!KH zAvEn(?a~ayGDx1ZzMJ=DeNU@Wbp$je^}anK+hxyD5(t6~D_c@(ViO+y_8I;^nW?=lYp+|6ls zJFv;eFOXIIwx?QmCWRS-eASwJ+C(<=WHDa!qZ861azwnSyNqeDs1)z#ta#)h75W}QUjY}zfbB|tqYW6 z>8r=+u1_$)rSOiic6w~zVvc%tZ553U{s6}i7?2k@Y@?ozu!sMec7_M25 zc<^T<*kZM24pMsC*bJNKb%M&BuLN@aQW3=7s~Ns02wutAc_f-^HefEjRwg6QT|G3B z?9HP~s5*Fc30n@mv@$>T_IRcuI~=HUc<#RiBC5;cP`rdXsrUF?hi2QsqlANh;1hZgu4*lBaUjo7RC90v~ZHdN8&z^%a>K7LA` z=Wd{}qBEMj4%4FmyT0L(Z9RccQhB;Ta^-Ghv+gS%MiC7NdoZ8gBO@oTFy6ATa$_@4 zK7n~DON4j89yy*c3oziW!|zU7CYo$DRB<|5^bg~Ym22Tv$XwJ^hv{OpRAG#4_!aS+ z1xODcmHSdTt(@ zqeIgLq-3$6&?;Kq4?{zlCFABFu$i9GFo)6ua-jqnJO-1}CvmhFedN*!Grrma6n@Se zRNpF>3Jt0dB-S3QU_KjT6AH)=6JHi6q_wrGgBC)bX$h8o8Mfzb`Cpk>?eTFl{3LszP%IsCFc%S3sLh;*V)_`&?OWWIqLqe zCbNgGxRJIFt~106-v=BA86Pb1zud*?^BPU=XmDL`!S#d@_Dd>Nf&CIvZ)o5^^Kwz1 ze`QGUQ39m_KwtJ$6m{oKkaids?qTou*I~DwHy%#C%EaZP54vMxg|7BSR`Zfn`Q9sJ zv5p3uZ1g|4Af9ijsiO%0QCm_7F}QOAZ1ZMalX( z7Q)<}7<%coQ?-?1suGWPSI3M`gAdEu{VdWCwa!xo$RP0Y6Eg+v*#nF^iu?1pI=3xQ z0@v!3y&0Wn4Y$MgLMJjvZO%XKUndInhuYtO%0DM}%rPk>yywJHiT&OdZf&IVlTu$D z-FQ6;jW&TDdjnlZN)#6+772$bz6v$qAzINs!IXM*g>trX`#TdN2ie|0ghRr^8y+mD zoX`2DDV)u(HFAAKvbnR1*n)^pFod$JyGJC%?Jkwnow2(|e4F-WYhz6f=1334)MdE( z;?qYt!d@BYP-K=@Qm$QE1snzKTu}M}v$L7r2m1SO?A)AK%U9;pLdqQJ%J@GEM}ZDh zNFw&Q3E92-E}|r@Z^_d8^lZkn`OrLso&5VX!GnCABc;6c^N5lmx$@V&jx8eoo$P2g zcIksoYq8q1hcH#-<0Xlb?W41EdWrOKB%GOSmS2@ME-l3zu(j5i(rpcwZVcZ>hMSnY z2bGtqAxTeTM4x#+7lxtCM$%TnN+ZvfXB8lyxs0QQOR`8r>n`#01G0E;=FRYtXl>%ai%;VoD5tUSm}>_vG=a+3{8( zmd;Y`kF2}6^sxt%<<-I6y@Cl`#cc41hc6byvv3)1wqhe`d@?CQhIv=Ty~ZK@f;h6i z10n>F&!DzR*ZAV%i>jid+A^V1|U$Twri;7?;cs$I)sgX@Zk zN|Kzjo-$Ak-llKdmmK)1E9t57p%_^|`5qtPMtyMe8Eu2pn_b{S+?xxn4CBwSPriY} zUm&QPRX;Pc<>A+<^IuE%5RDwupGO9bE&#|80Yw@341X@O{9Ji!_X*M1I?2zJjD;>z zBeNpUu;$njhwALn@fs>FTwAe3b%FJSnUp-PT=>)RfvCeSot^^gr_c@Ko)<;-7<%ou z8=qEVCF9?Ph*M;IRSSM_%@PXz+Rnw-qUEGM~XcrBjFR6_cVJv8Hpa zYu*k;#6y8=vP)`^oI#6DF|w;*Rc}>{Ze3nndrpu8ZrIB3NRjZ8M0L~5FnQ=QD11Ur z;X<7jLIJycXp)YW7Pg@F0w+afs$CY$R+3G_0jV>7N#^kJ!2dpAJMcW zVP(ZHwix$M2M(@KQ#iR}`AUP1G&sb+jIR^D{}xzf8yw)nQ)m6Nv^?LhjR%N&cAI!V z?n_6^{I;cqvh;c;hqCuWv{g`BAgP-pbscFGmE2TF*Dg;=gUy?^4_j1Q8}0s*98^lB z_(74xnk}{nc*Zi+%AW#LW1+?6Iy9Rxq+;WXfVrcq>j11jsQ5fV5szhp@q9`7=5 zv^PhQA795}<1k5LrKXf&Rik&fSm9sC6Om!G*SnH)Q%wQA#tA8=GBI+I|C)5R-$Aza zjy$u%*~8O3@T>iSS;+7&Zrr#mn10BMRBs_HnYmpJEk+S`jXQswt?0?UF4f|dQPre= zojZVb3MHy)|BIf>QyUJ%MMt}X^;cT3GDu5J8na}3UdGlE0T7I(+eH$Lu=D8#` zeP0QU<6kwOON;=rKM)6Jq~tgbQYQahdX|>Z(X5hS@RU%nhzr5afBb$|-O{L!TBBHHaO8)nfVgvOb)i52O?`90EW{Tm| zsYq?9bUr0L|7#)!=c+gw_atUqF;r`4=;Y4wSfvq|lYFXleEn7dga41Zw+yRl>)wZz zR8r{%>F(~3P5}Yw?(RmUySp2tyK_^U?(Xi8?suc-JjdV1|Ht>b{NiG+xz?U@tTFF# zkJ2Xwk%;UZz{44L9*#du2toU6B@|ZO?iYMFr?N@Wr#Lm`EXnR`Og+oxtPiQ-l0}l#bQ+^n35 zg|=7K*H^PFb4u#8SS7R|33uFjGv_$yD>7SBq*c(f$;LW9yN)L&Vx&X2bO6Ucs;Q|B z@ou1*yof{RMR}pnKg;R0+}K%*z1!I_%oUH5SSfxfB!&J%TewSu1%a|U#eS;PQe>Ji zbHZV?k=7HlplvEFf%uR%F%t=M^AZy_)javE$wRHxh?{Bi_WO_hw=Z5dt0F_AE=!Ai zj!*55?Uy#^O z;}gHOcGmD9+U=#kI?;>gh8-e%aK6cvP$`vwoW3fun;c^=gYTxL2L9>OIy(nfTbr4H zit#(uv`=MT=NS)-D_U1u^M{XeRc{8Ad8S3|Hd^pWLbg3UPRQUlkYzX@b~8{YRbyj} zXutea(UeJVkqMfBWC&@WseYL4puyfhD&<>02=bEXzkr6ISn5yjJ#o-mr^~QCuj9*; zK<#{FTCt#G<&G>KtwjNXO2`y@E)OTN_W%wX z3QZp-&IpG)*X&I^_oxg-jOz2$2+h{k@a*469+UKp-wZ!q`uscqZ}S+CA#RDc+Dj7B z#Y~ZY?$FHC7m;rs6TUSXjkay{4v^rrDs&JXSK;ay)<{N#IniPd)@Q7J>Q57Ew)7?i zBK=%8pjFeVNd9p$3xcPuBN~|!ik0FnqL0)MToCUW7_4A=&q{I8#Dz$QwpDfqN&yYwoa1pBR{*_NDtxQKu&~-We&)~wiewr1~KjV}*9GfM+CsNdx%`+i6!YLS0~V z0ee_6%4Ww*m`XFJ-Q$))D${O(Md=Tz%QT1)j=k|53S`kyqgX4il4qn2G${<3G)p0| zO>M{n^80Yj?ufhP2KyV1ykeGYT}x=RvZt8vQp)qia_q*v8zi*=#Tt|O4`hc8JPQhL zv(?TwBtNIE1oD;nSq=Fo>!xcVJkJ4&?%hBbL|-8= zwVGVoG^e>S;1p);r=Vv% z-W5RlDHQz+)PmCizpEQbbG_x(Kn?+pf>EBvqzP5EM5*L!Qa-6hHjw*WiAujF(T&U#fe8vs9JLyt=Kw2<&V4 z3GR%Sm7|vso?FePcN!n2?up?mluTV?Chv15x_dh*>$h4f>03mzKhw%XVX-l@98(Os zX@Gw^`vgNVYe>r}6+wEi%5mB?J)qcnFg9f7%4=h41U{EaA;Ekk9%rE{{D_Z*Fh*#J zC0hu;`h1LKitgzwVr;TS8k>>QN5z5g`*m#_*>w-kOh!beQklxm={Z32BAULGwW;BNi z;huvyGiMwmKZS)DxXB-GE_QT!NUNO(6S7o;l8WMh7aq{v~~5m$Q71vnhrwvy;SCuxW?lLVU6nrkwq zl}vM5n+>WTN!I6ztlJM^FopYrL)lmWs3(;7#L{cf;BXrw*K=GiW`~C$H#Y$ldg>S_ z$1Hf|Q2;SvdXIvqflzM;Ohy|-z>%waK%Z%C~SCjp$mV ztV`^6D2wL8(gN185p;YHaC-N*=k~Z;em<;$&zejaEQ9C?w-)2lu!eFC-w?ZGtaM*E zyg0890ZH(7{g(>Ztiu^Ub_wYGL(>L7XCS~`YxgPd2KKm2%L^2C1GsU%-HnkoA6j8C^J{<2ty$;(W)g-Lzf~@ z*dB4um`;+0C5>rRB?CjGBb&%U2$RS)irlqsLc|vMS;!T-`kWZ0QQX?LvQdOwv~+BQ zldfen)jKGKGZ);qdtJ>%z!HaZYRAk-get<=U&@zv$( zE1|Q}C5p@>Yq+>r^X^kQ63X7+;>vq46L}=i>l-_v4JC`#G-87{O&M%8K-ya<_=_Kw zF^pG}M9@9iB>bYIQi;lXKUUBA(Lew<1bC6ZLR6`|`v+-?n zMq>-MCI4xF{d9!8xgmn+6J|e#GlauPvLZ#Kw+}X2*2q`vX&_6(?6G*KVth#oPY@W5 zCuxG+5}vvKmd8vH5~H&hCVd-cvu(Yn)H%GOQt#{-%{z>n;IU;yQpD~f z)CYZSS~Xt`H-DX`G#;w_xNkh#wi^^|#W2}oQiAOslV=XgDZQgcB+r95}U zaLraoyx>~a*$D8GotEO1DkQ=N9BZw~;00A_YjU!G_f*Q^mKT ziKyuQr>T4c<$Yy376v`XYV{aAh7g-%!}>>O0_5WiD@NQJBJe#N&$GP|boguP_DW!~ z$N8W4&3(C0*Zc2TE-@zpC~`zL_6^_wc8PnF=ioZd4EOF1A~0?%iCe8iYg2+Op|+G zL?t|_#;7~R-qH%46L_h&6)YKgq;cZ_95|#u@=9|d3u{NBlU^&GENRFlaN2qw&aJR! zYUVGK)5R)j1N4&z($pb!YXBGuA;DPZG{1J9NaP8Rf;pQn)3yO9K2;Y zRMx$-iZE6fxpPSR+|kPS&2B!lWt@!ta*kiZ%&w;Q*^pe&=aKUoB*hwekGE;7fOB#u z)%d%Ut49lU`Xp|LW?R!^FjM<|Kv@z|;hYIZk_NSlvm-uNdcmisYVd~HLxE03rIHj> ze1DA<-*pP?GNu+ai_0$pmpJX|LCaM1o}%s;p7u$=fX%M6DrCxg7AjGxekOlfUa1TT z6Dcl0KK)TbG=hOVgVVTaHp&djLl#(E`{<9+%z3yZ_77@8#6GP%4DQ)vGw1DTE?jUo zSoQuUM9n&QxSz|#)e<=~u>eN+diF0(B^q_1ivp&$+f;%+rUrpti=c{!vC=nZC#o?a zZc5dUv3&b!r3~>jJ#z+GR;W&sBi5KHhmWo-(NouGd$pD1>UNXWN|tCP3qf67KgNu1 ziY6T2Kq~x9Y<7mH%)?zxppb<`gl)Q`CJ|-Tb4l<o{lI`EGCf=p{e3!)A{Eu zpBkE79NpO~0i&mw->O=)s#~^dtaSh z!VS)1$IAf~w2W_7QAI0iYBIHavWFI2-ts6p*Od(wek8)!V@d4P3o}4U!`NuOq+Kv^6in1+{lfr>JAm(n!%-C!(3S(2&!rS>tRA*5_t=xFwah(~{TE+uH0eE;km!{Sr}4 zB+jYBsqy%J1gEvyI8|<~`9osBOo@8fvJ`n9pyB)XF;2O?8xZ3YDQV~~Y<~|ZH}&7_ zs)(*qQg(@MB6MgU{VszYBBK)&=kh4~2?WG?>09icQMeBr@~yGB;-$|?tR~-DU!ya- zV9QaaFopDnW!lc_=sPMgS{+#rIAQeT7aJwDMDpyhD}!C-(kcc$vPP`H0{B#xw`>kIijrm6ak3s%I(pay3~UX~YEvji1g9bu%FQR>UI+Hj+~fC7jh~xN zuITNpVn(jASODu1P4D}82L+6>m=g{o_&ejTE8wj%VZGWT<1CZnUw-oB@ubc*X%iMv zIp%6(F_oC(ju+{v(CbmwF4P*XJZgkqodhF+e;lu5pPSE|G-Y7&(pY{3IZX%W|FEK3 z>I7f9Dk`P2Z^lUU2V$W%@W&718wof{@sX0UxLIKG3oC+T6~$43HX2@EGlmzt|ed0*>9DFAo-dR?(yj#8U8V zbeso14>%l(_K#m3wUp*76pK(NHb)BxHR)VrC9l^z`D^*3=OP>Txt(iCkt)o+G@ zhAx9Q%OxRQeStkp5dI;CCXVH16yI=reQ`_bwBy*Q67Fa@SU9FnH-Uo zgsuiAbEVw(J=G0sUc1y6b?KzahUk`jL0#3dZk}2^u=N>Da?EKYM4}N!dvbJ>BWHzL zv<%s^DQW8(RE9P}n<6n29N!!mk~@bt9R0l-vvZZFrKD0Te++SOJG;K%)v7v?I4#^F z)??NTVKG4!r;<<{;B=O$jpx=YL<@c#W)e0G=HT{qhbK>?A@M{_q&1B|ER3!bya!(7_`vXUHBJo-!H8V+KqStdy& zO&s0f+##vkKY)Vb@GKBF0Sp*T3CZ^O19PgLWwT|IkKYImWTRtT&y1XH4hAIEUO?fd zOzU3%(vZTPze-D6|7aIJ-Y$-3SjMGmdb4u;zMP zLoP~b#87eSit%m9yzz=0WwZ^Kty9fu?J?vWc~BtmixpMA zl9^OBI}?GD=QvBd!?@TRtJr0*<&^)%0`z*ex?-;CK`}{EKmVfg z)EhpV8fH5`k%J6dfujm(u)$u{`l&LU;_$)iQ<_MarcQWIG46HyrFi*dw)|m5ZIBk< z3w?xXEf%cg;EUIyV2+*C(aV$P+0Uf8M2w-*60H~3t>c}SgP%cR!a8_29-;+I+J^ZZ zx4hwB4#m%vUTU#eIAc}55xet{+20M={G*;V3B-NZ=|&?Pc${sYm_fojoc(;+XrH>uBK-@CMy4DUCN6)l#Mb>|g4CK7Xg zoG^LK^4!;#U5f7xivM{4VdN61+$Y%$X6*Cdi5X{21iFJrB{%po?3)J`-Ml zhsMgHMbbY4?QOIF4ve-%2L;hC8Oh!M@vr`2f6ss*e+FNYjLhHhx?(4x^s?81&Cu{+`6{4`K$X3 zDAO?{B@Uy8J&Er}IPajv`MYTIYAAoU-+E-lyD3w63i&zhM^ORI*Xhn^-tS#ODOQ>? zW6>0;r+twie2&l8>IF3thzx~5B7qa_>qh#B8W!UNDrgL`u3v+fTMW7_<4cD&{RiY6 z!P4=K_=$Zc&2O}STz6-UuQx$M_^)Xjg)}za?H&}U|8|&0=Y41R01X)swJ`jR6*_tw zPND#`nr)7+rnKyn7HAeszem+GGc7(wUQmS!hp^4?v;~3v}1h)LStpme94M$#^ zlnYRW^Lm8<_?}oE!xPxPjLAAPkE!)iKGo$s+SL{zX=Q&+8LZG*uaU~s1lUC)Tnw&jN zC(K=t@aK)8% zJ<$1;nhO;e6O)ouWeAOlTQc4UF)mYeXus950%V&C#*A=#uH#c#$z0P%Wo(jBx}(h5 ziAClS>x9TIo_%?W2oouv#p#@binv(2dN&>sX>+)p`1qPqJPk_qx}%!HHkV~ka)hqbirYl;-Y z7^t-T)*I-wmRe(hW(d0Rlyr8aa9txCPXV6l3$1cpXI@Q1xeOm~>mYNbHWt&pFk3+h z5)){*KXfo2>5j8*eyNq+Qw=#%w3F@94qNnU&&c1+Lp~U6C3?h0SC%{1Q~ec&+#YXj#j3u?#-E zN>33#q2Ib!878YM7V{V8l2w22C+w=Dn&>-lY&-L9asQ&r}Jbx~v5Uh&S#lTvWB z3klHqs`93wj5k}o=+x!vawo8Z4CnR<1ucC4wn$LCWEkZ$1n)*KEO?Kt(a!TU6E|F_ zrw5%56E^e!3RR#CYUjD0*BLQAScJRZEw8L23Jgub3%m651_^x#{O;}iVEzMa-*WF9 z|4CP#*s=C``KRsQVFhPSAU$qi@v2n$Cw>cA1!GX|AR*6d1cdh}8G!*(#;AN5@$29W zwb$kA8YJeu`M%`}xRfc1U~8HO6(J_A|q3iLccnLJG{su$#vK%IibFmU_n2yMaVs$`V-TFC2?Ht5&h_Cj2`f>%~n ze(ot0J3gRp?pmFD9JB^~e$f%2V?u|>+lGypkP<3Q#;U2nYH83uVYU6vYEuil-H>}{ z+RJM%)fex^k?ZBuRqMj$MgNW^LStr;uYDHDGZ9o2fmjC~2Xr!^u zoc8y?esWOK2ZOd48taasAv?#Mj*d<`^*vSE-zekO>2rWf`~=TW zUGMPIN~aIr!65)TSI|I-ATNbqP5uqv_$@_}??K=>JTzFOcrwNDTg;+lIosL`V_;2@ zJZZ{@jHS@L_E)+5^Dk2IRXQKq-*pX7V>0D27KL8q+P4XhxkG8>3>iIdof0Y~Av<^W- z$RYOMsOaL?$+p^<%wYhWJQU{JLiRuh9m)3p5Ea3vSLl^V%msM=jng*tKm0`O^@LF}KjZar{cBB8UGqrdcQS6!EX7L=Rq}#+78WS) z%2_eJ{~G$6$;VeC{fPVM8wBgf&|M50-y1N!uba5Xl_bIgwU$27``OWWS$%4CI@`1} zwEVr(5O%NKjiG&6a!6!CCwp_FJKBnDDP}mFXa7JLbmwh1j~^1Yo6*3tN_a^TE?=Wo z(;T_KtcvewMVlDTv%bjRAdr{*b?I^jiEGwDt%6ca)UMZ}Cj8Hg(2Hg&$ZC0v7z#B% z!8NHQE0_E4PNbnonT3H0aahr3c6=Am@fXCF+9c&ISz?DZW7?#xe4D0Z1e0r+|MJo> zTj0N*S%7|~=^oC|iuJvde{7O#NTmwbYBefXTF1Yr4~l2tHXsTEl>DeeJ`{`L1x3HI zczZ0W+8XXFwY)tv4Zvzz45 zv-(g8?(SWd1d(CHNk?ECk8?>K-~+DIb=5G&c;1ZY@J>OzI0R4Q_nTmfjUMrAB@`Wi*q7m`1Qfv2}FROqdvOuS5`S8-@`W_CI? z(3Rdl4-HYko?YRJos}{TsoK3ULU;QisJl0n15GDewrg+?GesGlG})|NahDuzlU_O& zz^gy^18|FAZnjVu|0g0Aq+wt6@5Ac{%2y}VHAmCFX|~sT!m(&{VxSqyY zt$zr0a+287Qe33Mm`fQaG1Fmmr8J=Lq&K}_a0|8C}f|{7UiQ6YvpaUchFOE z7QENUXj^e2^GpoN4h%wB#^}Wq>h1Uy$3=uF<4-eq!gO_mIlA4%x%N*_{!)4aTi#MQ zM?%$a0l*W}!Hbl>q}mtA^xCDQs@V(%4N4}vCFX4E*vq3u^p|Qkc8uttvgr#F=Ox?B z|GpDcX^Hf75O33fog& zb%n%A8~Kczt~3Af<8RKK(e@*C`Hk-GH>^VF<^`_azI=H1tG??Q9<%FF9AQNkRBF(a zUyH@Fj*1#>v}qoQmi9HuA-p3-#=IUymY8z8-WX>KR*v2gX%4p=WzM3wy9d}g4yqH{ zO=XK{D&K?3C?#6jpECWpOk(OgzC2*z4y)2zNp!ru9WtC7E0a>G@HzOVm!*x2cbqJI za^DJ!nK@BYn`Hc7>k|+LuXxo@5g>5ppd6q)sET4bmYk+sQ-U)S&DE#Gv|AF5y*OK8 zI?K9L(zOXV^Hf(L2fcr^VXOsLics@Tg^?>hZGqK5W|OccQKFhk_G6&D_oy=Ixgj2? zfC_&sbn5{M$>rTwf9m^~eW8U!Q@=1e19y*$y1dB>ikU<}aRR+{EFyycUIRUM9eR5D zCdLjIjOd}V!x#+p(69=t2N>i4%BDTP1lG<>#l9|F#7KIV(bOAr-Zp*C&Jaq(Dp!sOVYP~N2oMwaHy)N(Mc9XS3h*gVxce-J5d<+skL6l=;H zdPQZVi)|AF1!|DSYXmoQK;R#qI#}a3X;UTUO!>&h1>hYlr@wI+K5N#w)sBVcIYjBn z4AN~FRry)BFOqKWc(mM*OpThXz+KFg6+z4BId3(WKR8+;Gd)(6v&ZC&rH~J2u-F3Z z)-UB>j>cQ!bxJ%ukOG}hfs1|hpuqXB3)csdZ;fd9B9euEn)_i+REpSYW&CZ#iz&V; z`wV#|a~uQnNc?KAdC3&ZG#i#==G8%3e|eMytc9AvLjQDd$p#HM_e*t z2dHwUia5N^k#3`cHiK(2wJ;==tjd|;F!~SAlT(FXaIs;*MXyh~D3ncL^c|lIZ3a94 zJC@H%U(fL88W0>6dMPqM5;uaFK>i!`_`X7+@6o>NzSOuJf1Uo(?XO}hOA{kTnVO+W z8l`wo_w;|_GZSC`UY;!_SWe~_=Fo+*P5$?^`V^pc7vPhm21r0#8p&6K{Lj()c`XML zgcBr_xWCqx%MrZ@a+bcK**)njlKj&b)-?3uPQWOFxJ}VW4FBq_eJ~_D$E)(qAy^wlEy{ zmoS31J5ug#m{NcQYDkU;jQrdJ@g*~8J&ReezeX;_bI-peQfheWW3e{_9T!N$-fg>8U~AfPSeM+kY#! zR*dY7i6YT7MS;vrTZAd|A?E+QR-`&aH2-g+rnM7PAPv;lAjkPC_k+*d4g3*MlB66Z z-(x01scM*#RmV~nm|b;*+d%(rV)xj0vO;PN@lEq5??FttzMl-49TNl5%0$l2H>^d= zJQb`l0TJ%u9Fb<=MWj~_pMX~<9j>uxabZ&ds zw|(`0%AUhX_zx`&L5#BIbEt4Hgh2W9={eiSYD6$j{A_tpv&%8EkJvGWt?g>|aG;Kb z(G^UesNWr}xk-~fr>4~&vw1neCCqlvABx9C=c1~qjN*o!*0l;;)8QxIuhJ)r(^Dr1 zdxx;rxrwea&$YRp{&rL3aDej_|6HB`>mZ>m76|bK^+*-Rl&;| z2vwUrX4q|h5POdR2}O&iKAK6gJJ;rl)QbJJ;O6n`+6xL3wy3S)pgznQrvseR>9T0v z*GP^OXqh@RjHxf&2=Y4Rq3cmz?@SmCNNVk16f(59&xr`Ap>E9QozJPiQ-5R1?&j}^ z3E)PA>m!kdV$2I_E=^-4{lSHZm!*&x)5C-9IJ2X*sG4y8*Cx7wiPuXBVh?wZx21AA zg)7cq=w`hK&?ySU9n?BouRD!sH3>hvuYSBgqLrvWy8MMDv3_aels5*snk$u~gL7-a zQ@3L!0e|TVB4RNyYNU=o}UL z2@gGO*5Fo!h96^JtPSy|bHp1;wEIi#FGoJy*KASC{g4S8oGkg~gjHh}!MX;OGAdf_ zu}^;Ou5EO?6BXxd0i!!u($=EUpyMu6=huj-fu+de|ymJd!l zTCX>FyS3vn3R>#B0^zWYBaQad30!v*RZ5ytY~~#GnCm$+@H>NDVb-#=u;bO(^!|sx z49Ye%Z{iB3M=w)KH}t$P5zXI0F47Fjl+Ag(m`%A|>lwvg05|y_hylJZV^MwgEMM6)I8#Fq@ zv#c8$yh-Rw^&9!7MqT!(+z=$zP4lHWyu=WT0|4 z3LcA8D&4_L7wfb2i#Akxtg3&et7qyaBt5q2VWLSmTb~d#%Pg;N`-I#UlnoSe)+t)C z`E|KeC-M3g%>D$b*Px|&)f5b0!alN=XPAsMvz7@&_#LV&wS62tX57@)GrWJ8Q-R#v z8P?BHR^VL8m~AOoV2xaPn$aCcj8?*! zr7V-ek~Mbi)@C^{*kV~2qV|R@-nV+ivQCax-yGAo7=uH%EJhV=>tms?X%6xms}ReC zUrQZMCgNxq$`LuKUen=r@>+0^Iy`@r_T`KFS#LPp=8^iskD&yqo}(M{sbr-poSN2# z1^6?v@A5JkI5i)0W`4f|ZeQMYc4q2$se1n1qWU3wtY@N1#-M5Rei+3cJCvtuBoD9w zu%=O!UF|w~UkV)8K?{S)`*gcb@v}aB6|+n=fdace2H1(zDkJGD5zrd1YySb z>qmRDi9pMXItBK$>H3F}$f*CJC3j>nage$>9VC{qN(mXhDeX5v?>UR}+E~m9H<34l zyT}GqocpRT1BEqoOi{&eR`l;yxdj5+^vD(4uo@W)wmPpuaGEazvyhGCSdAn^Zp=d{ z)gT9UrHAjgsZ3bhSyw5_CJYy}0B5A?_%8z387!B36RBg+yX?-R(c3Yeh9axITSuHe z2aOZ9hi8=c)Q$Y@GjZ&9eH66mk3NQ)$d!#v;cEMGFcW35fmf9T=ZYVYO<(HE4k;B{G1Fp=*U3<|= zEUj`^yO2SF=}FanvbMJ^e9#DGTU)_4)LaGm7R&hTtyWC&eyU>y@}^i0SmK8WrIq9U zj8^BQXjUqcSSc^hO7^SW%`#B`tG*Sf{~L%rkd664^YqPd&`9_suaWbVA=um;csyTn zm`oH1<9-ZW=|xRxZ#?%FK?N>1-<)}2iX_7&^&h0ar@CnPZZuZZ=&*@3Dx`bfpA-UD zgfsp#$N7@bzXVfVx{urA^381Mi3$b5Ru6L7vg`L!1*~6NBmQwo(H%yfDvgF6D-&~X z!JW#r)?E_)A0aRF-g$+4HKfDQ&JZyXDX>~MlnHK%Gfx0JKvwZ zwM?qgE|SX(d*8z+sB^Gt*RHnYiX%9}eP>-4xIVI}{mW2x6oCFk9~e1cf5O!M(2zU& zqqgw}nJ3~qg?+JviQokb(JHT5q!Na+?o$LOJg7)o1tnWhZ-*uYVQ1?%Y*s4*dX|!9 z>Wwy)FJm52F+)vp;eQ>;MjyqhK%BpU{py*pCH^9RyC2#4$z*cOBKk#t9@ykP>#e`A z{@#CB{j7~2=^fzZ5rQ+RLG~m4+3g6+h(>#WT5l=}-7W5U%0`AQ1IJ&D0NW(Ii8V;i zzXlIxwpqL_MXOHd8FM-g&eG1ZS`-xd*Rl}j2lWMPh&!Km=2ldFm!5l{s zt&VgU768z=RZRIMj9=~p+Wv%~gfcTC-uJkrzPnZHfyRG9Hpd?!QY-cde>=ePnV{$$ zIhj<)kQ@1Zr_fj!R-9rJ$-kDRx0Ncv`&e<1)swHhR?p}h26b^XFW2H8)O-3VH@KOu z<{!7~tHo8qk2HrF&lp7443T^FBFJxZMzHg>So^jTY+= ztQ`bjd*hRD;=QM(``0S)rlWhE4`i&~84&P@NxfyVvWi9S&B12D0%Z^c&Bv;P8n^v1 z64r=by@EuYTh%d!^QQWWPYR?pY?eP78{hqjIR{BCDD0g0ga7u7skphcm=kZz z_oM={f&Ixb>7?K`r_)jUuZ{mB%{z8c#J~)YKy2l%??7#IAiq5`S`w3h6kPJ|v$j>n zXHL@P|FHzlY6S0(K&HMgHLzTkztM!qa5y=uTp4lMKTK=&jlt)C1tjjbmBaC${*aN~LW5Y=yZFaj>rbmn_|LmcdB^au_u3Aq>_`ZI>e3Ru!sEpRtoz46NlN9|7x%q@2vDJt+ayh zaDra#AU&Ak7dPC^DtcN!)w9oqaC9f&?YKKrUx^>-2IFNbekap}MS){@&@Zj=xR_BBQG8~N-mXRj85$&qi3H2>7~{E zw2an~4__hM#+&ANXU2w60?%~zkSPjY?j=xkvs{CI&$!@VM+Wq`)i0C@6;c8YuQl7s z(K34N=l6!82fy~c?~#p!(Xj;!99z$mYTw<&&Tz9g`t+Nl0(XDvtt9j9&-@}AGn=cn z{B#)ZS7BYorUc_`V}j^GR_cX|R;$WV+Z>ib7CK;nhOJP ztMBN#jS1HrzK*k-cN7?W+y}3?4XoRe`*%raAfnAdvD(PMxytH_K#x$D{A^Ik)UjHD zq}dBQ#|LUdEs0^ma@TXOf;WChuzv9s7`WFn5?y+i?DLC>ZFnEig2Q}}cTTtX!F94e zeJ-w<&Q`+bqSz&CBn+ht;#;hR((y2H&!JR{3=;*sQj(Ry=LX{Fa zvc_^BB&gKXapXVX;P}eugcpY>ES04Th+50hWAU(aHfvkx_zRSO;#Lh1#Pw@zWvWAy zAnXzh4E_?+HTB%gl~s8IqK@eR?_u9}jsr0rq##rlJ|d&}s+M<<7)YQrVeG)22$r$N z+%j015&{HmtnCR|DRE%cxCjM9pX4?U4g}Rjm_Fd3_-g8ShvdLVQSu;Al&rRpU1A9m zO|f(2^OsM40Dbd#enlRVb|e^=zW%Qwe~1jNthnv-ng+tKE3&v$au8|I@FMA?*-4~{Kx2+N}huc7mt)Ii{XYhCt-#7 zX_)|DA#>HeiUqAn(p)OrGc2%E|p@kX* zb#-|pG`yggR+dB3o1Qu;zMp8)k|9m-7*)nRkdt%tZpKDO#qe1kcSl256UZSYtJRJV zB-d6cBV^A<7o{F_vFCpXP4}EXnAFUlNGN@>UX)H~`ShKo z)&;g8&=sy)fc4lKcCN?(S60g_3^z^Hhr9L`D!KMyVtc8FBKrKzhi;C~l^SN4irn-x zn@~EYd*X@QZq5~^2fDR;r#GPspD*lH<41<(-Yz>^rp1}lTCYvon4*7n)SuM9%AkRHx+t8=-^!SecWcBQc*spwxNy;^h~NS zJsZ(}E+BTJqzZqsiP{fQwzfE?w=^`Bd`adQ@4i*Yxs$uL(CF%UqQY$4fIyYp-rPEE zpETT4q(tvO>#WZbD9`pB?j2gKLRB7S@{dRxorgsSDi;z&(cx!T$w)@L1@s@A`ZrR3 z52op>e))>wc?c>qhBf-$Q(J5hf2_M#o4%US&sqAG=qKCW=!^z-MfKEVk$}ZL?VJ?e zY(03BH^&OkU0V)a-OUZX!cE#mBYR)o@jY>e*>WsvRvUk%D^jmUR=YOu z0Sa~w3$@cf)~m$BQA_5D0B$W-IdO(`J{NGtUa3k2UkrYGVkTpHm|-|Rxi(h{xSpK( z!hT$QFVC~tJVmAvB3?s#*jYa5wUcPzkZ)h!UF#v4WIGZhF1>8LR~z}dW@glx1G{+ZGEKxPyMILr*G?O=C!0fgm3V&W z89sb4B0Sp^da9m8{-UOMOz#8EWwg0mMGN0+k^R{f^2&6|=)Qb$o~a5x%kN=ry71jc zSy?%+F@$Tnn_SgxL+aJGkSWI<^VFq))=Cl;#>-=R_h8PI=6T+7wzxwlqv?E9efyfu z7od>(q+zbc)4^qOW3+D4@;kRXIHrdw98GReL$}5CZ&c`5aeQB~+-&w{Ihf181Vm9e zt*x61tt}JP;Jt7)qa(hoRZX`w2*#Dc&eyvrEm>L|NkR>=cW-%1t1yfNsHW#w2d(~6 zhF&QU9DHx(=)YNB7~vw|gO>hS<%xNnuL?F+M2NvY7Ndr!H8E_&$P(O?^6YtcHi9wW zGF~P)Gy61d_QPaWk1?bGG1K#+4RjaBh>}Ej$)$m;l(;*#+nL)+v?BbOk=#u7Wve5Y zvK>j&oG~8vIolJcdAv!8n~1V2OPTng_~9LIHBr>t*`jGZ-Ul}6%rAEXaGI?ty8Fi* zE&T!8vQ?Gt`f8V*h~%^8a1S@shL+{MTc?Z(!Hwoc3OS!*X3a?oicuGL5DYqB=9&j@ z$;)WJ172#$-*;*RH%n$UK-ItL3~A=-p|JE`>!g8@j{KmmR@2aoCN1`TZ{cC_edJht z8-El@>eCFP?TOv#5|5jm;Z7k>3OeE!2^B(o^-TEym!r#zNXDR>R5$~s-)O-5RG|ZA zfOut-1Mp%^7MUlddzQ?_ToU;pJ(>sn8V$B^QKMm<<}lezC2rP^#?qKj#Y)vz>ros) z^kYQ+ZWr@tkzM)j<&!eP8ml|(VSatCYry=G+F=$k{buttnH8HXm@>SI-3GQ)=@fmF%qM9pbC8-sQ>qMM(X%B-oH*nn?5 zl{vN}d^6GpC)-nx3j`d}y)V58X=E{fxpCFsYS6Hy4WUb`0_Av|`?E8!L8;mJY9g3$7l21h*MQez&7BR3;q=17R zOj9RSp=oxU3fY!kb&$7fg+3|GyG-|yL>GD_fc1I=1-CP_I$CU?&I_tkYCRP8uD)W? z>JKy)&yAfT9yolym=7^LB$PAxYQ;_F8Os@x`>NyhB6WNE4bN{J|39X#Ix6aJYriNd zCEXz1HFPT}E#2MS9V61+-O}CNQj$Y=Bi-H1H@^4k{nna4SgbSg+h^C==h@HpiryZq zZTOtYiils(`r{{}4c&8+JVon=os;MSyA|N-NK%1Fh$miO;5HmWvyq6up%9DDqj&4= zzRWuPV|#`kEo7 z7!8FS*7xl0=^l2gtCq6B0Hb4;ZPb6iFPOoX&v<|jmeP2VSTJJ_&@>Zi@D@uYuFiBu z!OsGFggUUP8BTO<{FD`VQjIJW4;@~}AImRCPnV_A4dAP`d~w!Pt>`6NAM0zHuN|~v zfg{qvn`(w0=%VQL;2SLzKJC-ysgLd4PTtIz2o(0Ht$r#+?qqAD-{!pR5i>DyFRFrT zjiyHf3z~^qH2izE>vp5ohoSE!xijY|Fuf-krg$T7qpBLjICP#Fzr5eJL4%N;nY-Ey z^GhD%%Iv6kf-j+JIy-Z@J&~Z|l;|dJdW)bOS0&N%#HzlBl+UW>4+D?{8A1Dj6@1^x1t$VD6D~(b=rmiMyvR&4n#tJmmeY-gmYUcJj+?W z+!}lDYI)0yHx%cUx~_@WNYUHiyC~d!iH3_r<&2L7$`<(U*2Y<%-uTU1lCY*`5*_>T z+oA{`M%NNEMO%Bo6>U0ej;kEmH)f^W3w0FR>m1Xa$5G9uz=Wh7x6%DbQ)?Hyb&7{a zOQbHJgtV7=j17UP>h8AkR3W0^H!hMkR}omtRa5P*wC}KngXJp1vBYbhh6D2Mg?#s@yG4!fuyx8a$2F?ul$*|*an* zveS8*G)wzjy4F+lN`}CrN)%1gx-19J%aMJk#m&Bj+rIKO)6WG0r zzhY7Jp49-JQ7d>)xiVAt6l?bFIC>#EP+AjdF_(|gHLe#VeJ+`XdTVe~OUtckd##90 zL7vyjKKMFVsLY&_#)A>0RQ^IyY7+Wg>S>WMBoRqVHAtFUut2U14T+F7;Qnzi;^un5 z>OvcRp+jy1qJ{!tH|O84%Mv%QO7JJ^JWsjkd!^x&b5pg*EnSGDZbij|knu+BneF0& zGxLW6M2@Q|dQ&d&=ltlIC@l^&zX}}Td zp@C!&+*6&crc;^=zWn;@s)J%MtLgsdAdp^P^Ei>kgw2NojKx~#L-;V4>klvS|G-wX z^rjHs@Kk#cji9XkI^XRtPn}8^$ko_CRt+;+Zg0Wr!tB*j)$d8^q$pX5PlHkFw5Xyz zL{qVH>9xC}v*uvAn*^nbBH24s_ zLg7-cf*#QU7ll^fly7_hpr~89Bsp?AxmG|o{wYC5O^~(H`O~RQ*;r;*#(ctuNk~QE zgS6CjE@+|7OX!n=Wmpo!7^-AuC=&8kU&Dv6oiWVJqI9HZhy4%9b^>HRx9ymq?30td z-5?kT$TeWt?nvK-h{TXeKCT}ZNIxVy)>)E>RV?u0iA0T7mw}m?WKDlQ7ZHpMV?T$v51#aLc4k52MVVw^dI^4_nbzNx6YLl;wBK~Ux zISz?J`A5!gr+OyfO(oIIk3CyLv8;iJn?0zDz;hOPy|kg&uJ;dhg$lmTgo{n->GHj_ z8kK~Qc|4ngWH4V+Wixng`OK=;$X#}|6Bsfu8l?Ig>IQ416T@c^);m3Hoc9JWPXYc? zix>_ETa>jXpn-7eCe{Jz(C~t!73-~^x$6kwVZM$5I~YP@;+JNUfs57~6PxjvjH)Rq zH!jUS2ka8^dg6NtDN`m=aowMSS+50WSK+E%U(gBlX0f|qn;q>LjeM$DOM%pilnzn8 zp5hxuwhUUM(J!z@Okdvj=86mx?8!XZ%Ml6;6r|rd$fbSz27?$&H(B=RSeGhY6n#1P zkWL|=9H`iTm8X=>?Rt+36NafmjDzd`g#KyC*jO&{pE|*a^(ejE`{)OFplkHWliZga zQ5Z$O^o0&5u1~S}Qi+VxVbCZ^5?SX@xxJ!?k;A=7jOYl{#-#E=zt;N$s3QLhaq~mP zs{UqtzdcMLSf5+_0>(*M>OwAk6KU~!2xrqCS+75_Qq6nu6M(+J<`62Y0rRbzPi zd5!=5ulVfw2vEXn`_I`7&cyFPq?enkjYC>&CcUu-g1e7K(uL(M<}DU)HKK_6_UrJK zR$H_A>3II4AiMW4?oA>603<_qUdBd!PL0+}eGPD=m~;xUaWDYzOQe}z>|S41WXd#F zk$zBLHs!mQ@ZjfA&k8cVOBrg?NI`gx_5H^R=!CXKMb8q zObRz8lmPnvRU{E83{>6cCQ9)W1*42Y0n^h_FS#rkW@Md40a4WU@GsbzP zq{=^k7XA+(|9hx1oa%3h1|@inj|yZ^uX$e&&kgDeqzsu9p?iDQMJ4~%ya_P>6((`T zEwZNcPY0QgT6I*V6|cD7FDzg`zcZ2F88-#qt6-2Oq1DcG(f(9EteM$$ z)7j5RCx>#c0-pao$$Ioxta2oS7ADKTd`Vq-XD7WgPd7xbaj5!G;C3>lSb@x$2`#@*ZFd2FLaN4ey9lE z#C|5Y>bm&G9<46J^#?VxKf-e)wA)?7F%RnEs7eq?fx3n#cEG7p-xfEak^$@8o)c;7 zWtSK@dH>LC3d$Y&mN*WV>j##gt%I7Fxz*N7FcX21F^$sR{X~aXnVl(dL)yg$zmRS> z3VoQN^ETBWS!kF*2g6nFIAs!X-a#7e45D@Cv5H=T{mygP&MQx?+3haD{sq={Z{a}v ziVJQ2=!}E7D-xwdd9*1=*?gzhO8J02e)XvE`;+LD@yq-WU#P*f&{YrJX6lNOd~n~V*Q?F( z6P=-W;~kpx*+5g3QZ{dsfABC~uB@upxpE#b#Fg5f{z1pJ+g`GVh9XFQzN1j$X-OT@ zA=o@#N*=&M+%Ug7^B;bX-M5iSfH!})*CZ^|YRT}{n@N#HD@|>PrPyWs8IUhD4!+>} z`EmtSpX!|wh~X7SrZ7r?2p&6y4B4#Da)AQlt*#~Chg-YZpRhl_tpgNxlo<-`B!8+W z;Yf<9OXoIyj@5*Tv%iQD5}_WYVvuxb93?33bFn^hQm=M^b8T{) zu$`g9pQ8mqfg_a<*@FfO*w`BEv;eKBMW#LMK&#|M-2P*SUiYnp$Xyru%`J0@h47E6 zo*u&Eyw?uQ{&aLPrIlkEn_a2Uu3$kb246y?E6i9y8qvZ2?DSkl*#ye-@>P*+#m<2=s0plqUCyrd~^Zi8=6!{?ZF+|TU( zWh+~`d_Dr7l7ZQg#mPFEx$G^9QTzw2lcfeK9Ycv{HP2WYE6%xlBGTXyX?`D+FBQ5z zLDx2eC7A^3b=x$W!J_PTt4V|w==NmY=@ZbY3#~oLSpsbv9T#r3%>f(WCm8M3<#_&U z!VylQ5AqsZnsW>&g`b~Q8BNYEMz|?KqRCMel85<5>7X}?n9s41BdV99`=95D1wLml z_)QeKrE(00dy!Hda@xoqvM9T%4O@IVY+fXv8 z?GDoFixs}X)R`)FxR@z&ny z`oxHSys3iGZpHaLu+ncaUC)W;HeP)yLsL<^i&jsw0 zb>D$G zq!&G|(QiYiCmN)^v~{&}MeclymG+9fnoea-7Xn;GB&toe#hpW^ri;Azww5j3J+BCz zuq(DS64K~y(v@=csj^o2qR&YD+S{vx+if#x5_v)$*ASoPCOwL&g;Y!Bz$gvo6OQa6 z%W9@4mD|R2>V8p?j38@HrwJhPksFB!4l`{9Up=+7qnX^9ru3H|-WltgW3xq`X$@!M zxe=_Om`=x;?6tRp@%#`3m+NWwB+)W$jCe5Ub{n&5E#Ubg8!%|bC-kf86F##-k%{h3ZmNycr*QwD$uDB$e1E#kg_s7a1Q|Fx76*JYgDb}{G~&+v8Xyk;GHH{^rm zti{-~i`D1iP%@fxR&oJVwt9K#+sZ7lT}zvv=}eR(Ns!{LIbcbKXP~fUa>)J|^pGi? z0$lPd={RED-_ukks!c)1!??Jd^ssbJ9gO0bh6mb5c?w`xd(0}oK0XbY9e#{}Nmrsy z#&FtY_*F9LS9qh%@44qp>#=r-^<@VX}R z!_)7MVh$+!&q3=tRA|mGG~{Z8WMnic7V*J`WuXriz@rf6)m^tPkmHX|{t7lB!)sk~X^Dm(xM(tCnvCkz2FTk>b4AL74$AZi zNiF29xr~#MaQGhMY9=;K~*Ljr34IFE5Y4X!4_PO z9O?6;hLF;LcDP>5C!+ND8LDrVvca|Epzs(B-)mj(EK1_Hq3-r+g{y@%b8awR0&R8I zapZY$E)?NP6oI8~{YHK`E!#o`L0YIwk(c?poB8a;>tQ?uP4DaN(Ac7iQv`EZ&6+$} zZ@APsO6cP~o1G>Ps0)$Id;4v4-3e<9W}B1h9m*uO4eDqzq(qKXb#U8^v9tzUyS0lc zPb@J_m$xnmLq;59wAzbkhH`c=+}E->otSER>Tq(3tU4^OGj>K$qM5#w;*5=OEU(bt9nCsN5XS4Z})Udi9 zpF2GPh|H}UlaQvpXgkyHxH{`|d|~D$sV_MQ9a?iAwuJu?@;WxYywCmhN(z&S&y_P- zt&uRE78CO0LDF*vn^}$Vd;Xqd>kYv-tI+2NYpv`c@^+e(IlL+aa@qw$mVRJ}1|xs7 zCFWqJrGc9})xdY6eQklRIHX|AQ^^tG#u?|MzGe?y;|RM#r!rONtlEJ74y_5FHQ1@* zv*~&lX2eAoTK{#*MgCftM*6@h=p5wbSghra+rP6lT2oR`L4*V2lO;dDV7;<4S+7l{OhtR zZI&k;h5?FQ+)|mkP7f|K@L{_{-{N=dHj=WL6gFq7bdrZg)Z*uE5ekOub3oTH%EO5% z#AEnVj>EjQqJ(*?GaU?Bw}{cqrvLRA7? z0&;ZL*k|23W}#%zSYZqK!J6wbyXB{0Yq$#5uSZedwG`>KCz z{odmlYHkd#o3ko*^a}hodZ&}(U6-)GV0h|$*PDjcQNy`oJY(tn!HQ2_Nw!NrBN?+8 zxX&Uaz*H+Qz1gqfa@%}BnvNs29~o7w9a^(}Jcpdfp5sOrWT@79YXu(5e(n_-(qZm3 zdhD;8>(sz3#GL8pk$X?)LB+IMQhmNIoyhOjul3OPHo1zKyfY;#>F$k|S$gYY@fQ*c z>~<4c)Bthl$z}^K{$wW75*yqbx>=*fGu1d=3l@ohFEy4Nt|=njHIG-O;0x z$LoY5B;M(}BJCQSC2uRzU2+DS4~%7@b+npt?4Kl+XI}h(%B-zPvY#7<$24jdqdAnG z-e+`T``{;=$|Mg^xSohyz2jMEH0I~i-8HZrbX0ae8de4OJ6EasqhR2~vbDTr6Gtu5 z-czvm| zt?gb8bRZRD?LoUNO1w&msByO9ByyN^Q`9ZxAFW6h>LFTQ$pFhP*ea%ennnE&%T15^ z50gOq0~*L&<^nAR0Rc7sZV0p3=%Yk}+e!D_$x+R8vAgdTs^zV&Tz6Q{Ov!xeY`QAi z^PuKq1@K3lU?T0wT)dvdjhZg<^YJZOI||<7{^DMRadW}onY9K#5{D_j7bjWnviTdI zVDyC9$ajnJwDg~pf>8J7v7qiFEu|iJr_GfqU>;+F6Wopl=T4+GIE%3kr+h5-(sUlM z&o*@fALCWg_Sqt?4)EC~Drlf}bB)6cu&#^m=XmpspIElOAm#(Jg#DyCG!tp=-GXkQ2w& z;Kk4bY=C>hLD})XY;~^6I*Xjui{E6rDWw}a4|FloaL|08?O@-93;0 z7|JZ3t!5VNMD)-(wUP|dq38TTt&hPpT!q9o&z!aMxC$2_)G>ycJ$<~w5)YZU7FT#+ zY`H60o*;>&+Zb3bX~WazLQHIi&RSld)#xP0ns0MWcUZ$1jxfF$hw>m|A$S45jQw&s zr}uHx6vKA5jLqtW3Z1}CsmBJFkCR!XENIaOKkoY^g(Z&6*b6~&i~S3V0kc2eUW;F5 zTl=Cw9y2w@oQZk7p(qSk(xd4W`dB?^JAJ*~G^nv$A{8o}Hj^|gY?crGeKkHod{)q` zCBSo570}YXfYLy-W<}aETV&301Kr8?)WH!BDc(OZ2#K5`4KbSZN&zzXB_xBKi_0i_ z`@NX+#VZ4#S9zpPbjud&T+!3cB@(J0*^Zu@HVmtFAN;44Pq?!MtbB7F3tX+2PQ&x$ z#wsw5@T!?YRPvVFd5RX_%dNuNXw@tK+rBTi1aMk3)%!diaDoiD~mrhYu%Mnza`Fozzgq$rfVc^-b? z93_%1(RC_LJUgR=Be_&@H9UcC&)zjKgp&@1Ug4=vs=F9bWNc&f31&9?5rSfe-seWy z+f|h&`qBN9cq0R%0;qU*DWpHWDXvd3`~A%uwfP{1g=2X-xRi<6$c#+>k|cpgW`ZP8 zMPAv3R}8}ZJx;0%6WVmEx*;oTJLHTq=pMgyik&1dDxOU@RIJ&8ciP~qj4e3eTH?=h z2$M+Pwq57M7RpX{jSBkGSwRg&PyMB!6LObK3(42W$&|$KRm(nS5vESi&KHH!?}6;E zUde^Q?W4ywcZ-dV&(vie;26Oe8%V=gXVzC0>R#}GNB6&&N4V-~P)-hJGm0ax` z!Q+)vf7J@I<25`ww~R5SE)53Udp25v$j!%EC}TU0P(Y|K&9-0&X_s@~z~xw}q5**r zRso_}cp{Qr(dx?8{n%-Vcjzd|43cbr55ERi$ay<5ZIWPaZT5~*zB``jot1DWq+dIZ zF*gn=+3854`?g^8XfdJBMPj;K`5KYvv8h-*Fn0w0j;JRyqvBvI4K7Q!P=+4W^?qEu zEG$R$=JEdif!5~aSU0?p&AX++lZ5~*Bgb|3E=7cC3OGmFSOvN5iX2*U<>hdsqPhp= zvEw!eB9k9|X;>C^eUt-Uz3sz&&3Ko%y3bym9cQd1XsKmJm%#8`I3|@U+GcTld8PdN z++wzA|4bgvR$~O?*<_#h`k5JmCF^T8SwXD&Q4!sm&E&hbXE2Aafs4OQ1;CIYU?I%yW*xFPmb<-H?Y#=s= zMHLtDB_t^0C_4TYt8C8ujp$W(LCba&AnvdW84GW_($^W!mHMk8#JeP8t$rFp(G%<> z>#01_+j0_)*F+zYCRus${R@}x6mibew~=dG#W}~|dBykW5Ez)D6d7fgST7%pW#Rd>q_ng89PLSv zTvD4H-I^_rH^pxnRIJdf0?`WC_Dht@*!UXV^EeM2suYqP1k)ijK&IA3yqHI<+5F%* zq^>dD%*2@ufi~)izQU%x;izj?>__Mrq z7Dt-a4W&StAjWN5@$6m9XAj)?La#dWFO-i}9v|lh(`nX>=q!YzI#t+K1}gA7upd~8 z0tqyZT&bKc=eHF_LN6)r3kxcj6ci4<$)u)jOB*GAN*xc6}ra-DM)e7%H zoR9D6#~w9ccc>VGCIKq8Ea)S7i3j4JEL8g-GvS{f&j%>W4k~fUA99iEU1#^u79Hld zcf?Ig9!^v^x?VHC=1aX~-9Jfe{UdsO4%dm;tA1;t`+N|{T)ByoLo5D=xgyXk4_0HB`P-eFg zuP=D1hRz33$QI?HI}M=9nBwp6jJfBA?Qyu?Ij7%L4cW)y6KQmLkXv9Z)atAA>0%zs zj2X{EJW(k{uc;E|DTgJC@g%GxrOU?3IOTJzQuJLjCqHjpq@Xki&H0AEY@U%K>jAH! zl+$#$^u}1m7&NVA)@=4!yi;b#kg}JrSYRPtpcAoLjbQ&!HyzeU6}`so9aOAX>P$oK?7lKU0_P5!gTuTq)stR-jx=b?;bi@A$&BlE%Kjduk&!6! zqW^8Fnw#0KCD4{|y(b#Wa>KZ6bBUBh+&Wx8qHH7`5b8L)RPB1?iQWl8bWmA+?hpmC zFnmBiyC8xGdZ&iXE(5%@K9&Oz*hVB=KCrlHwazmID3ALzk-x$l{ zMITkgZBmk_<)ZpXC2BHiw7Mc6)E0_?kMWGCZFAJ7y_L;5<4&}84b0%pdJ6?+ij`Cz zpdgSxAtoxfBKgb}XhB4B$*p_4-;kB+0$0z^UT(zr&d&?pNXTr0d8YFZ)|z~8B`U(| zy3VK^qR=Varl#{f;G8`<>QtFb=SSBF+sr<=y+E_{pSjhm0Oe2OS~XG=F*d@&>=-HNRxgSa$obJ*C5viXJx=v8P|s~TzM(E3cmtO_XSksS#gJWpr) zr%nSDZ)QLti%SCGHHZ_cW36~v=IF(b4DzcuR4`dUmnsOCn8-A0M!qm>qQv8rnD}lg z+X~VZ@te75X$SK7b3)hJ3X9OGp7a$~991jDZ6YJ70@6!NPf*X_83#ww9tI5u;TsDFZ z{OD{{8RFxl{uX|iiM?U=9j5rBp#ETKXf5CwnVJK=72Z4I_st@3g<#*78^lCdRKn) zAvF?djc_H~+Tw;Qkd~YgXH9jJ#t0(=3h5BqF$sw|#_VRwZ@%XV$ z?}mkyWGVnH`b{1#hX-AYVZ|FwO9%jIU34yhitNX?P$|W)f!ki6jNiX)z1#4c#8cW= za!jxq-e{anovFj~;FZa9R2>;UCog3u4p`rXS&)F8u9D!&+7RxmlXzBc!dS&mGL4t8 zJKecYjY@Q+H$lf*_NX<9EQ&*#FIx@Sv6_c$U{m3Z`A$tz$oej;^Tnqr3YYK7k&pM| zS)cn|$wT?M;~6Tblo*34@dU-ENujK>gaX!|ciB8AUA2!@D1K_fM&}ZFc@>HP z#7QLxoAUaziGjf5l;#YD;5#P{HBv%U z;y#`&QWdR8gSs<@V->0-ndiVrYLYniPUL727nxK+ykH4xb6#r13ySWlzz41XwtJzy!{WH%wVd7%_{y@IxAE3w~8hTt@7 zNv0#qX|dhptt2DS^P!OjUZqAI$B~cEgvD$Iiu&iO)a9QkKLUSLx-9N;1fmOpg-NFk zf-3pN_n>+g0F@+N3~R;Z5YFh%n1dn=mL@yKxpCs&S|7E<^mpVZN^C|`@IP#ibGO^2 z@8wROlRXATt8~)r85Tkjwp*w2j+8m8^l~VAuV6XJHC}3dv1RAoyk`dF%St7ES7~l_ zA(fP7FDSl+R*UD#H(T}I7a`s_d_^R9!Rb_?Vy&&ovPGmE3nxdnnxQWm+5KfF2JodE<*9mi$cuPVwB?;@doC*Tm%0)D#>$KC0bEfq zLOPyMG0#y^biVN*DaB+7i^Q{J=8}!O#SF$ZSs3(q6#G6;(5=el#q}_0TI6ESZokMn zzbY%)K6Yl?HEEx_aV2 zECCMFrZJ0)A7{k{F0Qn?YbRe89B5N0?hx>3AE889)>*7Y^2=d* zO~%gf22LWF%Lc{E8K!BRxcn-$Ai?hW#E26EANzGqQ0lui`+IBy*4N~#e%=(pEgotn z{v7?aQFDYM-y6u0tS&X-!cag~cyUce-5i&fFIcU?9}G8ZEw0synWV--aC_RT{hXcc zWE~PlF{S^g1?;j*#=A~>>6u)+^>OpqbA9{?FJnp6$Sdm%ESr@Aii(RH8d*J6aUp0d zp_$ZQzj*Z-aAKgDbdTSzx@{8N#EPb}FDzTuM39b5o6lB-kAa<}jZpO2_gTy8&B2OQ zFEvH(PLYH7BP3qscgtt9&GijxzBBDd7+7dg3I+YIdZX)S-c?Ni)^-u{;p>b~spXUM z?;a>f>Qbw#_j&GI+_F*54PRSC-ET{tnw0okd^0-9_r8=nGQKmFmNh@eKsjFPH&O(6 z7;`y;_n_vIUf&@{d+$9H`S_$cI9Gc)ofe0{PaIZHYF1+8U5ZF%{kWC%)I%YAvknQC zkgnHI<9n(^O&R^Vb?ak6!Q|&0IUi?JoJ<@Y!?Bt1^@l!7)1$Zp_Xpyf?cxLFQLL+? z7t}XCph(8D(GJMX=?X1JAr7i!LKjM2+uQ>PWU0E^;m@f=HCm!%)a;Dse0g7RcZ|Mx zOn?UO;~v`Rzsm+(6D8DL#W^n#nHK`bXSY2MU$orY8y^arT$T?^(Q9+rNfVT3x^ynp0OC%V9$Nx62+99fc0z5yc1rVfyyN|+GygdiETrFX<>e;(g`n&?S?RYidCC;zuGdmE53m5b!_7`5S@*4lBS zh?TNf8A$# z+0Z{P@7^dV>`xU2#^_&j*?qeFrAG?SQ}B1;Ja+Xr0D@#t*X@UUVo=r6VRWOZ?5Ikq z{zCJC7ex%`Umx?2YBd1DTLwVyYX7=3JMy3S*RTCt#7y!vpx2E$=U^V^W~KzUNTz?L;mB>?*P{B* z@B0V|Eff$wUedRhi0=Y|^Zx59$8|o(Y#?T7%l(<*O{Q-HF+~F#0kR8kRj9-&=A}p5 zl*5^xX3sG*fn>tJ6vEw)Fcf%=uYz&#LWy5@BAxnuMP0U_gVs?En3VUGh%}=9atoYC zzWbco$F<~uejAKfT&W|H&WE$>e88gJ`n(ATxs&{(wObj#Pm0oG_89~!s!Jba_vDKA z#(MWzk(KtwRq+b~{{F&q%Kz?(&kzdO7KDWt$|UBnmNtL$uV7gJV=>i8 zKS9hnx4NN)9!@f{>4w_%_gC3p#vvyApVzr8{BO4kQE&|M9W9h8V_~i4_oZxREE)WP zJZhD8Ega}=f8^Lr{TqA>u^1r(;BfBir;jcN=u7P$EM_Bx6urf>TmO#(FAQQbKR9=%z;jY# zxW8rq@m4124o!9iCSN^!-mnub8Cfo(Z}T&={?-5YeofF6cu7!bZZHgX86&B0XCnz9 zqlr~5gLeMz#)mim(H4;mtS_1Tp^fHfqaIg=+^+oNjY|0cV@A4o^IJ__*x$YoG=6ksN;-2vF^{@kC9Gta+6%+ zi%ajq{w(?m-~KyJ8{7BMLfzztn!}>>&6IHsTx@SEFXyxV?}zC^9G1Ktoy4=|8*%cb z2s{M=kBH4nEJy|htoZz^{qMr{kl$XFoQTrk6$mxk>0?fxFsR*%1mP$GgHdV&|9ow? z8}sixOOfq)HTs7<)NdcC2{SvMiTnJ*s#bnY8$~zxmlz~u`}fIVByV=>9`^|_=5-CP zGk_FBgZ4Egp>OXLqC+@bfRHphFP(6P>%4 z{taxy6y-iK>OS5I3g*Di(R3{Ddr$aM;wkGMV<|}n2ry7)a zdn4!>0?r(ZFC7e4vY4s(tsmw^3F6_5I02C|#FFW|~hJ@iirUJCD8bUGWb^Ry+ z6cm@2mm%T}3;ClF|4!fd?JXf(uQw}q?Mm+4t;)1L`X7N$Q7hbc0?{xQe>~Q+#P7Vx z#N=M+cGIn?ZD|lrcA6?>WtEjl>vgq35C7ls4!{NQ)=oYokQ?F{%j6wqjIplk-x z=XQAGRJo$JRqlxL=c)a;=^)s2h`a2Ythv!hD`<5_usPLEar)J5zeQorp1s5G_=o=E zJ){HSw-lp&qu45D>g}REH{V3)>ZbVG;+ZW`BL5Z7J@4;5A#&q68ia3m_hZu0G?9OK z5$aicHHsqpeIWkxBC|i7kyI>r@Jkp%???_Aw&qMr z%4{#sY~oc9>kWbIx_@+OqYEK}-y<%A#|izCECKQfUGqH@c)rY3i~CLp=1#k!E+=$B zN=2+@pw|{T^1HYgBW+YDu*w- zqK6x+!E2YnpF+T34I>%7rn6U`qWe}>4WsoA^1H_{C%J3(`*o+Pn3(s+Cnt~*6`PMY zR*uTzeX(uCj_>{oP?k)?Xzkm32v6QehCQ~nffPSJ>}yoVsSdii zDt;8vZLfExN5JT#W@m_i%x!SiWE_{faK|S6He@|8G>KNB+FKX1Cv}}JRMO8E+Ze=Xa_*usGF4CHS$Y2Gdyu7DgVa(aV&>{H>m5-;YvU+hd|Ler zQzS|5j6V2$g~_?OqT>DBVlt^=S6_WoT3sm}xAN6ldFU?!Bt+XCJlVtv39BdjqlPqU zqN5}urM>sKj3}rI_g~%ls5lU`Gd%F{#f_B{rreTlH6O=~IX4MGXo;FHg=Y-QoqSYY z*3P{Bw4N)z>M~UEse8r+WhMq$KFNhvdy96iJCkUy)8Y9ok7+@H$gce)r~ z3_>NVxXu9#$E$Kx10nrGj)Ef%*aG5)hPCz6v{^=@4VWMWo-9hLkwM2u&C0Xt5cqoh zNJpK4KI1CxE@E;i8Cd@*xFlDNSH9iHMwQBf9J8bg^Lu=JanYH!UBZ#($Ses4*8WkR$!$*VUxAK9T9AJ> zV0sa=<020?T+e%)-!%KMq4M(3URhsfT+tO)ca8GcjrjvZX%BC1h=`^kA0n-%vHN|2 zwLc4vaenHk)5~hygM%wLFc5>-ir9NTBX4v}A?b+EbR~!%7}~!Lc^BmKAPCu=r>z_Q z`%4p=Si4xDVrt%eaS`Ok?B1vX-IeO~V zIX%5~V5DT(B>Fl}mZ3R2e&U%O0YRo?2Y8)l&qbzcH{)JTPO7U9@(f0Oj*R`<>s5x1 z&dQEq3s)QKyBQ0ti%ajH54~t_Gcc}v(8AVo2FK^H;dY+*JR@jWFK+qot5_{Kq?Xr5 z{eh`Yx_Z*s)LP3;d!PJ!x)DeCi^E=ZJuk=-iq%+YuQt+CwrGK`s2*sUO6rZsh)vq- z3Jc~g+&ukh=|(#|tgK?R%UxON;IzGVyrzrHL_r_EB6rDzwXd0!pimc|uFO5}C7wZm ztV2*6;fkMNk;yG0=?=(5UGF%gqseN7tz$yYfB#2}F z=yHS|G@`~*BoFS8`rP(6dlt<7x&s$!a?vfd_Hpm~b69LN{Ikl(-24I8egSD8W(T zv(1S&zAuaV$4c-ao_c?($lv{9V!aKOHa+S~u%v| zFVo>=M9B3To}nc7zvI6T!e_v<&&^%av}PUN3F-kPIsCRcWio0p<;_f^%Og`Sd%Xk47F9P&*OT~GHzx3f=BxBbqSDp2rQeqeO5r#g#qZE+o{4BP&fE#}Se-iENd zWoZGj!D-e9PmZed9wUnTQ;*$aufDH^JA&?dBPgUzAXYEP7(;e&^9%SPUwqfgQ?W}H zXKUF?h>mHLD(ZNBtRa}0M!lVVaf-rw&p{@LCP+4=_x#gp$Z3xouwJF?`%(>2@7zD5 zSg)&3=Sf&8fHp;b>F?22y>O={A>Q5QARDBUtE;Ezrk^Y`oVNjRYlgbrDxMq_*M4R% zm+2CL!QX4#AeH!(&R0SKO*P=zZ6{U*YZ!bT3ZE>6k%Y|mqa3{uGjjRphf4uEv)?BV zzh+W>4~nI)xm}n07x8zNUtZf=_SZ^Q`I;KOC2ro8;R)7xF)lN~#4%_|rX`Q$wsUXy z-C~Kpd`bL)x3$URf@0I^Mv)bX5_%7F~upPuFdba3nxYxLmra!># zeKR_!c$0xPOUB9G*( zZ9k>}@Dplzc}2j!wTu+Eh}X;$D~gm;lNEpKnJ3B9IQhOq{#brujJ#aXW@~S_CFR$q z82D9SvOlQ4T7A5X>-#`ow_XvOud>jnr+{VTJAZ}1NICz>9JQ_bz8pmFFs5GA6bwqL ztu3(#-c*2M&kUundCLFV-*J;x5586n7{t!J$ZTiWGNucb8xR65PL> zbAIRlo}2F~x!7y3J+o|Po@dQ)on>Ys4*58qK8zcJ99_UUSQt zo>2gvRc|@{P6|04+16NO0fIGIoU-t@W$Rikpw!J`+&`s}Mfa(NPfvyVG%LadL6TeA zCVHh~y7-uuQlOjXd%BjZEYAZW|LyJsB2vOALwlKmspb>**gpx2EN6)a?3{*|CZoEn zk(ApTu%Ae@ujM}BmNX#+69IvP%yrgtf&DQOcl!^NIG}`8HyID}i=+)chyC@I(+}Lt zASJzqEqjjY@AGv>ETPP*#P07oMIA^Gr8|001eqhEC_-+)0eac7E&g!stNZ}TqdCxZ{d2Gr! zOrqt)Cvi_wpMa+)PsuynzmiF+CehcwzyKTW}4;^^G(sXd- zVe$RU!MDML6J;#>Ad4QxQ%@{jjnyZVTHYg^2D`rDsoIGWWJmNnz*t?F9Bjs`_q^L8 zby^;!RZj0YKaaRQHVEW<*)^hNeGX0;li&bb0ER0V6LU@_x*zdxZ8BGvZUkAZk8gqg zQ~}ve-3Ol+!+}I9Cno*JMw4{_(Q-|cru$GuUl_8Q#dz0O293M5E%hbEIAD5{IFMr@pTnf-&mb zAesYZ*DR+HvJWX7&y2}4RL>*1yVzvhr;Xj2E3FY|3p{rKa<{ECaf2)Bd8}uD1fj%n ze4q&{LQA+iszh0wyWu2zlP-X;!VQbi3y;l`dMdh_6tE)`Ft>p9rY_wN;hxx26y#ZR z=RBpyG!858NA&O6~#D0afU6* z-DCPjNZ*rLu=%FmQ(*{t?Y_kl6Hemmdh=!cHlZ{=Xz?5>{0Qid>{wThny-eY_TN7 zj;g(^vzw`s2CVsRk-+B5tr`caU!xPJ8{MsQ;?s4;94J^6J0V*%Z`l+r=YNZT6)eA` zgyB-Pvu$uqw}a=deBNF{3qKqqb&;QKHTekDIuH4d|9+gp-`g%<%T9f82ZzP2o9r;6 zv^!vqzxU><_K+!>00#AEIc$cs2y@zAxl@O(OWux}*I_~jY}j_4+EHqDvcc#5Ri4Ky zYr*r-KI^e!&4&liay{-o65GSj-kh)4AXDzT(%MrNyV6;|RE5a=Hx3 z1c%P<9Bi42h?)twjUA49`=iy{dO2@z8r8L)dc$0t1#0~%{g7kxZE0%wnneD+Hh&`7 zPzT_0K3?v`O&(`w+pRYn;I!Xdo^*}Zxh7bSf#(FdWffkcnxaxPB+#QEY0Nhe82(BC zo9T!i+{rHZR1&$kH+mLW= za^FS{-D5gwItN6ws4uQNh8p-l6QfKXm@Z(BUm9ULwK%F6DNE(;jTAa*1 z{vmWn%Z}b0_KHUtFOjAQk3ukmQ9Tu#P&^=iM^ESWim@Bzk}2l+%CTs3szQ8CZ(+Z) z$gQ8ZBnS;+8XQoK%`($@KBFfwHl~1u!B}WJ>DE$_~lj~G=KM}^VhbR z^Cn*{c^%Jw$UXUdP4oIuGqX_r!3&*nY6=}QYUg4h0TsfVbXtM11l!|^Me-anz*F0oVSnP~y;Ud2c$ z0=L-8`xB!h{G$YC7&!RpqlLqyr)#pY9LMAe?Kk3GOV5<9*K?o;(`b_M>2fr95enHq z2$-jE)QQM>;}7Feqr;VR^QvN1HWa&#i!4#AEZrnCA_0XAU+tskSC*X-opjT<% ziA^OAxSUVoq_j36l+E3XGxcccqraS46(N8;t_Bs1_wKp6NkzA+2gxOkZkP_Zv80b!=r@A?$#Q~WnC&-?=7f_D4FQqVppf5 z=7=PoTgTrfB{?(V^)R@XgF)r}myYRGiirmsN@I2Sq}FN!Du>u0jBGFKxA)vWUT29{ znWKLIBUx>p2MyQ1J~J1|jq3U*+;&wq<*VoC6OrJI?cWe?%|VFYJ$vTlu4L!ghC4!e zl~Wi7X6j#%mgg^Mk30GHeSJd1i(5Dt-FW}x8{!(VUGxp}F9G_MdzR}L>)mLof(M{| z+v%$!-*N4OT+PUqNAoG2z3KpL9cg-;x7qWHtn~ECI-i^$t<+3Rh(s7uCJdE|Tsk7^ z$|`6e$M`4L?Wiv_M#c_LL^q9S`6Zi3@fRIt(u=ujIk65;87em|&`)T$u8l#TMJ3Z8 zmMFTBSGByyPjkffT2`f7A3vdx%~R9&PEZLNi(KGRABqd5d~zgb1jLJQvxPPz^J^T7 zOFw)!Qq0ohyekzbit|EGo*9b16`-Kx&0a{@#}?y7pu~8*U*f_m`^36z!s z-H9lhW`QqT^&J%FGqi9f{Sh$77B}kvn2*9zLRW{5@=oIbghu&YND=J3!Enx5g zn*tG^8&e~U!?F&-kqqU+sbtIYH?@TTXOIv3hXjQ{_uvELHfGwP=sHK88uft#1_wkL zs(3s+VnV{92L(d41Dr2E<50vMmwHwYadxu=I)BG?>~0<+G_Si8#%;_c>!=U+I$e^2 zBK-G&{d8=W(%rJF8txW-QWqzSR{M%7)FOPyDis-Zj_c;B3s)lR5Pi7od!b-M8x8-}{lEWMq) zk5hep^D!kU4_GMQ{(F_lBJd`CN+$v)`FO97A7P2pedPFY+~T@@P=jZ;Qj_?sawQeM zTM}%&ySr4gMor*nvM#;Ko z*Yn_ca*s^5a*ZG5&xw0s$KS84C*|Dz@zRD_{G~2re1Z1^@RU%oqLAoWvlP9h_k7al z=;wVO4zA%*MYt`ec;CVTC^}j{Fz~S^1D3`~7ZMN;n7wwAvbo+8m-BQ);byp!gs@Ok zQ%8jVCCViBk=6Nw`0bRKKC~mST~Qo*mvDHy_DtQ_@Ydu7ezFt)>4JQQPj`R7m~3JGYZpN{uhI`k#Eh1bkz zar@sdP7haO_ZZwO6;@D(ZWuRu@Vn`S(*BnVAo0iFwDI9eWToIuI?D40;2!4wm!ycT zoDHKN_szvkrRm~1?e*dIG8c!!R!H_XKFOF9cq<*IckXZfPceUSi3kA&U5Zs$7(&;y z`Gn(@Rbuni4T5R|gO3I%hkR_Qj1QI7Oha?Klod4)3TWs#M495JYSc?izh3O={h8XB z#G0G`CXh6IPTxL(X@0(DU!9}GV6(*6ZFulydj*uv*FdT4!iPt%V(Kh``#Rf%zUub9 zPKsP~Q~E*cBVeYJjcS{lbdvU1X4TO6;nF#PjKJRR6XCw?>B<7cZ^R_Pd)i~?D4iHSVHA4NuQ9<3e zFq7Lm)e~(_P*Iyvo^1)gvMr8u3-b8s_wkV4^Az^G+d>8O)DuP{$(%RS_Ha)QZY{F> z%Uaaf2y1Gw#6oTpkuH5Vk&)dwWjY|2-Vz>RDqU@RLm_4aPavE|AFtH59FV;2B~>J6 zXZXO^vMO|;Khf|@+QIM!b7hX)%65HJD{QNjA!oBdY6j})g6P3>Wj1v0+RTGhD0@7f z5+h73v~7Ove?!p%6NS3%f5$rM?L^7I<_4n`g+BS2d-|G@4Y-$=aVSwg_GPo^abW%N zr|}&ETjlYaqKFOJy6kVNRtXxuuYCwk9x}}?-u>mpX(_N(;dnTkk2Btiw|iH&m(1X( zWf-iW6yE!?Urg+zr9-D90P=ETo>_m)V1tk*y6s1ESqjt|Y039ir&)^7SPQwWxOOGw zgf(w|3=S9kn_bv?#cHq1lUp)4YOVAUN5zdEaHN04V;ixy{Q=Smuuvi%8$GZJeXo*u z@Hk4lJU?H1eC#26(;knacMzeXqkJ(x##p}t~kMf4eD zWa*x%!ff2Qz|JCV*>@FUX@WbHQdTRmL@v%tUbI1i5vJ*sl%HQX0Z860jKFc=4T^U# z65yz4rjW(o|?da!z*)Wi)N|S!uXIU z;_MFzW3n+-XhEu@>2R8iPEtakD93w``Yf8m79#Rw+0)pGTY84zuC`&O=m$Q(z7|r< z$x1Io%oF9E{V=24ME}<_1Z^r0u@C{T@BCve;{9t7*Gj=297LU$b<#q7Pwb;&bMTga ze;mb^t^n3igSLPMrQ_P;PxQukp%)iNcPAY87w6cZgG?z3w@JpeKmF7iIU@H{VERdOhq+^FPK zZ!d6*T+Jf-a`j0X@a0=TY)1~eiv_LW z<*H3}-SUP?B6b-?$!x|u{MLj~fg%A4GP_6QJG5${dQYz=Q&uL4 zog$e6XA>@xnw|T$cg3)V4$U3!CE3=Hk~vL%#=Kn*6JCTp46kH7P>;?datB@kCuPep zhNFr{pBNxpdwVRDz%fYXa2S*Aep{CcGm1lp{MOT_xyVkyZZusih(SgvHx_(10@8_6 zB#O$s_4fH#CK=8Tu^*1aHZK$1-6Q4neE3+#_8wbYD;l#*MFyB%Y#iTC}sO(=~TPO_o+~UH*X>cAGjjIy5SQ@Z?v$d&+RPW=|Up z{4K!|F-NEmAx-*5F>1jr)aDa{kKG&j-peb5$QOM$lC;|$kY&}lTfM@fEfd%GP_I>^ zk|q7QW4*U6r$5Q~#+YXXdIgn$r*{_fBG`(+0}!Dl^S!|`7N(ZQc8>xw?b{Q!YLE$g zC;Z5LwOZ$no1Z|8M;erRh(!6M)49`FU%nYPr}iaaD!90dw5^hCrxjrp19>%hj%Rov zHZi|jVwCUv`kF;=tVj1t`&3|D+-GAd&DoC}8Obiazlp)u1=^*O6?0#Ix{xGWXRcXF^A2PaSgyIcIDV6RFDF3NN z*zh=XFMYLuET=5<2xd()lKi67n86G zj-W$sLcI6O;WIMuLQ?8M2lMb$Cm*BeW+Ws!wSQbq8o!I;lGFYJD#WQQ{WxsQje{c? zc3#MVp3I6Y1S!{V{jq~-RJV`b3R>~N@^_!%Pwj`FzkV*IwVB;I`d%(?;VZ_eVW zIPS~)!$%)W5#3c$JFaQRL<14l{B=mYezWgy)*~)@H`#Ee1H04A;61l|k;6;u$LM>& zwSO+QAGx6WR}d2(%M9>W$R!Eil4q&7c5ExJToAT0N_ z)ZmGEBVFemH~ky@Vz+pho12TxkEOEu`~2AIsyHXt>x7f64elxYkuEJH!RNbwM^CUz z3WZ(Y4}iqe-o*&a35l#3*kWmcB{dwBq}7gbKw z+R6lsQlG;ZdH6q{Q5NAP;S+Bfy=qY3dB;hs?V&SdjK5&{7Nx<+zh|lbxPCX|QtDrF z{70PMoB_;+#9{!ZpxjR{Hqo*fnsZ1R4>tw&3j~%{9~H8p6dYTK+FvDw_PfQbbSBmyd7raP);`Zh_dUH`Tkr89s8~)DpXx)36`sW6%4S5EPoGB;o5k1UaO0`8nn^_m;A_Kdii5S)NTbg9?%T*O{r;;Z z`%iOL4>vu}y?Bf3K(M%j0UyJE1%R9UF+cDaG^6I~lYWO$7}d;L(Zw<0_2m1ttW}1a zl#NxE?=Z!YeCj;x1z(>YOuNV5JRz4umgim-|BCwW2mPRR`h^;;_ocQ> zzVH0SM*sPVg!X4PW`&+)nP#+c+$W$Ik5#VS#OUG7<`&@Yl=Y1EA1M+(;bZ?a`TH(+ zeo>Fj;9U?(3sZMK7Yo+^zUjB%YsSzrFBAjb{Ro@tH0H+zqn|1J8QlNBPuZ`*t8ngJ zLyT7%%KGiBOaA-eA5drQ5Y*5YPM$k_*TpZ;%k@#2H9vI#Q_tFA%Ks?k1F8nqzk0-W zh-q?jV4JOkcpIM{sB&lk^NvY+WQG2{m;5WbA&W4V@Z){YT&-RuR{;TQV5(6l4$b%V z*0NDg>&pM>)a+lK?yh%`wXfJ!5`r-)T-!tz3WxUombHfc^B8>IqXsY$_VBeBEJZAx zI_0Y6*~J&zO`N#q&zDS<%xRbNY5dSE{sweZZ*WA;QjYq&e(031RyJwFqg}zb=crqO z43GrP71>>$6wNT%FGBLk@r5do%f^aWyqGK1%f9`Bgg*#HuHZnJAd4pgAxbv9Br(nU z!n(nL{48A17h%j6N$ZWd*kfHl*162$M?2gb{0_n!HmJevj*~$01ye)8XC5=W?b=)2 zttiQ@BDF`>ts=(jVhLf);@T&-2&H_bEmJR${%YOu{NlFZul5yk0V!d+=nxF$Nh{ux z@%lru4f2kc*!_JFATkvUd>HH7Hfc{?ycG8(1bn!E)b~$%7EGhLLUBp&(HmYB#0VhslRG;*esH2=uM=5sr7&I>fiRg@&c4= z_Uj#{u~D$&KTPvJkHjeu?x4jHh5)RE&3BA0_x!h7tXgPu7`^(pG@P{$Z(mwO5dFoU zqg;LxrRHZPK-ry*bcFF;62kqvDqEH41P>p{^h6AwWn%H0s_a@b;d%M}n3s1+@WA_v zkzOyGciR=BP3dkT06HSi3Ku$b&L>_?XRTmuseb=dQ)bZ3L`;=G z#0N@L`ST$Y-uxoRbZ@{sgzSNTqUI&tl%2znDaVvqY~Y#gEVbXF39K-50eb{1;NKZ` z|K+h5_hKUiJJSsqZVI|@ksU|wB&>SWfESwt8#GJ}J|#XLlRbDuPh7Owwd(VCuxoKC}y>PK5#=4D#2~ZyS$+hRKq`ot4S>yeoU{aJRp3kmer}hXC zN)})=w_}9L1g$HD4QUkKvOMD4Fq@y8R)%B!VxKTCpJ5bvjs;j7+3?CoC-!!Xqn{4fvqAJo|M^B-YQilODSQ?W!=i;T z!wiPFw}S$RW`23?uciSOm_vS`^(jV()7^-A=)ddlc9ha5_*VMy0cB@W0te-5NfkPmJ-K{Lw`%-vcvcXu?WxIa!cnOU6;DSbCF0 zDpe6IC-QBliB?6cvqcz(0~bmPrdj_vX8w}A{rJtf{#cI-O4Y;WUShoqUZ@5dX@5Lw-r0&g6DCU9s=SFcVB( zhe_qPAyThK9DR&xmRJm=s!f2DuiWrj&i4O|7x+)EG%ogx6&F`+sTM=E+Ot*!5nFnT zCL`LeoEF{dxljzNv!jTMhLvi+3&^*_ARgU+ET2jx1QX0Zab17Z#=k`n5zNq{8zyt- zs%Z`<{w9AtCW)1A*oe6T&e>_bX}7V=;gS8Pr48Hbny*2I61O&%`E=tK|6$r~XG+dt3ofx@6n(>tyFj`Ccb!O}2J1XN7h7 ztIltp2|}DWN_Obi2UcXNQ(Ac_(`Nsp-xO3cv;D6(@{z{olCQn=K}eC2lf3o_>FL^7 zfy)U!{`3_n+eYUBBy&=4}tIcB*nO;i+nIRVohe-m3Z{uu?@ zfZuc<8q6w3Rp9`Ma$*Vkec1_F*&74dx9{Ko{oVaKS+8=J=|U~zf4*2nz@S%wm>*2Ti0ZQf6o?L%yr|Itfj=cVNspb{Ib#T4wUEdyf5erz7V~A5)ae z9&u3-mmb+ysw!lx{ZI4^K5aKMsK0*a**eo}5@r8g$dw6l?49X($_Ug=%u*#632$&? z&Ws^7T}eiU1&y1dh9Q_z)yOek`fTG=9xtBOuBxwp`9~37$R{FJlGkE&*ecvv-{f0d zTFs*Eo92k344iK*B-m=rrmAs1?$YQle2&~=UM8*u{Aa8KY$HEOYht?dNfgzewzwe~i_Lh51BOq(n z47>w20+b6w2w>5gzJ9IG$)B5+1aEI23~KfITlH64eJ8Ei$fGL;!id69Wo2I6NHowVI_O*>DH*I4eg^&tjbD2YOF519>IO^!*Dw#;z(_gYmVTdLy zI>ldXWLrZ1OU^zTI^+C=W61bH4gZuFjG;(2=5@_YoGoK?2A@>gwnwCI~GruZk6 z{z<*qbYTY=SV70*FojW+Ev5>A*qERYyd`=Pq^CayR10mQSPClxhigsaZ+wOiIk-4| z>E-06@R5q|c8yq`u0QlVtoaN{%pcbMvD#A0rsN~4Qc$B(P8ka?9#J>7-k5wypn+7K zX+bNR=z30%U59S|E{4dsKXq26*L&6alqs|~&LzoI&c%G9TH>fpDJ(MVhvoUa742rsu9++Z=<|=_?ABIV(s2^fl;x9-ck>Qt}#HK-9jMQi8GUSIm5;}sT`=-nG>9wDfYhxvL&wLul&t5t3O z4XnFIDQZpgOT0l)F+4HLRCE|9V-*3<8%w1%67O%dO4Ixdnw`ZZMQE*<)8Z1`@4L2I znF1FPuw)SokO$F}oH?*vX~jD#Gu++XX+xCJ1M4?;T|Yh_Xz)c_Ft3ZXmz+rLq6)XR zPTcWz4z>KjwYnIT&A2UdD&e{HCjHvv5PQC4QqTNUvS6(biD*|_sxDpQ{EMb39Zk>d zaN5V|d@AsM^x~ps$pHFcTctO?W-xZx;d8+a6NDR38lLnDVw)+ zWOA?-+LJv2k66<(NPRR}wBu5c_J&c^&F8Cl$88x=GUEp4Q_@W6|J@fW)BLwcXauT8Npb^2^@7=b-7_O z5dhxOyia5CBxwZ@j=pNCmxapxn%kne4a7AiX%p^m717Y;_eIa%1@D>21XaZyll?33 z*%^YWZOJAQ z-Otf_=+vm)Y;PjWda5&y{BR)cJzq+UEkP~oL|pT0!(FlmG^K-z=mQ^H#y3=<42t0l zh1T4Gh);`kUMPqIiqx~UalO1Pa%4+ki|4dQbyfj69fT|V4qG*;{WHA1ozqKWIbaJTu5$ddTrKbV}gh;!?ep+mZlpr=U7(Q3-ZzhfqGgs=uiJ~_jnwQmYRk5;&a;K8moqUDW=PLN-O{L?G{plpX55eep-#KQIm z8iOj^zIai8-02FexQ*%Xv?0{lclOed50nj#YvV!e(SM|EUJIP` zGO-LE3#sMeTKwaJz|FY)D@MOZde*xKVtvQjl(aoIl#5Kz!OhomEo#LQiq0VHm;4R*TIK zNIMMCy=$()2X{G>MXCmwA;e@{UNeI#QHG}G$6W|T(wH(vLT$Ztq1+-8Z{MEp-L@Od zc0f7r*OnsB#J!`8Vg;>LCqNbcr#ruD3Q(PQImE6ENbaqhPRC`eDulZOvHXh_!uB7p z!0rx57a|^Yj$a*k1U)UM?8g7j6$Hd(C<(`LaN408rVB^-T%h=h@UG5)8Jl@r#-3aj zM+@nTHy8fmd)tcnOi1je5en4qk*4@1OBeISEVlUx-&~VQFG%03ar!bnX%Up)1&xzu z)Ovt1;XNUUF3*AEUi8M6vjllCuD^rx^yxAD(iR9B@2BCI@zuk<(NFCKquv z;83mdS19YhI-k~As$&3^0t%*xRJd8qQI(e6dOi1FHFUlJPTd- zMFG$~p*9}H%S--(MRJ+)E1kBawGqVgVMb!W#13@+^KJwCA+g%{*@?J>b65e{9RyEI zka(0iZuN`twY4)@_AJ^t{f#F{%?LlI>GVvma_r7tn&*+%@1>3%kJ+o`YD);5Eah$~ zTNRt;jL8k0PaTc&iAcCFON0B@t}HZoiEppwF>#LW6@A|_GqtU+cL!5siGI3)XMZ@HvRXC{}sO%NTLdAP51vG}{_jR(XyiD^QqG3Uw z8@bOl#ihTrOC61VY~{fupzU|QaKZb_){6py3hdynQ<)Dl_bNwj9RgJAD!^kA6&vSA z>`lSqUWlf+MwZgfJnKUEIcLX!I%73!zi%DUyw!COekb;RbOS=$0WxG&vr?64s z>5|di`49fYY)Hgf=Gd*ATy#uCu`z2Z5y3#{H?%>A$5(z1Z&i!r>L9{_6cs^&O%DwF zFF#dgXYA9GV4RGA0&F%1-3LBlR|C)5KPY%bRmStP(1X$R=(jm?kF$(O-a@i(<4m;8 zL_QnR8L>AP$$4&Ei(t9EVk!9WUoHSD9e9(k2>4U^aYQs7`vrMOF41Y>({daoykPb* z47L_SOw1iuIYgt4YVRngMZ--li;^7XSkM|eT2a=ZGYOROkJ@kVOSQd~;r?L|B+ znKRwFp^11zB*X(ABNp3$of#2d$&Vd=b!i)95Td8WF|xHgR!7Hg+;>Y9b8J;|L9_u! z5^#cas!&%wlese7#$(ka{XHF~_Uq&)!#93}?Y^c-Y$t(g3Q=Ukms9hSqkTiSYVbys zF+|g-l{fBD3WHLAybAtr7smp{XPcCESlyi>wb|>n5)HZK^8GTL{zOfwtGyqGgylnTB3(lFCUT?Xj1Eq zjmM2!wXO1Pz~gB!@XSS)>@;Kh&&xvG-KG<^sRK7Qblg3GLCj;^^%VoiUwZ(>=qYwx z_{WO(`bgHooW*Ro)#LGkR<>w9dDL(YoV9>Q%p11*cPcuEC`9YKfw_Fhtxv#O;$PJ` zZbqoRS^|Sc_*2zJc1T4J-s(ag-_R7N2q*BJU`Lf%K^tO_PkoQWxaG-i6D=JUgSQEj zdeOjkp1RBRX4R;UM=0Z7Uo~$kbjsXBz}t;vCRwn@eZT*U%gg!4XYH)+{uvwJHK||$ zMiw4Ut4jgC4*s~%HfbkYZpQ}SnrNP$n9GhfUWV)E(PQ!S2$IP^LWNw`L9}1(QT3-F zX?vKib9`(}_G#XC&OAZL+n&a+uIUt*{IW!#-AKwgL%Hrw-$TTo*LWhzPsq>>v;Q_3 z_`*6EFE|n{DlHb#u$aGzL$RNZf;~@1d?Y;#8x{bQugWOt-6e8fbQOR?^!eNm}olL z@U5J&UaVHM;vVVX5_AS>sJjW-8j5nRfheUE`idRqsw+u3Ul_HWVm}!{;rMoTp0R7W zIxKIDE);YPj9Ae{-uWofRr0qnjn@rVs(40Dzb1mff#Glc%g2m2Nq$j#JQS9N0*<f@)lY9-)|(S4E1`xn(BWc%rA{hvDCr5plSjWUjZud_<(& zkMR!Q*=e2C$a<)^tu~D;9HltPda@+*;n>=!TX8tBmNAj=>66Xu*S&S+7V=q=QNggc z{#U~L%0QgRV4`f9?%5I(PO>gEyd9=+Fr=wc)F<(1!0~1egS9Fz>aAO%1 z@ z`yH&Xet~{FQDp3Y9`;hVUOdKku($YrOgOUmjU`m&^eO$98v4jU4DER%QZM)XMx!(P zS1ovK@V4|15{hOe59>oM39ggCr2A1glPLMhHMxLZV`Zqcp(uTpkYCE-A42B=d;Xb+ z=N1Kw4sG+>^LSGh?dD8UA&>mC9xVOYDGW*$Z_g;^sMEscXd^4jA%Po`Mf_i~&|NQ^6*v`rc3<=MeJ5mAtpk9TPdQLuLI72eJ;zOw8*KAD8r7i1Q3B zAFwvbNGb2K?EzU#H>sOENWV-jbFDFA_NrLc`;cN^F-v|&?_rX&7gSGK1+POCHaRQ| zs@Cc-&BpH8w@W2@1`Rvi&Cz}_7dVAfD5Cj9{$iYg9y;-_=^|aMfhni|T8cYVqM0UY zCH@XKzV(B=YZpA~Q@?TF+l)1mW&SJ>J+W zE1(eZJG&yoy*N<1g7Y*8G+8qPYMx_OSMv!R+pfeU>7|?=%NCaM9L8uoT=y%MhJL}7 zASlF9qKzJxE|OZxh~o=gMz0NOo^JcbI{&=!5`VZ3XQMa3Z=hH+O<;J%6Pyb6wso|4 z@+4-%bIJb%H5+(mkS+k3DdC0Us$@Gd1;z`95xZEF^X)(Iy7wp^OlWfg1+G zrg%!6+20w6rmO2Rp*{*DX!%<6y2QVU**CFGd=>`p&V5t)RBwv1eB82aw?VN|H1=&{ zlXpF^M8Xf&_X2%V>6qS`2OV5=iVkZv5#siQ1!Ei5MlXN<+{$J5>b|2C{Y+s)2|{0S z?#^7iPbT#U&(LVE$8Qdvuh3q#ooX^iRGlMl*g-m}+pJJt9#E*q%JjW+tH%(kS~Em&V0Q&99g z$Ul@A<1O<$hW8{5WaHh{IjDtQ)`{|1&yn!QL_S92nJu?kX$*u(`ncDgePJ70sblzR zNe!7K*5$SDgz5`dNc3vmE4!bqOJ2-ZB$d8lz=Y7)zo_~m98H$`m2E#{nfWXOBPXY8 zmGnrEG|OL+Ew!MW}a7o%`cK$ih}3ewHeq*#%g1@p6({S;6e3)|HEW1 z!$q(0HRVLn=S1o9G|{Z*9g`BUmL_pS`o*2!h4K-vEn*V`>O1?0&s7pE7!5CqI2EJ| znwp;%8|+ci-)LskSxL>@zh0~efd_DM{aiTlhlj`4P^{OALe%W>0dv(}%$Iv9b;7{! zSfN5n(5qP{b);*uv0q9T$l<)dURK+KW(4UaKn=NGR`!|m)b0@B&nxpW1{Wh)%9s!Z z%d;(Yq*-g(um+{6Z0?wG3%2hg^WsB|pFr2-C3+)h#e#8b12C(Z^2ZT(w#TL7*jmx2 zSIQL(_RICZ8ghzjCHkK)c`(T)K9m4Il7D$n7H*lonQ3rC+iRBe@%VFdZVfNb_Gy4m z$v~Z+Ow%2**fm7PZNKc15Bx!BGSn>2cb5Noq(PfIPQA+7)=qF>2yl;$ds5-+LX}nz zKkU8^S(|4SIRtW>gBN_BIo3afwSdCT#g&jLU@@;NH>^@)N? zu{*qBR2BIy6&!Z@g#?4eAZ7l+eC|7k<6PP-D}^2{B4|S+z^5}*tNR<7wjxJ)864?HiOG12)Fkw*#h;$ChX`i;0v;Ba6D`FOQH(Dwig8;`*tx(KQRaL9^ z;R_!snOugfdH?uN`kb_FH|O*lok+?fKh%_+YsrVpg^oGGZ8qA+*2 z*M>1Ze5`TNF>E8hE zOdjfIG@O1)<=g8JEj^mwdxEpzHcgOfYh6moHJTV(zNrz5dC@0!>N>BimvMfXt7?zj zPsR~2^hSMH_0lRpn_IS6NQ$`feVK98-}r^6*YGrC&%e<*(P2+5@bO2yq)`(7md#qw zw7~yiQe^?1_&MBm_$zORc8+MiHx}5hAkXDVE>6z?_?Xfuy{?+nvRDZMZ+F<|FM3ou z7%d|2dajP=wvwrwZN9jj@>_%c11xsVN#+ikd~=tmfWw2yTcal;zO8%Bb;*Z6j$C7H zX6Wnq-QZ+6<_04mK2wEIx`)z|8gTeaTXQ`zuU&5WTO)N*maO>yaOD0bAe~^MoF@DF zSHRidncTi~Eicn6^CD1zqd2kd_I*jRHXoz=nBC-L>JLcJSc4Ypxz_ae-O1GSDhdB( z*)hp%MyezZ4iELLd|>WLKCZNJ)|7_hp-TGfO%#4q}5e_Da@p9=eF*1;lg21vC9v? zua0Z{?uo|@@f&g4qFIOZ(7lb zW)}IjUnvm~s!zpV-H)^~FLcza7_$F^FDG=;VgFp=G(xD$@Qe^*#8Fa2k1eq}nVRCo z3Aohx2NA90L|AINLqgH-8a|JhNk{rN{lhl;X>KpJFR;NHPlK3PJB}i#v$JdjXkGD- z%4HD;A2pD>0-jT67`&=R6#tzHB!$%p8O2oC37ZENGB6UYy{`N}B4P(bkCGkD zw+9MOnp=RGRyapWakV}oFin+v!_0WN6KYiCdO5At=qi5}|3Bm!P7wI|gc`mEuC2W& z!P75O>(?COK~>FYSUOQd*ZPfC*(s;V-25~2>(@E8Z7&VrUAeHFa57& zBwc{Y&riN?NRix74hQ?`Dx&!B;Q4x#8O-)}^EFFROZK8_CZlgbaQ0AD+-uH?ZU>Le z9mube+wyY#J%a63>ZpIgT6H8C^^bmoLt`@Knp=B^vBhD+#5zp^S(r9=58KtkgG0=p zDl~DlN8%n4XiOY!JlYJKJS;RZ-NW$2DG}jWoZ#C*ureW-AS054AY;dH>{dIl zBM9v0!9kB0x-)j`gJzN+H8I*!d0dfP)&r2u8p6U|Ga2jPfa{~&m0u{0x-cObwZ zY7D94IPQ1}CEGvP(=1}P!{dqLYtv))gjZ`tYMJ-%M5~5kT_|_U-fuanMBt!U?vld0 zx20X?+dj0TJBMpv1cxxi7ZpNm#n~U6?1Z+oXxm%yg6B*@#2lDuz-|#a+2Ggki)hnW z&(^JZiu&sKF0(L^-qTc{%e=^f3M5;}3%(#4(V!O)dMoajc`j76db zMmx;?6M)enawvQ^ck_a1{S3H`3<#EB=!?#Z@)T{*rN+0K7@1A-+m5jZviv7 z+QZvxG^~0J8@Z`=Fuqo4Bx0BEx7gat(Hhb(Hhs;!xKubsZxV@MP>;gcQrdP%7TPhC zh>(u$7>&kBtad6i1CFaC8IBP!k(P_6!}f_Mg|U$JW$f!SA-Raj(T-HT3QEagZ55IC zhv`se;$d91zZW91rRYz*&I@5uk7A(rj!N9oAb|syz0hUGJP9|I8gMMlIV0@7*ip$0 zCe;t)r+qHkZ^6r{7!qO{8(|}DcXWW4dZ95d=*gPIKiVtni2$?qHrs%47fPvy;aO#* zT;Ug+gHM|&R1R^8%bqA{^PE+}4a(TQWCr%i=1e`zu2#9375(J@4#Xl>4O3Gp`+Y$g{sld2yvOrw)fvqVh-| z=bO}p;va>&awh+7!uDl)>+>YPa-5;GVLta=Xglf)gB9aI6~$Kdb(0PwRp^oK33uYN zDlS{E7716wchV9lc_gI3s(mE;a#un)y>64_+Y8mcp$Fc9#Q1<{iZQH-*E?vRNAfMmJ^h7v7Z0A6sj z1mT|mp#QwF6&!!xEB^7d?QZ>`VB?}6aC4Zt-E^(`?=C>@3y%use^Ww9?2T4>@mZ}R zWbn?AkL6YT+amBj&!Ph~Bo-i8to6lY_&Nu6qU%I{gg$8fcjrq$j!E1|MTHj)?%wRJ zG=fFIRZ(tD@|ODFeY*iN7rPwxozmrIx<_v)FkQ0T$MXI@3GzrvH6LvJAK#(h};j zjLVHEHmxWy3m4ui0f~*XN>E`t*_isJ~nm-62iSU87K6|r|CT3 z7^jPBzB#+xIZchEo*bWc_NA|g!-cRfKX#l#S-x3sLVvutYt{2W>_^*c9dler-a6wM z+cVFdm_+y|)8spp&v+21K~sI)&sSX4D zlMMTlBT|?bJ%;%?8|g4wsJmh9)r-ku7E;-)zV>WY6dLVo{{%jc^C3!0di(CP5b7#~;Aqc<#7pdQvw zdp+6RmDuPGoG@cQ`^$oyk{7xzj{~>vGI9%b(_jJzeSTh}?Z#6A==@^4 zuL~y3*xZi02*yK6URz5N{!uiB5|`|K*M!JZRbS5DD{7tVX5H3SEG5kv`s91ObXO3V z8g<e0y1R zI1U0nt~~L?-P(*=Kf)U!mJUOaJgIb&s89qdxq|NAh1F+M<@wp8n?eRHp2MJqs58dPs0PLsu_VD-u%=2+#>qGjADZy*KD^6cYY~ZCxROfs3ASQ}(+W z70h*Ce5Gy<-Qn_3^Jvmv*LowcBP6cAIq|-?s2hBi_SLgx&ib6_G<>`8l2YB7EE+xf zGc3~Usm#hktizkxjg=Y$oKyn0SkEKAW}ti8L|OYS*V?ut?3m==-X}^BE*?gBy1!S* z76}9&SzBC~>MUj+hrCR#A0j9^v>n~n;2bsBDEYIkE*@3P=VIAfyg_eGNlcHjMxTR= zhtJl0Ba!$Q+PrD|)kaKyA$4TeR|*%@0`7iAxV|YqHMFc>lgYdZh96M1_dIxijCEFBU*(OQ$pQNwC zkdtM?#Q_^z{n1<2TJ=Y^^#UHZ3N6kj9Y~<$vc}f8xm@OB$%V}uyOR01Z#9oBZKimf zs|t?KoxGSg4-s{Dtd2%Q=&94CgH+ZM%!lC?I{dYX3P-K%rApVT*dH7HT*^L1Xtwz4 zG|Y`Vck9(#>j$?S@|4u$12vDv?CQL$mVd;q(0Q*LeGek>YX5qjjL2h5J@A@{rWe>V z&)iBk(@pC`;LM0KG71I4zMld(6WnafAKS>xyZVM+C5Q6_m;b{BP^$Z^W^!i^+Sq?S z*5-+gFDaPxy1*DE)C;|_^qpEWZ&lT7(m%9rYCGEi3J?-tT*@ z~baDfw{}<>C|uKO|TYBbL3g+Xty1&gmM4+(`?ES;~XaUmS`L*%x3r=eA~>h>?NR z_H}d6O-X@fJg)D^(spxXuhhVcrN4J2o;Ol^qQTJ;6X~?`m_YsF+KwaHI3R!@ICp&G zsm&4WDf1`!q!{rET<+kookh}@9~MC#9Q573V3E(8a9bs8n}J1-6z*ojkC@mWKAvyg z-jvX%^JP30KjSYj-x<4l5!wa9fmbUBpP3dl*#%21f2&Ux@Ts2JYl4!pY*}>60B88U z&3K<;hdV_&oiku!oKxm-F+vo@?F~6d^rBoPO{7fXT=`96S*Y4iYsI9}eNVBR{$Oky zbfLrBiXKUl#5q%fme{~DMCJ0uonOJXEiaA(uOWv`B%eR)GV~T*wPnP(za6-JTWNA} z&XnTL9R}3K0+`ccy|X$#Uf}XUo}(%?7CzUnAV(=saWEV(ap0m6U$OXBIC%uqSAQpg zMKlBqMmiVp4hgNnym;8pGiq%8{$&YbzRd&YV{uPER+$w+Wp&KrhSSqQa@3!!nz^IH zb`IU=LJaY)C_zY!xFTah0UQ2!{p0!GUJkRzpMee!^YvDkbLip=Rj%7Z)j@NnK^dbA zz%wRO9F9UN{+5w(*zg}M_FSrtd>sfNSqnAFZXm)*iHYIMY}>u$LZwA7so=nFlIs)s z2txmYX|{d?(|nz$U`M}EkLj2LXT(W&0=SFV0|8%${74XVoYDbgFpgepaB_k}!HX4d&D%7G4(nd7VQ_sTUuzSmLl5YRe$g{7O5de#hOx@|A?S=`)=D5?bue&D zt1i!s(FH8n8G4!ay4_~~@`ea@Ubt6{wO~In@&A_ef3Mz z365@1rATzEm|~=_ff3*MX7~L*{jvFCF$2Y=kyHa$yOYenohk!Sgc@YK+WN)Qli#B5 zaYqZpq}K>&HnXy#CnO{^8clxy5e3fou)>}(vi-P}&AXc;np)bEIbzQeczT<&nn#{3 zdtcJf5wQKjp;7)nf)M8NU~|fD@yLX>o?6gv^#xk7&|95%#_PqHxX4v@st67Br|`Q* zm$MOg3_9qiJO7e{PuvUtzCMH@U*&|m&x75;`d1>O>By*;#W1I*c8BQOF&M;x(||cQsaj65)a`22jD~GJQUKIpT~fOGizexQivy+JwV`jqx**gdIA)3{i}{(7wv2 ze+E4Q`q{7h*Kta1(76Y0W6V!t9ah&??WC1zs8r6t#~Z+ld(I|MagiHf2+-XI&d!4C1Q{R}Hy~iIyC<|HV|xhip836?bPLRnw#lF_^%Mt{2^+5pp2(?Spht6I!`3y1xe^xp^s3*~UzKfQ> z;oqi78nw}A^9(e&l*2&94+u}=liGQDNekY~malSf=vAWV*r%|~HDdaYx$5hJ@mU!# zj~)}0{?p8`k9(^AmhwJdD{&Gn@Q zP|$a(Lnz0pYI&GY$dBnUqVu5cCg$y!G4oM{8S7~|!XWwH(x2P^x?))p?uzVkx{B3l|wdI%d73)xaF5%@i z6(4^U9JioKWjH+OXHwE`bFy)*8o2H~4jhFErYft8P-}CuE!`0o=w%EZYj6fD?2)Pr z7zfW%FuAe5dQ}QuAK@Rjc5F`JI}fy&;I14s5aq{ph!epX-#?vag;ezJbraAg&~}E3 zKGCRUAL4abwM8?QznN18YB^>9tZ9AT@p2vF_`MF+4bgx1F8g2F-l;*7BXS8N8=a|c zHI10YU+v!7HE0ZQ*gY`~`#w@`zj8!nbojPOa$2a;2C`Cqx5fe%?xOT{JGw7og&OyR z=DI5t`@2L|bNhA1@aw10hoHk>%DRvqh@#$;Iv+ zPh&p@@6DxjyucAGHsn}+V!Em-_-OStL;f#)&kLSl^^qJ2|9qWB_vBWJK}BADlN`~P z1+RT_SX#W|xxygcYfiMiSE<0DGBce#?%~XlsqQB1jw6J+BQ9|?C(KI^H1{Lkk2qHf zEh37i`htO~^{Cue5njP#$fhdF?MlY2I(ksybOq5lmDRmWU9q^mt=#VW%-&;Y)F-;3 z{3-Y;%r>L~U=b5mlDHR`DCF`fg*+_`Rvt~X7y6jCV0l!_afLF8Z~O#huAWz{RE%rA zv%T@Ss)K;MX~&HOq&dRixDo}}LG-~_)_dG7;JnA}yE;1b%~@mp(KXKqped(?d$Mo_ z`}?A3xQ+Rd55)A%0zSuVz8k@sznc_#({ex|6T9 z(9L8zy#?}bT*s2$2Ccc_7GwkbQ|B!cmRp>C<2%-R2gvX^=)9zK_TQfhsBgNQkjBD! zq|TQ3?O4_{zH4B-kU97jIfPX?8soo+5q@#~iXnokqSJyVan)?h?eR?A@C+JA>7d>T z-|gORb-eSgRb%W~XCqT^>$B?Q)lS<#i!cNsS{cQr4^gMsztanP(|TydfP#|g(c+6bd~OJ0T=4}r}flx zPSdkp!*3z=d_G4?$RAw-`Y_Mqd;(Uu*tnXI#&KoYcX-ZE^om$5pyN zm5Xgyz>sahh^S_)9joq>jN|bhXPlZZUOf}=bq;g+YGo+p7rm!$!3XFBu{A!BpCdFc zdMIE|6sx^Fo;|!I+VK24%Jfq+mAF7eL`r+=1hB(!@`t9=$sBwMw@^O4z;L6W^#PkX zPEBxqo_bc16VY@QLNk?&o{xX5ZZWIHDsSKQQAC~bX4-}m$~%PAx|D1$KGdso{_yC) zsSZVx-D6n5c``?ct5cGA|JJ@11sO;!!&D^NM8h2Q4d(UOm+9&bnq|GD`I*@U`Qgwd zN6Oo@Pww7#0~lQCwtz~@ZtE|5Eox%Z*fURvh{NHDDG=-(ot8l%CZ64(!0P&}6NGda zd3H;oLrRo^mjrlN#!)$%PL|}u+|<~>^VS!FKfCq%RTye;6szsIT6;Mp-0Z!ok!f1- z>FAJRzRgpR5JO9ewFI%o^!0P{yR{m-N27MU@o4>guxGyC#%NZI#e9`gB5J>D7DGt6 z`qZ=$8zQA~8y)DuWpF)Qhj20#Tj0WU8BoeCAkfuxpI%#>p2aYP8B_7eG|Yn{i65I3 z;@}4K$;63fs4%Y`;iVqsjxkesPc_a!6My8%?7c0k!O;7lhF_q0@nD?A8ir&fo3D3h zrqGP96iM>Zecw{W-dUOb&1k^cCEl9a%`@Qjrx>o8eUM%+$3A zPn@8eDwJW(=Ew?O_PvP*-So&2@e)7U{1f+{@6M`?&buF?pxOrFNvbMPqRUzL_dpS+ zb0}|)9z4Ji=^;P&{5R)B-;6Yey=bFM)o2)Kj`obWFp`ez^aDTor{D9(T#Q9$ie&%HP-RROJ0~9#1YD6wCJ!Zcpr7K@EE_;apFX}Am+@48 zD1S-H-A6Ag*wn@DQ*tG-lkV#O{Q*kt`4(l8G7VAXQ;TDExIz>UIQs)p#8)wp5mKL++*QcIN`@LE>lSbW* zd9ESyYkLF&_DJ9OppBobthUPvxb+tO%O_kv77K9TfWEP0{Zl>)OhGbwUB>`x9M((q zzQ{9Qsi%alElyVV&)O2hS_9jk*4puP-_rUuJVsIlWu<*d;(SH-*m6Axyyx#o5uU2| zUFq8_Obypr_4Dt{Z!hQPJJ(X0*kVZZXV{a!IPJ4RnBs9L_eJC`b)p0aHTSinC5KE| zG+mOXK9F?)wqwjag`BbLzn~dNv_*9pnzDLt{}omK1{==GP#80kk}r`%<>w- z9M3aV4~kBgDB8^WA$py7WqKgs09QP&eaz$S%WciCe#URwH-GvJPNINx)W2>Wf=KfKN_q#(MIZuUn-F?c<;egM@xaTx5@@=&vF=f=6dNdW-6_=ntf`$RW$L_+NudcWsGrLbF*eAK*DSZKiyymD=O z&f9tb(G3gYcZV<)BRlWmhkMmc+c%AUvVbomOomMP`EYrLn;p)9uh(+FKc0k2_^^q@~8-lpQ(>J2a7( z#kfzqSMI0}-W&J$IKGp9K>wn!^ zc-Ye5y~c|yDNE%Lk^z2Bv(Z=;9KP7cXCK5I36q9)XJ>fXcuq)6`mYBf*W8yKD@axg zK0lJm@piZ|*-9)$#v({o-#?x+fC&bXWOJGGHrRA)C>5&ngG3;z?4+on4_**Brn)mX zmb(aXn2;j^Q{Q_aqOM)$r5zCtmtM!r+Cz{YrDQIYg&G&wdWx0CnJvS;a)DvJKU(B(@k-C~LcErf!1h*T<2OG3+<#*2;A7zo28E6JzZ|>iMEtywYOrTk2jf- z0W`XXdv81YEBaGTc}*jy(|7*l`U)rlTn2=CE*$msB52?2~F$K`Tu8_&@O=H-eaAtnfuXqR& zAs>APCv?+7ekoIH19u40xp1EkN!29aO4`D|7%QXE%k8<}F6R*;~>^MO_YaK~VeB~@|lho-981z{@N#ToD!}sm)7Yo1k$>_@g z^KU*hf6Kg&$TL69n6om21NrDuvV`Su9L3Ll8EYoH!{MrY51%iSExhBdA;G_%&_VIC zsPc2Jr-wC^giM{q#?xhb5g9sisq+WP2@byr=E+h6P{Y@1_Xwv>F@iuSD^(U3)%l6O z>sI`sHHS)+@>OaHv#!bE6uV0;aDR!INr0*%duXnVCY_B1zc*;bpy&C$=TsF(i~8_( z_-ZK9c!~+Q8>fDzoFUaH+4@)-(mAt@<|uS=7`jMRH01~vhSPtX*eBXKYd@y zalsW0&|ba%D+8@1DXrTMru&Yed*VrY)LKs@(_zM5Nv!f>oInEc88tkYxwQ*D2t3Z} z&~$P(+FiXGNVMCIhEJzkPG>6_Zpu^_E1hQxHPzI0Bx~ky>0^ z6DN4-mu(_@wpx`YL-x3{<)6o`^&zao75Jpd!|#N0?dx*Vc`Kuftve{9wGCq2P=fmF znEF~ru*@~`xEscZKsmw$xQSBqh^~s1ERRwmXCO<%zxP~*c zKzzj^ov%8}0Fm!!Q(M*w(u@k@cGs*dp82>rWL`YsPmfcdUY+u(Vl`M#FD8ehCMey* z?cD}6?`g*5tRX6-P1Pz6)k})mvD86w6CzkyIMANvcAD^+yCx2whrmeM?CxRcOQZMV z4^p+eh3C%5Q>Jb^GtTy+Ojn<@dTFqEx7+MH`)$z9>`0>6YXW|!OqU5%xt0i|zk;v>6w3O6IgNk0P9^%e)MUU2^FolqTKV2Xjfu>qtR5V4dDDRZwu7Y9 zRR14maAz=G3?-=2oTqGkugbNNmjb%KaIXi4gL_Fk?JXS{Z2;|!nEpif*Y?Kcp)b8I z|Azg#nK`jkNq3h-JU44TYiL)^K2IYWO17e_@lCfDu={8D-hiP{1TJ4It4U|AyRw}b z($U6yfSSMTL!)ww090rqQThxc_Y%si`)jdhFIJKIz6@0sM^ESbhW&PAFw0m*&xl&bT+i|-7<32D8SnDii z9nn9=^c|Aj)p#^y#*$7{EHD^gd=|0z9Fr7V@X0qol43oD2JLnhlOG-)G|=12P9PK0 zK@_V+q1nosGKPY7fzYwOXLNljf<+KCF^LjM0{zyhP)d+KaC~4vm=}SKeB?R z-an@X#k>#uF`C6gk{_Ogm>VAki;JI)yA4;lEoq#Z!6u4RObDs>%$z)>l{GHrXMb;3 zP{2HO=6%X(pqS5;hGY+&eeKNG={{8RW~9=Ydw~nk;sSw}Cq0f%MhF5DXm$ch*9y|T zuI#}(gf&Bmd%1O37n+KX8TZ4rk4R}3s=O&(Lei~9do3F(Dt6};_wW`zDt<(G3suzy z31pze`u1*6OZe81H?|XOK>wkARYTv;$UQfH?j=oBER3%B?_ZB~mq(;~4{GhjEEBmG z&BiHukbw=IU5~2kY%>T#_7#0p{`h|R&dE`osGn8edQ=Ed@b~47T4U)oS+f;sV6QzQy8EE$ zHtp@?T9F`LUP5L{ex>t}C0RfLNC4a|DSeA(uZz7SH#-707HMk6{$-R^A@^?c$`GC$AEY{BFZ~vIDr?@T-&mrEP?C z_LGC*bwgb1gOdOK^f#+zC+Lr8FZkl#3<^v!sTE}+_?M#c4kd<}{_YR41$@ydNe8|i zkih+*@qcdjJpj-I^S^!qK`k)+PjoUa-Ty}_5BxPb!jQlp&FkNSuM=>ev0u%C^?3hC z*#G_-pmF-gI{?1$jaFM<3)}#6wYae(`g(j42G#ZH(7!(RfBpR2aFBIfn{|-%pzv60 z2-Dc?UCY(v^hY8b?5~jeU6o#QeE@Ajb_+uB?$mI2J?f&)nRb0A>+R6earF)9*5f7h zO%-qQ@mnwT&Z#~)a5E3PZH2l?h^^=HB+1~~nXGAT)yAkf`uM~uE^%Cm5&;IvS1OTP z*ufYR>Fx=5v_y}`{ymQnU&x*$zRMjwwS9Q2Xm}ZWylB5e8{+Z_$-8-?ZaVQ;yNmU7Uh^gjRUE_# zH6GL)e0#r|mA6?@y-!qaJ{SNf!<;@e%ClWK5P(xDhU|~>JxIoIxw~@(G$s5yDxTQC zxjhl~kEUe_%+F)X+tmN?S$v}``Q5a{TKrG~O>_pH%+yoK7F&7*>Erfwbp$x%yfPVgR>wWN@v- zKaMQo5!hTA>?D}|$>q*eyz3kp5yGF+XYzfcAb7-}bq@5n32~ z&NrC)+_vLMQ?JkZn6TVVwyP$rUN;neD@+lBAlp(0oTB@WLG5{gx8ZWNmTNUfhU{`Mn!5#CSQj*+X};$BOtXOxW>SF1|Nf4SdvELwX$+jggbg?H{^4OGk%tWv^GgSR?pV20 z#h>1NmH6#Lyc+>FB7>Eny02YMs@s^}QAnk4mMzTMqgdp@#hC=vd3&#)UbLrPbm>r0 zQi9X8T4s{`%ZORuLjRn?{2ZJ&Q~W%g#I4=dbgWW;NB1>i+`e?mf_^3y>>LqlZ0T4F z^88DkEl~y%1}46j?h0mH%RJ|w`7Lbm0X(-}L6a7V-d3Wm86+HwbbFrR-vvp1w=!la zgEn$mVau`tHiQh>5~U!ap<-3LD?Q8q{uS%M-_*O&AiZw8OBfaKzcQnL*mIvNAZXBn z-V`Vm5Bg_&mhzlq10W>nJV-Z5SLyo|3hie#F6jkvVWeSl&`8JMz9_3mAv#-7jG=A5 z&dh5SmQDO5(<*pT-}_SJzxDydWC>n?DI51csK@8O7O7FjgFZW{AaFX@hYszxZBYX5 z3A&72{+{ulgMU9*`KL^d!Ys6Bas#*fRCkB4>or=^%PU?3knAm87XS+DW81F*!jR-2 zQCVX;KP;#;vB)})7&z5!JUdx&BW=A2A?{t4_MYo}bmDK{&_}ck^jlL>wGXXQmwzp} z%AM|_K@Ey@cP@Jg90?vpE0{7oS(i)J^PBKN@Yy9S1;#XFU68Z_8T8$Eh(22er z;m|}ae<=XD1Xgs{2MoAxd8wPEhUGuHDf^lW&Z?Z;eM)Df z2w%K^l%sLhd;>vPCH#~Pkt~_XRCem%~;(PCl}ad&65R0fk!!m%-_Ke-Am0 zD^1UV`F2ObihJGD)0bU8em)dpTV>0g>b%2-Rxtx)HdEBlFwFM5Z{&936~IhVGox48 z-^?*vD}@qGwjxjd#$MJz(A7-AR#jUoa|^@4f&ddYL&vkhw@{Es@Mm8YB=%*;2-02@ z$Z0ss>`^G3uB;zGLRgtdaW|&2zq=c-LW1vIZ6^;OOvt8 z+EHF4N)JBWA+Pr9nla7!@}XN4N1P~&=s?q(dLdy$jMmDY4f1lOs@GHNT)UWtk!5#K zvpM-KQ=a`IV4uUaC~NBE90DOJ<-V%#FNmxa(1ajeG&mj1W}>0Wucatk$L)0+6-c*? zwjT~o2p#>!DT>zA_7g}7+HR;A4iT|fV6Ay#xzLmix}`mq$CxBlWe>w_8G7N*;|C)f zvuBrj%~5(%zRyif;E-nhj~QQl1K1*#3A-xL+BuWyN>i5O&q*`P6Tn(-WLOsiRBqs6 zxcUg0A}gDk`d<79un~t3h|#KgjoJqnK6de`ZMzf1{zBGNR-KwyJ*EOw8?Sa~Q(XGQ z`j{?^x*bCiSxM_Y=cYlUI^r9b9KTKohYrj3iq^K-BoOzd97^boOzz)5exZ>4Tgcs4 z1r_W)ZftX;1~L+`j8&RAGL8M}rnt9yqHb18>B^8so5#iUYZIkON@9?|@(S0S@gxyC zIUCqGw}UgX9r((0|G0U^1UmPVa7?LffzL|J>T5fynMXdy#^A1O6}GOzZa zgbswFOB)7^&z`yF`dq{zLy209QtiHanyfU1C7UwjqyOsO3-;~{iF-GbZ+~)0p6S8P z7Q6xV3XSQdmAdP(Yrrcy7lsDga`&DO5)?Q)h#9XiM0AuI0$%Vvow_ zm-W>)9>v2DvdPgoH|P)*#PsxC1T=H zBBOb_LK8*O5}t6aRV=~U8P1jG^8Q-uu^b7o62QrB_KeYC^MFXD%0GfvXY%^^P3CYu zU=~eXnK7A7@paF9)fUP_ZOqe+E_hW)eCnO$LWegcZlLdK*^xr=9uvF6U4hA*CjN3A zs&<{9w5jJWjY9m>dfHn?>|Z#0ln9oZVVsC*%+52;)zn0a4Is#mHjft>f|RI1YoXGA z`!0}uooHh6yU#rlw7q(qxTM`AjcK5&GxR0ago9+|&j^*qs+YPEp=3Bz7ORb zP?A=;g+0!`usc@~)01?0el)dI&nG(U?W){2TJxk)q>OcCA%nfJU+(ypxU$4~kv3*n zZ=)x-%|O&Q@|`Ag-1r_&}pT!h=;{op}%Y&{_cV? z6m+JThTYda*3x))$2AuLFE!{IHxrjDpA@d2WOA~76Tis5?~*mtcCMG~qT}N&tQX^+o8{yk{a*DgY0Q^()PS+%BP1N)Mmg!06uwTnr)9qyqM- z3|&j`wG?fg zZ(shP?65H^Q}_9cYhY9R+`wQcrFe4;*DItDjAp835Z}EObMOYm7r^~0QTO>5@KC@Z z0Y8tZS!;^O zQ?+rPJ`pREeb15_CFvWV$W|8a0(yDyE?=4@cAUrDU1>3C4^qk&E}3h;V-2<3lV6W1 zLD!2)&DAN*a|Av*r8Oi$d1+7B3`)`N4tBn5(e1Y|2FTVtA=?=fc_ppoHzzV>%JxrI zhOm_#aTsk^pKRMpmtt@x8g;xL8g`WMJvi(d-_jErF;-wN)$#Bwj^)RC{FN2C+FOo6 zrf?`ysQg5iWWD;mpe=~N@yT(q3B_OxpFA zzm54gIs|6dBK#E08fsH}mHDezTbhUHH3H6UDTeP9vP6UcJ9a6P35>5xgtCF|^qArc zS(4-1$%X+MhAAmCH_&WX_Xy9m7LQ2}sSA=48!1=tjwwC&cnum0cJ$$Lqw6;5zJz&v zHP=06m%B&O_AfY?YaOyv&xmI0iP3T`l2?&;!cqD!DMPU+Dr0LXcY7Whk1D+eXF&)T z4=81e8QBzvQ(kMXq=*APzF(vgzTj(e_=heLF_-F_^5e5Fb9;oOSdLYjzsN@%YGh4< zWrB+eVtb{N){ksQ9s>>S>L(}b?dc#APpwv3A^9+lb+{wSL;V3`D+4M4y0*4A{J;?`Bc%G+K?I zE*30VO61|&ZC0msC}UL#gd_9Y?(H|&;kJj9mOX^bO*Fdgs=JIN|F7Nn)tp1Vz;An2 zY!mJI{_V$%1x)I8S!f!qFTvfY!mr-=mFNmZGE+C3U>Id8%P%5XYX(>TY}nIs(<2G- z8PSZ2JRahsLc9@bClYP=80XbhTQ>U~w}Q>z6YH?DcrCb*?dEiVIt-HHo<#U$n{^lz zQm(4x)b|M9u%UFq+zTezildkFbWZp_P7&c7T}DncVkRONi10nDlxT>K?pry2%F)qV zc)QV3C&E{rb@pmK)hDCxs$CO6GsvAA1thzi#?|$^Hoq`#1=}NLKWOU0De_q=I>L6J zdce40$3LUOD&r~d=HW@4>fh{)hr;tmPi!XA5!Dr|bIu`1LarE&w=aeSngdYLHZTL!6bXA-oLmx!V&Odt8Z|nN2F7Y zk)t6&5f(x53xEeAT$5xk)EneCe7=9wf5ChYS5ds z*WXYoIH(5EHvtwzqd*zU$u0P-mMfOh6I>C~O86ODE;Ig^;_pa|15NO0*A5PR+%?_4 zTi}8P4a_Amr+d;ZDF3}SCrf_E7tjjTQOw@L--J@ngx58VRN z4{9mhb_xo}U?8&Kd0;2v&zYDg;CJnMIuFM=?62;Ovh{cLU(pP^Rx6SWvXw;hr0kBd zwS;`^TztkDzC0y|M@Li9(!$9jRegB^QZW1$x&MvPOrv~GWNtlNRx`=a59*f4;4Mq4 zd2RYWD~!>gBxAwMd~p|(%Z%@Rg;~$z7`8|R3GtgW>D<@1+iNKt@cAFWVBHW6d>ec` zBFQZ4Ep8(3_koF0CLzjC<*a@zUElel=*>A(5ah~3)k`%{JUv~vJw6^CFW6T$NEUfI zn%7L*Xle0x=v7d$vrk(AQZYE&h{gZJ@c2e6gU_v%p{%U5aTt4?HCL;OBAb~2X3Do- z6rw$a=P5lpyUBTFN<)<9Wb5F9BTJv1w;Y+x3quhGcChvSIu)KWmV zb_zbr80{aJ>Rtm13=6#h%C}os7!ueA^I}PYI8ASFvS}^ zXy;usJ1gbCv1z{SzX2CnL`gU<3GnprA3XSTMxRU*2G6(->iEyL8bmridUWwIDH}*O z*STGPM*Zy5e<76C;Os}3WN^G1()c#=AMhpm%YOi(6D(s?U*GkO*h~*vuRp&Q+1KYc zrbtxfMGP}Ad=A5^Fe&q==9?6lA?!o(CRk1fPAf$HU)m&?IVlV&`1SW>cXkeiWSXt? zx{zR+`i;O%z2={_o&4B7y?gwohkunLYilX$zHkY<)rj59WB1wb?Jic@qD| qJYztVk^g0_{P(;6UqyZ2-o5yhbfkH+uKor7`ywtURxa|@@BaZn09=Ov diff --git a/versioned_docs/version-v0.22.0/contributing/release_flow.drawio b/versioned_docs/version-v0.22.0/contributing/release_flow.drawio deleted file mode 100644 index 6ca6b34f..00000000 --- a/versioned_docs/version-v0.22.0/contributing/release_flow.drawio +++ /dev/null @@ -1,721 +0,0 @@ - - - - - - - - - - - -
-
-
- Review release notes -
-
-
- - - Review release notes - - - - - - - - - - - -
-
-
- projects -
-
-
- - - projects - - - - - - - - - - - -
-
-
- projects -
-
-
- - - projects - - - - - - - - - - - - -
-
-
- Organization Webhook -
-
-
- - - Organization Webhook - - - - - - - - - - - -
-
-
- projects -
-
-
- - - projects - - - - - - - - - - - - -
-
-
- - Publish release - -
-
-
- - - Publish release - - - - - - - - - - - - -
-
-
- Maintainer -
-
-
- - - Maint... - - - - - - - - - - - - - - - - - - - -
-
-
- metal-robot release handler -
-
-
- - - metal-robot release han... - - - - - - - - - - - - -
-
-
- - no - -
-
-
- - - no - - - - - - - - - - - - -
-
-
- - yes - -
-
-
- - - yes - - - - - - - - - - - -
-
-
- version in event newer than release vector version -
-
-
- - - version in event newer than... - - - - - - - - - - - -
-
-
- - do nothing - -
-
-
- - - do nothing - - - - - - - - - - - - - - - - -
-
-
- Github Action -
-
-
- - - Github Action - - - - - - - - - - - -
-
-
- Bump version in release vector and push to - - develop - -
-
-
- - - Bump version in release vector... - - - - - - - - - - - - - - - -
-
-
- Open pull request from - - develop - - to - - master - -
-
-
- - - Open pull request from develop... - - - - - - - - - - - -
-
-
- Update aggregated release draft in - - metal-stack/releases - -
-
-
- - - Update aggregated release draf... - - - - - - - - - - - - - - - - - - - -
-
-
- Integration Testing -
-
-
- - - Integration Testing - - - - - - - - - - - - - - - -
-
-
- Merge to - - master - -
-
-
- - - Merge to master - - - - - - - - - - - - - - - - -
-
-
- Review -
-
-
- - - Review - - - - - - - - - - - - - - - - - - - -
-
-
- Tests suceeded and PR changes reviewed -
-
-
- - - Tests suceeded and PR chang... - - - - - - - - - - - -
-
-
- - publish results to #integration - -
-
-
- - - publish results to #integr... - - - - - - - - - - - - - - - - - - - -
-
-
- Release metal-stack -
-
-
- - - Release metal-stack - - - - - - - - - - - - - - - -
-
-
- - publish to #announcements - -
-
-
- - - publish to #announcements - - - - - - - - - - - -
-
-
- - - metal-stack/docs - - pull request - -
-
-
- - - metal-stack/docs pull requ... - - - - - - - - - - - - - - - - -
-
-
- Freeze -
-
-
- - - Freeze - - - - - - - - - - - - - - - - - - - -
-
-
- Freeze - - develop - - and create a release candidate -
-
-
- - - Freeze develop and create a rel... - - - - - - - - - - - -
-
-
- Large integration suites -
- - (currently owned by FI-TS, not public) - -
-
-
-
- - - Large integration suites... - - - - - - - - - - - - -
-
-
- Run -
-
-
- - - Run - - - - - - - - - - - - - - Text is not SVG - cannot display - - - - diff --git a/versioned_docs/version-v0.22.0/contributing/release_flow.svg b/versioned_docs/version-v0.22.0/contributing/release_flow.svg deleted file mode 100644 index 55cdd493..00000000 --- a/versioned_docs/version-v0.22.0/contributing/release_flow.svg +++ /dev/null @@ -1 +0,0 @@ -
Review release notes
Review release notes
projects
projects
projects
projects
Organization Webhook
Organization Webhook
projects
projects
Publish release
Publish release
Maintainer
Maint...
metal-robot release handler
metal-robot release han...
no
no
yes
yes
version in event newer than release vector version
version in event newer than...
do nothing
do nothing
Github Action
Github Action
Bump version in release vector and push todevelop
Bump version in release vector...
Open pull request fromdeveloptomaster
Open pull request from develop...
Update aggregated release draft inmetal-stack/releases
Update aggregated release draf...
Integration Testing
Integration Testing
Merge tomaster
Merge to master
Review
Review
Tests suceeded and PR changes reviewed
Tests suceeded and PR chang...
publish results to #integration
publish results to #integr...
Release metal-stack
Release metal-stack
publish to #announcements
publish to #announcements
metal-stack/docspull request
metal-stack/docs pull requ...
Freeze
Freeze
Freezedevelopand create a release candidate
Freeze develop and create a rel...
Large integration suites
(currently owned by FI-TS, not public)
Large integration suites...
Run
RunText is not SVG - cannot display \ No newline at end of file diff --git a/versioned_docs/version-v0.22.0/docs/02-General/04-flavors-of-metalstack.md b/versioned_docs/version-v0.22.0/docs/02-General/04-flavors-of-metalstack.md index 7da427fc..2277ca6b 100644 --- a/versioned_docs/version-v0.22.0/docs/02-General/04-flavors-of-metalstack.md +++ b/versioned_docs/version-v0.22.0/docs/02-General/04-flavors-of-metalstack.md @@ -14,7 +14,7 @@ As modern infrastructure and cloud native applications are designed with Kuberne Regardless which flavor of metal-stack you use, it is always possible to manually provision machines, networks and ip addresses. This is the most basic way of using metal-stack and is very similar to how traditional bare metal infrastructures are managed. -Using plain metal-stack without additional layer was not a focus in the past. Therefore firewall and role management might be premature. These will be addressed by [MEP-4](../../contributing/01-Proposals/MEP4/README.md) and [MEP-16](../../contributing/01-Proposals/MEP16/README.md) in the future. +Using plain metal-stack without additional layer was not a focus in the past. Therefore firewall and role management might be premature. These will be addressed by [MEP-4](/community/MEP-4-multi-tenancy-for-the-metal-api) and [MEP-16](/community/MEP-16-metal-api-as-an-alternative-configuration-source-for-the-firewall-controller) in the future. ## Gardener diff --git a/versioned_docs/version-v0.22.0/docs/04-For Operators/03-deployment-guide.mdx b/versioned_docs/version-v0.22.0/docs/04-For Operators/03-deployment-guide.mdx index 58ddafd3..6be800cd 100644 --- a/versioned_docs/version-v0.22.0/docs/04-For Operators/03-deployment-guide.mdx +++ b/versioned_docs/version-v0.22.0/docs/04-For Operators/03-deployment-guide.mdx @@ -31,7 +31,7 @@ You can use the [mini-lab](https://github.com/metal-stack/mini-lab) as a templat The metal control plane is typically deployed in a Kubernetes cluster. Therefore, this document will assume that you have a Kubernetes cluster ready for getting deployed. Even though it is theoretically possible to deploy metal-stack without Kubernetes, we strongly advise you to use the described method because we believe that Kubernetes gives you a lot of benefits regarding the stability and maintainability of the application deployment. :::tip -For metal-stack it does not matter where your control plane Kubernetes cluster is located. You can of course use a cluster managed by a hyperscaler. This has the advantage of not having to setup Kubernetes by yourself and could even become beneficial in terms of fail-safe operation. However, we also describe a solution of how to setup metal-stack with a self-hosted, [Autonomous Control Plane](../../contributing/01-Proposals/MEP18/README.md) cluster. The only requirement from metal-stack is that your partitions can establish network connections to the metal control plane. If you are interested, you can find a reasoning behind this deployment decision [here](../05-Concepts/01-architecture.mdx#target-deployment-platforms). +For metal-stack it does not matter where your control plane Kubernetes cluster is located. You can of course use a cluster managed by a hyperscaler. This has the advantage of not having to setup Kubernetes by yourself and could even become beneficial in terms of fail-safe operation. However, we also describe a solution of how to setup metal-stack with a self-hosted, [Autonomous Control Plane](/community/MEP-18-autonomous-control-plane) cluster. The only requirement from metal-stack is that your partitions can establish network connections to the metal control plane. If you are interested, you can find a reasoning behind this deployment decision [here](../05-Concepts/01-architecture.mdx#target-deployment-platforms). ::: Let's start off with a fresh folder for your deployment: diff --git a/versioned_docs/version-v0.22.0/docs/05-Concepts/01-architecture.mdx b/versioned_docs/version-v0.22.0/docs/05-Concepts/01-architecture.mdx index 709960e3..75298df9 100644 --- a/versioned_docs/version-v0.22.0/docs/05-Concepts/01-architecture.mdx +++ b/versioned_docs/version-v0.22.0/docs/05-Concepts/01-architecture.mdx @@ -152,4 +152,4 @@ Thus, for creating a partition as well as a machine or a firewall, the flags `dn In order to be fully offline resilient, make sure to check out `metal-image-cache-sync`. This component provides copies of `metal-images`, `metal-kernel` and `metal-hammer`. -This feature is related to [MEP14](../../contributing/01-Proposals/MEP14/README.md). +This feature is related to [MEP14](/community/MEP-14-independence-from-external-sources). diff --git a/versioned_docs/version-v0.22.0/docs/05-Concepts/02-user-management.md b/versioned_docs/version-v0.22.0/docs/05-Concepts/02-user-management.md index f1ee2778..ba742ee9 100644 --- a/versioned_docs/version-v0.22.0/docs/05-Concepts/02-user-management.md +++ b/versioned_docs/version-v0.22.0/docs/05-Concepts/02-user-management.md @@ -7,7 +7,7 @@ sidebar_position: 2 # User Management At the moment, metal-stack can more or less be seen as a low-level API that does not scope access based on projects and tenants. -Fine-grained access control with full multi-tenancy support is actively worked on in [MEP4](../../contributing/01-Proposals/MEP4/README.md). +Fine-grained access control with full multi-tenancy support is actively worked on in [MEP4](/community/MEP-4-multi-tenancy-for-the-metal-api). Until then projects and tenants can be created, but have no effect on access control. diff --git a/versioned_docs/version-v0.22.0/docs/06-For CISOs/Security/01-principles.md b/versioned_docs/version-v0.22.0/docs/06-For CISOs/Security/01-principles.md index 8e7030f5..e327ec4a 100644 --- a/versioned_docs/version-v0.22.0/docs/06-For CISOs/Security/01-principles.md +++ b/versioned_docs/version-v0.22.0/docs/06-For CISOs/Security/01-principles.md @@ -15,7 +15,7 @@ The minimal need to know principle is a security concept that restricts access t ### RBAC :::info -As of now metal-stack does not implement fine-grained Role-Based Access Control (RBAC) within the `metal-api` but this is worked on in [MEP-4](../../../contributing/01-Proposals/MEP4/README.md). +As of now metal-stack does not implement fine-grained Role-Based Access Control (RBAC) within the `metal-api` but this is worked on in [MEP-4](..//community/MEP-4-multi-tenancy-for-the-metal-api). ::: As described in our [User Management](../../05-Concepts/02-user-management.md) concept the [metal-api](https://github.com/metal-stack/metal-api) currently offers three different user roles for authorization: diff --git a/versioned_docs/version-v0.22.0/docs/06-For CISOs/Security/04-communication-matrix.md b/versioned_docs/version-v0.22.0/docs/06-For CISOs/Security/04-communication-matrix.md index 07df2607..24c1bc1d 100644 --- a/versioned_docs/version-v0.22.0/docs/06-For CISOs/Security/04-communication-matrix.md +++ b/versioned_docs/version-v0.22.0/docs/06-For CISOs/Security/04-communication-matrix.md @@ -116,7 +116,7 @@ Please note that every [networking setup](../../05-Concepts/03-Network/01-theory | VLAN | Switches, Firewalls | Layer 2 traffic segmentation. | | VXLAN | Switches, Firewalls | Encapsulate Layer 2 frames in Layer 3 packets for network virtualization. | | EVPN | Switches, Firewalls | Overlay network technology for scalable and flexible network architectures. | -| VPN | Firewalls | Management access [without open SSH ports](../../../contributing/01-Proposals/MEP9/README.md). | +| VPN | Firewalls | Management access [without open SSH ports](..//community/MEP-9-no-open-ports-to-the-data-center). | | BGP | Multiple | Routing protocol for dynamic routing and network management. | | SSH | Management Server, Switches | Secure shell access for management and configuration. | | LLDP | Switches, Machines | Link Layer Discovery Protocol for network device discovery. | diff --git a/versioned_docs/version-v0.22.0/docs/06-For CISOs/rbac.md b/versioned_docs/version-v0.22.0/docs/06-For CISOs/rbac.md index 9a87b896..06c902bb 100644 --- a/versioned_docs/version-v0.22.0/docs/06-For CISOs/rbac.md +++ b/versioned_docs/version-v0.22.0/docs/06-For CISOs/rbac.md @@ -31,4 +31,4 @@ To ensure that internal components interact securely with the metal-api, metal-s Users can interact with the metal-api using [metalctl](https://github.com/metal-stack/metalctl), the command-line interface provided by metal-stack. Depending on the required operations, users should authenticate with the appropriate role to match their level of access. -As part of [MEP-4](../../contributing/01-Proposals/MEP4/README.md), significant work is underway to introduce more fine-grained access control mechanisms within metal-stack, enhancing the precision and flexibility of permission management. +As part of [MEP-4](/community/MEP-4-multi-tenancy-for-the-metal-api), significant work is underway to introduce more fine-grained access control mechanisms within metal-stack, enhancing the precision and flexibility of permission management. diff --git a/versioned_docs/version-v0.22.0/docs/06-For CISOs/remote-access.md b/versioned_docs/version-v0.22.0/docs/06-For CISOs/remote-access.md index 0b8dbb19..dc24e82f 100644 --- a/versioned_docs/version-v0.22.0/docs/06-For CISOs/remote-access.md +++ b/versioned_docs/version-v0.22.0/docs/06-For CISOs/remote-access.md @@ -6,7 +6,7 @@ title: Remote Access ## Machines and Firewalls -Remote access to machines and firewalls is essential for performing administrative tasks such as incident management, troubleshooting and sometimes for development. Standard SSH access is often insufficient for these purposes. In many cases, direct serial console access is required to fully manage the system. metal-stack follows a security-first approach by not offering direct SSH access to machines. This practice reduces the attack surface and prevents unauthorized access that could lead to system damage. Detailed information can be found in [MEP-9](../../contributing/01-Proposals/MEP9/README.md). Administrators can access machines in two primary ways. +Remote access to machines and firewalls is essential for performing administrative tasks such as incident management, troubleshooting and sometimes for development. Standard SSH access is often insufficient for these purposes. In many cases, direct serial console access is required to fully manage the system. metal-stack follows a security-first approach by not offering direct SSH access to machines. This practice reduces the attack surface and prevents unauthorized access that could lead to system damage. Detailed information can be found in [MEP-9](/community/MEP-9-no-open-ports-to-the-data-center). Administrators can access machines in two primary ways. **Out-of-band management via SOL** @@ -26,4 +26,4 @@ This approach uses the [`metal-console`](../08-References/Control%20Plane/metal- Both methods ensure secure and controlled access to machines without exposing them unnecessarily to the network, maintaining the integrity and safety of the infrastructure. -Connecting directly to a machine without a clear plan of action can have unintended consequences and negatively impact stability. For this reason, administrative privileges are required. This restriction ensures that only authorized personnel with the necessary expertise can perform actions that affect the underlying infrastructure. These principles will evolve with the introduction of [MEP-4](../../contributing/01-Proposals/MEP4/README.md). \ No newline at end of file +Connecting directly to a machine without a clear plan of action can have unintended consequences and negatively impact stability. For this reason, administrative privileges are required. This restriction ensures that only authorized personnel with the necessary expertise can perform actions that affect the underlying infrastructure. These principles will evolve with the introduction of [MEP-4](/community/MEP-4-multi-tenancy-for-the-metal-api). \ No newline at end of file diff --git a/versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP1/Distributed-API-Working.png b/versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP1/Distributed-API-Working.png deleted file mode 100644 index 899e223d25919d8ec5a2c2cacd2099f8731ff1ee..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 53600 zcmeFZ2T;>r_cw@$3U)z7RKP+JK_HYQfb^w6fB)Pfwd&)icobx&7hUsBY2lk%a z%f!TVKuc52fQgBP%EZJR$GRK5ljyUCWnyAGKvXv)y8Al1xH&NKOR8@F#V;Z5Oz4god=JIGE~!84SiRsRI7ealw;(!EawA+!`(=1pZR? z@Njc5b+ARd5TWss2vJEm^cA$Gk**HEgev&k%?0NGexV%fa0KWp-gp}i@JrR%i{S1; zatB{S$cT!IO3Fw{iy~zH`2>9BfB(LrjiZg1%YRu0qSMF0%iD#3-zF0#Au25j+a}0? zXydf~E*$Tu1=n>$Xc8UGWF)ZmUNQ*f?J-0@4~OkB_6|NSc3@2jeo1w}VS5)FCodcD zY~n6|If#SV!XzYga0G;fy|yVuP0G|75C;uMnE2?}d3sB!>xtU{l2s%O)iEw)A5A<) z2PS(~6eAV5gQAC6fUJ9oL=ukJb$GPg-z->|PaAlOUrXk$k-Vm>4 zgc0|l_<)(nc$6O)W-dWAG%}!&^$1e>WF*B`5~WJk#()ppu%^bQhAMVsJ3l`uGee@S zxtX)Gqcn!7qCtR5!%2oFp3=r@%BHFo9>%VQC>?WOG}^@pMxi(%O#Eb|%}q36o=&cg z>bhQj>R25#(NRVfCV{drl_X;|!1N~esu-9L#X{Lt+}*^^&c_`oC4qE=I~eI|`d9!i zYe+cY>@j#r54emj(aZ~@=4Y<&0Mtpv#X;B4#*ZK)>5Iqdqs^2tw)T*A7&+VONt4vv zwGAx1ZShz?6rSR01Bbh7>S$8%YFhTTdd4cgx}IuU-iEfGb`UFd@UE^7es)*{S=t

*#5l_~}a_O?}C}WCN6`r#iyi z)k#~@UE9Z9ljP-Uh&Hfr_8`MG$S5}tPYHxAPFL4a3W!mKs4U@ND5D{vrmZXmGt-r{ z)gpVtRbA1(Zl+kAyOe~E4#tIo5;w&-`xyCXs=BGmpxq47HV7$-o4b>-qpz~F5#AFc zr2}&^G50lcvc*ezxNAG0ytTAE{BRgoM?f>l#?Kbz?5U?>DsGIh#S@Hdq#ZmpoPAu> zZM4CbQGppzT(rH>Kr=Nw5t5Ehp3(>%BP|soT3JHez}?TxPR9i)spey+t}p3rYoH;m zE)FyHbthmj(nvjoorAaz+Dli{z{}jhMatgUS=GZ&UDwSQrcN-kGts7a<9w029(b^f z6alL$PQ+^?+*CbLs@`rcHa?PO%JxK4H@q4aVS{ra!)yphO>svlH)8`y@C74jUy7d& zO4`QF981C?ZC%|E6pEca%t74N1!-&~Nz~9HJDMY;Oug;QB_vHflvPyx%pIKVl^vZm zZSlHDIDw=}q1c-HN)wP8&RB}AgOshBF&ugp3oP2s+1TEggf-Fg^Kf-`aIp1}a6`as zHPw)gh8FrryrikK3Rx2&X^STMIGS1*%ec8pY1kWksLI&NxH*VJqVs~=K$`@uLexXM z*!qbh9gMJ8X;&9#bw4dUTG~!o%|_D!MZswpOG%1rxT)*to07=3WSFhAgpMjqQqtVr z-Q7gW*9NcegYqG(=mLE;LaAwxwY=cQj_SU4`noF4CVJv3wvJjbtTM$;TNUkOVr=53 zqOW6*uy=RDc%votwLJ;WNW7Oa8jbVyLBnC%p8C#`YF-v<<|HF8TQf9@geEB?br1*% zoR+GtgRweB)zs0*R@0Z{ts{eSur-8Bc^YV``MALhlnMIoHumN!KvOVSX%l^8Uu_)G z4G;%tC1~r2`$@w*JUldP!AnO|PkTR485svvPiZ@h2?p3h6$v*zU%Z1j+#KNzlZ5-| z7=ibkP(%w?Ef04iHwQAz9%g}a^^)-t$EkUeP(DuLMjkj_k}i%6H}I2CclE`nB6N+= zUM404TXB+yA4 z4AH17~pPo9xOUnhPYzTzrqavek@2>8m zqlt2X6Wx^kBuEaP+8Vwx<~U;*&J2tIN}y(-uB)yGW{2tN80krPpe$gv23~lgiVu#g zDXwi}s|%OGIO`)|>IgVd59vrUw~;V#L-=~T`x^K;!IeF{P~vvV5O2(!%wRZ4gqx8E zLJDn*cJq-o*EAukNlIe0d}So;b)~c&HH?rx7%6jc7r2|WGFjTqSK7oBZ|-M+a+lFm zCfLBe_4Q?pO^xlH+|)dgZW`vE9(qU_2R)<T2u;hA6wsc-q@xynu3RVN5CZ$^@jVnx4BO21Sz57B`T@n>azXS_7sbW8#GNu`tH^ z*yxhA9dt~c?Yxy$o#2|T7A|-@oSUArG0DZ(Km%^*=L!vneF-~lbC|g{3OdA93?Qa!gCAE1iWv-}hjDfwYB-5&7?~RxqV=5pfJdM~HYYeE z+-2;vC1o)7I-Y1LFF$XX0iFWBWeyjI;T`oPEwJ`Fz?o3-GSIQdYN4T%z)8a%Pa)&o zkr1Q2P4)FPe2_$E6$E&ttPdT?&_AG68vmTbTZb}u{nzu6RM!>16UD@IhDl3J*~r&w zDrsMZkLq`ZAm1&o{cKoS&9RV!&%5PbC>R_)r(!UcLOc`Ge>yD@n|?S|MfMySzi~#vuCHF{U58gGO`wOibHkJpyY*nAbNsO^DDEf5QHfg#u*BI37sZBI}ti^WEJw@k+u>FAGh? z?O3+g0<%|V4x*WuwmE+utaZ9DE~Tl>JV@rF-Cu4;upFj(eLbn5y2blBmcs|`iG`Xl z={eXPv@)R#`o;&5!eJ=dS*C$2mk@xSH6ciM6)5pzr zgGD9gbz=U?2nW8~!SzmIYpSDK@76K~x`Q5RHHkY<@O^yoQ{pcMz|-bPh6HX)Au421msUhS7oBX=+@^I~>!ZV8qHcp> z5;`YEw~5+h$sw%ePLHO%mpJzf^X0RozRI?!bJ)&c%$=Clw`IY%V=^HKx2`TA|M6L7 z^#17E_1h$b?gzsh9!p)l4GA`MgUxJU;Yv@F;tdBirKFfgPS0;{3*3xDDe-k9)6%v? zG`C3z*P+~2HWd69X-v#q>`IAW#9d0Z^?j8iziPbrZA$R&`nw^rLg$;**tV4*UmyhO zkhEiJn}kQ(Byc`i*ncAf^DokvSS0vDkg+x`9$Z@@pBKCq*h+9$WbBVSvV&xxksQXp ztqRw4nLNM9?(Dj=MZ&pl62v6NxpwO&+5bb@4pw_jCeMrilFBgl8j;xcATqM^p#A?- zNh>|u4b<&q^O%IxjtMtsdm^;?A@u?8S7(Cv|LS_az{97`;sXJHN+9Zcau_V@JH1{@@-2)!y#x%XZ4)8}kN5A}W@tzVY)7@w5X&{5zq{j(lI!#LGzOhe z{P|pXiOk63Gz@a*`d47BE)`U>&n)#24vAtc{eH#bi~D@MN0a^Wmr}Ct8nVBesa&>d z5~vj}lC6Jqc6;Lh;>6_vVdGrin75~Ycslg)^Y>wb$zw}>Wb5T>4s1z!yj6D+u|*4? znI7l0hnx7Yd}F@8FD+7G0$;gkf@r$@r(`ymvA+4H?OC+pKGBkAJx(csyS3|LI@&lApVa$DW6mH3cmd&b;5lORPQZ{Z+|RTkv+(?^|LkjP<2r+VriY?7XV( z%E4oK9)^oUc-lryUoeAiwGnkD0~c#-GH0jh zw)Xx|(2u2FZ!81((`Yc}=F1vR>)z?A^_dy)W|agl zr16&SJcxWpQ`&rl;_=K2oW}KyQ&VO{D;EsJFx;NiN30&MeRWb8f&-Oz8h&G)DElkM zu(y-8Nh1He#aYH#@nct2uI+kvXO&6$L0huXOstqFtJK+M`&^uDeATugKLivlz$-R~ zx;7%SV0XH1ceow&0rQdO^+#3nv3YGgm*SB8cX)h%>_9L!{`e2@F>wcP%*}ApR&H@p z`I^W0qF-6lCrqs_L@7y*4aZbx0%d!bVqmb&?bG$1K8_8Zr}L|gtF`S>Tv2Aw*q>8U z1Z9nhKSKAc17CFy zK6WA043~%J> zMn_SfPtPic(fRY|XD$)^>Lsl*MBk4B_0M2jp&`>-Q7CRwOz^PYtap@RC1bksFkO{* z?IGs}3iCsjvuu_W7X8^z-45}V70qp87~NybWs|Qat>211%3`n|O6sLd71UPfrE{2b z1VBDDt zIRb4KcoX?aYJvZE@ zEu1Umf4Wi?9eHv>-s=A@J!(g(3)el9o<@zGd*qb%06sq(+p-=@5xm8BuyV>l%)7^} zuwg1bYFV*^%At*WRhn_dt)ONjuT7WirOh1Q&!5idBev@Hag%$0@^ZGxWi2p!vFT7u zWBQf(ZL|iPuX;E93U4cT|X&_7~6YR7|~R9F=g6t6uRQX3-af&n1?)tt@WSQYlP^< zJWsCJJ&?W_Zn##YP#FMh6{9>@unpLM8AeyiD{|$eB{(UXf;YXz&W&@M?7Q^lA!o({ z>vNX#^z}2q3O-$Uy;wd|Rv(#5R?JKZTE)`ZsGF48)@LQl{r-gD4_Y*fm#wbsjXwQ; zqfQ$ZDWA;1iM!E-%d32=$d%;%S=jBR<0fmdJ3?2=w zIQ&Dh>i*^0`%x$FX~h?8Eq(_qPWEy+&X#aca^VDU&m;t{Rr+)kL?UB7-?tMhF-dJw z>ctW4&u+^;HT!TK?6AX+!B?(5<3CuNkyf3<0b+#an2^P87k8SF;##q4h^)&U@AzCj zRm(=v0w`o*MFEHCbiFOgwpHJ4g6%XoxRl;err*3BVB)sC!l#tBG-3-9LLBgxmDu3(;#j###G?rmX5gNkJe+SOmphG6LUkTz(-XY(VdkZf>&vt-ei4Ybp}-a0wcBFQ!%bHE zt1Jv~Qp$Z$;|NZCc^^a<2DIPB`1L?E`*`(lua!LPO(_rxPOB3o&28JBG|1IBF3+ zV`FUK;EstG+>MrRRSuA3%Byz+x9ZGkAW09AaPBZ&R6(Yo2XOCp?3gTS?GD;WB)UIh zBDI{Gig^0`e<}OLWo0LTxyK!nwEMIl;XU%Tn~u`Z=Q&$EmgAENAq@cXae$j~=icYcv1v_!T0(qr+-)e~e9vtnm3J zSlWx*wk-~Bkm&lLpfl;}Q}quSANR}O2BNsmmcMj7apSluwb9~cpT1$69*P5Pwsn+) zP-5@?H`PD8h%t{zwm`FUz*q~XXZzRN%>TR1bW|s#sQAZl@d;T{$A8EEYq}vtow7R} zx~Pp`K6`(?keT|J$aMTxU#>CdRPGX_)ih@o9=9R49hGkT zR?U7K(z17eW6V1*c_QK5{EkVF!QRAyu^n6&J}Qt*G?MK!v<}p~sPBR(D^mqAvRtWD z_)XnAT$KGlfp>9So4$lxy>uIsRP^6%CNnU$s8NY)DYH;w{jeSJPf%Fa%ncN` zuP)u3&rSAgvmFSwFFa<#5#HAkV8n?W^)7B{^#dfSf}6V_r4rpFVw(<>CKX!}m@B_HWnt8`JRVh6LKSjKANqeszbH614@6 zt;&ALI6u()Q)WBr0jA`x78vz!bqorPz#z@1OzYJzT5otmyov%E6RUG^o^(?eRaN@Y zdus%==HX~C>fZ_qOal#iD79lLOpCf_6tYWvfbAEb7!6OdCPV~y-x=K+0j+sP0E~i- zOTZyH&VXm1z=$@SvuU-t&GYep402(f;)uo^YJ^Op=51g?B{DyE9)WYOjvQ>-3U{G3 zm2|);yML$c+w_GfwXk#v3MBC)-hdu)KahmI!K1wMZnEwlv~DiuE6h^&gA%*WLQhQTU&u@PGJmf6vSR|M^&T zHm$J#Dev7lUMHABq$X3cpd3gqNGpxNzuR+=|1==Vl^Hy}p`Ujy)xu&k|7*@Wcj^(c z4`g`p52QO@_EKp-*Cz93;k_QJ#j7I;ho*v|oL%psA=67v5>rHwnez+!qT18RCYbo+ zZMUm1;calx!L{YLbewCRVuZ3?`%i0<>o(dABqW=eqy5UU>JTNaG8X?Ja_X7Wjwu4OE76T&caoQ+^oE(v|fzXE5A0DHq&v1 zKmxh;$o0)-+AJ1*KvqT?BwWk;$OC;zC_D*cx_^^@ z|42Fr}nCfOmhEUoLGT@zTdoeWtWEWAGxdG0AV_ zN%EtBRu^jN$kY0LK`ATMg1rFom#hE*DQO(*h8*M0W)l#EM2)3Dtkem74D;*33C6Dm* zejaSf+b}NOd9^jOBQ|dnm*uy#KEUYzW1Lji2=evgc2J@;;8I@6;Jq1M#>$;5*Ftv% zBwPP^+F9b=C{ufhwlTj+>^UemB|c8W9qjxGgXNL?Nbx2d!CI~|7O0B!oCQMu z``t5(dBK&2mm&BfuW3|~u{s0(D=i1=zmXW+H)%BrrRSF!n*)qLq)gd3#$e7SeXjDy zF0sdLGe!v?pGZ2bDZHj0=mUGk(|W*oG!3qqH64vr_`W;i z;NRnRkS<8gu*ee`J@6K2d;n`c)-5>YWfSLgLH}~q@@f-yTDS@%^VXZ}m%?18IKDHA z2Ct3W_@@@2n9)kVzSLYc(8`%MOX)1{h1H(^lOr#>PGczSurFe$CVm+$lsCur^b$3% znt9dn(+{NK%lHNAHou{GrwL_C-8eBa!0AdrTC{DzcjC5ncoRrMBI?Rgd;MoC>AF9J ztyi^|0e9+(dF@B!i(yR{U0>CYZ=a zWhBf(7|LdKtZkI$vjpD$Uo@8bejKD1pKSThm(r1`R0w-|55KiKO# z^dLEvg?W{4hca_Dl%)*f2#CdLO&LavBzj{~h6d;}WIU9%Uu_v!Fnh|PKu=(S_f;%g0}$lq&YDX*MmN`I zm*ISES`~#Qe0MJ@-qT{vR=CW6`~sF;F@|bdF?cLURjA;1F^!(ehuY152rT6Mz((H;te)G@4+TOdV7v`T8 zOfQEQaMUDZj(oqEoinI@IP9Y0%KJkVB?4zPrHi{=vsX_jETkSP1t?4Fs3mj4tNx9c zXVTwklRLf4c%G_qh=obA%l^7k&D&mqtQh7O^V2Y_+5CJyvZSy{p(nf~OQ=1YN44!_ zT194Z&D8?U3mv^?0DJAj2F-KOd=_e9pI>3_AE4wIc&o0)`UU~pSQ;5PW!FDzy*VFW z*a;ph4PMC}TKnl!fCwZp`qhrI^zLu60?HGTDXU)#dBUfyYa#s{*$)T$xv{OE7d*B7 z&rkC%?5Zcz)-7qpZOM^=&*=(}=+@=yiqm-vfZ&zR&3Q7?$+JAFdG_P9E(YB+@pU)j zEaulTS4v{7J6`r^1x9#ml~%se9glNUVPZJq=CLFFhZ~t$;^N0x*oXas175?TIT()kl)tEFi>9w0vr?M{|rr zt|1b#eF8_+1aptxs8)TD7wwz1&z;4{RJH(~gG`r^5IIzksu;<*WlA!#9Y6~07LUQ(_;=bNY{v^dJnb(^sLCr{419msLWVBaxDd! zh&*PS0@TBrb)x=2pups@y=zmG@)`r#=K^{1u^Y4HT0Px@uNm0_m|NY9@gQaYfqov- z<>TF)CR`7+{!TKFT( z8C`x%X48Ex$$%69J9aLA6S}4B^X8!?Fmsy%#z046Fe_u#k$4{epotTim;%kjmb%?Z zao^h43G$d19H+__UPh=TDQ_-v-i32ROrZ-Mv79&`s`UJZD7R-0VeWGn^%~rYuarOpQRFXNCD=H863uyXws{vh6%~Y=d$DS@Jt_ehvQe= zV8JKz8Bbl4$FCfh7r3}X^ZNafxJ^@7){HbK>3}ds>tXgsJ6mq;>edbYT&<~ZLyy?s z3RXR|)~QZg{@~M|R(&n^{5}0C{?ijQ(wf0wtf>1YNkT`uM+|e|b&p(XMr~j__IjCU zE`dGYxSS$o{s(pHBAYIKvcc$&zKqG~N>WC=>MyKd_i*;ji@79@yv>F>qsiEs#PJ@rgncjX66}UfHDeB{$~1#Wd$!u#!x2Us zQJJ-Rh2RBdV|h5Hee;m#MOxF!@MXMrYpUU13gQuuVykW{o}FJ~5ol}g_?)<9*?8MH zUtb6Ys6-?WswJJ{=tSD7Vr8GT8m2`qlf)K;t#Iy}sCD3t{&1go6NPsq?UVxwfqqW% z&OuW@1+BHF99+nwDP`ehi9>nF1@-}K!01jgkRWdqaDk@yKhS!!qInFp!Ss_do|73HRp>S#ks zZzduFzrvq92Ga;f4@M70t-M6rW>>4WzuK6hmt%}v3^NISZB7r7?cvIU4_R2-t1!31 z9#wzpA3v3}aKtoFwTpvVeI=4H4$I3F4LcRxAodOO<=bNuMRa*%b0c5g6v%SUwm-|aSAjxBrCJ^KecdmT>Sh5R1 z-}C3+DR?41FIFq)r<|Jgt(Dsd!_9RHIR@IiY!XcRGHW@-ks^d~v2ObW9S+i-7uzFXDRK0vB?T!w5)rEQ;fmDgJ&@{c2~ZB24@4`ewWmihFJW_!b%i=gjCos zcjQ@uT^Lu{_nFF=QtQMPEf!$hpNFxCCPnC3_brSI=ul5AyqEgisOG61xje={LNSeG z5lAxlcH+jSWhBcuF&wk@S&>boEUc~WrShQBET3`S%Z$M@M^rW^VYyie2Ln$C`>eho zv=KjM5rp43FW06T!VKq9rV13;grNcyx^9Kq3);pnvCX;5m13yb!EY`CbFF)>NAyk% z5LGk<{o(z-b_|5PKsu^tp`SOfH8sIiK5xK(G^W3Ye@>N71N9v%hVa*EWUa+;!<3C- zL3-GkN^kAOR)5|b8-*oAaJEz$$+3$cjl5}4b3Rq`T&PzbhbSdAv!5GYut{O$8ah%~ zbQW{VqF7TcTCaXHTRYQHo>Pro%sbicl9i0)|EVhdvUY_pWTGvW=UeMWGi@BE9VUKb zTPhCrWGX>SOF%VZJcO)eh6*ivtr{sN(%vder)XXCqjS3meP#m(*F=8b-t^j0C+Fo6^zMKy9oE1+e_iFf12 z9{OYUy$k2u+0My+e^D{9aL4Ps;sVZry=lShnVKZMMT3#INCyQ1%ZT6Xyr8<`ml>iD z_^2#GVHYZ`CtDx0e-shx+n78WUG@IaSjT#i!fGDs(xN++$1>LJ1^M&=c51a2b(2qg zZ1~B9k!^C&k-TMG;Mymn*~Df~M|l&Oxz53u^MMJ}Xj2NRi(K`Go53U8{>D{1NIUVQ zR1;su7z`aKEIcz$6Wk3{Vla0@OS5BKJnRPhQEBQP`g;Cl0S@ZIE9qRWtg}hUE$f{| z3G91}y(>wnS;+K6t)oVkS#PB~iRZMa$!kLoyCk1j{<5I+AH`HqXaN^^NrSq7EG}m^ zq8ebo(B}#}xGK@u$c80`MT*yXWmCIs9?ImWXV#MmC06E*r`!O9w0d|e+Sj*^n~*e* z92tWVe<=yJE~W{uRXC(L)3El8&i+m8GS`~z)n!(SVAja3DzmouO#1SzDTV-}s0zLu z3@U~L-U?2-BqT&+o*BzPKaatG&bDHwwxMXRVu#W>usB84|!Ia4( zV~T!;1QyCxb+nQei^2Eow$%;W6f=W#_DLg_iLbnORj!!`9Ko>5oN zk#}A_EM19jbWi(3c+$MU!!K6pjia1{M*T&1mVdIgJyHCbBWWN6a4hXQVl~q6J5g;v z?0c$Bikqv){(ms2(T(+pg+}&QOKk6|0!Pe%6`laFb5>JCGUM#KJt>w#@A@O;RTq348eC+4it?7i+2jg z%|G1&z!?A*?!B&J%Rocv zQCOK`Kj<&FWVTgz3wV5u!aQZ1;dC^6*Oc8OhpPZSf@(=m80|Y1eMq7F=EwgJAGcJF z1>Ws^e)%KsX1?5xBWw`1cat^Wv;e&uqUL+VJ19E=72kEqg#79TB)F!f*+nw(2KW>) zK{U)9+%ck0_R``5_#%bH%x>C?8G8Hed8NLd0)i`-XO@uin%r@w@^c}T-2NiuJ4}CG z%9Zl510v;_a|(Q9LZP>Njy#*0?m`sZN4CeDp&y~{$A#2%9#+VZQw{NJdt$^63br4f z+0kKE{$fjZ)2w>SK2r%68i}sj4>#``-j;qhh-2k#O*;GT@`TPsHc%(7`H%^hV`*@W zP|H*A!}1b5lkTPS7-@dZ;A)|dC$G&(-;5k@JbaCZBoNC2N_P1)L!>)Ig|?(E$J|!Q zy`B*Vl78$j6bEB$4&<+#{7_4DVik{+jn-xcRq^b6?@r?4k9PGG)V}84G0`6pXjp&O zP?xQR*YivMZnJ;`KkdpSSstU3wD>~-e9Fdt?LiTG?>0x7NQBy|Oo!^s43_aoq=VT` zk*eFjVSQZ8U(*_2L@5CQu(0KS>gM0ICxStAi;#?`(h$`8Hs?WG3HXz;gZS7|lc) z5Fx~E9Hu_~714j!FhlxUsqf?65uU6pe9f_bZLvt^jJQ+_K0OP1>~TW0!F6K}O2gWR zDlSFJs8&cBAr65Kx@*|rg(6f7wVuqsdRb>@Es}+qeVg1JhV^=v*e~R6YKIqV3BAu^ zs|1nsz$!l%f7KlW!c3BMYmcn6INd%vCX{PJeE2pK0#TAoxkSFm8H&{-frzO2N&WulTPi- z5t~YwOCu+d(P8lTnFb;!^$@~EOT36VTJj;YNBhL9OXRbNk<3}?@8pRvxgu474Kt<+pdrP zidXyJiPy5AQjE6YRs7{*_R7loz7?p^DEn2JYr)m-gS}pJ&T=MG%4d%MeH!7W`={c! zXZ&b#XuaAdti}bK^y%l9mo6L-3v0Jocx!${(IvIK z!M&jG#Ab7W)Q$ttD0ygTXa*pPGgG2l2xkLgV2XC))Y8PN6e!>=1}#(N!g&=fxwOqS zJb=bid|r+ZCi#R!AV3A5#`VlrsreAjX-HM)-VP&jk?G9~skya9$IY(opk+4SS>0## z`?^rtX78xNCjiG*HqTbRm^M=<1B+ zEX6cERm8^BOFUWwb=vc$qV(eLkB6F;%%lq#o9pF(inGxd=E>2NM#Vd7*Rb0*pv#nn zr|qm>`X+?9F9R^H)4k;9?HLfR)7Al8INbqS7K9q6-?UR=D!?908Bkq@cZhZKgS|cEUPrj# z>H0|hxMyC_Vs;gWmVw1v-AjMP1w}t6lrLQB23hh^h0VFhbwebSo#+D% zBojfKe^SbC9F!e1Pl(^c2I2iKP9kl+Z?<=?mRHgJ_^Zk#i{(sg;1^)gb$jA= zw{n;fzo|n&xlDQLgz71cS4*tG7)`5(@v~O*ZyUiu$AoWoM_w8P(^Vc~+9#!|mZCuN zcVHv_SvT)Q_$vsD1}GG-_wqn6O>T8Ky7DeR4A)2MT%3L*RsovBdgH4W_-T7KAi(0_ z<=;x=nq#IVP$vk~gEvo|I3zQCSh1txPvhjS9RHcp+F9ZCyr2}~MYLTCsl(jR)>hFx z_gqORdfXnBLcLwP29*-Oy0F9tCHITA4NqrZ_Oj z_YlM$q?-TTF`;x|V+0W-`8%$-qJ|)_Fx^=`K*tArxi0sSml>}Py#gJ8-Qj52xJz?m z0A?rU1=A<{j7=?n@$P9GzYvJ)2nLYCfH#zOURFjGICz&uo4w8@R1>qpvt>dz2{lOR z_C%+oBO;uUvYRb?n1%ix0zw_E3cA>5+VsVnXXIt6owCkiP&?RqWn$GrTNr=R?TP6f zi?VEiVSeN3@oUkB?1gVoF?U}CLtTd(oEd9~FvD5DCjX6O1M0@2bMjJ*YqlWM!o@HM zNejY$r&-5f=Pj)>CeS8qHoR-icQW=rrVlSHK07|ek?nc!d)AkV`z|R3XRj%P<4U71 z${JizU>nU-(^@BxlpJ+9odeTt765wZmJ)W;6X3fjoR1VrKzpUD@Dc67XdcEDkPW1> zW%Yl05#0JM(p+rF%CqJeT`_R-%7EAUOnKh=yFCix;vAIf-#~hQ7`4YDlxDBMFuJ$w zWWQ?0h1ZG)wH#*_`g{Bfb?&V?AOQ9tAB#NL0b7lQTUlnU3t^~E>)^`rpSMpX_8Yzs z6Z7|1GH(@QGCf9pqu8EoFc^*bg~P6b20@3n$aaomqD3}&F(vV-G%oHG7uTHN>)n;2 z*XhF^g&~219u+FZuO!4&d+aZ>nn9M{;oTP1f+>7TV=ZY{*2Fu{2dn^#czz|1aaNu~~U zvcG;+I&!iYREkK|AFoVNRvNfBu9jF;Fl=c!&3Wh7;J2VRW;c~i|26d*zo@vX`r@r?$d4OsUdB#lI(vbG`0o_T9k2-(OXhUIN0q?L=5#C_&!IE_6`q zJws5QP!t@4rM-N92v_N0K+Atls92be0y^+*inDS|eN*!-20QNimgl>nzx&0v{S=%S z&$y~(wJ@v@)@_ULyJ z*o7sxj$3@@rFW1fGO3gT9maaqa^yCn5?Di~Wofxyp#Ax;^u)* zAxf^0>%&z5on!4HQtSPhyfhwe?nP90>Ab+1)Q&;*^|)|UKi5Zp){XdWcjg)V4`1`* zT46W#HTJ8wg3iLzKwHGT=25@HV{4=OQzB;blW&l*ALnrO!?mJQQJ;#xq{a3{d7*Rq z1h*}2nYCx%{rvhxr_z)uiB5du&APPL|BM+2>8FHW)lt^en#|J?)>i~*=HFY&Q$mb+ za;KsKS&3oW&oE}-9(xoWKiTA^_}$^v*T@x?mnkdv3m)=7{xU{nm1L6mS~f`DO~_0j z*v#5R@$uFK2Kx?=v2S}&-_pA;3dOzZNLdVeoqZMk^whofi;*Ti=z6ia40TAo4xxjR zj#5P;tq)z<8&}8MVcLBjqrda;*tyVGIUg;<(!!-pRCFwJXh)Z#Er%^W1Ux>G20dfk zV>?^S9mw0emgaZL*-@OhoSTo!%z}lc1j|1c z-CPA1MA*iK$sA+ONobI;smt>oj9HwUv_Zd@SpB%B?O!eA%EW959CuQQuqUzLllI+A z++zHfpx3yo=*Rn_Yn)?I!sY2BPfA+PK>qg)ei|msQ0Vmk_3B2!Leqlf)kQb`#4l)M zU$*#uNv5+JkA>*p3Fv318X*4%6C;u82b7+Lvy{C)Nal|a?J#45kuo<8y0JcCIJQ5a z=Vn-h!~Y_S86v^qLzJ~sb*53o|ABcsazBC{yI81l1(@2xz41-aIW6rnPUQx{nczV_ z6nXDbv{y3md-Gb34^)(#xe%(nUM8U7)x!Y~YxnB&Z3GCqV?&}$VHiVeA+T1i|7V2k z#0AJo@%_Xa3yMTrx1+jsvF{*JQUz7^u@0+V8+w570q$a-~eVzQRb4lY3P(sUnpSo@;MZU8K>k_?s!MdGZePdtiG6mT3r*KaK z>PyNUd!Xsd;}i!&->EUnH0GWT%$P4z4Ot71Mwfj0*}e1ulkn|1f~Do0UianK_c=YYY^JXWfZ)_- zp4q23Yo~Dej&HD|EKz(9hkCz!8|90RG%RA(187CjUg|@P$)As3@Mm54zpAjtz#~P5 z)DvBinIh33Y!dg|QGTU8G`25f?8IJXE%wiz_+Mk*QFXPM7A!A8C}?rZP*X5_)yARt z;Tv|xvn<*PsJOXv80kc#xH=FyJ+27p%bj@l1+PThzbllFZ5UbXwIEYBJY;l&O;_R@+uQ^%uBK8V~@a{2RF!m2v+cJvnsKOov@&iry?ZnN(P?nb1ZdB_)fdekIB zLGVdHVwQTynrdQ}G4dAi^;2FGpM6@wHpf+-z45c>5*sx7sO9kFGMJ@qUsqq&!JMhx zYPEWYHKUXwyoFII(K-s4_H#<~vzYdai7K+@4TprwZ@q{W-*@&Ox&3_cT89VBGQ4XF zZ@kCEXXkUf3#@!vXKG7h)0(sdc&V;Oo^1k<;27p?QqIVo*glmO?Z>wcUvTF!{}hgF z_b@R3Un=&rv^0D`K*iDpNyo1ql1_~|eZkwAnD!Yg=!nb_D2VM7Z#%JzdHk;~l^qLl z`pEulQ$X;Of@hcZgronKIwhF%Wf`#j)kcYAhqyY#!AirC+<9k*V#B)gCs=ha(VIZ1TJ7B{obzM764U_u zjHU!vZAF3L5{t=X-$AzGg%)&qG)A`WQc;@$K1;V2G@APt)0cYIJ)vlrJp2eHTN(Tl z+#Wy%t@yXD_)i!0LAB{yz6)Yiy1h<_&18OY(wb3L4hoU`wkndrwF;%+wvdmJVhpJC zmJA|{vfQ`bUsB$+fU2ogN!Y8pL2KJE{$6lz$JDE;HCJjwCv%n#s-k3;xbjw8J>idgD`K=>M;ex z2onl`ZT_k1gI{yZ3wy(@H*Cq^tf6?it^SH9b6WYPLT6l`@*eJC(Xz2~%isc(t|V{- zZGMwYN-P8MMPC$JbR3FU#jd%73`x~2sB@K1M;3tuPzktu;M+cZsQR)OLj887flSbs z+=}@xGf*hP-2TKVc^q`rJI%Hl4YqyQCpNX^*FaUoLNOG=Hz+bTs*=`D|Ghh; zCT6hheB|Z95pWX@L$ep`g%POaI#>k_3gooLt7AmvKT&-cpcK9jG#H5gPBIJ^d3{$7 zTwBw3rGNgon2J_NIY^UK>Sf@H+D*K{LuEsEJ6r^Xk_X@yf|8`7bH{mbF@0u!iLWl_ zPGLqlgYPKK{5>xGlYS@;8cm(NE1maU@HO_nW%>O>p|1|#Ejmd3QVZ<8&`{Rh*Z_Cg z{`LOlGN^c(b-By#kl5vMqo`M)M!kIoSPdVLS=uD92U0r0yZCsPGJON{VDF%xOGO*7a{6O?ViO8&sZ*m8B{VL`{J}t zReAP(bDR0+}eOH{ChPW6o4m9m-EniuH87W5tdcQGnwG)rG0sK zO&*8I>$%F=KtlJ$u-Mx1{a3yxHHvK>4DJ1UvM$TM53bJal0J;HD#Y5SoGAC<;$^lx zdl<)!iH(H(l~2Y;gjbCb-0}q@f{Lqkg_;YBn;EU@(48*yq2PTY`5~Ndi61hd`ljqIKy`{?7dy2{Kx=T`sToDBe?=8 z?RhzAEDD)kJ0*pm9gg`lR(aZTwzeDat#2?~YzEw3;|-O2`vya|-;_bu#zgk;#t$|J zV~^ANL;0_`O7z#EDo%LB7tsDwb#|4v~$^sc}WM)EXpp@z;U&*ms zW0mKJ*waUz;zSweypxP5W2tv4oZn1jWv@jWpTd`=U8*E#M{4wMgF9c!wz>^Mb{_mK zX4Y8*N|gOzy40eDl9a&~v13cM{6F3FHh>OA@BDLEobNEsJ%Y<1LZNo}eHX}@ZVvvA z__s!7Z~gF<+pi2UvVr^sFZabm5tYwbr)s9qOx7)z@X5s~a7Ba|Mil+)ivmnXKGs6f zW(>BMWi#?$PFW#_c9$A|ud|YvMO|*0m$e(?oCU4+6GZ9hG*E&y+IrsCvSiD>5FNgM z;!Fq>)qqPT6e0zj>J$pB9u#16YTa$cMjTE=+&6&#b5I@_ed;jpW#aXnC?!(CAQr!( ziR+8+WobFTec&!gM50J+dco1rg(J4^G`u{R1wHeG?$r?dc#LZov&}!Jy{lPaTwT36 zFs$;W+b(M<%a6k>%pBVe^N%;M#Iumg`XzrO3gHg=E93rK1KV;P6h(WHceOE%DwR0u7~Uq-8+p~~*&e2Oqq*x9%@|Rn90I#f zV$x9nF$rZSF62Rh#O<5UvNU*qdd)39ai)A2nN^*aJ9!=*-l%KbqO`kygh9YCx2yd2#DSPyW2apLrNFgluX3r}XHT=X?UpM|YDn zd6l=``xJAY*~|0g#I9+Vz0lXX%m<8{^0T5CU0kHsi3tGjLQqqm+=Rc4W9_)f=qJN~6X7b3Hwp*?0Fb^d&ai zI!_v{pDVG8@7~^ihF7F_>PI43E(QCV>b;|tJod|izqY)%%fs+Dd|Mm2n?qO-e?0jG zq>#Q`Vxy;OqZJiNl(<3t>ma&bbAj8I3gmVhzqxWyb?pY(xZ;PeE=Yl|IO~U`{l$3A ziY3PR;uFT~PVK{m=? zDVi5>hEFd5u>4F+$|9_`cz0pTyPUZ7^bq(;qT%SR3)C;-|Kd&5OJn?*n>dp9nC&Rl z3N#2SX?0Z8^Sft%zi^!iop$i%0qvL-?k`CcxOeAORD*x+Bmz^%A!)AnJ~tj8>f;eT zyE{v|i8RM&~=guq~vP>xIR_0UQ+NL zJl`pkQ?f6m3s~;#8TkR^iGGveIP48u#S92S$3fVCy{JM^v2d?)w1p?T$%=_H)eQ|Sp#|+=R5kEsc zzzs&an2}40`wQRQe~Z%(0f1@d7gS#|qjA?G$`Oz@06pnH!-pwgzAS8E%bMM>*tiWvX{ch{bE=|{$OxLV#Cddp)@xNkT z+s75~)}Of2WWObjA9Ak*902!bm?io9wlkeQK-j|Non&-C&kwGcb|)oE^q6y>E=LmlvuH1lXtZTNe}@3_-tk4NFO zU?K6|czM(oaK05_E!hHd+o#41a~*G5&=e~NYpWf2Dt48fGC5_yAv1aC?mo^J4V4*w zwAU3*=Nm@vf3c}4$RV?bQa9LFok#f<8@R5s01xE#^vOL_H=mKp$|fuB${Z1lc)W*l z514_l3*|2!C_7QFx_{Utd`}YYy`S{1N5MK9y*L>Yjs>gcGel6(RL;y)1V!W(<55aA zxTOS*(N>*$fk8j--Spqkw*#N)Py7_adj3~;Z^nID?NaJ0TbCXIPli&ui_>{|Yuso4 zQk~lmdHsB*-s7%^BprWv%Ewp>4Be1=7*YYhD1yM0&ZfxHB(|b_i-_`SN&6FVscJ=9 zq%Z9(-+0!D#go?NUi;4!a`TkMB1`9~?>_&)o$4FPDYEB5`3uM%b;Q3P3vO<#abW2r0Srt0#M(CZn*q1Hv)Z+vD6i4XxfI(KmmDhdZiX|#{>REY%7q(C3fNhAg+6ci-8>AgTw|YZ3QJ4LSJ0+^#ge}-(4m%&&nNgyV0d^uH(zN z-5w^jXl`)msP6$D6&Q$Fg8DE>uIt5qTafth;^q}$u)33i|su3x$*bL9RkgRL1~ z5RG(%OM)L_09$ZYu7Sm@u6D3R*WBya*ryEtTPdkct$R;J@?C)7i@gB8IOf>hjf<`T z8UIwl!eO@oR8Hx9v1UiR87u`h*bq()5%PH&i?v7$w^;_y{T$s#XNyDc?u_oa`e)ks zFY+o;@rSOkYu|(7@I$Uo>Lk0fvZwhy$qbnnVb?3ii($qt{SNUd$t5WHoYDwJ+A+g} zD3!+!FNr)uXG$Gr2@b93()q*Yw+`)rL$lxzell@!XU>j4l}Vt6=Iq$N%o&eP2&&$z z$ss3y;9Zxnf}9h~*T{wSBooBk4?Ef=PEaW~b?)lMb;Sj_^b3@JIktDi2mvl-P?H)~ z!5vhvlHztdM+@b<&eclN_35R7neEAr!&uz2i_Str%E2I$|DxrW%5KiSA^c&)(QI2n}yoI6wOKCw%;x~9rZB> z!=adb3zm#yobN$53wz}LLsp6uGG;X6d)sl@; zU&4>ia(4{D+RS@?T#PdA5nkZtrs~E_c-BtC%cj+4J>ipFp1Q*k6rN9wI1DZ6QNZRn z#tcCOT{3|OuWE-p$&7M@Lq+D@+ec#gleez^mi zF$pQHRg_^nT7<_8<%-@qBEV{yEGgMGaqHnI6O2MF%x;Rozzz^&(qd9*jnLXw*VR zkuiR$cYSU%Srd&401tPhZ1>@$&qaM1?|Bk|umc$%P$QH}?4BEGQ4*>QH(2=m5k<%w z5RU8XUAJw3c@LrFQKdO^`@kM>=V3T&Tmv(slQ2cZI5^F|igkIi@I;@v;z z;{W{{(76eo=JgkoCUWn zR)wN>0Kn^$nO1mcngQTx&tlXDnMKu4voM;xT4HIb1lI3Um83^kB$HFm^4lNT58KWe z$bZx(>yo?Bw{kvH5k>%8l8~3vR^b>*?)ELt)TW%{tlKT8Ac!y4gpl1=9UEli#h5wp zG6aSLk8-Bq=cB-U4PA`;=)qn#!H{`EU)%mxYqM#{MHm?j+Vvux<4#+i0qxnkuo^H} zkAUGqvvxc|?Z?V&<7Kos2sFYCc#ROy5*kI4v9|z_ZbH^xEuLsO7>RWDC;{bvK={{?)GyK=f{{KAuB#EhCZ7FR2O|t?SNlGv? zywb4kG@YC;pUVz;KDA#&P31XyfVp;z_hJCP1{^E<9alDpI|;4osEW+R%fYf&a_CU` z`=G;h@qGJx)1sSgkHn;GjkvG9B<^24f;si;j1?(QpcsHoZpZ7N^38WnZo1QSiBLxM zd)WVdz(}8_f4|9r%Gc-0gpMPA&yiH(&S{{BSc|&%8vcF<@W z9C(b6X_Iq$mpr6$dhtJXpK@kGBe3`#pXl_{jH9clocudbZoCp`Mwv@;KrWJ5$lbzu zV4iOJFU0#$$Re1MS`O0`fm3fa0=#_|XyQs*ZYTi|rHH{qjj(8c*Q~r}YLI^00%cSd$&+D|Qck zx9FPo#U9bh1SD#ut33|*G+{w47CDG^BLX`|DCbuFY_WbmGW+$XuS+Q0-9UT%oOcC{ z0mj>`9qi0AD1I!)mX{2Khwcvo*7dOe2#ymEpv-|`_YQ?cNC;kT;;G7zw)F7CYCbA0 zQnp16UxeKL9H9rqM#^{k5T(TznI) zb4T-RNlc<+*9xRMMcq0E-=>I&kKDq|6u%r0}Jd|NKK;6AJl|#kQXUP9<*+#0IF0C2L_JWzO;*5aS9)RT1M1F^$O;> zwBP_2eR{EcoDR+DpkNNKUK^^{zDKeQtoLk_>|2$D0>XW|)<3F3I7NJF4}Noi9KzMc zG1<@4B3t#2TW_D^AExFgg;dyMO!F31rfY(#Ogw9A+-GweCKN5JxplPFPD4{|9o1h= zS}VZs>IUI~Qr0)jiYKLWr34nB-76EYUA(UVKS`Gx@L~Q~XO6d;tbfxcC%qT5Y;i{C=k8c6O zbN^OMf{Z6bEC;A>#{mx}0l#=^S(k5T3Sy1Snx`e!?JP5y1orkIADpITs9dV41pl^% zniSW?MBZv#n(ry7e|^DI`0iEyQK+$m^&pcQkXu{Y;yUI7@U9`poV=;&r;W!9JAejR zrvHql^=t@}<^6$%7K2=3F|W=xkn~!e>j5-qIT4zCh(`}-_xQP9s09Q1_D-)13~9YA z@HRxX_7n35A@g$7VIeY8GK-au4Zgnv(OW$WE4TxA%GSd~T*s2fyd};ksP7p6id&bq z^qSL4tf0*t!2OfAO_05>cewKaHC#VY&54gTSqFUvWPLU-PM=-%`LO3^tq#cMjJ=VD z5HuTXI`OUU!Mb;cuD*60E?Ux3sR}P46)tI=L`VCA_!gnS;aG1HtrJmjJImvua{TR2 zz>bCSfWcZv#zO*A-XMDR{h;ysnU4RD&g>9CVEux*fdpjHBKYE38H8zL=4bSgAl@C> z9%Dtn&`;{5J((=?B~4$p|Fyv(*;HOPjm$S5*EQmG6tadP3A-SPmz{E%kg}5RN-n?r zD$^O3M@`u0-(Sl&*5uBu9)kPS)oykPu+m<&CU5o)gRN9{i?J2q2E!l@q1+!{1zhU& z`6gp&AmkThrgtJtI9ae;{<(}~Rto_xG zTKv>^Fj)cU+dpnZV@KxPcQDYGOrNc>&*ObA_(J^??!^i})B{av&}4*2?%ea`a-f^H z={p1zBXru%0yOhB;G3?voKn^ljatdc+KJPQs>N?hL%TcnScK44y(mE+@r^&!reEoi zCm8i4*~~(0U5&((KznmSa&8MykT1wod2&>UFyK)IXtkbx6YB9gN3ZyFYR3sHu%sPF zLlRA8msw12lwxE9?*RJ!4&%M3K|p~s%}aLXjb_x$%*0b2W(Zfe)!M<;D>*~Hwsz~D zpFB+7c*WWLjDq(n3XhiM_=?jFoJ#h#B6|-zX8`g48_&n|h_ZK2DpsUy4Nd!rX-DBb zx8LO(B)>au7=+^QDbbM=;9@#*>I|S%Z*IMkHI@sUBLHl@BXb3mYs4!RcKN?2Q0`;@ z4z-I>V%^(=yX5AmS83u2oOc%&rg{^nxJxLKCRKFrJyKAgY--b0kJkp7!^M#^o$9EO zpgBhEwOAkC5BmK1=e&94XD`8)I&G8uP8qoPjm7k8KS?t%0O~(KAj&Y85?x?OyZMim zi%qRQ!%+6Q8Ga^zp1E!!Cmz{}e`s@y`&)CRc$B30_~4&wU=V$Ok+WSY^5E> zE@Fhufiz<>6LFBNM+dfwJY|)sQ?uDqu-QaD)%YV+k3VS>v{_O9I&;QSmM*7@-tX`< zXqmGdWjOQoCE#8H;>HMAxBjVW2O$APGTqTNa=Uj;bdpTZ{Vp^?FTn4{Rq0+!bncwt zk~$c^?fD)Z{=HE3LIvPIcN8_idgflqF0o3Ui>smRd6>`j5aWH_fxv|iusNoyI~a5dVMyO7F8nkwFc!TIShUAJ)mIq`5RlMKNOaq ze*$pm>n{SdKkH@#6Ft|(nEB1y%RK2i=A|lvG4od=+bo!Pv!_x+S!SUt`6p3(knzJy+* z6IU3^j`m=xf*tT%g*nAHc2@N?%OrPp({=#%P(LyQY6ByM2LgQLqe#x-o@^n7J415n ztl~kbI2OOEr-kB1cxbKPVUKWvxjhQJUY%Ipxeg9XOvPfqcW=&?#cVJzMgjmu6l|#; z+gERBaL;b=$aZ^h=*eSO#H0Yoz|AAGL2+ruQ1!gl1Km1mTIA4ARGzF#BU7CWz z`ni?ow}2`o>kbh=LdUOIV_bcH08|lezwkpomickH$&dC9-I$?>4y_NMS8VMuyf~m@ z(w99#doGJ)80PoJFmuu4#MDVpKr^o<>c1v*!2uf6^QTf~{~|GItp1pl!w_^tlxN?3 zf8`ffp3_9>siBt{V2FwCsUB!32QlDTHw~{-+%t!xM_ix^t~OGMVzN(H1rMbj;i<_R z);@Zs%u}i}#fdr=Gu5!o%Z;F3t&#lv`cmJfN2m71R2_xceQbOrGo;SUjJafTRcC9D zXM({};r@TKs9_C2LA34mm_|Q;Xg&g3)BU-NDm^N>ve$lEXIo70czu!w|j zH#M4W8q{dC=_bCu)I#WJC@Y;UJ}dX$6+UYZg$ho`xVBpXpR}RbJKLh4zcD-0LiKFP zVsnQCt=>Kxq1RB(@S`6-C~c)3Boo$NL|F-1;XCDCY+CPEoR`^bs62{3A(_inSBmt} zxA{hLDJe@z;<0_BqtdAb&qaA^aJ-4FMET~-dj42J4Wx5W6GO3}p<=YcUTay7-eJEZ zwTgwDWrluN@!2;{L~_CU{Aao8$Q5ZuAY%j43olS0h=;NHe8ZQ4~%m;;1Rp#y>c=wii3%C}-PY}JH_AW|K&eY>x z?_^Yb9d|P-c`a#NC&Dq~IUoa6|3v1`ul*Uf-JH$;Dhv4^=U63f+|KHHdamnu zj$^X^K8MMC#}SkthhG)S%V8fSV3_k2?CBl8-9bN_QnBO}BF)TYO728OqUK;A{rMUs z#Qp`@;8h~W`^mgf_-iMN(V4-~UI`%utit-Lf_EXLpmi51nBYI$Y#+I2C%ZiWCF+?U zY0iQb3gyW`)x*E$$(!lN4Cxv$M#-gi{QIVO0uDkMa-Qoq9^Zj7q%& zT6S15k~O@LbdTUs2O49@B4cy)a$clPK`evFd8niTYp`hHNZU?1#j?@Ek;A2l8OE{W) zV&alzVmgnP?1Eq6f9JU%@Jj;$8ql65?VO0`Md?Rvp%d`{<4N0?ovIzD9oWkd%lrty zrR>k$R9$iw2j4M=>HDP_?HC=+e+Q#eQ&St>*w|oDxHZ7{v*&SdM)N6`tC{Knw7YKG|R?8g=Y3-eCVg*b*BlhZpcTOYpPM2|i7 z^$%u;*wXG$+2A}|4*d^Dmpn@wN(GN>p8Hia z0o?JyRMgbV)fBP<5sZ49FGmfD0W0cQ6E`<#<0YT%YUn6*(Q%x2^Q z9oJ*t23cM3C4R}7%QN<&1{-iD%5+oyBQ0ZJsFxjX5$dF(mg+Pxm&P{=XxSz%f8X<- z`Y<0X0c}l~Wm*#sHli~ZDbJWX$bNdPT^khP>x3l-g zwKD>}z9)j06tdMtG?XNgJ_be8oNklN)?*3d3)WR>^z zsu#91QwA)lYx`XVZ-1DScuCozS3TsN%sI+{V`ikcZR1;@Cibfg$?4)=U&ak(VamT~ zXukVXdg!y9e6=c3mwo-+X4TuyT*Zf-Fj}gOVrp1^zbs_{rs87FTwPGj8pj}q;!({< zo+;obdE&#OoznYTvLz9*I=m4@jl8c1PTl%)R{J}&&7k7yQ zivLh;zXLA9TOp%zc| zZmjv*q?-mZrROjKYoSG16nO$W_6!N=3nK^2$(70lh{heBlV_~Or*ywzh2DM?txg?t zGuiNTgbH(QX6hvUpnMIzP$2V@aWvnJr>uABCz$ktgDGlQmHF+&s32nzl2KHq<`SzDhbi{>;vGb*KdkdBhr7s=A1 zA;Z6jRGhBIwoeS1riif-ne`Mq*mMZ^zSkUz3l6%P)|;I#&2KjT;sV68RA+=mK;kqr zpq}b=m=VjuC=ig>@-DCAV5y#Z5dpO~o&n8Mw_c>@-VHuZ)l&E1c=$Q-L<&;klXe*Q zbbZ_8M3PC)ii+%dt)-%r37p}2TE|!^oqcIDo zAeqygig!~F-b#zibY-4HjL;zqa4`*45sfRl z?W5|Ki`2`Qi`?%YYf=qydEN+d=V-sNqOI)9C62sID3hLe3troYx$|#?W<}=GJT_3EEwt-Jma4U`!iwx{a09cZN6n?ClGu} zwgL(x8K4YHG7nP^%0g{qK|7x=P~w{iM3agy_77H{u^8wHZ2@~DCm*pZy>0<4-36MJ z>1Q;qoTxM@XgO(~+1bgmO{~%eLuf2OW#9~G^Pufr(Usf@3QS`_73qM-C!Vl30AuGF z4#2h5krjb*7Hdmyhu!ziC?mt!s9>zG9HtPViFEB*}Lq4}) zT;C6`3sfMPZREG$WDO*=W-`nR{Awxpy_r^6@|^)JSaVSW>-c+`)_zy>xS*|<>yd|e zJlJ|QBV`JxW$1gZvOqfqFCFD1E@{+|9r<^djPog zL4cDZ2bBej)Uo*cwO7E8)qi3#oq9n*az7)S*LI@T_ZCZO^99$G$B!v!oYj>H^7b+z z=XtJizg@9*@^Nw$xl(>q>+)&pn@nKPZpLZ70MS9mvlqp{gKSrcNFBmn+}X;-Xig)i z4`yEXc`ST@@!Lj$WR+wItGLB}w#e3t*A9TYQh!vYAdgbg%xebY^f-)bp*^{t`&B@S zMAD;Cv5GTSxXDi1Bo`h+8SXMEKYQ?GsOE((HwPN$i^{$)lo@EgE6G#bZKDMfHGXhs z2P0F*bhw8akhU*}h0sm}<(&tLQC+<87EGI!8MmX@ghQS*P4c+PLASoXduwMM=+^c- zx8C62xwZJF({y{XgNsX>Pi*<9oY(x7O7Eq}1HtV;yZAb_k&#j7?5tzqT$z{6q|Iwd zmTm(i1*u4ETHay2$+xpH>K4#3CR5Ak_PXz@6FBKaXDb!FT(olX7!|`erMtJbG>Z`{ z2y^OXq&EG=hYrJ;D9`xpMI~uNhicd(h2b zqk|6s&h{sj&w+-;kH80}{UUV&X%VqwY?|;B>f8e)rabHTjD>OmqCGP` zV!4Qs8{GT!W$;1neEew4*9MK1$LZ3Hbiko~MMG15ioqr5VQ+zEm)Fo?QqjYGN*nz& z44_YP%n9&;(R!A;G+`iQ(4(fdU()gpzJgil`!q4LF?CRbDhN;(jjE$u@CeJDXL3A$vd6q z(jYQ+TRcg;!bBjYaFy@lDDdSEQ&PrLzg`gey6NdK5SjQfNNNQD?Z+u!g9*?FA9S=J z*mT$|a}Rfz_%V+zgJ|hdaIhxT*Y)^Y+ZE?rnzToi5`C8MBcD)w1**UT-~)R*^uf%> z!bXqm&s0Bj-H_zjb6L5TcXu`{6H3Q3z;wv}&zg?OPDoWN1NdjMpv?ka!b@C{2ug(m zH$U4eMvs8bR+01r9U78K?t3giL)lw#wMJX5Ykk&8;hK#x4}fn=nv=Ufe$&llvfX|T zypP^<-U|b2AbtnDLa!|fH}TwiPakM^F3+g9)KOw82#vX+xxmPa(QbeUKVNhW zlRH{j!@-co5LRQbP)`uZ!tPF?|q_@5q4^xVo_10>P0~=pn zkIZuIo-SPg8QO4@?y*)~L-NEXV7%%C+M~}7yL1DA=(OpR4<2!Xjuczg-(CW*2pLt5^0+O3N(3UT&e&Vck&1>1^;HB;_}^ShxSqF^R$$}RIX4R$H%Xwb^}_0=)8-ssOO09^r5YS zc&>E=5smf!eWXFNG9b4o3bjJ3GZiWFTXaYIC-U^LBa-;>;>fy!4!I{NV59?(_3jwy zu!33@^qez*DdTBoX~{wAA*Ip>-twE4!@Trb8c{eH4e9J<0$sh+3gc`YM-}t&pn_kV z14vEH0D&A++0h5gp^}j5T<0XHTbXkeq>r##Lm8(-&6#Evz0v-%Kp&%PiA-9ecfyTM zW~D`Hi1>Yt=!9?g!VlfghjbukoPY%7vQZDDGB=8zOzq<$jdIb2WuP~6&>CAgIKX#u z_G{L(5NRCS11jrPTa4?%;ParhmcL*2(cpqHGK3W`Yoj8G*t8HPJmmo0#>IZMqg8l_x3 zod|7qIC(#(ZuS)&MZ$y)cPzQ*40!@AKfG|;TN910JR4?l`LYYAp$3W_AMzbl{%P!?WkV#ELgouAHc1EeHO(Ysz>kt ztu9pl{Rk14rKaFmzFt7yEXX9Pe%SQpu3B(`YsOpLQ3uj?iZScP)7GR(Yq}s3P!@xi z_aeyzWMlvekOZs4pz*l0&1 z5@7BtKtN2VVhs&7$*4=zC!BQm-IlIdc@l_ftIHrCcL>z46)-Vi*G^dK;<*#)<9j+*i4G4)0zu`fB%LhzYb}_-JF8#SFq;@iLn8w; zAd{;GGLf8$ad@DL8MJZKie#ceqRS4GpWvxWG$6F0pf{~+GQ@fx%cal6!n@^&%XRQT zcSi+9GT|iWO8Dpiq>>UARW%XCH03n8^kK6Sy;W%=Q-YQishoc|NGz>6UzgnnO0nt& zjR|QFiBPZZ(-(r5k_16&>EbnaD))AkXC_lPQGJWoQYD0jddJNB2*P$aPqMNkl6N200KO@~6lgEW~H3|p}M9`Fi~@u^RZ}Ag&-wEMBS`gl)uF$=vgM4 z+X2_E27E5Ak%Y}Q46)7TTC6SJ*q%gVO~P5YlU~XuwG>!S+YI&?TPH`#W3Qx9J%Bo= zA0@}zA^Kh_~zgy7LS^6n#6pIN52XP zl!-O}yh12jn-rmF-}i&fdEg^ap;w49x{>w`8Z^qaI)6J> z1(0K9d}w-Y4ppwcmy(7$peS~lvDBEUHb`o7`FImJw`Fv4!Lc28@^9D59CEF4LU5a& zlHI4kM^X&HhfU#R{PJK5*L3p&TOkz{gGtKYeqs>hCl)Xv0EOcXU_G9&L=Yxn*k_N4<9ul@asQ?O72^X2h1r?mGppar%Tbqu|+!KlRjv^6%vGKQyf6%Y#YK zHw&O|&j0!*+qT~~o3QlZO7G(ZV}Tcm2;*e_g?}oCKqrq|LOVe zELT@;U>WRr)_qe8Z_fi?{18G40sZtpd~s$vActNnxjPA#iDh+Dz#Toe(Z9h6-0*)y z2RhKcP1y&%D{zoqM(7gjf~3BFw;xvn!~PEk`Oky@8Sy`+@>^K?XL0`7RsQVb|C$W? z&m2HSF*WYf?Zu^~H{Vki{zaRcoBO7xr{^A9faNizvb@X|5P@~L_dM=hve2oIf8KMJY&%yOziPzhh5)RCSKa#GzEJtQR^ft2)BtGUwEA%ioU zS_TKKx_o-9@;cRG%cL-C0pOr^<6D{nd9yaQYV2Ie?L@QfOKBbF^1e$xF<$5q3^eq0 z!nusfH@miE`4!w;D7l?xG5i2rkp24wqN%els}>l-z0ha1Ym5=qz178tJS+OZ41qlb z4poi?Ml)$G=85nF)9N4_*W)kgRN#4ha+VK>%&PzO+XZ2?u#O3rFy-Pc7Y8i#M2qQb zPHTQYB(&Llw8vroB^q3?k%0hn8C{UwLXG5@`sWRvHkKX*7YP1-fmW6uA6$<5^)OsB zdMVbrz*8j8I;T$s>CjT^bgWiY^>HKc?7huJt(YjgL)%@EZ zzuG4l{(iv=y)~^7FPcl0m^eO+5ZY?a$_#B(5T@7_bGPrDRf%!V>eb1-wz3eA9}q~J ztxhQEt9Ww9lQ~kc>&?C2E~tBevd5OHa1U&ko+DTh*39sonE5|fkYy84pu$Zr?0^BF2cmvK;iT`Ws)#=gHx2SvYRrF+C&t~Kq_d>f_L=S;=Pyde)!vL5sO#ITEal^~1 zgP9sW%AP=v;!et$(bs_m+0YaE7iDe1rVH9Cy%djF@2vQ5@sJ4`zl6n>{nd4hckYBm z9^B;$^ovfo{A68l<1#7hb-N>O*xRR|wQ3f4Ll>m`JD zB01sF-Y0jqgV~&oof%r-4sCo%fyf^hg0aMctG>$6<3-^*{WqZZ24mSKVw(oWGS5BR z6MFObv2U}UJ7X!kJC;P=@(242@dbh+)6Go61Na2Tz&Vfi(h z%|-LBz7zh~v)LQ^2FxN_YH5G~{h|}j&f18Pe@S&`N%t797);t>%mywTd?GO#`KGyXF4~MFy=&ezAlgLhM%A1(4)baKx$bQgPNbo*XD$m^Bg!MZx8RY4FG16l zmOg9I8fMiV&1+G-Bnj?2a|g}>4Sb1jUwh_Q&dxcpB@S&|kbRe4GfTT+`5UTVV{{h516*u>lf46KVXx}LzI-^Ns=1H

aHDI zU`V}O^e7;?N>C{W+nYMj`#(5ADpN$v(1Ps~b~3P!d#Xp!)xDM%>sSgNDs~zE2fKAx zg*CpSFCBt9s#l)C&!NsK%1;AX;PK9~nzcNa`?qTdQ>y?*;I5vMEKrAP4!fWPt&44= z@HY)4RNZVDu+lICTH_q|KToKztn^AZ&^gb`5wQH>vg3!2MBC)CX*|fs&gha?b-SQ! zY^#>ENXYhXKXW*%h2wD#IWr@9e149=&z_ zLq`(7^vN&xMVxhC4XW-SRE8jzk-o|~%jy1N1Jo-fECNKtOmB$KtHpW>RQ_(Pz7112 z1JyRqpvhb42#}QI89P$obGhYy$`J05^w3)qOuC2%sL{^Ig>hz0-W};w5hOaxX%U-( zh-$LfPba$okoI9UTuuH&^+tn;4ye-2>{L_4KD(To3Va%G##<7?OnDf#a2kOtAkp)E zy`>UoneXg)oE}T3w%uveQZKp&J3)L>wsimA3>vd}cTSc=L8W zio6lk1$qO;FZ%UWWQZx6;`B3sr#Ryzu_Z*5u; z|K3K%GgEFj`-iLJHiH|;K^@G+UYiA=_HmgttovvPYlcLJyaYr&s#Cy$)=l1Dd5$1T z3FqlENdzSM{B|Rp*mx~F0ImSK73o0Tc32Bd)B{Te_5STh-T-s&lG5_^_}Zxadj(zM zXJGh;>#`TTAB7sn4ApCtTA~&~x|7VlSBi`kAwORP^-7sUudAGb3fnWfx=rlvpGD8e zf)sRERQlwoF6n@qVn7ur)8nkUrhq;aqoltIQvDKvQxZrv#a=vX&g+~^0ecRv`-sS6{F!Jq>r~8%Q2u$0GdoMpm7YVBQ zy3*sVD#BScW{ND`P*sCHu-T5ZHS6;mi%T?!Lae5R9m968 z)+~pNYNOx*xai**>uG7A9%+R+iC#M^!Hdl67EnhAQa4ec!6i~*9^w}wS2V9q`wOa~% z2a}R}%FySt=>cLRFFlO~w*Knlqh<(Ohw-3}Jy}FA zRYcJY=#S+n3up;&=4hqfc#H?c%m}*xBV}2Vn(MM5R$@hCZZBtQ^JJlkDL+g*BAr2I_c zumRK|Dl}>-kBld(!Z>v%DL(^Taoz*yoxg$fidD2Y1t+7XA&Gh&s6H?(s${#RfY`G9 ztd=-s0IrW(oh&QF>LT1{fsR0pq+(Du4)Avrsyt)J_qO5Wb$Hzx&J#GiVh1z9@&GN) zwgKv+IO!@Fgf=9tU^yrOccyna`Fg*9b-=XYDW&N$4(rv|tcUQ9B%N~JAdLm-!Je#^ zN=wUhlDru@UFOcPFF@DjZy(H*nr4|HRO-Cyc724K*zhmvR%B@gCq~m&UQcZL;(alI zbRAQ1h>+ZUdH?M)#3W`lR_ReZ=2i=4D+ax97D8RY%i4$Cy^3HK47y7ImHdUHziTy4R#0BG|n-n?K0k;a=sN>=!iJ)mq++^0)%g})vIAXOPL9;_wex=^# z=vr~6g3AULCm+*7Pn2i(1u6{^0a~I#_^YIa8)XF&L24ZU&6BR5K(d4y%*o;gVe3mi zL}#2k=ZWd4-l?q>pdVP|d^T~%oG-%uY0ghZyQhXguAW#N3l=!=XV;*aZXGI{&Dr7X zJf0P5D2lOqwsK$u%hKrFsDKbS2Af7A5KnDyBs`A znk1NCZ1c*`#>PIPKo~tMh&GVe z;Pzti*?C6C!0B%1hgb1A?QokumE1=Kf(07Ux3*C-(eY^Ncw-kC`E<(R;bv3^VW)a=-hgEai~k7eNF+-zqpZF?JsG(Zq|D=EzXh4lZr z!0lg0`A@L+Cs_L}bM_~-_9sjG|NSiO@OyWAGjnqZFI^u2DnP$+@boO{o*cGhRVq81 z{a*ql3Oyk50ZsWX2c*CW=k<*pa6tAd9ajQ`)PM41X#vTB`}r%t3L`te z{?M_*I{pWp_RoX=8Sy`+@*9c$&*B8z&Hs}U|7TbEvycBdfc~`*<x%n3R~+4~t`w73jo z_Y!U?F|YUqcF*u@VpJ`-iH`aHBKwZ($*w%mX}^1x?;QNU{#T288NGT`eJ%&#D@_6Z OQ@^ZpDgWZNd;b?C)@Qc> diff --git a/versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP1/Distributed-API.png b/versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP1/Distributed-API.png deleted file mode 100644 index 688c7c2e1bf9d75f570cddf3a92fe9d4b8ee0072..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 49935 zcmeFa2Q=K>_b-fy5Gl$Ngb*Q!sDsgaA7ylgB+86l2BVD8r4l20Nz_EN5F$-reLWsAHSoK;i<<-Zq2+*a^MtziVC}rX4>f0;r-zH5 z2k0gxBP=Q`E+YXKmXi7V8_?zd`MHUmqaDuWKTHGB>F59>S2(~oTa?uL#(G7(AVi68Vw7svhB*Gnhq2cO|Qd0$@(bTj;;I-BK zd{oS(@cyDMs_t$GLjw&fcQ1l2)?Hf_W3R7;fV+C=I;c3PyCOARePuk+I`(2%O;=S_ zReu!|BMV&@M=-ONrB{HNor9(w&?-#{INr_A6RRTXZ|`7%v(m>)E(^#^K-@` zKtC@}4PAn$3_{%l=dEEW?x1C9ZtU%ZMg+n=&GhZ9)KJb61Zf{*Cmk0l@qhs1Kp9Ov z6%zv;ZG@4Xs+TF=)zit;4UI9kx72XQXn^t12sf;!pQSUw9_J}x4@2M)-X>ah2#l10 zr>B=U#=ue1#m&rDUs6rgGC*I{O40%Et7?X~kjCigdTY4ZJ4hof9CXyAO;P$-3nbnO zrlw`-q5&jlqVE-G;%s1IVyKSx2JEm?LFs6_nBh#V#Qoh>?Q{cB(nfGG2bi&+nyM&4 zN?XU$LEjN>V5cdns$r>#burOL8hRKwd&BJ2-5k`td?1OLsvw*!;C9}cs_ri8nr?v@ zNgXG=F~LyV5DnBs)zQ-4QN~2a%|c(-)k4xUz|-7UU0UB4FQcRGs-tR#Hu4}4ER4LJ zB!C_}nmB<04bU#0R(`IcR$|@~UPfXnh6HUDaVH~h8Fg_tf)3gZV+tCXi)wD&GEu9TC z0}Tx%5k|i1`eM2cNMn@%7~IXt%1{dEv?|)jz{CrwZ-sXBbT-5~N@H<2Z+nCx%-qYt z5FTI$GnO*&c2#jvF>*Aug87@v=(xLxTIidaOFB6E_<4#06QU~V=HTS#X^#^#f*I*s zX<|?+7TPW@`Xl#d<(?d5{O~~FPT`;w)p|iQSlbuF@iiV!Cqmctb$61@8q8BLP?5uBW zu7j~exm&t>nWMziumnkQ11mjkFDY|`q_3#I3>d-{M0qPnExGxfzSyiNkI$*A-ql^*8513Rn~e zDZ4=Mt13!E+bmE_R8zy)O2PszuA`>v?J7eM^U#&{GBx$WU>(I=)!~q-GxM?tG(~s^ zXov?I*c&0?z^ZBnVx$SaT7ee+7-KIzaZe*lXhb9yDP!g=?J5@FW}szhf++y13$E`jIRSQH=1aDoH5$c!$Mq77v|_7~z)A}2H)SS+`xe?_NwACO zO0Ctj5jP6gB=JR3Bh>c`nDgw9=ZR_F7k^B5;l)MOo@yzvWW!4)e$!_8?e_kA1G_c* zqb_nkXMOsY<=x&4R4LWZ1eRHEmpDD$-V0uMmG!E=epP<^WFoKrgYgYzG77qIGD=Re zh;Yi=ckT@T`sLifF?F26gpq}n701oZof83lOHK_MX42G5 zbECCJ9OX2IPUSScN{5YeLMd1zuUh4igBCy+uFOQi!esd@oh?aLoKJ>E?Xc%{ z#s(JJdr7A*9IlhD;aLuqF5&t=J_$c1Le~ycB-;j z#72eftRbJIFR$(&ChGyA!=`$q{^)=qMdismLu1UB(<`49G5%Wy87f8$-Bz1l{9w_g zN%bk}WM(VFAzSDY$w(-@s+E(6;<=QhjD3G$edAV}qp)r86(% z$^Fo3PS5`cwDBU)w?yHPKU#B~C+@3Pi$dtb=l5yTWnuqTohBGtJfz1t>VuDZ*ehp# z{y&g?-@n^Q$;y6_iKk)YeG|pV=U*4L86(R$D|u)KIEZmD{>SI`U%EYXP6 zx<4wQNn?v*Iiu+P<&!1)+lga`oGy$5jKB3Lf#HurOOborZp!fKoSLuO#;)JP*KkWe z=rvFp_NZO$@10v;`|62j!@hY~y}!3z+Z;BLY%xUmnfX)ltGoDu8%a`rG7U47i65Cl z%1k7Am(@?CTp8j`ckj7eihQeHrF|t+LnjgY_tuTn278d}YSkYTf#S*Ocor}ouQjx@ z{BgnYflGc)g5Cp(R-u~T@8%!g;W&;Z4*P%gz>bEj`&n2M917Axh%ne_R`62mZT+b8 z9)9LrYUsbm;tPj4)>5>b|D#&@lbwp&vy(}m1Ncaj_nkQKzuz9KjuxqVBLnAg>~ToF z)}Qe*aExvASLvG{cPGCDEz}O|u7~a8G2yLYVL#^|FH?7$)SPzJwJTEr4xK$p=zcS8>_J9j60jb!pKovTIJe1$$fsa z#lERIizR68)xd*L;Wyu|PmYf6@2yue8pwCoP6&BM8D6lfB3e4xaXn`K+upncwyw7{ z?)ipr&2Lo)diqlb+R(_w8N27V+bAZ;5w_!9(ZUt|rh2~WgHYvo0=AhQ?<>}i;LH5P zqH>HQAgB6gR?rXyt>8BxBB}M+7ayw<4HOAiF?vXykj)P^*u91A(fv@&bciG1zCYlwwpvkyXC3)`AGSx>l)10 z#!o5j{GN~pfC5couv=ep21^m!@~Zhu;THHCd7~8ALYj;AGnp~yTP)Na&r>+ zJ~InADJ@M6cU@PperH02Em5ca;Ubb41@rHK4@eZec)ZJ8_xtGj9i^RzmDYNqGBj&b z24Pj3Hn6u;vFJ9JC*1d>A5~&YV7#PHB`-Rs9kU3Nla!x-M2pN@2TtWpv0`vr`g)?U zJacQpL@Oq;5-v)*n6MPfWtD4p;|04chpAXT~7u1hm0T z!2w%>i%=_IUS`hhD(^Xez>jfmx|z@mvD;B^x$|R!$Bono8O9v&zkrrFwto0MAuc_* zx?aB@QUx)Ckypv{iSljRY-_##!Bn`XURf{a4Ch zcN#g_w&^)==(#3l8+Sc1nJCE#rxMufPT3iWf-$OHY9)fHDaZRyTTy0CR?9rX*C-2> zt_9Ma1f)cif)l$cK|GM1jV$+Fq9pWD3MG12Wc=o5srt>1N$>i~pIOxerxX^uBN)9C z1-c@&FQd$n@loBYU?bF}!gw9yGjbABKN)Op{#4qR8DwERf+W7Y;#u1#R6YAV=HbQL zUy}eE2x#+Gr@GBaw-E=)jUoJKNQYc&=vHrbmD2v^$3z1_izn>4y*%NZsiIh^{Biz; zi;PTK=R;mz@#%oGeD!2uv$;t)F}E0azt>VA86gR$$wz9unux#Cx{s}z%AfDnI`6^JorF(l z{V?A&lz_j{D%afji2>u9V(I9z_vmp3Wn!NDX8=+C2fTF-MxgRP(WvU+c8h7F5*u75&`;F;cUP$Jv=K*W2BOL=#y=Y})n^!WlO zwLdwdd*(A4%bBc~kQ%?d2q|p-CqAXk)=7tzCF)!jnI*1Z7-9U@Hc&APM!ogJ=7evO z{Fh52ug|*?Tf;tJ?iN3N{h$KI80z;i7fCt5dCH5C4S4EbF-JQ3&CX=Px%x6^jc=qO53 zj~9xw*|+xGAzS^a79|OJjw{ePQ5OG%dXTIz;f5{5G<9yySjx5!zp6vWhpia-kh6h= zW#gbt+C&dUG_lpjE~$RJrJ0I+jYrbA{{hcxf!Wy~*MUdfbr1L*a@LbqUXY90P>_MK ziF7TsBlxrDG40yk_Yg01Ge765lggtYz_PSIk(xgMAuw6k-Z zF5)!#bmJWc4>Wzw9y&hH2095{fRCIvac#%ho$PLE+=0Ogpa+Zk$uUaH5c8Zd2l-sr zR+en~wZO%9-}54ZdWbvRyV2929hgk$^`U z=zQ&4CzX%45y^p!IF%xXWplRpUTneDsYNRQaM3oajgMb{_aOQ|ZuXno7-ztVzFYOyIGUM~+*29Mvq{PH} zHUouUs)UDt%fu^3#IB3k?KhBGzT^gb`CjT~zdKobDszABL8 z2qF}pY(#>uLN`L?ljKAg+&GDznk`(+mrDoIhDsW*`j)5RF^fgwY_e`030u8SPIyE2 zS7$9CcXpBGr-Ni^BIIO;Qf%0LN6Q!!$dJ<+NHM--O<7oPz43+xT0JXZf$QT-+;oy; z4!_isAU(h_ehZDiLe4g3;`G1T6+nLB+qal`SywMAXRcDVOw@uMQTy8)2B{|;?1)d= zMw*=NWNlqhmmm!o=WW>Ks-Tc06?D4)DuL@x8x)H*9))%{JCL=1O?!po5!*USvO~#{ zt<#F=NlYWcWoKyOJ_Lci5cquz4N>n3u8&3WkBG{j$&wy28bPve(GTC&z#erc8e|T3 zS-Pcs$~Je1qy;1@%K;MS0`7ZuP&EY8kR8g5e4g1l&G}OznO{F6XX-lG1*`9xn;_~x z0e{JaTjOlRGxAGne2<_TTU!0?2Z`TMyk_5J4Wh{ z_B@a~K`P5==<14NJA1ZBUbm-LCp@J5-;;1K7f^4R=DIX7XeSvS100m~)k`_b7H(g7 zmKsq0r;Rddxj;L23u-2hL7h{DFo&+|U? zB;@61HMO)7iA|hz&s1#>(H9gVRUR@xX*>;eZ$hUA1qRAsXY=`TyvvBNl)6)QIpR+$ zcQ5Imkq_+8;~V_N*-+E-@Q4v)8Y1<>R~03{@9gG!hn|egQKVq~d4_}v@neE>$7q~` ze{Yl1`q*}qw^ooc&BF4TICQU!7^g%nByt-laJ7-w1V5p9Z*xzN1mbMS= z-%>SjyPN2FoT9z>e;n&2>znXMc5>EcUcG%Lnu9J(0_9qrtkG|@WG6*543>Gw!l}V5 z^f^5|ke$5+W;t`0LHeS^sS`=_oH;9}Q*DVx51vwc`8eOw4Z*CKiqMlYX@?Wca-45M zr)bU*^8W2pUB{~_V`v$PUeTO6-qv=+Ge)w3*FT{e1Aiqk(*&jzoTZ=P1LT*{(?f>} zwF)4gQe!wIryLs+S*mwP{{2@;Las3y87DQ59?5k&%9U_kmZDw2FM*B@BL5OtSgx&E zA3tj`a6&I%IGD!F_-av47pk!cSLS_grNqb#*QOs%NWMZ&0=^(;+-@dD)D}Ybysixyghp=+45y!n?PumoLgiwwM;xenj%PxpLS;+jvQ zW``x~?s`OC*+8gLlcK?wG%MB*nqO z;SX-Xna%e_?XIUwd!v8O+_`;wsHH{w=S(FX1)RY)6QUJzsYT)B{Xx5CZ>=rsHPxMC z!%43gG40muYi%eD{kl%!?`WTy_@JG46WlvGG@>Gx&!oJBP98lV0P8Tsc>ksKjjc0W zs?n4ZowP()bn<6zrx=YP?#v$|9Z$997o(ZuD4$$xs3|lyPdJ$E3^bcY{FU6Hu^Ed< zY9WR$X%SJ9pgB4=1J2|f>wC9eqJjfJ$JWXWg$ZQKk8~^%$Dxyugo=R2ZD(Z!?NIP= z+aEcc?#L}>F%2LIvHG5^HfTEC-sk`iI$P_%G1zA#Gi4D&tP>nI^{VR5@!=#w1kACV zA!xj$JTmC9$xdG7D!_LaDH4>EDbtwE+H{PeLpPtRA+W6e63#6tD0ufc{X-2Pk)x!v zCY{;%7eFHM$i>vje(v>+CR%L@GX`60Q+@#iYySD7`iF}T<=n+seowUx(e z0FH}_Qo!}28Wno@_j-l`0Vo|nj>yrWXpg?^z{3x@5iFRa{mSz}xcNoeBx2l2x&!{7 z_{+NGFTnqn9i1701ODra{CK4jPO$p}jzbKg`rl?q+FhX8dyiV48qF`R3aHOB&Y>>6geKJl7427*LQ2MRn z>$T5AVYfo*aLH3gw;;j*B|^hFvDI@V)a zI(O*2AS=moYw&J3i3^)d7GtB8W3J#?zw2M|{We?G_Cmc<<&T2w(5kP2Gf&gK0dk1M zuMgv^@ik-Y*qUs<)6af}W0qOUiiLM<2oq=UBZQxo9g<&5Ol~%x^C4D)OZhN=L5A4; zYQ+#P`m24S{-Xhnr^`uMrKoSXs z5~R61wM#^LH^?rF_s1|{sGSATl+#GCNS~oun~+sAsa`$t%3I9VpA`UV5pyY4ekn3N zY;QB&QzL)X$Hk_{spm1G>;v~>7{F62Dnr(X2d)t&k~8BrSTN{1h0XEA7+#pttIp!I z_Fo53O%zZfUDK!6+F!Z4dz59gv0%z(rRpU*1&A=EIcKxY3SRT0_bM-4^X=A{FSglz z60|nxlvy*Xf?TSZ()YwMU-gQBu+<>|Ow2M_IbT?>T?qLo^rBsC{xc@luYP}bVVG8= z=G)#%fszai_Ba+GW<%`Wjr97}5b{?!*)IOkS68_5arM|exgh{*j&p>p7)gC~e^IG+ zN~SSnDKXpEWMp>YCoX2Zn#Ah%Cik9fTZimSNm=4<3wNw<{qCG+`r`S3ZxQ+RFFq<( z%gn8&kM5A>YL+|aqxiC%Lqm5Ko26uifjF^%A$|~kvJHT=`N^yxEWVW|^$osu=Gy#S zfl{vz!qx6R=vi8ujdv1Z!XfzYFo#;jwa*yr2cZgg5`!kdh0?cwFxN|)S$aNuOEs^s zKrl%Bcnv>1@p{maZGBRze(+l8<^+VsyCdBp;B)@IQ=cR7ipa; zL)}BcQnw|VGe;bCM_l;I+XB$M^8l#Are5>+2D4p#zkcKVPEPgKbn)<6r;P4j{C>|r zqod(lLRG&WAtle*>~9SWTRLU-U9F!ft*%m7`}{rzPExNov$*!kWjQ`J*k0^TIUng} z;tKc9#PZ&H{b**ukEnSePlE2k1m|SUH2XRBgWH9&C{W0^hEL`$<&$QUd*_mySQ1C2 zLid)lrEF}=0OB-1o@kIYy-vQ?wjWyc?u+$VjNY7BiTJZLsbiUE2iVO774{cn!z8HM z%ffbNNbPay@hoSucW0g0#x#ic@pa3Y^AKn$2XOY`4ynwy25Cr!rsOh7R0su0pe#c z#1$>LR3%Shvp}}RtY0clvwgGx5YL}kfz$jIAQ}bt-UpiG+-?F;GfW%mQ4vdy-2591 z##P7td6fLl@Av6STbz|O+rta~%+>*Rm>-C_bNC_en6qnnA|WnMq{7Ls|D6jkwgjMd zpN|RyA=_U^{Rgh$GZ}9f-0P3l9Np@#2sGG2EkD8A`X1f@RcM}#9BV3i{sP7N!U9=s zkus_Qkp~ZZ=?(x@@ADfC#~$#V$q&ADENCK(4b#5{%)#YU+gg>TDw$s$Z{}OjQ=9M4 z?{)2NG%I0|%&l6)5}@LhGH-nro0z3Y#NbBd1V&x-bW0Q`Op9tD7=*K2kX}(|xu`yZ zK-{$C7w24(U}7wb5->%(E4?u;T<2j$z@TJLCJi>E#WP-m(C)7wB$h6zv_1Io0i(0Y z9$X(r8h5&}2nBZ}9n;c;&9hzv&z zk)EwiK)@Ayy>F~ZjQynq&H#zqX}=bSd_KZAqg!PUf&xuUS0wVsvx4RaB^ZSs`;W(W)@1{k zcwW5IhxD1t$h;eG7{f&>n91h6O^LbE_+W8b0qw>$g{KvU(cU`9y{$>CD{5CyCkApmk z(Pb&#!~@5etaWjMEs+r^{ScPjcp|}nsXk#0Sm555@dj5gdhHFu@>G*a8S06>-e}G? zOvI9Q5sUtk_LDSifMBdSjt$gKo5xjie`8&kg!Dy_p(v47c&m#8kgX@fL)~hkmGtdP~nNtwB<NQxs}ZwvV->5w z){Y%JiDYl3;e&aOFLp%0UW1^cRP5EZT)*D!NEk0wXI`rH7l}mFghYIefF8$o(t1=Y z_g!>`UYe-gbJ%MTNkmGTd|}0)cYMEJD5x2~cI8oaS};y^`h(5hlD)Y0k25#QiebD1 z(MCMM&7t}2o;BXhptWn1CC_=8Ilcu!w%~DZB%x%rKxwyVdpUbwezP$xgKir-s^ljx zQDw6DC&U83z&`3!LRql-X_<#0;C0vEnAxqg(h=j{)>>Dd&0l}?iruX04|plVWa&ri7(xaWthReZHCQMSrAY-BBc+3MNz! zY_=p-PR4WsUNq7X_==ua33omR#2UA4e|!DKwU}3ukmR42Z0;(N{6J>*+4~0%;(G}R zvCe{|2lA={q$ex|#v;eg2YX>2v`#6>uwRn-5HvkbnJs^hzks$$J#nA0*Q{NO@Yo-0 z2>8XhQs6vlI>`+3-cJ9dGim^sD)fsVtuXVSUgBT+(4yW6GlF&Txj#gx-M$~$5Y3y5>aT|h{P@i%x z+S={utNg9vB;1yE-Tg#HrzNia^E=;;bp(BAe8z~;`SBNKmc-`ienNyWRh=Q3&`jGj zPS5=lgtxs9V_S$FbX$u}+c`HPVra<%3&MgX-o<5gfy;%Dva{IKg>p$1!HO2m>ZVzDrQ#)1zuQ?SbD3D3&aRacBr_tnccaSwVz@^ zJOgWN^c_1Ap$OoWkYC{^_3N`Fw#8-Fy>vaBs-(@pS43cqQeJaj8O&Ce^f9Vg+jZq{4#?CHfph|Dxa z=th4g0lL86F^#OnX+LH4Se=g|%2Vc-1T!{r4dLo=OrigHYQC`VKC@cg*Sq-c$AqJfap%Dr6&&dw~l8AS- z_a6b2>%NUk$OHtC`-YZ=uO1ji;PAS3UT}Tj?o!^qbeec`xsuMA^4AF+shgjwr z6Gd5yK2)P@OVZh+fhk37Ml-wsGJSfw8v>`OH2`G#7ov7Ir`*~jvgGOk%8065P2#}; z$n>Z>&y7b;JgNz|F9XQb3`chYGB(aYV!02^dSR@^@z<3va~(parndaX-Ka+XrBc5W zDqg}Zx+pDsR# z1Ni3!_uCLA7#9yvR?Us5+nQtQIcG_K9dv0orCBpD2N2}PHtgwNE*3#zv0CATGqFMn z&@5f*0Deql^+v0VNnf4nlRWI=um8H!8VCk?otBqT+2AfY#djLfvUlQnT9Cr90$1D3 zl*e7q8Tcf%D$0lW_b10cc2gph{ZGj6_!;0Yaz-2miW#11RY8j+Bafl{%zV&)Hu-O5 z2y!68Twk0amn3`Y)y+aNLYa1Dq|h1C9I!@1mGGd7<7cVgQIk)m(?1l?i-M)l1Q)%3 z&YAq=oVOca!%$Bt-Qu6rW^04+AgMFt5x$gZo>QnR=V&nPkERuHjw;jSvAP#T*(utE z+Wt;>W+I;-c9_z5>A+}Pm;5w)?H7#nQsA+mBGW~O>vTvsSVW&Tf(z1kPTQMg>sW5p z#C!niOPvujWuqjaUiFX=#H0MDECO$l`9!lq&43mrX@m#iEd%L22Ehs(W(pJniLklj z{L!&T5%)Q7nw%t`G>01}P#?5qxzJGiHL~k*(RH$A{aYvcs3KtIPhWa7U{vnDPqx0$ zF!bo}5T*nDw~=cp*6LRz$tSN2Zn?yAVDze0+kRkFjCrZQo2rFZn#Cktq&Q%hCbids zB$tHC6V8TUlM8CERBVZ60v;KSsJI_qc^1^76@`a<4Oh0Le1lKTWA0AT58pI@9r`7= z`7jL;6_-S#D&0qCi#6lsiGpMh9!^g&R2@UD|KKvU=%{Inp$8ocrcZ~B561KuD9#zc z*1w~qhX1hjAGZFZt^XK-e{AbNw)LMQ>mN_x9|!9n2kRfd_5b^IfYWCNL>9N@bYBn^qL@u?E~8y*+WmQggbKTzA832TRtKA)ul)_c)-^$( zx{Ki+YToegYLO56;VlQKe$H`<+34c9_>0FcG*}b9sFsVIGHGDJ*hxQ_x^*)AY!Tuw z3RjwEr;3tqH$ao7aW(9=Bn@4pB~PYA-Feq?9maG!_r7&nfa7CcBkDq)2HD5vtQ1fd zrR`m^b#4<}q9COygDv}UZdwwG<(^}p-H-e657aN@q>#8D?~x;4P0pxlre{%X@v z$Y#1Bm23`RN<);W>}`J0Z+Bq*vALDS_X8#`^4U=rayQ7{gyolBqG>rt?lu$mDma9e zRk-f4GblK18?W5X@a**|%MSw;&%XcAz3UI? z69nJwwxEftV@_+Xyjhl0h;ty5{n;ryViCV41x&Z$i>$qn&FH(^(IWg`0AN!NzFXyv z1_Wde0sEHsURe-ps=|33j6qL_yHe=n4~t;h^ra7)rPr0wqm9h6j>Pf@F}Z z6<@K{m7vPBp+kPT-Fnwh+B%KoL0KQV^M;jz?w3KhA2p^V>`eC&$}Re|ZdqSYY6ah( zfHIU0YKK8|7T3%XRFXIotOSZ=pRlpB`#}|%d^Wgl4dzOa$}&1vyFOAktcR6~ba{7^ z20Q4G>Ic$0(yxT=t`1M8dn&%Kb4*$|Ay@d4{OUp8q#+%!`=Mw88%B&cr0iKa!6dal z_f^0Lq7Q3Hm@8sssY`kaaa{4f+8J+|Mmy#8r_OlA4gFM{a-ws|I z#@paQB1=^n$cMp#imtWkyYCj?-Gud@W`uSiJR*t=3BbTJwWO7GIJ`=ENYKn_GBhXg_97GZzqS8i;T2~wu1wQe2Miush) zEZt4_>$j}^k@39ya~hP)1>bhs96cKnyp(Bl9=<1c)zvgPgA*WVfV@CIG16pqSZGDN z*oQYDV)rEzB&cCQ7LG5J)G-7yn!ZECk~XZ+Q9MJ&xnEBs$X=< z7Q?z4wL$IW>I47hr|UqW;IKvgR-fa?Z79bC6xY6k63^zL^4lvQfiAs(@1Ek;ulzEZ z$+TS9$1ISP<#=9UOsdExw9CNx(zhO zaQFM^FlTHV+ObtXBwFaT^S#^Ip<7e)HyM%6*v@p1*Y~&k%0l~w(v(24D_qKdlgWM9 zZ@>ddoU0fO?fA%yvL(ku2}`7ub0?X{rrQL{d>05GgNDG@Bl6ez3*L=?eNmnb#qY78 z@Y5L`H}*|zl8DS{{k+tXmf<+o8$-re#wJw?;P7|!w(Rd%Xf5-Xn0}; z+KSce7i0&n`oM!MHm_SEU0eB|z0I<)w&b#58TIYe?}&oIdh87ZsZw@kzuh>Et;g;O zjo1|@p(-rjnE}&%oI-Iu_b=}xSxq;L9#NREV}$f=ErP+`j@zdWjn}WeDuYXTZQdWs z$qrc?B#|w{NROYg*rJ15xl;w6zBKm1xj#d&RFkvN25rw(;6Z+1@NzE591EI{Q#<9o zziP7&FXdQ5{RFvneeS#)zI+XhGoAMYE|5it0uNG@^v;x_Ryjuw>@aP;!c?2kL80d@ zT=SUo+bACjJz{b7LfzM4ke!8vN^$Eham*5U9wb{>4}N7y+`JbJr5s8kB=1g_2oQ0E1Zv&GqdBKYi8Dy59I1DhS6n zow3jxU}u& z_EEev{%jxMXwCsgL!sNw@5K7E3J7f1t59hQ4s%OhYgE<>6{vXRgZ!5MI@dQ8AQ|mb z-Kp}hwc^w-GYzp6Pk}HpK-aDAbwyaeXIhPg52d_(7_aqVboAwc%hq3tc0L*Lo6^<# z&S$0V0o@M2Zw3*N(};wes$c1%r13?B3{@w0((YY{**?7*FTp7qaQtc>9KTm4yv_h) zQb=G&@6X!s!3QFgj#_~N4;kP=uIAd*!btSLLywA$fPM$z8oJ*H%bm0ldU;d%9L1|r zwb|^ieY#Kmy6#at1-tTaxn*Bi#;618f22YE0^Fz0f`ZwD#ZFrAzr3z2PXRyZH=rBi z*Of(K0j_3$=6iK8UsD8(DfT=RX9SKcc>~Lgjm8RDL@1@}RX}1zSrqF`j>6GW5I4ht zyWzA}y%mPY{cZO+M$f8fkvZD^iH(A>%-W;%1V!F~br8rik9uKE0TuaU z_OF)J)!p}2TH?_Fk27%|cn9{ya==G9X0gp+`(yLJd+T8BC0`!dP;UT+F7cS*<)(8E z-ag_1V@?+^{Cm$Ib*EitzpAn5$TSG{fl5=q!fa6B@bCP7TXr!41rkdSkn9t17oX-k z_MeX&3%k7nZupnM4S%aO;@`Xb{TE*JV2BqKKq(Kv4RS+qw*U4j5$@MgvciJV2HBs5 z0F5ZjKKIXZ|KaX`tuom2cmYHWDjdj-vYVCl{bZz73G&(%+}y3GoI?5^QF^052>wOR z64B@JDaZCmCSc720MPax*2F^F{Cqmgz6bIsp_&CB=)s$D8*T8O5UK)HHN3fTS}|Zr zq}c2RrwrKgY~+?Vz(YD-74MDoc!6Zv~wMLbV-Q^ zqzLGI2_&IyO0;OXBErp}DKE#um{Ocx)haBvi$h+N54fR3rvqPZ7!#{73C?Tlbtp9- zyzG>>xllRzp!mxU0>E-zDz;O3ss7-+FH6VVlNka>{jZUgd@1m{N>HcJt53%BASJt- z-hT4ZhK9lmvJ;+n$(B2kh7uDUY}`%o&u@oILX-0YfbgEfs=^%b|OUgvNP%pBGbp! zIVr_KYK7zDtjk7gP5!U=e5jo-G}K9FFtA|0qs&JWgXLZ~P|!*gNKl=ZdAbPhU^uIi zz*PhtMIbeFFDsK{C%KdlxV;yd4s=b{p5|)^F18t46tlN+2gxya!g-+;7lNY;f;35? zawHd+`18a|l&193;N6|!pNi|1zzexDx@C_45ygkIawn?pJSu&1l_noY(O%JZG)pCL zHrivxV2!RzIXuLh;GA%PD z{u&N)OWf|(E846zy(Zc<6dWjNAF=_J^Lr;cRyjxSdA#V5oCo*) zv0?P&Cx93Iy70Stbhi_#vk9ayW}vAr6rjH@sz+yAcR!9$g?KKK52c`-1Svb~Cg4fJ z^YykCr%#`*?(Xik-R(9)QK+e@VeRcNx)=2Rijj@H_hx|XlZr@i-_?vKr>ZE%m{&{3 z-<+bDqY)kbBEDRCeK+oOUa*Jp@UfyB!K~XvJ@yU5C-wSIWFz$%FoKeHANK}PgzIge z1d|nuNUb-^H|$KN5?wQX9BoYs_YZm5oQjaVeM=eCrBz%)v0okYI@#xTIm9@I@ox01 zP-D>YoZHr|whE>YQIe{e`o~aL{=zJlPu5vF*`{NKN1w_+Gu?X3swIPc_1$GaD=66Y z7LO>kFW8|oWF2D+ZvvIuK3_bTIP&?ghX)fsYHDE#7TU5UItV^0R~s-k)bXM^%?-7o zIn|&Dl`16U5)cqwbj z>Ot!#wlK--&uux!ioD_UrH&v1bL0K(J^a*wVeP@%AHG4&@IjI*&$lTIJ{ZhYV`a7= z<@$7#%G|_(D6P8Mj_5*zC5@T0WkG}%n4>6eC?5lap6Zepjwn9%n5YkNHiLL6nnM;E zj^Bz%d^_;yGzmrGVwLk1I+{o6^jq|x&9`u(ZyL0ImUy9n2VYjZIc&UCe$i2!1zYP! z!yUJCr4Ix3q3Kk;%li!=$zk;C4LAFt!E)}h{3&A&O8*yS%wAiR!F=+5hIk&MV}3I; z>6xDF8*9u}nQI%WKXt?CS`guzk{(;LcW~woJLMrWS+bF38lCioH!@aMiE~$u1#)Hi zUu3~V{MB}i4rDgpH1d$D3l90(q$9DuQNGmEQzl|F>R-OprVv_E^Kzv)vuthSrC%)fjYuQJY|M5p;`cw=eRgIS<^Xso$SSGWE^6m0^3mgQgfWvurRx3@AU zCHW*92^A@O`RVD=s&&v||6g_R6bgosD9lXfuY>AtPNHk|;>65XVe?0o&9TX;DWM?; zbXfdZ)?Dzb<^m0^AK}W>;2B5(a!80SE!_L3#@ai{kvP_LC zX}Q)nB1E6ekq#6jYVuG)RuAZ~{Ngkx5pUp!)G`t?9_%NaTjb$sT4j+#Gu>-w`;K~YGS;TWYVI92V4w+eH6 zwthbif;Pp+f7RjtdPRr-DMeog_uc=g6#e@O%?2`HI%i(z(W&YF0V%mr+23;_zH)Pm zw>nezIO7t@mOZ|#44$4SY1_bT_bd3(*+ge>8y=IHnmPNm;?#<|{H}=a$hVAi374LW zbBpF|HbO_uij@xx_*2=YP65b}Ms*bT@4cGIRj9L?xnASWU|ZMJ&0gyL=Jqrk`kJPx z$x7+KO2c)a+=*&{@`#a zWbvhnXon6L%C7c4{ODM9*&b{B1!5D68KpBYGme-8uiK~{oN#kLRt-{B8Z41j+; zgsNow<|k5Z`~gy*Cb!%!KKv+Jcsjp=e51oNbj%;T9gv?r=$PKY9=5ZH z9FhACo)7JZ-gCtQq!tG~AP}_F%9kFN_-4bg#Drge`H`fbXja|QDf#Yc=*3sGJM_3A zR5O16iDJH)7TS^B?~~Cy2$gv~w?hF@4h__;!7Juof32D+tFJ4{PBynH8eD0OdcQdB zaO0$;7XS~Vf(EKbCZLySNu25C*KTpIZ)Kr7dilposH(N{i77ey+&{7tgkchc09(^Hg=d<;^N0wk2`c4K;Q{SBw~}&A6K;UCx(RMx zUu84Nrc-f^6;Z#pLQXCO=~_}`)2oiq$dJX2FC^eQg%;|wKNBgfICW7RcDtX&%Im+)qTG-`{AS2XwfH5>gm3u}XVyuGq(G41rSrz8#7h5LA*J$nxz$ z^ukG?m}|WfeEte%4po^?GJ6s9j6;o>)W*TvoCM6hsHt+GPjHwWk-!wIB|a)kcf(#j zq=}Mo8B@Qz=3}6+ngkH*Io9PB=K77M@h!Ss*BV*b`8Q)jD#zHzp(il&{Tp)>!1XO% zi503VKB!(Jwk$w@(pYw8Y+z&3}3dJtv706%(ar3(<(pn|fRyfuO9OIz!+t(iy%^2Jn>^>+~3+~-d z%ydkq?gYz$W2-;FL~f1U9vNbEt;0Iy6-sbigm0g2ROpSN46PX%tO|{h2o1M}G?U*% zr1^L_q=WYUV0Rr19cH@RBg&Zk-F@r}WU-idxmfp&U9_SUQcS!?KAQ%yPipE{ErPTb zbS@Xm?BD{*Iq-N{WgI1{jyby1M@in%;OywRz#O<=r!4G>ZH8;k|R|rp10KT?9|?rB!3>_8R7C!T4Qbps7ihNIofj8r2*WGqqzta|^9# zKAy#5YGR-zH19P5zq>mGJM)aE1H9C)rBlURLRb6zIL61J_vBW5dK6z!4xz(0LBdHm zXV^L|C|)Ge;C@hfd&on>gKhX#qu~Tu8%|!Op$Bmp^i!eqmOg8dHRp#6MBi5lMucB< zv^k@uA$?L}{_V5eDdvp4UCb6Q4xChQG*FYDav29iTf3|#ZY3P-1&$xsP1}mWUciEs zn&&$L(kBp~nsEvO#b)KcJ>pY{(*5+yv~X1BPua?t0(07L%PoaypDCp&ThO_P4m}1Xi*hGt(`!^hS5dIPj{#h!* zjX5hA&%)o-29da3G5Z#qqDq^umw<^(g7?9oXeSUdxDruj<*plt`acqTEf9Y>B3fGY zycF_NKi*T_&iKsew0qrQ#!U)Q(gOI0F^gfg_(S+j4gq~aMYXTr4zBn*o>v>5`Eo8H zX3GQRt3$uU!Ec?JNIMxkrrC0&tt+plO+q9>LAutvhP6=?W$pqG;c^t9raPs+$6@q96SBpiNdZG zWiglspW+-HXTV))e>#*Fa@lKdlbtLd{&><=%<%N%T8m~M`rD#2G%Z$XGGAFhX)PMA zcB1>B;vO^kL+p^K zzH|dGuQ#AQ0#4NA5cgbcb#W3)s@RKvzAU;))OygN3nao4*R_}!Mb<2ns+SSUB11C? zF;~JCqjii=zGjAm8e$QmJOg)Kxl;-UjlIF=JUm!-ijQ~YxP~Z)(l*hw!H|7{kjrB` zPs;LOVsvqe+UnHTTHd&>Dc|ft+oD#TtmxZc0|lY zTCXLh`DC*G4`@_qV+&*0@>9W-_k+)043n%I&!Y2(+evn*h79qVWMr4JZjEf`{16Ft zDIw9aS)Eregs~nTdbkZ``e9|-NG=YKyA-{>nPd@J3|B52REjlLn0k-P5stU-3|YQV zvt#v9=L1)D*IS8~dr~`=Kuh6_*z1Z<*gAE!O(M;nZSbDqP4`zXMGjD&2Te}>G5=D+ zl@@&IJh3Zd72Aw+Ycd^ry_&g&{J zy9eg_NQ&yE-}>`!L(y+T(f>_D(a(BMBRzkXK08L9yq8*ot=afw^O5ew#f!kvOILia zq{x+iSb)L}fF1x|BfpdoqrJ=1uD2*o>(gR z-|n5??wx-v_l}i|OM6go@a%WrcNW`!)@;iuit7?~qGNN&B7g2E=X%C2YKjDEa5?hWBq}gsxsEn+s*iffczMZF)T??t zqB~mx6C~Pn@*EnCr^UH-YEltxR4)=?6mW^}-}Pcrxx&CGrTK_M*!FC4_+-Q0@TV+b z+!xohq`fWk_MU0Omu7DkJ`5!V4o1m8f!}!4%Qp_qmV^af%+O+bng$kK+-c*^i%M*H z+&We_N8?W$*Vb)9!}hP??F(!0Awc4Ffwb>Qu10zJ{4?Nafa&i zhjf;QGH1A{Diq@xz>Tf*@{%lPd8LLBhWz(JexJy1()xWz{!ef%#myrqwh}Lfv3uEf z=idxI<9;L^M#Iar`3=gY6R7O9 zaN;tCym#fkxIyczXQ`7}P(XeWZ|^~1rV)^KNPxS1lWRw1xsr9o4xI>K)hMwxWDoCs zu=$uCBw|r$XG-6H{Fav&l*SO z+J8+wu{Y-w;5E~x24j7|d`;zq7xX2Y_VIAw%RdzZ$-bdb2i<+L-DDDE#5vBKOm^cg)x}Bna+idlTQ?X(KoKRKB`)*>qAE~`tTBu3}U|nCN$-0h!P4?Z9 zSW(qIXqiT*a65QW$q#Z2B??NRRV;UWDuB6;Lg1)(GaZSihx3F%EN`QkXIY_lF z5sI`1bHQYD)Ile%Q5no+fC`&Tn9?q|0;q10H70xQv4qvj#8d@v(sBSfK_Ww(D+RcB z15x=z6mr&oG0x-093%{X1rW+MIaF~G94^+YH^Gi~u!i~o3J_JIoL4dqWxlN`2lP+e z5pG69@qI0smga!ay}QYDZ=t4^Aic{SoL_nA()d`g%;^3(u=}c?wgIPu6QDOqzLc?( zc^7!DS|d>va~zo22Jgh(7#Gk2T@|1D^P&EPB#qS6H-xQt{^+L8FxGA3bI zSn^XcR6fKU5eb{?SEQ#ra_0UQuSYUfclF96Ptw_4cz$=UP4&5p44V%gzeCqUfBeju z?INNMZ@IqE@mYK{uyHk={WxdRDcN=Hy@_pB?!=75q2gg#DtuFC-pDZLxKA<2ZamP!waPdJpfvbGClS2N*q*;nC z`&n_w0>@oG-P=qoPcrnVYvIf;CG!z=qaY{u&R=7=s}Z2?)xYP-M1X1 zD5&8(YL}RfLJHY6bz=jg#eyMyJr0Zr^O(=x7nC>u_^x>a(^Aji=4I;16Wyi_`Z=*= zbB|-?qF)Q3(ef*jUdz3U*i&v6$gZfU!nrDNW*K*gP6M3ve(GqzAsY{4(a-xW;QO+hgAMh^Du>)$lndW8zG z;#a?&@N{IrQo1}FPif6)Ht||&DBWaqL~^6c>f@pVFR$mCzT&534x}cQfB9ktFfqn^ z!@~97Kj*%A`}S^`Z|-?Yx-(47%*+_Td5*dkg~2?GQz_f}j(9Bz;p$`+QWglyF~c>V zF`ObLUTq^Iv_~;eF5}tE2~~3TK!eJa39;p-WvSidl*vq!1!XRV!X+VINn~?|kL0oQ zNz_**C@`0(T{`0+q3#)8S6kLS1q6}#lL0%nkyGL+i+>3Bw5q0XnemmcL?(xDV67=) zg2*TgD0*hCHd!2v9mF}@Zf6cWc?>n@LEV(#q9T>cHDPY*916=#lxW~Q=%;ZD{D z<$hFPlx-Lo1MN2Xd9#<0VE-mZ*8s-0Y;YqT89Aklz?aLOgo2*;66{RFM-ipew_<@- zT0&sU;ypKJ%#C!tfFr5G?M`W9i<@bH%%55Mkbc&W|^?v=yIsJ z3Wa5T*>1G&QFD%U5V^6oGN;?N3Q%@IJ1BzC2TA!i1Bye-qD2B56n+&5@#Rj^9m#r^ zeDPx}RLfHpP};5VB#yVfb3REs5caM-z^ib@x8mU$t3vCT3-2O*p(cdL7Ft^02m#$Y z0K_=lb@dIcxusr0UU%}AK+Y=IRdMX zv_PCR$2jycIjUPGV+ZA?`;ar#$GRc%aB$-b9D)T3Z^S_^R=1U={njQ zvgd2F=l!$h{d4>J`fT1ZtU-xsi9Wz+(Ac}aGlV|iy)zv0Z`-}b3RN()zt0tq$eCB) zV^9+#Z}(=Kw)NmQanUytW=O5Dp;#KVgtqTA}x*>i$z!PFO zUX9l9O~Bekx}7rD*eouWU9)>1Bi&~_;ifwewH<`d(N=PLkx|f-Cbd$GD;zX%_%TFt zwJfP6JBXvPaZP+=K^ixQI4yG^PN>{W?Q8I*=}LC0^8{r&xG&A4{Qb^e)qOh4nK@7i z!*;o>7b-aPK{0R)D&R_db{~pqXp&v435ic6d zzC*DU8)9ni{6PHj5nxSXlpWt2S=vGck_(B$j@;WQw4lsn5|MPzj(vfZOrVvx(d2!O zyQ%zRd^>O{n@`CO{ZV6a5Xsvj!jJV{f%)swCiXLp2^-`+Up&7wzi|Od7O06U2J{Ls zQe7k{3l4-B;`?-2AK_NmEF7{KLm-~Uwz9lj5f+wH(cbPHSS>sf(o4mtpg#+BBjlDL za62P7B#!Yl)J0C$2tcTr^g9;_UEeYft+rb(FS#@jG(J`6En{3*XHbC*a|jcnOQSTW zQzY|t+6XJ+-tA^+Uz^|G@s0`DM!Gp-8?M;X|KKXkck<o2xh+g9H5Fakm08cO+#LcG$>AZVj>lLf%~=ttS?gFf8}3h^pDJHSdwr@{dLzG-N0<9St{0@5Sd z^SLcoDY3~ti5uJRu!RDnLgRAN!$O3o`A82-3hizVa{Fg^X_x{(OkuX5r+M{@JEbP& z%U;bH=D?PZ0}HQ$chqotdF6Q(wn>5j#RdY@qZfqjlgZ~O5e}<;e^)` zE~ukQdcNU%&Ga<`PY00H@<4=xS=#mrjKzF|PqX1u9s||@GK!|3pN=#2?}3cMOE~}5 zK?}m;o{*7|yqER4}jt5wP0A;X#hD|F+WhozFu9k^^JTKCE zJYZzxFFl*|f_Un5zYw4L4zFB3cFKYEr_fk}(@nR(8=%NWK3*tu>Jx`gZ?gpAq71-A z6^r1djIPjgYdlAK)I|;++`AL!S-EA)mfKJrMeI9p(Usi&I&dCJ)IblyX(~p76uzXR zc~><(-3(`=>dZo*Q;bht-!ApTmX8KXkd%igm)yxadUk|CK<75MYUFL#>ETpUjELq>slPNSBu zP~+WR=}U9W{Zj$N{NI5GJ?)nsx8U7~<-pS!;RVuK8F*uz5-VY?h{v|5-Y-)Iwr2NJ z$X%>QLhklWwG&q1ycV^*ok)LI!#Jkz6zi?2kN4`Bh@A51CJniQHAF z-*kIndc+T;7w)Q(Z;9cj4XplI=XaN;Ar?^2B(D_+q zHU>zW5Si^pv?03hgB_=&d#G>rEJ$Lr9|zV&ufT4XkLaU~@ZYcTUWE&rKuX}5X_Y!^ zcN?+!=8YE@tJ)#c3BwcD;az_>Bd9d>nBWnq5lEcv$H3DZPeakOPG+%%`0eMp;BIlo zA1HSYOr;MeBS-38gVEwVn*|M{;PXwTrKH<`ro3|ur2YgR;x9udcf>8= z9*ln9r&#U_YTBWw=-yM``X$VOJACl_IgohHF9V5uT4klORE-p*o*r({DhoEEc9E;& zR%fT2$2}->#lQRU0PYEAHz@Kv`Uxo$if(#%}~wt|_TT!{C7n1{hEv>25w$>pfR?%kBF0bNg9H zSBf$bQE^YJKnrixk@z6sth>cm&85|YK=LIc_xMRDZgsy9%74uN-(k6vLrX`4Nt=_n z5jIElFiCNRXUa73CYgfuS)@8r99-uQ2R%R&dK)T&_AAe;jp>H9^15dEjU5)Py0jg1 zUb+wK+fF~a&pwE&>I5^AGL6?6>L~4T3d)Ppmm2KJY_D z7B0FVykMc@3XkLVs{l0e#o9@Hc@^z#;c;!Rkz;16Z^^lw%2 zb!H7q$t@(NNzzf%JtUbf9EgANBGvn%6A*VT;X>^s(32?eAAX@s}{~c!$VWxN7huAo$&=;bwaYraH9?(sSsDQ&X zVd2w%$`Jn{LrHDM?_y=$0-5}dZoVDL_|rJnWWFT9zS8xh$$)q*b?I8C4al^Hyzh@G zBKwDW&N+oAl1-zT9tADacV>(7`ad-qyg2B9TYS~L@(L&8lT+Y07OQJB@W8G6=!G$N z=Fv|X$6dsy>pb$bJu;?-XW8D3TrSahKd8jH8L2BrQn5)U&Ib8)(vKI#(iuz|iXAyF zYjdO*zw&7F#P)FB7Lk#Wv2kLn9udlSI8`#X3q;uP(^!4qg-!p#AHg_5H)!a!KUb znzR_<*4;!Lvyp{09Q<_+7esgjO-M_u92&Eef}h3y`sa(>r%f732Wk*CsyphW+Lo10 zc&?FK_oby?VD6(1F{chJK@|_PT~dRzMxAJ)vU2<2=cd2;IYP=+j>J=Kjnhn1+k}kE zGV#yk8~AmRBhH157ss@X{U!v_^p+QbB#Xlr=Qg(Q^stmyg`4#U?`v8r;unM9nR#vADK9* zbg(+ENO_McvNCKd9Ctd!W>sP`wyYU!9Ap6MFgApd5@0U0QOw)^XE=(4f2tdWKax=jas*G8I^kUGD=G0;_FpX(_8p6WZST&7Z+#qN~kq_!i^bDAFSS* zYm()J6@44L=>>FXtG&s7EZ>nwnBpw56mQE|&X|H;T7{h&3o`Ay#~#SMN86gj`kJK% z4k1gMZNBQ^{bKC_y`dprinUZkTLeyDneFa_-MO%$Ihmwj(u(+MGVwX26;a8H^6ay3 zk%DtHXR?W5Hzy6e9H4u}D&1XY#V(@lac+xSZGcx2VwxQ!N@{FuViR+c9a|jM=WcBL z%UW!$u(ty2zJB&Mb+pR|jJ zYZPYMH@w?u`HRoZLx1@vH^*6T?Co%0Sb@#iyf%y*IWL^vL~|7WhZ#XI!Zsl;<>KY0Mkx7vZN8GJln#}h^+kq% zcL=_v1>5Okm6D86iwIpxoD!Y=*ySTte3-k)!g)4wRJYP;dRbQH!nLVo*=S$v@PaG9 z_m0KAKNv1`=hn2oGZQ?U-;C$$D;g`#&H@h#!om1!$4Hgba`r*YGY0JV_EHdyQrWw< z>P)QAb3bDG@~ZjWW63Xv!B}w*XL$GnGEkhy^@|8^rB9-=oVnIPvji13qp~6U>+Mea zGC9_(<>Y;k18}p#+Ct+Sxw$T`CKmLn3*2hmd$*8Sz}df(vI=Rf`&EeoeMPQV6K4_p z^z_Ue|4KdDUH^$K!1rd0Ouk2D*<88(E>egFd@ybt5fbDY=~pMT zKUE6gPtjb36olO7tIG?0;IdC0j}C{zyw?>^fH~_LYv2l0ImV!Dn(2}E=2{^%kNt`J z)X7lBPZ^DBOqc%jv{PKWkuB_;?9CsGlgnM5;c(#570f<4J%^PVxWptMJc{}-DuNqZ zh45Ab+5i-IbqBessx-8#y;~h>*qBg3VVg7g5Y(%qu$h@kgV5mOPWN)Mk|tevIwbDa zJq5he8(PWRkU%(l@oXK+=-YSM{-)u4*N8k*u)^y6sArA2-tv<1jnCXruTlX6HO`N` z1Xn{PWb`#*%Y`DYe&C`}C|+o=&)lTKvG~ES(y7f@mv$Jtw$$tQEpxhi0_)rkMdi~t zxR#&;J>wDNq8l$;TeXhO-$Y8~N~F%o@otApW@P-P)zF?TQrNU7Z9I~p5UZ9SLn{kYGk4ak+aSqHHLn=m;qhNw;Is0h! zq2@|n=3_8lVp$F!ZuJ`(S&W=H)ChiLu%z~iy0NC_C)_puBIcc!d3b9mGHlV6W$j;G zfCRbP9+iC9rZME*gB-? pY~?&&u_;MAzF<}N;Y?@jhR-_v>C()i0c)r>7dSpDdQzerhDFE{MKo#A+E^03EMhlqWNd3}Bno}AdJ>m1%7`m{-W%;2!fGh2a4PyM2>O?dotFo7 zSua*I&F8OGajXQyH5)9I)%58upF6dDyzQeh2OEMaIKB5*IJHZmFW;sm%|?aMvsiT1 z-zNvMO`9!$5+u~HB3}eydLX4KSa#~|D9y}3N^L2SjLw^+d5ciUpE$4d!2cG$Za z$Nd=voEOp2t?isXalLQhm5DQ4pp`ivu-1O4JhQd2GpqZ`q@ThTRH~f6 zZ@$}v@EQ-!!OT%*o|@I0%lq_M1FQQQtsq@%>BH&Uo+uod4w=U=U`GQ~zsGEp8oFl)lsD>|GSH;^I=2%-8>lb~Mm{R_&r zW#62FbX;#5N456eG|Y~ z2Vq%F!M2QJaN(76NW@i2u$b^$mnd#F?#VM3%R0O@t)I7`pOY8cWc$5P6F(7pua};& zY{0gL%{imAT^{R-T~_xc%%dddi?{%SvVey4&;uu|zy;QaY~WOGNqN(spC!i}FcPw& zQ|Gb@-Zs{L`y+vIDoa2`tk}g*ad+ki{2cZ(PS@x;+?8l?!cSPH9byhp*zpqi*-Ht^ zas&3=fu8-&p(W!^S*izm)rkI?9}lb!zt>z9G%1#E|a3`*2HIZ z1ZAVPReFx*0bzBOm1p{K(U}eW_G!AE(}G-S-#a*r^+sR1#EU4yvWL;jEjI+Clme|5f@q9NGA*gzTfa0#=7Sn}}-? zL~9*^;zzDS@*QdNI($u^|^17p{?G9cP4V9I1-l zn6X%wc3>tq!u?4xl9(k!Mh69ZT5X5aOu*5cH0RZVt)4#N_M?ck0<=1{zt!q?{UMQN zD(I^Z4$N3nf(ZUvq;)L+eO%{ZXL%%HzVi4Sg{!I^(L7%t+ojj&99QXcr^xOZ3 zBELmM6w{3a{I~6Rq*&LMxeWcGv6V<0;-ZQ%dL&034oA`z1%GRwpilohYM<}dF^5-5 z?!lAh7aAJcInU_RE@(3?em*6yVUmt5sC%sJxfQ|th^iS@mtMM80?j`NRP z+!M*Xwj_o)Y-?DAzimrn(s<+LmYUYrM=*dbxSn^Jb#4UUyK@_H$(ZCW+?QVsHomdPG+AGBY^=iD%1$rosh66^=fR$ zz>g!z(;NFJmJAS}06`uW5PY38p8E@N!PSSZ^6S^H&m#pK5Yi1{U40;)^AKk^h4&hG zNSBAnbN3xgL`N~C_u6`{$d zuZhTiY#K)=OjQ>f_P@`A;+@sZm4NSCNZm_LPaA6Rd& z37SYM@+KKVpl4x{RUfI1$G&p2jF5Y^nrKi;x-UU8a$bt^0B&(_wLD51Tu~K3d69xY z*CYZ>ipXX7x&bZrN=S|dLB#34a=~mp&Z$KL<{kBF-~5f7atf9_l*>cEKDYs3Df2A- z0nrZ)yu6_a?T3@!bRcH*@;7}c^iM?&nC;lJ^DlOiHUPp(PjBPAuK^n!Cmy{%yAL}6 z@5ilbwBBF~G`Zq+`cxt4lUGz5D@mKasNz+j$H5SuMA~Xj2*Y(F^LB?83mLVy*9VV; zAW9+q{=MidIL%O#4c9e`7`|Yy8M-kBqkn!-Mq#hd9||H6IP6Q$^G_QvgY;jp@2u2$ z)(6jn&9|=I0YM+A!3JouJ3hP#2l2O^O}T*I29&Ej%(hjz+LDj7(U{2-vFwVRaiFxy z+a5%4Ttqei98`^bx!!;onsk%JKDYuni>}Bgz6jEfnF$3mtUN!DD#D)AAv%~L`%Nmp zN#!@GpbP$+tNc&7O8LB*otc^0bwEFcMB;yP|4Ckvb@=15Pz(c?8K(%~qg=2OUcB6h jL6cG3qOgFl%x&rq?(2)+O7bFuzmrO*k7ph=yY;^S=*%*^ diff --git a/versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP1/Distributed-Deployment.png b/versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP1/Distributed-Deployment.png deleted file mode 100644 index 8bba51b8d0495141d02b68797ae1b51d466f45c6..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 34547 zcmeFZcT|*3voA_g1{4`Uzz7UMBl1DM1kw zP?7?IBvAy(Ih}r<@!i|^+uwKZzH6O()>(Ufe<(BabU$5PRb5^EtE#@Ct*JyoeukWY zfPg|pSzd>LfEYzUK%{^;3V!L_+d4)-Kx*ryVCd!SXJhYVO~583hyTPT$ZzNB>BS}_ z&n777>+8#Fin(g8YK~Jp2MY0z!KH;%q{)!V=&=ej#3A zF+nW8y}7Nm%kOt-xCYoeIhnHwDvI#(gI8TN6cAt&LW580_AcIj;IE&!sF|oR2lyoG z=H_ILv9?gN_k!9BiSY`FLS599^)%Gk1m(bICwoV0@JGqo($N*_;^|`U2L8y|dAK^; zdpm<}ViLUkyh0MfBD`V}e?0+R{_%HRa~pFH`#*+(=ILYY;c4&cf}f^6o0DeN& zUgoy=Uk&B-v{k&-y?C^Eyksr0Jp9&LX81N<{%+RzHdfX?_Lg8wK{g=;z+o$Ub6XE{ zKpVgPZw~q>+A5&s?KCY^MA7_)?!xY7fGKcu0RuNpOA$|B1#Nx-ZFh5dU$mXLg}Rve z)c|)rXG?$n00U*ToV%@#JzCMJZX+djZT)kwt4Qcg@q-A(1Hg@ibpAllPX z#X-y;Yh`1nA*?4P=BtEJa1ao2^wN}6)wOl) zFdoVZ;CBIaFHLP7AqQtGM{{)peM5CERShAF09QK~B_k(Ce_?AyVHGbyF991ZK^GfM zOMPEYKLITTXKNt|9gL;FnuVa9n1mjnLrhpt$=<>-z|u$8K+(@%!p}%uTSEwNThY|)%A1@@X?nO(QucS#kgo2xTx898hXp>J9}BH z+bMYXJ85aEK*QL`qHScIG@K1=RWSD6wz~4}2DTzb0u~zX&|?)h2SZ&8VI3Pe4|^X+ z3kL@WS$h#DZAEP%H8nk33juv20d-v;ZB=a{Ej0rTPis#X1wAcGBWodyfr6?##?#N$ zMMXhJR>w#|)gu5C!0)c0s^M*At)}2E=ZW_Ab<(i+yXr0~DywK{<1XvqCgQ9qYo{%$ zW2E8g=Vr;TtEHwa=;|n-Wv%Hh;ov6AuPN&%XeaCwAnay%_3Bk|1sexT6<<9KZ3Qh? zaWzkjSb&qVtgQrASVh1~Ts=Tl(?|ZQf~Bm5n6HtxypFiIjfAg*G^*+@yn z+)YE>*+$L?E8<`!U?r@1)!ac$TUpN9+z&`hQ9;hhP|H=w&rn+hsD!?PwT-*GqN1>q zrl+Q&tAVbgm8OIq*2CRES3ujt++5L0T-{m4OUc{b%TM3a$X(S>&cQ=j2Q8Mc-tvy3)$)^>szQ9y6DO|Xj$4jVw^>ttc3l=)jTw0UAt{_0k4_L{z4nyS8*wnm0%LpMJ`T_7EKtfh{JkiCJrk&d97pufD6ybH!c zSH%Ka=N_s)g0?yu;%){G5(eH{;1|$A11m1zrRC*d<>llr;N~VOfCfuM(MHTy)7s0; zP0mNd*2>W!z}v}J-wUIwDX$|CAY$+7uV^78E~erO`lDqv{jut5Xcr%}wF6e~s)whw zn~J}-zNV#>lCq(fzrBN^oq?XBo#$0~VRtbX2}?ICZ$DwIsF#HUr0M?V5(@S{mX;E# zVt%6f5^DB3;*Lhb+HQsd7*SP!TMrvw2?IG-B_BC=eqCi3O;t@rBQPjdS;X8<4>Fw^ z5&|MFq5)SOz-KRrrT#AJLK3#%gOG%)fs(hk7FJKf+QCXq32SJfhSs&U7e}L&fV~9P z!_C22%friBPfi!>q;C}9;9}!~RkX7A!RWes=?f|e>Dgex3>B>f)V&?eUFX~bQNsHR24l049(rJo+?*e{2i`}X)k0pw z#>Z95DnQB8N68H%Z?1vyuvGU4#!O4dOUN56eno8!44< zh>e<Ix?Hs^WEcSn69FMYhJXm^rjYaav78hevu>XH{YlQUOOf0C z`BJphC4EOc<-qg*Y`Tv`WWS+8RgwNjU+7ulO#)`t(+=lk|JF8~fEg$CpIxE1BvH%Y zSle$2!K41iBPui{M8$u6CsH9}LMKhWKK-{r!VnKh{~{P}8lFpnM5(w>9sjc{QU=#c z{Ku=1VKO>Iv5C30?nm)+{XGg3`upF$%P?_-cQQ{`^=T%{osf|C8F3c#pT47H)pKR@ zZfWp>*K zaw-r%e*CyYA^Ir?$+S5h+C1O1`^#g*xrXA@N3PNaX4@?Pyqo7Q8%S+W)7+QzuQ<*q zb*-fC+nM{p8=tKocn{v8l-kPKI{X=gLeJ%Pjs7{cQ}<*}QmuSc<9myBEY{C-ny(%* zt?1WLdwXSbl*RUecdAq6d(n!o5yv{G5~NKtT}DH87d&1Pl6IIK?qIeT4-Xb6g{?u8 zWVTd8w9glBjKtR0NbCBA=UgP3;%r7%cNC_}-!LRI9&Wu6?BcHM*la!w{_N4kGxOqS zN%GX~%bHE=#jYvOmLDfbVKc|PyuDM-#0dONX2=*op~q+Iw6}mwJhPdew;Q%5tr!buqtSrR05Af-Hi{=COx<7TIc?-#b1^FH@RgI3>rv{Hz500OuI7aMDeYQ_TE zRXS?jr>v?643dw~8Ont0|1|5uktlbDhqBgnWoFjcsKdRU!@DZU7iiHIZLw5%;xcG$0O}X9%($f80n(74!5L z-|+{W78f)#FLD)E>9{k0^OZfv*-^5%Yk>>Z9&gV3c1*-DO1)Q6E~Ct+89&&l*}X!x{X;91bI2?- z*qVykr4<{pJri$hsF=WT{xnP9-wv^8{8P2^y zbrg=;@~8e>xJ+bV39+hp-N|%2YrvYQPW;CT3rCP(`Ovi#TogP8jaSMOXFwz+l#2}9^eUk^*6$vhRYPnBWlbCdQs|R ze^S&zLQW;<(EpSJSlB!Hn$lmynwBXf*86p>*S>%F@nDMTZ%CIr~I?SagjsNd!qGGW(M38*aM7-#>SVn+fn!_Dc*e_Mmv=H|Fri^(!g}?IcUEAa}<8I>zwFImoGo5uOB%n zll&mzjEL&+lG>(531PWhPBF=)OP6vB3mtpcKD{AT5Y8do-Rj*EI75W|o*m}HSYu(w ziH=z1(9JWP8S`siattCKcaJgWmUOb;8w&JflL!_Jt0#(+gAzV0k zR9(pN?zPsj=GSS7BurmZ;dYbHy^m793-qMOBBVoxg<)XQW<|7q)_%1$A>5P8X(VY_ zI&n*(V5Nd;k=_U*YBMK?I_paE0vK`q(uxqS)%1MtYfF_S1P7>IQ=+j= zdU@qrjbi>QR-Z!;_h&v?CZwd9g&2Ly4n24})*y!Ix4I9uRAp6}`ewU@q@#=yl z*mi%_mqNySZ@pkZD6uoKUhsR1?>qBOI zg(WYZ?M>1*Ctm(lD|fIrE3KsV=2){GnE(~wY&78P6A@-f(+t zvk4>IlY%kjP&)5@chq~x#ABg)h;A`>Ya*sS6WT+$D>|4x_LkptwNgrRL;H78^TCb> zc&yduM=7}^gF;7BoQ+1fSF)0k5FvY!y`~LSK4-GWHkRF-Yr!!2rt~eQ%^wuczV+<6 zlCPp!-L(5pC$F3s$9ja z_45_+ds}a$Qv-k1DYg7)6Y7y<0h_Y4)%pO2kEH!uhN~&!cJtx>qDQyH?8*0aUwlU1 zrZw+be|9J=wyK*+O&)QnFGg~MohK9a0orLX9e{J(F$@8AD7^^rAB$0lw>FK*7fG;k zGJ(qTHW1-Ouq8cz2b_oY(A_yqGgk63l~dD3btx@7(?nx_ zcE}5H7fSXE!0Y7D)NL_qeDUJN^rLuQ&f8P1T%SU}31vghk4(sVq1juJp=&H+qi(HX z6eckU|FsWF)-_*zxF)BL01M0{O1RLj<|t+uG`6{X*0rI0tJPpDQm=Nb&96M+O-{!- z!0b>Gi-jI9&HuG*Fg9_FJ2FfhxMedBV;GY9G%pv|M$Nq!8_y(c z0j?AC1kuvoYL8YhpJX4EQ!9s3ZST#~LWZ1dZ?ni5ZHX}LZfUyI{G zYl=_cCfC^ZtZ&nUtuFi$!j8`rTQ4XOF#M*q#xhD;^@~@ZMmw2*5&f=%1Ql9AeF{Kfj9vGoT9`V`=E9;VV77(NuIHL|&H9XG4mBDXlv)`rI6rgoW% zB4WwMhg%?*P3AmF6+K_^m+Jxnqi@Fjrfy9-`nRrs^~~NKz0UD;+?EmZxCKdsJVg|4 zxVwr(pK`O~l2_hREMgMoZQfg%Ec9s=!$d85Q1(QUn3n^o(2v_tXYC_u`1YsSr8%V9 zv_h$=m7`)l%-*-nnrs>$!z_aN$9!pxT$~7Bs~*HU$^bv?$T8*%4Hq=hSy>csUOYHl zTG~S&A;N*l)fV?fS#@r~|&(f)whvffzIFbq0tpb&OEl7K{&1~ynvi0wWTY%HhJ-t}VY zB>;Pbt$gh2g~_ck|8N8)5f2+oAT~}Vg>JW&oCdO9R&XQb>4-O3x2JYL$=|2^!}>W_ zn=`sPTE9I;)C6|bY%0|4-I%GsH|;24L{(Xm5zgWdcuf^Nb#^>aSL=#CaJik&k^KUky+#HW$NZGgB64H-8s>z*+)GNr1t}NW@&d&2 zi8s$KZbdMLnzL5(8d+17cpZll48RvW(?kf+^)Jx&>UJkQ!JglM7G z&+(6)C(sO#gO!d3JLpY>y(&8uJM8MC0V{Z6?=kiDdX`_gmqehY^^!1KVG3o*-M zl!_o{)Jg$1Q`ScktRRn5oC#J$aXV@>1YWP?KaxORd5!|UFP+HQ0*KC7{G{6B z;{Bo4GBQdq$36^DaY1w#QNaTny<#zfzMjC#@kBZf3AOfPf%U&(MoAKyBf%786X@nLEO=kh!2En$!J`6+{pCxTu=5SjGZ`kxeHUV8b(a200a49@-?J21H4>pYV&(C&xLSFK z9HP?@KdGYHd!(Q>0f`shW|*8Whv-P8g$GWfl}v&p^EC`lR*njS5VQ^xg9X)X9MT3I zU2_)j+pUS}NLLU*1g5J!;PXcqS0~yz)4ROpFZzYF2Z#2M4!v?P#zlC#? z(9qYF;ohh7A{?Q{MtJS5a8gTxM9a?)6GrL^3+n%mfWc3g2IY zS&xQi_%I^)Z!Q9?q zbWB{7jbZM~T~#Vub)vCd1}f^x;dhXo%wfZ?Coyh~TO()RVVMEaKvNE`yqK z-9`0Dtk4C*#oz?Q4I}4okYIbM@mg~>^`9||_St*B1%t4`uc*C`E|Kv{-&61gurs`0 zxU9f^2={osPiJv3?H-9O8m5r5s(AB}f$|L$F*0YYO6fL9Rd8wb>TA&UztS1y5Xk2c zb@x;R1dZ}jfbA*2I{udLQ}&OK6>mWjr7%M z)#I`dSZa3{Q9c$^yx&(cgU~MZXee_bg(q0hYdaQ?MX^Q0SSb@)b&X&soVx7XJsmz$ z1t#1yEazObn%{rY5QgCRKzxl<^`*yk)y8ut!;wieums6@CK{j8>R2F{aSUMu%(?QE zZs#u&c7=1SduWrOl{J6Q9EYEIEHZ!q01wnxUV7({aFgcscga#AP!hk1qW-^)sO%?* zi8P<&(n!V2YfZ6dDbl`vq3+#i9OU(RWDpX#TDHNMVLLMW*wnd{fBXGSp!YpGI79mO zVQIDMbA)sHx9JBLm~s{Zi%pz34MM0;;PACV%8E99loI%RBbxKZr2n7XHxRl&u#8+j`LZ*xt(&>r506y z@CWEC8zRd8+x>jA=Io%A8_=;arPgtE?(+5<#!&9c?n{nrp~0m7C7X%KmPCj(Iaq0q zV}}BDPcgYKBn8y*Qob6Hml@f_)~B}=NjjUjOM`<`1#}qpZQeDh180z#TVi90X8Us( zj}|iaj$|z<4hVRLa8h?OfXzmI+5+&Xb-|O=Bru%Xx2!;y(^mq#1Y8F6F)10YO-9{U zHm^zSEw#=7$U6x_&ATrzN*V<%w_E2VCqjpFfQh78WPP^HHqn%rIZ4*@VQ;}TG}*c4 zi$T-=f@>Fauyk$Owplifbp$<_)X_ysjKNishkL6lYkgW>S|KYm-~@$<+m;IgYpzDaV_VqmN2zTNkc!mDF0GWCjf_DIk;}j_VzY9saR>R^q za-flF7UD1Qt9EL7W5hKL^h1NAZpCEkQ#b0Bou8#$(1|@kY6l<*K4bo~7W1W{`#%X4 zIy$*Zxh-Gc)>OtF>&*v0o2Lu%v(gI?WKFx@)&T~+o^kje0LFE6w}7el zz-2|JcZA_DV8v55NnyNh`cKx319|02m3RAjd1Y~T1UtzDt<=-zjbTTRVf%dALsM`f zodz%G!KolgAuN7*9K?D|w%^%Gu`mWLg@B9MF%XjMKkW{J8;)sX^yQ9zBtwQo!%aiO{=`=?qp~=svR6mJ0Y^7Cs8^Ph zmWU-&5H|#Y{Il7iOgRjjWz;blVoO_FO#!jdnsonYhPp!_nAQYkEjuxyODbJH8Ba?*YcaMaT{+gR? z)$@YFu@6L6%!qy&cy&8m+_|nB;2QU8vS%T9F2%V0tr!wAXWeH9UQ7f+_!xzH_dWyPJzN~u^BmHl1@0mLE|0y1l7I3!yI z09IeXJpI$`@CC^$np5iO!UcYLEH@9qiZzZ+{4slsU04=}8+qK)(8!K5zdaVy-@3{* z_4-ya04oijj|DhxzmYz;+O`V)9|DG?TitliHBEJJrE;%Ti1QVu?8f@D!m;v6O9n*0 zEIggLr#noZ|H>j3bGZ~F$S6}w%Ua0WJ((uFP?AE_4C03~e4$2}%I82d5(*ui%s)MG zavD++O<4$VJIT&9Ar}xznYTGcP1p9O%)B*@w6pbXD~Oq4Vk7kpjGl;ddAylw}@}dxm^qiZ_@;fzg1u}O23I9a5v!CdjmX7%Us+%SMa5BprEPZ2gs*hr& zZo8P!Z5A|VjR-M{pCbIlMxEik%9D^YQ?&8cl3_7kJb^RO+5uL(C$~fSL%rLJX;HF> zwUEntK#O{UaHJJOSVtZ*O6Qp5sHOF)iL;MdYBZxr`{|9H1WrqbG~h-GTI42=ahJ(7 zH`7ozJ>&}7%Jv=eKju#55=_2&`V&+-z*EEQjKEUC-G;z*uP+)rIvFodAf zcLHzDd4T^;Qoe{88Vg)BiOqA{p?2vb_m6Tt`ZEKARNkLSK%6cL^k*cxMC85Td1*1y z*qQ@<^o?Ly)aIiTBGRw5)WQP#s3hQByZdZw-s>xRw!$#qRE3xd1J|MYLm$mU$_Fci|p9OBo-NEZWD++&~nl-gZaYF@QtR zN#4I8=%ysN<&(QKGCueh27etX# zv`h{i(QvS)BmHG%uIAXpPbum`+1|~$Z>jk}oc(EFPC*9R#NDxZ_>S4|Oq$O?{Bb#i z9&65**(x8}*6+UeQq1I)=T-CW_q;IsXmx`g!G!L=(%Y}`u%xz{8TU`R$l%(Jru_&q z2u|m4`RD`r!=9H7q7(}XpJJ&1k5<&`X@^r$$cqXx^*#0rsuGw}#@jQj@>kErTo~M+ zM3SMb@n(Zl*xW>6AP)JPQ_lgXIN*6;I_p|Kb@DO)vn~%I=Tk)l(4}wQf*>kpg6C2G z&~RG;*H&VczFoA-rjhCw{t_I*H-l552^2q9-@a4mFna1p_ys(2QGWU#n-eh0e<3!= zh)5aFGiyMi<_2FQiEgpyd||KlDGxW?cHWUn+A1=S~JW#4o%2`amVioT=AHUS`uY4fgsgg{$Z^Q+@-zXC8 zcc62UMen__j239i=Am7y^xWw*Zy}n zlf!whO(Z7Xk?JhIJImC!)(8%WZ8-vsVo{KLQjqp@1$j*ao*{^$b@qvh{OTmLl}Ze- z9V57(w+Nj%kKX#x$ZoBT3XCk2WHq|)-X57dS2j;(G*_|@4viyv_m);c9-qc z|JBy7ajV{=qf9c5_6g_6Ajf+4)`YfJTjPwJBr(nR@81(kN_hEYnYi$vW0cRD zX+JrK011?BbNvjw97xB6NuDa5>Glhkp#k^}B@#vZq9gDsS8f|p9&v?$P+s|1K-f>+ zV{yvl$XEchgoJ^C?eGI5QELPsF3t0uutbaJA~S~!6E(0=guq5U{NrpXgR9CRt(B_I ziOnSlR|a?rX>1~S)W&~OLO}H~g5m2Zy+KaEO3J2S8`iV zz8s}b=;gvAaVf;+*Exv#AD`sCiRyI#yd{=bE*vSn<}sF0eNEI5gwN$rIbSHNeB^FK zl?M>@%k_|}A*vn#pb1QM;{^Ae>`fb8ZU8^sDa$v_%G_(iZA zgb(tnYO4!gB%Bkt$b1|hs3T-%%`iA8d3EvqCBLJF0DLM3y8v;q2>{7#uM_o0o&YFt z003fv{MY96h{iHfbO0#x1K;RH$Lfasm6a0d&vH3@u!M0T3UH3q%i}Q8az3^XnZsZ& zK6Qjh15cIk!+7fU?~O(@<}X2N1{3q}zKkPj|39jl#`j0^0s*dr@~7MY+6H3%BgFGl zw|LHn%Q0Po$6*b4n{oN!rj0YN5p#^pDxREGgs_ms+=q8Bs6zmAD z&?r2$jLwn5OEb9Ib@UyOrn?N;DI$ssurMhUKRoR%P;yN z2$Q*h*Ap72>L+Bg!@Yt6Bv=qXXbMNzJO514dKXxk+7n9!pjLgDl^Br|ulFel#rw#> zPey=66!OZS<3xM2NY9)#6h=pf0jC8-Uu`orr@pk-Ewix_B3RjB+E`t0tet2SGY??) z19LdalJiBZ$|rJrYCoLp<$Xx$Isx$L%7pGTs0!a0%P0$1COb`34E9FQteDimGs3Op zG=HC5P86^kXJZrTM8B+Y_`9|oSCxrF+MOd@XnI)fc#go9u=TT%EP|AX0?!fQoEy<+ z9&KJY=MZueq|r=*ypglm`Yoz&A}pD!&%{2XnT`VWI?BwdnDU@!qLJ*u6pJK)pk?Y^ z?G`Fz}NX)(O3WeKx7_A5Ao}(;sA1SOH`pK zyM+%pef%gz5vpK(J^YB($6OU%p>qNjxQ3NZuFQz4s&BbR!tcSh%jDfBkNfe#l4+{R z>?Ct2c;J3rU;4_8eXcY4OuVXSB+~9UtlvZT+8!L~l=@Y~gd+|=ijSn6=~uUwTiC@2 zYsz+h1eu@y_$|V}uPE!vuAjHhO`OaxJY!OQ?Y6kETd65a&W4i5KCW0KGmtRjT}CRo zE*H*?<#|=j7Gx|w1b9Qora2kc{Ky$3^a+}`kYpWMHom|d8Fm?uG@C?FkjDl$$hI@< zA;g(sqV?=jySp`i{Q6bGpM>K03*9Hj6fen2@A5v@mv#hEx67_~e+0VH-WO#kY}(X# za`^qb?RZM%oGlbz$wiL`KsYW|1h;dSi@l+9S=HHDpRw4i*u=pla@)~iG;(Gjb+bUL zPPL`*TxtKH!Fu^h;Y>W@L(-h(EClX43?S!pOEQ-@-*8n|>jzhbRQnXvQG6>caHmYg z7?0&k&2W+dbXmvPc;HQEX)18S)yS!I!tcIEF2;99s~(z8%oH>Cy|#o0eIV8e!}l*H zA4<)1{NspdoF0?4P}}aK%7+n%<<}->6Tk%b9Tor(Spg_5*fQJ&-8c#U^>F0OZD)O* zB@OnA)(flqzGZZl6u9S4S}w%w+$|*dYw}#p*rr${4~M++5gk#v2EI#YIb)Hoqt(lX z>y;pkubJV>S)cd%L0m#LBbYhSUo$V-bJ%7^SLFh4O8N8g<)-gWPnpmS?nAFF2YRs0 z*vrmM1@q}=d^x2CL!N5Yk-z*0cK(l@T*ec`4|vOS;dy*|{&y;R${SyNBx+{)__=#w zn+o*xA#0vakD9&##e}ra>DgK^{wo(3`C29Iws1)C&S#)N4ynv-FD?!qRKNeAS3kOi zopoGjE(m^hYb34|7EbA4cc-gs5NME@?vQrY>}OE%zF4(ZwY%|h^@?$HSH8SeCjdOF zEFXO~dR4yC)y{?ed0hOCcW|H8cBpC5YV}5Ty01g1K~Oc&J^4h(@AfRMWy=c5Okd9nANz16E*uI?ThZU(r&mqR<|C&rQf?0x(Jni-8m z*#~rfj2{TGp22jTq5AI*7n>-2#rj9PLvzJSq4h1WRO9Ss8#$Qs90c`Uf{MWmT|Zip zJ-{vx>??4Z#aj+w$yu;euEZm5n5f7jm{~Qni~`DsOThv#VgU<)dD!1IF18?DJq6GG3}GX5 z{%?NXF@lfPtjr`-NqPC)jfM*tgOKVXDil_SYN0_)p-oRCuk%)^chlg3MmqOHU9Kju zbm~8K6v4O!HB|&crB652v}l71tkOZSN(*9r#xj^Ko?XzLc|CN=%<=GoMrv;Xtr@IC zR`|fm4TLN%_Xmd>pTTZQiW!fid~B+o{N+UrDgpiE0*@)j2c^}a$rseV_rog0D=LTw zJ>+pr=#Oi6pU@ZXcLK3_r!wbOR_eZ}udlvoQ+8Iw;qKbnnjXXWhYu(d6O)uTLT=ZI z#^_DvcRuu#-`Gh9N&;(8!N*Pf*V3Yky*&ogeOuLYwt)C&MsY}<%!By`=d|sKUUTZqKXiT3Os_ z*F0|QEyYNm%F$;Dr2}LCY^d?xOYlr*bHPpOqH1*nHT8qp;5M|5hL) z{0rH$UXb+ToaZ|fW9VKvT(SU~E77xPOg~vzZE7HHH3Dgu>C|?-rXVlyjsl&LylKFX zC!8~9S56h~*a4M`KF+*Ck~KBBQIi+ib={JYPp&YNXLsvnLsf9MlxfM(4mNOX7M%$W zn$^XHPoeS&Cy*<+@?|juvF3B@#W~MCyu3OsPP`asgnu$SB4mmrjwE5r#_lxh3RzNN#9oia1 z2zXx~>A70b>-ACowpsh|02F_+8+5c8`5l`3=*yCC0ls$YuoQBL!^ z8&vH8@+moeLCs6~(TJzbOD)IZ`J(+m79*TeJBT$D+F#!Nz0)JsuQf@_xHtD8=0zoCXiP4u&5hT$-^`<$N|L4q^&uj;imb>*lEQI`%-0(9Z5 zbJbOpWXwv%ui4U|8Ls^ed-3*T5mP__sUSe00HR*0%mYmpmop!&)i6YSul<(pm^YSH z+fHYEG9Nb~%+b(dZ(-;vi(4Do?2Au4n2*+p41YbSpZ#hQ+Bhh_@vZNAx4)NS$WMAG zCDHKd&Eaf9-u%?MSD?x6wIVwz;06uq_q#0*Uyr273)x?kB|Wc)xaro3H0|Q8FUkx( z*lr&>7PATEpBH?HX{MIm_++^Pr7wdzoSH?FdN&U$(}|5|ZfXX#8ikuaMQ+A#K>?C+ z!(p*&aG~GReGqNqb=f7aaXa#ms!eI}&;?|i_XS;9zUKK}zkyLxLGlJN-m-_hIG2Ii z;XH}GpU4kZ`M#bBuVS#ig6VgpGfhd#>ld4L>4+YcBFGju0S~@_2pql=fWss^V&zXuHeltn9<11|hHSLz=o>oTAUQP|<8>1m_r8+0zg6AR z9vqMS(O5%GvMk{Ascf>(S+`kV zVWj6F*foWvX?~r2b#)Ty}qCztD|AH+c-Aftx)YAUu^n&(UGEiLZh~f;xISncTT}1^_NUxu|E3;vHIUYf=$3(zT>7N z1C`E1CuXR<5PeZ424^eXVy`N$xxUv~Ev4^BRQhcCiM zj_tc=P|5y$sjg2P5G_;2=JFecY+I@u|ZB>>UMSzq~Ok6 zS{oI$-1+Q%`GkacVaOn4VotYt(e!Q(#8xC=rVKVO?$o)oJYO|lNCqxrRiz|ZId5Eb zsI#ZK>znpM&boj%Mw`jihXFr^dtC62bVlx9@wB&6rYYANr;2vp4u>{+E!fsfI?iC! z&i%i8)UJIB%JY}{MY6qve|8o&`$OLI@ACmT0>J0J|AxCe{cg6h#5JA!uqPh!Y;{*P z7kc7Kfh%hE-*!bwh}JyQn<`c;^v!_t*!_Rh^A-8`f#n|$EFc#C;K2h>U0rM~9Qozx z)yKK{`S~kbw{M^LF*o;2GAo=IB+h=f7)l7atPs7M59qwt!P!l$*#baC?tSTxDFC;S{{?=001M&CH_>~|AUtho>g=BlpbFN1fGP^4 ze4y;OCk7M%|LFV+Zcze<$+Yy5>j&v)Hn00v&jbUsBI*ADtyo*6H67y=1n|f@G^qdM zQ7FN)h>KxP_cr%GjQDSGGCrhvs zks%uD{T_qEPi~yyD<{()2PG#xNir_` z^H+fJoN-W|9totm&=QuBipx_)lQb#xCUOF)LI5)3k0oXc{r{x)0@t%#gjt)*{fusuf5}3f3;viCe1~eNl zTXEDswFvy*qDw3f%?dA6tz;m1N|<`FM8n`P;mC858ZI&{8x||tOFeqhJ`A$KcgPp~ z&p>T|*3q>c4bMaNmH?z*cjba6sNV=7GT4ny8Q;0lJsJr$Hh6HSw^W}7yR8vRhe6u$ z5H0|pq?+#J4G`;lLT0#d)*wWUI8OLwU{h?Oa@2<8EvW7KwPO~MGP(%6Apl--_|t%b zI&Epf!r<0U*L`^jGLHA+H8vM1E`B87>NW^rF}FN}umY8Q0O&VrW%Wlu`7sa?W`!$( zJ!#3v!fxg7Ll74($j5Ubs#3#zz;PdYEUpcNAU~26ZBTGEKOs~&^A+qw%DL#ktk+Q6 zfRZESvN;?u$A<1U+@Jv!MA=~jP3AK-A&-PMp~kWLwybN812}^ann&%lAPNtYP<%we z0)*P_@qG9g#!RsU2}0-L6)j7s?UkX3PfWch@eEcSYXjwO{aUanjHRz?qE&^ui%+XU z9Eqz;8CU*v?X$( z<~$g|EC56yjOUoW%$=itU_YiV=*`M6huUU2$~qzK$YD{4u(?ix@ctb8^=enc?c(h3 z@2)_NEe1}L?PEnAri|n4+>eA0Qo|%T%HBBzM3Ii?gK&;AalIo|9@}z`a7;i;%vw?=)j2H@gO*W?*FJr7WE4X9m z?gf|x9!R;Mb-_$KyebT}9rEOfr6AHk!3@ru*2n}h-p4D?I?W7guJF`o`a_5#MdHTW zw{W-YnG!`{23u1kPXi+C5wNZocP?Hr)BGR4+@5||1fUQ*lxz*%5cK-yX_iI}zmF>H zZ$XwkJ9I%16gc?6QnqsT3e^RmeR;pmMm}5$xpS5~WDMv5P{#G`m(W`GW`OFWktXNQ zTCam*4G1x2Z;hr%mYB`dg{uDV1N7c{vh9YT|H|~_IE&Kln_0;zJm$XLLVjge!d&&=z1v#if}*|L&PwKh>P3?W#3&{fxkGW-XxUrh;lVo zv$eG$JMMyuItGWWV+@TvO<7be9Y$O#I;2O`0Xq6REp=cN^Rkrf;;WX@X$M6<#L^sVzw{s}Fo-qh< zZ0V>%b|k^c8C}%ODj>b04_USobbV&%#U9+jJEs48bLozjJGo$GU*g>mNBOt?$d23i z9w(T{Ko240S5KAUyx*m@avrX-`!TLDi1BFs*-EB9cAFV7iR=>I!BaY$VRnBTu4ES+*fSgXr@0JUVbBtWs)u3oB+m45mYP)I6cb5d4;wT+<*250 zD6z2G0kLkcFQM`}Hq7U|{ld+UFL_8Rm|k95GqEY$G29+7AjU_{pd7>gXQ=*s{TbHN zEJVZJxz$3d#5Kr{2!fxzzW3n>n=u6dW+-1ozQNq@HjFp2j&ram^^QjM0#s;5B0ptn?1v>#o zn(GwpXXYiUw?rQ90W68KBc}WEATSQ6iHceUt3Hlk;d}}HzvoMko1(OD!}II(e*>y! zFUo~^8%7%h7{gPfhN8A8G-qPP>B-;^pS53ck#th^mar6?NGw7riq?p-6J5Qku8#VQ z07Po}ha?BTC>aTu9bB{LL9uGial%3K)7T%*Fh|r*0q#X13S>HMVmB3R<&KmhFDl8@ z->&kRX|SXK_7C;)61N;zW3hfPhy#;Bao|4^A->W=$?`*Y21_!1i@=f)Br%M!wtG@j z{VV~XVCMgyn4S6G$|q3TXX+(^XXA+OZbJ}q5e4ygnl*~E^mWOVL6>MCWn8kNU0fSK4LT80xaAhw5X-C+0`G#z1lK%bj# z_pchhHts#mncxrGY)V$hEor!CBoC;fl_vb@-8P#PP~Z1w$D`PJs19x(M5{dpjcnh7 z^s$+DLOpjuT^t77RmcniuKCxz2lSzffRwjhwJwc;3K*;Djyr-bqvCZSW;g@xx=Wh} zpn3%et9F1O3j5{xvPf=lN5~4eH|V5v;udsC+X<)Rk6W;GE-pW3G-ZIWu@V?-9x zy#3ylZfY#xCyx;n)dVG796{0`q+ZdBK1NFdqQ#{xhh*%T$UDlT1r2;JYCj8}1zBY9 zf)99PWq_!P3|qf6>8a8fYz3pW>3Fo3m}diuyFr&IL073wi#2cG%Jl4(@BnpRUC>2& zQ2iHNILLqCXttXUT@U#Dlf|*^wR~wF5F*l=>6N2Qp*IVL&@}c2=+}r8 z21SZ>d#l-pclkho#RFVk*a7OM z1N_?_%6DQOrl|T9iSz^1A9JO=vZn2hUIsVc(XpdITr~@dq_+o7R9U`dOS=n7Kbt|= z^6nIu*|zHP7+@q1R4S+`9%1MYu4=Ld^8$5)P}md-dYEs5JBT`mkffO0eifm2hch4|ayGUMUZ*xMjF z2ttV}2H-Xx=4!X}3J}ffngw?<**7_J-Gm~<&<&0mocs}>Gv7pA68{Cnou!akg`Xhy z=VV?3);N7n3MgQ@05l^YtXtYk_Hg%>b~L*RyIB5v+;nR#qF7|lxmO6L#Y}r&Eyem z4JC~m*w4TcSU>-4!}V?b;8~&6*y;r-L>nu-1n-p#fGU1|p70lgsBE=KFDw+gzr@uX z*&c=XK%IWW#6;n|UHLe0G%FUKkI+%xjG2{eSulW{7AVQ1U2YyOk~@rv`Or!{FDv|R z-d72_z&SM`tj4=zmRdeGZ-feUMz!zrbk!%Qiq9V`xf#mPExF}$Dm12JbA2Q> zU`vH+MZ&*PFZp~a)Wt2;$&crc?O50h-Cv5N)NNVR&JFR8>0?X)nUXJ>3=W3jELjS+snV|7gcR-ZQYXuz%8PaN=HDh(bq{aNhte7 z0;sh$C7?x$a%a(4xkO?Lp3%A23*p-QFe_ny0(Jv&H8bkt4m zGf?ArGat%kKI%y`kk`VcT_Tm+y`z^9cL!+)?)w2cBEl626)GV5>wv-uu9-fqlpD~p^J{eI{B&NuA-%X;5uexK)luIs+9o0E0f@Qqe0J3cK@L0#>M=<7pE zA{jb!aDLdwgzrz>a`lWST&a*!VD7}$lRz`)m9LhWSwDsLd9CS}kDdDp%H-!(Qw{t> zQLKHOLbXjI1dvz2XXp$HcCv0X>siqw&v)Dehi!o@$r;0U;19Gb<|5b-d#2)iBUh*- zEgYcn?^t7zG@KejC*bM|jz;nPT&F#Lw26t9B?6E|UeC}n(s=>$L zZr7Lf?W0zZQw_)x_8`BmfMKLX;E~2IC1~w%>Bqp>LaxV7rf_^+T)x1zBo(gx4s0*9XbTrivo{59pG zX2uaYY&B0r_xXb}*AH+6%7z@Ms!^>sLY`DR8VC;9d8sr4liOBYI(7b8WwlXCqYw@P z-O%;nEX{d0{&vKIHR1jnYhrejp6XLPjTA&5oQ6Xu$eZQqcn#~NVQ4a zBYzgp1_Ea(aY*wvLcBw)RfaMEXJrLAZk-4{Zg&Oji@4nG`UB09=iI~?{Doe|O!?Tb zD7!p}+7EvhIvwXb+EfSCBcXNr6{Zl;5NZ2kS!IAOiofYrkl z*`0pH*AWG8idpK&&IRiS6Qf*xv|~pHh0jcy<}1Y5l7JlA24KeDr6+ma-)lpK1uhsZr7^!Txt{ZC z^HNh{U^l;}TK8$zFMsI9G5^A~8Y#sM+$Ox7!N*yfkz*lk4s2kV>UA<57fK)!f7{o7 z8|{qz>Z#twT!W!E)>P_nRaYY4J&<&JAIP< z8N=Bs2nJl>@Px*r@hDx``cFw>U4PbmX<2{-Jp} z_iMQaY{9EMuR!WI9uh;F>Jp!&GEcDPp(HaCHi#TRKHX>aOR+WADywHWF&j59fVsre zPL7QtPh!s_9d=vZMz8o*{Yf}F#cLyAvakni+i=RS9&ac7Zq?Z1~6Mv4TWJ!SJhNzB{``^F`f{bzx`c5p;>g&dxsuON_Z(4{B}RG+@zq z;6^cajW+>{>F)y@VJnzbl;-*b6#WxG$e+*u1E8pJ69_OaTC*1A2msLNUo=*|`xn%| z`1F;;mxeRlQ;ZqxYcN6u!uQ$%y>462V%qPbnKt2}gCMnOkWswjd0F>k729R;CUHQd zc7b7}b4Xy5s$?YD6z9|DGE$J6oUyI13c_Th5-eN^>9<-o@d@pRYq>ZI}6 z62RxDc)pr5?*BP3n2VIFPOHrvmsBQ4m;lp4z{+Ix!YhXZnZK>t^wWdh4FN?8V%Y)i zA{$!*c~q8(hf|1v&q38`Txu5Xis2no=|LhL`6r%KwSxz|^uA}NcQ@~SHp#7pdj%IJ zsP`2;CgYU>u`EQgYi!i3EB-D#*D^3CbMtE_Rp@jWFX@RYR$ja6B3y<9R^ID3A3FQu z@CT00lPF3#3hO8rS2AV$5(U$F0Hy@*g&vVRkwHIyM7?#KwJ=eJ-lk@!gRG$-Hx`U2 zVxhP^nk)vM1{)_O56Z6Hj0)UvF#fa$xH}m0Pk>t3VFt?J>=?dj)(wZbpRc{e)isUqE(rLA{cuGUJdZSbrp2=zOpZ^B` ziH_brL_>8q za?2BG&=@J#2k1v|-$k=Tet6Vk}0Hlt^l{gUXE#gl}I_**tg#&4@~iP z)+2BwgivC{TE0|{5oPHYPkKEi;pi9~j~})?xjUr(pB)HQ~%c@A5=TboZBh%AaXtNj4%S2{HMo=#z&@ATe4| z;5ahcnhGDoXpV$1YJVAj%r^G$hZyTBzcDDABV3<}<}>5R4ZpxsIK=t~ORLxo|#q zH9dWKa$Kb9-W?{&R&fyFB}afSFdfcVV32>DFcbh$Oy-ce$Nuv}rW^YK#lwIl*#scx zI>4fmJN1tKo^RR_GBY_Qm6*iY! zZSp(gvsWxWiu1W+_A%A7EBb4-mM`}^kH8q7?c3);W+x1Ujt=xvLDD!0U3OA;COJr1 zg>-M<&kx908pZ`h%7Qj#B-x|=bH|7tRk~eBKtUqs#E-$Pp(l1Gbt)FjST!^#!rqMn z$#1o-qysSp0EhiG-{!I}Yf|#nQc?&qBWyEcmh+TI5w6|2Yl&1z&xDjE-vkhZ@nXe0tD2CxZo z)TI+migE>tm<*HOo#Gx*8v}#mki6u5V)zV6Q5<64Z4YhEb`k`M`sIdjZ>$z+==F^q zpG{9mVh`^7CDQfTb)Qr5T$q_9bS2yl@2nkm?~; z#H8@9Y)A}_yRd@6>BQjlDsD97X}hFPwF#C#2E?8-Am@lPYDSP>%|xR@Ponxj63U|V ziks8b1*5`U5v-sq)-%$qkhWx{D!CK%AKAuZqEq5QL6ANeGOmttWMT53fD+l5Y0ZA4 zTry8rx?&>>!xU0nmmsw9>WiK!`7tl0Vu+*TR~hf{J*feQwh!o=HUnIxfRb)((0sVY z0qKywM+wJ}=IM<$5Fy!v0r&dq6wVhs2%=k-G2vvW7@nvS)5=0m5!WW8?s%Xqtf^h6zt$ z0>OO{<(dlKJ9Z&sw=$amqqCn;$DbUULm{_7;uWt7{`M5*M{5E~)b@oe0Fyq?cNjE* zoamk)n=XieeUAi3b)SGWBtP3&QMXKlzCJJCV%1&`V3+j%iUrSF6q-=)&W^oqY%(aC zK)SARf)L@Rc?@7hnO)~e1Ugg3q&ZIXCB;dfg)#LNW=FsiSW%7Zg1LuQf0(Ece=Zdy z9{|yxD9u((%Y!4WE;ruh&#dIP9-KxC1qW0Wh9Zl1qzO7eoO8%<+O$`MH*kdy03zNw zGmi3?(4Gz;?bw(&q6W>;k_P&Q7l06CFXqyvgG!^6;{;8h=VIi_^_`s8g!W!Qboazj z0*Ch7FMu^R)_6iR!?GpK!6I z-l!3jPuBxqHmkg!)^Ee;*#}Z9QAD;f!_gB-5WDJoy^^!c*d21J?7V;cS*oeZ%WVI0 zjf_(n0lm46tdm}cEX$+T&v=GF`5=^BscRT2MS@+X2wBQHIhs18Bvwoju{l!M zmICXU!C@0nq-DB=t*PG^BdL$C@-ZB~|H|v5QGOcc(9xWb0u!U@cZ6?KOuUJFg>E6N zI+~q7|5^}(3~ zYO0vH#yppU29L$1Iw6+D$?vR^JC7(62nDORlae-u4{f8rDBd6EviTf@>Y8Pm(CnpI zMg5(I(`7UQMZW$}Vh-LWHxW=LK_FFiJt9;mll}mUrU+7jUnNdL5}MsJo)gizUT%Ua zWkcKa34)Ac$(==?R!FS_{=#=Sl;M222wwq_q;aez^}Zqu21xXD-6gC(=U!?%Ob8&X zVcZsTyTIr>Tn{kxg|;C%?q~M_>-{{7h$oGMqpZ)T-Q3S)-lnLX*wD zScwzItLr1*GtQ|*%mT=4J=3c62k5l4zatm-y>WO|a2{e_?P-o~G^1wN2c*h6eB!8f zXCfA{&DHPGzVT4@(a^RSeaIy93FxBRL}3pBj;=XA2gb|fDE{3!6uqmfm7ZjEAEiXc zr?Dw9lc^}x>7ON>Sr;xjZ)UhM(*#{1I!Z-7Qu?OZ#bkpn)oypRn$8AtKmm~hVq6xa zRnglZb41omvyc1EA){mIfB;5kkKjRnlAvhlE{~`~uBj}2JQ2-v8 z+fnDA^9eCKxA-3c)hlsX+*k#dX@^zQ`5@5n6*uwE3cknk|1Cr0{ChtYBXe`}_rsuJ-qPA? zc}!yoD@e{g-Ju0oD#ov$P1?ADQhNfHRzCgO@F8qZ`P&e~XEKH}qL@?OBOS8_NcF+( zw0f#A9|QjL!ofKEPT=W3y!QT8(rIA6%#qbL=d~g)*><4+X_7PL z*ixk>LJ7#U%UeqhBgc}b{I7UR=ouP^Eefw=c{6>Bdt|?L;kUCLn$b!SWi9bO_s;IdclgMGUWw@66G6~adl`|`$ z6udK5sQ7Dx9Z-;gT}9?4f;_It?%0VMjlf<)u_YOP^R?3=CDF9^Sg8 zO%I-=U}L~;l6)2(T)VV#+(m~@-=FIW4GZE&ok-k_8rdO(bzxvD=S?mm`K=VQ3$a;p zr{Faaw!?#uqmvR=p0j`ohUBm!t4ri-bi&}*bgUCiV>@`EAbmE}l+Ens#n4$-B37vI zDsB@Z4E1L0y~~5F0b45u5d>x0y@PJan6)Mvk*% zT?l*}=?0ZguwhLJ$#RVohu8F((|)=BDlZxqY}(5`3z`R^DWETjb>e0)FB;ArSW^;c zJ7uA>!g#FEWyc%1(ZHKxP4O7D<%Hk-1h8h_$s~`W0i|NgOe*y)57a;?XAX?KTcJ4{ zfp{Yi`|*xiZXC4K9-AY>_LTkh@T4>^nxn!Syt(k8q6Ic)@fxWoP;XtZPWbacBWtUe z3!?KYQ3NUvp!P57E^ch?+Vzd7Lj{nU4C{p38a-&I(`l?J zmxp*wptH-cLbK~g#W*zZJXllgg4i3uvyfRkqq49B^? zo$%t9_1KSvX1!uCoYvSJwT$-I2*8u<*c{2o>K%j!<9V?$TYK_K7BqXv7W@1?01FGgGo=r`xiN(R+F6t8dyCvcRHAJuI7+O9Z zfsY=oM%1P4Qcn2XTWRSF|Ajd;TnwM4yR|a&cl4R7E!HtSU-b|@&U{awU67*haR&|0 zLP5{j1S!2=et`9`P>`ZUEkViWH6OO@u{ST8)eE`qzqZy}0G1BV$UxmMgf<2`^O9kCya8LH{?0rdCUb?!79ss%x;)lK$%` hhSds&cdLqqE(!2ns%UlTedi+hXQXGQTS#$=_zNJ|d2s*$ diff --git a/versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP1/Distributed.drawio b/versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP1/Distributed.drawio deleted file mode 100644 index f7c6fe79..00000000 --- a/versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP1/Distributed.drawio +++ /dev/null @@ -1 +0,0 @@ -7V3bcts2EP0aP8pDgPfH2ImbziRTt+m0zVMHpmCJMUUoFG1L/fqC4kUkAEoULwDkRC8WIBIkF2d3z+6C8JV5u9r+kqD18jOZ4+gKGvPtlfn+CtKPY9M/Wc8u7/FtM+9YJOE87wKHji/hf7joNIre53CON40DU0KiNFw3OwMSxzhIG30oSchr87BHEjWvukYLzHV8CVDE9/4dztNl3uvZxqH/Iw4Xy/LKwCh+eUDB0yIhz3FxvStoPu4/+c8rVI5VHL9Zojl5rXWZH67M24SQNP+22t7iKJNtKbb8vLuWX6v7TnCcdjkhWVoPJP5zF3/w/trOvG+vv70+z4rJe0HRMy4fw4noeDePhA5L5YmC/Afn+3N2pzcfcfSC0zBAh67s4dJd1DwuO3+22U/3O3oAgOtt/Qxnkf29R0kapiGJy6vS288vnP9eSK4aHFIhrrOvz6voLkEr+vXmdRmm+Ms6v89XClLat0xXEW0B+nU/QziTgUFb1SRkjYCswqD4HqEHHN1UU3pLIpLQn2ISZ9fYpAl5qvABise7Q6swymD/F07mKEZFd4FxkA2LonAR00ZAJwkn1RO94CTF29aJBBU8qNphssJpsqOHFCfMbLeAVKFywC0x+VpDcNm3rKHX9opOVGjNohr9gBz6pQDPGUACkEPSBif0OWkfHGEayyfzMqlWj2QaI4kUcCK1eJGajkikYASRrrboX/K79Qh+vYe77+Ef8RMBM4+TaECCp4SgYClDoJz0BDJuF6jFCNQ0O8oTGiPI055D4NsPc8+Yo0cAwMy0OJHhOfUDRZMk6ZIsSIyiD4dexnTUZDdHm+W+H3SwHNTE3YXZne5HwfH8Xea1souucZz3NH+v24+OZqZ1xrKHPDpfCY5QGr40naFI9PtT6a2jXe2ANQnjdFMb+T7rOMDAAoxaGdBvOqkzT6Bf8nsQn256LadXd7whz0mAi9MYQFVi6a+zrsCfDsTd4ZhPhKwL0H3DaborEICeU9LE5x50JcyCCG02mZ9rYBEcQ00upCOPWdAGOt4Cp0eOc8ZG4SCDypOdmkE1ADdTpVGlPGFNtTkTUuXQI/yYNTfUvobx4tO+9d50xrKeVhPHlsDBAyiwns5Uzsg5Krt2Dy9fdpUMVMgOuCh4QLZredg2fedhBji5MQT7bObckZJzBNt498OQ7HKm3Wm4jW0zXsbmEWaL6LdlTqWegLdesv1MC+Hp72T8SSgMxxkoN2yhquUYuZubjDP4nImgI6JohtahRmbVYsxqlcBR5pLKkPMtYb4U6uSgh23xmSTQlw9aRz3apJmNT5FGsIeedrA3j1ExzfMC0G6BnZS0gFieloCivcGYDXQN2oBeURu4mLCNtRXqozZwMWEbSy80kJ0ol6ModLv5GbqNgjIuza9B5OYp9zbjs1hJoRub7qVs4tqofWBzwKkp7UUEcmx6TD2hrQrkb0gDJqq/8PUSnk8r1IAKjXoHdWx2XQMVgAKuwerEoXLIhAd8dw3neBum/2R4vva8ovl137SL1vttgfZ9Y1dr3OMkpM+X+eWiNkmfNR8LOGW7NljWPIy2b+3qLXa8TurVllE/Hca4HVWw4fv5SS/7hmZc2KyxYzNoailNCkYymJHY2HhqNb/kDAS3MgFUpFBdDgL+IDkI2DUHAfXKQcCLyUFwpWMABSuZJHu3i8lCcMVjHaR3Mg8hbY3mzxLyVCVkv3Miwp0MZ9omIg4UtuSsX2vkVsxfB/goVXXnAxGRxeMuImHBEzZDoCxybXKZDdRPV/rj3pSUsuBKz9Jxb15GmoKiTD/g84mKywn9gK9f5GfysbRy0zJF5FcuwD8Z+Zn22GZo2PzwkbmmkV/1opk+oYt5PGzWKPCzWFOrgfD4qPln/fnC4z4AtAv7LNEKddYB/Zilh6PpmNOOrGsKU1H9AVg+g6neBQhQJR0lMXhLVIGIN4QCVhuXwr9TKqTvIm2fzKdYGr6f1vqiZKXxdkPhT6h7f822Or/VZnXU7IEqa9sN/Hjsy9tTKxmfHvoJlrPB4koCi8nSf8Pyr53Dx5WLHZ75o3V4nacX6ewFT9ch0chWM6badQSW2pVpqUvd11DXpGbj7dELwS3qw754LjspafPhnobJeMC9YK88Jeko8Uo1j+Oe5XL0UzGna0RTsu7JKwSA8WU+u8fKxLs4OKauxrd1lk/zEElvFtpmv7k7OdCe0Hjm4WNLtc8Onwiu7POMzn2WW9DGTHM1U19Q6QCmVDMtWgS0D9mv12WmcfZwiiHS50+bWjOCtNglU1WgVRMWFMXpk70U4vBxOi8spERYM2hoJy1tV64McMqSVqFwhQ/ZvNfhsww6FuNN/RahlHekcxKUyxSrz4G6auOFqtGtejEtKZS31o0tfPVlhTPTsBlEWdkrTwda6HQyX+fuZMc/QQHa9hvltrLzGmc0t7IbbQM6vjKSJd6Uswb2VU31rMG9JELP5l3U83lXSYJSiRmdPPdosablaKDb1VTyywfdPgH0uZaSf5rjhpJbBi3HTvLhaNNOqglF2bWxUs2keGNnTk7Vvs7ti9+02dfZZsEld19noUQhJ1EVlvSsFZ+MBTwZ0gqfu2AmdVIqPM4aaGQHTc7RV1tHXu45ENoMvxRuZjJZRNo+c5KWew4SHrcBgHLRqdkEY0TtFhSRhMf5KrUb8gost1bYY3WK1NnJNxdUNT181nuaEvi4hhf4ULn1UJvTOrcG3r++PYoy+BehDNLy4sO0wWTLtOq1QZMdPUdELOjKnZUittxtUpkVgr2sEKjZoNKSyTBDnSd1aEDUK43DRheGb9cBcvL4MhvZdrx7/PjBWZ+jIq9ZBmo4E7KlkqHgNUH+2tGpF1rVcw4otfwoliX//6mUqH/FJdzuZKI3cxlT/btycqX5EMGmlhdKNaESrtl5lod67l5GnjPC7P+QZIuaFjx+xkRmmw8ML8Jss2km9Ua73GjuMhIgvWz7iMor2q7uCEDHXzbB/vMJg90zcrzFWWIB6OHjVUwpHDqlw/SUf39Kx1QYYMtr6oN/qDoI7ctPFJm4zpnhiUycrdrECZLOGubZ9FO0Mu/3hnxD18SwWtdwZNe+KdatjVws8UTAtaQCF7414JYb2p0mNbZK5Ir23dMXuRy38UT/JmAk5NJmQrLtlw6uLUHr5Wcyx9kR/wM= \ No newline at end of file diff --git a/versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP1/Distributed.png b/versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP1/Distributed.png deleted file mode 100644 index d96ca216b2fe23de6ecacca6544f5b0d0ef86778..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 31547 zcmeFa2UOGBwmu4oieN#JBHacSS_nx%>AfQ$y$PWO0--mlBB&IxBhpj^l#ZYjX;OlU zfYLz(2~FuC0s#WN^$YHEJZGOX?!E8bcmLym$9C+YkgUGunrqJa&2Q}+7j)J3F>*4} z(9rDDP**mfp`pjq(9jk#>;j(@we_#k(Cq%|qhjjg7T}1%I?$YiD{cRDQe4a#=k0S6 zu6$Bl+~40{#NNx+Uj%~#zk#pZaP}BSjD!95*WzO0V!~oDVHoTp41N->0G9-RiNQrs z;^OAp40RS_a$ps7=)FxW}BBKS!gS&)7R{}p{F|H2aA2kQGD-NpS?QZJ<{!w!F!nt95 z-9R;zl!%xJTuK5Vf|B~<8&Kt+KR2{>wDrRL)(tdI2OnFf?Kzq|iYwW=I_WwE*(>_$ z8V0&~;xxAB=I7w$jlsEZ7lVn5AVgr>U-$%iIBb7v@8E|)gFeMi!d1Wu+hc5k?qj@ymG zjXmtq2ydjy1u>YTyS}=H$pvLIg!ly?mkT}@b-i@p>V7DgrmCW%i;AD%Kx@altf&%Kk>PGe+QW~zRZYl_GEh%SR2|c)q zj~n~~`lPs`zN52)zqX=|i=%>*D?;g_fr)|ysN||DW$WZ&ucE7Ds%)Z$aWcb6Xt~sQ!@ocgp`2_T+B2;OT$w|(LMm_6(EJcs2G`I zv1WR%L0V8>pkZh803Q{1aVd;G+!TCdBo(0NYKzql0z#ySfhjBaIEiV%UExm3CiXh2 zDvkjtCvz|+gr-T5x}T%3qPM-hBw7=c)iP6ZRMB%Z(Q`Bx_w$!Pt3$#NsOad5L92PV zp_~zh4j45_arGeZvA=tehk_&0&f5f3L}&oXQq))S(DMmWk~>QCvi6;9ajVM3nt2LeoE&0>Tcd(R}?RJ zz!eldkU>gVe=mJCZv`i9e|x7O4YZ*a%)=F~V&HAAfW_#djFHM3rYfptzFrs2;R+2XKfEJjE9P{ zEdp-jpx|cWYhtMFYh)CN!}+N=1}W$nX@CRn>@TijfHd=xz^IrgAPsO%hOQW8Z(AcX z37iTTs6AFM&cp;wloh4w~lXW@hU4M&j!3=7AW0e+d;kgbo6%rlO;XgaVj}k``P; zMO6~(s9}N*K%-O?{ro&|N=_)Wx|^ASii)N=&?1U@V&{err(ma2=CnSs9| zRtg*$RY?VJWdzz6p`eFyanUtFJ4m7({0&@;%u%*xYCvld;J*1lc1#o33!e9nINVI*BuTvnXWd|u@(;z)%Wu%`e7VRtMY^Z34 z^2VTbO~jS718x00T~PME%1Ao{RS8{FaRUhnaXmdyMHg#mrvo?fKsv*4$Uxm7Pai+5 zpNp*o9PNp43{n#Jzi5gygQLBJOpqFIW6-U(x}7ps3JINECr>?$DbB?Nu5O|Z^90{{ zcn3)+2RN$e`0MB>J9ryQ1}Y%kOpSfDz1_@%)R3y$3c3>BfoM-~vnXD$ceHcV^a;|} zvzIWC1h<%~p=5xcDa^sn6s~S4W^dL;q`CCLWvdJ>74YL9_X_or z0l)vc$>Ay$i<+f0H2gFg$_f_)tY^ROxpz|K{sK{cIrGTQi`?{_H_wTMKP8-+x@L4H zW;gokbk0Z*wXU?l3m_j|AB4ZA>|AD`W}|@ZfchO>?%ELy3Y)| zRs5@iZi~*vC*NMNnGAN4{qeEZ5Q)UPjS{#0*Kg85-^&-&{oEjV9liPj{23(XNQG65 zKZs>1m;^ zeIU=T5RNL?qt1OL{8o6`(u7-$qC>qH=!Axjhy5|Ehe+=kNd1kW^x(I6S1#e3D*SqN zUxG-;;i{=`Sg5-Qb9(2v?mMRoSfKW3BIs#{$_4m68R!)0hI*3ARvGW_X@J^e@UaZX zn>MpFjvs}7qR052(hX558kr zcs*3riYh!O$py{wF&pUlm3_>#^8frI@>jt8eq<&_^Y{B3rB zp<2qK#^^$QT4SREb<+3uEUX!u)t3+E?2OJYb1kfXU12li(Xg)}gLmn4G;RRg*IF8a$2@-psKE!y{FsQ!fgms zJ#975sKyuKgk+IoH>6ME1ePLVc!^vA=ZS9-u^L!#;HVZ>5 zH7M!%z;-Rp820580{a!IGN2vaTlV1)e%x62*2^L5mCD{I_L_w#+w4?7M$y3cTJ`6L zh&LBfCZ(N*0_RKGWk;?bzsYbmuc-dx25BE^kXcu9vu>jdb^A3 zYFYKH+sL=b1N#d@W?hrHqRAG8ik(8b;y6vQ;ke+mgD7JF1i*qA2NS=q>)9B+lA7Zz9~_)F^fCE!os4IFix|5-dqlW zOb zAMG;7K69(xSZ?(s%93BUh%n7x9$tTRc}Q++wSDAy#!W^!%E*BRXw{20*QQbFX_6BU z(T|FaZ9eSt(YtI;s^<-3 zdJPT%LNAWTqmH&UER5X1$1A(^LJtw2Pj(K#T3UI$-DwNPu-C-O*NAlRBl)5!Www7N z-B3>kfh}%gYeh6RzeRtv)qC93M?|5C7-T3_*D`;T|LkcrJ?Ws_hRA>>=aT`Qu>X5EehSnImcuvpPg{zHLI zoitjQxF$4uhY+%cpeB<3^O+z*@21Z1iH|k35BDwNQ8h4Z&FVyJ*xJu*IUd=cPYy&u zdSgc`0r!~@-x$Si{rty=zU{l=A;YsOeN=_mm1CcjBJM4*C0|$>x{Nc$RWH?-q%Gx5 z>?!IiUt4Vt;|(Ro+FX6rYyD_y9~Dv-K5C2(tyGlY{TTR(9B0_C)alxyv+ISvpi(oR`n$8#HNDd@h-eOHRCE zICLE`e1I*ib1C9L@MDZe{+qeV5uhF%NXq8HAEl9>2(jyCPN}Q}8+;tPIr(az&-w3< zBkRpw^Sh-(dBbWbO!c}oyK*=i^LZ({M5bF7qs5M zxA`f!3WlsF*jxx3JI>e7(WocgDENw(cwJ3GFFs@;k`F5@du0CZsL9pFiJpy>VLofp zqh5*OCa(0pnA)!Ru%oh}ipPf%n{AB4mP^vzYE(}Q`8OvR;A`plYDI;H4m7VXNVb&# zb?348UJ$iHAPOQ01esMl7jBSJPo7A|?JpY&awQ>7m254J`@Add;2 z@de-0ZJSByaqo8fw|})iPQSLMTAjjwn^~Rx`zRQTl*|_Q4XQbGAi^32jhj#9gAi3W zfpL>nWkQy@Z^)ZP$QGdH(p!3%KU2S&*%|bOWAvcMI)T7Q{on)BPhxyfpvtjhw*)?w zE#Wu3&4;8IspGbxtH#EG#jB0E*H0bQGp3)j@j+`Jr4B_b(uJ5q11{t{b_`k(AEn2M z+XMFeW57GteyUbi@g6+rEchuKYWU5dw*=MP3ZoC|1%p`FJS+&O+NaK{Ej?}4&e+Ts7Tkv|X;qa>Hl$93 z`MJeoQC!z_8=c9#%B75WB;%mm<@ZPu)l~bQD?gvcG41;FA^Wz8cbZNDZ*Wg?7wr++ zp5(aW8Pxd!MJ|v2XpsI(y)iH?s9JH{8)1H^7QUn!xLxEzElqs!n)kcC+nqiH=JC0v zaCs@(9t$bgW7{U~t!X{dba+)h)R?^yhLy!+&h^?1M4Cuv^-@5??45)l?*Nx(mhLl^6p)1Fn8G2mb9 zyt%K?&pIhNJgf7 zjwSVocY5cMRRd7#lzVK6H`IpgxsU9OI1DsM%$*I`*n8RC68JGMd6^b7mpJ86iHl3k z&tO?NA>fe)u;IaV=hF(&5=JJjx`cM!yh@2KkQ*0H)EE&Z2r(bD~s;rNG^`=2{W zX~o}umk^z^`A`D?GhXF*(I;i8rrpQoX4Q!y!HM>gdYm>cgit*u$CFs6gQt9)pI7N1Mm84|i)yLG7jKZ`z(QEjp2Th%y zrVt`;r~5q%cttuBBC&cJ+Lo&KlH!bXr|I&_4xd~{zq=c<-#PC6czDo*k}i%L6zAtt z2^whaVN(e@CY^hR!D3+J4*#|%f8IFScvuDZg?6t8oX2nT?K9edVd8#p#j0LFa; zfNJQ#Z9;cj?$6I-*`?*$(u)G4?@lp1V<;LjxHpq1LbU$`F68|Q(sPCIC1U}tLEJsh*D(Y)9{qOX`^EwVWkDhtIebw- z7>JR_Ohpe*lcOqPuaPEPWo)L&O-y+n^1)1zOi{;iinsPg%3lEzL96kN+0|*9Om{Vv zw?4UWDL8-Bzmj98$bK7I<;bJXajdFk)~9-iOy2AVCR=-hYI=yV?4~2(WVT)GjA}zy z`H$=ZL8TrGx;u48d)j)4I~mT)Tt(STubMZ{`@k42xohaI?^622aW>Aq`a<3)`-BK@ z+jcMPqDA$zMB%+6hi_KxQ4rrtw+Dy_{fP*rywvDA5QA9jb!C4+Y| z?~4YJCyuW{PfVLdKUztrZ1*B+eJN@O!Ggo`6n7xY6?+c)L*SI`QK!3RdfuX$oqy&h z^H6a9q$^KtXVWPUPckDv=UxSLo>=9QV)0Fzhi?KTw|lXvs$<;USSD6}L2^-m{=FE( z2_Q3vZqe^A_IrI(RKD-W(W+JR_TF=$*|GZH2n($85*%0XrnWxQQFc7FV*W&rU%doG zu)l8-@|P;i{-HiFX~hZAiYW}^rh&sXVf)~oDFvtqmM7H z|K7vYbS~6(jxh487b4wRZsy_oZ;B)Dl9^95@ZaJGnnV7OWaB{pxf&YV>}w0#Tbe4O z8WG!ILi70&11CD_b3S{FFQtC4sUdK?7s5_sN&cFsw^8-CQAgFI6+l37=|T7jkL#~W ze1mE0bq|beZ|QlfI6C%gg)~p!GE3kYGc5i$3QoxX4~OhOuW=(+3&JU-EeC#6%Na0% zQB&+a5z$f*8Was)ZL!%8g+?Zq$lulEI3eHGqkfOz^>QBHF8vV@KdI;okYev1r;L5n znjYk=Hkb~6Xf}0@OqrD9gCb`8xOB&dT|Xu;Dmz5p`4vp73(7qnV%26i6{0c~qU54l z9;SPLYRJ>7U{b;Sg|Dpkd0!rnEotpLVK(N#(se+59*|R@qT>&F4DJxysvIxsyV$;a8ySj{gYoD&wSFa3l zA^R>xLeA>7rCuAkk1O??8}nguRUi`JhBtG#Z&dHu%)?HYTnGcc@zvg{354wzx3Yau z477Zy$09i_wzmmab>=L=Eb&WJ5bwoo;v0%x>jp6)Y;SS#QWmQEG!(kC$!eQ4KTw?H z`}4EfwcNs*bB$aPvt`4w+#pUlvQ!urQaS8rET z&c#0+@6JlA2;;S6H(&i>eR6p^#yQUDfnI(To7_P8_yY^1PI0!}#*Y!!!T=RgmTZk} zf?mEf;a~y-h)aqlqb!r%D>3CiJG2^r)6UB#Y~EG%d27m~ma|QAG;TsCG}vwi^5&=W z%dE*i^uh)t+J`6;DAZ)=lwta#GT8E%pq$i9#bla}5+T-xVkb%d7MYx&VeQ*(q;q_v zo=Ft@2wiMeG+(oh>{SMPeN5yNhgSaNeXy{XQt<+PAYjI|U-DbH2UzVW6o_Ezu#jsv zr)wRjq>(wh@~?sL`6v{F-D6_usZz4bE@QQ{Q`dEq+yq5dionjGT!jmg6nw)*<5AH- zl0T2khizTXKz^6ZXZ$pPD=kR$#Kh_EV7SM2DP2fd)?7MYI&%mI&Oq2u=_1_xmCu%t zaA8-_#AZ^^+~yffSd;{QAUP@RNyS0DV2OMANVH=p@y7$OMyG=bEa}dhD`>v;zJ>dR z!I_u`P0>cdK_@o{11D2QY!6&ECE+*nO4=S_I2yy=jNUw755*ft2~vV-0e0ozpT3(rKMG3)U$8B@-Uo##Ee5dp%u+5#OdHBITAae)(Kpeg`xHO>btDkFH z)*yfi9(fWB6FsY&@O_UfZ7N~N@8!2y#Kx5KDb7}+qnk?MRr-4v?y+2|zF*RIDo!fLY&9`EqVL4?cP@J!`eUJ(R5moQrk|JTEu`6XoQqCX^d| z@o{|FaeT!oo2MKo>V2g2Ey~1jIw@sR!e($QQ#9no>N`gY*#R5c6y5i8>#OZG9>)UF zv=R`0Lv8V<^Jc($ZY*L$4)!c@rz>(_%r2g@+i1?NvfHsNGasne+4TrST(@MMWg15z z{J~@DMK)5T{qhj$ksvI)R(A24MEAIT=L!(Pggxe~8hhJqk2BsX zJ2)b_FXA9DDvm!slJfMv;9R=Hofr4{l5(eqPMKT3SOO3P1@Yv5`kawnZNYV*MOVAb zonLU-V&$7q6rjO+AKXsgQ%A+=2)zPV|bA>F%8YNWSzb4h!LWY5y$CFa^4qM>o(yewgUK-eZm??O?}wp$d3*xXft>aJ_~PNM&6OPqotm}Aq0kZ8Ix0W(oSy!}o}!@-W|PVtA6Qn}rOeE{ z3XDVT3koi0I0t6-z*oR7R+gPvECh3|vHg574^>aj9I?O_tB|Vgh@Bu9tA@7s&5~Q4yT851K`To)HZ4&!;yF+ zg&d+yeE*2-`I_ALQTP08mjstxUcmlgm~kn+N~Bq@cV4rC@7iKwZPjYzVW2FmNctn> zFU91~@B1D zqMElRP_;(_26J)?&OBnD#bgQ>!s>$eOB{8O}7&sTiVAJyfRID z!PL7->}C8NggDVw@0AI@rnsxcQiu%`GJ(aKc)pR47$-+cYR7KcSyT3BlG!N)8^Yz! zvDRI|d%^$$)^I>hx-mf!U;ANY;hJ0(#c-^tl0ApX7wssa#U{0D-8wRD1*E=@ zoTa=E0BpAlN69!;?8z->Oqp?#d$Y=0O+GRHxH4hicQU|G4v(X1i1Cg*A79B5JUQjS z^-^w(w>$>6e%EhXZ|H)KTX*8zBenGACy=&}8}KC|vv#W^v3OGx@!J7B=3KUR0VNFt z{~Jx&ZG?H6MRdY^kav>lgoNXg8&g~I6Ll`a+0Oy}R6T6hFb(Dd{6*Csz+ zrF}VP#-kUSH%20KaI}zIL;NW3E>h^$^}`7M?mA%#o2Sr?wKI}17%WQea@8NX03Tjt zO*XPGlMj9XfM(mzbJ06jApfZ0%+tBB72|eaC)fAgcgt$*?*w)MtNHBRlXECl?}^Po z3Dj)Kb0;_3FT_Brq9s1Wx%guJaaHMd$f4l7oxeJLR|2ov-Fd#fGA(a(`n@08KKRY; zYp+cdh6Z9hrRg%5iiT9nT)ne^?My)$mn4jD240l*7CU>QgSi=q7?AGkV+`mbXN+h+LenS5>g z;1)?OwI?tE;dA!Ve|Z;wxuyRn-O|y~QClxBud(M$>>_((*+qF*DcjjEu*KCB$=dL; z_*+49D=`bk?IG_40;jbElGOGAFJ9b?5SkHJVsscceLd)PPN}$Ob+`8sqm5JlwHVh& z|D9vmR-p^O1;XNCN1E+2iay2YCmg;`DMdH@6{q?uIQc&ioUA9410JTN9Ok+Ec8ngt z-Sv%)R|mso_-+Kv`CWN2=|1W7soPV@_&*b)KAy3c`CIhuj_-GAmIkx2%l;x=m@w~_ zkCniqo3_?n^HAwB;(PgyJ8S22CzmI?KrR!){sqC+{&=2bpyir4T^C$MKa$4RT!}}NHj_0{CcbhXwu?{YeH9(D|ok>N~Y)x7YmwOABqh zE7#Sek8y`lh^f`GB6}lF)p7Yw(L{IwtIDe3juPEwAqYDHD+=;3~efJqK6Xr&LsF=%c~4kfF@XeE3^bD!boX zFS}Fps)sJ|ao&i(%gmt>zJxr)C3tj!pISj^4}BiUw>5JLCs!YW$}d~9O5A;65FYaU zL#gNI`yfr?j1G6=*VEL}sb|zh@R>C6utbbghdEtU5vjhw$RaLQK8I%gLeAmlqqjus zf?81a^z^1`gK{N|%tdUEVUDS^gcZ$jc0cRB%SNBHvovX!pPcE$tC*Ytv0@2NOTTPt zY5yGl3XVjO31XR*s^Pk4p}vjjjjy3^bFo{!0GD4!qi28WA*l4=iz{PxmW-b`yp#L{ z@=w+=ofn-kf7MjZ@QktOK&GZAH{B{&_+TYf`EcLH4R|gMtt(jbo+JFBh4cZolTpNh2Q;EHRYk7dY@^3+ovD+( zcc#gcVGMYbi~EkyQkO7~?ym*^Yr#`BwDt&@m!9GVd9c(ZX8>wAJ+!{i%zGKzhpXMF ze{zkNa~b4szVPUdi_}8AAShl2Dk6?o;Qnb}Q#^V*+CG99;sQMbKP74QECa%CwI}K z9q&s$^mXY2GUiTv)-GWIvaS0pBKEm<_5 z4rssv6wR~whliF5{G&jyYmji~+(DK^sI~{B&aP=VeQ>19L&1aSOhoEJ2!neXGZ*V8 z7IRqvzUwwszEHr>I6Nl}(vc7NgJkZHC-bWoKa50kxqGaZ_DRr*SiQJV(2z`n>#BB0 zSv3cWNNDMXRSC_?4R5CdiH~w0xfYs%VYT*;4xB$OwqAA~1R75Wm-}QXS1_y5Rq6ZR z!)CdN)CIxyXxT3mL)8QiB*w%((ke6t)n2_At$%akk81F8pBI`HY@(pr${ox^|4x8( zv%joEbe)05oz#%o6Ejii3UryV_j38N?jA7i###ZEEym2rc{Yo4r^|hEv@1AvL%rUz z&*}qdY!*%iZ=)_!tKVqI?6@-V^6%4zs?UI3fD*ucHon?vP3}xAFgnxQ=}$ZKd_|_= zW1$w<1rdix*BAQGE|f%T#dm*1^a_D|j8m7leRTt8iLi!0NGrpQNiaHw=Sqv6dF`mG;0;03WS-BIy|RvMmH{Rar9Fy12N+3~=a&b7dSH*_@Z4 zEK(p|#V)3RFE&-Ji34hN1^`6PPT&g-q)UmXp);o&T6Rj~V97awi#pzjgzpXQcp3*t zAD!THb{r|Q<6zO@OV#5)Mz7hV(KsCs4}TC|wvmK?c;RH=S?;4qPISjDsCWxQz?byu z*2FvivVBgp;{CCFkE?yoaT-eEfC2J}!@|9S{FUJ%9Ua4A=5L##2ad>57U`jpmeNYqsPqe)>J@aFjDmu<6TpmU{x3&13*dVGG4hSvsT6JGGwb9zo?^Lng zWaf&8Vbt+}d&7yAz?<%5ILrbXPT>6C&~T*(FTfq5T?;A%q}M(tus!;`V0-iYT)9UR ztI1VET`33hTcw*t%Pna%I{=BvX=l}}=+MNM{`%2+OWr8)F9cmXL9{t*h%|0APy@OMCi4u(Hg`AbbV@wMUV~gfO{{ zpPk9Mmp>S$9g-#9(7TH0wS-eZ>ia%i@F-WqeCW!XA|jsanrQF{lP#1~T4K{Tyi&6g z1>wabGbQcro9hq(MRxIa!c~Y@Ls{#s-H!`wv8adGBgO#mU3hXJsAfOl5g0>g=N;2T^)lc5!V!Yk8q(At^CZqXNNbJ%Nii8vJGHcML;*bHs)z6^kvos z45`Fzx%V~e(yoMq^ICN=j?lb8Iz-Z^EQ;g%8Th}c0GU$+GWSyLbPBv(8qOU!cH7p@ z?if`I0|+@7K&|k4LQ`zAYENdOH7BI17jjIhb5^g99aQ5!n6_|L@M`1%S;?95(VMNX zVF18FV7*u;pcdpD0OX00J6a-pT=R-msoH)TV51X#0mqA1Cz7x2I3O)n1t3M-Bdi|a zCN&g>F6B;OUIOH_a1~cPvJ9{gsYa;~faWqr7LY!iE!@jTuG{@6t1m0rozt2aV zFG-)#Y2~Xw?vX9HhD^L!A$E#s$WnL1G{|7cqJ0g)Qd=7UCf>U~TV_KZ=&k9YtXSZx zU#-p)-xpBXCE-ni4Fnb&;*AnOZpwPk8rB1HCKA)tyXiplvEBO>AUoP+_+^yvu4*P;T}8#BjURWXeQJLdXnyWVakyfppj+ zIlV9L^7@zIAqj?6DEs-@PSyVO%)%#Q0YeiO9S=+ygg{0^OYRMQN_p7kHITj#_zIe? zSZ&>@b???JpnhJWG)J(2a08K;TsZYg!qT=Vlh**v#ciS%qDA4-m}B`2Fqau99=F57V+GTM*yiU-#L?CT)do zu1;Rtv0suucq!M$O_nhbbco;!sRBf{NAr8X06NtpK%!uA5KQqd4l2czC3+9O9a#N6l0L<=ka!EVP0>58ApS-_r#6jANW47&P}3|3B$YD(uFR!d8e@y0N%y~xi971 z%Aj|0b`u1=XPL3J^Z29^(RYc%qlo78*YU+ZAmMVssK*h+fMe12+cjN;kAC&luuf%4NrW=|(%p?Qw9tSAQccL|itXb!!cc zHE$AZTK?)kynDmw19`X%5Mi?Ru+@gmOyw53Z=P|WNREvH;+oVJ__3`}(wNe6kJz%1 z&4u>NAyUXDr*R-xW@7XKv1JS72z;3+yoj&W4J5UqP&PmLxV+EL6e*DowkYkFvTvLI zxN+)aLO2sE9~gCA6;+t-0=526!nDeGrz&R@@J`haf@$dc3LO+I9*n zO(z?}ISG-5fl1W=CD?m9l63GL@ZiV4f9BBo4Co^&Hvk7l-n{M$AO^#pFfJNPy7dDR zNj^t2Fr@Bn*UFr_>dDLjQk#)619!X^l83=zs9Ga{ec-U7S~u9A=7FD*h8VN=aV3P8 zK^$CYAg|>vCl~rui}3;`ttrl}^nnap?OW(_?q&m4ntU47N;9>t{+KeG?=b+T7yuEB zX=pLq8>rdKGuP}Pg;yh4g;qku=;Z&+291UGFT{|7;+dKCaqi;$H zfanrJrx?l>fD)>vdiBrH6sl!DyAcVvEw%`cnd0W?jpZ+*(hGGvj?U?T3$-_r(|*RJ zfqvB=@RsUSe_6I|RLl0)5_pEyfI7*7jagiFKwasv_=9TuQ9}V4YlwS$>!$TJ-0T9u z^{}rnyu5uVnAF-DaW=oS12haQM@Nzt<2J9d^5nPKrFdY&Z~Q)V!Y1WqVzp2Tl!G#K zdEO{NjY?XLSlwxC>DjbEV6T--37klhz@K6R1AH7wH?+nDG<3`-$WDhrB=5%}V#6$G z*Zfz;)^ZileB`5k)nk3} zTfIvK8%edAFWPiz=q(vMwoqY@R&(!(JfOX+OcTM&_)EeYhZxna$3qt^t#8EY@?;Jjj5tj`qjE}H}Jr{v{-30Ri16(NhE&a=F&+p|2hxhM)+na5LmBY?V3%tNA;~g_5E~R_p03XgC z8Yw2u;XYG5?5OPa0fdx(ZiKiP9m7Z9k=i^nOh_+11+)qco%psE5ch3JoM(~(3F{2} z{KDUsqO1mP69EC*jJiDgz6lC{2!K{DZu@j=e+74-7syMe>hWo&H>Jm+*5YA5IKkAk z)?v_d29HmIJ;?$}Q{!I`8{)P-FySSSQ$6+nu=u~3Wy_trzpF#)O=Tp?Psb0;zWiN% zgkALL!Dy+xELV5MU)9ETgFs z_K(i_FBSIpVT&aId#O-*p@jq)9slgh|Ec)DnPuWh!OKt};+OuVS{b?4^7Qf`ifq2G z$mYdoNErBUZEw*7BN3po$lE86WnrzpVAlt5*2Ip3Vc*u3`4#(Mcn3u@Fmdm@_Sw{k z{%M{O4pf5z5&kF9QbKFLyG_+77}`S7nU0%KXhZ`4%oQkeq1k4tVEtqK%eb`laNF5&*7Fo75{g$)Y4rxmQ=)UZ$D&RRkxZ{hciHu`-<~Ytw9DP4D$TjTO^cg z2{bQpTZaokXJX$ypiwSCD&kmb5apT5kpn=oZUNZ=*4^C~Ts6Tqf1YOx^)h#*`Lk%@ zAKp4n-Omm>Yn#4I9;h`C3F-w$%xoZmDp3RQ88M(!_2F2X71g%+pWQu(4OrCJB6ng4G0 z`EtuML$XJ~!zTCPo(Hc(qdNDzyRc`vt;JZz>2A7TMLjjAC4UjkT2?yWvC`fW#heBH zFX!C*eQbeYcPMU%zr2|WoJ^h z37=AnST+$$4q)g@FRr4|Xb=Lk8zV`1hSKI%zWl(nggt2^P+%lu(IlKvi9L)Xz48(e zq0@&h!rjKy^OryEWYK;9{y&sFN8SvqV6N}#>blqMdy%g<$0Ls*^3^O~Hi9QL+&5IK z#1tZNVdguCdBOSM%sAM*J|tM+M7_HU@+o(bF5Cu+jSO4b-XuRf`Z@&cRr`(7IE&zqIXrM5U;I)-v13!J-bP_erc`^YS zZ?Hy-$W4cFSJvJ$fTMbKET6IYjELxrVieq-W18|HY5dM9s8O4NH$Ku(@0lU}iTRB; zrp>6z+V!klZuv}S2dl(NK+mc$Tx%{}>%2u%Nsd!)c~6@(>_HN3Zhdh~3)5xCwQ{4xj%B@dBIp&!4+>ztG4sS0dnd?N+o{64L_Qyy|CZZmGjv)A!D`LB%t<-<-Qi zEiS##`0!Sh(THi&c$C$1kLbPV)M4?GF_d*?YCgfNyTr&6*JeyQDMI%EQf(OO2q9{;gop%E&eM4D94QIq4Mk0IU%y)U?8e`A=j&E)? z#%+x%`~W^$oT~fKentd@@Rsfbz4i??EHs>wgo-D6%}hyBi!au(pcNOlcirzv{Somv z-_VwicZLJ*`@N2FGHN&Wtd_E9O)O_HrCwqAkRW+&30Wz4Cpb~(vRP4DVkDg#^g70M z_9F{A=}6HT?%eXKA}2O&!jGO+oht3(hCIMhwAuSIV+SN_uQVgeR?VeY*g*yWh%@eh zb_MdywWj((@oL={qtxObigQOzq2eEQ=*8`MZ?P>uQH)OS#HgDWI%+h~eLyb6KD4Xfr0}P4%BCcm>ysb8xJKj?Q9znwi**Y>P=0 zQM_q?2_#*xcQ^OjQ>AO)(1h!_wk7>j$PC+`N1bzuiRcR_P<-iJ=1pqx)6E4p(bVDx zqyb`pGm`uxsnqNjOcgLjYNlq?HNKnlCQ#^%eI4$zPxWioXj?)HW})iaf9h9H&LF}Q z-W}Ssp&B|@DSgGr$}H(ZyYZp}!5m1*pm=)b!$Ws{C@Zi&uXym^lx*29A$=>R*gh0wz%c6+B4+oV+A6O*t7n z^jb|lL>~M34C3!qtyItNQ{(ZyNN%y&JOl-$pG-dE6|)JQ13~(Qr1oF|2+erWki=K! z{P}4S0Cb^<^m9w5C25pvau9e8tfT?3QqmThdOWHDFlmn65zVETHnA#j z*)rouJQ3FonVA7iXI#H$%A~>9drKPO4cH~!1yAr{00xe8C>&5HJH_FR~jy^iX=wpfCxp zQ4g?Cqzq9RZ_l=r*z80k3!QMN!#zUhj^!u6k0)q715MlQ9v4SE!-y>^f|VkYiJ>Qp`txRq%pgm zumruFWs_x402U|<_PU<&>~kbO%jQ#p)Wk#l8D!Ib5MRc>c#sY~$TkCjj**Dnyv{uz ztuN1>9N^DLBTY#m@ipsT=cA#Qn{+gqUM)cZ63U!^Ez4G+B9rqNhvtz46+nL zaIOkUkL=OOn1Uq)YLoQq`T}Bb_|f>f+iJZ1!AW7kjAugQrsLpk3=qYRr2m0Rx!c;P z-C`eFZS#+Y-iT}6y4hMpp69|)E5BNc<{CKX{{UYT{h&LX_xLKzG4DE-^;WEPufP zd?eZZ`d9CEnN~y|pnHyh$Aq{~&p!}sng&l_B`0f{VlwY5bJ=&12B+Qc1>Ib|G5rIa z9Z$)nE<+Vf)w6O9B5h~pil#f({BfjiFMG>h?GzT%Yn9#C;^Jur{TG2g`7+EV@LELJ);In*yY>6@qcL zcnQtZ?%?<P$2^TjJ@bWEPuG)K}AJ!Fyq0;4!&|T1rdpRfrw8xEjJOr}U zDg44|E`2hGEx%H|@Z(E0-S)%;1INlN`;#CmP>gh}w3 zld_**b?Tmv0~ zw0X>zE^vO6JeoXVKrywakkORd$O7*l^Bh{MZ7?v`$HM{nAXjAs0FfW^1{brN<#feD zzP^%%P2{KPou4gTczYnU2qWDrcs?_}-++rmY1Hze(F4Zt-+sP2Kj2p0{a1!;zH`N6Hcq^aJDy?b) z*;|)`?+79BcBDz3`2aQQ^NHYTvAKzqzE3fHH>7_&yIT*D+k)>wdcvIq`$%py!NxTu z=;O0L5%hxXu(86gA4*#$?svR| zvDNAcZT=iTe~22jJU?bP+r7wxPMeaF9S{5#u^Z`%2;Kd7ETJb9KEs($*#AZ(KWqhQ zBdms3*?#Io87*Y=zHUbWFDL1 zAFQ=uLdYya;&8KIn@A0rFtODnSm%hsLr*G7Z1L9a77Bg42~e^DiF)Y0#EIBtw31K_ z8IS*{ug23IECCPgHKLpi*0OP;=w{8n{!$<%xaso*hP29|7^N~N3tC(l>035^F(DEIaT{KfCF#WL6|!+o^L5G%oo1dIDhOic$qCJwPtmZ#VW&! z(vtd$0%d}MFh8&D+bcWIBx=h{c9U)hru7A1lnQP1UDm78PY9DZx}pY`BUvRI4O$lJ zx3BzDnBq}y>jt1JY89TDOMgRMgR0($f)pK)FvRjm^p;|x=MW;+JM{Cq(hFu4ZedZDJk5mQ=|TF;3=^G zUegXT$Ea2*aOhgcMt{=M0UI}!12WY`XRXeq0cT>cqh_Y%@8OGA_tT9mmoYyWA6=II z*RD_EP~zX3{ckmPJ4u=UC12?=?19Y=uwxmpLu_Z!|A zr`!PJB`j<206^r$;g^ggjXeWx+l3xBcIK0k1Cs2nnE^MshQnTM_shjsF|PM_{geA` z>O&KgKc2hu^hZ zC8`zWoIT6(53b+B2Gtpbys)K8c&Ab851@T=e%C(ddD?$#>$z`j4p38Y<7Ng>Fzxq( zkeY&mEM4Z3udMwYD|4h$L0p#g_qZ%3&g=$DZwUx1tDNfv-b&Edj@9X@0ML@-?=5Me zwN0z2BZ}(m?H_rk_onL`_0cKg)#4b7fkgbnzn?yx$nfHGzGusi=(|K<_4CuB)r;0A+LkUXY$-E}x zCClkeX%}R5tN%s8HYIsQ5Hig+&E;F+3JmO({W2A*blKW`)Ue(BrTFMCcw?%QWF>M{ z3<3U3NzS#Cj3wt-_5*UKV{vQGV z-{4DufPV=B{@;P7{VUY){|K7)ufex}hZ#OdnfWcD=08qj07yDvJF!Ej4j}2Ar*<3% z34v5?y+qcCh4RAr`5}=7P`V*1c(vxwsNn-v2)^#6`7=-pQUKJb=;*VZAO%3{{C1Z4 z-2!m`mz45RGXSWm?*Bgf;{S?d4f0~hpXVub777X%(Eb^y1+%?L#ehLxSBPz*-*zg! zfYlBF!(-&A836y7Z~rTghpIQWb4*B30{Mp>wbF9b43Ph*_`gX>G5dd3vii215+eqkw)ZG-~#K8e(+4XDQG4=YXNA*hcS3=^vYw5 zH5wnD{>JoYL>Q=b8q18Cw173Yj3j6o7;qikuS0roPXH(8fy)bau>n^PT&e@j*>hw- z)|POFPQvc&XP{+%Q`v$2OVB0?g359Da?_I(?CWT7EQ|r33@HFw#L2*v1)52}>Hu2t zkp^7Cp?_)Raf~$@4^Mw@#qj5bHJ}W)i|qr(Iw0T@0E}fZ!2U`JFL3q1(!Ua*6##_R z^NcS4fv+e7l{?#if>$lkr!J+e{v2KYGrIf-yo7UTE&my9unhLqrLdz{q#!G8S(d=g zU%65+SN{0zUZ3Z}hgiQw0XsR<EXgV3qJHRtMMvH>c zq5!EVH~?G#0|Z$`MVs7%leHif(hp$?;I1d&y>I{2&h-cy2uR4w^WU+TJ|HXvtY(0V hmmM2l{(kv|4&bHO44$rjF6*2UngC#G9S8sb diff --git a/versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP1/README.md b/versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP1/README.md deleted file mode 100644 index 0fd4bb63..00000000 --- a/versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP1/README.md +++ /dev/null @@ -1,141 +0,0 @@ ---- -slug: /MEP-1-distributed-metal-control-plane -title: MEP-1 -sidebar_position: 1 ---- - -# Distributed Metal Control Plane - -This enhancement proposal was replaced by [MEP18](../MEP18/README.md). - -## Problem Statement - -We face the situation that we argue for running bare metal on-premises because this way the customers can control where and how their software and data are processed and stored. -On the other hand, we have currently decided that our metal-api control plane components run on a kubernetes cluster (in our case on a cluster provided by one of the available hyperscalers). - -Running the control plane on Kubernetes has the following benefits: - -- Ease of deployment -- Get most, if not all, of the required infrastructure services like (probably incomplete): - - IPs - - DNS - - L7-Loadbalancing - - Storage - - S3 Backup - - High Availability - -Using a kubernetes as a service offering from one of the hyperscalers, enables us to focus on using kubernetes instead of maintaining it as well. - -## Goal - -It would be much saner if metal-stack has no, or only minimal dependencies to external services. Imagine a metal-stack deployment in a plant, it would be optimal if we only have to deliver a single rack with servers and networking gear installed and wired, plug that rack to the power supply and a internet uplink and its ready to go. - -Have a second plant which you want to be part of all your plants? Just tell both that they are part of something bigger and metal-api knows of two partitions. - -## Possible Solutions - -We can think of two different solutions to this vision: - -1. Keep the central control plane approach and require some sort of kubernetes deployment accessible from the internet. This has the downside that the user must, provide a managed kubernetes deployment in his own datacenter or uses a hyperscaler. Still not optimal. -1. Install the metal-api and all its dependencies in every partition, replicate or shard the databases to every connected partition, make them know each other. Connect the partitions over the internet with some sort of vpn to make the services visible to each other. - -As we can see, the first approach does not really address the problem, therefore i will describe solution #2 in more details. - -## Central/Current setup - -### Stateful services - -Every distributed system suffer from handling state in a scalable, fast and correct way. To start how to cope with the state, we first must identify which state can be seen as partition local only and which state must be synchronous for read, and synchronous for writes across partitions. - -Affected states: - -- masterdata: e.g. tenant and project must be present in every partition, but these are entities which are read often but updates are rare. A write can therefore be visible with a decent delay in a distinct partition with no consequences. -- ipam: the prefixes and ip´s allocated from machines. These entities are also read often and rare updates. But we must differentiate between dirty reads for different types. A machine network is partition local, ips acquired from such a network must by synchronous in the same partition. Ips acquired from global networks such as internet must by synchronous for all partitions, as otherwise a internet ip could be acquired twice. -- vrf ids: they must only be unique in one partition -- image and size configurations: read often, written seldom, so no high requirements on the storage of these entities. -- images: os images are already replicated from a central s3 storage to a per partition s3 service. metal-hammer kernel and initrd are small and pull always from the central s3, can be done similar to os images. -- machine and machine allocation: must be only synchronous in the partition -- switch: must be only synchronous in the partition -- nsq messages: do not need to cross partition boundaries. No need to keep the messages persistent, even the opposite is true, we don't want to have the messages persist for a longer period. - -Now we can see that the most critical state to held and synchronize are the IPAM data, because these entities must be guaranteed to be synchronously updated, while being updated frequently. - -Datastores: - -We use three different types of datastores to persist the states of the metal application. - -- rethinkdb is the main datastore for almost all entities managed by metal-api -- postgresql is used for masterdata and ipam data. -- nsq uses disk and memory tho store the messages. - -### Stateless services - -These are the easy part, all of our services which are stateless can be scaled up and down without any impact on functionality. Even the stateful services like masterdata and metal-api rely fully on the underlying datastore and can therefore also be scaled up and down to meet scalability requirements. - -Albeit, most of these services need to be placed behind a loadbalancer which does the L4/L7 balancing across the started/available replicas of the service for the clients talking to it. This is actually provided by kubernetes with either service type loadbalancer or type clusterip. - -One exception is the `metal-console` service which must have the partition in it´s dns name now, because there is no direct network connectivity between the management networks of the partitions. See "Network Setup) - -## Distributed setup - -### State - -In order to replicate certain data which must be available across all partitions we can use on of the existing open source databases which enable such kind of setup. There are a few available out there, the following incomplete list will highlight the pro´s and cons of each. - -- RethinkDB - - We already store most of our data in RethinkDB and it gives already the ability to synchronize the data in a distributed manner with different guarantees for consistency and latency. This is described here: [Scaling, Sharding and replication](https://rethinkdb.com/docs/sharding-and-replication/). But because rethinkdb has a rough history and unsure future with the last release took more than a year, we in the team already thought that we eventually must move away from rethinkdb in the future. - -- Postgresql - - Postgres does not have a multi datacenter with replication in both directions, it just can make the remote instance store the same data. - -- CockroachDB - - Is a Postgresql compatible database engine on the wire. CockroachDB gives you both, ACID and geo replication with writes allowed from all connected members. It is even possible to configure [Follow the Workload](https://www.cockroachlabs.com/docs/stable/topology-follow-the-workload) and [Geo Partitioning and Replication](https://www.cockroachlabs.com/docs/v19.2/topology-geo-partitioned-replicas). - -If we migrate all metal-api entities to be stored the same way we store masterdata, we could use cockroachdb to store all metal entities in one ore more databases spread across all partitions and still ensure consistency and high availability. - -A simple setup how this would look like is shown here. - -![Simple CockroachDB setup](Distributed.png) - -go-ipam was modified in a example PR here: [PR 17](https://github.com/metal-stack/go-ipam/pull/17) - -### API Access - -In order to make the metal-api accessible for api users like `cloud-api` or `metalctl` as easy at it is today, some effort has to be taken. One possible approach would be to use a external loadbalancer which spread the requests evenly to all metal-api endpoints in all partitions. Because all data are accessible from all partitions, a api request going to partition A with a request to create a machine in partition B, will still work. If on the other hand partition B is not in a connected state because the interconnection between both partitions is broken, then of course the request will fail. - -**IMPORTANT** -The NSQ Message to inform `metal-core` must end in the correct partition - -To provide such a external loadbalancer we have several opportunities: - -- Cloudflare or comparable CDN service. -- BGP Anycast from every partition - -Another setup would place a small gateway behind the metal-api address, which forwards to the metal-api in the partition where the request must be executed. This gateway, `metal-api-router` must inspect the payload, extract the desired partition, and forward the request without any modifications to the metal-api endpoint in this partition. This can be done for all requests, or if we want to optimize, only for write accesses. - -## Network setup - -In order to have the impact to the overall security concept as minimal as possible i would not modify the current network setup. The only modifications which has to be made are: - -- Allow https ingress traffic to all metal-api instances. -- Allow ssh ingress traffic to all metal-console instances. -- Allow CockroachDB Replication between all partitions. -- No NSQ traffic from outside required anymore, except we cant solve the topic above. - -A simple setup how this would look like is shown here, this does not work though because of the forementioned NSQ issue. - -![API and Console Access](Distributed-API.png) - -Therefore we need the `metal-api-router`: - -![Working API and Console Access](Distributed-API-Working.png) - -## Deployment - -The deployment of our components will substantially differ in a partition compared to a the deployment we have actually. Deploying it in kubernetes in the partition would be very difficult to achieve because we have no sane way to deploy kubernetes on physical machines without a underlying API. -I would therefore suggest to deploy our components in the same way we do that for the services running on the management server. Use systemd to start docker containers. - -![Deployment](Distributed-Deployment.png) diff --git a/versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP10/README.md b/versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP10/README.md deleted file mode 100644 index 6811cdc0..00000000 --- a/versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP10/README.md +++ /dev/null @@ -1,197 +0,0 @@ ---- -slug: /MEP-10-sonic-support -title: MEP-10 -sidebar_position: 10 ---- - -# SONiC Support - -As writing this proposal, metal-stack only supports Cumulus on Broadcom ASICs. Unfortunately, after the acquisition of -Cumulus Networks by Nvidia, Broadcom decided to cut its relationship with Cumulus, and therefore Cumulus 4.2 is the last -version that supports Broadcom ASICs. Since trashing the existing hardware is not a solution, adding support for a -different network operating system is necessary. - -One of the remaining big players is [SONiC](https://sonic-net.github.io/SONiC/), which Microsoft created to scale the -network of Azure. It's an open-source project and is now part of the [Linux Foundation](https://www.linuxfoundation.org/press/press-release/software-for-open-networking-in-the-cloud-sonic-moves-to-the-linux-foundation). - -For a general introduction to SONiC, please follow the [Architecture](https://github.com/sonic-net/SONiC/wiki/Architecture) official -documentation. - -## ConfigDB - -On a cold start, the content of `/etc/sonic/config_db.json` will be loaded into the Redis database `CONFIG_DB`, and both -contain the switch's configuration except the BGP unnumbered configuration, which still has to be configured directly by -the frr configuration files. The SONiC community is working to remove this exception, but no release date is known. - -## BGP Configuration - -Frr runs inside a container, and a shell script configured it on the container startup. For BGP unnumbered, we must set -the configuration variable `docker_routing_config_mode` to `split` to prevent SONiC from overwriting our configuration -files created by `metal-core`. But by using the split mode, the integrated configuration mode of frr is deactivated, and -we have to write our BGP configuration to the daemon-specific files `bgp.conf`, `staticd.conf`, and `zebra.conf` instead -to `frr.conf`. - -```bash -elif [ "$CONFIG_TYPE" == "split" ]; then - echo "no service integrated-vtysh-config" > /etc/frr/vtysh.conf - rm -f /etc/frr/frr.conf -``` - -Reference: [docker-init](https://github.com/sonic-net/sonic-buildimage/blob/202205/dockers/docker-fpm-frr/docker_init.sh#L69) - -Adding support for the integrated configuration mode, we must at least adjust the startup shell script and the supervisor configuration: - -```bash -{% if DEVICE_METADATA.localhost.docker_routing_config_mode is defined and DEVICE_METADATA.localhost.docker_routing_config_mode == "unified" %} -[program:vtysh_b] -command=/usr/bin/vtysh -b -``` - -Reference: [supervisord.conf](https://github.com/sonic-net/sonic-buildimage/blob/202205/dockers/docker-fpm-frr/frr/supervisord/supervisord.conf.j2#L157) - -## Non-BGP Configuration - -For the Non-BGP configuration we have to write it into the Redis database directly or via one of the following interfaces: - -- `config replace ` -- the Mgmt Framework -- the SONiC restapi - -Directly writing into the Redis database isn't a stable interface, and we must determine the create, delete, and update -operations on our own. The last point is also valid for the Mgmt Framework and the SONiC restapi. Furthermore, the -Mgmt Framework doesn't start anymore for several months, and a [potential fix](https://github.com/sonic-net/sonic-buildimage/pull/10893) -is still not merged. And the SONiC restapi isn't enabled by default, and we must build and maintain our own SONiC images. - -Using `config replace` would reduce the complexity in the `metal-core` codebase because we don't have to determine the -actual changes between the running and the desired configuration. The approach's drawbacks are using a version of SONiC -that contains the PR [Yang support for VXLAN](https://github.com/sonic-net/sonic-buildimage/pull/7294), and we must provide -the whole new startup configuration to prevent unwanted deconfiguration. - -### Configure Loopback interface and activate VXLAN - -```json -{ - "LOOPBACK_INTERFACE": { - "Loopback0": {}, - "Loopback0|": {} - }, - "VXLAN_TUNNEL": { - "vtep": { - "src_ip": "" - } - } -} -``` - -#### Configure MTU - -```json -{ - "PORT": { - "Ethernet0": { - "mtu": "9000" - } - } -} -``` - -#### Configure PXE Vlan - -```json -{ - "VLAN": { - "Vlan4000": { - "vlanid": "4000" - } - }, - "VLAN_INTERFACE": { - "Vlan4000": {}, - "Vlan4000|": {} - }, - "VLAN_MEMBER": { - "Vlan4000|": { - "tagging_mode": "untagged" - } - }, - "VXLAN_TUNNEL_MAP": { - "vtep|map_104000_Vlan4000": { - "vlan": "Vlan4000", - "vni": "104000" - } - } -} -``` - -#### Configure VRF - -```json -{ - "INTERFACE": { - "Ethernet0": { - "vrf_name": "vrf104001" - } - }, - "VLAN": { - "Vlan4001": { - "vlanid": "4001" - } - }, - "VLAN_INTERFACE": { - "Vlan4001": { - "vrf_name": "vrf104001" - } - }, - "VRF": { - "vrf104001": { - "vni": "104001" - } - }, - "VXLAN_TUNNEL_MAP": { - "vtep|map_104001_Vlan4001": { - "vlan": "Vlan4001", - "vni": "104001" - } - } -} -``` - -## DHCP Relay - -The DHCP relay container only starts if `DEVICE_METADATA.localhost.type` is equal to `ToRRouter`. - -## LLDP - -SONiC always uses the local port subtype for LLDP and sets it to some freely configurable alias field of the interface. - -```python -# Get the port alias. If None or empty string, use port name instead -port_alias = port_table_dict.get("alias") -if not port_alias: - self.log_info("Unable to retrieve port alias for port '{}'. Using port name instead.".format(port_name)) - port_alias = port_name - -lldpcli_cmd = "lldpcli configure ports {0} lldp portidsubtype local {1}".format(port_name, port_alias) -``` - -Reference: [lldpmgr](https://github.com/sonic-net/sonic-buildimage/blob/202205/dockers/docker-lldp/lldpmgrd#L153) - -## Mgmt Interface - -The mgmt interface is `eth0`. To configure a static IP address and activate the Mgmt VRF, use: - -```json -{ - "MGMT_INTERFACE": { - "eth0|": { - "gwaddr": "" - } - }, - "MGMT_VRF_CONFIG": { - "vrf_global": { - "mgmtVrfEnabled": "true" - } - } -} -``` - -[IP forwarding is deactivated on `eth0`](https://github.com/sonic-net/sonic-buildimage/blob/202205/files/image_config/sysctl/sysctl-net.conf#L7), and no IP Masquerade is configured. diff --git a/versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP11/README.md b/versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP11/README.md deleted file mode 100644 index 87f48a10..00000000 --- a/versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP11/README.md +++ /dev/null @@ -1,78 +0,0 @@ ---- -slug: /MEP-11-auditing-of-metal-stack-resources -title: MEP-11 -sidebar_position: 11 ---- - -# Auditing of metal-stack resources - -Currently no logs of the ownership of resources like machines, networks, ips and volumes are generated or kept. Though due to legal requirements data centers are required to keep track of this ownership over time to prevent liability issues when opening the platform for external users. - -In this proposal we want to introduce a flexible and low-maintenance approach for auditing on top of [Meilisearch](https://www.meilisearch.com/). - -## Overview - -In general our auditing logs will be collected by a request interceptor or middleware. Every request and response will be processed and eventually logged to Meilisearch. -Meilisearch will be configured to regularly create chunks of the auditing logs. These finished chunks will be backed up to a S3 compatible storage with a read-only option enabled. - -Of course sensitive data like session keys or passwords will be redacted before logging. We want to track relevant requests and responses. If auditing the request fails, the request itself will be aborted and will not be processed further. The requests and responses that will be audited will be annotated with a correlation id. - -Transferring the meilisearch auditing data chunks to the S3 compatible storage will be done by a sidecar cronjob that is executed periodically. -To avoid data manipulation the S3 compatible storage will be configured to be read-only. - -## Whitelisting - -To reduce the amount of unnecessary logs we want to introduce a whitelist of resources and operations on those that should be logged. -Other requests will be passed directly to the next middleware or web service without any further processing. - -As we are only interested in mutating endpoints, we ignore all `GET` requests. -The whitelist includes all `POST`, `PUT`, `PATCH` and `DELETE` endpoints of the HTTP middleware except for the following (non-manipulating) route suffixes: - -- `/find` -- `/notify` -- `/try` and `/match` -- `/capacity` -- `/from-hardware` - -Regarding GRPC audit trails, they are not so interesting because only internal clients are using this API. However, we can log the trails of the `Boot` service, which can be interesting to revise the machine lifecycle. - -## Chunking in Meilisearch - -We want our data to be chunked in Meilisearch. To accomplish this, we rotate the index identifier on a scheduled basis. The index identifiers will be derived from the current date and time. - -To keep things simple, we only support hourly, daily and monthly rotation. The eventually prefixed index names will only include relevant parts of date and time like `2021-01`, `2021-01-01` or `2021-01-01_13`. - -The metal-api will only write to the current index and switches to the new index on rotation. The metal-api will never read or update data in any indices. - -## Moving chunks to S3 compatible storage - -As Meilisearch will be filled with data over time, we want to move completed chunks to a S3 compatible storage. This will be done by a sidecar cronjob that is executed periodically. Note that the periods of the index rotation and the cronjob execution don't have to match. - -When the backup process gets started, it initiates a [Meilisearch dump](https://www.meilisearch.com/docs/learn/advanced/dumps) of the whole database across all indices. Once the returned task is finished, the dump must be copied from a Meilisearch volume to the S3 compatible storage. After a successful copy, the dump can be deleted. - -Now we want to remove all indices from Meilisearch, except the most recent one. For this, we [get all indices](https://www.meilisearch.com/docs/reference/api/indexes#list-all-indexes), sort them and [delete each index](https://www.meilisearch.com/docs/reference/api/indexes#delete-an-index) except the most recent one to avoid data loss. - -For the actual implementation, we can build upon [backup-restore-sidecar](https://github.com/metal-stack/backup-restore-sidecar). But due to the index rotation and the fact, that older indices need to be deleted, this probably does not fit into the mentioned sidecar. - -## S3 compatible storage - -The dumps of chunks should automatically deleted after a certain amount of time, once we are either no longer allowed or required to keep them. -The default retention time will be 6 months. Ideally already uploaded chunks should be read-only to prevent data manipulation. - -A candidate for the S3 compatible storage is Google Cloud Storage, which allows to configure automatic expiration of objects through a [lifecycle rule](https://cloud.google.com/storage/docs/managing-lifecycles?hl=en#storage-set-lifecycle-config-go). - -## Affected components - -- metal-api grpc server needs an auditing interceptor -- metal-api web server needs an auditing filter chain / middleware -- metal-api needs new command line arguments to configure the auditing -- mini-lab needs a Meilisearch instance -- mini-lab may need a local S3 compatible storage -- we need a sidecar to implement the backup to S3 compatible storage -- Consider auditing of volume allocations and freeings outside of metal-stack - -## Alternatives considered - -Instead of using Meilisearch we investigated using an immutable database like [immudb](https://immudb.io/). But immudb does not support chunking of data and due to its immutable nature, we will never be able to free up space of expired data. Even if we are legally allowed or required to delete data, we will not be able to do so with immudb. - -In another variant of the Meilisearch approach the metal-api would also be responsible for copying chunks to the S3 compatible storage and deleting old indices. But separating the concerns allows completely different implementations for every deployment stage. diff --git a/versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP12/README.md b/versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP12/README.md deleted file mode 100644 index 65532c57..00000000 --- a/versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP12/README.md +++ /dev/null @@ -1,34 +0,0 @@ ---- -slug: /MEP-12-rack-spreading -title: MEP-12 -sidebar_position: 12 ---- - -# Rack Spreading - -Currently, when creating a machine through the metal-api, the machine is placed randomly inside a partition. This algorithm does not consider spreading machines across different racks and different chassis. This may lead to the situation that a group of machines (that for example form a cluster) can end up being placed in the same rack and the same chassis. - -Spreading a group of machines across racks can enhance availability for scenarios like a rack losing power or a chassis meltdown. - -So, instead of just randomly deciding the placement of a machine candidate, we want to propose a placement strategy that attempts to spread machine candidates across the racks inside a partition. - -Furthermore a followup improvement to guarantee that machines are really spread across multiple racks, even if multiple machines are ordered in parallel, was implemented with [PR490](https://github.com/metal-stack/metal-api/pull/490). - -## Placement Strategy - -Machines in the project are spread across all available racks evenly within a partition (best effort). For this, an additional request to the datastore has to be made in order to find allocated machines within the project in the partition. - -The algorithm will then figure out the least occupied racks and elect a machine candidate randomly from those racks. - -The user can optionally pass placement tags which will be considered for spreading the machines as well (this will for example allow spreading by a cluster id tag inside the same project). - -## API - -```golang -// service/v1/machine.go - -type MachineAllocation struct { - // existing fields are omitted for readability - PlacementTags []string `json:"placement_tags" description:"by default machines are spread across the racks inside a partition for every project. if placement tags are provided, the machine candidate has an additional anti-affinity to other machines having the same tags"` -} -``` diff --git a/versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP13/README.md b/versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP13/README.md deleted file mode 100644 index 2dde20f5..00000000 --- a/versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP13/README.md +++ /dev/null @@ -1,111 +0,0 @@ ---- -slug: /MEP-13-dual-stack-support -title: MEP-13 -sidebar_position: 13 ---- - -# Dual-stack Support - -dual-stack support is required to be able to create Kubernetes clusters with either IPv6 single-stack or dual-stack enabled. -With the inherent scarcity of IPv4 addresses, the need to be able to use IPv6 has increased. - -Full IPv6 dual-stack support was added to Kubernetes with v1.23 as stable. - -Gardeners have had full IPv6 dual-stack support since `v1.109`. - -metal-stack manages CIDRs and IP addresses with the [go-ipam](https://github.com/metal-stack/go-ipam) library, which already got full IPv6 support in 2021 (see [https://metal-stack.io/blog/2021/02/ipv6-part1](https://metal-stack.io/blog/2021/02/ipv6-part1)). -But this was only the foundation, more work needs to be done to get full IPv6 support for all aspects managed by metal-stack.io. - -## General Decisions - -For the general decision we do not look at the isolated clusters feature for now as this would make the solution even more complex and we want to introduce IPv6 in smaller steps to the users. - -### Networks - -Currently, metal-stack organizes CIDRs / prefixes into a `network' resource in the metal-api. A network can consist of multiple CIDRs from the same address family. For example, if an operator wants to provide Internet connectivity to provisioned machines, they can start with small network CIDRs. The number of managed network prefixes can then be expanded as needed over time. - -With dual-stack we have to choose between two options: Network per address family or networks with both address families. These options are described in the next section. - -#### Network per Address Family - -This means that we allow networks with CIDRs from one address family only, one for IPv4 and one for IPv6. - -The machine creation process will not change if the machine only needs to be either IPv4 or IPv6 addressable. -But if on the other side, the machine need to be able to connect to both address families, the machine creation needs to specify two networks, one for IPv4 and one for IPv6. -Also there will be 2 distinct VRF IDs for every network with a different address family. - -#### Network with both Address Families - -Make a network dual address family capable, meaning that you can add multiple cidrs from both address families to a network. -Then the machine creation will remain the same for single-stack and dual-stack cases, but the ip address allocation will need to specify the address family from which to allocate an ip address when the network is dual-stack. -This does not break the existing API, but allows existing extensions to easily add dual-stack support. -To avoid additional checking of which address families are available on this network during an ip allocation call, we could store the address families in the network. - -#### Decision - -The decision was made to go with the having both address families in a single network entity because we think this is the most flexible way to support dual-stack machines and Kubernetes clusters as well as single-stack with the least amount of modifications on the networking side. - -### Examples - -To illustrate the the usage we start by creating a tenant super network which has both address families: - -```yaml ---- -id: tenant-super-network-mini-lab -name: Project Super Network -description: Super network of all project networks -partitionid: mini-lab -prefixes: - - 10.0.0.0/16 - - 2001:db8:0:10::/64 -defaultchildprefixlength: - IPv4: 22 - IPv6: 96 -privatesuper: true -``` - -In order to create this network, we simple call: - -```bash -metalctl network create -f tenant-super.yaml -``` - -This is usually done during the initial setup of the environment. - -Next step is to allocate a tenant network where the machines of a project can be placed: - -```bash -metalctl network allocate --partition mini-lab --project 4b9b17c4-2d7c-4190-ae95-dda44e430fa6 --name my-node-network -``` - -This leads to the following network allocation: - -```yaml -id: 2d2c0350-3f66-4597-ae97-ef6797232212 -name: my-node-network -parentnetworkid: tenant-super-network-mini-lab -partitionid: mini-lab -prefixes: - - 10.0.0.0/22 - - 2001:db8:0:10::/96 -projectid: 4b9b17c4-2d7c-4190-ae95-dda44e430fa6 -vrf: 20 -consumption: - ipv4: - available_ips: 1024 - available_prefixes: 256 - used_ips: 2 - used_prefixes: 0 - ipv6: - available_ips: 2147483647 - available_prefixes: 1073741824 - used_ips: 1 - used_prefixes: 0 -privatesuper: false -``` - -Users can the create IP addresses from these child networks. By default, they retrieve an IPv4 address except a super network only consists of IPv6 prefixes. In the latter case the users acquire an IPv6 address. - -```bash -metalctl network ip create --network 2d2c0350-3f66-4597-ae97-ef6797232212 --project 4b9b17c4-2d7c-4190-ae95-dda44e430fa6 -``` diff --git a/versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP14/README.md b/versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP14/README.md deleted file mode 100644 index 47c06434..00000000 --- a/versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP14/README.md +++ /dev/null @@ -1,36 +0,0 @@ ---- -slug: /MEP-14-independence-from-external-sources -title: MEP-14 -sidebar_position: 14 ---- - -# Independence from external sources - -In certain situations some customers may need to operate and create machines without making use of external services like DNS or NTP through the internet. To make this possible, all metal-stack components reaching external services need to be configurable with custom endpoints. - -So far, the following components have been identified as requiring changes: - -- pixiecore -- metal-hammer -- metal-images - -More components are likely to be added to the list during processing. -For DNS and NTP servers it should be possible to provide default values within a partition. They can either be inherited from machines and firewalls or overwritten with own ones. - -## pixiecore - -A NTP server endpoint need to be configured on the pixiecore. This can be achieved by providing it through environment variables on start up. - -## metal-hammer - -If using a self-deployed NTP server, also the metal-hammer need to be configured with it. For backward compatibility, default values from `pool.ntp.org` and `time.google.com` are used. - -## metal-images - -Configurations for the `metal-images` are different for machines and firewalls. - -## metalctl - -In order to pass DNS and NTP servers to partitions and machines while creating them, the flags `dnsservers` and `ntpservers` need to be added. - -The implementation of this MEP will make metal-stack possible to create and maintain machines without requiring an internet connection. diff --git a/versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP16/README.md b/versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP16/README.md deleted file mode 100644 index dbfa59d6..00000000 --- a/versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP16/README.md +++ /dev/null @@ -1,332 +0,0 @@ ---- -slug: /MEP-16-metal-api-as-an-alternative-configuration-source-for-the-firewall-controller -title: MEP-16 -sidebar_position: 16 ---- - -# metal-api as an Alternative Configuration Source for the firewall-controller - -In the current situation, a firewall as provisioned by metal-stack is a fully immutable entity. Any modifications on the firewall like changing the firewall ruleset must be done _somehow_ by the user – the metal-api and hence metal-stack is not aware of its current state. - -As part of our [integration with the Gardener project](https://docs.metal-stack.io/stable/overview/kubernetes/#Gardener) we offer a solution called the [firewall-controller](https://github.com/metal-stack/firewall-controller), which is part of our [firewall OS images](https://github.com/metal-stack/metal-images/blob/6318a624861b18a559a9d37299bca5f760eef524/firewall/Dockerfile#L57-L58) and addresses shortcomings of the firewall resource's immutability, which would otherwise be completely impractible to work with. The firewall-controller crashes infinitely if it is not properly configured through the userdata when using the firewall image of metal-stack. - -The firewall-controller approach is tightly coupled to Gardener and it requires the administrator of the Gardener installation to pass a shoot and a seed kubeconfig through machine userdata when creating the firewall. How this userdata has to look like is not documented and is just part of another project called the [firewall-controller-manager](https://github.com/metal-stack/firewall-controller-manager) (FCM), which task is to orchestrate rolling updates of firewall machines in a way that network traffic interruption is minimal when updating a firewall or applying a change to an immutable firewall configuration. - -In general, a firewall entity in metal-stack has similarities to the machine entity but it has a fundamental difference: A user gains ownership over a machine after provisioning. They can access it through SSH, modify it at will and this is completely wanted. For firewalls, however, we do not want a user to access the provisioned firewall as the firewall is a privileged part of the infrastructure with access to the underlay network. The underlay can not be tampered with at any given point in time by a user as it can destroy the entire network traffic flow inside a metal-stack partition. - -For this reason, we have a gap in the metal-stack project in terms of a missing solution for people who do not rely on the Gardener integration. We are basically leaving a user with the option to implement an orchestrated recreation of every possible change on the firewall to minimize traffic interruption for the machines sitting behind the firewall or re-implement the firewall-controller to how they want to use it for their use-case. - -Also we do not have a clear distinction in the API between user and metal-stack operator for firewalls. If a user would allocate a firewall it is also possible for the user to inject his own SSH keys and access the firewall and tamper with the underlay network. - -Parts of these problems are probably going to decrease with the work on [MEP-4](../MEP4/README.md) where there will be dedicated APIs for users and administrators of metal-stack including fine-grained access tokens. - -With this MEP we want to describe a way to improve this current situation and allow other users that do not rely on the Gardener integration – for whatever motivation they have – to adequately manage firewalls. For this, we propose an alternative configuration for the firewall-controller that is native to metal-stack and more independent of Gardener. - -## Proposal - -The central idea of this proposal is allowing the firewall-controller to use the metal-api as a configuration source. This should serve as an alternative strategy to the currently used FCM `Firewall` resource based approach in the Gardener use-case. -Updates of the firewall rules should be possible through the metal-api. - -The firewall-controller itself should now be able to decide which of the two main strategies should be used for the base configuration: a kubeconfig or the metal-api. This should be possible through a dedicated _firewall-controller-config_. - -Using this config will now allow operators to fine-tune the data sources for all of its dynamic configuration tasks independently. -For example the data source of the core firewall rules could be set either from the `Firewall` resource located in the Gardener `Seed` or the metal-apiserver node network entity, while the CWNPs should be fetched and applied from a given kubeconfig (the `Shoot` Kubeconfig in the Gardener case). -This configuration file is intended to be injected during firewall creation through the userdata along with potential source connection credentials. - -```yaml -# the name of the firewall, defaulted to the hostname -name: best-firewall-ever - -sources: - seed: - kubeconfig: /path/to/seed.yaml # current gardener behavior - namespace: shoot--proj--name - shoot: - kubeconfig: /path/to/shoot.yaml # current gardener behavior - namespace: firewall - metal: - url: https://metal-api - hmac: some-hmac - type: Metal-View - projectID: abc - static: - # static should mirror all information provided by the metal or seed/shoot sources - firewall: # optional - controllerURL: https://... - cwnp: - egress: [] - ingress: [] - -# all sub-controllers running on the firewall -# each can be configured independently -controllers: - # this is the base controller - firewall: - source: seed # or: metal, static - - # these are optional: when not provided, they are disabled - selfUpdate: - enabled: true - droptailer: - enabled: true - - # these are optional: when not provided, they are disabled - service: - source: shoot # or: metal, static - cwnp: - source: shoot # or: metal, static - monitor: - source: shoot # currently only shoot is supported -``` - -The existing behavior of the firewall-controller writing into `/etc/nftables/firewall-controller.v4` is not changed. The different controller configuration sources are internally treated in the same way as before. The `static` source can be used to prevent the firewall-controller from crashing and consistently providing a static ruleset. This might be interesting for metal-stack native use cases or environments where the metal-api cannot be accessed. - -There must be one central nftables-rule-file-controller that is notified and triggered by all other controllers that contribute to the nftables configuration. - -For example, in order to maintain the existing Gardener integration, the configuration file for the firewall-controller will look like this: - -```yaml -name: shoot--abc--cluster-firewall-def -sources: - seed: - kubeconfig: /etc/firewall-controller/seed.yaml - namespace: shoot--abc--cluster - shoot: - kubeconfig: /etc/firewall-controller/shoot.yaml - namespace: firewall - -controllers: - firewall: - source: seed - - selfUpdate: - enabled: true - droptailer: - enabled: true - - service: - source: shoot - cwnp: - source: shoot - monitor: - source: shoot -``` - -Plain metal-stack users might use a configuration like this: - -```yaml -name: best-firewall-ever - -sources: - metal: - url: https://metal-api - hmac: some-hmac - type: Metal-View - projectID: abc - -controllers: - firewall: - source: metal - selfUpdate: - enabled: true - droptailer: - enabled: true - - cwnp: - # firewall rules stored in firewall entity - # potential improvement would be to attach the rules to the node network entity - # be aware that the firewall and private networks are immutable - # eventually we introduce a firewall ruleset entity - source: metal -``` - -In highly restricted environments that cannot access metal-api the static source could be used: - -```yaml -name: most-restricted-firewall-ever - -sources: - static: - firewall: - controllerURL: https://... - cwnp: - egress: [] - ingress: [] - -controllers: - firewall: - source: static - - cwnp: - source: static -``` - -### Non-Goals - -- Resolving the missing differentiation between users and administrators by letting users pass userdata and SSH keys to the firewall creation. - - This is even more related to [MEP-4](../MEP4/README.md) than this MEP. - -### Advantages - -- Offers a native metal-stack solution that improves managing firewalls for users by adding dynamic reconfiguration through the metal-api - - e.g., in the mini-lab, users can now allocate a machine, then an IP address and announce this IP from the machine without having to re-create the firewall but by adding a firewall rule to the metal-api. -- Improve consistency throughout the API (firewall rules would reflect what is persisted in metal-api). -- Other providers like Cluster API can leverage this approach, too. -- It can contribute to solving the shoot migration issue (in Cluster API case the `clusterctl move` for firewall objects) - - For Gardener takes the seed out of the equation (of which the kubeconfig changes during shoot migration) - - However: Things like egress rules, rate limiting, etc. are currently not part of the firewall or network entity in the metal-api. These would need to be added to one of them. -- Potentially resolve the issue that end-users can manipulate accounting data of the firewall through the `FirewallMonitor` - - for this we would need to be able to report traffic data to metal-api - -### Caveats - -- Metal-View access is too broad for firewalls. Mitigated by [MEP-4](../MEP4/README.md). -- Polling of the firewall-controller is bad for performance. Mitigated by [MEP-4](../MEP4/README.md). - -### Firewall Controller Manager - -Currently the firewall-controller-manager expects the creators of a `FirewallDeployment` to use the defaulting webhook that is tailored to the Gardener integration in order to generate `Firewall.spec.userdata` or to override it manually. Currently `Firewall.spec.userdata` will never be set explicitly. - -Instead we'd like to propose `Firewall.spec.userdataContents` which will replace the old `userdata`-string by a typed data structure. The FCM will do the heavy lifting while the `FirewallDeployment` creator decides what should be configured. - -```yaml -kind: FirewallDeployment -spec: - template: - spec: - userdataContents: - - path: /etc/firewall-controller/config.yaml - content: | - --- - sources: - static: {} - controllers: - firewall: - source: static - - path: /etc/firewall-controller/seed.yaml - contentFrom: - firewallControllerKubeconfigSecret: - name: seed-kubeconfig - key: kubeconfig - - - path: /etc/firewall-controller/shoot.yaml - contentFrom: - secretRef: - name: shoot-kubeconfig - key: kubeconfig -``` - -### Gardener Extension Provider Metal Stack - -The GEPM should be migrated to the new `Firewall.spec.userdataContents` field. - -### Cluster API Provider Metal Stack - -![architectural overview](firewall-for-capms-overview.svg) - -In Cluster API there are essentially two main clusters: the management cluster and the workload cluster while the CAPMS takes in the role of the GEPM. -Typically a local bootstrap cluster is created in KinD which acts as the management cluster. It creates the workload cluster. Thereafter the ownership of the workload cluster is typically moved (using `clusterctl move`) to a different cluster which will then become the management cluster. -The new management cluster might actually be the workload cluster itself. - -In contrast to Gardener, Cluster API aims to be less opinionated and minimal. It is common practice to not install any non-required components or CRDs into the workload cluster by default. Therefore we cannot expect custom resources like `ClusterwideNetworkPolicy` or `FirewallMonitor` to be installed in the workload cluster but strongly recommend our users to do it. Therefore it's the responsibility of the operator to tell [cluster-api-provider-metal-stack](https://github.com/metal-stack/cluster-api-provider-metal-stack) the kubeconfig for the cluster where these CRDs are installed and defined in. - -A viable configuration for a `MetalStackCluster` that generates firewall rules based of `Service` type `LoadBalancer` and `ClusterwideNetworkPolicy` and expects them to be deployed in the workload cluster is shown below. The `FirewallMonitor` will be reported into the same cluster. - -```yaml -kind: MetalStackCluster -metadata: - name: ${CLUSTER_NAME} -spec: - firewallTemplate: - userdataContents: - - path: /etc/firewall-controller/config.yaml - contentFrom: - secretRef: - name: ${CLUSTER_NAME}-firewall-controller-config - key: controllerConfig - - - path: /etc/firewall-controller/workload.yaml - contentFrom: - # this is the kubeconfig generated by kubeadm - secretRef: - name: ${CLUSTER_NAME}-kubeconfig - key: value ---- -kind: Secret -metadata: - name: ${CLUSTER_NAME}-firewall-controller-config -stringData: - controllerConfig: | - --- - name: ${CLUSTER_NAME}-firewall - - sources: - metal: - url: ${METAL_API_URL} - hmac: ${METAL_API_HMAC} - type: ${METAL_API_HMAC_TYPE} - projectID: ${METAL_API_PROJECT_ID} - shoot: - kubeconfig: /etc/firewall-controller/workload.yaml - namespace: firewall - - controllers: - firewall: - source: metal - selfUpdate: - enabled: true - droptailer: - enabled: true - - service: - source: shoot - cwnp: - source: shoot - monitor: - source: shoot -``` - -Here the firewall-controller-config will be referenced by the `MetalStackCluster` as a `Secret`. Please note that the `Secret`s in `userdataContents` will not be fetched and will directly be passed to the `FirewallDeployment`. At first the reconciliation of it in the FCM will fail due to the missing Kubeconfig secret. After the `MetalStackCluster` has been marked as ready, CAPI will create this missing secret. Effectively the firewall and initial control plane node should be created at the same time. - -This approach allows maximum flexibility as intended by Cluster API and is still able to provide robust rolling updates of firewalls. - -An advanced use case of this flexibility would be a management cluster, that is in charge of multiple workload clusters. Where one workload cluster acts as a monitoring or tooling cluster, receives logs and the firewall monitor for the other workload clusters. The CWNPs could be defined here, all in a separate namespace. - -#### Cluster API Caveats - -When the cluster is pivoted and reconciles its own firewall, a malfunctioning firewall prevents the cluster from self-healing and requires manual intervention by creating a new firewall. This is an inherent problem of the cluster-api approach. It can be circumvented by using an extra cluster to manage workload clusters. - -In the current form of this approach firewalls and therefore the firewall egress and ingress rules are managed by the cluster operators that manage the cluster-api resources. -Hence it will not be possible to gain a fine-grained control over every cluster operator's choices from a central ruleset at the level of metal-stack firewalls. -In case this control surfaces as a requirement, it would need to be implemented in a firewall external to metal-stack. - -## Roadmap - -In general this proposal is not thought to be implemented in one batch. Instead an incremental approach is required. - -1. Enhance firewall-controller-manager - - - Add `FirewallDeployment.spec.template.spec.userdataContents` - -2. Enhance firewall-controller - - - Reduce coupling between controllers - - Introduce controller config - - Abstract module to write into distinct nftable rules for every controller - - Implement `sources.static`, but not `sources.metal` - - GEPM should set `FirewallDeployment.spec.template.spec.userdataContents` - -3. Allow Cluster API to use the FCM with static ruleset - - - Add `firewall.metal-stack.io/paused` annotation (managed by CAPMS during `clusterctl move`, theoretically useful for Gardener shoot migration as well to avoid shallow deletion). - - Reconcile multiple `FirewallDeployment` resources across multiple namespaces. For Gardener the old behavior of reconciling only one namespace should persist. - - Allow setting the `firewall.metal-stack.io/no-controller-connection` annotation through the `FirewallDeployment` (either through the template or inheritance). - - Add `MetalStackCluster.spec.firewallTemplate`. - - Make `MetalStackCluster.spec.nodeNetworkID` optional if `spec.firewallTemplate` given. - -4. Add `sources.metal` as configuration option. - - - Allow updates of firewall rules in the metal-apiserver. - - Depends on [MEP-4](../MEP4/README.md) metal-apiserver progress - -5. Potentially migrate the GEPM to use `sources.metal` diff --git a/versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP16/firewall-for-capms-overview.drawio b/versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP16/firewall-for-capms-overview.drawio deleted file mode 100644 index faea3e3d..00000000 --- a/versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP16/firewall-for-capms-overview.drawio +++ /dev/null @@ -1,4 +0,0 @@ - - - -
handles traffic
Firewall
Firewall Controller
node-exporter
nftables-exporter
droptailer-client
Workload Cluster
droptailer
Configures
Bootstrap or Management Cluster
reconcile
configures
reconcile
Cluster API Provider metal-stack
Metal Stack Cluster CRD
Firewall Deployment CRD
Firewall CRD
Firewall Set CRD
rec
reconcile
reconcile
Firewall Controller Manager
Metal Stack Machine CRD
manages
Admin
Kubeconfig FirewallMonitor
FirewallMonitor CRD
main metal-api
Firewall entity
kubeconfig CWNP
Clusterwide Network Policy CRD
base config
controllerConfig
user-defined
network rules
reports firewall
state
send firewall log lines
controllerConfig
controllerConfig
 \ No newline at end of file diff --git a/versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP16/firewall-for-capms-overview.svg b/versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP16/firewall-for-capms-overview.svg deleted file mode 100644 index 853f8175..00000000 --- a/versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP16/firewall-for-capms-overview.svg +++ /dev/null @@ -1 +0,0 @@ -
handles traffic
handles traffic
Firewall
Firewall
Firewall Controller
Firewall Controller
node-exporter
node-exporter
nftables-exporter
nftables-exporter
droptailer-client
droptailer-client
Workload Cluster
Workload Cluster
droptailer
droptailer
Configures
Configures
Bootstrap or Management Cluster
Bootstrap or Management Cluster
reconcile
reconcile
configures
configures
reconcile
reconcile
Cluster API Provider metal-stack
Cluster API Provider...
Metal Stack Cluster CRD
Metal Stack Cluster...
Firewall Deployment CRD
Firewall Deployment...
Firewall CRD
Firewall CRD
Firewall Set CRD
Firewall Set CRD
rec
rec
reconcile
reconcile
reconcile
reconcile
Firewall Controller Manager
Firewall Controller...
Metal Stack Machine CRD
Metal Stack Machine...
manages
manages
Admin
Admin
Kubeconfig FirewallMonitor
Kubeconfig FirewallMonitor
FirewallMonitor CRD
FirewallMonitor CRD
main metal-api
main metal-api
Firewall entity
Firewall entity
kubeconfig CWNP
kubeconfig CWNP
Clusterwide Network PolicyCRD
Clusterwide Network...
base config
base config
controllerConfig
controllerConfig
user-defined
network rules
user-defined...
reports firewall
state
reports firewall...
send firewall log lines
send firewall log lines
controllerConfig
controllerConfig
controllerConfig
controllerConfigText is not SVG - cannot display \ No newline at end of file diff --git a/versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP17/README.md b/versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP17/README.md deleted file mode 100644 index 35f48970..00000000 --- a/versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP17/README.md +++ /dev/null @@ -1,61 +0,0 @@ ---- -slug: /MEP-17-global-network-view -title: MEP-17 -sidebar_position: 17 ---- - -# Global Network View - -> [!IMPORTANT] -> This MEP assumes the implementation of the metal-apiserver as described by [MEP-4](../MEP4/README.md) which is currently work in progress. - -Having a complete view of the network topology is useful when working with deployments or troubleshooting connectivity issues. -Currently, the API doesn't know of any other switches than the leaf switches. -Information about all other switches and their connections must be gathered from Ansible inventories or by accessing the switches via SSH. -Documentation of each partition's network must be kept in-sync with all changes made to the deployment or cabling. -We would like to expand the API's knowledge of the network to the entire underlay including inter-switch connections as well as BGP statistics and health status. - -## Switch Types - -Registering a switch at the API is done by the metal-core. -Apart from that, it also reconciles port and FRR configuration to adapt to the machine provisioning cycle. -This reconfiguration is only necessary on the leaf switches. -To allow deploying the metal-core on other switches than leaves we need a way of telling it what type of switch it is running on so it can act accordingly. -On any non-leaf switches it will only register the switch and report statistic but not change any configuration. -Supported switch types are - -- `leaf` -- `spine` -- `exit` -- `mgmtleaf` -- `mgmtspine` - -## Network Topology - -All switches should periodically report their LLDP neighbors and port configuration. -This information can be used to quickly identify common network issues, like MTU mismatch or the like. -Ideally, there would be some graphical representation of the network topology containing only the most important information for a quick overview. -It should contain all switches and machines as nodes and all connections as edges of a graph. -Ports, VRFs, and maybe also IPs should be associated with a connection. - -Apart from the topology graph, there should be a way to display more detailed information about both ports of a connection, like - -- MTU -- speed -- IP -- UP/DOWN status -- VRF -- VLAN -- whether it participates in a BGP session - -## BGP Announcements - -The metal-core should collect all routes it knows about and send them to the API along with a timestamp. -Reported routes should be stored to a redis database along with the switch that reported them and the timestamp of the last time they were reported. -An expiration threshold should be defined and all expired routes should be cleaned up periodically. -Whenever new routes are reported they get merged into the existing ones by the strategy: - -- when new, just add -- when existing, update `last_announced` timestamp - -By querying the BGP announcements we can find out whether an allocated IP is still in use. diff --git a/versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP18/README.md b/versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP18/README.md deleted file mode 100644 index 9c02c0b7..00000000 --- a/versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP18/README.md +++ /dev/null @@ -1,147 +0,0 @@ ---- -slug: /MEP-18-autonomous-control-plane -title: MEP-18 -sidebar_position: 18 ---- - -# Autonomous Control Plane - -As described in the [deployment chapter](../../../docs/04-For%20Operators/03-deployment-guide.mdx), we strongly recommend Kubernetes as the target platform for running the metal-stack control plane. - -Kubernetes clusters for this purpose are readily available from hyperscalers, metalstack.cloud, or other cloud providers. Simply using a managed Kubernetes cluster greatly simplifies a metal-stack installation. However, sometimes it might be desirable to host the metal-stack control plane autonomously, without the help of another cloud provider. Reasons for this might include corporate policies that prohibit the use of external data center products, or network constraints. - -The Kubernetes cluster hosting the metal-stack control plane must provide at least the following features: - -- Load balancing (for exposing the APIs) -- Persistent storage (for the databases and key-value stores) -- Access to object storage for automated backups of the stateful sets -- Access to a DNS provider supported by one of the used DNS extensions -- Externally accessible DNS records for obtaining officially signed certificates through DNS challenges - -This metal-stack control plane cluster must also be highly available to prevent a complete loss of control over the managed resources in the data center. -Regular Kubernetes updates to apply security fixes and feature updates must be possible in an automated manner. The Day-2 operational overhead of running this cluster in your own datacenter must be reasonable. - -In this chapter, we propose a solution for setting up a metal-stack environment with an autonomous control plane that is independent of another cloud provider. - -## Use Your Own Dogfood - -The most obvious solution is to just deploy a Kubernetes cluster manually in your own data center by utilizing existing tooling for the deployment: - -- k3s -- kubeadm -- vmware and rancher -- talos -- kubespray -- ... (not a complete list) - -However, all these solutions add another layer of complexity that needs to be maintained and operated by people who also need to learn and understand metal-stack. In general, metal-stack in combination with [Gardener](https://gardener.cloud) contains all the necessary tools to provide KaaS, so it makes sense to reuse what is already in place without introducing new dependencies on other products and vendors. - -The only problem here is that Gardener is not yet able to create an initial cluster, which may change with the implementation of [GEP-28](https://github.com/gardener/gardener/blob/master/docs/proposals/28-autonomous-shoot-clusters.md). In the meantime, we suggest using [k3s](https://k3s.io/), which manages the initial metal-stack partition to host the control plane, since the maintenance overhead is acceptable and it is easy to deploy. - -## The Matryoshka Principle - -Instead of directly using the K3s cluster for the production control plane, we propose using it as a minimal control plane cluster which only purpose is to host the production control plane cluster. This layer of indirection brings some reasonable advantages: - -- In the event of an interruption or loss of this minimal control plane cluster, the production control plane remains unaffected, and end users can continue to manage their clusters as normal. -- A dedicated operations team can take care of the Day-2 maintenance of this installation, which can be handy because the tools like k3s are a little different from the rest of the setup (it is likely that more manual maintenance is required than for any other cluster). This would also be true if the initial cluster problem would be solved by the Gardener itself and not using k3s. -- Since the number of shoot clusters to host is static, the resource requirements are minimal and will not change significantly over time. There are no huge resource requirements in terms of cpu, memory and storage. As such, the lack of scalability is not such a big issue. - -So, our proposal is to chain two metal-stack control planes. The initial control plane cluster would use k3s and on this cluster we can spin up a cluster for the production control plane with the use of Gardener. - -The following figure shows how the high-level architecture of this setup looks like. A even more simplified illustration of this setup can be looked up in the appendix[^1]. - -![Autonomous Control Plane Architecture](./autonomous-control-plane-images/metal-stack-autonomous-control-plane-full.svg) - -The k3s nodes can either be bare metal machines or virtual machines. When using VMs a single k3s node might be a viable solution, too. These nodes are supposed to be setup manually / partly automated with an operating system like Debian. - -To name the cluster that hosts the initial metal-stack control plane and Gardener we use the term _initial cluster_. The initial cluster creates worker nodes to host the _target cluster_. - -## Initial Cluster - -The initial cluster is kept very small. The physical bare metal machines can be any machines and switches which are supported by metal-stack, but can be smaller in terms of cpu, memory and network speed because these machines must only be capable of running the target cluster for the metal-stack control plane. A typical single socket server with 8-16 cores and 64GB of RAM and two NVMe drives of 1TB would be a good starting point. - -In a typical k3s setup, a stateful set would lose the data once the k3s cluster was terminated and started again. But there is a possibility to define parts of the local storage of the server to be provided to the k3s cluster for the PVCs. With that, k3s could be terminated and started again, for example to update and reboot the host os, or update k3s itself and the data will persist. - -Example k3s configuration for persistent storage on the hosts os: - -```yaml -k3s: Cluster -apiVersion: k3s.x-k8s.io/v1alpha4 -name: needle-control-plane -nodes: - - role: control-plane - # add a mount from /path/to/my/files on the host to /files on the node - extraMounts: - - hostPath: /path/to/my/files - containerPath: /files -``` - -Into this cluster metal-stack and Gardener will be deployed. This deployment can be done by a Gitlab runner which is running on this machine. -The mini-lab will be used as a base for this deployment. The current development of [gardener-in-minilab](https://github.com/metal-stack/mini-lab/pull/202) must be extended to host all required extensions to make this a working metal-stack control plane which can manage the machines in the attached bare metal setup. - -In addition to the metal-stack and Gardener deployment, some additional required services are deployed (non-complete list): - -- PowerDNS to serve as a DNS Server for all DNS entries used in the initial and the target cluster, like `api.initial.metal-stack.local`, `gardener-api.initial.metal-stack.local` and the DNS entries for the api servers of the created kubernetes clusters. -- NTP -- Monitoring for the initial cluster and partition -- Optional: OIDC Server for authenticating against the metal-api -- Optional: Container Registry to host all metal-stack and gardener containers -- Optional: Let's Encrypt [boulder](https://github.com/letsencrypt/boulder) as a certificate authority -- ... - -Physical view, minimal setup for a initial cluster with a single physical node: - -![Small Initial Cluster](autonomous-control-plane-images/small-initial-cluster.svg) - -Physical View, bigger ha setup which is spread across two data centers: - -![HA Initial Cluster](autonomous-control-plane-images/ha-initial-cluster.svg) - -### Control Plane High Availability - -Running the initial control plane on a single physical server is not as available as it should be in such a use case. It should be possible to survive a loss of this server, because the server could be lost by many events, such as hardware failure, disk corruption or even failure of the datacenter location where this server is deployed. - -Setting up a second server with the same software components is an option, but the problem of data redundancy must be solved, because neither the gardener control plane, nor the metal-stack control plane can be instantiated twice. - -Given that we provide part of the local storage of the server as backing storage for the stateful sets in the k3s cluster, the data stored on the server itself must be replicated to another server and backed up on a regular basis. - -The replication of ETCD can be achieved through [clustered configuration](https://docs.k3s.io/datastore/ha-embedded) of k3s. Components of metal-stack and Gardener can run standalone and already utilize backup-restore mechanism that must be configured accordingly. For two or more bare metal machine used for the initial cluster, a loadbalancing mechanism for the ingress is required. kube-vip could be a possible solution. - -For monitoring a backend like a Victoria Metrics Cluster would allow spearding the monitoring data across the initial cluster nodes. These metrics should also be backed up in object storage. - -### Partition - -The partition which is managed by the initial cluster can be a simple and small hardware setup but yet capable enough to host the target cluster. It would even be a good practice to create separate target clusters on the initial cluster, e.g. one for the metal-stack control plane and one for the Gardener (maybe one more for monitoring). - -It can follow the metal-stack minimal setup which provides about 8-16 small servers connected to a 1G/s or 10G/s network dataplane. Central storage is optional as the persistence of the services running in these clusters is always backed up to a central object storage. Operations would be much easier if a central storage is provided. - -## Target Cluster - -The target cluster is the metal-stack environment which serves for end-user production use, the control plane is running in a shoot hosted in the initial cluster. The seed(s) and shoot(s) for end-users are created on the machines provided by the target cluster. -These machines can be of a different type in terms of size, but more importantly, these machines are connected to another network dataplane. Also the management infrastructure is separated from the initial cluster management network. - -## Failure Scenarios - -Everything could fail, everything will fail at some point. But this must kept in mind and nothing bad should happen if only one component at a time fails. -If more than one fails, the restoration to a working state must be easily possible and well documented. - -To ensure all possible breakages are documented, we suggest writing a list which summarizes all failure scenarios that might occur including the remediation. - -Here is an example of how a scenario documentation could look like: - -**Scenario**: Initial cluster is gone, all machines have died -**Impact**: Management of the initial cluster infrastructure not possible anymore, the target cluster continues to run but cannot be managed because the API servers are gone. end-users are not affected by this incident. -**Remediation**: The initial cluster nodes must be provisioned from scratch and re-deployed through the CI mechanism. The backups of the stateful sets are automatically restored during this process. - -## Implementation - -As part of this proposal, we provide the following tools and integrations in order to setup an autonomous control plane: - -- Deployment roles for the services like PowerDNS and NTP for the initial cluster -- Stretch goal: Deployment role to setup k3s in clustered configuration for the initial cluster and update it -- Extend the Gardener on mini-lab integration to allow shoot creation in the mini-lab -- Steady integration of the setup (maybe something like [k3d](https://github.com/k3d-io/k3d) in the mini-lab) - -## Appendix - -[^1]: ![metal-stack-chain](autonomous-control-plane-images/metal-stack-chain.svg) diff --git a/versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP18/autonomous-control-plane-images/ha-initial-cluster.drawio b/versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP18/autonomous-control-plane-images/ha-initial-cluster.drawio deleted file mode 100644 index eafcb514..00000000 --- a/versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP18/autonomous-control-plane-images/ha-initial-cluster.drawio +++ /dev/null @@ -1,535 +0,0 @@ - - - - - - - - - - - - - - - - - - - 1 - - - - - 2 - - - - - 3 - - - - - 4 - - - - - 5 - - - - - 6 - - - - - 7 - - - - - 8 - - - - - 9 - - - - - 10 - - - - - 11 - - - - - 12 - - - - - - - - - - - - - -
-
-
- internet-router-management -
-
-
- - - internet-router-management - - - - - - - - - - - - - -
-
-
- management-switch-and-server -
-
-
- - - management-switch-and-server - - - - - - - - - - - - - -
-
-
- spine01 -
-
-
- - - spine01 - - - - - - - - - - - - - -
-
-
- leaf01 -
-
-
- - - leaf01 - - - - - - - - - - - - - -
-
-
- leaf02 -
-
-
- - - leaf02 - - - - - - - - - - - - - - - - - -
-
-
- - mirocloud (initial cluster partition nodes) - -
-
-
- - - mirocloud (initial cluster... - - - - - - - - - - - - - - - - - -
-
-
- - Initial cluster node 01 - -
-
-
- - - Initial cluster node 01 - - - - - - - - - - - - - - - - - 1 - - - - - 2 - - - - - 3 - - - - - 4 - - - - - 5 - - - - - 6 - - - - - 7 - - - - - 8 - - - - - 9 - - - - - 10 - - - - - 11 - - - - - 12 - - - - - - - - - - - - - -
-
-
- internet-router-management -
-
-
- - - internet-router-management - - - - - - - - - - - - - -
-
-
- management-switch-and-server -
-
-
- - - management-switch-and-server - - - - - - - - - - - - - -
-
-
- spine02 -
-
-
- - - spine02 - - - - - - - - - - - - - -
-
-
- leaf03 -
-
-
- - - leaf03 - - - - - - - - - - - - - -
-
-
- leaf04 -
-
-
- - - leaf04 - - - - - - - - - - - - - - - - - -
-
-
- - Initial cluster node 02 - -
-
-
- - - Initial cluster node 02 - - - - - - - - - - - - - - - - - -
-
-
- - Initial cluster node 03 - -
-
-
- - - Initial cluster node 03 - - - - - - - - - - - - - - - - - -
-
-
- - mirocloud (initial cluster partition nodes) - -
-
-
- - - mirocloud (initial cluster... - - - - - - - - - - Text is not SVG - cannot display - - - - diff --git a/versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP18/autonomous-control-plane-images/ha-initial-cluster.svg b/versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP18/autonomous-control-plane-images/ha-initial-cluster.svg deleted file mode 100644 index 99261ada..00000000 --- a/versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP18/autonomous-control-plane-images/ha-initial-cluster.svg +++ /dev/null @@ -1 +0,0 @@ -123456789101112
internet-router-management
internet-router-management
management-switch-and-server
management-switch-and-server
spine01
spine01
leaf01
leaf01
leaf02
leaf02
mirocloud (initial cluster partition nodes)
mirocloud (initial cluster...
Initial cluster node 01
Initial cluster node 01123456789101112
internet-router-management
internet-router-management
management-switch-and-server
management-switch-and-server
spine02
spine02
leaf03
leaf03
leaf04
leaf04
Initial cluster node 02
Initial cluster node 02
Initial cluster node 03
Initial cluster node 03
mirocloud (initial cluster partition nodes)
mirocloud (initial cluster...Text is not SVG - cannot display \ No newline at end of file diff --git a/versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-autonomous-control-plane-full.drawio b/versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-autonomous-control-plane-full.drawio deleted file mode 100644 index aae8a12d..00000000 --- a/versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-autonomous-control-plane-full.drawio +++ /dev/null @@ -1,1133 +0,0 @@ - - - - - - - - - - - - - - - - - - - -
-
-
- Initial Cluster -
-
-
- - - Initial Cluster - - - - - - - - - - - - - - - - - - -
-
-
- metal-roles -
-
-
- - - metal-roles - - - - - - - - - - - -
-
-
- CI -
-
-
- - - CI - - - - - - - - - - - -
-
-
- K3s Standalone - - - (on Debian) - - -
-
-
- - - K3s Standalone (on Debian) - - - - - - - - - - - - - - - - - - - - - -
-
-
- Initial Partition -
-
-
- - - Initial Partition - - - - - - - - - - - - - - - - - -
-
-
- Target Cluster for metal-stack -
-
-
- - - Target Cluster for metal-stack - - - - - - - - - - - - - - - - - -
-
-
- Metal Control Plane -
-
-
- - - Metal Control Plane - - - - - - - - - - - - - - - -
-
-
- provisions -
-
-
- - - provisions - - - - - - - - - - - - - - - - - -
-
-
- Target Cluster for Gardener -
-
-
- - - Target Cluster for Gardener - - - - - - - - - - - - - - -
-
-
- Gardener Control Plane -
-
-
- - - Gardener Control Plane - - - - - - - - - - - - - - - - - - - - - -
-
-
- Monitoring -
-
-
- - - Monitoring - - - - - - - - - - - - - - - - - - - - -
-
-
- Target Partition -
-
-
- - - Target Partition - - - - - - - - - - - - - - -
-
-
- Gardener Seeds and End-User Shoots -
-
-
- - - Gardener Seeds and End-User Shoots - - - - - - - - - - - - - - - -
-
-
- provisions -
-
-
- - - provisions - - - - - - - - - - - - -
-
-
- metal-roles -
-
-
- - - metal-roles - - - - - - - - - - - -
-
-
- CI -
-
-
- - - CI - - - - - - - - - - - - -
-
-
- metal-roles -
-
-
- - - metal-roles - - - - - - - - - - - - - - -
-
-
- ETCD can be clustered or standalone, backed up by sidecar -
-
-
- - - ETCD can be clustere... - - - - - - - - - - - - - - -
-
-
- This data will get lost in case local PV gets deleted -
-
-
- - - This data will get l... - - - - - - - - - - - - - - -
-
-
- We can work with local PVs here, too. -
- backup-restore-sidecar for metal-stack databases, for big ones Postgres clustered. -
-
-
- - - We can work with local PVs he... - - - - - - - - - - - -
-
-
- ETCD will be deployed in HA configuration on local PVs. -
-
- csi-driver-lvm needs to implement auto deletion of orphaned PVs. -
-
- Seed metrics get lost, but they report to the monitoring in the Metal Control Plane Shoot. -
-
-
- - - ETCD will be deployed in HA c... - - - - - - - - - - - - - - -
-
-
- More sophisticated storage solutions can be in place. -
-
- (Lightbits, NetApp, ...) -
-
-
- - - More sophisticated storage so... - - - - - - - - - - - - - - -
-
-
- TODO: Evaluate how to persist these metrics. -
-
-
- - - TODO: Evaluate how to persist... - - - - - - - - - - - - - - -
-
-
- - 1 VM or -
- -
- - - 3 Bare Metal Machines - - -
-
-
-
- - - 1 VM or... - - - - - - - - - - - - - - - - - - -
-
-
- metal-stack -
-
-
- - - metal-stack - - - - - - - - - - - -
-
-
- metal-api -
-
-
- - - metal-api - - - - - - - - - - - -
-
-
- metal-db -
-
-
- - - metal-db - - - - - - - - - - - -
-
-
- ipam-db -
-
-
- - - ipam-db - - - - - - - - - - - -
-
-
- masterdata-db -
-
-
- - - masterdata-db - - - - - - - - - - - -
-
-
- headscale-db -
-
-
- - - headscale-db - - - - - - - - - - - -
-
-
- auditing-db -
-
-
- - - auditing-db - - - - - - - - - - - -
-
-
- nsqd -
-
-
- - - nsqd - - - - - - - - - - - - - - - -
-
-
- Gardener -
-
-
- - - Gardener - - - - - - - - - - - - - - -
-
-
- Virtual Garden -
-
-
- - - Virtual Garden - - - - - - - - - - - -
-
-
- Gardener Control Plane -
-
-
- - - Gardener Control Plane - - - - - - - - - - - -
-
-
- gardenlet -
-
-
- - - gardenlet - - - - - - - - - - - -
-
-
- Garden etcd -
-
-
- - - Garden etcd - - - - - - - - - - - -
-
-
- Prometheus -
-
-
- - - Prometheus - - - - - - - - - - - - - - - -
-
-
- Monitoring -
-
-
- - - Monitoring - - - - - - - - - - - - - - -
-
-
- - Gitlab - -
- - Runner - -
-
-
-
- - - Gitlab... - - - - - - - - - - - - - - -
-
-
- Services -
-
-
- - - Services - - - - - - - - - - - -
-
-
- PowerDNS -
-
-
- - - PowerDNS - - - - - - - - - - - -
-
-
- boulder -
-
-
- - - boulder - - - - - - - - - - - -
-
-
- NTP -
-
-
- - - NTP - - - - - - - - - - - -
-
-
- OIDC -
-
-
- - - OIDC - - - - - - - - - - - -
-
-
- ... -
-
-
- - - ... - - - - - - - - - - Text is not SVG - cannot display - - - - diff --git a/versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-autonomous-control-plane-full.svg b/versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-autonomous-control-plane-full.svg deleted file mode 100644 index e58e783b..00000000 --- a/versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-autonomous-control-plane-full.svg +++ /dev/null @@ -1 +0,0 @@ -
Initial Cluster
Initial Cluster
metal-roles
metal-roles
CI
CI
K3s Standalone(on Debian)
K3s Standalone (on Debian)
Initial Partition
Initial Partition
Target Cluster for metal-stack
Target Cluster for metal-stack
Metal Control Plane
Metal Control Plane
provisions
provisions
Target Cluster for Gardener
Target Cluster for Gardener
Gardener Control Plane
Gardener Control Plane
Monitoring
Monitoring
Target Partition
Target Partition
Gardener Seeds and End-User Shoots
Gardener Seeds and End-User Shoots
provisions
provisions
metal-roles
metal-roles
CI
CI
metal-roles
metal-roles
ETCD can be clustered or standalone, backed up by sidecar
ETCD can be clustere...
This data will get lost in case local PV gets deleted
This data will get l...
We can work with local PVs here, too.
backup-restore-sidecar for metal-stack databases, for big ones Postgres clustered.
We can work with local PVs he...
ETCD will be deployed in HA configuration on local PVs.

csi-driver-lvm needs to implement auto deletion of orphaned PVs.

Seed metrics get lost, but they report to the monitoring in the Metal Control Plane Shoot.
ETCD will be deployed in HA c...
More sophisticated storage solutions can be in place.

(Lightbits, NetApp, ...)
More sophisticated storage so...
TODO: Evaluate how to persist these metrics.
TODO: Evaluate how to persist...
1 VM or
3 Bare Metal Machines
1 VM or...
metal-stack
metal-stack
metal-api
metal-api
metal-db
metal-db
ipam-db
ipam-db
masterdata-db
masterdata-db
headscale-db
headscale-db
auditing-db
auditing-db
nsqd
nsqd
Gardener
Gardener
Virtual Garden
Virtual Garden
Gardener Control Plane
Gardener Control Plane
gardenlet
gardenlet
Garden etcd
Garden etcd
Prometheus
Prometheus
Monitoring
Monitoring
Gitlab
Runner
Gitlab...
Services
Services
PowerDNS
PowerDNS
boulder
boulder
NTP
NTP
OIDC
OIDC
...
...Text is not SVG - cannot display \ No newline at end of file diff --git a/versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-chain.drawio b/versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-chain.drawio deleted file mode 100644 index cd5cf007..00000000 --- a/versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-chain.drawio +++ /dev/null @@ -1,404 +0,0 @@ - - - - - - - - - - -
-
-
- Partition 1 -
-
-
- - - Partition 1 - - - - - - - -
-
-
- seeds -
-
-
- - - seeds - - - - - - - -
-
-
- shoots -
-
-
- - - shoots - - - - - - - - - -
-
-
- Partition 2 -
-
-
- - - Partition 2 - - - - - - - -
-
-
- seeds -
-
-
- - - seeds - - - - - - - -
-
-
- shoots -
-
-
- - - shoots - - - - - - - - - -
-
-
- Partition 3 -
-
-
- - - Partition 3 - - - - - - - -
-
-
- seeds -
-
-
- - - seeds - - - - - - - -
-
-
- shoots -
-
-
- - - shoots - - - - - - - - - -
-
-
- Production Control Plane -
-
-
- - - Production Control Plane - - - - - - - -
-
-
- metal-stack -
- kubernetes cluster -
-
-
- - - metal-stack... - - - - - - - -
-
-
- gardener -
- kubernetes cluster -
-
-
- - - gardener... - - - - - - - -
-
-
- - Manages - -
-
-
- - - Manages - - - - - - - - - - - -
-
-
- Control Plane Partition -
-
-
- - - Control Plane Partition - - - - - - - - -
-
-
- backup of stateful sets -
-
-
- - - backup of stateful sets - - - - - - - - - -
-
-
- bare metal machine -
-
-
- - - bare metal machine - - - - - - - -
-
-
- metal-stack -
- and -
- gardener -
- kubernetes cluster -
- running in kind -
-
-
- - - metal-stack... - - - - - - - -
-
-
- - Manages - -
-
-
- - - Manages - - - - - - - - -
-
-
- S3 -
-
-
- - - S3 - - - - - - - -
-
-
- Needle -
-
-
- - - Needle - - - - - - -
-
-
- - Nail - -
-
-
- - - Nail - - - - - - - - - Text is not SVG - cannot display - - - - \ No newline at end of file diff --git a/versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-chain.svg b/versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-chain.svg deleted file mode 100644 index 8f88ba14..00000000 --- a/versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-chain.svg +++ /dev/null @@ -1 +0,0 @@ -
Partition 1
Partition 1
seeds
seeds
shoots
shoots
Partition 2
Partition 2
seeds
seeds
shoots
shoots
Partition 3
Partition 3
seeds
seeds
shoots
shoots
Production Control Plane
Production Control Plane
metal-stack
kubernetes cluster
metal-stack...
gardener
kubernetes cluster
gardener...
Manages
Manages
Control Plane Partition
Control Plane Partition
backup of stateful sets
backup of stateful sets
bare metal machine
bare metal machine
metal-stack
and
gardener
kubernetes cluster
running in kind
metal-stack...
Manages
Manages
S3
S3
Needle
Needle 
Nail
NailText is not SVG - cannot display \ No newline at end of file diff --git a/versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP18/autonomous-control-plane-images/small-initial-cluster.drawio b/versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP18/autonomous-control-plane-images/small-initial-cluster.drawio deleted file mode 100644 index a75ee340..00000000 --- a/versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP18/autonomous-control-plane-images/small-initial-cluster.drawio +++ /dev/null @@ -1,234 +0,0 @@ - - - - - - - - - - - - - - - - - - - 1 - - - - - 2 - - - - - 3 - - - - - 4 - - - - - 5 - - - - - 6 - - - - - 7 - - - - - 8 - - - - - 9 - - - - - 10 - - - - - 11 - - - - - 12 - - - - - - - - - - - - - -
-
-
- internet-router-management -
-
-
- - - internet-router-management - - - - - - - - - - - - - -
-
-
- management-switch-and-server -
-
-
- - - management-switch-and-server - - - - - - - - - - - - - -
-
-
- leaf01 -
-
-
- - - leaf01 - - - - - - - - - - - - - -
-
-
- leaf02 -
-
-
- - - leaf02 - - - - - - - - - - - - - - - - - -
-
-
- Initial cluster node -
-
-
- - - Initial cluster node - - - - - - - - - - - - - - - - - -
-
-
- mirocloud (initial cluster partition nodes) -
-
-
- - - mirocloud (initial cluster... - - - - - - - - - - Text is not SVG - cannot display - - - - diff --git a/versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP18/autonomous-control-plane-images/small-initial-cluster.svg b/versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP18/autonomous-control-plane-images/small-initial-cluster.svg deleted file mode 100644 index a9d29f05..00000000 --- a/versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP18/autonomous-control-plane-images/small-initial-cluster.svg +++ /dev/null @@ -1 +0,0 @@ -123456789101112
internet-router-management
internet-router-management
management-switch-and-server
management-switch-and-server
leaf01
leaf01
leaf02
leaf02
Initial cluster node
Initial cluster node
mirocloud (initial cluster partition nodes)
mirocloud (initial cluster...Text is not SVG - cannot display \ No newline at end of file diff --git a/versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP2/README.md b/versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP2/README.md deleted file mode 100644 index c7f2360a..00000000 --- a/versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP2/README.md +++ /dev/null @@ -1,7 +0,0 @@ ---- -slug: /MEP-2-two-factor-authentication -title: MEP-2 -sidebar_position: 2 ---- - -# Two Factor Authentication diff --git a/versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP3/README.md b/versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP3/README.md deleted file mode 100644 index 5ce36721..00000000 --- a/versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP3/README.md +++ /dev/null @@ -1,67 +0,0 @@ ---- -slug: /MEP-3-machine-re-installation -title: MEP-3 -sidebar_position: 3 ---- - -# Machine Re-Installation - -In the current metal-api only machine installations are possible, performing a machine upgrade is only possible by creating a new machine and delete the old one. -This has the drawback that in case a lot of data is stored on the local disks, a full restore of the original data must be performed. - -To prevent this, we will introduce a new metal-api endpoint to reinstall the machine with a new image, _without_ actually deleting the data stored on the additional hard disks. - -Storage is a difficult task to get right and reliable. A short analysis of our different storage requirements lead to 3 different scenarios. - -- Storage for the etcd pvs in the seed cluster of every partition. - This is the most important storage in our setup because these etcd pods serve as configuration backend for all customer kubernetes clusters. If they fail, the cluster is down. However gardener deploys a backup and restore sidecar into the etcd pod of every customer kubernetes control plane, and if this sidecar detects a corrupt or missing etcd database file(s) it starts automatic restore from the configured backup location. This will take some minutes. If for example a node dies, and gardener creates a new node instead, the csi-lvm created pv is not present on that node. Kubernetes will not schedule the missing etcd pod on this node because it has a local PV configured and is therefore tainted to run only on that node. To let kubernetes create that pod anyhow, someone has to either remove the taint, or delete the pod. If this is done, the pod starts and the restore of the etcd data can start as well. You can see this is a bit too complicated and will take the customer cluster down for a while (not measured yet but in the range of 5-10 minutes). -- Storage in customer clusters. - This was not promised in 2020. We have a intermediate solution with the provisioning of csi-lvm by default into all customer clusters. Albeit this is only local storage and will get deleted if a node dies. -- S3 Storage. - We have two possibilities to cope with storage: - - In place update of the OS with a daemonset - This will be fast and simple, but might fail because the packages being installed are broken right now, or a filesystem gets full, or any other failure you can think of during a os update. Another drawback is that metal-api does not reflect the updated os image. - - metal-api get a machine reinstall endpoint - With this approach we leverage from existing and already proven mechanisms. Reinstall must keep all data except the sata-dom. Gardener currently is not able to do an update with this approach because it can only do `rolling` updates. Therefore a additional `osupdatestrategy` has to be implemented for metal and other providers in gardener to be able to leverage the metal reinstall on the same machineID approach. - -If reinstall is implemented, we should focus on the same technology for all scenarios and put ceph via rook.io into the kubernetes clusters as additional StorageClass. It has to be checked whether to use the raw disk or a PV as the underlay block device where ceph stores its data. - -## API and behavior - -The API will get an new endpoint "reinstall" this endpoint takes two arguments: - -- machineID -- image - -No other aspects of the machine can be modified during the re-installation. All data stored in the existing allocation will be preserved, only the image will be modified. -Once this endpoint was called, the machine will get a `reboot` signal with the boot order set to PXE instead of HDD and the network interfaces on the leaf are set to PXE as well. Then the normal installation process starts: - -- unchanged: PXE boot with metal-hammer -- changed: metal-hammer first checks with the machineID in the metal-api (through metal-core) if there is already a allocation present -- changed: if a allocation is present and the allocation has set `reinstall: true`, wipe disk is only executed for the root disk, all other disks are untouched. -- unchanged: the specified image is downloaded and burned, `/install.sh` is executed -- unchanged: successful installation is reported back, network is set the the vrf, boot order is set to HDD. -- unchanged: distribution kernel is booted via kexec - -We can see that the `allocation` requires one additional parameter: `reinstall` and metal-hammer must check for already existing allocation at an earlier stage. - -Components which requires modifications (first guess): - -- metal-hammer: - - check for allocation present earlier - - evaluation of `reinstall` flag set - - wipe of disks depends on that flag - - Bonus: move configuration of disk layout and primary disk detection algorithm (PDDA) from metal-hammer into metal-api. - metal-api **MUST** reject reinstallation if the disk found by PDDA does not have the `/etc/metal` directory! -- metal-core: - - probably nothing -- metal-api: - - new endpoint `/machine/reinstall` - - add `Reinstall bool` to data model of `allocation` - - make sure to reset `Reinstall` after reinstallation to prevent endless reinstallation loop -- metalctl: - - implement `reinstall` -- metal-go: - - implement `reinstall` -- gardener (longterm): - - add the `OSUpgradeStrategy` `reinstall` diff --git a/versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP4/README.md b/versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP4/README.md deleted file mode 100644 index 389a02d4..00000000 --- a/versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP4/README.md +++ /dev/null @@ -1,211 +0,0 @@ ---- -slug: /MEP-4-multi-tenancy-for-the-metal-api -title: MEP-4 -sidebar_position: 4 ---- - -# Multi-Tenancy for the metal-api -:::info -This document is work in progress. -::: - -In the past we decided to treat the metal-api as a "low-level API", i.e. the API does not specifically deal with projects and tenants. A user with editor access can for example assign machines to every project he desires, he can see all the machines available and can control them. We tried to keep the metal-api code base as small as possible and we added resource scoping to a "higher-level APIs". From there, a user would be able to only see his own clusters and IP addresses. - -As time passed metal-stack has become an open-source project and people are willing to adopt. Adopters who want to put their own technologies on top of the metal-stack infrastructure don't have those "higher-level APIs" that we implemented closed-source for our user base. So, external adopters most likely need to implement resource scoping on their own. - -Introducing multi-tenancy to the metal-api is a serious chance of making our product better and more successful as it opens the door for: - -- Becoming a "fully-featured" API -- Narrowing down attack surfaces and possibility of unintended resource modification produced by bugs or human errors -- Discouraging people to implement their own scoping layers in front of the metal-stack -- Gaining performance through resource scopes -- Letting untrusted / third-parties work with the API - -## Requirements - -These are some general requirements / higher objectives that MEP-4 has to fulfill. - -- Should be able to run with mini-lab without requiring to setup complex auth backends (dex, LDAP, keycloak, ...) - - Simple to start with, more complex options for production setups -- Fine-grained access permissions (every endpoint maps to a permission) -- Tenant scoping (disallow resource access to resources of other tenants) -- Project scoping (disallow resource access to resources of other projects) -- Access tokens in self-service for technical user access - -## Implementation - -We gathered a lot of knowledge while implementing a multi-tenancy-capable backend for metalstack.cloud. The goal is now to use the same technology and adopt that to the metal-api, this includes: - -- gRPC in combination with connectrpc -- OPA for making auth decisions -- REST HTTP only for OIDC login flows - -### API Definitions - -The API definitions should be located on a separate Github repository separate from the server implementation. The proposed repository location is: https://github.com/metal-stack/api. - -This repository contains the `proto3` specification of the exposed metal-stack api. This includes the messages, simple validations, services and the access permission to these services. The input parameters for the authorization in the backend are generated from the `proto3` annotations. - -Client implementations for the most relevant languages (go, python) are generated automatically. - -This api is divided into end-user and admin access at the top level. The proposed APIs are: - -- `metalstack.api.v2`: For end-user facing services -- `metalstack.admin.v2`: For operators and controllers which need access to unscoped entities - -The methods of the API can have different role scopes (and can be narrowed down further with fine-grained method permissions): - -- `tenant`: Tenant-scoped methods, e.g. project creation (tenant needs to be provided in the request payload) - - Available roles: VIEWER, EDITOR, OWNER -- `project`: Project-scoped methods, e.g. machine creation (tenant needs to be provided in the request payload) - - Available roles: VIEWER, EDITOR, OWNER -- `admin` Admin-scoped methods, e.g. unscoped tenant list or switch register - - Available roles: VIEWER, EDITOR - -And has methods with different visibility scopes: - -- `self`: Methods that only the logged in user can access, e.g. show permissions with the presented token -- `public`: Methods that do not require any specific authorization - -### API - -The API server implements the services defined in the API and validates access to a method using OPA with the JWT tokens passed in the requests. The server is implemented using the connectrpc.com framework. - -The API server implements the login flow through OIDC. After successful authentication, the API server derives user permissions from the OIDC provider and issues a new JWT token which is passed on to the user. The tokens including the permissions are stored in a redis compatible backend. - -With these tokens, users can create Access Tokens for CI/CD or other use cases. - -JWT Tokens can be revoked by admins and the user itself. - -### API Server - -Is put into a new github repo which implements the services defined in the `api` repository. It opens a `https` endpoints where the grpc (via connectrpc.com) and oidc services are exposed. - -### Migration of the Consumers - -To allow consumers to migrate to the `v2` API gradually, both apis, the new and the old, are deployed in parallel. In the control-plane both apis are deployed side-by-side behind the ingress. `api.example.com` is forwarded to `metal-api` and `metal.example.com` is forwarded to the new `metal-apiserver`. - -The api-server will talk to the existing metal-api during the process of migration services away to the new grpc api. - -The migration process can be done in the following manner: - -for each resource in the metal-api: - -- create a new proto3 based definition in the `api` repo. -- implement the business logic per service in the new `metal-apiserver` without calling the metal-api. -- clients must be able to talk to `v1` and `v2` backend in parallel -- Deprecate the already migrated service in the swagger route to notify the client that this route should not be used anymore. -- identify all consumers of this resource and replace them to use the grpc instead of the rest api -- move the business logic incl. the backend calls to ipam, metal-db, masterdata-api, nsq for this resource from the metal-api to the `metal-apiserver` - -We will migrate the rethinkdb backend implementation to a generic approach during this effort. - -- Try to enhance the generic rethinkdb interface with `project` scoped methods. - -There are a lot of consumers of metal-api, which need to be migrated: - -- ansible -- firewall-controller -- firewall-controller-manager -- gardener-extension-auth -- gardener-extension-provider-metal - - Do not point the secret bindings to a the shared provider secret in the seed anymore. Instead, use individual provider-secret containing project-scoped API access tokens in the Gardener project namespaces. -- machine-controller-manager-provider-metal -- metal-ccm -- metal-console -- metal-bmc -- metal-core -- metal-hammer -- metal-image-cache-sync -- metal-images -- metal-metrics-exporter -- metal-networker -- metalctl -- pixie - -## User Scenarios - -This section gathers a collection of workflows from the perspective of a user that we want to provide with the implementation of this proposal. - -### Machine Creation - -A regular user wants to create a machine resource. - -Requirements: Project was created, permissions are present - -- The user can see networks that were provided by the admin. - - ``` - $ metalctl network ls - ID NAME PROJECT PARTITION NAT SHARED PREFIXES IPS - internet Internet Network true false 212.34.83.0/27  ● - tenant-super-network-fra-equ01 Project Super Network fra-equ01 false false 10.128.0.0/14  ● - underlay-fra-equ01 Underlay Network fra-equ01 false false 10.0.0.0/16  ● - ``` - -- The user has to set the project scope first or provide `--project` flags for all commands. - ``` - $ metalctl project set 793bb6cd-8b46-479d-9209-0fedca428fe1 - You are now acting on project 793bb6cd-8b46-479d-9209-0fedca428fe1. - ``` -- The user can create the child network required for machine allocation. - ``` - $ metalctl network allocate --partition fra-equ01 --name test - ``` -- Now, the user sees his own child network. - ``` - $ metalctl network ls - ID NAME PROJECT PARTITION NAT SHARED PREFIXES IPS - internet Internet Network true false 212.34.83.0/27  ● - tenant-super-network-fra-equ01 Project Super Network fra-equ01 false false 10.128.0.0/14  ● - └─╴08b9114b-ec47-4697-b402-a11421788dc6 test 793bb6cd-8b46-479d-9209-0fedca428fe1 fra-equ01 false false 10.128.64.0/22  ● - underlay-fra-equ01 Underlay Network fra-equ01 false false 10.0.0.0/16  ● - ``` -- The user does not see any machines yet. - ``` - $ metalctl machine ls - ``` -- The user can create a machine. - ``` - $ metalctl machine create --networks internet,08b9114b-ec47-4697-b402-a11421788dc6 --name test --hostname test --image ubuntu-20.04 --partition fra-equ01 --size c1-xlarge-x86` - ``` -- The machine will now be provisioned. - ``` - $ metalctl machine ls - ID LAST EVENT WHEN AGE HOSTNAME PROJECT SIZE IMAGE PARTITION - 00000000-0000-0000-0000-ac1f6b7befb2 Phoned Home 20s 50d 4h test 793bb6cd-8b46-479d-9209-0fedca428fe1 c1-xlarge-x86 Ubuntu 20.04 20210415 fra-equ01 - ``` - -:::warning -A user **cannot** list all allocated machines for all projects. The user **must** always switch project context first and can only view the machines inside this project. Only admins can see all machines at once. -::: -### Scopes for Resources - -The admins / operators of the metal-stack should be able to provide _global_ resources that users are able to use along with their own resources. In particular, users can view and use _global_ resources, but they are not allowed to create, modify or delete them. - -:::info -When a project ID field is empty on a resource, the resource is considered _global_. -::: - -Where possible, users should be capable of creating their own resource entities. - -| Resource | User | Global | -| :----------------- | :--- | :----- | -| File System Layout | yes | yes | -| Firewall | yes | | -| Firmware | | yes | -| OS Image | | yes | -| Machine | yes | | -| Network (Base) | | yes | -| Network (Children) | yes | | -| IP | yes | | -| Partition | | yes | -| Project | yes | | -| Project Token | yes | | -| Size | | yes | -| Switch | | | -| Tenant | | yes | - -:::info -Example: A user can make use of the file system layouts provided by the admins, but can also create own layouts. Same applies for images. As soon as a user creates own resources, the user takes over the responsibility for the machine provisioning to succeed. -::: diff --git a/versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP5/README.md b/versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP5/README.md deleted file mode 100644 index 3b7fc45c..00000000 --- a/versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP5/README.md +++ /dev/null @@ -1,54 +0,0 @@ ---- -slug: /MEP-5-shared-networks -title: MEP-5 -sidebar_position: 5 ---- - -# Shared Networks - -## Why are shared networks needed - -For special purpose machines that serve shared services with performance critical workloads to all machines of a partition (like persistent storage) it would be good to have kind of a "shared network" that is easily accessible. -They do not necessarily need another firewall. This would avoid having two firewalls in the datapath between a machine in a private network and the machines of a shared service. - -## Constraints that need to hold - -- a shared network is usable from all machines that have a firewall in front, that uses it -- a shared network is only usable within a single partition (currently we are constrained in bandwidth and have no routing of 10.0.0.0/8 addresses btw. partitions and failure domain should be the partition but this constraint might get lifted in the future) -- networks may be marked as shared after network allocation (but there should be no way back from shared to unshared) -- neither machines nor firewalls may have multiple private, unshared networks configured -- machines must have a single primary network configured - - this might be a shared network - - OR a plain, unshared private network -- firewalls may participate in multiple shared networks -- machines can be allocated with a primary network using auto IP allocation or with `noauto` and a specific IP - -## Should shared networks be private - -**Alternative 1:** If we implemented shared networks by extending functions around plain, private networks we would not have to manage another CIDR (mini point) and it would be possible to create a k8s cluster with a private network, mark the network as `shared` and produce shared services from this k8s cluster. - -**Alternative 2:** If shared networks are implemented as first class networks we could customize the VRF and also accomplish an other goal of our roadmap: being able to create machines directly in an external network. - -Together with @majst01 and @Gerrit91 we decided to continue to implement **Alternative 1**. - -## Firewalls accessing a shared network - -Firewalls that access shared networks need to: - -- hide the private network behind an ip address of the shared network if the shared network was configured with `nat=true`. -- import the prefixes of the shared VRF to the private VRF and import the prefixes of the private VRF to the shared VRF so that the communication between the two is working in both directions. As long as no `nat=true` was set on the shared VRF, the original machine ips are visible in both communication directions. - -## Setup with shared networks and single consumer - -![Simple Setup](./shared.png) - -## Setup with single shared network and multiple consumers - -![Advanced Setup](./shared_advanced.png) - -## Getting internet access - -Machines contained in a shared network can access the internet with different scenarios: - -- if they have an own firewall: this is internet accessibility, as common (check whether all traffic gets routed through it!) -- if they don't have an own firewall, an external HTTP proxy is needed that has an endpoint exposed as Service Type NodePort diff --git a/versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP5/shared.drawio b/versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP5/shared.drawio deleted file mode 100644 index aa7af045..00000000 --- a/versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP5/shared.drawio +++ /dev/null @@ -1,121 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - \ No newline at end of file diff --git a/versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP5/shared.png b/versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP5/shared.png deleted file mode 100644 index b0b47f0324545ec159effc46f153a9b5b0c2450b..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 49790 zcmeEu1zc6x+V`OZ4ygiyBB6sIB@GAZ6lv*}?mBcygGj5CbV#RkNJt7wsURqVG@^t^ zNqy@e$3dOB@7#OmeZTwuzHi1k?!DGtYp?Y@&-y>PCqzL`5)XP73V}fIq^^nGfIv`T z5D1Di)(OzUv5?FQfpGOYimN+XyPB9=8AE8;MZaCqu(6ogIylm>i_x&L8M5)P>vM9j zF&T34a58b|bD1!~40#NgIC%_MdDyu)OpNr|!DC>IwXKo4iMg@Sw{dJNY%ENy;15ih zm6e8Fn4JauaB?!kSU5GmJ+E(SY;*JyPG%M`0i8PHNfB@*V{YT*3jTKG;nL&cxD2j@ z?d+_K)r<|K%^hjjBskf*nc2AzL!_@M%gWHOiGph@b4z3Jm!z?wr7dEJsI3vWmtbY) zWMO7S+?&B|tr0Ce?94389IPzt%&dnC7q>DtbcEa5fG!v_+u^fH`X>5t^J8y9Y|z+I z-}Kw&EG1oGcEYTR4h9aQcGpc+&3UZA3J}jY8^ayU!BmH|V`XRNV&+72u!{rg8ky^x z!u74eQ|3oRQqgl$V!Cc`p>Ja#%%2GIu|kp7m&)sgt>pvBS~2 zzm0UXwY73IxBIct(ALHVkn4vB_2F<^mmeQ9v9&tdbe6C%xa-5C1N%|9AipgF{Ksw{kk#o2H!62!jWB>;T*#`;e2^+Bt%wtpELeV8!3& z`|%y1`Ph5^9TpquJD44c1A^aw&exwLL0niuLL3H0AciaGJ31P}5%>cb%Yu*(#FCFm z2iM_0p#5)<4p!LzJ@Gg~w`1a=WCkSN2<%$*h6MNpZ2fn5@e`5%XO0^y+m8fgN8TSh zZ>&hf{<{wx(5DE39i!+k6g0Lm5=LM>5HA~B0BAn|6o5y#n>y%XVP@k5U5ED?hmv@7 zBZfc~1k@dNi6KA*ardW^=%^1jH3p{@VTT;?+t}y_HS#NP9itRdcN`}avJGx*rSE9& zd<4)(xcEnKb@T=WTk}ICL82y-F+T$%ata4qC%B>U(I`OH@7m?(iIDJlG!Z-U9y!rB z8vHWRA$oqt>%&DJHvI!Y<^KEl%l%LB*VxtE@ta&64g+@xsW_AaaQ(YbAa0N{@dFh8 zF|hrq*nFe?H?cX=BLBIP#D>(B|E?sladIfX%jXp@ZLJI!hFIPOj$Q3IKGYkf7 zY=qpigC7K}95Z`>?SW9i$84J)b=?uP97o`zCVeY&Q-p3a1OQ?T3?UJOC1VbZNa3Rn zYjYzbgmv|Y#?+7I)(;YfP?ASBF@V>907-w{bb=ik{%kBrz9JcL44^pvz;r?a3zAR& zis=OVQ;q|BOC#s(&TkH~W(1sW;yNMSxkNThx{u9T4w_-_&N2xpF&FTeW>KLOB>K=4ocUH>DL zWJjU}62AW@Dfz4Cr2sc~)^|iiSH9WSM<&}bO#ja(DJPPI|A3_bZMHS*ukOk(YVofc z*Z-95_3bTx5Cb@FBq2fQxRu0uBnAH=2KUe0<3Mr~i5Y*@;O0aE5K;_~_sEIhAoLFbhBt5uf;H z;PMcS4}%&=EItOZh(OryVU5E(1YN#Iz7&k%<{;3H@L>OO0PMJuKC&QwfZiiG{twa7 z?8uZ1QV5XYVWevPt2+7@>lb;hkrVxWIvOdb$8_}f@bR~k4I&x96#9P`ciH}eD*`)G zS%3G@Mxx3w?tG8(%NaYm*upJ=Pa=g(|NNd1LPnr~ijX)uILDlo|0)0l+~V&^wBu1I z(EdFS@OOry{ssVM{V9gQ#&x8!jsY+$$B_m-&ZfV^_eMl8z@Ou(gWo;I?|k|>X?LVI z5iCMR_y0K_eGgsy%p;_W{vXC8P8POr)d1gvg8#Ez`qi)hMNb+!!JWTnAdfkuhF1Cx z4(5me(y^%RpNj2&h(7vm`Xlub*OA4DR3rbgKKgm0KhZ}ZSEi3hrX$~Hhe#qhAjtN| zStWL)!aQ0q$B{z)J!AfD#^2LD|6B$LdCZQ%sf{gIpPaDruMqlci_+n9EaoO)h>boX zFXspcB@UpF0+i0MfU=8k=~o*hF#i_^p2ZRI?n4y#rehHh@(&T{po^J;r%Z~pj$!jD53Q>-%<->=M?veSt??&-a-~nk>|85W?Vh~7s_)jt9 zxarGwq|5$8a0O9abExl*jwu_@Q3?#nu)m5c9Ech=gw+4pM1O)SKx2Y3Fl0^5?`ZH3 zlD|k29y|KT1MXm_e|Ubs*CiqAU<|)i8zJgr;HCz206f7TM5W!atILQ+M81p#k)UBR z(YH3Y0=q$s0rTry+Z}eYvm+`|%#5v^jS=a(UwVF=M_7eSM-YSPK1wnor$6jA2lZNr zqD4eM%dw>$b~?iKZ5&L%qL9-gO1_TX4@^~~AK!j_xPiW*rRiY^o#`i{vmv4$M`Zu$ z`ghVBnLF570ZntbEOQ&H!&);WRjh0gQ2lMchy@|J3$6}pr_8PGY~haJCC6=Mgr@ig z-$2&B2?(<2>AytjA5%>KGs)aPg^|A=Ut&i>Ch{=;kp+$PaF4?^f;|YLAW#3l1lPYN z(Z5Z4OdlSD>m#E6fYpC!qJc5T;Q2UQBVhSYsrH`&v_G+go#k%=+FvI68-ezZqEX+D z(*FnAZ<^x&1MOinAHc?;R+{~*?*dd9U1gOPW1OdJyMX53DfuJLJpFAPGUF649$or#D*Vx4+Bxm&@5Gsh2n6R>| z?#E@VC#>2~0 zepGZb-i=Rf-fG+2O`M*MeQcV78EE8eI-6MQGR{BuEQvJg0`xX&_6;h_p~7Kiy~d;g zW&gV^=nPSumP3niSM+*+yL%foLud=yhShZEB_W0w3b)e4r#IEMV}(6~I$FfHPl|e3 z_qbFS`AP9dstO6vQSk4vx!$9viZUDwQE|K&WjHw!lRlz_;!EzqK)-n!BdNqkC}M4n zYSf)7>a_J>cerdWXuzgb37TGoVok@pVk3Uw#%9iHLR6hgcf0Y#QF0ilqNcuFzTJqA zH7%A}1vg#04CZfy#heU5MTK3`MFT%6+GG#LhzYyO>a*aYip>jPE*>vvMhWN}$SHa| z;)$5tR?b)~!>3cEH(NGQq1@y-Aw!zkK*sAz%QKUmk(9ID>h;b{5$CT4`S?H*RioYw zb%dWQ^VqbJN#uH-y_lgXMMawr?OspG0xPC{UKRFAiD-qV%WZ8I&t|+a90l#f&5=jO z(GTWsi^%2OcxX4#i~`ns-KO>$k=<>uQ2c0(vnMgg^Mxve^h=r2XzM+!Z@F?YX}_x3amZc5|RW?Ft6=^5ad4DytDc@lcZYo8#VUQBQ&&Z?LG| z6SnM37Y%07e}c~E^;KC%QbDu9wakykPrlJ}d*ah4Jdvk0_EXB|E=ooy+hiZ?EqklJ z*_sT!!eaHBE#G|FJ1M)|w4>G>#jvwo_!kkgW5iF;#>UROV0eQ6qvwucZ>CUEMrLM znJW@+E)aEvaGB3^Tv7%S8gP$Z^s_5Q1~J_E<7?mhmz4~j#j{>Z;weM*Wz=|-rc$7K zed}$lLjh?F(d8TH^5{i$i^C;q!)0$Dd#Gt#yL(CY&K+Wg3#x_cP+oPcGmdDhF6g&y z8@DAi6bdU>XX5k>0P(LSauvx&i9#%2m!?1ZD3iiR#-LV=i-K4z_6f=e|JeLfG}m)k zAKBrOzX>B_7ZJkWxz=nj@Se6#HC;%~@iN0EXC{z8lOz?gdpQh*MNzH6o{x;45>0!4 z8IY`TTQk9eq~n;c%|547$_{%FTxQrg8BBRgC2oP-ancwJhkRV`Q9LuHsr(@E;e7&Wy(DM;4D0M7H&^>S*jlNcW}eMG5gRq~Z5 zF$Y|5pIA*`Hx*jMLyIKy7cJ->$dn|WV37-^QmV92d6}z-Mk}9!UUKm! zOU;PpIf*W}t(EjUsrolLsIOnC62V7HBJ-4SA?$o2v@rWTacXOID!*yD=|JE{j$F~r z@G^d4dSwNa7q}cG(h-(kkSy*DpJISLg&2y>o=|X{ctq&WUpIRn{ka(R)V+%ZB1EM+ z0BGM--hGhaQ%?tI%FIq2atk^wCc;tMW(d%6^>tpHZ=yO%brAXKzEGW@OHqbr$Yw54 zWPn+NWh!uAWP%;Dt~%oUJs2!T3Xd1?of})ZZ(uVv3*(Gta(A{#2|xYHLu2DTpj56_ zbun*Lr0LMg!Q096;4ofu8rB?wPlelz)jhnSVrN;$53SB{@Zgtsi?BM`6;cR?C({Dm zG8IzJY{*rQ8Xc6xWj)%EiPu-Ek1C@Tnv(ox=xcOQC;1JT3bK)+S@igoN3mCQ>Xd2T zaeO$X$baE#V}J4KuCnS3xF9=FDu%NoF=cM~s9eJMN|*Zm?lEa`IgwJX39-teDN(Gv z?-Sj2-Aay&i@W}~S@dA5c@D+(*;pF~j*Q*Y-x7DpiUj$n)%$v%%S<<@2?_ahFSf~y zJyUFVK7mi3i$75Q4B8uzDEok;#UGR4<cxl$?vE#yEo`8e4`w;xnOFoYctJ~{O8dR+kgCQqQoS^TC zPFdZJ6x>&k5*|52fnH-Z!WNTu-#eC3BV(zxf&{z|-(KE?YmSqTa6nVgTB8&dR+amk zlbA0R20Gk`<~HiAQuC!Q>bK;4t_lxjC(sh?(nayvolo0gF*zEpqR4YguYY)@5|Nvy zl#`Dh=Xuk6bIgVQ{Us%~LiMr>JUOT32`){uIB+}2u-0?4$FfUZ687;iN+519?umuo zQ7zFeVsmF-rO_9=!aH3mD>5W6xR_7Ax6XP>pNC@w4t+K6 zxk1!bCQg%g5vcX9vxFGW@`Y-mTEF1H;L|=Su6JP>@rh5dU>H!MW}ug1B--x~D-BU- za>iTu+70H&Q(|zUV;K%Oa4$rO_TVv{uM6~FI2A8?r#73h+^;Wz9n;Z;6@`}CZ{fVz zUI^ASi!?9F9r5MR6q=+xS}Im-+A-}4mNMIPV(G2{_7p9Da?S7uoR%l*2Gq?y>APcV zwtX=OAh+DBFcyYRzs|V(@+5-nc(+kaRH(GO^hKV@3vB;J3ZMU)Zrp|iLyumY>%$bq zKW#VoH8T#V+aRAadvouF<>Huih`RbO7%}P30+nGu-%tH4RZtHl;$((Z*|hp>bR94h z2D4>D5qR->Zzw}NlrTyZ=M6SKW7yR$igPY~W_ULFz>`SXlMbC~E)is9VeL_=)J1uT>^9YOob(^n@!( zO3P%3h4kks(asbPQU@zsvpn4rWG^Z+|1_TR-40Mm3fSTcjhTTTTL}a!ES{e1vR?`o z)7-=b)RQLj+BNh?vYhykfLwHy$xlLwvr9Vq+nuf__c714U z1TflshtAYF=c^QuBqb-_Ov9uo7jU5;fC`@>nsOwaGc6kj;oX>kbZh!ynA zr}w6bW^yj}Q~;JwLx+0X-6;)9F|wjH0LAwEF>*f*MK+9%Nm0NBm58_kToy{}@foxjU$G2x4 zh#&c4+~-T+NWIp%QJYRT;fRrR0@hJ(^s&fq^~?LNcZtEcw>CyhEebr9rF)ZLuSmAL zE@6dR?V!S#kzGmlWz=0AL!Mae6?CgPFd`} zr8o*ELOnsEA7U#uw?KK&;jU*{l+Lb92+Sr-E;Lq5uPn=iG^58q>ud8=l-Yk8kXYCw z7E5#eKIFyK(%vGi>X$8^&&=DkH40x;+v>%vJ=M&1OnGL-==OP95%VkS$+;K?wNj@= zRj2D^GkdO|?UH$&UZUIzIZdl-y%J!MZ88z^jL$m3&;WWHSc>_KbE}i>N~)CEmaZEg zHEuuq$hQz5OFo-xa0fHOS4uXs{x%J59dYbVq7f8CIyBt zCsf=8H+L6b6=0?;Nyk%PV`1mMrmVJHQsnIOX}u^UESSFGVy7Tg3mCj zD+uG<)6q1!UL8PQCB*|AhC94c3B#uf3&$c8T1JMwb~f@}Bw}l#6V)ZfTli@VB{bYS z7%$cLzwXuI@rV-dEC*I}Lh@4n-p*zL5s|O2Z&%!vRMDYSp$Ji0DdUVxTdn)L1qO6`ZH}OKS#08_E^VFLt-W=%n1clX{iyG+1(Wl;5K{+Bad>%p z`bnMwEcbimhkQkm4tOqen+yvjn+gujGH-vv_P$}G8AJ$`7#OrKnP_1}7 zZ&ztE#*3jHhRrs+c42zuR>ds2;4N*9NODE6uJlJ0`Xq>TvE5_CSDX;U$T$xt4Q4a# zC66&r3@kpYX*Z8Qcu)O9vv4RD`@I*OVhU--0c20Zv3a>|-xc1yWi#>!!+U=_=g|We z=T5LT%UJRru91|=9k1<~IA~Q(YrbNp1bvFh_U9QWJeEl-yHIZT9=EM7q0RhVLqRg5 zXRZ{|UDSmGD&kb<_}wc+htmFllee9_^tGOSd`_AOc$Xh6Ncp*gX_|Ms-$2CfTB^X~ z?sk6tJuWEjYM2(4O> zi3{N2N9Me@3Pg6rs2b%akDURL1-AUj`-u zJ4{aBT#Cp}4~%~6vXnKK;X_B5n#YXxVEAYk)1c<5pR5B^bDUI zhMQ-)-b;05N`&+7gJ+(kFz1Hp5wV0KysZQ&vS7N2TBsNqd_LQNnI5v+htU^vLxLF^ zFAZ?S;dxG&1ks8ZMg}enyu%y5wetS`WcKH_nTv*8<%kJVbjT9vCdi;-*kFRso123B z6D?@=N^TwQ(TeU-;0X$j5jJJT<}9e#S$LbQ@gOmE>nRKlusoy7AZX)L&p>G2b&@-# zUjFeHJt8bb3`T<*>}z5PDh7pfaK8${B%mOIyP#wpfYzG`*Fl5qsGk%}IJ2b0ymtn} z3ZYrJlCxszsGv2)s3(KSVPE>3XqDVAL0>C@F&_DsH&21UkSQG@bys?#1@M1q5fKP` zC75AVmaJm4FW@_mf|dDoB0`J|ag;=A$+yY_8BK4MiR?7MVzr$uvJ4Rm$VBB5ji|}9 zQdZ6nLA|61-um0=%dLbMeCjBPRJ1HCQ8xManhy3ogb9YO2Qfok?;}XSImV{0*nA%v zfCHP%W}9i~NfYz61DXz7?Lr5i3{oHrGL{yjUnV>Y`14ZYYBbA;wz` zuydCb{srJ>K^1%z5PNzgB!<$b3YJ|yrzdd*8ZV4e5S3Y**I4g;a0`VU_eKX|Jtu+U zrk#B7lo&y1O=treST?)}`|i8jsJ%D9SdDJ!dIT}9V7&89GHAcEXFuH)9sMY=TlZ9t zml(<>BIdw9C+p4x<~q1chzdmGtl+I(m(8WI)7&wIrxcr8!Om7!FsNG3V92Biu}t4i z>_#uYEJ}#+5fN!S-+o^!1PF%`5mpd6*r>R-`LBF{!i~6N!Y!mY6`TDL+GERl)ooGu zLAOGtlrQzGIUb|O5=xshRRcNAZ-DW7(X=^-C3#j6M4`) z4|R^hl8h+M%-2-diQh5-b2|IR+Eyuxv8Q>o-OO2T0H%mt=aR3Tw+6U1(=T}Xc@;SO zmtIJT0*mnO%AnOW0G5y>n-n`0;1U(<)xsa<*W^88e}f8}O^`MXZ>xw}`_h*~%5KCM zLBZ!2cV)jNn9>VtS@oUSXjRBy-D}$RGWZU3_sTuPXK8`u#2wjaiBW7$-GmNfSrSSO zTRRx4%j$s$03I(}CWb0Emq~X%(LTdnGS=olPC;dx-r%e!n7%&zx_@+Lab>-ugw^{w zUwt*@C>{o!{8A;yZ%`f`6jRX%weY)J@4ra3g`NB|mc%Dc&tdt3jOop0X})aAvyjrM z6^yLw$;?ki$7-B02yWF!dIsJZ@%$9+@6n$jEH0y0NP4=`)t80C>fxVra0Jt0)QrPYI0zngtKd`A?mymMX|cVQ z^qWRN3f@;)lHQa6?|rurXPvJjg>=-$LYrK!SDdXpz2?a$+uZbYEE%R9&2-Ows@v$C z+lG$3HE|`@Yq}Nwa4iRWI)GML*?YXggq_3UeIR{h0s8odrBC%>>M}nHO*rr7Vps{u zt-$f+g9wuIn$0;{TG^}}HR)5On~9HI*JhcZL`*&>eQ(`f*JX6H7$VbfFlx_!l{j&R zhujTkw!I7GqW#880#^`|?5}Y$m)&EK+)AUI?Dk2tKxrZg!KTKo{jJUUfo$4$p?ehFD$K!X z_4qfJ7x?q7n{M5zaa?7Kwbsqwe|~G&MjZ#^4zZ8k_{kdA{R;*iw|(=S@-swB@bl$b z7z6vOEYCelZG`N|EsH1g^`L8|T#8HyOZ9FDFb~ZM+FH3oLz`cqTzm#Y%(s-tjDj`aSvm_fy4z^udZKr;p1xXbx)S*W+XDaByRhndIW1J65;D_jq%mI5T6 zztQilu#ac6;kl757kcVpQ=6VQzi{&xnh#&Ew>wPsGXEZ}&F#SJ3pvXvI+5WN`(2#tXrMiB2J&%3);j( zfdv#v?cXc&T!gnp9-!1!FZlYkLo=ijJ4j(SiEccU%43Ahe2(q>T+|aqFH6sn`&uE~ zX(aaH2T>(9Qzd3LT;;Fh28ZpS6o#-i!`0wQ^>HwCVH-j>(pSGIXt0j@wSd; zZs&APOoTKSa|h$zU4Ygd()&!t@s2#~{~L0io2EOhqb5=*u;mkVgN` z+-2D@9nM^}tIEZSdMG&33A>brqfaVpyf?W}CGgvVbZC|L>SCaoUc>vjng!HB1oL;4 z%?IhF@u}(hy$MyV`2z?hX@%mr@Dys)%>j(foClU{|0A)|(S|vq8(G&+Ke;<4n002~ z^$TPwoB2sl5rAM9Q{tIAMZJW}_bL56@lkn;_}MX#V|{bMTr zd$g_f5|=qP7f7t|9KN7(F-g$Rs!60)nx7(Y#@cgGia zzMePOaBU+)z1$LSFk9ZgDfQs|t`OyrDbHY*bY>wRdRUU10FE<(3ZweTDbsMtrH0y9 z{HVLAD=nCmbgmZ44;AfXp7+FEiRKm+Fg7nEx%c8lHKsuCK5Kqlu5bG}5^9alMlGx` z|2hJRY(}zyItR;F9lm3jWp*7RjG9d>=+n3#c?oHH;zXkF1`a$FSHp0sJo{3)>>3&` zLGy>?0>zC`IP{4?&ssv=aGT=2mA;<1`MF{F1y;im$LXhWl6w(RqORw-t@uca^aAeZ zDK(UH0cEpi?_}e#Y}Djv<3c{ZFUT1M*kg0p;5;JB@)t$ z)BPARm!-M39G40{d>Vgze$7-ypT^^9E>iCKc@0<&A6lPeCNtu$VHxm)=ltwh9PeU@`BjD)}nL6 z6JrhME$;UOzfjv(@aY&#vtZqFTnP4XvB_KQ)vMLn(+*CW>r16}i2az)WJ;_g8o^Be z+&V`-r6VduR53@<8Ur`hxASY$Y0r2YuzUa|~%GDh_RN2#HF-)&B`S^wPdL;3i*o&gGxGhnqxpn#4K&!j6JiN%zfQXTlq!FtSkFH^2?_h+d{I(~eA4i#=DmF{u5@r0=G_|E0h zTXP`_)N{*CshRNAq<9Wfnks8;Vsh7K0$%a+7aPv(Cb@^ubDnE<5xa@iwJ=;61JxC< zpN8Ctp^vmqRLzv?iGZqGyt2*EHsBw1Gd##EXz?<8Q^VU>cmwB(USspZa)kbqurxw! zU3TjySnH=`E#OTW?y_s7B>h;y4v(k_)6+KiyW0k5w{o`(#?Mw9_)&NX*QNaY#&E;{)<#&&xujmOlF26f(+LzKk z{q)`|(`v~`ik9^%>o-9lO-Oxf7erFaX%We;$#ISH6Z~c(_3uXeMs)p8;ISBY6R8n( zzed&q5PS63I+)&P)Ho%dDj>eUyKN7W%~^8Env5`z8_3m}hejFV@>P-JQ3o?Wz)g4* z;6uJtJXuV;WCJCIK~P@A(QgtmaeJ=p$R~xWml?EF=S2FQlTG&W7_(GW@~0pp6BZ)T}JhF&MI5& z@H1ETJ3a@p$DI4vvb-4sbWu;FpCS9A3UkKSTXVzbpxs~MDK_+%dy7`qam3cX>e1sU zjyeio>5pK}4oKoI8Bc>pcjpeIUD9;1c!(PA{n$;b{pHK`Vt)yybAeEpZ|0@RHBUEX zDmLF-%bwy~^~_W5_#aLhJ!KW@eVsn_a$}j=5R*YDfrU*0gUs~cw?ydM^ZeEo`Av2m z7i7qZZ|jU}L_STgzdnBAmeIkNCxHX`Dhw)uAlXaGY7lT1B#t-j z)@EhNVQ?{FIS||@BqU6e*#Tj|&IqvJ3m(&NODQ~V!v;b+=_FKY*=`khv`|mhUbUzGz z?Y1TP@PeUbW0x9f5$_k}tChS}g`xDEA2K(oyjh%s>NB@C`L9;p{2Fkwo1a)vSfo&s zSIuj9*!(qLn-%Gp%GWD3pOUo(%&9L-v-BsZro1=InOZMUBNc>0@`u+Ydf&P!mU{|( z`MfUql#SSaZbR15d<=51zeB*aysg_liTi2zB&$J3TemFc%eiP)*!emFp>^JHyVYF{ zjsi85`pAPYrbSiYM}H;xJfhSwvC_id{cskyujDdy@IBcxc!owbI1A%yB~ibbpL)5G z|8UZr&e1G3Ns@pf-8&A2{$?CWBs`|)N%am@SOV|ab85Cw6j74EJ}n1ihewseXRaH|E)17YA_@*T z%m;6R^foA5DMCfl6y5mr2GiTy8<(7i5Cq9powhxmhyz*kW8xt125IV25Q)HmJ%7O2 zdY4AHo-fS1$?iQWD2fOHDLNt`0m?&^Q%xW=w$;m-J{Bstxv`--jzP?z+E#Ab*AFT- zaL;k!f+UB6?TD4X0&OfgEhATvluHnKUG|+BsS?zX`pt925?}V7X3oEP7&uB3vlEJ% zt5AFCtBY;Xq}e-fL1y0S;u2?uflus~pUn#O9xHn-n||eCkdRNx@w*e=es(%Z(BnD= zhr{L>YRON zmf1-0)w&Jr>y*w5liO)yDv=ZyY~I$)a~mbWt(mk~_?5fT3&P8;I=YqNNuGHj5|J5r ze}g>Jhy27mX>w6zhG=h^uz#u9zy%Dl-JPK#t!O?sILNk97O0h|Dky<6oR1^rlEU~! ztO5c8D{E^?!-1GEkW+Z_y3FuZTwzJcm2A1>{5pr#N%1WCR0>e8qeK!Hgm*4ziyI}7 zrecxFJB3OZ)wt4abu#e7#hthd;!tDX>-XuR{fad!Emp@Ti{XQh9Jr==%wG={o<~Hc zGUMR|^N3KL9v3*=->`OlP!8T|J0}-mH;5Y$pWu4XQ3qX<4L!X=P z_&OhM+1)?&DDbV~^`Rs}7aKmn2_KJU^QjZ0l0MpK#TfIsW#&t8Mv1#i-+ojURR?dQPeGQ{Zh)LfG-3=TktGKvmU+-G$H}Vq2Tdicb&{@vj(&G_P zUcYUZ`uzfRez61B{LkI(<*%rNmu|G_5O>QY!`x0>JP{@~M6MA3U#VTdS;nAXZ;gPjX$YAOW>1yXfi>D zUi6_#WGCg5VxB}h;bVP@q89$3n*%|C*S;uTaI_k|OlK^HQ-bv>@gxfx<*obI)&pn0 zUKt*!)iC9A`>agWsUwg#C|`cLnU9GNa$D8WL}&V3*EL8}qIH@gS!BHiyhhw}%cr+1 z_9E@6-(-kT;b&hlK0Kw*rh=wK6}Ivz;xR3ALDAce$u4)=2#U7JS|t{*7ENV_WX$z* z)v9kAn)pj`blz~Z4Xn8+;}@jOb62j2wPas4eQ_nG5loBe= zex^WMrHHpmd0mZ3H#{>qBLBs`@W9~BhjNL$JZdBk_Dl~d)ms$BKAh}!g-mpg2&l$Y z7QTVvC2}j#Hwv%W?!iQ^a)54Z)=Tm+Q=VV3Q0PMd^UdGDZDIlU?jWX?T#pfT5k&F34W8d z-$t2-t37wuK#pZcn<6z;Fy<=W!thD0&1CG90g6xOGOw+&ne}JMuJn=Xl-!ERAmw(V zX7ftoZ@X^TSlnCmfq|Pu{<&#)aOU_@tB?NFtGv$1V(5(jf?RA;KUHuJt~>=lSwZ7A zz3ctPu@lrgIV1grI^`3otV==W#0^@UergU^Jj=Jw;ePypbC9>+{H8jdj7Qp-Jn|&_ ziMr|!zQIj`3QyU?AKI^9G8-Plr0Kzk7AO*}?0MO;+S6%O>~eD$#q;rkWmp2&iO2)j zuuHEJ4Hjn8UKnA(`F61{w7O)Y+N11dx6hPP_Hi)0A$|T}?QKG`Lrm3kR9G;5iOM+^AOdWZ^N)K*(L2qPldkkyF%+u=~EgozFy_4tl-rm)wvu zKE3?99_>yn{hd6+9D|*Xl4u?&gZp{v5*jY5HhL#T9#`SL$#Bl(&An0Z=qqe_xVL`q zYHU*Jhj0oGV6=Y~o2k1HM$D*6$a(H%GYDgW%v+2td?A>YzBw6pSJY*!39`#s^M3rH z88jXPPFld8=5g*Lk0-UO&DF~M;2Xvaffds{rMi>9JuTfyd`^1RSlBK#zU0oHLC|M5 z;{5#7(;d(=4B?u14<;ie3ErND8{xRkk6(^mqJJX1?MZC6HL2egzSCG&s##`X5ge0Z z^kQ@@Ub$4cc<^4{7)HAHV{~!vp zI8Y_BIKQ@Fmdg0UeR{zd3P~~P7gLgv(LCk`R#ditcxpiW8E zv`_|kkpoqhS|49OLc1p^-!d#&J+-~oRA%{x`K7tC*4V3h3q!~GR}}5niCdqAl-q5* z)Oe-=)1q14wOFN>(c!>o8u#`gsnnvn>FhHabn8<$=dSyjnlYIHe4z3Cj{ei^_G?ir zD5G3o6yH2gkQ$41r|Bk9W95srVcC#ngfSnC+{b^Q2Y^tCerMHs+D=#WI(=Ms_{`!am0S1A{IP7O?sUa9=iD3R z!nvnuW0UNLDz4TRbl{VPmXH)ZS>!HJ!IdpkU%u>ezvMvZ?PISqdsp$Ax69{No5B`Y z;h*U|V|SD=C;$|<5mb9CT(`s7y1joy~58H6Eb&ci_64ngBrB z$6y56H!uuYHgw`CsaYIs;18o8~kY3TF7I-wVh1f=IG%ElW#^#xPQop;^ql-QezwI zIPESCmi!PwV0Pf{taDn7x+sZ1{VYLgY;J#VXMU`n`}0gsFsR9x0;XF$pWCB5DvO|w z(vII_H)+$hKMe(xv!Z5OEWE8{N0cjr`nn6=`@1}L6A(~Q%CyKj$WFcy7(m{3n+*QO zoTHMan)5I}7e|m6GN%@F3Cbf1>dwcjL4m(ys(_b5zVc-ZbWqjT4$8$@ZQk;{EYYLX z)z#(k-shX`O)h}Ym=9*TZmm$GqM<2*qP_}?SJz+lrSM;s2qR4ovIq5DZyVfBOGc0@ zM!iTE#Y9I(&;3;N%~6%X4x~Fs+9Vh7todLHO2F+vwKaw|D1UGFK|x!YetH_0f=`{Q zlPpwvlnCPjNL_P*+OMx4KP?-HKL^9O;Imc#T4 zX--C<C(XS}B9AycTIy?Ms6BgB37znGY3`#WG^^w!ca7M))~H z>7WjK5)_5czbZI`Fx^kn%29!`Y#z7IzhT)MJdKw3qnr4O;O9QM6oEKO^$nrmBw_y( z`U4r_-R*5nwqtd~Pw&xo?ryJ@A?jE-XS!orQ}{iIru)xMO--Q*3JN;uxJJDI#cg5d zud3GG^Yrp!b)rA*j;6ThhA3oyH4CZ$^5s9ugX;eK?UxlZ#GsEXUgfuY_iW~970E0V zg2GqI8}dm`WaV^(;m`m~m?Oq3P}qFtimoz?s5HTp%lrwD3FgzRFiXGHXxu~cakNsp zy}h*mQ{~MT)VFm`IM#2f#EZ3SS?njp*01^zdH0G~Dk|R+0M(^34>+X8?%4}nR?1ek z7YaX%G1CjegN(3&8lUN*3?HON!T@sR3X;uDc(TE2CAyb|;<>LF-8tp*Qno6peyUI^ zm0uPl#pM(2$x7%5pChug<;`#pFs2ldEKhuR_fCe7Ingz&X3S>v7h%^x=CQu+Sn`%gwK1W|lB7_Gi<5xqiKDTYR zbi<`yS2|c6<%|k2^2KQ->S&;^g?;-OVUdvEDqHtvNPwV$VuuPao|&J25T@A7480~3 zp<{GE@vyK0;j`GVU)m$axKQHrvG`7dGyEZ9Ksp#;!(%>ZtVneS+699t5-Bi)%pA(5 z0wQZaE9HLqaLeFPPzV4r`Luq1Qci~(5kmog*%2U0OAJ%8;tt=BcoiL?Flf6#7q5(% z=jhRYZ#r!X_-@r!L-<5|R$V9^OV(HNI6Xb)3o&n;G94xawzY%UEMK_CMmsHEV9*@O z3zZT3txmtBFS^H@6dUG*;}{+w1`lB;R(F9zGsxf(DDzko9<4l*Xj|u-1vT%sVva7? z^h%W#wnM?p-JQ0NlDfb#iYt~lm zc#@SM^Q5b83c^^r<%JD7jZ!+Eh{9rS$O!pJu=AN*$N|!%uB}GgOb1~_(Z-l4di5O3 zXB78DDItUa%@ZXJ!zZ=kU~^#9aJ)09+Ieeb{=;*d>#X!F#_iPVp0G%im2*BqqL1%D zcu`2PCeVEnN0;BBl@bfNd>Yqoio_e{M~mtdu^)O*DMCAp^G3@^F?g|sK*$o3hu4H- zd){PVDF(e6<*2n<&>D5kwAUOMB;TYW6D}ORQ&a zy+r*3EY9Mp57Bby^e+{FD$+^4Px_)*(ik^yzZVf8?S;_gwvhT35c)LXI=S{eINN6R zl8P472RhnHoqB??l99IpQ|RKSbdWC+hDcXfzQc?nYZid$p_!qkF@j^&_<|zk7G`X9rx>{#~D?Z;I29-44_*t0m=_VjuQrHt(5RJ;>l@>u=4?CACA9B_AXSj-p zD?YzQg?aW^V@`1RsGYdU7QxqOqM`4>JH0~PyvU43rM;?e?AaXi^47R|{Qzzeev5zL z6^daLqyBwag|CDV>cAmd0Tzv|je{nIY+u_hONh)6#r3affvV>oe;H* zY2F!rbIt*3+6Jd<1*dkT7^tMtAiH5?dh}1U78`m;O~v#~1M&RXiZzObKYYn?-h;^& zl*VSg8V3?lYQ${sD-}naI==Q+C3#a3M=2F z5{T7{xB81HMg+zU74D?ea~B}D+}3a&G>gQYdNV97`e~EDg0kOQJoMz)HTU#~!NtD` zkPlll(e|Ir`V#!y9^!bh^t_>Y0Y4Qs*T*wBiyzX&T`--d(Bfjr1$MvOka1Xy!L|ji zWow;Cx+m;~pNK-XZZTmQpE>#lAbFo<&dpdnXQ|Q=;J}*QA%1nkHM!zS^X9UVVO6{35#x2 z@b2Zd_pJy&O+A@5ubZD$8&9fbsA0CAp6Ij67jSV3O}wOMV*%AHbI-?i0bNX!+$OL( zf9AcuPP#&4(zXI^;q36uSXHjNhczVTl@n**Yf@+RS3Y$mBH@20VH;+zs=}zr8Xot$AY~tYHfQ!tPm-AaqBaCb6?VTa_C=X_DKlxARGS3_GvDRI-}=Ku~yxU zi`quX66$PmH9!r}WDE12j77!wBd@b3ees0bP$Zlp)1YFSMfZK~2~1q{Do>9pF5E`r zHN3)uThc38;?c3^dn&s~>FWy2+V#s`-8Bq*qaTLT5{t5m*l<;$=o4Cu;8y5 z$D_>i=i+$%FTQd~6qmtI_fy4LN_&I>-->-+Ez|L$bVW7^r9J@KQ}iNMZ^9~cg;T^o z0ey7oWQRyUXO>ow>-ljx?3)#D32)RahNu#uVp2MX)u+D-Va7k9vGzQ6Rlre-2&EsT zS#s3L(`PkZS&pxXWQzOpB#@ zpX*r1owB`IOJdHcpT;v6W_d9qN;IBkqTj;&ty8Yc5Ed+~HvK9`p;L{pgBJyAa}%an zv3y6%0Q~Gb%^a1O_Rs83IG;Cr)HxItY23;tvyus=L(9IX1DLMKo1+UH1?BCB_Mjq` zYI;TgIVM^WQ-y-MKl!b6_TIoKp?)leOTm}Chi1+(j#sUVa6@#kJueR9ES@wYJ=cnf zr6VNCaqWFEVO@inBK2!KQz)fS1(v-Qth(ZKd`)GXPls#b=Lb8vL_VN^n^4s(F#W3k zl#vV`B}Ky(7a_8eDbf1`7lvl!*hO%Q&^*&hnd(HhNMzN}T^#H&aXO{BQ&{`suMUUR zo4rebySai7w#;DlnHs}2_=Upw-W`Uh^Nj|(5daRV8FBPeJ5Tl(nKL?Y(wS(JG5O%i zZB*-@AAC}+jiX@dd3Nl{Tc)mk2M^d-9s1|ep}HB<0IjzRwDV7MUY3_NZ zJ5!Y5(n4%7h$>$#wA07|KK}BCBCwv;HvX)RFLw2zP?`K4!nEk!={JqHn!SSr~;gHD& zN=%qwAGY3sZ&wm0JEDN@?ZRi^8l;Uc(kR6~d+q3B+WlB--*cBXpSU3CQB04%tB<|E z;>!-ksMDN#+It^z`S=p{~_xwfZ__4u+d$dV8Pv;;K41p zyK8{p5@ZQ(OK^85NFW6F;FjR7!JS0{1P=~*hunMr_x^gRQ>kKW&P-3AnV#OKj=&8!cM}Idwuxuk75li`!xAk8qJ3e_9%})Uk!304Ek0QlNN;|x( zoTopRs8PF$(HL#28`~9^oKJc_4bCw@QaIl%F$vh`zYD?5{)#OkfcV}Bg%VdDJ` z{BmwD$-VN|_leVc*KL~ly<4sim)e%26_iE<-`s5{CKBaxyhIwVIT1m@viCGj?aj>( zGgb{%>qt*pvISn5TN+`{*<7k(MEwxnzB#JBegJHx)rg6iBMe1AB`zn?E{^*YwcO-n zG1|aot69iQ!sifi@W%_pak|x~q)f?=A%{uP*ShKuOl<=|=BPm|6`d9OHE?PaZ@!1= zkk;OAFtq;-m_!yVlX*Up-Fo#$!`th0q(P(Jqr^b%4c1v#EpTep?X)0?idyQ^$6)~2 zI2%mg8ufe__VD3e*6Nd?*eq6VXH|Fbp&O8w=Bkl1Iug1|{usK^T5SsNyuLM*JOJPd z+k46?4`&Lz-y>4w?Y+*WCTUFT5aN@``anGCKqd9~arnX}ut2`5VF7?SIjy$_QTq#r zfvWQYMZ)LSbhsQxc~Yvir6g2s^OP(Og)V>joW4E;U{J>oKJXWMkO|q@XdtZRbu_Fe zCi!+MnY#3soXhq4%7jieNnZksP4Lsbd%qr9*N>CyK)Gm4wvCxsQaq?iIlsj?3=g?C z^?z6ZL9ah2UGks!c>9$pgSG86&Ce?Op7Dk3xm^*OJ4&CIp-vg1c9@M7i|D-(K|knU z6y}+l_QsKuhF_ES4+a&!d}XbyU2cRCZOzeN{7AYEPVE1gonPf?GHchXzm%_8t4?oa zzWK;X9p2UD{hOgIwIr^-X&hQ3qogWL_0^o7Lpg&S>OHet2;{y?jFShdr8|Jo&qPYE zQ%akH!rVV|JdcZdA?f1(1|+)tJ${dVuu9SO*MstGdte}6BRR2296RNKhBmEgy>d;z z$=NV=?Nj#l?3eHe!V`Gb9A50MwbmdBTE=&mlWPl)W7h5d7f6WFX&(bO$a;NFM1j!! zTrt{k{d1ja@OPPd*glr~;~wwuj!aW$Pa=zo5c>Wa$sz=%?a;73={lTLA28sGH}VM+ zxw9*bPJ!4HGlpyy-gUcQiep_vcYgc9An1Qk#Q>@PXLKT$Thbdoz`tY7lTl3R6Yqk) zBp_b9J`GwWnk^^4%5BGSq+YG@LDl8Ri%-qQgw9a|cnbFpVP2_S*2SsXaOWcG@atQT zzw9@+9zEkdE4{>jXcBNGFw#d2qHY20y`OJn(rsnpwwj6$KxxIM{tBra9{%n2cz`j> zVuCinLEZzP%QP6&46HWg)2YeB{t#CYOisE=)%ZO@MqlKFrY`H1t^ajyA| z*l(VY_t%P%Ul6=PIZ2CEXE*hZ$q|6-8^-I=i`F%t?bcZEx1SeIsP|YjbX=|>N1I37 zaS-v};<@{891B7k49q(&g-j8sUchgraU_(6K@K3hc4YW$YbC>Q8og!FLMyWun+^1wUKlAPZA%?6(`L11W zRWWp`(;-m1@~1l006Bp%-91sNI|&8sIi=(u9-}k&=}srw{Ia(N*uDhE9GCH}>1edb z`p^D(AtY6+{1ngie$x<9s-SY9>=puKY0f-@mqa$r7s5`Dy?#Q>0%{=>!1C zAnXRUSqo>O(_EO(?;F@nZwzr&*txPA$= zL?cyJz#|elTQW#%4gI#l(CEqMj!5CrZ;Yk ze5%`2Ew8}u=Q$DQ=dQBq0oZ945zCfzy1_Hq}p5lFDU`c=Etcd zt<&U`jC#lVySgs7dj^*D!B7CPhvH%Kvs54DF+6sll2i}>a`Ncy-pEJW+0UXB4<1+m znnSu)o1Bvh4&1%R+D%WosPWZa35@w3L9dZ`Fo7`y{O9YivXm$Ke zJ0>>#)3sJd5CGq1etnkb`uCW8wp^RYrs}D5t{59KSD_CDva#mCt-+v3Ld9k?ecBAi(xgHz-5z6>z)ce12T3*yykoXZJx;Z(Sc#k z6D!gW2&nk5hV!zDr}1+DbUEBQTRR}m<46MghH~g;=cq6roX6bB`4R%a?!q#o=cu;_ z76I2EPEaEuvDfzwW{3VuP`f1*h5jD`(XJqqf>Wv`TR->VR=TBPw>tAH)!wM54VRPb z%N7sEX>1#{$9z!K&Y#11`7{w`q&Sk23a+-!`xEhHzsz%s`^5LU+tzm;N8v|#)>8Ez zW9mYlnJ>XpX=!AwSqJ=;@jkKM=Yk)pZGKnr0?EZek>MW#*&&f137X#SFMSUE1?<&d zR+aw9KRSkQEAaNU@W~pCWJ}8#{I$!jC$oc*X2AE$1+)fi(Bp533XnPTGjLHf#emPbQqU()kdR%Evo^ z2Ihg>BK*3CBb}p+!@8e|$L^;_=C3}J9rkket;d*Qp`S+e=pu3WuL#7(uTYWhRK%Yo z`&@s0MSDSog2xK*Bs>gArMybPkQ-m^uNbnJbt~9|Vw+dV(ZX(cN`qd1jic>E+LM?_ z#nbOf-eV49ov(f?+c7MoZKSlP(xdj~33@j35xP8WBBM{TxlF$9=PS1G2Y+sFdLfDa zvR17A8Vq%wRm3ZX|tuu^)2bY+Cj6C z128cH_m8N5P78j1)d{C)_I@mT(OCM75!nLC@uvIEzNULji~i|f!%;JZDr#1@ z8y;?kkeL4qn0H(W0Q0Ckau!N-zmg35y+tbg8mlYZ0@%cm$U?Z>*2L7(A`sKS_3DI#dhplIj8Px@l#Ugvqwigk-Qbno>}VVyrGAl< zJ}(Pa{Gd1{eVIuC^iHx$cUh?e^>u`sWjE{2$Ik|Nx>>s9K4lyR{aYdrkDV{jcL+r- zhyh5P{$p+}O2dP8sRm^S@@+Kz0LFY?rAZv1VnUeTH%m;+`N>Fh|zyJ6ob9MUGj z-*!GR85Gl89W8wPg)7T+jc1}#o;EIXB;cz4wZPrs{=n*@#(kS*r8NNGSJfEP*OoGY2a6jJjd* zuglD~@k%vI@?l)T11xVGSNq*-fg~mCavh%C%xm(gHml(bW_=OgNFh?Wc;t6%4ha|A zEtFFYvaj(6l0{@7*&cdlEBVvjird-S>me=-YjkwKs;+UBo5jdT=gL!vRufv5~4I59eR|uBT-h1i{ z5V!+}zJ$=pMd^Pe6y}jikJ#R!XHJ&Rn`u{#$M9-!05*PJ{rG>04%N;MQ3?uG3dsf@ z=LwEI+h6(NtJ-s=zN*clZ{#RkiSm6_>wT{QNL0rjNBi2p9k{Cp2&OY8?0WMR)gg~x ztZ{7^P!vwEN}z{fKN;Y}V&ICQ9_*0<+#TKK3N6o!FP`_nRzmK@u0{vJAlIJ{SjS|| z6V>IOlLZ!nTxcJ#&7DzlswuX&22LpAz8*&BmrsCOfg2kUKtubxJPP5N5fDYvsHht zG&rQu?KPaB2Z6Se&GRAHqw3OEs~Qv(fXEFLQisw1e;HRlTx=A9{I$v?rTT+=oT2tz;TvT9;I943*~-ip_pzZKH2t zcpE*m5WTFwWp<(?gRP#4c6=8?qO}&-FLWI@X%v^cNU!e5hQhgED=T1ia5v(;TIPxd zo{KP|5IE!5qazJ78ZNg0WXc00rWiMl7XOQ?O$m)h610Ad=tbfkYa{1x*5c1yT)ZHyP!T=ne;LVsDT*Y7R4-;7@5HW2T}PsBZrZE_$y&XZQ0=G zI8x=aK(c^9WE31V{2$>*X>ImH)LA*8C$uF6Kvs*U{P~4pZ(x(((gJS0iO-f^2WSpB zfR7>|2YNsC5(0^hKf0+iw0 z|9vQf>~l9SNcr*#r~A#4k0H7lJd~1b8h+l+k{LPxYHe0cFJfePrq2jNy|NtK9O_@; z7F$I6G^*cc!0SF1?wXPo9-NUg?xU{IH;YhPGA`DMe zWAnQA=TzA&Ww+YWPvgUo>e;2Ny`f!G(9KH_8)rP|;YI$3=1PNVP9kxI-l}3QgC6FHn1I@?J@%>SI&z+i!A>1dXi-~OIVHhO_{DXil1xy;Q zZs}*i?7eMyYyg-s_)0t-f5JElKA!@L4~ zYl-xoD(NMcZz>FgY3n@hCoj*{1cwhgs=IjU1}{)0p+F3J=m{4yw~#iWKU})k^bd=1MrergY)~s1BqyRJ10Xu z4CtGH`7L-4tEl4-L(C* z^=ncSpapnli|9f3B7vQ<#XFU;@!4+M=?sGxw(Wwipl1Z|E(=53Fq?y(av$X)?7F%~_nUN|t95rL-0X&5Vg5nKna$z{IU)BxEFmjT>LEaPjD zhw02vqvp)x{5ES0S8G$6>Bco@3MQf{atmxbxq~P;?B_&3QlAJaq(t^~?GsT$G)t$d-&D~Dk1!vN?%ZbsnqSN)fr*8> zU4?aAk@SpR7}tUxzv>@$$rcPwHmRIkQX;xniUx0ahT~~;{{)Vp*P6?U09d-q!Bv77 zG=OI_!z8GEsftdIg0U$Y*TYuA(h%|32NL>Y40VNMyxtv_fvT5*{Y%RBxv?5P;8iaW z$u{`NUn~Lxr%fewVJU6d-D$?+m#ys!PCeY z_YuCs#9CDEWz_-H1u4P>!r-m4@F$*F3?DC_ROg0_FBZA%Au;O(FHWJNKQJeH%ny)q zm6i1pX%&6gzUts&GFr?pB=rqF<_!vwZtuIblNsc?W1a%uE*%}14 z`*THYjD9z~L3kCQ=3?;?cnzRR06Ja_yyjKM<#uIUBY{;)^P;&NPFZ!xaoL(F6U=!= zZ}E$$UW$-q)miz^%hVsn??pZ&yzGPJT{M8U?==95hF32Ho~d?7L->VZoC_I2At7Wy z^O^W&WSCfPJVs*l#nxtGWh|g$umA#(&37}bf!I1#W`MkS;Be2l-;kKsf#6aZsPL&o(ls{BJqUwhkl9YQNn{>qR0j8V-Ds zGDkIlKf#gcjf2RFFJI>0pJ|>mM=Cjy2g=xs!U6;G8$26KbL%nmXVc6Db>iEn0!*`~ zHnc6tso7%S%fvI>!|HjBO_&@_xQHe&^BM-~j$+z~d%=mhhXTswpnZnLh& zVwe*{Q)pTlF3UVk$^+nTa#>bpu*j4cp@?tToN7nROk@5!d9cgI2~7P*%bp;1kh4`r`9ryO8%zqufC+4ifPY(vEeOi@qR#ijRnY8tYYk=KklnnwGA!S!n=Esj|uPBlw zMo8HL$&4&O)x7f7;;pq^Iclp(QYiE&ubE5n{*jJ^dA}xwrOZPnPe)Xv{P6}0MFo!B z_*veGI3Znnk!}n(1!~5*Jni94NkL=4@GJY){%h_pG7uFBeUqCfe zFJPQ`_*m!L`gX*>K1+P$9ju+3& z_ge)1!Tqwx*!p*$p%AG-{P%QR#m3_z=3Z2S+(;cZWPyD(9w9CyOD4{aL11sLztlly z&@#}rlD6n&$XECcOidHdR;Cu!IQ!F|5~RZSidDnJ0JFxc8wQ)O@jh+-;GB}hC68LiDG3!J(isLNBnDkaR_U)8A}eHl-i-v{{PZ-;kI3kC@eK`= zLhhRNot!4CPZj<38F zzsCJz6DUZ~_}$Nxbrhzmq^}_rh$>hK_WS&pm?1L|Sp0kOGvIyOXQ4uF5PQVskf;^; z%t;y6!vL2E)}t9^fuFAvbWCaD+bTwcq6%zpFolpAI-^{Cn3#l!D}g8>AB2BJvf2?- zM@%AGVGS01xeP)Q`~b!-n+ER}NX*fo4Q|@?%66MkW>{OL%*m}L_1sTKNy>ljQ}oos z7C}J^$w>pThjL@2C0Hz~jezW1`%#WVh*mqk0t|ld4MmB(M75%W@AO8p`<`$hm#qjy zSJ52s{gQ_-O)&+qa`?xi>0$d8yY8}swS20N*A2tioGpAPBD0~o!mSr5d9nb5QB<(kt-M$t`wE6vH0t*gke6nB;a02WZN!z2tOd+T#y>4J}7CDWiLMB zMJ}1+x|iXKCdj6OV2323^uNy5i({(P@kC#Y$V5HjZ;(=UEyQA}-8a#A^00IhksT)` z{s*ec`#cKt39W<3;4tA)?AX)Z1tRVT-`K@8T5^vVvq%DB?c1W1&=v}liW4aMDS*T|4L@>s+3Q`a!UAxL2+&ky-ivzCHhh0 z^$l_UsPDNvTI(dSz}SWD0zU=a;E6HtG84$6pbA}Rw~9M=qz7tk;qr|YI8>qeyim`D zv`Jw$#ay^F#J?vh*N)7BTM7M6yGt)iXD<}y&g)4+KTY8>HLp1NDcZKp^~U83Zwi+7 zM+{F}*KEF~s*A}s$)#h4jyEfnJLSIxwrt{UCXaYOq+z)|t>qA7)YI}QcSBBK zJ19JajKa8#5RTr{#=la6d`98r%P$dd1^?WiB^S@ZO{pN{zr+_83!ILnIH-utDya!Q zuf>a`^Wb8*+87d@c9Ua$$WNpu`wKF{+*dumHK)pixlGEhkiVImda+|s1DL9i zSE4p)0sRS96pY&yGV?d6EGxq*pHRFJ$lxfOA}@@o2@JcQ*4Mnn<#hbaAC@t|T=_II zQ4u`&H%e$aMYbSBJ26`KBx_lvv;4Mm>` zj;2HLBw_V$OV4sMD(bNlAME#TwwnN5oAX-s?ds5Y)Ad@WxA=(>gjS*P$4f3IRs(q| zdN@2mrx=VtLczM8+8ixe1w7|_c)C?LyPRyWn!IXmvz^Zuj0f@SE_Q_9e2kK%ehI3MZxb3b-?sjx>9%yHx-}IT-YuHOJWEhOQH)zk=!gp`Pp+>Q zg{bCKSmH_0<&ynEMnf%I%hNPi zZl%|^z--Q@2Q^SVaRtZWxsr3YVd&mp=pcSmfs2!BcT{cEBb#OCw{$-=+70UNYeT^F z6Y}Ryy%x#F*iUtP=^;n@@=zK^e2eZpnYbf3mNRETwD3@bhg2vmf3WE2;Cpkrzbn3A zRk)TSspVg0K?H5-u=9uJk6{OQ%YcsqhT^!Rpru9}jS6lNGB^~)Sq`(5n*%OFFrnftD|7&u>LCuTJs-PDz zj0&q;t_y+xBm;>pnwWlrtw@7OztSfO$BdoN_^iQd8oAD$h{42Ebk^%MD4mL8Zb%4* zzMqu1E{noGuV~aE9fu%4j%p%#FFjqu+iP*lDZR(RGmN@Ag>z*~ox%s!Jq3l&m0pH) zrMe8(f~w-0~hGO~Soj`wDr~$*puEO4!Z`A)dw)Um;e>NsI&D)@dP) zNx}mP=axwXrkAGU)hw81Uju%$Txu+_znbaIrezEnc_a8yYJ5A%ZIDh)4)f=Sxnx>? zfMHspfgnD~tH28;>GL3SGx3@kvQm@U6-Ab5`K1VU>|S`--m3(69&41=ef|N$0VXNR zswhbc=Ae(%=bK7FFwfNf#HcfZT#}Q=D}#lt;3fZqk^a&xvv-*$xh@CBCWDi{lht$g zg4rOKZK$8y;BRsDkEB8gSVei!g#OoPdek>ci5IQX2?FWGBfTfB+1`pYa?&9eqpSu~ zsh4DodY7F?T{$ZB{>iEK=k;{rZ;Ar3Us^-ViW}ra6lsWLdLs!3zO7lXD^2WFup1bp zPPdpM5lcGC3gPAh``@4^7D(LwI_8PTa4qTT9zC5n-1D=Mj=%(2;mm#$MRwcBxc;M; zd|VRlNnSh+X{1bi5idRzK^}_GPA#6ejl>&>Cy2w6i0}i|=`udOh#Wjrn=pwG?TIir zA?#Ek14rkQ4U&l?rTxAx9aoW+z_vxNkxc)HGB|Cnz?5oL%le-duXCRZjXtWt2E~Z$ z^yCQn@A{R1Hl80UbyRg&v$;Vau3(+C&Q(qV{DZ!HcOJ^17)RX{#f8hmkiFw8RHF3f z8XC_S6KRFRhlvI2x{%ONZ)m}Sf1^h}K2AX#U!xMmKNsP9E@D(S(r;2X!WGShGU(J) z=T`0r@Fe}~y2}X)(AxJUQ|Y)PN7e!s1%XaNMxM5yxb%G+lJ{_@Y<3ACRNz_BdNy7g zSA>bQ<}3yVR<4C=fJKOr++YK7aAFNG?V1V8Q{_L`Wv&{CE!YLWU*!DhShmRv6_qGV z-0o3?sfQ;5gBpy3g7REZ#uTM=TuwNxjm{9}|C9o#W(9q+l4}EtM$UsTjeZ+aLLPmF zB9JaKf@Ak=DRHQRe5IhdWc&izcVkmIjE}9Zw;dg@gD-~*r`snb)BAygSt^((9ZfsQ zVSGJN-9y=hx+t+VlczeWEF+D*Lka`em*0{ZRjmX5t`6#DdzJ;3XpGILf3-1!E&j;Y z36)<=6zov+edKW#oDvr6Ao;$R1VX*Z?OyKDBeL#%@SYOT_9^&uBK&KIyzAFh4)vZA zJtRvf=CaNx$mn;tiUw!hpx~y!RVnJOSdatw#HaDYNJHu`R!GsN4#@Ge3i)|>m}$e& zKxm9~`0X#ID@`<#^@3>_S5JMf&7#Oon!k9mAs_iua_uB$4Bsb$Pz8XYq7FkCH4UDUiG#srG2a`EkZy404Qyj;LqS^vq3QsVMB0raheNslXFDq5O5t1pKu+r{|>(NGTaD2}{wY=%FLLDJu zerq~^rwJ>vP#wPj;owyNEuZkq1LXe;j0knu&3cJSL7yz4V5x!#ftso!jm_8=FKTYi zlL=COe>886&zb!t(KI>XxJmbsLcQzR1HEM@$7_-XKh$`9fAqZT2RP>szVLzNkU3_J5HX0FQ9BU_ z3|~4mC`~vGquCQ56C}&btVsf;k|2sOYfdLO#~C?BdI#uQfe#|t?L7*EOknsma%XrZ zu1$e{R(=o{nkoM zR^2Rv5?>#opeBe917D5_0=IiYJ1H|BS;&~kETHwVgWCpEwkc?J<6ww*_C4oP`zi@y zG+uAZ>pkp0c6ee>2ZbS%I+ytxUbVN;0={?Xn1B5dVhwqF2PLKyQ6ihZ>ON-OR1ECx zPxEVrcG2Ob2`X9tQ9eTvO}U_+tl~J_-Iq&~fMI7z6kpl*hCY^YqR3a{CAjPxt zRYcfLN_iAhIa19y&Kg22v09{H`abr9nT(8aWCC!9FG(o|&%`A^k#bRsrJL4vJszLc0_enE1$L(*9RO%i}q3)w0 zU}Qsjlt8YmSP>Y zPoH{9)<08p-toMcm@5r?{dGKFHCbrb&FxUvPm*GM6tzBqc3w)1Q1DlV7a6BT9ywrA zakXeyuK(NlS}4{)j_fE zzsVGEe@MaM+oDb~&QT&{r>@W-iW1Y2X2VFYNpBB)ICb?S6eU&*f5LLlp8HeE7)~>g zJvA-_*tO%Ar?Rm2=@KMWGU2G5Hzx`_rsJOk@mJRzV_jzmH#14hk440$cmt2`;GNqI zDa)HEnhTHj6MIhQ*H(!HR(8+)J4#==WP_sy1wC$v!s71Wc34uC%+5WQJx>R&-f%M6 z=TFFte=DDVrYo@=$sHpl^)e2p`HGqpl{3SrYH?LW>H2i!{b#_iQk7S`OhcnK_0heP z@*ZC7rX9KNO$K>6VfFXA#gUXfIY=Ppv2e*6)-Ya(9AzLL{YY9j*0xQ)_q{bs(GKH1 zY!-Zq3FQZqoq4I(!l5QWO>s|kVPwL7D73Qv;peHj3j2Sv-<$S3FE?#ml+*$r3OL#* z(VoTeSA|1f=@iTiiNbpoGn)B&yO5fa*@JMxRC=byn(4+%LR#8Gn`ZC&eOIArd;oAH z77n;l=VLt5wd@!B)Y(5uyX@cfg1deIMD()`TLprr^WgTMyYG44|HOOEFrogr`0r^z z$(1p0vk#<9!~lQQ$FncVTghd=+nmS$8*>9Y_CaTP+EWMza-6zCRXhO;aFqIv`kJ;y zw9%O=nk?S@MkCa>rj>&`I!pDZuirzZyv z*7qc|?K-}_Dir0?vF&dkTUuTIz_h)%3D*FmZS?L~cLDtU)Wc7Y{n;HU_w`hzJ&XPB zxAvW^`X!u5@evZoa_8R4uc%~H!^eM5odiGWH(Hh6d5BpID<9qY6F#lflBQJ=&_jM4 zHi#ca%-ODd#->Z*h3w0Zng|mz#^*`b*H~w?y0Dz@OoTTrcLblO4i{K|%CgmHqQApD zjF#QRz~<+|tS_GE_jF^R#}WLgC=yLj9bPyRZsM}FpwO=V3(@h$O_bfFJp}0|>AS5X zRHi3w*O+LE@XGAQt#U3?Z%3ZO=$u(P3Sab|c$O9T#BDjA1#Mu>HpKyk$A_Z_u{*z0 zf`FwuN{LMF&3k5x+KcPo3mw~fAC8xdB6HFYwWXIM#mt5Btbu%vn+RJT_Z zEQde3ZY^Mon3f9g{q-hEXMZc+aqzbXwpf1JtM!GG!AGFc(J#) zx1GxkQDugBw}!kcB^(~wJqvvvC&&XoyJa`kd>Ba*mX3oxrg*i6v{oG?Pf$52kTp6k ze7vpS?Gf@$@p&BHdG)e-q7mNc=c6dFpyy6rk2n*Znda_UOGa>C2nU z7hgj@!${6x4UVU*jmM(pZ`V7v`F9o#T6U`cBbHxlMQhboatoK+(8NN!ImYgIR@A~! z6Jf;L7C+PiwcQ^l$n53!zM62r+!po2d&6cFoBJr%?SNrq@%`@B_8QWLkoY=q4o;a^ z7_rG|O|z=OB=G1*wOl}7MxsTn=R5^^6iG^i#dNR5{JKex&el*ScOW;#tA~uTlL!CB zk2^OW`%QyqE^#6Ez};-v0G?N(N~A@kmNo1C z1i0x^aHZISa+s9eWmagDn#8&-GzS5 zohNKOd7joD{0h>Wd@i{|Sl~Y80w7P@m&=tt4l--DGacxZhM%PO7s#K{2)G_09B7vm zO2>Htw7rHA8p(zDgJ^pkOw}WOXoR?xRp;6;$My491QRAP)dMo#miaLD;z0%8A0JvI zNJ7isB6Cuk2=#^oekR~0+XJ;|{$P0%q-x@`H9LgsRXq@s!Vix z_nAfbnQ`c6MOXx*&058;h)*JVu7J6$IBzv>ccGp-U{RA9Z)78_wLQin5_FO+yG5!P zWHxOPY4tpaV)=WJN0xH;D~F#h&+jkzlfVi9B`c&4a}X*(HgW@X&Cw zWa2g|+qQAGEX{xbx#e>}GaU=`O4WA9et+o~uj5)XQX%6+4=(*vIu!)6GZf9I(o^HJ z3`PLjuLn0uQfr}%3ycFdW+6;RLHTJIE0^9C-D|>#hDe+m|0@;gv>c6`lM~p?-L3hQ z8wiik#euC6Z(1$b&F03}L4`%zkzH0f{hqyAr$r$V+^ZAJ+}sTB-H^-!<#I=?8xLfM zuyT=FxN3SZ&S?lp22&=Eal3DF-dZ}5)<%UbtCk3BZ#by_Z;s6NTr4*Koi85C715L6 zE!H{yXne)>dN{Ar+*W2y*#YOc&7qjD+^2 z71ssU9V8hyV{{GPZQmvafXH+r@jMK0jex75$f9zfw-%hOg9_2T+kLOoHv)H*r~?Zg zGKAeJo;hO?*Ez(qo0d!91qq*O+R1_Dq^lt5ZChx96$ zH8^jby4$H>Idi^jSF;ldo|8#s@?+*b-P_h8Ntg)YhTHDu%@R#JB`N~uf0`y9Bi4Wo z4sC3bXO(O9F$M^ujxF)&gxfZHm-AlzUilg_981dob2F=}VmYeJT&I@GN#e86PFYId zw^#GeQG?%`UEf)>>hNE+Gr*Aw-=nAZ{D2EpBqC*_mM67i*fha)VWnWDs;UQ~^;@J^ ziv~h`mw#aq!l*6Ze>!cl>}fs`Cwjp76E2=m{3@KHyX>}HJzqT_N6??(kI`(;-41C2 zy^{6O`b87Y8-+u%H-2RFBdOAzA8$Fu?BSMVJL8z=O1;|ksonhsZruoH70$m5uXpy( z)2Gr5%#Uq80#gw#;`s}!cBAjb05K(r^Y(CFB4eNv9uO_9FYw}TvUL5TB~^r@OAz}P zxlG%@zI@kWhCmH)ZA$UgsTZZDp)N}+(^83AD9{}6IRhwHDV2|5(?o&F?7zJ+`)_Z= zIdj8l7xGc_YGjD2i1?XKHL*$A3mSs`+v$K@PVUpx*Ius<^FAZh{F-50YO6; zuc)xQJ(`coj} z58U*RtYZ3wG3$EfHoGj3uAWUIXYS0D)vfLA?0DeLhVM?Bo0}5ArEBUQZUSU_$_!dY z*<+2>0FTS7dRFa3mW9*#u@?6HzYOG!$EC9*Wd-PxT<7lscAh} zoX!6@<>GD>BnIZh?Or|jf+KUM<0%JIMmR-=*0Iybg@lNcekNtE#vEQu)&(7aY_X`c z2`N-QY}V@{uc&l+H7i}0AKs_U!c)Op(t*D57;3fw}}B8BhhN zMx6in0<_kq)Nxsu7p6AH!}i??sD2SpB}QaK#J(eU=J}E%AMr++ZPwhdCHK!-!^+>n z9!Es>+?ir=k&$-qYV{p4!!0VutVx|~^;1?WbR9mf3V9sqi!w2lH2t)%B*eznn6~7O zZCG@y@<{ewpQ31q?|YZXmDIQCg6Aqg_UhfccLe&ZX>*w2+qe1o`PaZl8fJuVGjqLF1AG>?ATv<(CC5TnYebIK9U0?0i`J(*2-dDR zHs3O6@OvOX$PrGRxSKxRchG?x?1)U2*XDL<6GckE%Cqu^4rs9%kl*tyTL9zi z)scs9FK~I(wIM43c3w~Avx;eGXi`=I)ujLfR?DM)(Gj>BjK1Y+@DM1!WkACEmUQo1 zRxxwiCsE%T1B#YLl;1`Ln3$Da!e`nCLM&l8>~73w7qQ)=@2E>; z_)ba@Z58!22-(dH!~fV{rJ6PllnE>y9rc3+Q0{m|Y>j%Oc&8GM6!wowYt?0@w5Ez$ zWj5OVPTxkz6KVNzoFmHz7g6(HKreh2BwW+1Td5!TTv>*%>kJD4nQ zrGUjr7Qt91uE=QcVHZ!3M$9rGxn0BNwp#Gi%Kz9siY!ty0$2Rp&o~+d|LimZC5huf z)0iAQ?y%!#ysL?7y7(tTZraB#WOr?4&M1*~EsedERN2`04akcjltIZ+bH%EPMxGs? zKa)tYT@*;-Mb#&r7j#i6XwfJeCmSn)GK$g2_UKsb1X#MDUFuDi|w-NvddADoB)edh8bR1K4uLp2NZ9G9R54x zuyJs3vXmhZnu#RX_QLP03P2UKyehuTbaa+2vvvTd*YU>2h7MnLr6r(yrHrv%JL~!u z4b3SSlJ4$iGdMCGm~=(NU;xO7g)O0}ADC5SD1wonj_j5nfs^U`r3&wMH1&3#*%HP( zw2aL~4>w5Mk0S@AV;)j{h3A|?P#rSqLHJD&Mxo5G}f&i zqz+H2WGi^3QRci~D}|~MnV*=POA9uhHE~G7W`7IDW*zsTk)^{mNlNRxpp`8}+t3h& z(S;eD)V&)X8fqCBaeGhzU(nzA$Z%g{9DK3-Mh6}9yY+_n=}|!TJWlnT5x9)7*x*Ljr%Yp zmlgqQGcbJ*fclu)`g(h3e=pQ-7k>Z#J-x87P^LNRMu84OM>*ig7tLrBUTmjDjycet zk&zJzm^F@UWd_tp-k*SlT;{c5G%-6bcuxCl2nH3=$mwz^upij_%gm^+_GlVo(GKnH zt?r6vzM)Sv5L2=`i}w>#Tq}bu$rnkBtZrc>!7L3b4_K?>psII@EN3Z%AgY$iP*99~ zaqgZdpFW1CbX+%%1g+8<=HXhpd#gZVjAJBn*x{DUJKz8;86u|yAq)5Sq5C?(l$a}^ zY*Ld~h!YTI*5|I6CWXtS$WND{;6>sOpSSV0LJhO%@_1}?1J>j18i{J09x?#LT(|UYNogAkO1@+> zqNCK=Z40;~;HXoH813Nx`gUGRK1XTh3pvhE0v^uUQbc+{!*NW4L+^}HyAlY5CafSW zp`FabAL_H_xM=IxEa0;O4--TH2`&+I;Q}{Rc7*%9 zZh1)n87q$b+86(GT%l(`(uQbV){*-E{6Yx4*ADGx38SU*7N~nCjANY6iH(G^@y8lVZT>^R0WU-Z7?GqFr5%`}ZDBxZ{zaGXTEUfZB z_ZrB+FrL02r2st6XEDWr;4d+mdhA&569v|W)N%N>9-oB;5MRr8zXT*fH%H>zVn@gb z@7a|2SHlKA5Uo|$)Z+XftxY}aaaGch^8fsz_pHYs{fc(VR3zeoyPHK^R%^M>y@SgE zq=AwysI^^}vO~5W8y+3`{=EeS1G*sUMsWnTvi~C&^aQB(CYSjH$bbQp7I@4+fWDD9 z;j;5l03VqQH1TB%`X7y)q5?AInZZ>2#Ko_AunXLVkgvDc{;NVz7@=S?zg*=@;ZPvV z;qE!A>2We_q^~Nz;QfkmOJc@@RLLSOHqgcOU-im!zyWVCk`0LQerH`jH+YEXo@SfT z)r8$7e*d?Xii08!2m-d%ru{Gk_Fb1#zO`h&Ssey}Xn~yqY}S6he`?(TMhvP*Hpyo> zrzotIxg`w^_jxB!(ii{im}DZvh2PNBcqF zqzejyoyK4V;>JIk;nC0ZwngN;1@&`b4ZQh1tP4!L1n3)}#WO~STMeTV zoT?;CSS<+i|LN+=!=YT;IOQahEz+?}W1BHbj&4! zt#dGE$yFl1tBfYceplt`W_ zFqgTzhF!Ws9gEjcbIPD#cGhVWU561Tp| zpGzPlDl6iI5o9`-B)ylbe0BN>lhA_p+6W!;uz2v?$=@gIOL;t5XVYcWZVD1!c`&2$ z?PP}~u+K8xCHu%xK|u?R2&9}T6bRHJrBDBv5%?JhwZ9*dFakUNr!KYOrz2TC%vF~V z<~=#f_w>|x!Omd~lV$5BoHAhSgcLjJJC%~e*!}|QZ@nA;IEz_3jM7SSn_FtJFoxqS*tQ=&+!3=n;`G6E$UY_l#gqz(cey8S&7#+=7DrUSWH#Tx|=4(0i{cgZ71 zcCl-bXf$MTY32?8rSQX@WplBUG|zw4gPAXoJ@dgRFi;mk+A>6GB083327bE{Eoy4< z&urc8w!_w$S3Gl)YG5Op9=POqIZH9a-6c}nNa2^~Rgk2UN2)TPR(($Z(Uc3Am9ryX z&a=JPo_o`x!x;J|QJv7oW0GCzA-V1M50EzGAiKAnrW{)g`pKJPkAHtW8PPk0W|NoqmN zH6`r_tkhv&=W)ZvCX1GUurb`BIYG;=XNmT@_xWNFT2YZ-PvNFp**0i1G`fval8M!) zwYmIq)-fNN0JV-UIwyqwr09S6AVH|`xgMp;dpz2$IOaI8_s4GKrqXfif=ebS60!p+ zm&vU3r0y5&z@}>R!g|U#6B$$`-aLF|vap^A_e%RPzUM3R(dYbI@{jgQk9o?Eyw_H1 z?tTnb_xq()d?#;uRTkV?zOGKnmCd>6fmOe9d}3{Gg#2Q?lu@L|TE>hmj+pSt@S($9 zj~OmDyS&efOoBSVGrQh!+l*l2l_)Q-_uCEX_y9(Q5lC>6@vsSd!WN-8IN8xk?Rn)F z0^UTm#T%?{bc%$x)8Tfn)LDr&l~toP5+Qhc6))>2jv3rLDt;5(l3V^P7HdAsyMbuT zp%h)MzV460#wj3lf`heu1<$4wIfW-?I8_0*;W@*;o*#_6(rN_dcAgQ}#~Qs9CVKD@ zvD?)h^S;O7LkPx`Bg**twZFanf_nn^I%j`a=s#H8Boz9qdB2%jV!ZLUQeKci`8kQE zzaRnWyw8oA=EbZghI$^mW6Q8BK9DbZVZuK_)vcbqIqn<5@a}A-?j%1n8@$~zaLTX9 zF0=pXY1@}A+8L6vUI$1Ki#^1x0uaW^vJ}4d(y-_i!cOrLnl08TYnNWO0-?qQ;@LC% z8AgV3BBh?AF}bXuZ98y5|1ptyQPrpZtgf|;P%>YD0`-c;DV<+f?)xNw;8YVDMBT-8 zBvO%+;o~aCubWGj`_ezn4|T=afIB5D6;vwH-=2=Mu#EYL!4$$g4F*GJH5M+8rY!E+ z2q@2h88B%jcAkbvL5M+ZG(2I;G;jyiW_vn%Ud6_a(hRATO`sL-PhMl-j`a$-uzgzy z`k6jV)2rm#&7`b>tg@ipBiif5qZ?pZWD;Ab+@_29y>a9f`#MxiDuOA|vYaGSf|tT! zhg-3E8qtH!%N?k;BDPs@*KAo`V3#Nk=*5Y;ouOT$Fiun8{x{-7+f`Q}uRjwDvfJpg zUgoxZ7n8E7j`c~X_;~xNT#F-+bD+}wqr`^9>dU%%KJ)zSQUfR`u4ZQ-yWj4pO7t2M-asCS|wFpBn*<;FZP>#F)9OG!4IH^^a-gwYNeck+A~F$gKpM(uXX&{x=?aVTZ2JX diff --git a/versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP5/shared_advanced.drawio b/versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP5/shared_advanced.drawio deleted file mode 100644 index 6f96eca0..00000000 --- a/versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP5/shared_advanced.drawio +++ /dev/null @@ -1,187 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - \ No newline at end of file diff --git a/versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP5/shared_advanced.png b/versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP5/shared_advanced.png deleted file mode 100644 index da9899157d390e82e60b50211bfff24637e8dfb2..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 90372 zcmeFZ1zc45`ae#mNR5b~fG9Xh$k1I5N~s_z zp@@`p`2P$uqZqq)@4epr?e~AL>&u;U&Ybu>@qXSLzkm2CqP@GhfJB@>b z55d8~lO!Pmd)OLOJaKSzJ3QodJsf?k?HsId*!WJMKe6%h*gCs=u<^;U@q#}hRw8D? zB3y#zfUsZGYbnrE||Hnpg9kZfUu>72>2Q}$I;o+&f3n(5_298FAo)V8ggvmKF|;+#*|XnA>P={l-u3&EXzw3UTSPN5g&W##5>2QIZOI~X6gAh!VO0G~XNuBDxs zjhmSxxRM=4NM}rZHMvf?o;7nam*Lg)^yaZrP(@$I$qYQ|_C?@8PF&#mF&A<4QFJqN zu~h|&a{yPe^ugW=wG`A-TKb~*2#ai=#LHvjhP~a69h!E2nCruU=uzj{c-mQ7xnr(| z-sR!!?BHSN^6gFwXD25huW!C+=H}+?{q5JRogFZX#N5>dtmB)LP&+g&%p88)t7B*B zVT)OX0Os*f-&V4+v$4hA8ODP-;%J8bGG>Rnt(m2>H~ReTUE9)kb9M%&%5Piw2`dMb z@UU`0pQrFUN54G3+ZTKN;}bB7@G^7o#H>x#%)-{r3D_P=(C!|-*fqO3dpcQedkpXn zS#MiA4=YUpRI?Z1K2|O1#nV_6V49KZrdy4vlOrrw&Vx<-GS}eTkSX^ z%xlgkCEXMiy~WiIIIiLwJ()B!H{Z7+}kUl4Wyc!NELy@<1m2k>RHFZTma zjK1Et_W-+h-1py6v89>2?Y23f^!@vK{mv5PWfTiD zk#|^!;PxM|{})&XOyvKadGP;W9-6km(k;QNwNER6e}P*69bJ4Uk(xaEOPSR{$K^-qzc; zM9hX93RO^0w|z(swMf(!`ZhnoDGxI@8!O^?Uu z2Qv>lFAP9qaPenwg}DRV*=`$2u&9Yu3`S93fDwBMcV|yG3oFc7K&)S)%l8+;!Y5Ya z*lp~E&@%YpLfh#11+TXsa(mYw0IJZh)34A!rC%!_I}fy7Y@Y_UP*$;R2jKHpqd;w7 zZQ>g!{5i1wuGyevk2V`j6#4sF5-&DZ{=1gMDRYM!N`t#IDWSjZ(@?iCfRlp8_;{OSC!U79c zPyY&a!enGSkQ}QK0CfLHHS!;%F}ytAs|vII4^)K>#Q%<}K+5}l)cucS3uacr))v69 zzx6aWUOqt!VJma%Ut{t@fN*ZF24nNQSbn%ekl6UPGbm#r@ZS<724{8{{nvcqI{^9? z2>!{u>o1X{0PI^yeqq{wg(QE>yx?wjUS=Ms@(P+;V<_7WO#l0fR8aUIi}XLnt+DFd zVVysO#Xn1~|0(W;zRORz^-hw61)-fR35KzPzX{>~UVC4l1&bMfmT(L4eQO51*dUC( z(61xhFiaTv1xg3_{3V^@0X0Qz3ib1Z3QM?AWdzh`JrvzWpY^+h`_CB)24w%nh9V^L zoqn+~2&>;eYbe6Jus`6_yx;S*UuZTzCgOm;q5cEX|3Av!e%HGGJf9YVVQ4Kjqrqxm zM@Yo_@=kJr{Tf#P{|cdo{g^v{34}Zt<^12J*1teG0>a-?=%4WwVT}HED(9C_=pWM^ z^on-SlRu8F02ER6iGKzzx6ydJsDZ`e9UzM;gncb*Y;U2A_DkgpZsleN3hk&2_Kyo- zJA*U^*1myW3>^PWVl*GNC4=?Qe-(Q9u(>k!LRi1X`tYvE%EQ~)%^u_=C$a6HuMHur=D?#X zU>s)$8vLUI6iAD|G|_fep}_txeSlwCiuwfr4CCQNx0=5coOrRB_6|M4_%SfOQ&GPn z`$lE`;P1}n!PlJei>AJB+hHOnN=exI{y(RsFU5=RwS-O5|7KbOy|?eQ1mnX{i@!um zKW6qnL`n-!H?J=}$Q@zR!okel-40bk+EKUtUBmsGL?nUla{e#Hc5EQ|v&q2s^_U+n z^g9s=bj!?qfnQ+n=Ynb@xueAP^S+XRz<1dT#)-f7%+Xi;+VJ`3dO%n=+Y#=ZoWb*{ z$!PruqCf7@-2NVqoi#Yc$qdz*^Kb)04q%i5OwaIu!3%T))(H#E|G?pSJW%(>Vl~D% z{}2KGyg$2Hf$qMU`Sz#stW)g5R>@FIKbD z*|9La6Oys~2WvL}O3uRjV;cE`v;Wk;-GME8{85|NQUQ#jVEFR(moeMej@}nqj43@} zdG%LHjH*Il8S(F8$WHRhi$Tf13$9>eCWaHi1Tal7tit{*t_Whu)bCyBcW?znOfU(C zovQhY27l20#for;>th|<-NkI%f4@v7VJBfM(DO#92^lvVb0`SZ;4f;}ZpWvisGX>e z84s#O!)0yeXy*V{gE|LX-^|fv`yd}EyMfSQ<=|z7YS{g7?7Ra8 zAW%1Oa&~h>&FAbq?2Va2LLKKvKj`+;Iar}4W4ORtE$p1YAm2~UNAW@~48))gW7>?^ z%WogH0~1@Qxkc1*o*j?2ebB?r%*ovvJQViwsG%>+!vV5t`R(0zo^EbtVQ;ftMCbZW z=)3{|L@;9i?($wR!=7d3(V1zX*B1CCV^?pJc_@I@GU5UhIU@4r275 z7{RcDf!dJ}u>WtPBd95f2nz9;{i1j4H1=+u`p$Lh5 zr(Y~`{;`F6q2hJe2%RKFX>|9pW-Pzbz@jJ^(*0b#4MJ3Qz=)}+O{<_<0W z5Dfo+*8T%;q3rkrm;j0lU}P`wecA5M@|W*3gC8#RJAvq*Zw7uBM+MP!#$VM8}Ne}w)F2!A@gJE41bfnNC2BzVlkcnU#?Mq7aaJ7 z!2H>cKWO;E2I}8I84ykX+14Odpx;=>|0>oyTZ{jzSffWFv1IMPyg<$WGv4-}Y7O%L zSPlGvx9tG$|C-j|cW5d2hiLg{$(`W$FN6N^Wq%S$|=ZkpJH(g!6Z8*h{4O2-+H&~ks?X@~@DJYl#6%S|f?+xie=lbJ z<=sq-#`&=0>sSi>XF*-yyTT+*ED8Z&?|0gmX^f=~E<`lOFE&n&?_>blsvGb3pvDB{%kO6(L9KWD_YJTU z>Dw>dVhYndUUp_XrXvAHq9gCuft?@E{u-sfI~%zE_h)1GfZP3d3|eCQy;uOiR=9Qm z0PJU#Fzh}oYX2*(3VuvY^(P2`a;tAfTd_v6?Qj3cf}EVWtb8zowA-&km^*_XrUXC8 z34XQE0`)_J?qK5&-<;t3?!5_M59mkwoxxl1zJ&|w2h70lA2|T?1r*_DU5p(Q3@$s~ zJH?!|<5g75Fz65M3|^iehy>>4l`jM6Uw$u=|GQs3`q>;8w(P#M#`%4R_+Qa1){6e8 z*==+9#hMl1!7yMf7sHBsr_=r-)dIu+`g5&dFVNe|Ai`X8lN&>Utg`iOLgBcMUHN4vqAtdO( z!mJl1{Fj*HnWfTRX;__^_s4tnz(&eLLe{Aonmt?5jh)^kVb<`N;Zu-mD)v38c{DIR+E2JW_Vfo2JRXu zI4Y$_LU96hsvHXosS=#v?R{TCTT-%i;de)=FCsgbw(t6H-@O5WFN4G!&y^iIKi(GIYwS;<7`MM}c`!I$z`kb)+*Pjcp`+_aBk9IMyVPV~ z$?;=n?m|e9(@uN7?;?E^&-`dG_;YNUgny>(^Gv8wIltG({>Z7`{4BXhniX(L+eEQ_ zZ*#oVR)k6L<{srl&bkwn5)dn9-}$#PV^6PK;xUu${2X^ctfR``+v8)uNapAMGIz!n z{6|eC>-$Hm1J`-1o4Mjnrs>7JIP(n4%-?HVu3Z0Ep^yZ(eA}MROu;BfKv+BZJWG`sJflF~DRuEVxyyl- zv-RZk!Y(XlyKb8`KK}HsbEW|P5|L?A6Qq>Pf5$Fm)TqSiz%A7jx|8sN+|BjnQE+4H z{n={QWvc^L3(j^QvusQ5ZWXb4mTKF5cMq@4vzUY<>d9pk4E!YiOCRchv1r`4Jh@-O zkN+8+A%gW;$K7F;Lo71XmgINep*?TqvUDn0)Z$d{A)|5+dJ(t7r*Em)?SAv>zSW5b z)@`ka)BQh+&}v>3bbK9gvQxCcZS0h0{Mc2KAei%(=FL-KWP6UWXk^NbhqTw96E})n z;bZENT764vu`l9o{QOvp#q{gq$4Rg(MFhe;+qlZF*&Jq8PrzwhDf}DqWs#lc`Nu=z zwxParO?%t+>j@J-b9~=*=Mn+oBPCdaIeBcUzAI@|DQk|`xmci=g52BV7`-UtxgLZ1 zAl0sm7E?pw#pg-X(j^bPD^M4@5ihw$V)gVg%$-T#ETnpMoKbxBZNhk4wf*W$&1d*S z2R$AlbATI4za5UGh8R3_kV)pZYsF2&?S^pYArOJH*RC4-J=s4i!lcd#@yN*(+e6s2 zGB-N6wLYUr193>mgL8V!+$SXDqUPk#zQ?o4i__OFJIrvIOJ=wwH?LZb#Sf1L^7;VE zcu@9}8lq0vWDzexG~mA1up%eZ7jKSb47X}Ylz-pXJ@(ERff&u0 zqIq-QHp6tkVkjPA%*DsQu|-F=4NVj^TRy&sYtx=qbqH#Js9$Y9qe?x?4gk#gg_Z&O z@iG)@vk?gGaIfjt*QBk9#QAn-7?!zRO6rq&MZ9}IPA<)^r`D|mxr7y7)4b*g*F6x5 zGk3LQiqCczc+VIYFi|e-+K9VLsUzb$HzH3vQ;T#ZqpR>a2BqIKb|yXq6eSi6Fn_y?s~fI*Vv+<--GWBUq6s4y+0 zI;nsQ$F>Y!mJnhNE#i=?knaa}SWF3ITK6|nmXt%+e z1cryp1(kKkH5WG`jiNuK8Ainh?vY8JZ-n~S3U#qo~;ph z9)XDq;lSR8?wyHIJSIbJVR@G-6X2q($FP7SI;`ZQ!U&ndX9qb%y;QG!*1QyWx~&p+ zhD+P=OnQhaq7X?h>H$qsN4(1QHR4#17Urs4EB0G_&t7Ka(C5b7a8vmzJV%==!7xtb z;EGVbr)nbSwXEUS7O{Erz%pk0oNKO4*;Z-zY;xvzS$Vl+%OmQKigc3;fE#5z97)bc z2TmbUVLAwxeo?8#{#I%fXvRO%xvO>5q3>ba=)`r&Bt9Fp4}B%=hnw9`L+R@4>kC|l z>uqz6>lWbj<{6#ixSBNY!uznI`x0_iP@{P7J+MlIrj~WCL%2cn5?g7xzP-NFR`>|ps zx!tzg)cW1WHx*ej=ZJ1=-TBSVzBLJ!BpE15$EANB#DZ%7_JW^XU`JsvlR0hp4h{o%}+YvxBM~o#ZBduM(>AV=G}MCm?Fv*nFArj zluZ05KLQ}PxUUz_B=K5&d1W*{1?Fxn=JkPRRKo8Qw0di8O3D6#&zyOu5bf)*@NmXx zB@ks|OV>7+2Q{)3DER2ui?g8Dgq+h>`GU6sI@PZ6T6NR}e^zqzn(V0SGIOiB-Tdy! zIMDj}-_odYr4h0f+kq9BODZjp5?m=@>6MMrRqpE|8}lsA9k;HFD!>*EKy8Dqy&?;Nd>e${-@4Lxos+O6s(0#8H0(n#J*`R#9>O8>v zLm=%$mwQglHZwZY&uxT;{a>560 zeB{DYnm0d2{mKoHS*3JZmhU2EQ~ZoGjb3O_6(MLwvdD}N%+y@)-{yd zyY7V)Db02`)s)S2-Jv~o85(+B%$vbgBi~r!5RT7E8q9)dlK09HbtZSyeC^!i!n2KX z@OvgT0}*@Z{5c`)5X${hO(eMoJ+4IELF!g`aq(KW(%(cP1#Y;GHX}Lc$aCo%!YPFk znJP-jqEHW?`FjuFgd!^0=|Q5h@Q%O;=M5t+i1;UF;JdQ$*6U)urHZe{I@P6O4?{k* z&#*y7y*}8=;d34MkOg2<0UpCF#ROz2>C|5uI^9=dvGn1Uf=VeFUEkO{Cpxln7S%Ly z5m|VuuxoupNPhL&vHGwayUtr6!f_ocLY5|~rU>pclO>OJ%rNb{qnWJ$D3$7v2p2zu zW4{m~;XVyZc^yN-uytWaSMU6=tH{#52R97~oMKeq(U9;md z-4&J-hS15L=aLM=$BzPx$IkH93Q=&+J-z0;wLa%`jD4FLck?KOgu94AQ`#4r4_6yy zGt!P8qrW=L4W<9^roik(2ckZx+~XZW)bqVuYilHOC?z;9Os3ak$~^r;_(x^PX$T=? zx5kyW6rmIx7c$Cc?Q{?b1=teGM6iAUcFf+9(gWc&GbC=Jn<}LvCEHAn3Yj5Mg0I9C z`_Z5yk0c%wY1B}Pmu;&Ow|Yk5vt+9eAT%|mW$0rlwGjYtnaZW#i(9DuLx1tXId-U_ zyMRxMNWN)tLaT^l3h6>x;F6xZgp-5v$NsXm;?maA=@wR*VddBFIWD5Ip85B7AJFQW zQ)NLCGyxf@)>ruNaV8-fk0T)`=hLgR&=ek@Nb^@iunJP0(IFT~0ugmTzBWe7GOD#l z5Qry3l7K5FoX-Pr&(6Wm1=;ZHyrsGVl8nNjO}~Ec!9d%t+tl19)edO~0G%@qn3MPT z@bbC1`*`cV1j{_lY&GGajZ)uRfacsjeUnT(&(Q9-hOx(&@WmUi9yb}V{N%;uyD%>B zzD*~AI?&~#(VSKxof$A%-Qn#@+k{VT!vXFShlAf zXuWV9-OC`qy+2j`jk1X3K^aiPF94-gWYNyw~Uxmt5Z!%P7^{6KEOi?r10>s$K=xUxi0T`UcQ3BBc0$-c00H*A{fnah@%ST5v(M18k%UMjS#|< zq=o>nY64k#tj}$o{Io){Sr_#jLdyO_igEmjI8iwI_|MX%;y-V#w{NrwtwSJ$+|&!yDz;pthuDMiuRy+3JJO2cBIQYZE>SwVkHt zF%2n{YcODeLULpF#GxRloGrD8=ljd=u8zJgbf)3t=g@rSK zzwEJFq@4u(1uu|LAZVMvgsvPOqLry5WfJuuX}Nm*5nv8&8I{tZc;mCzMLo~Dmj=JR zq!^Rap)R#~9t4eHK)DFRBDkO+7MT%{Hq|GnOGawv>dU)iO?83@aNr=+XT|0NzIo^oLV1}Z>DYVi1;Zee`{ zW4Ww$MIYNWC`(DH17iZpr!TF zN68|Uj+>7+UD|~<_wicte3Tczyb${t*sv8RF{(?1-)yF`CZ#;hSFje+0Rbc7j@FiV0aK(t~7!h%7%ModPk zFDI-zYfG{1D zMk1(nt0S^5A|px$IXw59qAbCoj^7Z?WNTP~B@F9;45v;Be!j!p{%#>FNC-Fr?s9G? zYE&aA=IetGplxpC>{(-wEexMYJ*$E)^fUs9CzwMh|CI+XlK>Ffd^Gwf-e&g|5dd(T zZwoCRRq_r3R+DAjmV9LM8uNrdsy>!+zdAXaL>TqRms8(IV(Md))U(O*w*bKo1{h+& z6EfS;aC=|0v(=P&!^YLg!E>m!q4GGjkDlofD##Nmv_kc@oh1(;HA+<6eFP;nT_ed z_~;Mo9BI#(I!Qh2jY^NIWf{^jq-BLNRF{;jT$F-YGGIB3eDB-$Z>8+-UW$;uhYFSq z84PGgpbEWsa7Y*axcjK(QUp5#0w_t=<+*?r=9yfSY73DUa}rLB+-1kZMfng8-N_RW zO#M#k;E)nrH&4x<+prY=Qhhwb3=}+kE`eq3HM@HhyDT?67#+mTlWhJ##=A%y98xkz ze9R##Ty@e$T{z&S*|v+RBm~?5-)oJ;Vhy*ALYg2zl|=!8$WsFV*uOB9U-Pv4NiWCE zExFoo@R$K421Zy_gwW1zuc1~)zhQ4EJxCoRa5*K8VI+1?t=2;3piVZ`;L+qDC6s#Z zjP+Qe%XV@s+9)nGJUr~-`Fb7T)1Ig^&M1?mqC(lX`89qe%)`!-<1ItLI_9H2U$Ds4 zW}_Y<%HTTo5u|BLv$xeUc0kN)7cLc32VeIPxQ949uo~Dg2`Khq)Q3P7Bu_0%F@C^* zYs0rpG;BkgIs}e#mQy*oW#|k&Liz)V90&C6dx%)UT`s&(6(ISGI_egCF_IsoiO>d0 zds0H4F(6l)jv`2%XKgt#{BCHFAQJ*f%;~&3(Vl*Maeo~Gudr2O z6%sibV6=Yg(NwtSurpA#^-aMtaj3lYN*%^VkE~=cZO#p?GNnN#)9u`+` zynEoxZX>)3%CzQ>&OzY2Z@7@xFhUI>InN802saL#X*ELBi|y}@`f`5~g2UiYh@oH& zLlHrk30F7~x?s0m4y$IP8bo9U75}zk{n_}i%Eb;9an;w4I!fhr?I|$aM>P^LX2X2qY08EYP#J0+%kI1#4~T;sOa-A}C{b8^oxe|i zkZFsk?Y&NY#M}e;UBjCs2qEVIx%%^@u5D*)? znd--jOgLQksE?A>?!~%_kvgG#AG^Twa!qIP^qPW4fdf-@j6zPPbswJ4K$h`trhkze zz@J75++bSBlG$~{L5B|d%8OiVuRY#}UDIqfUEk7#{w9X69dMsqz=Zp}qseB3qUKH5 z#S2SQ2+JqGWf=^b(Zi5pfBhzh-~+~*aJEM2SNpojEO6E96G zj5MB{^;=l7?YJRet-=%=nMHiiXf4L4(8G6QCOFu<_44YipeC9!jp|dX9u$mtQ8(+= zvl}iPuWrhp2&yxX=o@*_M6TpF7&yrw2(fCZL6mhq8m`C+cX`_pbUEk_8I$T2kYA^+ zj~(d>zInJ=<$63`m~!LhE!Qa-ITE+k(EAf_095Pg_~zRV}wnQY7QM$NvqgD5xlz3;=)qhT?+r!h2mp$GAU|R z8aEXrc9Bh;f5dCaPe(=;H#@vpVADhPzAC<)#eP-Msa zLNf8-Z(-&u25)B9Z<5nX*fDLD29OH0>}@Xc<+wEUY65<<%blK1lJ?H&Y?;pTJ%x75 zFvIc{Mty<1*5jq7W9$LmZ(01j&PJU{|0sXuwD0q3dy~r34pW${eNVBA@1EQ%FiKmaOb@xxeJbN*j?kfd;?)C2G>~fcye$ka4RI3yw(iLR!DSnI zqRwVavXX!tT9R^`#7XYWkBNMch=f1?4f@GLv{iRS<9y3SF6cw&RfvJ$y{4`*4wsdo zpvqVGB?W`#4!mq03^o#A4ZRs0|M2n33T^ZKp<~d==F4mbyNlj;bc&aFj*7OXiT3QD zH6rJN%&0Jgd0!2TI%z>P+IojpLAbPB{0i6Q1EaT&%MJvDsdQ_c^B>+?*F;(@m#`8L z8l|0@Xph=6Ra2|u?={jPWMbBGK|pu)i4&(DKe>(CX2bu3W=nFBG7yt-(rih!hD~FY?19 zUhz1(>GF)AQEehZ!loC+>4)5VK8*Vtz&on$7!L1$={swqlFmaD!+~6<8r+I!=pvWe zFLieJm{ht*m_pm@45O>nsPYSehsG&0Qpz6n>+D?GLFGsEW#&NInQ=O@pI*uW))Q24 zm=&60;Ws&~cu`oxT=S|c!*%qBd8z=k9OD9^yYD(o+xh_N(l^(3B+E4wWVqQ9FVnwt{d^GE61#M_kqqy(|B77%*RO`ci-w zIrh<6G{?X`9<1_TZhreDq0ODk;9(=6(6gYHXa-1mX~3%6jhVrqb;kumkHt4qHq7UU zD0oMoT{=XpmL_i3_$&k$pNfv|0$43AsPbM#Mnt#0HA@NQgbt)j;io(5#m~eaXv!9g zOWMarHxjlX-*L}T$K67!Lg;LUTe0ZmfU_|DRINes%HplX9GKMys?m|lBca5FmUSwJ zPbNe1d+cc&)Dvc1fXYfl^1c1?EgCN)2CxgR?VK*QcRLRoTcP_Y?aG`;`A z-F(5?=O;|ET&J%Vx-NU`R*h7N5rhRgeh{NoG=F515@Vnp;6r%|?z7Tz>k$UiYWETt z5;lQqTI>}hXm#n<1WE8(J`Q=;nQgH;KQ>PFtYic9ACJt!ArYwc82@YhnHRbJ)io?3Fq8yzMp(kRu<`BI#X>q*-;r+CJ>o-qVq^h?bDm& zE}J!$Ko4_DBrWyg(jbjGVKT#4H&7WCg{beJ@5)Yyj71`$n{InP9T4v^6i_a? zA=3FMLwTmor^=VuqHQSl^ofBqYfi6K_Z#($xnfzG@wm78EEFlnxkzLModwsVV3TBk5n%eNhMO3sUu#5yZXYLsR)$E&!W8HsvZyBWCxK#b zBDc|50y$7KDX{BgKLoY4LbZ&ED487Izfp!4IS(>rDa7&;Cxa5c`HLGTt+f>6ndEP& zT$>$@mts(st@2xB4OEBK(ijCUw=??;;abG5fMJ4GdXZ{S*n&E@%t|2ir@L){BNlB8eennQS~%&dLgIO)qV2hQZ~Z})6HYJVGOxnPgj{_91cCRYW4D$sR$^DGLgb=vpAx~_rmwKXw`;LmyDj*RZHK%l@O~6 z%_62`vAER=msT9oR5`C6R!=Ir;ezK`!~FyGukI`H|RPqAXZnUX(5$# zUT|IFw~wzdQi`v*9F}>G^gCLqTQ08eIT^{t*ki6V`0QonL}^)dck#-6nM8$TLj~Uv z^QWm}J~us#yL@xY%3d!nI5KwJk(c-&>OuD;VbJ-4_k6g8?VD2eybWJH1Zz_8JANTd z5*vZQnK?a8Im8~q*fUtTDf)2H=n?f(M_8YpzI|IBuF@{kN;Xbzdm;Q#cBtCsio}Z> zfvuJ~ThqM@)QFLhFcXbDm)#%MKjP7_jq~CI5*<-cXQ6T1_DRIerA7BqMGEO;kNAwB ztVG?pE%C0qgZ$aMT+}TNXh?evh{8Q)*9}ZJ z;~J>#`>OREFCR02-4Ck|Z@(G9FMvu;6jW1bVYg=D_7gnn_Er*pT4~r6pf;>|!^f`c z_PS_LjmJSA!mzy9?wX@ttY1c92p1>jQYl`D_b8u}EE^dfSddn&*xnSdmT8{}w{{i;3L3(`o^sEc|@ILWsS)9`Ey`L!^{$rKM+XsqDLQ2D`^)%1|J`0Ci3gV- z0{RzhBO=ZL&z8UxPBf_NjsQM3*^z;NDv>jiLnjXj>hmujIx@b$aL&`NY7^-Q}*J%_sjrl%+8nlVfuqM5Lm9cj)Pv)5%o0w5$oCz zT+sJwNDtnM+}d0RrQ#2}yK7H?@{IiL8JsqgZN1dakb-7(Q}o^}z|AMSbN2S+o5X`A zttl9R(5((A6S=&Q`#F)zfG1$Z1&o3bqdJf6^AqAPQ4@gm^RvF@$1n&y zEj_$A-M2S^U6t3;e0>$4Qrz?&_2-R+_~eJ`v?o1M4SYzMxptYL zKTPhlJ;`3&8%vumU0JB_G)jSj+lmQ(EP5P;#f5~E7)~MmTkSr#$MGIi&bKIh$?#b4 zT$NBxK77}18v{a-hp4WHjnIT>$p{&!Dxn@)91LL%;~th^#jpY=0?3IBu7jv8Irz`wBa@$L9O^ke)ZSdC8~T` z3q(q=f_HWWeM!u}ROz5_Jd#koMu(|Qqt}mf1Qd#g$Zrp$YjXs|p}U6-oCqJOR7yoZ zF>0Bt90|M^r{5*%dA{xVv8J(^OF=T5=8*y<=(FKRYR~CsUpRh2^n%#9)LhlHix^2P z!7N9J%hhlW99v2xWrzfhnt_z^E>nt-XFbb%aSXlgc<+%mE>TM7dgyk}EEhkQx(b-m_0^HhzI0?Du_<~ajYDK4bs$SEO-I*zr zh0reX?ZXKeov$*wLOfr?iMvp`c(AD!7bgs7gWNPvjtwYuG__HB- zh|Dxk9xG3UY+r{fhR3=QzzGlU|FV|EGikt z_GSTL6AO-1d85gVqW%;Id&PaqD*T>ypX_reK-DyT0omPDRSHJH5-f3Um5KW>?hLAPojn+wzn6E~mh zcx}E{pXX(>w|0Th)ZPVYcn6IPIUyIr7?;jb?Hv4&`mi~Ak0!qZ(iAwKh2OLRdwSC3 zECK9kEPnt45w%AMJmArVNF;~42u_VIv9;h3H`JCQiIOFKQDHz63@mwc2t=48xaCab zVX`{pgcgVC`(&nY@pHU!p(G)R2x8n++=8cW@~@o&C5URBa9-hdyood)If!%OUOsby zlY@CG(WrD#N%N3X#!#E~E~4xdh&*{2+>j>-p-r#vP9LF4PIm6efxXk3k0wWoGYRA? zM|38zF3E@|db>#%egoH~#}B{#M6ebDk=|Bd8156BlZ_Zj?PeN<`YcZMIc24gBB3Fv zi2|XaeGR$x#^L%p59amtjAx$a7@6R8)RXNuu{7eSppzDwVm}g>uJe?4+#=GGmUi^G zty!u08=@wg$@0dO8&FZ7MNUGB{NkJBwCPqENl17`OBalT=zQ<^i#^f3)33uuZTeux zUT4GV$AlouIPGk$WSYX+~wYmEL2>$0~Z=hRdohk*qhhdPPI1KAAiSMFFWW^?l#*)zjlYu zuD6|=Yhi0cTjP_QH|^S`iosE5DTXsWChGSI`8asjN4qojADLOVq2VRUo)#QGpk>?adMwA-eHv_s%z;_TiNtX8MSFQ^MLY_2a zn%Bzdf5M*#-PkiVG`(f0r58MNg-bZWQyv;d_SyMaN&x-Er@Nk1u7(q@Cgx31!G*DnXK8v$ld(NYx#>i=)(r&k_E2``t<*-r0m=bt4 zet-^=J}qUpdv#;0GhRwMotvxBthZ#`lxglmEMsl1!OB8=i_+?3758LRvN~wKwH^Gt zy75s2FKYr!cTGK>T}hbi37^q$x>}RBMJc~v*{GPZG(5qVJ*(aBbxH1-x8m+h--cuK z!fw3AcXiuHq9%im8~J-p)D6BGcJ^!lb!M|A^MMQd*I8w#{V$xAK@+{RcpEi>_!84P zrme4AhBTRe^F0@rgES=y)ZvG$2(apA0C)13@vd#f+p5C~f( zO3JU@?Q?T1Jo9|Xw2z^=JG`Q=&T6TvkeV)P@BN!{pvA@G{*>NfFqjP0{@N@rsdEPX z(kRH$4(FEyZ#i@!Y$lIm2swn3g$k!64Wm9DNH!fTj8;n92x`49xm)VGNLbK`M`n#7 zA78FKQ7rXbU?M|AJUI%sTH6t1bdgif&0|W8^XaCrzn?IB9MgG^ zcYK+saunzwsxV6JXXZ4pf&)< zl7-|mzAKlT!f`GbRuwHOP`O`ibHPGKhl71{MB;O$WI~u@$NW&xZ2Yknp8TaE6XzE+ zGEPUh=9;F&r%(60QH;L%3_I3FoL}CZbEccVyO4QF3l3?$LRZXK9SRU3`NZkitK>+t z1i{;Vw+VMMtMC3H;t$<=YzB)I?#P^>z6E&$B)&LAbTarc=5V+R9^N z!z@}mB%8U;J9gjIC2$m7RJg*hco@1r*W6SqN?B&^)Vs>b)gGut@omkU!U{1dkx#p) z>buA8$Tu9jt(Cj`Yk_ZPK^4Ks0o^XJV6sO*U1IyVy zwWV+O95rT$HSmZj!YLXloQ7#mWSLSk2!-DAQs)&v@~B801k{t2J_2kr6E-UNxqCh~8Nq#i<4SUbT|o3+IIYDa z9m1^#q3~$erwqwpsKJzxaxDE{HDmjGL*H)EU@4K}p{IgE}#1fT!>w_Lohdk0> zk9wED4L{FF1yuTp5H0)CGI|GxFVv*UPe;kS3^g)aI|FWJHPcp?NMR52{7AN6vXt5R z;XUX6IM5E>Gacly2Lh^aEXoh}+jeJU?|ar0JJmY#7;%NaR)Kr?(Ap>{hQb^^h^;L4 z>uEvfI3=ZA7>+XebdW?@FLGSV*W0S{YSUGH?fLGUU;aY+(>@sF`KEFClI6nC45Uef zP=5TL2#@0cnPt$iaGgXj?e(N=4r=0eb{~BQc5ecG>rO+bYv8DLJSO==8Jzz zkg;eacOZA)ai)d(bIRSxiyGBrCrq67GBuvQspcP!)Gc3fr=5IqLjU^HCRW0`TZ_GC zb}>j0`p%Clg65f7U6iWr0Ft*^)#Q9=m00HBMVHa7qK#3bQja;I7;LXt=F?Hz_8v-(h^p<0@7-0Le*$<=hN z$uZ9H0q07N4APZ+L1TWGQ`o?FiF}x?R-)32HeZ{(>X7{Y(!Z%q6T0j0`I| z3`@F}r&-c}47}*!Z$)n1iZ4$<`PrjJ-$i`S^EP+~SnZvq`U*Lb*kM_A7S@`}h8*-|GZYbG`O_)aBX`)5mOdO*b%+yIZvfp?ho-vNVIOp}2z*(fj5;lRUu#4#mrWvZj)dc^NK@A;xDHPPMI#Qyj-P z43E3!)SooTAUk#9!9%0A&#(&f}S8?W%Sj&sB2LP#N0y{6pug$YWcY;_};*hC1{#ADM1E#(n9%kr~-NG#n{4A+gb3 z1*bZ$b2o0_dWyxT8@`jzGa~2VjT3p%4b>J8)T`K_(4c)So#htCJw7%m_qgovF$E|%C%c*YlD8ltYrYDEF8rcBnqCyHcbzou5q?7O2-cM(4D1R0v zib_)Uh+U(^tALqh1LVz!uOX*`#~9^$$T0+eRWUns)dUH8Bzk zq(AFWyxz1Z^H{NyB-yD*9pC-v=-RSUV5p&Yc}WdRP%I(nltV6pqc0P_7Z34a_N(3 zCn8B&<>R++xI-eHum-K>c%#2L#6EkQjg{V^s9zH-2&3mNGzSw(vpHG(jC$ZScCxx(x@PUq#zRCS@quE{r-h_-}l6vnP=wA z%tITGcP8(84+UbJ=Tt|M(PZTxnCT$)imtaS`yzFm~{mCpSQ) z5qjdkmjI`Sb2}U~(A4x{=djPus8NfDixLB5WDKok{D|K<9<huhkHZ=Y4pERC!2{;v4z})TqhLa zq^C3Y-j%`rIvW%R|GNQkdbm2B##{k8_QeN%QkxU<4Chn|w;)p>l)8uu`8;ZjzsPt_ zUpl5*59xJ)Fo#T*Nt5_u-{KE4eE(f~N?xdCQ$(V;-dkNWY5gckBZ}24U)q!ZrFnNSQ zxN$_bEmfew*eeTm=l?8ZZx!^mF>+Z0h~Uo{xpyRUg>r=3XmPIu;snx;zzOCjwG?O+ zstHGdv=31w4~hnr!%ZO98_d(c+0@UkK#noC1zl(U#oUO{WEGhwe7K_60&G3o$-Vz> zgAq|vT@-Yo`)##ziIM4rZ>l$pV-KnzIS2Wzrh>jA<#~{=CX*4e5L%Pib6be2=_H{k zY`*R(s~;U49uH~4RY;^N0(I#rrdbIUkf06|c3XagC2rm5?F?K^Fez}W(9iDn-${vv z6ADsIu=L_+sRu8&H7{1Fw?2}Cq+`SD*C4exaqHEFO~>OQPlzCw9VfRPpDK7HTp-D= zhje?B22~WdkuMUU%^@A_#3TtZ5m}2;b|G$NFk4PUAz|G`h|1>|i)Mze5fE@uBxTO^ zpU<)lLDx72X7i3>Jw7_8O*5_-M)dT1L;TEei^(8oOE~$2zpjFsXnYlXh+DNZFU~5| zlMG_<(%2GTp$alJDAZD%Lu}28{tDq~8$<;YSc{0Zf<9V^D`)kA^D~Dn)Z}vSJNev%^+j!h1N(P-7!g0ef zwAgZ7o=aJ#S=RMMOO7qYi@w!O_S+P8(oW(fjFVn3pY#pTSu_MtQ#amkl%j&eC0Wgo z{j@wRH*{0t(b)QXsX@>vNBKhwoS`^A^Xxc&y#1Cg}8K(kN z?Ldc#u3^_b zfG<-vr-OwGM-5!-FxhmTQiT7Ld>)XYz^SFq)u=ou;32`X?8e>dZe=^}V+S$X>gSYJ z)TQrr;-A8=U3GK*)K!;%hYn8msv@7-I}$a%OyqVvRXGZ;8FT zCa*gT+!%Vck^e_%6}WIU%$GTDn8hmd*y+VH;&zQT^Pz7UK2`a+5A(0iYF>5@Ud{^58unG>P@+NwC|B zJ3A=g%y;jCK4a(37|%b4D8!`%NG70{3-#dwm4B>q}fsx__M{a*H7doMU` zlfb>^%cgJVM(DVy(S?wJ5RvE$-WHW{3T(f(PxF7<2W1a;6_S(?Y>I+r6h8(Rte=Ax z1yQeVj&7KI>G+ho{rS~2ouKK764ezLe4Il}W<0N*OFtr3 z!4M+&)IK1o-WbPP9Gy{LV9NmcCK15T7}?)+lQKplVNS9T~a*e?&4= zwYZR*Ywg#l!iICGgxm!+?8{EDRWSoJ>BXKzH{N4Ig1tIK)8Ugnrbye|qNJCsu@fW; zT97H6kA!Swy+PR@}Rhy-T z)*S~j_WHzH2dHe=K(e=P_DG{Cm|MPE-s{h7=X)XLn)0DuKBcV6UJK%6=dkQ2B^!`P zb4a$==Ho9-`F@WdJNE4V9OVG6)ETT=mN4a#7+wj$E!iN0$TiofJ-hWuFJP+U^8KIG z2$r0qO;VT3H4z-dXuV1CC$*5pv2VNG_g}fKSg?uJ9p8Ih;w^!ug5+chbu?U1xYWwJ zd)wOb^y|j5GAcmY(1R$U(ioFTHT>%dRONd8&jYOa%~tz&C&B~RQs0s^RT%V-s-I}f zCUH`Bz9L`bg!~k6iP&I5AhJw3s(nECG=9+(Z`#8|k^sa{dCb}wf^Y+RVNh@Lub~&L z)9%~k{bWTLBK&Ag16kAY>I7N%s|UR~amf74AZJO>*M=a*WY!Pvw@W`W2rKYia}XyP zSB2Ez7Qc_q${U>gXn`S7+2DncK;mu}WLpfOz>V_8uSUaPO`~;lOpwbs)?3s(V~o&Z z0kra@F)z*{t7*s)Q^w{FNBEH8T{8$-{fr4@kqlzG!g8k(^$x1gDsSq!Yi#a(!IsD4 zFfhyC2E)WOhPxQJ=KqpofQhlme4-T7{)}KThFd+h^IrCbvl#+$l+zixVnBQyyG2vl z|1J*>D{QeOmLnooP^Ro)OzxY!amTXRUdN(5xb&cZRLH*(g+gtkMjv`Mq3bB7?m!e+wIE5& z9v_>Pr8C8sZ}!O`HCHpfw~xKOrJ^{zGftwSs4#IAzgLcK%g1{~?t=sIgBGEcW{{)* z;R!x^5^=xxH*VkjA8y~q!8s1pQ{UdUCnfIgGxWN_#);;Gd^PjH1bUYHM#P3Re6qffsPD zsN~E^^C|X4icuUCTp7bX#|`*^U)5Rc$@)b`XzY!_(+mf%;&E#UHUzY?YRO*Mt%P1GGnB$q6enTquiO$4^n2Ctw z`|IyDh27wXei<7~X$l>Wjz76-IT{@@J((V#6&)*C`C+BJ*ol16d4s~vSsynWt5BLV z{#7Wz6BBC$$Ti`n`Zl^8CW9Mnc7u*10k?Df{-cslF-nSxRfEu%7=ZVF#^e)fnlc1H z9F`cvSdQ0+24QB3J1{h9R&g;S6+T%8m0vydwJgXW5SXlq4NMLXKN@%{Izvm+qLm22 zCl(Zyeb>01Iu>~qAH!%kxnDWbK}vGy)j^p3_E`dMPDGy{Rbyns2gzy*GR-fWc1>-k zgo_0ZCB?;cMdikeZEZp|(S{TqVqVOArW?ybh;LUL3$emf_+!l3tu$w4zPOEz&a`X| zrdsj^)C1*Vrb$hGzU|yZku^gptBsOg>Jpp(J`*?ocP50X7Zn?xadVNIAR~lW_~zMr zBiSk51mnGK-3h*OqbPJp|5X#H&4ZyS1hds2&;uolCs!$AN`{FqQXxaomU0QBpOtx z>^u>f`nVa`J@@_Jp7&}&1JF&iq2*yxpz>wyNkBH_JZw0UpJL5tujC-s;~=oI*$(k- zHa|e2qRp;OXoYZXYw*h^vgoAsDcZ$@l%!*A92a@W*uBYO%{;mO1k?JX30FCLr-0DT z)Yi$tE5vN<8s_SDwd@yVe|7?|J#<*lCsUO}#MEq+EeFC0$2yo0Fa5kOBIo&}1!{bE z$l9^{^vhDga_q{d=FS?USC$(1ov0{^n~5V=?T>|3F+E zJB}&G+RR`u6oiWzt^U~m-mu?p6Y2jxDa+QoY5~F(I>6o57Wo_PI8(#Io;-l1{#N>U z(&2VJ$(STM``}7UY$^E|b^@i}e{FsHb3^YbXe=Um+EzZr*9(`)mec8}q4yW=Y=~UTBI9Z``pU z^;X@!b?H{|kB3sZ^1rO_$P{YOAH8y&Dd4RR=t@iInv{10b*JC)hj~y83XxnJFvO$g5^Hs>j6>Vuwz}JnqrYAW0D%m5+^+Z`T9{w( z;9Sj5GIxd&$<9*H-cojCH%Onw@)AdY9=!I}C*S7lafZ_!4$pZ8&B~5VC0RwEvv|v* z;%1@=-Oswx?=wc;t;&2k_I;8NbK#1DaGkrzGEKuto>5(cFfC8cN{|SZqRXzrOZz?s)Ow>8p(1t_!Y_(O0Q+;`2Pd=RS(CvzaF)!8HQc z0!nnxB89HXTH<*Qyhs%Ncp*3A=N?l(zhz*^Wzw(|7F+0206#GBwq95y{P<+ z?VPUU{zL%-Wj1N7jysHjVy^XSprk&UJfT$tu1BRL-keMT#P*imEXPt_En6jT?Q<2a zUIUbfBo4*?bu{l{L+zkr^s80jVtH4SA4EmK~)InigG&p=a7BvBJz=fnQIY)*Sbj+?6h*)BIBN) zm}Jv3b#R8*eS)&HelEAZL1<5ldL1_7 zD*)xVq*!DdLFn2kqRVVi4E{UCB{!gSS<5G6`+O%Ux0uZaWC{63mB!?@t{V>4271;8 zP$>4jT1@IJjRt!$q=Sz}P zqG|FLu-vvA|9`}__?Y|hHP)+UWpx{k588f=^#rV?#g5mRD0R)JpC{vCiiE;38}kFy zCgy@Yo!mAj4hm7uOD-(=ZKX2#2G%j)0e%25$*n# z&|Pr0BL;41aek8QF@%24S{vG!dAX~?zr91qYWL&vZ2H!mXj>~tS85FonLZu>F;pvH z)l9++ltE?vMtC0KvLudJ9ZL{lFUf|2$5dIbHIECeT=uXuYF7SH=jeBcadvd9dxy%Y zTL`NKtB+1;bi~-(IgqgtG33`;Djs1{{DJ&X@_hS?pSUMG~ElR{^?RV73Kb< zH(5|dq-jiqOEZVE_FWME-h3b(tNSUNCMl-sf+c1!jk-SQ*KOIOaXf#b1plG2-mea< zIK;5xkwleo7f+qw=3o3i&J#4CV}NSA=BGNh0SVXnu|#Qf-!p=h>4_ENBPwCG@QePh zgTzsF0g7Z>SD|VY%qsm*V$`Sid``3X&aH4r9Qc#69++DH$h1CTi zC@43l=joBTlpdEJ-M`dBTViyNP;^M`U5hdluX=s98oQy3uWvkf3fX8h+!mv#`>3Q; zU1d#(XYAU3QS?^0hhZT>-ADt+Hss^$uV}@&;Fzn|1N5lv{OIFeM~dQ=2QtF#F3_q@ z4Bvpjd0H2aAX85VdP0~5&r8Y=`h_NlN#<(?A0~B0$4hEWl=evkJmXhMcJY!91K5>N zg*KW(MMisJPf(KA)KMyBkHz!uE8G737N-|q1dV+7%kFa2&R(n7xIK$kURk21X%q!> ztOH{fhhhY@(x|@Mx$Mq8&9#qRSA;CvqH?uvahNpx68T!KdvyBdJH4ng^sMcK@M~6W zti~P>!-THTxfZ>&J5fURrR2jef_-&z19e^tF$jE>)=-OjzxUFhm=^ks;2?<$fp8rH zmHH|!wCpMgzb4vM=-_;oME6X)VoE^OuW^je5K>oYLCd)57CXz!ZThc~T0|_xTw^)Sj=QkGvc*fi$$4jp!+I)y{7|FSWcXqb%J#JvHmnAZF zX@_hmsBa*6t7}ZPjotvEkK>^e#yIxr?r4+ft!?^`Vdtl+m1312**FN6LEGe!L;FxW z#W=p0QkMmx0KPAJmB+T?U7fdCZa&grrc#=y^$xRto^|oH%((3Z*V&_spKm-!4CMc! z3WJA8A1FT0)+}*)&apP#ltG0O|7s{%&uPQlU$_6Z9PtZzl{295^~(Th>yLFiM~5@w z`wSmnZs&A(lI(tdL?)Am5 z@V?4FE*d*=jcA|sadv~M#J|Dlc2ZSuDTF`8-x(jE;Lzph_|ZRjMgNH<6-||aa!Sj! z`X#N7SMx$Y8{xej4_wM<;ABrN#qLtc%{DRHRXhXj!e+#8JDNXn-RK29-cqHt`8X-f z1>vj$KOqauXQORSn+uJsCf@d#^2DAM&=GMkH^XtfIm}45XdU0~ali?2$2(l_icxW2 zRqcz;0bQ+rRE4jCevx>SB-lUC;Kblvsfsnr*+8S&10P)TA>--z@hcc$L=ptc_){hL9Y zLnN;2)(0bP^MPU(JnfJlMS@0tV(u8wXaS_gNd01e>WMm7FV6;aJfW)LAdsC#Z~?ProXz=CtD@FwaB@x_GMj{8kGL?-%02 z>y-wyA%3HeymN{_Q)Q^-eED+YL9Ew6fBn+SN;|~buD#W1hxf(}vaM^-Y~fRPC?@N` zOvLS**ei>xQ^urOg2uOO1#iErvayv)=hD7CG_NSN|4c(4t%!)I!# zp+%q+M9~LCM4Jp#6n5flD@btfVq8BriP|MZz-z&c_XrE>vPa36Cn=^tJ@U3y;$o$$ zyu2wFJ&_An9_-^5xaj(~xd{&(V38^B;Zwp^bhgM`z4|B&#$ZGM|Ds_b_BWqEY6PM!5jt>Bk3Ow^{*WmQN=%r|i`Uekx=>+DeayXzM> z$V_D4;5_r+zgsj1Fosl}m4=;&pGeX$4*4<#cGZ9;$?s{kDPBcCG)ZQ?qVlO|u^l!N|k{d!d9 zy*MfHG}1o<5eaVt{~dgd7~=oW+u2Im&W=`(L|=FDI0aEyJ)#Nkzs;dY>fv{ej}Bb^z4^L6G)y1JO2nbWCy6~mD&54b|W{^Xp> zx+Lz)+g_wi6w+(+jX0SPJ(r&!!!-czh^v=gaGR&sj2b+l<-k_cCHT2_ zzKlf3WFWse`=5o$VZg3pvJ`1_8ZqYQ+b^PCt6XqCQ%dJI756yc%+)e|r4{%=`|HV( zcOyhTI9&ECn&ECqG@y}wkUtu|HePmZ#?LwNUX_IH`{no3cMyO%WU=tbPxUF7W1#z3hP!#B@F4=Rql5_!b2j-obbqu^7p!IVeR_*80)C-c90w zi-nB%w(*}(9H~u8z6-3Ba?2x6(7W%bQy5Q%S)YBx5nZZSPCzeVlS3I99KEYXqS6~9 zxV^LAR}m7bYx~V+1Ksjq6V<9=v2)tl`aRxtD17gic=y)ZVI3#S0fxJghjDk;&|Mj7 zH*D9AN{|8I)EyWj)+;{Vl!&O1aLZDT@N-}OdpK2<(NU#VonKYoanAW*>|Wc{q1Ix` z1#XMdmK48z{N;LXaO@pisqv|R7sXfrf;(``a1b-`2lp0xO2D`I1!!H~b8 z>*7I(NXtgV52%e=FL~RT_wcNw$3%&V+S88>$alj?_C%|DgCwO-Gt-J=Z~9WsRS(`y z+Hm-zCI)~CiOZEIjkYP$deG`FfK+thSEZn5{`9FQto5wYvNI@?3?JvA%7+?G9*$KF zqOTG)k)(Ze6E5mH`i)Ow+V#HJ{`$;3k}8UKTfCCHf!3w9HokwZZxlyx)2zfRQFZy3 zevzKc7pu$gdJ9R1eK?%ogiP?8DSGfxx(c`Pti*8sln4A0yvxnCpeOHuE3NWj%lNT& zf&UKvA2BX=0%9xxPY6YeUzj(Jim)8q0N}c8Dw)IK1-$f^wqRbugTfaELWgEd3q4`6 z2G8@RgU4A-&R;Qn>Tn>L=NK26g`>Rl0FJ-oAdw7-7khwE&l;SWKK zdXvi=mTQDE1N|>>NgW0IqZdiHO*i6CWe)8gj0L^2*b1j(7oI40pu2upAkE>;kjwHe=sJ*?ygVY}^`rtv@s-UYz3dXAMjy zPxkY&?fo6Sq_u0XY+>^ut3YqNH%yWz7Ejs&p0~C%3}J@p@JVNW_%6q3*oG)SZ{WsU zg_|@u^rd{47xCLRhHhSs0?09*OgTTS3AA;z^kC& z++5Wux19@v<&AWrGa>uJb_2+gHLFg6bY+z4axoWd-%9Au-dmUcUf}D?6GnNcoWWwm z(+t^9#F%%NVV023cx_MXY*s!0m>@PPU`XpwT>W<3J$xpJRY@Mr#F41z{+p((x>jx_ z2YTiASchN!F+TBX=;(-Oj-5iGi|=0{*~|J+P6!?ZT<~F%vgIX4#o3-vqqS|X=|4kA zjr%8DWa09JE=6v_ zibPw1aYZi?uL5iPOc56UHijaR^Eb#4!QrNgt3}C%>{B+qO9yo}lVu)EG)1k$zFhoX2je zMLQtiT*!3RKivB~t#m%}ZmV6#EF$>)2Xp)0>OiK+{7AZB=cLjgvPArHcQ}AO_>@iv z2d)?D9ExT=F??+9wMGIypwE7$f~!;NVs%L zfsP$6xM85|7#r$jGfO4Le0ys@e%g1Rq)`5D#An|Z10G+zPI5UVgM6L2FEclP6<4V` zzAxe&!)w~Kjy~Xjw$x*TKZ(zh%mKfj;Gi^nBbi?84hOPOPIXf=+Vk^}RxnXWit2kU zYi$Ke61r1HExJ+V?RC4H9{pd9W+n*xlkq!FK;)dXi=Sntsb7j8w5@hoWc&vwp2R2w zN847ugbVC?s>QlLvo?4{)iEuhaBf2_GT^5F5EcA$_u}((?%4MBtCmr+(FV~cZO7Y< zsZn#YC-vjQR>~@GbJrMNpr*x}2iwg&1`p4l1!>p|kP|HYR6#gBP~A!2zsQKHSEoJt zel_|EZ?g5qXJ6y4Tlq(4k5X7s-Rif@yU%ss)oR<6jK|PgfrEr*BIeRFW8G1hIreR2 z!uyo-S0#Rc!Z_e5taEDP-OTi#r19MH-}e@-Oih$HY^s+`w*+1@6f{G#F7za>YfaUd z_cjk()d%$XjN`hRx|CR!3coNsHw}3~?SKewWmPE*#>Z?vsXg2xLJ#|ZW}G=!8)nAG z{inT-E;rbp>Q#l?mW-3oS-k?INg^8W@q5OdJ1ywIMg9^YM;`rW*OQVIkWmqrp}u@{ zG2Z7?0XwqLNHy&Qcmi&8LaFAE!GH^7 zgeR&yjMX8V*DZQEcw6J!%-2}_my+B8nZ^iMQYt?UD-~Og?FrKtVXE|H8^# z{*;re0m()yi()r!wCMO_<})FS8&6A63lfHACF-D$VBVxaq;Gg^s$>{@JtDaAJ71Dl ze)Yjf1Ip=Mk_Q+}uL9Jmic~r-`AqAP$=jkY1PRgkf9*UqS1PJxy60|{v1GmAT50hk zxlhijDk)-59#Yx#8uNSX4dQtofxLSi=g1$9{pw zyFaghAWUSvI}6*+LDjVbS;k2YJ3e>5s01wx8X8ogU+nw&#S zFCYHmrfO+47ISJv{NwB3d;tCj@VVxcp5ut(Q1gr{zfgtiQOE1>yo&4`{iC``*m{wD z$P)B$rjk9bs!nku7fgdIEiUNWqY3{anUOyaY4ZGjX!T3Bog=O$PwLHdBI)OXJ58Uqz{G*V~P1hEe_9e%xLg3u?Nc$TW%Z!|o&^z|P_ z1$1q(H$ZICY7E}d0`MT*>XlpjZ1CKN2UJ|tY5uZkUS3YKa4JOGOgCw8S6B>GfaFqlVnZ z-Nr$|6<`oMoFlxrO}R1#URsiC7kEjd3l%onE;1A0pAM*OaE7Xz_0+uciu>O{^{{QX zgg~y?INatw>Koo7F52>&r22x9Rid%QaUdszi>nF0^FD(}dfXm_59f$rQ4IY8B3Egl zw6K8#61$JjcN891cR@bljPvl7Lz3`P8G98W_zyd5JI2Ix9mHAg%2eT$ zKGyWPpnbm-`2nxvbIrc^gHwI{UWIj+ykj3LSj<|1v!iN9PZk_c+nb}WjmJX$LxvB8 z0n+x+&wKw@lKY75r>X#^CF8s`Pwxwyo)5V8k*ECP1)2U~k zrBx`LLMh*ds7fY-&oSJzAW~WDM75^+QqSe%cDL+_-*OAGZirdtPiGIet$Hq+k>j(ekmTLU-QHy^ zDZUPM;Hr#l+N`>5d8?msmEm8F6+TU*Oh+=K?aYH7cr&WGAJ5}JPNJcgrm5A5e2=FP z#!FmG0rkc?B4X1wU3I&(`O(MR)J{Y`#Kyp zwmDYuJNCcf4xf=Pcc3qrEs775%6EsU{V4dbB)7mE_W6ifE-~11Wk%b)Gx&m`uS@ay z$k}$mX0*bBAUgNr6aCtVrJ4ay7Jr%PnkPI%wY^VP118q&obahoj!3HQXLk14kJr+@ z6%Q_$e$b;8Ed>`YD0}kC?lq*Me3<7UPM)Dh3@OD}&!KoZt9al|@0m1|Js>F$!xSXeA5zss{WV|^>bOLRwo55@6E|@E;OxN zZB_%(>_e5=FkC5IbW3LWWqbvGXLdhc=MX%>hZQb{I8GO=VUQX3Nt#|$h#Stk`+okV zZu8DNt+!=N6Uyk(VGxu=gkP~KhxW5l7lcv+jl%Uq?R!;ankQGms;X+!A?y2HxU*iF z;R2t#uF~YfPm(8>gQ*^{l{mdCP0Nw?`92!bRQUmy*Q20!s@6)k%ExWzc}R_HyGZC7 zG$%LL=3`U6@iTjI+Sle$;8-RUZ7#I4Hu8@3eXXualRh{XDIQkPZ>Ws&v)I&q6l`%l zPn?RjS)k7SXHeU{I|K8J*LsLBLk5iXuft@reyX^x1aG~&O162GtW)PZGM!5!^ffB@ zEaF3kwhoy3$cW89MiwP(UyMZ#hzPS zyOJBC^E6RCf_>(BqmNn_6I`-u*iA0aY+g8`Jf`x^e}@@~=NvqEA`bUSF-bq4)CI93 zzKZKA!dJ{4*^CN5)@`^ZZf|>v)l4dns8k3vk@MMx6e*Vg{kBxbQ2*9AFn;<^!L2jUJapLML*Dg<-`&$piC{Ae2Vucu7d za}=_kiHIXJuO)xx$$nItO2cPkV>42~O|9B~4`vc`&GF2vOkd6l-&G!zE%}lU1YJ-| zTaKQ1{+Rl9))N|s`hfjQI${=&wTC5~=H_`ywVic;3|;FUNxyeFpDKD%<>6^$#g#K7 zry#h)4Y`mL&k@NpN8SyFkXMgcXiaHn^h0z=LR{xsZp@lDIDU|IZu)N zu-FXahpUk@^`+sd)mwiGPJ2Kse{ zdoi!&c7mzHZJQTemu%G@gSeet*6j6fSNAp;NRXNrGlOWpa_XGPA|nt(3&i*#3nkT@ znpu~^LphI~x#5w_v2o%oVsjeLP_uhRuauUSqp8LE1>nT}!;*gj7T7uPC}7cGWC5zA zScG-{E<)}={_d_o_xVwHQtstahgsUSiPqQ=(-Zd>dU+t7qSMY}+~h)&s!j1r$o}RV zo$L2YFR6S*DsG}AIIWe?(^Pyq;a#@uev|Tz3HY;Hb`=S}Bodo$b@Ptb4DoA}M?W?x z&D3HB=J4bS`3FBxKRICZF}U6-Yw^s7hB@CKwjtDD|GIQSNXJJ=?e!b+`n}argkD+Y zg+tLT5uH4^((nb1aiT^P7ZK|MaBu(aK@J2sK-Vrb2t^@vO72{_4V-}^uYYz23y;5n zzwGZv{RPLsR~JRqB>$_QMWlc4-%aq2@JX*LZ@Xd#9A8ODv+*hq8+iWd}67hw;4G=6=3Q=}v99`PRlm4hw?_eN{ZN8rm?w?JL5kOYUGyttf;=6tQ~ z;(tDGjhn#T3jkq>-5)?m?RG)ML_>fNFNeUoBsqWOUp$C)A*6nf;PT%Q^q6E?Sillx zZw}esPtO1J|DL4({UqPtC%wMyzB7g;uBIEiPI~SA4`qX+XRm`50BocP3x-t(-0aqK z+)eFvG+~J$(&UlH+*_=6!upcqZ&OoI zYmYB|GYN&YC)g|1KM6c||4_H}N=t5bOAqg9c@l<2L!gF1oNbE<$RYz3Lcel+4zOkK z%D-ZmxH+!^SdKgV_ddT4evw$fc?*}Aw|F!0X201g!@lAoF*@iC@26v@l-Z;E3YRaL zDe9FNYTE9g6-9A)tlvQU2L=v)d`Q=blu-Wi`qdymO^?wrSqI4oraxLT3-taka5eZJ^Pa?w6`Ke*hP<-7d}ICO}72x)Y~u<#`C z43h#p+g-e{Hw)Bhr9vYVi)84egap%H*6Vs<<)JUE%weQ?>8ckKug>@veFqY(Py!?u zF725Y^%_}1%-ua?3^ss%Y9yIZL3p+ak(1a(te-wu`jCrOYn53@4J<#J9Qey?kW%w1 z;Ky%_c$yyrf4zj_#j(qZ1Voye-8fA9jutT&N)48H9SDQEbx5!bSovKbg6s?R8lLt* zKd6q-AacNKoxL0`Pn6 z#ihvdqwwhdIKu2sT3&EBC`EPYGw!kdU15kYM!8^H!3c*Qzc;7FZj&t@6QUtN&dWqS zg|*+;iE^HzpipS5%i%aM>twqTA;U+ za&V9D#$?;wL!mK0o71ziWhRZcjGqOGcZZ(x9Z&Uyg-OZ0brg@+lTu2PGH*9@0B{R6B!!{* zM5DozJm|}QZk`4`d*mlIkJJz-ywt$UBt|Xbh8xcV2V~%VfT97Tb+XtOi6IRHt?jAk z>Ei%1`U>d8izHgZmVq==YU^lT&3|%EQ6oVYN774OPHNFi~S6lL`U+ z0@_WY&TqIx4c2RW&JybHfi~T?fb0RVHbtkV0aE$X^b!;?2Cz+FndfySF`Xg5`~=L^ z&)=Q$!u6-xy}xYltf)~91HuR08uP11zkXrcBbSZ=wu$hvGS1!4uM_VcZpC+NgGR}K z;k|#h)dNdSYz{a*CJGg36O@%+((t3fiNGbeluWsS>q&@G{Am$yM1hdmgP||EcIIir z66bHnu7o7fiFd~X=}@9n*DslFcA*0!CGhw6w;xGW?DC-#Fs1~gGSnf022V1L^-=*v zz(}{ApEc;WyDZ12QzS=IbmI6TlNgZ5qublt1Nt5zg?Gj7$Azj2Z-AD_@Z9j6nM$i3 zxfZwC7(j)1n+wh*l*Dvi9n{DhETui+S~QuxKK5|P!iF*imT zVEY|XM3`+4O{FiIJ?2&8zY8T}47sQw@B|ox1ty$gXq;etGyY#I-w?+uaSK{S=ZTifSTrFF$;Njo!2&-a9o4+o)=>SxAmoX6*&z7 z!xs`a$&-k4B*2jI9hd=kIXCU)w-Jt}v8YGn56XX9=?cD(3pwV+z3W-A+#`-FHCB>M9CXxIK zxUQ8GRUn{N@!DP0pz;76>{74Y^o!KMnXXfE3P`!sTDFQG|=3Z=x+awCtS=*x8Gq1?SLh@;0M z4gie2U=BIf&oj)sk8-E;p$(*kC_*%GiQbx2zo@PRk|uT`d9#}z`h)P<8?Y({T!)DkT=Z9Tb?kmuw=_riF*r5|W}brw1R zX~@(RCXhB#t}mQ&qmdU^26cJJfk7Hv%A0PkNT;=X>n^VY>lCfA+JPQx*w*X7NMU5y zo7J@y==NuHH_jAmY9 z!4@`UX`BuSVMv;Uf{Xy106nVxA_lz3H3nIwu%_&q*AJ_FZ&BeT>Slv18uX6ORR|KV zKT-=ycG|GPew9lOJ2pqxI$C1{Sxg~g77lpXMY4!2_Hl`NM##7iuaGV=Sz6n^y@(fV zL@-{(5kQ@YW5LnRBU~_77*fHd1j}x|CQB?mm)GJ_?#;Gr=Cont;^N}fW`W#DU>Vq$ zs=1#Vkl)3_TkgjS~iOAWpH(4D%(gDGwq$4Hkt%qe@Tl|3+R3<#ch{L>zU2F7*eE6ZUF@koL~S9B?8 zCEnu`H5#X$&J{nz+|&T_>?z&ivfIi*t9K%Da$3R_%%fC+B&MsdD#PmI%}vmEeh>s8 zN=8-8Sa#wCTke9i0qx8UJs4O6?t6yHPsOg4M>Gv&?3R9s`=nV6L)$+wauhi37%90n;WTVAErO5_WQYSE;+K zAQg1AVqjaH?DJSr3ef4LfW#@_=We-_ZvNMYLHg0%3xMR>Yw=?o6(_3kmbTaS13smt z@82n;i-iDRQJc?ty433EhYuzNx30O(hMPUK^5&#(nad>QMr&~ zkd5Qnle7G8H5d30Q7|jJrvNr)iZ}RhNIVc7ziwjV-9*BHG6RR?150MTac%MRRec^d ze_RG){P;mY!;~s$Cb6@tCA`a5LVqo&DU}!o%_C6}ek*412!H{pJF7&WM;{~tN|?Cp z70?BK5iBviT(A@%0FUen+*_W1c6a%mGc2Jmk`POAEakt&l+L4_0PsyhwtG62v{#qw1`Ab59d0<6wJ7HC^GMA9urtEN{t&W_yIA$K?tsDVGH3#RwBBs6;*v!F<|3^R z3P4kdl?{%=IO4Sj3I#|-lkifN#00u9J|Q8Y5kPDWFR3)H=Ky_EFNM0>*swRy?>mPC z1hi3xgGD3>FV6NofLS0AoQlGmPjt3^9c&O{L7j}>^^xcY4<1lLf`0zk-Nn_;9+}MK&sG?#uGos!{}T_exS_bE3Zbm&bC|ti~fIHeRWt=UG(lS zbl1?`gP?Ru4lOl=h=fuSqBMda-JK#x4k(BUh=O!CqI7qMNO#^n-|yb%x%d7j;GA=2 zpS@SS>wVXX)q}$shKdb%1`PS{q;{YOA#@*oimpYr!-}|d2?)cuQ_twF(K%#R(lrAF zUxj2f^u;%IuLq7=I<)-IWrykpPHIxFa!DH*^W_{tj0Va`12}LWu~r??Dg@ZtEcv=u zqW~Wn3IGw8I?DLxi;Q&Uk9WYJ)DlRO=IA%=2D@7r=)HgTYbt>Zoe>_4vfVA9nq!I*VIi05lAh*N68EIr0lkISNfj zhO53s<<)}C6bpjo=&LD*}GuGH~CU7g9xw(tFfhZ zur0jR(7q&kats~~{tZ#LUgIpW{6^PD>4A-S?Yy8R<;~T32R(FZGD?{2Xz1!bidNK~ z%x$HcZHysH+LPc>sTuiSLi^9KhRA@6BMmKW_MW`IIWn&)q*kMZ=|oqfo@_YWA=6gM zKgK^AVljt*y16{vjVV^zoo`aBd_KzlG2ALX0Xc9HDf9Y(m6H>zKSx#x%xX}X=EMPW z41&vccT@ILEziK*rhz&yXQ5RM^d3xAVT;Q1WUg|ar#7hiw1b{>_HwGiih%Z+KUfzU zsU3dU#Rb*EtJt@|Yq+VV>9m*P2I@)~{Yj^@{!k$%pdCh#*v@V>hmCe^qHK9d$bq7* z($Z2Z6EY3#hWcSE+g|DcdV*sj?3dXOa+gvh2ZF880nM{$xfb+b;qE&FJ|SS5M06!) zg=*lF)`v0QH+`mrqU6kr9JDG*gU6l$nBQc37R1^}oUkc6Nf*|s3KW+gIhPzlG55-V zzhdKkp{HKv2#NMn_9S**R@cbl?fIss{1Be~ycfr1^Ol#p3ZISjp2AZZkq{Z>USFx~%7LSm09j3M~6{A9yPBH?ac=nty zf(_gVT1(ToeJbAPaKSQrRxjYrPfK2sFr6ij58`Zr)GY~aF2RV}P=41p&el~}>w6+;l?H(nw#(HNH49$d8L&>2@I?2rD8Oy~c5 zpFH$^j;w4Q2H@4M++^}l;*aa^s9lFe;kRcG+q{G@3fKTCSXAlUQO)@OK@k)MCLk7N z9@0M*G4))QBQPp36>xvJ3K0d3B^%eLvYIHGUY;*HPsp zEx5bebW1(G%w3TR*F(IB(d2RZ`vYJHDdJUJ65tu#7?N(6P?Y5kwUpO?FCI5q_R0xg zq-N>-S+nwnnsb#`g8(4c#_3FG5${M-K@YKixUTEEU~Z;DgHW_n11?@aiy$WvA@uIf z!{{(}HnQ_4++?KSy8D5JMW*(jDgWgt@xa_Ip`FTsKQlhAUj}kgzl$q&pP}IzL9ENCtI2dxC%A! zw+=B<7CBf%AIO|Z!9-cuI1z(55g5bP0uDg?q6-KUa2n7N$J4Bhk|$uG?_H9jI-lb^ zz-@(#@kSVZ;WgL%S*rxzIE`AA3w+lq@UFRtD9$l z(qP>9cs+np+88OOL{IqvDXQh=$-ku!FYW*{+X;{b#o;8|zVx7h0i@w)Lk&Dc61z%! z!{qm8lsvjA>EMt*Pf^YT^J|u{oNC{3au;4~z?`FxK~AV}!O&%7x&B zuSf}cVpL;(V(s69(NVp0@KH=kV(=OW_!QMaq{07$&g)%`7q^yz0AdgrK43$YyF-9u z>?RoaCHw5|M%eW1tho(T9SUb4qo4=|MmOemi06_MM#X0Yo5b#Q0!6R(pk6QyvO_Zf zm}8gSIoW;L+Hg*8Zjc}1&3<`)2ttsi5wGnDA#xs&q1^}FV0pfiH8wU@d+)PDq0rE) z#7Ly-%FT6TKQp`(%#b8-KzZ}VAi_fP0hWNU_!Mw)2UuhF-~YOkfH`1P!`{Pip>Ae; z9bQ!Z$zJa#6U4DY#Yq}tJ-I!2?C~d(u1j0#+4Y?Fc<2pVUjOD?SlnqQl9)j}^4$U0 zCXw%U!3@2acb8zMP)so*fmyZ{z%VY?7oLfcpF&%QhV=39dl10?ENpDhN-2vT7lTnw zppYSOTX7P^X}dY}k=@kg>dci*XmI+2gW=%cf@p{5l=#@A)*$$>2``;4w~pw3fRv}^ zH)a*4xRbPhcu47{WKafwvi0Ku{F7X-ewNH@eH)b{J%HFMW=tpYp?6^%5jt5miM>|! zU*r|euYe$^=xR2x%?&AHRFjSSgk`a2tU0(7LHYA9PJMm7;2X)i2Epk&N*Va?^-#1WDHL|I_2`DD!{?6?EB;veEYSGmV0LgT}7yCj6 z>D6gZMMchWSJD{xRp5YH>MNh`RaG>9S&Yh_+zquF{rr$U6A{q+mJgQ#zc&(@RRPHy zdkVHJ1;_gxO3w2W6I)zPRpG@M^Ab!gbmU@pH3RXz112v5r*p@<9&yFiw~{ z=6Fn4q8*DOK_Q+dA!K2$3)Q_h2q&+Syo>YsP)SLnx^GE z)f6BvBO}93<323P^Zw3TzDM_xT=Qt*e-$#wk||Bx$y1O6V!%$22Y*cP1Z3@~)0j4~ zU+66Js&j)VkbLNz@*pOj!wP!Ah13MlZ?m>lxlYq>cSkLSBCI2Jm~>n^-!K}9?fi6x z-~ir?txWMFWw|WI)!njhvE1+950yTak1bRy98OwGHVy^3>~D|SKeC_`D)26%>4SBx z2+Q`6U*<6>5JHu#$Ri(&o_40qFpV|Elegl4U6Gy@!Y7*dFVXJjiO`J9pi{SnMR z|KH~@{`IJ>>rQNys5nL9!*iQ0H29$a`6piWit@E+2WA7n;{Pu;K6g)&-*4!Ffa-tQ zbr$5=Dcn>spq{gQfj@Wc>g>Tay0*aL*iZ$k7G5hed9eUZ>9!WM&zvBJ5Oi}e7R2Xs z1ztdW=sg9rf4D#9EY2%=_b_64|D2=noWJ|~IJ&Ih3$Wz+??m^=g8^7G&;SO9Z+vJ1 z0ixosw7a`K87#-Az@na0U~oO^`JWmIvyw7MgxOv#uad{>sp%P0M88&@)g0b2^M|y3 z7#@6RMeg)p6w=I!<&lu5vo5k!P|h|(z)UoZ#_-ghr!pi;{D)bGpmaInV* zgXK`*<+au`?=|jw_?xGQDMZGiymL?l1q!TyQ? z@|%c-K&=@oHd#STgP%adYSB8iVMRv>w7V>ZksP4&%AjDe z*WbeIz*bzgsI-We9;ioY&l;ujT!UYn&eOTZU8{Kyi-I2pd}u(xN_P^z%xKSENDsLn zpn!nb=Hxt&vRni1Mk`K~^1@F9;sxQ+`hHqC>%gGFZ{H$bQvSbTn>=4ApwhhG5`BHJ zk|OZ5aiv(NmW81-34a59Vs%`fo6|K6=+mK&v)?Eo@GEe?VMBJIsmSEshNc)!>e~la zu4Xmni`^N4{P^vraPQA4{9P#_R?sGp+E`9RESFa-ll2pdZA-fRE!56S;G|YeHZ~J} z$vET7ohJg_rzXhR`tU<&Av!(q33%!aZ1>o>0mKVwrn;O(#6lV<*e2p}>Ve*yC7jf! z=_FuT@Y%@(P>F@o**@n7&sMQ2|DemFdFa^3N9kHqNp#khBakYbFvt`qk+7MAy9J9A zx;fHrmBvXekb(aEK6_pza?h~H+jT87J+K8`nz6;(SSS&J2-6q7c6!K;By1LiP-Wmz zMyj$FaZ=BY>dfBsrlJ9(=)f^V3+{wN$2$RA=y!B%myQC9ECShZPG75ehz|5Qk;)V? z+{wm!ybbih%fHegkP^T)m9D9)%k{arlG62D>WaXJ$AXo$#Mu^ym_k~@9db+ot5rc0 z>XCfy0!U-!dt(Rwjam5V>=alykrg40O-vfWD8db8Nd01vzUtd$8>kSPBeHAl zN*5>+$Z_#9%@mL)6?Cz1fW-vJeZcX^J&87~6?Il4R9>-;L6MFu69q-9LH3HI4TeX@4(5;@h6xj3UD5)9ud(1E(%D2fFiF zgG`VfTkKj=Byc~`!s(p*RREPVL?rx2+jvpD+khKhLDC_%e{7bFh~G271m}{>^}raPr3YNiz)o+$Bz0|JfS;19ed*g=&y-CkfEXSOwQq) z%d!5f726AQ3&*&R;T56Wx4#^GtxT%5TeXJs)_UY^;uG;XBbx;fEe6>X?J3S+ccV*- z)2Kmh3w~Jb;-_7c)_r$`_>b-7vlkO}8|yl8h(_FA`(d7 zMjfUq9P9wB&}oo;)?x`&1uU7?ZX8h`ua$eSitv1=*LCmr>2P)(=Dc0j+4}nOTkK9pq+;V`^B!;1>6+tfVM9}a{l_CZS z8HQ}@+sjM7;3msf`0(G0mjo{!B&~uw`(fpTDk@(dzzu4S1Pacsr@gMO&MA5IZ>sR* zWMr;r&IeZa{_4ZMiNo%xsS0^|f+V0YwOq0=y;}+i&R&o@dh1_B3Suk+Cbi|vGM_I> zy*vL!FY-zU9=|O|k%3B|2%vZ_`ZcJnj?_B+5?LQ`$&B#@N_Me>nOvk5U-(LU?@>^b z;LCRT4Y^PEg`fS7)U>;2xvVcAoAWOih>;dI<_f$I5AMF75bGqF&#r#8NUx4Op!&n} zofXs=F@UP`R(P|_*AGI3=>muYF&B>SO|78PT&$tN;HB^yl*ZzBCxdgrAEDx<*dwci zB1O3{h|;az?JZFJa>1@76fgue{P{VQV3coRzoE;x(nT!1nmGKn_cz@5E2P(uH>A1J zw4p*O)}-iPHMbb#HG+1&9`K#2`D{jT7E zT|X9x>M##G32PHKhb{t4PBn^xD-v?uPc^K<)}PbQQsGmdkwLdx0qN3Y~+M9>MOHWFsQ56kKh^E;**e`vFe%e%B<-%d&#De>S=| zbqRR{5N%_``)jL?GPS3)zo*68f_n(VJdo4{w$^-FOyb1XJV%rUpX{X{9>983GE+Cz zb9rUI(myUow(pX!)>-i+>hu~V8V{h-D`vL|!#lBH2-f=Nqo2zXSmbv)>!f?!+tuL& z?|#Xbx=hv|5G58Q%LXy5?<{ssf;z%?mSQX%xED%&BY#`}?SsW#w*WQ$d?LhFMR5Q* zK@oX;cd8gA^Lzl2u9v`vUkbYp@rufsa z3?YmRO1%EGy9_KAJj;q!sKosRIHxEzK^T!CqD}M_YQTmV`x!h-RWhoQe0RP+qARq< z>ZP*Qv$c)KpB&9;5_aSe*3+u#B6FB&$NYO29gZW8db&28{#ST0W)h1{RwBYSI%V#t z1(ivBzk|4wo7QAw(Uf+p@WGSR`-R?6Y(naKFEFi^TV_( z-CXPO;%vQFx05?fOiI2aZA-*+pG*oqk6HU1UT8~B-nYE1xo(=Nd(q-H)8L6)Dq>z) zDj_G)Z4N&w4@a28BNw4nVc)(w2kBF3M#Z-MJf0rRFQ`oKtmx@t5y)vEqfpEsHMzgP zc#S*a@B|k-dW~kfWoU%=;{1nN|2LmS`c(d>&|}llaffiAnv>J5)0j1QLP2;TpdE4` zTs-G)hn6egV<-`ZX-BL{25icJl1O?`E|UlZ z`?}BwJZV(uaC`z%}*(P4uJs z^3gh*Fo~N6Po`lr;@c>RXIlS<3y?uU7{&?HWs&VTQn}50@$q|-^>~r{Q?nWu>=fA< zply397tjJWVj}lT`Z$)2P_u5tAQUj+o^@+teVq#Sa-PFas`z9V^gxXL&*S_%Fi6;palJ%E(C)nGRbi^iK_7_et_uUUataZPY00c{39Qj;r``J-dt(YZuIK@H5 zLBl?)1y_`cjt2i&djUx!nmR$r#fppCuo$Pin>pwz(_9%)mKPEtTd4a!%tUNUIiBDp zrfwZ?qt7)3-H;tDVEiZllf^KA^W;BDXr!NifDrUJQsC5nPjm?-WqW-Pd7J`j6$x_Y z1Jfvh-n7Dge-8to-LyRa{1Nz@mUG9ur9ttF;#8Lo4`rXh4`}*$m=gzg3OX84yNJQh z@x(wiPaNSd8;UfO3!p1)GXvSH?+5iHXhBhRUb0H);?86(u6to$OObAF`zid;<@S%? z(ar>J$y8-)p;%_9f>zchL5vACTARnKPZeT@W7Ypt7HIRxO(v^?t#9$Bi2-r+$E zc5}_aN@x4yQlQL>F}f~@i39#K9F@o5{f-BlI86re@=g@CU!NLXjKb^C4m}WqvD!i1 zC<#V?`A~?6#L~%ObnsD82&}}U@i+Hi+UYg=XkdMv4=Q}QwR|>bVbhzgvA`t%j7Yyw zJ!%nC&2p*2b)q5Qon*}C=N-?}rCo7!vZaD@FquMWCw{)*E6w~Xg_{ZWv&0cGHY|=W zZ{uNo{M|+`JO&VD&)Gj{p5jKs?nKMQUk8v!gH2*_^dU*oYmpya*17kut{}vmhu=(? zRAl`+ME-|u#M@`uq5gOsS;dDP*Oi$@Y6U*pf)%%T6;AvOfm)ll{ycDu%@#7bREhx;dFEc|5mF}iDLQE5!Iu7mn zEe*PG{=O?t&F9Pjl7Bk>)v<|u})eYPV^H23>01|Ra1JsbbiYQ}Y)+_tQb6+JPpRCW+ai7Jy* zNyxELP}`;#pi`MPqKF{_#HMbz_6k()+aVWC!w$>(QwL;P$)_peUaO~>R5Y~W@^ z@g099%7h$y&FcM5skL7+SnSU{gBz_lkNha*E#v|W9lC#Y(~Enhl-|b|RJF%jk*T}} zme+3bW_7MqA*v^oLc_<`J|v-@%W2iFf1g&om?w(x%4tsfce7_KN|-tB)b_OI0DP4m z&r}8zukWg-@$pHInf>Ig_+iONWO(zmwa|85r3%pG544S8_=O*nPhz}9Yci>NQn-{T z4mrKa51^iWBW+<3>*U|qAih8Ub;#t_SY6pmQ<^K$MW1NjUl=J#S-O-col_`_Zzz}W z?iT>KlxXx@e(usQCLieEoSw0tDGUB|o+IfOi)lZV_q)RCwasb@(D~o0%(OS9t75PN zI>InjM6u4)^OG!2YCG5zX$ryp17nAjEwPP`e*2%_9!(AOXuvnf+WE%s6{MudQuiIH zzKwp^!E^eH`fF^K@CS-$B{dR@rvuF1uld_nzq}i8OynT>Cv%S^>-y-NQvX(zVk@dh+PHzu?HkYk_V{tH|G9=3!nUyI~7mLYXad(r&$e0YCh(2tE| z%OHoJ!LV~CfI9z0vD=bS)n;k_HAVxD8Ys=Z{%leO{pmCjC1R($JTyu;;p-v*ehd<8 z{G!spH2q4oz{t~eb>w%qXT#koF_kiAzrCYL%I*8rxP0|v(c*@P{qsYfm3~tQrZ1_` zL_rq<#SPPCmTf`#MF_QeN=`}q4P@%7D$x9OF9}iZcS!Qp{3o@17II$hpR4(K+>9y{CH z!+$c9D6f6ZsPwT15jXzh)DkKno9IKJzG0*|S7UOOPq0OGc%Fy%CY2-iMDm=WZe#?< zDwC5xRs#*Hp4dB2>*cYc_MZNrIzL#UdHMxplM)Y|jj>x4X@vS6yd(9VxpaD_T2>U8r7j`rXcOnkVOD_Gv7mR|(Yixflz{Si$cME0deW6M&-e=nb9lx^CjV&#$;}Vz*d$VdsQY3I%uKzPXkO9MJS8Bo?uK zdW6a$Bj`nLPt;S!jPb)P=9_#4zT=~Il?t{GK9nHM@ERj$O}(sl+!Cx~ zVKVKR*`OE4T>BK39;4A_RU9a(;;ip8r zb+6N|BfsbUV`J3J%*;z4%K&2ya2s(pl)eM7n-vbn17PqvQP@w+l7hdhtgx+^?*(2l z;PsuaT=Rk2c^+tMefn{SiD^OZ7cpqCMQIR=u9Y7RbN>!~P2o<&aG$ouedPw!KrU4X zs7LMJaX$$QCZoHPWZzXcskVJK7WEa1rn%nL;(sV_XpjS>$wC&GPP2_s z);tLoA5W#RcJP|tl|B7t^;>v*qJl=?X#*Ku^e-M~<$KaqPSeKiH)lN@Sq)^2H8>%m zR=X{;wD+x`Q(jdn3m4h!l-7~0=u@(K=Up3e9fc=H7pvkZ1A6M9)KPh{3gbqz-)^tu zIK_0MA3Oc{_F~a3tHxJ#o5JShDC3u^Qq@N2x!{BY9?&P7{a^ZIF_V!OK@WqzB=Q6> z1ATIgGb<2Uj9fehOmzATekZ`x?GU6jC9CjBDpVvky3e?qUGAyhbM5NtitqL6RVS$V z0D>yllb?>`rE!46XbtjP`{6?3sh=-n03)PrdfK#Gp-?MhZ)=pVFH4FNAkK}{SLFYLc*X)oG%$b>)z3WS_z8qNw z5NpL99LwKcag<)pUJo|uzSK$=RBSh|cCnnP^V049Q|-De=(eI>A8^YI*e#YQ!3Cu+ zHYno;ORnJf?Jm&#%f(_^PjT?I0%@v%0S1YAR!6)Z$#pHtA!LnKs2jUtjP3Pz*wU^q z$#!d2m`J&Q1`F71A;74$2XBkt-Oi82DM2A=2rk%OdTLJhzj7Ma#_MP=URIbStSUDk zr#`_nu+>7u6pF*oy?8~x7so7Onj?q5Q|HL|@h@GTT;G4?G{rZjQ>{hI_OoxcT3F#q zE;;bXbBpvZcZmz|a}!>UaZ2}fEe?&Eo`xbSUv9r~CS{cJH`e+k+`g?y9c_gOJaex8SC$-Tk}usOp78iW?mCW(xinw$FZ?#y>W<{jpt3;`#WNaL*pq{568uT)rojz3nHC^rr4@S)tM%HwSNbt`IOa`TI5CF^ zDQpMOd|mez6xm?e(w?o+RD8+;Be(vmy;Nw96QIJNsemd*O4om%{Ytxb>)+kV->q^S z*Qs9+wI6`6$osbgdajWFl{cCov9`9BPfP*-gXA2-{HR#@fSTa_oMEvo-I2#e2%F#L z4+_?^D+eORLEUb}jO1r}O*$Mz091Rt!>pbpgPnzQL{`T=IKuY+&MM6}jQM~og&Udk zj#ft#my#z|6wxt{?nQRYS%+(rAr$Lm0O65qO!W%yGDzC!SkS2*tGocF5i@?ELObPL zJ#iiNosRk;ztFQQd3NhZ`47mCHdZ1P{lcSd%jT=OU%mD@OndeE0ropKYh=TFsyAc& z*CogS@$Yy4Wkx#~jD$B55{5NKF?^DxCcq5RwfIpV&K?9gf2EC=n%JHX09^7qO&1|r z5R1ez%hID+RRTvxr=S4Lu9?Pf{M`m${KW(-Rz9dJPgFVQ0-G!>DJ|VPI{I*i<{k2A zXO;nAgj52efEAQ}U&3kw&ET4;abMnAwMFDyodP@;7HncsiiIyWyB~V3Sw$X8>WD=j8rF8Wea?O6hK;4|WhOG2gBIeLz9= z%Ji8>`NOyE`H`H|zv4)tiHO?4 z`EIYpz9Z`S925|}&-PI1V}^h}-uGTi^D6d3Sfg&(lY`C6ig$9OYQrB!ni>H)tvdcY zm(VQB^<_>@j@1^d5-?Z+$&Gu=bz<7UjfmZ}g^r+2E(>rnSDlGUejsVv;LitesiWtW zrf8~JJl~IYmiu)fOLWAD?QeXdZV3WFnosI5w0W}Po^t>zTU^Mb0MkM^sRPul%7rXP z_h+XlB457ak!F4Sq!FaNUtd;!Z_25P6PqC`N78~Quc8lO$I^3OMXv}-=mr;& z=Bm_0?8y6_iB5SqhZOiGEcIsvM2DT}GRu%p*UUB@LrUrD1ty0kSC;*pmKERt4on;ig zT<^_b7&f!ZGs_@oiVZIuAB@A87PnkEvrOL+XNdbN5$9@S{Uzb2MJX5|8~;x>WZKIa zWR#ZG7rPH_erI79gvY8hm=NcWXcW1YnKVILB2o|g`E_6G4+y+LAl}v?IXm;W|I(B$ zuZ?B`CMveu+V7}}&0#isUoy9~o}h7o`MmO%9E|e;P+on`uG!4fP-TK z-`D?;uq04z%#=}%`IIWn1;5?{;>3F2OJ>k=s%3tay>!qMcycklQe9ju`=_cG%Y0EC zOiUv^4+VqT*%dDBhA@;{c;sww>f`Tn4(_$dY_wxB6ROcnPz17peX1IlP$(j9iqwXaJRTk8V3Y6Kl$ z#s%~m6sgQ)T+JB~S|2qsFP6SW-l1~fsEf?s^z^vP#Q*54x~nU@7jB)75P^!>v3Bl# zs>dRBO82Kp_Ku$>h~NFkzFZ&z|9QTH$eHmFB^&tZ=s5VNx~JeVoap>l526LJU$^dj z*!$axr*Oo3A^z%zG-Zpn!QgJ|_=u2y2Y}Lr4Mb>rNIy@y`o$n?v4mK+J=9@gz zoTzeQIhWNgGYH_H@~i^hrv2el!b|RSsY%T9L#oJw57|u~B!8~!Vv3O!_uQ?UaTxEv z#wv)2rzv{o9^M+*lnzh=SaiE_>dWRXq@DH;c_JWuG*?^P~~_Xi`I%~cJcRrew`)Y%NUW4D03OMItbab9; z$U6`5_+pzYKeZfA;_fi3=It#xSML`WODAmkbb;-|El0z4E=R%is>VsXlmd95^uSFr zd-f>o-;=on7BQP1*}iuup%t_HZ!+51rv<@M;0fN%0T7n3&;6s0pXNd7;$2LN_v052 zi*zT-?HFE|s__)4Ix9mN77;8o0o&97Da9G_W6vXgT&1l_HA?6 z&B#rdZgfx~CK5%dQ>c#1bvNZ_{UtQ8wCUcpMBydTtsxfzD;_{s%WJEvT%ErM2loR& z-AK;X*4ApKwYAkm;PH1(w;7OiS?2&sppX;zV{TtxpS17m*Rwl7_ZR;`BZb0I$O*8} zcVryLzQUK+(1b20aDiDFS=oYEQ>}fZ)}KFrUIW>g6c<1Li`bf)*Qu_D2M4t~3kw4s zeSKQ7nc&+e6crUcucr*6M{`cJ1Kng(Iq6%Z)vc6ImgcwuL2Yt%nH{KFA&+sMD#k49`}QIXwB^)VoY)dFQj4ETuy7dK)FEE6FhnvHbD*{r?u{>03~ z!{ei>9~u#{PD)BDzwqy0Lt9Tzv68p9_e*#8!xqr1zzzV>CQ~yrSC@dwDR6srKJ2!? z)FC=&mL6D4(G8EnjuO|vzFr)Tsr075y1Ht09Q_wK#SxkyPQ2Om@kXwFZ^5VZ)$1^o?rpUN6`w( z=Odr~<5_+}VkjyqcIU|6w}UT9)Vt29AS`Wd#qa$gJcj}zYtY`_9)97G=7TOygF;jS z@cK|i>CI#Az^@P}hM|$QYLiU@27g-PDWv)7P)s9cplPz;fTn{|<>kie2`|KX)0b1Y zLM?rZm8sXnCYfXwrKzJ{^lI)cXP7W7H4gcf90JcoOwV8M$Q8VqxDV2MX^{L|&5VRv zHG%DvQdG3AZD+Us6)aiM+}s@4;2Rt8&fmX&X~t$26f9$c_tylppd_F;J!}cu8si~<6IRV0d zMk234p%zGL@|Ds)%~8q++*APWxlo)0V0v$19jIF=c1?b6XYU(9*$)NK(7bc8TfeRH z;_x_P{I`)2-izsK6EuB`haUTc45b}wa^t#^F?yzXC@74e@xoMu*gch4MI`TU{v zn|Z&}S>sv{UbN^Ipjl{v>qLbE<(XrgRUUZbXV<6mLeEFwhF^`zK?*2-sQLCz*v<82 z<}Z-X(a2vPQ3Az{C6)@n#e}Td@sMvk{*Dm~G+lkqcsF!^on$Dc1{ zjr8(Ydm-c!eiuiIr#rK*8v|@0Uj!2vf3@XFu_tz5v1=g7#2O$@iY;fe(GZfU0giBy zL6HR_YEs*DZOXqWW9&fZQ5?twi3L$$5u~ERszb_&F)$25G0hD9RkF^Oi1Bzbr{BS< z(^0ZhNR~DRa%CY4+dkSPx?TQ$rbjTl>L-^wDe*2(@RFK^#rfp-`k@~U3rlW=vyhOG z?L4T1a!&T_fV z=fJ3$oHKx_1?63(Zpzv(Uc9IQA6CJ~$Cn4vmhByYF7W)D29k#-=Roa?3GR?r=!x>R z@mSl|STNz^|NPi;U;m^&uFtg66p4nXbmgx_YhV3~CY8S;>xiamJKJ9t@;!NBoqAYu z3$ji@`vKOYjX}%=*^~5)U;Pdf^S-+c8acRgEkGhv{^s0`0}j-fQ4Yg}84QO9mACsO zWda)Fts zV9E4I`s*FrL!Ptn(&Bj;`lhS?w72?_R|%Sjn2AgzM6B?>Mm;28`||hzX~=vnHg;1L z&_*ok>FL2@Z0B#z*K^&#zp)QjdPMHsxw91<8jAJ9d4GRD%R0P&oq>sps&a%2E(gw= zzYTE6Jtw~dWczZ})zxX~!I^n64>zHppeW52v<#k<2!E=grl#AMecvm)+`7xHNes-} zywMDlPw6X%zYN1Z{-gf_A;=LvM^qKtg^<7J3zbo3`-f1sK43t zP;kIEp6#8#*%&X&mAWUUxZh5xYq2qa;^r&{z#*+j`0h|(YGZ%@OmO?-+S@BAHUX`3 zJGf`x`|2FRd)3X}`T+j5!P0KG}|MBpsK1Sgu2bqKXhZ|-BA988v1Wq0t1mI4Z zmNbVGubo<2ir;>H7yN|CPH!Lv8%Jw z=z+Sr_Z{$Shxr$gLqTU}-v8}oO+aUNCP}Q$?z3*aiUJr;wv=USXt`W&*(>mucL(W4 zB_^OU#nayfUdc1y?+v7-r7wPOY-~v1K)GnC-}6DqmGf$;sI|xzV$!PEH|At#pFa-{ zUQ`AQ{SFWa#JS|*hMZFqanS>L9JAk%-r+R>=d6Km;!X$(K^dfQYqtXN!bXh>VCC<( z5(=dE!%fcoNPHBbe)0e$>WQ~Yf0%a;fM4(Z4w~Om8D6f7VKndS<8WEDUMQ$KhsnTl zn6b4fg7|sJHo^Glr56w)#?^6b2oaV`T*+FyOM2If9PGCDaOSCeY^3D>;Q~N6APa(! zMyX7j1{e(YkE`gF+El2Mk7zhXHEuH(g!ZPjy-mREZDtm3OYw;^#sN+sHY6R(Y(D&< znEGNhe?TIl1`?o1PDwc|1UBvV+1c66$zLc~BTQgy7Fn2>{FZ^0UAucZN3G5$o(Sftj$;4E1dxhLt!_ikLSo?wQCv`ejNUY2Ls|nvC8~+xdp! zUXBO_PWxiqr7_(<}28=U6<@ z{RKiy$wX&T`8jjfp-B0AXdr$AjDrCq7I!a$ijM`uW!(_@VNd=S!Bs#jcffrvorH;@ zA8&qBZd5Z)`;Dz1a!pr#`t+&j=HhP|m0iwjZfvtC@G}c2ug`gd-UtzXa`O^kOMdnT zuYMQs)^{s_bqJSYl6-w&V{K&ke7tm4g-0h#eX0sXFF!Y@t9E(UtAWz>1}tszKhrmF zu2ggTCFH;x`cYk7Jq|75VPmsIzIjtWDUsXnReaaM*9n0Lo~#1fxfNLNo|Atg#Rg2= zI$7z~r+3}_!?tuplA7C$jQ38t10EfCIVh9jM@P>2&(`CGQU$3~z$~$!#Qe|L4|Ph6 zw6nsl;E#2@{OJZ%r6K39`7Cpv+tAe*Y6DF0^+p$$fmUCB3#9fmOM zFGpd&@)9>JeR0dN?zu0EqDKU?c7Y+q-Q}iV7$`Bw$$}Vl17ADqjK54{&i^KO{p7p7 zBqErt^6K`jRsMa5(akWJF9ZIQra~}#ms5$87JBM1dpP893eImV+U5}dZX{8d5`IP) zRe$on2~$#@vb0PS{TK>q=)34&)mG#E_ahDk+#yWGoR44CW}!yc>+|GKEXiMnjy9xF zzsDKkzWfirz=HO8SQW`{d_Pb{g9`-WVW|ajHEotxj}j0XO%SfC_bBb-2DWn((f{|I zL%>X+m4)A^KV`trXAtuO@@8W~?b4^#P+sri{yW#dHO zjv8E$16qBZiAO99OChwaG z!6jX4!DVTmw9Ac?nDcJSx&qBOS~(JAg8xld6@Wl0UDj9p5BP`;jsNMa*Z$REe`Za; z+$FzBl~eZip>xwUb%NXl{N`+#)DYNN>#q2)CZ@jSnlaEA!3rFJ>eV#UJ}K{i%(6ZU zF#?Uvdy8#~Or5))|9V?FqLx8ug#ZQ1{q@{{dkvOK0WylNcaG0&$Y;D5G=`_;7S z-b2Mj{LpM=auJ|)8AvQ5%gftyYqC*yHOyDWANlgAA1@j-B422{+!1MA0o^ea-`;tc zoG#_~Ada$Q%G_%<%%t*p#`RMWJ#*{kFdqG&A;SDkgn<^bN!8mq!9-o}&*t zt8c(Y+3yqS2Lqp(gZtOpZf{QIvm{+xX|J-DiEc6vH$3wc88_&6W~F_OKE0m4J@_Sn zUeO!iCE*}3KiQpkp8ISdD7l=XD<_oOpPpo_l4up^UhPj(8snJX(l6vV#{cGg^&PEr z>TMS%2|+3_pX}V+omZJSQpCOZLDz$7 zEL@Z@u;B}YwgnoF^sj)t*M8y~N@^acmCy-+^~Nx~=uv1aXatnIy~vetb$(a?T6Tov zpK?@Qetfh9o>yXgd4ZWx+5-=)uJBSjc`(cfM8Op`G-X*cF$}^sk>nDfu1k6`8PlDM zoUH%`#Fnypgdiru+`LNH=7ilt7Cl$1TL-t0=7=$Z>?C)4ju1~-&U6L|WkYAap(E%Sc6 zBC1VFhju*MYtCWK?5rM-KTS}Lqo-pg8eHIlzqYWSpGesJfnoZKS0ed3SDW?=qE%1a9 ziTvO}yk64ep4gNJe^i?Fnon1;#c}__Nm0ma$Lz3%1AaD^n}fNg<-#cG(i|!w1-@LM zRWMGKi1e#%`!&ftl86!*}3 zhAe0Wy=mZZdk8q)=U{h$DzKRI!fy34iFM>K>qpDqi3|aXEfVLCp89!4UoLvXudu`1 ziJ#2NUSVSs&w+HRz_3_<;)h)VK7&cQmC6vC=$~^br9??9YwO>PjVfL^*qx{I0nRr) zuYrWBJx?(tS+1zuZ>MJcy|t8msDTX9SWqIw8nAfnrz(ocDeHOYSB}IbgCje|!f+3n z-GF@F!zo%MItwi;~+{Iarwvm*wEJxmg0?YX^_k@|FN3g=)U3wle%6NYxwZGY~%z%%;SvmwDRny zkDhhF6si~|&2AHHI+ZpS>3wu$6$plT>5koDN2CQHH_epjZ@(~L6g&z;1V4OxHkOTg zaAdW2SE|hy&TJpqcsypxjg#wKcTSxXE)n;fXQX@acRv{95SLoI*d%ZR!to#}2+)*@ zw=ROW%H6dLT$T7aHXt#JqGV;_!=>6P&%$$FGksN6)`iBsE`592QC2f&>f9j4`!(iC z2xu6_uuITnOG`1oa_GEfHgMT`IP_)F(B$B$7b_|DIx1+Yhp*JRPidwO;nKdUmHQ3oKkX zm?Rj|b9j^r+G@pJ(gTxTC?8{z25gQE`6oMB>f0Z!OCiWPIpWHxl3jvTuJ5ZgG+HJ& z@=Eqx!)zE|-Dd|ZATO-WNI5bwu59I(Z{;x|TDUGuOh*uZSEjD;2swGdH`Coit?N)p zg24SDN@%kqB(QvN72}Pyyj?Q9jUoN4|G9`+ktsaqS;C^}*gS?PbT4AQ=A1f#X-*AF z%d$}WHMy-8{unABmvWMeS`YT@?az z3q;HK>;@o%dkr!dA&_fa^SejypZ)RFSGI7akAz;q1Lb(e9^=j@ii#28>#$Fe;C9V zPRb;49&2KPw+l7vIU>%tk6)!Rr-K-reiu6a%X5g;_7i!W7jr+s1IDjr9TX*Y*`8@a zshcQ^KbVIsz>n$a>PCp9Q!bXm-X`beRikK8k3yM=)R2Nr!8md%QjFvMqT7$d~!}$-iIZN4$XTp8RA2}R3H_QiITxq_<=bP zxX;F9KC6qD!}{xZOj@gsP8CRwd-l7Jag%&u>zC5liu*)-YnU4t3l!t!T13Bb7al-< zZP%V}f46yN2XVwm{V_g|weYGi3FngkuM}~bv3Fm;zG7029BeU2_X{2_^!W=KlDa%G z^eKj57|mP6chG={wm;CFI~x)H-cHdKC3c}X#o>e_I79zO_X3|l2bI(>ad`CP12-H8 zDrqkZ`x6{J@x672z~a2*bcq8}&yB6%1bKt0p^KqL2{D^)(k`axz_u>(GATU_=99%e<}k`C}Bs^14@gL3^_j-AU-M=Q)G?TCkU7fDO5f7n8a#BiWq7{ ztNk_)ui*E9{*WpN)nCqdq=F+fL6PVBfWx(viaN?^+k=Gec@RdS1>Rlg03jrWc2g`r zNN$k+)QJ>(eoW*j(o*@|Yckl6$J(>~UtDUlJqZa2vcn)w6}SV|h_V)rQpy+4p1tNX z*=V@^;{&@YYw^_tGqT;Uv9bTI-d_sM!4tNUed7bCtzC`n6({1?-uLv;89oomQHiiC z&g;(i9eak}2I!qIgTHsTeAx4n%5emTNp7i8gYLN^KEWDhYNhjm!-sj>2D~Hc0or-O z1ue+ym-ZCI0c%KP;MGd)5JTx6+&{C1@W_f&KrQ27c!L_&SCfa^3Sx{2UTzA_2i)<* zkk7`7iq2Raa1~u2Z0rVhn349i&Job_jCK0wGE)+iNkfK4xSsSoRNp=)*jk5cOB6_+ zh*}OSqFpsQTV%&*d|UXm-HYgAl)DWA~lK%N`p$5 zbPt1ci6S92sDw&4NDir_poDY?C@n2@AN>0LU48HS?|aw1tXV7;GxMBt_St90XU92~ z7!j2LC&zd>Uk3+U4$DWILFL0_=OZ%Up}8Nqnqb!O$WNCu3?}0>_DQK85^QlZtR;*b zOB^_pzyolUoO~%yI8+hx-R{l=@(ipH`!Z=(*L;Q_icZBK5Oo=eT{3>{5YjURFcg0E zvNo8?h-pIdLMNhft#0+b=F>8l)L@G&9;3c+^%vPdI86nu#utMB)cYVOS>#xm4BSqa z^ma-MFKWBuGTu79FT;vqn0DF2NMV;RQCOt;mMGI$BR|7bS;P=2$2Dz~FsWmL_W0s3 z7a)v?IAGg;nuSF2>Cz0o!V`j<K4Icf8h75G$VF+wL)Nox+4FkYEUy}J{NFz?2)~X-nhny zQR6%4vt0Gxl;$6U!*}zYYp><1i6_^9Jtf3=Oh==FzG_Jue1DdGZIu4Zq0G7W-FvYF zw%r)qvtaN&(REZ7_icZ*+w6`};#2>f&-&WB;Yz_Bt_Ai69S`%W#vewdwA+>Ovuk#c zvnz~mznb2w^*F97#!EeYCS*Ff?PezZd62B|S@ykAK3ta>zoAK7hZK*u-aAu|sRtUS zh0pE>jBcg|^PulUN_eh~hYsUW$UU|v7R>4*pA#JG%5euhR`G1FPmK9=t zEe&$8bVL*DZ3AJdWZZ1UCr6#oyJnXeZHTff34hADLw$7gtPruHmwqfFK?Svm>K}Pv z3N5l6E;P=uYOyQI{&_f<_9T@5kkgCNKDph5#J+lg2=o@g6%n|IIgcu0fH9Khh@kFG!%I~sq5Kg*+0H#(Eg=Z02?^dHJaip2YO;=FJJY)#E zd)uHGfedM@OIXtleGXIg@Y>x;dk|*)bDgQ|Cd$Zj!kt)5n4gz`lmQKPue1Q0FXWW4 z%3dFSbE}J?SZu9NYL0YJDt02n#t5`h7jwqMQrkd4cTg!td(?WvHCA-rsrTh@5P=KU zuDYZ+o@FYa@#sgF1_ncLA+`9K;2mnPPm`q6XMTpX&G&qn$$eJcSbAzTQfKnvb<&I^ zviT7~p~qOP693(Dq=m&u2Z7qB{*8ql0HqvK9Xs1x>s^^G(7tsHczzm1iG zX00h`VK*z^7VF`6us`HrzKaun`e0W@C_N;FvWF588eW{mXm?2O8sfiF{@Ej~m|?Lt z&2YGVMpW=oOe2)6yK41)*sJPZGUX^C7JWz3|;^B2?&f zPQ;{sMWF6@&ED_uxQbyYE+$FT%1FNiLDyKuLP&lT)FE5Z%tyl5kXacYABy^N8~bt` zHn5c@vv{x)rQ6S$lj05OikEa!7k$=k825|FdtcJHrW42xW6?GK{W2)kQ-m2Dz}|M zEM1#&O^#PoSN27Y@TZy!`31{^eNekI71_a1WHSg(*+%!V%6cUC_JYQ_8ehycrW`Os z7QCa(rfDnYI9bGUVeGClOGixZ;0}$G4-*pP8v21lxGsR zz2_x-C2CJqL=B=6N0K7FSLZaP(1OOq2Jh(*=;dCzDe3~N1sP}in7aQX=VJ}ndl~k8OHL)EIgDSBHpxT|hW7t>j0h;q}e(df@5( z^ybIh9%2irJiACU_p~<<1NsV)Rjo*On5vHqwO%#KU_*gl@X2IAb_ePu*81Z%)u%x0 zOrYb;x@F+pd;|>=g*6+nYF1-|9gtEhZ5kFV<*Y7`DQ&Bdf3KMHl^}^S%_@ z$k%TBz`;C0l|zGu!K+i950y*InxRI1n{B-6=*!LT<*^*s=90}ta%m9Y36^MgZty#Z zF6n#xvMuUqlBWku_1duWcAA9*hN6tJeIhS zMQnrr8q#Y#xa1vz?`V!FGJ5H%7D*5ebINhUz+NLR%R@$aCg7c6&SecbszJ6nQ`V?k zT|?&U4fRVWN1`LAV*!@k+p8jgyzxqVLQz)ve}=X`U*U2BvUzzyRv3f!=W6np;&RpIb~ZexA!4fzf^N~frLCWnnf7YEiCLCX_S8qGvt+D?Hk8F|n!Yzi%*8&Z z6?wJpe6!H2BM^qKn5+Nt%kiy^)zD0(cqNJudgaZTCm~B8_wM*rT0c8rbZsA6H7xe+ z6Uw_?p;qfD(*?pL(_4Ltr;3;t_M@c>WJj!?b#GQXbick`;h$CBIQJEgq$DTxBUKDFI=xz45I~@oa9SwSA`V zTFrt1InxY+0zuc^Gkw-({JDgKZ7Xa&f5cEnAzp(@do5|1?Y}}P?gSwtdsBRL5$F2Ap6k!+XkruA zJbRvt=a;%%nouN@2?Cv)JmN=h4uywT6H1K;ryUHlc>9mX*Z7b(mIb@vGSTd2VP@@g z!uAn8bp}*cvS^XrDZ%t_Ji9P6E>ZG~;0!`fT9y+b9jeQ^1aG&cFq|)CsJA>{ z4zf7?1g4TbC_L>Ga^!cs{=#roUS>~Xa_x}mb5lzXTU&4p+a;$fmS3uHi&3}d zMi(>MS)aXmp`5O^B#$L*m@H?Tklnl7_M@tKxI~=kvx5aLD=eBR9N+1}rNuXc<#b=# z%GJ{kziXgg+0d7DC}&ZFfl$fGfD4uR2XtkV84*eCjc9LC`so49i@{ux2Wbi)rRfCd z%J7MW?bew0H(pX~d>7EW{%%v=dV-UHY+0gRcD=7H%2M58)Hib`4li(e=$%t*Y!P)! zou1D^`i6iN{e#|&AWypPHs+^y(isd6KQooD4-6goZH(@LvMuTUNK|l%%N9X*#)%G! zE%HR=aC$l`m_cNt?Xf(}oC^u|9(|Swl)5}OjB1=r}~{CZk;uE={*4o)y@FL zrB=?zA7Ph2`zL1*o;dYRTPJqjTY<uhQt;TyB9@2naj`fSz@ zg?v1|1!o4Fd<+kV)Q3%<@QQCb52_cRR+(xqsUFBWH4PkOCZirVo}6@fNl4WyPT|wj zzk})ilzEVcwH{v35ZuQcPl@4zlvb~i#Sblhy3^PgHoIi19wXA=&>`85&iwh4TkuW; z!{989DePUn{j)by7>yz=)o(Y3XG{3lnveH}M6v?5<>ud~64tzMH9svnM7{R$_N$u7 zy@#1~>+@^-k>7f_4tDBwo-J#b7Nse@LV@#Mq-_^nr4jJ@k*r$vpS}QAj$1?8oeo<{ zQm2#O_p)^NP98KoRk^-jhYOGVSylXzwd$4#hu&Iqe-3UjJ1jew79&$tTIT^3~2TR zMiM4o$llbQ!HvV1I*piJA;^13PJ^JO-7zOg&M-BZEv9|Ckgw(kyP3CMECr=VxxCP* z%vm%8<45g-AM3nbX(rp|?kK-MDqWdm75weDg_;>iA^8~t}w&prCZq%&8K z*guI3+02V3ER6ztvqH!^4>}JW)lDS|d}crC;6!L+N2|4!TbcMtdcJ0FBP050wJ~GU zTi^uN#BxPK-SR#KZ&BDQuFa)bJ?ifVwmCMwHshZPjM*z}i!~n3POrN#@jF^ZV=UH| z*JmQTz&_cjlGw@M3YU0+hC{G*C$4ERboQrR7e|hYK%Mkghw^RtaFLddtYP%p(qMsN z#`j(BN$)xTqmzzx2C*0H4HGpjM^m-SpnX;DZC4&xrxyy3j23$|0MjSr;d*?X4eoiv zqruM#i_@;MXmV9St-P>ML;2O5Xx53X(7HP8iGrSst5j}(jrG>meBz$N*_RcanT^1t ze;`{1mo4Ds3&Lah)y4gNL0p!ylTh`AjV}u>=`tB|RtN@}&J( z9f_ZBWbt{ zzhTVk<&x}pPaW~fs5<#!Rx3Mb){;WEWaMFRaS`hUC-kZ)7Q?XeV>2Fk0ob*w*N;_eQxw#h>8`cV}>+)Gc@mrP(4M zyL0QrWi5!$M__Owk-IBn!A$P!tvS!epbEve)(Re3$+)%sj9K0=8V+bro$=jvIjUY( zmm7QiZu6>ehW`lq`a;1*S)aSwrbQbMvUDdd@O#vmX`CjHA`dzIfI#HmU0@gi)BpNk zHU#^oZq(LnS#h0YzvrdTyH*g1-Ry;H`c(=HBTw0tfe)2|=Q(s7GxQ)>NF+&y>_W*)Q75(hmA}^>bJi+n=X-c_-pM3Y+yZSEq)y>4<`h!qI%B`ijky-~)3z_ovWAWwWVltllzQ-w^Q zFRxjX;J87`W%DuN3p^*VO>bf>6)r=MsG)Ru+K#y|Dp@e@_-4tkCV(vC`%v>d?<8th zZCtM)Q3P$m@Z-sAc(ww<#8bhyN3+lMITZ%8xFniKKbb6ww+ss0gqAJ0IC6uU1(Gzq zB^EuOoe+JsY4EafFW>feIg4#M7fdZb>@!NeGs{9`9w^C*%w}^WONmb=q~EuGCJH_7 zcKA|C1-edlKQ1yX%vXG%>3i?TZL)k!G1bBzcw&yD<{!EPaBzjfRMk+Qq|cz^GxWHd z_}-%|x`nFboUiv^aU|s6FJbS&w$mQ;5pr?`#$tN2Ix{-UZGRJ^GXQok4}Y=@lq{uF zdQ<@dL#|8#zO(mL84p~!m1jb#7tYde&QfIPC?99>D#zo;8TTiBa%B=LEtUdtbiqpH zsI#!;S>&>x`s@=_U-$$qdkYuEETtao-r+`GO06#B`-L2zgWge6Is=>Nh9=f(w^_L%5eUe|^F_vp8D%UB+PaO!BBzJhsz*wl?F}G{6`G1j1-bjkvQh zg72>(pR3G85{1W[(x6a8Kj(S={1$nwWsT3GSX5e>C`kg1B{EQ?t7`4_{+2Uo3u zy4P$;zs<9gMi3(?Nd6d06y?y*`7agAe|_T7E^$|K*|KyGLu`sa9dTqgZ{hM;!q7hi z!Dc1mC-u-J*-Mtz_}GNJ*ZDfX=++!5o#$`ZBFvG#+0~hs$#pFJ;AnCw`uE7cFm&l) zK(&75>&@L8=!fksh3|e7@D~|7y}%S9w&ZIlFZ3(^Kfgq!p@hM;RBHae|Hk7G*ayhS zFTVBAPK`vO=9;nnAy|FXjsw1ove`WVOolIdq=IVHi;$acK& zz8CTz?{h_=VIg71iP#N5L+{^BAtCmon0^SH;%!i%rvNQ{(7_+RQ(c%}z3m2;QCMfv z(hrMsJvsZLL(+fw;x?q8RY_r(33<_ai3QKukvD%;12Bddkxe`K%KK>6LiXEF-qp~` zs1_`FlQhKuy#z{qICda_z}bpvc#K(z77!ossw1ZfDyMvm-B8lT;PAM$|4H_u3=-sS zD$eZ#5XE-bWNfv8V@sCL1Kbzzh8aR7ispUZ2!xJHfQ#=+^{e2Qjlbdwx^4am7>Cg{=2ifM@I}ovoNlYp5z+moF z0#M1{3(9zOd+2b+2!r9I2iVcFE1QlKZQetAn@F_PaUJD1TEu5aof9ZCsL7~0wa(be z`Y-MQv)dVVKjA5v05L!v`7{Sm7Hp(1&#Z8ZN=X?IfFzVeOd^;O7r7wzTbe#OSSiRf zH`)$xt0bP)>7-Fr@fMKs7%gJey$mLvkpYQNYrN^zbL+PTRnKvOs>=(DRGxu6$@!1? zps8kSIxhgML7NoCifu-8;T8@EggB(UqT>j_BG9YA#j+_d@@x|1QMe_8v4En5AfNDs zzdTdfBt{1S3eXK|fcHtGS)A@$Y&E>e0tf~+YMD46)1L7a>hIkqC1L@DdwtGVrx^mm zo8E%x8Ma|{(8*E?YMLQ}`*0g*M83?T73^gR=%Ydi4qwwHI2FzfHlYbMUoAEvV=^Uu zZ^4rT|3-;GNU|Gn%n;GURpr@mKF&HDYC7RB#?m4dCidY)3juOp&0~UK_#rUnw(D2> z%QjwIP+#8ltH#F{YT@3z3^3v4;Z0v&zA$4|egP@GM10W8>q_`E!5G@~u5vw8KWlzw zNL&>*aOI2-B>v(9Tyj%N+(<`!;qKkq5xjHlyLHYwUxkp#$vwik z1GoE&;e))x?ssN)5a=LfI6TxtBq7Qq>AHEhk!BRj+5Yd|{flkwmC#>}*n$2p3wQ4Y z^Y9tYPE z5dZ3e-=gucHgWM4!H~8p zz-RQk=8UtzN_Ee};uYiO9h-2aYA}a%qgWJN_&J+@GA=>&;R@AqTeFMtl!&xk56@?i zgf3A`+XKdk*#ufctR2Cbl*JSNYX=?z5Q(Ul#b%8W@s%&dTVgI*A_zAG(R8;*iibl& ziS7}ek=8@wFVeDHLD#bx;J=Bu&?hrm6m~^z@_Z4k-6^V-6w(ws1@f)&*%=w(|9hZw zK?0ESlAeuZOA*2*KS1%-mPr&~h9?hCyae!mnP2w*CRapGAC!L%BwSGKU$Rs>O^Ma8 zc1Hp5h4{hE#L+Pl@v_<$Sld(wS%MA^*30#t|b3 zoY~N2K)--;kPBrK8z5FKcI8~|uYD-{Yaf28&?~>*SpA=QLn)SL8jlih8iw`*YVr2_ zZ>^QbFZVV=oMV=!HY;zQ?|QXR@hor z#M_?}>lnu0&|&IZ4`g^+I{J3DP%I;EqC}D8I{)YxM9xvxCD+Bf6M5V3!Fi|`Zvn|i z7jrNb7}w(QC!0z?Q4#^7?7csojt0Q>9NypD)x~<5%~d_yU7NsgQlQx#7(X9EHbkxJ z%u{Rp-I#1CzAWc-Ecwwkfw?=^k_Pq}lx{Ur+{uo}HWl@KrHb-0wo@aDRLaNPZ{3jq z4Hr5?gFa9M7R&!ZNu^kB@DlWQfMe+-Y)|_JsvFu*-joi3;WIb4LH9rSNM`II!E*U} zCNS%&369Yyw3Gyr&1JR9PVw5{ZM}At>n$k&OI*iT<>ojgaD3zuo>{^;K?I0`Iz?8W zzM`YiEXIUQtw@;!P>1v{U)I%j^j&u>d8hyuKRH4ut}U++vO zR2Y3Dv*2?&J*?|!i^nzz38AmcItbu)*O9yKB=v z;-&wmFq$`j`q@pkGDWSAZk!8M1j~M){mg(o`O4ACE?87V0_5W<&DGze1Vc~Ksko1L zIJ@c&A3#1IV6Y)uy9K-fk_n~>05LP0dxLm5;mkpAWB}kSjrQ3!8R_{61-76>kvbAA zQF|XGPgV<**Yf)=AfW|Y+QTuZCNMQD)U!@vJ?L^cW>y0rC3*9paSe*L2zJ_Igtzb9 z*l>2%Cgrfqqh;(bD`ikp_YE)!^Ho)L&(6e7yEEd{<{Gd&V$UE=@>W~&r-yC^*ZW=M zw=Z9(M7cFUr#0z4Lu)pr4{-4G%EBEP4&7~gahQ@*g4!<6nRs0Xb=JS)HHbxf+5)J6 zh?P0D*;Eh6DqChwLYT_LT2qRYs2)#+${Itah0#T;V;(*NQabcMu287jVqWl~{ejw1 z$@y)a{wB~2;Ytb|yh?r>wZWDmgj*W|bsm`w(@ve$7s68@Z{~}4pz=&(uhg(nXry~F z8zG#`V=#w9mn+q;Iv^6tG?oq#W`ET4qgu^}a>@OUWj)*oukDkB?}=-{(u%{s0WdIDevDZg_(Z9pn)c8-`iT z_C#YIMSKzaE^R$OD4dJ6#y9hYzgrbT9u0rXH0s?r&np9_ICEI&+>j{JUdMYn&@o!~ zY!2AHO96%$MUyOomS-EP3G3NNZDtk5?e^MCQBr%|bK@A!et((F!LchM9ah1!7^9^a zi>nMF8K93Y7F9#Py(G1qjb$*yr>xiS?)uo-aAuIKr2nA@9&-`*3%}y%k?i+l?vtE* z>!8yHOTuC~jw8sbYI;MtJ`z3XBqb#CXx|Z?4{cXhBZ=$+geijB1ysq0yXq)-6ZG!& zyFMA1cF|H;9P{a@&dJi6X*D7Ug&xDu9CF)8XN9ec=SSo)?+a-N!74O)hWjzjp^n$f zg(aI!Q5#2MUl^IL%qV54P{37^(`pd*2#R6DP03G@JdrYMkT#kSV*F@&O zrxf#B2r1GFb7f6Nk=4|XqQe?W`ST7%zSD=pc^qRKBR8*%ym z(uYoeNb%pk=KrXoL=(LV2A(#gX!V%T={ynb$}4>*L4zHgYnr%_nq-k=pBN_Jm&kL! z!;wj1t(m$~>zvh%;=uQ}do{l?X(d0Px0SH9tT?}GXoe?q`>F*kmsNK~%!0wiVfhhJ z%(Lv1jZW?hdwq7rHLR-$UWKw~Az7QU7IA?aBBQAh^Y)Jx*-WZk6#AMK=xF63xC=NR61qV#4IG^n1SD`&tUx4G*h3?N%7EEMlY z_FAR3mk?((Vx=a;4KkkjQ;$@c$I0{g@)pyGcfBsv#UI8s&?8`u%F2C^)Cvc;oeeLd zCXF$A%g5}w<>QJDG>KmKPszxAta>Z=4oT1vyN4^8F0Yq;KvK$RHb1;5e@QS~KsmlW zO!hMQQ_wE>_!mdLdWtqg6-z?Md?d2xuzb_%cHLW3EBAUNmq@#2%q+!1`9)eg0*l#I z&MC(ah>x@c#mwy2h>qC!N&~y5(={VPm>0n_x?KSIO9EUd5Z*Mk z65i{x{MKx~PV8ekLi5OPBnczW$`aJ}z>}2NGLxieJgsnHCBObMhBIB){T|Cjkd~Q$ z(~=KTrQE}7wS5i@2F%D!jinKrEEq9Q&VzYYKM^!y#r5#Wgu>?2y%f>rabogFVjp#+ z?TB}(x$4pLP}!KZL1MTE!J=V6BvEWq{>Sx4+BL&W-N#!}3#rA2;wrf0DHl>DibMIx zk_r$1uPat2H6QU*`nqHUp3i4pT?}T0gn>Ttf3b@PG@2YxgXh+Wrj>nrr2yA_<#nS_ zXz)a}v{X^Pc-}t~+Tiv#0_t$CBvFyA+CxOzFS!^zq5u!94Mo z(~6k-z`f0h0(wlAd9N8cF?h!S!JZVWB(M8AP&~!fq%&sdU_h@@37XE7XHHdL$RDEb z9P}Iav_u|bV;?GG%)x+4C1hVMLz)U7vI1>_YrX{hY#Z4i)2_?PW-m(hV%{sxf1_rO zbdv%bj89u#lIpN#zS~;08>Ds(%&@$)WNhw*SdWV6$z5R%jLcMe|D}2IG*#l;b8qUm zkWWx&5p;+B32{AV_qw&6fOvW=v&zeBcQ>aSbVJ?WtHk#b%0kJ{%+B|JvsXMIAnRUC zJoL_?=2j?|I8?YP5wl8YmP01`B4~_2$p#S3r#BDMZdjmB{?sF_YJZ>iq~|CE?>1Jr z=6MZ45q>p+D*;lAY0UQ^6O6??EYIJ*vK}IOgBno}5v#hD{N`>PL0|KaLP7IoHk9QFZaXz3EI5QyEoUB;6Li=sHo7^o@|^Bp#P1ByeEb@QMA}w0 z2xy`^z&N0yQB~w<(6xE>qLk_%|f>3*Jrz@i(wElsE28 zBL8n3@$9LTv7nIv;=r3VpPv7Q3xDC^rNrO~B965Gk!PFoC!9KSRS5$MA(l+d0*(Kx zkG~p)wH|pvzPmOR)u&(-0+tlNlJ#Fau375OW__ULM^mN$hFUDhLAF7;YlN`G_M85x zv_!xUsee)co$mE7YIi|w?UU$iWz_zh_bkz?TVTWKEt2+VhB!kZG2485Ty)j;kko zGgCU7G#8P)tA?^4DQA;EbZ-NDlg0~~Dr~QdgB5Z&CAJg|>VOtCigwdLR`Dt3Atyw` zsSDp-#gEiIOky3(PK}PR*8Y>1sEQxy&c4VGx9bQdGS+N*HwO#ZKfY2HmHW1A-TQ8P zE>3v6O?iKDU$J`oNtbZlDbffvkHc1JU^uPs$@~-C_#NV)KAUQ5rDIseaqUbLk6pa1 zzGJtKFRw&k8RL}w6lS+1JsO)gvCmfSNEICF&Kx|05{hMwxWDcn>VLTR;&#h-ue}%w zRJpZCtK2BOYWybK=Ql%5$J(|Q)>HA;s9Y+Oz-9673`r8FJ}=1>u<+v{qui%gJYY~S zwEl2+cK11LvCCHp7U_o!o>QjyWx0JSub&K?;Sx3twm#do#$_P3hrlem7%jrz=;tph z?h0p6IXu!)cMm5(V}j$NsKgoHdNY$Hq5bjT{l#|KX`)ClVVOgBQm&IWo#ZfZBJA4d zuDN%^x+jGIKp3ZSMfoO~qWP|DS+VoxVeTwubQ{rdY?!79yv|#l2VorO#V?*F}(aY+FS@DsE6GGP$ zGcbfCTrQ^nCqr2fzfwmXl^$9N9^WJW>9!n2K=HY`gFRnqP@Nep#rK@b46_mCn*;mR zO1b=iRr-}N$~K-bf-y6Tv8pMvPuQdcS2`z;d2yso+uxvR2oj7ZCpM6E z*vME$1J%#fpMOh54=V9HXh~DK-SZ_K%yG@kGpRbi(3>15P=pNPlU0l@9X4@#h#bFf z8BB`+uYG8e-&w<@4NtbwCK=m2!A%8tO8neqpxnOw-?9kkf5s&WU9vFWlIBXSv%%@K7b`TNx)O zhfec-ne1REcxZ@ju?mLMz~Z^kpRzI@Ho%GGge1UJxmQZpuK&616QCG{awTA|?!C#ubI%Hm|9yqSKva|(5x^HHzb46XPVCkf9l*z!NAnfB3?gZlhbXfd4i1# z0MjmuHZV?#eQT$@O}7FOZVrgUWyzr%ja+}=RZ}%Rt-5=fw$u(xh9E7_5&VN?9uvcSYG7?40Nq`YCQYzDOYMZK&|Uauge$}O zHsy85qThPe(3mb4GVOK9>Za$YxNvs_)bee*()#;Rz!o~PB-426l7i-UO9D*|R>Sl= zfAZHhY#cLd1duwt@C*tLRcLE{S$IFX(v?NIS&pRlfa9vN^7SSZ--4xJX-6T{`R$bV zd1$h=3RVX~TI?U3jwYHvi+4#|3AywA{g7{QuR{(8tg83=KtmU=&I76ATesOnrPyljT~ EUl$_QPyhe` diff --git a/versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP6/README.md b/versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP6/README.md deleted file mode 100644 index edf52a6c..00000000 --- a/versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP6/README.md +++ /dev/null @@ -1,123 +0,0 @@ ---- -slug: /MEP-6-dmz-networks -title: MEP-6 -sidebar_position: 6 ---- - -# DMZ Networks - -## Reasoning - -To fulfill higher levels of security measures the standard metal-stack approach with a single firewall in front of a set of machines might be insufficient. -There are cases where two physically distinct firewalls in front of application workload are mandatory. In traditional network terms this is known as DMZ approach. - -For Kubernetes workloads it makes sense to use the front cluster for ingress, WAF purposes and as outgoing proxy. The clusters may be used for application workload. - -## DMZ network - -- Use a separate DMZ network prefix for every tenant -- This is used as intermediate network btw. private networks of a tenant and the internet -- For every partition a distinct DMZ firewall/cluster is needed for a tenant -- For Gardener orchestrated Kubernetes clusters this network must be a publicly reachable internet prefix because shoot clusters need a vpn service that is used for instrumentation from the seed cluster - this will be a requirement as long as the inverse vpn tunnel feature Konnectivity is not available to us. - -## Approach 1: DMZ with publicly reachable internet prefix - -![DMZ Internet](dmz-internet_public.svg) - -A DMZ network with publicly reachable internet prefix will look like this in the metal-api: - -```yaml ---- -description: DMZ-Network -destinationprefixes: - - 0.0.0.0/0 -id: dmz -labels: - network.metal-stack.io/default-external: "" -name: DMZ-Network -parentnetworkid: null -partitionid: "" -prefixes: - - 212.90.30.128/25 -privatesuper: false -projectid: "" -vrf: 104007 -vrfshared: false -nat: true -shared: false -underlay: false -``` - -### DMZ firewall - -The firewall of the DMZ will intersect its private network for attached machines, the DMZ network and the public internet. - -- The private network of the project needs to import - - the default route from the internet network - - the DMZ network -- The internet network must import the DMZ network -- The DMZ network provides the default route for tenant's clusters in a partition. It imports the default route from the internet network - -### Application Firewall - -The firewall of application workloads intersects its private network for attached machines and the DMZ network. - -This is currently supported by the metal-networker and needs no further changes! - -## Approach 2: DMZ with private IPs - -![DMZ Internet](dmz-internet_private.svg) - -A DMZ network with private IPs will look like this in the metal-api: - -```yaml ---- -description: DMZ-Network -destinationprefixes: - - 0.0.0.0/0 -id: dmz -labels: - network.metal-stack.io/default-external: "" -name: DMZ-Network -parentnetworkid: tenant-super-network-fra-equ01 -partitionid: fra-equ01 -prefixes: - - 10.90.30.128/25 -privatesuper: false -projectid: "" -vrf: 4711 -vrfshared: false -nat: true -shared: true # it's usable from multiple projects -underlay: false -``` - -### DMZ firewall - -The firewall of the DMZ will intersect its private network for attached machines, the DMZ network and the public internet. - -- The private network of the project needs to import - - the default route from the internet network - - the DMZ network -- The internet network must import the DMZ network (only locally, no-export) -- The DMZ network provides the default route for tenant's clusters in a partition. It imports the default route from the internet network - -### Application Firewall - -The firewall of application workloads intersects its private network for attached machines and the DMZ network. - -## Code Changes / Implications - -- `metal-networker` and `metal-ccm` assume that there is only one network providing the default-route -- `metal-networker` needs to - - import the default route from the internet network to the dmz network (DMZ Firewall) - - import the DMZ network to the internet network and adjusting NAT rules (DMZ Firewall) - - import destination prefixes of the DMZ network to the private primary network (DMZ Firewall, Application Firewall) - - import DMZ-IPs of the private primary network to the DMZ network (DMZ Firewall, Application Firewall) -- `metal-api`: destination prefixes of private networks need to be configurable (`allocateNetwork`) -- `gardener-extension-provider-metal`: needs to be able to delete DMZ clusters (but skip the network deletion part) -- the application firewall is not publicly reachable - for debugging purposes a hop over the DMZ firewall is needed - -## Decision - -We decided to follow the second approach with private DMZ networks. diff --git a/versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP6/dmz-internet_private.drawio b/versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP6/dmz-internet_private.drawio deleted file mode 100644 index 7b83bbfc..00000000 --- a/versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP6/dmz-internet_private.drawio +++ /dev/null @@ -1,178 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - \ No newline at end of file diff --git a/versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP6/dmz-internet_private.svg b/versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP6/dmz-internet_private.svg deleted file mode 100644 index f5e58204..00000000 --- a/versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP6/dmz-internet_private.svg +++ /dev/null @@ -1,3 +0,0 @@ -
Machine
Machine
Firewall DMZ
Firewall DMZ
DMZ VRF
DMZ VRF
Machine
Machine
Firewall A
Firewall A
Private VRF A
Private VRF A
10.0.0.2
10.90.30.129
/0 via Firewall A
10.0.0.2...
VRF A 10.0.0.1
VRF A 10.0.0.1
DMZ Network
10.90.30.128/25
DMZ Network...
Private Network
10.0.0.0/24
Private Network...
import /0
import /0
import 10.0.0.0/24
import 10.0.0.0/24 -
Machine
Machine
Firewall B
Firewall B
Private VRF B
Private VRF B
10.0.1.2
/0 via Firewall B
10.0.1.2...
VRF B 10.0.1.1
VRF B 10.0.1.1
Private Network
10.0.1.0/24
Private Network...
import /0
import /0
import 10.0.1.0/24
import 10.0.1.0/24 -
10.90.30.129 is reachable
/0 via Firewall DMZ
10.0.0.0/24 is reachable
10.0.1.0/24 is reachable
10.90.30.129 is reachable...
Internet
212.1.1.0/27
Internet...
SNAT to 212.1.1.1
SNAT to 212.1.1.1
Internet VRF
Internet VRF
import /0
import /0

import 10.0.0.0/24 no export
import 10.0.1.0/24 no export
import 10.90.30.128/25 no export
import 10.0.0.0/24 no exp...Viewer does not support full SVG 1.1 \ No newline at end of file diff --git a/versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP6/dmz-internet_public.drawio b/versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP6/dmz-internet_public.drawio deleted file mode 100644 index 544939e5..00000000 --- a/versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP6/dmz-internet_public.drawio +++ /dev/null @@ -1,184 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - \ No newline at end of file diff --git a/versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP6/dmz-internet_public.svg b/versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP6/dmz-internet_public.svg deleted file mode 100644 index 5e825081..00000000 --- a/versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP6/dmz-internet_public.svg +++ /dev/null @@ -1,3 +0,0 @@ -
Machine
Machine
Firewall DMZ
Firewall DMZ
DMZ VRF
DMZ VRF
Machine
Machine
Firewall A
Firewall A
Private VRF A
Private VRF A
10.0.0.2
212.1.2.3
/0 via Firewall A
10.0.0.2...
VRF A 10.0.0.1
VRF A 10.0.0.1
DMZ Network
212.1.2.0/27
DMZ Network...
Private Network
10.0.0.0/24
Private Network...
import /0
import /0
import 10.0.0.0/24
import 10.0.0.0/24 -
Machine
Machine
Firewall B
Firewall B
Private VRF B
Private VRF B
10.0.1.2
/0 via Firewall B
10.0.1.2...
VRF B 10.0.1.1
VRF B 10.0.1.1
Private Network
10.0.1.0/24
Private Network...
import /0
import /0
import 10.0.1.0/24
import 10.0.1.0/24 -
212.1.2.3 is reachable
/0 via Firewall DMZ
212.1.2.3 is reachable...
Internet
212.1.1.0/27 212.1.2.0/27
Internet...
SNAT to 212.1.1.1
SNAT to 212.1.1.1
Internet VRF
Internet VRF
import /0
import /0
import 212.1.2.0/27
import 10.0.0.0/24 no redistribute
import 10.0.1.0/24 no redistribute

import 212.1.2.0/27...
SNAT to
212.1.2.1
SNAT to...
SNAT to
212.1.2.2
SNAT to...Viewer does not support full SVG 1.1 \ No newline at end of file diff --git a/versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP8/README.md b/versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP8/README.md deleted file mode 100644 index 14748fae..00000000 --- a/versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP8/README.md +++ /dev/null @@ -1,503 +0,0 @@ ---- -slug: /MEP-7-configurable-filesystem-layout-for-machine-allocation -title: MEP-7 -sidebar_position: 7 ---- - -# Configurable Filesystem layout for Machine Allocation - -The current implementation uses a hard coded filesystem layout depending on the specified size and image. This is done in the metal-hammer. This worked well in the past because we had a small amount of sizes and images. But we reached a point where this is to restricted for all use cases we have to fulfill. It also forces us to modify the metal-hammer source code to support a new filesystem layout. - -This proposal tries to address this issue by introducing a filesystem layout struct in the metal-api which is then configurable per machine allocation. -The original behavior of automatic filesystem layout decision must still be present, because there must be no API change for existing API consumers. It should be a additional feature during machine allocation. - -## API and behavior - -The API will get a new endpoint `filesystemlayouts`to create/update/delete a set of available `filesystemlayouts`. - -### Constraints - -In order to keep the actual machine allocation api compatible, there must be no difference while allocating a machine. To achieve this every -`filesystemlayout` defines constraints which specifies for which combination of `sizes` and `images` this layout should be used by default. -The specified constraints over all `filesystemlayouts` therefore must be collision free, to be more specific, there must be exactly one layout outcome -for every possible combination of `sizes` and `images`. - -The `size` constraint must be a list of the exact size ids, the `image` constraint must be a map of os to semver compatible version constraint. For example: - -- `debian: ">= 10.20210101"` or `debian: "< 10.20210101"` - -The general form of a `image` constraint is a map from `os` to `versionconstraint` where: - -`os` must match the first part of the image without the version. -`versionconstraint` must be the comparator, a space and the version, or simply `*` to match all versions of this `os`. -The comparator must be one of: "=", "!=", ">", "<", ">=", "=>", "<=", "=<", "~", "~>", "^" - -It must also be possible to have a `filesystemlayout` in development or for other special purposes, which can be specified during the machine allocation. -To have such a layout, both constraints `sizes` and `images`must be empty list. - -### Reinstall - -The current reinstall implementation the metal-hammer detects during the installation on which disk the OS was installed and reports back to the metal-api the Report struct which has two properties `primarydisk` and `ospartition`. -Both fields are not required anymore because the logic is now shifted to the `filesystemlayout` definition. If `Disk.WipeOnReinstall` is set to true, this disk will be wiped, default is false and is preserved. - -### Handling of s2-xlarge machines - -These machines are a bit special compared to our `c1-*` machines because they have rotating hard disks for the mass storage purpose. -The downside is that the on board SATA-DOM has the same naming as the HDDs and can not be specified as the first /dev/sda disk because all HDDs are also /dev/sd\* disks. -Therefore we had a special SATA-DOM detection algorithm inside metal-hammer which simply checks for the smallest /dev/sd disk and took this to install the OS. - -This is not possible with the current approach, but we figured out that the SATA-DOM is always `/dev/sde`. So we can create a special `filesystemlayout` where the installations is made on this disk. - -### Possible Filesystemlayout hierarchies - -It is only possible to create a filesystem on top of a block device. The creation of a block device can be done on multiple ways, depending on the requirements regarding performance, space and redundancy of the filesystem. -It also depends on the disks available on the server. - -The current approach implements the following hierarchies: - -![filesystems](filesystems.png) - -### Implementation - -```go -// FilesystemLayout to be created on the given machine -type FilesystemLayout struct { - // ID unique layout identifier - ID string - // Description is human readable - Description string - // Filesystems to create on the server - Filesystems []Filesystem - // Disks to configure in the server with their partitions - Disks []Disk - // Raid if not empty, create raid arrays out of the individual disks, to place filesystems onto - Raid []Raid - // VolumeGroups to create - VolumeGroups []VolumeGroup - // LogicalVolumes to create on top of VolumeGroups - LogicalVolumes []LogicalVolume - // Constraints which must match to select this Layout - Constraints FilesystemLayoutConstraints -} - -type FilesystemLayoutConstraints struct { - // Sizes defines the list of sizes this layout applies to - Sizes []string - // Images defines a map from os to versionconstraint - // the combination of os and versionconstraint per size must be conflict free over all filesystemlayouts - Images map[string]string -} - -type RaidLevel string -type Format string -type GPTType string - -// Filesystem defines a single filesystem to be mounted -type Filesystem struct { - // Path defines the mountpoint, if nil, it will not be mounted - Path *string - // Device where the filesystem is created on, must be the full device path seen by the OS - Device string - // Format is the type of filesystem should be created - Format Format - // Label is optional enhances readability - Label *string - // MountOptions which might be required - MountOptions []string - // CreateOptions during filesystem creation - CreateOptions []string -} - -// Disk represents a single block device visible from the OS, required -type Disk struct { - // Device is the full device path - Device string - // Partitions to create on this device - Partitions []Partition - // WipeOnReinstall, if set to true the whole disk will be erased if reinstall happens - // during fresh install all disks are wiped - WipeOnReinstall bool -} - -// Raid is optional, if given the devices must match. -// TODO inherit GPTType from underlay device ? -type Raid struct { - // ArrayName of the raid device, most often this will be /dev/md0 and so forth - ArrayName string - // Devices the devices to form a raid device - Devices []Device - // Level the raidlevel to use, can be one of 0,1,5,10 - // TODO what should be support - Level RaidLevel - // CreateOptions required during raid creation, example: --metadata=1.0 for uefi boot partition - CreateOptions []string - // Spares defaults to 0 - Spares int -} - - -// VolumeGroup is optional, if given the devices must match. -type VolumeGroup struct { - // Name of the volumegroup without the /dev prefix - Name string - // Devices the devices to form a volumegroup device - Devices []string - // Tags to attach to the volumegroup - Tags []string -} - -// LogicalVolume is a block devices created with lvm on top of a volumegroup -type LogicalVolume struct { - // Name the name of the logical volume, without /dev prefix, will be accessible at /dev/vgname/lvname - Name string - // VolumeGroup the name of the volumegroup - VolumeGroup string - // Size of this LV in mebibytes (MiB) - Size uint64 - // LVMType can be either striped or raid1 - LVMType LVMType -} - -// Partition is a single partition on a device, only GPT partition types are supported -type Partition struct { - // Number of this partition, will be added to the device once partitioned - Number int - // Label to enhance readability - Label *string - // Size given in MebiBytes (MiB) - // if "0" is given the rest of the device will be used, this requires Number to be the highest in this partition - Size string - // GPTType defines the GPT partition type - GPTType *GPTType -} - -const ( - // VFAT is used for the UEFI boot partition - VFAT = Format("vfat") - // EXT3 is usually only used for /boot - EXT3 = Format("ext3") - // EXT4 is the default fs - EXT4 = Format("ext4") - // SWAP is for the swap partition - SWAP = Format("swap") - // None - NONE = Format("none") - - // GPTBoot EFI Boot Partition - GPTBoot = GPTType("ef00") - // GPTLinux Linux Partition - GPTLinux = GPTType("8300") - // GPTLinuxRaid Linux Raid Partition - GPTLinuxRaid = GPTType("fd00") - // GPTLinux Linux Partition - GPTLinuxLVM = GPTType("8e00") - - // LVMTypeLinear append across all physical volumes - LVMTypeLinear = LVMType("linear") - // LVMTypeStriped stripe across all physical volumes - LVMTypeStriped = LVMType("striped") - // LVMTypeStripe mirror with raid across all physical volumes - LVMTypeRaid1 = LVMType("raid1") -) -``` - -Example `metalctl` outputs: - -```bash -$ metalctl filesystemlayouts ls -ID DESCRIPTION SIZES IMAGES -default default fs layout c1-large-x86, c1-xlarge-x86 debian >=10, ubuntu >=20.04, centos >=7 -ceph fs layout for ceph s2-large-x86, s2-xlarge-x86 debian >=10, ubuntu >=20.04 -firewall firewall fs layout c1-large-x86, c1-xlarge-x86 firewall >=2 -storage storage fs layout s3-large-x86 centos >=7 -s3 storage fs layout s2-xlarge-x86 debian >=10, ubuntu >=20.04, >=firewall-2 -default-devel devel fs layout -``` - -The `default` layout reflects what is actually implemented in metal-hammer to guarantee backward compatibility. - -```yaml ---- -id: default -constraints: - sizes: - - c1-large-x86 - - c1-xlarge-x86 - images: - debian: ">=10" - ubuntu: ">=20.04" - centos: ">=7" -filesystems: - - path: "/boot/efi" - device: "/dev/sda1" - format: "vfat" - options: "-F 32" - label: "efi" # required to be compatible with old images - - path: "/" - device: "/dev/sda2" - format: "ext4" - label: "root" # required to be compatible with old images - - path: "/var/lib" - device: "/dev/sda3" - format: "ext4" - label: "varlib" # required to be compatible with old images - - path: "/tmp" - device: "tmpfs" - format: "tmpfs" - mountoptions: - [ - "defaults", - "noatime", - "nosuid", - "nodev", - "noexec", - "mode=1777", - "size=512M", - ] -disks: - - device: "/dev/sda" - wipe: true - partitions: - - number: 1 - label: "efi" - size: 500 - type: GPTBoot - - number: 2 - label: "root" - size: 5000 - type: GPTLinux - - number: 3 - label: "varlib" - size: 0 # to end of partition - type: GPTLinux -``` - -The `firewall` layout reuses the built in nvme disk to store the logs, which is way faster and larger than what the sata-dom ssd provides. - -```yaml ---- -id: firewall -constraints: - sizes: - - c1-large-x86 - - c1-xlarge-x86 - images: - firewall: ">=2" -filesystems: - - path: "/boot/efi" - device: "/dev/sda1" - format: "vfat" - options: "-F 32" - - path: "/" - device: "/dev/sda2" - format: "ext4" - - path: "/var" - device: "/dev/nvme0n1p1" - format: "ext4" -disks: - - device: "/dev/sda" - wipe: true - partitions: - - number: 1 - label: "efi" - size: 500 - type: GPTBoot - - number: 2 - label: "root" - size: 5000 - type: GPTLinux - - device: "/dev/nvme0n1" - wipe: true - partitions: - - number: 1 - label: "var" - size: 0 - type: GPTLinux -``` - -The `storage` layout will be used for the storage servers, which must have mirrored boot disks. - -```yaml ---- -id: storage -constraints: - sizes: - - s3-large-x86 - images: - centos: ">=7" -filesystems: - - path: "/boot/efi" - device: "/dev/md1" - format: "vfat" - options: "-F32" - - path: "/" - device: "/dev/md2" - format: "ext4" -disks: - - device: "/dev/sda" - wipe: true - partitions: - - number: 1 - label: "efi" - size: 500 - type: GPTLinuxRaid - - number: 2 - label: "root" - size: 5000 - type: GPTLinuxRaid - - device: "/dev/sdb" - wipe: true - partitions: - - number: 1 - label: "efi" - size: 500 - type: GPTLinuxRaid - - number: 2 - label: "root" - size: 5000 - type: GPTLinuxRaid -raid: - - name: "/dev/md1" - level: 1 - devices: - - "/dev/sda1" - - "/dev/sdb1" - options: "--metadata=1.0" - - name: "/dev/md2" - level: 1 - devices: - - "/dev/sda2" - - "/dev/sdb2" - options: "--metadata=1.0" -``` - -The `s3-storage` layout matches the special situation on the s2-xlarge machines. - -```yaml ---- -id: s3-storage -constraints: - sizes: - - c1-large-x86 - - s2-xlarge-x86 - images: - debian: ">=10" - ubuntu: ">=20.04" - centos: ">=7" -filesystems: - - path: "/boot/efi" - device: "/dev/sde1" - format: "vfat" - options: "-F 32" - - path: "/" - device: "/dev/sde2" - format: "ext4" - - path: "/var/lib" - device: "/dev/sde3" - format: "ext4" -disks: - - device: "/dev/sde" - wipe: true - partitions: - - number: 1 - label: "efi" - size: 500 - type: GPTBoot - - number: 2 - label: "root" - size: 5000 - type: GPTLinux - - number: 3 - label: "varlib" - size: 0 # to end of partition - type: GPTLinux -``` - -A sample `lvm` layout which puts `/var/lib` as stripe on the nvme device - -```yaml ---- -id: lvm -description: "lvm layout" -constraints: - size: - - s2-xlarge-x86 - images: - debian: ">=10" - ubuntu: ">=20.04" - centos: ">=7" -filesystems: - - path: "/boot/efi" - device: "/dev/sda1" - format: "vfat" - createoptions: - - "-F 32" - label: "efi" - - path: "/" - device: "/dev/sda2" - format: "ext4" - label: "root" - - path: "/var/lib" - device: "/dev/vg00/varlib" - format: "ext4" - label: "varlib" - - path: "/tmp" - device: "tmpfs" - format: "tmpfs" - mountoptions: - [ - "defaults", - "noatime", - "nosuid", - "nodev", - "noexec", - "mode=1777", - "size=512M", - ] -volumegroups: - - name: "vg00" - devices: - - "/dev/nvmne0n1" - - "/dev/nvmne0n2" -logicalvolumes: - - name: "varlib" - volumegroup: "vg00" - size: 200 - lvmtype: "striped" -disks: - - device: "/dev/sda" - wipeonreinstall: true - partitions: - - number: 1 - label: "efi" - size: 500 - gpttype: "ef00" - - number: 2 - label: "root" - size: 5000 - gpttype: "8300" - - device: "/dev/nvmne0n1" - wipeonreinstall: false - - device: "/dev/nvmne0n2" - wipeonreinstall: false -``` - -## Components which requires modifications - -- metal-hammer: - - change implementation from build in hard coded logic - - move logic to create fstab from install.sh to metal-hammer -- metal-api: - - new endpoint `filesystemlayouts` - - add optional spec of `filesystemlayout` during `allocation` with validation if given `filesystemlayout` is possible on given size. - - add `allocation.filesystemlayout` in the response, based on either the specified `filesystemlayout` or the calculated one. - - implement `filesystemlayouts` validation for: - - matching to disks in the size - - no overlapping with the sizes/imagefilter specified in `filesystemlayouts` - - all devices specified exists from top to bottom (fs -> disks -> device || fs -> raid -> devices) -- metalctl: - - implement `filesystemlayouts` -- metal-go: - - adopt api changes -- metal-images: - - install mdadm for raid support diff --git a/versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP8/filesystems.drawio b/versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP8/filesystems.drawio deleted file mode 100644 index 0f0c6ab5..00000000 --- a/versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP8/filesystems.drawio +++ /dev/null @@ -1,43 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - \ No newline at end of file diff --git a/versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP8/filesystems.png b/versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP8/filesystems.png deleted file mode 100644 index 6d903b7ec9c8c069383846912f136127e54a371a..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 24073 zcmeFZby!u=x-L#hh|(!8>F#a`7bPK}z(SNxX;_4mQqoJ17DPZ05hO&qI|Uaa-67r5 z^&89BXP>?I+4ubJJ@@YO$9W!}^{hFWbIdWm`He5$@BLPoriRkh%hxWWp`l$>QHE-x zpqhg(zfK4W^8GqtXklJGhP0zdvc_=-^;s2LE>#nz*<)di?v#EFJBBukrU_PGA}T?k3cUyJjYK ze}7ib#vE?_`&xbx@n6e8U9N0lV`csO(P9F>C1r2&=i=WhakVxvcl7vm|IbrD<>un( z2<}w)`ATkC*r8pRS{w8`uE?B6dLL z@}@vuB37txU`%rhcktiNecgsBnAH*|CJ;K{*fd_{tG1edn^2v%4wSb z?H1sJTDaQ)?fH+zXm9@e@&7_46yp0mhd-w4ABc|s&$+)=!v6}ZQFmOY=3t0f3?7V+vC5|HBA#2xDDLK(czyhyKIf97y(GEL_pQF?>RQ_UvB?SN#8$KK@?*U&$6_`2M*_UClwr@*j%S z)!gh~F4Di#*MA_=Kd1i7x47W1<^PpP|6&^dmva4Qx(WpQuQ#3|e`7rVk+S|@GoC_! zC)xjuvVsWcpC~H`i~hy?|8E1Ie`H+$uPN*AeDQxrS^ueFbv3v6*DLE^l=HWz|3{Mj zFH%3z;>cSE%T~h! z@Q5)P0;sh3&{!hh4PANn)KpQfAUp}zl8lTLyN9ha2pwxd&=`^Aiou9YMDB`pkL+lu z+B$ce-kH;X(pQ-oSWY^Yh$O+^k!&nT(KL4h1ZzEb33-4mjR@D2w*% z5K0HZAb~79>9RA>VW9q^AA{rMO$>}*hjbXrMA1viAtkqoe?8p4hctSr!-tXx?ay37 zoRqoDMkIPfv%8A+U;P z`1yP~jAT}De8fYC_Gd-}=wS%BSRUE$2X;t-;~o!m^xxv}hvO>4vzqm@|2*(Jo-*9L z4j=c|^Z!Q#Kra7zEhwV$ufI4S<1QW0E^wHrLQo=A*GEfT@4i)Y?&htpIhhV59FL?H ze6TrLJMqcpt9FLx{)koe{`y$;g!>qG%+C4IBJEI>o9)5=m}50_0*t|h+R(2#gwVtH z_y@m6;zRf3Vj4lqNCU6s>?o7DwkXEL>?=SCGKr&?Lfh_mM93nsq>$SqRXr3*pVf^!TBV z7OEcWr9)Nmy7xO@J^r5TuruFjDXs6j_s!n)$$X5`xZBXf#k42qkE_pj`(!)}9BWH` zk6yd>ibp(@F=@i`I9|@F79NB(KXm;p?6COCgMiDim0S`# zweMipwD@C+g4{F>@ddK-IfP`DMw@AV$2J~d5Q%(lLYdQ| zleyypC?XP6E{9Ph32e(c!-qg8=N$t><%j@?`>tlw~`*;drc z(SUe#GA9mW`D|1!R@s-0wE1qgQaXTB@Wt0p>c(8Uxz&Y)YzKR!kLF_?-b9HApl=Tu zJ*j;2{HDa>p7&aD$gY7zKo^aqd%pBkcB0`5LV6$O@l{zf;gVEO)TS)J~@8)Qfs={=urUUTR__n=+bZWi!)TE-Wi}x2O!6UB;ch&Cp zO0pCjRwvSCGAP4So!h8cMBd(c?XXY-UVXvi-R}yeDGns)#B3<*v%Ln-!G$ttMrNBG zOn8)smB
xw+)D(Mjrp)Vmc+ZeAb<7x_eF6=MlG%YLYI4L!@ShPQCJLX3mr2J*i z4@rFQMiVY_d(wNeQh4aWSLyS^xec%YcgNbjg!nKto6%3X`s$})tHq|q8L$ec3|nMo zFpa1~s)756#lswpS8AX5*i5+T@0>@)e-EMc<8uyJq9cS7cD|;ih^9mGd+*x~6`9nRyZ-FdhKI`4MZ*{0oB=sC@Sc= zXt$eHVtCHKh9R-c-PfwyKWK)pb%Yi+UO;{4=81<%8(B=Ud-5|)Pv)&T`mHaV{zOx5|?hcUgA z$|r3NMXZ;N^`?bMvt45@`lpGM1I}ou+Vt1hJ0iXUyjVrM7wo zEVI-qf>yn7oa;_c@d#ETN-cgYAz3sFs#e}}s4DH9?t~#25n@fwXMHjkc6%x-=7_3t zARs^BMOWwMQOK{oTvy?LF2KOQv_=ycn)2j9qlyI^f#EZN8($8-MnnAD6waf-3^+!TKK z)bxAc_1so4TnPW|g4=+HG|z9;dHCCfvXKK9svVBjuQT73jb|i zglzm$2dwrluad~0gy=BQ)nTS77++Nr{+Ke1fi!V;O!+k2Dn~L9@10SuN2u%q$(Nnm zX=PuhDL$A*7zz1RNs6NHaqe9qe)j;pcoIn1o}oHHSjJ~~+lpSYgP%@a6WC13aHhdv zVR5EsB44TVj4Y~-bdD~A(2O1#1EU zs`yyvZHiHRq0_Iy-Aw*x@c)!pvKS;pCOyp#kV>?bAarVS5`Hw$0eL(hv(Y2i2X|W? zbStdge<`_?9yksnoa>>xAG>*6X??c*K}4nYsAKNhc-_UhclpZuyehA~m64Lz%}043 zz8~+e+sc^qv%dD3#U{M52AoEjLdB)Cn`)EJMl_W56|Xt<{0_!lpRW#nNHKW45TAE` z3T#=$L-&!^s2kFw-1VnB{?B6yFF^QngxIg&>EfiUyeO#Na6y^Gy(j%IRC$)mru@7; zP(g$H`Y5^1g8by0OaY#f6pmb@cxnmnR1nH_w;>;TOb92m&rKNHIgEa?SvvKUsXITm zMa5mZ6OvZF*N3uHNDr3YJg@ptKIs)Bbuj7ec(D28VhngEUMu~|9sD!RDtax9+%N)( zTZ_G~J_x8qhd|tuZbkB?Uu?J2ZsZl#xvb`wXndf6puCWQb1V4=gk#;&TXk!X$;UZk z_T>|o9p-`L#$UM&>TiGm<$jRCmreX$F@Jnc8y8u4gBzHa4wE%6_IFG|sV}d*R&xD= zcJ`)xG6U;t_XZ6THeWwEUv{Wmpb#}~Ks#uoajZZEQSb<|og2ZupRPE*%ktBCc4$fo z@zE4;XH0E=OBdrb?%ZB^w7WQVI-Sj1ci2?==v$XB2$FT?toL@9B$~=(kB1VWa7}dy z4#-l9W1aJB-+le~>_E8-Ac-=9_Qdaatf|vp`)kXm35c2IkZNK^#R{bxk6Xx`wb=_A zKbOD{6>$1c{;axof3*AF2?(9nZ}=UWkdmA}0P*X7dB&}fs>L+#UY6!E`>`qzQGWUS zQn=e~Z5a8=XQ#6b<=kEEM?dMW9l#Lh=O>QUh{9(QZYves<>UQzReCU!OWw}UK_DmU zwsKF@tnJEBwTB}roNa$5$m3Tmt(g|-5{9@Vb2fkq$qSxboVQ`GVx4UPKkhQ+d+@4Q zaxPMkqFC&6ifEtT#cTv`m5#1{s~=UgtG>i(X0!LFTLj`QT>cN9^JP1p9%oAtM*KiV5ik`#mqCB{7sYix3v9MBI8cC4o)`f zt8e-q55opPFm_^W?gOIml+Tx!^d%G#*O!5Z=OCqnxf1tBBIV``qLq!+#w=6p*UaFR z3kiZ4Fm$jlR7D>Ruu=X#69terw9=90X}bYtnOPmOQ4BSy%cG zx98Sh%1q zP_7GS$X&tMhys* zMIK9?td-~_5Y&rLI4*BpoCo0Z@a1((cud*zLSk9v=Yi&aaw)8sz3efdr9{1YRb;r~ zY^#}2hxhS-9zBnr*6TOXC&ZAG_43zwM)h^uCjHNFNTqZMMk5ypu`^1C49B3OUaKFh z0-mDx8{9B=^1V1am@13g_tMblC0R{le@i=gzM>#W^A4ibDYZkNtw@StVd)ja?l+ zO{sy_UNgaz;{liOACy>rwo82_=}~YNb)n?ca4Cg7;^s=%@;}>Qon1&t4msLi)QkcE={Zpo}RrC1JT0 zgsFN5SlAl%b2W|{Xw8qwEFvbJ06!28d!Jxfa>qf_xTqV5k=q;9n^oUGr;JS9@W*8lpZZ&fKCCZGLk`G9@tH(iJ627i&m z7etsah0Ej+ScNBR(W5UH#5WC(j}~9s(^>HuCdu%!nG72~< z@jJuA$36S(xNIERB#~r0_3+DK!X3C;su;2hWYbn_jIqT;=+T?vM-?1U_!hx-KGRLR z5vAGMH@L(r4b^>0BiC&6wOZ%K9P5R*{rR*w5VBxv#71Tpq2DiIcmAj~2+Q z%Jx8YvF+4t)Fx--1-{X_N=gv$dI1S~H7vKxi^7OWY2Qk+h>Aq)TY0@ z8ca6KHtO9-Ai$>2zhQWx056go9jg!WoUtv`MEZ9qS{HqKW)YAr#QQl-dQ7D1<58TS zTpg^f$cYYqN>M-nk*K&uC_Uh(e5HlyT)ht0o5bkD0P$U~?5x`>dJ7#w%J45C!v-xl zX^B*3`c=)>!b>q%xx%(X&%aYbJjR_v@a{X(Vq-j8AZpu9-{yY3Bulg_H*X{{FWr5R z3X=y~Ws&3&q<%Wz>fP+!Llr{RUNsX&knpM2%R4jhAk7{PHd-6xDeu(LujSLn6SkC& zq(0@t-?dnzVsy=j0fuB4;$koDK_+H# zyO&6}0qiZ+JJ>T*eGJaP@(2EWTTmQKK^nQ4&m>nZt%HozGXrh)bJ{o*su`J!g#5wAgndoJXjrJR4Y5{KeBg7LHnt!MZEm63_L0mClF z*r9LmZobLRmC|bWGO8NFDO^7Q#eqC)934wwh1g;TL;TqtUD zq33&;RqfZ!zp#EExe=5ki-IDi05 zbn!%Dyl8Hn`I6;9R-3u(qYrr#$goZJg<^&ynk}`CC2dDxnx2j|s9e_eF1GoL3+YT+ z^6sJ2cvfVKA&Q|k$&!OxS zGyRn3^7(~6Xr?BXO;$Dpt87N6b}I*tObfnSSo^>S+ic>PJ^pgormeBZSmKue;~4IC z2C!I4cB`sf-!dgXSKk)FRvkkXHE;0`3JwXPJ(!E9;_>yP2Obk{`)M5Hcj(BGTBmdI z`x;jrkcWTCQu2OyV;dc%GMFS&$TbPj>7qH_xqo~oi-a>CB*ke7sFcRw=fwt@Zyp?@ z(c~1%mPoa0Pxnf0+EH9hkc@-UT|o~c2t)9lF%OiIKr)<`XE8upM2>qqF-(@4Bzg(J z+xZ5MT$HcazZKN2?}G2WSW zBhY#sKQVXR%p3UDJcfhsdH6RjIdg7aqRh*kOzmr@CvcX`%zAg48TYECc41&DZ>Vo7 zXKS*9_}29&#DzE)v}ri~OchzLtn63yRCYNR{b))zf*=j6A1Q?d*M^e{eJ-{QHeq}l z_)gs$;uI0br}{NAFP73X#6uoVFx%Zj`WIsMDwA%#|3c=*(5Isj*T`)I$-K$Q5U@K} zIevBVy%JFQ5ZekY7Dv-(L{E8chd1%wu2h*Y&^VJ;hEKo7%s?a>FnpW!MyKU5M9a$> z&PsMf&7|blOgwQcdv>IJ!p(|ZKLRRe z{K-O$(-;{MmLC8(DndW|=~`K+Qr4{nqm;p_6sky`)9BAGkuFpXQ=S-$+uaY>Lbl~Q@xzkHD6~=ndHva zGxgg_f+0b8HVoUwA5Evkc1_JydZ8q7)te!+S&5@d>ZF^LzV`!s=|#*!4B zl0HDsC{s$Xje}e<-5M!}LvKuQm5NNCbg0sV(W2kk$+g!Uq$782A7E?bW2TiWj_1r} z6Y!?M30U+t8e6&R&I1{)Q9PS}q6g$uBcXYbZq@qAL6hv(_yx(2t6$mnnwUju_+xhk z==Pl+ex48TQ0?u#%VKyx%%b^%G&&3~TwtpuWU0ZP|KbiEBguORzXwu*Qb#BC)R+Ug zU0)Zi_+-i?1kzJI2lAvxvoFfz;nSZf38O2LSl(WqgajTBgc38VY3>-27&;Ks{K&q& zBk^+cVbqS{GYBTf*|E^EeTs5;|EEQVGTBQ|A-Ai9sydql(p=WyJAK z4almoA!OKC`)YW8r!WxJP6wN5-4EDnvsy%hTv8vE(@_;`Kdao6ngz;&<|v^8-(+(j zsliAyBxg8eoNB37g3lR8nv=&ZFq2A~b=-upf(Wf9PEB5H*#JdUOuH=bBjWi^b*wAz%g!#K(pF9SD&sx22Ups?1KV3?XqHZDn=ELl@{tQhn z^lSOf9{ceVH)JEFqy5N`)|xl<{#oJGp`34ycy!8K6al&T{=PgfrCL(b6BPzSmyn7-X4yM~msz7t{<_G2X|M;D87Ghh2NRyYY{ zO|M~e`sy>e7-8pl8WC-l#=Io+5zblPT;khFFp8wF1UC3@{uX8ytmj=K% zW(2=SO9NI+K#G)9h8we+sO|M%=FB&qtDyW)T{PIap`!p2A<|djXxdrn9WSvS;nT2_ ze!U*ciSDJ@!e-6l9I(#EFOVT%L!umkp0GfPt)J=h@k%3{&D_R&bhAvpxyfm4Zv2^)f2OIWB zv%ORimsejHzQ{I1roGU8k~1I=#R+uMd@XPHF($6zfzM-sBoI~+_CfZg*~(WVe0jS+ z+)$CZ^YSdA%6QK*)l&ZwC$>CgHz%zjSKytOLY<~%MW>?P`)dkNrMiw{ANVDOE=wuK z6%p0v=fyFLo#bKSYS2wOq+GJkIKWw|bVWrzlBnzD@?iiWuyAn^B<-slG1xwfit8Mu zCC#Grjg^a4iM}ccx9(~4seGIbA+aJ_UB z0(KPm&BL(ruo>QhY<)kIM29jDJM6Q+wD-Qy*Bfqg%+sDs`9+yqftTA!f}L)`=|(+O zXhiI+Rr#*hS`ba=-Opt7P|X>c!Y78nWPr9~%NNjBv92!Q67-CgGLxSe4kjE^-hVE1 z!rj-RL`3@%HncMM!S;ElrB}j(ng!E+w;q5$B)Fd?5ENVuzn;RYEkbO3v;+|_4^=SO zZ&Q4(wWr);!r+AyMzG&e>`dn0N7dENM>}*on3(N0oGig@!6>_t`#w$hA0RWYYl#}B zO^gYngq^o>bk|8~SbR&!uIsW6+wr;`hLBp%0GC^l*IS>$%b`ly2mXzLI4RjLzjB=x zG4-)?XRrMZ0uEH+|Jz`v$-{dxf4Bhu1APAf#e?sKAubn&+%WoGeSoH8;GX7Tq-i~e zC1X+WJg6uVcrDeKGnnWlR542#^?HNCUz=o$3zF@F9skf9K-Kfs2I?=75;cbkb2-%t z>2av?hf4i^A~!&*iM@FfmqH=A0%ZOJD5AhKiP%dj0Niew+-8y${5#`O@9>EP%eH~;XdXroZ6*Jfe%Q>&B z@Odie?rE7E26w?I0mp_3Bn6DlEy+A|?nrcXF4_rNsG`FczF12hWFsb>A1Fxk4iy^7c%TRtpo%;kge9YPcxu1&C1ZblAkTiROt(+J z#Ih0rk*oqp&`1RUa=i=GQ$!-pZgeBT%d#JmK3;lLpz%t=p_{uLu4ni-yI39#0^k~l zm4RG`wn*v%kIl&qpbMfRlAARpG-6KaV}R%|fr9Z+P*C+VFGnD_p9t$JK%y204IHJt z>i|h2*SNsskUTY)hYX!qIT&mcjwC??Wrj@5mse>-;C}%$q3y&<*G)(nW2btO1=sV= z!TlddATXsO0;#PAOp#7?;0#%oP~h%0wk5y9y#xaX@stV>I9|(@0}A&|0mn3aAx-*V z{A&wZ(=v)EfTC+~-yQea{p>K`5yOHYf`F2^%Vy0k!r)PE_IOF(O#_SNEnZb1_wy+; z{{{{hFqvxR#0ULBm;M&_v~3v!Xt;5v)!sKfQMpEGfD^=Sx2^b7&3oOP(IDf!DNE{n@^2UjE1M zFoa3-vt$dbj2Z54eC#DdfnhJn;PpeEH1?ljszHfn4gcot%YrsunV72q9!9Y&>T1@; zHgu@c0KrT{|5rdWag3Frz+DMp4m@MaqH`wxaROL2DQ;GqwFhMdt2GQe~`A&gb3ccVHSmabi*z;nWo?t0W6~fE?TIH z3Crj71@b~4sA9Rpgk5qrC{vZCHd<;Wa1lX_e71wDfgVSYK)8ZYq>TbV^l+CMAEr76 zq?VT*#&~a?=h}2K1D}}f8E@jN8XGnpZv$I0N|=y?;>BR$hJ7vqkhv46UpO=>H*ax@ z-F?UgNNSfs0Dh0psw{d~0f%%fBjm=)XsNB0D&zSA8jI1sfKyd)7~%{A?1w_{mE4^7 z8imG_i}P6BTriPgqb;CEFw9F6^#JW3yFuK7!(bUDJQzBV4p#CK+AhABYUV~G<5#2a zTjZyfEYMmD_zMvLSc^%Tp8}{is&&Bz0@j&N}#E^wKmGi2^~If-Z8R zh7Y?0@NEDn?lERp5=Fyj{PfHlltP4&o`9@D*&}qNK0xqWFsQxfqPTUJTrKg#6yU~D z#*B>Zmf`~4H=Y8%%19b|JwW`5VtyPC5HHjY&nDfYeeunO)B=ssn> z#lS>NVJQ@x*hudy7Y#JD^}J*6$++6rYs>BOI!E!7@6LYp4B|2H;d&^F0A7QI!)pDXFv&-eL zA~0WDz14)Tj`fvtS+wT4Nz0=beK|Gwpp2{~#`%ysP1YPqT-V{`afMo-g{9`Dk6{rq z<}Q^DZSqyUl%0x~j3p>&Q2)ga^XXeB^Mp<&wHHgcw>U3KORV}tW~6BCjYCp_6a*y! zb;DxZO+%GWHkIPqI-0T`_p7juJex>AdgYUh(eYwGHt=3~{%**Wz4^EuY1
s|)TRD0vGs2UKyg2w47<+D+~{>-Q++BdU4Bq^moVQKCMDk3 z=Ip~2VwdziRP2boRSCGBn+aVu&KMTF61S1oFNNM{QG$T>{nY2Q8~bv_k$46Pi%F*! zn-}MO3G{&obxID2B1Jk`F_+$txU5NH>TR210#U9q`{y<1$E)twQ?dtCc`93=J;2;s zsXC{A*)cGEKa_F2?Q~~tUSi|ng!~*OWKDFoQY^P^^4-PhqD&e4HJ;mlXmp+GU_LmM zAm%cp+>U7D9hx{SGMT+NsK2nUb4Y3#p^e)dhG%33nvI3x^#fLsBL!~0F^qC+sA=*> z0=NF`3=?UXFAc0gY`bNL)jM%GU9HKh?Yp^%2PhgIv*^C3CFGs21ogpTYmG_6CcGO* zC6p@cH$arO?R1Za1aj#BUH#>yH(if2K){!{>L9gO2b4@FMNt2kZb4FHJ&XYHq2$zm zih?AkQS8+`*rs;=rOl)eI{{0T7G4P=F*_ow+~6Qr@r1`PMB~a+qig%ghoq`PxJeJ% zn|Gx}S&NGbh`!=FH?wnU7;LA)L_8fxRJmYQMC!I5N_9`a2)=v+RZ^t6nf<7{KL+y? z%V+D_JExi3-EN{eRrfzxn;@n|Cg5K=68Db~>Hv$!OYtRC8-)=9ZlVcmV^b(W!rkGJ zMs31wcEE`&o*Mxy$dWVKRBe;aAYa+kw{m3Lj$P(QIaPOF`t*IiNuCfbHqmyIyXA^S z45iYx_~(*ux&|Zsjv~;zl-Y;Cj<>XHi*swFvmqO?1teG|InMA3<9#5-m3hNKuW=E0 zJA3z(cLu#{jcq5T&p*2a&(GDftYlH&3rV-){&B>oH)kAqHOTPZl+VF;v*^4JPM4p# z@`<1+s%RZ4uvd#rb)P7nIQ5K5Hl=P3e|qAGHHg2#j3IywB*r&^;U6+2mW4`L` z`C$PbOBoyTc|0|%@mk;|tZvLrbY$eVwZTL9y!S>JDeEZqAgbKNK=0~vz1<^}KqS7T zrsbSs@^K5^Bs_i=#MH#JstaVXOLQ(AwhiAz5enpxD^S3+++(mU6BfQ-8HVt23kAS2 zv8SU&5ib*{FpA~MU%$RH={{ypxr?WztnVCNRfI`9+o!yHxy z6c4Gwn^6=kr4>Hsj|JWQ;^(v_+%ju^?fs3GybqoTW+20yhdw6~t~MokNk2~nCCJ)j zyINUCPu5nhRbQRrI@PBFEYO`r&eTFWzvr@zr{QkFg*V3E3exXh*wxHY*X&L4#YgUB zYitP>5*($G6J`&Pu3k#nHEt8!4esFA*`%T~%B~Oz5$sI}jcvN4X+BJceKfiPBA((x z<(>l{9bFG7`7_9n;tXXO*TdI8S=paTQOxR+`?mq)l@-*?=7YV}Jh~1Ftz2($jXGg+ zd?mAbPuWViV(Bi!A{LTpXk!DPn5d27>hslMG_;+zE5lxbKI z9wIt4Lx}DlVk4zz4imY8&5!$t^Fo_y+Yz9JG2don_bB`?E|BS%9V>V$#JJoNPWM`{ z+OoPV3;Z#0bRS=bN)bgz*$%I7Jl72m4k~myZ=)0@Wwk9^dtv39(1I<#&$+eN7gJT~ zy7)5B%IDIS+jHv-sm+e-L(X=Dta7-J!B=>PiVR<_*-qPp6XYuzLXs*1)5xc=rE+8x zdjQ+jb~aFgzKG}n?o&M@-)|y4#kXiT4ux^UuS8s83zgF}P=Pb;Jz_T^ey0YENc@OH z{LVlI6z7DzNW_y=oRqqo&XCQ^y~3=M&Rn{ittEJiWFysitY=$PB;FZPJzjj9PrL*@ zN@Z}DvH`1?sb~9UP0UBhv|)z0MM{$E$tOGAyz20t*E02wNICiG#8{HvE^Q5=`;-01 zZ&7N@Af`E~nHSfa4OX(=UZZ>nkNFld7d$|SPn1BXUC>bkUB7BdG@uKnwex;OT;Vq# zA4Hg7g5G4IB@O(-BsprhQmsRxv5-Mr7G*?pF;{~dG}WRWEx z?GW%3FkZ(;If)rGh5HM4xZ-`@x!kR?1#Kuc4-O8*N&z&9DGhuqg=fLeM1kpLFP1t$ zuH+RV>i|T#LajoA%PbK(^|Te;S*~eE?h0W(F^r!GOAOzXVb1PmibArOzQA-I?P^G( zQ)%QJ?Y?g`s3y{xv0?cV5_NS*R<$L>KSsxp*wnV-1MZVbru7ogr0 zTFa{nZ$Su^UD4lQ;-hKG06}nBP)Hw5g8WEGYZ`aL5fQoAtm!fdveDTSkxtqWRjYg& z6*cK8rl5(6l=f+z<+<5bK5#*bh0QXlfpUk7?k20EK#g+}@PQB-yfTvY`I$rNfw1G` z_-QLqTokFc-Tpqw$*19@sHN$5l7mG3>2iT8bM+p#ngxZzgYlFK2YF(*#B*?c%fZvtt2!y~uIB=N#w#B&EACV-6pw^2k? zwev=ME_;Gbk?C~J^SQCZ#Ky7BES1=vsb0`=u=XR)2rdOu^#bpM4FV%Eu0kRC1z+c_w~kEJ;hf- zob+9GJU7DyXtIay4b~odHNGZ5>^Ti9F<26*@}%iK*ms+rCM2xzLpGM$DO=oP8!{!P zmtmk=jJVP5a%GULU>*5J$pXFm%h%g*^LNFnn%{m6AJrrfzVt4Rt;Fx=*yRHV?-AoJ zOHI>@>4ij1%plqZSH8_aZFdwMH|K+@*4HnYZ&Kg%d=DS*8qymkQ-H_W#*JLUrx?bT z?O9|JAu%mB)=TBk{W{C_9MMh(C_Y zP*AE=O#Vz+Sqi{}jL{qzQma?XGHg!(6I-Vlta#VwPz7LGX|hqcjEJ1nUk{ z+Cx15b{l5ZuiNxBW`-H+$Z#`53~Uhs2pUn1Oh&cEFQq63wK9BQ2b;%vPd*Ic@?0Q= z*Tt5qw>2E$f)G%hzt3={0fe6_cR!e!T4K$1~CRz6S)w*Kw2 zBAa-l{3YepqpsTP+nfg!{kvhZe4w1WhhPE^m`~4B5xk#B`V%9@je7xR%Dy~w{*hUN zNy2n<0ic46I?ouQuYqu4K-20Y9jc%_ELjIoLFM=i+$=?)X2Ju>T*|1b@jikVNi3;t z!G@6wc-qQW-B|E{ZTdOXroTrWF8c_@p1<{~Gl1#m@Q448hffbq&M)QQ{z)DuQl2(4 zWkh`?hssh2>3=cZEclq-iV(7T_VG_sRSU>Iz`E)te@vwUaVPKkzO_a;JlFBH1c! z8B{h_4ZYWeJ-*1{RDx~`u_6vskJHaKsU&_git6tu9wcCqxr1I0H_pNumtHADzaxv2 zldYL%vqo~u{?qf5&58GU1uHAx@~kXe{}+_qZ-whq_4Q+b4>PVIxgIB&V)W$f8^m+k zeQ#=@m-#zKJga`z)HPIsS=ftY)I3HfFM#3-~dXq_J%08EmjGhLj859ZHN zO%V_P6ATinfOIfx%&z>N1?l<1Dek{qG7@{?YiRe;;N1K{b+EjH8> z{S!4_-<)VU0jMG;lKB0>vMJCi7Z#%GrSy-moA*l}Eda(S%>iKC>gY=(*&%KoTZ=w9 z_i3l(kt)sCg4ka06|-WXRCF((mlJ5>~l77sLb|VZ@!EUUn_2}%DtOYMJ;GqF!7<3VJkA_<4Vew z1xf;w(q})u4z^2mL(Ztq38jBTqi|d`wFZPwk*U<-bfCLqcLMhWC|uZHDgLM_nidhH z-~^iU+%G^7y5UfFWSK`8wx3ZWy+6#z>a8zvdE-TuCKfbZ4HqDr?+id=&jgs_VuHS9 z@_V`CP)0;iSj;batsJHO(_qU6!knFEbpR7$yP?XmbJCNGD3Q^Q1Z$Xk#)qO_q(i6( zNqq>uX|Fc|g#!WUnXz0mR+)I$4HDmV!zX8Mwm21%``*4woCAFNjr>Zb$4BIo#WVtl4*=Rm%EI)(Kf15)QZv1d-!?r&wOdaME6?^mI z)HTG(czGF6R?9nIcSaubCks%=1hgo8*&Hi(bTn!L+{N;VJ81(DL@2^z%6AAA?4GyP zvrm;s@n^&yLX4Jxb;u}H87g?Fj_bJ$$l`+N%f88!O{GMt?SSG7@Sw`MPS)3OK1Olcq`gshGGLK@_K>W^3Q%Ch8N8v^iX?cmeQ zc%`d)7Q>b`KCe39#~up~7ClhOd=owS&KCI2t}t1^U+#2_;4Ulb#OMxu!pI(rNr8s# zo1j@iq1BkU4{B+asyseNjQ6Qdsh5heJ=urO(!^g{;MQ&E-wb^L`UcOXA?F{7sqNBQ zf~G(tZpyt8uC7Gh%)r72YMZS9e3DNROD0lrn!`T^bv2=wMiMmuK;=PkF4|TaCn@XF zYlHRz!(P*J-9d3s)!Udvngt$zc$_f1h|BP ziEXttNWiZQ2B3Zy020cR&xNbXVw#VQ%b37iB;eUij*EE*PWN;e_jav*W~0PYv^*8K z6L*SPF+n3Oy&P=~C=!0?>-Qk;=JG8j#3U{TjVA`BMxHa5yl+0KcA_;6TcFl(biNjP zCWd=u^r^cUd+wdrHwSqJa7@%*PogMWj{^AU9b0f`N$Gn(65=(=O__-E=)K5(^W{eF zDoVwIWw|mjZLwmpFnNt!)yV9!%wCPkC^O;?;~s-tf2{P%7q!&$s4N%;%&OhISC7y3 zL=F4Oq}%~!Y*;`iQwJFY+cOoQnq+sS0|KuGO>S$l2&palsp2Hiv)uVvSrG2TK1=&b zwH9oAbm^`%DGTX8sw%|tsiL8(3hF&uic}xvV#A&Gf{tkVTXs!(or{-@I`Rv1e9c9ck6B}6lq{34 z7c&8xQ(P)fB|x8VNh?wzDLCftJMnuf5+%UIcOc0YNBEqfh@Qa!MLiH*W4*_Xt6iGT zqac-8otT`AT3K&@DQ2{IUQ4SrDuy4+l7O)f#ae&Th|%Oi(bQ5xM%E>Se|p&>W>q2~ zxM&oRX5)&!6h*f5-_?AP&3K!0$q)o1+C*&LNUh6kf9e63YXJ>bQyW#POn(5f%z0}( z6qJzzpbWjG2@*)~i+n;fURZz^QQ{rjK43MK1hZAVLpN_<{(g}X+LJB!rA<}`FmSW{ zBtO~0PcQZ`E)JxcIev+E;M028as*FiTL2|>S-lGMxu%PtaLO&gr+Qkc&I=Ly)FNIv zluK7Pv&8W6!|OWr#0ZkN8p32}lJc#Vr$bpMg|?lamM}8}l0bRv!U54t>T}+$FD0hS z4Y%0$TD<&IoNH`$@>}MolQ;}@Rj$8kDHWeobS4WvQ1=U9Xr7h0p(Rf}uO#W2Krr4n zR}ntUdwTU|iw^xc9w~Egh0|?aL?+`0KO9jmGFYsWKO!5~h`OcEAJRBc!D2K<@|Xh0 zqvbxmQyNrhSX6TekP!xSF)|czVo3%HY>)Sqb0JhIN%YPT zXiXk)N38*q$23qym~E7GC@5+Y&l&@ij5~*(6fC7cX9%( zrFl?sz%r1jnOdJ18>()3>$7BM?HzkP~wvNYUFqI)~!>4bSJp za7V@7*#qFB#->Ua=$|c?JRqZS8ryGS&!k(whHhV>sf|t7Q~S6^PQMUdr(#E(@UUj5 zlE7pefT=H+=u)MMC2E3B;0gC@l=Ff`9EvlWjc~BEfx0+PR}Oz#X6`vyi^;HSN+o^s zJu`ymqXp%-rJ3|>9`OlB zxdz2iWrT&ik3giC#V@h_;Qr|k^_hrn!;28=PMovu(E*vhBrV)_KQx*~1uIE%1=)^S z3clcNv{p&{#DZ~?%4?cFUhZbc;x_BIa%Dm)H@`Ji2&pGPwY5!JF)Lmf#18P+BCLC- zZ)j4&K6s@CU9RJBg{AS?(i^O+_yAdFyA{_!n7EAsl07p6nOXDMVIf7~L>)c0s$Fb) z$Qa%FKsox%!0g0yKVW9|?Z55;%cIW#rubuHVoW}@Bqk<~chqWl=@s!j$;b#rPD^g67PThIlIzVvTR7LF%!={PF=Wp@E!F%vig^}t-Bsa%RhfT1i%%~ z0W?G~2<)w!EDA#YQq3%JnK}EHU;Tw-_-dh$3~|A@KR=rj3hn^}GN0Pzdh!1wID?E? zA|UhCF=izB$+%n$G;k+^@uU4-%^QuE3uIS?)uJmaGBXtyCpFRYmXx)%QIe&|xDB*!CdfJ;_j zhY>s&*aU=-?{NiMZxkt5Lp&u~TEis48r1I{fpDKm9aJ4>6eQONa%1tsAKixb0^&ll zm8LdG**;T~6TI8X?JAEyef7>tQNNn2+S+3uckyJP;`F$C9;Y4-G~0^ zYaVg>Edu^4p)0H0O3y{eTo-#wmuf(s^iKXR*mdd!!7YaL zpM2}sNm2Z#LwJ#o!l~%IIQ)xO zh6*>2e=M6JjrGszibI~tT47>e;lo$jQ_h^Iaw|E5fS%~AbtIkB7@)z~5?hXBDKY6{ z5jHN?eA#>;=y&Ql1llV}MIKhWyMe~e+v@Nv@~fpuY&Ec_M2{x1l@i_@Uf_|kfB;Q7 zf|KqtG2|$-hXGsPFYDrKVXPVnM5SM65|}R)B2evmuOzwPACUQyg#FvtTIk42qK%|| zyw4h@eeHm0Xk|2(l%5Ba=(fM`JfQA)j87GtDOK0K?I?p-m-X97o|yzjb-$EGyhnhzRm0*+gq zZhhDNGY>d8D!SYVc$$buBe2YxcjPY+p#3GUv(L%%C1@E~5%B0O&`53k6yQj0<~bhV5H94PE|4CeM120Qe7~VJTq~wF kXa6SPfTYKS1OJ)lrK(Ngo9!I|JmQ_f)78&qol`;+05laSKmY&$ diff --git a/versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP9/README.md b/versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP9/README.md deleted file mode 100644 index a8cae83d..00000000 --- a/versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP9/README.md +++ /dev/null @@ -1,132 +0,0 @@ ---- -slug: /MEP-9-no-open-ports-to-the-data-center -title: MEP-9 -sidebar_position: 9 ---- - -# No Open Ports To the Data Center - -Our metal-stack partitions typically have open ports for metal-stack native services, these are: - -- SSH port on the firewalls -- bmc-reverse-proxy for serial console access through the metal-console - -These open ports are potential security risks. For example, while SSH access is possible only with private key it's still vulnerable to DoS attack. - -Therefore, we want to get rid off these open ports to reduce the attack surface to the data center. - -## Requirements - -- Access to firewall SSH only via VPN -- Easy to update VPN components - -As a next step, we can also consider joining the management servers to the VPN mesh, which would replace typical WireGuard setups for operators to enter resources inside the partition. - -## High Level Design - -[](./architecture.svg) - -> Simplified drawing showing old vs. new architecture. - -### Concerns - -There's few concerns when using WireGuard for implementing VPN: - -1. WireGuard doesn't implement dynamic cipher substitution. Which is important in case one of the crypto methods, used by WireGuard will be broken. The only possible solution for that will be to update WireGuard to a fixed version. -2. Coordination server(Headscale) is a single point of failure. In case it fails, it potentially can disconnect existing members of the network, as WireGuard can't manage dynamic IPs by itself. -3. Headscale is already falls behind Tailscale coordination server implementation. Which can complicate the upgrade to newer version of Tailscale client in case of emergency. - -### Solutions to concerns - -1. Tailscale node software is using userspace implementation of WireGuard -- `wireguard-go`. One of the options is to inject Tailscale client into `metalctl`. And make it available as `metalctl vpn` or similar command. It should be possible to do as `tailscale` node is already available as open sourced Go pkg. That would allow us to control, what version of Tailscale users are using and in case of any critical changes to enforce them to update `metalctl` to use VPN functionality. -2. Would it be a considerable risk? We could look into `wg-dynamic` project to cover this problem. -3. At the moment, repository looks well maintained and the metal-stack team already contributes to it. - -## Implementation Details - -### metal-roles - -`metal-roles` will be responsible for deployment of `headscale` server(via new `headscale` role). It also should provide sufficient config to `metal-api` so it establishes connection with `headscale` gRPC server. - -### New `metalctl` commands - -`metalctl` will be responsible for client-side implementation of this MEP. Specifically, it's by using `metalctl` user expected to connect to firewalls. - -- `metalctl vpn` -- section for VPN related commands: - - `metalctl vpn get key [vpn name] --namespace [namespace name]` -- returns auth key to be used with `tailscale` client for establishing connection. - -Extend `metalctl firewall`: - -- `metalctl firewall ssh [ID]` -- connect to firewall via SSH. - -Extend `metalctl machine`: - -- `metalctl machine ssh [ID]` -- connect to machine via SSH. - -`metalctl` will be able to connect to firewall and machines by running `tailscale` in container. - -### metal-api - -Updates to `metal-api` should be made, so that it's able to add firewalls to VPNs. There should be one Tailscale namespace per project. So if multiple firewalls are created in single project, they will join the same namespace. - -Two new flags should be introduced to connect `metal-api` to `headscale` gRPC server: - -- `headscale-addr` -- specifies address of Headscale grpc API. -- `headscale-api-key` -- specifies temporary API key to connect to Headscale. It should be replaced and then rotated by `metal-api`. - -If `metal-api` initialized with `headscale` connection it should automatically join all created firewalls to VPN. - -Add new endpoint, that will be used by `metalctl` to connect to VPN: - -- `/v1/vpn GET` -- requests auth key from `headscale` server. - -### metal-hammer - -`metal-hammer` acts as an intermediary for machine configuration between `metal-api` and machine's image. Specifically it writes to `/etc/metal/install.yaml` file, data from which later will be used by image's `install.sh` file. - -To implement VPN support we have to add authentication key and VPN server address to `install.yaml` file. This key will be used to join machine to a VPN. - -### metal-images - -Images `install.sh` script have to be updated to work with authentication key and VPN server address, provided in `install.yaml` file. If this key is present, machine should connect to VPN. - -### metal-networker - -`metal-networker` also have to know if VPN was configured. In that case we need to disable public access to SSH and allow all(?) traffic from WireGuard interface. - -### firewall-controller - -`firewall-controller` have to monitor changes in `Firewall` resource and keep `tailscaled` version up-to-date. - -### Resources - -Update `Firewall` resource to include desired/actual `tailscale` version: - -``` -Firewall: - Spec: - tailscale: - Version: Minimal version - ... - Status: - ... - VPN: - Status: Boolean field - tailscale: - Version: Actual version - ... -``` - -### bmc-reverse-proxy - -TODO - -## References - -1. [WireGuard: Next Generation Secure Network Tunnel](https://www.youtube.com/watch?v=88GyLoZbDNw) -2. [How Tailscale works](https://tailscale.com/blog/how-tailscale-works) -3. [Tailscale is officially SOC 2 compliant](https://tailscale.com/blog/soc2) -4. [Why not Wireguard](https://www.ipfire.org/blog/why-not-wireguard) -5. [Wireguard: Known Limitations](https://www.wireguard.com/known-limitations/) -6. [Wireguard: Things That Might Be Accomplished](https://www.wireguard.com/todo/) -7. [Headscale: Tailscale control protocol v2](https://github.com/juanfont/headscale/issues/526) diff --git a/versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP9/architecture.drawio b/versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP9/architecture.drawio deleted file mode 100644 index adb09214..00000000 --- a/versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP9/architecture.drawio +++ /dev/null @@ -1,324 +0,0 @@ - - - - - - - -
-
-
- Metal Control Plane -
-
-
- - - Metal Control Plane - - - - - - - -
-
-
- metal-stack -
- Partition -
-
-
- - - metal-stack... - - - - - - - -
-
-
- firewall -
-
-
- - - firewall - - - - - - - - -
-
-
- machine -
-
-
- - - machine - - - - - - - -
-
-
- ssh -
-
-
- - - ssh - - - - - - - -
-
-
- bmc-proxy -
-
-
- - - bmc-proxy - - - - - - - - - - - - - -
-
-
- Metal Control Plane -
-
-
- - - Metal Control Plane - - - - - - - -
-
-
- metal-stack -
- Partition -
-
-
- - - metal-stack... - - - - - - - -
-
-
- firewall -
-
-
- - - firewall - - - - - - - - -
-
-
- machine -
-
-
- - - machine - - - - - - - -
-
-
- ssh -
-
-
- - - ssh - - - - - - - - - -
-
-
- bmc-proxy -
-
-
- - - bmc-proxy - - - - - - - -
-
-
- headscale -
-
-
- - - headscale - - - - - - - - - - - - - -
-
-
- tailscaled -
-
-
- - - tailscaled - - - - - - - - - -
-
-
- tailscaled -
-
-
- - - tailscaled - - - - - - - -
-
-
- Internet -
-
-
- - - Internet - - - - - - - -
-
-
- Internet -
-
-
- - - Internet - - - - - - - - - Viewer does not support full SVG 1.1 - - - - diff --git a/versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP9/architecture.svg b/versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP9/architecture.svg deleted file mode 100644 index fd268d2f..00000000 --- a/versioned_docs/version-v0.22.1/contributing/01-Proposals/MEP9/architecture.svg +++ /dev/null @@ -1 +0,0 @@ -
Metal Control Plane
Metal Control Plane
metal-stack
Partition
metal-stack...
firewall
firewall
machine
machine
ssh
ssh
bmc-proxy
bmc-proxy
Metal Control Plane
Metal Control Plane
metal-stack
Partition
metal-stack...
firewall
firewall
machine
machine
ssh
ssh
bmc-proxy
bmc-proxy
headscale
headscale
tailscaled
tailscaled
tailscaled
tailscaled
Internet
Internet
Internet
InternetText is not SVG - cannot display \ No newline at end of file diff --git a/versioned_docs/version-v0.22.1/contributing/01-Proposals/_category_.json b/versioned_docs/version-v0.22.1/contributing/01-Proposals/_category_.json deleted file mode 100644 index 2e7fa4bf..00000000 --- a/versioned_docs/version-v0.22.1/contributing/01-Proposals/_category_.json +++ /dev/null @@ -1,4 +0,0 @@ -{ - "position": 1, - "label": "Enhancement Proposals" -} \ No newline at end of file diff --git a/versioned_docs/version-v0.22.1/contributing/01-Proposals/index.md b/versioned_docs/version-v0.22.1/contributing/01-Proposals/index.md deleted file mode 100644 index 0f6eddc3..00000000 --- a/versioned_docs/version-v0.22.1/contributing/01-Proposals/index.md +++ /dev/null @@ -1,69 +0,0 @@ ---- -slug: /enhancement-proposals -title: Enhancement Proposals -sidebar_position: 1 ---- - -# Metal Stack Enhancement Proposals (MEPs) - -This section contains proposals which address substantial modifications to metal-stack. - -Every proposal has a short name which starts with _MEP_ followed by an incremental, unique number. Proposals should be raised as pull requests in the [website](https://github.com/metal-stack/website) repository and can be discussed in Github issues. - -The list of proposals and their current state is listed in the table below. - -Possible states are: - -- `In Discussion` -- `Accepted` -- `Declined` -- `In Progress` -- `Completed` -- `Aborted` - -Once a proposal was accepted, an issue should be raised and the implementation should be done in a separate PR. - -| Name | Description | State | Progress | -| :------------------------------------------------------------- | :--------------------------------------------- | :-------------: | :----------------------------------------------------------------: | -| [MEP-1](MEP1/README.md) | Distributed Control Plane Deployment | `Declined` | | -| [MEP-2](MEP2/README.md) | Two Factor Authentication | `Aborted` | | -| [MEP-3](MEP3/README.md) | Machine Re-Installation to preserve local data | `Completed` | | -| [MEP-4](MEP4/README.md) | Multi-tenancy for the metal-api | `In Progress` | [releases#236](https://github.com/metal-stack/releases/issues/236) | -| [MEP-5](MEP5/README.md) | Shared Networks | `Completed` | | -| [MEP-6](MEP6/README.md) | DMZ Networks | `Completed` | | -| [MEP-7](https://github.com/metal-stack/docs-archive/pull/51) | Passing environment variables to machines | `Declined` | | -| [MEP-8](MEP8/README.md) | Configurable Filesystemlayout | `Completed` | | -| [MEP-9](MEP9/README.md) | No Open Ports To the Data Center | `Completed` | | -| [MEP-10](MEP10/README.md) | SONiC Support | `Completed` | | -| [MEP-11](MEP11/README.md) | Auditing of metal-stack resources | `Completed` | | -| [MEP-12](MEP12/README.md) | Rack Spreading | `Completed` | | -| [MEP-13](MEP13/README.md) | IPv6 | `Completed` | | -| [MEP-14](MEP14/README.md) | Independence from external sources | `Completed` | | -| [MEP-15](https://github.com/metal-stack/docs-archive/pull/232) | HAL Improvements | `In Discussion` | [releases#238](https://github.com/metal-stack/releases/issues/238) | -| [MEP-16](MEP16/README.md) | Firewall Support for Cluster API Provider | `Accepted` | [releases#237](https://github.com/metal-stack/releases/issues/237) | -| [MEP-17](MEP17/README.md) | Global Network View | `In Discussion` | | -| [MEP-18](MEP18/README.md) | Autonomous Control Plane | `In Discussion` | | - -## Proposal Process - -1. Before starting a new proposal, it is advised to have a quick chat with one of the maintainers. -2. Create a draft pull request in the [website](https://github.com/metal-stack/website) repository with your proposal. Your proposal doesn't have to be finished at this point. -3. Share the PR in the [metal-stack Slack](https://metal-stack.slack.com/) and invite maintainers to review it. -4. The review itself will probably take place in multiple iterations. Don't be discouraged if your proposal is not accepted right away. The goal is to reach consensus. -5. Once your proposal is accepted, create an umbrella issue in the relevant repository or when multiple repositories are involved in the [releases](https://github.com/metal-stack/releases). -6. Other issues should be created in different repositories and linked to the umbrella issue. -7. Unless stated otherwise, the proposer is responsible for the implementation of the proposal. - -## How to Write a Good MEP - -In the first section of your MEP, start with the current situation and the motivation for the change. Summarize your proposal briefly. - -Next follows the main part: describe your proposal in detail. Which parts of of metal-stack are affected? Are there API changes? If yes, describe them and provide examples here. -Try to think of side effects your proposal might have. Try to provide a view on how your proposal affects users of metal-stack. -Highlight breaking changes and think of a migration path for existing users. If your proposal affects multiple components, try to describe the interaction between them. - -After the main part of your proposal, feel free to add additional sections, e.g. about alternatives that were considered, non-goals or future possibilities. - -Depending on the complexity of your proposal, you might want to add a section about the implementation plan or roadmap. - -You can have a look at the existing MEPs for inspiration. As you will notice: not every MEP has the same structure. Feel free to structure your MEP in a way that makes sense for your proposal. diff --git a/versioned_docs/version-v0.22.1/contributing/02-planning-meetings.mdx b/versioned_docs/version-v0.22.1/contributing/02-planning-meetings.mdx deleted file mode 100644 index df10177b..00000000 --- a/versioned_docs/version-v0.22.1/contributing/02-planning-meetings.mdx +++ /dev/null @@ -1,120 +0,0 @@ ---- -slug: /planning-meetings -title: Planning Meetings -sidebar_position: 2 ---- - -# Planning Meetings - -Public planning meetings are held **biweekly** on **odd calendar weeks** from **14:00 to 14:30** (Berlin/Europe timezone) on Microsoft Teams. The purpose is to provide an overview of our current projects and priorities, as well as to discuss new topics and issues within the group. - -export function PlanningMeetingDatesTable() { - const today = new Date(); - const dayOfWeek = today.getDay(); - - let daysUntilMonday = 0; - switch (dayOfWeek) { - case 0: - daysUntilMonday = 1; - break; - case 1: - daysUntilMonday = 0; - break; - default: - daysUntilMonday = 8 - dayOfWeek; - } - - const nextMonday = new Date(); - nextMonday.setDate(nextMonday.getDate() + daysUntilMonday) - - let onejan = new Date(today.getFullYear(), 0, 1); - let week = Math.ceil((((nextMonday.getTime() - onejan.getTime()) / 86400000) + onejan.getDay() + 1) / 7); - - if (week % 2 === 0) { - nextMonday.setDate(nextMonday.getDate() + 7) - } - - const blacklist = [ - new Date('2025-12-29'), - ] - - const amount = 8 - const dates = []; - - for (let i = 0; i < amount; i++) { - const nextDate = new Date(nextMonday); - nextDate.setDate(nextDate.getDate() + (i * 14)) - - if (blacklist.find(item => {return item.toDateString() == nextDate.toDateString()}) !== undefined ) { - continue - } - - dates.push(nextDate.toDateString()) - } - - return ( - - - - - - - - - - {dates.map((date, index) => ( - - - - - - ))} - -
DateTimeLink
{date}14:00 – 14:30Join Link
- ) -} - - - -Our [development planning board](https://github.com/orgs/metal-stack/projects/34) can be found on GitHub. - -[//]: <> (The C025PB1EUKC in the slack url references the #devs channel.) -If you want to get an invitation to the event, please drop us a line on our [Slack channel](https://metal-stack.slack.com/archives/C025PB1EUKC). - -Planning meetings are currently not recorded. The meetings are held either in English or German depending on the attendees. - -:::info -Note that anyone can contribute to metal-stack without participating in planning meetings. However, if you want to speed up the review process for your requirements, it might be helpful to attend the meetings. -::: - -## Agenda - -Here is the agenda that we generally want to follow in a planning meeting: - -- Possibility to bring up news that are interesting for every developer of the metal-stack org -- Check `Done` column and archive cards - - Attendees have the chance to briefly present achievements if they want -- Check the `In Progress` column and discuss whether these tasks are still worked on, there were significant blockers or they can be lower-prioritized -- Check new issues labelled with `triage` and prioritize them -- Allow attendees to bring up issues and prioritize them - - Attendees have the chance to briefly present these new issues - -## Idea Backlog - -The backlog contains ideas of what could become part of the roadmap in the future. The list is ordered alphabetically. Therefore, the order does not express the importance or weight of a backlog item. - -We incorporate community feedback into the roadmap. If you think that important points are missing in the backlog, please share your ideas with us. We have a Slack channel. Please check out [metal-stack.io](https://metal-stack.io) for contact information. - -:::danger -By no means this list is a promise of what is being worked on in the near future. It is just a summary of ideas that was agreed on to be "nice to have". It is up to the investors, maintainers and the community to choose topics from this list and to implement them or to remove them from the list. -::: - -- Add metal-stack to [Gardener conformance test grid](https://testgrid.k8s.io/gardener-all) -- Autoscaler for metal control plane components -- CI dashboard and public integration testing -- Improved release and deploy processes (GitOps, [Spinnaker](https://spinnaker.io/), [Flux](https://fluxcd.io/)) -- Machine internet without firewalls -- metal-stack dashboard (UI) -- Offer our metal-stack extensions as enterprise products (accounting, cluster-api, S3) (neither of them will ever be required for running metal-stack, they just add extra value for certain enterprises) -- Partition managed by Kubernetes (with Kubelets joining the control plane cluster) -- Public offering / demo playground diff --git a/versioned_docs/version-v0.22.1/contributing/03-contribution-guideline.md b/versioned_docs/version-v0.22.1/contributing/03-contribution-guideline.md deleted file mode 100644 index 010c2a05..00000000 --- a/versioned_docs/version-v0.22.1/contributing/03-contribution-guideline.md +++ /dev/null @@ -1,147 +0,0 @@ ---- -slug: /contribution-guideline -title: Contribution Guideline -sidebar_position: 3 ---- - -# Contribution Guideline - -This document describes the way we want to contribute code to the projects of metal-stack, which are hosted on [github.com/metal-stack](https://github.com/metal-stack). - -The document is meant to be understood as a general guideline for contributions, but not as burden to be placed on a developer. Use your best judgment when contributing code. Try to be as clean and precise as possible when writing code and try to make your code as maintainable and understandable as possible for other people. - -Even if it should go without saying, we live an open culture of discussion, in which everybody is welcome to participate. We treat every contribution with respect and objectiveness with the general aim to write software of quality. - -If you want, feel free to propose changes to this document in a pull request. - -## How Can I Contribute? - -Open a Github issue in the project you would like to contribute. Within the issue, your idea can be discussed. It is also possible to directly create a pull request when the set of changes is relatively small. - -When opening an issue please consider the following aspects: - -1. Create a meaningful issue describing the WHY? of your contribution. -1. Try to set appropriate labels to the issue. For example, attach the `triage` label to your issue if you want it to be discussed in the next [planning meeting](./02-planning-meetings.mdx). It might be useful to attend the meeting if you want to emphasize it being worked on. - -### Pull Requests - -The process described here has several goals: - -- Maintain quality -- Enable a sustainable system to review contributions -- Enable documented and reproducible addition of contributions - -1. Create a repository fork within the context of that issue. Members of the organization may work on the repository directly without a fork, which allows building development artifacts more easily. -1. Develop, document and test your contribution (try not to solve more than one issue in a single pull request). -1. Create a Draft Pull Request to the repository's main branch. -1. Create a meaningful description of the pull request or reference the related issue. The pull request template explains what the content should include, please read it. -1. Ask for merging your contribution by removing the draft marker. Repository maintainers (see [Code Ownership](#code-ownership)) are notified automatically, but you can also reach out to people directly on Slack if you want a review from a specific person. - -## General Objectives - -This section contains language-agnostic topics that all metal-stack projects are trying to follow. - -### Code Ownership - -The code base is owned by the entire team and every member is allowed to contribute changes to any of the projects. This is considered as collective code ownership[^1]. - -As a matter of fact, there are persons in a project, which already have experience with the sources. These are defined directly in the repository's [CODEOWNERS](https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners) file. If you want to merge changes into the master branch, it is advisable to include code owners into the process of discussion and merging. - -### Microservices - -One major ambition of metal-stack is to follow the idea of [microservices](https://en.wikipedia.org/wiki/Microservices). This way, we want to achieve that we can - -- adapt to changes faster than with monolithic architectures, -- be free of restrictions due to certain choices of technology, -- leverage powerful traits of cloud infrastructures (e.g. high-scalability, high-availability, ...). - -### Programming Languages - -We are generally open to write code in any language that fits best to the function of the software. However, we encourage [golang](https://en.wikipedia.org/wiki/Go_(programming_language)) to be the main language of metal-stack as we think that it makes development faster when not establishing too many different languages in our architecture. Reason for this is that we are striving for consistent behavior of the microservices, similar to what has been described for the Twelve-Factor App (see [12 Factor](https://12factor.net/)). We help enforcing unified behavior by allowing a small layer of shared code for every programming language. We will refer to this shared code as "libraries" for the rest of this document. - -### Artifacts - -Artifacts are always produced by a CI process (Github Actions). - -Docker images are published on the Github Container Registry of the metal-stack organization. - -Binary artifacts or OS images can be uploaded to `images.metal-stack.io` if necessary. - -When building Docker images, please consider our build tool [docker-make](https://github.com/fi-ts/docker-make) or the specific [docker-make action](https://github.com/fi-ts/action-docker-make) respectively. - -### APIs - -We are currently making use of [Swagger](https://swagger.io/) when we exposing traditional REST APIs for end-users. This helps us with being technology-agnostic as we can generate clients in almost any language using [go-swagger](https://goswagger.io/). Swagger additionally simplifies the documentation of our APIs. - -Most APIs though are not required to be user-facing but are of technical nature. These are preferred to be implemented using [grpc](https://grpc.io/). - -#### Versioning - -Artifacts are versioned by tagging the respective repository with a tag starting with the letter `v`. After the letter, there stands a valid [semantic version](https://semver.org/). - -### Documentation - -In order to make it easier for others to understand a project, we document general information and usage instructions in a `README.md` in any project. - -In addition to that, we document a microservice in the [docs](https://github.com/metal-stack/docs) repository. The documentation should contain the reasoning why this service exists and why it was being implemented the way it was being implemented. The aim of this procedure is to reduce the time for contributors to comprehend architectural decisions that were made during the process of writing the software and to clarify the general purpose of this service in the entire context of the software. - -## Guidelines - -This chapter describes general guidelines on how to develop and contribute code for a certain programming language. - -### Golang - -Development follows the official guide to: - -- Write clear, idiomatic Go code[^2] -- Learn from mistakes that must not be repeated[^3] -- Apply appropriate names to your artifacts: - - [https://go.dev/talks/2014/names.slide](https://go.dev/talks/2014/names.slide) - - [https://go.dev/blog/package-names](https://go.dev/blog/package-names) - - [https://go.dev/doc/effective_go#names](https://go.dev/doc/effective_go#names) -- Enable others to understand the reasoning of non-trivial code sequences by applying a meaningful documentation. - -#### Development Decisions - -- **Dependency Management** by using Go modules -- **Build and Test Automation** by using [GNU Make](https://man7.org/linux/man-pages/man1/make.1p.html). -- **End-user APIs** should consider using go-swagger and [Go-Restful](https://github.com/emicklei/go-restful) - **Technical APIs** should consider using [grpc](https://grpc.io/) - -#### Libraries - -metal-stack maintains several libraries that you should utilize in your project in order to unify common behavior. Some of these projects are: - -- [metal-go](https://github.com/metal-stack/metal-go) -- [metal-lib](https://github.com/metal-stack/metal-lib) - -#### Error Handling with Generated Swagger Clients - -From the server-side you should ensure that you are returning the common error json struct in case of an error as defined in the `metal-lib/httperrors`. Ensure you are using `go-restful >= v2.9.1` and `go-restful-openapi >= v0.13.1` (allows default responses with error codes other than 200). - -### Documentation - -We want to share knowledge and keep things simple. If things cannot kept simple we want to enable everybody to understand them by: - -- Document in short sentences[^4]. -- Do not explain the HOW (this is already documented by your code and documenting the obvious is considered a defect). -- Explain the WHY. Add a "to" in your documentation line to force yourself to explain the reasonning (e.g. "` to `"). - -### Python - -Development follows the official guide to: - -- Style Guide for Python Code (PEP 8)[^5] - - The use of an IDE like [PyCharm](https://www.jetbrains.com/pycharm/) helps to write compliant code easily -- Consider [setuptools](https://pythonhosted.org/an_example_pypi_project/setuptools.html) for packaging -- If you want to add a Python microservice to the mix, consider [pyinstaller](https://github.com/pyinstaller/pyinstaller) on Alpine to achieve small image sizes - -[^1]: [https://martinfowler.com/bliki/CodeOwnership.html](https://martinfowler.com/bliki/CodeOwnership.html) - -[^2]: [https://go.dev/doc/effective_go](https://go.dev/doc/effective_go) - -[^3]: [https://github.com/golang/go/wiki/CodeReviewComments](https://github.com/golang/go/wiki/CodeReviewComments) - -[^4]: [https://github.com/golang/go/wiki/CodeReviewComments#comment-sentences](https://github.com/golang/go/wiki/CodeReviewComments#comment-sentences) - -[^5]: [https://www.python.org/dev/peps/pep-0008/](https://www.python.org/dev/peps/pep-0008/) diff --git a/versioned_docs/version-v0.22.1/contributing/04-release-flow.md b/versioned_docs/version-v0.22.1/contributing/04-release-flow.md deleted file mode 100644 index 2a6403b7..00000000 --- a/versioned_docs/version-v0.22.1/contributing/04-release-flow.md +++ /dev/null @@ -1,107 +0,0 @@ ---- -slug: /release-flow -title: Release Flow -sidebar_position: 4 ---- - -# Releases - -The metal-stack contains of many microservices that depend on each other. The automated release flow is there to ensure that all components work together flawlessly for every metal-stack release. - -Releases and integration tests are published through our [release repository](https://github.com/metal-stack/releases). You can also find the [release notes](https://github.com/metal-stack/releases/releases) for this metal-stack version in there. The release notes contain information about new features, upgrade paths and bug fixes. - -If you want, you can sign up at our Slack channel where we are announcing every new release. Often, we provide additional information for metal-stack administrators and adopters at this place, too. - -This document is intended for developers, especially maintainers of metal-stack projects. - -## Release Flow - -The following diagram attempts to describe our current release flow: - -![](release_flow.svg) - -A release is created in the following way: - -- Individual repository maintainers within the metal-stack GitHub Organization can publish a release of their component. -- This release is automatically pushed to the `develop` branch of the release repository by the metal-robot. -- A push triggers a virtual release integration test using the mini-lab environment. This setup launches metal-stack with the `sonic` and `gardener` flavors to validate the different Ansible roles and execute basic operations across the metal-stack layer. -- To contribute components that are not directly part of the release vector, a pull request must be made against the `develop` branch of the release repository. Release maintainers may push directly to the `develop` branch. -- The release maintainers can `/freeze` the `develop` branch, effectively stopping the metal-robot from pushing component releases to this branch. -- The `develop` branch is tagged by a release maintainer with a `-rc.x` suffix to create a __release candidate__. -- The release candidate must pass a large integration test suite on a real environment, which is currently run by FI-TS. It tests the entire machine provisioning engine including the integration with Gardener, the deployment, metal-images and Kubernetes conformance tests. -- If the integration tests pass, the PR of the `develop` branch must be approved by at least two release maintainers. -- A release is created via GitHub releases, including all release notes, with a tag on the `main` branch. - -## FAQ - -**Question: I need PR #xyz to go into the release, why did you not include it?** - -Answer: It's not on purpose if we miss a PR to be included into a metal-stack release. Please use the pending pull request from `develop` into `master` as soon as it is open and comment which pull request you want to have included into the release. Also consider attending our planning meetings or contact us in our Slack channel if you have urgent requirements that need to be dealt with. - -**Question: Who is responsible for the releases? Who can freeze a release?** - -Answer: Every repository in metal-stack has a `CODEOWNERS` file pointing to a maintainer team. This is also true for the releases repository. Only release repository maintainers are allowed to `/freeze` a release (meaning the metal-robot does not automatically append new component releases to the release vector anymore). - -**Question: I can't push to the `develop` branch of this repository? How can I request changes to the release vector?** - -Answer: Most changes are automatically integrated by the metal-robot. For manually managed components, please raise a pull request against the `develop` branch. Only release maintainers are allowed to push to `develop` as otherwise it would be possible to mess up the release pipeline. - -**Question: What requirements need to be fulfilled to add a repository to the release vector?** - -Please see the section below named [Requirements for Release Vector Repositories](#requirements-for-release-vector-repositories). - -### Requirements for Release Vector Repositories - -Before adding a repository in the metal-stack org to the releases repository, it is advised for the maintainer to fulfill the following points: - -- The following files should be present at the repository root: - - [CODEOWNERS](https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners) - - When a repository is created, the metal-robot automatically creates a -maintainers team in our GitHub org. - - The CODEOWNERS file should reference this team. - - The team should contain at least two maintainers. - - `LICENSE` - - This usually should be MIT with "metal-stack" as authors. - - `CONTRIBUTING.md` - - This should contain the following content: - ``` - # Contributing - - Please check out the [contributing section](https://docs.metal-stack.io/stable/development/contributing/) in our [docs](https://docs.metal-stack.io/). - ``` - - `README.md` -- The `developers-core` team should be given repository access with `write` role, the codeowners team should have the `maintain` role -- Release artifacts should have an SPDX-formatted SBOM attached. - - For container images these are embedded using Buildx. -- The following branch protection rules should be set: - - The mainline should be protected. - - A pull request should be required before merging (required by at least one code owner). - - Status checks should be required to pass. - - Force push should not be allowed on this branch. -- One person from the releases maintainers has to add the repository to the metal-robot in order to pick up the releases, add them to the release vector and generate release notes. - -### How-To Release a Project - -[release-drafter](https://github.com/release-drafter/release-drafter) is preferred in order to generate release notes from merged PRs for your projects. It should be triggered for pushes on your main branch. - -The draft is then used to create a project release. The release has to be published through the GitHub UI as demonstrated in the screenshot below. - -**Tagging the repository is not enough as repository tagging does not associate your release notes to your release!** - -![](release.png) - -Some further remarks: - -- Use semver versions with `v` prefix for your tags -- Name your release after your release tag -- The metal-robot only picks up lines from your release notes that start with `-` or `*` (unordered list items) and appends them to the according section in the aggregated release draft -- A tag created through a GitHub UI release does not trigger a `push` event . This means, your pipeline will not start to run with the `push` trigger when publishing through the UI. - - Instead, use the `published` [release event trigger](https://docs.github.com/en/actions/reference/events-that-trigger-workflows#release) for your actions: - - ```yaml - on: - release: - types: - - published - ``` -- In case they are necessary, please do not forget to include `NOTEWORTHY`, `ACTIONS_REQUIRED` or `BREAKING_CHANGE` sections into releases. More information on those release draft sections can be read in a pull request template. diff --git a/versioned_docs/version-v0.22.1/contributing/05-community.md b/versioned_docs/version-v0.22.1/contributing/05-community.md deleted file mode 100644 index 61eaf099..00000000 --- a/versioned_docs/version-v0.22.1/contributing/05-community.md +++ /dev/null @@ -1,11 +0,0 @@ ---- -slug: /community -title: Community -sidebar_position: 5 -draft: true ---- - -# Community - -(Slack channel, community events like FOSDEM, Kubernetes Community Days..., blog -articles) diff --git a/versioned_docs/version-v0.22.1/contributing/release.png b/versioned_docs/version-v0.22.1/contributing/release.png deleted file mode 100644 index 598b118221b61d55a2de4b4c1841cc6416892b6e..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 87019 zcmdqIg;yL)^Z1>R0Kr3W4<6iImY@NGyR*2vYX}xRxVr~;*TvnP#ogWE-7C5GKIi=Y zf$w|HEN9M8)6-L3RbAEd=^$BYF(i0g_*bu9A&GwxmVfmM3IzG7zJq~W38XvdeD&(% zD{;88uCkwW;aCVIm4cDEKIbCixj+Bav2LwExc^$4Ro;aAmZjhZs}a_(3Jw(Tz zm@b;i9M7IkH-kMp!L;cdgg18}UB;iKGe47(!b7Uw)UwY&mr&*K|J&$Kk&j}Xr$?XI z9P@RErAn}@R)_774{_C)S5$YAV6w6{Y;2vn76zDCVl?2X{~fSx_{}fagbhr7M}Y1m zjX0<#@8QbpLqa8LooSh(X;i%QAMt_at<-hs%D*i^;O!7F{S;x z)eHfIO>pu^lNAjOSz}xOHL_8Jw z`nq#L?cDgtwdMt8dHR1uI_ZBJcb1o>6VyoZs}9hRs|}{lD!@s(J-)M#gtrQ%M-aN% zIZD17LIP1m*4^IMAtZWE)`QDzQT5yN6_vD$R5$&v)DkJqIt#W0|9O=LGDxGRO;?YJ zvTFUoI#E*SR>w1l#Rn3j5v8Zbm%ajzr(bOP_qAyY;7iy=!8`7sc=#hPMZ&0OX?NPK zSmKl=gX{Z)bVi}f;)d@0q=iIRk9Ga66ZfZzRap;&B+^s|^H)B1o=z_INB;B7JE4y< z{%dJzdk$bsd!165I(hUKoQ}co4>517m&-Wq2IC zbZR(oA``p%)9!RW@l6TJPvHobjmgiZ8(g)PUfm0;scQP#2dI1fS}o7UovAt;e}ZT1K|f61C5=><46y}*!l^BqF^t7K zp)FldM0Bv6`4UE>BaQ$0i7Y=~s%W=F=~Vg1szEcx;v&z*^W$QUM!_6MF5(6h!(^>H z&ImzMf9ar^nWBCE7dK{idc%b2scq@#z7GNBY({6T`sns`z?Y9 z1_e8n^dfQ#mHd@d602F)Vp*GCYOFt3w`ga%nr3CyKeGovdS51^#q)$&4;SbrPy7>Y zOfiv4oW8qN<&z#v?yvf)OdkR*4zUc`Pmn3fAjhnN>Zs%K7vp6U;Wi6%Fpm9`;zA74l`B zbQ1p0LYj@Q#oRG!esPXxr(xx{AsLNCP#LjZDKM1887BD!f3{3M7j26$Idj9Y@~BE{ zUpZ2nFTy=RQ6J@i^Cd#rsJ7O~b9y9FcZA`fPv01O=ELVtAE~e;O1|ztrjRT$ zRFSww`zvC-M(rzu;zAD?)=@uNW3=eHyma2|`be}d)goFM%Lb657p*c?X^6JUP~syJ zd=95rSQ%zzUNSP~Z5#O{-m9ikpO%piB(R<+>s{Aej<|8KMdVHCD=Kp-&km%l3Dn9m zmGo`};Pe10xFwYBj9o2h+=wJMLc&Lyd2ZOLV4#IG?kXR?a1ycJ81_EPTIJ!o)C6E{ z4D6X!aV->Id*wv}H(22|`pT07wjGlyOjekn@UJ{rD^ZM(z(&2*n9T}p2zWOqy`vPV zgh%S~jgz$epQ8IBn7|I^r_A@E!eHx(*dv|eZmGm4R$5Y!5nI(E?eF>JCkpiWS8T5* zBy06XBgSKsN6(({;SgDV@*qCt0-*evxA_^L)n=d9o(x=54DjSkU?O7Z z9i2`hx+x~HIk>5Jy=OKukTH@;lsW*~Q>C4vRm~oPid-EvOO6yVgQ-)7!9W{39;ObM1#Mh0c9x7sZf@I~gY_A7; z7p{T?jvUh0saO+x!>=aC^PVu^CttR$n58;3ndWtVPp2Q-;2_f}yLXbXmoH0xvkV_| z%5cb|mjMC-I{};j)%rAeE!(!GLfPnI^<_>;65)6a}T9 zkUy1n+W*Y0%_Kibf%T7L-d`l#AN6A{B(`)Exzg@4@fd!6i)aY8 z!oB1P-^&L&oAYNd#wcRUf__gj=(2y@BU)4-Ove|uysjyWyFhyogCX1hQlK0rUu%KC z8oxthsq-*VhkT}DpUEjpOU|b5KMg*T z{mce(0zQ9H`}gGp-omGU^IPkj-Imw?EeHuHK21;`0&;2oO~k*wLsx$d2lB7o%U%Ch zl^_3*LixWd#q}XzV?7!Y`?F|%N0UDd)K&eDgfgwP0$uvIvHv-N9>agZjw}7gh9M`i zCJ-~mTF8qJ{wKkJr~@L!|Nko~J6^;C*8W|`y>FRgB$D0#wI4fW0aIX@e=cbTPZSa!0AO)?2*Ax_=;lInQFi(m-gjU)e6ZzS zPk!#EcHwr{b$-`Uico22)#^N8zI%5iSAjlwcdgnn~nT{6q++6X)H*jGg?S?q~>f+SC>ri2W*T>(DF5c^$(^7_V6n1tb7jB)=<;GP3F z2??pK{luz?wf4t2#*~*u9kYMDO7HiI({X&)`=r+S@SI~;1%FM%)9V)q+&T=(w!Cib z88e;o6X{w%+VRajca0^v;4KWY?J~DKwSTaVFmCuIUDhjjxBLCTQQZn0lx@H?x^w(U zYuM^s%ueb*#!1)hk&=GzV7rF8y6IDt+O3dI$^$D3h69aE!on66r+@Rc@?S?=6?3yd zH#1k^#jl(_skE2c;FojmEI&K#IHR&sbXj7X>W34~Ej+!c9<2;HyRrhFdFZ?~6^H98 zEIG9wy~q85jL^HVjApJy9oY{b?841kSx;OibV|P-kt=d7MtGe1>DK8}n#f~$|9olW za$d|6MBV2V0s*)mCR1!|z3x|3?&|L&Xx-G+ad)%NRj}Eell|%$f<9 z`p6fygWG7+k&8uNra8FE3*0d?5LWQlWd_E#Qkh@ox9@XIL}3Vxjzg_@dsoi#%;|C1 zQnCnoCf1eGEiQQoqTNv_7K-4bd#{LhmkiCC)gpH=V7=zAa2B%%DqPw%=0AnpHIc1w zi`}@cRO;X9c9v;%Wqwghu_SujmO(~YZ+T9>wK^dy9s+oV6QQ2p*aldJ=-(_|8)-=v zNpCL=qyLJ(FuLo4n`6fpjHs)e1RH5l4313RBX3`=U6`nXk2_Wl9ILHo(z$q4P`&gx zP`zqQuaagbbv9AOMsPVp<6(yKOmmAnuGHv1c-&Ju=~NlIG{tkh?BEP27D=n`D!EC$ zM3tDs^3Ar|-LERoEPd(>&aA0KckL(##vE|?t2n64T}P0UF1DQipf=qF7gJ8omQb{V zdYY;6E*;FLBgWH9aw-=u+(eR9-p*^h70y_FX8=Gv7=P;zS$k_2^dIO&$fdsE`?R&G zqS~ee8+&Ds&&sqL1USVQ89o5mjY&R@mhEa%>mIzU5Q8(MN!M26RomoHG+x9|q#v8u z5Ja%O>L<)8!bCNiP@Yx>5gRhG+Ok*nlP!|Qew5d*d{=v#v}0tbcK8SukmC?-rl(;?&}uErzXQ9&tMwlkfW6;uN_$k zDXMag!`;QV?+@NaQLN|}% zC3QVHP*xB?fiqW>)XZ=kL?;i~*ZbAz-vzVU2jbR6S{feIJ!P$Z!!t4%C#KwZJ(_Ku ztJ$A4)a^(FpB{z`h;=T~+Sx z{r&`V{Aa0(Tvq+cGOE{`HRsMCnUVJ8Uc6CnPYvK$AzYYrcZa-~umk*Yt9Cul!q2oA zfyxeC6iPfs?02nb{@$nzM%bX!vH6&)a3N!$Q2#pk(-k*&Lg%SOGaH;qNs3KHjX-qT z!0_r9TFWCU?MV|bEDRXpKz>qb6eli!}no(k3lGIVFz;^K7xKWa!*kp zE=kO; zq6-y0?OSp_Y_@xt?xi{$2%0kdiYJDt3-e zj}?;(YMRanr}l#8?wAoN1Cjw!>uFs{;@M*}$L;{cK&|`ma5NN!onf=vg`CQ*Ii>K! z#NGz2LC!oEUt32l6RRN_B96N3A0P|g{jk~l`k+_)XR%VxgJkF^?Q1p z4yWdBBbr~PrvNzh*C-PAO_SbVte@vwe=vYj3l*jVmlu&)Z0CDFmAwoU^qZS5H4uQW zarxC=_{(1LjOE$MKenbIKY<7`>i z!>rMKfg3G8TbhP6hD%F5fezsV;Y}TPrAzw@vv2BWnRH}d>;^YDLjs3tb8zxNY9MpT z#vr~r>KBs+_Lz51NwENmvEvpA{1tb~i6+ytegLEd593Owz3e@(j|h0{D;IF$H^ z3J~RDuJ?wuI@aix5kGFev%?V_ef}D%L#G^W))!7rWY5|ceq)Xfys6C&Rb@=(kmOI8 ziN-ubL29JS-PS0R>luu?YVtB#JeFzjJY_-7RWa5snleUtb6nq|VX?_L5I1a*O%RV@Xm)lj zB=?EPLnA9ZSGy%M#{0riyJWNXdK87pZ5+yMA#l>B3n+bz8wURd%^h*GMI6DlxjY^f zZ&dyzRi#1_d2P&9zeTj__PEc+KY=LWDVxq5RwZ8~u#nYk^1ap}fwbmKrL%~R8~cHe z{hdmoatSNt4dG_0&&FMOEdcF4%*U=w0ZhOTxaCOZ8157ykj}oIG@Yy=7q2TT-i#7t)!f)7wR?JIki(^`F%lAUGP?1&_KH`d`8u5f62_8wq}G8x-Vu=S z^%!1T^|IPTM_M5u8J|bQ?73mq8D0umDfQWk-mAQ1xTYmCz^w=hmh2fk`uuL98|I=- zn&$R?6>)*%U@#{3!ZkO6h6)Z&m4{pZYAio*uHap{bML%pKOnH~bPqsSOfb9qS+(Vq z=4j`!Gl&i(hkJ>5uoTZtY9!D1gt)AtwYs?-nWwY4Mx4p%;-YV!yW00F;%>5pcyb{w z%hH#hcCG;#MT*n$p?KrLQ=!sBDkU;XKsfk=H;Oy6AcKPSDt+rRhyQSN?|X%8JpCjk zK?1ut7*b?g11anM+JuocG)Y^fj#}udyXjJ=IMWY-aU-OS67JlJL%Qv~E79oLh7Z5M zh^7EPAPv8s@B=aJd`-Z5sdCp6r^sN?%IVQ|+Egh^(y~rz$0GQ<6bnV7M#;PJL+4$gyckgRN+)7doEi&oKj_Y_R&O9n?!cSFy5~8vuvD>gA97(utKRaSEmbBj+B8eiiS1Ze=hL+Lw#4b#Csn4bQqv@1i!14` zW(tXZ<%7)t3kHDI@vyrTMa53Ld`fYQ=ED^uT0~xzxluA~ChIv7c)va_z4iX>Mp(Id zekkdYcS`}LitnM z9+k73Bmt|Ky}o2Pu{l(QxNcvtNPJpXJYXfGgNI@HB_q;nhc--RTo{IWJnjar%06Hc=pTsjKT zm*LlFCU-{SQ-xH!v`2Fs-ng@mc#N5nQs{0-;yCb{1cV+Nc4xO(Z=X#^@8#G`$8^aw zP|7-%*)O7H)lXMgu^Z$0k||cLtVJ9wpa_pqJn^!_b7y!!b1p7)L|mdLCk%#1G)n?_|^F>|%IUf9x_JXl(} zC^jW~GM7UY1-OWUu6GFXbmr@m&yG`AqZ#(}{v~B^fTRKIOrFH|7qH@AseOBSwBLr! zOSiAD$*|Jo0OvTFH5dHst&_TZWJ2u&t}ZR6!z#>`(Ht!ZdeO^Rvh^LWt?pBh9%M4h zZF6>hf?3_OyF68omKh(9BDsVgFDO|6U{RCiB$fRs!}HZ`RRHTxd%GQ@IKujGZDlk` z39`%*vxXqQyqi(SyFlMiaC+x6G{IM$bb3Oj&~MTkUx6-D9b`@;=7CUe7ULOqLRN&% z&g_V{uh}Fxh`K_N4Iu*0BaSX$B+$xHvf#Ggw;{UC^c8God#tq9<2jn@M-L^?&4Y2d z=>Ya&5>lo@7>P+Xy+YfI^mXa3a0}tV-QF0jLdLV}j=EDz7}`g~{$*E|UK7(QNSk z->a(~L`Rc_hV@X)2pu;_Cbum&jSS#1%pN25vKN>t#E43Fd2OrYlB|Axm6~Pp?tkaT zj`zcQo;eSNK-9dY1U7y6L?#`p9jx zS3j=GhW|NG{)`o`B3?fkcCv8;(djrX;z`J}6FtECwnEQED^4cq$I*kYlzl)niItr7 zstbU@)c#B6rp1W0lDWQ65}w=v%BR-4hiS3larda zDkh_In6ZR+qEUoyaiZCk0c)aYn7ZC)A0-*wE6o%=Who~!I%L@ipF>AQjYn|8m$-a~ zcdBo>jcesZ-MB%bxVrDM<9qg%9=ud%|Lu$bS-9%FL3O0_Nf{# z5rPnU9c)SN?Lbh*tWD91aBvB77pMJ5y@(XP?{dcc+=F^lvnT38REezid`PQ0k0$j) z)bk=-)=jG5)}F*YQU0k`Ej~Ry32`A}+KCGqs}s-bkO00QKM$OMbVJh`F{$X?rhST= zPMflsWt=8A47pzZje>Qgyz0VGY16RS2?38e%OoeAuJMf!+r~xN9@7ujj_M;EVn&(b z;=TRjm{OuJKG{9;jf>a|ZTso-@9qtfrtrE3T8gOFExI}I;wqU~KT2XFKODd|(%vU; z;K3w{1_XMK#V>$Z!~(b27y zA+@|O6YComH>51Pm%?hd?vRARd=uXNS1Tv!{o7Rf<(B+@(q+p?peH9A8%v%2+B8r+ zCFX|3>qS5sh=IMP5-gA}mE{;1QLvxC?Q2SOc9SRb<(j^GPn7}l$~8#z1jT3?T!Zdd zNk)ImkQB~4aHH`cTh{RwnNTCBg$WT>n!H(J$J-yc(Ra!WNmS}P2057@t#%@~?zTwq z>2zm1xinABzsCOX)uf+@u`MY|S~s_ophiY^Qrp(+rOaJlHwjeEHkvL@%$eSW*C}bw z-ul$oVwsYs_mPSV36@7PiDQ3oeYuEgEu)i@h*znkS2=TSIZuDyn*p(mF<>n&)GF%E zXP|!h?tzntwsENc%2(>Mn?(BSW@ZD-VVWk!=0#nw*)#G=pj)Mj>=7-)03;<{Y4V|` zI>$W00iDKaPg(MY`HID@n-mI{&Hl_(&@;YT-4@ixE?xFSXv0r5hwn=tO%$9O)N-NQ zCTl{YKJWjgUVuhYFzo>&CPT{-hKO~-8h2b1k`)BEeS}POF}()uaXZ#`dc{moh}sar zSE!`Mn}G}?#jW$?k?3sJ;K)SK8|;zGD2I(8 zf==21p-6!~F-i%4x?M<&d&%~Y%|J0MZ6YoDjC>3#zg0Do4QTn7N%T~+>$Yq&*Ef2F(6;p*A z-;cy*);BWNA2Ww(ZwG^7mj~so`v_Z~^hl^LFU@D8uZie5!VtYLqk~iJ7ZdjvOVq3b zN;JFs@ANDE)*Q1T$i$SWg#0>*>7)}$5lV@!*@O01ow{H>LUv95NSuJ3>gybZRa5C= zyl?WE0?~27odakUxs$DUmHeL(8Z_gFL;92_5YKQgDY9|P4I}9-*yDx6Y^h4t* z-rEQ@iO6Y$AIW@hfpXCmUnIH)RuDWru%LE?dzTbA-X4Kqu5aZL?6T`s zrr3H`_U7#p!6)^20a(yk@;SCeCx}opZ@+WLCG+Je=pFb*uGP!r>B%`WN-OdGNaY~h z;(3w+&Yjx1r_i{evF9)xPsZzQAriO1t~S_EX>xwm)7xtz1uec)~eoi%y#&=4UxzXC#jjLE{@|MTK>wMv++bMe5xGkT2tA6wNN(WZ; zVb2Z5v-u}(_wjOnL9TT&SkZFD_f-g|7q@33KuF1>*5`M&8;S&%j{Auyxy;_1q7AS+WIL7B=$ zg`ufa@p+C#D+~v5T$8sVazX5D&3D^@lO9*guvrFJ>0Kv@G;1vQFH2(D(N098;Hj*I zAZdIW&!O}M-)t`jcAl2D7y22(f!rvrcSAH%**(VA37S(`EJJ~}CAE`#b2UiTakd5{ zVt5I4ws74wbtYhAa-jg{4r(U9tq1yY_hlE06AJbgiZJcvo^$2J+L*IyqlX1LR&1uk z*?QrfJuz&)96Is37htb-zlFv`I@&>8`BfI1r+V8!dT$$9#b(o2GZp_vnRg&!Z-V@z z`lrkN=`_7s@genl4EJmLu4U1Ff3zl3fFmH;xh!iz==F+f*}=-8{%W52SKOKKDjpTE zj?}srHki$4S|Q(NJdfnaEPk!;S}VqUI{w&^(1QmE4=UN2%-n%(mLCdEv}do<>$N-d z^~wQ-Mt{WtN7(~j+DAxdIX&!f(vk6p0CD8IvxW3K()gQEPesMpcWI_wC1D&`D zPvkrZ!XTZ5TdH#o)}{k{^D4d`vji|-X`IS`BYoho&erQCHfdYwqTBh!>QRE7-^M>e zSI40?chbRo`v7#Ypi^(24P^Iy7;BcJ!!P-GK0)O+#6NP%A2vqehgyFvc72ivdNO_N zVbp8_u&LK(&M%Uyad~4L|P)aI3Mml$7Z|aIo#9Th`D;}1qGBIRwk1k4l0-{ zMk+(EG2E&o2-RYZkbiro9WN3}u##HfEnVex!%)0X_j={W%5K{^J`dn1nlc{SW8E76 zj~MZB7J3LCWO?sf$FN)TDV5iTXbP+86-QQ{Ob2jRRepw6w8ZI^Bh)YWnlm${)G_g@ zj*d5$DKIZwq(73l;e6ehVn)(TWL|z~<$umO){40K&Q(Ag+f|}1d`?G4?M^dcE%LtH zZR9BusCCNqJ>R;sF$Q4JrMFmsg*l6yQ8oj!6U&YvDp3}&Tg_0YFYVOym->5{Be%s`gE9dx;ar&7A6 z^9wzx{@pryI0Tra-0VRb(Lw4S=}z6B9$32_TY}w4ecUPYQz#T~Kpcy!Ip0_;3DhB_Bk-f{z6=w0N$k^$0NgPXixy_R;1DQ)G% zm2bc(%C=zQn7sRt)p>h&>F6ODlV=8p_565%Ye*AMxxP&o98cqKJ9fHohv1j1an`27 z(ss^a)l;VH{cvSHMePoDDS>h>)e_O)2}&k`%S~n=yjIST+UX24p^l@|YutE=*BMRP z=4#XI@$GYvl(^?jV6fyh_AtO+Go>DYb;+9j#pQj+jxi9=UXp938NRjPFR2L^oGW}c zp~zU;Z82uIruQC$I)-%^E*J^nv*k|E=yKUm*v{8rxSgpxo@V*%g{Q6Q&}2_&Upi^eUa3pu059cAn|GWS`Re|EJqgT zpoDUs6nJvZ3+R=pv?!Hfs}>14^H)?sZX#P$hoV z@OaUq#FA5 zU{?)e117q$WMDD4OBSY(V+Zejw0pblu^MpV1kNfA3ly0TqKtbOmn?39>_ZlV^F^pJ zMe0FOtk|%(p-e>$TmjZh-MfW`)DHH`_q6a!I}29?WY) z$tYY5iN-M4))8g0UeU9~#G<)I*E98+3Dsxwpru`&jz?SmA6Z)iYoZ^J`MYIvd(q;pIHNPNh|oh>#y3rg!tYHrAkTeFfopU0l_aK`DpuQirY1w} z_?*&$?KjYoXvPrBQG#yo%>ovm);*Jo?K7gbt1qJwMlM9@gjnlt$TC$1>JFq+u+^W%v2J3-TvuQg^{ zwpA*&Pv?%oaqO-97zSiLAM~i}5Y!#1^JR3%xYcB~eqnstj=g)$O>&EAOdlZMtjSe8 z9pn=K$tRW~h{idpP<4T0);m+;^&g+U^95@2#SN<5U}|t4o+TYe01v59G=M}$$v03 z=r9m2?4>RC!W8=%(>P+?KXX)q;9o#!wE+%0U%V@ybA3DMPM3K8BNsU|#yBT`^U@@m z?w@$f(~5oMNva@_k+1jU4#F6&-?q^xOhjaDJ0^G- zbg;I4#Yj6z2H%UIY)17P-#YbxU?DNYK-`oR&+;nwa=*Qc7KvxBWc3mX=5yrkC%Uf( zEym7+SCMPRYU*@Nv47GEe?KhaBfLRDjh~25Nh(4(GI9Ye9m29*7;Z^iObmL|hmF&# zDSh*cF*BiglS@q$5M(&;O30cZ8umnm4+=F+xKaBW+i7tykKBszM z>!he>X!soH^T&Cy z5Y%|6Jlwy8&wHPI)V@DenU*)diT&Sy>=6GA3Pl*j*#G;ckit6*($4?0GizNxh-@7$ zgfe9@-^mvG{Zgd(9uGpZx-jN%R6;7$M3kT3(w-qt0(kL$w#NWMyl<& z|NH!x_hY8hIk`EjtJ-`T(hw>O$&F21t_^r{= zlQuow@bmq2^kSK9MU2;7&P`tPGwP?Zcp2@D`4`o*oYn*aNq>2Ne}95c$499xyeS|c zr@Q~pmj8LqlA_OBa5OzIEQ;T=bmfA`-JT6zybck%Y^r2c!6m-r)) zQ-;+S{XZ5d{C}&fcC3i`IeC#OQ31;NgJF#rN#@k(@Wpg=woY~exs@)NS2JccU0pp< zNpayF8L+;40Cb}`lBV81FPQ+g!7rHtx$O|3h|rACllrCdZx#f8CvMQKr7Vs~zLGn$$f`B~NFZ5kn=s+yW%ZI#8H zMEjicr5oSb+1aiGw}+>PY{G*$h0e4p{BL+w4cd+j5l_rdVUpR#&Q5@;O-)BNoh5vt zr<-!^;3(X-nlryHxz6|W?3z7{b|CHrI!j-#ysoCZUtILZg}1o`(qBeUNdtkeIeDqs zFKFCDupVMPooKXv-bj9x=op#7)xbNzFEJ7gNZOrKZRX{(zvQ+%$D-85#|aM&%~2gE zVK~mRBmdhN`V9Y|pq)FjPaT{+iL;{{4&!&|(=%su#|~^A$_K|QbMx{dOO-cvSAS;D zMn<=(`edx?O2mG8)?=Vn`Fmf3k0v@qX@^^DaUs*x&G8WEI0!czRI z633>O9j1y!{maS&AXaMeaVuXdjU2IPa&kPot7p5PV>LIA-xGU8wkSyEOBZMuBP1|y zLb$gJs2S1;(&GQJrJNqkn4)oRr}bygeU?5z_Ko0&#Rnd+OjD7P68KMipc(8P<(V<9 zQGGnvrb|`!70vG*7{J}qKPG0Of1StisoZ4=c~tRyiBC0qI%_hCiP>W8Z19Y)c;4%+ zBqd6*Lt$4Q)!vNtyDJ@&T`QZ-hH(RWaPPoU&l;ML~oh6G%ipAHL=biY)ga$JJ z^0jh-rH5Lj2`2bDPAyz2ytO;#46ULV?C<&p%wVI{UK|PZ4ZpId{Hgitb&JMS&xD|l zV4*;ATs!3?rEJBrOH!-+Wu&MKUI2(ROSO5OCE)r*e03e;?MQ-&I-cu%QdkU?Qp#NY zTX}i;z4;oUxPxQ07q~Xs+*`jng}4bl7M7lxft4GW88U`UACon!Ry~Pk} zM+gQ)R-A?ouV>zvS<*hidI-00G;6cy%*UBI-QYVx_0n8N2nyV>5e@ zaJppFm5brIhd~p;GTTg0*Onxl-7-F++Xpyu^9{~etoD?AG@Ehpzb;8i8u8v6aGbH6 zw^A>vSD6iup}*Tru3!KDV${?e;2dfcsRF<2_M4v(MWbM*x;z*6z*A z_;4X#+ec?f2Y2l~4Bkn=%8*#;2xV91d+h1G)oGK6QvcjwXZV$fI&`Pi^$8b_%B(pg zu6>s7LKGBJ|HUdmSPy6^wl_g8ODW9wYxLuSRBG>Htb|_XtliVTl02&fltgS-_Xxa} z882#~1hd}Bs&WqEh!a;`Ose17&W(Bu%irUK;)4$ll7Sed33#7qOcdQ{siyqdX!YA%Ycd#3O`b6}v7ARBI?)ZX` zm2tCk;?{YlKyAK&3a3eCLX4I)CxbckcM9@}yzZ}wMiZlQEoUs2g4@ba!uH!9=2T=f zPt}Yp9yhG8XDS`86_<*pIz~VDJ~Mb5?+=NaSf}cZ%n*GdSe1FApsRPYK-!sTb}5NL z@J`_p3zo#lyDsj{Bfl8GSI$nU!w8IcYR|AmtAAR2UF+c)CT*E4$Jg%DKoh}is;5Jk zCem_{-HMN3pKW!7`*_-IJcsF>D53NV)o%Yi)fV@MxjMokikq#!KH zAvEn(?a~ayGDx1ZzMJ=DeNU@Wbp$je^}anK+hxyD5(t6~D_c@(ViO+y_8I;^nW?=lYp+|6ls zJFv;eFOXIIwx?QmCWRS-eASwJ+C(<=WHDa!qZ861azwnSyNqeDs1)z#ta#)h75W}QUjY}zfbB|tqYW6 z>8r=+u1_$)rSOiic6w~zVvc%tZ553U{s6}i7?2k@Y@?ozu!sMec7_M25 zc<^T<*kZM24pMsC*bJNKb%M&BuLN@aQW3=7s~Ns02wutAc_f-^HefEjRwg6QT|G3B z?9HP~s5*Fc30n@mv@$>T_IRcuI~=HUc<#RiBC5;cP`rdXsrUF?hi2QsqlANh;1hZgu4*lBaUjo7RC90v~ZHdN8&z^%a>K7LA` z=Wd{}qBEMj4%4FmyT0L(Z9RccQhB;Ta^-Ghv+gS%MiC7NdoZ8gBO@oTFy6ATa$_@4 zK7n~DON4j89yy*c3oziW!|zU7CYo$DRB<|5^bg~Ym22Tv$XwJ^hv{OpRAG#4_!aS+ z1xODcmHSdTt(@ zqeIgLq-3$6&?;Kq4?{zlCFABFu$i9GFo)6ua-jqnJO-1}CvmhFedN*!Grrma6n@Se zRNpF>3Jt0dB-S3QU_KjT6AH)=6JHi6q_wrGgBC)bX$h8o8Mfzb`Cpk>?eTFl{3LszP%IsCFc%S3sLh;*V)_`&?OWWIqLqe zCbNgGxRJIFt~106-v=BA86Pb1zud*?^BPU=XmDL`!S#d@_Dd>Nf&CIvZ)o5^^Kwz1 ze`QGUQ39m_KwtJ$6m{oKkaids?qTou*I~DwHy%#C%EaZP54vMxg|7BSR`Zfn`Q9sJ zv5p3uZ1g|4Af9ijsiO%0QCm_7F}QOAZ1ZMalX( z7Q)<}7<%coQ?-?1suGWPSI3M`gAdEu{VdWCwa!xo$RP0Y6Eg+v*#nF^iu?1pI=3xQ z0@v!3y&0Wn4Y$MgLMJjvZO%XKUndInhuYtO%0DM}%rPk>yywJHiT&OdZf&IVlTu$D z-FQ6;jW&TDdjnlZN)#6+772$bz6v$qAzINs!IXM*g>trX`#TdN2ie|0ghRr^8y+mD zoX`2DDV)u(HFAAKvbnR1*n)^pFod$JyGJC%?Jkwnow2(|e4F-WYhz6f=1334)MdE( z;?qYt!d@BYP-K=@Qm$QE1snzKTu}M}v$L7r2m1SO?A)AK%U9;pLdqQJ%J@GEM}ZDh zNFw&Q3E92-E}|r@Z^_d8^lZkn`OrLso&5VX!GnCABc;6c^N5lmx$@V&jx8eoo$P2g zcIksoYq8q1hcH#-<0Xlb?W41EdWrOKB%GOSmS2@ME-l3zu(j5i(rpcwZVcZ>hMSnY z2bGtqAxTeTM4x#+7lxtCM$%TnN+ZvfXB8lyxs0QQOR`8r>n`#01G0E;=FRYtXl>%ai%;VoD5tUSm}>_vG=a+3{8( zmd;Y`kF2}6^sxt%<<-I6y@Cl`#cc41hc6byvv3)1wqhe`d@?CQhIv=Ty~ZK@f;h6i z10n>F&!DzR*ZAV%i>jid+A^V1|U$Twri;7?;cs$I)sgX@Zk zN|Kzjo-$Ak-llKdmmK)1E9t57p%_^|`5qtPMtyMe8Eu2pn_b{S+?xxn4CBwSPriY} zUm&QPRX;Pc<>A+<^IuE%5RDwupGO9bE&#|80Yw@341X@O{9Ji!_X*M1I?2zJjD;>z zBeNpUu;$njhwALn@fs>FTwAe3b%FJSnUp-PT=>)RfvCeSot^^gr_c@Ko)<;-7<%ou z8=qEVCF9?Ph*M;IRSSM_%@PXz+Rnw-qUEGM~XcrBjFR6_cVJv8Hpa zYu*k;#6y8=vP)`^oI#6DF|w;*Rc}>{Ze3nndrpu8ZrIB3NRjZ8M0L~5FnQ=QD11Ur z;X<7jLIJycXp)YW7Pg@F0w+afs$CY$R+3G_0jV>7N#^kJ!2dpAJMcW zVP(ZHwix$M2M(@KQ#iR}`AUP1G&sb+jIR^D{}xzf8yw)nQ)m6Nv^?LhjR%N&cAI!V z?n_6^{I;cqvh;c;hqCuWv{g`BAgP-pbscFGmE2TF*Dg;=gUy?^4_j1Q8}0s*98^lB z_(74xnk}{nc*Zi+%AW#LW1+?6Iy9Rxq+;WXfVrcq>j11jsQ5fV5szhp@q9`7=5 zv^PhQA795}<1k5LrKXf&Rik&fSm9sC6Om!G*SnH)Q%wQA#tA8=GBI+I|C)5R-$Aza zjy$u%*~8O3@T>iSS;+7&Zrr#mn10BMRBs_HnYmpJEk+S`jXQswt?0?UF4f|dQPre= zojZVb3MHy)|BIf>QyUJ%MMt}X^;cT3GDu5J8na}3UdGlE0T7I(+eH$Lu=D8#` zeP0QU<6kwOON;=rKM)6Jq~tgbQYQahdX|>Z(X5hS@RU%nhzr5afBb$|-O{L!TBBHHaO8)nfVgvOb)i52O?`90EW{Tm| zsYq?9bUr0L|7#)!=c+gw_atUqF;r`4=;Y4wSfvq|lYFXleEn7dga41Zw+yRl>)wZz zR8r{%>F(~3P5}Yw?(RmUySp2tyK_^U?(Xi8?suc-JjdV1|Ht>b{NiG+xz?U@tTFF# zkJ2Xwk%;UZz{44L9*#du2toU6B@|ZO?iYMFr?N@Wr#Lm`EXnR`Og+oxtPiQ-l0}l#bQ+^n35 zg|=7K*H^PFb4u#8SS7R|33uFjGv_$yD>7SBq*c(f$;LW9yN)L&Vx&X2bO6Ucs;Q|B z@ou1*yof{RMR}pnKg;R0+}K%*z1!I_%oUH5SSfxfB!&J%TewSu1%a|U#eS;PQe>Ji zbHZV?k=7HlplvEFf%uR%F%t=M^AZy_)javE$wRHxh?{Bi_WO_hw=Z5dt0F_AE=!Ai zj!*55?Uy#^O z;}gHOcGmD9+U=#kI?;>gh8-e%aK6cvP$`vwoW3fun;c^=gYTxL2L9>OIy(nfTbr4H zit#(uv`=MT=NS)-D_U1u^M{XeRc{8Ad8S3|Hd^pWLbg3UPRQUlkYzX@b~8{YRbyj} zXutea(UeJVkqMfBWC&@WseYL4puyfhD&<>02=bEXzkr6ISn5yjJ#o-mr^~QCuj9*; zK<#{FTCt#G<&G>KtwjNXO2`y@E)OTN_W%wX z3QZp-&IpG)*X&I^_oxg-jOz2$2+h{k@a*469+UKp-wZ!q`uscqZ}S+CA#RDc+Dj7B z#Y~ZY?$FHC7m;rs6TUSXjkay{4v^rrDs&JXSK;ay)<{N#IniPd)@Q7J>Q57Ew)7?i zBK=%8pjFeVNd9p$3xcPuBN~|!ik0FnqL0)MToCUW7_4A=&q{I8#Dz$QwpDfqN&yYwoa1pBR{*_NDtxQKu&~-We&)~wiewr1~KjV}*9GfM+CsNdx%`+i6!YLS0~V z0ee_6%4Ww*m`XFJ-Q$))D${O(Md=Tz%QT1)j=k|53S`kyqgX4il4qn2G${<3G)p0| zO>M{n^80Yj?ufhP2KyV1ykeGYT}x=RvZt8vQp)qia_q*v8zi*=#Tt|O4`hc8JPQhL zv(?TwBtNIE1oD;nSq=Fo>!xcVJkJ4&?%hBbL|-8= zwVGVoG^e>S;1p);r=Vv% z-W5RlDHQz+)PmCizpEQbbG_x(Kn?+pf>EBvqzP5EM5*L!Qa-6hHjw*WiAujF(T&U#fe8vs9JLyt=Kw2<&V4 z3GR%Sm7|vso?FePcN!n2?up?mluTV?Chv15x_dh*>$h4f>03mzKhw%XVX-l@98(Os zX@Gw^`vgNVYe>r}6+wEi%5mB?J)qcnFg9f7%4=h41U{EaA;Ekk9%rE{{D_Z*Fh*#J zC0hu;`h1LKitgzwVr;TS8k>>QN5z5g`*m#_*>w-kOh!beQklxm={Z32BAULGwW;BNi z;huvyGiMwmKZS)DxXB-GE_QT!NUNO(6S7o;l8WMh7aq{v~~5m$Q71vnhrwvy;SCuxW?lLVU6nrkwq zl}vM5n+>WTN!I6ztlJM^FopYrL)lmWs3(;7#L{cf;BXrw*K=GiW`~C$H#Y$ldg>S_ z$1Hf|Q2;SvdXIvqflzM;Ohy|-z>%waK%Z%C~SCjp$mV ztV`^6D2wL8(gN185p;YHaC-N*=k~Z;em<;$&zejaEQ9C?w-)2lu!eFC-w?ZGtaM*E zyg0890ZH(7{g(>Ztiu^Ub_wYGL(>L7XCS~`YxgPd2KKm2%L^2C1GsU%-HnkoA6j8C^J{<2ty$;(W)g-Lzf~@ z*dB4um`;+0C5>rRB?CjGBb&%U2$RS)irlqsLc|vMS;!T-`kWZ0QQX?LvQdOwv~+BQ zldfen)jKGKGZ);qdtJ>%z!HaZYRAk-get<=U&@zv$( zE1|Q}C5p@>Yq+>r^X^kQ63X7+;>vq46L}=i>l-_v4JC`#G-87{O&M%8K-ya<_=_Kw zF^pG}M9@9iB>bYIQi;lXKUUBA(Lew<1bC6ZLR6`|`v+-?n zMq>-MCI4xF{d9!8xgmn+6J|e#GlauPvLZ#Kw+}X2*2q`vX&_6(?6G*KVth#oPY@W5 zCuxG+5}vvKmd8vH5~H&hCVd-cvu(Yn)H%GOQt#{-%{z>n;IU;yQpD~f z)CYZSS~Xt`H-DX`G#;w_xNkh#wi^^|#W2}oQiAOslV=XgDZQgcB+r95}U zaLraoyx>~a*$D8GotEO1DkQ=N9BZw~;00A_YjU!G_f*Q^mKT ziKyuQr>T4c<$Yy376v`XYV{aAh7g-%!}>>O0_5WiD@NQJBJe#N&$GP|boguP_DW!~ z$N8W4&3(C0*Zc2TE-@zpC~`zL_6^_wc8PnF=ioZd4EOF1A~0?%iCe8iYg2+Op|+G zL?t|_#;7~R-qH%46L_h&6)YKgq;cZ_95|#u@=9|d3u{NBlU^&GENRFlaN2qw&aJR! zYUVGK)5R)j1N4&z($pb!YXBGuA;DPZG{1J9NaP8Rf;pQn)3yO9K2;Y zRMx$-iZE6fxpPSR+|kPS&2B!lWt@!ta*kiZ%&w;Q*^pe&=aKUoB*hwekGE;7fOB#u z)%d%Ut49lU`Xp|LW?R!^FjM<|Kv@z|;hYIZk_NSlvm-uNdcmisYVd~HLxE03rIHj> ze1DA<-*pP?GNu+ai_0$pmpJX|LCaM1o}%s;p7u$=fX%M6DrCxg7AjGxekOlfUa1TT z6Dcl0KK)TbG=hOVgVVTaHp&djLl#(E`{<9+%z3yZ_77@8#6GP%4DQ)vGw1DTE?jUo zSoQuUM9n&QxSz|#)e<=~u>eN+diF0(B^q_1ivp&$+f;%+rUrpti=c{!vC=nZC#o?a zZc5dUv3&b!r3~>jJ#z+GR;W&sBi5KHhmWo-(NouGd$pD1>UNXWN|tCP3qf67KgNu1 ziY6T2Kq~x9Y<7mH%)?zxppb<`gl)Q`CJ|-Tb4l<o{lI`EGCf=p{e3!)A{Eu zpBkE79NpO~0i&mw->O=)s#~^dtaSh z!VS)1$IAf~w2W_7QAI0iYBIHavWFI2-ts6p*Od(wek8)!V@d4P3o}4U!`NuOq+Kv^6in1+{lfr>JAm(n!%-C!(3S(2&!rS>tRA*5_t=xFwah(~{TE+uH0eE;km!{Sr}4 zB+jYBsqy%J1gEvyI8|<~`9osBOo@8fvJ`n9pyB)XF;2O?8xZ3YDQV~~Y<~|ZH}&7_ zs)(*qQg(@MB6MgU{VszYBBK)&=kh4~2?WG?>09icQMeBr@~yGB;-$|?tR~-DU!ya- zV9QaaFopDnW!lc_=sPMgS{+#rIAQeT7aJwDMDpyhD}!C-(kcc$vPP`H0{B#xw`>kIijrm6ak3s%I(pay3~UX~YEvji1g9bu%FQR>UI+Hj+~fC7jh~xN zuITNpVn(jASODu1P4D}82L+6>m=g{o_&ejTE8wj%VZGWT<1CZnUw-oB@ubc*X%iMv zIp%6(F_oC(ju+{v(CbmwF4P*XJZgkqodhF+e;lu5pPSE|G-Y7&(pY{3IZX%W|FEK3 z>I7f9Dk`P2Z^lUU2V$W%@W&718wof{@sX0UxLIKG3oC+T6~$43HX2@EGlmzt|ed0*>9DFAo-dR?(yj#8U8V zbeso14>%l(_K#m3wUp*76pK(NHb)BxHR)VrC9l^z`D^*3=OP>Txt(iCkt)o+G@ zhAx9Q%OxRQeStkp5dI;CCXVH16yI=reQ`_bwBy*Q67Fa@SU9FnH-Uo zgsuiAbEVw(J=G0sUc1y6b?KzahUk`jL0#3dZk}2^u=N>Da?EKYM4}N!dvbJ>BWHzL zv<%s^DQW8(RE9P}n<6n29N!!mk~@bt9R0l-vvZZFrKD0Te++SOJG;K%)v7v?I4#^F z)??NTVKG4!r;<<{;B=O$jpx=YL<@c#W)e0G=HT{qhbK>?A@M{_q&1B|ER3!bya!(7_`vXUHBJo-!H8V+KqStdy& zO&s0f+##vkKY)Vb@GKBF0Sp*T3CZ^O19PgLWwT|IkKYImWTRtT&y1XH4hAIEUO?fd zOzU3%(vZTPze-D6|7aIJ-Y$-3SjMGmdb4u;zMP zLoP~b#87eSit%m9yzz=0WwZ^Kty9fu?J?vWc~BtmixpMA zl9^OBI}?GD=QvBd!?@TRtJr0*<&^)%0`z*ex?-;CK`}{EKmVfg z)EhpV8fH5`k%J6dfujm(u)$u{`l&LU;_$)iQ<_MarcQWIG46HyrFi*dw)|m5ZIBk< z3w?xXEf%cg;EUIyV2+*C(aV$P+0Uf8M2w-*60H~3t>c}SgP%cR!a8_29-;+I+J^ZZ zx4hwB4#m%vUTU#eIAc}55xet{+20M={G*;V3B-NZ=|&?Pc${sYm_fojoc(;+XrH>uBK-@CMy4DUCN6)l#Mb>|g4CK7Xg zoG^LK^4!;#U5f7xivM{4VdN61+$Y%$X6*Cdi5X{21iFJrB{%po?3)J`-Ml zhsMgHMbbY4?QOIF4ve-%2L;hC8Oh!M@vr`2f6ss*e+FNYjLhHhx?(4x^s?81&Cu{+`6{4`K$X3 zDAO?{B@Uy8J&Er}IPajv`MYTIYAAoU-+E-lyD3w63i&zhM^ORI*Xhn^-tS#ODOQ>? zW6>0;r+twie2&l8>IF3thzx~5B7qa_>qh#B8W!UNDrgL`u3v+fTMW7_<4cD&{RiY6 z!P4=K_=$Zc&2O}STz6-UuQx$M_^)Xjg)}za?H&}U|8|&0=Y41R01X)swJ`jR6*_tw zPND#`nr)7+rnKyn7HAeszem+GGc7(wUQmS!hp^4?v;~3v}1h)LStpme94M$#^ zlnYRW^Lm8<_?}oE!xPxPjLAAPkE!)iKGo$s+SL{zX=Q&+8LZG*uaU~s1lUC)Tnw&jN zC(K=t@aK)8% zJ<$1;nhO;e6O)ouWeAOlTQc4UF)mYeXus950%V&C#*A=#uH#c#$z0P%Wo(jBx}(h5 ziAClS>x9TIo_%?W2oouv#p#@binv(2dN&>sX>+)p`1qPqJPk_qx}%!HHkV~ka)hqbirYl;-Y z7^t-T)*I-wmRe(hW(d0Rlyr8aa9txCPXV6l3$1cpXI@Q1xeOm~>mYNbHWt&pFk3+h z5)){*KXfo2>5j8*eyNq+Qw=#%w3F@94qNnU&&c1+Lp~U6C3?h0SC%{1Q~ec&+#YXj#j3u?#-E zN>33#q2Ib!878YM7V{V8l2w22C+w=Dn&>-lY&-L9asQ&r}Jbx~v5Uh&S#lTvWB z3klHqs`93wj5k}o=+x!vawo8Z4CnR<1ucC4wn$LCWEkZ$1n)*KEO?Kt(a!TU6E|F_ zrw5%56E^e!3RR#CYUjD0*BLQAScJRZEw8L23Jgub3%m651_^x#{O;}iVEzMa-*WF9 z|4CP#*s=C``KRsQVFhPSAU$qi@v2n$Cw>cA1!GX|AR*6d1cdh}8G!*(#;AN5@$29W zwb$kA8YJeu`M%`}xRfc1U~8HO6(J_A|q3iLccnLJG{su$#vK%IibFmU_n2yMaVs$`V-TFC2?Ht5&h_Cj2`f>%~n ze(ot0J3gRp?pmFD9JB^~e$f%2V?u|>+lGypkP<3Q#;U2nYH83uVYU6vYEuil-H>}{ z+RJM%)fex^k?ZBuRqMj$MgNW^LStr;uYDHDGZ9o2fmjC~2Xr!^u zoc8y?esWOK2ZOd48taasAv?#Mj*d<`^*vSE-zekO>2rWf`~=TW zUGMPIN~aIr!65)TSI|I-ATNbqP5uqv_$@_}??K=>JTzFOcrwNDTg;+lIosL`V_;2@ zJZZ{@jHS@L_E)+5^Dk2IRXQKq-*pX7V>0D27KL8q+P4XhxkG8>3>iIdof0Y~Av<^W- z$RYOMsOaL?$+p^<%wYhWJQU{JLiRuh9m)3p5Ea3vSLl^V%msM=jng*tKm0`O^@LF}KjZar{cBB8UGqrdcQS6!EX7L=Rq}#+78WS) z%2_eJ{~G$6$;VeC{fPVM8wBgf&|M50-y1N!uba5Xl_bIgwU$27``OWWS$%4CI@`1} zwEVr(5O%NKjiG&6a!6!CCwp_FJKBnDDP}mFXa7JLbmwh1j~^1Yo6*3tN_a^TE?=Wo z(;T_KtcvewMVlDTv%bjRAdr{*b?I^jiEGwDt%6ca)UMZ}Cj8Hg(2Hg&$ZC0v7z#B% z!8NHQE0_E4PNbnonT3H0aahr3c6=Am@fXCF+9c&ISz?DZW7?#xe4D0Z1e0r+|MJo> zTj0N*S%7|~=^oC|iuJvde{7O#NTmwbYBefXTF1Yr4~l2tHXsTEl>DeeJ`{`L1x3HI zczZ0W+8XXFwY)tv4Zvzz45 zv-(g8?(SWd1d(CHNk?ECk8?>K-~+DIb=5G&c;1ZY@J>OzI0R4Q_nTmfjUMrAB@`Wi*q7m`1Qfv2}FROqdvOuS5`S8-@`W_CI? z(3Rdl4-HYko?YRJos}{TsoK3ULU;QisJl0n15GDewrg+?GesGlG})|NahDuzlU_O& zz^gy^18|FAZnjVu|0g0Aq+wt6@5Ac{%2y}VHAmCFX|~sT!m(&{VxSqyY zt$zr0a+287Qe33Mm`fQaG1Fmmr8J=Lq&K}_a0|8C}f|{7UiQ6YvpaUchFOE z7QENUXj^e2^GpoN4h%wB#^}Wq>h1Uy$3=uF<4-eq!gO_mIlA4%x%N*_{!)4aTi#MQ zM?%$a0l*W}!Hbl>q}mtA^xCDQs@V(%4N4}vCFX4E*vq3u^p|Qkc8uttvgr#F=Ox?B z|GpDcX^Hf75O33fog& zb%n%A8~Kczt~3Af<8RKK(e@*C`Hk-GH>^VF<^`_azI=H1tG??Q9<%FF9AQNkRBF(a zUyH@Fj*1#>v}qoQmi9HuA-p3-#=IUymY8z8-WX>KR*v2gX%4p=WzM3wy9d}g4yqH{ zO=XK{D&K?3C?#6jpECWpOk(OgzC2*z4y)2zNp!ru9WtC7E0a>G@HzOVm!*x2cbqJI za^DJ!nK@BYn`Hc7>k|+LuXxo@5g>5ppd6q)sET4bmYk+sQ-U)S&DE#Gv|AF5y*OK8 zI?K9L(zOXV^Hf(L2fcr^VXOsLics@Tg^?>hZGqK5W|OccQKFhk_G6&D_oy=Ixgj2? zfC_&sbn5{M$>rTwf9m^~eW8U!Q@=1e19y*$y1dB>ikU<}aRR+{EFyycUIRUM9eR5D zCdLjIjOd}V!x#+p(69=t2N>i4%BDTP1lG<>#l9|F#7KIV(bOAr-Zp*C&Jaq(Dp!sOVYP~N2oMwaHy)N(Mc9XS3h*gVxce-J5d<+skL6l=;H zdPQZVi)|AF1!|DSYXmoQK;R#qI#}a3X;UTUO!>&h1>hYlr@wI+K5N#w)sBVcIYjBn z4AN~FRry)BFOqKWc(mM*OpThXz+KFg6+z4BId3(WKR8+;Gd)(6v&ZC&rH~J2u-F3Z z)-UB>j>cQ!bxJ%ukOG}hfs1|hpuqXB3)csdZ;fd9B9euEn)_i+REpSYW&CZ#iz&V; z`wV#|a~uQnNc?KAdC3&ZG#i#==G8%3e|eMytc9AvLjQDd$p#HM_e*t z2dHwUia5N^k#3`cHiK(2wJ;==tjd|;F!~SAlT(FXaIs;*MXyh~D3ncL^c|lIZ3a94 zJC@H%U(fL88W0>6dMPqM5;uaFK>i!`_`X7+@6o>NzSOuJf1Uo(?XO}hOA{kTnVO+W z8l`wo_w;|_GZSC`UY;!_SWe~_=Fo+*P5$?^`V^pc7vPhm21r0#8p&6K{Lj()c`XML zgcBr_xWCqx%MrZ@a+bcK**)njlKj&b)-?3uPQWOFxJ}VW4FBq_eJ~_D$E)(qAy^wlEy{ zmoS31J5ug#m{NcQYDkU;jQrdJ@g*~8J&ReezeX;_bI-peQfheWW3e{_9T!N$-fg>8U~AfPSeM+kY#! zR*dY7i6YT7MS;vrTZAd|A?E+QR-`&aH2-g+rnM7PAPv;lAjkPC_k+*d4g3*MlB66Z z-(x01scM*#RmV~nm|b;*+d%(rV)xj0vO;PN@lEq5??FttzMl-49TNl5%0$l2H>^d= zJQb`l0TJ%u9Fb<=MWj~_pMX~<9j>uxabZ&ds zw|(`0%AUhX_zx`&L5#BIbEt4Hgh2W9={eiSYD6$j{A_tpv&%8EkJvGWt?g>|aG;Kb z(G^UesNWr}xk-~fr>4~&vw1neCCqlvABx9C=c1~qjN*o!*0l;;)8QxIuhJ)r(^Dr1 zdxx;rxrwea&$YRp{&rL3aDej_|6HB`>mZ>m76|bK^+*-Rl&;| z2vwUrX4q|h5POdR2}O&iKAK6gJJ;rl)QbJJ;O6n`+6xL3wy3S)pgznQrvseR>9T0v z*GP^OXqh@RjHxf&2=Y4Rq3cmz?@SmCNNVk16f(59&xr`Ap>E9QozJPiQ-5R1?&j}^ z3E)PA>m!kdV$2I_E=^-4{lSHZm!*&x)5C-9IJ2X*sG4y8*Cx7wiPuXBVh?wZx21AA zg)7cq=w`hK&?ySU9n?BouRD!sH3>hvuYSBgqLrvWy8MMDv3_aels5*snk$u~gL7-a zQ@3L!0e|TVB4RNyYNU=o}UL z2@gGO*5Fo!h96^JtPSy|bHp1;wEIi#FGoJy*KASC{g4S8oGkg~gjHh}!MX;OGAdf_ zu}^;Ou5EO?6BXxd0i!!u($=EUpyMu6=huj-fu+de|ymJd!l zTCX>FyS3vn3R>#B0^zWYBaQad30!v*RZ5ytY~~#GnCm$+@H>NDVb-#=u;bO(^!|sx z49Ye%Z{iB3M=w)KH}t$P5zXI0F47Fjl+Ag(m`%A|>lwvg05|y_hylJZV^MwgEMM6)I8#Fq@ zv#c8$yh-Rw^&9!7MqT!(+z=$zP4lHWyu=WT0|4 z3LcA8D&4_L7wfb2i#Akxtg3&et7qyaBt5q2VWLSmTb~d#%Pg;N`-I#UlnoSe)+t)C z`E|KeC-M3g%>D$b*Px|&)f5b0!alN=XPAsMvz7@&_#LV&wS62tX57@)GrWJ8Q-R#v z8P?BHR^VL8m~AOoV2xaPn$aCcj8?*! zr7V-ek~Mbi)@C^{*kV~2qV|R@-nV+ivQCax-yGAo7=uH%EJhV=>tms?X%6xms}ReC zUrQZMCgNxq$`LuKUen=r@>+0^Iy`@r_T`KFS#LPp=8^iskD&yqo}(M{sbr-poSN2# z1^6?v@A5JkI5i)0W`4f|ZeQMYc4q2$se1n1qWU3wtY@N1#-M5Rei+3cJCvtuBoD9w zu%=O!UF|w~UkV)8K?{S)`*gcb@v}aB6|+n=fdace2H1(zDkJGD5zrd1YySb z>qmRDi9pMXItBK$>H3F}$f*CJC3j>nage$>9VC{qN(mXhDeX5v?>UR}+E~m9H<34l zyT}GqocpRT1BEqoOi{&eR`l;yxdj5+^vD(4uo@W)wmPpuaGEazvyhGCSdAn^Zp=d{ z)gT9UrHAjgsZ3bhSyw5_CJYy}0B5A?_%8z387!B36RBg+yX?-R(c3Yeh9axITSuHe z2aOZ9hi8=c)Q$Y@GjZ&9eH66mk3NQ)$d!#v;cEMGFcW35fmf9T=ZYVYO<(HE4k;B{G1Fp=*U3<|= zEUj`^yO2SF=}FanvbMJ^e9#DGTU)_4)LaGm7R&hTtyWC&eyU>y@}^i0SmK8WrIq9U zj8^BQXjUqcSSc^hO7^SW%`#B`tG*Sf{~L%rkd664^YqPd&`9_suaWbVA=um;csyTn zm`oH1<9-ZW=|xRxZ#?%FK?N>1-<)}2iX_7&^&h0ar@CnPZZuZZ=&*@3Dx`bfpA-UD zgfsp#$N7@bzXVfVx{urA^381Mi3$b5Ru6L7vg`L!1*~6NBmQwo(H%yfDvgF6D-&~X z!JW#r)?E_)A0aRF-g$+4HKfDQ&JZyXDX>~MlnHK%Gfx0JKvwZ zwM?qgE|SX(d*8z+sB^Gt*RHnYiX%9}eP>-4xIVI}{mW2x6oCFk9~e1cf5O!M(2zU& zqqgw}nJ3~qg?+JviQokb(JHT5q!Na+?o$LOJg7)o1tnWhZ-*uYVQ1?%Y*s4*dX|!9 z>Wwy)FJm52F+)vp;eQ>;MjyqhK%BpU{py*pCH^9RyC2#4$z*cOBKk#t9@ykP>#e`A z{@#CB{j7~2=^fzZ5rQ+RLG~m4+3g6+h(>#WT5l=}-7W5U%0`AQ1IJ&D0NW(Ii8V;i zzXlIxwpqL_MXOHd8FM-g&eG1ZS`-xd*Rl}j2lWMPh&!Km=2ldFm!5l{s zt&VgU768z=RZRIMj9=~p+Wv%~gfcTC-uJkrzPnZHfyRG9Hpd?!QY-cde>=ePnV{$$ zIhj<)kQ@1Zr_fj!R-9rJ$-kDRx0Ncv`&e<1)swHhR?p}h26b^XFW2H8)O-3VH@KOu z<{!7~tHo8qk2HrF&lp7443T^FBFJxZMzHg>So^jTY+= ztQ`bjd*hRD;=QM(``0S)rlWhE4`i&~84&P@NxfyVvWi9S&B12D0%Z^c&Bv;P8n^v1 z64r=by@EuYTh%d!^QQWWPYR?pY?eP78{hqjIR{BCDD0g0ga7u7skphcm=kZz z_oM={f&Ixb>7?K`r_)jUuZ{mB%{z8c#J~)YKy2l%??7#IAiq5`S`w3h6kPJ|v$j>n zXHL@P|FHzlY6S0(K&HMgHLzTkztM!qa5y=uTp4lMKTK=&jlt)C1tjjbmBaC${*aN~LW5Y=yZFaj>rbmn_|LmcdB^au_u3Aq>_`ZI>e3Ru!sEpRtoz46NlN9|7x%q@2vDJt+ayh zaDra#AU&Ak7dPC^DtcN!)w9oqaC9f&?YKKrUx^>-2IFNbekap}MS){@&@Zj=xR_BBQG8~N-mXRj85$&qi3H2>7~{E zw2an~4__hM#+&ANXU2w60?%~zkSPjY?j=xkvs{CI&$!@VM+Wq`)i0C@6;c8YuQl7s z(K34N=l6!82fy~c?~#p!(Xj;!99z$mYTw<&&Tz9g`t+Nl0(XDvtt9j9&-@}AGn=cn z{B#)ZS7BYorUc_`V}j^GR_cX|R;$WV+Z>ib7CK;nhOJP ztMBN#jS1HrzK*k-cN7?W+y}3?4XoRe`*%raAfnAdvD(PMxytH_K#x$D{A^Ik)UjHD zq}dBQ#|LUdEs0^ma@TXOf;WChuzv9s7`WFn5?y+i?DLC>ZFnEig2Q}}cTTtX!F94e zeJ-w<&Q`+bqSz&CBn+ht;#;hR((y2H&!JR{3=;*sQj(Ry=LX{Fa zvc_^BB&gKXapXVX;P}eugcpY>ES04Th+50hWAU(aHfvkx_zRSO;#Lh1#Pw@zWvWAy zAnXzh4E_?+HTB%gl~s8IqK@eR?_u9}jsr0rq##rlJ|d&}s+M<<7)YQrVeG)22$r$N z+%j015&{HmtnCR|DRE%cxCjM9pX4?U4g}Rjm_Fd3_-g8ShvdLVQSu;Al&rRpU1A9m zO|f(2^OsM40Dbd#enlRVb|e^=zW%Qwe~1jNthnv-ng+tKE3&v$au8|I@FMA?*-4~{Kx2+N}huc7mt)Ii{XYhCt-#7 zX_)|DA#>HeiUqAn(p)OrGc2%E|p@kX* zb#-|pG`yggR+dB3o1Qu;zMp8)k|9m-7*)nRkdt%tZpKDO#qe1kcSl256UZSYtJRJV zB-d6cBV^A<7o{F_vFCpXP4}EXnAFUlNGN@>UX)H~`ShKo z)&;g8&=sy)fc4lKcCN?(S60g_3^z^Hhr9L`D!KMyVtc8FBKrKzhi;C~l^SN4irn-x zn@~EYd*X@QZq5~^2fDR;r#GPspD*lH<41<(-Yz>^rp1}lTCYvon4*7n)SuM9%AkRHx+t8=-^!SecWcBQc*spwxNy;^h~NS zJsZ(}E+BTJqzZqsiP{fQwzfE?w=^`Bd`adQ@4i*Yxs$uL(CF%UqQY$4fIyYp-rPEE zpETT4q(tvO>#WZbD9`pB?j2gKLRB7S@{dRxorgsSDi;z&(cx!T$w)@L1@s@A`ZrR3 z52op>e))>wc?c>qhBf-$Q(J5hf2_M#o4%US&sqAG=qKCW=!^z-MfKEVk$}ZL?VJ?e zY(03BH^&OkU0V)a-OUZX!cE#mBYR)o@jY>e*>WsvRvUk%D^jmUR=YOu z0Sa~w3$@cf)~m$BQA_5D0B$W-IdO(`J{NGtUa3k2UkrYGVkTpHm|-|Rxi(h{xSpK( z!hT$QFVC~tJVmAvB3?s#*jYa5wUcPzkZ)h!UF#v4WIGZhF1>8LR~z}dW@glx1G{+ZGEKxPyMILr*G?O=C!0fgm3V&W z89sb4B0Sp^da9m8{-UOMOz#8EWwg0mMGN0+k^R{f^2&6|=)Qb$o~a5x%kN=ry71jc zSy?%+F@$Tnn_SgxL+aJGkSWI<^VFq))=Cl;#>-=R_h8PI=6T+7wzxwlqv?E9efyfu z7od>(q+zbc)4^qOW3+D4@;kRXIHrdw98GReL$}5CZ&c`5aeQB~+-&w{Ihf181Vm9e zt*x61tt}JP;Jt7)qa(hoRZX`w2*#Dc&eyvrEm>L|NkR>=cW-%1t1yfNsHW#w2d(~6 zhF&QU9DHx(=)YNB7~vw|gO>hS<%xNnuL?F+M2NvY7Ndr!H8E_&$P(O?^6YtcHi9wW zGF~P)Gy61d_QPaWk1?bGG1K#+4RjaBh>}Ej$)$m;l(;*#+nL)+v?BbOk=#u7Wve5Y zvK>j&oG~8vIolJcdAv!8n~1V2OPTng_~9LIHBr>t*`jGZ-Ul}6%rAEXaGI?ty8Fi* zE&T!8vQ?Gt`f8V*h~%^8a1S@shL+{MTc?Z(!Hwoc3OS!*X3a?oicuGL5DYqB=9&j@ z$;)WJ172#$-*;*RH%n$UK-ItL3~A=-p|JE`>!g8@j{KmmR@2aoCN1`TZ{cC_edJht z8-El@>eCFP?TOv#5|5jm;Z7k>3OeE!2^B(o^-TEym!r#zNXDR>R5$~s-)O-5RG|ZA zfOut-1Mp%^7MUlddzQ?_ToU;pJ(>sn8V$B^QKMm<<}lezC2rP^#?qKj#Y)vz>ros) z^kYQ+ZWr@tkzM)j<&!eP8ml|(VSatCYry=G+F=$k{buttnH8HXm@>SI-3GQ)=@fmF%qM9pbC8-sQ>qMM(X%B-oH*nn?5 zl{vN}d^6GpC)-nx3j`d}y)V58X=E{fxpCFsYS6Hy4WUb`0_Av|`?E8!L8;mJY9g3$7l21h*MQez&7BR3;q=17R zOj9RSp=oxU3fY!kb&$7fg+3|GyG-|yL>GD_fc1I=1-CP_I$CU?&I_tkYCRP8uD)W? z>JKy)&yAfT9yolym=7^LB$PAxYQ;_F8Os@x`>NyhB6WNE4bN{J|39X#Ix6aJYriNd zCEXz1HFPT}E#2MS9V61+-O}CNQj$Y=Bi-H1H@^4k{nna4SgbSg+h^C==h@HpiryZq zZTOtYiils(`r{{}4c&8+JVon=os;MSyA|N-NK%1Fh$miO;5HmWvyq6up%9DDqj&4= zzRWuPV|#`kEo7 z7!8FS*7xl0=^l2gtCq6B0Hb4;ZPb6iFPOoX&v<|jmeP2VSTJJ_&@>Zi@D@uYuFiBu z!OsGFggUUP8BTO<{FD`VQjIJW4;@~}AImRCPnV_A4dAP`d~w!Pt>`6NAM0zHuN|~v zfg{qvn`(w0=%VQL;2SLzKJC-ysgLd4PTtIz2o(0Ht$r#+?qqAD-{!pR5i>DyFRFrT zjiyHf3z~^qH2izE>vp5ohoSE!xijY|Fuf-krg$T7qpBLjICP#Fzr5eJL4%N;nY-Ey z^GhD%%Iv6kf-j+JIy-Z@J&~Z|l;|dJdW)bOS0&N%#HzlBl+UW>4+D?{8A1Dj6@1^x1t$VD6D~(b=rmiMyvR&4n#tJmmeY-gmYUcJj+?W z+!}lDYI)0yHx%cUx~_@WNYUHiyC~d!iH3_r<&2L7$`<(U*2Y<%-uTU1lCY*`5*_>T z+oA{`M%NNEMO%Bo6>U0ej;kEmH)f^W3w0FR>m1Xa$5G9uz=Wh7x6%DbQ)?Hyb&7{a zOQbHJgtV7=j17UP>h8AkR3W0^H!hMkR}omtRa5P*wC}KngXJp1vBYbhh6D2Mg?#s@yG4!fuyx8a$2F?ul$*|*an* zveS8*G)wzjy4F+lN`}CrN)%1gx-19J%aMJk#m&Bj+rIKO)6WG0r zzhY7Jp49-JQ7d>)xiVAt6l?bFIC>#EP+AjdF_(|gHLe#VeJ+`XdTVe~OUtckd##90 zL7vyjKKMFVsLY&_#)A>0RQ^IyY7+Wg>S>WMBoRqVHAtFUut2U14T+F7;Qnzi;^un5 z>OvcRp+jy1qJ{!tH|O84%Mv%QO7JJ^JWsjkd!^x&b5pg*EnSGDZbij|knu+BneF0& zGxLW6M2@Q|dQ&d&=ltlIC@l^&zX}}Td zp@C!&+*6&crc;^=zWn;@s)J%MtLgsdAdp^P^Ei>kgw2NojKx~#L-;V4>klvS|G-wX z^rjHs@Kk#cji9XkI^XRtPn}8^$ko_CRt+;+Zg0Wr!tB*j)$d8^q$pX5PlHkFw5Xyz zL{qVH>9xC}v*uvAn*^nbBH24s_ zLg7-cf*#QU7ll^fly7_hpr~89Bsp?AxmG|o{wYC5O^~(H`O~RQ*;r;*#(ctuNk~QE zgS6CjE@+|7OX!n=Wmpo!7^-AuC=&8kU&Dv6oiWVJqI9HZhy4%9b^>HRx9ymq?30td z-5?kT$TeWt?nvK-h{TXeKCT}ZNIxVy)>)E>RV?u0iA0T7mw}m?WKDlQ7ZHpMV?T$v51#aLc4k52MVVw^dI^4_nbzNx6YLl;wBK~Ux zISz?J`A5!gr+OyfO(oIIk3CyLv8;iJn?0zDz;hOPy|kg&uJ;dhg$lmTgo{n->GHj_ z8kK~Qc|4ngWH4V+Wixng`OK=;$X#}|6Bsfu8l?Ig>IQ416T@c^);m3Hoc9JWPXYc? zix>_ETa>jXpn-7eCe{Jz(C~t!73-~^x$6kwVZM$5I~YP@;+JNUfs57~6PxjvjH)Rq zH!jUS2ka8^dg6NtDN`m=aowMSS+50WSK+E%U(gBlX0f|qn;q>LjeM$DOM%pilnzn8 zp5hxuwhUUM(J!z@Okdvj=86mx?8!XZ%Ml6;6r|rd$fbSz27?$&H(B=RSeGhY6n#1P zkWL|=9H`iTm8X=>?Rt+36NafmjDzd`g#KyC*jO&{pE|*a^(ejE`{)OFplkHWliZga zQ5Z$O^o0&5u1~S}Qi+VxVbCZ^5?SX@xxJ!?k;A=7jOYl{#-#E=zt;N$s3QLhaq~mP zs{UqtzdcMLSf5+_0>(*M>OwAk6KU~!2xrqCS+75_Qq6nu6M(+J<`62Y0rRbzPi zd5!=5ulVfw2vEXn`_I`7&cyFPq?enkjYC>&CcUu-g1e7K(uL(M<}DU)HKK_6_UrJK zR$H_A>3II4AiMW4?oA>603<_qUdBd!PL0+}eGPD=m~;xUaWDYzOQe}z>|S41WXd#F zk$zBLHs!mQ@ZjfA&k8cVOBrg?NI`gx_5H^R=!CXKMb8q zObRz8lmPnvRU{E83{>6cCQ9)W1*42Y0n^h_FS#rkW@Md40a4WU@GsbzP zq{=^k7XA+(|9hx1oa%3h1|@inj|yZ^uX$e&&kgDeqzsu9p?iDQMJ4~%ya_P>6((`T zEwZNcPY0QgT6I*V6|cD7FDzg`zcZ2F88-#qt6-2Oq1DcG(f(9EteM$$ z)7j5RCx>#c0-pao$$Ioxta2oS7ADKTd`Vq-XD7WgPd7xbaj5!G;C3>lSb@x$2`#@*ZFd2FLaN4ey9lE z#C|5Y>bm&G9<46J^#?VxKf-e)wA)?7F%RnEs7eq?fx3n#cEG7p-xfEak^$@8o)c;7 zWtSK@dH>LC3d$Y&mN*WV>j##gt%I7Fxz*N7FcX21F^$sR{X~aXnVl(dL)yg$zmRS> z3VoQN^ETBWS!kF*2g6nFIAs!X-a#7e45D@Cv5H=T{mygP&MQx?+3haD{sq={Z{a}v ziVJQ2=!}E7D-xwdd9*1=*?gzhO8J02e)XvE`;+LD@yq-WU#P*f&{YrJX6lNOd~n~V*Q?F( z6P=-W;~kpx*+5g3QZ{dsfABC~uB@upxpE#b#Fg5f{z1pJ+g`GVh9XFQzN1j$X-OT@ zA=o@#N*=&M+%Ug7^B;bX-M5iSfH!})*CZ^|YRT}{n@N#HD@|>PrPyWs8IUhD4!+>} z`EmtSpX!|wh~X7SrZ7r?2p&6y4B4#Da)AQlt*#~Chg-YZpRhl_tpgNxlo<-`B!8+W z;Yf<9OXoIyj@5*Tv%iQD5}_WYVvuxb93?33bFn^hQm=M^b8T{) zu$`g9pQ8mqfg_a<*@FfO*w`BEv;eKBMW#LMK&#|M-2P*SUiYnp$Xyru%`J0@h47E6 zo*u&Eyw?uQ{&aLPrIlkEn_a2Uu3$kb246y?E6i9y8qvZ2?DSkl*#ye-@>P*+#m<2=s0plqUCyrd~^Zi8=6!{?ZF+|TU( zWh+~`d_Dr7l7ZQg#mPFEx$G^9QTzw2lcfeK9Ycv{HP2WYE6%xlBGTXyX?`D+FBQ5z zLDx2eC7A^3b=x$W!J_PTt4V|w==NmY=@ZbY3#~oLSpsbv9T#r3%>f(WCm8M3<#_&U z!VylQ5AqsZnsW>&g`b~Q8BNYEMz|?KqRCMel85<5>7X}?n9s41BdV99`=95D1wLml z_)QeKrE(00dy!Hda@xoqvM9T%4O@IVY+fXv8 z?GDoFixs}X)R`)FxR@z&ny z`oxHSys3iGZpHaLu+ncaUC)W;HeP)yLsL<^i&jsw0 zb>D$G zq!&G|(QiYiCmN)^v~{&}MeclymG+9fnoea-7Xn;GB&toe#hpW^ri;Azww5j3J+BCz zuq(DS64K~y(v@=csj^o2qR&YD+S{vx+if#x5_v)$*ASoPCOwL&g;Y!Bz$gvo6OQa6 z%W9@4mD|R2>V8p?j38@HrwJhPksFB!4l`{9Up=+7qnX^9ru3H|-WltgW3xq`X$@!M zxe=_Om`=x;?6tRp@%#`3m+NWwB+)W$jCe5Ub{n&5E#Ubg8!%|bC-kf86F##-k%{h3ZmNycr*QwD$uDB$e1E#kg_s7a1Q|Fx76*JYgDb}{G~&+v8Xyk;GHH{^rm zti{-~i`D1iP%@fxR&oJVwt9K#+sZ7lT}zvv=}eR(Ns!{LIbcbKXP~fUa>)J|^pGi? z0$lPd={RED-_ukks!c)1!??Jd^ssbJ9gO0bh6mb5c?w`xd(0}oK0XbY9e#{}Nmrsy z#&FtY_*F9LS9qh%@44qp>#=r-^<@VX}R z!_)7MVh$+!&q3=tRA|mGG~{Z8WMnic7V*J`WuXriz@rf6)m^tPkmHX|{t7lB!)sk~X^Dm(xM(tCnvCkz2FTk>b4AL74$AZi zNiF29xr~#MaQGhMY9=;K~*Ljr34IFE5Y4X!4_PO z9O?6;hLF;LcDP>5C!+ND8LDrVvca|Epzs(B-)mj(EK1_Hq3-r+g{y@%b8awR0&R8I zapZY$E)?NP6oI8~{YHK`E!#o`L0YIwk(c?poB8a;>tQ?uP4DaN(Ac7iQv`EZ&6+$} zZ@APsO6cP~o1G>Ps0)$Id;4v4-3e<9W}B1h9m*uO4eDqzq(qKXb#U8^v9tzUyS0lc zPb@J_m$xnmLq;59wAzbkhH`c=+}E->otSER>Tq(3tU4^OGj>K$qM5#w;*5=OEU(bt9nCsN5XS4Z})Udi9 zpF2GPh|H}UlaQvpXgkyHxH{`|d|~D$sV_MQ9a?iAwuJu?@;WxYywCmhN(z&S&y_P- zt&uRE78CO0LDF*vn^}$Vd;Xqd>kYv-tI+2NYpv`c@^+e(IlL+aa@qw$mVRJ}1|xs7 zCFWqJrGc9})xdY6eQklRIHX|AQ^^tG#u?|MzGe?y;|RM#r!rONtlEJ74y_5FHQ1@* zv*~&lX2eAoTK{#*MgCftM*6@h=p5wbSghra+rP6lT2oR`L4*V2lO;dDV7;<4S+7l{OhtR zZI&k;h5?FQ+)|mkP7f|K@L{_{-{N=dHj=WL6gFq7bdrZg)Z*uE5ekOub3oTH%EO5% z#AEnVj>EjQqJ(*?GaU?Bw}{cqrvLRA7? z0&;ZL*k|23W}#%zSYZqK!J6wbyXB{0Yq$#5uSZedwG`>KCz z{odmlYHkd#o3ko*^a}hodZ&}(U6-)GV0h|$*PDjcQNy`oJY(tn!HQ2_Nw!NrBN?+8 zxX&Uaz*H+Qz1gqfa@%}BnvNs29~o7w9a^(}Jcpdfp5sOrWT@79YXu(5e(n_-(qZm3 zdhD;8>(sz3#GL8pk$X?)LB+IMQhmNIoyhOjul3OPHo1zKyfY;#>F$k|S$gYY@fQ*c z>~<4c)Bthl$z}^K{$wW75*yqbx>=*fGu1d=3l@ohFEy4Nt|=njHIG-O;0x z$LoY5B;M(}BJCQSC2uRzU2+DS4~%7@b+npt?4Kl+XI}h(%B-zPvY#7<$24jdqdAnG z-e+`T``{;=$|Mg^xSohyz2jMEH0I~i-8HZrbX0ae8de4OJ6EasqhR2~vbDTr6Gtu5 z-czvm| zt?gb8bRZRD?LoUNO1w&msByO9ByyN^Q`9ZxAFW6h>LFTQ$pFhP*ea%ennnE&%T15^ z50gOq0~*L&<^nAR0Rc7sZV0p3=%Yk}+e!D_$x+R8vAgdTs^zV&Tz6Q{Ov!xeY`QAi z^PuKq1@K3lU?T0wT)dvdjhZg<^YJZOI||<7{^DMRadW}onY9K#5{D_j7bjWnviTdI zVDyC9$ajnJwDg~pf>8J7v7qiFEu|iJr_GfqU>;+F6Wopl=T4+GIE%3kr+h5-(sUlM z&o*@fALCWg_Sqt?4)EC~Drlf}bB)6cu&#^m=XmpspIElOAm#(Jg#DyCG!tp=-GXkQ2w& z;Kk4bY=C>hLD})XY;~^6I*Xjui{E6rDWw}a4|FloaL|08?O@-93;0 z7|JZ3t!5VNMD)-(wUP|dq38TTt&hPpT!q9o&z!aMxC$2_)G>ycJ$<~w5)YZU7FT#+ zY`H60o*;>&+Zb3bX~WazLQHIi&RSld)#xP0ns0MWcUZ$1jxfF$hw>m|A$S45jQw&s zr}uHx6vKA5jLqtW3Z1}CsmBJFkCR!XENIaOKkoY^g(Z&6*b6~&i~S3V0kc2eUW;F5 zTl=Cw9y2w@oQZk7p(qSk(xd4W`dB?^JAJ*~G^nv$A{8o}Hj^|gY?crGeKkHod{)q` zCBSo570}YXfYLy-W<}aETV&301Kr8?)WH!BDc(OZ2#K5`4KbSZN&zzXB_xBKi_0i_ z`@NX+#VZ4#S9zpPbjud&T+!3cB@(J0*^Zu@HVmtFAN;44Pq?!MtbB7F3tX+2PQ&x$ z#wsw5@T!?YRPvVFd5RX_%dNuNXw@tK+rBTi1aMk3)%!diaDoiD~mrhYu%Mnza`Fozzgq$rfVc^-b? z93_%1(RC_LJUgR=Be_&@H9UcC&)zjKgp&@1Ug4=vs=F9bWNc&f31&9?5rSfe-seWy z+f|h&`qBN9cq0R%0;qU*DWpHWDXvd3`~A%uwfP{1g=2X-xRi<6$c#+>k|cpgW`ZP8 zMPAv3R}8}ZJx;0%6WVmEx*;oTJLHTq=pMgyik&1dDxOU@RIJ&8ciP~qj4e3eTH?=h z2$M+Pwq57M7RpX{jSBkGSwRg&PyMB!6LObK3(42W$&|$KRm(nS5vESi&KHH!?}6;E zUde^Q?W4ywcZ-dV&(vie;26Oe8%V=gXVzC0>R#}GNB6&&N4V-~P)-hJGm0ax` z!Q+)vf7J@I<25`ww~R5SE)53Udp25v$j!%EC}TU0P(Y|K&9-0&X_s@~z~xw}q5**r zRso_}cp{Qr(dx?8{n%-Vcjzd|43cbr55ERi$ay<5ZIWPaZT5~*zB``jot1DWq+dIZ zF*gn=+3854`?g^8XfdJBMPj;K`5KYvv8h-*Fn0w0j;JRyqvBvI4K7Q!P=+4W^?qEu zEG$R$=JEdif!5~aSU0?p&AX++lZ5~*Bgb|3E=7cC3OGmFSOvN5iX2*U<>hdsqPhp= zvEw!eB9k9|X;>C^eUt-Uz3sz&&3Ko%y3bym9cQd1XsKmJm%#8`I3|@U+GcTld8PdN z++wzA|4bgvR$~O?*<_#h`k5JmCF^T8SwXD&Q4!sm&E&hbXE2Aafs4OQ1;CIYU?I%yW*xFPmb<-H?Y#=s= zMHLtDB_t^0C_4TYt8C8ujp$W(LCba&AnvdW84GW_($^W!mHMk8#JeP8t$rFp(G%<> z>#01_+j0_)*F+zYCRus${R@}x6mibew~=dG#W}~|dBykW5Ez)D6d7fgST7%pW#Rd>q_ng89PLSv zTvD4H-I^_rH^pxnRIJdf0?`WC_Dht@*!UXV^EeM2suYqP1k)ijK&IA3yqHI<+5F%* zq^>dD%*2@ufi~)izQU%x;izj?>__Mrq z7Dt-a4W&StAjWN5@$6m9XAj)?La#dWFO-i}9v|lh(`nX>=q!YzI#t+K1}gA7upd~8 z0tqyZT&bKc=eHF_LN6)r3kxcj6ci4<$)u)jOB*GAN*xc6}ra-DM)e7%H zoR9D6#~w9ccc>VGCIKq8Ea)S7i3j4JEL8g-GvS{f&j%>W4k~fUA99iEU1#^u79Hld zcf?Ig9!^v^x?VHC=1aX~-9Jfe{UdsO4%dm;tA1;t`+N|{T)ByoLo5D=xgyXk4_0HB`P-eFg zuP=D1hRz33$QI?HI}M=9nBwp6jJfBA?Qyu?Ij7%L4cW)y6KQmLkXv9Z)atAA>0%zs zj2X{EJW(k{uc;E|DTgJC@g%GxrOU?3IOTJzQuJLjCqHjpq@Xki&H0AEY@U%K>jAH! zl+$#$^u}1m7&NVA)@=4!yi;b#kg}JrSYRPtpcAoLjbQ&!HyzeU6}`so9aOAX>P$oK?7lKU0_P5!gTuTq)stR-jx=b?;bi@A$&BlE%Kjduk&!6! zqW^8Fnw#0KCD4{|y(b#Wa>KZ6bBUBh+&Wx8qHH7`5b8L)RPB1?iQWl8bWmA+?hpmC zFnmBiyC8xGdZ&iXE(5%@K9&Oz*hVB=KCrlHwazmID3ALzk-x$l{ zMITkgZBmk_<)ZpXC2BHiw7Mc6)E0_?kMWGCZFAJ7y_L;5<4&}84b0%pdJ6?+ij`Cz zpdgSxAtoxfBKgb}XhB4B$*p_4-;kB+0$0z^UT(zr&d&?pNXTr0d8YFZ)|z~8B`U(| zy3VK^qR=Varl#{f;G8`<>QtFb=SSBF+sr<=y+E_{pSjhm0Oe2OS~XG=F*d@&>=-HNRxgSa$obJ*C5viXJx=v8P|s~TzM(E3cmtO_XSksS#gJWpr) zr%nSDZ)QLti%SCGHHZ_cW36~v=IF(b4DzcuR4`dUmnsOCn8-A0M!qm>qQv8rnD}lg z+X~VZ@te75X$SK7b3)hJ3X9OGp7a$~991jDZ6YJ70@6!NPf*X_83#ww9tI5u;TsDFZ z{OD{{8RFxl{uX|iiM?U=9j5rBp#ETKXf5CwnVJK=72Z4I_st@3g<#*78^lCdRKn) zAvF?djc_H~+Tw;Qkd~YgXH9jJ#t0(=3h5BqF$sw|#_VRwZ@%XV$ z?}mkyWGVnH`b{1#hX-AYVZ|FwO9%jIU34yhitNX?P$|W)f!ki6jNiX)z1#4c#8cW= za!jxq-e{anovFj~;FZa9R2>;UCog3u4p`rXS&)F8u9D!&+7RxmlXzBc!dS&mGL4t8 zJKecYjY@Q+H$lf*_NX<9EQ&*#FIx@Sv6_c$U{m3Z`A$tz$oej;^Tnqr3YYK7k&pM| zS)cn|$wT?M;~6Tblo*34@dU-ENujK>gaX!|ciB8AUA2!@D1K_fM&}ZFc@>HP z#7QLxoAUaziGjf5l;#YD;5#P{HBv%U z;y#`&QWdR8gSs<@V->0-ndiVrYLYniPUL727nxK+ykH4xb6#r13ySWlzz41XwtJzy!{WH%wVd7%_{y@IxAE3w~8hTt@7 zNv0#qX|dhptt2DS^P!OjUZqAI$B~cEgvD$Iiu&iO)a9QkKLUSLx-9N;1fmOpg-NFk zf-3pN_n>+g0F@+N3~R;Z5YFh%n1dn=mL@yKxpCs&S|7E<^mpVZN^C|`@IP#ibGO^2 z@8wROlRXATt8~)r85Tkjwp*w2j+8m8^l~VAuV6XJHC}3dv1RAoyk`dF%St7ES7~l_ zA(fP7FDSl+R*UD#H(T}I7a`s_d_^R9!Rb_?Vy&&ovPGmE3nxdnnxQWm+5KfF2JodE<*9mi$cuPVwB?;@doC*Tm%0)D#>$KC0bEfq zLOPyMG0#y^biVN*DaB+7i^Q{J=8}!O#SF$ZSs3(q6#G6;(5=el#q}_0TI6ESZokMn zzbY%)K6Yl?HEEx_aV2 zECCMFrZJ0)A7{k{F0Qn?YbRe89B5N0?hx>3AE889)>*7Y^2=d* zO~%gf22LWF%Lc{E8K!BRxcn-$Ai?hW#E26EANzGqQ0lui`+IBy*4N~#e%=(pEgotn z{v7?aQFDYM-y6u0tS&X-!cag~cyUce-5i&fFIcU?9}G8ZEw0synWV--aC_RT{hXcc zWE~PlF{S^g1?;j*#=A~>>6u)+^>OpqbA9{?FJnp6$Sdm%ESr@Aii(RH8d*J6aUp0d zp_$ZQzj*Z-aAKgDbdTSzx@{8N#EPb}FDzTuM39b5o6lB-kAa<}jZpO2_gTy8&B2OQ zFEvH(PLYH7BP3qscgtt9&GijxzBBDd7+7dg3I+YIdZX)S-c?Ni)^-u{;p>b~spXUM z?;a>f>Qbw#_j&GI+_F*54PRSC-ET{tnw0okd^0-9_r8=nGQKmFmNh@eKsjFPH&O(6 z7;`y;_n_vIUf&@{d+$9H`S_$cI9Gc)ofe0{PaIZHYF1+8U5ZF%{kWC%)I%YAvknQC zkgnHI<9n(^O&R^Vb?ak6!Q|&0IUi?JoJ<@Y!?Bt1^@l!7)1$Zp_Xpyf?cxLFQLL+? z7t}XCph(8D(GJMX=?X1JAr7i!LKjM2+uQ>PWU0E^;m@f=HCm!%)a;Dse0g7RcZ|Mx zOn?UO;~v`Rzsm+(6D8DL#W^n#nHK`bXSY2MU$orY8y^arT$T?^(Q9+rNfVT3x^ynp0OC%V9$Nx62+99fc0z5yc1rVfyyN|+GygdiETrFX<>e;(g`n&?S?RYidCC;zuGdmE53m5b!_7`5S@*4lBS zh?TNf8A$# z+0Z{P@7^dV>`xU2#^_&j*?qeFrAG?SQ}B1;Ja+Xr0D@#t*X@UUVo=r6VRWOZ?5Ikq z{zCJC7ex%`Umx?2YBd1DTLwVyYX7=3JMy3S*RTCt#7y!vpx2E$=U^V^W~KzUNTz?L;mB>?*P{B* z@B0V|Eff$wUedRhi0=Y|^Zx59$8|o(Y#?T7%l(<*O{Q-HF+~F#0kR8kRj9-&=A}p5 zl*5^xX3sG*fn>tJ6vEw)Fcf%=uYz&#LWy5@BAxnuMP0U_gVs?En3VUGh%}=9atoYC zzWbco$F<~uejAKfT&W|H&WE$>e88gJ`n(ATxs&{(wObj#Pm0oG_89~!s!Jba_vDKA z#(MWzk(KtwRq+b~{{F&q%Kz?(&kzdO7KDWt$|UBnmNtL$uV7gJV=>i8 zKS9hnx4NN)9!@f{>4w_%_gC3p#vvyApVzr8{BO4kQE&|M9W9h8V_~i4_oZxREE)WP zJZhD8Ega}=f8^Lr{TqA>u^1r(;BfBir;jcN=u7P$EM_Bx6urf>TmO#(FAQQbKR9=%z;jY# zxW8rq@m4124o!9iCSN^!-mnub8Cfo(Z}T&={?-5YeofF6cu7!bZZHgX86&B0XCnz9 zqlr~5gLeMz#)mim(H4;mtS_1Tp^fHfqaIg=+^+oNjY|0cV@A4o^IJ__*x$YoG=6ksN;-2vF^{@kC9Gta+6%+ zi%ajq{w(?m-~KyJ8{7BMLfzztn!}>>&6IHsTx@SEFXyxV?}zC^9G1Ktoy4=|8*%cb z2s{M=kBH4nEJy|htoZz^{qMr{kl$XFoQTrk6$mxk>0?fxFsR*%1mP$GgHdV&|9ow? z8}sixOOfq)HTs7<)NdcC2{SvMiTnJ*s#bnY8$~zxmlz~u`}fIVByV=>9`^|_=5-CP zGk_FBgZ4Egp>OXLqC+@bfRHphFP(6P>%4 z{taxy6y-iK>OS5I3g*Di(R3{Ddr$aM;wkGMV<|}n2ry7)a zdn4!>0?r(ZFC7e4vY4s(tsmw^3F6_5I02C|#FFW|~hJ@iirUJCD8bUGWb^Ry+ z6cm@2mm%T}3;ClF|4!fd?JXf(uQw}q?Mm+4t;)1L`X7N$Q7hbc0?{xQe>~Q+#P7Vx z#N=M+cGIn?ZD|lrcA6?>WtEjl>vgq35C7ls4!{NQ)=oYokQ?F{%j6wqjIplk-x z=XQAGRJo$JRqlxL=c)a;=^)s2h`a2Ythv!hD`<5_usPLEar)J5zeQorp1s5G_=o=E zJ){HSw-lp&qu45D>g}REH{V3)>ZbVG;+ZW`BL5Z7J@4;5A#&q68ia3m_hZu0G?9OK z5$aicHHsqpeIWkxBC|i7kyI>r@Jkp%???_Aw&qMr z%4{#sY~oc9>kWbIx_@+OqYEK}-y<%A#|izCECKQfUGqH@c)rY3i~CLp=1#k!E+=$B zN=2+@pw|{T^1HYgBW+YDu*w- zqK6x+!E2YnpF+T34I>%7rn6U`qWe}>4WsoA^1H_{C%J3(`*o+Pn3(s+Cnt~*6`PMY zR*uTzeX(uCj_>{oP?k)?Xzkm32v6QehCQ~nffPSJ>}yoVsSdii zDt;8vZLfExN5JT#W@m_i%x!SiWE_{faK|S6He@|8G>KNB+FKX1Cv}}JRMO8E+Ze=Xa_*usGF4CHS$Y2Gdyu7DgVa(aV&>{H>m5-;YvU+hd|Ler zQzS|5j6V2$g~_?OqT>DBVlt^=S6_WoT3sm}xAN6ldFU?!Bt+XCJlVtv39BdjqlPqU zqN5}urM>sKj3}rI_g~%ls5lU`Gd%F{#f_B{rreTlH6O=~IX4MGXo;FHg=Y-QoqSYY z*3P{Bw4N)z>M~UEse8r+WhMq$KFNhvdy96iJCkUy)8Y9ok7+@H$gce)r~ z3_>NVxXu9#$E$Kx10nrGj)Ef%*aG5)hPCz6v{^=@4VWMWo-9hLkwM2u&C0Xt5cqoh zNJpK4KI1CxE@E;i8Cd@*xFlDNSH9iHMwQBf9J8bg^Lu=JanYH!UBZ#($Ses4*8WkR$!$*VUxAK9T9AJ> zV0sa=<020?T+e%)-!%KMq4M(3URhsfT+tO)ca8GcjrjvZX%BC1h=`^kA0n-%vHN|2 zwLc4vaenHk)5~hygM%wLFc5>-ir9NTBX4v}A?b+EbR~!%7}~!Lc^BmKAPCu=r>z_Q z`%4p=Si4xDVrt%eaS`Ok?B1vX-IeO~V zIX%5~V5DT(B>Fl}mZ3R2e&U%O0YRo?2Y8)l&qbzcH{)JTPO7U9@(f0Oj*R`<>s5x1 z&dQEq3s)QKyBQ0ti%ajH54~t_Gcc}v(8AVo2FK^H;dY+*JR@jWFK+qot5_{Kq?Xr5 z{eh`Yx_Z*s)LP3;d!PJ!x)DeCi^E=ZJuk=-iq%+YuQt+CwrGK`s2*sUO6rZsh)vq- z3Jc~g+&ukh=|(#|tgK?R%UxON;IzGVyrzrHL_r_EB6rDzwXd0!pimc|uFO5}C7wZm ztV2*6;fkMNk;yG0=?=(5UGF%gqseN7tz$yYfB#2}F z=yHS|G@`~*BoFS8`rP(6dlt<7x&s$!a?vfd_Hpm~b69LN{Ikl(-24I8egSD8W(T zv(1S&zAuaV$4c-ao_c?($lv{9V!aKOHa+S~u%v| zFVo>=M9B3To}nc7zvI6T!e_v<&&^%av}PUN3F-kPIsCRcWio0p<;_f^%Og`Sd%Xk47F9P&*OT~GHzx3f=BxBbqSDp2rQeqeO5r#g#qZE+o{4BP&fE#}Se-iENd zWoZGj!D-e9PmZed9wUnTQ;*$aufDH^JA&?dBPgUzAXYEP7(;e&^9%SPUwqfgQ?W}H zXKUF?h>mHLD(ZNBtRa}0M!lVVaf-rw&p{@LCP+4=_x#gp$Z3xouwJF?`%(>2@7zD5 zSg)&3=Sf&8fHp;b>F?22y>O={A>Q5QARDBUtE;Ezrk^Y`oVNjRYlgbrDxMq_*M4R% zm+2CL!QX4#AeH!(&R0SKO*P=zZ6{U*YZ!bT3ZE>6k%Y|mqa3{uGjjRphf4uEv)?BV zzh+W>4~nI)xm}n07x8zNUtZf=_SZ^Q`I;KOC2ro8;R)7xF)lN~#4%_|rX`Q$wsUXy z-C~Kpd`bL)x3$URf@0I^Mv)bX5_%7F~upPuFdba3nxYxLmra!># zeKR_!c$0xPOUB9G*( zZ9k>}@Dplzc}2j!wTu+Eh}X;$D~gm;lNEpKnJ3B9IQhOq{#brujJ#aXW@~S_CFR$q z82D9SvOlQ4T7A5X>-#`ow_XvOud>jnr+{VTJAZ}1NICz>9JQ_bz8pmFFs5GA6bwqL ztu3(#-c*2M&kUundCLFV-*J;x5586n7{t!J$ZTiWGNucb8xR65PL> zbAIRlo}2F~x!7y3J+o|Po@dQ)on>Ys4*58qK8zcJ99_UUSQt zo>2gvRc|@{P6|04+16NO0fIGIoU-t@W$Rikpw!J`+&`s}Mfa(NPfvyVG%LadL6TeA zCVHh~y7-uuQlOjXd%BjZEYAZW|LyJsB2vOALwlKmspb>**gpx2EN6)a?3{*|CZoEn zk(ApTu%Ae@ujM}BmNX#+69IvP%yrgtf&DQOcl!^NIG}`8HyID}i=+)chyC@I(+}Lt zASJzqEqjjY@AGv>ETPP*#P07oMIA^Gr8|001eqhEC_-+)0eac7E&g!stNZ}TqdCxZ{d2Gr! zOrqt)Cvi_wpMa+)PsuynzmiF+CehcwzyKTW}4;^^G(sXd- zVe$RU!MDML6J;#>Ad4QxQ%@{jjnyZVTHYg^2D`rDsoIGWWJmNnz*t?F9Bjs`_q^L8 zby^;!RZj0YKaaRQHVEW<*)^hNeGX0;li&bb0ER0V6LU@_x*zdxZ8BGvZUkAZk8gqg zQ~}ve-3Ol+!+}I9Cno*JMw4{_(Q-|cru$GuUl_8Q#dz0O293M5E%hbEIAD5{IFMr@pTnf-&mb zAesYZ*DR+HvJWX7&y2}4RL>*1yVzvhr;Xj2E3FY|3p{rKa<{ECaf2)Bd8}uD1fj%n ze4q&{LQA+iszh0wyWu2zlP-X;!VQbi3y;l`dMdh_6tE)`Ft>p9rY_wN;hxx26y#ZR z=RBpyG!858NA&O6~#D0afU6* z-DCPjNZ*rLu=%FmQ(*{t?Y_kl6Hemmdh=!cHlZ{=Xz?5>{0Qid>{wThny-eY_TN7 zj;g(^vzw`s2CVsRk-+B5tr`caU!xPJ8{MsQ;?s4;94J^6J0V*%Z`l+r=YNZT6)eA` zgyB-Pvu$uqw}a=deBNF{3qKqqb&;QKHTekDIuH4d|9+gp-`g%<%T9f82ZzP2o9r;6 zv^!vqzxU><_K+!>00#AEIc$cs2y@zAxl@O(OWux}*I_~jY}j_4+EHqDvcc#5Ri4Ky zYr*r-KI^e!&4&liay{-o65GSj-kh)4AXDzT(%MrNyV6;|RE5a=Hx3 z1c%P<9Bi42h?)twjUA49`=iy{dO2@z8r8L)dc$0t1#0~%{g7kxZE0%wnneD+Hh&`7 zPzT_0K3?v`O&(`w+pRYn;I!Xdo^*}Zxh7bSf#(FdWffkcnxaxPB+#QEY0Nhe82(BC zo9T!i+{rHZR1&$kH+mLW= za^FS{-D5gwItN6ws4uQNh8p-l6QfKXm@Z(BUm9ULwK%F6DNE(;jTAa*1 z{vmWn%Z}b0_KHUtFOjAQk3ukmQ9Tu#P&^=iM^ESWim@Bzk}2l+%CTs3szQ8CZ(+Z) z$gQ8ZBnS;+8XQoK%`($@KBFfwHl~1u!B}WJ>DE$_~lj~G=KM}^VhbR z^Cn*{c^%Jw$UXUdP4oIuGqX_r!3&*nY6=}QYUg4h0TsfVbXtM11l!|^Me-anz*F0oVSnP~y;Ud2c$ z0=L-8`xB!h{G$YC7&!RpqlLqyr)#pY9LMAe?Kk3GOV5<9*K?o;(`b_M>2fr95enHq z2$-jE)QQM>;}7Feqr;VR^QvN1HWa&#i!4#AEZrnCA_0XAU+tskSC*X-opjT<% ziA^OAxSUVoq_j36l+E3XGxcccqraS46(N8;t_Bs1_wKp6NkzA+2gxOkZkP_Zv80b!=r@A?$#Q~WnC&-?=7f_D4FQqVppf5 z=7=PoTgTrfB{?(V^)R@XgF)r}myYRGiirmsN@I2Sq}FN!Du>u0jBGFKxA)vWUT29{ znWKLIBUx>p2MyQ1J~J1|jq3U*+;&wq<*VoC6OrJI?cWe?%|VFYJ$vTlu4L!ghC4!e zl~Wi7X6j#%mgg^Mk30GHeSJd1i(5Dt-FW}x8{!(VUGxp}F9G_MdzR}L>)mLof(M{| z+v%$!-*N4OT+PUqNAoG2z3KpL9cg-;x7qWHtn~ECI-i^$t<+3Rh(s7uCJdE|Tsk7^ z$|`6e$M`4L?Wiv_M#c_LL^q9S`6Zi3@fRIt(u=ujIk65;87em|&`)T$u8l#TMJ3Z8 zmMFTBSGByyPjkffT2`f7A3vdx%~R9&PEZLNi(KGRABqd5d~zgb1jLJQvxPPz^J^T7 zOFw)!Qq0ohyekzbit|EGo*9b16`-Kx&0a{@#}?y7pu~8*U*f_m`^36z!s z-H9lhW`QqT^&J%FGqi9f{Sh$77B}kvn2*9zLRW{5@=oIbghu&YND=J3!Enx5g zn*tG^8&e~U!?F&-kqqU+sbtIYH?@TTXOIv3hXjQ{_uvELHfGwP=sHK88uft#1_wkL zs(3s+VnV{92L(d41Dr2E<50vMmwHwYadxu=I)BG?>~0<+G_Si8#%;_c>!=U+I$e^2 zBK-G&{d8=W(%rJF8txW-QWqzSR{M%7)FOPyDis-Zj_c;B3s)lR5Pi7od!b-M8x8-}{lEWMq) zk5hep^D!kU4_GMQ{(F_lBJd`CN+$v)`FO97A7P2pedPFY+~T@@P=jZ;Qj_?sawQeM zTM}%&ySr4gMor*nvM#;Ko z*Yn_ca*s^5a*ZG5&xw0s$KS84C*|Dz@zRD_{G~2re1Z1^@RU%oqLAoWvlP9h_k7al z=;wVO4zA%*MYt`ec;CVTC^}j{Fz~S^1D3`~7ZMN;n7wwAvbo+8m-BQ);byp!gs@Ok zQ%8jVCCViBk=6Nw`0bRKKC~mST~Qo*mvDHy_DtQ_@Ydu7ezFt)>4JQQPj`R7m~3JGYZpN{uhI`k#Eh1bkz zar@sdP7haO_ZZwO6;@D(ZWuRu@Vn`S(*BnVAo0iFwDI9eWToIuI?D40;2!4wm!ycT zoDHKN_szvkrRm~1?e*dIG8c!!R!H_XKFOF9cq<*IckXZfPceUSi3kA&U5Zs$7(&;y z`Gn(@Rbuni4T5R|gO3I%hkR_Qj1QI7Oha?Klod4)3TWs#M495JYSc?izh3O={h8XB z#G0G`CXh6IPTxL(X@0(DU!9}GV6(*6ZFulydj*uv*FdT4!iPt%V(Kh``#Rf%zUub9 zPKsP~Q~E*cBVeYJjcS{lbdvU1X4TO6;nF#PjKJRR6XCw?>B<7cZ^R_Pd)i~?D4iHSVHA4NuQ9<3e zFq7Lm)e~(_P*Iyvo^1)gvMr8u3-b8s_wkV4^Az^G+d>8O)DuP{$(%RS_Ha)QZY{F> z%Uaaf2y1Gw#6oTpkuH5Vk&)dwWjY|2-Vz>RDqU@RLm_4aPavE|AFtH59FV;2B~>J6 zXZXO^vMO|;Khf|@+QIM!b7hX)%65HJD{QNjA!oBdY6j})g6P3>Wj1v0+RTGhD0@7f z5+h73v~7Ove?!p%6NS3%f5$rM?L^7I<_4n`g+BS2d-|G@4Y-$=aVSwg_GPo^abW%N zr|}&ETjlYaqKFOJy6kVNRtXxuuYCwk9x}}?-u>mpX(_N(;dnTkk2Btiw|iH&m(1X( zWf-iW6yE!?Urg+zr9-D90P=ETo>_m)V1tk*y6s1ESqjt|Y039ir&)^7SPQwWxOOGw zgf(w|3=S9kn_bv?#cHq1lUp)4YOVAUN5zdEaHN04V;ixy{Q=Smuuvi%8$GZJeXo*u z@Hk4lJU?H1eC#26(;knacMzeXqkJ(x##p}t~kMf4eD zWa*x%!ff2Qz|JCV*>@FUX@WbHQdTRmL@v%tUbI1i5vJ*sl%HQX0Z860jKFc=4T^U# z65yz4rjW(o|?da!z*)Wi)N|S!uXIU z;_MFzW3n+-XhEu@>2R8iPEtakD93w``Yf8m79#Rw+0)pGTY84zuC`&O=m$Q(z7|r< z$x1Io%oF9E{V=24ME}<_1Z^r0u@C{T@BCve;{9t7*Gj=297LU$b<#q7Pwb;&bMTga ze;mb^t^n3igSLPMrQ_P;PxQukp%)iNcPAY87w6cZgG?z3w@JpeKmF7iIU@H{VERdOhq+^FPK zZ!d6*T+Jf-a`j0X@a0=TY)1~eiv_LW z<*H3}-SUP?B6b-?$!x|u{MLj~fg%A4GP_6QJG5${dQYz=Q&uL4 zog$e6XA>@xnw|T$cg3)V4$U3!CE3=Hk~vL%#=Kn*6JCTp46kH7P>;?datB@kCuPep zhNFr{pBNxpdwVRDz%fYXa2S*Aep{CcGm1lp{MOT_xyVkyZZusih(SgvHx_(10@8_6 zB#O$s_4fH#CK=8Tu^*1aHZK$1-6Q4neE3+#_8wbYD;l#*MFyB%Y#iTC}sO(=~TPO_o+~UH*X>cAGjjIy5SQ@Z?v$d&+RPW=|Up z{4K!|F-NEmAx-*5F>1jr)aDa{kKG&j-peb5$QOM$lC;|$kY&}lTfM@fEfd%GP_I>^ zk|q7QW4*U6r$5Q~#+YXXdIgn$r*{_fBG`(+0}!Dl^S!|`7N(ZQc8>xw?b{Q!YLE$g zC;Z5LwOZ$no1Z|8M;erRh(!6M)49`FU%nYPr}iaaD!90dw5^hCrxjrp19>%hj%Rov zHZi|jVwCUv`kF;=tVj1t`&3|D+-GAd&DoC}8Obiazlp)u1=^*O6?0#Ix{xGWXRcXF^A2PaSgyIcIDV6RFDF3NN z*zh=XFMYLuET=5<2xd()lKi67n86G zj-W$sLcI6O;WIMuLQ?8M2lMb$Cm*BeW+Ws!wSQbq8o!I;lGFYJD#WQQ{WxsQje{c? zc3#MVp3I6Y1S!{V{jq~-RJV`b3R>~N@^_!%Pwj`FzkV*IwVB;I`d%(?;VZ_eVW zIPS~)!$%)W5#3c$JFaQRL<14l{B=mYezWgy)*~)@H`#Ee1H04A;61l|k;6;u$LM>& zwSO+QAGx6WR}d2(%M9>W$R!Eil4q&7c5ExJToAT0N_ z)ZmGEBVFemH~ky@Vz+pho12TxkEOEu`~2AIsyHXt>x7f64elxYkuEJH!RNbwM^CUz z3WZ(Y4}iqe-o*&a35l#3*kWmcB{dwBq}7gbKw z+R6lsQlG;ZdH6q{Q5NAP;S+Bfy=qY3dB;hs?V&SdjK5&{7Nx<+zh|lbxPCX|QtDrF z{70PMoB_;+#9{!ZpxjR{Hqo*fnsZ1R4>tw&3j~%{9~H8p6dYTK+FvDw_PfQbbSBmyd7raP);`Zh_dUH`Tkr89s8~)DpXx)36`sW6%4S5EPoGB;o5k1UaO0`8nn^_m;A_Kdii5S)NTbg9?%T*O{r;;Z z`%iOL4>vu}y?Bf3K(M%j0UyJE1%R9UF+cDaG^6I~lYWO$7}d;L(Zw<0_2m1ttW}1a zl#NxE?=Z!YeCj;x1z(>YOuNV5JRz4umgim-|BCwW2mPRR`h^;;_ocQ> zzVH0SM*sPVg!X4PW`&+)nP#+c+$W$Ik5#VS#OUG7<`&@Yl=Y1EA1M+(;bZ?a`TH(+ zeo>Fj;9U?(3sZMK7Yo+^zUjB%YsSzrFBAjb{Ro@tH0H+zqn|1J8QlNBPuZ`*t8ngJ zLyT7%%KGiBOaA-eA5drQ5Y*5YPM$k_*TpZ;%k@#2H9vI#Q_tFA%Ks?k1F8nqzk0-W zh-q?jV4JOkcpIM{sB&lk^NvY+WQG2{m;5WbA&W4V@Z){YT&-RuR{;TQV5(6l4$b%V z*0NDg>&pM>)a+lK?yh%`wXfJ!5`r-)T-!tz3WxUombHfc^B8>IqXsY$_VBeBEJZAx zI_0Y6*~J&zO`N#q&zDS<%xRbNY5dSE{sweZZ*WA;QjYq&e(031RyJwFqg}zb=crqO z43GrP71>>$6wNT%FGBLk@r5do%f^aWyqGK1%f9`Bgg*#HuHZnJAd4pgAxbv9Br(nU z!n(nL{48A17h%j6N$ZWd*kfHl*162$M?2gb{0_n!HmJevj*~$01ye)8XC5=W?b=)2 zttiQ@BDF`>ts=(jVhLf);@T&-2&H_bEmJR${%YOu{NlFZul5yk0V!d+=nxF$Nh{ux z@%lru4f2kc*!_JFATkvUd>HH7Hfc{?ycG8(1bn!E)b~$%7EGhLLUBp&(HmYB#0VhslRG;*esH2=uM=5sr7&I>fiRg@&c4= z_Uj#{u~D$&KTPvJkHjeu?x4jHh5)RE&3BA0_x!h7tXgPu7`^(pG@P{$Z(mwO5dFoU zqg;LxrRHZPK-ry*bcFF;62kqvDqEH41P>p{^h6AwWn%H0s_a@b;d%M}n3s1+@WA_v zkzOyGciR=BP3dkT06HSi3Ku$b&L>_?XRTmuseb=dQ)bZ3L`;=G z#0N@L`ST$Y-uxoRbZ@{sgzSNTqUI&tl%2znDaVvqY~Y#gEVbXF39K-50eb{1;NKZ` z|K+h5_hKUiJJSsqZVI|@ksU|wB&>SWfESwt8#GJ}J|#XLlRbDuPh7Owwd(VCuxoKC}y>PK5#=4D#2~ZyS$+hRKq`ot4S>yeoU{aJRp3kmer}hXC zN)})=w_}9L1g$HD4QUkKvOMD4Fq@y8R)%B!VxKTCpJ5bvjs;j7+3?CoC-!!Xqn{4fvqAJo|M^B-YQilODSQ?W!=i;T z!wiPFw}S$RW`23?uciSOm_vS`^(jV()7^-A=)ddlc9ha5_*VMy0cB@W0te-5NfkPmJ-K{Lw`%-vcvcXu?WxIa!cnOU6;DSbCF0 zDpe6IC-QBliB?6cvqcz(0~bmPrdj_vX8w}A{rJtf{#cI-O4Y;WUShoqUZ@5dX@5Lw-r0&g6DCU9s=SFcVB( zhe_qPAyThK9DR&xmRJm=s!f2DuiWrj&i4O|7x+)EG%ogx6&F`+sTM=E+Ot*!5nFnT zCL`LeoEF{dxljzNv!jTMhLvi+3&^*_ARgU+ET2jx1QX0Zab17Z#=k`n5zNq{8zyt- zs%Z`<{w9AtCW)1A*oe6T&e>_bX}7V=;gS8Pr48Hbny*2I61O&%`E=tK|6$r~XG+dt3ofx@6n(>tyFj`Ccb!O}2J1XN7h7 ztIltp2|}DWN_Obi2UcXNQ(Ac_(`Nsp-xO3cv;D6(@{z{olCQn=K}eC2lf3o_>FL^7 zfy)U!{`3_n+eYUBBy&=4}tIcB*nO;i+nIRVohe-m3Z{uu?@ zfZuc<8q6w3Rp9`Ma$*Vkec1_F*&74dx9{Ko{oVaKS+8=J=|U~zf4*2nz@S%wm>*2Ti0ZQf6o?L%yr|Itfj=cVNspb{Ib#T4wUEdyf5erz7V~A5)ae z9&u3-mmb+ysw!lx{ZI4^K5aKMsK0*a**eo}5@r8g$dw6l?49X($_Ug=%u*#632$&? z&Ws^7T}eiU1&y1dh9Q_z)yOek`fTG=9xtBOuBxwp`9~37$R{FJlGkE&*ecvv-{f0d zTFs*Eo92k344iK*B-m=rrmAs1?$YQle2&~=UM8*u{Aa8KY$HEOYht?dNfgzewzwe~i_Lh51BOq(n z47>w20+b6w2w>5gzJ9IG$)B5+1aEI23~KfITlH64eJ8Ei$fGL;!id69Wo2I6NHowVI_O*>DH*I4eg^&tjbD2YOF519>IO^!*Dw#;z(_gYmVTdLy zI>ldXWLrZ1OU^zTI^+C=W61bH4gZuFjG;(2=5@_YoGoK?2A@>gwnwCI~GruZk6 z{z<*qbYTY=SV70*FojW+Ev5>A*qERYyd`=Pq^CayR10mQSPClxhigsaZ+wOiIk-4| z>E-06@R5q|c8yq`u0QlVtoaN{%pcbMvD#A0rsN~4Qc$B(P8ka?9#J>7-k5wypn+7K zX+bNR=z30%U59S|E{4dsKXq26*L&6alqs|~&LzoI&c%G9TH>fpDJ(MVhvoUa742rsu9++Z=<|=_?ABIV(s2^fl;x9-ck>Qt}#HK-9jMQi8GUSIm5;}sT`=-nG>9wDfYhxvL&wLul&t5t3O z4XnFIDQZpgOT0l)F+4HLRCE|9V-*3<8%w1%67O%dO4Ixdnw`ZZMQE*<)8Z1`@4L2I znF1FPuw)SokO$F}oH?*vX~jD#Gu++XX+xCJ1M4?;T|Yh_Xz)c_Ft3ZXmz+rLq6)XR zPTcWz4z>KjwYnIT&A2UdD&e{HCjHvv5PQC4QqTNUvS6(biD*|_sxDpQ{EMb39Zk>d zaN5V|d@AsM^x~ps$pHFcTctO?W-xZx;d8+a6NDR38lLnDVw)+ zWOA?-+LJv2k66<(NPRR}wBu5c_J&c^&F8Cl$88x=GUEp4Q_@W6|J@fW)BLwcXauT8Npb^2^@7=b-7_O z5dhxOyia5CBxwZ@j=pNCmxapxn%kne4a7AiX%p^m717Y;_eIa%1@D>21XaZyll?33 z*%^YWZOJAQ z-Otf_=+vm)Y;PjWda5&y{BR)cJzq+UEkP~oL|pT0!(FlmG^K-z=mQ^H#y3=<42t0l zh1T4Gh);`kUMPqIiqx~UalO1Pa%4+ki|4dQbyfj69fT|V4qG*;{WHA1ozqKWIbaJTu5$ddTrKbV}gh;!?ep+mZlpr=U7(Q3-ZzhfqGgs=uiJ~_jnwQmYRk5;&a;K8moqUDW=PLN-O{L?G{plpX55eep-#KQIm z8iOj^zIai8-02FexQ*%Xv?0{lclOed50nj#YvV!e(SM|EUJIP` zGO-LE3#sMeTKwaJz|FY)D@MOZde*xKVtvQjl(aoIl#5Kz!OhomEo#LQiq0VHm;4R*TIK zNIMMCy=$()2X{G>MXCmwA;e@{UNeI#QHG}G$6W|T(wH(vLT$Ztq1+-8Z{MEp-L@Od zc0f7r*OnsB#J!`8Vg;>LCqNbcr#ruD3Q(PQImE6ENbaqhPRC`eDulZOvHXh_!uB7p z!0rx57a|^Yj$a*k1U)UM?8g7j6$Hd(C<(`LaN408rVB^-T%h=h@UG5)8Jl@r#-3aj zM+@nTHy8fmd)tcnOi1je5en4qk*4@1OBeISEVlUx-&~VQFG%03ar!bnX%Up)1&xzu z)Ovt1;XNUUF3*AEUi8M6vjllCuD^rx^yxAD(iR9B@2BCI@zuk<(NFCKquv z;83mdS19YhI-k~As$&3^0t%*xRJd8qQI(e6dOi1FHFUlJPTd- zMFG$~p*9}H%S--(MRJ+)E1kBawGqVgVMb!W#13@+^KJwCA+g%{*@?J>b65e{9RyEI zka(0iZuN`twY4)@_AJ^t{f#F{%?LlI>GVvma_r7tn&*+%@1>3%kJ+o`YD);5Eah$~ zTNRt;jL8k0PaTc&iAcCFON0B@t}HZoiEppwF>#LW6@A|_GqtU+cL!5siGI3)XMZ@HvRXC{}sO%NTLdAP51vG}{_jR(XyiD^QqG3Uw z8@bOl#ihTrOC61VY~{fupzU|QaKZb_){6py3hdynQ<)Dl_bNwj9RgJAD!^kA6&vSA z>`lSqUWlf+MwZgfJnKUEIcLX!I%73!zi%DUyw!COekb;RbOS=$0WxG&vr?64s z>5|di`49fYY)Hgf=Gd*ATy#uCu`z2Z5y3#{H?%>A$5(z1Z&i!r>L9{_6cs^&O%DwF zFF#dgXYA9GV4RGA0&F%1-3LBlR|C)5KPY%bRmStP(1X$R=(jm?kF$(O-a@i(<4m;8 zL_QnR8L>AP$$4&Ei(t9EVk!9WUoHSD9e9(k2>4U^aYQs7`vrMOF41Y>({daoykPb* z47L_SOw1iuIYgt4YVRngMZ--li;^7XSkM|eT2a=ZGYOROkJ@kVOSQd~;r?L|B+ znKRwFp^11zB*X(ABNp3$of#2d$&Vd=b!i)95Td8WF|xHgR!7Hg+;>Y9b8J;|L9_u! z5^#cas!&%wlese7#$(ka{XHF~_Uq&)!#93}?Y^c-Y$t(g3Q=Ukms9hSqkTiSYVbys zF+|g-l{fBD3WHLAybAtr7smp{XPcCESlyi>wb|>n5)HZK^8GTL{zOfwtGyqGgylnTB3(lFCUT?Xj1Eq zjmM2!wXO1Pz~gB!@XSS)>@;Kh&&xvG-KG<^sRK7Qblg3GLCj;^^%VoiUwZ(>=qYwx z_{WO(`bgHooW*Ro)#LGkR<>w9dDL(YoV9>Q%p11*cPcuEC`9YKfw_Fhtxv#O;$PJ` zZbqoRS^|Sc_*2zJc1T4J-s(ag-_R7N2q*BJU`Lf%K^tO_PkoQWxaG-i6D=JUgSQEj zdeOjkp1RBRX4R;UM=0Z7Uo~$kbjsXBz}t;vCRwn@eZT*U%gg!4XYH)+{uvwJHK||$ zMiw4Ut4jgC4*s~%HfbkYZpQ}SnrNP$n9GhfUWV)E(PQ!S2$IP^LWNw`L9}1(QT3-F zX?vKib9`(}_G#XC&OAZL+n&a+uIUt*{IW!#-AKwgL%Hrw-$TTo*LWhzPsq>>v;Q_3 z_`*6EFE|n{DlHb#u$aGzL$RNZf;~@1d?Y;#8x{bQugWOt-6e8fbQOR?^!eNm}olL z@U5J&UaVHM;vVVX5_AS>sJjW-8j5nRfheUE`idRqsw+u3Ul_HWVm}!{;rMoTp0R7W zIxKIDE);YPj9Ae{-uWofRr0qnjn@rVs(40Dzb1mff#Glc%g2m2Nq$j#JQS9N0*<f@)lY9-)|(S4E1`xn(BWc%rA{hvDCr5plSjWUjZud_<(& zkMR!Q*=e2C$a<)^tu~D;9HltPda@+*;n>=!TX8tBmNAj=>66Xu*S&S+7V=q=QNggc z{#U~L%0QgRV4`f9?%5I(PO>gEyd9=+Fr=wc)F<(1!0~1egS9Fz>aAO%1 z@ z`yH&Xet~{FQDp3Y9`;hVUOdKku($YrOgOUmjU`m&^eO$98v4jU4DER%QZM)XMx!(P zS1ovK@V4|15{hOe59>oM39ggCr2A1glPLMhHMxLZV`Zqcp(uTpkYCE-A42B=d;Xb+ z=N1Kw4sG+>^LSGh?dD8UA&>mC9xVOYDGW*$Z_g;^sMEscXd^4jA%Po`Mf_i~&|NQ^6*v`rc3<=MeJ5mAtpk9TPdQLuLI72eJ;zOw8*KAD8r7i1Q3B zAFwvbNGb2K?EzU#H>sOENWV-jbFDFA_NrLc`;cN^F-v|&?_rX&7gSGK1+POCHaRQ| zs@Cc-&BpH8w@W2@1`Rvi&Cz}_7dVAfD5Cj9{$iYg9y;-_=^|aMfhni|T8cYVqM0UY zCH@XKzV(B=YZpA~Q@?TF+l)1mW&SJ>J+W zE1(eZJG&yoy*N<1g7Y*8G+8qPYMx_OSMv!R+pfeU>7|?=%NCaM9L8uoT=y%MhJL}7 zASlF9qKzJxE|OZxh~o=gMz0NOo^JcbI{&=!5`VZ3XQMa3Z=hH+O<;J%6Pyb6wso|4 z@+4-%bIJb%H5+(mkS+k3DdC0Us$@Gd1;z`95xZEF^X)(Iy7wp^OlWfg1+G zrg%!6+20w6rmO2Rp*{*DX!%<6y2QVU**CFGd=>`p&V5t)RBwv1eB82aw?VN|H1=&{ zlXpF^M8Xf&_X2%V>6qS`2OV5=iVkZv5#siQ1!Ei5MlXN<+{$J5>b|2C{Y+s)2|{0S z?#^7iPbT#U&(LVE$8Qdvuh3q#ooX^iRGlMl*g-m}+pJJt9#E*q%JjW+tH%(kS~Em&V0Q&99g z$Ul@A<1O<$hW8{5WaHh{IjDtQ)`{|1&yn!QL_S92nJu?kX$*u(`ncDgePJ70sblzR zNe!7K*5$SDgz5`dNc3vmE4!bqOJ2-ZB$d8lz=Y7)zo_~m98H$`m2E#{nfWXOBPXY8 zmGnrEG|OL+Ew!MW}a7o%`cK$ih}3ewHeq*#%g1@p6({S;6e3)|HEW1 z!$q(0HRVLn=S1o9G|{Z*9g`BUmL_pS`o*2!h4K-vEn*V`>O1?0&s7pE7!5CqI2EJ| znwp;%8|+ci-)LskSxL>@zh0~efd_DM{aiTlhlj`4P^{OALe%W>0dv(}%$Iv9b;7{! zSfN5n(5qP{b);*uv0q9T$l<)dURK+KW(4UaKn=NGR`!|m)b0@B&nxpW1{Wh)%9s!Z z%d;(Yq*-g(um+{6Z0?wG3%2hg^WsB|pFr2-C3+)h#e#8b12C(Z^2ZT(w#TL7*jmx2 zSIQL(_RICZ8ghzjCHkK)c`(T)K9m4Il7D$n7H*lonQ3rC+iRBe@%VFdZVfNb_Gy4m z$v~Z+Ow%2**fm7PZNKc15Bx!BGSn>2cb5Noq(PfIPQA+7)=qF>2yl;$ds5-+LX}nz zKkU8^S(|4SIRtW>gBN_BIo3afwSdCT#g&jLU@@;NH>^@)N? zu{*qBR2BIy6&!Z@g#?4eAZ7l+eC|7k<6PP-D}^2{B4|S+z^5}*tNR<7wjxJ)864?HiOG12)Fkw*#h;$ChX`i;0v;Ba6D`FOQH(Dwig8;`*tx(KQRaL9^ z;R_!snOugfdH?uN`kb_FH|O*lok+?fKh%_+YsrVpg^oGGZ8qA+*2 z*M>1Ze5`TNF>E8hE zOdjfIG@O1)<=g8JEj^mwdxEpzHcgOfYh6moHJTV(zNrz5dC@0!>N>BimvMfXt7?zj zPsR~2^hSMH_0lRpn_IS6NQ$`feVK98-}r^6*YGrC&%e<*(P2+5@bO2yq)`(7md#qw zw7~yiQe^?1_&MBm_$zORc8+MiHx}5hAkXDVE>6z?_?Xfuy{?+nvRDZMZ+F<|FM3ou z7%d|2dajP=wvwrwZN9jj@>_%c11xsVN#+ikd~=tmfWw2yTcal;zO8%Bb;*Z6j$C7H zX6Wnq-QZ+6<_04mK2wEIx`)z|8gTeaTXQ`zuU&5WTO)N*maO>yaOD0bAe~^MoF@DF zSHRidncTi~Eicn6^CD1zqd2kd_I*jRHXoz=nBC-L>JLcJSc4Ypxz_ae-O1GSDhdB( z*)hp%MyezZ4iELLd|>WLKCZNJ)|7_hp-TGfO%#4q}5e_Da@p9=eF*1;lg21vC9v? zua0Z{?uo|@@f&g4qFIOZ(7lb zW)}IjUnvm~s!zpV-H)^~FLcza7_$F^FDG=;VgFp=G(xD$@Qe^*#8Fa2k1eq}nVRCo z3Aohx2NA90L|AINLqgH-8a|JhNk{rN{lhl;X>KpJFR;NHPlK3PJB}i#v$JdjXkGD- z%4HD;A2pD>0-jT67`&=R6#tzHB!$%p8O2oC37ZENGB6UYy{`N}B4P(bkCGkD zw+9MOnp=RGRyapWakV}oFin+v!_0WN6KYiCdO5At=qi5}|3Bm!P7wI|gc`mEuC2W& z!P75O>(?COK~>FYSUOQd*ZPfC*(s;V-25~2>(@E8Z7&VrUAeHFa57& zBwc{Y&riN?NRix74hQ?`Dx&!B;Q4x#8O-)}^EFFROZK8_CZlgbaQ0AD+-uH?ZU>Le z9mube+wyY#J%a63>ZpIgT6H8C^^bmoLt`@Knp=B^vBhD+#5zp^S(r9=58KtkgG0=p zDl~DlN8%n4XiOY!JlYJKJS;RZ-NW$2DG}jWoZ#C*ureW-AS054AY;dH>{dIl zBM9v0!9kB0x-)j`gJzN+H8I*!d0dfP)&r2u8p6U|Ga2jPfa{~&m0u{0x-cObwZ zY7D94IPQ1}CEGvP(=1}P!{dqLYtv))gjZ`tYMJ-%M5~5kT_|_U-fuanMBt!U?vld0 zx20X?+dj0TJBMpv1cxxi7ZpNm#n~U6?1Z+oXxm%yg6B*@#2lDuz-|#a+2Ggki)hnW z&(^JZiu&sKF0(L^-qTc{%e=^f3M5;}3%(#4(V!O)dMoajc`j76db zMmx;?6M)enawvQ^ck_a1{S3H`3<#EB=!?#Z@)T{*rN+0K7@1A-+m5jZviv7 z+QZvxG^~0J8@Z`=Fuqo4Bx0BEx7gat(Hhb(Hhs;!xKubsZxV@MP>;gcQrdP%7TPhC zh>(u$7>&kBtad6i1CFaC8IBP!k(P_6!}f_Mg|U$JW$f!SA-Raj(T-HT3QEagZ55IC zhv`se;$d91zZW91rRYz*&I@5uk7A(rj!N9oAb|syz0hUGJP9|I8gMMlIV0@7*ip$0 zCe;t)r+qHkZ^6r{7!qO{8(|}DcXWW4dZ95d=*gPIKiVtni2$?qHrs%47fPvy;aO#* zT;Ug+gHM|&R1R^8%bqA{^PE+}4a(TQWCr%i=1e`zu2#9375(J@4#Xl>4O3Gp`+Y$g{sld2yvOrw)fvqVh-| z=bO}p;va>&awh+7!uDl)>+>YPa-5;GVLta=Xglf)gB9aI6~$Kdb(0PwRp^oK33uYN zDlS{E7716wchV9lc_gI3s(mE;a#un)y>64_+Y8mcp$Fc9#Q1<{iZQH-*E?vRNAfMmJ^h7v7Z0A6sj z1mT|mp#QwF6&!!xEB^7d?QZ>`VB?}6aC4Zt-E^(`?=C>@3y%use^Ww9?2T4>@mZ}R zWbn?AkL6YT+amBj&!Ph~Bo-i8to6lY_&Nu6qU%I{gg$8fcjrq$j!E1|MTHj)?%wRJ zG=fFIRZ(tD@|ODFeY*iN7rPwxozmrIx<_v)FkQ0T$MXI@3GzrvH6LvJAK#(h};j zjLVHEHmxWy3m4ui0f~*XN>E`t*_isJ~nm-62iSU87K6|r|CT3 z7^jPBzB#+xIZchEo*bWc_NA|g!-cRfKX#l#S-x3sLVvutYt{2W>_^*c9dler-a6wM z+cVFdm_+y|)8spp&v+21K~sI)&sSX4D zlMMTlBT|?bJ%;%?8|g4wsJmh9)r-ku7E;-)zV>WY6dLVo{{%jc^C3!0di(CP5b7#~;Aqc<#7pdQvw zdp+6RmDuPGoG@cQ`^$oyk{7xzj{~>vGI9%b(_jJzeSTh}?Z#6A==@^4 zuL~y3*xZi02*yK6URz5N{!uiB5|`|K*M!JZRbS5DD{7tVX5H3SEG5kv`s91ObXO3V z8g<e0y1R zI1U0nt~~L?-P(*=Kf)U!mJUOaJgIb&s89qdxq|NAh1F+M<@wp8n?eRHp2MJqs58dPs0PLsu_VD-u%=2+#>qGjADZy*KD^6cYY~ZCxROfs3ASQ}(+W z70h*Ce5Gy<-Qn_3^Jvmv*LowcBP6cAIq|-?s2hBi_SLgx&ib6_G<>`8l2YB7EE+xf zGc3~Usm#hktizkxjg=Y$oKyn0SkEKAW}ti8L|OYS*V?ut?3m==-X}^BE*?gBy1!S* z76}9&SzBC~>MUj+hrCR#A0j9^v>n~n;2bsBDEYIkE*@3P=VIAfyg_eGNlcHjMxTR= zhtJl0Ba!$Q+PrD|)kaKyA$4TeR|*%@0`7iAxV|YqHMFc>lgYdZh96M1_dIxijCEFBU*(OQ$pQNwC zkdtM?#Q_^z{n1<2TJ=Y^^#UHZ3N6kj9Y~<$vc}f8xm@OB$%V}uyOR01Z#9oBZKimf zs|t?KoxGSg4-s{Dtd2%Q=&94CgH+ZM%!lC?I{dYX3P-K%rApVT*dH7HT*^L1Xtwz4 zG|Y`Vck9(#>j$?S@|4u$12vDv?CQL$mVd;q(0Q*LeGek>YX5qjjL2h5J@A@{rWe>V z&)iBk(@pC`;LM0KG71I4zMld(6WnafAKS>xyZVM+C5Q6_m;b{BP^$Z^W^!i^+Sq?S z*5-+gFDaPxy1*DE)C;|_^qpEWZ&lT7(m%9rYCGEi3J?-tT*@ z~baDfw{}<>C|uKO|TYBbL3g+Xty1&gmM4+(`?ES;~XaUmS`L*%x3r=eA~>h>?NR z_H}d6O-X@fJg)D^(spxXuhhVcrN4J2o;Ol^qQTJ;6X~?`m_YsF+KwaHI3R!@ICp&G zsm&4WDf1`!q!{rET<+kookh}@9~MC#9Q573V3E(8a9bs8n}J1-6z*ojkC@mWKAvyg z-jvX%^JP30KjSYj-x<4l5!wa9fmbUBpP3dl*#%21f2&Ux@Ts2JYl4!pY*}>60B88U z&3K<;hdV_&oiku!oKxm-F+vo@?F~6d^rBoPO{7fXT=`96S*Y4iYsI9}eNVBR{$Oky zbfLrBiXKUl#5q%fme{~DMCJ0uonOJXEiaA(uOWv`B%eR)GV~T*wPnP(za6-JTWNA} z&XnTL9R}3K0+`ccy|X$#Uf}XUo}(%?7CzUnAV(=saWEV(ap0m6U$OXBIC%uqSAQpg zMKlBqMmiVp4hgNnym;8pGiq%8{$&YbzRd&YV{uPER+$w+Wp&KrhSSqQa@3!!nz^IH zb`IU=LJaY)C_zY!xFTah0UQ2!{p0!GUJkRzpMee!^YvDkbLip=Rj%7Z)j@NnK^dbA zz%wRO9F9UN{+5w(*zg}M_FSrtd>sfNSqnAFZXm)*iHYIMY}>u$LZwA7so=nFlIs)s z2txmYX|{d?(|nz$U`M}EkLj2LXT(W&0=SFV0|8%${74XVoYDbgFpgepaB_k}!HX4d&D%7G4(nd7VQ_sTUuzSmLl5YRe$g{7O5de#hOx@|A?S=`)=D5?bue&D zt1i!s(FH8n8G4!ay4_~~@`ea@Ubt6{wO~In@&A_ef3Mz z365@1rATzEm|~=_ff3*MX7~L*{jvFCF$2Y=kyHa$yOYenohk!Sgc@YK+WN)Qli#B5 zaYqZpq}K>&HnXy#CnO{^8clxy5e3fou)>}(vi-P}&AXc;np)bEIbzQeczT<&nn#{3 zdtcJf5wQKjp;7)nf)M8NU~|fD@yLX>o?6gv^#xk7&|95%#_PqHxX4v@st67Br|`Q* zm$MOg3_9qiJO7e{PuvUtzCMH@U*&|m&x75;`d1>O>By*;#W1I*c8BQOF&M;x(||cQsaj65)a`22jD~GJQUKIpT~fOGizexQivy+JwV`jqx**gdIA)3{i}{(7wv2 ze+E4Q`q{7h*Kta1(76Y0W6V!t9ah&??WC1zs8r6t#~Z+ld(I|MagiHf2+-XI&d!4C1Q{R}Hy~iIyC<|HV|xhip836?bPLRnw#lF_^%Mt{2^+5pp2(?Spht6I!`3y1xe^xp^s3*~UzKfQ> z;oqi78nw}A^9(e&l*2&94+u}=liGQDNekY~malSf=vAWV*r%|~HDdaYx$5hJ@mU!# zj~)}0{?p8`k9(^AmhwJdD{&Gn@Q zP|$a(Lnz0pYI&GY$dBnUqVu5cCg$y!G4oM{8S7~|!XWwH(x2P^x?))p?uzVkx{B3l|wdI%d73)xaF5%@i z6(4^U9JioKWjH+OXHwE`bFy)*8o2H~4jhFErYft8P-}CuE!`0o=w%EZYj6fD?2)Pr z7zfW%FuAe5dQ}QuAK@Rjc5F`JI}fy&;I14s5aq{ph!epX-#?vag;ezJbraAg&~}E3 zKGCRUAL4abwM8?QznN18YB^>9tZ9AT@p2vF_`MF+4bgx1F8g2F-l;*7BXS8N8=a|c zHI10YU+v!7HE0ZQ*gY`~`#w@`zj8!nbojPOa$2a;2C`Cqx5fe%?xOT{JGw7og&OyR z=DI5t`@2L|bNhA1@aw10hoHk>%DRvqh@#$;Iv+ zPh&p@@6DxjyucAGHsn}+V!Em-_-OStL;f#)&kLSl^^qJ2|9qWB_vBWJK}BADlN`~P z1+RT_SX#W|xxygcYfiMiSE<0DGBce#?%~XlsqQB1jw6J+BQ9|?C(KI^H1{Lkk2qHf zEh37i`htO~^{Cue5njP#$fhdF?MlY2I(ksybOq5lmDRmWU9q^mt=#VW%-&;Y)F-;3 z{3-Y;%r>L~U=b5mlDHR`DCF`fg*+_`Rvt~X7y6jCV0l!_afLF8Z~O#huAWz{RE%rA zv%T@Ss)K;MX~&HOq&dRixDo}}LG-~_)_dG7;JnA}yE;1b%~@mp(KXKqped(?d$Mo_ z`}?A3xQ+Rd55)A%0zSuVz8k@sznc_#({ex|6T9 z(9L8zy#?}bT*s2$2Ccc_7GwkbQ|B!cmRp>C<2%-R2gvX^=)9zK_TQfhsBgNQkjBD! zq|TQ3?O4_{zH4B-kU97jIfPX?8soo+5q@#~iXnokqSJyVan)?h?eR?A@C+JA>7d>T z-|gORb-eSgRb%W~XCqT^>$B?Q)lS<#i!cNsS{cQr4^gMsztanP(|TydfP#|g(c+6bd~OJ0T=4}r}flx zPSdkp!*3z=d_G4?$RAw-`Y_Mqd;(Uu*tnXI#&KoYcX-ZE^om$5pyN zm5Xgyz>sahh^S_)9joq>jN|bhXPlZZUOf}=bq;g+YGo+p7rm!$!3XFBu{A!BpCdFc zdMIE|6sx^Fo;|!I+VK24%Jfq+mAF7eL`r+=1hB(!@`t9=$sBwMw@^O4z;L6W^#PkX zPEBxqo_bc16VY@QLNk?&o{xX5ZZWIHDsSKQQAC~bX4-}m$~%PAx|D1$KGdso{_yC) zsSZVx-D6n5c``?ct5cGA|JJ@11sO;!!&D^NM8h2Q4d(UOm+9&bnq|GD`I*@U`Qgwd zN6Oo@Pww7#0~lQCwtz~@ZtE|5Eox%Z*fURvh{NHDDG=-(ot8l%CZ64(!0P&}6NGda zd3H;oLrRo^mjrlN#!)$%PL|}u+|<~>^VS!FKfCq%RTye;6szsIT6;Mp-0Z!ok!f1- z>FAJRzRgpR5JO9ewFI%o^!0P{yR{m-N27MU@o4>guxGyC#%NZI#e9`gB5J>D7DGt6 z`qZ=$8zQA~8y)DuWpF)Qhj20#Tj0WU8BoeCAkfuxpI%#>p2aYP8B_7eG|Yn{i65I3 z;@}4K$;63fs4%Y`;iVqsjxkesPc_a!6My8%?7c0k!O;7lhF_q0@nD?A8ir&fo3D3h zrqGP96iM>Zecw{W-dUOb&1k^cCEl9a%`@Qjrx>o8eUM%+$3A zPn@8eDwJW(=Ew?O_PvP*-So&2@e)7U{1f+{@6M`?&buF?pxOrFNvbMPqRUzL_dpS+ zb0}|)9z4Ji=^;P&{5R)B-;6Yey=bFM)o2)Kj`obWFp`ez^aDTor{D9(T#Q9$ie&%HP-RROJ0~9#1YD6wCJ!Zcpr7K@EE_;apFX}Am+@48 zD1S-H-A6Ag*wn@DQ*tG-lkV#O{Q*kt`4(l8G7VAXQ;TDExIz>UIQs)p#8)wp5mKL++*QcIN`@LE>lSbW* zd9ESyYkLF&_DJ9OppBobthUPvxb+tO%O_kv77K9TfWEP0{Zl>)OhGbwUB>`x9M((q zzQ{9Qsi%alElyVV&)O2hS_9jk*4puP-_rUuJVsIlWu<*d;(SH-*m6Axyyx#o5uU2| zUFq8_Obypr_4Dt{Z!hQPJJ(X0*kVZZXV{a!IPJ4RnBs9L_eJC`b)p0aHTSinC5KE| zG+mOXK9F?)wqwjag`BbLzn~dNv_*9pnzDLt{}omK1{==GP#80kk}r`%<>w- z9M3aV4~kBgDB8^WA$py7WqKgs09QP&eaz$S%WciCe#URwH-GvJPNINx)W2>Wf=KfKN_q#(MIZuUn-F?c<;egM@xaTx5@@=&vF=f=6dNdW-6_=ntf`$RW$L_+NudcWsGrLbF*eAK*DSZKiyymD=O z&f9tb(G3gYcZV<)BRlWmhkMmc+c%AUvVbomOomMP`EYrLn;p)9uh(+FKc0k2_^^q@~8-lpQ(>J2a7( z#kfzqSMI0}-W&J$IKGp9K>wn!^ zc-Ye5y~c|yDNE%Lk^z2Bv(Z=;9KP7cXCK5I36q9)XJ>fXcuq)6`mYBf*W8yKD@axg zK0lJm@piZ|*-9)$#v({o-#?x+fC&bXWOJGGHrRA)C>5&ngG3;z?4+on4_**Brn)mX zmb(aXn2;j^Q{Q_aqOM)$r5zCtmtM!r+Cz{YrDQIYg&G&wdWx0CnJvS;a)DvJKU(B(@k-C~LcErf!1h*T<2OG3+<#*2;A7zo28E6JzZ|>iMEtywYOrTk2jf- z0W`XXdv81YEBaGTc}*jy(|7*l`U)rlTn2=CE*$msB52?2~F$K`Tu8_&@O=H-eaAtnfuXqR& zAs>APCv?+7ekoIH19u40xp1EkN!29aO4`D|7%QXE%k8<}F6R*;~>^MO_YaK~VeB~@|lho-981z{@N#ToD!}sm)7Yo1k$>_@g z^KU*hf6Kg&$TL69n6om21NrDuvV`Su9L3Ll8EYoH!{MrY51%iSExhBdA;G_%&_VIC zsPc2Jr-wC^giM{q#?xhb5g9sisq+WP2@byr=E+h6P{Y@1_Xwv>F@iuSD^(U3)%l6O z>sI`sHHS)+@>OaHv#!bE6uV0;aDR!INr0*%duXnVCY_B1zc*;bpy&C$=TsF(i~8_( z_-ZK9c!~+Q8>fDzoFUaH+4@)-(mAt@<|uS=7`jMRH01~vhSPtX*eBXKYd@y zalsW0&|ba%D+8@1DXrTMru&Yed*VrY)LKs@(_zM5Nv!f>oInEc88tkYxwQ*D2t3Z} z&~$P(+FiXGNVMCIhEJzkPG>6_Zpu^_E1hQxHPzI0Bx~ky>0^ z6DN4-mu(_@wpx`YL-x3{<)6o`^&zao75Jpd!|#N0?dx*Vc`Kuftve{9wGCq2P=fmF znEF~ru*@~`xEscZKsmw$xQSBqh^~s1ERRwmXCO<%zxP~*c zKzzj^ov%8}0Fm!!Q(M*w(u@k@cGs*dp82>rWL`YsPmfcdUY+u(Vl`M#FD8ehCMey* z?cD}6?`g*5tRX6-P1Pz6)k})mvD86w6CzkyIMANvcAD^+yCx2whrmeM?CxRcOQZMV z4^p+eh3C%5Q>Jb^GtTy+Ojn<@dTFqEx7+MH`)$z9>`0>6YXW|!OqU5%xt0i|zk;v>6w3O6IgNk0P9^%e)MUU2^FolqTKV2Xjfu>qtR5V4dDDRZwu7Y9 zRR14maAz=G3?-=2oTqGkugbNNmjb%KaIXi4gL_Fk?JXS{Z2;|!nEpif*Y?Kcp)b8I z|Azg#nK`jkNq3h-JU44TYiL)^K2IYWO17e_@lCfDu={8D-hiP{1TJ4It4U|AyRw}b z($U6yfSSMTL!)ww090rqQThxc_Y%si`)jdhFIJKIz6@0sM^ESbhW&PAFw0m*&xl&bT+i|-7<32D8SnDii z9nn9=^c|Aj)p#^y#*$7{EHD^gd=|0z9Fr7V@X0qol43oD2JLnhlOG-)G|=12P9PK0 zK@_V+q1nosGKPY7fzYwOXLNljf<+KCF^LjM0{zyhP)d+KaC~4vm=}SKeB?R z-an@X#k>#uF`C6gk{_Ogm>VAki;JI)yA4;lEoq#Z!6u4RObDs>%$z)>l{GHrXMb;3 zP{2HO=6%X(pqS5;hGY+&eeKNG={{8RW~9=Ydw~nk;sSw}Cq0f%MhF5DXm$ch*9y|T zuI#}(gf&Bmd%1O37n+KX8TZ4rk4R}3s=O&(Lei~9do3F(Dt6};_wW`zDt<(G3suzy z31pze`u1*6OZe81H?|XOK>wkARYTv;$UQfH?j=oBER3%B?_ZB~mq(;~4{GhjEEBmG z&BiHukbw=IU5~2kY%>T#_7#0p{`h|R&dE`osGn8edQ=Ed@b~47T4U)oS+f;sV6QzQy8EE$ zHtp@?T9F`LUP5L{ex>t}C0RfLNC4a|DSeA(uZz7SH#-707HMk6{$-R^A@^?c$`GC$AEY{BFZ~vIDr?@T-&mrEP?C z_LGC*bwgb1gOdOK^f#+zC+Lr8FZkl#3<^v!sTE}+_?M#c4kd<}{_YR41$@ydNe8|i zkih+*@qcdjJpj-I^S^!qK`k)+PjoUa-Ty}_5BxPb!jQlp&FkNSuM=>ev0u%C^?3hC z*#G_-pmF-gI{?1$jaFM<3)}#6wYae(`g(j42G#ZH(7!(RfBpR2aFBIfn{|-%pzv60 z2-Dc?UCY(v^hY8b?5~jeU6o#QeE@Ajb_+uB?$mI2J?f&)nRb0A>+R6earF)9*5f7h zO%-qQ@mnwT&Z#~)a5E3PZH2l?h^^=HB+1~~nXGAT)yAkf`uM~uE^%Cm5&;IvS1OTP z*ufYR>Fx=5v_y}`{ymQnU&x*$zRMjwwS9Q2Xm}ZWylB5e8{+Z_$-8-?ZaVQ;yNmU7Uh^gjRUE_# zH6GL)e0#r|mA6?@y-!qaJ{SNf!<;@e%ClWK5P(xDhU|~>JxIoIxw~@(G$s5yDxTQC zxjhl~kEUe_%+F)X+tmN?S$v}``Q5a{TKrG~O>_pH%+yoK7F&7*>Erfwbp$x%yfPVgR>wWN@v- zKaMQo5!hTA>?D}|$>q*eyz3kp5yGF+XYzfcAb7-}bq@5n32~ z&NrC)+_vLMQ?JkZn6TVVwyP$rUN;neD@+lBAlp(0oTB@WLG5{gx8ZWNmTNUfhU{`Mn!5#CSQj*+X};$BOtXOxW>SF1|Nf4SdvELwX$+jggbg?H{^4OGk%tWv^GgSR?pV20 z#h>1NmH6#Lyc+>FB7>Eny02YMs@s^}QAnk4mMzTMqgdp@#hC=vd3&#)UbLrPbm>r0 zQi9X8T4s{`%ZORuLjRn?{2ZJ&Q~W%g#I4=dbgWW;NB1>i+`e?mf_^3y>>LqlZ0T4F z^88DkEl~y%1}46j?h0mH%RJ|w`7Lbm0X(-}L6a7V-d3Wm86+HwbbFrR-vvp1w=!la zgEn$mVau`tHiQh>5~U!ap<-3LD?Q8q{uS%M-_*O&AiZw8OBfaKzcQnL*mIvNAZXBn z-V`Vm5Bg_&mhzlq10W>nJV-Z5SLyo|3hie#F6jkvVWeSl&`8JMz9_3mAv#-7jG=A5 z&dh5SmQDO5(<*pT-}_SJzxDydWC>n?DI51csK@8O7O7FjgFZW{AaFX@hYszxZBYX5 z3A&72{+{ulgMU9*`KL^d!Ys6Bas#*fRCkB4>or=^%PU?3knAm87XS+DW81F*!jR-2 zQCVX;KP;#;vB)})7&z5!JUdx&BW=A2A?{t4_MYo}bmDK{&_}ck^jlL>wGXXQmwzp} z%AM|_K@Ey@cP@Jg90?vpE0{7oS(i)J^PBKN@Yy9S1;#XFU68Z_8T8$Eh(22er z;m|}ae<=XD1Xgs{2MoAxd8wPEhUGuHDf^lW&Z?Z;eM)Df z2w%K^l%sLhd;>vPCH#~Pkt~_XRCem%~;(PCl}ad&65R0fk!!m%-_Ke-Am0 zD^1UV`F2ObihJGD)0bU8em)dpTV>0g>b%2-Rxtx)HdEBlFwFM5Z{&936~IhVGox48 z-^?*vD}@qGwjxjd#$MJz(A7-AR#jUoa|^@4f&ddYL&vkhw@{Es@Mm8YB=%*;2-02@ z$Z0ss>`^G3uB;zGLRgtdaW|&2zq=c-LW1vIZ6^;OOvt8 z+EHF4N)JBWA+Pr9nla7!@}XN4N1P~&=s?q(dLdy$jMmDY4f1lOs@GHNT)UWtk!5#K zvpM-KQ=a`IV4uUaC~NBE90DOJ<-V%#FNmxa(1ajeG&mj1W}>0Wucatk$L)0+6-c*? zwjT~o2p#>!DT>zA_7g}7+HR;A4iT|fV6Ay#xzLmix}`mq$CxBlWe>w_8G7N*;|C)f zvuBrj%~5(%zRyif;E-nhj~QQl1K1*#3A-xL+BuWyN>i5O&q*`P6Tn(-WLOsiRBqs6 zxcUg0A}gDk`d<79un~t3h|#KgjoJqnK6de`ZMzf1{zBGNR-KwyJ*EOw8?Sa~Q(XGQ z`j{?^x*bCiSxM_Y=cYlUI^r9b9KTKohYrj3iq^K-BoOzd97^boOzz)5exZ>4Tgcs4 z1r_W)ZftX;1~L+`j8&RAGL8M}rnt9yqHb18>B^8so5#iUYZIkON@9?|@(S0S@gxyC zIUCqGw}UgX9r((0|G0U^1UmPVa7?LffzL|J>T5fynMXdy#^A1O6}GOzZa zgbswFOB)7^&z`yF`dq{zLy209QtiHanyfU1C7UwjqyOsO3-;~{iF-GbZ+~)0p6S8P z7Q6xV3XSQdmAdP(Yrrcy7lsDga`&DO5)?Q)h#9XiM0AuI0$%Vvow_ zm-W>)9>v2DvdPgoH|P)*#PsxC1T=H zBBOb_LK8*O5}t6aRV=~U8P1jG^8Q-uu^b7o62QrB_KeYC^MFXD%0GfvXY%^^P3CYu zU=~eXnK7A7@paF9)fUP_ZOqe+E_hW)eCnO$LWegcZlLdK*^xr=9uvF6U4hA*CjN3A zs&<{9w5jJWjY9m>dfHn?>|Z#0ln9oZVVsC*%+52;)zn0a4Is#mHjft>f|RI1YoXGA z`!0}uooHh6yU#rlw7q(qxTM`AjcK5&GxR0ago9+|&j^*qs+YPEp=3Bz7ORb zP?A=;g+0!`usc@~)01?0el)dI&nG(U?W){2TJxk)q>OcCA%nfJU+(ypxU$4~kv3*n zZ=)x-%|O&Q@|`Ag-1r_&}pT!h=;{op}%Y&{_cV? z6m+JThTYda*3x))$2AuLFE!{IHxrjDpA@d2WOA~76Tis5?~*mtcCMG~qT}N&tQX^+o8{yk{a*DgY0Q^()PS+%BP1N)Mmg!06uwTnr)9qyqM- z3|&j`wG?fg zZ(shP?65H^Q}_9cYhY9R+`wQcrFe4;*DItDjAp835Z}EObMOYm7r^~0QTO>5@KC@Z z0Y8tZS!;^O zQ?+rPJ`pREeb15_CFvWV$W|8a0(yDyE?=4@cAUrDU1>3C4^qk&E}3h;V-2<3lV6W1 zLD!2)&DAN*a|Av*r8Oi$d1+7B3`)`N4tBn5(e1Y|2FTVtA=?=fc_ppoHzzV>%JxrI zhOm_#aTsk^pKRMpmtt@x8g;xL8g`WMJvi(d-_jErF;-wN)$#Bwj^)RC{FN2C+FOo6 zrf?`ysQg5iWWD;mpe=~N@yT(q3B_OxpFA zzm54gIs|6dBK#E08fsH}mHDezTbhUHH3H6UDTeP9vP6UcJ9a6P35>5xgtCF|^qArc zS(4-1$%X+MhAAmCH_&WX_Xy9m7LQ2}sSA=48!1=tjwwC&cnum0cJ$$Lqw6;5zJz&v zHP=06m%B&O_AfY?YaOyv&xmI0iP3T`l2?&;!cqD!DMPU+Dr0LXcY7Whk1D+eXF&)T z4=81e8QBzvQ(kMXq=*APzF(vgzTj(e_=heLF_-F_^5e5Fb9;oOSdLYjzsN@%YGh4< zWrB+eVtb{N){ksQ9s>>S>L(}b?dc#APpwv3A^9+lb+{wSL;V3`D+4M4y0*4A{J;?`Bc%G+K?I zE*30VO61|&ZC0msC}UL#gd_9Y?(H|&;kJj9mOX^bO*Fdgs=JIN|F7Nn)tp1Vz;An2 zY!mJI{_V$%1x)I8S!f!qFTvfY!mr-=mFNmZGE+C3U>Id8%P%5XYX(>TY}nIs(<2G- z8PSZ2JRahsLc9@bClYP=80XbhTQ>U~w}Q>z6YH?DcrCb*?dEiVIt-HHo<#U$n{^lz zQm(4x)b|M9u%UFq+zTezildkFbWZp_P7&c7T}DncVkRONi10nDlxT>K?pry2%F)qV zc)QV3C&E{rb@pmK)hDCxs$CO6GsvAA1thzi#?|$^Hoq`#1=}NLKWOU0De_q=I>L6J zdce40$3LUOD&r~d=HW@4>fh{)hr;tmPi!XA5!Dr|bIu`1LarE&w=aeSngdYLHZTL!6bXA-oLmx!V&Odt8Z|nN2F7Y zk)t6&5f(x53xEeAT$5xk)EneCe7=9wf5ChYS5ds z*WXYoIH(5EHvtwzqd*zU$u0P-mMfOh6I>C~O86ODE;Ig^;_pa|15NO0*A5PR+%?_4 zTi}8P4a_Amr+d;ZDF3}SCrf_E7tjjTQOw@L--J@ngx58VRN z4{9mhb_xo}U?8&Kd0;2v&zYDg;CJnMIuFM=?62;Ovh{cLU(pP^Rx6SWvXw;hr0kBd zwS;`^TztkDzC0y|M@Li9(!$9jRegB^QZW1$x&MvPOrv~GWNtlNRx`=a59*f4;4Mq4 zd2RYWD~!>gBxAwMd~p|(%Z%@Rg;~$z7`8|R3GtgW>D<@1+iNKt@cAFWVBHW6d>ec` zBFQZ4Ep8(3_koF0CLzjC<*a@zUElel=*>A(5ah~3)k`%{JUv~vJw6^CFW6T$NEUfI zn%7L*Xle0x=v7d$vrk(AQZYE&h{gZJ@c2e6gU_v%p{%U5aTt4?HCL;OBAb~2X3Do- z6rw$a=P5lpyUBTFN<)<9Wb5F9BTJv1w;Y+x3quhGcChvSIu)KWmV zb_zbr80{aJ>Rtm13=6#h%C}os7!ueA^I}PYI8ASFvS}^ zXy;usJ1gbCv1z{SzX2CnL`gU<3GnprA3XSTMxRU*2G6(->iEyL8bmridUWwIDH}*O z*STGPM*Zy5e<76C;Os}3WN^G1()c#=AMhpm%YOi(6D(s?U*GkO*h~*vuRp&Q+1KYc zrbtxfMGP}Ad=A5^Fe&q==9?6lA?!o(CRk1fPAf$HU)m&?IVlV&`1SW>cXkeiWSXt? zx{zR+`i;O%z2={_o&4B7y?gwohkunLYilX$zHkY<)rj59WB1wb?Jic@qD| qJYztVk^g0_{P(;6UqyZ2-o5yhbfkH+uKor7`ywtURxa|@@BaZn09=Ov diff --git a/versioned_docs/version-v0.22.1/contributing/release_flow.drawio b/versioned_docs/version-v0.22.1/contributing/release_flow.drawio deleted file mode 100644 index 6ca6b34f..00000000 --- a/versioned_docs/version-v0.22.1/contributing/release_flow.drawio +++ /dev/null @@ -1,721 +0,0 @@ - - - - - - - - - - - -
-
-
- Review release notes -
-
-
- - - Review release notes - - - - - - - - - - - -
-
-
- projects -
-
-
- - - projects - - - - - - - - - - - -
-
-
- projects -
-
-
- - - projects - - - - - - - - - - - - -
-
-
- Organization Webhook -
-
-
- - - Organization Webhook - - - - - - - - - - - -
-
-
- projects -
-
-
- - - projects - - - - - - - - - - - - -
-
-
- - Publish release - -
-
-
- - - Publish release - - - - - - - - - - - - -
-
-
- Maintainer -
-
-
- - - Maint... - - - - - - - - - - - - - - - - - - - -
-
-
- metal-robot release handler -
-
-
- - - metal-robot release han... - - - - - - - - - - - - -
-
-
- - no - -
-
-
- - - no - - - - - - - - - - - - -
-
-
- - yes - -
-
-
- - - yes - - - - - - - - - - - -
-
-
- version in event newer than release vector version -
-
-
- - - version in event newer than... - - - - - - - - - - - -
-
-
- - do nothing - -
-
-
- - - do nothing - - - - - - - - - - - - - - - - -
-
-
- Github Action -
-
-
- - - Github Action - - - - - - - - - - - -
-
-
- Bump version in release vector and push to - - develop - -
-
-
- - - Bump version in release vector... - - - - - - - - - - - - - - - -
-
-
- Open pull request from - - develop - - to - - master - -
-
-
- - - Open pull request from develop... - - - - - - - - - - - -
-
-
- Update aggregated release draft in - - metal-stack/releases - -
-
-
- - - Update aggregated release draf... - - - - - - - - - - - - - - - - - - - -
-
-
- Integration Testing -
-
-
- - - Integration Testing - - - - - - - - - - - - - - - -
-
-
- Merge to - - master - -
-
-
- - - Merge to master - - - - - - - - - - - - - - - - -
-
-
- Review -
-
-
- - - Review - - - - - - - - - - - - - - - - - - - -
-
-
- Tests suceeded and PR changes reviewed -
-
-
- - - Tests suceeded and PR chang... - - - - - - - - - - - -
-
-
- - publish results to #integration - -
-
-
- - - publish results to #integr... - - - - - - - - - - - - - - - - - - - -
-
-
- Release metal-stack -
-
-
- - - Release metal-stack - - - - - - - - - - - - - - - -
-
-
- - publish to #announcements - -
-
-
- - - publish to #announcements - - - - - - - - - - - -
-
-
- - - metal-stack/docs - - pull request - -
-
-
- - - metal-stack/docs pull requ... - - - - - - - - - - - - - - - - -
-
-
- Freeze -
-
-
- - - Freeze - - - - - - - - - - - - - - - - - - - -
-
-
- Freeze - - develop - - and create a release candidate -
-
-
- - - Freeze develop and create a rel... - - - - - - - - - - - -
-
-
- Large integration suites -
- - (currently owned by FI-TS, not public) - -
-
-
-
- - - Large integration suites... - - - - - - - - - - - - -
-
-
- Run -
-
-
- - - Run - - - - - - - - - - - - - - Text is not SVG - cannot display - - - - diff --git a/versioned_docs/version-v0.22.1/contributing/release_flow.svg b/versioned_docs/version-v0.22.1/contributing/release_flow.svg deleted file mode 100644 index 55cdd493..00000000 --- a/versioned_docs/version-v0.22.1/contributing/release_flow.svg +++ /dev/null @@ -1 +0,0 @@ -
Review release notes
Review release notes
projects
projects
projects
projects
Organization Webhook
Organization Webhook
projects
projects
Publish release
Publish release
Maintainer
Maint...
metal-robot release handler
metal-robot release han...
no
no
yes
yes
version in event newer than release vector version
version in event newer than...
do nothing
do nothing
Github Action
Github Action
Bump version in release vector and push todevelop
Bump version in release vector...
Open pull request fromdeveloptomaster
Open pull request from develop...
Update aggregated release draft inmetal-stack/releases
Update aggregated release draf...
Integration Testing
Integration Testing
Merge tomaster
Merge to master
Review
Review
Tests suceeded and PR changes reviewed
Tests suceeded and PR chang...
publish results to #integration
publish results to #integr...
Release metal-stack
Release metal-stack
publish to #announcements
publish to #announcements
metal-stack/docspull request
metal-stack/docs pull requ...
Freeze
Freeze
Freezedevelopand create a release candidate
Freeze develop and create a rel...
Large integration suites
(currently owned by FI-TS, not public)
Large integration suites...
Run
RunText is not SVG - cannot display \ No newline at end of file diff --git a/versioned_docs/version-v0.22.1/docs/02-General/04-flavors-of-metalstack.md b/versioned_docs/version-v0.22.1/docs/02-General/04-flavors-of-metalstack.md index 7da427fc..2277ca6b 100644 --- a/versioned_docs/version-v0.22.1/docs/02-General/04-flavors-of-metalstack.md +++ b/versioned_docs/version-v0.22.1/docs/02-General/04-flavors-of-metalstack.md @@ -14,7 +14,7 @@ As modern infrastructure and cloud native applications are designed with Kuberne Regardless which flavor of metal-stack you use, it is always possible to manually provision machines, networks and ip addresses. This is the most basic way of using metal-stack and is very similar to how traditional bare metal infrastructures are managed. -Using plain metal-stack without additional layer was not a focus in the past. Therefore firewall and role management might be premature. These will be addressed by [MEP-4](../../contributing/01-Proposals/MEP4/README.md) and [MEP-16](../../contributing/01-Proposals/MEP16/README.md) in the future. +Using plain metal-stack without additional layer was not a focus in the past. Therefore firewall and role management might be premature. These will be addressed by [MEP-4](/community/MEP-4-multi-tenancy-for-the-metal-api) and [MEP-16](/community/MEP-16-metal-api-as-an-alternative-configuration-source-for-the-firewall-controller) in the future. ## Gardener diff --git a/versioned_docs/version-v0.22.1/docs/04-For Operators/03-deployment-guide.mdx b/versioned_docs/version-v0.22.1/docs/04-For Operators/03-deployment-guide.mdx index 58ddafd3..6be800cd 100644 --- a/versioned_docs/version-v0.22.1/docs/04-For Operators/03-deployment-guide.mdx +++ b/versioned_docs/version-v0.22.1/docs/04-For Operators/03-deployment-guide.mdx @@ -31,7 +31,7 @@ You can use the [mini-lab](https://github.com/metal-stack/mini-lab) as a templat The metal control plane is typically deployed in a Kubernetes cluster. Therefore, this document will assume that you have a Kubernetes cluster ready for getting deployed. Even though it is theoretically possible to deploy metal-stack without Kubernetes, we strongly advise you to use the described method because we believe that Kubernetes gives you a lot of benefits regarding the stability and maintainability of the application deployment. :::tip -For metal-stack it does not matter where your control plane Kubernetes cluster is located. You can of course use a cluster managed by a hyperscaler. This has the advantage of not having to setup Kubernetes by yourself and could even become beneficial in terms of fail-safe operation. However, we also describe a solution of how to setup metal-stack with a self-hosted, [Autonomous Control Plane](../../contributing/01-Proposals/MEP18/README.md) cluster. The only requirement from metal-stack is that your partitions can establish network connections to the metal control plane. If you are interested, you can find a reasoning behind this deployment decision [here](../05-Concepts/01-architecture.mdx#target-deployment-platforms). +For metal-stack it does not matter where your control plane Kubernetes cluster is located. You can of course use a cluster managed by a hyperscaler. This has the advantage of not having to setup Kubernetes by yourself and could even become beneficial in terms of fail-safe operation. However, we also describe a solution of how to setup metal-stack with a self-hosted, [Autonomous Control Plane](/community/MEP-18-autonomous-control-plane) cluster. The only requirement from metal-stack is that your partitions can establish network connections to the metal control plane. If you are interested, you can find a reasoning behind this deployment decision [here](../05-Concepts/01-architecture.mdx#target-deployment-platforms). ::: Let's start off with a fresh folder for your deployment: diff --git a/versioned_docs/version-v0.22.1/docs/05-Concepts/01-architecture.mdx b/versioned_docs/version-v0.22.1/docs/05-Concepts/01-architecture.mdx index 709960e3..75298df9 100644 --- a/versioned_docs/version-v0.22.1/docs/05-Concepts/01-architecture.mdx +++ b/versioned_docs/version-v0.22.1/docs/05-Concepts/01-architecture.mdx @@ -152,4 +152,4 @@ Thus, for creating a partition as well as a machine or a firewall, the flags `dn In order to be fully offline resilient, make sure to check out `metal-image-cache-sync`. This component provides copies of `metal-images`, `metal-kernel` and `metal-hammer`. -This feature is related to [MEP14](../../contributing/01-Proposals/MEP14/README.md). +This feature is related to [MEP14](/community/MEP-14-independence-from-external-sources). diff --git a/versioned_docs/version-v0.22.1/docs/05-Concepts/02-user-management.md b/versioned_docs/version-v0.22.1/docs/05-Concepts/02-user-management.md index f1ee2778..ba742ee9 100644 --- a/versioned_docs/version-v0.22.1/docs/05-Concepts/02-user-management.md +++ b/versioned_docs/version-v0.22.1/docs/05-Concepts/02-user-management.md @@ -7,7 +7,7 @@ sidebar_position: 2 # User Management At the moment, metal-stack can more or less be seen as a low-level API that does not scope access based on projects and tenants. -Fine-grained access control with full multi-tenancy support is actively worked on in [MEP4](../../contributing/01-Proposals/MEP4/README.md). +Fine-grained access control with full multi-tenancy support is actively worked on in [MEP4](/community/MEP-4-multi-tenancy-for-the-metal-api). Until then projects and tenants can be created, but have no effect on access control. diff --git a/versioned_docs/version-v0.22.1/docs/06-For CISOs/Security/01-principles.md b/versioned_docs/version-v0.22.1/docs/06-For CISOs/Security/01-principles.md index 8e7030f5..e327ec4a 100644 --- a/versioned_docs/version-v0.22.1/docs/06-For CISOs/Security/01-principles.md +++ b/versioned_docs/version-v0.22.1/docs/06-For CISOs/Security/01-principles.md @@ -15,7 +15,7 @@ The minimal need to know principle is a security concept that restricts access t ### RBAC :::info -As of now metal-stack does not implement fine-grained Role-Based Access Control (RBAC) within the `metal-api` but this is worked on in [MEP-4](../../../contributing/01-Proposals/MEP4/README.md). +As of now metal-stack does not implement fine-grained Role-Based Access Control (RBAC) within the `metal-api` but this is worked on in [MEP-4](..//community/MEP-4-multi-tenancy-for-the-metal-api). ::: As described in our [User Management](../../05-Concepts/02-user-management.md) concept the [metal-api](https://github.com/metal-stack/metal-api) currently offers three different user roles for authorization: diff --git a/versioned_docs/version-v0.22.1/docs/06-For CISOs/Security/04-communication-matrix.md b/versioned_docs/version-v0.22.1/docs/06-For CISOs/Security/04-communication-matrix.md index 07df2607..24c1bc1d 100644 --- a/versioned_docs/version-v0.22.1/docs/06-For CISOs/Security/04-communication-matrix.md +++ b/versioned_docs/version-v0.22.1/docs/06-For CISOs/Security/04-communication-matrix.md @@ -116,7 +116,7 @@ Please note that every [networking setup](../../05-Concepts/03-Network/01-theory | VLAN | Switches, Firewalls | Layer 2 traffic segmentation. | | VXLAN | Switches, Firewalls | Encapsulate Layer 2 frames in Layer 3 packets for network virtualization. | | EVPN | Switches, Firewalls | Overlay network technology for scalable and flexible network architectures. | -| VPN | Firewalls | Management access [without open SSH ports](../../../contributing/01-Proposals/MEP9/README.md). | +| VPN | Firewalls | Management access [without open SSH ports](..//community/MEP-9-no-open-ports-to-the-data-center). | | BGP | Multiple | Routing protocol for dynamic routing and network management. | | SSH | Management Server, Switches | Secure shell access for management and configuration. | | LLDP | Switches, Machines | Link Layer Discovery Protocol for network device discovery. | diff --git a/versioned_docs/version-v0.22.1/docs/06-For CISOs/rbac.md b/versioned_docs/version-v0.22.1/docs/06-For CISOs/rbac.md index 9a87b896..06c902bb 100644 --- a/versioned_docs/version-v0.22.1/docs/06-For CISOs/rbac.md +++ b/versioned_docs/version-v0.22.1/docs/06-For CISOs/rbac.md @@ -31,4 +31,4 @@ To ensure that internal components interact securely with the metal-api, metal-s Users can interact with the metal-api using [metalctl](https://github.com/metal-stack/metalctl), the command-line interface provided by metal-stack. Depending on the required operations, users should authenticate with the appropriate role to match their level of access. -As part of [MEP-4](../../contributing/01-Proposals/MEP4/README.md), significant work is underway to introduce more fine-grained access control mechanisms within metal-stack, enhancing the precision and flexibility of permission management. +As part of [MEP-4](/community/MEP-4-multi-tenancy-for-the-metal-api), significant work is underway to introduce more fine-grained access control mechanisms within metal-stack, enhancing the precision and flexibility of permission management. diff --git a/versioned_docs/version-v0.22.1/docs/06-For CISOs/remote-access.md b/versioned_docs/version-v0.22.1/docs/06-For CISOs/remote-access.md index 0b8dbb19..dc24e82f 100644 --- a/versioned_docs/version-v0.22.1/docs/06-For CISOs/remote-access.md +++ b/versioned_docs/version-v0.22.1/docs/06-For CISOs/remote-access.md @@ -6,7 +6,7 @@ title: Remote Access ## Machines and Firewalls -Remote access to machines and firewalls is essential for performing administrative tasks such as incident management, troubleshooting and sometimes for development. Standard SSH access is often insufficient for these purposes. In many cases, direct serial console access is required to fully manage the system. metal-stack follows a security-first approach by not offering direct SSH access to machines. This practice reduces the attack surface and prevents unauthorized access that could lead to system damage. Detailed information can be found in [MEP-9](../../contributing/01-Proposals/MEP9/README.md). Administrators can access machines in two primary ways. +Remote access to machines and firewalls is essential for performing administrative tasks such as incident management, troubleshooting and sometimes for development. Standard SSH access is often insufficient for these purposes. In many cases, direct serial console access is required to fully manage the system. metal-stack follows a security-first approach by not offering direct SSH access to machines. This practice reduces the attack surface and prevents unauthorized access that could lead to system damage. Detailed information can be found in [MEP-9](/community/MEP-9-no-open-ports-to-the-data-center). Administrators can access machines in two primary ways. **Out-of-band management via SOL** @@ -26,4 +26,4 @@ This approach uses the [`metal-console`](../08-References/Control%20Plane/metal- Both methods ensure secure and controlled access to machines without exposing them unnecessarily to the network, maintaining the integrity and safety of the infrastructure. -Connecting directly to a machine without a clear plan of action can have unintended consequences and negatively impact stability. For this reason, administrative privileges are required. This restriction ensures that only authorized personnel with the necessary expertise can perform actions that affect the underlying infrastructure. These principles will evolve with the introduction of [MEP-4](../../contributing/01-Proposals/MEP4/README.md). \ No newline at end of file +Connecting directly to a machine without a clear plan of action can have unintended consequences and negatively impact stability. For this reason, administrative privileges are required. This restriction ensures that only authorized personnel with the necessary expertise can perform actions that affect the underlying infrastructure. These principles will evolve with the introduction of [MEP-4](/community/MEP-4-multi-tenancy-for-the-metal-api). \ No newline at end of file diff --git a/versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP1/Distributed-API-Working.png b/versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP1/Distributed-API-Working.png deleted file mode 100644 index 899e223d25919d8ec5a2c2cacd2099f8731ff1ee..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 53600 zcmeFZ2T;>r_cw@$3U)z7RKP+JK_HYQfb^w6fB)Pfwd&)icobx&7hUsBY2lk%a z%f!TVKuc52fQgBP%EZJR$GRK5ljyUCWnyAGKvXv)y8Al1xH&NKOR8@F#V;Z5Oz4god=JIGE~!84SiRsRI7ealw;(!EawA+!`(=1pZR? z@Njc5b+ARd5TWss2vJEm^cA$Gk**HEgev&k%?0NGexV%fa0KWp-gp}i@JrR%i{S1; zatB{S$cT!IO3Fw{iy~zH`2>9BfB(LrjiZg1%YRu0qSMF0%iD#3-zF0#Au25j+a}0? zXydf~E*$Tu1=n>$Xc8UGWF)ZmUNQ*f?J-0@4~OkB_6|NSc3@2jeo1w}VS5)FCodcD zY~n6|If#SV!XzYga0G;fy|yVuP0G|75C;uMnE2?}d3sB!>xtU{l2s%O)iEw)A5A<) z2PS(~6eAV5gQAC6fUJ9oL=ukJb$GPg-z->|PaAlOUrXk$k-Vm>4 zgc0|l_<)(nc$6O)W-dWAG%}!&^$1e>WF*B`5~WJk#()ppu%^bQhAMVsJ3l`uGee@S zxtX)Gqcn!7qCtR5!%2oFp3=r@%BHFo9>%VQC>?WOG}^@pMxi(%O#Eb|%}q36o=&cg z>bhQj>R25#(NRVfCV{drl_X;|!1N~esu-9L#X{Lt+}*^^&c_`oC4qE=I~eI|`d9!i zYe+cY>@j#r54emj(aZ~@=4Y<&0Mtpv#X;B4#*ZK)>5Iqdqs^2tw)T*A7&+VONt4vv zwGAx1ZShz?6rSR01Bbh7>S$8%YFhTTdd4cgx}IuU-iEfGb`UFd@UE^7es)*{S=t

*#5l_~}a_O?}C}WCN6`r#iyi z)k#~@UE9Z9ljP-Uh&Hfr_8`MG$S5}tPYHxAPFL4a3W!mKs4U@ND5D{vrmZXmGt-r{ z)gpVtRbA1(Zl+kAyOe~E4#tIo5;w&-`xyCXs=BGmpxq47HV7$-o4b>-qpz~F5#AFc zr2}&^G50lcvc*ezxNAG0ytTAE{BRgoM?f>l#?Kbz?5U?>DsGIh#S@Hdq#ZmpoPAu> zZM4CbQGppzT(rH>Kr=Nw5t5Ehp3(>%BP|soT3JHez}?TxPR9i)spey+t}p3rYoH;m zE)FyHbthmj(nvjoorAaz+Dli{z{}jhMatgUS=GZ&UDwSQrcN-kGts7a<9w029(b^f z6alL$PQ+^?+*CbLs@`rcHa?PO%JxK4H@q4aVS{ra!)yphO>svlH)8`y@C74jUy7d& zO4`QF981C?ZC%|E6pEca%t74N1!-&~Nz~9HJDMY;Oug;QB_vHflvPyx%pIKVl^vZm zZSlHDIDw=}q1c-HN)wP8&RB}AgOshBF&ugp3oP2s+1TEggf-Fg^Kf-`aIp1}a6`as zHPw)gh8FrryrikK3Rx2&X^STMIGS1*%ec8pY1kWksLI&NxH*VJqVs~=K$`@uLexXM z*!qbh9gMJ8X;&9#bw4dUTG~!o%|_D!MZswpOG%1rxT)*to07=3WSFhAgpMjqQqtVr z-Q7gW*9NcegYqG(=mLE;LaAwxwY=cQj_SU4`noF4CVJv3wvJjbtTM$;TNUkOVr=53 zqOW6*uy=RDc%votwLJ;WNW7Oa8jbVyLBnC%p8C#`YF-v<<|HF8TQf9@geEB?br1*% zoR+GtgRweB)zs0*R@0Z{ts{eSur-8Bc^YV``MALhlnMIoHumN!KvOVSX%l^8Uu_)G z4G;%tC1~r2`$@w*JUldP!AnO|PkTR485svvPiZ@h2?p3h6$v*zU%Z1j+#KNzlZ5-| z7=ibkP(%w?Ef04iHwQAz9%g}a^^)-t$EkUeP(DuLMjkj_k}i%6H}I2CclE`nB6N+= zUM404TXB+yA4 z4AH17~pPo9xOUnhPYzTzrqavek@2>8m zqlt2X6Wx^kBuEaP+8Vwx<~U;*&J2tIN}y(-uB)yGW{2tN80krPpe$gv23~lgiVu#g zDXwi}s|%OGIO`)|>IgVd59vrUw~;V#L-=~T`x^K;!IeF{P~vvV5O2(!%wRZ4gqx8E zLJDn*cJq-o*EAukNlIe0d}So;b)~c&HH?rx7%6jc7r2|WGFjTqSK7oBZ|-M+a+lFm zCfLBe_4Q?pO^xlH+|)dgZW`vE9(qU_2R)<T2u;hA6wsc-q@xynu3RVN5CZ$^@jVnx4BO21Sz57B`T@n>azXS_7sbW8#GNu`tH^ z*yxhA9dt~c?Yxy$o#2|T7A|-@oSUArG0DZ(Km%^*=L!vneF-~lbC|g{3OdA93?Qa!gCAE1iWv-}hjDfwYB-5&7?~RxqV=5pfJdM~HYYeE z+-2;vC1o)7I-Y1LFF$XX0iFWBWeyjI;T`oPEwJ`Fz?o3-GSIQdYN4T%z)8a%Pa)&o zkr1Q2P4)FPe2_$E6$E&ttPdT?&_AG68vmTbTZb}u{nzu6RM!>16UD@IhDl3J*~r&w zDrsMZkLq`ZAm1&o{cKoS&9RV!&%5PbC>R_)r(!UcLOc`Ge>yD@n|?S|MfMySzi~#vuCHF{U58gGO`wOibHkJpyY*nAbNsO^DDEf5QHfg#u*BI37sZBI}ti^WEJw@k+u>FAGh? z?O3+g0<%|V4x*WuwmE+utaZ9DE~Tl>JV@rF-Cu4;upFj(eLbn5y2blBmcs|`iG`Xl z={eXPv@)R#`o;&5!eJ=dS*C$2mk@xSH6ciM6)5pzr zgGD9gbz=U?2nW8~!SzmIYpSDK@76K~x`Q5RHHkY<@O^yoQ{pcMz|-bPh6HX)Au421msUhS7oBX=+@^I~>!ZV8qHcp> z5;`YEw~5+h$sw%ePLHO%mpJzf^X0RozRI?!bJ)&c%$=Clw`IY%V=^HKx2`TA|M6L7 z^#17E_1h$b?gzsh9!p)l4GA`MgUxJU;Yv@F;tdBirKFfgPS0;{3*3xDDe-k9)6%v? zG`C3z*P+~2HWd69X-v#q>`IAW#9d0Z^?j8iziPbrZA$R&`nw^rLg$;**tV4*UmyhO zkhEiJn}kQ(Byc`i*ncAf^DokvSS0vDkg+x`9$Z@@pBKCq*h+9$WbBVSvV&xxksQXp ztqRw4nLNM9?(Dj=MZ&pl62v6NxpwO&+5bb@4pw_jCeMrilFBgl8j;xcATqM^p#A?- zNh>|u4b<&q^O%IxjtMtsdm^;?A@u?8S7(Cv|LS_az{97`;sXJHN+9Zcau_V@JH1{@@-2)!y#x%XZ4)8}kN5A}W@tzVY)7@w5X&{5zq{j(lI!#LGzOhe z{P|pXiOk63Gz@a*`d47BE)`U>&n)#24vAtc{eH#bi~D@MN0a^Wmr}Ct8nVBesa&>d z5~vj}lC6Jqc6;Lh;>6_vVdGrin75~Ycslg)^Y>wb$zw}>Wb5T>4s1z!yj6D+u|*4? znI7l0hnx7Yd}F@8FD+7G0$;gkf@r$@r(`ymvA+4H?OC+pKGBkAJx(csyS3|LI@&lApVa$DW6mH3cmd&b;5lORPQZ{Z+|RTkv+(?^|LkjP<2r+VriY?7XV( z%E4oK9)^oUc-lryUoeAiwGnkD0~c#-GH0jh zw)Xx|(2u2FZ!81((`Yc}=F1vR>)z?A^_dy)W|agl zr16&SJcxWpQ`&rl;_=K2oW}KyQ&VO{D;EsJFx;NiN30&MeRWb8f&-Oz8h&G)DElkM zu(y-8Nh1He#aYH#@nct2uI+kvXO&6$L0huXOstqFtJK+M`&^uDeATugKLivlz$-R~ zx;7%SV0XH1ceow&0rQdO^+#3nv3YGgm*SB8cX)h%>_9L!{`e2@F>wcP%*}ApR&H@p z`I^W0qF-6lCrqs_L@7y*4aZbx0%d!bVqmb&?bG$1K8_8Zr}L|gtF`S>Tv2Aw*q>8U z1Z9nhKSKAc17CFy zK6WA043~%J> zMn_SfPtPic(fRY|XD$)^>Lsl*MBk4B_0M2jp&`>-Q7CRwOz^PYtap@RC1bksFkO{* z?IGs}3iCsjvuu_W7X8^z-45}V70qp87~NybWs|Qat>211%3`n|O6sLd71UPfrE{2b z1VBDDt zIRb4KcoX?aYJvZE@ zEu1Umf4Wi?9eHv>-s=A@J!(g(3)el9o<@zGd*qb%06sq(+p-=@5xm8BuyV>l%)7^} zuwg1bYFV*^%At*WRhn_dt)ONjuT7WirOh1Q&!5idBev@Hag%$0@^ZGxWi2p!vFT7u zWBQf(ZL|iPuX;E93U4cT|X&_7~6YR7|~R9F=g6t6uRQX3-af&n1?)tt@WSQYlP^< zJWsCJJ&?W_Zn##YP#FMh6{9>@unpLM8AeyiD{|$eB{(UXf;YXz&W&@M?7Q^lA!o({ z>vNX#^z}2q3O-$Uy;wd|Rv(#5R?JKZTE)`ZsGF48)@LQl{r-gD4_Y*fm#wbsjXwQ; zqfQ$ZDWA;1iM!E-%d32=$d%;%S=jBR<0fmdJ3?2=w zIQ&Dh>i*^0`%x$FX~h?8Eq(_qPWEy+&X#aca^VDU&m;t{Rr+)kL?UB7-?tMhF-dJw z>ctW4&u+^;HT!TK?6AX+!B?(5<3CuNkyf3<0b+#an2^P87k8SF;##q4h^)&U@AzCj zRm(=v0w`o*MFEHCbiFOgwpHJ4g6%XoxRl;err*3BVB)sC!l#tBG-3-9LLBgxmDu3(;#j###G?rmX5gNkJe+SOmphG6LUkTz(-XY(VdkZf>&vt-ei4Ybp}-a0wcBFQ!%bHE zt1Jv~Qp$Z$;|NZCc^^a<2DIPB`1L?E`*`(lua!LPO(_rxPOB3o&28JBG|1IBF3+ zV`FUK;EstG+>MrRRSuA3%Byz+x9ZGkAW09AaPBZ&R6(Yo2XOCp?3gTS?GD;WB)UIh zBDI{Gig^0`e<}OLWo0LTxyK!nwEMIl;XU%Tn~u`Z=Q&$EmgAENAq@cXae$j~=icYcv1v_!T0(qr+-)e~e9vtnm3J zSlWx*wk-~Bkm&lLpfl;}Q}quSANR}O2BNsmmcMj7apSluwb9~cpT1$69*P5Pwsn+) zP-5@?H`PD8h%t{zwm`FUz*q~XXZzRN%>TR1bW|s#sQAZl@d;T{$A8EEYq}vtow7R} zx~Pp`K6`(?keT|J$aMTxU#>CdRPGX_)ih@o9=9R49hGkT zR?U7K(z17eW6V1*c_QK5{EkVF!QRAyu^n6&J}Qt*G?MK!v<}p~sPBR(D^mqAvRtWD z_)XnAT$KGlfp>9So4$lxy>uIsRP^6%CNnU$s8NY)DYH;w{jeSJPf%Fa%ncN` zuP)u3&rSAgvmFSwFFa<#5#HAkV8n?W^)7B{^#dfSf}6V_r4rpFVw(<>CKX!}m@B_HWnt8`JRVh6LKSjKANqeszbH614@6 zt;&ALI6u()Q)WBr0jA`x78vz!bqorPz#z@1OzYJzT5otmyov%E6RUG^o^(?eRaN@Y zdus%==HX~C>fZ_qOal#iD79lLOpCf_6tYWvfbAEb7!6OdCPV~y-x=K+0j+sP0E~i- zOTZyH&VXm1z=$@SvuU-t&GYep402(f;)uo^YJ^Op=51g?B{DyE9)WYOjvQ>-3U{G3 zm2|);yML$c+w_GfwXk#v3MBC)-hdu)KahmI!K1wMZnEwlv~DiuE6h^&gA%*WLQhQTU&u@PGJmf6vSR|M^&T zHm$J#Dev7lUMHABq$X3cpd3gqNGpxNzuR+=|1==Vl^Hy}p`Ujy)xu&k|7*@Wcj^(c z4`g`p52QO@_EKp-*Cz93;k_QJ#j7I;ho*v|oL%psA=67v5>rHwnez+!qT18RCYbo+ zZMUm1;calx!L{YLbewCRVuZ3?`%i0<>o(dABqW=eqy5UU>JTNaG8X?Ja_X7Wjwu4OE76T&caoQ+^oE(v|fzXE5A0DHq&v1 zKmxh;$o0)-+AJ1*KvqT?BwWk;$OC;zC_D*cx_^^@ z|42Fr}nCfOmhEUoLGT@zTdoeWtWEWAGxdG0AV_ zN%EtBRu^jN$kY0LK`ATMg1rFom#hE*DQO(*h8*M0W)l#EM2)3Dtkem74D;*33C6Dm* zejaSf+b}NOd9^jOBQ|dnm*uy#KEUYzW1Lji2=evgc2J@;;8I@6;Jq1M#>$;5*Ftv% zBwPP^+F9b=C{ufhwlTj+>^UemB|c8W9qjxGgXNL?Nbx2d!CI~|7O0B!oCQMu z``t5(dBK&2mm&BfuW3|~u{s0(D=i1=zmXW+H)%BrrRSF!n*)qLq)gd3#$e7SeXjDy zF0sdLGe!v?pGZ2bDZHj0=mUGk(|W*oG!3qqH64vr_`W;i z;NRnRkS<8gu*ee`J@6K2d;n`c)-5>YWfSLgLH}~q@@f-yTDS@%^VXZ}m%?18IKDHA z2Ct3W_@@@2n9)kVzSLYc(8`%MOX)1{h1H(^lOr#>PGczSurFe$CVm+$lsCur^b$3% znt9dn(+{NK%lHNAHou{GrwL_C-8eBa!0AdrTC{DzcjC5ncoRrMBI?Rgd;MoC>AF9J ztyi^|0e9+(dF@B!i(yR{U0>CYZ=a zWhBf(7|LdKtZkI$vjpD$Uo@8bejKD1pKSThm(r1`R0w-|55KiKO# z^dLEvg?W{4hca_Dl%)*f2#CdLO&LavBzj{~h6d;}WIU9%Uu_v!Fnh|PKu=(S_f;%g0}$lq&YDX*MmN`I zm*ISES`~#Qe0MJ@-qT{vR=CW6`~sF;F@|bdF?cLURjA;1F^!(ehuY152rT6Mz((H;te)G@4+TOdV7v`T8 zOfQEQaMUDZj(oqEoinI@IP9Y0%KJkVB?4zPrHi{=vsX_jETkSP1t?4Fs3mj4tNx9c zXVTwklRLf4c%G_qh=obA%l^7k&D&mqtQh7O^V2Y_+5CJyvZSy{p(nf~OQ=1YN44!_ zT194Z&D8?U3mv^?0DJAj2F-KOd=_e9pI>3_AE4wIc&o0)`UU~pSQ;5PW!FDzy*VFW z*a;ph4PMC}TKnl!fCwZp`qhrI^zLu60?HGTDXU)#dBUfyYa#s{*$)T$xv{OE7d*B7 z&rkC%?5Zcz)-7qpZOM^=&*=(}=+@=yiqm-vfZ&zR&3Q7?$+JAFdG_P9E(YB+@pU)j zEaulTS4v{7J6`r^1x9#ml~%se9glNUVPZJq=CLFFhZ~t$;^N0x*oXas175?TIT()kl)tEFi>9w0vr?M{|rr zt|1b#eF8_+1aptxs8)TD7wwz1&z;4{RJH(~gG`r^5IIzksu;<*WlA!#9Y6~07LUQ(_;=bNY{v^dJnb(^sLCr{419msLWVBaxDd! zh&*PS0@TBrb)x=2pups@y=zmG@)`r#=K^{1u^Y4HT0Px@uNm0_m|NY9@gQaYfqov- z<>TF)CR`7+{!TKFT( z8C`x%X48Ex$$%69J9aLA6S}4B^X8!?Fmsy%#z046Fe_u#k$4{epotTim;%kjmb%?Z zao^h43G$d19H+__UPh=TDQ_-v-i32ROrZ-Mv79&`s`UJZD7R-0VeWGn^%~rYuarOpQRFXNCD=H863uyXws{vh6%~Y=d$DS@Jt_ehvQe= zV8JKz8Bbl4$FCfh7r3}X^ZNafxJ^@7){HbK>3}ds>tXgsJ6mq;>edbYT&<~ZLyy?s z3RXR|)~QZg{@~M|R(&n^{5}0C{?ijQ(wf0wtf>1YNkT`uM+|e|b&p(XMr~j__IjCU zE`dGYxSS$o{s(pHBAYIKvcc$&zKqG~N>WC=>MyKd_i*;ji@79@yv>F>qsiEs#PJ@rgncjX66}UfHDeB{$~1#Wd$!u#!x2Us zQJJ-Rh2RBdV|h5Hee;m#MOxF!@MXMrYpUU13gQuuVykW{o}FJ~5ol}g_?)<9*?8MH zUtb6Ys6-?WswJJ{=tSD7Vr8GT8m2`qlf)K;t#Iy}sCD3t{&1go6NPsq?UVxwfqqW% z&OuW@1+BHF99+nwDP`ehi9>nF1@-}K!01jgkRWdqaDk@yKhS!!qInFp!Ss_do|73HRp>S#ks zZzduFzrvq92Ga;f4@M70t-M6rW>>4WzuK6hmt%}v3^NISZB7r7?cvIU4_R2-t1!31 z9#wzpA3v3}aKtoFwTpvVeI=4H4$I3F4LcRxAodOO<=bNuMRa*%b0c5g6v%SUwm-|aSAjxBrCJ^KecdmT>Sh5R1 z-}C3+DR?41FIFq)r<|Jgt(Dsd!_9RHIR@IiY!XcRGHW@-ks^d~v2ObW9S+i-7uzFXDRK0vB?T!w5)rEQ;fmDgJ&@{c2~ZB24@4`ewWmihFJW_!b%i=gjCos zcjQ@uT^Lu{_nFF=QtQMPEf!$hpNFxCCPnC3_brSI=ul5AyqEgisOG61xje={LNSeG z5lAxlcH+jSWhBcuF&wk@S&>boEUc~WrShQBET3`S%Z$M@M^rW^VYyie2Ln$C`>eho zv=KjM5rp43FW06T!VKq9rV13;grNcyx^9Kq3);pnvCX;5m13yb!EY`CbFF)>NAyk% z5LGk<{o(z-b_|5PKsu^tp`SOfH8sIiK5xK(G^W3Ye@>N71N9v%hVa*EWUa+;!<3C- zL3-GkN^kAOR)5|b8-*oAaJEz$$+3$cjl5}4b3Rq`T&PzbhbSdAv!5GYut{O$8ah%~ zbQW{VqF7TcTCaXHTRYQHo>Pro%sbicl9i0)|EVhdvUY_pWTGvW=UeMWGi@BE9VUKb zTPhCrWGX>SOF%VZJcO)eh6*ivtr{sN(%vder)XXCqjS3meP#m(*F=8b-t^j0C+Fo6^zMKy9oE1+e_iFf12 z9{OYUy$k2u+0My+e^D{9aL4Ps;sVZry=lShnVKZMMT3#INCyQ1%ZT6Xyr8<`ml>iD z_^2#GVHYZ`CtDx0e-shx+n78WUG@IaSjT#i!fGDs(xN++$1>LJ1^M&=c51a2b(2qg zZ1~B9k!^C&k-TMG;Mymn*~Df~M|l&Oxz53u^MMJ}Xj2NRi(K`Go53U8{>D{1NIUVQ zR1;su7z`aKEIcz$6Wk3{Vla0@OS5BKJnRPhQEBQP`g;Cl0S@ZIE9qRWtg}hUE$f{| z3G91}y(>wnS;+K6t)oVkS#PB~iRZMa$!kLoyCk1j{<5I+AH`HqXaN^^NrSq7EG}m^ zq8ebo(B}#}xGK@u$c80`MT*yXWmCIs9?ImWXV#MmC06E*r`!O9w0d|e+Sj*^n~*e* z92tWVe<=yJE~W{uRXC(L)3El8&i+m8GS`~z)n!(SVAja3DzmouO#1SzDTV-}s0zLu z3@U~L-U?2-BqT&+o*BzPKaatG&bDHwwxMXRVu#W>usB84|!Ia4( zV~T!;1QyCxb+nQei^2Eow$%;W6f=W#_DLg_iLbnORj!!`9Ko>5oN zk#}A_EM19jbWi(3c+$MU!!K6pjia1{M*T&1mVdIgJyHCbBWWN6a4hXQVl~q6J5g;v z?0c$Bikqv){(ms2(T(+pg+}&QOKk6|0!Pe%6`laFb5>JCGUM#KJt>w#@A@O;RTq348eC+4it?7i+2jg z%|G1&z!?A*?!B&J%Rocv zQCOK`Kj<&FWVTgz3wV5u!aQZ1;dC^6*Oc8OhpPZSf@(=m80|Y1eMq7F=EwgJAGcJF z1>Ws^e)%KsX1?5xBWw`1cat^Wv;e&uqUL+VJ19E=72kEqg#79TB)F!f*+nw(2KW>) zK{U)9+%ck0_R``5_#%bH%x>C?8G8Hed8NLd0)i`-XO@uin%r@w@^c}T-2NiuJ4}CG z%9Zl510v;_a|(Q9LZP>Njy#*0?m`sZN4CeDp&y~{$A#2%9#+VZQw{NJdt$^63br4f z+0kKE{$fjZ)2w>SK2r%68i}sj4>#``-j;qhh-2k#O*;GT@`TPsHc%(7`H%^hV`*@W zP|H*A!}1b5lkTPS7-@dZ;A)|dC$G&(-;5k@JbaCZBoNC2N_P1)L!>)Ig|?(E$J|!Q zy`B*Vl78$j6bEB$4&<+#{7_4DVik{+jn-xcRq^b6?@r?4k9PGG)V}84G0`6pXjp&O zP?xQR*YivMZnJ;`KkdpSSstU3wD>~-e9Fdt?LiTG?>0x7NQBy|Oo!^s43_aoq=VT` zk*eFjVSQZ8U(*_2L@5CQu(0KS>gM0ICxStAi;#?`(h$`8Hs?WG3HXz;gZS7|lc) z5Fx~E9Hu_~714j!FhlxUsqf?65uU6pe9f_bZLvt^jJQ+_K0OP1>~TW0!F6K}O2gWR zDlSFJs8&cBAr65Kx@*|rg(6f7wVuqsdRb>@Es}+qeVg1JhV^=v*e~R6YKIqV3BAu^ zs|1nsz$!l%f7KlW!c3BMYmcn6INd%vCX{PJeE2pK0#TAoxkSFm8H&{-frzO2N&WulTPi- z5t~YwOCu+d(P8lTnFb;!^$@~EOT36VTJj;YNBhL9OXRbNk<3}?@8pRvxgu474Kt<+pdrP zidXyJiPy5AQjE6YRs7{*_R7loz7?p^DEn2JYr)m-gS}pJ&T=MG%4d%MeH!7W`={c! zXZ&b#XuaAdti}bK^y%l9mo6L-3v0Jocx!${(IvIK z!M&jG#Ab7W)Q$ttD0ygTXa*pPGgG2l2xkLgV2XC))Y8PN6e!>=1}#(N!g&=fxwOqS zJb=bid|r+ZCi#R!AV3A5#`VlrsreAjX-HM)-VP&jk?G9~skya9$IY(opk+4SS>0## z`?^rtX78xNCjiG*HqTbRm^M=<1B+ zEX6cERm8^BOFUWwb=vc$qV(eLkB6F;%%lq#o9pF(inGxd=E>2NM#Vd7*Rb0*pv#nn zr|qm>`X+?9F9R^H)4k;9?HLfR)7Al8INbqS7K9q6-?UR=D!?908Bkq@cZhZKgS|cEUPrj# z>H0|hxMyC_Vs;gWmVw1v-AjMP1w}t6lrLQB23hh^h0VFhbwebSo#+D% zBojfKe^SbC9F!e1Pl(^c2I2iKP9kl+Z?<=?mRHgJ_^Zk#i{(sg;1^)gb$jA= zw{n;fzo|n&xlDQLgz71cS4*tG7)`5(@v~O*ZyUiu$AoWoM_w8P(^Vc~+9#!|mZCuN zcVHv_SvT)Q_$vsD1}GG-_wqn6O>T8Ky7DeR4A)2MT%3L*RsovBdgH4W_-T7KAi(0_ z<=;x=nq#IVP$vk~gEvo|I3zQCSh1txPvhjS9RHcp+F9ZCyr2}~MYLTCsl(jR)>hFx z_gqORdfXnBLcLwP29*-Oy0F9tCHITA4NqrZ_Oj z_YlM$q?-TTF`;x|V+0W-`8%$-qJ|)_Fx^=`K*tArxi0sSml>}Py#gJ8-Qj52xJz?m z0A?rU1=A<{j7=?n@$P9GzYvJ)2nLYCfH#zOURFjGICz&uo4w8@R1>qpvt>dz2{lOR z_C%+oBO;uUvYRb?n1%ix0zw_E3cA>5+VsVnXXIt6owCkiP&?RqWn$GrTNr=R?TP6f zi?VEiVSeN3@oUkB?1gVoF?U}CLtTd(oEd9~FvD5DCjX6O1M0@2bMjJ*YqlWM!o@HM zNejY$r&-5f=Pj)>CeS8qHoR-icQW=rrVlSHK07|ek?nc!d)AkV`z|R3XRj%P<4U71 z${JizU>nU-(^@BxlpJ+9odeTt765wZmJ)W;6X3fjoR1VrKzpUD@Dc67XdcEDkPW1> zW%Yl05#0JM(p+rF%CqJeT`_R-%7EAUOnKh=yFCix;vAIf-#~hQ7`4YDlxDBMFuJ$w zWWQ?0h1ZG)wH#*_`g{Bfb?&V?AOQ9tAB#NL0b7lQTUlnU3t^~E>)^`rpSMpX_8Yzs z6Z7|1GH(@QGCf9pqu8EoFc^*bg~P6b20@3n$aaomqD3}&F(vV-G%oHG7uTHN>)n;2 z*XhF^g&~219u+FZuO!4&d+aZ>nn9M{;oTP1f+>7TV=ZY{*2Fu{2dn^#czz|1aaNu~~U zvcG;+I&!iYREkK|AFoVNRvNfBu9jF;Fl=c!&3Wh7;J2VRW;c~i|26d*zo@vX`r@r?$d4OsUdB#lI(vbG`0o_T9k2-(OXhUIN0q?L=5#C_&!IE_6`q zJws5QP!t@4rM-N92v_N0K+Atls92be0y^+*inDS|eN*!-20QNimgl>nzx&0v{S=%S z&$y~(wJ@v@)@_ULyJ z*o7sxj$3@@rFW1fGO3gT9maaqa^yCn5?Di~Wofxyp#Ax;^u)* zAxf^0>%&z5on!4HQtSPhyfhwe?nP90>Ab+1)Q&;*^|)|UKi5Zp){XdWcjg)V4`1`* zT46W#HTJ8wg3iLzKwHGT=25@HV{4=OQzB;blW&l*ALnrO!?mJQQJ;#xq{a3{d7*Rq z1h*}2nYCx%{rvhxr_z)uiB5du&APPL|BM+2>8FHW)lt^en#|J?)>i~*=HFY&Q$mb+ za;KsKS&3oW&oE}-9(xoWKiTA^_}$^v*T@x?mnkdv3m)=7{xU{nm1L6mS~f`DO~_0j z*v#5R@$uFK2Kx?=v2S}&-_pA;3dOzZNLdVeoqZMk^whofi;*Ti=z6ia40TAo4xxjR zj#5P;tq)z<8&}8MVcLBjqrda;*tyVGIUg;<(!!-pRCFwJXh)Z#Er%^W1Ux>G20dfk zV>?^S9mw0emgaZL*-@OhoSTo!%z}lc1j|1c z-CPA1MA*iK$sA+ONobI;smt>oj9HwUv_Zd@SpB%B?O!eA%EW959CuQQuqUzLllI+A z++zHfpx3yo=*Rn_Yn)?I!sY2BPfA+PK>qg)ei|msQ0Vmk_3B2!Leqlf)kQb`#4l)M zU$*#uNv5+JkA>*p3Fv318X*4%6C;u82b7+Lvy{C)Nal|a?J#45kuo<8y0JcCIJQ5a z=Vn-h!~Y_S86v^qLzJ~sb*53o|ABcsazBC{yI81l1(@2xz41-aIW6rnPUQx{nczV_ z6nXDbv{y3md-Gb34^)(#xe%(nUM8U7)x!Y~YxnB&Z3GCqV?&}$VHiVeA+T1i|7V2k z#0AJo@%_Xa3yMTrx1+jsvF{*JQUz7^u@0+V8+w570q$a-~eVzQRb4lY3P(sUnpSo@;MZU8K>k_?s!MdGZePdtiG6mT3r*KaK z>PyNUd!Xsd;}i!&->EUnH0GWT%$P4z4Ot71Mwfj0*}e1ulkn|1f~Do0UianK_c=YYY^JXWfZ)_- zp4q23Yo~Dej&HD|EKz(9hkCz!8|90RG%RA(187CjUg|@P$)As3@Mm54zpAjtz#~P5 z)DvBinIh33Y!dg|QGTU8G`25f?8IJXE%wiz_+Mk*QFXPM7A!A8C}?rZP*X5_)yARt z;Tv|xvn<*PsJOXv80kc#xH=FyJ+27p%bj@l1+PThzbllFZ5UbXwIEYBJY;l&O;_R@+uQ^%uBK8V~@a{2RF!m2v+cJvnsKOov@&iry?ZnN(P?nb1ZdB_)fdekIB zLGVdHVwQTynrdQ}G4dAi^;2FGpM6@wHpf+-z45c>5*sx7sO9kFGMJ@qUsqq&!JMhx zYPEWYHKUXwyoFII(K-s4_H#<~vzYdai7K+@4TprwZ@q{W-*@&Ox&3_cT89VBGQ4XF zZ@kCEXXkUf3#@!vXKG7h)0(sdc&V;Oo^1k<;27p?QqIVo*glmO?Z>wcUvTF!{}hgF z_b@R3Un=&rv^0D`K*iDpNyo1ql1_~|eZkwAnD!Yg=!nb_D2VM7Z#%JzdHk;~l^qLl z`pEulQ$X;Of@hcZgronKIwhF%Wf`#j)kcYAhqyY#!AirC+<9k*V#B)gCs=ha(VIZ1TJ7B{obzM764U_u zjHU!vZAF3L5{t=X-$AzGg%)&qG)A`WQc;@$K1;V2G@APt)0cYIJ)vlrJp2eHTN(Tl z+#Wy%t@yXD_)i!0LAB{yz6)Yiy1h<_&18OY(wb3L4hoU`wkndrwF;%+wvdmJVhpJC zmJA|{vfQ`bUsB$+fU2ogN!Y8pL2KJE{$6lz$JDE;HCJjwCv%n#s-k3;xbjw8J>idgD`K=>M;ex z2onl`ZT_k1gI{yZ3wy(@H*Cq^tf6?it^SH9b6WYPLT6l`@*eJC(Xz2~%isc(t|V{- zZGMwYN-P8MMPC$JbR3FU#jd%73`x~2sB@K1M;3tuPzktu;M+cZsQR)OLj887flSbs z+=}@xGf*hP-2TKVc^q`rJI%Hl4YqyQCpNX^*FaUoLNOG=Hz+bTs*=`D|Ghh; zCT6hheB|Z95pWX@L$ep`g%POaI#>k_3gooLt7AmvKT&-cpcK9jG#H5gPBIJ^d3{$7 zTwBw3rGNgon2J_NIY^UK>Sf@H+D*K{LuEsEJ6r^Xk_X@yf|8`7bH{mbF@0u!iLWl_ zPGLqlgYPKK{5>xGlYS@;8cm(NE1maU@HO_nW%>O>p|1|#Ejmd3QVZ<8&`{Rh*Z_Cg z{`LOlGN^c(b-By#kl5vMqo`M)M!kIoSPdVLS=uD92U0r0yZCsPGJON{VDF%xOGO*7a{6O?ViO8&sZ*m8B{VL`{J}t zReAP(bDR0+}eOH{ChPW6o4m9m-EniuH87W5tdcQGnwG)rG0sK zO&*8I>$%F=KtlJ$u-Mx1{a3yxHHvK>4DJ1UvM$TM53bJal0J;HD#Y5SoGAC<;$^lx zdl<)!iH(H(l~2Y;gjbCb-0}q@f{Lqkg_;YBn;EU@(48*yq2PTY`5~Ndi61hd`ljqIKy`{?7dy2{Kx=T`sToDBe?=8 z?RhzAEDD)kJ0*pm9gg`lR(aZTwzeDat#2?~YzEw3;|-O2`vya|-;_bu#zgk;#t$|J zV~^ANL;0_`O7z#EDo%LB7tsDwb#|4v~$^sc}WM)EXpp@z;U&*ms zW0mKJ*waUz;zSweypxP5W2tv4oZn1jWv@jWpTd`=U8*E#M{4wMgF9c!wz>^Mb{_mK zX4Y8*N|gOzy40eDl9a&~v13cM{6F3FHh>OA@BDLEobNEsJ%Y<1LZNo}eHX}@ZVvvA z__s!7Z~gF<+pi2UvVr^sFZabm5tYwbr)s9qOx7)z@X5s~a7Ba|Mil+)ivmnXKGs6f zW(>BMWi#?$PFW#_c9$A|ud|YvMO|*0m$e(?oCU4+6GZ9hG*E&y+IrsCvSiD>5FNgM z;!Fq>)qqPT6e0zj>J$pB9u#16YTa$cMjTE=+&6&#b5I@_ed;jpW#aXnC?!(CAQr!( ziR+8+WobFTec&!gM50J+dco1rg(J4^G`u{R1wHeG?$r?dc#LZov&}!Jy{lPaTwT36 zFs$;W+b(M<%a6k>%pBVe^N%;M#Iumg`XzrO3gHg=E93rK1KV;P6h(WHceOE%DwR0u7~Uq-8+p~~*&e2Oqq*x9%@|Rn90I#f zV$x9nF$rZSF62Rh#O<5UvNU*qdd)39ai)A2nN^*aJ9!=*-l%KbqO`kygh9YCx2yd2#DSPyW2apLrNFgluX3r}XHT=X?UpM|YDn zd6l=``xJAY*~|0g#I9+Vz0lXX%m<8{^0T5CU0kHsi3tGjLQqqm+=Rc4W9_)f=qJN~6X7b3Hwp*?0Fb^d&ai zI!_v{pDVG8@7~^ihF7F_>PI43E(QCV>b;|tJod|izqY)%%fs+Dd|Mm2n?qO-e?0jG zq>#Q`Vxy;OqZJiNl(<3t>ma&bbAj8I3gmVhzqxWyb?pY(xZ;PeE=Yl|IO~U`{l$3A ziY3PR;uFT~PVK{m=? zDVi5>hEFd5u>4F+$|9_`cz0pTyPUZ7^bq(;qT%SR3)C;-|Kd&5OJn?*n>dp9nC&Rl z3N#2SX?0Z8^Sft%zi^!iop$i%0qvL-?k`CcxOeAORD*x+Bmz^%A!)AnJ~tj8>f;eT zyE{v|i8RM&~=guq~vP>xIR_0UQ+NL zJl`pkQ?f6m3s~;#8TkR^iGGveIP48u#S92S$3fVCy{JM^v2d?)w1p?T$%=_H)eQ|Sp#|+=R5kEsc zzzs&an2}40`wQRQe~Z%(0f1@d7gS#|qjA?G$`Oz@06pnH!-pwgzAS8E%bMM>*tiWvX{ch{bE=|{$OxLV#Cddp)@xNkT z+s75~)}Of2WWObjA9Ak*902!bm?io9wlkeQK-j|Non&-C&kwGcb|)oE^q6y>E=LmlvuH1lXtZTNe}@3_-tk4NFO zU?K6|czM(oaK05_E!hHd+o#41a~*G5&=e~NYpWf2Dt48fGC5_yAv1aC?mo^J4V4*w zwAU3*=Nm@vf3c}4$RV?bQa9LFok#f<8@R5s01xE#^vOL_H=mKp$|fuB${Z1lc)W*l z514_l3*|2!C_7QFx_{Utd`}YYy`S{1N5MK9y*L>Yjs>gcGel6(RL;y)1V!W(<55aA zxTOS*(N>*$fk8j--Spqkw*#N)Py7_adj3~;Z^nID?NaJ0TbCXIPli&ui_>{|Yuso4 zQk~lmdHsB*-s7%^BprWv%Ewp>4Be1=7*YYhD1yM0&ZfxHB(|b_i-_`SN&6FVscJ=9 zq%Z9(-+0!D#go?NUi;4!a`TkMB1`9~?>_&)o$4FPDYEB5`3uM%b;Q3P3vO<#abW2r0Srt0#M(CZn*q1Hv)Z+vD6i4XxfI(KmmDhdZiX|#{>REY%7q(C3fNhAg+6ci-8>AgTw|YZ3QJ4LSJ0+^#ge}-(4m%&&nNgyV0d^uH(zN z-5w^jXl`)msP6$D6&Q$Fg8DE>uIt5qTafth;^q}$u)33i|su3x$*bL9RkgRL1~ z5RG(%OM)L_09$ZYu7Sm@u6D3R*WBya*ryEtTPdkct$R;J@?C)7i@gB8IOf>hjf<`T z8UIwl!eO@oR8Hx9v1UiR87u`h*bq()5%PH&i?v7$w^;_y{T$s#XNyDc?u_oa`e)ks zFY+o;@rSOkYu|(7@I$Uo>Lk0fvZwhy$qbnnVb?3ii($qt{SNUd$t5WHoYDwJ+A+g} zD3!+!FNr)uXG$Gr2@b93()q*Yw+`)rL$lxzell@!XU>j4l}Vt6=Iq$N%o&eP2&&$z z$ss3y;9Zxnf}9h~*T{wSBooBk4?Ef=PEaW~b?)lMb;Sj_^b3@JIktDi2mvl-P?H)~ z!5vhvlHztdM+@b<&eclN_35R7neEAr!&uz2i_Str%E2I$|DxrW%5KiSA^c&)(QI2n}yoI6wOKCw%;x~9rZB> z!=adb3zm#yobN$53wz}LLsp6uGG;X6d)sl@; zU&4>ia(4{D+RS@?T#PdA5nkZtrs~E_c-BtC%cj+4J>ipFp1Q*k6rN9wI1DZ6QNZRn z#tcCOT{3|OuWE-p$&7M@Lq+D@+ec#gleez^mi zF$pQHRg_^nT7<_8<%-@qBEV{yEGgMGaqHnI6O2MF%x;Rozzz^&(qd9*jnLXw*VR zkuiR$cYSU%Srd&401tPhZ1>@$&qaM1?|Bk|umc$%P$QH}?4BEGQ4*>QH(2=m5k<%w z5RU8XUAJw3c@LrFQKdO^`@kM>=V3T&Tmv(slQ2cZI5^F|igkIi@I;@v;z z;{W{{(76eo=JgkoCUWn zR)wN>0Kn^$nO1mcngQTx&tlXDnMKu4voM;xT4HIb1lI3Um83^kB$HFm^4lNT58KWe z$bZx(>yo?Bw{kvH5k>%8l8~3vR^b>*?)ELt)TW%{tlKT8Ac!y4gpl1=9UEli#h5wp zG6aSLk8-Bq=cB-U4PA`;=)qn#!H{`EU)%mxYqM#{MHm?j+Vvux<4#+i0qxnkuo^H} zkAUGqvvxc|?Z?V&<7Kos2sFYCc#ROy5*kI4v9|z_ZbH^xEuLsO7>RWDC;{bvK={{?)GyK=f{{KAuB#EhCZ7FR2O|t?SNlGv? zywb4kG@YC;pUVz;KDA#&P31XyfVp;z_hJCP1{^E<9alDpI|;4osEW+R%fYf&a_CU` z`=G;h@qGJx)1sSgkHn;GjkvG9B<^24f;si;j1?(QpcsHoZpZ7N^38WnZo1QSiBLxM zd)WVdz(}8_f4|9r%Gc-0gpMPA&yiH(&S{{BSc|&%8vcF<@W z9C(b6X_Iq$mpr6$dhtJXpK@kGBe3`#pXl_{jH9clocudbZoCp`Mwv@;KrWJ5$lbzu zV4iOJFU0#$$Re1MS`O0`fm3fa0=#_|XyQs*ZYTi|rHH{qjj(8c*Q~r}YLI^00%cSd$&+D|Qck zx9FPo#U9bh1SD#ut33|*G+{w47CDG^BLX`|DCbuFY_WbmGW+$XuS+Q0-9UT%oOcC{ z0mj>`9qi0AD1I!)mX{2Khwcvo*7dOe2#ymEpv-|`_YQ?cNC;kT;;G7zw)F7CYCbA0 zQnp16UxeKL9H9rqM#^{k5T(TznI) zb4T-RNlc<+*9xRMMcq0E-=>I&kKDq|6u%r0}Jd|NKK;6AJl|#kQXUP9<*+#0IF0C2L_JWzO;*5aS9)RT1M1F^$O;> zwBP_2eR{EcoDR+DpkNNKUK^^{zDKeQtoLk_>|2$D0>XW|)<3F3I7NJF4}Noi9KzMc zG1<@4B3t#2TW_D^AExFgg;dyMO!F31rfY(#Ogw9A+-GweCKN5JxplPFPD4{|9o1h= zS}VZs>IUI~Qr0)jiYKLWr34nB-76EYUA(UVKS`Gx@L~Q~XO6d;tbfxcC%qT5Y;i{C=k8c6O zbN^OMf{Z6bEC;A>#{mx}0l#=^S(k5T3Sy1Snx`e!?JP5y1orkIADpITs9dV41pl^% zniSW?MBZv#n(ry7e|^DI`0iEyQK+$m^&pcQkXu{Y;yUI7@U9`poV=;&r;W!9JAejR zrvHql^=t@}<^6$%7K2=3F|W=xkn~!e>j5-qIT4zCh(`}-_xQP9s09Q1_D-)13~9YA z@HRxX_7n35A@g$7VIeY8GK-au4Zgnv(OW$WE4TxA%GSd~T*s2fyd};ksP7p6id&bq z^qSL4tf0*t!2OfAO_05>cewKaHC#VY&54gTSqFUvWPLU-PM=-%`LO3^tq#cMjJ=VD z5HuTXI`OUU!Mb;cuD*60E?Ux3sR}P46)tI=L`VCA_!gnS;aG1HtrJmjJImvua{TR2 zz>bCSfWcZv#zO*A-XMDR{h;ysnU4RD&g>9CVEux*fdpjHBKYE38H8zL=4bSgAl@C> z9%Dtn&`;{5J((=?B~4$p|Fyv(*;HOPjm$S5*EQmG6tadP3A-SPmz{E%kg}5RN-n?r zD$^O3M@`u0-(Sl&*5uBu9)kPS)oykPu+m<&CU5o)gRN9{i?J2q2E!l@q1+!{1zhU& z`6gp&AmkThrgtJtI9ae;{<(}~Rto_xG zTKv>^Fj)cU+dpnZV@KxPcQDYGOrNc>&*ObA_(J^??!^i})B{av&}4*2?%ea`a-f^H z={p1zBXru%0yOhB;G3?voKn^ljatdc+KJPQs>N?hL%TcnScK44y(mE+@r^&!reEoi zCm8i4*~~(0U5&((KznmSa&8MykT1wod2&>UFyK)IXtkbx6YB9gN3ZyFYR3sHu%sPF zLlRA8msw12lwxE9?*RJ!4&%M3K|p~s%}aLXjb_x$%*0b2W(Zfe)!M<;D>*~Hwsz~D zpFB+7c*WWLjDq(n3XhiM_=?jFoJ#h#B6|-zX8`g48_&n|h_ZK2DpsUy4Nd!rX-DBb zx8LO(B)>au7=+^QDbbM=;9@#*>I|S%Z*IMkHI@sUBLHl@BXb3mYs4!RcKN?2Q0`;@ z4z-I>V%^(=yX5AmS83u2oOc%&rg{^nxJxLKCRKFrJyKAgY--b0kJkp7!^M#^o$9EO zpgBhEwOAkC5BmK1=e&94XD`8)I&G8uP8qoPjm7k8KS?t%0O~(KAj&Y85?x?OyZMim zi%qRQ!%+6Q8Ga^zp1E!!Cmz{}e`s@y`&)CRc$B30_~4&wU=V$Ok+WSY^5E> zE@Fhufiz<>6LFBNM+dfwJY|)sQ?uDqu-QaD)%YV+k3VS>v{_O9I&;QSmM*7@-tX`< zXqmGdWjOQoCE#8H;>HMAxBjVW2O$APGTqTNa=Uj;bdpTZ{Vp^?FTn4{Rq0+!bncwt zk~$c^?fD)Z{=HE3LIvPIcN8_idgflqF0o3Ui>smRd6>`j5aWH_fxv|iusNoyI~a5dVMyO7F8nkwFc!TIShUAJ)mIq`5RlMKNOaq ze*$pm>n{SdKkH@#6Ft|(nEB1y%RK2i=A|lvG4od=+bo!Pv!_x+S!SUt`6p3(knzJy+* z6IU3^j`m=xf*tT%g*nAHc2@N?%OrPp({=#%P(LyQY6ByM2LgQLqe#x-o@^n7J415n ztl~kbI2OOEr-kB1cxbKPVUKWvxjhQJUY%Ipxeg9XOvPfqcW=&?#cVJzMgjmu6l|#; z+gERBaL;b=$aZ^h=*eSO#H0Yoz|AAGL2+ruQ1!gl1Km1mTIA4ARGzF#BU7CWz z`ni?ow}2`o>kbh=LdUOIV_bcH08|lezwkpomickH$&dC9-I$?>4y_NMS8VMuyf~m@ z(w99#doGJ)80PoJFmuu4#MDVpKr^o<>c1v*!2uf6^QTf~{~|GItp1pl!w_^tlxN?3 zf8`ffp3_9>siBt{V2FwCsUB!32QlDTHw~{-+%t!xM_ix^t~OGMVzN(H1rMbj;i<_R z);@Zs%u}i}#fdr=Gu5!o%Z;F3t&#lv`cmJfN2m71R2_xceQbOrGo;SUjJafTRcC9D zXM({};r@TKs9_C2LA34mm_|Q;Xg&g3)BU-NDm^N>ve$lEXIo70czu!w|j zH#M4W8q{dC=_bCu)I#WJC@Y;UJ}dX$6+UYZg$ho`xVBpXpR}RbJKLh4zcD-0LiKFP zVsnQCt=>Kxq1RB(@S`6-C~c)3Boo$NL|F-1;XCDCY+CPEoR`^bs62{3A(_inSBmt} zxA{hLDJe@z;<0_BqtdAb&qaA^aJ-4FMET~-dj42J4Wx5W6GO3}p<=YcUTay7-eJEZ zwTgwDWrluN@!2;{L~_CU{Aao8$Q5ZuAY%j43olS0h=;NHe8ZQ4~%m;;1Rp#y>c=wii3%C}-PY}JH_AW|K&eY>x z?_^Yb9d|P-c`a#NC&Dq~IUoa6|3v1`ul*Uf-JH$;Dhv4^=U63f+|KHHdamnu zj$^X^K8MMC#}SkthhG)S%V8fSV3_k2?CBl8-9bN_QnBO}BF)TYO728OqUK;A{rMUs z#Qp`@;8h~W`^mgf_-iMN(V4-~UI`%utit-Lf_EXLpmi51nBYI$Y#+I2C%ZiWCF+?U zY0iQb3gyW`)x*E$$(!lN4Cxv$M#-gi{QIVO0uDkMa-Qoq9^Zj7q%& zT6S15k~O@LbdTUs2O49@B4cy)a$clPK`evFd8niTYp`hHNZU?1#j?@Ek;A2l8OE{W) zV&alzVmgnP?1Eq6f9JU%@Jj;$8ql65?VO0`Md?Rvp%d`{<4N0?ovIzD9oWkd%lrty zrR>k$R9$iw2j4M=>HDP_?HC=+e+Q#eQ&St>*w|oDxHZ7{v*&SdM)N6`tC{Knw7YKG|R?8g=Y3-eCVg*b*BlhZpcTOYpPM2|i7 z^$%u;*wXG$+2A}|4*d^Dmpn@wN(GN>p8Hia z0o?JyRMgbV)fBP<5sZ49FGmfD0W0cQ6E`<#<0YT%YUn6*(Q%x2^Q z9oJ*t23cM3C4R}7%QN<&1{-iD%5+oyBQ0ZJsFxjX5$dF(mg+Pxm&P{=XxSz%f8X<- z`Y<0X0c}l~Wm*#sHli~ZDbJWX$bNdPT^khP>x3l-g zwKD>}z9)j06tdMtG?XNgJ_be8oNklN)?*3d3)WR>^z zsu#91QwA)lYx`XVZ-1DScuCozS3TsN%sI+{V`ikcZR1;@Cibfg$?4)=U&ak(VamT~ zXukVXdg!y9e6=c3mwo-+X4TuyT*Zf-Fj}gOVrp1^zbs_{rs87FTwPGj8pj}q;!({< zo+;obdE&#OoznYTvLz9*I=m4@jl8c1PTl%)R{J}&&7k7yQ zivLh;zXLA9TOp%zc| zZmjv*q?-mZrROjKYoSG16nO$W_6!N=3nK^2$(70lh{heBlV_~Or*ywzh2DM?txg?t zGuiNTgbH(QX6hvUpnMIzP$2V@aWvnJr>uABCz$ktgDGlQmHF+&s32nzl2KHq<`SzDhbi{>;vGb*KdkdBhr7s=A1 zA;Z6jRGhBIwoeS1riif-ne`Mq*mMZ^zSkUz3l6%P)|;I#&2KjT;sV68RA+=mK;kqr zpq}b=m=VjuC=ig>@-DCAV5y#Z5dpO~o&n8Mw_c>@-VHuZ)l&E1c=$Q-L<&;klXe*Q zbbZ_8M3PC)ii+%dt)-%r37p}2TE|!^oqcIDo zAeqygig!~F-b#zibY-4HjL;zqa4`*45sfRl z?W5|Ki`2`Qi`?%YYf=qydEN+d=V-sNqOI)9C62sID3hLe3troYx$|#?W<}=GJT_3EEwt-Jma4U`!iwx{a09cZN6n?ClGu} zwgL(x8K4YHG7nP^%0g{qK|7x=P~w{iM3agy_77H{u^8wHZ2@~DCm*pZy>0<4-36MJ z>1Q;qoTxM@XgO(~+1bgmO{~%eLuf2OW#9~G^Pufr(Usf@3QS`_73qM-C!Vl30AuGF z4#2h5krjb*7Hdmyhu!ziC?mt!s9>zG9HtPViFEB*}Lq4}) zT;C6`3sfMPZREG$WDO*=W-`nR{Awxpy_r^6@|^)JSaVSW>-c+`)_zy>xS*|<>yd|e zJlJ|QBV`JxW$1gZvOqfqFCFD1E@{+|9r<^djPog zL4cDZ2bBej)Uo*cwO7E8)qi3#oq9n*az7)S*LI@T_ZCZO^99$G$B!v!oYj>H^7b+z z=XtJizg@9*@^Nw$xl(>q>+)&pn@nKPZpLZ70MS9mvlqp{gKSrcNFBmn+}X;-Xig)i z4`yEXc`ST@@!Lj$WR+wItGLB}w#e3t*A9TYQh!vYAdgbg%xebY^f-)bp*^{t`&B@S zMAD;Cv5GTSxXDi1Bo`h+8SXMEKYQ?GsOE((HwPN$i^{$)lo@EgE6G#bZKDMfHGXhs z2P0F*bhw8akhU*}h0sm}<(&tLQC+<87EGI!8MmX@ghQS*P4c+PLASoXduwMM=+^c- zx8C62xwZJF({y{XgNsX>Pi*<9oY(x7O7Eq}1HtV;yZAb_k&#j7?5tzqT$z{6q|Iwd zmTm(i1*u4ETHay2$+xpH>K4#3CR5Ak_PXz@6FBKaXDb!FT(olX7!|`erMtJbG>Z`{ z2y^OXq&EG=hYrJ;D9`xpMI~uNhicd(h2b zqk|6s&h{sj&w+-;kH80}{UUV&X%VqwY?|;B>f8e)rabHTjD>OmqCGP` zV!4Qs8{GT!W$;1neEew4*9MK1$LZ3Hbiko~MMG15ioqr5VQ+zEm)Fo?QqjYGN*nz& z44_YP%n9&;(R!A;G+`iQ(4(fdU()gpzJgil`!q4LF?CRbDhN;(jjE$u@CeJDXL3A$vd6q z(jYQ+TRcg;!bBjYaFy@lDDdSEQ&PrLzg`gey6NdK5SjQfNNNQD?Z+u!g9*?FA9S=J z*mT$|a}Rfz_%V+zgJ|hdaIhxT*Y)^Y+ZE?rnzToi5`C8MBcD)w1**UT-~)R*^uf%> z!bXqm&s0Bj-H_zjb6L5TcXu`{6H3Q3z;wv}&zg?OPDoWN1NdjMpv?ka!b@C{2ug(m zH$U4eMvs8bR+01r9U78K?t3giL)lw#wMJX5Ykk&8;hK#x4}fn=nv=Ufe$&llvfX|T zypP^<-U|b2AbtnDLa!|fH}TwiPakM^F3+g9)KOw82#vX+xxmPa(QbeUKVNhW zlRH{j!@-co5LRQbP)`uZ!tPF?|q_@5q4^xVo_10>P0~=pn zkIZuIo-SPg8QO4@?y*)~L-NEXV7%%C+M~}7yL1DA=(OpR4<2!Xjuczg-(CW*2pLt5^0+O3N(3UT&e&Vck&1>1^;HB;_}^ShxSqF^R$$}RIX4R$H%Xwb^}_0=)8-ssOO09^r5YS zc&>E=5smf!eWXFNG9b4o3bjJ3GZiWFTXaYIC-U^LBa-;>;>fy!4!I{NV59?(_3jwy zu!33@^qez*DdTBoX~{wAA*Ip>-twE4!@Trb8c{eH4e9J<0$sh+3gc`YM-}t&pn_kV z14vEH0D&A++0h5gp^}j5T<0XHTbXkeq>r##Lm8(-&6#Evz0v-%Kp&%PiA-9ecfyTM zW~D`Hi1>Yt=!9?g!VlfghjbukoPY%7vQZDDGB=8zOzq<$jdIb2WuP~6&>CAgIKX#u z_G{L(5NRCS11jrPTa4?%;ParhmcL*2(cpqHGK3W`Yoj8G*t8HPJmmo0#>IZMqg8l_x3 zod|7qIC(#(ZuS)&MZ$y)cPzQ*40!@AKfG|;TN910JR4?l`LYYAp$3W_AMzbl{%P!?WkV#ELgouAHc1EeHO(Ysz>kt ztu9pl{Rk14rKaFmzFt7yEXX9Pe%SQpu3B(`YsOpLQ3uj?iZScP)7GR(Yq}s3P!@xi z_aeyzWMlvekOZs4pz*l0&1 z5@7BtKtN2VVhs&7$*4=zC!BQm-IlIdc@l_ftIHrCcL>z46)-Vi*G^dK;<*#)<9j+*i4G4)0zu`fB%LhzYb}_-JF8#SFq;@iLn8w; zAd{;GGLf8$ad@DL8MJZKie#ceqRS4GpWvxWG$6F0pf{~+GQ@fx%cal6!n@^&%XRQT zcSi+9GT|iWO8Dpiq>>UARW%XCH03n8^kK6Sy;W%=Q-YQishoc|NGz>6UzgnnO0nt& zjR|QFiBPZZ(-(r5k_16&>EbnaD))AkXC_lPQGJWoQYD0jddJNB2*P$aPqMNkl6N200KO@~6lgEW~H3|p}M9`Fi~@u^RZ}Ag&-wEMBS`gl)uF$=vgM4 z+X2_E27E5Ak%Y}Q46)7TTC6SJ*q%gVO~P5YlU~XuwG>!S+YI&?TPH`#W3Qx9J%Bo= zA0@}zA^Kh_~zgy7LS^6n#6pIN52XP zl!-O}yh12jn-rmF-}i&fdEg^ap;w49x{>w`8Z^qaI)6J> z1(0K9d}w-Y4ppwcmy(7$peS~lvDBEUHb`o7`FImJw`Fv4!Lc28@^9D59CEF4LU5a& zlHI4kM^X&HhfU#R{PJK5*L3p&TOkz{gGtKYeqs>hCl)Xv0EOcXU_G9&L=Yxn*k_N4<9ul@asQ?O72^X2h1r?mGppar%Tbqu|+!KlRjv^6%vGKQyf6%Y#YK zHw&O|&j0!*+qT~~o3QlZO7G(ZV}Tcm2;*e_g?}oCKqrq|LOVe zELT@;U>WRr)_qe8Z_fi?{18G40sZtpd~s$vActNnxjPA#iDh+Dz#Toe(Z9h6-0*)y z2RhKcP1y&%D{zoqM(7gjf~3BFw;xvn!~PEk`Oky@8Sy`+@>^K?XL0`7RsQVb|C$W? z&m2HSF*WYf?Zu^~H{Vki{zaRcoBO7xr{^A9faNizvb@X|5P@~L_dM=hve2oIf8KMJY&%yOziPzhh5)RCSKa#GzEJtQR^ft2)BtGUwEA%ioU zS_TKKx_o-9@;cRG%cL-C0pOr^<6D{nd9yaQYV2Ie?L@QfOKBbF^1e$xF<$5q3^eq0 z!nusfH@miE`4!w;D7l?xG5i2rkp24wqN%els}>l-z0ha1Ym5=qz178tJS+OZ41qlb z4poi?Ml)$G=85nF)9N4_*W)kgRN#4ha+VK>%&PzO+XZ2?u#O3rFy-Pc7Y8i#M2qQb zPHTQYB(&Llw8vroB^q3?k%0hn8C{UwLXG5@`sWRvHkKX*7YP1-fmW6uA6$<5^)OsB zdMVbrz*8j8I;T$s>CjT^bgWiY^>HKc?7huJt(YjgL)%@EZ zzuG4l{(iv=y)~^7FPcl0m^eO+5ZY?a$_#B(5T@7_bGPrDRf%!V>eb1-wz3eA9}q~J ztxhQEt9Ww9lQ~kc>&?C2E~tBevd5OHa1U&ko+DTh*39sonE5|fkYy84pu$Zr?0^BF2cmvK;iT`Ws)#=gHx2SvYRrF+C&t~Kq_d>f_L=S;=Pyde)!vL5sO#ITEal^~1 zgP9sW%AP=v;!et$(bs_m+0YaE7iDe1rVH9Cy%djF@2vQ5@sJ4`zl6n>{nd4hckYBm z9^B;$^ovfo{A68l<1#7hb-N>O*xRR|wQ3f4Ll>m`JD zB01sF-Y0jqgV~&oof%r-4sCo%fyf^hg0aMctG>$6<3-^*{WqZZ24mSKVw(oWGS5BR z6MFObv2U}UJ7X!kJC;P=@(242@dbh+)6Go61Na2Tz&Vfi(h z%|-LBz7zh~v)LQ^2FxN_YH5G~{h|}j&f18Pe@S&`N%t797);t>%mywTd?GO#`KGyXF4~MFy=&ezAlgLhM%A1(4)baKx$bQgPNbo*XD$m^Bg!MZx8RY4FG16l zmOg9I8fMiV&1+G-Bnj?2a|g}>4Sb1jUwh_Q&dxcpB@S&|kbRe4GfTT+`5UTVV{{h516*u>lf46KVXx}LzI-^Ns=1H

aHDI zU`V}O^e7;?N>C{W+nYMj`#(5ADpN$v(1Ps~b~3P!d#Xp!)xDM%>sSgNDs~zE2fKAx zg*CpSFCBt9s#l)C&!NsK%1;AX;PK9~nzcNa`?qTdQ>y?*;I5vMEKrAP4!fWPt&44= z@HY)4RNZVDu+lICTH_q|KToKztn^AZ&^gb`5wQH>vg3!2MBC)CX*|fs&gha?b-SQ! zY^#>ENXYhXKXW*%h2wD#IWr@9e149=&z_ zLq`(7^vN&xMVxhC4XW-SRE8jzk-o|~%jy1N1Jo-fECNKtOmB$KtHpW>RQ_(Pz7112 z1JyRqpvhb42#}QI89P$obGhYy$`J05^w3)qOuC2%sL{^Ig>hz0-W};w5hOaxX%U-( zh-$LfPba$okoI9UTuuH&^+tn;4ye-2>{L_4KD(To3Va%G##<7?OnDf#a2kOtAkp)E zy`>UoneXg)oE}T3w%uveQZKp&J3)L>wsimA3>vd}cTSc=L8W zio6lk1$qO;FZ%UWWQZx6;`B3sr#Ryzu_Z*5u; z|K3K%GgEFj`-iLJHiH|;K^@G+UYiA=_HmgttovvPYlcLJyaYr&s#Cy$)=l1Dd5$1T z3FqlENdzSM{B|Rp*mx~F0ImSK73o0Tc32Bd)B{Te_5STh-T-s&lG5_^_}Zxadj(zM zXJGh;>#`TTAB7sn4ApCtTA~&~x|7VlSBi`kAwORP^-7sUudAGb3fnWfx=rlvpGD8e zf)sRERQlwoF6n@qVn7ur)8nkUrhq;aqoltIQvDKvQxZrv#a=vX&g+~^0ecRv`-sS6{F!Jq>r~8%Q2u$0GdoMpm7YVBQ zy3*sVD#BScW{ND`P*sCHu-T5ZHS6;mi%T?!Lae5R9m968 z)+~pNYNOx*xai**>uG7A9%+R+iC#M^!Hdl67EnhAQa4ec!6i~*9^w}wS2V9q`wOa~% z2a}R}%FySt=>cLRFFlO~w*Knlqh<(Ohw-3}Jy}FA zRYcJY=#S+n3up;&=4hqfc#H?c%m}*xBV}2Vn(MM5R$@hCZZBtQ^JJlkDL+g*BAr2I_c zumRK|Dl}>-kBld(!Z>v%DL(^Taoz*yoxg$fidD2Y1t+7XA&Gh&s6H?(s${#RfY`G9 ztd=-s0IrW(oh&QF>LT1{fsR0pq+(Du4)Avrsyt)J_qO5Wb$Hzx&J#GiVh1z9@&GN) zwgKv+IO!@Fgf=9tU^yrOccyna`Fg*9b-=XYDW&N$4(rv|tcUQ9B%N~JAdLm-!Je#^ zN=wUhlDru@UFOcPFF@DjZy(H*nr4|HRO-Cyc724K*zhmvR%B@gCq~m&UQcZL;(alI zbRAQ1h>+ZUdH?M)#3W`lR_ReZ=2i=4D+ax97D8RY%i4$Cy^3HK47y7ImHdUHziTy4R#0BG|n-n?K0k;a=sN>=!iJ)mq++^0)%g})vIAXOPL9;_wex=^# z=vr~6g3AULCm+*7Pn2i(1u6{^0a~I#_^YIa8)XF&L24ZU&6BR5K(d4y%*o;gVe3mi zL}#2k=ZWd4-l?q>pdVP|d^T~%oG-%uY0ghZyQhXguAW#N3l=!=XV;*aZXGI{&Dr7X zJf0P5D2lOqwsK$u%hKrFsDKbS2Af7A5KnDyBs`A znk1NCZ1c*`#>PIPKo~tMh&GVe z;Pzti*?C6C!0B%1hgb1A?QokumE1=Kf(07Ux3*C-(eY^Ncw-kC`E<(R;bv3^VW)a=-hgEai~k7eNF+-zqpZF?JsG(Zq|D=EzXh4lZr z!0lg0`A@L+Cs_L}bM_~-_9sjG|NSiO@OyWAGjnqZFI^u2DnP$+@boO{o*cGhRVq81 z{a*ql3Oyk50ZsWX2c*CW=k<*pa6tAd9ajQ`)PM41X#vTB`}r%t3L`te z{?M_*I{pWp_RoX=8Sy`+@*9c$&*B8z&Hs}U|7TbEvycBdfc~`*<x%n3R~+4~t`w73jo z_Y!U?F|YUqcF*u@VpJ`-iH`aHBKwZ($*w%mX}^1x?;QNU{#T288NGT`eJ%&#D@_6Z OQ@^ZpDgWZNd;b?C)@Qc> diff --git a/versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP1/Distributed-API.png b/versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP1/Distributed-API.png deleted file mode 100644 index 688c7c2e1bf9d75f570cddf3a92fe9d4b8ee0072..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 49935 zcmeFa2Q=K>_b-fy5Gl$Ngb*Q!sDsgaA7ylgB+86l2BVD8r4l20Nz_EN5F$-reLWsAHSoK;i<<-Zq2+*a^MtziVC}rX4>f0;r-zH5 z2k0gxBP=Q`E+YXKmXi7V8_?zd`MHUmqaDuWKTHGB>F59>S2(~oTa?uL#(G7(AVi68Vw7svhB*Gnhq2cO|Qd0$@(bTj;;I-BK zd{oS(@cyDMs_t$GLjw&fcQ1l2)?Hf_W3R7;fV+C=I;c3PyCOARePuk+I`(2%O;=S_ zReu!|BMV&@M=-ONrB{HNor9(w&?-#{INr_A6RRTXZ|`7%v(m>)E(^#^K-@` zKtC@}4PAn$3_{%l=dEEW?x1C9ZtU%ZMg+n=&GhZ9)KJb61Zf{*Cmk0l@qhs1Kp9Ov z6%zv;ZG@4Xs+TF=)zit;4UI9kx72XQXn^t12sf;!pQSUw9_J}x4@2M)-X>ah2#l10 zr>B=U#=ue1#m&rDUs6rgGC*I{O40%Et7?X~kjCigdTY4ZJ4hof9CXyAO;P$-3nbnO zrlw`-q5&jlqVE-G;%s1IVyKSx2JEm?LFs6_nBh#V#Qoh>?Q{cB(nfGG2bi&+nyM&4 zN?XU$LEjN>V5cdns$r>#burOL8hRKwd&BJ2-5k`td?1OLsvw*!;C9}cs_ri8nr?v@ zNgXG=F~LyV5DnBs)zQ-4QN~2a%|c(-)k4xUz|-7UU0UB4FQcRGs-tR#Hu4}4ER4LJ zB!C_}nmB<04bU#0R(`IcR$|@~UPfXnh6HUDaVH~h8Fg_tf)3gZV+tCXi)wD&GEu9TC z0}Tx%5k|i1`eM2cNMn@%7~IXt%1{dEv?|)jz{CrwZ-sXBbT-5~N@H<2Z+nCx%-qYt z5FTI$GnO*&c2#jvF>*Aug87@v=(xLxTIidaOFB6E_<4#06QU~V=HTS#X^#^#f*I*s zX<|?+7TPW@`Xl#d<(?d5{O~~FPT`;w)p|iQSlbuF@iiV!Cqmctb$61@8q8BLP?5uBW zu7j~exm&t>nWMziumnkQ11mjkFDY|`q_3#I3>d-{M0qPnExGxfzSyiNkI$*A-ql^*8513Rn~e zDZ4=Mt13!E+bmE_R8zy)O2PszuA`>v?J7eM^U#&{GBx$WU>(I=)!~q-GxM?tG(~s^ zXov?I*c&0?z^ZBnVx$SaT7ee+7-KIzaZe*lXhb9yDP!g=?J5@FW}szhf++y13$E`jIRSQH=1aDoH5$c!$Mq77v|_7~z)A}2H)SS+`xe?_NwACO zO0Ctj5jP6gB=JR3Bh>c`nDgw9=ZR_F7k^B5;l)MOo@yzvWW!4)e$!_8?e_kA1G_c* zqb_nkXMOsY<=x&4R4LWZ1eRHEmpDD$-V0uMmG!E=epP<^WFoKrgYgYzG77qIGD=Re zh;Yi=ckT@T`sLifF?F26gpq}n701oZof83lOHK_MX42G5 zbECCJ9OX2IPUSScN{5YeLMd1zuUh4igBCy+uFOQi!esd@oh?aLoKJ>E?Xc%{ z#s(JJdr7A*9IlhD;aLuqF5&t=J_$c1Le~ycB-;j z#72eftRbJIFR$(&ChGyA!=`$q{^)=qMdismLu1UB(<`49G5%Wy87f8$-Bz1l{9w_g zN%bk}WM(VFAzSDY$w(-@s+E(6;<=QhjD3G$edAV}qp)r86(% z$^Fo3PS5`cwDBU)w?yHPKU#B~C+@3Pi$dtb=l5yTWnuqTohBGtJfz1t>VuDZ*ehp# z{y&g?-@n^Q$;y6_iKk)YeG|pV=U*4L86(R$D|u)KIEZmD{>SI`U%EYXP6 zx<4wQNn?v*Iiu+P<&!1)+lga`oGy$5jKB3Lf#HurOOborZp!fKoSLuO#;)JP*KkWe z=rvFp_NZO$@10v;`|62j!@hY~y}!3z+Z;BLY%xUmnfX)ltGoDu8%a`rG7U47i65Cl z%1k7Am(@?CTp8j`ckj7eihQeHrF|t+LnjgY_tuTn278d}YSkYTf#S*Ocor}ouQjx@ z{BgnYflGc)g5Cp(R-u~T@8%!g;W&;Z4*P%gz>bEj`&n2M917Axh%ne_R`62mZT+b8 z9)9LrYUsbm;tPj4)>5>b|D#&@lbwp&vy(}m1Ncaj_nkQKzuz9KjuxqVBLnAg>~ToF z)}Qe*aExvASLvG{cPGCDEz}O|u7~a8G2yLYVL#^|FH?7$)SPzJwJTEr4xK$p=zcS8>_J9j60jb!pKovTIJe1$$fsa z#lERIizR68)xd*L;Wyu|PmYf6@2yue8pwCoP6&BM8D6lfB3e4xaXn`K+upncwyw7{ z?)ipr&2Lo)diqlb+R(_w8N27V+bAZ;5w_!9(ZUt|rh2~WgHYvo0=AhQ?<>}i;LH5P zqH>HQAgB6gR?rXyt>8BxBB}M+7ayw<4HOAiF?vXykj)P^*u91A(fv@&bciG1zCYlwwpvkyXC3)`AGSx>l)10 z#!o5j{GN~pfC5couv=ep21^m!@~Zhu;THHCd7~8ALYj;AGnp~yTP)Na&r>+ zJ~InADJ@M6cU@PperH02Em5ca;Ubb41@rHK4@eZec)ZJ8_xtGj9i^RzmDYNqGBj&b z24Pj3Hn6u;vFJ9JC*1d>A5~&YV7#PHB`-Rs9kU3Nla!x-M2pN@2TtWpv0`vr`g)?U zJacQpL@Oq;5-v)*n6MPfWtD4p;|04chpAXT~7u1hm0T z!2w%>i%=_IUS`hhD(^Xez>jfmx|z@mvD;B^x$|R!$Bono8O9v&zkrrFwto0MAuc_* zx?aB@QUx)Ckypv{iSljRY-_##!Bn`XURf{a4Ch zcN#g_w&^)==(#3l8+Sc1nJCE#rxMufPT3iWf-$OHY9)fHDaZRyTTy0CR?9rX*C-2> zt_9Ma1f)cif)l$cK|GM1jV$+Fq9pWD3MG12Wc=o5srt>1N$>i~pIOxerxX^uBN)9C z1-c@&FQd$n@loBYU?bF}!gw9yGjbABKN)Op{#4qR8DwERf+W7Y;#u1#R6YAV=HbQL zUy}eE2x#+Gr@GBaw-E=)jUoJKNQYc&=vHrbmD2v^$3z1_izn>4y*%NZsiIh^{Biz; zi;PTK=R;mz@#%oGeD!2uv$;t)F}E0azt>VA86gR$$wz9unux#Cx{s}z%AfDnI`6^JorF(l z{V?A&lz_j{D%afji2>u9V(I9z_vmp3Wn!NDX8=+C2fTF-MxgRP(WvU+c8h7F5*u75&`;F;cUP$Jv=K*W2BOL=#y=Y})n^!WlO zwLdwdd*(A4%bBc~kQ%?d2q|p-CqAXk)=7tzCF)!jnI*1Z7-9U@Hc&APM!ogJ=7evO z{Fh52ug|*?Tf;tJ?iN3N{h$KI80z;i7fCt5dCH5C4S4EbF-JQ3&CX=Px%x6^jc=qO53 zj~9xw*|+xGAzS^a79|OJjw{ePQ5OG%dXTIz;f5{5G<9yySjx5!zp6vWhpia-kh6h= zW#gbt+C&dUG_lpjE~$RJrJ0I+jYrbA{{hcxf!Wy~*MUdfbr1L*a@LbqUXY90P>_MK ziF7TsBlxrDG40yk_Yg01Ge765lggtYz_PSIk(xgMAuw6k-Z zF5)!#bmJWc4>Wzw9y&hH2095{fRCIvac#%ho$PLE+=0Ogpa+Zk$uUaH5c8Zd2l-sr zR+en~wZO%9-}54ZdWbvRyV2929hgk$^`U z=zQ&4CzX%45y^p!IF%xXWplRpUTneDsYNRQaM3oajgMb{_aOQ|ZuXno7-ztVzFYOyIGUM~+*29Mvq{PH} zHUouUs)UDt%fu^3#IB3k?KhBGzT^gb`CjT~zdKobDszABL8 z2qF}pY(#>uLN`L?ljKAg+&GDznk`(+mrDoIhDsW*`j)5RF^fgwY_e`030u8SPIyE2 zS7$9CcXpBGr-Ni^BIIO;Qf%0LN6Q!!$dJ<+NHM--O<7oPz43+xT0JXZf$QT-+;oy; z4!_isAU(h_ehZDiLe4g3;`G1T6+nLB+qal`SywMAXRcDVOw@uMQTy8)2B{|;?1)d= zMw*=NWNlqhmmm!o=WW>Ks-Tc06?D4)DuL@x8x)H*9))%{JCL=1O?!po5!*USvO~#{ zt<#F=NlYWcWoKyOJ_Lci5cquz4N>n3u8&3WkBG{j$&wy28bPve(GTC&z#erc8e|T3 zS-Pcs$~Je1qy;1@%K;MS0`7ZuP&EY8kR8g5e4g1l&G}OznO{F6XX-lG1*`9xn;_~x z0e{JaTjOlRGxAGne2<_TTU!0?2Z`TMyk_5J4Wh{ z_B@a~K`P5==<14NJA1ZBUbm-LCp@J5-;;1K7f^4R=DIX7XeSvS100m~)k`_b7H(g7 zmKsq0r;Rddxj;L23u-2hL7h{DFo&+|U? zB;@61HMO)7iA|hz&s1#>(H9gVRUR@xX*>;eZ$hUA1qRAsXY=`TyvvBNl)6)QIpR+$ zcQ5Imkq_+8;~V_N*-+E-@Q4v)8Y1<>R~03{@9gG!hn|egQKVq~d4_}v@neE>$7q~` ze{Yl1`q*}qw^ooc&BF4TICQU!7^g%nByt-laJ7-w1V5p9Z*xzN1mbMS= z-%>SjyPN2FoT9z>e;n&2>znXMc5>EcUcG%Lnu9J(0_9qrtkG|@WG6*543>Gw!l}V5 z^f^5|ke$5+W;t`0LHeS^sS`=_oH;9}Q*DVx51vwc`8eOw4Z*CKiqMlYX@?Wca-45M zr)bU*^8W2pUB{~_V`v$PUeTO6-qv=+Ge)w3*FT{e1Aiqk(*&jzoTZ=P1LT*{(?f>} zwF)4gQe!wIryLs+S*mwP{{2@;Las3y87DQ59?5k&%9U_kmZDw2FM*B@BL5OtSgx&E zA3tj`a6&I%IGD!F_-av47pk!cSLS_grNqb#*QOs%NWMZ&0=^(;+-@dD)D}Ybysixyghp=+45y!n?PumoLgiwwM;xenj%PxpLS;+jvQ zW``x~?s`OC*+8gLlcK?wG%MB*nqO z;SX-Xna%e_?XIUwd!v8O+_`;wsHH{w=S(FX1)RY)6QUJzsYT)B{Xx5CZ>=rsHPxMC z!%43gG40muYi%eD{kl%!?`WTy_@JG46WlvGG@>Gx&!oJBP98lV0P8Tsc>ksKjjc0W zs?n4ZowP()bn<6zrx=YP?#v$|9Z$997o(ZuD4$$xs3|lyPdJ$E3^bcY{FU6Hu^Ed< zY9WR$X%SJ9pgB4=1J2|f>wC9eqJjfJ$JWXWg$ZQKk8~^%$Dxyugo=R2ZD(Z!?NIP= z+aEcc?#L}>F%2LIvHG5^HfTEC-sk`iI$P_%G1zA#Gi4D&tP>nI^{VR5@!=#w1kACV zA!xj$JTmC9$xdG7D!_LaDH4>EDbtwE+H{PeLpPtRA+W6e63#6tD0ufc{X-2Pk)x!v zCY{;%7eFHM$i>vje(v>+CR%L@GX`60Q+@#iYySD7`iF}T<=n+seowUx(e z0FH}_Qo!}28Wno@_j-l`0Vo|nj>yrWXpg?^z{3x@5iFRa{mSz}xcNoeBx2l2x&!{7 z_{+NGFTnqn9i1701ODra{CK4jPO$p}jzbKg`rl?q+FhX8dyiV48qF`R3aHOB&Y>>6geKJl7427*LQ2MRn z>$T5AVYfo*aLH3gw;;j*B|^hFvDI@V)a zI(O*2AS=moYw&J3i3^)d7GtB8W3J#?zw2M|{We?G_Cmc<<&T2w(5kP2Gf&gK0dk1M zuMgv^@ik-Y*qUs<)6af}W0qOUiiLM<2oq=UBZQxo9g<&5Ol~%x^C4D)OZhN=L5A4; zYQ+#P`m24S{-Xhnr^`uMrKoSXs z5~R61wM#^LH^?rF_s1|{sGSATl+#GCNS~oun~+sAsa`$t%3I9VpA`UV5pyY4ekn3N zY;QB&QzL)X$Hk_{spm1G>;v~>7{F62Dnr(X2d)t&k~8BrSTN{1h0XEA7+#pttIp!I z_Fo53O%zZfUDK!6+F!Z4dz59gv0%z(rRpU*1&A=EIcKxY3SRT0_bM-4^X=A{FSglz z60|nxlvy*Xf?TSZ()YwMU-gQBu+<>|Ow2M_IbT?>T?qLo^rBsC{xc@luYP}bVVG8= z=G)#%fszai_Ba+GW<%`Wjr97}5b{?!*)IOkS68_5arM|exgh{*j&p>p7)gC~e^IG+ zN~SSnDKXpEWMp>YCoX2Zn#Ah%Cik9fTZimSNm=4<3wNw<{qCG+`r`S3ZxQ+RFFq<( z%gn8&kM5A>YL+|aqxiC%Lqm5Ko26uifjF^%A$|~kvJHT=`N^yxEWVW|^$osu=Gy#S zfl{vz!qx6R=vi8ujdv1Z!XfzYFo#;jwa*yr2cZgg5`!kdh0?cwFxN|)S$aNuOEs^s zKrl%Bcnv>1@p{maZGBRze(+l8<^+VsyCdBp;B)@IQ=cR7ipa; zL)}BcQnw|VGe;bCM_l;I+XB$M^8l#Are5>+2D4p#zkcKVPEPgKbn)<6r;P4j{C>|r zqod(lLRG&WAtle*>~9SWTRLU-U9F!ft*%m7`}{rzPExNov$*!kWjQ`J*k0^TIUng} z;tKc9#PZ&H{b**ukEnSePlE2k1m|SUH2XRBgWH9&C{W0^hEL`$<&$QUd*_mySQ1C2 zLid)lrEF}=0OB-1o@kIYy-vQ?wjWyc?u+$VjNY7BiTJZLsbiUE2iVO774{cn!z8HM z%ffbNNbPay@hoSucW0g0#x#ic@pa3Y^AKn$2XOY`4ynwy25Cr!rsOh7R0su0pe#c z#1$>LR3%Shvp}}RtY0clvwgGx5YL}kfz$jIAQ}bt-UpiG+-?F;GfW%mQ4vdy-2591 z##P7td6fLl@Av6STbz|O+rta~%+>*Rm>-C_bNC_en6qnnA|WnMq{7Ls|D6jkwgjMd zpN|RyA=_U^{Rgh$GZ}9f-0P3l9Np@#2sGG2EkD8A`X1f@RcM}#9BV3i{sP7N!U9=s zkus_Qkp~ZZ=?(x@@ADfC#~$#V$q&ADENCK(4b#5{%)#YU+gg>TDw$s$Z{}OjQ=9M4 z?{)2NG%I0|%&l6)5}@LhGH-nro0z3Y#NbBd1V&x-bW0Q`Op9tD7=*K2kX}(|xu`yZ zK-{$C7w24(U}7wb5->%(E4?u;T<2j$z@TJLCJi>E#WP-m(C)7wB$h6zv_1Io0i(0Y z9$X(r8h5&}2nBZ}9n;c;&9hzv&z zk)EwiK)@Ayy>F~ZjQynq&H#zqX}=bSd_KZAqg!PUf&xuUS0wVsvx4RaB^ZSs`;W(W)@1{k zcwW5IhxD1t$h;eG7{f&>n91h6O^LbE_+W8b0qw>$g{KvU(cU`9y{$>CD{5CyCkApmk z(Pb&#!~@5etaWjMEs+r^{ScPjcp|}nsXk#0Sm555@dj5gdhHFu@>G*a8S06>-e}G? zOvI9Q5sUtk_LDSifMBdSjt$gKo5xjie`8&kg!Dy_p(v47c&m#8kgX@fL)~hkmGtdP~nNtwB<NQxs}ZwvV->5w z){Y%JiDYl3;e&aOFLp%0UW1^cRP5EZT)*D!NEk0wXI`rH7l}mFghYIefF8$o(t1=Y z_g!>`UYe-gbJ%MTNkmGTd|}0)cYMEJD5x2~cI8oaS};y^`h(5hlD)Y0k25#QiebD1 z(MCMM&7t}2o;BXhptWn1CC_=8Ilcu!w%~DZB%x%rKxwyVdpUbwezP$xgKir-s^ljx zQDw6DC&U83z&`3!LRql-X_<#0;C0vEnAxqg(h=j{)>>Dd&0l}?iruX04|plVWa&ri7(xaWthReZHCQMSrAY-BBc+3MNz! zY_=p-PR4WsUNq7X_==ua33omR#2UA4e|!DKwU}3ukmR42Z0;(N{6J>*+4~0%;(G}R zvCe{|2lA={q$ex|#v;eg2YX>2v`#6>uwRn-5HvkbnJs^hzks$$J#nA0*Q{NO@Yo-0 z2>8XhQs6vlI>`+3-cJ9dGim^sD)fsVtuXVSUgBT+(4yW6GlF&Txj#gx-M$~$5Y3y5>aT|h{P@i%x z+S={utNg9vB;1yE-Tg#HrzNia^E=;;bp(BAe8z~;`SBNKmc-`ienNyWRh=Q3&`jGj zPS5=lgtxs9V_S$FbX$u}+c`HPVra<%3&MgX-o<5gfy;%Dva{IKg>p$1!HO2m>ZVzDrQ#)1zuQ?SbD3D3&aRacBr_tnccaSwVz@^ zJOgWN^c_1Ap$OoWkYC{^_3N`Fw#8-Fy>vaBs-(@pS43cqQeJaj8O&Ce^f9Vg+jZq{4#?CHfph|Dxa z=th4g0lL86F^#OnX+LH4Se=g|%2Vc-1T!{r4dLo=OrigHYQC`VKC@cg*Sq-c$AqJfap%Dr6&&dw~l8AS- z_a6b2>%NUk$OHtC`-YZ=uO1ji;PAS3UT}Tj?o!^qbeec`xsuMA^4AF+shgjwr z6Gd5yK2)P@OVZh+fhk37Ml-wsGJSfw8v>`OH2`G#7ov7Ir`*~jvgGOk%8065P2#}; z$n>Z>&y7b;JgNz|F9XQb3`chYGB(aYV!02^dSR@^@z<3va~(parndaX-Ka+XrBc5W zDqg}Zx+pDsR# z1Ni3!_uCLA7#9yvR?Us5+nQtQIcG_K9dv0orCBpD2N2}PHtgwNE*3#zv0CATGqFMn z&@5f*0Deql^+v0VNnf4nlRWI=um8H!8VCk?otBqT+2AfY#djLfvUlQnT9Cr90$1D3 zl*e7q8Tcf%D$0lW_b10cc2gph{ZGj6_!;0Yaz-2miW#11RY8j+Bafl{%zV&)Hu-O5 z2y!68Twk0amn3`Y)y+aNLYa1Dq|h1C9I!@1mGGd7<7cVgQIk)m(?1l?i-M)l1Q)%3 z&YAq=oVOca!%$Bt-Qu6rW^04+AgMFt5x$gZo>QnR=V&nPkERuHjw;jSvAP#T*(utE z+Wt;>W+I;-c9_z5>A+}Pm;5w)?H7#nQsA+mBGW~O>vTvsSVW&Tf(z1kPTQMg>sW5p z#C!niOPvujWuqjaUiFX=#H0MDECO$l`9!lq&43mrX@m#iEd%L22Ehs(W(pJniLklj z{L!&T5%)Q7nw%t`G>01}P#?5qxzJGiHL~k*(RH$A{aYvcs3KtIPhWa7U{vnDPqx0$ zF!bo}5T*nDw~=cp*6LRz$tSN2Zn?yAVDze0+kRkFjCrZQo2rFZn#Cktq&Q%hCbids zB$tHC6V8TUlM8CERBVZ60v;KSsJI_qc^1^76@`a<4Oh0Le1lKTWA0AT58pI@9r`7= z`7jL;6_-S#D&0qCi#6lsiGpMh9!^g&R2@UD|KKvU=%{Inp$8ocrcZ~B561KuD9#zc z*1w~qhX1hjAGZFZt^XK-e{AbNw)LMQ>mN_x9|!9n2kRfd_5b^IfYWCNL>9N@bYBn^qL@u?E~8y*+WmQggbKTzA832TRtKA)ul)_c)-^$( zx{Ki+YToegYLO56;VlQKe$H`<+34c9_>0FcG*}b9sFsVIGHGDJ*hxQ_x^*)AY!Tuw z3RjwEr;3tqH$ao7aW(9=Bn@4pB~PYA-Feq?9maG!_r7&nfa7CcBkDq)2HD5vtQ1fd zrR`m^b#4<}q9COygDv}UZdwwG<(^}p-H-e657aN@q>#8D?~x;4P0pxlre{%X@v z$Y#1Bm23`RN<);W>}`J0Z+Bq*vALDS_X8#`^4U=rayQ7{gyolBqG>rt?lu$mDma9e zRk-f4GblK18?W5X@a**|%MSw;&%XcAz3UI? z69nJwwxEftV@_+Xyjhl0h;ty5{n;ryViCV41x&Z$i>$qn&FH(^(IWg`0AN!NzFXyv z1_Wde0sEHsURe-ps=|33j6qL_yHe=n4~t;h^ra7)rPr0wqm9h6j>Pf@F}Z z6<@K{m7vPBp+kPT-Fnwh+B%KoL0KQV^M;jz?w3KhA2p^V>`eC&$}Re|ZdqSYY6ah( zfHIU0YKK8|7T3%XRFXIotOSZ=pRlpB`#}|%d^Wgl4dzOa$}&1vyFOAktcR6~ba{7^ z20Q4G>Ic$0(yxT=t`1M8dn&%Kb4*$|Ay@d4{OUp8q#+%!`=Mw88%B&cr0iKa!6dal z_f^0Lq7Q3Hm@8sssY`kaaa{4f+8J+|Mmy#8r_OlA4gFM{a-ws|I z#@paQB1=^n$cMp#imtWkyYCj?-Gud@W`uSiJR*t=3BbTJwWO7GIJ`=ENYKn_GBhXg_97GZzqS8i;T2~wu1wQe2Miush) zEZt4_>$j}^k@39ya~hP)1>bhs96cKnyp(Bl9=<1c)zvgPgA*WVfV@CIG16pqSZGDN z*oQYDV)rEzB&cCQ7LG5J)G-7yn!ZECk~XZ+Q9MJ&xnEBs$X=< z7Q?z4wL$IW>I47hr|UqW;IKvgR-fa?Z79bC6xY6k63^zL^4lvQfiAs(@1Ek;ulzEZ z$+TS9$1ISP<#=9UOsdExw9CNx(zhO zaQFM^FlTHV+ObtXBwFaT^S#^Ip<7e)HyM%6*v@p1*Y~&k%0l~w(v(24D_qKdlgWM9 zZ@>ddoU0fO?fA%yvL(ku2}`7ub0?X{rrQL{d>05GgNDG@Bl6ez3*L=?eNmnb#qY78 z@Y5L`H}*|zl8DS{{k+tXmf<+o8$-re#wJw?;P7|!w(Rd%Xf5-Xn0}; z+KSce7i0&n`oM!MHm_SEU0eB|z0I<)w&b#58TIYe?}&oIdh87ZsZw@kzuh>Et;g;O zjo1|@p(-rjnE}&%oI-Iu_b=}xSxq;L9#NREV}$f=ErP+`j@zdWjn}WeDuYXTZQdWs z$qrc?B#|w{NROYg*rJ15xl;w6zBKm1xj#d&RFkvN25rw(;6Z+1@NzE591EI{Q#<9o zziP7&FXdQ5{RFvneeS#)zI+XhGoAMYE|5it0uNG@^v;x_Ryjuw>@aP;!c?2kL80d@ zT=SUo+bACjJz{b7LfzM4ke!8vN^$Eham*5U9wb{>4}N7y+`JbJr5s8kB=1g_2oQ0E1Zv&GqdBKYi8Dy59I1DhS6n zow3jxU}u& z_EEev{%jxMXwCsgL!sNw@5K7E3J7f1t59hQ4s%OhYgE<>6{vXRgZ!5MI@dQ8AQ|mb z-Kp}hwc^w-GYzp6Pk}HpK-aDAbwyaeXIhPg52d_(7_aqVboAwc%hq3tc0L*Lo6^<# z&S$0V0o@M2Zw3*N(};wes$c1%r13?B3{@w0((YY{**?7*FTp7qaQtc>9KTm4yv_h) zQb=G&@6X!s!3QFgj#_~N4;kP=uIAd*!btSLLywA$fPM$z8oJ*H%bm0ldU;d%9L1|r zwb|^ieY#Kmy6#at1-tTaxn*Bi#;618f22YE0^Fz0f`ZwD#ZFrAzr3z2PXRyZH=rBi z*Of(K0j_3$=6iK8UsD8(DfT=RX9SKcc>~Lgjm8RDL@1@}RX}1zSrqF`j>6GW5I4ht zyWzA}y%mPY{cZO+M$f8fkvZD^iH(A>%-W;%1V!F~br8rik9uKE0TuaU z_OF)J)!p}2TH?_Fk27%|cn9{ya==G9X0gp+`(yLJd+T8BC0`!dP;UT+F7cS*<)(8E z-ag_1V@?+^{Cm$Ib*EitzpAn5$TSG{fl5=q!fa6B@bCP7TXr!41rkdSkn9t17oX-k z_MeX&3%k7nZupnM4S%aO;@`Xb{TE*JV2BqKKq(Kv4RS+qw*U4j5$@MgvciJV2HBs5 z0F5ZjKKIXZ|KaX`tuom2cmYHWDjdj-vYVCl{bZz73G&(%+}y3GoI?5^QF^052>wOR z64B@JDaZCmCSc720MPax*2F^F{Cqmgz6bIsp_&CB=)s$D8*T8O5UK)HHN3fTS}|Zr zq}c2RrwrKgY~+?Vz(YD-74MDoc!6Zv~wMLbV-Q^ zqzLGI2_&IyO0;OXBErp}DKE#um{Ocx)haBvi$h+N54fR3rvqPZ7!#{73C?Tlbtp9- zyzG>>xllRzp!mxU0>E-zDz;O3ss7-+FH6VVlNka>{jZUgd@1m{N>HcJt53%BASJt- z-hT4ZhK9lmvJ;+n$(B2kh7uDUY}`%o&u@oILX-0YfbgEfs=^%b|OUgvNP%pBGbp! zIVr_KYK7zDtjk7gP5!U=e5jo-G}K9FFtA|0qs&JWgXLZ~P|!*gNKl=ZdAbPhU^uIi zz*PhtMIbeFFDsK{C%KdlxV;yd4s=b{p5|)^F18t46tlN+2gxya!g-+;7lNY;f;35? zawHd+`18a|l&193;N6|!pNi|1zzexDx@C_45ygkIawn?pJSu&1l_noY(O%JZG)pCL zHrivxV2!RzIXuLh;GA%PD z{u&N)OWf|(E846zy(Zc<6dWjNAF=_J^Lr;cRyjxSdA#V5oCo*) zv0?P&Cx93Iy70Stbhi_#vk9ayW}vAr6rjH@sz+yAcR!9$g?KKK52c`-1Svb~Cg4fJ z^YykCr%#`*?(Xik-R(9)QK+e@VeRcNx)=2Rijj@H_hx|XlZr@i-_?vKr>ZE%m{&{3 z-<+bDqY)kbBEDRCeK+oOUa*Jp@UfyB!K~XvJ@yU5C-wSIWFz$%FoKeHANK}PgzIge z1d|nuNUb-^H|$KN5?wQX9BoYs_YZm5oQjaVeM=eCrBz%)v0okYI@#xTIm9@I@ox01 zP-D>YoZHr|whE>YQIe{e`o~aL{=zJlPu5vF*`{NKN1w_+Gu?X3swIPc_1$GaD=66Y z7LO>kFW8|oWF2D+ZvvIuK3_bTIP&?ghX)fsYHDE#7TU5UItV^0R~s-k)bXM^%?-7o zIn|&Dl`16U5)cqwbj z>Ot!#wlK--&uux!ioD_UrH&v1bL0K(J^a*wVeP@%AHG4&@IjI*&$lTIJ{ZhYV`a7= z<@$7#%G|_(D6P8Mj_5*zC5@T0WkG}%n4>6eC?5lap6Zepjwn9%n5YkNHiLL6nnM;E zj^Bz%d^_;yGzmrGVwLk1I+{o6^jq|x&9`u(ZyL0ImUy9n2VYjZIc&UCe$i2!1zYP! z!yUJCr4Ix3q3Kk;%li!=$zk;C4LAFt!E)}h{3&A&O8*yS%wAiR!F=+5hIk&MV}3I; z>6xDF8*9u}nQI%WKXt?CS`guzk{(;LcW~woJLMrWS+bF38lCioH!@aMiE~$u1#)Hi zUu3~V{MB}i4rDgpH1d$D3l90(q$9DuQNGmEQzl|F>R-OprVv_E^Kzv)vuthSrC%)fjYuQJY|M5p;`cw=eRgIS<^Xso$SSGWE^6m0^3mgQgfWvurRx3@AU zCHW*92^A@O`RVD=s&&v||6g_R6bgosD9lXfuY>AtPNHk|;>65XVe?0o&9TX;DWM?; zbXfdZ)?Dzb<^m0^AK}W>;2B5(a!80SE!_L3#@ai{kvP_LC zX}Q)nB1E6ekq#6jYVuG)RuAZ~{Ngkx5pUp!)G`t?9_%NaTjb$sT4j+#Gu>-w`;K~YGS;TWYVI92V4w+eH6 zwthbif;Pp+f7RjtdPRr-DMeog_uc=g6#e@O%?2`HI%i(z(W&YF0V%mr+23;_zH)Pm zw>nezIO7t@mOZ|#44$4SY1_bT_bd3(*+ge>8y=IHnmPNm;?#<|{H}=a$hVAi374LW zbBpF|HbO_uij@xx_*2=YP65b}Ms*bT@4cGIRj9L?xnASWU|ZMJ&0gyL=Jqrk`kJPx z$x7+KO2c)a+=*&{@`#a zWbvhnXon6L%C7c4{ODM9*&b{B1!5D68KpBYGme-8uiK~{oN#kLRt-{B8Z41j+; zgsNow<|k5Z`~gy*Cb!%!KKv+Jcsjp=e51oNbj%;T9gv?r=$PKY9=5ZH z9FhACo)7JZ-gCtQq!tG~AP}_F%9kFN_-4bg#Drge`H`fbXja|QDf#Yc=*3sGJM_3A zR5O16iDJH)7TS^B?~~Cy2$gv~w?hF@4h__;!7Juof32D+tFJ4{PBynH8eD0OdcQdB zaO0$;7XS~Vf(EKbCZLySNu25C*KTpIZ)Kr7dilposH(N{i77ey+&{7tgkchc09(^Hg=d<;^N0wk2`c4K;Q{SBw~}&A6K;UCx(RMx zUu84Nrc-f^6;Z#pLQXCO=~_}`)2oiq$dJX2FC^eQg%;|wKNBgfICW7RcDtX&%Im+)qTG-`{AS2XwfH5>gm3u}XVyuGq(G41rSrz8#7h5LA*J$nxz$ z^ukG?m}|WfeEte%4po^?GJ6s9j6;o>)W*TvoCM6hsHt+GPjHwWk-!wIB|a)kcf(#j zq=}Mo8B@Qz=3}6+ngkH*Io9PB=K77M@h!Ss*BV*b`8Q)jD#zHzp(il&{Tp)>!1XO% zi503VKB!(Jwk$w@(pYw8Y+z&3}3dJtv706%(ar3(<(pn|fRyfuO9OIz!+t(iy%^2Jn>^>+~3+~-d z%ydkq?gYz$W2-;FL~f1U9vNbEt;0Iy6-sbigm0g2ROpSN46PX%tO|{h2o1M}G?U*% zr1^L_q=WYUV0Rr19cH@RBg&Zk-F@r}WU-idxmfp&U9_SUQcS!?KAQ%yPipE{ErPTb zbS@Xm?BD{*Iq-N{WgI1{jyby1M@in%;OywRz#O<=r!4G>ZH8;k|R|rp10KT?9|?rB!3>_8R7C!T4Qbps7ihNIofj8r2*WGqqzta|^9# zKAy#5YGR-zH19P5zq>mGJM)aE1H9C)rBlURLRb6zIL61J_vBW5dK6z!4xz(0LBdHm zXV^L|C|)Ge;C@hfd&on>gKhX#qu~Tu8%|!Op$Bmp^i!eqmOg8dHRp#6MBi5lMucB< zv^k@uA$?L}{_V5eDdvp4UCb6Q4xChQG*FYDav29iTf3|#ZY3P-1&$xsP1}mWUciEs zn&&$L(kBp~nsEvO#b)KcJ>pY{(*5+yv~X1BPua?t0(07L%PoaypDCp&ThO_P4m}1Xi*hGt(`!^hS5dIPj{#h!* zjX5hA&%)o-29da3G5Z#qqDq^umw<^(g7?9oXeSUdxDruj<*plt`acqTEf9Y>B3fGY zycF_NKi*T_&iKsew0qrQ#!U)Q(gOI0F^gfg_(S+j4gq~aMYXTr4zBn*o>v>5`Eo8H zX3GQRt3$uU!Ec?JNIMxkrrC0&tt+plO+q9>LAutvhP6=?W$pqG;c^t9raPs+$6@q96SBpiNdZG zWiglspW+-HXTV))e>#*Fa@lKdlbtLd{&><=%<%N%T8m~M`rD#2G%Z$XGGAFhX)PMA zcB1>B;vO^kL+p^K zzH|dGuQ#AQ0#4NA5cgbcb#W3)s@RKvzAU;))OygN3nao4*R_}!Mb<2ns+SSUB11C? zF;~JCqjii=zGjAm8e$QmJOg)Kxl;-UjlIF=JUm!-ijQ~YxP~Z)(l*hw!H|7{kjrB` zPs;LOVsvqe+UnHTTHd&>Dc|ft+oD#TtmxZc0|lY zTCXLh`DC*G4`@_qV+&*0@>9W-_k+)043n%I&!Y2(+evn*h79qVWMr4JZjEf`{16Ft zDIw9aS)Eregs~nTdbkZ``e9|-NG=YKyA-{>nPd@J3|B52REjlLn0k-P5stU-3|YQV zvt#v9=L1)D*IS8~dr~`=Kuh6_*z1Z<*gAE!O(M;nZSbDqP4`zXMGjD&2Te}>G5=D+ zl@@&IJh3Zd72Aw+Ycd^ry_&g&{J zy9eg_NQ&yE-}>`!L(y+T(f>_D(a(BMBRzkXK08L9yq8*ot=afw^O5ew#f!kvOILia zq{x+iSb)L}fF1x|BfpdoqrJ=1uD2*o>(gR z-|n5??wx-v_l}i|OM6go@a%WrcNW`!)@;iuit7?~qGNN&B7g2E=X%C2YKjDEa5?hWBq}gsxsEn+s*iffczMZF)T??t zqB~mx6C~Pn@*EnCr^UH-YEltxR4)=?6mW^}-}Pcrxx&CGrTK_M*!FC4_+-Q0@TV+b z+!xohq`fWk_MU0Omu7DkJ`5!V4o1m8f!}!4%Qp_qmV^af%+O+bng$kK+-c*^i%M*H z+&We_N8?W$*Vb)9!}hP??F(!0Awc4Ffwb>Qu10zJ{4?Nafa&i zhjf;QGH1A{Diq@xz>Tf*@{%lPd8LLBhWz(JexJy1()xWz{!ef%#myrqwh}Lfv3uEf z=idxI<9;L^M#Iar`3=gY6R7O9 zaN;tCym#fkxIyczXQ`7}P(XeWZ|^~1rV)^KNPxS1lWRw1xsr9o4xI>K)hMwxWDoCs zu=$uCBw|r$XG-6H{Fav&l*SO z+J8+wu{Y-w;5E~x24j7|d`;zq7xX2Y_VIAw%RdzZ$-bdb2i<+L-DDDE#5vBKOm^cg)x}Bna+idlTQ?X(KoKRKB`)*>qAE~`tTBu3}U|nCN$-0h!P4?Z9 zSW(qIXqiT*a65QW$q#Z2B??NRRV;UWDuB6;Lg1)(GaZSihx3F%EN`QkXIY_lF z5sI`1bHQYD)Ile%Q5no+fC`&Tn9?q|0;q10H70xQv4qvj#8d@v(sBSfK_Ww(D+RcB z15x=z6mr&oG0x-093%{X1rW+MIaF~G94^+YH^Gi~u!i~o3J_JIoL4dqWxlN`2lP+e z5pG69@qI0smga!ay}QYDZ=t4^Aic{SoL_nA()d`g%;^3(u=}c?wgIPu6QDOqzLc?( zc^7!DS|d>va~zo22Jgh(7#Gk2T@|1D^P&EPB#qS6H-xQt{^+L8FxGA3bI zSn^XcR6fKU5eb{?SEQ#ra_0UQuSYUfclF96Ptw_4cz$=UP4&5p44V%gzeCqUfBeju z?INNMZ@IqE@mYK{uyHk={WxdRDcN=Hy@_pB?!=75q2gg#DtuFC-pDZLxKA<2ZamP!waPdJpfvbGClS2N*q*;nC z`&n_w0>@oG-P=qoPcrnVYvIf;CG!z=qaY{u&R=7=s}Z2?)xYP-M1X1 zD5&8(YL}RfLJHY6bz=jg#eyMyJr0Zr^O(=x7nC>u_^x>a(^Aji=4I;16Wyi_`Z=*= zbB|-?qF)Q3(ef*jUdz3U*i&v6$gZfU!nrDNW*K*gP6M3ve(GqzAsY{4(a-xW;QO+hgAMh^Du>)$lndW8zG z;#a?&@N{IrQo1}FPif6)Ht||&DBWaqL~^6c>f@pVFR$mCzT&534x}cQfB9ktFfqn^ z!@~97Kj*%A`}S^`Z|-?Yx-(47%*+_Td5*dkg~2?GQz_f}j(9Bz;p$`+QWglyF~c>V zF`ObLUTq^Iv_~;eF5}tE2~~3TK!eJa39;p-WvSidl*vq!1!XRV!X+VINn~?|kL0oQ zNz_**C@`0(T{`0+q3#)8S6kLS1q6}#lL0%nkyGL+i+>3Bw5q0XnemmcL?(xDV67=) zg2*TgD0*hCHd!2v9mF}@Zf6cWc?>n@LEV(#q9T>cHDPY*916=#lxW~Q=%;ZD{D z<$hFPlx-Lo1MN2Xd9#<0VE-mZ*8s-0Y;YqT89Aklz?aLOgo2*;66{RFM-ipew_<@- zT0&sU;ypKJ%#C!tfFr5G?M`W9i<@bH%%55Mkbc&W|^?v=yIsJ z3Wa5T*>1G&QFD%U5V^6oGN;?N3Q%@IJ1BzC2TA!i1Bye-qD2B56n+&5@#Rj^9m#r^ zeDPx}RLfHpP};5VB#yVfb3REs5caM-z^ib@x8mU$t3vCT3-2O*p(cdL7Ft^02m#$Y z0K_=lb@dIcxusr0UU%}AK+Y=IRdMX zv_PCR$2jycIjUPGV+ZA?`;ar#$GRc%aB$-b9D)T3Z^S_^R=1U={njQ zvgd2F=l!$h{d4>J`fT1ZtU-xsi9Wz+(Ac}aGlV|iy)zv0Z`-}b3RN()zt0tq$eCB) zV^9+#Z}(=Kw)NmQanUytW=O5Dp;#KVgtqTA}x*>i$z!PFO zUX9l9O~Bekx}7rD*eouWU9)>1Bi&~_;ifwewH<`d(N=PLkx|f-Cbd$GD;zX%_%TFt zwJfP6JBXvPaZP+=K^ixQI4yG^PN>{W?Q8I*=}LC0^8{r&xG&A4{Qb^e)qOh4nK@7i z!*;o>7b-aPK{0R)D&R_db{~pqXp&v435ic6d zzC*DU8)9ni{6PHj5nxSXlpWt2S=vGck_(B$j@;WQw4lsn5|MPzj(vfZOrVvx(d2!O zyQ%zRd^>O{n@`CO{ZV6a5Xsvj!jJV{f%)swCiXLp2^-`+Up&7wzi|Od7O06U2J{Ls zQe7k{3l4-B;`?-2AK_NmEF7{KLm-~Uwz9lj5f+wH(cbPHSS>sf(o4mtpg#+BBjlDL za62P7B#!Yl)J0C$2tcTr^g9;_UEeYft+rb(FS#@jG(J`6En{3*XHbC*a|jcnOQSTW zQzY|t+6XJ+-tA^+Uz^|G@s0`DM!Gp-8?M;X|KKXkck<o2xh+g9H5Fakm08cO+#LcG$>AZVj>lLf%~=ttS?gFf8}3h^pDJHSdwr@{dLzG-N0<9St{0@5Sd z^SLcoDY3~ti5uJRu!RDnLgRAN!$O3o`A82-3hizVa{Fg^X_x{(OkuX5r+M{@JEbP& z%U;bH=D?PZ0}HQ$chqotdF6Q(wn>5j#RdY@qZfqjlgZ~O5e}<;e^)` zE~ukQdcNU%&Ga<`PY00H@<4=xS=#mrjKzF|PqX1u9s||@GK!|3pN=#2?}3cMOE~}5 zK?}m;o{*7|yqER4}jt5wP0A;X#hD|F+WhozFu9k^^JTKCE zJYZzxFFl*|f_Un5zYw4L4zFB3cFKYEr_fk}(@nR(8=%NWK3*tu>Jx`gZ?gpAq71-A z6^r1djIPjgYdlAK)I|;++`AL!S-EA)mfKJrMeI9p(Usi&I&dCJ)IblyX(~p76uzXR zc~><(-3(`=>dZo*Q;bht-!ApTmX8KXkd%igm)yxadUk|CK<75MYUFL#>ETpUjELq>slPNSBu zP~+WR=}U9W{Zj$N{NI5GJ?)nsx8U7~<-pS!;RVuK8F*uz5-VY?h{v|5-Y-)Iwr2NJ z$X%>QLhklWwG&q1ycV^*ok)LI!#Jkz6zi?2kN4`Bh@A51CJniQHAF z-*kIndc+T;7w)Q(Z;9cj4XplI=XaN;Ar?^2B(D_+q zHU>zW5Si^pv?03hgB_=&d#G>rEJ$Lr9|zV&ufT4XkLaU~@ZYcTUWE&rKuX}5X_Y!^ zcN?+!=8YE@tJ)#c3BwcD;az_>Bd9d>nBWnq5lEcv$H3DZPeakOPG+%%`0eMp;BIlo zA1HSYOr;MeBS-38gVEwVn*|M{;PXwTrKH<`ro3|ur2YgR;x9udcf>8= z9*ln9r&#U_YTBWw=-yM``X$VOJACl_IgohHF9V5uT4klORE-p*o*r({DhoEEc9E;& zR%fT2$2}->#lQRU0PYEAHz@Kv`Uxo$if(#%}~wt|_TT!{C7n1{hEv>25w$>pfR?%kBF0bNg9H zSBf$bQE^YJKnrixk@z6sth>cm&85|YK=LIc_xMRDZgsy9%74uN-(k6vLrX`4Nt=_n z5jIElFiCNRXUa73CYgfuS)@8r99-uQ2R%R&dK)T&_AAe;jp>H9^15dEjU5)Py0jg1 zUb+wK+fF~a&pwE&>I5^AGL6?6>L~4T3d)Ppmm2KJY_D z7B0FVykMc@3XkLVs{l0e#o9@Hc@^z#;c;!Rkz;16Z^^lw%2 zb!H7q$t@(NNzzf%JtUbf9EgANBGvn%6A*VT;X>^s(32?eAAX@s}{~c!$VWxN7huAo$&=;bwaYraH9?(sSsDQ&X zVd2w%$`Jn{LrHDM?_y=$0-5}dZoVDL_|rJnWWFT9zS8xh$$)q*b?I8C4al^Hyzh@G zBKwDW&N+oAl1-zT9tADacV>(7`ad-qyg2B9TYS~L@(L&8lT+Y07OQJB@W8G6=!G$N z=Fv|X$6dsy>pb$bJu;?-XW8D3TrSahKd8jH8L2BrQn5)U&Ib8)(vKI#(iuz|iXAyF zYjdO*zw&7F#P)FB7Lk#Wv2kLn9udlSI8`#X3q;uP(^!4qg-!p#AHg_5H)!a!KUb znzR_<*4;!Lvyp{09Q<_+7esgjO-M_u92&Eef}h3y`sa(>r%f732Wk*CsyphW+Lo10 zc&?FK_oby?VD6(1F{chJK@|_PT~dRzMxAJ)vU2<2=cd2;IYP=+j>J=Kjnhn1+k}kE zGV#yk8~AmRBhH157ss@X{U!v_^p+QbB#Xlr=Qg(Q^stmyg`4#U?`v8r;unM9nR#vADK9* zbg(+ENO_McvNCKd9Ctd!W>sP`wyYU!9Ap6MFgApd5@0U0QOw)^XE=(4f2tdWKax=jas*G8I^kUGD=G0;_FpX(_8p6WZST&7Z+#qN~kq_!i^bDAFSS* zYm()J6@44L=>>FXtG&s7EZ>nwnBpw56mQE|&X|H;T7{h&3o`Ay#~#SMN86gj`kJK% z4k1gMZNBQ^{bKC_y`dprinUZkTLeyDneFa_-MO%$Ihmwj(u(+MGVwX26;a8H^6ay3 zk%DtHXR?W5Hzy6e9H4u}D&1XY#V(@lac+xSZGcx2VwxQ!N@{FuViR+c9a|jM=WcBL z%UW!$u(ty2zJB&Mb+pR|jJ zYZPYMH@w?u`HRoZLx1@vH^*6T?Co%0Sb@#iyf%y*IWL^vL~|7WhZ#XI!Zsl;<>KY0Mkx7vZN8GJln#}h^+kq% zcL=_v1>5Okm6D86iwIpxoD!Y=*ySTte3-k)!g)4wRJYP;dRbQH!nLVo*=S$v@PaG9 z_m0KAKNv1`=hn2oGZQ?U-;C$$D;g`#&H@h#!om1!$4Hgba`r*YGY0JV_EHdyQrWw< z>P)QAb3bDG@~ZjWW63Xv!B}w*XL$GnGEkhy^@|8^rB9-=oVnIPvji13qp~6U>+Mea zGC9_(<>Y;k18}p#+Ct+Sxw$T`CKmLn3*2hmd$*8Sz}df(vI=Rf`&EeoeMPQV6K4_p z^z_Ue|4KdDUH^$K!1rd0Ouk2D*<88(E>egFd@ybt5fbDY=~pMT zKUE6gPtjb36olO7tIG?0;IdC0j}C{zyw?>^fH~_LYv2l0ImV!Dn(2}E=2{^%kNt`J z)X7lBPZ^DBOqc%jv{PKWkuB_;?9CsGlgnM5;c(#570f<4J%^PVxWptMJc{}-DuNqZ zh45Ab+5i-IbqBessx-8#y;~h>*qBg3VVg7g5Y(%qu$h@kgV5mOPWN)Mk|tevIwbDa zJq5he8(PWRkU%(l@oXK+=-YSM{-)u4*N8k*u)^y6sArA2-tv<1jnCXruTlX6HO`N` z1Xn{PWb`#*%Y`DYe&C`}C|+o=&)lTKvG~ES(y7f@mv$Jtw$$tQEpxhi0_)rkMdi~t zxR#&;J>wDNq8l$;TeXhO-$Y8~N~F%o@otApW@P-P)zF?TQrNU7Z9I~p5UZ9SLn{kYGk4ak+aSqHHLn=m;qhNw;Is0h! zq2@|n=3_8lVp$F!ZuJ`(S&W=H)ChiLu%z~iy0NC_C)_puBIcc!d3b9mGHlV6W$j;G zfCRbP9+iC9rZME*gB-? pY~?&&u_;MAzF<}N;Y?@jhR-_v>C()i0c)r>7dSpDdQzerhDFE{MKo#A+E^03EMhlqWNd3}Bno}AdJ>m1%7`m{-W%;2!fGh2a4PyM2>O?dotFo7 zSua*I&F8OGajXQyH5)9I)%58upF6dDyzQeh2OEMaIKB5*IJHZmFW;sm%|?aMvsiT1 z-zNvMO`9!$5+u~HB3}eydLX4KSa#~|D9y}3N^L2SjLw^+d5ciUpE$4d!2cG$Za z$Nd=voEOp2t?isXalLQhm5DQ4pp`ivu-1O4JhQd2GpqZ`q@ThTRH~f6 zZ@$}v@EQ-!!OT%*o|@I0%lq_M1FQQQtsq@%>BH&Uo+uod4w=U=U`GQ~zsGEp8oFl)lsD>|GSH;^I=2%-8>lb~Mm{R_&r zW#62FbX;#5N456eG|Y~ z2Vq%F!M2QJaN(76NW@i2u$b^$mnd#F?#VM3%R0O@t)I7`pOY8cWc$5P6F(7pua};& zY{0gL%{imAT^{R-T~_xc%%dddi?{%SvVey4&;uu|zy;QaY~WOGNqN(spC!i}FcPw& zQ|Gb@-Zs{L`y+vIDoa2`tk}g*ad+ki{2cZ(PS@x;+?8l?!cSPH9byhp*zpqi*-Ht^ zas&3=fu8-&p(W!^S*izm)rkI?9}lb!zt>z9G%1#E|a3`*2HIZ z1ZAVPReFx*0bzBOm1p{K(U}eW_G!AE(}G-S-#a*r^+sR1#EU4yvWL;jEjI+Clme|5f@q9NGA*gzTfa0#=7Sn}}-? zL~9*^;zzDS@*QdNI($u^|^17p{?G9cP4V9I1-l zn6X%wc3>tq!u?4xl9(k!Mh69ZT5X5aOu*5cH0RZVt)4#N_M?ck0<=1{zt!q?{UMQN zD(I^Z4$N3nf(ZUvq;)L+eO%{ZXL%%HzVi4Sg{!I^(L7%t+ojj&99QXcr^xOZ3 zBELmM6w{3a{I~6Rq*&LMxeWcGv6V<0;-ZQ%dL&034oA`z1%GRwpilohYM<}dF^5-5 z?!lAh7aAJcInU_RE@(3?em*6yVUmt5sC%sJxfQ|th^iS@mtMM80?j`NRP z+!M*Xwj_o)Y-?DAzimrn(s<+LmYUYrM=*dbxSn^Jb#4UUyK@_H$(ZCW+?QVsHomdPG+AGBY^=iD%1$rosh66^=fR$ zz>g!z(;NFJmJAS}06`uW5PY38p8E@N!PSSZ^6S^H&m#pK5Yi1{U40;)^AKk^h4&hG zNSBAnbN3xgL`N~C_u6`{$d zuZhTiY#K)=OjQ>f_P@`A;+@sZm4NSCNZm_LPaA6Rd& z37SYM@+KKVpl4x{RUfI1$G&p2jF5Y^nrKi;x-UU8a$bt^0B&(_wLD51Tu~K3d69xY z*CYZ>ipXX7x&bZrN=S|dLB#34a=~mp&Z$KL<{kBF-~5f7atf9_l*>cEKDYs3Df2A- z0nrZ)yu6_a?T3@!bRcH*@;7}c^iM?&nC;lJ^DlOiHUPp(PjBPAuK^n!Cmy{%yAL}6 z@5ilbwBBF~G`Zq+`cxt4lUGz5D@mKasNz+j$H5SuMA~Xj2*Y(F^LB?83mLVy*9VV; zAW9+q{=MidIL%O#4c9e`7`|Yy8M-kBqkn!-Mq#hd9||H6IP6Q$^G_QvgY;jp@2u2$ z)(6jn&9|=I0YM+A!3JouJ3hP#2l2O^O}T*I29&Ej%(hjz+LDj7(U{2-vFwVRaiFxy z+a5%4Ttqei98`^bx!!;onsk%JKDYuni>}Bgz6jEfnF$3mtUN!DD#D)AAv%~L`%Nmp zN#!@GpbP$+tNc&7O8LB*otc^0bwEFcMB;yP|4Ckvb@=15Pz(c?8K(%~qg=2OUcB6h jL6cG3qOgFl%x&rq?(2)+O7bFuzmrO*k7ph=yY;^S=*%*^ diff --git a/versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP1/Distributed-Deployment.png b/versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP1/Distributed-Deployment.png deleted file mode 100644 index 8bba51b8d0495141d02b68797ae1b51d466f45c6..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 34547 zcmeFZcT|*3voA_g1{4`Uzz7UMBl1DM1kw zP?7?IBvAy(Ih}r<@!i|^+uwKZzH6O()>(Ufe<(BabU$5PRb5^EtE#@Ct*JyoeukWY zfPg|pSzd>LfEYzUK%{^;3V!L_+d4)-Kx*ryVCd!SXJhYVO~583hyTPT$ZzNB>BS}_ z&n777>+8#Fin(g8YK~Jp2MY0z!KH;%q{)!V=&=ej#3A zF+nW8y}7Nm%kOt-xCYoeIhnHwDvI#(gI8TN6cAt&LW580_AcIj;IE&!sF|oR2lyoG z=H_ILv9?gN_k!9BiSY`FLS599^)%Gk1m(bICwoV0@JGqo($N*_;^|`U2L8y|dAK^; zdpm<}ViLUkyh0MfBD`V}e?0+R{_%HRa~pFH`#*+(=ILYY;c4&cf}f^6o0DeN& zUgoy=Uk&B-v{k&-y?C^Eyksr0Jp9&LX81N<{%+RzHdfX?_Lg8wK{g=;z+o$Ub6XE{ zKpVgPZw~q>+A5&s?KCY^MA7_)?!xY7fGKcu0RuNpOA$|B1#Nx-ZFh5dU$mXLg}Rve z)c|)rXG?$n00U*ToV%@#JzCMJZX+djZT)kwt4Qcg@q-A(1Hg@ibpAllPX z#X-y;Yh`1nA*?4P=BtEJa1ao2^wN}6)wOl) zFdoVZ;CBIaFHLP7AqQtGM{{)peM5CERShAF09QK~B_k(Ce_?AyVHGbyF991ZK^GfM zOMPEYKLITTXKNt|9gL;FnuVa9n1mjnLrhpt$=<>-z|u$8K+(@%!p}%uTSEwNThY|)%A1@@X?nO(QucS#kgo2xTx898hXp>J9}BH z+bMYXJ85aEK*QL`qHScIG@K1=RWSD6wz~4}2DTzb0u~zX&|?)h2SZ&8VI3Pe4|^X+ z3kL@WS$h#DZAEP%H8nk33juv20d-v;ZB=a{Ej0rTPis#X1wAcGBWodyfr6?##?#N$ zMMXhJR>w#|)gu5C!0)c0s^M*At)}2E=ZW_Ab<(i+yXr0~DywK{<1XvqCgQ9qYo{%$ zW2E8g=Vr;TtEHwa=;|n-Wv%Hh;ov6AuPN&%XeaCwAnay%_3Bk|1sexT6<<9KZ3Qh? zaWzkjSb&qVtgQrASVh1~Ts=Tl(?|ZQf~Bm5n6HtxypFiIjfAg*G^*+@yn z+)YE>*+$L?E8<`!U?r@1)!ac$TUpN9+z&`hQ9;hhP|H=w&rn+hsD!?PwT-*GqN1>q zrl+Q&tAVbgm8OIq*2CRES3ujt++5L0T-{m4OUc{b%TM3a$X(S>&cQ=j2Q8Mc-tvy3)$)^>szQ9y6DO|Xj$4jVw^>ttc3l=)jTw0UAt{_0k4_L{z4nyS8*wnm0%LpMJ`T_7EKtfh{JkiCJrk&d97pufD6ybH!c zSH%Ka=N_s)g0?yu;%){G5(eH{;1|$A11m1zrRC*d<>llr;N~VOfCfuM(MHTy)7s0; zP0mNd*2>W!z}v}J-wUIwDX$|CAY$+7uV^78E~erO`lDqv{jut5Xcr%}wF6e~s)whw zn~J}-zNV#>lCq(fzrBN^oq?XBo#$0~VRtbX2}?ICZ$DwIsF#HUr0M?V5(@S{mX;E# zVt%6f5^DB3;*Lhb+HQsd7*SP!TMrvw2?IG-B_BC=eqCi3O;t@rBQPjdS;X8<4>Fw^ z5&|MFq5)SOz-KRrrT#AJLK3#%gOG%)fs(hk7FJKf+QCXq32SJfhSs&U7e}L&fV~9P z!_C22%friBPfi!>q;C}9;9}!~RkX7A!RWes=?f|e>Dgex3>B>f)V&?eUFX~bQNsHR24l049(rJo+?*e{2i`}X)k0pw z#>Z95DnQB8N68H%Z?1vyuvGU4#!O4dOUN56eno8!44< zh>e<Ix?Hs^WEcSn69FMYhJXm^rjYaav78hevu>XH{YlQUOOf0C z`BJphC4EOc<-qg*Y`Tv`WWS+8RgwNjU+7ulO#)`t(+=lk|JF8~fEg$CpIxE1BvH%Y zSle$2!K41iBPui{M8$u6CsH9}LMKhWKK-{r!VnKh{~{P}8lFpnM5(w>9sjc{QU=#c z{Ku=1VKO>Iv5C30?nm)+{XGg3`upF$%P?_-cQQ{`^=T%{osf|C8F3c#pT47H)pKR@ zZfWp>*K zaw-r%e*CyYA^Ir?$+S5h+C1O1`^#g*xrXA@N3PNaX4@?Pyqo7Q8%S+W)7+QzuQ<*q zb*-fC+nM{p8=tKocn{v8l-kPKI{X=gLeJ%Pjs7{cQ}<*}QmuSc<9myBEY{C-ny(%* zt?1WLdwXSbl*RUecdAq6d(n!o5yv{G5~NKtT}DH87d&1Pl6IIK?qIeT4-Xb6g{?u8 zWVTd8w9glBjKtR0NbCBA=UgP3;%r7%cNC_}-!LRI9&Wu6?BcHM*la!w{_N4kGxOqS zN%GX~%bHE=#jYvOmLDfbVKc|PyuDM-#0dONX2=*op~q+Iw6}mwJhPdew;Q%5tr!buqtSrR05Af-Hi{=COx<7TIc?-#b1^FH@RgI3>rv{Hz500OuI7aMDeYQ_TE zRXS?jr>v?643dw~8Ont0|1|5uktlbDhqBgnWoFjcsKdRU!@DZU7iiHIZLw5%;xcG$0O}X9%($f80n(74!5L z-|+{W78f)#FLD)E>9{k0^OZfv*-^5%Yk>>Z9&gV3c1*-DO1)Q6E~Ct+89&&l*}X!x{X;91bI2?- z*qVykr4<{pJri$hsF=WT{xnP9-wv^8{8P2^y zbrg=;@~8e>xJ+bV39+hp-N|%2YrvYQPW;CT3rCP(`Ovi#TogP8jaSMOXFwz+l#2}9^eUk^*6$vhRYPnBWlbCdQs|R ze^S&zLQW;<(EpSJSlB!Hn$lmynwBXf*86p>*S>%F@nDMTZ%CIr~I?SagjsNd!qGGW(M38*aM7-#>SVn+fn!_Dc*e_Mmv=H|Fri^(!g}?IcUEAa}<8I>zwFImoGo5uOB%n zll&mzjEL&+lG>(531PWhPBF=)OP6vB3mtpcKD{AT5Y8do-Rj*EI75W|o*m}HSYu(w ziH=z1(9JWP8S`siattCKcaJgWmUOb;8w&JflL!_Jt0#(+gAzV0k zR9(pN?zPsj=GSS7BurmZ;dYbHy^m793-qMOBBVoxg<)XQW<|7q)_%1$A>5P8X(VY_ zI&n*(V5Nd;k=_U*YBMK?I_paE0vK`q(uxqS)%1MtYfF_S1P7>IQ=+j= zdU@qrjbi>QR-Z!;_h&v?CZwd9g&2Ly4n24})*y!Ix4I9uRAp6}`ewU@q@#=yl z*mi%_mqNySZ@pkZD6uoKUhsR1?>qBOI zg(WYZ?M>1*Ctm(lD|fIrE3KsV=2){GnE(~wY&78P6A@-f(+t zvk4>IlY%kjP&)5@chq~x#ABg)h;A`>Ya*sS6WT+$D>|4x_LkptwNgrRL;H78^TCb> zc&yduM=7}^gF;7BoQ+1fSF)0k5FvY!y`~LSK4-GWHkRF-Yr!!2rt~eQ%^wuczV+<6 zlCPp!-L(5pC$F3s$9ja z_45_+ds}a$Qv-k1DYg7)6Y7y<0h_Y4)%pO2kEH!uhN~&!cJtx>qDQyH?8*0aUwlU1 zrZw+be|9J=wyK*+O&)QnFGg~MohK9a0orLX9e{J(F$@8AD7^^rAB$0lw>FK*7fG;k zGJ(qTHW1-Ouq8cz2b_oY(A_yqGgk63l~dD3btx@7(?nx_ zcE}5H7fSXE!0Y7D)NL_qeDUJN^rLuQ&f8P1T%SU}31vghk4(sVq1juJp=&H+qi(HX z6eckU|FsWF)-_*zxF)BL01M0{O1RLj<|t+uG`6{X*0rI0tJPpDQm=Nb&96M+O-{!- z!0b>Gi-jI9&HuG*Fg9_FJ2FfhxMedBV;GY9G%pv|M$Nq!8_y(c z0j?AC1kuvoYL8YhpJX4EQ!9s3ZST#~LWZ1dZ?ni5ZHX}LZfUyI{G zYl=_cCfC^ZtZ&nUtuFi$!j8`rTQ4XOF#M*q#xhD;^@~@ZMmw2*5&f=%1Ql9AeF{Kfj9vGoT9`V`=E9;VV77(NuIHL|&H9XG4mBDXlv)`rI6rgoW% zB4WwMhg%?*P3AmF6+K_^m+Jxnqi@Fjrfy9-`nRrs^~~NKz0UD;+?EmZxCKdsJVg|4 zxVwr(pK`O~l2_hREMgMoZQfg%Ec9s=!$d85Q1(QUn3n^o(2v_tXYC_u`1YsSr8%V9 zv_h$=m7`)l%-*-nnrs>$!z_aN$9!pxT$~7Bs~*HU$^bv?$T8*%4Hq=hSy>csUOYHl zTG~S&A;N*l)fV?fS#@r~|&(f)whvffzIFbq0tpb&OEl7K{&1~ynvi0wWTY%HhJ-t}VY zB>;Pbt$gh2g~_ck|8N8)5f2+oAT~}Vg>JW&oCdO9R&XQb>4-O3x2JYL$=|2^!}>W_ zn=`sPTE9I;)C6|bY%0|4-I%GsH|;24L{(Xm5zgWdcuf^Nb#^>aSL=#CaJik&k^KUky+#HW$NZGgB64H-8s>z*+)GNr1t}NW@&d&2 zi8s$KZbdMLnzL5(8d+17cpZll48RvW(?kf+^)Jx&>UJkQ!JglM7G z&+(6)C(sO#gO!d3JLpY>y(&8uJM8MC0V{Z6?=kiDdX`_gmqehY^^!1KVG3o*-M zl!_o{)Jg$1Q`ScktRRn5oC#J$aXV@>1YWP?KaxORd5!|UFP+HQ0*KC7{G{6B z;{Bo4GBQdq$36^DaY1w#QNaTny<#zfzMjC#@kBZf3AOfPf%U&(MoAKyBf%786X@nLEO=kh!2En$!J`6+{pCxTu=5SjGZ`kxeHUV8b(a200a49@-?J21H4>pYV&(C&xLSFK z9HP?@KdGYHd!(Q>0f`shW|*8Whv-P8g$GWfl}v&p^EC`lR*njS5VQ^xg9X)X9MT3I zU2_)j+pUS}NLLU*1g5J!;PXcqS0~yz)4ROpFZzYF2Z#2M4!v?P#zlC#? z(9qYF;ohh7A{?Q{MtJS5a8gTxM9a?)6GrL^3+n%mfWc3g2IY zS&xQi_%I^)Z!Q9?q zbWB{7jbZM~T~#Vub)vCd1}f^x;dhXo%wfZ?Coyh~TO()RVVMEaKvNE`yqK z-9`0Dtk4C*#oz?Q4I}4okYIbM@mg~>^`9||_St*B1%t4`uc*C`E|Kv{-&61gurs`0 zxU9f^2={osPiJv3?H-9O8m5r5s(AB}f$|L$F*0YYO6fL9Rd8wb>TA&UztS1y5Xk2c zb@x;R1dZ}jfbA*2I{udLQ}&OK6>mWjr7%M z)#I`dSZa3{Q9c$^yx&(cgU~MZXee_bg(q0hYdaQ?MX^Q0SSb@)b&X&soVx7XJsmz$ z1t#1yEazObn%{rY5QgCRKzxl<^`*yk)y8ut!;wieums6@CK{j8>R2F{aSUMu%(?QE zZs#u&c7=1SduWrOl{J6Q9EYEIEHZ!q01wnxUV7({aFgcscga#AP!hk1qW-^)sO%?* zi8P<&(n!V2YfZ6dDbl`vq3+#i9OU(RWDpX#TDHNMVLLMW*wnd{fBXGSp!YpGI79mO zVQIDMbA)sHx9JBLm~s{Zi%pz34MM0;;PACV%8E99loI%RBbxKZr2n7XHxRl&u#8+j`LZ*xt(&>r506y z@CWEC8zRd8+x>jA=Io%A8_=;arPgtE?(+5<#!&9c?n{nrp~0m7C7X%KmPCj(Iaq0q zV}}BDPcgYKBn8y*Qob6Hml@f_)~B}=NjjUjOM`<`1#}qpZQeDh180z#TVi90X8Us( zj}|iaj$|z<4hVRLa8h?OfXzmI+5+&Xb-|O=Bru%Xx2!;y(^mq#1Y8F6F)10YO-9{U zHm^zSEw#=7$U6x_&ATrzN*V<%w_E2VCqjpFfQh78WPP^HHqn%rIZ4*@VQ;}TG}*c4 zi$T-=f@>Fauyk$Owplifbp$<_)X_ysjKNishkL6lYkgW>S|KYm-~@$<+m;IgYpzDaV_VqmN2zTNkc!mDF0GWCjf_DIk;}j_VzY9saR>R^q za-flF7UD1Qt9EL7W5hKL^h1NAZpCEkQ#b0Bou8#$(1|@kY6l<*K4bo~7W1W{`#%X4 zIy$*Zxh-Gc)>OtF>&*v0o2Lu%v(gI?WKFx@)&T~+o^kje0LFE6w}7el zz-2|JcZA_DV8v55NnyNh`cKx319|02m3RAjd1Y~T1UtzDt<=-zjbTTRVf%dALsM`f zodz%G!KolgAuN7*9K?D|w%^%Gu`mWLg@B9MF%XjMKkW{J8;)sX^yQ9zBtwQo!%aiO{=`=?qp~=svR6mJ0Y^7Cs8^Ph zmWU-&5H|#Y{Il7iOgRjjWz;blVoO_FO#!jdnsonYhPp!_nAQYkEjuxyODbJH8Ba?*YcaMaT{+gR? z)$@YFu@6L6%!qy&cy&8m+_|nB;2QU8vS%T9F2%V0tr!wAXWeH9UQ7f+_!xzH_dWyPJzN~u^BmHl1@0mLE|0y1l7I3!yI z09IeXJpI$`@CC^$np5iO!UcYLEH@9qiZzZ+{4slsU04=}8+qK)(8!K5zdaVy-@3{* z_4-ya04oijj|DhxzmYz;+O`V)9|DG?TitliHBEJJrE;%Ti1QVu?8f@D!m;v6O9n*0 zEIggLr#noZ|H>j3bGZ~F$S6}w%Ua0WJ((uFP?AE_4C03~e4$2}%I82d5(*ui%s)MG zavD++O<4$VJIT&9Ar}xznYTGcP1p9O%)B*@w6pbXD~Oq4Vk7kpjGl;ddAylw}@}dxm^qiZ_@;fzg1u}O23I9a5v!CdjmX7%Us+%SMa5BprEPZ2gs*hr& zZo8P!Z5A|VjR-M{pCbIlMxEik%9D^YQ?&8cl3_7kJb^RO+5uL(C$~fSL%rLJX;HF> zwUEntK#O{UaHJJOSVtZ*O6Qp5sHOF)iL;MdYBZxr`{|9H1WrqbG~h-GTI42=ahJ(7 zH`7ozJ>&}7%Jv=eKju#55=_2&`V&+-z*EEQjKEUC-G;z*uP+)rIvFodAf zcLHzDd4T^;Qoe{88Vg)BiOqA{p?2vb_m6Tt`ZEKARNkLSK%6cL^k*cxMC85Td1*1y z*qQ@<^o?Ly)aIiTBGRw5)WQP#s3hQByZdZw-s>xRw!$#qRE3xd1J|MYLm$mU$_Fci|p9OBo-NEZWD++&~nl-gZaYF@QtR zN#4I8=%ysN<&(QKGCueh27etX# zv`h{i(QvS)BmHG%uIAXpPbum`+1|~$Z>jk}oc(EFPC*9R#NDxZ_>S4|Oq$O?{Bb#i z9&65**(x8}*6+UeQq1I)=T-CW_q;IsXmx`g!G!L=(%Y}`u%xz{8TU`R$l%(Jru_&q z2u|m4`RD`r!=9H7q7(}XpJJ&1k5<&`X@^r$$cqXx^*#0rsuGw}#@jQj@>kErTo~M+ zM3SMb@n(Zl*xW>6AP)JPQ_lgXIN*6;I_p|Kb@DO)vn~%I=Tk)l(4}wQf*>kpg6C2G z&~RG;*H&VczFoA-rjhCw{t_I*H-l552^2q9-@a4mFna1p_ys(2QGWU#n-eh0e<3!= zh)5aFGiyMi<_2FQiEgpyd||KlDGxW?cHWUn+A1=S~JW#4o%2`amVioT=AHUS`uY4fgsgg{$Z^Q+@-zXC8 zcc62UMen__j239i=Am7y^xWw*Zy}n zlf!whO(Z7Xk?JhIJImC!)(8%WZ8-vsVo{KLQjqp@1$j*ao*{^$b@qvh{OTmLl}Ze- z9V57(w+Nj%kKX#x$ZoBT3XCk2WHq|)-X57dS2j;(G*_|@4viyv_m);c9-qc z|JBy7ajV{=qf9c5_6g_6Ajf+4)`YfJTjPwJBr(nR@81(kN_hEYnYi$vW0cRD zX+JrK011?BbNvjw97xB6NuDa5>Glhkp#k^}B@#vZq9gDsS8f|p9&v?$P+s|1K-f>+ zV{yvl$XEchgoJ^C?eGI5QELPsF3t0uutbaJA~S~!6E(0=guq5U{NrpXgR9CRt(B_I ziOnSlR|a?rX>1~S)W&~OLO}H~g5m2Zy+KaEO3J2S8`iV zz8s}b=;gvAaVf;+*Exv#AD`sCiRyI#yd{=bE*vSn<}sF0eNEI5gwN$rIbSHNeB^FK zl?M>@%k_|}A*vn#pb1QM;{^Ae>`fb8ZU8^sDa$v_%G_(iZA zgb(tnYO4!gB%Bkt$b1|hs3T-%%`iA8d3EvqCBLJF0DLM3y8v;q2>{7#uM_o0o&YFt z003fv{MY96h{iHfbO0#x1K;RH$Lfasm6a0d&vH3@u!M0T3UH3q%i}Q8az3^XnZsZ& zK6Qjh15cIk!+7fU?~O(@<}X2N1{3q}zKkPj|39jl#`j0^0s*dr@~7MY+6H3%BgFGl zw|LHn%Q0Po$6*b4n{oN!rj0YN5p#^pDxREGgs_ms+=q8Bs6zmAD z&?r2$jLwn5OEb9Ib@UyOrn?N;DI$ssurMhUKRoR%P;yN z2$Q*h*Ap72>L+Bg!@Yt6Bv=qXXbMNzJO514dKXxk+7n9!pjLgDl^Br|ulFel#rw#> zPey=66!OZS<3xM2NY9)#6h=pf0jC8-Uu`orr@pk-Ewix_B3RjB+E`t0tet2SGY??) z19LdalJiBZ$|rJrYCoLp<$Xx$Isx$L%7pGTs0!a0%P0$1COb`34E9FQteDimGs3Op zG=HC5P86^kXJZrTM8B+Y_`9|oSCxrF+MOd@XnI)fc#go9u=TT%EP|AX0?!fQoEy<+ z9&KJY=MZueq|r=*ypglm`Yoz&A}pD!&%{2XnT`VWI?BwdnDU@!qLJ*u6pJK)pk?Y^ z?G`Fz}NX)(O3WeKx7_A5Ao}(;sA1SOH`pK zyM+%pef%gz5vpK(J^YB($6OU%p>qNjxQ3NZuFQz4s&BbR!tcSh%jDfBkNfe#l4+{R z>?Ct2c;J3rU;4_8eXcY4OuVXSB+~9UtlvZT+8!L~l=@Y~gd+|=ijSn6=~uUwTiC@2 zYsz+h1eu@y_$|V}uPE!vuAjHhO`OaxJY!OQ?Y6kETd65a&W4i5KCW0KGmtRjT}CRo zE*H*?<#|=j7Gx|w1b9Qora2kc{Ky$3^a+}`kYpWMHom|d8Fm?uG@C?FkjDl$$hI@< zA;g(sqV?=jySp`i{Q6bGpM>K03*9Hj6fen2@A5v@mv#hEx67_~e+0VH-WO#kY}(X# za`^qb?RZM%oGlbz$wiL`KsYW|1h;dSi@l+9S=HHDpRw4i*u=pla@)~iG;(Gjb+bUL zPPL`*TxtKH!Fu^h;Y>W@L(-h(EClX43?S!pOEQ-@-*8n|>jzhbRQnXvQG6>caHmYg z7?0&k&2W+dbXmvPc;HQEX)18S)yS!I!tcIEF2;99s~(z8%oH>Cy|#o0eIV8e!}l*H zA4<)1{NspdoF0?4P}}aK%7+n%<<}->6Tk%b9Tor(Spg_5*fQJ&-8c#U^>F0OZD)O* zB@OnA)(flqzGZZl6u9S4S}w%w+$|*dYw}#p*rr${4~M++5gk#v2EI#YIb)Hoqt(lX z>y;pkubJV>S)cd%L0m#LBbYhSUo$V-bJ%7^SLFh4O8N8g<)-gWPnpmS?nAFF2YRs0 z*vrmM1@q}=d^x2CL!N5Yk-z*0cK(l@T*ec`4|vOS;dy*|{&y;R${SyNBx+{)__=#w zn+o*xA#0vakD9&##e}ra>DgK^{wo(3`C29Iws1)C&S#)N4ynv-FD?!qRKNeAS3kOi zopoGjE(m^hYb34|7EbA4cc-gs5NME@?vQrY>}OE%zF4(ZwY%|h^@?$HSH8SeCjdOF zEFXO~dR4yC)y{?ed0hOCcW|H8cBpC5YV}5Ty01g1K~Oc&J^4h(@AfRMWy=c5Okd9nANz16E*uI?ThZU(r&mqR<|C&rQf?0x(Jni-8m z*#~rfj2{TGp22jTq5AI*7n>-2#rj9PLvzJSq4h1WRO9Ss8#$Qs90c`Uf{MWmT|Zip zJ-{vx>??4Z#aj+w$yu;euEZm5n5f7jm{~Qni~`DsOThv#VgU<)dD!1IF18?DJq6GG3}GX5 z{%?NXF@lfPtjr`-NqPC)jfM*tgOKVXDil_SYN0_)p-oRCuk%)^chlg3MmqOHU9Kju zbm~8K6v4O!HB|&crB652v}l71tkOZSN(*9r#xj^Ko?XzLc|CN=%<=GoMrv;Xtr@IC zR`|fm4TLN%_Xmd>pTTZQiW!fid~B+o{N+UrDgpiE0*@)j2c^}a$rseV_rog0D=LTw zJ>+pr=#Oi6pU@ZXcLK3_r!wbOR_eZ}udlvoQ+8Iw;qKbnnjXXWhYu(d6O)uTLT=ZI z#^_DvcRuu#-`Gh9N&;(8!N*Pf*V3Yky*&ogeOuLYwt)C&MsY}<%!By`=d|sKUUTZqKXiT3Os_ z*F0|QEyYNm%F$;Dr2}LCY^d?xOYlr*bHPpOqH1*nHT8qp;5M|5hL) z{0rH$UXb+ToaZ|fW9VKvT(SU~E77xPOg~vzZE7HHH3Dgu>C|?-rXVlyjsl&LylKFX zC!8~9S56h~*a4M`KF+*Ck~KBBQIi+ib={JYPp&YNXLsvnLsf9MlxfM(4mNOX7M%$W zn$^XHPoeS&Cy*<+@?|juvF3B@#W~MCyu3OsPP`asgnu$SB4mmrjwE5r#_lxh3RzNN#9oia1 z2zXx~>A70b>-ACowpsh|02F_+8+5c8`5l`3=*yCC0ls$YuoQBL!^ z8&vH8@+moeLCs6~(TJzbOD)IZ`J(+m79*TeJBT$D+F#!Nz0)JsuQf@_xHtD8=0zoCXiP4u&5hT$-^`<$N|L4q^&uj;imb>*lEQI`%-0(9Z5 zbJbOpWXwv%ui4U|8Ls^ed-3*T5mP__sUSe00HR*0%mYmpmop!&)i6YSul<(pm^YSH z+fHYEG9Nb~%+b(dZ(-;vi(4Do?2Au4n2*+p41YbSpZ#hQ+Bhh_@vZNAx4)NS$WMAG zCDHKd&Eaf9-u%?MSD?x6wIVwz;06uq_q#0*Uyr273)x?kB|Wc)xaro3H0|Q8FUkx( z*lr&>7PATEpBH?HX{MIm_++^Pr7wdzoSH?FdN&U$(}|5|ZfXX#8ikuaMQ+A#K>?C+ z!(p*&aG~GReGqNqb=f7aaXa#ms!eI}&;?|i_XS;9zUKK}zkyLxLGlJN-m-_hIG2Ii z;XH}GpU4kZ`M#bBuVS#ig6VgpGfhd#>ld4L>4+YcBFGju0S~@_2pql=fWss^V&zXuHeltn9<11|hHSLz=o>oTAUQP|<8>1m_r8+0zg6AR z9vqMS(O5%GvMk{Ascf>(S+`kV zVWj6F*foWvX?~r2b#)Ty}qCztD|AH+c-Aftx)YAUu^n&(UGEiLZh~f;xISncTT}1^_NUxu|E3;vHIUYf=$3(zT>7N z1C`E1CuXR<5PeZ424^eXVy`N$xxUv~Ev4^BRQhcCiM zj_tc=P|5y$sjg2P5G_;2=JFecY+I@u|ZB>>UMSzq~Ok6 zS{oI$-1+Q%`GkacVaOn4VotYt(e!Q(#8xC=rVKVO?$o)oJYO|lNCqxrRiz|ZId5Eb zsI#ZK>znpM&boj%Mw`jihXFr^dtC62bVlx9@wB&6rYYANr;2vp4u>{+E!fsfI?iC! z&i%i8)UJIB%JY}{MY6qve|8o&`$OLI@ACmT0>J0J|AxCe{cg6h#5JA!uqPh!Y;{*P z7kc7Kfh%hE-*!bwh}JyQn<`c;^v!_t*!_Rh^A-8`f#n|$EFc#C;K2h>U0rM~9Qozx z)yKK{`S~kbw{M^LF*o;2GAo=IB+h=f7)l7atPs7M59qwt!P!l$*#baC?tSTxDFC;S{{?=001M&CH_>~|AUtho>g=BlpbFN1fGP^4 ze4y;OCk7M%|LFV+Zcze<$+Yy5>j&v)Hn00v&jbUsBI*ADtyo*6H67y=1n|f@G^qdM zQ7FN)h>KxP_cr%GjQDSGGCrhvs zks%uD{T_qEPi~yyD<{()2PG#xNir_` z^H+fJoN-W|9totm&=QuBipx_)lQb#xCUOF)LI5)3k0oXc{r{x)0@t%#gjt)*{fusuf5}3f3;viCe1~eNl zTXEDswFvy*qDw3f%?dA6tz;m1N|<`FM8n`P;mC858ZI&{8x||tOFeqhJ`A$KcgPp~ z&p>T|*3q>c4bMaNmH?z*cjba6sNV=7GT4ny8Q;0lJsJr$Hh6HSw^W}7yR8vRhe6u$ z5H0|pq?+#J4G`;lLT0#d)*wWUI8OLwU{h?Oa@2<8EvW7KwPO~MGP(%6Apl--_|t%b zI&Epf!r<0U*L`^jGLHA+H8vM1E`B87>NW^rF}FN}umY8Q0O&VrW%Wlu`7sa?W`!$( zJ!#3v!fxg7Ll74($j5Ubs#3#zz;PdYEUpcNAU~26ZBTGEKOs~&^A+qw%DL#ktk+Q6 zfRZESvN;?u$A<1U+@Jv!MA=~jP3AK-A&-PMp~kWLwybN812}^ann&%lAPNtYP<%we z0)*P_@qG9g#!RsU2}0-L6)j7s?UkX3PfWch@eEcSYXjwO{aUanjHRz?qE&^ui%+XU z9Eqz;8CU*v?X$( z<~$g|EC56yjOUoW%$=itU_YiV=*`M6huUU2$~qzK$YD{4u(?ix@ctb8^=enc?c(h3 z@2)_NEe1}L?PEnAri|n4+>eA0Qo|%T%HBBzM3Ii?gK&;AalIo|9@}z`a7;i;%vw?=)j2H@gO*W?*FJr7WE4X9m z?gf|x9!R;Mb-_$KyebT}9rEOfr6AHk!3@ru*2n}h-p4D?I?W7guJF`o`a_5#MdHTW zw{W-YnG!`{23u1kPXi+C5wNZocP?Hr)BGR4+@5||1fUQ*lxz*%5cK-yX_iI}zmF>H zZ$XwkJ9I%16gc?6QnqsT3e^RmeR;pmMm}5$xpS5~WDMv5P{#G`m(W`GW`OFWktXNQ zTCam*4G1x2Z;hr%mYB`dg{uDV1N7c{vh9YT|H|~_IE&Kln_0;zJm$XLLVjge!d&&=z1v#if}*|L&PwKh>P3?W#3&{fxkGW-XxUrh;lVo zv$eG$JMMyuItGWWV+@TvO<7be9Y$O#I;2O`0Xq6REp=cN^Rkrf;;WX@X$M6<#L^sVzw{s}Fo-qh< zZ0V>%b|k^c8C}%ODj>b04_USobbV&%#U9+jJEs48bLozjJGo$GU*g>mNBOt?$d23i z9w(T{Ko240S5KAUyx*m@avrX-`!TLDi1BFs*-EB9cAFV7iR=>I!BaY$VRnBTu4ES+*fSgXr@0JUVbBtWs)u3oB+m45mYP)I6cb5d4;wT+<*250 zD6z2G0kLkcFQM`}Hq7U|{ld+UFL_8Rm|k95GqEY$G29+7AjU_{pd7>gXQ=*s{TbHN zEJVZJxz$3d#5Kr{2!fxzzW3n>n=u6dW+-1ozQNq@HjFp2j&ram^^QjM0#s;5B0ptn?1v>#o zn(GwpXXYiUw?rQ90W68KBc}WEATSQ6iHceUt3Hlk;d}}HzvoMko1(OD!}II(e*>y! zFUo~^8%7%h7{gPfhN8A8G-qPP>B-;^pS53ck#th^mar6?NGw7riq?p-6J5Qku8#VQ z07Po}ha?BTC>aTu9bB{LL9uGial%3K)7T%*Fh|r*0q#X13S>HMVmB3R<&KmhFDl8@ z->&kRX|SXK_7C;)61N;zW3hfPhy#;Bao|4^A->W=$?`*Y21_!1i@=f)Br%M!wtG@j z{VV~XVCMgyn4S6G$|q3TXX+(^XXA+OZbJ}q5e4ygnl*~E^mWOVL6>MCWn8kNU0fSK4LT80xaAhw5X-C+0`G#z1lK%bj# z_pchhHts#mncxrGY)V$hEor!CBoC;fl_vb@-8P#PP~Z1w$D`PJs19x(M5{dpjcnh7 z^s$+DLOpjuT^t77RmcniuKCxz2lSzffRwjhwJwc;3K*;Djyr-bqvCZSW;g@xx=Wh} zpn3%et9F1O3j5{xvPf=lN5~4eH|V5v;udsC+X<)Rk6W;GE-pW3G-ZIWu@V?-9x zy#3ylZfY#xCyx;n)dVG796{0`q+ZdBK1NFdqQ#{xhh*%T$UDlT1r2;JYCj8}1zBY9 zf)99PWq_!P3|qf6>8a8fYz3pW>3Fo3m}diuyFr&IL073wi#2cG%Jl4(@BnpRUC>2& zQ2iHNILLqCXttXUT@U#Dlf|*^wR~wF5F*l=>6N2Qp*IVL&@}c2=+}r8 z21SZ>d#l-pclkho#RFVk*a7OM z1N_?_%6DQOrl|T9iSz^1A9JO=vZn2hUIsVc(XpdITr~@dq_+o7R9U`dOS=n7Kbt|= z^6nIu*|zHP7+@q1R4S+`9%1MYu4=Ld^8$5)P}md-dYEs5JBT`mkffO0eifm2hch4|ayGUMUZ*xMjF z2ttV}2H-Xx=4!X}3J}ffngw?<**7_J-Gm~<&<&0mocs}>Gv7pA68{Cnou!akg`Xhy z=VV?3);N7n3MgQ@05l^YtXtYk_Hg%>b~L*RyIB5v+;nR#qF7|lxmO6L#Y}r&Eyem z4JC~m*w4TcSU>-4!}V?b;8~&6*y;r-L>nu-1n-p#fGU1|p70lgsBE=KFDw+gzr@uX z*&c=XK%IWW#6;n|UHLe0G%FUKkI+%xjG2{eSulW{7AVQ1U2YyOk~@rv`Or!{FDv|R z-d72_z&SM`tj4=zmRdeGZ-feUMz!zrbk!%Qiq9V`xf#mPExF}$Dm12JbA2Q> zU`vH+MZ&*PFZp~a)Wt2;$&crc?O50h-Cv5N)NNVR&JFR8>0?X)nUXJ>3=W3jELjS+snV|7gcR-ZQYXuz%8PaN=HDh(bq{aNhte7 z0;sh$C7?x$a%a(4xkO?Lp3%A23*p-QFe_ny0(Jv&H8bkt4m zGf?ArGat%kKI%y`kk`VcT_Tm+y`z^9cL!+)?)w2cBEl626)GV5>wv-uu9-fqlpD~p^J{eI{B&NuA-%X;5uexK)luIs+9o0E0f@Qqe0J3cK@L0#>M=<7pE zA{jb!aDLdwgzrz>a`lWST&a*!VD7}$lRz`)m9LhWSwDsLd9CS}kDdDp%H-!(Qw{t> zQLKHOLbXjI1dvz2XXp$HcCv0X>siqw&v)Dehi!o@$r;0U;19Gb<|5b-d#2)iBUh*- zEgYcn?^t7zG@KejC*bM|jz;nPT&F#Lw26t9B?6E|UeC}n(s=>$L zZr7Lf?W0zZQw_)x_8`BmfMKLX;E~2IC1~w%>Bqp>LaxV7rf_^+T)x1zBo(gx4s0*9XbTrivo{59pG zX2uaYY&B0r_xXb}*AH+6%7z@Ms!^>sLY`DR8VC;9d8sr4liOBYI(7b8WwlXCqYw@P z-O%;nEX{d0{&vKIHR1jnYhrejp6XLPjTA&5oQ6Xu$eZQqcn#~NVQ4a zBYzgp1_Ea(aY*wvLcBw)RfaMEXJrLAZk-4{Zg&Oji@4nG`UB09=iI~?{Doe|O!?Tb zD7!p}+7EvhIvwXb+EfSCBcXNr6{Zl;5NZ2kS!IAOiofYrkl z*`0pH*AWG8idpK&&IRiS6Qf*xv|~pHh0jcy<}1Y5l7JlA24KeDr6+ma-)lpK1uhsZr7^!Txt{ZC z^HNh{U^l;}TK8$zFMsI9G5^A~8Y#sM+$Ox7!N*yfkz*lk4s2kV>UA<57fK)!f7{o7 z8|{qz>Z#twT!W!E)>P_nRaYY4J&<&JAIP< z8N=Bs2nJl>@Px*r@hDx``cFw>U4PbmX<2{-Jp} z_iMQaY{9EMuR!WI9uh;F>Jp!&GEcDPp(HaCHi#TRKHX>aOR+WADywHWF&j59fVsre zPL7QtPh!s_9d=vZMz8o*{Yf}F#cLyAvakni+i=RS9&ac7Zq?Z1~6Mv4TWJ!SJhNzB{``^F`f{bzx`c5p;>g&dxsuON_Z(4{B}RG+@zq z;6^cajW+>{>F)y@VJnzbl;-*b6#WxG$e+*u1E8pJ69_OaTC*1A2msLNUo=*|`xn%| z`1F;;mxeRlQ;ZqxYcN6u!uQ$%y>462V%qPbnKt2}gCMnOkWswjd0F>k729R;CUHQd zc7b7}b4Xy5s$?YD6z9|DGE$J6oUyI13c_Th5-eN^>9<-o@d@pRYq>ZI}6 z62RxDc)pr5?*BP3n2VIFPOHrvmsBQ4m;lp4z{+Ix!YhXZnZK>t^wWdh4FN?8V%Y)i zA{$!*c~q8(hf|1v&q38`Txu5Xis2no=|LhL`6r%KwSxz|^uA}NcQ@~SHp#7pdj%IJ zsP`2;CgYU>u`EQgYi!i3EB-D#*D^3CbMtE_Rp@jWFX@RYR$ja6B3y<9R^ID3A3FQu z@CT00lPF3#3hO8rS2AV$5(U$F0Hy@*g&vVRkwHIyM7?#KwJ=eJ-lk@!gRG$-Hx`U2 zVxhP^nk)vM1{)_O56Z6Hj0)UvF#fa$xH}m0Pk>t3VFt?J>=?dj)(wZbpRc{e)isUqE(rLA{cuGUJdZSbrp2=zOpZ^B` ziH_brL_>8q za?2BG&=@J#2k1v|-$k=Tet6Vk}0Hlt^l{gUXE#gl}I_**tg#&4@~iP z)+2BwgivC{TE0|{5oPHYPkKEi;pi9~j~})?xjUr(pB)HQ~%c@A5=TboZBh%AaXtNj4%S2{HMo=#z&@ATe4| z;5ahcnhGDoXpV$1YJVAj%r^G$hZyTBzcDDABV3<}<}>5R4ZpxsIK=t~ORLxo|#q zH9dWKa$Kb9-W?{&R&fyFB}afSFdfcVV32>DFcbh$Oy-ce$Nuv}rW^YK#lwIl*#scx zI>4fmJN1tKo^RR_GBY_Qm6*iY! zZSp(gvsWxWiu1W+_A%A7EBb4-mM`}^kH8q7?c3);W+x1Ujt=xvLDD!0U3OA;COJr1 zg>-M<&kx908pZ`h%7Qj#B-x|=bH|7tRk~eBKtUqs#E-$Pp(l1Gbt)FjST!^#!rqMn z$#1o-qysSp0EhiG-{!I}Yf|#nQc?&qBWyEcmh+TI5w6|2Yl&1z&xDjE-vkhZ@nXe0tD2CxZo z)TI+migE>tm<*HOo#Gx*8v}#mki6u5V)zV6Q5<64Z4YhEb`k`M`sIdjZ>$z+==F^q zpG{9mVh`^7CDQfTb)Qr5T$q_9bS2yl@2nkm?~; z#H8@9Y)A}_yRd@6>BQjlDsD97X}hFPwF#C#2E?8-Am@lPYDSP>%|xR@Ponxj63U|V ziks8b1*5`U5v-sq)-%$qkhWx{D!CK%AKAuZqEq5QL6ANeGOmttWMT53fD+l5Y0ZA4 zTry8rx?&>>!xU0nmmsw9>WiK!`7tl0Vu+*TR~hf{J*feQwh!o=HUnIxfRb)((0sVY z0qKywM+wJ}=IM<$5Fy!v0r&dq6wVhs2%=k-G2vvW7@nvS)5=0m5!WW8?s%Xqtf^h6zt$ z0>OO{<(dlKJ9Z&sw=$amqqCn;$DbUULm{_7;uWt7{`M5*M{5E~)b@oe0Fyq?cNjE* zoamk)n=XieeUAi3b)SGWBtP3&QMXKlzCJJCV%1&`V3+j%iUrSF6q-=)&W^oqY%(aC zK)SARf)L@Rc?@7hnO)~e1Ugg3q&ZIXCB;dfg)#LNW=FsiSW%7Zg1LuQf0(Ece=Zdy z9{|yxD9u((%Y!4WE;ruh&#dIP9-KxC1qW0Wh9Zl1qzO7eoO8%<+O$`MH*kdy03zNw zGmi3?(4Gz;?bw(&q6W>;k_P&Q7l06CFXqyvgG!^6;{;8h=VIi_^_`s8g!W!Qboazj z0*Ch7FMu^R)_6iR!?GpK!6I z-l!3jPuBxqHmkg!)^Ee;*#}Z9QAD;f!_gB-5WDJoy^^!c*d21J?7V;cS*oeZ%WVI0 zjf_(n0lm46tdm}cEX$+T&v=GF`5=^BscRT2MS@+X2wBQHIhs18Bvwoju{l!M zmICXU!C@0nq-DB=t*PG^BdL$C@-ZB~|H|v5QGOcc(9xWb0u!U@cZ6?KOuUJFg>E6N zI+~q7|5^}(3~ zYO0vH#yppU29L$1Iw6+D$?vR^JC7(62nDORlae-u4{f8rDBd6EviTf@>Y8Pm(CnpI zMg5(I(`7UQMZW$}Vh-LWHxW=LK_FFiJt9;mll}mUrU+7jUnNdL5}MsJo)gizUT%Ua zWkcKa34)Ac$(==?R!FS_{=#=Sl;M222wwq_q;aez^}Zqu21xXD-6gC(=U!?%Ob8&X zVcZsTyTIr>Tn{kxg|;C%?q~M_>-{{7h$oGMqpZ)T-Q3S)-lnLX*wD zScwzItLr1*GtQ|*%mT=4J=3c62k5l4zatm-y>WO|a2{e_?P-o~G^1wN2c*h6eB!8f zXCfA{&DHPGzVT4@(a^RSeaIy93FxBRL}3pBj;=XA2gb|fDE{3!6uqmfm7ZjEAEiXc zr?Dw9lc^}x>7ON>Sr;xjZ)UhM(*#{1I!Z-7Qu?OZ#bkpn)oypRn$8AtKmm~hVq6xa zRnglZb41omvyc1EA){mIfB;5kkKjRnlAvhlE{~`~uBj}2JQ2-v8 z+fnDA^9eCKxA-3c)hlsX+*k#dX@^zQ`5@5n6*uwE3cknk|1Cr0{ChtYBXe`}_rsuJ-qPA? zc}!yoD@e{g-Ju0oD#ov$P1?ADQhNfHRzCgO@F8qZ`P&e~XEKH}qL@?OBOS8_NcF+( zw0f#A9|QjL!ofKEPT=W3y!QT8(rIA6%#qbL=d~g)*><4+X_7PL z*ixk>LJ7#U%UeqhBgc}b{I7UR=ouP^Eefw=c{6>Bdt|?L;kUCLn$b!SWi9bO_s;IdclgMGUWw@66G6~adl`|`$ z6udK5sQ7Dx9Z-;gT}9?4f;_It?%0VMjlf<)u_YOP^R?3=CDF9^Sg8 zO%I-=U}L~;l6)2(T)VV#+(m~@-=FIW4GZE&ok-k_8rdO(bzxvD=S?mm`K=VQ3$a;p zr{Faaw!?#uqmvR=p0j`ohUBm!t4ri-bi&}*bgUCiV>@`EAbmE}l+Ens#n4$-B37vI zDsB@Z4E1L0y~~5F0b45u5d>x0y@PJan6)Mvk*% zT?l*}=?0ZguwhLJ$#RVohu8F((|)=BDlZxqY}(5`3z`R^DWETjb>e0)FB;ArSW^;c zJ7uA>!g#FEWyc%1(ZHKxP4O7D<%Hk-1h8h_$s~`W0i|NgOe*y)57a;?XAX?KTcJ4{ zfp{Yi`|*xiZXC4K9-AY>_LTkh@T4>^nxn!Syt(k8q6Ic)@fxWoP;XtZPWbacBWtUe z3!?KYQ3NUvp!P57E^ch?+Vzd7Lj{nU4C{p38a-&I(`l?J zmxp*wptH-cLbK~g#W*zZJXllgg4i3uvyfRkqq49B^? zo$%t9_1KSvX1!uCoYvSJwT$-I2*8u<*c{2o>K%j!<9V?$TYK_K7BqXv7W@1?01FGgGo=r`xiN(R+F6t8dyCvcRHAJuI7+O9Z zfsY=oM%1P4Qcn2XTWRSF|Ajd;TnwM4yR|a&cl4R7E!HtSU-b|@&U{awU67*haR&|0 zLP5{j1S!2=et`9`P>`ZUEkViWH6OO@u{ST8)eE`qzqZy}0G1BV$UxmMgf<2`^O9kCya8LH{?0rdCUb?!79ss%x;)lK$%` hhSds&cdLqqE(!2ns%UlTedi+hXQXGQTS#$=_zNJ|d2s*$ diff --git a/versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP1/Distributed.drawio b/versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP1/Distributed.drawio deleted file mode 100644 index f7c6fe79..00000000 --- a/versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP1/Distributed.drawio +++ /dev/null @@ -1 +0,0 @@ -7V3bcts2EP0aP8pDgPfH2ImbziRTt+m0zVMHpmCJMUUoFG1L/fqC4kUkAEoULwDkRC8WIBIkF2d3z+6C8JV5u9r+kqD18jOZ4+gKGvPtlfn+CtKPY9M/Wc8u7/FtM+9YJOE87wKHji/hf7joNIre53CON40DU0KiNFw3OwMSxzhIG30oSchr87BHEjWvukYLzHV8CVDE9/4dztNl3uvZxqH/Iw4Xy/LKwCh+eUDB0yIhz3FxvStoPu4/+c8rVI5VHL9Zojl5rXWZH67M24SQNP+22t7iKJNtKbb8vLuWX6v7TnCcdjkhWVoPJP5zF3/w/trOvG+vv70+z4rJe0HRMy4fw4noeDePhA5L5YmC/Afn+3N2pzcfcfSC0zBAh67s4dJd1DwuO3+22U/3O3oAgOtt/Qxnkf29R0kapiGJy6vS288vnP9eSK4aHFIhrrOvz6voLkEr+vXmdRmm+Ms6v89XClLat0xXEW0B+nU/QziTgUFb1SRkjYCswqD4HqEHHN1UU3pLIpLQn2ISZ9fYpAl5qvABise7Q6swymD/F07mKEZFd4FxkA2LonAR00ZAJwkn1RO94CTF29aJBBU8qNphssJpsqOHFCfMbLeAVKFywC0x+VpDcNm3rKHX9opOVGjNohr9gBz6pQDPGUACkEPSBif0OWkfHGEayyfzMqlWj2QaI4kUcCK1eJGajkikYASRrrboX/K79Qh+vYe77+Ef8RMBM4+TaECCp4SgYClDoJz0BDJuF6jFCNQ0O8oTGiPI055D4NsPc8+Yo0cAwMy0OJHhOfUDRZMk6ZIsSIyiD4dexnTUZDdHm+W+H3SwHNTE3YXZne5HwfH8Xea1souucZz3NH+v24+OZqZ1xrKHPDpfCY5QGr40naFI9PtT6a2jXe2ANQnjdFMb+T7rOMDAAoxaGdBvOqkzT6Bf8nsQn256LadXd7whz0mAi9MYQFVi6a+zrsCfDsTd4ZhPhKwL0H3DaborEICeU9LE5x50JcyCCG02mZ9rYBEcQ00upCOPWdAGOt4Cp0eOc8ZG4SCDypOdmkE1ADdTpVGlPGFNtTkTUuXQI/yYNTfUvobx4tO+9d50xrKeVhPHlsDBAyiwns5Uzsg5Krt2Dy9fdpUMVMgOuCh4QLZredg2fedhBji5MQT7bObckZJzBNt498OQ7HKm3Wm4jW0zXsbmEWaL6LdlTqWegLdesv1MC+Hp72T8SSgMxxkoN2yhquUYuZubjDP4nImgI6JohtahRmbVYsxqlcBR5pLKkPMtYb4U6uSgh23xmSTQlw9aRz3apJmNT5FGsIeedrA3j1ExzfMC0G6BnZS0gFieloCivcGYDXQN2oBeURu4mLCNtRXqozZwMWEbSy80kJ0ol6ModLv5GbqNgjIuza9B5OYp9zbjs1hJoRub7qVs4tqofWBzwKkp7UUEcmx6TD2hrQrkb0gDJqq/8PUSnk8r1IAKjXoHdWx2XQMVgAKuwerEoXLIhAd8dw3neBum/2R4vva8ovl137SL1vttgfZ9Y1dr3OMkpM+X+eWiNkmfNR8LOGW7NljWPIy2b+3qLXa8TurVllE/Hca4HVWw4fv5SS/7hmZc2KyxYzNoailNCkYymJHY2HhqNb/kDAS3MgFUpFBdDgL+IDkI2DUHAfXKQcCLyUFwpWMABSuZJHu3i8lCcMVjHaR3Mg8hbY3mzxLyVCVkv3Miwp0MZ9omIg4UtuSsX2vkVsxfB/goVXXnAxGRxeMuImHBEzZDoCxybXKZDdRPV/rj3pSUsuBKz9Jxb15GmoKiTD/g84mKywn9gK9f5GfysbRy0zJF5FcuwD8Z+Zn22GZo2PzwkbmmkV/1opk+oYt5PGzWKPCzWFOrgfD4qPln/fnC4z4AtAv7LNEKddYB/Zilh6PpmNOOrGsKU1H9AVg+g6neBQhQJR0lMXhLVIGIN4QCVhuXwr9TKqTvIm2fzKdYGr6f1vqiZKXxdkPhT6h7f822Or/VZnXU7IEqa9sN/Hjsy9tTKxmfHvoJlrPB4koCi8nSf8Pyr53Dx5WLHZ75o3V4nacX6ewFT9ch0chWM6badQSW2pVpqUvd11DXpGbj7dELwS3qw754LjspafPhnobJeMC9YK88Jeko8Uo1j+Oe5XL0UzGna0RTsu7JKwSA8WU+u8fKxLs4OKauxrd1lk/zEElvFtpmv7k7OdCe0Hjm4WNLtc8Onwiu7POMzn2WW9DGTHM1U19Q6QCmVDMtWgS0D9mv12WmcfZwiiHS50+bWjOCtNglU1WgVRMWFMXpk70U4vBxOi8spERYM2hoJy1tV64McMqSVqFwhQ/ZvNfhsww6FuNN/RahlHekcxKUyxSrz4G6auOFqtGtejEtKZS31o0tfPVlhTPTsBlEWdkrTwda6HQyX+fuZMc/QQHa9hvltrLzGmc0t7IbbQM6vjKSJd6Uswb2VU31rMG9JELP5l3U83lXSYJSiRmdPPdosablaKDb1VTyywfdPgH0uZaSf5rjhpJbBi3HTvLhaNNOqglF2bWxUs2keGNnTk7Vvs7ti9+02dfZZsEld19noUQhJ1EVlvSsFZ+MBTwZ0gqfu2AmdVIqPM4aaGQHTc7RV1tHXu45ENoMvxRuZjJZRNo+c5KWew4SHrcBgHLRqdkEY0TtFhSRhMf5KrUb8gost1bYY3WK1NnJNxdUNT181nuaEvi4hhf4ULn1UJvTOrcG3r++PYoy+BehDNLy4sO0wWTLtOq1QZMdPUdELOjKnZUittxtUpkVgr2sEKjZoNKSyTBDnSd1aEDUK43DRheGb9cBcvL4MhvZdrx7/PjBWZ+jIq9ZBmo4E7KlkqHgNUH+2tGpF1rVcw4otfwoliX//6mUqH/FJdzuZKI3cxlT/btycqX5EMGmlhdKNaESrtl5lod67l5GnjPC7P+QZIuaFjx+xkRmmw8ML8Jss2km9Ua73GjuMhIgvWz7iMor2q7uCEDHXzbB/vMJg90zcrzFWWIB6OHjVUwpHDqlw/SUf39Kx1QYYMtr6oN/qDoI7ctPFJm4zpnhiUycrdrECZLOGubZ9FO0Mu/3hnxD18SwWtdwZNe+KdatjVws8UTAtaQCF7414JYb2p0mNbZK5Ir23dMXuRy38UT/JmAk5NJmQrLtlw6uLUHr5Wcyx9kR/wM= \ No newline at end of file diff --git a/versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP1/Distributed.png b/versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP1/Distributed.png deleted file mode 100644 index d96ca216b2fe23de6ecacca6544f5b0d0ef86778..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 31547 zcmeFa2UOGBwmu4oieN#JBHacSS_nx%>AfQ$y$PWO0--mlBB&IxBhpj^l#ZYjX;OlU zfYLz(2~FuC0s#WN^$YHEJZGOX?!E8bcmLym$9C+YkgUGunrqJa&2Q}+7j)J3F>*4} z(9rDDP**mfp`pjq(9jk#>;j(@we_#k(Cq%|qhjjg7T}1%I?$YiD{cRDQe4a#=k0S6 zu6$Bl+~40{#NNx+Uj%~#zk#pZaP}BSjD!95*WzO0V!~oDVHoTp41N->0G9-RiNQrs z;^OAp40RS_a$ps7=)FxW}BBKS!gS&)7R{}p{F|H2aA2kQGD-NpS?QZJ<{!w!F!nt95 z-9R;zl!%xJTuK5Vf|B~<8&Kt+KR2{>wDrRL)(tdI2OnFf?Kzq|iYwW=I_WwE*(>_$ z8V0&~;xxAB=I7w$jlsEZ7lVn5AVgr>U-$%iIBb7v@8E|)gFeMi!d1Wu+hc5k?qj@ymG zjXmtq2ydjy1u>YTyS}=H$pvLIg!ly?mkT}@b-i@p>V7DgrmCW%i;AD%Kx@altf&%Kk>PGe+QW~zRZYl_GEh%SR2|c)q zj~n~~`lPs`zN52)zqX=|i=%>*D?;g_fr)|ysN||DW$WZ&ucE7Ds%)Z$aWcb6Xt~sQ!@ocgp`2_T+B2;OT$w|(LMm_6(EJcs2G`I zv1WR%L0V8>pkZh803Q{1aVd;G+!TCdBo(0NYKzql0z#ySfhjBaIEiV%UExm3CiXh2 zDvkjtCvz|+gr-T5x}T%3qPM-hBw7=c)iP6ZRMB%Z(Q`Bx_w$!Pt3$#NsOad5L92PV zp_~zh4j45_arGeZvA=tehk_&0&f5f3L}&oXQq))S(DMmWk~>QCvi6;9ajVM3nt2LeoE&0>Tcd(R}?RJ zz!eldkU>gVe=mJCZv`i9e|x7O4YZ*a%)=F~V&HAAfW_#djFHM3rYfptzFrs2;R+2XKfEJjE9P{ zEdp-jpx|cWYhtMFYh)CN!}+N=1}W$nX@CRn>@TijfHd=xz^IrgAPsO%hOQW8Z(AcX z37iTTs6AFM&cp;wloh4w~lXW@hU4M&j!3=7AW0e+d;kgbo6%rlO;XgaVj}k``P; zMO6~(s9}N*K%-O?{ro&|N=_)Wx|^ASii)N=&?1U@V&{err(ma2=CnSs9| zRtg*$RY?VJWdzz6p`eFyanUtFJ4m7({0&@;%u%*xYCvld;J*1lc1#o33!e9nINVI*BuTvnXWd|u@(;z)%Wu%`e7VRtMY^Z34 z^2VTbO~jS718x00T~PME%1Ao{RS8{FaRUhnaXmdyMHg#mrvo?fKsv*4$Uxm7Pai+5 zpNp*o9PNp43{n#Jzi5gygQLBJOpqFIW6-U(x}7ps3JINECr>?$DbB?Nu5O|Z^90{{ zcn3)+2RN$e`0MB>J9ryQ1}Y%kOpSfDz1_@%)R3y$3c3>BfoM-~vnXD$ceHcV^a;|} zvzIWC1h<%~p=5xcDa^sn6s~S4W^dL;q`CCLWvdJ>74YL9_X_or z0l)vc$>Ay$i<+f0H2gFg$_f_)tY^ROxpz|K{sK{cIrGTQi`?{_H_wTMKP8-+x@L4H zW;gokbk0Z*wXU?l3m_j|AB4ZA>|AD`W}|@ZfchO>?%ELy3Y)| zRs5@iZi~*vC*NMNnGAN4{qeEZ5Q)UPjS{#0*Kg85-^&-&{oEjV9liPj{23(XNQG65 zKZs>1m;^ zeIU=T5RNL?qt1OL{8o6`(u7-$qC>qH=!Axjhy5|Ehe+=kNd1kW^x(I6S1#e3D*SqN zUxG-;;i{=`Sg5-Qb9(2v?mMRoSfKW3BIs#{$_4m68R!)0hI*3ARvGW_X@J^e@UaZX zn>MpFjvs}7qR052(hX558kr zcs*3riYh!O$py{wF&pUlm3_>#^8frI@>jt8eq<&_^Y{B3rB zp<2qK#^^$QT4SREb<+3uEUX!u)t3+E?2OJYb1kfXU12li(Xg)}gLmn4G;RRg*IF8a$2@-psKE!y{FsQ!fgms zJ#975sKyuKgk+IoH>6ME1ePLVc!^vA=ZS9-u^L!#;HVZ>5 zH7M!%z;-Rp820580{a!IGN2vaTlV1)e%x62*2^L5mCD{I_L_w#+w4?7M$y3cTJ`6L zh&LBfCZ(N*0_RKGWk;?bzsYbmuc-dx25BE^kXcu9vu>jdb^A3 zYFYKH+sL=b1N#d@W?hrHqRAG8ik(8b;y6vQ;ke+mgD7JF1i*qA2NS=q>)9B+lA7Zz9~_)F^fCE!os4IFix|5-dqlW zOb zAMG;7K69(xSZ?(s%93BUh%n7x9$tTRc}Q++wSDAy#!W^!%E*BRXw{20*QQbFX_6BU z(T|FaZ9eSt(YtI;s^<-3 zdJPT%LNAWTqmH&UER5X1$1A(^LJtw2Pj(K#T3UI$-DwNPu-C-O*NAlRBl)5!Www7N z-B3>kfh}%gYeh6RzeRtv)qC93M?|5C7-T3_*D`;T|LkcrJ?Ws_hRA>>=aT`Qu>X5EehSnImcuvpPg{zHLI zoitjQxF$4uhY+%cpeB<3^O+z*@21Z1iH|k35BDwNQ8h4Z&FVyJ*xJu*IUd=cPYy&u zdSgc`0r!~@-x$Si{rty=zU{l=A;YsOeN=_mm1CcjBJM4*C0|$>x{Nc$RWH?-q%Gx5 z>?!IiUt4Vt;|(Ro+FX6rYyD_y9~Dv-K5C2(tyGlY{TTR(9B0_C)alxyv+ISvpi(oR`n$8#HNDd@h-eOHRCE zICLE`e1I*ib1C9L@MDZe{+qeV5uhF%NXq8HAEl9>2(jyCPN}Q}8+;tPIr(az&-w3< zBkRpw^Sh-(dBbWbO!c}oyK*=i^LZ({M5bF7qs5M zxA`f!3WlsF*jxx3JI>e7(WocgDENw(cwJ3GFFs@;k`F5@du0CZsL9pFiJpy>VLofp zqh5*OCa(0pnA)!Ru%oh}ipPf%n{AB4mP^vzYE(}Q`8OvR;A`plYDI;H4m7VXNVb&# zb?348UJ$iHAPOQ01esMl7jBSJPo7A|?JpY&awQ>7m254J`@Add;2 z@de-0ZJSByaqo8fw|})iPQSLMTAjjwn^~Rx`zRQTl*|_Q4XQbGAi^32jhj#9gAi3W zfpL>nWkQy@Z^)ZP$QGdH(p!3%KU2S&*%|bOWAvcMI)T7Q{on)BPhxyfpvtjhw*)?w zE#Wu3&4;8IspGbxtH#EG#jB0E*H0bQGp3)j@j+`Jr4B_b(uJ5q11{t{b_`k(AEn2M z+XMFeW57GteyUbi@g6+rEchuKYWU5dw*=MP3ZoC|1%p`FJS+&O+NaK{Ej?}4&e+Ts7Tkv|X;qa>Hl$93 z`MJeoQC!z_8=c9#%B75WB;%mm<@ZPu)l~bQD?gvcG41;FA^Wz8cbZNDZ*Wg?7wr++ zp5(aW8Pxd!MJ|v2XpsI(y)iH?s9JH{8)1H^7QUn!xLxEzElqs!n)kcC+nqiH=JC0v zaCs@(9t$bgW7{U~t!X{dba+)h)R?^yhLy!+&h^?1M4Cuv^-@5??45)l?*Nx(mhLl^6p)1Fn8G2mb9 zyt%K?&pIhNJgf7 zjwSVocY5cMRRd7#lzVK6H`IpgxsU9OI1DsM%$*I`*n8RC68JGMd6^b7mpJ86iHl3k z&tO?NA>fe)u;IaV=hF(&5=JJjx`cM!yh@2KkQ*0H)EE&Z2r(bD~s;rNG^`=2{W zX~o}umk^z^`A`D?GhXF*(I;i8rrpQoX4Q!y!HM>gdYm>cgit*u$CFs6gQt9)pI7N1Mm84|i)yLG7jKZ`z(QEjp2Th%y zrVt`;r~5q%cttuBBC&cJ+Lo&KlH!bXr|I&_4xd~{zq=c<-#PC6czDo*k}i%L6zAtt z2^whaVN(e@CY^hR!D3+J4*#|%f8IFScvuDZg?6t8oX2nT?K9edVd8#p#j0LFa; zfNJQ#Z9;cj?$6I-*`?*$(u)G4?@lp1V<;LjxHpq1LbU$`F68|Q(sPCIC1U}tLEJsh*D(Y)9{qOX`^EwVWkDhtIebw- z7>JR_Ohpe*lcOqPuaPEPWo)L&O-y+n^1)1zOi{;iinsPg%3lEzL96kN+0|*9Om{Vv zw?4UWDL8-Bzmj98$bK7I<;bJXajdFk)~9-iOy2AVCR=-hYI=yV?4~2(WVT)GjA}zy z`H$=ZL8TrGx;u48d)j)4I~mT)Tt(STubMZ{`@k42xohaI?^622aW>Aq`a<3)`-BK@ z+jcMPqDA$zMB%+6hi_KxQ4rrtw+Dy_{fP*rywvDA5QA9jb!C4+Y| z?~4YJCyuW{PfVLdKUztrZ1*B+eJN@O!Ggo`6n7xY6?+c)L*SI`QK!3RdfuX$oqy&h z^H6a9q$^KtXVWPUPckDv=UxSLo>=9QV)0Fzhi?KTw|lXvs$<;USSD6}L2^-m{=FE( z2_Q3vZqe^A_IrI(RKD-W(W+JR_TF=$*|GZH2n($85*%0XrnWxQQFc7FV*W&rU%doG zu)l8-@|P;i{-HiFX~hZAiYW}^rh&sXVf)~oDFvtqmM7H z|K7vYbS~6(jxh487b4wRZsy_oZ;B)Dl9^95@ZaJGnnV7OWaB{pxf&YV>}w0#Tbe4O z8WG!ILi70&11CD_b3S{FFQtC4sUdK?7s5_sN&cFsw^8-CQAgFI6+l37=|T7jkL#~W ze1mE0bq|beZ|QlfI6C%gg)~p!GE3kYGc5i$3QoxX4~OhOuW=(+3&JU-EeC#6%Na0% zQB&+a5z$f*8Was)ZL!%8g+?Zq$lulEI3eHGqkfOz^>QBHF8vV@KdI;okYev1r;L5n znjYk=Hkb~6Xf}0@OqrD9gCb`8xOB&dT|Xu;Dmz5p`4vp73(7qnV%26i6{0c~qU54l z9;SPLYRJ>7U{b;Sg|Dpkd0!rnEotpLVK(N#(se+59*|R@qT>&F4DJxysvIxsyV$;a8ySj{gYoD&wSFa3l zA^R>xLeA>7rCuAkk1O??8}nguRUi`JhBtG#Z&dHu%)?HYTnGcc@zvg{354wzx3Yau z477Zy$09i_wzmmab>=L=Eb&WJ5bwoo;v0%x>jp6)Y;SS#QWmQEG!(kC$!eQ4KTw?H z`}4EfwcNs*bB$aPvt`4w+#pUlvQ!urQaS8rET z&c#0+@6JlA2;;S6H(&i>eR6p^#yQUDfnI(To7_P8_yY^1PI0!}#*Y!!!T=RgmTZk} zf?mEf;a~y-h)aqlqb!r%D>3CiJG2^r)6UB#Y~EG%d27m~ma|QAG;TsCG}vwi^5&=W z%dE*i^uh)t+J`6;DAZ)=lwta#GT8E%pq$i9#bla}5+T-xVkb%d7MYx&VeQ*(q;q_v zo=Ft@2wiMeG+(oh>{SMPeN5yNhgSaNeXy{XQt<+PAYjI|U-DbH2UzVW6o_Ezu#jsv zr)wRjq>(wh@~?sL`6v{F-D6_usZz4bE@QQ{Q`dEq+yq5dionjGT!jmg6nw)*<5AH- zl0T2khizTXKz^6ZXZ$pPD=kR$#Kh_EV7SM2DP2fd)?7MYI&%mI&Oq2u=_1_xmCu%t zaA8-_#AZ^^+~yffSd;{QAUP@RNyS0DV2OMANVH=p@y7$OMyG=bEa}dhD`>v;zJ>dR z!I_u`P0>cdK_@o{11D2QY!6&ECE+*nO4=S_I2yy=jNUw755*ft2~vV-0e0ozpT3(rKMG3)U$8B@-Uo##Ee5dp%u+5#OdHBITAae)(Kpeg`xHO>btDkFH z)*yfi9(fWB6FsY&@O_UfZ7N~N@8!2y#Kx5KDb7}+qnk?MRr-4v?y+2|zF*RIDo!fLY&9`EqVL4?cP@J!`eUJ(R5moQrk|JTEu`6XoQqCX^d| z@o{|FaeT!oo2MKo>V2g2Ey~1jIw@sR!e($QQ#9no>N`gY*#R5c6y5i8>#OZG9>)UF zv=R`0Lv8V<^Jc($ZY*L$4)!c@rz>(_%r2g@+i1?NvfHsNGasne+4TrST(@MMWg15z z{J~@DMK)5T{qhj$ksvI)R(A24MEAIT=L!(Pggxe~8hhJqk2BsX zJ2)b_FXA9DDvm!slJfMv;9R=Hofr4{l5(eqPMKT3SOO3P1@Yv5`kawnZNYV*MOVAb zonLU-V&$7q6rjO+AKXsgQ%A+=2)zPV|bA>F%8YNWSzb4h!LWY5y$CFa^4qM>o(yewgUK-eZm??O?}wp$d3*xXft>aJ_~PNM&6OPqotm}Aq0kZ8Ix0W(oSy!}o}!@-W|PVtA6Qn}rOeE{ z3XDVT3koi0I0t6-z*oR7R+gPvECh3|vHg574^>aj9I?O_tB|Vgh@Bu9tA@7s&5~Q4yT851K`To)HZ4&!;yF+ zg&d+yeE*2-`I_ALQTP08mjstxUcmlgm~kn+N~Bq@cV4rC@7iKwZPjYzVW2FmNctn> zFU91~@B1D zqMElRP_;(_26J)?&OBnD#bgQ>!s>$eOB{8O}7&sTiVAJyfRID z!PL7->}C8NggDVw@0AI@rnsxcQiu%`GJ(aKc)pR47$-+cYR7KcSyT3BlG!N)8^Yz! zvDRI|d%^$$)^I>hx-mf!U;ANY;hJ0(#c-^tl0ApX7wssa#U{0D-8wRD1*E=@ zoTa=E0BpAlN69!;?8z->Oqp?#d$Y=0O+GRHxH4hicQU|G4v(X1i1Cg*A79B5JUQjS z^-^w(w>$>6e%EhXZ|H)KTX*8zBenGACy=&}8}KC|vv#W^v3OGx@!J7B=3KUR0VNFt z{~Jx&ZG?H6MRdY^kav>lgoNXg8&g~I6Ll`a+0Oy}R6T6hFb(Dd{6*Csz+ zrF}VP#-kUSH%20KaI}zIL;NW3E>h^$^}`7M?mA%#o2Sr?wKI}17%WQea@8NX03Tjt zO*XPGlMj9XfM(mzbJ06jApfZ0%+tBB72|eaC)fAgcgt$*?*w)MtNHBRlXECl?}^Po z3Dj)Kb0;_3FT_Brq9s1Wx%guJaaHMd$f4l7oxeJLR|2ov-Fd#fGA(a(`n@08KKRY; zYp+cdh6Z9hrRg%5iiT9nT)ne^?My)$mn4jD240l*7CU>QgSi=q7?AGkV+`mbXN+h+LenS5>g z;1)?OwI?tE;dA!Ve|Z;wxuyRn-O|y~QClxBud(M$>>_((*+qF*DcjjEu*KCB$=dL; z_*+49D=`bk?IG_40;jbElGOGAFJ9b?5SkHJVsscceLd)PPN}$Ob+`8sqm5JlwHVh& z|D9vmR-p^O1;XNCN1E+2iay2YCmg;`DMdH@6{q?uIQc&ioUA9410JTN9Ok+Ec8ngt z-Sv%)R|mso_-+Kv`CWN2=|1W7soPV@_&*b)KAy3c`CIhuj_-GAmIkx2%l;x=m@w~_ zkCniqo3_?n^HAwB;(PgyJ8S22CzmI?KrR!){sqC+{&=2bpyir4T^C$MKa$4RT!}}NHj_0{CcbhXwu?{YeH9(D|ok>N~Y)x7YmwOABqh zE7#Sek8y`lh^f`GB6}lF)p7Yw(L{IwtIDe3juPEwAqYDHD+=;3~efJqK6Xr&LsF=%c~4kfF@XeE3^bD!boX zFS}Fps)sJ|ao&i(%gmt>zJxr)C3tj!pISj^4}BiUw>5JLCs!YW$}d~9O5A;65FYaU zL#gNI`yfr?j1G6=*VEL}sb|zh@R>C6utbbghdEtU5vjhw$RaLQK8I%gLeAmlqqjus zf?81a^z^1`gK{N|%tdUEVUDS^gcZ$jc0cRB%SNBHvovX!pPcE$tC*Ytv0@2NOTTPt zY5yGl3XVjO31XR*s^Pk4p}vjjjjy3^bFo{!0GD4!qi28WA*l4=iz{PxmW-b`yp#L{ z@=w+=ofn-kf7MjZ@QktOK&GZAH{B{&_+TYf`EcLH4R|gMtt(jbo+JFBh4cZolTpNh2Q;EHRYk7dY@^3+ovD+( zcc#gcVGMYbi~EkyQkO7~?ym*^Yr#`BwDt&@m!9GVd9c(ZX8>wAJ+!{i%zGKzhpXMF ze{zkNa~b4szVPUdi_}8AAShl2Dk6?o;Qnb}Q#^V*+CG99;sQMbKP74QECa%CwI}K z9q&s$^mXY2GUiTv)-GWIvaS0pBKEm<_5 z4rssv6wR~whliF5{G&jyYmji~+(DK^sI~{B&aP=VeQ>19L&1aSOhoEJ2!neXGZ*V8 z7IRqvzUwwszEHr>I6Nl}(vc7NgJkZHC-bWoKa50kxqGaZ_DRr*SiQJV(2z`n>#BB0 zSv3cWNNDMXRSC_?4R5CdiH~w0xfYs%VYT*;4xB$OwqAA~1R75Wm-}QXS1_y5Rq6ZR z!)CdN)CIxyXxT3mL)8QiB*w%((ke6t)n2_At$%akk81F8pBI`HY@(pr${ox^|4x8( zv%joEbe)05oz#%o6Ejii3UryV_j38N?jA7i###ZEEym2rc{Yo4r^|hEv@1AvL%rUz z&*}qdY!*%iZ=)_!tKVqI?6@-V^6%4zs?UI3fD*ucHon?vP3}xAFgnxQ=}$ZKd_|_= zW1$w<1rdix*BAQGE|f%T#dm*1^a_D|j8m7leRTt8iLi!0NGrpQNiaHw=Sqv6dF`mG;0;03WS-BIy|RvMmH{Rar9Fy12N+3~=a&b7dSH*_@Z4 zEK(p|#V)3RFE&-Ji34hN1^`6PPT&g-q)UmXp);o&T6Rj~V97awi#pzjgzpXQcp3*t zAD!THb{r|Q<6zO@OV#5)Mz7hV(KsCs4}TC|wvmK?c;RH=S?;4qPISjDsCWxQz?byu z*2FvivVBgp;{CCFkE?yoaT-eEfC2J}!@|9S{FUJ%9Ua4A=5L##2ad>57U`jpmeNYqsPqe)>J@aFjDmu<6TpmU{x3&13*dVGG4hSvsT6JGGwb9zo?^Lng zWaf&8Vbt+}d&7yAz?<%5ILrbXPT>6C&~T*(FTfq5T?;A%q}M(tus!;`V0-iYT)9UR ztI1VET`33hTcw*t%Pna%I{=BvX=l}}=+MNM{`%2+OWr8)F9cmXL9{t*h%|0APy@OMCi4u(Hg`AbbV@wMUV~gfO{{ zpPk9Mmp>S$9g-#9(7TH0wS-eZ>ia%i@F-WqeCW!XA|jsanrQF{lP#1~T4K{Tyi&6g z1>wabGbQcro9hq(MRxIa!c~Y@Ls{#s-H!`wv8adGBgO#mU3hXJsAfOl5g0>g=N;2T^)lc5!V!Yk8q(At^CZqXNNbJ%Nii8vJGHcML;*bHs)z6^kvos z45`Fzx%V~e(yoMq^ICN=j?lb8Iz-Z^EQ;g%8Th}c0GU$+GWSyLbPBv(8qOU!cH7p@ z?if`I0|+@7K&|k4LQ`zAYENdOH7BI17jjIhb5^g99aQ5!n6_|L@M`1%S;?95(VMNX zVF18FV7*u;pcdpD0OX00J6a-pT=R-msoH)TV51X#0mqA1Cz7x2I3O)n1t3M-Bdi|a zCN&g>F6B;OUIOH_a1~cPvJ9{gsYa;~faWqr7LY!iE!@jTuG{@6t1m0rozt2aV zFG-)#Y2~Xw?vX9HhD^L!A$E#s$WnL1G{|7cqJ0g)Qd=7UCf>U~TV_KZ=&k9YtXSZx zU#-p)-xpBXCE-ni4Fnb&;*AnOZpwPk8rB1HCKA)tyXiplvEBO>AUoP+_+^yvu4*P;T}8#BjURWXeQJLdXnyWVakyfppj+ zIlV9L^7@zIAqj?6DEs-@PSyVO%)%#Q0YeiO9S=+ygg{0^OYRMQN_p7kHITj#_zIe? zSZ&>@b???JpnhJWG)J(2a08K;TsZYg!qT=Vlh**v#ciS%qDA4-m}B`2Fqau99=F57V+GTM*yiU-#L?CT)do zu1;Rtv0suucq!M$O_nhbbco;!sRBf{NAr8X06NtpK%!uA5KQqd4l2czC3+9O9a#N6l0L<=ka!EVP0>58ApS-_r#6jANW47&P}3|3B$YD(uFR!d8e@y0N%y~xi971 z%Aj|0b`u1=XPL3J^Z29^(RYc%qlo78*YU+ZAmMVssK*h+fMe12+cjN;kAC&luuf%4NrW=|(%p?Qw9tSAQccL|itXb!!cc zHE$AZTK?)kynDmw19`X%5Mi?Ru+@gmOyw53Z=P|WNREvH;+oVJ__3`}(wNe6kJz%1 z&4u>NAyUXDr*R-xW@7XKv1JS72z;3+yoj&W4J5UqP&PmLxV+EL6e*DowkYkFvTvLI zxN+)aLO2sE9~gCA6;+t-0=526!nDeGrz&R@@J`haf@$dc3LO+I9*n zO(z?}ISG-5fl1W=CD?m9l63GL@ZiV4f9BBo4Co^&Hvk7l-n{M$AO^#pFfJNPy7dDR zNj^t2Fr@Bn*UFr_>dDLjQk#)619!X^l83=zs9Ga{ec-U7S~u9A=7FD*h8VN=aV3P8 zK^$CYAg|>vCl~rui}3;`ttrl}^nnap?OW(_?q&m4ntU47N;9>t{+KeG?=b+T7yuEB zX=pLq8>rdKGuP}Pg;yh4g;qku=;Z&+291UGFT{|7;+dKCaqi;$H zfanrJrx?l>fD)>vdiBrH6sl!DyAcVvEw%`cnd0W?jpZ+*(hGGvj?U?T3$-_r(|*RJ zfqvB=@RsUSe_6I|RLl0)5_pEyfI7*7jagiFKwasv_=9TuQ9}V4YlwS$>!$TJ-0T9u z^{}rnyu5uVnAF-DaW=oS12haQM@Nzt<2J9d^5nPKrFdY&Z~Q)V!Y1WqVzp2Tl!G#K zdEO{NjY?XLSlwxC>DjbEV6T--37klhz@K6R1AH7wH?+nDG<3`-$WDhrB=5%}V#6$G z*Zfz;)^ZileB`5k)nk3} zTfIvK8%edAFWPiz=q(vMwoqY@R&(!(JfOX+OcTM&_)EeYhZxna$3qt^t#8EY@?;Jjj5tj`qjE}H}Jr{v{-30Ri16(NhE&a=F&+p|2hxhM)+na5LmBY?V3%tNA;~g_5E~R_p03XgC z8Yw2u;XYG5?5OPa0fdx(ZiKiP9m7Z9k=i^nOh_+11+)qco%psE5ch3JoM(~(3F{2} z{KDUsqO1mP69EC*jJiDgz6lC{2!K{DZu@j=e+74-7syMe>hWo&H>Jm+*5YA5IKkAk z)?v_d29HmIJ;?$}Q{!I`8{)P-FySSSQ$6+nu=u~3Wy_trzpF#)O=Tp?Psb0;zWiN% zgkALL!Dy+xELV5MU)9ETgFs z_K(i_FBSIpVT&aId#O-*p@jq)9slgh|Ec)DnPuWh!OKt};+OuVS{b?4^7Qf`ifq2G z$mYdoNErBUZEw*7BN3po$lE86WnrzpVAlt5*2Ip3Vc*u3`4#(Mcn3u@Fmdm@_Sw{k z{%M{O4pf5z5&kF9QbKFLyG_+77}`S7nU0%KXhZ`4%oQkeq1k4tVEtqK%eb`laNF5&*7Fo75{g$)Y4rxmQ=)UZ$D&RRkxZ{hciHu`-<~Ytw9DP4D$TjTO^cg z2{bQpTZaokXJX$ypiwSCD&kmb5apT5kpn=oZUNZ=*4^C~Ts6Tqf1YOx^)h#*`Lk%@ zAKp4n-Omm>Yn#4I9;h`C3F-w$%xoZmDp3RQ88M(!_2F2X71g%+pWQu(4OrCJB6ng4G0 z`EtuML$XJ~!zTCPo(Hc(qdNDzyRc`vt;JZz>2A7TMLjjAC4UjkT2?yWvC`fW#heBH zFX!C*eQbeYcPMU%zr2|WoJ^h z37=AnST+$$4q)g@FRr4|Xb=Lk8zV`1hSKI%zWl(nggt2^P+%lu(IlKvi9L)Xz48(e zq0@&h!rjKy^OryEWYK;9{y&sFN8SvqV6N}#>blqMdy%g<$0Ls*^3^O~Hi9QL+&5IK z#1tZNVdguCdBOSM%sAM*J|tM+M7_HU@+o(bF5Cu+jSO4b-XuRf`Z@&cRr`(7IE&zqIXrM5U;I)-v13!J-bP_erc`^YS zZ?Hy-$W4cFSJvJ$fTMbKET6IYjELxrVieq-W18|HY5dM9s8O4NH$Ku(@0lU}iTRB; zrp>6z+V!klZuv}S2dl(NK+mc$Tx%{}>%2u%Nsd!)c~6@(>_HN3Zhdh~3)5xCwQ{4xj%B@dBIp&!4+>ztG4sS0dnd?N+o{64L_Qyy|CZZmGjv)A!D`LB%t<-<-Qi zEiS##`0!Sh(THi&c$C$1kLbPV)M4?GF_d*?YCgfNyTr&6*JeyQDMI%EQf(OO2q9{;gop%E&eM4D94QIq4Mk0IU%y)U?8e`A=j&E)? z#%+x%`~W^$oT~fKentd@@Rsfbz4i??EHs>wgo-D6%}hyBi!au(pcNOlcirzv{Somv z-_VwicZLJ*`@N2FGHN&Wtd_E9O)O_HrCwqAkRW+&30Wz4Cpb~(vRP4DVkDg#^g70M z_9F{A=}6HT?%eXKA}2O&!jGO+oht3(hCIMhwAuSIV+SN_uQVgeR?VeY*g*yWh%@eh zb_MdywWj((@oL={qtxObigQOzq2eEQ=*8`MZ?P>uQH)OS#HgDWI%+h~eLyb6KD4Xfr0}P4%BCcm>ysb8xJKj?Q9znwi**Y>P=0 zQM_q?2_#*xcQ^OjQ>AO)(1h!_wk7>j$PC+`N1bzuiRcR_P<-iJ=1pqx)6E4p(bVDx zqyb`pGm`uxsnqNjOcgLjYNlq?HNKnlCQ#^%eI4$zPxWioXj?)HW})iaf9h9H&LF}Q z-W}Ssp&B|@DSgGr$}H(ZyYZp}!5m1*pm=)b!$Ws{C@Zi&uXym^lx*29A$=>R*gh0wz%c6+B4+oV+A6O*t7n z^jb|lL>~M34C3!qtyItNQ{(ZyNN%y&JOl-$pG-dE6|)JQ13~(Qr1oF|2+erWki=K! z{P}4S0Cb^<^m9w5C25pvau9e8tfT?3QqmThdOWHDFlmn65zVETHnA#j z*)rouJQ3FonVA7iXI#H$%A~>9drKPO4cH~!1yAr{00xe8C>&5HJH_FR~jy^iX=wpfCxp zQ4g?Cqzq9RZ_l=r*z80k3!QMN!#zUhj^!u6k0)q715MlQ9v4SE!-y>^f|VkYiJ>Qp`txRq%pgm zumruFWs_x402U|<_PU<&>~kbO%jQ#p)Wk#l8D!Ib5MRc>c#sY~$TkCjj**Dnyv{uz ztuN1>9N^DLBTY#m@ipsT=cA#Qn{+gqUM)cZ63U!^Ez4G+B9rqNhvtz46+nL zaIOkUkL=OOn1Uq)YLoQq`T}Bb_|f>f+iJZ1!AW7kjAugQrsLpk3=qYRr2m0Rx!c;P z-C`eFZS#+Y-iT}6y4hMpp69|)E5BNc<{CKX{{UYT{h&LX_xLKzG4DE-^;WEPufP zd?eZZ`d9CEnN~y|pnHyh$Aq{~&p!}sng&l_B`0f{VlwY5bJ=&12B+Qc1>Ib|G5rIa z9Z$)nE<+Vf)w6O9B5h~pil#f({BfjiFMG>h?GzT%Yn9#C;^Jur{TG2g`7+EV@LELJ);In*yY>6@qcL zcnQtZ?%?<P$2^TjJ@bWEPuG)K}AJ!Fyq0;4!&|T1rdpRfrw8xEjJOr}U zDg44|E`2hGEx%H|@Z(E0-S)%;1INlN`;#CmP>gh}w3 zld_**b?Tmv0~ zw0X>zE^vO6JeoXVKrywakkORd$O7*l^Bh{MZ7?v`$HM{nAXjAs0FfW^1{brN<#feD zzP^%%P2{KPou4gTczYnU2qWDrcs?_}-++rmY1Hze(F4Zt-+sP2Kj2p0{a1!;zH`N6Hcq^aJDy?b) z*;|)`?+79BcBDz3`2aQQ^NHYTvAKzqzE3fHH>7_&yIT*D+k)>wdcvIq`$%py!NxTu z=;O0L5%hxXu(86gA4*#$?svR| zvDNAcZT=iTe~22jJU?bP+r7wxPMeaF9S{5#u^Z`%2;Kd7ETJb9KEs($*#AZ(KWqhQ zBdms3*?#Io87*Y=zHUbWFDL1 zAFQ=uLdYya;&8KIn@A0rFtODnSm%hsLr*G7Z1L9a77Bg42~e^DiF)Y0#EIBtw31K_ z8IS*{ug23IECCPgHKLpi*0OP;=w{8n{!$<%xaso*hP29|7^N~N3tC(l>035^F(DEIaT{KfCF#WL6|!+o^L5G%oo1dIDhOic$qCJwPtmZ#VW&! z(vtd$0%d}MFh8&D+bcWIBx=h{c9U)hru7A1lnQP1UDm78PY9DZx}pY`BUvRI4O$lJ zx3BzDnBq}y>jt1JY89TDOMgRMgR0($f)pK)FvRjm^p;|x=MW;+JM{Cq(hFu4ZedZDJk5mQ=|TF;3=^G zUegXT$Ea2*aOhgcMt{=M0UI}!12WY`XRXeq0cT>cqh_Y%@8OGA_tT9mmoYyWA6=II z*RD_EP~zX3{ckmPJ4u=UC12?=?19Y=uwxmpLu_Z!|A zr`!PJB`j<206^r$;g^ggjXeWx+l3xBcIK0k1Cs2nnE^MshQnTM_shjsF|PM_{geA` z>O&KgKc2hu^hZ zC8`zWoIT6(53b+B2Gtpbys)K8c&Ab851@T=e%C(ddD?$#>$z`j4p38Y<7Ng>Fzxq( zkeY&mEM4Z3udMwYD|4h$L0p#g_qZ%3&g=$DZwUx1tDNfv-b&Edj@9X@0ML@-?=5Me zwN0z2BZ}(m?H_rk_onL`_0cKg)#4b7fkgbnzn?yx$nfHGzGusi=(|K<_4CuB)r;0A+LkUXY$-E}x zCClkeX%}R5tN%s8HYIsQ5Hig+&E;F+3JmO({W2A*blKW`)Ue(BrTFMCcw?%QWF>M{ z3<3U3NzS#Cj3wt-_5*UKV{vQGV z-{4DufPV=B{@;P7{VUY){|K7)ufex}hZ#OdnfWcD=08qj07yDvJF!Ej4j}2Ar*<3% z34v5?y+qcCh4RAr`5}=7P`V*1c(vxwsNn-v2)^#6`7=-pQUKJb=;*VZAO%3{{C1Z4 z-2!m`mz45RGXSWm?*Bgf;{S?d4f0~hpXVub777X%(Eb^y1+%?L#ehLxSBPz*-*zg! zfYlBF!(-&A836y7Z~rTghpIQWb4*B30{Mp>wbF9b43Ph*_`gX>G5dd3vii215+eqkw)ZG-~#K8e(+4XDQG4=YXNA*hcS3=^vYw5 zH5wnD{>JoYL>Q=b8q18Cw173Yj3j6o7;qikuS0roPXH(8fy)bau>n^PT&e@j*>hw- z)|POFPQvc&XP{+%Q`v$2OVB0?g359Da?_I(?CWT7EQ|r33@HFw#L2*v1)52}>Hu2t zkp^7Cp?_)Raf~$@4^Mw@#qj5bHJ}W)i|qr(Iw0T@0E}fZ!2U`JFL3q1(!Ua*6##_R z^NcS4fv+e7l{?#if>$lkr!J+e{v2KYGrIf-yo7UTE&my9unhLqrLdz{q#!G8S(d=g zU%65+SN{0zUZ3Z}hgiQw0XsR<EXgV3qJHRtMMvH>c zq5!EVH~?G#0|Z$`MVs7%leHif(hp$?;I1d&y>I{2&h-cy2uR4w^WU+TJ|HXvtY(0V hmmM2l{(kv|4&bHO44$rjF6*2UngC#G9S8sb diff --git a/versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP1/README.md b/versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP1/README.md deleted file mode 100644 index 0fd4bb63..00000000 --- a/versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP1/README.md +++ /dev/null @@ -1,141 +0,0 @@ ---- -slug: /MEP-1-distributed-metal-control-plane -title: MEP-1 -sidebar_position: 1 ---- - -# Distributed Metal Control Plane - -This enhancement proposal was replaced by [MEP18](../MEP18/README.md). - -## Problem Statement - -We face the situation that we argue for running bare metal on-premises because this way the customers can control where and how their software and data are processed and stored. -On the other hand, we have currently decided that our metal-api control plane components run on a kubernetes cluster (in our case on a cluster provided by one of the available hyperscalers). - -Running the control plane on Kubernetes has the following benefits: - -- Ease of deployment -- Get most, if not all, of the required infrastructure services like (probably incomplete): - - IPs - - DNS - - L7-Loadbalancing - - Storage - - S3 Backup - - High Availability - -Using a kubernetes as a service offering from one of the hyperscalers, enables us to focus on using kubernetes instead of maintaining it as well. - -## Goal - -It would be much saner if metal-stack has no, or only minimal dependencies to external services. Imagine a metal-stack deployment in a plant, it would be optimal if we only have to deliver a single rack with servers and networking gear installed and wired, plug that rack to the power supply and a internet uplink and its ready to go. - -Have a second plant which you want to be part of all your plants? Just tell both that they are part of something bigger and metal-api knows of two partitions. - -## Possible Solutions - -We can think of two different solutions to this vision: - -1. Keep the central control plane approach and require some sort of kubernetes deployment accessible from the internet. This has the downside that the user must, provide a managed kubernetes deployment in his own datacenter or uses a hyperscaler. Still not optimal. -1. Install the metal-api and all its dependencies in every partition, replicate or shard the databases to every connected partition, make them know each other. Connect the partitions over the internet with some sort of vpn to make the services visible to each other. - -As we can see, the first approach does not really address the problem, therefore i will describe solution #2 in more details. - -## Central/Current setup - -### Stateful services - -Every distributed system suffer from handling state in a scalable, fast and correct way. To start how to cope with the state, we first must identify which state can be seen as partition local only and which state must be synchronous for read, and synchronous for writes across partitions. - -Affected states: - -- masterdata: e.g. tenant and project must be present in every partition, but these are entities which are read often but updates are rare. A write can therefore be visible with a decent delay in a distinct partition with no consequences. -- ipam: the prefixes and ip´s allocated from machines. These entities are also read often and rare updates. But we must differentiate between dirty reads for different types. A machine network is partition local, ips acquired from such a network must by synchronous in the same partition. Ips acquired from global networks such as internet must by synchronous for all partitions, as otherwise a internet ip could be acquired twice. -- vrf ids: they must only be unique in one partition -- image and size configurations: read often, written seldom, so no high requirements on the storage of these entities. -- images: os images are already replicated from a central s3 storage to a per partition s3 service. metal-hammer kernel and initrd are small and pull always from the central s3, can be done similar to os images. -- machine and machine allocation: must be only synchronous in the partition -- switch: must be only synchronous in the partition -- nsq messages: do not need to cross partition boundaries. No need to keep the messages persistent, even the opposite is true, we don't want to have the messages persist for a longer period. - -Now we can see that the most critical state to held and synchronize are the IPAM data, because these entities must be guaranteed to be synchronously updated, while being updated frequently. - -Datastores: - -We use three different types of datastores to persist the states of the metal application. - -- rethinkdb is the main datastore for almost all entities managed by metal-api -- postgresql is used for masterdata and ipam data. -- nsq uses disk and memory tho store the messages. - -### Stateless services - -These are the easy part, all of our services which are stateless can be scaled up and down without any impact on functionality. Even the stateful services like masterdata and metal-api rely fully on the underlying datastore and can therefore also be scaled up and down to meet scalability requirements. - -Albeit, most of these services need to be placed behind a loadbalancer which does the L4/L7 balancing across the started/available replicas of the service for the clients talking to it. This is actually provided by kubernetes with either service type loadbalancer or type clusterip. - -One exception is the `metal-console` service which must have the partition in it´s dns name now, because there is no direct network connectivity between the management networks of the partitions. See "Network Setup) - -## Distributed setup - -### State - -In order to replicate certain data which must be available across all partitions we can use on of the existing open source databases which enable such kind of setup. There are a few available out there, the following incomplete list will highlight the pro´s and cons of each. - -- RethinkDB - - We already store most of our data in RethinkDB and it gives already the ability to synchronize the data in a distributed manner with different guarantees for consistency and latency. This is described here: [Scaling, Sharding and replication](https://rethinkdb.com/docs/sharding-and-replication/). But because rethinkdb has a rough history and unsure future with the last release took more than a year, we in the team already thought that we eventually must move away from rethinkdb in the future. - -- Postgresql - - Postgres does not have a multi datacenter with replication in both directions, it just can make the remote instance store the same data. - -- CockroachDB - - Is a Postgresql compatible database engine on the wire. CockroachDB gives you both, ACID and geo replication with writes allowed from all connected members. It is even possible to configure [Follow the Workload](https://www.cockroachlabs.com/docs/stable/topology-follow-the-workload) and [Geo Partitioning and Replication](https://www.cockroachlabs.com/docs/v19.2/topology-geo-partitioned-replicas). - -If we migrate all metal-api entities to be stored the same way we store masterdata, we could use cockroachdb to store all metal entities in one ore more databases spread across all partitions and still ensure consistency and high availability. - -A simple setup how this would look like is shown here. - -![Simple CockroachDB setup](Distributed.png) - -go-ipam was modified in a example PR here: [PR 17](https://github.com/metal-stack/go-ipam/pull/17) - -### API Access - -In order to make the metal-api accessible for api users like `cloud-api` or `metalctl` as easy at it is today, some effort has to be taken. One possible approach would be to use a external loadbalancer which spread the requests evenly to all metal-api endpoints in all partitions. Because all data are accessible from all partitions, a api request going to partition A with a request to create a machine in partition B, will still work. If on the other hand partition B is not in a connected state because the interconnection between both partitions is broken, then of course the request will fail. - -**IMPORTANT** -The NSQ Message to inform `metal-core` must end in the correct partition - -To provide such a external loadbalancer we have several opportunities: - -- Cloudflare or comparable CDN service. -- BGP Anycast from every partition - -Another setup would place a small gateway behind the metal-api address, which forwards to the metal-api in the partition where the request must be executed. This gateway, `metal-api-router` must inspect the payload, extract the desired partition, and forward the request without any modifications to the metal-api endpoint in this partition. This can be done for all requests, or if we want to optimize, only for write accesses. - -## Network setup - -In order to have the impact to the overall security concept as minimal as possible i would not modify the current network setup. The only modifications which has to be made are: - -- Allow https ingress traffic to all metal-api instances. -- Allow ssh ingress traffic to all metal-console instances. -- Allow CockroachDB Replication between all partitions. -- No NSQ traffic from outside required anymore, except we cant solve the topic above. - -A simple setup how this would look like is shown here, this does not work though because of the forementioned NSQ issue. - -![API and Console Access](Distributed-API.png) - -Therefore we need the `metal-api-router`: - -![Working API and Console Access](Distributed-API-Working.png) - -## Deployment - -The deployment of our components will substantially differ in a partition compared to a the deployment we have actually. Deploying it in kubernetes in the partition would be very difficult to achieve because we have no sane way to deploy kubernetes on physical machines without a underlying API. -I would therefore suggest to deploy our components in the same way we do that for the services running on the management server. Use systemd to start docker containers. - -![Deployment](Distributed-Deployment.png) diff --git a/versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP10/README.md b/versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP10/README.md deleted file mode 100644 index 6811cdc0..00000000 --- a/versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP10/README.md +++ /dev/null @@ -1,197 +0,0 @@ ---- -slug: /MEP-10-sonic-support -title: MEP-10 -sidebar_position: 10 ---- - -# SONiC Support - -As writing this proposal, metal-stack only supports Cumulus on Broadcom ASICs. Unfortunately, after the acquisition of -Cumulus Networks by Nvidia, Broadcom decided to cut its relationship with Cumulus, and therefore Cumulus 4.2 is the last -version that supports Broadcom ASICs. Since trashing the existing hardware is not a solution, adding support for a -different network operating system is necessary. - -One of the remaining big players is [SONiC](https://sonic-net.github.io/SONiC/), which Microsoft created to scale the -network of Azure. It's an open-source project and is now part of the [Linux Foundation](https://www.linuxfoundation.org/press/press-release/software-for-open-networking-in-the-cloud-sonic-moves-to-the-linux-foundation). - -For a general introduction to SONiC, please follow the [Architecture](https://github.com/sonic-net/SONiC/wiki/Architecture) official -documentation. - -## ConfigDB - -On a cold start, the content of `/etc/sonic/config_db.json` will be loaded into the Redis database `CONFIG_DB`, and both -contain the switch's configuration except the BGP unnumbered configuration, which still has to be configured directly by -the frr configuration files. The SONiC community is working to remove this exception, but no release date is known. - -## BGP Configuration - -Frr runs inside a container, and a shell script configured it on the container startup. For BGP unnumbered, we must set -the configuration variable `docker_routing_config_mode` to `split` to prevent SONiC from overwriting our configuration -files created by `metal-core`. But by using the split mode, the integrated configuration mode of frr is deactivated, and -we have to write our BGP configuration to the daemon-specific files `bgp.conf`, `staticd.conf`, and `zebra.conf` instead -to `frr.conf`. - -```bash -elif [ "$CONFIG_TYPE" == "split" ]; then - echo "no service integrated-vtysh-config" > /etc/frr/vtysh.conf - rm -f /etc/frr/frr.conf -``` - -Reference: [docker-init](https://github.com/sonic-net/sonic-buildimage/blob/202205/dockers/docker-fpm-frr/docker_init.sh#L69) - -Adding support for the integrated configuration mode, we must at least adjust the startup shell script and the supervisor configuration: - -```bash -{% if DEVICE_METADATA.localhost.docker_routing_config_mode is defined and DEVICE_METADATA.localhost.docker_routing_config_mode == "unified" %} -[program:vtysh_b] -command=/usr/bin/vtysh -b -``` - -Reference: [supervisord.conf](https://github.com/sonic-net/sonic-buildimage/blob/202205/dockers/docker-fpm-frr/frr/supervisord/supervisord.conf.j2#L157) - -## Non-BGP Configuration - -For the Non-BGP configuration we have to write it into the Redis database directly or via one of the following interfaces: - -- `config replace ` -- the Mgmt Framework -- the SONiC restapi - -Directly writing into the Redis database isn't a stable interface, and we must determine the create, delete, and update -operations on our own. The last point is also valid for the Mgmt Framework and the SONiC restapi. Furthermore, the -Mgmt Framework doesn't start anymore for several months, and a [potential fix](https://github.com/sonic-net/sonic-buildimage/pull/10893) -is still not merged. And the SONiC restapi isn't enabled by default, and we must build and maintain our own SONiC images. - -Using `config replace` would reduce the complexity in the `metal-core` codebase because we don't have to determine the -actual changes between the running and the desired configuration. The approach's drawbacks are using a version of SONiC -that contains the PR [Yang support for VXLAN](https://github.com/sonic-net/sonic-buildimage/pull/7294), and we must provide -the whole new startup configuration to prevent unwanted deconfiguration. - -### Configure Loopback interface and activate VXLAN - -```json -{ - "LOOPBACK_INTERFACE": { - "Loopback0": {}, - "Loopback0|": {} - }, - "VXLAN_TUNNEL": { - "vtep": { - "src_ip": "" - } - } -} -``` - -#### Configure MTU - -```json -{ - "PORT": { - "Ethernet0": { - "mtu": "9000" - } - } -} -``` - -#### Configure PXE Vlan - -```json -{ - "VLAN": { - "Vlan4000": { - "vlanid": "4000" - } - }, - "VLAN_INTERFACE": { - "Vlan4000": {}, - "Vlan4000|": {} - }, - "VLAN_MEMBER": { - "Vlan4000|": { - "tagging_mode": "untagged" - } - }, - "VXLAN_TUNNEL_MAP": { - "vtep|map_104000_Vlan4000": { - "vlan": "Vlan4000", - "vni": "104000" - } - } -} -``` - -#### Configure VRF - -```json -{ - "INTERFACE": { - "Ethernet0": { - "vrf_name": "vrf104001" - } - }, - "VLAN": { - "Vlan4001": { - "vlanid": "4001" - } - }, - "VLAN_INTERFACE": { - "Vlan4001": { - "vrf_name": "vrf104001" - } - }, - "VRF": { - "vrf104001": { - "vni": "104001" - } - }, - "VXLAN_TUNNEL_MAP": { - "vtep|map_104001_Vlan4001": { - "vlan": "Vlan4001", - "vni": "104001" - } - } -} -``` - -## DHCP Relay - -The DHCP relay container only starts if `DEVICE_METADATA.localhost.type` is equal to `ToRRouter`. - -## LLDP - -SONiC always uses the local port subtype for LLDP and sets it to some freely configurable alias field of the interface. - -```python -# Get the port alias. If None or empty string, use port name instead -port_alias = port_table_dict.get("alias") -if not port_alias: - self.log_info("Unable to retrieve port alias for port '{}'. Using port name instead.".format(port_name)) - port_alias = port_name - -lldpcli_cmd = "lldpcli configure ports {0} lldp portidsubtype local {1}".format(port_name, port_alias) -``` - -Reference: [lldpmgr](https://github.com/sonic-net/sonic-buildimage/blob/202205/dockers/docker-lldp/lldpmgrd#L153) - -## Mgmt Interface - -The mgmt interface is `eth0`. To configure a static IP address and activate the Mgmt VRF, use: - -```json -{ - "MGMT_INTERFACE": { - "eth0|": { - "gwaddr": "" - } - }, - "MGMT_VRF_CONFIG": { - "vrf_global": { - "mgmtVrfEnabled": "true" - } - } -} -``` - -[IP forwarding is deactivated on `eth0`](https://github.com/sonic-net/sonic-buildimage/blob/202205/files/image_config/sysctl/sysctl-net.conf#L7), and no IP Masquerade is configured. diff --git a/versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP11/README.md b/versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP11/README.md deleted file mode 100644 index 87f48a10..00000000 --- a/versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP11/README.md +++ /dev/null @@ -1,78 +0,0 @@ ---- -slug: /MEP-11-auditing-of-metal-stack-resources -title: MEP-11 -sidebar_position: 11 ---- - -# Auditing of metal-stack resources - -Currently no logs of the ownership of resources like machines, networks, ips and volumes are generated or kept. Though due to legal requirements data centers are required to keep track of this ownership over time to prevent liability issues when opening the platform for external users. - -In this proposal we want to introduce a flexible and low-maintenance approach for auditing on top of [Meilisearch](https://www.meilisearch.com/). - -## Overview - -In general our auditing logs will be collected by a request interceptor or middleware. Every request and response will be processed and eventually logged to Meilisearch. -Meilisearch will be configured to regularly create chunks of the auditing logs. These finished chunks will be backed up to a S3 compatible storage with a read-only option enabled. - -Of course sensitive data like session keys or passwords will be redacted before logging. We want to track relevant requests and responses. If auditing the request fails, the request itself will be aborted and will not be processed further. The requests and responses that will be audited will be annotated with a correlation id. - -Transferring the meilisearch auditing data chunks to the S3 compatible storage will be done by a sidecar cronjob that is executed periodically. -To avoid data manipulation the S3 compatible storage will be configured to be read-only. - -## Whitelisting - -To reduce the amount of unnecessary logs we want to introduce a whitelist of resources and operations on those that should be logged. -Other requests will be passed directly to the next middleware or web service without any further processing. - -As we are only interested in mutating endpoints, we ignore all `GET` requests. -The whitelist includes all `POST`, `PUT`, `PATCH` and `DELETE` endpoints of the HTTP middleware except for the following (non-manipulating) route suffixes: - -- `/find` -- `/notify` -- `/try` and `/match` -- `/capacity` -- `/from-hardware` - -Regarding GRPC audit trails, they are not so interesting because only internal clients are using this API. However, we can log the trails of the `Boot` service, which can be interesting to revise the machine lifecycle. - -## Chunking in Meilisearch - -We want our data to be chunked in Meilisearch. To accomplish this, we rotate the index identifier on a scheduled basis. The index identifiers will be derived from the current date and time. - -To keep things simple, we only support hourly, daily and monthly rotation. The eventually prefixed index names will only include relevant parts of date and time like `2021-01`, `2021-01-01` or `2021-01-01_13`. - -The metal-api will only write to the current index and switches to the new index on rotation. The metal-api will never read or update data in any indices. - -## Moving chunks to S3 compatible storage - -As Meilisearch will be filled with data over time, we want to move completed chunks to a S3 compatible storage. This will be done by a sidecar cronjob that is executed periodically. Note that the periods of the index rotation and the cronjob execution don't have to match. - -When the backup process gets started, it initiates a [Meilisearch dump](https://www.meilisearch.com/docs/learn/advanced/dumps) of the whole database across all indices. Once the returned task is finished, the dump must be copied from a Meilisearch volume to the S3 compatible storage. After a successful copy, the dump can be deleted. - -Now we want to remove all indices from Meilisearch, except the most recent one. For this, we [get all indices](https://www.meilisearch.com/docs/reference/api/indexes#list-all-indexes), sort them and [delete each index](https://www.meilisearch.com/docs/reference/api/indexes#delete-an-index) except the most recent one to avoid data loss. - -For the actual implementation, we can build upon [backup-restore-sidecar](https://github.com/metal-stack/backup-restore-sidecar). But due to the index rotation and the fact, that older indices need to be deleted, this probably does not fit into the mentioned sidecar. - -## S3 compatible storage - -The dumps of chunks should automatically deleted after a certain amount of time, once we are either no longer allowed or required to keep them. -The default retention time will be 6 months. Ideally already uploaded chunks should be read-only to prevent data manipulation. - -A candidate for the S3 compatible storage is Google Cloud Storage, which allows to configure automatic expiration of objects through a [lifecycle rule](https://cloud.google.com/storage/docs/managing-lifecycles?hl=en#storage-set-lifecycle-config-go). - -## Affected components - -- metal-api grpc server needs an auditing interceptor -- metal-api web server needs an auditing filter chain / middleware -- metal-api needs new command line arguments to configure the auditing -- mini-lab needs a Meilisearch instance -- mini-lab may need a local S3 compatible storage -- we need a sidecar to implement the backup to S3 compatible storage -- Consider auditing of volume allocations and freeings outside of metal-stack - -## Alternatives considered - -Instead of using Meilisearch we investigated using an immutable database like [immudb](https://immudb.io/). But immudb does not support chunking of data and due to its immutable nature, we will never be able to free up space of expired data. Even if we are legally allowed or required to delete data, we will not be able to do so with immudb. - -In another variant of the Meilisearch approach the metal-api would also be responsible for copying chunks to the S3 compatible storage and deleting old indices. But separating the concerns allows completely different implementations for every deployment stage. diff --git a/versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP12/README.md b/versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP12/README.md deleted file mode 100644 index 65532c57..00000000 --- a/versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP12/README.md +++ /dev/null @@ -1,34 +0,0 @@ ---- -slug: /MEP-12-rack-spreading -title: MEP-12 -sidebar_position: 12 ---- - -# Rack Spreading - -Currently, when creating a machine through the metal-api, the machine is placed randomly inside a partition. This algorithm does not consider spreading machines across different racks and different chassis. This may lead to the situation that a group of machines (that for example form a cluster) can end up being placed in the same rack and the same chassis. - -Spreading a group of machines across racks can enhance availability for scenarios like a rack losing power or a chassis meltdown. - -So, instead of just randomly deciding the placement of a machine candidate, we want to propose a placement strategy that attempts to spread machine candidates across the racks inside a partition. - -Furthermore a followup improvement to guarantee that machines are really spread across multiple racks, even if multiple machines are ordered in parallel, was implemented with [PR490](https://github.com/metal-stack/metal-api/pull/490). - -## Placement Strategy - -Machines in the project are spread across all available racks evenly within a partition (best effort). For this, an additional request to the datastore has to be made in order to find allocated machines within the project in the partition. - -The algorithm will then figure out the least occupied racks and elect a machine candidate randomly from those racks. - -The user can optionally pass placement tags which will be considered for spreading the machines as well (this will for example allow spreading by a cluster id tag inside the same project). - -## API - -```golang -// service/v1/machine.go - -type MachineAllocation struct { - // existing fields are omitted for readability - PlacementTags []string `json:"placement_tags" description:"by default machines are spread across the racks inside a partition for every project. if placement tags are provided, the machine candidate has an additional anti-affinity to other machines having the same tags"` -} -``` diff --git a/versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP13/README.md b/versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP13/README.md deleted file mode 100644 index 2dde20f5..00000000 --- a/versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP13/README.md +++ /dev/null @@ -1,111 +0,0 @@ ---- -slug: /MEP-13-dual-stack-support -title: MEP-13 -sidebar_position: 13 ---- - -# Dual-stack Support - -dual-stack support is required to be able to create Kubernetes clusters with either IPv6 single-stack or dual-stack enabled. -With the inherent scarcity of IPv4 addresses, the need to be able to use IPv6 has increased. - -Full IPv6 dual-stack support was added to Kubernetes with v1.23 as stable. - -Gardeners have had full IPv6 dual-stack support since `v1.109`. - -metal-stack manages CIDRs and IP addresses with the [go-ipam](https://github.com/metal-stack/go-ipam) library, which already got full IPv6 support in 2021 (see [https://metal-stack.io/blog/2021/02/ipv6-part1](https://metal-stack.io/blog/2021/02/ipv6-part1)). -But this was only the foundation, more work needs to be done to get full IPv6 support for all aspects managed by metal-stack.io. - -## General Decisions - -For the general decision we do not look at the isolated clusters feature for now as this would make the solution even more complex and we want to introduce IPv6 in smaller steps to the users. - -### Networks - -Currently, metal-stack organizes CIDRs / prefixes into a `network' resource in the metal-api. A network can consist of multiple CIDRs from the same address family. For example, if an operator wants to provide Internet connectivity to provisioned machines, they can start with small network CIDRs. The number of managed network prefixes can then be expanded as needed over time. - -With dual-stack we have to choose between two options: Network per address family or networks with both address families. These options are described in the next section. - -#### Network per Address Family - -This means that we allow networks with CIDRs from one address family only, one for IPv4 and one for IPv6. - -The machine creation process will not change if the machine only needs to be either IPv4 or IPv6 addressable. -But if on the other side, the machine need to be able to connect to both address families, the machine creation needs to specify two networks, one for IPv4 and one for IPv6. -Also there will be 2 distinct VRF IDs for every network with a different address family. - -#### Network with both Address Families - -Make a network dual address family capable, meaning that you can add multiple cidrs from both address families to a network. -Then the machine creation will remain the same for single-stack and dual-stack cases, but the ip address allocation will need to specify the address family from which to allocate an ip address when the network is dual-stack. -This does not break the existing API, but allows existing extensions to easily add dual-stack support. -To avoid additional checking of which address families are available on this network during an ip allocation call, we could store the address families in the network. - -#### Decision - -The decision was made to go with the having both address families in a single network entity because we think this is the most flexible way to support dual-stack machines and Kubernetes clusters as well as single-stack with the least amount of modifications on the networking side. - -### Examples - -To illustrate the the usage we start by creating a tenant super network which has both address families: - -```yaml ---- -id: tenant-super-network-mini-lab -name: Project Super Network -description: Super network of all project networks -partitionid: mini-lab -prefixes: - - 10.0.0.0/16 - - 2001:db8:0:10::/64 -defaultchildprefixlength: - IPv4: 22 - IPv6: 96 -privatesuper: true -``` - -In order to create this network, we simple call: - -```bash -metalctl network create -f tenant-super.yaml -``` - -This is usually done during the initial setup of the environment. - -Next step is to allocate a tenant network where the machines of a project can be placed: - -```bash -metalctl network allocate --partition mini-lab --project 4b9b17c4-2d7c-4190-ae95-dda44e430fa6 --name my-node-network -``` - -This leads to the following network allocation: - -```yaml -id: 2d2c0350-3f66-4597-ae97-ef6797232212 -name: my-node-network -parentnetworkid: tenant-super-network-mini-lab -partitionid: mini-lab -prefixes: - - 10.0.0.0/22 - - 2001:db8:0:10::/96 -projectid: 4b9b17c4-2d7c-4190-ae95-dda44e430fa6 -vrf: 20 -consumption: - ipv4: - available_ips: 1024 - available_prefixes: 256 - used_ips: 2 - used_prefixes: 0 - ipv6: - available_ips: 2147483647 - available_prefixes: 1073741824 - used_ips: 1 - used_prefixes: 0 -privatesuper: false -``` - -Users can the create IP addresses from these child networks. By default, they retrieve an IPv4 address except a super network only consists of IPv6 prefixes. In the latter case the users acquire an IPv6 address. - -```bash -metalctl network ip create --network 2d2c0350-3f66-4597-ae97-ef6797232212 --project 4b9b17c4-2d7c-4190-ae95-dda44e430fa6 -``` diff --git a/versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP14/README.md b/versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP14/README.md deleted file mode 100644 index 47c06434..00000000 --- a/versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP14/README.md +++ /dev/null @@ -1,36 +0,0 @@ ---- -slug: /MEP-14-independence-from-external-sources -title: MEP-14 -sidebar_position: 14 ---- - -# Independence from external sources - -In certain situations some customers may need to operate and create machines without making use of external services like DNS or NTP through the internet. To make this possible, all metal-stack components reaching external services need to be configurable with custom endpoints. - -So far, the following components have been identified as requiring changes: - -- pixiecore -- metal-hammer -- metal-images - -More components are likely to be added to the list during processing. -For DNS and NTP servers it should be possible to provide default values within a partition. They can either be inherited from machines and firewalls or overwritten with own ones. - -## pixiecore - -A NTP server endpoint need to be configured on the pixiecore. This can be achieved by providing it through environment variables on start up. - -## metal-hammer - -If using a self-deployed NTP server, also the metal-hammer need to be configured with it. For backward compatibility, default values from `pool.ntp.org` and `time.google.com` are used. - -## metal-images - -Configurations for the `metal-images` are different for machines and firewalls. - -## metalctl - -In order to pass DNS and NTP servers to partitions and machines while creating them, the flags `dnsservers` and `ntpservers` need to be added. - -The implementation of this MEP will make metal-stack possible to create and maintain machines without requiring an internet connection. diff --git a/versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP16/README.md b/versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP16/README.md deleted file mode 100644 index dbfa59d6..00000000 --- a/versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP16/README.md +++ /dev/null @@ -1,332 +0,0 @@ ---- -slug: /MEP-16-metal-api-as-an-alternative-configuration-source-for-the-firewall-controller -title: MEP-16 -sidebar_position: 16 ---- - -# metal-api as an Alternative Configuration Source for the firewall-controller - -In the current situation, a firewall as provisioned by metal-stack is a fully immutable entity. Any modifications on the firewall like changing the firewall ruleset must be done _somehow_ by the user – the metal-api and hence metal-stack is not aware of its current state. - -As part of our [integration with the Gardener project](https://docs.metal-stack.io/stable/overview/kubernetes/#Gardener) we offer a solution called the [firewall-controller](https://github.com/metal-stack/firewall-controller), which is part of our [firewall OS images](https://github.com/metal-stack/metal-images/blob/6318a624861b18a559a9d37299bca5f760eef524/firewall/Dockerfile#L57-L58) and addresses shortcomings of the firewall resource's immutability, which would otherwise be completely impractible to work with. The firewall-controller crashes infinitely if it is not properly configured through the userdata when using the firewall image of metal-stack. - -The firewall-controller approach is tightly coupled to Gardener and it requires the administrator of the Gardener installation to pass a shoot and a seed kubeconfig through machine userdata when creating the firewall. How this userdata has to look like is not documented and is just part of another project called the [firewall-controller-manager](https://github.com/metal-stack/firewall-controller-manager) (FCM), which task is to orchestrate rolling updates of firewall machines in a way that network traffic interruption is minimal when updating a firewall or applying a change to an immutable firewall configuration. - -In general, a firewall entity in metal-stack has similarities to the machine entity but it has a fundamental difference: A user gains ownership over a machine after provisioning. They can access it through SSH, modify it at will and this is completely wanted. For firewalls, however, we do not want a user to access the provisioned firewall as the firewall is a privileged part of the infrastructure with access to the underlay network. The underlay can not be tampered with at any given point in time by a user as it can destroy the entire network traffic flow inside a metal-stack partition. - -For this reason, we have a gap in the metal-stack project in terms of a missing solution for people who do not rely on the Gardener integration. We are basically leaving a user with the option to implement an orchestrated recreation of every possible change on the firewall to minimize traffic interruption for the machines sitting behind the firewall or re-implement the firewall-controller to how they want to use it for their use-case. - -Also we do not have a clear distinction in the API between user and metal-stack operator for firewalls. If a user would allocate a firewall it is also possible for the user to inject his own SSH keys and access the firewall and tamper with the underlay network. - -Parts of these problems are probably going to decrease with the work on [MEP-4](../MEP4/README.md) where there will be dedicated APIs for users and administrators of metal-stack including fine-grained access tokens. - -With this MEP we want to describe a way to improve this current situation and allow other users that do not rely on the Gardener integration – for whatever motivation they have – to adequately manage firewalls. For this, we propose an alternative configuration for the firewall-controller that is native to metal-stack and more independent of Gardener. - -## Proposal - -The central idea of this proposal is allowing the firewall-controller to use the metal-api as a configuration source. This should serve as an alternative strategy to the currently used FCM `Firewall` resource based approach in the Gardener use-case. -Updates of the firewall rules should be possible through the metal-api. - -The firewall-controller itself should now be able to decide which of the two main strategies should be used for the base configuration: a kubeconfig or the metal-api. This should be possible through a dedicated _firewall-controller-config_. - -Using this config will now allow operators to fine-tune the data sources for all of its dynamic configuration tasks independently. -For example the data source of the core firewall rules could be set either from the `Firewall` resource located in the Gardener `Seed` or the metal-apiserver node network entity, while the CWNPs should be fetched and applied from a given kubeconfig (the `Shoot` Kubeconfig in the Gardener case). -This configuration file is intended to be injected during firewall creation through the userdata along with potential source connection credentials. - -```yaml -# the name of the firewall, defaulted to the hostname -name: best-firewall-ever - -sources: - seed: - kubeconfig: /path/to/seed.yaml # current gardener behavior - namespace: shoot--proj--name - shoot: - kubeconfig: /path/to/shoot.yaml # current gardener behavior - namespace: firewall - metal: - url: https://metal-api - hmac: some-hmac - type: Metal-View - projectID: abc - static: - # static should mirror all information provided by the metal or seed/shoot sources - firewall: # optional - controllerURL: https://... - cwnp: - egress: [] - ingress: [] - -# all sub-controllers running on the firewall -# each can be configured independently -controllers: - # this is the base controller - firewall: - source: seed # or: metal, static - - # these are optional: when not provided, they are disabled - selfUpdate: - enabled: true - droptailer: - enabled: true - - # these are optional: when not provided, they are disabled - service: - source: shoot # or: metal, static - cwnp: - source: shoot # or: metal, static - monitor: - source: shoot # currently only shoot is supported -``` - -The existing behavior of the firewall-controller writing into `/etc/nftables/firewall-controller.v4` is not changed. The different controller configuration sources are internally treated in the same way as before. The `static` source can be used to prevent the firewall-controller from crashing and consistently providing a static ruleset. This might be interesting for metal-stack native use cases or environments where the metal-api cannot be accessed. - -There must be one central nftables-rule-file-controller that is notified and triggered by all other controllers that contribute to the nftables configuration. - -For example, in order to maintain the existing Gardener integration, the configuration file for the firewall-controller will look like this: - -```yaml -name: shoot--abc--cluster-firewall-def -sources: - seed: - kubeconfig: /etc/firewall-controller/seed.yaml - namespace: shoot--abc--cluster - shoot: - kubeconfig: /etc/firewall-controller/shoot.yaml - namespace: firewall - -controllers: - firewall: - source: seed - - selfUpdate: - enabled: true - droptailer: - enabled: true - - service: - source: shoot - cwnp: - source: shoot - monitor: - source: shoot -``` - -Plain metal-stack users might use a configuration like this: - -```yaml -name: best-firewall-ever - -sources: - metal: - url: https://metal-api - hmac: some-hmac - type: Metal-View - projectID: abc - -controllers: - firewall: - source: metal - selfUpdate: - enabled: true - droptailer: - enabled: true - - cwnp: - # firewall rules stored in firewall entity - # potential improvement would be to attach the rules to the node network entity - # be aware that the firewall and private networks are immutable - # eventually we introduce a firewall ruleset entity - source: metal -``` - -In highly restricted environments that cannot access metal-api the static source could be used: - -```yaml -name: most-restricted-firewall-ever - -sources: - static: - firewall: - controllerURL: https://... - cwnp: - egress: [] - ingress: [] - -controllers: - firewall: - source: static - - cwnp: - source: static -``` - -### Non-Goals - -- Resolving the missing differentiation between users and administrators by letting users pass userdata and SSH keys to the firewall creation. - - This is even more related to [MEP-4](../MEP4/README.md) than this MEP. - -### Advantages - -- Offers a native metal-stack solution that improves managing firewalls for users by adding dynamic reconfiguration through the metal-api - - e.g., in the mini-lab, users can now allocate a machine, then an IP address and announce this IP from the machine without having to re-create the firewall but by adding a firewall rule to the metal-api. -- Improve consistency throughout the API (firewall rules would reflect what is persisted in metal-api). -- Other providers like Cluster API can leverage this approach, too. -- It can contribute to solving the shoot migration issue (in Cluster API case the `clusterctl move` for firewall objects) - - For Gardener takes the seed out of the equation (of which the kubeconfig changes during shoot migration) - - However: Things like egress rules, rate limiting, etc. are currently not part of the firewall or network entity in the metal-api. These would need to be added to one of them. -- Potentially resolve the issue that end-users can manipulate accounting data of the firewall through the `FirewallMonitor` - - for this we would need to be able to report traffic data to metal-api - -### Caveats - -- Metal-View access is too broad for firewalls. Mitigated by [MEP-4](../MEP4/README.md). -- Polling of the firewall-controller is bad for performance. Mitigated by [MEP-4](../MEP4/README.md). - -### Firewall Controller Manager - -Currently the firewall-controller-manager expects the creators of a `FirewallDeployment` to use the defaulting webhook that is tailored to the Gardener integration in order to generate `Firewall.spec.userdata` or to override it manually. Currently `Firewall.spec.userdata` will never be set explicitly. - -Instead we'd like to propose `Firewall.spec.userdataContents` which will replace the old `userdata`-string by a typed data structure. The FCM will do the heavy lifting while the `FirewallDeployment` creator decides what should be configured. - -```yaml -kind: FirewallDeployment -spec: - template: - spec: - userdataContents: - - path: /etc/firewall-controller/config.yaml - content: | - --- - sources: - static: {} - controllers: - firewall: - source: static - - path: /etc/firewall-controller/seed.yaml - contentFrom: - firewallControllerKubeconfigSecret: - name: seed-kubeconfig - key: kubeconfig - - - path: /etc/firewall-controller/shoot.yaml - contentFrom: - secretRef: - name: shoot-kubeconfig - key: kubeconfig -``` - -### Gardener Extension Provider Metal Stack - -The GEPM should be migrated to the new `Firewall.spec.userdataContents` field. - -### Cluster API Provider Metal Stack - -![architectural overview](firewall-for-capms-overview.svg) - -In Cluster API there are essentially two main clusters: the management cluster and the workload cluster while the CAPMS takes in the role of the GEPM. -Typically a local bootstrap cluster is created in KinD which acts as the management cluster. It creates the workload cluster. Thereafter the ownership of the workload cluster is typically moved (using `clusterctl move`) to a different cluster which will then become the management cluster. -The new management cluster might actually be the workload cluster itself. - -In contrast to Gardener, Cluster API aims to be less opinionated and minimal. It is common practice to not install any non-required components or CRDs into the workload cluster by default. Therefore we cannot expect custom resources like `ClusterwideNetworkPolicy` or `FirewallMonitor` to be installed in the workload cluster but strongly recommend our users to do it. Therefore it's the responsibility of the operator to tell [cluster-api-provider-metal-stack](https://github.com/metal-stack/cluster-api-provider-metal-stack) the kubeconfig for the cluster where these CRDs are installed and defined in. - -A viable configuration for a `MetalStackCluster` that generates firewall rules based of `Service` type `LoadBalancer` and `ClusterwideNetworkPolicy` and expects them to be deployed in the workload cluster is shown below. The `FirewallMonitor` will be reported into the same cluster. - -```yaml -kind: MetalStackCluster -metadata: - name: ${CLUSTER_NAME} -spec: - firewallTemplate: - userdataContents: - - path: /etc/firewall-controller/config.yaml - contentFrom: - secretRef: - name: ${CLUSTER_NAME}-firewall-controller-config - key: controllerConfig - - - path: /etc/firewall-controller/workload.yaml - contentFrom: - # this is the kubeconfig generated by kubeadm - secretRef: - name: ${CLUSTER_NAME}-kubeconfig - key: value ---- -kind: Secret -metadata: - name: ${CLUSTER_NAME}-firewall-controller-config -stringData: - controllerConfig: | - --- - name: ${CLUSTER_NAME}-firewall - - sources: - metal: - url: ${METAL_API_URL} - hmac: ${METAL_API_HMAC} - type: ${METAL_API_HMAC_TYPE} - projectID: ${METAL_API_PROJECT_ID} - shoot: - kubeconfig: /etc/firewall-controller/workload.yaml - namespace: firewall - - controllers: - firewall: - source: metal - selfUpdate: - enabled: true - droptailer: - enabled: true - - service: - source: shoot - cwnp: - source: shoot - monitor: - source: shoot -``` - -Here the firewall-controller-config will be referenced by the `MetalStackCluster` as a `Secret`. Please note that the `Secret`s in `userdataContents` will not be fetched and will directly be passed to the `FirewallDeployment`. At first the reconciliation of it in the FCM will fail due to the missing Kubeconfig secret. After the `MetalStackCluster` has been marked as ready, CAPI will create this missing secret. Effectively the firewall and initial control plane node should be created at the same time. - -This approach allows maximum flexibility as intended by Cluster API and is still able to provide robust rolling updates of firewalls. - -An advanced use case of this flexibility would be a management cluster, that is in charge of multiple workload clusters. Where one workload cluster acts as a monitoring or tooling cluster, receives logs and the firewall monitor for the other workload clusters. The CWNPs could be defined here, all in a separate namespace. - -#### Cluster API Caveats - -When the cluster is pivoted and reconciles its own firewall, a malfunctioning firewall prevents the cluster from self-healing and requires manual intervention by creating a new firewall. This is an inherent problem of the cluster-api approach. It can be circumvented by using an extra cluster to manage workload clusters. - -In the current form of this approach firewalls and therefore the firewall egress and ingress rules are managed by the cluster operators that manage the cluster-api resources. -Hence it will not be possible to gain a fine-grained control over every cluster operator's choices from a central ruleset at the level of metal-stack firewalls. -In case this control surfaces as a requirement, it would need to be implemented in a firewall external to metal-stack. - -## Roadmap - -In general this proposal is not thought to be implemented in one batch. Instead an incremental approach is required. - -1. Enhance firewall-controller-manager - - - Add `FirewallDeployment.spec.template.spec.userdataContents` - -2. Enhance firewall-controller - - - Reduce coupling between controllers - - Introduce controller config - - Abstract module to write into distinct nftable rules for every controller - - Implement `sources.static`, but not `sources.metal` - - GEPM should set `FirewallDeployment.spec.template.spec.userdataContents` - -3. Allow Cluster API to use the FCM with static ruleset - - - Add `firewall.metal-stack.io/paused` annotation (managed by CAPMS during `clusterctl move`, theoretically useful for Gardener shoot migration as well to avoid shallow deletion). - - Reconcile multiple `FirewallDeployment` resources across multiple namespaces. For Gardener the old behavior of reconciling only one namespace should persist. - - Allow setting the `firewall.metal-stack.io/no-controller-connection` annotation through the `FirewallDeployment` (either through the template or inheritance). - - Add `MetalStackCluster.spec.firewallTemplate`. - - Make `MetalStackCluster.spec.nodeNetworkID` optional if `spec.firewallTemplate` given. - -4. Add `sources.metal` as configuration option. - - - Allow updates of firewall rules in the metal-apiserver. - - Depends on [MEP-4](../MEP4/README.md) metal-apiserver progress - -5. Potentially migrate the GEPM to use `sources.metal` diff --git a/versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP16/firewall-for-capms-overview.drawio b/versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP16/firewall-for-capms-overview.drawio deleted file mode 100644 index faea3e3d..00000000 --- a/versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP16/firewall-for-capms-overview.drawio +++ /dev/null @@ -1,4 +0,0 @@ - - - -
handles traffic
Firewall
Firewall Controller
node-exporter
nftables-exporter
droptailer-client
Workload Cluster
droptailer
Configures
Bootstrap or Management Cluster
reconcile
configures
reconcile
Cluster API Provider metal-stack
Metal Stack Cluster CRD
Firewall Deployment CRD
Firewall CRD
Firewall Set CRD
rec
reconcile
reconcile
Firewall Controller Manager
Metal Stack Machine CRD
manages
Admin
Kubeconfig FirewallMonitor
FirewallMonitor CRD
main metal-api
Firewall entity
kubeconfig CWNP
Clusterwide Network Policy CRD
base config
controllerConfig
user-defined
network rules
reports firewall
state
send firewall log lines
controllerConfig
controllerConfig
 \ No newline at end of file diff --git a/versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP16/firewall-for-capms-overview.svg b/versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP16/firewall-for-capms-overview.svg deleted file mode 100644 index 853f8175..00000000 --- a/versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP16/firewall-for-capms-overview.svg +++ /dev/null @@ -1 +0,0 @@ -
handles traffic
handles traffic
Firewall
Firewall
Firewall Controller
Firewall Controller
node-exporter
node-exporter
nftables-exporter
nftables-exporter
droptailer-client
droptailer-client
Workload Cluster
Workload Cluster
droptailer
droptailer
Configures
Configures
Bootstrap or Management Cluster
Bootstrap or Management Cluster
reconcile
reconcile
configures
configures
reconcile
reconcile
Cluster API Provider metal-stack
Cluster API Provider...
Metal Stack Cluster CRD
Metal Stack Cluster...
Firewall Deployment CRD
Firewall Deployment...
Firewall CRD
Firewall CRD
Firewall Set CRD
Firewall Set CRD
rec
rec
reconcile
reconcile
reconcile
reconcile
Firewall Controller Manager
Firewall Controller...
Metal Stack Machine CRD
Metal Stack Machine...
manages
manages
Admin
Admin
Kubeconfig FirewallMonitor
Kubeconfig FirewallMonitor
FirewallMonitor CRD
FirewallMonitor CRD
main metal-api
main metal-api
Firewall entity
Firewall entity
kubeconfig CWNP
kubeconfig CWNP
Clusterwide Network PolicyCRD
Clusterwide Network...
base config
base config
controllerConfig
controllerConfig
user-defined
network rules
user-defined...
reports firewall
state
reports firewall...
send firewall log lines
send firewall log lines
controllerConfig
controllerConfig
controllerConfig
controllerConfigText is not SVG - cannot display \ No newline at end of file diff --git a/versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP17/README.md b/versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP17/README.md deleted file mode 100644 index 35f48970..00000000 --- a/versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP17/README.md +++ /dev/null @@ -1,61 +0,0 @@ ---- -slug: /MEP-17-global-network-view -title: MEP-17 -sidebar_position: 17 ---- - -# Global Network View - -> [!IMPORTANT] -> This MEP assumes the implementation of the metal-apiserver as described by [MEP-4](../MEP4/README.md) which is currently work in progress. - -Having a complete view of the network topology is useful when working with deployments or troubleshooting connectivity issues. -Currently, the API doesn't know of any other switches than the leaf switches. -Information about all other switches and their connections must be gathered from Ansible inventories or by accessing the switches via SSH. -Documentation of each partition's network must be kept in-sync with all changes made to the deployment or cabling. -We would like to expand the API's knowledge of the network to the entire underlay including inter-switch connections as well as BGP statistics and health status. - -## Switch Types - -Registering a switch at the API is done by the metal-core. -Apart from that, it also reconciles port and FRR configuration to adapt to the machine provisioning cycle. -This reconfiguration is only necessary on the leaf switches. -To allow deploying the metal-core on other switches than leaves we need a way of telling it what type of switch it is running on so it can act accordingly. -On any non-leaf switches it will only register the switch and report statistic but not change any configuration. -Supported switch types are - -- `leaf` -- `spine` -- `exit` -- `mgmtleaf` -- `mgmtspine` - -## Network Topology - -All switches should periodically report their LLDP neighbors and port configuration. -This information can be used to quickly identify common network issues, like MTU mismatch or the like. -Ideally, there would be some graphical representation of the network topology containing only the most important information for a quick overview. -It should contain all switches and machines as nodes and all connections as edges of a graph. -Ports, VRFs, and maybe also IPs should be associated with a connection. - -Apart from the topology graph, there should be a way to display more detailed information about both ports of a connection, like - -- MTU -- speed -- IP -- UP/DOWN status -- VRF -- VLAN -- whether it participates in a BGP session - -## BGP Announcements - -The metal-core should collect all routes it knows about and send them to the API along with a timestamp. -Reported routes should be stored to a redis database along with the switch that reported them and the timestamp of the last time they were reported. -An expiration threshold should be defined and all expired routes should be cleaned up periodically. -Whenever new routes are reported they get merged into the existing ones by the strategy: - -- when new, just add -- when existing, update `last_announced` timestamp - -By querying the BGP announcements we can find out whether an allocated IP is still in use. diff --git a/versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP18/README.md b/versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP18/README.md deleted file mode 100644 index 9c02c0b7..00000000 --- a/versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP18/README.md +++ /dev/null @@ -1,147 +0,0 @@ ---- -slug: /MEP-18-autonomous-control-plane -title: MEP-18 -sidebar_position: 18 ---- - -# Autonomous Control Plane - -As described in the [deployment chapter](../../../docs/04-For%20Operators/03-deployment-guide.mdx), we strongly recommend Kubernetes as the target platform for running the metal-stack control plane. - -Kubernetes clusters for this purpose are readily available from hyperscalers, metalstack.cloud, or other cloud providers. Simply using a managed Kubernetes cluster greatly simplifies a metal-stack installation. However, sometimes it might be desirable to host the metal-stack control plane autonomously, without the help of another cloud provider. Reasons for this might include corporate policies that prohibit the use of external data center products, or network constraints. - -The Kubernetes cluster hosting the metal-stack control plane must provide at least the following features: - -- Load balancing (for exposing the APIs) -- Persistent storage (for the databases and key-value stores) -- Access to object storage for automated backups of the stateful sets -- Access to a DNS provider supported by one of the used DNS extensions -- Externally accessible DNS records for obtaining officially signed certificates through DNS challenges - -This metal-stack control plane cluster must also be highly available to prevent a complete loss of control over the managed resources in the data center. -Regular Kubernetes updates to apply security fixes and feature updates must be possible in an automated manner. The Day-2 operational overhead of running this cluster in your own datacenter must be reasonable. - -In this chapter, we propose a solution for setting up a metal-stack environment with an autonomous control plane that is independent of another cloud provider. - -## Use Your Own Dogfood - -The most obvious solution is to just deploy a Kubernetes cluster manually in your own data center by utilizing existing tooling for the deployment: - -- k3s -- kubeadm -- vmware and rancher -- talos -- kubespray -- ... (not a complete list) - -However, all these solutions add another layer of complexity that needs to be maintained and operated by people who also need to learn and understand metal-stack. In general, metal-stack in combination with [Gardener](https://gardener.cloud) contains all the necessary tools to provide KaaS, so it makes sense to reuse what is already in place without introducing new dependencies on other products and vendors. - -The only problem here is that Gardener is not yet able to create an initial cluster, which may change with the implementation of [GEP-28](https://github.com/gardener/gardener/blob/master/docs/proposals/28-autonomous-shoot-clusters.md). In the meantime, we suggest using [k3s](https://k3s.io/), which manages the initial metal-stack partition to host the control plane, since the maintenance overhead is acceptable and it is easy to deploy. - -## The Matryoshka Principle - -Instead of directly using the K3s cluster for the production control plane, we propose using it as a minimal control plane cluster which only purpose is to host the production control plane cluster. This layer of indirection brings some reasonable advantages: - -- In the event of an interruption or loss of this minimal control plane cluster, the production control plane remains unaffected, and end users can continue to manage their clusters as normal. -- A dedicated operations team can take care of the Day-2 maintenance of this installation, which can be handy because the tools like k3s are a little different from the rest of the setup (it is likely that more manual maintenance is required than for any other cluster). This would also be true if the initial cluster problem would be solved by the Gardener itself and not using k3s. -- Since the number of shoot clusters to host is static, the resource requirements are minimal and will not change significantly over time. There are no huge resource requirements in terms of cpu, memory and storage. As such, the lack of scalability is not such a big issue. - -So, our proposal is to chain two metal-stack control planes. The initial control plane cluster would use k3s and on this cluster we can spin up a cluster for the production control plane with the use of Gardener. - -The following figure shows how the high-level architecture of this setup looks like. A even more simplified illustration of this setup can be looked up in the appendix[^1]. - -![Autonomous Control Plane Architecture](./autonomous-control-plane-images/metal-stack-autonomous-control-plane-full.svg) - -The k3s nodes can either be bare metal machines or virtual machines. When using VMs a single k3s node might be a viable solution, too. These nodes are supposed to be setup manually / partly automated with an operating system like Debian. - -To name the cluster that hosts the initial metal-stack control plane and Gardener we use the term _initial cluster_. The initial cluster creates worker nodes to host the _target cluster_. - -## Initial Cluster - -The initial cluster is kept very small. The physical bare metal machines can be any machines and switches which are supported by metal-stack, but can be smaller in terms of cpu, memory and network speed because these machines must only be capable of running the target cluster for the metal-stack control plane. A typical single socket server with 8-16 cores and 64GB of RAM and two NVMe drives of 1TB would be a good starting point. - -In a typical k3s setup, a stateful set would lose the data once the k3s cluster was terminated and started again. But there is a possibility to define parts of the local storage of the server to be provided to the k3s cluster for the PVCs. With that, k3s could be terminated and started again, for example to update and reboot the host os, or update k3s itself and the data will persist. - -Example k3s configuration for persistent storage on the hosts os: - -```yaml -k3s: Cluster -apiVersion: k3s.x-k8s.io/v1alpha4 -name: needle-control-plane -nodes: - - role: control-plane - # add a mount from /path/to/my/files on the host to /files on the node - extraMounts: - - hostPath: /path/to/my/files - containerPath: /files -``` - -Into this cluster metal-stack and Gardener will be deployed. This deployment can be done by a Gitlab runner which is running on this machine. -The mini-lab will be used as a base for this deployment. The current development of [gardener-in-minilab](https://github.com/metal-stack/mini-lab/pull/202) must be extended to host all required extensions to make this a working metal-stack control plane which can manage the machines in the attached bare metal setup. - -In addition to the metal-stack and Gardener deployment, some additional required services are deployed (non-complete list): - -- PowerDNS to serve as a DNS Server for all DNS entries used in the initial and the target cluster, like `api.initial.metal-stack.local`, `gardener-api.initial.metal-stack.local` and the DNS entries for the api servers of the created kubernetes clusters. -- NTP -- Monitoring for the initial cluster and partition -- Optional: OIDC Server for authenticating against the metal-api -- Optional: Container Registry to host all metal-stack and gardener containers -- Optional: Let's Encrypt [boulder](https://github.com/letsencrypt/boulder) as a certificate authority -- ... - -Physical view, minimal setup for a initial cluster with a single physical node: - -![Small Initial Cluster](autonomous-control-plane-images/small-initial-cluster.svg) - -Physical View, bigger ha setup which is spread across two data centers: - -![HA Initial Cluster](autonomous-control-plane-images/ha-initial-cluster.svg) - -### Control Plane High Availability - -Running the initial control plane on a single physical server is not as available as it should be in such a use case. It should be possible to survive a loss of this server, because the server could be lost by many events, such as hardware failure, disk corruption or even failure of the datacenter location where this server is deployed. - -Setting up a second server with the same software components is an option, but the problem of data redundancy must be solved, because neither the gardener control plane, nor the metal-stack control plane can be instantiated twice. - -Given that we provide part of the local storage of the server as backing storage for the stateful sets in the k3s cluster, the data stored on the server itself must be replicated to another server and backed up on a regular basis. - -The replication of ETCD can be achieved through [clustered configuration](https://docs.k3s.io/datastore/ha-embedded) of k3s. Components of metal-stack and Gardener can run standalone and already utilize backup-restore mechanism that must be configured accordingly. For two or more bare metal machine used for the initial cluster, a loadbalancing mechanism for the ingress is required. kube-vip could be a possible solution. - -For monitoring a backend like a Victoria Metrics Cluster would allow spearding the monitoring data across the initial cluster nodes. These metrics should also be backed up in object storage. - -### Partition - -The partition which is managed by the initial cluster can be a simple and small hardware setup but yet capable enough to host the target cluster. It would even be a good practice to create separate target clusters on the initial cluster, e.g. one for the metal-stack control plane and one for the Gardener (maybe one more for monitoring). - -It can follow the metal-stack minimal setup which provides about 8-16 small servers connected to a 1G/s or 10G/s network dataplane. Central storage is optional as the persistence of the services running in these clusters is always backed up to a central object storage. Operations would be much easier if a central storage is provided. - -## Target Cluster - -The target cluster is the metal-stack environment which serves for end-user production use, the control plane is running in a shoot hosted in the initial cluster. The seed(s) and shoot(s) for end-users are created on the machines provided by the target cluster. -These machines can be of a different type in terms of size, but more importantly, these machines are connected to another network dataplane. Also the management infrastructure is separated from the initial cluster management network. - -## Failure Scenarios - -Everything could fail, everything will fail at some point. But this must kept in mind and nothing bad should happen if only one component at a time fails. -If more than one fails, the restoration to a working state must be easily possible and well documented. - -To ensure all possible breakages are documented, we suggest writing a list which summarizes all failure scenarios that might occur including the remediation. - -Here is an example of how a scenario documentation could look like: - -**Scenario**: Initial cluster is gone, all machines have died -**Impact**: Management of the initial cluster infrastructure not possible anymore, the target cluster continues to run but cannot be managed because the API servers are gone. end-users are not affected by this incident. -**Remediation**: The initial cluster nodes must be provisioned from scratch and re-deployed through the CI mechanism. The backups of the stateful sets are automatically restored during this process. - -## Implementation - -As part of this proposal, we provide the following tools and integrations in order to setup an autonomous control plane: - -- Deployment roles for the services like PowerDNS and NTP for the initial cluster -- Stretch goal: Deployment role to setup k3s in clustered configuration for the initial cluster and update it -- Extend the Gardener on mini-lab integration to allow shoot creation in the mini-lab -- Steady integration of the setup (maybe something like [k3d](https://github.com/k3d-io/k3d) in the mini-lab) - -## Appendix - -[^1]: ![metal-stack-chain](autonomous-control-plane-images/metal-stack-chain.svg) diff --git a/versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP18/autonomous-control-plane-images/ha-initial-cluster.drawio b/versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP18/autonomous-control-plane-images/ha-initial-cluster.drawio deleted file mode 100644 index eafcb514..00000000 --- a/versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP18/autonomous-control-plane-images/ha-initial-cluster.drawio +++ /dev/null @@ -1,535 +0,0 @@ - - - - - - - - - - - - - - - - - - - 1 - - - - - 2 - - - - - 3 - - - - - 4 - - - - - 5 - - - - - 6 - - - - - 7 - - - - - 8 - - - - - 9 - - - - - 10 - - - - - 11 - - - - - 12 - - - - - - - - - - - - - -
-
-
- internet-router-management -
-
-
- - - internet-router-management - - - - - - - - - - - - - -
-
-
- management-switch-and-server -
-
-
- - - management-switch-and-server - - - - - - - - - - - - - -
-
-
- spine01 -
-
-
- - - spine01 - - - - - - - - - - - - - -
-
-
- leaf01 -
-
-
- - - leaf01 - - - - - - - - - - - - - -
-
-
- leaf02 -
-
-
- - - leaf02 - - - - - - - - - - - - - - - - - -
-
-
- - mirocloud (initial cluster partition nodes) - -
-
-
- - - mirocloud (initial cluster... - - - - - - - - - - - - - - - - - -
-
-
- - Initial cluster node 01 - -
-
-
- - - Initial cluster node 01 - - - - - - - - - - - - - - - - - 1 - - - - - 2 - - - - - 3 - - - - - 4 - - - - - 5 - - - - - 6 - - - - - 7 - - - - - 8 - - - - - 9 - - - - - 10 - - - - - 11 - - - - - 12 - - - - - - - - - - - - - -
-
-
- internet-router-management -
-
-
- - - internet-router-management - - - - - - - - - - - - - -
-
-
- management-switch-and-server -
-
-
- - - management-switch-and-server - - - - - - - - - - - - - -
-
-
- spine02 -
-
-
- - - spine02 - - - - - - - - - - - - - -
-
-
- leaf03 -
-
-
- - - leaf03 - - - - - - - - - - - - - -
-
-
- leaf04 -
-
-
- - - leaf04 - - - - - - - - - - - - - - - - - -
-
-
- - Initial cluster node 02 - -
-
-
- - - Initial cluster node 02 - - - - - - - - - - - - - - - - - -
-
-
- - Initial cluster node 03 - -
-
-
- - - Initial cluster node 03 - - - - - - - - - - - - - - - - - -
-
-
- - mirocloud (initial cluster partition nodes) - -
-
-
- - - mirocloud (initial cluster... - - - - - - - - - - Text is not SVG - cannot display - - - - diff --git a/versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP18/autonomous-control-plane-images/ha-initial-cluster.svg b/versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP18/autonomous-control-plane-images/ha-initial-cluster.svg deleted file mode 100644 index 99261ada..00000000 --- a/versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP18/autonomous-control-plane-images/ha-initial-cluster.svg +++ /dev/null @@ -1 +0,0 @@ -123456789101112
internet-router-management
internet-router-management
management-switch-and-server
management-switch-and-server
spine01
spine01
leaf01
leaf01
leaf02
leaf02
mirocloud (initial cluster partition nodes)
mirocloud (initial cluster...
Initial cluster node 01
Initial cluster node 01123456789101112
internet-router-management
internet-router-management
management-switch-and-server
management-switch-and-server
spine02
spine02
leaf03
leaf03
leaf04
leaf04
Initial cluster node 02
Initial cluster node 02
Initial cluster node 03
Initial cluster node 03
mirocloud (initial cluster partition nodes)
mirocloud (initial cluster...Text is not SVG - cannot display \ No newline at end of file diff --git a/versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-autonomous-control-plane-full.drawio b/versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-autonomous-control-plane-full.drawio deleted file mode 100644 index aae8a12d..00000000 --- a/versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-autonomous-control-plane-full.drawio +++ /dev/null @@ -1,1133 +0,0 @@ - - - - - - - - - - - - - - - - - - - -
-
-
- Initial Cluster -
-
-
- - - Initial Cluster - - - - - - - - - - - - - - - - - - -
-
-
- metal-roles -
-
-
- - - metal-roles - - - - - - - - - - - -
-
-
- CI -
-
-
- - - CI - - - - - - - - - - - -
-
-
- K3s Standalone - - - (on Debian) - - -
-
-
- - - K3s Standalone (on Debian) - - - - - - - - - - - - - - - - - - - - - -
-
-
- Initial Partition -
-
-
- - - Initial Partition - - - - - - - - - - - - - - - - - -
-
-
- Target Cluster for metal-stack -
-
-
- - - Target Cluster for metal-stack - - - - - - - - - - - - - - - - - -
-
-
- Metal Control Plane -
-
-
- - - Metal Control Plane - - - - - - - - - - - - - - - -
-
-
- provisions -
-
-
- - - provisions - - - - - - - - - - - - - - - - - -
-
-
- Target Cluster for Gardener -
-
-
- - - Target Cluster for Gardener - - - - - - - - - - - - - - -
-
-
- Gardener Control Plane -
-
-
- - - Gardener Control Plane - - - - - - - - - - - - - - - - - - - - - -
-
-
- Monitoring -
-
-
- - - Monitoring - - - - - - - - - - - - - - - - - - - - -
-
-
- Target Partition -
-
-
- - - Target Partition - - - - - - - - - - - - - - -
-
-
- Gardener Seeds and End-User Shoots -
-
-
- - - Gardener Seeds and End-User Shoots - - - - - - - - - - - - - - - -
-
-
- provisions -
-
-
- - - provisions - - - - - - - - - - - - -
-
-
- metal-roles -
-
-
- - - metal-roles - - - - - - - - - - - -
-
-
- CI -
-
-
- - - CI - - - - - - - - - - - - -
-
-
- metal-roles -
-
-
- - - metal-roles - - - - - - - - - - - - - - -
-
-
- ETCD can be clustered or standalone, backed up by sidecar -
-
-
- - - ETCD can be clustere... - - - - - - - - - - - - - - -
-
-
- This data will get lost in case local PV gets deleted -
-
-
- - - This data will get l... - - - - - - - - - - - - - - -
-
-
- We can work with local PVs here, too. -
- backup-restore-sidecar for metal-stack databases, for big ones Postgres clustered. -
-
-
- - - We can work with local PVs he... - - - - - - - - - - - -
-
-
- ETCD will be deployed in HA configuration on local PVs. -
-
- csi-driver-lvm needs to implement auto deletion of orphaned PVs. -
-
- Seed metrics get lost, but they report to the monitoring in the Metal Control Plane Shoot. -
-
-
- - - ETCD will be deployed in HA c... - - - - - - - - - - - - - - -
-
-
- More sophisticated storage solutions can be in place. -
-
- (Lightbits, NetApp, ...) -
-
-
- - - More sophisticated storage so... - - - - - - - - - - - - - - -
-
-
- TODO: Evaluate how to persist these metrics. -
-
-
- - - TODO: Evaluate how to persist... - - - - - - - - - - - - - - -
-
-
- - 1 VM or -
- -
- - - 3 Bare Metal Machines - - -
-
-
-
- - - 1 VM or... - - - - - - - - - - - - - - - - - - -
-
-
- metal-stack -
-
-
- - - metal-stack - - - - - - - - - - - -
-
-
- metal-api -
-
-
- - - metal-api - - - - - - - - - - - -
-
-
- metal-db -
-
-
- - - metal-db - - - - - - - - - - - -
-
-
- ipam-db -
-
-
- - - ipam-db - - - - - - - - - - - -
-
-
- masterdata-db -
-
-
- - - masterdata-db - - - - - - - - - - - -
-
-
- headscale-db -
-
-
- - - headscale-db - - - - - - - - - - - -
-
-
- auditing-db -
-
-
- - - auditing-db - - - - - - - - - - - -
-
-
- nsqd -
-
-
- - - nsqd - - - - - - - - - - - - - - - -
-
-
- Gardener -
-
-
- - - Gardener - - - - - - - - - - - - - - -
-
-
- Virtual Garden -
-
-
- - - Virtual Garden - - - - - - - - - - - -
-
-
- Gardener Control Plane -
-
-
- - - Gardener Control Plane - - - - - - - - - - - -
-
-
- gardenlet -
-
-
- - - gardenlet - - - - - - - - - - - -
-
-
- Garden etcd -
-
-
- - - Garden etcd - - - - - - - - - - - -
-
-
- Prometheus -
-
-
- - - Prometheus - - - - - - - - - - - - - - - -
-
-
- Monitoring -
-
-
- - - Monitoring - - - - - - - - - - - - - - -
-
-
- - Gitlab - -
- - Runner - -
-
-
-
- - - Gitlab... - - - - - - - - - - - - - - -
-
-
- Services -
-
-
- - - Services - - - - - - - - - - - -
-
-
- PowerDNS -
-
-
- - - PowerDNS - - - - - - - - - - - -
-
-
- boulder -
-
-
- - - boulder - - - - - - - - - - - -
-
-
- NTP -
-
-
- - - NTP - - - - - - - - - - - -
-
-
- OIDC -
-
-
- - - OIDC - - - - - - - - - - - -
-
-
- ... -
-
-
- - - ... - - - - - - - - - - Text is not SVG - cannot display - - - - diff --git a/versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-autonomous-control-plane-full.svg b/versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-autonomous-control-plane-full.svg deleted file mode 100644 index e58e783b..00000000 --- a/versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-autonomous-control-plane-full.svg +++ /dev/null @@ -1 +0,0 @@ -
Initial Cluster
Initial Cluster
metal-roles
metal-roles
CI
CI
K3s Standalone(on Debian)
K3s Standalone (on Debian)
Initial Partition
Initial Partition
Target Cluster for metal-stack
Target Cluster for metal-stack
Metal Control Plane
Metal Control Plane
provisions
provisions
Target Cluster for Gardener
Target Cluster for Gardener
Gardener Control Plane
Gardener Control Plane
Monitoring
Monitoring
Target Partition
Target Partition
Gardener Seeds and End-User Shoots
Gardener Seeds and End-User Shoots
provisions
provisions
metal-roles
metal-roles
CI
CI
metal-roles
metal-roles
ETCD can be clustered or standalone, backed up by sidecar
ETCD can be clustere...
This data will get lost in case local PV gets deleted
This data will get l...
We can work with local PVs here, too.
backup-restore-sidecar for metal-stack databases, for big ones Postgres clustered.
We can work with local PVs he...
ETCD will be deployed in HA configuration on local PVs.

csi-driver-lvm needs to implement auto deletion of orphaned PVs.

Seed metrics get lost, but they report to the monitoring in the Metal Control Plane Shoot.
ETCD will be deployed in HA c...
More sophisticated storage solutions can be in place.

(Lightbits, NetApp, ...)
More sophisticated storage so...
TODO: Evaluate how to persist these metrics.
TODO: Evaluate how to persist...
1 VM or
3 Bare Metal Machines
1 VM or...
metal-stack
metal-stack
metal-api
metal-api
metal-db
metal-db
ipam-db
ipam-db
masterdata-db
masterdata-db
headscale-db
headscale-db
auditing-db
auditing-db
nsqd
nsqd
Gardener
Gardener
Virtual Garden
Virtual Garden
Gardener Control Plane
Gardener Control Plane
gardenlet
gardenlet
Garden etcd
Garden etcd
Prometheus
Prometheus
Monitoring
Monitoring
Gitlab
Runner
Gitlab...
Services
Services
PowerDNS
PowerDNS
boulder
boulder
NTP
NTP
OIDC
OIDC
...
...Text is not SVG - cannot display \ No newline at end of file diff --git a/versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-chain.drawio b/versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-chain.drawio deleted file mode 100644 index cd5cf007..00000000 --- a/versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-chain.drawio +++ /dev/null @@ -1,404 +0,0 @@ - - - - - - - - - - -
-
-
- Partition 1 -
-
-
- - - Partition 1 - - - - - - - -
-
-
- seeds -
-
-
- - - seeds - - - - - - - -
-
-
- shoots -
-
-
- - - shoots - - - - - - - - - -
-
-
- Partition 2 -
-
-
- - - Partition 2 - - - - - - - -
-
-
- seeds -
-
-
- - - seeds - - - - - - - -
-
-
- shoots -
-
-
- - - shoots - - - - - - - - - -
-
-
- Partition 3 -
-
-
- - - Partition 3 - - - - - - - -
-
-
- seeds -
-
-
- - - seeds - - - - - - - -
-
-
- shoots -
-
-
- - - shoots - - - - - - - - - -
-
-
- Production Control Plane -
-
-
- - - Production Control Plane - - - - - - - -
-
-
- metal-stack -
- kubernetes cluster -
-
-
- - - metal-stack... - - - - - - - -
-
-
- gardener -
- kubernetes cluster -
-
-
- - - gardener... - - - - - - - -
-
-
- - Manages - -
-
-
- - - Manages - - - - - - - - - - - -
-
-
- Control Plane Partition -
-
-
- - - Control Plane Partition - - - - - - - - -
-
-
- backup of stateful sets -
-
-
- - - backup of stateful sets - - - - - - - - - -
-
-
- bare metal machine -
-
-
- - - bare metal machine - - - - - - - -
-
-
- metal-stack -
- and -
- gardener -
- kubernetes cluster -
- running in kind -
-
-
- - - metal-stack... - - - - - - - -
-
-
- - Manages - -
-
-
- - - Manages - - - - - - - - -
-
-
- S3 -
-
-
- - - S3 - - - - - - - -
-
-
- Needle -
-
-
- - - Needle - - - - - - -
-
-
- - Nail - -
-
-
- - - Nail - - - - - - - - - Text is not SVG - cannot display - - - - \ No newline at end of file diff --git a/versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-chain.svg b/versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-chain.svg deleted file mode 100644 index 8f88ba14..00000000 --- a/versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-chain.svg +++ /dev/null @@ -1 +0,0 @@ -
Partition 1
Partition 1
seeds
seeds
shoots
shoots
Partition 2
Partition 2
seeds
seeds
shoots
shoots
Partition 3
Partition 3
seeds
seeds
shoots
shoots
Production Control Plane
Production Control Plane
metal-stack
kubernetes cluster
metal-stack...
gardener
kubernetes cluster
gardener...
Manages
Manages
Control Plane Partition
Control Plane Partition
backup of stateful sets
backup of stateful sets
bare metal machine
bare metal machine
metal-stack
and
gardener
kubernetes cluster
running in kind
metal-stack...
Manages
Manages
S3
S3
Needle
Needle 
Nail
NailText is not SVG - cannot display \ No newline at end of file diff --git a/versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP18/autonomous-control-plane-images/small-initial-cluster.drawio b/versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP18/autonomous-control-plane-images/small-initial-cluster.drawio deleted file mode 100644 index a75ee340..00000000 --- a/versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP18/autonomous-control-plane-images/small-initial-cluster.drawio +++ /dev/null @@ -1,234 +0,0 @@ - - - - - - - - - - - - - - - - - - - 1 - - - - - 2 - - - - - 3 - - - - - 4 - - - - - 5 - - - - - 6 - - - - - 7 - - - - - 8 - - - - - 9 - - - - - 10 - - - - - 11 - - - - - 12 - - - - - - - - - - - - - -
-
-
- internet-router-management -
-
-
- - - internet-router-management - - - - - - - - - - - - - -
-
-
- management-switch-and-server -
-
-
- - - management-switch-and-server - - - - - - - - - - - - - -
-
-
- leaf01 -
-
-
- - - leaf01 - - - - - - - - - - - - - -
-
-
- leaf02 -
-
-
- - - leaf02 - - - - - - - - - - - - - - - - - -
-
-
- Initial cluster node -
-
-
- - - Initial cluster node - - - - - - - - - - - - - - - - - -
-
-
- mirocloud (initial cluster partition nodes) -
-
-
- - - mirocloud (initial cluster... - - - - - - - - - - Text is not SVG - cannot display - - - - diff --git a/versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP18/autonomous-control-plane-images/small-initial-cluster.svg b/versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP18/autonomous-control-plane-images/small-initial-cluster.svg deleted file mode 100644 index a9d29f05..00000000 --- a/versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP18/autonomous-control-plane-images/small-initial-cluster.svg +++ /dev/null @@ -1 +0,0 @@ -123456789101112
internet-router-management
internet-router-management
management-switch-and-server
management-switch-and-server
leaf01
leaf01
leaf02
leaf02
Initial cluster node
Initial cluster node
mirocloud (initial cluster partition nodes)
mirocloud (initial cluster...Text is not SVG - cannot display \ No newline at end of file diff --git a/versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP2/README.md b/versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP2/README.md deleted file mode 100644 index c7f2360a..00000000 --- a/versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP2/README.md +++ /dev/null @@ -1,7 +0,0 @@ ---- -slug: /MEP-2-two-factor-authentication -title: MEP-2 -sidebar_position: 2 ---- - -# Two Factor Authentication diff --git a/versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP3/README.md b/versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP3/README.md deleted file mode 100644 index 5ce36721..00000000 --- a/versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP3/README.md +++ /dev/null @@ -1,67 +0,0 @@ ---- -slug: /MEP-3-machine-re-installation -title: MEP-3 -sidebar_position: 3 ---- - -# Machine Re-Installation - -In the current metal-api only machine installations are possible, performing a machine upgrade is only possible by creating a new machine and delete the old one. -This has the drawback that in case a lot of data is stored on the local disks, a full restore of the original data must be performed. - -To prevent this, we will introduce a new metal-api endpoint to reinstall the machine with a new image, _without_ actually deleting the data stored on the additional hard disks. - -Storage is a difficult task to get right and reliable. A short analysis of our different storage requirements lead to 3 different scenarios. - -- Storage for the etcd pvs in the seed cluster of every partition. - This is the most important storage in our setup because these etcd pods serve as configuration backend for all customer kubernetes clusters. If they fail, the cluster is down. However gardener deploys a backup and restore sidecar into the etcd pod of every customer kubernetes control plane, and if this sidecar detects a corrupt or missing etcd database file(s) it starts automatic restore from the configured backup location. This will take some minutes. If for example a node dies, and gardener creates a new node instead, the csi-lvm created pv is not present on that node. Kubernetes will not schedule the missing etcd pod on this node because it has a local PV configured and is therefore tainted to run only on that node. To let kubernetes create that pod anyhow, someone has to either remove the taint, or delete the pod. If this is done, the pod starts and the restore of the etcd data can start as well. You can see this is a bit too complicated and will take the customer cluster down for a while (not measured yet but in the range of 5-10 minutes). -- Storage in customer clusters. - This was not promised in 2020. We have a intermediate solution with the provisioning of csi-lvm by default into all customer clusters. Albeit this is only local storage and will get deleted if a node dies. -- S3 Storage. - We have two possibilities to cope with storage: - - In place update of the OS with a daemonset - This will be fast and simple, but might fail because the packages being installed are broken right now, or a filesystem gets full, or any other failure you can think of during a os update. Another drawback is that metal-api does not reflect the updated os image. - - metal-api get a machine reinstall endpoint - With this approach we leverage from existing and already proven mechanisms. Reinstall must keep all data except the sata-dom. Gardener currently is not able to do an update with this approach because it can only do `rolling` updates. Therefore a additional `osupdatestrategy` has to be implemented for metal and other providers in gardener to be able to leverage the metal reinstall on the same machineID approach. - -If reinstall is implemented, we should focus on the same technology for all scenarios and put ceph via rook.io into the kubernetes clusters as additional StorageClass. It has to be checked whether to use the raw disk or a PV as the underlay block device where ceph stores its data. - -## API and behavior - -The API will get an new endpoint "reinstall" this endpoint takes two arguments: - -- machineID -- image - -No other aspects of the machine can be modified during the re-installation. All data stored in the existing allocation will be preserved, only the image will be modified. -Once this endpoint was called, the machine will get a `reboot` signal with the boot order set to PXE instead of HDD and the network interfaces on the leaf are set to PXE as well. Then the normal installation process starts: - -- unchanged: PXE boot with metal-hammer -- changed: metal-hammer first checks with the machineID in the metal-api (through metal-core) if there is already a allocation present -- changed: if a allocation is present and the allocation has set `reinstall: true`, wipe disk is only executed for the root disk, all other disks are untouched. -- unchanged: the specified image is downloaded and burned, `/install.sh` is executed -- unchanged: successful installation is reported back, network is set the the vrf, boot order is set to HDD. -- unchanged: distribution kernel is booted via kexec - -We can see that the `allocation` requires one additional parameter: `reinstall` and metal-hammer must check for already existing allocation at an earlier stage. - -Components which requires modifications (first guess): - -- metal-hammer: - - check for allocation present earlier - - evaluation of `reinstall` flag set - - wipe of disks depends on that flag - - Bonus: move configuration of disk layout and primary disk detection algorithm (PDDA) from metal-hammer into metal-api. - metal-api **MUST** reject reinstallation if the disk found by PDDA does not have the `/etc/metal` directory! -- metal-core: - - probably nothing -- metal-api: - - new endpoint `/machine/reinstall` - - add `Reinstall bool` to data model of `allocation` - - make sure to reset `Reinstall` after reinstallation to prevent endless reinstallation loop -- metalctl: - - implement `reinstall` -- metal-go: - - implement `reinstall` -- gardener (longterm): - - add the `OSUpgradeStrategy` `reinstall` diff --git a/versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP4/README.md b/versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP4/README.md deleted file mode 100644 index 389a02d4..00000000 --- a/versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP4/README.md +++ /dev/null @@ -1,211 +0,0 @@ ---- -slug: /MEP-4-multi-tenancy-for-the-metal-api -title: MEP-4 -sidebar_position: 4 ---- - -# Multi-Tenancy for the metal-api -:::info -This document is work in progress. -::: - -In the past we decided to treat the metal-api as a "low-level API", i.e. the API does not specifically deal with projects and tenants. A user with editor access can for example assign machines to every project he desires, he can see all the machines available and can control them. We tried to keep the metal-api code base as small as possible and we added resource scoping to a "higher-level APIs". From there, a user would be able to only see his own clusters and IP addresses. - -As time passed metal-stack has become an open-source project and people are willing to adopt. Adopters who want to put their own technologies on top of the metal-stack infrastructure don't have those "higher-level APIs" that we implemented closed-source for our user base. So, external adopters most likely need to implement resource scoping on their own. - -Introducing multi-tenancy to the metal-api is a serious chance of making our product better and more successful as it opens the door for: - -- Becoming a "fully-featured" API -- Narrowing down attack surfaces and possibility of unintended resource modification produced by bugs or human errors -- Discouraging people to implement their own scoping layers in front of the metal-stack -- Gaining performance through resource scopes -- Letting untrusted / third-parties work with the API - -## Requirements - -These are some general requirements / higher objectives that MEP-4 has to fulfill. - -- Should be able to run with mini-lab without requiring to setup complex auth backends (dex, LDAP, keycloak, ...) - - Simple to start with, more complex options for production setups -- Fine-grained access permissions (every endpoint maps to a permission) -- Tenant scoping (disallow resource access to resources of other tenants) -- Project scoping (disallow resource access to resources of other projects) -- Access tokens in self-service for technical user access - -## Implementation - -We gathered a lot of knowledge while implementing a multi-tenancy-capable backend for metalstack.cloud. The goal is now to use the same technology and adopt that to the metal-api, this includes: - -- gRPC in combination with connectrpc -- OPA for making auth decisions -- REST HTTP only for OIDC login flows - -### API Definitions - -The API definitions should be located on a separate Github repository separate from the server implementation. The proposed repository location is: https://github.com/metal-stack/api. - -This repository contains the `proto3` specification of the exposed metal-stack api. This includes the messages, simple validations, services and the access permission to these services. The input parameters for the authorization in the backend are generated from the `proto3` annotations. - -Client implementations for the most relevant languages (go, python) are generated automatically. - -This api is divided into end-user and admin access at the top level. The proposed APIs are: - -- `metalstack.api.v2`: For end-user facing services -- `metalstack.admin.v2`: For operators and controllers which need access to unscoped entities - -The methods of the API can have different role scopes (and can be narrowed down further with fine-grained method permissions): - -- `tenant`: Tenant-scoped methods, e.g. project creation (tenant needs to be provided in the request payload) - - Available roles: VIEWER, EDITOR, OWNER -- `project`: Project-scoped methods, e.g. machine creation (tenant needs to be provided in the request payload) - - Available roles: VIEWER, EDITOR, OWNER -- `admin` Admin-scoped methods, e.g. unscoped tenant list or switch register - - Available roles: VIEWER, EDITOR - -And has methods with different visibility scopes: - -- `self`: Methods that only the logged in user can access, e.g. show permissions with the presented token -- `public`: Methods that do not require any specific authorization - -### API - -The API server implements the services defined in the API and validates access to a method using OPA with the JWT tokens passed in the requests. The server is implemented using the connectrpc.com framework. - -The API server implements the login flow through OIDC. After successful authentication, the API server derives user permissions from the OIDC provider and issues a new JWT token which is passed on to the user. The tokens including the permissions are stored in a redis compatible backend. - -With these tokens, users can create Access Tokens for CI/CD or other use cases. - -JWT Tokens can be revoked by admins and the user itself. - -### API Server - -Is put into a new github repo which implements the services defined in the `api` repository. It opens a `https` endpoints where the grpc (via connectrpc.com) and oidc services are exposed. - -### Migration of the Consumers - -To allow consumers to migrate to the `v2` API gradually, both apis, the new and the old, are deployed in parallel. In the control-plane both apis are deployed side-by-side behind the ingress. `api.example.com` is forwarded to `metal-api` and `metal.example.com` is forwarded to the new `metal-apiserver`. - -The api-server will talk to the existing metal-api during the process of migration services away to the new grpc api. - -The migration process can be done in the following manner: - -for each resource in the metal-api: - -- create a new proto3 based definition in the `api` repo. -- implement the business logic per service in the new `metal-apiserver` without calling the metal-api. -- clients must be able to talk to `v1` and `v2` backend in parallel -- Deprecate the already migrated service in the swagger route to notify the client that this route should not be used anymore. -- identify all consumers of this resource and replace them to use the grpc instead of the rest api -- move the business logic incl. the backend calls to ipam, metal-db, masterdata-api, nsq for this resource from the metal-api to the `metal-apiserver` - -We will migrate the rethinkdb backend implementation to a generic approach during this effort. - -- Try to enhance the generic rethinkdb interface with `project` scoped methods. - -There are a lot of consumers of metal-api, which need to be migrated: - -- ansible -- firewall-controller -- firewall-controller-manager -- gardener-extension-auth -- gardener-extension-provider-metal - - Do not point the secret bindings to a the shared provider secret in the seed anymore. Instead, use individual provider-secret containing project-scoped API access tokens in the Gardener project namespaces. -- machine-controller-manager-provider-metal -- metal-ccm -- metal-console -- metal-bmc -- metal-core -- metal-hammer -- metal-image-cache-sync -- metal-images -- metal-metrics-exporter -- metal-networker -- metalctl -- pixie - -## User Scenarios - -This section gathers a collection of workflows from the perspective of a user that we want to provide with the implementation of this proposal. - -### Machine Creation - -A regular user wants to create a machine resource. - -Requirements: Project was created, permissions are present - -- The user can see networks that were provided by the admin. - - ``` - $ metalctl network ls - ID NAME PROJECT PARTITION NAT SHARED PREFIXES IPS - internet Internet Network true false 212.34.83.0/27  ● - tenant-super-network-fra-equ01 Project Super Network fra-equ01 false false 10.128.0.0/14  ● - underlay-fra-equ01 Underlay Network fra-equ01 false false 10.0.0.0/16  ● - ``` - -- The user has to set the project scope first or provide `--project` flags for all commands. - ``` - $ metalctl project set 793bb6cd-8b46-479d-9209-0fedca428fe1 - You are now acting on project 793bb6cd-8b46-479d-9209-0fedca428fe1. - ``` -- The user can create the child network required for machine allocation. - ``` - $ metalctl network allocate --partition fra-equ01 --name test - ``` -- Now, the user sees his own child network. - ``` - $ metalctl network ls - ID NAME PROJECT PARTITION NAT SHARED PREFIXES IPS - internet Internet Network true false 212.34.83.0/27  ● - tenant-super-network-fra-equ01 Project Super Network fra-equ01 false false 10.128.0.0/14  ● - └─╴08b9114b-ec47-4697-b402-a11421788dc6 test 793bb6cd-8b46-479d-9209-0fedca428fe1 fra-equ01 false false 10.128.64.0/22  ● - underlay-fra-equ01 Underlay Network fra-equ01 false false 10.0.0.0/16  ● - ``` -- The user does not see any machines yet. - ``` - $ metalctl machine ls - ``` -- The user can create a machine. - ``` - $ metalctl machine create --networks internet,08b9114b-ec47-4697-b402-a11421788dc6 --name test --hostname test --image ubuntu-20.04 --partition fra-equ01 --size c1-xlarge-x86` - ``` -- The machine will now be provisioned. - ``` - $ metalctl machine ls - ID LAST EVENT WHEN AGE HOSTNAME PROJECT SIZE IMAGE PARTITION - 00000000-0000-0000-0000-ac1f6b7befb2 Phoned Home 20s 50d 4h test 793bb6cd-8b46-479d-9209-0fedca428fe1 c1-xlarge-x86 Ubuntu 20.04 20210415 fra-equ01 - ``` - -:::warning -A user **cannot** list all allocated machines for all projects. The user **must** always switch project context first and can only view the machines inside this project. Only admins can see all machines at once. -::: -### Scopes for Resources - -The admins / operators of the metal-stack should be able to provide _global_ resources that users are able to use along with their own resources. In particular, users can view and use _global_ resources, but they are not allowed to create, modify or delete them. - -:::info -When a project ID field is empty on a resource, the resource is considered _global_. -::: - -Where possible, users should be capable of creating their own resource entities. - -| Resource | User | Global | -| :----------------- | :--- | :----- | -| File System Layout | yes | yes | -| Firewall | yes | | -| Firmware | | yes | -| OS Image | | yes | -| Machine | yes | | -| Network (Base) | | yes | -| Network (Children) | yes | | -| IP | yes | | -| Partition | | yes | -| Project | yes | | -| Project Token | yes | | -| Size | | yes | -| Switch | | | -| Tenant | | yes | - -:::info -Example: A user can make use of the file system layouts provided by the admins, but can also create own layouts. Same applies for images. As soon as a user creates own resources, the user takes over the responsibility for the machine provisioning to succeed. -::: diff --git a/versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP5/README.md b/versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP5/README.md deleted file mode 100644 index 3b7fc45c..00000000 --- a/versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP5/README.md +++ /dev/null @@ -1,54 +0,0 @@ ---- -slug: /MEP-5-shared-networks -title: MEP-5 -sidebar_position: 5 ---- - -# Shared Networks - -## Why are shared networks needed - -For special purpose machines that serve shared services with performance critical workloads to all machines of a partition (like persistent storage) it would be good to have kind of a "shared network" that is easily accessible. -They do not necessarily need another firewall. This would avoid having two firewalls in the datapath between a machine in a private network and the machines of a shared service. - -## Constraints that need to hold - -- a shared network is usable from all machines that have a firewall in front, that uses it -- a shared network is only usable within a single partition (currently we are constrained in bandwidth and have no routing of 10.0.0.0/8 addresses btw. partitions and failure domain should be the partition but this constraint might get lifted in the future) -- networks may be marked as shared after network allocation (but there should be no way back from shared to unshared) -- neither machines nor firewalls may have multiple private, unshared networks configured -- machines must have a single primary network configured - - this might be a shared network - - OR a plain, unshared private network -- firewalls may participate in multiple shared networks -- machines can be allocated with a primary network using auto IP allocation or with `noauto` and a specific IP - -## Should shared networks be private - -**Alternative 1:** If we implemented shared networks by extending functions around plain, private networks we would not have to manage another CIDR (mini point) and it would be possible to create a k8s cluster with a private network, mark the network as `shared` and produce shared services from this k8s cluster. - -**Alternative 2:** If shared networks are implemented as first class networks we could customize the VRF and also accomplish an other goal of our roadmap: being able to create machines directly in an external network. - -Together with @majst01 and @Gerrit91 we decided to continue to implement **Alternative 1**. - -## Firewalls accessing a shared network - -Firewalls that access shared networks need to: - -- hide the private network behind an ip address of the shared network if the shared network was configured with `nat=true`. -- import the prefixes of the shared VRF to the private VRF and import the prefixes of the private VRF to the shared VRF so that the communication between the two is working in both directions. As long as no `nat=true` was set on the shared VRF, the original machine ips are visible in both communication directions. - -## Setup with shared networks and single consumer - -![Simple Setup](./shared.png) - -## Setup with single shared network and multiple consumers - -![Advanced Setup](./shared_advanced.png) - -## Getting internet access - -Machines contained in a shared network can access the internet with different scenarios: - -- if they have an own firewall: this is internet accessibility, as common (check whether all traffic gets routed through it!) -- if they don't have an own firewall, an external HTTP proxy is needed that has an endpoint exposed as Service Type NodePort diff --git a/versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP5/shared.drawio b/versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP5/shared.drawio deleted file mode 100644 index aa7af045..00000000 --- a/versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP5/shared.drawio +++ /dev/null @@ -1,121 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - \ No newline at end of file diff --git a/versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP5/shared.png b/versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP5/shared.png deleted file mode 100644 index b0b47f0324545ec159effc46f153a9b5b0c2450b..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 49790 zcmeEu1zc6x+V`OZ4ygiyBB6sIB@GAZ6lv*}?mBcygGj5CbV#RkNJt7wsURqVG@^t^ zNqy@e$3dOB@7#OmeZTwuzHi1k?!DGtYp?Y@&-y>PCqzL`5)XP73V}fIq^^nGfIv`T z5D1Di)(OzUv5?FQfpGOYimN+XyPB9=8AE8;MZaCqu(6ogIylm>i_x&L8M5)P>vM9j zF&T34a58b|bD1!~40#NgIC%_MdDyu)OpNr|!DC>IwXKo4iMg@Sw{dJNY%ENy;15ih zm6e8Fn4JauaB?!kSU5GmJ+E(SY;*JyPG%M`0i8PHNfB@*V{YT*3jTKG;nL&cxD2j@ z?d+_K)r<|K%^hjjBskf*nc2AzL!_@M%gWHOiGph@b4z3Jm!z?wr7dEJsI3vWmtbY) zWMO7S+?&B|tr0Ce?94389IPzt%&dnC7q>DtbcEa5fG!v_+u^fH`X>5t^J8y9Y|z+I z-}Kw&EG1oGcEYTR4h9aQcGpc+&3UZA3J}jY8^ayU!BmH|V`XRNV&+72u!{rg8ky^x z!u74eQ|3oRQqgl$V!Cc`p>Ja#%%2GIu|kp7m&)sgt>pvBS~2 zzm0UXwY73IxBIct(ALHVkn4vB_2F<^mmeQ9v9&tdbe6C%xa-5C1N%|9AipgF{Ksw{kk#o2H!62!jWB>;T*#`;e2^+Bt%wtpELeV8!3& z`|%y1`Ph5^9TpquJD44c1A^aw&exwLL0niuLL3H0AciaGJ31P}5%>cb%Yu*(#FCFm z2iM_0p#5)<4p!LzJ@Gg~w`1a=WCkSN2<%$*h6MNpZ2fn5@e`5%XO0^y+m8fgN8TSh zZ>&hf{<{wx(5DE39i!+k6g0Lm5=LM>5HA~B0BAn|6o5y#n>y%XVP@k5U5ED?hmv@7 zBZfc~1k@dNi6KA*ardW^=%^1jH3p{@VTT;?+t}y_HS#NP9itRdcN`}avJGx*rSE9& zd<4)(xcEnKb@T=WTk}ICL82y-F+T$%ata4qC%B>U(I`OH@7m?(iIDJlG!Z-U9y!rB z8vHWRA$oqt>%&DJHvI!Y<^KEl%l%LB*VxtE@ta&64g+@xsW_AaaQ(YbAa0N{@dFh8 zF|hrq*nFe?H?cX=BLBIP#D>(B|E?sladIfX%jXp@ZLJI!hFIPOj$Q3IKGYkf7 zY=qpigC7K}95Z`>?SW9i$84J)b=?uP97o`zCVeY&Q-p3a1OQ?T3?UJOC1VbZNa3Rn zYjYzbgmv|Y#?+7I)(;YfP?ASBF@V>907-w{bb=ik{%kBrz9JcL44^pvz;r?a3zAR& zis=OVQ;q|BOC#s(&TkH~W(1sW;yNMSxkNThx{u9T4w_-_&N2xpF&FTeW>KLOB>K=4ocUH>DL zWJjU}62AW@Dfz4Cr2sc~)^|iiSH9WSM<&}bO#ja(DJPPI|A3_bZMHS*ukOk(YVofc z*Z-95_3bTx5Cb@FBq2fQxRu0uBnAH=2KUe0<3Mr~i5Y*@;O0aE5K;_~_sEIhAoLFbhBt5uf;H z;PMcS4}%&=EItOZh(OryVU5E(1YN#Iz7&k%<{;3H@L>OO0PMJuKC&QwfZiiG{twa7 z?8uZ1QV5XYVWevPt2+7@>lb;hkrVxWIvOdb$8_}f@bR~k4I&x96#9P`ciH}eD*`)G zS%3G@Mxx3w?tG8(%NaYm*upJ=Pa=g(|NNd1LPnr~ijX)uILDlo|0)0l+~V&^wBu1I z(EdFS@OOry{ssVM{V9gQ#&x8!jsY+$$B_m-&ZfV^_eMl8z@Ou(gWo;I?|k|>X?LVI z5iCMR_y0K_eGgsy%p;_W{vXC8P8POr)d1gvg8#Ez`qi)hMNb+!!JWTnAdfkuhF1Cx z4(5me(y^%RpNj2&h(7vm`Xlub*OA4DR3rbgKKgm0KhZ}ZSEi3hrX$~Hhe#qhAjtN| zStWL)!aQ0q$B{z)J!AfD#^2LD|6B$LdCZQ%sf{gIpPaDruMqlci_+n9EaoO)h>boX zFXspcB@UpF0+i0MfU=8k=~o*hF#i_^p2ZRI?n4y#rehHh@(&T{po^J;r%Z~pj$!jD53Q>-%<->=M?veSt??&-a-~nk>|85W?Vh~7s_)jt9 zxarGwq|5$8a0O9abExl*jwu_@Q3?#nu)m5c9Ech=gw+4pM1O)SKx2Y3Fl0^5?`ZH3 zlD|k29y|KT1MXm_e|Ubs*CiqAU<|)i8zJgr;HCz206f7TM5W!atILQ+M81p#k)UBR z(YH3Y0=q$s0rTry+Z}eYvm+`|%#5v^jS=a(UwVF=M_7eSM-YSPK1wnor$6jA2lZNr zqD4eM%dw>$b~?iKZ5&L%qL9-gO1_TX4@^~~AK!j_xPiW*rRiY^o#`i{vmv4$M`Zu$ z`ghVBnLF570ZntbEOQ&H!&);WRjh0gQ2lMchy@|J3$6}pr_8PGY~haJCC6=Mgr@ig z-$2&B2?(<2>AytjA5%>KGs)aPg^|A=Ut&i>Ch{=;kp+$PaF4?^f;|YLAW#3l1lPYN z(Z5Z4OdlSD>m#E6fYpC!qJc5T;Q2UQBVhSYsrH`&v_G+go#k%=+FvI68-ezZqEX+D z(*FnAZ<^x&1MOinAHc?;R+{~*?*dd9U1gOPW1OdJyMX53DfuJLJpFAPGUF649$or#D*Vx4+Bxm&@5Gsh2n6R>| z?#E@VC#>2~0 zepGZb-i=Rf-fG+2O`M*MeQcV78EE8eI-6MQGR{BuEQvJg0`xX&_6;h_p~7Kiy~d;g zW&gV^=nPSumP3niSM+*+yL%foLud=yhShZEB_W0w3b)e4r#IEMV}(6~I$FfHPl|e3 z_qbFS`AP9dstO6vQSk4vx!$9viZUDwQE|K&WjHw!lRlz_;!EzqK)-n!BdNqkC}M4n zYSf)7>a_J>cerdWXuzgb37TGoVok@pVk3Uw#%9iHLR6hgcf0Y#QF0ilqNcuFzTJqA zH7%A}1vg#04CZfy#heU5MTK3`MFT%6+GG#LhzYyO>a*aYip>jPE*>vvMhWN}$SHa| z;)$5tR?b)~!>3cEH(NGQq1@y-Aw!zkK*sAz%QKUmk(9ID>h;b{5$CT4`S?H*RioYw zb%dWQ^VqbJN#uH-y_lgXMMawr?OspG0xPC{UKRFAiD-qV%WZ8I&t|+a90l#f&5=jO z(GTWsi^%2OcxX4#i~`ns-KO>$k=<>uQ2c0(vnMgg^Mxve^h=r2XzM+!Z@F?YX}_x3amZc5|RW?Ft6=^5ad4DytDc@lcZYo8#VUQBQ&&Z?LG| z6SnM37Y%07e}c~E^;KC%QbDu9wakykPrlJ}d*ah4Jdvk0_EXB|E=ooy+hiZ?EqklJ z*_sT!!eaHBE#G|FJ1M)|w4>G>#jvwo_!kkgW5iF;#>UROV0eQ6qvwucZ>CUEMrLM znJW@+E)aEvaGB3^Tv7%S8gP$Z^s_5Q1~J_E<7?mhmz4~j#j{>Z;weM*Wz=|-rc$7K zed}$lLjh?F(d8TH^5{i$i^C;q!)0$Dd#Gt#yL(CY&K+Wg3#x_cP+oPcGmdDhF6g&y z8@DAi6bdU>XX5k>0P(LSauvx&i9#%2m!?1ZD3iiR#-LV=i-K4z_6f=e|JeLfG}m)k zAKBrOzX>B_7ZJkWxz=nj@Se6#HC;%~@iN0EXC{z8lOz?gdpQh*MNzH6o{x;45>0!4 z8IY`TTQk9eq~n;c%|547$_{%FTxQrg8BBRgC2oP-ancwJhkRV`Q9LuHsr(@E;e7&Wy(DM;4D0M7H&^>S*jlNcW}eMG5gRq~Z5 zF$Y|5pIA*`Hx*jMLyIKy7cJ->$dn|WV37-^QmV92d6}z-Mk}9!UUKm! zOU;PpIf*W}t(EjUsrolLsIOnC62V7HBJ-4SA?$o2v@rWTacXOID!*yD=|JE{j$F~r z@G^d4dSwNa7q}cG(h-(kkSy*DpJISLg&2y>o=|X{ctq&WUpIRn{ka(R)V+%ZB1EM+ z0BGM--hGhaQ%?tI%FIq2atk^wCc;tMW(d%6^>tpHZ=yO%brAXKzEGW@OHqbr$Yw54 zWPn+NWh!uAWP%;Dt~%oUJs2!T3Xd1?of})ZZ(uVv3*(Gta(A{#2|xYHLu2DTpj56_ zbun*Lr0LMg!Q096;4ofu8rB?wPlelz)jhnSVrN;$53SB{@Zgtsi?BM`6;cR?C({Dm zG8IzJY{*rQ8Xc6xWj)%EiPu-Ek1C@Tnv(ox=xcOQC;1JT3bK)+S@igoN3mCQ>Xd2T zaeO$X$baE#V}J4KuCnS3xF9=FDu%NoF=cM~s9eJMN|*Zm?lEa`IgwJX39-teDN(Gv z?-Sj2-Aay&i@W}~S@dA5c@D+(*;pF~j*Q*Y-x7DpiUj$n)%$v%%S<<@2?_ahFSf~y zJyUFVK7mi3i$75Q4B8uzDEok;#UGR4<cxl$?vE#yEo`8e4`w;xnOFoYctJ~{O8dR+kgCQqQoS^TC zPFdZJ6x>&k5*|52fnH-Z!WNTu-#eC3BV(zxf&{z|-(KE?YmSqTa6nVgTB8&dR+amk zlbA0R20Gk`<~HiAQuC!Q>bK;4t_lxjC(sh?(nayvolo0gF*zEpqR4YguYY)@5|Nvy zl#`Dh=Xuk6bIgVQ{Us%~LiMr>JUOT32`){uIB+}2u-0?4$FfUZ687;iN+519?umuo zQ7zFeVsmF-rO_9=!aH3mD>5W6xR_7Ax6XP>pNC@w4t+K6 zxk1!bCQg%g5vcX9vxFGW@`Y-mTEF1H;L|=Su6JP>@rh5dU>H!MW}ug1B--x~D-BU- za>iTu+70H&Q(|zUV;K%Oa4$rO_TVv{uM6~FI2A8?r#73h+^;Wz9n;Z;6@`}CZ{fVz zUI^ASi!?9F9r5MR6q=+xS}Im-+A-}4mNMIPV(G2{_7p9Da?S7uoR%l*2Gq?y>APcV zwtX=OAh+DBFcyYRzs|V(@+5-nc(+kaRH(GO^hKV@3vB;J3ZMU)Zrp|iLyumY>%$bq zKW#VoH8T#V+aRAadvouF<>Huih`RbO7%}P30+nGu-%tH4RZtHl;$((Z*|hp>bR94h z2D4>D5qR->Zzw}NlrTyZ=M6SKW7yR$igPY~W_ULFz>`SXlMbC~E)is9VeL_=)J1uT>^9YOob(^n@!( zO3P%3h4kks(asbPQU@zsvpn4rWG^Z+|1_TR-40Mm3fSTcjhTTTTL}a!ES{e1vR?`o z)7-=b)RQLj+BNh?vYhykfLwHy$xlLwvr9Vq+nuf__c714U z1TflshtAYF=c^QuBqb-_Ov9uo7jU5;fC`@>nsOwaGc6kj;oX>kbZh!ynA zr}w6bW^yj}Q~;JwLx+0X-6;)9F|wjH0LAwEF>*f*MK+9%Nm0NBm58_kToy{}@foxjU$G2x4 zh#&c4+~-T+NWIp%QJYRT;fRrR0@hJ(^s&fq^~?LNcZtEcw>CyhEebr9rF)ZLuSmAL zE@6dR?V!S#kzGmlWz=0AL!Mae6?CgPFd`} zr8o*ELOnsEA7U#uw?KK&;jU*{l+Lb92+Sr-E;Lq5uPn=iG^58q>ud8=l-Yk8kXYCw z7E5#eKIFyK(%vGi>X$8^&&=DkH40x;+v>%vJ=M&1OnGL-==OP95%VkS$+;K?wNj@= zRj2D^GkdO|?UH$&UZUIzIZdl-y%J!MZ88z^jL$m3&;WWHSc>_KbE}i>N~)CEmaZEg zHEuuq$hQz5OFo-xa0fHOS4uXs{x%J59dYbVq7f8CIyBt zCsf=8H+L6b6=0?;Nyk%PV`1mMrmVJHQsnIOX}u^UESSFGVy7Tg3mCj zD+uG<)6q1!UL8PQCB*|AhC94c3B#uf3&$c8T1JMwb~f@}Bw}l#6V)ZfTli@VB{bYS z7%$cLzwXuI@rV-dEC*I}Lh@4n-p*zL5s|O2Z&%!vRMDYSp$Ji0DdUVxTdn)L1qO6`ZH}OKS#08_E^VFLt-W=%n1clX{iyG+1(Wl;5K{+Bad>%p z`bnMwEcbimhkQkm4tOqen+yvjn+gujGH-vv_P$}G8AJ$`7#OrKnP_1}7 zZ&ztE#*3jHhRrs+c42zuR>ds2;4N*9NODE6uJlJ0`Xq>TvE5_CSDX;U$T$xt4Q4a# zC66&r3@kpYX*Z8Qcu)O9vv4RD`@I*OVhU--0c20Zv3a>|-xc1yWi#>!!+U=_=g|We z=T5LT%UJRru91|=9k1<~IA~Q(YrbNp1bvFh_U9QWJeEl-yHIZT9=EM7q0RhVLqRg5 zXRZ{|UDSmGD&kb<_}wc+htmFllee9_^tGOSd`_AOc$Xh6Ncp*gX_|Ms-$2CfTB^X~ z?sk6tJuWEjYM2(4O> zi3{N2N9Me@3Pg6rs2b%akDURL1-AUj`-u zJ4{aBT#Cp}4~%~6vXnKK;X_B5n#YXxVEAYk)1c<5pR5B^bDUI zhMQ-)-b;05N`&+7gJ+(kFz1Hp5wV0KysZQ&vS7N2TBsNqd_LQNnI5v+htU^vLxLF^ zFAZ?S;dxG&1ks8ZMg}enyu%y5wetS`WcKH_nTv*8<%kJVbjT9vCdi;-*kFRso123B z6D?@=N^TwQ(TeU-;0X$j5jJJT<}9e#S$LbQ@gOmE>nRKlusoy7AZX)L&p>G2b&@-# zUjFeHJt8bb3`T<*>}z5PDh7pfaK8${B%mOIyP#wpfYzG`*Fl5qsGk%}IJ2b0ymtn} z3ZYrJlCxszsGv2)s3(KSVPE>3XqDVAL0>C@F&_DsH&21UkSQG@bys?#1@M1q5fKP` zC75AVmaJm4FW@_mf|dDoB0`J|ag;=A$+yY_8BK4MiR?7MVzr$uvJ4Rm$VBB5ji|}9 zQdZ6nLA|61-um0=%dLbMeCjBPRJ1HCQ8xManhy3ogb9YO2Qfok?;}XSImV{0*nA%v zfCHP%W}9i~NfYz61DXz7?Lr5i3{oHrGL{yjUnV>Y`14ZYYBbA;wz` zuydCb{srJ>K^1%z5PNzgB!<$b3YJ|yrzdd*8ZV4e5S3Y**I4g;a0`VU_eKX|Jtu+U zrk#B7lo&y1O=treST?)}`|i8jsJ%D9SdDJ!dIT}9V7&89GHAcEXFuH)9sMY=TlZ9t zml(<>BIdw9C+p4x<~q1chzdmGtl+I(m(8WI)7&wIrxcr8!Om7!FsNG3V92Biu}t4i z>_#uYEJ}#+5fN!S-+o^!1PF%`5mpd6*r>R-`LBF{!i~6N!Y!mY6`TDL+GERl)ooGu zLAOGtlrQzGIUb|O5=xshRRcNAZ-DW7(X=^-C3#j6M4`) z4|R^hl8h+M%-2-diQh5-b2|IR+Eyuxv8Q>o-OO2T0H%mt=aR3Tw+6U1(=T}Xc@;SO zmtIJT0*mnO%AnOW0G5y>n-n`0;1U(<)xsa<*W^88e}f8}O^`MXZ>xw}`_h*~%5KCM zLBZ!2cV)jNn9>VtS@oUSXjRBy-D}$RGWZU3_sTuPXK8`u#2wjaiBW7$-GmNfSrSSO zTRRx4%j$s$03I(}CWb0Emq~X%(LTdnGS=olPC;dx-r%e!n7%&zx_@+Lab>-ugw^{w zUwt*@C>{o!{8A;yZ%`f`6jRX%weY)J@4ra3g`NB|mc%Dc&tdt3jOop0X})aAvyjrM z6^yLw$;?ki$7-B02yWF!dIsJZ@%$9+@6n$jEH0y0NP4=`)t80C>fxVra0Jt0)QrPYI0zngtKd`A?mymMX|cVQ z^qWRN3f@;)lHQa6?|rurXPvJjg>=-$LYrK!SDdXpz2?a$+uZbYEE%R9&2-Ows@v$C z+lG$3HE|`@Yq}Nwa4iRWI)GML*?YXggq_3UeIR{h0s8odrBC%>>M}nHO*rr7Vps{u zt-$f+g9wuIn$0;{TG^}}HR)5On~9HI*JhcZL`*&>eQ(`f*JX6H7$VbfFlx_!l{j&R zhujTkw!I7GqW#880#^`|?5}Y$m)&EK+)AUI?Dk2tKxrZg!KTKo{jJUUfo$4$p?ehFD$K!X z_4qfJ7x?q7n{M5zaa?7Kwbsqwe|~G&MjZ#^4zZ8k_{kdA{R;*iw|(=S@-swB@bl$b z7z6vOEYCelZG`N|EsH1g^`L8|T#8HyOZ9FDFb~ZM+FH3oLz`cqTzm#Y%(s-tjDj`aSvm_fy4z^udZKr;p1xXbx)S*W+XDaByRhndIW1J65;D_jq%mI5T6 zztQilu#ac6;kl757kcVpQ=6VQzi{&xnh#&Ew>wPsGXEZ}&F#SJ3pvXvI+5WN`(2#tXrMiB2J&%3);j( zfdv#v?cXc&T!gnp9-!1!FZlYkLo=ijJ4j(SiEccU%43Ahe2(q>T+|aqFH6sn`&uE~ zX(aaH2T>(9Qzd3LT;;Fh28ZpS6o#-i!`0wQ^>HwCVH-j>(pSGIXt0j@wSd; zZs&APOoTKSa|h$zU4Ygd()&!t@s2#~{~L0io2EOhqb5=*u;mkVgN` z+-2D@9nM^}tIEZSdMG&33A>brqfaVpyf?W}CGgvVbZC|L>SCaoUc>vjng!HB1oL;4 z%?IhF@u}(hy$MyV`2z?hX@%mr@Dys)%>j(foClU{|0A)|(S|vq8(G&+Ke;<4n002~ z^$TPwoB2sl5rAM9Q{tIAMZJW}_bL56@lkn;_}MX#V|{bMTr zd$g_f5|=qP7f7t|9KN7(F-g$Rs!60)nx7(Y#@cgGia zzMePOaBU+)z1$LSFk9ZgDfQs|t`OyrDbHY*bY>wRdRUU10FE<(3ZweTDbsMtrH0y9 z{HVLAD=nCmbgmZ44;AfXp7+FEiRKm+Fg7nEx%c8lHKsuCK5Kqlu5bG}5^9alMlGx` z|2hJRY(}zyItR;F9lm3jWp*7RjG9d>=+n3#c?oHH;zXkF1`a$FSHp0sJo{3)>>3&` zLGy>?0>zC`IP{4?&ssv=aGT=2mA;<1`MF{F1y;im$LXhWl6w(RqORw-t@uca^aAeZ zDK(UH0cEpi?_}e#Y}Djv<3c{ZFUT1M*kg0p;5;JB@)t$ z)BPARm!-M39G40{d>Vgze$7-ypT^^9E>iCKc@0<&A6lPeCNtu$VHxm)=ltwh9PeU@`BjD)}nL6 z6JrhME$;UOzfjv(@aY&#vtZqFTnP4XvB_KQ)vMLn(+*CW>r16}i2az)WJ;_g8o^Be z+&V`-r6VduR53@<8Ur`hxASY$Y0r2YuzUa|~%GDh_RN2#HF-)&B`S^wPdL;3i*o&gGxGhnqxpn#4K&!j6JiN%zfQXTlq!FtSkFH^2?_h+d{I(~eA4i#=DmF{u5@r0=G_|E0h zTXP`_)N{*CshRNAq<9Wfnks8;Vsh7K0$%a+7aPv(Cb@^ubDnE<5xa@iwJ=;61JxC< zpN8Ctp^vmqRLzv?iGZqGyt2*EHsBw1Gd##EXz?<8Q^VU>cmwB(USspZa)kbqurxw! zU3TjySnH=`E#OTW?y_s7B>h;y4v(k_)6+KiyW0k5w{o`(#?Mw9_)&NX*QNaY#&E;{)<#&&xujmOlF26f(+LzKk z{q)`|(`v~`ik9^%>o-9lO-Oxf7erFaX%We;$#ISH6Z~c(_3uXeMs)p8;ISBY6R8n( zzed&q5PS63I+)&P)Ho%dDj>eUyKN7W%~^8Env5`z8_3m}hejFV@>P-JQ3o?Wz)g4* z;6uJtJXuV;WCJCIK~P@A(QgtmaeJ=p$R~xWml?EF=S2FQlTG&W7_(GW@~0pp6BZ)T}JhF&MI5& z@H1ETJ3a@p$DI4vvb-4sbWu;FpCS9A3UkKSTXVzbpxs~MDK_+%dy7`qam3cX>e1sU zjyeio>5pK}4oKoI8Bc>pcjpeIUD9;1c!(PA{n$;b{pHK`Vt)yybAeEpZ|0@RHBUEX zDmLF-%bwy~^~_W5_#aLhJ!KW@eVsn_a$}j=5R*YDfrU*0gUs~cw?ydM^ZeEo`Av2m z7i7qZZ|jU}L_STgzdnBAmeIkNCxHX`Dhw)uAlXaGY7lT1B#t-j z)@EhNVQ?{FIS||@BqU6e*#Tj|&IqvJ3m(&NODQ~V!v;b+=_FKY*=`khv`|mhUbUzGz z?Y1TP@PeUbW0x9f5$_k}tChS}g`xDEA2K(oyjh%s>NB@C`L9;p{2Fkwo1a)vSfo&s zSIuj9*!(qLn-%Gp%GWD3pOUo(%&9L-v-BsZro1=InOZMUBNc>0@`u+Ydf&P!mU{|( z`MfUql#SSaZbR15d<=51zeB*aysg_liTi2zB&$J3TemFc%eiP)*!emFp>^JHyVYF{ zjsi85`pAPYrbSiYM}H;xJfhSwvC_id{cskyujDdy@IBcxc!owbI1A%yB~ibbpL)5G z|8UZr&e1G3Ns@pf-8&A2{$?CWBs`|)N%am@SOV|ab85Cw6j74EJ}n1ihewseXRaH|E)17YA_@*T z%m;6R^foA5DMCfl6y5mr2GiTy8<(7i5Cq9powhxmhyz*kW8xt125IV25Q)HmJ%7O2 zdY4AHo-fS1$?iQWD2fOHDLNt`0m?&^Q%xW=w$;m-J{Bstxv`--jzP?z+E#Ab*AFT- zaL;k!f+UB6?TD4X0&OfgEhATvluHnKUG|+BsS?zX`pt925?}V7X3oEP7&uB3vlEJ% zt5AFCtBY;Xq}e-fL1y0S;u2?uflus~pUn#O9xHn-n||eCkdRNx@w*e=es(%Z(BnD= zhr{L>YRON zmf1-0)w&Jr>y*w5liO)yDv=ZyY~I$)a~mbWt(mk~_?5fT3&P8;I=YqNNuGHj5|J5r ze}g>Jhy27mX>w6zhG=h^uz#u9zy%Dl-JPK#t!O?sILNk97O0h|Dky<6oR1^rlEU~! ztO5c8D{E^?!-1GEkW+Z_y3FuZTwzJcm2A1>{5pr#N%1WCR0>e8qeK!Hgm*4ziyI}7 zrecxFJB3OZ)wt4abu#e7#hthd;!tDX>-XuR{fad!Emp@Ti{XQh9Jr==%wG={o<~Hc zGUMR|^N3KL9v3*=->`OlP!8T|J0}-mH;5Y$pWu4XQ3qX<4L!X=P z_&OhM+1)?&DDbV~^`Rs}7aKmn2_KJU^QjZ0l0MpK#TfIsW#&t8Mv1#i-+ojURR?dQPeGQ{Zh)LfG-3=TktGKvmU+-G$H}Vq2Tdicb&{@vj(&G_P zUcYUZ`uzfRez61B{LkI(<*%rNmu|G_5O>QY!`x0>JP{@~M6MA3U#VTdS;nAXZ;gPjX$YAOW>1yXfi>D zUi6_#WGCg5VxB}h;bVP@q89$3n*%|C*S;uTaI_k|OlK^HQ-bv>@gxfx<*obI)&pn0 zUKt*!)iC9A`>agWsUwg#C|`cLnU9GNa$D8WL}&V3*EL8}qIH@gS!BHiyhhw}%cr+1 z_9E@6-(-kT;b&hlK0Kw*rh=wK6}Ivz;xR3ALDAce$u4)=2#U7JS|t{*7ENV_WX$z* z)v9kAn)pj`blz~Z4Xn8+;}@jOb62j2wPas4eQ_nG5loBe= zex^WMrHHpmd0mZ3H#{>qBLBs`@W9~BhjNL$JZdBk_Dl~d)ms$BKAh}!g-mpg2&l$Y z7QTVvC2}j#Hwv%W?!iQ^a)54Z)=Tm+Q=VV3Q0PMd^UdGDZDIlU?jWX?T#pfT5k&F34W8d z-$t2-t37wuK#pZcn<6z;Fy<=W!thD0&1CG90g6xOGOw+&ne}JMuJn=Xl-!ERAmw(V zX7ftoZ@X^TSlnCmfq|Pu{<&#)aOU_@tB?NFtGv$1V(5(jf?RA;KUHuJt~>=lSwZ7A zz3ctPu@lrgIV1grI^`3otV==W#0^@UergU^Jj=Jw;ePypbC9>+{H8jdj7Qp-Jn|&_ ziMr|!zQIj`3QyU?AKI^9G8-Plr0Kzk7AO*}?0MO;+S6%O>~eD$#q;rkWmp2&iO2)j zuuHEJ4Hjn8UKnA(`F61{w7O)Y+N11dx6hPP_Hi)0A$|T}?QKG`Lrm3kR9G;5iOM+^AOdWZ^N)K*(L2qPldkkyF%+u=~EgozFy_4tl-rm)wvu zKE3?99_>yn{hd6+9D|*Xl4u?&gZp{v5*jY5HhL#T9#`SL$#Bl(&An0Z=qqe_xVL`q zYHU*Jhj0oGV6=Y~o2k1HM$D*6$a(H%GYDgW%v+2td?A>YzBw6pSJY*!39`#s^M3rH z88jXPPFld8=5g*Lk0-UO&DF~M;2Xvaffds{rMi>9JuTfyd`^1RSlBK#zU0oHLC|M5 z;{5#7(;d(=4B?u14<;ie3ErND8{xRkk6(^mqJJX1?MZC6HL2egzSCG&s##`X5ge0Z z^kQ@@Ub$4cc<^4{7)HAHV{~!vp zI8Y_BIKQ@Fmdg0UeR{zd3P~~P7gLgv(LCk`R#ditcxpiW8E zv`_|kkpoqhS|49OLc1p^-!d#&J+-~oRA%{x`K7tC*4V3h3q!~GR}}5niCdqAl-q5* z)Oe-=)1q14wOFN>(c!>o8u#`gsnnvn>FhHabn8<$=dSyjnlYIHe4z3Cj{ei^_G?ir zD5G3o6yH2gkQ$41r|Bk9W95srVcC#ngfSnC+{b^Q2Y^tCerMHs+D=#WI(=Ms_{`!am0S1A{IP7O?sUa9=iD3R z!nvnuW0UNLDz4TRbl{VPmXH)ZS>!HJ!IdpkU%u>ezvMvZ?PISqdsp$Ax69{No5B`Y z;h*U|V|SD=C;$|<5mb9CT(`s7y1joy~58H6Eb&ci_64ngBrB z$6y56H!uuYHgw`CsaYIs;18o8~kY3TF7I-wVh1f=IG%ElW#^#xPQop;^ql-QezwI zIPESCmi!PwV0Pf{taDn7x+sZ1{VYLgY;J#VXMU`n`}0gsFsR9x0;XF$pWCB5DvO|w z(vII_H)+$hKMe(xv!Z5OEWE8{N0cjr`nn6=`@1}L6A(~Q%CyKj$WFcy7(m{3n+*QO zoTHMan)5I}7e|m6GN%@F3Cbf1>dwcjL4m(ys(_b5zVc-ZbWqjT4$8$@ZQk;{EYYLX z)z#(k-shX`O)h}Ym=9*TZmm$GqM<2*qP_}?SJz+lrSM;s2qR4ovIq5DZyVfBOGc0@ zM!iTE#Y9I(&;3;N%~6%X4x~Fs+9Vh7todLHO2F+vwKaw|D1UGFK|x!YetH_0f=`{Q zlPpwvlnCPjNL_P*+OMx4KP?-HKL^9O;Imc#T4 zX--C<C(XS}B9AycTIy?Ms6BgB37znGY3`#WG^^w!ca7M))~H z>7WjK5)_5czbZI`Fx^kn%29!`Y#z7IzhT)MJdKw3qnr4O;O9QM6oEKO^$nrmBw_y( z`U4r_-R*5nwqtd~Pw&xo?ryJ@A?jE-XS!orQ}{iIru)xMO--Q*3JN;uxJJDI#cg5d zud3GG^Yrp!b)rA*j;6ThhA3oyH4CZ$^5s9ugX;eK?UxlZ#GsEXUgfuY_iW~970E0V zg2GqI8}dm`WaV^(;m`m~m?Oq3P}qFtimoz?s5HTp%lrwD3FgzRFiXGHXxu~cakNsp zy}h*mQ{~MT)VFm`IM#2f#EZ3SS?njp*01^zdH0G~Dk|R+0M(^34>+X8?%4}nR?1ek z7YaX%G1CjegN(3&8lUN*3?HON!T@sR3X;uDc(TE2CAyb|;<>LF-8tp*Qno6peyUI^ zm0uPl#pM(2$x7%5pChug<;`#pFs2ldEKhuR_fCe7Ingz&X3S>v7h%^x=CQu+Sn`%gwK1W|lB7_Gi<5xqiKDTYR zbi<`yS2|c6<%|k2^2KQ->S&;^g?;-OVUdvEDqHtvNPwV$VuuPao|&J25T@A7480~3 zp<{GE@vyK0;j`GVU)m$axKQHrvG`7dGyEZ9Ksp#;!(%>ZtVneS+699t5-Bi)%pA(5 z0wQZaE9HLqaLeFPPzV4r`Luq1Qci~(5kmog*%2U0OAJ%8;tt=BcoiL?Flf6#7q5(% z=jhRYZ#r!X_-@r!L-<5|R$V9^OV(HNI6Xb)3o&n;G94xawzY%UEMK_CMmsHEV9*@O z3zZT3txmtBFS^H@6dUG*;}{+w1`lB;R(F9zGsxf(DDzko9<4l*Xj|u-1vT%sVva7? z^h%W#wnM?p-JQ0NlDfb#iYt~lm zc#@SM^Q5b83c^^r<%JD7jZ!+Eh{9rS$O!pJu=AN*$N|!%uB}GgOb1~_(Z-l4di5O3 zXB78DDItUa%@ZXJ!zZ=kU~^#9aJ)09+Ieeb{=;*d>#X!F#_iPVp0G%im2*BqqL1%D zcu`2PCeVEnN0;BBl@bfNd>Yqoio_e{M~mtdu^)O*DMCAp^G3@^F?g|sK*$o3hu4H- zd){PVDF(e6<*2n<&>D5kwAUOMB;TYW6D}ORQ&a zy+r*3EY9Mp57Bby^e+{FD$+^4Px_)*(ik^yzZVf8?S;_gwvhT35c)LXI=S{eINN6R zl8P472RhnHoqB??l99IpQ|RKSbdWC+hDcXfzQc?nYZid$p_!qkF@j^&_<|zk7G`X9rx>{#~D?Z;I29-44_*t0m=_VjuQrHt(5RJ;>l@>u=4?CACA9B_AXSj-p zD?YzQg?aW^V@`1RsGYdU7QxqOqM`4>JH0~PyvU43rM;?e?AaXi^47R|{Qzzeev5zL z6^daLqyBwag|CDV>cAmd0Tzv|je{nIY+u_hONh)6#r3affvV>oe;H* zY2F!rbIt*3+6Jd<1*dkT7^tMtAiH5?dh}1U78`m;O~v#~1M&RXiZzObKYYn?-h;^& zl*VSg8V3?lYQ${sD-}naI==Q+C3#a3M=2F z5{T7{xB81HMg+zU74D?ea~B}D+}3a&G>gQYdNV97`e~EDg0kOQJoMz)HTU#~!NtD` zkPlll(e|Ir`V#!y9^!bh^t_>Y0Y4Qs*T*wBiyzX&T`--d(Bfjr1$MvOka1Xy!L|ji zWow;Cx+m;~pNK-XZZTmQpE>#lAbFo<&dpdnXQ|Q=;J}*QA%1nkHM!zS^X9UVVO6{35#x2 z@b2Zd_pJy&O+A@5ubZD$8&9fbsA0CAp6Ij67jSV3O}wOMV*%AHbI-?i0bNX!+$OL( zf9AcuPP#&4(zXI^;q36uSXHjNhczVTl@n**Yf@+RS3Y$mBH@20VH;+zs=}zr8Xot$AY~tYHfQ!tPm-AaqBaCb6?VTa_C=X_DKlxARGS3_GvDRI-}=Ku~yxU zi`quX66$PmH9!r}WDE12j77!wBd@b3ees0bP$Zlp)1YFSMfZK~2~1q{Do>9pF5E`r zHN3)uThc38;?c3^dn&s~>FWy2+V#s`-8Bq*qaTLT5{t5m*l<;$=o4Cu;8y5 z$D_>i=i+$%FTQd~6qmtI_fy4LN_&I>-->-+Ez|L$bVW7^r9J@KQ}iNMZ^9~cg;T^o z0ey7oWQRyUXO>ow>-ljx?3)#D32)RahNu#uVp2MX)u+D-Va7k9vGzQ6Rlre-2&EsT zS#s3L(`PkZS&pxXWQzOpB#@ zpX*r1owB`IOJdHcpT;v6W_d9qN;IBkqTj;&ty8Yc5Ed+~HvK9`p;L{pgBJyAa}%an zv3y6%0Q~Gb%^a1O_Rs83IG;Cr)HxItY23;tvyus=L(9IX1DLMKo1+UH1?BCB_Mjq` zYI;TgIVM^WQ-y-MKl!b6_TIoKp?)leOTm}Chi1+(j#sUVa6@#kJueR9ES@wYJ=cnf zr6VNCaqWFEVO@inBK2!KQz)fS1(v-Qth(ZKd`)GXPls#b=Lb8vL_VN^n^4s(F#W3k zl#vV`B}Ky(7a_8eDbf1`7lvl!*hO%Q&^*&hnd(HhNMzN}T^#H&aXO{BQ&{`suMUUR zo4rebySai7w#;DlnHs}2_=Upw-W`Uh^Nj|(5daRV8FBPeJ5Tl(nKL?Y(wS(JG5O%i zZB*-@AAC}+jiX@dd3Nl{Tc)mk2M^d-9s1|ep}HB<0IjzRwDV7MUY3_NZ zJ5!Y5(n4%7h$>$#wA07|KK}BCBCwv;HvX)RFLw2zP?`K4!nEk!={JqHn!SSr~;gHD& zN=%qwAGY3sZ&wm0JEDN@?ZRi^8l;Uc(kR6~d+q3B+WlB--*cBXpSU3CQB04%tB<|E z;>!-ksMDN#+It^z`S=p{~_xwfZ__4u+d$dV8Pv;;K41p zyK8{p5@ZQ(OK^85NFW6F;FjR7!JS0{1P=~*hunMr_x^gRQ>kKW&P-3AnV#OKj=&8!cM}Idwuxuk75li`!xAk8qJ3e_9%})Uk!304Ek0QlNN;|x( zoTopRs8PF$(HL#28`~9^oKJc_4bCw@QaIl%F$vh`zYD?5{)#OkfcV}Bg%VdDJ` z{BmwD$-VN|_leVc*KL~ly<4sim)e%26_iE<-`s5{CKBaxyhIwVIT1m@viCGj?aj>( zGgb{%>qt*pvISn5TN+`{*<7k(MEwxnzB#JBegJHx)rg6iBMe1AB`zn?E{^*YwcO-n zG1|aot69iQ!sifi@W%_pak|x~q)f?=A%{uP*ShKuOl<=|=BPm|6`d9OHE?PaZ@!1= zkk;OAFtq;-m_!yVlX*Up-Fo#$!`th0q(P(Jqr^b%4c1v#EpTep?X)0?idyQ^$6)~2 zI2%mg8ufe__VD3e*6Nd?*eq6VXH|Fbp&O8w=Bkl1Iug1|{usK^T5SsNyuLM*JOJPd z+k46?4`&Lz-y>4w?Y+*WCTUFT5aN@``anGCKqd9~arnX}ut2`5VF7?SIjy$_QTq#r zfvWQYMZ)LSbhsQxc~Yvir6g2s^OP(Og)V>joW4E;U{J>oKJXWMkO|q@XdtZRbu_Fe zCi!+MnY#3soXhq4%7jieNnZksP4Lsbd%qr9*N>CyK)Gm4wvCxsQaq?iIlsj?3=g?C z^?z6ZL9ah2UGks!c>9$pgSG86&Ce?Op7Dk3xm^*OJ4&CIp-vg1c9@M7i|D-(K|knU z6y}+l_QsKuhF_ES4+a&!d}XbyU2cRCZOzeN{7AYEPVE1gonPf?GHchXzm%_8t4?oa zzWK;X9p2UD{hOgIwIr^-X&hQ3qogWL_0^o7Lpg&S>OHet2;{y?jFShdr8|Jo&qPYE zQ%akH!rVV|JdcZdA?f1(1|+)tJ${dVuu9SO*MstGdte}6BRR2296RNKhBmEgy>d;z z$=NV=?Nj#l?3eHe!V`Gb9A50MwbmdBTE=&mlWPl)W7h5d7f6WFX&(bO$a;NFM1j!! zTrt{k{d1ja@OPPd*glr~;~wwuj!aW$Pa=zo5c>Wa$sz=%?a;73={lTLA28sGH}VM+ zxw9*bPJ!4HGlpyy-gUcQiep_vcYgc9An1Qk#Q>@PXLKT$Thbdoz`tY7lTl3R6Yqk) zBp_b9J`GwWnk^^4%5BGSq+YG@LDl8Ri%-qQgw9a|cnbFpVP2_S*2SsXaOWcG@atQT zzw9@+9zEkdE4{>jXcBNGFw#d2qHY20y`OJn(rsnpwwj6$KxxIM{tBra9{%n2cz`j> zVuCinLEZzP%QP6&46HWg)2YeB{t#CYOisE=)%ZO@MqlKFrY`H1t^ajyA| z*l(VY_t%P%Ul6=PIZ2CEXE*hZ$q|6-8^-I=i`F%t?bcZEx1SeIsP|YjbX=|>N1I37 zaS-v};<@{891B7k49q(&g-j8sUchgraU_(6K@K3hc4YW$YbC>Q8og!FLMyWun+^1wUKlAPZA%?6(`L11W zRWWp`(;-m1@~1l006Bp%-91sNI|&8sIi=(u9-}k&=}srw{Ia(N*uDhE9GCH}>1edb z`p^D(AtY6+{1ngie$x<9s-SY9>=puKY0f-@mqa$r7s5`Dy?#Q>0%{=>!1C zAnXRUSqo>O(_EO(?;F@nZwzr&*txPA$= zL?cyJz#|elTQW#%4gI#l(CEqMj!5CrZ;Yk ze5%`2Ew8}u=Q$DQ=dQBq0oZ945zCfzy1_Hq}p5lFDU`c=Etcd zt<&U`jC#lVySgs7dj^*D!B7CPhvH%Kvs54DF+6sll2i}>a`Ncy-pEJW+0UXB4<1+m znnSu)o1Bvh4&1%R+D%WosPWZa35@w3L9dZ`Fo7`y{O9YivXm$Ke zJ0>>#)3sJd5CGq1etnkb`uCW8wp^RYrs}D5t{59KSD_CDva#mCt-+v3Ld9k?ecBAi(xgHz-5z6>z)ce12T3*yykoXZJx;Z(Sc#k z6D!gW2&nk5hV!zDr}1+DbUEBQTRR}m<46MghH~g;=cq6roX6bB`4R%a?!q#o=cu;_ z76I2EPEaEuvDfzwW{3VuP`f1*h5jD`(XJqqf>Wv`TR->VR=TBPw>tAH)!wM54VRPb z%N7sEX>1#{$9z!K&Y#11`7{w`q&Sk23a+-!`xEhHzsz%s`^5LU+tzm;N8v|#)>8Ez zW9mYlnJ>XpX=!AwSqJ=;@jkKM=Yk)pZGKnr0?EZek>MW#*&&f137X#SFMSUE1?<&d zR+aw9KRSkQEAaNU@W~pCWJ}8#{I$!jC$oc*X2AE$1+)fi(Bp533XnPTGjLHf#emPbQqU()kdR%Evo^ z2Ihg>BK*3CBb}p+!@8e|$L^;_=C3}J9rkket;d*Qp`S+e=pu3WuL#7(uTYWhRK%Yo z`&@s0MSDSog2xK*Bs>gArMybPkQ-m^uNbnJbt~9|Vw+dV(ZX(cN`qd1jic>E+LM?_ z#nbOf-eV49ov(f?+c7MoZKSlP(xdj~33@j35xP8WBBM{TxlF$9=PS1G2Y+sFdLfDa zvR17A8Vq%wRm3ZX|tuu^)2bY+Cj6C z128cH_m8N5P78j1)d{C)_I@mT(OCM75!nLC@uvIEzNULji~i|f!%;JZDr#1@ z8y;?kkeL4qn0H(W0Q0Ckau!N-zmg35y+tbg8mlYZ0@%cm$U?Z>*2L7(A`sKS_3DI#dhplIj8Px@l#Ugvqwigk-Qbno>}VVyrGAl< zJ}(Pa{Gd1{eVIuC^iHx$cUh?e^>u`sWjE{2$Ik|Nx>>s9K4lyR{aYdrkDV{jcL+r- zhyh5P{$p+}O2dP8sRm^S@@+Kz0LFY?rAZv1VnUeTH%m;+`N>Fh|zyJ6ob9MUGj z-*!GR85Gl89W8wPg)7T+jc1}#o;EIXB;cz4wZPrs{=n*@#(kS*r8NNGSJfEP*OoGY2a6jJjd* zuglD~@k%vI@?l)T11xVGSNq*-fg~mCavh%C%xm(gHml(bW_=OgNFh?Wc;t6%4ha|A zEtFFYvaj(6l0{@7*&cdlEBVvjird-S>me=-YjkwKs;+UBo5jdT=gL!vRufv5~4I59eR|uBT-h1i{ z5V!+}zJ$=pMd^Pe6y}jikJ#R!XHJ&Rn`u{#$M9-!05*PJ{rG>04%N;MQ3?uG3dsf@ z=LwEI+h6(NtJ-s=zN*clZ{#RkiSm6_>wT{QNL0rjNBi2p9k{Cp2&OY8?0WMR)gg~x ztZ{7^P!vwEN}z{fKN;Y}V&ICQ9_*0<+#TKK3N6o!FP`_nRzmK@u0{vJAlIJ{SjS|| z6V>IOlLZ!nTxcJ#&7DzlswuX&22LpAz8*&BmrsCOfg2kUKtubxJPP5N5fDYvsHht zG&rQu?KPaB2Z6Se&GRAHqw3OEs~Qv(fXEFLQisw1e;HRlTx=A9{I$v?rTT+=oT2tz;TvT9;I943*~-ip_pzZKH2t zcpE*m5WTFwWp<(?gRP#4c6=8?qO}&-FLWI@X%v^cNU!e5hQhgED=T1ia5v(;TIPxd zo{KP|5IE!5qazJ78ZNg0WXc00rWiMl7XOQ?O$m)h610Ad=tbfkYa{1x*5c1yT)ZHyP!T=ne;LVsDT*Y7R4-;7@5HW2T}PsBZrZE_$y&XZQ0=G zI8x=aK(c^9WE31V{2$>*X>ImH)LA*8C$uF6Kvs*U{P~4pZ(x(((gJS0iO-f^2WSpB zfR7>|2YNsC5(0^hKf0+iw0 z|9vQf>~l9SNcr*#r~A#4k0H7lJd~1b8h+l+k{LPxYHe0cFJfePrq2jNy|NtK9O_@; z7F$I6G^*cc!0SF1?wXPo9-NUg?xU{IH;YhPGA`DMe zWAnQA=TzA&Ww+YWPvgUo>e;2Ny`f!G(9KH_8)rP|;YI$3=1PNVP9kxI-l}3QgC6FHn1I@?J@%>SI&z+i!A>1dXi-~OIVHhO_{DXil1xy;Q zZs}*i?7eMyYyg-s_)0t-f5JElKA!@L4~ zYl-xoD(NMcZz>FgY3n@hCoj*{1cwhgs=IjU1}{)0p+F3J=m{4yw~#iWKU})k^bd=1MrergY)~s1BqyRJ10Xu z4CtGH`7L-4tEl4-L(C* z^=ncSpapnli|9f3B7vQ<#XFU;@!4+M=?sGxw(Wwipl1Z|E(=53Fq?y(av$X)?7F%~_nUN|t95rL-0X&5Vg5nKna$z{IU)BxEFmjT>LEaPjD zhw02vqvp)x{5ES0S8G$6>Bco@3MQf{atmxbxq~P;?B_&3QlAJaq(t^~?GsT$G)t$d-&D~Dk1!vN?%ZbsnqSN)fr*8> zU4?aAk@SpR7}tUxzv>@$$rcPwHmRIkQX;xniUx0ahT~~;{{)Vp*P6?U09d-q!Bv77 zG=OI_!z8GEsftdIg0U$Y*TYuA(h%|32NL>Y40VNMyxtv_fvT5*{Y%RBxv?5P;8iaW z$u{`NUn~Lxr%fewVJU6d-D$?+m#ys!PCeY z_YuCs#9CDEWz_-H1u4P>!r-m4@F$*F3?DC_ROg0_FBZA%Au;O(FHWJNKQJeH%ny)q zm6i1pX%&6gzUts&GFr?pB=rqF<_!vwZtuIblNsc?W1a%uE*%}14 z`*THYjD9z~L3kCQ=3?;?cnzRR06Ja_yyjKM<#uIUBY{;)^P;&NPFZ!xaoL(F6U=!= zZ}E$$UW$-q)miz^%hVsn??pZ&yzGPJT{M8U?==95hF32Ho~d?7L->VZoC_I2At7Wy z^O^W&WSCfPJVs*l#nxtGWh|g$umA#(&37}bf!I1#W`MkS;Be2l-;kKsf#6aZsPL&o(ls{BJqUwhkl9YQNn{>qR0j8V-Ds zGDkIlKf#gcjf2RFFJI>0pJ|>mM=Cjy2g=xs!U6;G8$26KbL%nmXVc6Db>iEn0!*`~ zHnc6tso7%S%fvI>!|HjBO_&@_xQHe&^BM-~j$+z~d%=mhhXTswpnZnLh& zVwe*{Q)pTlF3UVk$^+nTa#>bpu*j4cp@?tToN7nROk@5!d9cgI2~7P*%bp;1kh4`r`9ryO8%zqufC+4ifPY(vEeOi@qR#ijRnY8tYYk=KklnnwGA!S!n=Esj|uPBlw zMo8HL$&4&O)x7f7;;pq^Iclp(QYiE&ubE5n{*jJ^dA}xwrOZPnPe)Xv{P6}0MFo!B z_*veGI3Znnk!}n(1!~5*Jni94NkL=4@GJY){%h_pG7uFBeUqCfe zFJPQ`_*m!L`gX*>K1+P$9ju+3& z_ge)1!Tqwx*!p*$p%AG-{P%QR#m3_z=3Z2S+(;cZWPyD(9w9CyOD4{aL11sLztlly z&@#}rlD6n&$XECcOidHdR;Cu!IQ!F|5~RZSidDnJ0JFxc8wQ)O@jh+-;GB}hC68LiDG3!J(isLNBnDkaR_U)8A}eHl-i-v{{PZ-;kI3kC@eK`= zLhhRNot!4CPZj<38F zzsCJz6DUZ~_}$Nxbrhzmq^}_rh$>hK_WS&pm?1L|Sp0kOGvIyOXQ4uF5PQVskf;^; z%t;y6!vL2E)}t9^fuFAvbWCaD+bTwcq6%zpFolpAI-^{Cn3#l!D}g8>AB2BJvf2?- zM@%AGVGS01xeP)Q`~b!-n+ER}NX*fo4Q|@?%66MkW>{OL%*m}L_1sTKNy>ljQ}oos z7C}J^$w>pThjL@2C0Hz~jezW1`%#WVh*mqk0t|ld4MmB(M75%W@AO8p`<`$hm#qjy zSJ52s{gQ_-O)&+qa`?xi>0$d8yY8}swS20N*A2tioGpAPBD0~o!mSr5d9nb5QB<(kt-M$t`wE6vH0t*gke6nB;a02WZN!z2tOd+T#y>4J}7CDWiLMB zMJ}1+x|iXKCdj6OV2323^uNy5i({(P@kC#Y$V5HjZ;(=UEyQA}-8a#A^00IhksT)` z{s*ec`#cKt39W<3;4tA)?AX)Z1tRVT-`K@8T5^vVvq%DB?c1W1&=v}liW4aMDS*T|4L@>s+3Q`a!UAxL2+&ky-ivzCHhh0 z^$l_UsPDNvTI(dSz}SWD0zU=a;E6HtG84$6pbA}Rw~9M=qz7tk;qr|YI8>qeyim`D zv`Jw$#ay^F#J?vh*N)7BTM7M6yGt)iXD<}y&g)4+KTY8>HLp1NDcZKp^~U83Zwi+7 zM+{F}*KEF~s*A}s$)#h4jyEfnJLSIxwrt{UCXaYOq+z)|t>qA7)YI}QcSBBK zJ19JajKa8#5RTr{#=la6d`98r%P$dd1^?WiB^S@ZO{pN{zr+_83!ILnIH-utDya!Q zuf>a`^Wb8*+87d@c9Ua$$WNpu`wKF{+*dumHK)pixlGEhkiVImda+|s1DL9i zSE4p)0sRS96pY&yGV?d6EGxq*pHRFJ$lxfOA}@@o2@JcQ*4Mnn<#hbaAC@t|T=_II zQ4u`&H%e$aMYbSBJ26`KBx_lvv;4Mm>` zj;2HLBw_V$OV4sMD(bNlAME#TwwnN5oAX-s?ds5Y)Ad@WxA=(>gjS*P$4f3IRs(q| zdN@2mrx=VtLczM8+8ixe1w7|_c)C?LyPRyWn!IXmvz^Zuj0f@SE_Q_9e2kK%ehI3MZxb3b-?sjx>9%yHx-}IT-YuHOJWEhOQH)zk=!gp`Pp+>Q zg{bCKSmH_0<&ynEMnf%I%hNPi zZl%|^z--Q@2Q^SVaRtZWxsr3YVd&mp=pcSmfs2!BcT{cEBb#OCw{$-=+70UNYeT^F z6Y}Ryy%x#F*iUtP=^;n@@=zK^e2eZpnYbf3mNRETwD3@bhg2vmf3WE2;Cpkrzbn3A zRk)TSspVg0K?H5-u=9uJk6{OQ%YcsqhT^!Rpru9}jS6lNGB^~)Sq`(5n*%OFFrnftD|7&u>LCuTJs-PDz zj0&q;t_y+xBm;>pnwWlrtw@7OztSfO$BdoN_^iQd8oAD$h{42Ebk^%MD4mL8Zb%4* zzMqu1E{noGuV~aE9fu%4j%p%#FFjqu+iP*lDZR(RGmN@Ag>z*~ox%s!Jq3l&m0pH) zrMe8(f~w-0~hGO~Soj`wDr~$*puEO4!Z`A)dw)Um;e>NsI&D)@dP) zNx}mP=axwXrkAGU)hw81Uju%$Txu+_znbaIrezEnc_a8yYJ5A%ZIDh)4)f=Sxnx>? zfMHspfgnD~tH28;>GL3SGx3@kvQm@U6-Ab5`K1VU>|S`--m3(69&41=ef|N$0VXNR zswhbc=Ae(%=bK7FFwfNf#HcfZT#}Q=D}#lt;3fZqk^a&xvv-*$xh@CBCWDi{lht$g zg4rOKZK$8y;BRsDkEB8gSVei!g#OoPdek>ci5IQX2?FWGBfTfB+1`pYa?&9eqpSu~ zsh4DodY7F?T{$ZB{>iEK=k;{rZ;Ar3Us^-ViW}ra6lsWLdLs!3zO7lXD^2WFup1bp zPPdpM5lcGC3gPAh``@4^7D(LwI_8PTa4qTT9zC5n-1D=Mj=%(2;mm#$MRwcBxc;M; zd|VRlNnSh+X{1bi5idRzK^}_GPA#6ejl>&>Cy2w6i0}i|=`udOh#Wjrn=pwG?TIir zA?#Ek14rkQ4U&l?rTxAx9aoW+z_vxNkxc)HGB|Cnz?5oL%le-duXCRZjXtWt2E~Z$ z^yCQn@A{R1Hl80UbyRg&v$;Vau3(+C&Q(qV{DZ!HcOJ^17)RX{#f8hmkiFw8RHF3f z8XC_S6KRFRhlvI2x{%ONZ)m}Sf1^h}K2AX#U!xMmKNsP9E@D(S(r;2X!WGShGU(J) z=T`0r@Fe}~y2}X)(AxJUQ|Y)PN7e!s1%XaNMxM5yxb%G+lJ{_@Y<3ACRNz_BdNy7g zSA>bQ<}3yVR<4C=fJKOr++YK7aAFNG?V1V8Q{_L`Wv&{CE!YLWU*!DhShmRv6_qGV z-0o3?sfQ;5gBpy3g7REZ#uTM=TuwNxjm{9}|C9o#W(9q+l4}EtM$UsTjeZ+aLLPmF zB9JaKf@Ak=DRHQRe5IhdWc&izcVkmIjE}9Zw;dg@gD-~*r`snb)BAygSt^((9ZfsQ zVSGJN-9y=hx+t+VlczeWEF+D*Lka`em*0{ZRjmX5t`6#DdzJ;3XpGILf3-1!E&j;Y z36)<=6zov+edKW#oDvr6Ao;$R1VX*Z?OyKDBeL#%@SYOT_9^&uBK&KIyzAFh4)vZA zJtRvf=CaNx$mn;tiUw!hpx~y!RVnJOSdatw#HaDYNJHu`R!GsN4#@Ge3i)|>m}$e& zKxm9~`0X#ID@`<#^@3>_S5JMf&7#Oon!k9mAs_iua_uB$4Bsb$Pz8XYq7FkCH4UDUiG#srG2a`EkZy404Qyj;LqS^vq3QsVMB0raheNslXFDq5O5t1pKu+r{|>(NGTaD2}{wY=%FLLDJu zerq~^rwJ>vP#wPj;owyNEuZkq1LXe;j0knu&3cJSL7yz4V5x!#ftso!jm_8=FKTYi zlL=COe>886&zb!t(KI>XxJmbsLcQzR1HEM@$7_-XKh$`9fAqZT2RP>szVLzNkU3_J5HX0FQ9BU_ z3|~4mC`~vGquCQ56C}&btVsf;k|2sOYfdLO#~C?BdI#uQfe#|t?L7*EOknsma%XrZ zu1$e{R(=o{nkoM zR^2Rv5?>#opeBe917D5_0=IiYJ1H|BS;&~kETHwVgWCpEwkc?J<6ww*_C4oP`zi@y zG+uAZ>pkp0c6ee>2ZbS%I+ytxUbVN;0={?Xn1B5dVhwqF2PLKyQ6ihZ>ON-OR1ECx zPxEVrcG2Ob2`X9tQ9eTvO}U_+tl~J_-Iq&~fMI7z6kpl*hCY^YqR3a{CAjPxt zRYcfLN_iAhIa19y&Kg22v09{H`abr9nT(8aWCC!9FG(o|&%`A^k#bRsrJL4vJszLc0_enE1$L(*9RO%i}q3)w0 zU}Qsjlt8YmSP>Y zPoH{9)<08p-toMcm@5r?{dGKFHCbrb&FxUvPm*GM6tzBqc3w)1Q1DlV7a6BT9ywrA zakXeyuK(NlS}4{)j_fE zzsVGEe@MaM+oDb~&QT&{r>@W-iW1Y2X2VFYNpBB)ICb?S6eU&*f5LLlp8HeE7)~>g zJvA-_*tO%Ar?Rm2=@KMWGU2G5Hzx`_rsJOk@mJRzV_jzmH#14hk440$cmt2`;GNqI zDa)HEnhTHj6MIhQ*H(!HR(8+)J4#==WP_sy1wC$v!s71Wc34uC%+5WQJx>R&-f%M6 z=TFFte=DDVrYo@=$sHpl^)e2p`HGqpl{3SrYH?LW>H2i!{b#_iQk7S`OhcnK_0heP z@*ZC7rX9KNO$K>6VfFXA#gUXfIY=Ppv2e*6)-Ya(9AzLL{YY9j*0xQ)_q{bs(GKH1 zY!-Zq3FQZqoq4I(!l5QWO>s|kVPwL7D73Qv;peHj3j2Sv-<$S3FE?#ml+*$r3OL#* z(VoTeSA|1f=@iTiiNbpoGn)B&yO5fa*@JMxRC=byn(4+%LR#8Gn`ZC&eOIArd;oAH z77n;l=VLt5wd@!B)Y(5uyX@cfg1deIMD()`TLprr^WgTMyYG44|HOOEFrogr`0r^z z$(1p0vk#<9!~lQQ$FncVTghd=+nmS$8*>9Y_CaTP+EWMza-6zCRXhO;aFqIv`kJ;y zw9%O=nk?S@MkCa>rj>&`I!pDZuirzZyv z*7qc|?K-}_Dir0?vF&dkTUuTIz_h)%3D*FmZS?L~cLDtU)Wc7Y{n;HU_w`hzJ&XPB zxAvW^`X!u5@evZoa_8R4uc%~H!^eM5odiGWH(Hh6d5BpID<9qY6F#lflBQJ=&_jM4 zHi#ca%-ODd#->Z*h3w0Zng|mz#^*`b*H~w?y0Dz@OoTTrcLblO4i{K|%CgmHqQApD zjF#QRz~<+|tS_GE_jF^R#}WLgC=yLj9bPyRZsM}FpwO=V3(@h$O_bfFJp}0|>AS5X zRHi3w*O+LE@XGAQt#U3?Z%3ZO=$u(P3Sab|c$O9T#BDjA1#Mu>HpKyk$A_Z_u{*z0 zf`FwuN{LMF&3k5x+KcPo3mw~fAC8xdB6HFYwWXIM#mt5Btbu%vn+RJT_Z zEQde3ZY^Mon3f9g{q-hEXMZc+aqzbXwpf1JtM!GG!AGFc(J#) zx1GxkQDugBw}!kcB^(~wJqvvvC&&XoyJa`kd>Ba*mX3oxrg*i6v{oG?Pf$52kTp6k ze7vpS?Gf@$@p&BHdG)e-q7mNc=c6dFpyy6rk2n*Znda_UOGa>C2nU z7hgj@!${6x4UVU*jmM(pZ`V7v`F9o#T6U`cBbHxlMQhboatoK+(8NN!ImYgIR@A~! z6Jf;L7C+PiwcQ^l$n53!zM62r+!po2d&6cFoBJr%?SNrq@%`@B_8QWLkoY=q4o;a^ z7_rG|O|z=OB=G1*wOl}7MxsTn=R5^^6iG^i#dNR5{JKex&el*ScOW;#tA~uTlL!CB zk2^OW`%QyqE^#6Ez};-v0G?N(N~A@kmNo1C z1i0x^aHZISa+s9eWmagDn#8&-GzS5 zohNKOd7joD{0h>Wd@i{|Sl~Y80w7P@m&=tt4l--DGacxZhM%PO7s#K{2)G_09B7vm zO2>Htw7rHA8p(zDgJ^pkOw}WOXoR?xRp;6;$My491QRAP)dMo#miaLD;z0%8A0JvI zNJ7isB6Cuk2=#^oekR~0+XJ;|{$P0%q-x@`H9LgsRXq@s!Vix z_nAfbnQ`c6MOXx*&058;h)*JVu7J6$IBzv>ccGp-U{RA9Z)78_wLQin5_FO+yG5!P zWHxOPY4tpaV)=WJN0xH;D~F#h&+jkzlfVi9B`c&4a}X*(HgW@X&Cw zWa2g|+qQAGEX{xbx#e>}GaU=`O4WA9et+o~uj5)XQX%6+4=(*vIu!)6GZf9I(o^HJ z3`PLjuLn0uQfr}%3ycFdW+6;RLHTJIE0^9C-D|>#hDe+m|0@;gv>c6`lM~p?-L3hQ z8wiik#euC6Z(1$b&F03}L4`%zkzH0f{hqyAr$r$V+^ZAJ+}sTB-H^-!<#I=?8xLfM zuyT=FxN3SZ&S?lp22&=Eal3DF-dZ}5)<%UbtCk3BZ#by_Z;s6NTr4*Koi85C715L6 zE!H{yXne)>dN{Ar+*W2y*#YOc&7qjD+^2 z71ssU9V8hyV{{GPZQmvafXH+r@jMK0jex75$f9zfw-%hOg9_2T+kLOoHv)H*r~?Zg zGKAeJo;hO?*Ez(qo0d!91qq*O+R1_Dq^lt5ZChx96$ zH8^jby4$H>Idi^jSF;ldo|8#s@?+*b-P_h8Ntg)YhTHDu%@R#JB`N~uf0`y9Bi4Wo z4sC3bXO(O9F$M^ujxF)&gxfZHm-AlzUilg_981dob2F=}VmYeJT&I@GN#e86PFYId zw^#GeQG?%`UEf)>>hNE+Gr*Aw-=nAZ{D2EpBqC*_mM67i*fha)VWnWDs;UQ~^;@J^ ziv~h`mw#aq!l*6Ze>!cl>}fs`Cwjp76E2=m{3@KHyX>}HJzqT_N6??(kI`(;-41C2 zy^{6O`b87Y8-+u%H-2RFBdOAzA8$Fu?BSMVJL8z=O1;|ksonhsZruoH70$m5uXpy( z)2Gr5%#Uq80#gw#;`s}!cBAjb05K(r^Y(CFB4eNv9uO_9FYw}TvUL5TB~^r@OAz}P zxlG%@zI@kWhCmH)ZA$UgsTZZDp)N}+(^83AD9{}6IRhwHDV2|5(?o&F?7zJ+`)_Z= zIdj8l7xGc_YGjD2i1?XKHL*$A3mSs`+v$K@PVUpx*Ius<^FAZh{F-50YO6; zuc)xQJ(`coj} z58U*RtYZ3wG3$EfHoGj3uAWUIXYS0D)vfLA?0DeLhVM?Bo0}5ArEBUQZUSU_$_!dY z*<+2>0FTS7dRFa3mW9*#u@?6HzYOG!$EC9*Wd-PxT<7lscAh} zoX!6@<>GD>BnIZh?Or|jf+KUM<0%JIMmR-=*0Iybg@lNcekNtE#vEQu)&(7aY_X`c z2`N-QY}V@{uc&l+H7i}0AKs_U!c)Op(t*D57;3fw}}B8BhhN zMx6in0<_kq)Nxsu7p6AH!}i??sD2SpB}QaK#J(eU=J}E%AMr++ZPwhdCHK!-!^+>n z9!Es>+?ir=k&$-qYV{p4!!0VutVx|~^;1?WbR9mf3V9sqi!w2lH2t)%B*eznn6~7O zZCG@y@<{ewpQ31q?|YZXmDIQCg6Aqg_UhfccLe&ZX>*w2+qe1o`PaZl8fJuVGjqLF1AG>?ATv<(CC5TnYebIK9U0?0i`J(*2-dDR zHs3O6@OvOX$PrGRxSKxRchG?x?1)U2*XDL<6GckE%Cqu^4rs9%kl*tyTL9zi z)scs9FK~I(wIM43c3w~Avx;eGXi`=I)ujLfR?DM)(Gj>BjK1Y+@DM1!WkACEmUQo1 zRxxwiCsE%T1B#YLl;1`Ln3$Da!e`nCLM&l8>~73w7qQ)=@2E>; z_)ba@Z58!22-(dH!~fV{rJ6PllnE>y9rc3+Q0{m|Y>j%Oc&8GM6!wowYt?0@w5Ez$ zWj5OVPTxkz6KVNzoFmHz7g6(HKreh2BwW+1Td5!TTv>*%>kJD4nQ zrGUjr7Qt91uE=QcVHZ!3M$9rGxn0BNwp#Gi%Kz9siY!ty0$2Rp&o~+d|LimZC5huf z)0iAQ?y%!#ysL?7y7(tTZraB#WOr?4&M1*~EsedERN2`04akcjltIZ+bH%EPMxGs? zKa)tYT@*;-Mb#&r7j#i6XwfJeCmSn)GK$g2_UKsb1X#MDUFuDi|w-NvddADoB)edh8bR1K4uLp2NZ9G9R54x zuyJs3vXmhZnu#RX_QLP03P2UKyehuTbaa+2vvvTd*YU>2h7MnLr6r(yrHrv%JL~!u z4b3SSlJ4$iGdMCGm~=(NU;xO7g)O0}ADC5SD1wonj_j5nfs^U`r3&wMH1&3#*%HP( zw2aL~4>w5Mk0S@AV;)j{h3A|?P#rSqLHJD&Mxo5G}f&i zqz+H2WGi^3QRci~D}|~MnV*=POA9uhHE~G7W`7IDW*zsTk)^{mNlNRxpp`8}+t3h& z(S;eD)V&)X8fqCBaeGhzU(nzA$Z%g{9DK3-Mh6}9yY+_n=}|!TJWlnT5x9)7*x*Ljr%Yp zmlgqQGcbJ*fclu)`g(h3e=pQ-7k>Z#J-x87P^LNRMu84OM>*ig7tLrBUTmjDjycet zk&zJzm^F@UWd_tp-k*SlT;{c5G%-6bcuxCl2nH3=$mwz^upij_%gm^+_GlVo(GKnH zt?r6vzM)Sv5L2=`i}w>#Tq}bu$rnkBtZrc>!7L3b4_K?>psII@EN3Z%AgY$iP*99~ zaqgZdpFW1CbX+%%1g+8<=HXhpd#gZVjAJBn*x{DUJKz8;86u|yAq)5Sq5C?(l$a}^ zY*Ld~h!YTI*5|I6CWXtS$WND{;6>sOpSSV0LJhO%@_1}?1J>j18i{J09x?#LT(|UYNogAkO1@+> zqNCK=Z40;~;HXoH813Nx`gUGRK1XTh3pvhE0v^uUQbc+{!*NW4L+^}HyAlY5CafSW zp`FabAL_H_xM=IxEa0;O4--TH2`&+I;Q}{Rc7*%9 zZh1)n87q$b+86(GT%l(`(uQbV){*-E{6Yx4*ADGx38SU*7N~nCjANY6iH(G^@y8lVZT>^R0WU-Z7?GqFr5%`}ZDBxZ{zaGXTEUfZB z_ZrB+FrL02r2st6XEDWr;4d+mdhA&569v|W)N%N>9-oB;5MRr8zXT*fH%H>zVn@gb z@7a|2SHlKA5Uo|$)Z+XftxY}aaaGch^8fsz_pHYs{fc(VR3zeoyPHK^R%^M>y@SgE zq=AwysI^^}vO~5W8y+3`{=EeS1G*sUMsWnTvi~C&^aQB(CYSjH$bbQp7I@4+fWDD9 z;j;5l03VqQH1TB%`X7y)q5?AInZZ>2#Ko_AunXLVkgvDc{;NVz7@=S?zg*=@;ZPvV z;qE!A>2We_q^~Nz;QfkmOJc@@RLLSOHqgcOU-im!zyWVCk`0LQerH`jH+YEXo@SfT z)r8$7e*d?Xii08!2m-d%ru{Gk_Fb1#zO`h&Ssey}Xn~yqY}S6he`?(TMhvP*Hpyo> zrzotIxg`w^_jxB!(ii{im}DZvh2PNBcqF zqzejyoyK4V;>JIk;nC0ZwngN;1@&`b4ZQh1tP4!L1n3)}#WO~STMeTV zoT?;CSS<+i|LN+=!=YT;IOQahEz+?}W1BHbj&4! zt#dGE$yFl1tBfYceplt`W_ zFqgTzhF!Ws9gEjcbIPD#cGhVWU561Tp| zpGzPlDl6iI5o9`-B)ylbe0BN>lhA_p+6W!;uz2v?$=@gIOL;t5XVYcWZVD1!c`&2$ z?PP}~u+K8xCHu%xK|u?R2&9}T6bRHJrBDBv5%?JhwZ9*dFakUNr!KYOrz2TC%vF~V z<~=#f_w>|x!Omd~lV$5BoHAhSgcLjJJC%~e*!}|QZ@nA;IEz_3jM7SSn_FtJFoxqS*tQ=&+!3=n;`G6E$UY_l#gqz(cey8S&7#+=7DrUSWH#Tx|=4(0i{cgZ71 zcCl-bXf$MTY32?8rSQX@WplBUG|zw4gPAXoJ@dgRFi;mk+A>6GB083327bE{Eoy4< z&urc8w!_w$S3Gl)YG5Op9=POqIZH9a-6c}nNa2^~Rgk2UN2)TPR(($Z(Uc3Am9ryX z&a=JPo_o`x!x;J|QJv7oW0GCzA-V1M50EzGAiKAnrW{)g`pKJPkAHtW8PPk0W|NoqmN zH6`r_tkhv&=W)ZvCX1GUurb`BIYG;=XNmT@_xWNFT2YZ-PvNFp**0i1G`fval8M!) zwYmIq)-fNN0JV-UIwyqwr09S6AVH|`xgMp;dpz2$IOaI8_s4GKrqXfif=ebS60!p+ zm&vU3r0y5&z@}>R!g|U#6B$$`-aLF|vap^A_e%RPzUM3R(dYbI@{jgQk9o?Eyw_H1 z?tTnb_xq()d?#;uRTkV?zOGKnmCd>6fmOe9d}3{Gg#2Q?lu@L|TE>hmj+pSt@S($9 zj~OmDyS&efOoBSVGrQh!+l*l2l_)Q-_uCEX_y9(Q5lC>6@vsSd!WN-8IN8xk?Rn)F z0^UTm#T%?{bc%$x)8Tfn)LDr&l~toP5+Qhc6))>2jv3rLDt;5(l3V^P7HdAsyMbuT zp%h)MzV460#wj3lf`heu1<$4wIfW-?I8_0*;W@*;o*#_6(rN_dcAgQ}#~Qs9CVKD@ zvD?)h^S;O7LkPx`Bg**twZFanf_nn^I%j`a=s#H8Boz9qdB2%jV!ZLUQeKci`8kQE zzaRnWyw8oA=EbZghI$^mW6Q8BK9DbZVZuK_)vcbqIqn<5@a}A-?j%1n8@$~zaLTX9 zF0=pXY1@}A+8L6vUI$1Ki#^1x0uaW^vJ}4d(y-_i!cOrLnl08TYnNWO0-?qQ;@LC% z8AgV3BBh?AF}bXuZ98y5|1ptyQPrpZtgf|;P%>YD0`-c;DV<+f?)xNw;8YVDMBT-8 zBvO%+;o~aCubWGj`_ezn4|T=afIB5D6;vwH-=2=Mu#EYL!4$$g4F*GJH5M+8rY!E+ z2q@2h88B%jcAkbvL5M+ZG(2I;G;jyiW_vn%Ud6_a(hRATO`sL-PhMl-j`a$-uzgzy z`k6jV)2rm#&7`b>tg@ipBiif5qZ?pZWD;Ab+@_29y>a9f`#MxiDuOA|vYaGSf|tT! zhg-3E8qtH!%N?k;BDPs@*KAo`V3#Nk=*5Y;ouOT$Fiun8{x{-7+f`Q}uRjwDvfJpg zUgoxZ7n8E7j`c~X_;~xNT#F-+bD+}wqr`^9>dU%%KJ)zSQUfR`u4ZQ-yWj4pO7t2M-asCS|wFpBn*<;FZP>#F)9OG!4IH^^a-gwYNeck+A~F$gKpM(uXX&{x=?aVTZ2JX diff --git a/versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP5/shared_advanced.drawio b/versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP5/shared_advanced.drawio deleted file mode 100644 index 6f96eca0..00000000 --- a/versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP5/shared_advanced.drawio +++ /dev/null @@ -1,187 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - \ No newline at end of file diff --git a/versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP5/shared_advanced.png b/versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP5/shared_advanced.png deleted file mode 100644 index da9899157d390e82e60b50211bfff24637e8dfb2..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 90372 zcmeFZ1zc45`ae#mNR5b~fG9Xh$k1I5N~s_z zp@@`p`2P$uqZqq)@4epr?e~AL>&u;U&Ybu>@qXSLzkm2CqP@GhfJB@>b z55d8~lO!Pmd)OLOJaKSzJ3QodJsf?k?HsId*!WJMKe6%h*gCs=u<^;U@q#}hRw8D? zB3y#zfUsZGYbnrE||Hnpg9kZfUu>72>2Q}$I;o+&f3n(5_298FAo)V8ggvmKF|;+#*|XnA>P={l-u3&EXzw3UTSPN5g&W##5>2QIZOI~X6gAh!VO0G~XNuBDxs zjhmSxxRM=4NM}rZHMvf?o;7nam*Lg)^yaZrP(@$I$qYQ|_C?@8PF&#mF&A<4QFJqN zu~h|&a{yPe^ugW=wG`A-TKb~*2#ai=#LHvjhP~a69h!E2nCruU=uzj{c-mQ7xnr(| z-sR!!?BHSN^6gFwXD25huW!C+=H}+?{q5JRogFZX#N5>dtmB)LP&+g&%p88)t7B*B zVT)OX0Os*f-&V4+v$4hA8ODP-;%J8bGG>Rnt(m2>H~ReTUE9)kb9M%&%5Piw2`dMb z@UU`0pQrFUN54G3+ZTKN;}bB7@G^7o#H>x#%)-{r3D_P=(C!|-*fqO3dpcQedkpXn zS#MiA4=YUpRI?Z1K2|O1#nV_6V49KZrdy4vlOrrw&Vx<-GS}eTkSX^ z%xlgkCEXMiy~WiIIIiLwJ()B!H{Z7+}kUl4Wyc!NELy@<1m2k>RHFZTma zjK1Et_W-+h-1py6v89>2?Y23f^!@vK{mv5PWfTiD zk#|^!;PxM|{})&XOyvKadGP;W9-6km(k;QNwNER6e}P*69bJ4Uk(xaEOPSR{$K^-qzc; zM9hX93RO^0w|z(swMf(!`ZhnoDGxI@8!O^?Uu z2Qv>lFAP9qaPenwg}DRV*=`$2u&9Yu3`S93fDwBMcV|yG3oFc7K&)S)%l8+;!Y5Ya z*lp~E&@%YpLfh#11+TXsa(mYw0IJZh)34A!rC%!_I}fy7Y@Y_UP*$;R2jKHpqd;w7 zZQ>g!{5i1wuGyevk2V`j6#4sF5-&DZ{=1gMDRYM!N`t#IDWSjZ(@?iCfRlp8_;{OSC!U79c zPyY&a!enGSkQ}QK0CfLHHS!;%F}ytAs|vII4^)K>#Q%<}K+5}l)cucS3uacr))v69 zzx6aWUOqt!VJma%Ut{t@fN*ZF24nNQSbn%ekl6UPGbm#r@ZS<724{8{{nvcqI{^9? z2>!{u>o1X{0PI^yeqq{wg(QE>yx?wjUS=Ms@(P+;V<_7WO#l0fR8aUIi}XLnt+DFd zVVysO#Xn1~|0(W;zRORz^-hw61)-fR35KzPzX{>~UVC4l1&bMfmT(L4eQO51*dUC( z(61xhFiaTv1xg3_{3V^@0X0Qz3ib1Z3QM?AWdzh`JrvzWpY^+h`_CB)24w%nh9V^L zoqn+~2&>;eYbe6Jus`6_yx;S*UuZTzCgOm;q5cEX|3Av!e%HGGJf9YVVQ4Kjqrqxm zM@Yo_@=kJr{Tf#P{|cdo{g^v{34}Zt<^12J*1teG0>a-?=%4WwVT}HED(9C_=pWM^ z^on-SlRu8F02ER6iGKzzx6ydJsDZ`e9UzM;gncb*Y;U2A_DkgpZsleN3hk&2_Kyo- zJA*U^*1myW3>^PWVl*GNC4=?Qe-(Q9u(>k!LRi1X`tYvE%EQ~)%^u_=C$a6HuMHur=D?#X zU>s)$8vLUI6iAD|G|_fep}_txeSlwCiuwfr4CCQNx0=5coOrRB_6|M4_%SfOQ&GPn z`$lE`;P1}n!PlJei>AJB+hHOnN=exI{y(RsFU5=RwS-O5|7KbOy|?eQ1mnX{i@!um zKW6qnL`n-!H?J=}$Q@zR!okel-40bk+EKUtUBmsGL?nUla{e#Hc5EQ|v&q2s^_U+n z^g9s=bj!?qfnQ+n=Ynb@xueAP^S+XRz<1dT#)-f7%+Xi;+VJ`3dO%n=+Y#=ZoWb*{ z$!PruqCf7@-2NVqoi#Yc$qdz*^Kb)04q%i5OwaIu!3%T))(H#E|G?pSJW%(>Vl~D% z{}2KGyg$2Hf$qMU`Sz#stW)g5R>@FIKbD z*|9La6Oys~2WvL}O3uRjV;cE`v;Wk;-GME8{85|NQUQ#jVEFR(moeMej@}nqj43@} zdG%LHjH*Il8S(F8$WHRhi$Tf13$9>eCWaHi1Tal7tit{*t_Whu)bCyBcW?znOfU(C zovQhY27l20#for;>th|<-NkI%f4@v7VJBfM(DO#92^lvVb0`SZ;4f;}ZpWvisGX>e z84s#O!)0yeXy*V{gE|LX-^|fv`yd}EyMfSQ<=|z7YS{g7?7Ra8 zAW%1Oa&~h>&FAbq?2Va2LLKKvKj`+;Iar}4W4ORtE$p1YAm2~UNAW@~48))gW7>?^ z%WogH0~1@Qxkc1*o*j?2ebB?r%*ovvJQViwsG%>+!vV5t`R(0zo^EbtVQ;ftMCbZW z=)3{|L@;9i?($wR!=7d3(V1zX*B1CCV^?pJc_@I@GU5UhIU@4r275 z7{RcDf!dJ}u>WtPBd95f2nz9;{i1j4H1=+u`p$Lh5 zr(Y~`{;`F6q2hJe2%RKFX>|9pW-Pzbz@jJ^(*0b#4MJ3Qz=)}+O{<_<0W z5Dfo+*8T%;q3rkrm;j0lU}P`wecA5M@|W*3gC8#RJAvq*Zw7uBM+MP!#$VM8}Ne}w)F2!A@gJE41bfnNC2BzVlkcnU#?Mq7aaJ7 z!2H>cKWO;E2I}8I84ykX+14Odpx;=>|0>oyTZ{jzSffWFv1IMPyg<$WGv4-}Y7O%L zSPlGvx9tG$|C-j|cW5d2hiLg{$(`W$FN6N^Wq%S$|=ZkpJH(g!6Z8*h{4O2-+H&~ks?X@~@DJYl#6%S|f?+xie=lbJ z<=sq-#`&=0>sSi>XF*-yyTT+*ED8Z&?|0gmX^f=~E<`lOFE&n&?_>blsvGb3pvDB{%kO6(L9KWD_YJTU z>Dw>dVhYndUUp_XrXvAHq9gCuft?@E{u-sfI~%zE_h)1GfZP3d3|eCQy;uOiR=9Qm z0PJU#Fzh}oYX2*(3VuvY^(P2`a;tAfTd_v6?Qj3cf}EVWtb8zowA-&km^*_XrUXC8 z34XQE0`)_J?qK5&-<;t3?!5_M59mkwoxxl1zJ&|w2h70lA2|T?1r*_DU5p(Q3@$s~ zJH?!|<5g75Fz65M3|^iehy>>4l`jM6Uw$u=|GQs3`q>;8w(P#M#`%4R_+Qa1){6e8 z*==+9#hMl1!7yMf7sHBsr_=r-)dIu+`g5&dFVNe|Ai`X8lN&>Utg`iOLgBcMUHN4vqAtdO( z!mJl1{Fj*HnWfTRX;__^_s4tnz(&eLLe{Aonmt?5jh)^kVb<`N;Zu-mD)v38c{DIR+E2JW_Vfo2JRXu zI4Y$_LU96hsvHXosS=#v?R{TCTT-%i;de)=FCsgbw(t6H-@O5WFN4G!&y^iIKi(GIYwS;<7`MM}c`!I$z`kb)+*Pjcp`+_aBk9IMyVPV~ z$?;=n?m|e9(@uN7?;?E^&-`dG_;YNUgny>(^Gv8wIltG({>Z7`{4BXhniX(L+eEQ_ zZ*#oVR)k6L<{srl&bkwn5)dn9-}$#PV^6PK;xUu${2X^ctfR``+v8)uNapAMGIz!n z{6|eC>-$Hm1J`-1o4Mjnrs>7JIP(n4%-?HVu3Z0Ep^yZ(eA}MROu;BfKv+BZJWG`sJflF~DRuEVxyyl- zv-RZk!Y(XlyKb8`KK}HsbEW|P5|L?A6Qq>Pf5$Fm)TqSiz%A7jx|8sN+|BjnQE+4H z{n={QWvc^L3(j^QvusQ5ZWXb4mTKF5cMq@4vzUY<>d9pk4E!YiOCRchv1r`4Jh@-O zkN+8+A%gW;$K7F;Lo71XmgINep*?TqvUDn0)Z$d{A)|5+dJ(t7r*Em)?SAv>zSW5b z)@`ka)BQh+&}v>3bbK9gvQxCcZS0h0{Mc2KAei%(=FL-KWP6UWXk^NbhqTw96E})n z;bZENT764vu`l9o{QOvp#q{gq$4Rg(MFhe;+qlZF*&Jq8PrzwhDf}DqWs#lc`Nu=z zwxParO?%t+>j@J-b9~=*=Mn+oBPCdaIeBcUzAI@|DQk|`xmci=g52BV7`-UtxgLZ1 zAl0sm7E?pw#pg-X(j^bPD^M4@5ihw$V)gVg%$-T#ETnpMoKbxBZNhk4wf*W$&1d*S z2R$AlbATI4za5UGh8R3_kV)pZYsF2&?S^pYArOJH*RC4-J=s4i!lcd#@yN*(+e6s2 zGB-N6wLYUr193>mgL8V!+$SXDqUPk#zQ?o4i__OFJIrvIOJ=wwH?LZb#Sf1L^7;VE zcu@9}8lq0vWDzexG~mA1up%eZ7jKSb47X}Ylz-pXJ@(ERff&u0 zqIq-QHp6tkVkjPA%*DsQu|-F=4NVj^TRy&sYtx=qbqH#Js9$Y9qe?x?4gk#gg_Z&O z@iG)@vk?gGaIfjt*QBk9#QAn-7?!zRO6rq&MZ9}IPA<)^r`D|mxr7y7)4b*g*F6x5 zGk3LQiqCczc+VIYFi|e-+K9VLsUzb$HzH3vQ;T#ZqpR>a2BqIKb|yXq6eSi6Fn_y?s~fI*Vv+<--GWBUq6s4y+0 zI;nsQ$F>Y!mJnhNE#i=?knaa}SWF3ITK6|nmXt%+e z1cryp1(kKkH5WG`jiNuK8Ainh?vY8JZ-n~S3U#qo~;ph z9)XDq;lSR8?wyHIJSIbJVR@G-6X2q($FP7SI;`ZQ!U&ndX9qb%y;QG!*1QyWx~&p+ zhD+P=OnQhaq7X?h>H$qsN4(1QHR4#17Urs4EB0G_&t7Ka(C5b7a8vmzJV%==!7xtb z;EGVbr)nbSwXEUS7O{Erz%pk0oNKO4*;Z-zY;xvzS$Vl+%OmQKigc3;fE#5z97)bc z2TmbUVLAwxeo?8#{#I%fXvRO%xvO>5q3>ba=)`r&Bt9Fp4}B%=hnw9`L+R@4>kC|l z>uqz6>lWbj<{6#ixSBNY!uznI`x0_iP@{P7J+MlIrj~WCL%2cn5?g7xzP-NFR`>|ps zx!tzg)cW1WHx*ej=ZJ1=-TBSVzBLJ!BpE15$EANB#DZ%7_JW^XU`JsvlR0hp4h{o%}+YvxBM~o#ZBduM(>AV=G}MCm?Fv*nFArj zluZ05KLQ}PxUUz_B=K5&d1W*{1?Fxn=JkPRRKo8Qw0di8O3D6#&zyOu5bf)*@NmXx zB@ks|OV>7+2Q{)3DER2ui?g8Dgq+h>`GU6sI@PZ6T6NR}e^zqzn(V0SGIOiB-Tdy! zIMDj}-_odYr4h0f+kq9BODZjp5?m=@>6MMrRqpE|8}lsA9k;HFD!>*EKy8Dqy&?;Nd>e${-@4Lxos+O6s(0#8H0(n#J*`R#9>O8>v zLm=%$mwQglHZwZY&uxT;{a>560 zeB{DYnm0d2{mKoHS*3JZmhU2EQ~ZoGjb3O_6(MLwvdD}N%+y@)-{yd zyY7V)Db02`)s)S2-Jv~o85(+B%$vbgBi~r!5RT7E8q9)dlK09HbtZSyeC^!i!n2KX z@OvgT0}*@Z{5c`)5X${hO(eMoJ+4IELF!g`aq(KW(%(cP1#Y;GHX}Lc$aCo%!YPFk znJP-jqEHW?`FjuFgd!^0=|Q5h@Q%O;=M5t+i1;UF;JdQ$*6U)urHZe{I@P6O4?{k* z&#*y7y*}8=;d34MkOg2<0UpCF#ROz2>C|5uI^9=dvGn1Uf=VeFUEkO{Cpxln7S%Ly z5m|VuuxoupNPhL&vHGwayUtr6!f_ocLY5|~rU>pclO>OJ%rNb{qnWJ$D3$7v2p2zu zW4{m~;XVyZc^yN-uytWaSMU6=tH{#52R97~oMKeq(U9;md z-4&J-hS15L=aLM=$BzPx$IkH93Q=&+J-z0;wLa%`jD4FLck?KOgu94AQ`#4r4_6yy zGt!P8qrW=L4W<9^roik(2ckZx+~XZW)bqVuYilHOC?z;9Os3ak$~^r;_(x^PX$T=? zx5kyW6rmIx7c$Cc?Q{?b1=teGM6iAUcFf+9(gWc&GbC=Jn<}LvCEHAn3Yj5Mg0I9C z`_Z5yk0c%wY1B}Pmu;&Ow|Yk5vt+9eAT%|mW$0rlwGjYtnaZW#i(9DuLx1tXId-U_ zyMRxMNWN)tLaT^l3h6>x;F6xZgp-5v$NsXm;?maA=@wR*VddBFIWD5Ip85B7AJFQW zQ)NLCGyxf@)>ruNaV8-fk0T)`=hLgR&=ek@Nb^@iunJP0(IFT~0ugmTzBWe7GOD#l z5Qry3l7K5FoX-Pr&(6Wm1=;ZHyrsGVl8nNjO}~Ec!9d%t+tl19)edO~0G%@qn3MPT z@bbC1`*`cV1j{_lY&GGajZ)uRfacsjeUnT(&(Q9-hOx(&@WmUi9yb}V{N%;uyD%>B zzD*~AI?&~#(VSKxof$A%-Qn#@+k{VT!vXFShlAf zXuWV9-OC`qy+2j`jk1X3K^aiPF94-gWYNyw~Uxmt5Z!%P7^{6KEOi?r10>s$K=xUxi0T`UcQ3BBc0$-c00H*A{fnah@%ST5v(M18k%UMjS#|< zq=o>nY64k#tj}$o{Io){Sr_#jLdyO_igEmjI8iwI_|MX%;y-V#w{NrwtwSJ$+|&!yDz;pthuDMiuRy+3JJO2cBIQYZE>SwVkHt zF%2n{YcODeLULpF#GxRloGrD8=ljd=u8zJgbf)3t=g@rSK zzwEJFq@4u(1uu|LAZVMvgsvPOqLry5WfJuuX}Nm*5nv8&8I{tZc;mCzMLo~Dmj=JR zq!^Rap)R#~9t4eHK)DFRBDkO+7MT%{Hq|GnOGawv>dU)iO?83@aNr=+XT|0NzIo^oLV1}Z>DYVi1;Zee`{ zW4Ww$MIYNWC`(DH17iZpr!TF zN68|Uj+>7+UD|~<_wicte3Tczyb${t*sv8RF{(?1-)yF`CZ#;hSFje+0Rbc7j@FiV0aK(t~7!h%7%ModPk zFDI-zYfG{1D zMk1(nt0S^5A|px$IXw59qAbCoj^7Z?WNTP~B@F9;45v;Be!j!p{%#>FNC-Fr?s9G? zYE&aA=IetGplxpC>{(-wEexMYJ*$E)^fUs9CzwMh|CI+XlK>Ffd^Gwf-e&g|5dd(T zZwoCRRq_r3R+DAjmV9LM8uNrdsy>!+zdAXaL>TqRms8(IV(Md))U(O*w*bKo1{h+& z6EfS;aC=|0v(=P&!^YLg!E>m!q4GGjkDlofD##Nmv_kc@oh1(;HA+<6eFP;nT_ed z_~;Mo9BI#(I!Qh2jY^NIWf{^jq-BLNRF{;jT$F-YGGIB3eDB-$Z>8+-UW$;uhYFSq z84PGgpbEWsa7Y*axcjK(QUp5#0w_t=<+*?r=9yfSY73DUa}rLB+-1kZMfng8-N_RW zO#M#k;E)nrH&4x<+prY=Qhhwb3=}+kE`eq3HM@HhyDT?67#+mTlWhJ##=A%y98xkz ze9R##Ty@e$T{z&S*|v+RBm~?5-)oJ;Vhy*ALYg2zl|=!8$WsFV*uOB9U-Pv4NiWCE zExFoo@R$K421Zy_gwW1zuc1~)zhQ4EJxCoRa5*K8VI+1?t=2;3piVZ`;L+qDC6s#Z zjP+Qe%XV@s+9)nGJUr~-`Fb7T)1Ig^&M1?mqC(lX`89qe%)`!-<1ItLI_9H2U$Ds4 zW}_Y<%HTTo5u|BLv$xeUc0kN)7cLc32VeIPxQ949uo~Dg2`Khq)Q3P7Bu_0%F@C^* zYs0rpG;BkgIs}e#mQy*oW#|k&Liz)V90&C6dx%)UT`s&(6(ISGI_egCF_IsoiO>d0 zds0H4F(6l)jv`2%XKgt#{BCHFAQJ*f%;~&3(Vl*Maeo~Gudr2O z6%sibV6=Yg(NwtSurpA#^-aMtaj3lYN*%^VkE~=cZO#p?GNnN#)9u`+` zynEoxZX>)3%CzQ>&OzY2Z@7@xFhUI>InN802saL#X*ELBi|y}@`f`5~g2UiYh@oH& zLlHrk30F7~x?s0m4y$IP8bo9U75}zk{n_}i%Eb;9an;w4I!fhr?I|$aM>P^LX2X2qY08EYP#J0+%kI1#4~T;sOa-A}C{b8^oxe|i zkZFsk?Y&NY#M}e;UBjCs2qEVIx%%^@u5D*)? znd--jOgLQksE?A>?!~%_kvgG#AG^Twa!qIP^qPW4fdf-@j6zPPbswJ4K$h`trhkze zz@J75++bSBlG$~{L5B|d%8OiVuRY#}UDIqfUEk7#{w9X69dMsqz=Zp}qseB3qUKH5 z#S2SQ2+JqGWf=^b(Zi5pfBhzh-~+~*aJEM2SNpojEO6E96G zj5MB{^;=l7?YJRet-=%=nMHiiXf4L4(8G6QCOFu<_44YipeC9!jp|dX9u$mtQ8(+= zvl}iPuWrhp2&yxX=o@*_M6TpF7&yrw2(fCZL6mhq8m`C+cX`_pbUEk_8I$T2kYA^+ zj~(d>zInJ=<$63`m~!LhE!Qa-ITE+k(EAf_095Pg_~zRV}wnQY7QM$NvqgD5xlz3;=)qhT?+r!h2mp$GAU|R z8aEXrc9Bh;f5dCaPe(=;H#@vpVADhPzAC<)#eP-Msa zLNf8-Z(-&u25)B9Z<5nX*fDLD29OH0>}@Xc<+wEUY65<<%blK1lJ?H&Y?;pTJ%x75 zFvIc{Mty<1*5jq7W9$LmZ(01j&PJU{|0sXuwD0q3dy~r34pW${eNVBA@1EQ%FiKmaOb@xxeJbN*j?kfd;?)C2G>~fcye$ka4RI3yw(iLR!DSnI zqRwVavXX!tT9R^`#7XYWkBNMch=f1?4f@GLv{iRS<9y3SF6cw&RfvJ$y{4`*4wsdo zpvqVGB?W`#4!mq03^o#A4ZRs0|M2n33T^ZKp<~d==F4mbyNlj;bc&aFj*7OXiT3QD zH6rJN%&0Jgd0!2TI%z>P+IojpLAbPB{0i6Q1EaT&%MJvDsdQ_c^B>+?*F;(@m#`8L z8l|0@Xph=6Ra2|u?={jPWMbBGK|pu)i4&(DKe>(CX2bu3W=nFBG7yt-(rih!hD~FY?19 zUhz1(>GF)AQEehZ!loC+>4)5VK8*Vtz&on$7!L1$={swqlFmaD!+~6<8r+I!=pvWe zFLieJm{ht*m_pm@45O>nsPYSehsG&0Qpz6n>+D?GLFGsEW#&NInQ=O@pI*uW))Q24 zm=&60;Ws&~cu`oxT=S|c!*%qBd8z=k9OD9^yYD(o+xh_N(l^(3B+E4wWVqQ9FVnwt{d^GE61#M_kqqy(|B77%*RO`ci-w zIrh<6G{?X`9<1_TZhreDq0ODk;9(=6(6gYHXa-1mX~3%6jhVrqb;kumkHt4qHq7UU zD0oMoT{=XpmL_i3_$&k$pNfv|0$43AsPbM#Mnt#0HA@NQgbt)j;io(5#m~eaXv!9g zOWMarHxjlX-*L}T$K67!Lg;LUTe0ZmfU_|DRINes%HplX9GKMys?m|lBca5FmUSwJ zPbNe1d+cc&)Dvc1fXYfl^1c1?EgCN)2CxgR?VK*QcRLRoTcP_Y?aG`;`A z-F(5?=O;|ET&J%Vx-NU`R*h7N5rhRgeh{NoG=F515@Vnp;6r%|?z7Tz>k$UiYWETt z5;lQqTI>}hXm#n<1WE8(J`Q=;nQgH;KQ>PFtYic9ACJt!ArYwc82@YhnHRbJ)io?3Fq8yzMp(kRu<`BI#X>q*-;r+CJ>o-qVq^h?bDm& zE}J!$Ko4_DBrWyg(jbjGVKT#4H&7WCg{beJ@5)Yyj71`$n{InP9T4v^6i_a? zA=3FMLwTmor^=VuqHQSl^ofBqYfi6K_Z#($xnfzG@wm78EEFlnxkzLModwsVV3TBk5n%eNhMO3sUu#5yZXYLsR)$E&!W8HsvZyBWCxK#b zBDc|50y$7KDX{BgKLoY4LbZ&ED487Izfp!4IS(>rDa7&;Cxa5c`HLGTt+f>6ndEP& zT$>$@mts(st@2xB4OEBK(ijCUw=??;;abG5fMJ4GdXZ{S*n&E@%t|2ir@L){BNlB8eennQS~%&dLgIO)qV2hQZ~Z})6HYJVGOxnPgj{_91cCRYW4D$sR$^DGLgb=vpAx~_rmwKXw`;LmyDj*RZHK%l@O~6 z%_62`vAER=msT9oR5`C6R!=Ir;ezK`!~FyGukI`H|RPqAXZnUX(5$# zUT|IFw~wzdQi`v*9F}>G^gCLqTQ08eIT^{t*ki6V`0QonL}^)dck#-6nM8$TLj~Uv z^QWm}J~us#yL@xY%3d!nI5KwJk(c-&>OuD;VbJ-4_k6g8?VD2eybWJH1Zz_8JANTd z5*vZQnK?a8Im8~q*fUtTDf)2H=n?f(M_8YpzI|IBuF@{kN;Xbzdm;Q#cBtCsio}Z> zfvuJ~ThqM@)QFLhFcXbDm)#%MKjP7_jq~CI5*<-cXQ6T1_DRIerA7BqMGEO;kNAwB ztVG?pE%C0qgZ$aMT+}TNXh?evh{8Q)*9}ZJ z;~J>#`>OREFCR02-4Ck|Z@(G9FMvu;6jW1bVYg=D_7gnn_Er*pT4~r6pf;>|!^f`c z_PS_LjmJSA!mzy9?wX@ttY1c92p1>jQYl`D_b8u}EE^dfSddn&*xnSdmT8{}w{{i;3L3(`o^sEc|@ILWsS)9`Ey`L!^{$rKM+XsqDLQ2D`^)%1|J`0Ci3gV- z0{RzhBO=ZL&z8UxPBf_NjsQM3*^z;NDv>jiLnjXj>hmujIx@b$aL&`NY7^-Q}*J%_sjrl%+8nlVfuqM5Lm9cj)Pv)5%o0w5$oCz zT+sJwNDtnM+}d0RrQ#2}yK7H?@{IiL8JsqgZN1dakb-7(Q}o^}z|AMSbN2S+o5X`A zttl9R(5((A6S=&Q`#F)zfG1$Z1&o3bqdJf6^AqAPQ4@gm^RvF@$1n&y zEj_$A-M2S^U6t3;e0>$4Qrz?&_2-R+_~eJ`v?o1M4SYzMxptYL zKTPhlJ;`3&8%vumU0JB_G)jSj+lmQ(EP5P;#f5~E7)~MmTkSr#$MGIi&bKIh$?#b4 zT$NBxK77}18v{a-hp4WHjnIT>$p{&!Dxn@)91LL%;~th^#jpY=0?3IBu7jv8Irz`wBa@$L9O^ke)ZSdC8~T` z3q(q=f_HWWeM!u}ROz5_Jd#koMu(|Qqt}mf1Qd#g$Zrp$YjXs|p}U6-oCqJOR7yoZ zF>0Bt90|M^r{5*%dA{xVv8J(^OF=T5=8*y<=(FKRYR~CsUpRh2^n%#9)LhlHix^2P z!7N9J%hhlW99v2xWrzfhnt_z^E>nt-XFbb%aSXlgc<+%mE>TM7dgyk}EEhkQx(b-m_0^HhzI0?Du_<~ajYDK4bs$SEO-I*zr zh0reX?ZXKeov$*wLOfr?iMvp`c(AD!7bgs7gWNPvjtwYuG__HB- zh|Dxk9xG3UY+r{fhR3=QzzGlU|FV|EGikt z_GSTL6AO-1d85gVqW%;Id&PaqD*T>ypX_reK-DyT0omPDRSHJH5-f3Um5KW>?hLAPojn+wzn6E~mh zcx}E{pXX(>w|0Th)ZPVYcn6IPIUyIr7?;jb?Hv4&`mi~Ak0!qZ(iAwKh2OLRdwSC3 zECK9kEPnt45w%AMJmArVNF;~42u_VIv9;h3H`JCQiIOFKQDHz63@mwc2t=48xaCab zVX`{pgcgVC`(&nY@pHU!p(G)R2x8n++=8cW@~@o&C5URBa9-hdyood)If!%OUOsby zlY@CG(WrD#N%N3X#!#E~E~4xdh&*{2+>j>-p-r#vP9LF4PIm6efxXk3k0wWoGYRA? zM|38zF3E@|db>#%egoH~#}B{#M6ebDk=|Bd8156BlZ_Zj?PeN<`YcZMIc24gBB3Fv zi2|XaeGR$x#^L%p59amtjAx$a7@6R8)RXNuu{7eSppzDwVm}g>uJe?4+#=GGmUi^G zty!u08=@wg$@0dO8&FZ7MNUGB{NkJBwCPqENl17`OBalT=zQ<^i#^f3)33uuZTeux zUT4GV$AlouIPGk$WSYX+~wYmEL2>$0~Z=hRdohk*qhhdPPI1KAAiSMFFWW^?l#*)zjlYu zuD6|=Yhi0cTjP_QH|^S`iosE5DTXsWChGSI`8asjN4qojADLOVq2VRUo)#QGpk>?adMwA-eHv_s%z;_TiNtX8MSFQ^MLY_2a zn%Bzdf5M*#-PkiVG`(f0r58MNg-bZWQyv;d_SyMaN&x-Er@Nk1u7(q@Cgx31!G*DnXK8v$ld(NYx#>i=)(r&k_E2``t<*-r0m=bt4 zet-^=J}qUpdv#;0GhRwMotvxBthZ#`lxglmEMsl1!OB8=i_+?3758LRvN~wKwH^Gt zy75s2FKYr!cTGK>T}hbi37^q$x>}RBMJc~v*{GPZG(5qVJ*(aBbxH1-x8m+h--cuK z!fw3AcXiuHq9%im8~J-p)D6BGcJ^!lb!M|A^MMQd*I8w#{V$xAK@+{RcpEi>_!84P zrme4AhBTRe^F0@rgES=y)ZvG$2(apA0C)13@vd#f+p5C~f( zO3JU@?Q?T1Jo9|Xw2z^=JG`Q=&T6TvkeV)P@BN!{pvA@G{*>NfFqjP0{@N@rsdEPX z(kRH$4(FEyZ#i@!Y$lIm2swn3g$k!64Wm9DNH!fTj8;n92x`49xm)VGNLbK`M`n#7 zA78FKQ7rXbU?M|AJUI%sTH6t1bdgif&0|W8^XaCrzn?IB9MgG^ zcYK+saunzwsxV6JXXZ4pf&)< zl7-|mzAKlT!f`GbRuwHOP`O`ibHPGKhl71{MB;O$WI~u@$NW&xZ2Yknp8TaE6XzE+ zGEPUh=9;F&r%(60QH;L%3_I3FoL}CZbEccVyO4QF3l3?$LRZXK9SRU3`NZkitK>+t z1i{;Vw+VMMtMC3H;t$<=YzB)I?#P^>z6E&$B)&LAbTarc=5V+R9^N z!z@}mB%8U;J9gjIC2$m7RJg*hco@1r*W6SqN?B&^)Vs>b)gGut@omkU!U{1dkx#p) z>buA8$Tu9jt(Cj`Yk_ZPK^4Ks0o^XJV6sO*U1IyVy zwWV+O95rT$HSmZj!YLXloQ7#mWSLSk2!-DAQs)&v@~B801k{t2J_2kr6E-UNxqCh~8Nq#i<4SUbT|o3+IIYDa z9m1^#q3~$erwqwpsKJzxaxDE{HDmjGL*H)EU@4K}p{IgE}#1fT!>w_Lohdk0> zk9wED4L{FF1yuTp5H0)CGI|GxFVv*UPe;kS3^g)aI|FWJHPcp?NMR52{7AN6vXt5R z;XUX6IM5E>Gacly2Lh^aEXoh}+jeJU?|ar0JJmY#7;%NaR)Kr?(Ap>{hQb^^h^;L4 z>uEvfI3=ZA7>+XebdW?@FLGSV*W0S{YSUGH?fLGUU;aY+(>@sF`KEFClI6nC45Uef zP=5TL2#@0cnPt$iaGgXj?e(N=4r=0eb{~BQc5ecG>rO+bYv8DLJSO==8Jzz zkg;eacOZA)ai)d(bIRSxiyGBrCrq67GBuvQspcP!)Gc3fr=5IqLjU^HCRW0`TZ_GC zb}>j0`p%Clg65f7U6iWr0Ft*^)#Q9=m00HBMVHa7qK#3bQja;I7;LXt=F?Hz_8v-(h^p<0@7-0Le*$<=hN z$uZ9H0q07N4APZ+L1TWGQ`o?FiF}x?R-)32HeZ{(>X7{Y(!Z%q6T0j0`I| z3`@F}r&-c}47}*!Z$)n1iZ4$<`PrjJ-$i`S^EP+~SnZvq`U*Lb*kM_A7S@`}h8*-|GZYbG`O_)aBX`)5mOdO*b%+yIZvfp?ho-vNVIOp}2z*(fj5;lRUu#4#mrWvZj)dc^NK@A;xDHPPMI#Qyj-P z43E3!)SooTAUk#9!9%0A&#(&f}S8?W%Sj&sB2LP#N0y{6pug$YWcY;_};*hC1{#ADM1E#(n9%kr~-NG#n{4A+gb3 z1*bZ$b2o0_dWyxT8@`jzGa~2VjT3p%4b>J8)T`K_(4c)So#htCJw7%m_qgovF$E|%C%c*YlD8ltYrYDEF8rcBnqCyHcbzou5q?7O2-cM(4D1R0v zib_)Uh+U(^tALqh1LVz!uOX*`#~9^$$T0+eRWUns)dUH8Bzk zq(AFWyxz1Z^H{NyB-yD*9pC-v=-RSUV5p&Yc}WdRP%I(nltV6pqc0P_7Z34a_N(3 zCn8B&<>R++xI-eHum-K>c%#2L#6EkQjg{V^s9zH-2&3mNGzSw(vpHG(jC$ZScCxx(x@PUq#zRCS@quE{r-h_-}l6vnP=wA z%tITGcP8(84+UbJ=Tt|M(PZTxnCT$)imtaS`yzFm~{mCpSQ) z5qjdkmjI`Sb2}U~(A4x{=djPus8NfDixLB5WDKok{D|K<9<huhkHZ=Y4pERC!2{;v4z})TqhLa zq^C3Y-j%`rIvW%R|GNQkdbm2B##{k8_QeN%QkxU<4Chn|w;)p>l)8uu`8;ZjzsPt_ zUpl5*59xJ)Fo#T*Nt5_u-{KE4eE(f~N?xdCQ$(V;-dkNWY5gckBZ}24U)q!ZrFnNSQ zxN$_bEmfew*eeTm=l?8ZZx!^mF>+Z0h~Uo{xpyRUg>r=3XmPIu;snx;zzOCjwG?O+ zstHGdv=31w4~hnr!%ZO98_d(c+0@UkK#noC1zl(U#oUO{WEGhwe7K_60&G3o$-Vz> zgAq|vT@-Yo`)##ziIM4rZ>l$pV-KnzIS2Wzrh>jA<#~{=CX*4e5L%Pib6be2=_H{k zY`*R(s~;U49uH~4RY;^N0(I#rrdbIUkf06|c3XagC2rm5?F?K^Fez}W(9iDn-${vv z6ADsIu=L_+sRu8&H7{1Fw?2}Cq+`SD*C4exaqHEFO~>OQPlzCw9VfRPpDK7HTp-D= zhje?B22~WdkuMUU%^@A_#3TtZ5m}2;b|G$NFk4PUAz|G`h|1>|i)Mze5fE@uBxTO^ zpU<)lLDx72X7i3>Jw7_8O*5_-M)dT1L;TEei^(8oOE~$2zpjFsXnYlXh+DNZFU~5| zlMG_<(%2GTp$alJDAZD%Lu}28{tDq~8$<;YSc{0Zf<9V^D`)kA^D~Dn)Z}vSJNev%^+j!h1N(P-7!g0ef zwAgZ7o=aJ#S=RMMOO7qYi@w!O_S+P8(oW(fjFVn3pY#pTSu_MtQ#amkl%j&eC0Wgo z{j@wRH*{0t(b)QXsX@>vNBKhwoS`^A^Xxc&y#1Cg}8K(kN z?Ldc#u3^_b zfG<-vr-OwGM-5!-FxhmTQiT7Ld>)XYz^SFq)u=ou;32`X?8e>dZe=^}V+S$X>gSYJ z)TQrr;-A8=U3GK*)K!;%hYn8msv@7-I}$a%OyqVvRXGZ;8FT zCa*gT+!%Vck^e_%6}WIU%$GTDn8hmd*y+VH;&zQT^Pz7UK2`a+5A(0iYF>5@Ud{^58unG>P@+NwC|B zJ3A=g%y;jCK4a(37|%b4D8!`%NG70{3-#dwm4B>q}fsx__M{a*H7doMU` zlfb>^%cgJVM(DVy(S?wJ5RvE$-WHW{3T(f(PxF7<2W1a;6_S(?Y>I+r6h8(Rte=Ax z1yQeVj&7KI>G+ho{rS~2ouKK764ezLe4Il}W<0N*OFtr3 z!4M+&)IK1o-WbPP9Gy{LV9NmcCK15T7}?)+lQKplVNS9T~a*e?&4= zwYZR*Ywg#l!iICGgxm!+?8{EDRWSoJ>BXKzH{N4Ig1tIK)8Ugnrbye|qNJCsu@fW; zT97H6kA!Swy+PR@}Rhy-T z)*S~j_WHzH2dHe=K(e=P_DG{Cm|MPE-s{h7=X)XLn)0DuKBcV6UJK%6=dkQ2B^!`P zb4a$==Ho9-`F@WdJNE4V9OVG6)ETT=mN4a#7+wj$E!iN0$TiofJ-hWuFJP+U^8KIG z2$r0qO;VT3H4z-dXuV1CC$*5pv2VNG_g}fKSg?uJ9p8Ih;w^!ug5+chbu?U1xYWwJ zd)wOb^y|j5GAcmY(1R$U(ioFTHT>%dRONd8&jYOa%~tz&C&B~RQs0s^RT%V-s-I}f zCUH`Bz9L`bg!~k6iP&I5AhJw3s(nECG=9+(Z`#8|k^sa{dCb}wf^Y+RVNh@Lub~&L z)9%~k{bWTLBK&Ag16kAY>I7N%s|UR~amf74AZJO>*M=a*WY!Pvw@W`W2rKYia}XyP zSB2Ez7Qc_q${U>gXn`S7+2DncK;mu}WLpfOz>V_8uSUaPO`~;lOpwbs)?3s(V~o&Z z0kra@F)z*{t7*s)Q^w{FNBEH8T{8$-{fr4@kqlzG!g8k(^$x1gDsSq!Yi#a(!IsD4 zFfhyC2E)WOhPxQJ=KqpofQhlme4-T7{)}KThFd+h^IrCbvl#+$l+zixVnBQyyG2vl z|1J*>D{QeOmLnooP^Ro)OzxY!amTXRUdN(5xb&cZRLH*(g+gtkMjv`Mq3bB7?m!e+wIE5& z9v_>Pr8C8sZ}!O`HCHpfw~xKOrJ^{zGftwSs4#IAzgLcK%g1{~?t=sIgBGEcW{{)* z;R!x^5^=xxH*VkjA8y~q!8s1pQ{UdUCnfIgGxWN_#);;Gd^PjH1bUYHM#P3Re6qffsPD zsN~E^^C|X4icuUCTp7bX#|`*^U)5Rc$@)b`XzY!_(+mf%;&E#UHUzY?YRO*Mt%P1GGnB$q6enTquiO$4^n2Ctw z`|IyDh27wXei<7~X$l>Wjz76-IT{@@J((V#6&)*C`C+BJ*ol16d4s~vSsynWt5BLV z{#7Wz6BBC$$Ti`n`Zl^8CW9Mnc7u*10k?Df{-cslF-nSxRfEu%7=ZVF#^e)fnlc1H z9F`cvSdQ0+24QB3J1{h9R&g;S6+T%8m0vydwJgXW5SXlq4NMLXKN@%{Izvm+qLm22 zCl(Zyeb>01Iu>~qAH!%kxnDWbK}vGy)j^p3_E`dMPDGy{Rbyns2gzy*GR-fWc1>-k zgo_0ZCB?;cMdikeZEZp|(S{TqVqVOArW?ybh;LUL3$emf_+!l3tu$w4zPOEz&a`X| zrdsj^)C1*Vrb$hGzU|yZku^gptBsOg>Jpp(J`*?ocP50X7Zn?xadVNIAR~lW_~zMr zBiSk51mnGK-3h*OqbPJp|5X#H&4ZyS1hds2&;uolCs!$AN`{FqQXxaomU0QBpOtx z>^u>f`nVa`J@@_Jp7&}&1JF&iq2*yxpz>wyNkBH_JZw0UpJL5tujC-s;~=oI*$(k- zHa|e2qRp;OXoYZXYw*h^vgoAsDcZ$@l%!*A92a@W*uBYO%{;mO1k?JX30FCLr-0DT z)Yi$tE5vN<8s_SDwd@yVe|7?|J#<*lCsUO}#MEq+EeFC0$2yo0Fa5kOBIo&}1!{bE z$l9^{^vhDga_q{d=FS?USC$(1ov0{^n~5V=?T>|3F+E zJB}&G+RR`u6oiWzt^U~m-mu?p6Y2jxDa+QoY5~F(I>6o57Wo_PI8(#Io;-l1{#N>U z(&2VJ$(STM``}7UY$^E|b^@i}e{FsHb3^YbXe=Um+EzZr*9(`)mec8}q4yW=Y=~UTBI9Z``pU z^;X@!b?H{|kB3sZ^1rO_$P{YOAH8y&Dd4RR=t@iInv{10b*JC)hj~y83XxnJFvO$g5^Hs>j6>Vuwz}JnqrYAW0D%m5+^+Z`T9{w( z;9Sj5GIxd&$<9*H-cojCH%Onw@)AdY9=!I}C*S7lafZ_!4$pZ8&B~5VC0RwEvv|v* z;%1@=-Oswx?=wc;t;&2k_I;8NbK#1DaGkrzGEKuto>5(cFfC8cN{|SZqRXzrOZz?s)Ow>8p(1t_!Y_(O0Q+;`2Pd=RS(CvzaF)!8HQc z0!nnxB89HXTH<*Qyhs%Ncp*3A=N?l(zhz*^Wzw(|7F+0206#GBwq95y{P<+ z?VPUU{zL%-Wj1N7jysHjVy^XSprk&UJfT$tu1BRL-keMT#P*imEXPt_En6jT?Q<2a zUIUbfBo4*?bu{l{L+zkr^s80jVtH4SA4EmK~)InigG&p=a7BvBJz=fnQIY)*Sbj+?6h*)BIBN) zm}Jv3b#R8*eS)&HelEAZL1<5ldL1_7 zD*)xVq*!DdLFn2kqRVVi4E{UCB{!gSS<5G6`+O%Ux0uZaWC{63mB!?@t{V>4271;8 zP$>4jT1@IJjRt!$q=Sz}P zqG|FLu-vvA|9`}__?Y|hHP)+UWpx{k588f=^#rV?#g5mRD0R)JpC{vCiiE;38}kFy zCgy@Yo!mAj4hm7uOD-(=ZKX2#2G%j)0e%25$*n# z&|Pr0BL;41aek8QF@%24S{vG!dAX~?zr91qYWL&vZ2H!mXj>~tS85FonLZu>F;pvH z)l9++ltE?vMtC0KvLudJ9ZL{lFUf|2$5dIbHIECeT=uXuYF7SH=jeBcadvd9dxy%Y zTL`NKtB+1;bi~-(IgqgtG33`;Djs1{{DJ&X@_hS?pSUMG~ElR{^?RV73Kb< zH(5|dq-jiqOEZVE_FWME-h3b(tNSUNCMl-sf+c1!jk-SQ*KOIOaXf#b1plG2-mea< zIK;5xkwleo7f+qw=3o3i&J#4CV}NSA=BGNh0SVXnu|#Qf-!p=h>4_ENBPwCG@QePh zgTzsF0g7Z>SD|VY%qsm*V$`Sid``3X&aH4r9Qc#69++DH$h1CTi zC@43l=joBTlpdEJ-M`dBTViyNP;^M`U5hdluX=s98oQy3uWvkf3fX8h+!mv#`>3Q; zU1d#(XYAU3QS?^0hhZT>-ADt+Hss^$uV}@&;Fzn|1N5lv{OIFeM~dQ=2QtF#F3_q@ z4Bvpjd0H2aAX85VdP0~5&r8Y=`h_NlN#<(?A0~B0$4hEWl=evkJmXhMcJY!91K5>N zg*KW(MMisJPf(KA)KMyBkHz!uE8G737N-|q1dV+7%kFa2&R(n7xIK$kURk21X%q!> ztOH{fhhhY@(x|@Mx$Mq8&9#qRSA;CvqH?uvahNpx68T!KdvyBdJH4ng^sMcK@M~6W zti~P>!-THTxfZ>&J5fURrR2jef_-&z19e^tF$jE>)=-OjzxUFhm=^ks;2?<$fp8rH zmHH|!wCpMgzb4vM=-_;oME6X)VoE^OuW^je5K>oYLCd)57CXz!ZThc~T0|_xTw^)Sj=QkGvc*fi$$4jp!+I)y{7|FSWcXqb%J#JvHmnAZF zX@_hmsBa*6t7}ZPjotvEkK>^e#yIxr?r4+ft!?^`Vdtl+m1312**FN6LEGe!L;FxW z#W=p0QkMmx0KPAJmB+T?U7fdCZa&grrc#=y^$xRto^|oH%((3Z*V&_spKm-!4CMc! z3WJA8A1FT0)+}*)&apP#ltG0O|7s{%&uPQlU$_6Z9PtZzl{295^~(Th>yLFiM~5@w z`wSmnZs&A(lI(tdL?)Am5 z@V?4FE*d*=jcA|sadv~M#J|Dlc2ZSuDTF`8-x(jE;Lzph_|ZRjMgNH<6-||aa!Sj! z`X#N7SMx$Y8{xej4_wM<;ABrN#qLtc%{DRHRXhXj!e+#8JDNXn-RK29-cqHt`8X-f z1>vj$KOqauXQORSn+uJsCf@d#^2DAM&=GMkH^XtfIm}45XdU0~ali?2$2(l_icxW2 zRqcz;0bQ+rRE4jCevx>SB-lUC;Kblvsfsnr*+8S&10P)TA>--z@hcc$L=ptc_){hL9Y zLnN;2)(0bP^MPU(JnfJlMS@0tV(u8wXaS_gNd01e>WMm7FV6;aJfW)LAdsC#Z~?ProXz=CtD@FwaB@x_GMj{8kGL?-%02 z>y-wyA%3HeymN{_Q)Q^-eED+YL9Ew6fBn+SN;|~buD#W1hxf(}vaM^-Y~fRPC?@N` zOvLS**ei>xQ^urOg2uOO1#iErvayv)=hD7CG_NSN|4c(4t%!)I!# zp+%q+M9~LCM4Jp#6n5flD@btfVq8BriP|MZz-z&c_XrE>vPa36Cn=^tJ@U3y;$o$$ zyu2wFJ&_An9_-^5xaj(~xd{&(V38^B;Zwp^bhgM`z4|B&#$ZGM|Ds_b_BWqEY6PM!5jt>Bk3Ow^{*WmQN=%r|i`Uekx=>+DeayXzM> z$V_D4;5_r+zgsj1Fosl}m4=;&pGeX$4*4<#cGZ9;$?s{kDPBcCG)ZQ?qVlO|u^l!N|k{d!d9 zy*MfHG}1o<5eaVt{~dgd7~=oW+u2Im&W=`(L|=FDI0aEyJ)#Nkzs;dY>fv{ej}Bb^z4^L6G)y1JO2nbWCy6~mD&54b|W{^Xp> zx+Lz)+g_wi6w+(+jX0SPJ(r&!!!-czh^v=gaGR&sj2b+l<-k_cCHT2_ zzKlf3WFWse`=5o$VZg3pvJ`1_8ZqYQ+b^PCt6XqCQ%dJI756yc%+)e|r4{%=`|HV( zcOyhTI9&ECn&ECqG@y}wkUtu|HePmZ#?LwNUX_IH`{no3cMyO%WU=tbPxUF7W1#z3hP!#B@F4=Rql5_!b2j-obbqu^7p!IVeR_*80)C-c90w zi-nB%w(*}(9H~u8z6-3Ba?2x6(7W%bQy5Q%S)YBx5nZZSPCzeVlS3I99KEYXqS6~9 zxV^LAR}m7bYx~V+1Ksjq6V<9=v2)tl`aRxtD17gic=y)ZVI3#S0fxJghjDk;&|Mj7 zH*D9AN{|8I)EyWj)+;{Vl!&O1aLZDT@N-}OdpK2<(NU#VonKYoanAW*>|Wc{q1Ix` z1#XMdmK48z{N;LXaO@pisqv|R7sXfrf;(``a1b-`2lp0xO2D`I1!!H~b8 z>*7I(NXtgV52%e=FL~RT_wcNw$3%&V+S88>$alj?_C%|DgCwO-Gt-J=Z~9WsRS(`y z+Hm-zCI)~CiOZEIjkYP$deG`FfK+thSEZn5{`9FQto5wYvNI@?3?JvA%7+?G9*$KF zqOTG)k)(Ze6E5mH`i)Ow+V#HJ{`$;3k}8UKTfCCHf!3w9HokwZZxlyx)2zfRQFZy3 zevzKc7pu$gdJ9R1eK?%ogiP?8DSGfxx(c`Pti*8sln4A0yvxnCpeOHuE3NWj%lNT& zf&UKvA2BX=0%9xxPY6YeUzj(Jim)8q0N}c8Dw)IK1-$f^wqRbugTfaELWgEd3q4`6 z2G8@RgU4A-&R;Qn>Tn>L=NK26g`>Rl0FJ-oAdw7-7khwE&l;SWKK zdXvi=mTQDE1N|>>NgW0IqZdiHO*i6CWe)8gj0L^2*b1j(7oI40pu2upAkE>;kjwHe=sJ*?ygVY}^`rtv@s-UYz3dXAMjy zPxkY&?fo6Sq_u0XY+>^ut3YqNH%yWz7Ejs&p0~C%3}J@p@JVNW_%6q3*oG)SZ{WsU zg_|@u^rd{47xCLRhHhSs0?09*OgTTS3AA;z^kC& z++5Wux19@v<&AWrGa>uJb_2+gHLFg6bY+z4axoWd-%9Au-dmUcUf}D?6GnNcoWWwm z(+t^9#F%%NVV023cx_MXY*s!0m>@PPU`XpwT>W<3J$xpJRY@Mr#F41z{+p((x>jx_ z2YTiASchN!F+TBX=;(-Oj-5iGi|=0{*~|J+P6!?ZT<~F%vgIX4#o3-vqqS|X=|4kA zjr%8DWa09JE=6v_ zibPw1aYZi?uL5iPOc56UHijaR^Eb#4!QrNgt3}C%>{B+qO9yo}lVu)EG)1k$zFhoX2je zMLQtiT*!3RKivB~t#m%}ZmV6#EF$>)2Xp)0>OiK+{7AZB=cLjgvPArHcQ}AO_>@iv z2d)?D9ExT=F??+9wMGIypwE7$f~!;NVs%L zfsP$6xM85|7#r$jGfO4Le0ys@e%g1Rq)`5D#An|Z10G+zPI5UVgM6L2FEclP6<4V` zzAxe&!)w~Kjy~Xjw$x*TKZ(zh%mKfj;Gi^nBbi?84hOPOPIXf=+Vk^}RxnXWit2kU zYi$Ke61r1HExJ+V?RC4H9{pd9W+n*xlkq!FK;)dXi=Sntsb7j8w5@hoWc&vwp2R2w zN847ugbVC?s>QlLvo?4{)iEuhaBf2_GT^5F5EcA$_u}((?%4MBtCmr+(FV~cZO7Y< zsZn#YC-vjQR>~@GbJrMNpr*x}2iwg&1`p4l1!>p|kP|HYR6#gBP~A!2zsQKHSEoJt zel_|EZ?g5qXJ6y4Tlq(4k5X7s-Rif@yU%ss)oR<6jK|PgfrEr*BIeRFW8G1hIreR2 z!uyo-S0#Rc!Z_e5taEDP-OTi#r19MH-}e@-Oih$HY^s+`w*+1@6f{G#F7za>YfaUd z_cjk()d%$XjN`hRx|CR!3coNsHw}3~?SKewWmPE*#>Z?vsXg2xLJ#|ZW}G=!8)nAG z{inT-E;rbp>Q#l?mW-3oS-k?INg^8W@q5OdJ1ywIMg9^YM;`rW*OQVIkWmqrp}u@{ zG2Z7?0XwqLNHy&Qcmi&8LaFAE!GH^7 zgeR&yjMX8V*DZQEcw6J!%-2}_my+B8nZ^iMQYt?UD-~Og?FrKtVXE|H8^# z{*;re0m()yi()r!wCMO_<})FS8&6A63lfHACF-D$VBVxaq;Gg^s$>{@JtDaAJ71Dl ze)Yjf1Ip=Mk_Q+}uL9Jmic~r-`AqAP$=jkY1PRgkf9*UqS1PJxy60|{v1GmAT50hk zxlhijDk)-59#Yx#8uNSX4dQtofxLSi=g1$9{pw zyFaghAWUSvI}6*+LDjVbS;k2YJ3e>5s01wx8X8ogU+nw&#S zFCYHmrfO+47ISJv{NwB3d;tCj@VVxcp5ut(Q1gr{zfgtiQOE1>yo&4`{iC``*m{wD z$P)B$rjk9bs!nku7fgdIEiUNWqY3{anUOyaY4ZGjX!T3Bog=O$PwLHdBI)OXJ58Uqz{G*V~P1hEe_9e%xLg3u?Nc$TW%Z!|o&^z|P_ z1$1q(H$ZICY7E}d0`MT*>XlpjZ1CKN2UJ|tY5uZkUS3YKa4JOGOgCw8S6B>GfaFqlVnZ z-Nr$|6<`oMoFlxrO}R1#URsiC7kEjd3l%onE;1A0pAM*OaE7Xz_0+uciu>O{^{{QX zgg~y?INatw>Koo7F52>&r22x9Rid%QaUdszi>nF0^FD(}dfXm_59f$rQ4IY8B3Egl zw6K8#61$JjcN891cR@bljPvl7Lz3`P8G98W_zyd5JI2Ix9mHAg%2eT$ zKGyWPpnbm-`2nxvbIrc^gHwI{UWIj+ykj3LSj<|1v!iN9PZk_c+nb}WjmJX$LxvB8 z0n+x+&wKw@lKY75r>X#^CF8s`Pwxwyo)5V8k*ECP1)2U~k zrBx`LLMh*ds7fY-&oSJzAW~WDM75^+QqSe%cDL+_-*OAGZirdtPiGIet$Hq+k>j(ekmTLU-QHy^ zDZUPM;Hr#l+N`>5d8?msmEm8F6+TU*Oh+=K?aYH7cr&WGAJ5}JPNJcgrm5A5e2=FP z#!FmG0rkc?B4X1wU3I&(`O(MR)J{Y`#Kyp zwmDYuJNCcf4xf=Pcc3qrEs775%6EsU{V4dbB)7mE_W6ifE-~11Wk%b)Gx&m`uS@ay z$k}$mX0*bBAUgNr6aCtVrJ4ay7Jr%PnkPI%wY^VP118q&obahoj!3HQXLk14kJr+@ z6%Q_$e$b;8Ed>`YD0}kC?lq*Me3<7UPM)Dh3@OD}&!KoZt9al|@0m1|Js>F$!xSXeA5zss{WV|^>bOLRwo55@6E|@E;OxN zZB_%(>_e5=FkC5IbW3LWWqbvGXLdhc=MX%>hZQb{I8GO=VUQX3Nt#|$h#Stk`+okV zZu8DNt+!=N6Uyk(VGxu=gkP~KhxW5l7lcv+jl%Uq?R!;ankQGms;X+!A?y2HxU*iF z;R2t#uF~YfPm(8>gQ*^{l{mdCP0Nw?`92!bRQUmy*Q20!s@6)k%ExWzc}R_HyGZC7 zG$%LL=3`U6@iTjI+Sle$;8-RUZ7#I4Hu8@3eXXualRh{XDIQkPZ>Ws&v)I&q6l`%l zPn?RjS)k7SXHeU{I|K8J*LsLBLk5iXuft@reyX^x1aG~&O162GtW)PZGM!5!^ffB@ zEaF3kwhoy3$cW89MiwP(UyMZ#hzPS zyOJBC^E6RCf_>(BqmNn_6I`-u*iA0aY+g8`Jf`x^e}@@~=NvqEA`bUSF-bq4)CI93 zzKZKA!dJ{4*^CN5)@`^ZZf|>v)l4dns8k3vk@MMx6e*Vg{kBxbQ2*9AFn;<^!L2jUJapLML*Dg<-`&$piC{Ae2Vucu7d za}=_kiHIXJuO)xx$$nItO2cPkV>42~O|9B~4`vc`&GF2vOkd6l-&G!zE%}lU1YJ-| zTaKQ1{+Rl9))N|s`hfjQI${=&wTC5~=H_`ywVic;3|;FUNxyeFpDKD%<>6^$#g#K7 zry#h)4Y`mL&k@NpN8SyFkXMgcXiaHn^h0z=LR{xsZp@lDIDU|IZu)N zu-FXahpUk@^`+sd)mwiGPJ2Kse{ zdoi!&c7mzHZJQTemu%G@gSeet*6j6fSNAp;NRXNrGlOWpa_XGPA|nt(3&i*#3nkT@ znpu~^LphI~x#5w_v2o%oVsjeLP_uhRuauUSqp8LE1>nT}!;*gj7T7uPC}7cGWC5zA zScG-{E<)}={_d_o_xVwHQtstahgsUSiPqQ=(-Zd>dU+t7qSMY}+~h)&s!j1r$o}RV zo$L2YFR6S*DsG}AIIWe?(^Pyq;a#@uev|Tz3HY;Hb`=S}Bodo$b@Ptb4DoA}M?W?x z&D3HB=J4bS`3FBxKRICZF}U6-Yw^s7hB@CKwjtDD|GIQSNXJJ=?e!b+`n}argkD+Y zg+tLT5uH4^((nb1aiT^P7ZK|MaBu(aK@J2sK-Vrb2t^@vO72{_4V-}^uYYz23y;5n zzwGZv{RPLsR~JRqB>$_QMWlc4-%aq2@JX*LZ@Xd#9A8ODv+*hq8+iWd}67hw;4G=6=3Q=}v99`PRlm4hw?_eN{ZN8rm?w?JL5kOYUGyttf;=6tQ~ z;(tDGjhn#T3jkq>-5)?m?RG)ML_>fNFNeUoBsqWOUp$C)A*6nf;PT%Q^q6E?Sillx zZw}esPtO1J|DL4({UqPtC%wMyzB7g;uBIEiPI~SA4`qX+XRm`50BocP3x-t(-0aqK z+)eFvG+~J$(&UlH+*_=6!upcqZ&OoI zYmYB|GYN&YC)g|1KM6c||4_H}N=t5bOAqg9c@l<2L!gF1oNbE<$RYz3Lcel+4zOkK z%D-ZmxH+!^SdKgV_ddT4evw$fc?*}Aw|F!0X201g!@lAoF*@iC@26v@l-Z;E3YRaL zDe9FNYTE9g6-9A)tlvQU2L=v)d`Q=blu-Wi`qdymO^?wrSqI4oraxLT3-taka5eZJ^Pa?w6`Ke*hP<-7d}ICO}72x)Y~u<#`C z43h#p+g-e{Hw)Bhr9vYVi)84egap%H*6Vs<<)JUE%weQ?>8ckKug>@veFqY(Py!?u zF725Y^%_}1%-ua?3^ss%Y9yIZL3p+ak(1a(te-wu`jCrOYn53@4J<#J9Qey?kW%w1 z;Ky%_c$yyrf4zj_#j(qZ1Voye-8fA9jutT&N)48H9SDQEbx5!bSovKbg6s?R8lLt* zKd6q-AacNKoxL0`Pn6 z#ihvdqwwhdIKu2sT3&EBC`EPYGw!kdU15kYM!8^H!3c*Qzc;7FZj&t@6QUtN&dWqS zg|*+;iE^HzpipS5%i%aM>twqTA;U+ za&V9D#$?;wL!mK0o71ziWhRZcjGqOGcZZ(x9Z&Uyg-OZ0brg@+lTu2PGH*9@0B{R6B!!{* zM5DozJm|}QZk`4`d*mlIkJJz-ywt$UBt|Xbh8xcV2V~%VfT97Tb+XtOi6IRHt?jAk z>Ei%1`U>d8izHgZmVq==YU^lT&3|%EQ6oVYN774OPHNFi~S6lL`U+ z0@_WY&TqIx4c2RW&JybHfi~T?fb0RVHbtkV0aE$X^b!;?2Cz+FndfySF`Xg5`~=L^ z&)=Q$!u6-xy}xYltf)~91HuR08uP11zkXrcBbSZ=wu$hvGS1!4uM_VcZpC+NgGR}K z;k|#h)dNdSYz{a*CJGg36O@%+((t3fiNGbeluWsS>q&@G{Am$yM1hdmgP||EcIIir z66bHnu7o7fiFd~X=}@9n*DslFcA*0!CGhw6w;xGW?DC-#Fs1~gGSnf022V1L^-=*v zz(}{ApEc;WyDZ12QzS=IbmI6TlNgZ5qublt1Nt5zg?Gj7$Azj2Z-AD_@Z9j6nM$i3 zxfZwC7(j)1n+wh*l*Dvi9n{DhETui+S~QuxKK5|P!iF*imT zVEY|XM3`+4O{FiIJ?2&8zY8T}47sQw@B|ox1ty$gXq;etGyY#I-w?+uaSK{S=ZTifSTrFF$;Njo!2&-a9o4+o)=>SxAmoX6*&z7 z!xs`a$&-k4B*2jI9hd=kIXCU)w-Jt}v8YGn56XX9=?cD(3pwV+z3W-A+#`-FHCB>M9CXxIK zxUQ8GRUn{N@!DP0pz;76>{74Y^o!KMnXXfE3P`!sTDFQG|=3Z=x+awCtS=*x8Gq1?SLh@;0M z4gie2U=BIf&oj)sk8-E;p$(*kC_*%GiQbx2zo@PRk|uT`d9#}z`h)P<8?Y({T!)DkT=Z9Tb?kmuw=_riF*r5|W}brw1R zX~@(RCXhB#t}mQ&qmdU^26cJJfk7Hv%A0PkNT;=X>n^VY>lCfA+JPQx*w*X7NMU5y zo7J@y==NuHH_jAmY9 z!4@`UX`BuSVMv;Uf{Xy106nVxA_lz3H3nIwu%_&q*AJ_FZ&BeT>Slv18uX6ORR|KV zKT-=ycG|GPew9lOJ2pqxI$C1{Sxg~g77lpXMY4!2_Hl`NM##7iuaGV=Sz6n^y@(fV zL@-{(5kQ@YW5LnRBU~_77*fHd1j}x|CQB?mm)GJ_?#;Gr=Cont;^N}fW`W#DU>Vq$ zs=1#Vkl)3_TkgjS~iOAWpH(4D%(gDGwq$4Hkt%qe@Tl|3+R3<#ch{L>zU2F7*eE6ZUF@koL~S9B?8 zCEnu`H5#X$&J{nz+|&T_>?z&ivfIi*t9K%Da$3R_%%fC+B&MsdD#PmI%}vmEeh>s8 zN=8-8Sa#wCTke9i0qx8UJs4O6?t6yHPsOg4M>Gv&?3R9s`=nV6L)$+wauhi37%90n;WTVAErO5_WQYSE;+K zAQg1AVqjaH?DJSr3ef4LfW#@_=We-_ZvNMYLHg0%3xMR>Yw=?o6(_3kmbTaS13smt z@82n;i-iDRQJc?ty433EhYuzNx30O(hMPUK^5&#(nad>QMr&~ zkd5Qnle7G8H5d30Q7|jJrvNr)iZ}RhNIVc7ziwjV-9*BHG6RR?150MTac%MRRec^d ze_RG){P;mY!;~s$Cb6@tCA`a5LVqo&DU}!o%_C6}ek*412!H{pJF7&WM;{~tN|?Cp z70?BK5iBviT(A@%0FUen+*_W1c6a%mGc2Jmk`POAEakt&l+L4_0PsyhwtG62v{#qw1`Ab59d0<6wJ7HC^GMA9urtEN{t&W_yIA$K?tsDVGH3#RwBBs6;*v!F<|3^R z3P4kdl?{%=IO4Sj3I#|-lkifN#00u9J|Q8Y5kPDWFR3)H=Ky_EFNM0>*swRy?>mPC z1hi3xgGD3>FV6NofLS0AoQlGmPjt3^9c&O{L7j}>^^xcY4<1lLf`0zk-Nn_;9+}MK&sG?#uGos!{}T_exS_bE3Zbm&bC|ti~fIHeRWt=UG(lS zbl1?`gP?Ru4lOl=h=fuSqBMda-JK#x4k(BUh=O!CqI7qMNO#^n-|yb%x%d7j;GA=2 zpS@SS>wVXX)q}$shKdb%1`PS{q;{YOA#@*oimpYr!-}|d2?)cuQ_twF(K%#R(lrAF zUxj2f^u;%IuLq7=I<)-IWrykpPHIxFa!DH*^W_{tj0Va`12}LWu~r??Dg@ZtEcv=u zqW~Wn3IGw8I?DLxi;Q&Uk9WYJ)DlRO=IA%=2D@7r=)HgTYbt>Zoe>_4vfVA9nq!I*VIi05lAh*N68EIr0lkISNfj zhO53s<<)}C6bpjo=&LD*}GuGH~CU7g9xw(tFfhZ zur0jR(7q&kats~~{tZ#LUgIpW{6^PD>4A-S?Yy8R<;~T32R(FZGD?{2Xz1!bidNK~ z%x$HcZHysH+LPc>sTuiSLi^9KhRA@6BMmKW_MW`IIWn&)q*kMZ=|oqfo@_YWA=6gM zKgK^AVljt*y16{vjVV^zoo`aBd_KzlG2ALX0Xc9HDf9Y(m6H>zKSx#x%xX}X=EMPW z41&vccT@ILEziK*rhz&yXQ5RM^d3xAVT;Q1WUg|ar#7hiw1b{>_HwGiih%Z+KUfzU zsU3dU#Rb*EtJt@|Yq+VV>9m*P2I@)~{Yj^@{!k$%pdCh#*v@V>hmCe^qHK9d$bq7* z($Z2Z6EY3#hWcSE+g|DcdV*sj?3dXOa+gvh2ZF880nM{$xfb+b;qE&FJ|SS5M06!) zg=*lF)`v0QH+`mrqU6kr9JDG*gU6l$nBQc37R1^}oUkc6Nf*|s3KW+gIhPzlG55-V zzhdKkp{HKv2#NMn_9S**R@cbl?fIss{1Be~ycfr1^Ol#p3ZISjp2AZZkq{Z>USFx~%7LSm09j3M~6{A9yPBH?ac=nty zf(_gVT1(ToeJbAPaKSQrRxjYrPfK2sFr6ij58`Zr)GY~aF2RV}P=41p&el~}>w6+;l?H(nw#(HNH49$d8L&>2@I?2rD8Oy~c5 zpFH$^j;w4Q2H@4M++^}l;*aa^s9lFe;kRcG+q{G@3fKTCSXAlUQO)@OK@k)MCLk7N z9@0M*G4))QBQPp36>xvJ3K0d3B^%eLvYIHGUY;*HPsp zEx5bebW1(G%w3TR*F(IB(d2RZ`vYJHDdJUJ65tu#7?N(6P?Y5kwUpO?FCI5q_R0xg zq-N>-S+nwnnsb#`g8(4c#_3FG5${M-K@YKixUTEEU~Z;DgHW_n11?@aiy$WvA@uIf z!{{(}HnQ_4++?KSy8D5JMW*(jDgWgt@xa_Ip`FTsKQlhAUj}kgzl$q&pP}IzL9ENCtI2dxC%A! zw+=B<7CBf%AIO|Z!9-cuI1z(55g5bP0uDg?q6-KUa2n7N$J4Bhk|$uG?_H9jI-lb^ zz-@(#@kSVZ;WgL%S*rxzIE`AA3w+lq@UFRtD9$l z(qP>9cs+np+88OOL{IqvDXQh=$-ku!FYW*{+X;{b#o;8|zVx7h0i@w)Lk&Dc61z%! z!{qm8lsvjA>EMt*Pf^YT^J|u{oNC{3au;4~z?`FxK~AV}!O&%7x&B zuSf}cVpL;(V(s69(NVp0@KH=kV(=OW_!QMaq{07$&g)%`7q^yz0AdgrK43$YyF-9u z>?RoaCHw5|M%eW1tho(T9SUb4qo4=|MmOemi06_MM#X0Yo5b#Q0!6R(pk6QyvO_Zf zm}8gSIoW;L+Hg*8Zjc}1&3<`)2ttsi5wGnDA#xs&q1^}FV0pfiH8wU@d+)PDq0rE) z#7Ly-%FT6TKQp`(%#b8-KzZ}VAi_fP0hWNU_!Mw)2UuhF-~YOkfH`1P!`{Pip>Ae; z9bQ!Z$zJa#6U4DY#Yq}tJ-I!2?C~d(u1j0#+4Y?Fc<2pVUjOD?SlnqQl9)j}^4$U0 zCXw%U!3@2acb8zMP)so*fmyZ{z%VY?7oLfcpF&%QhV=39dl10?ENpDhN-2vT7lTnw zppYSOTX7P^X}dY}k=@kg>dci*XmI+2gW=%cf@p{5l=#@A)*$$>2``;4w~pw3fRv}^ zH)a*4xRbPhcu47{WKafwvi0Ku{F7X-ewNH@eH)b{J%HFMW=tpYp?6^%5jt5miM>|! zU*r|euYe$^=xR2x%?&AHRFjSSgk`a2tU0(7LHYA9PJMm7;2X)i2Epk&N*Va?^-#1WDHL|I_2`DD!{?6?EB;veEYSGmV0LgT}7yCj6 z>D6gZMMchWSJD{xRp5YH>MNh`RaG>9S&Yh_+zquF{rr$U6A{q+mJgQ#zc&(@RRPHy zdkVHJ1;_gxO3w2W6I)zPRpG@M^Ab!gbmU@pH3RXz112v5r*p@<9&yFiw~{ z=6Fn4q8*DOK_Q+dA!K2$3)Q_h2q&+Syo>YsP)SLnx^GE z)f6BvBO}93<323P^Zw3TzDM_xT=Qt*e-$#wk||Bx$y1O6V!%$22Y*cP1Z3@~)0j4~ zU+66Js&j)VkbLNz@*pOj!wP!Ah13MlZ?m>lxlYq>cSkLSBCI2Jm~>n^-!K}9?fi6x z-~ir?txWMFWw|WI)!njhvE1+950yTak1bRy98OwGHVy^3>~D|SKeC_`D)26%>4SBx z2+Q`6U*<6>5JHu#$Ri(&o_40qFpV|Elegl4U6Gy@!Y7*dFVXJjiO`J9pi{SnMR z|KH~@{`IJ>>rQNys5nL9!*iQ0H29$a`6piWit@E+2WA7n;{Pu;K6g)&-*4!Ffa-tQ zbr$5=Dcn>spq{gQfj@Wc>g>Tay0*aL*iZ$k7G5hed9eUZ>9!WM&zvBJ5Oi}e7R2Xs z1ztdW=sg9rf4D#9EY2%=_b_64|D2=noWJ|~IJ&Ih3$Wz+??m^=g8^7G&;SO9Z+vJ1 z0ixosw7a`K87#-Az@na0U~oO^`JWmIvyw7MgxOv#uad{>sp%P0M88&@)g0b2^M|y3 z7#@6RMeg)p6w=I!<&lu5vo5k!P|h|(z)UoZ#_-ghr!pi;{D)bGpmaInV* zgXK`*<+au`?=|jw_?xGQDMZGiymL?l1q!TyQ? z@|%c-K&=@oHd#STgP%adYSB8iVMRv>w7V>ZksP4&%AjDe z*WbeIz*bzgsI-We9;ioY&l;ujT!UYn&eOTZU8{Kyi-I2pd}u(xN_P^z%xKSENDsLn zpn!nb=Hxt&vRni1Mk`K~^1@F9;sxQ+`hHqC>%gGFZ{H$bQvSbTn>=4ApwhhG5`BHJ zk|OZ5aiv(NmW81-34a59Vs%`fo6|K6=+mK&v)?Eo@GEe?VMBJIsmSEshNc)!>e~la zu4Xmni`^N4{P^vraPQA4{9P#_R?sGp+E`9RESFa-ll2pdZA-fRE!56S;G|YeHZ~J} z$vET7ohJg_rzXhR`tU<&Av!(q33%!aZ1>o>0mKVwrn;O(#6lV<*e2p}>Ve*yC7jf! z=_FuT@Y%@(P>F@o**@n7&sMQ2|DemFdFa^3N9kHqNp#khBakYbFvt`qk+7MAy9J9A zx;fHrmBvXekb(aEK6_pza?h~H+jT87J+K8`nz6;(SSS&J2-6q7c6!K;By1LiP-Wmz zMyj$FaZ=BY>dfBsrlJ9(=)f^V3+{wN$2$RA=y!B%myQC9ECShZPG75ehz|5Qk;)V? z+{wm!ybbih%fHegkP^T)m9D9)%k{arlG62D>WaXJ$AXo$#Mu^ym_k~@9db+ot5rc0 z>XCfy0!U-!dt(Rwjam5V>=alykrg40O-vfWD8db8Nd01vzUtd$8>kSPBeHAl zN*5>+$Z_#9%@mL)6?Cz1fW-vJeZcX^J&87~6?Il4R9>-;L6MFu69q-9LH3HI4TeX@4(5;@h6xj3UD5)9ud(1E(%D2fFiF zgG`VfTkKj=Byc~`!s(p*RREPVL?rx2+jvpD+khKhLDC_%e{7bFh~G271m}{>^}raPr3YNiz)o+$Bz0|JfS;19ed*g=&y-CkfEXSOwQq) z%d!5f726AQ3&*&R;T56Wx4#^GtxT%5TeXJs)_UY^;uG;XBbx;fEe6>X?J3S+ccV*- z)2Kmh3w~Jb;-_7c)_r$`_>b-7vlkO}8|yl8h(_FA`(d7 zMjfUq9P9wB&}oo;)?x`&1uU7?ZX8h`ua$eSitv1=*LCmr>2P)(=Dc0j+4}nOTkK9pq+;V`^B!;1>6+tfVM9}a{l_CZS z8HQ}@+sjM7;3msf`0(G0mjo{!B&~uw`(fpTDk@(dzzu4S1Pacsr@gMO&MA5IZ>sR* zWMr;r&IeZa{_4ZMiNo%xsS0^|f+V0YwOq0=y;}+i&R&o@dh1_B3Suk+Cbi|vGM_I> zy*vL!FY-zU9=|O|k%3B|2%vZ_`ZcJnj?_B+5?LQ`$&B#@N_Me>nOvk5U-(LU?@>^b z;LCRT4Y^PEg`fS7)U>;2xvVcAoAWOih>;dI<_f$I5AMF75bGqF&#r#8NUx4Op!&n} zofXs=F@UP`R(P|_*AGI3=>muYF&B>SO|78PT&$tN;HB^yl*ZzBCxdgrAEDx<*dwci zB1O3{h|;az?JZFJa>1@76fgue{P{VQV3coRzoE;x(nT!1nmGKn_cz@5E2P(uH>A1J zw4p*O)}-iPHMbb#HG+1&9`K#2`D{jT7E zT|X9x>M##G32PHKhb{t4PBn^xD-v?uPc^K<)}PbQQsGmdkwLdx0qN3Y~+M9>MOHWFsQ56kKh^E;**e`vFe%e%B<-%d&#De>S=| zbqRR{5N%_``)jL?GPS3)zo*68f_n(VJdo4{w$^-FOyb1XJV%rUpX{X{9>983GE+Cz zb9rUI(myUow(pX!)>-i+>hu~V8V{h-D`vL|!#lBH2-f=Nqo2zXSmbv)>!f?!+tuL& z?|#Xbx=hv|5G58Q%LXy5?<{ssf;z%?mSQX%xED%&BY#`}?SsW#w*WQ$d?LhFMR5Q* zK@oX;cd8gA^Lzl2u9v`vUkbYp@rufsa z3?YmRO1%EGy9_KAJj;q!sKosRIHxEzK^T!CqD}M_YQTmV`x!h-RWhoQe0RP+qARq< z>ZP*Qv$c)KpB&9;5_aSe*3+u#B6FB&$NYO29gZW8db&28{#ST0W)h1{RwBYSI%V#t z1(ivBzk|4wo7QAw(Uf+p@WGSR`-R?6Y(naKFEFi^TV_( z-CXPO;%vQFx05?fOiI2aZA-*+pG*oqk6HU1UT8~B-nYE1xo(=Nd(q-H)8L6)Dq>z) zDj_G)Z4N&w4@a28BNw4nVc)(w2kBF3M#Z-MJf0rRFQ`oKtmx@t5y)vEqfpEsHMzgP zc#S*a@B|k-dW~kfWoU%=;{1nN|2LmS`c(d>&|}llaffiAnv>J5)0j1QLP2;TpdE4` zTs-G)hn6egV<-`ZX-BL{25icJl1O?`E|UlZ z`?}BwJZV(uaC`z%}*(P4uJs z^3gh*Fo~N6Po`lr;@c>RXIlS<3y?uU7{&?HWs&VTQn}50@$q|-^>~r{Q?nWu>=fA< zply397tjJWVj}lT`Z$)2P_u5tAQUj+o^@+teVq#Sa-PFas`z9V^gxXL&*S_%Fi6;palJ%E(C)nGRbi^iK_7_et_uUUataZPY00c{39Qj;r``J-dt(YZuIK@H5 zLBl?)1y_`cjt2i&djUx!nmR$r#fppCuo$Pin>pwz(_9%)mKPEtTd4a!%tUNUIiBDp zrfwZ?qt7)3-H;tDVEiZllf^KA^W;BDXr!NifDrUJQsC5nPjm?-WqW-Pd7J`j6$x_Y z1Jfvh-n7Dge-8to-LyRa{1Nz@mUG9ur9ttF;#8Lo4`rXh4`}*$m=gzg3OX84yNJQh z@x(wiPaNSd8;UfO3!p1)GXvSH?+5iHXhBhRUb0H);?86(u6to$OObAF`zid;<@S%? z(ar>J$y8-)p;%_9f>zchL5vACTARnKPZeT@W7Ypt7HIRxO(v^?t#9$Bi2-r+$E zc5}_aN@x4yQlQL>F}f~@i39#K9F@o5{f-BlI86re@=g@CU!NLXjKb^C4m}WqvD!i1 zC<#V?`A~?6#L~%ObnsD82&}}U@i+Hi+UYg=XkdMv4=Q}QwR|>bVbhzgvA`t%j7Yyw zJ!%nC&2p*2b)q5Qon*}C=N-?}rCo7!vZaD@FquMWCw{)*E6w~Xg_{ZWv&0cGHY|=W zZ{uNo{M|+`JO&VD&)Gj{p5jKs?nKMQUk8v!gH2*_^dU*oYmpya*17kut{}vmhu=(? zRAl`+ME-|u#M@`uq5gOsS;dDP*Oi$@Y6U*pf)%%T6;AvOfm)ll{ycDu%@#7bREhx;dFEc|5mF}iDLQE5!Iu7mn zEe*PG{=O?t&F9Pjl7Bk>)v<|u})eYPV^H23>01|Ra1JsbbiYQ}Y)+_tQb6+JPpRCW+ai7Jy* zNyxELP}`;#pi`MPqKF{_#HMbz_6k()+aVWC!w$>(QwL;P$)_peUaO~>R5Y~W@^ z@g099%7h$y&FcM5skL7+SnSU{gBz_lkNha*E#v|W9lC#Y(~Enhl-|b|RJF%jk*T}} zme+3bW_7MqA*v^oLc_<`J|v-@%W2iFf1g&om?w(x%4tsfce7_KN|-tB)b_OI0DP4m z&r}8zukWg-@$pHInf>Ig_+iONWO(zmwa|85r3%pG544S8_=O*nPhz}9Yci>NQn-{T z4mrKa51^iWBW+<3>*U|qAih8Ub;#t_SY6pmQ<^K$MW1NjUl=J#S-O-col_`_Zzz}W z?iT>KlxXx@e(usQCLieEoSw0tDGUB|o+IfOi)lZV_q)RCwasb@(D~o0%(OS9t75PN zI>InjM6u4)^OG!2YCG5zX$ryp17nAjEwPP`e*2%_9!(AOXuvnf+WE%s6{MudQuiIH zzKwp^!E^eH`fF^K@CS-$B{dR@rvuF1uld_nzq}i8OynT>Cv%S^>-y-NQvX(zVk@dh+PHzu?HkYk_V{tH|G9=3!nUyI~7mLYXad(r&$e0YCh(2tE| z%OHoJ!LV~CfI9z0vD=bS)n;k_HAVxD8Ys=Z{%leO{pmCjC1R($JTyu;;p-v*ehd<8 z{G!spH2q4oz{t~eb>w%qXT#koF_kiAzrCYL%I*8rxP0|v(c*@P{qsYfm3~tQrZ1_` zL_rq<#SPPCmTf`#MF_QeN=`}q4P@%7D$x9OF9}iZcS!Qp{3o@17II$hpR4(K+>9y{CH z!+$c9D6f6ZsPwT15jXzh)DkKno9IKJzG0*|S7UOOPq0OGc%Fy%CY2-iMDm=WZe#?< zDwC5xRs#*Hp4dB2>*cYc_MZNrIzL#UdHMxplM)Y|jj>x4X@vS6yd(9VxpaD_T2>U8r7j`rXcOnkVOD_Gv7mR|(Yixflz{Si$cME0deW6M&-e=nb9lx^CjV&#$;}Vz*d$VdsQY3I%uKzPXkO9MJS8Bo?uK zdW6a$Bj`nLPt;S!jPb)P=9_#4zT=~Il?t{GK9nHM@ERj$O}(sl+!Cx~ zVKVKR*`OE4T>BK39;4A_RU9a(;;ip8r zb+6N|BfsbUV`J3J%*;z4%K&2ya2s(pl)eM7n-vbn17PqvQP@w+l7hdhtgx+^?*(2l z;PsuaT=Rk2c^+tMefn{SiD^OZ7cpqCMQIR=u9Y7RbN>!~P2o<&aG$ouedPw!KrU4X zs7LMJaX$$QCZoHPWZzXcskVJK7WEa1rn%nL;(sV_XpjS>$wC&GPP2_s z);tLoA5W#RcJP|tl|B7t^;>v*qJl=?X#*Ku^e-M~<$KaqPSeKiH)lN@Sq)^2H8>%m zR=X{;wD+x`Q(jdn3m4h!l-7~0=u@(K=Up3e9fc=H7pvkZ1A6M9)KPh{3gbqz-)^tu zIK_0MA3Oc{_F~a3tHxJ#o5JShDC3u^Qq@N2x!{BY9?&P7{a^ZIF_V!OK@WqzB=Q6> z1ATIgGb<2Uj9fehOmzATekZ`x?GU6jC9CjBDpVvky3e?qUGAyhbM5NtitqL6RVS$V z0D>yllb?>`rE!46XbtjP`{6?3sh=-n03)PrdfK#Gp-?MhZ)=pVFH4FNAkK}{SLFYLc*X)oG%$b>)z3WS_z8qNw z5NpL99LwKcag<)pUJo|uzSK$=RBSh|cCnnP^V049Q|-De=(eI>A8^YI*e#YQ!3Cu+ zHYno;ORnJf?Jm&#%f(_^PjT?I0%@v%0S1YAR!6)Z$#pHtA!LnKs2jUtjP3Pz*wU^q z$#!d2m`J&Q1`F71A;74$2XBkt-Oi82DM2A=2rk%OdTLJhzj7Ma#_MP=URIbStSUDk zr#`_nu+>7u6pF*oy?8~x7so7Onj?q5Q|HL|@h@GTT;G4?G{rZjQ>{hI_OoxcT3F#q zE;;bXbBpvZcZmz|a}!>UaZ2}fEe?&Eo`xbSUv9r~CS{cJH`e+k+`g?y9c_gOJaex8SC$-Tk}usOp78iW?mCW(xinw$FZ?#y>W<{jpt3;`#WNaL*pq{568uT)rojz3nHC^rr4@S)tM%HwSNbt`IOa`TI5CF^ zDQpMOd|mez6xm?e(w?o+RD8+;Be(vmy;Nw96QIJNsemd*O4om%{Ytxb>)+kV->q^S z*Qs9+wI6`6$osbgdajWFl{cCov9`9BPfP*-gXA2-{HR#@fSTa_oMEvo-I2#e2%F#L z4+_?^D+eORLEUb}jO1r}O*$Mz091Rt!>pbpgPnzQL{`T=IKuY+&MM6}jQM~og&Udk zj#ft#my#z|6wxt{?nQRYS%+(rAr$Lm0O65qO!W%yGDzC!SkS2*tGocF5i@?ELObPL zJ#iiNosRk;ztFQQd3NhZ`47mCHdZ1P{lcSd%jT=OU%mD@OndeE0ropKYh=TFsyAc& z*CogS@$Yy4Wkx#~jD$B55{5NKF?^DxCcq5RwfIpV&K?9gf2EC=n%JHX09^7qO&1|r z5R1ez%hID+RRTvxr=S4Lu9?Pf{M`m${KW(-Rz9dJPgFVQ0-G!>DJ|VPI{I*i<{k2A zXO;nAgj52efEAQ}U&3kw&ET4;abMnAwMFDyodP@;7HncsiiIyWyB~V3Sw$X8>WD=j8rF8Wea?O6hK;4|WhOG2gBIeLz9= z%Ji8>`NOyE`H`H|zv4)tiHO?4 z`EIYpz9Z`S925|}&-PI1V}^h}-uGTi^D6d3Sfg&(lY`C6ig$9OYQrB!ni>H)tvdcY zm(VQB^<_>@j@1^d5-?Z+$&Gu=bz<7UjfmZ}g^r+2E(>rnSDlGUejsVv;LitesiWtW zrf8~JJl~IYmiu)fOLWAD?QeXdZV3WFnosI5w0W}Po^t>zTU^Mb0MkM^sRPul%7rXP z_h+XlB457ak!F4Sq!FaNUtd;!Z_25P6PqC`N78~Quc8lO$I^3OMXv}-=mr;& z=Bm_0?8y6_iB5SqhZOiGEcIsvM2DT}GRu%p*UUB@LrUrD1ty0kSC;*pmKERt4on;ig zT<^_b7&f!ZGs_@oiVZIuAB@A87PnkEvrOL+XNdbN5$9@S{Uzb2MJX5|8~;x>WZKIa zWR#ZG7rPH_erI79gvY8hm=NcWXcW1YnKVILB2o|g`E_6G4+y+LAl}v?IXm;W|I(B$ zuZ?B`CMveu+V7}}&0#isUoy9~o}h7o`MmO%9E|e;P+on`uG!4fP-TK z-`D?;uq04z%#=}%`IIWn1;5?{;>3F2OJ>k=s%3tay>!qMcycklQe9ju`=_cG%Y0EC zOiUv^4+VqT*%dDBhA@;{c;sww>f`Tn4(_$dY_wxB6ROcnPz17peX1IlP$(j9iqwXaJRTk8V3Y6Kl$ z#s%~m6sgQ)T+JB~S|2qsFP6SW-l1~fsEf?s^z^vP#Q*54x~nU@7jB)75P^!>v3Bl# zs>dRBO82Kp_Ku$>h~NFkzFZ&z|9QTH$eHmFB^&tZ=s5VNx~JeVoap>l526LJU$^dj z*!$axr*Oo3A^z%zG-Zpn!QgJ|_=u2y2Y}Lr4Mb>rNIy@y`o$n?v4mK+J=9@gz zoTzeQIhWNgGYH_H@~i^hrv2el!b|RSsY%T9L#oJw57|u~B!8~!Vv3O!_uQ?UaTxEv z#wv)2rzv{o9^M+*lnzh=SaiE_>dWRXq@DH;c_JWuG*?^P~~_Xi`I%~cJcRrew`)Y%NUW4D03OMItbab9; z$U6`5_+pzYKeZfA;_fi3=It#xSML`WODAmkbb;-|El0z4E=R%is>VsXlmd95^uSFr zd-f>o-;=on7BQP1*}iuup%t_HZ!+51rv<@M;0fN%0T7n3&;6s0pXNd7;$2LN_v052 zi*zT-?HFE|s__)4Ix9mN77;8o0o&97Da9G_W6vXgT&1l_HA?6 z&B#rdZgfx~CK5%dQ>c#1bvNZ_{UtQ8wCUcpMBydTtsxfzD;_{s%WJEvT%ErM2loR& z-AK;X*4ApKwYAkm;PH1(w;7OiS?2&sppX;zV{TtxpS17m*Rwl7_ZR;`BZb0I$O*8} zcVryLzQUK+(1b20aDiDFS=oYEQ>}fZ)}KFrUIW>g6c<1Li`bf)*Qu_D2M4t~3kw4s zeSKQ7nc&+e6crUcucr*6M{`cJ1Kng(Iq6%Z)vc6ImgcwuL2Yt%nH{KFA&+sMD#k49`}QIXwB^)VoY)dFQj4ETuy7dK)FEE6FhnvHbD*{r?u{>03~ z!{ei>9~u#{PD)BDzwqy0Lt9Tzv68p9_e*#8!xqr1zzzV>CQ~yrSC@dwDR6srKJ2!? z)FC=&mL6D4(G8EnjuO|vzFr)Tsr075y1Ht09Q_wK#SxkyPQ2Om@kXwFZ^5VZ)$1^o?rpUN6`w( z=Odr~<5_+}VkjyqcIU|6w}UT9)Vt29AS`Wd#qa$gJcj}zYtY`_9)97G=7TOygF;jS z@cK|i>CI#Az^@P}hM|$QYLiU@27g-PDWv)7P)s9cplPz;fTn{|<>kie2`|KX)0b1Y zLM?rZm8sXnCYfXwrKzJ{^lI)cXP7W7H4gcf90JcoOwV8M$Q8VqxDV2MX^{L|&5VRv zHG%DvQdG3AZD+Us6)aiM+}s@4;2Rt8&fmX&X~t$26f9$c_tylppd_F;J!}cu8si~<6IRV0d zMk234p%zGL@|Ds)%~8q++*APWxlo)0V0v$19jIF=c1?b6XYU(9*$)NK(7bc8TfeRH z;_x_P{I`)2-izsK6EuB`haUTc45b}wa^t#^F?yzXC@74e@xoMu*gch4MI`TU{v zn|Z&}S>sv{UbN^Ipjl{v>qLbE<(XrgRUUZbXV<6mLeEFwhF^`zK?*2-sQLCz*v<82 z<}Z-X(a2vPQ3Az{C6)@n#e}Td@sMvk{*Dm~G+lkqcsF!^on$Dc1{ zjr8(Ydm-c!eiuiIr#rK*8v|@0Uj!2vf3@XFu_tz5v1=g7#2O$@iY;fe(GZfU0giBy zL6HR_YEs*DZOXqWW9&fZQ5?twi3L$$5u~ERszb_&F)$25G0hD9RkF^Oi1Bzbr{BS< z(^0ZhNR~DRa%CY4+dkSPx?TQ$rbjTl>L-^wDe*2(@RFK^#rfp-`k@~U3rlW=vyhOG z?L4T1a!&T_fV z=fJ3$oHKx_1?63(Zpzv(Uc9IQA6CJ~$Cn4vmhByYF7W)D29k#-=Roa?3GR?r=!x>R z@mSl|STNz^|NPi;U;m^&uFtg66p4nXbmgx_YhV3~CY8S;>xiamJKJ9t@;!NBoqAYu z3$ji@`vKOYjX}%=*^~5)U;Pdf^S-+c8acRgEkGhv{^s0`0}j-fQ4Yg}84QO9mACsO zWda)Fts zV9E4I`s*FrL!Ptn(&Bj;`lhS?w72?_R|%Sjn2AgzM6B?>Mm;28`||hzX~=vnHg;1L z&_*ok>FL2@Z0B#z*K^&#zp)QjdPMHsxw91<8jAJ9d4GRD%R0P&oq>sps&a%2E(gw= zzYTE6Jtw~dWczZ})zxX~!I^n64>zHppeW52v<#k<2!E=grl#AMecvm)+`7xHNes-} zywMDlPw6X%zYN1Z{-gf_A;=LvM^qKtg^<7J3zbo3`-f1sK43t zP;kIEp6#8#*%&X&mAWUUxZh5xYq2qa;^r&{z#*+j`0h|(YGZ%@OmO?-+S@BAHUX`3 zJGf`x`|2FRd)3X}`T+j5!P0KG}|MBpsK1Sgu2bqKXhZ|-BA988v1Wq0t1mI4Z zmNbVGubo<2ir;>H7yN|CPH!Lv8%Jw z=z+Sr_Z{$Shxr$gLqTU}-v8}oO+aUNCP}Q$?z3*aiUJr;wv=USXt`W&*(>mucL(W4 zB_^OU#nayfUdc1y?+v7-r7wPOY-~v1K)GnC-}6DqmGf$;sI|xzV$!PEH|At#pFa-{ zUQ`AQ{SFWa#JS|*hMZFqanS>L9JAk%-r+R>=d6Km;!X$(K^dfQYqtXN!bXh>VCC<( z5(=dE!%fcoNPHBbe)0e$>WQ~Yf0%a;fM4(Z4w~Om8D6f7VKndS<8WEDUMQ$KhsnTl zn6b4fg7|sJHo^Glr56w)#?^6b2oaV`T*+FyOM2If9PGCDaOSCeY^3D>;Q~N6APa(! zMyX7j1{e(YkE`gF+El2Mk7zhXHEuH(g!ZPjy-mREZDtm3OYw;^#sN+sHY6R(Y(D&< znEGNhe?TIl1`?o1PDwc|1UBvV+1c66$zLc~BTQgy7Fn2>{FZ^0UAucZN3G5$o(Sftj$;4E1dxhLt!_ikLSo?wQCv`ejNUY2Ls|nvC8~+xdp! zUXBO_PWxiqr7_(<}28=U6<@ z{RKiy$wX&T`8jjfp-B0AXdr$AjDrCq7I!a$ijM`uW!(_@VNd=S!Bs#jcffrvorH;@ zA8&qBZd5Z)`;Dz1a!pr#`t+&j=HhP|m0iwjZfvtC@G}c2ug`gd-UtzXa`O^kOMdnT zuYMQs)^{s_bqJSYl6-w&V{K&ke7tm4g-0h#eX0sXFF!Y@t9E(UtAWz>1}tszKhrmF zu2ggTCFH;x`cYk7Jq|75VPmsIzIjtWDUsXnReaaM*9n0Lo~#1fxfNLNo|Atg#Rg2= zI$7z~r+3}_!?tuplA7C$jQ38t10EfCIVh9jM@P>2&(`CGQU$3~z$~$!#Qe|L4|Ph6 zw6nsl;E#2@{OJZ%r6K39`7Cpv+tAe*Y6DF0^+p$$fmUCB3#9fmOM zFGpd&@)9>JeR0dN?zu0EqDKU?c7Y+q-Q}iV7$`Bw$$}Vl17ADqjK54{&i^KO{p7p7 zBqErt^6K`jRsMa5(akWJF9ZIQra~}#ms5$87JBM1dpP893eImV+U5}dZX{8d5`IP) zRe$on2~$#@vb0PS{TK>q=)34&)mG#E_ahDk+#yWGoR44CW}!yc>+|GKEXiMnjy9xF zzsDKkzWfirz=HO8SQW`{d_Pb{g9`-WVW|ajHEotxj}j0XO%SfC_bBb-2DWn((f{|I zL%>X+m4)A^KV`trXAtuO@@8W~?b4^#P+sri{yW#dHO zjv8E$16qBZiAO99OChwaG z!6jX4!DVTmw9Ac?nDcJSx&qBOS~(JAg8xld6@Wl0UDj9p5BP`;jsNMa*Z$REe`Za; z+$FzBl~eZip>xwUb%NXl{N`+#)DYNN>#q2)CZ@jSnlaEA!3rFJ>eV#UJ}K{i%(6ZU zF#?Uvdy8#~Or5))|9V?FqLx8ug#ZQ1{q@{{dkvOK0WylNcaG0&$Y;D5G=`_;7S z-b2Mj{LpM=auJ|)8AvQ5%gftyYqC*yHOyDWANlgAA1@j-B422{+!1MA0o^ea-`;tc zoG#_~Ada$Q%G_%<%%t*p#`RMWJ#*{kFdqG&A;SDkgn<^bN!8mq!9-o}&*t zt8c(Y+3yqS2Lqp(gZtOpZf{QIvm{+xX|J-DiEc6vH$3wc88_&6W~F_OKE0m4J@_Sn zUeO!iCE*}3KiQpkp8ISdD7l=XD<_oOpPpo_l4up^UhPj(8snJX(l6vV#{cGg^&PEr z>TMS%2|+3_pX}V+omZJSQpCOZLDz$7 zEL@Z@u;B}YwgnoF^sj)t*M8y~N@^acmCy-+^~Nx~=uv1aXatnIy~vetb$(a?T6Tov zpK?@Qetfh9o>yXgd4ZWx+5-=)uJBSjc`(cfM8Op`G-X*cF$}^sk>nDfu1k6`8PlDM zoUH%`#Fnypgdiru+`LNH=7ilt7Cl$1TL-t0=7=$Z>?C)4ju1~-&U6L|WkYAap(E%Sc6 zBC1VFhju*MYtCWK?5rM-KTS}Lqo-pg8eHIlzqYWSpGesJfnoZKS0ed3SDW?=qE%1a9 ziTvO}yk64ep4gNJe^i?Fnon1;#c}__Nm0ma$Lz3%1AaD^n}fNg<-#cG(i|!w1-@LM zRWMGKi1e#%`!&ftl86!*}3 zhAe0Wy=mZZdk8q)=U{h$DzKRI!fy34iFM>K>qpDqi3|aXEfVLCp89!4UoLvXudu`1 ziJ#2NUSVSs&w+HRz_3_<;)h)VK7&cQmC6vC=$~^br9??9YwO>PjVfL^*qx{I0nRr) zuYrWBJx?(tS+1zuZ>MJcy|t8msDTX9SWqIw8nAfnrz(ocDeHOYSB}IbgCje|!f+3n z-GF@F!zo%MItwi;~+{Iarwvm*wEJxmg0?YX^_k@|FN3g=)U3wle%6NYxwZGY~%z%%;SvmwDRny zkDhhF6si~|&2AHHI+ZpS>3wu$6$plT>5koDN2CQHH_epjZ@(~L6g&z;1V4OxHkOTg zaAdW2SE|hy&TJpqcsypxjg#wKcTSxXE)n;fXQX@acRv{95SLoI*d%ZR!to#}2+)*@ zw=ROW%H6dLT$T7aHXt#JqGV;_!=>6P&%$$FGksN6)`iBsE`592QC2f&>f9j4`!(iC z2xu6_uuITnOG`1oa_GEfHgMT`IP_)F(B$B$7b_|DIx1+Yhp*JRPidwO;nKdUmHQ3oKkX zm?Rj|b9j^r+G@pJ(gTxTC?8{z25gQE`6oMB>f0Z!OCiWPIpWHxl3jvTuJ5ZgG+HJ& z@=Eqx!)zE|-Dd|ZATO-WNI5bwu59I(Z{;x|TDUGuOh*uZSEjD;2swGdH`Coit?N)p zg24SDN@%kqB(QvN72}Pyyj?Q9jUoN4|G9`+ktsaqS;C^}*gS?PbT4AQ=A1f#X-*AF z%d$}WHMy-8{unABmvWMeS`YT@?az z3q;HK>;@o%dkr!dA&_fa^SejypZ)RFSGI7akAz;q1Lb(e9^=j@ii#28>#$Fe;C9V zPRb;49&2KPw+l7vIU>%tk6)!Rr-K-reiu6a%X5g;_7i!W7jr+s1IDjr9TX*Y*`8@a zshcQ^KbVIsz>n$a>PCp9Q!bXm-X`beRikK8k3yM=)R2Nr!8md%QjFvMqT7$d~!}$-iIZN4$XTp8RA2}R3H_QiITxq_<=bP zxX;F9KC6qD!}{xZOj@gsP8CRwd-l7Jag%&u>zC5liu*)-YnU4t3l!t!T13Bb7al-< zZP%V}f46yN2XVwm{V_g|weYGi3FngkuM}~bv3Fm;zG7029BeU2_X{2_^!W=KlDa%G z^eKj57|mP6chG={wm;CFI~x)H-cHdKC3c}X#o>e_I79zO_X3|l2bI(>ad`CP12-H8 zDrqkZ`x6{J@x672z~a2*bcq8}&yB6%1bKt0p^KqL2{D^)(k`axz_u>(GATU_=99%e<}k`C}Bs^14@gL3^_j-AU-M=Q)G?TCkU7fDO5f7n8a#BiWq7{ ztNk_)ui*E9{*WpN)nCqdq=F+fL6PVBfWx(viaN?^+k=Gec@RdS1>Rlg03jrWc2g`r zNN$k+)QJ>(eoW*j(o*@|Yckl6$J(>~UtDUlJqZa2vcn)w6}SV|h_V)rQpy+4p1tNX z*=V@^;{&@YYw^_tGqT;Uv9bTI-d_sM!4tNUed7bCtzC`n6({1?-uLv;89oomQHiiC z&g;(i9eak}2I!qIgTHsTeAx4n%5emTNp7i8gYLN^KEWDhYNhjm!-sj>2D~Hc0or-O z1ue+ym-ZCI0c%KP;MGd)5JTx6+&{C1@W_f&KrQ27c!L_&SCfa^3Sx{2UTzA_2i)<* zkk7`7iq2Raa1~u2Z0rVhn349i&Job_jCK0wGE)+iNkfK4xSsSoRNp=)*jk5cOB6_+ zh*}OSqFpsQTV%&*d|UXm-HYgAl)DWA~lK%N`p$5 zbPt1ci6S92sDw&4NDir_poDY?C@n2@AN>0LU48HS?|aw1tXV7;GxMBt_St90XU92~ z7!j2LC&zd>Uk3+U4$DWILFL0_=OZ%Up}8Nqnqb!O$WNCu3?}0>_DQK85^QlZtR;*b zOB^_pzyolUoO~%yI8+hx-R{l=@(ipH`!Z=(*L;Q_icZBK5Oo=eT{3>{5YjURFcg0E zvNo8?h-pIdLMNhft#0+b=F>8l)L@G&9;3c+^%vPdI86nu#utMB)cYVOS>#xm4BSqa z^ma-MFKWBuGTu79FT;vqn0DF2NMV;RQCOt;mMGI$BR|7bS;P=2$2Dz~FsWmL_W0s3 z7a)v?IAGg;nuSF2>Cz0o!V`j<K4Icf8h75G$VF+wL)Nox+4FkYEUy}J{NFz?2)~X-nhny zQR6%4vt0Gxl;$6U!*}zYYp><1i6_^9Jtf3=Oh==FzG_Jue1DdGZIu4Zq0G7W-FvYF zw%r)qvtaN&(REZ7_icZ*+w6`};#2>f&-&WB;Yz_Bt_Ai69S`%W#vewdwA+>Ovuk#c zvnz~mznb2w^*F97#!EeYCS*Ff?PezZd62B|S@ykAK3ta>zoAK7hZK*u-aAu|sRtUS zh0pE>jBcg|^PulUN_eh~hYsUW$UU|v7R>4*pA#JG%5euhR`G1FPmK9=t zEe&$8bVL*DZ3AJdWZZ1UCr6#oyJnXeZHTff34hADLw$7gtPruHmwqfFK?Svm>K}Pv z3N5l6E;P=uYOyQI{&_f<_9T@5kkgCNKDph5#J+lg2=o@g6%n|IIgcu0fH9Khh@kFG!%I~sq5Kg*+0H#(Eg=Z02?^dHJaip2YO;=FJJY)#E zd)uHGfedM@OIXtleGXIg@Y>x;dk|*)bDgQ|Cd$Zj!kt)5n4gz`lmQKPue1Q0FXWW4 z%3dFSbE}J?SZu9NYL0YJDt02n#t5`h7jwqMQrkd4cTg!td(?WvHCA-rsrTh@5P=KU zuDYZ+o@FYa@#sgF1_ncLA+`9K;2mnPPm`q6XMTpX&G&qn$$eJcSbAzTQfKnvb<&I^ zviT7~p~qOP693(Dq=m&u2Z7qB{*8ql0HqvK9Xs1x>s^^G(7tsHczzm1iG zX00h`VK*z^7VF`6us`HrzKaun`e0W@C_N;FvWF588eW{mXm?2O8sfiF{@Ej~m|?Lt z&2YGVMpW=oOe2)6yK41)*sJPZGUX^C7JWz3|;^B2?&f zPQ;{sMWF6@&ED_uxQbyYE+$FT%1FNiLDyKuLP&lT)FE5Z%tyl5kXacYABy^N8~bt` zHn5c@vv{x)rQ6S$lj05OikEa!7k$=k825|FdtcJHrW42xW6?GK{W2)kQ-m2Dz}|M zEM1#&O^#PoSN27Y@TZy!`31{^eNekI71_a1WHSg(*+%!V%6cUC_JYQ_8ehycrW`Os z7QCa(rfDnYI9bGUVeGClOGixZ;0}$G4-*pP8v21lxGsR zz2_x-C2CJqL=B=6N0K7FSLZaP(1OOq2Jh(*=;dCzDe3~N1sP}in7aQX=VJ}ndl~k8OHL)EIgDSBHpxT|hW7t>j0h;q}e(df@5( z^ybIh9%2irJiACU_p~<<1NsV)Rjo*On5vHqwO%#KU_*gl@X2IAb_ePu*81Z%)u%x0 zOrYb;x@F+pd;|>=g*6+nYF1-|9gtEhZ5kFV<*Y7`DQ&Bdf3KMHl^}^S%_@ z$k%TBz`;C0l|zGu!K+i950y*InxRI1n{B-6=*!LT<*^*s=90}ta%m9Y36^MgZty#Z zF6n#xvMuUqlBWku_1duWcAA9*hN6tJeIhS zMQnrr8q#Y#xa1vz?`V!FGJ5H%7D*5ebINhUz+NLR%R@$aCg7c6&SecbszJ6nQ`V?k zT|?&U4fRVWN1`LAV*!@k+p8jgyzxqVLQz)ve}=X`U*U2BvUzzyRv3f!=W6np;&RpIb~ZexA!4fzf^N~frLCWnnf7YEiCLCX_S8qGvt+D?Hk8F|n!Yzi%*8&Z z6?wJpe6!H2BM^qKn5+Nt%kiy^)zD0(cqNJudgaZTCm~B8_wM*rT0c8rbZsA6H7xe+ z6Uw_?p;qfD(*?pL(_4Ltr;3;t_M@c>WJj!?b#GQXbick`;h$CBIQJEgq$DTxBUKDFI=xz45I~@oa9SwSA`V zTFrt1InxY+0zuc^Gkw-({JDgKZ7Xa&f5cEnAzp(@do5|1?Y}}P?gSwtdsBRL5$F2Ap6k!+XkruA zJbRvt=a;%%nouN@2?Cv)JmN=h4uywT6H1K;ryUHlc>9mX*Z7b(mIb@vGSTd2VP@@g z!uAn8bp}*cvS^XrDZ%t_Ji9P6E>ZG~;0!`fT9y+b9jeQ^1aG&cFq|)CsJA>{ z4zf7?1g4TbC_L>Ga^!cs{=#roUS>~Xa_x}mb5lzXTU&4p+a;$fmS3uHi&3}d zMi(>MS)aXmp`5O^B#$L*m@H?Tklnl7_M@tKxI~=kvx5aLD=eBR9N+1}rNuXc<#b=# z%GJ{kziXgg+0d7DC}&ZFfl$fGfD4uR2XtkV84*eCjc9LC`so49i@{ux2Wbi)rRfCd z%J7MW?bew0H(pX~d>7EW{%%v=dV-UHY+0gRcD=7H%2M58)Hib`4li(e=$%t*Y!P)! zou1D^`i6iN{e#|&AWypPHs+^y(isd6KQooD4-6goZH(@LvMuTUNK|l%%N9X*#)%G! zE%HR=aC$l`m_cNt?Xf(}oC^u|9(|Swl)5}OjB1=r}~{CZk;uE={*4o)y@FL zrB=?zA7Ph2`zL1*o;dYRTPJqjTY<uhQt;TyB9@2naj`fSz@ zg?v1|1!o4Fd<+kV)Q3%<@QQCb52_cRR+(xqsUFBWH4PkOCZirVo}6@fNl4WyPT|wj zzk})ilzEVcwH{v35ZuQcPl@4zlvb~i#Sblhy3^PgHoIi19wXA=&>`85&iwh4TkuW; z!{989DePUn{j)by7>yz=)o(Y3XG{3lnveH}M6v?5<>ud~64tzMH9svnM7{R$_N$u7 zy@#1~>+@^-k>7f_4tDBwo-J#b7Nse@LV@#Mq-_^nr4jJ@k*r$vpS}QAj$1?8oeo<{ zQm2#O_p)^NP98KoRk^-jhYOGVSylXzwd$4#hu&Iqe-3UjJ1jew79&$tTIT^3~2TR zMiM4o$llbQ!HvV1I*piJA;^13PJ^JO-7zOg&M-BZEv9|Ckgw(kyP3CMECr=VxxCP* z%vm%8<45g-AM3nbX(rp|?kK-MDqWdm75weDg_;>iA^8~t}w&prCZq%&8K z*guI3+02V3ER6ztvqH!^4>}JW)lDS|d}crC;6!L+N2|4!TbcMtdcJ0FBP050wJ~GU zTi^uN#BxPK-SR#KZ&BDQuFa)bJ?ifVwmCMwHshZPjM*z}i!~n3POrN#@jF^ZV=UH| z*JmQTz&_cjlGw@M3YU0+hC{G*C$4ERboQrR7e|hYK%Mkghw^RtaFLddtYP%p(qMsN z#`j(BN$)xTqmzzx2C*0H4HGpjM^m-SpnX;DZC4&xrxyy3j23$|0MjSr;d*?X4eoiv zqruM#i_@;MXmV9St-P>ML;2O5Xx53X(7HP8iGrSst5j}(jrG>meBz$N*_RcanT^1t ze;`{1mo4Ds3&Lah)y4gNL0p!ylTh`AjV}u>=`tB|RtN@}&J( z9f_ZBWbt{ zzhTVk<&x}pPaW~fs5<#!Rx3Mb){;WEWaMFRaS`hUC-kZ)7Q?XeV>2Fk0ob*w*N;_eQxw#h>8`cV}>+)Gc@mrP(4M zyL0QrWi5!$M__Owk-IBn!A$P!tvS!epbEve)(Re3$+)%sj9K0=8V+bro$=jvIjUY( zmm7QiZu6>ehW`lq`a;1*S)aSwrbQbMvUDdd@O#vmX`CjHA`dzIfI#HmU0@gi)BpNk zHU#^oZq(LnS#h0YzvrdTyH*g1-Ry;H`c(=HBTw0tfe)2|=Q(s7GxQ)>NF+&y>_W*)Q75(hmA}^>bJi+n=X-c_-pM3Y+yZSEq)y>4<`h!qI%B`ijky-~)3z_ovWAWwWVltllzQ-w^Q zFRxjX;J87`W%DuN3p^*VO>bf>6)r=MsG)Ru+K#y|Dp@e@_-4tkCV(vC`%v>d?<8th zZCtM)Q3P$m@Z-sAc(ww<#8bhyN3+lMITZ%8xFniKKbb6ww+ss0gqAJ0IC6uU1(Gzq zB^EuOoe+JsY4EafFW>feIg4#M7fdZb>@!NeGs{9`9w^C*%w}^WONmb=q~EuGCJH_7 zcKA|C1-edlKQ1yX%vXG%>3i?TZL)k!G1bBzcw&yD<{!EPaBzjfRMk+Qq|cz^GxWHd z_}-%|x`nFboUiv^aU|s6FJbS&w$mQ;5pr?`#$tN2Ix{-UZGRJ^GXQok4}Y=@lq{uF zdQ<@dL#|8#zO(mL84p~!m1jb#7tYde&QfIPC?99>D#zo;8TTiBa%B=LEtUdtbiqpH zsI#!;S>&>x`s@=_U-$$qdkYuEETtao-r+`GO06#B`-L2zgWge6Is=>Nh9=f(w^_L%5eUe|^F_vp8D%UB+PaO!BBzJhsz*wl?F}G{6`G1j1-bjkvQh zg72>(pR3G85{1W[(x6a8Kj(S={1$nwWsT3GSX5e>C`kg1B{EQ?t7`4_{+2Uo3u zy4P$;zs<9gMi3(?Nd6d06y?y*`7agAe|_T7E^$|K*|KyGLu`sa9dTqgZ{hM;!q7hi z!Dc1mC-u-J*-Mtz_}GNJ*ZDfX=++!5o#$`ZBFvG#+0~hs$#pFJ;AnCw`uE7cFm&l) zK(&75>&@L8=!fksh3|e7@D~|7y}%S9w&ZIlFZ3(^Kfgq!p@hM;RBHae|Hk7G*ayhS zFTVBAPK`vO=9;nnAy|FXjsw1ove`WVOolIdq=IVHi;$acK& zz8CTz?{h_=VIg71iP#N5L+{^BAtCmon0^SH;%!i%rvNQ{(7_+RQ(c%}z3m2;QCMfv z(hrMsJvsZLL(+fw;x?q8RY_r(33<_ai3QKukvD%;12Bddkxe`K%KK>6LiXEF-qp~` zs1_`FlQhKuy#z{qICda_z}bpvc#K(z77!ossw1ZfDyMvm-B8lT;PAM$|4H_u3=-sS zD$eZ#5XE-bWNfv8V@sCL1Kbzzh8aR7ispUZ2!xJHfQ#=+^{e2Qjlbdwx^4am7>Cg{=2ifM@I}ovoNlYp5z+moF z0#M1{3(9zOd+2b+2!r9I2iVcFE1QlKZQetAn@F_PaUJD1TEu5aof9ZCsL7~0wa(be z`Y-MQv)dVVKjA5v05L!v`7{Sm7Hp(1&#Z8ZN=X?IfFzVeOd^;O7r7wzTbe#OSSiRf zH`)$xt0bP)>7-Fr@fMKs7%gJey$mLvkpYQNYrN^zbL+PTRnKvOs>=(DRGxu6$@!1? zps8kSIxhgML7NoCifu-8;T8@EggB(UqT>j_BG9YA#j+_d@@x|1QMe_8v4En5AfNDs zzdTdfBt{1S3eXK|fcHtGS)A@$Y&E>e0tf~+YMD46)1L7a>hIkqC1L@DdwtGVrx^mm zo8E%x8Ma|{(8*E?YMLQ}`*0g*M83?T73^gR=%Ydi4qwwHI2FzfHlYbMUoAEvV=^Uu zZ^4rT|3-;GNU|Gn%n;GURpr@mKF&HDYC7RB#?m4dCidY)3juOp&0~UK_#rUnw(D2> z%QjwIP+#8ltH#F{YT@3z3^3v4;Z0v&zA$4|egP@GM10W8>q_`E!5G@~u5vw8KWlzw zNL&>*aOI2-B>v(9Tyj%N+(<`!;qKkq5xjHlyLHYwUxkp#$vwik z1GoE&;e))x?ssN)5a=LfI6TxtBq7Qq>AHEhk!BRj+5Yd|{flkwmC#>}*n$2p3wQ4Y z^Y9tYPE z5dZ3e-=gucHgWM4!H~8p zz-RQk=8UtzN_Ee};uYiO9h-2aYA}a%qgWJN_&J+@GA=>&;R@AqTeFMtl!&xk56@?i zgf3A`+XKdk*#ufctR2Cbl*JSNYX=?z5Q(Ul#b%8W@s%&dTVgI*A_zAG(R8;*iibl& ziS7}ek=8@wFVeDHLD#bx;J=Bu&?hrm6m~^z@_Z4k-6^V-6w(ws1@f)&*%=w(|9hZw zK?0ESlAeuZOA*2*KS1%-mPr&~h9?hCyae!mnP2w*CRapGAC!L%BwSGKU$Rs>O^Ma8 zc1Hp5h4{hE#L+Pl@v_<$Sld(wS%MA^*30#t|b3 zoY~N2K)--;kPBrK8z5FKcI8~|uYD-{Yaf28&?~>*SpA=QLn)SL8jlih8iw`*YVr2_ zZ>^QbFZVV=oMV=!HY;zQ?|QXR@hor z#M_?}>lnu0&|&IZ4`g^+I{J3DP%I;EqC}D8I{)YxM9xvxCD+Bf6M5V3!Fi|`Zvn|i z7jrNb7}w(QC!0z?Q4#^7?7csojt0Q>9NypD)x~<5%~d_yU7NsgQlQx#7(X9EHbkxJ z%u{Rp-I#1CzAWc-Ecwwkfw?=^k_Pq}lx{Ur+{uo}HWl@KrHb-0wo@aDRLaNPZ{3jq z4Hr5?gFa9M7R&!ZNu^kB@DlWQfMe+-Y)|_JsvFu*-joi3;WIb4LH9rSNM`II!E*U} zCNS%&369Yyw3Gyr&1JR9PVw5{ZM}At>n$k&OI*iT<>ojgaD3zuo>{^;K?I0`Iz?8W zzM`YiEXIUQtw@;!P>1v{U)I%j^j&u>d8hyuKRH4ut}U++vO zR2Y3Dv*2?&J*?|!i^nzz38AmcItbu)*O9yKB=v z;-&wmFq$`j`q@pkGDWSAZk!8M1j~M){mg(o`O4ACE?87V0_5W<&DGze1Vc~Ksko1L zIJ@c&A3#1IV6Y)uy9K-fk_n~>05LP0dxLm5;mkpAWB}kSjrQ3!8R_{61-76>kvbAA zQF|XGPgV<**Yf)=AfW|Y+QTuZCNMQD)U!@vJ?L^cW>y0rC3*9paSe*L2zJ_Igtzb9 z*l>2%Cgrfqqh;(bD`ikp_YE)!^Ho)L&(6e7yEEd{<{Gd&V$UE=@>W~&r-yC^*ZW=M zw=Z9(M7cFUr#0z4Lu)pr4{-4G%EBEP4&7~gahQ@*g4!<6nRs0Xb=JS)HHbxf+5)J6 zh?P0D*;Eh6DqChwLYT_LT2qRYs2)#+${Itah0#T;V;(*NQabcMu287jVqWl~{ejw1 z$@y)a{wB~2;Ytb|yh?r>wZWDmgj*W|bsm`w(@ve$7s68@Z{~}4pz=&(uhg(nXry~F z8zG#`V=#w9mn+q;Iv^6tG?oq#W`ET4qgu^}a>@OUWj)*oukDkB?}=-{(u%{s0WdIDevDZg_(Z9pn)c8-`iT z_C#YIMSKzaE^R$OD4dJ6#y9hYzgrbT9u0rXH0s?r&np9_ICEI&+>j{JUdMYn&@o!~ zY!2AHO96%$MUyOomS-EP3G3NNZDtk5?e^MCQBr%|bK@A!et((F!LchM9ah1!7^9^a zi>nMF8K93Y7F9#Py(G1qjb$*yr>xiS?)uo-aAuIKr2nA@9&-`*3%}y%k?i+l?vtE* z>!8yHOTuC~jw8sbYI;MtJ`z3XBqb#CXx|Z?4{cXhBZ=$+geijB1ysq0yXq)-6ZG!& zyFMA1cF|H;9P{a@&dJi6X*D7Ug&xDu9CF)8XN9ec=SSo)?+a-N!74O)hWjzjp^n$f zg(aI!Q5#2MUl^IL%qV54P{37^(`pd*2#R6DP03G@JdrYMkT#kSV*F@&O zrxf#B2r1GFb7f6Nk=4|XqQe?W`ST7%zSD=pc^qRKBR8*%ym z(uYoeNb%pk=KrXoL=(LV2A(#gX!V%T={ynb$}4>*L4zHgYnr%_nq-k=pBN_Jm&kL! z!;wj1t(m$~>zvh%;=uQ}do{l?X(d0Px0SH9tT?}GXoe?q`>F*kmsNK~%!0wiVfhhJ z%(Lv1jZW?hdwq7rHLR-$UWKw~Az7QU7IA?aBBQAh^Y)Jx*-WZk6#AMK=xF63xC=NR61qV#4IG^n1SD`&tUx4G*h3?N%7EEMlY z_FAR3mk?((Vx=a;4KkkjQ;$@c$I0{g@)pyGcfBsv#UI8s&?8`u%F2C^)Cvc;oeeLd zCXF$A%g5}w<>QJDG>KmKPszxAta>Z=4oT1vyN4^8F0Yq;KvK$RHb1;5e@QS~KsmlW zO!hMQQ_wE>_!mdLdWtqg6-z?Md?d2xuzb_%cHLW3EBAUNmq@#2%q+!1`9)eg0*l#I z&MC(ah>x@c#mwy2h>qC!N&~y5(={VPm>0n_x?KSIO9EUd5Z*Mk z65i{x{MKx~PV8ekLi5OPBnczW$`aJ}z>}2NGLxieJgsnHCBObMhBIB){T|Cjkd~Q$ z(~=KTrQE}7wS5i@2F%D!jinKrEEq9Q&VzYYKM^!y#r5#Wgu>?2y%f>rabogFVjp#+ z?TB}(x$4pLP}!KZL1MTE!J=V6BvEWq{>Sx4+BL&W-N#!}3#rA2;wrf0DHl>DibMIx zk_r$1uPat2H6QU*`nqHUp3i4pT?}T0gn>Ttf3b@PG@2YxgXh+Wrj>nrr2yA_<#nS_ zXz)a}v{X^Pc-}t~+Tiv#0_t$CBvFyA+CxOzFS!^zq5u!94Mo z(~6k-z`f0h0(wlAd9N8cF?h!S!JZVWB(M8AP&~!fq%&sdU_h@@37XE7XHHdL$RDEb z9P}Iav_u|bV;?GG%)x+4C1hVMLz)U7vI1>_YrX{hY#Z4i)2_?PW-m(hV%{sxf1_rO zbdv%bj89u#lIpN#zS~;08>Ds(%&@$)WNhw*SdWV6$z5R%jLcMe|D}2IG*#l;b8qUm zkWWx&5p;+B32{AV_qw&6fOvW=v&zeBcQ>aSbVJ?WtHk#b%0kJ{%+B|JvsXMIAnRUC zJoL_?=2j?|I8?YP5wl8YmP01`B4~_2$p#S3r#BDMZdjmB{?sF_YJZ>iq~|CE?>1Jr z=6MZ45q>p+D*;lAY0UQ^6O6??EYIJ*vK}IOgBno}5v#hD{N`>PL0|KaLP7IoHk9QFZaXz3EI5QyEoUB;6Li=sHo7^o@|^Bp#P1ByeEb@QMA}w0 z2xy`^z&N0yQB~w<(6xE>qLk_%|f>3*Jrz@i(wElsE28 zBL8n3@$9LTv7nIv;=r3VpPv7Q3xDC^rNrO~B965Gk!PFoC!9KSRS5$MA(l+d0*(Kx zkG~p)wH|pvzPmOR)u&(-0+tlNlJ#Fau375OW__ULM^mN$hFUDhLAF7;YlN`G_M85x zv_!xUsee)co$mE7YIi|w?UU$iWz_zh_bkz?TVTWKEt2+VhB!kZG2485Ty)j;kko zGgCU7G#8P)tA?^4DQA;EbZ-NDlg0~~Dr~QdgB5Z&CAJg|>VOtCigwdLR`Dt3Atyw` zsSDp-#gEiIOky3(PK}PR*8Y>1sEQxy&c4VGx9bQdGS+N*HwO#ZKfY2HmHW1A-TQ8P zE>3v6O?iKDU$J`oNtbZlDbffvkHc1JU^uPs$@~-C_#NV)KAUQ5rDIseaqUbLk6pa1 zzGJtKFRw&k8RL}w6lS+1JsO)gvCmfSNEICF&Kx|05{hMwxWDcn>VLTR;&#h-ue}%w zRJpZCtK2BOYWybK=Ql%5$J(|Q)>HA;s9Y+Oz-9673`r8FJ}=1>u<+v{qui%gJYY~S zwEl2+cK11LvCCHp7U_o!o>QjyWx0JSub&K?;Sx3twm#do#$_P3hrlem7%jrz=;tph z?h0p6IXu!)cMm5(V}j$NsKgoHdNY$Hq5bjT{l#|KX`)ClVVOgBQm&IWo#ZfZBJA4d zuDN%^x+jGIKp3ZSMfoO~qWP|DS+VoxVeTwubQ{rdY?!79yv|#l2VorO#V?*F}(aY+FS@DsE6GGP$ zGcbfCTrQ^nCqr2fzfwmXl^$9N9^WJW>9!n2K=HY`gFRnqP@Nep#rK@b46_mCn*;mR zO1b=iRr-}N$~K-bf-y6Tv8pMvPuQdcS2`z;d2yso+uxvR2oj7ZCpM6E z*vME$1J%#fpMOh54=V9HXh~DK-SZ_K%yG@kGpRbi(3>15P=pNPlU0l@9X4@#h#bFf z8BB`+uYG8e-&w<@4NtbwCK=m2!A%8tO8neqpxnOw-?9kkf5s&WU9vFWlIBXSv%%@K7b`TNx)O zhfec-ne1REcxZ@ju?mLMz~Z^kpRzI@Ho%GGge1UJxmQZpuK&616QCG{awTA|?!C#ubI%Hm|9yqSKva|(5x^HHzb46XPVCkf9l*z!NAnfB3?gZlhbXfd4i1# z0MjmuHZV?#eQT$@O}7FOZVrgUWyzr%ja+}=RZ}%Rt-5=fw$u(xh9E7_5&VN?9uvcSYG7?40Nq`YCQYzDOYMZK&|Uauge$}O zHsy85qThPe(3mb4GVOK9>Za$YxNvs_)bee*()#;Rz!o~PB-426l7i-UO9D*|R>Sl= zfAZHhY#cLd1duwt@C*tLRcLE{S$IFX(v?NIS&pRlfa9vN^7SSZ--4xJX-6T{`R$bV zd1$h=3RVX~TI?U3jwYHvi+4#|3AywA{g7{QuR{(8tg83=KtmU=&I76ATesOnrPyljT~ EUl$_QPyhe` diff --git a/versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP6/README.md b/versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP6/README.md deleted file mode 100644 index edf52a6c..00000000 --- a/versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP6/README.md +++ /dev/null @@ -1,123 +0,0 @@ ---- -slug: /MEP-6-dmz-networks -title: MEP-6 -sidebar_position: 6 ---- - -# DMZ Networks - -## Reasoning - -To fulfill higher levels of security measures the standard metal-stack approach with a single firewall in front of a set of machines might be insufficient. -There are cases where two physically distinct firewalls in front of application workload are mandatory. In traditional network terms this is known as DMZ approach. - -For Kubernetes workloads it makes sense to use the front cluster for ingress, WAF purposes and as outgoing proxy. The clusters may be used for application workload. - -## DMZ network - -- Use a separate DMZ network prefix for every tenant -- This is used as intermediate network btw. private networks of a tenant and the internet -- For every partition a distinct DMZ firewall/cluster is needed for a tenant -- For Gardener orchestrated Kubernetes clusters this network must be a publicly reachable internet prefix because shoot clusters need a vpn service that is used for instrumentation from the seed cluster - this will be a requirement as long as the inverse vpn tunnel feature Konnectivity is not available to us. - -## Approach 1: DMZ with publicly reachable internet prefix - -![DMZ Internet](dmz-internet_public.svg) - -A DMZ network with publicly reachable internet prefix will look like this in the metal-api: - -```yaml ---- -description: DMZ-Network -destinationprefixes: - - 0.0.0.0/0 -id: dmz -labels: - network.metal-stack.io/default-external: "" -name: DMZ-Network -parentnetworkid: null -partitionid: "" -prefixes: - - 212.90.30.128/25 -privatesuper: false -projectid: "" -vrf: 104007 -vrfshared: false -nat: true -shared: false -underlay: false -``` - -### DMZ firewall - -The firewall of the DMZ will intersect its private network for attached machines, the DMZ network and the public internet. - -- The private network of the project needs to import - - the default route from the internet network - - the DMZ network -- The internet network must import the DMZ network -- The DMZ network provides the default route for tenant's clusters in a partition. It imports the default route from the internet network - -### Application Firewall - -The firewall of application workloads intersects its private network for attached machines and the DMZ network. - -This is currently supported by the metal-networker and needs no further changes! - -## Approach 2: DMZ with private IPs - -![DMZ Internet](dmz-internet_private.svg) - -A DMZ network with private IPs will look like this in the metal-api: - -```yaml ---- -description: DMZ-Network -destinationprefixes: - - 0.0.0.0/0 -id: dmz -labels: - network.metal-stack.io/default-external: "" -name: DMZ-Network -parentnetworkid: tenant-super-network-fra-equ01 -partitionid: fra-equ01 -prefixes: - - 10.90.30.128/25 -privatesuper: false -projectid: "" -vrf: 4711 -vrfshared: false -nat: true -shared: true # it's usable from multiple projects -underlay: false -``` - -### DMZ firewall - -The firewall of the DMZ will intersect its private network for attached machines, the DMZ network and the public internet. - -- The private network of the project needs to import - - the default route from the internet network - - the DMZ network -- The internet network must import the DMZ network (only locally, no-export) -- The DMZ network provides the default route for tenant's clusters in a partition. It imports the default route from the internet network - -### Application Firewall - -The firewall of application workloads intersects its private network for attached machines and the DMZ network. - -## Code Changes / Implications - -- `metal-networker` and `metal-ccm` assume that there is only one network providing the default-route -- `metal-networker` needs to - - import the default route from the internet network to the dmz network (DMZ Firewall) - - import the DMZ network to the internet network and adjusting NAT rules (DMZ Firewall) - - import destination prefixes of the DMZ network to the private primary network (DMZ Firewall, Application Firewall) - - import DMZ-IPs of the private primary network to the DMZ network (DMZ Firewall, Application Firewall) -- `metal-api`: destination prefixes of private networks need to be configurable (`allocateNetwork`) -- `gardener-extension-provider-metal`: needs to be able to delete DMZ clusters (but skip the network deletion part) -- the application firewall is not publicly reachable - for debugging purposes a hop over the DMZ firewall is needed - -## Decision - -We decided to follow the second approach with private DMZ networks. diff --git a/versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP6/dmz-internet_private.drawio b/versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP6/dmz-internet_private.drawio deleted file mode 100644 index 7b83bbfc..00000000 --- a/versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP6/dmz-internet_private.drawio +++ /dev/null @@ -1,178 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - \ No newline at end of file diff --git a/versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP6/dmz-internet_private.svg b/versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP6/dmz-internet_private.svg deleted file mode 100644 index f5e58204..00000000 --- a/versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP6/dmz-internet_private.svg +++ /dev/null @@ -1,3 +0,0 @@ -
Machine
Machine
Firewall DMZ
Firewall DMZ
DMZ VRF
DMZ VRF
Machine
Machine
Firewall A
Firewall A
Private VRF A
Private VRF A
10.0.0.2
10.90.30.129
/0 via Firewall A
10.0.0.2...
VRF A 10.0.0.1
VRF A 10.0.0.1
DMZ Network
10.90.30.128/25
DMZ Network...
Private Network
10.0.0.0/24
Private Network...
import /0
import /0
import 10.0.0.0/24
import 10.0.0.0/24 -
Machine
Machine
Firewall B
Firewall B
Private VRF B
Private VRF B
10.0.1.2
/0 via Firewall B
10.0.1.2...
VRF B 10.0.1.1
VRF B 10.0.1.1
Private Network
10.0.1.0/24
Private Network...
import /0
import /0
import 10.0.1.0/24
import 10.0.1.0/24 -
10.90.30.129 is reachable
/0 via Firewall DMZ
10.0.0.0/24 is reachable
10.0.1.0/24 is reachable
10.90.30.129 is reachable...
Internet
212.1.1.0/27
Internet...
SNAT to 212.1.1.1
SNAT to 212.1.1.1
Internet VRF
Internet VRF
import /0
import /0

import 10.0.0.0/24 no export
import 10.0.1.0/24 no export
import 10.90.30.128/25 no export
import 10.0.0.0/24 no exp...Viewer does not support full SVG 1.1 \ No newline at end of file diff --git a/versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP6/dmz-internet_public.drawio b/versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP6/dmz-internet_public.drawio deleted file mode 100644 index 544939e5..00000000 --- a/versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP6/dmz-internet_public.drawio +++ /dev/null @@ -1,184 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - \ No newline at end of file diff --git a/versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP6/dmz-internet_public.svg b/versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP6/dmz-internet_public.svg deleted file mode 100644 index 5e825081..00000000 --- a/versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP6/dmz-internet_public.svg +++ /dev/null @@ -1,3 +0,0 @@ -
Machine
Machine
Firewall DMZ
Firewall DMZ
DMZ VRF
DMZ VRF
Machine
Machine
Firewall A
Firewall A
Private VRF A
Private VRF A
10.0.0.2
212.1.2.3
/0 via Firewall A
10.0.0.2...
VRF A 10.0.0.1
VRF A 10.0.0.1
DMZ Network
212.1.2.0/27
DMZ Network...
Private Network
10.0.0.0/24
Private Network...
import /0
import /0
import 10.0.0.0/24
import 10.0.0.0/24 -
Machine
Machine
Firewall B
Firewall B
Private VRF B
Private VRF B
10.0.1.2
/0 via Firewall B
10.0.1.2...
VRF B 10.0.1.1
VRF B 10.0.1.1
Private Network
10.0.1.0/24
Private Network...
import /0
import /0
import 10.0.1.0/24
import 10.0.1.0/24 -
212.1.2.3 is reachable
/0 via Firewall DMZ
212.1.2.3 is reachable...
Internet
212.1.1.0/27 212.1.2.0/27
Internet...
SNAT to 212.1.1.1
SNAT to 212.1.1.1
Internet VRF
Internet VRF
import /0
import /0
import 212.1.2.0/27
import 10.0.0.0/24 no redistribute
import 10.0.1.0/24 no redistribute

import 212.1.2.0/27...
SNAT to
212.1.2.1
SNAT to...
SNAT to
212.1.2.2
SNAT to...Viewer does not support full SVG 1.1 \ No newline at end of file diff --git a/versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP8/README.md b/versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP8/README.md deleted file mode 100644 index 14748fae..00000000 --- a/versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP8/README.md +++ /dev/null @@ -1,503 +0,0 @@ ---- -slug: /MEP-7-configurable-filesystem-layout-for-machine-allocation -title: MEP-7 -sidebar_position: 7 ---- - -# Configurable Filesystem layout for Machine Allocation - -The current implementation uses a hard coded filesystem layout depending on the specified size and image. This is done in the metal-hammer. This worked well in the past because we had a small amount of sizes and images. But we reached a point where this is to restricted for all use cases we have to fulfill. It also forces us to modify the metal-hammer source code to support a new filesystem layout. - -This proposal tries to address this issue by introducing a filesystem layout struct in the metal-api which is then configurable per machine allocation. -The original behavior of automatic filesystem layout decision must still be present, because there must be no API change for existing API consumers. It should be a additional feature during machine allocation. - -## API and behavior - -The API will get a new endpoint `filesystemlayouts`to create/update/delete a set of available `filesystemlayouts`. - -### Constraints - -In order to keep the actual machine allocation api compatible, there must be no difference while allocating a machine. To achieve this every -`filesystemlayout` defines constraints which specifies for which combination of `sizes` and `images` this layout should be used by default. -The specified constraints over all `filesystemlayouts` therefore must be collision free, to be more specific, there must be exactly one layout outcome -for every possible combination of `sizes` and `images`. - -The `size` constraint must be a list of the exact size ids, the `image` constraint must be a map of os to semver compatible version constraint. For example: - -- `debian: ">= 10.20210101"` or `debian: "< 10.20210101"` - -The general form of a `image` constraint is a map from `os` to `versionconstraint` where: - -`os` must match the first part of the image without the version. -`versionconstraint` must be the comparator, a space and the version, or simply `*` to match all versions of this `os`. -The comparator must be one of: "=", "!=", ">", "<", ">=", "=>", "<=", "=<", "~", "~>", "^" - -It must also be possible to have a `filesystemlayout` in development or for other special purposes, which can be specified during the machine allocation. -To have such a layout, both constraints `sizes` and `images`must be empty list. - -### Reinstall - -The current reinstall implementation the metal-hammer detects during the installation on which disk the OS was installed and reports back to the metal-api the Report struct which has two properties `primarydisk` and `ospartition`. -Both fields are not required anymore because the logic is now shifted to the `filesystemlayout` definition. If `Disk.WipeOnReinstall` is set to true, this disk will be wiped, default is false and is preserved. - -### Handling of s2-xlarge machines - -These machines are a bit special compared to our `c1-*` machines because they have rotating hard disks for the mass storage purpose. -The downside is that the on board SATA-DOM has the same naming as the HDDs and can not be specified as the first /dev/sda disk because all HDDs are also /dev/sd\* disks. -Therefore we had a special SATA-DOM detection algorithm inside metal-hammer which simply checks for the smallest /dev/sd disk and took this to install the OS. - -This is not possible with the current approach, but we figured out that the SATA-DOM is always `/dev/sde`. So we can create a special `filesystemlayout` where the installations is made on this disk. - -### Possible Filesystemlayout hierarchies - -It is only possible to create a filesystem on top of a block device. The creation of a block device can be done on multiple ways, depending on the requirements regarding performance, space and redundancy of the filesystem. -It also depends on the disks available on the server. - -The current approach implements the following hierarchies: - -![filesystems](filesystems.png) - -### Implementation - -```go -// FilesystemLayout to be created on the given machine -type FilesystemLayout struct { - // ID unique layout identifier - ID string - // Description is human readable - Description string - // Filesystems to create on the server - Filesystems []Filesystem - // Disks to configure in the server with their partitions - Disks []Disk - // Raid if not empty, create raid arrays out of the individual disks, to place filesystems onto - Raid []Raid - // VolumeGroups to create - VolumeGroups []VolumeGroup - // LogicalVolumes to create on top of VolumeGroups - LogicalVolumes []LogicalVolume - // Constraints which must match to select this Layout - Constraints FilesystemLayoutConstraints -} - -type FilesystemLayoutConstraints struct { - // Sizes defines the list of sizes this layout applies to - Sizes []string - // Images defines a map from os to versionconstraint - // the combination of os and versionconstraint per size must be conflict free over all filesystemlayouts - Images map[string]string -} - -type RaidLevel string -type Format string -type GPTType string - -// Filesystem defines a single filesystem to be mounted -type Filesystem struct { - // Path defines the mountpoint, if nil, it will not be mounted - Path *string - // Device where the filesystem is created on, must be the full device path seen by the OS - Device string - // Format is the type of filesystem should be created - Format Format - // Label is optional enhances readability - Label *string - // MountOptions which might be required - MountOptions []string - // CreateOptions during filesystem creation - CreateOptions []string -} - -// Disk represents a single block device visible from the OS, required -type Disk struct { - // Device is the full device path - Device string - // Partitions to create on this device - Partitions []Partition - // WipeOnReinstall, if set to true the whole disk will be erased if reinstall happens - // during fresh install all disks are wiped - WipeOnReinstall bool -} - -// Raid is optional, if given the devices must match. -// TODO inherit GPTType from underlay device ? -type Raid struct { - // ArrayName of the raid device, most often this will be /dev/md0 and so forth - ArrayName string - // Devices the devices to form a raid device - Devices []Device - // Level the raidlevel to use, can be one of 0,1,5,10 - // TODO what should be support - Level RaidLevel - // CreateOptions required during raid creation, example: --metadata=1.0 for uefi boot partition - CreateOptions []string - // Spares defaults to 0 - Spares int -} - - -// VolumeGroup is optional, if given the devices must match. -type VolumeGroup struct { - // Name of the volumegroup without the /dev prefix - Name string - // Devices the devices to form a volumegroup device - Devices []string - // Tags to attach to the volumegroup - Tags []string -} - -// LogicalVolume is a block devices created with lvm on top of a volumegroup -type LogicalVolume struct { - // Name the name of the logical volume, without /dev prefix, will be accessible at /dev/vgname/lvname - Name string - // VolumeGroup the name of the volumegroup - VolumeGroup string - // Size of this LV in mebibytes (MiB) - Size uint64 - // LVMType can be either striped or raid1 - LVMType LVMType -} - -// Partition is a single partition on a device, only GPT partition types are supported -type Partition struct { - // Number of this partition, will be added to the device once partitioned - Number int - // Label to enhance readability - Label *string - // Size given in MebiBytes (MiB) - // if "0" is given the rest of the device will be used, this requires Number to be the highest in this partition - Size string - // GPTType defines the GPT partition type - GPTType *GPTType -} - -const ( - // VFAT is used for the UEFI boot partition - VFAT = Format("vfat") - // EXT3 is usually only used for /boot - EXT3 = Format("ext3") - // EXT4 is the default fs - EXT4 = Format("ext4") - // SWAP is for the swap partition - SWAP = Format("swap") - // None - NONE = Format("none") - - // GPTBoot EFI Boot Partition - GPTBoot = GPTType("ef00") - // GPTLinux Linux Partition - GPTLinux = GPTType("8300") - // GPTLinuxRaid Linux Raid Partition - GPTLinuxRaid = GPTType("fd00") - // GPTLinux Linux Partition - GPTLinuxLVM = GPTType("8e00") - - // LVMTypeLinear append across all physical volumes - LVMTypeLinear = LVMType("linear") - // LVMTypeStriped stripe across all physical volumes - LVMTypeStriped = LVMType("striped") - // LVMTypeStripe mirror with raid across all physical volumes - LVMTypeRaid1 = LVMType("raid1") -) -``` - -Example `metalctl` outputs: - -```bash -$ metalctl filesystemlayouts ls -ID DESCRIPTION SIZES IMAGES -default default fs layout c1-large-x86, c1-xlarge-x86 debian >=10, ubuntu >=20.04, centos >=7 -ceph fs layout for ceph s2-large-x86, s2-xlarge-x86 debian >=10, ubuntu >=20.04 -firewall firewall fs layout c1-large-x86, c1-xlarge-x86 firewall >=2 -storage storage fs layout s3-large-x86 centos >=7 -s3 storage fs layout s2-xlarge-x86 debian >=10, ubuntu >=20.04, >=firewall-2 -default-devel devel fs layout -``` - -The `default` layout reflects what is actually implemented in metal-hammer to guarantee backward compatibility. - -```yaml ---- -id: default -constraints: - sizes: - - c1-large-x86 - - c1-xlarge-x86 - images: - debian: ">=10" - ubuntu: ">=20.04" - centos: ">=7" -filesystems: - - path: "/boot/efi" - device: "/dev/sda1" - format: "vfat" - options: "-F 32" - label: "efi" # required to be compatible with old images - - path: "/" - device: "/dev/sda2" - format: "ext4" - label: "root" # required to be compatible with old images - - path: "/var/lib" - device: "/dev/sda3" - format: "ext4" - label: "varlib" # required to be compatible with old images - - path: "/tmp" - device: "tmpfs" - format: "tmpfs" - mountoptions: - [ - "defaults", - "noatime", - "nosuid", - "nodev", - "noexec", - "mode=1777", - "size=512M", - ] -disks: - - device: "/dev/sda" - wipe: true - partitions: - - number: 1 - label: "efi" - size: 500 - type: GPTBoot - - number: 2 - label: "root" - size: 5000 - type: GPTLinux - - number: 3 - label: "varlib" - size: 0 # to end of partition - type: GPTLinux -``` - -The `firewall` layout reuses the built in nvme disk to store the logs, which is way faster and larger than what the sata-dom ssd provides. - -```yaml ---- -id: firewall -constraints: - sizes: - - c1-large-x86 - - c1-xlarge-x86 - images: - firewall: ">=2" -filesystems: - - path: "/boot/efi" - device: "/dev/sda1" - format: "vfat" - options: "-F 32" - - path: "/" - device: "/dev/sda2" - format: "ext4" - - path: "/var" - device: "/dev/nvme0n1p1" - format: "ext4" -disks: - - device: "/dev/sda" - wipe: true - partitions: - - number: 1 - label: "efi" - size: 500 - type: GPTBoot - - number: 2 - label: "root" - size: 5000 - type: GPTLinux - - device: "/dev/nvme0n1" - wipe: true - partitions: - - number: 1 - label: "var" - size: 0 - type: GPTLinux -``` - -The `storage` layout will be used for the storage servers, which must have mirrored boot disks. - -```yaml ---- -id: storage -constraints: - sizes: - - s3-large-x86 - images: - centos: ">=7" -filesystems: - - path: "/boot/efi" - device: "/dev/md1" - format: "vfat" - options: "-F32" - - path: "/" - device: "/dev/md2" - format: "ext4" -disks: - - device: "/dev/sda" - wipe: true - partitions: - - number: 1 - label: "efi" - size: 500 - type: GPTLinuxRaid - - number: 2 - label: "root" - size: 5000 - type: GPTLinuxRaid - - device: "/dev/sdb" - wipe: true - partitions: - - number: 1 - label: "efi" - size: 500 - type: GPTLinuxRaid - - number: 2 - label: "root" - size: 5000 - type: GPTLinuxRaid -raid: - - name: "/dev/md1" - level: 1 - devices: - - "/dev/sda1" - - "/dev/sdb1" - options: "--metadata=1.0" - - name: "/dev/md2" - level: 1 - devices: - - "/dev/sda2" - - "/dev/sdb2" - options: "--metadata=1.0" -``` - -The `s3-storage` layout matches the special situation on the s2-xlarge machines. - -```yaml ---- -id: s3-storage -constraints: - sizes: - - c1-large-x86 - - s2-xlarge-x86 - images: - debian: ">=10" - ubuntu: ">=20.04" - centos: ">=7" -filesystems: - - path: "/boot/efi" - device: "/dev/sde1" - format: "vfat" - options: "-F 32" - - path: "/" - device: "/dev/sde2" - format: "ext4" - - path: "/var/lib" - device: "/dev/sde3" - format: "ext4" -disks: - - device: "/dev/sde" - wipe: true - partitions: - - number: 1 - label: "efi" - size: 500 - type: GPTBoot - - number: 2 - label: "root" - size: 5000 - type: GPTLinux - - number: 3 - label: "varlib" - size: 0 # to end of partition - type: GPTLinux -``` - -A sample `lvm` layout which puts `/var/lib` as stripe on the nvme device - -```yaml ---- -id: lvm -description: "lvm layout" -constraints: - size: - - s2-xlarge-x86 - images: - debian: ">=10" - ubuntu: ">=20.04" - centos: ">=7" -filesystems: - - path: "/boot/efi" - device: "/dev/sda1" - format: "vfat" - createoptions: - - "-F 32" - label: "efi" - - path: "/" - device: "/dev/sda2" - format: "ext4" - label: "root" - - path: "/var/lib" - device: "/dev/vg00/varlib" - format: "ext4" - label: "varlib" - - path: "/tmp" - device: "tmpfs" - format: "tmpfs" - mountoptions: - [ - "defaults", - "noatime", - "nosuid", - "nodev", - "noexec", - "mode=1777", - "size=512M", - ] -volumegroups: - - name: "vg00" - devices: - - "/dev/nvmne0n1" - - "/dev/nvmne0n2" -logicalvolumes: - - name: "varlib" - volumegroup: "vg00" - size: 200 - lvmtype: "striped" -disks: - - device: "/dev/sda" - wipeonreinstall: true - partitions: - - number: 1 - label: "efi" - size: 500 - gpttype: "ef00" - - number: 2 - label: "root" - size: 5000 - gpttype: "8300" - - device: "/dev/nvmne0n1" - wipeonreinstall: false - - device: "/dev/nvmne0n2" - wipeonreinstall: false -``` - -## Components which requires modifications - -- metal-hammer: - - change implementation from build in hard coded logic - - move logic to create fstab from install.sh to metal-hammer -- metal-api: - - new endpoint `filesystemlayouts` - - add optional spec of `filesystemlayout` during `allocation` with validation if given `filesystemlayout` is possible on given size. - - add `allocation.filesystemlayout` in the response, based on either the specified `filesystemlayout` or the calculated one. - - implement `filesystemlayouts` validation for: - - matching to disks in the size - - no overlapping with the sizes/imagefilter specified in `filesystemlayouts` - - all devices specified exists from top to bottom (fs -> disks -> device || fs -> raid -> devices) -- metalctl: - - implement `filesystemlayouts` -- metal-go: - - adopt api changes -- metal-images: - - install mdadm for raid support diff --git a/versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP8/filesystems.drawio b/versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP8/filesystems.drawio deleted file mode 100644 index 0f0c6ab5..00000000 --- a/versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP8/filesystems.drawio +++ /dev/null @@ -1,43 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - \ No newline at end of file diff --git a/versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP8/filesystems.png b/versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP8/filesystems.png deleted file mode 100644 index 6d903b7ec9c8c069383846912f136127e54a371a..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 24073 zcmeFZby!u=x-L#hh|(!8>F#a`7bPK}z(SNxX;_4mQqoJ17DPZ05hO&qI|Uaa-67r5 z^&89BXP>?I+4ubJJ@@YO$9W!}^{hFWbIdWm`He5$@BLPoriRkh%hxWWp`l$>QHE-x zpqhg(zfK4W^8GqtXklJGhP0zdvc_=-^;s2LE>#nz*<)di?v#EFJBBukrU_PGA}T?k3cUyJjYK ze}7ib#vE?_`&xbx@n6e8U9N0lV`csO(P9F>C1r2&=i=WhakVxvcl7vm|IbrD<>un( z2<}w)`ATkC*r8pRS{w8`uE?B6dLL z@}@vuB37txU`%rhcktiNecgsBnAH*|CJ;K{*fd_{tG1edn^2v%4wSb z?H1sJTDaQ)?fH+zXm9@e@&7_46yp0mhd-w4ABc|s&$+)=!v6}ZQFmOY=3t0f3?7V+vC5|HBA#2xDDLK(czyhyKIf97y(GEL_pQF?>RQ_UvB?SN#8$KK@?*U&$6_`2M*_UClwr@*j%S z)!gh~F4Di#*MA_=Kd1i7x47W1<^PpP|6&^dmva4Qx(WpQuQ#3|e`7rVk+S|@GoC_! zC)xjuvVsWcpC~H`i~hy?|8E1Ie`H+$uPN*AeDQxrS^ueFbv3v6*DLE^l=HWz|3{Mj zFH%3z;>cSE%T~h! z@Q5)P0;sh3&{!hh4PANn)KpQfAUp}zl8lTLyN9ha2pwxd&=`^Aiou9YMDB`pkL+lu z+B$ce-kH;X(pQ-oSWY^Yh$O+^k!&nT(KL4h1ZzEb33-4mjR@D2w*% z5K0HZAb~79>9RA>VW9q^AA{rMO$>}*hjbXrMA1viAtkqoe?8p4hctSr!-tXx?ay37 zoRqoDMkIPfv%8A+U;P z`1yP~jAT}De8fYC_Gd-}=wS%BSRUE$2X;t-;~o!m^xxv}hvO>4vzqm@|2*(Jo-*9L z4j=c|^Z!Q#Kra7zEhwV$ufI4S<1QW0E^wHrLQo=A*GEfT@4i)Y?&htpIhhV59FL?H ze6TrLJMqcpt9FLx{)koe{`y$;g!>qG%+C4IBJEI>o9)5=m}50_0*t|h+R(2#gwVtH z_y@m6;zRf3Vj4lqNCU6s>?o7DwkXEL>?=SCGKr&?Lfh_mM93nsq>$SqRXr3*pVf^!TBV z7OEcWr9)Nmy7xO@J^r5TuruFjDXs6j_s!n)$$X5`xZBXf#k42qkE_pj`(!)}9BWH` zk6yd>ibp(@F=@i`I9|@F79NB(KXm;p?6COCgMiDim0S`# zweMipwD@C+g4{F>@ddK-IfP`DMw@AV$2J~d5Q%(lLYdQ| zleyypC?XP6E{9Ph32e(c!-qg8=N$t><%j@?`>tlw~`*;drc z(SUe#GA9mW`D|1!R@s-0wE1qgQaXTB@Wt0p>c(8Uxz&Y)YzKR!kLF_?-b9HApl=Tu zJ*j;2{HDa>p7&aD$gY7zKo^aqd%pBkcB0`5LV6$O@l{zf;gVEO)TS)J~@8)Qfs={=urUUTR__n=+bZWi!)TE-Wi}x2O!6UB;ch&Cp zO0pCjRwvSCGAP4So!h8cMBd(c?XXY-UVXvi-R}yeDGns)#B3<*v%Ln-!G$ttMrNBG zOn8)smB
xw+)D(Mjrp)Vmc+ZeAb<7x_eF6=MlG%YLYI4L!@ShPQCJLX3mr2J*i z4@rFQMiVY_d(wNeQh4aWSLyS^xec%YcgNbjg!nKto6%3X`s$})tHq|q8L$ec3|nMo zFpa1~s)756#lswpS8AX5*i5+T@0>@)e-EMc<8uyJq9cS7cD|;ih^9mGd+*x~6`9nRyZ-FdhKI`4MZ*{0oB=sC@Sc= zXt$eHVtCHKh9R-c-PfwyKWK)pb%Yi+UO;{4=81<%8(B=Ud-5|)Pv)&T`mHaV{zOx5|?hcUgA z$|r3NMXZ;N^`?bMvt45@`lpGM1I}ou+Vt1hJ0iXUyjVrM7wo zEVI-qf>yn7oa;_c@d#ETN-cgYAz3sFs#e}}s4DH9?t~#25n@fwXMHjkc6%x-=7_3t zARs^BMOWwMQOK{oTvy?LF2KOQv_=ycn)2j9qlyI^f#EZN8($8-MnnAD6waf-3^+!TKK z)bxAc_1so4TnPW|g4=+HG|z9;dHCCfvXKK9svVBjuQT73jb|i zglzm$2dwrluad~0gy=BQ)nTS77++Nr{+Ke1fi!V;O!+k2Dn~L9@10SuN2u%q$(Nnm zX=PuhDL$A*7zz1RNs6NHaqe9qe)j;pcoIn1o}oHHSjJ~~+lpSYgP%@a6WC13aHhdv zVR5EsB44TVj4Y~-bdD~A(2O1#1EU zs`yyvZHiHRq0_Iy-Aw*x@c)!pvKS;pCOyp#kV>?bAarVS5`Hw$0eL(hv(Y2i2X|W? zbStdge<`_?9yksnoa>>xAG>*6X??c*K}4nYsAKNhc-_UhclpZuyehA~m64Lz%}043 zz8~+e+sc^qv%dD3#U{M52AoEjLdB)Cn`)EJMl_W56|Xt<{0_!lpRW#nNHKW45TAE` z3T#=$L-&!^s2kFw-1VnB{?B6yFF^QngxIg&>EfiUyeO#Na6y^Gy(j%IRC$)mru@7; zP(g$H`Y5^1g8by0OaY#f6pmb@cxnmnR1nH_w;>;TOb92m&rKNHIgEa?SvvKUsXITm zMa5mZ6OvZF*N3uHNDr3YJg@ptKIs)Bbuj7ec(D28VhngEUMu~|9sD!RDtax9+%N)( zTZ_G~J_x8qhd|tuZbkB?Uu?J2ZsZl#xvb`wXndf6puCWQb1V4=gk#;&TXk!X$;UZk z_T>|o9p-`L#$UM&>TiGm<$jRCmreX$F@Jnc8y8u4gBzHa4wE%6_IFG|sV}d*R&xD= zcJ`)xG6U;t_XZ6THeWwEUv{Wmpb#}~Ks#uoajZZEQSb<|og2ZupRPE*%ktBCc4$fo z@zE4;XH0E=OBdrb?%ZB^w7WQVI-Sj1ci2?==v$XB2$FT?toL@9B$~=(kB1VWa7}dy z4#-l9W1aJB-+le~>_E8-Ac-=9_Qdaatf|vp`)kXm35c2IkZNK^#R{bxk6Xx`wb=_A zKbOD{6>$1c{;axof3*AF2?(9nZ}=UWkdmA}0P*X7dB&}fs>L+#UY6!E`>`qzQGWUS zQn=e~Z5a8=XQ#6b<=kEEM?dMW9l#Lh=O>QUh{9(QZYves<>UQzReCU!OWw}UK_DmU zwsKF@tnJEBwTB}roNa$5$m3Tmt(g|-5{9@Vb2fkq$qSxboVQ`GVx4UPKkhQ+d+@4Q zaxPMkqFC&6ifEtT#cTv`m5#1{s~=UgtG>i(X0!LFTLj`QT>cN9^JP1p9%oAtM*KiV5ik`#mqCB{7sYix3v9MBI8cC4o)`f zt8e-q55opPFm_^W?gOIml+Tx!^d%G#*O!5Z=OCqnxf1tBBIV``qLq!+#w=6p*UaFR z3kiZ4Fm$jlR7D>Ruu=X#69terw9=90X}bYtnOPmOQ4BSy%cG zx98Sh%1q zP_7GS$X&tMhys* zMIK9?td-~_5Y&rLI4*BpoCo0Z@a1((cud*zLSk9v=Yi&aaw)8sz3efdr9{1YRb;r~ zY^#}2hxhS-9zBnr*6TOXC&ZAG_43zwM)h^uCjHNFNTqZMMk5ypu`^1C49B3OUaKFh z0-mDx8{9B=^1V1am@13g_tMblC0R{le@i=gzM>#W^A4ibDYZkNtw@StVd)ja?l+ zO{sy_UNgaz;{liOACy>rwo82_=}~YNb)n?ca4Cg7;^s=%@;}>Qon1&t4msLi)QkcE={Zpo}RrC1JT0 zgsFN5SlAl%b2W|{Xw8qwEFvbJ06!28d!Jxfa>qf_xTqV5k=q;9n^oUGr;JS9@W*8lpZZ&fKCCZGLk`G9@tH(iJ627i&m z7etsah0Ej+ScNBR(W5UH#5WC(j}~9s(^>HuCdu%!nG72~< z@jJuA$36S(xNIERB#~r0_3+DK!X3C;su;2hWYbn_jIqT;=+T?vM-?1U_!hx-KGRLR z5vAGMH@L(r4b^>0BiC&6wOZ%K9P5R*{rR*w5VBxv#71Tpq2DiIcmAj~2+Q z%Jx8YvF+4t)Fx--1-{X_N=gv$dI1S~H7vKxi^7OWY2Qk+h>Aq)TY0@ z8ca6KHtO9-Ai$>2zhQWx056go9jg!WoUtv`MEZ9qS{HqKW)YAr#QQl-dQ7D1<58TS zTpg^f$cYYqN>M-nk*K&uC_Uh(e5HlyT)ht0o5bkD0P$U~?5x`>dJ7#w%J45C!v-xl zX^B*3`c=)>!b>q%xx%(X&%aYbJjR_v@a{X(Vq-j8AZpu9-{yY3Bulg_H*X{{FWr5R z3X=y~Ws&3&q<%Wz>fP+!Llr{RUNsX&knpM2%R4jhAk7{PHd-6xDeu(LujSLn6SkC& zq(0@t-?dnzVsy=j0fuB4;$koDK_+H# zyO&6}0qiZ+JJ>T*eGJaP@(2EWTTmQKK^nQ4&m>nZt%HozGXrh)bJ{o*su`J!g#5wAgndoJXjrJR4Y5{KeBg7LHnt!MZEm63_L0mClF z*r9LmZobLRmC|bWGO8NFDO^7Q#eqC)934wwh1g;TL;TqtUD zq33&;RqfZ!zp#EExe=5ki-IDi05 zbn!%Dyl8Hn`I6;9R-3u(qYrr#$goZJg<^&ynk}`CC2dDxnx2j|s9e_eF1GoL3+YT+ z^6sJ2cvfVKA&Q|k$&!OxS zGyRn3^7(~6Xr?BXO;$Dpt87N6b}I*tObfnSSo^>S+ic>PJ^pgormeBZSmKue;~4IC z2C!I4cB`sf-!dgXSKk)FRvkkXHE;0`3JwXPJ(!E9;_>yP2Obk{`)M5Hcj(BGTBmdI z`x;jrkcWTCQu2OyV;dc%GMFS&$TbPj>7qH_xqo~oi-a>CB*ke7sFcRw=fwt@Zyp?@ z(c~1%mPoa0Pxnf0+EH9hkc@-UT|o~c2t)9lF%OiIKr)<`XE8upM2>qqF-(@4Bzg(J z+xZ5MT$HcazZKN2?}G2WSW zBhY#sKQVXR%p3UDJcfhsdH6RjIdg7aqRh*kOzmr@CvcX`%zAg48TYECc41&DZ>Vo7 zXKS*9_}29&#DzE)v}ri~OchzLtn63yRCYNR{b))zf*=j6A1Q?d*M^e{eJ-{QHeq}l z_)gs$;uI0br}{NAFP73X#6uoVFx%Zj`WIsMDwA%#|3c=*(5Isj*T`)I$-K$Q5U@K} zIevBVy%JFQ5ZekY7Dv-(L{E8chd1%wu2h*Y&^VJ;hEKo7%s?a>FnpW!MyKU5M9a$> z&PsMf&7|blOgwQcdv>IJ!p(|ZKLRRe z{K-O$(-;{MmLC8(DndW|=~`K+Qr4{nqm;p_6sky`)9BAGkuFpXQ=S-$+uaY>Lbl~Q@xzkHD6~=ndHva zGxgg_f+0b8HVoUwA5Evkc1_JydZ8q7)te!+S&5@d>ZF^LzV`!s=|#*!4B zl0HDsC{s$Xje}e<-5M!}LvKuQm5NNCbg0sV(W2kk$+g!Uq$782A7E?bW2TiWj_1r} z6Y!?M30U+t8e6&R&I1{)Q9PS}q6g$uBcXYbZq@qAL6hv(_yx(2t6$mnnwUju_+xhk z==Pl+ex48TQ0?u#%VKyx%%b^%G&&3~TwtpuWU0ZP|KbiEBguORzXwu*Qb#BC)R+Ug zU0)Zi_+-i?1kzJI2lAvxvoFfz;nSZf38O2LSl(WqgajTBgc38VY3>-27&;Ks{K&q& zBk^+cVbqS{GYBTf*|E^EeTs5;|EEQVGTBQ|A-Ai9sydql(p=WyJAK z4almoA!OKC`)YW8r!WxJP6wN5-4EDnvsy%hTv8vE(@_;`Kdao6ngz;&<|v^8-(+(j zsliAyBxg8eoNB37g3lR8nv=&ZFq2A~b=-upf(Wf9PEB5H*#JdUOuH=bBjWi^b*wAz%g!#K(pF9SD&sx22Ups?1KV3?XqHZDn=ELl@{tQhn z^lSOf9{ceVH)JEFqy5N`)|xl<{#oJGp`34ycy!8K6al&T{=PgfrCL(b6BPzSmyn7-X4yM~msz7t{<_G2X|M;D87Ghh2NRyYY{ zO|M~e`sy>e7-8pl8WC-l#=Io+5zblPT;khFFp8wF1UC3@{uX8ytmj=K% zW(2=SO9NI+K#G)9h8we+sO|M%=FB&qtDyW)T{PIap`!p2A<|djXxdrn9WSvS;nT2_ ze!U*ciSDJ@!e-6l9I(#EFOVT%L!umkp0GfPt)J=h@k%3{&D_R&bhAvpxyfm4Zv2^)f2OIWB zv%ORimsejHzQ{I1roGU8k~1I=#R+uMd@XPHF($6zfzM-sBoI~+_CfZg*~(WVe0jS+ z+)$CZ^YSdA%6QK*)l&ZwC$>CgHz%zjSKytOLY<~%MW>?P`)dkNrMiw{ANVDOE=wuK z6%p0v=fyFLo#bKSYS2wOq+GJkIKWw|bVWrzlBnzD@?iiWuyAn^B<-slG1xwfit8Mu zCC#Grjg^a4iM}ccx9(~4seGIbA+aJ_UB z0(KPm&BL(ruo>QhY<)kIM29jDJM6Q+wD-Qy*Bfqg%+sDs`9+yqftTA!f}L)`=|(+O zXhiI+Rr#*hS`ba=-Opt7P|X>c!Y78nWPr9~%NNjBv92!Q67-CgGLxSe4kjE^-hVE1 z!rj-RL`3@%HncMM!S;ElrB}j(ng!E+w;q5$B)Fd?5ENVuzn;RYEkbO3v;+|_4^=SO zZ&Q4(wWr);!r+AyMzG&e>`dn0N7dENM>}*on3(N0oGig@!6>_t`#w$hA0RWYYl#}B zO^gYngq^o>bk|8~SbR&!uIsW6+wr;`hLBp%0GC^l*IS>$%b`ly2mXzLI4RjLzjB=x zG4-)?XRrMZ0uEH+|Jz`v$-{dxf4Bhu1APAf#e?sKAubn&+%WoGeSoH8;GX7Tq-i~e zC1X+WJg6uVcrDeKGnnWlR542#^?HNCUz=o$3zF@F9skf9K-Kfs2I?=75;cbkb2-%t z>2av?hf4i^A~!&*iM@FfmqH=A0%ZOJD5AhKiP%dj0Niew+-8y${5#`O@9>EP%eH~;XdXroZ6*Jfe%Q>&B z@Odie?rE7E26w?I0mp_3Bn6DlEy+A|?nrcXF4_rNsG`FczF12hWFsb>A1Fxk4iy^7c%TRtpo%;kge9YPcxu1&C1ZblAkTiROt(+J z#Ih0rk*oqp&`1RUa=i=GQ$!-pZgeBT%d#JmK3;lLpz%t=p_{uLu4ni-yI39#0^k~l zm4RG`wn*v%kIl&qpbMfRlAARpG-6KaV}R%|fr9Z+P*C+VFGnD_p9t$JK%y204IHJt z>i|h2*SNsskUTY)hYX!qIT&mcjwC??Wrj@5mse>-;C}%$q3y&<*G)(nW2btO1=sV= z!TlddATXsO0;#PAOp#7?;0#%oP~h%0wk5y9y#xaX@stV>I9|(@0}A&|0mn3aAx-*V z{A&wZ(=v)EfTC+~-yQea{p>K`5yOHYf`F2^%Vy0k!r)PE_IOF(O#_SNEnZb1_wy+; z{{{{hFqvxR#0ULBm;M&_v~3v!Xt;5v)!sKfQMpEGfD^=Sx2^b7&3oOP(IDf!DNE{n@^2UjE1M zFoa3-vt$dbj2Z54eC#DdfnhJn;PpeEH1?ljszHfn4gcot%YrsunV72q9!9Y&>T1@; zHgu@c0KrT{|5rdWag3Frz+DMp4m@MaqH`wxaROL2DQ;GqwFhMdt2GQe~`A&gb3ccVHSmabi*z;nWo?t0W6~fE?TIH z3Crj71@b~4sA9Rpgk5qrC{vZCHd<;Wa1lX_e71wDfgVSYK)8ZYq>TbV^l+CMAEr76 zq?VT*#&~a?=h}2K1D}}f8E@jN8XGnpZv$I0N|=y?;>BR$hJ7vqkhv46UpO=>H*ax@ z-F?UgNNSfs0Dh0psw{d~0f%%fBjm=)XsNB0D&zSA8jI1sfKyd)7~%{A?1w_{mE4^7 z8imG_i}P6BTriPgqb;CEFw9F6^#JW3yFuK7!(bUDJQzBV4p#CK+AhABYUV~G<5#2a zTjZyfEYMmD_zMvLSc^%Tp8}{is&&Bz0@j&N}#E^wKmGi2^~If-Z8R zh7Y?0@NEDn?lERp5=Fyj{PfHlltP4&o`9@D*&}qNK0xqWFsQxfqPTUJTrKg#6yU~D z#*B>Zmf`~4H=Y8%%19b|JwW`5VtyPC5HHjY&nDfYeeunO)B=ssn> z#lS>NVJQ@x*hudy7Y#JD^}J*6$++6rYs>BOI!E!7@6LYp4B|2H;d&^F0A7QI!)pDXFv&-eL zA~0WDz14)Tj`fvtS+wT4Nz0=beK|Gwpp2{~#`%ysP1YPqT-V{`afMo-g{9`Dk6{rq z<}Q^DZSqyUl%0x~j3p>&Q2)ga^XXeB^Mp<&wHHgcw>U3KORV}tW~6BCjYCp_6a*y! zb;DxZO+%GWHkIPqI-0T`_p7juJex>AdgYUh(eYwGHt=3~{%**Wz4^EuY1
s|)TRD0vGs2UKyg2w47<+D+~{>-Q++BdU4Bq^moVQKCMDk3 z=Ip~2VwdziRP2boRSCGBn+aVu&KMTF61S1oFNNM{QG$T>{nY2Q8~bv_k$46Pi%F*! zn-}MO3G{&obxID2B1Jk`F_+$txU5NH>TR210#U9q`{y<1$E)twQ?dtCc`93=J;2;s zsXC{A*)cGEKa_F2?Q~~tUSi|ng!~*OWKDFoQY^P^^4-PhqD&e4HJ;mlXmp+GU_LmM zAm%cp+>U7D9hx{SGMT+NsK2nUb4Y3#p^e)dhG%33nvI3x^#fLsBL!~0F^qC+sA=*> z0=NF`3=?UXFAc0gY`bNL)jM%GU9HKh?Yp^%2PhgIv*^C3CFGs21ogpTYmG_6CcGO* zC6p@cH$arO?R1Za1aj#BUH#>yH(if2K){!{>L9gO2b4@FMNt2kZb4FHJ&XYHq2$zm zih?AkQS8+`*rs;=rOl)eI{{0T7G4P=F*_ow+~6Qr@r1`PMB~a+qig%ghoq`PxJeJ% zn|Gx}S&NGbh`!=FH?wnU7;LA)L_8fxRJmYQMC!I5N_9`a2)=v+RZ^t6nf<7{KL+y? z%V+D_JExi3-EN{eRrfzxn;@n|Cg5K=68Db~>Hv$!OYtRC8-)=9ZlVcmV^b(W!rkGJ zMs31wcEE`&o*Mxy$dWVKRBe;aAYa+kw{m3Lj$P(QIaPOF`t*IiNuCfbHqmyIyXA^S z45iYx_~(*ux&|Zsjv~;zl-Y;Cj<>XHi*swFvmqO?1teG|InMA3<9#5-m3hNKuW=E0 zJA3z(cLu#{jcq5T&p*2a&(GDftYlH&3rV-){&B>oH)kAqHOTPZl+VF;v*^4JPM4p# z@`<1+s%RZ4uvd#rb)P7nIQ5K5Hl=P3e|qAGHHg2#j3IywB*r&^;U6+2mW4`L` z`C$PbOBoyTc|0|%@mk;|tZvLrbY$eVwZTL9y!S>JDeEZqAgbKNK=0~vz1<^}KqS7T zrsbSs@^K5^Bs_i=#MH#JstaVXOLQ(AwhiAz5enpxD^S3+++(mU6BfQ-8HVt23kAS2 zv8SU&5ib*{FpA~MU%$RH={{ypxr?WztnVCNRfI`9+o!yHxy z6c4Gwn^6=kr4>Hsj|JWQ;^(v_+%ju^?fs3GybqoTW+20yhdw6~t~MokNk2~nCCJ)j zyINUCPu5nhRbQRrI@PBFEYO`r&eTFWzvr@zr{QkFg*V3E3exXh*wxHY*X&L4#YgUB zYitP>5*($G6J`&Pu3k#nHEt8!4esFA*`%T~%B~Oz5$sI}jcvN4X+BJceKfiPBA((x z<(>l{9bFG7`7_9n;tXXO*TdI8S=paTQOxR+`?mq)l@-*?=7YV}Jh~1Ftz2($jXGg+ zd?mAbPuWViV(Bi!A{LTpXk!DPn5d27>hslMG_;+zE5lxbKI z9wIt4Lx}DlVk4zz4imY8&5!$t^Fo_y+Yz9JG2don_bB`?E|BS%9V>V$#JJoNPWM`{ z+OoPV3;Z#0bRS=bN)bgz*$%I7Jl72m4k~myZ=)0@Wwk9^dtv39(1I<#&$+eN7gJT~ zy7)5B%IDIS+jHv-sm+e-L(X=Dta7-J!B=>PiVR<_*-qPp6XYuzLXs*1)5xc=rE+8x zdjQ+jb~aFgzKG}n?o&M@-)|y4#kXiT4ux^UuS8s83zgF}P=Pb;Jz_T^ey0YENc@OH z{LVlI6z7DzNW_y=oRqqo&XCQ^y~3=M&Rn{ittEJiWFysitY=$PB;FZPJzjj9PrL*@ zN@Z}DvH`1?sb~9UP0UBhv|)z0MM{$E$tOGAyz20t*E02wNICiG#8{HvE^Q5=`;-01 zZ&7N@Af`E~nHSfa4OX(=UZZ>nkNFld7d$|SPn1BXUC>bkUB7BdG@uKnwex;OT;Vq# zA4Hg7g5G4IB@O(-BsprhQmsRxv5-Mr7G*?pF;{~dG}WRWEx z?GW%3FkZ(;If)rGh5HM4xZ-`@x!kR?1#Kuc4-O8*N&z&9DGhuqg=fLeM1kpLFP1t$ zuH+RV>i|T#LajoA%PbK(^|Te;S*~eE?h0W(F^r!GOAOzXVb1PmibArOzQA-I?P^G( zQ)%QJ?Y?g`s3y{xv0?cV5_NS*R<$L>KSsxp*wnV-1MZVbru7ogr0 zTFa{nZ$Su^UD4lQ;-hKG06}nBP)Hw5g8WEGYZ`aL5fQoAtm!fdveDTSkxtqWRjYg& z6*cK8rl5(6l=f+z<+<5bK5#*bh0QXlfpUk7?k20EK#g+}@PQB-yfTvY`I$rNfw1G` z_-QLqTokFc-Tpqw$*19@sHN$5l7mG3>2iT8bM+p#ngxZzgYlFK2YF(*#B*?c%fZvtt2!y~uIB=N#w#B&EACV-6pw^2k? zwev=ME_;Gbk?C~J^SQCZ#Ky7BES1=vsb0`=u=XR)2rdOu^#bpM4FV%Eu0kRC1z+c_w~kEJ;hf- zob+9GJU7DyXtIay4b~odHNGZ5>^Ti9F<26*@}%iK*ms+rCM2xzLpGM$DO=oP8!{!P zmtmk=jJVP5a%GULU>*5J$pXFm%h%g*^LNFnn%{m6AJrrfzVt4Rt;Fx=*yRHV?-AoJ zOHI>@>4ij1%plqZSH8_aZFdwMH|K+@*4HnYZ&Kg%d=DS*8qymkQ-H_W#*JLUrx?bT z?O9|JAu%mB)=TBk{W{C_9MMh(C_Y zP*AE=O#Vz+Sqi{}jL{qzQma?XGHg!(6I-Vlta#VwPz7LGX|hqcjEJ1nUk{ z+Cx15b{l5ZuiNxBW`-H+$Z#`53~Uhs2pUn1Oh&cEFQq63wK9BQ2b;%vPd*Ic@?0Q= z*Tt5qw>2E$f)G%hzt3={0fe6_cR!e!T4K$1~CRz6S)w*Kw2 zBAa-l{3YepqpsTP+nfg!{kvhZe4w1WhhPE^m`~4B5xk#B`V%9@je7xR%Dy~w{*hUN zNy2n<0ic46I?ouQuYqu4K-20Y9jc%_ELjIoLFM=i+$=?)X2Ju>T*|1b@jikVNi3;t z!G@6wc-qQW-B|E{ZTdOXroTrWF8c_@p1<{~Gl1#m@Q448hffbq&M)QQ{z)DuQl2(4 zWkh`?hssh2>3=cZEclq-iV(7T_VG_sRSU>Iz`E)te@vwUaVPKkzO_a;JlFBH1c! z8B{h_4ZYWeJ-*1{RDx~`u_6vskJHaKsU&_git6tu9wcCqxr1I0H_pNumtHADzaxv2 zldYL%vqo~u{?qf5&58GU1uHAx@~kXe{}+_qZ-whq_4Q+b4>PVIxgIB&V)W$f8^m+k zeQ#=@m-#zKJga`z)HPIsS=ftY)I3HfFM#3-~dXq_J%08EmjGhLj859ZHN zO%V_P6ATinfOIfx%&z>N1?l<1Dek{qG7@{?YiRe;;N1K{b+EjH8> z{S!4_-<)VU0jMG;lKB0>vMJCi7Z#%GrSy-moA*l}Eda(S%>iKC>gY=(*&%KoTZ=w9 z_i3l(kt)sCg4ka06|-WXRCF((mlJ5>~l77sLb|VZ@!EUUn_2}%DtOYMJ;GqF!7<3VJkA_<4Vew z1xf;w(q})u4z^2mL(Ztq38jBTqi|d`wFZPwk*U<-bfCLqcLMhWC|uZHDgLM_nidhH z-~^iU+%G^7y5UfFWSK`8wx3ZWy+6#z>a8zvdE-TuCKfbZ4HqDr?+id=&jgs_VuHS9 z@_V`CP)0;iSj;batsJHO(_qU6!knFEbpR7$yP?XmbJCNGD3Q^Q1Z$Xk#)qO_q(i6( zNqq>uX|Fc|g#!WUnXz0mR+)I$4HDmV!zX8Mwm21%``*4woCAFNjr>Zb$4BIo#WVtl4*=Rm%EI)(Kf15)QZv1d-!?r&wOdaME6?^mI z)HTG(czGF6R?9nIcSaubCks%=1hgo8*&Hi(bTn!L+{N;VJ81(DL@2^z%6AAA?4GyP zvrm;s@n^&yLX4Jxb;u}H87g?Fj_bJ$$l`+N%f88!O{GMt?SSG7@Sw`MPS)3OK1Olcq`gshGGLK@_K>W^3Q%Ch8N8v^iX?cmeQ zc%`d)7Q>b`KCe39#~up~7ClhOd=owS&KCI2t}t1^U+#2_;4Ulb#OMxu!pI(rNr8s# zo1j@iq1BkU4{B+asyseNjQ6Qdsh5heJ=urO(!^g{;MQ&E-wb^L`UcOXA?F{7sqNBQ zf~G(tZpyt8uC7Gh%)r72YMZS9e3DNROD0lrn!`T^bv2=wMiMmuK;=PkF4|TaCn@XF zYlHRz!(P*J-9d3s)!Udvngt$zc$_f1h|BP ziEXttNWiZQ2B3Zy020cR&xNbXVw#VQ%b37iB;eUij*EE*PWN;e_jav*W~0PYv^*8K z6L*SPF+n3Oy&P=~C=!0?>-Qk;=JG8j#3U{TjVA`BMxHa5yl+0KcA_;6TcFl(biNjP zCWd=u^r^cUd+wdrHwSqJa7@%*PogMWj{^AU9b0f`N$Gn(65=(=O__-E=)K5(^W{eF zDoVwIWw|mjZLwmpFnNt!)yV9!%wCPkC^O;?;~s-tf2{P%7q!&$s4N%;%&OhISC7y3 zL=F4Oq}%~!Y*;`iQwJFY+cOoQnq+sS0|KuGO>S$l2&palsp2Hiv)uVvSrG2TK1=&b zwH9oAbm^`%DGTX8sw%|tsiL8(3hF&uic}xvV#A&Gf{tkVTXs!(or{-@I`Rv1e9c9ck6B}6lq{34 z7c&8xQ(P)fB|x8VNh?wzDLCftJMnuf5+%UIcOc0YNBEqfh@Qa!MLiH*W4*_Xt6iGT zqac-8otT`AT3K&@DQ2{IUQ4SrDuy4+l7O)f#ae&Th|%Oi(bQ5xM%E>Se|p&>W>q2~ zxM&oRX5)&!6h*f5-_?AP&3K!0$q)o1+C*&LNUh6kf9e63YXJ>bQyW#POn(5f%z0}( z6qJzzpbWjG2@*)~i+n;fURZz^QQ{rjK43MK1hZAVLpN_<{(g}X+LJB!rA<}`FmSW{ zBtO~0PcQZ`E)JxcIev+E;M028as*FiTL2|>S-lGMxu%PtaLO&gr+Qkc&I=Ly)FNIv zluK7Pv&8W6!|OWr#0ZkN8p32}lJc#Vr$bpMg|?lamM}8}l0bRv!U54t>T}+$FD0hS z4Y%0$TD<&IoNH`$@>}MolQ;}@Rj$8kDHWeobS4WvQ1=U9Xr7h0p(Rf}uO#W2Krr4n zR}ntUdwTU|iw^xc9w~Egh0|?aL?+`0KO9jmGFYsWKO!5~h`OcEAJRBc!D2K<@|Xh0 zqvbxmQyNrhSX6TekP!xSF)|czVo3%HY>)Sqb0JhIN%YPT zXiXk)N38*q$23qym~E7GC@5+Y&l&@ij5~*(6fC7cX9%( zrFl?sz%r1jnOdJ18>()3>$7BM?HzkP~wvNYUFqI)~!>4bSJp za7V@7*#qFB#->Ua=$|c?JRqZS8ryGS&!k(whHhV>sf|t7Q~S6^PQMUdr(#E(@UUj5 zlE7pefT=H+=u)MMC2E3B;0gC@l=Ff`9EvlWjc~BEfx0+PR}Oz#X6`vyi^;HSN+o^s zJu`ymqXp%-rJ3|>9`OlB zxdz2iWrT&ik3giC#V@h_;Qr|k^_hrn!;28=PMovu(E*vhBrV)_KQx*~1uIE%1=)^S z3clcNv{p&{#DZ~?%4?cFUhZbc;x_BIa%Dm)H@`Ji2&pGPwY5!JF)Lmf#18P+BCLC- zZ)j4&K6s@CU9RJBg{AS?(i^O+_yAdFyA{_!n7EAsl07p6nOXDMVIf7~L>)c0s$Fb) z$Qa%FKsox%!0g0yKVW9|?Z55;%cIW#rubuHVoW}@Bqk<~chqWl=@s!j$;b#rPD^g67PThIlIzVvTR7LF%!={PF=Wp@E!F%vig^}t-Bsa%RhfT1i%%~ z0W?G~2<)w!EDA#YQq3%JnK}EHU;Tw-_-dh$3~|A@KR=rj3hn^}GN0Pzdh!1wID?E? zA|UhCF=izB$+%n$G;k+^@uU4-%^QuE3uIS?)uJmaGBXtyCpFRYmXx)%QIe&|xDB*!CdfJ;_j zhY>s&*aU=-?{NiMZxkt5Lp&u~TEis48r1I{fpDKm9aJ4>6eQONa%1tsAKixb0^&ll zm8LdG**;T~6TI8X?JAEyef7>tQNNn2+S+3uckyJP;`F$C9;Y4-G~0^ zYaVg>Edu^4p)0H0O3y{eTo-#wmuf(s^iKXR*mdd!!7YaL zpM2}sNm2Z#LwJ#o!l~%IIQ)xO zh6*>2e=M6JjrGszibI~tT47>e;lo$jQ_h^Iaw|E5fS%~AbtIkB7@)z~5?hXBDKY6{ z5jHN?eA#>;=y&Ql1llV}MIKhWyMe~e+v@Nv@~fpuY&Ec_M2{x1l@i_@Uf_|kfB;Q7 zf|KqtG2|$-hXGsPFYDrKVXPVnM5SM65|}R)B2evmuOzwPACUQyg#FvtTIk42qK%|| zyw4h@eeHm0Xk|2(l%5Ba=(fM`JfQA)j87GtDOK0K?I?p-m-X97o|yzjb-$EGyhnhzRm0*+gq zZhhDNGY>d8D!SYVc$$buBe2YxcjPY+p#3GUv(L%%C1@E~5%B0O&`53k6yQj0<~bhV5H94PE|4CeM120Qe7~VJTq~wF kXa6SPfTYKS1OJ)lrK(Ngo9!I|JmQ_f)78&qol`;+05laSKmY&$ diff --git a/versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP9/README.md b/versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP9/README.md deleted file mode 100644 index a8cae83d..00000000 --- a/versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP9/README.md +++ /dev/null @@ -1,132 +0,0 @@ ---- -slug: /MEP-9-no-open-ports-to-the-data-center -title: MEP-9 -sidebar_position: 9 ---- - -# No Open Ports To the Data Center - -Our metal-stack partitions typically have open ports for metal-stack native services, these are: - -- SSH port on the firewalls -- bmc-reverse-proxy for serial console access through the metal-console - -These open ports are potential security risks. For example, while SSH access is possible only with private key it's still vulnerable to DoS attack. - -Therefore, we want to get rid off these open ports to reduce the attack surface to the data center. - -## Requirements - -- Access to firewall SSH only via VPN -- Easy to update VPN components - -As a next step, we can also consider joining the management servers to the VPN mesh, which would replace typical WireGuard setups for operators to enter resources inside the partition. - -## High Level Design - -[](./architecture.svg) - -> Simplified drawing showing old vs. new architecture. - -### Concerns - -There's few concerns when using WireGuard for implementing VPN: - -1. WireGuard doesn't implement dynamic cipher substitution. Which is important in case one of the crypto methods, used by WireGuard will be broken. The only possible solution for that will be to update WireGuard to a fixed version. -2. Coordination server(Headscale) is a single point of failure. In case it fails, it potentially can disconnect existing members of the network, as WireGuard can't manage dynamic IPs by itself. -3. Headscale is already falls behind Tailscale coordination server implementation. Which can complicate the upgrade to newer version of Tailscale client in case of emergency. - -### Solutions to concerns - -1. Tailscale node software is using userspace implementation of WireGuard -- `wireguard-go`. One of the options is to inject Tailscale client into `metalctl`. And make it available as `metalctl vpn` or similar command. It should be possible to do as `tailscale` node is already available as open sourced Go pkg. That would allow us to control, what version of Tailscale users are using and in case of any critical changes to enforce them to update `metalctl` to use VPN functionality. -2. Would it be a considerable risk? We could look into `wg-dynamic` project to cover this problem. -3. At the moment, repository looks well maintained and the metal-stack team already contributes to it. - -## Implementation Details - -### metal-roles - -`metal-roles` will be responsible for deployment of `headscale` server(via new `headscale` role). It also should provide sufficient config to `metal-api` so it establishes connection with `headscale` gRPC server. - -### New `metalctl` commands - -`metalctl` will be responsible for client-side implementation of this MEP. Specifically, it's by using `metalctl` user expected to connect to firewalls. - -- `metalctl vpn` -- section for VPN related commands: - - `metalctl vpn get key [vpn name] --namespace [namespace name]` -- returns auth key to be used with `tailscale` client for establishing connection. - -Extend `metalctl firewall`: - -- `metalctl firewall ssh [ID]` -- connect to firewall via SSH. - -Extend `metalctl machine`: - -- `metalctl machine ssh [ID]` -- connect to machine via SSH. - -`metalctl` will be able to connect to firewall and machines by running `tailscale` in container. - -### metal-api - -Updates to `metal-api` should be made, so that it's able to add firewalls to VPNs. There should be one Tailscale namespace per project. So if multiple firewalls are created in single project, they will join the same namespace. - -Two new flags should be introduced to connect `metal-api` to `headscale` gRPC server: - -- `headscale-addr` -- specifies address of Headscale grpc API. -- `headscale-api-key` -- specifies temporary API key to connect to Headscale. It should be replaced and then rotated by `metal-api`. - -If `metal-api` initialized with `headscale` connection it should automatically join all created firewalls to VPN. - -Add new endpoint, that will be used by `metalctl` to connect to VPN: - -- `/v1/vpn GET` -- requests auth key from `headscale` server. - -### metal-hammer - -`metal-hammer` acts as an intermediary for machine configuration between `metal-api` and machine's image. Specifically it writes to `/etc/metal/install.yaml` file, data from which later will be used by image's `install.sh` file. - -To implement VPN support we have to add authentication key and VPN server address to `install.yaml` file. This key will be used to join machine to a VPN. - -### metal-images - -Images `install.sh` script have to be updated to work with authentication key and VPN server address, provided in `install.yaml` file. If this key is present, machine should connect to VPN. - -### metal-networker - -`metal-networker` also have to know if VPN was configured. In that case we need to disable public access to SSH and allow all(?) traffic from WireGuard interface. - -### firewall-controller - -`firewall-controller` have to monitor changes in `Firewall` resource and keep `tailscaled` version up-to-date. - -### Resources - -Update `Firewall` resource to include desired/actual `tailscale` version: - -``` -Firewall: - Spec: - tailscale: - Version: Minimal version - ... - Status: - ... - VPN: - Status: Boolean field - tailscale: - Version: Actual version - ... -``` - -### bmc-reverse-proxy - -TODO - -## References - -1. [WireGuard: Next Generation Secure Network Tunnel](https://www.youtube.com/watch?v=88GyLoZbDNw) -2. [How Tailscale works](https://tailscale.com/blog/how-tailscale-works) -3. [Tailscale is officially SOC 2 compliant](https://tailscale.com/blog/soc2) -4. [Why not Wireguard](https://www.ipfire.org/blog/why-not-wireguard) -5. [Wireguard: Known Limitations](https://www.wireguard.com/known-limitations/) -6. [Wireguard: Things That Might Be Accomplished](https://www.wireguard.com/todo/) -7. [Headscale: Tailscale control protocol v2](https://github.com/juanfont/headscale/issues/526) diff --git a/versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP9/architecture.drawio b/versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP9/architecture.drawio deleted file mode 100644 index adb09214..00000000 --- a/versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP9/architecture.drawio +++ /dev/null @@ -1,324 +0,0 @@ - - - - - - - -
-
-
- Metal Control Plane -
-
-
- - - Metal Control Plane - - - - - - - -
-
-
- metal-stack -
- Partition -
-
-
- - - metal-stack... - - - - - - - -
-
-
- firewall -
-
-
- - - firewall - - - - - - - - -
-
-
- machine -
-
-
- - - machine - - - - - - - -
-
-
- ssh -
-
-
- - - ssh - - - - - - - -
-
-
- bmc-proxy -
-
-
- - - bmc-proxy - - - - - - - - - - - - - -
-
-
- Metal Control Plane -
-
-
- - - Metal Control Plane - - - - - - - -
-
-
- metal-stack -
- Partition -
-
-
- - - metal-stack... - - - - - - - -
-
-
- firewall -
-
-
- - - firewall - - - - - - - - -
-
-
- machine -
-
-
- - - machine - - - - - - - -
-
-
- ssh -
-
-
- - - ssh - - - - - - - - - -
-
-
- bmc-proxy -
-
-
- - - bmc-proxy - - - - - - - -
-
-
- headscale -
-
-
- - - headscale - - - - - - - - - - - - - -
-
-
- tailscaled -
-
-
- - - tailscaled - - - - - - - - - -
-
-
- tailscaled -
-
-
- - - tailscaled - - - - - - - -
-
-
- Internet -
-
-
- - - Internet - - - - - - - -
-
-
- Internet -
-
-
- - - Internet - - - - - - - - - Viewer does not support full SVG 1.1 - - - - diff --git a/versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP9/architecture.svg b/versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP9/architecture.svg deleted file mode 100644 index fd268d2f..00000000 --- a/versioned_docs/version-v0.22.2/contributing/01-Proposals/MEP9/architecture.svg +++ /dev/null @@ -1 +0,0 @@ -
Metal Control Plane
Metal Control Plane
metal-stack
Partition
metal-stack...
firewall
firewall
machine
machine
ssh
ssh
bmc-proxy
bmc-proxy
Metal Control Plane
Metal Control Plane
metal-stack
Partition
metal-stack...
firewall
firewall
machine
machine
ssh
ssh
bmc-proxy
bmc-proxy
headscale
headscale
tailscaled
tailscaled
tailscaled
tailscaled
Internet
Internet
Internet
InternetText is not SVG - cannot display \ No newline at end of file diff --git a/versioned_docs/version-v0.22.2/contributing/01-Proposals/_category_.json b/versioned_docs/version-v0.22.2/contributing/01-Proposals/_category_.json deleted file mode 100644 index 2e7fa4bf..00000000 --- a/versioned_docs/version-v0.22.2/contributing/01-Proposals/_category_.json +++ /dev/null @@ -1,4 +0,0 @@ -{ - "position": 1, - "label": "Enhancement Proposals" -} \ No newline at end of file diff --git a/versioned_docs/version-v0.22.2/contributing/01-Proposals/index.md b/versioned_docs/version-v0.22.2/contributing/01-Proposals/index.md deleted file mode 100644 index 0f6eddc3..00000000 --- a/versioned_docs/version-v0.22.2/contributing/01-Proposals/index.md +++ /dev/null @@ -1,69 +0,0 @@ ---- -slug: /enhancement-proposals -title: Enhancement Proposals -sidebar_position: 1 ---- - -# Metal Stack Enhancement Proposals (MEPs) - -This section contains proposals which address substantial modifications to metal-stack. - -Every proposal has a short name which starts with _MEP_ followed by an incremental, unique number. Proposals should be raised as pull requests in the [website](https://github.com/metal-stack/website) repository and can be discussed in Github issues. - -The list of proposals and their current state is listed in the table below. - -Possible states are: - -- `In Discussion` -- `Accepted` -- `Declined` -- `In Progress` -- `Completed` -- `Aborted` - -Once a proposal was accepted, an issue should be raised and the implementation should be done in a separate PR. - -| Name | Description | State | Progress | -| :------------------------------------------------------------- | :--------------------------------------------- | :-------------: | :----------------------------------------------------------------: | -| [MEP-1](MEP1/README.md) | Distributed Control Plane Deployment | `Declined` | | -| [MEP-2](MEP2/README.md) | Two Factor Authentication | `Aborted` | | -| [MEP-3](MEP3/README.md) | Machine Re-Installation to preserve local data | `Completed` | | -| [MEP-4](MEP4/README.md) | Multi-tenancy for the metal-api | `In Progress` | [releases#236](https://github.com/metal-stack/releases/issues/236) | -| [MEP-5](MEP5/README.md) | Shared Networks | `Completed` | | -| [MEP-6](MEP6/README.md) | DMZ Networks | `Completed` | | -| [MEP-7](https://github.com/metal-stack/docs-archive/pull/51) | Passing environment variables to machines | `Declined` | | -| [MEP-8](MEP8/README.md) | Configurable Filesystemlayout | `Completed` | | -| [MEP-9](MEP9/README.md) | No Open Ports To the Data Center | `Completed` | | -| [MEP-10](MEP10/README.md) | SONiC Support | `Completed` | | -| [MEP-11](MEP11/README.md) | Auditing of metal-stack resources | `Completed` | | -| [MEP-12](MEP12/README.md) | Rack Spreading | `Completed` | | -| [MEP-13](MEP13/README.md) | IPv6 | `Completed` | | -| [MEP-14](MEP14/README.md) | Independence from external sources | `Completed` | | -| [MEP-15](https://github.com/metal-stack/docs-archive/pull/232) | HAL Improvements | `In Discussion` | [releases#238](https://github.com/metal-stack/releases/issues/238) | -| [MEP-16](MEP16/README.md) | Firewall Support for Cluster API Provider | `Accepted` | [releases#237](https://github.com/metal-stack/releases/issues/237) | -| [MEP-17](MEP17/README.md) | Global Network View | `In Discussion` | | -| [MEP-18](MEP18/README.md) | Autonomous Control Plane | `In Discussion` | | - -## Proposal Process - -1. Before starting a new proposal, it is advised to have a quick chat with one of the maintainers. -2. Create a draft pull request in the [website](https://github.com/metal-stack/website) repository with your proposal. Your proposal doesn't have to be finished at this point. -3. Share the PR in the [metal-stack Slack](https://metal-stack.slack.com/) and invite maintainers to review it. -4. The review itself will probably take place in multiple iterations. Don't be discouraged if your proposal is not accepted right away. The goal is to reach consensus. -5. Once your proposal is accepted, create an umbrella issue in the relevant repository or when multiple repositories are involved in the [releases](https://github.com/metal-stack/releases). -6. Other issues should be created in different repositories and linked to the umbrella issue. -7. Unless stated otherwise, the proposer is responsible for the implementation of the proposal. - -## How to Write a Good MEP - -In the first section of your MEP, start with the current situation and the motivation for the change. Summarize your proposal briefly. - -Next follows the main part: describe your proposal in detail. Which parts of of metal-stack are affected? Are there API changes? If yes, describe them and provide examples here. -Try to think of side effects your proposal might have. Try to provide a view on how your proposal affects users of metal-stack. -Highlight breaking changes and think of a migration path for existing users. If your proposal affects multiple components, try to describe the interaction between them. - -After the main part of your proposal, feel free to add additional sections, e.g. about alternatives that were considered, non-goals or future possibilities. - -Depending on the complexity of your proposal, you might want to add a section about the implementation plan or roadmap. - -You can have a look at the existing MEPs for inspiration. As you will notice: not every MEP has the same structure. Feel free to structure your MEP in a way that makes sense for your proposal. diff --git a/versioned_docs/version-v0.22.2/contributing/02-planning-meetings.mdx b/versioned_docs/version-v0.22.2/contributing/02-planning-meetings.mdx deleted file mode 100644 index df10177b..00000000 --- a/versioned_docs/version-v0.22.2/contributing/02-planning-meetings.mdx +++ /dev/null @@ -1,120 +0,0 @@ ---- -slug: /planning-meetings -title: Planning Meetings -sidebar_position: 2 ---- - -# Planning Meetings - -Public planning meetings are held **biweekly** on **odd calendar weeks** from **14:00 to 14:30** (Berlin/Europe timezone) on Microsoft Teams. The purpose is to provide an overview of our current projects and priorities, as well as to discuss new topics and issues within the group. - -export function PlanningMeetingDatesTable() { - const today = new Date(); - const dayOfWeek = today.getDay(); - - let daysUntilMonday = 0; - switch (dayOfWeek) { - case 0: - daysUntilMonday = 1; - break; - case 1: - daysUntilMonday = 0; - break; - default: - daysUntilMonday = 8 - dayOfWeek; - } - - const nextMonday = new Date(); - nextMonday.setDate(nextMonday.getDate() + daysUntilMonday) - - let onejan = new Date(today.getFullYear(), 0, 1); - let week = Math.ceil((((nextMonday.getTime() - onejan.getTime()) / 86400000) + onejan.getDay() + 1) / 7); - - if (week % 2 === 0) { - nextMonday.setDate(nextMonday.getDate() + 7) - } - - const blacklist = [ - new Date('2025-12-29'), - ] - - const amount = 8 - const dates = []; - - for (let i = 0; i < amount; i++) { - const nextDate = new Date(nextMonday); - nextDate.setDate(nextDate.getDate() + (i * 14)) - - if (blacklist.find(item => {return item.toDateString() == nextDate.toDateString()}) !== undefined ) { - continue - } - - dates.push(nextDate.toDateString()) - } - - return ( - - - - - - - - - - {dates.map((date, index) => ( - - - - - - ))} - -
DateTimeLink
{date}14:00 – 14:30Join Link
- ) -} - - - -Our [development planning board](https://github.com/orgs/metal-stack/projects/34) can be found on GitHub. - -[//]: <> (The C025PB1EUKC in the slack url references the #devs channel.) -If you want to get an invitation to the event, please drop us a line on our [Slack channel](https://metal-stack.slack.com/archives/C025PB1EUKC). - -Planning meetings are currently not recorded. The meetings are held either in English or German depending on the attendees. - -:::info -Note that anyone can contribute to metal-stack without participating in planning meetings. However, if you want to speed up the review process for your requirements, it might be helpful to attend the meetings. -::: - -## Agenda - -Here is the agenda that we generally want to follow in a planning meeting: - -- Possibility to bring up news that are interesting for every developer of the metal-stack org -- Check `Done` column and archive cards - - Attendees have the chance to briefly present achievements if they want -- Check the `In Progress` column and discuss whether these tasks are still worked on, there were significant blockers or they can be lower-prioritized -- Check new issues labelled with `triage` and prioritize them -- Allow attendees to bring up issues and prioritize them - - Attendees have the chance to briefly present these new issues - -## Idea Backlog - -The backlog contains ideas of what could become part of the roadmap in the future. The list is ordered alphabetically. Therefore, the order does not express the importance or weight of a backlog item. - -We incorporate community feedback into the roadmap. If you think that important points are missing in the backlog, please share your ideas with us. We have a Slack channel. Please check out [metal-stack.io](https://metal-stack.io) for contact information. - -:::danger -By no means this list is a promise of what is being worked on in the near future. It is just a summary of ideas that was agreed on to be "nice to have". It is up to the investors, maintainers and the community to choose topics from this list and to implement them or to remove them from the list. -::: - -- Add metal-stack to [Gardener conformance test grid](https://testgrid.k8s.io/gardener-all) -- Autoscaler for metal control plane components -- CI dashboard and public integration testing -- Improved release and deploy processes (GitOps, [Spinnaker](https://spinnaker.io/), [Flux](https://fluxcd.io/)) -- Machine internet without firewalls -- metal-stack dashboard (UI) -- Offer our metal-stack extensions as enterprise products (accounting, cluster-api, S3) (neither of them will ever be required for running metal-stack, they just add extra value for certain enterprises) -- Partition managed by Kubernetes (with Kubelets joining the control plane cluster) -- Public offering / demo playground diff --git a/versioned_docs/version-v0.22.2/contributing/03-contribution-guideline.md b/versioned_docs/version-v0.22.2/contributing/03-contribution-guideline.md deleted file mode 100644 index 2c0526e3..00000000 --- a/versioned_docs/version-v0.22.2/contributing/03-contribution-guideline.md +++ /dev/null @@ -1,145 +0,0 @@ ---- -slug: /contribution-guideline -title: Contribution Guideline -sidebar_position: 3 ---- - -# Contribution Guideline - -This document describes the way we want to contribute code to the projects of metal-stack, which are hosted on [github.com/metal-stack](https://github.com/metal-stack). - -The document is meant to be understood as a general guideline for contributions, but not as burden to be placed on a developer. Use your best judgment when contributing code. Try to be as clean and precise as possible when writing code and try to make your code as maintainable and understandable as possible for other people. - -Even if it should go without saying, we live an open culture of discussion, in which everybody is welcome to participate. We treat every contribution with respect and objectiveness with the general aim to write software of quality. - -If you want, feel free to propose changes to this document in a pull request. - -## How Can I Contribute? - -Open a Github issue in the project you would like to contribute. Within the issue, your idea can be discussed. It is also possible to directly create a pull request when the set of changes is relatively small. - -When opening an issue please consider the following aspects: - -1. Create a meaningful issue describing the WHY? of your contribution. -1. Try to set appropriate labels to the issue. For example, attach the `triage` label to your issue if you want it to be discussed in the next [planning meeting](./02-planning-meetings.mdx). It might be useful to attend the meeting if you want to emphasize it being worked on. - -### Pull Requests - -The process described here has several goals: - -- Maintain quality -- Enable a sustainable system to review contributions -- Enable documented and reproducible addition of contributions - -1. Create a repository fork within the context of that issue. Members of the organization may work on the repository directly without a fork, which allows building development artifacts more easily. -1. Develop, document and test your contribution (try not to solve more than one issue in a single pull request). -1. Create a Draft Pull Request to the repository's main branch. -1. Create a meaningful description of the pull request or reference the related issue. The pull request template explains what the content should include, please read it. -1. Ask for merging your contribution by removing the draft marker. Repository maintainers (see [Code Ownership](#code-ownership)) are notified automatically, but you can also reach out to people directly on Slack if you want a review from a specific person. - -## General Objectives - -This section contains language-agnostic topics that all metal-stack projects are trying to follow. - -### Code Ownership - -The code base is owned by the entire team and every member is allowed to contribute changes to any of the projects. This is considered as collective code ownership[^1]. - -As a matter of fact, there are persons in a project, which already have experience with the sources. These are defined directly in the repository's [CODEOWNERS](https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners) file. If you want to merge changes into the master branch, it is advisable to include code owners into the process of discussion and merging. - -### Microservices - -One major ambition of metal-stack is to follow the idea of [microservices](https://en.wikipedia.org/wiki/Microservices). This way, we want to achieve that we can - -- adapt to changes faster than with monolithic architectures, -- be free of restrictions due to certain choices of technology, -- leverage powerful traits of cloud infrastructures (e.g. high-scalability, high-availability, ...). - -### Programming Languages - -We are generally open to write code in any language that fits best to the function of the software. However, we encourage [golang](https://en.wikipedia.org/wiki/Go_(programming_language)) to be the main language of metal-stack as we think that it makes development faster when not establishing too many different languages in our architecture. Reason for this is that we are striving for consistent behavior of the microservices, similar to what has been described for the Twelve-Factor App (see [12 Factor](https://12factor.net/)). We help enforcing unified behavior by allowing a small layer of shared code for every programming language. We will refer to this shared code as "libraries" for the rest of this document. - -### Artifacts - -Artifacts are always produced by a CI process (i.e. Github Actions). - -Container images and [OCI artifacts](https://github.com/opencontainers/image-spec) are published on the Github Container Registry of the metal-stack organization. Please consider using Github Actions workflows utilizing similar actions as the other repositories (e.g. [build-push-action](https://github.com/docker/build-push-action), ...) - -For OCI images, we usually utilize [oras](https://github.com/oras-project/oras) for pushing the artifact to the registry. - -For signing artifacts we use [cosign](https://github.com/sigstore/cosign). The private key for signing artifacts is a CI secret called `COSIGN_PRIVATE_KEY`. - -Binary artifacts or OS images can be uploaded to `images.metal-stack.io` if necessary. - -### APIs - -The preferred way to implement an API is using [Connect RPC](https://connectrpc.com/), which is based on [grpc](https://grpc.io/). For working with the [Protobuf](https://protobuf.dev/) definitions, we utilize [buf](https://github.com/bufbuild/buf). - -The metal-api does still have a [Swagger-based](https://swagger.io/) API exposing traditional REST APIs for end-users. This API framework will become deprecated so it should not be used anymore for new projects. - -#### Versioning - -Artifacts are versioned by tagging the respective repository with a tag starting with the letter `v`. After the letter, there stands a valid [semantic version](https://semver.org/). - -### Documentation - -In order to make it easier for others to understand a project, we document general information and usage instructions in a `README.md` in any project. - -In addition to that, we document a microservice in the [docs](https://github.com/metal-stack/docs) repository. The documentation should contain the reasoning why this service exists and why it was being implemented the way it was being implemented. The aim of this procedure is to reduce the time for contributors to comprehend architectural decisions that were made during the process of writing the software and to clarify the general purpose of this service in the entire context of the software. - -## Guidelines - -This chapter describes general guidelines on how to develop and contribute code for a certain programming language. - -### Golang - -Development follows the official guide to: - -- Write clear, idiomatic Go code[^2] -- Learn from mistakes that must not be repeated[^3] -- Apply appropriate names to your artifacts: - - [https://go.dev/talks/2014/names.slide](https://go.dev/talks/2014/names.slide) - - [https://go.dev/blog/package-names](https://go.dev/blog/package-names) - - [https://go.dev/doc/effective_go#names](https://go.dev/doc/effective_go#names) -- Enable others to understand the reasoning of non-trivial code sequences by applying a meaningful documentation. - -#### Development Decisions - -- **Dependency Management** by using Go modules -- **Build and Test Automation** by using [GNU Make](https://man7.org/linux/man-pages/man1/make.1p.html). -- **APIs** should consider using [buf](https://github.com/bufbuild/buf) - -#### Libraries - -metal-stack maintains libraries that you can utilize in your project in order to unify common behavior. The main project that does this is called [metal-lib](https://github.com/metal-stack/metal-lib). - -#### Error Handling with Generated Swagger Clients - -From the server-side you should ensure that you are returning the common error json struct in case of an error as defined in the `metal-lib/httperrors`. Ensure you are using `go-restful >= v2.9.1` and `go-restful-openapi >= v0.13.1` (allows default responses with error codes other than 200). - -### Documentation - -We want to share knowledge and keep things simple. If things cannot kept simple we want to enable everybody to understand them by: - -- Document in short sentences[^4]. -- Do not explain the HOW (this is already documented by your code and documenting the obvious is considered a defect). -- Explain the WHY. Add a "to" in your documentation line to force yourself to explain the reasonning (e.g. "` to `"). - -### Python - -Development follows the official guide to: - -- Style Guide for Python Code (PEP 8)[^5] - - The use of an IDE like [PyCharm](https://www.jetbrains.com/pycharm/) helps to write compliant code easily -- Consider [setuptools](https://pythonhosted.org/an_example_pypi_project/setuptools.html) for packaging -- If you want to add a Python microservice to the mix, consider [pyinstaller](https://github.com/pyinstaller/pyinstaller) on Alpine to achieve small image sizes - -[^1]: [https://martinfowler.com/bliki/CodeOwnership.html](https://martinfowler.com/bliki/CodeOwnership.html) - -[^2]: [https://go.dev/doc/effective_go](https://go.dev/doc/effective_go) - -[^3]: [https://github.com/golang/go/wiki/CodeReviewComments](https://github.com/golang/go/wiki/CodeReviewComments) - -[^4]: [https://github.com/golang/go/wiki/CodeReviewComments#comment-sentences](https://github.com/golang/go/wiki/CodeReviewComments#comment-sentences) - -[^5]: [https://www.python.org/dev/peps/pep-0008/](https://www.python.org/dev/peps/pep-0008/) diff --git a/versioned_docs/version-v0.22.2/contributing/04-release-flow.md b/versioned_docs/version-v0.22.2/contributing/04-release-flow.md deleted file mode 100644 index 744d9274..00000000 --- a/versioned_docs/version-v0.22.2/contributing/04-release-flow.md +++ /dev/null @@ -1,100 +0,0 @@ ---- -slug: /release-flow -title: Release Flow -sidebar_position: 4 ---- - -# Releases - -The metal-stack contains of many microservices that depend on each other. The automated release flow is there to ensure that all components work together flawlessly for every metal-stack release. - -Releases and integration tests are published through our [release repository](https://github.com/metal-stack/releases). You can also find the [release notes](https://github.com/metal-stack/releases/releases) for this metal-stack version in there. The release notes contain information about new features, upgrade paths and bug fixes. - -If you want, you can sign up at our Slack channel where we are announcing every new release. Often, we provide additional information for metal-stack administrators and adopters at this place, too. - -This document is intended for developers, especially maintainers of metal-stack projects. - -## Release Flow - -The following diagram attempts to describe our current release flow: - -![](release_flow.svg) - -A release is created in the following way: - -- Individual repository maintainers within the metal-stack GitHub Organization can publish a release of their component. -- This release is automatically pushed to the `develop` branch of the release repository by the metal-robot. -- A push triggers a virtual release integration test using the mini-lab environment. This setup launches metal-stack with the `sonic` and `gardener` flavors to validate the different Ansible roles and execute basic operations across the metal-stack layer. -- To contribute components that are not directly part of the release vector, a pull request must be made against the `develop` branch of the release repository. Release maintainers may push directly to the `develop` branch. -- The release maintainers can `/freeze` the `develop` branch, effectively stopping the metal-robot from pushing component releases to this branch. -- The `develop` branch is tagged by a release maintainer with a `-rc.x` suffix to create a __release candidate__. -- The release candidate must pass a large integration test suite on a real environment, which is currently run by FI-TS. It tests the entire machine provisioning engine including the integration with Gardener, the deployment, metal-images and Kubernetes conformance tests. -- If the integration tests pass, the PR of the `develop` branch must be approved by at least two release maintainers. -- A release is created via GitHub releases, including all release notes, with a tag on the `main` branch. - -## FAQ - -**Question: I need PR #xyz to go into the release, why did you not include it?** - -Answer: It's not on purpose if we miss a PR to be included into a metal-stack release. Please use the pending pull request from `develop` into `master` as soon as it is open and comment which pull request you want to have included into the release. Also consider attending our planning meetings or contact us in our Slack channel if you have urgent requirements that need to be dealt with. - -**Question: Who is responsible for the releases? Who can freeze a release?** - -Answer: Every repository in metal-stack has a `CODEOWNERS` file pointing to a maintainer team. This is also true for the releases repository. Only release repository maintainers are allowed to `/freeze` a release (meaning the metal-robot does not automatically append new component releases to the release vector anymore). - -**Question: I can't push to the `develop` branch of this repository? How can I request changes to the release vector?** - -Answer: Most changes are automatically integrated by the metal-robot. For manually managed components, please raise a pull request against the `develop` branch. Only release maintainers are allowed to push to `develop` as otherwise it would be possible to mess up the release pipeline. - -**Question: What requirements need to be fulfilled to add a repository to the release vector?** - -Please see the section below named [Requirements for Release Vector Repositories](#requirements-for-release-vector-repositories). - -### Requirements for Release Vector Repositories - -Before adding a repository in the metal-stack org to the releases repository, it is advised for the maintainer to fulfill the following points: - -- The following files should be present at the repository root: - - [CODEOWNERS](https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners) - - When a repository is created, the metal-robot automatically creates a -maintainers team in our GitHub org. - - The CODEOWNERS file should reference this team. - - The team should contain at least two maintainers. - - `LICENSE` - - This usually should be MIT with "metal-stack" as authors. - - `README.md` -- The `developers-core` team should be given repository access with `write` role, the codeowners team should have the `maintain` role -- Release artifacts should have an SPDX-formatted SBOM attached. - - For container images these are embedded using Buildx. -- The following branch protection rules should be set: - - The mainline should be protected. - - A pull request should be required before merging (required by at least one code owner). - - Status checks should be required to pass. - - Force push should not be allowed on this branch. -- One person from the releases maintainers has to add the repository to the metal-robot in order to pick up the releases, add them to the release vector and generate release notes. - -### How-To Release a Project - -[release-drafter](https://github.com/release-drafter/release-drafter) is preferred in order to generate release notes from merged PRs for your projects. It should be triggered for pushes on your main branch. - -The draft is then used to create a project release. The release has to be published through the GitHub UI as demonstrated in the screenshot below. - -**Tagging the repository is not enough as repository tagging does not associate your release notes to your release!** - -![](release.png) - -Some further remarks: - -- Use semver versions with `v` prefix for your tags -- Name your release after your release tag -- The metal-robot only picks up lines from your release notes that start with `-` or `*` (unordered list items) and appends them to the according section in the aggregated release draft -- A tag created through a GitHub UI release does not trigger a `push` event . This means, your pipeline will not start to run with the `push` trigger when publishing through the UI. - - Instead, use the `published` [release event trigger](https://docs.github.com/en/actions/reference/events-that-trigger-workflows#release) for your actions: - - ```yaml - on: - release: - types: - - published - ``` -- In case they are necessary, please do not forget to include `NOTEWORTHY`, `ACTIONS_REQUIRED` or `BREAKING_CHANGE` sections into releases. More information on those release draft sections can be read in a pull request template. diff --git a/versioned_docs/version-v0.22.2/contributing/05-community.md b/versioned_docs/version-v0.22.2/contributing/05-community.md deleted file mode 100644 index 61eaf099..00000000 --- a/versioned_docs/version-v0.22.2/contributing/05-community.md +++ /dev/null @@ -1,11 +0,0 @@ ---- -slug: /community -title: Community -sidebar_position: 5 -draft: true ---- - -# Community - -(Slack channel, community events like FOSDEM, Kubernetes Community Days..., blog -articles) diff --git a/versioned_docs/version-v0.22.2/contributing/release.png b/versioned_docs/version-v0.22.2/contributing/release.png deleted file mode 100644 index 598b118221b61d55a2de4b4c1841cc6416892b6e..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 87019 zcmdqIg;yL)^Z1>R0Kr3W4<6iImY@NGyR*2vYX}xRxVr~;*TvnP#ogWE-7C5GKIi=Y zf$w|HEN9M8)6-L3RbAEd=^$BYF(i0g_*bu9A&GwxmVfmM3IzG7zJq~W38XvdeD&(% zD{;88uCkwW;aCVIm4cDEKIbCixj+Bav2LwExc^$4Ro;aAmZjhZs}a_(3Jw(Tz zm@b;i9M7IkH-kMp!L;cdgg18}UB;iKGe47(!b7Uw)UwY&mr&*K|J&$Kk&j}Xr$?XI z9P@RErAn}@R)_774{_C)S5$YAV6w6{Y;2vn76zDCVl?2X{~fSx_{}fagbhr7M}Y1m zjX0<#@8QbpLqa8LooSh(X;i%QAMt_at<-hs%D*i^;O!7F{S;x z)eHfIO>pu^lNAjOSz}xOHL_8Jw z`nq#L?cDgtwdMt8dHR1uI_ZBJcb1o>6VyoZs}9hRs|}{lD!@s(J-)M#gtrQ%M-aN% zIZD17LIP1m*4^IMAtZWE)`QDzQT5yN6_vD$R5$&v)DkJqIt#W0|9O=LGDxGRO;?YJ zvTFUoI#E*SR>w1l#Rn3j5v8Zbm%ajzr(bOP_qAyY;7iy=!8`7sc=#hPMZ&0OX?NPK zSmKl=gX{Z)bVi}f;)d@0q=iIRk9Ga66ZfZzRap;&B+^s|^H)B1o=z_INB;B7JE4y< z{%dJzdk$bsd!165I(hUKoQ}co4>517m&-Wq2IC zbZR(oA``p%)9!RW@l6TJPvHobjmgiZ8(g)PUfm0;scQP#2dI1fS}o7UovAt;e}ZT1K|f61C5=><46y}*!l^BqF^t7K zp)FldM0Bv6`4UE>BaQ$0i7Y=~s%W=F=~Vg1szEcx;v&z*^W$QUM!_6MF5(6h!(^>H z&ImzMf9ar^nWBCE7dK{idc%b2scq@#z7GNBY({6T`sns`z?Y9 z1_e8n^dfQ#mHd@d602F)Vp*GCYOFt3w`ga%nr3CyKeGovdS51^#q)$&4;SbrPy7>Y zOfiv4oW8qN<&z#v?yvf)OdkR*4zUc`Pmn3fAjhnN>Zs%K7vp6U;Wi6%Fpm9`;zA74l`B zbQ1p0LYj@Q#oRG!esPXxr(xx{AsLNCP#LjZDKM1887BD!f3{3M7j26$Idj9Y@~BE{ zUpZ2nFTy=RQ6J@i^Cd#rsJ7O~b9y9FcZA`fPv01O=ELVtAE~e;O1|ztrjRT$ zRFSww`zvC-M(rzu;zAD?)=@uNW3=eHyma2|`be}d)goFM%Lb657p*c?X^6JUP~syJ zd=95rSQ%zzUNSP~Z5#O{-m9ikpO%piB(R<+>s{Aej<|8KMdVHCD=Kp-&km%l3Dn9m zmGo`};Pe10xFwYBj9o2h+=wJMLc&Lyd2ZOLV4#IG?kXR?a1ycJ81_EPTIJ!o)C6E{ z4D6X!aV->Id*wv}H(22|`pT07wjGlyOjekn@UJ{rD^ZM(z(&2*n9T}p2zWOqy`vPV zgh%S~jgz$epQ8IBn7|I^r_A@E!eHx(*dv|eZmGm4R$5Y!5nI(E?eF>JCkpiWS8T5* zBy06XBgSKsN6(({;SgDV@*qCt0-*evxA_^L)n=d9o(x=54DjSkU?O7Z z9i2`hx+x~HIk>5Jy=OKukTH@;lsW*~Q>C4vRm~oPid-EvOO6yVgQ-)7!9W{39;ObM1#Mh0c9x7sZf@I~gY_A7; z7p{T?jvUh0saO+x!>=aC^PVu^CttR$n58;3ndWtVPp2Q-;2_f}yLXbXmoH0xvkV_| z%5cb|mjMC-I{};j)%rAeE!(!GLfPnI^<_>;65)6a}T9 zkUy1n+W*Y0%_Kibf%T7L-d`l#AN6A{B(`)Exzg@4@fd!6i)aY8 z!oB1P-^&L&oAYNd#wcRUf__gj=(2y@BU)4-Ove|uysjyWyFhyogCX1hQlK0rUu%KC z8oxthsq-*VhkT}DpUEjpOU|b5KMg*T z{mce(0zQ9H`}gGp-omGU^IPkj-Imw?EeHuHK21;`0&;2oO~k*wLsx$d2lB7o%U%Ch zl^_3*LixWd#q}XzV?7!Y`?F|%N0UDd)K&eDgfgwP0$uvIvHv-N9>agZjw}7gh9M`i zCJ-~mTF8qJ{wKkJr~@L!|Nko~J6^;C*8W|`y>FRgB$D0#wI4fW0aIX@e=cbTPZSa!0AO)?2*Ax_=;lInQFi(m-gjU)e6ZzS zPk!#EcHwr{b$-`Uico22)#^N8zI%5iSAjlwcdgnn~nT{6q++6X)H*jGg?S?q~>f+SC>ri2W*T>(DF5c^$(^7_V6n1tb7jB)=<;GP3F z2??pK{luz?wf4t2#*~*u9kYMDO7HiI({X&)`=r+S@SI~;1%FM%)9V)q+&T=(w!Cib z88e;o6X{w%+VRajca0^v;4KWY?J~DKwSTaVFmCuIUDhjjxBLCTQQZn0lx@H?x^w(U zYuM^s%ueb*#!1)hk&=GzV7rF8y6IDt+O3dI$^$D3h69aE!on66r+@Rc@?S?=6?3yd zH#1k^#jl(_skE2c;FojmEI&K#IHR&sbXj7X>W34~Ej+!c9<2;HyRrhFdFZ?~6^H98 zEIG9wy~q85jL^HVjApJy9oY{b?841kSx;OibV|P-kt=d7MtGe1>DK8}n#f~$|9olW za$d|6MBV2V0s*)mCR1!|z3x|3?&|L&Xx-G+ad)%NRj}Eell|%$f<9 z`p6fygWG7+k&8uNra8FE3*0d?5LWQlWd_E#Qkh@ox9@XIL}3Vxjzg_@dsoi#%;|C1 zQnCnoCf1eGEiQQoqTNv_7K-4bd#{LhmkiCC)gpH=V7=zAa2B%%DqPw%=0AnpHIc1w zi`}@cRO;X9c9v;%Wqwghu_SujmO(~YZ+T9>wK^dy9s+oV6QQ2p*aldJ=-(_|8)-=v zNpCL=qyLJ(FuLo4n`6fpjHs)e1RH5l4313RBX3`=U6`nXk2_Wl9ILHo(z$q4P`&gx zP`zqQuaagbbv9AOMsPVp<6(yKOmmAnuGHv1c-&Ju=~NlIG{tkh?BEP27D=n`D!EC$ zM3tDs^3Ar|-LERoEPd(>&aA0KckL(##vE|?t2n64T}P0UF1DQipf=qF7gJ8omQb{V zdYY;6E*;FLBgWH9aw-=u+(eR9-p*^h70y_FX8=Gv7=P;zS$k_2^dIO&$fdsE`?R&G zqS~ee8+&Ds&&sqL1USVQ89o5mjY&R@mhEa%>mIzU5Q8(MN!M26RomoHG+x9|q#v8u z5Ja%O>L<)8!bCNiP@Yx>5gRhG+Ok*nlP!|Qew5d*d{=v#v}0tbcK8SukmC?-rl(;?&}uErzXQ9&tMwlkfW6;uN_$k zDXMag!`;QV?+@NaQLN|}% zC3QVHP*xB?fiqW>)XZ=kL?;i~*ZbAz-vzVU2jbR6S{feIJ!P$Z!!t4%C#KwZJ(_Ku ztJ$A4)a^(FpB{z`h;=T~+Sx z{r&`V{Aa0(Tvq+cGOE{`HRsMCnUVJ8Uc6CnPYvK$AzYYrcZa-~umk*Yt9Cul!q2oA zfyxeC6iPfs?02nb{@$nzM%bX!vH6&)a3N!$Q2#pk(-k*&Lg%SOGaH;qNs3KHjX-qT z!0_r9TFWCU?MV|bEDRXpKz>qb6eli!}no(k3lGIVFz;^K7xKWa!*kp zE=kO; zq6-y0?OSp_Y_@xt?xi{$2%0kdiYJDt3-e zj}?;(YMRanr}l#8?wAoN1Cjw!>uFs{;@M*}$L;{cK&|`ma5NN!onf=vg`CQ*Ii>K! z#NGz2LC!oEUt32l6RRN_B96N3A0P|g{jk~l`k+_)XR%VxgJkF^?Q1p z4yWdBBbr~PrvNzh*C-PAO_SbVte@vwe=vYj3l*jVmlu&)Z0CDFmAwoU^qZS5H4uQW zarxC=_{(1LjOE$MKenbIKY<7`>i z!>rMKfg3G8TbhP6hD%F5fezsV;Y}TPrAzw@vv2BWnRH}d>;^YDLjs3tb8zxNY9MpT z#vr~r>KBs+_Lz51NwENmvEvpA{1tb~i6+ytegLEd593Owz3e@(j|h0{D;IF$H^ z3J~RDuJ?wuI@aix5kGFev%?V_ef}D%L#G^W))!7rWY5|ceq)Xfys6C&Rb@=(kmOI8 ziN-ubL29JS-PS0R>luu?YVtB#JeFzjJY_-7RWa5snleUtb6nq|VX?_L5I1a*O%RV@Xm)lj zB=?EPLnA9ZSGy%M#{0riyJWNXdK87pZ5+yMA#l>B3n+bz8wURd%^h*GMI6DlxjY^f zZ&dyzRi#1_d2P&9zeTj__PEc+KY=LWDVxq5RwZ8~u#nYk^1ap}fwbmKrL%~R8~cHe z{hdmoatSNt4dG_0&&FMOEdcF4%*U=w0ZhOTxaCOZ8157ykj}oIG@Yy=7q2TT-i#7t)!f)7wR?JIki(^`F%lAUGP?1&_KH`d`8u5f62_8wq}G8x-Vu=S z^%!1T^|IPTM_M5u8J|bQ?73mq8D0umDfQWk-mAQ1xTYmCz^w=hmh2fk`uuL98|I=- zn&$R?6>)*%U@#{3!ZkO6h6)Z&m4{pZYAio*uHap{bML%pKOnH~bPqsSOfb9qS+(Vq z=4j`!Gl&i(hkJ>5uoTZtY9!D1gt)AtwYs?-nWwY4Mx4p%;-YV!yW00F;%>5pcyb{w z%hH#hcCG;#MT*n$p?KrLQ=!sBDkU;XKsfk=H;Oy6AcKPSDt+rRhyQSN?|X%8JpCjk zK?1ut7*b?g11anM+JuocG)Y^fj#}udyXjJ=IMWY-aU-OS67JlJL%Qv~E79oLh7Z5M zh^7EPAPv8s@B=aJd`-Z5sdCp6r^sN?%IVQ|+Egh^(y~rz$0GQ<6bnV7M#;PJL+4$gyckgRN+)7doEi&oKj_Y_R&O9n?!cSFy5~8vuvD>gA97(utKRaSEmbBj+B8eiiS1Ze=hL+Lw#4b#Csn4bQqv@1i!14` zW(tXZ<%7)t3kHDI@vyrTMa53Ld`fYQ=ED^uT0~xzxluA~ChIv7c)va_z4iX>Mp(Id zekkdYcS`}LitnM z9+k73Bmt|Ky}o2Pu{l(QxNcvtNPJpXJYXfGgNI@HB_q;nhc--RTo{IWJnjar%06Hc=pTsjKT zm*LlFCU-{SQ-xH!v`2Fs-ng@mc#N5nQs{0-;yCb{1cV+Nc4xO(Z=X#^@8#G`$8^aw zP|7-%*)O7H)lXMgu^Z$0k||cLtVJ9wpa_pqJn^!_b7y!!b1p7)L|mdLCk%#1G)n?_|^F>|%IUf9x_JXl(} zC^jW~GM7UY1-OWUu6GFXbmr@m&yG`AqZ#(}{v~B^fTRKIOrFH|7qH@AseOBSwBLr! zOSiAD$*|Jo0OvTFH5dHst&_TZWJ2u&t}ZR6!z#>`(Ht!ZdeO^Rvh^LWt?pBh9%M4h zZF6>hf?3_OyF68omKh(9BDsVgFDO|6U{RCiB$fRs!}HZ`RRHTxd%GQ@IKujGZDlk` z39`%*vxXqQyqi(SyFlMiaC+x6G{IM$bb3Oj&~MTkUx6-D9b`@;=7CUe7ULOqLRN&% z&g_V{uh}Fxh`K_N4Iu*0BaSX$B+$xHvf#Ggw;{UC^c8God#tq9<2jn@M-L^?&4Y2d z=>Ya&5>lo@7>P+Xy+YfI^mXa3a0}tV-QF0jLdLV}j=EDz7}`g~{$*E|UK7(QNSk z->a(~L`Rc_hV@X)2pu;_Cbum&jSS#1%pN25vKN>t#E43Fd2OrYlB|Axm6~Pp?tkaT zj`zcQo;eSNK-9dY1U7y6L?#`p9jx zS3j=GhW|NG{)`o`B3?fkcCv8;(djrX;z`J}6FtECwnEQED^4cq$I*kYlzl)niItr7 zstbU@)c#B6rp1W0lDWQ65}w=v%BR-4hiS3larda zDkh_In6ZR+qEUoyaiZCk0c)aYn7ZC)A0-*wE6o%=Who~!I%L@ipF>AQjYn|8m$-a~ zcdBo>jcesZ-MB%bxVrDM<9qg%9=ud%|Lu$bS-9%FL3O0_Nf{# z5rPnU9c)SN?Lbh*tWD91aBvB77pMJ5y@(XP?{dcc+=F^lvnT38REezid`PQ0k0$j) z)bk=-)=jG5)}F*YQU0k`Ej~Ry32`A}+KCGqs}s-bkO00QKM$OMbVJh`F{$X?rhST= zPMflsWt=8A47pzZje>Qgyz0VGY16RS2?38e%OoeAuJMf!+r~xN9@7ujj_M;EVn&(b z;=TRjm{OuJKG{9;jf>a|ZTso-@9qtfrtrE3T8gOFExI}I;wqU~KT2XFKODd|(%vU; z;K3w{1_XMK#V>$Z!~(b27y zA+@|O6YComH>51Pm%?hd?vRARd=uXNS1Tv!{o7Rf<(B+@(q+p?peH9A8%v%2+B8r+ zCFX|3>qS5sh=IMP5-gA}mE{;1QLvxC?Q2SOc9SRb<(j^GPn7}l$~8#z1jT3?T!Zdd zNk)ImkQB~4aHH`cTh{RwnNTCBg$WT>n!H(J$J-yc(Ra!WNmS}P2057@t#%@~?zTwq z>2zm1xinABzsCOX)uf+@u`MY|S~s_ophiY^Qrp(+rOaJlHwjeEHkvL@%$eSW*C}bw z-ul$oVwsYs_mPSV36@7PiDQ3oeYuEgEu)i@h*znkS2=TSIZuDyn*p(mF<>n&)GF%E zXP|!h?tzntwsENc%2(>Mn?(BSW@ZD-VVWk!=0#nw*)#G=pj)Mj>=7-)03;<{Y4V|` zI>$W00iDKaPg(MY`HID@n-mI{&Hl_(&@;YT-4@ixE?xFSXv0r5hwn=tO%$9O)N-NQ zCTl{YKJWjgUVuhYFzo>&CPT{-hKO~-8h2b1k`)BEeS}POF}()uaXZ#`dc{moh}sar zSE!`Mn}G}?#jW$?k?3sJ;K)SK8|;zGD2I(8 zf==21p-6!~F-i%4x?M<&d&%~Y%|J0MZ6YoDjC>3#zg0Do4QTn7N%T~+>$Yq&*Ef2F(6;p*A z-;cy*);BWNA2Ww(ZwG^7mj~so`v_Z~^hl^LFU@D8uZie5!VtYLqk~iJ7ZdjvOVq3b zN;JFs@ANDE)*Q1T$i$SWg#0>*>7)}$5lV@!*@O01ow{H>LUv95NSuJ3>gybZRa5C= zyl?WE0?~27odakUxs$DUmHeL(8Z_gFL;92_5YKQgDY9|P4I}9-*yDx6Y^h4t* z-rEQ@iO6Y$AIW@hfpXCmUnIH)RuDWru%LE?dzTbA-X4Kqu5aZL?6T`s zrr3H`_U7#p!6)^20a(yk@;SCeCx}opZ@+WLCG+Je=pFb*uGP!r>B%`WN-OdGNaY~h z;(3w+&Yjx1r_i{evF9)xPsZzQAriO1t~S_EX>xwm)7xtz1uec)~eoi%y#&=4UxzXC#jjLE{@|MTK>wMv++bMe5xGkT2tA6wNN(WZ; zVb2Z5v-u}(_wjOnL9TT&SkZFD_f-g|7q@33KuF1>*5`M&8;S&%j{Auyxy;_1q7AS+WIL7B=$ zg`ufa@p+C#D+~v5T$8sVazX5D&3D^@lO9*guvrFJ>0Kv@G;1vQFH2(D(N098;Hj*I zAZdIW&!O}M-)t`jcAl2D7y22(f!rvrcSAH%**(VA37S(`EJJ~}CAE`#b2UiTakd5{ zVt5I4ws74wbtYhAa-jg{4r(U9tq1yY_hlE06AJbgiZJcvo^$2J+L*IyqlX1LR&1uk z*?QrfJuz&)96Is37htb-zlFv`I@&>8`BfI1r+V8!dT$$9#b(o2GZp_vnRg&!Z-V@z z`lrkN=`_7s@genl4EJmLu4U1Ff3zl3fFmH;xh!iz==F+f*}=-8{%W52SKOKKDjpTE zj?}srHki$4S|Q(NJdfnaEPk!;S}VqUI{w&^(1QmE4=UN2%-n%(mLCdEv}do<>$N-d z^~wQ-Mt{WtN7(~j+DAxdIX&!f(vk6p0CD8IvxW3K()gQEPesMpcWI_wC1D&`D zPvkrZ!XTZ5TdH#o)}{k{^D4d`vji|-X`IS`BYoho&erQCHfdYwqTBh!>QRE7-^M>e zSI40?chbRo`v7#Ypi^(24P^Iy7;BcJ!!P-GK0)O+#6NP%A2vqehgyFvc72ivdNO_N zVbp8_u&LK(&M%Uyad~4L|P)aI3Mml$7Z|aIo#9Th`D;}1qGBIRwk1k4l0-{ zMk+(EG2E&o2-RYZkbiro9WN3}u##HfEnVex!%)0X_j={W%5K{^J`dn1nlc{SW8E76 zj~MZB7J3LCWO?sf$FN)TDV5iTXbP+86-QQ{Ob2jRRepw6w8ZI^Bh)YWnlm${)G_g@ zj*d5$DKIZwq(73l;e6ehVn)(TWL|z~<$umO){40K&Q(Ag+f|}1d`?G4?M^dcE%LtH zZR9BusCCNqJ>R;sF$Q4JrMFmsg*l6yQ8oj!6U&YvDp3}&Tg_0YFYVOym->5{Be%s`gE9dx;ar&7A6 z^9wzx{@pryI0Tra-0VRb(Lw4S=}z6B9$32_TY}w4ecUPYQz#T~Kpcy!Ip0_;3DhB_Bk-f{z6=w0N$k^$0NgPXixy_R;1DQ)G% zm2bc(%C=zQn7sRt)p>h&>F6ODlV=8p_565%Ye*AMxxP&o98cqKJ9fHohv1j1an`27 z(ss^a)l;VH{cvSHMePoDDS>h>)e_O)2}&k`%S~n=yjIST+UX24p^l@|YutE=*BMRP z=4#XI@$GYvl(^?jV6fyh_AtO+Go>DYb;+9j#pQj+jxi9=UXp938NRjPFR2L^oGW}c zp~zU;Z82uIruQC$I)-%^E*J^nv*k|E=yKUm*v{8rxSgpxo@V*%g{Q6Q&}2_&Upi^eUa3pu059cAn|GWS`Re|EJqgT zpoDUs6nJvZ3+R=pv?!Hfs}>14^H)?sZX#P$hoV z@OaUq#FA5 zU{?)e117q$WMDD4OBSY(V+Zejw0pblu^MpV1kNfA3ly0TqKtbOmn?39>_ZlV^F^pJ zMe0FOtk|%(p-e>$TmjZh-MfW`)DHH`_q6a!I}29?WY) z$tYY5iN-M4))8g0UeU9~#G<)I*E98+3Dsxwpru`&jz?SmA6Z)iYoZ^J`MYIvd(q;pIHNPNh|oh>#y3rg!tYHrAkTeFfopU0l_aK`DpuQirY1w} z_?*&$?KjYoXvPrBQG#yo%>ovm);*Jo?K7gbt1qJwMlM9@gjnlt$TC$1>JFq+u+^W%v2J3-TvuQg^{ zwpA*&Pv?%oaqO-97zSiLAM~i}5Y!#1^JR3%xYcB~eqnstj=g)$O>&EAOdlZMtjSe8 z9pn=K$tRW~h{idpP<4T0);m+;^&g+U^95@2#SN<5U}|t4o+TYe01v59G=M}$$v03 z=r9m2?4>RC!W8=%(>P+?KXX)q;9o#!wE+%0U%V@ybA3DMPM3K8BNsU|#yBT`^U@@m z?w@$f(~5oMNva@_k+1jU4#F6&-?q^xOhjaDJ0^G- zbg;I4#Yj6z2H%UIY)17P-#YbxU?DNYK-`oR&+;nwa=*Qc7KvxBWc3mX=5yrkC%Uf( zEym7+SCMPRYU*@Nv47GEe?KhaBfLRDjh~25Nh(4(GI9Ye9m29*7;Z^iObmL|hmF&# zDSh*cF*BiglS@q$5M(&;O30cZ8umnm4+=F+xKaBW+i7tykKBszM z>!he>X!soH^T&Cy z5Y%|6Jlwy8&wHPI)V@DenU*)diT&Sy>=6GA3Pl*j*#G;ckit6*($4?0GizNxh-@7$ zgfe9@-^mvG{Zgd(9uGpZx-jN%R6;7$M3kT3(w-qt0(kL$w#NWMyl<& z|NH!x_hY8hIk`EjtJ-`T(hw>O$&F21t_^r{= zlQuow@bmq2^kSK9MU2;7&P`tPGwP?Zcp2@D`4`o*oYn*aNq>2Ne}95c$499xyeS|c zr@Q~pmj8LqlA_OBa5OzIEQ;T=bmfA`-JT6zybck%Y^r2c!6m-r)) zQ-;+S{XZ5d{C}&fcC3i`IeC#OQ31;NgJF#rN#@k(@Wpg=woY~exs@)NS2JccU0pp< zNpayF8L+;40Cb}`lBV81FPQ+g!7rHtx$O|3h|rACllrCdZx#f8CvMQKr7Vs~zLGn$$f`B~NFZ5kn=s+yW%ZI#8H zMEjicr5oSb+1aiGw}+>PY{G*$h0e4p{BL+w4cd+j5l_rdVUpR#&Q5@;O-)BNoh5vt zr<-!^;3(X-nlryHxz6|W?3z7{b|CHrI!j-#ysoCZUtILZg}1o`(qBeUNdtkeIeDqs zFKFCDupVMPooKXv-bj9x=op#7)xbNzFEJ7gNZOrKZRX{(zvQ+%$D-85#|aM&%~2gE zVK~mRBmdhN`V9Y|pq)FjPaT{+iL;{{4&!&|(=%su#|~^A$_K|QbMx{dOO-cvSAS;D zMn<=(`edx?O2mG8)?=Vn`Fmf3k0v@qX@^^DaUs*x&G8WEI0!czRI z633>O9j1y!{maS&AXaMeaVuXdjU2IPa&kPot7p5PV>LIA-xGU8wkSyEOBZMuBP1|y zLb$gJs2S1;(&GQJrJNqkn4)oRr}bygeU?5z_Ko0&#Rnd+OjD7P68KMipc(8P<(V<9 zQGGnvrb|`!70vG*7{J}qKPG0Of1StisoZ4=c~tRyiBC0qI%_hCiP>W8Z19Y)c;4%+ zBqd6*Lt$4Q)!vNtyDJ@&T`QZ-hH(RWaPPoU&l;ML~oh6G%ipAHL=biY)ga$JJ z^0jh-rH5Lj2`2bDPAyz2ytO;#46ULV?C<&p%wVI{UK|PZ4ZpId{Hgitb&JMS&xD|l zV4*;ATs!3?rEJBrOH!-+Wu&MKUI2(ROSO5OCE)r*e03e;?MQ-&I-cu%QdkU?Qp#NY zTX}i;z4;oUxPxQ07q~Xs+*`jng}4bl7M7lxft4GW88U`UACon!Ry~Pk} zM+gQ)R-A?ouV>zvS<*hidI-00G;6cy%*UBI-QYVx_0n8N2nyV>5e@ zaJppFm5brIhd~p;GTTg0*Onxl-7-F++Xpyu^9{~etoD?AG@Ehpzb;8i8u8v6aGbH6 zw^A>vSD6iup}*Tru3!KDV${?e;2dfcsRF<2_M4v(MWbM*x;z*6z*A z_;4X#+ec?f2Y2l~4Bkn=%8*#;2xV91d+h1G)oGK6QvcjwXZV$fI&`Pi^$8b_%B(pg zu6>s7LKGBJ|HUdmSPy6^wl_g8ODW9wYxLuSRBG>Htb|_XtliVTl02&fltgS-_Xxa} z882#~1hd}Bs&WqEh!a;`Ose17&W(Bu%irUK;)4$ll7Sed33#7qOcdQ{siyqdX!YA%Ycd#3O`b6}v7ARBI?)ZX` zm2tCk;?{YlKyAK&3a3eCLX4I)CxbckcM9@}yzZ}wMiZlQEoUs2g4@ba!uH!9=2T=f zPt}Yp9yhG8XDS`86_<*pIz~VDJ~Mb5?+=NaSf}cZ%n*GdSe1FApsRPYK-!sTb}5NL z@J`_p3zo#lyDsj{Bfl8GSI$nU!w8IcYR|AmtAAR2UF+c)CT*E4$Jg%DKoh}is;5Jk zCem_{-HMN3pKW!7`*_-IJcsF>D53NV)o%Yi)fV@MxjMokikq#!KH zAvEn(?a~ayGDx1ZzMJ=DeNU@Wbp$je^}anK+hxyD5(t6~D_c@(ViO+y_8I;^nW?=lYp+|6ls zJFv;eFOXIIwx?QmCWRS-eASwJ+C(<=WHDa!qZ861azwnSyNqeDs1)z#ta#)h75W}QUjY}zfbB|tqYW6 z>8r=+u1_$)rSOiic6w~zVvc%tZ553U{s6}i7?2k@Y@?ozu!sMec7_M25 zc<^T<*kZM24pMsC*bJNKb%M&BuLN@aQW3=7s~Ns02wutAc_f-^HefEjRwg6QT|G3B z?9HP~s5*Fc30n@mv@$>T_IRcuI~=HUc<#RiBC5;cP`rdXsrUF?hi2QsqlANh;1hZgu4*lBaUjo7RC90v~ZHdN8&z^%a>K7LA` z=Wd{}qBEMj4%4FmyT0L(Z9RccQhB;Ta^-Ghv+gS%MiC7NdoZ8gBO@oTFy6ATa$_@4 zK7n~DON4j89yy*c3oziW!|zU7CYo$DRB<|5^bg~Ym22Tv$XwJ^hv{OpRAG#4_!aS+ z1xODcmHSdTt(@ zqeIgLq-3$6&?;Kq4?{zlCFABFu$i9GFo)6ua-jqnJO-1}CvmhFedN*!Grrma6n@Se zRNpF>3Jt0dB-S3QU_KjT6AH)=6JHi6q_wrGgBC)bX$h8o8Mfzb`Cpk>?eTFl{3LszP%IsCFc%S3sLh;*V)_`&?OWWIqLqe zCbNgGxRJIFt~106-v=BA86Pb1zud*?^BPU=XmDL`!S#d@_Dd>Nf&CIvZ)o5^^Kwz1 ze`QGUQ39m_KwtJ$6m{oKkaids?qTou*I~DwHy%#C%EaZP54vMxg|7BSR`Zfn`Q9sJ zv5p3uZ1g|4Af9ijsiO%0QCm_7F}QOAZ1ZMalX( z7Q)<}7<%coQ?-?1suGWPSI3M`gAdEu{VdWCwa!xo$RP0Y6Eg+v*#nF^iu?1pI=3xQ z0@v!3y&0Wn4Y$MgLMJjvZO%XKUndInhuYtO%0DM}%rPk>yywJHiT&OdZf&IVlTu$D z-FQ6;jW&TDdjnlZN)#6+772$bz6v$qAzINs!IXM*g>trX`#TdN2ie|0ghRr^8y+mD zoX`2DDV)u(HFAAKvbnR1*n)^pFod$JyGJC%?Jkwnow2(|e4F-WYhz6f=1334)MdE( z;?qYt!d@BYP-K=@Qm$QE1snzKTu}M}v$L7r2m1SO?A)AK%U9;pLdqQJ%J@GEM}ZDh zNFw&Q3E92-E}|r@Z^_d8^lZkn`OrLso&5VX!GnCABc;6c^N5lmx$@V&jx8eoo$P2g zcIksoYq8q1hcH#-<0Xlb?W41EdWrOKB%GOSmS2@ME-l3zu(j5i(rpcwZVcZ>hMSnY z2bGtqAxTeTM4x#+7lxtCM$%TnN+ZvfXB8lyxs0QQOR`8r>n`#01G0E;=FRYtXl>%ai%;VoD5tUSm}>_vG=a+3{8( zmd;Y`kF2}6^sxt%<<-I6y@Cl`#cc41hc6byvv3)1wqhe`d@?CQhIv=Ty~ZK@f;h6i z10n>F&!DzR*ZAV%i>jid+A^V1|U$Twri;7?;cs$I)sgX@Zk zN|Kzjo-$Ak-llKdmmK)1E9t57p%_^|`5qtPMtyMe8Eu2pn_b{S+?xxn4CBwSPriY} zUm&QPRX;Pc<>A+<^IuE%5RDwupGO9bE&#|80Yw@341X@O{9Ji!_X*M1I?2zJjD;>z zBeNpUu;$njhwALn@fs>FTwAe3b%FJSnUp-PT=>)RfvCeSot^^gr_c@Ko)<;-7<%ou z8=qEVCF9?Ph*M;IRSSM_%@PXz+Rnw-qUEGM~XcrBjFR6_cVJv8Hpa zYu*k;#6y8=vP)`^oI#6DF|w;*Rc}>{Ze3nndrpu8ZrIB3NRjZ8M0L~5FnQ=QD11Ur z;X<7jLIJycXp)YW7Pg@F0w+afs$CY$R+3G_0jV>7N#^kJ!2dpAJMcW zVP(ZHwix$M2M(@KQ#iR}`AUP1G&sb+jIR^D{}xzf8yw)nQ)m6Nv^?LhjR%N&cAI!V z?n_6^{I;cqvh;c;hqCuWv{g`BAgP-pbscFGmE2TF*Dg;=gUy?^4_j1Q8}0s*98^lB z_(74xnk}{nc*Zi+%AW#LW1+?6Iy9Rxq+;WXfVrcq>j11jsQ5fV5szhp@q9`7=5 zv^PhQA795}<1k5LrKXf&Rik&fSm9sC6Om!G*SnH)Q%wQA#tA8=GBI+I|C)5R-$Aza zjy$u%*~8O3@T>iSS;+7&Zrr#mn10BMRBs_HnYmpJEk+S`jXQswt?0?UF4f|dQPre= zojZVb3MHy)|BIf>QyUJ%MMt}X^;cT3GDu5J8na}3UdGlE0T7I(+eH$Lu=D8#` zeP0QU<6kwOON;=rKM)6Jq~tgbQYQahdX|>Z(X5hS@RU%nhzr5afBb$|-O{L!TBBHHaO8)nfVgvOb)i52O?`90EW{Tm| zsYq?9bUr0L|7#)!=c+gw_atUqF;r`4=;Y4wSfvq|lYFXleEn7dga41Zw+yRl>)wZz zR8r{%>F(~3P5}Yw?(RmUySp2tyK_^U?(Xi8?suc-JjdV1|Ht>b{NiG+xz?U@tTFF# zkJ2Xwk%;UZz{44L9*#du2toU6B@|ZO?iYMFr?N@Wr#Lm`EXnR`Og+oxtPiQ-l0}l#bQ+^n35 zg|=7K*H^PFb4u#8SS7R|33uFjGv_$yD>7SBq*c(f$;LW9yN)L&Vx&X2bO6Ucs;Q|B z@ou1*yof{RMR}pnKg;R0+}K%*z1!I_%oUH5SSfxfB!&J%TewSu1%a|U#eS;PQe>Ji zbHZV?k=7HlplvEFf%uR%F%t=M^AZy_)javE$wRHxh?{Bi_WO_hw=Z5dt0F_AE=!Ai zj!*55?Uy#^O z;}gHOcGmD9+U=#kI?;>gh8-e%aK6cvP$`vwoW3fun;c^=gYTxL2L9>OIy(nfTbr4H zit#(uv`=MT=NS)-D_U1u^M{XeRc{8Ad8S3|Hd^pWLbg3UPRQUlkYzX@b~8{YRbyj} zXutea(UeJVkqMfBWC&@WseYL4puyfhD&<>02=bEXzkr6ISn5yjJ#o-mr^~QCuj9*; zK<#{FTCt#G<&G>KtwjNXO2`y@E)OTN_W%wX z3QZp-&IpG)*X&I^_oxg-jOz2$2+h{k@a*469+UKp-wZ!q`uscqZ}S+CA#RDc+Dj7B z#Y~ZY?$FHC7m;rs6TUSXjkay{4v^rrDs&JXSK;ay)<{N#IniPd)@Q7J>Q57Ew)7?i zBK=%8pjFeVNd9p$3xcPuBN~|!ik0FnqL0)MToCUW7_4A=&q{I8#Dz$QwpDfqN&yYwoa1pBR{*_NDtxQKu&~-We&)~wiewr1~KjV}*9GfM+CsNdx%`+i6!YLS0~V z0ee_6%4Ww*m`XFJ-Q$))D${O(Md=Tz%QT1)j=k|53S`kyqgX4il4qn2G${<3G)p0| zO>M{n^80Yj?ufhP2KyV1ykeGYT}x=RvZt8vQp)qia_q*v8zi*=#Tt|O4`hc8JPQhL zv(?TwBtNIE1oD;nSq=Fo>!xcVJkJ4&?%hBbL|-8= zwVGVoG^e>S;1p);r=Vv% z-W5RlDHQz+)PmCizpEQbbG_x(Kn?+pf>EBvqzP5EM5*L!Qa-6hHjw*WiAujF(T&U#fe8vs9JLyt=Kw2<&V4 z3GR%Sm7|vso?FePcN!n2?up?mluTV?Chv15x_dh*>$h4f>03mzKhw%XVX-l@98(Os zX@Gw^`vgNVYe>r}6+wEi%5mB?J)qcnFg9f7%4=h41U{EaA;Ekk9%rE{{D_Z*Fh*#J zC0hu;`h1LKitgzwVr;TS8k>>QN5z5g`*m#_*>w-kOh!beQklxm={Z32BAULGwW;BNi z;huvyGiMwmKZS)DxXB-GE_QT!NUNO(6S7o;l8WMh7aq{v~~5m$Q71vnhrwvy;SCuxW?lLVU6nrkwq zl}vM5n+>WTN!I6ztlJM^FopYrL)lmWs3(;7#L{cf;BXrw*K=GiW`~C$H#Y$ldg>S_ z$1Hf|Q2;SvdXIvqflzM;Ohy|-z>%waK%Z%C~SCjp$mV ztV`^6D2wL8(gN185p;YHaC-N*=k~Z;em<;$&zejaEQ9C?w-)2lu!eFC-w?ZGtaM*E zyg0890ZH(7{g(>Ztiu^Ub_wYGL(>L7XCS~`YxgPd2KKm2%L^2C1GsU%-HnkoA6j8C^J{<2ty$;(W)g-Lzf~@ z*dB4um`;+0C5>rRB?CjGBb&%U2$RS)irlqsLc|vMS;!T-`kWZ0QQX?LvQdOwv~+BQ zldfen)jKGKGZ);qdtJ>%z!HaZYRAk-get<=U&@zv$( zE1|Q}C5p@>Yq+>r^X^kQ63X7+;>vq46L}=i>l-_v4JC`#G-87{O&M%8K-ya<_=_Kw zF^pG}M9@9iB>bYIQi;lXKUUBA(Lew<1bC6ZLR6`|`v+-?n zMq>-MCI4xF{d9!8xgmn+6J|e#GlauPvLZ#Kw+}X2*2q`vX&_6(?6G*KVth#oPY@W5 zCuxG+5}vvKmd8vH5~H&hCVd-cvu(Yn)H%GOQt#{-%{z>n;IU;yQpD~f z)CYZSS~Xt`H-DX`G#;w_xNkh#wi^^|#W2}oQiAOslV=XgDZQgcB+r95}U zaLraoyx>~a*$D8GotEO1DkQ=N9BZw~;00A_YjU!G_f*Q^mKT ziKyuQr>T4c<$Yy376v`XYV{aAh7g-%!}>>O0_5WiD@NQJBJe#N&$GP|boguP_DW!~ z$N8W4&3(C0*Zc2TE-@zpC~`zL_6^_wc8PnF=ioZd4EOF1A~0?%iCe8iYg2+Op|+G zL?t|_#;7~R-qH%46L_h&6)YKgq;cZ_95|#u@=9|d3u{NBlU^&GENRFlaN2qw&aJR! zYUVGK)5R)j1N4&z($pb!YXBGuA;DPZG{1J9NaP8Rf;pQn)3yO9K2;Y zRMx$-iZE6fxpPSR+|kPS&2B!lWt@!ta*kiZ%&w;Q*^pe&=aKUoB*hwekGE;7fOB#u z)%d%Ut49lU`Xp|LW?R!^FjM<|Kv@z|;hYIZk_NSlvm-uNdcmisYVd~HLxE03rIHj> ze1DA<-*pP?GNu+ai_0$pmpJX|LCaM1o}%s;p7u$=fX%M6DrCxg7AjGxekOlfUa1TT z6Dcl0KK)TbG=hOVgVVTaHp&djLl#(E`{<9+%z3yZ_77@8#6GP%4DQ)vGw1DTE?jUo zSoQuUM9n&QxSz|#)e<=~u>eN+diF0(B^q_1ivp&$+f;%+rUrpti=c{!vC=nZC#o?a zZc5dUv3&b!r3~>jJ#z+GR;W&sBi5KHhmWo-(NouGd$pD1>UNXWN|tCP3qf67KgNu1 ziY6T2Kq~x9Y<7mH%)?zxppb<`gl)Q`CJ|-Tb4l<o{lI`EGCf=p{e3!)A{Eu zpBkE79NpO~0i&mw->O=)s#~^dtaSh z!VS)1$IAf~w2W_7QAI0iYBIHavWFI2-ts6p*Od(wek8)!V@d4P3o}4U!`NuOq+Kv^6in1+{lfr>JAm(n!%-C!(3S(2&!rS>tRA*5_t=xFwah(~{TE+uH0eE;km!{Sr}4 zB+jYBsqy%J1gEvyI8|<~`9osBOo@8fvJ`n9pyB)XF;2O?8xZ3YDQV~~Y<~|ZH}&7_ zs)(*qQg(@MB6MgU{VszYBBK)&=kh4~2?WG?>09icQMeBr@~yGB;-$|?tR~-DU!ya- zV9QaaFopDnW!lc_=sPMgS{+#rIAQeT7aJwDMDpyhD}!C-(kcc$vPP`H0{B#xw`>kIijrm6ak3s%I(pay3~UX~YEvji1g9bu%FQR>UI+Hj+~fC7jh~xN zuITNpVn(jASODu1P4D}82L+6>m=g{o_&ejTE8wj%VZGWT<1CZnUw-oB@ubc*X%iMv zIp%6(F_oC(ju+{v(CbmwF4P*XJZgkqodhF+e;lu5pPSE|G-Y7&(pY{3IZX%W|FEK3 z>I7f9Dk`P2Z^lUU2V$W%@W&718wof{@sX0UxLIKG3oC+T6~$43HX2@EGlmzt|ed0*>9DFAo-dR?(yj#8U8V zbeso14>%l(_K#m3wUp*76pK(NHb)BxHR)VrC9l^z`D^*3=OP>Txt(iCkt)o+G@ zhAx9Q%OxRQeStkp5dI;CCXVH16yI=reQ`_bwBy*Q67Fa@SU9FnH-Uo zgsuiAbEVw(J=G0sUc1y6b?KzahUk`jL0#3dZk}2^u=N>Da?EKYM4}N!dvbJ>BWHzL zv<%s^DQW8(RE9P}n<6n29N!!mk~@bt9R0l-vvZZFrKD0Te++SOJG;K%)v7v?I4#^F z)??NTVKG4!r;<<{;B=O$jpx=YL<@c#W)e0G=HT{qhbK>?A@M{_q&1B|ER3!bya!(7_`vXUHBJo-!H8V+KqStdy& zO&s0f+##vkKY)Vb@GKBF0Sp*T3CZ^O19PgLWwT|IkKYImWTRtT&y1XH4hAIEUO?fd zOzU3%(vZTPze-D6|7aIJ-Y$-3SjMGmdb4u;zMP zLoP~b#87eSit%m9yzz=0WwZ^Kty9fu?J?vWc~BtmixpMA zl9^OBI}?GD=QvBd!?@TRtJr0*<&^)%0`z*ex?-;CK`}{EKmVfg z)EhpV8fH5`k%J6dfujm(u)$u{`l&LU;_$)iQ<_MarcQWIG46HyrFi*dw)|m5ZIBk< z3w?xXEf%cg;EUIyV2+*C(aV$P+0Uf8M2w-*60H~3t>c}SgP%cR!a8_29-;+I+J^ZZ zx4hwB4#m%vUTU#eIAc}55xet{+20M={G*;V3B-NZ=|&?Pc${sYm_fojoc(;+XrH>uBK-@CMy4DUCN6)l#Mb>|g4CK7Xg zoG^LK^4!;#U5f7xivM{4VdN61+$Y%$X6*Cdi5X{21iFJrB{%po?3)J`-Ml zhsMgHMbbY4?QOIF4ve-%2L;hC8Oh!M@vr`2f6ss*e+FNYjLhHhx?(4x^s?81&Cu{+`6{4`K$X3 zDAO?{B@Uy8J&Er}IPajv`MYTIYAAoU-+E-lyD3w63i&zhM^ORI*Xhn^-tS#ODOQ>? zW6>0;r+twie2&l8>IF3thzx~5B7qa_>qh#B8W!UNDrgL`u3v+fTMW7_<4cD&{RiY6 z!P4=K_=$Zc&2O}STz6-UuQx$M_^)Xjg)}za?H&}U|8|&0=Y41R01X)swJ`jR6*_tw zPND#`nr)7+rnKyn7HAeszem+GGc7(wUQmS!hp^4?v;~3v}1h)LStpme94M$#^ zlnYRW^Lm8<_?}oE!xPxPjLAAPkE!)iKGo$s+SL{zX=Q&+8LZG*uaU~s1lUC)Tnw&jN zC(K=t@aK)8% zJ<$1;nhO;e6O)ouWeAOlTQc4UF)mYeXus950%V&C#*A=#uH#c#$z0P%Wo(jBx}(h5 ziAClS>x9TIo_%?W2oouv#p#@binv(2dN&>sX>+)p`1qPqJPk_qx}%!HHkV~ka)hqbirYl;-Y z7^t-T)*I-wmRe(hW(d0Rlyr8aa9txCPXV6l3$1cpXI@Q1xeOm~>mYNbHWt&pFk3+h z5)){*KXfo2>5j8*eyNq+Qw=#%w3F@94qNnU&&c1+Lp~U6C3?h0SC%{1Q~ec&+#YXj#j3u?#-E zN>33#q2Ib!878YM7V{V8l2w22C+w=Dn&>-lY&-L9asQ&r}Jbx~v5Uh&S#lTvWB z3klHqs`93wj5k}o=+x!vawo8Z4CnR<1ucC4wn$LCWEkZ$1n)*KEO?Kt(a!TU6E|F_ zrw5%56E^e!3RR#CYUjD0*BLQAScJRZEw8L23Jgub3%m651_^x#{O;}iVEzMa-*WF9 z|4CP#*s=C``KRsQVFhPSAU$qi@v2n$Cw>cA1!GX|AR*6d1cdh}8G!*(#;AN5@$29W zwb$kA8YJeu`M%`}xRfc1U~8HO6(J_A|q3iLccnLJG{su$#vK%IibFmU_n2yMaVs$`V-TFC2?Ht5&h_Cj2`f>%~n ze(ot0J3gRp?pmFD9JB^~e$f%2V?u|>+lGypkP<3Q#;U2nYH83uVYU6vYEuil-H>}{ z+RJM%)fex^k?ZBuRqMj$MgNW^LStr;uYDHDGZ9o2fmjC~2Xr!^u zoc8y?esWOK2ZOd48taasAv?#Mj*d<`^*vSE-zekO>2rWf`~=TW zUGMPIN~aIr!65)TSI|I-ATNbqP5uqv_$@_}??K=>JTzFOcrwNDTg;+lIosL`V_;2@ zJZZ{@jHS@L_E)+5^Dk2IRXQKq-*pX7V>0D27KL8q+P4XhxkG8>3>iIdof0Y~Av<^W- z$RYOMsOaL?$+p^<%wYhWJQU{JLiRuh9m)3p5Ea3vSLl^V%msM=jng*tKm0`O^@LF}KjZar{cBB8UGqrdcQS6!EX7L=Rq}#+78WS) z%2_eJ{~G$6$;VeC{fPVM8wBgf&|M50-y1N!uba5Xl_bIgwU$27``OWWS$%4CI@`1} zwEVr(5O%NKjiG&6a!6!CCwp_FJKBnDDP}mFXa7JLbmwh1j~^1Yo6*3tN_a^TE?=Wo z(;T_KtcvewMVlDTv%bjRAdr{*b?I^jiEGwDt%6ca)UMZ}Cj8Hg(2Hg&$ZC0v7z#B% z!8NHQE0_E4PNbnonT3H0aahr3c6=Am@fXCF+9c&ISz?DZW7?#xe4D0Z1e0r+|MJo> zTj0N*S%7|~=^oC|iuJvde{7O#NTmwbYBefXTF1Yr4~l2tHXsTEl>DeeJ`{`L1x3HI zczZ0W+8XXFwY)tv4Zvzz45 zv-(g8?(SWd1d(CHNk?ECk8?>K-~+DIb=5G&c;1ZY@J>OzI0R4Q_nTmfjUMrAB@`Wi*q7m`1Qfv2}FROqdvOuS5`S8-@`W_CI? z(3Rdl4-HYko?YRJos}{TsoK3ULU;QisJl0n15GDewrg+?GesGlG})|NahDuzlU_O& zz^gy^18|FAZnjVu|0g0Aq+wt6@5Ac{%2y}VHAmCFX|~sT!m(&{VxSqyY zt$zr0a+287Qe33Mm`fQaG1Fmmr8J=Lq&K}_a0|8C}f|{7UiQ6YvpaUchFOE z7QENUXj^e2^GpoN4h%wB#^}Wq>h1Uy$3=uF<4-eq!gO_mIlA4%x%N*_{!)4aTi#MQ zM?%$a0l*W}!Hbl>q}mtA^xCDQs@V(%4N4}vCFX4E*vq3u^p|Qkc8uttvgr#F=Ox?B z|GpDcX^Hf75O33fog& zb%n%A8~Kczt~3Af<8RKK(e@*C`Hk-GH>^VF<^`_azI=H1tG??Q9<%FF9AQNkRBF(a zUyH@Fj*1#>v}qoQmi9HuA-p3-#=IUymY8z8-WX>KR*v2gX%4p=WzM3wy9d}g4yqH{ zO=XK{D&K?3C?#6jpECWpOk(OgzC2*z4y)2zNp!ru9WtC7E0a>G@HzOVm!*x2cbqJI za^DJ!nK@BYn`Hc7>k|+LuXxo@5g>5ppd6q)sET4bmYk+sQ-U)S&DE#Gv|AF5y*OK8 zI?K9L(zOXV^Hf(L2fcr^VXOsLics@Tg^?>hZGqK5W|OccQKFhk_G6&D_oy=Ixgj2? zfC_&sbn5{M$>rTwf9m^~eW8U!Q@=1e19y*$y1dB>ikU<}aRR+{EFyycUIRUM9eR5D zCdLjIjOd}V!x#+p(69=t2N>i4%BDTP1lG<>#l9|F#7KIV(bOAr-Zp*C&Jaq(Dp!sOVYP~N2oMwaHy)N(Mc9XS3h*gVxce-J5d<+skL6l=;H zdPQZVi)|AF1!|DSYXmoQK;R#qI#}a3X;UTUO!>&h1>hYlr@wI+K5N#w)sBVcIYjBn z4AN~FRry)BFOqKWc(mM*OpThXz+KFg6+z4BId3(WKR8+;Gd)(6v&ZC&rH~J2u-F3Z z)-UB>j>cQ!bxJ%ukOG}hfs1|hpuqXB3)csdZ;fd9B9euEn)_i+REpSYW&CZ#iz&V; z`wV#|a~uQnNc?KAdC3&ZG#i#==G8%3e|eMytc9AvLjQDd$p#HM_e*t z2dHwUia5N^k#3`cHiK(2wJ;==tjd|;F!~SAlT(FXaIs;*MXyh~D3ncL^c|lIZ3a94 zJC@H%U(fL88W0>6dMPqM5;uaFK>i!`_`X7+@6o>NzSOuJf1Uo(?XO}hOA{kTnVO+W z8l`wo_w;|_GZSC`UY;!_SWe~_=Fo+*P5$?^`V^pc7vPhm21r0#8p&6K{Lj()c`XML zgcBr_xWCqx%MrZ@a+bcK**)njlKj&b)-?3uPQWOFxJ}VW4FBq_eJ~_D$E)(qAy^wlEy{ zmoS31J5ug#m{NcQYDkU;jQrdJ@g*~8J&ReezeX;_bI-peQfheWW3e{_9T!N$-fg>8U~AfPSeM+kY#! zR*dY7i6YT7MS;vrTZAd|A?E+QR-`&aH2-g+rnM7PAPv;lAjkPC_k+*d4g3*MlB66Z z-(x01scM*#RmV~nm|b;*+d%(rV)xj0vO;PN@lEq5??FttzMl-49TNl5%0$l2H>^d= zJQb`l0TJ%u9Fb<=MWj~_pMX~<9j>uxabZ&ds zw|(`0%AUhX_zx`&L5#BIbEt4Hgh2W9={eiSYD6$j{A_tpv&%8EkJvGWt?g>|aG;Kb z(G^UesNWr}xk-~fr>4~&vw1neCCqlvABx9C=c1~qjN*o!*0l;;)8QxIuhJ)r(^Dr1 zdxx;rxrwea&$YRp{&rL3aDej_|6HB`>mZ>m76|bK^+*-Rl&;| z2vwUrX4q|h5POdR2}O&iKAK6gJJ;rl)QbJJ;O6n`+6xL3wy3S)pgznQrvseR>9T0v z*GP^OXqh@RjHxf&2=Y4Rq3cmz?@SmCNNVk16f(59&xr`Ap>E9QozJPiQ-5R1?&j}^ z3E)PA>m!kdV$2I_E=^-4{lSHZm!*&x)5C-9IJ2X*sG4y8*Cx7wiPuXBVh?wZx21AA zg)7cq=w`hK&?ySU9n?BouRD!sH3>hvuYSBgqLrvWy8MMDv3_aels5*snk$u~gL7-a zQ@3L!0e|TVB4RNyYNU=o}UL z2@gGO*5Fo!h96^JtPSy|bHp1;wEIi#FGoJy*KASC{g4S8oGkg~gjHh}!MX;OGAdf_ zu}^;Ou5EO?6BXxd0i!!u($=EUpyMu6=huj-fu+de|ymJd!l zTCX>FyS3vn3R>#B0^zWYBaQad30!v*RZ5ytY~~#GnCm$+@H>NDVb-#=u;bO(^!|sx z49Ye%Z{iB3M=w)KH}t$P5zXI0F47Fjl+Ag(m`%A|>lwvg05|y_hylJZV^MwgEMM6)I8#Fq@ zv#c8$yh-Rw^&9!7MqT!(+z=$zP4lHWyu=WT0|4 z3LcA8D&4_L7wfb2i#Akxtg3&et7qyaBt5q2VWLSmTb~d#%Pg;N`-I#UlnoSe)+t)C z`E|KeC-M3g%>D$b*Px|&)f5b0!alN=XPAsMvz7@&_#LV&wS62tX57@)GrWJ8Q-R#v z8P?BHR^VL8m~AOoV2xaPn$aCcj8?*! zr7V-ek~Mbi)@C^{*kV~2qV|R@-nV+ivQCax-yGAo7=uH%EJhV=>tms?X%6xms}ReC zUrQZMCgNxq$`LuKUen=r@>+0^Iy`@r_T`KFS#LPp=8^iskD&yqo}(M{sbr-poSN2# z1^6?v@A5JkI5i)0W`4f|ZeQMYc4q2$se1n1qWU3wtY@N1#-M5Rei+3cJCvtuBoD9w zu%=O!UF|w~UkV)8K?{S)`*gcb@v}aB6|+n=fdace2H1(zDkJGD5zrd1YySb z>qmRDi9pMXItBK$>H3F}$f*CJC3j>nage$>9VC{qN(mXhDeX5v?>UR}+E~m9H<34l zyT}GqocpRT1BEqoOi{&eR`l;yxdj5+^vD(4uo@W)wmPpuaGEazvyhGCSdAn^Zp=d{ z)gT9UrHAjgsZ3bhSyw5_CJYy}0B5A?_%8z387!B36RBg+yX?-R(c3Yeh9axITSuHe z2aOZ9hi8=c)Q$Y@GjZ&9eH66mk3NQ)$d!#v;cEMGFcW35fmf9T=ZYVYO<(HE4k;B{G1Fp=*U3<|= zEUj`^yO2SF=}FanvbMJ^e9#DGTU)_4)LaGm7R&hTtyWC&eyU>y@}^i0SmK8WrIq9U zj8^BQXjUqcSSc^hO7^SW%`#B`tG*Sf{~L%rkd664^YqPd&`9_suaWbVA=um;csyTn zm`oH1<9-ZW=|xRxZ#?%FK?N>1-<)}2iX_7&^&h0ar@CnPZZuZZ=&*@3Dx`bfpA-UD zgfsp#$N7@bzXVfVx{urA^381Mi3$b5Ru6L7vg`L!1*~6NBmQwo(H%yfDvgF6D-&~X z!JW#r)?E_)A0aRF-g$+4HKfDQ&JZyXDX>~MlnHK%Gfx0JKvwZ zwM?qgE|SX(d*8z+sB^Gt*RHnYiX%9}eP>-4xIVI}{mW2x6oCFk9~e1cf5O!M(2zU& zqqgw}nJ3~qg?+JviQokb(JHT5q!Na+?o$LOJg7)o1tnWhZ-*uYVQ1?%Y*s4*dX|!9 z>Wwy)FJm52F+)vp;eQ>;MjyqhK%BpU{py*pCH^9RyC2#4$z*cOBKk#t9@ykP>#e`A z{@#CB{j7~2=^fzZ5rQ+RLG~m4+3g6+h(>#WT5l=}-7W5U%0`AQ1IJ&D0NW(Ii8V;i zzXlIxwpqL_MXOHd8FM-g&eG1ZS`-xd*Rl}j2lWMPh&!Km=2ldFm!5l{s zt&VgU768z=RZRIMj9=~p+Wv%~gfcTC-uJkrzPnZHfyRG9Hpd?!QY-cde>=ePnV{$$ zIhj<)kQ@1Zr_fj!R-9rJ$-kDRx0Ncv`&e<1)swHhR?p}h26b^XFW2H8)O-3VH@KOu z<{!7~tHo8qk2HrF&lp7443T^FBFJxZMzHg>So^jTY+= ztQ`bjd*hRD;=QM(``0S)rlWhE4`i&~84&P@NxfyVvWi9S&B12D0%Z^c&Bv;P8n^v1 z64r=by@EuYTh%d!^QQWWPYR?pY?eP78{hqjIR{BCDD0g0ga7u7skphcm=kZz z_oM={f&Ixb>7?K`r_)jUuZ{mB%{z8c#J~)YKy2l%??7#IAiq5`S`w3h6kPJ|v$j>n zXHL@P|FHzlY6S0(K&HMgHLzTkztM!qa5y=uTp4lMKTK=&jlt)C1tjjbmBaC${*aN~LW5Y=yZFaj>rbmn_|LmcdB^au_u3Aq>_`ZI>e3Ru!sEpRtoz46NlN9|7x%q@2vDJt+ayh zaDra#AU&Ak7dPC^DtcN!)w9oqaC9f&?YKKrUx^>-2IFNbekap}MS){@&@Zj=xR_BBQG8~N-mXRj85$&qi3H2>7~{E zw2an~4__hM#+&ANXU2w60?%~zkSPjY?j=xkvs{CI&$!@VM+Wq`)i0C@6;c8YuQl7s z(K34N=l6!82fy~c?~#p!(Xj;!99z$mYTw<&&Tz9g`t+Nl0(XDvtt9j9&-@}AGn=cn z{B#)ZS7BYorUc_`V}j^GR_cX|R;$WV+Z>ib7CK;nhOJP ztMBN#jS1HrzK*k-cN7?W+y}3?4XoRe`*%raAfnAdvD(PMxytH_K#x$D{A^Ik)UjHD zq}dBQ#|LUdEs0^ma@TXOf;WChuzv9s7`WFn5?y+i?DLC>ZFnEig2Q}}cTTtX!F94e zeJ-w<&Q`+bqSz&CBn+ht;#;hR((y2H&!JR{3=;*sQj(Ry=LX{Fa zvc_^BB&gKXapXVX;P}eugcpY>ES04Th+50hWAU(aHfvkx_zRSO;#Lh1#Pw@zWvWAy zAnXzh4E_?+HTB%gl~s8IqK@eR?_u9}jsr0rq##rlJ|d&}s+M<<7)YQrVeG)22$r$N z+%j015&{HmtnCR|DRE%cxCjM9pX4?U4g}Rjm_Fd3_-g8ShvdLVQSu;Al&rRpU1A9m zO|f(2^OsM40Dbd#enlRVb|e^=zW%Qwe~1jNthnv-ng+tKE3&v$au8|I@FMA?*-4~{Kx2+N}huc7mt)Ii{XYhCt-#7 zX_)|DA#>HeiUqAn(p)OrGc2%E|p@kX* zb#-|pG`yggR+dB3o1Qu;zMp8)k|9m-7*)nRkdt%tZpKDO#qe1kcSl256UZSYtJRJV zB-d6cBV^A<7o{F_vFCpXP4}EXnAFUlNGN@>UX)H~`ShKo z)&;g8&=sy)fc4lKcCN?(S60g_3^z^Hhr9L`D!KMyVtc8FBKrKzhi;C~l^SN4irn-x zn@~EYd*X@QZq5~^2fDR;r#GPspD*lH<41<(-Yz>^rp1}lTCYvon4*7n)SuM9%AkRHx+t8=-^!SecWcBQc*spwxNy;^h~NS zJsZ(}E+BTJqzZqsiP{fQwzfE?w=^`Bd`adQ@4i*Yxs$uL(CF%UqQY$4fIyYp-rPEE zpETT4q(tvO>#WZbD9`pB?j2gKLRB7S@{dRxorgsSDi;z&(cx!T$w)@L1@s@A`ZrR3 z52op>e))>wc?c>qhBf-$Q(J5hf2_M#o4%US&sqAG=qKCW=!^z-MfKEVk$}ZL?VJ?e zY(03BH^&OkU0V)a-OUZX!cE#mBYR)o@jY>e*>WsvRvUk%D^jmUR=YOu z0Sa~w3$@cf)~m$BQA_5D0B$W-IdO(`J{NGtUa3k2UkrYGVkTpHm|-|Rxi(h{xSpK( z!hT$QFVC~tJVmAvB3?s#*jYa5wUcPzkZ)h!UF#v4WIGZhF1>8LR~z}dW@glx1G{+ZGEKxPyMILr*G?O=C!0fgm3V&W z89sb4B0Sp^da9m8{-UOMOz#8EWwg0mMGN0+k^R{f^2&6|=)Qb$o~a5x%kN=ry71jc zSy?%+F@$Tnn_SgxL+aJGkSWI<^VFq))=Cl;#>-=R_h8PI=6T+7wzxwlqv?E9efyfu z7od>(q+zbc)4^qOW3+D4@;kRXIHrdw98GReL$}5CZ&c`5aeQB~+-&w{Ihf181Vm9e zt*x61tt}JP;Jt7)qa(hoRZX`w2*#Dc&eyvrEm>L|NkR>=cW-%1t1yfNsHW#w2d(~6 zhF&QU9DHx(=)YNB7~vw|gO>hS<%xNnuL?F+M2NvY7Ndr!H8E_&$P(O?^6YtcHi9wW zGF~P)Gy61d_QPaWk1?bGG1K#+4RjaBh>}Ej$)$m;l(;*#+nL)+v?BbOk=#u7Wve5Y zvK>j&oG~8vIolJcdAv!8n~1V2OPTng_~9LIHBr>t*`jGZ-Ul}6%rAEXaGI?ty8Fi* zE&T!8vQ?Gt`f8V*h~%^8a1S@shL+{MTc?Z(!Hwoc3OS!*X3a?oicuGL5DYqB=9&j@ z$;)WJ172#$-*;*RH%n$UK-ItL3~A=-p|JE`>!g8@j{KmmR@2aoCN1`TZ{cC_edJht z8-El@>eCFP?TOv#5|5jm;Z7k>3OeE!2^B(o^-TEym!r#zNXDR>R5$~s-)O-5RG|ZA zfOut-1Mp%^7MUlddzQ?_ToU;pJ(>sn8V$B^QKMm<<}lezC2rP^#?qKj#Y)vz>ros) z^kYQ+ZWr@tkzM)j<&!eP8ml|(VSatCYry=G+F=$k{buttnH8HXm@>SI-3GQ)=@fmF%qM9pbC8-sQ>qMM(X%B-oH*nn?5 zl{vN}d^6GpC)-nx3j`d}y)V58X=E{fxpCFsYS6Hy4WUb`0_Av|`?E8!L8;mJY9g3$7l21h*MQez&7BR3;q=17R zOj9RSp=oxU3fY!kb&$7fg+3|GyG-|yL>GD_fc1I=1-CP_I$CU?&I_tkYCRP8uD)W? z>JKy)&yAfT9yolym=7^LB$PAxYQ;_F8Os@x`>NyhB6WNE4bN{J|39X#Ix6aJYriNd zCEXz1HFPT}E#2MS9V61+-O}CNQj$Y=Bi-H1H@^4k{nna4SgbSg+h^C==h@HpiryZq zZTOtYiils(`r{{}4c&8+JVon=os;MSyA|N-NK%1Fh$miO;5HmWvyq6up%9DDqj&4= zzRWuPV|#`kEo7 z7!8FS*7xl0=^l2gtCq6B0Hb4;ZPb6iFPOoX&v<|jmeP2VSTJJ_&@>Zi@D@uYuFiBu z!OsGFggUUP8BTO<{FD`VQjIJW4;@~}AImRCPnV_A4dAP`d~w!Pt>`6NAM0zHuN|~v zfg{qvn`(w0=%VQL;2SLzKJC-ysgLd4PTtIz2o(0Ht$r#+?qqAD-{!pR5i>DyFRFrT zjiyHf3z~^qH2izE>vp5ohoSE!xijY|Fuf-krg$T7qpBLjICP#Fzr5eJL4%N;nY-Ey z^GhD%%Iv6kf-j+JIy-Z@J&~Z|l;|dJdW)bOS0&N%#HzlBl+UW>4+D?{8A1Dj6@1^x1t$VD6D~(b=rmiMyvR&4n#tJmmeY-gmYUcJj+?W z+!}lDYI)0yHx%cUx~_@WNYUHiyC~d!iH3_r<&2L7$`<(U*2Y<%-uTU1lCY*`5*_>T z+oA{`M%NNEMO%Bo6>U0ej;kEmH)f^W3w0FR>m1Xa$5G9uz=Wh7x6%DbQ)?Hyb&7{a zOQbHJgtV7=j17UP>h8AkR3W0^H!hMkR}omtRa5P*wC}KngXJp1vBYbhh6D2Mg?#s@yG4!fuyx8a$2F?ul$*|*an* zveS8*G)wzjy4F+lN`}CrN)%1gx-19J%aMJk#m&Bj+rIKO)6WG0r zzhY7Jp49-JQ7d>)xiVAt6l?bFIC>#EP+AjdF_(|gHLe#VeJ+`XdTVe~OUtckd##90 zL7vyjKKMFVsLY&_#)A>0RQ^IyY7+Wg>S>WMBoRqVHAtFUut2U14T+F7;Qnzi;^un5 z>OvcRp+jy1qJ{!tH|O84%Mv%QO7JJ^JWsjkd!^x&b5pg*EnSGDZbij|knu+BneF0& zGxLW6M2@Q|dQ&d&=ltlIC@l^&zX}}Td zp@C!&+*6&crc;^=zWn;@s)J%MtLgsdAdp^P^Ei>kgw2NojKx~#L-;V4>klvS|G-wX z^rjHs@Kk#cji9XkI^XRtPn}8^$ko_CRt+;+Zg0Wr!tB*j)$d8^q$pX5PlHkFw5Xyz zL{qVH>9xC}v*uvAn*^nbBH24s_ zLg7-cf*#QU7ll^fly7_hpr~89Bsp?AxmG|o{wYC5O^~(H`O~RQ*;r;*#(ctuNk~QE zgS6CjE@+|7OX!n=Wmpo!7^-AuC=&8kU&Dv6oiWVJqI9HZhy4%9b^>HRx9ymq?30td z-5?kT$TeWt?nvK-h{TXeKCT}ZNIxVy)>)E>RV?u0iA0T7mw}m?WKDlQ7ZHpMV?T$v51#aLc4k52MVVw^dI^4_nbzNx6YLl;wBK~Ux zISz?J`A5!gr+OyfO(oIIk3CyLv8;iJn?0zDz;hOPy|kg&uJ;dhg$lmTgo{n->GHj_ z8kK~Qc|4ngWH4V+Wixng`OK=;$X#}|6Bsfu8l?Ig>IQ416T@c^);m3Hoc9JWPXYc? zix>_ETa>jXpn-7eCe{Jz(C~t!73-~^x$6kwVZM$5I~YP@;+JNUfs57~6PxjvjH)Rq zH!jUS2ka8^dg6NtDN`m=aowMSS+50WSK+E%U(gBlX0f|qn;q>LjeM$DOM%pilnzn8 zp5hxuwhUUM(J!z@Okdvj=86mx?8!XZ%Ml6;6r|rd$fbSz27?$&H(B=RSeGhY6n#1P zkWL|=9H`iTm8X=>?Rt+36NafmjDzd`g#KyC*jO&{pE|*a^(ejE`{)OFplkHWliZga zQ5Z$O^o0&5u1~S}Qi+VxVbCZ^5?SX@xxJ!?k;A=7jOYl{#-#E=zt;N$s3QLhaq~mP zs{UqtzdcMLSf5+_0>(*M>OwAk6KU~!2xrqCS+75_Qq6nu6M(+J<`62Y0rRbzPi zd5!=5ulVfw2vEXn`_I`7&cyFPq?enkjYC>&CcUu-g1e7K(uL(M<}DU)HKK_6_UrJK zR$H_A>3II4AiMW4?oA>603<_qUdBd!PL0+}eGPD=m~;xUaWDYzOQe}z>|S41WXd#F zk$zBLHs!mQ@ZjfA&k8cVOBrg?NI`gx_5H^R=!CXKMb8q zObRz8lmPnvRU{E83{>6cCQ9)W1*42Y0n^h_FS#rkW@Md40a4WU@GsbzP zq{=^k7XA+(|9hx1oa%3h1|@inj|yZ^uX$e&&kgDeqzsu9p?iDQMJ4~%ya_P>6((`T zEwZNcPY0QgT6I*V6|cD7FDzg`zcZ2F88-#qt6-2Oq1DcG(f(9EteM$$ z)7j5RCx>#c0-pao$$Ioxta2oS7ADKTd`Vq-XD7WgPd7xbaj5!G;C3>lSb@x$2`#@*ZFd2FLaN4ey9lE z#C|5Y>bm&G9<46J^#?VxKf-e)wA)?7F%RnEs7eq?fx3n#cEG7p-xfEak^$@8o)c;7 zWtSK@dH>LC3d$Y&mN*WV>j##gt%I7Fxz*N7FcX21F^$sR{X~aXnVl(dL)yg$zmRS> z3VoQN^ETBWS!kF*2g6nFIAs!X-a#7e45D@Cv5H=T{mygP&MQx?+3haD{sq={Z{a}v ziVJQ2=!}E7D-xwdd9*1=*?gzhO8J02e)XvE`;+LD@yq-WU#P*f&{YrJX6lNOd~n~V*Q?F( z6P=-W;~kpx*+5g3QZ{dsfABC~uB@upxpE#b#Fg5f{z1pJ+g`GVh9XFQzN1j$X-OT@ zA=o@#N*=&M+%Ug7^B;bX-M5iSfH!})*CZ^|YRT}{n@N#HD@|>PrPyWs8IUhD4!+>} z`EmtSpX!|wh~X7SrZ7r?2p&6y4B4#Da)AQlt*#~Chg-YZpRhl_tpgNxlo<-`B!8+W z;Yf<9OXoIyj@5*Tv%iQD5}_WYVvuxb93?33bFn^hQm=M^b8T{) zu$`g9pQ8mqfg_a<*@FfO*w`BEv;eKBMW#LMK&#|M-2P*SUiYnp$Xyru%`J0@h47E6 zo*u&Eyw?uQ{&aLPrIlkEn_a2Uu3$kb246y?E6i9y8qvZ2?DSkl*#ye-@>P*+#m<2=s0plqUCyrd~^Zi8=6!{?ZF+|TU( zWh+~`d_Dr7l7ZQg#mPFEx$G^9QTzw2lcfeK9Ycv{HP2WYE6%xlBGTXyX?`D+FBQ5z zLDx2eC7A^3b=x$W!J_PTt4V|w==NmY=@ZbY3#~oLSpsbv9T#r3%>f(WCm8M3<#_&U z!VylQ5AqsZnsW>&g`b~Q8BNYEMz|?KqRCMel85<5>7X}?n9s41BdV99`=95D1wLml z_)QeKrE(00dy!Hda@xoqvM9T%4O@IVY+fXv8 z?GDoFixs}X)R`)FxR@z&ny z`oxHSys3iGZpHaLu+ncaUC)W;HeP)yLsL<^i&jsw0 zb>D$G zq!&G|(QiYiCmN)^v~{&}MeclymG+9fnoea-7Xn;GB&toe#hpW^ri;Azww5j3J+BCz zuq(DS64K~y(v@=csj^o2qR&YD+S{vx+if#x5_v)$*ASoPCOwL&g;Y!Bz$gvo6OQa6 z%W9@4mD|R2>V8p?j38@HrwJhPksFB!4l`{9Up=+7qnX^9ru3H|-WltgW3xq`X$@!M zxe=_Om`=x;?6tRp@%#`3m+NWwB+)W$jCe5Ub{n&5E#Ubg8!%|bC-kf86F##-k%{h3ZmNycr*QwD$uDB$e1E#kg_s7a1Q|Fx76*JYgDb}{G~&+v8Xyk;GHH{^rm zti{-~i`D1iP%@fxR&oJVwt9K#+sZ7lT}zvv=}eR(Ns!{LIbcbKXP~fUa>)J|^pGi? z0$lPd={RED-_ukks!c)1!??Jd^ssbJ9gO0bh6mb5c?w`xd(0}oK0XbY9e#{}Nmrsy z#&FtY_*F9LS9qh%@44qp>#=r-^<@VX}R z!_)7MVh$+!&q3=tRA|mGG~{Z8WMnic7V*J`WuXriz@rf6)m^tPkmHX|{t7lB!)sk~X^Dm(xM(tCnvCkz2FTk>b4AL74$AZi zNiF29xr~#MaQGhMY9=;K~*Ljr34IFE5Y4X!4_PO z9O?6;hLF;LcDP>5C!+ND8LDrVvca|Epzs(B-)mj(EK1_Hq3-r+g{y@%b8awR0&R8I zapZY$E)?NP6oI8~{YHK`E!#o`L0YIwk(c?poB8a;>tQ?uP4DaN(Ac7iQv`EZ&6+$} zZ@APsO6cP~o1G>Ps0)$Id;4v4-3e<9W}B1h9m*uO4eDqzq(qKXb#U8^v9tzUyS0lc zPb@J_m$xnmLq;59wAzbkhH`c=+}E->otSER>Tq(3tU4^OGj>K$qM5#w;*5=OEU(bt9nCsN5XS4Z})Udi9 zpF2GPh|H}UlaQvpXgkyHxH{`|d|~D$sV_MQ9a?iAwuJu?@;WxYywCmhN(z&S&y_P- zt&uRE78CO0LDF*vn^}$Vd;Xqd>kYv-tI+2NYpv`c@^+e(IlL+aa@qw$mVRJ}1|xs7 zCFWqJrGc9})xdY6eQklRIHX|AQ^^tG#u?|MzGe?y;|RM#r!rONtlEJ74y_5FHQ1@* zv*~&lX2eAoTK{#*MgCftM*6@h=p5wbSghra+rP6lT2oR`L4*V2lO;dDV7;<4S+7l{OhtR zZI&k;h5?FQ+)|mkP7f|K@L{_{-{N=dHj=WL6gFq7bdrZg)Z*uE5ekOub3oTH%EO5% z#AEnVj>EjQqJ(*?GaU?Bw}{cqrvLRA7? z0&;ZL*k|23W}#%zSYZqK!J6wbyXB{0Yq$#5uSZedwG`>KCz z{odmlYHkd#o3ko*^a}hodZ&}(U6-)GV0h|$*PDjcQNy`oJY(tn!HQ2_Nw!NrBN?+8 zxX&Uaz*H+Qz1gqfa@%}BnvNs29~o7w9a^(}Jcpdfp5sOrWT@79YXu(5e(n_-(qZm3 zdhD;8>(sz3#GL8pk$X?)LB+IMQhmNIoyhOjul3OPHo1zKyfY;#>F$k|S$gYY@fQ*c z>~<4c)Bthl$z}^K{$wW75*yqbx>=*fGu1d=3l@ohFEy4Nt|=njHIG-O;0x z$LoY5B;M(}BJCQSC2uRzU2+DS4~%7@b+npt?4Kl+XI}h(%B-zPvY#7<$24jdqdAnG z-e+`T``{;=$|Mg^xSohyz2jMEH0I~i-8HZrbX0ae8de4OJ6EasqhR2~vbDTr6Gtu5 z-czvm| zt?gb8bRZRD?LoUNO1w&msByO9ByyN^Q`9ZxAFW6h>LFTQ$pFhP*ea%ennnE&%T15^ z50gOq0~*L&<^nAR0Rc7sZV0p3=%Yk}+e!D_$x+R8vAgdTs^zV&Tz6Q{Ov!xeY`QAi z^PuKq1@K3lU?T0wT)dvdjhZg<^YJZOI||<7{^DMRadW}onY9K#5{D_j7bjWnviTdI zVDyC9$ajnJwDg~pf>8J7v7qiFEu|iJr_GfqU>;+F6Wopl=T4+GIE%3kr+h5-(sUlM z&o*@fALCWg_Sqt?4)EC~Drlf}bB)6cu&#^m=XmpspIElOAm#(Jg#DyCG!tp=-GXkQ2w& z;Kk4bY=C>hLD})XY;~^6I*Xjui{E6rDWw}a4|FloaL|08?O@-93;0 z7|JZ3t!5VNMD)-(wUP|dq38TTt&hPpT!q9o&z!aMxC$2_)G>ycJ$<~w5)YZU7FT#+ zY`H60o*;>&+Zb3bX~WazLQHIi&RSld)#xP0ns0MWcUZ$1jxfF$hw>m|A$S45jQw&s zr}uHx6vKA5jLqtW3Z1}CsmBJFkCR!XENIaOKkoY^g(Z&6*b6~&i~S3V0kc2eUW;F5 zTl=Cw9y2w@oQZk7p(qSk(xd4W`dB?^JAJ*~G^nv$A{8o}Hj^|gY?crGeKkHod{)q` zCBSo570}YXfYLy-W<}aETV&301Kr8?)WH!BDc(OZ2#K5`4KbSZN&zzXB_xBKi_0i_ z`@NX+#VZ4#S9zpPbjud&T+!3cB@(J0*^Zu@HVmtFAN;44Pq?!MtbB7F3tX+2PQ&x$ z#wsw5@T!?YRPvVFd5RX_%dNuNXw@tK+rBTi1aMk3)%!diaDoiD~mrhYu%Mnza`Fozzgq$rfVc^-b? z93_%1(RC_LJUgR=Be_&@H9UcC&)zjKgp&@1Ug4=vs=F9bWNc&f31&9?5rSfe-seWy z+f|h&`qBN9cq0R%0;qU*DWpHWDXvd3`~A%uwfP{1g=2X-xRi<6$c#+>k|cpgW`ZP8 zMPAv3R}8}ZJx;0%6WVmEx*;oTJLHTq=pMgyik&1dDxOU@RIJ&8ciP~qj4e3eTH?=h z2$M+Pwq57M7RpX{jSBkGSwRg&PyMB!6LObK3(42W$&|$KRm(nS5vESi&KHH!?}6;E zUde^Q?W4ywcZ-dV&(vie;26Oe8%V=gXVzC0>R#}GNB6&&N4V-~P)-hJGm0ax` z!Q+)vf7J@I<25`ww~R5SE)53Udp25v$j!%EC}TU0P(Y|K&9-0&X_s@~z~xw}q5**r zRso_}cp{Qr(dx?8{n%-Vcjzd|43cbr55ERi$ay<5ZIWPaZT5~*zB``jot1DWq+dIZ zF*gn=+3854`?g^8XfdJBMPj;K`5KYvv8h-*Fn0w0j;JRyqvBvI4K7Q!P=+4W^?qEu zEG$R$=JEdif!5~aSU0?p&AX++lZ5~*Bgb|3E=7cC3OGmFSOvN5iX2*U<>hdsqPhp= zvEw!eB9k9|X;>C^eUt-Uz3sz&&3Ko%y3bym9cQd1XsKmJm%#8`I3|@U+GcTld8PdN z++wzA|4bgvR$~O?*<_#h`k5JmCF^T8SwXD&Q4!sm&E&hbXE2Aafs4OQ1;CIYU?I%yW*xFPmb<-H?Y#=s= zMHLtDB_t^0C_4TYt8C8ujp$W(LCba&AnvdW84GW_($^W!mHMk8#JeP8t$rFp(G%<> z>#01_+j0_)*F+zYCRus${R@}x6mibew~=dG#W}~|dBykW5Ez)D6d7fgST7%pW#Rd>q_ng89PLSv zTvD4H-I^_rH^pxnRIJdf0?`WC_Dht@*!UXV^EeM2suYqP1k)ijK&IA3yqHI<+5F%* zq^>dD%*2@ufi~)izQU%x;izj?>__Mrq z7Dt-a4W&StAjWN5@$6m9XAj)?La#dWFO-i}9v|lh(`nX>=q!YzI#t+K1}gA7upd~8 z0tqyZT&bKc=eHF_LN6)r3kxcj6ci4<$)u)jOB*GAN*xc6}ra-DM)e7%H zoR9D6#~w9ccc>VGCIKq8Ea)S7i3j4JEL8g-GvS{f&j%>W4k~fUA99iEU1#^u79Hld zcf?Ig9!^v^x?VHC=1aX~-9Jfe{UdsO4%dm;tA1;t`+N|{T)ByoLo5D=xgyXk4_0HB`P-eFg zuP=D1hRz33$QI?HI}M=9nBwp6jJfBA?Qyu?Ij7%L4cW)y6KQmLkXv9Z)atAA>0%zs zj2X{EJW(k{uc;E|DTgJC@g%GxrOU?3IOTJzQuJLjCqHjpq@Xki&H0AEY@U%K>jAH! zl+$#$^u}1m7&NVA)@=4!yi;b#kg}JrSYRPtpcAoLjbQ&!HyzeU6}`so9aOAX>P$oK?7lKU0_P5!gTuTq)stR-jx=b?;bi@A$&BlE%Kjduk&!6! zqW^8Fnw#0KCD4{|y(b#Wa>KZ6bBUBh+&Wx8qHH7`5b8L)RPB1?iQWl8bWmA+?hpmC zFnmBiyC8xGdZ&iXE(5%@K9&Oz*hVB=KCrlHwazmID3ALzk-x$l{ zMITkgZBmk_<)ZpXC2BHiw7Mc6)E0_?kMWGCZFAJ7y_L;5<4&}84b0%pdJ6?+ij`Cz zpdgSxAtoxfBKgb}XhB4B$*p_4-;kB+0$0z^UT(zr&d&?pNXTr0d8YFZ)|z~8B`U(| zy3VK^qR=Varl#{f;G8`<>QtFb=SSBF+sr<=y+E_{pSjhm0Oe2OS~XG=F*d@&>=-HNRxgSa$obJ*C5viXJx=v8P|s~TzM(E3cmtO_XSksS#gJWpr) zr%nSDZ)QLti%SCGHHZ_cW36~v=IF(b4DzcuR4`dUmnsOCn8-A0M!qm>qQv8rnD}lg z+X~VZ@te75X$SK7b3)hJ3X9OGp7a$~991jDZ6YJ70@6!NPf*X_83#ww9tI5u;TsDFZ z{OD{{8RFxl{uX|iiM?U=9j5rBp#ETKXf5CwnVJK=72Z4I_st@3g<#*78^lCdRKn) zAvF?djc_H~+Tw;Qkd~YgXH9jJ#t0(=3h5BqF$sw|#_VRwZ@%XV$ z?}mkyWGVnH`b{1#hX-AYVZ|FwO9%jIU34yhitNX?P$|W)f!ki6jNiX)z1#4c#8cW= za!jxq-e{anovFj~;FZa9R2>;UCog3u4p`rXS&)F8u9D!&+7RxmlXzBc!dS&mGL4t8 zJKecYjY@Q+H$lf*_NX<9EQ&*#FIx@Sv6_c$U{m3Z`A$tz$oej;^Tnqr3YYK7k&pM| zS)cn|$wT?M;~6Tblo*34@dU-ENujK>gaX!|ciB8AUA2!@D1K_fM&}ZFc@>HP z#7QLxoAUaziGjf5l;#YD;5#P{HBv%U z;y#`&QWdR8gSs<@V->0-ndiVrYLYniPUL727nxK+ykH4xb6#r13ySWlzz41XwtJzy!{WH%wVd7%_{y@IxAE3w~8hTt@7 zNv0#qX|dhptt2DS^P!OjUZqAI$B~cEgvD$Iiu&iO)a9QkKLUSLx-9N;1fmOpg-NFk zf-3pN_n>+g0F@+N3~R;Z5YFh%n1dn=mL@yKxpCs&S|7E<^mpVZN^C|`@IP#ibGO^2 z@8wROlRXATt8~)r85Tkjwp*w2j+8m8^l~VAuV6XJHC}3dv1RAoyk`dF%St7ES7~l_ zA(fP7FDSl+R*UD#H(T}I7a`s_d_^R9!Rb_?Vy&&ovPGmE3nxdnnxQWm+5KfF2JodE<*9mi$cuPVwB?;@doC*Tm%0)D#>$KC0bEfq zLOPyMG0#y^biVN*DaB+7i^Q{J=8}!O#SF$ZSs3(q6#G6;(5=el#q}_0TI6ESZokMn zzbY%)K6Yl?HEEx_aV2 zECCMFrZJ0)A7{k{F0Qn?YbRe89B5N0?hx>3AE889)>*7Y^2=d* zO~%gf22LWF%Lc{E8K!BRxcn-$Ai?hW#E26EANzGqQ0lui`+IBy*4N~#e%=(pEgotn z{v7?aQFDYM-y6u0tS&X-!cag~cyUce-5i&fFIcU?9}G8ZEw0synWV--aC_RT{hXcc zWE~PlF{S^g1?;j*#=A~>>6u)+^>OpqbA9{?FJnp6$Sdm%ESr@Aii(RH8d*J6aUp0d zp_$ZQzj*Z-aAKgDbdTSzx@{8N#EPb}FDzTuM39b5o6lB-kAa<}jZpO2_gTy8&B2OQ zFEvH(PLYH7BP3qscgtt9&GijxzBBDd7+7dg3I+YIdZX)S-c?Ni)^-u{;p>b~spXUM z?;a>f>Qbw#_j&GI+_F*54PRSC-ET{tnw0okd^0-9_r8=nGQKmFmNh@eKsjFPH&O(6 z7;`y;_n_vIUf&@{d+$9H`S_$cI9Gc)ofe0{PaIZHYF1+8U5ZF%{kWC%)I%YAvknQC zkgnHI<9n(^O&R^Vb?ak6!Q|&0IUi?JoJ<@Y!?Bt1^@l!7)1$Zp_Xpyf?cxLFQLL+? z7t}XCph(8D(GJMX=?X1JAr7i!LKjM2+uQ>PWU0E^;m@f=HCm!%)a;Dse0g7RcZ|Mx zOn?UO;~v`Rzsm+(6D8DL#W^n#nHK`bXSY2MU$orY8y^arT$T?^(Q9+rNfVT3x^ynp0OC%V9$Nx62+99fc0z5yc1rVfyyN|+GygdiETrFX<>e;(g`n&?S?RYidCC;zuGdmE53m5b!_7`5S@*4lBS zh?TNf8A$# z+0Z{P@7^dV>`xU2#^_&j*?qeFrAG?SQ}B1;Ja+Xr0D@#t*X@UUVo=r6VRWOZ?5Ikq z{zCJC7ex%`Umx?2YBd1DTLwVyYX7=3JMy3S*RTCt#7y!vpx2E$=U^V^W~KzUNTz?L;mB>?*P{B* z@B0V|Eff$wUedRhi0=Y|^Zx59$8|o(Y#?T7%l(<*O{Q-HF+~F#0kR8kRj9-&=A}p5 zl*5^xX3sG*fn>tJ6vEw)Fcf%=uYz&#LWy5@BAxnuMP0U_gVs?En3VUGh%}=9atoYC zzWbco$F<~uejAKfT&W|H&WE$>e88gJ`n(ATxs&{(wObj#Pm0oG_89~!s!Jba_vDKA z#(MWzk(KtwRq+b~{{F&q%Kz?(&kzdO7KDWt$|UBnmNtL$uV7gJV=>i8 zKS9hnx4NN)9!@f{>4w_%_gC3p#vvyApVzr8{BO4kQE&|M9W9h8V_~i4_oZxREE)WP zJZhD8Ega}=f8^Lr{TqA>u^1r(;BfBir;jcN=u7P$EM_Bx6urf>TmO#(FAQQbKR9=%z;jY# zxW8rq@m4124o!9iCSN^!-mnub8Cfo(Z}T&={?-5YeofF6cu7!bZZHgX86&B0XCnz9 zqlr~5gLeMz#)mim(H4;mtS_1Tp^fHfqaIg=+^+oNjY|0cV@A4o^IJ__*x$YoG=6ksN;-2vF^{@kC9Gta+6%+ zi%ajq{w(?m-~KyJ8{7BMLfzztn!}>>&6IHsTx@SEFXyxV?}zC^9G1Ktoy4=|8*%cb z2s{M=kBH4nEJy|htoZz^{qMr{kl$XFoQTrk6$mxk>0?fxFsR*%1mP$GgHdV&|9ow? z8}sixOOfq)HTs7<)NdcC2{SvMiTnJ*s#bnY8$~zxmlz~u`}fIVByV=>9`^|_=5-CP zGk_FBgZ4Egp>OXLqC+@bfRHphFP(6P>%4 z{taxy6y-iK>OS5I3g*Di(R3{Ddr$aM;wkGMV<|}n2ry7)a zdn4!>0?r(ZFC7e4vY4s(tsmw^3F6_5I02C|#FFW|~hJ@iirUJCD8bUGWb^Ry+ z6cm@2mm%T}3;ClF|4!fd?JXf(uQw}q?Mm+4t;)1L`X7N$Q7hbc0?{xQe>~Q+#P7Vx z#N=M+cGIn?ZD|lrcA6?>WtEjl>vgq35C7ls4!{NQ)=oYokQ?F{%j6wqjIplk-x z=XQAGRJo$JRqlxL=c)a;=^)s2h`a2Ythv!hD`<5_usPLEar)J5zeQorp1s5G_=o=E zJ){HSw-lp&qu45D>g}REH{V3)>ZbVG;+ZW`BL5Z7J@4;5A#&q68ia3m_hZu0G?9OK z5$aicHHsqpeIWkxBC|i7kyI>r@Jkp%???_Aw&qMr z%4{#sY~oc9>kWbIx_@+OqYEK}-y<%A#|izCECKQfUGqH@c)rY3i~CLp=1#k!E+=$B zN=2+@pw|{T^1HYgBW+YDu*w- zqK6x+!E2YnpF+T34I>%7rn6U`qWe}>4WsoA^1H_{C%J3(`*o+Pn3(s+Cnt~*6`PMY zR*uTzeX(uCj_>{oP?k)?Xzkm32v6QehCQ~nffPSJ>}yoVsSdii zDt;8vZLfExN5JT#W@m_i%x!SiWE_{faK|S6He@|8G>KNB+FKX1Cv}}JRMO8E+Ze=Xa_*usGF4CHS$Y2Gdyu7DgVa(aV&>{H>m5-;YvU+hd|Ler zQzS|5j6V2$g~_?OqT>DBVlt^=S6_WoT3sm}xAN6ldFU?!Bt+XCJlVtv39BdjqlPqU zqN5}urM>sKj3}rI_g~%ls5lU`Gd%F{#f_B{rreTlH6O=~IX4MGXo;FHg=Y-QoqSYY z*3P{Bw4N)z>M~UEse8r+WhMq$KFNhvdy96iJCkUy)8Y9ok7+@H$gce)r~ z3_>NVxXu9#$E$Kx10nrGj)Ef%*aG5)hPCz6v{^=@4VWMWo-9hLkwM2u&C0Xt5cqoh zNJpK4KI1CxE@E;i8Cd@*xFlDNSH9iHMwQBf9J8bg^Lu=JanYH!UBZ#($Ses4*8WkR$!$*VUxAK9T9AJ> zV0sa=<020?T+e%)-!%KMq4M(3URhsfT+tO)ca8GcjrjvZX%BC1h=`^kA0n-%vHN|2 zwLc4vaenHk)5~hygM%wLFc5>-ir9NTBX4v}A?b+EbR~!%7}~!Lc^BmKAPCu=r>z_Q z`%4p=Si4xDVrt%eaS`Ok?B1vX-IeO~V zIX%5~V5DT(B>Fl}mZ3R2e&U%O0YRo?2Y8)l&qbzcH{)JTPO7U9@(f0Oj*R`<>s5x1 z&dQEq3s)QKyBQ0ti%ajH54~t_Gcc}v(8AVo2FK^H;dY+*JR@jWFK+qot5_{Kq?Xr5 z{eh`Yx_Z*s)LP3;d!PJ!x)DeCi^E=ZJuk=-iq%+YuQt+CwrGK`s2*sUO6rZsh)vq- z3Jc~g+&ukh=|(#|tgK?R%UxON;IzGVyrzrHL_r_EB6rDzwXd0!pimc|uFO5}C7wZm ztV2*6;fkMNk;yG0=?=(5UGF%gqseN7tz$yYfB#2}F z=yHS|G@`~*BoFS8`rP(6dlt<7x&s$!a?vfd_Hpm~b69LN{Ikl(-24I8egSD8W(T zv(1S&zAuaV$4c-ao_c?($lv{9V!aKOHa+S~u%v| zFVo>=M9B3To}nc7zvI6T!e_v<&&^%av}PUN3F-kPIsCRcWio0p<;_f^%Og`Sd%Xk47F9P&*OT~GHzx3f=BxBbqSDp2rQeqeO5r#g#qZE+o{4BP&fE#}Se-iENd zWoZGj!D-e9PmZed9wUnTQ;*$aufDH^JA&?dBPgUzAXYEP7(;e&^9%SPUwqfgQ?W}H zXKUF?h>mHLD(ZNBtRa}0M!lVVaf-rw&p{@LCP+4=_x#gp$Z3xouwJF?`%(>2@7zD5 zSg)&3=Sf&8fHp;b>F?22y>O={A>Q5QARDBUtE;Ezrk^Y`oVNjRYlgbrDxMq_*M4R% zm+2CL!QX4#AeH!(&R0SKO*P=zZ6{U*YZ!bT3ZE>6k%Y|mqa3{uGjjRphf4uEv)?BV zzh+W>4~nI)xm}n07x8zNUtZf=_SZ^Q`I;KOC2ro8;R)7xF)lN~#4%_|rX`Q$wsUXy z-C~Kpd`bL)x3$URf@0I^Mv)bX5_%7F~upPuFdba3nxYxLmra!># zeKR_!c$0xPOUB9G*( zZ9k>}@Dplzc}2j!wTu+Eh}X;$D~gm;lNEpKnJ3B9IQhOq{#brujJ#aXW@~S_CFR$q z82D9SvOlQ4T7A5X>-#`ow_XvOud>jnr+{VTJAZ}1NICz>9JQ_bz8pmFFs5GA6bwqL ztu3(#-c*2M&kUundCLFV-*J;x5586n7{t!J$ZTiWGNucb8xR65PL> zbAIRlo}2F~x!7y3J+o|Po@dQ)on>Ys4*58qK8zcJ99_UUSQt zo>2gvRc|@{P6|04+16NO0fIGIoU-t@W$Rikpw!J`+&`s}Mfa(NPfvyVG%LadL6TeA zCVHh~y7-uuQlOjXd%BjZEYAZW|LyJsB2vOALwlKmspb>**gpx2EN6)a?3{*|CZoEn zk(ApTu%Ae@ujM}BmNX#+69IvP%yrgtf&DQOcl!^NIG}`8HyID}i=+)chyC@I(+}Lt zASJzqEqjjY@AGv>ETPP*#P07oMIA^Gr8|001eqhEC_-+)0eac7E&g!stNZ}TqdCxZ{d2Gr! zOrqt)Cvi_wpMa+)PsuynzmiF+CehcwzyKTW}4;^^G(sXd- zVe$RU!MDML6J;#>Ad4QxQ%@{jjnyZVTHYg^2D`rDsoIGWWJmNnz*t?F9Bjs`_q^L8 zby^;!RZj0YKaaRQHVEW<*)^hNeGX0;li&bb0ER0V6LU@_x*zdxZ8BGvZUkAZk8gqg zQ~}ve-3Ol+!+}I9Cno*JMw4{_(Q-|cru$GuUl_8Q#dz0O293M5E%hbEIAD5{IFMr@pTnf-&mb zAesYZ*DR+HvJWX7&y2}4RL>*1yVzvhr;Xj2E3FY|3p{rKa<{ECaf2)Bd8}uD1fj%n ze4q&{LQA+iszh0wyWu2zlP-X;!VQbi3y;l`dMdh_6tE)`Ft>p9rY_wN;hxx26y#ZR z=RBpyG!858NA&O6~#D0afU6* z-DCPjNZ*rLu=%FmQ(*{t?Y_kl6Hemmdh=!cHlZ{=Xz?5>{0Qid>{wThny-eY_TN7 zj;g(^vzw`s2CVsRk-+B5tr`caU!xPJ8{MsQ;?s4;94J^6J0V*%Z`l+r=YNZT6)eA` zgyB-Pvu$uqw}a=deBNF{3qKqqb&;QKHTekDIuH4d|9+gp-`g%<%T9f82ZzP2o9r;6 zv^!vqzxU><_K+!>00#AEIc$cs2y@zAxl@O(OWux}*I_~jY}j_4+EHqDvcc#5Ri4Ky zYr*r-KI^e!&4&liay{-o65GSj-kh)4AXDzT(%MrNyV6;|RE5a=Hx3 z1c%P<9Bi42h?)twjUA49`=iy{dO2@z8r8L)dc$0t1#0~%{g7kxZE0%wnneD+Hh&`7 zPzT_0K3?v`O&(`w+pRYn;I!Xdo^*}Zxh7bSf#(FdWffkcnxaxPB+#QEY0Nhe82(BC zo9T!i+{rHZR1&$kH+mLW= za^FS{-D5gwItN6ws4uQNh8p-l6QfKXm@Z(BUm9ULwK%F6DNE(;jTAa*1 z{vmWn%Z}b0_KHUtFOjAQk3ukmQ9Tu#P&^=iM^ESWim@Bzk}2l+%CTs3szQ8CZ(+Z) z$gQ8ZBnS;+8XQoK%`($@KBFfwHl~1u!B}WJ>DE$_~lj~G=KM}^VhbR z^Cn*{c^%Jw$UXUdP4oIuGqX_r!3&*nY6=}QYUg4h0TsfVbXtM11l!|^Me-anz*F0oVSnP~y;Ud2c$ z0=L-8`xB!h{G$YC7&!RpqlLqyr)#pY9LMAe?Kk3GOV5<9*K?o;(`b_M>2fr95enHq z2$-jE)QQM>;}7Feqr;VR^QvN1HWa&#i!4#AEZrnCA_0XAU+tskSC*X-opjT<% ziA^OAxSUVoq_j36l+E3XGxcccqraS46(N8;t_Bs1_wKp6NkzA+2gxOkZkP_Zv80b!=r@A?$#Q~WnC&-?=7f_D4FQqVppf5 z=7=PoTgTrfB{?(V^)R@XgF)r}myYRGiirmsN@I2Sq}FN!Du>u0jBGFKxA)vWUT29{ znWKLIBUx>p2MyQ1J~J1|jq3U*+;&wq<*VoC6OrJI?cWe?%|VFYJ$vTlu4L!ghC4!e zl~Wi7X6j#%mgg^Mk30GHeSJd1i(5Dt-FW}x8{!(VUGxp}F9G_MdzR}L>)mLof(M{| z+v%$!-*N4OT+PUqNAoG2z3KpL9cg-;x7qWHtn~ECI-i^$t<+3Rh(s7uCJdE|Tsk7^ z$|`6e$M`4L?Wiv_M#c_LL^q9S`6Zi3@fRIt(u=ujIk65;87em|&`)T$u8l#TMJ3Z8 zmMFTBSGByyPjkffT2`f7A3vdx%~R9&PEZLNi(KGRABqd5d~zgb1jLJQvxPPz^J^T7 zOFw)!Qq0ohyekzbit|EGo*9b16`-Kx&0a{@#}?y7pu~8*U*f_m`^36z!s z-H9lhW`QqT^&J%FGqi9f{Sh$77B}kvn2*9zLRW{5@=oIbghu&YND=J3!Enx5g zn*tG^8&e~U!?F&-kqqU+sbtIYH?@TTXOIv3hXjQ{_uvELHfGwP=sHK88uft#1_wkL zs(3s+VnV{92L(d41Dr2E<50vMmwHwYadxu=I)BG?>~0<+G_Si8#%;_c>!=U+I$e^2 zBK-G&{d8=W(%rJF8txW-QWqzSR{M%7)FOPyDis-Zj_c;B3s)lR5Pi7od!b-M8x8-}{lEWMq) zk5hep^D!kU4_GMQ{(F_lBJd`CN+$v)`FO97A7P2pedPFY+~T@@P=jZ;Qj_?sawQeM zTM}%&ySr4gMor*nvM#;Ko z*Yn_ca*s^5a*ZG5&xw0s$KS84C*|Dz@zRD_{G~2re1Z1^@RU%oqLAoWvlP9h_k7al z=;wVO4zA%*MYt`ec;CVTC^}j{Fz~S^1D3`~7ZMN;n7wwAvbo+8m-BQ);byp!gs@Ok zQ%8jVCCViBk=6Nw`0bRKKC~mST~Qo*mvDHy_DtQ_@Ydu7ezFt)>4JQQPj`R7m~3JGYZpN{uhI`k#Eh1bkz zar@sdP7haO_ZZwO6;@D(ZWuRu@Vn`S(*BnVAo0iFwDI9eWToIuI?D40;2!4wm!ycT zoDHKN_szvkrRm~1?e*dIG8c!!R!H_XKFOF9cq<*IckXZfPceUSi3kA&U5Zs$7(&;y z`Gn(@Rbuni4T5R|gO3I%hkR_Qj1QI7Oha?Klod4)3TWs#M495JYSc?izh3O={h8XB z#G0G`CXh6IPTxL(X@0(DU!9}GV6(*6ZFulydj*uv*FdT4!iPt%V(Kh``#Rf%zUub9 zPKsP~Q~E*cBVeYJjcS{lbdvU1X4TO6;nF#PjKJRR6XCw?>B<7cZ^R_Pd)i~?D4iHSVHA4NuQ9<3e zFq7Lm)e~(_P*Iyvo^1)gvMr8u3-b8s_wkV4^Az^G+d>8O)DuP{$(%RS_Ha)QZY{F> z%Uaaf2y1Gw#6oTpkuH5Vk&)dwWjY|2-Vz>RDqU@RLm_4aPavE|AFtH59FV;2B~>J6 zXZXO^vMO|;Khf|@+QIM!b7hX)%65HJD{QNjA!oBdY6j})g6P3>Wj1v0+RTGhD0@7f z5+h73v~7Ove?!p%6NS3%f5$rM?L^7I<_4n`g+BS2d-|G@4Y-$=aVSwg_GPo^abW%N zr|}&ETjlYaqKFOJy6kVNRtXxuuYCwk9x}}?-u>mpX(_N(;dnTkk2Btiw|iH&m(1X( zWf-iW6yE!?Urg+zr9-D90P=ETo>_m)V1tk*y6s1ESqjt|Y039ir&)^7SPQwWxOOGw zgf(w|3=S9kn_bv?#cHq1lUp)4YOVAUN5zdEaHN04V;ixy{Q=Smuuvi%8$GZJeXo*u z@Hk4lJU?H1eC#26(;knacMzeXqkJ(x##p}t~kMf4eD zWa*x%!ff2Qz|JCV*>@FUX@WbHQdTRmL@v%tUbI1i5vJ*sl%HQX0Z860jKFc=4T^U# z65yz4rjW(o|?da!z*)Wi)N|S!uXIU z;_MFzW3n+-XhEu@>2R8iPEtakD93w``Yf8m79#Rw+0)pGTY84zuC`&O=m$Q(z7|r< z$x1Io%oF9E{V=24ME}<_1Z^r0u@C{T@BCve;{9t7*Gj=297LU$b<#q7Pwb;&bMTga ze;mb^t^n3igSLPMrQ_P;PxQukp%)iNcPAY87w6cZgG?z3w@JpeKmF7iIU@H{VERdOhq+^FPK zZ!d6*T+Jf-a`j0X@a0=TY)1~eiv_LW z<*H3}-SUP?B6b-?$!x|u{MLj~fg%A4GP_6QJG5${dQYz=Q&uL4 zog$e6XA>@xnw|T$cg3)V4$U3!CE3=Hk~vL%#=Kn*6JCTp46kH7P>;?datB@kCuPep zhNFr{pBNxpdwVRDz%fYXa2S*Aep{CcGm1lp{MOT_xyVkyZZusih(SgvHx_(10@8_6 zB#O$s_4fH#CK=8Tu^*1aHZK$1-6Q4neE3+#_8wbYD;l#*MFyB%Y#iTC}sO(=~TPO_o+~UH*X>cAGjjIy5SQ@Z?v$d&+RPW=|Up z{4K!|F-NEmAx-*5F>1jr)aDa{kKG&j-peb5$QOM$lC;|$kY&}lTfM@fEfd%GP_I>^ zk|q7QW4*U6r$5Q~#+YXXdIgn$r*{_fBG`(+0}!Dl^S!|`7N(ZQc8>xw?b{Q!YLE$g zC;Z5LwOZ$no1Z|8M;erRh(!6M)49`FU%nYPr}iaaD!90dw5^hCrxjrp19>%hj%Rov zHZi|jVwCUv`kF;=tVj1t`&3|D+-GAd&DoC}8Obiazlp)u1=^*O6?0#Ix{xGWXRcXF^A2PaSgyIcIDV6RFDF3NN z*zh=XFMYLuET=5<2xd()lKi67n86G zj-W$sLcI6O;WIMuLQ?8M2lMb$Cm*BeW+Ws!wSQbq8o!I;lGFYJD#WQQ{WxsQje{c? zc3#MVp3I6Y1S!{V{jq~-RJV`b3R>~N@^_!%Pwj`FzkV*IwVB;I`d%(?;VZ_eVW zIPS~)!$%)W5#3c$JFaQRL<14l{B=mYezWgy)*~)@H`#Ee1H04A;61l|k;6;u$LM>& zwSO+QAGx6WR}d2(%M9>W$R!Eil4q&7c5ExJToAT0N_ z)ZmGEBVFemH~ky@Vz+pho12TxkEOEu`~2AIsyHXt>x7f64elxYkuEJH!RNbwM^CUz z3WZ(Y4}iqe-o*&a35l#3*kWmcB{dwBq}7gbKw z+R6lsQlG;ZdH6q{Q5NAP;S+Bfy=qY3dB;hs?V&SdjK5&{7Nx<+zh|lbxPCX|QtDrF z{70PMoB_;+#9{!ZpxjR{Hqo*fnsZ1R4>tw&3j~%{9~H8p6dYTK+FvDw_PfQbbSBmyd7raP);`Zh_dUH`Tkr89s8~)DpXx)36`sW6%4S5EPoGB;o5k1UaO0`8nn^_m;A_Kdii5S)NTbg9?%T*O{r;;Z z`%iOL4>vu}y?Bf3K(M%j0UyJE1%R9UF+cDaG^6I~lYWO$7}d;L(Zw<0_2m1ttW}1a zl#NxE?=Z!YeCj;x1z(>YOuNV5JRz4umgim-|BCwW2mPRR`h^;;_ocQ> zzVH0SM*sPVg!X4PW`&+)nP#+c+$W$Ik5#VS#OUG7<`&@Yl=Y1EA1M+(;bZ?a`TH(+ zeo>Fj;9U?(3sZMK7Yo+^zUjB%YsSzrFBAjb{Ro@tH0H+zqn|1J8QlNBPuZ`*t8ngJ zLyT7%%KGiBOaA-eA5drQ5Y*5YPM$k_*TpZ;%k@#2H9vI#Q_tFA%Ks?k1F8nqzk0-W zh-q?jV4JOkcpIM{sB&lk^NvY+WQG2{m;5WbA&W4V@Z){YT&-RuR{;TQV5(6l4$b%V z*0NDg>&pM>)a+lK?yh%`wXfJ!5`r-)T-!tz3WxUombHfc^B8>IqXsY$_VBeBEJZAx zI_0Y6*~J&zO`N#q&zDS<%xRbNY5dSE{sweZZ*WA;QjYq&e(031RyJwFqg}zb=crqO z43GrP71>>$6wNT%FGBLk@r5do%f^aWyqGK1%f9`Bgg*#HuHZnJAd4pgAxbv9Br(nU z!n(nL{48A17h%j6N$ZWd*kfHl*162$M?2gb{0_n!HmJevj*~$01ye)8XC5=W?b=)2 zttiQ@BDF`>ts=(jVhLf);@T&-2&H_bEmJR${%YOu{NlFZul5yk0V!d+=nxF$Nh{ux z@%lru4f2kc*!_JFATkvUd>HH7Hfc{?ycG8(1bn!E)b~$%7EGhLLUBp&(HmYB#0VhslRG;*esH2=uM=5sr7&I>fiRg@&c4= z_Uj#{u~D$&KTPvJkHjeu?x4jHh5)RE&3BA0_x!h7tXgPu7`^(pG@P{$Z(mwO5dFoU zqg;LxrRHZPK-ry*bcFF;62kqvDqEH41P>p{^h6AwWn%H0s_a@b;d%M}n3s1+@WA_v zkzOyGciR=BP3dkT06HSi3Ku$b&L>_?XRTmuseb=dQ)bZ3L`;=G z#0N@L`ST$Y-uxoRbZ@{sgzSNTqUI&tl%2znDaVvqY~Y#gEVbXF39K-50eb{1;NKZ` z|K+h5_hKUiJJSsqZVI|@ksU|wB&>SWfESwt8#GJ}J|#XLlRbDuPh7Owwd(VCuxoKC}y>PK5#=4D#2~ZyS$+hRKq`ot4S>yeoU{aJRp3kmer}hXC zN)})=w_}9L1g$HD4QUkKvOMD4Fq@y8R)%B!VxKTCpJ5bvjs;j7+3?CoC-!!Xqn{4fvqAJo|M^B-YQilODSQ?W!=i;T z!wiPFw}S$RW`23?uciSOm_vS`^(jV()7^-A=)ddlc9ha5_*VMy0cB@W0te-5NfkPmJ-K{Lw`%-vcvcXu?WxIa!cnOU6;DSbCF0 zDpe6IC-QBliB?6cvqcz(0~bmPrdj_vX8w}A{rJtf{#cI-O4Y;WUShoqUZ@5dX@5Lw-r0&g6DCU9s=SFcVB( zhe_qPAyThK9DR&xmRJm=s!f2DuiWrj&i4O|7x+)EG%ogx6&F`+sTM=E+Ot*!5nFnT zCL`LeoEF{dxljzNv!jTMhLvi+3&^*_ARgU+ET2jx1QX0Zab17Z#=k`n5zNq{8zyt- zs%Z`<{w9AtCW)1A*oe6T&e>_bX}7V=;gS8Pr48Hbny*2I61O&%`E=tK|6$r~XG+dt3ofx@6n(>tyFj`Ccb!O}2J1XN7h7 ztIltp2|}DWN_Obi2UcXNQ(Ac_(`Nsp-xO3cv;D6(@{z{olCQn=K}eC2lf3o_>FL^7 zfy)U!{`3_n+eYUBBy&=4}tIcB*nO;i+nIRVohe-m3Z{uu?@ zfZuc<8q6w3Rp9`Ma$*Vkec1_F*&74dx9{Ko{oVaKS+8=J=|U~zf4*2nz@S%wm>*2Ti0ZQf6o?L%yr|Itfj=cVNspb{Ib#T4wUEdyf5erz7V~A5)ae z9&u3-mmb+ysw!lx{ZI4^K5aKMsK0*a**eo}5@r8g$dw6l?49X($_Ug=%u*#632$&? z&Ws^7T}eiU1&y1dh9Q_z)yOek`fTG=9xtBOuBxwp`9~37$R{FJlGkE&*ecvv-{f0d zTFs*Eo92k344iK*B-m=rrmAs1?$YQle2&~=UM8*u{Aa8KY$HEOYht?dNfgzewzwe~i_Lh51BOq(n z47>w20+b6w2w>5gzJ9IG$)B5+1aEI23~KfITlH64eJ8Ei$fGL;!id69Wo2I6NHowVI_O*>DH*I4eg^&tjbD2YOF519>IO^!*Dw#;z(_gYmVTdLy zI>ldXWLrZ1OU^zTI^+C=W61bH4gZuFjG;(2=5@_YoGoK?2A@>gwnwCI~GruZk6 z{z<*qbYTY=SV70*FojW+Ev5>A*qERYyd`=Pq^CayR10mQSPClxhigsaZ+wOiIk-4| z>E-06@R5q|c8yq`u0QlVtoaN{%pcbMvD#A0rsN~4Qc$B(P8ka?9#J>7-k5wypn+7K zX+bNR=z30%U59S|E{4dsKXq26*L&6alqs|~&LzoI&c%G9TH>fpDJ(MVhvoUa742rsu9++Z=<|=_?ABIV(s2^fl;x9-ck>Qt}#HK-9jMQi8GUSIm5;}sT`=-nG>9wDfYhxvL&wLul&t5t3O z4XnFIDQZpgOT0l)F+4HLRCE|9V-*3<8%w1%67O%dO4Ixdnw`ZZMQE*<)8Z1`@4L2I znF1FPuw)SokO$F}oH?*vX~jD#Gu++XX+xCJ1M4?;T|Yh_Xz)c_Ft3ZXmz+rLq6)XR zPTcWz4z>KjwYnIT&A2UdD&e{HCjHvv5PQC4QqTNUvS6(biD*|_sxDpQ{EMb39Zk>d zaN5V|d@AsM^x~ps$pHFcTctO?W-xZx;d8+a6NDR38lLnDVw)+ zWOA?-+LJv2k66<(NPRR}wBu5c_J&c^&F8Cl$88x=GUEp4Q_@W6|J@fW)BLwcXauT8Npb^2^@7=b-7_O z5dhxOyia5CBxwZ@j=pNCmxapxn%kne4a7AiX%p^m717Y;_eIa%1@D>21XaZyll?33 z*%^YWZOJAQ z-Otf_=+vm)Y;PjWda5&y{BR)cJzq+UEkP~oL|pT0!(FlmG^K-z=mQ^H#y3=<42t0l zh1T4Gh);`kUMPqIiqx~UalO1Pa%4+ki|4dQbyfj69fT|V4qG*;{WHA1ozqKWIbaJTu5$ddTrKbV}gh;!?ep+mZlpr=U7(Q3-ZzhfqGgs=uiJ~_jnwQmYRk5;&a;K8moqUDW=PLN-O{L?G{plpX55eep-#KQIm z8iOj^zIai8-02FexQ*%Xv?0{lclOed50nj#YvV!e(SM|EUJIP` zGO-LE3#sMeTKwaJz|FY)D@MOZde*xKVtvQjl(aoIl#5Kz!OhomEo#LQiq0VHm;4R*TIK zNIMMCy=$()2X{G>MXCmwA;e@{UNeI#QHG}G$6W|T(wH(vLT$Ztq1+-8Z{MEp-L@Od zc0f7r*OnsB#J!`8Vg;>LCqNbcr#ruD3Q(PQImE6ENbaqhPRC`eDulZOvHXh_!uB7p z!0rx57a|^Yj$a*k1U)UM?8g7j6$Hd(C<(`LaN408rVB^-T%h=h@UG5)8Jl@r#-3aj zM+@nTHy8fmd)tcnOi1je5en4qk*4@1OBeISEVlUx-&~VQFG%03ar!bnX%Up)1&xzu z)Ovt1;XNUUF3*AEUi8M6vjllCuD^rx^yxAD(iR9B@2BCI@zuk<(NFCKquv z;83mdS19YhI-k~As$&3^0t%*xRJd8qQI(e6dOi1FHFUlJPTd- zMFG$~p*9}H%S--(MRJ+)E1kBawGqVgVMb!W#13@+^KJwCA+g%{*@?J>b65e{9RyEI zka(0iZuN`twY4)@_AJ^t{f#F{%?LlI>GVvma_r7tn&*+%@1>3%kJ+o`YD);5Eah$~ zTNRt;jL8k0PaTc&iAcCFON0B@t}HZoiEppwF>#LW6@A|_GqtU+cL!5siGI3)XMZ@HvRXC{}sO%NTLdAP51vG}{_jR(XyiD^QqG3Uw z8@bOl#ihTrOC61VY~{fupzU|QaKZb_){6py3hdynQ<)Dl_bNwj9RgJAD!^kA6&vSA z>`lSqUWlf+MwZgfJnKUEIcLX!I%73!zi%DUyw!COekb;RbOS=$0WxG&vr?64s z>5|di`49fYY)Hgf=Gd*ATy#uCu`z2Z5y3#{H?%>A$5(z1Z&i!r>L9{_6cs^&O%DwF zFF#dgXYA9GV4RGA0&F%1-3LBlR|C)5KPY%bRmStP(1X$R=(jm?kF$(O-a@i(<4m;8 zL_QnR8L>AP$$4&Ei(t9EVk!9WUoHSD9e9(k2>4U^aYQs7`vrMOF41Y>({daoykPb* z47L_SOw1iuIYgt4YVRngMZ--li;^7XSkM|eT2a=ZGYOROkJ@kVOSQd~;r?L|B+ znKRwFp^11zB*X(ABNp3$of#2d$&Vd=b!i)95Td8WF|xHgR!7Hg+;>Y9b8J;|L9_u! z5^#cas!&%wlese7#$(ka{XHF~_Uq&)!#93}?Y^c-Y$t(g3Q=Ukms9hSqkTiSYVbys zF+|g-l{fBD3WHLAybAtr7smp{XPcCESlyi>wb|>n5)HZK^8GTL{zOfwtGyqGgylnTB3(lFCUT?Xj1Eq zjmM2!wXO1Pz~gB!@XSS)>@;Kh&&xvG-KG<^sRK7Qblg3GLCj;^^%VoiUwZ(>=qYwx z_{WO(`bgHooW*Ro)#LGkR<>w9dDL(YoV9>Q%p11*cPcuEC`9YKfw_Fhtxv#O;$PJ` zZbqoRS^|Sc_*2zJc1T4J-s(ag-_R7N2q*BJU`Lf%K^tO_PkoQWxaG-i6D=JUgSQEj zdeOjkp1RBRX4R;UM=0Z7Uo~$kbjsXBz}t;vCRwn@eZT*U%gg!4XYH)+{uvwJHK||$ zMiw4Ut4jgC4*s~%HfbkYZpQ}SnrNP$n9GhfUWV)E(PQ!S2$IP^LWNw`L9}1(QT3-F zX?vKib9`(}_G#XC&OAZL+n&a+uIUt*{IW!#-AKwgL%Hrw-$TTo*LWhzPsq>>v;Q_3 z_`*6EFE|n{DlHb#u$aGzL$RNZf;~@1d?Y;#8x{bQugWOt-6e8fbQOR?^!eNm}olL z@U5J&UaVHM;vVVX5_AS>sJjW-8j5nRfheUE`idRqsw+u3Ul_HWVm}!{;rMoTp0R7W zIxKIDE);YPj9Ae{-uWofRr0qnjn@rVs(40Dzb1mff#Glc%g2m2Nq$j#JQS9N0*<f@)lY9-)|(S4E1`xn(BWc%rA{hvDCr5plSjWUjZud_<(& zkMR!Q*=e2C$a<)^tu~D;9HltPda@+*;n>=!TX8tBmNAj=>66Xu*S&S+7V=q=QNggc z{#U~L%0QgRV4`f9?%5I(PO>gEyd9=+Fr=wc)F<(1!0~1egS9Fz>aAO%1 z@ z`yH&Xet~{FQDp3Y9`;hVUOdKku($YrOgOUmjU`m&^eO$98v4jU4DER%QZM)XMx!(P zS1ovK@V4|15{hOe59>oM39ggCr2A1glPLMhHMxLZV`Zqcp(uTpkYCE-A42B=d;Xb+ z=N1Kw4sG+>^LSGh?dD8UA&>mC9xVOYDGW*$Z_g;^sMEscXd^4jA%Po`Mf_i~&|NQ^6*v`rc3<=MeJ5mAtpk9TPdQLuLI72eJ;zOw8*KAD8r7i1Q3B zAFwvbNGb2K?EzU#H>sOENWV-jbFDFA_NrLc`;cN^F-v|&?_rX&7gSGK1+POCHaRQ| zs@Cc-&BpH8w@W2@1`Rvi&Cz}_7dVAfD5Cj9{$iYg9y;-_=^|aMfhni|T8cYVqM0UY zCH@XKzV(B=YZpA~Q@?TF+l)1mW&SJ>J+W zE1(eZJG&yoy*N<1g7Y*8G+8qPYMx_OSMv!R+pfeU>7|?=%NCaM9L8uoT=y%MhJL}7 zASlF9qKzJxE|OZxh~o=gMz0NOo^JcbI{&=!5`VZ3XQMa3Z=hH+O<;J%6Pyb6wso|4 z@+4-%bIJb%H5+(mkS+k3DdC0Us$@Gd1;z`95xZEF^X)(Iy7wp^OlWfg1+G zrg%!6+20w6rmO2Rp*{*DX!%<6y2QVU**CFGd=>`p&V5t)RBwv1eB82aw?VN|H1=&{ zlXpF^M8Xf&_X2%V>6qS`2OV5=iVkZv5#siQ1!Ei5MlXN<+{$J5>b|2C{Y+s)2|{0S z?#^7iPbT#U&(LVE$8Qdvuh3q#ooX^iRGlMl*g-m}+pJJt9#E*q%JjW+tH%(kS~Em&V0Q&99g z$Ul@A<1O<$hW8{5WaHh{IjDtQ)`{|1&yn!QL_S92nJu?kX$*u(`ncDgePJ70sblzR zNe!7K*5$SDgz5`dNc3vmE4!bqOJ2-ZB$d8lz=Y7)zo_~m98H$`m2E#{nfWXOBPXY8 zmGnrEG|OL+Ew!MW}a7o%`cK$ih}3ewHeq*#%g1@p6({S;6e3)|HEW1 z!$q(0HRVLn=S1o9G|{Z*9g`BUmL_pS`o*2!h4K-vEn*V`>O1?0&s7pE7!5CqI2EJ| znwp;%8|+ci-)LskSxL>@zh0~efd_DM{aiTlhlj`4P^{OALe%W>0dv(}%$Iv9b;7{! zSfN5n(5qP{b);*uv0q9T$l<)dURK+KW(4UaKn=NGR`!|m)b0@B&nxpW1{Wh)%9s!Z z%d;(Yq*-g(um+{6Z0?wG3%2hg^WsB|pFr2-C3+)h#e#8b12C(Z^2ZT(w#TL7*jmx2 zSIQL(_RICZ8ghzjCHkK)c`(T)K9m4Il7D$n7H*lonQ3rC+iRBe@%VFdZVfNb_Gy4m z$v~Z+Ow%2**fm7PZNKc15Bx!BGSn>2cb5Noq(PfIPQA+7)=qF>2yl;$ds5-+LX}nz zKkU8^S(|4SIRtW>gBN_BIo3afwSdCT#g&jLU@@;NH>^@)N? zu{*qBR2BIy6&!Z@g#?4eAZ7l+eC|7k<6PP-D}^2{B4|S+z^5}*tNR<7wjxJ)864?HiOG12)Fkw*#h;$ChX`i;0v;Ba6D`FOQH(Dwig8;`*tx(KQRaL9^ z;R_!snOugfdH?uN`kb_FH|O*lok+?fKh%_+YsrVpg^oGGZ8qA+*2 z*M>1Ze5`TNF>E8hE zOdjfIG@O1)<=g8JEj^mwdxEpzHcgOfYh6moHJTV(zNrz5dC@0!>N>BimvMfXt7?zj zPsR~2^hSMH_0lRpn_IS6NQ$`feVK98-}r^6*YGrC&%e<*(P2+5@bO2yq)`(7md#qw zw7~yiQe^?1_&MBm_$zORc8+MiHx}5hAkXDVE>6z?_?Xfuy{?+nvRDZMZ+F<|FM3ou z7%d|2dajP=wvwrwZN9jj@>_%c11xsVN#+ikd~=tmfWw2yTcal;zO8%Bb;*Z6j$C7H zX6Wnq-QZ+6<_04mK2wEIx`)z|8gTeaTXQ`zuU&5WTO)N*maO>yaOD0bAe~^MoF@DF zSHRidncTi~Eicn6^CD1zqd2kd_I*jRHXoz=nBC-L>JLcJSc4Ypxz_ae-O1GSDhdB( z*)hp%MyezZ4iELLd|>WLKCZNJ)|7_hp-TGfO%#4q}5e_Da@p9=eF*1;lg21vC9v? zua0Z{?uo|@@f&g4qFIOZ(7lb zW)}IjUnvm~s!zpV-H)^~FLcza7_$F^FDG=;VgFp=G(xD$@Qe^*#8Fa2k1eq}nVRCo z3Aohx2NA90L|AINLqgH-8a|JhNk{rN{lhl;X>KpJFR;NHPlK3PJB}i#v$JdjXkGD- z%4HD;A2pD>0-jT67`&=R6#tzHB!$%p8O2oC37ZENGB6UYy{`N}B4P(bkCGkD zw+9MOnp=RGRyapWakV}oFin+v!_0WN6KYiCdO5At=qi5}|3Bm!P7wI|gc`mEuC2W& z!P75O>(?COK~>FYSUOQd*ZPfC*(s;V-25~2>(@E8Z7&VrUAeHFa57& zBwc{Y&riN?NRix74hQ?`Dx&!B;Q4x#8O-)}^EFFROZK8_CZlgbaQ0AD+-uH?ZU>Le z9mube+wyY#J%a63>ZpIgT6H8C^^bmoLt`@Knp=B^vBhD+#5zp^S(r9=58KtkgG0=p zDl~DlN8%n4XiOY!JlYJKJS;RZ-NW$2DG}jWoZ#C*ureW-AS054AY;dH>{dIl zBM9v0!9kB0x-)j`gJzN+H8I*!d0dfP)&r2u8p6U|Ga2jPfa{~&m0u{0x-cObwZ zY7D94IPQ1}CEGvP(=1}P!{dqLYtv))gjZ`tYMJ-%M5~5kT_|_U-fuanMBt!U?vld0 zx20X?+dj0TJBMpv1cxxi7ZpNm#n~U6?1Z+oXxm%yg6B*@#2lDuz-|#a+2Ggki)hnW z&(^JZiu&sKF0(L^-qTc{%e=^f3M5;}3%(#4(V!O)dMoajc`j76db zMmx;?6M)enawvQ^ck_a1{S3H`3<#EB=!?#Z@)T{*rN+0K7@1A-+m5jZviv7 z+QZvxG^~0J8@Z`=Fuqo4Bx0BEx7gat(Hhb(Hhs;!xKubsZxV@MP>;gcQrdP%7TPhC zh>(u$7>&kBtad6i1CFaC8IBP!k(P_6!}f_Mg|U$JW$f!SA-Raj(T-HT3QEagZ55IC zhv`se;$d91zZW91rRYz*&I@5uk7A(rj!N9oAb|syz0hUGJP9|I8gMMlIV0@7*ip$0 zCe;t)r+qHkZ^6r{7!qO{8(|}DcXWW4dZ95d=*gPIKiVtni2$?qHrs%47fPvy;aO#* zT;Ug+gHM|&R1R^8%bqA{^PE+}4a(TQWCr%i=1e`zu2#9375(J@4#Xl>4O3Gp`+Y$g{sld2yvOrw)fvqVh-| z=bO}p;va>&awh+7!uDl)>+>YPa-5;GVLta=Xglf)gB9aI6~$Kdb(0PwRp^oK33uYN zDlS{E7716wchV9lc_gI3s(mE;a#un)y>64_+Y8mcp$Fc9#Q1<{iZQH-*E?vRNAfMmJ^h7v7Z0A6sj z1mT|mp#QwF6&!!xEB^7d?QZ>`VB?}6aC4Zt-E^(`?=C>@3y%use^Ww9?2T4>@mZ}R zWbn?AkL6YT+amBj&!Ph~Bo-i8to6lY_&Nu6qU%I{gg$8fcjrq$j!E1|MTHj)?%wRJ zG=fFIRZ(tD@|ODFeY*iN7rPwxozmrIx<_v)FkQ0T$MXI@3GzrvH6LvJAK#(h};j zjLVHEHmxWy3m4ui0f~*XN>E`t*_isJ~nm-62iSU87K6|r|CT3 z7^jPBzB#+xIZchEo*bWc_NA|g!-cRfKX#l#S-x3sLVvutYt{2W>_^*c9dler-a6wM z+cVFdm_+y|)8spp&v+21K~sI)&sSX4D zlMMTlBT|?bJ%;%?8|g4wsJmh9)r-ku7E;-)zV>WY6dLVo{{%jc^C3!0di(CP5b7#~;Aqc<#7pdQvw zdp+6RmDuPGoG@cQ`^$oyk{7xzj{~>vGI9%b(_jJzeSTh}?Z#6A==@^4 zuL~y3*xZi02*yK6URz5N{!uiB5|`|K*M!JZRbS5DD{7tVX5H3SEG5kv`s91ObXO3V z8g<e0y1R zI1U0nt~~L?-P(*=Kf)U!mJUOaJgIb&s89qdxq|NAh1F+M<@wp8n?eRHp2MJqs58dPs0PLsu_VD-u%=2+#>qGjADZy*KD^6cYY~ZCxROfs3ASQ}(+W z70h*Ce5Gy<-Qn_3^Jvmv*LowcBP6cAIq|-?s2hBi_SLgx&ib6_G<>`8l2YB7EE+xf zGc3~Usm#hktizkxjg=Y$oKyn0SkEKAW}ti8L|OYS*V?ut?3m==-X}^BE*?gBy1!S* z76}9&SzBC~>MUj+hrCR#A0j9^v>n~n;2bsBDEYIkE*@3P=VIAfyg_eGNlcHjMxTR= zhtJl0Ba!$Q+PrD|)kaKyA$4TeR|*%@0`7iAxV|YqHMFc>lgYdZh96M1_dIxijCEFBU*(OQ$pQNwC zkdtM?#Q_^z{n1<2TJ=Y^^#UHZ3N6kj9Y~<$vc}f8xm@OB$%V}uyOR01Z#9oBZKimf zs|t?KoxGSg4-s{Dtd2%Q=&94CgH+ZM%!lC?I{dYX3P-K%rApVT*dH7HT*^L1Xtwz4 zG|Y`Vck9(#>j$?S@|4u$12vDv?CQL$mVd;q(0Q*LeGek>YX5qjjL2h5J@A@{rWe>V z&)iBk(@pC`;LM0KG71I4zMld(6WnafAKS>xyZVM+C5Q6_m;b{BP^$Z^W^!i^+Sq?S z*5-+gFDaPxy1*DE)C;|_^qpEWZ&lT7(m%9rYCGEi3J?-tT*@ z~baDfw{}<>C|uKO|TYBbL3g+Xty1&gmM4+(`?ES;~XaUmS`L*%x3r=eA~>h>?NR z_H}d6O-X@fJg)D^(spxXuhhVcrN4J2o;Ol^qQTJ;6X~?`m_YsF+KwaHI3R!@ICp&G zsm&4WDf1`!q!{rET<+kookh}@9~MC#9Q573V3E(8a9bs8n}J1-6z*ojkC@mWKAvyg z-jvX%^JP30KjSYj-x<4l5!wa9fmbUBpP3dl*#%21f2&Ux@Ts2JYl4!pY*}>60B88U z&3K<;hdV_&oiku!oKxm-F+vo@?F~6d^rBoPO{7fXT=`96S*Y4iYsI9}eNVBR{$Oky zbfLrBiXKUl#5q%fme{~DMCJ0uonOJXEiaA(uOWv`B%eR)GV~T*wPnP(za6-JTWNA} z&XnTL9R}3K0+`ccy|X$#Uf}XUo}(%?7CzUnAV(=saWEV(ap0m6U$OXBIC%uqSAQpg zMKlBqMmiVp4hgNnym;8pGiq%8{$&YbzRd&YV{uPER+$w+Wp&KrhSSqQa@3!!nz^IH zb`IU=LJaY)C_zY!xFTah0UQ2!{p0!GUJkRzpMee!^YvDkbLip=Rj%7Z)j@NnK^dbA zz%wRO9F9UN{+5w(*zg}M_FSrtd>sfNSqnAFZXm)*iHYIMY}>u$LZwA7so=nFlIs)s z2txmYX|{d?(|nz$U`M}EkLj2LXT(W&0=SFV0|8%${74XVoYDbgFpgepaB_k}!HX4d&D%7G4(nd7VQ_sTUuzSmLl5YRe$g{7O5de#hOx@|A?S=`)=D5?bue&D zt1i!s(FH8n8G4!ay4_~~@`ea@Ubt6{wO~In@&A_ef3Mz z365@1rATzEm|~=_ff3*MX7~L*{jvFCF$2Y=kyHa$yOYenohk!Sgc@YK+WN)Qli#B5 zaYqZpq}K>&HnXy#CnO{^8clxy5e3fou)>}(vi-P}&AXc;np)bEIbzQeczT<&nn#{3 zdtcJf5wQKjp;7)nf)M8NU~|fD@yLX>o?6gv^#xk7&|95%#_PqHxX4v@st67Br|`Q* zm$MOg3_9qiJO7e{PuvUtzCMH@U*&|m&x75;`d1>O>By*;#W1I*c8BQOF&M;x(||cQsaj65)a`22jD~GJQUKIpT~fOGizexQivy+JwV`jqx**gdIA)3{i}{(7wv2 ze+E4Q`q{7h*Kta1(76Y0W6V!t9ah&??WC1zs8r6t#~Z+ld(I|MagiHf2+-XI&d!4C1Q{R}Hy~iIyC<|HV|xhip836?bPLRnw#lF_^%Mt{2^+5pp2(?Spht6I!`3y1xe^xp^s3*~UzKfQ> z;oqi78nw}A^9(e&l*2&94+u}=liGQDNekY~malSf=vAWV*r%|~HDdaYx$5hJ@mU!# zj~)}0{?p8`k9(^AmhwJdD{&Gn@Q zP|$a(Lnz0pYI&GY$dBnUqVu5cCg$y!G4oM{8S7~|!XWwH(x2P^x?))p?uzVkx{B3l|wdI%d73)xaF5%@i z6(4^U9JioKWjH+OXHwE`bFy)*8o2H~4jhFErYft8P-}CuE!`0o=w%EZYj6fD?2)Pr z7zfW%FuAe5dQ}QuAK@Rjc5F`JI}fy&;I14s5aq{ph!epX-#?vag;ezJbraAg&~}E3 zKGCRUAL4abwM8?QznN18YB^>9tZ9AT@p2vF_`MF+4bgx1F8g2F-l;*7BXS8N8=a|c zHI10YU+v!7HE0ZQ*gY`~`#w@`zj8!nbojPOa$2a;2C`Cqx5fe%?xOT{JGw7og&OyR z=DI5t`@2L|bNhA1@aw10hoHk>%DRvqh@#$;Iv+ zPh&p@@6DxjyucAGHsn}+V!Em-_-OStL;f#)&kLSl^^qJ2|9qWB_vBWJK}BADlN`~P z1+RT_SX#W|xxygcYfiMiSE<0DGBce#?%~XlsqQB1jw6J+BQ9|?C(KI^H1{Lkk2qHf zEh37i`htO~^{Cue5njP#$fhdF?MlY2I(ksybOq5lmDRmWU9q^mt=#VW%-&;Y)F-;3 z{3-Y;%r>L~U=b5mlDHR`DCF`fg*+_`Rvt~X7y6jCV0l!_afLF8Z~O#huAWz{RE%rA zv%T@Ss)K;MX~&HOq&dRixDo}}LG-~_)_dG7;JnA}yE;1b%~@mp(KXKqped(?d$Mo_ z`}?A3xQ+Rd55)A%0zSuVz8k@sznc_#({ex|6T9 z(9L8zy#?}bT*s2$2Ccc_7GwkbQ|B!cmRp>C<2%-R2gvX^=)9zK_TQfhsBgNQkjBD! zq|TQ3?O4_{zH4B-kU97jIfPX?8soo+5q@#~iXnokqSJyVan)?h?eR?A@C+JA>7d>T z-|gORb-eSgRb%W~XCqT^>$B?Q)lS<#i!cNsS{cQr4^gMsztanP(|TydfP#|g(c+6bd~OJ0T=4}r}flx zPSdkp!*3z=d_G4?$RAw-`Y_Mqd;(Uu*tnXI#&KoYcX-ZE^om$5pyN zm5Xgyz>sahh^S_)9joq>jN|bhXPlZZUOf}=bq;g+YGo+p7rm!$!3XFBu{A!BpCdFc zdMIE|6sx^Fo;|!I+VK24%Jfq+mAF7eL`r+=1hB(!@`t9=$sBwMw@^O4z;L6W^#PkX zPEBxqo_bc16VY@QLNk?&o{xX5ZZWIHDsSKQQAC~bX4-}m$~%PAx|D1$KGdso{_yC) zsSZVx-D6n5c``?ct5cGA|JJ@11sO;!!&D^NM8h2Q4d(UOm+9&bnq|GD`I*@U`Qgwd zN6Oo@Pww7#0~lQCwtz~@ZtE|5Eox%Z*fURvh{NHDDG=-(ot8l%CZ64(!0P&}6NGda zd3H;oLrRo^mjrlN#!)$%PL|}u+|<~>^VS!FKfCq%RTye;6szsIT6;Mp-0Z!ok!f1- z>FAJRzRgpR5JO9ewFI%o^!0P{yR{m-N27MU@o4>guxGyC#%NZI#e9`gB5J>D7DGt6 z`qZ=$8zQA~8y)DuWpF)Qhj20#Tj0WU8BoeCAkfuxpI%#>p2aYP8B_7eG|Yn{i65I3 z;@}4K$;63fs4%Y`;iVqsjxkesPc_a!6My8%?7c0k!O;7lhF_q0@nD?A8ir&fo3D3h zrqGP96iM>Zecw{W-dUOb&1k^cCEl9a%`@Qjrx>o8eUM%+$3A zPn@8eDwJW(=Ew?O_PvP*-So&2@e)7U{1f+{@6M`?&buF?pxOrFNvbMPqRUzL_dpS+ zb0}|)9z4Ji=^;P&{5R)B-;6Yey=bFM)o2)Kj`obWFp`ez^aDTor{D9(T#Q9$ie&%HP-RROJ0~9#1YD6wCJ!Zcpr7K@EE_;apFX}Am+@48 zD1S-H-A6Ag*wn@DQ*tG-lkV#O{Q*kt`4(l8G7VAXQ;TDExIz>UIQs)p#8)wp5mKL++*QcIN`@LE>lSbW* zd9ESyYkLF&_DJ9OppBobthUPvxb+tO%O_kv77K9TfWEP0{Zl>)OhGbwUB>`x9M((q zzQ{9Qsi%alElyVV&)O2hS_9jk*4puP-_rUuJVsIlWu<*d;(SH-*m6Axyyx#o5uU2| zUFq8_Obypr_4Dt{Z!hQPJJ(X0*kVZZXV{a!IPJ4RnBs9L_eJC`b)p0aHTSinC5KE| zG+mOXK9F?)wqwjag`BbLzn~dNv_*9pnzDLt{}omK1{==GP#80kk}r`%<>w- z9M3aV4~kBgDB8^WA$py7WqKgs09QP&eaz$S%WciCe#URwH-GvJPNINx)W2>Wf=KfKN_q#(MIZuUn-F?c<;egM@xaTx5@@=&vF=f=6dNdW-6_=ntf`$RW$L_+NudcWsGrLbF*eAK*DSZKiyymD=O z&f9tb(G3gYcZV<)BRlWmhkMmc+c%AUvVbomOomMP`EYrLn;p)9uh(+FKc0k2_^^q@~8-lpQ(>J2a7( z#kfzqSMI0}-W&J$IKGp9K>wn!^ zc-Ye5y~c|yDNE%Lk^z2Bv(Z=;9KP7cXCK5I36q9)XJ>fXcuq)6`mYBf*W8yKD@axg zK0lJm@piZ|*-9)$#v({o-#?x+fC&bXWOJGGHrRA)C>5&ngG3;z?4+on4_**Brn)mX zmb(aXn2;j^Q{Q_aqOM)$r5zCtmtM!r+Cz{YrDQIYg&G&wdWx0CnJvS;a)DvJKU(B(@k-C~LcErf!1h*T<2OG3+<#*2;A7zo28E6JzZ|>iMEtywYOrTk2jf- z0W`XXdv81YEBaGTc}*jy(|7*l`U)rlTn2=CE*$msB52?2~F$K`Tu8_&@O=H-eaAtnfuXqR& zAs>APCv?+7ekoIH19u40xp1EkN!29aO4`D|7%QXE%k8<}F6R*;~>^MO_YaK~VeB~@|lho-981z{@N#ToD!}sm)7Yo1k$>_@g z^KU*hf6Kg&$TL69n6om21NrDuvV`Su9L3Ll8EYoH!{MrY51%iSExhBdA;G_%&_VIC zsPc2Jr-wC^giM{q#?xhb5g9sisq+WP2@byr=E+h6P{Y@1_Xwv>F@iuSD^(U3)%l6O z>sI`sHHS)+@>OaHv#!bE6uV0;aDR!INr0*%duXnVCY_B1zc*;bpy&C$=TsF(i~8_( z_-ZK9c!~+Q8>fDzoFUaH+4@)-(mAt@<|uS=7`jMRH01~vhSPtX*eBXKYd@y zalsW0&|ba%D+8@1DXrTMru&Yed*VrY)LKs@(_zM5Nv!f>oInEc88tkYxwQ*D2t3Z} z&~$P(+FiXGNVMCIhEJzkPG>6_Zpu^_E1hQxHPzI0Bx~ky>0^ z6DN4-mu(_@wpx`YL-x3{<)6o`^&zao75Jpd!|#N0?dx*Vc`Kuftve{9wGCq2P=fmF znEF~ru*@~`xEscZKsmw$xQSBqh^~s1ERRwmXCO<%zxP~*c zKzzj^ov%8}0Fm!!Q(M*w(u@k@cGs*dp82>rWL`YsPmfcdUY+u(Vl`M#FD8ehCMey* z?cD}6?`g*5tRX6-P1Pz6)k})mvD86w6CzkyIMANvcAD^+yCx2whrmeM?CxRcOQZMV z4^p+eh3C%5Q>Jb^GtTy+Ojn<@dTFqEx7+MH`)$z9>`0>6YXW|!OqU5%xt0i|zk;v>6w3O6IgNk0P9^%e)MUU2^FolqTKV2Xjfu>qtR5V4dDDRZwu7Y9 zRR14maAz=G3?-=2oTqGkugbNNmjb%KaIXi4gL_Fk?JXS{Z2;|!nEpif*Y?Kcp)b8I z|Azg#nK`jkNq3h-JU44TYiL)^K2IYWO17e_@lCfDu={8D-hiP{1TJ4It4U|AyRw}b z($U6yfSSMTL!)ww090rqQThxc_Y%si`)jdhFIJKIz6@0sM^ESbhW&PAFw0m*&xl&bT+i|-7<32D8SnDii z9nn9=^c|Aj)p#^y#*$7{EHD^gd=|0z9Fr7V@X0qol43oD2JLnhlOG-)G|=12P9PK0 zK@_V+q1nosGKPY7fzYwOXLNljf<+KCF^LjM0{zyhP)d+KaC~4vm=}SKeB?R z-an@X#k>#uF`C6gk{_Ogm>VAki;JI)yA4;lEoq#Z!6u4RObDs>%$z)>l{GHrXMb;3 zP{2HO=6%X(pqS5;hGY+&eeKNG={{8RW~9=Ydw~nk;sSw}Cq0f%MhF5DXm$ch*9y|T zuI#}(gf&Bmd%1O37n+KX8TZ4rk4R}3s=O&(Lei~9do3F(Dt6};_wW`zDt<(G3suzy z31pze`u1*6OZe81H?|XOK>wkARYTv;$UQfH?j=oBER3%B?_ZB~mq(;~4{GhjEEBmG z&BiHukbw=IU5~2kY%>T#_7#0p{`h|R&dE`osGn8edQ=Ed@b~47T4U)oS+f;sV6QzQy8EE$ zHtp@?T9F`LUP5L{ex>t}C0RfLNC4a|DSeA(uZz7SH#-707HMk6{$-R^A@^?c$`GC$AEY{BFZ~vIDr?@T-&mrEP?C z_LGC*bwgb1gOdOK^f#+zC+Lr8FZkl#3<^v!sTE}+_?M#c4kd<}{_YR41$@ydNe8|i zkih+*@qcdjJpj-I^S^!qK`k)+PjoUa-Ty}_5BxPb!jQlp&FkNSuM=>ev0u%C^?3hC z*#G_-pmF-gI{?1$jaFM<3)}#6wYae(`g(j42G#ZH(7!(RfBpR2aFBIfn{|-%pzv60 z2-Dc?UCY(v^hY8b?5~jeU6o#QeE@Ajb_+uB?$mI2J?f&)nRb0A>+R6earF)9*5f7h zO%-qQ@mnwT&Z#~)a5E3PZH2l?h^^=HB+1~~nXGAT)yAkf`uM~uE^%Cm5&;IvS1OTP z*ufYR>Fx=5v_y}`{ymQnU&x*$zRMjwwS9Q2Xm}ZWylB5e8{+Z_$-8-?ZaVQ;yNmU7Uh^gjRUE_# zH6GL)e0#r|mA6?@y-!qaJ{SNf!<;@e%ClWK5P(xDhU|~>JxIoIxw~@(G$s5yDxTQC zxjhl~kEUe_%+F)X+tmN?S$v}``Q5a{TKrG~O>_pH%+yoK7F&7*>Erfwbp$x%yfPVgR>wWN@v- zKaMQo5!hTA>?D}|$>q*eyz3kp5yGF+XYzfcAb7-}bq@5n32~ z&NrC)+_vLMQ?JkZn6TVVwyP$rUN;neD@+lBAlp(0oTB@WLG5{gx8ZWNmTNUfhU{`Mn!5#CSQj*+X};$BOtXOxW>SF1|Nf4SdvELwX$+jggbg?H{^4OGk%tWv^GgSR?pV20 z#h>1NmH6#Lyc+>FB7>Eny02YMs@s^}QAnk4mMzTMqgdp@#hC=vd3&#)UbLrPbm>r0 zQi9X8T4s{`%ZORuLjRn?{2ZJ&Q~W%g#I4=dbgWW;NB1>i+`e?mf_^3y>>LqlZ0T4F z^88DkEl~y%1}46j?h0mH%RJ|w`7Lbm0X(-}L6a7V-d3Wm86+HwbbFrR-vvp1w=!la zgEn$mVau`tHiQh>5~U!ap<-3LD?Q8q{uS%M-_*O&AiZw8OBfaKzcQnL*mIvNAZXBn z-V`Vm5Bg_&mhzlq10W>nJV-Z5SLyo|3hie#F6jkvVWeSl&`8JMz9_3mAv#-7jG=A5 z&dh5SmQDO5(<*pT-}_SJzxDydWC>n?DI51csK@8O7O7FjgFZW{AaFX@hYszxZBYX5 z3A&72{+{ulgMU9*`KL^d!Ys6Bas#*fRCkB4>or=^%PU?3knAm87XS+DW81F*!jR-2 zQCVX;KP;#;vB)})7&z5!JUdx&BW=A2A?{t4_MYo}bmDK{&_}ck^jlL>wGXXQmwzp} z%AM|_K@Ey@cP@Jg90?vpE0{7oS(i)J^PBKN@Yy9S1;#XFU68Z_8T8$Eh(22er z;m|}ae<=XD1Xgs{2MoAxd8wPEhUGuHDf^lW&Z?Z;eM)Df z2w%K^l%sLhd;>vPCH#~Pkt~_XRCem%~;(PCl}ad&65R0fk!!m%-_Ke-Am0 zD^1UV`F2ObihJGD)0bU8em)dpTV>0g>b%2-Rxtx)HdEBlFwFM5Z{&936~IhVGox48 z-^?*vD}@qGwjxjd#$MJz(A7-AR#jUoa|^@4f&ddYL&vkhw@{Es@Mm8YB=%*;2-02@ z$Z0ss>`^G3uB;zGLRgtdaW|&2zq=c-LW1vIZ6^;OOvt8 z+EHF4N)JBWA+Pr9nla7!@}XN4N1P~&=s?q(dLdy$jMmDY4f1lOs@GHNT)UWtk!5#K zvpM-KQ=a`IV4uUaC~NBE90DOJ<-V%#FNmxa(1ajeG&mj1W}>0Wucatk$L)0+6-c*? zwjT~o2p#>!DT>zA_7g}7+HR;A4iT|fV6Ay#xzLmix}`mq$CxBlWe>w_8G7N*;|C)f zvuBrj%~5(%zRyif;E-nhj~QQl1K1*#3A-xL+BuWyN>i5O&q*`P6Tn(-WLOsiRBqs6 zxcUg0A}gDk`d<79un~t3h|#KgjoJqnK6de`ZMzf1{zBGNR-KwyJ*EOw8?Sa~Q(XGQ z`j{?^x*bCiSxM_Y=cYlUI^r9b9KTKohYrj3iq^K-BoOzd97^boOzz)5exZ>4Tgcs4 z1r_W)ZftX;1~L+`j8&RAGL8M}rnt9yqHb18>B^8so5#iUYZIkON@9?|@(S0S@gxyC zIUCqGw}UgX9r((0|G0U^1UmPVa7?LffzL|J>T5fynMXdy#^A1O6}GOzZa zgbswFOB)7^&z`yF`dq{zLy209QtiHanyfU1C7UwjqyOsO3-;~{iF-GbZ+~)0p6S8P z7Q6xV3XSQdmAdP(Yrrcy7lsDga`&DO5)?Q)h#9XiM0AuI0$%Vvow_ zm-W>)9>v2DvdPgoH|P)*#PsxC1T=H zBBOb_LK8*O5}t6aRV=~U8P1jG^8Q-uu^b7o62QrB_KeYC^MFXD%0GfvXY%^^P3CYu zU=~eXnK7A7@paF9)fUP_ZOqe+E_hW)eCnO$LWegcZlLdK*^xr=9uvF6U4hA*CjN3A zs&<{9w5jJWjY9m>dfHn?>|Z#0ln9oZVVsC*%+52;)zn0a4Is#mHjft>f|RI1YoXGA z`!0}uooHh6yU#rlw7q(qxTM`AjcK5&GxR0ago9+|&j^*qs+YPEp=3Bz7ORb zP?A=;g+0!`usc@~)01?0el)dI&nG(U?W){2TJxk)q>OcCA%nfJU+(ypxU$4~kv3*n zZ=)x-%|O&Q@|`Ag-1r_&}pT!h=;{op}%Y&{_cV? z6m+JThTYda*3x))$2AuLFE!{IHxrjDpA@d2WOA~76Tis5?~*mtcCMG~qT}N&tQX^+o8{yk{a*DgY0Q^()PS+%BP1N)Mmg!06uwTnr)9qyqM- z3|&j`wG?fg zZ(shP?65H^Q}_9cYhY9R+`wQcrFe4;*DItDjAp835Z}EObMOYm7r^~0QTO>5@KC@Z z0Y8tZS!;^O zQ?+rPJ`pREeb15_CFvWV$W|8a0(yDyE?=4@cAUrDU1>3C4^qk&E}3h;V-2<3lV6W1 zLD!2)&DAN*a|Av*r8Oi$d1+7B3`)`N4tBn5(e1Y|2FTVtA=?=fc_ppoHzzV>%JxrI zhOm_#aTsk^pKRMpmtt@x8g;xL8g`WMJvi(d-_jErF;-wN)$#Bwj^)RC{FN2C+FOo6 zrf?`ysQg5iWWD;mpe=~N@yT(q3B_OxpFA zzm54gIs|6dBK#E08fsH}mHDezTbhUHH3H6UDTeP9vP6UcJ9a6P35>5xgtCF|^qArc zS(4-1$%X+MhAAmCH_&WX_Xy9m7LQ2}sSA=48!1=tjwwC&cnum0cJ$$Lqw6;5zJz&v zHP=06m%B&O_AfY?YaOyv&xmI0iP3T`l2?&;!cqD!DMPU+Dr0LXcY7Whk1D+eXF&)T z4=81e8QBzvQ(kMXq=*APzF(vgzTj(e_=heLF_-F_^5e5Fb9;oOSdLYjzsN@%YGh4< zWrB+eVtb{N){ksQ9s>>S>L(}b?dc#APpwv3A^9+lb+{wSL;V3`D+4M4y0*4A{J;?`Bc%G+K?I zE*30VO61|&ZC0msC}UL#gd_9Y?(H|&;kJj9mOX^bO*Fdgs=JIN|F7Nn)tp1Vz;An2 zY!mJI{_V$%1x)I8S!f!qFTvfY!mr-=mFNmZGE+C3U>Id8%P%5XYX(>TY}nIs(<2G- z8PSZ2JRahsLc9@bClYP=80XbhTQ>U~w}Q>z6YH?DcrCb*?dEiVIt-HHo<#U$n{^lz zQm(4x)b|M9u%UFq+zTezildkFbWZp_P7&c7T}DncVkRONi10nDlxT>K?pry2%F)qV zc)QV3C&E{rb@pmK)hDCxs$CO6GsvAA1thzi#?|$^Hoq`#1=}NLKWOU0De_q=I>L6J zdce40$3LUOD&r~d=HW@4>fh{)hr;tmPi!XA5!Dr|bIu`1LarE&w=aeSngdYLHZTL!6bXA-oLmx!V&Odt8Z|nN2F7Y zk)t6&5f(x53xEeAT$5xk)EneCe7=9wf5ChYS5ds z*WXYoIH(5EHvtwzqd*zU$u0P-mMfOh6I>C~O86ODE;Ig^;_pa|15NO0*A5PR+%?_4 zTi}8P4a_Amr+d;ZDF3}SCrf_E7tjjTQOw@L--J@ngx58VRN z4{9mhb_xo}U?8&Kd0;2v&zYDg;CJnMIuFM=?62;Ovh{cLU(pP^Rx6SWvXw;hr0kBd zwS;`^TztkDzC0y|M@Li9(!$9jRegB^QZW1$x&MvPOrv~GWNtlNRx`=a59*f4;4Mq4 zd2RYWD~!>gBxAwMd~p|(%Z%@Rg;~$z7`8|R3GtgW>D<@1+iNKt@cAFWVBHW6d>ec` zBFQZ4Ep8(3_koF0CLzjC<*a@zUElel=*>A(5ah~3)k`%{JUv~vJw6^CFW6T$NEUfI zn%7L*Xle0x=v7d$vrk(AQZYE&h{gZJ@c2e6gU_v%p{%U5aTt4?HCL;OBAb~2X3Do- z6rw$a=P5lpyUBTFN<)<9Wb5F9BTJv1w;Y+x3quhGcChvSIu)KWmV zb_zbr80{aJ>Rtm13=6#h%C}os7!ueA^I}PYI8ASFvS}^ zXy;usJ1gbCv1z{SzX2CnL`gU<3GnprA3XSTMxRU*2G6(->iEyL8bmridUWwIDH}*O z*STGPM*Zy5e<76C;Os}3WN^G1()c#=AMhpm%YOi(6D(s?U*GkO*h~*vuRp&Q+1KYc zrbtxfMGP}Ad=A5^Fe&q==9?6lA?!o(CRk1fPAf$HU)m&?IVlV&`1SW>cXkeiWSXt? zx{zR+`i;O%z2={_o&4B7y?gwohkunLYilX$zHkY<)rj59WB1wb?Jic@qD| qJYztVk^g0_{P(;6UqyZ2-o5yhbfkH+uKor7`ywtURxa|@@BaZn09=Ov diff --git a/versioned_docs/version-v0.22.2/contributing/release_flow.drawio b/versioned_docs/version-v0.22.2/contributing/release_flow.drawio deleted file mode 100644 index 6ca6b34f..00000000 --- a/versioned_docs/version-v0.22.2/contributing/release_flow.drawio +++ /dev/null @@ -1,721 +0,0 @@ - - - - - - - - - - - -
-
-
- Review release notes -
-
-
- - - Review release notes - - - - - - - - - - - -
-
-
- projects -
-
-
- - - projects - - - - - - - - - - - -
-
-
- projects -
-
-
- - - projects - - - - - - - - - - - - -
-
-
- Organization Webhook -
-
-
- - - Organization Webhook - - - - - - - - - - - -
-
-
- projects -
-
-
- - - projects - - - - - - - - - - - - -
-
-
- - Publish release - -
-
-
- - - Publish release - - - - - - - - - - - - -
-
-
- Maintainer -
-
-
- - - Maint... - - - - - - - - - - - - - - - - - - - -
-
-
- metal-robot release handler -
-
-
- - - metal-robot release han... - - - - - - - - - - - - -
-
-
- - no - -
-
-
- - - no - - - - - - - - - - - - -
-
-
- - yes - -
-
-
- - - yes - - - - - - - - - - - -
-
-
- version in event newer than release vector version -
-
-
- - - version in event newer than... - - - - - - - - - - - -
-
-
- - do nothing - -
-
-
- - - do nothing - - - - - - - - - - - - - - - - -
-
-
- Github Action -
-
-
- - - Github Action - - - - - - - - - - - -
-
-
- Bump version in release vector and push to - - develop - -
-
-
- - - Bump version in release vector... - - - - - - - - - - - - - - - -
-
-
- Open pull request from - - develop - - to - - master - -
-
-
- - - Open pull request from develop... - - - - - - - - - - - -
-
-
- Update aggregated release draft in - - metal-stack/releases - -
-
-
- - - Update aggregated release draf... - - - - - - - - - - - - - - - - - - - -
-
-
- Integration Testing -
-
-
- - - Integration Testing - - - - - - - - - - - - - - - -
-
-
- Merge to - - master - -
-
-
- - - Merge to master - - - - - - - - - - - - - - - - -
-
-
- Review -
-
-
- - - Review - - - - - - - - - - - - - - - - - - - -
-
-
- Tests suceeded and PR changes reviewed -
-
-
- - - Tests suceeded and PR chang... - - - - - - - - - - - -
-
-
- - publish results to #integration - -
-
-
- - - publish results to #integr... - - - - - - - - - - - - - - - - - - - -
-
-
- Release metal-stack -
-
-
- - - Release metal-stack - - - - - - - - - - - - - - - -
-
-
- - publish to #announcements - -
-
-
- - - publish to #announcements - - - - - - - - - - - -
-
-
- - - metal-stack/docs - - pull request - -
-
-
- - - metal-stack/docs pull requ... - - - - - - - - - - - - - - - - -
-
-
- Freeze -
-
-
- - - Freeze - - - - - - - - - - - - - - - - - - - -
-
-
- Freeze - - develop - - and create a release candidate -
-
-
- - - Freeze develop and create a rel... - - - - - - - - - - - -
-
-
- Large integration suites -
- - (currently owned by FI-TS, not public) - -
-
-
-
- - - Large integration suites... - - - - - - - - - - - - -
-
-
- Run -
-
-
- - - Run - - - - - - - - - - - - - - Text is not SVG - cannot display - - - - diff --git a/versioned_docs/version-v0.22.2/contributing/release_flow.svg b/versioned_docs/version-v0.22.2/contributing/release_flow.svg deleted file mode 100644 index 55cdd493..00000000 --- a/versioned_docs/version-v0.22.2/contributing/release_flow.svg +++ /dev/null @@ -1 +0,0 @@ -
Review release notes
Review release notes
projects
projects
projects
projects
Organization Webhook
Organization Webhook
projects
projects
Publish release
Publish release
Maintainer
Maint...
metal-robot release handler
metal-robot release han...
no
no
yes
yes
version in event newer than release vector version
version in event newer than...
do nothing
do nothing
Github Action
Github Action
Bump version in release vector and push todevelop
Bump version in release vector...
Open pull request fromdeveloptomaster
Open pull request from develop...
Update aggregated release draft inmetal-stack/releases
Update aggregated release draf...
Integration Testing
Integration Testing
Merge tomaster
Merge to master
Review
Review
Tests suceeded and PR changes reviewed
Tests suceeded and PR chang...
publish results to #integration
publish results to #integr...
Release metal-stack
Release metal-stack
publish to #announcements
publish to #announcements
metal-stack/docspull request
metal-stack/docs pull requ...
Freeze
Freeze
Freezedevelopand create a release candidate
Freeze develop and create a rel...
Large integration suites
(currently owned by FI-TS, not public)
Large integration suites...
Run
RunText is not SVG - cannot display \ No newline at end of file diff --git a/versioned_docs/version-v0.22.2/docs/02-General/04-flavors-of-metalstack.md b/versioned_docs/version-v0.22.2/docs/02-General/04-flavors-of-metalstack.md index 7da427fc..2277ca6b 100644 --- a/versioned_docs/version-v0.22.2/docs/02-General/04-flavors-of-metalstack.md +++ b/versioned_docs/version-v0.22.2/docs/02-General/04-flavors-of-metalstack.md @@ -14,7 +14,7 @@ As modern infrastructure and cloud native applications are designed with Kuberne Regardless which flavor of metal-stack you use, it is always possible to manually provision machines, networks and ip addresses. This is the most basic way of using metal-stack and is very similar to how traditional bare metal infrastructures are managed. -Using plain metal-stack without additional layer was not a focus in the past. Therefore firewall and role management might be premature. These will be addressed by [MEP-4](../../contributing/01-Proposals/MEP4/README.md) and [MEP-16](../../contributing/01-Proposals/MEP16/README.md) in the future. +Using plain metal-stack without additional layer was not a focus in the past. Therefore firewall and role management might be premature. These will be addressed by [MEP-4](/community/MEP-4-multi-tenancy-for-the-metal-api) and [MEP-16](/community/MEP-16-metal-api-as-an-alternative-configuration-source-for-the-firewall-controller) in the future. ## Gardener diff --git a/versioned_docs/version-v0.22.2/docs/04-For Operators/03-deployment-guide.mdx b/versioned_docs/version-v0.22.2/docs/04-For Operators/03-deployment-guide.mdx index 58ddafd3..6be800cd 100644 --- a/versioned_docs/version-v0.22.2/docs/04-For Operators/03-deployment-guide.mdx +++ b/versioned_docs/version-v0.22.2/docs/04-For Operators/03-deployment-guide.mdx @@ -31,7 +31,7 @@ You can use the [mini-lab](https://github.com/metal-stack/mini-lab) as a templat The metal control plane is typically deployed in a Kubernetes cluster. Therefore, this document will assume that you have a Kubernetes cluster ready for getting deployed. Even though it is theoretically possible to deploy metal-stack without Kubernetes, we strongly advise you to use the described method because we believe that Kubernetes gives you a lot of benefits regarding the stability and maintainability of the application deployment. :::tip -For metal-stack it does not matter where your control plane Kubernetes cluster is located. You can of course use a cluster managed by a hyperscaler. This has the advantage of not having to setup Kubernetes by yourself and could even become beneficial in terms of fail-safe operation. However, we also describe a solution of how to setup metal-stack with a self-hosted, [Autonomous Control Plane](../../contributing/01-Proposals/MEP18/README.md) cluster. The only requirement from metal-stack is that your partitions can establish network connections to the metal control plane. If you are interested, you can find a reasoning behind this deployment decision [here](../05-Concepts/01-architecture.mdx#target-deployment-platforms). +For metal-stack it does not matter where your control plane Kubernetes cluster is located. You can of course use a cluster managed by a hyperscaler. This has the advantage of not having to setup Kubernetes by yourself and could even become beneficial in terms of fail-safe operation. However, we also describe a solution of how to setup metal-stack with a self-hosted, [Autonomous Control Plane](/community/MEP-18-autonomous-control-plane) cluster. The only requirement from metal-stack is that your partitions can establish network connections to the metal control plane. If you are interested, you can find a reasoning behind this deployment decision [here](../05-Concepts/01-architecture.mdx#target-deployment-platforms). ::: Let's start off with a fresh folder for your deployment: diff --git a/versioned_docs/version-v0.22.2/docs/05-Concepts/01-architecture.mdx b/versioned_docs/version-v0.22.2/docs/05-Concepts/01-architecture.mdx index 709960e3..75298df9 100644 --- a/versioned_docs/version-v0.22.2/docs/05-Concepts/01-architecture.mdx +++ b/versioned_docs/version-v0.22.2/docs/05-Concepts/01-architecture.mdx @@ -152,4 +152,4 @@ Thus, for creating a partition as well as a machine or a firewall, the flags `dn In order to be fully offline resilient, make sure to check out `metal-image-cache-sync`. This component provides copies of `metal-images`, `metal-kernel` and `metal-hammer`. -This feature is related to [MEP14](../../contributing/01-Proposals/MEP14/README.md). +This feature is related to [MEP14](/community/MEP-14-independence-from-external-sources). diff --git a/versioned_docs/version-v0.22.2/docs/05-Concepts/02-user-management.md b/versioned_docs/version-v0.22.2/docs/05-Concepts/02-user-management.md index f1ee2778..ba742ee9 100644 --- a/versioned_docs/version-v0.22.2/docs/05-Concepts/02-user-management.md +++ b/versioned_docs/version-v0.22.2/docs/05-Concepts/02-user-management.md @@ -7,7 +7,7 @@ sidebar_position: 2 # User Management At the moment, metal-stack can more or less be seen as a low-level API that does not scope access based on projects and tenants. -Fine-grained access control with full multi-tenancy support is actively worked on in [MEP4](../../contributing/01-Proposals/MEP4/README.md). +Fine-grained access control with full multi-tenancy support is actively worked on in [MEP4](/community/MEP-4-multi-tenancy-for-the-metal-api). Until then projects and tenants can be created, but have no effect on access control. diff --git a/versioned_docs/version-v0.22.2/docs/06-For CISOs/Security/01-principles.md b/versioned_docs/version-v0.22.2/docs/06-For CISOs/Security/01-principles.md index 8e7030f5..e327ec4a 100644 --- a/versioned_docs/version-v0.22.2/docs/06-For CISOs/Security/01-principles.md +++ b/versioned_docs/version-v0.22.2/docs/06-For CISOs/Security/01-principles.md @@ -15,7 +15,7 @@ The minimal need to know principle is a security concept that restricts access t ### RBAC :::info -As of now metal-stack does not implement fine-grained Role-Based Access Control (RBAC) within the `metal-api` but this is worked on in [MEP-4](../../../contributing/01-Proposals/MEP4/README.md). +As of now metal-stack does not implement fine-grained Role-Based Access Control (RBAC) within the `metal-api` but this is worked on in [MEP-4](..//community/MEP-4-multi-tenancy-for-the-metal-api). ::: As described in our [User Management](../../05-Concepts/02-user-management.md) concept the [metal-api](https://github.com/metal-stack/metal-api) currently offers three different user roles for authorization: diff --git a/versioned_docs/version-v0.22.2/docs/06-For CISOs/Security/04-communication-matrix.md b/versioned_docs/version-v0.22.2/docs/06-For CISOs/Security/04-communication-matrix.md index 07df2607..24c1bc1d 100644 --- a/versioned_docs/version-v0.22.2/docs/06-For CISOs/Security/04-communication-matrix.md +++ b/versioned_docs/version-v0.22.2/docs/06-For CISOs/Security/04-communication-matrix.md @@ -116,7 +116,7 @@ Please note that every [networking setup](../../05-Concepts/03-Network/01-theory | VLAN | Switches, Firewalls | Layer 2 traffic segmentation. | | VXLAN | Switches, Firewalls | Encapsulate Layer 2 frames in Layer 3 packets for network virtualization. | | EVPN | Switches, Firewalls | Overlay network technology for scalable and flexible network architectures. | -| VPN | Firewalls | Management access [without open SSH ports](../../../contributing/01-Proposals/MEP9/README.md). | +| VPN | Firewalls | Management access [without open SSH ports](..//community/MEP-9-no-open-ports-to-the-data-center). | | BGP | Multiple | Routing protocol for dynamic routing and network management. | | SSH | Management Server, Switches | Secure shell access for management and configuration. | | LLDP | Switches, Machines | Link Layer Discovery Protocol for network device discovery. | diff --git a/versioned_docs/version-v0.22.2/docs/06-For CISOs/rbac.md b/versioned_docs/version-v0.22.2/docs/06-For CISOs/rbac.md index 9a87b896..06c902bb 100644 --- a/versioned_docs/version-v0.22.2/docs/06-For CISOs/rbac.md +++ b/versioned_docs/version-v0.22.2/docs/06-For CISOs/rbac.md @@ -31,4 +31,4 @@ To ensure that internal components interact securely with the metal-api, metal-s Users can interact with the metal-api using [metalctl](https://github.com/metal-stack/metalctl), the command-line interface provided by metal-stack. Depending on the required operations, users should authenticate with the appropriate role to match their level of access. -As part of [MEP-4](../../contributing/01-Proposals/MEP4/README.md), significant work is underway to introduce more fine-grained access control mechanisms within metal-stack, enhancing the precision and flexibility of permission management. +As part of [MEP-4](/community/MEP-4-multi-tenancy-for-the-metal-api), significant work is underway to introduce more fine-grained access control mechanisms within metal-stack, enhancing the precision and flexibility of permission management. diff --git a/versioned_docs/version-v0.22.2/docs/06-For CISOs/remote-access.md b/versioned_docs/version-v0.22.2/docs/06-For CISOs/remote-access.md index 0b8dbb19..dc24e82f 100644 --- a/versioned_docs/version-v0.22.2/docs/06-For CISOs/remote-access.md +++ b/versioned_docs/version-v0.22.2/docs/06-For CISOs/remote-access.md @@ -6,7 +6,7 @@ title: Remote Access ## Machines and Firewalls -Remote access to machines and firewalls is essential for performing administrative tasks such as incident management, troubleshooting and sometimes for development. Standard SSH access is often insufficient for these purposes. In many cases, direct serial console access is required to fully manage the system. metal-stack follows a security-first approach by not offering direct SSH access to machines. This practice reduces the attack surface and prevents unauthorized access that could lead to system damage. Detailed information can be found in [MEP-9](../../contributing/01-Proposals/MEP9/README.md). Administrators can access machines in two primary ways. +Remote access to machines and firewalls is essential for performing administrative tasks such as incident management, troubleshooting and sometimes for development. Standard SSH access is often insufficient for these purposes. In many cases, direct serial console access is required to fully manage the system. metal-stack follows a security-first approach by not offering direct SSH access to machines. This practice reduces the attack surface and prevents unauthorized access that could lead to system damage. Detailed information can be found in [MEP-9](/community/MEP-9-no-open-ports-to-the-data-center). Administrators can access machines in two primary ways. **Out-of-band management via SOL** @@ -26,4 +26,4 @@ This approach uses the [`metal-console`](../08-References/Control%20Plane/metal- Both methods ensure secure and controlled access to machines without exposing them unnecessarily to the network, maintaining the integrity and safety of the infrastructure. -Connecting directly to a machine without a clear plan of action can have unintended consequences and negatively impact stability. For this reason, administrative privileges are required. This restriction ensures that only authorized personnel with the necessary expertise can perform actions that affect the underlying infrastructure. These principles will evolve with the introduction of [MEP-4](../../contributing/01-Proposals/MEP4/README.md). \ No newline at end of file +Connecting directly to a machine without a clear plan of action can have unintended consequences and negatively impact stability. For this reason, administrative privileges are required. This restriction ensures that only authorized personnel with the necessary expertise can perform actions that affect the underlying infrastructure. These principles will evolve with the introduction of [MEP-4](/community/MEP-4-multi-tenancy-for-the-metal-api). \ No newline at end of file diff --git a/versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP1/Distributed-API-Working.png b/versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP1/Distributed-API-Working.png deleted file mode 100644 index 899e223d25919d8ec5a2c2cacd2099f8731ff1ee..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 53600 zcmeFZ2T;>r_cw@$3U)z7RKP+JK_HYQfb^w6fB)Pfwd&)icobx&7hUsBY2lk%a z%f!TVKuc52fQgBP%EZJR$GRK5ljyUCWnyAGKvXv)y8Al1xH&NKOR8@F#V;Z5Oz4god=JIGE~!84SiRsRI7ealw;(!EawA+!`(=1pZR? z@Njc5b+ARd5TWss2vJEm^cA$Gk**HEgev&k%?0NGexV%fa0KWp-gp}i@JrR%i{S1; zatB{S$cT!IO3Fw{iy~zH`2>9BfB(LrjiZg1%YRu0qSMF0%iD#3-zF0#Au25j+a}0? zXydf~E*$Tu1=n>$Xc8UGWF)ZmUNQ*f?J-0@4~OkB_6|NSc3@2jeo1w}VS5)FCodcD zY~n6|If#SV!XzYga0G;fy|yVuP0G|75C;uMnE2?}d3sB!>xtU{l2s%O)iEw)A5A<) z2PS(~6eAV5gQAC6fUJ9oL=ukJb$GPg-z->|PaAlOUrXk$k-Vm>4 zgc0|l_<)(nc$6O)W-dWAG%}!&^$1e>WF*B`5~WJk#()ppu%^bQhAMVsJ3l`uGee@S zxtX)Gqcn!7qCtR5!%2oFp3=r@%BHFo9>%VQC>?WOG}^@pMxi(%O#Eb|%}q36o=&cg z>bhQj>R25#(NRVfCV{drl_X;|!1N~esu-9L#X{Lt+}*^^&c_`oC4qE=I~eI|`d9!i zYe+cY>@j#r54emj(aZ~@=4Y<&0Mtpv#X;B4#*ZK)>5Iqdqs^2tw)T*A7&+VONt4vv zwGAx1ZShz?6rSR01Bbh7>S$8%YFhTTdd4cgx}IuU-iEfGb`UFd@UE^7es)*{S=t

*#5l_~}a_O?}C}WCN6`r#iyi z)k#~@UE9Z9ljP-Uh&Hfr_8`MG$S5}tPYHxAPFL4a3W!mKs4U@ND5D{vrmZXmGt-r{ z)gpVtRbA1(Zl+kAyOe~E4#tIo5;w&-`xyCXs=BGmpxq47HV7$-o4b>-qpz~F5#AFc zr2}&^G50lcvc*ezxNAG0ytTAE{BRgoM?f>l#?Kbz?5U?>DsGIh#S@Hdq#ZmpoPAu> zZM4CbQGppzT(rH>Kr=Nw5t5Ehp3(>%BP|soT3JHez}?TxPR9i)spey+t}p3rYoH;m zE)FyHbthmj(nvjoorAaz+Dli{z{}jhMatgUS=GZ&UDwSQrcN-kGts7a<9w029(b^f z6alL$PQ+^?+*CbLs@`rcHa?PO%JxK4H@q4aVS{ra!)yphO>svlH)8`y@C74jUy7d& zO4`QF981C?ZC%|E6pEca%t74N1!-&~Nz~9HJDMY;Oug;QB_vHflvPyx%pIKVl^vZm zZSlHDIDw=}q1c-HN)wP8&RB}AgOshBF&ugp3oP2s+1TEggf-Fg^Kf-`aIp1}a6`as zHPw)gh8FrryrikK3Rx2&X^STMIGS1*%ec8pY1kWksLI&NxH*VJqVs~=K$`@uLexXM z*!qbh9gMJ8X;&9#bw4dUTG~!o%|_D!MZswpOG%1rxT)*to07=3WSFhAgpMjqQqtVr z-Q7gW*9NcegYqG(=mLE;LaAwxwY=cQj_SU4`noF4CVJv3wvJjbtTM$;TNUkOVr=53 zqOW6*uy=RDc%votwLJ;WNW7Oa8jbVyLBnC%p8C#`YF-v<<|HF8TQf9@geEB?br1*% zoR+GtgRweB)zs0*R@0Z{ts{eSur-8Bc^YV``MALhlnMIoHumN!KvOVSX%l^8Uu_)G z4G;%tC1~r2`$@w*JUldP!AnO|PkTR485svvPiZ@h2?p3h6$v*zU%Z1j+#KNzlZ5-| z7=ibkP(%w?Ef04iHwQAz9%g}a^^)-t$EkUeP(DuLMjkj_k}i%6H}I2CclE`nB6N+= zUM404TXB+yA4 z4AH17~pPo9xOUnhPYzTzrqavek@2>8m zqlt2X6Wx^kBuEaP+8Vwx<~U;*&J2tIN}y(-uB)yGW{2tN80krPpe$gv23~lgiVu#g zDXwi}s|%OGIO`)|>IgVd59vrUw~;V#L-=~T`x^K;!IeF{P~vvV5O2(!%wRZ4gqx8E zLJDn*cJq-o*EAukNlIe0d}So;b)~c&HH?rx7%6jc7r2|WGFjTqSK7oBZ|-M+a+lFm zCfLBe_4Q?pO^xlH+|)dgZW`vE9(qU_2R)<T2u;hA6wsc-q@xynu3RVN5CZ$^@jVnx4BO21Sz57B`T@n>azXS_7sbW8#GNu`tH^ z*yxhA9dt~c?Yxy$o#2|T7A|-@oSUArG0DZ(Km%^*=L!vneF-~lbC|g{3OdA93?Qa!gCAE1iWv-}hjDfwYB-5&7?~RxqV=5pfJdM~HYYeE z+-2;vC1o)7I-Y1LFF$XX0iFWBWeyjI;T`oPEwJ`Fz?o3-GSIQdYN4T%z)8a%Pa)&o zkr1Q2P4)FPe2_$E6$E&ttPdT?&_AG68vmTbTZb}u{nzu6RM!>16UD@IhDl3J*~r&w zDrsMZkLq`ZAm1&o{cKoS&9RV!&%5PbC>R_)r(!UcLOc`Ge>yD@n|?S|MfMySzi~#vuCHF{U58gGO`wOibHkJpyY*nAbNsO^DDEf5QHfg#u*BI37sZBI}ti^WEJw@k+u>FAGh? z?O3+g0<%|V4x*WuwmE+utaZ9DE~Tl>JV@rF-Cu4;upFj(eLbn5y2blBmcs|`iG`Xl z={eXPv@)R#`o;&5!eJ=dS*C$2mk@xSH6ciM6)5pzr zgGD9gbz=U?2nW8~!SzmIYpSDK@76K~x`Q5RHHkY<@O^yoQ{pcMz|-bPh6HX)Au421msUhS7oBX=+@^I~>!ZV8qHcp> z5;`YEw~5+h$sw%ePLHO%mpJzf^X0RozRI?!bJ)&c%$=Clw`IY%V=^HKx2`TA|M6L7 z^#17E_1h$b?gzsh9!p)l4GA`MgUxJU;Yv@F;tdBirKFfgPS0;{3*3xDDe-k9)6%v? zG`C3z*P+~2HWd69X-v#q>`IAW#9d0Z^?j8iziPbrZA$R&`nw^rLg$;**tV4*UmyhO zkhEiJn}kQ(Byc`i*ncAf^DokvSS0vDkg+x`9$Z@@pBKCq*h+9$WbBVSvV&xxksQXp ztqRw4nLNM9?(Dj=MZ&pl62v6NxpwO&+5bb@4pw_jCeMrilFBgl8j;xcATqM^p#A?- zNh>|u4b<&q^O%IxjtMtsdm^;?A@u?8S7(Cv|LS_az{97`;sXJHN+9Zcau_V@JH1{@@-2)!y#x%XZ4)8}kN5A}W@tzVY)7@w5X&{5zq{j(lI!#LGzOhe z{P|pXiOk63Gz@a*`d47BE)`U>&n)#24vAtc{eH#bi~D@MN0a^Wmr}Ct8nVBesa&>d z5~vj}lC6Jqc6;Lh;>6_vVdGrin75~Ycslg)^Y>wb$zw}>Wb5T>4s1z!yj6D+u|*4? znI7l0hnx7Yd}F@8FD+7G0$;gkf@r$@r(`ymvA+4H?OC+pKGBkAJx(csyS3|LI@&lApVa$DW6mH3cmd&b;5lORPQZ{Z+|RTkv+(?^|LkjP<2r+VriY?7XV( z%E4oK9)^oUc-lryUoeAiwGnkD0~c#-GH0jh zw)Xx|(2u2FZ!81((`Yc}=F1vR>)z?A^_dy)W|agl zr16&SJcxWpQ`&rl;_=K2oW}KyQ&VO{D;EsJFx;NiN30&MeRWb8f&-Oz8h&G)DElkM zu(y-8Nh1He#aYH#@nct2uI+kvXO&6$L0huXOstqFtJK+M`&^uDeATugKLivlz$-R~ zx;7%SV0XH1ceow&0rQdO^+#3nv3YGgm*SB8cX)h%>_9L!{`e2@F>wcP%*}ApR&H@p z`I^W0qF-6lCrqs_L@7y*4aZbx0%d!bVqmb&?bG$1K8_8Zr}L|gtF`S>Tv2Aw*q>8U z1Z9nhKSKAc17CFy zK6WA043~%J> zMn_SfPtPic(fRY|XD$)^>Lsl*MBk4B_0M2jp&`>-Q7CRwOz^PYtap@RC1bksFkO{* z?IGs}3iCsjvuu_W7X8^z-45}V70qp87~NybWs|Qat>211%3`n|O6sLd71UPfrE{2b z1VBDDt zIRb4KcoX?aYJvZE@ zEu1Umf4Wi?9eHv>-s=A@J!(g(3)el9o<@zGd*qb%06sq(+p-=@5xm8BuyV>l%)7^} zuwg1bYFV*^%At*WRhn_dt)ONjuT7WirOh1Q&!5idBev@Hag%$0@^ZGxWi2p!vFT7u zWBQf(ZL|iPuX;E93U4cT|X&_7~6YR7|~R9F=g6t6uRQX3-af&n1?)tt@WSQYlP^< zJWsCJJ&?W_Zn##YP#FMh6{9>@unpLM8AeyiD{|$eB{(UXf;YXz&W&@M?7Q^lA!o({ z>vNX#^z}2q3O-$Uy;wd|Rv(#5R?JKZTE)`ZsGF48)@LQl{r-gD4_Y*fm#wbsjXwQ; zqfQ$ZDWA;1iM!E-%d32=$d%;%S=jBR<0fmdJ3?2=w zIQ&Dh>i*^0`%x$FX~h?8Eq(_qPWEy+&X#aca^VDU&m;t{Rr+)kL?UB7-?tMhF-dJw z>ctW4&u+^;HT!TK?6AX+!B?(5<3CuNkyf3<0b+#an2^P87k8SF;##q4h^)&U@AzCj zRm(=v0w`o*MFEHCbiFOgwpHJ4g6%XoxRl;err*3BVB)sC!l#tBG-3-9LLBgxmDu3(;#j###G?rmX5gNkJe+SOmphG6LUkTz(-XY(VdkZf>&vt-ei4Ybp}-a0wcBFQ!%bHE zt1Jv~Qp$Z$;|NZCc^^a<2DIPB`1L?E`*`(lua!LPO(_rxPOB3o&28JBG|1IBF3+ zV`FUK;EstG+>MrRRSuA3%Byz+x9ZGkAW09AaPBZ&R6(Yo2XOCp?3gTS?GD;WB)UIh zBDI{Gig^0`e<}OLWo0LTxyK!nwEMIl;XU%Tn~u`Z=Q&$EmgAENAq@cXae$j~=icYcv1v_!T0(qr+-)e~e9vtnm3J zSlWx*wk-~Bkm&lLpfl;}Q}quSANR}O2BNsmmcMj7apSluwb9~cpT1$69*P5Pwsn+) zP-5@?H`PD8h%t{zwm`FUz*q~XXZzRN%>TR1bW|s#sQAZl@d;T{$A8EEYq}vtow7R} zx~Pp`K6`(?keT|J$aMTxU#>CdRPGX_)ih@o9=9R49hGkT zR?U7K(z17eW6V1*c_QK5{EkVF!QRAyu^n6&J}Qt*G?MK!v<}p~sPBR(D^mqAvRtWD z_)XnAT$KGlfp>9So4$lxy>uIsRP^6%CNnU$s8NY)DYH;w{jeSJPf%Fa%ncN` zuP)u3&rSAgvmFSwFFa<#5#HAkV8n?W^)7B{^#dfSf}6V_r4rpFVw(<>CKX!}m@B_HWnt8`JRVh6LKSjKANqeszbH614@6 zt;&ALI6u()Q)WBr0jA`x78vz!bqorPz#z@1OzYJzT5otmyov%E6RUG^o^(?eRaN@Y zdus%==HX~C>fZ_qOal#iD79lLOpCf_6tYWvfbAEb7!6OdCPV~y-x=K+0j+sP0E~i- zOTZyH&VXm1z=$@SvuU-t&GYep402(f;)uo^YJ^Op=51g?B{DyE9)WYOjvQ>-3U{G3 zm2|);yML$c+w_GfwXk#v3MBC)-hdu)KahmI!K1wMZnEwlv~DiuE6h^&gA%*WLQhQTU&u@PGJmf6vSR|M^&T zHm$J#Dev7lUMHABq$X3cpd3gqNGpxNzuR+=|1==Vl^Hy}p`Ujy)xu&k|7*@Wcj^(c z4`g`p52QO@_EKp-*Cz93;k_QJ#j7I;ho*v|oL%psA=67v5>rHwnez+!qT18RCYbo+ zZMUm1;calx!L{YLbewCRVuZ3?`%i0<>o(dABqW=eqy5UU>JTNaG8X?Ja_X7Wjwu4OE76T&caoQ+^oE(v|fzXE5A0DHq&v1 zKmxh;$o0)-+AJ1*KvqT?BwWk;$OC;zC_D*cx_^^@ z|42Fr}nCfOmhEUoLGT@zTdoeWtWEWAGxdG0AV_ zN%EtBRu^jN$kY0LK`ATMg1rFom#hE*DQO(*h8*M0W)l#EM2)3Dtkem74D;*33C6Dm* zejaSf+b}NOd9^jOBQ|dnm*uy#KEUYzW1Lji2=evgc2J@;;8I@6;Jq1M#>$;5*Ftv% zBwPP^+F9b=C{ufhwlTj+>^UemB|c8W9qjxGgXNL?Nbx2d!CI~|7O0B!oCQMu z``t5(dBK&2mm&BfuW3|~u{s0(D=i1=zmXW+H)%BrrRSF!n*)qLq)gd3#$e7SeXjDy zF0sdLGe!v?pGZ2bDZHj0=mUGk(|W*oG!3qqH64vr_`W;i z;NRnRkS<8gu*ee`J@6K2d;n`c)-5>YWfSLgLH}~q@@f-yTDS@%^VXZ}m%?18IKDHA z2Ct3W_@@@2n9)kVzSLYc(8`%MOX)1{h1H(^lOr#>PGczSurFe$CVm+$lsCur^b$3% znt9dn(+{NK%lHNAHou{GrwL_C-8eBa!0AdrTC{DzcjC5ncoRrMBI?Rgd;MoC>AF9J ztyi^|0e9+(dF@B!i(yR{U0>CYZ=a zWhBf(7|LdKtZkI$vjpD$Uo@8bejKD1pKSThm(r1`R0w-|55KiKO# z^dLEvg?W{4hca_Dl%)*f2#CdLO&LavBzj{~h6d;}WIU9%Uu_v!Fnh|PKu=(S_f;%g0}$lq&YDX*MmN`I zm*ISES`~#Qe0MJ@-qT{vR=CW6`~sF;F@|bdF?cLURjA;1F^!(ehuY152rT6Mz((H;te)G@4+TOdV7v`T8 zOfQEQaMUDZj(oqEoinI@IP9Y0%KJkVB?4zPrHi{=vsX_jETkSP1t?4Fs3mj4tNx9c zXVTwklRLf4c%G_qh=obA%l^7k&D&mqtQh7O^V2Y_+5CJyvZSy{p(nf~OQ=1YN44!_ zT194Z&D8?U3mv^?0DJAj2F-KOd=_e9pI>3_AE4wIc&o0)`UU~pSQ;5PW!FDzy*VFW z*a;ph4PMC}TKnl!fCwZp`qhrI^zLu60?HGTDXU)#dBUfyYa#s{*$)T$xv{OE7d*B7 z&rkC%?5Zcz)-7qpZOM^=&*=(}=+@=yiqm-vfZ&zR&3Q7?$+JAFdG_P9E(YB+@pU)j zEaulTS4v{7J6`r^1x9#ml~%se9glNUVPZJq=CLFFhZ~t$;^N0x*oXas175?TIT()kl)tEFi>9w0vr?M{|rr zt|1b#eF8_+1aptxs8)TD7wwz1&z;4{RJH(~gG`r^5IIzksu;<*WlA!#9Y6~07LUQ(_;=bNY{v^dJnb(^sLCr{419msLWVBaxDd! zh&*PS0@TBrb)x=2pups@y=zmG@)`r#=K^{1u^Y4HT0Px@uNm0_m|NY9@gQaYfqov- z<>TF)CR`7+{!TKFT( z8C`x%X48Ex$$%69J9aLA6S}4B^X8!?Fmsy%#z046Fe_u#k$4{epotTim;%kjmb%?Z zao^h43G$d19H+__UPh=TDQ_-v-i32ROrZ-Mv79&`s`UJZD7R-0VeWGn^%~rYuarOpQRFXNCD=H863uyXws{vh6%~Y=d$DS@Jt_ehvQe= zV8JKz8Bbl4$FCfh7r3}X^ZNafxJ^@7){HbK>3}ds>tXgsJ6mq;>edbYT&<~ZLyy?s z3RXR|)~QZg{@~M|R(&n^{5}0C{?ijQ(wf0wtf>1YNkT`uM+|e|b&p(XMr~j__IjCU zE`dGYxSS$o{s(pHBAYIKvcc$&zKqG~N>WC=>MyKd_i*;ji@79@yv>F>qsiEs#PJ@rgncjX66}UfHDeB{$~1#Wd$!u#!x2Us zQJJ-Rh2RBdV|h5Hee;m#MOxF!@MXMrYpUU13gQuuVykW{o}FJ~5ol}g_?)<9*?8MH zUtb6Ys6-?WswJJ{=tSD7Vr8GT8m2`qlf)K;t#Iy}sCD3t{&1go6NPsq?UVxwfqqW% z&OuW@1+BHF99+nwDP`ehi9>nF1@-}K!01jgkRWdqaDk@yKhS!!qInFp!Ss_do|73HRp>S#ks zZzduFzrvq92Ga;f4@M70t-M6rW>>4WzuK6hmt%}v3^NISZB7r7?cvIU4_R2-t1!31 z9#wzpA3v3}aKtoFwTpvVeI=4H4$I3F4LcRxAodOO<=bNuMRa*%b0c5g6v%SUwm-|aSAjxBrCJ^KecdmT>Sh5R1 z-}C3+DR?41FIFq)r<|Jgt(Dsd!_9RHIR@IiY!XcRGHW@-ks^d~v2ObW9S+i-7uzFXDRK0vB?T!w5)rEQ;fmDgJ&@{c2~ZB24@4`ewWmihFJW_!b%i=gjCos zcjQ@uT^Lu{_nFF=QtQMPEf!$hpNFxCCPnC3_brSI=ul5AyqEgisOG61xje={LNSeG z5lAxlcH+jSWhBcuF&wk@S&>boEUc~WrShQBET3`S%Z$M@M^rW^VYyie2Ln$C`>eho zv=KjM5rp43FW06T!VKq9rV13;grNcyx^9Kq3);pnvCX;5m13yb!EY`CbFF)>NAyk% z5LGk<{o(z-b_|5PKsu^tp`SOfH8sIiK5xK(G^W3Ye@>N71N9v%hVa*EWUa+;!<3C- zL3-GkN^kAOR)5|b8-*oAaJEz$$+3$cjl5}4b3Rq`T&PzbhbSdAv!5GYut{O$8ah%~ zbQW{VqF7TcTCaXHTRYQHo>Pro%sbicl9i0)|EVhdvUY_pWTGvW=UeMWGi@BE9VUKb zTPhCrWGX>SOF%VZJcO)eh6*ivtr{sN(%vder)XXCqjS3meP#m(*F=8b-t^j0C+Fo6^zMKy9oE1+e_iFf12 z9{OYUy$k2u+0My+e^D{9aL4Ps;sVZry=lShnVKZMMT3#INCyQ1%ZT6Xyr8<`ml>iD z_^2#GVHYZ`CtDx0e-shx+n78WUG@IaSjT#i!fGDs(xN++$1>LJ1^M&=c51a2b(2qg zZ1~B9k!^C&k-TMG;Mymn*~Df~M|l&Oxz53u^MMJ}Xj2NRi(K`Go53U8{>D{1NIUVQ zR1;su7z`aKEIcz$6Wk3{Vla0@OS5BKJnRPhQEBQP`g;Cl0S@ZIE9qRWtg}hUE$f{| z3G91}y(>wnS;+K6t)oVkS#PB~iRZMa$!kLoyCk1j{<5I+AH`HqXaN^^NrSq7EG}m^ zq8ebo(B}#}xGK@u$c80`MT*yXWmCIs9?ImWXV#MmC06E*r`!O9w0d|e+Sj*^n~*e* z92tWVe<=yJE~W{uRXC(L)3El8&i+m8GS`~z)n!(SVAja3DzmouO#1SzDTV-}s0zLu z3@U~L-U?2-BqT&+o*BzPKaatG&bDHwwxMXRVu#W>usB84|!Ia4( zV~T!;1QyCxb+nQei^2Eow$%;W6f=W#_DLg_iLbnORj!!`9Ko>5oN zk#}A_EM19jbWi(3c+$MU!!K6pjia1{M*T&1mVdIgJyHCbBWWN6a4hXQVl~q6J5g;v z?0c$Bikqv){(ms2(T(+pg+}&QOKk6|0!Pe%6`laFb5>JCGUM#KJt>w#@A@O;RTq348eC+4it?7i+2jg z%|G1&z!?A*?!B&J%Rocv zQCOK`Kj<&FWVTgz3wV5u!aQZ1;dC^6*Oc8OhpPZSf@(=m80|Y1eMq7F=EwgJAGcJF z1>Ws^e)%KsX1?5xBWw`1cat^Wv;e&uqUL+VJ19E=72kEqg#79TB)F!f*+nw(2KW>) zK{U)9+%ck0_R``5_#%bH%x>C?8G8Hed8NLd0)i`-XO@uin%r@w@^c}T-2NiuJ4}CG z%9Zl510v;_a|(Q9LZP>Njy#*0?m`sZN4CeDp&y~{$A#2%9#+VZQw{NJdt$^63br4f z+0kKE{$fjZ)2w>SK2r%68i}sj4>#``-j;qhh-2k#O*;GT@`TPsHc%(7`H%^hV`*@W zP|H*A!}1b5lkTPS7-@dZ;A)|dC$G&(-;5k@JbaCZBoNC2N_P1)L!>)Ig|?(E$J|!Q zy`B*Vl78$j6bEB$4&<+#{7_4DVik{+jn-xcRq^b6?@r?4k9PGG)V}84G0`6pXjp&O zP?xQR*YivMZnJ;`KkdpSSstU3wD>~-e9Fdt?LiTG?>0x7NQBy|Oo!^s43_aoq=VT` zk*eFjVSQZ8U(*_2L@5CQu(0KS>gM0ICxStAi;#?`(h$`8Hs?WG3HXz;gZS7|lc) z5Fx~E9Hu_~714j!FhlxUsqf?65uU6pe9f_bZLvt^jJQ+_K0OP1>~TW0!F6K}O2gWR zDlSFJs8&cBAr65Kx@*|rg(6f7wVuqsdRb>@Es}+qeVg1JhV^=v*e~R6YKIqV3BAu^ zs|1nsz$!l%f7KlW!c3BMYmcn6INd%vCX{PJeE2pK0#TAoxkSFm8H&{-frzO2N&WulTPi- z5t~YwOCu+d(P8lTnFb;!^$@~EOT36VTJj;YNBhL9OXRbNk<3}?@8pRvxgu474Kt<+pdrP zidXyJiPy5AQjE6YRs7{*_R7loz7?p^DEn2JYr)m-gS}pJ&T=MG%4d%MeH!7W`={c! zXZ&b#XuaAdti}bK^y%l9mo6L-3v0Jocx!${(IvIK z!M&jG#Ab7W)Q$ttD0ygTXa*pPGgG2l2xkLgV2XC))Y8PN6e!>=1}#(N!g&=fxwOqS zJb=bid|r+ZCi#R!AV3A5#`VlrsreAjX-HM)-VP&jk?G9~skya9$IY(opk+4SS>0## z`?^rtX78xNCjiG*HqTbRm^M=<1B+ zEX6cERm8^BOFUWwb=vc$qV(eLkB6F;%%lq#o9pF(inGxd=E>2NM#Vd7*Rb0*pv#nn zr|qm>`X+?9F9R^H)4k;9?HLfR)7Al8INbqS7K9q6-?UR=D!?908Bkq@cZhZKgS|cEUPrj# z>H0|hxMyC_Vs;gWmVw1v-AjMP1w}t6lrLQB23hh^h0VFhbwebSo#+D% zBojfKe^SbC9F!e1Pl(^c2I2iKP9kl+Z?<=?mRHgJ_^Zk#i{(sg;1^)gb$jA= zw{n;fzo|n&xlDQLgz71cS4*tG7)`5(@v~O*ZyUiu$AoWoM_w8P(^Vc~+9#!|mZCuN zcVHv_SvT)Q_$vsD1}GG-_wqn6O>T8Ky7DeR4A)2MT%3L*RsovBdgH4W_-T7KAi(0_ z<=;x=nq#IVP$vk~gEvo|I3zQCSh1txPvhjS9RHcp+F9ZCyr2}~MYLTCsl(jR)>hFx z_gqORdfXnBLcLwP29*-Oy0F9tCHITA4NqrZ_Oj z_YlM$q?-TTF`;x|V+0W-`8%$-qJ|)_Fx^=`K*tArxi0sSml>}Py#gJ8-Qj52xJz?m z0A?rU1=A<{j7=?n@$P9GzYvJ)2nLYCfH#zOURFjGICz&uo4w8@R1>qpvt>dz2{lOR z_C%+oBO;uUvYRb?n1%ix0zw_E3cA>5+VsVnXXIt6owCkiP&?RqWn$GrTNr=R?TP6f zi?VEiVSeN3@oUkB?1gVoF?U}CLtTd(oEd9~FvD5DCjX6O1M0@2bMjJ*YqlWM!o@HM zNejY$r&-5f=Pj)>CeS8qHoR-icQW=rrVlSHK07|ek?nc!d)AkV`z|R3XRj%P<4U71 z${JizU>nU-(^@BxlpJ+9odeTt765wZmJ)W;6X3fjoR1VrKzpUD@Dc67XdcEDkPW1> zW%Yl05#0JM(p+rF%CqJeT`_R-%7EAUOnKh=yFCix;vAIf-#~hQ7`4YDlxDBMFuJ$w zWWQ?0h1ZG)wH#*_`g{Bfb?&V?AOQ9tAB#NL0b7lQTUlnU3t^~E>)^`rpSMpX_8Yzs z6Z7|1GH(@QGCf9pqu8EoFc^*bg~P6b20@3n$aaomqD3}&F(vV-G%oHG7uTHN>)n;2 z*XhF^g&~219u+FZuO!4&d+aZ>nn9M{;oTP1f+>7TV=ZY{*2Fu{2dn^#czz|1aaNu~~U zvcG;+I&!iYREkK|AFoVNRvNfBu9jF;Fl=c!&3Wh7;J2VRW;c~i|26d*zo@vX`r@r?$d4OsUdB#lI(vbG`0o_T9k2-(OXhUIN0q?L=5#C_&!IE_6`q zJws5QP!t@4rM-N92v_N0K+Atls92be0y^+*inDS|eN*!-20QNimgl>nzx&0v{S=%S z&$y~(wJ@v@)@_ULyJ z*o7sxj$3@@rFW1fGO3gT9maaqa^yCn5?Di~Wofxyp#Ax;^u)* zAxf^0>%&z5on!4HQtSPhyfhwe?nP90>Ab+1)Q&;*^|)|UKi5Zp){XdWcjg)V4`1`* zT46W#HTJ8wg3iLzKwHGT=25@HV{4=OQzB;blW&l*ALnrO!?mJQQJ;#xq{a3{d7*Rq z1h*}2nYCx%{rvhxr_z)uiB5du&APPL|BM+2>8FHW)lt^en#|J?)>i~*=HFY&Q$mb+ za;KsKS&3oW&oE}-9(xoWKiTA^_}$^v*T@x?mnkdv3m)=7{xU{nm1L6mS~f`DO~_0j z*v#5R@$uFK2Kx?=v2S}&-_pA;3dOzZNLdVeoqZMk^whofi;*Ti=z6ia40TAo4xxjR zj#5P;tq)z<8&}8MVcLBjqrda;*tyVGIUg;<(!!-pRCFwJXh)Z#Er%^W1Ux>G20dfk zV>?^S9mw0emgaZL*-@OhoSTo!%z}lc1j|1c z-CPA1MA*iK$sA+ONobI;smt>oj9HwUv_Zd@SpB%B?O!eA%EW959CuQQuqUzLllI+A z++zHfpx3yo=*Rn_Yn)?I!sY2BPfA+PK>qg)ei|msQ0Vmk_3B2!Leqlf)kQb`#4l)M zU$*#uNv5+JkA>*p3Fv318X*4%6C;u82b7+Lvy{C)Nal|a?J#45kuo<8y0JcCIJQ5a z=Vn-h!~Y_S86v^qLzJ~sb*53o|ABcsazBC{yI81l1(@2xz41-aIW6rnPUQx{nczV_ z6nXDbv{y3md-Gb34^)(#xe%(nUM8U7)x!Y~YxnB&Z3GCqV?&}$VHiVeA+T1i|7V2k z#0AJo@%_Xa3yMTrx1+jsvF{*JQUz7^u@0+V8+w570q$a-~eVzQRb4lY3P(sUnpSo@;MZU8K>k_?s!MdGZePdtiG6mT3r*KaK z>PyNUd!Xsd;}i!&->EUnH0GWT%$P4z4Ot71Mwfj0*}e1ulkn|1f~Do0UianK_c=YYY^JXWfZ)_- zp4q23Yo~Dej&HD|EKz(9hkCz!8|90RG%RA(187CjUg|@P$)As3@Mm54zpAjtz#~P5 z)DvBinIh33Y!dg|QGTU8G`25f?8IJXE%wiz_+Mk*QFXPM7A!A8C}?rZP*X5_)yARt z;Tv|xvn<*PsJOXv80kc#xH=FyJ+27p%bj@l1+PThzbllFZ5UbXwIEYBJY;l&O;_R@+uQ^%uBK8V~@a{2RF!m2v+cJvnsKOov@&iry?ZnN(P?nb1ZdB_)fdekIB zLGVdHVwQTynrdQ}G4dAi^;2FGpM6@wHpf+-z45c>5*sx7sO9kFGMJ@qUsqq&!JMhx zYPEWYHKUXwyoFII(K-s4_H#<~vzYdai7K+@4TprwZ@q{W-*@&Ox&3_cT89VBGQ4XF zZ@kCEXXkUf3#@!vXKG7h)0(sdc&V;Oo^1k<;27p?QqIVo*glmO?Z>wcUvTF!{}hgF z_b@R3Un=&rv^0D`K*iDpNyo1ql1_~|eZkwAnD!Yg=!nb_D2VM7Z#%JzdHk;~l^qLl z`pEulQ$X;Of@hcZgronKIwhF%Wf`#j)kcYAhqyY#!AirC+<9k*V#B)gCs=ha(VIZ1TJ7B{obzM764U_u zjHU!vZAF3L5{t=X-$AzGg%)&qG)A`WQc;@$K1;V2G@APt)0cYIJ)vlrJp2eHTN(Tl z+#Wy%t@yXD_)i!0LAB{yz6)Yiy1h<_&18OY(wb3L4hoU`wkndrwF;%+wvdmJVhpJC zmJA|{vfQ`bUsB$+fU2ogN!Y8pL2KJE{$6lz$JDE;HCJjwCv%n#s-k3;xbjw8J>idgD`K=>M;ex z2onl`ZT_k1gI{yZ3wy(@H*Cq^tf6?it^SH9b6WYPLT6l`@*eJC(Xz2~%isc(t|V{- zZGMwYN-P8MMPC$JbR3FU#jd%73`x~2sB@K1M;3tuPzktu;M+cZsQR)OLj887flSbs z+=}@xGf*hP-2TKVc^q`rJI%Hl4YqyQCpNX^*FaUoLNOG=Hz+bTs*=`D|Ghh; zCT6hheB|Z95pWX@L$ep`g%POaI#>k_3gooLt7AmvKT&-cpcK9jG#H5gPBIJ^d3{$7 zTwBw3rGNgon2J_NIY^UK>Sf@H+D*K{LuEsEJ6r^Xk_X@yf|8`7bH{mbF@0u!iLWl_ zPGLqlgYPKK{5>xGlYS@;8cm(NE1maU@HO_nW%>O>p|1|#Ejmd3QVZ<8&`{Rh*Z_Cg z{`LOlGN^c(b-By#kl5vMqo`M)M!kIoSPdVLS=uD92U0r0yZCsPGJON{VDF%xOGO*7a{6O?ViO8&sZ*m8B{VL`{J}t zReAP(bDR0+}eOH{ChPW6o4m9m-EniuH87W5tdcQGnwG)rG0sK zO&*8I>$%F=KtlJ$u-Mx1{a3yxHHvK>4DJ1UvM$TM53bJal0J;HD#Y5SoGAC<;$^lx zdl<)!iH(H(l~2Y;gjbCb-0}q@f{Lqkg_;YBn;EU@(48*yq2PTY`5~Ndi61hd`ljqIKy`{?7dy2{Kx=T`sToDBe?=8 z?RhzAEDD)kJ0*pm9gg`lR(aZTwzeDat#2?~YzEw3;|-O2`vya|-;_bu#zgk;#t$|J zV~^ANL;0_`O7z#EDo%LB7tsDwb#|4v~$^sc}WM)EXpp@z;U&*ms zW0mKJ*waUz;zSweypxP5W2tv4oZn1jWv@jWpTd`=U8*E#M{4wMgF9c!wz>^Mb{_mK zX4Y8*N|gOzy40eDl9a&~v13cM{6F3FHh>OA@BDLEobNEsJ%Y<1LZNo}eHX}@ZVvvA z__s!7Z~gF<+pi2UvVr^sFZabm5tYwbr)s9qOx7)z@X5s~a7Ba|Mil+)ivmnXKGs6f zW(>BMWi#?$PFW#_c9$A|ud|YvMO|*0m$e(?oCU4+6GZ9hG*E&y+IrsCvSiD>5FNgM z;!Fq>)qqPT6e0zj>J$pB9u#16YTa$cMjTE=+&6&#b5I@_ed;jpW#aXnC?!(CAQr!( ziR+8+WobFTec&!gM50J+dco1rg(J4^G`u{R1wHeG?$r?dc#LZov&}!Jy{lPaTwT36 zFs$;W+b(M<%a6k>%pBVe^N%;M#Iumg`XzrO3gHg=E93rK1KV;P6h(WHceOE%DwR0u7~Uq-8+p~~*&e2Oqq*x9%@|Rn90I#f zV$x9nF$rZSF62Rh#O<5UvNU*qdd)39ai)A2nN^*aJ9!=*-l%KbqO`kygh9YCx2yd2#DSPyW2apLrNFgluX3r}XHT=X?UpM|YDn zd6l=``xJAY*~|0g#I9+Vz0lXX%m<8{^0T5CU0kHsi3tGjLQqqm+=Rc4W9_)f=qJN~6X7b3Hwp*?0Fb^d&ai zI!_v{pDVG8@7~^ihF7F_>PI43E(QCV>b;|tJod|izqY)%%fs+Dd|Mm2n?qO-e?0jG zq>#Q`Vxy;OqZJiNl(<3t>ma&bbAj8I3gmVhzqxWyb?pY(xZ;PeE=Yl|IO~U`{l$3A ziY3PR;uFT~PVK{m=? zDVi5>hEFd5u>4F+$|9_`cz0pTyPUZ7^bq(;qT%SR3)C;-|Kd&5OJn?*n>dp9nC&Rl z3N#2SX?0Z8^Sft%zi^!iop$i%0qvL-?k`CcxOeAORD*x+Bmz^%A!)AnJ~tj8>f;eT zyE{v|i8RM&~=guq~vP>xIR_0UQ+NL zJl`pkQ?f6m3s~;#8TkR^iGGveIP48u#S92S$3fVCy{JM^v2d?)w1p?T$%=_H)eQ|Sp#|+=R5kEsc zzzs&an2}40`wQRQe~Z%(0f1@d7gS#|qjA?G$`Oz@06pnH!-pwgzAS8E%bMM>*tiWvX{ch{bE=|{$OxLV#Cddp)@xNkT z+s75~)}Of2WWObjA9Ak*902!bm?io9wlkeQK-j|Non&-C&kwGcb|)oE^q6y>E=LmlvuH1lXtZTNe}@3_-tk4NFO zU?K6|czM(oaK05_E!hHd+o#41a~*G5&=e~NYpWf2Dt48fGC5_yAv1aC?mo^J4V4*w zwAU3*=Nm@vf3c}4$RV?bQa9LFok#f<8@R5s01xE#^vOL_H=mKp$|fuB${Z1lc)W*l z514_l3*|2!C_7QFx_{Utd`}YYy`S{1N5MK9y*L>Yjs>gcGel6(RL;y)1V!W(<55aA zxTOS*(N>*$fk8j--Spqkw*#N)Py7_adj3~;Z^nID?NaJ0TbCXIPli&ui_>{|Yuso4 zQk~lmdHsB*-s7%^BprWv%Ewp>4Be1=7*YYhD1yM0&ZfxHB(|b_i-_`SN&6FVscJ=9 zq%Z9(-+0!D#go?NUi;4!a`TkMB1`9~?>_&)o$4FPDYEB5`3uM%b;Q3P3vO<#abW2r0Srt0#M(CZn*q1Hv)Z+vD6i4XxfI(KmmDhdZiX|#{>REY%7q(C3fNhAg+6ci-8>AgTw|YZ3QJ4LSJ0+^#ge}-(4m%&&nNgyV0d^uH(zN z-5w^jXl`)msP6$D6&Q$Fg8DE>uIt5qTafth;^q}$u)33i|su3x$*bL9RkgRL1~ z5RG(%OM)L_09$ZYu7Sm@u6D3R*WBya*ryEtTPdkct$R;J@?C)7i@gB8IOf>hjf<`T z8UIwl!eO@oR8Hx9v1UiR87u`h*bq()5%PH&i?v7$w^;_y{T$s#XNyDc?u_oa`e)ks zFY+o;@rSOkYu|(7@I$Uo>Lk0fvZwhy$qbnnVb?3ii($qt{SNUd$t5WHoYDwJ+A+g} zD3!+!FNr)uXG$Gr2@b93()q*Yw+`)rL$lxzell@!XU>j4l}Vt6=Iq$N%o&eP2&&$z z$ss3y;9Zxnf}9h~*T{wSBooBk4?Ef=PEaW~b?)lMb;Sj_^b3@JIktDi2mvl-P?H)~ z!5vhvlHztdM+@b<&eclN_35R7neEAr!&uz2i_Str%E2I$|DxrW%5KiSA^c&)(QI2n}yoI6wOKCw%;x~9rZB> z!=adb3zm#yobN$53wz}LLsp6uGG;X6d)sl@; zU&4>ia(4{D+RS@?T#PdA5nkZtrs~E_c-BtC%cj+4J>ipFp1Q*k6rN9wI1DZ6QNZRn z#tcCOT{3|OuWE-p$&7M@Lq+D@+ec#gleez^mi zF$pQHRg_^nT7<_8<%-@qBEV{yEGgMGaqHnI6O2MF%x;Rozzz^&(qd9*jnLXw*VR zkuiR$cYSU%Srd&401tPhZ1>@$&qaM1?|Bk|umc$%P$QH}?4BEGQ4*>QH(2=m5k<%w z5RU8XUAJw3c@LrFQKdO^`@kM>=V3T&Tmv(slQ2cZI5^F|igkIi@I;@v;z z;{W{{(76eo=JgkoCUWn zR)wN>0Kn^$nO1mcngQTx&tlXDnMKu4voM;xT4HIb1lI3Um83^kB$HFm^4lNT58KWe z$bZx(>yo?Bw{kvH5k>%8l8~3vR^b>*?)ELt)TW%{tlKT8Ac!y4gpl1=9UEli#h5wp zG6aSLk8-Bq=cB-U4PA`;=)qn#!H{`EU)%mxYqM#{MHm?j+Vvux<4#+i0qxnkuo^H} zkAUGqvvxc|?Z?V&<7Kos2sFYCc#ROy5*kI4v9|z_ZbH^xEuLsO7>RWDC;{bvK={{?)GyK=f{{KAuB#EhCZ7FR2O|t?SNlGv? zywb4kG@YC;pUVz;KDA#&P31XyfVp;z_hJCP1{^E<9alDpI|;4osEW+R%fYf&a_CU` z`=G;h@qGJx)1sSgkHn;GjkvG9B<^24f;si;j1?(QpcsHoZpZ7N^38WnZo1QSiBLxM zd)WVdz(}8_f4|9r%Gc-0gpMPA&yiH(&S{{BSc|&%8vcF<@W z9C(b6X_Iq$mpr6$dhtJXpK@kGBe3`#pXl_{jH9clocudbZoCp`Mwv@;KrWJ5$lbzu zV4iOJFU0#$$Re1MS`O0`fm3fa0=#_|XyQs*ZYTi|rHH{qjj(8c*Q~r}YLI^00%cSd$&+D|Qck zx9FPo#U9bh1SD#ut33|*G+{w47CDG^BLX`|DCbuFY_WbmGW+$XuS+Q0-9UT%oOcC{ z0mj>`9qi0AD1I!)mX{2Khwcvo*7dOe2#ymEpv-|`_YQ?cNC;kT;;G7zw)F7CYCbA0 zQnp16UxeKL9H9rqM#^{k5T(TznI) zb4T-RNlc<+*9xRMMcq0E-=>I&kKDq|6u%r0}Jd|NKK;6AJl|#kQXUP9<*+#0IF0C2L_JWzO;*5aS9)RT1M1F^$O;> zwBP_2eR{EcoDR+DpkNNKUK^^{zDKeQtoLk_>|2$D0>XW|)<3F3I7NJF4}Noi9KzMc zG1<@4B3t#2TW_D^AExFgg;dyMO!F31rfY(#Ogw9A+-GweCKN5JxplPFPD4{|9o1h= zS}VZs>IUI~Qr0)jiYKLWr34nB-76EYUA(UVKS`Gx@L~Q~XO6d;tbfxcC%qT5Y;i{C=k8c6O zbN^OMf{Z6bEC;A>#{mx}0l#=^S(k5T3Sy1Snx`e!?JP5y1orkIADpITs9dV41pl^% zniSW?MBZv#n(ry7e|^DI`0iEyQK+$m^&pcQkXu{Y;yUI7@U9`poV=;&r;W!9JAejR zrvHql^=t@}<^6$%7K2=3F|W=xkn~!e>j5-qIT4zCh(`}-_xQP9s09Q1_D-)13~9YA z@HRxX_7n35A@g$7VIeY8GK-au4Zgnv(OW$WE4TxA%GSd~T*s2fyd};ksP7p6id&bq z^qSL4tf0*t!2OfAO_05>cewKaHC#VY&54gTSqFUvWPLU-PM=-%`LO3^tq#cMjJ=VD z5HuTXI`OUU!Mb;cuD*60E?Ux3sR}P46)tI=L`VCA_!gnS;aG1HtrJmjJImvua{TR2 zz>bCSfWcZv#zO*A-XMDR{h;ysnU4RD&g>9CVEux*fdpjHBKYE38H8zL=4bSgAl@C> z9%Dtn&`;{5J((=?B~4$p|Fyv(*;HOPjm$S5*EQmG6tadP3A-SPmz{E%kg}5RN-n?r zD$^O3M@`u0-(Sl&*5uBu9)kPS)oykPu+m<&CU5o)gRN9{i?J2q2E!l@q1+!{1zhU& z`6gp&AmkThrgtJtI9ae;{<(}~Rto_xG zTKv>^Fj)cU+dpnZV@KxPcQDYGOrNc>&*ObA_(J^??!^i})B{av&}4*2?%ea`a-f^H z={p1zBXru%0yOhB;G3?voKn^ljatdc+KJPQs>N?hL%TcnScK44y(mE+@r^&!reEoi zCm8i4*~~(0U5&((KznmSa&8MykT1wod2&>UFyK)IXtkbx6YB9gN3ZyFYR3sHu%sPF zLlRA8msw12lwxE9?*RJ!4&%M3K|p~s%}aLXjb_x$%*0b2W(Zfe)!M<;D>*~Hwsz~D zpFB+7c*WWLjDq(n3XhiM_=?jFoJ#h#B6|-zX8`g48_&n|h_ZK2DpsUy4Nd!rX-DBb zx8LO(B)>au7=+^QDbbM=;9@#*>I|S%Z*IMkHI@sUBLHl@BXb3mYs4!RcKN?2Q0`;@ z4z-I>V%^(=yX5AmS83u2oOc%&rg{^nxJxLKCRKFrJyKAgY--b0kJkp7!^M#^o$9EO zpgBhEwOAkC5BmK1=e&94XD`8)I&G8uP8qoPjm7k8KS?t%0O~(KAj&Y85?x?OyZMim zi%qRQ!%+6Q8Ga^zp1E!!Cmz{}e`s@y`&)CRc$B30_~4&wU=V$Ok+WSY^5E> zE@Fhufiz<>6LFBNM+dfwJY|)sQ?uDqu-QaD)%YV+k3VS>v{_O9I&;QSmM*7@-tX`< zXqmGdWjOQoCE#8H;>HMAxBjVW2O$APGTqTNa=Uj;bdpTZ{Vp^?FTn4{Rq0+!bncwt zk~$c^?fD)Z{=HE3LIvPIcN8_idgflqF0o3Ui>smRd6>`j5aWH_fxv|iusNoyI~a5dVMyO7F8nkwFc!TIShUAJ)mIq`5RlMKNOaq ze*$pm>n{SdKkH@#6Ft|(nEB1y%RK2i=A|lvG4od=+bo!Pv!_x+S!SUt`6p3(knzJy+* z6IU3^j`m=xf*tT%g*nAHc2@N?%OrPp({=#%P(LyQY6ByM2LgQLqe#x-o@^n7J415n ztl~kbI2OOEr-kB1cxbKPVUKWvxjhQJUY%Ipxeg9XOvPfqcW=&?#cVJzMgjmu6l|#; z+gERBaL;b=$aZ^h=*eSO#H0Yoz|AAGL2+ruQ1!gl1Km1mTIA4ARGzF#BU7CWz z`ni?ow}2`o>kbh=LdUOIV_bcH08|lezwkpomickH$&dC9-I$?>4y_NMS8VMuyf~m@ z(w99#doGJ)80PoJFmuu4#MDVpKr^o<>c1v*!2uf6^QTf~{~|GItp1pl!w_^tlxN?3 zf8`ffp3_9>siBt{V2FwCsUB!32QlDTHw~{-+%t!xM_ix^t~OGMVzN(H1rMbj;i<_R z);@Zs%u}i}#fdr=Gu5!o%Z;F3t&#lv`cmJfN2m71R2_xceQbOrGo;SUjJafTRcC9D zXM({};r@TKs9_C2LA34mm_|Q;Xg&g3)BU-NDm^N>ve$lEXIo70czu!w|j zH#M4W8q{dC=_bCu)I#WJC@Y;UJ}dX$6+UYZg$ho`xVBpXpR}RbJKLh4zcD-0LiKFP zVsnQCt=>Kxq1RB(@S`6-C~c)3Boo$NL|F-1;XCDCY+CPEoR`^bs62{3A(_inSBmt} zxA{hLDJe@z;<0_BqtdAb&qaA^aJ-4FMET~-dj42J4Wx5W6GO3}p<=YcUTay7-eJEZ zwTgwDWrluN@!2;{L~_CU{Aao8$Q5ZuAY%j43olS0h=;NHe8ZQ4~%m;;1Rp#y>c=wii3%C}-PY}JH_AW|K&eY>x z?_^Yb9d|P-c`a#NC&Dq~IUoa6|3v1`ul*Uf-JH$;Dhv4^=U63f+|KHHdamnu zj$^X^K8MMC#}SkthhG)S%V8fSV3_k2?CBl8-9bN_QnBO}BF)TYO728OqUK;A{rMUs z#Qp`@;8h~W`^mgf_-iMN(V4-~UI`%utit-Lf_EXLpmi51nBYI$Y#+I2C%ZiWCF+?U zY0iQb3gyW`)x*E$$(!lN4Cxv$M#-gi{QIVO0uDkMa-Qoq9^Zj7q%& zT6S15k~O@LbdTUs2O49@B4cy)a$clPK`evFd8niTYp`hHNZU?1#j?@Ek;A2l8OE{W) zV&alzVmgnP?1Eq6f9JU%@Jj;$8ql65?VO0`Md?Rvp%d`{<4N0?ovIzD9oWkd%lrty zrR>k$R9$iw2j4M=>HDP_?HC=+e+Q#eQ&St>*w|oDxHZ7{v*&SdM)N6`tC{Knw7YKG|R?8g=Y3-eCVg*b*BlhZpcTOYpPM2|i7 z^$%u;*wXG$+2A}|4*d^Dmpn@wN(GN>p8Hia z0o?JyRMgbV)fBP<5sZ49FGmfD0W0cQ6E`<#<0YT%YUn6*(Q%x2^Q z9oJ*t23cM3C4R}7%QN<&1{-iD%5+oyBQ0ZJsFxjX5$dF(mg+Pxm&P{=XxSz%f8X<- z`Y<0X0c}l~Wm*#sHli~ZDbJWX$bNdPT^khP>x3l-g zwKD>}z9)j06tdMtG?XNgJ_be8oNklN)?*3d3)WR>^z zsu#91QwA)lYx`XVZ-1DScuCozS3TsN%sI+{V`ikcZR1;@Cibfg$?4)=U&ak(VamT~ zXukVXdg!y9e6=c3mwo-+X4TuyT*Zf-Fj}gOVrp1^zbs_{rs87FTwPGj8pj}q;!({< zo+;obdE&#OoznYTvLz9*I=m4@jl8c1PTl%)R{J}&&7k7yQ zivLh;zXLA9TOp%zc| zZmjv*q?-mZrROjKYoSG16nO$W_6!N=3nK^2$(70lh{heBlV_~Or*ywzh2DM?txg?t zGuiNTgbH(QX6hvUpnMIzP$2V@aWvnJr>uABCz$ktgDGlQmHF+&s32nzl2KHq<`SzDhbi{>;vGb*KdkdBhr7s=A1 zA;Z6jRGhBIwoeS1riif-ne`Mq*mMZ^zSkUz3l6%P)|;I#&2KjT;sV68RA+=mK;kqr zpq}b=m=VjuC=ig>@-DCAV5y#Z5dpO~o&n8Mw_c>@-VHuZ)l&E1c=$Q-L<&;klXe*Q zbbZ_8M3PC)ii+%dt)-%r37p}2TE|!^oqcIDo zAeqygig!~F-b#zibY-4HjL;zqa4`*45sfRl z?W5|Ki`2`Qi`?%YYf=qydEN+d=V-sNqOI)9C62sID3hLe3troYx$|#?W<}=GJT_3EEwt-Jma4U`!iwx{a09cZN6n?ClGu} zwgL(x8K4YHG7nP^%0g{qK|7x=P~w{iM3agy_77H{u^8wHZ2@~DCm*pZy>0<4-36MJ z>1Q;qoTxM@XgO(~+1bgmO{~%eLuf2OW#9~G^Pufr(Usf@3QS`_73qM-C!Vl30AuGF z4#2h5krjb*7Hdmyhu!ziC?mt!s9>zG9HtPViFEB*}Lq4}) zT;C6`3sfMPZREG$WDO*=W-`nR{Awxpy_r^6@|^)JSaVSW>-c+`)_zy>xS*|<>yd|e zJlJ|QBV`JxW$1gZvOqfqFCFD1E@{+|9r<^djPog zL4cDZ2bBej)Uo*cwO7E8)qi3#oq9n*az7)S*LI@T_ZCZO^99$G$B!v!oYj>H^7b+z z=XtJizg@9*@^Nw$xl(>q>+)&pn@nKPZpLZ70MS9mvlqp{gKSrcNFBmn+}X;-Xig)i z4`yEXc`ST@@!Lj$WR+wItGLB}w#e3t*A9TYQh!vYAdgbg%xebY^f-)bp*^{t`&B@S zMAD;Cv5GTSxXDi1Bo`h+8SXMEKYQ?GsOE((HwPN$i^{$)lo@EgE6G#bZKDMfHGXhs z2P0F*bhw8akhU*}h0sm}<(&tLQC+<87EGI!8MmX@ghQS*P4c+PLASoXduwMM=+^c- zx8C62xwZJF({y{XgNsX>Pi*<9oY(x7O7Eq}1HtV;yZAb_k&#j7?5tzqT$z{6q|Iwd zmTm(i1*u4ETHay2$+xpH>K4#3CR5Ak_PXz@6FBKaXDb!FT(olX7!|`erMtJbG>Z`{ z2y^OXq&EG=hYrJ;D9`xpMI~uNhicd(h2b zqk|6s&h{sj&w+-;kH80}{UUV&X%VqwY?|;B>f8e)rabHTjD>OmqCGP` zV!4Qs8{GT!W$;1neEew4*9MK1$LZ3Hbiko~MMG15ioqr5VQ+zEm)Fo?QqjYGN*nz& z44_YP%n9&;(R!A;G+`iQ(4(fdU()gpzJgil`!q4LF?CRbDhN;(jjE$u@CeJDXL3A$vd6q z(jYQ+TRcg;!bBjYaFy@lDDdSEQ&PrLzg`gey6NdK5SjQfNNNQD?Z+u!g9*?FA9S=J z*mT$|a}Rfz_%V+zgJ|hdaIhxT*Y)^Y+ZE?rnzToi5`C8MBcD)w1**UT-~)R*^uf%> z!bXqm&s0Bj-H_zjb6L5TcXu`{6H3Q3z;wv}&zg?OPDoWN1NdjMpv?ka!b@C{2ug(m zH$U4eMvs8bR+01r9U78K?t3giL)lw#wMJX5Ykk&8;hK#x4}fn=nv=Ufe$&llvfX|T zypP^<-U|b2AbtnDLa!|fH}TwiPakM^F3+g9)KOw82#vX+xxmPa(QbeUKVNhW zlRH{j!@-co5LRQbP)`uZ!tPF?|q_@5q4^xVo_10>P0~=pn zkIZuIo-SPg8QO4@?y*)~L-NEXV7%%C+M~}7yL1DA=(OpR4<2!Xjuczg-(CW*2pLt5^0+O3N(3UT&e&Vck&1>1^;HB;_}^ShxSqF^R$$}RIX4R$H%Xwb^}_0=)8-ssOO09^r5YS zc&>E=5smf!eWXFNG9b4o3bjJ3GZiWFTXaYIC-U^LBa-;>;>fy!4!I{NV59?(_3jwy zu!33@^qez*DdTBoX~{wAA*Ip>-twE4!@Trb8c{eH4e9J<0$sh+3gc`YM-}t&pn_kV z14vEH0D&A++0h5gp^}j5T<0XHTbXkeq>r##Lm8(-&6#Evz0v-%Kp&%PiA-9ecfyTM zW~D`Hi1>Yt=!9?g!VlfghjbukoPY%7vQZDDGB=8zOzq<$jdIb2WuP~6&>CAgIKX#u z_G{L(5NRCS11jrPTa4?%;ParhmcL*2(cpqHGK3W`Yoj8G*t8HPJmmo0#>IZMqg8l_x3 zod|7qIC(#(ZuS)&MZ$y)cPzQ*40!@AKfG|;TN910JR4?l`LYYAp$3W_AMzbl{%P!?WkV#ELgouAHc1EeHO(Ysz>kt ztu9pl{Rk14rKaFmzFt7yEXX9Pe%SQpu3B(`YsOpLQ3uj?iZScP)7GR(Yq}s3P!@xi z_aeyzWMlvekOZs4pz*l0&1 z5@7BtKtN2VVhs&7$*4=zC!BQm-IlIdc@l_ftIHrCcL>z46)-Vi*G^dK;<*#)<9j+*i4G4)0zu`fB%LhzYb}_-JF8#SFq;@iLn8w; zAd{;GGLf8$ad@DL8MJZKie#ceqRS4GpWvxWG$6F0pf{~+GQ@fx%cal6!n@^&%XRQT zcSi+9GT|iWO8Dpiq>>UARW%XCH03n8^kK6Sy;W%=Q-YQishoc|NGz>6UzgnnO0nt& zjR|QFiBPZZ(-(r5k_16&>EbnaD))AkXC_lPQGJWoQYD0jddJNB2*P$aPqMNkl6N200KO@~6lgEW~H3|p}M9`Fi~@u^RZ}Ag&-wEMBS`gl)uF$=vgM4 z+X2_E27E5Ak%Y}Q46)7TTC6SJ*q%gVO~P5YlU~XuwG>!S+YI&?TPH`#W3Qx9J%Bo= zA0@}zA^Kh_~zgy7LS^6n#6pIN52XP zl!-O}yh12jn-rmF-}i&fdEg^ap;w49x{>w`8Z^qaI)6J> z1(0K9d}w-Y4ppwcmy(7$peS~lvDBEUHb`o7`FImJw`Fv4!Lc28@^9D59CEF4LU5a& zlHI4kM^X&HhfU#R{PJK5*L3p&TOkz{gGtKYeqs>hCl)Xv0EOcXU_G9&L=Yxn*k_N4<9ul@asQ?O72^X2h1r?mGppar%Tbqu|+!KlRjv^6%vGKQyf6%Y#YK zHw&O|&j0!*+qT~~o3QlZO7G(ZV}Tcm2;*e_g?}oCKqrq|LOVe zELT@;U>WRr)_qe8Z_fi?{18G40sZtpd~s$vActNnxjPA#iDh+Dz#Toe(Z9h6-0*)y z2RhKcP1y&%D{zoqM(7gjf~3BFw;xvn!~PEk`Oky@8Sy`+@>^K?XL0`7RsQVb|C$W? z&m2HSF*WYf?Zu^~H{Vki{zaRcoBO7xr{^A9faNizvb@X|5P@~L_dM=hve2oIf8KMJY&%yOziPzhh5)RCSKa#GzEJtQR^ft2)BtGUwEA%ioU zS_TKKx_o-9@;cRG%cL-C0pOr^<6D{nd9yaQYV2Ie?L@QfOKBbF^1e$xF<$5q3^eq0 z!nusfH@miE`4!w;D7l?xG5i2rkp24wqN%els}>l-z0ha1Ym5=qz178tJS+OZ41qlb z4poi?Ml)$G=85nF)9N4_*W)kgRN#4ha+VK>%&PzO+XZ2?u#O3rFy-Pc7Y8i#M2qQb zPHTQYB(&Llw8vroB^q3?k%0hn8C{UwLXG5@`sWRvHkKX*7YP1-fmW6uA6$<5^)OsB zdMVbrz*8j8I;T$s>CjT^bgWiY^>HKc?7huJt(YjgL)%@EZ zzuG4l{(iv=y)~^7FPcl0m^eO+5ZY?a$_#B(5T@7_bGPrDRf%!V>eb1-wz3eA9}q~J ztxhQEt9Ww9lQ~kc>&?C2E~tBevd5OHa1U&ko+DTh*39sonE5|fkYy84pu$Zr?0^BF2cmvK;iT`Ws)#=gHx2SvYRrF+C&t~Kq_d>f_L=S;=Pyde)!vL5sO#ITEal^~1 zgP9sW%AP=v;!et$(bs_m+0YaE7iDe1rVH9Cy%djF@2vQ5@sJ4`zl6n>{nd4hckYBm z9^B;$^ovfo{A68l<1#7hb-N>O*xRR|wQ3f4Ll>m`JD zB01sF-Y0jqgV~&oof%r-4sCo%fyf^hg0aMctG>$6<3-^*{WqZZ24mSKVw(oWGS5BR z6MFObv2U}UJ7X!kJC;P=@(242@dbh+)6Go61Na2Tz&Vfi(h z%|-LBz7zh~v)LQ^2FxN_YH5G~{h|}j&f18Pe@S&`N%t797);t>%mywTd?GO#`KGyXF4~MFy=&ezAlgLhM%A1(4)baKx$bQgPNbo*XD$m^Bg!MZx8RY4FG16l zmOg9I8fMiV&1+G-Bnj?2a|g}>4Sb1jUwh_Q&dxcpB@S&|kbRe4GfTT+`5UTVV{{h516*u>lf46KVXx}LzI-^Ns=1H

aHDI zU`V}O^e7;?N>C{W+nYMj`#(5ADpN$v(1Ps~b~3P!d#Xp!)xDM%>sSgNDs~zE2fKAx zg*CpSFCBt9s#l)C&!NsK%1;AX;PK9~nzcNa`?qTdQ>y?*;I5vMEKrAP4!fWPt&44= z@HY)4RNZVDu+lICTH_q|KToKztn^AZ&^gb`5wQH>vg3!2MBC)CX*|fs&gha?b-SQ! zY^#>ENXYhXKXW*%h2wD#IWr@9e149=&z_ zLq`(7^vN&xMVxhC4XW-SRE8jzk-o|~%jy1N1Jo-fECNKtOmB$KtHpW>RQ_(Pz7112 z1JyRqpvhb42#}QI89P$obGhYy$`J05^w3)qOuC2%sL{^Ig>hz0-W};w5hOaxX%U-( zh-$LfPba$okoI9UTuuH&^+tn;4ye-2>{L_4KD(To3Va%G##<7?OnDf#a2kOtAkp)E zy`>UoneXg)oE}T3w%uveQZKp&J3)L>wsimA3>vd}cTSc=L8W zio6lk1$qO;FZ%UWWQZx6;`B3sr#Ryzu_Z*5u; z|K3K%GgEFj`-iLJHiH|;K^@G+UYiA=_HmgttovvPYlcLJyaYr&s#Cy$)=l1Dd5$1T z3FqlENdzSM{B|Rp*mx~F0ImSK73o0Tc32Bd)B{Te_5STh-T-s&lG5_^_}Zxadj(zM zXJGh;>#`TTAB7sn4ApCtTA~&~x|7VlSBi`kAwORP^-7sUudAGb3fnWfx=rlvpGD8e zf)sRERQlwoF6n@qVn7ur)8nkUrhq;aqoltIQvDKvQxZrv#a=vX&g+~^0ecRv`-sS6{F!Jq>r~8%Q2u$0GdoMpm7YVBQ zy3*sVD#BScW{ND`P*sCHu-T5ZHS6;mi%T?!Lae5R9m968 z)+~pNYNOx*xai**>uG7A9%+R+iC#M^!Hdl67EnhAQa4ec!6i~*9^w}wS2V9q`wOa~% z2a}R}%FySt=>cLRFFlO~w*Knlqh<(Ohw-3}Jy}FA zRYcJY=#S+n3up;&=4hqfc#H?c%m}*xBV}2Vn(MM5R$@hCZZBtQ^JJlkDL+g*BAr2I_c zumRK|Dl}>-kBld(!Z>v%DL(^Taoz*yoxg$fidD2Y1t+7XA&Gh&s6H?(s${#RfY`G9 ztd=-s0IrW(oh&QF>LT1{fsR0pq+(Du4)Avrsyt)J_qO5Wb$Hzx&J#GiVh1z9@&GN) zwgKv+IO!@Fgf=9tU^yrOccyna`Fg*9b-=XYDW&N$4(rv|tcUQ9B%N~JAdLm-!Je#^ zN=wUhlDru@UFOcPFF@DjZy(H*nr4|HRO-Cyc724K*zhmvR%B@gCq~m&UQcZL;(alI zbRAQ1h>+ZUdH?M)#3W`lR_ReZ=2i=4D+ax97D8RY%i4$Cy^3HK47y7ImHdUHziTy4R#0BG|n-n?K0k;a=sN>=!iJ)mq++^0)%g})vIAXOPL9;_wex=^# z=vr~6g3AULCm+*7Pn2i(1u6{^0a~I#_^YIa8)XF&L24ZU&6BR5K(d4y%*o;gVe3mi zL}#2k=ZWd4-l?q>pdVP|d^T~%oG-%uY0ghZyQhXguAW#N3l=!=XV;*aZXGI{&Dr7X zJf0P5D2lOqwsK$u%hKrFsDKbS2Af7A5KnDyBs`A znk1NCZ1c*`#>PIPKo~tMh&GVe z;Pzti*?C6C!0B%1hgb1A?QokumE1=Kf(07Ux3*C-(eY^Ncw-kC`E<(R;bv3^VW)a=-hgEai~k7eNF+-zqpZF?JsG(Zq|D=EzXh4lZr z!0lg0`A@L+Cs_L}bM_~-_9sjG|NSiO@OyWAGjnqZFI^u2DnP$+@boO{o*cGhRVq81 z{a*ql3Oyk50ZsWX2c*CW=k<*pa6tAd9ajQ`)PM41X#vTB`}r%t3L`te z{?M_*I{pWp_RoX=8Sy`+@*9c$&*B8z&Hs}U|7TbEvycBdfc~`*<x%n3R~+4~t`w73jo z_Y!U?F|YUqcF*u@VpJ`-iH`aHBKwZ($*w%mX}^1x?;QNU{#T288NGT`eJ%&#D@_6Z OQ@^ZpDgWZNd;b?C)@Qc> diff --git a/versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP1/Distributed-API.png b/versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP1/Distributed-API.png deleted file mode 100644 index 688c7c2e1bf9d75f570cddf3a92fe9d4b8ee0072..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 49935 zcmeFa2Q=K>_b-fy5Gl$Ngb*Q!sDsgaA7ylgB+86l2BVD8r4l20Nz_EN5F$-reLWsAHSoK;i<<-Zq2+*a^MtziVC}rX4>f0;r-zH5 z2k0gxBP=Q`E+YXKmXi7V8_?zd`MHUmqaDuWKTHGB>F59>S2(~oTa?uL#(G7(AVi68Vw7svhB*Gnhq2cO|Qd0$@(bTj;;I-BK zd{oS(@cyDMs_t$GLjw&fcQ1l2)?Hf_W3R7;fV+C=I;c3PyCOARePuk+I`(2%O;=S_ zReu!|BMV&@M=-ONrB{HNor9(w&?-#{INr_A6RRTXZ|`7%v(m>)E(^#^K-@` zKtC@}4PAn$3_{%l=dEEW?x1C9ZtU%ZMg+n=&GhZ9)KJb61Zf{*Cmk0l@qhs1Kp9Ov z6%zv;ZG@4Xs+TF=)zit;4UI9kx72XQXn^t12sf;!pQSUw9_J}x4@2M)-X>ah2#l10 zr>B=U#=ue1#m&rDUs6rgGC*I{O40%Et7?X~kjCigdTY4ZJ4hof9CXyAO;P$-3nbnO zrlw`-q5&jlqVE-G;%s1IVyKSx2JEm?LFs6_nBh#V#Qoh>?Q{cB(nfGG2bi&+nyM&4 zN?XU$LEjN>V5cdns$r>#burOL8hRKwd&BJ2-5k`td?1OLsvw*!;C9}cs_ri8nr?v@ zNgXG=F~LyV5DnBs)zQ-4QN~2a%|c(-)k4xUz|-7UU0UB4FQcRGs-tR#Hu4}4ER4LJ zB!C_}nmB<04bU#0R(`IcR$|@~UPfXnh6HUDaVH~h8Fg_tf)3gZV+tCXi)wD&GEu9TC z0}Tx%5k|i1`eM2cNMn@%7~IXt%1{dEv?|)jz{CrwZ-sXBbT-5~N@H<2Z+nCx%-qYt z5FTI$GnO*&c2#jvF>*Aug87@v=(xLxTIidaOFB6E_<4#06QU~V=HTS#X^#^#f*I*s zX<|?+7TPW@`Xl#d<(?d5{O~~FPT`;w)p|iQSlbuF@iiV!Cqmctb$61@8q8BLP?5uBW zu7j~exm&t>nWMziumnkQ11mjkFDY|`q_3#I3>d-{M0qPnExGxfzSyiNkI$*A-ql^*8513Rn~e zDZ4=Mt13!E+bmE_R8zy)O2PszuA`>v?J7eM^U#&{GBx$WU>(I=)!~q-GxM?tG(~s^ zXov?I*c&0?z^ZBnVx$SaT7ee+7-KIzaZe*lXhb9yDP!g=?J5@FW}szhf++y13$E`jIRSQH=1aDoH5$c!$Mq77v|_7~z)A}2H)SS+`xe?_NwACO zO0Ctj5jP6gB=JR3Bh>c`nDgw9=ZR_F7k^B5;l)MOo@yzvWW!4)e$!_8?e_kA1G_c* zqb_nkXMOsY<=x&4R4LWZ1eRHEmpDD$-V0uMmG!E=epP<^WFoKrgYgYzG77qIGD=Re zh;Yi=ckT@T`sLifF?F26gpq}n701oZof83lOHK_MX42G5 zbECCJ9OX2IPUSScN{5YeLMd1zuUh4igBCy+uFOQi!esd@oh?aLoKJ>E?Xc%{ z#s(JJdr7A*9IlhD;aLuqF5&t=J_$c1Le~ycB-;j z#72eftRbJIFR$(&ChGyA!=`$q{^)=qMdismLu1UB(<`49G5%Wy87f8$-Bz1l{9w_g zN%bk}WM(VFAzSDY$w(-@s+E(6;<=QhjD3G$edAV}qp)r86(% z$^Fo3PS5`cwDBU)w?yHPKU#B~C+@3Pi$dtb=l5yTWnuqTohBGtJfz1t>VuDZ*ehp# z{y&g?-@n^Q$;y6_iKk)YeG|pV=U*4L86(R$D|u)KIEZmD{>SI`U%EYXP6 zx<4wQNn?v*Iiu+P<&!1)+lga`oGy$5jKB3Lf#HurOOborZp!fKoSLuO#;)JP*KkWe z=rvFp_NZO$@10v;`|62j!@hY~y}!3z+Z;BLY%xUmnfX)ltGoDu8%a`rG7U47i65Cl z%1k7Am(@?CTp8j`ckj7eihQeHrF|t+LnjgY_tuTn278d}YSkYTf#S*Ocor}ouQjx@ z{BgnYflGc)g5Cp(R-u~T@8%!g;W&;Z4*P%gz>bEj`&n2M917Axh%ne_R`62mZT+b8 z9)9LrYUsbm;tPj4)>5>b|D#&@lbwp&vy(}m1Ncaj_nkQKzuz9KjuxqVBLnAg>~ToF z)}Qe*aExvASLvG{cPGCDEz}O|u7~a8G2yLYVL#^|FH?7$)SPzJwJTEr4xK$p=zcS8>_J9j60jb!pKovTIJe1$$fsa z#lERIizR68)xd*L;Wyu|PmYf6@2yue8pwCoP6&BM8D6lfB3e4xaXn`K+upncwyw7{ z?)ipr&2Lo)diqlb+R(_w8N27V+bAZ;5w_!9(ZUt|rh2~WgHYvo0=AhQ?<>}i;LH5P zqH>HQAgB6gR?rXyt>8BxBB}M+7ayw<4HOAiF?vXykj)P^*u91A(fv@&bciG1zCYlwwpvkyXC3)`AGSx>l)10 z#!o5j{GN~pfC5couv=ep21^m!@~Zhu;THHCd7~8ALYj;AGnp~yTP)Na&r>+ zJ~InADJ@M6cU@PperH02Em5ca;Ubb41@rHK4@eZec)ZJ8_xtGj9i^RzmDYNqGBj&b z24Pj3Hn6u;vFJ9JC*1d>A5~&YV7#PHB`-Rs9kU3Nla!x-M2pN@2TtWpv0`vr`g)?U zJacQpL@Oq;5-v)*n6MPfWtD4p;|04chpAXT~7u1hm0T z!2w%>i%=_IUS`hhD(^Xez>jfmx|z@mvD;B^x$|R!$Bono8O9v&zkrrFwto0MAuc_* zx?aB@QUx)Ckypv{iSljRY-_##!Bn`XURf{a4Ch zcN#g_w&^)==(#3l8+Sc1nJCE#rxMufPT3iWf-$OHY9)fHDaZRyTTy0CR?9rX*C-2> zt_9Ma1f)cif)l$cK|GM1jV$+Fq9pWD3MG12Wc=o5srt>1N$>i~pIOxerxX^uBN)9C z1-c@&FQd$n@loBYU?bF}!gw9yGjbABKN)Op{#4qR8DwERf+W7Y;#u1#R6YAV=HbQL zUy}eE2x#+Gr@GBaw-E=)jUoJKNQYc&=vHrbmD2v^$3z1_izn>4y*%NZsiIh^{Biz; zi;PTK=R;mz@#%oGeD!2uv$;t)F}E0azt>VA86gR$$wz9unux#Cx{s}z%AfDnI`6^JorF(l z{V?A&lz_j{D%afji2>u9V(I9z_vmp3Wn!NDX8=+C2fTF-MxgRP(WvU+c8h7F5*u75&`;F;cUP$Jv=K*W2BOL=#y=Y})n^!WlO zwLdwdd*(A4%bBc~kQ%?d2q|p-CqAXk)=7tzCF)!jnI*1Z7-9U@Hc&APM!ogJ=7evO z{Fh52ug|*?Tf;tJ?iN3N{h$KI80z;i7fCt5dCH5C4S4EbF-JQ3&CX=Px%x6^jc=qO53 zj~9xw*|+xGAzS^a79|OJjw{ePQ5OG%dXTIz;f5{5G<9yySjx5!zp6vWhpia-kh6h= zW#gbt+C&dUG_lpjE~$RJrJ0I+jYrbA{{hcxf!Wy~*MUdfbr1L*a@LbqUXY90P>_MK ziF7TsBlxrDG40yk_Yg01Ge765lggtYz_PSIk(xgMAuw6k-Z zF5)!#bmJWc4>Wzw9y&hH2095{fRCIvac#%ho$PLE+=0Ogpa+Zk$uUaH5c8Zd2l-sr zR+en~wZO%9-}54ZdWbvRyV2929hgk$^`U z=zQ&4CzX%45y^p!IF%xXWplRpUTneDsYNRQaM3oajgMb{_aOQ|ZuXno7-ztVzFYOyIGUM~+*29Mvq{PH} zHUouUs)UDt%fu^3#IB3k?KhBGzT^gb`CjT~zdKobDszABL8 z2qF}pY(#>uLN`L?ljKAg+&GDznk`(+mrDoIhDsW*`j)5RF^fgwY_e`030u8SPIyE2 zS7$9CcXpBGr-Ni^BIIO;Qf%0LN6Q!!$dJ<+NHM--O<7oPz43+xT0JXZf$QT-+;oy; z4!_isAU(h_ehZDiLe4g3;`G1T6+nLB+qal`SywMAXRcDVOw@uMQTy8)2B{|;?1)d= zMw*=NWNlqhmmm!o=WW>Ks-Tc06?D4)DuL@x8x)H*9))%{JCL=1O?!po5!*USvO~#{ zt<#F=NlYWcWoKyOJ_Lci5cquz4N>n3u8&3WkBG{j$&wy28bPve(GTC&z#erc8e|T3 zS-Pcs$~Je1qy;1@%K;MS0`7ZuP&EY8kR8g5e4g1l&G}OznO{F6XX-lG1*`9xn;_~x z0e{JaTjOlRGxAGne2<_TTU!0?2Z`TMyk_5J4Wh{ z_B@a~K`P5==<14NJA1ZBUbm-LCp@J5-;;1K7f^4R=DIX7XeSvS100m~)k`_b7H(g7 zmKsq0r;Rddxj;L23u-2hL7h{DFo&+|U? zB;@61HMO)7iA|hz&s1#>(H9gVRUR@xX*>;eZ$hUA1qRAsXY=`TyvvBNl)6)QIpR+$ zcQ5Imkq_+8;~V_N*-+E-@Q4v)8Y1<>R~03{@9gG!hn|egQKVq~d4_}v@neE>$7q~` ze{Yl1`q*}qw^ooc&BF4TICQU!7^g%nByt-laJ7-w1V5p9Z*xzN1mbMS= z-%>SjyPN2FoT9z>e;n&2>znXMc5>EcUcG%Lnu9J(0_9qrtkG|@WG6*543>Gw!l}V5 z^f^5|ke$5+W;t`0LHeS^sS`=_oH;9}Q*DVx51vwc`8eOw4Z*CKiqMlYX@?Wca-45M zr)bU*^8W2pUB{~_V`v$PUeTO6-qv=+Ge)w3*FT{e1Aiqk(*&jzoTZ=P1LT*{(?f>} zwF)4gQe!wIryLs+S*mwP{{2@;Las3y87DQ59?5k&%9U_kmZDw2FM*B@BL5OtSgx&E zA3tj`a6&I%IGD!F_-av47pk!cSLS_grNqb#*QOs%NWMZ&0=^(;+-@dD)D}Ybysixyghp=+45y!n?PumoLgiwwM;xenj%PxpLS;+jvQ zW``x~?s`OC*+8gLlcK?wG%MB*nqO z;SX-Xna%e_?XIUwd!v8O+_`;wsHH{w=S(FX1)RY)6QUJzsYT)B{Xx5CZ>=rsHPxMC z!%43gG40muYi%eD{kl%!?`WTy_@JG46WlvGG@>Gx&!oJBP98lV0P8Tsc>ksKjjc0W zs?n4ZowP()bn<6zrx=YP?#v$|9Z$997o(ZuD4$$xs3|lyPdJ$E3^bcY{FU6Hu^Ed< zY9WR$X%SJ9pgB4=1J2|f>wC9eqJjfJ$JWXWg$ZQKk8~^%$Dxyugo=R2ZD(Z!?NIP= z+aEcc?#L}>F%2LIvHG5^HfTEC-sk`iI$P_%G1zA#Gi4D&tP>nI^{VR5@!=#w1kACV zA!xj$JTmC9$xdG7D!_LaDH4>EDbtwE+H{PeLpPtRA+W6e63#6tD0ufc{X-2Pk)x!v zCY{;%7eFHM$i>vje(v>+CR%L@GX`60Q+@#iYySD7`iF}T<=n+seowUx(e z0FH}_Qo!}28Wno@_j-l`0Vo|nj>yrWXpg?^z{3x@5iFRa{mSz}xcNoeBx2l2x&!{7 z_{+NGFTnqn9i1701ODra{CK4jPO$p}jzbKg`rl?q+FhX8dyiV48qF`R3aHOB&Y>>6geKJl7427*LQ2MRn z>$T5AVYfo*aLH3gw;;j*B|^hFvDI@V)a zI(O*2AS=moYw&J3i3^)d7GtB8W3J#?zw2M|{We?G_Cmc<<&T2w(5kP2Gf&gK0dk1M zuMgv^@ik-Y*qUs<)6af}W0qOUiiLM<2oq=UBZQxo9g<&5Ol~%x^C4D)OZhN=L5A4; zYQ+#P`m24S{-Xhnr^`uMrKoSXs z5~R61wM#^LH^?rF_s1|{sGSATl+#GCNS~oun~+sAsa`$t%3I9VpA`UV5pyY4ekn3N zY;QB&QzL)X$Hk_{spm1G>;v~>7{F62Dnr(X2d)t&k~8BrSTN{1h0XEA7+#pttIp!I z_Fo53O%zZfUDK!6+F!Z4dz59gv0%z(rRpU*1&A=EIcKxY3SRT0_bM-4^X=A{FSglz z60|nxlvy*Xf?TSZ()YwMU-gQBu+<>|Ow2M_IbT?>T?qLo^rBsC{xc@luYP}bVVG8= z=G)#%fszai_Ba+GW<%`Wjr97}5b{?!*)IOkS68_5arM|exgh{*j&p>p7)gC~e^IG+ zN~SSnDKXpEWMp>YCoX2Zn#Ah%Cik9fTZimSNm=4<3wNw<{qCG+`r`S3ZxQ+RFFq<( z%gn8&kM5A>YL+|aqxiC%Lqm5Ko26uifjF^%A$|~kvJHT=`N^yxEWVW|^$osu=Gy#S zfl{vz!qx6R=vi8ujdv1Z!XfzYFo#;jwa*yr2cZgg5`!kdh0?cwFxN|)S$aNuOEs^s zKrl%Bcnv>1@p{maZGBRze(+l8<^+VsyCdBp;B)@IQ=cR7ipa; zL)}BcQnw|VGe;bCM_l;I+XB$M^8l#Are5>+2D4p#zkcKVPEPgKbn)<6r;P4j{C>|r zqod(lLRG&WAtle*>~9SWTRLU-U9F!ft*%m7`}{rzPExNov$*!kWjQ`J*k0^TIUng} z;tKc9#PZ&H{b**ukEnSePlE2k1m|SUH2XRBgWH9&C{W0^hEL`$<&$QUd*_mySQ1C2 zLid)lrEF}=0OB-1o@kIYy-vQ?wjWyc?u+$VjNY7BiTJZLsbiUE2iVO774{cn!z8HM z%ffbNNbPay@hoSucW0g0#x#ic@pa3Y^AKn$2XOY`4ynwy25Cr!rsOh7R0su0pe#c z#1$>LR3%Shvp}}RtY0clvwgGx5YL}kfz$jIAQ}bt-UpiG+-?F;GfW%mQ4vdy-2591 z##P7td6fLl@Av6STbz|O+rta~%+>*Rm>-C_bNC_en6qnnA|WnMq{7Ls|D6jkwgjMd zpN|RyA=_U^{Rgh$GZ}9f-0P3l9Np@#2sGG2EkD8A`X1f@RcM}#9BV3i{sP7N!U9=s zkus_Qkp~ZZ=?(x@@ADfC#~$#V$q&ADENCK(4b#5{%)#YU+gg>TDw$s$Z{}OjQ=9M4 z?{)2NG%I0|%&l6)5}@LhGH-nro0z3Y#NbBd1V&x-bW0Q`Op9tD7=*K2kX}(|xu`yZ zK-{$C7w24(U}7wb5->%(E4?u;T<2j$z@TJLCJi>E#WP-m(C)7wB$h6zv_1Io0i(0Y z9$X(r8h5&}2nBZ}9n;c;&9hzv&z zk)EwiK)@Ayy>F~ZjQynq&H#zqX}=bSd_KZAqg!PUf&xuUS0wVsvx4RaB^ZSs`;W(W)@1{k zcwW5IhxD1t$h;eG7{f&>n91h6O^LbE_+W8b0qw>$g{KvU(cU`9y{$>CD{5CyCkApmk z(Pb&#!~@5etaWjMEs+r^{ScPjcp|}nsXk#0Sm555@dj5gdhHFu@>G*a8S06>-e}G? zOvI9Q5sUtk_LDSifMBdSjt$gKo5xjie`8&kg!Dy_p(v47c&m#8kgX@fL)~hkmGtdP~nNtwB<NQxs}ZwvV->5w z){Y%JiDYl3;e&aOFLp%0UW1^cRP5EZT)*D!NEk0wXI`rH7l}mFghYIefF8$o(t1=Y z_g!>`UYe-gbJ%MTNkmGTd|}0)cYMEJD5x2~cI8oaS};y^`h(5hlD)Y0k25#QiebD1 z(MCMM&7t}2o;BXhptWn1CC_=8Ilcu!w%~DZB%x%rKxwyVdpUbwezP$xgKir-s^ljx zQDw6DC&U83z&`3!LRql-X_<#0;C0vEnAxqg(h=j{)>>Dd&0l}?iruX04|plVWa&ri7(xaWthReZHCQMSrAY-BBc+3MNz! zY_=p-PR4WsUNq7X_==ua33omR#2UA4e|!DKwU}3ukmR42Z0;(N{6J>*+4~0%;(G}R zvCe{|2lA={q$ex|#v;eg2YX>2v`#6>uwRn-5HvkbnJs^hzks$$J#nA0*Q{NO@Yo-0 z2>8XhQs6vlI>`+3-cJ9dGim^sD)fsVtuXVSUgBT+(4yW6GlF&Txj#gx-M$~$5Y3y5>aT|h{P@i%x z+S={utNg9vB;1yE-Tg#HrzNia^E=;;bp(BAe8z~;`SBNKmc-`ienNyWRh=Q3&`jGj zPS5=lgtxs9V_S$FbX$u}+c`HPVra<%3&MgX-o<5gfy;%Dva{IKg>p$1!HO2m>ZVzDrQ#)1zuQ?SbD3D3&aRacBr_tnccaSwVz@^ zJOgWN^c_1Ap$OoWkYC{^_3N`Fw#8-Fy>vaBs-(@pS43cqQeJaj8O&Ce^f9Vg+jZq{4#?CHfph|Dxa z=th4g0lL86F^#OnX+LH4Se=g|%2Vc-1T!{r4dLo=OrigHYQC`VKC@cg*Sq-c$AqJfap%Dr6&&dw~l8AS- z_a6b2>%NUk$OHtC`-YZ=uO1ji;PAS3UT}Tj?o!^qbeec`xsuMA^4AF+shgjwr z6Gd5yK2)P@OVZh+fhk37Ml-wsGJSfw8v>`OH2`G#7ov7Ir`*~jvgGOk%8065P2#}; z$n>Z>&y7b;JgNz|F9XQb3`chYGB(aYV!02^dSR@^@z<3va~(parndaX-Ka+XrBc5W zDqg}Zx+pDsR# z1Ni3!_uCLA7#9yvR?Us5+nQtQIcG_K9dv0orCBpD2N2}PHtgwNE*3#zv0CATGqFMn z&@5f*0Deql^+v0VNnf4nlRWI=um8H!8VCk?otBqT+2AfY#djLfvUlQnT9Cr90$1D3 zl*e7q8Tcf%D$0lW_b10cc2gph{ZGj6_!;0Yaz-2miW#11RY8j+Bafl{%zV&)Hu-O5 z2y!68Twk0amn3`Y)y+aNLYa1Dq|h1C9I!@1mGGd7<7cVgQIk)m(?1l?i-M)l1Q)%3 z&YAq=oVOca!%$Bt-Qu6rW^04+AgMFt5x$gZo>QnR=V&nPkERuHjw;jSvAP#T*(utE z+Wt;>W+I;-c9_z5>A+}Pm;5w)?H7#nQsA+mBGW~O>vTvsSVW&Tf(z1kPTQMg>sW5p z#C!niOPvujWuqjaUiFX=#H0MDECO$l`9!lq&43mrX@m#iEd%L22Ehs(W(pJniLklj z{L!&T5%)Q7nw%t`G>01}P#?5qxzJGiHL~k*(RH$A{aYvcs3KtIPhWa7U{vnDPqx0$ zF!bo}5T*nDw~=cp*6LRz$tSN2Zn?yAVDze0+kRkFjCrZQo2rFZn#Cktq&Q%hCbids zB$tHC6V8TUlM8CERBVZ60v;KSsJI_qc^1^76@`a<4Oh0Le1lKTWA0AT58pI@9r`7= z`7jL;6_-S#D&0qCi#6lsiGpMh9!^g&R2@UD|KKvU=%{Inp$8ocrcZ~B561KuD9#zc z*1w~qhX1hjAGZFZt^XK-e{AbNw)LMQ>mN_x9|!9n2kRfd_5b^IfYWCNL>9N@bYBn^qL@u?E~8y*+WmQggbKTzA832TRtKA)ul)_c)-^$( zx{Ki+YToegYLO56;VlQKe$H`<+34c9_>0FcG*}b9sFsVIGHGDJ*hxQ_x^*)AY!Tuw z3RjwEr;3tqH$ao7aW(9=Bn@4pB~PYA-Feq?9maG!_r7&nfa7CcBkDq)2HD5vtQ1fd zrR`m^b#4<}q9COygDv}UZdwwG<(^}p-H-e657aN@q>#8D?~x;4P0pxlre{%X@v z$Y#1Bm23`RN<);W>}`J0Z+Bq*vALDS_X8#`^4U=rayQ7{gyolBqG>rt?lu$mDma9e zRk-f4GblK18?W5X@a**|%MSw;&%XcAz3UI? z69nJwwxEftV@_+Xyjhl0h;ty5{n;ryViCV41x&Z$i>$qn&FH(^(IWg`0AN!NzFXyv z1_Wde0sEHsURe-ps=|33j6qL_yHe=n4~t;h^ra7)rPr0wqm9h6j>Pf@F}Z z6<@K{m7vPBp+kPT-Fnwh+B%KoL0KQV^M;jz?w3KhA2p^V>`eC&$}Re|ZdqSYY6ah( zfHIU0YKK8|7T3%XRFXIotOSZ=pRlpB`#}|%d^Wgl4dzOa$}&1vyFOAktcR6~ba{7^ z20Q4G>Ic$0(yxT=t`1M8dn&%Kb4*$|Ay@d4{OUp8q#+%!`=Mw88%B&cr0iKa!6dal z_f^0Lq7Q3Hm@8sssY`kaaa{4f+8J+|Mmy#8r_OlA4gFM{a-ws|I z#@paQB1=^n$cMp#imtWkyYCj?-Gud@W`uSiJR*t=3BbTJwWO7GIJ`=ENYKn_GBhXg_97GZzqS8i;T2~wu1wQe2Miush) zEZt4_>$j}^k@39ya~hP)1>bhs96cKnyp(Bl9=<1c)zvgPgA*WVfV@CIG16pqSZGDN z*oQYDV)rEzB&cCQ7LG5J)G-7yn!ZECk~XZ+Q9MJ&xnEBs$X=< z7Q?z4wL$IW>I47hr|UqW;IKvgR-fa?Z79bC6xY6k63^zL^4lvQfiAs(@1Ek;ulzEZ z$+TS9$1ISP<#=9UOsdExw9CNx(zhO zaQFM^FlTHV+ObtXBwFaT^S#^Ip<7e)HyM%6*v@p1*Y~&k%0l~w(v(24D_qKdlgWM9 zZ@>ddoU0fO?fA%yvL(ku2}`7ub0?X{rrQL{d>05GgNDG@Bl6ez3*L=?eNmnb#qY78 z@Y5L`H}*|zl8DS{{k+tXmf<+o8$-re#wJw?;P7|!w(Rd%Xf5-Xn0}; z+KSce7i0&n`oM!MHm_SEU0eB|z0I<)w&b#58TIYe?}&oIdh87ZsZw@kzuh>Et;g;O zjo1|@p(-rjnE}&%oI-Iu_b=}xSxq;L9#NREV}$f=ErP+`j@zdWjn}WeDuYXTZQdWs z$qrc?B#|w{NROYg*rJ15xl;w6zBKm1xj#d&RFkvN25rw(;6Z+1@NzE591EI{Q#<9o zziP7&FXdQ5{RFvneeS#)zI+XhGoAMYE|5it0uNG@^v;x_Ryjuw>@aP;!c?2kL80d@ zT=SUo+bACjJz{b7LfzM4ke!8vN^$Eham*5U9wb{>4}N7y+`JbJr5s8kB=1g_2oQ0E1Zv&GqdBKYi8Dy59I1DhS6n zow3jxU}u& z_EEev{%jxMXwCsgL!sNw@5K7E3J7f1t59hQ4s%OhYgE<>6{vXRgZ!5MI@dQ8AQ|mb z-Kp}hwc^w-GYzp6Pk}HpK-aDAbwyaeXIhPg52d_(7_aqVboAwc%hq3tc0L*Lo6^<# z&S$0V0o@M2Zw3*N(};wes$c1%r13?B3{@w0((YY{**?7*FTp7qaQtc>9KTm4yv_h) zQb=G&@6X!s!3QFgj#_~N4;kP=uIAd*!btSLLywA$fPM$z8oJ*H%bm0ldU;d%9L1|r zwb|^ieY#Kmy6#at1-tTaxn*Bi#;618f22YE0^Fz0f`ZwD#ZFrAzr3z2PXRyZH=rBi z*Of(K0j_3$=6iK8UsD8(DfT=RX9SKcc>~Lgjm8RDL@1@}RX}1zSrqF`j>6GW5I4ht zyWzA}y%mPY{cZO+M$f8fkvZD^iH(A>%-W;%1V!F~br8rik9uKE0TuaU z_OF)J)!p}2TH?_Fk27%|cn9{ya==G9X0gp+`(yLJd+T8BC0`!dP;UT+F7cS*<)(8E z-ag_1V@?+^{Cm$Ib*EitzpAn5$TSG{fl5=q!fa6B@bCP7TXr!41rkdSkn9t17oX-k z_MeX&3%k7nZupnM4S%aO;@`Xb{TE*JV2BqKKq(Kv4RS+qw*U4j5$@MgvciJV2HBs5 z0F5ZjKKIXZ|KaX`tuom2cmYHWDjdj-vYVCl{bZz73G&(%+}y3GoI?5^QF^052>wOR z64B@JDaZCmCSc720MPax*2F^F{Cqmgz6bIsp_&CB=)s$D8*T8O5UK)HHN3fTS}|Zr zq}c2RrwrKgY~+?Vz(YD-74MDoc!6Zv~wMLbV-Q^ zqzLGI2_&IyO0;OXBErp}DKE#um{Ocx)haBvi$h+N54fR3rvqPZ7!#{73C?Tlbtp9- zyzG>>xllRzp!mxU0>E-zDz;O3ss7-+FH6VVlNka>{jZUgd@1m{N>HcJt53%BASJt- z-hT4ZhK9lmvJ;+n$(B2kh7uDUY}`%o&u@oILX-0YfbgEfs=^%b|OUgvNP%pBGbp! zIVr_KYK7zDtjk7gP5!U=e5jo-G}K9FFtA|0qs&JWgXLZ~P|!*gNKl=ZdAbPhU^uIi zz*PhtMIbeFFDsK{C%KdlxV;yd4s=b{p5|)^F18t46tlN+2gxya!g-+;7lNY;f;35? zawHd+`18a|l&193;N6|!pNi|1zzexDx@C_45ygkIawn?pJSu&1l_noY(O%JZG)pCL zHrivxV2!RzIXuLh;GA%PD z{u&N)OWf|(E846zy(Zc<6dWjNAF=_J^Lr;cRyjxSdA#V5oCo*) zv0?P&Cx93Iy70Stbhi_#vk9ayW}vAr6rjH@sz+yAcR!9$g?KKK52c`-1Svb~Cg4fJ z^YykCr%#`*?(Xik-R(9)QK+e@VeRcNx)=2Rijj@H_hx|XlZr@i-_?vKr>ZE%m{&{3 z-<+bDqY)kbBEDRCeK+oOUa*Jp@UfyB!K~XvJ@yU5C-wSIWFz$%FoKeHANK}PgzIge z1d|nuNUb-^H|$KN5?wQX9BoYs_YZm5oQjaVeM=eCrBz%)v0okYI@#xTIm9@I@ox01 zP-D>YoZHr|whE>YQIe{e`o~aL{=zJlPu5vF*`{NKN1w_+Gu?X3swIPc_1$GaD=66Y z7LO>kFW8|oWF2D+ZvvIuK3_bTIP&?ghX)fsYHDE#7TU5UItV^0R~s-k)bXM^%?-7o zIn|&Dl`16U5)cqwbj z>Ot!#wlK--&uux!ioD_UrH&v1bL0K(J^a*wVeP@%AHG4&@IjI*&$lTIJ{ZhYV`a7= z<@$7#%G|_(D6P8Mj_5*zC5@T0WkG}%n4>6eC?5lap6Zepjwn9%n5YkNHiLL6nnM;E zj^Bz%d^_;yGzmrGVwLk1I+{o6^jq|x&9`u(ZyL0ImUy9n2VYjZIc&UCe$i2!1zYP! z!yUJCr4Ix3q3Kk;%li!=$zk;C4LAFt!E)}h{3&A&O8*yS%wAiR!F=+5hIk&MV}3I; z>6xDF8*9u}nQI%WKXt?CS`guzk{(;LcW~woJLMrWS+bF38lCioH!@aMiE~$u1#)Hi zUu3~V{MB}i4rDgpH1d$D3l90(q$9DuQNGmEQzl|F>R-OprVv_E^Kzv)vuthSrC%)fjYuQJY|M5p;`cw=eRgIS<^Xso$SSGWE^6m0^3mgQgfWvurRx3@AU zCHW*92^A@O`RVD=s&&v||6g_R6bgosD9lXfuY>AtPNHk|;>65XVe?0o&9TX;DWM?; zbXfdZ)?Dzb<^m0^AK}W>;2B5(a!80SE!_L3#@ai{kvP_LC zX}Q)nB1E6ekq#6jYVuG)RuAZ~{Ngkx5pUp!)G`t?9_%NaTjb$sT4j+#Gu>-w`;K~YGS;TWYVI92V4w+eH6 zwthbif;Pp+f7RjtdPRr-DMeog_uc=g6#e@O%?2`HI%i(z(W&YF0V%mr+23;_zH)Pm zw>nezIO7t@mOZ|#44$4SY1_bT_bd3(*+ge>8y=IHnmPNm;?#<|{H}=a$hVAi374LW zbBpF|HbO_uij@xx_*2=YP65b}Ms*bT@4cGIRj9L?xnASWU|ZMJ&0gyL=Jqrk`kJPx z$x7+KO2c)a+=*&{@`#a zWbvhnXon6L%C7c4{ODM9*&b{B1!5D68KpBYGme-8uiK~{oN#kLRt-{B8Z41j+; zgsNow<|k5Z`~gy*Cb!%!KKv+Jcsjp=e51oNbj%;T9gv?r=$PKY9=5ZH z9FhACo)7JZ-gCtQq!tG~AP}_F%9kFN_-4bg#Drge`H`fbXja|QDf#Yc=*3sGJM_3A zR5O16iDJH)7TS^B?~~Cy2$gv~w?hF@4h__;!7Juof32D+tFJ4{PBynH8eD0OdcQdB zaO0$;7XS~Vf(EKbCZLySNu25C*KTpIZ)Kr7dilposH(N{i77ey+&{7tgkchc09(^Hg=d<;^N0wk2`c4K;Q{SBw~}&A6K;UCx(RMx zUu84Nrc-f^6;Z#pLQXCO=~_}`)2oiq$dJX2FC^eQg%;|wKNBgfICW7RcDtX&%Im+)qTG-`{AS2XwfH5>gm3u}XVyuGq(G41rSrz8#7h5LA*J$nxz$ z^ukG?m}|WfeEte%4po^?GJ6s9j6;o>)W*TvoCM6hsHt+GPjHwWk-!wIB|a)kcf(#j zq=}Mo8B@Qz=3}6+ngkH*Io9PB=K77M@h!Ss*BV*b`8Q)jD#zHzp(il&{Tp)>!1XO% zi503VKB!(Jwk$w@(pYw8Y+z&3}3dJtv706%(ar3(<(pn|fRyfuO9OIz!+t(iy%^2Jn>^>+~3+~-d z%ydkq?gYz$W2-;FL~f1U9vNbEt;0Iy6-sbigm0g2ROpSN46PX%tO|{h2o1M}G?U*% zr1^L_q=WYUV0Rr19cH@RBg&Zk-F@r}WU-idxmfp&U9_SUQcS!?KAQ%yPipE{ErPTb zbS@Xm?BD{*Iq-N{WgI1{jyby1M@in%;OywRz#O<=r!4G>ZH8;k|R|rp10KT?9|?rB!3>_8R7C!T4Qbps7ihNIofj8r2*WGqqzta|^9# zKAy#5YGR-zH19P5zq>mGJM)aE1H9C)rBlURLRb6zIL61J_vBW5dK6z!4xz(0LBdHm zXV^L|C|)Ge;C@hfd&on>gKhX#qu~Tu8%|!Op$Bmp^i!eqmOg8dHRp#6MBi5lMucB< zv^k@uA$?L}{_V5eDdvp4UCb6Q4xChQG*FYDav29iTf3|#ZY3P-1&$xsP1}mWUciEs zn&&$L(kBp~nsEvO#b)KcJ>pY{(*5+yv~X1BPua?t0(07L%PoaypDCp&ThO_P4m}1Xi*hGt(`!^hS5dIPj{#h!* zjX5hA&%)o-29da3G5Z#qqDq^umw<^(g7?9oXeSUdxDruj<*plt`acqTEf9Y>B3fGY zycF_NKi*T_&iKsew0qrQ#!U)Q(gOI0F^gfg_(S+j4gq~aMYXTr4zBn*o>v>5`Eo8H zX3GQRt3$uU!Ec?JNIMxkrrC0&tt+plO+q9>LAutvhP6=?W$pqG;c^t9raPs+$6@q96SBpiNdZG zWiglspW+-HXTV))e>#*Fa@lKdlbtLd{&><=%<%N%T8m~M`rD#2G%Z$XGGAFhX)PMA zcB1>B;vO^kL+p^K zzH|dGuQ#AQ0#4NA5cgbcb#W3)s@RKvzAU;))OygN3nao4*R_}!Mb<2ns+SSUB11C? zF;~JCqjii=zGjAm8e$QmJOg)Kxl;-UjlIF=JUm!-ijQ~YxP~Z)(l*hw!H|7{kjrB` zPs;LOVsvqe+UnHTTHd&>Dc|ft+oD#TtmxZc0|lY zTCXLh`DC*G4`@_qV+&*0@>9W-_k+)043n%I&!Y2(+evn*h79qVWMr4JZjEf`{16Ft zDIw9aS)Eregs~nTdbkZ``e9|-NG=YKyA-{>nPd@J3|B52REjlLn0k-P5stU-3|YQV zvt#v9=L1)D*IS8~dr~`=Kuh6_*z1Z<*gAE!O(M;nZSbDqP4`zXMGjD&2Te}>G5=D+ zl@@&IJh3Zd72Aw+Ycd^ry_&g&{J zy9eg_NQ&yE-}>`!L(y+T(f>_D(a(BMBRzkXK08L9yq8*ot=afw^O5ew#f!kvOILia zq{x+iSb)L}fF1x|BfpdoqrJ=1uD2*o>(gR z-|n5??wx-v_l}i|OM6go@a%WrcNW`!)@;iuit7?~qGNN&B7g2E=X%C2YKjDEa5?hWBq}gsxsEn+s*iffczMZF)T??t zqB~mx6C~Pn@*EnCr^UH-YEltxR4)=?6mW^}-}Pcrxx&CGrTK_M*!FC4_+-Q0@TV+b z+!xohq`fWk_MU0Omu7DkJ`5!V4o1m8f!}!4%Qp_qmV^af%+O+bng$kK+-c*^i%M*H z+&We_N8?W$*Vb)9!}hP??F(!0Awc4Ffwb>Qu10zJ{4?Nafa&i zhjf;QGH1A{Diq@xz>Tf*@{%lPd8LLBhWz(JexJy1()xWz{!ef%#myrqwh}Lfv3uEf z=idxI<9;L^M#Iar`3=gY6R7O9 zaN;tCym#fkxIyczXQ`7}P(XeWZ|^~1rV)^KNPxS1lWRw1xsr9o4xI>K)hMwxWDoCs zu=$uCBw|r$XG-6H{Fav&l*SO z+J8+wu{Y-w;5E~x24j7|d`;zq7xX2Y_VIAw%RdzZ$-bdb2i<+L-DDDE#5vBKOm^cg)x}Bna+idlTQ?X(KoKRKB`)*>qAE~`tTBu3}U|nCN$-0h!P4?Z9 zSW(qIXqiT*a65QW$q#Z2B??NRRV;UWDuB6;Lg1)(GaZSihx3F%EN`QkXIY_lF z5sI`1bHQYD)Ile%Q5no+fC`&Tn9?q|0;q10H70xQv4qvj#8d@v(sBSfK_Ww(D+RcB z15x=z6mr&oG0x-093%{X1rW+MIaF~G94^+YH^Gi~u!i~o3J_JIoL4dqWxlN`2lP+e z5pG69@qI0smga!ay}QYDZ=t4^Aic{SoL_nA()d`g%;^3(u=}c?wgIPu6QDOqzLc?( zc^7!DS|d>va~zo22Jgh(7#Gk2T@|1D^P&EPB#qS6H-xQt{^+L8FxGA3bI zSn^XcR6fKU5eb{?SEQ#ra_0UQuSYUfclF96Ptw_4cz$=UP4&5p44V%gzeCqUfBeju z?INNMZ@IqE@mYK{uyHk={WxdRDcN=Hy@_pB?!=75q2gg#DtuFC-pDZLxKA<2ZamP!waPdJpfvbGClS2N*q*;nC z`&n_w0>@oG-P=qoPcrnVYvIf;CG!z=qaY{u&R=7=s}Z2?)xYP-M1X1 zD5&8(YL}RfLJHY6bz=jg#eyMyJr0Zr^O(=x7nC>u_^x>a(^Aji=4I;16Wyi_`Z=*= zbB|-?qF)Q3(ef*jUdz3U*i&v6$gZfU!nrDNW*K*gP6M3ve(GqzAsY{4(a-xW;QO+hgAMh^Du>)$lndW8zG z;#a?&@N{IrQo1}FPif6)Ht||&DBWaqL~^6c>f@pVFR$mCzT&534x}cQfB9ktFfqn^ z!@~97Kj*%A`}S^`Z|-?Yx-(47%*+_Td5*dkg~2?GQz_f}j(9Bz;p$`+QWglyF~c>V zF`ObLUTq^Iv_~;eF5}tE2~~3TK!eJa39;p-WvSidl*vq!1!XRV!X+VINn~?|kL0oQ zNz_**C@`0(T{`0+q3#)8S6kLS1q6}#lL0%nkyGL+i+>3Bw5q0XnemmcL?(xDV67=) zg2*TgD0*hCHd!2v9mF}@Zf6cWc?>n@LEV(#q9T>cHDPY*916=#lxW~Q=%;ZD{D z<$hFPlx-Lo1MN2Xd9#<0VE-mZ*8s-0Y;YqT89Aklz?aLOgo2*;66{RFM-ipew_<@- zT0&sU;ypKJ%#C!tfFr5G?M`W9i<@bH%%55Mkbc&W|^?v=yIsJ z3Wa5T*>1G&QFD%U5V^6oGN;?N3Q%@IJ1BzC2TA!i1Bye-qD2B56n+&5@#Rj^9m#r^ zeDPx}RLfHpP};5VB#yVfb3REs5caM-z^ib@x8mU$t3vCT3-2O*p(cdL7Ft^02m#$Y z0K_=lb@dIcxusr0UU%}AK+Y=IRdMX zv_PCR$2jycIjUPGV+ZA?`;ar#$GRc%aB$-b9D)T3Z^S_^R=1U={njQ zvgd2F=l!$h{d4>J`fT1ZtU-xsi9Wz+(Ac}aGlV|iy)zv0Z`-}b3RN()zt0tq$eCB) zV^9+#Z}(=Kw)NmQanUytW=O5Dp;#KVgtqTA}x*>i$z!PFO zUX9l9O~Bekx}7rD*eouWU9)>1Bi&~_;ifwewH<`d(N=PLkx|f-Cbd$GD;zX%_%TFt zwJfP6JBXvPaZP+=K^ixQI4yG^PN>{W?Q8I*=}LC0^8{r&xG&A4{Qb^e)qOh4nK@7i z!*;o>7b-aPK{0R)D&R_db{~pqXp&v435ic6d zzC*DU8)9ni{6PHj5nxSXlpWt2S=vGck_(B$j@;WQw4lsn5|MPzj(vfZOrVvx(d2!O zyQ%zRd^>O{n@`CO{ZV6a5Xsvj!jJV{f%)swCiXLp2^-`+Up&7wzi|Od7O06U2J{Ls zQe7k{3l4-B;`?-2AK_NmEF7{KLm-~Uwz9lj5f+wH(cbPHSS>sf(o4mtpg#+BBjlDL za62P7B#!Yl)J0C$2tcTr^g9;_UEeYft+rb(FS#@jG(J`6En{3*XHbC*a|jcnOQSTW zQzY|t+6XJ+-tA^+Uz^|G@s0`DM!Gp-8?M;X|KKXkck<o2xh+g9H5Fakm08cO+#LcG$>AZVj>lLf%~=ttS?gFf8}3h^pDJHSdwr@{dLzG-N0<9St{0@5Sd z^SLcoDY3~ti5uJRu!RDnLgRAN!$O3o`A82-3hizVa{Fg^X_x{(OkuX5r+M{@JEbP& z%U;bH=D?PZ0}HQ$chqotdF6Q(wn>5j#RdY@qZfqjlgZ~O5e}<;e^)` zE~ukQdcNU%&Ga<`PY00H@<4=xS=#mrjKzF|PqX1u9s||@GK!|3pN=#2?}3cMOE~}5 zK?}m;o{*7|yqER4}jt5wP0A;X#hD|F+WhozFu9k^^JTKCE zJYZzxFFl*|f_Un5zYw4L4zFB3cFKYEr_fk}(@nR(8=%NWK3*tu>Jx`gZ?gpAq71-A z6^r1djIPjgYdlAK)I|;++`AL!S-EA)mfKJrMeI9p(Usi&I&dCJ)IblyX(~p76uzXR zc~><(-3(`=>dZo*Q;bht-!ApTmX8KXkd%igm)yxadUk|CK<75MYUFL#>ETpUjELq>slPNSBu zP~+WR=}U9W{Zj$N{NI5GJ?)nsx8U7~<-pS!;RVuK8F*uz5-VY?h{v|5-Y-)Iwr2NJ z$X%>QLhklWwG&q1ycV^*ok)LI!#Jkz6zi?2kN4`Bh@A51CJniQHAF z-*kIndc+T;7w)Q(Z;9cj4XplI=XaN;Ar?^2B(D_+q zHU>zW5Si^pv?03hgB_=&d#G>rEJ$Lr9|zV&ufT4XkLaU~@ZYcTUWE&rKuX}5X_Y!^ zcN?+!=8YE@tJ)#c3BwcD;az_>Bd9d>nBWnq5lEcv$H3DZPeakOPG+%%`0eMp;BIlo zA1HSYOr;MeBS-38gVEwVn*|M{;PXwTrKH<`ro3|ur2YgR;x9udcf>8= z9*ln9r&#U_YTBWw=-yM``X$VOJACl_IgohHF9V5uT4klORE-p*o*r({DhoEEc9E;& zR%fT2$2}->#lQRU0PYEAHz@Kv`Uxo$if(#%}~wt|_TT!{C7n1{hEv>25w$>pfR?%kBF0bNg9H zSBf$bQE^YJKnrixk@z6sth>cm&85|YK=LIc_xMRDZgsy9%74uN-(k6vLrX`4Nt=_n z5jIElFiCNRXUa73CYgfuS)@8r99-uQ2R%R&dK)T&_AAe;jp>H9^15dEjU5)Py0jg1 zUb+wK+fF~a&pwE&>I5^AGL6?6>L~4T3d)Ppmm2KJY_D z7B0FVykMc@3XkLVs{l0e#o9@Hc@^z#;c;!Rkz;16Z^^lw%2 zb!H7q$t@(NNzzf%JtUbf9EgANBGvn%6A*VT;X>^s(32?eAAX@s}{~c!$VWxN7huAo$&=;bwaYraH9?(sSsDQ&X zVd2w%$`Jn{LrHDM?_y=$0-5}dZoVDL_|rJnWWFT9zS8xh$$)q*b?I8C4al^Hyzh@G zBKwDW&N+oAl1-zT9tADacV>(7`ad-qyg2B9TYS~L@(L&8lT+Y07OQJB@W8G6=!G$N z=Fv|X$6dsy>pb$bJu;?-XW8D3TrSahKd8jH8L2BrQn5)U&Ib8)(vKI#(iuz|iXAyF zYjdO*zw&7F#P)FB7Lk#Wv2kLn9udlSI8`#X3q;uP(^!4qg-!p#AHg_5H)!a!KUb znzR_<*4;!Lvyp{09Q<_+7esgjO-M_u92&Eef}h3y`sa(>r%f732Wk*CsyphW+Lo10 zc&?FK_oby?VD6(1F{chJK@|_PT~dRzMxAJ)vU2<2=cd2;IYP=+j>J=Kjnhn1+k}kE zGV#yk8~AmRBhH157ss@X{U!v_^p+QbB#Xlr=Qg(Q^stmyg`4#U?`v8r;unM9nR#vADK9* zbg(+ENO_McvNCKd9Ctd!W>sP`wyYU!9Ap6MFgApd5@0U0QOw)^XE=(4f2tdWKax=jas*G8I^kUGD=G0;_FpX(_8p6WZST&7Z+#qN~kq_!i^bDAFSS* zYm()J6@44L=>>FXtG&s7EZ>nwnBpw56mQE|&X|H;T7{h&3o`Ay#~#SMN86gj`kJK% z4k1gMZNBQ^{bKC_y`dprinUZkTLeyDneFa_-MO%$Ihmwj(u(+MGVwX26;a8H^6ay3 zk%DtHXR?W5Hzy6e9H4u}D&1XY#V(@lac+xSZGcx2VwxQ!N@{FuViR+c9a|jM=WcBL z%UW!$u(ty2zJB&Mb+pR|jJ zYZPYMH@w?u`HRoZLx1@vH^*6T?Co%0Sb@#iyf%y*IWL^vL~|7WhZ#XI!Zsl;<>KY0Mkx7vZN8GJln#}h^+kq% zcL=_v1>5Okm6D86iwIpxoD!Y=*ySTte3-k)!g)4wRJYP;dRbQH!nLVo*=S$v@PaG9 z_m0KAKNv1`=hn2oGZQ?U-;C$$D;g`#&H@h#!om1!$4Hgba`r*YGY0JV_EHdyQrWw< z>P)QAb3bDG@~ZjWW63Xv!B}w*XL$GnGEkhy^@|8^rB9-=oVnIPvji13qp~6U>+Mea zGC9_(<>Y;k18}p#+Ct+Sxw$T`CKmLn3*2hmd$*8Sz}df(vI=Rf`&EeoeMPQV6K4_p z^z_Ue|4KdDUH^$K!1rd0Ouk2D*<88(E>egFd@ybt5fbDY=~pMT zKUE6gPtjb36olO7tIG?0;IdC0j}C{zyw?>^fH~_LYv2l0ImV!Dn(2}E=2{^%kNt`J z)X7lBPZ^DBOqc%jv{PKWkuB_;?9CsGlgnM5;c(#570f<4J%^PVxWptMJc{}-DuNqZ zh45Ab+5i-IbqBessx-8#y;~h>*qBg3VVg7g5Y(%qu$h@kgV5mOPWN)Mk|tevIwbDa zJq5he8(PWRkU%(l@oXK+=-YSM{-)u4*N8k*u)^y6sArA2-tv<1jnCXruTlX6HO`N` z1Xn{PWb`#*%Y`DYe&C`}C|+o=&)lTKvG~ES(y7f@mv$Jtw$$tQEpxhi0_)rkMdi~t zxR#&;J>wDNq8l$;TeXhO-$Y8~N~F%o@otApW@P-P)zF?TQrNU7Z9I~p5UZ9SLn{kYGk4ak+aSqHHLn=m;qhNw;Is0h! zq2@|n=3_8lVp$F!ZuJ`(S&W=H)ChiLu%z~iy0NC_C)_puBIcc!d3b9mGHlV6W$j;G zfCRbP9+iC9rZME*gB-? pY~?&&u_;MAzF<}N;Y?@jhR-_v>C()i0c)r>7dSpDdQzerhDFE{MKo#A+E^03EMhlqWNd3}Bno}AdJ>m1%7`m{-W%;2!fGh2a4PyM2>O?dotFo7 zSua*I&F8OGajXQyH5)9I)%58upF6dDyzQeh2OEMaIKB5*IJHZmFW;sm%|?aMvsiT1 z-zNvMO`9!$5+u~HB3}eydLX4KSa#~|D9y}3N^L2SjLw^+d5ciUpE$4d!2cG$Za z$Nd=voEOp2t?isXalLQhm5DQ4pp`ivu-1O4JhQd2GpqZ`q@ThTRH~f6 zZ@$}v@EQ-!!OT%*o|@I0%lq_M1FQQQtsq@%>BH&Uo+uod4w=U=U`GQ~zsGEp8oFl)lsD>|GSH;^I=2%-8>lb~Mm{R_&r zW#62FbX;#5N456eG|Y~ z2Vq%F!M2QJaN(76NW@i2u$b^$mnd#F?#VM3%R0O@t)I7`pOY8cWc$5P6F(7pua};& zY{0gL%{imAT^{R-T~_xc%%dddi?{%SvVey4&;uu|zy;QaY~WOGNqN(spC!i}FcPw& zQ|Gb@-Zs{L`y+vIDoa2`tk}g*ad+ki{2cZ(PS@x;+?8l?!cSPH9byhp*zpqi*-Ht^ zas&3=fu8-&p(W!^S*izm)rkI?9}lb!zt>z9G%1#E|a3`*2HIZ z1ZAVPReFx*0bzBOm1p{K(U}eW_G!AE(}G-S-#a*r^+sR1#EU4yvWL;jEjI+Clme|5f@q9NGA*gzTfa0#=7Sn}}-? zL~9*^;zzDS@*QdNI($u^|^17p{?G9cP4V9I1-l zn6X%wc3>tq!u?4xl9(k!Mh69ZT5X5aOu*5cH0RZVt)4#N_M?ck0<=1{zt!q?{UMQN zD(I^Z4$N3nf(ZUvq;)L+eO%{ZXL%%HzVi4Sg{!I^(L7%t+ojj&99QXcr^xOZ3 zBELmM6w{3a{I~6Rq*&LMxeWcGv6V<0;-ZQ%dL&034oA`z1%GRwpilohYM<}dF^5-5 z?!lAh7aAJcInU_RE@(3?em*6yVUmt5sC%sJxfQ|th^iS@mtMM80?j`NRP z+!M*Xwj_o)Y-?DAzimrn(s<+LmYUYrM=*dbxSn^Jb#4UUyK@_H$(ZCW+?QVsHomdPG+AGBY^=iD%1$rosh66^=fR$ zz>g!z(;NFJmJAS}06`uW5PY38p8E@N!PSSZ^6S^H&m#pK5Yi1{U40;)^AKk^h4&hG zNSBAnbN3xgL`N~C_u6`{$d zuZhTiY#K)=OjQ>f_P@`A;+@sZm4NSCNZm_LPaA6Rd& z37SYM@+KKVpl4x{RUfI1$G&p2jF5Y^nrKi;x-UU8a$bt^0B&(_wLD51Tu~K3d69xY z*CYZ>ipXX7x&bZrN=S|dLB#34a=~mp&Z$KL<{kBF-~5f7atf9_l*>cEKDYs3Df2A- z0nrZ)yu6_a?T3@!bRcH*@;7}c^iM?&nC;lJ^DlOiHUPp(PjBPAuK^n!Cmy{%yAL}6 z@5ilbwBBF~G`Zq+`cxt4lUGz5D@mKasNz+j$H5SuMA~Xj2*Y(F^LB?83mLVy*9VV; zAW9+q{=MidIL%O#4c9e`7`|Yy8M-kBqkn!-Mq#hd9||H6IP6Q$^G_QvgY;jp@2u2$ z)(6jn&9|=I0YM+A!3JouJ3hP#2l2O^O}T*I29&Ej%(hjz+LDj7(U{2-vFwVRaiFxy z+a5%4Ttqei98`^bx!!;onsk%JKDYuni>}Bgz6jEfnF$3mtUN!DD#D)AAv%~L`%Nmp zN#!@GpbP$+tNc&7O8LB*otc^0bwEFcMB;yP|4Ckvb@=15Pz(c?8K(%~qg=2OUcB6h jL6cG3qOgFl%x&rq?(2)+O7bFuzmrO*k7ph=yY;^S=*%*^ diff --git a/versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP1/Distributed-Deployment.png b/versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP1/Distributed-Deployment.png deleted file mode 100644 index 8bba51b8d0495141d02b68797ae1b51d466f45c6..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 34547 zcmeFZcT|*3voA_g1{4`Uzz7UMBl1DM1kw zP?7?IBvAy(Ih}r<@!i|^+uwKZzH6O()>(Ufe<(BabU$5PRb5^EtE#@Ct*JyoeukWY zfPg|pSzd>LfEYzUK%{^;3V!L_+d4)-Kx*ryVCd!SXJhYVO~583hyTPT$ZzNB>BS}_ z&n777>+8#Fin(g8YK~Jp2MY0z!KH;%q{)!V=&=ej#3A zF+nW8y}7Nm%kOt-xCYoeIhnHwDvI#(gI8TN6cAt&LW580_AcIj;IE&!sF|oR2lyoG z=H_ILv9?gN_k!9BiSY`FLS599^)%Gk1m(bICwoV0@JGqo($N*_;^|`U2L8y|dAK^; zdpm<}ViLUkyh0MfBD`V}e?0+R{_%HRa~pFH`#*+(=ILYY;c4&cf}f^6o0DeN& zUgoy=Uk&B-v{k&-y?C^Eyksr0Jp9&LX81N<{%+RzHdfX?_Lg8wK{g=;z+o$Ub6XE{ zKpVgPZw~q>+A5&s?KCY^MA7_)?!xY7fGKcu0RuNpOA$|B1#Nx-ZFh5dU$mXLg}Rve z)c|)rXG?$n00U*ToV%@#JzCMJZX+djZT)kwt4Qcg@q-A(1Hg@ibpAllPX z#X-y;Yh`1nA*?4P=BtEJa1ao2^wN}6)wOl) zFdoVZ;CBIaFHLP7AqQtGM{{)peM5CERShAF09QK~B_k(Ce_?AyVHGbyF991ZK^GfM zOMPEYKLITTXKNt|9gL;FnuVa9n1mjnLrhpt$=<>-z|u$8K+(@%!p}%uTSEwNThY|)%A1@@X?nO(QucS#kgo2xTx898hXp>J9}BH z+bMYXJ85aEK*QL`qHScIG@K1=RWSD6wz~4}2DTzb0u~zX&|?)h2SZ&8VI3Pe4|^X+ z3kL@WS$h#DZAEP%H8nk33juv20d-v;ZB=a{Ej0rTPis#X1wAcGBWodyfr6?##?#N$ zMMXhJR>w#|)gu5C!0)c0s^M*At)}2E=ZW_Ab<(i+yXr0~DywK{<1XvqCgQ9qYo{%$ zW2E8g=Vr;TtEHwa=;|n-Wv%Hh;ov6AuPN&%XeaCwAnay%_3Bk|1sexT6<<9KZ3Qh? zaWzkjSb&qVtgQrASVh1~Ts=Tl(?|ZQf~Bm5n6HtxypFiIjfAg*G^*+@yn z+)YE>*+$L?E8<`!U?r@1)!ac$TUpN9+z&`hQ9;hhP|H=w&rn+hsD!?PwT-*GqN1>q zrl+Q&tAVbgm8OIq*2CRES3ujt++5L0T-{m4OUc{b%TM3a$X(S>&cQ=j2Q8Mc-tvy3)$)^>szQ9y6DO|Xj$4jVw^>ttc3l=)jTw0UAt{_0k4_L{z4nyS8*wnm0%LpMJ`T_7EKtfh{JkiCJrk&d97pufD6ybH!c zSH%Ka=N_s)g0?yu;%){G5(eH{;1|$A11m1zrRC*d<>llr;N~VOfCfuM(MHTy)7s0; zP0mNd*2>W!z}v}J-wUIwDX$|CAY$+7uV^78E~erO`lDqv{jut5Xcr%}wF6e~s)whw zn~J}-zNV#>lCq(fzrBN^oq?XBo#$0~VRtbX2}?ICZ$DwIsF#HUr0M?V5(@S{mX;E# zVt%6f5^DB3;*Lhb+HQsd7*SP!TMrvw2?IG-B_BC=eqCi3O;t@rBQPjdS;X8<4>Fw^ z5&|MFq5)SOz-KRrrT#AJLK3#%gOG%)fs(hk7FJKf+QCXq32SJfhSs&U7e}L&fV~9P z!_C22%friBPfi!>q;C}9;9}!~RkX7A!RWes=?f|e>Dgex3>B>f)V&?eUFX~bQNsHR24l049(rJo+?*e{2i`}X)k0pw z#>Z95DnQB8N68H%Z?1vyuvGU4#!O4dOUN56eno8!44< zh>e<Ix?Hs^WEcSn69FMYhJXm^rjYaav78hevu>XH{YlQUOOf0C z`BJphC4EOc<-qg*Y`Tv`WWS+8RgwNjU+7ulO#)`t(+=lk|JF8~fEg$CpIxE1BvH%Y zSle$2!K41iBPui{M8$u6CsH9}LMKhWKK-{r!VnKh{~{P}8lFpnM5(w>9sjc{QU=#c z{Ku=1VKO>Iv5C30?nm)+{XGg3`upF$%P?_-cQQ{`^=T%{osf|C8F3c#pT47H)pKR@ zZfWp>*K zaw-r%e*CyYA^Ir?$+S5h+C1O1`^#g*xrXA@N3PNaX4@?Pyqo7Q8%S+W)7+QzuQ<*q zb*-fC+nM{p8=tKocn{v8l-kPKI{X=gLeJ%Pjs7{cQ}<*}QmuSc<9myBEY{C-ny(%* zt?1WLdwXSbl*RUecdAq6d(n!o5yv{G5~NKtT}DH87d&1Pl6IIK?qIeT4-Xb6g{?u8 zWVTd8w9glBjKtR0NbCBA=UgP3;%r7%cNC_}-!LRI9&Wu6?BcHM*la!w{_N4kGxOqS zN%GX~%bHE=#jYvOmLDfbVKc|PyuDM-#0dONX2=*op~q+Iw6}mwJhPdew;Q%5tr!buqtSrR05Af-Hi{=COx<7TIc?-#b1^FH@RgI3>rv{Hz500OuI7aMDeYQ_TE zRXS?jr>v?643dw~8Ont0|1|5uktlbDhqBgnWoFjcsKdRU!@DZU7iiHIZLw5%;xcG$0O}X9%($f80n(74!5L z-|+{W78f)#FLD)E>9{k0^OZfv*-^5%Yk>>Z9&gV3c1*-DO1)Q6E~Ct+89&&l*}X!x{X;91bI2?- z*qVykr4<{pJri$hsF=WT{xnP9-wv^8{8P2^y zbrg=;@~8e>xJ+bV39+hp-N|%2YrvYQPW;CT3rCP(`Ovi#TogP8jaSMOXFwz+l#2}9^eUk^*6$vhRYPnBWlbCdQs|R ze^S&zLQW;<(EpSJSlB!Hn$lmynwBXf*86p>*S>%F@nDMTZ%CIr~I?SagjsNd!qGGW(M38*aM7-#>SVn+fn!_Dc*e_Mmv=H|Fri^(!g}?IcUEAa}<8I>zwFImoGo5uOB%n zll&mzjEL&+lG>(531PWhPBF=)OP6vB3mtpcKD{AT5Y8do-Rj*EI75W|o*m}HSYu(w ziH=z1(9JWP8S`siattCKcaJgWmUOb;8w&JflL!_Jt0#(+gAzV0k zR9(pN?zPsj=GSS7BurmZ;dYbHy^m793-qMOBBVoxg<)XQW<|7q)_%1$A>5P8X(VY_ zI&n*(V5Nd;k=_U*YBMK?I_paE0vK`q(uxqS)%1MtYfF_S1P7>IQ=+j= zdU@qrjbi>QR-Z!;_h&v?CZwd9g&2Ly4n24})*y!Ix4I9uRAp6}`ewU@q@#=yl z*mi%_mqNySZ@pkZD6uoKUhsR1?>qBOI zg(WYZ?M>1*Ctm(lD|fIrE3KsV=2){GnE(~wY&78P6A@-f(+t zvk4>IlY%kjP&)5@chq~x#ABg)h;A`>Ya*sS6WT+$D>|4x_LkptwNgrRL;H78^TCb> zc&yduM=7}^gF;7BoQ+1fSF)0k5FvY!y`~LSK4-GWHkRF-Yr!!2rt~eQ%^wuczV+<6 zlCPp!-L(5pC$F3s$9ja z_45_+ds}a$Qv-k1DYg7)6Y7y<0h_Y4)%pO2kEH!uhN~&!cJtx>qDQyH?8*0aUwlU1 zrZw+be|9J=wyK*+O&)QnFGg~MohK9a0orLX9e{J(F$@8AD7^^rAB$0lw>FK*7fG;k zGJ(qTHW1-Ouq8cz2b_oY(A_yqGgk63l~dD3btx@7(?nx_ zcE}5H7fSXE!0Y7D)NL_qeDUJN^rLuQ&f8P1T%SU}31vghk4(sVq1juJp=&H+qi(HX z6eckU|FsWF)-_*zxF)BL01M0{O1RLj<|t+uG`6{X*0rI0tJPpDQm=Nb&96M+O-{!- z!0b>Gi-jI9&HuG*Fg9_FJ2FfhxMedBV;GY9G%pv|M$Nq!8_y(c z0j?AC1kuvoYL8YhpJX4EQ!9s3ZST#~LWZ1dZ?ni5ZHX}LZfUyI{G zYl=_cCfC^ZtZ&nUtuFi$!j8`rTQ4XOF#M*q#xhD;^@~@ZMmw2*5&f=%1Ql9AeF{Kfj9vGoT9`V`=E9;VV77(NuIHL|&H9XG4mBDXlv)`rI6rgoW% zB4WwMhg%?*P3AmF6+K_^m+Jxnqi@Fjrfy9-`nRrs^~~NKz0UD;+?EmZxCKdsJVg|4 zxVwr(pK`O~l2_hREMgMoZQfg%Ec9s=!$d85Q1(QUn3n^o(2v_tXYC_u`1YsSr8%V9 zv_h$=m7`)l%-*-nnrs>$!z_aN$9!pxT$~7Bs~*HU$^bv?$T8*%4Hq=hSy>csUOYHl zTG~S&A;N*l)fV?fS#@r~|&(f)whvffzIFbq0tpb&OEl7K{&1~ynvi0wWTY%HhJ-t}VY zB>;Pbt$gh2g~_ck|8N8)5f2+oAT~}Vg>JW&oCdO9R&XQb>4-O3x2JYL$=|2^!}>W_ zn=`sPTE9I;)C6|bY%0|4-I%GsH|;24L{(Xm5zgWdcuf^Nb#^>aSL=#CaJik&k^KUky+#HW$NZGgB64H-8s>z*+)GNr1t}NW@&d&2 zi8s$KZbdMLnzL5(8d+17cpZll48RvW(?kf+^)Jx&>UJkQ!JglM7G z&+(6)C(sO#gO!d3JLpY>y(&8uJM8MC0V{Z6?=kiDdX`_gmqehY^^!1KVG3o*-M zl!_o{)Jg$1Q`ScktRRn5oC#J$aXV@>1YWP?KaxORd5!|UFP+HQ0*KC7{G{6B z;{Bo4GBQdq$36^DaY1w#QNaTny<#zfzMjC#@kBZf3AOfPf%U&(MoAKyBf%786X@nLEO=kh!2En$!J`6+{pCxTu=5SjGZ`kxeHUV8b(a200a49@-?J21H4>pYV&(C&xLSFK z9HP?@KdGYHd!(Q>0f`shW|*8Whv-P8g$GWfl}v&p^EC`lR*njS5VQ^xg9X)X9MT3I zU2_)j+pUS}NLLU*1g5J!;PXcqS0~yz)4ROpFZzYF2Z#2M4!v?P#zlC#? z(9qYF;ohh7A{?Q{MtJS5a8gTxM9a?)6GrL^3+n%mfWc3g2IY zS&xQi_%I^)Z!Q9?q zbWB{7jbZM~T~#Vub)vCd1}f^x;dhXo%wfZ?Coyh~TO()RVVMEaKvNE`yqK z-9`0Dtk4C*#oz?Q4I}4okYIbM@mg~>^`9||_St*B1%t4`uc*C`E|Kv{-&61gurs`0 zxU9f^2={osPiJv3?H-9O8m5r5s(AB}f$|L$F*0YYO6fL9Rd8wb>TA&UztS1y5Xk2c zb@x;R1dZ}jfbA*2I{udLQ}&OK6>mWjr7%M z)#I`dSZa3{Q9c$^yx&(cgU~MZXee_bg(q0hYdaQ?MX^Q0SSb@)b&X&soVx7XJsmz$ z1t#1yEazObn%{rY5QgCRKzxl<^`*yk)y8ut!;wieums6@CK{j8>R2F{aSUMu%(?QE zZs#u&c7=1SduWrOl{J6Q9EYEIEHZ!q01wnxUV7({aFgcscga#AP!hk1qW-^)sO%?* zi8P<&(n!V2YfZ6dDbl`vq3+#i9OU(RWDpX#TDHNMVLLMW*wnd{fBXGSp!YpGI79mO zVQIDMbA)sHx9JBLm~s{Zi%pz34MM0;;PACV%8E99loI%RBbxKZr2n7XHxRl&u#8+j`LZ*xt(&>r506y z@CWEC8zRd8+x>jA=Io%A8_=;arPgtE?(+5<#!&9c?n{nrp~0m7C7X%KmPCj(Iaq0q zV}}BDPcgYKBn8y*Qob6Hml@f_)~B}=NjjUjOM`<`1#}qpZQeDh180z#TVi90X8Us( zj}|iaj$|z<4hVRLa8h?OfXzmI+5+&Xb-|O=Bru%Xx2!;y(^mq#1Y8F6F)10YO-9{U zHm^zSEw#=7$U6x_&ATrzN*V<%w_E2VCqjpFfQh78WPP^HHqn%rIZ4*@VQ;}TG}*c4 zi$T-=f@>Fauyk$Owplifbp$<_)X_ysjKNishkL6lYkgW>S|KYm-~@$<+m;IgYpzDaV_VqmN2zTNkc!mDF0GWCjf_DIk;}j_VzY9saR>R^q za-flF7UD1Qt9EL7W5hKL^h1NAZpCEkQ#b0Bou8#$(1|@kY6l<*K4bo~7W1W{`#%X4 zIy$*Zxh-Gc)>OtF>&*v0o2Lu%v(gI?WKFx@)&T~+o^kje0LFE6w}7el zz-2|JcZA_DV8v55NnyNh`cKx319|02m3RAjd1Y~T1UtzDt<=-zjbTTRVf%dALsM`f zodz%G!KolgAuN7*9K?D|w%^%Gu`mWLg@B9MF%XjMKkW{J8;)sX^yQ9zBtwQo!%aiO{=`=?qp~=svR6mJ0Y^7Cs8^Ph zmWU-&5H|#Y{Il7iOgRjjWz;blVoO_FO#!jdnsonYhPp!_nAQYkEjuxyODbJH8Ba?*YcaMaT{+gR? z)$@YFu@6L6%!qy&cy&8m+_|nB;2QU8vS%T9F2%V0tr!wAXWeH9UQ7f+_!xzH_dWyPJzN~u^BmHl1@0mLE|0y1l7I3!yI z09IeXJpI$`@CC^$np5iO!UcYLEH@9qiZzZ+{4slsU04=}8+qK)(8!K5zdaVy-@3{* z_4-ya04oijj|DhxzmYz;+O`V)9|DG?TitliHBEJJrE;%Ti1QVu?8f@D!m;v6O9n*0 zEIggLr#noZ|H>j3bGZ~F$S6}w%Ua0WJ((uFP?AE_4C03~e4$2}%I82d5(*ui%s)MG zavD++O<4$VJIT&9Ar}xznYTGcP1p9O%)B*@w6pbXD~Oq4Vk7kpjGl;ddAylw}@}dxm^qiZ_@;fzg1u}O23I9a5v!CdjmX7%Us+%SMa5BprEPZ2gs*hr& zZo8P!Z5A|VjR-M{pCbIlMxEik%9D^YQ?&8cl3_7kJb^RO+5uL(C$~fSL%rLJX;HF> zwUEntK#O{UaHJJOSVtZ*O6Qp5sHOF)iL;MdYBZxr`{|9H1WrqbG~h-GTI42=ahJ(7 zH`7ozJ>&}7%Jv=eKju#55=_2&`V&+-z*EEQjKEUC-G;z*uP+)rIvFodAf zcLHzDd4T^;Qoe{88Vg)BiOqA{p?2vb_m6Tt`ZEKARNkLSK%6cL^k*cxMC85Td1*1y z*qQ@<^o?Ly)aIiTBGRw5)WQP#s3hQByZdZw-s>xRw!$#qRE3xd1J|MYLm$mU$_Fci|p9OBo-NEZWD++&~nl-gZaYF@QtR zN#4I8=%ysN<&(QKGCueh27etX# zv`h{i(QvS)BmHG%uIAXpPbum`+1|~$Z>jk}oc(EFPC*9R#NDxZ_>S4|Oq$O?{Bb#i z9&65**(x8}*6+UeQq1I)=T-CW_q;IsXmx`g!G!L=(%Y}`u%xz{8TU`R$l%(Jru_&q z2u|m4`RD`r!=9H7q7(}XpJJ&1k5<&`X@^r$$cqXx^*#0rsuGw}#@jQj@>kErTo~M+ zM3SMb@n(Zl*xW>6AP)JPQ_lgXIN*6;I_p|Kb@DO)vn~%I=Tk)l(4}wQf*>kpg6C2G z&~RG;*H&VczFoA-rjhCw{t_I*H-l552^2q9-@a4mFna1p_ys(2QGWU#n-eh0e<3!= zh)5aFGiyMi<_2FQiEgpyd||KlDGxW?cHWUn+A1=S~JW#4o%2`amVioT=AHUS`uY4fgsgg{$Z^Q+@-zXC8 zcc62UMen__j239i=Am7y^xWw*Zy}n zlf!whO(Z7Xk?JhIJImC!)(8%WZ8-vsVo{KLQjqp@1$j*ao*{^$b@qvh{OTmLl}Ze- z9V57(w+Nj%kKX#x$ZoBT3XCk2WHq|)-X57dS2j;(G*_|@4viyv_m);c9-qc z|JBy7ajV{=qf9c5_6g_6Ajf+4)`YfJTjPwJBr(nR@81(kN_hEYnYi$vW0cRD zX+JrK011?BbNvjw97xB6NuDa5>Glhkp#k^}B@#vZq9gDsS8f|p9&v?$P+s|1K-f>+ zV{yvl$XEchgoJ^C?eGI5QELPsF3t0uutbaJA~S~!6E(0=guq5U{NrpXgR9CRt(B_I ziOnSlR|a?rX>1~S)W&~OLO}H~g5m2Zy+KaEO3J2S8`iV zz8s}b=;gvAaVf;+*Exv#AD`sCiRyI#yd{=bE*vSn<}sF0eNEI5gwN$rIbSHNeB^FK zl?M>@%k_|}A*vn#pb1QM;{^Ae>`fb8ZU8^sDa$v_%G_(iZA zgb(tnYO4!gB%Bkt$b1|hs3T-%%`iA8d3EvqCBLJF0DLM3y8v;q2>{7#uM_o0o&YFt z003fv{MY96h{iHfbO0#x1K;RH$Lfasm6a0d&vH3@u!M0T3UH3q%i}Q8az3^XnZsZ& zK6Qjh15cIk!+7fU?~O(@<}X2N1{3q}zKkPj|39jl#`j0^0s*dr@~7MY+6H3%BgFGl zw|LHn%Q0Po$6*b4n{oN!rj0YN5p#^pDxREGgs_ms+=q8Bs6zmAD z&?r2$jLwn5OEb9Ib@UyOrn?N;DI$ssurMhUKRoR%P;yN z2$Q*h*Ap72>L+Bg!@Yt6Bv=qXXbMNzJO514dKXxk+7n9!pjLgDl^Br|ulFel#rw#> zPey=66!OZS<3xM2NY9)#6h=pf0jC8-Uu`orr@pk-Ewix_B3RjB+E`t0tet2SGY??) z19LdalJiBZ$|rJrYCoLp<$Xx$Isx$L%7pGTs0!a0%P0$1COb`34E9FQteDimGs3Op zG=HC5P86^kXJZrTM8B+Y_`9|oSCxrF+MOd@XnI)fc#go9u=TT%EP|AX0?!fQoEy<+ z9&KJY=MZueq|r=*ypglm`Yoz&A}pD!&%{2XnT`VWI?BwdnDU@!qLJ*u6pJK)pk?Y^ z?G`Fz}NX)(O3WeKx7_A5Ao}(;sA1SOH`pK zyM+%pef%gz5vpK(J^YB($6OU%p>qNjxQ3NZuFQz4s&BbR!tcSh%jDfBkNfe#l4+{R z>?Ct2c;J3rU;4_8eXcY4OuVXSB+~9UtlvZT+8!L~l=@Y~gd+|=ijSn6=~uUwTiC@2 zYsz+h1eu@y_$|V}uPE!vuAjHhO`OaxJY!OQ?Y6kETd65a&W4i5KCW0KGmtRjT}CRo zE*H*?<#|=j7Gx|w1b9Qora2kc{Ky$3^a+}`kYpWMHom|d8Fm?uG@C?FkjDl$$hI@< zA;g(sqV?=jySp`i{Q6bGpM>K03*9Hj6fen2@A5v@mv#hEx67_~e+0VH-WO#kY}(X# za`^qb?RZM%oGlbz$wiL`KsYW|1h;dSi@l+9S=HHDpRw4i*u=pla@)~iG;(Gjb+bUL zPPL`*TxtKH!Fu^h;Y>W@L(-h(EClX43?S!pOEQ-@-*8n|>jzhbRQnXvQG6>caHmYg z7?0&k&2W+dbXmvPc;HQEX)18S)yS!I!tcIEF2;99s~(z8%oH>Cy|#o0eIV8e!}l*H zA4<)1{NspdoF0?4P}}aK%7+n%<<}->6Tk%b9Tor(Spg_5*fQJ&-8c#U^>F0OZD)O* zB@OnA)(flqzGZZl6u9S4S}w%w+$|*dYw}#p*rr${4~M++5gk#v2EI#YIb)Hoqt(lX z>y;pkubJV>S)cd%L0m#LBbYhSUo$V-bJ%7^SLFh4O8N8g<)-gWPnpmS?nAFF2YRs0 z*vrmM1@q}=d^x2CL!N5Yk-z*0cK(l@T*ec`4|vOS;dy*|{&y;R${SyNBx+{)__=#w zn+o*xA#0vakD9&##e}ra>DgK^{wo(3`C29Iws1)C&S#)N4ynv-FD?!qRKNeAS3kOi zopoGjE(m^hYb34|7EbA4cc-gs5NME@?vQrY>}OE%zF4(ZwY%|h^@?$HSH8SeCjdOF zEFXO~dR4yC)y{?ed0hOCcW|H8cBpC5YV}5Ty01g1K~Oc&J^4h(@AfRMWy=c5Okd9nANz16E*uI?ThZU(r&mqR<|C&rQf?0x(Jni-8m z*#~rfj2{TGp22jTq5AI*7n>-2#rj9PLvzJSq4h1WRO9Ss8#$Qs90c`Uf{MWmT|Zip zJ-{vx>??4Z#aj+w$yu;euEZm5n5f7jm{~Qni~`DsOThv#VgU<)dD!1IF18?DJq6GG3}GX5 z{%?NXF@lfPtjr`-NqPC)jfM*tgOKVXDil_SYN0_)p-oRCuk%)^chlg3MmqOHU9Kju zbm~8K6v4O!HB|&crB652v}l71tkOZSN(*9r#xj^Ko?XzLc|CN=%<=GoMrv;Xtr@IC zR`|fm4TLN%_Xmd>pTTZQiW!fid~B+o{N+UrDgpiE0*@)j2c^}a$rseV_rog0D=LTw zJ>+pr=#Oi6pU@ZXcLK3_r!wbOR_eZ}udlvoQ+8Iw;qKbnnjXXWhYu(d6O)uTLT=ZI z#^_DvcRuu#-`Gh9N&;(8!N*Pf*V3Yky*&ogeOuLYwt)C&MsY}<%!By`=d|sKUUTZqKXiT3Os_ z*F0|QEyYNm%F$;Dr2}LCY^d?xOYlr*bHPpOqH1*nHT8qp;5M|5hL) z{0rH$UXb+ToaZ|fW9VKvT(SU~E77xPOg~vzZE7HHH3Dgu>C|?-rXVlyjsl&LylKFX zC!8~9S56h~*a4M`KF+*Ck~KBBQIi+ib={JYPp&YNXLsvnLsf9MlxfM(4mNOX7M%$W zn$^XHPoeS&Cy*<+@?|juvF3B@#W~MCyu3OsPP`asgnu$SB4mmrjwE5r#_lxh3RzNN#9oia1 z2zXx~>A70b>-ACowpsh|02F_+8+5c8`5l`3=*yCC0ls$YuoQBL!^ z8&vH8@+moeLCs6~(TJzbOD)IZ`J(+m79*TeJBT$D+F#!Nz0)JsuQf@_xHtD8=0zoCXiP4u&5hT$-^`<$N|L4q^&uj;imb>*lEQI`%-0(9Z5 zbJbOpWXwv%ui4U|8Ls^ed-3*T5mP__sUSe00HR*0%mYmpmop!&)i6YSul<(pm^YSH z+fHYEG9Nb~%+b(dZ(-;vi(4Do?2Au4n2*+p41YbSpZ#hQ+Bhh_@vZNAx4)NS$WMAG zCDHKd&Eaf9-u%?MSD?x6wIVwz;06uq_q#0*Uyr273)x?kB|Wc)xaro3H0|Q8FUkx( z*lr&>7PATEpBH?HX{MIm_++^Pr7wdzoSH?FdN&U$(}|5|ZfXX#8ikuaMQ+A#K>?C+ z!(p*&aG~GReGqNqb=f7aaXa#ms!eI}&;?|i_XS;9zUKK}zkyLxLGlJN-m-_hIG2Ii z;XH}GpU4kZ`M#bBuVS#ig6VgpGfhd#>ld4L>4+YcBFGju0S~@_2pql=fWss^V&zXuHeltn9<11|hHSLz=o>oTAUQP|<8>1m_r8+0zg6AR z9vqMS(O5%GvMk{Ascf>(S+`kV zVWj6F*foWvX?~r2b#)Ty}qCztD|AH+c-Aftx)YAUu^n&(UGEiLZh~f;xISncTT}1^_NUxu|E3;vHIUYf=$3(zT>7N z1C`E1CuXR<5PeZ424^eXVy`N$xxUv~Ev4^BRQhcCiM zj_tc=P|5y$sjg2P5G_;2=JFecY+I@u|ZB>>UMSzq~Ok6 zS{oI$-1+Q%`GkacVaOn4VotYt(e!Q(#8xC=rVKVO?$o)oJYO|lNCqxrRiz|ZId5Eb zsI#ZK>znpM&boj%Mw`jihXFr^dtC62bVlx9@wB&6rYYANr;2vp4u>{+E!fsfI?iC! z&i%i8)UJIB%JY}{MY6qve|8o&`$OLI@ACmT0>J0J|AxCe{cg6h#5JA!uqPh!Y;{*P z7kc7Kfh%hE-*!bwh}JyQn<`c;^v!_t*!_Rh^A-8`f#n|$EFc#C;K2h>U0rM~9Qozx z)yKK{`S~kbw{M^LF*o;2GAo=IB+h=f7)l7atPs7M59qwt!P!l$*#baC?tSTxDFC;S{{?=001M&CH_>~|AUtho>g=BlpbFN1fGP^4 ze4y;OCk7M%|LFV+Zcze<$+Yy5>j&v)Hn00v&jbUsBI*ADtyo*6H67y=1n|f@G^qdM zQ7FN)h>KxP_cr%GjQDSGGCrhvs zks%uD{T_qEPi~yyD<{()2PG#xNir_` z^H+fJoN-W|9totm&=QuBipx_)lQb#xCUOF)LI5)3k0oXc{r{x)0@t%#gjt)*{fusuf5}3f3;viCe1~eNl zTXEDswFvy*qDw3f%?dA6tz;m1N|<`FM8n`P;mC858ZI&{8x||tOFeqhJ`A$KcgPp~ z&p>T|*3q>c4bMaNmH?z*cjba6sNV=7GT4ny8Q;0lJsJr$Hh6HSw^W}7yR8vRhe6u$ z5H0|pq?+#J4G`;lLT0#d)*wWUI8OLwU{h?Oa@2<8EvW7KwPO~MGP(%6Apl--_|t%b zI&Epf!r<0U*L`^jGLHA+H8vM1E`B87>NW^rF}FN}umY8Q0O&VrW%Wlu`7sa?W`!$( zJ!#3v!fxg7Ll74($j5Ubs#3#zz;PdYEUpcNAU~26ZBTGEKOs~&^A+qw%DL#ktk+Q6 zfRZESvN;?u$A<1U+@Jv!MA=~jP3AK-A&-PMp~kWLwybN812}^ann&%lAPNtYP<%we z0)*P_@qG9g#!RsU2}0-L6)j7s?UkX3PfWch@eEcSYXjwO{aUanjHRz?qE&^ui%+XU z9Eqz;8CU*v?X$( z<~$g|EC56yjOUoW%$=itU_YiV=*`M6huUU2$~qzK$YD{4u(?ix@ctb8^=enc?c(h3 z@2)_NEe1}L?PEnAri|n4+>eA0Qo|%T%HBBzM3Ii?gK&;AalIo|9@}z`a7;i;%vw?=)j2H@gO*W?*FJr7WE4X9m z?gf|x9!R;Mb-_$KyebT}9rEOfr6AHk!3@ru*2n}h-p4D?I?W7guJF`o`a_5#MdHTW zw{W-YnG!`{23u1kPXi+C5wNZocP?Hr)BGR4+@5||1fUQ*lxz*%5cK-yX_iI}zmF>H zZ$XwkJ9I%16gc?6QnqsT3e^RmeR;pmMm}5$xpS5~WDMv5P{#G`m(W`GW`OFWktXNQ zTCam*4G1x2Z;hr%mYB`dg{uDV1N7c{vh9YT|H|~_IE&Kln_0;zJm$XLLVjge!d&&=z1v#if}*|L&PwKh>P3?W#3&{fxkGW-XxUrh;lVo zv$eG$JMMyuItGWWV+@TvO<7be9Y$O#I;2O`0Xq6REp=cN^Rkrf;;WX@X$M6<#L^sVzw{s}Fo-qh< zZ0V>%b|k^c8C}%ODj>b04_USobbV&%#U9+jJEs48bLozjJGo$GU*g>mNBOt?$d23i z9w(T{Ko240S5KAUyx*m@avrX-`!TLDi1BFs*-EB9cAFV7iR=>I!BaY$VRnBTu4ES+*fSgXr@0JUVbBtWs)u3oB+m45mYP)I6cb5d4;wT+<*250 zD6z2G0kLkcFQM`}Hq7U|{ld+UFL_8Rm|k95GqEY$G29+7AjU_{pd7>gXQ=*s{TbHN zEJVZJxz$3d#5Kr{2!fxzzW3n>n=u6dW+-1ozQNq@HjFp2j&ram^^QjM0#s;5B0ptn?1v>#o zn(GwpXXYiUw?rQ90W68KBc}WEATSQ6iHceUt3Hlk;d}}HzvoMko1(OD!}II(e*>y! zFUo~^8%7%h7{gPfhN8A8G-qPP>B-;^pS53ck#th^mar6?NGw7riq?p-6J5Qku8#VQ z07Po}ha?BTC>aTu9bB{LL9uGial%3K)7T%*Fh|r*0q#X13S>HMVmB3R<&KmhFDl8@ z->&kRX|SXK_7C;)61N;zW3hfPhy#;Bao|4^A->W=$?`*Y21_!1i@=f)Br%M!wtG@j z{VV~XVCMgyn4S6G$|q3TXX+(^XXA+OZbJ}q5e4ygnl*~E^mWOVL6>MCWn8kNU0fSK4LT80xaAhw5X-C+0`G#z1lK%bj# z_pchhHts#mncxrGY)V$hEor!CBoC;fl_vb@-8P#PP~Z1w$D`PJs19x(M5{dpjcnh7 z^s$+DLOpjuT^t77RmcniuKCxz2lSzffRwjhwJwc;3K*;Djyr-bqvCZSW;g@xx=Wh} zpn3%et9F1O3j5{xvPf=lN5~4eH|V5v;udsC+X<)Rk6W;GE-pW3G-ZIWu@V?-9x zy#3ylZfY#xCyx;n)dVG796{0`q+ZdBK1NFdqQ#{xhh*%T$UDlT1r2;JYCj8}1zBY9 zf)99PWq_!P3|qf6>8a8fYz3pW>3Fo3m}diuyFr&IL073wi#2cG%Jl4(@BnpRUC>2& zQ2iHNILLqCXttXUT@U#Dlf|*^wR~wF5F*l=>6N2Qp*IVL&@}c2=+}r8 z21SZ>d#l-pclkho#RFVk*a7OM z1N_?_%6DQOrl|T9iSz^1A9JO=vZn2hUIsVc(XpdITr~@dq_+o7R9U`dOS=n7Kbt|= z^6nIu*|zHP7+@q1R4S+`9%1MYu4=Ld^8$5)P}md-dYEs5JBT`mkffO0eifm2hch4|ayGUMUZ*xMjF z2ttV}2H-Xx=4!X}3J}ffngw?<**7_J-Gm~<&<&0mocs}>Gv7pA68{Cnou!akg`Xhy z=VV?3);N7n3MgQ@05l^YtXtYk_Hg%>b~L*RyIB5v+;nR#qF7|lxmO6L#Y}r&Eyem z4JC~m*w4TcSU>-4!}V?b;8~&6*y;r-L>nu-1n-p#fGU1|p70lgsBE=KFDw+gzr@uX z*&c=XK%IWW#6;n|UHLe0G%FUKkI+%xjG2{eSulW{7AVQ1U2YyOk~@rv`Or!{FDv|R z-d72_z&SM`tj4=zmRdeGZ-feUMz!zrbk!%Qiq9V`xf#mPExF}$Dm12JbA2Q> zU`vH+MZ&*PFZp~a)Wt2;$&crc?O50h-Cv5N)NNVR&JFR8>0?X)nUXJ>3=W3jELjS+snV|7gcR-ZQYXuz%8PaN=HDh(bq{aNhte7 z0;sh$C7?x$a%a(4xkO?Lp3%A23*p-QFe_ny0(Jv&H8bkt4m zGf?ArGat%kKI%y`kk`VcT_Tm+y`z^9cL!+)?)w2cBEl626)GV5>wv-uu9-fqlpD~p^J{eI{B&NuA-%X;5uexK)luIs+9o0E0f@Qqe0J3cK@L0#>M=<7pE zA{jb!aDLdwgzrz>a`lWST&a*!VD7}$lRz`)m9LhWSwDsLd9CS}kDdDp%H-!(Qw{t> zQLKHOLbXjI1dvz2XXp$HcCv0X>siqw&v)Dehi!o@$r;0U;19Gb<|5b-d#2)iBUh*- zEgYcn?^t7zG@KejC*bM|jz;nPT&F#Lw26t9B?6E|UeC}n(s=>$L zZr7Lf?W0zZQw_)x_8`BmfMKLX;E~2IC1~w%>Bqp>LaxV7rf_^+T)x1zBo(gx4s0*9XbTrivo{59pG zX2uaYY&B0r_xXb}*AH+6%7z@Ms!^>sLY`DR8VC;9d8sr4liOBYI(7b8WwlXCqYw@P z-O%;nEX{d0{&vKIHR1jnYhrejp6XLPjTA&5oQ6Xu$eZQqcn#~NVQ4a zBYzgp1_Ea(aY*wvLcBw)RfaMEXJrLAZk-4{Zg&Oji@4nG`UB09=iI~?{Doe|O!?Tb zD7!p}+7EvhIvwXb+EfSCBcXNr6{Zl;5NZ2kS!IAOiofYrkl z*`0pH*AWG8idpK&&IRiS6Qf*xv|~pHh0jcy<}1Y5l7JlA24KeDr6+ma-)lpK1uhsZr7^!Txt{ZC z^HNh{U^l;}TK8$zFMsI9G5^A~8Y#sM+$Ox7!N*yfkz*lk4s2kV>UA<57fK)!f7{o7 z8|{qz>Z#twT!W!E)>P_nRaYY4J&<&JAIP< z8N=Bs2nJl>@Px*r@hDx``cFw>U4PbmX<2{-Jp} z_iMQaY{9EMuR!WI9uh;F>Jp!&GEcDPp(HaCHi#TRKHX>aOR+WADywHWF&j59fVsre zPL7QtPh!s_9d=vZMz8o*{Yf}F#cLyAvakni+i=RS9&ac7Zq?Z1~6Mv4TWJ!SJhNzB{``^F`f{bzx`c5p;>g&dxsuON_Z(4{B}RG+@zq z;6^cajW+>{>F)y@VJnzbl;-*b6#WxG$e+*u1E8pJ69_OaTC*1A2msLNUo=*|`xn%| z`1F;;mxeRlQ;ZqxYcN6u!uQ$%y>462V%qPbnKt2}gCMnOkWswjd0F>k729R;CUHQd zc7b7}b4Xy5s$?YD6z9|DGE$J6oUyI13c_Th5-eN^>9<-o@d@pRYq>ZI}6 z62RxDc)pr5?*BP3n2VIFPOHrvmsBQ4m;lp4z{+Ix!YhXZnZK>t^wWdh4FN?8V%Y)i zA{$!*c~q8(hf|1v&q38`Txu5Xis2no=|LhL`6r%KwSxz|^uA}NcQ@~SHp#7pdj%IJ zsP`2;CgYU>u`EQgYi!i3EB-D#*D^3CbMtE_Rp@jWFX@RYR$ja6B3y<9R^ID3A3FQu z@CT00lPF3#3hO8rS2AV$5(U$F0Hy@*g&vVRkwHIyM7?#KwJ=eJ-lk@!gRG$-Hx`U2 zVxhP^nk)vM1{)_O56Z6Hj0)UvF#fa$xH}m0Pk>t3VFt?J>=?dj)(wZbpRc{e)isUqE(rLA{cuGUJdZSbrp2=zOpZ^B` ziH_brL_>8q za?2BG&=@J#2k1v|-$k=Tet6Vk}0Hlt^l{gUXE#gl}I_**tg#&4@~iP z)+2BwgivC{TE0|{5oPHYPkKEi;pi9~j~})?xjUr(pB)HQ~%c@A5=TboZBh%AaXtNj4%S2{HMo=#z&@ATe4| z;5ahcnhGDoXpV$1YJVAj%r^G$hZyTBzcDDABV3<}<}>5R4ZpxsIK=t~ORLxo|#q zH9dWKa$Kb9-W?{&R&fyFB}afSFdfcVV32>DFcbh$Oy-ce$Nuv}rW^YK#lwIl*#scx zI>4fmJN1tKo^RR_GBY_Qm6*iY! zZSp(gvsWxWiu1W+_A%A7EBb4-mM`}^kH8q7?c3);W+x1Ujt=xvLDD!0U3OA;COJr1 zg>-M<&kx908pZ`h%7Qj#B-x|=bH|7tRk~eBKtUqs#E-$Pp(l1Gbt)FjST!^#!rqMn z$#1o-qysSp0EhiG-{!I}Yf|#nQc?&qBWyEcmh+TI5w6|2Yl&1z&xDjE-vkhZ@nXe0tD2CxZo z)TI+migE>tm<*HOo#Gx*8v}#mki6u5V)zV6Q5<64Z4YhEb`k`M`sIdjZ>$z+==F^q zpG{9mVh`^7CDQfTb)Qr5T$q_9bS2yl@2nkm?~; z#H8@9Y)A}_yRd@6>BQjlDsD97X}hFPwF#C#2E?8-Am@lPYDSP>%|xR@Ponxj63U|V ziks8b1*5`U5v-sq)-%$qkhWx{D!CK%AKAuZqEq5QL6ANeGOmttWMT53fD+l5Y0ZA4 zTry8rx?&>>!xU0nmmsw9>WiK!`7tl0Vu+*TR~hf{J*feQwh!o=HUnIxfRb)((0sVY z0qKywM+wJ}=IM<$5Fy!v0r&dq6wVhs2%=k-G2vvW7@nvS)5=0m5!WW8?s%Xqtf^h6zt$ z0>OO{<(dlKJ9Z&sw=$amqqCn;$DbUULm{_7;uWt7{`M5*M{5E~)b@oe0Fyq?cNjE* zoamk)n=XieeUAi3b)SGWBtP3&QMXKlzCJJCV%1&`V3+j%iUrSF6q-=)&W^oqY%(aC zK)SARf)L@Rc?@7hnO)~e1Ugg3q&ZIXCB;dfg)#LNW=FsiSW%7Zg1LuQf0(Ece=Zdy z9{|yxD9u((%Y!4WE;ruh&#dIP9-KxC1qW0Wh9Zl1qzO7eoO8%<+O$`MH*kdy03zNw zGmi3?(4Gz;?bw(&q6W>;k_P&Q7l06CFXqyvgG!^6;{;8h=VIi_^_`s8g!W!Qboazj z0*Ch7FMu^R)_6iR!?GpK!6I z-l!3jPuBxqHmkg!)^Ee;*#}Z9QAD;f!_gB-5WDJoy^^!c*d21J?7V;cS*oeZ%WVI0 zjf_(n0lm46tdm}cEX$+T&v=GF`5=^BscRT2MS@+X2wBQHIhs18Bvwoju{l!M zmICXU!C@0nq-DB=t*PG^BdL$C@-ZB~|H|v5QGOcc(9xWb0u!U@cZ6?KOuUJFg>E6N zI+~q7|5^}(3~ zYO0vH#yppU29L$1Iw6+D$?vR^JC7(62nDORlae-u4{f8rDBd6EviTf@>Y8Pm(CnpI zMg5(I(`7UQMZW$}Vh-LWHxW=LK_FFiJt9;mll}mUrU+7jUnNdL5}MsJo)gizUT%Ua zWkcKa34)Ac$(==?R!FS_{=#=Sl;M222wwq_q;aez^}Zqu21xXD-6gC(=U!?%Ob8&X zVcZsTyTIr>Tn{kxg|;C%?q~M_>-{{7h$oGMqpZ)T-Q3S)-lnLX*wD zScwzItLr1*GtQ|*%mT=4J=3c62k5l4zatm-y>WO|a2{e_?P-o~G^1wN2c*h6eB!8f zXCfA{&DHPGzVT4@(a^RSeaIy93FxBRL}3pBj;=XA2gb|fDE{3!6uqmfm7ZjEAEiXc zr?Dw9lc^}x>7ON>Sr;xjZ)UhM(*#{1I!Z-7Qu?OZ#bkpn)oypRn$8AtKmm~hVq6xa zRnglZb41omvyc1EA){mIfB;5kkKjRnlAvhlE{~`~uBj}2JQ2-v8 z+fnDA^9eCKxA-3c)hlsX+*k#dX@^zQ`5@5n6*uwE3cknk|1Cr0{ChtYBXe`}_rsuJ-qPA? zc}!yoD@e{g-Ju0oD#ov$P1?ADQhNfHRzCgO@F8qZ`P&e~XEKH}qL@?OBOS8_NcF+( zw0f#A9|QjL!ofKEPT=W3y!QT8(rIA6%#qbL=d~g)*><4+X_7PL z*ixk>LJ7#U%UeqhBgc}b{I7UR=ouP^Eefw=c{6>Bdt|?L;kUCLn$b!SWi9bO_s;IdclgMGUWw@66G6~adl`|`$ z6udK5sQ7Dx9Z-;gT}9?4f;_It?%0VMjlf<)u_YOP^R?3=CDF9^Sg8 zO%I-=U}L~;l6)2(T)VV#+(m~@-=FIW4GZE&ok-k_8rdO(bzxvD=S?mm`K=VQ3$a;p zr{Faaw!?#uqmvR=p0j`ohUBm!t4ri-bi&}*bgUCiV>@`EAbmE}l+Ens#n4$-B37vI zDsB@Z4E1L0y~~5F0b45u5d>x0y@PJan6)Mvk*% zT?l*}=?0ZguwhLJ$#RVohu8F((|)=BDlZxqY}(5`3z`R^DWETjb>e0)FB;ArSW^;c zJ7uA>!g#FEWyc%1(ZHKxP4O7D<%Hk-1h8h_$s~`W0i|NgOe*y)57a;?XAX?KTcJ4{ zfp{Yi`|*xiZXC4K9-AY>_LTkh@T4>^nxn!Syt(k8q6Ic)@fxWoP;XtZPWbacBWtUe z3!?KYQ3NUvp!P57E^ch?+Vzd7Lj{nU4C{p38a-&I(`l?J zmxp*wptH-cLbK~g#W*zZJXllgg4i3uvyfRkqq49B^? zo$%t9_1KSvX1!uCoYvSJwT$-I2*8u<*c{2o>K%j!<9V?$TYK_K7BqXv7W@1?01FGgGo=r`xiN(R+F6t8dyCvcRHAJuI7+O9Z zfsY=oM%1P4Qcn2XTWRSF|Ajd;TnwM4yR|a&cl4R7E!HtSU-b|@&U{awU67*haR&|0 zLP5{j1S!2=et`9`P>`ZUEkViWH6OO@u{ST8)eE`qzqZy}0G1BV$UxmMgf<2`^O9kCya8LH{?0rdCUb?!79ss%x;)lK$%` hhSds&cdLqqE(!2ns%UlTedi+hXQXGQTS#$=_zNJ|d2s*$ diff --git a/versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP1/Distributed.drawio b/versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP1/Distributed.drawio deleted file mode 100644 index f7c6fe79..00000000 --- a/versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP1/Distributed.drawio +++ /dev/null @@ -1 +0,0 @@ -7V3bcts2EP0aP8pDgPfH2ImbziRTt+m0zVMHpmCJMUUoFG1L/fqC4kUkAEoULwDkRC8WIBIkF2d3z+6C8JV5u9r+kqD18jOZ4+gKGvPtlfn+CtKPY9M/Wc8u7/FtM+9YJOE87wKHji/hf7joNIre53CON40DU0KiNFw3OwMSxzhIG30oSchr87BHEjWvukYLzHV8CVDE9/4dztNl3uvZxqH/Iw4Xy/LKwCh+eUDB0yIhz3FxvStoPu4/+c8rVI5VHL9Zojl5rXWZH67M24SQNP+22t7iKJNtKbb8vLuWX6v7TnCcdjkhWVoPJP5zF3/w/trOvG+vv70+z4rJe0HRMy4fw4noeDePhA5L5YmC/Afn+3N2pzcfcfSC0zBAh67s4dJd1DwuO3+22U/3O3oAgOtt/Qxnkf29R0kapiGJy6vS288vnP9eSK4aHFIhrrOvz6voLkEr+vXmdRmm+Ms6v89XClLat0xXEW0B+nU/QziTgUFb1SRkjYCswqD4HqEHHN1UU3pLIpLQn2ISZ9fYpAl5qvABise7Q6swymD/F07mKEZFd4FxkA2LonAR00ZAJwkn1RO94CTF29aJBBU8qNphssJpsqOHFCfMbLeAVKFywC0x+VpDcNm3rKHX9opOVGjNohr9gBz6pQDPGUACkEPSBif0OWkfHGEayyfzMqlWj2QaI4kUcCK1eJGajkikYASRrrboX/K79Qh+vYe77+Ef8RMBM4+TaECCp4SgYClDoJz0BDJuF6jFCNQ0O8oTGiPI055D4NsPc8+Yo0cAwMy0OJHhOfUDRZMk6ZIsSIyiD4dexnTUZDdHm+W+H3SwHNTE3YXZne5HwfH8Xea1souucZz3NH+v24+OZqZ1xrKHPDpfCY5QGr40naFI9PtT6a2jXe2ANQnjdFMb+T7rOMDAAoxaGdBvOqkzT6Bf8nsQn256LadXd7whz0mAi9MYQFVi6a+zrsCfDsTd4ZhPhKwL0H3DaborEICeU9LE5x50JcyCCG02mZ9rYBEcQ00upCOPWdAGOt4Cp0eOc8ZG4SCDypOdmkE1ADdTpVGlPGFNtTkTUuXQI/yYNTfUvobx4tO+9d50xrKeVhPHlsDBAyiwns5Uzsg5Krt2Dy9fdpUMVMgOuCh4QLZredg2fedhBji5MQT7bObckZJzBNt498OQ7HKm3Wm4jW0zXsbmEWaL6LdlTqWegLdesv1MC+Hp72T8SSgMxxkoN2yhquUYuZubjDP4nImgI6JohtahRmbVYsxqlcBR5pLKkPMtYb4U6uSgh23xmSTQlw9aRz3apJmNT5FGsIeedrA3j1ExzfMC0G6BnZS0gFieloCivcGYDXQN2oBeURu4mLCNtRXqozZwMWEbSy80kJ0ol6ModLv5GbqNgjIuza9B5OYp9zbjs1hJoRub7qVs4tqofWBzwKkp7UUEcmx6TD2hrQrkb0gDJqq/8PUSnk8r1IAKjXoHdWx2XQMVgAKuwerEoXLIhAd8dw3neBum/2R4vva8ovl137SL1vttgfZ9Y1dr3OMkpM+X+eWiNkmfNR8LOGW7NljWPIy2b+3qLXa8TurVllE/Hca4HVWw4fv5SS/7hmZc2KyxYzNoailNCkYymJHY2HhqNb/kDAS3MgFUpFBdDgL+IDkI2DUHAfXKQcCLyUFwpWMABSuZJHu3i8lCcMVjHaR3Mg8hbY3mzxLyVCVkv3Miwp0MZ9omIg4UtuSsX2vkVsxfB/goVXXnAxGRxeMuImHBEzZDoCxybXKZDdRPV/rj3pSUsuBKz9Jxb15GmoKiTD/g84mKywn9gK9f5GfysbRy0zJF5FcuwD8Z+Zn22GZo2PzwkbmmkV/1opk+oYt5PGzWKPCzWFOrgfD4qPln/fnC4z4AtAv7LNEKddYB/Zilh6PpmNOOrGsKU1H9AVg+g6neBQhQJR0lMXhLVIGIN4QCVhuXwr9TKqTvIm2fzKdYGr6f1vqiZKXxdkPhT6h7f822Or/VZnXU7IEqa9sN/Hjsy9tTKxmfHvoJlrPB4koCi8nSf8Pyr53Dx5WLHZ75o3V4nacX6ewFT9ch0chWM6badQSW2pVpqUvd11DXpGbj7dELwS3qw754LjspafPhnobJeMC9YK88Jeko8Uo1j+Oe5XL0UzGna0RTsu7JKwSA8WU+u8fKxLs4OKauxrd1lk/zEElvFtpmv7k7OdCe0Hjm4WNLtc8Onwiu7POMzn2WW9DGTHM1U19Q6QCmVDMtWgS0D9mv12WmcfZwiiHS50+bWjOCtNglU1WgVRMWFMXpk70U4vBxOi8spERYM2hoJy1tV64McMqSVqFwhQ/ZvNfhsww6FuNN/RahlHekcxKUyxSrz4G6auOFqtGtejEtKZS31o0tfPVlhTPTsBlEWdkrTwda6HQyX+fuZMc/QQHa9hvltrLzGmc0t7IbbQM6vjKSJd6Uswb2VU31rMG9JELP5l3U83lXSYJSiRmdPPdosablaKDb1VTyywfdPgH0uZaSf5rjhpJbBi3HTvLhaNNOqglF2bWxUs2keGNnTk7Vvs7ti9+02dfZZsEld19noUQhJ1EVlvSsFZ+MBTwZ0gqfu2AmdVIqPM4aaGQHTc7RV1tHXu45ENoMvxRuZjJZRNo+c5KWew4SHrcBgHLRqdkEY0TtFhSRhMf5KrUb8gost1bYY3WK1NnJNxdUNT181nuaEvi4hhf4ULn1UJvTOrcG3r++PYoy+BehDNLy4sO0wWTLtOq1QZMdPUdELOjKnZUittxtUpkVgr2sEKjZoNKSyTBDnSd1aEDUK43DRheGb9cBcvL4MhvZdrx7/PjBWZ+jIq9ZBmo4E7KlkqHgNUH+2tGpF1rVcw4otfwoliX//6mUqH/FJdzuZKI3cxlT/btycqX5EMGmlhdKNaESrtl5lod67l5GnjPC7P+QZIuaFjx+xkRmmw8ML8Jss2km9Ua73GjuMhIgvWz7iMor2q7uCEDHXzbB/vMJg90zcrzFWWIB6OHjVUwpHDqlw/SUf39Kx1QYYMtr6oN/qDoI7ctPFJm4zpnhiUycrdrECZLOGubZ9FO0Mu/3hnxD18SwWtdwZNe+KdatjVws8UTAtaQCF7414JYb2p0mNbZK5Ir23dMXuRy38UT/JmAk5NJmQrLtlw6uLUHr5Wcyx9kR/wM= \ No newline at end of file diff --git a/versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP1/Distributed.png b/versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP1/Distributed.png deleted file mode 100644 index d96ca216b2fe23de6ecacca6544f5b0d0ef86778..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 31547 zcmeFa2UOGBwmu4oieN#JBHacSS_nx%>AfQ$y$PWO0--mlBB&IxBhpj^l#ZYjX;OlU zfYLz(2~FuC0s#WN^$YHEJZGOX?!E8bcmLym$9C+YkgUGunrqJa&2Q}+7j)J3F>*4} z(9rDDP**mfp`pjq(9jk#>;j(@we_#k(Cq%|qhjjg7T}1%I?$YiD{cRDQe4a#=k0S6 zu6$Bl+~40{#NNx+Uj%~#zk#pZaP}BSjD!95*WzO0V!~oDVHoTp41N->0G9-RiNQrs z;^OAp40RS_a$ps7=)FxW}BBKS!gS&)7R{}p{F|H2aA2kQGD-NpS?QZJ<{!w!F!nt95 z-9R;zl!%xJTuK5Vf|B~<8&Kt+KR2{>wDrRL)(tdI2OnFf?Kzq|iYwW=I_WwE*(>_$ z8V0&~;xxAB=I7w$jlsEZ7lVn5AVgr>U-$%iIBb7v@8E|)gFeMi!d1Wu+hc5k?qj@ymG zjXmtq2ydjy1u>YTyS}=H$pvLIg!ly?mkT}@b-i@p>V7DgrmCW%i;AD%Kx@altf&%Kk>PGe+QW~zRZYl_GEh%SR2|c)q zj~n~~`lPs`zN52)zqX=|i=%>*D?;g_fr)|ysN||DW$WZ&ucE7Ds%)Z$aWcb6Xt~sQ!@ocgp`2_T+B2;OT$w|(LMm_6(EJcs2G`I zv1WR%L0V8>pkZh803Q{1aVd;G+!TCdBo(0NYKzql0z#ySfhjBaIEiV%UExm3CiXh2 zDvkjtCvz|+gr-T5x}T%3qPM-hBw7=c)iP6ZRMB%Z(Q`Bx_w$!Pt3$#NsOad5L92PV zp_~zh4j45_arGeZvA=tehk_&0&f5f3L}&oXQq))S(DMmWk~>QCvi6;9ajVM3nt2LeoE&0>Tcd(R}?RJ zz!eldkU>gVe=mJCZv`i9e|x7O4YZ*a%)=F~V&HAAfW_#djFHM3rYfptzFrs2;R+2XKfEJjE9P{ zEdp-jpx|cWYhtMFYh)CN!}+N=1}W$nX@CRn>@TijfHd=xz^IrgAPsO%hOQW8Z(AcX z37iTTs6AFM&cp;wloh4w~lXW@hU4M&j!3=7AW0e+d;kgbo6%rlO;XgaVj}k``P; zMO6~(s9}N*K%-O?{ro&|N=_)Wx|^ASii)N=&?1U@V&{err(ma2=CnSs9| zRtg*$RY?VJWdzz6p`eFyanUtFJ4m7({0&@;%u%*xYCvld;J*1lc1#o33!e9nINVI*BuTvnXWd|u@(;z)%Wu%`e7VRtMY^Z34 z^2VTbO~jS718x00T~PME%1Ao{RS8{FaRUhnaXmdyMHg#mrvo?fKsv*4$Uxm7Pai+5 zpNp*o9PNp43{n#Jzi5gygQLBJOpqFIW6-U(x}7ps3JINECr>?$DbB?Nu5O|Z^90{{ zcn3)+2RN$e`0MB>J9ryQ1}Y%kOpSfDz1_@%)R3y$3c3>BfoM-~vnXD$ceHcV^a;|} zvzIWC1h<%~p=5xcDa^sn6s~S4W^dL;q`CCLWvdJ>74YL9_X_or z0l)vc$>Ay$i<+f0H2gFg$_f_)tY^ROxpz|K{sK{cIrGTQi`?{_H_wTMKP8-+x@L4H zW;gokbk0Z*wXU?l3m_j|AB4ZA>|AD`W}|@ZfchO>?%ELy3Y)| zRs5@iZi~*vC*NMNnGAN4{qeEZ5Q)UPjS{#0*Kg85-^&-&{oEjV9liPj{23(XNQG65 zKZs>1m;^ zeIU=T5RNL?qt1OL{8o6`(u7-$qC>qH=!Axjhy5|Ehe+=kNd1kW^x(I6S1#e3D*SqN zUxG-;;i{=`Sg5-Qb9(2v?mMRoSfKW3BIs#{$_4m68R!)0hI*3ARvGW_X@J^e@UaZX zn>MpFjvs}7qR052(hX558kr zcs*3riYh!O$py{wF&pUlm3_>#^8frI@>jt8eq<&_^Y{B3rB zp<2qK#^^$QT4SREb<+3uEUX!u)t3+E?2OJYb1kfXU12li(Xg)}gLmn4G;RRg*IF8a$2@-psKE!y{FsQ!fgms zJ#975sKyuKgk+IoH>6ME1ePLVc!^vA=ZS9-u^L!#;HVZ>5 zH7M!%z;-Rp820580{a!IGN2vaTlV1)e%x62*2^L5mCD{I_L_w#+w4?7M$y3cTJ`6L zh&LBfCZ(N*0_RKGWk;?bzsYbmuc-dx25BE^kXcu9vu>jdb^A3 zYFYKH+sL=b1N#d@W?hrHqRAG8ik(8b;y6vQ;ke+mgD7JF1i*qA2NS=q>)9B+lA7Zz9~_)F^fCE!os4IFix|5-dqlW zOb zAMG;7K69(xSZ?(s%93BUh%n7x9$tTRc}Q++wSDAy#!W^!%E*BRXw{20*QQbFX_6BU z(T|FaZ9eSt(YtI;s^<-3 zdJPT%LNAWTqmH&UER5X1$1A(^LJtw2Pj(K#T3UI$-DwNPu-C-O*NAlRBl)5!Www7N z-B3>kfh}%gYeh6RzeRtv)qC93M?|5C7-T3_*D`;T|LkcrJ?Ws_hRA>>=aT`Qu>X5EehSnImcuvpPg{zHLI zoitjQxF$4uhY+%cpeB<3^O+z*@21Z1iH|k35BDwNQ8h4Z&FVyJ*xJu*IUd=cPYy&u zdSgc`0r!~@-x$Si{rty=zU{l=A;YsOeN=_mm1CcjBJM4*C0|$>x{Nc$RWH?-q%Gx5 z>?!IiUt4Vt;|(Ro+FX6rYyD_y9~Dv-K5C2(tyGlY{TTR(9B0_C)alxyv+ISvpi(oR`n$8#HNDd@h-eOHRCE zICLE`e1I*ib1C9L@MDZe{+qeV5uhF%NXq8HAEl9>2(jyCPN}Q}8+;tPIr(az&-w3< zBkRpw^Sh-(dBbWbO!c}oyK*=i^LZ({M5bF7qs5M zxA`f!3WlsF*jxx3JI>e7(WocgDENw(cwJ3GFFs@;k`F5@du0CZsL9pFiJpy>VLofp zqh5*OCa(0pnA)!Ru%oh}ipPf%n{AB4mP^vzYE(}Q`8OvR;A`plYDI;H4m7VXNVb&# zb?348UJ$iHAPOQ01esMl7jBSJPo7A|?JpY&awQ>7m254J`@Add;2 z@de-0ZJSByaqo8fw|})iPQSLMTAjjwn^~Rx`zRQTl*|_Q4XQbGAi^32jhj#9gAi3W zfpL>nWkQy@Z^)ZP$QGdH(p!3%KU2S&*%|bOWAvcMI)T7Q{on)BPhxyfpvtjhw*)?w zE#Wu3&4;8IspGbxtH#EG#jB0E*H0bQGp3)j@j+`Jr4B_b(uJ5q11{t{b_`k(AEn2M z+XMFeW57GteyUbi@g6+rEchuKYWU5dw*=MP3ZoC|1%p`FJS+&O+NaK{Ej?}4&e+Ts7Tkv|X;qa>Hl$93 z`MJeoQC!z_8=c9#%B75WB;%mm<@ZPu)l~bQD?gvcG41;FA^Wz8cbZNDZ*Wg?7wr++ zp5(aW8Pxd!MJ|v2XpsI(y)iH?s9JH{8)1H^7QUn!xLxEzElqs!n)kcC+nqiH=JC0v zaCs@(9t$bgW7{U~t!X{dba+)h)R?^yhLy!+&h^?1M4Cuv^-@5??45)l?*Nx(mhLl^6p)1Fn8G2mb9 zyt%K?&pIhNJgf7 zjwSVocY5cMRRd7#lzVK6H`IpgxsU9OI1DsM%$*I`*n8RC68JGMd6^b7mpJ86iHl3k z&tO?NA>fe)u;IaV=hF(&5=JJjx`cM!yh@2KkQ*0H)EE&Z2r(bD~s;rNG^`=2{W zX~o}umk^z^`A`D?GhXF*(I;i8rrpQoX4Q!y!HM>gdYm>cgit*u$CFs6gQt9)pI7N1Mm84|i)yLG7jKZ`z(QEjp2Th%y zrVt`;r~5q%cttuBBC&cJ+Lo&KlH!bXr|I&_4xd~{zq=c<-#PC6czDo*k}i%L6zAtt z2^whaVN(e@CY^hR!D3+J4*#|%f8IFScvuDZg?6t8oX2nT?K9edVd8#p#j0LFa; zfNJQ#Z9;cj?$6I-*`?*$(u)G4?@lp1V<;LjxHpq1LbU$`F68|Q(sPCIC1U}tLEJsh*D(Y)9{qOX`^EwVWkDhtIebw- z7>JR_Ohpe*lcOqPuaPEPWo)L&O-y+n^1)1zOi{;iinsPg%3lEzL96kN+0|*9Om{Vv zw?4UWDL8-Bzmj98$bK7I<;bJXajdFk)~9-iOy2AVCR=-hYI=yV?4~2(WVT)GjA}zy z`H$=ZL8TrGx;u48d)j)4I~mT)Tt(STubMZ{`@k42xohaI?^622aW>Aq`a<3)`-BK@ z+jcMPqDA$zMB%+6hi_KxQ4rrtw+Dy_{fP*rywvDA5QA9jb!C4+Y| z?~4YJCyuW{PfVLdKUztrZ1*B+eJN@O!Ggo`6n7xY6?+c)L*SI`QK!3RdfuX$oqy&h z^H6a9q$^KtXVWPUPckDv=UxSLo>=9QV)0Fzhi?KTw|lXvs$<;USSD6}L2^-m{=FE( z2_Q3vZqe^A_IrI(RKD-W(W+JR_TF=$*|GZH2n($85*%0XrnWxQQFc7FV*W&rU%doG zu)l8-@|P;i{-HiFX~hZAiYW}^rh&sXVf)~oDFvtqmM7H z|K7vYbS~6(jxh487b4wRZsy_oZ;B)Dl9^95@ZaJGnnV7OWaB{pxf&YV>}w0#Tbe4O z8WG!ILi70&11CD_b3S{FFQtC4sUdK?7s5_sN&cFsw^8-CQAgFI6+l37=|T7jkL#~W ze1mE0bq|beZ|QlfI6C%gg)~p!GE3kYGc5i$3QoxX4~OhOuW=(+3&JU-EeC#6%Na0% zQB&+a5z$f*8Was)ZL!%8g+?Zq$lulEI3eHGqkfOz^>QBHF8vV@KdI;okYev1r;L5n znjYk=Hkb~6Xf}0@OqrD9gCb`8xOB&dT|Xu;Dmz5p`4vp73(7qnV%26i6{0c~qU54l z9;SPLYRJ>7U{b;Sg|Dpkd0!rnEotpLVK(N#(se+59*|R@qT>&F4DJxysvIxsyV$;a8ySj{gYoD&wSFa3l zA^R>xLeA>7rCuAkk1O??8}nguRUi`JhBtG#Z&dHu%)?HYTnGcc@zvg{354wzx3Yau z477Zy$09i_wzmmab>=L=Eb&WJ5bwoo;v0%x>jp6)Y;SS#QWmQEG!(kC$!eQ4KTw?H z`}4EfwcNs*bB$aPvt`4w+#pUlvQ!urQaS8rET z&c#0+@6JlA2;;S6H(&i>eR6p^#yQUDfnI(To7_P8_yY^1PI0!}#*Y!!!T=RgmTZk} zf?mEf;a~y-h)aqlqb!r%D>3CiJG2^r)6UB#Y~EG%d27m~ma|QAG;TsCG}vwi^5&=W z%dE*i^uh)t+J`6;DAZ)=lwta#GT8E%pq$i9#bla}5+T-xVkb%d7MYx&VeQ*(q;q_v zo=Ft@2wiMeG+(oh>{SMPeN5yNhgSaNeXy{XQt<+PAYjI|U-DbH2UzVW6o_Ezu#jsv zr)wRjq>(wh@~?sL`6v{F-D6_usZz4bE@QQ{Q`dEq+yq5dionjGT!jmg6nw)*<5AH- zl0T2khizTXKz^6ZXZ$pPD=kR$#Kh_EV7SM2DP2fd)?7MYI&%mI&Oq2u=_1_xmCu%t zaA8-_#AZ^^+~yffSd;{QAUP@RNyS0DV2OMANVH=p@y7$OMyG=bEa}dhD`>v;zJ>dR z!I_u`P0>cdK_@o{11D2QY!6&ECE+*nO4=S_I2yy=jNUw755*ft2~vV-0e0ozpT3(rKMG3)U$8B@-Uo##Ee5dp%u+5#OdHBITAae)(Kpeg`xHO>btDkFH z)*yfi9(fWB6FsY&@O_UfZ7N~N@8!2y#Kx5KDb7}+qnk?MRr-4v?y+2|zF*RIDo!fLY&9`EqVL4?cP@J!`eUJ(R5moQrk|JTEu`6XoQqCX^d| z@o{|FaeT!oo2MKo>V2g2Ey~1jIw@sR!e($QQ#9no>N`gY*#R5c6y5i8>#OZG9>)UF zv=R`0Lv8V<^Jc($ZY*L$4)!c@rz>(_%r2g@+i1?NvfHsNGasne+4TrST(@MMWg15z z{J~@DMK)5T{qhj$ksvI)R(A24MEAIT=L!(Pggxe~8hhJqk2BsX zJ2)b_FXA9DDvm!slJfMv;9R=Hofr4{l5(eqPMKT3SOO3P1@Yv5`kawnZNYV*MOVAb zonLU-V&$7q6rjO+AKXsgQ%A+=2)zPV|bA>F%8YNWSzb4h!LWY5y$CFa^4qM>o(yewgUK-eZm??O?}wp$d3*xXft>aJ_~PNM&6OPqotm}Aq0kZ8Ix0W(oSy!}o}!@-W|PVtA6Qn}rOeE{ z3XDVT3koi0I0t6-z*oR7R+gPvECh3|vHg574^>aj9I?O_tB|Vgh@Bu9tA@7s&5~Q4yT851K`To)HZ4&!;yF+ zg&d+yeE*2-`I_ALQTP08mjstxUcmlgm~kn+N~Bq@cV4rC@7iKwZPjYzVW2FmNctn> zFU91~@B1D zqMElRP_;(_26J)?&OBnD#bgQ>!s>$eOB{8O}7&sTiVAJyfRID z!PL7->}C8NggDVw@0AI@rnsxcQiu%`GJ(aKc)pR47$-+cYR7KcSyT3BlG!N)8^Yz! zvDRI|d%^$$)^I>hx-mf!U;ANY;hJ0(#c-^tl0ApX7wssa#U{0D-8wRD1*E=@ zoTa=E0BpAlN69!;?8z->Oqp?#d$Y=0O+GRHxH4hicQU|G4v(X1i1Cg*A79B5JUQjS z^-^w(w>$>6e%EhXZ|H)KTX*8zBenGACy=&}8}KC|vv#W^v3OGx@!J7B=3KUR0VNFt z{~Jx&ZG?H6MRdY^kav>lgoNXg8&g~I6Ll`a+0Oy}R6T6hFb(Dd{6*Csz+ zrF}VP#-kUSH%20KaI}zIL;NW3E>h^$^}`7M?mA%#o2Sr?wKI}17%WQea@8NX03Tjt zO*XPGlMj9XfM(mzbJ06jApfZ0%+tBB72|eaC)fAgcgt$*?*w)MtNHBRlXECl?}^Po z3Dj)Kb0;_3FT_Brq9s1Wx%guJaaHMd$f4l7oxeJLR|2ov-Fd#fGA(a(`n@08KKRY; zYp+cdh6Z9hrRg%5iiT9nT)ne^?My)$mn4jD240l*7CU>QgSi=q7?AGkV+`mbXN+h+LenS5>g z;1)?OwI?tE;dA!Ve|Z;wxuyRn-O|y~QClxBud(M$>>_((*+qF*DcjjEu*KCB$=dL; z_*+49D=`bk?IG_40;jbElGOGAFJ9b?5SkHJVsscceLd)PPN}$Ob+`8sqm5JlwHVh& z|D9vmR-p^O1;XNCN1E+2iay2YCmg;`DMdH@6{q?uIQc&ioUA9410JTN9Ok+Ec8ngt z-Sv%)R|mso_-+Kv`CWN2=|1W7soPV@_&*b)KAy3c`CIhuj_-GAmIkx2%l;x=m@w~_ zkCniqo3_?n^HAwB;(PgyJ8S22CzmI?KrR!){sqC+{&=2bpyir4T^C$MKa$4RT!}}NHj_0{CcbhXwu?{YeH9(D|ok>N~Y)x7YmwOABqh zE7#Sek8y`lh^f`GB6}lF)p7Yw(L{IwtIDe3juPEwAqYDHD+=;3~efJqK6Xr&LsF=%c~4kfF@XeE3^bD!boX zFS}Fps)sJ|ao&i(%gmt>zJxr)C3tj!pISj^4}BiUw>5JLCs!YW$}d~9O5A;65FYaU zL#gNI`yfr?j1G6=*VEL}sb|zh@R>C6utbbghdEtU5vjhw$RaLQK8I%gLeAmlqqjus zf?81a^z^1`gK{N|%tdUEVUDS^gcZ$jc0cRB%SNBHvovX!pPcE$tC*Ytv0@2NOTTPt zY5yGl3XVjO31XR*s^Pk4p}vjjjjy3^bFo{!0GD4!qi28WA*l4=iz{PxmW-b`yp#L{ z@=w+=ofn-kf7MjZ@QktOK&GZAH{B{&_+TYf`EcLH4R|gMtt(jbo+JFBh4cZolTpNh2Q;EHRYk7dY@^3+ovD+( zcc#gcVGMYbi~EkyQkO7~?ym*^Yr#`BwDt&@m!9GVd9c(ZX8>wAJ+!{i%zGKzhpXMF ze{zkNa~b4szVPUdi_}8AAShl2Dk6?o;Qnb}Q#^V*+CG99;sQMbKP74QECa%CwI}K z9q&s$^mXY2GUiTv)-GWIvaS0pBKEm<_5 z4rssv6wR~whliF5{G&jyYmji~+(DK^sI~{B&aP=VeQ>19L&1aSOhoEJ2!neXGZ*V8 z7IRqvzUwwszEHr>I6Nl}(vc7NgJkZHC-bWoKa50kxqGaZ_DRr*SiQJV(2z`n>#BB0 zSv3cWNNDMXRSC_?4R5CdiH~w0xfYs%VYT*;4xB$OwqAA~1R75Wm-}QXS1_y5Rq6ZR z!)CdN)CIxyXxT3mL)8QiB*w%((ke6t)n2_At$%akk81F8pBI`HY@(pr${ox^|4x8( zv%joEbe)05oz#%o6Ejii3UryV_j38N?jA7i###ZEEym2rc{Yo4r^|hEv@1AvL%rUz z&*}qdY!*%iZ=)_!tKVqI?6@-V^6%4zs?UI3fD*ucHon?vP3}xAFgnxQ=}$ZKd_|_= zW1$w<1rdix*BAQGE|f%T#dm*1^a_D|j8m7leRTt8iLi!0NGrpQNiaHw=Sqv6dF`mG;0;03WS-BIy|RvMmH{Rar9Fy12N+3~=a&b7dSH*_@Z4 zEK(p|#V)3RFE&-Ji34hN1^`6PPT&g-q)UmXp);o&T6Rj~V97awi#pzjgzpXQcp3*t zAD!THb{r|Q<6zO@OV#5)Mz7hV(KsCs4}TC|wvmK?c;RH=S?;4qPISjDsCWxQz?byu z*2FvivVBgp;{CCFkE?yoaT-eEfC2J}!@|9S{FUJ%9Ua4A=5L##2ad>57U`jpmeNYqsPqe)>J@aFjDmu<6TpmU{x3&13*dVGG4hSvsT6JGGwb9zo?^Lng zWaf&8Vbt+}d&7yAz?<%5ILrbXPT>6C&~T*(FTfq5T?;A%q}M(tus!;`V0-iYT)9UR ztI1VET`33hTcw*t%Pna%I{=BvX=l}}=+MNM{`%2+OWr8)F9cmXL9{t*h%|0APy@OMCi4u(Hg`AbbV@wMUV~gfO{{ zpPk9Mmp>S$9g-#9(7TH0wS-eZ>ia%i@F-WqeCW!XA|jsanrQF{lP#1~T4K{Tyi&6g z1>wabGbQcro9hq(MRxIa!c~Y@Ls{#s-H!`wv8adGBgO#mU3hXJsAfOl5g0>g=N;2T^)lc5!V!Yk8q(At^CZqXNNbJ%Nii8vJGHcML;*bHs)z6^kvos z45`Fzx%V~e(yoMq^ICN=j?lb8Iz-Z^EQ;g%8Th}c0GU$+GWSyLbPBv(8qOU!cH7p@ z?if`I0|+@7K&|k4LQ`zAYENdOH7BI17jjIhb5^g99aQ5!n6_|L@M`1%S;?95(VMNX zVF18FV7*u;pcdpD0OX00J6a-pT=R-msoH)TV51X#0mqA1Cz7x2I3O)n1t3M-Bdi|a zCN&g>F6B;OUIOH_a1~cPvJ9{gsYa;~faWqr7LY!iE!@jTuG{@6t1m0rozt2aV zFG-)#Y2~Xw?vX9HhD^L!A$E#s$WnL1G{|7cqJ0g)Qd=7UCf>U~TV_KZ=&k9YtXSZx zU#-p)-xpBXCE-ni4Fnb&;*AnOZpwPk8rB1HCKA)tyXiplvEBO>AUoP+_+^yvu4*P;T}8#BjURWXeQJLdXnyWVakyfppj+ zIlV9L^7@zIAqj?6DEs-@PSyVO%)%#Q0YeiO9S=+ygg{0^OYRMQN_p7kHITj#_zIe? zSZ&>@b???JpnhJWG)J(2a08K;TsZYg!qT=Vlh**v#ciS%qDA4-m}B`2Fqau99=F57V+GTM*yiU-#L?CT)do zu1;Rtv0suucq!M$O_nhbbco;!sRBf{NAr8X06NtpK%!uA5KQqd4l2czC3+9O9a#N6l0L<=ka!EVP0>58ApS-_r#6jANW47&P}3|3B$YD(uFR!d8e@y0N%y~xi971 z%Aj|0b`u1=XPL3J^Z29^(RYc%qlo78*YU+ZAmMVssK*h+fMe12+cjN;kAC&luuf%4NrW=|(%p?Qw9tSAQccL|itXb!!cc zHE$AZTK?)kynDmw19`X%5Mi?Ru+@gmOyw53Z=P|WNREvH;+oVJ__3`}(wNe6kJz%1 z&4u>NAyUXDr*R-xW@7XKv1JS72z;3+yoj&W4J5UqP&PmLxV+EL6e*DowkYkFvTvLI zxN+)aLO2sE9~gCA6;+t-0=526!nDeGrz&R@@J`haf@$dc3LO+I9*n zO(z?}ISG-5fl1W=CD?m9l63GL@ZiV4f9BBo4Co^&Hvk7l-n{M$AO^#pFfJNPy7dDR zNj^t2Fr@Bn*UFr_>dDLjQk#)619!X^l83=zs9Ga{ec-U7S~u9A=7FD*h8VN=aV3P8 zK^$CYAg|>vCl~rui}3;`ttrl}^nnap?OW(_?q&m4ntU47N;9>t{+KeG?=b+T7yuEB zX=pLq8>rdKGuP}Pg;yh4g;qku=;Z&+291UGFT{|7;+dKCaqi;$H zfanrJrx?l>fD)>vdiBrH6sl!DyAcVvEw%`cnd0W?jpZ+*(hGGvj?U?T3$-_r(|*RJ zfqvB=@RsUSe_6I|RLl0)5_pEyfI7*7jagiFKwasv_=9TuQ9}V4YlwS$>!$TJ-0T9u z^{}rnyu5uVnAF-DaW=oS12haQM@Nzt<2J9d^5nPKrFdY&Z~Q)V!Y1WqVzp2Tl!G#K zdEO{NjY?XLSlwxC>DjbEV6T--37klhz@K6R1AH7wH?+nDG<3`-$WDhrB=5%}V#6$G z*Zfz;)^ZileB`5k)nk3} zTfIvK8%edAFWPiz=q(vMwoqY@R&(!(JfOX+OcTM&_)EeYhZxna$3qt^t#8EY@?;Jjj5tj`qjE}H}Jr{v{-30Ri16(NhE&a=F&+p|2hxhM)+na5LmBY?V3%tNA;~g_5E~R_p03XgC z8Yw2u;XYG5?5OPa0fdx(ZiKiP9m7Z9k=i^nOh_+11+)qco%psE5ch3JoM(~(3F{2} z{KDUsqO1mP69EC*jJiDgz6lC{2!K{DZu@j=e+74-7syMe>hWo&H>Jm+*5YA5IKkAk z)?v_d29HmIJ;?$}Q{!I`8{)P-FySSSQ$6+nu=u~3Wy_trzpF#)O=Tp?Psb0;zWiN% zgkALL!Dy+xELV5MU)9ETgFs z_K(i_FBSIpVT&aId#O-*p@jq)9slgh|Ec)DnPuWh!OKt};+OuVS{b?4^7Qf`ifq2G z$mYdoNErBUZEw*7BN3po$lE86WnrzpVAlt5*2Ip3Vc*u3`4#(Mcn3u@Fmdm@_Sw{k z{%M{O4pf5z5&kF9QbKFLyG_+77}`S7nU0%KXhZ`4%oQkeq1k4tVEtqK%eb`laNF5&*7Fo75{g$)Y4rxmQ=)UZ$D&RRkxZ{hciHu`-<~Ytw9DP4D$TjTO^cg z2{bQpTZaokXJX$ypiwSCD&kmb5apT5kpn=oZUNZ=*4^C~Ts6Tqf1YOx^)h#*`Lk%@ zAKp4n-Omm>Yn#4I9;h`C3F-w$%xoZmDp3RQ88M(!_2F2X71g%+pWQu(4OrCJB6ng4G0 z`EtuML$XJ~!zTCPo(Hc(qdNDzyRc`vt;JZz>2A7TMLjjAC4UjkT2?yWvC`fW#heBH zFX!C*eQbeYcPMU%zr2|WoJ^h z37=AnST+$$4q)g@FRr4|Xb=Lk8zV`1hSKI%zWl(nggt2^P+%lu(IlKvi9L)Xz48(e zq0@&h!rjKy^OryEWYK;9{y&sFN8SvqV6N}#>blqMdy%g<$0Ls*^3^O~Hi9QL+&5IK z#1tZNVdguCdBOSM%sAM*J|tM+M7_HU@+o(bF5Cu+jSO4b-XuRf`Z@&cRr`(7IE&zqIXrM5U;I)-v13!J-bP_erc`^YS zZ?Hy-$W4cFSJvJ$fTMbKET6IYjELxrVieq-W18|HY5dM9s8O4NH$Ku(@0lU}iTRB; zrp>6z+V!klZuv}S2dl(NK+mc$Tx%{}>%2u%Nsd!)c~6@(>_HN3Zhdh~3)5xCwQ{4xj%B@dBIp&!4+>ztG4sS0dnd?N+o{64L_Qyy|CZZmGjv)A!D`LB%t<-<-Qi zEiS##`0!Sh(THi&c$C$1kLbPV)M4?GF_d*?YCgfNyTr&6*JeyQDMI%EQf(OO2q9{;gop%E&eM4D94QIq4Mk0IU%y)U?8e`A=j&E)? z#%+x%`~W^$oT~fKentd@@Rsfbz4i??EHs>wgo-D6%}hyBi!au(pcNOlcirzv{Somv z-_VwicZLJ*`@N2FGHN&Wtd_E9O)O_HrCwqAkRW+&30Wz4Cpb~(vRP4DVkDg#^g70M z_9F{A=}6HT?%eXKA}2O&!jGO+oht3(hCIMhwAuSIV+SN_uQVgeR?VeY*g*yWh%@eh zb_MdywWj((@oL={qtxObigQOzq2eEQ=*8`MZ?P>uQH)OS#HgDWI%+h~eLyb6KD4Xfr0}P4%BCcm>ysb8xJKj?Q9znwi**Y>P=0 zQM_q?2_#*xcQ^OjQ>AO)(1h!_wk7>j$PC+`N1bzuiRcR_P<-iJ=1pqx)6E4p(bVDx zqyb`pGm`uxsnqNjOcgLjYNlq?HNKnlCQ#^%eI4$zPxWioXj?)HW})iaf9h9H&LF}Q z-W}Ssp&B|@DSgGr$}H(ZyYZp}!5m1*pm=)b!$Ws{C@Zi&uXym^lx*29A$=>R*gh0wz%c6+B4+oV+A6O*t7n z^jb|lL>~M34C3!qtyItNQ{(ZyNN%y&JOl-$pG-dE6|)JQ13~(Qr1oF|2+erWki=K! z{P}4S0Cb^<^m9w5C25pvau9e8tfT?3QqmThdOWHDFlmn65zVETHnA#j z*)rouJQ3FonVA7iXI#H$%A~>9drKPO4cH~!1yAr{00xe8C>&5HJH_FR~jy^iX=wpfCxp zQ4g?Cqzq9RZ_l=r*z80k3!QMN!#zUhj^!u6k0)q715MlQ9v4SE!-y>^f|VkYiJ>Qp`txRq%pgm zumruFWs_x402U|<_PU<&>~kbO%jQ#p)Wk#l8D!Ib5MRc>c#sY~$TkCjj**Dnyv{uz ztuN1>9N^DLBTY#m@ipsT=cA#Qn{+gqUM)cZ63U!^Ez4G+B9rqNhvtz46+nL zaIOkUkL=OOn1Uq)YLoQq`T}Bb_|f>f+iJZ1!AW7kjAugQrsLpk3=qYRr2m0Rx!c;P z-C`eFZS#+Y-iT}6y4hMpp69|)E5BNc<{CKX{{UYT{h&LX_xLKzG4DE-^;WEPufP zd?eZZ`d9CEnN~y|pnHyh$Aq{~&p!}sng&l_B`0f{VlwY5bJ=&12B+Qc1>Ib|G5rIa z9Z$)nE<+Vf)w6O9B5h~pil#f({BfjiFMG>h?GzT%Yn9#C;^Jur{TG2g`7+EV@LELJ);In*yY>6@qcL zcnQtZ?%?<P$2^TjJ@bWEPuG)K}AJ!Fyq0;4!&|T1rdpRfrw8xEjJOr}U zDg44|E`2hGEx%H|@Z(E0-S)%;1INlN`;#CmP>gh}w3 zld_**b?Tmv0~ zw0X>zE^vO6JeoXVKrywakkORd$O7*l^Bh{MZ7?v`$HM{nAXjAs0FfW^1{brN<#feD zzP^%%P2{KPou4gTczYnU2qWDrcs?_}-++rmY1Hze(F4Zt-+sP2Kj2p0{a1!;zH`N6Hcq^aJDy?b) z*;|)`?+79BcBDz3`2aQQ^NHYTvAKzqzE3fHH>7_&yIT*D+k)>wdcvIq`$%py!NxTu z=;O0L5%hxXu(86gA4*#$?svR| zvDNAcZT=iTe~22jJU?bP+r7wxPMeaF9S{5#u^Z`%2;Kd7ETJb9KEs($*#AZ(KWqhQ zBdms3*?#Io87*Y=zHUbWFDL1 zAFQ=uLdYya;&8KIn@A0rFtODnSm%hsLr*G7Z1L9a77Bg42~e^DiF)Y0#EIBtw31K_ z8IS*{ug23IECCPgHKLpi*0OP;=w{8n{!$<%xaso*hP29|7^N~N3tC(l>035^F(DEIaT{KfCF#WL6|!+o^L5G%oo1dIDhOic$qCJwPtmZ#VW&! z(vtd$0%d}MFh8&D+bcWIBx=h{c9U)hru7A1lnQP1UDm78PY9DZx}pY`BUvRI4O$lJ zx3BzDnBq}y>jt1JY89TDOMgRMgR0($f)pK)FvRjm^p;|x=MW;+JM{Cq(hFu4ZedZDJk5mQ=|TF;3=^G zUegXT$Ea2*aOhgcMt{=M0UI}!12WY`XRXeq0cT>cqh_Y%@8OGA_tT9mmoYyWA6=II z*RD_EP~zX3{ckmPJ4u=UC12?=?19Y=uwxmpLu_Z!|A zr`!PJB`j<206^r$;g^ggjXeWx+l3xBcIK0k1Cs2nnE^MshQnTM_shjsF|PM_{geA` z>O&KgKc2hu^hZ zC8`zWoIT6(53b+B2Gtpbys)K8c&Ab851@T=e%C(ddD?$#>$z`j4p38Y<7Ng>Fzxq( zkeY&mEM4Z3udMwYD|4h$L0p#g_qZ%3&g=$DZwUx1tDNfv-b&Edj@9X@0ML@-?=5Me zwN0z2BZ}(m?H_rk_onL`_0cKg)#4b7fkgbnzn?yx$nfHGzGusi=(|K<_4CuB)r;0A+LkUXY$-E}x zCClkeX%}R5tN%s8HYIsQ5Hig+&E;F+3JmO({W2A*blKW`)Ue(BrTFMCcw?%QWF>M{ z3<3U3NzS#Cj3wt-_5*UKV{vQGV z-{4DufPV=B{@;P7{VUY){|K7)ufex}hZ#OdnfWcD=08qj07yDvJF!Ej4j}2Ar*<3% z34v5?y+qcCh4RAr`5}=7P`V*1c(vxwsNn-v2)^#6`7=-pQUKJb=;*VZAO%3{{C1Z4 z-2!m`mz45RGXSWm?*Bgf;{S?d4f0~hpXVub777X%(Eb^y1+%?L#ehLxSBPz*-*zg! zfYlBF!(-&A836y7Z~rTghpIQWb4*B30{Mp>wbF9b43Ph*_`gX>G5dd3vii215+eqkw)ZG-~#K8e(+4XDQG4=YXNA*hcS3=^vYw5 zH5wnD{>JoYL>Q=b8q18Cw173Yj3j6o7;qikuS0roPXH(8fy)bau>n^PT&e@j*>hw- z)|POFPQvc&XP{+%Q`v$2OVB0?g359Da?_I(?CWT7EQ|r33@HFw#L2*v1)52}>Hu2t zkp^7Cp?_)Raf~$@4^Mw@#qj5bHJ}W)i|qr(Iw0T@0E}fZ!2U`JFL3q1(!Ua*6##_R z^NcS4fv+e7l{?#if>$lkr!J+e{v2KYGrIf-yo7UTE&my9unhLqrLdz{q#!G8S(d=g zU%65+SN{0zUZ3Z}hgiQw0XsR<EXgV3qJHRtMMvH>c zq5!EVH~?G#0|Z$`MVs7%leHif(hp$?;I1d&y>I{2&h-cy2uR4w^WU+TJ|HXvtY(0V hmmM2l{(kv|4&bHO44$rjF6*2UngC#G9S8sb diff --git a/versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP1/README.md b/versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP1/README.md deleted file mode 100644 index 0fd4bb63..00000000 --- a/versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP1/README.md +++ /dev/null @@ -1,141 +0,0 @@ ---- -slug: /MEP-1-distributed-metal-control-plane -title: MEP-1 -sidebar_position: 1 ---- - -# Distributed Metal Control Plane - -This enhancement proposal was replaced by [MEP18](../MEP18/README.md). - -## Problem Statement - -We face the situation that we argue for running bare metal on-premises because this way the customers can control where and how their software and data are processed and stored. -On the other hand, we have currently decided that our metal-api control plane components run on a kubernetes cluster (in our case on a cluster provided by one of the available hyperscalers). - -Running the control plane on Kubernetes has the following benefits: - -- Ease of deployment -- Get most, if not all, of the required infrastructure services like (probably incomplete): - - IPs - - DNS - - L7-Loadbalancing - - Storage - - S3 Backup - - High Availability - -Using a kubernetes as a service offering from one of the hyperscalers, enables us to focus on using kubernetes instead of maintaining it as well. - -## Goal - -It would be much saner if metal-stack has no, or only minimal dependencies to external services. Imagine a metal-stack deployment in a plant, it would be optimal if we only have to deliver a single rack with servers and networking gear installed and wired, plug that rack to the power supply and a internet uplink and its ready to go. - -Have a second plant which you want to be part of all your plants? Just tell both that they are part of something bigger and metal-api knows of two partitions. - -## Possible Solutions - -We can think of two different solutions to this vision: - -1. Keep the central control plane approach and require some sort of kubernetes deployment accessible from the internet. This has the downside that the user must, provide a managed kubernetes deployment in his own datacenter or uses a hyperscaler. Still not optimal. -1. Install the metal-api and all its dependencies in every partition, replicate or shard the databases to every connected partition, make them know each other. Connect the partitions over the internet with some sort of vpn to make the services visible to each other. - -As we can see, the first approach does not really address the problem, therefore i will describe solution #2 in more details. - -## Central/Current setup - -### Stateful services - -Every distributed system suffer from handling state in a scalable, fast and correct way. To start how to cope with the state, we first must identify which state can be seen as partition local only and which state must be synchronous for read, and synchronous for writes across partitions. - -Affected states: - -- masterdata: e.g. tenant and project must be present in every partition, but these are entities which are read often but updates are rare. A write can therefore be visible with a decent delay in a distinct partition with no consequences. -- ipam: the prefixes and ip´s allocated from machines. These entities are also read often and rare updates. But we must differentiate between dirty reads for different types. A machine network is partition local, ips acquired from such a network must by synchronous in the same partition. Ips acquired from global networks such as internet must by synchronous for all partitions, as otherwise a internet ip could be acquired twice. -- vrf ids: they must only be unique in one partition -- image and size configurations: read often, written seldom, so no high requirements on the storage of these entities. -- images: os images are already replicated from a central s3 storage to a per partition s3 service. metal-hammer kernel and initrd are small and pull always from the central s3, can be done similar to os images. -- machine and machine allocation: must be only synchronous in the partition -- switch: must be only synchronous in the partition -- nsq messages: do not need to cross partition boundaries. No need to keep the messages persistent, even the opposite is true, we don't want to have the messages persist for a longer period. - -Now we can see that the most critical state to held and synchronize are the IPAM data, because these entities must be guaranteed to be synchronously updated, while being updated frequently. - -Datastores: - -We use three different types of datastores to persist the states of the metal application. - -- rethinkdb is the main datastore for almost all entities managed by metal-api -- postgresql is used for masterdata and ipam data. -- nsq uses disk and memory tho store the messages. - -### Stateless services - -These are the easy part, all of our services which are stateless can be scaled up and down without any impact on functionality. Even the stateful services like masterdata and metal-api rely fully on the underlying datastore and can therefore also be scaled up and down to meet scalability requirements. - -Albeit, most of these services need to be placed behind a loadbalancer which does the L4/L7 balancing across the started/available replicas of the service for the clients talking to it. This is actually provided by kubernetes with either service type loadbalancer or type clusterip. - -One exception is the `metal-console` service which must have the partition in it´s dns name now, because there is no direct network connectivity between the management networks of the partitions. See "Network Setup) - -## Distributed setup - -### State - -In order to replicate certain data which must be available across all partitions we can use on of the existing open source databases which enable such kind of setup. There are a few available out there, the following incomplete list will highlight the pro´s and cons of each. - -- RethinkDB - - We already store most of our data in RethinkDB and it gives already the ability to synchronize the data in a distributed manner with different guarantees for consistency and latency. This is described here: [Scaling, Sharding and replication](https://rethinkdb.com/docs/sharding-and-replication/). But because rethinkdb has a rough history and unsure future with the last release took more than a year, we in the team already thought that we eventually must move away from rethinkdb in the future. - -- Postgresql - - Postgres does not have a multi datacenter with replication in both directions, it just can make the remote instance store the same data. - -- CockroachDB - - Is a Postgresql compatible database engine on the wire. CockroachDB gives you both, ACID and geo replication with writes allowed from all connected members. It is even possible to configure [Follow the Workload](https://www.cockroachlabs.com/docs/stable/topology-follow-the-workload) and [Geo Partitioning and Replication](https://www.cockroachlabs.com/docs/v19.2/topology-geo-partitioned-replicas). - -If we migrate all metal-api entities to be stored the same way we store masterdata, we could use cockroachdb to store all metal entities in one ore more databases spread across all partitions and still ensure consistency and high availability. - -A simple setup how this would look like is shown here. - -![Simple CockroachDB setup](Distributed.png) - -go-ipam was modified in a example PR here: [PR 17](https://github.com/metal-stack/go-ipam/pull/17) - -### API Access - -In order to make the metal-api accessible for api users like `cloud-api` or `metalctl` as easy at it is today, some effort has to be taken. One possible approach would be to use a external loadbalancer which spread the requests evenly to all metal-api endpoints in all partitions. Because all data are accessible from all partitions, a api request going to partition A with a request to create a machine in partition B, will still work. If on the other hand partition B is not in a connected state because the interconnection between both partitions is broken, then of course the request will fail. - -**IMPORTANT** -The NSQ Message to inform `metal-core` must end in the correct partition - -To provide such a external loadbalancer we have several opportunities: - -- Cloudflare or comparable CDN service. -- BGP Anycast from every partition - -Another setup would place a small gateway behind the metal-api address, which forwards to the metal-api in the partition where the request must be executed. This gateway, `metal-api-router` must inspect the payload, extract the desired partition, and forward the request without any modifications to the metal-api endpoint in this partition. This can be done for all requests, or if we want to optimize, only for write accesses. - -## Network setup - -In order to have the impact to the overall security concept as minimal as possible i would not modify the current network setup. The only modifications which has to be made are: - -- Allow https ingress traffic to all metal-api instances. -- Allow ssh ingress traffic to all metal-console instances. -- Allow CockroachDB Replication between all partitions. -- No NSQ traffic from outside required anymore, except we cant solve the topic above. - -A simple setup how this would look like is shown here, this does not work though because of the forementioned NSQ issue. - -![API and Console Access](Distributed-API.png) - -Therefore we need the `metal-api-router`: - -![Working API and Console Access](Distributed-API-Working.png) - -## Deployment - -The deployment of our components will substantially differ in a partition compared to a the deployment we have actually. Deploying it in kubernetes in the partition would be very difficult to achieve because we have no sane way to deploy kubernetes on physical machines without a underlying API. -I would therefore suggest to deploy our components in the same way we do that for the services running on the management server. Use systemd to start docker containers. - -![Deployment](Distributed-Deployment.png) diff --git a/versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP10/README.md b/versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP10/README.md deleted file mode 100644 index 6811cdc0..00000000 --- a/versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP10/README.md +++ /dev/null @@ -1,197 +0,0 @@ ---- -slug: /MEP-10-sonic-support -title: MEP-10 -sidebar_position: 10 ---- - -# SONiC Support - -As writing this proposal, metal-stack only supports Cumulus on Broadcom ASICs. Unfortunately, after the acquisition of -Cumulus Networks by Nvidia, Broadcom decided to cut its relationship with Cumulus, and therefore Cumulus 4.2 is the last -version that supports Broadcom ASICs. Since trashing the existing hardware is not a solution, adding support for a -different network operating system is necessary. - -One of the remaining big players is [SONiC](https://sonic-net.github.io/SONiC/), which Microsoft created to scale the -network of Azure. It's an open-source project and is now part of the [Linux Foundation](https://www.linuxfoundation.org/press/press-release/software-for-open-networking-in-the-cloud-sonic-moves-to-the-linux-foundation). - -For a general introduction to SONiC, please follow the [Architecture](https://github.com/sonic-net/SONiC/wiki/Architecture) official -documentation. - -## ConfigDB - -On a cold start, the content of `/etc/sonic/config_db.json` will be loaded into the Redis database `CONFIG_DB`, and both -contain the switch's configuration except the BGP unnumbered configuration, which still has to be configured directly by -the frr configuration files. The SONiC community is working to remove this exception, but no release date is known. - -## BGP Configuration - -Frr runs inside a container, and a shell script configured it on the container startup. For BGP unnumbered, we must set -the configuration variable `docker_routing_config_mode` to `split` to prevent SONiC from overwriting our configuration -files created by `metal-core`. But by using the split mode, the integrated configuration mode of frr is deactivated, and -we have to write our BGP configuration to the daemon-specific files `bgp.conf`, `staticd.conf`, and `zebra.conf` instead -to `frr.conf`. - -```bash -elif [ "$CONFIG_TYPE" == "split" ]; then - echo "no service integrated-vtysh-config" > /etc/frr/vtysh.conf - rm -f /etc/frr/frr.conf -``` - -Reference: [docker-init](https://github.com/sonic-net/sonic-buildimage/blob/202205/dockers/docker-fpm-frr/docker_init.sh#L69) - -Adding support for the integrated configuration mode, we must at least adjust the startup shell script and the supervisor configuration: - -```bash -{% if DEVICE_METADATA.localhost.docker_routing_config_mode is defined and DEVICE_METADATA.localhost.docker_routing_config_mode == "unified" %} -[program:vtysh_b] -command=/usr/bin/vtysh -b -``` - -Reference: [supervisord.conf](https://github.com/sonic-net/sonic-buildimage/blob/202205/dockers/docker-fpm-frr/frr/supervisord/supervisord.conf.j2#L157) - -## Non-BGP Configuration - -For the Non-BGP configuration we have to write it into the Redis database directly or via one of the following interfaces: - -- `config replace ` -- the Mgmt Framework -- the SONiC restapi - -Directly writing into the Redis database isn't a stable interface, and we must determine the create, delete, and update -operations on our own. The last point is also valid for the Mgmt Framework and the SONiC restapi. Furthermore, the -Mgmt Framework doesn't start anymore for several months, and a [potential fix](https://github.com/sonic-net/sonic-buildimage/pull/10893) -is still not merged. And the SONiC restapi isn't enabled by default, and we must build and maintain our own SONiC images. - -Using `config replace` would reduce the complexity in the `metal-core` codebase because we don't have to determine the -actual changes between the running and the desired configuration. The approach's drawbacks are using a version of SONiC -that contains the PR [Yang support for VXLAN](https://github.com/sonic-net/sonic-buildimage/pull/7294), and we must provide -the whole new startup configuration to prevent unwanted deconfiguration. - -### Configure Loopback interface and activate VXLAN - -```json -{ - "LOOPBACK_INTERFACE": { - "Loopback0": {}, - "Loopback0|": {} - }, - "VXLAN_TUNNEL": { - "vtep": { - "src_ip": "" - } - } -} -``` - -#### Configure MTU - -```json -{ - "PORT": { - "Ethernet0": { - "mtu": "9000" - } - } -} -``` - -#### Configure PXE Vlan - -```json -{ - "VLAN": { - "Vlan4000": { - "vlanid": "4000" - } - }, - "VLAN_INTERFACE": { - "Vlan4000": {}, - "Vlan4000|": {} - }, - "VLAN_MEMBER": { - "Vlan4000|": { - "tagging_mode": "untagged" - } - }, - "VXLAN_TUNNEL_MAP": { - "vtep|map_104000_Vlan4000": { - "vlan": "Vlan4000", - "vni": "104000" - } - } -} -``` - -#### Configure VRF - -```json -{ - "INTERFACE": { - "Ethernet0": { - "vrf_name": "vrf104001" - } - }, - "VLAN": { - "Vlan4001": { - "vlanid": "4001" - } - }, - "VLAN_INTERFACE": { - "Vlan4001": { - "vrf_name": "vrf104001" - } - }, - "VRF": { - "vrf104001": { - "vni": "104001" - } - }, - "VXLAN_TUNNEL_MAP": { - "vtep|map_104001_Vlan4001": { - "vlan": "Vlan4001", - "vni": "104001" - } - } -} -``` - -## DHCP Relay - -The DHCP relay container only starts if `DEVICE_METADATA.localhost.type` is equal to `ToRRouter`. - -## LLDP - -SONiC always uses the local port subtype for LLDP and sets it to some freely configurable alias field of the interface. - -```python -# Get the port alias. If None or empty string, use port name instead -port_alias = port_table_dict.get("alias") -if not port_alias: - self.log_info("Unable to retrieve port alias for port '{}'. Using port name instead.".format(port_name)) - port_alias = port_name - -lldpcli_cmd = "lldpcli configure ports {0} lldp portidsubtype local {1}".format(port_name, port_alias) -``` - -Reference: [lldpmgr](https://github.com/sonic-net/sonic-buildimage/blob/202205/dockers/docker-lldp/lldpmgrd#L153) - -## Mgmt Interface - -The mgmt interface is `eth0`. To configure a static IP address and activate the Mgmt VRF, use: - -```json -{ - "MGMT_INTERFACE": { - "eth0|": { - "gwaddr": "" - } - }, - "MGMT_VRF_CONFIG": { - "vrf_global": { - "mgmtVrfEnabled": "true" - } - } -} -``` - -[IP forwarding is deactivated on `eth0`](https://github.com/sonic-net/sonic-buildimage/blob/202205/files/image_config/sysctl/sysctl-net.conf#L7), and no IP Masquerade is configured. diff --git a/versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP11/README.md b/versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP11/README.md deleted file mode 100644 index 87f48a10..00000000 --- a/versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP11/README.md +++ /dev/null @@ -1,78 +0,0 @@ ---- -slug: /MEP-11-auditing-of-metal-stack-resources -title: MEP-11 -sidebar_position: 11 ---- - -# Auditing of metal-stack resources - -Currently no logs of the ownership of resources like machines, networks, ips and volumes are generated or kept. Though due to legal requirements data centers are required to keep track of this ownership over time to prevent liability issues when opening the platform for external users. - -In this proposal we want to introduce a flexible and low-maintenance approach for auditing on top of [Meilisearch](https://www.meilisearch.com/). - -## Overview - -In general our auditing logs will be collected by a request interceptor or middleware. Every request and response will be processed and eventually logged to Meilisearch. -Meilisearch will be configured to regularly create chunks of the auditing logs. These finished chunks will be backed up to a S3 compatible storage with a read-only option enabled. - -Of course sensitive data like session keys or passwords will be redacted before logging. We want to track relevant requests and responses. If auditing the request fails, the request itself will be aborted and will not be processed further. The requests and responses that will be audited will be annotated with a correlation id. - -Transferring the meilisearch auditing data chunks to the S3 compatible storage will be done by a sidecar cronjob that is executed periodically. -To avoid data manipulation the S3 compatible storage will be configured to be read-only. - -## Whitelisting - -To reduce the amount of unnecessary logs we want to introduce a whitelist of resources and operations on those that should be logged. -Other requests will be passed directly to the next middleware or web service without any further processing. - -As we are only interested in mutating endpoints, we ignore all `GET` requests. -The whitelist includes all `POST`, `PUT`, `PATCH` and `DELETE` endpoints of the HTTP middleware except for the following (non-manipulating) route suffixes: - -- `/find` -- `/notify` -- `/try` and `/match` -- `/capacity` -- `/from-hardware` - -Regarding GRPC audit trails, they are not so interesting because only internal clients are using this API. However, we can log the trails of the `Boot` service, which can be interesting to revise the machine lifecycle. - -## Chunking in Meilisearch - -We want our data to be chunked in Meilisearch. To accomplish this, we rotate the index identifier on a scheduled basis. The index identifiers will be derived from the current date and time. - -To keep things simple, we only support hourly, daily and monthly rotation. The eventually prefixed index names will only include relevant parts of date and time like `2021-01`, `2021-01-01` or `2021-01-01_13`. - -The metal-api will only write to the current index and switches to the new index on rotation. The metal-api will never read or update data in any indices. - -## Moving chunks to S3 compatible storage - -As Meilisearch will be filled with data over time, we want to move completed chunks to a S3 compatible storage. This will be done by a sidecar cronjob that is executed periodically. Note that the periods of the index rotation and the cronjob execution don't have to match. - -When the backup process gets started, it initiates a [Meilisearch dump](https://www.meilisearch.com/docs/learn/advanced/dumps) of the whole database across all indices. Once the returned task is finished, the dump must be copied from a Meilisearch volume to the S3 compatible storage. After a successful copy, the dump can be deleted. - -Now we want to remove all indices from Meilisearch, except the most recent one. For this, we [get all indices](https://www.meilisearch.com/docs/reference/api/indexes#list-all-indexes), sort them and [delete each index](https://www.meilisearch.com/docs/reference/api/indexes#delete-an-index) except the most recent one to avoid data loss. - -For the actual implementation, we can build upon [backup-restore-sidecar](https://github.com/metal-stack/backup-restore-sidecar). But due to the index rotation and the fact, that older indices need to be deleted, this probably does not fit into the mentioned sidecar. - -## S3 compatible storage - -The dumps of chunks should automatically deleted after a certain amount of time, once we are either no longer allowed or required to keep them. -The default retention time will be 6 months. Ideally already uploaded chunks should be read-only to prevent data manipulation. - -A candidate for the S3 compatible storage is Google Cloud Storage, which allows to configure automatic expiration of objects through a [lifecycle rule](https://cloud.google.com/storage/docs/managing-lifecycles?hl=en#storage-set-lifecycle-config-go). - -## Affected components - -- metal-api grpc server needs an auditing interceptor -- metal-api web server needs an auditing filter chain / middleware -- metal-api needs new command line arguments to configure the auditing -- mini-lab needs a Meilisearch instance -- mini-lab may need a local S3 compatible storage -- we need a sidecar to implement the backup to S3 compatible storage -- Consider auditing of volume allocations and freeings outside of metal-stack - -## Alternatives considered - -Instead of using Meilisearch we investigated using an immutable database like [immudb](https://immudb.io/). But immudb does not support chunking of data and due to its immutable nature, we will never be able to free up space of expired data. Even if we are legally allowed or required to delete data, we will not be able to do so with immudb. - -In another variant of the Meilisearch approach the metal-api would also be responsible for copying chunks to the S3 compatible storage and deleting old indices. But separating the concerns allows completely different implementations for every deployment stage. diff --git a/versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP12/README.md b/versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP12/README.md deleted file mode 100644 index 65532c57..00000000 --- a/versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP12/README.md +++ /dev/null @@ -1,34 +0,0 @@ ---- -slug: /MEP-12-rack-spreading -title: MEP-12 -sidebar_position: 12 ---- - -# Rack Spreading - -Currently, when creating a machine through the metal-api, the machine is placed randomly inside a partition. This algorithm does not consider spreading machines across different racks and different chassis. This may lead to the situation that a group of machines (that for example form a cluster) can end up being placed in the same rack and the same chassis. - -Spreading a group of machines across racks can enhance availability for scenarios like a rack losing power or a chassis meltdown. - -So, instead of just randomly deciding the placement of a machine candidate, we want to propose a placement strategy that attempts to spread machine candidates across the racks inside a partition. - -Furthermore a followup improvement to guarantee that machines are really spread across multiple racks, even if multiple machines are ordered in parallel, was implemented with [PR490](https://github.com/metal-stack/metal-api/pull/490). - -## Placement Strategy - -Machines in the project are spread across all available racks evenly within a partition (best effort). For this, an additional request to the datastore has to be made in order to find allocated machines within the project in the partition. - -The algorithm will then figure out the least occupied racks and elect a machine candidate randomly from those racks. - -The user can optionally pass placement tags which will be considered for spreading the machines as well (this will for example allow spreading by a cluster id tag inside the same project). - -## API - -```golang -// service/v1/machine.go - -type MachineAllocation struct { - // existing fields are omitted for readability - PlacementTags []string `json:"placement_tags" description:"by default machines are spread across the racks inside a partition for every project. if placement tags are provided, the machine candidate has an additional anti-affinity to other machines having the same tags"` -} -``` diff --git a/versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP13/README.md b/versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP13/README.md deleted file mode 100644 index 2dde20f5..00000000 --- a/versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP13/README.md +++ /dev/null @@ -1,111 +0,0 @@ ---- -slug: /MEP-13-dual-stack-support -title: MEP-13 -sidebar_position: 13 ---- - -# Dual-stack Support - -dual-stack support is required to be able to create Kubernetes clusters with either IPv6 single-stack or dual-stack enabled. -With the inherent scarcity of IPv4 addresses, the need to be able to use IPv6 has increased. - -Full IPv6 dual-stack support was added to Kubernetes with v1.23 as stable. - -Gardeners have had full IPv6 dual-stack support since `v1.109`. - -metal-stack manages CIDRs and IP addresses with the [go-ipam](https://github.com/metal-stack/go-ipam) library, which already got full IPv6 support in 2021 (see [https://metal-stack.io/blog/2021/02/ipv6-part1](https://metal-stack.io/blog/2021/02/ipv6-part1)). -But this was only the foundation, more work needs to be done to get full IPv6 support for all aspects managed by metal-stack.io. - -## General Decisions - -For the general decision we do not look at the isolated clusters feature for now as this would make the solution even more complex and we want to introduce IPv6 in smaller steps to the users. - -### Networks - -Currently, metal-stack organizes CIDRs / prefixes into a `network' resource in the metal-api. A network can consist of multiple CIDRs from the same address family. For example, if an operator wants to provide Internet connectivity to provisioned machines, they can start with small network CIDRs. The number of managed network prefixes can then be expanded as needed over time. - -With dual-stack we have to choose between two options: Network per address family or networks with both address families. These options are described in the next section. - -#### Network per Address Family - -This means that we allow networks with CIDRs from one address family only, one for IPv4 and one for IPv6. - -The machine creation process will not change if the machine only needs to be either IPv4 or IPv6 addressable. -But if on the other side, the machine need to be able to connect to both address families, the machine creation needs to specify two networks, one for IPv4 and one for IPv6. -Also there will be 2 distinct VRF IDs for every network with a different address family. - -#### Network with both Address Families - -Make a network dual address family capable, meaning that you can add multiple cidrs from both address families to a network. -Then the machine creation will remain the same for single-stack and dual-stack cases, but the ip address allocation will need to specify the address family from which to allocate an ip address when the network is dual-stack. -This does not break the existing API, but allows existing extensions to easily add dual-stack support. -To avoid additional checking of which address families are available on this network during an ip allocation call, we could store the address families in the network. - -#### Decision - -The decision was made to go with the having both address families in a single network entity because we think this is the most flexible way to support dual-stack machines and Kubernetes clusters as well as single-stack with the least amount of modifications on the networking side. - -### Examples - -To illustrate the the usage we start by creating a tenant super network which has both address families: - -```yaml ---- -id: tenant-super-network-mini-lab -name: Project Super Network -description: Super network of all project networks -partitionid: mini-lab -prefixes: - - 10.0.0.0/16 - - 2001:db8:0:10::/64 -defaultchildprefixlength: - IPv4: 22 - IPv6: 96 -privatesuper: true -``` - -In order to create this network, we simple call: - -```bash -metalctl network create -f tenant-super.yaml -``` - -This is usually done during the initial setup of the environment. - -Next step is to allocate a tenant network where the machines of a project can be placed: - -```bash -metalctl network allocate --partition mini-lab --project 4b9b17c4-2d7c-4190-ae95-dda44e430fa6 --name my-node-network -``` - -This leads to the following network allocation: - -```yaml -id: 2d2c0350-3f66-4597-ae97-ef6797232212 -name: my-node-network -parentnetworkid: tenant-super-network-mini-lab -partitionid: mini-lab -prefixes: - - 10.0.0.0/22 - - 2001:db8:0:10::/96 -projectid: 4b9b17c4-2d7c-4190-ae95-dda44e430fa6 -vrf: 20 -consumption: - ipv4: - available_ips: 1024 - available_prefixes: 256 - used_ips: 2 - used_prefixes: 0 - ipv6: - available_ips: 2147483647 - available_prefixes: 1073741824 - used_ips: 1 - used_prefixes: 0 -privatesuper: false -``` - -Users can the create IP addresses from these child networks. By default, they retrieve an IPv4 address except a super network only consists of IPv6 prefixes. In the latter case the users acquire an IPv6 address. - -```bash -metalctl network ip create --network 2d2c0350-3f66-4597-ae97-ef6797232212 --project 4b9b17c4-2d7c-4190-ae95-dda44e430fa6 -``` diff --git a/versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP14/README.md b/versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP14/README.md deleted file mode 100644 index 47c06434..00000000 --- a/versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP14/README.md +++ /dev/null @@ -1,36 +0,0 @@ ---- -slug: /MEP-14-independence-from-external-sources -title: MEP-14 -sidebar_position: 14 ---- - -# Independence from external sources - -In certain situations some customers may need to operate and create machines without making use of external services like DNS or NTP through the internet. To make this possible, all metal-stack components reaching external services need to be configurable with custom endpoints. - -So far, the following components have been identified as requiring changes: - -- pixiecore -- metal-hammer -- metal-images - -More components are likely to be added to the list during processing. -For DNS and NTP servers it should be possible to provide default values within a partition. They can either be inherited from machines and firewalls or overwritten with own ones. - -## pixiecore - -A NTP server endpoint need to be configured on the pixiecore. This can be achieved by providing it through environment variables on start up. - -## metal-hammer - -If using a self-deployed NTP server, also the metal-hammer need to be configured with it. For backward compatibility, default values from `pool.ntp.org` and `time.google.com` are used. - -## metal-images - -Configurations for the `metal-images` are different for machines and firewalls. - -## metalctl - -In order to pass DNS and NTP servers to partitions and machines while creating them, the flags `dnsservers` and `ntpservers` need to be added. - -The implementation of this MEP will make metal-stack possible to create and maintain machines without requiring an internet connection. diff --git a/versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP16/README.md b/versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP16/README.md deleted file mode 100644 index dbfa59d6..00000000 --- a/versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP16/README.md +++ /dev/null @@ -1,332 +0,0 @@ ---- -slug: /MEP-16-metal-api-as-an-alternative-configuration-source-for-the-firewall-controller -title: MEP-16 -sidebar_position: 16 ---- - -# metal-api as an Alternative Configuration Source for the firewall-controller - -In the current situation, a firewall as provisioned by metal-stack is a fully immutable entity. Any modifications on the firewall like changing the firewall ruleset must be done _somehow_ by the user – the metal-api and hence metal-stack is not aware of its current state. - -As part of our [integration with the Gardener project](https://docs.metal-stack.io/stable/overview/kubernetes/#Gardener) we offer a solution called the [firewall-controller](https://github.com/metal-stack/firewall-controller), which is part of our [firewall OS images](https://github.com/metal-stack/metal-images/blob/6318a624861b18a559a9d37299bca5f760eef524/firewall/Dockerfile#L57-L58) and addresses shortcomings of the firewall resource's immutability, which would otherwise be completely impractible to work with. The firewall-controller crashes infinitely if it is not properly configured through the userdata when using the firewall image of metal-stack. - -The firewall-controller approach is tightly coupled to Gardener and it requires the administrator of the Gardener installation to pass a shoot and a seed kubeconfig through machine userdata when creating the firewall. How this userdata has to look like is not documented and is just part of another project called the [firewall-controller-manager](https://github.com/metal-stack/firewall-controller-manager) (FCM), which task is to orchestrate rolling updates of firewall machines in a way that network traffic interruption is minimal when updating a firewall or applying a change to an immutable firewall configuration. - -In general, a firewall entity in metal-stack has similarities to the machine entity but it has a fundamental difference: A user gains ownership over a machine after provisioning. They can access it through SSH, modify it at will and this is completely wanted. For firewalls, however, we do not want a user to access the provisioned firewall as the firewall is a privileged part of the infrastructure with access to the underlay network. The underlay can not be tampered with at any given point in time by a user as it can destroy the entire network traffic flow inside a metal-stack partition. - -For this reason, we have a gap in the metal-stack project in terms of a missing solution for people who do not rely on the Gardener integration. We are basically leaving a user with the option to implement an orchestrated recreation of every possible change on the firewall to minimize traffic interruption for the machines sitting behind the firewall or re-implement the firewall-controller to how they want to use it for their use-case. - -Also we do not have a clear distinction in the API between user and metal-stack operator for firewalls. If a user would allocate a firewall it is also possible for the user to inject his own SSH keys and access the firewall and tamper with the underlay network. - -Parts of these problems are probably going to decrease with the work on [MEP-4](../MEP4/README.md) where there will be dedicated APIs for users and administrators of metal-stack including fine-grained access tokens. - -With this MEP we want to describe a way to improve this current situation and allow other users that do not rely on the Gardener integration – for whatever motivation they have – to adequately manage firewalls. For this, we propose an alternative configuration for the firewall-controller that is native to metal-stack and more independent of Gardener. - -## Proposal - -The central idea of this proposal is allowing the firewall-controller to use the metal-api as a configuration source. This should serve as an alternative strategy to the currently used FCM `Firewall` resource based approach in the Gardener use-case. -Updates of the firewall rules should be possible through the metal-api. - -The firewall-controller itself should now be able to decide which of the two main strategies should be used for the base configuration: a kubeconfig or the metal-api. This should be possible through a dedicated _firewall-controller-config_. - -Using this config will now allow operators to fine-tune the data sources for all of its dynamic configuration tasks independently. -For example the data source of the core firewall rules could be set either from the `Firewall` resource located in the Gardener `Seed` or the metal-apiserver node network entity, while the CWNPs should be fetched and applied from a given kubeconfig (the `Shoot` Kubeconfig in the Gardener case). -This configuration file is intended to be injected during firewall creation through the userdata along with potential source connection credentials. - -```yaml -# the name of the firewall, defaulted to the hostname -name: best-firewall-ever - -sources: - seed: - kubeconfig: /path/to/seed.yaml # current gardener behavior - namespace: shoot--proj--name - shoot: - kubeconfig: /path/to/shoot.yaml # current gardener behavior - namespace: firewall - metal: - url: https://metal-api - hmac: some-hmac - type: Metal-View - projectID: abc - static: - # static should mirror all information provided by the metal or seed/shoot sources - firewall: # optional - controllerURL: https://... - cwnp: - egress: [] - ingress: [] - -# all sub-controllers running on the firewall -# each can be configured independently -controllers: - # this is the base controller - firewall: - source: seed # or: metal, static - - # these are optional: when not provided, they are disabled - selfUpdate: - enabled: true - droptailer: - enabled: true - - # these are optional: when not provided, they are disabled - service: - source: shoot # or: metal, static - cwnp: - source: shoot # or: metal, static - monitor: - source: shoot # currently only shoot is supported -``` - -The existing behavior of the firewall-controller writing into `/etc/nftables/firewall-controller.v4` is not changed. The different controller configuration sources are internally treated in the same way as before. The `static` source can be used to prevent the firewall-controller from crashing and consistently providing a static ruleset. This might be interesting for metal-stack native use cases or environments where the metal-api cannot be accessed. - -There must be one central nftables-rule-file-controller that is notified and triggered by all other controllers that contribute to the nftables configuration. - -For example, in order to maintain the existing Gardener integration, the configuration file for the firewall-controller will look like this: - -```yaml -name: shoot--abc--cluster-firewall-def -sources: - seed: - kubeconfig: /etc/firewall-controller/seed.yaml - namespace: shoot--abc--cluster - shoot: - kubeconfig: /etc/firewall-controller/shoot.yaml - namespace: firewall - -controllers: - firewall: - source: seed - - selfUpdate: - enabled: true - droptailer: - enabled: true - - service: - source: shoot - cwnp: - source: shoot - monitor: - source: shoot -``` - -Plain metal-stack users might use a configuration like this: - -```yaml -name: best-firewall-ever - -sources: - metal: - url: https://metal-api - hmac: some-hmac - type: Metal-View - projectID: abc - -controllers: - firewall: - source: metal - selfUpdate: - enabled: true - droptailer: - enabled: true - - cwnp: - # firewall rules stored in firewall entity - # potential improvement would be to attach the rules to the node network entity - # be aware that the firewall and private networks are immutable - # eventually we introduce a firewall ruleset entity - source: metal -``` - -In highly restricted environments that cannot access metal-api the static source could be used: - -```yaml -name: most-restricted-firewall-ever - -sources: - static: - firewall: - controllerURL: https://... - cwnp: - egress: [] - ingress: [] - -controllers: - firewall: - source: static - - cwnp: - source: static -``` - -### Non-Goals - -- Resolving the missing differentiation between users and administrators by letting users pass userdata and SSH keys to the firewall creation. - - This is even more related to [MEP-4](../MEP4/README.md) than this MEP. - -### Advantages - -- Offers a native metal-stack solution that improves managing firewalls for users by adding dynamic reconfiguration through the metal-api - - e.g., in the mini-lab, users can now allocate a machine, then an IP address and announce this IP from the machine without having to re-create the firewall but by adding a firewall rule to the metal-api. -- Improve consistency throughout the API (firewall rules would reflect what is persisted in metal-api). -- Other providers like Cluster API can leverage this approach, too. -- It can contribute to solving the shoot migration issue (in Cluster API case the `clusterctl move` for firewall objects) - - For Gardener takes the seed out of the equation (of which the kubeconfig changes during shoot migration) - - However: Things like egress rules, rate limiting, etc. are currently not part of the firewall or network entity in the metal-api. These would need to be added to one of them. -- Potentially resolve the issue that end-users can manipulate accounting data of the firewall through the `FirewallMonitor` - - for this we would need to be able to report traffic data to metal-api - -### Caveats - -- Metal-View access is too broad for firewalls. Mitigated by [MEP-4](../MEP4/README.md). -- Polling of the firewall-controller is bad for performance. Mitigated by [MEP-4](../MEP4/README.md). - -### Firewall Controller Manager - -Currently the firewall-controller-manager expects the creators of a `FirewallDeployment` to use the defaulting webhook that is tailored to the Gardener integration in order to generate `Firewall.spec.userdata` or to override it manually. Currently `Firewall.spec.userdata` will never be set explicitly. - -Instead we'd like to propose `Firewall.spec.userdataContents` which will replace the old `userdata`-string by a typed data structure. The FCM will do the heavy lifting while the `FirewallDeployment` creator decides what should be configured. - -```yaml -kind: FirewallDeployment -spec: - template: - spec: - userdataContents: - - path: /etc/firewall-controller/config.yaml - content: | - --- - sources: - static: {} - controllers: - firewall: - source: static - - path: /etc/firewall-controller/seed.yaml - contentFrom: - firewallControllerKubeconfigSecret: - name: seed-kubeconfig - key: kubeconfig - - - path: /etc/firewall-controller/shoot.yaml - contentFrom: - secretRef: - name: shoot-kubeconfig - key: kubeconfig -``` - -### Gardener Extension Provider Metal Stack - -The GEPM should be migrated to the new `Firewall.spec.userdataContents` field. - -### Cluster API Provider Metal Stack - -![architectural overview](firewall-for-capms-overview.svg) - -In Cluster API there are essentially two main clusters: the management cluster and the workload cluster while the CAPMS takes in the role of the GEPM. -Typically a local bootstrap cluster is created in KinD which acts as the management cluster. It creates the workload cluster. Thereafter the ownership of the workload cluster is typically moved (using `clusterctl move`) to a different cluster which will then become the management cluster. -The new management cluster might actually be the workload cluster itself. - -In contrast to Gardener, Cluster API aims to be less opinionated and minimal. It is common practice to not install any non-required components or CRDs into the workload cluster by default. Therefore we cannot expect custom resources like `ClusterwideNetworkPolicy` or `FirewallMonitor` to be installed in the workload cluster but strongly recommend our users to do it. Therefore it's the responsibility of the operator to tell [cluster-api-provider-metal-stack](https://github.com/metal-stack/cluster-api-provider-metal-stack) the kubeconfig for the cluster where these CRDs are installed and defined in. - -A viable configuration for a `MetalStackCluster` that generates firewall rules based of `Service` type `LoadBalancer` and `ClusterwideNetworkPolicy` and expects them to be deployed in the workload cluster is shown below. The `FirewallMonitor` will be reported into the same cluster. - -```yaml -kind: MetalStackCluster -metadata: - name: ${CLUSTER_NAME} -spec: - firewallTemplate: - userdataContents: - - path: /etc/firewall-controller/config.yaml - contentFrom: - secretRef: - name: ${CLUSTER_NAME}-firewall-controller-config - key: controllerConfig - - - path: /etc/firewall-controller/workload.yaml - contentFrom: - # this is the kubeconfig generated by kubeadm - secretRef: - name: ${CLUSTER_NAME}-kubeconfig - key: value ---- -kind: Secret -metadata: - name: ${CLUSTER_NAME}-firewall-controller-config -stringData: - controllerConfig: | - --- - name: ${CLUSTER_NAME}-firewall - - sources: - metal: - url: ${METAL_API_URL} - hmac: ${METAL_API_HMAC} - type: ${METAL_API_HMAC_TYPE} - projectID: ${METAL_API_PROJECT_ID} - shoot: - kubeconfig: /etc/firewall-controller/workload.yaml - namespace: firewall - - controllers: - firewall: - source: metal - selfUpdate: - enabled: true - droptailer: - enabled: true - - service: - source: shoot - cwnp: - source: shoot - monitor: - source: shoot -``` - -Here the firewall-controller-config will be referenced by the `MetalStackCluster` as a `Secret`. Please note that the `Secret`s in `userdataContents` will not be fetched and will directly be passed to the `FirewallDeployment`. At first the reconciliation of it in the FCM will fail due to the missing Kubeconfig secret. After the `MetalStackCluster` has been marked as ready, CAPI will create this missing secret. Effectively the firewall and initial control plane node should be created at the same time. - -This approach allows maximum flexibility as intended by Cluster API and is still able to provide robust rolling updates of firewalls. - -An advanced use case of this flexibility would be a management cluster, that is in charge of multiple workload clusters. Where one workload cluster acts as a monitoring or tooling cluster, receives logs and the firewall monitor for the other workload clusters. The CWNPs could be defined here, all in a separate namespace. - -#### Cluster API Caveats - -When the cluster is pivoted and reconciles its own firewall, a malfunctioning firewall prevents the cluster from self-healing and requires manual intervention by creating a new firewall. This is an inherent problem of the cluster-api approach. It can be circumvented by using an extra cluster to manage workload clusters. - -In the current form of this approach firewalls and therefore the firewall egress and ingress rules are managed by the cluster operators that manage the cluster-api resources. -Hence it will not be possible to gain a fine-grained control over every cluster operator's choices from a central ruleset at the level of metal-stack firewalls. -In case this control surfaces as a requirement, it would need to be implemented in a firewall external to metal-stack. - -## Roadmap - -In general this proposal is not thought to be implemented in one batch. Instead an incremental approach is required. - -1. Enhance firewall-controller-manager - - - Add `FirewallDeployment.spec.template.spec.userdataContents` - -2. Enhance firewall-controller - - - Reduce coupling between controllers - - Introduce controller config - - Abstract module to write into distinct nftable rules for every controller - - Implement `sources.static`, but not `sources.metal` - - GEPM should set `FirewallDeployment.spec.template.spec.userdataContents` - -3. Allow Cluster API to use the FCM with static ruleset - - - Add `firewall.metal-stack.io/paused` annotation (managed by CAPMS during `clusterctl move`, theoretically useful for Gardener shoot migration as well to avoid shallow deletion). - - Reconcile multiple `FirewallDeployment` resources across multiple namespaces. For Gardener the old behavior of reconciling only one namespace should persist. - - Allow setting the `firewall.metal-stack.io/no-controller-connection` annotation through the `FirewallDeployment` (either through the template or inheritance). - - Add `MetalStackCluster.spec.firewallTemplate`. - - Make `MetalStackCluster.spec.nodeNetworkID` optional if `spec.firewallTemplate` given. - -4. Add `sources.metal` as configuration option. - - - Allow updates of firewall rules in the metal-apiserver. - - Depends on [MEP-4](../MEP4/README.md) metal-apiserver progress - -5. Potentially migrate the GEPM to use `sources.metal` diff --git a/versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP16/firewall-for-capms-overview.drawio b/versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP16/firewall-for-capms-overview.drawio deleted file mode 100644 index faea3e3d..00000000 --- a/versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP16/firewall-for-capms-overview.drawio +++ /dev/null @@ -1,4 +0,0 @@ - - - -
handles traffic
Firewall
Firewall Controller
node-exporter
nftables-exporter
droptailer-client
Workload Cluster
droptailer
Configures
Bootstrap or Management Cluster
reconcile
configures
reconcile
Cluster API Provider metal-stack
Metal Stack Cluster CRD
Firewall Deployment CRD
Firewall CRD
Firewall Set CRD
rec
reconcile
reconcile
Firewall Controller Manager
Metal Stack Machine CRD
manages
Admin
Kubeconfig FirewallMonitor
FirewallMonitor CRD
main metal-api
Firewall entity
kubeconfig CWNP
Clusterwide Network Policy CRD
base config
controllerConfig
user-defined
network rules
reports firewall
state
send firewall log lines
controllerConfig
controllerConfig
 \ No newline at end of file diff --git a/versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP16/firewall-for-capms-overview.svg b/versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP16/firewall-for-capms-overview.svg deleted file mode 100644 index 853f8175..00000000 --- a/versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP16/firewall-for-capms-overview.svg +++ /dev/null @@ -1 +0,0 @@ -
handles traffic
handles traffic
Firewall
Firewall
Firewall Controller
Firewall Controller
node-exporter
node-exporter
nftables-exporter
nftables-exporter
droptailer-client
droptailer-client
Workload Cluster
Workload Cluster
droptailer
droptailer
Configures
Configures
Bootstrap or Management Cluster
Bootstrap or Management Cluster
reconcile
reconcile
configures
configures
reconcile
reconcile
Cluster API Provider metal-stack
Cluster API Provider...
Metal Stack Cluster CRD
Metal Stack Cluster...
Firewall Deployment CRD
Firewall Deployment...
Firewall CRD
Firewall CRD
Firewall Set CRD
Firewall Set CRD
rec
rec
reconcile
reconcile
reconcile
reconcile
Firewall Controller Manager
Firewall Controller...
Metal Stack Machine CRD
Metal Stack Machine...
manages
manages
Admin
Admin
Kubeconfig FirewallMonitor
Kubeconfig FirewallMonitor
FirewallMonitor CRD
FirewallMonitor CRD
main metal-api
main metal-api
Firewall entity
Firewall entity
kubeconfig CWNP
kubeconfig CWNP
Clusterwide Network PolicyCRD
Clusterwide Network...
base config
base config
controllerConfig
controllerConfig
user-defined
network rules
user-defined...
reports firewall
state
reports firewall...
send firewall log lines
send firewall log lines
controllerConfig
controllerConfig
controllerConfig
controllerConfigText is not SVG - cannot display \ No newline at end of file diff --git a/versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP17/README.md b/versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP17/README.md deleted file mode 100644 index 35f48970..00000000 --- a/versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP17/README.md +++ /dev/null @@ -1,61 +0,0 @@ ---- -slug: /MEP-17-global-network-view -title: MEP-17 -sidebar_position: 17 ---- - -# Global Network View - -> [!IMPORTANT] -> This MEP assumes the implementation of the metal-apiserver as described by [MEP-4](../MEP4/README.md) which is currently work in progress. - -Having a complete view of the network topology is useful when working with deployments or troubleshooting connectivity issues. -Currently, the API doesn't know of any other switches than the leaf switches. -Information about all other switches and their connections must be gathered from Ansible inventories or by accessing the switches via SSH. -Documentation of each partition's network must be kept in-sync with all changes made to the deployment or cabling. -We would like to expand the API's knowledge of the network to the entire underlay including inter-switch connections as well as BGP statistics and health status. - -## Switch Types - -Registering a switch at the API is done by the metal-core. -Apart from that, it also reconciles port and FRR configuration to adapt to the machine provisioning cycle. -This reconfiguration is only necessary on the leaf switches. -To allow deploying the metal-core on other switches than leaves we need a way of telling it what type of switch it is running on so it can act accordingly. -On any non-leaf switches it will only register the switch and report statistic but not change any configuration. -Supported switch types are - -- `leaf` -- `spine` -- `exit` -- `mgmtleaf` -- `mgmtspine` - -## Network Topology - -All switches should periodically report their LLDP neighbors and port configuration. -This information can be used to quickly identify common network issues, like MTU mismatch or the like. -Ideally, there would be some graphical representation of the network topology containing only the most important information for a quick overview. -It should contain all switches and machines as nodes and all connections as edges of a graph. -Ports, VRFs, and maybe also IPs should be associated with a connection. - -Apart from the topology graph, there should be a way to display more detailed information about both ports of a connection, like - -- MTU -- speed -- IP -- UP/DOWN status -- VRF -- VLAN -- whether it participates in a BGP session - -## BGP Announcements - -The metal-core should collect all routes it knows about and send them to the API along with a timestamp. -Reported routes should be stored to a redis database along with the switch that reported them and the timestamp of the last time they were reported. -An expiration threshold should be defined and all expired routes should be cleaned up periodically. -Whenever new routes are reported they get merged into the existing ones by the strategy: - -- when new, just add -- when existing, update `last_announced` timestamp - -By querying the BGP announcements we can find out whether an allocated IP is still in use. diff --git a/versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP18/README.md b/versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP18/README.md deleted file mode 100644 index 9c02c0b7..00000000 --- a/versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP18/README.md +++ /dev/null @@ -1,147 +0,0 @@ ---- -slug: /MEP-18-autonomous-control-plane -title: MEP-18 -sidebar_position: 18 ---- - -# Autonomous Control Plane - -As described in the [deployment chapter](../../../docs/04-For%20Operators/03-deployment-guide.mdx), we strongly recommend Kubernetes as the target platform for running the metal-stack control plane. - -Kubernetes clusters for this purpose are readily available from hyperscalers, metalstack.cloud, or other cloud providers. Simply using a managed Kubernetes cluster greatly simplifies a metal-stack installation. However, sometimes it might be desirable to host the metal-stack control plane autonomously, without the help of another cloud provider. Reasons for this might include corporate policies that prohibit the use of external data center products, or network constraints. - -The Kubernetes cluster hosting the metal-stack control plane must provide at least the following features: - -- Load balancing (for exposing the APIs) -- Persistent storage (for the databases and key-value stores) -- Access to object storage for automated backups of the stateful sets -- Access to a DNS provider supported by one of the used DNS extensions -- Externally accessible DNS records for obtaining officially signed certificates through DNS challenges - -This metal-stack control plane cluster must also be highly available to prevent a complete loss of control over the managed resources in the data center. -Regular Kubernetes updates to apply security fixes and feature updates must be possible in an automated manner. The Day-2 operational overhead of running this cluster in your own datacenter must be reasonable. - -In this chapter, we propose a solution for setting up a metal-stack environment with an autonomous control plane that is independent of another cloud provider. - -## Use Your Own Dogfood - -The most obvious solution is to just deploy a Kubernetes cluster manually in your own data center by utilizing existing tooling for the deployment: - -- k3s -- kubeadm -- vmware and rancher -- talos -- kubespray -- ... (not a complete list) - -However, all these solutions add another layer of complexity that needs to be maintained and operated by people who also need to learn and understand metal-stack. In general, metal-stack in combination with [Gardener](https://gardener.cloud) contains all the necessary tools to provide KaaS, so it makes sense to reuse what is already in place without introducing new dependencies on other products and vendors. - -The only problem here is that Gardener is not yet able to create an initial cluster, which may change with the implementation of [GEP-28](https://github.com/gardener/gardener/blob/master/docs/proposals/28-autonomous-shoot-clusters.md). In the meantime, we suggest using [k3s](https://k3s.io/), which manages the initial metal-stack partition to host the control plane, since the maintenance overhead is acceptable and it is easy to deploy. - -## The Matryoshka Principle - -Instead of directly using the K3s cluster for the production control plane, we propose using it as a minimal control plane cluster which only purpose is to host the production control plane cluster. This layer of indirection brings some reasonable advantages: - -- In the event of an interruption or loss of this minimal control plane cluster, the production control plane remains unaffected, and end users can continue to manage their clusters as normal. -- A dedicated operations team can take care of the Day-2 maintenance of this installation, which can be handy because the tools like k3s are a little different from the rest of the setup (it is likely that more manual maintenance is required than for any other cluster). This would also be true if the initial cluster problem would be solved by the Gardener itself and not using k3s. -- Since the number of shoot clusters to host is static, the resource requirements are minimal and will not change significantly over time. There are no huge resource requirements in terms of cpu, memory and storage. As such, the lack of scalability is not such a big issue. - -So, our proposal is to chain two metal-stack control planes. The initial control plane cluster would use k3s and on this cluster we can spin up a cluster for the production control plane with the use of Gardener. - -The following figure shows how the high-level architecture of this setup looks like. A even more simplified illustration of this setup can be looked up in the appendix[^1]. - -![Autonomous Control Plane Architecture](./autonomous-control-plane-images/metal-stack-autonomous-control-plane-full.svg) - -The k3s nodes can either be bare metal machines or virtual machines. When using VMs a single k3s node might be a viable solution, too. These nodes are supposed to be setup manually / partly automated with an operating system like Debian. - -To name the cluster that hosts the initial metal-stack control plane and Gardener we use the term _initial cluster_. The initial cluster creates worker nodes to host the _target cluster_. - -## Initial Cluster - -The initial cluster is kept very small. The physical bare metal machines can be any machines and switches which are supported by metal-stack, but can be smaller in terms of cpu, memory and network speed because these machines must only be capable of running the target cluster for the metal-stack control plane. A typical single socket server with 8-16 cores and 64GB of RAM and two NVMe drives of 1TB would be a good starting point. - -In a typical k3s setup, a stateful set would lose the data once the k3s cluster was terminated and started again. But there is a possibility to define parts of the local storage of the server to be provided to the k3s cluster for the PVCs. With that, k3s could be terminated and started again, for example to update and reboot the host os, or update k3s itself and the data will persist. - -Example k3s configuration for persistent storage on the hosts os: - -```yaml -k3s: Cluster -apiVersion: k3s.x-k8s.io/v1alpha4 -name: needle-control-plane -nodes: - - role: control-plane - # add a mount from /path/to/my/files on the host to /files on the node - extraMounts: - - hostPath: /path/to/my/files - containerPath: /files -``` - -Into this cluster metal-stack and Gardener will be deployed. This deployment can be done by a Gitlab runner which is running on this machine. -The mini-lab will be used as a base for this deployment. The current development of [gardener-in-minilab](https://github.com/metal-stack/mini-lab/pull/202) must be extended to host all required extensions to make this a working metal-stack control plane which can manage the machines in the attached bare metal setup. - -In addition to the metal-stack and Gardener deployment, some additional required services are deployed (non-complete list): - -- PowerDNS to serve as a DNS Server for all DNS entries used in the initial and the target cluster, like `api.initial.metal-stack.local`, `gardener-api.initial.metal-stack.local` and the DNS entries for the api servers of the created kubernetes clusters. -- NTP -- Monitoring for the initial cluster and partition -- Optional: OIDC Server for authenticating against the metal-api -- Optional: Container Registry to host all metal-stack and gardener containers -- Optional: Let's Encrypt [boulder](https://github.com/letsencrypt/boulder) as a certificate authority -- ... - -Physical view, minimal setup for a initial cluster with a single physical node: - -![Small Initial Cluster](autonomous-control-plane-images/small-initial-cluster.svg) - -Physical View, bigger ha setup which is spread across two data centers: - -![HA Initial Cluster](autonomous-control-plane-images/ha-initial-cluster.svg) - -### Control Plane High Availability - -Running the initial control plane on a single physical server is not as available as it should be in such a use case. It should be possible to survive a loss of this server, because the server could be lost by many events, such as hardware failure, disk corruption or even failure of the datacenter location where this server is deployed. - -Setting up a second server with the same software components is an option, but the problem of data redundancy must be solved, because neither the gardener control plane, nor the metal-stack control plane can be instantiated twice. - -Given that we provide part of the local storage of the server as backing storage for the stateful sets in the k3s cluster, the data stored on the server itself must be replicated to another server and backed up on a regular basis. - -The replication of ETCD can be achieved through [clustered configuration](https://docs.k3s.io/datastore/ha-embedded) of k3s. Components of metal-stack and Gardener can run standalone and already utilize backup-restore mechanism that must be configured accordingly. For two or more bare metal machine used for the initial cluster, a loadbalancing mechanism for the ingress is required. kube-vip could be a possible solution. - -For monitoring a backend like a Victoria Metrics Cluster would allow spearding the monitoring data across the initial cluster nodes. These metrics should also be backed up in object storage. - -### Partition - -The partition which is managed by the initial cluster can be a simple and small hardware setup but yet capable enough to host the target cluster. It would even be a good practice to create separate target clusters on the initial cluster, e.g. one for the metal-stack control plane and one for the Gardener (maybe one more for monitoring). - -It can follow the metal-stack minimal setup which provides about 8-16 small servers connected to a 1G/s or 10G/s network dataplane. Central storage is optional as the persistence of the services running in these clusters is always backed up to a central object storage. Operations would be much easier if a central storage is provided. - -## Target Cluster - -The target cluster is the metal-stack environment which serves for end-user production use, the control plane is running in a shoot hosted in the initial cluster. The seed(s) and shoot(s) for end-users are created on the machines provided by the target cluster. -These machines can be of a different type in terms of size, but more importantly, these machines are connected to another network dataplane. Also the management infrastructure is separated from the initial cluster management network. - -## Failure Scenarios - -Everything could fail, everything will fail at some point. But this must kept in mind and nothing bad should happen if only one component at a time fails. -If more than one fails, the restoration to a working state must be easily possible and well documented. - -To ensure all possible breakages are documented, we suggest writing a list which summarizes all failure scenarios that might occur including the remediation. - -Here is an example of how a scenario documentation could look like: - -**Scenario**: Initial cluster is gone, all machines have died -**Impact**: Management of the initial cluster infrastructure not possible anymore, the target cluster continues to run but cannot be managed because the API servers are gone. end-users are not affected by this incident. -**Remediation**: The initial cluster nodes must be provisioned from scratch and re-deployed through the CI mechanism. The backups of the stateful sets are automatically restored during this process. - -## Implementation - -As part of this proposal, we provide the following tools and integrations in order to setup an autonomous control plane: - -- Deployment roles for the services like PowerDNS and NTP for the initial cluster -- Stretch goal: Deployment role to setup k3s in clustered configuration for the initial cluster and update it -- Extend the Gardener on mini-lab integration to allow shoot creation in the mini-lab -- Steady integration of the setup (maybe something like [k3d](https://github.com/k3d-io/k3d) in the mini-lab) - -## Appendix - -[^1]: ![metal-stack-chain](autonomous-control-plane-images/metal-stack-chain.svg) diff --git a/versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP18/autonomous-control-plane-images/ha-initial-cluster.drawio b/versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP18/autonomous-control-plane-images/ha-initial-cluster.drawio deleted file mode 100644 index eafcb514..00000000 --- a/versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP18/autonomous-control-plane-images/ha-initial-cluster.drawio +++ /dev/null @@ -1,535 +0,0 @@ - - - - - - - - - - - - - - - - - - - 1 - - - - - 2 - - - - - 3 - - - - - 4 - - - - - 5 - - - - - 6 - - - - - 7 - - - - - 8 - - - - - 9 - - - - - 10 - - - - - 11 - - - - - 12 - - - - - - - - - - - - - -
-
-
- internet-router-management -
-
-
- - - internet-router-management - - - - - - - - - - - - - -
-
-
- management-switch-and-server -
-
-
- - - management-switch-and-server - - - - - - - - - - - - - -
-
-
- spine01 -
-
-
- - - spine01 - - - - - - - - - - - - - -
-
-
- leaf01 -
-
-
- - - leaf01 - - - - - - - - - - - - - -
-
-
- leaf02 -
-
-
- - - leaf02 - - - - - - - - - - - - - - - - - -
-
-
- - mirocloud (initial cluster partition nodes) - -
-
-
- - - mirocloud (initial cluster... - - - - - - - - - - - - - - - - - -
-
-
- - Initial cluster node 01 - -
-
-
- - - Initial cluster node 01 - - - - - - - - - - - - - - - - - 1 - - - - - 2 - - - - - 3 - - - - - 4 - - - - - 5 - - - - - 6 - - - - - 7 - - - - - 8 - - - - - 9 - - - - - 10 - - - - - 11 - - - - - 12 - - - - - - - - - - - - - -
-
-
- internet-router-management -
-
-
- - - internet-router-management - - - - - - - - - - - - - -
-
-
- management-switch-and-server -
-
-
- - - management-switch-and-server - - - - - - - - - - - - - -
-
-
- spine02 -
-
-
- - - spine02 - - - - - - - - - - - - - -
-
-
- leaf03 -
-
-
- - - leaf03 - - - - - - - - - - - - - -
-
-
- leaf04 -
-
-
- - - leaf04 - - - - - - - - - - - - - - - - - -
-
-
- - Initial cluster node 02 - -
-
-
- - - Initial cluster node 02 - - - - - - - - - - - - - - - - - -
-
-
- - Initial cluster node 03 - -
-
-
- - - Initial cluster node 03 - - - - - - - - - - - - - - - - - -
-
-
- - mirocloud (initial cluster partition nodes) - -
-
-
- - - mirocloud (initial cluster... - - - - - - - - - - Text is not SVG - cannot display - - - - diff --git a/versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP18/autonomous-control-plane-images/ha-initial-cluster.svg b/versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP18/autonomous-control-plane-images/ha-initial-cluster.svg deleted file mode 100644 index 99261ada..00000000 --- a/versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP18/autonomous-control-plane-images/ha-initial-cluster.svg +++ /dev/null @@ -1 +0,0 @@ -123456789101112
internet-router-management
internet-router-management
management-switch-and-server
management-switch-and-server
spine01
spine01
leaf01
leaf01
leaf02
leaf02
mirocloud (initial cluster partition nodes)
mirocloud (initial cluster...
Initial cluster node 01
Initial cluster node 01123456789101112
internet-router-management
internet-router-management
management-switch-and-server
management-switch-and-server
spine02
spine02
leaf03
leaf03
leaf04
leaf04
Initial cluster node 02
Initial cluster node 02
Initial cluster node 03
Initial cluster node 03
mirocloud (initial cluster partition nodes)
mirocloud (initial cluster...Text is not SVG - cannot display \ No newline at end of file diff --git a/versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-autonomous-control-plane-full.drawio b/versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-autonomous-control-plane-full.drawio deleted file mode 100644 index aae8a12d..00000000 --- a/versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-autonomous-control-plane-full.drawio +++ /dev/null @@ -1,1133 +0,0 @@ - - - - - - - - - - - - - - - - - - - -
-
-
- Initial Cluster -
-
-
- - - Initial Cluster - - - - - - - - - - - - - - - - - - -
-
-
- metal-roles -
-
-
- - - metal-roles - - - - - - - - - - - -
-
-
- CI -
-
-
- - - CI - - - - - - - - - - - -
-
-
- K3s Standalone - - - (on Debian) - - -
-
-
- - - K3s Standalone (on Debian) - - - - - - - - - - - - - - - - - - - - - -
-
-
- Initial Partition -
-
-
- - - Initial Partition - - - - - - - - - - - - - - - - - -
-
-
- Target Cluster for metal-stack -
-
-
- - - Target Cluster for metal-stack - - - - - - - - - - - - - - - - - -
-
-
- Metal Control Plane -
-
-
- - - Metal Control Plane - - - - - - - - - - - - - - - -
-
-
- provisions -
-
-
- - - provisions - - - - - - - - - - - - - - - - - -
-
-
- Target Cluster for Gardener -
-
-
- - - Target Cluster for Gardener - - - - - - - - - - - - - - -
-
-
- Gardener Control Plane -
-
-
- - - Gardener Control Plane - - - - - - - - - - - - - - - - - - - - - -
-
-
- Monitoring -
-
-
- - - Monitoring - - - - - - - - - - - - - - - - - - - - -
-
-
- Target Partition -
-
-
- - - Target Partition - - - - - - - - - - - - - - -
-
-
- Gardener Seeds and End-User Shoots -
-
-
- - - Gardener Seeds and End-User Shoots - - - - - - - - - - - - - - - -
-
-
- provisions -
-
-
- - - provisions - - - - - - - - - - - - -
-
-
- metal-roles -
-
-
- - - metal-roles - - - - - - - - - - - -
-
-
- CI -
-
-
- - - CI - - - - - - - - - - - - -
-
-
- metal-roles -
-
-
- - - metal-roles - - - - - - - - - - - - - - -
-
-
- ETCD can be clustered or standalone, backed up by sidecar -
-
-
- - - ETCD can be clustere... - - - - - - - - - - - - - - -
-
-
- This data will get lost in case local PV gets deleted -
-
-
- - - This data will get l... - - - - - - - - - - - - - - -
-
-
- We can work with local PVs here, too. -
- backup-restore-sidecar for metal-stack databases, for big ones Postgres clustered. -
-
-
- - - We can work with local PVs he... - - - - - - - - - - - -
-
-
- ETCD will be deployed in HA configuration on local PVs. -
-
- csi-driver-lvm needs to implement auto deletion of orphaned PVs. -
-
- Seed metrics get lost, but they report to the monitoring in the Metal Control Plane Shoot. -
-
-
- - - ETCD will be deployed in HA c... - - - - - - - - - - - - - - -
-
-
- More sophisticated storage solutions can be in place. -
-
- (Lightbits, NetApp, ...) -
-
-
- - - More sophisticated storage so... - - - - - - - - - - - - - - -
-
-
- TODO: Evaluate how to persist these metrics. -
-
-
- - - TODO: Evaluate how to persist... - - - - - - - - - - - - - - -
-
-
- - 1 VM or -
- -
- - - 3 Bare Metal Machines - - -
-
-
-
- - - 1 VM or... - - - - - - - - - - - - - - - - - - -
-
-
- metal-stack -
-
-
- - - metal-stack - - - - - - - - - - - -
-
-
- metal-api -
-
-
- - - metal-api - - - - - - - - - - - -
-
-
- metal-db -
-
-
- - - metal-db - - - - - - - - - - - -
-
-
- ipam-db -
-
-
- - - ipam-db - - - - - - - - - - - -
-
-
- masterdata-db -
-
-
- - - masterdata-db - - - - - - - - - - - -
-
-
- headscale-db -
-
-
- - - headscale-db - - - - - - - - - - - -
-
-
- auditing-db -
-
-
- - - auditing-db - - - - - - - - - - - -
-
-
- nsqd -
-
-
- - - nsqd - - - - - - - - - - - - - - - -
-
-
- Gardener -
-
-
- - - Gardener - - - - - - - - - - - - - - -
-
-
- Virtual Garden -
-
-
- - - Virtual Garden - - - - - - - - - - - -
-
-
- Gardener Control Plane -
-
-
- - - Gardener Control Plane - - - - - - - - - - - -
-
-
- gardenlet -
-
-
- - - gardenlet - - - - - - - - - - - -
-
-
- Garden etcd -
-
-
- - - Garden etcd - - - - - - - - - - - -
-
-
- Prometheus -
-
-
- - - Prometheus - - - - - - - - - - - - - - - -
-
-
- Monitoring -
-
-
- - - Monitoring - - - - - - - - - - - - - - -
-
-
- - Gitlab - -
- - Runner - -
-
-
-
- - - Gitlab... - - - - - - - - - - - - - - -
-
-
- Services -
-
-
- - - Services - - - - - - - - - - - -
-
-
- PowerDNS -
-
-
- - - PowerDNS - - - - - - - - - - - -
-
-
- boulder -
-
-
- - - boulder - - - - - - - - - - - -
-
-
- NTP -
-
-
- - - NTP - - - - - - - - - - - -
-
-
- OIDC -
-
-
- - - OIDC - - - - - - - - - - - -
-
-
- ... -
-
-
- - - ... - - - - - - - - - - Text is not SVG - cannot display - - - - diff --git a/versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-autonomous-control-plane-full.svg b/versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-autonomous-control-plane-full.svg deleted file mode 100644 index e58e783b..00000000 --- a/versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-autonomous-control-plane-full.svg +++ /dev/null @@ -1 +0,0 @@ -
Initial Cluster
Initial Cluster
metal-roles
metal-roles
CI
CI
K3s Standalone(on Debian)
K3s Standalone (on Debian)
Initial Partition
Initial Partition
Target Cluster for metal-stack
Target Cluster for metal-stack
Metal Control Plane
Metal Control Plane
provisions
provisions
Target Cluster for Gardener
Target Cluster for Gardener
Gardener Control Plane
Gardener Control Plane
Monitoring
Monitoring
Target Partition
Target Partition
Gardener Seeds and End-User Shoots
Gardener Seeds and End-User Shoots
provisions
provisions
metal-roles
metal-roles
CI
CI
metal-roles
metal-roles
ETCD can be clustered or standalone, backed up by sidecar
ETCD can be clustere...
This data will get lost in case local PV gets deleted
This data will get l...
We can work with local PVs here, too.
backup-restore-sidecar for metal-stack databases, for big ones Postgres clustered.
We can work with local PVs he...
ETCD will be deployed in HA configuration on local PVs.

csi-driver-lvm needs to implement auto deletion of orphaned PVs.

Seed metrics get lost, but they report to the monitoring in the Metal Control Plane Shoot.
ETCD will be deployed in HA c...
More sophisticated storage solutions can be in place.

(Lightbits, NetApp, ...)
More sophisticated storage so...
TODO: Evaluate how to persist these metrics.
TODO: Evaluate how to persist...
1 VM or
3 Bare Metal Machines
1 VM or...
metal-stack
metal-stack
metal-api
metal-api
metal-db
metal-db
ipam-db
ipam-db
masterdata-db
masterdata-db
headscale-db
headscale-db
auditing-db
auditing-db
nsqd
nsqd
Gardener
Gardener
Virtual Garden
Virtual Garden
Gardener Control Plane
Gardener Control Plane
gardenlet
gardenlet
Garden etcd
Garden etcd
Prometheus
Prometheus
Monitoring
Monitoring
Gitlab
Runner
Gitlab...
Services
Services
PowerDNS
PowerDNS
boulder
boulder
NTP
NTP
OIDC
OIDC
...
...Text is not SVG - cannot display \ No newline at end of file diff --git a/versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-chain.drawio b/versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-chain.drawio deleted file mode 100644 index cd5cf007..00000000 --- a/versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-chain.drawio +++ /dev/null @@ -1,404 +0,0 @@ - - - - - - - - - - -
-
-
- Partition 1 -
-
-
- - - Partition 1 - - - - - - - -
-
-
- seeds -
-
-
- - - seeds - - - - - - - -
-
-
- shoots -
-
-
- - - shoots - - - - - - - - - -
-
-
- Partition 2 -
-
-
- - - Partition 2 - - - - - - - -
-
-
- seeds -
-
-
- - - seeds - - - - - - - -
-
-
- shoots -
-
-
- - - shoots - - - - - - - - - -
-
-
- Partition 3 -
-
-
- - - Partition 3 - - - - - - - -
-
-
- seeds -
-
-
- - - seeds - - - - - - - -
-
-
- shoots -
-
-
- - - shoots - - - - - - - - - -
-
-
- Production Control Plane -
-
-
- - - Production Control Plane - - - - - - - -
-
-
- metal-stack -
- kubernetes cluster -
-
-
- - - metal-stack... - - - - - - - -
-
-
- gardener -
- kubernetes cluster -
-
-
- - - gardener... - - - - - - - -
-
-
- - Manages - -
-
-
- - - Manages - - - - - - - - - - - -
-
-
- Control Plane Partition -
-
-
- - - Control Plane Partition - - - - - - - - -
-
-
- backup of stateful sets -
-
-
- - - backup of stateful sets - - - - - - - - - -
-
-
- bare metal machine -
-
-
- - - bare metal machine - - - - - - - -
-
-
- metal-stack -
- and -
- gardener -
- kubernetes cluster -
- running in kind -
-
-
- - - metal-stack... - - - - - - - -
-
-
- - Manages - -
-
-
- - - Manages - - - - - - - - -
-
-
- S3 -
-
-
- - - S3 - - - - - - - -
-
-
- Needle -
-
-
- - - Needle - - - - - - -
-
-
- - Nail - -
-
-
- - - Nail - - - - - - - - - Text is not SVG - cannot display - - - - \ No newline at end of file diff --git a/versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-chain.svg b/versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-chain.svg deleted file mode 100644 index 8f88ba14..00000000 --- a/versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-chain.svg +++ /dev/null @@ -1 +0,0 @@ -
Partition 1
Partition 1
seeds
seeds
shoots
shoots
Partition 2
Partition 2
seeds
seeds
shoots
shoots
Partition 3
Partition 3
seeds
seeds
shoots
shoots
Production Control Plane
Production Control Plane
metal-stack
kubernetes cluster
metal-stack...
gardener
kubernetes cluster
gardener...
Manages
Manages
Control Plane Partition
Control Plane Partition
backup of stateful sets
backup of stateful sets
bare metal machine
bare metal machine
metal-stack
and
gardener
kubernetes cluster
running in kind
metal-stack...
Manages
Manages
S3
S3
Needle
Needle 
Nail
NailText is not SVG - cannot display \ No newline at end of file diff --git a/versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP18/autonomous-control-plane-images/small-initial-cluster.drawio b/versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP18/autonomous-control-plane-images/small-initial-cluster.drawio deleted file mode 100644 index a75ee340..00000000 --- a/versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP18/autonomous-control-plane-images/small-initial-cluster.drawio +++ /dev/null @@ -1,234 +0,0 @@ - - - - - - - - - - - - - - - - - - - 1 - - - - - 2 - - - - - 3 - - - - - 4 - - - - - 5 - - - - - 6 - - - - - 7 - - - - - 8 - - - - - 9 - - - - - 10 - - - - - 11 - - - - - 12 - - - - - - - - - - - - - -
-
-
- internet-router-management -
-
-
- - - internet-router-management - - - - - - - - - - - - - -
-
-
- management-switch-and-server -
-
-
- - - management-switch-and-server - - - - - - - - - - - - - -
-
-
- leaf01 -
-
-
- - - leaf01 - - - - - - - - - - - - - -
-
-
- leaf02 -
-
-
- - - leaf02 - - - - - - - - - - - - - - - - - -
-
-
- Initial cluster node -
-
-
- - - Initial cluster node - - - - - - - - - - - - - - - - - -
-
-
- mirocloud (initial cluster partition nodes) -
-
-
- - - mirocloud (initial cluster... - - - - - - - - - - Text is not SVG - cannot display - - - - diff --git a/versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP18/autonomous-control-plane-images/small-initial-cluster.svg b/versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP18/autonomous-control-plane-images/small-initial-cluster.svg deleted file mode 100644 index a9d29f05..00000000 --- a/versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP18/autonomous-control-plane-images/small-initial-cluster.svg +++ /dev/null @@ -1 +0,0 @@ -123456789101112
internet-router-management
internet-router-management
management-switch-and-server
management-switch-and-server
leaf01
leaf01
leaf02
leaf02
Initial cluster node
Initial cluster node
mirocloud (initial cluster partition nodes)
mirocloud (initial cluster...Text is not SVG - cannot display \ No newline at end of file diff --git a/versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP2/README.md b/versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP2/README.md deleted file mode 100644 index c7f2360a..00000000 --- a/versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP2/README.md +++ /dev/null @@ -1,7 +0,0 @@ ---- -slug: /MEP-2-two-factor-authentication -title: MEP-2 -sidebar_position: 2 ---- - -# Two Factor Authentication diff --git a/versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP3/README.md b/versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP3/README.md deleted file mode 100644 index 5ce36721..00000000 --- a/versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP3/README.md +++ /dev/null @@ -1,67 +0,0 @@ ---- -slug: /MEP-3-machine-re-installation -title: MEP-3 -sidebar_position: 3 ---- - -# Machine Re-Installation - -In the current metal-api only machine installations are possible, performing a machine upgrade is only possible by creating a new machine and delete the old one. -This has the drawback that in case a lot of data is stored on the local disks, a full restore of the original data must be performed. - -To prevent this, we will introduce a new metal-api endpoint to reinstall the machine with a new image, _without_ actually deleting the data stored on the additional hard disks. - -Storage is a difficult task to get right and reliable. A short analysis of our different storage requirements lead to 3 different scenarios. - -- Storage for the etcd pvs in the seed cluster of every partition. - This is the most important storage in our setup because these etcd pods serve as configuration backend for all customer kubernetes clusters. If they fail, the cluster is down. However gardener deploys a backup and restore sidecar into the etcd pod of every customer kubernetes control plane, and if this sidecar detects a corrupt or missing etcd database file(s) it starts automatic restore from the configured backup location. This will take some minutes. If for example a node dies, and gardener creates a new node instead, the csi-lvm created pv is not present on that node. Kubernetes will not schedule the missing etcd pod on this node because it has a local PV configured and is therefore tainted to run only on that node. To let kubernetes create that pod anyhow, someone has to either remove the taint, or delete the pod. If this is done, the pod starts and the restore of the etcd data can start as well. You can see this is a bit too complicated and will take the customer cluster down for a while (not measured yet but in the range of 5-10 minutes). -- Storage in customer clusters. - This was not promised in 2020. We have a intermediate solution with the provisioning of csi-lvm by default into all customer clusters. Albeit this is only local storage and will get deleted if a node dies. -- S3 Storage. - We have two possibilities to cope with storage: - - In place update of the OS with a daemonset - This will be fast and simple, but might fail because the packages being installed are broken right now, or a filesystem gets full, or any other failure you can think of during a os update. Another drawback is that metal-api does not reflect the updated os image. - - metal-api get a machine reinstall endpoint - With this approach we leverage from existing and already proven mechanisms. Reinstall must keep all data except the sata-dom. Gardener currently is not able to do an update with this approach because it can only do `rolling` updates. Therefore a additional `osupdatestrategy` has to be implemented for metal and other providers in gardener to be able to leverage the metal reinstall on the same machineID approach. - -If reinstall is implemented, we should focus on the same technology for all scenarios and put ceph via rook.io into the kubernetes clusters as additional StorageClass. It has to be checked whether to use the raw disk or a PV as the underlay block device where ceph stores its data. - -## API and behavior - -The API will get an new endpoint "reinstall" this endpoint takes two arguments: - -- machineID -- image - -No other aspects of the machine can be modified during the re-installation. All data stored in the existing allocation will be preserved, only the image will be modified. -Once this endpoint was called, the machine will get a `reboot` signal with the boot order set to PXE instead of HDD and the network interfaces on the leaf are set to PXE as well. Then the normal installation process starts: - -- unchanged: PXE boot with metal-hammer -- changed: metal-hammer first checks with the machineID in the metal-api (through metal-core) if there is already a allocation present -- changed: if a allocation is present and the allocation has set `reinstall: true`, wipe disk is only executed for the root disk, all other disks are untouched. -- unchanged: the specified image is downloaded and burned, `/install.sh` is executed -- unchanged: successful installation is reported back, network is set the the vrf, boot order is set to HDD. -- unchanged: distribution kernel is booted via kexec - -We can see that the `allocation` requires one additional parameter: `reinstall` and metal-hammer must check for already existing allocation at an earlier stage. - -Components which requires modifications (first guess): - -- metal-hammer: - - check for allocation present earlier - - evaluation of `reinstall` flag set - - wipe of disks depends on that flag - - Bonus: move configuration of disk layout and primary disk detection algorithm (PDDA) from metal-hammer into metal-api. - metal-api **MUST** reject reinstallation if the disk found by PDDA does not have the `/etc/metal` directory! -- metal-core: - - probably nothing -- metal-api: - - new endpoint `/machine/reinstall` - - add `Reinstall bool` to data model of `allocation` - - make sure to reset `Reinstall` after reinstallation to prevent endless reinstallation loop -- metalctl: - - implement `reinstall` -- metal-go: - - implement `reinstall` -- gardener (longterm): - - add the `OSUpgradeStrategy` `reinstall` diff --git a/versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP4/README.md b/versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP4/README.md deleted file mode 100644 index 389a02d4..00000000 --- a/versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP4/README.md +++ /dev/null @@ -1,211 +0,0 @@ ---- -slug: /MEP-4-multi-tenancy-for-the-metal-api -title: MEP-4 -sidebar_position: 4 ---- - -# Multi-Tenancy for the metal-api -:::info -This document is work in progress. -::: - -In the past we decided to treat the metal-api as a "low-level API", i.e. the API does not specifically deal with projects and tenants. A user with editor access can for example assign machines to every project he desires, he can see all the machines available and can control them. We tried to keep the metal-api code base as small as possible and we added resource scoping to a "higher-level APIs". From there, a user would be able to only see his own clusters and IP addresses. - -As time passed metal-stack has become an open-source project and people are willing to adopt. Adopters who want to put their own technologies on top of the metal-stack infrastructure don't have those "higher-level APIs" that we implemented closed-source for our user base. So, external adopters most likely need to implement resource scoping on their own. - -Introducing multi-tenancy to the metal-api is a serious chance of making our product better and more successful as it opens the door for: - -- Becoming a "fully-featured" API -- Narrowing down attack surfaces and possibility of unintended resource modification produced by bugs or human errors -- Discouraging people to implement their own scoping layers in front of the metal-stack -- Gaining performance through resource scopes -- Letting untrusted / third-parties work with the API - -## Requirements - -These are some general requirements / higher objectives that MEP-4 has to fulfill. - -- Should be able to run with mini-lab without requiring to setup complex auth backends (dex, LDAP, keycloak, ...) - - Simple to start with, more complex options for production setups -- Fine-grained access permissions (every endpoint maps to a permission) -- Tenant scoping (disallow resource access to resources of other tenants) -- Project scoping (disallow resource access to resources of other projects) -- Access tokens in self-service for technical user access - -## Implementation - -We gathered a lot of knowledge while implementing a multi-tenancy-capable backend for metalstack.cloud. The goal is now to use the same technology and adopt that to the metal-api, this includes: - -- gRPC in combination with connectrpc -- OPA for making auth decisions -- REST HTTP only for OIDC login flows - -### API Definitions - -The API definitions should be located on a separate Github repository separate from the server implementation. The proposed repository location is: https://github.com/metal-stack/api. - -This repository contains the `proto3` specification of the exposed metal-stack api. This includes the messages, simple validations, services and the access permission to these services. The input parameters for the authorization in the backend are generated from the `proto3` annotations. - -Client implementations for the most relevant languages (go, python) are generated automatically. - -This api is divided into end-user and admin access at the top level. The proposed APIs are: - -- `metalstack.api.v2`: For end-user facing services -- `metalstack.admin.v2`: For operators and controllers which need access to unscoped entities - -The methods of the API can have different role scopes (and can be narrowed down further with fine-grained method permissions): - -- `tenant`: Tenant-scoped methods, e.g. project creation (tenant needs to be provided in the request payload) - - Available roles: VIEWER, EDITOR, OWNER -- `project`: Project-scoped methods, e.g. machine creation (tenant needs to be provided in the request payload) - - Available roles: VIEWER, EDITOR, OWNER -- `admin` Admin-scoped methods, e.g. unscoped tenant list or switch register - - Available roles: VIEWER, EDITOR - -And has methods with different visibility scopes: - -- `self`: Methods that only the logged in user can access, e.g. show permissions with the presented token -- `public`: Methods that do not require any specific authorization - -### API - -The API server implements the services defined in the API and validates access to a method using OPA with the JWT tokens passed in the requests. The server is implemented using the connectrpc.com framework. - -The API server implements the login flow through OIDC. After successful authentication, the API server derives user permissions from the OIDC provider and issues a new JWT token which is passed on to the user. The tokens including the permissions are stored in a redis compatible backend. - -With these tokens, users can create Access Tokens for CI/CD or other use cases. - -JWT Tokens can be revoked by admins and the user itself. - -### API Server - -Is put into a new github repo which implements the services defined in the `api` repository. It opens a `https` endpoints where the grpc (via connectrpc.com) and oidc services are exposed. - -### Migration of the Consumers - -To allow consumers to migrate to the `v2` API gradually, both apis, the new and the old, are deployed in parallel. In the control-plane both apis are deployed side-by-side behind the ingress. `api.example.com` is forwarded to `metal-api` and `metal.example.com` is forwarded to the new `metal-apiserver`. - -The api-server will talk to the existing metal-api during the process of migration services away to the new grpc api. - -The migration process can be done in the following manner: - -for each resource in the metal-api: - -- create a new proto3 based definition in the `api` repo. -- implement the business logic per service in the new `metal-apiserver` without calling the metal-api. -- clients must be able to talk to `v1` and `v2` backend in parallel -- Deprecate the already migrated service in the swagger route to notify the client that this route should not be used anymore. -- identify all consumers of this resource and replace them to use the grpc instead of the rest api -- move the business logic incl. the backend calls to ipam, metal-db, masterdata-api, nsq for this resource from the metal-api to the `metal-apiserver` - -We will migrate the rethinkdb backend implementation to a generic approach during this effort. - -- Try to enhance the generic rethinkdb interface with `project` scoped methods. - -There are a lot of consumers of metal-api, which need to be migrated: - -- ansible -- firewall-controller -- firewall-controller-manager -- gardener-extension-auth -- gardener-extension-provider-metal - - Do not point the secret bindings to a the shared provider secret in the seed anymore. Instead, use individual provider-secret containing project-scoped API access tokens in the Gardener project namespaces. -- machine-controller-manager-provider-metal -- metal-ccm -- metal-console -- metal-bmc -- metal-core -- metal-hammer -- metal-image-cache-sync -- metal-images -- metal-metrics-exporter -- metal-networker -- metalctl -- pixie - -## User Scenarios - -This section gathers a collection of workflows from the perspective of a user that we want to provide with the implementation of this proposal. - -### Machine Creation - -A regular user wants to create a machine resource. - -Requirements: Project was created, permissions are present - -- The user can see networks that were provided by the admin. - - ``` - $ metalctl network ls - ID NAME PROJECT PARTITION NAT SHARED PREFIXES IPS - internet Internet Network true false 212.34.83.0/27  ● - tenant-super-network-fra-equ01 Project Super Network fra-equ01 false false 10.128.0.0/14  ● - underlay-fra-equ01 Underlay Network fra-equ01 false false 10.0.0.0/16  ● - ``` - -- The user has to set the project scope first or provide `--project` flags for all commands. - ``` - $ metalctl project set 793bb6cd-8b46-479d-9209-0fedca428fe1 - You are now acting on project 793bb6cd-8b46-479d-9209-0fedca428fe1. - ``` -- The user can create the child network required for machine allocation. - ``` - $ metalctl network allocate --partition fra-equ01 --name test - ``` -- Now, the user sees his own child network. - ``` - $ metalctl network ls - ID NAME PROJECT PARTITION NAT SHARED PREFIXES IPS - internet Internet Network true false 212.34.83.0/27  ● - tenant-super-network-fra-equ01 Project Super Network fra-equ01 false false 10.128.0.0/14  ● - └─╴08b9114b-ec47-4697-b402-a11421788dc6 test 793bb6cd-8b46-479d-9209-0fedca428fe1 fra-equ01 false false 10.128.64.0/22  ● - underlay-fra-equ01 Underlay Network fra-equ01 false false 10.0.0.0/16  ● - ``` -- The user does not see any machines yet. - ``` - $ metalctl machine ls - ``` -- The user can create a machine. - ``` - $ metalctl machine create --networks internet,08b9114b-ec47-4697-b402-a11421788dc6 --name test --hostname test --image ubuntu-20.04 --partition fra-equ01 --size c1-xlarge-x86` - ``` -- The machine will now be provisioned. - ``` - $ metalctl machine ls - ID LAST EVENT WHEN AGE HOSTNAME PROJECT SIZE IMAGE PARTITION - 00000000-0000-0000-0000-ac1f6b7befb2 Phoned Home 20s 50d 4h test 793bb6cd-8b46-479d-9209-0fedca428fe1 c1-xlarge-x86 Ubuntu 20.04 20210415 fra-equ01 - ``` - -:::warning -A user **cannot** list all allocated machines for all projects. The user **must** always switch project context first and can only view the machines inside this project. Only admins can see all machines at once. -::: -### Scopes for Resources - -The admins / operators of the metal-stack should be able to provide _global_ resources that users are able to use along with their own resources. In particular, users can view and use _global_ resources, but they are not allowed to create, modify or delete them. - -:::info -When a project ID field is empty on a resource, the resource is considered _global_. -::: - -Where possible, users should be capable of creating their own resource entities. - -| Resource | User | Global | -| :----------------- | :--- | :----- | -| File System Layout | yes | yes | -| Firewall | yes | | -| Firmware | | yes | -| OS Image | | yes | -| Machine | yes | | -| Network (Base) | | yes | -| Network (Children) | yes | | -| IP | yes | | -| Partition | | yes | -| Project | yes | | -| Project Token | yes | | -| Size | | yes | -| Switch | | | -| Tenant | | yes | - -:::info -Example: A user can make use of the file system layouts provided by the admins, but can also create own layouts. Same applies for images. As soon as a user creates own resources, the user takes over the responsibility for the machine provisioning to succeed. -::: diff --git a/versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP5/README.md b/versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP5/README.md deleted file mode 100644 index 3b7fc45c..00000000 --- a/versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP5/README.md +++ /dev/null @@ -1,54 +0,0 @@ ---- -slug: /MEP-5-shared-networks -title: MEP-5 -sidebar_position: 5 ---- - -# Shared Networks - -## Why are shared networks needed - -For special purpose machines that serve shared services with performance critical workloads to all machines of a partition (like persistent storage) it would be good to have kind of a "shared network" that is easily accessible. -They do not necessarily need another firewall. This would avoid having two firewalls in the datapath between a machine in a private network and the machines of a shared service. - -## Constraints that need to hold - -- a shared network is usable from all machines that have a firewall in front, that uses it -- a shared network is only usable within a single partition (currently we are constrained in bandwidth and have no routing of 10.0.0.0/8 addresses btw. partitions and failure domain should be the partition but this constraint might get lifted in the future) -- networks may be marked as shared after network allocation (but there should be no way back from shared to unshared) -- neither machines nor firewalls may have multiple private, unshared networks configured -- machines must have a single primary network configured - - this might be a shared network - - OR a plain, unshared private network -- firewalls may participate in multiple shared networks -- machines can be allocated with a primary network using auto IP allocation or with `noauto` and a specific IP - -## Should shared networks be private - -**Alternative 1:** If we implemented shared networks by extending functions around plain, private networks we would not have to manage another CIDR (mini point) and it would be possible to create a k8s cluster with a private network, mark the network as `shared` and produce shared services from this k8s cluster. - -**Alternative 2:** If shared networks are implemented as first class networks we could customize the VRF and also accomplish an other goal of our roadmap: being able to create machines directly in an external network. - -Together with @majst01 and @Gerrit91 we decided to continue to implement **Alternative 1**. - -## Firewalls accessing a shared network - -Firewalls that access shared networks need to: - -- hide the private network behind an ip address of the shared network if the shared network was configured with `nat=true`. -- import the prefixes of the shared VRF to the private VRF and import the prefixes of the private VRF to the shared VRF so that the communication between the two is working in both directions. As long as no `nat=true` was set on the shared VRF, the original machine ips are visible in both communication directions. - -## Setup with shared networks and single consumer - -![Simple Setup](./shared.png) - -## Setup with single shared network and multiple consumers - -![Advanced Setup](./shared_advanced.png) - -## Getting internet access - -Machines contained in a shared network can access the internet with different scenarios: - -- if they have an own firewall: this is internet accessibility, as common (check whether all traffic gets routed through it!) -- if they don't have an own firewall, an external HTTP proxy is needed that has an endpoint exposed as Service Type NodePort diff --git a/versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP5/shared.drawio b/versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP5/shared.drawio deleted file mode 100644 index aa7af045..00000000 --- a/versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP5/shared.drawio +++ /dev/null @@ -1,121 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - \ No newline at end of file diff --git a/versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP5/shared.png b/versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP5/shared.png deleted file mode 100644 index b0b47f0324545ec159effc46f153a9b5b0c2450b..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 49790 zcmeEu1zc6x+V`OZ4ygiyBB6sIB@GAZ6lv*}?mBcygGj5CbV#RkNJt7wsURqVG@^t^ zNqy@e$3dOB@7#OmeZTwuzHi1k?!DGtYp?Y@&-y>PCqzL`5)XP73V}fIq^^nGfIv`T z5D1Di)(OzUv5?FQfpGOYimN+XyPB9=8AE8;MZaCqu(6ogIylm>i_x&L8M5)P>vM9j zF&T34a58b|bD1!~40#NgIC%_MdDyu)OpNr|!DC>IwXKo4iMg@Sw{dJNY%ENy;15ih zm6e8Fn4JauaB?!kSU5GmJ+E(SY;*JyPG%M`0i8PHNfB@*V{YT*3jTKG;nL&cxD2j@ z?d+_K)r<|K%^hjjBskf*nc2AzL!_@M%gWHOiGph@b4z3Jm!z?wr7dEJsI3vWmtbY) zWMO7S+?&B|tr0Ce?94389IPzt%&dnC7q>DtbcEa5fG!v_+u^fH`X>5t^J8y9Y|z+I z-}Kw&EG1oGcEYTR4h9aQcGpc+&3UZA3J}jY8^ayU!BmH|V`XRNV&+72u!{rg8ky^x z!u74eQ|3oRQqgl$V!Cc`p>Ja#%%2GIu|kp7m&)sgt>pvBS~2 zzm0UXwY73IxBIct(ALHVkn4vB_2F<^mmeQ9v9&tdbe6C%xa-5C1N%|9AipgF{Ksw{kk#o2H!62!jWB>;T*#`;e2^+Bt%wtpELeV8!3& z`|%y1`Ph5^9TpquJD44c1A^aw&exwLL0niuLL3H0AciaGJ31P}5%>cb%Yu*(#FCFm z2iM_0p#5)<4p!LzJ@Gg~w`1a=WCkSN2<%$*h6MNpZ2fn5@e`5%XO0^y+m8fgN8TSh zZ>&hf{<{wx(5DE39i!+k6g0Lm5=LM>5HA~B0BAn|6o5y#n>y%XVP@k5U5ED?hmv@7 zBZfc~1k@dNi6KA*ardW^=%^1jH3p{@VTT;?+t}y_HS#NP9itRdcN`}avJGx*rSE9& zd<4)(xcEnKb@T=WTk}ICL82y-F+T$%ata4qC%B>U(I`OH@7m?(iIDJlG!Z-U9y!rB z8vHWRA$oqt>%&DJHvI!Y<^KEl%l%LB*VxtE@ta&64g+@xsW_AaaQ(YbAa0N{@dFh8 zF|hrq*nFe?H?cX=BLBIP#D>(B|E?sladIfX%jXp@ZLJI!hFIPOj$Q3IKGYkf7 zY=qpigC7K}95Z`>?SW9i$84J)b=?uP97o`zCVeY&Q-p3a1OQ?T3?UJOC1VbZNa3Rn zYjYzbgmv|Y#?+7I)(;YfP?ASBF@V>907-w{bb=ik{%kBrz9JcL44^pvz;r?a3zAR& zis=OVQ;q|BOC#s(&TkH~W(1sW;yNMSxkNThx{u9T4w_-_&N2xpF&FTeW>KLOB>K=4ocUH>DL zWJjU}62AW@Dfz4Cr2sc~)^|iiSH9WSM<&}bO#ja(DJPPI|A3_bZMHS*ukOk(YVofc z*Z-95_3bTx5Cb@FBq2fQxRu0uBnAH=2KUe0<3Mr~i5Y*@;O0aE5K;_~_sEIhAoLFbhBt5uf;H z;PMcS4}%&=EItOZh(OryVU5E(1YN#Iz7&k%<{;3H@L>OO0PMJuKC&QwfZiiG{twa7 z?8uZ1QV5XYVWevPt2+7@>lb;hkrVxWIvOdb$8_}f@bR~k4I&x96#9P`ciH}eD*`)G zS%3G@Mxx3w?tG8(%NaYm*upJ=Pa=g(|NNd1LPnr~ijX)uILDlo|0)0l+~V&^wBu1I z(EdFS@OOry{ssVM{V9gQ#&x8!jsY+$$B_m-&ZfV^_eMl8z@Ou(gWo;I?|k|>X?LVI z5iCMR_y0K_eGgsy%p;_W{vXC8P8POr)d1gvg8#Ez`qi)hMNb+!!JWTnAdfkuhF1Cx z4(5me(y^%RpNj2&h(7vm`Xlub*OA4DR3rbgKKgm0KhZ}ZSEi3hrX$~Hhe#qhAjtN| zStWL)!aQ0q$B{z)J!AfD#^2LD|6B$LdCZQ%sf{gIpPaDruMqlci_+n9EaoO)h>boX zFXspcB@UpF0+i0MfU=8k=~o*hF#i_^p2ZRI?n4y#rehHh@(&T{po^J;r%Z~pj$!jD53Q>-%<->=M?veSt??&-a-~nk>|85W?Vh~7s_)jt9 zxarGwq|5$8a0O9abExl*jwu_@Q3?#nu)m5c9Ech=gw+4pM1O)SKx2Y3Fl0^5?`ZH3 zlD|k29y|KT1MXm_e|Ubs*CiqAU<|)i8zJgr;HCz206f7TM5W!atILQ+M81p#k)UBR z(YH3Y0=q$s0rTry+Z}eYvm+`|%#5v^jS=a(UwVF=M_7eSM-YSPK1wnor$6jA2lZNr zqD4eM%dw>$b~?iKZ5&L%qL9-gO1_TX4@^~~AK!j_xPiW*rRiY^o#`i{vmv4$M`Zu$ z`ghVBnLF570ZntbEOQ&H!&);WRjh0gQ2lMchy@|J3$6}pr_8PGY~haJCC6=Mgr@ig z-$2&B2?(<2>AytjA5%>KGs)aPg^|A=Ut&i>Ch{=;kp+$PaF4?^f;|YLAW#3l1lPYN z(Z5Z4OdlSD>m#E6fYpC!qJc5T;Q2UQBVhSYsrH`&v_G+go#k%=+FvI68-ezZqEX+D z(*FnAZ<^x&1MOinAHc?;R+{~*?*dd9U1gOPW1OdJyMX53DfuJLJpFAPGUF649$or#D*Vx4+Bxm&@5Gsh2n6R>| z?#E@VC#>2~0 zepGZb-i=Rf-fG+2O`M*MeQcV78EE8eI-6MQGR{BuEQvJg0`xX&_6;h_p~7Kiy~d;g zW&gV^=nPSumP3niSM+*+yL%foLud=yhShZEB_W0w3b)e4r#IEMV}(6~I$FfHPl|e3 z_qbFS`AP9dstO6vQSk4vx!$9viZUDwQE|K&WjHw!lRlz_;!EzqK)-n!BdNqkC}M4n zYSf)7>a_J>cerdWXuzgb37TGoVok@pVk3Uw#%9iHLR6hgcf0Y#QF0ilqNcuFzTJqA zH7%A}1vg#04CZfy#heU5MTK3`MFT%6+GG#LhzYyO>a*aYip>jPE*>vvMhWN}$SHa| z;)$5tR?b)~!>3cEH(NGQq1@y-Aw!zkK*sAz%QKUmk(9ID>h;b{5$CT4`S?H*RioYw zb%dWQ^VqbJN#uH-y_lgXMMawr?OspG0xPC{UKRFAiD-qV%WZ8I&t|+a90l#f&5=jO z(GTWsi^%2OcxX4#i~`ns-KO>$k=<>uQ2c0(vnMgg^Mxve^h=r2XzM+!Z@F?YX}_x3amZc5|RW?Ft6=^5ad4DytDc@lcZYo8#VUQBQ&&Z?LG| z6SnM37Y%07e}c~E^;KC%QbDu9wakykPrlJ}d*ah4Jdvk0_EXB|E=ooy+hiZ?EqklJ z*_sT!!eaHBE#G|FJ1M)|w4>G>#jvwo_!kkgW5iF;#>UROV0eQ6qvwucZ>CUEMrLM znJW@+E)aEvaGB3^Tv7%S8gP$Z^s_5Q1~J_E<7?mhmz4~j#j{>Z;weM*Wz=|-rc$7K zed}$lLjh?F(d8TH^5{i$i^C;q!)0$Dd#Gt#yL(CY&K+Wg3#x_cP+oPcGmdDhF6g&y z8@DAi6bdU>XX5k>0P(LSauvx&i9#%2m!?1ZD3iiR#-LV=i-K4z_6f=e|JeLfG}m)k zAKBrOzX>B_7ZJkWxz=nj@Se6#HC;%~@iN0EXC{z8lOz?gdpQh*MNzH6o{x;45>0!4 z8IY`TTQk9eq~n;c%|547$_{%FTxQrg8BBRgC2oP-ancwJhkRV`Q9LuHsr(@E;e7&Wy(DM;4D0M7H&^>S*jlNcW}eMG5gRq~Z5 zF$Y|5pIA*`Hx*jMLyIKy7cJ->$dn|WV37-^QmV92d6}z-Mk}9!UUKm! zOU;PpIf*W}t(EjUsrolLsIOnC62V7HBJ-4SA?$o2v@rWTacXOID!*yD=|JE{j$F~r z@G^d4dSwNa7q}cG(h-(kkSy*DpJISLg&2y>o=|X{ctq&WUpIRn{ka(R)V+%ZB1EM+ z0BGM--hGhaQ%?tI%FIq2atk^wCc;tMW(d%6^>tpHZ=yO%brAXKzEGW@OHqbr$Yw54 zWPn+NWh!uAWP%;Dt~%oUJs2!T3Xd1?of})ZZ(uVv3*(Gta(A{#2|xYHLu2DTpj56_ zbun*Lr0LMg!Q096;4ofu8rB?wPlelz)jhnSVrN;$53SB{@Zgtsi?BM`6;cR?C({Dm zG8IzJY{*rQ8Xc6xWj)%EiPu-Ek1C@Tnv(ox=xcOQC;1JT3bK)+S@igoN3mCQ>Xd2T zaeO$X$baE#V}J4KuCnS3xF9=FDu%NoF=cM~s9eJMN|*Zm?lEa`IgwJX39-teDN(Gv z?-Sj2-Aay&i@W}~S@dA5c@D+(*;pF~j*Q*Y-x7DpiUj$n)%$v%%S<<@2?_ahFSf~y zJyUFVK7mi3i$75Q4B8uzDEok;#UGR4<cxl$?vE#yEo`8e4`w;xnOFoYctJ~{O8dR+kgCQqQoS^TC zPFdZJ6x>&k5*|52fnH-Z!WNTu-#eC3BV(zxf&{z|-(KE?YmSqTa6nVgTB8&dR+amk zlbA0R20Gk`<~HiAQuC!Q>bK;4t_lxjC(sh?(nayvolo0gF*zEpqR4YguYY)@5|Nvy zl#`Dh=Xuk6bIgVQ{Us%~LiMr>JUOT32`){uIB+}2u-0?4$FfUZ687;iN+519?umuo zQ7zFeVsmF-rO_9=!aH3mD>5W6xR_7Ax6XP>pNC@w4t+K6 zxk1!bCQg%g5vcX9vxFGW@`Y-mTEF1H;L|=Su6JP>@rh5dU>H!MW}ug1B--x~D-BU- za>iTu+70H&Q(|zUV;K%Oa4$rO_TVv{uM6~FI2A8?r#73h+^;Wz9n;Z;6@`}CZ{fVz zUI^ASi!?9F9r5MR6q=+xS}Im-+A-}4mNMIPV(G2{_7p9Da?S7uoR%l*2Gq?y>APcV zwtX=OAh+DBFcyYRzs|V(@+5-nc(+kaRH(GO^hKV@3vB;J3ZMU)Zrp|iLyumY>%$bq zKW#VoH8T#V+aRAadvouF<>Huih`RbO7%}P30+nGu-%tH4RZtHl;$((Z*|hp>bR94h z2D4>D5qR->Zzw}NlrTyZ=M6SKW7yR$igPY~W_ULFz>`SXlMbC~E)is9VeL_=)J1uT>^9YOob(^n@!( zO3P%3h4kks(asbPQU@zsvpn4rWG^Z+|1_TR-40Mm3fSTcjhTTTTL}a!ES{e1vR?`o z)7-=b)RQLj+BNh?vYhykfLwHy$xlLwvr9Vq+nuf__c714U z1TflshtAYF=c^QuBqb-_Ov9uo7jU5;fC`@>nsOwaGc6kj;oX>kbZh!ynA zr}w6bW^yj}Q~;JwLx+0X-6;)9F|wjH0LAwEF>*f*MK+9%Nm0NBm58_kToy{}@foxjU$G2x4 zh#&c4+~-T+NWIp%QJYRT;fRrR0@hJ(^s&fq^~?LNcZtEcw>CyhEebr9rF)ZLuSmAL zE@6dR?V!S#kzGmlWz=0AL!Mae6?CgPFd`} zr8o*ELOnsEA7U#uw?KK&;jU*{l+Lb92+Sr-E;Lq5uPn=iG^58q>ud8=l-Yk8kXYCw z7E5#eKIFyK(%vGi>X$8^&&=DkH40x;+v>%vJ=M&1OnGL-==OP95%VkS$+;K?wNj@= zRj2D^GkdO|?UH$&UZUIzIZdl-y%J!MZ88z^jL$m3&;WWHSc>_KbE}i>N~)CEmaZEg zHEuuq$hQz5OFo-xa0fHOS4uXs{x%J59dYbVq7f8CIyBt zCsf=8H+L6b6=0?;Nyk%PV`1mMrmVJHQsnIOX}u^UESSFGVy7Tg3mCj zD+uG<)6q1!UL8PQCB*|AhC94c3B#uf3&$c8T1JMwb~f@}Bw}l#6V)ZfTli@VB{bYS z7%$cLzwXuI@rV-dEC*I}Lh@4n-p*zL5s|O2Z&%!vRMDYSp$Ji0DdUVxTdn)L1qO6`ZH}OKS#08_E^VFLt-W=%n1clX{iyG+1(Wl;5K{+Bad>%p z`bnMwEcbimhkQkm4tOqen+yvjn+gujGH-vv_P$}G8AJ$`7#OrKnP_1}7 zZ&ztE#*3jHhRrs+c42zuR>ds2;4N*9NODE6uJlJ0`Xq>TvE5_CSDX;U$T$xt4Q4a# zC66&r3@kpYX*Z8Qcu)O9vv4RD`@I*OVhU--0c20Zv3a>|-xc1yWi#>!!+U=_=g|We z=T5LT%UJRru91|=9k1<~IA~Q(YrbNp1bvFh_U9QWJeEl-yHIZT9=EM7q0RhVLqRg5 zXRZ{|UDSmGD&kb<_}wc+htmFllee9_^tGOSd`_AOc$Xh6Ncp*gX_|Ms-$2CfTB^X~ z?sk6tJuWEjYM2(4O> zi3{N2N9Me@3Pg6rs2b%akDURL1-AUj`-u zJ4{aBT#Cp}4~%~6vXnKK;X_B5n#YXxVEAYk)1c<5pR5B^bDUI zhMQ-)-b;05N`&+7gJ+(kFz1Hp5wV0KysZQ&vS7N2TBsNqd_LQNnI5v+htU^vLxLF^ zFAZ?S;dxG&1ks8ZMg}enyu%y5wetS`WcKH_nTv*8<%kJVbjT9vCdi;-*kFRso123B z6D?@=N^TwQ(TeU-;0X$j5jJJT<}9e#S$LbQ@gOmE>nRKlusoy7AZX)L&p>G2b&@-# zUjFeHJt8bb3`T<*>}z5PDh7pfaK8${B%mOIyP#wpfYzG`*Fl5qsGk%}IJ2b0ymtn} z3ZYrJlCxszsGv2)s3(KSVPE>3XqDVAL0>C@F&_DsH&21UkSQG@bys?#1@M1q5fKP` zC75AVmaJm4FW@_mf|dDoB0`J|ag;=A$+yY_8BK4MiR?7MVzr$uvJ4Rm$VBB5ji|}9 zQdZ6nLA|61-um0=%dLbMeCjBPRJ1HCQ8xManhy3ogb9YO2Qfok?;}XSImV{0*nA%v zfCHP%W}9i~NfYz61DXz7?Lr5i3{oHrGL{yjUnV>Y`14ZYYBbA;wz` zuydCb{srJ>K^1%z5PNzgB!<$b3YJ|yrzdd*8ZV4e5S3Y**I4g;a0`VU_eKX|Jtu+U zrk#B7lo&y1O=treST?)}`|i8jsJ%D9SdDJ!dIT}9V7&89GHAcEXFuH)9sMY=TlZ9t zml(<>BIdw9C+p4x<~q1chzdmGtl+I(m(8WI)7&wIrxcr8!Om7!FsNG3V92Biu}t4i z>_#uYEJ}#+5fN!S-+o^!1PF%`5mpd6*r>R-`LBF{!i~6N!Y!mY6`TDL+GERl)ooGu zLAOGtlrQzGIUb|O5=xshRRcNAZ-DW7(X=^-C3#j6M4`) z4|R^hl8h+M%-2-diQh5-b2|IR+Eyuxv8Q>o-OO2T0H%mt=aR3Tw+6U1(=T}Xc@;SO zmtIJT0*mnO%AnOW0G5y>n-n`0;1U(<)xsa<*W^88e}f8}O^`MXZ>xw}`_h*~%5KCM zLBZ!2cV)jNn9>VtS@oUSXjRBy-D}$RGWZU3_sTuPXK8`u#2wjaiBW7$-GmNfSrSSO zTRRx4%j$s$03I(}CWb0Emq~X%(LTdnGS=olPC;dx-r%e!n7%&zx_@+Lab>-ugw^{w zUwt*@C>{o!{8A;yZ%`f`6jRX%weY)J@4ra3g`NB|mc%Dc&tdt3jOop0X})aAvyjrM z6^yLw$;?ki$7-B02yWF!dIsJZ@%$9+@6n$jEH0y0NP4=`)t80C>fxVra0Jt0)QrPYI0zngtKd`A?mymMX|cVQ z^qWRN3f@;)lHQa6?|rurXPvJjg>=-$LYrK!SDdXpz2?a$+uZbYEE%R9&2-Ows@v$C z+lG$3HE|`@Yq}Nwa4iRWI)GML*?YXggq_3UeIR{h0s8odrBC%>>M}nHO*rr7Vps{u zt-$f+g9wuIn$0;{TG^}}HR)5On~9HI*JhcZL`*&>eQ(`f*JX6H7$VbfFlx_!l{j&R zhujTkw!I7GqW#880#^`|?5}Y$m)&EK+)AUI?Dk2tKxrZg!KTKo{jJUUfo$4$p?ehFD$K!X z_4qfJ7x?q7n{M5zaa?7Kwbsqwe|~G&MjZ#^4zZ8k_{kdA{R;*iw|(=S@-swB@bl$b z7z6vOEYCelZG`N|EsH1g^`L8|T#8HyOZ9FDFb~ZM+FH3oLz`cqTzm#Y%(s-tjDj`aSvm_fy4z^udZKr;p1xXbx)S*W+XDaByRhndIW1J65;D_jq%mI5T6 zztQilu#ac6;kl757kcVpQ=6VQzi{&xnh#&Ew>wPsGXEZ}&F#SJ3pvXvI+5WN`(2#tXrMiB2J&%3);j( zfdv#v?cXc&T!gnp9-!1!FZlYkLo=ijJ4j(SiEccU%43Ahe2(q>T+|aqFH6sn`&uE~ zX(aaH2T>(9Qzd3LT;;Fh28ZpS6o#-i!`0wQ^>HwCVH-j>(pSGIXt0j@wSd; zZs&APOoTKSa|h$zU4Ygd()&!t@s2#~{~L0io2EOhqb5=*u;mkVgN` z+-2D@9nM^}tIEZSdMG&33A>brqfaVpyf?W}CGgvVbZC|L>SCaoUc>vjng!HB1oL;4 z%?IhF@u}(hy$MyV`2z?hX@%mr@Dys)%>j(foClU{|0A)|(S|vq8(G&+Ke;<4n002~ z^$TPwoB2sl5rAM9Q{tIAMZJW}_bL56@lkn;_}MX#V|{bMTr zd$g_f5|=qP7f7t|9KN7(F-g$Rs!60)nx7(Y#@cgGia zzMePOaBU+)z1$LSFk9ZgDfQs|t`OyrDbHY*bY>wRdRUU10FE<(3ZweTDbsMtrH0y9 z{HVLAD=nCmbgmZ44;AfXp7+FEiRKm+Fg7nEx%c8lHKsuCK5Kqlu5bG}5^9alMlGx` z|2hJRY(}zyItR;F9lm3jWp*7RjG9d>=+n3#c?oHH;zXkF1`a$FSHp0sJo{3)>>3&` zLGy>?0>zC`IP{4?&ssv=aGT=2mA;<1`MF{F1y;im$LXhWl6w(RqORw-t@uca^aAeZ zDK(UH0cEpi?_}e#Y}Djv<3c{ZFUT1M*kg0p;5;JB@)t$ z)BPARm!-M39G40{d>Vgze$7-ypT^^9E>iCKc@0<&A6lPeCNtu$VHxm)=ltwh9PeU@`BjD)}nL6 z6JrhME$;UOzfjv(@aY&#vtZqFTnP4XvB_KQ)vMLn(+*CW>r16}i2az)WJ;_g8o^Be z+&V`-r6VduR53@<8Ur`hxASY$Y0r2YuzUa|~%GDh_RN2#HF-)&B`S^wPdL;3i*o&gGxGhnqxpn#4K&!j6JiN%zfQXTlq!FtSkFH^2?_h+d{I(~eA4i#=DmF{u5@r0=G_|E0h zTXP`_)N{*CshRNAq<9Wfnks8;Vsh7K0$%a+7aPv(Cb@^ubDnE<5xa@iwJ=;61JxC< zpN8Ctp^vmqRLzv?iGZqGyt2*EHsBw1Gd##EXz?<8Q^VU>cmwB(USspZa)kbqurxw! zU3TjySnH=`E#OTW?y_s7B>h;y4v(k_)6+KiyW0k5w{o`(#?Mw9_)&NX*QNaY#&E;{)<#&&xujmOlF26f(+LzKk z{q)`|(`v~`ik9^%>o-9lO-Oxf7erFaX%We;$#ISH6Z~c(_3uXeMs)p8;ISBY6R8n( zzed&q5PS63I+)&P)Ho%dDj>eUyKN7W%~^8Env5`z8_3m}hejFV@>P-JQ3o?Wz)g4* z;6uJtJXuV;WCJCIK~P@A(QgtmaeJ=p$R~xWml?EF=S2FQlTG&W7_(GW@~0pp6BZ)T}JhF&MI5& z@H1ETJ3a@p$DI4vvb-4sbWu;FpCS9A3UkKSTXVzbpxs~MDK_+%dy7`qam3cX>e1sU zjyeio>5pK}4oKoI8Bc>pcjpeIUD9;1c!(PA{n$;b{pHK`Vt)yybAeEpZ|0@RHBUEX zDmLF-%bwy~^~_W5_#aLhJ!KW@eVsn_a$}j=5R*YDfrU*0gUs~cw?ydM^ZeEo`Av2m z7i7qZZ|jU}L_STgzdnBAmeIkNCxHX`Dhw)uAlXaGY7lT1B#t-j z)@EhNVQ?{FIS||@BqU6e*#Tj|&IqvJ3m(&NODQ~V!v;b+=_FKY*=`khv`|mhUbUzGz z?Y1TP@PeUbW0x9f5$_k}tChS}g`xDEA2K(oyjh%s>NB@C`L9;p{2Fkwo1a)vSfo&s zSIuj9*!(qLn-%Gp%GWD3pOUo(%&9L-v-BsZro1=InOZMUBNc>0@`u+Ydf&P!mU{|( z`MfUql#SSaZbR15d<=51zeB*aysg_liTi2zB&$J3TemFc%eiP)*!emFp>^JHyVYF{ zjsi85`pAPYrbSiYM}H;xJfhSwvC_id{cskyujDdy@IBcxc!owbI1A%yB~ibbpL)5G z|8UZr&e1G3Ns@pf-8&A2{$?CWBs`|)N%am@SOV|ab85Cw6j74EJ}n1ihewseXRaH|E)17YA_@*T z%m;6R^foA5DMCfl6y5mr2GiTy8<(7i5Cq9powhxmhyz*kW8xt125IV25Q)HmJ%7O2 zdY4AHo-fS1$?iQWD2fOHDLNt`0m?&^Q%xW=w$;m-J{Bstxv`--jzP?z+E#Ab*AFT- zaL;k!f+UB6?TD4X0&OfgEhATvluHnKUG|+BsS?zX`pt925?}V7X3oEP7&uB3vlEJ% zt5AFCtBY;Xq}e-fL1y0S;u2?uflus~pUn#O9xHn-n||eCkdRNx@w*e=es(%Z(BnD= zhr{L>YRON zmf1-0)w&Jr>y*w5liO)yDv=ZyY~I$)a~mbWt(mk~_?5fT3&P8;I=YqNNuGHj5|J5r ze}g>Jhy27mX>w6zhG=h^uz#u9zy%Dl-JPK#t!O?sILNk97O0h|Dky<6oR1^rlEU~! ztO5c8D{E^?!-1GEkW+Z_y3FuZTwzJcm2A1>{5pr#N%1WCR0>e8qeK!Hgm*4ziyI}7 zrecxFJB3OZ)wt4abu#e7#hthd;!tDX>-XuR{fad!Emp@Ti{XQh9Jr==%wG={o<~Hc zGUMR|^N3KL9v3*=->`OlP!8T|J0}-mH;5Y$pWu4XQ3qX<4L!X=P z_&OhM+1)?&DDbV~^`Rs}7aKmn2_KJU^QjZ0l0MpK#TfIsW#&t8Mv1#i-+ojURR?dQPeGQ{Zh)LfG-3=TktGKvmU+-G$H}Vq2Tdicb&{@vj(&G_P zUcYUZ`uzfRez61B{LkI(<*%rNmu|G_5O>QY!`x0>JP{@~M6MA3U#VTdS;nAXZ;gPjX$YAOW>1yXfi>D zUi6_#WGCg5VxB}h;bVP@q89$3n*%|C*S;uTaI_k|OlK^HQ-bv>@gxfx<*obI)&pn0 zUKt*!)iC9A`>agWsUwg#C|`cLnU9GNa$D8WL}&V3*EL8}qIH@gS!BHiyhhw}%cr+1 z_9E@6-(-kT;b&hlK0Kw*rh=wK6}Ivz;xR3ALDAce$u4)=2#U7JS|t{*7ENV_WX$z* z)v9kAn)pj`blz~Z4Xn8+;}@jOb62j2wPas4eQ_nG5loBe= zex^WMrHHpmd0mZ3H#{>qBLBs`@W9~BhjNL$JZdBk_Dl~d)ms$BKAh}!g-mpg2&l$Y z7QTVvC2}j#Hwv%W?!iQ^a)54Z)=Tm+Q=VV3Q0PMd^UdGDZDIlU?jWX?T#pfT5k&F34W8d z-$t2-t37wuK#pZcn<6z;Fy<=W!thD0&1CG90g6xOGOw+&ne}JMuJn=Xl-!ERAmw(V zX7ftoZ@X^TSlnCmfq|Pu{<&#)aOU_@tB?NFtGv$1V(5(jf?RA;KUHuJt~>=lSwZ7A zz3ctPu@lrgIV1grI^`3otV==W#0^@UergU^Jj=Jw;ePypbC9>+{H8jdj7Qp-Jn|&_ ziMr|!zQIj`3QyU?AKI^9G8-Plr0Kzk7AO*}?0MO;+S6%O>~eD$#q;rkWmp2&iO2)j zuuHEJ4Hjn8UKnA(`F61{w7O)Y+N11dx6hPP_Hi)0A$|T}?QKG`Lrm3kR9G;5iOM+^AOdWZ^N)K*(L2qPldkkyF%+u=~EgozFy_4tl-rm)wvu zKE3?99_>yn{hd6+9D|*Xl4u?&gZp{v5*jY5HhL#T9#`SL$#Bl(&An0Z=qqe_xVL`q zYHU*Jhj0oGV6=Y~o2k1HM$D*6$a(H%GYDgW%v+2td?A>YzBw6pSJY*!39`#s^M3rH z88jXPPFld8=5g*Lk0-UO&DF~M;2Xvaffds{rMi>9JuTfyd`^1RSlBK#zU0oHLC|M5 z;{5#7(;d(=4B?u14<;ie3ErND8{xRkk6(^mqJJX1?MZC6HL2egzSCG&s##`X5ge0Z z^kQ@@Ub$4cc<^4{7)HAHV{~!vp zI8Y_BIKQ@Fmdg0UeR{zd3P~~P7gLgv(LCk`R#ditcxpiW8E zv`_|kkpoqhS|49OLc1p^-!d#&J+-~oRA%{x`K7tC*4V3h3q!~GR}}5niCdqAl-q5* z)Oe-=)1q14wOFN>(c!>o8u#`gsnnvn>FhHabn8<$=dSyjnlYIHe4z3Cj{ei^_G?ir zD5G3o6yH2gkQ$41r|Bk9W95srVcC#ngfSnC+{b^Q2Y^tCerMHs+D=#WI(=Ms_{`!am0S1A{IP7O?sUa9=iD3R z!nvnuW0UNLDz4TRbl{VPmXH)ZS>!HJ!IdpkU%u>ezvMvZ?PISqdsp$Ax69{No5B`Y z;h*U|V|SD=C;$|<5mb9CT(`s7y1joy~58H6Eb&ci_64ngBrB z$6y56H!uuYHgw`CsaYIs;18o8~kY3TF7I-wVh1f=IG%ElW#^#xPQop;^ql-QezwI zIPESCmi!PwV0Pf{taDn7x+sZ1{VYLgY;J#VXMU`n`}0gsFsR9x0;XF$pWCB5DvO|w z(vII_H)+$hKMe(xv!Z5OEWE8{N0cjr`nn6=`@1}L6A(~Q%CyKj$WFcy7(m{3n+*QO zoTHMan)5I}7e|m6GN%@F3Cbf1>dwcjL4m(ys(_b5zVc-ZbWqjT4$8$@ZQk;{EYYLX z)z#(k-shX`O)h}Ym=9*TZmm$GqM<2*qP_}?SJz+lrSM;s2qR4ovIq5DZyVfBOGc0@ zM!iTE#Y9I(&;3;N%~6%X4x~Fs+9Vh7todLHO2F+vwKaw|D1UGFK|x!YetH_0f=`{Q zlPpwvlnCPjNL_P*+OMx4KP?-HKL^9O;Imc#T4 zX--C<C(XS}B9AycTIy?Ms6BgB37znGY3`#WG^^w!ca7M))~H z>7WjK5)_5czbZI`Fx^kn%29!`Y#z7IzhT)MJdKw3qnr4O;O9QM6oEKO^$nrmBw_y( z`U4r_-R*5nwqtd~Pw&xo?ryJ@A?jE-XS!orQ}{iIru)xMO--Q*3JN;uxJJDI#cg5d zud3GG^Yrp!b)rA*j;6ThhA3oyH4CZ$^5s9ugX;eK?UxlZ#GsEXUgfuY_iW~970E0V zg2GqI8}dm`WaV^(;m`m~m?Oq3P}qFtimoz?s5HTp%lrwD3FgzRFiXGHXxu~cakNsp zy}h*mQ{~MT)VFm`IM#2f#EZ3SS?njp*01^zdH0G~Dk|R+0M(^34>+X8?%4}nR?1ek z7YaX%G1CjegN(3&8lUN*3?HON!T@sR3X;uDc(TE2CAyb|;<>LF-8tp*Qno6peyUI^ zm0uPl#pM(2$x7%5pChug<;`#pFs2ldEKhuR_fCe7Ingz&X3S>v7h%^x=CQu+Sn`%gwK1W|lB7_Gi<5xqiKDTYR zbi<`yS2|c6<%|k2^2KQ->S&;^g?;-OVUdvEDqHtvNPwV$VuuPao|&J25T@A7480~3 zp<{GE@vyK0;j`GVU)m$axKQHrvG`7dGyEZ9Ksp#;!(%>ZtVneS+699t5-Bi)%pA(5 z0wQZaE9HLqaLeFPPzV4r`Luq1Qci~(5kmog*%2U0OAJ%8;tt=BcoiL?Flf6#7q5(% z=jhRYZ#r!X_-@r!L-<5|R$V9^OV(HNI6Xb)3o&n;G94xawzY%UEMK_CMmsHEV9*@O z3zZT3txmtBFS^H@6dUG*;}{+w1`lB;R(F9zGsxf(DDzko9<4l*Xj|u-1vT%sVva7? z^h%W#wnM?p-JQ0NlDfb#iYt~lm zc#@SM^Q5b83c^^r<%JD7jZ!+Eh{9rS$O!pJu=AN*$N|!%uB}GgOb1~_(Z-l4di5O3 zXB78DDItUa%@ZXJ!zZ=kU~^#9aJ)09+Ieeb{=;*d>#X!F#_iPVp0G%im2*BqqL1%D zcu`2PCeVEnN0;BBl@bfNd>Yqoio_e{M~mtdu^)O*DMCAp^G3@^F?g|sK*$o3hu4H- zd){PVDF(e6<*2n<&>D5kwAUOMB;TYW6D}ORQ&a zy+r*3EY9Mp57Bby^e+{FD$+^4Px_)*(ik^yzZVf8?S;_gwvhT35c)LXI=S{eINN6R zl8P472RhnHoqB??l99IpQ|RKSbdWC+hDcXfzQc?nYZid$p_!qkF@j^&_<|zk7G`X9rx>{#~D?Z;I29-44_*t0m=_VjuQrHt(5RJ;>l@>u=4?CACA9B_AXSj-p zD?YzQg?aW^V@`1RsGYdU7QxqOqM`4>JH0~PyvU43rM;?e?AaXi^47R|{Qzzeev5zL z6^daLqyBwag|CDV>cAmd0Tzv|je{nIY+u_hONh)6#r3affvV>oe;H* zY2F!rbIt*3+6Jd<1*dkT7^tMtAiH5?dh}1U78`m;O~v#~1M&RXiZzObKYYn?-h;^& zl*VSg8V3?lYQ${sD-}naI==Q+C3#a3M=2F z5{T7{xB81HMg+zU74D?ea~B}D+}3a&G>gQYdNV97`e~EDg0kOQJoMz)HTU#~!NtD` zkPlll(e|Ir`V#!y9^!bh^t_>Y0Y4Qs*T*wBiyzX&T`--d(Bfjr1$MvOka1Xy!L|ji zWow;Cx+m;~pNK-XZZTmQpE>#lAbFo<&dpdnXQ|Q=;J}*QA%1nkHM!zS^X9UVVO6{35#x2 z@b2Zd_pJy&O+A@5ubZD$8&9fbsA0CAp6Ij67jSV3O}wOMV*%AHbI-?i0bNX!+$OL( zf9AcuPP#&4(zXI^;q36uSXHjNhczVTl@n**Yf@+RS3Y$mBH@20VH;+zs=}zr8Xot$AY~tYHfQ!tPm-AaqBaCb6?VTa_C=X_DKlxARGS3_GvDRI-}=Ku~yxU zi`quX66$PmH9!r}WDE12j77!wBd@b3ees0bP$Zlp)1YFSMfZK~2~1q{Do>9pF5E`r zHN3)uThc38;?c3^dn&s~>FWy2+V#s`-8Bq*qaTLT5{t5m*l<;$=o4Cu;8y5 z$D_>i=i+$%FTQd~6qmtI_fy4LN_&I>-->-+Ez|L$bVW7^r9J@KQ}iNMZ^9~cg;T^o z0ey7oWQRyUXO>ow>-ljx?3)#D32)RahNu#uVp2MX)u+D-Va7k9vGzQ6Rlre-2&EsT zS#s3L(`PkZS&pxXWQzOpB#@ zpX*r1owB`IOJdHcpT;v6W_d9qN;IBkqTj;&ty8Yc5Ed+~HvK9`p;L{pgBJyAa}%an zv3y6%0Q~Gb%^a1O_Rs83IG;Cr)HxItY23;tvyus=L(9IX1DLMKo1+UH1?BCB_Mjq` zYI;TgIVM^WQ-y-MKl!b6_TIoKp?)leOTm}Chi1+(j#sUVa6@#kJueR9ES@wYJ=cnf zr6VNCaqWFEVO@inBK2!KQz)fS1(v-Qth(ZKd`)GXPls#b=Lb8vL_VN^n^4s(F#W3k zl#vV`B}Ky(7a_8eDbf1`7lvl!*hO%Q&^*&hnd(HhNMzN}T^#H&aXO{BQ&{`suMUUR zo4rebySai7w#;DlnHs}2_=Upw-W`Uh^Nj|(5daRV8FBPeJ5Tl(nKL?Y(wS(JG5O%i zZB*-@AAC}+jiX@dd3Nl{Tc)mk2M^d-9s1|ep}HB<0IjzRwDV7MUY3_NZ zJ5!Y5(n4%7h$>$#wA07|KK}BCBCwv;HvX)RFLw2zP?`K4!nEk!={JqHn!SSr~;gHD& zN=%qwAGY3sZ&wm0JEDN@?ZRi^8l;Uc(kR6~d+q3B+WlB--*cBXpSU3CQB04%tB<|E z;>!-ksMDN#+It^z`S=p{~_xwfZ__4u+d$dV8Pv;;K41p zyK8{p5@ZQ(OK^85NFW6F;FjR7!JS0{1P=~*hunMr_x^gRQ>kKW&P-3AnV#OKj=&8!cM}Idwuxuk75li`!xAk8qJ3e_9%})Uk!304Ek0QlNN;|x( zoTopRs8PF$(HL#28`~9^oKJc_4bCw@QaIl%F$vh`zYD?5{)#OkfcV}Bg%VdDJ` z{BmwD$-VN|_leVc*KL~ly<4sim)e%26_iE<-`s5{CKBaxyhIwVIT1m@viCGj?aj>( zGgb{%>qt*pvISn5TN+`{*<7k(MEwxnzB#JBegJHx)rg6iBMe1AB`zn?E{^*YwcO-n zG1|aot69iQ!sifi@W%_pak|x~q)f?=A%{uP*ShKuOl<=|=BPm|6`d9OHE?PaZ@!1= zkk;OAFtq;-m_!yVlX*Up-Fo#$!`th0q(P(Jqr^b%4c1v#EpTep?X)0?idyQ^$6)~2 zI2%mg8ufe__VD3e*6Nd?*eq6VXH|Fbp&O8w=Bkl1Iug1|{usK^T5SsNyuLM*JOJPd z+k46?4`&Lz-y>4w?Y+*WCTUFT5aN@``anGCKqd9~arnX}ut2`5VF7?SIjy$_QTq#r zfvWQYMZ)LSbhsQxc~Yvir6g2s^OP(Og)V>joW4E;U{J>oKJXWMkO|q@XdtZRbu_Fe zCi!+MnY#3soXhq4%7jieNnZksP4Lsbd%qr9*N>CyK)Gm4wvCxsQaq?iIlsj?3=g?C z^?z6ZL9ah2UGks!c>9$pgSG86&Ce?Op7Dk3xm^*OJ4&CIp-vg1c9@M7i|D-(K|knU z6y}+l_QsKuhF_ES4+a&!d}XbyU2cRCZOzeN{7AYEPVE1gonPf?GHchXzm%_8t4?oa zzWK;X9p2UD{hOgIwIr^-X&hQ3qogWL_0^o7Lpg&S>OHet2;{y?jFShdr8|Jo&qPYE zQ%akH!rVV|JdcZdA?f1(1|+)tJ${dVuu9SO*MstGdte}6BRR2296RNKhBmEgy>d;z z$=NV=?Nj#l?3eHe!V`Gb9A50MwbmdBTE=&mlWPl)W7h5d7f6WFX&(bO$a;NFM1j!! zTrt{k{d1ja@OPPd*glr~;~wwuj!aW$Pa=zo5c>Wa$sz=%?a;73={lTLA28sGH}VM+ zxw9*bPJ!4HGlpyy-gUcQiep_vcYgc9An1Qk#Q>@PXLKT$Thbdoz`tY7lTl3R6Yqk) zBp_b9J`GwWnk^^4%5BGSq+YG@LDl8Ri%-qQgw9a|cnbFpVP2_S*2SsXaOWcG@atQT zzw9@+9zEkdE4{>jXcBNGFw#d2qHY20y`OJn(rsnpwwj6$KxxIM{tBra9{%n2cz`j> zVuCinLEZzP%QP6&46HWg)2YeB{t#CYOisE=)%ZO@MqlKFrY`H1t^ajyA| z*l(VY_t%P%Ul6=PIZ2CEXE*hZ$q|6-8^-I=i`F%t?bcZEx1SeIsP|YjbX=|>N1I37 zaS-v};<@{891B7k49q(&g-j8sUchgraU_(6K@K3hc4YW$YbC>Q8og!FLMyWun+^1wUKlAPZA%?6(`L11W zRWWp`(;-m1@~1l006Bp%-91sNI|&8sIi=(u9-}k&=}srw{Ia(N*uDhE9GCH}>1edb z`p^D(AtY6+{1ngie$x<9s-SY9>=puKY0f-@mqa$r7s5`Dy?#Q>0%{=>!1C zAnXRUSqo>O(_EO(?;F@nZwzr&*txPA$= zL?cyJz#|elTQW#%4gI#l(CEqMj!5CrZ;Yk ze5%`2Ew8}u=Q$DQ=dQBq0oZ945zCfzy1_Hq}p5lFDU`c=Etcd zt<&U`jC#lVySgs7dj^*D!B7CPhvH%Kvs54DF+6sll2i}>a`Ncy-pEJW+0UXB4<1+m znnSu)o1Bvh4&1%R+D%WosPWZa35@w3L9dZ`Fo7`y{O9YivXm$Ke zJ0>>#)3sJd5CGq1etnkb`uCW8wp^RYrs}D5t{59KSD_CDva#mCt-+v3Ld9k?ecBAi(xgHz-5z6>z)ce12T3*yykoXZJx;Z(Sc#k z6D!gW2&nk5hV!zDr}1+DbUEBQTRR}m<46MghH~g;=cq6roX6bB`4R%a?!q#o=cu;_ z76I2EPEaEuvDfzwW{3VuP`f1*h5jD`(XJqqf>Wv`TR->VR=TBPw>tAH)!wM54VRPb z%N7sEX>1#{$9z!K&Y#11`7{w`q&Sk23a+-!`xEhHzsz%s`^5LU+tzm;N8v|#)>8Ez zW9mYlnJ>XpX=!AwSqJ=;@jkKM=Yk)pZGKnr0?EZek>MW#*&&f137X#SFMSUE1?<&d zR+aw9KRSkQEAaNU@W~pCWJ}8#{I$!jC$oc*X2AE$1+)fi(Bp533XnPTGjLHf#emPbQqU()kdR%Evo^ z2Ihg>BK*3CBb}p+!@8e|$L^;_=C3}J9rkket;d*Qp`S+e=pu3WuL#7(uTYWhRK%Yo z`&@s0MSDSog2xK*Bs>gArMybPkQ-m^uNbnJbt~9|Vw+dV(ZX(cN`qd1jic>E+LM?_ z#nbOf-eV49ov(f?+c7MoZKSlP(xdj~33@j35xP8WBBM{TxlF$9=PS1G2Y+sFdLfDa zvR17A8Vq%wRm3ZX|tuu^)2bY+Cj6C z128cH_m8N5P78j1)d{C)_I@mT(OCM75!nLC@uvIEzNULji~i|f!%;JZDr#1@ z8y;?kkeL4qn0H(W0Q0Ckau!N-zmg35y+tbg8mlYZ0@%cm$U?Z>*2L7(A`sKS_3DI#dhplIj8Px@l#Ugvqwigk-Qbno>}VVyrGAl< zJ}(Pa{Gd1{eVIuC^iHx$cUh?e^>u`sWjE{2$Ik|Nx>>s9K4lyR{aYdrkDV{jcL+r- zhyh5P{$p+}O2dP8sRm^S@@+Kz0LFY?rAZv1VnUeTH%m;+`N>Fh|zyJ6ob9MUGj z-*!GR85Gl89W8wPg)7T+jc1}#o;EIXB;cz4wZPrs{=n*@#(kS*r8NNGSJfEP*OoGY2a6jJjd* zuglD~@k%vI@?l)T11xVGSNq*-fg~mCavh%C%xm(gHml(bW_=OgNFh?Wc;t6%4ha|A zEtFFYvaj(6l0{@7*&cdlEBVvjird-S>me=-YjkwKs;+UBo5jdT=gL!vRufv5~4I59eR|uBT-h1i{ z5V!+}zJ$=pMd^Pe6y}jikJ#R!XHJ&Rn`u{#$M9-!05*PJ{rG>04%N;MQ3?uG3dsf@ z=LwEI+h6(NtJ-s=zN*clZ{#RkiSm6_>wT{QNL0rjNBi2p9k{Cp2&OY8?0WMR)gg~x ztZ{7^P!vwEN}z{fKN;Y}V&ICQ9_*0<+#TKK3N6o!FP`_nRzmK@u0{vJAlIJ{SjS|| z6V>IOlLZ!nTxcJ#&7DzlswuX&22LpAz8*&BmrsCOfg2kUKtubxJPP5N5fDYvsHht zG&rQu?KPaB2Z6Se&GRAHqw3OEs~Qv(fXEFLQisw1e;HRlTx=A9{I$v?rTT+=oT2tz;TvT9;I943*~-ip_pzZKH2t zcpE*m5WTFwWp<(?gRP#4c6=8?qO}&-FLWI@X%v^cNU!e5hQhgED=T1ia5v(;TIPxd zo{KP|5IE!5qazJ78ZNg0WXc00rWiMl7XOQ?O$m)h610Ad=tbfkYa{1x*5c1yT)ZHyP!T=ne;LVsDT*Y7R4-;7@5HW2T}PsBZrZE_$y&XZQ0=G zI8x=aK(c^9WE31V{2$>*X>ImH)LA*8C$uF6Kvs*U{P~4pZ(x(((gJS0iO-f^2WSpB zfR7>|2YNsC5(0^hKf0+iw0 z|9vQf>~l9SNcr*#r~A#4k0H7lJd~1b8h+l+k{LPxYHe0cFJfePrq2jNy|NtK9O_@; z7F$I6G^*cc!0SF1?wXPo9-NUg?xU{IH;YhPGA`DMe zWAnQA=TzA&Ww+YWPvgUo>e;2Ny`f!G(9KH_8)rP|;YI$3=1PNVP9kxI-l}3QgC6FHn1I@?J@%>SI&z+i!A>1dXi-~OIVHhO_{DXil1xy;Q zZs}*i?7eMyYyg-s_)0t-f5JElKA!@L4~ zYl-xoD(NMcZz>FgY3n@hCoj*{1cwhgs=IjU1}{)0p+F3J=m{4yw~#iWKU})k^bd=1MrergY)~s1BqyRJ10Xu z4CtGH`7L-4tEl4-L(C* z^=ncSpapnli|9f3B7vQ<#XFU;@!4+M=?sGxw(Wwipl1Z|E(=53Fq?y(av$X)?7F%~_nUN|t95rL-0X&5Vg5nKna$z{IU)BxEFmjT>LEaPjD zhw02vqvp)x{5ES0S8G$6>Bco@3MQf{atmxbxq~P;?B_&3QlAJaq(t^~?GsT$G)t$d-&D~Dk1!vN?%ZbsnqSN)fr*8> zU4?aAk@SpR7}tUxzv>@$$rcPwHmRIkQX;xniUx0ahT~~;{{)Vp*P6?U09d-q!Bv77 zG=OI_!z8GEsftdIg0U$Y*TYuA(h%|32NL>Y40VNMyxtv_fvT5*{Y%RBxv?5P;8iaW z$u{`NUn~Lxr%fewVJU6d-D$?+m#ys!PCeY z_YuCs#9CDEWz_-H1u4P>!r-m4@F$*F3?DC_ROg0_FBZA%Au;O(FHWJNKQJeH%ny)q zm6i1pX%&6gzUts&GFr?pB=rqF<_!vwZtuIblNsc?W1a%uE*%}14 z`*THYjD9z~L3kCQ=3?;?cnzRR06Ja_yyjKM<#uIUBY{;)^P;&NPFZ!xaoL(F6U=!= zZ}E$$UW$-q)miz^%hVsn??pZ&yzGPJT{M8U?==95hF32Ho~d?7L->VZoC_I2At7Wy z^O^W&WSCfPJVs*l#nxtGWh|g$umA#(&37}bf!I1#W`MkS;Be2l-;kKsf#6aZsPL&o(ls{BJqUwhkl9YQNn{>qR0j8V-Ds zGDkIlKf#gcjf2RFFJI>0pJ|>mM=Cjy2g=xs!U6;G8$26KbL%nmXVc6Db>iEn0!*`~ zHnc6tso7%S%fvI>!|HjBO_&@_xQHe&^BM-~j$+z~d%=mhhXTswpnZnLh& zVwe*{Q)pTlF3UVk$^+nTa#>bpu*j4cp@?tToN7nROk@5!d9cgI2~7P*%bp;1kh4`r`9ryO8%zqufC+4ifPY(vEeOi@qR#ijRnY8tYYk=KklnnwGA!S!n=Esj|uPBlw zMo8HL$&4&O)x7f7;;pq^Iclp(QYiE&ubE5n{*jJ^dA}xwrOZPnPe)Xv{P6}0MFo!B z_*veGI3Znnk!}n(1!~5*Jni94NkL=4@GJY){%h_pG7uFBeUqCfe zFJPQ`_*m!L`gX*>K1+P$9ju+3& z_ge)1!Tqwx*!p*$p%AG-{P%QR#m3_z=3Z2S+(;cZWPyD(9w9CyOD4{aL11sLztlly z&@#}rlD6n&$XECcOidHdR;Cu!IQ!F|5~RZSidDnJ0JFxc8wQ)O@jh+-;GB}hC68LiDG3!J(isLNBnDkaR_U)8A}eHl-i-v{{PZ-;kI3kC@eK`= zLhhRNot!4CPZj<38F zzsCJz6DUZ~_}$Nxbrhzmq^}_rh$>hK_WS&pm?1L|Sp0kOGvIyOXQ4uF5PQVskf;^; z%t;y6!vL2E)}t9^fuFAvbWCaD+bTwcq6%zpFolpAI-^{Cn3#l!D}g8>AB2BJvf2?- zM@%AGVGS01xeP)Q`~b!-n+ER}NX*fo4Q|@?%66MkW>{OL%*m}L_1sTKNy>ljQ}oos z7C}J^$w>pThjL@2C0Hz~jezW1`%#WVh*mqk0t|ld4MmB(M75%W@AO8p`<`$hm#qjy zSJ52s{gQ_-O)&+qa`?xi>0$d8yY8}swS20N*A2tioGpAPBD0~o!mSr5d9nb5QB<(kt-M$t`wE6vH0t*gke6nB;a02WZN!z2tOd+T#y>4J}7CDWiLMB zMJ}1+x|iXKCdj6OV2323^uNy5i({(P@kC#Y$V5HjZ;(=UEyQA}-8a#A^00IhksT)` z{s*ec`#cKt39W<3;4tA)?AX)Z1tRVT-`K@8T5^vVvq%DB?c1W1&=v}liW4aMDS*T|4L@>s+3Q`a!UAxL2+&ky-ivzCHhh0 z^$l_UsPDNvTI(dSz}SWD0zU=a;E6HtG84$6pbA}Rw~9M=qz7tk;qr|YI8>qeyim`D zv`Jw$#ay^F#J?vh*N)7BTM7M6yGt)iXD<}y&g)4+KTY8>HLp1NDcZKp^~U83Zwi+7 zM+{F}*KEF~s*A}s$)#h4jyEfnJLSIxwrt{UCXaYOq+z)|t>qA7)YI}QcSBBK zJ19JajKa8#5RTr{#=la6d`98r%P$dd1^?WiB^S@ZO{pN{zr+_83!ILnIH-utDya!Q zuf>a`^Wb8*+87d@c9Ua$$WNpu`wKF{+*dumHK)pixlGEhkiVImda+|s1DL9i zSE4p)0sRS96pY&yGV?d6EGxq*pHRFJ$lxfOA}@@o2@JcQ*4Mnn<#hbaAC@t|T=_II zQ4u`&H%e$aMYbSBJ26`KBx_lvv;4Mm>` zj;2HLBw_V$OV4sMD(bNlAME#TwwnN5oAX-s?ds5Y)Ad@WxA=(>gjS*P$4f3IRs(q| zdN@2mrx=VtLczM8+8ixe1w7|_c)C?LyPRyWn!IXmvz^Zuj0f@SE_Q_9e2kK%ehI3MZxb3b-?sjx>9%yHx-}IT-YuHOJWEhOQH)zk=!gp`Pp+>Q zg{bCKSmH_0<&ynEMnf%I%hNPi zZl%|^z--Q@2Q^SVaRtZWxsr3YVd&mp=pcSmfs2!BcT{cEBb#OCw{$-=+70UNYeT^F z6Y}Ryy%x#F*iUtP=^;n@@=zK^e2eZpnYbf3mNRETwD3@bhg2vmf3WE2;Cpkrzbn3A zRk)TSspVg0K?H5-u=9uJk6{OQ%YcsqhT^!Rpru9}jS6lNGB^~)Sq`(5n*%OFFrnftD|7&u>LCuTJs-PDz zj0&q;t_y+xBm;>pnwWlrtw@7OztSfO$BdoN_^iQd8oAD$h{42Ebk^%MD4mL8Zb%4* zzMqu1E{noGuV~aE9fu%4j%p%#FFjqu+iP*lDZR(RGmN@Ag>z*~ox%s!Jq3l&m0pH) zrMe8(f~w-0~hGO~Soj`wDr~$*puEO4!Z`A)dw)Um;e>NsI&D)@dP) zNx}mP=axwXrkAGU)hw81Uju%$Txu+_znbaIrezEnc_a8yYJ5A%ZIDh)4)f=Sxnx>? zfMHspfgnD~tH28;>GL3SGx3@kvQm@U6-Ab5`K1VU>|S`--m3(69&41=ef|N$0VXNR zswhbc=Ae(%=bK7FFwfNf#HcfZT#}Q=D}#lt;3fZqk^a&xvv-*$xh@CBCWDi{lht$g zg4rOKZK$8y;BRsDkEB8gSVei!g#OoPdek>ci5IQX2?FWGBfTfB+1`pYa?&9eqpSu~ zsh4DodY7F?T{$ZB{>iEK=k;{rZ;Ar3Us^-ViW}ra6lsWLdLs!3zO7lXD^2WFup1bp zPPdpM5lcGC3gPAh``@4^7D(LwI_8PTa4qTT9zC5n-1D=Mj=%(2;mm#$MRwcBxc;M; zd|VRlNnSh+X{1bi5idRzK^}_GPA#6ejl>&>Cy2w6i0}i|=`udOh#Wjrn=pwG?TIir zA?#Ek14rkQ4U&l?rTxAx9aoW+z_vxNkxc)HGB|Cnz?5oL%le-duXCRZjXtWt2E~Z$ z^yCQn@A{R1Hl80UbyRg&v$;Vau3(+C&Q(qV{DZ!HcOJ^17)RX{#f8hmkiFw8RHF3f z8XC_S6KRFRhlvI2x{%ONZ)m}Sf1^h}K2AX#U!xMmKNsP9E@D(S(r;2X!WGShGU(J) z=T`0r@Fe}~y2}X)(AxJUQ|Y)PN7e!s1%XaNMxM5yxb%G+lJ{_@Y<3ACRNz_BdNy7g zSA>bQ<}3yVR<4C=fJKOr++YK7aAFNG?V1V8Q{_L`Wv&{CE!YLWU*!DhShmRv6_qGV z-0o3?sfQ;5gBpy3g7REZ#uTM=TuwNxjm{9}|C9o#W(9q+l4}EtM$UsTjeZ+aLLPmF zB9JaKf@Ak=DRHQRe5IhdWc&izcVkmIjE}9Zw;dg@gD-~*r`snb)BAygSt^((9ZfsQ zVSGJN-9y=hx+t+VlczeWEF+D*Lka`em*0{ZRjmX5t`6#DdzJ;3XpGILf3-1!E&j;Y z36)<=6zov+edKW#oDvr6Ao;$R1VX*Z?OyKDBeL#%@SYOT_9^&uBK&KIyzAFh4)vZA zJtRvf=CaNx$mn;tiUw!hpx~y!RVnJOSdatw#HaDYNJHu`R!GsN4#@Ge3i)|>m}$e& zKxm9~`0X#ID@`<#^@3>_S5JMf&7#Oon!k9mAs_iua_uB$4Bsb$Pz8XYq7FkCH4UDUiG#srG2a`EkZy404Qyj;LqS^vq3QsVMB0raheNslXFDq5O5t1pKu+r{|>(NGTaD2}{wY=%FLLDJu zerq~^rwJ>vP#wPj;owyNEuZkq1LXe;j0knu&3cJSL7yz4V5x!#ftso!jm_8=FKTYi zlL=COe>886&zb!t(KI>XxJmbsLcQzR1HEM@$7_-XKh$`9fAqZT2RP>szVLzNkU3_J5HX0FQ9BU_ z3|~4mC`~vGquCQ56C}&btVsf;k|2sOYfdLO#~C?BdI#uQfe#|t?L7*EOknsma%XrZ zu1$e{R(=o{nkoM zR^2Rv5?>#opeBe917D5_0=IiYJ1H|BS;&~kETHwVgWCpEwkc?J<6ww*_C4oP`zi@y zG+uAZ>pkp0c6ee>2ZbS%I+ytxUbVN;0={?Xn1B5dVhwqF2PLKyQ6ihZ>ON-OR1ECx zPxEVrcG2Ob2`X9tQ9eTvO}U_+tl~J_-Iq&~fMI7z6kpl*hCY^YqR3a{CAjPxt zRYcfLN_iAhIa19y&Kg22v09{H`abr9nT(8aWCC!9FG(o|&%`A^k#bRsrJL4vJszLc0_enE1$L(*9RO%i}q3)w0 zU}Qsjlt8YmSP>Y zPoH{9)<08p-toMcm@5r?{dGKFHCbrb&FxUvPm*GM6tzBqc3w)1Q1DlV7a6BT9ywrA zakXeyuK(NlS}4{)j_fE zzsVGEe@MaM+oDb~&QT&{r>@W-iW1Y2X2VFYNpBB)ICb?S6eU&*f5LLlp8HeE7)~>g zJvA-_*tO%Ar?Rm2=@KMWGU2G5Hzx`_rsJOk@mJRzV_jzmH#14hk440$cmt2`;GNqI zDa)HEnhTHj6MIhQ*H(!HR(8+)J4#==WP_sy1wC$v!s71Wc34uC%+5WQJx>R&-f%M6 z=TFFte=DDVrYo@=$sHpl^)e2p`HGqpl{3SrYH?LW>H2i!{b#_iQk7S`OhcnK_0heP z@*ZC7rX9KNO$K>6VfFXA#gUXfIY=Ppv2e*6)-Ya(9AzLL{YY9j*0xQ)_q{bs(GKH1 zY!-Zq3FQZqoq4I(!l5QWO>s|kVPwL7D73Qv;peHj3j2Sv-<$S3FE?#ml+*$r3OL#* z(VoTeSA|1f=@iTiiNbpoGn)B&yO5fa*@JMxRC=byn(4+%LR#8Gn`ZC&eOIArd;oAH z77n;l=VLt5wd@!B)Y(5uyX@cfg1deIMD()`TLprr^WgTMyYG44|HOOEFrogr`0r^z z$(1p0vk#<9!~lQQ$FncVTghd=+nmS$8*>9Y_CaTP+EWMza-6zCRXhO;aFqIv`kJ;y zw9%O=nk?S@MkCa>rj>&`I!pDZuirzZyv z*7qc|?K-}_Dir0?vF&dkTUuTIz_h)%3D*FmZS?L~cLDtU)Wc7Y{n;HU_w`hzJ&XPB zxAvW^`X!u5@evZoa_8R4uc%~H!^eM5odiGWH(Hh6d5BpID<9qY6F#lflBQJ=&_jM4 zHi#ca%-ODd#->Z*h3w0Zng|mz#^*`b*H~w?y0Dz@OoTTrcLblO4i{K|%CgmHqQApD zjF#QRz~<+|tS_GE_jF^R#}WLgC=yLj9bPyRZsM}FpwO=V3(@h$O_bfFJp}0|>AS5X zRHi3w*O+LE@XGAQt#U3?Z%3ZO=$u(P3Sab|c$O9T#BDjA1#Mu>HpKyk$A_Z_u{*z0 zf`FwuN{LMF&3k5x+KcPo3mw~fAC8xdB6HFYwWXIM#mt5Btbu%vn+RJT_Z zEQde3ZY^Mon3f9g{q-hEXMZc+aqzbXwpf1JtM!GG!AGFc(J#) zx1GxkQDugBw}!kcB^(~wJqvvvC&&XoyJa`kd>Ba*mX3oxrg*i6v{oG?Pf$52kTp6k ze7vpS?Gf@$@p&BHdG)e-q7mNc=c6dFpyy6rk2n*Znda_UOGa>C2nU z7hgj@!${6x4UVU*jmM(pZ`V7v`F9o#T6U`cBbHxlMQhboatoK+(8NN!ImYgIR@A~! z6Jf;L7C+PiwcQ^l$n53!zM62r+!po2d&6cFoBJr%?SNrq@%`@B_8QWLkoY=q4o;a^ z7_rG|O|z=OB=G1*wOl}7MxsTn=R5^^6iG^i#dNR5{JKex&el*ScOW;#tA~uTlL!CB zk2^OW`%QyqE^#6Ez};-v0G?N(N~A@kmNo1C z1i0x^aHZISa+s9eWmagDn#8&-GzS5 zohNKOd7joD{0h>Wd@i{|Sl~Y80w7P@m&=tt4l--DGacxZhM%PO7s#K{2)G_09B7vm zO2>Htw7rHA8p(zDgJ^pkOw}WOXoR?xRp;6;$My491QRAP)dMo#miaLD;z0%8A0JvI zNJ7isB6Cuk2=#^oekR~0+XJ;|{$P0%q-x@`H9LgsRXq@s!Vix z_nAfbnQ`c6MOXx*&058;h)*JVu7J6$IBzv>ccGp-U{RA9Z)78_wLQin5_FO+yG5!P zWHxOPY4tpaV)=WJN0xH;D~F#h&+jkzlfVi9B`c&4a}X*(HgW@X&Cw zWa2g|+qQAGEX{xbx#e>}GaU=`O4WA9et+o~uj5)XQX%6+4=(*vIu!)6GZf9I(o^HJ z3`PLjuLn0uQfr}%3ycFdW+6;RLHTJIE0^9C-D|>#hDe+m|0@;gv>c6`lM~p?-L3hQ z8wiik#euC6Z(1$b&F03}L4`%zkzH0f{hqyAr$r$V+^ZAJ+}sTB-H^-!<#I=?8xLfM zuyT=FxN3SZ&S?lp22&=Eal3DF-dZ}5)<%UbtCk3BZ#by_Z;s6NTr4*Koi85C715L6 zE!H{yXne)>dN{Ar+*W2y*#YOc&7qjD+^2 z71ssU9V8hyV{{GPZQmvafXH+r@jMK0jex75$f9zfw-%hOg9_2T+kLOoHv)H*r~?Zg zGKAeJo;hO?*Ez(qo0d!91qq*O+R1_Dq^lt5ZChx96$ zH8^jby4$H>Idi^jSF;ldo|8#s@?+*b-P_h8Ntg)YhTHDu%@R#JB`N~uf0`y9Bi4Wo z4sC3bXO(O9F$M^ujxF)&gxfZHm-AlzUilg_981dob2F=}VmYeJT&I@GN#e86PFYId zw^#GeQG?%`UEf)>>hNE+Gr*Aw-=nAZ{D2EpBqC*_mM67i*fha)VWnWDs;UQ~^;@J^ ziv~h`mw#aq!l*6Ze>!cl>}fs`Cwjp76E2=m{3@KHyX>}HJzqT_N6??(kI`(;-41C2 zy^{6O`b87Y8-+u%H-2RFBdOAzA8$Fu?BSMVJL8z=O1;|ksonhsZruoH70$m5uXpy( z)2Gr5%#Uq80#gw#;`s}!cBAjb05K(r^Y(CFB4eNv9uO_9FYw}TvUL5TB~^r@OAz}P zxlG%@zI@kWhCmH)ZA$UgsTZZDp)N}+(^83AD9{}6IRhwHDV2|5(?o&F?7zJ+`)_Z= zIdj8l7xGc_YGjD2i1?XKHL*$A3mSs`+v$K@PVUpx*Ius<^FAZh{F-50YO6; zuc)xQJ(`coj} z58U*RtYZ3wG3$EfHoGj3uAWUIXYS0D)vfLA?0DeLhVM?Bo0}5ArEBUQZUSU_$_!dY z*<+2>0FTS7dRFa3mW9*#u@?6HzYOG!$EC9*Wd-PxT<7lscAh} zoX!6@<>GD>BnIZh?Or|jf+KUM<0%JIMmR-=*0Iybg@lNcekNtE#vEQu)&(7aY_X`c z2`N-QY}V@{uc&l+H7i}0AKs_U!c)Op(t*D57;3fw}}B8BhhN zMx6in0<_kq)Nxsu7p6AH!}i??sD2SpB}QaK#J(eU=J}E%AMr++ZPwhdCHK!-!^+>n z9!Es>+?ir=k&$-qYV{p4!!0VutVx|~^;1?WbR9mf3V9sqi!w2lH2t)%B*eznn6~7O zZCG@y@<{ewpQ31q?|YZXmDIQCg6Aqg_UhfccLe&ZX>*w2+qe1o`PaZl8fJuVGjqLF1AG>?ATv<(CC5TnYebIK9U0?0i`J(*2-dDR zHs3O6@OvOX$PrGRxSKxRchG?x?1)U2*XDL<6GckE%Cqu^4rs9%kl*tyTL9zi z)scs9FK~I(wIM43c3w~Avx;eGXi`=I)ujLfR?DM)(Gj>BjK1Y+@DM1!WkACEmUQo1 zRxxwiCsE%T1B#YLl;1`Ln3$Da!e`nCLM&l8>~73w7qQ)=@2E>; z_)ba@Z58!22-(dH!~fV{rJ6PllnE>y9rc3+Q0{m|Y>j%Oc&8GM6!wowYt?0@w5Ez$ zWj5OVPTxkz6KVNzoFmHz7g6(HKreh2BwW+1Td5!TTv>*%>kJD4nQ zrGUjr7Qt91uE=QcVHZ!3M$9rGxn0BNwp#Gi%Kz9siY!ty0$2Rp&o~+d|LimZC5huf z)0iAQ?y%!#ysL?7y7(tTZraB#WOr?4&M1*~EsedERN2`04akcjltIZ+bH%EPMxGs? zKa)tYT@*;-Mb#&r7j#i6XwfJeCmSn)GK$g2_UKsb1X#MDUFuDi|w-NvddADoB)edh8bR1K4uLp2NZ9G9R54x zuyJs3vXmhZnu#RX_QLP03P2UKyehuTbaa+2vvvTd*YU>2h7MnLr6r(yrHrv%JL~!u z4b3SSlJ4$iGdMCGm~=(NU;xO7g)O0}ADC5SD1wonj_j5nfs^U`r3&wMH1&3#*%HP( zw2aL~4>w5Mk0S@AV;)j{h3A|?P#rSqLHJD&Mxo5G}f&i zqz+H2WGi^3QRci~D}|~MnV*=POA9uhHE~G7W`7IDW*zsTk)^{mNlNRxpp`8}+t3h& z(S;eD)V&)X8fqCBaeGhzU(nzA$Z%g{9DK3-Mh6}9yY+_n=}|!TJWlnT5x9)7*x*Ljr%Yp zmlgqQGcbJ*fclu)`g(h3e=pQ-7k>Z#J-x87P^LNRMu84OM>*ig7tLrBUTmjDjycet zk&zJzm^F@UWd_tp-k*SlT;{c5G%-6bcuxCl2nH3=$mwz^upij_%gm^+_GlVo(GKnH zt?r6vzM)Sv5L2=`i}w>#Tq}bu$rnkBtZrc>!7L3b4_K?>psII@EN3Z%AgY$iP*99~ zaqgZdpFW1CbX+%%1g+8<=HXhpd#gZVjAJBn*x{DUJKz8;86u|yAq)5Sq5C?(l$a}^ zY*Ld~h!YTI*5|I6CWXtS$WND{;6>sOpSSV0LJhO%@_1}?1J>j18i{J09x?#LT(|UYNogAkO1@+> zqNCK=Z40;~;HXoH813Nx`gUGRK1XTh3pvhE0v^uUQbc+{!*NW4L+^}HyAlY5CafSW zp`FabAL_H_xM=IxEa0;O4--TH2`&+I;Q}{Rc7*%9 zZh1)n87q$b+86(GT%l(`(uQbV){*-E{6Yx4*ADGx38SU*7N~nCjANY6iH(G^@y8lVZT>^R0WU-Z7?GqFr5%`}ZDBxZ{zaGXTEUfZB z_ZrB+FrL02r2st6XEDWr;4d+mdhA&569v|W)N%N>9-oB;5MRr8zXT*fH%H>zVn@gb z@7a|2SHlKA5Uo|$)Z+XftxY}aaaGch^8fsz_pHYs{fc(VR3zeoyPHK^R%^M>y@SgE zq=AwysI^^}vO~5W8y+3`{=EeS1G*sUMsWnTvi~C&^aQB(CYSjH$bbQp7I@4+fWDD9 z;j;5l03VqQH1TB%`X7y)q5?AInZZ>2#Ko_AunXLVkgvDc{;NVz7@=S?zg*=@;ZPvV z;qE!A>2We_q^~Nz;QfkmOJc@@RLLSOHqgcOU-im!zyWVCk`0LQerH`jH+YEXo@SfT z)r8$7e*d?Xii08!2m-d%ru{Gk_Fb1#zO`h&Ssey}Xn~yqY}S6he`?(TMhvP*Hpyo> zrzotIxg`w^_jxB!(ii{im}DZvh2PNBcqF zqzejyoyK4V;>JIk;nC0ZwngN;1@&`b4ZQh1tP4!L1n3)}#WO~STMeTV zoT?;CSS<+i|LN+=!=YT;IOQahEz+?}W1BHbj&4! zt#dGE$yFl1tBfYceplt`W_ zFqgTzhF!Ws9gEjcbIPD#cGhVWU561Tp| zpGzPlDl6iI5o9`-B)ylbe0BN>lhA_p+6W!;uz2v?$=@gIOL;t5XVYcWZVD1!c`&2$ z?PP}~u+K8xCHu%xK|u?R2&9}T6bRHJrBDBv5%?JhwZ9*dFakUNr!KYOrz2TC%vF~V z<~=#f_w>|x!Omd~lV$5BoHAhSgcLjJJC%~e*!}|QZ@nA;IEz_3jM7SSn_FtJFoxqS*tQ=&+!3=n;`G6E$UY_l#gqz(cey8S&7#+=7DrUSWH#Tx|=4(0i{cgZ71 zcCl-bXf$MTY32?8rSQX@WplBUG|zw4gPAXoJ@dgRFi;mk+A>6GB083327bE{Eoy4< z&urc8w!_w$S3Gl)YG5Op9=POqIZH9a-6c}nNa2^~Rgk2UN2)TPR(($Z(Uc3Am9ryX z&a=JPo_o`x!x;J|QJv7oW0GCzA-V1M50EzGAiKAnrW{)g`pKJPkAHtW8PPk0W|NoqmN zH6`r_tkhv&=W)ZvCX1GUurb`BIYG;=XNmT@_xWNFT2YZ-PvNFp**0i1G`fval8M!) zwYmIq)-fNN0JV-UIwyqwr09S6AVH|`xgMp;dpz2$IOaI8_s4GKrqXfif=ebS60!p+ zm&vU3r0y5&z@}>R!g|U#6B$$`-aLF|vap^A_e%RPzUM3R(dYbI@{jgQk9o?Eyw_H1 z?tTnb_xq()d?#;uRTkV?zOGKnmCd>6fmOe9d}3{Gg#2Q?lu@L|TE>hmj+pSt@S($9 zj~OmDyS&efOoBSVGrQh!+l*l2l_)Q-_uCEX_y9(Q5lC>6@vsSd!WN-8IN8xk?Rn)F z0^UTm#T%?{bc%$x)8Tfn)LDr&l~toP5+Qhc6))>2jv3rLDt;5(l3V^P7HdAsyMbuT zp%h)MzV460#wj3lf`heu1<$4wIfW-?I8_0*;W@*;o*#_6(rN_dcAgQ}#~Qs9CVKD@ zvD?)h^S;O7LkPx`Bg**twZFanf_nn^I%j`a=s#H8Boz9qdB2%jV!ZLUQeKci`8kQE zzaRnWyw8oA=EbZghI$^mW6Q8BK9DbZVZuK_)vcbqIqn<5@a}A-?j%1n8@$~zaLTX9 zF0=pXY1@}A+8L6vUI$1Ki#^1x0uaW^vJ}4d(y-_i!cOrLnl08TYnNWO0-?qQ;@LC% z8AgV3BBh?AF}bXuZ98y5|1ptyQPrpZtgf|;P%>YD0`-c;DV<+f?)xNw;8YVDMBT-8 zBvO%+;o~aCubWGj`_ezn4|T=afIB5D6;vwH-=2=Mu#EYL!4$$g4F*GJH5M+8rY!E+ z2q@2h88B%jcAkbvL5M+ZG(2I;G;jyiW_vn%Ud6_a(hRATO`sL-PhMl-j`a$-uzgzy z`k6jV)2rm#&7`b>tg@ipBiif5qZ?pZWD;Ab+@_29y>a9f`#MxiDuOA|vYaGSf|tT! zhg-3E8qtH!%N?k;BDPs@*KAo`V3#Nk=*5Y;ouOT$Fiun8{x{-7+f`Q}uRjwDvfJpg zUgoxZ7n8E7j`c~X_;~xNT#F-+bD+}wqr`^9>dU%%KJ)zSQUfR`u4ZQ-yWj4pO7t2M-asCS|wFpBn*<;FZP>#F)9OG!4IH^^a-gwYNeck+A~F$gKpM(uXX&{x=?aVTZ2JX diff --git a/versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP5/shared_advanced.drawio b/versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP5/shared_advanced.drawio deleted file mode 100644 index 6f96eca0..00000000 --- a/versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP5/shared_advanced.drawio +++ /dev/null @@ -1,187 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - \ No newline at end of file diff --git a/versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP5/shared_advanced.png b/versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP5/shared_advanced.png deleted file mode 100644 index da9899157d390e82e60b50211bfff24637e8dfb2..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 90372 zcmeFZ1zc45`ae#mNR5b~fG9Xh$k1I5N~s_z zp@@`p`2P$uqZqq)@4epr?e~AL>&u;U&Ybu>@qXSLzkm2CqP@GhfJB@>b z55d8~lO!Pmd)OLOJaKSzJ3QodJsf?k?HsId*!WJMKe6%h*gCs=u<^;U@q#}hRw8D? zB3y#zfUsZGYbnrE||Hnpg9kZfUu>72>2Q}$I;o+&f3n(5_298FAo)V8ggvmKF|;+#*|XnA>P={l-u3&EXzw3UTSPN5g&W##5>2QIZOI~X6gAh!VO0G~XNuBDxs zjhmSxxRM=4NM}rZHMvf?o;7nam*Lg)^yaZrP(@$I$qYQ|_C?@8PF&#mF&A<4QFJqN zu~h|&a{yPe^ugW=wG`A-TKb~*2#ai=#LHvjhP~a69h!E2nCruU=uzj{c-mQ7xnr(| z-sR!!?BHSN^6gFwXD25huW!C+=H}+?{q5JRogFZX#N5>dtmB)LP&+g&%p88)t7B*B zVT)OX0Os*f-&V4+v$4hA8ODP-;%J8bGG>Rnt(m2>H~ReTUE9)kb9M%&%5Piw2`dMb z@UU`0pQrFUN54G3+ZTKN;}bB7@G^7o#H>x#%)-{r3D_P=(C!|-*fqO3dpcQedkpXn zS#MiA4=YUpRI?Z1K2|O1#nV_6V49KZrdy4vlOrrw&Vx<-GS}eTkSX^ z%xlgkCEXMiy~WiIIIiLwJ()B!H{Z7+}kUl4Wyc!NELy@<1m2k>RHFZTma zjK1Et_W-+h-1py6v89>2?Y23f^!@vK{mv5PWfTiD zk#|^!;PxM|{})&XOyvKadGP;W9-6km(k;QNwNER6e}P*69bJ4Uk(xaEOPSR{$K^-qzc; zM9hX93RO^0w|z(swMf(!`ZhnoDGxI@8!O^?Uu z2Qv>lFAP9qaPenwg}DRV*=`$2u&9Yu3`S93fDwBMcV|yG3oFc7K&)S)%l8+;!Y5Ya z*lp~E&@%YpLfh#11+TXsa(mYw0IJZh)34A!rC%!_I}fy7Y@Y_UP*$;R2jKHpqd;w7 zZQ>g!{5i1wuGyevk2V`j6#4sF5-&DZ{=1gMDRYM!N`t#IDWSjZ(@?iCfRlp8_;{OSC!U79c zPyY&a!enGSkQ}QK0CfLHHS!;%F}ytAs|vII4^)K>#Q%<}K+5}l)cucS3uacr))v69 zzx6aWUOqt!VJma%Ut{t@fN*ZF24nNQSbn%ekl6UPGbm#r@ZS<724{8{{nvcqI{^9? z2>!{u>o1X{0PI^yeqq{wg(QE>yx?wjUS=Ms@(P+;V<_7WO#l0fR8aUIi}XLnt+DFd zVVysO#Xn1~|0(W;zRORz^-hw61)-fR35KzPzX{>~UVC4l1&bMfmT(L4eQO51*dUC( z(61xhFiaTv1xg3_{3V^@0X0Qz3ib1Z3QM?AWdzh`JrvzWpY^+h`_CB)24w%nh9V^L zoqn+~2&>;eYbe6Jus`6_yx;S*UuZTzCgOm;q5cEX|3Av!e%HGGJf9YVVQ4Kjqrqxm zM@Yo_@=kJr{Tf#P{|cdo{g^v{34}Zt<^12J*1teG0>a-?=%4WwVT}HED(9C_=pWM^ z^on-SlRu8F02ER6iGKzzx6ydJsDZ`e9UzM;gncb*Y;U2A_DkgpZsleN3hk&2_Kyo- zJA*U^*1myW3>^PWVl*GNC4=?Qe-(Q9u(>k!LRi1X`tYvE%EQ~)%^u_=C$a6HuMHur=D?#X zU>s)$8vLUI6iAD|G|_fep}_txeSlwCiuwfr4CCQNx0=5coOrRB_6|M4_%SfOQ&GPn z`$lE`;P1}n!PlJei>AJB+hHOnN=exI{y(RsFU5=RwS-O5|7KbOy|?eQ1mnX{i@!um zKW6qnL`n-!H?J=}$Q@zR!okel-40bk+EKUtUBmsGL?nUla{e#Hc5EQ|v&q2s^_U+n z^g9s=bj!?qfnQ+n=Ynb@xueAP^S+XRz<1dT#)-f7%+Xi;+VJ`3dO%n=+Y#=ZoWb*{ z$!PruqCf7@-2NVqoi#Yc$qdz*^Kb)04q%i5OwaIu!3%T))(H#E|G?pSJW%(>Vl~D% z{}2KGyg$2Hf$qMU`Sz#stW)g5R>@FIKbD z*|9La6Oys~2WvL}O3uRjV;cE`v;Wk;-GME8{85|NQUQ#jVEFR(moeMej@}nqj43@} zdG%LHjH*Il8S(F8$WHRhi$Tf13$9>eCWaHi1Tal7tit{*t_Whu)bCyBcW?znOfU(C zovQhY27l20#for;>th|<-NkI%f4@v7VJBfM(DO#92^lvVb0`SZ;4f;}ZpWvisGX>e z84s#O!)0yeXy*V{gE|LX-^|fv`yd}EyMfSQ<=|z7YS{g7?7Ra8 zAW%1Oa&~h>&FAbq?2Va2LLKKvKj`+;Iar}4W4ORtE$p1YAm2~UNAW@~48))gW7>?^ z%WogH0~1@Qxkc1*o*j?2ebB?r%*ovvJQViwsG%>+!vV5t`R(0zo^EbtVQ;ftMCbZW z=)3{|L@;9i?($wR!=7d3(V1zX*B1CCV^?pJc_@I@GU5UhIU@4r275 z7{RcDf!dJ}u>WtPBd95f2nz9;{i1j4H1=+u`p$Lh5 zr(Y~`{;`F6q2hJe2%RKFX>|9pW-Pzbz@jJ^(*0b#4MJ3Qz=)}+O{<_<0W z5Dfo+*8T%;q3rkrm;j0lU}P`wecA5M@|W*3gC8#RJAvq*Zw7uBM+MP!#$VM8}Ne}w)F2!A@gJE41bfnNC2BzVlkcnU#?Mq7aaJ7 z!2H>cKWO;E2I}8I84ykX+14Odpx;=>|0>oyTZ{jzSffWFv1IMPyg<$WGv4-}Y7O%L zSPlGvx9tG$|C-j|cW5d2hiLg{$(`W$FN6N^Wq%S$|=ZkpJH(g!6Z8*h{4O2-+H&~ks?X@~@DJYl#6%S|f?+xie=lbJ z<=sq-#`&=0>sSi>XF*-yyTT+*ED8Z&?|0gmX^f=~E<`lOFE&n&?_>blsvGb3pvDB{%kO6(L9KWD_YJTU z>Dw>dVhYndUUp_XrXvAHq9gCuft?@E{u-sfI~%zE_h)1GfZP3d3|eCQy;uOiR=9Qm z0PJU#Fzh}oYX2*(3VuvY^(P2`a;tAfTd_v6?Qj3cf}EVWtb8zowA-&km^*_XrUXC8 z34XQE0`)_J?qK5&-<;t3?!5_M59mkwoxxl1zJ&|w2h70lA2|T?1r*_DU5p(Q3@$s~ zJH?!|<5g75Fz65M3|^iehy>>4l`jM6Uw$u=|GQs3`q>;8w(P#M#`%4R_+Qa1){6e8 z*==+9#hMl1!7yMf7sHBsr_=r-)dIu+`g5&dFVNe|Ai`X8lN&>Utg`iOLgBcMUHN4vqAtdO( z!mJl1{Fj*HnWfTRX;__^_s4tnz(&eLLe{Aonmt?5jh)^kVb<`N;Zu-mD)v38c{DIR+E2JW_Vfo2JRXu zI4Y$_LU96hsvHXosS=#v?R{TCTT-%i;de)=FCsgbw(t6H-@O5WFN4G!&y^iIKi(GIYwS;<7`MM}c`!I$z`kb)+*Pjcp`+_aBk9IMyVPV~ z$?;=n?m|e9(@uN7?;?E^&-`dG_;YNUgny>(^Gv8wIltG({>Z7`{4BXhniX(L+eEQ_ zZ*#oVR)k6L<{srl&bkwn5)dn9-}$#PV^6PK;xUu${2X^ctfR``+v8)uNapAMGIz!n z{6|eC>-$Hm1J`-1o4Mjnrs>7JIP(n4%-?HVu3Z0Ep^yZ(eA}MROu;BfKv+BZJWG`sJflF~DRuEVxyyl- zv-RZk!Y(XlyKb8`KK}HsbEW|P5|L?A6Qq>Pf5$Fm)TqSiz%A7jx|8sN+|BjnQE+4H z{n={QWvc^L3(j^QvusQ5ZWXb4mTKF5cMq@4vzUY<>d9pk4E!YiOCRchv1r`4Jh@-O zkN+8+A%gW;$K7F;Lo71XmgINep*?TqvUDn0)Z$d{A)|5+dJ(t7r*Em)?SAv>zSW5b z)@`ka)BQh+&}v>3bbK9gvQxCcZS0h0{Mc2KAei%(=FL-KWP6UWXk^NbhqTw96E})n z;bZENT764vu`l9o{QOvp#q{gq$4Rg(MFhe;+qlZF*&Jq8PrzwhDf}DqWs#lc`Nu=z zwxParO?%t+>j@J-b9~=*=Mn+oBPCdaIeBcUzAI@|DQk|`xmci=g52BV7`-UtxgLZ1 zAl0sm7E?pw#pg-X(j^bPD^M4@5ihw$V)gVg%$-T#ETnpMoKbxBZNhk4wf*W$&1d*S z2R$AlbATI4za5UGh8R3_kV)pZYsF2&?S^pYArOJH*RC4-J=s4i!lcd#@yN*(+e6s2 zGB-N6wLYUr193>mgL8V!+$SXDqUPk#zQ?o4i__OFJIrvIOJ=wwH?LZb#Sf1L^7;VE zcu@9}8lq0vWDzexG~mA1up%eZ7jKSb47X}Ylz-pXJ@(ERff&u0 zqIq-QHp6tkVkjPA%*DsQu|-F=4NVj^TRy&sYtx=qbqH#Js9$Y9qe?x?4gk#gg_Z&O z@iG)@vk?gGaIfjt*QBk9#QAn-7?!zRO6rq&MZ9}IPA<)^r`D|mxr7y7)4b*g*F6x5 zGk3LQiqCczc+VIYFi|e-+K9VLsUzb$HzH3vQ;T#ZqpR>a2BqIKb|yXq6eSi6Fn_y?s~fI*Vv+<--GWBUq6s4y+0 zI;nsQ$F>Y!mJnhNE#i=?knaa}SWF3ITK6|nmXt%+e z1cryp1(kKkH5WG`jiNuK8Ainh?vY8JZ-n~S3U#qo~;ph z9)XDq;lSR8?wyHIJSIbJVR@G-6X2q($FP7SI;`ZQ!U&ndX9qb%y;QG!*1QyWx~&p+ zhD+P=OnQhaq7X?h>H$qsN4(1QHR4#17Urs4EB0G_&t7Ka(C5b7a8vmzJV%==!7xtb z;EGVbr)nbSwXEUS7O{Erz%pk0oNKO4*;Z-zY;xvzS$Vl+%OmQKigc3;fE#5z97)bc z2TmbUVLAwxeo?8#{#I%fXvRO%xvO>5q3>ba=)`r&Bt9Fp4}B%=hnw9`L+R@4>kC|l z>uqz6>lWbj<{6#ixSBNY!uznI`x0_iP@{P7J+MlIrj~WCL%2cn5?g7xzP-NFR`>|ps zx!tzg)cW1WHx*ej=ZJ1=-TBSVzBLJ!BpE15$EANB#DZ%7_JW^XU`JsvlR0hp4h{o%}+YvxBM~o#ZBduM(>AV=G}MCm?Fv*nFArj zluZ05KLQ}PxUUz_B=K5&d1W*{1?Fxn=JkPRRKo8Qw0di8O3D6#&zyOu5bf)*@NmXx zB@ks|OV>7+2Q{)3DER2ui?g8Dgq+h>`GU6sI@PZ6T6NR}e^zqzn(V0SGIOiB-Tdy! zIMDj}-_odYr4h0f+kq9BODZjp5?m=@>6MMrRqpE|8}lsA9k;HFD!>*EKy8Dqy&?;Nd>e${-@4Lxos+O6s(0#8H0(n#J*`R#9>O8>v zLm=%$mwQglHZwZY&uxT;{a>560 zeB{DYnm0d2{mKoHS*3JZmhU2EQ~ZoGjb3O_6(MLwvdD}N%+y@)-{yd zyY7V)Db02`)s)S2-Jv~o85(+B%$vbgBi~r!5RT7E8q9)dlK09HbtZSyeC^!i!n2KX z@OvgT0}*@Z{5c`)5X${hO(eMoJ+4IELF!g`aq(KW(%(cP1#Y;GHX}Lc$aCo%!YPFk znJP-jqEHW?`FjuFgd!^0=|Q5h@Q%O;=M5t+i1;UF;JdQ$*6U)urHZe{I@P6O4?{k* z&#*y7y*}8=;d34MkOg2<0UpCF#ROz2>C|5uI^9=dvGn1Uf=VeFUEkO{Cpxln7S%Ly z5m|VuuxoupNPhL&vHGwayUtr6!f_ocLY5|~rU>pclO>OJ%rNb{qnWJ$D3$7v2p2zu zW4{m~;XVyZc^yN-uytWaSMU6=tH{#52R97~oMKeq(U9;md z-4&J-hS15L=aLM=$BzPx$IkH93Q=&+J-z0;wLa%`jD4FLck?KOgu94AQ`#4r4_6yy zGt!P8qrW=L4W<9^roik(2ckZx+~XZW)bqVuYilHOC?z;9Os3ak$~^r;_(x^PX$T=? zx5kyW6rmIx7c$Cc?Q{?b1=teGM6iAUcFf+9(gWc&GbC=Jn<}LvCEHAn3Yj5Mg0I9C z`_Z5yk0c%wY1B}Pmu;&Ow|Yk5vt+9eAT%|mW$0rlwGjYtnaZW#i(9DuLx1tXId-U_ zyMRxMNWN)tLaT^l3h6>x;F6xZgp-5v$NsXm;?maA=@wR*VddBFIWD5Ip85B7AJFQW zQ)NLCGyxf@)>ruNaV8-fk0T)`=hLgR&=ek@Nb^@iunJP0(IFT~0ugmTzBWe7GOD#l z5Qry3l7K5FoX-Pr&(6Wm1=;ZHyrsGVl8nNjO}~Ec!9d%t+tl19)edO~0G%@qn3MPT z@bbC1`*`cV1j{_lY&GGajZ)uRfacsjeUnT(&(Q9-hOx(&@WmUi9yb}V{N%;uyD%>B zzD*~AI?&~#(VSKxof$A%-Qn#@+k{VT!vXFShlAf zXuWV9-OC`qy+2j`jk1X3K^aiPF94-gWYNyw~Uxmt5Z!%P7^{6KEOi?r10>s$K=xUxi0T`UcQ3BBc0$-c00H*A{fnah@%ST5v(M18k%UMjS#|< zq=o>nY64k#tj}$o{Io){Sr_#jLdyO_igEmjI8iwI_|MX%;y-V#w{NrwtwSJ$+|&!yDz;pthuDMiuRy+3JJO2cBIQYZE>SwVkHt zF%2n{YcODeLULpF#GxRloGrD8=ljd=u8zJgbf)3t=g@rSK zzwEJFq@4u(1uu|LAZVMvgsvPOqLry5WfJuuX}Nm*5nv8&8I{tZc;mCzMLo~Dmj=JR zq!^Rap)R#~9t4eHK)DFRBDkO+7MT%{Hq|GnOGawv>dU)iO?83@aNr=+XT|0NzIo^oLV1}Z>DYVi1;Zee`{ zW4Ww$MIYNWC`(DH17iZpr!TF zN68|Uj+>7+UD|~<_wicte3Tczyb${t*sv8RF{(?1-)yF`CZ#;hSFje+0Rbc7j@FiV0aK(t~7!h%7%ModPk zFDI-zYfG{1D zMk1(nt0S^5A|px$IXw59qAbCoj^7Z?WNTP~B@F9;45v;Be!j!p{%#>FNC-Fr?s9G? zYE&aA=IetGplxpC>{(-wEexMYJ*$E)^fUs9CzwMh|CI+XlK>Ffd^Gwf-e&g|5dd(T zZwoCRRq_r3R+DAjmV9LM8uNrdsy>!+zdAXaL>TqRms8(IV(Md))U(O*w*bKo1{h+& z6EfS;aC=|0v(=P&!^YLg!E>m!q4GGjkDlofD##Nmv_kc@oh1(;HA+<6eFP;nT_ed z_~;Mo9BI#(I!Qh2jY^NIWf{^jq-BLNRF{;jT$F-YGGIB3eDB-$Z>8+-UW$;uhYFSq z84PGgpbEWsa7Y*axcjK(QUp5#0w_t=<+*?r=9yfSY73DUa}rLB+-1kZMfng8-N_RW zO#M#k;E)nrH&4x<+prY=Qhhwb3=}+kE`eq3HM@HhyDT?67#+mTlWhJ##=A%y98xkz ze9R##Ty@e$T{z&S*|v+RBm~?5-)oJ;Vhy*ALYg2zl|=!8$WsFV*uOB9U-Pv4NiWCE zExFoo@R$K421Zy_gwW1zuc1~)zhQ4EJxCoRa5*K8VI+1?t=2;3piVZ`;L+qDC6s#Z zjP+Qe%XV@s+9)nGJUr~-`Fb7T)1Ig^&M1?mqC(lX`89qe%)`!-<1ItLI_9H2U$Ds4 zW}_Y<%HTTo5u|BLv$xeUc0kN)7cLc32VeIPxQ949uo~Dg2`Khq)Q3P7Bu_0%F@C^* zYs0rpG;BkgIs}e#mQy*oW#|k&Liz)V90&C6dx%)UT`s&(6(ISGI_egCF_IsoiO>d0 zds0H4F(6l)jv`2%XKgt#{BCHFAQJ*f%;~&3(Vl*Maeo~Gudr2O z6%sibV6=Yg(NwtSurpA#^-aMtaj3lYN*%^VkE~=cZO#p?GNnN#)9u`+` zynEoxZX>)3%CzQ>&OzY2Z@7@xFhUI>InN802saL#X*ELBi|y}@`f`5~g2UiYh@oH& zLlHrk30F7~x?s0m4y$IP8bo9U75}zk{n_}i%Eb;9an;w4I!fhr?I|$aM>P^LX2X2qY08EYP#J0+%kI1#4~T;sOa-A}C{b8^oxe|i zkZFsk?Y&NY#M}e;UBjCs2qEVIx%%^@u5D*)? znd--jOgLQksE?A>?!~%_kvgG#AG^Twa!qIP^qPW4fdf-@j6zPPbswJ4K$h`trhkze zz@J75++bSBlG$~{L5B|d%8OiVuRY#}UDIqfUEk7#{w9X69dMsqz=Zp}qseB3qUKH5 z#S2SQ2+JqGWf=^b(Zi5pfBhzh-~+~*aJEM2SNpojEO6E96G zj5MB{^;=l7?YJRet-=%=nMHiiXf4L4(8G6QCOFu<_44YipeC9!jp|dX9u$mtQ8(+= zvl}iPuWrhp2&yxX=o@*_M6TpF7&yrw2(fCZL6mhq8m`C+cX`_pbUEk_8I$T2kYA^+ zj~(d>zInJ=<$63`m~!LhE!Qa-ITE+k(EAf_095Pg_~zRV}wnQY7QM$NvqgD5xlz3;=)qhT?+r!h2mp$GAU|R z8aEXrc9Bh;f5dCaPe(=;H#@vpVADhPzAC<)#eP-Msa zLNf8-Z(-&u25)B9Z<5nX*fDLD29OH0>}@Xc<+wEUY65<<%blK1lJ?H&Y?;pTJ%x75 zFvIc{Mty<1*5jq7W9$LmZ(01j&PJU{|0sXuwD0q3dy~r34pW${eNVBA@1EQ%FiKmaOb@xxeJbN*j?kfd;?)C2G>~fcye$ka4RI3yw(iLR!DSnI zqRwVavXX!tT9R^`#7XYWkBNMch=f1?4f@GLv{iRS<9y3SF6cw&RfvJ$y{4`*4wsdo zpvqVGB?W`#4!mq03^o#A4ZRs0|M2n33T^ZKp<~d==F4mbyNlj;bc&aFj*7OXiT3QD zH6rJN%&0Jgd0!2TI%z>P+IojpLAbPB{0i6Q1EaT&%MJvDsdQ_c^B>+?*F;(@m#`8L z8l|0@Xph=6Ra2|u?={jPWMbBGK|pu)i4&(DKe>(CX2bu3W=nFBG7yt-(rih!hD~FY?19 zUhz1(>GF)AQEehZ!loC+>4)5VK8*Vtz&on$7!L1$={swqlFmaD!+~6<8r+I!=pvWe zFLieJm{ht*m_pm@45O>nsPYSehsG&0Qpz6n>+D?GLFGsEW#&NInQ=O@pI*uW))Q24 zm=&60;Ws&~cu`oxT=S|c!*%qBd8z=k9OD9^yYD(o+xh_N(l^(3B+E4wWVqQ9FVnwt{d^GE61#M_kqqy(|B77%*RO`ci-w zIrh<6G{?X`9<1_TZhreDq0ODk;9(=6(6gYHXa-1mX~3%6jhVrqb;kumkHt4qHq7UU zD0oMoT{=XpmL_i3_$&k$pNfv|0$43AsPbM#Mnt#0HA@NQgbt)j;io(5#m~eaXv!9g zOWMarHxjlX-*L}T$K67!Lg;LUTe0ZmfU_|DRINes%HplX9GKMys?m|lBca5FmUSwJ zPbNe1d+cc&)Dvc1fXYfl^1c1?EgCN)2CxgR?VK*QcRLRoTcP_Y?aG`;`A z-F(5?=O;|ET&J%Vx-NU`R*h7N5rhRgeh{NoG=F515@Vnp;6r%|?z7Tz>k$UiYWETt z5;lQqTI>}hXm#n<1WE8(J`Q=;nQgH;KQ>PFtYic9ACJt!ArYwc82@YhnHRbJ)io?3Fq8yzMp(kRu<`BI#X>q*-;r+CJ>o-qVq^h?bDm& zE}J!$Ko4_DBrWyg(jbjGVKT#4H&7WCg{beJ@5)Yyj71`$n{InP9T4v^6i_a? zA=3FMLwTmor^=VuqHQSl^ofBqYfi6K_Z#($xnfzG@wm78EEFlnxkzLModwsVV3TBk5n%eNhMO3sUu#5yZXYLsR)$E&!W8HsvZyBWCxK#b zBDc|50y$7KDX{BgKLoY4LbZ&ED487Izfp!4IS(>rDa7&;Cxa5c`HLGTt+f>6ndEP& zT$>$@mts(st@2xB4OEBK(ijCUw=??;;abG5fMJ4GdXZ{S*n&E@%t|2ir@L){BNlB8eennQS~%&dLgIO)qV2hQZ~Z})6HYJVGOxnPgj{_91cCRYW4D$sR$^DGLgb=vpAx~_rmwKXw`;LmyDj*RZHK%l@O~6 z%_62`vAER=msT9oR5`C6R!=Ir;ezK`!~FyGukI`H|RPqAXZnUX(5$# zUT|IFw~wzdQi`v*9F}>G^gCLqTQ08eIT^{t*ki6V`0QonL}^)dck#-6nM8$TLj~Uv z^QWm}J~us#yL@xY%3d!nI5KwJk(c-&>OuD;VbJ-4_k6g8?VD2eybWJH1Zz_8JANTd z5*vZQnK?a8Im8~q*fUtTDf)2H=n?f(M_8YpzI|IBuF@{kN;Xbzdm;Q#cBtCsio}Z> zfvuJ~ThqM@)QFLhFcXbDm)#%MKjP7_jq~CI5*<-cXQ6T1_DRIerA7BqMGEO;kNAwB ztVG?pE%C0qgZ$aMT+}TNXh?evh{8Q)*9}ZJ z;~J>#`>OREFCR02-4Ck|Z@(G9FMvu;6jW1bVYg=D_7gnn_Er*pT4~r6pf;>|!^f`c z_PS_LjmJSA!mzy9?wX@ttY1c92p1>jQYl`D_b8u}EE^dfSddn&*xnSdmT8{}w{{i;3L3(`o^sEc|@ILWsS)9`Ey`L!^{$rKM+XsqDLQ2D`^)%1|J`0Ci3gV- z0{RzhBO=ZL&z8UxPBf_NjsQM3*^z;NDv>jiLnjXj>hmujIx@b$aL&`NY7^-Q}*J%_sjrl%+8nlVfuqM5Lm9cj)Pv)5%o0w5$oCz zT+sJwNDtnM+}d0RrQ#2}yK7H?@{IiL8JsqgZN1dakb-7(Q}o^}z|AMSbN2S+o5X`A zttl9R(5((A6S=&Q`#F)zfG1$Z1&o3bqdJf6^AqAPQ4@gm^RvF@$1n&y zEj_$A-M2S^U6t3;e0>$4Qrz?&_2-R+_~eJ`v?o1M4SYzMxptYL zKTPhlJ;`3&8%vumU0JB_G)jSj+lmQ(EP5P;#f5~E7)~MmTkSr#$MGIi&bKIh$?#b4 zT$NBxK77}18v{a-hp4WHjnIT>$p{&!Dxn@)91LL%;~th^#jpY=0?3IBu7jv8Irz`wBa@$L9O^ke)ZSdC8~T` z3q(q=f_HWWeM!u}ROz5_Jd#koMu(|Qqt}mf1Qd#g$Zrp$YjXs|p}U6-oCqJOR7yoZ zF>0Bt90|M^r{5*%dA{xVv8J(^OF=T5=8*y<=(FKRYR~CsUpRh2^n%#9)LhlHix^2P z!7N9J%hhlW99v2xWrzfhnt_z^E>nt-XFbb%aSXlgc<+%mE>TM7dgyk}EEhkQx(b-m_0^HhzI0?Du_<~ajYDK4bs$SEO-I*zr zh0reX?ZXKeov$*wLOfr?iMvp`c(AD!7bgs7gWNPvjtwYuG__HB- zh|Dxk9xG3UY+r{fhR3=QzzGlU|FV|EGikt z_GSTL6AO-1d85gVqW%;Id&PaqD*T>ypX_reK-DyT0omPDRSHJH5-f3Um5KW>?hLAPojn+wzn6E~mh zcx}E{pXX(>w|0Th)ZPVYcn6IPIUyIr7?;jb?Hv4&`mi~Ak0!qZ(iAwKh2OLRdwSC3 zECK9kEPnt45w%AMJmArVNF;~42u_VIv9;h3H`JCQiIOFKQDHz63@mwc2t=48xaCab zVX`{pgcgVC`(&nY@pHU!p(G)R2x8n++=8cW@~@o&C5URBa9-hdyood)If!%OUOsby zlY@CG(WrD#N%N3X#!#E~E~4xdh&*{2+>j>-p-r#vP9LF4PIm6efxXk3k0wWoGYRA? zM|38zF3E@|db>#%egoH~#}B{#M6ebDk=|Bd8156BlZ_Zj?PeN<`YcZMIc24gBB3Fv zi2|XaeGR$x#^L%p59amtjAx$a7@6R8)RXNuu{7eSppzDwVm}g>uJe?4+#=GGmUi^G zty!u08=@wg$@0dO8&FZ7MNUGB{NkJBwCPqENl17`OBalT=zQ<^i#^f3)33uuZTeux zUT4GV$AlouIPGk$WSYX+~wYmEL2>$0~Z=hRdohk*qhhdPPI1KAAiSMFFWW^?l#*)zjlYu zuD6|=Yhi0cTjP_QH|^S`iosE5DTXsWChGSI`8asjN4qojADLOVq2VRUo)#QGpk>?adMwA-eHv_s%z;_TiNtX8MSFQ^MLY_2a zn%Bzdf5M*#-PkiVG`(f0r58MNg-bZWQyv;d_SyMaN&x-Er@Nk1u7(q@Cgx31!G*DnXK8v$ld(NYx#>i=)(r&k_E2``t<*-r0m=bt4 zet-^=J}qUpdv#;0GhRwMotvxBthZ#`lxglmEMsl1!OB8=i_+?3758LRvN~wKwH^Gt zy75s2FKYr!cTGK>T}hbi37^q$x>}RBMJc~v*{GPZG(5qVJ*(aBbxH1-x8m+h--cuK z!fw3AcXiuHq9%im8~J-p)D6BGcJ^!lb!M|A^MMQd*I8w#{V$xAK@+{RcpEi>_!84P zrme4AhBTRe^F0@rgES=y)ZvG$2(apA0C)13@vd#f+p5C~f( zO3JU@?Q?T1Jo9|Xw2z^=JG`Q=&T6TvkeV)P@BN!{pvA@G{*>NfFqjP0{@N@rsdEPX z(kRH$4(FEyZ#i@!Y$lIm2swn3g$k!64Wm9DNH!fTj8;n92x`49xm)VGNLbK`M`n#7 zA78FKQ7rXbU?M|AJUI%sTH6t1bdgif&0|W8^XaCrzn?IB9MgG^ zcYK+saunzwsxV6JXXZ4pf&)< zl7-|mzAKlT!f`GbRuwHOP`O`ibHPGKhl71{MB;O$WI~u@$NW&xZ2Yknp8TaE6XzE+ zGEPUh=9;F&r%(60QH;L%3_I3FoL}CZbEccVyO4QF3l3?$LRZXK9SRU3`NZkitK>+t z1i{;Vw+VMMtMC3H;t$<=YzB)I?#P^>z6E&$B)&LAbTarc=5V+R9^N z!z@}mB%8U;J9gjIC2$m7RJg*hco@1r*W6SqN?B&^)Vs>b)gGut@omkU!U{1dkx#p) z>buA8$Tu9jt(Cj`Yk_ZPK^4Ks0o^XJV6sO*U1IyVy zwWV+O95rT$HSmZj!YLXloQ7#mWSLSk2!-DAQs)&v@~B801k{t2J_2kr6E-UNxqCh~8Nq#i<4SUbT|o3+IIYDa z9m1^#q3~$erwqwpsKJzxaxDE{HDmjGL*H)EU@4K}p{IgE}#1fT!>w_Lohdk0> zk9wED4L{FF1yuTp5H0)CGI|GxFVv*UPe;kS3^g)aI|FWJHPcp?NMR52{7AN6vXt5R z;XUX6IM5E>Gacly2Lh^aEXoh}+jeJU?|ar0JJmY#7;%NaR)Kr?(Ap>{hQb^^h^;L4 z>uEvfI3=ZA7>+XebdW?@FLGSV*W0S{YSUGH?fLGUU;aY+(>@sF`KEFClI6nC45Uef zP=5TL2#@0cnPt$iaGgXj?e(N=4r=0eb{~BQc5ecG>rO+bYv8DLJSO==8Jzz zkg;eacOZA)ai)d(bIRSxiyGBrCrq67GBuvQspcP!)Gc3fr=5IqLjU^HCRW0`TZ_GC zb}>j0`p%Clg65f7U6iWr0Ft*^)#Q9=m00HBMVHa7qK#3bQja;I7;LXt=F?Hz_8v-(h^p<0@7-0Le*$<=hN z$uZ9H0q07N4APZ+L1TWGQ`o?FiF}x?R-)32HeZ{(>X7{Y(!Z%q6T0j0`I| z3`@F}r&-c}47}*!Z$)n1iZ4$<`PrjJ-$i`S^EP+~SnZvq`U*Lb*kM_A7S@`}h8*-|GZYbG`O_)aBX`)5mOdO*b%+yIZvfp?ho-vNVIOp}2z*(fj5;lRUu#4#mrWvZj)dc^NK@A;xDHPPMI#Qyj-P z43E3!)SooTAUk#9!9%0A&#(&f}S8?W%Sj&sB2LP#N0y{6pug$YWcY;_};*hC1{#ADM1E#(n9%kr~-NG#n{4A+gb3 z1*bZ$b2o0_dWyxT8@`jzGa~2VjT3p%4b>J8)T`K_(4c)So#htCJw7%m_qgovF$E|%C%c*YlD8ltYrYDEF8rcBnqCyHcbzou5q?7O2-cM(4D1R0v zib_)Uh+U(^tALqh1LVz!uOX*`#~9^$$T0+eRWUns)dUH8Bzk zq(AFWyxz1Z^H{NyB-yD*9pC-v=-RSUV5p&Yc}WdRP%I(nltV6pqc0P_7Z34a_N(3 zCn8B&<>R++xI-eHum-K>c%#2L#6EkQjg{V^s9zH-2&3mNGzSw(vpHG(jC$ZScCxx(x@PUq#zRCS@quE{r-h_-}l6vnP=wA z%tITGcP8(84+UbJ=Tt|M(PZTxnCT$)imtaS`yzFm~{mCpSQ) z5qjdkmjI`Sb2}U~(A4x{=djPus8NfDixLB5WDKok{D|K<9<huhkHZ=Y4pERC!2{;v4z})TqhLa zq^C3Y-j%`rIvW%R|GNQkdbm2B##{k8_QeN%QkxU<4Chn|w;)p>l)8uu`8;ZjzsPt_ zUpl5*59xJ)Fo#T*Nt5_u-{KE4eE(f~N?xdCQ$(V;-dkNWY5gckBZ}24U)q!ZrFnNSQ zxN$_bEmfew*eeTm=l?8ZZx!^mF>+Z0h~Uo{xpyRUg>r=3XmPIu;snx;zzOCjwG?O+ zstHGdv=31w4~hnr!%ZO98_d(c+0@UkK#noC1zl(U#oUO{WEGhwe7K_60&G3o$-Vz> zgAq|vT@-Yo`)##ziIM4rZ>l$pV-KnzIS2Wzrh>jA<#~{=CX*4e5L%Pib6be2=_H{k zY`*R(s~;U49uH~4RY;^N0(I#rrdbIUkf06|c3XagC2rm5?F?K^Fez}W(9iDn-${vv z6ADsIu=L_+sRu8&H7{1Fw?2}Cq+`SD*C4exaqHEFO~>OQPlzCw9VfRPpDK7HTp-D= zhje?B22~WdkuMUU%^@A_#3TtZ5m}2;b|G$NFk4PUAz|G`h|1>|i)Mze5fE@uBxTO^ zpU<)lLDx72X7i3>Jw7_8O*5_-M)dT1L;TEei^(8oOE~$2zpjFsXnYlXh+DNZFU~5| zlMG_<(%2GTp$alJDAZD%Lu}28{tDq~8$<;YSc{0Zf<9V^D`)kA^D~Dn)Z}vSJNev%^+j!h1N(P-7!g0ef zwAgZ7o=aJ#S=RMMOO7qYi@w!O_S+P8(oW(fjFVn3pY#pTSu_MtQ#amkl%j&eC0Wgo z{j@wRH*{0t(b)QXsX@>vNBKhwoS`^A^Xxc&y#1Cg}8K(kN z?Ldc#u3^_b zfG<-vr-OwGM-5!-FxhmTQiT7Ld>)XYz^SFq)u=ou;32`X?8e>dZe=^}V+S$X>gSYJ z)TQrr;-A8=U3GK*)K!;%hYn8msv@7-I}$a%OyqVvRXGZ;8FT zCa*gT+!%Vck^e_%6}WIU%$GTDn8hmd*y+VH;&zQT^Pz7UK2`a+5A(0iYF>5@Ud{^58unG>P@+NwC|B zJ3A=g%y;jCK4a(37|%b4D8!`%NG70{3-#dwm4B>q}fsx__M{a*H7doMU` zlfb>^%cgJVM(DVy(S?wJ5RvE$-WHW{3T(f(PxF7<2W1a;6_S(?Y>I+r6h8(Rte=Ax z1yQeVj&7KI>G+ho{rS~2ouKK764ezLe4Il}W<0N*OFtr3 z!4M+&)IK1o-WbPP9Gy{LV9NmcCK15T7}?)+lQKplVNS9T~a*e?&4= zwYZR*Ywg#l!iICGgxm!+?8{EDRWSoJ>BXKzH{N4Ig1tIK)8Ugnrbye|qNJCsu@fW; zT97H6kA!Swy+PR@}Rhy-T z)*S~j_WHzH2dHe=K(e=P_DG{Cm|MPE-s{h7=X)XLn)0DuKBcV6UJK%6=dkQ2B^!`P zb4a$==Ho9-`F@WdJNE4V9OVG6)ETT=mN4a#7+wj$E!iN0$TiofJ-hWuFJP+U^8KIG z2$r0qO;VT3H4z-dXuV1CC$*5pv2VNG_g}fKSg?uJ9p8Ih;w^!ug5+chbu?U1xYWwJ zd)wOb^y|j5GAcmY(1R$U(ioFTHT>%dRONd8&jYOa%~tz&C&B~RQs0s^RT%V-s-I}f zCUH`Bz9L`bg!~k6iP&I5AhJw3s(nECG=9+(Z`#8|k^sa{dCb}wf^Y+RVNh@Lub~&L z)9%~k{bWTLBK&Ag16kAY>I7N%s|UR~amf74AZJO>*M=a*WY!Pvw@W`W2rKYia}XyP zSB2Ez7Qc_q${U>gXn`S7+2DncK;mu}WLpfOz>V_8uSUaPO`~;lOpwbs)?3s(V~o&Z z0kra@F)z*{t7*s)Q^w{FNBEH8T{8$-{fr4@kqlzG!g8k(^$x1gDsSq!Yi#a(!IsD4 zFfhyC2E)WOhPxQJ=KqpofQhlme4-T7{)}KThFd+h^IrCbvl#+$l+zixVnBQyyG2vl z|1J*>D{QeOmLnooP^Ro)OzxY!amTXRUdN(5xb&cZRLH*(g+gtkMjv`Mq3bB7?m!e+wIE5& z9v_>Pr8C8sZ}!O`HCHpfw~xKOrJ^{zGftwSs4#IAzgLcK%g1{~?t=sIgBGEcW{{)* z;R!x^5^=xxH*VkjA8y~q!8s1pQ{UdUCnfIgGxWN_#);;Gd^PjH1bUYHM#P3Re6qffsPD zsN~E^^C|X4icuUCTp7bX#|`*^U)5Rc$@)b`XzY!_(+mf%;&E#UHUzY?YRO*Mt%P1GGnB$q6enTquiO$4^n2Ctw z`|IyDh27wXei<7~X$l>Wjz76-IT{@@J((V#6&)*C`C+BJ*ol16d4s~vSsynWt5BLV z{#7Wz6BBC$$Ti`n`Zl^8CW9Mnc7u*10k?Df{-cslF-nSxRfEu%7=ZVF#^e)fnlc1H z9F`cvSdQ0+24QB3J1{h9R&g;S6+T%8m0vydwJgXW5SXlq4NMLXKN@%{Izvm+qLm22 zCl(Zyeb>01Iu>~qAH!%kxnDWbK}vGy)j^p3_E`dMPDGy{Rbyns2gzy*GR-fWc1>-k zgo_0ZCB?;cMdikeZEZp|(S{TqVqVOArW?ybh;LUL3$emf_+!l3tu$w4zPOEz&a`X| zrdsj^)C1*Vrb$hGzU|yZku^gptBsOg>Jpp(J`*?ocP50X7Zn?xadVNIAR~lW_~zMr zBiSk51mnGK-3h*OqbPJp|5X#H&4ZyS1hds2&;uolCs!$AN`{FqQXxaomU0QBpOtx z>^u>f`nVa`J@@_Jp7&}&1JF&iq2*yxpz>wyNkBH_JZw0UpJL5tujC-s;~=oI*$(k- zHa|e2qRp;OXoYZXYw*h^vgoAsDcZ$@l%!*A92a@W*uBYO%{;mO1k?JX30FCLr-0DT z)Yi$tE5vN<8s_SDwd@yVe|7?|J#<*lCsUO}#MEq+EeFC0$2yo0Fa5kOBIo&}1!{bE z$l9^{^vhDga_q{d=FS?USC$(1ov0{^n~5V=?T>|3F+E zJB}&G+RR`u6oiWzt^U~m-mu?p6Y2jxDa+QoY5~F(I>6o57Wo_PI8(#Io;-l1{#N>U z(&2VJ$(STM``}7UY$^E|b^@i}e{FsHb3^YbXe=Um+EzZr*9(`)mec8}q4yW=Y=~UTBI9Z``pU z^;X@!b?H{|kB3sZ^1rO_$P{YOAH8y&Dd4RR=t@iInv{10b*JC)hj~y83XxnJFvO$g5^Hs>j6>Vuwz}JnqrYAW0D%m5+^+Z`T9{w( z;9Sj5GIxd&$<9*H-cojCH%Onw@)AdY9=!I}C*S7lafZ_!4$pZ8&B~5VC0RwEvv|v* z;%1@=-Oswx?=wc;t;&2k_I;8NbK#1DaGkrzGEKuto>5(cFfC8cN{|SZqRXzrOZz?s)Ow>8p(1t_!Y_(O0Q+;`2Pd=RS(CvzaF)!8HQc z0!nnxB89HXTH<*Qyhs%Ncp*3A=N?l(zhz*^Wzw(|7F+0206#GBwq95y{P<+ z?VPUU{zL%-Wj1N7jysHjVy^XSprk&UJfT$tu1BRL-keMT#P*imEXPt_En6jT?Q<2a zUIUbfBo4*?bu{l{L+zkr^s80jVtH4SA4EmK~)InigG&p=a7BvBJz=fnQIY)*Sbj+?6h*)BIBN) zm}Jv3b#R8*eS)&HelEAZL1<5ldL1_7 zD*)xVq*!DdLFn2kqRVVi4E{UCB{!gSS<5G6`+O%Ux0uZaWC{63mB!?@t{V>4271;8 zP$>4jT1@IJjRt!$q=Sz}P zqG|FLu-vvA|9`}__?Y|hHP)+UWpx{k588f=^#rV?#g5mRD0R)JpC{vCiiE;38}kFy zCgy@Yo!mAj4hm7uOD-(=ZKX2#2G%j)0e%25$*n# z&|Pr0BL;41aek8QF@%24S{vG!dAX~?zr91qYWL&vZ2H!mXj>~tS85FonLZu>F;pvH z)l9++ltE?vMtC0KvLudJ9ZL{lFUf|2$5dIbHIECeT=uXuYF7SH=jeBcadvd9dxy%Y zTL`NKtB+1;bi~-(IgqgtG33`;Djs1{{DJ&X@_hS?pSUMG~ElR{^?RV73Kb< zH(5|dq-jiqOEZVE_FWME-h3b(tNSUNCMl-sf+c1!jk-SQ*KOIOaXf#b1plG2-mea< zIK;5xkwleo7f+qw=3o3i&J#4CV}NSA=BGNh0SVXnu|#Qf-!p=h>4_ENBPwCG@QePh zgTzsF0g7Z>SD|VY%qsm*V$`Sid``3X&aH4r9Qc#69++DH$h1CTi zC@43l=joBTlpdEJ-M`dBTViyNP;^M`U5hdluX=s98oQy3uWvkf3fX8h+!mv#`>3Q; zU1d#(XYAU3QS?^0hhZT>-ADt+Hss^$uV}@&;Fzn|1N5lv{OIFeM~dQ=2QtF#F3_q@ z4Bvpjd0H2aAX85VdP0~5&r8Y=`h_NlN#<(?A0~B0$4hEWl=evkJmXhMcJY!91K5>N zg*KW(MMisJPf(KA)KMyBkHz!uE8G737N-|q1dV+7%kFa2&R(n7xIK$kURk21X%q!> ztOH{fhhhY@(x|@Mx$Mq8&9#qRSA;CvqH?uvahNpx68T!KdvyBdJH4ng^sMcK@M~6W zti~P>!-THTxfZ>&J5fURrR2jef_-&z19e^tF$jE>)=-OjzxUFhm=^ks;2?<$fp8rH zmHH|!wCpMgzb4vM=-_;oME6X)VoE^OuW^je5K>oYLCd)57CXz!ZThc~T0|_xTw^)Sj=QkGvc*fi$$4jp!+I)y{7|FSWcXqb%J#JvHmnAZF zX@_hmsBa*6t7}ZPjotvEkK>^e#yIxr?r4+ft!?^`Vdtl+m1312**FN6LEGe!L;FxW z#W=p0QkMmx0KPAJmB+T?U7fdCZa&grrc#=y^$xRto^|oH%((3Z*V&_spKm-!4CMc! z3WJA8A1FT0)+}*)&apP#ltG0O|7s{%&uPQlU$_6Z9PtZzl{295^~(Th>yLFiM~5@w z`wSmnZs&A(lI(tdL?)Am5 z@V?4FE*d*=jcA|sadv~M#J|Dlc2ZSuDTF`8-x(jE;Lzph_|ZRjMgNH<6-||aa!Sj! z`X#N7SMx$Y8{xej4_wM<;ABrN#qLtc%{DRHRXhXj!e+#8JDNXn-RK29-cqHt`8X-f z1>vj$KOqauXQORSn+uJsCf@d#^2DAM&=GMkH^XtfIm}45XdU0~ali?2$2(l_icxW2 zRqcz;0bQ+rRE4jCevx>SB-lUC;Kblvsfsnr*+8S&10P)TA>--z@hcc$L=ptc_){hL9Y zLnN;2)(0bP^MPU(JnfJlMS@0tV(u8wXaS_gNd01e>WMm7FV6;aJfW)LAdsC#Z~?ProXz=CtD@FwaB@x_GMj{8kGL?-%02 z>y-wyA%3HeymN{_Q)Q^-eED+YL9Ew6fBn+SN;|~buD#W1hxf(}vaM^-Y~fRPC?@N` zOvLS**ei>xQ^urOg2uOO1#iErvayv)=hD7CG_NSN|4c(4t%!)I!# zp+%q+M9~LCM4Jp#6n5flD@btfVq8BriP|MZz-z&c_XrE>vPa36Cn=^tJ@U3y;$o$$ zyu2wFJ&_An9_-^5xaj(~xd{&(V38^B;Zwp^bhgM`z4|B&#$ZGM|Ds_b_BWqEY6PM!5jt>Bk3Ow^{*WmQN=%r|i`Uekx=>+DeayXzM> z$V_D4;5_r+zgsj1Fosl}m4=;&pGeX$4*4<#cGZ9;$?s{kDPBcCG)ZQ?qVlO|u^l!N|k{d!d9 zy*MfHG}1o<5eaVt{~dgd7~=oW+u2Im&W=`(L|=FDI0aEyJ)#Nkzs;dY>fv{ej}Bb^z4^L6G)y1JO2nbWCy6~mD&54b|W{^Xp> zx+Lz)+g_wi6w+(+jX0SPJ(r&!!!-czh^v=gaGR&sj2b+l<-k_cCHT2_ zzKlf3WFWse`=5o$VZg3pvJ`1_8ZqYQ+b^PCt6XqCQ%dJI756yc%+)e|r4{%=`|HV( zcOyhTI9&ECn&ECqG@y}wkUtu|HePmZ#?LwNUX_IH`{no3cMyO%WU=tbPxUF7W1#z3hP!#B@F4=Rql5_!b2j-obbqu^7p!IVeR_*80)C-c90w zi-nB%w(*}(9H~u8z6-3Ba?2x6(7W%bQy5Q%S)YBx5nZZSPCzeVlS3I99KEYXqS6~9 zxV^LAR}m7bYx~V+1Ksjq6V<9=v2)tl`aRxtD17gic=y)ZVI3#S0fxJghjDk;&|Mj7 zH*D9AN{|8I)EyWj)+;{Vl!&O1aLZDT@N-}OdpK2<(NU#VonKYoanAW*>|Wc{q1Ix` z1#XMdmK48z{N;LXaO@pisqv|R7sXfrf;(``a1b-`2lp0xO2D`I1!!H~b8 z>*7I(NXtgV52%e=FL~RT_wcNw$3%&V+S88>$alj?_C%|DgCwO-Gt-J=Z~9WsRS(`y z+Hm-zCI)~CiOZEIjkYP$deG`FfK+thSEZn5{`9FQto5wYvNI@?3?JvA%7+?G9*$KF zqOTG)k)(Ze6E5mH`i)Ow+V#HJ{`$;3k}8UKTfCCHf!3w9HokwZZxlyx)2zfRQFZy3 zevzKc7pu$gdJ9R1eK?%ogiP?8DSGfxx(c`Pti*8sln4A0yvxnCpeOHuE3NWj%lNT& zf&UKvA2BX=0%9xxPY6YeUzj(Jim)8q0N}c8Dw)IK1-$f^wqRbugTfaELWgEd3q4`6 z2G8@RgU4A-&R;Qn>Tn>L=NK26g`>Rl0FJ-oAdw7-7khwE&l;SWKK zdXvi=mTQDE1N|>>NgW0IqZdiHO*i6CWe)8gj0L^2*b1j(7oI40pu2upAkE>;kjwHe=sJ*?ygVY}^`rtv@s-UYz3dXAMjy zPxkY&?fo6Sq_u0XY+>^ut3YqNH%yWz7Ejs&p0~C%3}J@p@JVNW_%6q3*oG)SZ{WsU zg_|@u^rd{47xCLRhHhSs0?09*OgTTS3AA;z^kC& z++5Wux19@v<&AWrGa>uJb_2+gHLFg6bY+z4axoWd-%9Au-dmUcUf}D?6GnNcoWWwm z(+t^9#F%%NVV023cx_MXY*s!0m>@PPU`XpwT>W<3J$xpJRY@Mr#F41z{+p((x>jx_ z2YTiASchN!F+TBX=;(-Oj-5iGi|=0{*~|J+P6!?ZT<~F%vgIX4#o3-vqqS|X=|4kA zjr%8DWa09JE=6v_ zibPw1aYZi?uL5iPOc56UHijaR^Eb#4!QrNgt3}C%>{B+qO9yo}lVu)EG)1k$zFhoX2je zMLQtiT*!3RKivB~t#m%}ZmV6#EF$>)2Xp)0>OiK+{7AZB=cLjgvPArHcQ}AO_>@iv z2d)?D9ExT=F??+9wMGIypwE7$f~!;NVs%L zfsP$6xM85|7#r$jGfO4Le0ys@e%g1Rq)`5D#An|Z10G+zPI5UVgM6L2FEclP6<4V` zzAxe&!)w~Kjy~Xjw$x*TKZ(zh%mKfj;Gi^nBbi?84hOPOPIXf=+Vk^}RxnXWit2kU zYi$Ke61r1HExJ+V?RC4H9{pd9W+n*xlkq!FK;)dXi=Sntsb7j8w5@hoWc&vwp2R2w zN847ugbVC?s>QlLvo?4{)iEuhaBf2_GT^5F5EcA$_u}((?%4MBtCmr+(FV~cZO7Y< zsZn#YC-vjQR>~@GbJrMNpr*x}2iwg&1`p4l1!>p|kP|HYR6#gBP~A!2zsQKHSEoJt zel_|EZ?g5qXJ6y4Tlq(4k5X7s-Rif@yU%ss)oR<6jK|PgfrEr*BIeRFW8G1hIreR2 z!uyo-S0#Rc!Z_e5taEDP-OTi#r19MH-}e@-Oih$HY^s+`w*+1@6f{G#F7za>YfaUd z_cjk()d%$XjN`hRx|CR!3coNsHw}3~?SKewWmPE*#>Z?vsXg2xLJ#|ZW}G=!8)nAG z{inT-E;rbp>Q#l?mW-3oS-k?INg^8W@q5OdJ1ywIMg9^YM;`rW*OQVIkWmqrp}u@{ zG2Z7?0XwqLNHy&Qcmi&8LaFAE!GH^7 zgeR&yjMX8V*DZQEcw6J!%-2}_my+B8nZ^iMQYt?UD-~Og?FrKtVXE|H8^# z{*;re0m()yi()r!wCMO_<})FS8&6A63lfHACF-D$VBVxaq;Gg^s$>{@JtDaAJ71Dl ze)Yjf1Ip=Mk_Q+}uL9Jmic~r-`AqAP$=jkY1PRgkf9*UqS1PJxy60|{v1GmAT50hk zxlhijDk)-59#Yx#8uNSX4dQtofxLSi=g1$9{pw zyFaghAWUSvI}6*+LDjVbS;k2YJ3e>5s01wx8X8ogU+nw&#S zFCYHmrfO+47ISJv{NwB3d;tCj@VVxcp5ut(Q1gr{zfgtiQOE1>yo&4`{iC``*m{wD z$P)B$rjk9bs!nku7fgdIEiUNWqY3{anUOyaY4ZGjX!T3Bog=O$PwLHdBI)OXJ58Uqz{G*V~P1hEe_9e%xLg3u?Nc$TW%Z!|o&^z|P_ z1$1q(H$ZICY7E}d0`MT*>XlpjZ1CKN2UJ|tY5uZkUS3YKa4JOGOgCw8S6B>GfaFqlVnZ z-Nr$|6<`oMoFlxrO}R1#URsiC7kEjd3l%onE;1A0pAM*OaE7Xz_0+uciu>O{^{{QX zgg~y?INatw>Koo7F52>&r22x9Rid%QaUdszi>nF0^FD(}dfXm_59f$rQ4IY8B3Egl zw6K8#61$JjcN891cR@bljPvl7Lz3`P8G98W_zyd5JI2Ix9mHAg%2eT$ zKGyWPpnbm-`2nxvbIrc^gHwI{UWIj+ykj3LSj<|1v!iN9PZk_c+nb}WjmJX$LxvB8 z0n+x+&wKw@lKY75r>X#^CF8s`Pwxwyo)5V8k*ECP1)2U~k zrBx`LLMh*ds7fY-&oSJzAW~WDM75^+QqSe%cDL+_-*OAGZirdtPiGIet$Hq+k>j(ekmTLU-QHy^ zDZUPM;Hr#l+N`>5d8?msmEm8F6+TU*Oh+=K?aYH7cr&WGAJ5}JPNJcgrm5A5e2=FP z#!FmG0rkc?B4X1wU3I&(`O(MR)J{Y`#Kyp zwmDYuJNCcf4xf=Pcc3qrEs775%6EsU{V4dbB)7mE_W6ifE-~11Wk%b)Gx&m`uS@ay z$k}$mX0*bBAUgNr6aCtVrJ4ay7Jr%PnkPI%wY^VP118q&obahoj!3HQXLk14kJr+@ z6%Q_$e$b;8Ed>`YD0}kC?lq*Me3<7UPM)Dh3@OD}&!KoZt9al|@0m1|Js>F$!xSXeA5zss{WV|^>bOLRwo55@6E|@E;OxN zZB_%(>_e5=FkC5IbW3LWWqbvGXLdhc=MX%>hZQb{I8GO=VUQX3Nt#|$h#Stk`+okV zZu8DNt+!=N6Uyk(VGxu=gkP~KhxW5l7lcv+jl%Uq?R!;ankQGms;X+!A?y2HxU*iF z;R2t#uF~YfPm(8>gQ*^{l{mdCP0Nw?`92!bRQUmy*Q20!s@6)k%ExWzc}R_HyGZC7 zG$%LL=3`U6@iTjI+Sle$;8-RUZ7#I4Hu8@3eXXualRh{XDIQkPZ>Ws&v)I&q6l`%l zPn?RjS)k7SXHeU{I|K8J*LsLBLk5iXuft@reyX^x1aG~&O162GtW)PZGM!5!^ffB@ zEaF3kwhoy3$cW89MiwP(UyMZ#hzPS zyOJBC^E6RCf_>(BqmNn_6I`-u*iA0aY+g8`Jf`x^e}@@~=NvqEA`bUSF-bq4)CI93 zzKZKA!dJ{4*^CN5)@`^ZZf|>v)l4dns8k3vk@MMx6e*Vg{kBxbQ2*9AFn;<^!L2jUJapLML*Dg<-`&$piC{Ae2Vucu7d za}=_kiHIXJuO)xx$$nItO2cPkV>42~O|9B~4`vc`&GF2vOkd6l-&G!zE%}lU1YJ-| zTaKQ1{+Rl9))N|s`hfjQI${=&wTC5~=H_`ywVic;3|;FUNxyeFpDKD%<>6^$#g#K7 zry#h)4Y`mL&k@NpN8SyFkXMgcXiaHn^h0z=LR{xsZp@lDIDU|IZu)N zu-FXahpUk@^`+sd)mwiGPJ2Kse{ zdoi!&c7mzHZJQTemu%G@gSeet*6j6fSNAp;NRXNrGlOWpa_XGPA|nt(3&i*#3nkT@ znpu~^LphI~x#5w_v2o%oVsjeLP_uhRuauUSqp8LE1>nT}!;*gj7T7uPC}7cGWC5zA zScG-{E<)}={_d_o_xVwHQtstahgsUSiPqQ=(-Zd>dU+t7qSMY}+~h)&s!j1r$o}RV zo$L2YFR6S*DsG}AIIWe?(^Pyq;a#@uev|Tz3HY;Hb`=S}Bodo$b@Ptb4DoA}M?W?x z&D3HB=J4bS`3FBxKRICZF}U6-Yw^s7hB@CKwjtDD|GIQSNXJJ=?e!b+`n}argkD+Y zg+tLT5uH4^((nb1aiT^P7ZK|MaBu(aK@J2sK-Vrb2t^@vO72{_4V-}^uYYz23y;5n zzwGZv{RPLsR~JRqB>$_QMWlc4-%aq2@JX*LZ@Xd#9A8ODv+*hq8+iWd}67hw;4G=6=3Q=}v99`PRlm4hw?_eN{ZN8rm?w?JL5kOYUGyttf;=6tQ~ z;(tDGjhn#T3jkq>-5)?m?RG)ML_>fNFNeUoBsqWOUp$C)A*6nf;PT%Q^q6E?Sillx zZw}esPtO1J|DL4({UqPtC%wMyzB7g;uBIEiPI~SA4`qX+XRm`50BocP3x-t(-0aqK z+)eFvG+~J$(&UlH+*_=6!upcqZ&OoI zYmYB|GYN&YC)g|1KM6c||4_H}N=t5bOAqg9c@l<2L!gF1oNbE<$RYz3Lcel+4zOkK z%D-ZmxH+!^SdKgV_ddT4evw$fc?*}Aw|F!0X201g!@lAoF*@iC@26v@l-Z;E3YRaL zDe9FNYTE9g6-9A)tlvQU2L=v)d`Q=blu-Wi`qdymO^?wrSqI4oraxLT3-taka5eZJ^Pa?w6`Ke*hP<-7d}ICO}72x)Y~u<#`C z43h#p+g-e{Hw)Bhr9vYVi)84egap%H*6Vs<<)JUE%weQ?>8ckKug>@veFqY(Py!?u zF725Y^%_}1%-ua?3^ss%Y9yIZL3p+ak(1a(te-wu`jCrOYn53@4J<#J9Qey?kW%w1 z;Ky%_c$yyrf4zj_#j(qZ1Voye-8fA9jutT&N)48H9SDQEbx5!bSovKbg6s?R8lLt* zKd6q-AacNKoxL0`Pn6 z#ihvdqwwhdIKu2sT3&EBC`EPYGw!kdU15kYM!8^H!3c*Qzc;7FZj&t@6QUtN&dWqS zg|*+;iE^HzpipS5%i%aM>twqTA;U+ za&V9D#$?;wL!mK0o71ziWhRZcjGqOGcZZ(x9Z&Uyg-OZ0brg@+lTu2PGH*9@0B{R6B!!{* zM5DozJm|}QZk`4`d*mlIkJJz-ywt$UBt|Xbh8xcV2V~%VfT97Tb+XtOi6IRHt?jAk z>Ei%1`U>d8izHgZmVq==YU^lT&3|%EQ6oVYN774OPHNFi~S6lL`U+ z0@_WY&TqIx4c2RW&JybHfi~T?fb0RVHbtkV0aE$X^b!;?2Cz+FndfySF`Xg5`~=L^ z&)=Q$!u6-xy}xYltf)~91HuR08uP11zkXrcBbSZ=wu$hvGS1!4uM_VcZpC+NgGR}K z;k|#h)dNdSYz{a*CJGg36O@%+((t3fiNGbeluWsS>q&@G{Am$yM1hdmgP||EcIIir z66bHnu7o7fiFd~X=}@9n*DslFcA*0!CGhw6w;xGW?DC-#Fs1~gGSnf022V1L^-=*v zz(}{ApEc;WyDZ12QzS=IbmI6TlNgZ5qublt1Nt5zg?Gj7$Azj2Z-AD_@Z9j6nM$i3 zxfZwC7(j)1n+wh*l*Dvi9n{DhETui+S~QuxKK5|P!iF*imT zVEY|XM3`+4O{FiIJ?2&8zY8T}47sQw@B|ox1ty$gXq;etGyY#I-w?+uaSK{S=ZTifSTrFF$;Njo!2&-a9o4+o)=>SxAmoX6*&z7 z!xs`a$&-k4B*2jI9hd=kIXCU)w-Jt}v8YGn56XX9=?cD(3pwV+z3W-A+#`-FHCB>M9CXxIK zxUQ8GRUn{N@!DP0pz;76>{74Y^o!KMnXXfE3P`!sTDFQG|=3Z=x+awCtS=*x8Gq1?SLh@;0M z4gie2U=BIf&oj)sk8-E;p$(*kC_*%GiQbx2zo@PRk|uT`d9#}z`h)P<8?Y({T!)DkT=Z9Tb?kmuw=_riF*r5|W}brw1R zX~@(RCXhB#t}mQ&qmdU^26cJJfk7Hv%A0PkNT;=X>n^VY>lCfA+JPQx*w*X7NMU5y zo7J@y==NuHH_jAmY9 z!4@`UX`BuSVMv;Uf{Xy106nVxA_lz3H3nIwu%_&q*AJ_FZ&BeT>Slv18uX6ORR|KV zKT-=ycG|GPew9lOJ2pqxI$C1{Sxg~g77lpXMY4!2_Hl`NM##7iuaGV=Sz6n^y@(fV zL@-{(5kQ@YW5LnRBU~_77*fHd1j}x|CQB?mm)GJ_?#;Gr=Cont;^N}fW`W#DU>Vq$ zs=1#Vkl)3_TkgjS~iOAWpH(4D%(gDGwq$4Hkt%qe@Tl|3+R3<#ch{L>zU2F7*eE6ZUF@koL~S9B?8 zCEnu`H5#X$&J{nz+|&T_>?z&ivfIi*t9K%Da$3R_%%fC+B&MsdD#PmI%}vmEeh>s8 zN=8-8Sa#wCTke9i0qx8UJs4O6?t6yHPsOg4M>Gv&?3R9s`=nV6L)$+wauhi37%90n;WTVAErO5_WQYSE;+K zAQg1AVqjaH?DJSr3ef4LfW#@_=We-_ZvNMYLHg0%3xMR>Yw=?o6(_3kmbTaS13smt z@82n;i-iDRQJc?ty433EhYuzNx30O(hMPUK^5&#(nad>QMr&~ zkd5Qnle7G8H5d30Q7|jJrvNr)iZ}RhNIVc7ziwjV-9*BHG6RR?150MTac%MRRec^d ze_RG){P;mY!;~s$Cb6@tCA`a5LVqo&DU}!o%_C6}ek*412!H{pJF7&WM;{~tN|?Cp z70?BK5iBviT(A@%0FUen+*_W1c6a%mGc2Jmk`POAEakt&l+L4_0PsyhwtG62v{#qw1`Ab59d0<6wJ7HC^GMA9urtEN{t&W_yIA$K?tsDVGH3#RwBBs6;*v!F<|3^R z3P4kdl?{%=IO4Sj3I#|-lkifN#00u9J|Q8Y5kPDWFR3)H=Ky_EFNM0>*swRy?>mPC z1hi3xgGD3>FV6NofLS0AoQlGmPjt3^9c&O{L7j}>^^xcY4<1lLf`0zk-Nn_;9+}MK&sG?#uGos!{}T_exS_bE3Zbm&bC|ti~fIHeRWt=UG(lS zbl1?`gP?Ru4lOl=h=fuSqBMda-JK#x4k(BUh=O!CqI7qMNO#^n-|yb%x%d7j;GA=2 zpS@SS>wVXX)q}$shKdb%1`PS{q;{YOA#@*oimpYr!-}|d2?)cuQ_twF(K%#R(lrAF zUxj2f^u;%IuLq7=I<)-IWrykpPHIxFa!DH*^W_{tj0Va`12}LWu~r??Dg@ZtEcv=u zqW~Wn3IGw8I?DLxi;Q&Uk9WYJ)DlRO=IA%=2D@7r=)HgTYbt>Zoe>_4vfVA9nq!I*VIi05lAh*N68EIr0lkISNfj zhO53s<<)}C6bpjo=&LD*}GuGH~CU7g9xw(tFfhZ zur0jR(7q&kats~~{tZ#LUgIpW{6^PD>4A-S?Yy8R<;~T32R(FZGD?{2Xz1!bidNK~ z%x$HcZHysH+LPc>sTuiSLi^9KhRA@6BMmKW_MW`IIWn&)q*kMZ=|oqfo@_YWA=6gM zKgK^AVljt*y16{vjVV^zoo`aBd_KzlG2ALX0Xc9HDf9Y(m6H>zKSx#x%xX}X=EMPW z41&vccT@ILEziK*rhz&yXQ5RM^d3xAVT;Q1WUg|ar#7hiw1b{>_HwGiih%Z+KUfzU zsU3dU#Rb*EtJt@|Yq+VV>9m*P2I@)~{Yj^@{!k$%pdCh#*v@V>hmCe^qHK9d$bq7* z($Z2Z6EY3#hWcSE+g|DcdV*sj?3dXOa+gvh2ZF880nM{$xfb+b;qE&FJ|SS5M06!) zg=*lF)`v0QH+`mrqU6kr9JDG*gU6l$nBQc37R1^}oUkc6Nf*|s3KW+gIhPzlG55-V zzhdKkp{HKv2#NMn_9S**R@cbl?fIss{1Be~ycfr1^Ol#p3ZISjp2AZZkq{Z>USFx~%7LSm09j3M~6{A9yPBH?ac=nty zf(_gVT1(ToeJbAPaKSQrRxjYrPfK2sFr6ij58`Zr)GY~aF2RV}P=41p&el~}>w6+;l?H(nw#(HNH49$d8L&>2@I?2rD8Oy~c5 zpFH$^j;w4Q2H@4M++^}l;*aa^s9lFe;kRcG+q{G@3fKTCSXAlUQO)@OK@k)MCLk7N z9@0M*G4))QBQPp36>xvJ3K0d3B^%eLvYIHGUY;*HPsp zEx5bebW1(G%w3TR*F(IB(d2RZ`vYJHDdJUJ65tu#7?N(6P?Y5kwUpO?FCI5q_R0xg zq-N>-S+nwnnsb#`g8(4c#_3FG5${M-K@YKixUTEEU~Z;DgHW_n11?@aiy$WvA@uIf z!{{(}HnQ_4++?KSy8D5JMW*(jDgWgt@xa_Ip`FTsKQlhAUj}kgzl$q&pP}IzL9ENCtI2dxC%A! zw+=B<7CBf%AIO|Z!9-cuI1z(55g5bP0uDg?q6-KUa2n7N$J4Bhk|$uG?_H9jI-lb^ zz-@(#@kSVZ;WgL%S*rxzIE`AA3w+lq@UFRtD9$l z(qP>9cs+np+88OOL{IqvDXQh=$-ku!FYW*{+X;{b#o;8|zVx7h0i@w)Lk&Dc61z%! z!{qm8lsvjA>EMt*Pf^YT^J|u{oNC{3au;4~z?`FxK~AV}!O&%7x&B zuSf}cVpL;(V(s69(NVp0@KH=kV(=OW_!QMaq{07$&g)%`7q^yz0AdgrK43$YyF-9u z>?RoaCHw5|M%eW1tho(T9SUb4qo4=|MmOemi06_MM#X0Yo5b#Q0!6R(pk6QyvO_Zf zm}8gSIoW;L+Hg*8Zjc}1&3<`)2ttsi5wGnDA#xs&q1^}FV0pfiH8wU@d+)PDq0rE) z#7Ly-%FT6TKQp`(%#b8-KzZ}VAi_fP0hWNU_!Mw)2UuhF-~YOkfH`1P!`{Pip>Ae; z9bQ!Z$zJa#6U4DY#Yq}tJ-I!2?C~d(u1j0#+4Y?Fc<2pVUjOD?SlnqQl9)j}^4$U0 zCXw%U!3@2acb8zMP)so*fmyZ{z%VY?7oLfcpF&%QhV=39dl10?ENpDhN-2vT7lTnw zppYSOTX7P^X}dY}k=@kg>dci*XmI+2gW=%cf@p{5l=#@A)*$$>2``;4w~pw3fRv}^ zH)a*4xRbPhcu47{WKafwvi0Ku{F7X-ewNH@eH)b{J%HFMW=tpYp?6^%5jt5miM>|! zU*r|euYe$^=xR2x%?&AHRFjSSgk`a2tU0(7LHYA9PJMm7;2X)i2Epk&N*Va?^-#1WDHL|I_2`DD!{?6?EB;veEYSGmV0LgT}7yCj6 z>D6gZMMchWSJD{xRp5YH>MNh`RaG>9S&Yh_+zquF{rr$U6A{q+mJgQ#zc&(@RRPHy zdkVHJ1;_gxO3w2W6I)zPRpG@M^Ab!gbmU@pH3RXz112v5r*p@<9&yFiw~{ z=6Fn4q8*DOK_Q+dA!K2$3)Q_h2q&+Syo>YsP)SLnx^GE z)f6BvBO}93<323P^Zw3TzDM_xT=Qt*e-$#wk||Bx$y1O6V!%$22Y*cP1Z3@~)0j4~ zU+66Js&j)VkbLNz@*pOj!wP!Ah13MlZ?m>lxlYq>cSkLSBCI2Jm~>n^-!K}9?fi6x z-~ir?txWMFWw|WI)!njhvE1+950yTak1bRy98OwGHVy^3>~D|SKeC_`D)26%>4SBx z2+Q`6U*<6>5JHu#$Ri(&o_40qFpV|Elegl4U6Gy@!Y7*dFVXJjiO`J9pi{SnMR z|KH~@{`IJ>>rQNys5nL9!*iQ0H29$a`6piWit@E+2WA7n;{Pu;K6g)&-*4!Ffa-tQ zbr$5=Dcn>spq{gQfj@Wc>g>Tay0*aL*iZ$k7G5hed9eUZ>9!WM&zvBJ5Oi}e7R2Xs z1ztdW=sg9rf4D#9EY2%=_b_64|D2=noWJ|~IJ&Ih3$Wz+??m^=g8^7G&;SO9Z+vJ1 z0ixosw7a`K87#-Az@na0U~oO^`JWmIvyw7MgxOv#uad{>sp%P0M88&@)g0b2^M|y3 z7#@6RMeg)p6w=I!<&lu5vo5k!P|h|(z)UoZ#_-ghr!pi;{D)bGpmaInV* zgXK`*<+au`?=|jw_?xGQDMZGiymL?l1q!TyQ? z@|%c-K&=@oHd#STgP%adYSB8iVMRv>w7V>ZksP4&%AjDe z*WbeIz*bzgsI-We9;ioY&l;ujT!UYn&eOTZU8{Kyi-I2pd}u(xN_P^z%xKSENDsLn zpn!nb=Hxt&vRni1Mk`K~^1@F9;sxQ+`hHqC>%gGFZ{H$bQvSbTn>=4ApwhhG5`BHJ zk|OZ5aiv(NmW81-34a59Vs%`fo6|K6=+mK&v)?Eo@GEe?VMBJIsmSEshNc)!>e~la zu4Xmni`^N4{P^vraPQA4{9P#_R?sGp+E`9RESFa-ll2pdZA-fRE!56S;G|YeHZ~J} z$vET7ohJg_rzXhR`tU<&Av!(q33%!aZ1>o>0mKVwrn;O(#6lV<*e2p}>Ve*yC7jf! z=_FuT@Y%@(P>F@o**@n7&sMQ2|DemFdFa^3N9kHqNp#khBakYbFvt`qk+7MAy9J9A zx;fHrmBvXekb(aEK6_pza?h~H+jT87J+K8`nz6;(SSS&J2-6q7c6!K;By1LiP-Wmz zMyj$FaZ=BY>dfBsrlJ9(=)f^V3+{wN$2$RA=y!B%myQC9ECShZPG75ehz|5Qk;)V? z+{wm!ybbih%fHegkP^T)m9D9)%k{arlG62D>WaXJ$AXo$#Mu^ym_k~@9db+ot5rc0 z>XCfy0!U-!dt(Rwjam5V>=alykrg40O-vfWD8db8Nd01vzUtd$8>kSPBeHAl zN*5>+$Z_#9%@mL)6?Cz1fW-vJeZcX^J&87~6?Il4R9>-;L6MFu69q-9LH3HI4TeX@4(5;@h6xj3UD5)9ud(1E(%D2fFiF zgG`VfTkKj=Byc~`!s(p*RREPVL?rx2+jvpD+khKhLDC_%e{7bFh~G271m}{>^}raPr3YNiz)o+$Bz0|JfS;19ed*g=&y-CkfEXSOwQq) z%d!5f726AQ3&*&R;T56Wx4#^GtxT%5TeXJs)_UY^;uG;XBbx;fEe6>X?J3S+ccV*- z)2Kmh3w~Jb;-_7c)_r$`_>b-7vlkO}8|yl8h(_FA`(d7 zMjfUq9P9wB&}oo;)?x`&1uU7?ZX8h`ua$eSitv1=*LCmr>2P)(=Dc0j+4}nOTkK9pq+;V`^B!;1>6+tfVM9}a{l_CZS z8HQ}@+sjM7;3msf`0(G0mjo{!B&~uw`(fpTDk@(dzzu4S1Pacsr@gMO&MA5IZ>sR* zWMr;r&IeZa{_4ZMiNo%xsS0^|f+V0YwOq0=y;}+i&R&o@dh1_B3Suk+Cbi|vGM_I> zy*vL!FY-zU9=|O|k%3B|2%vZ_`ZcJnj?_B+5?LQ`$&B#@N_Me>nOvk5U-(LU?@>^b z;LCRT4Y^PEg`fS7)U>;2xvVcAoAWOih>;dI<_f$I5AMF75bGqF&#r#8NUx4Op!&n} zofXs=F@UP`R(P|_*AGI3=>muYF&B>SO|78PT&$tN;HB^yl*ZzBCxdgrAEDx<*dwci zB1O3{h|;az?JZFJa>1@76fgue{P{VQV3coRzoE;x(nT!1nmGKn_cz@5E2P(uH>A1J zw4p*O)}-iPHMbb#HG+1&9`K#2`D{jT7E zT|X9x>M##G32PHKhb{t4PBn^xD-v?uPc^K<)}PbQQsGmdkwLdx0qN3Y~+M9>MOHWFsQ56kKh^E;**e`vFe%e%B<-%d&#De>S=| zbqRR{5N%_``)jL?GPS3)zo*68f_n(VJdo4{w$^-FOyb1XJV%rUpX{X{9>983GE+Cz zb9rUI(myUow(pX!)>-i+>hu~V8V{h-D`vL|!#lBH2-f=Nqo2zXSmbv)>!f?!+tuL& z?|#Xbx=hv|5G58Q%LXy5?<{ssf;z%?mSQX%xED%&BY#`}?SsW#w*WQ$d?LhFMR5Q* zK@oX;cd8gA^Lzl2u9v`vUkbYp@rufsa z3?YmRO1%EGy9_KAJj;q!sKosRIHxEzK^T!CqD}M_YQTmV`x!h-RWhoQe0RP+qARq< z>ZP*Qv$c)KpB&9;5_aSe*3+u#B6FB&$NYO29gZW8db&28{#ST0W)h1{RwBYSI%V#t z1(ivBzk|4wo7QAw(Uf+p@WGSR`-R?6Y(naKFEFi^TV_( z-CXPO;%vQFx05?fOiI2aZA-*+pG*oqk6HU1UT8~B-nYE1xo(=Nd(q-H)8L6)Dq>z) zDj_G)Z4N&w4@a28BNw4nVc)(w2kBF3M#Z-MJf0rRFQ`oKtmx@t5y)vEqfpEsHMzgP zc#S*a@B|k-dW~kfWoU%=;{1nN|2LmS`c(d>&|}llaffiAnv>J5)0j1QLP2;TpdE4` zTs-G)hn6egV<-`ZX-BL{25icJl1O?`E|UlZ z`?}BwJZV(uaC`z%}*(P4uJs z^3gh*Fo~N6Po`lr;@c>RXIlS<3y?uU7{&?HWs&VTQn}50@$q|-^>~r{Q?nWu>=fA< zply397tjJWVj}lT`Z$)2P_u5tAQUj+o^@+teVq#Sa-PFas`z9V^gxXL&*S_%Fi6;palJ%E(C)nGRbi^iK_7_et_uUUataZPY00c{39Qj;r``J-dt(YZuIK@H5 zLBl?)1y_`cjt2i&djUx!nmR$r#fppCuo$Pin>pwz(_9%)mKPEtTd4a!%tUNUIiBDp zrfwZ?qt7)3-H;tDVEiZllf^KA^W;BDXr!NifDrUJQsC5nPjm?-WqW-Pd7J`j6$x_Y z1Jfvh-n7Dge-8to-LyRa{1Nz@mUG9ur9ttF;#8Lo4`rXh4`}*$m=gzg3OX84yNJQh z@x(wiPaNSd8;UfO3!p1)GXvSH?+5iHXhBhRUb0H);?86(u6to$OObAF`zid;<@S%? z(ar>J$y8-)p;%_9f>zchL5vACTARnKPZeT@W7Ypt7HIRxO(v^?t#9$Bi2-r+$E zc5}_aN@x4yQlQL>F}f~@i39#K9F@o5{f-BlI86re@=g@CU!NLXjKb^C4m}WqvD!i1 zC<#V?`A~?6#L~%ObnsD82&}}U@i+Hi+UYg=XkdMv4=Q}QwR|>bVbhzgvA`t%j7Yyw zJ!%nC&2p*2b)q5Qon*}C=N-?}rCo7!vZaD@FquMWCw{)*E6w~Xg_{ZWv&0cGHY|=W zZ{uNo{M|+`JO&VD&)Gj{p5jKs?nKMQUk8v!gH2*_^dU*oYmpya*17kut{}vmhu=(? zRAl`+ME-|u#M@`uq5gOsS;dDP*Oi$@Y6U*pf)%%T6;AvOfm)ll{ycDu%@#7bREhx;dFEc|5mF}iDLQE5!Iu7mn zEe*PG{=O?t&F9Pjl7Bk>)v<|u})eYPV^H23>01|Ra1JsbbiYQ}Y)+_tQb6+JPpRCW+ai7Jy* zNyxELP}`;#pi`MPqKF{_#HMbz_6k()+aVWC!w$>(QwL;P$)_peUaO~>R5Y~W@^ z@g099%7h$y&FcM5skL7+SnSU{gBz_lkNha*E#v|W9lC#Y(~Enhl-|b|RJF%jk*T}} zme+3bW_7MqA*v^oLc_<`J|v-@%W2iFf1g&om?w(x%4tsfce7_KN|-tB)b_OI0DP4m z&r}8zukWg-@$pHInf>Ig_+iONWO(zmwa|85r3%pG544S8_=O*nPhz}9Yci>NQn-{T z4mrKa51^iWBW+<3>*U|qAih8Ub;#t_SY6pmQ<^K$MW1NjUl=J#S-O-col_`_Zzz}W z?iT>KlxXx@e(usQCLieEoSw0tDGUB|o+IfOi)lZV_q)RCwasb@(D~o0%(OS9t75PN zI>InjM6u4)^OG!2YCG5zX$ryp17nAjEwPP`e*2%_9!(AOXuvnf+WE%s6{MudQuiIH zzKwp^!E^eH`fF^K@CS-$B{dR@rvuF1uld_nzq}i8OynT>Cv%S^>-y-NQvX(zVk@dh+PHzu?HkYk_V{tH|G9=3!nUyI~7mLYXad(r&$e0YCh(2tE| z%OHoJ!LV~CfI9z0vD=bS)n;k_HAVxD8Ys=Z{%leO{pmCjC1R($JTyu;;p-v*ehd<8 z{G!spH2q4oz{t~eb>w%qXT#koF_kiAzrCYL%I*8rxP0|v(c*@P{qsYfm3~tQrZ1_` zL_rq<#SPPCmTf`#MF_QeN=`}q4P@%7D$x9OF9}iZcS!Qp{3o@17II$hpR4(K+>9y{CH z!+$c9D6f6ZsPwT15jXzh)DkKno9IKJzG0*|S7UOOPq0OGc%Fy%CY2-iMDm=WZe#?< zDwC5xRs#*Hp4dB2>*cYc_MZNrIzL#UdHMxplM)Y|jj>x4X@vS6yd(9VxpaD_T2>U8r7j`rXcOnkVOD_Gv7mR|(Yixflz{Si$cME0deW6M&-e=nb9lx^CjV&#$;}Vz*d$VdsQY3I%uKzPXkO9MJS8Bo?uK zdW6a$Bj`nLPt;S!jPb)P=9_#4zT=~Il?t{GK9nHM@ERj$O}(sl+!Cx~ zVKVKR*`OE4T>BK39;4A_RU9a(;;ip8r zb+6N|BfsbUV`J3J%*;z4%K&2ya2s(pl)eM7n-vbn17PqvQP@w+l7hdhtgx+^?*(2l z;PsuaT=Rk2c^+tMefn{SiD^OZ7cpqCMQIR=u9Y7RbN>!~P2o<&aG$ouedPw!KrU4X zs7LMJaX$$QCZoHPWZzXcskVJK7WEa1rn%nL;(sV_XpjS>$wC&GPP2_s z);tLoA5W#RcJP|tl|B7t^;>v*qJl=?X#*Ku^e-M~<$KaqPSeKiH)lN@Sq)^2H8>%m zR=X{;wD+x`Q(jdn3m4h!l-7~0=u@(K=Up3e9fc=H7pvkZ1A6M9)KPh{3gbqz-)^tu zIK_0MA3Oc{_F~a3tHxJ#o5JShDC3u^Qq@N2x!{BY9?&P7{a^ZIF_V!OK@WqzB=Q6> z1ATIgGb<2Uj9fehOmzATekZ`x?GU6jC9CjBDpVvky3e?qUGAyhbM5NtitqL6RVS$V z0D>yllb?>`rE!46XbtjP`{6?3sh=-n03)PrdfK#Gp-?MhZ)=pVFH4FNAkK}{SLFYLc*X)oG%$b>)z3WS_z8qNw z5NpL99LwKcag<)pUJo|uzSK$=RBSh|cCnnP^V049Q|-De=(eI>A8^YI*e#YQ!3Cu+ zHYno;ORnJf?Jm&#%f(_^PjT?I0%@v%0S1YAR!6)Z$#pHtA!LnKs2jUtjP3Pz*wU^q z$#!d2m`J&Q1`F71A;74$2XBkt-Oi82DM2A=2rk%OdTLJhzj7Ma#_MP=URIbStSUDk zr#`_nu+>7u6pF*oy?8~x7so7Onj?q5Q|HL|@h@GTT;G4?G{rZjQ>{hI_OoxcT3F#q zE;;bXbBpvZcZmz|a}!>UaZ2}fEe?&Eo`xbSUv9r~CS{cJH`e+k+`g?y9c_gOJaex8SC$-Tk}usOp78iW?mCW(xinw$FZ?#y>W<{jpt3;`#WNaL*pq{568uT)rojz3nHC^rr4@S)tM%HwSNbt`IOa`TI5CF^ zDQpMOd|mez6xm?e(w?o+RD8+;Be(vmy;Nw96QIJNsemd*O4om%{Ytxb>)+kV->q^S z*Qs9+wI6`6$osbgdajWFl{cCov9`9BPfP*-gXA2-{HR#@fSTa_oMEvo-I2#e2%F#L z4+_?^D+eORLEUb}jO1r}O*$Mz091Rt!>pbpgPnzQL{`T=IKuY+&MM6}jQM~og&Udk zj#ft#my#z|6wxt{?nQRYS%+(rAr$Lm0O65qO!W%yGDzC!SkS2*tGocF5i@?ELObPL zJ#iiNosRk;ztFQQd3NhZ`47mCHdZ1P{lcSd%jT=OU%mD@OndeE0ropKYh=TFsyAc& z*CogS@$Yy4Wkx#~jD$B55{5NKF?^DxCcq5RwfIpV&K?9gf2EC=n%JHX09^7qO&1|r z5R1ez%hID+RRTvxr=S4Lu9?Pf{M`m${KW(-Rz9dJPgFVQ0-G!>DJ|VPI{I*i<{k2A zXO;nAgj52efEAQ}U&3kw&ET4;abMnAwMFDyodP@;7HncsiiIyWyB~V3Sw$X8>WD=j8rF8Wea?O6hK;4|WhOG2gBIeLz9= z%Ji8>`NOyE`H`H|zv4)tiHO?4 z`EIYpz9Z`S925|}&-PI1V}^h}-uGTi^D6d3Sfg&(lY`C6ig$9OYQrB!ni>H)tvdcY zm(VQB^<_>@j@1^d5-?Z+$&Gu=bz<7UjfmZ}g^r+2E(>rnSDlGUejsVv;LitesiWtW zrf8~JJl~IYmiu)fOLWAD?QeXdZV3WFnosI5w0W}Po^t>zTU^Mb0MkM^sRPul%7rXP z_h+XlB457ak!F4Sq!FaNUtd;!Z_25P6PqC`N78~Quc8lO$I^3OMXv}-=mr;& z=Bm_0?8y6_iB5SqhZOiGEcIsvM2DT}GRu%p*UUB@LrUrD1ty0kSC;*pmKERt4on;ig zT<^_b7&f!ZGs_@oiVZIuAB@A87PnkEvrOL+XNdbN5$9@S{Uzb2MJX5|8~;x>WZKIa zWR#ZG7rPH_erI79gvY8hm=NcWXcW1YnKVILB2o|g`E_6G4+y+LAl}v?IXm;W|I(B$ zuZ?B`CMveu+V7}}&0#isUoy9~o}h7o`MmO%9E|e;P+on`uG!4fP-TK z-`D?;uq04z%#=}%`IIWn1;5?{;>3F2OJ>k=s%3tay>!qMcycklQe9ju`=_cG%Y0EC zOiUv^4+VqT*%dDBhA@;{c;sww>f`Tn4(_$dY_wxB6ROcnPz17peX1IlP$(j9iqwXaJRTk8V3Y6Kl$ z#s%~m6sgQ)T+JB~S|2qsFP6SW-l1~fsEf?s^z^vP#Q*54x~nU@7jB)75P^!>v3Bl# zs>dRBO82Kp_Ku$>h~NFkzFZ&z|9QTH$eHmFB^&tZ=s5VNx~JeVoap>l526LJU$^dj z*!$axr*Oo3A^z%zG-Zpn!QgJ|_=u2y2Y}Lr4Mb>rNIy@y`o$n?v4mK+J=9@gz zoTzeQIhWNgGYH_H@~i^hrv2el!b|RSsY%T9L#oJw57|u~B!8~!Vv3O!_uQ?UaTxEv z#wv)2rzv{o9^M+*lnzh=SaiE_>dWRXq@DH;c_JWuG*?^P~~_Xi`I%~cJcRrew`)Y%NUW4D03OMItbab9; z$U6`5_+pzYKeZfA;_fi3=It#xSML`WODAmkbb;-|El0z4E=R%is>VsXlmd95^uSFr zd-f>o-;=on7BQP1*}iuup%t_HZ!+51rv<@M;0fN%0T7n3&;6s0pXNd7;$2LN_v052 zi*zT-?HFE|s__)4Ix9mN77;8o0o&97Da9G_W6vXgT&1l_HA?6 z&B#rdZgfx~CK5%dQ>c#1bvNZ_{UtQ8wCUcpMBydTtsxfzD;_{s%WJEvT%ErM2loR& z-AK;X*4ApKwYAkm;PH1(w;7OiS?2&sppX;zV{TtxpS17m*Rwl7_ZR;`BZb0I$O*8} zcVryLzQUK+(1b20aDiDFS=oYEQ>}fZ)}KFrUIW>g6c<1Li`bf)*Qu_D2M4t~3kw4s zeSKQ7nc&+e6crUcucr*6M{`cJ1Kng(Iq6%Z)vc6ImgcwuL2Yt%nH{KFA&+sMD#k49`}QIXwB^)VoY)dFQj4ETuy7dK)FEE6FhnvHbD*{r?u{>03~ z!{ei>9~u#{PD)BDzwqy0Lt9Tzv68p9_e*#8!xqr1zzzV>CQ~yrSC@dwDR6srKJ2!? z)FC=&mL6D4(G8EnjuO|vzFr)Tsr075y1Ht09Q_wK#SxkyPQ2Om@kXwFZ^5VZ)$1^o?rpUN6`w( z=Odr~<5_+}VkjyqcIU|6w}UT9)Vt29AS`Wd#qa$gJcj}zYtY`_9)97G=7TOygF;jS z@cK|i>CI#Az^@P}hM|$QYLiU@27g-PDWv)7P)s9cplPz;fTn{|<>kie2`|KX)0b1Y zLM?rZm8sXnCYfXwrKzJ{^lI)cXP7W7H4gcf90JcoOwV8M$Q8VqxDV2MX^{L|&5VRv zHG%DvQdG3AZD+Us6)aiM+}s@4;2Rt8&fmX&X~t$26f9$c_tylppd_F;J!}cu8si~<6IRV0d zMk234p%zGL@|Ds)%~8q++*APWxlo)0V0v$19jIF=c1?b6XYU(9*$)NK(7bc8TfeRH z;_x_P{I`)2-izsK6EuB`haUTc45b}wa^t#^F?yzXC@74e@xoMu*gch4MI`TU{v zn|Z&}S>sv{UbN^Ipjl{v>qLbE<(XrgRUUZbXV<6mLeEFwhF^`zK?*2-sQLCz*v<82 z<}Z-X(a2vPQ3Az{C6)@n#e}Td@sMvk{*Dm~G+lkqcsF!^on$Dc1{ zjr8(Ydm-c!eiuiIr#rK*8v|@0Uj!2vf3@XFu_tz5v1=g7#2O$@iY;fe(GZfU0giBy zL6HR_YEs*DZOXqWW9&fZQ5?twi3L$$5u~ERszb_&F)$25G0hD9RkF^Oi1Bzbr{BS< z(^0ZhNR~DRa%CY4+dkSPx?TQ$rbjTl>L-^wDe*2(@RFK^#rfp-`k@~U3rlW=vyhOG z?L4T1a!&T_fV z=fJ3$oHKx_1?63(Zpzv(Uc9IQA6CJ~$Cn4vmhByYF7W)D29k#-=Roa?3GR?r=!x>R z@mSl|STNz^|NPi;U;m^&uFtg66p4nXbmgx_YhV3~CY8S;>xiamJKJ9t@;!NBoqAYu z3$ji@`vKOYjX}%=*^~5)U;Pdf^S-+c8acRgEkGhv{^s0`0}j-fQ4Yg}84QO9mACsO zWda)Fts zV9E4I`s*FrL!Ptn(&Bj;`lhS?w72?_R|%Sjn2AgzM6B?>Mm;28`||hzX~=vnHg;1L z&_*ok>FL2@Z0B#z*K^&#zp)QjdPMHsxw91<8jAJ9d4GRD%R0P&oq>sps&a%2E(gw= zzYTE6Jtw~dWczZ})zxX~!I^n64>zHppeW52v<#k<2!E=grl#AMecvm)+`7xHNes-} zywMDlPw6X%zYN1Z{-gf_A;=LvM^qKtg^<7J3zbo3`-f1sK43t zP;kIEp6#8#*%&X&mAWUUxZh5xYq2qa;^r&{z#*+j`0h|(YGZ%@OmO?-+S@BAHUX`3 zJGf`x`|2FRd)3X}`T+j5!P0KG}|MBpsK1Sgu2bqKXhZ|-BA988v1Wq0t1mI4Z zmNbVGubo<2ir;>H7yN|CPH!Lv8%Jw z=z+Sr_Z{$Shxr$gLqTU}-v8}oO+aUNCP}Q$?z3*aiUJr;wv=USXt`W&*(>mucL(W4 zB_^OU#nayfUdc1y?+v7-r7wPOY-~v1K)GnC-}6DqmGf$;sI|xzV$!PEH|At#pFa-{ zUQ`AQ{SFWa#JS|*hMZFqanS>L9JAk%-r+R>=d6Km;!X$(K^dfQYqtXN!bXh>VCC<( z5(=dE!%fcoNPHBbe)0e$>WQ~Yf0%a;fM4(Z4w~Om8D6f7VKndS<8WEDUMQ$KhsnTl zn6b4fg7|sJHo^Glr56w)#?^6b2oaV`T*+FyOM2If9PGCDaOSCeY^3D>;Q~N6APa(! zMyX7j1{e(YkE`gF+El2Mk7zhXHEuH(g!ZPjy-mREZDtm3OYw;^#sN+sHY6R(Y(D&< znEGNhe?TIl1`?o1PDwc|1UBvV+1c66$zLc~BTQgy7Fn2>{FZ^0UAucZN3G5$o(Sftj$;4E1dxhLt!_ikLSo?wQCv`ejNUY2Ls|nvC8~+xdp! zUXBO_PWxiqr7_(<}28=U6<@ z{RKiy$wX&T`8jjfp-B0AXdr$AjDrCq7I!a$ijM`uW!(_@VNd=S!Bs#jcffrvorH;@ zA8&qBZd5Z)`;Dz1a!pr#`t+&j=HhP|m0iwjZfvtC@G}c2ug`gd-UtzXa`O^kOMdnT zuYMQs)^{s_bqJSYl6-w&V{K&ke7tm4g-0h#eX0sXFF!Y@t9E(UtAWz>1}tszKhrmF zu2ggTCFH;x`cYk7Jq|75VPmsIzIjtWDUsXnReaaM*9n0Lo~#1fxfNLNo|Atg#Rg2= zI$7z~r+3}_!?tuplA7C$jQ38t10EfCIVh9jM@P>2&(`CGQU$3~z$~$!#Qe|L4|Ph6 zw6nsl;E#2@{OJZ%r6K39`7Cpv+tAe*Y6DF0^+p$$fmUCB3#9fmOM zFGpd&@)9>JeR0dN?zu0EqDKU?c7Y+q-Q}iV7$`Bw$$}Vl17ADqjK54{&i^KO{p7p7 zBqErt^6K`jRsMa5(akWJF9ZIQra~}#ms5$87JBM1dpP893eImV+U5}dZX{8d5`IP) zRe$on2~$#@vb0PS{TK>q=)34&)mG#E_ahDk+#yWGoR44CW}!yc>+|GKEXiMnjy9xF zzsDKkzWfirz=HO8SQW`{d_Pb{g9`-WVW|ajHEotxj}j0XO%SfC_bBb-2DWn((f{|I zL%>X+m4)A^KV`trXAtuO@@8W~?b4^#P+sri{yW#dHO zjv8E$16qBZiAO99OChwaG z!6jX4!DVTmw9Ac?nDcJSx&qBOS~(JAg8xld6@Wl0UDj9p5BP`;jsNMa*Z$REe`Za; z+$FzBl~eZip>xwUb%NXl{N`+#)DYNN>#q2)CZ@jSnlaEA!3rFJ>eV#UJ}K{i%(6ZU zF#?Uvdy8#~Or5))|9V?FqLx8ug#ZQ1{q@{{dkvOK0WylNcaG0&$Y;D5G=`_;7S z-b2Mj{LpM=auJ|)8AvQ5%gftyYqC*yHOyDWANlgAA1@j-B422{+!1MA0o^ea-`;tc zoG#_~Ada$Q%G_%<%%t*p#`RMWJ#*{kFdqG&A;SDkgn<^bN!8mq!9-o}&*t zt8c(Y+3yqS2Lqp(gZtOpZf{QIvm{+xX|J-DiEc6vH$3wc88_&6W~F_OKE0m4J@_Sn zUeO!iCE*}3KiQpkp8ISdD7l=XD<_oOpPpo_l4up^UhPj(8snJX(l6vV#{cGg^&PEr z>TMS%2|+3_pX}V+omZJSQpCOZLDz$7 zEL@Z@u;B}YwgnoF^sj)t*M8y~N@^acmCy-+^~Nx~=uv1aXatnIy~vetb$(a?T6Tov zpK?@Qetfh9o>yXgd4ZWx+5-=)uJBSjc`(cfM8Op`G-X*cF$}^sk>nDfu1k6`8PlDM zoUH%`#Fnypgdiru+`LNH=7ilt7Cl$1TL-t0=7=$Z>?C)4ju1~-&U6L|WkYAap(E%Sc6 zBC1VFhju*MYtCWK?5rM-KTS}Lqo-pg8eHIlzqYWSpGesJfnoZKS0ed3SDW?=qE%1a9 ziTvO}yk64ep4gNJe^i?Fnon1;#c}__Nm0ma$Lz3%1AaD^n}fNg<-#cG(i|!w1-@LM zRWMGKi1e#%`!&ftl86!*}3 zhAe0Wy=mZZdk8q)=U{h$DzKRI!fy34iFM>K>qpDqi3|aXEfVLCp89!4UoLvXudu`1 ziJ#2NUSVSs&w+HRz_3_<;)h)VK7&cQmC6vC=$~^br9??9YwO>PjVfL^*qx{I0nRr) zuYrWBJx?(tS+1zuZ>MJcy|t8msDTX9SWqIw8nAfnrz(ocDeHOYSB}IbgCje|!f+3n z-GF@F!zo%MItwi;~+{Iarwvm*wEJxmg0?YX^_k@|FN3g=)U3wle%6NYxwZGY~%z%%;SvmwDRny zkDhhF6si~|&2AHHI+ZpS>3wu$6$plT>5koDN2CQHH_epjZ@(~L6g&z;1V4OxHkOTg zaAdW2SE|hy&TJpqcsypxjg#wKcTSxXE)n;fXQX@acRv{95SLoI*d%ZR!to#}2+)*@ zw=ROW%H6dLT$T7aHXt#JqGV;_!=>6P&%$$FGksN6)`iBsE`592QC2f&>f9j4`!(iC z2xu6_uuITnOG`1oa_GEfHgMT`IP_)F(B$B$7b_|DIx1+Yhp*JRPidwO;nKdUmHQ3oKkX zm?Rj|b9j^r+G@pJ(gTxTC?8{z25gQE`6oMB>f0Z!OCiWPIpWHxl3jvTuJ5ZgG+HJ& z@=Eqx!)zE|-Dd|ZATO-WNI5bwu59I(Z{;x|TDUGuOh*uZSEjD;2swGdH`Coit?N)p zg24SDN@%kqB(QvN72}Pyyj?Q9jUoN4|G9`+ktsaqS;C^}*gS?PbT4AQ=A1f#X-*AF z%d$}WHMy-8{unABmvWMeS`YT@?az z3q;HK>;@o%dkr!dA&_fa^SejypZ)RFSGI7akAz;q1Lb(e9^=j@ii#28>#$Fe;C9V zPRb;49&2KPw+l7vIU>%tk6)!Rr-K-reiu6a%X5g;_7i!W7jr+s1IDjr9TX*Y*`8@a zshcQ^KbVIsz>n$a>PCp9Q!bXm-X`beRikK8k3yM=)R2Nr!8md%QjFvMqT7$d~!}$-iIZN4$XTp8RA2}R3H_QiITxq_<=bP zxX;F9KC6qD!}{xZOj@gsP8CRwd-l7Jag%&u>zC5liu*)-YnU4t3l!t!T13Bb7al-< zZP%V}f46yN2XVwm{V_g|weYGi3FngkuM}~bv3Fm;zG7029BeU2_X{2_^!W=KlDa%G z^eKj57|mP6chG={wm;CFI~x)H-cHdKC3c}X#o>e_I79zO_X3|l2bI(>ad`CP12-H8 zDrqkZ`x6{J@x672z~a2*bcq8}&yB6%1bKt0p^KqL2{D^)(k`axz_u>(GATU_=99%e<}k`C}Bs^14@gL3^_j-AU-M=Q)G?TCkU7fDO5f7n8a#BiWq7{ ztNk_)ui*E9{*WpN)nCqdq=F+fL6PVBfWx(viaN?^+k=Gec@RdS1>Rlg03jrWc2g`r zNN$k+)QJ>(eoW*j(o*@|Yckl6$J(>~UtDUlJqZa2vcn)w6}SV|h_V)rQpy+4p1tNX z*=V@^;{&@YYw^_tGqT;Uv9bTI-d_sM!4tNUed7bCtzC`n6({1?-uLv;89oomQHiiC z&g;(i9eak}2I!qIgTHsTeAx4n%5emTNp7i8gYLN^KEWDhYNhjm!-sj>2D~Hc0or-O z1ue+ym-ZCI0c%KP;MGd)5JTx6+&{C1@W_f&KrQ27c!L_&SCfa^3Sx{2UTzA_2i)<* zkk7`7iq2Raa1~u2Z0rVhn349i&Job_jCK0wGE)+iNkfK4xSsSoRNp=)*jk5cOB6_+ zh*}OSqFpsQTV%&*d|UXm-HYgAl)DWA~lK%N`p$5 zbPt1ci6S92sDw&4NDir_poDY?C@n2@AN>0LU48HS?|aw1tXV7;GxMBt_St90XU92~ z7!j2LC&zd>Uk3+U4$DWILFL0_=OZ%Up}8Nqnqb!O$WNCu3?}0>_DQK85^QlZtR;*b zOB^_pzyolUoO~%yI8+hx-R{l=@(ipH`!Z=(*L;Q_icZBK5Oo=eT{3>{5YjURFcg0E zvNo8?h-pIdLMNhft#0+b=F>8l)L@G&9;3c+^%vPdI86nu#utMB)cYVOS>#xm4BSqa z^ma-MFKWBuGTu79FT;vqn0DF2NMV;RQCOt;mMGI$BR|7bS;P=2$2Dz~FsWmL_W0s3 z7a)v?IAGg;nuSF2>Cz0o!V`j<K4Icf8h75G$VF+wL)Nox+4FkYEUy}J{NFz?2)~X-nhny zQR6%4vt0Gxl;$6U!*}zYYp><1i6_^9Jtf3=Oh==FzG_Jue1DdGZIu4Zq0G7W-FvYF zw%r)qvtaN&(REZ7_icZ*+w6`};#2>f&-&WB;Yz_Bt_Ai69S`%W#vewdwA+>Ovuk#c zvnz~mznb2w^*F97#!EeYCS*Ff?PezZd62B|S@ykAK3ta>zoAK7hZK*u-aAu|sRtUS zh0pE>jBcg|^PulUN_eh~hYsUW$UU|v7R>4*pA#JG%5euhR`G1FPmK9=t zEe&$8bVL*DZ3AJdWZZ1UCr6#oyJnXeZHTff34hADLw$7gtPruHmwqfFK?Svm>K}Pv z3N5l6E;P=uYOyQI{&_f<_9T@5kkgCNKDph5#J+lg2=o@g6%n|IIgcu0fH9Khh@kFG!%I~sq5Kg*+0H#(Eg=Z02?^dHJaip2YO;=FJJY)#E zd)uHGfedM@OIXtleGXIg@Y>x;dk|*)bDgQ|Cd$Zj!kt)5n4gz`lmQKPue1Q0FXWW4 z%3dFSbE}J?SZu9NYL0YJDt02n#t5`h7jwqMQrkd4cTg!td(?WvHCA-rsrTh@5P=KU zuDYZ+o@FYa@#sgF1_ncLA+`9K;2mnPPm`q6XMTpX&G&qn$$eJcSbAzTQfKnvb<&I^ zviT7~p~qOP693(Dq=m&u2Z7qB{*8ql0HqvK9Xs1x>s^^G(7tsHczzm1iG zX00h`VK*z^7VF`6us`HrzKaun`e0W@C_N;FvWF588eW{mXm?2O8sfiF{@Ej~m|?Lt z&2YGVMpW=oOe2)6yK41)*sJPZGUX^C7JWz3|;^B2?&f zPQ;{sMWF6@&ED_uxQbyYE+$FT%1FNiLDyKuLP&lT)FE5Z%tyl5kXacYABy^N8~bt` zHn5c@vv{x)rQ6S$lj05OikEa!7k$=k825|FdtcJHrW42xW6?GK{W2)kQ-m2Dz}|M zEM1#&O^#PoSN27Y@TZy!`31{^eNekI71_a1WHSg(*+%!V%6cUC_JYQ_8ehycrW`Os z7QCa(rfDnYI9bGUVeGClOGixZ;0}$G4-*pP8v21lxGsR zz2_x-C2CJqL=B=6N0K7FSLZaP(1OOq2Jh(*=;dCzDe3~N1sP}in7aQX=VJ}ndl~k8OHL)EIgDSBHpxT|hW7t>j0h;q}e(df@5( z^ybIh9%2irJiACU_p~<<1NsV)Rjo*On5vHqwO%#KU_*gl@X2IAb_ePu*81Z%)u%x0 zOrYb;x@F+pd;|>=g*6+nYF1-|9gtEhZ5kFV<*Y7`DQ&Bdf3KMHl^}^S%_@ z$k%TBz`;C0l|zGu!K+i950y*InxRI1n{B-6=*!LT<*^*s=90}ta%m9Y36^MgZty#Z zF6n#xvMuUqlBWku_1duWcAA9*hN6tJeIhS zMQnrr8q#Y#xa1vz?`V!FGJ5H%7D*5ebINhUz+NLR%R@$aCg7c6&SecbszJ6nQ`V?k zT|?&U4fRVWN1`LAV*!@k+p8jgyzxqVLQz)ve}=X`U*U2BvUzzyRv3f!=W6np;&RpIb~ZexA!4fzf^N~frLCWnnf7YEiCLCX_S8qGvt+D?Hk8F|n!Yzi%*8&Z z6?wJpe6!H2BM^qKn5+Nt%kiy^)zD0(cqNJudgaZTCm~B8_wM*rT0c8rbZsA6H7xe+ z6Uw_?p;qfD(*?pL(_4Ltr;3;t_M@c>WJj!?b#GQXbick`;h$CBIQJEgq$DTxBUKDFI=xz45I~@oa9SwSA`V zTFrt1InxY+0zuc^Gkw-({JDgKZ7Xa&f5cEnAzp(@do5|1?Y}}P?gSwtdsBRL5$F2Ap6k!+XkruA zJbRvt=a;%%nouN@2?Cv)JmN=h4uywT6H1K;ryUHlc>9mX*Z7b(mIb@vGSTd2VP@@g z!uAn8bp}*cvS^XrDZ%t_Ji9P6E>ZG~;0!`fT9y+b9jeQ^1aG&cFq|)CsJA>{ z4zf7?1g4TbC_L>Ga^!cs{=#roUS>~Xa_x}mb5lzXTU&4p+a;$fmS3uHi&3}d zMi(>MS)aXmp`5O^B#$L*m@H?Tklnl7_M@tKxI~=kvx5aLD=eBR9N+1}rNuXc<#b=# z%GJ{kziXgg+0d7DC}&ZFfl$fGfD4uR2XtkV84*eCjc9LC`so49i@{ux2Wbi)rRfCd z%J7MW?bew0H(pX~d>7EW{%%v=dV-UHY+0gRcD=7H%2M58)Hib`4li(e=$%t*Y!P)! zou1D^`i6iN{e#|&AWypPHs+^y(isd6KQooD4-6goZH(@LvMuTUNK|l%%N9X*#)%G! zE%HR=aC$l`m_cNt?Xf(}oC^u|9(|Swl)5}OjB1=r}~{CZk;uE={*4o)y@FL zrB=?zA7Ph2`zL1*o;dYRTPJqjTY<uhQt;TyB9@2naj`fSz@ zg?v1|1!o4Fd<+kV)Q3%<@QQCb52_cRR+(xqsUFBWH4PkOCZirVo}6@fNl4WyPT|wj zzk})ilzEVcwH{v35ZuQcPl@4zlvb~i#Sblhy3^PgHoIi19wXA=&>`85&iwh4TkuW; z!{989DePUn{j)by7>yz=)o(Y3XG{3lnveH}M6v?5<>ud~64tzMH9svnM7{R$_N$u7 zy@#1~>+@^-k>7f_4tDBwo-J#b7Nse@LV@#Mq-_^nr4jJ@k*r$vpS}QAj$1?8oeo<{ zQm2#O_p)^NP98KoRk^-jhYOGVSylXzwd$4#hu&Iqe-3UjJ1jew79&$tTIT^3~2TR zMiM4o$llbQ!HvV1I*piJA;^13PJ^JO-7zOg&M-BZEv9|Ckgw(kyP3CMECr=VxxCP* z%vm%8<45g-AM3nbX(rp|?kK-MDqWdm75weDg_;>iA^8~t}w&prCZq%&8K z*guI3+02V3ER6ztvqH!^4>}JW)lDS|d}crC;6!L+N2|4!TbcMtdcJ0FBP050wJ~GU zTi^uN#BxPK-SR#KZ&BDQuFa)bJ?ifVwmCMwHshZPjM*z}i!~n3POrN#@jF^ZV=UH| z*JmQTz&_cjlGw@M3YU0+hC{G*C$4ERboQrR7e|hYK%Mkghw^RtaFLddtYP%p(qMsN z#`j(BN$)xTqmzzx2C*0H4HGpjM^m-SpnX;DZC4&xrxyy3j23$|0MjSr;d*?X4eoiv zqruM#i_@;MXmV9St-P>ML;2O5Xx53X(7HP8iGrSst5j}(jrG>meBz$N*_RcanT^1t ze;`{1mo4Ds3&Lah)y4gNL0p!ylTh`AjV}u>=`tB|RtN@}&J( z9f_ZBWbt{ zzhTVk<&x}pPaW~fs5<#!Rx3Mb){;WEWaMFRaS`hUC-kZ)7Q?XeV>2Fk0ob*w*N;_eQxw#h>8`cV}>+)Gc@mrP(4M zyL0QrWi5!$M__Owk-IBn!A$P!tvS!epbEve)(Re3$+)%sj9K0=8V+bro$=jvIjUY( zmm7QiZu6>ehW`lq`a;1*S)aSwrbQbMvUDdd@O#vmX`CjHA`dzIfI#HmU0@gi)BpNk zHU#^oZq(LnS#h0YzvrdTyH*g1-Ry;H`c(=HBTw0tfe)2|=Q(s7GxQ)>NF+&y>_W*)Q75(hmA}^>bJi+n=X-c_-pM3Y+yZSEq)y>4<`h!qI%B`ijky-~)3z_ovWAWwWVltllzQ-w^Q zFRxjX;J87`W%DuN3p^*VO>bf>6)r=MsG)Ru+K#y|Dp@e@_-4tkCV(vC`%v>d?<8th zZCtM)Q3P$m@Z-sAc(ww<#8bhyN3+lMITZ%8xFniKKbb6ww+ss0gqAJ0IC6uU1(Gzq zB^EuOoe+JsY4EafFW>feIg4#M7fdZb>@!NeGs{9`9w^C*%w}^WONmb=q~EuGCJH_7 zcKA|C1-edlKQ1yX%vXG%>3i?TZL)k!G1bBzcw&yD<{!EPaBzjfRMk+Qq|cz^GxWHd z_}-%|x`nFboUiv^aU|s6FJbS&w$mQ;5pr?`#$tN2Ix{-UZGRJ^GXQok4}Y=@lq{uF zdQ<@dL#|8#zO(mL84p~!m1jb#7tYde&QfIPC?99>D#zo;8TTiBa%B=LEtUdtbiqpH zsI#!;S>&>x`s@=_U-$$qdkYuEETtao-r+`GO06#B`-L2zgWge6Is=>Nh9=f(w^_L%5eUe|^F_vp8D%UB+PaO!BBzJhsz*wl?F}G{6`G1j1-bjkvQh zg72>(pR3G85{1W[(x6a8Kj(S={1$nwWsT3GSX5e>C`kg1B{EQ?t7`4_{+2Uo3u zy4P$;zs<9gMi3(?Nd6d06y?y*`7agAe|_T7E^$|K*|KyGLu`sa9dTqgZ{hM;!q7hi z!Dc1mC-u-J*-Mtz_}GNJ*ZDfX=++!5o#$`ZBFvG#+0~hs$#pFJ;AnCw`uE7cFm&l) zK(&75>&@L8=!fksh3|e7@D~|7y}%S9w&ZIlFZ3(^Kfgq!p@hM;RBHae|Hk7G*ayhS zFTVBAPK`vO=9;nnAy|FXjsw1ove`WVOolIdq=IVHi;$acK& zz8CTz?{h_=VIg71iP#N5L+{^BAtCmon0^SH;%!i%rvNQ{(7_+RQ(c%}z3m2;QCMfv z(hrMsJvsZLL(+fw;x?q8RY_r(33<_ai3QKukvD%;12Bddkxe`K%KK>6LiXEF-qp~` zs1_`FlQhKuy#z{qICda_z}bpvc#K(z77!ossw1ZfDyMvm-B8lT;PAM$|4H_u3=-sS zD$eZ#5XE-bWNfv8V@sCL1Kbzzh8aR7ispUZ2!xJHfQ#=+^{e2Qjlbdwx^4am7>Cg{=2ifM@I}ovoNlYp5z+moF z0#M1{3(9zOd+2b+2!r9I2iVcFE1QlKZQetAn@F_PaUJD1TEu5aof9ZCsL7~0wa(be z`Y-MQv)dVVKjA5v05L!v`7{Sm7Hp(1&#Z8ZN=X?IfFzVeOd^;O7r7wzTbe#OSSiRf zH`)$xt0bP)>7-Fr@fMKs7%gJey$mLvkpYQNYrN^zbL+PTRnKvOs>=(DRGxu6$@!1? zps8kSIxhgML7NoCifu-8;T8@EggB(UqT>j_BG9YA#j+_d@@x|1QMe_8v4En5AfNDs zzdTdfBt{1S3eXK|fcHtGS)A@$Y&E>e0tf~+YMD46)1L7a>hIkqC1L@DdwtGVrx^mm zo8E%x8Ma|{(8*E?YMLQ}`*0g*M83?T73^gR=%Ydi4qwwHI2FzfHlYbMUoAEvV=^Uu zZ^4rT|3-;GNU|Gn%n;GURpr@mKF&HDYC7RB#?m4dCidY)3juOp&0~UK_#rUnw(D2> z%QjwIP+#8ltH#F{YT@3z3^3v4;Z0v&zA$4|egP@GM10W8>q_`E!5G@~u5vw8KWlzw zNL&>*aOI2-B>v(9Tyj%N+(<`!;qKkq5xjHlyLHYwUxkp#$vwik z1GoE&;e))x?ssN)5a=LfI6TxtBq7Qq>AHEhk!BRj+5Yd|{flkwmC#>}*n$2p3wQ4Y z^Y9tYPE z5dZ3e-=gucHgWM4!H~8p zz-RQk=8UtzN_Ee};uYiO9h-2aYA}a%qgWJN_&J+@GA=>&;R@AqTeFMtl!&xk56@?i zgf3A`+XKdk*#ufctR2Cbl*JSNYX=?z5Q(Ul#b%8W@s%&dTVgI*A_zAG(R8;*iibl& ziS7}ek=8@wFVeDHLD#bx;J=Bu&?hrm6m~^z@_Z4k-6^V-6w(ws1@f)&*%=w(|9hZw zK?0ESlAeuZOA*2*KS1%-mPr&~h9?hCyae!mnP2w*CRapGAC!L%BwSGKU$Rs>O^Ma8 zc1Hp5h4{hE#L+Pl@v_<$Sld(wS%MA^*30#t|b3 zoY~N2K)--;kPBrK8z5FKcI8~|uYD-{Yaf28&?~>*SpA=QLn)SL8jlih8iw`*YVr2_ zZ>^QbFZVV=oMV=!HY;zQ?|QXR@hor z#M_?}>lnu0&|&IZ4`g^+I{J3DP%I;EqC}D8I{)YxM9xvxCD+Bf6M5V3!Fi|`Zvn|i z7jrNb7}w(QC!0z?Q4#^7?7csojt0Q>9NypD)x~<5%~d_yU7NsgQlQx#7(X9EHbkxJ z%u{Rp-I#1CzAWc-Ecwwkfw?=^k_Pq}lx{Ur+{uo}HWl@KrHb-0wo@aDRLaNPZ{3jq z4Hr5?gFa9M7R&!ZNu^kB@DlWQfMe+-Y)|_JsvFu*-joi3;WIb4LH9rSNM`II!E*U} zCNS%&369Yyw3Gyr&1JR9PVw5{ZM}At>n$k&OI*iT<>ojgaD3zuo>{^;K?I0`Iz?8W zzM`YiEXIUQtw@;!P>1v{U)I%j^j&u>d8hyuKRH4ut}U++vO zR2Y3Dv*2?&J*?|!i^nzz38AmcItbu)*O9yKB=v z;-&wmFq$`j`q@pkGDWSAZk!8M1j~M){mg(o`O4ACE?87V0_5W<&DGze1Vc~Ksko1L zIJ@c&A3#1IV6Y)uy9K-fk_n~>05LP0dxLm5;mkpAWB}kSjrQ3!8R_{61-76>kvbAA zQF|XGPgV<**Yf)=AfW|Y+QTuZCNMQD)U!@vJ?L^cW>y0rC3*9paSe*L2zJ_Igtzb9 z*l>2%Cgrfqqh;(bD`ikp_YE)!^Ho)L&(6e7yEEd{<{Gd&V$UE=@>W~&r-yC^*ZW=M zw=Z9(M7cFUr#0z4Lu)pr4{-4G%EBEP4&7~gahQ@*g4!<6nRs0Xb=JS)HHbxf+5)J6 zh?P0D*;Eh6DqChwLYT_LT2qRYs2)#+${Itah0#T;V;(*NQabcMu287jVqWl~{ejw1 z$@y)a{wB~2;Ytb|yh?r>wZWDmgj*W|bsm`w(@ve$7s68@Z{~}4pz=&(uhg(nXry~F z8zG#`V=#w9mn+q;Iv^6tG?oq#W`ET4qgu^}a>@OUWj)*oukDkB?}=-{(u%{s0WdIDevDZg_(Z9pn)c8-`iT z_C#YIMSKzaE^R$OD4dJ6#y9hYzgrbT9u0rXH0s?r&np9_ICEI&+>j{JUdMYn&@o!~ zY!2AHO96%$MUyOomS-EP3G3NNZDtk5?e^MCQBr%|bK@A!et((F!LchM9ah1!7^9^a zi>nMF8K93Y7F9#Py(G1qjb$*yr>xiS?)uo-aAuIKr2nA@9&-`*3%}y%k?i+l?vtE* z>!8yHOTuC~jw8sbYI;MtJ`z3XBqb#CXx|Z?4{cXhBZ=$+geijB1ysq0yXq)-6ZG!& zyFMA1cF|H;9P{a@&dJi6X*D7Ug&xDu9CF)8XN9ec=SSo)?+a-N!74O)hWjzjp^n$f zg(aI!Q5#2MUl^IL%qV54P{37^(`pd*2#R6DP03G@JdrYMkT#kSV*F@&O zrxf#B2r1GFb7f6Nk=4|XqQe?W`ST7%zSD=pc^qRKBR8*%ym z(uYoeNb%pk=KrXoL=(LV2A(#gX!V%T={ynb$}4>*L4zHgYnr%_nq-k=pBN_Jm&kL! z!;wj1t(m$~>zvh%;=uQ}do{l?X(d0Px0SH9tT?}GXoe?q`>F*kmsNK~%!0wiVfhhJ z%(Lv1jZW?hdwq7rHLR-$UWKw~Az7QU7IA?aBBQAh^Y)Jx*-WZk6#AMK=xF63xC=NR61qV#4IG^n1SD`&tUx4G*h3?N%7EEMlY z_FAR3mk?((Vx=a;4KkkjQ;$@c$I0{g@)pyGcfBsv#UI8s&?8`u%F2C^)Cvc;oeeLd zCXF$A%g5}w<>QJDG>KmKPszxAta>Z=4oT1vyN4^8F0Yq;KvK$RHb1;5e@QS~KsmlW zO!hMQQ_wE>_!mdLdWtqg6-z?Md?d2xuzb_%cHLW3EBAUNmq@#2%q+!1`9)eg0*l#I z&MC(ah>x@c#mwy2h>qC!N&~y5(={VPm>0n_x?KSIO9EUd5Z*Mk z65i{x{MKx~PV8ekLi5OPBnczW$`aJ}z>}2NGLxieJgsnHCBObMhBIB){T|Cjkd~Q$ z(~=KTrQE}7wS5i@2F%D!jinKrEEq9Q&VzYYKM^!y#r5#Wgu>?2y%f>rabogFVjp#+ z?TB}(x$4pLP}!KZL1MTE!J=V6BvEWq{>Sx4+BL&W-N#!}3#rA2;wrf0DHl>DibMIx zk_r$1uPat2H6QU*`nqHUp3i4pT?}T0gn>Ttf3b@PG@2YxgXh+Wrj>nrr2yA_<#nS_ zXz)a}v{X^Pc-}t~+Tiv#0_t$CBvFyA+CxOzFS!^zq5u!94Mo z(~6k-z`f0h0(wlAd9N8cF?h!S!JZVWB(M8AP&~!fq%&sdU_h@@37XE7XHHdL$RDEb z9P}Iav_u|bV;?GG%)x+4C1hVMLz)U7vI1>_YrX{hY#Z4i)2_?PW-m(hV%{sxf1_rO zbdv%bj89u#lIpN#zS~;08>Ds(%&@$)WNhw*SdWV6$z5R%jLcMe|D}2IG*#l;b8qUm zkWWx&5p;+B32{AV_qw&6fOvW=v&zeBcQ>aSbVJ?WtHk#b%0kJ{%+B|JvsXMIAnRUC zJoL_?=2j?|I8?YP5wl8YmP01`B4~_2$p#S3r#BDMZdjmB{?sF_YJZ>iq~|CE?>1Jr z=6MZ45q>p+D*;lAY0UQ^6O6??EYIJ*vK}IOgBno}5v#hD{N`>PL0|KaLP7IoHk9QFZaXz3EI5QyEoUB;6Li=sHo7^o@|^Bp#P1ByeEb@QMA}w0 z2xy`^z&N0yQB~w<(6xE>qLk_%|f>3*Jrz@i(wElsE28 zBL8n3@$9LTv7nIv;=r3VpPv7Q3xDC^rNrO~B965Gk!PFoC!9KSRS5$MA(l+d0*(Kx zkG~p)wH|pvzPmOR)u&(-0+tlNlJ#Fau375OW__ULM^mN$hFUDhLAF7;YlN`G_M85x zv_!xUsee)co$mE7YIi|w?UU$iWz_zh_bkz?TVTWKEt2+VhB!kZG2485Ty)j;kko zGgCU7G#8P)tA?^4DQA;EbZ-NDlg0~~Dr~QdgB5Z&CAJg|>VOtCigwdLR`Dt3Atyw` zsSDp-#gEiIOky3(PK}PR*8Y>1sEQxy&c4VGx9bQdGS+N*HwO#ZKfY2HmHW1A-TQ8P zE>3v6O?iKDU$J`oNtbZlDbffvkHc1JU^uPs$@~-C_#NV)KAUQ5rDIseaqUbLk6pa1 zzGJtKFRw&k8RL}w6lS+1JsO)gvCmfSNEICF&Kx|05{hMwxWDcn>VLTR;&#h-ue}%w zRJpZCtK2BOYWybK=Ql%5$J(|Q)>HA;s9Y+Oz-9673`r8FJ}=1>u<+v{qui%gJYY~S zwEl2+cK11LvCCHp7U_o!o>QjyWx0JSub&K?;Sx3twm#do#$_P3hrlem7%jrz=;tph z?h0p6IXu!)cMm5(V}j$NsKgoHdNY$Hq5bjT{l#|KX`)ClVVOgBQm&IWo#ZfZBJA4d zuDN%^x+jGIKp3ZSMfoO~qWP|DS+VoxVeTwubQ{rdY?!79yv|#l2VorO#V?*F}(aY+FS@DsE6GGP$ zGcbfCTrQ^nCqr2fzfwmXl^$9N9^WJW>9!n2K=HY`gFRnqP@Nep#rK@b46_mCn*;mR zO1b=iRr-}N$~K-bf-y6Tv8pMvPuQdcS2`z;d2yso+uxvR2oj7ZCpM6E z*vME$1J%#fpMOh54=V9HXh~DK-SZ_K%yG@kGpRbi(3>15P=pNPlU0l@9X4@#h#bFf z8BB`+uYG8e-&w<@4NtbwCK=m2!A%8tO8neqpxnOw-?9kkf5s&WU9vFWlIBXSv%%@K7b`TNx)O zhfec-ne1REcxZ@ju?mLMz~Z^kpRzI@Ho%GGge1UJxmQZpuK&616QCG{awTA|?!C#ubI%Hm|9yqSKva|(5x^HHzb46XPVCkf9l*z!NAnfB3?gZlhbXfd4i1# z0MjmuHZV?#eQT$@O}7FOZVrgUWyzr%ja+}=RZ}%Rt-5=fw$u(xh9E7_5&VN?9uvcSYG7?40Nq`YCQYzDOYMZK&|Uauge$}O zHsy85qThPe(3mb4GVOK9>Za$YxNvs_)bee*()#;Rz!o~PB-426l7i-UO9D*|R>Sl= zfAZHhY#cLd1duwt@C*tLRcLE{S$IFX(v?NIS&pRlfa9vN^7SSZ--4xJX-6T{`R$bV zd1$h=3RVX~TI?U3jwYHvi+4#|3AywA{g7{QuR{(8tg83=KtmU=&I76ATesOnrPyljT~ EUl$_QPyhe` diff --git a/versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP6/README.md b/versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP6/README.md deleted file mode 100644 index edf52a6c..00000000 --- a/versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP6/README.md +++ /dev/null @@ -1,123 +0,0 @@ ---- -slug: /MEP-6-dmz-networks -title: MEP-6 -sidebar_position: 6 ---- - -# DMZ Networks - -## Reasoning - -To fulfill higher levels of security measures the standard metal-stack approach with a single firewall in front of a set of machines might be insufficient. -There are cases where two physically distinct firewalls in front of application workload are mandatory. In traditional network terms this is known as DMZ approach. - -For Kubernetes workloads it makes sense to use the front cluster for ingress, WAF purposes and as outgoing proxy. The clusters may be used for application workload. - -## DMZ network - -- Use a separate DMZ network prefix for every tenant -- This is used as intermediate network btw. private networks of a tenant and the internet -- For every partition a distinct DMZ firewall/cluster is needed for a tenant -- For Gardener orchestrated Kubernetes clusters this network must be a publicly reachable internet prefix because shoot clusters need a vpn service that is used for instrumentation from the seed cluster - this will be a requirement as long as the inverse vpn tunnel feature Konnectivity is not available to us. - -## Approach 1: DMZ with publicly reachable internet prefix - -![DMZ Internet](dmz-internet_public.svg) - -A DMZ network with publicly reachable internet prefix will look like this in the metal-api: - -```yaml ---- -description: DMZ-Network -destinationprefixes: - - 0.0.0.0/0 -id: dmz -labels: - network.metal-stack.io/default-external: "" -name: DMZ-Network -parentnetworkid: null -partitionid: "" -prefixes: - - 212.90.30.128/25 -privatesuper: false -projectid: "" -vrf: 104007 -vrfshared: false -nat: true -shared: false -underlay: false -``` - -### DMZ firewall - -The firewall of the DMZ will intersect its private network for attached machines, the DMZ network and the public internet. - -- The private network of the project needs to import - - the default route from the internet network - - the DMZ network -- The internet network must import the DMZ network -- The DMZ network provides the default route for tenant's clusters in a partition. It imports the default route from the internet network - -### Application Firewall - -The firewall of application workloads intersects its private network for attached machines and the DMZ network. - -This is currently supported by the metal-networker and needs no further changes! - -## Approach 2: DMZ with private IPs - -![DMZ Internet](dmz-internet_private.svg) - -A DMZ network with private IPs will look like this in the metal-api: - -```yaml ---- -description: DMZ-Network -destinationprefixes: - - 0.0.0.0/0 -id: dmz -labels: - network.metal-stack.io/default-external: "" -name: DMZ-Network -parentnetworkid: tenant-super-network-fra-equ01 -partitionid: fra-equ01 -prefixes: - - 10.90.30.128/25 -privatesuper: false -projectid: "" -vrf: 4711 -vrfshared: false -nat: true -shared: true # it's usable from multiple projects -underlay: false -``` - -### DMZ firewall - -The firewall of the DMZ will intersect its private network for attached machines, the DMZ network and the public internet. - -- The private network of the project needs to import - - the default route from the internet network - - the DMZ network -- The internet network must import the DMZ network (only locally, no-export) -- The DMZ network provides the default route for tenant's clusters in a partition. It imports the default route from the internet network - -### Application Firewall - -The firewall of application workloads intersects its private network for attached machines and the DMZ network. - -## Code Changes / Implications - -- `metal-networker` and `metal-ccm` assume that there is only one network providing the default-route -- `metal-networker` needs to - - import the default route from the internet network to the dmz network (DMZ Firewall) - - import the DMZ network to the internet network and adjusting NAT rules (DMZ Firewall) - - import destination prefixes of the DMZ network to the private primary network (DMZ Firewall, Application Firewall) - - import DMZ-IPs of the private primary network to the DMZ network (DMZ Firewall, Application Firewall) -- `metal-api`: destination prefixes of private networks need to be configurable (`allocateNetwork`) -- `gardener-extension-provider-metal`: needs to be able to delete DMZ clusters (but skip the network deletion part) -- the application firewall is not publicly reachable - for debugging purposes a hop over the DMZ firewall is needed - -## Decision - -We decided to follow the second approach with private DMZ networks. diff --git a/versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP6/dmz-internet_private.drawio b/versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP6/dmz-internet_private.drawio deleted file mode 100644 index 7b83bbfc..00000000 --- a/versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP6/dmz-internet_private.drawio +++ /dev/null @@ -1,178 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - \ No newline at end of file diff --git a/versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP6/dmz-internet_private.svg b/versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP6/dmz-internet_private.svg deleted file mode 100644 index f5e58204..00000000 --- a/versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP6/dmz-internet_private.svg +++ /dev/null @@ -1,3 +0,0 @@ -
Machine
Machine
Firewall DMZ
Firewall DMZ
DMZ VRF
DMZ VRF
Machine
Machine
Firewall A
Firewall A
Private VRF A
Private VRF A
10.0.0.2
10.90.30.129
/0 via Firewall A
10.0.0.2...
VRF A 10.0.0.1
VRF A 10.0.0.1
DMZ Network
10.90.30.128/25
DMZ Network...
Private Network
10.0.0.0/24
Private Network...
import /0
import /0
import 10.0.0.0/24
import 10.0.0.0/24 -
Machine
Machine
Firewall B
Firewall B
Private VRF B
Private VRF B
10.0.1.2
/0 via Firewall B
10.0.1.2...
VRF B 10.0.1.1
VRF B 10.0.1.1
Private Network
10.0.1.0/24
Private Network...
import /0
import /0
import 10.0.1.0/24
import 10.0.1.0/24 -
10.90.30.129 is reachable
/0 via Firewall DMZ
10.0.0.0/24 is reachable
10.0.1.0/24 is reachable
10.90.30.129 is reachable...
Internet
212.1.1.0/27
Internet...
SNAT to 212.1.1.1
SNAT to 212.1.1.1
Internet VRF
Internet VRF
import /0
import /0

import 10.0.0.0/24 no export
import 10.0.1.0/24 no export
import 10.90.30.128/25 no export
import 10.0.0.0/24 no exp...Viewer does not support full SVG 1.1 \ No newline at end of file diff --git a/versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP6/dmz-internet_public.drawio b/versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP6/dmz-internet_public.drawio deleted file mode 100644 index 544939e5..00000000 --- a/versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP6/dmz-internet_public.drawio +++ /dev/null @@ -1,184 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - \ No newline at end of file diff --git a/versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP6/dmz-internet_public.svg b/versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP6/dmz-internet_public.svg deleted file mode 100644 index 5e825081..00000000 --- a/versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP6/dmz-internet_public.svg +++ /dev/null @@ -1,3 +0,0 @@ -
Machine
Machine
Firewall DMZ
Firewall DMZ
DMZ VRF
DMZ VRF
Machine
Machine
Firewall A
Firewall A
Private VRF A
Private VRF A
10.0.0.2
212.1.2.3
/0 via Firewall A
10.0.0.2...
VRF A 10.0.0.1
VRF A 10.0.0.1
DMZ Network
212.1.2.0/27
DMZ Network...
Private Network
10.0.0.0/24
Private Network...
import /0
import /0
import 10.0.0.0/24
import 10.0.0.0/24 -
Machine
Machine
Firewall B
Firewall B
Private VRF B
Private VRF B
10.0.1.2
/0 via Firewall B
10.0.1.2...
VRF B 10.0.1.1
VRF B 10.0.1.1
Private Network
10.0.1.0/24
Private Network...
import /0
import /0
import 10.0.1.0/24
import 10.0.1.0/24 -
212.1.2.3 is reachable
/0 via Firewall DMZ
212.1.2.3 is reachable...
Internet
212.1.1.0/27 212.1.2.0/27
Internet...
SNAT to 212.1.1.1
SNAT to 212.1.1.1
Internet VRF
Internet VRF
import /0
import /0
import 212.1.2.0/27
import 10.0.0.0/24 no redistribute
import 10.0.1.0/24 no redistribute

import 212.1.2.0/27...
SNAT to
212.1.2.1
SNAT to...
SNAT to
212.1.2.2
SNAT to...Viewer does not support full SVG 1.1 \ No newline at end of file diff --git a/versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP8/README.md b/versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP8/README.md deleted file mode 100644 index 14748fae..00000000 --- a/versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP8/README.md +++ /dev/null @@ -1,503 +0,0 @@ ---- -slug: /MEP-7-configurable-filesystem-layout-for-machine-allocation -title: MEP-7 -sidebar_position: 7 ---- - -# Configurable Filesystem layout for Machine Allocation - -The current implementation uses a hard coded filesystem layout depending on the specified size and image. This is done in the metal-hammer. This worked well in the past because we had a small amount of sizes and images. But we reached a point where this is to restricted for all use cases we have to fulfill. It also forces us to modify the metal-hammer source code to support a new filesystem layout. - -This proposal tries to address this issue by introducing a filesystem layout struct in the metal-api which is then configurable per machine allocation. -The original behavior of automatic filesystem layout decision must still be present, because there must be no API change for existing API consumers. It should be a additional feature during machine allocation. - -## API and behavior - -The API will get a new endpoint `filesystemlayouts`to create/update/delete a set of available `filesystemlayouts`. - -### Constraints - -In order to keep the actual machine allocation api compatible, there must be no difference while allocating a machine. To achieve this every -`filesystemlayout` defines constraints which specifies for which combination of `sizes` and `images` this layout should be used by default. -The specified constraints over all `filesystemlayouts` therefore must be collision free, to be more specific, there must be exactly one layout outcome -for every possible combination of `sizes` and `images`. - -The `size` constraint must be a list of the exact size ids, the `image` constraint must be a map of os to semver compatible version constraint. For example: - -- `debian: ">= 10.20210101"` or `debian: "< 10.20210101"` - -The general form of a `image` constraint is a map from `os` to `versionconstraint` where: - -`os` must match the first part of the image without the version. -`versionconstraint` must be the comparator, a space and the version, or simply `*` to match all versions of this `os`. -The comparator must be one of: "=", "!=", ">", "<", ">=", "=>", "<=", "=<", "~", "~>", "^" - -It must also be possible to have a `filesystemlayout` in development or for other special purposes, which can be specified during the machine allocation. -To have such a layout, both constraints `sizes` and `images`must be empty list. - -### Reinstall - -The current reinstall implementation the metal-hammer detects during the installation on which disk the OS was installed and reports back to the metal-api the Report struct which has two properties `primarydisk` and `ospartition`. -Both fields are not required anymore because the logic is now shifted to the `filesystemlayout` definition. If `Disk.WipeOnReinstall` is set to true, this disk will be wiped, default is false and is preserved. - -### Handling of s2-xlarge machines - -These machines are a bit special compared to our `c1-*` machines because they have rotating hard disks for the mass storage purpose. -The downside is that the on board SATA-DOM has the same naming as the HDDs and can not be specified as the first /dev/sda disk because all HDDs are also /dev/sd\* disks. -Therefore we had a special SATA-DOM detection algorithm inside metal-hammer which simply checks for the smallest /dev/sd disk and took this to install the OS. - -This is not possible with the current approach, but we figured out that the SATA-DOM is always `/dev/sde`. So we can create a special `filesystemlayout` where the installations is made on this disk. - -### Possible Filesystemlayout hierarchies - -It is only possible to create a filesystem on top of a block device. The creation of a block device can be done on multiple ways, depending on the requirements regarding performance, space and redundancy of the filesystem. -It also depends on the disks available on the server. - -The current approach implements the following hierarchies: - -![filesystems](filesystems.png) - -### Implementation - -```go -// FilesystemLayout to be created on the given machine -type FilesystemLayout struct { - // ID unique layout identifier - ID string - // Description is human readable - Description string - // Filesystems to create on the server - Filesystems []Filesystem - // Disks to configure in the server with their partitions - Disks []Disk - // Raid if not empty, create raid arrays out of the individual disks, to place filesystems onto - Raid []Raid - // VolumeGroups to create - VolumeGroups []VolumeGroup - // LogicalVolumes to create on top of VolumeGroups - LogicalVolumes []LogicalVolume - // Constraints which must match to select this Layout - Constraints FilesystemLayoutConstraints -} - -type FilesystemLayoutConstraints struct { - // Sizes defines the list of sizes this layout applies to - Sizes []string - // Images defines a map from os to versionconstraint - // the combination of os and versionconstraint per size must be conflict free over all filesystemlayouts - Images map[string]string -} - -type RaidLevel string -type Format string -type GPTType string - -// Filesystem defines a single filesystem to be mounted -type Filesystem struct { - // Path defines the mountpoint, if nil, it will not be mounted - Path *string - // Device where the filesystem is created on, must be the full device path seen by the OS - Device string - // Format is the type of filesystem should be created - Format Format - // Label is optional enhances readability - Label *string - // MountOptions which might be required - MountOptions []string - // CreateOptions during filesystem creation - CreateOptions []string -} - -// Disk represents a single block device visible from the OS, required -type Disk struct { - // Device is the full device path - Device string - // Partitions to create on this device - Partitions []Partition - // WipeOnReinstall, if set to true the whole disk will be erased if reinstall happens - // during fresh install all disks are wiped - WipeOnReinstall bool -} - -// Raid is optional, if given the devices must match. -// TODO inherit GPTType from underlay device ? -type Raid struct { - // ArrayName of the raid device, most often this will be /dev/md0 and so forth - ArrayName string - // Devices the devices to form a raid device - Devices []Device - // Level the raidlevel to use, can be one of 0,1,5,10 - // TODO what should be support - Level RaidLevel - // CreateOptions required during raid creation, example: --metadata=1.0 for uefi boot partition - CreateOptions []string - // Spares defaults to 0 - Spares int -} - - -// VolumeGroup is optional, if given the devices must match. -type VolumeGroup struct { - // Name of the volumegroup without the /dev prefix - Name string - // Devices the devices to form a volumegroup device - Devices []string - // Tags to attach to the volumegroup - Tags []string -} - -// LogicalVolume is a block devices created with lvm on top of a volumegroup -type LogicalVolume struct { - // Name the name of the logical volume, without /dev prefix, will be accessible at /dev/vgname/lvname - Name string - // VolumeGroup the name of the volumegroup - VolumeGroup string - // Size of this LV in mebibytes (MiB) - Size uint64 - // LVMType can be either striped or raid1 - LVMType LVMType -} - -// Partition is a single partition on a device, only GPT partition types are supported -type Partition struct { - // Number of this partition, will be added to the device once partitioned - Number int - // Label to enhance readability - Label *string - // Size given in MebiBytes (MiB) - // if "0" is given the rest of the device will be used, this requires Number to be the highest in this partition - Size string - // GPTType defines the GPT partition type - GPTType *GPTType -} - -const ( - // VFAT is used for the UEFI boot partition - VFAT = Format("vfat") - // EXT3 is usually only used for /boot - EXT3 = Format("ext3") - // EXT4 is the default fs - EXT4 = Format("ext4") - // SWAP is for the swap partition - SWAP = Format("swap") - // None - NONE = Format("none") - - // GPTBoot EFI Boot Partition - GPTBoot = GPTType("ef00") - // GPTLinux Linux Partition - GPTLinux = GPTType("8300") - // GPTLinuxRaid Linux Raid Partition - GPTLinuxRaid = GPTType("fd00") - // GPTLinux Linux Partition - GPTLinuxLVM = GPTType("8e00") - - // LVMTypeLinear append across all physical volumes - LVMTypeLinear = LVMType("linear") - // LVMTypeStriped stripe across all physical volumes - LVMTypeStriped = LVMType("striped") - // LVMTypeStripe mirror with raid across all physical volumes - LVMTypeRaid1 = LVMType("raid1") -) -``` - -Example `metalctl` outputs: - -```bash -$ metalctl filesystemlayouts ls -ID DESCRIPTION SIZES IMAGES -default default fs layout c1-large-x86, c1-xlarge-x86 debian >=10, ubuntu >=20.04, centos >=7 -ceph fs layout for ceph s2-large-x86, s2-xlarge-x86 debian >=10, ubuntu >=20.04 -firewall firewall fs layout c1-large-x86, c1-xlarge-x86 firewall >=2 -storage storage fs layout s3-large-x86 centos >=7 -s3 storage fs layout s2-xlarge-x86 debian >=10, ubuntu >=20.04, >=firewall-2 -default-devel devel fs layout -``` - -The `default` layout reflects what is actually implemented in metal-hammer to guarantee backward compatibility. - -```yaml ---- -id: default -constraints: - sizes: - - c1-large-x86 - - c1-xlarge-x86 - images: - debian: ">=10" - ubuntu: ">=20.04" - centos: ">=7" -filesystems: - - path: "/boot/efi" - device: "/dev/sda1" - format: "vfat" - options: "-F 32" - label: "efi" # required to be compatible with old images - - path: "/" - device: "/dev/sda2" - format: "ext4" - label: "root" # required to be compatible with old images - - path: "/var/lib" - device: "/dev/sda3" - format: "ext4" - label: "varlib" # required to be compatible with old images - - path: "/tmp" - device: "tmpfs" - format: "tmpfs" - mountoptions: - [ - "defaults", - "noatime", - "nosuid", - "nodev", - "noexec", - "mode=1777", - "size=512M", - ] -disks: - - device: "/dev/sda" - wipe: true - partitions: - - number: 1 - label: "efi" - size: 500 - type: GPTBoot - - number: 2 - label: "root" - size: 5000 - type: GPTLinux - - number: 3 - label: "varlib" - size: 0 # to end of partition - type: GPTLinux -``` - -The `firewall` layout reuses the built in nvme disk to store the logs, which is way faster and larger than what the sata-dom ssd provides. - -```yaml ---- -id: firewall -constraints: - sizes: - - c1-large-x86 - - c1-xlarge-x86 - images: - firewall: ">=2" -filesystems: - - path: "/boot/efi" - device: "/dev/sda1" - format: "vfat" - options: "-F 32" - - path: "/" - device: "/dev/sda2" - format: "ext4" - - path: "/var" - device: "/dev/nvme0n1p1" - format: "ext4" -disks: - - device: "/dev/sda" - wipe: true - partitions: - - number: 1 - label: "efi" - size: 500 - type: GPTBoot - - number: 2 - label: "root" - size: 5000 - type: GPTLinux - - device: "/dev/nvme0n1" - wipe: true - partitions: - - number: 1 - label: "var" - size: 0 - type: GPTLinux -``` - -The `storage` layout will be used for the storage servers, which must have mirrored boot disks. - -```yaml ---- -id: storage -constraints: - sizes: - - s3-large-x86 - images: - centos: ">=7" -filesystems: - - path: "/boot/efi" - device: "/dev/md1" - format: "vfat" - options: "-F32" - - path: "/" - device: "/dev/md2" - format: "ext4" -disks: - - device: "/dev/sda" - wipe: true - partitions: - - number: 1 - label: "efi" - size: 500 - type: GPTLinuxRaid - - number: 2 - label: "root" - size: 5000 - type: GPTLinuxRaid - - device: "/dev/sdb" - wipe: true - partitions: - - number: 1 - label: "efi" - size: 500 - type: GPTLinuxRaid - - number: 2 - label: "root" - size: 5000 - type: GPTLinuxRaid -raid: - - name: "/dev/md1" - level: 1 - devices: - - "/dev/sda1" - - "/dev/sdb1" - options: "--metadata=1.0" - - name: "/dev/md2" - level: 1 - devices: - - "/dev/sda2" - - "/dev/sdb2" - options: "--metadata=1.0" -``` - -The `s3-storage` layout matches the special situation on the s2-xlarge machines. - -```yaml ---- -id: s3-storage -constraints: - sizes: - - c1-large-x86 - - s2-xlarge-x86 - images: - debian: ">=10" - ubuntu: ">=20.04" - centos: ">=7" -filesystems: - - path: "/boot/efi" - device: "/dev/sde1" - format: "vfat" - options: "-F 32" - - path: "/" - device: "/dev/sde2" - format: "ext4" - - path: "/var/lib" - device: "/dev/sde3" - format: "ext4" -disks: - - device: "/dev/sde" - wipe: true - partitions: - - number: 1 - label: "efi" - size: 500 - type: GPTBoot - - number: 2 - label: "root" - size: 5000 - type: GPTLinux - - number: 3 - label: "varlib" - size: 0 # to end of partition - type: GPTLinux -``` - -A sample `lvm` layout which puts `/var/lib` as stripe on the nvme device - -```yaml ---- -id: lvm -description: "lvm layout" -constraints: - size: - - s2-xlarge-x86 - images: - debian: ">=10" - ubuntu: ">=20.04" - centos: ">=7" -filesystems: - - path: "/boot/efi" - device: "/dev/sda1" - format: "vfat" - createoptions: - - "-F 32" - label: "efi" - - path: "/" - device: "/dev/sda2" - format: "ext4" - label: "root" - - path: "/var/lib" - device: "/dev/vg00/varlib" - format: "ext4" - label: "varlib" - - path: "/tmp" - device: "tmpfs" - format: "tmpfs" - mountoptions: - [ - "defaults", - "noatime", - "nosuid", - "nodev", - "noexec", - "mode=1777", - "size=512M", - ] -volumegroups: - - name: "vg00" - devices: - - "/dev/nvmne0n1" - - "/dev/nvmne0n2" -logicalvolumes: - - name: "varlib" - volumegroup: "vg00" - size: 200 - lvmtype: "striped" -disks: - - device: "/dev/sda" - wipeonreinstall: true - partitions: - - number: 1 - label: "efi" - size: 500 - gpttype: "ef00" - - number: 2 - label: "root" - size: 5000 - gpttype: "8300" - - device: "/dev/nvmne0n1" - wipeonreinstall: false - - device: "/dev/nvmne0n2" - wipeonreinstall: false -``` - -## Components which requires modifications - -- metal-hammer: - - change implementation from build in hard coded logic - - move logic to create fstab from install.sh to metal-hammer -- metal-api: - - new endpoint `filesystemlayouts` - - add optional spec of `filesystemlayout` during `allocation` with validation if given `filesystemlayout` is possible on given size. - - add `allocation.filesystemlayout` in the response, based on either the specified `filesystemlayout` or the calculated one. - - implement `filesystemlayouts` validation for: - - matching to disks in the size - - no overlapping with the sizes/imagefilter specified in `filesystemlayouts` - - all devices specified exists from top to bottom (fs -> disks -> device || fs -> raid -> devices) -- metalctl: - - implement `filesystemlayouts` -- metal-go: - - adopt api changes -- metal-images: - - install mdadm for raid support diff --git a/versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP8/filesystems.drawio b/versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP8/filesystems.drawio deleted file mode 100644 index 0f0c6ab5..00000000 --- a/versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP8/filesystems.drawio +++ /dev/null @@ -1,43 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - \ No newline at end of file diff --git a/versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP8/filesystems.png b/versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP8/filesystems.png deleted file mode 100644 index 6d903b7ec9c8c069383846912f136127e54a371a..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 24073 zcmeFZby!u=x-L#hh|(!8>F#a`7bPK}z(SNxX;_4mQqoJ17DPZ05hO&qI|Uaa-67r5 z^&89BXP>?I+4ubJJ@@YO$9W!}^{hFWbIdWm`He5$@BLPoriRkh%hxWWp`l$>QHE-x zpqhg(zfK4W^8GqtXklJGhP0zdvc_=-^;s2LE>#nz*<)di?v#EFJBBukrU_PGA}T?k3cUyJjYK ze}7ib#vE?_`&xbx@n6e8U9N0lV`csO(P9F>C1r2&=i=WhakVxvcl7vm|IbrD<>un( z2<}w)`ATkC*r8pRS{w8`uE?B6dLL z@}@vuB37txU`%rhcktiNecgsBnAH*|CJ;K{*fd_{tG1edn^2v%4wSb z?H1sJTDaQ)?fH+zXm9@e@&7_46yp0mhd-w4ABc|s&$+)=!v6}ZQFmOY=3t0f3?7V+vC5|HBA#2xDDLK(czyhyKIf97y(GEL_pQF?>RQ_UvB?SN#8$KK@?*U&$6_`2M*_UClwr@*j%S z)!gh~F4Di#*MA_=Kd1i7x47W1<^PpP|6&^dmva4Qx(WpQuQ#3|e`7rVk+S|@GoC_! zC)xjuvVsWcpC~H`i~hy?|8E1Ie`H+$uPN*AeDQxrS^ueFbv3v6*DLE^l=HWz|3{Mj zFH%3z;>cSE%T~h! z@Q5)P0;sh3&{!hh4PANn)KpQfAUp}zl8lTLyN9ha2pwxd&=`^Aiou9YMDB`pkL+lu z+B$ce-kH;X(pQ-oSWY^Yh$O+^k!&nT(KL4h1ZzEb33-4mjR@D2w*% z5K0HZAb~79>9RA>VW9q^AA{rMO$>}*hjbXrMA1viAtkqoe?8p4hctSr!-tXx?ay37 zoRqoDMkIPfv%8A+U;P z`1yP~jAT}De8fYC_Gd-}=wS%BSRUE$2X;t-;~o!m^xxv}hvO>4vzqm@|2*(Jo-*9L z4j=c|^Z!Q#Kra7zEhwV$ufI4S<1QW0E^wHrLQo=A*GEfT@4i)Y?&htpIhhV59FL?H ze6TrLJMqcpt9FLx{)koe{`y$;g!>qG%+C4IBJEI>o9)5=m}50_0*t|h+R(2#gwVtH z_y@m6;zRf3Vj4lqNCU6s>?o7DwkXEL>?=SCGKr&?Lfh_mM93nsq>$SqRXr3*pVf^!TBV z7OEcWr9)Nmy7xO@J^r5TuruFjDXs6j_s!n)$$X5`xZBXf#k42qkE_pj`(!)}9BWH` zk6yd>ibp(@F=@i`I9|@F79NB(KXm;p?6COCgMiDim0S`# zweMipwD@C+g4{F>@ddK-IfP`DMw@AV$2J~d5Q%(lLYdQ| zleyypC?XP6E{9Ph32e(c!-qg8=N$t><%j@?`>tlw~`*;drc z(SUe#GA9mW`D|1!R@s-0wE1qgQaXTB@Wt0p>c(8Uxz&Y)YzKR!kLF_?-b9HApl=Tu zJ*j;2{HDa>p7&aD$gY7zKo^aqd%pBkcB0`5LV6$O@l{zf;gVEO)TS)J~@8)Qfs={=urUUTR__n=+bZWi!)TE-Wi}x2O!6UB;ch&Cp zO0pCjRwvSCGAP4So!h8cMBd(c?XXY-UVXvi-R}yeDGns)#B3<*v%Ln-!G$ttMrNBG zOn8)smB
xw+)D(Mjrp)Vmc+ZeAb<7x_eF6=MlG%YLYI4L!@ShPQCJLX3mr2J*i z4@rFQMiVY_d(wNeQh4aWSLyS^xec%YcgNbjg!nKto6%3X`s$})tHq|q8L$ec3|nMo zFpa1~s)756#lswpS8AX5*i5+T@0>@)e-EMc<8uyJq9cS7cD|;ih^9mGd+*x~6`9nRyZ-FdhKI`4MZ*{0oB=sC@Sc= zXt$eHVtCHKh9R-c-PfwyKWK)pb%Yi+UO;{4=81<%8(B=Ud-5|)Pv)&T`mHaV{zOx5|?hcUgA z$|r3NMXZ;N^`?bMvt45@`lpGM1I}ou+Vt1hJ0iXUyjVrM7wo zEVI-qf>yn7oa;_c@d#ETN-cgYAz3sFs#e}}s4DH9?t~#25n@fwXMHjkc6%x-=7_3t zARs^BMOWwMQOK{oTvy?LF2KOQv_=ycn)2j9qlyI^f#EZN8($8-MnnAD6waf-3^+!TKK z)bxAc_1so4TnPW|g4=+HG|z9;dHCCfvXKK9svVBjuQT73jb|i zglzm$2dwrluad~0gy=BQ)nTS77++Nr{+Ke1fi!V;O!+k2Dn~L9@10SuN2u%q$(Nnm zX=PuhDL$A*7zz1RNs6NHaqe9qe)j;pcoIn1o}oHHSjJ~~+lpSYgP%@a6WC13aHhdv zVR5EsB44TVj4Y~-bdD~A(2O1#1EU zs`yyvZHiHRq0_Iy-Aw*x@c)!pvKS;pCOyp#kV>?bAarVS5`Hw$0eL(hv(Y2i2X|W? zbStdge<`_?9yksnoa>>xAG>*6X??c*K}4nYsAKNhc-_UhclpZuyehA~m64Lz%}043 zz8~+e+sc^qv%dD3#U{M52AoEjLdB)Cn`)EJMl_W56|Xt<{0_!lpRW#nNHKW45TAE` z3T#=$L-&!^s2kFw-1VnB{?B6yFF^QngxIg&>EfiUyeO#Na6y^Gy(j%IRC$)mru@7; zP(g$H`Y5^1g8by0OaY#f6pmb@cxnmnR1nH_w;>;TOb92m&rKNHIgEa?SvvKUsXITm zMa5mZ6OvZF*N3uHNDr3YJg@ptKIs)Bbuj7ec(D28VhngEUMu~|9sD!RDtax9+%N)( zTZ_G~J_x8qhd|tuZbkB?Uu?J2ZsZl#xvb`wXndf6puCWQb1V4=gk#;&TXk!X$;UZk z_T>|o9p-`L#$UM&>TiGm<$jRCmreX$F@Jnc8y8u4gBzHa4wE%6_IFG|sV}d*R&xD= zcJ`)xG6U;t_XZ6THeWwEUv{Wmpb#}~Ks#uoajZZEQSb<|og2ZupRPE*%ktBCc4$fo z@zE4;XH0E=OBdrb?%ZB^w7WQVI-Sj1ci2?==v$XB2$FT?toL@9B$~=(kB1VWa7}dy z4#-l9W1aJB-+le~>_E8-Ac-=9_Qdaatf|vp`)kXm35c2IkZNK^#R{bxk6Xx`wb=_A zKbOD{6>$1c{;axof3*AF2?(9nZ}=UWkdmA}0P*X7dB&}fs>L+#UY6!E`>`qzQGWUS zQn=e~Z5a8=XQ#6b<=kEEM?dMW9l#Lh=O>QUh{9(QZYves<>UQzReCU!OWw}UK_DmU zwsKF@tnJEBwTB}roNa$5$m3Tmt(g|-5{9@Vb2fkq$qSxboVQ`GVx4UPKkhQ+d+@4Q zaxPMkqFC&6ifEtT#cTv`m5#1{s~=UgtG>i(X0!LFTLj`QT>cN9^JP1p9%oAtM*KiV5ik`#mqCB{7sYix3v9MBI8cC4o)`f zt8e-q55opPFm_^W?gOIml+Tx!^d%G#*O!5Z=OCqnxf1tBBIV``qLq!+#w=6p*UaFR z3kiZ4Fm$jlR7D>Ruu=X#69terw9=90X}bYtnOPmOQ4BSy%cG zx98Sh%1q zP_7GS$X&tMhys* zMIK9?td-~_5Y&rLI4*BpoCo0Z@a1((cud*zLSk9v=Yi&aaw)8sz3efdr9{1YRb;r~ zY^#}2hxhS-9zBnr*6TOXC&ZAG_43zwM)h^uCjHNFNTqZMMk5ypu`^1C49B3OUaKFh z0-mDx8{9B=^1V1am@13g_tMblC0R{le@i=gzM>#W^A4ibDYZkNtw@StVd)ja?l+ zO{sy_UNgaz;{liOACy>rwo82_=}~YNb)n?ca4Cg7;^s=%@;}>Qon1&t4msLi)QkcE={Zpo}RrC1JT0 zgsFN5SlAl%b2W|{Xw8qwEFvbJ06!28d!Jxfa>qf_xTqV5k=q;9n^oUGr;JS9@W*8lpZZ&fKCCZGLk`G9@tH(iJ627i&m z7etsah0Ej+ScNBR(W5UH#5WC(j}~9s(^>HuCdu%!nG72~< z@jJuA$36S(xNIERB#~r0_3+DK!X3C;su;2hWYbn_jIqT;=+T?vM-?1U_!hx-KGRLR z5vAGMH@L(r4b^>0BiC&6wOZ%K9P5R*{rR*w5VBxv#71Tpq2DiIcmAj~2+Q z%Jx8YvF+4t)Fx--1-{X_N=gv$dI1S~H7vKxi^7OWY2Qk+h>Aq)TY0@ z8ca6KHtO9-Ai$>2zhQWx056go9jg!WoUtv`MEZ9qS{HqKW)YAr#QQl-dQ7D1<58TS zTpg^f$cYYqN>M-nk*K&uC_Uh(e5HlyT)ht0o5bkD0P$U~?5x`>dJ7#w%J45C!v-xl zX^B*3`c=)>!b>q%xx%(X&%aYbJjR_v@a{X(Vq-j8AZpu9-{yY3Bulg_H*X{{FWr5R z3X=y~Ws&3&q<%Wz>fP+!Llr{RUNsX&knpM2%R4jhAk7{PHd-6xDeu(LujSLn6SkC& zq(0@t-?dnzVsy=j0fuB4;$koDK_+H# zyO&6}0qiZ+JJ>T*eGJaP@(2EWTTmQKK^nQ4&m>nZt%HozGXrh)bJ{o*su`J!g#5wAgndoJXjrJR4Y5{KeBg7LHnt!MZEm63_L0mClF z*r9LmZobLRmC|bWGO8NFDO^7Q#eqC)934wwh1g;TL;TqtUD zq33&;RqfZ!zp#EExe=5ki-IDi05 zbn!%Dyl8Hn`I6;9R-3u(qYrr#$goZJg<^&ynk}`CC2dDxnx2j|s9e_eF1GoL3+YT+ z^6sJ2cvfVKA&Q|k$&!OxS zGyRn3^7(~6Xr?BXO;$Dpt87N6b}I*tObfnSSo^>S+ic>PJ^pgormeBZSmKue;~4IC z2C!I4cB`sf-!dgXSKk)FRvkkXHE;0`3JwXPJ(!E9;_>yP2Obk{`)M5Hcj(BGTBmdI z`x;jrkcWTCQu2OyV;dc%GMFS&$TbPj>7qH_xqo~oi-a>CB*ke7sFcRw=fwt@Zyp?@ z(c~1%mPoa0Pxnf0+EH9hkc@-UT|o~c2t)9lF%OiIKr)<`XE8upM2>qqF-(@4Bzg(J z+xZ5MT$HcazZKN2?}G2WSW zBhY#sKQVXR%p3UDJcfhsdH6RjIdg7aqRh*kOzmr@CvcX`%zAg48TYECc41&DZ>Vo7 zXKS*9_}29&#DzE)v}ri~OchzLtn63yRCYNR{b))zf*=j6A1Q?d*M^e{eJ-{QHeq}l z_)gs$;uI0br}{NAFP73X#6uoVFx%Zj`WIsMDwA%#|3c=*(5Isj*T`)I$-K$Q5U@K} zIevBVy%JFQ5ZekY7Dv-(L{E8chd1%wu2h*Y&^VJ;hEKo7%s?a>FnpW!MyKU5M9a$> z&PsMf&7|blOgwQcdv>IJ!p(|ZKLRRe z{K-O$(-;{MmLC8(DndW|=~`K+Qr4{nqm;p_6sky`)9BAGkuFpXQ=S-$+uaY>Lbl~Q@xzkHD6~=ndHva zGxgg_f+0b8HVoUwA5Evkc1_JydZ8q7)te!+S&5@d>ZF^LzV`!s=|#*!4B zl0HDsC{s$Xje}e<-5M!}LvKuQm5NNCbg0sV(W2kk$+g!Uq$782A7E?bW2TiWj_1r} z6Y!?M30U+t8e6&R&I1{)Q9PS}q6g$uBcXYbZq@qAL6hv(_yx(2t6$mnnwUju_+xhk z==Pl+ex48TQ0?u#%VKyx%%b^%G&&3~TwtpuWU0ZP|KbiEBguORzXwu*Qb#BC)R+Ug zU0)Zi_+-i?1kzJI2lAvxvoFfz;nSZf38O2LSl(WqgajTBgc38VY3>-27&;Ks{K&q& zBk^+cVbqS{GYBTf*|E^EeTs5;|EEQVGTBQ|A-Ai9sydql(p=WyJAK z4almoA!OKC`)YW8r!WxJP6wN5-4EDnvsy%hTv8vE(@_;`Kdao6ngz;&<|v^8-(+(j zsliAyBxg8eoNB37g3lR8nv=&ZFq2A~b=-upf(Wf9PEB5H*#JdUOuH=bBjWi^b*wAz%g!#K(pF9SD&sx22Ups?1KV3?XqHZDn=ELl@{tQhn z^lSOf9{ceVH)JEFqy5N`)|xl<{#oJGp`34ycy!8K6al&T{=PgfrCL(b6BPzSmyn7-X4yM~msz7t{<_G2X|M;D87Ghh2NRyYY{ zO|M~e`sy>e7-8pl8WC-l#=Io+5zblPT;khFFp8wF1UC3@{uX8ytmj=K% zW(2=SO9NI+K#G)9h8we+sO|M%=FB&qtDyW)T{PIap`!p2A<|djXxdrn9WSvS;nT2_ ze!U*ciSDJ@!e-6l9I(#EFOVT%L!umkp0GfPt)J=h@k%3{&D_R&bhAvpxyfm4Zv2^)f2OIWB zv%ORimsejHzQ{I1roGU8k~1I=#R+uMd@XPHF($6zfzM-sBoI~+_CfZg*~(WVe0jS+ z+)$CZ^YSdA%6QK*)l&ZwC$>CgHz%zjSKytOLY<~%MW>?P`)dkNrMiw{ANVDOE=wuK z6%p0v=fyFLo#bKSYS2wOq+GJkIKWw|bVWrzlBnzD@?iiWuyAn^B<-slG1xwfit8Mu zCC#Grjg^a4iM}ccx9(~4seGIbA+aJ_UB z0(KPm&BL(ruo>QhY<)kIM29jDJM6Q+wD-Qy*Bfqg%+sDs`9+yqftTA!f}L)`=|(+O zXhiI+Rr#*hS`ba=-Opt7P|X>c!Y78nWPr9~%NNjBv92!Q67-CgGLxSe4kjE^-hVE1 z!rj-RL`3@%HncMM!S;ElrB}j(ng!E+w;q5$B)Fd?5ENVuzn;RYEkbO3v;+|_4^=SO zZ&Q4(wWr);!r+AyMzG&e>`dn0N7dENM>}*on3(N0oGig@!6>_t`#w$hA0RWYYl#}B zO^gYngq^o>bk|8~SbR&!uIsW6+wr;`hLBp%0GC^l*IS>$%b`ly2mXzLI4RjLzjB=x zG4-)?XRrMZ0uEH+|Jz`v$-{dxf4Bhu1APAf#e?sKAubn&+%WoGeSoH8;GX7Tq-i~e zC1X+WJg6uVcrDeKGnnWlR542#^?HNCUz=o$3zF@F9skf9K-Kfs2I?=75;cbkb2-%t z>2av?hf4i^A~!&*iM@FfmqH=A0%ZOJD5AhKiP%dj0Niew+-8y${5#`O@9>EP%eH~;XdXroZ6*Jfe%Q>&B z@Odie?rE7E26w?I0mp_3Bn6DlEy+A|?nrcXF4_rNsG`FczF12hWFsb>A1Fxk4iy^7c%TRtpo%;kge9YPcxu1&C1ZblAkTiROt(+J z#Ih0rk*oqp&`1RUa=i=GQ$!-pZgeBT%d#JmK3;lLpz%t=p_{uLu4ni-yI39#0^k~l zm4RG`wn*v%kIl&qpbMfRlAARpG-6KaV}R%|fr9Z+P*C+VFGnD_p9t$JK%y204IHJt z>i|h2*SNsskUTY)hYX!qIT&mcjwC??Wrj@5mse>-;C}%$q3y&<*G)(nW2btO1=sV= z!TlddATXsO0;#PAOp#7?;0#%oP~h%0wk5y9y#xaX@stV>I9|(@0}A&|0mn3aAx-*V z{A&wZ(=v)EfTC+~-yQea{p>K`5yOHYf`F2^%Vy0k!r)PE_IOF(O#_SNEnZb1_wy+; z{{{{hFqvxR#0ULBm;M&_v~3v!Xt;5v)!sKfQMpEGfD^=Sx2^b7&3oOP(IDf!DNE{n@^2UjE1M zFoa3-vt$dbj2Z54eC#DdfnhJn;PpeEH1?ljszHfn4gcot%YrsunV72q9!9Y&>T1@; zHgu@c0KrT{|5rdWag3Frz+DMp4m@MaqH`wxaROL2DQ;GqwFhMdt2GQe~`A&gb3ccVHSmabi*z;nWo?t0W6~fE?TIH z3Crj71@b~4sA9Rpgk5qrC{vZCHd<;Wa1lX_e71wDfgVSYK)8ZYq>TbV^l+CMAEr76 zq?VT*#&~a?=h}2K1D}}f8E@jN8XGnpZv$I0N|=y?;>BR$hJ7vqkhv46UpO=>H*ax@ z-F?UgNNSfs0Dh0psw{d~0f%%fBjm=)XsNB0D&zSA8jI1sfKyd)7~%{A?1w_{mE4^7 z8imG_i}P6BTriPgqb;CEFw9F6^#JW3yFuK7!(bUDJQzBV4p#CK+AhABYUV~G<5#2a zTjZyfEYMmD_zMvLSc^%Tp8}{is&&Bz0@j&N}#E^wKmGi2^~If-Z8R zh7Y?0@NEDn?lERp5=Fyj{PfHlltP4&o`9@D*&}qNK0xqWFsQxfqPTUJTrKg#6yU~D z#*B>Zmf`~4H=Y8%%19b|JwW`5VtyPC5HHjY&nDfYeeunO)B=ssn> z#lS>NVJQ@x*hudy7Y#JD^}J*6$++6rYs>BOI!E!7@6LYp4B|2H;d&^F0A7QI!)pDXFv&-eL zA~0WDz14)Tj`fvtS+wT4Nz0=beK|Gwpp2{~#`%ysP1YPqT-V{`afMo-g{9`Dk6{rq z<}Q^DZSqyUl%0x~j3p>&Q2)ga^XXeB^Mp<&wHHgcw>U3KORV}tW~6BCjYCp_6a*y! zb;DxZO+%GWHkIPqI-0T`_p7juJex>AdgYUh(eYwGHt=3~{%**Wz4^EuY1
s|)TRD0vGs2UKyg2w47<+D+~{>-Q++BdU4Bq^moVQKCMDk3 z=Ip~2VwdziRP2boRSCGBn+aVu&KMTF61S1oFNNM{QG$T>{nY2Q8~bv_k$46Pi%F*! zn-}MO3G{&obxID2B1Jk`F_+$txU5NH>TR210#U9q`{y<1$E)twQ?dtCc`93=J;2;s zsXC{A*)cGEKa_F2?Q~~tUSi|ng!~*OWKDFoQY^P^^4-PhqD&e4HJ;mlXmp+GU_LmM zAm%cp+>U7D9hx{SGMT+NsK2nUb4Y3#p^e)dhG%33nvI3x^#fLsBL!~0F^qC+sA=*> z0=NF`3=?UXFAc0gY`bNL)jM%GU9HKh?Yp^%2PhgIv*^C3CFGs21ogpTYmG_6CcGO* zC6p@cH$arO?R1Za1aj#BUH#>yH(if2K){!{>L9gO2b4@FMNt2kZb4FHJ&XYHq2$zm zih?AkQS8+`*rs;=rOl)eI{{0T7G4P=F*_ow+~6Qr@r1`PMB~a+qig%ghoq`PxJeJ% zn|Gx}S&NGbh`!=FH?wnU7;LA)L_8fxRJmYQMC!I5N_9`a2)=v+RZ^t6nf<7{KL+y? z%V+D_JExi3-EN{eRrfzxn;@n|Cg5K=68Db~>Hv$!OYtRC8-)=9ZlVcmV^b(W!rkGJ zMs31wcEE`&o*Mxy$dWVKRBe;aAYa+kw{m3Lj$P(QIaPOF`t*IiNuCfbHqmyIyXA^S z45iYx_~(*ux&|Zsjv~;zl-Y;Cj<>XHi*swFvmqO?1teG|InMA3<9#5-m3hNKuW=E0 zJA3z(cLu#{jcq5T&p*2a&(GDftYlH&3rV-){&B>oH)kAqHOTPZl+VF;v*^4JPM4p# z@`<1+s%RZ4uvd#rb)P7nIQ5K5Hl=P3e|qAGHHg2#j3IywB*r&^;U6+2mW4`L` z`C$PbOBoyTc|0|%@mk;|tZvLrbY$eVwZTL9y!S>JDeEZqAgbKNK=0~vz1<^}KqS7T zrsbSs@^K5^Bs_i=#MH#JstaVXOLQ(AwhiAz5enpxD^S3+++(mU6BfQ-8HVt23kAS2 zv8SU&5ib*{FpA~MU%$RH={{ypxr?WztnVCNRfI`9+o!yHxy z6c4Gwn^6=kr4>Hsj|JWQ;^(v_+%ju^?fs3GybqoTW+20yhdw6~t~MokNk2~nCCJ)j zyINUCPu5nhRbQRrI@PBFEYO`r&eTFWzvr@zr{QkFg*V3E3exXh*wxHY*X&L4#YgUB zYitP>5*($G6J`&Pu3k#nHEt8!4esFA*`%T~%B~Oz5$sI}jcvN4X+BJceKfiPBA((x z<(>l{9bFG7`7_9n;tXXO*TdI8S=paTQOxR+`?mq)l@-*?=7YV}Jh~1Ftz2($jXGg+ zd?mAbPuWViV(Bi!A{LTpXk!DPn5d27>hslMG_;+zE5lxbKI z9wIt4Lx}DlVk4zz4imY8&5!$t^Fo_y+Yz9JG2don_bB`?E|BS%9V>V$#JJoNPWM`{ z+OoPV3;Z#0bRS=bN)bgz*$%I7Jl72m4k~myZ=)0@Wwk9^dtv39(1I<#&$+eN7gJT~ zy7)5B%IDIS+jHv-sm+e-L(X=Dta7-J!B=>PiVR<_*-qPp6XYuzLXs*1)5xc=rE+8x zdjQ+jb~aFgzKG}n?o&M@-)|y4#kXiT4ux^UuS8s83zgF}P=Pb;Jz_T^ey0YENc@OH z{LVlI6z7DzNW_y=oRqqo&XCQ^y~3=M&Rn{ittEJiWFysitY=$PB;FZPJzjj9PrL*@ zN@Z}DvH`1?sb~9UP0UBhv|)z0MM{$E$tOGAyz20t*E02wNICiG#8{HvE^Q5=`;-01 zZ&7N@Af`E~nHSfa4OX(=UZZ>nkNFld7d$|SPn1BXUC>bkUB7BdG@uKnwex;OT;Vq# zA4Hg7g5G4IB@O(-BsprhQmsRxv5-Mr7G*?pF;{~dG}WRWEx z?GW%3FkZ(;If)rGh5HM4xZ-`@x!kR?1#Kuc4-O8*N&z&9DGhuqg=fLeM1kpLFP1t$ zuH+RV>i|T#LajoA%PbK(^|Te;S*~eE?h0W(F^r!GOAOzXVb1PmibArOzQA-I?P^G( zQ)%QJ?Y?g`s3y{xv0?cV5_NS*R<$L>KSsxp*wnV-1MZVbru7ogr0 zTFa{nZ$Su^UD4lQ;-hKG06}nBP)Hw5g8WEGYZ`aL5fQoAtm!fdveDTSkxtqWRjYg& z6*cK8rl5(6l=f+z<+<5bK5#*bh0QXlfpUk7?k20EK#g+}@PQB-yfTvY`I$rNfw1G` z_-QLqTokFc-Tpqw$*19@sHN$5l7mG3>2iT8bM+p#ngxZzgYlFK2YF(*#B*?c%fZvtt2!y~uIB=N#w#B&EACV-6pw^2k? zwev=ME_;Gbk?C~J^SQCZ#Ky7BES1=vsb0`=u=XR)2rdOu^#bpM4FV%Eu0kRC1z+c_w~kEJ;hf- zob+9GJU7DyXtIay4b~odHNGZ5>^Ti9F<26*@}%iK*ms+rCM2xzLpGM$DO=oP8!{!P zmtmk=jJVP5a%GULU>*5J$pXFm%h%g*^LNFnn%{m6AJrrfzVt4Rt;Fx=*yRHV?-AoJ zOHI>@>4ij1%plqZSH8_aZFdwMH|K+@*4HnYZ&Kg%d=DS*8qymkQ-H_W#*JLUrx?bT z?O9|JAu%mB)=TBk{W{C_9MMh(C_Y zP*AE=O#Vz+Sqi{}jL{qzQma?XGHg!(6I-Vlta#VwPz7LGX|hqcjEJ1nUk{ z+Cx15b{l5ZuiNxBW`-H+$Z#`53~Uhs2pUn1Oh&cEFQq63wK9BQ2b;%vPd*Ic@?0Q= z*Tt5qw>2E$f)G%hzt3={0fe6_cR!e!T4K$1~CRz6S)w*Kw2 zBAa-l{3YepqpsTP+nfg!{kvhZe4w1WhhPE^m`~4B5xk#B`V%9@je7xR%Dy~w{*hUN zNy2n<0ic46I?ouQuYqu4K-20Y9jc%_ELjIoLFM=i+$=?)X2Ju>T*|1b@jikVNi3;t z!G@6wc-qQW-B|E{ZTdOXroTrWF8c_@p1<{~Gl1#m@Q448hffbq&M)QQ{z)DuQl2(4 zWkh`?hssh2>3=cZEclq-iV(7T_VG_sRSU>Iz`E)te@vwUaVPKkzO_a;JlFBH1c! z8B{h_4ZYWeJ-*1{RDx~`u_6vskJHaKsU&_git6tu9wcCqxr1I0H_pNumtHADzaxv2 zldYL%vqo~u{?qf5&58GU1uHAx@~kXe{}+_qZ-whq_4Q+b4>PVIxgIB&V)W$f8^m+k zeQ#=@m-#zKJga`z)HPIsS=ftY)I3HfFM#3-~dXq_J%08EmjGhLj859ZHN zO%V_P6ATinfOIfx%&z>N1?l<1Dek{qG7@{?YiRe;;N1K{b+EjH8> z{S!4_-<)VU0jMG;lKB0>vMJCi7Z#%GrSy-moA*l}Eda(S%>iKC>gY=(*&%KoTZ=w9 z_i3l(kt)sCg4ka06|-WXRCF((mlJ5>~l77sLb|VZ@!EUUn_2}%DtOYMJ;GqF!7<3VJkA_<4Vew z1xf;w(q})u4z^2mL(Ztq38jBTqi|d`wFZPwk*U<-bfCLqcLMhWC|uZHDgLM_nidhH z-~^iU+%G^7y5UfFWSK`8wx3ZWy+6#z>a8zvdE-TuCKfbZ4HqDr?+id=&jgs_VuHS9 z@_V`CP)0;iSj;batsJHO(_qU6!knFEbpR7$yP?XmbJCNGD3Q^Q1Z$Xk#)qO_q(i6( zNqq>uX|Fc|g#!WUnXz0mR+)I$4HDmV!zX8Mwm21%``*4woCAFNjr>Zb$4BIo#WVtl4*=Rm%EI)(Kf15)QZv1d-!?r&wOdaME6?^mI z)HTG(czGF6R?9nIcSaubCks%=1hgo8*&Hi(bTn!L+{N;VJ81(DL@2^z%6AAA?4GyP zvrm;s@n^&yLX4Jxb;u}H87g?Fj_bJ$$l`+N%f88!O{GMt?SSG7@Sw`MPS)3OK1Olcq`gshGGLK@_K>W^3Q%Ch8N8v^iX?cmeQ zc%`d)7Q>b`KCe39#~up~7ClhOd=owS&KCI2t}t1^U+#2_;4Ulb#OMxu!pI(rNr8s# zo1j@iq1BkU4{B+asyseNjQ6Qdsh5heJ=urO(!^g{;MQ&E-wb^L`UcOXA?F{7sqNBQ zf~G(tZpyt8uC7Gh%)r72YMZS9e3DNROD0lrn!`T^bv2=wMiMmuK;=PkF4|TaCn@XF zYlHRz!(P*J-9d3s)!Udvngt$zc$_f1h|BP ziEXttNWiZQ2B3Zy020cR&xNbXVw#VQ%b37iB;eUij*EE*PWN;e_jav*W~0PYv^*8K z6L*SPF+n3Oy&P=~C=!0?>-Qk;=JG8j#3U{TjVA`BMxHa5yl+0KcA_;6TcFl(biNjP zCWd=u^r^cUd+wdrHwSqJa7@%*PogMWj{^AU9b0f`N$Gn(65=(=O__-E=)K5(^W{eF zDoVwIWw|mjZLwmpFnNt!)yV9!%wCPkC^O;?;~s-tf2{P%7q!&$s4N%;%&OhISC7y3 zL=F4Oq}%~!Y*;`iQwJFY+cOoQnq+sS0|KuGO>S$l2&palsp2Hiv)uVvSrG2TK1=&b zwH9oAbm^`%DGTX8sw%|tsiL8(3hF&uic}xvV#A&Gf{tkVTXs!(or{-@I`Rv1e9c9ck6B}6lq{34 z7c&8xQ(P)fB|x8VNh?wzDLCftJMnuf5+%UIcOc0YNBEqfh@Qa!MLiH*W4*_Xt6iGT zqac-8otT`AT3K&@DQ2{IUQ4SrDuy4+l7O)f#ae&Th|%Oi(bQ5xM%E>Se|p&>W>q2~ zxM&oRX5)&!6h*f5-_?AP&3K!0$q)o1+C*&LNUh6kf9e63YXJ>bQyW#POn(5f%z0}( z6qJzzpbWjG2@*)~i+n;fURZz^QQ{rjK43MK1hZAVLpN_<{(g}X+LJB!rA<}`FmSW{ zBtO~0PcQZ`E)JxcIev+E;M028as*FiTL2|>S-lGMxu%PtaLO&gr+Qkc&I=Ly)FNIv zluK7Pv&8W6!|OWr#0ZkN8p32}lJc#Vr$bpMg|?lamM}8}l0bRv!U54t>T}+$FD0hS z4Y%0$TD<&IoNH`$@>}MolQ;}@Rj$8kDHWeobS4WvQ1=U9Xr7h0p(Rf}uO#W2Krr4n zR}ntUdwTU|iw^xc9w~Egh0|?aL?+`0KO9jmGFYsWKO!5~h`OcEAJRBc!D2K<@|Xh0 zqvbxmQyNrhSX6TekP!xSF)|czVo3%HY>)Sqb0JhIN%YPT zXiXk)N38*q$23qym~E7GC@5+Y&l&@ij5~*(6fC7cX9%( zrFl?sz%r1jnOdJ18>()3>$7BM?HzkP~wvNYUFqI)~!>4bSJp za7V@7*#qFB#->Ua=$|c?JRqZS8ryGS&!k(whHhV>sf|t7Q~S6^PQMUdr(#E(@UUj5 zlE7pefT=H+=u)MMC2E3B;0gC@l=Ff`9EvlWjc~BEfx0+PR}Oz#X6`vyi^;HSN+o^s zJu`ymqXp%-rJ3|>9`OlB zxdz2iWrT&ik3giC#V@h_;Qr|k^_hrn!;28=PMovu(E*vhBrV)_KQx*~1uIE%1=)^S z3clcNv{p&{#DZ~?%4?cFUhZbc;x_BIa%Dm)H@`Ji2&pGPwY5!JF)Lmf#18P+BCLC- zZ)j4&K6s@CU9RJBg{AS?(i^O+_yAdFyA{_!n7EAsl07p6nOXDMVIf7~L>)c0s$Fb) z$Qa%FKsox%!0g0yKVW9|?Z55;%cIW#rubuHVoW}@Bqk<~chqWl=@s!j$;b#rPD^g67PThIlIzVvTR7LF%!={PF=Wp@E!F%vig^}t-Bsa%RhfT1i%%~ z0W?G~2<)w!EDA#YQq3%JnK}EHU;Tw-_-dh$3~|A@KR=rj3hn^}GN0Pzdh!1wID?E? zA|UhCF=izB$+%n$G;k+^@uU4-%^QuE3uIS?)uJmaGBXtyCpFRYmXx)%QIe&|xDB*!CdfJ;_j zhY>s&*aU=-?{NiMZxkt5Lp&u~TEis48r1I{fpDKm9aJ4>6eQONa%1tsAKixb0^&ll zm8LdG**;T~6TI8X?JAEyef7>tQNNn2+S+3uckyJP;`F$C9;Y4-G~0^ zYaVg>Edu^4p)0H0O3y{eTo-#wmuf(s^iKXR*mdd!!7YaL zpM2}sNm2Z#LwJ#o!l~%IIQ)xO zh6*>2e=M6JjrGszibI~tT47>e;lo$jQ_h^Iaw|E5fS%~AbtIkB7@)z~5?hXBDKY6{ z5jHN?eA#>;=y&Ql1llV}MIKhWyMe~e+v@Nv@~fpuY&Ec_M2{x1l@i_@Uf_|kfB;Q7 zf|KqtG2|$-hXGsPFYDrKVXPVnM5SM65|}R)B2evmuOzwPACUQyg#FvtTIk42qK%|| zyw4h@eeHm0Xk|2(l%5Ba=(fM`JfQA)j87GtDOK0K?I?p-m-X97o|yzjb-$EGyhnhzRm0*+gq zZhhDNGY>d8D!SYVc$$buBe2YxcjPY+p#3GUv(L%%C1@E~5%B0O&`53k6yQj0<~bhV5H94PE|4CeM120Qe7~VJTq~wF kXa6SPfTYKS1OJ)lrK(Ngo9!I|JmQ_f)78&qol`;+05laSKmY&$ diff --git a/versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP9/README.md b/versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP9/README.md deleted file mode 100644 index a8cae83d..00000000 --- a/versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP9/README.md +++ /dev/null @@ -1,132 +0,0 @@ ---- -slug: /MEP-9-no-open-ports-to-the-data-center -title: MEP-9 -sidebar_position: 9 ---- - -# No Open Ports To the Data Center - -Our metal-stack partitions typically have open ports for metal-stack native services, these are: - -- SSH port on the firewalls -- bmc-reverse-proxy for serial console access through the metal-console - -These open ports are potential security risks. For example, while SSH access is possible only with private key it's still vulnerable to DoS attack. - -Therefore, we want to get rid off these open ports to reduce the attack surface to the data center. - -## Requirements - -- Access to firewall SSH only via VPN -- Easy to update VPN components - -As a next step, we can also consider joining the management servers to the VPN mesh, which would replace typical WireGuard setups for operators to enter resources inside the partition. - -## High Level Design - -[](./architecture.svg) - -> Simplified drawing showing old vs. new architecture. - -### Concerns - -There's few concerns when using WireGuard for implementing VPN: - -1. WireGuard doesn't implement dynamic cipher substitution. Which is important in case one of the crypto methods, used by WireGuard will be broken. The only possible solution for that will be to update WireGuard to a fixed version. -2. Coordination server(Headscale) is a single point of failure. In case it fails, it potentially can disconnect existing members of the network, as WireGuard can't manage dynamic IPs by itself. -3. Headscale is already falls behind Tailscale coordination server implementation. Which can complicate the upgrade to newer version of Tailscale client in case of emergency. - -### Solutions to concerns - -1. Tailscale node software is using userspace implementation of WireGuard -- `wireguard-go`. One of the options is to inject Tailscale client into `metalctl`. And make it available as `metalctl vpn` or similar command. It should be possible to do as `tailscale` node is already available as open sourced Go pkg. That would allow us to control, what version of Tailscale users are using and in case of any critical changes to enforce them to update `metalctl` to use VPN functionality. -2. Would it be a considerable risk? We could look into `wg-dynamic` project to cover this problem. -3. At the moment, repository looks well maintained and the metal-stack team already contributes to it. - -## Implementation Details - -### metal-roles - -`metal-roles` will be responsible for deployment of `headscale` server(via new `headscale` role). It also should provide sufficient config to `metal-api` so it establishes connection with `headscale` gRPC server. - -### New `metalctl` commands - -`metalctl` will be responsible for client-side implementation of this MEP. Specifically, it's by using `metalctl` user expected to connect to firewalls. - -- `metalctl vpn` -- section for VPN related commands: - - `metalctl vpn get key [vpn name] --namespace [namespace name]` -- returns auth key to be used with `tailscale` client for establishing connection. - -Extend `metalctl firewall`: - -- `metalctl firewall ssh [ID]` -- connect to firewall via SSH. - -Extend `metalctl machine`: - -- `metalctl machine ssh [ID]` -- connect to machine via SSH. - -`metalctl` will be able to connect to firewall and machines by running `tailscale` in container. - -### metal-api - -Updates to `metal-api` should be made, so that it's able to add firewalls to VPNs. There should be one Tailscale namespace per project. So if multiple firewalls are created in single project, they will join the same namespace. - -Two new flags should be introduced to connect `metal-api` to `headscale` gRPC server: - -- `headscale-addr` -- specifies address of Headscale grpc API. -- `headscale-api-key` -- specifies temporary API key to connect to Headscale. It should be replaced and then rotated by `metal-api`. - -If `metal-api` initialized with `headscale` connection it should automatically join all created firewalls to VPN. - -Add new endpoint, that will be used by `metalctl` to connect to VPN: - -- `/v1/vpn GET` -- requests auth key from `headscale` server. - -### metal-hammer - -`metal-hammer` acts as an intermediary for machine configuration between `metal-api` and machine's image. Specifically it writes to `/etc/metal/install.yaml` file, data from which later will be used by image's `install.sh` file. - -To implement VPN support we have to add authentication key and VPN server address to `install.yaml` file. This key will be used to join machine to a VPN. - -### metal-images - -Images `install.sh` script have to be updated to work with authentication key and VPN server address, provided in `install.yaml` file. If this key is present, machine should connect to VPN. - -### metal-networker - -`metal-networker` also have to know if VPN was configured. In that case we need to disable public access to SSH and allow all(?) traffic from WireGuard interface. - -### firewall-controller - -`firewall-controller` have to monitor changes in `Firewall` resource and keep `tailscaled` version up-to-date. - -### Resources - -Update `Firewall` resource to include desired/actual `tailscale` version: - -``` -Firewall: - Spec: - tailscale: - Version: Minimal version - ... - Status: - ... - VPN: - Status: Boolean field - tailscale: - Version: Actual version - ... -``` - -### bmc-reverse-proxy - -TODO - -## References - -1. [WireGuard: Next Generation Secure Network Tunnel](https://www.youtube.com/watch?v=88GyLoZbDNw) -2. [How Tailscale works](https://tailscale.com/blog/how-tailscale-works) -3. [Tailscale is officially SOC 2 compliant](https://tailscale.com/blog/soc2) -4. [Why not Wireguard](https://www.ipfire.org/blog/why-not-wireguard) -5. [Wireguard: Known Limitations](https://www.wireguard.com/known-limitations/) -6. [Wireguard: Things That Might Be Accomplished](https://www.wireguard.com/todo/) -7. [Headscale: Tailscale control protocol v2](https://github.com/juanfont/headscale/issues/526) diff --git a/versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP9/architecture.drawio b/versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP9/architecture.drawio deleted file mode 100644 index adb09214..00000000 --- a/versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP9/architecture.drawio +++ /dev/null @@ -1,324 +0,0 @@ - - - - - - - -
-
-
- Metal Control Plane -
-
-
- - - Metal Control Plane - - - - - - - -
-
-
- metal-stack -
- Partition -
-
-
- - - metal-stack... - - - - - - - -
-
-
- firewall -
-
-
- - - firewall - - - - - - - - -
-
-
- machine -
-
-
- - - machine - - - - - - - -
-
-
- ssh -
-
-
- - - ssh - - - - - - - -
-
-
- bmc-proxy -
-
-
- - - bmc-proxy - - - - - - - - - - - - - -
-
-
- Metal Control Plane -
-
-
- - - Metal Control Plane - - - - - - - -
-
-
- metal-stack -
- Partition -
-
-
- - - metal-stack... - - - - - - - -
-
-
- firewall -
-
-
- - - firewall - - - - - - - - -
-
-
- machine -
-
-
- - - machine - - - - - - - -
-
-
- ssh -
-
-
- - - ssh - - - - - - - - - -
-
-
- bmc-proxy -
-
-
- - - bmc-proxy - - - - - - - -
-
-
- headscale -
-
-
- - - headscale - - - - - - - - - - - - - -
-
-
- tailscaled -
-
-
- - - tailscaled - - - - - - - - - -
-
-
- tailscaled -
-
-
- - - tailscaled - - - - - - - -
-
-
- Internet -
-
-
- - - Internet - - - - - - - -
-
-
- Internet -
-
-
- - - Internet - - - - - - - - - Viewer does not support full SVG 1.1 - - - - diff --git a/versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP9/architecture.svg b/versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP9/architecture.svg deleted file mode 100644 index fd268d2f..00000000 --- a/versioned_docs/version-v0.22.3/contributing/01-Proposals/MEP9/architecture.svg +++ /dev/null @@ -1 +0,0 @@ -
Metal Control Plane
Metal Control Plane
metal-stack
Partition
metal-stack...
firewall
firewall
machine
machine
ssh
ssh
bmc-proxy
bmc-proxy
Metal Control Plane
Metal Control Plane
metal-stack
Partition
metal-stack...
firewall
firewall
machine
machine
ssh
ssh
bmc-proxy
bmc-proxy
headscale
headscale
tailscaled
tailscaled
tailscaled
tailscaled
Internet
Internet
Internet
InternetText is not SVG - cannot display \ No newline at end of file diff --git a/versioned_docs/version-v0.22.3/contributing/01-Proposals/_category_.json b/versioned_docs/version-v0.22.3/contributing/01-Proposals/_category_.json deleted file mode 100644 index 2e7fa4bf..00000000 --- a/versioned_docs/version-v0.22.3/contributing/01-Proposals/_category_.json +++ /dev/null @@ -1,4 +0,0 @@ -{ - "position": 1, - "label": "Enhancement Proposals" -} \ No newline at end of file diff --git a/versioned_docs/version-v0.22.3/contributing/01-Proposals/index.md b/versioned_docs/version-v0.22.3/contributing/01-Proposals/index.md deleted file mode 100644 index 0f6eddc3..00000000 --- a/versioned_docs/version-v0.22.3/contributing/01-Proposals/index.md +++ /dev/null @@ -1,69 +0,0 @@ ---- -slug: /enhancement-proposals -title: Enhancement Proposals -sidebar_position: 1 ---- - -# Metal Stack Enhancement Proposals (MEPs) - -This section contains proposals which address substantial modifications to metal-stack. - -Every proposal has a short name which starts with _MEP_ followed by an incremental, unique number. Proposals should be raised as pull requests in the [website](https://github.com/metal-stack/website) repository and can be discussed in Github issues. - -The list of proposals and their current state is listed in the table below. - -Possible states are: - -- `In Discussion` -- `Accepted` -- `Declined` -- `In Progress` -- `Completed` -- `Aborted` - -Once a proposal was accepted, an issue should be raised and the implementation should be done in a separate PR. - -| Name | Description | State | Progress | -| :------------------------------------------------------------- | :--------------------------------------------- | :-------------: | :----------------------------------------------------------------: | -| [MEP-1](MEP1/README.md) | Distributed Control Plane Deployment | `Declined` | | -| [MEP-2](MEP2/README.md) | Two Factor Authentication | `Aborted` | | -| [MEP-3](MEP3/README.md) | Machine Re-Installation to preserve local data | `Completed` | | -| [MEP-4](MEP4/README.md) | Multi-tenancy for the metal-api | `In Progress` | [releases#236](https://github.com/metal-stack/releases/issues/236) | -| [MEP-5](MEP5/README.md) | Shared Networks | `Completed` | | -| [MEP-6](MEP6/README.md) | DMZ Networks | `Completed` | | -| [MEP-7](https://github.com/metal-stack/docs-archive/pull/51) | Passing environment variables to machines | `Declined` | | -| [MEP-8](MEP8/README.md) | Configurable Filesystemlayout | `Completed` | | -| [MEP-9](MEP9/README.md) | No Open Ports To the Data Center | `Completed` | | -| [MEP-10](MEP10/README.md) | SONiC Support | `Completed` | | -| [MEP-11](MEP11/README.md) | Auditing of metal-stack resources | `Completed` | | -| [MEP-12](MEP12/README.md) | Rack Spreading | `Completed` | | -| [MEP-13](MEP13/README.md) | IPv6 | `Completed` | | -| [MEP-14](MEP14/README.md) | Independence from external sources | `Completed` | | -| [MEP-15](https://github.com/metal-stack/docs-archive/pull/232) | HAL Improvements | `In Discussion` | [releases#238](https://github.com/metal-stack/releases/issues/238) | -| [MEP-16](MEP16/README.md) | Firewall Support for Cluster API Provider | `Accepted` | [releases#237](https://github.com/metal-stack/releases/issues/237) | -| [MEP-17](MEP17/README.md) | Global Network View | `In Discussion` | | -| [MEP-18](MEP18/README.md) | Autonomous Control Plane | `In Discussion` | | - -## Proposal Process - -1. Before starting a new proposal, it is advised to have a quick chat with one of the maintainers. -2. Create a draft pull request in the [website](https://github.com/metal-stack/website) repository with your proposal. Your proposal doesn't have to be finished at this point. -3. Share the PR in the [metal-stack Slack](https://metal-stack.slack.com/) and invite maintainers to review it. -4. The review itself will probably take place in multiple iterations. Don't be discouraged if your proposal is not accepted right away. The goal is to reach consensus. -5. Once your proposal is accepted, create an umbrella issue in the relevant repository or when multiple repositories are involved in the [releases](https://github.com/metal-stack/releases). -6. Other issues should be created in different repositories and linked to the umbrella issue. -7. Unless stated otherwise, the proposer is responsible for the implementation of the proposal. - -## How to Write a Good MEP - -In the first section of your MEP, start with the current situation and the motivation for the change. Summarize your proposal briefly. - -Next follows the main part: describe your proposal in detail. Which parts of of metal-stack are affected? Are there API changes? If yes, describe them and provide examples here. -Try to think of side effects your proposal might have. Try to provide a view on how your proposal affects users of metal-stack. -Highlight breaking changes and think of a migration path for existing users. If your proposal affects multiple components, try to describe the interaction between them. - -After the main part of your proposal, feel free to add additional sections, e.g. about alternatives that were considered, non-goals or future possibilities. - -Depending on the complexity of your proposal, you might want to add a section about the implementation plan or roadmap. - -You can have a look at the existing MEPs for inspiration. As you will notice: not every MEP has the same structure. Feel free to structure your MEP in a way that makes sense for your proposal. diff --git a/versioned_docs/version-v0.22.3/contributing/02-planning-meetings.mdx b/versioned_docs/version-v0.22.3/contributing/02-planning-meetings.mdx deleted file mode 100644 index df10177b..00000000 --- a/versioned_docs/version-v0.22.3/contributing/02-planning-meetings.mdx +++ /dev/null @@ -1,120 +0,0 @@ ---- -slug: /planning-meetings -title: Planning Meetings -sidebar_position: 2 ---- - -# Planning Meetings - -Public planning meetings are held **biweekly** on **odd calendar weeks** from **14:00 to 14:30** (Berlin/Europe timezone) on Microsoft Teams. The purpose is to provide an overview of our current projects and priorities, as well as to discuss new topics and issues within the group. - -export function PlanningMeetingDatesTable() { - const today = new Date(); - const dayOfWeek = today.getDay(); - - let daysUntilMonday = 0; - switch (dayOfWeek) { - case 0: - daysUntilMonday = 1; - break; - case 1: - daysUntilMonday = 0; - break; - default: - daysUntilMonday = 8 - dayOfWeek; - } - - const nextMonday = new Date(); - nextMonday.setDate(nextMonday.getDate() + daysUntilMonday) - - let onejan = new Date(today.getFullYear(), 0, 1); - let week = Math.ceil((((nextMonday.getTime() - onejan.getTime()) / 86400000) + onejan.getDay() + 1) / 7); - - if (week % 2 === 0) { - nextMonday.setDate(nextMonday.getDate() + 7) - } - - const blacklist = [ - new Date('2025-12-29'), - ] - - const amount = 8 - const dates = []; - - for (let i = 0; i < amount; i++) { - const nextDate = new Date(nextMonday); - nextDate.setDate(nextDate.getDate() + (i * 14)) - - if (blacklist.find(item => {return item.toDateString() == nextDate.toDateString()}) !== undefined ) { - continue - } - - dates.push(nextDate.toDateString()) - } - - return ( - - - - - - - - - - {dates.map((date, index) => ( - - - - - - ))} - -
DateTimeLink
{date}14:00 – 14:30Join Link
- ) -} - - - -Our [development planning board](https://github.com/orgs/metal-stack/projects/34) can be found on GitHub. - -[//]: <> (The C025PB1EUKC in the slack url references the #devs channel.) -If you want to get an invitation to the event, please drop us a line on our [Slack channel](https://metal-stack.slack.com/archives/C025PB1EUKC). - -Planning meetings are currently not recorded. The meetings are held either in English or German depending on the attendees. - -:::info -Note that anyone can contribute to metal-stack without participating in planning meetings. However, if you want to speed up the review process for your requirements, it might be helpful to attend the meetings. -::: - -## Agenda - -Here is the agenda that we generally want to follow in a planning meeting: - -- Possibility to bring up news that are interesting for every developer of the metal-stack org -- Check `Done` column and archive cards - - Attendees have the chance to briefly present achievements if they want -- Check the `In Progress` column and discuss whether these tasks are still worked on, there were significant blockers or they can be lower-prioritized -- Check new issues labelled with `triage` and prioritize them -- Allow attendees to bring up issues and prioritize them - - Attendees have the chance to briefly present these new issues - -## Idea Backlog - -The backlog contains ideas of what could become part of the roadmap in the future. The list is ordered alphabetically. Therefore, the order does not express the importance or weight of a backlog item. - -We incorporate community feedback into the roadmap. If you think that important points are missing in the backlog, please share your ideas with us. We have a Slack channel. Please check out [metal-stack.io](https://metal-stack.io) for contact information. - -:::danger -By no means this list is a promise of what is being worked on in the near future. It is just a summary of ideas that was agreed on to be "nice to have". It is up to the investors, maintainers and the community to choose topics from this list and to implement them or to remove them from the list. -::: - -- Add metal-stack to [Gardener conformance test grid](https://testgrid.k8s.io/gardener-all) -- Autoscaler for metal control plane components -- CI dashboard and public integration testing -- Improved release and deploy processes (GitOps, [Spinnaker](https://spinnaker.io/), [Flux](https://fluxcd.io/)) -- Machine internet without firewalls -- metal-stack dashboard (UI) -- Offer our metal-stack extensions as enterprise products (accounting, cluster-api, S3) (neither of them will ever be required for running metal-stack, they just add extra value for certain enterprises) -- Partition managed by Kubernetes (with Kubelets joining the control plane cluster) -- Public offering / demo playground diff --git a/versioned_docs/version-v0.22.3/contributing/03-contribution-guideline.md b/versioned_docs/version-v0.22.3/contributing/03-contribution-guideline.md deleted file mode 100644 index 2c0526e3..00000000 --- a/versioned_docs/version-v0.22.3/contributing/03-contribution-guideline.md +++ /dev/null @@ -1,145 +0,0 @@ ---- -slug: /contribution-guideline -title: Contribution Guideline -sidebar_position: 3 ---- - -# Contribution Guideline - -This document describes the way we want to contribute code to the projects of metal-stack, which are hosted on [github.com/metal-stack](https://github.com/metal-stack). - -The document is meant to be understood as a general guideline for contributions, but not as burden to be placed on a developer. Use your best judgment when contributing code. Try to be as clean and precise as possible when writing code and try to make your code as maintainable and understandable as possible for other people. - -Even if it should go without saying, we live an open culture of discussion, in which everybody is welcome to participate. We treat every contribution with respect and objectiveness with the general aim to write software of quality. - -If you want, feel free to propose changes to this document in a pull request. - -## How Can I Contribute? - -Open a Github issue in the project you would like to contribute. Within the issue, your idea can be discussed. It is also possible to directly create a pull request when the set of changes is relatively small. - -When opening an issue please consider the following aspects: - -1. Create a meaningful issue describing the WHY? of your contribution. -1. Try to set appropriate labels to the issue. For example, attach the `triage` label to your issue if you want it to be discussed in the next [planning meeting](./02-planning-meetings.mdx). It might be useful to attend the meeting if you want to emphasize it being worked on. - -### Pull Requests - -The process described here has several goals: - -- Maintain quality -- Enable a sustainable system to review contributions -- Enable documented and reproducible addition of contributions - -1. Create a repository fork within the context of that issue. Members of the organization may work on the repository directly without a fork, which allows building development artifacts more easily. -1. Develop, document and test your contribution (try not to solve more than one issue in a single pull request). -1. Create a Draft Pull Request to the repository's main branch. -1. Create a meaningful description of the pull request or reference the related issue. The pull request template explains what the content should include, please read it. -1. Ask for merging your contribution by removing the draft marker. Repository maintainers (see [Code Ownership](#code-ownership)) are notified automatically, but you can also reach out to people directly on Slack if you want a review from a specific person. - -## General Objectives - -This section contains language-agnostic topics that all metal-stack projects are trying to follow. - -### Code Ownership - -The code base is owned by the entire team and every member is allowed to contribute changes to any of the projects. This is considered as collective code ownership[^1]. - -As a matter of fact, there are persons in a project, which already have experience with the sources. These are defined directly in the repository's [CODEOWNERS](https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners) file. If you want to merge changes into the master branch, it is advisable to include code owners into the process of discussion and merging. - -### Microservices - -One major ambition of metal-stack is to follow the idea of [microservices](https://en.wikipedia.org/wiki/Microservices). This way, we want to achieve that we can - -- adapt to changes faster than with monolithic architectures, -- be free of restrictions due to certain choices of technology, -- leverage powerful traits of cloud infrastructures (e.g. high-scalability, high-availability, ...). - -### Programming Languages - -We are generally open to write code in any language that fits best to the function of the software. However, we encourage [golang](https://en.wikipedia.org/wiki/Go_(programming_language)) to be the main language of metal-stack as we think that it makes development faster when not establishing too many different languages in our architecture. Reason for this is that we are striving for consistent behavior of the microservices, similar to what has been described for the Twelve-Factor App (see [12 Factor](https://12factor.net/)). We help enforcing unified behavior by allowing a small layer of shared code for every programming language. We will refer to this shared code as "libraries" for the rest of this document. - -### Artifacts - -Artifacts are always produced by a CI process (i.e. Github Actions). - -Container images and [OCI artifacts](https://github.com/opencontainers/image-spec) are published on the Github Container Registry of the metal-stack organization. Please consider using Github Actions workflows utilizing similar actions as the other repositories (e.g. [build-push-action](https://github.com/docker/build-push-action), ...) - -For OCI images, we usually utilize [oras](https://github.com/oras-project/oras) for pushing the artifact to the registry. - -For signing artifacts we use [cosign](https://github.com/sigstore/cosign). The private key for signing artifacts is a CI secret called `COSIGN_PRIVATE_KEY`. - -Binary artifacts or OS images can be uploaded to `images.metal-stack.io` if necessary. - -### APIs - -The preferred way to implement an API is using [Connect RPC](https://connectrpc.com/), which is based on [grpc](https://grpc.io/). For working with the [Protobuf](https://protobuf.dev/) definitions, we utilize [buf](https://github.com/bufbuild/buf). - -The metal-api does still have a [Swagger-based](https://swagger.io/) API exposing traditional REST APIs for end-users. This API framework will become deprecated so it should not be used anymore for new projects. - -#### Versioning - -Artifacts are versioned by tagging the respective repository with a tag starting with the letter `v`. After the letter, there stands a valid [semantic version](https://semver.org/). - -### Documentation - -In order to make it easier for others to understand a project, we document general information and usage instructions in a `README.md` in any project. - -In addition to that, we document a microservice in the [docs](https://github.com/metal-stack/docs) repository. The documentation should contain the reasoning why this service exists and why it was being implemented the way it was being implemented. The aim of this procedure is to reduce the time for contributors to comprehend architectural decisions that were made during the process of writing the software and to clarify the general purpose of this service in the entire context of the software. - -## Guidelines - -This chapter describes general guidelines on how to develop and contribute code for a certain programming language. - -### Golang - -Development follows the official guide to: - -- Write clear, idiomatic Go code[^2] -- Learn from mistakes that must not be repeated[^3] -- Apply appropriate names to your artifacts: - - [https://go.dev/talks/2014/names.slide](https://go.dev/talks/2014/names.slide) - - [https://go.dev/blog/package-names](https://go.dev/blog/package-names) - - [https://go.dev/doc/effective_go#names](https://go.dev/doc/effective_go#names) -- Enable others to understand the reasoning of non-trivial code sequences by applying a meaningful documentation. - -#### Development Decisions - -- **Dependency Management** by using Go modules -- **Build and Test Automation** by using [GNU Make](https://man7.org/linux/man-pages/man1/make.1p.html). -- **APIs** should consider using [buf](https://github.com/bufbuild/buf) - -#### Libraries - -metal-stack maintains libraries that you can utilize in your project in order to unify common behavior. The main project that does this is called [metal-lib](https://github.com/metal-stack/metal-lib). - -#### Error Handling with Generated Swagger Clients - -From the server-side you should ensure that you are returning the common error json struct in case of an error as defined in the `metal-lib/httperrors`. Ensure you are using `go-restful >= v2.9.1` and `go-restful-openapi >= v0.13.1` (allows default responses with error codes other than 200). - -### Documentation - -We want to share knowledge and keep things simple. If things cannot kept simple we want to enable everybody to understand them by: - -- Document in short sentences[^4]. -- Do not explain the HOW (this is already documented by your code and documenting the obvious is considered a defect). -- Explain the WHY. Add a "to" in your documentation line to force yourself to explain the reasonning (e.g. "` to `"). - -### Python - -Development follows the official guide to: - -- Style Guide for Python Code (PEP 8)[^5] - - The use of an IDE like [PyCharm](https://www.jetbrains.com/pycharm/) helps to write compliant code easily -- Consider [setuptools](https://pythonhosted.org/an_example_pypi_project/setuptools.html) for packaging -- If you want to add a Python microservice to the mix, consider [pyinstaller](https://github.com/pyinstaller/pyinstaller) on Alpine to achieve small image sizes - -[^1]: [https://martinfowler.com/bliki/CodeOwnership.html](https://martinfowler.com/bliki/CodeOwnership.html) - -[^2]: [https://go.dev/doc/effective_go](https://go.dev/doc/effective_go) - -[^3]: [https://github.com/golang/go/wiki/CodeReviewComments](https://github.com/golang/go/wiki/CodeReviewComments) - -[^4]: [https://github.com/golang/go/wiki/CodeReviewComments#comment-sentences](https://github.com/golang/go/wiki/CodeReviewComments#comment-sentences) - -[^5]: [https://www.python.org/dev/peps/pep-0008/](https://www.python.org/dev/peps/pep-0008/) diff --git a/versioned_docs/version-v0.22.3/contributing/04-release-flow.md b/versioned_docs/version-v0.22.3/contributing/04-release-flow.md deleted file mode 100644 index 744d9274..00000000 --- a/versioned_docs/version-v0.22.3/contributing/04-release-flow.md +++ /dev/null @@ -1,100 +0,0 @@ ---- -slug: /release-flow -title: Release Flow -sidebar_position: 4 ---- - -# Releases - -The metal-stack contains of many microservices that depend on each other. The automated release flow is there to ensure that all components work together flawlessly for every metal-stack release. - -Releases and integration tests are published through our [release repository](https://github.com/metal-stack/releases). You can also find the [release notes](https://github.com/metal-stack/releases/releases) for this metal-stack version in there. The release notes contain information about new features, upgrade paths and bug fixes. - -If you want, you can sign up at our Slack channel where we are announcing every new release. Often, we provide additional information for metal-stack administrators and adopters at this place, too. - -This document is intended for developers, especially maintainers of metal-stack projects. - -## Release Flow - -The following diagram attempts to describe our current release flow: - -![](release_flow.svg) - -A release is created in the following way: - -- Individual repository maintainers within the metal-stack GitHub Organization can publish a release of their component. -- This release is automatically pushed to the `develop` branch of the release repository by the metal-robot. -- A push triggers a virtual release integration test using the mini-lab environment. This setup launches metal-stack with the `sonic` and `gardener` flavors to validate the different Ansible roles and execute basic operations across the metal-stack layer. -- To contribute components that are not directly part of the release vector, a pull request must be made against the `develop` branch of the release repository. Release maintainers may push directly to the `develop` branch. -- The release maintainers can `/freeze` the `develop` branch, effectively stopping the metal-robot from pushing component releases to this branch. -- The `develop` branch is tagged by a release maintainer with a `-rc.x` suffix to create a __release candidate__. -- The release candidate must pass a large integration test suite on a real environment, which is currently run by FI-TS. It tests the entire machine provisioning engine including the integration with Gardener, the deployment, metal-images and Kubernetes conformance tests. -- If the integration tests pass, the PR of the `develop` branch must be approved by at least two release maintainers. -- A release is created via GitHub releases, including all release notes, with a tag on the `main` branch. - -## FAQ - -**Question: I need PR #xyz to go into the release, why did you not include it?** - -Answer: It's not on purpose if we miss a PR to be included into a metal-stack release. Please use the pending pull request from `develop` into `master` as soon as it is open and comment which pull request you want to have included into the release. Also consider attending our planning meetings or contact us in our Slack channel if you have urgent requirements that need to be dealt with. - -**Question: Who is responsible for the releases? Who can freeze a release?** - -Answer: Every repository in metal-stack has a `CODEOWNERS` file pointing to a maintainer team. This is also true for the releases repository. Only release repository maintainers are allowed to `/freeze` a release (meaning the metal-robot does not automatically append new component releases to the release vector anymore). - -**Question: I can't push to the `develop` branch of this repository? How can I request changes to the release vector?** - -Answer: Most changes are automatically integrated by the metal-robot. For manually managed components, please raise a pull request against the `develop` branch. Only release maintainers are allowed to push to `develop` as otherwise it would be possible to mess up the release pipeline. - -**Question: What requirements need to be fulfilled to add a repository to the release vector?** - -Please see the section below named [Requirements for Release Vector Repositories](#requirements-for-release-vector-repositories). - -### Requirements for Release Vector Repositories - -Before adding a repository in the metal-stack org to the releases repository, it is advised for the maintainer to fulfill the following points: - -- The following files should be present at the repository root: - - [CODEOWNERS](https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners) - - When a repository is created, the metal-robot automatically creates a -maintainers team in our GitHub org. - - The CODEOWNERS file should reference this team. - - The team should contain at least two maintainers. - - `LICENSE` - - This usually should be MIT with "metal-stack" as authors. - - `README.md` -- The `developers-core` team should be given repository access with `write` role, the codeowners team should have the `maintain` role -- Release artifacts should have an SPDX-formatted SBOM attached. - - For container images these are embedded using Buildx. -- The following branch protection rules should be set: - - The mainline should be protected. - - A pull request should be required before merging (required by at least one code owner). - - Status checks should be required to pass. - - Force push should not be allowed on this branch. -- One person from the releases maintainers has to add the repository to the metal-robot in order to pick up the releases, add them to the release vector and generate release notes. - -### How-To Release a Project - -[release-drafter](https://github.com/release-drafter/release-drafter) is preferred in order to generate release notes from merged PRs for your projects. It should be triggered for pushes on your main branch. - -The draft is then used to create a project release. The release has to be published through the GitHub UI as demonstrated in the screenshot below. - -**Tagging the repository is not enough as repository tagging does not associate your release notes to your release!** - -![](release.png) - -Some further remarks: - -- Use semver versions with `v` prefix for your tags -- Name your release after your release tag -- The metal-robot only picks up lines from your release notes that start with `-` or `*` (unordered list items) and appends them to the according section in the aggregated release draft -- A tag created through a GitHub UI release does not trigger a `push` event . This means, your pipeline will not start to run with the `push` trigger when publishing through the UI. - - Instead, use the `published` [release event trigger](https://docs.github.com/en/actions/reference/events-that-trigger-workflows#release) for your actions: - - ```yaml - on: - release: - types: - - published - ``` -- In case they are necessary, please do not forget to include `NOTEWORTHY`, `ACTIONS_REQUIRED` or `BREAKING_CHANGE` sections into releases. More information on those release draft sections can be read in a pull request template. diff --git a/versioned_docs/version-v0.22.3/contributing/05-community.md b/versioned_docs/version-v0.22.3/contributing/05-community.md deleted file mode 100644 index 61eaf099..00000000 --- a/versioned_docs/version-v0.22.3/contributing/05-community.md +++ /dev/null @@ -1,11 +0,0 @@ ---- -slug: /community -title: Community -sidebar_position: 5 -draft: true ---- - -# Community - -(Slack channel, community events like FOSDEM, Kubernetes Community Days..., blog -articles) diff --git a/versioned_docs/version-v0.22.3/contributing/release.png b/versioned_docs/version-v0.22.3/contributing/release.png deleted file mode 100644 index 598b118221b61d55a2de4b4c1841cc6416892b6e..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 87019 zcmdqIg;yL)^Z1>R0Kr3W4<6iImY@NGyR*2vYX}xRxVr~;*TvnP#ogWE-7C5GKIi=Y zf$w|HEN9M8)6-L3RbAEd=^$BYF(i0g_*bu9A&GwxmVfmM3IzG7zJq~W38XvdeD&(% zD{;88uCkwW;aCVIm4cDEKIbCixj+Bav2LwExc^$4Ro;aAmZjhZs}a_(3Jw(Tz zm@b;i9M7IkH-kMp!L;cdgg18}UB;iKGe47(!b7Uw)UwY&mr&*K|J&$Kk&j}Xr$?XI z9P@RErAn}@R)_774{_C)S5$YAV6w6{Y;2vn76zDCVl?2X{~fSx_{}fagbhr7M}Y1m zjX0<#@8QbpLqa8LooSh(X;i%QAMt_at<-hs%D*i^;O!7F{S;x z)eHfIO>pu^lNAjOSz}xOHL_8Jw z`nq#L?cDgtwdMt8dHR1uI_ZBJcb1o>6VyoZs}9hRs|}{lD!@s(J-)M#gtrQ%M-aN% zIZD17LIP1m*4^IMAtZWE)`QDzQT5yN6_vD$R5$&v)DkJqIt#W0|9O=LGDxGRO;?YJ zvTFUoI#E*SR>w1l#Rn3j5v8Zbm%ajzr(bOP_qAyY;7iy=!8`7sc=#hPMZ&0OX?NPK zSmKl=gX{Z)bVi}f;)d@0q=iIRk9Ga66ZfZzRap;&B+^s|^H)B1o=z_INB;B7JE4y< z{%dJzdk$bsd!165I(hUKoQ}co4>517m&-Wq2IC zbZR(oA``p%)9!RW@l6TJPvHobjmgiZ8(g)PUfm0;scQP#2dI1fS}o7UovAt;e}ZT1K|f61C5=><46y}*!l^BqF^t7K zp)FldM0Bv6`4UE>BaQ$0i7Y=~s%W=F=~Vg1szEcx;v&z*^W$QUM!_6MF5(6h!(^>H z&ImzMf9ar^nWBCE7dK{idc%b2scq@#z7GNBY({6T`sns`z?Y9 z1_e8n^dfQ#mHd@d602F)Vp*GCYOFt3w`ga%nr3CyKeGovdS51^#q)$&4;SbrPy7>Y zOfiv4oW8qN<&z#v?yvf)OdkR*4zUc`Pmn3fAjhnN>Zs%K7vp6U;Wi6%Fpm9`;zA74l`B zbQ1p0LYj@Q#oRG!esPXxr(xx{AsLNCP#LjZDKM1887BD!f3{3M7j26$Idj9Y@~BE{ zUpZ2nFTy=RQ6J@i^Cd#rsJ7O~b9y9FcZA`fPv01O=ELVtAE~e;O1|ztrjRT$ zRFSww`zvC-M(rzu;zAD?)=@uNW3=eHyma2|`be}d)goFM%Lb657p*c?X^6JUP~syJ zd=95rSQ%zzUNSP~Z5#O{-m9ikpO%piB(R<+>s{Aej<|8KMdVHCD=Kp-&km%l3Dn9m zmGo`};Pe10xFwYBj9o2h+=wJMLc&Lyd2ZOLV4#IG?kXR?a1ycJ81_EPTIJ!o)C6E{ z4D6X!aV->Id*wv}H(22|`pT07wjGlyOjekn@UJ{rD^ZM(z(&2*n9T}p2zWOqy`vPV zgh%S~jgz$epQ8IBn7|I^r_A@E!eHx(*dv|eZmGm4R$5Y!5nI(E?eF>JCkpiWS8T5* zBy06XBgSKsN6(({;SgDV@*qCt0-*evxA_^L)n=d9o(x=54DjSkU?O7Z z9i2`hx+x~HIk>5Jy=OKukTH@;lsW*~Q>C4vRm~oPid-EvOO6yVgQ-)7!9W{39;ObM1#Mh0c9x7sZf@I~gY_A7; z7p{T?jvUh0saO+x!>=aC^PVu^CttR$n58;3ndWtVPp2Q-;2_f}yLXbXmoH0xvkV_| z%5cb|mjMC-I{};j)%rAeE!(!GLfPnI^<_>;65)6a}T9 zkUy1n+W*Y0%_Kibf%T7L-d`l#AN6A{B(`)Exzg@4@fd!6i)aY8 z!oB1P-^&L&oAYNd#wcRUf__gj=(2y@BU)4-Ove|uysjyWyFhyogCX1hQlK0rUu%KC z8oxthsq-*VhkT}DpUEjpOU|b5KMg*T z{mce(0zQ9H`}gGp-omGU^IPkj-Imw?EeHuHK21;`0&;2oO~k*wLsx$d2lB7o%U%Ch zl^_3*LixWd#q}XzV?7!Y`?F|%N0UDd)K&eDgfgwP0$uvIvHv-N9>agZjw}7gh9M`i zCJ-~mTF8qJ{wKkJr~@L!|Nko~J6^;C*8W|`y>FRgB$D0#wI4fW0aIX@e=cbTPZSa!0AO)?2*Ax_=;lInQFi(m-gjU)e6ZzS zPk!#EcHwr{b$-`Uico22)#^N8zI%5iSAjlwcdgnn~nT{6q++6X)H*jGg?S?q~>f+SC>ri2W*T>(DF5c^$(^7_V6n1tb7jB)=<;GP3F z2??pK{luz?wf4t2#*~*u9kYMDO7HiI({X&)`=r+S@SI~;1%FM%)9V)q+&T=(w!Cib z88e;o6X{w%+VRajca0^v;4KWY?J~DKwSTaVFmCuIUDhjjxBLCTQQZn0lx@H?x^w(U zYuM^s%ueb*#!1)hk&=GzV7rF8y6IDt+O3dI$^$D3h69aE!on66r+@Rc@?S?=6?3yd zH#1k^#jl(_skE2c;FojmEI&K#IHR&sbXj7X>W34~Ej+!c9<2;HyRrhFdFZ?~6^H98 zEIG9wy~q85jL^HVjApJy9oY{b?841kSx;OibV|P-kt=d7MtGe1>DK8}n#f~$|9olW za$d|6MBV2V0s*)mCR1!|z3x|3?&|L&Xx-G+ad)%NRj}Eell|%$f<9 z`p6fygWG7+k&8uNra8FE3*0d?5LWQlWd_E#Qkh@ox9@XIL}3Vxjzg_@dsoi#%;|C1 zQnCnoCf1eGEiQQoqTNv_7K-4bd#{LhmkiCC)gpH=V7=zAa2B%%DqPw%=0AnpHIc1w zi`}@cRO;X9c9v;%Wqwghu_SujmO(~YZ+T9>wK^dy9s+oV6QQ2p*aldJ=-(_|8)-=v zNpCL=qyLJ(FuLo4n`6fpjHs)e1RH5l4313RBX3`=U6`nXk2_Wl9ILHo(z$q4P`&gx zP`zqQuaagbbv9AOMsPVp<6(yKOmmAnuGHv1c-&Ju=~NlIG{tkh?BEP27D=n`D!EC$ zM3tDs^3Ar|-LERoEPd(>&aA0KckL(##vE|?t2n64T}P0UF1DQipf=qF7gJ8omQb{V zdYY;6E*;FLBgWH9aw-=u+(eR9-p*^h70y_FX8=Gv7=P;zS$k_2^dIO&$fdsE`?R&G zqS~ee8+&Ds&&sqL1USVQ89o5mjY&R@mhEa%>mIzU5Q8(MN!M26RomoHG+x9|q#v8u z5Ja%O>L<)8!bCNiP@Yx>5gRhG+Ok*nlP!|Qew5d*d{=v#v}0tbcK8SukmC?-rl(;?&}uErzXQ9&tMwlkfW6;uN_$k zDXMag!`;QV?+@NaQLN|}% zC3QVHP*xB?fiqW>)XZ=kL?;i~*ZbAz-vzVU2jbR6S{feIJ!P$Z!!t4%C#KwZJ(_Ku ztJ$A4)a^(FpB{z`h;=T~+Sx z{r&`V{Aa0(Tvq+cGOE{`HRsMCnUVJ8Uc6CnPYvK$AzYYrcZa-~umk*Yt9Cul!q2oA zfyxeC6iPfs?02nb{@$nzM%bX!vH6&)a3N!$Q2#pk(-k*&Lg%SOGaH;qNs3KHjX-qT z!0_r9TFWCU?MV|bEDRXpKz>qb6eli!}no(k3lGIVFz;^K7xKWa!*kp zE=kO; zq6-y0?OSp_Y_@xt?xi{$2%0kdiYJDt3-e zj}?;(YMRanr}l#8?wAoN1Cjw!>uFs{;@M*}$L;{cK&|`ma5NN!onf=vg`CQ*Ii>K! z#NGz2LC!oEUt32l6RRN_B96N3A0P|g{jk~l`k+_)XR%VxgJkF^?Q1p z4yWdBBbr~PrvNzh*C-PAO_SbVte@vwe=vYj3l*jVmlu&)Z0CDFmAwoU^qZS5H4uQW zarxC=_{(1LjOE$MKenbIKY<7`>i z!>rMKfg3G8TbhP6hD%F5fezsV;Y}TPrAzw@vv2BWnRH}d>;^YDLjs3tb8zxNY9MpT z#vr~r>KBs+_Lz51NwENmvEvpA{1tb~i6+ytegLEd593Owz3e@(j|h0{D;IF$H^ z3J~RDuJ?wuI@aix5kGFev%?V_ef}D%L#G^W))!7rWY5|ceq)Xfys6C&Rb@=(kmOI8 ziN-ubL29JS-PS0R>luu?YVtB#JeFzjJY_-7RWa5snleUtb6nq|VX?_L5I1a*O%RV@Xm)lj zB=?EPLnA9ZSGy%M#{0riyJWNXdK87pZ5+yMA#l>B3n+bz8wURd%^h*GMI6DlxjY^f zZ&dyzRi#1_d2P&9zeTj__PEc+KY=LWDVxq5RwZ8~u#nYk^1ap}fwbmKrL%~R8~cHe z{hdmoatSNt4dG_0&&FMOEdcF4%*U=w0ZhOTxaCOZ8157ykj}oIG@Yy=7q2TT-i#7t)!f)7wR?JIki(^`F%lAUGP?1&_KH`d`8u5f62_8wq}G8x-Vu=S z^%!1T^|IPTM_M5u8J|bQ?73mq8D0umDfQWk-mAQ1xTYmCz^w=hmh2fk`uuL98|I=- zn&$R?6>)*%U@#{3!ZkO6h6)Z&m4{pZYAio*uHap{bML%pKOnH~bPqsSOfb9qS+(Vq z=4j`!Gl&i(hkJ>5uoTZtY9!D1gt)AtwYs?-nWwY4Mx4p%;-YV!yW00F;%>5pcyb{w z%hH#hcCG;#MT*n$p?KrLQ=!sBDkU;XKsfk=H;Oy6AcKPSDt+rRhyQSN?|X%8JpCjk zK?1ut7*b?g11anM+JuocG)Y^fj#}udyXjJ=IMWY-aU-OS67JlJL%Qv~E79oLh7Z5M zh^7EPAPv8s@B=aJd`-Z5sdCp6r^sN?%IVQ|+Egh^(y~rz$0GQ<6bnV7M#;PJL+4$gyckgRN+)7doEi&oKj_Y_R&O9n?!cSFy5~8vuvD>gA97(utKRaSEmbBj+B8eiiS1Ze=hL+Lw#4b#Csn4bQqv@1i!14` zW(tXZ<%7)t3kHDI@vyrTMa53Ld`fYQ=ED^uT0~xzxluA~ChIv7c)va_z4iX>Mp(Id zekkdYcS`}LitnM z9+k73Bmt|Ky}o2Pu{l(QxNcvtNPJpXJYXfGgNI@HB_q;nhc--RTo{IWJnjar%06Hc=pTsjKT zm*LlFCU-{SQ-xH!v`2Fs-ng@mc#N5nQs{0-;yCb{1cV+Nc4xO(Z=X#^@8#G`$8^aw zP|7-%*)O7H)lXMgu^Z$0k||cLtVJ9wpa_pqJn^!_b7y!!b1p7)L|mdLCk%#1G)n?_|^F>|%IUf9x_JXl(} zC^jW~GM7UY1-OWUu6GFXbmr@m&yG`AqZ#(}{v~B^fTRKIOrFH|7qH@AseOBSwBLr! zOSiAD$*|Jo0OvTFH5dHst&_TZWJ2u&t}ZR6!z#>`(Ht!ZdeO^Rvh^LWt?pBh9%M4h zZF6>hf?3_OyF68omKh(9BDsVgFDO|6U{RCiB$fRs!}HZ`RRHTxd%GQ@IKujGZDlk` z39`%*vxXqQyqi(SyFlMiaC+x6G{IM$bb3Oj&~MTkUx6-D9b`@;=7CUe7ULOqLRN&% z&g_V{uh}Fxh`K_N4Iu*0BaSX$B+$xHvf#Ggw;{UC^c8God#tq9<2jn@M-L^?&4Y2d z=>Ya&5>lo@7>P+Xy+YfI^mXa3a0}tV-QF0jLdLV}j=EDz7}`g~{$*E|UK7(QNSk z->a(~L`Rc_hV@X)2pu;_Cbum&jSS#1%pN25vKN>t#E43Fd2OrYlB|Axm6~Pp?tkaT zj`zcQo;eSNK-9dY1U7y6L?#`p9jx zS3j=GhW|NG{)`o`B3?fkcCv8;(djrX;z`J}6FtECwnEQED^4cq$I*kYlzl)niItr7 zstbU@)c#B6rp1W0lDWQ65}w=v%BR-4hiS3larda zDkh_In6ZR+qEUoyaiZCk0c)aYn7ZC)A0-*wE6o%=Who~!I%L@ipF>AQjYn|8m$-a~ zcdBo>jcesZ-MB%bxVrDM<9qg%9=ud%|Lu$bS-9%FL3O0_Nf{# z5rPnU9c)SN?Lbh*tWD91aBvB77pMJ5y@(XP?{dcc+=F^lvnT38REezid`PQ0k0$j) z)bk=-)=jG5)}F*YQU0k`Ej~Ry32`A}+KCGqs}s-bkO00QKM$OMbVJh`F{$X?rhST= zPMflsWt=8A47pzZje>Qgyz0VGY16RS2?38e%OoeAuJMf!+r~xN9@7ujj_M;EVn&(b z;=TRjm{OuJKG{9;jf>a|ZTso-@9qtfrtrE3T8gOFExI}I;wqU~KT2XFKODd|(%vU; z;K3w{1_XMK#V>$Z!~(b27y zA+@|O6YComH>51Pm%?hd?vRARd=uXNS1Tv!{o7Rf<(B+@(q+p?peH9A8%v%2+B8r+ zCFX|3>qS5sh=IMP5-gA}mE{;1QLvxC?Q2SOc9SRb<(j^GPn7}l$~8#z1jT3?T!Zdd zNk)ImkQB~4aHH`cTh{RwnNTCBg$WT>n!H(J$J-yc(Ra!WNmS}P2057@t#%@~?zTwq z>2zm1xinABzsCOX)uf+@u`MY|S~s_ophiY^Qrp(+rOaJlHwjeEHkvL@%$eSW*C}bw z-ul$oVwsYs_mPSV36@7PiDQ3oeYuEgEu)i@h*znkS2=TSIZuDyn*p(mF<>n&)GF%E zXP|!h?tzntwsENc%2(>Mn?(BSW@ZD-VVWk!=0#nw*)#G=pj)Mj>=7-)03;<{Y4V|` zI>$W00iDKaPg(MY`HID@n-mI{&Hl_(&@;YT-4@ixE?xFSXv0r5hwn=tO%$9O)N-NQ zCTl{YKJWjgUVuhYFzo>&CPT{-hKO~-8h2b1k`)BEeS}POF}()uaXZ#`dc{moh}sar zSE!`Mn}G}?#jW$?k?3sJ;K)SK8|;zGD2I(8 zf==21p-6!~F-i%4x?M<&d&%~Y%|J0MZ6YoDjC>3#zg0Do4QTn7N%T~+>$Yq&*Ef2F(6;p*A z-;cy*);BWNA2Ww(ZwG^7mj~so`v_Z~^hl^LFU@D8uZie5!VtYLqk~iJ7ZdjvOVq3b zN;JFs@ANDE)*Q1T$i$SWg#0>*>7)}$5lV@!*@O01ow{H>LUv95NSuJ3>gybZRa5C= zyl?WE0?~27odakUxs$DUmHeL(8Z_gFL;92_5YKQgDY9|P4I}9-*yDx6Y^h4t* z-rEQ@iO6Y$AIW@hfpXCmUnIH)RuDWru%LE?dzTbA-X4Kqu5aZL?6T`s zrr3H`_U7#p!6)^20a(yk@;SCeCx}opZ@+WLCG+Je=pFb*uGP!r>B%`WN-OdGNaY~h z;(3w+&Yjx1r_i{evF9)xPsZzQAriO1t~S_EX>xwm)7xtz1uec)~eoi%y#&=4UxzXC#jjLE{@|MTK>wMv++bMe5xGkT2tA6wNN(WZ; zVb2Z5v-u}(_wjOnL9TT&SkZFD_f-g|7q@33KuF1>*5`M&8;S&%j{Auyxy;_1q7AS+WIL7B=$ zg`ufa@p+C#D+~v5T$8sVazX5D&3D^@lO9*guvrFJ>0Kv@G;1vQFH2(D(N098;Hj*I zAZdIW&!O}M-)t`jcAl2D7y22(f!rvrcSAH%**(VA37S(`EJJ~}CAE`#b2UiTakd5{ zVt5I4ws74wbtYhAa-jg{4r(U9tq1yY_hlE06AJbgiZJcvo^$2J+L*IyqlX1LR&1uk z*?QrfJuz&)96Is37htb-zlFv`I@&>8`BfI1r+V8!dT$$9#b(o2GZp_vnRg&!Z-V@z z`lrkN=`_7s@genl4EJmLu4U1Ff3zl3fFmH;xh!iz==F+f*}=-8{%W52SKOKKDjpTE zj?}srHki$4S|Q(NJdfnaEPk!;S}VqUI{w&^(1QmE4=UN2%-n%(mLCdEv}do<>$N-d z^~wQ-Mt{WtN7(~j+DAxdIX&!f(vk6p0CD8IvxW3K()gQEPesMpcWI_wC1D&`D zPvkrZ!XTZ5TdH#o)}{k{^D4d`vji|-X`IS`BYoho&erQCHfdYwqTBh!>QRE7-^M>e zSI40?chbRo`v7#Ypi^(24P^Iy7;BcJ!!P-GK0)O+#6NP%A2vqehgyFvc72ivdNO_N zVbp8_u&LK(&M%Uyad~4L|P)aI3Mml$7Z|aIo#9Th`D;}1qGBIRwk1k4l0-{ zMk+(EG2E&o2-RYZkbiro9WN3}u##HfEnVex!%)0X_j={W%5K{^J`dn1nlc{SW8E76 zj~MZB7J3LCWO?sf$FN)TDV5iTXbP+86-QQ{Ob2jRRepw6w8ZI^Bh)YWnlm${)G_g@ zj*d5$DKIZwq(73l;e6ehVn)(TWL|z~<$umO){40K&Q(Ag+f|}1d`?G4?M^dcE%LtH zZR9BusCCNqJ>R;sF$Q4JrMFmsg*l6yQ8oj!6U&YvDp3}&Tg_0YFYVOym->5{Be%s`gE9dx;ar&7A6 z^9wzx{@pryI0Tra-0VRb(Lw4S=}z6B9$32_TY}w4ecUPYQz#T~Kpcy!Ip0_;3DhB_Bk-f{z6=w0N$k^$0NgPXixy_R;1DQ)G% zm2bc(%C=zQn7sRt)p>h&>F6ODlV=8p_565%Ye*AMxxP&o98cqKJ9fHohv1j1an`27 z(ss^a)l;VH{cvSHMePoDDS>h>)e_O)2}&k`%S~n=yjIST+UX24p^l@|YutE=*BMRP z=4#XI@$GYvl(^?jV6fyh_AtO+Go>DYb;+9j#pQj+jxi9=UXp938NRjPFR2L^oGW}c zp~zU;Z82uIruQC$I)-%^E*J^nv*k|E=yKUm*v{8rxSgpxo@V*%g{Q6Q&}2_&Upi^eUa3pu059cAn|GWS`Re|EJqgT zpoDUs6nJvZ3+R=pv?!Hfs}>14^H)?sZX#P$hoV z@OaUq#FA5 zU{?)e117q$WMDD4OBSY(V+Zejw0pblu^MpV1kNfA3ly0TqKtbOmn?39>_ZlV^F^pJ zMe0FOtk|%(p-e>$TmjZh-MfW`)DHH`_q6a!I}29?WY) z$tYY5iN-M4))8g0UeU9~#G<)I*E98+3Dsxwpru`&jz?SmA6Z)iYoZ^J`MYIvd(q;pIHNPNh|oh>#y3rg!tYHrAkTeFfopU0l_aK`DpuQirY1w} z_?*&$?KjYoXvPrBQG#yo%>ovm);*Jo?K7gbt1qJwMlM9@gjnlt$TC$1>JFq+u+^W%v2J3-TvuQg^{ zwpA*&Pv?%oaqO-97zSiLAM~i}5Y!#1^JR3%xYcB~eqnstj=g)$O>&EAOdlZMtjSe8 z9pn=K$tRW~h{idpP<4T0);m+;^&g+U^95@2#SN<5U}|t4o+TYe01v59G=M}$$v03 z=r9m2?4>RC!W8=%(>P+?KXX)q;9o#!wE+%0U%V@ybA3DMPM3K8BNsU|#yBT`^U@@m z?w@$f(~5oMNva@_k+1jU4#F6&-?q^xOhjaDJ0^G- zbg;I4#Yj6z2H%UIY)17P-#YbxU?DNYK-`oR&+;nwa=*Qc7KvxBWc3mX=5yrkC%Uf( zEym7+SCMPRYU*@Nv47GEe?KhaBfLRDjh~25Nh(4(GI9Ye9m29*7;Z^iObmL|hmF&# zDSh*cF*BiglS@q$5M(&;O30cZ8umnm4+=F+xKaBW+i7tykKBszM z>!he>X!soH^T&Cy z5Y%|6Jlwy8&wHPI)V@DenU*)diT&Sy>=6GA3Pl*j*#G;ckit6*($4?0GizNxh-@7$ zgfe9@-^mvG{Zgd(9uGpZx-jN%R6;7$M3kT3(w-qt0(kL$w#NWMyl<& z|NH!x_hY8hIk`EjtJ-`T(hw>O$&F21t_^r{= zlQuow@bmq2^kSK9MU2;7&P`tPGwP?Zcp2@D`4`o*oYn*aNq>2Ne}95c$499xyeS|c zr@Q~pmj8LqlA_OBa5OzIEQ;T=bmfA`-JT6zybck%Y^r2c!6m-r)) zQ-;+S{XZ5d{C}&fcC3i`IeC#OQ31;NgJF#rN#@k(@Wpg=woY~exs@)NS2JccU0pp< zNpayF8L+;40Cb}`lBV81FPQ+g!7rHtx$O|3h|rACllrCdZx#f8CvMQKr7Vs~zLGn$$f`B~NFZ5kn=s+yW%ZI#8H zMEjicr5oSb+1aiGw}+>PY{G*$h0e4p{BL+w4cd+j5l_rdVUpR#&Q5@;O-)BNoh5vt zr<-!^;3(X-nlryHxz6|W?3z7{b|CHrI!j-#ysoCZUtILZg}1o`(qBeUNdtkeIeDqs zFKFCDupVMPooKXv-bj9x=op#7)xbNzFEJ7gNZOrKZRX{(zvQ+%$D-85#|aM&%~2gE zVK~mRBmdhN`V9Y|pq)FjPaT{+iL;{{4&!&|(=%su#|~^A$_K|QbMx{dOO-cvSAS;D zMn<=(`edx?O2mG8)?=Vn`Fmf3k0v@qX@^^DaUs*x&G8WEI0!czRI z633>O9j1y!{maS&AXaMeaVuXdjU2IPa&kPot7p5PV>LIA-xGU8wkSyEOBZMuBP1|y zLb$gJs2S1;(&GQJrJNqkn4)oRr}bygeU?5z_Ko0&#Rnd+OjD7P68KMipc(8P<(V<9 zQGGnvrb|`!70vG*7{J}qKPG0Of1StisoZ4=c~tRyiBC0qI%_hCiP>W8Z19Y)c;4%+ zBqd6*Lt$4Q)!vNtyDJ@&T`QZ-hH(RWaPPoU&l;ML~oh6G%ipAHL=biY)ga$JJ z^0jh-rH5Lj2`2bDPAyz2ytO;#46ULV?C<&p%wVI{UK|PZ4ZpId{Hgitb&JMS&xD|l zV4*;ATs!3?rEJBrOH!-+Wu&MKUI2(ROSO5OCE)r*e03e;?MQ-&I-cu%QdkU?Qp#NY zTX}i;z4;oUxPxQ07q~Xs+*`jng}4bl7M7lxft4GW88U`UACon!Ry~Pk} zM+gQ)R-A?ouV>zvS<*hidI-00G;6cy%*UBI-QYVx_0n8N2nyV>5e@ zaJppFm5brIhd~p;GTTg0*Onxl-7-F++Xpyu^9{~etoD?AG@Ehpzb;8i8u8v6aGbH6 zw^A>vSD6iup}*Tru3!KDV${?e;2dfcsRF<2_M4v(MWbM*x;z*6z*A z_;4X#+ec?f2Y2l~4Bkn=%8*#;2xV91d+h1G)oGK6QvcjwXZV$fI&`Pi^$8b_%B(pg zu6>s7LKGBJ|HUdmSPy6^wl_g8ODW9wYxLuSRBG>Htb|_XtliVTl02&fltgS-_Xxa} z882#~1hd}Bs&WqEh!a;`Ose17&W(Bu%irUK;)4$ll7Sed33#7qOcdQ{siyqdX!YA%Ycd#3O`b6}v7ARBI?)ZX` zm2tCk;?{YlKyAK&3a3eCLX4I)CxbckcM9@}yzZ}wMiZlQEoUs2g4@ba!uH!9=2T=f zPt}Yp9yhG8XDS`86_<*pIz~VDJ~Mb5?+=NaSf}cZ%n*GdSe1FApsRPYK-!sTb}5NL z@J`_p3zo#lyDsj{Bfl8GSI$nU!w8IcYR|AmtAAR2UF+c)CT*E4$Jg%DKoh}is;5Jk zCem_{-HMN3pKW!7`*_-IJcsF>D53NV)o%Yi)fV@MxjMokikq#!KH zAvEn(?a~ayGDx1ZzMJ=DeNU@Wbp$je^}anK+hxyD5(t6~D_c@(ViO+y_8I;^nW?=lYp+|6ls zJFv;eFOXIIwx?QmCWRS-eASwJ+C(<=WHDa!qZ861azwnSyNqeDs1)z#ta#)h75W}QUjY}zfbB|tqYW6 z>8r=+u1_$)rSOiic6w~zVvc%tZ553U{s6}i7?2k@Y@?ozu!sMec7_M25 zc<^T<*kZM24pMsC*bJNKb%M&BuLN@aQW3=7s~Ns02wutAc_f-^HefEjRwg6QT|G3B z?9HP~s5*Fc30n@mv@$>T_IRcuI~=HUc<#RiBC5;cP`rdXsrUF?hi2QsqlANh;1hZgu4*lBaUjo7RC90v~ZHdN8&z^%a>K7LA` z=Wd{}qBEMj4%4FmyT0L(Z9RccQhB;Ta^-Ghv+gS%MiC7NdoZ8gBO@oTFy6ATa$_@4 zK7n~DON4j89yy*c3oziW!|zU7CYo$DRB<|5^bg~Ym22Tv$XwJ^hv{OpRAG#4_!aS+ z1xODcmHSdTt(@ zqeIgLq-3$6&?;Kq4?{zlCFABFu$i9GFo)6ua-jqnJO-1}CvmhFedN*!Grrma6n@Se zRNpF>3Jt0dB-S3QU_KjT6AH)=6JHi6q_wrGgBC)bX$h8o8Mfzb`Cpk>?eTFl{3LszP%IsCFc%S3sLh;*V)_`&?OWWIqLqe zCbNgGxRJIFt~106-v=BA86Pb1zud*?^BPU=XmDL`!S#d@_Dd>Nf&CIvZ)o5^^Kwz1 ze`QGUQ39m_KwtJ$6m{oKkaids?qTou*I~DwHy%#C%EaZP54vMxg|7BSR`Zfn`Q9sJ zv5p3uZ1g|4Af9ijsiO%0QCm_7F}QOAZ1ZMalX( z7Q)<}7<%coQ?-?1suGWPSI3M`gAdEu{VdWCwa!xo$RP0Y6Eg+v*#nF^iu?1pI=3xQ z0@v!3y&0Wn4Y$MgLMJjvZO%XKUndInhuYtO%0DM}%rPk>yywJHiT&OdZf&IVlTu$D z-FQ6;jW&TDdjnlZN)#6+772$bz6v$qAzINs!IXM*g>trX`#TdN2ie|0ghRr^8y+mD zoX`2DDV)u(HFAAKvbnR1*n)^pFod$JyGJC%?Jkwnow2(|e4F-WYhz6f=1334)MdE( z;?qYt!d@BYP-K=@Qm$QE1snzKTu}M}v$L7r2m1SO?A)AK%U9;pLdqQJ%J@GEM}ZDh zNFw&Q3E92-E}|r@Z^_d8^lZkn`OrLso&5VX!GnCABc;6c^N5lmx$@V&jx8eoo$P2g zcIksoYq8q1hcH#-<0Xlb?W41EdWrOKB%GOSmS2@ME-l3zu(j5i(rpcwZVcZ>hMSnY z2bGtqAxTeTM4x#+7lxtCM$%TnN+ZvfXB8lyxs0QQOR`8r>n`#01G0E;=FRYtXl>%ai%;VoD5tUSm}>_vG=a+3{8( zmd;Y`kF2}6^sxt%<<-I6y@Cl`#cc41hc6byvv3)1wqhe`d@?CQhIv=Ty~ZK@f;h6i z10n>F&!DzR*ZAV%i>jid+A^V1|U$Twri;7?;cs$I)sgX@Zk zN|Kzjo-$Ak-llKdmmK)1E9t57p%_^|`5qtPMtyMe8Eu2pn_b{S+?xxn4CBwSPriY} zUm&QPRX;Pc<>A+<^IuE%5RDwupGO9bE&#|80Yw@341X@O{9Ji!_X*M1I?2zJjD;>z zBeNpUu;$njhwALn@fs>FTwAe3b%FJSnUp-PT=>)RfvCeSot^^gr_c@Ko)<;-7<%ou z8=qEVCF9?Ph*M;IRSSM_%@PXz+Rnw-qUEGM~XcrBjFR6_cVJv8Hpa zYu*k;#6y8=vP)`^oI#6DF|w;*Rc}>{Ze3nndrpu8ZrIB3NRjZ8M0L~5FnQ=QD11Ur z;X<7jLIJycXp)YW7Pg@F0w+afs$CY$R+3G_0jV>7N#^kJ!2dpAJMcW zVP(ZHwix$M2M(@KQ#iR}`AUP1G&sb+jIR^D{}xzf8yw)nQ)m6Nv^?LhjR%N&cAI!V z?n_6^{I;cqvh;c;hqCuWv{g`BAgP-pbscFGmE2TF*Dg;=gUy?^4_j1Q8}0s*98^lB z_(74xnk}{nc*Zi+%AW#LW1+?6Iy9Rxq+;WXfVrcq>j11jsQ5fV5szhp@q9`7=5 zv^PhQA795}<1k5LrKXf&Rik&fSm9sC6Om!G*SnH)Q%wQA#tA8=GBI+I|C)5R-$Aza zjy$u%*~8O3@T>iSS;+7&Zrr#mn10BMRBs_HnYmpJEk+S`jXQswt?0?UF4f|dQPre= zojZVb3MHy)|BIf>QyUJ%MMt}X^;cT3GDu5J8na}3UdGlE0T7I(+eH$Lu=D8#` zeP0QU<6kwOON;=rKM)6Jq~tgbQYQahdX|>Z(X5hS@RU%nhzr5afBb$|-O{L!TBBHHaO8)nfVgvOb)i52O?`90EW{Tm| zsYq?9bUr0L|7#)!=c+gw_atUqF;r`4=;Y4wSfvq|lYFXleEn7dga41Zw+yRl>)wZz zR8r{%>F(~3P5}Yw?(RmUySp2tyK_^U?(Xi8?suc-JjdV1|Ht>b{NiG+xz?U@tTFF# zkJ2Xwk%;UZz{44L9*#du2toU6B@|ZO?iYMFr?N@Wr#Lm`EXnR`Og+oxtPiQ-l0}l#bQ+^n35 zg|=7K*H^PFb4u#8SS7R|33uFjGv_$yD>7SBq*c(f$;LW9yN)L&Vx&X2bO6Ucs;Q|B z@ou1*yof{RMR}pnKg;R0+}K%*z1!I_%oUH5SSfxfB!&J%TewSu1%a|U#eS;PQe>Ji zbHZV?k=7HlplvEFf%uR%F%t=M^AZy_)javE$wRHxh?{Bi_WO_hw=Z5dt0F_AE=!Ai zj!*55?Uy#^O z;}gHOcGmD9+U=#kI?;>gh8-e%aK6cvP$`vwoW3fun;c^=gYTxL2L9>OIy(nfTbr4H zit#(uv`=MT=NS)-D_U1u^M{XeRc{8Ad8S3|Hd^pWLbg3UPRQUlkYzX@b~8{YRbyj} zXutea(UeJVkqMfBWC&@WseYL4puyfhD&<>02=bEXzkr6ISn5yjJ#o-mr^~QCuj9*; zK<#{FTCt#G<&G>KtwjNXO2`y@E)OTN_W%wX z3QZp-&IpG)*X&I^_oxg-jOz2$2+h{k@a*469+UKp-wZ!q`uscqZ}S+CA#RDc+Dj7B z#Y~ZY?$FHC7m;rs6TUSXjkay{4v^rrDs&JXSK;ay)<{N#IniPd)@Q7J>Q57Ew)7?i zBK=%8pjFeVNd9p$3xcPuBN~|!ik0FnqL0)MToCUW7_4A=&q{I8#Dz$QwpDfqN&yYwoa1pBR{*_NDtxQKu&~-We&)~wiewr1~KjV}*9GfM+CsNdx%`+i6!YLS0~V z0ee_6%4Ww*m`XFJ-Q$))D${O(Md=Tz%QT1)j=k|53S`kyqgX4il4qn2G${<3G)p0| zO>M{n^80Yj?ufhP2KyV1ykeGYT}x=RvZt8vQp)qia_q*v8zi*=#Tt|O4`hc8JPQhL zv(?TwBtNIE1oD;nSq=Fo>!xcVJkJ4&?%hBbL|-8= zwVGVoG^e>S;1p);r=Vv% z-W5RlDHQz+)PmCizpEQbbG_x(Kn?+pf>EBvqzP5EM5*L!Qa-6hHjw*WiAujF(T&U#fe8vs9JLyt=Kw2<&V4 z3GR%Sm7|vso?FePcN!n2?up?mluTV?Chv15x_dh*>$h4f>03mzKhw%XVX-l@98(Os zX@Gw^`vgNVYe>r}6+wEi%5mB?J)qcnFg9f7%4=h41U{EaA;Ekk9%rE{{D_Z*Fh*#J zC0hu;`h1LKitgzwVr;TS8k>>QN5z5g`*m#_*>w-kOh!beQklxm={Z32BAULGwW;BNi z;huvyGiMwmKZS)DxXB-GE_QT!NUNO(6S7o;l8WMh7aq{v~~5m$Q71vnhrwvy;SCuxW?lLVU6nrkwq zl}vM5n+>WTN!I6ztlJM^FopYrL)lmWs3(;7#L{cf;BXrw*K=GiW`~C$H#Y$ldg>S_ z$1Hf|Q2;SvdXIvqflzM;Ohy|-z>%waK%Z%C~SCjp$mV ztV`^6D2wL8(gN185p;YHaC-N*=k~Z;em<;$&zejaEQ9C?w-)2lu!eFC-w?ZGtaM*E zyg0890ZH(7{g(>Ztiu^Ub_wYGL(>L7XCS~`YxgPd2KKm2%L^2C1GsU%-HnkoA6j8C^J{<2ty$;(W)g-Lzf~@ z*dB4um`;+0C5>rRB?CjGBb&%U2$RS)irlqsLc|vMS;!T-`kWZ0QQX?LvQdOwv~+BQ zldfen)jKGKGZ);qdtJ>%z!HaZYRAk-get<=U&@zv$( zE1|Q}C5p@>Yq+>r^X^kQ63X7+;>vq46L}=i>l-_v4JC`#G-87{O&M%8K-ya<_=_Kw zF^pG}M9@9iB>bYIQi;lXKUUBA(Lew<1bC6ZLR6`|`v+-?n zMq>-MCI4xF{d9!8xgmn+6J|e#GlauPvLZ#Kw+}X2*2q`vX&_6(?6G*KVth#oPY@W5 zCuxG+5}vvKmd8vH5~H&hCVd-cvu(Yn)H%GOQt#{-%{z>n;IU;yQpD~f z)CYZSS~Xt`H-DX`G#;w_xNkh#wi^^|#W2}oQiAOslV=XgDZQgcB+r95}U zaLraoyx>~a*$D8GotEO1DkQ=N9BZw~;00A_YjU!G_f*Q^mKT ziKyuQr>T4c<$Yy376v`XYV{aAh7g-%!}>>O0_5WiD@NQJBJe#N&$GP|boguP_DW!~ z$N8W4&3(C0*Zc2TE-@zpC~`zL_6^_wc8PnF=ioZd4EOF1A~0?%iCe8iYg2+Op|+G zL?t|_#;7~R-qH%46L_h&6)YKgq;cZ_95|#u@=9|d3u{NBlU^&GENRFlaN2qw&aJR! zYUVGK)5R)j1N4&z($pb!YXBGuA;DPZG{1J9NaP8Rf;pQn)3yO9K2;Y zRMx$-iZE6fxpPSR+|kPS&2B!lWt@!ta*kiZ%&w;Q*^pe&=aKUoB*hwekGE;7fOB#u z)%d%Ut49lU`Xp|LW?R!^FjM<|Kv@z|;hYIZk_NSlvm-uNdcmisYVd~HLxE03rIHj> ze1DA<-*pP?GNu+ai_0$pmpJX|LCaM1o}%s;p7u$=fX%M6DrCxg7AjGxekOlfUa1TT z6Dcl0KK)TbG=hOVgVVTaHp&djLl#(E`{<9+%z3yZ_77@8#6GP%4DQ)vGw1DTE?jUo zSoQuUM9n&QxSz|#)e<=~u>eN+diF0(B^q_1ivp&$+f;%+rUrpti=c{!vC=nZC#o?a zZc5dUv3&b!r3~>jJ#z+GR;W&sBi5KHhmWo-(NouGd$pD1>UNXWN|tCP3qf67KgNu1 ziY6T2Kq~x9Y<7mH%)?zxppb<`gl)Q`CJ|-Tb4l<o{lI`EGCf=p{e3!)A{Eu zpBkE79NpO~0i&mw->O=)s#~^dtaSh z!VS)1$IAf~w2W_7QAI0iYBIHavWFI2-ts6p*Od(wek8)!V@d4P3o}4U!`NuOq+Kv^6in1+{lfr>JAm(n!%-C!(3S(2&!rS>tRA*5_t=xFwah(~{TE+uH0eE;km!{Sr}4 zB+jYBsqy%J1gEvyI8|<~`9osBOo@8fvJ`n9pyB)XF;2O?8xZ3YDQV~~Y<~|ZH}&7_ zs)(*qQg(@MB6MgU{VszYBBK)&=kh4~2?WG?>09icQMeBr@~yGB;-$|?tR~-DU!ya- zV9QaaFopDnW!lc_=sPMgS{+#rIAQeT7aJwDMDpyhD}!C-(kcc$vPP`H0{B#xw`>kIijrm6ak3s%I(pay3~UX~YEvji1g9bu%FQR>UI+Hj+~fC7jh~xN zuITNpVn(jASODu1P4D}82L+6>m=g{o_&ejTE8wj%VZGWT<1CZnUw-oB@ubc*X%iMv zIp%6(F_oC(ju+{v(CbmwF4P*XJZgkqodhF+e;lu5pPSE|G-Y7&(pY{3IZX%W|FEK3 z>I7f9Dk`P2Z^lUU2V$W%@W&718wof{@sX0UxLIKG3oC+T6~$43HX2@EGlmzt|ed0*>9DFAo-dR?(yj#8U8V zbeso14>%l(_K#m3wUp*76pK(NHb)BxHR)VrC9l^z`D^*3=OP>Txt(iCkt)o+G@ zhAx9Q%OxRQeStkp5dI;CCXVH16yI=reQ`_bwBy*Q67Fa@SU9FnH-Uo zgsuiAbEVw(J=G0sUc1y6b?KzahUk`jL0#3dZk}2^u=N>Da?EKYM4}N!dvbJ>BWHzL zv<%s^DQW8(RE9P}n<6n29N!!mk~@bt9R0l-vvZZFrKD0Te++SOJG;K%)v7v?I4#^F z)??NTVKG4!r;<<{;B=O$jpx=YL<@c#W)e0G=HT{qhbK>?A@M{_q&1B|ER3!bya!(7_`vXUHBJo-!H8V+KqStdy& zO&s0f+##vkKY)Vb@GKBF0Sp*T3CZ^O19PgLWwT|IkKYImWTRtT&y1XH4hAIEUO?fd zOzU3%(vZTPze-D6|7aIJ-Y$-3SjMGmdb4u;zMP zLoP~b#87eSit%m9yzz=0WwZ^Kty9fu?J?vWc~BtmixpMA zl9^OBI}?GD=QvBd!?@TRtJr0*<&^)%0`z*ex?-;CK`}{EKmVfg z)EhpV8fH5`k%J6dfujm(u)$u{`l&LU;_$)iQ<_MarcQWIG46HyrFi*dw)|m5ZIBk< z3w?xXEf%cg;EUIyV2+*C(aV$P+0Uf8M2w-*60H~3t>c}SgP%cR!a8_29-;+I+J^ZZ zx4hwB4#m%vUTU#eIAc}55xet{+20M={G*;V3B-NZ=|&?Pc${sYm_fojoc(;+XrH>uBK-@CMy4DUCN6)l#Mb>|g4CK7Xg zoG^LK^4!;#U5f7xivM{4VdN61+$Y%$X6*Cdi5X{21iFJrB{%po?3)J`-Ml zhsMgHMbbY4?QOIF4ve-%2L;hC8Oh!M@vr`2f6ss*e+FNYjLhHhx?(4x^s?81&Cu{+`6{4`K$X3 zDAO?{B@Uy8J&Er}IPajv`MYTIYAAoU-+E-lyD3w63i&zhM^ORI*Xhn^-tS#ODOQ>? zW6>0;r+twie2&l8>IF3thzx~5B7qa_>qh#B8W!UNDrgL`u3v+fTMW7_<4cD&{RiY6 z!P4=K_=$Zc&2O}STz6-UuQx$M_^)Xjg)}za?H&}U|8|&0=Y41R01X)swJ`jR6*_tw zPND#`nr)7+rnKyn7HAeszem+GGc7(wUQmS!hp^4?v;~3v}1h)LStpme94M$#^ zlnYRW^Lm8<_?}oE!xPxPjLAAPkE!)iKGo$s+SL{zX=Q&+8LZG*uaU~s1lUC)Tnw&jN zC(K=t@aK)8% zJ<$1;nhO;e6O)ouWeAOlTQc4UF)mYeXus950%V&C#*A=#uH#c#$z0P%Wo(jBx}(h5 ziAClS>x9TIo_%?W2oouv#p#@binv(2dN&>sX>+)p`1qPqJPk_qx}%!HHkV~ka)hqbirYl;-Y z7^t-T)*I-wmRe(hW(d0Rlyr8aa9txCPXV6l3$1cpXI@Q1xeOm~>mYNbHWt&pFk3+h z5)){*KXfo2>5j8*eyNq+Qw=#%w3F@94qNnU&&c1+Lp~U6C3?h0SC%{1Q~ec&+#YXj#j3u?#-E zN>33#q2Ib!878YM7V{V8l2w22C+w=Dn&>-lY&-L9asQ&r}Jbx~v5Uh&S#lTvWB z3klHqs`93wj5k}o=+x!vawo8Z4CnR<1ucC4wn$LCWEkZ$1n)*KEO?Kt(a!TU6E|F_ zrw5%56E^e!3RR#CYUjD0*BLQAScJRZEw8L23Jgub3%m651_^x#{O;}iVEzMa-*WF9 z|4CP#*s=C``KRsQVFhPSAU$qi@v2n$Cw>cA1!GX|AR*6d1cdh}8G!*(#;AN5@$29W zwb$kA8YJeu`M%`}xRfc1U~8HO6(J_A|q3iLccnLJG{su$#vK%IibFmU_n2yMaVs$`V-TFC2?Ht5&h_Cj2`f>%~n ze(ot0J3gRp?pmFD9JB^~e$f%2V?u|>+lGypkP<3Q#;U2nYH83uVYU6vYEuil-H>}{ z+RJM%)fex^k?ZBuRqMj$MgNW^LStr;uYDHDGZ9o2fmjC~2Xr!^u zoc8y?esWOK2ZOd48taasAv?#Mj*d<`^*vSE-zekO>2rWf`~=TW zUGMPIN~aIr!65)TSI|I-ATNbqP5uqv_$@_}??K=>JTzFOcrwNDTg;+lIosL`V_;2@ zJZZ{@jHS@L_E)+5^Dk2IRXQKq-*pX7V>0D27KL8q+P4XhxkG8>3>iIdof0Y~Av<^W- z$RYOMsOaL?$+p^<%wYhWJQU{JLiRuh9m)3p5Ea3vSLl^V%msM=jng*tKm0`O^@LF}KjZar{cBB8UGqrdcQS6!EX7L=Rq}#+78WS) z%2_eJ{~G$6$;VeC{fPVM8wBgf&|M50-y1N!uba5Xl_bIgwU$27``OWWS$%4CI@`1} zwEVr(5O%NKjiG&6a!6!CCwp_FJKBnDDP}mFXa7JLbmwh1j~^1Yo6*3tN_a^TE?=Wo z(;T_KtcvewMVlDTv%bjRAdr{*b?I^jiEGwDt%6ca)UMZ}Cj8Hg(2Hg&$ZC0v7z#B% z!8NHQE0_E4PNbnonT3H0aahr3c6=Am@fXCF+9c&ISz?DZW7?#xe4D0Z1e0r+|MJo> zTj0N*S%7|~=^oC|iuJvde{7O#NTmwbYBefXTF1Yr4~l2tHXsTEl>DeeJ`{`L1x3HI zczZ0W+8XXFwY)tv4Zvzz45 zv-(g8?(SWd1d(CHNk?ECk8?>K-~+DIb=5G&c;1ZY@J>OzI0R4Q_nTmfjUMrAB@`Wi*q7m`1Qfv2}FROqdvOuS5`S8-@`W_CI? z(3Rdl4-HYko?YRJos}{TsoK3ULU;QisJl0n15GDewrg+?GesGlG})|NahDuzlU_O& zz^gy^18|FAZnjVu|0g0Aq+wt6@5Ac{%2y}VHAmCFX|~sT!m(&{VxSqyY zt$zr0a+287Qe33Mm`fQaG1Fmmr8J=Lq&K}_a0|8C}f|{7UiQ6YvpaUchFOE z7QENUXj^e2^GpoN4h%wB#^}Wq>h1Uy$3=uF<4-eq!gO_mIlA4%x%N*_{!)4aTi#MQ zM?%$a0l*W}!Hbl>q}mtA^xCDQs@V(%4N4}vCFX4E*vq3u^p|Qkc8uttvgr#F=Ox?B z|GpDcX^Hf75O33fog& zb%n%A8~Kczt~3Af<8RKK(e@*C`Hk-GH>^VF<^`_azI=H1tG??Q9<%FF9AQNkRBF(a zUyH@Fj*1#>v}qoQmi9HuA-p3-#=IUymY8z8-WX>KR*v2gX%4p=WzM3wy9d}g4yqH{ zO=XK{D&K?3C?#6jpECWpOk(OgzC2*z4y)2zNp!ru9WtC7E0a>G@HzOVm!*x2cbqJI za^DJ!nK@BYn`Hc7>k|+LuXxo@5g>5ppd6q)sET4bmYk+sQ-U)S&DE#Gv|AF5y*OK8 zI?K9L(zOXV^Hf(L2fcr^VXOsLics@Tg^?>hZGqK5W|OccQKFhk_G6&D_oy=Ixgj2? zfC_&sbn5{M$>rTwf9m^~eW8U!Q@=1e19y*$y1dB>ikU<}aRR+{EFyycUIRUM9eR5D zCdLjIjOd}V!x#+p(69=t2N>i4%BDTP1lG<>#l9|F#7KIV(bOAr-Zp*C&Jaq(Dp!sOVYP~N2oMwaHy)N(Mc9XS3h*gVxce-J5d<+skL6l=;H zdPQZVi)|AF1!|DSYXmoQK;R#qI#}a3X;UTUO!>&h1>hYlr@wI+K5N#w)sBVcIYjBn z4AN~FRry)BFOqKWc(mM*OpThXz+KFg6+z4BId3(WKR8+;Gd)(6v&ZC&rH~J2u-F3Z z)-UB>j>cQ!bxJ%ukOG}hfs1|hpuqXB3)csdZ;fd9B9euEn)_i+REpSYW&CZ#iz&V; z`wV#|a~uQnNc?KAdC3&ZG#i#==G8%3e|eMytc9AvLjQDd$p#HM_e*t z2dHwUia5N^k#3`cHiK(2wJ;==tjd|;F!~SAlT(FXaIs;*MXyh~D3ncL^c|lIZ3a94 zJC@H%U(fL88W0>6dMPqM5;uaFK>i!`_`X7+@6o>NzSOuJf1Uo(?XO}hOA{kTnVO+W z8l`wo_w;|_GZSC`UY;!_SWe~_=Fo+*P5$?^`V^pc7vPhm21r0#8p&6K{Lj()c`XML zgcBr_xWCqx%MrZ@a+bcK**)njlKj&b)-?3uPQWOFxJ}VW4FBq_eJ~_D$E)(qAy^wlEy{ zmoS31J5ug#m{NcQYDkU;jQrdJ@g*~8J&ReezeX;_bI-peQfheWW3e{_9T!N$-fg>8U~AfPSeM+kY#! zR*dY7i6YT7MS;vrTZAd|A?E+QR-`&aH2-g+rnM7PAPv;lAjkPC_k+*d4g3*MlB66Z z-(x01scM*#RmV~nm|b;*+d%(rV)xj0vO;PN@lEq5??FttzMl-49TNl5%0$l2H>^d= zJQb`l0TJ%u9Fb<=MWj~_pMX~<9j>uxabZ&ds zw|(`0%AUhX_zx`&L5#BIbEt4Hgh2W9={eiSYD6$j{A_tpv&%8EkJvGWt?g>|aG;Kb z(G^UesNWr}xk-~fr>4~&vw1neCCqlvABx9C=c1~qjN*o!*0l;;)8QxIuhJ)r(^Dr1 zdxx;rxrwea&$YRp{&rL3aDej_|6HB`>mZ>m76|bK^+*-Rl&;| z2vwUrX4q|h5POdR2}O&iKAK6gJJ;rl)QbJJ;O6n`+6xL3wy3S)pgznQrvseR>9T0v z*GP^OXqh@RjHxf&2=Y4Rq3cmz?@SmCNNVk16f(59&xr`Ap>E9QozJPiQ-5R1?&j}^ z3E)PA>m!kdV$2I_E=^-4{lSHZm!*&x)5C-9IJ2X*sG4y8*Cx7wiPuXBVh?wZx21AA zg)7cq=w`hK&?ySU9n?BouRD!sH3>hvuYSBgqLrvWy8MMDv3_aels5*snk$u~gL7-a zQ@3L!0e|TVB4RNyYNU=o}UL z2@gGO*5Fo!h96^JtPSy|bHp1;wEIi#FGoJy*KASC{g4S8oGkg~gjHh}!MX;OGAdf_ zu}^;Ou5EO?6BXxd0i!!u($=EUpyMu6=huj-fu+de|ymJd!l zTCX>FyS3vn3R>#B0^zWYBaQad30!v*RZ5ytY~~#GnCm$+@H>NDVb-#=u;bO(^!|sx z49Ye%Z{iB3M=w)KH}t$P5zXI0F47Fjl+Ag(m`%A|>lwvg05|y_hylJZV^MwgEMM6)I8#Fq@ zv#c8$yh-Rw^&9!7MqT!(+z=$zP4lHWyu=WT0|4 z3LcA8D&4_L7wfb2i#Akxtg3&et7qyaBt5q2VWLSmTb~d#%Pg;N`-I#UlnoSe)+t)C z`E|KeC-M3g%>D$b*Px|&)f5b0!alN=XPAsMvz7@&_#LV&wS62tX57@)GrWJ8Q-R#v z8P?BHR^VL8m~AOoV2xaPn$aCcj8?*! zr7V-ek~Mbi)@C^{*kV~2qV|R@-nV+ivQCax-yGAo7=uH%EJhV=>tms?X%6xms}ReC zUrQZMCgNxq$`LuKUen=r@>+0^Iy`@r_T`KFS#LPp=8^iskD&yqo}(M{sbr-poSN2# z1^6?v@A5JkI5i)0W`4f|ZeQMYc4q2$se1n1qWU3wtY@N1#-M5Rei+3cJCvtuBoD9w zu%=O!UF|w~UkV)8K?{S)`*gcb@v}aB6|+n=fdace2H1(zDkJGD5zrd1YySb z>qmRDi9pMXItBK$>H3F}$f*CJC3j>nage$>9VC{qN(mXhDeX5v?>UR}+E~m9H<34l zyT}GqocpRT1BEqoOi{&eR`l;yxdj5+^vD(4uo@W)wmPpuaGEazvyhGCSdAn^Zp=d{ z)gT9UrHAjgsZ3bhSyw5_CJYy}0B5A?_%8z387!B36RBg+yX?-R(c3Yeh9axITSuHe z2aOZ9hi8=c)Q$Y@GjZ&9eH66mk3NQ)$d!#v;cEMGFcW35fmf9T=ZYVYO<(HE4k;B{G1Fp=*U3<|= zEUj`^yO2SF=}FanvbMJ^e9#DGTU)_4)LaGm7R&hTtyWC&eyU>y@}^i0SmK8WrIq9U zj8^BQXjUqcSSc^hO7^SW%`#B`tG*Sf{~L%rkd664^YqPd&`9_suaWbVA=um;csyTn zm`oH1<9-ZW=|xRxZ#?%FK?N>1-<)}2iX_7&^&h0ar@CnPZZuZZ=&*@3Dx`bfpA-UD zgfsp#$N7@bzXVfVx{urA^381Mi3$b5Ru6L7vg`L!1*~6NBmQwo(H%yfDvgF6D-&~X z!JW#r)?E_)A0aRF-g$+4HKfDQ&JZyXDX>~MlnHK%Gfx0JKvwZ zwM?qgE|SX(d*8z+sB^Gt*RHnYiX%9}eP>-4xIVI}{mW2x6oCFk9~e1cf5O!M(2zU& zqqgw}nJ3~qg?+JviQokb(JHT5q!Na+?o$LOJg7)o1tnWhZ-*uYVQ1?%Y*s4*dX|!9 z>Wwy)FJm52F+)vp;eQ>;MjyqhK%BpU{py*pCH^9RyC2#4$z*cOBKk#t9@ykP>#e`A z{@#CB{j7~2=^fzZ5rQ+RLG~m4+3g6+h(>#WT5l=}-7W5U%0`AQ1IJ&D0NW(Ii8V;i zzXlIxwpqL_MXOHd8FM-g&eG1ZS`-xd*Rl}j2lWMPh&!Km=2ldFm!5l{s zt&VgU768z=RZRIMj9=~p+Wv%~gfcTC-uJkrzPnZHfyRG9Hpd?!QY-cde>=ePnV{$$ zIhj<)kQ@1Zr_fj!R-9rJ$-kDRx0Ncv`&e<1)swHhR?p}h26b^XFW2H8)O-3VH@KOu z<{!7~tHo8qk2HrF&lp7443T^FBFJxZMzHg>So^jTY+= ztQ`bjd*hRD;=QM(``0S)rlWhE4`i&~84&P@NxfyVvWi9S&B12D0%Z^c&Bv;P8n^v1 z64r=by@EuYTh%d!^QQWWPYR?pY?eP78{hqjIR{BCDD0g0ga7u7skphcm=kZz z_oM={f&Ixb>7?K`r_)jUuZ{mB%{z8c#J~)YKy2l%??7#IAiq5`S`w3h6kPJ|v$j>n zXHL@P|FHzlY6S0(K&HMgHLzTkztM!qa5y=uTp4lMKTK=&jlt)C1tjjbmBaC${*aN~LW5Y=yZFaj>rbmn_|LmcdB^au_u3Aq>_`ZI>e3Ru!sEpRtoz46NlN9|7x%q@2vDJt+ayh zaDra#AU&Ak7dPC^DtcN!)w9oqaC9f&?YKKrUx^>-2IFNbekap}MS){@&@Zj=xR_BBQG8~N-mXRj85$&qi3H2>7~{E zw2an~4__hM#+&ANXU2w60?%~zkSPjY?j=xkvs{CI&$!@VM+Wq`)i0C@6;c8YuQl7s z(K34N=l6!82fy~c?~#p!(Xj;!99z$mYTw<&&Tz9g`t+Nl0(XDvtt9j9&-@}AGn=cn z{B#)ZS7BYorUc_`V}j^GR_cX|R;$WV+Z>ib7CK;nhOJP ztMBN#jS1HrzK*k-cN7?W+y}3?4XoRe`*%raAfnAdvD(PMxytH_K#x$D{A^Ik)UjHD zq}dBQ#|LUdEs0^ma@TXOf;WChuzv9s7`WFn5?y+i?DLC>ZFnEig2Q}}cTTtX!F94e zeJ-w<&Q`+bqSz&CBn+ht;#;hR((y2H&!JR{3=;*sQj(Ry=LX{Fa zvc_^BB&gKXapXVX;P}eugcpY>ES04Th+50hWAU(aHfvkx_zRSO;#Lh1#Pw@zWvWAy zAnXzh4E_?+HTB%gl~s8IqK@eR?_u9}jsr0rq##rlJ|d&}s+M<<7)YQrVeG)22$r$N z+%j015&{HmtnCR|DRE%cxCjM9pX4?U4g}Rjm_Fd3_-g8ShvdLVQSu;Al&rRpU1A9m zO|f(2^OsM40Dbd#enlRVb|e^=zW%Qwe~1jNthnv-ng+tKE3&v$au8|I@FMA?*-4~{Kx2+N}huc7mt)Ii{XYhCt-#7 zX_)|DA#>HeiUqAn(p)OrGc2%E|p@kX* zb#-|pG`yggR+dB3o1Qu;zMp8)k|9m-7*)nRkdt%tZpKDO#qe1kcSl256UZSYtJRJV zB-d6cBV^A<7o{F_vFCpXP4}EXnAFUlNGN@>UX)H~`ShKo z)&;g8&=sy)fc4lKcCN?(S60g_3^z^Hhr9L`D!KMyVtc8FBKrKzhi;C~l^SN4irn-x zn@~EYd*X@QZq5~^2fDR;r#GPspD*lH<41<(-Yz>^rp1}lTCYvon4*7n)SuM9%AkRHx+t8=-^!SecWcBQc*spwxNy;^h~NS zJsZ(}E+BTJqzZqsiP{fQwzfE?w=^`Bd`adQ@4i*Yxs$uL(CF%UqQY$4fIyYp-rPEE zpETT4q(tvO>#WZbD9`pB?j2gKLRB7S@{dRxorgsSDi;z&(cx!T$w)@L1@s@A`ZrR3 z52op>e))>wc?c>qhBf-$Q(J5hf2_M#o4%US&sqAG=qKCW=!^z-MfKEVk$}ZL?VJ?e zY(03BH^&OkU0V)a-OUZX!cE#mBYR)o@jY>e*>WsvRvUk%D^jmUR=YOu z0Sa~w3$@cf)~m$BQA_5D0B$W-IdO(`J{NGtUa3k2UkrYGVkTpHm|-|Rxi(h{xSpK( z!hT$QFVC~tJVmAvB3?s#*jYa5wUcPzkZ)h!UF#v4WIGZhF1>8LR~z}dW@glx1G{+ZGEKxPyMILr*G?O=C!0fgm3V&W z89sb4B0Sp^da9m8{-UOMOz#8EWwg0mMGN0+k^R{f^2&6|=)Qb$o~a5x%kN=ry71jc zSy?%+F@$Tnn_SgxL+aJGkSWI<^VFq))=Cl;#>-=R_h8PI=6T+7wzxwlqv?E9efyfu z7od>(q+zbc)4^qOW3+D4@;kRXIHrdw98GReL$}5CZ&c`5aeQB~+-&w{Ihf181Vm9e zt*x61tt}JP;Jt7)qa(hoRZX`w2*#Dc&eyvrEm>L|NkR>=cW-%1t1yfNsHW#w2d(~6 zhF&QU9DHx(=)YNB7~vw|gO>hS<%xNnuL?F+M2NvY7Ndr!H8E_&$P(O?^6YtcHi9wW zGF~P)Gy61d_QPaWk1?bGG1K#+4RjaBh>}Ej$)$m;l(;*#+nL)+v?BbOk=#u7Wve5Y zvK>j&oG~8vIolJcdAv!8n~1V2OPTng_~9LIHBr>t*`jGZ-Ul}6%rAEXaGI?ty8Fi* zE&T!8vQ?Gt`f8V*h~%^8a1S@shL+{MTc?Z(!Hwoc3OS!*X3a?oicuGL5DYqB=9&j@ z$;)WJ172#$-*;*RH%n$UK-ItL3~A=-p|JE`>!g8@j{KmmR@2aoCN1`TZ{cC_edJht z8-El@>eCFP?TOv#5|5jm;Z7k>3OeE!2^B(o^-TEym!r#zNXDR>R5$~s-)O-5RG|ZA zfOut-1Mp%^7MUlddzQ?_ToU;pJ(>sn8V$B^QKMm<<}lezC2rP^#?qKj#Y)vz>ros) z^kYQ+ZWr@tkzM)j<&!eP8ml|(VSatCYry=G+F=$k{buttnH8HXm@>SI-3GQ)=@fmF%qM9pbC8-sQ>qMM(X%B-oH*nn?5 zl{vN}d^6GpC)-nx3j`d}y)V58X=E{fxpCFsYS6Hy4WUb`0_Av|`?E8!L8;mJY9g3$7l21h*MQez&7BR3;q=17R zOj9RSp=oxU3fY!kb&$7fg+3|GyG-|yL>GD_fc1I=1-CP_I$CU?&I_tkYCRP8uD)W? z>JKy)&yAfT9yolym=7^LB$PAxYQ;_F8Os@x`>NyhB6WNE4bN{J|39X#Ix6aJYriNd zCEXz1HFPT}E#2MS9V61+-O}CNQj$Y=Bi-H1H@^4k{nna4SgbSg+h^C==h@HpiryZq zZTOtYiils(`r{{}4c&8+JVon=os;MSyA|N-NK%1Fh$miO;5HmWvyq6up%9DDqj&4= zzRWuPV|#`kEo7 z7!8FS*7xl0=^l2gtCq6B0Hb4;ZPb6iFPOoX&v<|jmeP2VSTJJ_&@>Zi@D@uYuFiBu z!OsGFggUUP8BTO<{FD`VQjIJW4;@~}AImRCPnV_A4dAP`d~w!Pt>`6NAM0zHuN|~v zfg{qvn`(w0=%VQL;2SLzKJC-ysgLd4PTtIz2o(0Ht$r#+?qqAD-{!pR5i>DyFRFrT zjiyHf3z~^qH2izE>vp5ohoSE!xijY|Fuf-krg$T7qpBLjICP#Fzr5eJL4%N;nY-Ey z^GhD%%Iv6kf-j+JIy-Z@J&~Z|l;|dJdW)bOS0&N%#HzlBl+UW>4+D?{8A1Dj6@1^x1t$VD6D~(b=rmiMyvR&4n#tJmmeY-gmYUcJj+?W z+!}lDYI)0yHx%cUx~_@WNYUHiyC~d!iH3_r<&2L7$`<(U*2Y<%-uTU1lCY*`5*_>T z+oA{`M%NNEMO%Bo6>U0ej;kEmH)f^W3w0FR>m1Xa$5G9uz=Wh7x6%DbQ)?Hyb&7{a zOQbHJgtV7=j17UP>h8AkR3W0^H!hMkR}omtRa5P*wC}KngXJp1vBYbhh6D2Mg?#s@yG4!fuyx8a$2F?ul$*|*an* zveS8*G)wzjy4F+lN`}CrN)%1gx-19J%aMJk#m&Bj+rIKO)6WG0r zzhY7Jp49-JQ7d>)xiVAt6l?bFIC>#EP+AjdF_(|gHLe#VeJ+`XdTVe~OUtckd##90 zL7vyjKKMFVsLY&_#)A>0RQ^IyY7+Wg>S>WMBoRqVHAtFUut2U14T+F7;Qnzi;^un5 z>OvcRp+jy1qJ{!tH|O84%Mv%QO7JJ^JWsjkd!^x&b5pg*EnSGDZbij|knu+BneF0& zGxLW6M2@Q|dQ&d&=ltlIC@l^&zX}}Td zp@C!&+*6&crc;^=zWn;@s)J%MtLgsdAdp^P^Ei>kgw2NojKx~#L-;V4>klvS|G-wX z^rjHs@Kk#cji9XkI^XRtPn}8^$ko_CRt+;+Zg0Wr!tB*j)$d8^q$pX5PlHkFw5Xyz zL{qVH>9xC}v*uvAn*^nbBH24s_ zLg7-cf*#QU7ll^fly7_hpr~89Bsp?AxmG|o{wYC5O^~(H`O~RQ*;r;*#(ctuNk~QE zgS6CjE@+|7OX!n=Wmpo!7^-AuC=&8kU&Dv6oiWVJqI9HZhy4%9b^>HRx9ymq?30td z-5?kT$TeWt?nvK-h{TXeKCT}ZNIxVy)>)E>RV?u0iA0T7mw}m?WKDlQ7ZHpMV?T$v51#aLc4k52MVVw^dI^4_nbzNx6YLl;wBK~Ux zISz?J`A5!gr+OyfO(oIIk3CyLv8;iJn?0zDz;hOPy|kg&uJ;dhg$lmTgo{n->GHj_ z8kK~Qc|4ngWH4V+Wixng`OK=;$X#}|6Bsfu8l?Ig>IQ416T@c^);m3Hoc9JWPXYc? zix>_ETa>jXpn-7eCe{Jz(C~t!73-~^x$6kwVZM$5I~YP@;+JNUfs57~6PxjvjH)Rq zH!jUS2ka8^dg6NtDN`m=aowMSS+50WSK+E%U(gBlX0f|qn;q>LjeM$DOM%pilnzn8 zp5hxuwhUUM(J!z@Okdvj=86mx?8!XZ%Ml6;6r|rd$fbSz27?$&H(B=RSeGhY6n#1P zkWL|=9H`iTm8X=>?Rt+36NafmjDzd`g#KyC*jO&{pE|*a^(ejE`{)OFplkHWliZga zQ5Z$O^o0&5u1~S}Qi+VxVbCZ^5?SX@xxJ!?k;A=7jOYl{#-#E=zt;N$s3QLhaq~mP zs{UqtzdcMLSf5+_0>(*M>OwAk6KU~!2xrqCS+75_Qq6nu6M(+J<`62Y0rRbzPi zd5!=5ulVfw2vEXn`_I`7&cyFPq?enkjYC>&CcUu-g1e7K(uL(M<}DU)HKK_6_UrJK zR$H_A>3II4AiMW4?oA>603<_qUdBd!PL0+}eGPD=m~;xUaWDYzOQe}z>|S41WXd#F zk$zBLHs!mQ@ZjfA&k8cVOBrg?NI`gx_5H^R=!CXKMb8q zObRz8lmPnvRU{E83{>6cCQ9)W1*42Y0n^h_FS#rkW@Md40a4WU@GsbzP zq{=^k7XA+(|9hx1oa%3h1|@inj|yZ^uX$e&&kgDeqzsu9p?iDQMJ4~%ya_P>6((`T zEwZNcPY0QgT6I*V6|cD7FDzg`zcZ2F88-#qt6-2Oq1DcG(f(9EteM$$ z)7j5RCx>#c0-pao$$Ioxta2oS7ADKTd`Vq-XD7WgPd7xbaj5!G;C3>lSb@x$2`#@*ZFd2FLaN4ey9lE z#C|5Y>bm&G9<46J^#?VxKf-e)wA)?7F%RnEs7eq?fx3n#cEG7p-xfEak^$@8o)c;7 zWtSK@dH>LC3d$Y&mN*WV>j##gt%I7Fxz*N7FcX21F^$sR{X~aXnVl(dL)yg$zmRS> z3VoQN^ETBWS!kF*2g6nFIAs!X-a#7e45D@Cv5H=T{mygP&MQx?+3haD{sq={Z{a}v ziVJQ2=!}E7D-xwdd9*1=*?gzhO8J02e)XvE`;+LD@yq-WU#P*f&{YrJX6lNOd~n~V*Q?F( z6P=-W;~kpx*+5g3QZ{dsfABC~uB@upxpE#b#Fg5f{z1pJ+g`GVh9XFQzN1j$X-OT@ zA=o@#N*=&M+%Ug7^B;bX-M5iSfH!})*CZ^|YRT}{n@N#HD@|>PrPyWs8IUhD4!+>} z`EmtSpX!|wh~X7SrZ7r?2p&6y4B4#Da)AQlt*#~Chg-YZpRhl_tpgNxlo<-`B!8+W z;Yf<9OXoIyj@5*Tv%iQD5}_WYVvuxb93?33bFn^hQm=M^b8T{) zu$`g9pQ8mqfg_a<*@FfO*w`BEv;eKBMW#LMK&#|M-2P*SUiYnp$Xyru%`J0@h47E6 zo*u&Eyw?uQ{&aLPrIlkEn_a2Uu3$kb246y?E6i9y8qvZ2?DSkl*#ye-@>P*+#m<2=s0plqUCyrd~^Zi8=6!{?ZF+|TU( zWh+~`d_Dr7l7ZQg#mPFEx$G^9QTzw2lcfeK9Ycv{HP2WYE6%xlBGTXyX?`D+FBQ5z zLDx2eC7A^3b=x$W!J_PTt4V|w==NmY=@ZbY3#~oLSpsbv9T#r3%>f(WCm8M3<#_&U z!VylQ5AqsZnsW>&g`b~Q8BNYEMz|?KqRCMel85<5>7X}?n9s41BdV99`=95D1wLml z_)QeKrE(00dy!Hda@xoqvM9T%4O@IVY+fXv8 z?GDoFixs}X)R`)FxR@z&ny z`oxHSys3iGZpHaLu+ncaUC)W;HeP)yLsL<^i&jsw0 zb>D$G zq!&G|(QiYiCmN)^v~{&}MeclymG+9fnoea-7Xn;GB&toe#hpW^ri;Azww5j3J+BCz zuq(DS64K~y(v@=csj^o2qR&YD+S{vx+if#x5_v)$*ASoPCOwL&g;Y!Bz$gvo6OQa6 z%W9@4mD|R2>V8p?j38@HrwJhPksFB!4l`{9Up=+7qnX^9ru3H|-WltgW3xq`X$@!M zxe=_Om`=x;?6tRp@%#`3m+NWwB+)W$jCe5Ub{n&5E#Ubg8!%|bC-kf86F##-k%{h3ZmNycr*QwD$uDB$e1E#kg_s7a1Q|Fx76*JYgDb}{G~&+v8Xyk;GHH{^rm zti{-~i`D1iP%@fxR&oJVwt9K#+sZ7lT}zvv=}eR(Ns!{LIbcbKXP~fUa>)J|^pGi? z0$lPd={RED-_ukks!c)1!??Jd^ssbJ9gO0bh6mb5c?w`xd(0}oK0XbY9e#{}Nmrsy z#&FtY_*F9LS9qh%@44qp>#=r-^<@VX}R z!_)7MVh$+!&q3=tRA|mGG~{Z8WMnic7V*J`WuXriz@rf6)m^tPkmHX|{t7lB!)sk~X^Dm(xM(tCnvCkz2FTk>b4AL74$AZi zNiF29xr~#MaQGhMY9=;K~*Ljr34IFE5Y4X!4_PO z9O?6;hLF;LcDP>5C!+ND8LDrVvca|Epzs(B-)mj(EK1_Hq3-r+g{y@%b8awR0&R8I zapZY$E)?NP6oI8~{YHK`E!#o`L0YIwk(c?poB8a;>tQ?uP4DaN(Ac7iQv`EZ&6+$} zZ@APsO6cP~o1G>Ps0)$Id;4v4-3e<9W}B1h9m*uO4eDqzq(qKXb#U8^v9tzUyS0lc zPb@J_m$xnmLq;59wAzbkhH`c=+}E->otSER>Tq(3tU4^OGj>K$qM5#w;*5=OEU(bt9nCsN5XS4Z})Udi9 zpF2GPh|H}UlaQvpXgkyHxH{`|d|~D$sV_MQ9a?iAwuJu?@;WxYywCmhN(z&S&y_P- zt&uRE78CO0LDF*vn^}$Vd;Xqd>kYv-tI+2NYpv`c@^+e(IlL+aa@qw$mVRJ}1|xs7 zCFWqJrGc9})xdY6eQklRIHX|AQ^^tG#u?|MzGe?y;|RM#r!rONtlEJ74y_5FHQ1@* zv*~&lX2eAoTK{#*MgCftM*6@h=p5wbSghra+rP6lT2oR`L4*V2lO;dDV7;<4S+7l{OhtR zZI&k;h5?FQ+)|mkP7f|K@L{_{-{N=dHj=WL6gFq7bdrZg)Z*uE5ekOub3oTH%EO5% z#AEnVj>EjQqJ(*?GaU?Bw}{cqrvLRA7? z0&;ZL*k|23W}#%zSYZqK!J6wbyXB{0Yq$#5uSZedwG`>KCz z{odmlYHkd#o3ko*^a}hodZ&}(U6-)GV0h|$*PDjcQNy`oJY(tn!HQ2_Nw!NrBN?+8 zxX&Uaz*H+Qz1gqfa@%}BnvNs29~o7w9a^(}Jcpdfp5sOrWT@79YXu(5e(n_-(qZm3 zdhD;8>(sz3#GL8pk$X?)LB+IMQhmNIoyhOjul3OPHo1zKyfY;#>F$k|S$gYY@fQ*c z>~<4c)Bthl$z}^K{$wW75*yqbx>=*fGu1d=3l@ohFEy4Nt|=njHIG-O;0x z$LoY5B;M(}BJCQSC2uRzU2+DS4~%7@b+npt?4Kl+XI}h(%B-zPvY#7<$24jdqdAnG z-e+`T``{;=$|Mg^xSohyz2jMEH0I~i-8HZrbX0ae8de4OJ6EasqhR2~vbDTr6Gtu5 z-czvm| zt?gb8bRZRD?LoUNO1w&msByO9ByyN^Q`9ZxAFW6h>LFTQ$pFhP*ea%ennnE&%T15^ z50gOq0~*L&<^nAR0Rc7sZV0p3=%Yk}+e!D_$x+R8vAgdTs^zV&Tz6Q{Ov!xeY`QAi z^PuKq1@K3lU?T0wT)dvdjhZg<^YJZOI||<7{^DMRadW}onY9K#5{D_j7bjWnviTdI zVDyC9$ajnJwDg~pf>8J7v7qiFEu|iJr_GfqU>;+F6Wopl=T4+GIE%3kr+h5-(sUlM z&o*@fALCWg_Sqt?4)EC~Drlf}bB)6cu&#^m=XmpspIElOAm#(Jg#DyCG!tp=-GXkQ2w& z;Kk4bY=C>hLD})XY;~^6I*Xjui{E6rDWw}a4|FloaL|08?O@-93;0 z7|JZ3t!5VNMD)-(wUP|dq38TTt&hPpT!q9o&z!aMxC$2_)G>ycJ$<~w5)YZU7FT#+ zY`H60o*;>&+Zb3bX~WazLQHIi&RSld)#xP0ns0MWcUZ$1jxfF$hw>m|A$S45jQw&s zr}uHx6vKA5jLqtW3Z1}CsmBJFkCR!XENIaOKkoY^g(Z&6*b6~&i~S3V0kc2eUW;F5 zTl=Cw9y2w@oQZk7p(qSk(xd4W`dB?^JAJ*~G^nv$A{8o}Hj^|gY?crGeKkHod{)q` zCBSo570}YXfYLy-W<}aETV&301Kr8?)WH!BDc(OZ2#K5`4KbSZN&zzXB_xBKi_0i_ z`@NX+#VZ4#S9zpPbjud&T+!3cB@(J0*^Zu@HVmtFAN;44Pq?!MtbB7F3tX+2PQ&x$ z#wsw5@T!?YRPvVFd5RX_%dNuNXw@tK+rBTi1aMk3)%!diaDoiD~mrhYu%Mnza`Fozzgq$rfVc^-b? z93_%1(RC_LJUgR=Be_&@H9UcC&)zjKgp&@1Ug4=vs=F9bWNc&f31&9?5rSfe-seWy z+f|h&`qBN9cq0R%0;qU*DWpHWDXvd3`~A%uwfP{1g=2X-xRi<6$c#+>k|cpgW`ZP8 zMPAv3R}8}ZJx;0%6WVmEx*;oTJLHTq=pMgyik&1dDxOU@RIJ&8ciP~qj4e3eTH?=h z2$M+Pwq57M7RpX{jSBkGSwRg&PyMB!6LObK3(42W$&|$KRm(nS5vESi&KHH!?}6;E zUde^Q?W4ywcZ-dV&(vie;26Oe8%V=gXVzC0>R#}GNB6&&N4V-~P)-hJGm0ax` z!Q+)vf7J@I<25`ww~R5SE)53Udp25v$j!%EC}TU0P(Y|K&9-0&X_s@~z~xw}q5**r zRso_}cp{Qr(dx?8{n%-Vcjzd|43cbr55ERi$ay<5ZIWPaZT5~*zB``jot1DWq+dIZ zF*gn=+3854`?g^8XfdJBMPj;K`5KYvv8h-*Fn0w0j;JRyqvBvI4K7Q!P=+4W^?qEu zEG$R$=JEdif!5~aSU0?p&AX++lZ5~*Bgb|3E=7cC3OGmFSOvN5iX2*U<>hdsqPhp= zvEw!eB9k9|X;>C^eUt-Uz3sz&&3Ko%y3bym9cQd1XsKmJm%#8`I3|@U+GcTld8PdN z++wzA|4bgvR$~O?*<_#h`k5JmCF^T8SwXD&Q4!sm&E&hbXE2Aafs4OQ1;CIYU?I%yW*xFPmb<-H?Y#=s= zMHLtDB_t^0C_4TYt8C8ujp$W(LCba&AnvdW84GW_($^W!mHMk8#JeP8t$rFp(G%<> z>#01_+j0_)*F+zYCRus${R@}x6mibew~=dG#W}~|dBykW5Ez)D6d7fgST7%pW#Rd>q_ng89PLSv zTvD4H-I^_rH^pxnRIJdf0?`WC_Dht@*!UXV^EeM2suYqP1k)ijK&IA3yqHI<+5F%* zq^>dD%*2@ufi~)izQU%x;izj?>__Mrq z7Dt-a4W&StAjWN5@$6m9XAj)?La#dWFO-i}9v|lh(`nX>=q!YzI#t+K1}gA7upd~8 z0tqyZT&bKc=eHF_LN6)r3kxcj6ci4<$)u)jOB*GAN*xc6}ra-DM)e7%H zoR9D6#~w9ccc>VGCIKq8Ea)S7i3j4JEL8g-GvS{f&j%>W4k~fUA99iEU1#^u79Hld zcf?Ig9!^v^x?VHC=1aX~-9Jfe{UdsO4%dm;tA1;t`+N|{T)ByoLo5D=xgyXk4_0HB`P-eFg zuP=D1hRz33$QI?HI}M=9nBwp6jJfBA?Qyu?Ij7%L4cW)y6KQmLkXv9Z)atAA>0%zs zj2X{EJW(k{uc;E|DTgJC@g%GxrOU?3IOTJzQuJLjCqHjpq@Xki&H0AEY@U%K>jAH! zl+$#$^u}1m7&NVA)@=4!yi;b#kg}JrSYRPtpcAoLjbQ&!HyzeU6}`so9aOAX>P$oK?7lKU0_P5!gTuTq)stR-jx=b?;bi@A$&BlE%Kjduk&!6! zqW^8Fnw#0KCD4{|y(b#Wa>KZ6bBUBh+&Wx8qHH7`5b8L)RPB1?iQWl8bWmA+?hpmC zFnmBiyC8xGdZ&iXE(5%@K9&Oz*hVB=KCrlHwazmID3ALzk-x$l{ zMITkgZBmk_<)ZpXC2BHiw7Mc6)E0_?kMWGCZFAJ7y_L;5<4&}84b0%pdJ6?+ij`Cz zpdgSxAtoxfBKgb}XhB4B$*p_4-;kB+0$0z^UT(zr&d&?pNXTr0d8YFZ)|z~8B`U(| zy3VK^qR=Varl#{f;G8`<>QtFb=SSBF+sr<=y+E_{pSjhm0Oe2OS~XG=F*d@&>=-HNRxgSa$obJ*C5viXJx=v8P|s~TzM(E3cmtO_XSksS#gJWpr) zr%nSDZ)QLti%SCGHHZ_cW36~v=IF(b4DzcuR4`dUmnsOCn8-A0M!qm>qQv8rnD}lg z+X~VZ@te75X$SK7b3)hJ3X9OGp7a$~991jDZ6YJ70@6!NPf*X_83#ww9tI5u;TsDFZ z{OD{{8RFxl{uX|iiM?U=9j5rBp#ETKXf5CwnVJK=72Z4I_st@3g<#*78^lCdRKn) zAvF?djc_H~+Tw;Qkd~YgXH9jJ#t0(=3h5BqF$sw|#_VRwZ@%XV$ z?}mkyWGVnH`b{1#hX-AYVZ|FwO9%jIU34yhitNX?P$|W)f!ki6jNiX)z1#4c#8cW= za!jxq-e{anovFj~;FZa9R2>;UCog3u4p`rXS&)F8u9D!&+7RxmlXzBc!dS&mGL4t8 zJKecYjY@Q+H$lf*_NX<9EQ&*#FIx@Sv6_c$U{m3Z`A$tz$oej;^Tnqr3YYK7k&pM| zS)cn|$wT?M;~6Tblo*34@dU-ENujK>gaX!|ciB8AUA2!@D1K_fM&}ZFc@>HP z#7QLxoAUaziGjf5l;#YD;5#P{HBv%U z;y#`&QWdR8gSs<@V->0-ndiVrYLYniPUL727nxK+ykH4xb6#r13ySWlzz41XwtJzy!{WH%wVd7%_{y@IxAE3w~8hTt@7 zNv0#qX|dhptt2DS^P!OjUZqAI$B~cEgvD$Iiu&iO)a9QkKLUSLx-9N;1fmOpg-NFk zf-3pN_n>+g0F@+N3~R;Z5YFh%n1dn=mL@yKxpCs&S|7E<^mpVZN^C|`@IP#ibGO^2 z@8wROlRXATt8~)r85Tkjwp*w2j+8m8^l~VAuV6XJHC}3dv1RAoyk`dF%St7ES7~l_ zA(fP7FDSl+R*UD#H(T}I7a`s_d_^R9!Rb_?Vy&&ovPGmE3nxdnnxQWm+5KfF2JodE<*9mi$cuPVwB?;@doC*Tm%0)D#>$KC0bEfq zLOPyMG0#y^biVN*DaB+7i^Q{J=8}!O#SF$ZSs3(q6#G6;(5=el#q}_0TI6ESZokMn zzbY%)K6Yl?HEEx_aV2 zECCMFrZJ0)A7{k{F0Qn?YbRe89B5N0?hx>3AE889)>*7Y^2=d* zO~%gf22LWF%Lc{E8K!BRxcn-$Ai?hW#E26EANzGqQ0lui`+IBy*4N~#e%=(pEgotn z{v7?aQFDYM-y6u0tS&X-!cag~cyUce-5i&fFIcU?9}G8ZEw0synWV--aC_RT{hXcc zWE~PlF{S^g1?;j*#=A~>>6u)+^>OpqbA9{?FJnp6$Sdm%ESr@Aii(RH8d*J6aUp0d zp_$ZQzj*Z-aAKgDbdTSzx@{8N#EPb}FDzTuM39b5o6lB-kAa<}jZpO2_gTy8&B2OQ zFEvH(PLYH7BP3qscgtt9&GijxzBBDd7+7dg3I+YIdZX)S-c?Ni)^-u{;p>b~spXUM z?;a>f>Qbw#_j&GI+_F*54PRSC-ET{tnw0okd^0-9_r8=nGQKmFmNh@eKsjFPH&O(6 z7;`y;_n_vIUf&@{d+$9H`S_$cI9Gc)ofe0{PaIZHYF1+8U5ZF%{kWC%)I%YAvknQC zkgnHI<9n(^O&R^Vb?ak6!Q|&0IUi?JoJ<@Y!?Bt1^@l!7)1$Zp_Xpyf?cxLFQLL+? z7t}XCph(8D(GJMX=?X1JAr7i!LKjM2+uQ>PWU0E^;m@f=HCm!%)a;Dse0g7RcZ|Mx zOn?UO;~v`Rzsm+(6D8DL#W^n#nHK`bXSY2MU$orY8y^arT$T?^(Q9+rNfVT3x^ynp0OC%V9$Nx62+99fc0z5yc1rVfyyN|+GygdiETrFX<>e;(g`n&?S?RYidCC;zuGdmE53m5b!_7`5S@*4lBS zh?TNf8A$# z+0Z{P@7^dV>`xU2#^_&j*?qeFrAG?SQ}B1;Ja+Xr0D@#t*X@UUVo=r6VRWOZ?5Ikq z{zCJC7ex%`Umx?2YBd1DTLwVyYX7=3JMy3S*RTCt#7y!vpx2E$=U^V^W~KzUNTz?L;mB>?*P{B* z@B0V|Eff$wUedRhi0=Y|^Zx59$8|o(Y#?T7%l(<*O{Q-HF+~F#0kR8kRj9-&=A}p5 zl*5^xX3sG*fn>tJ6vEw)Fcf%=uYz&#LWy5@BAxnuMP0U_gVs?En3VUGh%}=9atoYC zzWbco$F<~uejAKfT&W|H&WE$>e88gJ`n(ATxs&{(wObj#Pm0oG_89~!s!Jba_vDKA z#(MWzk(KtwRq+b~{{F&q%Kz?(&kzdO7KDWt$|UBnmNtL$uV7gJV=>i8 zKS9hnx4NN)9!@f{>4w_%_gC3p#vvyApVzr8{BO4kQE&|M9W9h8V_~i4_oZxREE)WP zJZhD8Ega}=f8^Lr{TqA>u^1r(;BfBir;jcN=u7P$EM_Bx6urf>TmO#(FAQQbKR9=%z;jY# zxW8rq@m4124o!9iCSN^!-mnub8Cfo(Z}T&={?-5YeofF6cu7!bZZHgX86&B0XCnz9 zqlr~5gLeMz#)mim(H4;mtS_1Tp^fHfqaIg=+^+oNjY|0cV@A4o^IJ__*x$YoG=6ksN;-2vF^{@kC9Gta+6%+ zi%ajq{w(?m-~KyJ8{7BMLfzztn!}>>&6IHsTx@SEFXyxV?}zC^9G1Ktoy4=|8*%cb z2s{M=kBH4nEJy|htoZz^{qMr{kl$XFoQTrk6$mxk>0?fxFsR*%1mP$GgHdV&|9ow? z8}sixOOfq)HTs7<)NdcC2{SvMiTnJ*s#bnY8$~zxmlz~u`}fIVByV=>9`^|_=5-CP zGk_FBgZ4Egp>OXLqC+@bfRHphFP(6P>%4 z{taxy6y-iK>OS5I3g*Di(R3{Ddr$aM;wkGMV<|}n2ry7)a zdn4!>0?r(ZFC7e4vY4s(tsmw^3F6_5I02C|#FFW|~hJ@iirUJCD8bUGWb^Ry+ z6cm@2mm%T}3;ClF|4!fd?JXf(uQw}q?Mm+4t;)1L`X7N$Q7hbc0?{xQe>~Q+#P7Vx z#N=M+cGIn?ZD|lrcA6?>WtEjl>vgq35C7ls4!{NQ)=oYokQ?F{%j6wqjIplk-x z=XQAGRJo$JRqlxL=c)a;=^)s2h`a2Ythv!hD`<5_usPLEar)J5zeQorp1s5G_=o=E zJ){HSw-lp&qu45D>g}REH{V3)>ZbVG;+ZW`BL5Z7J@4;5A#&q68ia3m_hZu0G?9OK z5$aicHHsqpeIWkxBC|i7kyI>r@Jkp%???_Aw&qMr z%4{#sY~oc9>kWbIx_@+OqYEK}-y<%A#|izCECKQfUGqH@c)rY3i~CLp=1#k!E+=$B zN=2+@pw|{T^1HYgBW+YDu*w- zqK6x+!E2YnpF+T34I>%7rn6U`qWe}>4WsoA^1H_{C%J3(`*o+Pn3(s+Cnt~*6`PMY zR*uTzeX(uCj_>{oP?k)?Xzkm32v6QehCQ~nffPSJ>}yoVsSdii zDt;8vZLfExN5JT#W@m_i%x!SiWE_{faK|S6He@|8G>KNB+FKX1Cv}}JRMO8E+Ze=Xa_*usGF4CHS$Y2Gdyu7DgVa(aV&>{H>m5-;YvU+hd|Ler zQzS|5j6V2$g~_?OqT>DBVlt^=S6_WoT3sm}xAN6ldFU?!Bt+XCJlVtv39BdjqlPqU zqN5}urM>sKj3}rI_g~%ls5lU`Gd%F{#f_B{rreTlH6O=~IX4MGXo;FHg=Y-QoqSYY z*3P{Bw4N)z>M~UEse8r+WhMq$KFNhvdy96iJCkUy)8Y9ok7+@H$gce)r~ z3_>NVxXu9#$E$Kx10nrGj)Ef%*aG5)hPCz6v{^=@4VWMWo-9hLkwM2u&C0Xt5cqoh zNJpK4KI1CxE@E;i8Cd@*xFlDNSH9iHMwQBf9J8bg^Lu=JanYH!UBZ#($Ses4*8WkR$!$*VUxAK9T9AJ> zV0sa=<020?T+e%)-!%KMq4M(3URhsfT+tO)ca8GcjrjvZX%BC1h=`^kA0n-%vHN|2 zwLc4vaenHk)5~hygM%wLFc5>-ir9NTBX4v}A?b+EbR~!%7}~!Lc^BmKAPCu=r>z_Q z`%4p=Si4xDVrt%eaS`Ok?B1vX-IeO~V zIX%5~V5DT(B>Fl}mZ3R2e&U%O0YRo?2Y8)l&qbzcH{)JTPO7U9@(f0Oj*R`<>s5x1 z&dQEq3s)QKyBQ0ti%ajH54~t_Gcc}v(8AVo2FK^H;dY+*JR@jWFK+qot5_{Kq?Xr5 z{eh`Yx_Z*s)LP3;d!PJ!x)DeCi^E=ZJuk=-iq%+YuQt+CwrGK`s2*sUO6rZsh)vq- z3Jc~g+&ukh=|(#|tgK?R%UxON;IzGVyrzrHL_r_EB6rDzwXd0!pimc|uFO5}C7wZm ztV2*6;fkMNk;yG0=?=(5UGF%gqseN7tz$yYfB#2}F z=yHS|G@`~*BoFS8`rP(6dlt<7x&s$!a?vfd_Hpm~b69LN{Ikl(-24I8egSD8W(T zv(1S&zAuaV$4c-ao_c?($lv{9V!aKOHa+S~u%v| zFVo>=M9B3To}nc7zvI6T!e_v<&&^%av}PUN3F-kPIsCRcWio0p<;_f^%Og`Sd%Xk47F9P&*OT~GHzx3f=BxBbqSDp2rQeqeO5r#g#qZE+o{4BP&fE#}Se-iENd zWoZGj!D-e9PmZed9wUnTQ;*$aufDH^JA&?dBPgUzAXYEP7(;e&^9%SPUwqfgQ?W}H zXKUF?h>mHLD(ZNBtRa}0M!lVVaf-rw&p{@LCP+4=_x#gp$Z3xouwJF?`%(>2@7zD5 zSg)&3=Sf&8fHp;b>F?22y>O={A>Q5QARDBUtE;Ezrk^Y`oVNjRYlgbrDxMq_*M4R% zm+2CL!QX4#AeH!(&R0SKO*P=zZ6{U*YZ!bT3ZE>6k%Y|mqa3{uGjjRphf4uEv)?BV zzh+W>4~nI)xm}n07x8zNUtZf=_SZ^Q`I;KOC2ro8;R)7xF)lN~#4%_|rX`Q$wsUXy z-C~Kpd`bL)x3$URf@0I^Mv)bX5_%7F~upPuFdba3nxYxLmra!># zeKR_!c$0xPOUB9G*( zZ9k>}@Dplzc}2j!wTu+Eh}X;$D~gm;lNEpKnJ3B9IQhOq{#brujJ#aXW@~S_CFR$q z82D9SvOlQ4T7A5X>-#`ow_XvOud>jnr+{VTJAZ}1NICz>9JQ_bz8pmFFs5GA6bwqL ztu3(#-c*2M&kUundCLFV-*J;x5586n7{t!J$ZTiWGNucb8xR65PL> zbAIRlo}2F~x!7y3J+o|Po@dQ)on>Ys4*58qK8zcJ99_UUSQt zo>2gvRc|@{P6|04+16NO0fIGIoU-t@W$Rikpw!J`+&`s}Mfa(NPfvyVG%LadL6TeA zCVHh~y7-uuQlOjXd%BjZEYAZW|LyJsB2vOALwlKmspb>**gpx2EN6)a?3{*|CZoEn zk(ApTu%Ae@ujM}BmNX#+69IvP%yrgtf&DQOcl!^NIG}`8HyID}i=+)chyC@I(+}Lt zASJzqEqjjY@AGv>ETPP*#P07oMIA^Gr8|001eqhEC_-+)0eac7E&g!stNZ}TqdCxZ{d2Gr! zOrqt)Cvi_wpMa+)PsuynzmiF+CehcwzyKTW}4;^^G(sXd- zVe$RU!MDML6J;#>Ad4QxQ%@{jjnyZVTHYg^2D`rDsoIGWWJmNnz*t?F9Bjs`_q^L8 zby^;!RZj0YKaaRQHVEW<*)^hNeGX0;li&bb0ER0V6LU@_x*zdxZ8BGvZUkAZk8gqg zQ~}ve-3Ol+!+}I9Cno*JMw4{_(Q-|cru$GuUl_8Q#dz0O293M5E%hbEIAD5{IFMr@pTnf-&mb zAesYZ*DR+HvJWX7&y2}4RL>*1yVzvhr;Xj2E3FY|3p{rKa<{ECaf2)Bd8}uD1fj%n ze4q&{LQA+iszh0wyWu2zlP-X;!VQbi3y;l`dMdh_6tE)`Ft>p9rY_wN;hxx26y#ZR z=RBpyG!858NA&O6~#D0afU6* z-DCPjNZ*rLu=%FmQ(*{t?Y_kl6Hemmdh=!cHlZ{=Xz?5>{0Qid>{wThny-eY_TN7 zj;g(^vzw`s2CVsRk-+B5tr`caU!xPJ8{MsQ;?s4;94J^6J0V*%Z`l+r=YNZT6)eA` zgyB-Pvu$uqw}a=deBNF{3qKqqb&;QKHTekDIuH4d|9+gp-`g%<%T9f82ZzP2o9r;6 zv^!vqzxU><_K+!>00#AEIc$cs2y@zAxl@O(OWux}*I_~jY}j_4+EHqDvcc#5Ri4Ky zYr*r-KI^e!&4&liay{-o65GSj-kh)4AXDzT(%MrNyV6;|RE5a=Hx3 z1c%P<9Bi42h?)twjUA49`=iy{dO2@z8r8L)dc$0t1#0~%{g7kxZE0%wnneD+Hh&`7 zPzT_0K3?v`O&(`w+pRYn;I!Xdo^*}Zxh7bSf#(FdWffkcnxaxPB+#QEY0Nhe82(BC zo9T!i+{rHZR1&$kH+mLW= za^FS{-D5gwItN6ws4uQNh8p-l6QfKXm@Z(BUm9ULwK%F6DNE(;jTAa*1 z{vmWn%Z}b0_KHUtFOjAQk3ukmQ9Tu#P&^=iM^ESWim@Bzk}2l+%CTs3szQ8CZ(+Z) z$gQ8ZBnS;+8XQoK%`($@KBFfwHl~1u!B}WJ>DE$_~lj~G=KM}^VhbR z^Cn*{c^%Jw$UXUdP4oIuGqX_r!3&*nY6=}QYUg4h0TsfVbXtM11l!|^Me-anz*F0oVSnP~y;Ud2c$ z0=L-8`xB!h{G$YC7&!RpqlLqyr)#pY9LMAe?Kk3GOV5<9*K?o;(`b_M>2fr95enHq z2$-jE)QQM>;}7Feqr;VR^QvN1HWa&#i!4#AEZrnCA_0XAU+tskSC*X-opjT<% ziA^OAxSUVoq_j36l+E3XGxcccqraS46(N8;t_Bs1_wKp6NkzA+2gxOkZkP_Zv80b!=r@A?$#Q~WnC&-?=7f_D4FQqVppf5 z=7=PoTgTrfB{?(V^)R@XgF)r}myYRGiirmsN@I2Sq}FN!Du>u0jBGFKxA)vWUT29{ znWKLIBUx>p2MyQ1J~J1|jq3U*+;&wq<*VoC6OrJI?cWe?%|VFYJ$vTlu4L!ghC4!e zl~Wi7X6j#%mgg^Mk30GHeSJd1i(5Dt-FW}x8{!(VUGxp}F9G_MdzR}L>)mLof(M{| z+v%$!-*N4OT+PUqNAoG2z3KpL9cg-;x7qWHtn~ECI-i^$t<+3Rh(s7uCJdE|Tsk7^ z$|`6e$M`4L?Wiv_M#c_LL^q9S`6Zi3@fRIt(u=ujIk65;87em|&`)T$u8l#TMJ3Z8 zmMFTBSGByyPjkffT2`f7A3vdx%~R9&PEZLNi(KGRABqd5d~zgb1jLJQvxPPz^J^T7 zOFw)!Qq0ohyekzbit|EGo*9b16`-Kx&0a{@#}?y7pu~8*U*f_m`^36z!s z-H9lhW`QqT^&J%FGqi9f{Sh$77B}kvn2*9zLRW{5@=oIbghu&YND=J3!Enx5g zn*tG^8&e~U!?F&-kqqU+sbtIYH?@TTXOIv3hXjQ{_uvELHfGwP=sHK88uft#1_wkL zs(3s+VnV{92L(d41Dr2E<50vMmwHwYadxu=I)BG?>~0<+G_Si8#%;_c>!=U+I$e^2 zBK-G&{d8=W(%rJF8txW-QWqzSR{M%7)FOPyDis-Zj_c;B3s)lR5Pi7od!b-M8x8-}{lEWMq) zk5hep^D!kU4_GMQ{(F_lBJd`CN+$v)`FO97A7P2pedPFY+~T@@P=jZ;Qj_?sawQeM zTM}%&ySr4gMor*nvM#;Ko z*Yn_ca*s^5a*ZG5&xw0s$KS84C*|Dz@zRD_{G~2re1Z1^@RU%oqLAoWvlP9h_k7al z=;wVO4zA%*MYt`ec;CVTC^}j{Fz~S^1D3`~7ZMN;n7wwAvbo+8m-BQ);byp!gs@Ok zQ%8jVCCViBk=6Nw`0bRKKC~mST~Qo*mvDHy_DtQ_@Ydu7ezFt)>4JQQPj`R7m~3JGYZpN{uhI`k#Eh1bkz zar@sdP7haO_ZZwO6;@D(ZWuRu@Vn`S(*BnVAo0iFwDI9eWToIuI?D40;2!4wm!ycT zoDHKN_szvkrRm~1?e*dIG8c!!R!H_XKFOF9cq<*IckXZfPceUSi3kA&U5Zs$7(&;y z`Gn(@Rbuni4T5R|gO3I%hkR_Qj1QI7Oha?Klod4)3TWs#M495JYSc?izh3O={h8XB z#G0G`CXh6IPTxL(X@0(DU!9}GV6(*6ZFulydj*uv*FdT4!iPt%V(Kh``#Rf%zUub9 zPKsP~Q~E*cBVeYJjcS{lbdvU1X4TO6;nF#PjKJRR6XCw?>B<7cZ^R_Pd)i~?D4iHSVHA4NuQ9<3e zFq7Lm)e~(_P*Iyvo^1)gvMr8u3-b8s_wkV4^Az^G+d>8O)DuP{$(%RS_Ha)QZY{F> z%Uaaf2y1Gw#6oTpkuH5Vk&)dwWjY|2-Vz>RDqU@RLm_4aPavE|AFtH59FV;2B~>J6 zXZXO^vMO|;Khf|@+QIM!b7hX)%65HJD{QNjA!oBdY6j})g6P3>Wj1v0+RTGhD0@7f z5+h73v~7Ove?!p%6NS3%f5$rM?L^7I<_4n`g+BS2d-|G@4Y-$=aVSwg_GPo^abW%N zr|}&ETjlYaqKFOJy6kVNRtXxuuYCwk9x}}?-u>mpX(_N(;dnTkk2Btiw|iH&m(1X( zWf-iW6yE!?Urg+zr9-D90P=ETo>_m)V1tk*y6s1ESqjt|Y039ir&)^7SPQwWxOOGw zgf(w|3=S9kn_bv?#cHq1lUp)4YOVAUN5zdEaHN04V;ixy{Q=Smuuvi%8$GZJeXo*u z@Hk4lJU?H1eC#26(;knacMzeXqkJ(x##p}t~kMf4eD zWa*x%!ff2Qz|JCV*>@FUX@WbHQdTRmL@v%tUbI1i5vJ*sl%HQX0Z860jKFc=4T^U# z65yz4rjW(o|?da!z*)Wi)N|S!uXIU z;_MFzW3n+-XhEu@>2R8iPEtakD93w``Yf8m79#Rw+0)pGTY84zuC`&O=m$Q(z7|r< z$x1Io%oF9E{V=24ME}<_1Z^r0u@C{T@BCve;{9t7*Gj=297LU$b<#q7Pwb;&bMTga ze;mb^t^n3igSLPMrQ_P;PxQukp%)iNcPAY87w6cZgG?z3w@JpeKmF7iIU@H{VERdOhq+^FPK zZ!d6*T+Jf-a`j0X@a0=TY)1~eiv_LW z<*H3}-SUP?B6b-?$!x|u{MLj~fg%A4GP_6QJG5${dQYz=Q&uL4 zog$e6XA>@xnw|T$cg3)V4$U3!CE3=Hk~vL%#=Kn*6JCTp46kH7P>;?datB@kCuPep zhNFr{pBNxpdwVRDz%fYXa2S*Aep{CcGm1lp{MOT_xyVkyZZusih(SgvHx_(10@8_6 zB#O$s_4fH#CK=8Tu^*1aHZK$1-6Q4neE3+#_8wbYD;l#*MFyB%Y#iTC}sO(=~TPO_o+~UH*X>cAGjjIy5SQ@Z?v$d&+RPW=|Up z{4K!|F-NEmAx-*5F>1jr)aDa{kKG&j-peb5$QOM$lC;|$kY&}lTfM@fEfd%GP_I>^ zk|q7QW4*U6r$5Q~#+YXXdIgn$r*{_fBG`(+0}!Dl^S!|`7N(ZQc8>xw?b{Q!YLE$g zC;Z5LwOZ$no1Z|8M;erRh(!6M)49`FU%nYPr}iaaD!90dw5^hCrxjrp19>%hj%Rov zHZi|jVwCUv`kF;=tVj1t`&3|D+-GAd&DoC}8Obiazlp)u1=^*O6?0#Ix{xGWXRcXF^A2PaSgyIcIDV6RFDF3NN z*zh=XFMYLuET=5<2xd()lKi67n86G zj-W$sLcI6O;WIMuLQ?8M2lMb$Cm*BeW+Ws!wSQbq8o!I;lGFYJD#WQQ{WxsQje{c? zc3#MVp3I6Y1S!{V{jq~-RJV`b3R>~N@^_!%Pwj`FzkV*IwVB;I`d%(?;VZ_eVW zIPS~)!$%)W5#3c$JFaQRL<14l{B=mYezWgy)*~)@H`#Ee1H04A;61l|k;6;u$LM>& zwSO+QAGx6WR}d2(%M9>W$R!Eil4q&7c5ExJToAT0N_ z)ZmGEBVFemH~ky@Vz+pho12TxkEOEu`~2AIsyHXt>x7f64elxYkuEJH!RNbwM^CUz z3WZ(Y4}iqe-o*&a35l#3*kWmcB{dwBq}7gbKw z+R6lsQlG;ZdH6q{Q5NAP;S+Bfy=qY3dB;hs?V&SdjK5&{7Nx<+zh|lbxPCX|QtDrF z{70PMoB_;+#9{!ZpxjR{Hqo*fnsZ1R4>tw&3j~%{9~H8p6dYTK+FvDw_PfQbbSBmyd7raP);`Zh_dUH`Tkr89s8~)DpXx)36`sW6%4S5EPoGB;o5k1UaO0`8nn^_m;A_Kdii5S)NTbg9?%T*O{r;;Z z`%iOL4>vu}y?Bf3K(M%j0UyJE1%R9UF+cDaG^6I~lYWO$7}d;L(Zw<0_2m1ttW}1a zl#NxE?=Z!YeCj;x1z(>YOuNV5JRz4umgim-|BCwW2mPRR`h^;;_ocQ> zzVH0SM*sPVg!X4PW`&+)nP#+c+$W$Ik5#VS#OUG7<`&@Yl=Y1EA1M+(;bZ?a`TH(+ zeo>Fj;9U?(3sZMK7Yo+^zUjB%YsSzrFBAjb{Ro@tH0H+zqn|1J8QlNBPuZ`*t8ngJ zLyT7%%KGiBOaA-eA5drQ5Y*5YPM$k_*TpZ;%k@#2H9vI#Q_tFA%Ks?k1F8nqzk0-W zh-q?jV4JOkcpIM{sB&lk^NvY+WQG2{m;5WbA&W4V@Z){YT&-RuR{;TQV5(6l4$b%V z*0NDg>&pM>)a+lK?yh%`wXfJ!5`r-)T-!tz3WxUombHfc^B8>IqXsY$_VBeBEJZAx zI_0Y6*~J&zO`N#q&zDS<%xRbNY5dSE{sweZZ*WA;QjYq&e(031RyJwFqg}zb=crqO z43GrP71>>$6wNT%FGBLk@r5do%f^aWyqGK1%f9`Bgg*#HuHZnJAd4pgAxbv9Br(nU z!n(nL{48A17h%j6N$ZWd*kfHl*162$M?2gb{0_n!HmJevj*~$01ye)8XC5=W?b=)2 zttiQ@BDF`>ts=(jVhLf);@T&-2&H_bEmJR${%YOu{NlFZul5yk0V!d+=nxF$Nh{ux z@%lru4f2kc*!_JFATkvUd>HH7Hfc{?ycG8(1bn!E)b~$%7EGhLLUBp&(HmYB#0VhslRG;*esH2=uM=5sr7&I>fiRg@&c4= z_Uj#{u~D$&KTPvJkHjeu?x4jHh5)RE&3BA0_x!h7tXgPu7`^(pG@P{$Z(mwO5dFoU zqg;LxrRHZPK-ry*bcFF;62kqvDqEH41P>p{^h6AwWn%H0s_a@b;d%M}n3s1+@WA_v zkzOyGciR=BP3dkT06HSi3Ku$b&L>_?XRTmuseb=dQ)bZ3L`;=G z#0N@L`ST$Y-uxoRbZ@{sgzSNTqUI&tl%2znDaVvqY~Y#gEVbXF39K-50eb{1;NKZ` z|K+h5_hKUiJJSsqZVI|@ksU|wB&>SWfESwt8#GJ}J|#XLlRbDuPh7Owwd(VCuxoKC}y>PK5#=4D#2~ZyS$+hRKq`ot4S>yeoU{aJRp3kmer}hXC zN)})=w_}9L1g$HD4QUkKvOMD4Fq@y8R)%B!VxKTCpJ5bvjs;j7+3?CoC-!!Xqn{4fvqAJo|M^B-YQilODSQ?W!=i;T z!wiPFw}S$RW`23?uciSOm_vS`^(jV()7^-A=)ddlc9ha5_*VMy0cB@W0te-5NfkPmJ-K{Lw`%-vcvcXu?WxIa!cnOU6;DSbCF0 zDpe6IC-QBliB?6cvqcz(0~bmPrdj_vX8w}A{rJtf{#cI-O4Y;WUShoqUZ@5dX@5Lw-r0&g6DCU9s=SFcVB( zhe_qPAyThK9DR&xmRJm=s!f2DuiWrj&i4O|7x+)EG%ogx6&F`+sTM=E+Ot*!5nFnT zCL`LeoEF{dxljzNv!jTMhLvi+3&^*_ARgU+ET2jx1QX0Zab17Z#=k`n5zNq{8zyt- zs%Z`<{w9AtCW)1A*oe6T&e>_bX}7V=;gS8Pr48Hbny*2I61O&%`E=tK|6$r~XG+dt3ofx@6n(>tyFj`Ccb!O}2J1XN7h7 ztIltp2|}DWN_Obi2UcXNQ(Ac_(`Nsp-xO3cv;D6(@{z{olCQn=K}eC2lf3o_>FL^7 zfy)U!{`3_n+eYUBBy&=4}tIcB*nO;i+nIRVohe-m3Z{uu?@ zfZuc<8q6w3Rp9`Ma$*Vkec1_F*&74dx9{Ko{oVaKS+8=J=|U~zf4*2nz@S%wm>*2Ti0ZQf6o?L%yr|Itfj=cVNspb{Ib#T4wUEdyf5erz7V~A5)ae z9&u3-mmb+ysw!lx{ZI4^K5aKMsK0*a**eo}5@r8g$dw6l?49X($_Ug=%u*#632$&? z&Ws^7T}eiU1&y1dh9Q_z)yOek`fTG=9xtBOuBxwp`9~37$R{FJlGkE&*ecvv-{f0d zTFs*Eo92k344iK*B-m=rrmAs1?$YQle2&~=UM8*u{Aa8KY$HEOYht?dNfgzewzwe~i_Lh51BOq(n z47>w20+b6w2w>5gzJ9IG$)B5+1aEI23~KfITlH64eJ8Ei$fGL;!id69Wo2I6NHowVI_O*>DH*I4eg^&tjbD2YOF519>IO^!*Dw#;z(_gYmVTdLy zI>ldXWLrZ1OU^zTI^+C=W61bH4gZuFjG;(2=5@_YoGoK?2A@>gwnwCI~GruZk6 z{z<*qbYTY=SV70*FojW+Ev5>A*qERYyd`=Pq^CayR10mQSPClxhigsaZ+wOiIk-4| z>E-06@R5q|c8yq`u0QlVtoaN{%pcbMvD#A0rsN~4Qc$B(P8ka?9#J>7-k5wypn+7K zX+bNR=z30%U59S|E{4dsKXq26*L&6alqs|~&LzoI&c%G9TH>fpDJ(MVhvoUa742rsu9++Z=<|=_?ABIV(s2^fl;x9-ck>Qt}#HK-9jMQi8GUSIm5;}sT`=-nG>9wDfYhxvL&wLul&t5t3O z4XnFIDQZpgOT0l)F+4HLRCE|9V-*3<8%w1%67O%dO4Ixdnw`ZZMQE*<)8Z1`@4L2I znF1FPuw)SokO$F}oH?*vX~jD#Gu++XX+xCJ1M4?;T|Yh_Xz)c_Ft3ZXmz+rLq6)XR zPTcWz4z>KjwYnIT&A2UdD&e{HCjHvv5PQC4QqTNUvS6(biD*|_sxDpQ{EMb39Zk>d zaN5V|d@AsM^x~ps$pHFcTctO?W-xZx;d8+a6NDR38lLnDVw)+ zWOA?-+LJv2k66<(NPRR}wBu5c_J&c^&F8Cl$88x=GUEp4Q_@W6|J@fW)BLwcXauT8Npb^2^@7=b-7_O z5dhxOyia5CBxwZ@j=pNCmxapxn%kne4a7AiX%p^m717Y;_eIa%1@D>21XaZyll?33 z*%^YWZOJAQ z-Otf_=+vm)Y;PjWda5&y{BR)cJzq+UEkP~oL|pT0!(FlmG^K-z=mQ^H#y3=<42t0l zh1T4Gh);`kUMPqIiqx~UalO1Pa%4+ki|4dQbyfj69fT|V4qG*;{WHA1ozqKWIbaJTu5$ddTrKbV}gh;!?ep+mZlpr=U7(Q3-ZzhfqGgs=uiJ~_jnwQmYRk5;&a;K8moqUDW=PLN-O{L?G{plpX55eep-#KQIm z8iOj^zIai8-02FexQ*%Xv?0{lclOed50nj#YvV!e(SM|EUJIP` zGO-LE3#sMeTKwaJz|FY)D@MOZde*xKVtvQjl(aoIl#5Kz!OhomEo#LQiq0VHm;4R*TIK zNIMMCy=$()2X{G>MXCmwA;e@{UNeI#QHG}G$6W|T(wH(vLT$Ztq1+-8Z{MEp-L@Od zc0f7r*OnsB#J!`8Vg;>LCqNbcr#ruD3Q(PQImE6ENbaqhPRC`eDulZOvHXh_!uB7p z!0rx57a|^Yj$a*k1U)UM?8g7j6$Hd(C<(`LaN408rVB^-T%h=h@UG5)8Jl@r#-3aj zM+@nTHy8fmd)tcnOi1je5en4qk*4@1OBeISEVlUx-&~VQFG%03ar!bnX%Up)1&xzu z)Ovt1;XNUUF3*AEUi8M6vjllCuD^rx^yxAD(iR9B@2BCI@zuk<(NFCKquv z;83mdS19YhI-k~As$&3^0t%*xRJd8qQI(e6dOi1FHFUlJPTd- zMFG$~p*9}H%S--(MRJ+)E1kBawGqVgVMb!W#13@+^KJwCA+g%{*@?J>b65e{9RyEI zka(0iZuN`twY4)@_AJ^t{f#F{%?LlI>GVvma_r7tn&*+%@1>3%kJ+o`YD);5Eah$~ zTNRt;jL8k0PaTc&iAcCFON0B@t}HZoiEppwF>#LW6@A|_GqtU+cL!5siGI3)XMZ@HvRXC{}sO%NTLdAP51vG}{_jR(XyiD^QqG3Uw z8@bOl#ihTrOC61VY~{fupzU|QaKZb_){6py3hdynQ<)Dl_bNwj9RgJAD!^kA6&vSA z>`lSqUWlf+MwZgfJnKUEIcLX!I%73!zi%DUyw!COekb;RbOS=$0WxG&vr?64s z>5|di`49fYY)Hgf=Gd*ATy#uCu`z2Z5y3#{H?%>A$5(z1Z&i!r>L9{_6cs^&O%DwF zFF#dgXYA9GV4RGA0&F%1-3LBlR|C)5KPY%bRmStP(1X$R=(jm?kF$(O-a@i(<4m;8 zL_QnR8L>AP$$4&Ei(t9EVk!9WUoHSD9e9(k2>4U^aYQs7`vrMOF41Y>({daoykPb* z47L_SOw1iuIYgt4YVRngMZ--li;^7XSkM|eT2a=ZGYOROkJ@kVOSQd~;r?L|B+ znKRwFp^11zB*X(ABNp3$of#2d$&Vd=b!i)95Td8WF|xHgR!7Hg+;>Y9b8J;|L9_u! z5^#cas!&%wlese7#$(ka{XHF~_Uq&)!#93}?Y^c-Y$t(g3Q=Ukms9hSqkTiSYVbys zF+|g-l{fBD3WHLAybAtr7smp{XPcCESlyi>wb|>n5)HZK^8GTL{zOfwtGyqGgylnTB3(lFCUT?Xj1Eq zjmM2!wXO1Pz~gB!@XSS)>@;Kh&&xvG-KG<^sRK7Qblg3GLCj;^^%VoiUwZ(>=qYwx z_{WO(`bgHooW*Ro)#LGkR<>w9dDL(YoV9>Q%p11*cPcuEC`9YKfw_Fhtxv#O;$PJ` zZbqoRS^|Sc_*2zJc1T4J-s(ag-_R7N2q*BJU`Lf%K^tO_PkoQWxaG-i6D=JUgSQEj zdeOjkp1RBRX4R;UM=0Z7Uo~$kbjsXBz}t;vCRwn@eZT*U%gg!4XYH)+{uvwJHK||$ zMiw4Ut4jgC4*s~%HfbkYZpQ}SnrNP$n9GhfUWV)E(PQ!S2$IP^LWNw`L9}1(QT3-F zX?vKib9`(}_G#XC&OAZL+n&a+uIUt*{IW!#-AKwgL%Hrw-$TTo*LWhzPsq>>v;Q_3 z_`*6EFE|n{DlHb#u$aGzL$RNZf;~@1d?Y;#8x{bQugWOt-6e8fbQOR?^!eNm}olL z@U5J&UaVHM;vVVX5_AS>sJjW-8j5nRfheUE`idRqsw+u3Ul_HWVm}!{;rMoTp0R7W zIxKIDE);YPj9Ae{-uWofRr0qnjn@rVs(40Dzb1mff#Glc%g2m2Nq$j#JQS9N0*<f@)lY9-)|(S4E1`xn(BWc%rA{hvDCr5plSjWUjZud_<(& zkMR!Q*=e2C$a<)^tu~D;9HltPda@+*;n>=!TX8tBmNAj=>66Xu*S&S+7V=q=QNggc z{#U~L%0QgRV4`f9?%5I(PO>gEyd9=+Fr=wc)F<(1!0~1egS9Fz>aAO%1 z@ z`yH&Xet~{FQDp3Y9`;hVUOdKku($YrOgOUmjU`m&^eO$98v4jU4DER%QZM)XMx!(P zS1ovK@V4|15{hOe59>oM39ggCr2A1glPLMhHMxLZV`Zqcp(uTpkYCE-A42B=d;Xb+ z=N1Kw4sG+>^LSGh?dD8UA&>mC9xVOYDGW*$Z_g;^sMEscXd^4jA%Po`Mf_i~&|NQ^6*v`rc3<=MeJ5mAtpk9TPdQLuLI72eJ;zOw8*KAD8r7i1Q3B zAFwvbNGb2K?EzU#H>sOENWV-jbFDFA_NrLc`;cN^F-v|&?_rX&7gSGK1+POCHaRQ| zs@Cc-&BpH8w@W2@1`Rvi&Cz}_7dVAfD5Cj9{$iYg9y;-_=^|aMfhni|T8cYVqM0UY zCH@XKzV(B=YZpA~Q@?TF+l)1mW&SJ>J+W zE1(eZJG&yoy*N<1g7Y*8G+8qPYMx_OSMv!R+pfeU>7|?=%NCaM9L8uoT=y%MhJL}7 zASlF9qKzJxE|OZxh~o=gMz0NOo^JcbI{&=!5`VZ3XQMa3Z=hH+O<;J%6Pyb6wso|4 z@+4-%bIJb%H5+(mkS+k3DdC0Us$@Gd1;z`95xZEF^X)(Iy7wp^OlWfg1+G zrg%!6+20w6rmO2Rp*{*DX!%<6y2QVU**CFGd=>`p&V5t)RBwv1eB82aw?VN|H1=&{ zlXpF^M8Xf&_X2%V>6qS`2OV5=iVkZv5#siQ1!Ei5MlXN<+{$J5>b|2C{Y+s)2|{0S z?#^7iPbT#U&(LVE$8Qdvuh3q#ooX^iRGlMl*g-m}+pJJt9#E*q%JjW+tH%(kS~Em&V0Q&99g z$Ul@A<1O<$hW8{5WaHh{IjDtQ)`{|1&yn!QL_S92nJu?kX$*u(`ncDgePJ70sblzR zNe!7K*5$SDgz5`dNc3vmE4!bqOJ2-ZB$d8lz=Y7)zo_~m98H$`m2E#{nfWXOBPXY8 zmGnrEG|OL+Ew!MW}a7o%`cK$ih}3ewHeq*#%g1@p6({S;6e3)|HEW1 z!$q(0HRVLn=S1o9G|{Z*9g`BUmL_pS`o*2!h4K-vEn*V`>O1?0&s7pE7!5CqI2EJ| znwp;%8|+ci-)LskSxL>@zh0~efd_DM{aiTlhlj`4P^{OALe%W>0dv(}%$Iv9b;7{! zSfN5n(5qP{b);*uv0q9T$l<)dURK+KW(4UaKn=NGR`!|m)b0@B&nxpW1{Wh)%9s!Z z%d;(Yq*-g(um+{6Z0?wG3%2hg^WsB|pFr2-C3+)h#e#8b12C(Z^2ZT(w#TL7*jmx2 zSIQL(_RICZ8ghzjCHkK)c`(T)K9m4Il7D$n7H*lonQ3rC+iRBe@%VFdZVfNb_Gy4m z$v~Z+Ow%2**fm7PZNKc15Bx!BGSn>2cb5Noq(PfIPQA+7)=qF>2yl;$ds5-+LX}nz zKkU8^S(|4SIRtW>gBN_BIo3afwSdCT#g&jLU@@;NH>^@)N? zu{*qBR2BIy6&!Z@g#?4eAZ7l+eC|7k<6PP-D}^2{B4|S+z^5}*tNR<7wjxJ)864?HiOG12)Fkw*#h;$ChX`i;0v;Ba6D`FOQH(Dwig8;`*tx(KQRaL9^ z;R_!snOugfdH?uN`kb_FH|O*lok+?fKh%_+YsrVpg^oGGZ8qA+*2 z*M>1Ze5`TNF>E8hE zOdjfIG@O1)<=g8JEj^mwdxEpzHcgOfYh6moHJTV(zNrz5dC@0!>N>BimvMfXt7?zj zPsR~2^hSMH_0lRpn_IS6NQ$`feVK98-}r^6*YGrC&%e<*(P2+5@bO2yq)`(7md#qw zw7~yiQe^?1_&MBm_$zORc8+MiHx}5hAkXDVE>6z?_?Xfuy{?+nvRDZMZ+F<|FM3ou z7%d|2dajP=wvwrwZN9jj@>_%c11xsVN#+ikd~=tmfWw2yTcal;zO8%Bb;*Z6j$C7H zX6Wnq-QZ+6<_04mK2wEIx`)z|8gTeaTXQ`zuU&5WTO)N*maO>yaOD0bAe~^MoF@DF zSHRidncTi~Eicn6^CD1zqd2kd_I*jRHXoz=nBC-L>JLcJSc4Ypxz_ae-O1GSDhdB( z*)hp%MyezZ4iELLd|>WLKCZNJ)|7_hp-TGfO%#4q}5e_Da@p9=eF*1;lg21vC9v? zua0Z{?uo|@@f&g4qFIOZ(7lb zW)}IjUnvm~s!zpV-H)^~FLcza7_$F^FDG=;VgFp=G(xD$@Qe^*#8Fa2k1eq}nVRCo z3Aohx2NA90L|AINLqgH-8a|JhNk{rN{lhl;X>KpJFR;NHPlK3PJB}i#v$JdjXkGD- z%4HD;A2pD>0-jT67`&=R6#tzHB!$%p8O2oC37ZENGB6UYy{`N}B4P(bkCGkD zw+9MOnp=RGRyapWakV}oFin+v!_0WN6KYiCdO5At=qi5}|3Bm!P7wI|gc`mEuC2W& z!P75O>(?COK~>FYSUOQd*ZPfC*(s;V-25~2>(@E8Z7&VrUAeHFa57& zBwc{Y&riN?NRix74hQ?`Dx&!B;Q4x#8O-)}^EFFROZK8_CZlgbaQ0AD+-uH?ZU>Le z9mube+wyY#J%a63>ZpIgT6H8C^^bmoLt`@Knp=B^vBhD+#5zp^S(r9=58KtkgG0=p zDl~DlN8%n4XiOY!JlYJKJS;RZ-NW$2DG}jWoZ#C*ureW-AS054AY;dH>{dIl zBM9v0!9kB0x-)j`gJzN+H8I*!d0dfP)&r2u8p6U|Ga2jPfa{~&m0u{0x-cObwZ zY7D94IPQ1}CEGvP(=1}P!{dqLYtv))gjZ`tYMJ-%M5~5kT_|_U-fuanMBt!U?vld0 zx20X?+dj0TJBMpv1cxxi7ZpNm#n~U6?1Z+oXxm%yg6B*@#2lDuz-|#a+2Ggki)hnW z&(^JZiu&sKF0(L^-qTc{%e=^f3M5;}3%(#4(V!O)dMoajc`j76db zMmx;?6M)enawvQ^ck_a1{S3H`3<#EB=!?#Z@)T{*rN+0K7@1A-+m5jZviv7 z+QZvxG^~0J8@Z`=Fuqo4Bx0BEx7gat(Hhb(Hhs;!xKubsZxV@MP>;gcQrdP%7TPhC zh>(u$7>&kBtad6i1CFaC8IBP!k(P_6!}f_Mg|U$JW$f!SA-Raj(T-HT3QEagZ55IC zhv`se;$d91zZW91rRYz*&I@5uk7A(rj!N9oAb|syz0hUGJP9|I8gMMlIV0@7*ip$0 zCe;t)r+qHkZ^6r{7!qO{8(|}DcXWW4dZ95d=*gPIKiVtni2$?qHrs%47fPvy;aO#* zT;Ug+gHM|&R1R^8%bqA{^PE+}4a(TQWCr%i=1e`zu2#9375(J@4#Xl>4O3Gp`+Y$g{sld2yvOrw)fvqVh-| z=bO}p;va>&awh+7!uDl)>+>YPa-5;GVLta=Xglf)gB9aI6~$Kdb(0PwRp^oK33uYN zDlS{E7716wchV9lc_gI3s(mE;a#un)y>64_+Y8mcp$Fc9#Q1<{iZQH-*E?vRNAfMmJ^h7v7Z0A6sj z1mT|mp#QwF6&!!xEB^7d?QZ>`VB?}6aC4Zt-E^(`?=C>@3y%use^Ww9?2T4>@mZ}R zWbn?AkL6YT+amBj&!Ph~Bo-i8to6lY_&Nu6qU%I{gg$8fcjrq$j!E1|MTHj)?%wRJ zG=fFIRZ(tD@|ODFeY*iN7rPwxozmrIx<_v)FkQ0T$MXI@3GzrvH6LvJAK#(h};j zjLVHEHmxWy3m4ui0f~*XN>E`t*_isJ~nm-62iSU87K6|r|CT3 z7^jPBzB#+xIZchEo*bWc_NA|g!-cRfKX#l#S-x3sLVvutYt{2W>_^*c9dler-a6wM z+cVFdm_+y|)8spp&v+21K~sI)&sSX4D zlMMTlBT|?bJ%;%?8|g4wsJmh9)r-ku7E;-)zV>WY6dLVo{{%jc^C3!0di(CP5b7#~;Aqc<#7pdQvw zdp+6RmDuPGoG@cQ`^$oyk{7xzj{~>vGI9%b(_jJzeSTh}?Z#6A==@^4 zuL~y3*xZi02*yK6URz5N{!uiB5|`|K*M!JZRbS5DD{7tVX5H3SEG5kv`s91ObXO3V z8g<e0y1R zI1U0nt~~L?-P(*=Kf)U!mJUOaJgIb&s89qdxq|NAh1F+M<@wp8n?eRHp2MJqs58dPs0PLsu_VD-u%=2+#>qGjADZy*KD^6cYY~ZCxROfs3ASQ}(+W z70h*Ce5Gy<-Qn_3^Jvmv*LowcBP6cAIq|-?s2hBi_SLgx&ib6_G<>`8l2YB7EE+xf zGc3~Usm#hktizkxjg=Y$oKyn0SkEKAW}ti8L|OYS*V?ut?3m==-X}^BE*?gBy1!S* z76}9&SzBC~>MUj+hrCR#A0j9^v>n~n;2bsBDEYIkE*@3P=VIAfyg_eGNlcHjMxTR= zhtJl0Ba!$Q+PrD|)kaKyA$4TeR|*%@0`7iAxV|YqHMFc>lgYdZh96M1_dIxijCEFBU*(OQ$pQNwC zkdtM?#Q_^z{n1<2TJ=Y^^#UHZ3N6kj9Y~<$vc}f8xm@OB$%V}uyOR01Z#9oBZKimf zs|t?KoxGSg4-s{Dtd2%Q=&94CgH+ZM%!lC?I{dYX3P-K%rApVT*dH7HT*^L1Xtwz4 zG|Y`Vck9(#>j$?S@|4u$12vDv?CQL$mVd;q(0Q*LeGek>YX5qjjL2h5J@A@{rWe>V z&)iBk(@pC`;LM0KG71I4zMld(6WnafAKS>xyZVM+C5Q6_m;b{BP^$Z^W^!i^+Sq?S z*5-+gFDaPxy1*DE)C;|_^qpEWZ&lT7(m%9rYCGEi3J?-tT*@ z~baDfw{}<>C|uKO|TYBbL3g+Xty1&gmM4+(`?ES;~XaUmS`L*%x3r=eA~>h>?NR z_H}d6O-X@fJg)D^(spxXuhhVcrN4J2o;Ol^qQTJ;6X~?`m_YsF+KwaHI3R!@ICp&G zsm&4WDf1`!q!{rET<+kookh}@9~MC#9Q573V3E(8a9bs8n}J1-6z*ojkC@mWKAvyg z-jvX%^JP30KjSYj-x<4l5!wa9fmbUBpP3dl*#%21f2&Ux@Ts2JYl4!pY*}>60B88U z&3K<;hdV_&oiku!oKxm-F+vo@?F~6d^rBoPO{7fXT=`96S*Y4iYsI9}eNVBR{$Oky zbfLrBiXKUl#5q%fme{~DMCJ0uonOJXEiaA(uOWv`B%eR)GV~T*wPnP(za6-JTWNA} z&XnTL9R}3K0+`ccy|X$#Uf}XUo}(%?7CzUnAV(=saWEV(ap0m6U$OXBIC%uqSAQpg zMKlBqMmiVp4hgNnym;8pGiq%8{$&YbzRd&YV{uPER+$w+Wp&KrhSSqQa@3!!nz^IH zb`IU=LJaY)C_zY!xFTah0UQ2!{p0!GUJkRzpMee!^YvDkbLip=Rj%7Z)j@NnK^dbA zz%wRO9F9UN{+5w(*zg}M_FSrtd>sfNSqnAFZXm)*iHYIMY}>u$LZwA7so=nFlIs)s z2txmYX|{d?(|nz$U`M}EkLj2LXT(W&0=SFV0|8%${74XVoYDbgFpgepaB_k}!HX4d&D%7G4(nd7VQ_sTUuzSmLl5YRe$g{7O5de#hOx@|A?S=`)=D5?bue&D zt1i!s(FH8n8G4!ay4_~~@`ea@Ubt6{wO~In@&A_ef3Mz z365@1rATzEm|~=_ff3*MX7~L*{jvFCF$2Y=kyHa$yOYenohk!Sgc@YK+WN)Qli#B5 zaYqZpq}K>&HnXy#CnO{^8clxy5e3fou)>}(vi-P}&AXc;np)bEIbzQeczT<&nn#{3 zdtcJf5wQKjp;7)nf)M8NU~|fD@yLX>o?6gv^#xk7&|95%#_PqHxX4v@st67Br|`Q* zm$MOg3_9qiJO7e{PuvUtzCMH@U*&|m&x75;`d1>O>By*;#W1I*c8BQOF&M;x(||cQsaj65)a`22jD~GJQUKIpT~fOGizexQivy+JwV`jqx**gdIA)3{i}{(7wv2 ze+E4Q`q{7h*Kta1(76Y0W6V!t9ah&??WC1zs8r6t#~Z+ld(I|MagiHf2+-XI&d!4C1Q{R}Hy~iIyC<|HV|xhip836?bPLRnw#lF_^%Mt{2^+5pp2(?Spht6I!`3y1xe^xp^s3*~UzKfQ> z;oqi78nw}A^9(e&l*2&94+u}=liGQDNekY~malSf=vAWV*r%|~HDdaYx$5hJ@mU!# zj~)}0{?p8`k9(^AmhwJdD{&Gn@Q zP|$a(Lnz0pYI&GY$dBnUqVu5cCg$y!G4oM{8S7~|!XWwH(x2P^x?))p?uzVkx{B3l|wdI%d73)xaF5%@i z6(4^U9JioKWjH+OXHwE`bFy)*8o2H~4jhFErYft8P-}CuE!`0o=w%EZYj6fD?2)Pr z7zfW%FuAe5dQ}QuAK@Rjc5F`JI}fy&;I14s5aq{ph!epX-#?vag;ezJbraAg&~}E3 zKGCRUAL4abwM8?QznN18YB^>9tZ9AT@p2vF_`MF+4bgx1F8g2F-l;*7BXS8N8=a|c zHI10YU+v!7HE0ZQ*gY`~`#w@`zj8!nbojPOa$2a;2C`Cqx5fe%?xOT{JGw7og&OyR z=DI5t`@2L|bNhA1@aw10hoHk>%DRvqh@#$;Iv+ zPh&p@@6DxjyucAGHsn}+V!Em-_-OStL;f#)&kLSl^^qJ2|9qWB_vBWJK}BADlN`~P z1+RT_SX#W|xxygcYfiMiSE<0DGBce#?%~XlsqQB1jw6J+BQ9|?C(KI^H1{Lkk2qHf zEh37i`htO~^{Cue5njP#$fhdF?MlY2I(ksybOq5lmDRmWU9q^mt=#VW%-&;Y)F-;3 z{3-Y;%r>L~U=b5mlDHR`DCF`fg*+_`Rvt~X7y6jCV0l!_afLF8Z~O#huAWz{RE%rA zv%T@Ss)K;MX~&HOq&dRixDo}}LG-~_)_dG7;JnA}yE;1b%~@mp(KXKqped(?d$Mo_ z`}?A3xQ+Rd55)A%0zSuVz8k@sznc_#({ex|6T9 z(9L8zy#?}bT*s2$2Ccc_7GwkbQ|B!cmRp>C<2%-R2gvX^=)9zK_TQfhsBgNQkjBD! zq|TQ3?O4_{zH4B-kU97jIfPX?8soo+5q@#~iXnokqSJyVan)?h?eR?A@C+JA>7d>T z-|gORb-eSgRb%W~XCqT^>$B?Q)lS<#i!cNsS{cQr4^gMsztanP(|TydfP#|g(c+6bd~OJ0T=4}r}flx zPSdkp!*3z=d_G4?$RAw-`Y_Mqd;(Uu*tnXI#&KoYcX-ZE^om$5pyN zm5Xgyz>sahh^S_)9joq>jN|bhXPlZZUOf}=bq;g+YGo+p7rm!$!3XFBu{A!BpCdFc zdMIE|6sx^Fo;|!I+VK24%Jfq+mAF7eL`r+=1hB(!@`t9=$sBwMw@^O4z;L6W^#PkX zPEBxqo_bc16VY@QLNk?&o{xX5ZZWIHDsSKQQAC~bX4-}m$~%PAx|D1$KGdso{_yC) zsSZVx-D6n5c``?ct5cGA|JJ@11sO;!!&D^NM8h2Q4d(UOm+9&bnq|GD`I*@U`Qgwd zN6Oo@Pww7#0~lQCwtz~@ZtE|5Eox%Z*fURvh{NHDDG=-(ot8l%CZ64(!0P&}6NGda zd3H;oLrRo^mjrlN#!)$%PL|}u+|<~>^VS!FKfCq%RTye;6szsIT6;Mp-0Z!ok!f1- z>FAJRzRgpR5JO9ewFI%o^!0P{yR{m-N27MU@o4>guxGyC#%NZI#e9`gB5J>D7DGt6 z`qZ=$8zQA~8y)DuWpF)Qhj20#Tj0WU8BoeCAkfuxpI%#>p2aYP8B_7eG|Yn{i65I3 z;@}4K$;63fs4%Y`;iVqsjxkesPc_a!6My8%?7c0k!O;7lhF_q0@nD?A8ir&fo3D3h zrqGP96iM>Zecw{W-dUOb&1k^cCEl9a%`@Qjrx>o8eUM%+$3A zPn@8eDwJW(=Ew?O_PvP*-So&2@e)7U{1f+{@6M`?&buF?pxOrFNvbMPqRUzL_dpS+ zb0}|)9z4Ji=^;P&{5R)B-;6Yey=bFM)o2)Kj`obWFp`ez^aDTor{D9(T#Q9$ie&%HP-RROJ0~9#1YD6wCJ!Zcpr7K@EE_;apFX}Am+@48 zD1S-H-A6Ag*wn@DQ*tG-lkV#O{Q*kt`4(l8G7VAXQ;TDExIz>UIQs)p#8)wp5mKL++*QcIN`@LE>lSbW* zd9ESyYkLF&_DJ9OppBobthUPvxb+tO%O_kv77K9TfWEP0{Zl>)OhGbwUB>`x9M((q zzQ{9Qsi%alElyVV&)O2hS_9jk*4puP-_rUuJVsIlWu<*d;(SH-*m6Axyyx#o5uU2| zUFq8_Obypr_4Dt{Z!hQPJJ(X0*kVZZXV{a!IPJ4RnBs9L_eJC`b)p0aHTSinC5KE| zG+mOXK9F?)wqwjag`BbLzn~dNv_*9pnzDLt{}omK1{==GP#80kk}r`%<>w- z9M3aV4~kBgDB8^WA$py7WqKgs09QP&eaz$S%WciCe#URwH-GvJPNINx)W2>Wf=KfKN_q#(MIZuUn-F?c<;egM@xaTx5@@=&vF=f=6dNdW-6_=ntf`$RW$L_+NudcWsGrLbF*eAK*DSZKiyymD=O z&f9tb(G3gYcZV<)BRlWmhkMmc+c%AUvVbomOomMP`EYrLn;p)9uh(+FKc0k2_^^q@~8-lpQ(>J2a7( z#kfzqSMI0}-W&J$IKGp9K>wn!^ zc-Ye5y~c|yDNE%Lk^z2Bv(Z=;9KP7cXCK5I36q9)XJ>fXcuq)6`mYBf*W8yKD@axg zK0lJm@piZ|*-9)$#v({o-#?x+fC&bXWOJGGHrRA)C>5&ngG3;z?4+on4_**Brn)mX zmb(aXn2;j^Q{Q_aqOM)$r5zCtmtM!r+Cz{YrDQIYg&G&wdWx0CnJvS;a)DvJKU(B(@k-C~LcErf!1h*T<2OG3+<#*2;A7zo28E6JzZ|>iMEtywYOrTk2jf- z0W`XXdv81YEBaGTc}*jy(|7*l`U)rlTn2=CE*$msB52?2~F$K`Tu8_&@O=H-eaAtnfuXqR& zAs>APCv?+7ekoIH19u40xp1EkN!29aO4`D|7%QXE%k8<}F6R*;~>^MO_YaK~VeB~@|lho-981z{@N#ToD!}sm)7Yo1k$>_@g z^KU*hf6Kg&$TL69n6om21NrDuvV`Su9L3Ll8EYoH!{MrY51%iSExhBdA;G_%&_VIC zsPc2Jr-wC^giM{q#?xhb5g9sisq+WP2@byr=E+h6P{Y@1_Xwv>F@iuSD^(U3)%l6O z>sI`sHHS)+@>OaHv#!bE6uV0;aDR!INr0*%duXnVCY_B1zc*;bpy&C$=TsF(i~8_( z_-ZK9c!~+Q8>fDzoFUaH+4@)-(mAt@<|uS=7`jMRH01~vhSPtX*eBXKYd@y zalsW0&|ba%D+8@1DXrTMru&Yed*VrY)LKs@(_zM5Nv!f>oInEc88tkYxwQ*D2t3Z} z&~$P(+FiXGNVMCIhEJzkPG>6_Zpu^_E1hQxHPzI0Bx~ky>0^ z6DN4-mu(_@wpx`YL-x3{<)6o`^&zao75Jpd!|#N0?dx*Vc`Kuftve{9wGCq2P=fmF znEF~ru*@~`xEscZKsmw$xQSBqh^~s1ERRwmXCO<%zxP~*c zKzzj^ov%8}0Fm!!Q(M*w(u@k@cGs*dp82>rWL`YsPmfcdUY+u(Vl`M#FD8ehCMey* z?cD}6?`g*5tRX6-P1Pz6)k})mvD86w6CzkyIMANvcAD^+yCx2whrmeM?CxRcOQZMV z4^p+eh3C%5Q>Jb^GtTy+Ojn<@dTFqEx7+MH`)$z9>`0>6YXW|!OqU5%xt0i|zk;v>6w3O6IgNk0P9^%e)MUU2^FolqTKV2Xjfu>qtR5V4dDDRZwu7Y9 zRR14maAz=G3?-=2oTqGkugbNNmjb%KaIXi4gL_Fk?JXS{Z2;|!nEpif*Y?Kcp)b8I z|Azg#nK`jkNq3h-JU44TYiL)^K2IYWO17e_@lCfDu={8D-hiP{1TJ4It4U|AyRw}b z($U6yfSSMTL!)ww090rqQThxc_Y%si`)jdhFIJKIz6@0sM^ESbhW&PAFw0m*&xl&bT+i|-7<32D8SnDii z9nn9=^c|Aj)p#^y#*$7{EHD^gd=|0z9Fr7V@X0qol43oD2JLnhlOG-)G|=12P9PK0 zK@_V+q1nosGKPY7fzYwOXLNljf<+KCF^LjM0{zyhP)d+KaC~4vm=}SKeB?R z-an@X#k>#uF`C6gk{_Ogm>VAki;JI)yA4;lEoq#Z!6u4RObDs>%$z)>l{GHrXMb;3 zP{2HO=6%X(pqS5;hGY+&eeKNG={{8RW~9=Ydw~nk;sSw}Cq0f%MhF5DXm$ch*9y|T zuI#}(gf&Bmd%1O37n+KX8TZ4rk4R}3s=O&(Lei~9do3F(Dt6};_wW`zDt<(G3suzy z31pze`u1*6OZe81H?|XOK>wkARYTv;$UQfH?j=oBER3%B?_ZB~mq(;~4{GhjEEBmG z&BiHukbw=IU5~2kY%>T#_7#0p{`h|R&dE`osGn8edQ=Ed@b~47T4U)oS+f;sV6QzQy8EE$ zHtp@?T9F`LUP5L{ex>t}C0RfLNC4a|DSeA(uZz7SH#-707HMk6{$-R^A@^?c$`GC$AEY{BFZ~vIDr?@T-&mrEP?C z_LGC*bwgb1gOdOK^f#+zC+Lr8FZkl#3<^v!sTE}+_?M#c4kd<}{_YR41$@ydNe8|i zkih+*@qcdjJpj-I^S^!qK`k)+PjoUa-Ty}_5BxPb!jQlp&FkNSuM=>ev0u%C^?3hC z*#G_-pmF-gI{?1$jaFM<3)}#6wYae(`g(j42G#ZH(7!(RfBpR2aFBIfn{|-%pzv60 z2-Dc?UCY(v^hY8b?5~jeU6o#QeE@Ajb_+uB?$mI2J?f&)nRb0A>+R6earF)9*5f7h zO%-qQ@mnwT&Z#~)a5E3PZH2l?h^^=HB+1~~nXGAT)yAkf`uM~uE^%Cm5&;IvS1OTP z*ufYR>Fx=5v_y}`{ymQnU&x*$zRMjwwS9Q2Xm}ZWylB5e8{+Z_$-8-?ZaVQ;yNmU7Uh^gjRUE_# zH6GL)e0#r|mA6?@y-!qaJ{SNf!<;@e%ClWK5P(xDhU|~>JxIoIxw~@(G$s5yDxTQC zxjhl~kEUe_%+F)X+tmN?S$v}``Q5a{TKrG~O>_pH%+yoK7F&7*>Erfwbp$x%yfPVgR>wWN@v- zKaMQo5!hTA>?D}|$>q*eyz3kp5yGF+XYzfcAb7-}bq@5n32~ z&NrC)+_vLMQ?JkZn6TVVwyP$rUN;neD@+lBAlp(0oTB@WLG5{gx8ZWNmTNUfhU{`Mn!5#CSQj*+X};$BOtXOxW>SF1|Nf4SdvELwX$+jggbg?H{^4OGk%tWv^GgSR?pV20 z#h>1NmH6#Lyc+>FB7>Eny02YMs@s^}QAnk4mMzTMqgdp@#hC=vd3&#)UbLrPbm>r0 zQi9X8T4s{`%ZORuLjRn?{2ZJ&Q~W%g#I4=dbgWW;NB1>i+`e?mf_^3y>>LqlZ0T4F z^88DkEl~y%1}46j?h0mH%RJ|w`7Lbm0X(-}L6a7V-d3Wm86+HwbbFrR-vvp1w=!la zgEn$mVau`tHiQh>5~U!ap<-3LD?Q8q{uS%M-_*O&AiZw8OBfaKzcQnL*mIvNAZXBn z-V`Vm5Bg_&mhzlq10W>nJV-Z5SLyo|3hie#F6jkvVWeSl&`8JMz9_3mAv#-7jG=A5 z&dh5SmQDO5(<*pT-}_SJzxDydWC>n?DI51csK@8O7O7FjgFZW{AaFX@hYszxZBYX5 z3A&72{+{ulgMU9*`KL^d!Ys6Bas#*fRCkB4>or=^%PU?3knAm87XS+DW81F*!jR-2 zQCVX;KP;#;vB)})7&z5!JUdx&BW=A2A?{t4_MYo}bmDK{&_}ck^jlL>wGXXQmwzp} z%AM|_K@Ey@cP@Jg90?vpE0{7oS(i)J^PBKN@Yy9S1;#XFU68Z_8T8$Eh(22er z;m|}ae<=XD1Xgs{2MoAxd8wPEhUGuHDf^lW&Z?Z;eM)Df z2w%K^l%sLhd;>vPCH#~Pkt~_XRCem%~;(PCl}ad&65R0fk!!m%-_Ke-Am0 zD^1UV`F2ObihJGD)0bU8em)dpTV>0g>b%2-Rxtx)HdEBlFwFM5Z{&936~IhVGox48 z-^?*vD}@qGwjxjd#$MJz(A7-AR#jUoa|^@4f&ddYL&vkhw@{Es@Mm8YB=%*;2-02@ z$Z0ss>`^G3uB;zGLRgtdaW|&2zq=c-LW1vIZ6^;OOvt8 z+EHF4N)JBWA+Pr9nla7!@}XN4N1P~&=s?q(dLdy$jMmDY4f1lOs@GHNT)UWtk!5#K zvpM-KQ=a`IV4uUaC~NBE90DOJ<-V%#FNmxa(1ajeG&mj1W}>0Wucatk$L)0+6-c*? zwjT~o2p#>!DT>zA_7g}7+HR;A4iT|fV6Ay#xzLmix}`mq$CxBlWe>w_8G7N*;|C)f zvuBrj%~5(%zRyif;E-nhj~QQl1K1*#3A-xL+BuWyN>i5O&q*`P6Tn(-WLOsiRBqs6 zxcUg0A}gDk`d<79un~t3h|#KgjoJqnK6de`ZMzf1{zBGNR-KwyJ*EOw8?Sa~Q(XGQ z`j{?^x*bCiSxM_Y=cYlUI^r9b9KTKohYrj3iq^K-BoOzd97^boOzz)5exZ>4Tgcs4 z1r_W)ZftX;1~L+`j8&RAGL8M}rnt9yqHb18>B^8so5#iUYZIkON@9?|@(S0S@gxyC zIUCqGw}UgX9r((0|G0U^1UmPVa7?LffzL|J>T5fynMXdy#^A1O6}GOzZa zgbswFOB)7^&z`yF`dq{zLy209QtiHanyfU1C7UwjqyOsO3-;~{iF-GbZ+~)0p6S8P z7Q6xV3XSQdmAdP(Yrrcy7lsDga`&DO5)?Q)h#9XiM0AuI0$%Vvow_ zm-W>)9>v2DvdPgoH|P)*#PsxC1T=H zBBOb_LK8*O5}t6aRV=~U8P1jG^8Q-uu^b7o62QrB_KeYC^MFXD%0GfvXY%^^P3CYu zU=~eXnK7A7@paF9)fUP_ZOqe+E_hW)eCnO$LWegcZlLdK*^xr=9uvF6U4hA*CjN3A zs&<{9w5jJWjY9m>dfHn?>|Z#0ln9oZVVsC*%+52;)zn0a4Is#mHjft>f|RI1YoXGA z`!0}uooHh6yU#rlw7q(qxTM`AjcK5&GxR0ago9+|&j^*qs+YPEp=3Bz7ORb zP?A=;g+0!`usc@~)01?0el)dI&nG(U?W){2TJxk)q>OcCA%nfJU+(ypxU$4~kv3*n zZ=)x-%|O&Q@|`Ag-1r_&}pT!h=;{op}%Y&{_cV? z6m+JThTYda*3x))$2AuLFE!{IHxrjDpA@d2WOA~76Tis5?~*mtcCMG~qT}N&tQX^+o8{yk{a*DgY0Q^()PS+%BP1N)Mmg!06uwTnr)9qyqM- z3|&j`wG?fg zZ(shP?65H^Q}_9cYhY9R+`wQcrFe4;*DItDjAp835Z}EObMOYm7r^~0QTO>5@KC@Z z0Y8tZS!;^O zQ?+rPJ`pREeb15_CFvWV$W|8a0(yDyE?=4@cAUrDU1>3C4^qk&E}3h;V-2<3lV6W1 zLD!2)&DAN*a|Av*r8Oi$d1+7B3`)`N4tBn5(e1Y|2FTVtA=?=fc_ppoHzzV>%JxrI zhOm_#aTsk^pKRMpmtt@x8g;xL8g`WMJvi(d-_jErF;-wN)$#Bwj^)RC{FN2C+FOo6 zrf?`ysQg5iWWD;mpe=~N@yT(q3B_OxpFA zzm54gIs|6dBK#E08fsH}mHDezTbhUHH3H6UDTeP9vP6UcJ9a6P35>5xgtCF|^qArc zS(4-1$%X+MhAAmCH_&WX_Xy9m7LQ2}sSA=48!1=tjwwC&cnum0cJ$$Lqw6;5zJz&v zHP=06m%B&O_AfY?YaOyv&xmI0iP3T`l2?&;!cqD!DMPU+Dr0LXcY7Whk1D+eXF&)T z4=81e8QBzvQ(kMXq=*APzF(vgzTj(e_=heLF_-F_^5e5Fb9;oOSdLYjzsN@%YGh4< zWrB+eVtb{N){ksQ9s>>S>L(}b?dc#APpwv3A^9+lb+{wSL;V3`D+4M4y0*4A{J;?`Bc%G+K?I zE*30VO61|&ZC0msC}UL#gd_9Y?(H|&;kJj9mOX^bO*Fdgs=JIN|F7Nn)tp1Vz;An2 zY!mJI{_V$%1x)I8S!f!qFTvfY!mr-=mFNmZGE+C3U>Id8%P%5XYX(>TY}nIs(<2G- z8PSZ2JRahsLc9@bClYP=80XbhTQ>U~w}Q>z6YH?DcrCb*?dEiVIt-HHo<#U$n{^lz zQm(4x)b|M9u%UFq+zTezildkFbWZp_P7&c7T}DncVkRONi10nDlxT>K?pry2%F)qV zc)QV3C&E{rb@pmK)hDCxs$CO6GsvAA1thzi#?|$^Hoq`#1=}NLKWOU0De_q=I>L6J zdce40$3LUOD&r~d=HW@4>fh{)hr;tmPi!XA5!Dr|bIu`1LarE&w=aeSngdYLHZTL!6bXA-oLmx!V&Odt8Z|nN2F7Y zk)t6&5f(x53xEeAT$5xk)EneCe7=9wf5ChYS5ds z*WXYoIH(5EHvtwzqd*zU$u0P-mMfOh6I>C~O86ODE;Ig^;_pa|15NO0*A5PR+%?_4 zTi}8P4a_Amr+d;ZDF3}SCrf_E7tjjTQOw@L--J@ngx58VRN z4{9mhb_xo}U?8&Kd0;2v&zYDg;CJnMIuFM=?62;Ovh{cLU(pP^Rx6SWvXw;hr0kBd zwS;`^TztkDzC0y|M@Li9(!$9jRegB^QZW1$x&MvPOrv~GWNtlNRx`=a59*f4;4Mq4 zd2RYWD~!>gBxAwMd~p|(%Z%@Rg;~$z7`8|R3GtgW>D<@1+iNKt@cAFWVBHW6d>ec` zBFQZ4Ep8(3_koF0CLzjC<*a@zUElel=*>A(5ah~3)k`%{JUv~vJw6^CFW6T$NEUfI zn%7L*Xle0x=v7d$vrk(AQZYE&h{gZJ@c2e6gU_v%p{%U5aTt4?HCL;OBAb~2X3Do- z6rw$a=P5lpyUBTFN<)<9Wb5F9BTJv1w;Y+x3quhGcChvSIu)KWmV zb_zbr80{aJ>Rtm13=6#h%C}os7!ueA^I}PYI8ASFvS}^ zXy;usJ1gbCv1z{SzX2CnL`gU<3GnprA3XSTMxRU*2G6(->iEyL8bmridUWwIDH}*O z*STGPM*Zy5e<76C;Os}3WN^G1()c#=AMhpm%YOi(6D(s?U*GkO*h~*vuRp&Q+1KYc zrbtxfMGP}Ad=A5^Fe&q==9?6lA?!o(CRk1fPAf$HU)m&?IVlV&`1SW>cXkeiWSXt? zx{zR+`i;O%z2={_o&4B7y?gwohkunLYilX$zHkY<)rj59WB1wb?Jic@qD| qJYztVk^g0_{P(;6UqyZ2-o5yhbfkH+uKor7`ywtURxa|@@BaZn09=Ov diff --git a/versioned_docs/version-v0.22.3/contributing/release_flow.drawio b/versioned_docs/version-v0.22.3/contributing/release_flow.drawio deleted file mode 100644 index 6ca6b34f..00000000 --- a/versioned_docs/version-v0.22.3/contributing/release_flow.drawio +++ /dev/null @@ -1,721 +0,0 @@ - - - - - - - - - - - -
-
-
- Review release notes -
-
-
- - - Review release notes - - - - - - - - - - - -
-
-
- projects -
-
-
- - - projects - - - - - - - - - - - -
-
-
- projects -
-
-
- - - projects - - - - - - - - - - - - -
-
-
- Organization Webhook -
-
-
- - - Organization Webhook - - - - - - - - - - - -
-
-
- projects -
-
-
- - - projects - - - - - - - - - - - - -
-
-
- - Publish release - -
-
-
- - - Publish release - - - - - - - - - - - - -
-
-
- Maintainer -
-
-
- - - Maint... - - - - - - - - - - - - - - - - - - - -
-
-
- metal-robot release handler -
-
-
- - - metal-robot release han... - - - - - - - - - - - - -
-
-
- - no - -
-
-
- - - no - - - - - - - - - - - - -
-
-
- - yes - -
-
-
- - - yes - - - - - - - - - - - -
-
-
- version in event newer than release vector version -
-
-
- - - version in event newer than... - - - - - - - - - - - -
-
-
- - do nothing - -
-
-
- - - do nothing - - - - - - - - - - - - - - - - -
-
-
- Github Action -
-
-
- - - Github Action - - - - - - - - - - - -
-
-
- Bump version in release vector and push to - - develop - -
-
-
- - - Bump version in release vector... - - - - - - - - - - - - - - - -
-
-
- Open pull request from - - develop - - to - - master - -
-
-
- - - Open pull request from develop... - - - - - - - - - - - -
-
-
- Update aggregated release draft in - - metal-stack/releases - -
-
-
- - - Update aggregated release draf... - - - - - - - - - - - - - - - - - - - -
-
-
- Integration Testing -
-
-
- - - Integration Testing - - - - - - - - - - - - - - - -
-
-
- Merge to - - master - -
-
-
- - - Merge to master - - - - - - - - - - - - - - - - -
-
-
- Review -
-
-
- - - Review - - - - - - - - - - - - - - - - - - - -
-
-
- Tests suceeded and PR changes reviewed -
-
-
- - - Tests suceeded and PR chang... - - - - - - - - - - - -
-
-
- - publish results to #integration - -
-
-
- - - publish results to #integr... - - - - - - - - - - - - - - - - - - - -
-
-
- Release metal-stack -
-
-
- - - Release metal-stack - - - - - - - - - - - - - - - -
-
-
- - publish to #announcements - -
-
-
- - - publish to #announcements - - - - - - - - - - - -
-
-
- - - metal-stack/docs - - pull request - -
-
-
- - - metal-stack/docs pull requ... - - - - - - - - - - - - - - - - -
-
-
- Freeze -
-
-
- - - Freeze - - - - - - - - - - - - - - - - - - - -
-
-
- Freeze - - develop - - and create a release candidate -
-
-
- - - Freeze develop and create a rel... - - - - - - - - - - - -
-
-
- Large integration suites -
- - (currently owned by FI-TS, not public) - -
-
-
-
- - - Large integration suites... - - - - - - - - - - - - -
-
-
- Run -
-
-
- - - Run - - - - - - - - - - - - - - Text is not SVG - cannot display - - - - diff --git a/versioned_docs/version-v0.22.3/contributing/release_flow.svg b/versioned_docs/version-v0.22.3/contributing/release_flow.svg deleted file mode 100644 index 55cdd493..00000000 --- a/versioned_docs/version-v0.22.3/contributing/release_flow.svg +++ /dev/null @@ -1 +0,0 @@ -
Review release notes
Review release notes
projects
projects
projects
projects
Organization Webhook
Organization Webhook
projects
projects
Publish release
Publish release
Maintainer
Maint...
metal-robot release handler
metal-robot release han...
no
no
yes
yes
version in event newer than release vector version
version in event newer than...
do nothing
do nothing
Github Action
Github Action
Bump version in release vector and push todevelop
Bump version in release vector...
Open pull request fromdeveloptomaster
Open pull request from develop...
Update aggregated release draft inmetal-stack/releases
Update aggregated release draf...
Integration Testing
Integration Testing
Merge tomaster
Merge to master
Review
Review
Tests suceeded and PR changes reviewed
Tests suceeded and PR chang...
publish results to #integration
publish results to #integr...
Release metal-stack
Release metal-stack
publish to #announcements
publish to #announcements
metal-stack/docspull request
metal-stack/docs pull requ...
Freeze
Freeze
Freezedevelopand create a release candidate
Freeze develop and create a rel...
Large integration suites
(currently owned by FI-TS, not public)
Large integration suites...
Run
RunText is not SVG - cannot display \ No newline at end of file diff --git a/versioned_docs/version-v0.22.3/docs/02-General/04-flavors-of-metalstack.md b/versioned_docs/version-v0.22.3/docs/02-General/04-flavors-of-metalstack.md index 7da427fc..2277ca6b 100644 --- a/versioned_docs/version-v0.22.3/docs/02-General/04-flavors-of-metalstack.md +++ b/versioned_docs/version-v0.22.3/docs/02-General/04-flavors-of-metalstack.md @@ -14,7 +14,7 @@ As modern infrastructure and cloud native applications are designed with Kuberne Regardless which flavor of metal-stack you use, it is always possible to manually provision machines, networks and ip addresses. This is the most basic way of using metal-stack and is very similar to how traditional bare metal infrastructures are managed. -Using plain metal-stack without additional layer was not a focus in the past. Therefore firewall and role management might be premature. These will be addressed by [MEP-4](../../contributing/01-Proposals/MEP4/README.md) and [MEP-16](../../contributing/01-Proposals/MEP16/README.md) in the future. +Using plain metal-stack without additional layer was not a focus in the past. Therefore firewall and role management might be premature. These will be addressed by [MEP-4](/community/MEP-4-multi-tenancy-for-the-metal-api) and [MEP-16](/community/MEP-16-metal-api-as-an-alternative-configuration-source-for-the-firewall-controller) in the future. ## Gardener diff --git a/versioned_docs/version-v0.22.3/docs/04-For Operators/03-deployment-guide.mdx b/versioned_docs/version-v0.22.3/docs/04-For Operators/03-deployment-guide.mdx index 58ddafd3..6be800cd 100644 --- a/versioned_docs/version-v0.22.3/docs/04-For Operators/03-deployment-guide.mdx +++ b/versioned_docs/version-v0.22.3/docs/04-For Operators/03-deployment-guide.mdx @@ -31,7 +31,7 @@ You can use the [mini-lab](https://github.com/metal-stack/mini-lab) as a templat The metal control plane is typically deployed in a Kubernetes cluster. Therefore, this document will assume that you have a Kubernetes cluster ready for getting deployed. Even though it is theoretically possible to deploy metal-stack without Kubernetes, we strongly advise you to use the described method because we believe that Kubernetes gives you a lot of benefits regarding the stability and maintainability of the application deployment. :::tip -For metal-stack it does not matter where your control plane Kubernetes cluster is located. You can of course use a cluster managed by a hyperscaler. This has the advantage of not having to setup Kubernetes by yourself and could even become beneficial in terms of fail-safe operation. However, we also describe a solution of how to setup metal-stack with a self-hosted, [Autonomous Control Plane](../../contributing/01-Proposals/MEP18/README.md) cluster. The only requirement from metal-stack is that your partitions can establish network connections to the metal control plane. If you are interested, you can find a reasoning behind this deployment decision [here](../05-Concepts/01-architecture.mdx#target-deployment-platforms). +For metal-stack it does not matter where your control plane Kubernetes cluster is located. You can of course use a cluster managed by a hyperscaler. This has the advantage of not having to setup Kubernetes by yourself and could even become beneficial in terms of fail-safe operation. However, we also describe a solution of how to setup metal-stack with a self-hosted, [Autonomous Control Plane](/community/MEP-18-autonomous-control-plane) cluster. The only requirement from metal-stack is that your partitions can establish network connections to the metal control plane. If you are interested, you can find a reasoning behind this deployment decision [here](../05-Concepts/01-architecture.mdx#target-deployment-platforms). ::: Let's start off with a fresh folder for your deployment: diff --git a/versioned_docs/version-v0.22.3/docs/05-Concepts/01-architecture.mdx b/versioned_docs/version-v0.22.3/docs/05-Concepts/01-architecture.mdx index 709960e3..75298df9 100644 --- a/versioned_docs/version-v0.22.3/docs/05-Concepts/01-architecture.mdx +++ b/versioned_docs/version-v0.22.3/docs/05-Concepts/01-architecture.mdx @@ -152,4 +152,4 @@ Thus, for creating a partition as well as a machine or a firewall, the flags `dn In order to be fully offline resilient, make sure to check out `metal-image-cache-sync`. This component provides copies of `metal-images`, `metal-kernel` and `metal-hammer`. -This feature is related to [MEP14](../../contributing/01-Proposals/MEP14/README.md). +This feature is related to [MEP14](/community/MEP-14-independence-from-external-sources). diff --git a/versioned_docs/version-v0.22.3/docs/05-Concepts/02-user-management.md b/versioned_docs/version-v0.22.3/docs/05-Concepts/02-user-management.md index f1ee2778..ba742ee9 100644 --- a/versioned_docs/version-v0.22.3/docs/05-Concepts/02-user-management.md +++ b/versioned_docs/version-v0.22.3/docs/05-Concepts/02-user-management.md @@ -7,7 +7,7 @@ sidebar_position: 2 # User Management At the moment, metal-stack can more or less be seen as a low-level API that does not scope access based on projects and tenants. -Fine-grained access control with full multi-tenancy support is actively worked on in [MEP4](../../contributing/01-Proposals/MEP4/README.md). +Fine-grained access control with full multi-tenancy support is actively worked on in [MEP4](/community/MEP-4-multi-tenancy-for-the-metal-api). Until then projects and tenants can be created, but have no effect on access control. diff --git a/versioned_docs/version-v0.22.3/docs/06-For CISOs/Security/01-principles.md b/versioned_docs/version-v0.22.3/docs/06-For CISOs/Security/01-principles.md index 8e7030f5..e327ec4a 100644 --- a/versioned_docs/version-v0.22.3/docs/06-For CISOs/Security/01-principles.md +++ b/versioned_docs/version-v0.22.3/docs/06-For CISOs/Security/01-principles.md @@ -15,7 +15,7 @@ The minimal need to know principle is a security concept that restricts access t ### RBAC :::info -As of now metal-stack does not implement fine-grained Role-Based Access Control (RBAC) within the `metal-api` but this is worked on in [MEP-4](../../../contributing/01-Proposals/MEP4/README.md). +As of now metal-stack does not implement fine-grained Role-Based Access Control (RBAC) within the `metal-api` but this is worked on in [MEP-4](..//community/MEP-4-multi-tenancy-for-the-metal-api). ::: As described in our [User Management](../../05-Concepts/02-user-management.md) concept the [metal-api](https://github.com/metal-stack/metal-api) currently offers three different user roles for authorization: diff --git a/versioned_docs/version-v0.22.3/docs/06-For CISOs/Security/04-communication-matrix.md b/versioned_docs/version-v0.22.3/docs/06-For CISOs/Security/04-communication-matrix.md index 07df2607..24c1bc1d 100644 --- a/versioned_docs/version-v0.22.3/docs/06-For CISOs/Security/04-communication-matrix.md +++ b/versioned_docs/version-v0.22.3/docs/06-For CISOs/Security/04-communication-matrix.md @@ -116,7 +116,7 @@ Please note that every [networking setup](../../05-Concepts/03-Network/01-theory | VLAN | Switches, Firewalls | Layer 2 traffic segmentation. | | VXLAN | Switches, Firewalls | Encapsulate Layer 2 frames in Layer 3 packets for network virtualization. | | EVPN | Switches, Firewalls | Overlay network technology for scalable and flexible network architectures. | -| VPN | Firewalls | Management access [without open SSH ports](../../../contributing/01-Proposals/MEP9/README.md). | +| VPN | Firewalls | Management access [without open SSH ports](..//community/MEP-9-no-open-ports-to-the-data-center). | | BGP | Multiple | Routing protocol for dynamic routing and network management. | | SSH | Management Server, Switches | Secure shell access for management and configuration. | | LLDP | Switches, Machines | Link Layer Discovery Protocol for network device discovery. | diff --git a/versioned_docs/version-v0.22.3/docs/06-For CISOs/rbac.md b/versioned_docs/version-v0.22.3/docs/06-For CISOs/rbac.md index 9a87b896..06c902bb 100644 --- a/versioned_docs/version-v0.22.3/docs/06-For CISOs/rbac.md +++ b/versioned_docs/version-v0.22.3/docs/06-For CISOs/rbac.md @@ -31,4 +31,4 @@ To ensure that internal components interact securely with the metal-api, metal-s Users can interact with the metal-api using [metalctl](https://github.com/metal-stack/metalctl), the command-line interface provided by metal-stack. Depending on the required operations, users should authenticate with the appropriate role to match their level of access. -As part of [MEP-4](../../contributing/01-Proposals/MEP4/README.md), significant work is underway to introduce more fine-grained access control mechanisms within metal-stack, enhancing the precision and flexibility of permission management. +As part of [MEP-4](/community/MEP-4-multi-tenancy-for-the-metal-api), significant work is underway to introduce more fine-grained access control mechanisms within metal-stack, enhancing the precision and flexibility of permission management. diff --git a/versioned_docs/version-v0.22.3/docs/06-For CISOs/remote-access.md b/versioned_docs/version-v0.22.3/docs/06-For CISOs/remote-access.md index 0b8dbb19..dc24e82f 100644 --- a/versioned_docs/version-v0.22.3/docs/06-For CISOs/remote-access.md +++ b/versioned_docs/version-v0.22.3/docs/06-For CISOs/remote-access.md @@ -6,7 +6,7 @@ title: Remote Access ## Machines and Firewalls -Remote access to machines and firewalls is essential for performing administrative tasks such as incident management, troubleshooting and sometimes for development. Standard SSH access is often insufficient for these purposes. In many cases, direct serial console access is required to fully manage the system. metal-stack follows a security-first approach by not offering direct SSH access to machines. This practice reduces the attack surface and prevents unauthorized access that could lead to system damage. Detailed information can be found in [MEP-9](../../contributing/01-Proposals/MEP9/README.md). Administrators can access machines in two primary ways. +Remote access to machines and firewalls is essential for performing administrative tasks such as incident management, troubleshooting and sometimes for development. Standard SSH access is often insufficient for these purposes. In many cases, direct serial console access is required to fully manage the system. metal-stack follows a security-first approach by not offering direct SSH access to machines. This practice reduces the attack surface and prevents unauthorized access that could lead to system damage. Detailed information can be found in [MEP-9](/community/MEP-9-no-open-ports-to-the-data-center). Administrators can access machines in two primary ways. **Out-of-band management via SOL** @@ -26,4 +26,4 @@ This approach uses the [`metal-console`](../08-References/Control%20Plane/metal- Both methods ensure secure and controlled access to machines without exposing them unnecessarily to the network, maintaining the integrity and safety of the infrastructure. -Connecting directly to a machine without a clear plan of action can have unintended consequences and negatively impact stability. For this reason, administrative privileges are required. This restriction ensures that only authorized personnel with the necessary expertise can perform actions that affect the underlying infrastructure. These principles will evolve with the introduction of [MEP-4](../../contributing/01-Proposals/MEP4/README.md). \ No newline at end of file +Connecting directly to a machine without a clear plan of action can have unintended consequences and negatively impact stability. For this reason, administrative privileges are required. This restriction ensures that only authorized personnel with the necessary expertise can perform actions that affect the underlying infrastructure. These principles will evolve with the introduction of [MEP-4](/community/MEP-4-multi-tenancy-for-the-metal-api). \ No newline at end of file diff --git a/versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP1/Distributed-API-Working.png b/versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP1/Distributed-API-Working.png deleted file mode 100644 index 899e223d25919d8ec5a2c2cacd2099f8731ff1ee..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 53600 zcmeFZ2T;>r_cw@$3U)z7RKP+JK_HYQfb^w6fB)Pfwd&)icobx&7hUsBY2lk%a z%f!TVKuc52fQgBP%EZJR$GRK5ljyUCWnyAGKvXv)y8Al1xH&NKOR8@F#V;Z5Oz4god=JIGE~!84SiRsRI7ealw;(!EawA+!`(=1pZR? z@Njc5b+ARd5TWss2vJEm^cA$Gk**HEgev&k%?0NGexV%fa0KWp-gp}i@JrR%i{S1; zatB{S$cT!IO3Fw{iy~zH`2>9BfB(LrjiZg1%YRu0qSMF0%iD#3-zF0#Au25j+a}0? zXydf~E*$Tu1=n>$Xc8UGWF)ZmUNQ*f?J-0@4~OkB_6|NSc3@2jeo1w}VS5)FCodcD zY~n6|If#SV!XzYga0G;fy|yVuP0G|75C;uMnE2?}d3sB!>xtU{l2s%O)iEw)A5A<) z2PS(~6eAV5gQAC6fUJ9oL=ukJb$GPg-z->|PaAlOUrXk$k-Vm>4 zgc0|l_<)(nc$6O)W-dWAG%}!&^$1e>WF*B`5~WJk#()ppu%^bQhAMVsJ3l`uGee@S zxtX)Gqcn!7qCtR5!%2oFp3=r@%BHFo9>%VQC>?WOG}^@pMxi(%O#Eb|%}q36o=&cg z>bhQj>R25#(NRVfCV{drl_X;|!1N~esu-9L#X{Lt+}*^^&c_`oC4qE=I~eI|`d9!i zYe+cY>@j#r54emj(aZ~@=4Y<&0Mtpv#X;B4#*ZK)>5Iqdqs^2tw)T*A7&+VONt4vv zwGAx1ZShz?6rSR01Bbh7>S$8%YFhTTdd4cgx}IuU-iEfGb`UFd@UE^7es)*{S=t

*#5l_~}a_O?}C}WCN6`r#iyi z)k#~@UE9Z9ljP-Uh&Hfr_8`MG$S5}tPYHxAPFL4a3W!mKs4U@ND5D{vrmZXmGt-r{ z)gpVtRbA1(Zl+kAyOe~E4#tIo5;w&-`xyCXs=BGmpxq47HV7$-o4b>-qpz~F5#AFc zr2}&^G50lcvc*ezxNAG0ytTAE{BRgoM?f>l#?Kbz?5U?>DsGIh#S@Hdq#ZmpoPAu> zZM4CbQGppzT(rH>Kr=Nw5t5Ehp3(>%BP|soT3JHez}?TxPR9i)spey+t}p3rYoH;m zE)FyHbthmj(nvjoorAaz+Dli{z{}jhMatgUS=GZ&UDwSQrcN-kGts7a<9w029(b^f z6alL$PQ+^?+*CbLs@`rcHa?PO%JxK4H@q4aVS{ra!)yphO>svlH)8`y@C74jUy7d& zO4`QF981C?ZC%|E6pEca%t74N1!-&~Nz~9HJDMY;Oug;QB_vHflvPyx%pIKVl^vZm zZSlHDIDw=}q1c-HN)wP8&RB}AgOshBF&ugp3oP2s+1TEggf-Fg^Kf-`aIp1}a6`as zHPw)gh8FrryrikK3Rx2&X^STMIGS1*%ec8pY1kWksLI&NxH*VJqVs~=K$`@uLexXM z*!qbh9gMJ8X;&9#bw4dUTG~!o%|_D!MZswpOG%1rxT)*to07=3WSFhAgpMjqQqtVr z-Q7gW*9NcegYqG(=mLE;LaAwxwY=cQj_SU4`noF4CVJv3wvJjbtTM$;TNUkOVr=53 zqOW6*uy=RDc%votwLJ;WNW7Oa8jbVyLBnC%p8C#`YF-v<<|HF8TQf9@geEB?br1*% zoR+GtgRweB)zs0*R@0Z{ts{eSur-8Bc^YV``MALhlnMIoHumN!KvOVSX%l^8Uu_)G z4G;%tC1~r2`$@w*JUldP!AnO|PkTR485svvPiZ@h2?p3h6$v*zU%Z1j+#KNzlZ5-| z7=ibkP(%w?Ef04iHwQAz9%g}a^^)-t$EkUeP(DuLMjkj_k}i%6H}I2CclE`nB6N+= zUM404TXB+yA4 z4AH17~pPo9xOUnhPYzTzrqavek@2>8m zqlt2X6Wx^kBuEaP+8Vwx<~U;*&J2tIN}y(-uB)yGW{2tN80krPpe$gv23~lgiVu#g zDXwi}s|%OGIO`)|>IgVd59vrUw~;V#L-=~T`x^K;!IeF{P~vvV5O2(!%wRZ4gqx8E zLJDn*cJq-o*EAukNlIe0d}So;b)~c&HH?rx7%6jc7r2|WGFjTqSK7oBZ|-M+a+lFm zCfLBe_4Q?pO^xlH+|)dgZW`vE9(qU_2R)<T2u;hA6wsc-q@xynu3RVN5CZ$^@jVnx4BO21Sz57B`T@n>azXS_7sbW8#GNu`tH^ z*yxhA9dt~c?Yxy$o#2|T7A|-@oSUArG0DZ(Km%^*=L!vneF-~lbC|g{3OdA93?Qa!gCAE1iWv-}hjDfwYB-5&7?~RxqV=5pfJdM~HYYeE z+-2;vC1o)7I-Y1LFF$XX0iFWBWeyjI;T`oPEwJ`Fz?o3-GSIQdYN4T%z)8a%Pa)&o zkr1Q2P4)FPe2_$E6$E&ttPdT?&_AG68vmTbTZb}u{nzu6RM!>16UD@IhDl3J*~r&w zDrsMZkLq`ZAm1&o{cKoS&9RV!&%5PbC>R_)r(!UcLOc`Ge>yD@n|?S|MfMySzi~#vuCHF{U58gGO`wOibHkJpyY*nAbNsO^DDEf5QHfg#u*BI37sZBI}ti^WEJw@k+u>FAGh? z?O3+g0<%|V4x*WuwmE+utaZ9DE~Tl>JV@rF-Cu4;upFj(eLbn5y2blBmcs|`iG`Xl z={eXPv@)R#`o;&5!eJ=dS*C$2mk@xSH6ciM6)5pzr zgGD9gbz=U?2nW8~!SzmIYpSDK@76K~x`Q5RHHkY<@O^yoQ{pcMz|-bPh6HX)Au421msUhS7oBX=+@^I~>!ZV8qHcp> z5;`YEw~5+h$sw%ePLHO%mpJzf^X0RozRI?!bJ)&c%$=Clw`IY%V=^HKx2`TA|M6L7 z^#17E_1h$b?gzsh9!p)l4GA`MgUxJU;Yv@F;tdBirKFfgPS0;{3*3xDDe-k9)6%v? zG`C3z*P+~2HWd69X-v#q>`IAW#9d0Z^?j8iziPbrZA$R&`nw^rLg$;**tV4*UmyhO zkhEiJn}kQ(Byc`i*ncAf^DokvSS0vDkg+x`9$Z@@pBKCq*h+9$WbBVSvV&xxksQXp ztqRw4nLNM9?(Dj=MZ&pl62v6NxpwO&+5bb@4pw_jCeMrilFBgl8j;xcATqM^p#A?- zNh>|u4b<&q^O%IxjtMtsdm^;?A@u?8S7(Cv|LS_az{97`;sXJHN+9Zcau_V@JH1{@@-2)!y#x%XZ4)8}kN5A}W@tzVY)7@w5X&{5zq{j(lI!#LGzOhe z{P|pXiOk63Gz@a*`d47BE)`U>&n)#24vAtc{eH#bi~D@MN0a^Wmr}Ct8nVBesa&>d z5~vj}lC6Jqc6;Lh;>6_vVdGrin75~Ycslg)^Y>wb$zw}>Wb5T>4s1z!yj6D+u|*4? znI7l0hnx7Yd}F@8FD+7G0$;gkf@r$@r(`ymvA+4H?OC+pKGBkAJx(csyS3|LI@&lApVa$DW6mH3cmd&b;5lORPQZ{Z+|RTkv+(?^|LkjP<2r+VriY?7XV( z%E4oK9)^oUc-lryUoeAiwGnkD0~c#-GH0jh zw)Xx|(2u2FZ!81((`Yc}=F1vR>)z?A^_dy)W|agl zr16&SJcxWpQ`&rl;_=K2oW}KyQ&VO{D;EsJFx;NiN30&MeRWb8f&-Oz8h&G)DElkM zu(y-8Nh1He#aYH#@nct2uI+kvXO&6$L0huXOstqFtJK+M`&^uDeATugKLivlz$-R~ zx;7%SV0XH1ceow&0rQdO^+#3nv3YGgm*SB8cX)h%>_9L!{`e2@F>wcP%*}ApR&H@p z`I^W0qF-6lCrqs_L@7y*4aZbx0%d!bVqmb&?bG$1K8_8Zr}L|gtF`S>Tv2Aw*q>8U z1Z9nhKSKAc17CFy zK6WA043~%J> zMn_SfPtPic(fRY|XD$)^>Lsl*MBk4B_0M2jp&`>-Q7CRwOz^PYtap@RC1bksFkO{* z?IGs}3iCsjvuu_W7X8^z-45}V70qp87~NybWs|Qat>211%3`n|O6sLd71UPfrE{2b z1VBDDt zIRb4KcoX?aYJvZE@ zEu1Umf4Wi?9eHv>-s=A@J!(g(3)el9o<@zGd*qb%06sq(+p-=@5xm8BuyV>l%)7^} zuwg1bYFV*^%At*WRhn_dt)ONjuT7WirOh1Q&!5idBev@Hag%$0@^ZGxWi2p!vFT7u zWBQf(ZL|iPuX;E93U4cT|X&_7~6YR7|~R9F=g6t6uRQX3-af&n1?)tt@WSQYlP^< zJWsCJJ&?W_Zn##YP#FMh6{9>@unpLM8AeyiD{|$eB{(UXf;YXz&W&@M?7Q^lA!o({ z>vNX#^z}2q3O-$Uy;wd|Rv(#5R?JKZTE)`ZsGF48)@LQl{r-gD4_Y*fm#wbsjXwQ; zqfQ$ZDWA;1iM!E-%d32=$d%;%S=jBR<0fmdJ3?2=w zIQ&Dh>i*^0`%x$FX~h?8Eq(_qPWEy+&X#aca^VDU&m;t{Rr+)kL?UB7-?tMhF-dJw z>ctW4&u+^;HT!TK?6AX+!B?(5<3CuNkyf3<0b+#an2^P87k8SF;##q4h^)&U@AzCj zRm(=v0w`o*MFEHCbiFOgwpHJ4g6%XoxRl;err*3BVB)sC!l#tBG-3-9LLBgxmDu3(;#j###G?rmX5gNkJe+SOmphG6LUkTz(-XY(VdkZf>&vt-ei4Ybp}-a0wcBFQ!%bHE zt1Jv~Qp$Z$;|NZCc^^a<2DIPB`1L?E`*`(lua!LPO(_rxPOB3o&28JBG|1IBF3+ zV`FUK;EstG+>MrRRSuA3%Byz+x9ZGkAW09AaPBZ&R6(Yo2XOCp?3gTS?GD;WB)UIh zBDI{Gig^0`e<}OLWo0LTxyK!nwEMIl;XU%Tn~u`Z=Q&$EmgAENAq@cXae$j~=icYcv1v_!T0(qr+-)e~e9vtnm3J zSlWx*wk-~Bkm&lLpfl;}Q}quSANR}O2BNsmmcMj7apSluwb9~cpT1$69*P5Pwsn+) zP-5@?H`PD8h%t{zwm`FUz*q~XXZzRN%>TR1bW|s#sQAZl@d;T{$A8EEYq}vtow7R} zx~Pp`K6`(?keT|J$aMTxU#>CdRPGX_)ih@o9=9R49hGkT zR?U7K(z17eW6V1*c_QK5{EkVF!QRAyu^n6&J}Qt*G?MK!v<}p~sPBR(D^mqAvRtWD z_)XnAT$KGlfp>9So4$lxy>uIsRP^6%CNnU$s8NY)DYH;w{jeSJPf%Fa%ncN` zuP)u3&rSAgvmFSwFFa<#5#HAkV8n?W^)7B{^#dfSf}6V_r4rpFVw(<>CKX!}m@B_HWnt8`JRVh6LKSjKANqeszbH614@6 zt;&ALI6u()Q)WBr0jA`x78vz!bqorPz#z@1OzYJzT5otmyov%E6RUG^o^(?eRaN@Y zdus%==HX~C>fZ_qOal#iD79lLOpCf_6tYWvfbAEb7!6OdCPV~y-x=K+0j+sP0E~i- zOTZyH&VXm1z=$@SvuU-t&GYep402(f;)uo^YJ^Op=51g?B{DyE9)WYOjvQ>-3U{G3 zm2|);yML$c+w_GfwXk#v3MBC)-hdu)KahmI!K1wMZnEwlv~DiuE6h^&gA%*WLQhQTU&u@PGJmf6vSR|M^&T zHm$J#Dev7lUMHABq$X3cpd3gqNGpxNzuR+=|1==Vl^Hy}p`Ujy)xu&k|7*@Wcj^(c z4`g`p52QO@_EKp-*Cz93;k_QJ#j7I;ho*v|oL%psA=67v5>rHwnez+!qT18RCYbo+ zZMUm1;calx!L{YLbewCRVuZ3?`%i0<>o(dABqW=eqy5UU>JTNaG8X?Ja_X7Wjwu4OE76T&caoQ+^oE(v|fzXE5A0DHq&v1 zKmxh;$o0)-+AJ1*KvqT?BwWk;$OC;zC_D*cx_^^@ z|42Fr}nCfOmhEUoLGT@zTdoeWtWEWAGxdG0AV_ zN%EtBRu^jN$kY0LK`ATMg1rFom#hE*DQO(*h8*M0W)l#EM2)3Dtkem74D;*33C6Dm* zejaSf+b}NOd9^jOBQ|dnm*uy#KEUYzW1Lji2=evgc2J@;;8I@6;Jq1M#>$;5*Ftv% zBwPP^+F9b=C{ufhwlTj+>^UemB|c8W9qjxGgXNL?Nbx2d!CI~|7O0B!oCQMu z``t5(dBK&2mm&BfuW3|~u{s0(D=i1=zmXW+H)%BrrRSF!n*)qLq)gd3#$e7SeXjDy zF0sdLGe!v?pGZ2bDZHj0=mUGk(|W*oG!3qqH64vr_`W;i z;NRnRkS<8gu*ee`J@6K2d;n`c)-5>YWfSLgLH}~q@@f-yTDS@%^VXZ}m%?18IKDHA z2Ct3W_@@@2n9)kVzSLYc(8`%MOX)1{h1H(^lOr#>PGczSurFe$CVm+$lsCur^b$3% znt9dn(+{NK%lHNAHou{GrwL_C-8eBa!0AdrTC{DzcjC5ncoRrMBI?Rgd;MoC>AF9J ztyi^|0e9+(dF@B!i(yR{U0>CYZ=a zWhBf(7|LdKtZkI$vjpD$Uo@8bejKD1pKSThm(r1`R0w-|55KiKO# z^dLEvg?W{4hca_Dl%)*f2#CdLO&LavBzj{~h6d;}WIU9%Uu_v!Fnh|PKu=(S_f;%g0}$lq&YDX*MmN`I zm*ISES`~#Qe0MJ@-qT{vR=CW6`~sF;F@|bdF?cLURjA;1F^!(ehuY152rT6Mz((H;te)G@4+TOdV7v`T8 zOfQEQaMUDZj(oqEoinI@IP9Y0%KJkVB?4zPrHi{=vsX_jETkSP1t?4Fs3mj4tNx9c zXVTwklRLf4c%G_qh=obA%l^7k&D&mqtQh7O^V2Y_+5CJyvZSy{p(nf~OQ=1YN44!_ zT194Z&D8?U3mv^?0DJAj2F-KOd=_e9pI>3_AE4wIc&o0)`UU~pSQ;5PW!FDzy*VFW z*a;ph4PMC}TKnl!fCwZp`qhrI^zLu60?HGTDXU)#dBUfyYa#s{*$)T$xv{OE7d*B7 z&rkC%?5Zcz)-7qpZOM^=&*=(}=+@=yiqm-vfZ&zR&3Q7?$+JAFdG_P9E(YB+@pU)j zEaulTS4v{7J6`r^1x9#ml~%se9glNUVPZJq=CLFFhZ~t$;^N0x*oXas175?TIT()kl)tEFi>9w0vr?M{|rr zt|1b#eF8_+1aptxs8)TD7wwz1&z;4{RJH(~gG`r^5IIzksu;<*WlA!#9Y6~07LUQ(_;=bNY{v^dJnb(^sLCr{419msLWVBaxDd! zh&*PS0@TBrb)x=2pups@y=zmG@)`r#=K^{1u^Y4HT0Px@uNm0_m|NY9@gQaYfqov- z<>TF)CR`7+{!TKFT( z8C`x%X48Ex$$%69J9aLA6S}4B^X8!?Fmsy%#z046Fe_u#k$4{epotTim;%kjmb%?Z zao^h43G$d19H+__UPh=TDQ_-v-i32ROrZ-Mv79&`s`UJZD7R-0VeWGn^%~rYuarOpQRFXNCD=H863uyXws{vh6%~Y=d$DS@Jt_ehvQe= zV8JKz8Bbl4$FCfh7r3}X^ZNafxJ^@7){HbK>3}ds>tXgsJ6mq;>edbYT&<~ZLyy?s z3RXR|)~QZg{@~M|R(&n^{5}0C{?ijQ(wf0wtf>1YNkT`uM+|e|b&p(XMr~j__IjCU zE`dGYxSS$o{s(pHBAYIKvcc$&zKqG~N>WC=>MyKd_i*;ji@79@yv>F>qsiEs#PJ@rgncjX66}UfHDeB{$~1#Wd$!u#!x2Us zQJJ-Rh2RBdV|h5Hee;m#MOxF!@MXMrYpUU13gQuuVykW{o}FJ~5ol}g_?)<9*?8MH zUtb6Ys6-?WswJJ{=tSD7Vr8GT8m2`qlf)K;t#Iy}sCD3t{&1go6NPsq?UVxwfqqW% z&OuW@1+BHF99+nwDP`ehi9>nF1@-}K!01jgkRWdqaDk@yKhS!!qInFp!Ss_do|73HRp>S#ks zZzduFzrvq92Ga;f4@M70t-M6rW>>4WzuK6hmt%}v3^NISZB7r7?cvIU4_R2-t1!31 z9#wzpA3v3}aKtoFwTpvVeI=4H4$I3F4LcRxAodOO<=bNuMRa*%b0c5g6v%SUwm-|aSAjxBrCJ^KecdmT>Sh5R1 z-}C3+DR?41FIFq)r<|Jgt(Dsd!_9RHIR@IiY!XcRGHW@-ks^d~v2ObW9S+i-7uzFXDRK0vB?T!w5)rEQ;fmDgJ&@{c2~ZB24@4`ewWmihFJW_!b%i=gjCos zcjQ@uT^Lu{_nFF=QtQMPEf!$hpNFxCCPnC3_brSI=ul5AyqEgisOG61xje={LNSeG z5lAxlcH+jSWhBcuF&wk@S&>boEUc~WrShQBET3`S%Z$M@M^rW^VYyie2Ln$C`>eho zv=KjM5rp43FW06T!VKq9rV13;grNcyx^9Kq3);pnvCX;5m13yb!EY`CbFF)>NAyk% z5LGk<{o(z-b_|5PKsu^tp`SOfH8sIiK5xK(G^W3Ye@>N71N9v%hVa*EWUa+;!<3C- zL3-GkN^kAOR)5|b8-*oAaJEz$$+3$cjl5}4b3Rq`T&PzbhbSdAv!5GYut{O$8ah%~ zbQW{VqF7TcTCaXHTRYQHo>Pro%sbicl9i0)|EVhdvUY_pWTGvW=UeMWGi@BE9VUKb zTPhCrWGX>SOF%VZJcO)eh6*ivtr{sN(%vder)XXCqjS3meP#m(*F=8b-t^j0C+Fo6^zMKy9oE1+e_iFf12 z9{OYUy$k2u+0My+e^D{9aL4Ps;sVZry=lShnVKZMMT3#INCyQ1%ZT6Xyr8<`ml>iD z_^2#GVHYZ`CtDx0e-shx+n78WUG@IaSjT#i!fGDs(xN++$1>LJ1^M&=c51a2b(2qg zZ1~B9k!^C&k-TMG;Mymn*~Df~M|l&Oxz53u^MMJ}Xj2NRi(K`Go53U8{>D{1NIUVQ zR1;su7z`aKEIcz$6Wk3{Vla0@OS5BKJnRPhQEBQP`g;Cl0S@ZIE9qRWtg}hUE$f{| z3G91}y(>wnS;+K6t)oVkS#PB~iRZMa$!kLoyCk1j{<5I+AH`HqXaN^^NrSq7EG}m^ zq8ebo(B}#}xGK@u$c80`MT*yXWmCIs9?ImWXV#MmC06E*r`!O9w0d|e+Sj*^n~*e* z92tWVe<=yJE~W{uRXC(L)3El8&i+m8GS`~z)n!(SVAja3DzmouO#1SzDTV-}s0zLu z3@U~L-U?2-BqT&+o*BzPKaatG&bDHwwxMXRVu#W>usB84|!Ia4( zV~T!;1QyCxb+nQei^2Eow$%;W6f=W#_DLg_iLbnORj!!`9Ko>5oN zk#}A_EM19jbWi(3c+$MU!!K6pjia1{M*T&1mVdIgJyHCbBWWN6a4hXQVl~q6J5g;v z?0c$Bikqv){(ms2(T(+pg+}&QOKk6|0!Pe%6`laFb5>JCGUM#KJt>w#@A@O;RTq348eC+4it?7i+2jg z%|G1&z!?A*?!B&J%Rocv zQCOK`Kj<&FWVTgz3wV5u!aQZ1;dC^6*Oc8OhpPZSf@(=m80|Y1eMq7F=EwgJAGcJF z1>Ws^e)%KsX1?5xBWw`1cat^Wv;e&uqUL+VJ19E=72kEqg#79TB)F!f*+nw(2KW>) zK{U)9+%ck0_R``5_#%bH%x>C?8G8Hed8NLd0)i`-XO@uin%r@w@^c}T-2NiuJ4}CG z%9Zl510v;_a|(Q9LZP>Njy#*0?m`sZN4CeDp&y~{$A#2%9#+VZQw{NJdt$^63br4f z+0kKE{$fjZ)2w>SK2r%68i}sj4>#``-j;qhh-2k#O*;GT@`TPsHc%(7`H%^hV`*@W zP|H*A!}1b5lkTPS7-@dZ;A)|dC$G&(-;5k@JbaCZBoNC2N_P1)L!>)Ig|?(E$J|!Q zy`B*Vl78$j6bEB$4&<+#{7_4DVik{+jn-xcRq^b6?@r?4k9PGG)V}84G0`6pXjp&O zP?xQR*YivMZnJ;`KkdpSSstU3wD>~-e9Fdt?LiTG?>0x7NQBy|Oo!^s43_aoq=VT` zk*eFjVSQZ8U(*_2L@5CQu(0KS>gM0ICxStAi;#?`(h$`8Hs?WG3HXz;gZS7|lc) z5Fx~E9Hu_~714j!FhlxUsqf?65uU6pe9f_bZLvt^jJQ+_K0OP1>~TW0!F6K}O2gWR zDlSFJs8&cBAr65Kx@*|rg(6f7wVuqsdRb>@Es}+qeVg1JhV^=v*e~R6YKIqV3BAu^ zs|1nsz$!l%f7KlW!c3BMYmcn6INd%vCX{PJeE2pK0#TAoxkSFm8H&{-frzO2N&WulTPi- z5t~YwOCu+d(P8lTnFb;!^$@~EOT36VTJj;YNBhL9OXRbNk<3}?@8pRvxgu474Kt<+pdrP zidXyJiPy5AQjE6YRs7{*_R7loz7?p^DEn2JYr)m-gS}pJ&T=MG%4d%MeH!7W`={c! zXZ&b#XuaAdti}bK^y%l9mo6L-3v0Jocx!${(IvIK z!M&jG#Ab7W)Q$ttD0ygTXa*pPGgG2l2xkLgV2XC))Y8PN6e!>=1}#(N!g&=fxwOqS zJb=bid|r+ZCi#R!AV3A5#`VlrsreAjX-HM)-VP&jk?G9~skya9$IY(opk+4SS>0## z`?^rtX78xNCjiG*HqTbRm^M=<1B+ zEX6cERm8^BOFUWwb=vc$qV(eLkB6F;%%lq#o9pF(inGxd=E>2NM#Vd7*Rb0*pv#nn zr|qm>`X+?9F9R^H)4k;9?HLfR)7Al8INbqS7K9q6-?UR=D!?908Bkq@cZhZKgS|cEUPrj# z>H0|hxMyC_Vs;gWmVw1v-AjMP1w}t6lrLQB23hh^h0VFhbwebSo#+D% zBojfKe^SbC9F!e1Pl(^c2I2iKP9kl+Z?<=?mRHgJ_^Zk#i{(sg;1^)gb$jA= zw{n;fzo|n&xlDQLgz71cS4*tG7)`5(@v~O*ZyUiu$AoWoM_w8P(^Vc~+9#!|mZCuN zcVHv_SvT)Q_$vsD1}GG-_wqn6O>T8Ky7DeR4A)2MT%3L*RsovBdgH4W_-T7KAi(0_ z<=;x=nq#IVP$vk~gEvo|I3zQCSh1txPvhjS9RHcp+F9ZCyr2}~MYLTCsl(jR)>hFx z_gqORdfXnBLcLwP29*-Oy0F9tCHITA4NqrZ_Oj z_YlM$q?-TTF`;x|V+0W-`8%$-qJ|)_Fx^=`K*tArxi0sSml>}Py#gJ8-Qj52xJz?m z0A?rU1=A<{j7=?n@$P9GzYvJ)2nLYCfH#zOURFjGICz&uo4w8@R1>qpvt>dz2{lOR z_C%+oBO;uUvYRb?n1%ix0zw_E3cA>5+VsVnXXIt6owCkiP&?RqWn$GrTNr=R?TP6f zi?VEiVSeN3@oUkB?1gVoF?U}CLtTd(oEd9~FvD5DCjX6O1M0@2bMjJ*YqlWM!o@HM zNejY$r&-5f=Pj)>CeS8qHoR-icQW=rrVlSHK07|ek?nc!d)AkV`z|R3XRj%P<4U71 z${JizU>nU-(^@BxlpJ+9odeTt765wZmJ)W;6X3fjoR1VrKzpUD@Dc67XdcEDkPW1> zW%Yl05#0JM(p+rF%CqJeT`_R-%7EAUOnKh=yFCix;vAIf-#~hQ7`4YDlxDBMFuJ$w zWWQ?0h1ZG)wH#*_`g{Bfb?&V?AOQ9tAB#NL0b7lQTUlnU3t^~E>)^`rpSMpX_8Yzs z6Z7|1GH(@QGCf9pqu8EoFc^*bg~P6b20@3n$aaomqD3}&F(vV-G%oHG7uTHN>)n;2 z*XhF^g&~219u+FZuO!4&d+aZ>nn9M{;oTP1f+>7TV=ZY{*2Fu{2dn^#czz|1aaNu~~U zvcG;+I&!iYREkK|AFoVNRvNfBu9jF;Fl=c!&3Wh7;J2VRW;c~i|26d*zo@vX`r@r?$d4OsUdB#lI(vbG`0o_T9k2-(OXhUIN0q?L=5#C_&!IE_6`q zJws5QP!t@4rM-N92v_N0K+Atls92be0y^+*inDS|eN*!-20QNimgl>nzx&0v{S=%S z&$y~(wJ@v@)@_ULyJ z*o7sxj$3@@rFW1fGO3gT9maaqa^yCn5?Di~Wofxyp#Ax;^u)* zAxf^0>%&z5on!4HQtSPhyfhwe?nP90>Ab+1)Q&;*^|)|UKi5Zp){XdWcjg)V4`1`* zT46W#HTJ8wg3iLzKwHGT=25@HV{4=OQzB;blW&l*ALnrO!?mJQQJ;#xq{a3{d7*Rq z1h*}2nYCx%{rvhxr_z)uiB5du&APPL|BM+2>8FHW)lt^en#|J?)>i~*=HFY&Q$mb+ za;KsKS&3oW&oE}-9(xoWKiTA^_}$^v*T@x?mnkdv3m)=7{xU{nm1L6mS~f`DO~_0j z*v#5R@$uFK2Kx?=v2S}&-_pA;3dOzZNLdVeoqZMk^whofi;*Ti=z6ia40TAo4xxjR zj#5P;tq)z<8&}8MVcLBjqrda;*tyVGIUg;<(!!-pRCFwJXh)Z#Er%^W1Ux>G20dfk zV>?^S9mw0emgaZL*-@OhoSTo!%z}lc1j|1c z-CPA1MA*iK$sA+ONobI;smt>oj9HwUv_Zd@SpB%B?O!eA%EW959CuQQuqUzLllI+A z++zHfpx3yo=*Rn_Yn)?I!sY2BPfA+PK>qg)ei|msQ0Vmk_3B2!Leqlf)kQb`#4l)M zU$*#uNv5+JkA>*p3Fv318X*4%6C;u82b7+Lvy{C)Nal|a?J#45kuo<8y0JcCIJQ5a z=Vn-h!~Y_S86v^qLzJ~sb*53o|ABcsazBC{yI81l1(@2xz41-aIW6rnPUQx{nczV_ z6nXDbv{y3md-Gb34^)(#xe%(nUM8U7)x!Y~YxnB&Z3GCqV?&}$VHiVeA+T1i|7V2k z#0AJo@%_Xa3yMTrx1+jsvF{*JQUz7^u@0+V8+w570q$a-~eVzQRb4lY3P(sUnpSo@;MZU8K>k_?s!MdGZePdtiG6mT3r*KaK z>PyNUd!Xsd;}i!&->EUnH0GWT%$P4z4Ot71Mwfj0*}e1ulkn|1f~Do0UianK_c=YYY^JXWfZ)_- zp4q23Yo~Dej&HD|EKz(9hkCz!8|90RG%RA(187CjUg|@P$)As3@Mm54zpAjtz#~P5 z)DvBinIh33Y!dg|QGTU8G`25f?8IJXE%wiz_+Mk*QFXPM7A!A8C}?rZP*X5_)yARt z;Tv|xvn<*PsJOXv80kc#xH=FyJ+27p%bj@l1+PThzbllFZ5UbXwIEYBJY;l&O;_R@+uQ^%uBK8V~@a{2RF!m2v+cJvnsKOov@&iry?ZnN(P?nb1ZdB_)fdekIB zLGVdHVwQTynrdQ}G4dAi^;2FGpM6@wHpf+-z45c>5*sx7sO9kFGMJ@qUsqq&!JMhx zYPEWYHKUXwyoFII(K-s4_H#<~vzYdai7K+@4TprwZ@q{W-*@&Ox&3_cT89VBGQ4XF zZ@kCEXXkUf3#@!vXKG7h)0(sdc&V;Oo^1k<;27p?QqIVo*glmO?Z>wcUvTF!{}hgF z_b@R3Un=&rv^0D`K*iDpNyo1ql1_~|eZkwAnD!Yg=!nb_D2VM7Z#%JzdHk;~l^qLl z`pEulQ$X;Of@hcZgronKIwhF%Wf`#j)kcYAhqyY#!AirC+<9k*V#B)gCs=ha(VIZ1TJ7B{obzM764U_u zjHU!vZAF3L5{t=X-$AzGg%)&qG)A`WQc;@$K1;V2G@APt)0cYIJ)vlrJp2eHTN(Tl z+#Wy%t@yXD_)i!0LAB{yz6)Yiy1h<_&18OY(wb3L4hoU`wkndrwF;%+wvdmJVhpJC zmJA|{vfQ`bUsB$+fU2ogN!Y8pL2KJE{$6lz$JDE;HCJjwCv%n#s-k3;xbjw8J>idgD`K=>M;ex z2onl`ZT_k1gI{yZ3wy(@H*Cq^tf6?it^SH9b6WYPLT6l`@*eJC(Xz2~%isc(t|V{- zZGMwYN-P8MMPC$JbR3FU#jd%73`x~2sB@K1M;3tuPzktu;M+cZsQR)OLj887flSbs z+=}@xGf*hP-2TKVc^q`rJI%Hl4YqyQCpNX^*FaUoLNOG=Hz+bTs*=`D|Ghh; zCT6hheB|Z95pWX@L$ep`g%POaI#>k_3gooLt7AmvKT&-cpcK9jG#H5gPBIJ^d3{$7 zTwBw3rGNgon2J_NIY^UK>Sf@H+D*K{LuEsEJ6r^Xk_X@yf|8`7bH{mbF@0u!iLWl_ zPGLqlgYPKK{5>xGlYS@;8cm(NE1maU@HO_nW%>O>p|1|#Ejmd3QVZ<8&`{Rh*Z_Cg z{`LOlGN^c(b-By#kl5vMqo`M)M!kIoSPdVLS=uD92U0r0yZCsPGJON{VDF%xOGO*7a{6O?ViO8&sZ*m8B{VL`{J}t zReAP(bDR0+}eOH{ChPW6o4m9m-EniuH87W5tdcQGnwG)rG0sK zO&*8I>$%F=KtlJ$u-Mx1{a3yxHHvK>4DJ1UvM$TM53bJal0J;HD#Y5SoGAC<;$^lx zdl<)!iH(H(l~2Y;gjbCb-0}q@f{Lqkg_;YBn;EU@(48*yq2PTY`5~Ndi61hd`ljqIKy`{?7dy2{Kx=T`sToDBe?=8 z?RhzAEDD)kJ0*pm9gg`lR(aZTwzeDat#2?~YzEw3;|-O2`vya|-;_bu#zgk;#t$|J zV~^ANL;0_`O7z#EDo%LB7tsDwb#|4v~$^sc}WM)EXpp@z;U&*ms zW0mKJ*waUz;zSweypxP5W2tv4oZn1jWv@jWpTd`=U8*E#M{4wMgF9c!wz>^Mb{_mK zX4Y8*N|gOzy40eDl9a&~v13cM{6F3FHh>OA@BDLEobNEsJ%Y<1LZNo}eHX}@ZVvvA z__s!7Z~gF<+pi2UvVr^sFZabm5tYwbr)s9qOx7)z@X5s~a7Ba|Mil+)ivmnXKGs6f zW(>BMWi#?$PFW#_c9$A|ud|YvMO|*0m$e(?oCU4+6GZ9hG*E&y+IrsCvSiD>5FNgM z;!Fq>)qqPT6e0zj>J$pB9u#16YTa$cMjTE=+&6&#b5I@_ed;jpW#aXnC?!(CAQr!( ziR+8+WobFTec&!gM50J+dco1rg(J4^G`u{R1wHeG?$r?dc#LZov&}!Jy{lPaTwT36 zFs$;W+b(M<%a6k>%pBVe^N%;M#Iumg`XzrO3gHg=E93rK1KV;P6h(WHceOE%DwR0u7~Uq-8+p~~*&e2Oqq*x9%@|Rn90I#f zV$x9nF$rZSF62Rh#O<5UvNU*qdd)39ai)A2nN^*aJ9!=*-l%KbqO`kygh9YCx2yd2#DSPyW2apLrNFgluX3r}XHT=X?UpM|YDn zd6l=``xJAY*~|0g#I9+Vz0lXX%m<8{^0T5CU0kHsi3tGjLQqqm+=Rc4W9_)f=qJN~6X7b3Hwp*?0Fb^d&ai zI!_v{pDVG8@7~^ihF7F_>PI43E(QCV>b;|tJod|izqY)%%fs+Dd|Mm2n?qO-e?0jG zq>#Q`Vxy;OqZJiNl(<3t>ma&bbAj8I3gmVhzqxWyb?pY(xZ;PeE=Yl|IO~U`{l$3A ziY3PR;uFT~PVK{m=? zDVi5>hEFd5u>4F+$|9_`cz0pTyPUZ7^bq(;qT%SR3)C;-|Kd&5OJn?*n>dp9nC&Rl z3N#2SX?0Z8^Sft%zi^!iop$i%0qvL-?k`CcxOeAORD*x+Bmz^%A!)AnJ~tj8>f;eT zyE{v|i8RM&~=guq~vP>xIR_0UQ+NL zJl`pkQ?f6m3s~;#8TkR^iGGveIP48u#S92S$3fVCy{JM^v2d?)w1p?T$%=_H)eQ|Sp#|+=R5kEsc zzzs&an2}40`wQRQe~Z%(0f1@d7gS#|qjA?G$`Oz@06pnH!-pwgzAS8E%bMM>*tiWvX{ch{bE=|{$OxLV#Cddp)@xNkT z+s75~)}Of2WWObjA9Ak*902!bm?io9wlkeQK-j|Non&-C&kwGcb|)oE^q6y>E=LmlvuH1lXtZTNe}@3_-tk4NFO zU?K6|czM(oaK05_E!hHd+o#41a~*G5&=e~NYpWf2Dt48fGC5_yAv1aC?mo^J4V4*w zwAU3*=Nm@vf3c}4$RV?bQa9LFok#f<8@R5s01xE#^vOL_H=mKp$|fuB${Z1lc)W*l z514_l3*|2!C_7QFx_{Utd`}YYy`S{1N5MK9y*L>Yjs>gcGel6(RL;y)1V!W(<55aA zxTOS*(N>*$fk8j--Spqkw*#N)Py7_adj3~;Z^nID?NaJ0TbCXIPli&ui_>{|Yuso4 zQk~lmdHsB*-s7%^BprWv%Ewp>4Be1=7*YYhD1yM0&ZfxHB(|b_i-_`SN&6FVscJ=9 zq%Z9(-+0!D#go?NUi;4!a`TkMB1`9~?>_&)o$4FPDYEB5`3uM%b;Q3P3vO<#abW2r0Srt0#M(CZn*q1Hv)Z+vD6i4XxfI(KmmDhdZiX|#{>REY%7q(C3fNhAg+6ci-8>AgTw|YZ3QJ4LSJ0+^#ge}-(4m%&&nNgyV0d^uH(zN z-5w^jXl`)msP6$D6&Q$Fg8DE>uIt5qTafth;^q}$u)33i|su3x$*bL9RkgRL1~ z5RG(%OM)L_09$ZYu7Sm@u6D3R*WBya*ryEtTPdkct$R;J@?C)7i@gB8IOf>hjf<`T z8UIwl!eO@oR8Hx9v1UiR87u`h*bq()5%PH&i?v7$w^;_y{T$s#XNyDc?u_oa`e)ks zFY+o;@rSOkYu|(7@I$Uo>Lk0fvZwhy$qbnnVb?3ii($qt{SNUd$t5WHoYDwJ+A+g} zD3!+!FNr)uXG$Gr2@b93()q*Yw+`)rL$lxzell@!XU>j4l}Vt6=Iq$N%o&eP2&&$z z$ss3y;9Zxnf}9h~*T{wSBooBk4?Ef=PEaW~b?)lMb;Sj_^b3@JIktDi2mvl-P?H)~ z!5vhvlHztdM+@b<&eclN_35R7neEAr!&uz2i_Str%E2I$|DxrW%5KiSA^c&)(QI2n}yoI6wOKCw%;x~9rZB> z!=adb3zm#yobN$53wz}LLsp6uGG;X6d)sl@; zU&4>ia(4{D+RS@?T#PdA5nkZtrs~E_c-BtC%cj+4J>ipFp1Q*k6rN9wI1DZ6QNZRn z#tcCOT{3|OuWE-p$&7M@Lq+D@+ec#gleez^mi zF$pQHRg_^nT7<_8<%-@qBEV{yEGgMGaqHnI6O2MF%x;Rozzz^&(qd9*jnLXw*VR zkuiR$cYSU%Srd&401tPhZ1>@$&qaM1?|Bk|umc$%P$QH}?4BEGQ4*>QH(2=m5k<%w z5RU8XUAJw3c@LrFQKdO^`@kM>=V3T&Tmv(slQ2cZI5^F|igkIi@I;@v;z z;{W{{(76eo=JgkoCUWn zR)wN>0Kn^$nO1mcngQTx&tlXDnMKu4voM;xT4HIb1lI3Um83^kB$HFm^4lNT58KWe z$bZx(>yo?Bw{kvH5k>%8l8~3vR^b>*?)ELt)TW%{tlKT8Ac!y4gpl1=9UEli#h5wp zG6aSLk8-Bq=cB-U4PA`;=)qn#!H{`EU)%mxYqM#{MHm?j+Vvux<4#+i0qxnkuo^H} zkAUGqvvxc|?Z?V&<7Kos2sFYCc#ROy5*kI4v9|z_ZbH^xEuLsO7>RWDC;{bvK={{?)GyK=f{{KAuB#EhCZ7FR2O|t?SNlGv? zywb4kG@YC;pUVz;KDA#&P31XyfVp;z_hJCP1{^E<9alDpI|;4osEW+R%fYf&a_CU` z`=G;h@qGJx)1sSgkHn;GjkvG9B<^24f;si;j1?(QpcsHoZpZ7N^38WnZo1QSiBLxM zd)WVdz(}8_f4|9r%Gc-0gpMPA&yiH(&S{{BSc|&%8vcF<@W z9C(b6X_Iq$mpr6$dhtJXpK@kGBe3`#pXl_{jH9clocudbZoCp`Mwv@;KrWJ5$lbzu zV4iOJFU0#$$Re1MS`O0`fm3fa0=#_|XyQs*ZYTi|rHH{qjj(8c*Q~r}YLI^00%cSd$&+D|Qck zx9FPo#U9bh1SD#ut33|*G+{w47CDG^BLX`|DCbuFY_WbmGW+$XuS+Q0-9UT%oOcC{ z0mj>`9qi0AD1I!)mX{2Khwcvo*7dOe2#ymEpv-|`_YQ?cNC;kT;;G7zw)F7CYCbA0 zQnp16UxeKL9H9rqM#^{k5T(TznI) zb4T-RNlc<+*9xRMMcq0E-=>I&kKDq|6u%r0}Jd|NKK;6AJl|#kQXUP9<*+#0IF0C2L_JWzO;*5aS9)RT1M1F^$O;> zwBP_2eR{EcoDR+DpkNNKUK^^{zDKeQtoLk_>|2$D0>XW|)<3F3I7NJF4}Noi9KzMc zG1<@4B3t#2TW_D^AExFgg;dyMO!F31rfY(#Ogw9A+-GweCKN5JxplPFPD4{|9o1h= zS}VZs>IUI~Qr0)jiYKLWr34nB-76EYUA(UVKS`Gx@L~Q~XO6d;tbfxcC%qT5Y;i{C=k8c6O zbN^OMf{Z6bEC;A>#{mx}0l#=^S(k5T3Sy1Snx`e!?JP5y1orkIADpITs9dV41pl^% zniSW?MBZv#n(ry7e|^DI`0iEyQK+$m^&pcQkXu{Y;yUI7@U9`poV=;&r;W!9JAejR zrvHql^=t@}<^6$%7K2=3F|W=xkn~!e>j5-qIT4zCh(`}-_xQP9s09Q1_D-)13~9YA z@HRxX_7n35A@g$7VIeY8GK-au4Zgnv(OW$WE4TxA%GSd~T*s2fyd};ksP7p6id&bq z^qSL4tf0*t!2OfAO_05>cewKaHC#VY&54gTSqFUvWPLU-PM=-%`LO3^tq#cMjJ=VD z5HuTXI`OUU!Mb;cuD*60E?Ux3sR}P46)tI=L`VCA_!gnS;aG1HtrJmjJImvua{TR2 zz>bCSfWcZv#zO*A-XMDR{h;ysnU4RD&g>9CVEux*fdpjHBKYE38H8zL=4bSgAl@C> z9%Dtn&`;{5J((=?B~4$p|Fyv(*;HOPjm$S5*EQmG6tadP3A-SPmz{E%kg}5RN-n?r zD$^O3M@`u0-(Sl&*5uBu9)kPS)oykPu+m<&CU5o)gRN9{i?J2q2E!l@q1+!{1zhU& z`6gp&AmkThrgtJtI9ae;{<(}~Rto_xG zTKv>^Fj)cU+dpnZV@KxPcQDYGOrNc>&*ObA_(J^??!^i})B{av&}4*2?%ea`a-f^H z={p1zBXru%0yOhB;G3?voKn^ljatdc+KJPQs>N?hL%TcnScK44y(mE+@r^&!reEoi zCm8i4*~~(0U5&((KznmSa&8MykT1wod2&>UFyK)IXtkbx6YB9gN3ZyFYR3sHu%sPF zLlRA8msw12lwxE9?*RJ!4&%M3K|p~s%}aLXjb_x$%*0b2W(Zfe)!M<;D>*~Hwsz~D zpFB+7c*WWLjDq(n3XhiM_=?jFoJ#h#B6|-zX8`g48_&n|h_ZK2DpsUy4Nd!rX-DBb zx8LO(B)>au7=+^QDbbM=;9@#*>I|S%Z*IMkHI@sUBLHl@BXb3mYs4!RcKN?2Q0`;@ z4z-I>V%^(=yX5AmS83u2oOc%&rg{^nxJxLKCRKFrJyKAgY--b0kJkp7!^M#^o$9EO zpgBhEwOAkC5BmK1=e&94XD`8)I&G8uP8qoPjm7k8KS?t%0O~(KAj&Y85?x?OyZMim zi%qRQ!%+6Q8Ga^zp1E!!Cmz{}e`s@y`&)CRc$B30_~4&wU=V$Ok+WSY^5E> zE@Fhufiz<>6LFBNM+dfwJY|)sQ?uDqu-QaD)%YV+k3VS>v{_O9I&;QSmM*7@-tX`< zXqmGdWjOQoCE#8H;>HMAxBjVW2O$APGTqTNa=Uj;bdpTZ{Vp^?FTn4{Rq0+!bncwt zk~$c^?fD)Z{=HE3LIvPIcN8_idgflqF0o3Ui>smRd6>`j5aWH_fxv|iusNoyI~a5dVMyO7F8nkwFc!TIShUAJ)mIq`5RlMKNOaq ze*$pm>n{SdKkH@#6Ft|(nEB1y%RK2i=A|lvG4od=+bo!Pv!_x+S!SUt`6p3(knzJy+* z6IU3^j`m=xf*tT%g*nAHc2@N?%OrPp({=#%P(LyQY6ByM2LgQLqe#x-o@^n7J415n ztl~kbI2OOEr-kB1cxbKPVUKWvxjhQJUY%Ipxeg9XOvPfqcW=&?#cVJzMgjmu6l|#; z+gERBaL;b=$aZ^h=*eSO#H0Yoz|AAGL2+ruQ1!gl1Km1mTIA4ARGzF#BU7CWz z`ni?ow}2`o>kbh=LdUOIV_bcH08|lezwkpomickH$&dC9-I$?>4y_NMS8VMuyf~m@ z(w99#doGJ)80PoJFmuu4#MDVpKr^o<>c1v*!2uf6^QTf~{~|GItp1pl!w_^tlxN?3 zf8`ffp3_9>siBt{V2FwCsUB!32QlDTHw~{-+%t!xM_ix^t~OGMVzN(H1rMbj;i<_R z);@Zs%u}i}#fdr=Gu5!o%Z;F3t&#lv`cmJfN2m71R2_xceQbOrGo;SUjJafTRcC9D zXM({};r@TKs9_C2LA34mm_|Q;Xg&g3)BU-NDm^N>ve$lEXIo70czu!w|j zH#M4W8q{dC=_bCu)I#WJC@Y;UJ}dX$6+UYZg$ho`xVBpXpR}RbJKLh4zcD-0LiKFP zVsnQCt=>Kxq1RB(@S`6-C~c)3Boo$NL|F-1;XCDCY+CPEoR`^bs62{3A(_inSBmt} zxA{hLDJe@z;<0_BqtdAb&qaA^aJ-4FMET~-dj42J4Wx5W6GO3}p<=YcUTay7-eJEZ zwTgwDWrluN@!2;{L~_CU{Aao8$Q5ZuAY%j43olS0h=;NHe8ZQ4~%m;;1Rp#y>c=wii3%C}-PY}JH_AW|K&eY>x z?_^Yb9d|P-c`a#NC&Dq~IUoa6|3v1`ul*Uf-JH$;Dhv4^=U63f+|KHHdamnu zj$^X^K8MMC#}SkthhG)S%V8fSV3_k2?CBl8-9bN_QnBO}BF)TYO728OqUK;A{rMUs z#Qp`@;8h~W`^mgf_-iMN(V4-~UI`%utit-Lf_EXLpmi51nBYI$Y#+I2C%ZiWCF+?U zY0iQb3gyW`)x*E$$(!lN4Cxv$M#-gi{QIVO0uDkMa-Qoq9^Zj7q%& zT6S15k~O@LbdTUs2O49@B4cy)a$clPK`evFd8niTYp`hHNZU?1#j?@Ek;A2l8OE{W) zV&alzVmgnP?1Eq6f9JU%@Jj;$8ql65?VO0`Md?Rvp%d`{<4N0?ovIzD9oWkd%lrty zrR>k$R9$iw2j4M=>HDP_?HC=+e+Q#eQ&St>*w|oDxHZ7{v*&SdM)N6`tC{Knw7YKG|R?8g=Y3-eCVg*b*BlhZpcTOYpPM2|i7 z^$%u;*wXG$+2A}|4*d^Dmpn@wN(GN>p8Hia z0o?JyRMgbV)fBP<5sZ49FGmfD0W0cQ6E`<#<0YT%YUn6*(Q%x2^Q z9oJ*t23cM3C4R}7%QN<&1{-iD%5+oyBQ0ZJsFxjX5$dF(mg+Pxm&P{=XxSz%f8X<- z`Y<0X0c}l~Wm*#sHli~ZDbJWX$bNdPT^khP>x3l-g zwKD>}z9)j06tdMtG?XNgJ_be8oNklN)?*3d3)WR>^z zsu#91QwA)lYx`XVZ-1DScuCozS3TsN%sI+{V`ikcZR1;@Cibfg$?4)=U&ak(VamT~ zXukVXdg!y9e6=c3mwo-+X4TuyT*Zf-Fj}gOVrp1^zbs_{rs87FTwPGj8pj}q;!({< zo+;obdE&#OoznYTvLz9*I=m4@jl8c1PTl%)R{J}&&7k7yQ zivLh;zXLA9TOp%zc| zZmjv*q?-mZrROjKYoSG16nO$W_6!N=3nK^2$(70lh{heBlV_~Or*ywzh2DM?txg?t zGuiNTgbH(QX6hvUpnMIzP$2V@aWvnJr>uABCz$ktgDGlQmHF+&s32nzl2KHq<`SzDhbi{>;vGb*KdkdBhr7s=A1 zA;Z6jRGhBIwoeS1riif-ne`Mq*mMZ^zSkUz3l6%P)|;I#&2KjT;sV68RA+=mK;kqr zpq}b=m=VjuC=ig>@-DCAV5y#Z5dpO~o&n8Mw_c>@-VHuZ)l&E1c=$Q-L<&;klXe*Q zbbZ_8M3PC)ii+%dt)-%r37p}2TE|!^oqcIDo zAeqygig!~F-b#zibY-4HjL;zqa4`*45sfRl z?W5|Ki`2`Qi`?%YYf=qydEN+d=V-sNqOI)9C62sID3hLe3troYx$|#?W<}=GJT_3EEwt-Jma4U`!iwx{a09cZN6n?ClGu} zwgL(x8K4YHG7nP^%0g{qK|7x=P~w{iM3agy_77H{u^8wHZ2@~DCm*pZy>0<4-36MJ z>1Q;qoTxM@XgO(~+1bgmO{~%eLuf2OW#9~G^Pufr(Usf@3QS`_73qM-C!Vl30AuGF z4#2h5krjb*7Hdmyhu!ziC?mt!s9>zG9HtPViFEB*}Lq4}) zT;C6`3sfMPZREG$WDO*=W-`nR{Awxpy_r^6@|^)JSaVSW>-c+`)_zy>xS*|<>yd|e zJlJ|QBV`JxW$1gZvOqfqFCFD1E@{+|9r<^djPog zL4cDZ2bBej)Uo*cwO7E8)qi3#oq9n*az7)S*LI@T_ZCZO^99$G$B!v!oYj>H^7b+z z=XtJizg@9*@^Nw$xl(>q>+)&pn@nKPZpLZ70MS9mvlqp{gKSrcNFBmn+}X;-Xig)i z4`yEXc`ST@@!Lj$WR+wItGLB}w#e3t*A9TYQh!vYAdgbg%xebY^f-)bp*^{t`&B@S zMAD;Cv5GTSxXDi1Bo`h+8SXMEKYQ?GsOE((HwPN$i^{$)lo@EgE6G#bZKDMfHGXhs z2P0F*bhw8akhU*}h0sm}<(&tLQC+<87EGI!8MmX@ghQS*P4c+PLASoXduwMM=+^c- zx8C62xwZJF({y{XgNsX>Pi*<9oY(x7O7Eq}1HtV;yZAb_k&#j7?5tzqT$z{6q|Iwd zmTm(i1*u4ETHay2$+xpH>K4#3CR5Ak_PXz@6FBKaXDb!FT(olX7!|`erMtJbG>Z`{ z2y^OXq&EG=hYrJ;D9`xpMI~uNhicd(h2b zqk|6s&h{sj&w+-;kH80}{UUV&X%VqwY?|;B>f8e)rabHTjD>OmqCGP` zV!4Qs8{GT!W$;1neEew4*9MK1$LZ3Hbiko~MMG15ioqr5VQ+zEm)Fo?QqjYGN*nz& z44_YP%n9&;(R!A;G+`iQ(4(fdU()gpzJgil`!q4LF?CRbDhN;(jjE$u@CeJDXL3A$vd6q z(jYQ+TRcg;!bBjYaFy@lDDdSEQ&PrLzg`gey6NdK5SjQfNNNQD?Z+u!g9*?FA9S=J z*mT$|a}Rfz_%V+zgJ|hdaIhxT*Y)^Y+ZE?rnzToi5`C8MBcD)w1**UT-~)R*^uf%> z!bXqm&s0Bj-H_zjb6L5TcXu`{6H3Q3z;wv}&zg?OPDoWN1NdjMpv?ka!b@C{2ug(m zH$U4eMvs8bR+01r9U78K?t3giL)lw#wMJX5Ykk&8;hK#x4}fn=nv=Ufe$&llvfX|T zypP^<-U|b2AbtnDLa!|fH}TwiPakM^F3+g9)KOw82#vX+xxmPa(QbeUKVNhW zlRH{j!@-co5LRQbP)`uZ!tPF?|q_@5q4^xVo_10>P0~=pn zkIZuIo-SPg8QO4@?y*)~L-NEXV7%%C+M~}7yL1DA=(OpR4<2!Xjuczg-(CW*2pLt5^0+O3N(3UT&e&Vck&1>1^;HB;_}^ShxSqF^R$$}RIX4R$H%Xwb^}_0=)8-ssOO09^r5YS zc&>E=5smf!eWXFNG9b4o3bjJ3GZiWFTXaYIC-U^LBa-;>;>fy!4!I{NV59?(_3jwy zu!33@^qez*DdTBoX~{wAA*Ip>-twE4!@Trb8c{eH4e9J<0$sh+3gc`YM-}t&pn_kV z14vEH0D&A++0h5gp^}j5T<0XHTbXkeq>r##Lm8(-&6#Evz0v-%Kp&%PiA-9ecfyTM zW~D`Hi1>Yt=!9?g!VlfghjbukoPY%7vQZDDGB=8zOzq<$jdIb2WuP~6&>CAgIKX#u z_G{L(5NRCS11jrPTa4?%;ParhmcL*2(cpqHGK3W`Yoj8G*t8HPJmmo0#>IZMqg8l_x3 zod|7qIC(#(ZuS)&MZ$y)cPzQ*40!@AKfG|;TN910JR4?l`LYYAp$3W_AMzbl{%P!?WkV#ELgouAHc1EeHO(Ysz>kt ztu9pl{Rk14rKaFmzFt7yEXX9Pe%SQpu3B(`YsOpLQ3uj?iZScP)7GR(Yq}s3P!@xi z_aeyzWMlvekOZs4pz*l0&1 z5@7BtKtN2VVhs&7$*4=zC!BQm-IlIdc@l_ftIHrCcL>z46)-Vi*G^dK;<*#)<9j+*i4G4)0zu`fB%LhzYb}_-JF8#SFq;@iLn8w; zAd{;GGLf8$ad@DL8MJZKie#ceqRS4GpWvxWG$6F0pf{~+GQ@fx%cal6!n@^&%XRQT zcSi+9GT|iWO8Dpiq>>UARW%XCH03n8^kK6Sy;W%=Q-YQishoc|NGz>6UzgnnO0nt& zjR|QFiBPZZ(-(r5k_16&>EbnaD))AkXC_lPQGJWoQYD0jddJNB2*P$aPqMNkl6N200KO@~6lgEW~H3|p}M9`Fi~@u^RZ}Ag&-wEMBS`gl)uF$=vgM4 z+X2_E27E5Ak%Y}Q46)7TTC6SJ*q%gVO~P5YlU~XuwG>!S+YI&?TPH`#W3Qx9J%Bo= zA0@}zA^Kh_~zgy7LS^6n#6pIN52XP zl!-O}yh12jn-rmF-}i&fdEg^ap;w49x{>w`8Z^qaI)6J> z1(0K9d}w-Y4ppwcmy(7$peS~lvDBEUHb`o7`FImJw`Fv4!Lc28@^9D59CEF4LU5a& zlHI4kM^X&HhfU#R{PJK5*L3p&TOkz{gGtKYeqs>hCl)Xv0EOcXU_G9&L=Yxn*k_N4<9ul@asQ?O72^X2h1r?mGppar%Tbqu|+!KlRjv^6%vGKQyf6%Y#YK zHw&O|&j0!*+qT~~o3QlZO7G(ZV}Tcm2;*e_g?}oCKqrq|LOVe zELT@;U>WRr)_qe8Z_fi?{18G40sZtpd~s$vActNnxjPA#iDh+Dz#Toe(Z9h6-0*)y z2RhKcP1y&%D{zoqM(7gjf~3BFw;xvn!~PEk`Oky@8Sy`+@>^K?XL0`7RsQVb|C$W? z&m2HSF*WYf?Zu^~H{Vki{zaRcoBO7xr{^A9faNizvb@X|5P@~L_dM=hve2oIf8KMJY&%yOziPzhh5)RCSKa#GzEJtQR^ft2)BtGUwEA%ioU zS_TKKx_o-9@;cRG%cL-C0pOr^<6D{nd9yaQYV2Ie?L@QfOKBbF^1e$xF<$5q3^eq0 z!nusfH@miE`4!w;D7l?xG5i2rkp24wqN%els}>l-z0ha1Ym5=qz178tJS+OZ41qlb z4poi?Ml)$G=85nF)9N4_*W)kgRN#4ha+VK>%&PzO+XZ2?u#O3rFy-Pc7Y8i#M2qQb zPHTQYB(&Llw8vroB^q3?k%0hn8C{UwLXG5@`sWRvHkKX*7YP1-fmW6uA6$<5^)OsB zdMVbrz*8j8I;T$s>CjT^bgWiY^>HKc?7huJt(YjgL)%@EZ zzuG4l{(iv=y)~^7FPcl0m^eO+5ZY?a$_#B(5T@7_bGPrDRf%!V>eb1-wz3eA9}q~J ztxhQEt9Ww9lQ~kc>&?C2E~tBevd5OHa1U&ko+DTh*39sonE5|fkYy84pu$Zr?0^BF2cmvK;iT`Ws)#=gHx2SvYRrF+C&t~Kq_d>f_L=S;=Pyde)!vL5sO#ITEal^~1 zgP9sW%AP=v;!et$(bs_m+0YaE7iDe1rVH9Cy%djF@2vQ5@sJ4`zl6n>{nd4hckYBm z9^B;$^ovfo{A68l<1#7hb-N>O*xRR|wQ3f4Ll>m`JD zB01sF-Y0jqgV~&oof%r-4sCo%fyf^hg0aMctG>$6<3-^*{WqZZ24mSKVw(oWGS5BR z6MFObv2U}UJ7X!kJC;P=@(242@dbh+)6Go61Na2Tz&Vfi(h z%|-LBz7zh~v)LQ^2FxN_YH5G~{h|}j&f18Pe@S&`N%t797);t>%mywTd?GO#`KGyXF4~MFy=&ezAlgLhM%A1(4)baKx$bQgPNbo*XD$m^Bg!MZx8RY4FG16l zmOg9I8fMiV&1+G-Bnj?2a|g}>4Sb1jUwh_Q&dxcpB@S&|kbRe4GfTT+`5UTVV{{h516*u>lf46KVXx}LzI-^Ns=1H

aHDI zU`V}O^e7;?N>C{W+nYMj`#(5ADpN$v(1Ps~b~3P!d#Xp!)xDM%>sSgNDs~zE2fKAx zg*CpSFCBt9s#l)C&!NsK%1;AX;PK9~nzcNa`?qTdQ>y?*;I5vMEKrAP4!fWPt&44= z@HY)4RNZVDu+lICTH_q|KToKztn^AZ&^gb`5wQH>vg3!2MBC)CX*|fs&gha?b-SQ! zY^#>ENXYhXKXW*%h2wD#IWr@9e149=&z_ zLq`(7^vN&xMVxhC4XW-SRE8jzk-o|~%jy1N1Jo-fECNKtOmB$KtHpW>RQ_(Pz7112 z1JyRqpvhb42#}QI89P$obGhYy$`J05^w3)qOuC2%sL{^Ig>hz0-W};w5hOaxX%U-( zh-$LfPba$okoI9UTuuH&^+tn;4ye-2>{L_4KD(To3Va%G##<7?OnDf#a2kOtAkp)E zy`>UoneXg)oE}T3w%uveQZKp&J3)L>wsimA3>vd}cTSc=L8W zio6lk1$qO;FZ%UWWQZx6;`B3sr#Ryzu_Z*5u; z|K3K%GgEFj`-iLJHiH|;K^@G+UYiA=_HmgttovvPYlcLJyaYr&s#Cy$)=l1Dd5$1T z3FqlENdzSM{B|Rp*mx~F0ImSK73o0Tc32Bd)B{Te_5STh-T-s&lG5_^_}Zxadj(zM zXJGh;>#`TTAB7sn4ApCtTA~&~x|7VlSBi`kAwORP^-7sUudAGb3fnWfx=rlvpGD8e zf)sRERQlwoF6n@qVn7ur)8nkUrhq;aqoltIQvDKvQxZrv#a=vX&g+~^0ecRv`-sS6{F!Jq>r~8%Q2u$0GdoMpm7YVBQ zy3*sVD#BScW{ND`P*sCHu-T5ZHS6;mi%T?!Lae5R9m968 z)+~pNYNOx*xai**>uG7A9%+R+iC#M^!Hdl67EnhAQa4ec!6i~*9^w}wS2V9q`wOa~% z2a}R}%FySt=>cLRFFlO~w*Knlqh<(Ohw-3}Jy}FA zRYcJY=#S+n3up;&=4hqfc#H?c%m}*xBV}2Vn(MM5R$@hCZZBtQ^JJlkDL+g*BAr2I_c zumRK|Dl}>-kBld(!Z>v%DL(^Taoz*yoxg$fidD2Y1t+7XA&Gh&s6H?(s${#RfY`G9 ztd=-s0IrW(oh&QF>LT1{fsR0pq+(Du4)Avrsyt)J_qO5Wb$Hzx&J#GiVh1z9@&GN) zwgKv+IO!@Fgf=9tU^yrOccyna`Fg*9b-=XYDW&N$4(rv|tcUQ9B%N~JAdLm-!Je#^ zN=wUhlDru@UFOcPFF@DjZy(H*nr4|HRO-Cyc724K*zhmvR%B@gCq~m&UQcZL;(alI zbRAQ1h>+ZUdH?M)#3W`lR_ReZ=2i=4D+ax97D8RY%i4$Cy^3HK47y7ImHdUHziTy4R#0BG|n-n?K0k;a=sN>=!iJ)mq++^0)%g})vIAXOPL9;_wex=^# z=vr~6g3AULCm+*7Pn2i(1u6{^0a~I#_^YIa8)XF&L24ZU&6BR5K(d4y%*o;gVe3mi zL}#2k=ZWd4-l?q>pdVP|d^T~%oG-%uY0ghZyQhXguAW#N3l=!=XV;*aZXGI{&Dr7X zJf0P5D2lOqwsK$u%hKrFsDKbS2Af7A5KnDyBs`A znk1NCZ1c*`#>PIPKo~tMh&GVe z;Pzti*?C6C!0B%1hgb1A?QokumE1=Kf(07Ux3*C-(eY^Ncw-kC`E<(R;bv3^VW)a=-hgEai~k7eNF+-zqpZF?JsG(Zq|D=EzXh4lZr z!0lg0`A@L+Cs_L}bM_~-_9sjG|NSiO@OyWAGjnqZFI^u2DnP$+@boO{o*cGhRVq81 z{a*ql3Oyk50ZsWX2c*CW=k<*pa6tAd9ajQ`)PM41X#vTB`}r%t3L`te z{?M_*I{pWp_RoX=8Sy`+@*9c$&*B8z&Hs}U|7TbEvycBdfc~`*<x%n3R~+4~t`w73jo z_Y!U?F|YUqcF*u@VpJ`-iH`aHBKwZ($*w%mX}^1x?;QNU{#T288NGT`eJ%&#D@_6Z OQ@^ZpDgWZNd;b?C)@Qc> diff --git a/versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP1/Distributed-API.png b/versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP1/Distributed-API.png deleted file mode 100644 index 688c7c2e1bf9d75f570cddf3a92fe9d4b8ee0072..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 49935 zcmeFa2Q=K>_b-fy5Gl$Ngb*Q!sDsgaA7ylgB+86l2BVD8r4l20Nz_EN5F$-reLWsAHSoK;i<<-Zq2+*a^MtziVC}rX4>f0;r-zH5 z2k0gxBP=Q`E+YXKmXi7V8_?zd`MHUmqaDuWKTHGB>F59>S2(~oTa?uL#(G7(AVi68Vw7svhB*Gnhq2cO|Qd0$@(bTj;;I-BK zd{oS(@cyDMs_t$GLjw&fcQ1l2)?Hf_W3R7;fV+C=I;c3PyCOARePuk+I`(2%O;=S_ zReu!|BMV&@M=-ONrB{HNor9(w&?-#{INr_A6RRTXZ|`7%v(m>)E(^#^K-@` zKtC@}4PAn$3_{%l=dEEW?x1C9ZtU%ZMg+n=&GhZ9)KJb61Zf{*Cmk0l@qhs1Kp9Ov z6%zv;ZG@4Xs+TF=)zit;4UI9kx72XQXn^t12sf;!pQSUw9_J}x4@2M)-X>ah2#l10 zr>B=U#=ue1#m&rDUs6rgGC*I{O40%Et7?X~kjCigdTY4ZJ4hof9CXyAO;P$-3nbnO zrlw`-q5&jlqVE-G;%s1IVyKSx2JEm?LFs6_nBh#V#Qoh>?Q{cB(nfGG2bi&+nyM&4 zN?XU$LEjN>V5cdns$r>#burOL8hRKwd&BJ2-5k`td?1OLsvw*!;C9}cs_ri8nr?v@ zNgXG=F~LyV5DnBs)zQ-4QN~2a%|c(-)k4xUz|-7UU0UB4FQcRGs-tR#Hu4}4ER4LJ zB!C_}nmB<04bU#0R(`IcR$|@~UPfXnh6HUDaVH~h8Fg_tf)3gZV+tCXi)wD&GEu9TC z0}Tx%5k|i1`eM2cNMn@%7~IXt%1{dEv?|)jz{CrwZ-sXBbT-5~N@H<2Z+nCx%-qYt z5FTI$GnO*&c2#jvF>*Aug87@v=(xLxTIidaOFB6E_<4#06QU~V=HTS#X^#^#f*I*s zX<|?+7TPW@`Xl#d<(?d5{O~~FPT`;w)p|iQSlbuF@iiV!Cqmctb$61@8q8BLP?5uBW zu7j~exm&t>nWMziumnkQ11mjkFDY|`q_3#I3>d-{M0qPnExGxfzSyiNkI$*A-ql^*8513Rn~e zDZ4=Mt13!E+bmE_R8zy)O2PszuA`>v?J7eM^U#&{GBx$WU>(I=)!~q-GxM?tG(~s^ zXov?I*c&0?z^ZBnVx$SaT7ee+7-KIzaZe*lXhb9yDP!g=?J5@FW}szhf++y13$E`jIRSQH=1aDoH5$c!$Mq77v|_7~z)A}2H)SS+`xe?_NwACO zO0Ctj5jP6gB=JR3Bh>c`nDgw9=ZR_F7k^B5;l)MOo@yzvWW!4)e$!_8?e_kA1G_c* zqb_nkXMOsY<=x&4R4LWZ1eRHEmpDD$-V0uMmG!E=epP<^WFoKrgYgYzG77qIGD=Re zh;Yi=ckT@T`sLifF?F26gpq}n701oZof83lOHK_MX42G5 zbECCJ9OX2IPUSScN{5YeLMd1zuUh4igBCy+uFOQi!esd@oh?aLoKJ>E?Xc%{ z#s(JJdr7A*9IlhD;aLuqF5&t=J_$c1Le~ycB-;j z#72eftRbJIFR$(&ChGyA!=`$q{^)=qMdismLu1UB(<`49G5%Wy87f8$-Bz1l{9w_g zN%bk}WM(VFAzSDY$w(-@s+E(6;<=QhjD3G$edAV}qp)r86(% z$^Fo3PS5`cwDBU)w?yHPKU#B~C+@3Pi$dtb=l5yTWnuqTohBGtJfz1t>VuDZ*ehp# z{y&g?-@n^Q$;y6_iKk)YeG|pV=U*4L86(R$D|u)KIEZmD{>SI`U%EYXP6 zx<4wQNn?v*Iiu+P<&!1)+lga`oGy$5jKB3Lf#HurOOborZp!fKoSLuO#;)JP*KkWe z=rvFp_NZO$@10v;`|62j!@hY~y}!3z+Z;BLY%xUmnfX)ltGoDu8%a`rG7U47i65Cl z%1k7Am(@?CTp8j`ckj7eihQeHrF|t+LnjgY_tuTn278d}YSkYTf#S*Ocor}ouQjx@ z{BgnYflGc)g5Cp(R-u~T@8%!g;W&;Z4*P%gz>bEj`&n2M917Axh%ne_R`62mZT+b8 z9)9LrYUsbm;tPj4)>5>b|D#&@lbwp&vy(}m1Ncaj_nkQKzuz9KjuxqVBLnAg>~ToF z)}Qe*aExvASLvG{cPGCDEz}O|u7~a8G2yLYVL#^|FH?7$)SPzJwJTEr4xK$p=zcS8>_J9j60jb!pKovTIJe1$$fsa z#lERIizR68)xd*L;Wyu|PmYf6@2yue8pwCoP6&BM8D6lfB3e4xaXn`K+upncwyw7{ z?)ipr&2Lo)diqlb+R(_w8N27V+bAZ;5w_!9(ZUt|rh2~WgHYvo0=AhQ?<>}i;LH5P zqH>HQAgB6gR?rXyt>8BxBB}M+7ayw<4HOAiF?vXykj)P^*u91A(fv@&bciG1zCYlwwpvkyXC3)`AGSx>l)10 z#!o5j{GN~pfC5couv=ep21^m!@~Zhu;THHCd7~8ALYj;AGnp~yTP)Na&r>+ zJ~InADJ@M6cU@PperH02Em5ca;Ubb41@rHK4@eZec)ZJ8_xtGj9i^RzmDYNqGBj&b z24Pj3Hn6u;vFJ9JC*1d>A5~&YV7#PHB`-Rs9kU3Nla!x-M2pN@2TtWpv0`vr`g)?U zJacQpL@Oq;5-v)*n6MPfWtD4p;|04chpAXT~7u1hm0T z!2w%>i%=_IUS`hhD(^Xez>jfmx|z@mvD;B^x$|R!$Bono8O9v&zkrrFwto0MAuc_* zx?aB@QUx)Ckypv{iSljRY-_##!Bn`XURf{a4Ch zcN#g_w&^)==(#3l8+Sc1nJCE#rxMufPT3iWf-$OHY9)fHDaZRyTTy0CR?9rX*C-2> zt_9Ma1f)cif)l$cK|GM1jV$+Fq9pWD3MG12Wc=o5srt>1N$>i~pIOxerxX^uBN)9C z1-c@&FQd$n@loBYU?bF}!gw9yGjbABKN)Op{#4qR8DwERf+W7Y;#u1#R6YAV=HbQL zUy}eE2x#+Gr@GBaw-E=)jUoJKNQYc&=vHrbmD2v^$3z1_izn>4y*%NZsiIh^{Biz; zi;PTK=R;mz@#%oGeD!2uv$;t)F}E0azt>VA86gR$$wz9unux#Cx{s}z%AfDnI`6^JorF(l z{V?A&lz_j{D%afji2>u9V(I9z_vmp3Wn!NDX8=+C2fTF-MxgRP(WvU+c8h7F5*u75&`;F;cUP$Jv=K*W2BOL=#y=Y})n^!WlO zwLdwdd*(A4%bBc~kQ%?d2q|p-CqAXk)=7tzCF)!jnI*1Z7-9U@Hc&APM!ogJ=7evO z{Fh52ug|*?Tf;tJ?iN3N{h$KI80z;i7fCt5dCH5C4S4EbF-JQ3&CX=Px%x6^jc=qO53 zj~9xw*|+xGAzS^a79|OJjw{ePQ5OG%dXTIz;f5{5G<9yySjx5!zp6vWhpia-kh6h= zW#gbt+C&dUG_lpjE~$RJrJ0I+jYrbA{{hcxf!Wy~*MUdfbr1L*a@LbqUXY90P>_MK ziF7TsBlxrDG40yk_Yg01Ge765lggtYz_PSIk(xgMAuw6k-Z zF5)!#bmJWc4>Wzw9y&hH2095{fRCIvac#%ho$PLE+=0Ogpa+Zk$uUaH5c8Zd2l-sr zR+en~wZO%9-}54ZdWbvRyV2929hgk$^`U z=zQ&4CzX%45y^p!IF%xXWplRpUTneDsYNRQaM3oajgMb{_aOQ|ZuXno7-ztVzFYOyIGUM~+*29Mvq{PH} zHUouUs)UDt%fu^3#IB3k?KhBGzT^gb`CjT~zdKobDszABL8 z2qF}pY(#>uLN`L?ljKAg+&GDznk`(+mrDoIhDsW*`j)5RF^fgwY_e`030u8SPIyE2 zS7$9CcXpBGr-Ni^BIIO;Qf%0LN6Q!!$dJ<+NHM--O<7oPz43+xT0JXZf$QT-+;oy; z4!_isAU(h_ehZDiLe4g3;`G1T6+nLB+qal`SywMAXRcDVOw@uMQTy8)2B{|;?1)d= zMw*=NWNlqhmmm!o=WW>Ks-Tc06?D4)DuL@x8x)H*9))%{JCL=1O?!po5!*USvO~#{ zt<#F=NlYWcWoKyOJ_Lci5cquz4N>n3u8&3WkBG{j$&wy28bPve(GTC&z#erc8e|T3 zS-Pcs$~Je1qy;1@%K;MS0`7ZuP&EY8kR8g5e4g1l&G}OznO{F6XX-lG1*`9xn;_~x z0e{JaTjOlRGxAGne2<_TTU!0?2Z`TMyk_5J4Wh{ z_B@a~K`P5==<14NJA1ZBUbm-LCp@J5-;;1K7f^4R=DIX7XeSvS100m~)k`_b7H(g7 zmKsq0r;Rddxj;L23u-2hL7h{DFo&+|U? zB;@61HMO)7iA|hz&s1#>(H9gVRUR@xX*>;eZ$hUA1qRAsXY=`TyvvBNl)6)QIpR+$ zcQ5Imkq_+8;~V_N*-+E-@Q4v)8Y1<>R~03{@9gG!hn|egQKVq~d4_}v@neE>$7q~` ze{Yl1`q*}qw^ooc&BF4TICQU!7^g%nByt-laJ7-w1V5p9Z*xzN1mbMS= z-%>SjyPN2FoT9z>e;n&2>znXMc5>EcUcG%Lnu9J(0_9qrtkG|@WG6*543>Gw!l}V5 z^f^5|ke$5+W;t`0LHeS^sS`=_oH;9}Q*DVx51vwc`8eOw4Z*CKiqMlYX@?Wca-45M zr)bU*^8W2pUB{~_V`v$PUeTO6-qv=+Ge)w3*FT{e1Aiqk(*&jzoTZ=P1LT*{(?f>} zwF)4gQe!wIryLs+S*mwP{{2@;Las3y87DQ59?5k&%9U_kmZDw2FM*B@BL5OtSgx&E zA3tj`a6&I%IGD!F_-av47pk!cSLS_grNqb#*QOs%NWMZ&0=^(;+-@dD)D}Ybysixyghp=+45y!n?PumoLgiwwM;xenj%PxpLS;+jvQ zW``x~?s`OC*+8gLlcK?wG%MB*nqO z;SX-Xna%e_?XIUwd!v8O+_`;wsHH{w=S(FX1)RY)6QUJzsYT)B{Xx5CZ>=rsHPxMC z!%43gG40muYi%eD{kl%!?`WTy_@JG46WlvGG@>Gx&!oJBP98lV0P8Tsc>ksKjjc0W zs?n4ZowP()bn<6zrx=YP?#v$|9Z$997o(ZuD4$$xs3|lyPdJ$E3^bcY{FU6Hu^Ed< zY9WR$X%SJ9pgB4=1J2|f>wC9eqJjfJ$JWXWg$ZQKk8~^%$Dxyugo=R2ZD(Z!?NIP= z+aEcc?#L}>F%2LIvHG5^HfTEC-sk`iI$P_%G1zA#Gi4D&tP>nI^{VR5@!=#w1kACV zA!xj$JTmC9$xdG7D!_LaDH4>EDbtwE+H{PeLpPtRA+W6e63#6tD0ufc{X-2Pk)x!v zCY{;%7eFHM$i>vje(v>+CR%L@GX`60Q+@#iYySD7`iF}T<=n+seowUx(e z0FH}_Qo!}28Wno@_j-l`0Vo|nj>yrWXpg?^z{3x@5iFRa{mSz}xcNoeBx2l2x&!{7 z_{+NGFTnqn9i1701ODra{CK4jPO$p}jzbKg`rl?q+FhX8dyiV48qF`R3aHOB&Y>>6geKJl7427*LQ2MRn z>$T5AVYfo*aLH3gw;;j*B|^hFvDI@V)a zI(O*2AS=moYw&J3i3^)d7GtB8W3J#?zw2M|{We?G_Cmc<<&T2w(5kP2Gf&gK0dk1M zuMgv^@ik-Y*qUs<)6af}W0qOUiiLM<2oq=UBZQxo9g<&5Ol~%x^C4D)OZhN=L5A4; zYQ+#P`m24S{-Xhnr^`uMrKoSXs z5~R61wM#^LH^?rF_s1|{sGSATl+#GCNS~oun~+sAsa`$t%3I9VpA`UV5pyY4ekn3N zY;QB&QzL)X$Hk_{spm1G>;v~>7{F62Dnr(X2d)t&k~8BrSTN{1h0XEA7+#pttIp!I z_Fo53O%zZfUDK!6+F!Z4dz59gv0%z(rRpU*1&A=EIcKxY3SRT0_bM-4^X=A{FSglz z60|nxlvy*Xf?TSZ()YwMU-gQBu+<>|Ow2M_IbT?>T?qLo^rBsC{xc@luYP}bVVG8= z=G)#%fszai_Ba+GW<%`Wjr97}5b{?!*)IOkS68_5arM|exgh{*j&p>p7)gC~e^IG+ zN~SSnDKXpEWMp>YCoX2Zn#Ah%Cik9fTZimSNm=4<3wNw<{qCG+`r`S3ZxQ+RFFq<( z%gn8&kM5A>YL+|aqxiC%Lqm5Ko26uifjF^%A$|~kvJHT=`N^yxEWVW|^$osu=Gy#S zfl{vz!qx6R=vi8ujdv1Z!XfzYFo#;jwa*yr2cZgg5`!kdh0?cwFxN|)S$aNuOEs^s zKrl%Bcnv>1@p{maZGBRze(+l8<^+VsyCdBp;B)@IQ=cR7ipa; zL)}BcQnw|VGe;bCM_l;I+XB$M^8l#Are5>+2D4p#zkcKVPEPgKbn)<6r;P4j{C>|r zqod(lLRG&WAtle*>~9SWTRLU-U9F!ft*%m7`}{rzPExNov$*!kWjQ`J*k0^TIUng} z;tKc9#PZ&H{b**ukEnSePlE2k1m|SUH2XRBgWH9&C{W0^hEL`$<&$QUd*_mySQ1C2 zLid)lrEF}=0OB-1o@kIYy-vQ?wjWyc?u+$VjNY7BiTJZLsbiUE2iVO774{cn!z8HM z%ffbNNbPay@hoSucW0g0#x#ic@pa3Y^AKn$2XOY`4ynwy25Cr!rsOh7R0su0pe#c z#1$>LR3%Shvp}}RtY0clvwgGx5YL}kfz$jIAQ}bt-UpiG+-?F;GfW%mQ4vdy-2591 z##P7td6fLl@Av6STbz|O+rta~%+>*Rm>-C_bNC_en6qnnA|WnMq{7Ls|D6jkwgjMd zpN|RyA=_U^{Rgh$GZ}9f-0P3l9Np@#2sGG2EkD8A`X1f@RcM}#9BV3i{sP7N!U9=s zkus_Qkp~ZZ=?(x@@ADfC#~$#V$q&ADENCK(4b#5{%)#YU+gg>TDw$s$Z{}OjQ=9M4 z?{)2NG%I0|%&l6)5}@LhGH-nro0z3Y#NbBd1V&x-bW0Q`Op9tD7=*K2kX}(|xu`yZ zK-{$C7w24(U}7wb5->%(E4?u;T<2j$z@TJLCJi>E#WP-m(C)7wB$h6zv_1Io0i(0Y z9$X(r8h5&}2nBZ}9n;c;&9hzv&z zk)EwiK)@Ayy>F~ZjQynq&H#zqX}=bSd_KZAqg!PUf&xuUS0wVsvx4RaB^ZSs`;W(W)@1{k zcwW5IhxD1t$h;eG7{f&>n91h6O^LbE_+W8b0qw>$g{KvU(cU`9y{$>CD{5CyCkApmk z(Pb&#!~@5etaWjMEs+r^{ScPjcp|}nsXk#0Sm555@dj5gdhHFu@>G*a8S06>-e}G? zOvI9Q5sUtk_LDSifMBdSjt$gKo5xjie`8&kg!Dy_p(v47c&m#8kgX@fL)~hkmGtdP~nNtwB<NQxs}ZwvV->5w z){Y%JiDYl3;e&aOFLp%0UW1^cRP5EZT)*D!NEk0wXI`rH7l}mFghYIefF8$o(t1=Y z_g!>`UYe-gbJ%MTNkmGTd|}0)cYMEJD5x2~cI8oaS};y^`h(5hlD)Y0k25#QiebD1 z(MCMM&7t}2o;BXhptWn1CC_=8Ilcu!w%~DZB%x%rKxwyVdpUbwezP$xgKir-s^ljx zQDw6DC&U83z&`3!LRql-X_<#0;C0vEnAxqg(h=j{)>>Dd&0l}?iruX04|plVWa&ri7(xaWthReZHCQMSrAY-BBc+3MNz! zY_=p-PR4WsUNq7X_==ua33omR#2UA4e|!DKwU}3ukmR42Z0;(N{6J>*+4~0%;(G}R zvCe{|2lA={q$ex|#v;eg2YX>2v`#6>uwRn-5HvkbnJs^hzks$$J#nA0*Q{NO@Yo-0 z2>8XhQs6vlI>`+3-cJ9dGim^sD)fsVtuXVSUgBT+(4yW6GlF&Txj#gx-M$~$5Y3y5>aT|h{P@i%x z+S={utNg9vB;1yE-Tg#HrzNia^E=;;bp(BAe8z~;`SBNKmc-`ienNyWRh=Q3&`jGj zPS5=lgtxs9V_S$FbX$u}+c`HPVra<%3&MgX-o<5gfy;%Dva{IKg>p$1!HO2m>ZVzDrQ#)1zuQ?SbD3D3&aRacBr_tnccaSwVz@^ zJOgWN^c_1Ap$OoWkYC{^_3N`Fw#8-Fy>vaBs-(@pS43cqQeJaj8O&Ce^f9Vg+jZq{4#?CHfph|Dxa z=th4g0lL86F^#OnX+LH4Se=g|%2Vc-1T!{r4dLo=OrigHYQC`VKC@cg*Sq-c$AqJfap%Dr6&&dw~l8AS- z_a6b2>%NUk$OHtC`-YZ=uO1ji;PAS3UT}Tj?o!^qbeec`xsuMA^4AF+shgjwr z6Gd5yK2)P@OVZh+fhk37Ml-wsGJSfw8v>`OH2`G#7ov7Ir`*~jvgGOk%8065P2#}; z$n>Z>&y7b;JgNz|F9XQb3`chYGB(aYV!02^dSR@^@z<3va~(parndaX-Ka+XrBc5W zDqg}Zx+pDsR# z1Ni3!_uCLA7#9yvR?Us5+nQtQIcG_K9dv0orCBpD2N2}PHtgwNE*3#zv0CATGqFMn z&@5f*0Deql^+v0VNnf4nlRWI=um8H!8VCk?otBqT+2AfY#djLfvUlQnT9Cr90$1D3 zl*e7q8Tcf%D$0lW_b10cc2gph{ZGj6_!;0Yaz-2miW#11RY8j+Bafl{%zV&)Hu-O5 z2y!68Twk0amn3`Y)y+aNLYa1Dq|h1C9I!@1mGGd7<7cVgQIk)m(?1l?i-M)l1Q)%3 z&YAq=oVOca!%$Bt-Qu6rW^04+AgMFt5x$gZo>QnR=V&nPkERuHjw;jSvAP#T*(utE z+Wt;>W+I;-c9_z5>A+}Pm;5w)?H7#nQsA+mBGW~O>vTvsSVW&Tf(z1kPTQMg>sW5p z#C!niOPvujWuqjaUiFX=#H0MDECO$l`9!lq&43mrX@m#iEd%L22Ehs(W(pJniLklj z{L!&T5%)Q7nw%t`G>01}P#?5qxzJGiHL~k*(RH$A{aYvcs3KtIPhWa7U{vnDPqx0$ zF!bo}5T*nDw~=cp*6LRz$tSN2Zn?yAVDze0+kRkFjCrZQo2rFZn#Cktq&Q%hCbids zB$tHC6V8TUlM8CERBVZ60v;KSsJI_qc^1^76@`a<4Oh0Le1lKTWA0AT58pI@9r`7= z`7jL;6_-S#D&0qCi#6lsiGpMh9!^g&R2@UD|KKvU=%{Inp$8ocrcZ~B561KuD9#zc z*1w~qhX1hjAGZFZt^XK-e{AbNw)LMQ>mN_x9|!9n2kRfd_5b^IfYWCNL>9N@bYBn^qL@u?E~8y*+WmQggbKTzA832TRtKA)ul)_c)-^$( zx{Ki+YToegYLO56;VlQKe$H`<+34c9_>0FcG*}b9sFsVIGHGDJ*hxQ_x^*)AY!Tuw z3RjwEr;3tqH$ao7aW(9=Bn@4pB~PYA-Feq?9maG!_r7&nfa7CcBkDq)2HD5vtQ1fd zrR`m^b#4<}q9COygDv}UZdwwG<(^}p-H-e657aN@q>#8D?~x;4P0pxlre{%X@v z$Y#1Bm23`RN<);W>}`J0Z+Bq*vALDS_X8#`^4U=rayQ7{gyolBqG>rt?lu$mDma9e zRk-f4GblK18?W5X@a**|%MSw;&%XcAz3UI? z69nJwwxEftV@_+Xyjhl0h;ty5{n;ryViCV41x&Z$i>$qn&FH(^(IWg`0AN!NzFXyv z1_Wde0sEHsURe-ps=|33j6qL_yHe=n4~t;h^ra7)rPr0wqm9h6j>Pf@F}Z z6<@K{m7vPBp+kPT-Fnwh+B%KoL0KQV^M;jz?w3KhA2p^V>`eC&$}Re|ZdqSYY6ah( zfHIU0YKK8|7T3%XRFXIotOSZ=pRlpB`#}|%d^Wgl4dzOa$}&1vyFOAktcR6~ba{7^ z20Q4G>Ic$0(yxT=t`1M8dn&%Kb4*$|Ay@d4{OUp8q#+%!`=Mw88%B&cr0iKa!6dal z_f^0Lq7Q3Hm@8sssY`kaaa{4f+8J+|Mmy#8r_OlA4gFM{a-ws|I z#@paQB1=^n$cMp#imtWkyYCj?-Gud@W`uSiJR*t=3BbTJwWO7GIJ`=ENYKn_GBhXg_97GZzqS8i;T2~wu1wQe2Miush) zEZt4_>$j}^k@39ya~hP)1>bhs96cKnyp(Bl9=<1c)zvgPgA*WVfV@CIG16pqSZGDN z*oQYDV)rEzB&cCQ7LG5J)G-7yn!ZECk~XZ+Q9MJ&xnEBs$X=< z7Q?z4wL$IW>I47hr|UqW;IKvgR-fa?Z79bC6xY6k63^zL^4lvQfiAs(@1Ek;ulzEZ z$+TS9$1ISP<#=9UOsdExw9CNx(zhO zaQFM^FlTHV+ObtXBwFaT^S#^Ip<7e)HyM%6*v@p1*Y~&k%0l~w(v(24D_qKdlgWM9 zZ@>ddoU0fO?fA%yvL(ku2}`7ub0?X{rrQL{d>05GgNDG@Bl6ez3*L=?eNmnb#qY78 z@Y5L`H}*|zl8DS{{k+tXmf<+o8$-re#wJw?;P7|!w(Rd%Xf5-Xn0}; z+KSce7i0&n`oM!MHm_SEU0eB|z0I<)w&b#58TIYe?}&oIdh87ZsZw@kzuh>Et;g;O zjo1|@p(-rjnE}&%oI-Iu_b=}xSxq;L9#NREV}$f=ErP+`j@zdWjn}WeDuYXTZQdWs z$qrc?B#|w{NROYg*rJ15xl;w6zBKm1xj#d&RFkvN25rw(;6Z+1@NzE591EI{Q#<9o zziP7&FXdQ5{RFvneeS#)zI+XhGoAMYE|5it0uNG@^v;x_Ryjuw>@aP;!c?2kL80d@ zT=SUo+bACjJz{b7LfzM4ke!8vN^$Eham*5U9wb{>4}N7y+`JbJr5s8kB=1g_2oQ0E1Zv&GqdBKYi8Dy59I1DhS6n zow3jxU}u& z_EEev{%jxMXwCsgL!sNw@5K7E3J7f1t59hQ4s%OhYgE<>6{vXRgZ!5MI@dQ8AQ|mb z-Kp}hwc^w-GYzp6Pk}HpK-aDAbwyaeXIhPg52d_(7_aqVboAwc%hq3tc0L*Lo6^<# z&S$0V0o@M2Zw3*N(};wes$c1%r13?B3{@w0((YY{**?7*FTp7qaQtc>9KTm4yv_h) zQb=G&@6X!s!3QFgj#_~N4;kP=uIAd*!btSLLywA$fPM$z8oJ*H%bm0ldU;d%9L1|r zwb|^ieY#Kmy6#at1-tTaxn*Bi#;618f22YE0^Fz0f`ZwD#ZFrAzr3z2PXRyZH=rBi z*Of(K0j_3$=6iK8UsD8(DfT=RX9SKcc>~Lgjm8RDL@1@}RX}1zSrqF`j>6GW5I4ht zyWzA}y%mPY{cZO+M$f8fkvZD^iH(A>%-W;%1V!F~br8rik9uKE0TuaU z_OF)J)!p}2TH?_Fk27%|cn9{ya==G9X0gp+`(yLJd+T8BC0`!dP;UT+F7cS*<)(8E z-ag_1V@?+^{Cm$Ib*EitzpAn5$TSG{fl5=q!fa6B@bCP7TXr!41rkdSkn9t17oX-k z_MeX&3%k7nZupnM4S%aO;@`Xb{TE*JV2BqKKq(Kv4RS+qw*U4j5$@MgvciJV2HBs5 z0F5ZjKKIXZ|KaX`tuom2cmYHWDjdj-vYVCl{bZz73G&(%+}y3GoI?5^QF^052>wOR z64B@JDaZCmCSc720MPax*2F^F{Cqmgz6bIsp_&CB=)s$D8*T8O5UK)HHN3fTS}|Zr zq}c2RrwrKgY~+?Vz(YD-74MDoc!6Zv~wMLbV-Q^ zqzLGI2_&IyO0;OXBErp}DKE#um{Ocx)haBvi$h+N54fR3rvqPZ7!#{73C?Tlbtp9- zyzG>>xllRzp!mxU0>E-zDz;O3ss7-+FH6VVlNka>{jZUgd@1m{N>HcJt53%BASJt- z-hT4ZhK9lmvJ;+n$(B2kh7uDUY}`%o&u@oILX-0YfbgEfs=^%b|OUgvNP%pBGbp! zIVr_KYK7zDtjk7gP5!U=e5jo-G}K9FFtA|0qs&JWgXLZ~P|!*gNKl=ZdAbPhU^uIi zz*PhtMIbeFFDsK{C%KdlxV;yd4s=b{p5|)^F18t46tlN+2gxya!g-+;7lNY;f;35? zawHd+`18a|l&193;N6|!pNi|1zzexDx@C_45ygkIawn?pJSu&1l_noY(O%JZG)pCL zHrivxV2!RzIXuLh;GA%PD z{u&N)OWf|(E846zy(Zc<6dWjNAF=_J^Lr;cRyjxSdA#V5oCo*) zv0?P&Cx93Iy70Stbhi_#vk9ayW}vAr6rjH@sz+yAcR!9$g?KKK52c`-1Svb~Cg4fJ z^YykCr%#`*?(Xik-R(9)QK+e@VeRcNx)=2Rijj@H_hx|XlZr@i-_?vKr>ZE%m{&{3 z-<+bDqY)kbBEDRCeK+oOUa*Jp@UfyB!K~XvJ@yU5C-wSIWFz$%FoKeHANK}PgzIge z1d|nuNUb-^H|$KN5?wQX9BoYs_YZm5oQjaVeM=eCrBz%)v0okYI@#xTIm9@I@ox01 zP-D>YoZHr|whE>YQIe{e`o~aL{=zJlPu5vF*`{NKN1w_+Gu?X3swIPc_1$GaD=66Y z7LO>kFW8|oWF2D+ZvvIuK3_bTIP&?ghX)fsYHDE#7TU5UItV^0R~s-k)bXM^%?-7o zIn|&Dl`16U5)cqwbj z>Ot!#wlK--&uux!ioD_UrH&v1bL0K(J^a*wVeP@%AHG4&@IjI*&$lTIJ{ZhYV`a7= z<@$7#%G|_(D6P8Mj_5*zC5@T0WkG}%n4>6eC?5lap6Zepjwn9%n5YkNHiLL6nnM;E zj^Bz%d^_;yGzmrGVwLk1I+{o6^jq|x&9`u(ZyL0ImUy9n2VYjZIc&UCe$i2!1zYP! z!yUJCr4Ix3q3Kk;%li!=$zk;C4LAFt!E)}h{3&A&O8*yS%wAiR!F=+5hIk&MV}3I; z>6xDF8*9u}nQI%WKXt?CS`guzk{(;LcW~woJLMrWS+bF38lCioH!@aMiE~$u1#)Hi zUu3~V{MB}i4rDgpH1d$D3l90(q$9DuQNGmEQzl|F>R-OprVv_E^Kzv)vuthSrC%)fjYuQJY|M5p;`cw=eRgIS<^Xso$SSGWE^6m0^3mgQgfWvurRx3@AU zCHW*92^A@O`RVD=s&&v||6g_R6bgosD9lXfuY>AtPNHk|;>65XVe?0o&9TX;DWM?; zbXfdZ)?Dzb<^m0^AK}W>;2B5(a!80SE!_L3#@ai{kvP_LC zX}Q)nB1E6ekq#6jYVuG)RuAZ~{Ngkx5pUp!)G`t?9_%NaTjb$sT4j+#Gu>-w`;K~YGS;TWYVI92V4w+eH6 zwthbif;Pp+f7RjtdPRr-DMeog_uc=g6#e@O%?2`HI%i(z(W&YF0V%mr+23;_zH)Pm zw>nezIO7t@mOZ|#44$4SY1_bT_bd3(*+ge>8y=IHnmPNm;?#<|{H}=a$hVAi374LW zbBpF|HbO_uij@xx_*2=YP65b}Ms*bT@4cGIRj9L?xnASWU|ZMJ&0gyL=Jqrk`kJPx z$x7+KO2c)a+=*&{@`#a zWbvhnXon6L%C7c4{ODM9*&b{B1!5D68KpBYGme-8uiK~{oN#kLRt-{B8Z41j+; zgsNow<|k5Z`~gy*Cb!%!KKv+Jcsjp=e51oNbj%;T9gv?r=$PKY9=5ZH z9FhACo)7JZ-gCtQq!tG~AP}_F%9kFN_-4bg#Drge`H`fbXja|QDf#Yc=*3sGJM_3A zR5O16iDJH)7TS^B?~~Cy2$gv~w?hF@4h__;!7Juof32D+tFJ4{PBynH8eD0OdcQdB zaO0$;7XS~Vf(EKbCZLySNu25C*KTpIZ)Kr7dilposH(N{i77ey+&{7tgkchc09(^Hg=d<;^N0wk2`c4K;Q{SBw~}&A6K;UCx(RMx zUu84Nrc-f^6;Z#pLQXCO=~_}`)2oiq$dJX2FC^eQg%;|wKNBgfICW7RcDtX&%Im+)qTG-`{AS2XwfH5>gm3u}XVyuGq(G41rSrz8#7h5LA*J$nxz$ z^ukG?m}|WfeEte%4po^?GJ6s9j6;o>)W*TvoCM6hsHt+GPjHwWk-!wIB|a)kcf(#j zq=}Mo8B@Qz=3}6+ngkH*Io9PB=K77M@h!Ss*BV*b`8Q)jD#zHzp(il&{Tp)>!1XO% zi503VKB!(Jwk$w@(pYw8Y+z&3}3dJtv706%(ar3(<(pn|fRyfuO9OIz!+t(iy%^2Jn>^>+~3+~-d z%ydkq?gYz$W2-;FL~f1U9vNbEt;0Iy6-sbigm0g2ROpSN46PX%tO|{h2o1M}G?U*% zr1^L_q=WYUV0Rr19cH@RBg&Zk-F@r}WU-idxmfp&U9_SUQcS!?KAQ%yPipE{ErPTb zbS@Xm?BD{*Iq-N{WgI1{jyby1M@in%;OywRz#O<=r!4G>ZH8;k|R|rp10KT?9|?rB!3>_8R7C!T4Qbps7ihNIofj8r2*WGqqzta|^9# zKAy#5YGR-zH19P5zq>mGJM)aE1H9C)rBlURLRb6zIL61J_vBW5dK6z!4xz(0LBdHm zXV^L|C|)Ge;C@hfd&on>gKhX#qu~Tu8%|!Op$Bmp^i!eqmOg8dHRp#6MBi5lMucB< zv^k@uA$?L}{_V5eDdvp4UCb6Q4xChQG*FYDav29iTf3|#ZY3P-1&$xsP1}mWUciEs zn&&$L(kBp~nsEvO#b)KcJ>pY{(*5+yv~X1BPua?t0(07L%PoaypDCp&ThO_P4m}1Xi*hGt(`!^hS5dIPj{#h!* zjX5hA&%)o-29da3G5Z#qqDq^umw<^(g7?9oXeSUdxDruj<*plt`acqTEf9Y>B3fGY zycF_NKi*T_&iKsew0qrQ#!U)Q(gOI0F^gfg_(S+j4gq~aMYXTr4zBn*o>v>5`Eo8H zX3GQRt3$uU!Ec?JNIMxkrrC0&tt+plO+q9>LAutvhP6=?W$pqG;c^t9raPs+$6@q96SBpiNdZG zWiglspW+-HXTV))e>#*Fa@lKdlbtLd{&><=%<%N%T8m~M`rD#2G%Z$XGGAFhX)PMA zcB1>B;vO^kL+p^K zzH|dGuQ#AQ0#4NA5cgbcb#W3)s@RKvzAU;))OygN3nao4*R_}!Mb<2ns+SSUB11C? zF;~JCqjii=zGjAm8e$QmJOg)Kxl;-UjlIF=JUm!-ijQ~YxP~Z)(l*hw!H|7{kjrB` zPs;LOVsvqe+UnHTTHd&>Dc|ft+oD#TtmxZc0|lY zTCXLh`DC*G4`@_qV+&*0@>9W-_k+)043n%I&!Y2(+evn*h79qVWMr4JZjEf`{16Ft zDIw9aS)Eregs~nTdbkZ``e9|-NG=YKyA-{>nPd@J3|B52REjlLn0k-P5stU-3|YQV zvt#v9=L1)D*IS8~dr~`=Kuh6_*z1Z<*gAE!O(M;nZSbDqP4`zXMGjD&2Te}>G5=D+ zl@@&IJh3Zd72Aw+Ycd^ry_&g&{J zy9eg_NQ&yE-}>`!L(y+T(f>_D(a(BMBRzkXK08L9yq8*ot=afw^O5ew#f!kvOILia zq{x+iSb)L}fF1x|BfpdoqrJ=1uD2*o>(gR z-|n5??wx-v_l}i|OM6go@a%WrcNW`!)@;iuit7?~qGNN&B7g2E=X%C2YKjDEa5?hWBq}gsxsEn+s*iffczMZF)T??t zqB~mx6C~Pn@*EnCr^UH-YEltxR4)=?6mW^}-}Pcrxx&CGrTK_M*!FC4_+-Q0@TV+b z+!xohq`fWk_MU0Omu7DkJ`5!V4o1m8f!}!4%Qp_qmV^af%+O+bng$kK+-c*^i%M*H z+&We_N8?W$*Vb)9!}hP??F(!0Awc4Ffwb>Qu10zJ{4?Nafa&i zhjf;QGH1A{Diq@xz>Tf*@{%lPd8LLBhWz(JexJy1()xWz{!ef%#myrqwh}Lfv3uEf z=idxI<9;L^M#Iar`3=gY6R7O9 zaN;tCym#fkxIyczXQ`7}P(XeWZ|^~1rV)^KNPxS1lWRw1xsr9o4xI>K)hMwxWDoCs zu=$uCBw|r$XG-6H{Fav&l*SO z+J8+wu{Y-w;5E~x24j7|d`;zq7xX2Y_VIAw%RdzZ$-bdb2i<+L-DDDE#5vBKOm^cg)x}Bna+idlTQ?X(KoKRKB`)*>qAE~`tTBu3}U|nCN$-0h!P4?Z9 zSW(qIXqiT*a65QW$q#Z2B??NRRV;UWDuB6;Lg1)(GaZSihx3F%EN`QkXIY_lF z5sI`1bHQYD)Ile%Q5no+fC`&Tn9?q|0;q10H70xQv4qvj#8d@v(sBSfK_Ww(D+RcB z15x=z6mr&oG0x-093%{X1rW+MIaF~G94^+YH^Gi~u!i~o3J_JIoL4dqWxlN`2lP+e z5pG69@qI0smga!ay}QYDZ=t4^Aic{SoL_nA()d`g%;^3(u=}c?wgIPu6QDOqzLc?( zc^7!DS|d>va~zo22Jgh(7#Gk2T@|1D^P&EPB#qS6H-xQt{^+L8FxGA3bI zSn^XcR6fKU5eb{?SEQ#ra_0UQuSYUfclF96Ptw_4cz$=UP4&5p44V%gzeCqUfBeju z?INNMZ@IqE@mYK{uyHk={WxdRDcN=Hy@_pB?!=75q2gg#DtuFC-pDZLxKA<2ZamP!waPdJpfvbGClS2N*q*;nC z`&n_w0>@oG-P=qoPcrnVYvIf;CG!z=qaY{u&R=7=s}Z2?)xYP-M1X1 zD5&8(YL}RfLJHY6bz=jg#eyMyJr0Zr^O(=x7nC>u_^x>a(^Aji=4I;16Wyi_`Z=*= zbB|-?qF)Q3(ef*jUdz3U*i&v6$gZfU!nrDNW*K*gP6M3ve(GqzAsY{4(a-xW;QO+hgAMh^Du>)$lndW8zG z;#a?&@N{IrQo1}FPif6)Ht||&DBWaqL~^6c>f@pVFR$mCzT&534x}cQfB9ktFfqn^ z!@~97Kj*%A`}S^`Z|-?Yx-(47%*+_Td5*dkg~2?GQz_f}j(9Bz;p$`+QWglyF~c>V zF`ObLUTq^Iv_~;eF5}tE2~~3TK!eJa39;p-WvSidl*vq!1!XRV!X+VINn~?|kL0oQ zNz_**C@`0(T{`0+q3#)8S6kLS1q6}#lL0%nkyGL+i+>3Bw5q0XnemmcL?(xDV67=) zg2*TgD0*hCHd!2v9mF}@Zf6cWc?>n@LEV(#q9T>cHDPY*916=#lxW~Q=%;ZD{D z<$hFPlx-Lo1MN2Xd9#<0VE-mZ*8s-0Y;YqT89Aklz?aLOgo2*;66{RFM-ipew_<@- zT0&sU;ypKJ%#C!tfFr5G?M`W9i<@bH%%55Mkbc&W|^?v=yIsJ z3Wa5T*>1G&QFD%U5V^6oGN;?N3Q%@IJ1BzC2TA!i1Bye-qD2B56n+&5@#Rj^9m#r^ zeDPx}RLfHpP};5VB#yVfb3REs5caM-z^ib@x8mU$t3vCT3-2O*p(cdL7Ft^02m#$Y z0K_=lb@dIcxusr0UU%}AK+Y=IRdMX zv_PCR$2jycIjUPGV+ZA?`;ar#$GRc%aB$-b9D)T3Z^S_^R=1U={njQ zvgd2F=l!$h{d4>J`fT1ZtU-xsi9Wz+(Ac}aGlV|iy)zv0Z`-}b3RN()zt0tq$eCB) zV^9+#Z}(=Kw)NmQanUytW=O5Dp;#KVgtqTA}x*>i$z!PFO zUX9l9O~Bekx}7rD*eouWU9)>1Bi&~_;ifwewH<`d(N=PLkx|f-Cbd$GD;zX%_%TFt zwJfP6JBXvPaZP+=K^ixQI4yG^PN>{W?Q8I*=}LC0^8{r&xG&A4{Qb^e)qOh4nK@7i z!*;o>7b-aPK{0R)D&R_db{~pqXp&v435ic6d zzC*DU8)9ni{6PHj5nxSXlpWt2S=vGck_(B$j@;WQw4lsn5|MPzj(vfZOrVvx(d2!O zyQ%zRd^>O{n@`CO{ZV6a5Xsvj!jJV{f%)swCiXLp2^-`+Up&7wzi|Od7O06U2J{Ls zQe7k{3l4-B;`?-2AK_NmEF7{KLm-~Uwz9lj5f+wH(cbPHSS>sf(o4mtpg#+BBjlDL za62P7B#!Yl)J0C$2tcTr^g9;_UEeYft+rb(FS#@jG(J`6En{3*XHbC*a|jcnOQSTW zQzY|t+6XJ+-tA^+Uz^|G@s0`DM!Gp-8?M;X|KKXkck<o2xh+g9H5Fakm08cO+#LcG$>AZVj>lLf%~=ttS?gFf8}3h^pDJHSdwr@{dLzG-N0<9St{0@5Sd z^SLcoDY3~ti5uJRu!RDnLgRAN!$O3o`A82-3hizVa{Fg^X_x{(OkuX5r+M{@JEbP& z%U;bH=D?PZ0}HQ$chqotdF6Q(wn>5j#RdY@qZfqjlgZ~O5e}<;e^)` zE~ukQdcNU%&Ga<`PY00H@<4=xS=#mrjKzF|PqX1u9s||@GK!|3pN=#2?}3cMOE~}5 zK?}m;o{*7|yqER4}jt5wP0A;X#hD|F+WhozFu9k^^JTKCE zJYZzxFFl*|f_Un5zYw4L4zFB3cFKYEr_fk}(@nR(8=%NWK3*tu>Jx`gZ?gpAq71-A z6^r1djIPjgYdlAK)I|;++`AL!S-EA)mfKJrMeI9p(Usi&I&dCJ)IblyX(~p76uzXR zc~><(-3(`=>dZo*Q;bht-!ApTmX8KXkd%igm)yxadUk|CK<75MYUFL#>ETpUjELq>slPNSBu zP~+WR=}U9W{Zj$N{NI5GJ?)nsx8U7~<-pS!;RVuK8F*uz5-VY?h{v|5-Y-)Iwr2NJ z$X%>QLhklWwG&q1ycV^*ok)LI!#Jkz6zi?2kN4`Bh@A51CJniQHAF z-*kIndc+T;7w)Q(Z;9cj4XplI=XaN;Ar?^2B(D_+q zHU>zW5Si^pv?03hgB_=&d#G>rEJ$Lr9|zV&ufT4XkLaU~@ZYcTUWE&rKuX}5X_Y!^ zcN?+!=8YE@tJ)#c3BwcD;az_>Bd9d>nBWnq5lEcv$H3DZPeakOPG+%%`0eMp;BIlo zA1HSYOr;MeBS-38gVEwVn*|M{;PXwTrKH<`ro3|ur2YgR;x9udcf>8= z9*ln9r&#U_YTBWw=-yM``X$VOJACl_IgohHF9V5uT4klORE-p*o*r({DhoEEc9E;& zR%fT2$2}->#lQRU0PYEAHz@Kv`Uxo$if(#%}~wt|_TT!{C7n1{hEv>25w$>pfR?%kBF0bNg9H zSBf$bQE^YJKnrixk@z6sth>cm&85|YK=LIc_xMRDZgsy9%74uN-(k6vLrX`4Nt=_n z5jIElFiCNRXUa73CYgfuS)@8r99-uQ2R%R&dK)T&_AAe;jp>H9^15dEjU5)Py0jg1 zUb+wK+fF~a&pwE&>I5^AGL6?6>L~4T3d)Ppmm2KJY_D z7B0FVykMc@3XkLVs{l0e#o9@Hc@^z#;c;!Rkz;16Z^^lw%2 zb!H7q$t@(NNzzf%JtUbf9EgANBGvn%6A*VT;X>^s(32?eAAX@s}{~c!$VWxN7huAo$&=;bwaYraH9?(sSsDQ&X zVd2w%$`Jn{LrHDM?_y=$0-5}dZoVDL_|rJnWWFT9zS8xh$$)q*b?I8C4al^Hyzh@G zBKwDW&N+oAl1-zT9tADacV>(7`ad-qyg2B9TYS~L@(L&8lT+Y07OQJB@W8G6=!G$N z=Fv|X$6dsy>pb$bJu;?-XW8D3TrSahKd8jH8L2BrQn5)U&Ib8)(vKI#(iuz|iXAyF zYjdO*zw&7F#P)FB7Lk#Wv2kLn9udlSI8`#X3q;uP(^!4qg-!p#AHg_5H)!a!KUb znzR_<*4;!Lvyp{09Q<_+7esgjO-M_u92&Eef}h3y`sa(>r%f732Wk*CsyphW+Lo10 zc&?FK_oby?VD6(1F{chJK@|_PT~dRzMxAJ)vU2<2=cd2;IYP=+j>J=Kjnhn1+k}kE zGV#yk8~AmRBhH157ss@X{U!v_^p+QbB#Xlr=Qg(Q^stmyg`4#U?`v8r;unM9nR#vADK9* zbg(+ENO_McvNCKd9Ctd!W>sP`wyYU!9Ap6MFgApd5@0U0QOw)^XE=(4f2tdWKax=jas*G8I^kUGD=G0;_FpX(_8p6WZST&7Z+#qN~kq_!i^bDAFSS* zYm()J6@44L=>>FXtG&s7EZ>nwnBpw56mQE|&X|H;T7{h&3o`Ay#~#SMN86gj`kJK% z4k1gMZNBQ^{bKC_y`dprinUZkTLeyDneFa_-MO%$Ihmwj(u(+MGVwX26;a8H^6ay3 zk%DtHXR?W5Hzy6e9H4u}D&1XY#V(@lac+xSZGcx2VwxQ!N@{FuViR+c9a|jM=WcBL z%UW!$u(ty2zJB&Mb+pR|jJ zYZPYMH@w?u`HRoZLx1@vH^*6T?Co%0Sb@#iyf%y*IWL^vL~|7WhZ#XI!Zsl;<>KY0Mkx7vZN8GJln#}h^+kq% zcL=_v1>5Okm6D86iwIpxoD!Y=*ySTte3-k)!g)4wRJYP;dRbQH!nLVo*=S$v@PaG9 z_m0KAKNv1`=hn2oGZQ?U-;C$$D;g`#&H@h#!om1!$4Hgba`r*YGY0JV_EHdyQrWw< z>P)QAb3bDG@~ZjWW63Xv!B}w*XL$GnGEkhy^@|8^rB9-=oVnIPvji13qp~6U>+Mea zGC9_(<>Y;k18}p#+Ct+Sxw$T`CKmLn3*2hmd$*8Sz}df(vI=Rf`&EeoeMPQV6K4_p z^z_Ue|4KdDUH^$K!1rd0Ouk2D*<88(E>egFd@ybt5fbDY=~pMT zKUE6gPtjb36olO7tIG?0;IdC0j}C{zyw?>^fH~_LYv2l0ImV!Dn(2}E=2{^%kNt`J z)X7lBPZ^DBOqc%jv{PKWkuB_;?9CsGlgnM5;c(#570f<4J%^PVxWptMJc{}-DuNqZ zh45Ab+5i-IbqBessx-8#y;~h>*qBg3VVg7g5Y(%qu$h@kgV5mOPWN)Mk|tevIwbDa zJq5he8(PWRkU%(l@oXK+=-YSM{-)u4*N8k*u)^y6sArA2-tv<1jnCXruTlX6HO`N` z1Xn{PWb`#*%Y`DYe&C`}C|+o=&)lTKvG~ES(y7f@mv$Jtw$$tQEpxhi0_)rkMdi~t zxR#&;J>wDNq8l$;TeXhO-$Y8~N~F%o@otApW@P-P)zF?TQrNU7Z9I~p5UZ9SLn{kYGk4ak+aSqHHLn=m;qhNw;Is0h! zq2@|n=3_8lVp$F!ZuJ`(S&W=H)ChiLu%z~iy0NC_C)_puBIcc!d3b9mGHlV6W$j;G zfCRbP9+iC9rZME*gB-? pY~?&&u_;MAzF<}N;Y?@jhR-_v>C()i0c)r>7dSpDdQzerhDFE{MKo#A+E^03EMhlqWNd3}Bno}AdJ>m1%7`m{-W%;2!fGh2a4PyM2>O?dotFo7 zSua*I&F8OGajXQyH5)9I)%58upF6dDyzQeh2OEMaIKB5*IJHZmFW;sm%|?aMvsiT1 z-zNvMO`9!$5+u~HB3}eydLX4KSa#~|D9y}3N^L2SjLw^+d5ciUpE$4d!2cG$Za z$Nd=voEOp2t?isXalLQhm5DQ4pp`ivu-1O4JhQd2GpqZ`q@ThTRH~f6 zZ@$}v@EQ-!!OT%*o|@I0%lq_M1FQQQtsq@%>BH&Uo+uod4w=U=U`GQ~zsGEp8oFl)lsD>|GSH;^I=2%-8>lb~Mm{R_&r zW#62FbX;#5N456eG|Y~ z2Vq%F!M2QJaN(76NW@i2u$b^$mnd#F?#VM3%R0O@t)I7`pOY8cWc$5P6F(7pua};& zY{0gL%{imAT^{R-T~_xc%%dddi?{%SvVey4&;uu|zy;QaY~WOGNqN(spC!i}FcPw& zQ|Gb@-Zs{L`y+vIDoa2`tk}g*ad+ki{2cZ(PS@x;+?8l?!cSPH9byhp*zpqi*-Ht^ zas&3=fu8-&p(W!^S*izm)rkI?9}lb!zt>z9G%1#E|a3`*2HIZ z1ZAVPReFx*0bzBOm1p{K(U}eW_G!AE(}G-S-#a*r^+sR1#EU4yvWL;jEjI+Clme|5f@q9NGA*gzTfa0#=7Sn}}-? zL~9*^;zzDS@*QdNI($u^|^17p{?G9cP4V9I1-l zn6X%wc3>tq!u?4xl9(k!Mh69ZT5X5aOu*5cH0RZVt)4#N_M?ck0<=1{zt!q?{UMQN zD(I^Z4$N3nf(ZUvq;)L+eO%{ZXL%%HzVi4Sg{!I^(L7%t+ojj&99QXcr^xOZ3 zBELmM6w{3a{I~6Rq*&LMxeWcGv6V<0;-ZQ%dL&034oA`z1%GRwpilohYM<}dF^5-5 z?!lAh7aAJcInU_RE@(3?em*6yVUmt5sC%sJxfQ|th^iS@mtMM80?j`NRP z+!M*Xwj_o)Y-?DAzimrn(s<+LmYUYrM=*dbxSn^Jb#4UUyK@_H$(ZCW+?QVsHomdPG+AGBY^=iD%1$rosh66^=fR$ zz>g!z(;NFJmJAS}06`uW5PY38p8E@N!PSSZ^6S^H&m#pK5Yi1{U40;)^AKk^h4&hG zNSBAnbN3xgL`N~C_u6`{$d zuZhTiY#K)=OjQ>f_P@`A;+@sZm4NSCNZm_LPaA6Rd& z37SYM@+KKVpl4x{RUfI1$G&p2jF5Y^nrKi;x-UU8a$bt^0B&(_wLD51Tu~K3d69xY z*CYZ>ipXX7x&bZrN=S|dLB#34a=~mp&Z$KL<{kBF-~5f7atf9_l*>cEKDYs3Df2A- z0nrZ)yu6_a?T3@!bRcH*@;7}c^iM?&nC;lJ^DlOiHUPp(PjBPAuK^n!Cmy{%yAL}6 z@5ilbwBBF~G`Zq+`cxt4lUGz5D@mKasNz+j$H5SuMA~Xj2*Y(F^LB?83mLVy*9VV; zAW9+q{=MidIL%O#4c9e`7`|Yy8M-kBqkn!-Mq#hd9||H6IP6Q$^G_QvgY;jp@2u2$ z)(6jn&9|=I0YM+A!3JouJ3hP#2l2O^O}T*I29&Ej%(hjz+LDj7(U{2-vFwVRaiFxy z+a5%4Ttqei98`^bx!!;onsk%JKDYuni>}Bgz6jEfnF$3mtUN!DD#D)AAv%~L`%Nmp zN#!@GpbP$+tNc&7O8LB*otc^0bwEFcMB;yP|4Ckvb@=15Pz(c?8K(%~qg=2OUcB6h jL6cG3qOgFl%x&rq?(2)+O7bFuzmrO*k7ph=yY;^S=*%*^ diff --git a/versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP1/Distributed-Deployment.png b/versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP1/Distributed-Deployment.png deleted file mode 100644 index 8bba51b8d0495141d02b68797ae1b51d466f45c6..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 34547 zcmeFZcT|*3voA_g1{4`Uzz7UMBl1DM1kw zP?7?IBvAy(Ih}r<@!i|^+uwKZzH6O()>(Ufe<(BabU$5PRb5^EtE#@Ct*JyoeukWY zfPg|pSzd>LfEYzUK%{^;3V!L_+d4)-Kx*ryVCd!SXJhYVO~583hyTPT$ZzNB>BS}_ z&n777>+8#Fin(g8YK~Jp2MY0z!KH;%q{)!V=&=ej#3A zF+nW8y}7Nm%kOt-xCYoeIhnHwDvI#(gI8TN6cAt&LW580_AcIj;IE&!sF|oR2lyoG z=H_ILv9?gN_k!9BiSY`FLS599^)%Gk1m(bICwoV0@JGqo($N*_;^|`U2L8y|dAK^; zdpm<}ViLUkyh0MfBD`V}e?0+R{_%HRa~pFH`#*+(=ILYY;c4&cf}f^6o0DeN& zUgoy=Uk&B-v{k&-y?C^Eyksr0Jp9&LX81N<{%+RzHdfX?_Lg8wK{g=;z+o$Ub6XE{ zKpVgPZw~q>+A5&s?KCY^MA7_)?!xY7fGKcu0RuNpOA$|B1#Nx-ZFh5dU$mXLg}Rve z)c|)rXG?$n00U*ToV%@#JzCMJZX+djZT)kwt4Qcg@q-A(1Hg@ibpAllPX z#X-y;Yh`1nA*?4P=BtEJa1ao2^wN}6)wOl) zFdoVZ;CBIaFHLP7AqQtGM{{)peM5CERShAF09QK~B_k(Ce_?AyVHGbyF991ZK^GfM zOMPEYKLITTXKNt|9gL;FnuVa9n1mjnLrhpt$=<>-z|u$8K+(@%!p}%uTSEwNThY|)%A1@@X?nO(QucS#kgo2xTx898hXp>J9}BH z+bMYXJ85aEK*QL`qHScIG@K1=RWSD6wz~4}2DTzb0u~zX&|?)h2SZ&8VI3Pe4|^X+ z3kL@WS$h#DZAEP%H8nk33juv20d-v;ZB=a{Ej0rTPis#X1wAcGBWodyfr6?##?#N$ zMMXhJR>w#|)gu5C!0)c0s^M*At)}2E=ZW_Ab<(i+yXr0~DywK{<1XvqCgQ9qYo{%$ zW2E8g=Vr;TtEHwa=;|n-Wv%Hh;ov6AuPN&%XeaCwAnay%_3Bk|1sexT6<<9KZ3Qh? zaWzkjSb&qVtgQrASVh1~Ts=Tl(?|ZQf~Bm5n6HtxypFiIjfAg*G^*+@yn z+)YE>*+$L?E8<`!U?r@1)!ac$TUpN9+z&`hQ9;hhP|H=w&rn+hsD!?PwT-*GqN1>q zrl+Q&tAVbgm8OIq*2CRES3ujt++5L0T-{m4OUc{b%TM3a$X(S>&cQ=j2Q8Mc-tvy3)$)^>szQ9y6DO|Xj$4jVw^>ttc3l=)jTw0UAt{_0k4_L{z4nyS8*wnm0%LpMJ`T_7EKtfh{JkiCJrk&d97pufD6ybH!c zSH%Ka=N_s)g0?yu;%){G5(eH{;1|$A11m1zrRC*d<>llr;N~VOfCfuM(MHTy)7s0; zP0mNd*2>W!z}v}J-wUIwDX$|CAY$+7uV^78E~erO`lDqv{jut5Xcr%}wF6e~s)whw zn~J}-zNV#>lCq(fzrBN^oq?XBo#$0~VRtbX2}?ICZ$DwIsF#HUr0M?V5(@S{mX;E# zVt%6f5^DB3;*Lhb+HQsd7*SP!TMrvw2?IG-B_BC=eqCi3O;t@rBQPjdS;X8<4>Fw^ z5&|MFq5)SOz-KRrrT#AJLK3#%gOG%)fs(hk7FJKf+QCXq32SJfhSs&U7e}L&fV~9P z!_C22%friBPfi!>q;C}9;9}!~RkX7A!RWes=?f|e>Dgex3>B>f)V&?eUFX~bQNsHR24l049(rJo+?*e{2i`}X)k0pw z#>Z95DnQB8N68H%Z?1vyuvGU4#!O4dOUN56eno8!44< zh>e<Ix?Hs^WEcSn69FMYhJXm^rjYaav78hevu>XH{YlQUOOf0C z`BJphC4EOc<-qg*Y`Tv`WWS+8RgwNjU+7ulO#)`t(+=lk|JF8~fEg$CpIxE1BvH%Y zSle$2!K41iBPui{M8$u6CsH9}LMKhWKK-{r!VnKh{~{P}8lFpnM5(w>9sjc{QU=#c z{Ku=1VKO>Iv5C30?nm)+{XGg3`upF$%P?_-cQQ{`^=T%{osf|C8F3c#pT47H)pKR@ zZfWp>*K zaw-r%e*CyYA^Ir?$+S5h+C1O1`^#g*xrXA@N3PNaX4@?Pyqo7Q8%S+W)7+QzuQ<*q zb*-fC+nM{p8=tKocn{v8l-kPKI{X=gLeJ%Pjs7{cQ}<*}QmuSc<9myBEY{C-ny(%* zt?1WLdwXSbl*RUecdAq6d(n!o5yv{G5~NKtT}DH87d&1Pl6IIK?qIeT4-Xb6g{?u8 zWVTd8w9glBjKtR0NbCBA=UgP3;%r7%cNC_}-!LRI9&Wu6?BcHM*la!w{_N4kGxOqS zN%GX~%bHE=#jYvOmLDfbVKc|PyuDM-#0dONX2=*op~q+Iw6}mwJhPdew;Q%5tr!buqtSrR05Af-Hi{=COx<7TIc?-#b1^FH@RgI3>rv{Hz500OuI7aMDeYQ_TE zRXS?jr>v?643dw~8Ont0|1|5uktlbDhqBgnWoFjcsKdRU!@DZU7iiHIZLw5%;xcG$0O}X9%($f80n(74!5L z-|+{W78f)#FLD)E>9{k0^OZfv*-^5%Yk>>Z9&gV3c1*-DO1)Q6E~Ct+89&&l*}X!x{X;91bI2?- z*qVykr4<{pJri$hsF=WT{xnP9-wv^8{8P2^y zbrg=;@~8e>xJ+bV39+hp-N|%2YrvYQPW;CT3rCP(`Ovi#TogP8jaSMOXFwz+l#2}9^eUk^*6$vhRYPnBWlbCdQs|R ze^S&zLQW;<(EpSJSlB!Hn$lmynwBXf*86p>*S>%F@nDMTZ%CIr~I?SagjsNd!qGGW(M38*aM7-#>SVn+fn!_Dc*e_Mmv=H|Fri^(!g}?IcUEAa}<8I>zwFImoGo5uOB%n zll&mzjEL&+lG>(531PWhPBF=)OP6vB3mtpcKD{AT5Y8do-Rj*EI75W|o*m}HSYu(w ziH=z1(9JWP8S`siattCKcaJgWmUOb;8w&JflL!_Jt0#(+gAzV0k zR9(pN?zPsj=GSS7BurmZ;dYbHy^m793-qMOBBVoxg<)XQW<|7q)_%1$A>5P8X(VY_ zI&n*(V5Nd;k=_U*YBMK?I_paE0vK`q(uxqS)%1MtYfF_S1P7>IQ=+j= zdU@qrjbi>QR-Z!;_h&v?CZwd9g&2Ly4n24})*y!Ix4I9uRAp6}`ewU@q@#=yl z*mi%_mqNySZ@pkZD6uoKUhsR1?>qBOI zg(WYZ?M>1*Ctm(lD|fIrE3KsV=2){GnE(~wY&78P6A@-f(+t zvk4>IlY%kjP&)5@chq~x#ABg)h;A`>Ya*sS6WT+$D>|4x_LkptwNgrRL;H78^TCb> zc&yduM=7}^gF;7BoQ+1fSF)0k5FvY!y`~LSK4-GWHkRF-Yr!!2rt~eQ%^wuczV+<6 zlCPp!-L(5pC$F3s$9ja z_45_+ds}a$Qv-k1DYg7)6Y7y<0h_Y4)%pO2kEH!uhN~&!cJtx>qDQyH?8*0aUwlU1 zrZw+be|9J=wyK*+O&)QnFGg~MohK9a0orLX9e{J(F$@8AD7^^rAB$0lw>FK*7fG;k zGJ(qTHW1-Ouq8cz2b_oY(A_yqGgk63l~dD3btx@7(?nx_ zcE}5H7fSXE!0Y7D)NL_qeDUJN^rLuQ&f8P1T%SU}31vghk4(sVq1juJp=&H+qi(HX z6eckU|FsWF)-_*zxF)BL01M0{O1RLj<|t+uG`6{X*0rI0tJPpDQm=Nb&96M+O-{!- z!0b>Gi-jI9&HuG*Fg9_FJ2FfhxMedBV;GY9G%pv|M$Nq!8_y(c z0j?AC1kuvoYL8YhpJX4EQ!9s3ZST#~LWZ1dZ?ni5ZHX}LZfUyI{G zYl=_cCfC^ZtZ&nUtuFi$!j8`rTQ4XOF#M*q#xhD;^@~@ZMmw2*5&f=%1Ql9AeF{Kfj9vGoT9`V`=E9;VV77(NuIHL|&H9XG4mBDXlv)`rI6rgoW% zB4WwMhg%?*P3AmF6+K_^m+Jxnqi@Fjrfy9-`nRrs^~~NKz0UD;+?EmZxCKdsJVg|4 zxVwr(pK`O~l2_hREMgMoZQfg%Ec9s=!$d85Q1(QUn3n^o(2v_tXYC_u`1YsSr8%V9 zv_h$=m7`)l%-*-nnrs>$!z_aN$9!pxT$~7Bs~*HU$^bv?$T8*%4Hq=hSy>csUOYHl zTG~S&A;N*l)fV?fS#@r~|&(f)whvffzIFbq0tpb&OEl7K{&1~ynvi0wWTY%HhJ-t}VY zB>;Pbt$gh2g~_ck|8N8)5f2+oAT~}Vg>JW&oCdO9R&XQb>4-O3x2JYL$=|2^!}>W_ zn=`sPTE9I;)C6|bY%0|4-I%GsH|;24L{(Xm5zgWdcuf^Nb#^>aSL=#CaJik&k^KUky+#HW$NZGgB64H-8s>z*+)GNr1t}NW@&d&2 zi8s$KZbdMLnzL5(8d+17cpZll48RvW(?kf+^)Jx&>UJkQ!JglM7G z&+(6)C(sO#gO!d3JLpY>y(&8uJM8MC0V{Z6?=kiDdX`_gmqehY^^!1KVG3o*-M zl!_o{)Jg$1Q`ScktRRn5oC#J$aXV@>1YWP?KaxORd5!|UFP+HQ0*KC7{G{6B z;{Bo4GBQdq$36^DaY1w#QNaTny<#zfzMjC#@kBZf3AOfPf%U&(MoAKyBf%786X@nLEO=kh!2En$!J`6+{pCxTu=5SjGZ`kxeHUV8b(a200a49@-?J21H4>pYV&(C&xLSFK z9HP?@KdGYHd!(Q>0f`shW|*8Whv-P8g$GWfl}v&p^EC`lR*njS5VQ^xg9X)X9MT3I zU2_)j+pUS}NLLU*1g5J!;PXcqS0~yz)4ROpFZzYF2Z#2M4!v?P#zlC#? z(9qYF;ohh7A{?Q{MtJS5a8gTxM9a?)6GrL^3+n%mfWc3g2IY zS&xQi_%I^)Z!Q9?q zbWB{7jbZM~T~#Vub)vCd1}f^x;dhXo%wfZ?Coyh~TO()RVVMEaKvNE`yqK z-9`0Dtk4C*#oz?Q4I}4okYIbM@mg~>^`9||_St*B1%t4`uc*C`E|Kv{-&61gurs`0 zxU9f^2={osPiJv3?H-9O8m5r5s(AB}f$|L$F*0YYO6fL9Rd8wb>TA&UztS1y5Xk2c zb@x;R1dZ}jfbA*2I{udLQ}&OK6>mWjr7%M z)#I`dSZa3{Q9c$^yx&(cgU~MZXee_bg(q0hYdaQ?MX^Q0SSb@)b&X&soVx7XJsmz$ z1t#1yEazObn%{rY5QgCRKzxl<^`*yk)y8ut!;wieums6@CK{j8>R2F{aSUMu%(?QE zZs#u&c7=1SduWrOl{J6Q9EYEIEHZ!q01wnxUV7({aFgcscga#AP!hk1qW-^)sO%?* zi8P<&(n!V2YfZ6dDbl`vq3+#i9OU(RWDpX#TDHNMVLLMW*wnd{fBXGSp!YpGI79mO zVQIDMbA)sHx9JBLm~s{Zi%pz34MM0;;PACV%8E99loI%RBbxKZr2n7XHxRl&u#8+j`LZ*xt(&>r506y z@CWEC8zRd8+x>jA=Io%A8_=;arPgtE?(+5<#!&9c?n{nrp~0m7C7X%KmPCj(Iaq0q zV}}BDPcgYKBn8y*Qob6Hml@f_)~B}=NjjUjOM`<`1#}qpZQeDh180z#TVi90X8Us( zj}|iaj$|z<4hVRLa8h?OfXzmI+5+&Xb-|O=Bru%Xx2!;y(^mq#1Y8F6F)10YO-9{U zHm^zSEw#=7$U6x_&ATrzN*V<%w_E2VCqjpFfQh78WPP^HHqn%rIZ4*@VQ;}TG}*c4 zi$T-=f@>Fauyk$Owplifbp$<_)X_ysjKNishkL6lYkgW>S|KYm-~@$<+m;IgYpzDaV_VqmN2zTNkc!mDF0GWCjf_DIk;}j_VzY9saR>R^q za-flF7UD1Qt9EL7W5hKL^h1NAZpCEkQ#b0Bou8#$(1|@kY6l<*K4bo~7W1W{`#%X4 zIy$*Zxh-Gc)>OtF>&*v0o2Lu%v(gI?WKFx@)&T~+o^kje0LFE6w}7el zz-2|JcZA_DV8v55NnyNh`cKx319|02m3RAjd1Y~T1UtzDt<=-zjbTTRVf%dALsM`f zodz%G!KolgAuN7*9K?D|w%^%Gu`mWLg@B9MF%XjMKkW{J8;)sX^yQ9zBtwQo!%aiO{=`=?qp~=svR6mJ0Y^7Cs8^Ph zmWU-&5H|#Y{Il7iOgRjjWz;blVoO_FO#!jdnsonYhPp!_nAQYkEjuxyODbJH8Ba?*YcaMaT{+gR? z)$@YFu@6L6%!qy&cy&8m+_|nB;2QU8vS%T9F2%V0tr!wAXWeH9UQ7f+_!xzH_dWyPJzN~u^BmHl1@0mLE|0y1l7I3!yI z09IeXJpI$`@CC^$np5iO!UcYLEH@9qiZzZ+{4slsU04=}8+qK)(8!K5zdaVy-@3{* z_4-ya04oijj|DhxzmYz;+O`V)9|DG?TitliHBEJJrE;%Ti1QVu?8f@D!m;v6O9n*0 zEIggLr#noZ|H>j3bGZ~F$S6}w%Ua0WJ((uFP?AE_4C03~e4$2}%I82d5(*ui%s)MG zavD++O<4$VJIT&9Ar}xznYTGcP1p9O%)B*@w6pbXD~Oq4Vk7kpjGl;ddAylw}@}dxm^qiZ_@;fzg1u}O23I9a5v!CdjmX7%Us+%SMa5BprEPZ2gs*hr& zZo8P!Z5A|VjR-M{pCbIlMxEik%9D^YQ?&8cl3_7kJb^RO+5uL(C$~fSL%rLJX;HF> zwUEntK#O{UaHJJOSVtZ*O6Qp5sHOF)iL;MdYBZxr`{|9H1WrqbG~h-GTI42=ahJ(7 zH`7ozJ>&}7%Jv=eKju#55=_2&`V&+-z*EEQjKEUC-G;z*uP+)rIvFodAf zcLHzDd4T^;Qoe{88Vg)BiOqA{p?2vb_m6Tt`ZEKARNkLSK%6cL^k*cxMC85Td1*1y z*qQ@<^o?Ly)aIiTBGRw5)WQP#s3hQByZdZw-s>xRw!$#qRE3xd1J|MYLm$mU$_Fci|p9OBo-NEZWD++&~nl-gZaYF@QtR zN#4I8=%ysN<&(QKGCueh27etX# zv`h{i(QvS)BmHG%uIAXpPbum`+1|~$Z>jk}oc(EFPC*9R#NDxZ_>S4|Oq$O?{Bb#i z9&65**(x8}*6+UeQq1I)=T-CW_q;IsXmx`g!G!L=(%Y}`u%xz{8TU`R$l%(Jru_&q z2u|m4`RD`r!=9H7q7(}XpJJ&1k5<&`X@^r$$cqXx^*#0rsuGw}#@jQj@>kErTo~M+ zM3SMb@n(Zl*xW>6AP)JPQ_lgXIN*6;I_p|Kb@DO)vn~%I=Tk)l(4}wQf*>kpg6C2G z&~RG;*H&VczFoA-rjhCw{t_I*H-l552^2q9-@a4mFna1p_ys(2QGWU#n-eh0e<3!= zh)5aFGiyMi<_2FQiEgpyd||KlDGxW?cHWUn+A1=S~JW#4o%2`amVioT=AHUS`uY4fgsgg{$Z^Q+@-zXC8 zcc62UMen__j239i=Am7y^xWw*Zy}n zlf!whO(Z7Xk?JhIJImC!)(8%WZ8-vsVo{KLQjqp@1$j*ao*{^$b@qvh{OTmLl}Ze- z9V57(w+Nj%kKX#x$ZoBT3XCk2WHq|)-X57dS2j;(G*_|@4viyv_m);c9-qc z|JBy7ajV{=qf9c5_6g_6Ajf+4)`YfJTjPwJBr(nR@81(kN_hEYnYi$vW0cRD zX+JrK011?BbNvjw97xB6NuDa5>Glhkp#k^}B@#vZq9gDsS8f|p9&v?$P+s|1K-f>+ zV{yvl$XEchgoJ^C?eGI5QELPsF3t0uutbaJA~S~!6E(0=guq5U{NrpXgR9CRt(B_I ziOnSlR|a?rX>1~S)W&~OLO}H~g5m2Zy+KaEO3J2S8`iV zz8s}b=;gvAaVf;+*Exv#AD`sCiRyI#yd{=bE*vSn<}sF0eNEI5gwN$rIbSHNeB^FK zl?M>@%k_|}A*vn#pb1QM;{^Ae>`fb8ZU8^sDa$v_%G_(iZA zgb(tnYO4!gB%Bkt$b1|hs3T-%%`iA8d3EvqCBLJF0DLM3y8v;q2>{7#uM_o0o&YFt z003fv{MY96h{iHfbO0#x1K;RH$Lfasm6a0d&vH3@u!M0T3UH3q%i}Q8az3^XnZsZ& zK6Qjh15cIk!+7fU?~O(@<}X2N1{3q}zKkPj|39jl#`j0^0s*dr@~7MY+6H3%BgFGl zw|LHn%Q0Po$6*b4n{oN!rj0YN5p#^pDxREGgs_ms+=q8Bs6zmAD z&?r2$jLwn5OEb9Ib@UyOrn?N;DI$ssurMhUKRoR%P;yN z2$Q*h*Ap72>L+Bg!@Yt6Bv=qXXbMNzJO514dKXxk+7n9!pjLgDl^Br|ulFel#rw#> zPey=66!OZS<3xM2NY9)#6h=pf0jC8-Uu`orr@pk-Ewix_B3RjB+E`t0tet2SGY??) z19LdalJiBZ$|rJrYCoLp<$Xx$Isx$L%7pGTs0!a0%P0$1COb`34E9FQteDimGs3Op zG=HC5P86^kXJZrTM8B+Y_`9|oSCxrF+MOd@XnI)fc#go9u=TT%EP|AX0?!fQoEy<+ z9&KJY=MZueq|r=*ypglm`Yoz&A}pD!&%{2XnT`VWI?BwdnDU@!qLJ*u6pJK)pk?Y^ z?G`Fz}NX)(O3WeKx7_A5Ao}(;sA1SOH`pK zyM+%pef%gz5vpK(J^YB($6OU%p>qNjxQ3NZuFQz4s&BbR!tcSh%jDfBkNfe#l4+{R z>?Ct2c;J3rU;4_8eXcY4OuVXSB+~9UtlvZT+8!L~l=@Y~gd+|=ijSn6=~uUwTiC@2 zYsz+h1eu@y_$|V}uPE!vuAjHhO`OaxJY!OQ?Y6kETd65a&W4i5KCW0KGmtRjT}CRo zE*H*?<#|=j7Gx|w1b9Qora2kc{Ky$3^a+}`kYpWMHom|d8Fm?uG@C?FkjDl$$hI@< zA;g(sqV?=jySp`i{Q6bGpM>K03*9Hj6fen2@A5v@mv#hEx67_~e+0VH-WO#kY}(X# za`^qb?RZM%oGlbz$wiL`KsYW|1h;dSi@l+9S=HHDpRw4i*u=pla@)~iG;(Gjb+bUL zPPL`*TxtKH!Fu^h;Y>W@L(-h(EClX43?S!pOEQ-@-*8n|>jzhbRQnXvQG6>caHmYg z7?0&k&2W+dbXmvPc;HQEX)18S)yS!I!tcIEF2;99s~(z8%oH>Cy|#o0eIV8e!}l*H zA4<)1{NspdoF0?4P}}aK%7+n%<<}->6Tk%b9Tor(Spg_5*fQJ&-8c#U^>F0OZD)O* zB@OnA)(flqzGZZl6u9S4S}w%w+$|*dYw}#p*rr${4~M++5gk#v2EI#YIb)Hoqt(lX z>y;pkubJV>S)cd%L0m#LBbYhSUo$V-bJ%7^SLFh4O8N8g<)-gWPnpmS?nAFF2YRs0 z*vrmM1@q}=d^x2CL!N5Yk-z*0cK(l@T*ec`4|vOS;dy*|{&y;R${SyNBx+{)__=#w zn+o*xA#0vakD9&##e}ra>DgK^{wo(3`C29Iws1)C&S#)N4ynv-FD?!qRKNeAS3kOi zopoGjE(m^hYb34|7EbA4cc-gs5NME@?vQrY>}OE%zF4(ZwY%|h^@?$HSH8SeCjdOF zEFXO~dR4yC)y{?ed0hOCcW|H8cBpC5YV}5Ty01g1K~Oc&J^4h(@AfRMWy=c5Okd9nANz16E*uI?ThZU(r&mqR<|C&rQf?0x(Jni-8m z*#~rfj2{TGp22jTq5AI*7n>-2#rj9PLvzJSq4h1WRO9Ss8#$Qs90c`Uf{MWmT|Zip zJ-{vx>??4Z#aj+w$yu;euEZm5n5f7jm{~Qni~`DsOThv#VgU<)dD!1IF18?DJq6GG3}GX5 z{%?NXF@lfPtjr`-NqPC)jfM*tgOKVXDil_SYN0_)p-oRCuk%)^chlg3MmqOHU9Kju zbm~8K6v4O!HB|&crB652v}l71tkOZSN(*9r#xj^Ko?XzLc|CN=%<=GoMrv;Xtr@IC zR`|fm4TLN%_Xmd>pTTZQiW!fid~B+o{N+UrDgpiE0*@)j2c^}a$rseV_rog0D=LTw zJ>+pr=#Oi6pU@ZXcLK3_r!wbOR_eZ}udlvoQ+8Iw;qKbnnjXXWhYu(d6O)uTLT=ZI z#^_DvcRuu#-`Gh9N&;(8!N*Pf*V3Yky*&ogeOuLYwt)C&MsY}<%!By`=d|sKUUTZqKXiT3Os_ z*F0|QEyYNm%F$;Dr2}LCY^d?xOYlr*bHPpOqH1*nHT8qp;5M|5hL) z{0rH$UXb+ToaZ|fW9VKvT(SU~E77xPOg~vzZE7HHH3Dgu>C|?-rXVlyjsl&LylKFX zC!8~9S56h~*a4M`KF+*Ck~KBBQIi+ib={JYPp&YNXLsvnLsf9MlxfM(4mNOX7M%$W zn$^XHPoeS&Cy*<+@?|juvF3B@#W~MCyu3OsPP`asgnu$SB4mmrjwE5r#_lxh3RzNN#9oia1 z2zXx~>A70b>-ACowpsh|02F_+8+5c8`5l`3=*yCC0ls$YuoQBL!^ z8&vH8@+moeLCs6~(TJzbOD)IZ`J(+m79*TeJBT$D+F#!Nz0)JsuQf@_xHtD8=0zoCXiP4u&5hT$-^`<$N|L4q^&uj;imb>*lEQI`%-0(9Z5 zbJbOpWXwv%ui4U|8Ls^ed-3*T5mP__sUSe00HR*0%mYmpmop!&)i6YSul<(pm^YSH z+fHYEG9Nb~%+b(dZ(-;vi(4Do?2Au4n2*+p41YbSpZ#hQ+Bhh_@vZNAx4)NS$WMAG zCDHKd&Eaf9-u%?MSD?x6wIVwz;06uq_q#0*Uyr273)x?kB|Wc)xaro3H0|Q8FUkx( z*lr&>7PATEpBH?HX{MIm_++^Pr7wdzoSH?FdN&U$(}|5|ZfXX#8ikuaMQ+A#K>?C+ z!(p*&aG~GReGqNqb=f7aaXa#ms!eI}&;?|i_XS;9zUKK}zkyLxLGlJN-m-_hIG2Ii z;XH}GpU4kZ`M#bBuVS#ig6VgpGfhd#>ld4L>4+YcBFGju0S~@_2pql=fWss^V&zXuHeltn9<11|hHSLz=o>oTAUQP|<8>1m_r8+0zg6AR z9vqMS(O5%GvMk{Ascf>(S+`kV zVWj6F*foWvX?~r2b#)Ty}qCztD|AH+c-Aftx)YAUu^n&(UGEiLZh~f;xISncTT}1^_NUxu|E3;vHIUYf=$3(zT>7N z1C`E1CuXR<5PeZ424^eXVy`N$xxUv~Ev4^BRQhcCiM zj_tc=P|5y$sjg2P5G_;2=JFecY+I@u|ZB>>UMSzq~Ok6 zS{oI$-1+Q%`GkacVaOn4VotYt(e!Q(#8xC=rVKVO?$o)oJYO|lNCqxrRiz|ZId5Eb zsI#ZK>znpM&boj%Mw`jihXFr^dtC62bVlx9@wB&6rYYANr;2vp4u>{+E!fsfI?iC! z&i%i8)UJIB%JY}{MY6qve|8o&`$OLI@ACmT0>J0J|AxCe{cg6h#5JA!uqPh!Y;{*P z7kc7Kfh%hE-*!bwh}JyQn<`c;^v!_t*!_Rh^A-8`f#n|$EFc#C;K2h>U0rM~9Qozx z)yKK{`S~kbw{M^LF*o;2GAo=IB+h=f7)l7atPs7M59qwt!P!l$*#baC?tSTxDFC;S{{?=001M&CH_>~|AUtho>g=BlpbFN1fGP^4 ze4y;OCk7M%|LFV+Zcze<$+Yy5>j&v)Hn00v&jbUsBI*ADtyo*6H67y=1n|f@G^qdM zQ7FN)h>KxP_cr%GjQDSGGCrhvs zks%uD{T_qEPi~yyD<{()2PG#xNir_` z^H+fJoN-W|9totm&=QuBipx_)lQb#xCUOF)LI5)3k0oXc{r{x)0@t%#gjt)*{fusuf5}3f3;viCe1~eNl zTXEDswFvy*qDw3f%?dA6tz;m1N|<`FM8n`P;mC858ZI&{8x||tOFeqhJ`A$KcgPp~ z&p>T|*3q>c4bMaNmH?z*cjba6sNV=7GT4ny8Q;0lJsJr$Hh6HSw^W}7yR8vRhe6u$ z5H0|pq?+#J4G`;lLT0#d)*wWUI8OLwU{h?Oa@2<8EvW7KwPO~MGP(%6Apl--_|t%b zI&Epf!r<0U*L`^jGLHA+H8vM1E`B87>NW^rF}FN}umY8Q0O&VrW%Wlu`7sa?W`!$( zJ!#3v!fxg7Ll74($j5Ubs#3#zz;PdYEUpcNAU~26ZBTGEKOs~&^A+qw%DL#ktk+Q6 zfRZESvN;?u$A<1U+@Jv!MA=~jP3AK-A&-PMp~kWLwybN812}^ann&%lAPNtYP<%we z0)*P_@qG9g#!RsU2}0-L6)j7s?UkX3PfWch@eEcSYXjwO{aUanjHRz?qE&^ui%+XU z9Eqz;8CU*v?X$( z<~$g|EC56yjOUoW%$=itU_YiV=*`M6huUU2$~qzK$YD{4u(?ix@ctb8^=enc?c(h3 z@2)_NEe1}L?PEnAri|n4+>eA0Qo|%T%HBBzM3Ii?gK&;AalIo|9@}z`a7;i;%vw?=)j2H@gO*W?*FJr7WE4X9m z?gf|x9!R;Mb-_$KyebT}9rEOfr6AHk!3@ru*2n}h-p4D?I?W7guJF`o`a_5#MdHTW zw{W-YnG!`{23u1kPXi+C5wNZocP?Hr)BGR4+@5||1fUQ*lxz*%5cK-yX_iI}zmF>H zZ$XwkJ9I%16gc?6QnqsT3e^RmeR;pmMm}5$xpS5~WDMv5P{#G`m(W`GW`OFWktXNQ zTCam*4G1x2Z;hr%mYB`dg{uDV1N7c{vh9YT|H|~_IE&Kln_0;zJm$XLLVjge!d&&=z1v#if}*|L&PwKh>P3?W#3&{fxkGW-XxUrh;lVo zv$eG$JMMyuItGWWV+@TvO<7be9Y$O#I;2O`0Xq6REp=cN^Rkrf;;WX@X$M6<#L^sVzw{s}Fo-qh< zZ0V>%b|k^c8C}%ODj>b04_USobbV&%#U9+jJEs48bLozjJGo$GU*g>mNBOt?$d23i z9w(T{Ko240S5KAUyx*m@avrX-`!TLDi1BFs*-EB9cAFV7iR=>I!BaY$VRnBTu4ES+*fSgXr@0JUVbBtWs)u3oB+m45mYP)I6cb5d4;wT+<*250 zD6z2G0kLkcFQM`}Hq7U|{ld+UFL_8Rm|k95GqEY$G29+7AjU_{pd7>gXQ=*s{TbHN zEJVZJxz$3d#5Kr{2!fxzzW3n>n=u6dW+-1ozQNq@HjFp2j&ram^^QjM0#s;5B0ptn?1v>#o zn(GwpXXYiUw?rQ90W68KBc}WEATSQ6iHceUt3Hlk;d}}HzvoMko1(OD!}II(e*>y! zFUo~^8%7%h7{gPfhN8A8G-qPP>B-;^pS53ck#th^mar6?NGw7riq?p-6J5Qku8#VQ z07Po}ha?BTC>aTu9bB{LL9uGial%3K)7T%*Fh|r*0q#X13S>HMVmB3R<&KmhFDl8@ z->&kRX|SXK_7C;)61N;zW3hfPhy#;Bao|4^A->W=$?`*Y21_!1i@=f)Br%M!wtG@j z{VV~XVCMgyn4S6G$|q3TXX+(^XXA+OZbJ}q5e4ygnl*~E^mWOVL6>MCWn8kNU0fSK4LT80xaAhw5X-C+0`G#z1lK%bj# z_pchhHts#mncxrGY)V$hEor!CBoC;fl_vb@-8P#PP~Z1w$D`PJs19x(M5{dpjcnh7 z^s$+DLOpjuT^t77RmcniuKCxz2lSzffRwjhwJwc;3K*;Djyr-bqvCZSW;g@xx=Wh} zpn3%et9F1O3j5{xvPf=lN5~4eH|V5v;udsC+X<)Rk6W;GE-pW3G-ZIWu@V?-9x zy#3ylZfY#xCyx;n)dVG796{0`q+ZdBK1NFdqQ#{xhh*%T$UDlT1r2;JYCj8}1zBY9 zf)99PWq_!P3|qf6>8a8fYz3pW>3Fo3m}diuyFr&IL073wi#2cG%Jl4(@BnpRUC>2& zQ2iHNILLqCXttXUT@U#Dlf|*^wR~wF5F*l=>6N2Qp*IVL&@}c2=+}r8 z21SZ>d#l-pclkho#RFVk*a7OM z1N_?_%6DQOrl|T9iSz^1A9JO=vZn2hUIsVc(XpdITr~@dq_+o7R9U`dOS=n7Kbt|= z^6nIu*|zHP7+@q1R4S+`9%1MYu4=Ld^8$5)P}md-dYEs5JBT`mkffO0eifm2hch4|ayGUMUZ*xMjF z2ttV}2H-Xx=4!X}3J}ffngw?<**7_J-Gm~<&<&0mocs}>Gv7pA68{Cnou!akg`Xhy z=VV?3);N7n3MgQ@05l^YtXtYk_Hg%>b~L*RyIB5v+;nR#qF7|lxmO6L#Y}r&Eyem z4JC~m*w4TcSU>-4!}V?b;8~&6*y;r-L>nu-1n-p#fGU1|p70lgsBE=KFDw+gzr@uX z*&c=XK%IWW#6;n|UHLe0G%FUKkI+%xjG2{eSulW{7AVQ1U2YyOk~@rv`Or!{FDv|R z-d72_z&SM`tj4=zmRdeGZ-feUMz!zrbk!%Qiq9V`xf#mPExF}$Dm12JbA2Q> zU`vH+MZ&*PFZp~a)Wt2;$&crc?O50h-Cv5N)NNVR&JFR8>0?X)nUXJ>3=W3jELjS+snV|7gcR-ZQYXuz%8PaN=HDh(bq{aNhte7 z0;sh$C7?x$a%a(4xkO?Lp3%A23*p-QFe_ny0(Jv&H8bkt4m zGf?ArGat%kKI%y`kk`VcT_Tm+y`z^9cL!+)?)w2cBEl626)GV5>wv-uu9-fqlpD~p^J{eI{B&NuA-%X;5uexK)luIs+9o0E0f@Qqe0J3cK@L0#>M=<7pE zA{jb!aDLdwgzrz>a`lWST&a*!VD7}$lRz`)m9LhWSwDsLd9CS}kDdDp%H-!(Qw{t> zQLKHOLbXjI1dvz2XXp$HcCv0X>siqw&v)Dehi!o@$r;0U;19Gb<|5b-d#2)iBUh*- zEgYcn?^t7zG@KejC*bM|jz;nPT&F#Lw26t9B?6E|UeC}n(s=>$L zZr7Lf?W0zZQw_)x_8`BmfMKLX;E~2IC1~w%>Bqp>LaxV7rf_^+T)x1zBo(gx4s0*9XbTrivo{59pG zX2uaYY&B0r_xXb}*AH+6%7z@Ms!^>sLY`DR8VC;9d8sr4liOBYI(7b8WwlXCqYw@P z-O%;nEX{d0{&vKIHR1jnYhrejp6XLPjTA&5oQ6Xu$eZQqcn#~NVQ4a zBYzgp1_Ea(aY*wvLcBw)RfaMEXJrLAZk-4{Zg&Oji@4nG`UB09=iI~?{Doe|O!?Tb zD7!p}+7EvhIvwXb+EfSCBcXNr6{Zl;5NZ2kS!IAOiofYrkl z*`0pH*AWG8idpK&&IRiS6Qf*xv|~pHh0jcy<}1Y5l7JlA24KeDr6+ma-)lpK1uhsZr7^!Txt{ZC z^HNh{U^l;}TK8$zFMsI9G5^A~8Y#sM+$Ox7!N*yfkz*lk4s2kV>UA<57fK)!f7{o7 z8|{qz>Z#twT!W!E)>P_nRaYY4J&<&JAIP< z8N=Bs2nJl>@Px*r@hDx``cFw>U4PbmX<2{-Jp} z_iMQaY{9EMuR!WI9uh;F>Jp!&GEcDPp(HaCHi#TRKHX>aOR+WADywHWF&j59fVsre zPL7QtPh!s_9d=vZMz8o*{Yf}F#cLyAvakni+i=RS9&ac7Zq?Z1~6Mv4TWJ!SJhNzB{``^F`f{bzx`c5p;>g&dxsuON_Z(4{B}RG+@zq z;6^cajW+>{>F)y@VJnzbl;-*b6#WxG$e+*u1E8pJ69_OaTC*1A2msLNUo=*|`xn%| z`1F;;mxeRlQ;ZqxYcN6u!uQ$%y>462V%qPbnKt2}gCMnOkWswjd0F>k729R;CUHQd zc7b7}b4Xy5s$?YD6z9|DGE$J6oUyI13c_Th5-eN^>9<-o@d@pRYq>ZI}6 z62RxDc)pr5?*BP3n2VIFPOHrvmsBQ4m;lp4z{+Ix!YhXZnZK>t^wWdh4FN?8V%Y)i zA{$!*c~q8(hf|1v&q38`Txu5Xis2no=|LhL`6r%KwSxz|^uA}NcQ@~SHp#7pdj%IJ zsP`2;CgYU>u`EQgYi!i3EB-D#*D^3CbMtE_Rp@jWFX@RYR$ja6B3y<9R^ID3A3FQu z@CT00lPF3#3hO8rS2AV$5(U$F0Hy@*g&vVRkwHIyM7?#KwJ=eJ-lk@!gRG$-Hx`U2 zVxhP^nk)vM1{)_O56Z6Hj0)UvF#fa$xH}m0Pk>t3VFt?J>=?dj)(wZbpRc{e)isUqE(rLA{cuGUJdZSbrp2=zOpZ^B` ziH_brL_>8q za?2BG&=@J#2k1v|-$k=Tet6Vk}0Hlt^l{gUXE#gl}I_**tg#&4@~iP z)+2BwgivC{TE0|{5oPHYPkKEi;pi9~j~})?xjUr(pB)HQ~%c@A5=TboZBh%AaXtNj4%S2{HMo=#z&@ATe4| z;5ahcnhGDoXpV$1YJVAj%r^G$hZyTBzcDDABV3<}<}>5R4ZpxsIK=t~ORLxo|#q zH9dWKa$Kb9-W?{&R&fyFB}afSFdfcVV32>DFcbh$Oy-ce$Nuv}rW^YK#lwIl*#scx zI>4fmJN1tKo^RR_GBY_Qm6*iY! zZSp(gvsWxWiu1W+_A%A7EBb4-mM`}^kH8q7?c3);W+x1Ujt=xvLDD!0U3OA;COJr1 zg>-M<&kx908pZ`h%7Qj#B-x|=bH|7tRk~eBKtUqs#E-$Pp(l1Gbt)FjST!^#!rqMn z$#1o-qysSp0EhiG-{!I}Yf|#nQc?&qBWyEcmh+TI5w6|2Yl&1z&xDjE-vkhZ@nXe0tD2CxZo z)TI+migE>tm<*HOo#Gx*8v}#mki6u5V)zV6Q5<64Z4YhEb`k`M`sIdjZ>$z+==F^q zpG{9mVh`^7CDQfTb)Qr5T$q_9bS2yl@2nkm?~; z#H8@9Y)A}_yRd@6>BQjlDsD97X}hFPwF#C#2E?8-Am@lPYDSP>%|xR@Ponxj63U|V ziks8b1*5`U5v-sq)-%$qkhWx{D!CK%AKAuZqEq5QL6ANeGOmttWMT53fD+l5Y0ZA4 zTry8rx?&>>!xU0nmmsw9>WiK!`7tl0Vu+*TR~hf{J*feQwh!o=HUnIxfRb)((0sVY z0qKywM+wJ}=IM<$5Fy!v0r&dq6wVhs2%=k-G2vvW7@nvS)5=0m5!WW8?s%Xqtf^h6zt$ z0>OO{<(dlKJ9Z&sw=$amqqCn;$DbUULm{_7;uWt7{`M5*M{5E~)b@oe0Fyq?cNjE* zoamk)n=XieeUAi3b)SGWBtP3&QMXKlzCJJCV%1&`V3+j%iUrSF6q-=)&W^oqY%(aC zK)SARf)L@Rc?@7hnO)~e1Ugg3q&ZIXCB;dfg)#LNW=FsiSW%7Zg1LuQf0(Ece=Zdy z9{|yxD9u((%Y!4WE;ruh&#dIP9-KxC1qW0Wh9Zl1qzO7eoO8%<+O$`MH*kdy03zNw zGmi3?(4Gz;?bw(&q6W>;k_P&Q7l06CFXqyvgG!^6;{;8h=VIi_^_`s8g!W!Qboazj z0*Ch7FMu^R)_6iR!?GpK!6I z-l!3jPuBxqHmkg!)^Ee;*#}Z9QAD;f!_gB-5WDJoy^^!c*d21J?7V;cS*oeZ%WVI0 zjf_(n0lm46tdm}cEX$+T&v=GF`5=^BscRT2MS@+X2wBQHIhs18Bvwoju{l!M zmICXU!C@0nq-DB=t*PG^BdL$C@-ZB~|H|v5QGOcc(9xWb0u!U@cZ6?KOuUJFg>E6N zI+~q7|5^}(3~ zYO0vH#yppU29L$1Iw6+D$?vR^JC7(62nDORlae-u4{f8rDBd6EviTf@>Y8Pm(CnpI zMg5(I(`7UQMZW$}Vh-LWHxW=LK_FFiJt9;mll}mUrU+7jUnNdL5}MsJo)gizUT%Ua zWkcKa34)Ac$(==?R!FS_{=#=Sl;M222wwq_q;aez^}Zqu21xXD-6gC(=U!?%Ob8&X zVcZsTyTIr>Tn{kxg|;C%?q~M_>-{{7h$oGMqpZ)T-Q3S)-lnLX*wD zScwzItLr1*GtQ|*%mT=4J=3c62k5l4zatm-y>WO|a2{e_?P-o~G^1wN2c*h6eB!8f zXCfA{&DHPGzVT4@(a^RSeaIy93FxBRL}3pBj;=XA2gb|fDE{3!6uqmfm7ZjEAEiXc zr?Dw9lc^}x>7ON>Sr;xjZ)UhM(*#{1I!Z-7Qu?OZ#bkpn)oypRn$8AtKmm~hVq6xa zRnglZb41omvyc1EA){mIfB;5kkKjRnlAvhlE{~`~uBj}2JQ2-v8 z+fnDA^9eCKxA-3c)hlsX+*k#dX@^zQ`5@5n6*uwE3cknk|1Cr0{ChtYBXe`}_rsuJ-qPA? zc}!yoD@e{g-Ju0oD#ov$P1?ADQhNfHRzCgO@F8qZ`P&e~XEKH}qL@?OBOS8_NcF+( zw0f#A9|QjL!ofKEPT=W3y!QT8(rIA6%#qbL=d~g)*><4+X_7PL z*ixk>LJ7#U%UeqhBgc}b{I7UR=ouP^Eefw=c{6>Bdt|?L;kUCLn$b!SWi9bO_s;IdclgMGUWw@66G6~adl`|`$ z6udK5sQ7Dx9Z-;gT}9?4f;_It?%0VMjlf<)u_YOP^R?3=CDF9^Sg8 zO%I-=U}L~;l6)2(T)VV#+(m~@-=FIW4GZE&ok-k_8rdO(bzxvD=S?mm`K=VQ3$a;p zr{Faaw!?#uqmvR=p0j`ohUBm!t4ri-bi&}*bgUCiV>@`EAbmE}l+Ens#n4$-B37vI zDsB@Z4E1L0y~~5F0b45u5d>x0y@PJan6)Mvk*% zT?l*}=?0ZguwhLJ$#RVohu8F((|)=BDlZxqY}(5`3z`R^DWETjb>e0)FB;ArSW^;c zJ7uA>!g#FEWyc%1(ZHKxP4O7D<%Hk-1h8h_$s~`W0i|NgOe*y)57a;?XAX?KTcJ4{ zfp{Yi`|*xiZXC4K9-AY>_LTkh@T4>^nxn!Syt(k8q6Ic)@fxWoP;XtZPWbacBWtUe z3!?KYQ3NUvp!P57E^ch?+Vzd7Lj{nU4C{p38a-&I(`l?J zmxp*wptH-cLbK~g#W*zZJXllgg4i3uvyfRkqq49B^? zo$%t9_1KSvX1!uCoYvSJwT$-I2*8u<*c{2o>K%j!<9V?$TYK_K7BqXv7W@1?01FGgGo=r`xiN(R+F6t8dyCvcRHAJuI7+O9Z zfsY=oM%1P4Qcn2XTWRSF|Ajd;TnwM4yR|a&cl4R7E!HtSU-b|@&U{awU67*haR&|0 zLP5{j1S!2=et`9`P>`ZUEkViWH6OO@u{ST8)eE`qzqZy}0G1BV$UxmMgf<2`^O9kCya8LH{?0rdCUb?!79ss%x;)lK$%` hhSds&cdLqqE(!2ns%UlTedi+hXQXGQTS#$=_zNJ|d2s*$ diff --git a/versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP1/Distributed.drawio b/versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP1/Distributed.drawio deleted file mode 100644 index f7c6fe79..00000000 --- a/versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP1/Distributed.drawio +++ /dev/null @@ -1 +0,0 @@ -7V3bcts2EP0aP8pDgPfH2ImbziRTt+m0zVMHpmCJMUUoFG1L/fqC4kUkAEoULwDkRC8WIBIkF2d3z+6C8JV5u9r+kqD18jOZ4+gKGvPtlfn+CtKPY9M/Wc8u7/FtM+9YJOE87wKHji/hf7joNIre53CON40DU0KiNFw3OwMSxzhIG30oSchr87BHEjWvukYLzHV8CVDE9/4dztNl3uvZxqH/Iw4Xy/LKwCh+eUDB0yIhz3FxvStoPu4/+c8rVI5VHL9Zojl5rXWZH67M24SQNP+22t7iKJNtKbb8vLuWX6v7TnCcdjkhWVoPJP5zF3/w/trOvG+vv70+z4rJe0HRMy4fw4noeDePhA5L5YmC/Afn+3N2pzcfcfSC0zBAh67s4dJd1DwuO3+22U/3O3oAgOtt/Qxnkf29R0kapiGJy6vS288vnP9eSK4aHFIhrrOvz6voLkEr+vXmdRmm+Ms6v89XClLat0xXEW0B+nU/QziTgUFb1SRkjYCswqD4HqEHHN1UU3pLIpLQn2ISZ9fYpAl5qvABise7Q6swymD/F07mKEZFd4FxkA2LonAR00ZAJwkn1RO94CTF29aJBBU8qNphssJpsqOHFCfMbLeAVKFywC0x+VpDcNm3rKHX9opOVGjNohr9gBz6pQDPGUACkEPSBif0OWkfHGEayyfzMqlWj2QaI4kUcCK1eJGajkikYASRrrboX/K79Qh+vYe77+Ef8RMBM4+TaECCp4SgYClDoJz0BDJuF6jFCNQ0O8oTGiPI055D4NsPc8+Yo0cAwMy0OJHhOfUDRZMk6ZIsSIyiD4dexnTUZDdHm+W+H3SwHNTE3YXZne5HwfH8Xea1souucZz3NH+v24+OZqZ1xrKHPDpfCY5QGr40naFI9PtT6a2jXe2ANQnjdFMb+T7rOMDAAoxaGdBvOqkzT6Bf8nsQn256LadXd7whz0mAi9MYQFVi6a+zrsCfDsTd4ZhPhKwL0H3DaborEICeU9LE5x50JcyCCG02mZ9rYBEcQ00upCOPWdAGOt4Cp0eOc8ZG4SCDypOdmkE1ADdTpVGlPGFNtTkTUuXQI/yYNTfUvobx4tO+9d50xrKeVhPHlsDBAyiwns5Uzsg5Krt2Dy9fdpUMVMgOuCh4QLZredg2fedhBji5MQT7bObckZJzBNt498OQ7HKm3Wm4jW0zXsbmEWaL6LdlTqWegLdesv1MC+Hp72T8SSgMxxkoN2yhquUYuZubjDP4nImgI6JohtahRmbVYsxqlcBR5pLKkPMtYb4U6uSgh23xmSTQlw9aRz3apJmNT5FGsIeedrA3j1ExzfMC0G6BnZS0gFieloCivcGYDXQN2oBeURu4mLCNtRXqozZwMWEbSy80kJ0ol6ModLv5GbqNgjIuza9B5OYp9zbjs1hJoRub7qVs4tqofWBzwKkp7UUEcmx6TD2hrQrkb0gDJqq/8PUSnk8r1IAKjXoHdWx2XQMVgAKuwerEoXLIhAd8dw3neBum/2R4vva8ovl137SL1vttgfZ9Y1dr3OMkpM+X+eWiNkmfNR8LOGW7NljWPIy2b+3qLXa8TurVllE/Hca4HVWw4fv5SS/7hmZc2KyxYzNoailNCkYymJHY2HhqNb/kDAS3MgFUpFBdDgL+IDkI2DUHAfXKQcCLyUFwpWMABSuZJHu3i8lCcMVjHaR3Mg8hbY3mzxLyVCVkv3Miwp0MZ9omIg4UtuSsX2vkVsxfB/goVXXnAxGRxeMuImHBEzZDoCxybXKZDdRPV/rj3pSUsuBKz9Jxb15GmoKiTD/g84mKywn9gK9f5GfysbRy0zJF5FcuwD8Z+Zn22GZo2PzwkbmmkV/1opk+oYt5PGzWKPCzWFOrgfD4qPln/fnC4z4AtAv7LNEKddYB/Zilh6PpmNOOrGsKU1H9AVg+g6neBQhQJR0lMXhLVIGIN4QCVhuXwr9TKqTvIm2fzKdYGr6f1vqiZKXxdkPhT6h7f822Or/VZnXU7IEqa9sN/Hjsy9tTKxmfHvoJlrPB4koCi8nSf8Pyr53Dx5WLHZ75o3V4nacX6ewFT9ch0chWM6badQSW2pVpqUvd11DXpGbj7dELwS3qw754LjspafPhnobJeMC9YK88Jeko8Uo1j+Oe5XL0UzGna0RTsu7JKwSA8WU+u8fKxLs4OKauxrd1lk/zEElvFtpmv7k7OdCe0Hjm4WNLtc8Onwiu7POMzn2WW9DGTHM1U19Q6QCmVDMtWgS0D9mv12WmcfZwiiHS50+bWjOCtNglU1WgVRMWFMXpk70U4vBxOi8spERYM2hoJy1tV64McMqSVqFwhQ/ZvNfhsww6FuNN/RahlHekcxKUyxSrz4G6auOFqtGtejEtKZS31o0tfPVlhTPTsBlEWdkrTwda6HQyX+fuZMc/QQHa9hvltrLzGmc0t7IbbQM6vjKSJd6Uswb2VU31rMG9JELP5l3U83lXSYJSiRmdPPdosablaKDb1VTyywfdPgH0uZaSf5rjhpJbBi3HTvLhaNNOqglF2bWxUs2keGNnTk7Vvs7ti9+02dfZZsEld19noUQhJ1EVlvSsFZ+MBTwZ0gqfu2AmdVIqPM4aaGQHTc7RV1tHXu45ENoMvxRuZjJZRNo+c5KWew4SHrcBgHLRqdkEY0TtFhSRhMf5KrUb8gost1bYY3WK1NnJNxdUNT181nuaEvi4hhf4ULn1UJvTOrcG3r++PYoy+BehDNLy4sO0wWTLtOq1QZMdPUdELOjKnZUittxtUpkVgr2sEKjZoNKSyTBDnSd1aEDUK43DRheGb9cBcvL4MhvZdrx7/PjBWZ+jIq9ZBmo4E7KlkqHgNUH+2tGpF1rVcw4otfwoliX//6mUqH/FJdzuZKI3cxlT/btycqX5EMGmlhdKNaESrtl5lod67l5GnjPC7P+QZIuaFjx+xkRmmw8ML8Jss2km9Ua73GjuMhIgvWz7iMor2q7uCEDHXzbB/vMJg90zcrzFWWIB6OHjVUwpHDqlw/SUf39Kx1QYYMtr6oN/qDoI7ctPFJm4zpnhiUycrdrECZLOGubZ9FO0Mu/3hnxD18SwWtdwZNe+KdatjVws8UTAtaQCF7414JYb2p0mNbZK5Ir23dMXuRy38UT/JmAk5NJmQrLtlw6uLUHr5Wcyx9kR/wM= \ No newline at end of file diff --git a/versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP1/Distributed.png b/versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP1/Distributed.png deleted file mode 100644 index d96ca216b2fe23de6ecacca6544f5b0d0ef86778..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 31547 zcmeFa2UOGBwmu4oieN#JBHacSS_nx%>AfQ$y$PWO0--mlBB&IxBhpj^l#ZYjX;OlU zfYLz(2~FuC0s#WN^$YHEJZGOX?!E8bcmLym$9C+YkgUGunrqJa&2Q}+7j)J3F>*4} z(9rDDP**mfp`pjq(9jk#>;j(@we_#k(Cq%|qhjjg7T}1%I?$YiD{cRDQe4a#=k0S6 zu6$Bl+~40{#NNx+Uj%~#zk#pZaP}BSjD!95*WzO0V!~oDVHoTp41N->0G9-RiNQrs z;^OAp40RS_a$ps7=)FxW}BBKS!gS&)7R{}p{F|H2aA2kQGD-NpS?QZJ<{!w!F!nt95 z-9R;zl!%xJTuK5Vf|B~<8&Kt+KR2{>wDrRL)(tdI2OnFf?Kzq|iYwW=I_WwE*(>_$ z8V0&~;xxAB=I7w$jlsEZ7lVn5AVgr>U-$%iIBb7v@8E|)gFeMi!d1Wu+hc5k?qj@ymG zjXmtq2ydjy1u>YTyS}=H$pvLIg!ly?mkT}@b-i@p>V7DgrmCW%i;AD%Kx@altf&%Kk>PGe+QW~zRZYl_GEh%SR2|c)q zj~n~~`lPs`zN52)zqX=|i=%>*D?;g_fr)|ysN||DW$WZ&ucE7Ds%)Z$aWcb6Xt~sQ!@ocgp`2_T+B2;OT$w|(LMm_6(EJcs2G`I zv1WR%L0V8>pkZh803Q{1aVd;G+!TCdBo(0NYKzql0z#ySfhjBaIEiV%UExm3CiXh2 zDvkjtCvz|+gr-T5x}T%3qPM-hBw7=c)iP6ZRMB%Z(Q`Bx_w$!Pt3$#NsOad5L92PV zp_~zh4j45_arGeZvA=tehk_&0&f5f3L}&oXQq))S(DMmWk~>QCvi6;9ajVM3nt2LeoE&0>Tcd(R}?RJ zz!eldkU>gVe=mJCZv`i9e|x7O4YZ*a%)=F~V&HAAfW_#djFHM3rYfptzFrs2;R+2XKfEJjE9P{ zEdp-jpx|cWYhtMFYh)CN!}+N=1}W$nX@CRn>@TijfHd=xz^IrgAPsO%hOQW8Z(AcX z37iTTs6AFM&cp;wloh4w~lXW@hU4M&j!3=7AW0e+d;kgbo6%rlO;XgaVj}k``P; zMO6~(s9}N*K%-O?{ro&|N=_)Wx|^ASii)N=&?1U@V&{err(ma2=CnSs9| zRtg*$RY?VJWdzz6p`eFyanUtFJ4m7({0&@;%u%*xYCvld;J*1lc1#o33!e9nINVI*BuTvnXWd|u@(;z)%Wu%`e7VRtMY^Z34 z^2VTbO~jS718x00T~PME%1Ao{RS8{FaRUhnaXmdyMHg#mrvo?fKsv*4$Uxm7Pai+5 zpNp*o9PNp43{n#Jzi5gygQLBJOpqFIW6-U(x}7ps3JINECr>?$DbB?Nu5O|Z^90{{ zcn3)+2RN$e`0MB>J9ryQ1}Y%kOpSfDz1_@%)R3y$3c3>BfoM-~vnXD$ceHcV^a;|} zvzIWC1h<%~p=5xcDa^sn6s~S4W^dL;q`CCLWvdJ>74YL9_X_or z0l)vc$>Ay$i<+f0H2gFg$_f_)tY^ROxpz|K{sK{cIrGTQi`?{_H_wTMKP8-+x@L4H zW;gokbk0Z*wXU?l3m_j|AB4ZA>|AD`W}|@ZfchO>?%ELy3Y)| zRs5@iZi~*vC*NMNnGAN4{qeEZ5Q)UPjS{#0*Kg85-^&-&{oEjV9liPj{23(XNQG65 zKZs>1m;^ zeIU=T5RNL?qt1OL{8o6`(u7-$qC>qH=!Axjhy5|Ehe+=kNd1kW^x(I6S1#e3D*SqN zUxG-;;i{=`Sg5-Qb9(2v?mMRoSfKW3BIs#{$_4m68R!)0hI*3ARvGW_X@J^e@UaZX zn>MpFjvs}7qR052(hX558kr zcs*3riYh!O$py{wF&pUlm3_>#^8frI@>jt8eq<&_^Y{B3rB zp<2qK#^^$QT4SREb<+3uEUX!u)t3+E?2OJYb1kfXU12li(Xg)}gLmn4G;RRg*IF8a$2@-psKE!y{FsQ!fgms zJ#975sKyuKgk+IoH>6ME1ePLVc!^vA=ZS9-u^L!#;HVZ>5 zH7M!%z;-Rp820580{a!IGN2vaTlV1)e%x62*2^L5mCD{I_L_w#+w4?7M$y3cTJ`6L zh&LBfCZ(N*0_RKGWk;?bzsYbmuc-dx25BE^kXcu9vu>jdb^A3 zYFYKH+sL=b1N#d@W?hrHqRAG8ik(8b;y6vQ;ke+mgD7JF1i*qA2NS=q>)9B+lA7Zz9~_)F^fCE!os4IFix|5-dqlW zOb zAMG;7K69(xSZ?(s%93BUh%n7x9$tTRc}Q++wSDAy#!W^!%E*BRXw{20*QQbFX_6BU z(T|FaZ9eSt(YtI;s^<-3 zdJPT%LNAWTqmH&UER5X1$1A(^LJtw2Pj(K#T3UI$-DwNPu-C-O*NAlRBl)5!Www7N z-B3>kfh}%gYeh6RzeRtv)qC93M?|5C7-T3_*D`;T|LkcrJ?Ws_hRA>>=aT`Qu>X5EehSnImcuvpPg{zHLI zoitjQxF$4uhY+%cpeB<3^O+z*@21Z1iH|k35BDwNQ8h4Z&FVyJ*xJu*IUd=cPYy&u zdSgc`0r!~@-x$Si{rty=zU{l=A;YsOeN=_mm1CcjBJM4*C0|$>x{Nc$RWH?-q%Gx5 z>?!IiUt4Vt;|(Ro+FX6rYyD_y9~Dv-K5C2(tyGlY{TTR(9B0_C)alxyv+ISvpi(oR`n$8#HNDd@h-eOHRCE zICLE`e1I*ib1C9L@MDZe{+qeV5uhF%NXq8HAEl9>2(jyCPN}Q}8+;tPIr(az&-w3< zBkRpw^Sh-(dBbWbO!c}oyK*=i^LZ({M5bF7qs5M zxA`f!3WlsF*jxx3JI>e7(WocgDENw(cwJ3GFFs@;k`F5@du0CZsL9pFiJpy>VLofp zqh5*OCa(0pnA)!Ru%oh}ipPf%n{AB4mP^vzYE(}Q`8OvR;A`plYDI;H4m7VXNVb&# zb?348UJ$iHAPOQ01esMl7jBSJPo7A|?JpY&awQ>7m254J`@Add;2 z@de-0ZJSByaqo8fw|})iPQSLMTAjjwn^~Rx`zRQTl*|_Q4XQbGAi^32jhj#9gAi3W zfpL>nWkQy@Z^)ZP$QGdH(p!3%KU2S&*%|bOWAvcMI)T7Q{on)BPhxyfpvtjhw*)?w zE#Wu3&4;8IspGbxtH#EG#jB0E*H0bQGp3)j@j+`Jr4B_b(uJ5q11{t{b_`k(AEn2M z+XMFeW57GteyUbi@g6+rEchuKYWU5dw*=MP3ZoC|1%p`FJS+&O+NaK{Ej?}4&e+Ts7Tkv|X;qa>Hl$93 z`MJeoQC!z_8=c9#%B75WB;%mm<@ZPu)l~bQD?gvcG41;FA^Wz8cbZNDZ*Wg?7wr++ zp5(aW8Pxd!MJ|v2XpsI(y)iH?s9JH{8)1H^7QUn!xLxEzElqs!n)kcC+nqiH=JC0v zaCs@(9t$bgW7{U~t!X{dba+)h)R?^yhLy!+&h^?1M4Cuv^-@5??45)l?*Nx(mhLl^6p)1Fn8G2mb9 zyt%K?&pIhNJgf7 zjwSVocY5cMRRd7#lzVK6H`IpgxsU9OI1DsM%$*I`*n8RC68JGMd6^b7mpJ86iHl3k z&tO?NA>fe)u;IaV=hF(&5=JJjx`cM!yh@2KkQ*0H)EE&Z2r(bD~s;rNG^`=2{W zX~o}umk^z^`A`D?GhXF*(I;i8rrpQoX4Q!y!HM>gdYm>cgit*u$CFs6gQt9)pI7N1Mm84|i)yLG7jKZ`z(QEjp2Th%y zrVt`;r~5q%cttuBBC&cJ+Lo&KlH!bXr|I&_4xd~{zq=c<-#PC6czDo*k}i%L6zAtt z2^whaVN(e@CY^hR!D3+J4*#|%f8IFScvuDZg?6t8oX2nT?K9edVd8#p#j0LFa; zfNJQ#Z9;cj?$6I-*`?*$(u)G4?@lp1V<;LjxHpq1LbU$`F68|Q(sPCIC1U}tLEJsh*D(Y)9{qOX`^EwVWkDhtIebw- z7>JR_Ohpe*lcOqPuaPEPWo)L&O-y+n^1)1zOi{;iinsPg%3lEzL96kN+0|*9Om{Vv zw?4UWDL8-Bzmj98$bK7I<;bJXajdFk)~9-iOy2AVCR=-hYI=yV?4~2(WVT)GjA}zy z`H$=ZL8TrGx;u48d)j)4I~mT)Tt(STubMZ{`@k42xohaI?^622aW>Aq`a<3)`-BK@ z+jcMPqDA$zMB%+6hi_KxQ4rrtw+Dy_{fP*rywvDA5QA9jb!C4+Y| z?~4YJCyuW{PfVLdKUztrZ1*B+eJN@O!Ggo`6n7xY6?+c)L*SI`QK!3RdfuX$oqy&h z^H6a9q$^KtXVWPUPckDv=UxSLo>=9QV)0Fzhi?KTw|lXvs$<;USSD6}L2^-m{=FE( z2_Q3vZqe^A_IrI(RKD-W(W+JR_TF=$*|GZH2n($85*%0XrnWxQQFc7FV*W&rU%doG zu)l8-@|P;i{-HiFX~hZAiYW}^rh&sXVf)~oDFvtqmM7H z|K7vYbS~6(jxh487b4wRZsy_oZ;B)Dl9^95@ZaJGnnV7OWaB{pxf&YV>}w0#Tbe4O z8WG!ILi70&11CD_b3S{FFQtC4sUdK?7s5_sN&cFsw^8-CQAgFI6+l37=|T7jkL#~W ze1mE0bq|beZ|QlfI6C%gg)~p!GE3kYGc5i$3QoxX4~OhOuW=(+3&JU-EeC#6%Na0% zQB&+a5z$f*8Was)ZL!%8g+?Zq$lulEI3eHGqkfOz^>QBHF8vV@KdI;okYev1r;L5n znjYk=Hkb~6Xf}0@OqrD9gCb`8xOB&dT|Xu;Dmz5p`4vp73(7qnV%26i6{0c~qU54l z9;SPLYRJ>7U{b;Sg|Dpkd0!rnEotpLVK(N#(se+59*|R@qT>&F4DJxysvIxsyV$;a8ySj{gYoD&wSFa3l zA^R>xLeA>7rCuAkk1O??8}nguRUi`JhBtG#Z&dHu%)?HYTnGcc@zvg{354wzx3Yau z477Zy$09i_wzmmab>=L=Eb&WJ5bwoo;v0%x>jp6)Y;SS#QWmQEG!(kC$!eQ4KTw?H z`}4EfwcNs*bB$aPvt`4w+#pUlvQ!urQaS8rET z&c#0+@6JlA2;;S6H(&i>eR6p^#yQUDfnI(To7_P8_yY^1PI0!}#*Y!!!T=RgmTZk} zf?mEf;a~y-h)aqlqb!r%D>3CiJG2^r)6UB#Y~EG%d27m~ma|QAG;TsCG}vwi^5&=W z%dE*i^uh)t+J`6;DAZ)=lwta#GT8E%pq$i9#bla}5+T-xVkb%d7MYx&VeQ*(q;q_v zo=Ft@2wiMeG+(oh>{SMPeN5yNhgSaNeXy{XQt<+PAYjI|U-DbH2UzVW6o_Ezu#jsv zr)wRjq>(wh@~?sL`6v{F-D6_usZz4bE@QQ{Q`dEq+yq5dionjGT!jmg6nw)*<5AH- zl0T2khizTXKz^6ZXZ$pPD=kR$#Kh_EV7SM2DP2fd)?7MYI&%mI&Oq2u=_1_xmCu%t zaA8-_#AZ^^+~yffSd;{QAUP@RNyS0DV2OMANVH=p@y7$OMyG=bEa}dhD`>v;zJ>dR z!I_u`P0>cdK_@o{11D2QY!6&ECE+*nO4=S_I2yy=jNUw755*ft2~vV-0e0ozpT3(rKMG3)U$8B@-Uo##Ee5dp%u+5#OdHBITAae)(Kpeg`xHO>btDkFH z)*yfi9(fWB6FsY&@O_UfZ7N~N@8!2y#Kx5KDb7}+qnk?MRr-4v?y+2|zF*RIDo!fLY&9`EqVL4?cP@J!`eUJ(R5moQrk|JTEu`6XoQqCX^d| z@o{|FaeT!oo2MKo>V2g2Ey~1jIw@sR!e($QQ#9no>N`gY*#R5c6y5i8>#OZG9>)UF zv=R`0Lv8V<^Jc($ZY*L$4)!c@rz>(_%r2g@+i1?NvfHsNGasne+4TrST(@MMWg15z z{J~@DMK)5T{qhj$ksvI)R(A24MEAIT=L!(Pggxe~8hhJqk2BsX zJ2)b_FXA9DDvm!slJfMv;9R=Hofr4{l5(eqPMKT3SOO3P1@Yv5`kawnZNYV*MOVAb zonLU-V&$7q6rjO+AKXsgQ%A+=2)zPV|bA>F%8YNWSzb4h!LWY5y$CFa^4qM>o(yewgUK-eZm??O?}wp$d3*xXft>aJ_~PNM&6OPqotm}Aq0kZ8Ix0W(oSy!}o}!@-W|PVtA6Qn}rOeE{ z3XDVT3koi0I0t6-z*oR7R+gPvECh3|vHg574^>aj9I?O_tB|Vgh@Bu9tA@7s&5~Q4yT851K`To)HZ4&!;yF+ zg&d+yeE*2-`I_ALQTP08mjstxUcmlgm~kn+N~Bq@cV4rC@7iKwZPjYzVW2FmNctn> zFU91~@B1D zqMElRP_;(_26J)?&OBnD#bgQ>!s>$eOB{8O}7&sTiVAJyfRID z!PL7->}C8NggDVw@0AI@rnsxcQiu%`GJ(aKc)pR47$-+cYR7KcSyT3BlG!N)8^Yz! zvDRI|d%^$$)^I>hx-mf!U;ANY;hJ0(#c-^tl0ApX7wssa#U{0D-8wRD1*E=@ zoTa=E0BpAlN69!;?8z->Oqp?#d$Y=0O+GRHxH4hicQU|G4v(X1i1Cg*A79B5JUQjS z^-^w(w>$>6e%EhXZ|H)KTX*8zBenGACy=&}8}KC|vv#W^v3OGx@!J7B=3KUR0VNFt z{~Jx&ZG?H6MRdY^kav>lgoNXg8&g~I6Ll`a+0Oy}R6T6hFb(Dd{6*Csz+ zrF}VP#-kUSH%20KaI}zIL;NW3E>h^$^}`7M?mA%#o2Sr?wKI}17%WQea@8NX03Tjt zO*XPGlMj9XfM(mzbJ06jApfZ0%+tBB72|eaC)fAgcgt$*?*w)MtNHBRlXECl?}^Po z3Dj)Kb0;_3FT_Brq9s1Wx%guJaaHMd$f4l7oxeJLR|2ov-Fd#fGA(a(`n@08KKRY; zYp+cdh6Z9hrRg%5iiT9nT)ne^?My)$mn4jD240l*7CU>QgSi=q7?AGkV+`mbXN+h+LenS5>g z;1)?OwI?tE;dA!Ve|Z;wxuyRn-O|y~QClxBud(M$>>_((*+qF*DcjjEu*KCB$=dL; z_*+49D=`bk?IG_40;jbElGOGAFJ9b?5SkHJVsscceLd)PPN}$Ob+`8sqm5JlwHVh& z|D9vmR-p^O1;XNCN1E+2iay2YCmg;`DMdH@6{q?uIQc&ioUA9410JTN9Ok+Ec8ngt z-Sv%)R|mso_-+Kv`CWN2=|1W7soPV@_&*b)KAy3c`CIhuj_-GAmIkx2%l;x=m@w~_ zkCniqo3_?n^HAwB;(PgyJ8S22CzmI?KrR!){sqC+{&=2bpyir4T^C$MKa$4RT!}}NHj_0{CcbhXwu?{YeH9(D|ok>N~Y)x7YmwOABqh zE7#Sek8y`lh^f`GB6}lF)p7Yw(L{IwtIDe3juPEwAqYDHD+=;3~efJqK6Xr&LsF=%c~4kfF@XeE3^bD!boX zFS}Fps)sJ|ao&i(%gmt>zJxr)C3tj!pISj^4}BiUw>5JLCs!YW$}d~9O5A;65FYaU zL#gNI`yfr?j1G6=*VEL}sb|zh@R>C6utbbghdEtU5vjhw$RaLQK8I%gLeAmlqqjus zf?81a^z^1`gK{N|%tdUEVUDS^gcZ$jc0cRB%SNBHvovX!pPcE$tC*Ytv0@2NOTTPt zY5yGl3XVjO31XR*s^Pk4p}vjjjjy3^bFo{!0GD4!qi28WA*l4=iz{PxmW-b`yp#L{ z@=w+=ofn-kf7MjZ@QktOK&GZAH{B{&_+TYf`EcLH4R|gMtt(jbo+JFBh4cZolTpNh2Q;EHRYk7dY@^3+ovD+( zcc#gcVGMYbi~EkyQkO7~?ym*^Yr#`BwDt&@m!9GVd9c(ZX8>wAJ+!{i%zGKzhpXMF ze{zkNa~b4szVPUdi_}8AAShl2Dk6?o;Qnb}Q#^V*+CG99;sQMbKP74QECa%CwI}K z9q&s$^mXY2GUiTv)-GWIvaS0pBKEm<_5 z4rssv6wR~whliF5{G&jyYmji~+(DK^sI~{B&aP=VeQ>19L&1aSOhoEJ2!neXGZ*V8 z7IRqvzUwwszEHr>I6Nl}(vc7NgJkZHC-bWoKa50kxqGaZ_DRr*SiQJV(2z`n>#BB0 zSv3cWNNDMXRSC_?4R5CdiH~w0xfYs%VYT*;4xB$OwqAA~1R75Wm-}QXS1_y5Rq6ZR z!)CdN)CIxyXxT3mL)8QiB*w%((ke6t)n2_At$%akk81F8pBI`HY@(pr${ox^|4x8( zv%joEbe)05oz#%o6Ejii3UryV_j38N?jA7i###ZEEym2rc{Yo4r^|hEv@1AvL%rUz z&*}qdY!*%iZ=)_!tKVqI?6@-V^6%4zs?UI3fD*ucHon?vP3}xAFgnxQ=}$ZKd_|_= zW1$w<1rdix*BAQGE|f%T#dm*1^a_D|j8m7leRTt8iLi!0NGrpQNiaHw=Sqv6dF`mG;0;03WS-BIy|RvMmH{Rar9Fy12N+3~=a&b7dSH*_@Z4 zEK(p|#V)3RFE&-Ji34hN1^`6PPT&g-q)UmXp);o&T6Rj~V97awi#pzjgzpXQcp3*t zAD!THb{r|Q<6zO@OV#5)Mz7hV(KsCs4}TC|wvmK?c;RH=S?;4qPISjDsCWxQz?byu z*2FvivVBgp;{CCFkE?yoaT-eEfC2J}!@|9S{FUJ%9Ua4A=5L##2ad>57U`jpmeNYqsPqe)>J@aFjDmu<6TpmU{x3&13*dVGG4hSvsT6JGGwb9zo?^Lng zWaf&8Vbt+}d&7yAz?<%5ILrbXPT>6C&~T*(FTfq5T?;A%q}M(tus!;`V0-iYT)9UR ztI1VET`33hTcw*t%Pna%I{=BvX=l}}=+MNM{`%2+OWr8)F9cmXL9{t*h%|0APy@OMCi4u(Hg`AbbV@wMUV~gfO{{ zpPk9Mmp>S$9g-#9(7TH0wS-eZ>ia%i@F-WqeCW!XA|jsanrQF{lP#1~T4K{Tyi&6g z1>wabGbQcro9hq(MRxIa!c~Y@Ls{#s-H!`wv8adGBgO#mU3hXJsAfOl5g0>g=N;2T^)lc5!V!Yk8q(At^CZqXNNbJ%Nii8vJGHcML;*bHs)z6^kvos z45`Fzx%V~e(yoMq^ICN=j?lb8Iz-Z^EQ;g%8Th}c0GU$+GWSyLbPBv(8qOU!cH7p@ z?if`I0|+@7K&|k4LQ`zAYENdOH7BI17jjIhb5^g99aQ5!n6_|L@M`1%S;?95(VMNX zVF18FV7*u;pcdpD0OX00J6a-pT=R-msoH)TV51X#0mqA1Cz7x2I3O)n1t3M-Bdi|a zCN&g>F6B;OUIOH_a1~cPvJ9{gsYa;~faWqr7LY!iE!@jTuG{@6t1m0rozt2aV zFG-)#Y2~Xw?vX9HhD^L!A$E#s$WnL1G{|7cqJ0g)Qd=7UCf>U~TV_KZ=&k9YtXSZx zU#-p)-xpBXCE-ni4Fnb&;*AnOZpwPk8rB1HCKA)tyXiplvEBO>AUoP+_+^yvu4*P;T}8#BjURWXeQJLdXnyWVakyfppj+ zIlV9L^7@zIAqj?6DEs-@PSyVO%)%#Q0YeiO9S=+ygg{0^OYRMQN_p7kHITj#_zIe? zSZ&>@b???JpnhJWG)J(2a08K;TsZYg!qT=Vlh**v#ciS%qDA4-m}B`2Fqau99=F57V+GTM*yiU-#L?CT)do zu1;Rtv0suucq!M$O_nhbbco;!sRBf{NAr8X06NtpK%!uA5KQqd4l2czC3+9O9a#N6l0L<=ka!EVP0>58ApS-_r#6jANW47&P}3|3B$YD(uFR!d8e@y0N%y~xi971 z%Aj|0b`u1=XPL3J^Z29^(RYc%qlo78*YU+ZAmMVssK*h+fMe12+cjN;kAC&luuf%4NrW=|(%p?Qw9tSAQccL|itXb!!cc zHE$AZTK?)kynDmw19`X%5Mi?Ru+@gmOyw53Z=P|WNREvH;+oVJ__3`}(wNe6kJz%1 z&4u>NAyUXDr*R-xW@7XKv1JS72z;3+yoj&W4J5UqP&PmLxV+EL6e*DowkYkFvTvLI zxN+)aLO2sE9~gCA6;+t-0=526!nDeGrz&R@@J`haf@$dc3LO+I9*n zO(z?}ISG-5fl1W=CD?m9l63GL@ZiV4f9BBo4Co^&Hvk7l-n{M$AO^#pFfJNPy7dDR zNj^t2Fr@Bn*UFr_>dDLjQk#)619!X^l83=zs9Ga{ec-U7S~u9A=7FD*h8VN=aV3P8 zK^$CYAg|>vCl~rui}3;`ttrl}^nnap?OW(_?q&m4ntU47N;9>t{+KeG?=b+T7yuEB zX=pLq8>rdKGuP}Pg;yh4g;qku=;Z&+291UGFT{|7;+dKCaqi;$H zfanrJrx?l>fD)>vdiBrH6sl!DyAcVvEw%`cnd0W?jpZ+*(hGGvj?U?T3$-_r(|*RJ zfqvB=@RsUSe_6I|RLl0)5_pEyfI7*7jagiFKwasv_=9TuQ9}V4YlwS$>!$TJ-0T9u z^{}rnyu5uVnAF-DaW=oS12haQM@Nzt<2J9d^5nPKrFdY&Z~Q)V!Y1WqVzp2Tl!G#K zdEO{NjY?XLSlwxC>DjbEV6T--37klhz@K6R1AH7wH?+nDG<3`-$WDhrB=5%}V#6$G z*Zfz;)^ZileB`5k)nk3} zTfIvK8%edAFWPiz=q(vMwoqY@R&(!(JfOX+OcTM&_)EeYhZxna$3qt^t#8EY@?;Jjj5tj`qjE}H}Jr{v{-30Ri16(NhE&a=F&+p|2hxhM)+na5LmBY?V3%tNA;~g_5E~R_p03XgC z8Yw2u;XYG5?5OPa0fdx(ZiKiP9m7Z9k=i^nOh_+11+)qco%psE5ch3JoM(~(3F{2} z{KDUsqO1mP69EC*jJiDgz6lC{2!K{DZu@j=e+74-7syMe>hWo&H>Jm+*5YA5IKkAk z)?v_d29HmIJ;?$}Q{!I`8{)P-FySSSQ$6+nu=u~3Wy_trzpF#)O=Tp?Psb0;zWiN% zgkALL!Dy+xELV5MU)9ETgFs z_K(i_FBSIpVT&aId#O-*p@jq)9slgh|Ec)DnPuWh!OKt};+OuVS{b?4^7Qf`ifq2G z$mYdoNErBUZEw*7BN3po$lE86WnrzpVAlt5*2Ip3Vc*u3`4#(Mcn3u@Fmdm@_Sw{k z{%M{O4pf5z5&kF9QbKFLyG_+77}`S7nU0%KXhZ`4%oQkeq1k4tVEtqK%eb`laNF5&*7Fo75{g$)Y4rxmQ=)UZ$D&RRkxZ{hciHu`-<~Ytw9DP4D$TjTO^cg z2{bQpTZaokXJX$ypiwSCD&kmb5apT5kpn=oZUNZ=*4^C~Ts6Tqf1YOx^)h#*`Lk%@ zAKp4n-Omm>Yn#4I9;h`C3F-w$%xoZmDp3RQ88M(!_2F2X71g%+pWQu(4OrCJB6ng4G0 z`EtuML$XJ~!zTCPo(Hc(qdNDzyRc`vt;JZz>2A7TMLjjAC4UjkT2?yWvC`fW#heBH zFX!C*eQbeYcPMU%zr2|WoJ^h z37=AnST+$$4q)g@FRr4|Xb=Lk8zV`1hSKI%zWl(nggt2^P+%lu(IlKvi9L)Xz48(e zq0@&h!rjKy^OryEWYK;9{y&sFN8SvqV6N}#>blqMdy%g<$0Ls*^3^O~Hi9QL+&5IK z#1tZNVdguCdBOSM%sAM*J|tM+M7_HU@+o(bF5Cu+jSO4b-XuRf`Z@&cRr`(7IE&zqIXrM5U;I)-v13!J-bP_erc`^YS zZ?Hy-$W4cFSJvJ$fTMbKET6IYjELxrVieq-W18|HY5dM9s8O4NH$Ku(@0lU}iTRB; zrp>6z+V!klZuv}S2dl(NK+mc$Tx%{}>%2u%Nsd!)c~6@(>_HN3Zhdh~3)5xCwQ{4xj%B@dBIp&!4+>ztG4sS0dnd?N+o{64L_Qyy|CZZmGjv)A!D`LB%t<-<-Qi zEiS##`0!Sh(THi&c$C$1kLbPV)M4?GF_d*?YCgfNyTr&6*JeyQDMI%EQf(OO2q9{;gop%E&eM4D94QIq4Mk0IU%y)U?8e`A=j&E)? z#%+x%`~W^$oT~fKentd@@Rsfbz4i??EHs>wgo-D6%}hyBi!au(pcNOlcirzv{Somv z-_VwicZLJ*`@N2FGHN&Wtd_E9O)O_HrCwqAkRW+&30Wz4Cpb~(vRP4DVkDg#^g70M z_9F{A=}6HT?%eXKA}2O&!jGO+oht3(hCIMhwAuSIV+SN_uQVgeR?VeY*g*yWh%@eh zb_MdywWj((@oL={qtxObigQOzq2eEQ=*8`MZ?P>uQH)OS#HgDWI%+h~eLyb6KD4Xfr0}P4%BCcm>ysb8xJKj?Q9znwi**Y>P=0 zQM_q?2_#*xcQ^OjQ>AO)(1h!_wk7>j$PC+`N1bzuiRcR_P<-iJ=1pqx)6E4p(bVDx zqyb`pGm`uxsnqNjOcgLjYNlq?HNKnlCQ#^%eI4$zPxWioXj?)HW})iaf9h9H&LF}Q z-W}Ssp&B|@DSgGr$}H(ZyYZp}!5m1*pm=)b!$Ws{C@Zi&uXym^lx*29A$=>R*gh0wz%c6+B4+oV+A6O*t7n z^jb|lL>~M34C3!qtyItNQ{(ZyNN%y&JOl-$pG-dE6|)JQ13~(Qr1oF|2+erWki=K! z{P}4S0Cb^<^m9w5C25pvau9e8tfT?3QqmThdOWHDFlmn65zVETHnA#j z*)rouJQ3FonVA7iXI#H$%A~>9drKPO4cH~!1yAr{00xe8C>&5HJH_FR~jy^iX=wpfCxp zQ4g?Cqzq9RZ_l=r*z80k3!QMN!#zUhj^!u6k0)q715MlQ9v4SE!-y>^f|VkYiJ>Qp`txRq%pgm zumruFWs_x402U|<_PU<&>~kbO%jQ#p)Wk#l8D!Ib5MRc>c#sY~$TkCjj**Dnyv{uz ztuN1>9N^DLBTY#m@ipsT=cA#Qn{+gqUM)cZ63U!^Ez4G+B9rqNhvtz46+nL zaIOkUkL=OOn1Uq)YLoQq`T}Bb_|f>f+iJZ1!AW7kjAugQrsLpk3=qYRr2m0Rx!c;P z-C`eFZS#+Y-iT}6y4hMpp69|)E5BNc<{CKX{{UYT{h&LX_xLKzG4DE-^;WEPufP zd?eZZ`d9CEnN~y|pnHyh$Aq{~&p!}sng&l_B`0f{VlwY5bJ=&12B+Qc1>Ib|G5rIa z9Z$)nE<+Vf)w6O9B5h~pil#f({BfjiFMG>h?GzT%Yn9#C;^Jur{TG2g`7+EV@LELJ);In*yY>6@qcL zcnQtZ?%?<P$2^TjJ@bWEPuG)K}AJ!Fyq0;4!&|T1rdpRfrw8xEjJOr}U zDg44|E`2hGEx%H|@Z(E0-S)%;1INlN`;#CmP>gh}w3 zld_**b?Tmv0~ zw0X>zE^vO6JeoXVKrywakkORd$O7*l^Bh{MZ7?v`$HM{nAXjAs0FfW^1{brN<#feD zzP^%%P2{KPou4gTczYnU2qWDrcs?_}-++rmY1Hze(F4Zt-+sP2Kj2p0{a1!;zH`N6Hcq^aJDy?b) z*;|)`?+79BcBDz3`2aQQ^NHYTvAKzqzE3fHH>7_&yIT*D+k)>wdcvIq`$%py!NxTu z=;O0L5%hxXu(86gA4*#$?svR| zvDNAcZT=iTe~22jJU?bP+r7wxPMeaF9S{5#u^Z`%2;Kd7ETJb9KEs($*#AZ(KWqhQ zBdms3*?#Io87*Y=zHUbWFDL1 zAFQ=uLdYya;&8KIn@A0rFtODnSm%hsLr*G7Z1L9a77Bg42~e^DiF)Y0#EIBtw31K_ z8IS*{ug23IECCPgHKLpi*0OP;=w{8n{!$<%xaso*hP29|7^N~N3tC(l>035^F(DEIaT{KfCF#WL6|!+o^L5G%oo1dIDhOic$qCJwPtmZ#VW&! z(vtd$0%d}MFh8&D+bcWIBx=h{c9U)hru7A1lnQP1UDm78PY9DZx}pY`BUvRI4O$lJ zx3BzDnBq}y>jt1JY89TDOMgRMgR0($f)pK)FvRjm^p;|x=MW;+JM{Cq(hFu4ZedZDJk5mQ=|TF;3=^G zUegXT$Ea2*aOhgcMt{=M0UI}!12WY`XRXeq0cT>cqh_Y%@8OGA_tT9mmoYyWA6=II z*RD_EP~zX3{ckmPJ4u=UC12?=?19Y=uwxmpLu_Z!|A zr`!PJB`j<206^r$;g^ggjXeWx+l3xBcIK0k1Cs2nnE^MshQnTM_shjsF|PM_{geA` z>O&KgKc2hu^hZ zC8`zWoIT6(53b+B2Gtpbys)K8c&Ab851@T=e%C(ddD?$#>$z`j4p38Y<7Ng>Fzxq( zkeY&mEM4Z3udMwYD|4h$L0p#g_qZ%3&g=$DZwUx1tDNfv-b&Edj@9X@0ML@-?=5Me zwN0z2BZ}(m?H_rk_onL`_0cKg)#4b7fkgbnzn?yx$nfHGzGusi=(|K<_4CuB)r;0A+LkUXY$-E}x zCClkeX%}R5tN%s8HYIsQ5Hig+&E;F+3JmO({W2A*blKW`)Ue(BrTFMCcw?%QWF>M{ z3<3U3NzS#Cj3wt-_5*UKV{vQGV z-{4DufPV=B{@;P7{VUY){|K7)ufex}hZ#OdnfWcD=08qj07yDvJF!Ej4j}2Ar*<3% z34v5?y+qcCh4RAr`5}=7P`V*1c(vxwsNn-v2)^#6`7=-pQUKJb=;*VZAO%3{{C1Z4 z-2!m`mz45RGXSWm?*Bgf;{S?d4f0~hpXVub777X%(Eb^y1+%?L#ehLxSBPz*-*zg! zfYlBF!(-&A836y7Z~rTghpIQWb4*B30{Mp>wbF9b43Ph*_`gX>G5dd3vii215+eqkw)ZG-~#K8e(+4XDQG4=YXNA*hcS3=^vYw5 zH5wnD{>JoYL>Q=b8q18Cw173Yj3j6o7;qikuS0roPXH(8fy)bau>n^PT&e@j*>hw- z)|POFPQvc&XP{+%Q`v$2OVB0?g359Da?_I(?CWT7EQ|r33@HFw#L2*v1)52}>Hu2t zkp^7Cp?_)Raf~$@4^Mw@#qj5bHJ}W)i|qr(Iw0T@0E}fZ!2U`JFL3q1(!Ua*6##_R z^NcS4fv+e7l{?#if>$lkr!J+e{v2KYGrIf-yo7UTE&my9unhLqrLdz{q#!G8S(d=g zU%65+SN{0zUZ3Z}hgiQw0XsR<EXgV3qJHRtMMvH>c zq5!EVH~?G#0|Z$`MVs7%leHif(hp$?;I1d&y>I{2&h-cy2uR4w^WU+TJ|HXvtY(0V hmmM2l{(kv|4&bHO44$rjF6*2UngC#G9S8sb diff --git a/versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP1/README.md b/versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP1/README.md deleted file mode 100644 index 0fd4bb63..00000000 --- a/versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP1/README.md +++ /dev/null @@ -1,141 +0,0 @@ ---- -slug: /MEP-1-distributed-metal-control-plane -title: MEP-1 -sidebar_position: 1 ---- - -# Distributed Metal Control Plane - -This enhancement proposal was replaced by [MEP18](../MEP18/README.md). - -## Problem Statement - -We face the situation that we argue for running bare metal on-premises because this way the customers can control where and how their software and data are processed and stored. -On the other hand, we have currently decided that our metal-api control plane components run on a kubernetes cluster (in our case on a cluster provided by one of the available hyperscalers). - -Running the control plane on Kubernetes has the following benefits: - -- Ease of deployment -- Get most, if not all, of the required infrastructure services like (probably incomplete): - - IPs - - DNS - - L7-Loadbalancing - - Storage - - S3 Backup - - High Availability - -Using a kubernetes as a service offering from one of the hyperscalers, enables us to focus on using kubernetes instead of maintaining it as well. - -## Goal - -It would be much saner if metal-stack has no, or only minimal dependencies to external services. Imagine a metal-stack deployment in a plant, it would be optimal if we only have to deliver a single rack with servers and networking gear installed and wired, plug that rack to the power supply and a internet uplink and its ready to go. - -Have a second plant which you want to be part of all your plants? Just tell both that they are part of something bigger and metal-api knows of two partitions. - -## Possible Solutions - -We can think of two different solutions to this vision: - -1. Keep the central control plane approach and require some sort of kubernetes deployment accessible from the internet. This has the downside that the user must, provide a managed kubernetes deployment in his own datacenter or uses a hyperscaler. Still not optimal. -1. Install the metal-api and all its dependencies in every partition, replicate or shard the databases to every connected partition, make them know each other. Connect the partitions over the internet with some sort of vpn to make the services visible to each other. - -As we can see, the first approach does not really address the problem, therefore i will describe solution #2 in more details. - -## Central/Current setup - -### Stateful services - -Every distributed system suffer from handling state in a scalable, fast and correct way. To start how to cope with the state, we first must identify which state can be seen as partition local only and which state must be synchronous for read, and synchronous for writes across partitions. - -Affected states: - -- masterdata: e.g. tenant and project must be present in every partition, but these are entities which are read often but updates are rare. A write can therefore be visible with a decent delay in a distinct partition with no consequences. -- ipam: the prefixes and ip´s allocated from machines. These entities are also read often and rare updates. But we must differentiate between dirty reads for different types. A machine network is partition local, ips acquired from such a network must by synchronous in the same partition. Ips acquired from global networks such as internet must by synchronous for all partitions, as otherwise a internet ip could be acquired twice. -- vrf ids: they must only be unique in one partition -- image and size configurations: read often, written seldom, so no high requirements on the storage of these entities. -- images: os images are already replicated from a central s3 storage to a per partition s3 service. metal-hammer kernel and initrd are small and pull always from the central s3, can be done similar to os images. -- machine and machine allocation: must be only synchronous in the partition -- switch: must be only synchronous in the partition -- nsq messages: do not need to cross partition boundaries. No need to keep the messages persistent, even the opposite is true, we don't want to have the messages persist for a longer period. - -Now we can see that the most critical state to held and synchronize are the IPAM data, because these entities must be guaranteed to be synchronously updated, while being updated frequently. - -Datastores: - -We use three different types of datastores to persist the states of the metal application. - -- rethinkdb is the main datastore for almost all entities managed by metal-api -- postgresql is used for masterdata and ipam data. -- nsq uses disk and memory tho store the messages. - -### Stateless services - -These are the easy part, all of our services which are stateless can be scaled up and down without any impact on functionality. Even the stateful services like masterdata and metal-api rely fully on the underlying datastore and can therefore also be scaled up and down to meet scalability requirements. - -Albeit, most of these services need to be placed behind a loadbalancer which does the L4/L7 balancing across the started/available replicas of the service for the clients talking to it. This is actually provided by kubernetes with either service type loadbalancer or type clusterip. - -One exception is the `metal-console` service which must have the partition in it´s dns name now, because there is no direct network connectivity between the management networks of the partitions. See "Network Setup) - -## Distributed setup - -### State - -In order to replicate certain data which must be available across all partitions we can use on of the existing open source databases which enable such kind of setup. There are a few available out there, the following incomplete list will highlight the pro´s and cons of each. - -- RethinkDB - - We already store most of our data in RethinkDB and it gives already the ability to synchronize the data in a distributed manner with different guarantees for consistency and latency. This is described here: [Scaling, Sharding and replication](https://rethinkdb.com/docs/sharding-and-replication/). But because rethinkdb has a rough history and unsure future with the last release took more than a year, we in the team already thought that we eventually must move away from rethinkdb in the future. - -- Postgresql - - Postgres does not have a multi datacenter with replication in both directions, it just can make the remote instance store the same data. - -- CockroachDB - - Is a Postgresql compatible database engine on the wire. CockroachDB gives you both, ACID and geo replication with writes allowed from all connected members. It is even possible to configure [Follow the Workload](https://www.cockroachlabs.com/docs/stable/topology-follow-the-workload) and [Geo Partitioning and Replication](https://www.cockroachlabs.com/docs/v19.2/topology-geo-partitioned-replicas). - -If we migrate all metal-api entities to be stored the same way we store masterdata, we could use cockroachdb to store all metal entities in one ore more databases spread across all partitions and still ensure consistency and high availability. - -A simple setup how this would look like is shown here. - -![Simple CockroachDB setup](Distributed.png) - -go-ipam was modified in a example PR here: [PR 17](https://github.com/metal-stack/go-ipam/pull/17) - -### API Access - -In order to make the metal-api accessible for api users like `cloud-api` or `metalctl` as easy at it is today, some effort has to be taken. One possible approach would be to use a external loadbalancer which spread the requests evenly to all metal-api endpoints in all partitions. Because all data are accessible from all partitions, a api request going to partition A with a request to create a machine in partition B, will still work. If on the other hand partition B is not in a connected state because the interconnection between both partitions is broken, then of course the request will fail. - -**IMPORTANT** -The NSQ Message to inform `metal-core` must end in the correct partition - -To provide such a external loadbalancer we have several opportunities: - -- Cloudflare or comparable CDN service. -- BGP Anycast from every partition - -Another setup would place a small gateway behind the metal-api address, which forwards to the metal-api in the partition where the request must be executed. This gateway, `metal-api-router` must inspect the payload, extract the desired partition, and forward the request without any modifications to the metal-api endpoint in this partition. This can be done for all requests, or if we want to optimize, only for write accesses. - -## Network setup - -In order to have the impact to the overall security concept as minimal as possible i would not modify the current network setup. The only modifications which has to be made are: - -- Allow https ingress traffic to all metal-api instances. -- Allow ssh ingress traffic to all metal-console instances. -- Allow CockroachDB Replication between all partitions. -- No NSQ traffic from outside required anymore, except we cant solve the topic above. - -A simple setup how this would look like is shown here, this does not work though because of the forementioned NSQ issue. - -![API and Console Access](Distributed-API.png) - -Therefore we need the `metal-api-router`: - -![Working API and Console Access](Distributed-API-Working.png) - -## Deployment - -The deployment of our components will substantially differ in a partition compared to a the deployment we have actually. Deploying it in kubernetes in the partition would be very difficult to achieve because we have no sane way to deploy kubernetes on physical machines without a underlying API. -I would therefore suggest to deploy our components in the same way we do that for the services running on the management server. Use systemd to start docker containers. - -![Deployment](Distributed-Deployment.png) diff --git a/versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP10/README.md b/versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP10/README.md deleted file mode 100644 index 6811cdc0..00000000 --- a/versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP10/README.md +++ /dev/null @@ -1,197 +0,0 @@ ---- -slug: /MEP-10-sonic-support -title: MEP-10 -sidebar_position: 10 ---- - -# SONiC Support - -As writing this proposal, metal-stack only supports Cumulus on Broadcom ASICs. Unfortunately, after the acquisition of -Cumulus Networks by Nvidia, Broadcom decided to cut its relationship with Cumulus, and therefore Cumulus 4.2 is the last -version that supports Broadcom ASICs. Since trashing the existing hardware is not a solution, adding support for a -different network operating system is necessary. - -One of the remaining big players is [SONiC](https://sonic-net.github.io/SONiC/), which Microsoft created to scale the -network of Azure. It's an open-source project and is now part of the [Linux Foundation](https://www.linuxfoundation.org/press/press-release/software-for-open-networking-in-the-cloud-sonic-moves-to-the-linux-foundation). - -For a general introduction to SONiC, please follow the [Architecture](https://github.com/sonic-net/SONiC/wiki/Architecture) official -documentation. - -## ConfigDB - -On a cold start, the content of `/etc/sonic/config_db.json` will be loaded into the Redis database `CONFIG_DB`, and both -contain the switch's configuration except the BGP unnumbered configuration, which still has to be configured directly by -the frr configuration files. The SONiC community is working to remove this exception, but no release date is known. - -## BGP Configuration - -Frr runs inside a container, and a shell script configured it on the container startup. For BGP unnumbered, we must set -the configuration variable `docker_routing_config_mode` to `split` to prevent SONiC from overwriting our configuration -files created by `metal-core`. But by using the split mode, the integrated configuration mode of frr is deactivated, and -we have to write our BGP configuration to the daemon-specific files `bgp.conf`, `staticd.conf`, and `zebra.conf` instead -to `frr.conf`. - -```bash -elif [ "$CONFIG_TYPE" == "split" ]; then - echo "no service integrated-vtysh-config" > /etc/frr/vtysh.conf - rm -f /etc/frr/frr.conf -``` - -Reference: [docker-init](https://github.com/sonic-net/sonic-buildimage/blob/202205/dockers/docker-fpm-frr/docker_init.sh#L69) - -Adding support for the integrated configuration mode, we must at least adjust the startup shell script and the supervisor configuration: - -```bash -{% if DEVICE_METADATA.localhost.docker_routing_config_mode is defined and DEVICE_METADATA.localhost.docker_routing_config_mode == "unified" %} -[program:vtysh_b] -command=/usr/bin/vtysh -b -``` - -Reference: [supervisord.conf](https://github.com/sonic-net/sonic-buildimage/blob/202205/dockers/docker-fpm-frr/frr/supervisord/supervisord.conf.j2#L157) - -## Non-BGP Configuration - -For the Non-BGP configuration we have to write it into the Redis database directly or via one of the following interfaces: - -- `config replace ` -- the Mgmt Framework -- the SONiC restapi - -Directly writing into the Redis database isn't a stable interface, and we must determine the create, delete, and update -operations on our own. The last point is also valid for the Mgmt Framework and the SONiC restapi. Furthermore, the -Mgmt Framework doesn't start anymore for several months, and a [potential fix](https://github.com/sonic-net/sonic-buildimage/pull/10893) -is still not merged. And the SONiC restapi isn't enabled by default, and we must build and maintain our own SONiC images. - -Using `config replace` would reduce the complexity in the `metal-core` codebase because we don't have to determine the -actual changes between the running and the desired configuration. The approach's drawbacks are using a version of SONiC -that contains the PR [Yang support for VXLAN](https://github.com/sonic-net/sonic-buildimage/pull/7294), and we must provide -the whole new startup configuration to prevent unwanted deconfiguration. - -### Configure Loopback interface and activate VXLAN - -```json -{ - "LOOPBACK_INTERFACE": { - "Loopback0": {}, - "Loopback0|": {} - }, - "VXLAN_TUNNEL": { - "vtep": { - "src_ip": "" - } - } -} -``` - -#### Configure MTU - -```json -{ - "PORT": { - "Ethernet0": { - "mtu": "9000" - } - } -} -``` - -#### Configure PXE Vlan - -```json -{ - "VLAN": { - "Vlan4000": { - "vlanid": "4000" - } - }, - "VLAN_INTERFACE": { - "Vlan4000": {}, - "Vlan4000|": {} - }, - "VLAN_MEMBER": { - "Vlan4000|": { - "tagging_mode": "untagged" - } - }, - "VXLAN_TUNNEL_MAP": { - "vtep|map_104000_Vlan4000": { - "vlan": "Vlan4000", - "vni": "104000" - } - } -} -``` - -#### Configure VRF - -```json -{ - "INTERFACE": { - "Ethernet0": { - "vrf_name": "vrf104001" - } - }, - "VLAN": { - "Vlan4001": { - "vlanid": "4001" - } - }, - "VLAN_INTERFACE": { - "Vlan4001": { - "vrf_name": "vrf104001" - } - }, - "VRF": { - "vrf104001": { - "vni": "104001" - } - }, - "VXLAN_TUNNEL_MAP": { - "vtep|map_104001_Vlan4001": { - "vlan": "Vlan4001", - "vni": "104001" - } - } -} -``` - -## DHCP Relay - -The DHCP relay container only starts if `DEVICE_METADATA.localhost.type` is equal to `ToRRouter`. - -## LLDP - -SONiC always uses the local port subtype for LLDP and sets it to some freely configurable alias field of the interface. - -```python -# Get the port alias. If None or empty string, use port name instead -port_alias = port_table_dict.get("alias") -if not port_alias: - self.log_info("Unable to retrieve port alias for port '{}'. Using port name instead.".format(port_name)) - port_alias = port_name - -lldpcli_cmd = "lldpcli configure ports {0} lldp portidsubtype local {1}".format(port_name, port_alias) -``` - -Reference: [lldpmgr](https://github.com/sonic-net/sonic-buildimage/blob/202205/dockers/docker-lldp/lldpmgrd#L153) - -## Mgmt Interface - -The mgmt interface is `eth0`. To configure a static IP address and activate the Mgmt VRF, use: - -```json -{ - "MGMT_INTERFACE": { - "eth0|": { - "gwaddr": "" - } - }, - "MGMT_VRF_CONFIG": { - "vrf_global": { - "mgmtVrfEnabled": "true" - } - } -} -``` - -[IP forwarding is deactivated on `eth0`](https://github.com/sonic-net/sonic-buildimage/blob/202205/files/image_config/sysctl/sysctl-net.conf#L7), and no IP Masquerade is configured. diff --git a/versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP11/README.md b/versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP11/README.md deleted file mode 100644 index 87f48a10..00000000 --- a/versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP11/README.md +++ /dev/null @@ -1,78 +0,0 @@ ---- -slug: /MEP-11-auditing-of-metal-stack-resources -title: MEP-11 -sidebar_position: 11 ---- - -# Auditing of metal-stack resources - -Currently no logs of the ownership of resources like machines, networks, ips and volumes are generated or kept. Though due to legal requirements data centers are required to keep track of this ownership over time to prevent liability issues when opening the platform for external users. - -In this proposal we want to introduce a flexible and low-maintenance approach for auditing on top of [Meilisearch](https://www.meilisearch.com/). - -## Overview - -In general our auditing logs will be collected by a request interceptor or middleware. Every request and response will be processed and eventually logged to Meilisearch. -Meilisearch will be configured to regularly create chunks of the auditing logs. These finished chunks will be backed up to a S3 compatible storage with a read-only option enabled. - -Of course sensitive data like session keys or passwords will be redacted before logging. We want to track relevant requests and responses. If auditing the request fails, the request itself will be aborted and will not be processed further. The requests and responses that will be audited will be annotated with a correlation id. - -Transferring the meilisearch auditing data chunks to the S3 compatible storage will be done by a sidecar cronjob that is executed periodically. -To avoid data manipulation the S3 compatible storage will be configured to be read-only. - -## Whitelisting - -To reduce the amount of unnecessary logs we want to introduce a whitelist of resources and operations on those that should be logged. -Other requests will be passed directly to the next middleware or web service without any further processing. - -As we are only interested in mutating endpoints, we ignore all `GET` requests. -The whitelist includes all `POST`, `PUT`, `PATCH` and `DELETE` endpoints of the HTTP middleware except for the following (non-manipulating) route suffixes: - -- `/find` -- `/notify` -- `/try` and `/match` -- `/capacity` -- `/from-hardware` - -Regarding GRPC audit trails, they are not so interesting because only internal clients are using this API. However, we can log the trails of the `Boot` service, which can be interesting to revise the machine lifecycle. - -## Chunking in Meilisearch - -We want our data to be chunked in Meilisearch. To accomplish this, we rotate the index identifier on a scheduled basis. The index identifiers will be derived from the current date and time. - -To keep things simple, we only support hourly, daily and monthly rotation. The eventually prefixed index names will only include relevant parts of date and time like `2021-01`, `2021-01-01` or `2021-01-01_13`. - -The metal-api will only write to the current index and switches to the new index on rotation. The metal-api will never read or update data in any indices. - -## Moving chunks to S3 compatible storage - -As Meilisearch will be filled with data over time, we want to move completed chunks to a S3 compatible storage. This will be done by a sidecar cronjob that is executed periodically. Note that the periods of the index rotation and the cronjob execution don't have to match. - -When the backup process gets started, it initiates a [Meilisearch dump](https://www.meilisearch.com/docs/learn/advanced/dumps) of the whole database across all indices. Once the returned task is finished, the dump must be copied from a Meilisearch volume to the S3 compatible storage. After a successful copy, the dump can be deleted. - -Now we want to remove all indices from Meilisearch, except the most recent one. For this, we [get all indices](https://www.meilisearch.com/docs/reference/api/indexes#list-all-indexes), sort them and [delete each index](https://www.meilisearch.com/docs/reference/api/indexes#delete-an-index) except the most recent one to avoid data loss. - -For the actual implementation, we can build upon [backup-restore-sidecar](https://github.com/metal-stack/backup-restore-sidecar). But due to the index rotation and the fact, that older indices need to be deleted, this probably does not fit into the mentioned sidecar. - -## S3 compatible storage - -The dumps of chunks should automatically deleted after a certain amount of time, once we are either no longer allowed or required to keep them. -The default retention time will be 6 months. Ideally already uploaded chunks should be read-only to prevent data manipulation. - -A candidate for the S3 compatible storage is Google Cloud Storage, which allows to configure automatic expiration of objects through a [lifecycle rule](https://cloud.google.com/storage/docs/managing-lifecycles?hl=en#storage-set-lifecycle-config-go). - -## Affected components - -- metal-api grpc server needs an auditing interceptor -- metal-api web server needs an auditing filter chain / middleware -- metal-api needs new command line arguments to configure the auditing -- mini-lab needs a Meilisearch instance -- mini-lab may need a local S3 compatible storage -- we need a sidecar to implement the backup to S3 compatible storage -- Consider auditing of volume allocations and freeings outside of metal-stack - -## Alternatives considered - -Instead of using Meilisearch we investigated using an immutable database like [immudb](https://immudb.io/). But immudb does not support chunking of data and due to its immutable nature, we will never be able to free up space of expired data. Even if we are legally allowed or required to delete data, we will not be able to do so with immudb. - -In another variant of the Meilisearch approach the metal-api would also be responsible for copying chunks to the S3 compatible storage and deleting old indices. But separating the concerns allows completely different implementations for every deployment stage. diff --git a/versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP12/README.md b/versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP12/README.md deleted file mode 100644 index 65532c57..00000000 --- a/versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP12/README.md +++ /dev/null @@ -1,34 +0,0 @@ ---- -slug: /MEP-12-rack-spreading -title: MEP-12 -sidebar_position: 12 ---- - -# Rack Spreading - -Currently, when creating a machine through the metal-api, the machine is placed randomly inside a partition. This algorithm does not consider spreading machines across different racks and different chassis. This may lead to the situation that a group of machines (that for example form a cluster) can end up being placed in the same rack and the same chassis. - -Spreading a group of machines across racks can enhance availability for scenarios like a rack losing power or a chassis meltdown. - -So, instead of just randomly deciding the placement of a machine candidate, we want to propose a placement strategy that attempts to spread machine candidates across the racks inside a partition. - -Furthermore a followup improvement to guarantee that machines are really spread across multiple racks, even if multiple machines are ordered in parallel, was implemented with [PR490](https://github.com/metal-stack/metal-api/pull/490). - -## Placement Strategy - -Machines in the project are spread across all available racks evenly within a partition (best effort). For this, an additional request to the datastore has to be made in order to find allocated machines within the project in the partition. - -The algorithm will then figure out the least occupied racks and elect a machine candidate randomly from those racks. - -The user can optionally pass placement tags which will be considered for spreading the machines as well (this will for example allow spreading by a cluster id tag inside the same project). - -## API - -```golang -// service/v1/machine.go - -type MachineAllocation struct { - // existing fields are omitted for readability - PlacementTags []string `json:"placement_tags" description:"by default machines are spread across the racks inside a partition for every project. if placement tags are provided, the machine candidate has an additional anti-affinity to other machines having the same tags"` -} -``` diff --git a/versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP13/README.md b/versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP13/README.md deleted file mode 100644 index 2dde20f5..00000000 --- a/versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP13/README.md +++ /dev/null @@ -1,111 +0,0 @@ ---- -slug: /MEP-13-dual-stack-support -title: MEP-13 -sidebar_position: 13 ---- - -# Dual-stack Support - -dual-stack support is required to be able to create Kubernetes clusters with either IPv6 single-stack or dual-stack enabled. -With the inherent scarcity of IPv4 addresses, the need to be able to use IPv6 has increased. - -Full IPv6 dual-stack support was added to Kubernetes with v1.23 as stable. - -Gardeners have had full IPv6 dual-stack support since `v1.109`. - -metal-stack manages CIDRs and IP addresses with the [go-ipam](https://github.com/metal-stack/go-ipam) library, which already got full IPv6 support in 2021 (see [https://metal-stack.io/blog/2021/02/ipv6-part1](https://metal-stack.io/blog/2021/02/ipv6-part1)). -But this was only the foundation, more work needs to be done to get full IPv6 support for all aspects managed by metal-stack.io. - -## General Decisions - -For the general decision we do not look at the isolated clusters feature for now as this would make the solution even more complex and we want to introduce IPv6 in smaller steps to the users. - -### Networks - -Currently, metal-stack organizes CIDRs / prefixes into a `network' resource in the metal-api. A network can consist of multiple CIDRs from the same address family. For example, if an operator wants to provide Internet connectivity to provisioned machines, they can start with small network CIDRs. The number of managed network prefixes can then be expanded as needed over time. - -With dual-stack we have to choose between two options: Network per address family or networks with both address families. These options are described in the next section. - -#### Network per Address Family - -This means that we allow networks with CIDRs from one address family only, one for IPv4 and one for IPv6. - -The machine creation process will not change if the machine only needs to be either IPv4 or IPv6 addressable. -But if on the other side, the machine need to be able to connect to both address families, the machine creation needs to specify two networks, one for IPv4 and one for IPv6. -Also there will be 2 distinct VRF IDs for every network with a different address family. - -#### Network with both Address Families - -Make a network dual address family capable, meaning that you can add multiple cidrs from both address families to a network. -Then the machine creation will remain the same for single-stack and dual-stack cases, but the ip address allocation will need to specify the address family from which to allocate an ip address when the network is dual-stack. -This does not break the existing API, but allows existing extensions to easily add dual-stack support. -To avoid additional checking of which address families are available on this network during an ip allocation call, we could store the address families in the network. - -#### Decision - -The decision was made to go with the having both address families in a single network entity because we think this is the most flexible way to support dual-stack machines and Kubernetes clusters as well as single-stack with the least amount of modifications on the networking side. - -### Examples - -To illustrate the the usage we start by creating a tenant super network which has both address families: - -```yaml ---- -id: tenant-super-network-mini-lab -name: Project Super Network -description: Super network of all project networks -partitionid: mini-lab -prefixes: - - 10.0.0.0/16 - - 2001:db8:0:10::/64 -defaultchildprefixlength: - IPv4: 22 - IPv6: 96 -privatesuper: true -``` - -In order to create this network, we simple call: - -```bash -metalctl network create -f tenant-super.yaml -``` - -This is usually done during the initial setup of the environment. - -Next step is to allocate a tenant network where the machines of a project can be placed: - -```bash -metalctl network allocate --partition mini-lab --project 4b9b17c4-2d7c-4190-ae95-dda44e430fa6 --name my-node-network -``` - -This leads to the following network allocation: - -```yaml -id: 2d2c0350-3f66-4597-ae97-ef6797232212 -name: my-node-network -parentnetworkid: tenant-super-network-mini-lab -partitionid: mini-lab -prefixes: - - 10.0.0.0/22 - - 2001:db8:0:10::/96 -projectid: 4b9b17c4-2d7c-4190-ae95-dda44e430fa6 -vrf: 20 -consumption: - ipv4: - available_ips: 1024 - available_prefixes: 256 - used_ips: 2 - used_prefixes: 0 - ipv6: - available_ips: 2147483647 - available_prefixes: 1073741824 - used_ips: 1 - used_prefixes: 0 -privatesuper: false -``` - -Users can the create IP addresses from these child networks. By default, they retrieve an IPv4 address except a super network only consists of IPv6 prefixes. In the latter case the users acquire an IPv6 address. - -```bash -metalctl network ip create --network 2d2c0350-3f66-4597-ae97-ef6797232212 --project 4b9b17c4-2d7c-4190-ae95-dda44e430fa6 -``` diff --git a/versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP14/README.md b/versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP14/README.md deleted file mode 100644 index 47c06434..00000000 --- a/versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP14/README.md +++ /dev/null @@ -1,36 +0,0 @@ ---- -slug: /MEP-14-independence-from-external-sources -title: MEP-14 -sidebar_position: 14 ---- - -# Independence from external sources - -In certain situations some customers may need to operate and create machines without making use of external services like DNS or NTP through the internet. To make this possible, all metal-stack components reaching external services need to be configurable with custom endpoints. - -So far, the following components have been identified as requiring changes: - -- pixiecore -- metal-hammer -- metal-images - -More components are likely to be added to the list during processing. -For DNS and NTP servers it should be possible to provide default values within a partition. They can either be inherited from machines and firewalls or overwritten with own ones. - -## pixiecore - -A NTP server endpoint need to be configured on the pixiecore. This can be achieved by providing it through environment variables on start up. - -## metal-hammer - -If using a self-deployed NTP server, also the metal-hammer need to be configured with it. For backward compatibility, default values from `pool.ntp.org` and `time.google.com` are used. - -## metal-images - -Configurations for the `metal-images` are different for machines and firewalls. - -## metalctl - -In order to pass DNS and NTP servers to partitions and machines while creating them, the flags `dnsservers` and `ntpservers` need to be added. - -The implementation of this MEP will make metal-stack possible to create and maintain machines without requiring an internet connection. diff --git a/versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP16/README.md b/versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP16/README.md deleted file mode 100644 index dbfa59d6..00000000 --- a/versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP16/README.md +++ /dev/null @@ -1,332 +0,0 @@ ---- -slug: /MEP-16-metal-api-as-an-alternative-configuration-source-for-the-firewall-controller -title: MEP-16 -sidebar_position: 16 ---- - -# metal-api as an Alternative Configuration Source for the firewall-controller - -In the current situation, a firewall as provisioned by metal-stack is a fully immutable entity. Any modifications on the firewall like changing the firewall ruleset must be done _somehow_ by the user – the metal-api and hence metal-stack is not aware of its current state. - -As part of our [integration with the Gardener project](https://docs.metal-stack.io/stable/overview/kubernetes/#Gardener) we offer a solution called the [firewall-controller](https://github.com/metal-stack/firewall-controller), which is part of our [firewall OS images](https://github.com/metal-stack/metal-images/blob/6318a624861b18a559a9d37299bca5f760eef524/firewall/Dockerfile#L57-L58) and addresses shortcomings of the firewall resource's immutability, which would otherwise be completely impractible to work with. The firewall-controller crashes infinitely if it is not properly configured through the userdata when using the firewall image of metal-stack. - -The firewall-controller approach is tightly coupled to Gardener and it requires the administrator of the Gardener installation to pass a shoot and a seed kubeconfig through machine userdata when creating the firewall. How this userdata has to look like is not documented and is just part of another project called the [firewall-controller-manager](https://github.com/metal-stack/firewall-controller-manager) (FCM), which task is to orchestrate rolling updates of firewall machines in a way that network traffic interruption is minimal when updating a firewall or applying a change to an immutable firewall configuration. - -In general, a firewall entity in metal-stack has similarities to the machine entity but it has a fundamental difference: A user gains ownership over a machine after provisioning. They can access it through SSH, modify it at will and this is completely wanted. For firewalls, however, we do not want a user to access the provisioned firewall as the firewall is a privileged part of the infrastructure with access to the underlay network. The underlay can not be tampered with at any given point in time by a user as it can destroy the entire network traffic flow inside a metal-stack partition. - -For this reason, we have a gap in the metal-stack project in terms of a missing solution for people who do not rely on the Gardener integration. We are basically leaving a user with the option to implement an orchestrated recreation of every possible change on the firewall to minimize traffic interruption for the machines sitting behind the firewall or re-implement the firewall-controller to how they want to use it for their use-case. - -Also we do not have a clear distinction in the API between user and metal-stack operator for firewalls. If a user would allocate a firewall it is also possible for the user to inject his own SSH keys and access the firewall and tamper with the underlay network. - -Parts of these problems are probably going to decrease with the work on [MEP-4](../MEP4/README.md) where there will be dedicated APIs for users and administrators of metal-stack including fine-grained access tokens. - -With this MEP we want to describe a way to improve this current situation and allow other users that do not rely on the Gardener integration – for whatever motivation they have – to adequately manage firewalls. For this, we propose an alternative configuration for the firewall-controller that is native to metal-stack and more independent of Gardener. - -## Proposal - -The central idea of this proposal is allowing the firewall-controller to use the metal-api as a configuration source. This should serve as an alternative strategy to the currently used FCM `Firewall` resource based approach in the Gardener use-case. -Updates of the firewall rules should be possible through the metal-api. - -The firewall-controller itself should now be able to decide which of the two main strategies should be used for the base configuration: a kubeconfig or the metal-api. This should be possible through a dedicated _firewall-controller-config_. - -Using this config will now allow operators to fine-tune the data sources for all of its dynamic configuration tasks independently. -For example the data source of the core firewall rules could be set either from the `Firewall` resource located in the Gardener `Seed` or the metal-apiserver node network entity, while the CWNPs should be fetched and applied from a given kubeconfig (the `Shoot` Kubeconfig in the Gardener case). -This configuration file is intended to be injected during firewall creation through the userdata along with potential source connection credentials. - -```yaml -# the name of the firewall, defaulted to the hostname -name: best-firewall-ever - -sources: - seed: - kubeconfig: /path/to/seed.yaml # current gardener behavior - namespace: shoot--proj--name - shoot: - kubeconfig: /path/to/shoot.yaml # current gardener behavior - namespace: firewall - metal: - url: https://metal-api - hmac: some-hmac - type: Metal-View - projectID: abc - static: - # static should mirror all information provided by the metal or seed/shoot sources - firewall: # optional - controllerURL: https://... - cwnp: - egress: [] - ingress: [] - -# all sub-controllers running on the firewall -# each can be configured independently -controllers: - # this is the base controller - firewall: - source: seed # or: metal, static - - # these are optional: when not provided, they are disabled - selfUpdate: - enabled: true - droptailer: - enabled: true - - # these are optional: when not provided, they are disabled - service: - source: shoot # or: metal, static - cwnp: - source: shoot # or: metal, static - monitor: - source: shoot # currently only shoot is supported -``` - -The existing behavior of the firewall-controller writing into `/etc/nftables/firewall-controller.v4` is not changed. The different controller configuration sources are internally treated in the same way as before. The `static` source can be used to prevent the firewall-controller from crashing and consistently providing a static ruleset. This might be interesting for metal-stack native use cases or environments where the metal-api cannot be accessed. - -There must be one central nftables-rule-file-controller that is notified and triggered by all other controllers that contribute to the nftables configuration. - -For example, in order to maintain the existing Gardener integration, the configuration file for the firewall-controller will look like this: - -```yaml -name: shoot--abc--cluster-firewall-def -sources: - seed: - kubeconfig: /etc/firewall-controller/seed.yaml - namespace: shoot--abc--cluster - shoot: - kubeconfig: /etc/firewall-controller/shoot.yaml - namespace: firewall - -controllers: - firewall: - source: seed - - selfUpdate: - enabled: true - droptailer: - enabled: true - - service: - source: shoot - cwnp: - source: shoot - monitor: - source: shoot -``` - -Plain metal-stack users might use a configuration like this: - -```yaml -name: best-firewall-ever - -sources: - metal: - url: https://metal-api - hmac: some-hmac - type: Metal-View - projectID: abc - -controllers: - firewall: - source: metal - selfUpdate: - enabled: true - droptailer: - enabled: true - - cwnp: - # firewall rules stored in firewall entity - # potential improvement would be to attach the rules to the node network entity - # be aware that the firewall and private networks are immutable - # eventually we introduce a firewall ruleset entity - source: metal -``` - -In highly restricted environments that cannot access metal-api the static source could be used: - -```yaml -name: most-restricted-firewall-ever - -sources: - static: - firewall: - controllerURL: https://... - cwnp: - egress: [] - ingress: [] - -controllers: - firewall: - source: static - - cwnp: - source: static -``` - -### Non-Goals - -- Resolving the missing differentiation between users and administrators by letting users pass userdata and SSH keys to the firewall creation. - - This is even more related to [MEP-4](../MEP4/README.md) than this MEP. - -### Advantages - -- Offers a native metal-stack solution that improves managing firewalls for users by adding dynamic reconfiguration through the metal-api - - e.g., in the mini-lab, users can now allocate a machine, then an IP address and announce this IP from the machine without having to re-create the firewall but by adding a firewall rule to the metal-api. -- Improve consistency throughout the API (firewall rules would reflect what is persisted in metal-api). -- Other providers like Cluster API can leverage this approach, too. -- It can contribute to solving the shoot migration issue (in Cluster API case the `clusterctl move` for firewall objects) - - For Gardener takes the seed out of the equation (of which the kubeconfig changes during shoot migration) - - However: Things like egress rules, rate limiting, etc. are currently not part of the firewall or network entity in the metal-api. These would need to be added to one of them. -- Potentially resolve the issue that end-users can manipulate accounting data of the firewall through the `FirewallMonitor` - - for this we would need to be able to report traffic data to metal-api - -### Caveats - -- Metal-View access is too broad for firewalls. Mitigated by [MEP-4](../MEP4/README.md). -- Polling of the firewall-controller is bad for performance. Mitigated by [MEP-4](../MEP4/README.md). - -### Firewall Controller Manager - -Currently the firewall-controller-manager expects the creators of a `FirewallDeployment` to use the defaulting webhook that is tailored to the Gardener integration in order to generate `Firewall.spec.userdata` or to override it manually. Currently `Firewall.spec.userdata` will never be set explicitly. - -Instead we'd like to propose `Firewall.spec.userdataContents` which will replace the old `userdata`-string by a typed data structure. The FCM will do the heavy lifting while the `FirewallDeployment` creator decides what should be configured. - -```yaml -kind: FirewallDeployment -spec: - template: - spec: - userdataContents: - - path: /etc/firewall-controller/config.yaml - content: | - --- - sources: - static: {} - controllers: - firewall: - source: static - - path: /etc/firewall-controller/seed.yaml - contentFrom: - firewallControllerKubeconfigSecret: - name: seed-kubeconfig - key: kubeconfig - - - path: /etc/firewall-controller/shoot.yaml - contentFrom: - secretRef: - name: shoot-kubeconfig - key: kubeconfig -``` - -### Gardener Extension Provider Metal Stack - -The GEPM should be migrated to the new `Firewall.spec.userdataContents` field. - -### Cluster API Provider Metal Stack - -![architectural overview](firewall-for-capms-overview.svg) - -In Cluster API there are essentially two main clusters: the management cluster and the workload cluster while the CAPMS takes in the role of the GEPM. -Typically a local bootstrap cluster is created in KinD which acts as the management cluster. It creates the workload cluster. Thereafter the ownership of the workload cluster is typically moved (using `clusterctl move`) to a different cluster which will then become the management cluster. -The new management cluster might actually be the workload cluster itself. - -In contrast to Gardener, Cluster API aims to be less opinionated and minimal. It is common practice to not install any non-required components or CRDs into the workload cluster by default. Therefore we cannot expect custom resources like `ClusterwideNetworkPolicy` or `FirewallMonitor` to be installed in the workload cluster but strongly recommend our users to do it. Therefore it's the responsibility of the operator to tell [cluster-api-provider-metal-stack](https://github.com/metal-stack/cluster-api-provider-metal-stack) the kubeconfig for the cluster where these CRDs are installed and defined in. - -A viable configuration for a `MetalStackCluster` that generates firewall rules based of `Service` type `LoadBalancer` and `ClusterwideNetworkPolicy` and expects them to be deployed in the workload cluster is shown below. The `FirewallMonitor` will be reported into the same cluster. - -```yaml -kind: MetalStackCluster -metadata: - name: ${CLUSTER_NAME} -spec: - firewallTemplate: - userdataContents: - - path: /etc/firewall-controller/config.yaml - contentFrom: - secretRef: - name: ${CLUSTER_NAME}-firewall-controller-config - key: controllerConfig - - - path: /etc/firewall-controller/workload.yaml - contentFrom: - # this is the kubeconfig generated by kubeadm - secretRef: - name: ${CLUSTER_NAME}-kubeconfig - key: value ---- -kind: Secret -metadata: - name: ${CLUSTER_NAME}-firewall-controller-config -stringData: - controllerConfig: | - --- - name: ${CLUSTER_NAME}-firewall - - sources: - metal: - url: ${METAL_API_URL} - hmac: ${METAL_API_HMAC} - type: ${METAL_API_HMAC_TYPE} - projectID: ${METAL_API_PROJECT_ID} - shoot: - kubeconfig: /etc/firewall-controller/workload.yaml - namespace: firewall - - controllers: - firewall: - source: metal - selfUpdate: - enabled: true - droptailer: - enabled: true - - service: - source: shoot - cwnp: - source: shoot - monitor: - source: shoot -``` - -Here the firewall-controller-config will be referenced by the `MetalStackCluster` as a `Secret`. Please note that the `Secret`s in `userdataContents` will not be fetched and will directly be passed to the `FirewallDeployment`. At first the reconciliation of it in the FCM will fail due to the missing Kubeconfig secret. After the `MetalStackCluster` has been marked as ready, CAPI will create this missing secret. Effectively the firewall and initial control plane node should be created at the same time. - -This approach allows maximum flexibility as intended by Cluster API and is still able to provide robust rolling updates of firewalls. - -An advanced use case of this flexibility would be a management cluster, that is in charge of multiple workload clusters. Where one workload cluster acts as a monitoring or tooling cluster, receives logs and the firewall monitor for the other workload clusters. The CWNPs could be defined here, all in a separate namespace. - -#### Cluster API Caveats - -When the cluster is pivoted and reconciles its own firewall, a malfunctioning firewall prevents the cluster from self-healing and requires manual intervention by creating a new firewall. This is an inherent problem of the cluster-api approach. It can be circumvented by using an extra cluster to manage workload clusters. - -In the current form of this approach firewalls and therefore the firewall egress and ingress rules are managed by the cluster operators that manage the cluster-api resources. -Hence it will not be possible to gain a fine-grained control over every cluster operator's choices from a central ruleset at the level of metal-stack firewalls. -In case this control surfaces as a requirement, it would need to be implemented in a firewall external to metal-stack. - -## Roadmap - -In general this proposal is not thought to be implemented in one batch. Instead an incremental approach is required. - -1. Enhance firewall-controller-manager - - - Add `FirewallDeployment.spec.template.spec.userdataContents` - -2. Enhance firewall-controller - - - Reduce coupling between controllers - - Introduce controller config - - Abstract module to write into distinct nftable rules for every controller - - Implement `sources.static`, but not `sources.metal` - - GEPM should set `FirewallDeployment.spec.template.spec.userdataContents` - -3. Allow Cluster API to use the FCM with static ruleset - - - Add `firewall.metal-stack.io/paused` annotation (managed by CAPMS during `clusterctl move`, theoretically useful for Gardener shoot migration as well to avoid shallow deletion). - - Reconcile multiple `FirewallDeployment` resources across multiple namespaces. For Gardener the old behavior of reconciling only one namespace should persist. - - Allow setting the `firewall.metal-stack.io/no-controller-connection` annotation through the `FirewallDeployment` (either through the template or inheritance). - - Add `MetalStackCluster.spec.firewallTemplate`. - - Make `MetalStackCluster.spec.nodeNetworkID` optional if `spec.firewallTemplate` given. - -4. Add `sources.metal` as configuration option. - - - Allow updates of firewall rules in the metal-apiserver. - - Depends on [MEP-4](../MEP4/README.md) metal-apiserver progress - -5. Potentially migrate the GEPM to use `sources.metal` diff --git a/versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP16/firewall-for-capms-overview.drawio b/versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP16/firewall-for-capms-overview.drawio deleted file mode 100644 index faea3e3d..00000000 --- a/versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP16/firewall-for-capms-overview.drawio +++ /dev/null @@ -1,4 +0,0 @@ - - - -
handles traffic
Firewall
Firewall Controller
node-exporter
nftables-exporter
droptailer-client
Workload Cluster
droptailer
Configures
Bootstrap or Management Cluster
reconcile
configures
reconcile
Cluster API Provider metal-stack
Metal Stack Cluster CRD
Firewall Deployment CRD
Firewall CRD
Firewall Set CRD
rec
reconcile
reconcile
Firewall Controller Manager
Metal Stack Machine CRD
manages
Admin
Kubeconfig FirewallMonitor
FirewallMonitor CRD
main metal-api
Firewall entity
kubeconfig CWNP
Clusterwide Network Policy CRD
base config
controllerConfig
user-defined
network rules
reports firewall
state
send firewall log lines
controllerConfig
controllerConfig
 \ No newline at end of file diff --git a/versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP16/firewall-for-capms-overview.svg b/versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP16/firewall-for-capms-overview.svg deleted file mode 100644 index 853f8175..00000000 --- a/versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP16/firewall-for-capms-overview.svg +++ /dev/null @@ -1 +0,0 @@ -
handles traffic
handles traffic
Firewall
Firewall
Firewall Controller
Firewall Controller
node-exporter
node-exporter
nftables-exporter
nftables-exporter
droptailer-client
droptailer-client
Workload Cluster
Workload Cluster
droptailer
droptailer
Configures
Configures
Bootstrap or Management Cluster
Bootstrap or Management Cluster
reconcile
reconcile
configures
configures
reconcile
reconcile
Cluster API Provider metal-stack
Cluster API Provider...
Metal Stack Cluster CRD
Metal Stack Cluster...
Firewall Deployment CRD
Firewall Deployment...
Firewall CRD
Firewall CRD
Firewall Set CRD
Firewall Set CRD
rec
rec
reconcile
reconcile
reconcile
reconcile
Firewall Controller Manager
Firewall Controller...
Metal Stack Machine CRD
Metal Stack Machine...
manages
manages
Admin
Admin
Kubeconfig FirewallMonitor
Kubeconfig FirewallMonitor
FirewallMonitor CRD
FirewallMonitor CRD
main metal-api
main metal-api
Firewall entity
Firewall entity
kubeconfig CWNP
kubeconfig CWNP
Clusterwide Network PolicyCRD
Clusterwide Network...
base config
base config
controllerConfig
controllerConfig
user-defined
network rules
user-defined...
reports firewall
state
reports firewall...
send firewall log lines
send firewall log lines
controllerConfig
controllerConfig
controllerConfig
controllerConfigText is not SVG - cannot display \ No newline at end of file diff --git a/versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP17/README.md b/versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP17/README.md deleted file mode 100644 index 35f48970..00000000 --- a/versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP17/README.md +++ /dev/null @@ -1,61 +0,0 @@ ---- -slug: /MEP-17-global-network-view -title: MEP-17 -sidebar_position: 17 ---- - -# Global Network View - -> [!IMPORTANT] -> This MEP assumes the implementation of the metal-apiserver as described by [MEP-4](../MEP4/README.md) which is currently work in progress. - -Having a complete view of the network topology is useful when working with deployments or troubleshooting connectivity issues. -Currently, the API doesn't know of any other switches than the leaf switches. -Information about all other switches and their connections must be gathered from Ansible inventories or by accessing the switches via SSH. -Documentation of each partition's network must be kept in-sync with all changes made to the deployment or cabling. -We would like to expand the API's knowledge of the network to the entire underlay including inter-switch connections as well as BGP statistics and health status. - -## Switch Types - -Registering a switch at the API is done by the metal-core. -Apart from that, it also reconciles port and FRR configuration to adapt to the machine provisioning cycle. -This reconfiguration is only necessary on the leaf switches. -To allow deploying the metal-core on other switches than leaves we need a way of telling it what type of switch it is running on so it can act accordingly. -On any non-leaf switches it will only register the switch and report statistic but not change any configuration. -Supported switch types are - -- `leaf` -- `spine` -- `exit` -- `mgmtleaf` -- `mgmtspine` - -## Network Topology - -All switches should periodically report their LLDP neighbors and port configuration. -This information can be used to quickly identify common network issues, like MTU mismatch or the like. -Ideally, there would be some graphical representation of the network topology containing only the most important information for a quick overview. -It should contain all switches and machines as nodes and all connections as edges of a graph. -Ports, VRFs, and maybe also IPs should be associated with a connection. - -Apart from the topology graph, there should be a way to display more detailed information about both ports of a connection, like - -- MTU -- speed -- IP -- UP/DOWN status -- VRF -- VLAN -- whether it participates in a BGP session - -## BGP Announcements - -The metal-core should collect all routes it knows about and send them to the API along with a timestamp. -Reported routes should be stored to a redis database along with the switch that reported them and the timestamp of the last time they were reported. -An expiration threshold should be defined and all expired routes should be cleaned up periodically. -Whenever new routes are reported they get merged into the existing ones by the strategy: - -- when new, just add -- when existing, update `last_announced` timestamp - -By querying the BGP announcements we can find out whether an allocated IP is still in use. diff --git a/versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP18/README.md b/versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP18/README.md deleted file mode 100644 index 9c02c0b7..00000000 --- a/versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP18/README.md +++ /dev/null @@ -1,147 +0,0 @@ ---- -slug: /MEP-18-autonomous-control-plane -title: MEP-18 -sidebar_position: 18 ---- - -# Autonomous Control Plane - -As described in the [deployment chapter](../../../docs/04-For%20Operators/03-deployment-guide.mdx), we strongly recommend Kubernetes as the target platform for running the metal-stack control plane. - -Kubernetes clusters for this purpose are readily available from hyperscalers, metalstack.cloud, or other cloud providers. Simply using a managed Kubernetes cluster greatly simplifies a metal-stack installation. However, sometimes it might be desirable to host the metal-stack control plane autonomously, without the help of another cloud provider. Reasons for this might include corporate policies that prohibit the use of external data center products, or network constraints. - -The Kubernetes cluster hosting the metal-stack control plane must provide at least the following features: - -- Load balancing (for exposing the APIs) -- Persistent storage (for the databases and key-value stores) -- Access to object storage for automated backups of the stateful sets -- Access to a DNS provider supported by one of the used DNS extensions -- Externally accessible DNS records for obtaining officially signed certificates through DNS challenges - -This metal-stack control plane cluster must also be highly available to prevent a complete loss of control over the managed resources in the data center. -Regular Kubernetes updates to apply security fixes and feature updates must be possible in an automated manner. The Day-2 operational overhead of running this cluster in your own datacenter must be reasonable. - -In this chapter, we propose a solution for setting up a metal-stack environment with an autonomous control plane that is independent of another cloud provider. - -## Use Your Own Dogfood - -The most obvious solution is to just deploy a Kubernetes cluster manually in your own data center by utilizing existing tooling for the deployment: - -- k3s -- kubeadm -- vmware and rancher -- talos -- kubespray -- ... (not a complete list) - -However, all these solutions add another layer of complexity that needs to be maintained and operated by people who also need to learn and understand metal-stack. In general, metal-stack in combination with [Gardener](https://gardener.cloud) contains all the necessary tools to provide KaaS, so it makes sense to reuse what is already in place without introducing new dependencies on other products and vendors. - -The only problem here is that Gardener is not yet able to create an initial cluster, which may change with the implementation of [GEP-28](https://github.com/gardener/gardener/blob/master/docs/proposals/28-autonomous-shoot-clusters.md). In the meantime, we suggest using [k3s](https://k3s.io/), which manages the initial metal-stack partition to host the control plane, since the maintenance overhead is acceptable and it is easy to deploy. - -## The Matryoshka Principle - -Instead of directly using the K3s cluster for the production control plane, we propose using it as a minimal control plane cluster which only purpose is to host the production control plane cluster. This layer of indirection brings some reasonable advantages: - -- In the event of an interruption or loss of this minimal control plane cluster, the production control plane remains unaffected, and end users can continue to manage their clusters as normal. -- A dedicated operations team can take care of the Day-2 maintenance of this installation, which can be handy because the tools like k3s are a little different from the rest of the setup (it is likely that more manual maintenance is required than for any other cluster). This would also be true if the initial cluster problem would be solved by the Gardener itself and not using k3s. -- Since the number of shoot clusters to host is static, the resource requirements are minimal and will not change significantly over time. There are no huge resource requirements in terms of cpu, memory and storage. As such, the lack of scalability is not such a big issue. - -So, our proposal is to chain two metal-stack control planes. The initial control plane cluster would use k3s and on this cluster we can spin up a cluster for the production control plane with the use of Gardener. - -The following figure shows how the high-level architecture of this setup looks like. A even more simplified illustration of this setup can be looked up in the appendix[^1]. - -![Autonomous Control Plane Architecture](./autonomous-control-plane-images/metal-stack-autonomous-control-plane-full.svg) - -The k3s nodes can either be bare metal machines or virtual machines. When using VMs a single k3s node might be a viable solution, too. These nodes are supposed to be setup manually / partly automated with an operating system like Debian. - -To name the cluster that hosts the initial metal-stack control plane and Gardener we use the term _initial cluster_. The initial cluster creates worker nodes to host the _target cluster_. - -## Initial Cluster - -The initial cluster is kept very small. The physical bare metal machines can be any machines and switches which are supported by metal-stack, but can be smaller in terms of cpu, memory and network speed because these machines must only be capable of running the target cluster for the metal-stack control plane. A typical single socket server with 8-16 cores and 64GB of RAM and two NVMe drives of 1TB would be a good starting point. - -In a typical k3s setup, a stateful set would lose the data once the k3s cluster was terminated and started again. But there is a possibility to define parts of the local storage of the server to be provided to the k3s cluster for the PVCs. With that, k3s could be terminated and started again, for example to update and reboot the host os, or update k3s itself and the data will persist. - -Example k3s configuration for persistent storage on the hosts os: - -```yaml -k3s: Cluster -apiVersion: k3s.x-k8s.io/v1alpha4 -name: needle-control-plane -nodes: - - role: control-plane - # add a mount from /path/to/my/files on the host to /files on the node - extraMounts: - - hostPath: /path/to/my/files - containerPath: /files -``` - -Into this cluster metal-stack and Gardener will be deployed. This deployment can be done by a Gitlab runner which is running on this machine. -The mini-lab will be used as a base for this deployment. The current development of [gardener-in-minilab](https://github.com/metal-stack/mini-lab/pull/202) must be extended to host all required extensions to make this a working metal-stack control plane which can manage the machines in the attached bare metal setup. - -In addition to the metal-stack and Gardener deployment, some additional required services are deployed (non-complete list): - -- PowerDNS to serve as a DNS Server for all DNS entries used in the initial and the target cluster, like `api.initial.metal-stack.local`, `gardener-api.initial.metal-stack.local` and the DNS entries for the api servers of the created kubernetes clusters. -- NTP -- Monitoring for the initial cluster and partition -- Optional: OIDC Server for authenticating against the metal-api -- Optional: Container Registry to host all metal-stack and gardener containers -- Optional: Let's Encrypt [boulder](https://github.com/letsencrypt/boulder) as a certificate authority -- ... - -Physical view, minimal setup for a initial cluster with a single physical node: - -![Small Initial Cluster](autonomous-control-plane-images/small-initial-cluster.svg) - -Physical View, bigger ha setup which is spread across two data centers: - -![HA Initial Cluster](autonomous-control-plane-images/ha-initial-cluster.svg) - -### Control Plane High Availability - -Running the initial control plane on a single physical server is not as available as it should be in such a use case. It should be possible to survive a loss of this server, because the server could be lost by many events, such as hardware failure, disk corruption or even failure of the datacenter location where this server is deployed. - -Setting up a second server with the same software components is an option, but the problem of data redundancy must be solved, because neither the gardener control plane, nor the metal-stack control plane can be instantiated twice. - -Given that we provide part of the local storage of the server as backing storage for the stateful sets in the k3s cluster, the data stored on the server itself must be replicated to another server and backed up on a regular basis. - -The replication of ETCD can be achieved through [clustered configuration](https://docs.k3s.io/datastore/ha-embedded) of k3s. Components of metal-stack and Gardener can run standalone and already utilize backup-restore mechanism that must be configured accordingly. For two or more bare metal machine used for the initial cluster, a loadbalancing mechanism for the ingress is required. kube-vip could be a possible solution. - -For monitoring a backend like a Victoria Metrics Cluster would allow spearding the monitoring data across the initial cluster nodes. These metrics should also be backed up in object storage. - -### Partition - -The partition which is managed by the initial cluster can be a simple and small hardware setup but yet capable enough to host the target cluster. It would even be a good practice to create separate target clusters on the initial cluster, e.g. one for the metal-stack control plane and one for the Gardener (maybe one more for monitoring). - -It can follow the metal-stack minimal setup which provides about 8-16 small servers connected to a 1G/s or 10G/s network dataplane. Central storage is optional as the persistence of the services running in these clusters is always backed up to a central object storage. Operations would be much easier if a central storage is provided. - -## Target Cluster - -The target cluster is the metal-stack environment which serves for end-user production use, the control plane is running in a shoot hosted in the initial cluster. The seed(s) and shoot(s) for end-users are created on the machines provided by the target cluster. -These machines can be of a different type in terms of size, but more importantly, these machines are connected to another network dataplane. Also the management infrastructure is separated from the initial cluster management network. - -## Failure Scenarios - -Everything could fail, everything will fail at some point. But this must kept in mind and nothing bad should happen if only one component at a time fails. -If more than one fails, the restoration to a working state must be easily possible and well documented. - -To ensure all possible breakages are documented, we suggest writing a list which summarizes all failure scenarios that might occur including the remediation. - -Here is an example of how a scenario documentation could look like: - -**Scenario**: Initial cluster is gone, all machines have died -**Impact**: Management of the initial cluster infrastructure not possible anymore, the target cluster continues to run but cannot be managed because the API servers are gone. end-users are not affected by this incident. -**Remediation**: The initial cluster nodes must be provisioned from scratch and re-deployed through the CI mechanism. The backups of the stateful sets are automatically restored during this process. - -## Implementation - -As part of this proposal, we provide the following tools and integrations in order to setup an autonomous control plane: - -- Deployment roles for the services like PowerDNS and NTP for the initial cluster -- Stretch goal: Deployment role to setup k3s in clustered configuration for the initial cluster and update it -- Extend the Gardener on mini-lab integration to allow shoot creation in the mini-lab -- Steady integration of the setup (maybe something like [k3d](https://github.com/k3d-io/k3d) in the mini-lab) - -## Appendix - -[^1]: ![metal-stack-chain](autonomous-control-plane-images/metal-stack-chain.svg) diff --git a/versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP18/autonomous-control-plane-images/ha-initial-cluster.drawio b/versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP18/autonomous-control-plane-images/ha-initial-cluster.drawio deleted file mode 100644 index eafcb514..00000000 --- a/versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP18/autonomous-control-plane-images/ha-initial-cluster.drawio +++ /dev/null @@ -1,535 +0,0 @@ - - - - - - - - - - - - - - - - - - - 1 - - - - - 2 - - - - - 3 - - - - - 4 - - - - - 5 - - - - - 6 - - - - - 7 - - - - - 8 - - - - - 9 - - - - - 10 - - - - - 11 - - - - - 12 - - - - - - - - - - - - - -
-
-
- internet-router-management -
-
-
- - - internet-router-management - - - - - - - - - - - - - -
-
-
- management-switch-and-server -
-
-
- - - management-switch-and-server - - - - - - - - - - - - - -
-
-
- spine01 -
-
-
- - - spine01 - - - - - - - - - - - - - -
-
-
- leaf01 -
-
-
- - - leaf01 - - - - - - - - - - - - - -
-
-
- leaf02 -
-
-
- - - leaf02 - - - - - - - - - - - - - - - - - -
-
-
- - mirocloud (initial cluster partition nodes) - -
-
-
- - - mirocloud (initial cluster... - - - - - - - - - - - - - - - - - -
-
-
- - Initial cluster node 01 - -
-
-
- - - Initial cluster node 01 - - - - - - - - - - - - - - - - - 1 - - - - - 2 - - - - - 3 - - - - - 4 - - - - - 5 - - - - - 6 - - - - - 7 - - - - - 8 - - - - - 9 - - - - - 10 - - - - - 11 - - - - - 12 - - - - - - - - - - - - - -
-
-
- internet-router-management -
-
-
- - - internet-router-management - - - - - - - - - - - - - -
-
-
- management-switch-and-server -
-
-
- - - management-switch-and-server - - - - - - - - - - - - - -
-
-
- spine02 -
-
-
- - - spine02 - - - - - - - - - - - - - -
-
-
- leaf03 -
-
-
- - - leaf03 - - - - - - - - - - - - - -
-
-
- leaf04 -
-
-
- - - leaf04 - - - - - - - - - - - - - - - - - -
-
-
- - Initial cluster node 02 - -
-
-
- - - Initial cluster node 02 - - - - - - - - - - - - - - - - - -
-
-
- - Initial cluster node 03 - -
-
-
- - - Initial cluster node 03 - - - - - - - - - - - - - - - - - -
-
-
- - mirocloud (initial cluster partition nodes) - -
-
-
- - - mirocloud (initial cluster... - - - - - - - - - - Text is not SVG - cannot display - - - - diff --git a/versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP18/autonomous-control-plane-images/ha-initial-cluster.svg b/versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP18/autonomous-control-plane-images/ha-initial-cluster.svg deleted file mode 100644 index 99261ada..00000000 --- a/versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP18/autonomous-control-plane-images/ha-initial-cluster.svg +++ /dev/null @@ -1 +0,0 @@ -123456789101112
internet-router-management
internet-router-management
management-switch-and-server
management-switch-and-server
spine01
spine01
leaf01
leaf01
leaf02
leaf02
mirocloud (initial cluster partition nodes)
mirocloud (initial cluster...
Initial cluster node 01
Initial cluster node 01123456789101112
internet-router-management
internet-router-management
management-switch-and-server
management-switch-and-server
spine02
spine02
leaf03
leaf03
leaf04
leaf04
Initial cluster node 02
Initial cluster node 02
Initial cluster node 03
Initial cluster node 03
mirocloud (initial cluster partition nodes)
mirocloud (initial cluster...Text is not SVG - cannot display \ No newline at end of file diff --git a/versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-autonomous-control-plane-full.drawio b/versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-autonomous-control-plane-full.drawio deleted file mode 100644 index aae8a12d..00000000 --- a/versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-autonomous-control-plane-full.drawio +++ /dev/null @@ -1,1133 +0,0 @@ - - - - - - - - - - - - - - - - - - - -
-
-
- Initial Cluster -
-
-
- - - Initial Cluster - - - - - - - - - - - - - - - - - - -
-
-
- metal-roles -
-
-
- - - metal-roles - - - - - - - - - - - -
-
-
- CI -
-
-
- - - CI - - - - - - - - - - - -
-
-
- K3s Standalone - - - (on Debian) - - -
-
-
- - - K3s Standalone (on Debian) - - - - - - - - - - - - - - - - - - - - - -
-
-
- Initial Partition -
-
-
- - - Initial Partition - - - - - - - - - - - - - - - - - -
-
-
- Target Cluster for metal-stack -
-
-
- - - Target Cluster for metal-stack - - - - - - - - - - - - - - - - - -
-
-
- Metal Control Plane -
-
-
- - - Metal Control Plane - - - - - - - - - - - - - - - -
-
-
- provisions -
-
-
- - - provisions - - - - - - - - - - - - - - - - - -
-
-
- Target Cluster for Gardener -
-
-
- - - Target Cluster for Gardener - - - - - - - - - - - - - - -
-
-
- Gardener Control Plane -
-
-
- - - Gardener Control Plane - - - - - - - - - - - - - - - - - - - - - -
-
-
- Monitoring -
-
-
- - - Monitoring - - - - - - - - - - - - - - - - - - - - -
-
-
- Target Partition -
-
-
- - - Target Partition - - - - - - - - - - - - - - -
-
-
- Gardener Seeds and End-User Shoots -
-
-
- - - Gardener Seeds and End-User Shoots - - - - - - - - - - - - - - - -
-
-
- provisions -
-
-
- - - provisions - - - - - - - - - - - - -
-
-
- metal-roles -
-
-
- - - metal-roles - - - - - - - - - - - -
-
-
- CI -
-
-
- - - CI - - - - - - - - - - - - -
-
-
- metal-roles -
-
-
- - - metal-roles - - - - - - - - - - - - - - -
-
-
- ETCD can be clustered or standalone, backed up by sidecar -
-
-
- - - ETCD can be clustere... - - - - - - - - - - - - - - -
-
-
- This data will get lost in case local PV gets deleted -
-
-
- - - This data will get l... - - - - - - - - - - - - - - -
-
-
- We can work with local PVs here, too. -
- backup-restore-sidecar for metal-stack databases, for big ones Postgres clustered. -
-
-
- - - We can work with local PVs he... - - - - - - - - - - - -
-
-
- ETCD will be deployed in HA configuration on local PVs. -
-
- csi-driver-lvm needs to implement auto deletion of orphaned PVs. -
-
- Seed metrics get lost, but they report to the monitoring in the Metal Control Plane Shoot. -
-
-
- - - ETCD will be deployed in HA c... - - - - - - - - - - - - - - -
-
-
- More sophisticated storage solutions can be in place. -
-
- (Lightbits, NetApp, ...) -
-
-
- - - More sophisticated storage so... - - - - - - - - - - - - - - -
-
-
- TODO: Evaluate how to persist these metrics. -
-
-
- - - TODO: Evaluate how to persist... - - - - - - - - - - - - - - -
-
-
- - 1 VM or -
- -
- - - 3 Bare Metal Machines - - -
-
-
-
- - - 1 VM or... - - - - - - - - - - - - - - - - - - -
-
-
- metal-stack -
-
-
- - - metal-stack - - - - - - - - - - - -
-
-
- metal-api -
-
-
- - - metal-api - - - - - - - - - - - -
-
-
- metal-db -
-
-
- - - metal-db - - - - - - - - - - - -
-
-
- ipam-db -
-
-
- - - ipam-db - - - - - - - - - - - -
-
-
- masterdata-db -
-
-
- - - masterdata-db - - - - - - - - - - - -
-
-
- headscale-db -
-
-
- - - headscale-db - - - - - - - - - - - -
-
-
- auditing-db -
-
-
- - - auditing-db - - - - - - - - - - - -
-
-
- nsqd -
-
-
- - - nsqd - - - - - - - - - - - - - - - -
-
-
- Gardener -
-
-
- - - Gardener - - - - - - - - - - - - - - -
-
-
- Virtual Garden -
-
-
- - - Virtual Garden - - - - - - - - - - - -
-
-
- Gardener Control Plane -
-
-
- - - Gardener Control Plane - - - - - - - - - - - -
-
-
- gardenlet -
-
-
- - - gardenlet - - - - - - - - - - - -
-
-
- Garden etcd -
-
-
- - - Garden etcd - - - - - - - - - - - -
-
-
- Prometheus -
-
-
- - - Prometheus - - - - - - - - - - - - - - - -
-
-
- Monitoring -
-
-
- - - Monitoring - - - - - - - - - - - - - - -
-
-
- - Gitlab - -
- - Runner - -
-
-
-
- - - Gitlab... - - - - - - - - - - - - - - -
-
-
- Services -
-
-
- - - Services - - - - - - - - - - - -
-
-
- PowerDNS -
-
-
- - - PowerDNS - - - - - - - - - - - -
-
-
- boulder -
-
-
- - - boulder - - - - - - - - - - - -
-
-
- NTP -
-
-
- - - NTP - - - - - - - - - - - -
-
-
- OIDC -
-
-
- - - OIDC - - - - - - - - - - - -
-
-
- ... -
-
-
- - - ... - - - - - - - - - - Text is not SVG - cannot display - - - - diff --git a/versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-autonomous-control-plane-full.svg b/versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-autonomous-control-plane-full.svg deleted file mode 100644 index e58e783b..00000000 --- a/versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-autonomous-control-plane-full.svg +++ /dev/null @@ -1 +0,0 @@ -
Initial Cluster
Initial Cluster
metal-roles
metal-roles
CI
CI
K3s Standalone(on Debian)
K3s Standalone (on Debian)
Initial Partition
Initial Partition
Target Cluster for metal-stack
Target Cluster for metal-stack
Metal Control Plane
Metal Control Plane
provisions
provisions
Target Cluster for Gardener
Target Cluster for Gardener
Gardener Control Plane
Gardener Control Plane
Monitoring
Monitoring
Target Partition
Target Partition
Gardener Seeds and End-User Shoots
Gardener Seeds and End-User Shoots
provisions
provisions
metal-roles
metal-roles
CI
CI
metal-roles
metal-roles
ETCD can be clustered or standalone, backed up by sidecar
ETCD can be clustere...
This data will get lost in case local PV gets deleted
This data will get l...
We can work with local PVs here, too.
backup-restore-sidecar for metal-stack databases, for big ones Postgres clustered.
We can work with local PVs he...
ETCD will be deployed in HA configuration on local PVs.

csi-driver-lvm needs to implement auto deletion of orphaned PVs.

Seed metrics get lost, but they report to the monitoring in the Metal Control Plane Shoot.
ETCD will be deployed in HA c...
More sophisticated storage solutions can be in place.

(Lightbits, NetApp, ...)
More sophisticated storage so...
TODO: Evaluate how to persist these metrics.
TODO: Evaluate how to persist...
1 VM or
3 Bare Metal Machines
1 VM or...
metal-stack
metal-stack
metal-api
metal-api
metal-db
metal-db
ipam-db
ipam-db
masterdata-db
masterdata-db
headscale-db
headscale-db
auditing-db
auditing-db
nsqd
nsqd
Gardener
Gardener
Virtual Garden
Virtual Garden
Gardener Control Plane
Gardener Control Plane
gardenlet
gardenlet
Garden etcd
Garden etcd
Prometheus
Prometheus
Monitoring
Monitoring
Gitlab
Runner
Gitlab...
Services
Services
PowerDNS
PowerDNS
boulder
boulder
NTP
NTP
OIDC
OIDC
...
...Text is not SVG - cannot display \ No newline at end of file diff --git a/versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-chain.drawio b/versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-chain.drawio deleted file mode 100644 index cd5cf007..00000000 --- a/versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-chain.drawio +++ /dev/null @@ -1,404 +0,0 @@ - - - - - - - - - - -
-
-
- Partition 1 -
-
-
- - - Partition 1 - - - - - - - -
-
-
- seeds -
-
-
- - - seeds - - - - - - - -
-
-
- shoots -
-
-
- - - shoots - - - - - - - - - -
-
-
- Partition 2 -
-
-
- - - Partition 2 - - - - - - - -
-
-
- seeds -
-
-
- - - seeds - - - - - - - -
-
-
- shoots -
-
-
- - - shoots - - - - - - - - - -
-
-
- Partition 3 -
-
-
- - - Partition 3 - - - - - - - -
-
-
- seeds -
-
-
- - - seeds - - - - - - - -
-
-
- shoots -
-
-
- - - shoots - - - - - - - - - -
-
-
- Production Control Plane -
-
-
- - - Production Control Plane - - - - - - - -
-
-
- metal-stack -
- kubernetes cluster -
-
-
- - - metal-stack... - - - - - - - -
-
-
- gardener -
- kubernetes cluster -
-
-
- - - gardener... - - - - - - - -
-
-
- - Manages - -
-
-
- - - Manages - - - - - - - - - - - -
-
-
- Control Plane Partition -
-
-
- - - Control Plane Partition - - - - - - - - -
-
-
- backup of stateful sets -
-
-
- - - backup of stateful sets - - - - - - - - - -
-
-
- bare metal machine -
-
-
- - - bare metal machine - - - - - - - -
-
-
- metal-stack -
- and -
- gardener -
- kubernetes cluster -
- running in kind -
-
-
- - - metal-stack... - - - - - - - -
-
-
- - Manages - -
-
-
- - - Manages - - - - - - - - -
-
-
- S3 -
-
-
- - - S3 - - - - - - - -
-
-
- Needle -
-
-
- - - Needle - - - - - - -
-
-
- - Nail - -
-
-
- - - Nail - - - - - - - - - Text is not SVG - cannot display - - - - \ No newline at end of file diff --git a/versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-chain.svg b/versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-chain.svg deleted file mode 100644 index 8f88ba14..00000000 --- a/versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP18/autonomous-control-plane-images/metal-stack-chain.svg +++ /dev/null @@ -1 +0,0 @@ -
Partition 1
Partition 1
seeds
seeds
shoots
shoots
Partition 2
Partition 2
seeds
seeds
shoots
shoots
Partition 3
Partition 3
seeds
seeds
shoots
shoots
Production Control Plane
Production Control Plane
metal-stack
kubernetes cluster
metal-stack...
gardener
kubernetes cluster
gardener...
Manages
Manages
Control Plane Partition
Control Plane Partition
backup of stateful sets
backup of stateful sets
bare metal machine
bare metal machine
metal-stack
and
gardener
kubernetes cluster
running in kind
metal-stack...
Manages
Manages
S3
S3
Needle
Needle 
Nail
NailText is not SVG - cannot display \ No newline at end of file diff --git a/versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP18/autonomous-control-plane-images/small-initial-cluster.drawio b/versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP18/autonomous-control-plane-images/small-initial-cluster.drawio deleted file mode 100644 index a75ee340..00000000 --- a/versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP18/autonomous-control-plane-images/small-initial-cluster.drawio +++ /dev/null @@ -1,234 +0,0 @@ - - - - - - - - - - - - - - - - - - - 1 - - - - - 2 - - - - - 3 - - - - - 4 - - - - - 5 - - - - - 6 - - - - - 7 - - - - - 8 - - - - - 9 - - - - - 10 - - - - - 11 - - - - - 12 - - - - - - - - - - - - - -
-
-
- internet-router-management -
-
-
- - - internet-router-management - - - - - - - - - - - - - -
-
-
- management-switch-and-server -
-
-
- - - management-switch-and-server - - - - - - - - - - - - - -
-
-
- leaf01 -
-
-
- - - leaf01 - - - - - - - - - - - - - -
-
-
- leaf02 -
-
-
- - - leaf02 - - - - - - - - - - - - - - - - - -
-
-
- Initial cluster node -
-
-
- - - Initial cluster node - - - - - - - - - - - - - - - - - -
-
-
- mirocloud (initial cluster partition nodes) -
-
-
- - - mirocloud (initial cluster... - - - - - - - - - - Text is not SVG - cannot display - - - - diff --git a/versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP18/autonomous-control-plane-images/small-initial-cluster.svg b/versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP18/autonomous-control-plane-images/small-initial-cluster.svg deleted file mode 100644 index a9d29f05..00000000 --- a/versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP18/autonomous-control-plane-images/small-initial-cluster.svg +++ /dev/null @@ -1 +0,0 @@ -123456789101112
internet-router-management
internet-router-management
management-switch-and-server
management-switch-and-server
leaf01
leaf01
leaf02
leaf02
Initial cluster node
Initial cluster node
mirocloud (initial cluster partition nodes)
mirocloud (initial cluster...Text is not SVG - cannot display \ No newline at end of file diff --git a/versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP2/README.md b/versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP2/README.md deleted file mode 100644 index c7f2360a..00000000 --- a/versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP2/README.md +++ /dev/null @@ -1,7 +0,0 @@ ---- -slug: /MEP-2-two-factor-authentication -title: MEP-2 -sidebar_position: 2 ---- - -# Two Factor Authentication diff --git a/versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP3/README.md b/versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP3/README.md deleted file mode 100644 index 5ce36721..00000000 --- a/versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP3/README.md +++ /dev/null @@ -1,67 +0,0 @@ ---- -slug: /MEP-3-machine-re-installation -title: MEP-3 -sidebar_position: 3 ---- - -# Machine Re-Installation - -In the current metal-api only machine installations are possible, performing a machine upgrade is only possible by creating a new machine and delete the old one. -This has the drawback that in case a lot of data is stored on the local disks, a full restore of the original data must be performed. - -To prevent this, we will introduce a new metal-api endpoint to reinstall the machine with a new image, _without_ actually deleting the data stored on the additional hard disks. - -Storage is a difficult task to get right and reliable. A short analysis of our different storage requirements lead to 3 different scenarios. - -- Storage for the etcd pvs in the seed cluster of every partition. - This is the most important storage in our setup because these etcd pods serve as configuration backend for all customer kubernetes clusters. If they fail, the cluster is down. However gardener deploys a backup and restore sidecar into the etcd pod of every customer kubernetes control plane, and if this sidecar detects a corrupt or missing etcd database file(s) it starts automatic restore from the configured backup location. This will take some minutes. If for example a node dies, and gardener creates a new node instead, the csi-lvm created pv is not present on that node. Kubernetes will not schedule the missing etcd pod on this node because it has a local PV configured and is therefore tainted to run only on that node. To let kubernetes create that pod anyhow, someone has to either remove the taint, or delete the pod. If this is done, the pod starts and the restore of the etcd data can start as well. You can see this is a bit too complicated and will take the customer cluster down for a while (not measured yet but in the range of 5-10 minutes). -- Storage in customer clusters. - This was not promised in 2020. We have a intermediate solution with the provisioning of csi-lvm by default into all customer clusters. Albeit this is only local storage and will get deleted if a node dies. -- S3 Storage. - We have two possibilities to cope with storage: - - In place update of the OS with a daemonset - This will be fast and simple, but might fail because the packages being installed are broken right now, or a filesystem gets full, or any other failure you can think of during a os update. Another drawback is that metal-api does not reflect the updated os image. - - metal-api get a machine reinstall endpoint - With this approach we leverage from existing and already proven mechanisms. Reinstall must keep all data except the sata-dom. Gardener currently is not able to do an update with this approach because it can only do `rolling` updates. Therefore a additional `osupdatestrategy` has to be implemented for metal and other providers in gardener to be able to leverage the metal reinstall on the same machineID approach. - -If reinstall is implemented, we should focus on the same technology for all scenarios and put ceph via rook.io into the kubernetes clusters as additional StorageClass. It has to be checked whether to use the raw disk or a PV as the underlay block device where ceph stores its data. - -## API and behavior - -The API will get an new endpoint "reinstall" this endpoint takes two arguments: - -- machineID -- image - -No other aspects of the machine can be modified during the re-installation. All data stored in the existing allocation will be preserved, only the image will be modified. -Once this endpoint was called, the machine will get a `reboot` signal with the boot order set to PXE instead of HDD and the network interfaces on the leaf are set to PXE as well. Then the normal installation process starts: - -- unchanged: PXE boot with metal-hammer -- changed: metal-hammer first checks with the machineID in the metal-api (through metal-core) if there is already a allocation present -- changed: if a allocation is present and the allocation has set `reinstall: true`, wipe disk is only executed for the root disk, all other disks are untouched. -- unchanged: the specified image is downloaded and burned, `/install.sh` is executed -- unchanged: successful installation is reported back, network is set the the vrf, boot order is set to HDD. -- unchanged: distribution kernel is booted via kexec - -We can see that the `allocation` requires one additional parameter: `reinstall` and metal-hammer must check for already existing allocation at an earlier stage. - -Components which requires modifications (first guess): - -- metal-hammer: - - check for allocation present earlier - - evaluation of `reinstall` flag set - - wipe of disks depends on that flag - - Bonus: move configuration of disk layout and primary disk detection algorithm (PDDA) from metal-hammer into metal-api. - metal-api **MUST** reject reinstallation if the disk found by PDDA does not have the `/etc/metal` directory! -- metal-core: - - probably nothing -- metal-api: - - new endpoint `/machine/reinstall` - - add `Reinstall bool` to data model of `allocation` - - make sure to reset `Reinstall` after reinstallation to prevent endless reinstallation loop -- metalctl: - - implement `reinstall` -- metal-go: - - implement `reinstall` -- gardener (longterm): - - add the `OSUpgradeStrategy` `reinstall` diff --git a/versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP4/README.md b/versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP4/README.md deleted file mode 100644 index 389a02d4..00000000 --- a/versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP4/README.md +++ /dev/null @@ -1,211 +0,0 @@ ---- -slug: /MEP-4-multi-tenancy-for-the-metal-api -title: MEP-4 -sidebar_position: 4 ---- - -# Multi-Tenancy for the metal-api -:::info -This document is work in progress. -::: - -In the past we decided to treat the metal-api as a "low-level API", i.e. the API does not specifically deal with projects and tenants. A user with editor access can for example assign machines to every project he desires, he can see all the machines available and can control them. We tried to keep the metal-api code base as small as possible and we added resource scoping to a "higher-level APIs". From there, a user would be able to only see his own clusters and IP addresses. - -As time passed metal-stack has become an open-source project and people are willing to adopt. Adopters who want to put their own technologies on top of the metal-stack infrastructure don't have those "higher-level APIs" that we implemented closed-source for our user base. So, external adopters most likely need to implement resource scoping on their own. - -Introducing multi-tenancy to the metal-api is a serious chance of making our product better and more successful as it opens the door for: - -- Becoming a "fully-featured" API -- Narrowing down attack surfaces and possibility of unintended resource modification produced by bugs or human errors -- Discouraging people to implement their own scoping layers in front of the metal-stack -- Gaining performance through resource scopes -- Letting untrusted / third-parties work with the API - -## Requirements - -These are some general requirements / higher objectives that MEP-4 has to fulfill. - -- Should be able to run with mini-lab without requiring to setup complex auth backends (dex, LDAP, keycloak, ...) - - Simple to start with, more complex options for production setups -- Fine-grained access permissions (every endpoint maps to a permission) -- Tenant scoping (disallow resource access to resources of other tenants) -- Project scoping (disallow resource access to resources of other projects) -- Access tokens in self-service for technical user access - -## Implementation - -We gathered a lot of knowledge while implementing a multi-tenancy-capable backend for metalstack.cloud. The goal is now to use the same technology and adopt that to the metal-api, this includes: - -- gRPC in combination with connectrpc -- OPA for making auth decisions -- REST HTTP only for OIDC login flows - -### API Definitions - -The API definitions should be located on a separate Github repository separate from the server implementation. The proposed repository location is: https://github.com/metal-stack/api. - -This repository contains the `proto3` specification of the exposed metal-stack api. This includes the messages, simple validations, services and the access permission to these services. The input parameters for the authorization in the backend are generated from the `proto3` annotations. - -Client implementations for the most relevant languages (go, python) are generated automatically. - -This api is divided into end-user and admin access at the top level. The proposed APIs are: - -- `metalstack.api.v2`: For end-user facing services -- `metalstack.admin.v2`: For operators and controllers which need access to unscoped entities - -The methods of the API can have different role scopes (and can be narrowed down further with fine-grained method permissions): - -- `tenant`: Tenant-scoped methods, e.g. project creation (tenant needs to be provided in the request payload) - - Available roles: VIEWER, EDITOR, OWNER -- `project`: Project-scoped methods, e.g. machine creation (tenant needs to be provided in the request payload) - - Available roles: VIEWER, EDITOR, OWNER -- `admin` Admin-scoped methods, e.g. unscoped tenant list or switch register - - Available roles: VIEWER, EDITOR - -And has methods with different visibility scopes: - -- `self`: Methods that only the logged in user can access, e.g. show permissions with the presented token -- `public`: Methods that do not require any specific authorization - -### API - -The API server implements the services defined in the API and validates access to a method using OPA with the JWT tokens passed in the requests. The server is implemented using the connectrpc.com framework. - -The API server implements the login flow through OIDC. After successful authentication, the API server derives user permissions from the OIDC provider and issues a new JWT token which is passed on to the user. The tokens including the permissions are stored in a redis compatible backend. - -With these tokens, users can create Access Tokens for CI/CD or other use cases. - -JWT Tokens can be revoked by admins and the user itself. - -### API Server - -Is put into a new github repo which implements the services defined in the `api` repository. It opens a `https` endpoints where the grpc (via connectrpc.com) and oidc services are exposed. - -### Migration of the Consumers - -To allow consumers to migrate to the `v2` API gradually, both apis, the new and the old, are deployed in parallel. In the control-plane both apis are deployed side-by-side behind the ingress. `api.example.com` is forwarded to `metal-api` and `metal.example.com` is forwarded to the new `metal-apiserver`. - -The api-server will talk to the existing metal-api during the process of migration services away to the new grpc api. - -The migration process can be done in the following manner: - -for each resource in the metal-api: - -- create a new proto3 based definition in the `api` repo. -- implement the business logic per service in the new `metal-apiserver` without calling the metal-api. -- clients must be able to talk to `v1` and `v2` backend in parallel -- Deprecate the already migrated service in the swagger route to notify the client that this route should not be used anymore. -- identify all consumers of this resource and replace them to use the grpc instead of the rest api -- move the business logic incl. the backend calls to ipam, metal-db, masterdata-api, nsq for this resource from the metal-api to the `metal-apiserver` - -We will migrate the rethinkdb backend implementation to a generic approach during this effort. - -- Try to enhance the generic rethinkdb interface with `project` scoped methods. - -There are a lot of consumers of metal-api, which need to be migrated: - -- ansible -- firewall-controller -- firewall-controller-manager -- gardener-extension-auth -- gardener-extension-provider-metal - - Do not point the secret bindings to a the shared provider secret in the seed anymore. Instead, use individual provider-secret containing project-scoped API access tokens in the Gardener project namespaces. -- machine-controller-manager-provider-metal -- metal-ccm -- metal-console -- metal-bmc -- metal-core -- metal-hammer -- metal-image-cache-sync -- metal-images -- metal-metrics-exporter -- metal-networker -- metalctl -- pixie - -## User Scenarios - -This section gathers a collection of workflows from the perspective of a user that we want to provide with the implementation of this proposal. - -### Machine Creation - -A regular user wants to create a machine resource. - -Requirements: Project was created, permissions are present - -- The user can see networks that were provided by the admin. - - ``` - $ metalctl network ls - ID NAME PROJECT PARTITION NAT SHARED PREFIXES IPS - internet Internet Network true false 212.34.83.0/27  ● - tenant-super-network-fra-equ01 Project Super Network fra-equ01 false false 10.128.0.0/14  ● - underlay-fra-equ01 Underlay Network fra-equ01 false false 10.0.0.0/16  ● - ``` - -- The user has to set the project scope first or provide `--project` flags for all commands. - ``` - $ metalctl project set 793bb6cd-8b46-479d-9209-0fedca428fe1 - You are now acting on project 793bb6cd-8b46-479d-9209-0fedca428fe1. - ``` -- The user can create the child network required for machine allocation. - ``` - $ metalctl network allocate --partition fra-equ01 --name test - ``` -- Now, the user sees his own child network. - ``` - $ metalctl network ls - ID NAME PROJECT PARTITION NAT SHARED PREFIXES IPS - internet Internet Network true false 212.34.83.0/27  ● - tenant-super-network-fra-equ01 Project Super Network fra-equ01 false false 10.128.0.0/14  ● - └─╴08b9114b-ec47-4697-b402-a11421788dc6 test 793bb6cd-8b46-479d-9209-0fedca428fe1 fra-equ01 false false 10.128.64.0/22  ● - underlay-fra-equ01 Underlay Network fra-equ01 false false 10.0.0.0/16  ● - ``` -- The user does not see any machines yet. - ``` - $ metalctl machine ls - ``` -- The user can create a machine. - ``` - $ metalctl machine create --networks internet,08b9114b-ec47-4697-b402-a11421788dc6 --name test --hostname test --image ubuntu-20.04 --partition fra-equ01 --size c1-xlarge-x86` - ``` -- The machine will now be provisioned. - ``` - $ metalctl machine ls - ID LAST EVENT WHEN AGE HOSTNAME PROJECT SIZE IMAGE PARTITION - 00000000-0000-0000-0000-ac1f6b7befb2 Phoned Home 20s 50d 4h test 793bb6cd-8b46-479d-9209-0fedca428fe1 c1-xlarge-x86 Ubuntu 20.04 20210415 fra-equ01 - ``` - -:::warning -A user **cannot** list all allocated machines for all projects. The user **must** always switch project context first and can only view the machines inside this project. Only admins can see all machines at once. -::: -### Scopes for Resources - -The admins / operators of the metal-stack should be able to provide _global_ resources that users are able to use along with their own resources. In particular, users can view and use _global_ resources, but they are not allowed to create, modify or delete them. - -:::info -When a project ID field is empty on a resource, the resource is considered _global_. -::: - -Where possible, users should be capable of creating their own resource entities. - -| Resource | User | Global | -| :----------------- | :--- | :----- | -| File System Layout | yes | yes | -| Firewall | yes | | -| Firmware | | yes | -| OS Image | | yes | -| Machine | yes | | -| Network (Base) | | yes | -| Network (Children) | yes | | -| IP | yes | | -| Partition | | yes | -| Project | yes | | -| Project Token | yes | | -| Size | | yes | -| Switch | | | -| Tenant | | yes | - -:::info -Example: A user can make use of the file system layouts provided by the admins, but can also create own layouts. Same applies for images. As soon as a user creates own resources, the user takes over the responsibility for the machine provisioning to succeed. -::: diff --git a/versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP5/README.md b/versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP5/README.md deleted file mode 100644 index 3b7fc45c..00000000 --- a/versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP5/README.md +++ /dev/null @@ -1,54 +0,0 @@ ---- -slug: /MEP-5-shared-networks -title: MEP-5 -sidebar_position: 5 ---- - -# Shared Networks - -## Why are shared networks needed - -For special purpose machines that serve shared services with performance critical workloads to all machines of a partition (like persistent storage) it would be good to have kind of a "shared network" that is easily accessible. -They do not necessarily need another firewall. This would avoid having two firewalls in the datapath between a machine in a private network and the machines of a shared service. - -## Constraints that need to hold - -- a shared network is usable from all machines that have a firewall in front, that uses it -- a shared network is only usable within a single partition (currently we are constrained in bandwidth and have no routing of 10.0.0.0/8 addresses btw. partitions and failure domain should be the partition but this constraint might get lifted in the future) -- networks may be marked as shared after network allocation (but there should be no way back from shared to unshared) -- neither machines nor firewalls may have multiple private, unshared networks configured -- machines must have a single primary network configured - - this might be a shared network - - OR a plain, unshared private network -- firewalls may participate in multiple shared networks -- machines can be allocated with a primary network using auto IP allocation or with `noauto` and a specific IP - -## Should shared networks be private - -**Alternative 1:** If we implemented shared networks by extending functions around plain, private networks we would not have to manage another CIDR (mini point) and it would be possible to create a k8s cluster with a private network, mark the network as `shared` and produce shared services from this k8s cluster. - -**Alternative 2:** If shared networks are implemented as first class networks we could customize the VRF and also accomplish an other goal of our roadmap: being able to create machines directly in an external network. - -Together with @majst01 and @Gerrit91 we decided to continue to implement **Alternative 1**. - -## Firewalls accessing a shared network - -Firewalls that access shared networks need to: - -- hide the private network behind an ip address of the shared network if the shared network was configured with `nat=true`. -- import the prefixes of the shared VRF to the private VRF and import the prefixes of the private VRF to the shared VRF so that the communication between the two is working in both directions. As long as no `nat=true` was set on the shared VRF, the original machine ips are visible in both communication directions. - -## Setup with shared networks and single consumer - -![Simple Setup](./shared.png) - -## Setup with single shared network and multiple consumers - -![Advanced Setup](./shared_advanced.png) - -## Getting internet access - -Machines contained in a shared network can access the internet with different scenarios: - -- if they have an own firewall: this is internet accessibility, as common (check whether all traffic gets routed through it!) -- if they don't have an own firewall, an external HTTP proxy is needed that has an endpoint exposed as Service Type NodePort diff --git a/versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP5/shared.drawio b/versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP5/shared.drawio deleted file mode 100644 index aa7af045..00000000 --- a/versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP5/shared.drawio +++ /dev/null @@ -1,121 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - \ No newline at end of file diff --git a/versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP5/shared.png b/versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP5/shared.png deleted file mode 100644 index b0b47f0324545ec159effc46f153a9b5b0c2450b..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 49790 zcmeEu1zc6x+V`OZ4ygiyBB6sIB@GAZ6lv*}?mBcygGj5CbV#RkNJt7wsURqVG@^t^ zNqy@e$3dOB@7#OmeZTwuzHi1k?!DGtYp?Y@&-y>PCqzL`5)XP73V}fIq^^nGfIv`T z5D1Di)(OzUv5?FQfpGOYimN+XyPB9=8AE8;MZaCqu(6ogIylm>i_x&L8M5)P>vM9j zF&T34a58b|bD1!~40#NgIC%_MdDyu)OpNr|!DC>IwXKo4iMg@Sw{dJNY%ENy;15ih zm6e8Fn4JauaB?!kSU5GmJ+E(SY;*JyPG%M`0i8PHNfB@*V{YT*3jTKG;nL&cxD2j@ z?d+_K)r<|K%^hjjBskf*nc2AzL!_@M%gWHOiGph@b4z3Jm!z?wr7dEJsI3vWmtbY) zWMO7S+?&B|tr0Ce?94389IPzt%&dnC7q>DtbcEa5fG!v_+u^fH`X>5t^J8y9Y|z+I z-}Kw&EG1oGcEYTR4h9aQcGpc+&3UZA3J}jY8^ayU!BmH|V`XRNV&+72u!{rg8ky^x z!u74eQ|3oRQqgl$V!Cc`p>Ja#%%2GIu|kp7m&)sgt>pvBS~2 zzm0UXwY73IxBIct(ALHVkn4vB_2F<^mmeQ9v9&tdbe6C%xa-5C1N%|9AipgF{Ksw{kk#o2H!62!jWB>;T*#`;e2^+Bt%wtpELeV8!3& z`|%y1`Ph5^9TpquJD44c1A^aw&exwLL0niuLL3H0AciaGJ31P}5%>cb%Yu*(#FCFm z2iM_0p#5)<4p!LzJ@Gg~w`1a=WCkSN2<%$*h6MNpZ2fn5@e`5%XO0^y+m8fgN8TSh zZ>&hf{<{wx(5DE39i!+k6g0Lm5=LM>5HA~B0BAn|6o5y#n>y%XVP@k5U5ED?hmv@7 zBZfc~1k@dNi6KA*ardW^=%^1jH3p{@VTT;?+t}y_HS#NP9itRdcN`}avJGx*rSE9& zd<4)(xcEnKb@T=WTk}ICL82y-F+T$%ata4qC%B>U(I`OH@7m?(iIDJlG!Z-U9y!rB z8vHWRA$oqt>%&DJHvI!Y<^KEl%l%LB*VxtE@ta&64g+@xsW_AaaQ(YbAa0N{@dFh8 zF|hrq*nFe?H?cX=BLBIP#D>(B|E?sladIfX%jXp@ZLJI!hFIPOj$Q3IKGYkf7 zY=qpigC7K}95Z`>?SW9i$84J)b=?uP97o`zCVeY&Q-p3a1OQ?T3?UJOC1VbZNa3Rn zYjYzbgmv|Y#?+7I)(;YfP?ASBF@V>907-w{bb=ik{%kBrz9JcL44^pvz;r?a3zAR& zis=OVQ;q|BOC#s(&TkH~W(1sW;yNMSxkNThx{u9T4w_-_&N2xpF&FTeW>KLOB>K=4ocUH>DL zWJjU}62AW@Dfz4Cr2sc~)^|iiSH9WSM<&}bO#ja(DJPPI|A3_bZMHS*ukOk(YVofc z*Z-95_3bTx5Cb@FBq2fQxRu0uBnAH=2KUe0<3Mr~i5Y*@;O0aE5K;_~_sEIhAoLFbhBt5uf;H z;PMcS4}%&=EItOZh(OryVU5E(1YN#Iz7&k%<{;3H@L>OO0PMJuKC&QwfZiiG{twa7 z?8uZ1QV5XYVWevPt2+7@>lb;hkrVxWIvOdb$8_}f@bR~k4I&x96#9P`ciH}eD*`)G zS%3G@Mxx3w?tG8(%NaYm*upJ=Pa=g(|NNd1LPnr~ijX)uILDlo|0)0l+~V&^wBu1I z(EdFS@OOry{ssVM{V9gQ#&x8!jsY+$$B_m-&ZfV^_eMl8z@Ou(gWo;I?|k|>X?LVI z5iCMR_y0K_eGgsy%p;_W{vXC8P8POr)d1gvg8#Ez`qi)hMNb+!!JWTnAdfkuhF1Cx z4(5me(y^%RpNj2&h(7vm`Xlub*OA4DR3rbgKKgm0KhZ}ZSEi3hrX$~Hhe#qhAjtN| zStWL)!aQ0q$B{z)J!AfD#^2LD|6B$LdCZQ%sf{gIpPaDruMqlci_+n9EaoO)h>boX zFXspcB@UpF0+i0MfU=8k=~o*hF#i_^p2ZRI?n4y#rehHh@(&T{po^J;r%Z~pj$!jD53Q>-%<->=M?veSt??&-a-~nk>|85W?Vh~7s_)jt9 zxarGwq|5$8a0O9abExl*jwu_@Q3?#nu)m5c9Ech=gw+4pM1O)SKx2Y3Fl0^5?`ZH3 zlD|k29y|KT1MXm_e|Ubs*CiqAU<|)i8zJgr;HCz206f7TM5W!atILQ+M81p#k)UBR z(YH3Y0=q$s0rTry+Z}eYvm+`|%#5v^jS=a(UwVF=M_7eSM-YSPK1wnor$6jA2lZNr zqD4eM%dw>$b~?iKZ5&L%qL9-gO1_TX4@^~~AK!j_xPiW*rRiY^o#`i{vmv4$M`Zu$ z`ghVBnLF570ZntbEOQ&H!&);WRjh0gQ2lMchy@|J3$6}pr_8PGY~haJCC6=Mgr@ig z-$2&B2?(<2>AytjA5%>KGs)aPg^|A=Ut&i>Ch{=;kp+$PaF4?^f;|YLAW#3l1lPYN z(Z5Z4OdlSD>m#E6fYpC!qJc5T;Q2UQBVhSYsrH`&v_G+go#k%=+FvI68-ezZqEX+D z(*FnAZ<^x&1MOinAHc?;R+{~*?*dd9U1gOPW1OdJyMX53DfuJLJpFAPGUF649$or#D*Vx4+Bxm&@5Gsh2n6R>| z?#E@VC#>2~0 zepGZb-i=Rf-fG+2O`M*MeQcV78EE8eI-6MQGR{BuEQvJg0`xX&_6;h_p~7Kiy~d;g zW&gV^=nPSumP3niSM+*+yL%foLud=yhShZEB_W0w3b)e4r#IEMV}(6~I$FfHPl|e3 z_qbFS`AP9dstO6vQSk4vx!$9viZUDwQE|K&WjHw!lRlz_;!EzqK)-n!BdNqkC}M4n zYSf)7>a_J>cerdWXuzgb37TGoVok@pVk3Uw#%9iHLR6hgcf0Y#QF0ilqNcuFzTJqA zH7%A}1vg#04CZfy#heU5MTK3`MFT%6+GG#LhzYyO>a*aYip>jPE*>vvMhWN}$SHa| z;)$5tR?b)~!>3cEH(NGQq1@y-Aw!zkK*sAz%QKUmk(9ID>h;b{5$CT4`S?H*RioYw zb%dWQ^VqbJN#uH-y_lgXMMawr?OspG0xPC{UKRFAiD-qV%WZ8I&t|+a90l#f&5=jO z(GTWsi^%2OcxX4#i~`ns-KO>$k=<>uQ2c0(vnMgg^Mxve^h=r2XzM+!Z@F?YX}_x3amZc5|RW?Ft6=^5ad4DytDc@lcZYo8#VUQBQ&&Z?LG| z6SnM37Y%07e}c~E^;KC%QbDu9wakykPrlJ}d*ah4Jdvk0_EXB|E=ooy+hiZ?EqklJ z*_sT!!eaHBE#G|FJ1M)|w4>G>#jvwo_!kkgW5iF;#>UROV0eQ6qvwucZ>CUEMrLM znJW@+E)aEvaGB3^Tv7%S8gP$Z^s_5Q1~J_E<7?mhmz4~j#j{>Z;weM*Wz=|-rc$7K zed}$lLjh?F(d8TH^5{i$i^C;q!)0$Dd#Gt#yL(CY&K+Wg3#x_cP+oPcGmdDhF6g&y z8@DAi6bdU>XX5k>0P(LSauvx&i9#%2m!?1ZD3iiR#-LV=i-K4z_6f=e|JeLfG}m)k zAKBrOzX>B_7ZJkWxz=nj@Se6#HC;%~@iN0EXC{z8lOz?gdpQh*MNzH6o{x;45>0!4 z8IY`TTQk9eq~n;c%|547$_{%FTxQrg8BBRgC2oP-ancwJhkRV`Q9LuHsr(@E;e7&Wy(DM;4D0M7H&^>S*jlNcW}eMG5gRq~Z5 zF$Y|5pIA*`Hx*jMLyIKy7cJ->$dn|WV37-^QmV92d6}z-Mk}9!UUKm! zOU;PpIf*W}t(EjUsrolLsIOnC62V7HBJ-4SA?$o2v@rWTacXOID!*yD=|JE{j$F~r z@G^d4dSwNa7q}cG(h-(kkSy*DpJISLg&2y>o=|X{ctq&WUpIRn{ka(R)V+%ZB1EM+ z0BGM--hGhaQ%?tI%FIq2atk^wCc;tMW(d%6^>tpHZ=yO%brAXKzEGW@OHqbr$Yw54 zWPn+NWh!uAWP%;Dt~%oUJs2!T3Xd1?of})ZZ(uVv3*(Gta(A{#2|xYHLu2DTpj56_ zbun*Lr0LMg!Q096;4ofu8rB?wPlelz)jhnSVrN;$53SB{@Zgtsi?BM`6;cR?C({Dm zG8IzJY{*rQ8Xc6xWj)%EiPu-Ek1C@Tnv(ox=xcOQC;1JT3bK)+S@igoN3mCQ>Xd2T zaeO$X$baE#V}J4KuCnS3xF9=FDu%NoF=cM~s9eJMN|*Zm?lEa`IgwJX39-teDN(Gv z?-Sj2-Aay&i@W}~S@dA5c@D+(*;pF~j*Q*Y-x7DpiUj$n)%$v%%S<<@2?_ahFSf~y zJyUFVK7mi3i$75Q4B8uzDEok;#UGR4<cxl$?vE#yEo`8e4`w;xnOFoYctJ~{O8dR+kgCQqQoS^TC zPFdZJ6x>&k5*|52fnH-Z!WNTu-#eC3BV(zxf&{z|-(KE?YmSqTa6nVgTB8&dR+amk zlbA0R20Gk`<~HiAQuC!Q>bK;4t_lxjC(sh?(nayvolo0gF*zEpqR4YguYY)@5|Nvy zl#`Dh=Xuk6bIgVQ{Us%~LiMr>JUOT32`){uIB+}2u-0?4$FfUZ687;iN+519?umuo zQ7zFeVsmF-rO_9=!aH3mD>5W6xR_7Ax6XP>pNC@w4t+K6 zxk1!bCQg%g5vcX9vxFGW@`Y-mTEF1H;L|=Su6JP>@rh5dU>H!MW}ug1B--x~D-BU- za>iTu+70H&Q(|zUV;K%Oa4$rO_TVv{uM6~FI2A8?r#73h+^;Wz9n;Z;6@`}CZ{fVz zUI^ASi!?9F9r5MR6q=+xS}Im-+A-}4mNMIPV(G2{_7p9Da?S7uoR%l*2Gq?y>APcV zwtX=OAh+DBFcyYRzs|V(@+5-nc(+kaRH(GO^hKV@3vB;J3ZMU)Zrp|iLyumY>%$bq zKW#VoH8T#V+aRAadvouF<>Huih`RbO7%}P30+nGu-%tH4RZtHl;$((Z*|hp>bR94h z2D4>D5qR->Zzw}NlrTyZ=M6SKW7yR$igPY~W_ULFz>`SXlMbC~E)is9VeL_=)J1uT>^9YOob(^n@!( zO3P%3h4kks(asbPQU@zsvpn4rWG^Z+|1_TR-40Mm3fSTcjhTTTTL}a!ES{e1vR?`o z)7-=b)RQLj+BNh?vYhykfLwHy$xlLwvr9Vq+nuf__c714U z1TflshtAYF=c^QuBqb-_Ov9uo7jU5;fC`@>nsOwaGc6kj;oX>kbZh!ynA zr}w6bW^yj}Q~;JwLx+0X-6;)9F|wjH0LAwEF>*f*MK+9%Nm0NBm58_kToy{}@foxjU$G2x4 zh#&c4+~-T+NWIp%QJYRT;fRrR0@hJ(^s&fq^~?LNcZtEcw>CyhEebr9rF)ZLuSmAL zE@6dR?V!S#kzGmlWz=0AL!Mae6?CgPFd`} zr8o*ELOnsEA7U#uw?KK&;jU*{l+Lb92+Sr-E;Lq5uPn=iG^58q>ud8=l-Yk8kXYCw z7E5#eKIFyK(%vGi>X$8^&&=DkH40x;+v>%vJ=M&1OnGL-==OP95%VkS$+;K?wNj@= zRj2D^GkdO|?UH$&UZUIzIZdl-y%J!MZ88z^jL$m3&;WWHSc>_KbE}i>N~)CEmaZEg zHEuuq$hQz5OFo-xa0fHOS4uXs{x%J59dYbVq7f8CIyBt zCsf=8H+L6b6=0?;Nyk%PV`1mMrmVJHQsnIOX}u^UESSFGVy7Tg3mCj zD+uG<)6q1!UL8PQCB*|AhC94c3B#uf3&$c8T1JMwb~f@}Bw}l#6V)ZfTli@VB{bYS z7%$cLzwXuI@rV-dEC*I}Lh@4n-p*zL5s|O2Z&%!vRMDYSp$Ji0DdUVxTdn)L1qO6`ZH}OKS#08_E^VFLt-W=%n1clX{iyG+1(Wl;5K{+Bad>%p z`bnMwEcbimhkQkm4tOqen+yvjn+gujGH-vv_P$}G8AJ$`7#OrKnP_1}7 zZ&ztE#*3jHhRrs+c42zuR>ds2;4N*9NODE6uJlJ0`Xq>TvE5_CSDX;U$T$xt4Q4a# zC66&r3@kpYX*Z8Qcu)O9vv4RD`@I*OVhU--0c20Zv3a>|-xc1yWi#>!!+U=_=g|We z=T5LT%UJRru91|=9k1<~IA~Q(YrbNp1bvFh_U9QWJeEl-yHIZT9=EM7q0RhVLqRg5 zXRZ{|UDSmGD&kb<_}wc+htmFllee9_^tGOSd`_AOc$Xh6Ncp*gX_|Ms-$2CfTB^X~ z?sk6tJuWEjYM2(4O> zi3{N2N9Me@3Pg6rs2b%akDURL1-AUj`-u zJ4{aBT#Cp}4~%~6vXnKK;X_B5n#YXxVEAYk)1c<5pR5B^bDUI zhMQ-)-b;05N`&+7gJ+(kFz1Hp5wV0KysZQ&vS7N2TBsNqd_LQNnI5v+htU^vLxLF^ zFAZ?S;dxG&1ks8ZMg}enyu%y5wetS`WcKH_nTv*8<%kJVbjT9vCdi;-*kFRso123B z6D?@=N^TwQ(TeU-;0X$j5jJJT<}9e#S$LbQ@gOmE>nRKlusoy7AZX)L&p>G2b&@-# zUjFeHJt8bb3`T<*>}z5PDh7pfaK8${B%mOIyP#wpfYzG`*Fl5qsGk%}IJ2b0ymtn} z3ZYrJlCxszsGv2)s3(KSVPE>3XqDVAL0>C@F&_DsH&21UkSQG@bys?#1@M1q5fKP` zC75AVmaJm4FW@_mf|dDoB0`J|ag;=A$+yY_8BK4MiR?7MVzr$uvJ4Rm$VBB5ji|}9 zQdZ6nLA|61-um0=%dLbMeCjBPRJ1HCQ8xManhy3ogb9YO2Qfok?;}XSImV{0*nA%v zfCHP%W}9i~NfYz61DXz7?Lr5i3{oHrGL{yjUnV>Y`14ZYYBbA;wz` zuydCb{srJ>K^1%z5PNzgB!<$b3YJ|yrzdd*8ZV4e5S3Y**I4g;a0`VU_eKX|Jtu+U zrk#B7lo&y1O=treST?)}`|i8jsJ%D9SdDJ!dIT}9V7&89GHAcEXFuH)9sMY=TlZ9t zml(<>BIdw9C+p4x<~q1chzdmGtl+I(m(8WI)7&wIrxcr8!Om7!FsNG3V92Biu}t4i z>_#uYEJ}#+5fN!S-+o^!1PF%`5mpd6*r>R-`LBF{!i~6N!Y!mY6`TDL+GERl)ooGu zLAOGtlrQzGIUb|O5=xshRRcNAZ-DW7(X=^-C3#j6M4`) z4|R^hl8h+M%-2-diQh5-b2|IR+Eyuxv8Q>o-OO2T0H%mt=aR3Tw+6U1(=T}Xc@;SO zmtIJT0*mnO%AnOW0G5y>n-n`0;1U(<)xsa<*W^88e}f8}O^`MXZ>xw}`_h*~%5KCM zLBZ!2cV)jNn9>VtS@oUSXjRBy-D}$RGWZU3_sTuPXK8`u#2wjaiBW7$-GmNfSrSSO zTRRx4%j$s$03I(}CWb0Emq~X%(LTdnGS=olPC;dx-r%e!n7%&zx_@+Lab>-ugw^{w zUwt*@C>{o!{8A;yZ%`f`6jRX%weY)J@4ra3g`NB|mc%Dc&tdt3jOop0X})aAvyjrM z6^yLw$;?ki$7-B02yWF!dIsJZ@%$9+@6n$jEH0y0NP4=`)t80C>fxVra0Jt0)QrPYI0zngtKd`A?mymMX|cVQ z^qWRN3f@;)lHQa6?|rurXPvJjg>=-$LYrK!SDdXpz2?a$+uZbYEE%R9&2-Ows@v$C z+lG$3HE|`@Yq}Nwa4iRWI)GML*?YXggq_3UeIR{h0s8odrBC%>>M}nHO*rr7Vps{u zt-$f+g9wuIn$0;{TG^}}HR)5On~9HI*JhcZL`*&>eQ(`f*JX6H7$VbfFlx_!l{j&R zhujTkw!I7GqW#880#^`|?5}Y$m)&EK+)AUI?Dk2tKxrZg!KTKo{jJUUfo$4$p?ehFD$K!X z_4qfJ7x?q7n{M5zaa?7Kwbsqwe|~G&MjZ#^4zZ8k_{kdA{R;*iw|(=S@-swB@bl$b z7z6vOEYCelZG`N|EsH1g^`L8|T#8HyOZ9FDFb~ZM+FH3oLz`cqTzm#Y%(s-tjDj`aSvm_fy4z^udZKr;p1xXbx)S*W+XDaByRhndIW1J65;D_jq%mI5T6 zztQilu#ac6;kl757kcVpQ=6VQzi{&xnh#&Ew>wPsGXEZ}&F#SJ3pvXvI+5WN`(2#tXrMiB2J&%3);j( zfdv#v?cXc&T!gnp9-!1!FZlYkLo=ijJ4j(SiEccU%43Ahe2(q>T+|aqFH6sn`&uE~ zX(aaH2T>(9Qzd3LT;;Fh28ZpS6o#-i!`0wQ^>HwCVH-j>(pSGIXt0j@wSd; zZs&APOoTKSa|h$zU4Ygd()&!t@s2#~{~L0io2EOhqb5=*u;mkVgN` z+-2D@9nM^}tIEZSdMG&33A>brqfaVpyf?W}CGgvVbZC|L>SCaoUc>vjng!HB1oL;4 z%?IhF@u}(hy$MyV`2z?hX@%mr@Dys)%>j(foClU{|0A)|(S|vq8(G&+Ke;<4n002~ z^$TPwoB2sl5rAM9Q{tIAMZJW}_bL56@lkn;_}MX#V|{bMTr zd$g_f5|=qP7f7t|9KN7(F-g$Rs!60)nx7(Y#@cgGia zzMePOaBU+)z1$LSFk9ZgDfQs|t`OyrDbHY*bY>wRdRUU10FE<(3ZweTDbsMtrH0y9 z{HVLAD=nCmbgmZ44;AfXp7+FEiRKm+Fg7nEx%c8lHKsuCK5Kqlu5bG}5^9alMlGx` z|2hJRY(}zyItR;F9lm3jWp*7RjG9d>=+n3#c?oHH;zXkF1`a$FSHp0sJo{3)>>3&` zLGy>?0>zC`IP{4?&ssv=aGT=2mA;<1`MF{F1y;im$LXhWl6w(RqORw-t@uca^aAeZ zDK(UH0cEpi?_}e#Y}Djv<3c{ZFUT1M*kg0p;5;JB@)t$ z)BPARm!-M39G40{d>Vgze$7-ypT^^9E>iCKc@0<&A6lPeCNtu$VHxm)=ltwh9PeU@`BjD)}nL6 z6JrhME$;UOzfjv(@aY&#vtZqFTnP4XvB_KQ)vMLn(+*CW>r16}i2az)WJ;_g8o^Be z+&V`-r6VduR53@<8Ur`hxASY$Y0r2YuzUa|~%GDh_RN2#HF-)&B`S^wPdL;3i*o&gGxGhnqxpn#4K&!j6JiN%zfQXTlq!FtSkFH^2?_h+d{I(~eA4i#=DmF{u5@r0=G_|E0h zTXP`_)N{*CshRNAq<9Wfnks8;Vsh7K0$%a+7aPv(Cb@^ubDnE<5xa@iwJ=;61JxC< zpN8Ctp^vmqRLzv?iGZqGyt2*EHsBw1Gd##EXz?<8Q^VU>cmwB(USspZa)kbqurxw! zU3TjySnH=`E#OTW?y_s7B>h;y4v(k_)6+KiyW0k5w{o`(#?Mw9_)&NX*QNaY#&E;{)<#&&xujmOlF26f(+LzKk z{q)`|(`v~`ik9^%>o-9lO-Oxf7erFaX%We;$#ISH6Z~c(_3uXeMs)p8;ISBY6R8n( zzed&q5PS63I+)&P)Ho%dDj>eUyKN7W%~^8Env5`z8_3m}hejFV@>P-JQ3o?Wz)g4* z;6uJtJXuV;WCJCIK~P@A(QgtmaeJ=p$R~xWml?EF=S2FQlTG&W7_(GW@~0pp6BZ)T}JhF&MI5& z@H1ETJ3a@p$DI4vvb-4sbWu;FpCS9A3UkKSTXVzbpxs~MDK_+%dy7`qam3cX>e1sU zjyeio>5pK}4oKoI8Bc>pcjpeIUD9;1c!(PA{n$;b{pHK`Vt)yybAeEpZ|0@RHBUEX zDmLF-%bwy~^~_W5_#aLhJ!KW@eVsn_a$}j=5R*YDfrU*0gUs~cw?ydM^ZeEo`Av2m z7i7qZZ|jU}L_STgzdnBAmeIkNCxHX`Dhw)uAlXaGY7lT1B#t-j z)@EhNVQ?{FIS||@BqU6e*#Tj|&IqvJ3m(&NODQ~V!v;b+=_FKY*=`khv`|mhUbUzGz z?Y1TP@PeUbW0x9f5$_k}tChS}g`xDEA2K(oyjh%s>NB@C`L9;p{2Fkwo1a)vSfo&s zSIuj9*!(qLn-%Gp%GWD3pOUo(%&9L-v-BsZro1=InOZMUBNc>0@`u+Ydf&P!mU{|( z`MfUql#SSaZbR15d<=51zeB*aysg_liTi2zB&$J3TemFc%eiP)*!emFp>^JHyVYF{ zjsi85`pAPYrbSiYM}H;xJfhSwvC_id{cskyujDdy@IBcxc!owbI1A%yB~ibbpL)5G z|8UZr&e1G3Ns@pf-8&A2{$?CWBs`|)N%am@SOV|ab85Cw6j74EJ}n1ihewseXRaH|E)17YA_@*T z%m;6R^foA5DMCfl6y5mr2GiTy8<(7i5Cq9powhxmhyz*kW8xt125IV25Q)HmJ%7O2 zdY4AHo-fS1$?iQWD2fOHDLNt`0m?&^Q%xW=w$;m-J{Bstxv`--jzP?z+E#Ab*AFT- zaL;k!f+UB6?TD4X0&OfgEhATvluHnKUG|+BsS?zX`pt925?}V7X3oEP7&uB3vlEJ% zt5AFCtBY;Xq}e-fL1y0S;u2?uflus~pUn#O9xHn-n||eCkdRNx@w*e=es(%Z(BnD= zhr{L>YRON zmf1-0)w&Jr>y*w5liO)yDv=ZyY~I$)a~mbWt(mk~_?5fT3&P8;I=YqNNuGHj5|J5r ze}g>Jhy27mX>w6zhG=h^uz#u9zy%Dl-JPK#t!O?sILNk97O0h|Dky<6oR1^rlEU~! ztO5c8D{E^?!-1GEkW+Z_y3FuZTwzJcm2A1>{5pr#N%1WCR0>e8qeK!Hgm*4ziyI}7 zrecxFJB3OZ)wt4abu#e7#hthd;!tDX>-XuR{fad!Emp@Ti{XQh9Jr==%wG={o<~Hc zGUMR|^N3KL9v3*=->`OlP!8T|J0}-mH;5Y$pWu4XQ3qX<4L!X=P z_&OhM+1)?&DDbV~^`Rs}7aKmn2_KJU^QjZ0l0MpK#TfIsW#&t8Mv1#i-+ojURR?dQPeGQ{Zh)LfG-3=TktGKvmU+-G$H}Vq2Tdicb&{@vj(&G_P zUcYUZ`uzfRez61B{LkI(<*%rNmu|G_5O>QY!`x0>JP{@~M6MA3U#VTdS;nAXZ;gPjX$YAOW>1yXfi>D zUi6_#WGCg5VxB}h;bVP@q89$3n*%|C*S;uTaI_k|OlK^HQ-bv>@gxfx<*obI)&pn0 zUKt*!)iC9A`>agWsUwg#C|`cLnU9GNa$D8WL}&V3*EL8}qIH@gS!BHiyhhw}%cr+1 z_9E@6-(-kT;b&hlK0Kw*rh=wK6}Ivz;xR3ALDAce$u4)=2#U7JS|t{*7ENV_WX$z* z)v9kAn)pj`blz~Z4Xn8+;}@jOb62j2wPas4eQ_nG5loBe= zex^WMrHHpmd0mZ3H#{>qBLBs`@W9~BhjNL$JZdBk_Dl~d)ms$BKAh}!g-mpg2&l$Y z7QTVvC2}j#Hwv%W?!iQ^a)54Z)=Tm+Q=VV3Q0PMd^UdGDZDIlU?jWX?T#pfT5k&F34W8d z-$t2-t37wuK#pZcn<6z;Fy<=W!thD0&1CG90g6xOGOw+&ne}JMuJn=Xl-!ERAmw(V zX7ftoZ@X^TSlnCmfq|Pu{<&#)aOU_@tB?NFtGv$1V(5(jf?RA;KUHuJt~>=lSwZ7A zz3ctPu@lrgIV1grI^`3otV==W#0^@UergU^Jj=Jw;ePypbC9>+{H8jdj7Qp-Jn|&_ ziMr|!zQIj`3QyU?AKI^9G8-Plr0Kzk7AO*}?0MO;+S6%O>~eD$#q;rkWmp2&iO2)j zuuHEJ4Hjn8UKnA(`F61{w7O)Y+N11dx6hPP_Hi)0A$|T}?QKG`Lrm3kR9G;5iOM+^AOdWZ^N)K*(L2qPldkkyF%+u=~EgozFy_4tl-rm)wvu zKE3?99_>yn{hd6+9D|*Xl4u?&gZp{v5*jY5HhL#T9#`SL$#Bl(&An0Z=qqe_xVL`q zYHU*Jhj0oGV6=Y~o2k1HM$D*6$a(H%GYDgW%v+2td?A>YzBw6pSJY*!39`#s^M3rH z88jXPPFld8=5g*Lk0-UO&DF~M;2Xvaffds{rMi>9JuTfyd`^1RSlBK#zU0oHLC|M5 z;{5#7(;d(=4B?u14<;ie3ErND8{xRkk6(^mqJJX1?MZC6HL2egzSCG&s##`X5ge0Z z^kQ@@Ub$4cc<^4{7)HAHV{~!vp zI8Y_BIKQ@Fmdg0UeR{zd3P~~P7gLgv(LCk`R#ditcxpiW8E zv`_|kkpoqhS|49OLc1p^-!d#&J+-~oRA%{x`K7tC*4V3h3q!~GR}}5niCdqAl-q5* z)Oe-=)1q14wOFN>(c!>o8u#`gsnnvn>FhHabn8<$=dSyjnlYIHe4z3Cj{ei^_G?ir zD5G3o6yH2gkQ$41r|Bk9W95srVcC#ngfSnC+{b^Q2Y^tCerMHs+D=#WI(=Ms_{`!am0S1A{IP7O?sUa9=iD3R z!nvnuW0UNLDz4TRbl{VPmXH)ZS>!HJ!IdpkU%u>ezvMvZ?PISqdsp$Ax69{No5B`Y z;h*U|V|SD=C;$|<5mb9CT(`s7y1joy~58H6Eb&ci_64ngBrB z$6y56H!uuYHgw`CsaYIs;18o8~kY3TF7I-wVh1f=IG%ElW#^#xPQop;^ql-QezwI zIPESCmi!PwV0Pf{taDn7x+sZ1{VYLgY;J#VXMU`n`}0gsFsR9x0;XF$pWCB5DvO|w z(vII_H)+$hKMe(xv!Z5OEWE8{N0cjr`nn6=`@1}L6A(~Q%CyKj$WFcy7(m{3n+*QO zoTHMan)5I}7e|m6GN%@F3Cbf1>dwcjL4m(ys(_b5zVc-ZbWqjT4$8$@ZQk;{EYYLX z)z#(k-shX`O)h}Ym=9*TZmm$GqM<2*qP_}?SJz+lrSM;s2qR4ovIq5DZyVfBOGc0@ zM!iTE#Y9I(&;3;N%~6%X4x~Fs+9Vh7todLHO2F+vwKaw|D1UGFK|x!YetH_0f=`{Q zlPpwvlnCPjNL_P*+OMx4KP?-HKL^9O;Imc#T4 zX--C<C(XS}B9AycTIy?Ms6BgB37znGY3`#WG^^w!ca7M))~H z>7WjK5)_5czbZI`Fx^kn%29!`Y#z7IzhT)MJdKw3qnr4O;O9QM6oEKO^$nrmBw_y( z`U4r_-R*5nwqtd~Pw&xo?ryJ@A?jE-XS!orQ}{iIru)xMO--Q*3JN;uxJJDI#cg5d zud3GG^Yrp!b)rA*j;6ThhA3oyH4CZ$^5s9ugX;eK?UxlZ#GsEXUgfuY_iW~970E0V zg2GqI8}dm`WaV^(;m`m~m?Oq3P}qFtimoz?s5HTp%lrwD3FgzRFiXGHXxu~cakNsp zy}h*mQ{~MT)VFm`IM#2f#EZ3SS?njp*01^zdH0G~Dk|R+0M(^34>+X8?%4}nR?1ek z7YaX%G1CjegN(3&8lUN*3?HON!T@sR3X;uDc(TE2CAyb|;<>LF-8tp*Qno6peyUI^ zm0uPl#pM(2$x7%5pChug<;`#pFs2ldEKhuR_fCe7Ingz&X3S>v7h%^x=CQu+Sn`%gwK1W|lB7_Gi<5xqiKDTYR zbi<`yS2|c6<%|k2^2KQ->S&;^g?;-OVUdvEDqHtvNPwV$VuuPao|&J25T@A7480~3 zp<{GE@vyK0;j`GVU)m$axKQHrvG`7dGyEZ9Ksp#;!(%>ZtVneS+699t5-Bi)%pA(5 z0wQZaE9HLqaLeFPPzV4r`Luq1Qci~(5kmog*%2U0OAJ%8;tt=BcoiL?Flf6#7q5(% z=jhRYZ#r!X_-@r!L-<5|R$V9^OV(HNI6Xb)3o&n;G94xawzY%UEMK_CMmsHEV9*@O z3zZT3txmtBFS^H@6dUG*;}{+w1`lB;R(F9zGsxf(DDzko9<4l*Xj|u-1vT%sVva7? z^h%W#wnM?p-JQ0NlDfb#iYt~lm zc#@SM^Q5b83c^^r<%JD7jZ!+Eh{9rS$O!pJu=AN*$N|!%uB}GgOb1~_(Z-l4di5O3 zXB78DDItUa%@ZXJ!zZ=kU~^#9aJ)09+Ieeb{=;*d>#X!F#_iPVp0G%im2*BqqL1%D zcu`2PCeVEnN0;BBl@bfNd>Yqoio_e{M~mtdu^)O*DMCAp^G3@^F?g|sK*$o3hu4H- zd){PVDF(e6<*2n<&>D5kwAUOMB;TYW6D}ORQ&a zy+r*3EY9Mp57Bby^e+{FD$+^4Px_)*(ik^yzZVf8?S;_gwvhT35c)LXI=S{eINN6R zl8P472RhnHoqB??l99IpQ|RKSbdWC+hDcXfzQc?nYZid$p_!qkF@j^&_<|zk7G`X9rx>{#~D?Z;I29-44_*t0m=_VjuQrHt(5RJ;>l@>u=4?CACA9B_AXSj-p zD?YzQg?aW^V@`1RsGYdU7QxqOqM`4>JH0~PyvU43rM;?e?AaXi^47R|{Qzzeev5zL z6^daLqyBwag|CDV>cAmd0Tzv|je{nIY+u_hONh)6#r3affvV>oe;H* zY2F!rbIt*3+6Jd<1*dkT7^tMtAiH5?dh}1U78`m;O~v#~1M&RXiZzObKYYn?-h;^& zl*VSg8V3?lYQ${sD-}naI==Q+C3#a3M=2F z5{T7{xB81HMg+zU74D?ea~B}D+}3a&G>gQYdNV97`e~EDg0kOQJoMz)HTU#~!NtD` zkPlll(e|Ir`V#!y9^!bh^t_>Y0Y4Qs*T*wBiyzX&T`--d(Bfjr1$MvOka1Xy!L|ji zWow;Cx+m;~pNK-XZZTmQpE>#lAbFo<&dpdnXQ|Q=;J}*QA%1nkHM!zS^X9UVVO6{35#x2 z@b2Zd_pJy&O+A@5ubZD$8&9fbsA0CAp6Ij67jSV3O}wOMV*%AHbI-?i0bNX!+$OL( zf9AcuPP#&4(zXI^;q36uSXHjNhczVTl@n**Yf@+RS3Y$mBH@20VH;+zs=}zr8Xot$AY~tYHfQ!tPm-AaqBaCb6?VTa_C=X_DKlxARGS3_GvDRI-}=Ku~yxU zi`quX66$PmH9!r}WDE12j77!wBd@b3ees0bP$Zlp)1YFSMfZK~2~1q{Do>9pF5E`r zHN3)uThc38;?c3^dn&s~>FWy2+V#s`-8Bq*qaTLT5{t5m*l<;$=o4Cu;8y5 z$D_>i=i+$%FTQd~6qmtI_fy4LN_&I>-->-+Ez|L$bVW7^r9J@KQ}iNMZ^9~cg;T^o z0ey7oWQRyUXO>ow>-ljx?3)#D32)RahNu#uVp2MX)u+D-Va7k9vGzQ6Rlre-2&EsT zS#s3L(`PkZS&pxXWQzOpB#@ zpX*r1owB`IOJdHcpT;v6W_d9qN;IBkqTj;&ty8Yc5Ed+~HvK9`p;L{pgBJyAa}%an zv3y6%0Q~Gb%^a1O_Rs83IG;Cr)HxItY23;tvyus=L(9IX1DLMKo1+UH1?BCB_Mjq` zYI;TgIVM^WQ-y-MKl!b6_TIoKp?)leOTm}Chi1+(j#sUVa6@#kJueR9ES@wYJ=cnf zr6VNCaqWFEVO@inBK2!KQz)fS1(v-Qth(ZKd`)GXPls#b=Lb8vL_VN^n^4s(F#W3k zl#vV`B}Ky(7a_8eDbf1`7lvl!*hO%Q&^*&hnd(HhNMzN}T^#H&aXO{BQ&{`suMUUR zo4rebySai7w#;DlnHs}2_=Upw-W`Uh^Nj|(5daRV8FBPeJ5Tl(nKL?Y(wS(JG5O%i zZB*-@AAC}+jiX@dd3Nl{Tc)mk2M^d-9s1|ep}HB<0IjzRwDV7MUY3_NZ zJ5!Y5(n4%7h$>$#wA07|KK}BCBCwv;HvX)RFLw2zP?`K4!nEk!={JqHn!SSr~;gHD& zN=%qwAGY3sZ&wm0JEDN@?ZRi^8l;Uc(kR6~d+q3B+WlB--*cBXpSU3CQB04%tB<|E z;>!-ksMDN#+It^z`S=p{~_xwfZ__4u+d$dV8Pv;;K41p zyK8{p5@ZQ(OK^85NFW6F;FjR7!JS0{1P=~*hunMr_x^gRQ>kKW&P-3AnV#OKj=&8!cM}Idwuxuk75li`!xAk8qJ3e_9%})Uk!304Ek0QlNN;|x( zoTopRs8PF$(HL#28`~9^oKJc_4bCw@QaIl%F$vh`zYD?5{)#OkfcV}Bg%VdDJ` z{BmwD$-VN|_leVc*KL~ly<4sim)e%26_iE<-`s5{CKBaxyhIwVIT1m@viCGj?aj>( zGgb{%>qt*pvISn5TN+`{*<7k(MEwxnzB#JBegJHx)rg6iBMe1AB`zn?E{^*YwcO-n zG1|aot69iQ!sifi@W%_pak|x~q)f?=A%{uP*ShKuOl<=|=BPm|6`d9OHE?PaZ@!1= zkk;OAFtq;-m_!yVlX*Up-Fo#$!`th0q(P(Jqr^b%4c1v#EpTep?X)0?idyQ^$6)~2 zI2%mg8ufe__VD3e*6Nd?*eq6VXH|Fbp&O8w=Bkl1Iug1|{usK^T5SsNyuLM*JOJPd z+k46?4`&Lz-y>4w?Y+*WCTUFT5aN@``anGCKqd9~arnX}ut2`5VF7?SIjy$_QTq#r zfvWQYMZ)LSbhsQxc~Yvir6g2s^OP(Og)V>joW4E;U{J>oKJXWMkO|q@XdtZRbu_Fe zCi!+MnY#3soXhq4%7jieNnZksP4Lsbd%qr9*N>CyK)Gm4wvCxsQaq?iIlsj?3=g?C z^?z6ZL9ah2UGks!c>9$pgSG86&Ce?Op7Dk3xm^*OJ4&CIp-vg1c9@M7i|D-(K|knU z6y}+l_QsKuhF_ES4+a&!d}XbyU2cRCZOzeN{7AYEPVE1gonPf?GHchXzm%_8t4?oa zzWK;X9p2UD{hOgIwIr^-X&hQ3qogWL_0^o7Lpg&S>OHet2;{y?jFShdr8|Jo&qPYE zQ%akH!rVV|JdcZdA?f1(1|+)tJ${dVuu9SO*MstGdte}6BRR2296RNKhBmEgy>d;z z$=NV=?Nj#l?3eHe!V`Gb9A50MwbmdBTE=&mlWPl)W7h5d7f6WFX&(bO$a;NFM1j!! zTrt{k{d1ja@OPPd*glr~;~wwuj!aW$Pa=zo5c>Wa$sz=%?a;73={lTLA28sGH}VM+ zxw9*bPJ!4HGlpyy-gUcQiep_vcYgc9An1Qk#Q>@PXLKT$Thbdoz`tY7lTl3R6Yqk) zBp_b9J`GwWnk^^4%5BGSq+YG@LDl8Ri%-qQgw9a|cnbFpVP2_S*2SsXaOWcG@atQT zzw9@+9zEkdE4{>jXcBNGFw#d2qHY20y`OJn(rsnpwwj6$KxxIM{tBra9{%n2cz`j> zVuCinLEZzP%QP6&46HWg)2YeB{t#CYOisE=)%ZO@MqlKFrY`H1t^ajyA| z*l(VY_t%P%Ul6=PIZ2CEXE*hZ$q|6-8^-I=i`F%t?bcZEx1SeIsP|YjbX=|>N1I37 zaS-v};<@{891B7k49q(&g-j8sUchgraU_(6K@K3hc4YW$YbC>Q8og!FLMyWun+^1wUKlAPZA%?6(`L11W zRWWp`(;-m1@~1l006Bp%-91sNI|&8sIi=(u9-}k&=}srw{Ia(N*uDhE9GCH}>1edb z`p^D(AtY6+{1ngie$x<9s-SY9>=puKY0f-@mqa$r7s5`Dy?#Q>0%{=>!1C zAnXRUSqo>O(_EO(?;F@nZwzr&*txPA$= zL?cyJz#|elTQW#%4gI#l(CEqMj!5CrZ;Yk ze5%`2Ew8}u=Q$DQ=dQBq0oZ945zCfzy1_Hq}p5lFDU`c=Etcd zt<&U`jC#lVySgs7dj^*D!B7CPhvH%Kvs54DF+6sll2i}>a`Ncy-pEJW+0UXB4<1+m znnSu)o1Bvh4&1%R+D%WosPWZa35@w3L9dZ`Fo7`y{O9YivXm$Ke zJ0>>#)3sJd5CGq1etnkb`uCW8wp^RYrs}D5t{59KSD_CDva#mCt-+v3Ld9k?ecBAi(xgHz-5z6>z)ce12T3*yykoXZJx;Z(Sc#k z6D!gW2&nk5hV!zDr}1+DbUEBQTRR}m<46MghH~g;=cq6roX6bB`4R%a?!q#o=cu;_ z76I2EPEaEuvDfzwW{3VuP`f1*h5jD`(XJqqf>Wv`TR->VR=TBPw>tAH)!wM54VRPb z%N7sEX>1#{$9z!K&Y#11`7{w`q&Sk23a+-!`xEhHzsz%s`^5LU+tzm;N8v|#)>8Ez zW9mYlnJ>XpX=!AwSqJ=;@jkKM=Yk)pZGKnr0?EZek>MW#*&&f137X#SFMSUE1?<&d zR+aw9KRSkQEAaNU@W~pCWJ}8#{I$!jC$oc*X2AE$1+)fi(Bp533XnPTGjLHf#emPbQqU()kdR%Evo^ z2Ihg>BK*3CBb}p+!@8e|$L^;_=C3}J9rkket;d*Qp`S+e=pu3WuL#7(uTYWhRK%Yo z`&@s0MSDSog2xK*Bs>gArMybPkQ-m^uNbnJbt~9|Vw+dV(ZX(cN`qd1jic>E+LM?_ z#nbOf-eV49ov(f?+c7MoZKSlP(xdj~33@j35xP8WBBM{TxlF$9=PS1G2Y+sFdLfDa zvR17A8Vq%wRm3ZX|tuu^)2bY+Cj6C z128cH_m8N5P78j1)d{C)_I@mT(OCM75!nLC@uvIEzNULji~i|f!%;JZDr#1@ z8y;?kkeL4qn0H(W0Q0Ckau!N-zmg35y+tbg8mlYZ0@%cm$U?Z>*2L7(A`sKS_3DI#dhplIj8Px@l#Ugvqwigk-Qbno>}VVyrGAl< zJ}(Pa{Gd1{eVIuC^iHx$cUh?e^>u`sWjE{2$Ik|Nx>>s9K4lyR{aYdrkDV{jcL+r- zhyh5P{$p+}O2dP8sRm^S@@+Kz0LFY?rAZv1VnUeTH%m;+`N>Fh|zyJ6ob9MUGj z-*!GR85Gl89W8wPg)7T+jc1}#o;EIXB;cz4wZPrs{=n*@#(kS*r8NNGSJfEP*OoGY2a6jJjd* zuglD~@k%vI@?l)T11xVGSNq*-fg~mCavh%C%xm(gHml(bW_=OgNFh?Wc;t6%4ha|A zEtFFYvaj(6l0{@7*&cdlEBVvjird-S>me=-YjkwKs;+UBo5jdT=gL!vRufv5~4I59eR|uBT-h1i{ z5V!+}zJ$=pMd^Pe6y}jikJ#R!XHJ&Rn`u{#$M9-!05*PJ{rG>04%N;MQ3?uG3dsf@ z=LwEI+h6(NtJ-s=zN*clZ{#RkiSm6_>wT{QNL0rjNBi2p9k{Cp2&OY8?0WMR)gg~x ztZ{7^P!vwEN}z{fKN;Y}V&ICQ9_*0<+#TKK3N6o!FP`_nRzmK@u0{vJAlIJ{SjS|| z6V>IOlLZ!nTxcJ#&7DzlswuX&22LpAz8*&BmrsCOfg2kUKtubxJPP5N5fDYvsHht zG&rQu?KPaB2Z6Se&GRAHqw3OEs~Qv(fXEFLQisw1e;HRlTx=A9{I$v?rTT+=oT2tz;TvT9;I943*~-ip_pzZKH2t zcpE*m5WTFwWp<(?gRP#4c6=8?qO}&-FLWI@X%v^cNU!e5hQhgED=T1ia5v(;TIPxd zo{KP|5IE!5qazJ78ZNg0WXc00rWiMl7XOQ?O$m)h610Ad=tbfkYa{1x*5c1yT)ZHyP!T=ne;LVsDT*Y7R4-;7@5HW2T}PsBZrZE_$y&XZQ0=G zI8x=aK(c^9WE31V{2$>*X>ImH)LA*8C$uF6Kvs*U{P~4pZ(x(((gJS0iO-f^2WSpB zfR7>|2YNsC5(0^hKf0+iw0 z|9vQf>~l9SNcr*#r~A#4k0H7lJd~1b8h+l+k{LPxYHe0cFJfePrq2jNy|NtK9O_@; z7F$I6G^*cc!0SF1?wXPo9-NUg?xU{IH;YhPGA`DMe zWAnQA=TzA&Ww+YWPvgUo>e;2Ny`f!G(9KH_8)rP|;YI$3=1PNVP9kxI-l}3QgC6FHn1I@?J@%>SI&z+i!A>1dXi-~OIVHhO_{DXil1xy;Q zZs}*i?7eMyYyg-s_)0t-f5JElKA!@L4~ zYl-xoD(NMcZz>FgY3n@hCoj*{1cwhgs=IjU1}{)0p+F3J=m{4yw~#iWKU})k^bd=1MrergY)~s1BqyRJ10Xu z4CtGH`7L-4tEl4-L(C* z^=ncSpapnli|9f3B7vQ<#XFU;@!4+M=?sGxw(Wwipl1Z|E(=53Fq?y(av$X)?7F%~_nUN|t95rL-0X&5Vg5nKna$z{IU)BxEFmjT>LEaPjD zhw02vqvp)x{5ES0S8G$6>Bco@3MQf{atmxbxq~P;?B_&3QlAJaq(t^~?GsT$G)t$d-&D~Dk1!vN?%ZbsnqSN)fr*8> zU4?aAk@SpR7}tUxzv>@$$rcPwHmRIkQX;xniUx0ahT~~;{{)Vp*P6?U09d-q!Bv77 zG=OI_!z8GEsftdIg0U$Y*TYuA(h%|32NL>Y40VNMyxtv_fvT5*{Y%RBxv?5P;8iaW z$u{`NUn~Lxr%fewVJU6d-D$?+m#ys!PCeY z_YuCs#9CDEWz_-H1u4P>!r-m4@F$*F3?DC_ROg0_FBZA%Au;O(FHWJNKQJeH%ny)q zm6i1pX%&6gzUts&GFr?pB=rqF<_!vwZtuIblNsc?W1a%uE*%}14 z`*THYjD9z~L3kCQ=3?;?cnzRR06Ja_yyjKM<#uIUBY{;)^P;&NPFZ!xaoL(F6U=!= zZ}E$$UW$-q)miz^%hVsn??pZ&yzGPJT{M8U?==95hF32Ho~d?7L->VZoC_I2At7Wy z^O^W&WSCfPJVs*l#nxtGWh|g$umA#(&37}bf!I1#W`MkS;Be2l-;kKsf#6aZsPL&o(ls{BJqUwhkl9YQNn{>qR0j8V-Ds zGDkIlKf#gcjf2RFFJI>0pJ|>mM=Cjy2g=xs!U6;G8$26KbL%nmXVc6Db>iEn0!*`~ zHnc6tso7%S%fvI>!|HjBO_&@_xQHe&^BM-~j$+z~d%=mhhXTswpnZnLh& zVwe*{Q)pTlF3UVk$^+nTa#>bpu*j4cp@?tToN7nROk@5!d9cgI2~7P*%bp;1kh4`r`9ryO8%zqufC+4ifPY(vEeOi@qR#ijRnY8tYYk=KklnnwGA!S!n=Esj|uPBlw zMo8HL$&4&O)x7f7;;pq^Iclp(QYiE&ubE5n{*jJ^dA}xwrOZPnPe)Xv{P6}0MFo!B z_*veGI3Znnk!}n(1!~5*Jni94NkL=4@GJY){%h_pG7uFBeUqCfe zFJPQ`_*m!L`gX*>K1+P$9ju+3& z_ge)1!Tqwx*!p*$p%AG-{P%QR#m3_z=3Z2S+(;cZWPyD(9w9CyOD4{aL11sLztlly z&@#}rlD6n&$XECcOidHdR;Cu!IQ!F|5~RZSidDnJ0JFxc8wQ)O@jh+-;GB}hC68LiDG3!J(isLNBnDkaR_U)8A}eHl-i-v{{PZ-;kI3kC@eK`= zLhhRNot!4CPZj<38F zzsCJz6DUZ~_}$Nxbrhzmq^}_rh$>hK_WS&pm?1L|Sp0kOGvIyOXQ4uF5PQVskf;^; z%t;y6!vL2E)}t9^fuFAvbWCaD+bTwcq6%zpFolpAI-^{Cn3#l!D}g8>AB2BJvf2?- zM@%AGVGS01xeP)Q`~b!-n+ER}NX*fo4Q|@?%66MkW>{OL%*m}L_1sTKNy>ljQ}oos z7C}J^$w>pThjL@2C0Hz~jezW1`%#WVh*mqk0t|ld4MmB(M75%W@AO8p`<`$hm#qjy zSJ52s{gQ_-O)&+qa`?xi>0$d8yY8}swS20N*A2tioGpAPBD0~o!mSr5d9nb5QB<(kt-M$t`wE6vH0t*gke6nB;a02WZN!z2tOd+T#y>4J}7CDWiLMB zMJ}1+x|iXKCdj6OV2323^uNy5i({(P@kC#Y$V5HjZ;(=UEyQA}-8a#A^00IhksT)` z{s*ec`#cKt39W<3;4tA)?AX)Z1tRVT-`K@8T5^vVvq%DB?c1W1&=v}liW4aMDS*T|4L@>s+3Q`a!UAxL2+&ky-ivzCHhh0 z^$l_UsPDNvTI(dSz}SWD0zU=a;E6HtG84$6pbA}Rw~9M=qz7tk;qr|YI8>qeyim`D zv`Jw$#ay^F#J?vh*N)7BTM7M6yGt)iXD<}y&g)4+KTY8>HLp1NDcZKp^~U83Zwi+7 zM+{F}*KEF~s*A}s$)#h4jyEfnJLSIxwrt{UCXaYOq+z)|t>qA7)YI}QcSBBK zJ19JajKa8#5RTr{#=la6d`98r%P$dd1^?WiB^S@ZO{pN{zr+_83!ILnIH-utDya!Q zuf>a`^Wb8*+87d@c9Ua$$WNpu`wKF{+*dumHK)pixlGEhkiVImda+|s1DL9i zSE4p)0sRS96pY&yGV?d6EGxq*pHRFJ$lxfOA}@@o2@JcQ*4Mnn<#hbaAC@t|T=_II zQ4u`&H%e$aMYbSBJ26`KBx_lvv;4Mm>` zj;2HLBw_V$OV4sMD(bNlAME#TwwnN5oAX-s?ds5Y)Ad@WxA=(>gjS*P$4f3IRs(q| zdN@2mrx=VtLczM8+8ixe1w7|_c)C?LyPRyWn!IXmvz^Zuj0f@SE_Q_9e2kK%ehI3MZxb3b-?sjx>9%yHx-}IT-YuHOJWEhOQH)zk=!gp`Pp+>Q zg{bCKSmH_0<&ynEMnf%I%hNPi zZl%|^z--Q@2Q^SVaRtZWxsr3YVd&mp=pcSmfs2!BcT{cEBb#OCw{$-=+70UNYeT^F z6Y}Ryy%x#F*iUtP=^;n@@=zK^e2eZpnYbf3mNRETwD3@bhg2vmf3WE2;Cpkrzbn3A zRk)TSspVg0K?H5-u=9uJk6{OQ%YcsqhT^!Rpru9}jS6lNGB^~)Sq`(5n*%OFFrnftD|7&u>LCuTJs-PDz zj0&q;t_y+xBm;>pnwWlrtw@7OztSfO$BdoN_^iQd8oAD$h{42Ebk^%MD4mL8Zb%4* zzMqu1E{noGuV~aE9fu%4j%p%#FFjqu+iP*lDZR(RGmN@Ag>z*~ox%s!Jq3l&m0pH) zrMe8(f~w-0~hGO~Soj`wDr~$*puEO4!Z`A)dw)Um;e>NsI&D)@dP) zNx}mP=axwXrkAGU)hw81Uju%$Txu+_znbaIrezEnc_a8yYJ5A%ZIDh)4)f=Sxnx>? zfMHspfgnD~tH28;>GL3SGx3@kvQm@U6-Ab5`K1VU>|S`--m3(69&41=ef|N$0VXNR zswhbc=Ae(%=bK7FFwfNf#HcfZT#}Q=D}#lt;3fZqk^a&xvv-*$xh@CBCWDi{lht$g zg4rOKZK$8y;BRsDkEB8gSVei!g#OoPdek>ci5IQX2?FWGBfTfB+1`pYa?&9eqpSu~ zsh4DodY7F?T{$ZB{>iEK=k;{rZ;Ar3Us^-ViW}ra6lsWLdLs!3zO7lXD^2WFup1bp zPPdpM5lcGC3gPAh``@4^7D(LwI_8PTa4qTT9zC5n-1D=Mj=%(2;mm#$MRwcBxc;M; zd|VRlNnSh+X{1bi5idRzK^}_GPA#6ejl>&>Cy2w6i0}i|=`udOh#Wjrn=pwG?TIir zA?#Ek14rkQ4U&l?rTxAx9aoW+z_vxNkxc)HGB|Cnz?5oL%le-duXCRZjXtWt2E~Z$ z^yCQn@A{R1Hl80UbyRg&v$;Vau3(+C&Q(qV{DZ!HcOJ^17)RX{#f8hmkiFw8RHF3f z8XC_S6KRFRhlvI2x{%ONZ)m}Sf1^h}K2AX#U!xMmKNsP9E@D(S(r;2X!WGShGU(J) z=T`0r@Fe}~y2}X)(AxJUQ|Y)PN7e!s1%XaNMxM5yxb%G+lJ{_@Y<3ACRNz_BdNy7g zSA>bQ<}3yVR<4C=fJKOr++YK7aAFNG?V1V8Q{_L`Wv&{CE!YLWU*!DhShmRv6_qGV z-0o3?sfQ;5gBpy3g7REZ#uTM=TuwNxjm{9}|C9o#W(9q+l4}EtM$UsTjeZ+aLLPmF zB9JaKf@Ak=DRHQRe5IhdWc&izcVkmIjE}9Zw;dg@gD-~*r`snb)BAygSt^((9ZfsQ zVSGJN-9y=hx+t+VlczeWEF+D*Lka`em*0{ZRjmX5t`6#DdzJ;3XpGILf3-1!E&j;Y z36)<=6zov+edKW#oDvr6Ao;$R1VX*Z?OyKDBeL#%@SYOT_9^&uBK&KIyzAFh4)vZA zJtRvf=CaNx$mn;tiUw!hpx~y!RVnJOSdatw#HaDYNJHu`R!GsN4#@Ge3i)|>m}$e& zKxm9~`0X#ID@`<#^@3>_S5JMf&7#Oon!k9mAs_iua_uB$4Bsb$Pz8XYq7FkCH4UDUiG#srG2a`EkZy404Qyj;LqS^vq3QsVMB0raheNslXFDq5O5t1pKu+r{|>(NGTaD2}{wY=%FLLDJu zerq~^rwJ>vP#wPj;owyNEuZkq1LXe;j0knu&3cJSL7yz4V5x!#ftso!jm_8=FKTYi zlL=COe>886&zb!t(KI>XxJmbsLcQzR1HEM@$7_-XKh$`9fAqZT2RP>szVLzNkU3_J5HX0FQ9BU_ z3|~4mC`~vGquCQ56C}&btVsf;k|2sOYfdLO#~C?BdI#uQfe#|t?L7*EOknsma%XrZ zu1$e{R(=o{nkoM zR^2Rv5?>#opeBe917D5_0=IiYJ1H|BS;&~kETHwVgWCpEwkc?J<6ww*_C4oP`zi@y zG+uAZ>pkp0c6ee>2ZbS%I+ytxUbVN;0={?Xn1B5dVhwqF2PLKyQ6ihZ>ON-OR1ECx zPxEVrcG2Ob2`X9tQ9eTvO}U_+tl~J_-Iq&~fMI7z6kpl*hCY^YqR3a{CAjPxt zRYcfLN_iAhIa19y&Kg22v09{H`abr9nT(8aWCC!9FG(o|&%`A^k#bRsrJL4vJszLc0_enE1$L(*9RO%i}q3)w0 zU}Qsjlt8YmSP>Y zPoH{9)<08p-toMcm@5r?{dGKFHCbrb&FxUvPm*GM6tzBqc3w)1Q1DlV7a6BT9ywrA zakXeyuK(NlS}4{)j_fE zzsVGEe@MaM+oDb~&QT&{r>@W-iW1Y2X2VFYNpBB)ICb?S6eU&*f5LLlp8HeE7)~>g zJvA-_*tO%Ar?Rm2=@KMWGU2G5Hzx`_rsJOk@mJRzV_jzmH#14hk440$cmt2`;GNqI zDa)HEnhTHj6MIhQ*H(!HR(8+)J4#==WP_sy1wC$v!s71Wc34uC%+5WQJx>R&-f%M6 z=TFFte=DDVrYo@=$sHpl^)e2p`HGqpl{3SrYH?LW>H2i!{b#_iQk7S`OhcnK_0heP z@*ZC7rX9KNO$K>6VfFXA#gUXfIY=Ppv2e*6)-Ya(9AzLL{YY9j*0xQ)_q{bs(GKH1 zY!-Zq3FQZqoq4I(!l5QWO>s|kVPwL7D73Qv;peHj3j2Sv-<$S3FE?#ml+*$r3OL#* z(VoTeSA|1f=@iTiiNbpoGn)B&yO5fa*@JMxRC=byn(4+%LR#8Gn`ZC&eOIArd;oAH z77n;l=VLt5wd@!B)Y(5uyX@cfg1deIMD()`TLprr^WgTMyYG44|HOOEFrogr`0r^z z$(1p0vk#<9!~lQQ$FncVTghd=+nmS$8*>9Y_CaTP+EWMza-6zCRXhO;aFqIv`kJ;y zw9%O=nk?S@MkCa>rj>&`I!pDZuirzZyv z*7qc|?K-}_Dir0?vF&dkTUuTIz_h)%3D*FmZS?L~cLDtU)Wc7Y{n;HU_w`hzJ&XPB zxAvW^`X!u5@evZoa_8R4uc%~H!^eM5odiGWH(Hh6d5BpID<9qY6F#lflBQJ=&_jM4 zHi#ca%-ODd#->Z*h3w0Zng|mz#^*`b*H~w?y0Dz@OoTTrcLblO4i{K|%CgmHqQApD zjF#QRz~<+|tS_GE_jF^R#}WLgC=yLj9bPyRZsM}FpwO=V3(@h$O_bfFJp}0|>AS5X zRHi3w*O+LE@XGAQt#U3?Z%3ZO=$u(P3Sab|c$O9T#BDjA1#Mu>HpKyk$A_Z_u{*z0 zf`FwuN{LMF&3k5x+KcPo3mw~fAC8xdB6HFYwWXIM#mt5Btbu%vn+RJT_Z zEQde3ZY^Mon3f9g{q-hEXMZc+aqzbXwpf1JtM!GG!AGFc(J#) zx1GxkQDugBw}!kcB^(~wJqvvvC&&XoyJa`kd>Ba*mX3oxrg*i6v{oG?Pf$52kTp6k ze7vpS?Gf@$@p&BHdG)e-q7mNc=c6dFpyy6rk2n*Znda_UOGa>C2nU z7hgj@!${6x4UVU*jmM(pZ`V7v`F9o#T6U`cBbHxlMQhboatoK+(8NN!ImYgIR@A~! z6Jf;L7C+PiwcQ^l$n53!zM62r+!po2d&6cFoBJr%?SNrq@%`@B_8QWLkoY=q4o;a^ z7_rG|O|z=OB=G1*wOl}7MxsTn=R5^^6iG^i#dNR5{JKex&el*ScOW;#tA~uTlL!CB zk2^OW`%QyqE^#6Ez};-v0G?N(N~A@kmNo1C z1i0x^aHZISa+s9eWmagDn#8&-GzS5 zohNKOd7joD{0h>Wd@i{|Sl~Y80w7P@m&=tt4l--DGacxZhM%PO7s#K{2)G_09B7vm zO2>Htw7rHA8p(zDgJ^pkOw}WOXoR?xRp;6;$My491QRAP)dMo#miaLD;z0%8A0JvI zNJ7isB6Cuk2=#^oekR~0+XJ;|{$P0%q-x@`H9LgsRXq@s!Vix z_nAfbnQ`c6MOXx*&058;h)*JVu7J6$IBzv>ccGp-U{RA9Z)78_wLQin5_FO+yG5!P zWHxOPY4tpaV)=WJN0xH;D~F#h&+jkzlfVi9B`c&4a}X*(HgW@X&Cw zWa2g|+qQAGEX{xbx#e>}GaU=`O4WA9et+o~uj5)XQX%6+4=(*vIu!)6GZf9I(o^HJ z3`PLjuLn0uQfr}%3ycFdW+6;RLHTJIE0^9C-D|>#hDe+m|0@;gv>c6`lM~p?-L3hQ z8wiik#euC6Z(1$b&F03}L4`%zkzH0f{hqyAr$r$V+^ZAJ+}sTB-H^-!<#I=?8xLfM zuyT=FxN3SZ&S?lp22&=Eal3DF-dZ}5)<%UbtCk3BZ#by_Z;s6NTr4*Koi85C715L6 zE!H{yXne)>dN{Ar+*W2y*#YOc&7qjD+^2 z71ssU9V8hyV{{GPZQmvafXH+r@jMK0jex75$f9zfw-%hOg9_2T+kLOoHv)H*r~?Zg zGKAeJo;hO?*Ez(qo0d!91qq*O+R1_Dq^lt5ZChx96$ zH8^jby4$H>Idi^jSF;ldo|8#s@?+*b-P_h8Ntg)YhTHDu%@R#JB`N~uf0`y9Bi4Wo z4sC3bXO(O9F$M^ujxF)&gxfZHm-AlzUilg_981dob2F=}VmYeJT&I@GN#e86PFYId zw^#GeQG?%`UEf)>>hNE+Gr*Aw-=nAZ{D2EpBqC*_mM67i*fha)VWnWDs;UQ~^;@J^ ziv~h`mw#aq!l*6Ze>!cl>}fs`Cwjp76E2=m{3@KHyX>}HJzqT_N6??(kI`(;-41C2 zy^{6O`b87Y8-+u%H-2RFBdOAzA8$Fu?BSMVJL8z=O1;|ksonhsZruoH70$m5uXpy( z)2Gr5%#Uq80#gw#;`s}!cBAjb05K(r^Y(CFB4eNv9uO_9FYw}TvUL5TB~^r@OAz}P zxlG%@zI@kWhCmH)ZA$UgsTZZDp)N}+(^83AD9{}6IRhwHDV2|5(?o&F?7zJ+`)_Z= zIdj8l7xGc_YGjD2i1?XKHL*$A3mSs`+v$K@PVUpx*Ius<^FAZh{F-50YO6; zuc)xQJ(`coj} z58U*RtYZ3wG3$EfHoGj3uAWUIXYS0D)vfLA?0DeLhVM?Bo0}5ArEBUQZUSU_$_!dY z*<+2>0FTS7dRFa3mW9*#u@?6HzYOG!$EC9*Wd-PxT<7lscAh} zoX!6@<>GD>BnIZh?Or|jf+KUM<0%JIMmR-=*0Iybg@lNcekNtE#vEQu)&(7aY_X`c z2`N-QY}V@{uc&l+H7i}0AKs_U!c)Op(t*D57;3fw}}B8BhhN zMx6in0<_kq)Nxsu7p6AH!}i??sD2SpB}QaK#J(eU=J}E%AMr++ZPwhdCHK!-!^+>n z9!Es>+?ir=k&$-qYV{p4!!0VutVx|~^;1?WbR9mf3V9sqi!w2lH2t)%B*eznn6~7O zZCG@y@<{ewpQ31q?|YZXmDIQCg6Aqg_UhfccLe&ZX>*w2+qe1o`PaZl8fJuVGjqLF1AG>?ATv<(CC5TnYebIK9U0?0i`J(*2-dDR zHs3O6@OvOX$PrGRxSKxRchG?x?1)U2*XDL<6GckE%Cqu^4rs9%kl*tyTL9zi z)scs9FK~I(wIM43c3w~Avx;eGXi`=I)ujLfR?DM)(Gj>BjK1Y+@DM1!WkACEmUQo1 zRxxwiCsE%T1B#YLl;1`Ln3$Da!e`nCLM&l8>~73w7qQ)=@2E>; z_)ba@Z58!22-(dH!~fV{rJ6PllnE>y9rc3+Q0{m|Y>j%Oc&8GM6!wowYt?0@w5Ez$ zWj5OVPTxkz6KVNzoFmHz7g6(HKreh2BwW+1Td5!TTv>*%>kJD4nQ zrGUjr7Qt91uE=QcVHZ!3M$9rGxn0BNwp#Gi%Kz9siY!ty0$2Rp&o~+d|LimZC5huf z)0iAQ?y%!#ysL?7y7(tTZraB#WOr?4&M1*~EsedERN2`04akcjltIZ+bH%EPMxGs? zKa)tYT@*;-Mb#&r7j#i6XwfJeCmSn)GK$g2_UKsb1X#MDUFuDi|w-NvddADoB)edh8bR1K4uLp2NZ9G9R54x zuyJs3vXmhZnu#RX_QLP03P2UKyehuTbaa+2vvvTd*YU>2h7MnLr6r(yrHrv%JL~!u z4b3SSlJ4$iGdMCGm~=(NU;xO7g)O0}ADC5SD1wonj_j5nfs^U`r3&wMH1&3#*%HP( zw2aL~4>w5Mk0S@AV;)j{h3A|?P#rSqLHJD&Mxo5G}f&i zqz+H2WGi^3QRci~D}|~MnV*=POA9uhHE~G7W`7IDW*zsTk)^{mNlNRxpp`8}+t3h& z(S;eD)V&)X8fqCBaeGhzU(nzA$Z%g{9DK3-Mh6}9yY+_n=}|!TJWlnT5x9)7*x*Ljr%Yp zmlgqQGcbJ*fclu)`g(h3e=pQ-7k>Z#J-x87P^LNRMu84OM>*ig7tLrBUTmjDjycet zk&zJzm^F@UWd_tp-k*SlT;{c5G%-6bcuxCl2nH3=$mwz^upij_%gm^+_GlVo(GKnH zt?r6vzM)Sv5L2=`i}w>#Tq}bu$rnkBtZrc>!7L3b4_K?>psII@EN3Z%AgY$iP*99~ zaqgZdpFW1CbX+%%1g+8<=HXhpd#gZVjAJBn*x{DUJKz8;86u|yAq)5Sq5C?(l$a}^ zY*Ld~h!YTI*5|I6CWXtS$WND{;6>sOpSSV0LJhO%@_1}?1J>j18i{J09x?#LT(|UYNogAkO1@+> zqNCK=Z40;~;HXoH813Nx`gUGRK1XTh3pvhE0v^uUQbc+{!*NW4L+^}HyAlY5CafSW zp`FabAL_H_xM=IxEa0;O4--TH2`&+I;Q}{Rc7*%9 zZh1)n87q$b+86(GT%l(`(uQbV){*-E{6Yx4*ADGx38SU*7N~nCjANY6iH(G^@y8lVZT>^R0WU-Z7?GqFr5%`}ZDBxZ{zaGXTEUfZB z_ZrB+FrL02r2st6XEDWr;4d+mdhA&569v|W)N%N>9-oB;5MRr8zXT*fH%H>zVn@gb z@7a|2SHlKA5Uo|$)Z+XftxY}aaaGch^8fsz_pHYs{fc(VR3zeoyPHK^R%^M>y@SgE zq=AwysI^^}vO~5W8y+3`{=EeS1G*sUMsWnTvi~C&^aQB(CYSjH$bbQp7I@4+fWDD9 z;j;5l03VqQH1TB%`X7y)q5?AInZZ>2#Ko_AunXLVkgvDc{;NVz7@=S?zg*=@;ZPvV z;qE!A>2We_q^~Nz;QfkmOJc@@RLLSOHqgcOU-im!zyWVCk`0LQerH`jH+YEXo@SfT z)r8$7e*d?Xii08!2m-d%ru{Gk_Fb1#zO`h&Ssey}Xn~yqY}S6he`?(TMhvP*Hpyo> zrzotIxg`w^_jxB!(ii{im}DZvh2PNBcqF zqzejyoyK4V;>JIk;nC0ZwngN;1@&`b4ZQh1tP4!L1n3)}#WO~STMeTV zoT?;CSS<+i|LN+=!=YT;IOQahEz+?}W1BHbj&4! zt#dGE$yFl1tBfYceplt`W_ zFqgTzhF!Ws9gEjcbIPD#cGhVWU561Tp| zpGzPlDl6iI5o9`-B)ylbe0BN>lhA_p+6W!;uz2v?$=@gIOL;t5XVYcWZVD1!c`&2$ z?PP}~u+K8xCHu%xK|u?R2&9}T6bRHJrBDBv5%?JhwZ9*dFakUNr!KYOrz2TC%vF~V z<~=#f_w>|x!Omd~lV$5BoHAhSgcLjJJC%~e*!}|QZ@nA;IEz_3jM7SSn_FtJFoxqS*tQ=&+!3=n;`G6E$UY_l#gqz(cey8S&7#+=7DrUSWH#Tx|=4(0i{cgZ71 zcCl-bXf$MTY32?8rSQX@WplBUG|zw4gPAXoJ@dgRFi;mk+A>6GB083327bE{Eoy4< z&urc8w!_w$S3Gl)YG5Op9=POqIZH9a-6c}nNa2^~Rgk2UN2)TPR(($Z(Uc3Am9ryX z&a=JPo_o`x!x;J|QJv7oW0GCzA-V1M50EzGAiKAnrW{)g`pKJPkAHtW8PPk0W|NoqmN zH6`r_tkhv&=W)ZvCX1GUurb`BIYG;=XNmT@_xWNFT2YZ-PvNFp**0i1G`fval8M!) zwYmIq)-fNN0JV-UIwyqwr09S6AVH|`xgMp;dpz2$IOaI8_s4GKrqXfif=ebS60!p+ zm&vU3r0y5&z@}>R!g|U#6B$$`-aLF|vap^A_e%RPzUM3R(dYbI@{jgQk9o?Eyw_H1 z?tTnb_xq()d?#;uRTkV?zOGKnmCd>6fmOe9d}3{Gg#2Q?lu@L|TE>hmj+pSt@S($9 zj~OmDyS&efOoBSVGrQh!+l*l2l_)Q-_uCEX_y9(Q5lC>6@vsSd!WN-8IN8xk?Rn)F z0^UTm#T%?{bc%$x)8Tfn)LDr&l~toP5+Qhc6))>2jv3rLDt;5(l3V^P7HdAsyMbuT zp%h)MzV460#wj3lf`heu1<$4wIfW-?I8_0*;W@*;o*#_6(rN_dcAgQ}#~Qs9CVKD@ zvD?)h^S;O7LkPx`Bg**twZFanf_nn^I%j`a=s#H8Boz9qdB2%jV!ZLUQeKci`8kQE zzaRnWyw8oA=EbZghI$^mW6Q8BK9DbZVZuK_)vcbqIqn<5@a}A-?j%1n8@$~zaLTX9 zF0=pXY1@}A+8L6vUI$1Ki#^1x0uaW^vJ}4d(y-_i!cOrLnl08TYnNWO0-?qQ;@LC% z8AgV3BBh?AF}bXuZ98y5|1ptyQPrpZtgf|;P%>YD0`-c;DV<+f?)xNw;8YVDMBT-8 zBvO%+;o~aCubWGj`_ezn4|T=afIB5D6;vwH-=2=Mu#EYL!4$$g4F*GJH5M+8rY!E+ z2q@2h88B%jcAkbvL5M+ZG(2I;G;jyiW_vn%Ud6_a(hRATO`sL-PhMl-j`a$-uzgzy z`k6jV)2rm#&7`b>tg@ipBiif5qZ?pZWD;Ab+@_29y>a9f`#MxiDuOA|vYaGSf|tT! zhg-3E8qtH!%N?k;BDPs@*KAo`V3#Nk=*5Y;ouOT$Fiun8{x{-7+f`Q}uRjwDvfJpg zUgoxZ7n8E7j`c~X_;~xNT#F-+bD+}wqr`^9>dU%%KJ)zSQUfR`u4ZQ-yWj4pO7t2M-asCS|wFpBn*<;FZP>#F)9OG!4IH^^a-gwYNeck+A~F$gKpM(uXX&{x=?aVTZ2JX diff --git a/versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP5/shared_advanced.drawio b/versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP5/shared_advanced.drawio deleted file mode 100644 index 6f96eca0..00000000 --- a/versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP5/shared_advanced.drawio +++ /dev/null @@ -1,187 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - \ No newline at end of file diff --git a/versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP5/shared_advanced.png b/versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP5/shared_advanced.png deleted file mode 100644 index da9899157d390e82e60b50211bfff24637e8dfb2..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 90372 zcmeFZ1zc45`ae#mNR5b~fG9Xh$k1I5N~s_z zp@@`p`2P$uqZqq)@4epr?e~AL>&u;U&Ybu>@qXSLzkm2CqP@GhfJB@>b z55d8~lO!Pmd)OLOJaKSzJ3QodJsf?k?HsId*!WJMKe6%h*gCs=u<^;U@q#}hRw8D? zB3y#zfUsZGYbnrE||Hnpg9kZfUu>72>2Q}$I;o+&f3n(5_298FAo)V8ggvmKF|;+#*|XnA>P={l-u3&EXzw3UTSPN5g&W##5>2QIZOI~X6gAh!VO0G~XNuBDxs zjhmSxxRM=4NM}rZHMvf?o;7nam*Lg)^yaZrP(@$I$qYQ|_C?@8PF&#mF&A<4QFJqN zu~h|&a{yPe^ugW=wG`A-TKb~*2#ai=#LHvjhP~a69h!E2nCruU=uzj{c-mQ7xnr(| z-sR!!?BHSN^6gFwXD25huW!C+=H}+?{q5JRogFZX#N5>dtmB)LP&+g&%p88)t7B*B zVT)OX0Os*f-&V4+v$4hA8ODP-;%J8bGG>Rnt(m2>H~ReTUE9)kb9M%&%5Piw2`dMb z@UU`0pQrFUN54G3+ZTKN;}bB7@G^7o#H>x#%)-{r3D_P=(C!|-*fqO3dpcQedkpXn zS#MiA4=YUpRI?Z1K2|O1#nV_6V49KZrdy4vlOrrw&Vx<-GS}eTkSX^ z%xlgkCEXMiy~WiIIIiLwJ()B!H{Z7+}kUl4Wyc!NELy@<1m2k>RHFZTma zjK1Et_W-+h-1py6v89>2?Y23f^!@vK{mv5PWfTiD zk#|^!;PxM|{})&XOyvKadGP;W9-6km(k;QNwNER6e}P*69bJ4Uk(xaEOPSR{$K^-qzc; zM9hX93RO^0w|z(swMf(!`ZhnoDGxI@8!O^?Uu z2Qv>lFAP9qaPenwg}DRV*=`$2u&9Yu3`S93fDwBMcV|yG3oFc7K&)S)%l8+;!Y5Ya z*lp~E&@%YpLfh#11+TXsa(mYw0IJZh)34A!rC%!_I}fy7Y@Y_UP*$;R2jKHpqd;w7 zZQ>g!{5i1wuGyevk2V`j6#4sF5-&DZ{=1gMDRYM!N`t#IDWSjZ(@?iCfRlp8_;{OSC!U79c zPyY&a!enGSkQ}QK0CfLHHS!;%F}ytAs|vII4^)K>#Q%<}K+5}l)cucS3uacr))v69 zzx6aWUOqt!VJma%Ut{t@fN*ZF24nNQSbn%ekl6UPGbm#r@ZS<724{8{{nvcqI{^9? z2>!{u>o1X{0PI^yeqq{wg(QE>yx?wjUS=Ms@(P+;V<_7WO#l0fR8aUIi}XLnt+DFd zVVysO#Xn1~|0(W;zRORz^-hw61)-fR35KzPzX{>~UVC4l1&bMfmT(L4eQO51*dUC( z(61xhFiaTv1xg3_{3V^@0X0Qz3ib1Z3QM?AWdzh`JrvzWpY^+h`_CB)24w%nh9V^L zoqn+~2&>;eYbe6Jus`6_yx;S*UuZTzCgOm;q5cEX|3Av!e%HGGJf9YVVQ4Kjqrqxm zM@Yo_@=kJr{Tf#P{|cdo{g^v{34}Zt<^12J*1teG0>a-?=%4WwVT}HED(9C_=pWM^ z^on-SlRu8F02ER6iGKzzx6ydJsDZ`e9UzM;gncb*Y;U2A_DkgpZsleN3hk&2_Kyo- zJA*U^*1myW3>^PWVl*GNC4=?Qe-(Q9u(>k!LRi1X`tYvE%EQ~)%^u_=C$a6HuMHur=D?#X zU>s)$8vLUI6iAD|G|_fep}_txeSlwCiuwfr4CCQNx0=5coOrRB_6|M4_%SfOQ&GPn z`$lE`;P1}n!PlJei>AJB+hHOnN=exI{y(RsFU5=RwS-O5|7KbOy|?eQ1mnX{i@!um zKW6qnL`n-!H?J=}$Q@zR!okel-40bk+EKUtUBmsGL?nUla{e#Hc5EQ|v&q2s^_U+n z^g9s=bj!?qfnQ+n=Ynb@xueAP^S+XRz<1dT#)-f7%+Xi;+VJ`3dO%n=+Y#=ZoWb*{ z$!PruqCf7@-2NVqoi#Yc$qdz*^Kb)04q%i5OwaIu!3%T))(H#E|G?pSJW%(>Vl~D% z{}2KGyg$2Hf$qMU`Sz#stW)g5R>@FIKbD z*|9La6Oys~2WvL}O3uRjV;cE`v;Wk;-GME8{85|NQUQ#jVEFR(moeMej@}nqj43@} zdG%LHjH*Il8S(F8$WHRhi$Tf13$9>eCWaHi1Tal7tit{*t_Whu)bCyBcW?znOfU(C zovQhY27l20#for;>th|<-NkI%f4@v7VJBfM(DO#92^lvVb0`SZ;4f;}ZpWvisGX>e z84s#O!)0yeXy*V{gE|LX-^|fv`yd}EyMfSQ<=|z7YS{g7?7Ra8 zAW%1Oa&~h>&FAbq?2Va2LLKKvKj`+;Iar}4W4ORtE$p1YAm2~UNAW@~48))gW7>?^ z%WogH0~1@Qxkc1*o*j?2ebB?r%*ovvJQViwsG%>+!vV5t`R(0zo^EbtVQ;ftMCbZW z=)3{|L@;9i?($wR!=7d3(V1zX*B1CCV^?pJc_@I@GU5UhIU@4r275 z7{RcDf!dJ}u>WtPBd95f2nz9;{i1j4H1=+u`p$Lh5 zr(Y~`{;`F6q2hJe2%RKFX>|9pW-Pzbz@jJ^(*0b#4MJ3Qz=)}+O{<_<0W z5Dfo+*8T%;q3rkrm;j0lU}P`wecA5M@|W*3gC8#RJAvq*Zw7uBM+MP!#$VM8}Ne}w)F2!A@gJE41bfnNC2BzVlkcnU#?Mq7aaJ7 z!2H>cKWO;E2I}8I84ykX+14Odpx;=>|0>oyTZ{jzSffWFv1IMPyg<$WGv4-}Y7O%L zSPlGvx9tG$|C-j|cW5d2hiLg{$(`W$FN6N^Wq%S$|=ZkpJH(g!6Z8*h{4O2-+H&~ks?X@~@DJYl#6%S|f?+xie=lbJ z<=sq-#`&=0>sSi>XF*-yyTT+*ED8Z&?|0gmX^f=~E<`lOFE&n&?_>blsvGb3pvDB{%kO6(L9KWD_YJTU z>Dw>dVhYndUUp_XrXvAHq9gCuft?@E{u-sfI~%zE_h)1GfZP3d3|eCQy;uOiR=9Qm z0PJU#Fzh}oYX2*(3VuvY^(P2`a;tAfTd_v6?Qj3cf}EVWtb8zowA-&km^*_XrUXC8 z34XQE0`)_J?qK5&-<;t3?!5_M59mkwoxxl1zJ&|w2h70lA2|T?1r*_DU5p(Q3@$s~ zJH?!|<5g75Fz65M3|^iehy>>4l`jM6Uw$u=|GQs3`q>;8w(P#M#`%4R_+Qa1){6e8 z*==+9#hMl1!7yMf7sHBsr_=r-)dIu+`g5&dFVNe|Ai`X8lN&>Utg`iOLgBcMUHN4vqAtdO( z!mJl1{Fj*HnWfTRX;__^_s4tnz(&eLLe{Aonmt?5jh)^kVb<`N;Zu-mD)v38c{DIR+E2JW_Vfo2JRXu zI4Y$_LU96hsvHXosS=#v?R{TCTT-%i;de)=FCsgbw(t6H-@O5WFN4G!&y^iIKi(GIYwS;<7`MM}c`!I$z`kb)+*Pjcp`+_aBk9IMyVPV~ z$?;=n?m|e9(@uN7?;?E^&-`dG_;YNUgny>(^Gv8wIltG({>Z7`{4BXhniX(L+eEQ_ zZ*#oVR)k6L<{srl&bkwn5)dn9-}$#PV^6PK;xUu${2X^ctfR``+v8)uNapAMGIz!n z{6|eC>-$Hm1J`-1o4Mjnrs>7JIP(n4%-?HVu3Z0Ep^yZ(eA}MROu;BfKv+BZJWG`sJflF~DRuEVxyyl- zv-RZk!Y(XlyKb8`KK}HsbEW|P5|L?A6Qq>Pf5$Fm)TqSiz%A7jx|8sN+|BjnQE+4H z{n={QWvc^L3(j^QvusQ5ZWXb4mTKF5cMq@4vzUY<>d9pk4E!YiOCRchv1r`4Jh@-O zkN+8+A%gW;$K7F;Lo71XmgINep*?TqvUDn0)Z$d{A)|5+dJ(t7r*Em)?SAv>zSW5b z)@`ka)BQh+&}v>3bbK9gvQxCcZS0h0{Mc2KAei%(=FL-KWP6UWXk^NbhqTw96E})n z;bZENT764vu`l9o{QOvp#q{gq$4Rg(MFhe;+qlZF*&Jq8PrzwhDf}DqWs#lc`Nu=z zwxParO?%t+>j@J-b9~=*=Mn+oBPCdaIeBcUzAI@|DQk|`xmci=g52BV7`-UtxgLZ1 zAl0sm7E?pw#pg-X(j^bPD^M4@5ihw$V)gVg%$-T#ETnpMoKbxBZNhk4wf*W$&1d*S z2R$AlbATI4za5UGh8R3_kV)pZYsF2&?S^pYArOJH*RC4-J=s4i!lcd#@yN*(+e6s2 zGB-N6wLYUr193>mgL8V!+$SXDqUPk#zQ?o4i__OFJIrvIOJ=wwH?LZb#Sf1L^7;VE zcu@9}8lq0vWDzexG~mA1up%eZ7jKSb47X}Ylz-pXJ@(ERff&u0 zqIq-QHp6tkVkjPA%*DsQu|-F=4NVj^TRy&sYtx=qbqH#Js9$Y9qe?x?4gk#gg_Z&O z@iG)@vk?gGaIfjt*QBk9#QAn-7?!zRO6rq&MZ9}IPA<)^r`D|mxr7y7)4b*g*F6x5 zGk3LQiqCczc+VIYFi|e-+K9VLsUzb$HzH3vQ;T#ZqpR>a2BqIKb|yXq6eSi6Fn_y?s~fI*Vv+<--GWBUq6s4y+0 zI;nsQ$F>Y!mJnhNE#i=?knaa}SWF3ITK6|nmXt%+e z1cryp1(kKkH5WG`jiNuK8Ainh?vY8JZ-n~S3U#qo~;ph z9)XDq;lSR8?wyHIJSIbJVR@G-6X2q($FP7SI;`ZQ!U&ndX9qb%y;QG!*1QyWx~&p+ zhD+P=OnQhaq7X?h>H$qsN4(1QHR4#17Urs4EB0G_&t7Ka(C5b7a8vmzJV%==!7xtb z;EGVbr)nbSwXEUS7O{Erz%pk0oNKO4*;Z-zY;xvzS$Vl+%OmQKigc3;fE#5z97)bc z2TmbUVLAwxeo?8#{#I%fXvRO%xvO>5q3>ba=)`r&Bt9Fp4}B%=hnw9`L+R@4>kC|l z>uqz6>lWbj<{6#ixSBNY!uznI`x0_iP@{P7J+MlIrj~WCL%2cn5?g7xzP-NFR`>|ps zx!tzg)cW1WHx*ej=ZJ1=-TBSVzBLJ!BpE15$EANB#DZ%7_JW^XU`JsvlR0hp4h{o%}+YvxBM~o#ZBduM(>AV=G}MCm?Fv*nFArj zluZ05KLQ}PxUUz_B=K5&d1W*{1?Fxn=JkPRRKo8Qw0di8O3D6#&zyOu5bf)*@NmXx zB@ks|OV>7+2Q{)3DER2ui?g8Dgq+h>`GU6sI@PZ6T6NR}e^zqzn(V0SGIOiB-Tdy! zIMDj}-_odYr4h0f+kq9BODZjp5?m=@>6MMrRqpE|8}lsA9k;HFD!>*EKy8Dqy&?;Nd>e${-@4Lxos+O6s(0#8H0(n#J*`R#9>O8>v zLm=%$mwQglHZwZY&uxT;{a>560 zeB{DYnm0d2{mKoHS*3JZmhU2EQ~ZoGjb3O_6(MLwvdD}N%+y@)-{yd zyY7V)Db02`)s)S2-Jv~o85(+B%$vbgBi~r!5RT7E8q9)dlK09HbtZSyeC^!i!n2KX z@OvgT0}*@Z{5c`)5X${hO(eMoJ+4IELF!g`aq(KW(%(cP1#Y;GHX}Lc$aCo%!YPFk znJP-jqEHW?`FjuFgd!^0=|Q5h@Q%O;=M5t+i1;UF;JdQ$*6U)urHZe{I@P6O4?{k* z&#*y7y*}8=;d34MkOg2<0UpCF#ROz2>C|5uI^9=dvGn1Uf=VeFUEkO{Cpxln7S%Ly z5m|VuuxoupNPhL&vHGwayUtr6!f_ocLY5|~rU>pclO>OJ%rNb{qnWJ$D3$7v2p2zu zW4{m~;XVyZc^yN-uytWaSMU6=tH{#52R97~oMKeq(U9;md z-4&J-hS15L=aLM=$BzPx$IkH93Q=&+J-z0;wLa%`jD4FLck?KOgu94AQ`#4r4_6yy zGt!P8qrW=L4W<9^roik(2ckZx+~XZW)bqVuYilHOC?z;9Os3ak$~^r;_(x^PX$T=? zx5kyW6rmIx7c$Cc?Q{?b1=teGM6iAUcFf+9(gWc&GbC=Jn<}LvCEHAn3Yj5Mg0I9C z`_Z5yk0c%wY1B}Pmu;&Ow|Yk5vt+9eAT%|mW$0rlwGjYtnaZW#i(9DuLx1tXId-U_ zyMRxMNWN)tLaT^l3h6>x;F6xZgp-5v$NsXm;?maA=@wR*VddBFIWD5Ip85B7AJFQW zQ)NLCGyxf@)>ruNaV8-fk0T)`=hLgR&=ek@Nb^@iunJP0(IFT~0ugmTzBWe7GOD#l z5Qry3l7K5FoX-Pr&(6Wm1=;ZHyrsGVl8nNjO}~Ec!9d%t+tl19)edO~0G%@qn3MPT z@bbC1`*`cV1j{_lY&GGajZ)uRfacsjeUnT(&(Q9-hOx(&@WmUi9yb}V{N%;uyD%>B zzD*~AI?&~#(VSKxof$A%-Qn#@+k{VT!vXFShlAf zXuWV9-OC`qy+2j`jk1X3K^aiPF94-gWYNyw~Uxmt5Z!%P7^{6KEOi?r10>s$K=xUxi0T`UcQ3BBc0$-c00H*A{fnah@%ST5v(M18k%UMjS#|< zq=o>nY64k#tj}$o{Io){Sr_#jLdyO_igEmjI8iwI_|MX%;y-V#w{NrwtwSJ$+|&!yDz;pthuDMiuRy+3JJO2cBIQYZE>SwVkHt zF%2n{YcODeLULpF#GxRloGrD8=ljd=u8zJgbf)3t=g@rSK zzwEJFq@4u(1uu|LAZVMvgsvPOqLry5WfJuuX}Nm*5nv8&8I{tZc;mCzMLo~Dmj=JR zq!^Rap)R#~9t4eHK)DFRBDkO+7MT%{Hq|GnOGawv>dU)iO?83@aNr=+XT|0NzIo^oLV1}Z>DYVi1;Zee`{ zW4Ww$MIYNWC`(DH17iZpr!TF zN68|Uj+>7+UD|~<_wicte3Tczyb${t*sv8RF{(?1-)yF`CZ#;hSFje+0Rbc7j@FiV0aK(t~7!h%7%ModPk zFDI-zYfG{1D zMk1(nt0S^5A|px$IXw59qAbCoj^7Z?WNTP~B@F9;45v;Be!j!p{%#>FNC-Fr?s9G? zYE&aA=IetGplxpC>{(-wEexMYJ*$E)^fUs9CzwMh|CI+XlK>Ffd^Gwf-e&g|5dd(T zZwoCRRq_r3R+DAjmV9LM8uNrdsy>!+zdAXaL>TqRms8(IV(Md))U(O*w*bKo1{h+& z6EfS;aC=|0v(=P&!^YLg!E>m!q4GGjkDlofD##Nmv_kc@oh1(;HA+<6eFP;nT_ed z_~;Mo9BI#(I!Qh2jY^NIWf{^jq-BLNRF{;jT$F-YGGIB3eDB-$Z>8+-UW$;uhYFSq z84PGgpbEWsa7Y*axcjK(QUp5#0w_t=<+*?r=9yfSY73DUa}rLB+-1kZMfng8-N_RW zO#M#k;E)nrH&4x<+prY=Qhhwb3=}+kE`eq3HM@HhyDT?67#+mTlWhJ##=A%y98xkz ze9R##Ty@e$T{z&S*|v+RBm~?5-)oJ;Vhy*ALYg2zl|=!8$WsFV*uOB9U-Pv4NiWCE zExFoo@R$K421Zy_gwW1zuc1~)zhQ4EJxCoRa5*K8VI+1?t=2;3piVZ`;L+qDC6s#Z zjP+Qe%XV@s+9)nGJUr~-`Fb7T)1Ig^&M1?mqC(lX`89qe%)`!-<1ItLI_9H2U$Ds4 zW}_Y<%HTTo5u|BLv$xeUc0kN)7cLc32VeIPxQ949uo~Dg2`Khq)Q3P7Bu_0%F@C^* zYs0rpG;BkgIs}e#mQy*oW#|k&Liz)V90&C6dx%)UT`s&(6(ISGI_egCF_IsoiO>d0 zds0H4F(6l)jv`2%XKgt#{BCHFAQJ*f%;~&3(Vl*Maeo~Gudr2O z6%sibV6=Yg(NwtSurpA#^-aMtaj3lYN*%^VkE~=cZO#p?GNnN#)9u`+` zynEoxZX>)3%CzQ>&OzY2Z@7@xFhUI>InN802saL#X*ELBi|y}@`f`5~g2UiYh@oH& zLlHrk30F7~x?s0m4y$IP8bo9U75}zk{n_}i%Eb;9an;w4I!fhr?I|$aM>P^LX2X2qY08EYP#J0+%kI1#4~T;sOa-A}C{b8^oxe|i zkZFsk?Y&NY#M}e;UBjCs2qEVIx%%^@u5D*)? znd--jOgLQksE?A>?!~%_kvgG#AG^Twa!qIP^qPW4fdf-@j6zPPbswJ4K$h`trhkze zz@J75++bSBlG$~{L5B|d%8OiVuRY#}UDIqfUEk7#{w9X69dMsqz=Zp}qseB3qUKH5 z#S2SQ2+JqGWf=^b(Zi5pfBhzh-~+~*aJEM2SNpojEO6E96G zj5MB{^;=l7?YJRet-=%=nMHiiXf4L4(8G6QCOFu<_44YipeC9!jp|dX9u$mtQ8(+= zvl}iPuWrhp2&yxX=o@*_M6TpF7&yrw2(fCZL6mhq8m`C+cX`_pbUEk_8I$T2kYA^+ zj~(d>zInJ=<$63`m~!LhE!Qa-ITE+k(EAf_095Pg_~zRV}wnQY7QM$NvqgD5xlz3;=)qhT?+r!h2mp$GAU|R z8aEXrc9Bh;f5dCaPe(=;H#@vpVADhPzAC<)#eP-Msa zLNf8-Z(-&u25)B9Z<5nX*fDLD29OH0>}@Xc<+wEUY65<<%blK1lJ?H&Y?;pTJ%x75 zFvIc{Mty<1*5jq7W9$LmZ(01j&PJU{|0sXuwD0q3dy~r34pW${eNVBA@1EQ%FiKmaOb@xxeJbN*j?kfd;?)C2G>~fcye$ka4RI3yw(iLR!DSnI zqRwVavXX!tT9R^`#7XYWkBNMch=f1?4f@GLv{iRS<9y3SF6cw&RfvJ$y{4`*4wsdo zpvqVGB?W`#4!mq03^o#A4ZRs0|M2n33T^ZKp<~d==F4mbyNlj;bc&aFj*7OXiT3QD zH6rJN%&0Jgd0!2TI%z>P+IojpLAbPB{0i6Q1EaT&%MJvDsdQ_c^B>+?*F;(@m#`8L z8l|0@Xph=6Ra2|u?={jPWMbBGK|pu)i4&(DKe>(CX2bu3W=nFBG7yt-(rih!hD~FY?19 zUhz1(>GF)AQEehZ!loC+>4)5VK8*Vtz&on$7!L1$={swqlFmaD!+~6<8r+I!=pvWe zFLieJm{ht*m_pm@45O>nsPYSehsG&0Qpz6n>+D?GLFGsEW#&NInQ=O@pI*uW))Q24 zm=&60;Ws&~cu`oxT=S|c!*%qBd8z=k9OD9^yYD(o+xh_N(l^(3B+E4wWVqQ9FVnwt{d^GE61#M_kqqy(|B77%*RO`ci-w zIrh<6G{?X`9<1_TZhreDq0ODk;9(=6(6gYHXa-1mX~3%6jhVrqb;kumkHt4qHq7UU zD0oMoT{=XpmL_i3_$&k$pNfv|0$43AsPbM#Mnt#0HA@NQgbt)j;io(5#m~eaXv!9g zOWMarHxjlX-*L}T$K67!Lg;LUTe0ZmfU_|DRINes%HplX9GKMys?m|lBca5FmUSwJ zPbNe1d+cc&)Dvc1fXYfl^1c1?EgCN)2CxgR?VK*QcRLRoTcP_Y?aG`;`A z-F(5?=O;|ET&J%Vx-NU`R*h7N5rhRgeh{NoG=F515@Vnp;6r%|?z7Tz>k$UiYWETt z5;lQqTI>}hXm#n<1WE8(J`Q=;nQgH;KQ>PFtYic9ACJt!ArYwc82@YhnHRbJ)io?3Fq8yzMp(kRu<`BI#X>q*-;r+CJ>o-qVq^h?bDm& zE}J!$Ko4_DBrWyg(jbjGVKT#4H&7WCg{beJ@5)Yyj71`$n{InP9T4v^6i_a? zA=3FMLwTmor^=VuqHQSl^ofBqYfi6K_Z#($xnfzG@wm78EEFlnxkzLModwsVV3TBk5n%eNhMO3sUu#5yZXYLsR)$E&!W8HsvZyBWCxK#b zBDc|50y$7KDX{BgKLoY4LbZ&ED487Izfp!4IS(>rDa7&;Cxa5c`HLGTt+f>6ndEP& zT$>$@mts(st@2xB4OEBK(ijCUw=??;;abG5fMJ4GdXZ{S*n&E@%t|2ir@L){BNlB8eennQS~%&dLgIO)qV2hQZ~Z})6HYJVGOxnPgj{_91cCRYW4D$sR$^DGLgb=vpAx~_rmwKXw`;LmyDj*RZHK%l@O~6 z%_62`vAER=msT9oR5`C6R!=Ir;ezK`!~FyGukI`H|RPqAXZnUX(5$# zUT|IFw~wzdQi`v*9F}>G^gCLqTQ08eIT^{t*ki6V`0QonL}^)dck#-6nM8$TLj~Uv z^QWm}J~us#yL@xY%3d!nI5KwJk(c-&>OuD;VbJ-4_k6g8?VD2eybWJH1Zz_8JANTd z5*vZQnK?a8Im8~q*fUtTDf)2H=n?f(M_8YpzI|IBuF@{kN;Xbzdm;Q#cBtCsio}Z> zfvuJ~ThqM@)QFLhFcXbDm)#%MKjP7_jq~CI5*<-cXQ6T1_DRIerA7BqMGEO;kNAwB ztVG?pE%C0qgZ$aMT+}TNXh?evh{8Q)*9}ZJ z;~J>#`>OREFCR02-4Ck|Z@(G9FMvu;6jW1bVYg=D_7gnn_Er*pT4~r6pf;>|!^f`c z_PS_LjmJSA!mzy9?wX@ttY1c92p1>jQYl`D_b8u}EE^dfSddn&*xnSdmT8{}w{{i;3L3(`o^sEc|@ILWsS)9`Ey`L!^{$rKM+XsqDLQ2D`^)%1|J`0Ci3gV- z0{RzhBO=ZL&z8UxPBf_NjsQM3*^z;NDv>jiLnjXj>hmujIx@b$aL&`NY7^-Q}*J%_sjrl%+8nlVfuqM5Lm9cj)Pv)5%o0w5$oCz zT+sJwNDtnM+}d0RrQ#2}yK7H?@{IiL8JsqgZN1dakb-7(Q}o^}z|AMSbN2S+o5X`A zttl9R(5((A6S=&Q`#F)zfG1$Z1&o3bqdJf6^AqAPQ4@gm^RvF@$1n&y zEj_$A-M2S^U6t3;e0>$4Qrz?&_2-R+_~eJ`v?o1M4SYzMxptYL zKTPhlJ;`3&8%vumU0JB_G)jSj+lmQ(EP5P;#f5~E7)~MmTkSr#$MGIi&bKIh$?#b4 zT$NBxK77}18v{a-hp4WHjnIT>$p{&!Dxn@)91LL%;~th^#jpY=0?3IBu7jv8Irz`wBa@$L9O^ke)ZSdC8~T` z3q(q=f_HWWeM!u}ROz5_Jd#koMu(|Qqt}mf1Qd#g$Zrp$YjXs|p}U6-oCqJOR7yoZ zF>0Bt90|M^r{5*%dA{xVv8J(^OF=T5=8*y<=(FKRYR~CsUpRh2^n%#9)LhlHix^2P z!7N9J%hhlW99v2xWrzfhnt_z^E>nt-XFbb%aSXlgc<+%mE>TM7dgyk}EEhkQx(b-m_0^HhzI0?Du_<~ajYDK4bs$SEO-I*zr zh0reX?ZXKeov$*wLOfr?iMvp`c(AD!7bgs7gWNPvjtwYuG__HB- zh|Dxk9xG3UY+r{fhR3=QzzGlU|FV|EGikt z_GSTL6AO-1d85gVqW%;Id&PaqD*T>ypX_reK-DyT0omPDRSHJH5-f3Um5KW>?hLAPojn+wzn6E~mh zcx}E{pXX(>w|0Th)ZPVYcn6IPIUyIr7?;jb?Hv4&`mi~Ak0!qZ(iAwKh2OLRdwSC3 zECK9kEPnt45w%AMJmArVNF;~42u_VIv9;h3H`JCQiIOFKQDHz63@mwc2t=48xaCab zVX`{pgcgVC`(&nY@pHU!p(G)R2x8n++=8cW@~@o&C5URBa9-hdyood)If!%OUOsby zlY@CG(WrD#N%N3X#!#E~E~4xdh&*{2+>j>-p-r#vP9LF4PIm6efxXk3k0wWoGYRA? zM|38zF3E@|db>#%egoH~#}B{#M6ebDk=|Bd8156BlZ_Zj?PeN<`YcZMIc24gBB3Fv zi2|XaeGR$x#^L%p59amtjAx$a7@6R8)RXNuu{7eSppzDwVm}g>uJe?4+#=GGmUi^G zty!u08=@wg$@0dO8&FZ7MNUGB{NkJBwCPqENl17`OBalT=zQ<^i#^f3)33uuZTeux zUT4GV$AlouIPGk$WSYX+~wYmEL2>$0~Z=hRdohk*qhhdPPI1KAAiSMFFWW^?l#*)zjlYu zuD6|=Yhi0cTjP_QH|^S`iosE5DTXsWChGSI`8asjN4qojADLOVq2VRUo)#QGpk>?adMwA-eHv_s%z;_TiNtX8MSFQ^MLY_2a zn%Bzdf5M*#-PkiVG`(f0r58MNg-bZWQyv;d_SyMaN&x-Er@Nk1u7(q@Cgx31!G*DnXK8v$ld(NYx#>i=)(r&k_E2``t<*-r0m=bt4 zet-^=J}qUpdv#;0GhRwMotvxBthZ#`lxglmEMsl1!OB8=i_+?3758LRvN~wKwH^Gt zy75s2FKYr!cTGK>T}hbi37^q$x>}RBMJc~v*{GPZG(5qVJ*(aBbxH1-x8m+h--cuK z!fw3AcXiuHq9%im8~J-p)D6BGcJ^!lb!M|A^MMQd*I8w#{V$xAK@+{RcpEi>_!84P zrme4AhBTRe^F0@rgES=y)ZvG$2(apA0C)13@vd#f+p5C~f( zO3JU@?Q?T1Jo9|Xw2z^=JG`Q=&T6TvkeV)P@BN!{pvA@G{*>NfFqjP0{@N@rsdEPX z(kRH$4(FEyZ#i@!Y$lIm2swn3g$k!64Wm9DNH!fTj8;n92x`49xm)VGNLbK`M`n#7 zA78FKQ7rXbU?M|AJUI%sTH6t1bdgif&0|W8^XaCrzn?IB9MgG^ zcYK+saunzwsxV6JXXZ4pf&)< zl7-|mzAKlT!f`GbRuwHOP`O`ibHPGKhl71{MB;O$WI~u@$NW&xZ2Yknp8TaE6XzE+ zGEPUh=9;F&r%(60QH;L%3_I3FoL}CZbEccVyO4QF3l3?$LRZXK9SRU3`NZkitK>+t z1i{;Vw+VMMtMC3H;t$<=YzB)I?#P^>z6E&$B)&LAbTarc=5V+R9^N z!z@}mB%8U;J9gjIC2$m7RJg*hco@1r*W6SqN?B&^)Vs>b)gGut@omkU!U{1dkx#p) z>buA8$Tu9jt(Cj`Yk_ZPK^4Ks0o^XJV6sO*U1IyVy zwWV+O95rT$HSmZj!YLXloQ7#mWSLSk2!-DAQs)&v@~B801k{t2J_2kr6E-UNxqCh~8Nq#i<4SUbT|o3+IIYDa z9m1^#q3~$erwqwpsKJzxaxDE{HDmjGL*H)EU@4K}p{IgE}#1fT!>w_Lohdk0> zk9wED4L{FF1yuTp5H0)CGI|GxFVv*UPe;kS3^g)aI|FWJHPcp?NMR52{7AN6vXt5R z;XUX6IM5E>Gacly2Lh^aEXoh}+jeJU?|ar0JJmY#7;%NaR)Kr?(Ap>{hQb^^h^;L4 z>uEvfI3=ZA7>+XebdW?@FLGSV*W0S{YSUGH?fLGUU;aY+(>@sF`KEFClI6nC45Uef zP=5TL2#@0cnPt$iaGgXj?e(N=4r=0eb{~BQc5ecG>rO+bYv8DLJSO==8Jzz zkg;eacOZA)ai)d(bIRSxiyGBrCrq67GBuvQspcP!)Gc3fr=5IqLjU^HCRW0`TZ_GC zb}>j0`p%Clg65f7U6iWr0Ft*^)#Q9=m00HBMVHa7qK#3bQja;I7;LXt=F?Hz_8v-(h^p<0@7-0Le*$<=hN z$uZ9H0q07N4APZ+L1TWGQ`o?FiF}x?R-)32HeZ{(>X7{Y(!Z%q6T0j0`I| z3`@F}r&-c}47}*!Z$)n1iZ4$<`PrjJ-$i`S^EP+~SnZvq`U*Lb*kM_A7S@`}h8*-|GZYbG`O_)aBX`)5mOdO*b%+yIZvfp?ho-vNVIOp}2z*(fj5;lRUu#4#mrWvZj)dc^NK@A;xDHPPMI#Qyj-P z43E3!)SooTAUk#9!9%0A&#(&f}S8?W%Sj&sB2LP#N0y{6pug$YWcY;_};*hC1{#ADM1E#(n9%kr~-NG#n{4A+gb3 z1*bZ$b2o0_dWyxT8@`jzGa~2VjT3p%4b>J8)T`K_(4c)So#htCJw7%m_qgovF$E|%C%c*YlD8ltYrYDEF8rcBnqCyHcbzou5q?7O2-cM(4D1R0v zib_)Uh+U(^tALqh1LVz!uOX*`#~9^$$T0+eRWUns)dUH8Bzk zq(AFWyxz1Z^H{NyB-yD*9pC-v=-RSUV5p&Yc}WdRP%I(nltV6pqc0P_7Z34a_N(3 zCn8B&<>R++xI-eHum-K>c%#2L#6EkQjg{V^s9zH-2&3mNGzSw(vpHG(jC$ZScCxx(x@PUq#zRCS@quE{r-h_-}l6vnP=wA z%tITGcP8(84+UbJ=Tt|M(PZTxnCT$)imtaS`yzFm~{mCpSQ) z5qjdkmjI`Sb2}U~(A4x{=djPus8NfDixLB5WDKok{D|K<9<huhkHZ=Y4pERC!2{;v4z})TqhLa zq^C3Y-j%`rIvW%R|GNQkdbm2B##{k8_QeN%QkxU<4Chn|w;)p>l)8uu`8;ZjzsPt_ zUpl5*59xJ)Fo#T*Nt5_u-{KE4eE(f~N?xdCQ$(V;-dkNWY5gckBZ}24U)q!ZrFnNSQ zxN$_bEmfew*eeTm=l?8ZZx!^mF>+Z0h~Uo{xpyRUg>r=3XmPIu;snx;zzOCjwG?O+ zstHGdv=31w4~hnr!%ZO98_d(c+0@UkK#noC1zl(U#oUO{WEGhwe7K_60&G3o$-Vz> zgAq|vT@-Yo`)##ziIM4rZ>l$pV-KnzIS2Wzrh>jA<#~{=CX*4e5L%Pib6be2=_H{k zY`*R(s~;U49uH~4RY;^N0(I#rrdbIUkf06|c3XagC2rm5?F?K^Fez}W(9iDn-${vv z6ADsIu=L_+sRu8&H7{1Fw?2}Cq+`SD*C4exaqHEFO~>OQPlzCw9VfRPpDK7HTp-D= zhje?B22~WdkuMUU%^@A_#3TtZ5m}2;b|G$NFk4PUAz|G`h|1>|i)Mze5fE@uBxTO^ zpU<)lLDx72X7i3>Jw7_8O*5_-M)dT1L;TEei^(8oOE~$2zpjFsXnYlXh+DNZFU~5| zlMG_<(%2GTp$alJDAZD%Lu}28{tDq~8$<;YSc{0Zf<9V^D`)kA^D~Dn)Z}vSJNev%^+j!h1N(P-7!g0ef zwAgZ7o=aJ#S=RMMOO7qYi@w!O_S+P8(oW(fjFVn3pY#pTSu_MtQ#amkl%j&eC0Wgo z{j@wRH*{0t(b)QXsX@>vNBKhwoS`^A^Xxc&y#1Cg}8K(kN z?Ldc#u3^_b zfG<-vr-OwGM-5!-FxhmTQiT7Ld>)XYz^SFq)u=ou;32`X?8e>dZe=^}V+S$X>gSYJ z)TQrr;-A8=U3GK*)K!;%hYn8msv@7-I}$a%OyqVvRXGZ;8FT zCa*gT+!%Vck^e_%6}WIU%$GTDn8hmd*y+VH;&zQT^Pz7UK2`a+5A(0iYF>5@Ud{^58unG>P@+NwC|B zJ3A=g%y;jCK4a(37|%b4D8!`%NG70{3-#dwm4B>q}fsx__M{a*H7doMU` zlfb>^%cgJVM(DVy(S?wJ5RvE$-WHW{3T(f(PxF7<2W1a;6_S(?Y>I+r6h8(Rte=Ax z1yQeVj&7KI>G+ho{rS~2ouKK764ezLe4Il}W<0N*OFtr3 z!4M+&)IK1o-WbPP9Gy{LV9NmcCK15T7}?)+lQKplVNS9T~a*e?&4= zwYZR*Ywg#l!iICGgxm!+?8{EDRWSoJ>BXKzH{N4Ig1tIK)8Ugnrbye|qNJCsu@fW; zT97H6kA!Swy+PR@}Rhy-T z)*S~j_WHzH2dHe=K(e=P_DG{Cm|MPE-s{h7=X)XLn)0DuKBcV6UJK%6=dkQ2B^!`P zb4a$==Ho9-`F@WdJNE4V9OVG6)ETT=mN4a#7+wj$E!iN0$TiofJ-hWuFJP+U^8KIG z2$r0qO;VT3H4z-dXuV1CC$*5pv2VNG_g}fKSg?uJ9p8Ih;w^!ug5+chbu?U1xYWwJ zd)wOb^y|j5GAcmY(1R$U(ioFTHT>%dRONd8&jYOa%~tz&C&B~RQs0s^RT%V-s-I}f zCUH`Bz9L`bg!~k6iP&I5AhJw3s(nECG=9+(Z`#8|k^sa{dCb}wf^Y+RVNh@Lub~&L z)9%~k{bWTLBK&Ag16kAY>I7N%s|UR~amf74AZJO>*M=a*WY!Pvw@W`W2rKYia}XyP zSB2Ez7Qc_q${U>gXn`S7+2DncK;mu}WLpfOz>V_8uSUaPO`~;lOpwbs)?3s(V~o&Z z0kra@F)z*{t7*s)Q^w{FNBEH8T{8$-{fr4@kqlzG!g8k(^$x1gDsSq!Yi#a(!IsD4 zFfhyC2E)WOhPxQJ=KqpofQhlme4-T7{)}KThFd+h^IrCbvl#+$l+zixVnBQyyG2vl z|1J*>D{QeOmLnooP^Ro)OzxY!amTXRUdN(5xb&cZRLH*(g+gtkMjv`Mq3bB7?m!e+wIE5& z9v_>Pr8C8sZ}!O`HCHpfw~xKOrJ^{zGftwSs4#IAzgLcK%g1{~?t=sIgBGEcW{{)* z;R!x^5^=xxH*VkjA8y~q!8s1pQ{UdUCnfIgGxWN_#);;Gd^PjH1bUYHM#P3Re6qffsPD zsN~E^^C|X4icuUCTp7bX#|`*^U)5Rc$@)b`XzY!_(+mf%;&E#UHUzY?YRO*Mt%P1GGnB$q6enTquiO$4^n2Ctw z`|IyDh27wXei<7~X$l>Wjz76-IT{@@J((V#6&)*C`C+BJ*ol16d4s~vSsynWt5BLV z{#7Wz6BBC$$Ti`n`Zl^8CW9Mnc7u*10k?Df{-cslF-nSxRfEu%7=ZVF#^e)fnlc1H z9F`cvSdQ0+24QB3J1{h9R&g;S6+T%8m0vydwJgXW5SXlq4NMLXKN@%{Izvm+qLm22 zCl(Zyeb>01Iu>~qAH!%kxnDWbK}vGy)j^p3_E`dMPDGy{Rbyns2gzy*GR-fWc1>-k zgo_0ZCB?;cMdikeZEZp|(S{TqVqVOArW?ybh;LUL3$emf_+!l3tu$w4zPOEz&a`X| zrdsj^)C1*Vrb$hGzU|yZku^gptBsOg>Jpp(J`*?ocP50X7Zn?xadVNIAR~lW_~zMr zBiSk51mnGK-3h*OqbPJp|5X#H&4ZyS1hds2&;uolCs!$AN`{FqQXxaomU0QBpOtx z>^u>f`nVa`J@@_Jp7&}&1JF&iq2*yxpz>wyNkBH_JZw0UpJL5tujC-s;~=oI*$(k- zHa|e2qRp;OXoYZXYw*h^vgoAsDcZ$@l%!*A92a@W*uBYO%{;mO1k?JX30FCLr-0DT z)Yi$tE5vN<8s_SDwd@yVe|7?|J#<*lCsUO}#MEq+EeFC0$2yo0Fa5kOBIo&}1!{bE z$l9^{^vhDga_q{d=FS?USC$(1ov0{^n~5V=?T>|3F+E zJB}&G+RR`u6oiWzt^U~m-mu?p6Y2jxDa+QoY5~F(I>6o57Wo_PI8(#Io;-l1{#N>U z(&2VJ$(STM``}7UY$^E|b^@i}e{FsHb3^YbXe=Um+EzZr*9(`)mec8}q4yW=Y=~UTBI9Z``pU z^;X@!b?H{|kB3sZ^1rO_$P{YOAH8y&Dd4RR=t@iInv{10b*JC)hj~y83XxnJFvO$g5^Hs>j6>Vuwz}JnqrYAW0D%m5+^+Z`T9{w( z;9Sj5GIxd&$<9*H-cojCH%Onw@)AdY9=!I}C*S7lafZ_!4$pZ8&B~5VC0RwEvv|v* z;%1@=-Oswx?=wc;t;&2k_I;8NbK#1DaGkrzGEKuto>5(cFfC8cN{|SZqRXzrOZz?s)Ow>8p(1t_!Y_(O0Q+;`2Pd=RS(CvzaF)!8HQc z0!nnxB89HXTH<*Qyhs%Ncp*3A=N?l(zhz*^Wzw(|7F+0206#GBwq95y{P<+ z?VPUU{zL%-Wj1N7jysHjVy^XSprk&UJfT$tu1BRL-keMT#P*imEXPt_En6jT?Q<2a zUIUbfBo4*?bu{l{L+zkr^s80jVtH4SA4EmK~)InigG&p=a7BvBJz=fnQIY)*Sbj+?6h*)BIBN) zm}Jv3b#R8*eS)&HelEAZL1<5ldL1_7 zD*)xVq*!DdLFn2kqRVVi4E{UCB{!gSS<5G6`+O%Ux0uZaWC{63mB!?@t{V>4271;8 zP$>4jT1@IJjRt!$q=Sz}P zqG|FLu-vvA|9`}__?Y|hHP)+UWpx{k588f=^#rV?#g5mRD0R)JpC{vCiiE;38}kFy zCgy@Yo!mAj4hm7uOD-(=ZKX2#2G%j)0e%25$*n# z&|Pr0BL;41aek8QF@%24S{vG!dAX~?zr91qYWL&vZ2H!mXj>~tS85FonLZu>F;pvH z)l9++ltE?vMtC0KvLudJ9ZL{lFUf|2$5dIbHIECeT=uXuYF7SH=jeBcadvd9dxy%Y zTL`NKtB+1;bi~-(IgqgtG33`;Djs1{{DJ&X@_hS?pSUMG~ElR{^?RV73Kb< zH(5|dq-jiqOEZVE_FWME-h3b(tNSUNCMl-sf+c1!jk-SQ*KOIOaXf#b1plG2-mea< zIK;5xkwleo7f+qw=3o3i&J#4CV}NSA=BGNh0SVXnu|#Qf-!p=h>4_ENBPwCG@QePh zgTzsF0g7Z>SD|VY%qsm*V$`Sid``3X&aH4r9Qc#69++DH$h1CTi zC@43l=joBTlpdEJ-M`dBTViyNP;^M`U5hdluX=s98oQy3uWvkf3fX8h+!mv#`>3Q; zU1d#(XYAU3QS?^0hhZT>-ADt+Hss^$uV}@&;Fzn|1N5lv{OIFeM~dQ=2QtF#F3_q@ z4Bvpjd0H2aAX85VdP0~5&r8Y=`h_NlN#<(?A0~B0$4hEWl=evkJmXhMcJY!91K5>N zg*KW(MMisJPf(KA)KMyBkHz!uE8G737N-|q1dV+7%kFa2&R(n7xIK$kURk21X%q!> ztOH{fhhhY@(x|@Mx$Mq8&9#qRSA;CvqH?uvahNpx68T!KdvyBdJH4ng^sMcK@M~6W zti~P>!-THTxfZ>&J5fURrR2jef_-&z19e^tF$jE>)=-OjzxUFhm=^ks;2?<$fp8rH zmHH|!wCpMgzb4vM=-_;oME6X)VoE^OuW^je5K>oYLCd)57CXz!ZThc~T0|_xTw^)Sj=QkGvc*fi$$4jp!+I)y{7|FSWcXqb%J#JvHmnAZF zX@_hmsBa*6t7}ZPjotvEkK>^e#yIxr?r4+ft!?^`Vdtl+m1312**FN6LEGe!L;FxW z#W=p0QkMmx0KPAJmB+T?U7fdCZa&grrc#=y^$xRto^|oH%((3Z*V&_spKm-!4CMc! z3WJA8A1FT0)+}*)&apP#ltG0O|7s{%&uPQlU$_6Z9PtZzl{295^~(Th>yLFiM~5@w z`wSmnZs&A(lI(tdL?)Am5 z@V?4FE*d*=jcA|sadv~M#J|Dlc2ZSuDTF`8-x(jE;Lzph_|ZRjMgNH<6-||aa!Sj! z`X#N7SMx$Y8{xej4_wM<;ABrN#qLtc%{DRHRXhXj!e+#8JDNXn-RK29-cqHt`8X-f z1>vj$KOqauXQORSn+uJsCf@d#^2DAM&=GMkH^XtfIm}45XdU0~ali?2$2(l_icxW2 zRqcz;0bQ+rRE4jCevx>SB-lUC;Kblvsfsnr*+8S&10P)TA>--z@hcc$L=ptc_){hL9Y zLnN;2)(0bP^MPU(JnfJlMS@0tV(u8wXaS_gNd01e>WMm7FV6;aJfW)LAdsC#Z~?ProXz=CtD@FwaB@x_GMj{8kGL?-%02 z>y-wyA%3HeymN{_Q)Q^-eED+YL9Ew6fBn+SN;|~buD#W1hxf(}vaM^-Y~fRPC?@N` zOvLS**ei>xQ^urOg2uOO1#iErvayv)=hD7CG_NSN|4c(4t%!)I!# zp+%q+M9~LCM4Jp#6n5flD@btfVq8BriP|MZz-z&c_XrE>vPa36Cn=^tJ@U3y;$o$$ zyu2wFJ&_An9_-^5xaj(~xd{&(V38^B;Zwp^bhgM`z4|B&#$ZGM|Ds_b_BWqEY6PM!5jt>Bk3Ow^{*WmQN=%r|i`Uekx=>+DeayXzM> z$V_D4;5_r+zgsj1Fosl}m4=;&pGeX$4*4<#cGZ9;$?s{kDPBcCG)ZQ?qVlO|u^l!N|k{d!d9 zy*MfHG}1o<5eaVt{~dgd7~=oW+u2Im&W=`(L|=FDI0aEyJ)#Nkzs;dY>fv{ej}Bb^z4^L6G)y1JO2nbWCy6~mD&54b|W{^Xp> zx+Lz)+g_wi6w+(+jX0SPJ(r&!!!-czh^v=gaGR&sj2b+l<-k_cCHT2_ zzKlf3WFWse`=5o$VZg3pvJ`1_8ZqYQ+b^PCt6XqCQ%dJI756yc%+)e|r4{%=`|HV( zcOyhTI9&ECn&ECqG@y}wkUtu|HePmZ#?LwNUX_IH`{no3cMyO%WU=tbPxUF7W1#z3hP!#B@F4=Rql5_!b2j-obbqu^7p!IVeR_*80)C-c90w zi-nB%w(*}(9H~u8z6-3Ba?2x6(7W%bQy5Q%S)YBx5nZZSPCzeVlS3I99KEYXqS6~9 zxV^LAR}m7bYx~V+1Ksjq6V<9=v2)tl`aRxtD17gic=y)ZVI3#S0fxJghjDk;&|Mj7 zH*D9AN{|8I)EyWj)+;{Vl!&O1aLZDT@N-}OdpK2<(NU#VonKYoanAW*>|Wc{q1Ix` z1#XMdmK48z{N;LXaO@pisqv|R7sXfrf;(``a1b-`2lp0xO2D`I1!!H~b8 z>*7I(NXtgV52%e=FL~RT_wcNw$3%&V+S88>$alj?_C%|DgCwO-Gt-J=Z~9WsRS(`y z+Hm-zCI)~CiOZEIjkYP$deG`FfK+thSEZn5{`9FQto5wYvNI@?3?JvA%7+?G9*$KF zqOTG)k)(Ze6E5mH`i)Ow+V#HJ{`$;3k}8UKTfCCHf!3w9HokwZZxlyx)2zfRQFZy3 zevzKc7pu$gdJ9R1eK?%ogiP?8DSGfxx(c`Pti*8sln4A0yvxnCpeOHuE3NWj%lNT& zf&UKvA2BX=0%9xxPY6YeUzj(Jim)8q0N}c8Dw)IK1-$f^wqRbugTfaELWgEd3q4`6 z2G8@RgU4A-&R;Qn>Tn>L=NK26g`>Rl0FJ-oAdw7-7khwE&l;SWKK zdXvi=mTQDE1N|>>NgW0IqZdiHO*i6CWe)8gj0L^2*b1j(7oI40pu2upAkE>;kjwHe=sJ*?ygVY}^`rtv@s-UYz3dXAMjy zPxkY&?fo6Sq_u0XY+>^ut3YqNH%yWz7Ejs&p0~C%3}J@p@JVNW_%6q3*oG)SZ{WsU zg_|@u^rd{47xCLRhHhSs0?09*OgTTS3AA;z^kC& z++5Wux19@v<&AWrGa>uJb_2+gHLFg6bY+z4axoWd-%9Au-dmUcUf}D?6GnNcoWWwm z(+t^9#F%%NVV023cx_MXY*s!0m>@PPU`XpwT>W<3J$xpJRY@Mr#F41z{+p((x>jx_ z2YTiASchN!F+TBX=;(-Oj-5iGi|=0{*~|J+P6!?ZT<~F%vgIX4#o3-vqqS|X=|4kA zjr%8DWa09JE=6v_ zibPw1aYZi?uL5iPOc56UHijaR^Eb#4!QrNgt3}C%>{B+qO9yo}lVu)EG)1k$zFhoX2je zMLQtiT*!3RKivB~t#m%}ZmV6#EF$>)2Xp)0>OiK+{7AZB=cLjgvPArHcQ}AO_>@iv z2d)?D9ExT=F??+9wMGIypwE7$f~!;NVs%L zfsP$6xM85|7#r$jGfO4Le0ys@e%g1Rq)`5D#An|Z10G+zPI5UVgM6L2FEclP6<4V` zzAxe&!)w~Kjy~Xjw$x*TKZ(zh%mKfj;Gi^nBbi?84hOPOPIXf=+Vk^}RxnXWit2kU zYi$Ke61r1HExJ+V?RC4H9{pd9W+n*xlkq!FK;)dXi=Sntsb7j8w5@hoWc&vwp2R2w zN847ugbVC?s>QlLvo?4{)iEuhaBf2_GT^5F5EcA$_u}((?%4MBtCmr+(FV~cZO7Y< zsZn#YC-vjQR>~@GbJrMNpr*x}2iwg&1`p4l1!>p|kP|HYR6#gBP~A!2zsQKHSEoJt zel_|EZ?g5qXJ6y4Tlq(4k5X7s-Rif@yU%ss)oR<6jK|PgfrEr*BIeRFW8G1hIreR2 z!uyo-S0#Rc!Z_e5taEDP-OTi#r19MH-}e@-Oih$HY^s+`w*+1@6f{G#F7za>YfaUd z_cjk()d%$XjN`hRx|CR!3coNsHw}3~?SKewWmPE*#>Z?vsXg2xLJ#|ZW}G=!8)nAG z{inT-E;rbp>Q#l?mW-3oS-k?INg^8W@q5OdJ1ywIMg9^YM;`rW*OQVIkWmqrp}u@{ zG2Z7?0XwqLNHy&Qcmi&8LaFAE!GH^7 zgeR&yjMX8V*DZQEcw6J!%-2}_my+B8nZ^iMQYt?UD-~Og?FrKtVXE|H8^# z{*;re0m()yi()r!wCMO_<})FS8&6A63lfHACF-D$VBVxaq;Gg^s$>{@JtDaAJ71Dl ze)Yjf1Ip=Mk_Q+}uL9Jmic~r-`AqAP$=jkY1PRgkf9*UqS1PJxy60|{v1GmAT50hk zxlhijDk)-59#Yx#8uNSX4dQtofxLSi=g1$9{pw zyFaghAWUSvI}6*+LDjVbS;k2YJ3e>5s01wx8X8ogU+nw&#S zFCYHmrfO+47ISJv{NwB3d;tCj@VVxcp5ut(Q1gr{zfgtiQOE1>yo&4`{iC``*m{wD z$P)B$rjk9bs!nku7fgdIEiUNWqY3{anUOyaY4ZGjX!T3Bog=O$PwLHdBI)OXJ58Uqz{G*V~P1hEe_9e%xLg3u?Nc$TW%Z!|o&^z|P_ z1$1q(H$ZICY7E}d0`MT*>XlpjZ1CKN2UJ|tY5uZkUS3YKa4JOGOgCw8S6B>GfaFqlVnZ z-Nr$|6<`oMoFlxrO}R1#URsiC7kEjd3l%onE;1A0pAM*OaE7Xz_0+uciu>O{^{{QX zgg~y?INatw>Koo7F52>&r22x9Rid%QaUdszi>nF0^FD(}dfXm_59f$rQ4IY8B3Egl zw6K8#61$JjcN891cR@bljPvl7Lz3`P8G98W_zyd5JI2Ix9mHAg%2eT$ zKGyWPpnbm-`2nxvbIrc^gHwI{UWIj+ykj3LSj<|1v!iN9PZk_c+nb}WjmJX$LxvB8 z0n+x+&wKw@lKY75r>X#^CF8s`Pwxwyo)5V8k*ECP1)2U~k zrBx`LLMh*ds7fY-&oSJzAW~WDM75^+QqSe%cDL+_-*OAGZirdtPiGIet$Hq+k>j(ekmTLU-QHy^ zDZUPM;Hr#l+N`>5d8?msmEm8F6+TU*Oh+=K?aYH7cr&WGAJ5}JPNJcgrm5A5e2=FP z#!FmG0rkc?B4X1wU3I&(`O(MR)J{Y`#Kyp zwmDYuJNCcf4xf=Pcc3qrEs775%6EsU{V4dbB)7mE_W6ifE-~11Wk%b)Gx&m`uS@ay z$k}$mX0*bBAUgNr6aCtVrJ4ay7Jr%PnkPI%wY^VP118q&obahoj!3HQXLk14kJr+@ z6%Q_$e$b;8Ed>`YD0}kC?lq*Me3<7UPM)Dh3@OD}&!KoZt9al|@0m1|Js>F$!xSXeA5zss{WV|^>bOLRwo55@6E|@E;OxN zZB_%(>_e5=FkC5IbW3LWWqbvGXLdhc=MX%>hZQb{I8GO=VUQX3Nt#|$h#Stk`+okV zZu8DNt+!=N6Uyk(VGxu=gkP~KhxW5l7lcv+jl%Uq?R!;ankQGms;X+!A?y2HxU*iF z;R2t#uF~YfPm(8>gQ*^{l{mdCP0Nw?`92!bRQUmy*Q20!s@6)k%ExWzc}R_HyGZC7 zG$%LL=3`U6@iTjI+Sle$;8-RUZ7#I4Hu8@3eXXualRh{XDIQkPZ>Ws&v)I&q6l`%l zPn?RjS)k7SXHeU{I|K8J*LsLBLk5iXuft@reyX^x1aG~&O162GtW)PZGM!5!^ffB@ zEaF3kwhoy3$cW89MiwP(UyMZ#hzPS zyOJBC^E6RCf_>(BqmNn_6I`-u*iA0aY+g8`Jf`x^e}@@~=NvqEA`bUSF-bq4)CI93 zzKZKA!dJ{4*^CN5)@`^ZZf|>v)l4dns8k3vk@MMx6e*Vg{kBxbQ2*9AFn;<^!L2jUJapLML*Dg<-`&$piC{Ae2Vucu7d za}=_kiHIXJuO)xx$$nItO2cPkV>42~O|9B~4`vc`&GF2vOkd6l-&G!zE%}lU1YJ-| zTaKQ1{+Rl9))N|s`hfjQI${=&wTC5~=H_`ywVic;3|;FUNxyeFpDKD%<>6^$#g#K7 zry#h)4Y`mL&k@NpN8SyFkXMgcXiaHn^h0z=LR{xsZp@lDIDU|IZu)N zu-FXahpUk@^`+sd)mwiGPJ2Kse{ zdoi!&c7mzHZJQTemu%G@gSeet*6j6fSNAp;NRXNrGlOWpa_XGPA|nt(3&i*#3nkT@ znpu~^LphI~x#5w_v2o%oVsjeLP_uhRuauUSqp8LE1>nT}!;*gj7T7uPC}7cGWC5zA zScG-{E<)}={_d_o_xVwHQtstahgsUSiPqQ=(-Zd>dU+t7qSMY}+~h)&s!j1r$o}RV zo$L2YFR6S*DsG}AIIWe?(^Pyq;a#@uev|Tz3HY;Hb`=S}Bodo$b@Ptb4DoA}M?W?x z&D3HB=J4bS`3FBxKRICZF}U6-Yw^s7hB@CKwjtDD|GIQSNXJJ=?e!b+`n}argkD+Y zg+tLT5uH4^((nb1aiT^P7ZK|MaBu(aK@J2sK-Vrb2t^@vO72{_4V-}^uYYz23y;5n zzwGZv{RPLsR~JRqB>$_QMWlc4-%aq2@JX*LZ@Xd#9A8ODv+*hq8+iWd}67hw;4G=6=3Q=}v99`PRlm4hw?_eN{ZN8rm?w?JL5kOYUGyttf;=6tQ~ z;(tDGjhn#T3jkq>-5)?m?RG)ML_>fNFNeUoBsqWOUp$C)A*6nf;PT%Q^q6E?Sillx zZw}esPtO1J|DL4({UqPtC%wMyzB7g;uBIEiPI~SA4`qX+XRm`50BocP3x-t(-0aqK z+)eFvG+~J$(&UlH+*_=6!upcqZ&OoI zYmYB|GYN&YC)g|1KM6c||4_H}N=t5bOAqg9c@l<2L!gF1oNbE<$RYz3Lcel+4zOkK z%D-ZmxH+!^SdKgV_ddT4evw$fc?*}Aw|F!0X201g!@lAoF*@iC@26v@l-Z;E3YRaL zDe9FNYTE9g6-9A)tlvQU2L=v)d`Q=blu-Wi`qdymO^?wrSqI4oraxLT3-taka5eZJ^Pa?w6`Ke*hP<-7d}ICO}72x)Y~u<#`C z43h#p+g-e{Hw)Bhr9vYVi)84egap%H*6Vs<<)JUE%weQ?>8ckKug>@veFqY(Py!?u zF725Y^%_}1%-ua?3^ss%Y9yIZL3p+ak(1a(te-wu`jCrOYn53@4J<#J9Qey?kW%w1 z;Ky%_c$yyrf4zj_#j(qZ1Voye-8fA9jutT&N)48H9SDQEbx5!bSovKbg6s?R8lLt* zKd6q-AacNKoxL0`Pn6 z#ihvdqwwhdIKu2sT3&EBC`EPYGw!kdU15kYM!8^H!3c*Qzc;7FZj&t@6QUtN&dWqS zg|*+;iE^HzpipS5%i%aM>twqTA;U+ za&V9D#$?;wL!mK0o71ziWhRZcjGqOGcZZ(x9Z&Uyg-OZ0brg@+lTu2PGH*9@0B{R6B!!{* zM5DozJm|}QZk`4`d*mlIkJJz-ywt$UBt|Xbh8xcV2V~%VfT97Tb+XtOi6IRHt?jAk z>Ei%1`U>d8izHgZmVq==YU^lT&3|%EQ6oVYN774OPHNFi~S6lL`U+ z0@_WY&TqIx4c2RW&JybHfi~T?fb0RVHbtkV0aE$X^b!;?2Cz+FndfySF`Xg5`~=L^ z&)=Q$!u6-xy}xYltf)~91HuR08uP11zkXrcBbSZ=wu$hvGS1!4uM_VcZpC+NgGR}K z;k|#h)dNdSYz{a*CJGg36O@%+((t3fiNGbeluWsS>q&@G{Am$yM1hdmgP||EcIIir z66bHnu7o7fiFd~X=}@9n*DslFcA*0!CGhw6w;xGW?DC-#Fs1~gGSnf022V1L^-=*v zz(}{ApEc;WyDZ12QzS=IbmI6TlNgZ5qublt1Nt5zg?Gj7$Azj2Z-AD_@Z9j6nM$i3 zxfZwC7(j)1n+wh*l*Dvi9n{DhETui+S~QuxKK5|P!iF*imT zVEY|XM3`+4O{FiIJ?2&8zY8T}47sQw@B|ox1ty$gXq;etGyY#I-w?+uaSK{S=ZTifSTrFF$;Njo!2&-a9o4+o)=>SxAmoX6*&z7 z!xs`a$&-k4B*2jI9hd=kIXCU)w-Jt}v8YGn56XX9=?cD(3pwV+z3W-A+#`-FHCB>M9CXxIK zxUQ8GRUn{N@!DP0pz;76>{74Y^o!KMnXXfE3P`!sTDFQG|=3Z=x+awCtS=*x8Gq1?SLh@;0M z4gie2U=BIf&oj)sk8-E;p$(*kC_*%GiQbx2zo@PRk|uT`d9#}z`h)P<8?Y({T!)DkT=Z9Tb?kmuw=_riF*r5|W}brw1R zX~@(RCXhB#t}mQ&qmdU^26cJJfk7Hv%A0PkNT;=X>n^VY>lCfA+JPQx*w*X7NMU5y zo7J@y==NuHH_jAmY9 z!4@`UX`BuSVMv;Uf{Xy106nVxA_lz3H3nIwu%_&q*AJ_FZ&BeT>Slv18uX6ORR|KV zKT-=ycG|GPew9lOJ2pqxI$C1{Sxg~g77lpXMY4!2_Hl`NM##7iuaGV=Sz6n^y@(fV zL@-{(5kQ@YW5LnRBU~_77*fHd1j}x|CQB?mm)GJ_?#;Gr=Cont;^N}fW`W#DU>Vq$ zs=1#Vkl)3_TkgjS~iOAWpH(4D%(gDGwq$4Hkt%qe@Tl|3+R3<#ch{L>zU2F7*eE6ZUF@koL~S9B?8 zCEnu`H5#X$&J{nz+|&T_>?z&ivfIi*t9K%Da$3R_%%fC+B&MsdD#PmI%}vmEeh>s8 zN=8-8Sa#wCTke9i0qx8UJs4O6?t6yHPsOg4M>Gv&?3R9s`=nV6L)$+wauhi37%90n;WTVAErO5_WQYSE;+K zAQg1AVqjaH?DJSr3ef4LfW#@_=We-_ZvNMYLHg0%3xMR>Yw=?o6(_3kmbTaS13smt z@82n;i-iDRQJc?ty433EhYuzNx30O(hMPUK^5&#(nad>QMr&~ zkd5Qnle7G8H5d30Q7|jJrvNr)iZ}RhNIVc7ziwjV-9*BHG6RR?150MTac%MRRec^d ze_RG){P;mY!;~s$Cb6@tCA`a5LVqo&DU}!o%_C6}ek*412!H{pJF7&WM;{~tN|?Cp z70?BK5iBviT(A@%0FUen+*_W1c6a%mGc2Jmk`POAEakt&l+L4_0PsyhwtG62v{#qw1`Ab59d0<6wJ7HC^GMA9urtEN{t&W_yIA$K?tsDVGH3#RwBBs6;*v!F<|3^R z3P4kdl?{%=IO4Sj3I#|-lkifN#00u9J|Q8Y5kPDWFR3)H=Ky_EFNM0>*swRy?>mPC z1hi3xgGD3>FV6NofLS0AoQlGmPjt3^9c&O{L7j}>^^xcY4<1lLf`0zk-Nn_;9+}MK&sG?#uGos!{}T_exS_bE3Zbm&bC|ti~fIHeRWt=UG(lS zbl1?`gP?Ru4lOl=h=fuSqBMda-JK#x4k(BUh=O!CqI7qMNO#^n-|yb%x%d7j;GA=2 zpS@SS>wVXX)q}$shKdb%1`PS{q;{YOA#@*oimpYr!-}|d2?)cuQ_twF(K%#R(lrAF zUxj2f^u;%IuLq7=I<)-IWrykpPHIxFa!DH*^W_{tj0Va`12}LWu~r??Dg@ZtEcv=u zqW~Wn3IGw8I?DLxi;Q&Uk9WYJ)DlRO=IA%=2D@7r=)HgTYbt>Zoe>_4vfVA9nq!I*VIi05lAh*N68EIr0lkISNfj zhO53s<<)}C6bpjo=&LD*}GuGH~CU7g9xw(tFfhZ zur0jR(7q&kats~~{tZ#LUgIpW{6^PD>4A-S?Yy8R<;~T32R(FZGD?{2Xz1!bidNK~ z%x$HcZHysH+LPc>sTuiSLi^9KhRA@6BMmKW_MW`IIWn&)q*kMZ=|oqfo@_YWA=6gM zKgK^AVljt*y16{vjVV^zoo`aBd_KzlG2ALX0Xc9HDf9Y(m6H>zKSx#x%xX}X=EMPW z41&vccT@ILEziK*rhz&yXQ5RM^d3xAVT;Q1WUg|ar#7hiw1b{>_HwGiih%Z+KUfzU zsU3dU#Rb*EtJt@|Yq+VV>9m*P2I@)~{Yj^@{!k$%pdCh#*v@V>hmCe^qHK9d$bq7* z($Z2Z6EY3#hWcSE+g|DcdV*sj?3dXOa+gvh2ZF880nM{$xfb+b;qE&FJ|SS5M06!) zg=*lF)`v0QH+`mrqU6kr9JDG*gU6l$nBQc37R1^}oUkc6Nf*|s3KW+gIhPzlG55-V zzhdKkp{HKv2#NMn_9S**R@cbl?fIss{1Be~ycfr1^Ol#p3ZISjp2AZZkq{Z>USFx~%7LSm09j3M~6{A9yPBH?ac=nty zf(_gVT1(ToeJbAPaKSQrRxjYrPfK2sFr6ij58`Zr)GY~aF2RV}P=41p&el~}>w6+;l?H(nw#(HNH49$d8L&>2@I?2rD8Oy~c5 zpFH$^j;w4Q2H@4M++^}l;*aa^s9lFe;kRcG+q{G@3fKTCSXAlUQO)@OK@k)MCLk7N z9@0M*G4))QBQPp36>xvJ3K0d3B^%eLvYIHGUY;*HPsp zEx5bebW1(G%w3TR*F(IB(d2RZ`vYJHDdJUJ65tu#7?N(6P?Y5kwUpO?FCI5q_R0xg zq-N>-S+nwnnsb#`g8(4c#_3FG5${M-K@YKixUTEEU~Z;DgHW_n11?@aiy$WvA@uIf z!{{(}HnQ_4++?KSy8D5JMW*(jDgWgt@xa_Ip`FTsKQlhAUj}kgzl$q&pP}IzL9ENCtI2dxC%A! zw+=B<7CBf%AIO|Z!9-cuI1z(55g5bP0uDg?q6-KUa2n7N$J4Bhk|$uG?_H9jI-lb^ zz-@(#@kSVZ;WgL%S*rxzIE`AA3w+lq@UFRtD9$l z(qP>9cs+np+88OOL{IqvDXQh=$-ku!FYW*{+X;{b#o;8|zVx7h0i@w)Lk&Dc61z%! z!{qm8lsvjA>EMt*Pf^YT^J|u{oNC{3au;4~z?`FxK~AV}!O&%7x&B zuSf}cVpL;(V(s69(NVp0@KH=kV(=OW_!QMaq{07$&g)%`7q^yz0AdgrK43$YyF-9u z>?RoaCHw5|M%eW1tho(T9SUb4qo4=|MmOemi06_MM#X0Yo5b#Q0!6R(pk6QyvO_Zf zm}8gSIoW;L+Hg*8Zjc}1&3<`)2ttsi5wGnDA#xs&q1^}FV0pfiH8wU@d+)PDq0rE) z#7Ly-%FT6TKQp`(%#b8-KzZ}VAi_fP0hWNU_!Mw)2UuhF-~YOkfH`1P!`{Pip>Ae; z9bQ!Z$zJa#6U4DY#Yq}tJ-I!2?C~d(u1j0#+4Y?Fc<2pVUjOD?SlnqQl9)j}^4$U0 zCXw%U!3@2acb8zMP)so*fmyZ{z%VY?7oLfcpF&%QhV=39dl10?ENpDhN-2vT7lTnw zppYSOTX7P^X}dY}k=@kg>dci*XmI+2gW=%cf@p{5l=#@A)*$$>2``;4w~pw3fRv}^ zH)a*4xRbPhcu47{WKafwvi0Ku{F7X-ewNH@eH)b{J%HFMW=tpYp?6^%5jt5miM>|! zU*r|euYe$^=xR2x%?&AHRFjSSgk`a2tU0(7LHYA9PJMm7;2X)i2Epk&N*Va?^-#1WDHL|I_2`DD!{?6?EB;veEYSGmV0LgT}7yCj6 z>D6gZMMchWSJD{xRp5YH>MNh`RaG>9S&Yh_+zquF{rr$U6A{q+mJgQ#zc&(@RRPHy zdkVHJ1;_gxO3w2W6I)zPRpG@M^Ab!gbmU@pH3RXz112v5r*p@<9&yFiw~{ z=6Fn4q8*DOK_Q+dA!K2$3)Q_h2q&+Syo>YsP)SLnx^GE z)f6BvBO}93<323P^Zw3TzDM_xT=Qt*e-$#wk||Bx$y1O6V!%$22Y*cP1Z3@~)0j4~ zU+66Js&j)VkbLNz@*pOj!wP!Ah13MlZ?m>lxlYq>cSkLSBCI2Jm~>n^-!K}9?fi6x z-~ir?txWMFWw|WI)!njhvE1+950yTak1bRy98OwGHVy^3>~D|SKeC_`D)26%>4SBx z2+Q`6U*<6>5JHu#$Ri(&o_40qFpV|Elegl4U6Gy@!Y7*dFVXJjiO`J9pi{SnMR z|KH~@{`IJ>>rQNys5nL9!*iQ0H29$a`6piWit@E+2WA7n;{Pu;K6g)&-*4!Ffa-tQ zbr$5=Dcn>spq{gQfj@Wc>g>Tay0*aL*iZ$k7G5hed9eUZ>9!WM&zvBJ5Oi}e7R2Xs z1ztdW=sg9rf4D#9EY2%=_b_64|D2=noWJ|~IJ&Ih3$Wz+??m^=g8^7G&;SO9Z+vJ1 z0ixosw7a`K87#-Az@na0U~oO^`JWmIvyw7MgxOv#uad{>sp%P0M88&@)g0b2^M|y3 z7#@6RMeg)p6w=I!<&lu5vo5k!P|h|(z)UoZ#_-ghr!pi;{D)bGpmaInV* zgXK`*<+au`?=|jw_?xGQDMZGiymL?l1q!TyQ? z@|%c-K&=@oHd#STgP%adYSB8iVMRv>w7V>ZksP4&%AjDe z*WbeIz*bzgsI-We9;ioY&l;ujT!UYn&eOTZU8{Kyi-I2pd}u(xN_P^z%xKSENDsLn zpn!nb=Hxt&vRni1Mk`K~^1@F9;sxQ+`hHqC>%gGFZ{H$bQvSbTn>=4ApwhhG5`BHJ zk|OZ5aiv(NmW81-34a59Vs%`fo6|K6=+mK&v)?Eo@GEe?VMBJIsmSEshNc)!>e~la zu4Xmni`^N4{P^vraPQA4{9P#_R?sGp+E`9RESFa-ll2pdZA-fRE!56S;G|YeHZ~J} z$vET7ohJg_rzXhR`tU<&Av!(q33%!aZ1>o>0mKVwrn;O(#6lV<*e2p}>Ve*yC7jf! z=_FuT@Y%@(P>F@o**@n7&sMQ2|DemFdFa^3N9kHqNp#khBakYbFvt`qk+7MAy9J9A zx;fHrmBvXekb(aEK6_pza?h~H+jT87J+K8`nz6;(SSS&J2-6q7c6!K;By1LiP-Wmz zMyj$FaZ=BY>dfBsrlJ9(=)f^V3+{wN$2$RA=y!B%myQC9ECShZPG75ehz|5Qk;)V? z+{wm!ybbih%fHegkP^T)m9D9)%k{arlG62D>WaXJ$AXo$#Mu^ym_k~@9db+ot5rc0 z>XCfy0!U-!dt(Rwjam5V>=alykrg40O-vfWD8db8Nd01vzUtd$8>kSPBeHAl zN*5>+$Z_#9%@mL)6?Cz1fW-vJeZcX^J&87~6?Il4R9>-;L6MFu69q-9LH3HI4TeX@4(5;@h6xj3UD5)9ud(1E(%D2fFiF zgG`VfTkKj=Byc~`!s(p*RREPVL?rx2+jvpD+khKhLDC_%e{7bFh~G271m}{>^}raPr3YNiz)o+$Bz0|JfS;19ed*g=&y-CkfEXSOwQq) z%d!5f726AQ3&*&R;T56Wx4#^GtxT%5TeXJs)_UY^;uG;XBbx;fEe6>X?J3S+ccV*- z)2Kmh3w~Jb;-_7c)_r$`_>b-7vlkO}8|yl8h(_FA`(d7 zMjfUq9P9wB&}oo;)?x`&1uU7?ZX8h`ua$eSitv1=*LCmr>2P)(=Dc0j+4}nOTkK9pq+;V`^B!;1>6+tfVM9}a{l_CZS z8HQ}@+sjM7;3msf`0(G0mjo{!B&~uw`(fpTDk@(dzzu4S1Pacsr@gMO&MA5IZ>sR* zWMr;r&IeZa{_4ZMiNo%xsS0^|f+V0YwOq0=y;}+i&R&o@dh1_B3Suk+Cbi|vGM_I> zy*vL!FY-zU9=|O|k%3B|2%vZ_`ZcJnj?_B+5?LQ`$&B#@N_Me>nOvk5U-(LU?@>^b z;LCRT4Y^PEg`fS7)U>;2xvVcAoAWOih>;dI<_f$I5AMF75bGqF&#r#8NUx4Op!&n} zofXs=F@UP`R(P|_*AGI3=>muYF&B>SO|78PT&$tN;HB^yl*ZzBCxdgrAEDx<*dwci zB1O3{h|;az?JZFJa>1@76fgue{P{VQV3coRzoE;x(nT!1nmGKn_cz@5E2P(uH>A1J zw4p*O)}-iPHMbb#HG+1&9`K#2`D{jT7E zT|X9x>M##G32PHKhb{t4PBn^xD-v?uPc^K<)}PbQQsGmdkwLdx0qN3Y~+M9>MOHWFsQ56kKh^E;**e`vFe%e%B<-%d&#De>S=| zbqRR{5N%_``)jL?GPS3)zo*68f_n(VJdo4{w$^-FOyb1XJV%rUpX{X{9>983GE+Cz zb9rUI(myUow(pX!)>-i+>hu~V8V{h-D`vL|!#lBH2-f=Nqo2zXSmbv)>!f?!+tuL& z?|#Xbx=hv|5G58Q%LXy5?<{ssf;z%?mSQX%xED%&BY#`}?SsW#w*WQ$d?LhFMR5Q* zK@oX;cd8gA^Lzl2u9v`vUkbYp@rufsa z3?YmRO1%EGy9_KAJj;q!sKosRIHxEzK^T!CqD}M_YQTmV`x!h-RWhoQe0RP+qARq< z>ZP*Qv$c)KpB&9;5_aSe*3+u#B6FB&$NYO29gZW8db&28{#ST0W)h1{RwBYSI%V#t z1(ivBzk|4wo7QAw(Uf+p@WGSR`-R?6Y(naKFEFi^TV_( z-CXPO;%vQFx05?fOiI2aZA-*+pG*oqk6HU1UT8~B-nYE1xo(=Nd(q-H)8L6)Dq>z) zDj_G)Z4N&w4@a28BNw4nVc)(w2kBF3M#Z-MJf0rRFQ`oKtmx@t5y)vEqfpEsHMzgP zc#S*a@B|k-dW~kfWoU%=;{1nN|2LmS`c(d>&|}llaffiAnv>J5)0j1QLP2;TpdE4` zTs-G)hn6egV<-`ZX-BL{25icJl1O?`E|UlZ z`?}BwJZV(uaC`z%}*(P4uJs z^3gh*Fo~N6Po`lr;@c>RXIlS<3y?uU7{&?HWs&VTQn}50@$q|-^>~r{Q?nWu>=fA< zply397tjJWVj}lT`Z$)2P_u5tAQUj+o^@+teVq#Sa-PFas`z9V^gxXL&*S_%Fi6;palJ%E(C)nGRbi^iK_7_et_uUUataZPY00c{39Qj;r``J-dt(YZuIK@H5 zLBl?)1y_`cjt2i&djUx!nmR$r#fppCuo$Pin>pwz(_9%)mKPEtTd4a!%tUNUIiBDp zrfwZ?qt7)3-H;tDVEiZllf^KA^W;BDXr!NifDrUJQsC5nPjm?-WqW-Pd7J`j6$x_Y z1Jfvh-n7Dge-8to-LyRa{1Nz@mUG9ur9ttF;#8Lo4`rXh4`}*$m=gzg3OX84yNJQh z@x(wiPaNSd8;UfO3!p1)GXvSH?+5iHXhBhRUb0H);?86(u6to$OObAF`zid;<@S%? z(ar>J$y8-)p;%_9f>zchL5vACTARnKPZeT@W7Ypt7HIRxO(v^?t#9$Bi2-r+$E zc5}_aN@x4yQlQL>F}f~@i39#K9F@o5{f-BlI86re@=g@CU!NLXjKb^C4m}WqvD!i1 zC<#V?`A~?6#L~%ObnsD82&}}U@i+Hi+UYg=XkdMv4=Q}QwR|>bVbhzgvA`t%j7Yyw zJ!%nC&2p*2b)q5Qon*}C=N-?}rCo7!vZaD@FquMWCw{)*E6w~Xg_{ZWv&0cGHY|=W zZ{uNo{M|+`JO&VD&)Gj{p5jKs?nKMQUk8v!gH2*_^dU*oYmpya*17kut{}vmhu=(? zRAl`+ME-|u#M@`uq5gOsS;dDP*Oi$@Y6U*pf)%%T6;AvOfm)ll{ycDu%@#7bREhx;dFEc|5mF}iDLQE5!Iu7mn zEe*PG{=O?t&F9Pjl7Bk>)v<|u})eYPV^H23>01|Ra1JsbbiYQ}Y)+_tQb6+JPpRCW+ai7Jy* zNyxELP}`;#pi`MPqKF{_#HMbz_6k()+aVWC!w$>(QwL;P$)_peUaO~>R5Y~W@^ z@g099%7h$y&FcM5skL7+SnSU{gBz_lkNha*E#v|W9lC#Y(~Enhl-|b|RJF%jk*T}} zme+3bW_7MqA*v^oLc_<`J|v-@%W2iFf1g&om?w(x%4tsfce7_KN|-tB)b_OI0DP4m z&r}8zukWg-@$pHInf>Ig_+iONWO(zmwa|85r3%pG544S8_=O*nPhz}9Yci>NQn-{T z4mrKa51^iWBW+<3>*U|qAih8Ub;#t_SY6pmQ<^K$MW1NjUl=J#S-O-col_`_Zzz}W z?iT>KlxXx@e(usQCLieEoSw0tDGUB|o+IfOi)lZV_q)RCwasb@(D~o0%(OS9t75PN zI>InjM6u4)^OG!2YCG5zX$ryp17nAjEwPP`e*2%_9!(AOXuvnf+WE%s6{MudQuiIH zzKwp^!E^eH`fF^K@CS-$B{dR@rvuF1uld_nzq}i8OynT>Cv%S^>-y-NQvX(zVk@dh+PHzu?HkYk_V{tH|G9=3!nUyI~7mLYXad(r&$e0YCh(2tE| z%OHoJ!LV~CfI9z0vD=bS)n;k_HAVxD8Ys=Z{%leO{pmCjC1R($JTyu;;p-v*ehd<8 z{G!spH2q4oz{t~eb>w%qXT#koF_kiAzrCYL%I*8rxP0|v(c*@P{qsYfm3~tQrZ1_` zL_rq<#SPPCmTf`#MF_QeN=`}q4P@%7D$x9OF9}iZcS!Qp{3o@17II$hpR4(K+>9y{CH z!+$c9D6f6ZsPwT15jXzh)DkKno9IKJzG0*|S7UOOPq0OGc%Fy%CY2-iMDm=WZe#?< zDwC5xRs#*Hp4dB2>*cYc_MZNrIzL#UdHMxplM)Y|jj>x4X@vS6yd(9VxpaD_T2>U8r7j`rXcOnkVOD_Gv7mR|(Yixflz{Si$cME0deW6M&-e=nb9lx^CjV&#$;}Vz*d$VdsQY3I%uKzPXkO9MJS8Bo?uK zdW6a$Bj`nLPt;S!jPb)P=9_#4zT=~Il?t{GK9nHM@ERj$O}(sl+!Cx~ zVKVKR*`OE4T>BK39;4A_RU9a(;;ip8r zb+6N|BfsbUV`J3J%*;z4%K&2ya2s(pl)eM7n-vbn17PqvQP@w+l7hdhtgx+^?*(2l z;PsuaT=Rk2c^+tMefn{SiD^OZ7cpqCMQIR=u9Y7RbN>!~P2o<&aG$ouedPw!KrU4X zs7LMJaX$$QCZoHPWZzXcskVJK7WEa1rn%nL;(sV_XpjS>$wC&GPP2_s z);tLoA5W#RcJP|tl|B7t^;>v*qJl=?X#*Ku^e-M~<$KaqPSeKiH)lN@Sq)^2H8>%m zR=X{;wD+x`Q(jdn3m4h!l-7~0=u@(K=Up3e9fc=H7pvkZ1A6M9)KPh{3gbqz-)^tu zIK_0MA3Oc{_F~a3tHxJ#o5JShDC3u^Qq@N2x!{BY9?&P7{a^ZIF_V!OK@WqzB=Q6> z1ATIgGb<2Uj9fehOmzATekZ`x?GU6jC9CjBDpVvky3e?qUGAyhbM5NtitqL6RVS$V z0D>yllb?>`rE!46XbtjP`{6?3sh=-n03)PrdfK#Gp-?MhZ)=pVFH4FNAkK}{SLFYLc*X)oG%$b>)z3WS_z8qNw z5NpL99LwKcag<)pUJo|uzSK$=RBSh|cCnnP^V049Q|-De=(eI>A8^YI*e#YQ!3Cu+ zHYno;ORnJf?Jm&#%f(_^PjT?I0%@v%0S1YAR!6)Z$#pHtA!LnKs2jUtjP3Pz*wU^q z$#!d2m`J&Q1`F71A;74$2XBkt-Oi82DM2A=2rk%OdTLJhzj7Ma#_MP=URIbStSUDk zr#`_nu+>7u6pF*oy?8~x7so7Onj?q5Q|HL|@h@GTT;G4?G{rZjQ>{hI_OoxcT3F#q zE;;bXbBpvZcZmz|a}!>UaZ2}fEe?&Eo`xbSUv9r~CS{cJH`e+k+`g?y9c_gOJaex8SC$-Tk}usOp78iW?mCW(xinw$FZ?#y>W<{jpt3;`#WNaL*pq{568uT)rojz3nHC^rr4@S)tM%HwSNbt`IOa`TI5CF^ zDQpMOd|mez6xm?e(w?o+RD8+;Be(vmy;Nw96QIJNsemd*O4om%{Ytxb>)+kV->q^S z*Qs9+wI6`6$osbgdajWFl{cCov9`9BPfP*-gXA2-{HR#@fSTa_oMEvo-I2#e2%F#L z4+_?^D+eORLEUb}jO1r}O*$Mz091Rt!>pbpgPnzQL{`T=IKuY+&MM6}jQM~og&Udk zj#ft#my#z|6wxt{?nQRYS%+(rAr$Lm0O65qO!W%yGDzC!SkS2*tGocF5i@?ELObPL zJ#iiNosRk;ztFQQd3NhZ`47mCHdZ1P{lcSd%jT=OU%mD@OndeE0ropKYh=TFsyAc& z*CogS@$Yy4Wkx#~jD$B55{5NKF?^DxCcq5RwfIpV&K?9gf2EC=n%JHX09^7qO&1|r z5R1ez%hID+RRTvxr=S4Lu9?Pf{M`m${KW(-Rz9dJPgFVQ0-G!>DJ|VPI{I*i<{k2A zXO;nAgj52efEAQ}U&3kw&ET4;abMnAwMFDyodP@;7HncsiiIyWyB~V3Sw$X8>WD=j8rF8Wea?O6hK;4|WhOG2gBIeLz9= z%Ji8>`NOyE`H`H|zv4)tiHO?4 z`EIYpz9Z`S925|}&-PI1V}^h}-uGTi^D6d3Sfg&(lY`C6ig$9OYQrB!ni>H)tvdcY zm(VQB^<_>@j@1^d5-?Z+$&Gu=bz<7UjfmZ}g^r+2E(>rnSDlGUejsVv;LitesiWtW zrf8~JJl~IYmiu)fOLWAD?QeXdZV3WFnosI5w0W}Po^t>zTU^Mb0MkM^sRPul%7rXP z_h+XlB457ak!F4Sq!FaNUtd;!Z_25P6PqC`N78~Quc8lO$I^3OMXv}-=mr;& z=Bm_0?8y6_iB5SqhZOiGEcIsvM2DT}GRu%p*UUB@LrUrD1ty0kSC;*pmKERt4on;ig zT<^_b7&f!ZGs_@oiVZIuAB@A87PnkEvrOL+XNdbN5$9@S{Uzb2MJX5|8~;x>WZKIa zWR#ZG7rPH_erI79gvY8hm=NcWXcW1YnKVILB2o|g`E_6G4+y+LAl}v?IXm;W|I(B$ zuZ?B`CMveu+V7}}&0#isUoy9~o}h7o`MmO%9E|e;P+on`uG!4fP-TK z-`D?;uq04z%#=}%`IIWn1;5?{;>3F2OJ>k=s%3tay>!qMcycklQe9ju`=_cG%Y0EC zOiUv^4+VqT*%dDBhA@;{c;sww>f`Tn4(_$dY_wxB6ROcnPz17peX1IlP$(j9iqwXaJRTk8V3Y6Kl$ z#s%~m6sgQ)T+JB~S|2qsFP6SW-l1~fsEf?s^z^vP#Q*54x~nU@7jB)75P^!>v3Bl# zs>dRBO82Kp_Ku$>h~NFkzFZ&z|9QTH$eHmFB^&tZ=s5VNx~JeVoap>l526LJU$^dj z*!$axr*Oo3A^z%zG-Zpn!QgJ|_=u2y2Y}Lr4Mb>rNIy@y`o$n?v4mK+J=9@gz zoTzeQIhWNgGYH_H@~i^hrv2el!b|RSsY%T9L#oJw57|u~B!8~!Vv3O!_uQ?UaTxEv z#wv)2rzv{o9^M+*lnzh=SaiE_>dWRXq@DH;c_JWuG*?^P~~_Xi`I%~cJcRrew`)Y%NUW4D03OMItbab9; z$U6`5_+pzYKeZfA;_fi3=It#xSML`WODAmkbb;-|El0z4E=R%is>VsXlmd95^uSFr zd-f>o-;=on7BQP1*}iuup%t_HZ!+51rv<@M;0fN%0T7n3&;6s0pXNd7;$2LN_v052 zi*zT-?HFE|s__)4Ix9mN77;8o0o&97Da9G_W6vXgT&1l_HA?6 z&B#rdZgfx~CK5%dQ>c#1bvNZ_{UtQ8wCUcpMBydTtsxfzD;_{s%WJEvT%ErM2loR& z-AK;X*4ApKwYAkm;PH1(w;7OiS?2&sppX;zV{TtxpS17m*Rwl7_ZR;`BZb0I$O*8} zcVryLzQUK+(1b20aDiDFS=oYEQ>}fZ)}KFrUIW>g6c<1Li`bf)*Qu_D2M4t~3kw4s zeSKQ7nc&+e6crUcucr*6M{`cJ1Kng(Iq6%Z)vc6ImgcwuL2Yt%nH{KFA&+sMD#k49`}QIXwB^)VoY)dFQj4ETuy7dK)FEE6FhnvHbD*{r?u{>03~ z!{ei>9~u#{PD)BDzwqy0Lt9Tzv68p9_e*#8!xqr1zzzV>CQ~yrSC@dwDR6srKJ2!? z)FC=&mL6D4(G8EnjuO|vzFr)Tsr075y1Ht09Q_wK#SxkyPQ2Om@kXwFZ^5VZ)$1^o?rpUN6`w( z=Odr~<5_+}VkjyqcIU|6w}UT9)Vt29AS`Wd#qa$gJcj}zYtY`_9)97G=7TOygF;jS z@cK|i>CI#Az^@P}hM|$QYLiU@27g-PDWv)7P)s9cplPz;fTn{|<>kie2`|KX)0b1Y zLM?rZm8sXnCYfXwrKzJ{^lI)cXP7W7H4gcf90JcoOwV8M$Q8VqxDV2MX^{L|&5VRv zHG%DvQdG3AZD+Us6)aiM+}s@4;2Rt8&fmX&X~t$26f9$c_tylppd_F;J!}cu8si~<6IRV0d zMk234p%zGL@|Ds)%~8q++*APWxlo)0V0v$19jIF=c1?b6XYU(9*$)NK(7bc8TfeRH z;_x_P{I`)2-izsK6EuB`haUTc45b}wa^t#^F?yzXC@74e@xoMu*gch4MI`TU{v zn|Z&}S>sv{UbN^Ipjl{v>qLbE<(XrgRUUZbXV<6mLeEFwhF^`zK?*2-sQLCz*v<82 z<}Z-X(a2vPQ3Az{C6)@n#e}Td@sMvk{*Dm~G+lkqcsF!^on$Dc1{ zjr8(Ydm-c!eiuiIr#rK*8v|@0Uj!2vf3@XFu_tz5v1=g7#2O$@iY;fe(GZfU0giBy zL6HR_YEs*DZOXqWW9&fZQ5?twi3L$$5u~ERszb_&F)$25G0hD9RkF^Oi1Bzbr{BS< z(^0ZhNR~DRa%CY4+dkSPx?TQ$rbjTl>L-^wDe*2(@RFK^#rfp-`k@~U3rlW=vyhOG z?L4T1a!&T_fV z=fJ3$oHKx_1?63(Zpzv(Uc9IQA6CJ~$Cn4vmhByYF7W)D29k#-=Roa?3GR?r=!x>R z@mSl|STNz^|NPi;U;m^&uFtg66p4nXbmgx_YhV3~CY8S;>xiamJKJ9t@;!NBoqAYu z3$ji@`vKOYjX}%=*^~5)U;Pdf^S-+c8acRgEkGhv{^s0`0}j-fQ4Yg}84QO9mACsO zWda)Fts zV9E4I`s*FrL!Ptn(&Bj;`lhS?w72?_R|%Sjn2AgzM6B?>Mm;28`||hzX~=vnHg;1L z&_*ok>FL2@Z0B#z*K^&#zp)QjdPMHsxw91<8jAJ9d4GRD%R0P&oq>sps&a%2E(gw= zzYTE6Jtw~dWczZ})zxX~!I^n64>zHppeW52v<#k<2!E=grl#AMecvm)+`7xHNes-} zywMDlPw6X%zYN1Z{-gf_A;=LvM^qKtg^<7J3zbo3`-f1sK43t zP;kIEp6#8#*%&X&mAWUUxZh5xYq2qa;^r&{z#*+j`0h|(YGZ%@OmO?-+S@BAHUX`3 zJGf`x`|2FRd)3X}`T+j5!P0KG}|MBpsK1Sgu2bqKXhZ|-BA988v1Wq0t1mI4Z zmNbVGubo<2ir;>H7yN|CPH!Lv8%Jw z=z+Sr_Z{$Shxr$gLqTU}-v8}oO+aUNCP}Q$?z3*aiUJr;wv=USXt`W&*(>mucL(W4 zB_^OU#nayfUdc1y?+v7-r7wPOY-~v1K)GnC-}6DqmGf$;sI|xzV$!PEH|At#pFa-{ zUQ`AQ{SFWa#JS|*hMZFqanS>L9JAk%-r+R>=d6Km;!X$(K^dfQYqtXN!bXh>VCC<( z5(=dE!%fcoNPHBbe)0e$>WQ~Yf0%a;fM4(Z4w~Om8D6f7VKndS<8WEDUMQ$KhsnTl zn6b4fg7|sJHo^Glr56w)#?^6b2oaV`T*+FyOM2If9PGCDaOSCeY^3D>;Q~N6APa(! zMyX7j1{e(YkE`gF+El2Mk7zhXHEuH(g!ZPjy-mREZDtm3OYw;^#sN+sHY6R(Y(D&< znEGNhe?TIl1`?o1PDwc|1UBvV+1c66$zLc~BTQgy7Fn2>{FZ^0UAucZN3G5$o(Sftj$;4E1dxhLt!_ikLSo?wQCv`ejNUY2Ls|nvC8~+xdp! zUXBO_PWxiqr7_(<}28=U6<@ z{RKiy$wX&T`8jjfp-B0AXdr$AjDrCq7I!a$ijM`uW!(_@VNd=S!Bs#jcffrvorH;@ zA8&qBZd5Z)`;Dz1a!pr#`t+&j=HhP|m0iwjZfvtC@G}c2ug`gd-UtzXa`O^kOMdnT zuYMQs)^{s_bqJSYl6-w&V{K&ke7tm4g-0h#eX0sXFF!Y@t9E(UtAWz>1}tszKhrmF zu2ggTCFH;x`cYk7Jq|75VPmsIzIjtWDUsXnReaaM*9n0Lo~#1fxfNLNo|Atg#Rg2= zI$7z~r+3}_!?tuplA7C$jQ38t10EfCIVh9jM@P>2&(`CGQU$3~z$~$!#Qe|L4|Ph6 zw6nsl;E#2@{OJZ%r6K39`7Cpv+tAe*Y6DF0^+p$$fmUCB3#9fmOM zFGpd&@)9>JeR0dN?zu0EqDKU?c7Y+q-Q}iV7$`Bw$$}Vl17ADqjK54{&i^KO{p7p7 zBqErt^6K`jRsMa5(akWJF9ZIQra~}#ms5$87JBM1dpP893eImV+U5}dZX{8d5`IP) zRe$on2~$#@vb0PS{TK>q=)34&)mG#E_ahDk+#yWGoR44CW}!yc>+|GKEXiMnjy9xF zzsDKkzWfirz=HO8SQW`{d_Pb{g9`-WVW|ajHEotxj}j0XO%SfC_bBb-2DWn((f{|I zL%>X+m4)A^KV`trXAtuO@@8W~?b4^#P+sri{yW#dHO zjv8E$16qBZiAO99OChwaG z!6jX4!DVTmw9Ac?nDcJSx&qBOS~(JAg8xld6@Wl0UDj9p5BP`;jsNMa*Z$REe`Za; z+$FzBl~eZip>xwUb%NXl{N`+#)DYNN>#q2)CZ@jSnlaEA!3rFJ>eV#UJ}K{i%(6ZU zF#?Uvdy8#~Or5))|9V?FqLx8ug#ZQ1{q@{{dkvOK0WylNcaG0&$Y;D5G=`_;7S z-b2Mj{LpM=auJ|)8AvQ5%gftyYqC*yHOyDWANlgAA1@j-B422{+!1MA0o^ea-`;tc zoG#_~Ada$Q%G_%<%%t*p#`RMWJ#*{kFdqG&A;SDkgn<^bN!8mq!9-o}&*t zt8c(Y+3yqS2Lqp(gZtOpZf{QIvm{+xX|J-DiEc6vH$3wc88_&6W~F_OKE0m4J@_Sn zUeO!iCE*}3KiQpkp8ISdD7l=XD<_oOpPpo_l4up^UhPj(8snJX(l6vV#{cGg^&PEr z>TMS%2|+3_pX}V+omZJSQpCOZLDz$7 zEL@Z@u;B}YwgnoF^sj)t*M8y~N@^acmCy-+^~Nx~=uv1aXatnIy~vetb$(a?T6Tov zpK?@Qetfh9o>yXgd4ZWx+5-=)uJBSjc`(cfM8Op`G-X*cF$}^sk>nDfu1k6`8PlDM zoUH%`#Fnypgdiru+`LNH=7ilt7Cl$1TL-t0=7=$Z>?C)4ju1~-&U6L|WkYAap(E%Sc6 zBC1VFhju*MYtCWK?5rM-KTS}Lqo-pg8eHIlzqYWSpGesJfnoZKS0ed3SDW?=qE%1a9 ziTvO}yk64ep4gNJe^i?Fnon1;#c}__Nm0ma$Lz3%1AaD^n}fNg<-#cG(i|!w1-@LM zRWMGKi1e#%`!&ftl86!*}3 zhAe0Wy=mZZdk8q)=U{h$DzKRI!fy34iFM>K>qpDqi3|aXEfVLCp89!4UoLvXudu`1 ziJ#2NUSVSs&w+HRz_3_<;)h)VK7&cQmC6vC=$~^br9??9YwO>PjVfL^*qx{I0nRr) zuYrWBJx?(tS+1zuZ>MJcy|t8msDTX9SWqIw8nAfnrz(ocDeHOYSB}IbgCje|!f+3n z-GF@F!zo%MItwi;~+{Iarwvm*wEJxmg0?YX^_k@|FN3g=)U3wle%6NYxwZGY~%z%%;SvmwDRny zkDhhF6si~|&2AHHI+ZpS>3wu$6$plT>5koDN2CQHH_epjZ@(~L6g&z;1V4OxHkOTg zaAdW2SE|hy&TJpqcsypxjg#wKcTSxXE)n;fXQX@acRv{95SLoI*d%ZR!to#}2+)*@ zw=ROW%H6dLT$T7aHXt#JqGV;_!=>6P&%$$FGksN6)`iBsE`592QC2f&>f9j4`!(iC z2xu6_uuITnOG`1oa_GEfHgMT`IP_)F(B$B$7b_|DIx1+Yhp*JRPidwO;nKdUmHQ3oKkX zm?Rj|b9j^r+G@pJ(gTxTC?8{z25gQE`6oMB>f0Z!OCiWPIpWHxl3jvTuJ5ZgG+HJ& z@=Eqx!)zE|-Dd|ZATO-WNI5bwu59I(Z{;x|TDUGuOh*uZSEjD;2swGdH`Coit?N)p zg24SDN@%kqB(QvN72}Pyyj?Q9jUoN4|G9`+ktsaqS;C^}*gS?PbT4AQ=A1f#X-*AF z%d$}WHMy-8{unABmvWMeS`YT@?az z3q;HK>;@o%dkr!dA&_fa^SejypZ)RFSGI7akAz;q1Lb(e9^=j@ii#28>#$Fe;C9V zPRb;49&2KPw+l7vIU>%tk6)!Rr-K-reiu6a%X5g;_7i!W7jr+s1IDjr9TX*Y*`8@a zshcQ^KbVIsz>n$a>PCp9Q!bXm-X`beRikK8k3yM=)R2Nr!8md%QjFvMqT7$d~!}$-iIZN4$XTp8RA2}R3H_QiITxq_<=bP zxX;F9KC6qD!}{xZOj@gsP8CRwd-l7Jag%&u>zC5liu*)-YnU4t3l!t!T13Bb7al-< zZP%V}f46yN2XVwm{V_g|weYGi3FngkuM}~bv3Fm;zG7029BeU2_X{2_^!W=KlDa%G z^eKj57|mP6chG={wm;CFI~x)H-cHdKC3c}X#o>e_I79zO_X3|l2bI(>ad`CP12-H8 zDrqkZ`x6{J@x672z~a2*bcq8}&yB6%1bKt0p^KqL2{D^)(k`axz_u>(GATU_=99%e<}k`C}Bs^14@gL3^_j-AU-M=Q)G?TCkU7fDO5f7n8a#BiWq7{ ztNk_)ui*E9{*WpN)nCqdq=F+fL6PVBfWx(viaN?^+k=Gec@RdS1>Rlg03jrWc2g`r zNN$k+)QJ>(eoW*j(o*@|Yckl6$J(>~UtDUlJqZa2vcn)w6}SV|h_V)rQpy+4p1tNX z*=V@^;{&@YYw^_tGqT;Uv9bTI-d_sM!4tNUed7bCtzC`n6({1?-uLv;89oomQHiiC z&g;(i9eak}2I!qIgTHsTeAx4n%5emTNp7i8gYLN^KEWDhYNhjm!-sj>2D~Hc0or-O z1ue+ym-ZCI0c%KP;MGd)5JTx6+&{C1@W_f&KrQ27c!L_&SCfa^3Sx{2UTzA_2i)<* zkk7`7iq2Raa1~u2Z0rVhn349i&Job_jCK0wGE)+iNkfK4xSsSoRNp=)*jk5cOB6_+ zh*}OSqFpsQTV%&*d|UXm-HYgAl)DWA~lK%N`p$5 zbPt1ci6S92sDw&4NDir_poDY?C@n2@AN>0LU48HS?|aw1tXV7;GxMBt_St90XU92~ z7!j2LC&zd>Uk3+U4$DWILFL0_=OZ%Up}8Nqnqb!O$WNCu3?}0>_DQK85^QlZtR;*b zOB^_pzyolUoO~%yI8+hx-R{l=@(ipH`!Z=(*L;Q_icZBK5Oo=eT{3>{5YjURFcg0E zvNo8?h-pIdLMNhft#0+b=F>8l)L@G&9;3c+^%vPdI86nu#utMB)cYVOS>#xm4BSqa z^ma-MFKWBuGTu79FT;vqn0DF2NMV;RQCOt;mMGI$BR|7bS;P=2$2Dz~FsWmL_W0s3 z7a)v?IAGg;nuSF2>Cz0o!V`j<K4Icf8h75G$VF+wL)Nox+4FkYEUy}J{NFz?2)~X-nhny zQR6%4vt0Gxl;$6U!*}zYYp><1i6_^9Jtf3=Oh==FzG_Jue1DdGZIu4Zq0G7W-FvYF zw%r)qvtaN&(REZ7_icZ*+w6`};#2>f&-&WB;Yz_Bt_Ai69S`%W#vewdwA+>Ovuk#c zvnz~mznb2w^*F97#!EeYCS*Ff?PezZd62B|S@ykAK3ta>zoAK7hZK*u-aAu|sRtUS zh0pE>jBcg|^PulUN_eh~hYsUW$UU|v7R>4*pA#JG%5euhR`G1FPmK9=t zEe&$8bVL*DZ3AJdWZZ1UCr6#oyJnXeZHTff34hADLw$7gtPruHmwqfFK?Svm>K}Pv z3N5l6E;P=uYOyQI{&_f<_9T@5kkgCNKDph5#J+lg2=o@g6%n|IIgcu0fH9Khh@kFG!%I~sq5Kg*+0H#(Eg=Z02?^dHJaip2YO;=FJJY)#E zd)uHGfedM@OIXtleGXIg@Y>x;dk|*)bDgQ|Cd$Zj!kt)5n4gz`lmQKPue1Q0FXWW4 z%3dFSbE}J?SZu9NYL0YJDt02n#t5`h7jwqMQrkd4cTg!td(?WvHCA-rsrTh@5P=KU zuDYZ+o@FYa@#sgF1_ncLA+`9K;2mnPPm`q6XMTpX&G&qn$$eJcSbAzTQfKnvb<&I^ zviT7~p~qOP693(Dq=m&u2Z7qB{*8ql0HqvK9Xs1x>s^^G(7tsHczzm1iG zX00h`VK*z^7VF`6us`HrzKaun`e0W@C_N;FvWF588eW{mXm?2O8sfiF{@Ej~m|?Lt z&2YGVMpW=oOe2)6yK41)*sJPZGUX^C7JWz3|;^B2?&f zPQ;{sMWF6@&ED_uxQbyYE+$FT%1FNiLDyKuLP&lT)FE5Z%tyl5kXacYABy^N8~bt` zHn5c@vv{x)rQ6S$lj05OikEa!7k$=k825|FdtcJHrW42xW6?GK{W2)kQ-m2Dz}|M zEM1#&O^#PoSN27Y@TZy!`31{^eNekI71_a1WHSg(*+%!V%6cUC_JYQ_8ehycrW`Os z7QCa(rfDnYI9bGUVeGClOGixZ;0}$G4-*pP8v21lxGsR zz2_x-C2CJqL=B=6N0K7FSLZaP(1OOq2Jh(*=;dCzDe3~N1sP}in7aQX=VJ}ndl~k8OHL)EIgDSBHpxT|hW7t>j0h;q}e(df@5( z^ybIh9%2irJiACU_p~<<1NsV)Rjo*On5vHqwO%#KU_*gl@X2IAb_ePu*81Z%)u%x0 zOrYb;x@F+pd;|>=g*6+nYF1-|9gtEhZ5kFV<*Y7`DQ&Bdf3KMHl^}^S%_@ z$k%TBz`;C0l|zGu!K+i950y*InxRI1n{B-6=*!LT<*^*s=90}ta%m9Y36^MgZty#Z zF6n#xvMuUqlBWku_1duWcAA9*hN6tJeIhS zMQnrr8q#Y#xa1vz?`V!FGJ5H%7D*5ebINhUz+NLR%R@$aCg7c6&SecbszJ6nQ`V?k zT|?&U4fRVWN1`LAV*!@k+p8jgyzxqVLQz)ve}=X`U*U2BvUzzyRv3f!=W6np;&RpIb~ZexA!4fzf^N~frLCWnnf7YEiCLCX_S8qGvt+D?Hk8F|n!Yzi%*8&Z z6?wJpe6!H2BM^qKn5+Nt%kiy^)zD0(cqNJudgaZTCm~B8_wM*rT0c8rbZsA6H7xe+ z6Uw_?p;qfD(*?pL(_4Ltr;3;t_M@c>WJj!?b#GQXbick`;h$CBIQJEgq$DTxBUKDFI=xz45I~@oa9SwSA`V zTFrt1InxY+0zuc^Gkw-({JDgKZ7Xa&f5cEnAzp(@do5|1?Y}}P?gSwtdsBRL5$F2Ap6k!+XkruA zJbRvt=a;%%nouN@2?Cv)JmN=h4uywT6H1K;ryUHlc>9mX*Z7b(mIb@vGSTd2VP@@g z!uAn8bp}*cvS^XrDZ%t_Ji9P6E>ZG~;0!`fT9y+b9jeQ^1aG&cFq|)CsJA>{ z4zf7?1g4TbC_L>Ga^!cs{=#roUS>~Xa_x}mb5lzXTU&4p+a;$fmS3uHi&3}d zMi(>MS)aXmp`5O^B#$L*m@H?Tklnl7_M@tKxI~=kvx5aLD=eBR9N+1}rNuXc<#b=# z%GJ{kziXgg+0d7DC}&ZFfl$fGfD4uR2XtkV84*eCjc9LC`so49i@{ux2Wbi)rRfCd z%J7MW?bew0H(pX~d>7EW{%%v=dV-UHY+0gRcD=7H%2M58)Hib`4li(e=$%t*Y!P)! zou1D^`i6iN{e#|&AWypPHs+^y(isd6KQooD4-6goZH(@LvMuTUNK|l%%N9X*#)%G! zE%HR=aC$l`m_cNt?Xf(}oC^u|9(|Swl)5}OjB1=r}~{CZk;uE={*4o)y@FL zrB=?zA7Ph2`zL1*o;dYRTPJqjTY<uhQt;TyB9@2naj`fSz@ zg?v1|1!o4Fd<+kV)Q3%<@QQCb52_cRR+(xqsUFBWH4PkOCZirVo}6@fNl4WyPT|wj zzk})ilzEVcwH{v35ZuQcPl@4zlvb~i#Sblhy3^PgHoIi19wXA=&>`85&iwh4TkuW; z!{989DePUn{j)by7>yz=)o(Y3XG{3lnveH}M6v?5<>ud~64tzMH9svnM7{R$_N$u7 zy@#1~>+@^-k>7f_4tDBwo-J#b7Nse@LV@#Mq-_^nr4jJ@k*r$vpS}QAj$1?8oeo<{ zQm2#O_p)^NP98KoRk^-jhYOGVSylXzwd$4#hu&Iqe-3UjJ1jew79&$tTIT^3~2TR zMiM4o$llbQ!HvV1I*piJA;^13PJ^JO-7zOg&M-BZEv9|Ckgw(kyP3CMECr=VxxCP* z%vm%8<45g-AM3nbX(rp|?kK-MDqWdm75weDg_;>iA^8~t}w&prCZq%&8K z*guI3+02V3ER6ztvqH!^4>}JW)lDS|d}crC;6!L+N2|4!TbcMtdcJ0FBP050wJ~GU zTi^uN#BxPK-SR#KZ&BDQuFa)bJ?ifVwmCMwHshZPjM*z}i!~n3POrN#@jF^ZV=UH| z*JmQTz&_cjlGw@M3YU0+hC{G*C$4ERboQrR7e|hYK%Mkghw^RtaFLddtYP%p(qMsN z#`j(BN$)xTqmzzx2C*0H4HGpjM^m-SpnX;DZC4&xrxyy3j23$|0MjSr;d*?X4eoiv zqruM#i_@;MXmV9St-P>ML;2O5Xx53X(7HP8iGrSst5j}(jrG>meBz$N*_RcanT^1t ze;`{1mo4Ds3&Lah)y4gNL0p!ylTh`AjV}u>=`tB|RtN@}&J( z9f_ZBWbt{ zzhTVk<&x}pPaW~fs5<#!Rx3Mb){;WEWaMFRaS`hUC-kZ)7Q?XeV>2Fk0ob*w*N;_eQxw#h>8`cV}>+)Gc@mrP(4M zyL0QrWi5!$M__Owk-IBn!A$P!tvS!epbEve)(Re3$+)%sj9K0=8V+bro$=jvIjUY( zmm7QiZu6>ehW`lq`a;1*S)aSwrbQbMvUDdd@O#vmX`CjHA`dzIfI#HmU0@gi)BpNk zHU#^oZq(LnS#h0YzvrdTyH*g1-Ry;H`c(=HBTw0tfe)2|=Q(s7GxQ)>NF+&y>_W*)Q75(hmA}^>bJi+n=X-c_-pM3Y+yZSEq)y>4<`h!qI%B`ijky-~)3z_ovWAWwWVltllzQ-w^Q zFRxjX;J87`W%DuN3p^*VO>bf>6)r=MsG)Ru+K#y|Dp@e@_-4tkCV(vC`%v>d?<8th zZCtM)Q3P$m@Z-sAc(ww<#8bhyN3+lMITZ%8xFniKKbb6ww+ss0gqAJ0IC6uU1(Gzq zB^EuOoe+JsY4EafFW>feIg4#M7fdZb>@!NeGs{9`9w^C*%w}^WONmb=q~EuGCJH_7 zcKA|C1-edlKQ1yX%vXG%>3i?TZL)k!G1bBzcw&yD<{!EPaBzjfRMk+Qq|cz^GxWHd z_}-%|x`nFboUiv^aU|s6FJbS&w$mQ;5pr?`#$tN2Ix{-UZGRJ^GXQok4}Y=@lq{uF zdQ<@dL#|8#zO(mL84p~!m1jb#7tYde&QfIPC?99>D#zo;8TTiBa%B=LEtUdtbiqpH zsI#!;S>&>x`s@=_U-$$qdkYuEETtao-r+`GO06#B`-L2zgWge6Is=>Nh9=f(w^_L%5eUe|^F_vp8D%UB+PaO!BBzJhsz*wl?F}G{6`G1j1-bjkvQh zg72>(pR3G85{1W[(x6a8Kj(S={1$nwWsT3GSX5e>C`kg1B{EQ?t7`4_{+2Uo3u zy4P$;zs<9gMi3(?Nd6d06y?y*`7agAe|_T7E^$|K*|KyGLu`sa9dTqgZ{hM;!q7hi z!Dc1mC-u-J*-Mtz_}GNJ*ZDfX=++!5o#$`ZBFvG#+0~hs$#pFJ;AnCw`uE7cFm&l) zK(&75>&@L8=!fksh3|e7@D~|7y}%S9w&ZIlFZ3(^Kfgq!p@hM;RBHae|Hk7G*ayhS zFTVBAPK`vO=9;nnAy|FXjsw1ove`WVOolIdq=IVHi;$acK& zz8CTz?{h_=VIg71iP#N5L+{^BAtCmon0^SH;%!i%rvNQ{(7_+RQ(c%}z3m2;QCMfv z(hrMsJvsZLL(+fw;x?q8RY_r(33<_ai3QKukvD%;12Bddkxe`K%KK>6LiXEF-qp~` zs1_`FlQhKuy#z{qICda_z}bpvc#K(z77!ossw1ZfDyMvm-B8lT;PAM$|4H_u3=-sS zD$eZ#5XE-bWNfv8V@sCL1Kbzzh8aR7ispUZ2!xJHfQ#=+^{e2Qjlbdwx^4am7>Cg{=2ifM@I}ovoNlYp5z+moF z0#M1{3(9zOd+2b+2!r9I2iVcFE1QlKZQetAn@F_PaUJD1TEu5aof9ZCsL7~0wa(be z`Y-MQv)dVVKjA5v05L!v`7{Sm7Hp(1&#Z8ZN=X?IfFzVeOd^;O7r7wzTbe#OSSiRf zH`)$xt0bP)>7-Fr@fMKs7%gJey$mLvkpYQNYrN^zbL+PTRnKvOs>=(DRGxu6$@!1? zps8kSIxhgML7NoCifu-8;T8@EggB(UqT>j_BG9YA#j+_d@@x|1QMe_8v4En5AfNDs zzdTdfBt{1S3eXK|fcHtGS)A@$Y&E>e0tf~+YMD46)1L7a>hIkqC1L@DdwtGVrx^mm zo8E%x8Ma|{(8*E?YMLQ}`*0g*M83?T73^gR=%Ydi4qwwHI2FzfHlYbMUoAEvV=^Uu zZ^4rT|3-;GNU|Gn%n;GURpr@mKF&HDYC7RB#?m4dCidY)3juOp&0~UK_#rUnw(D2> z%QjwIP+#8ltH#F{YT@3z3^3v4;Z0v&zA$4|egP@GM10W8>q_`E!5G@~u5vw8KWlzw zNL&>*aOI2-B>v(9Tyj%N+(<`!;qKkq5xjHlyLHYwUxkp#$vwik z1GoE&;e))x?ssN)5a=LfI6TxtBq7Qq>AHEhk!BRj+5Yd|{flkwmC#>}*n$2p3wQ4Y z^Y9tYPE z5dZ3e-=gucHgWM4!H~8p zz-RQk=8UtzN_Ee};uYiO9h-2aYA}a%qgWJN_&J+@GA=>&;R@AqTeFMtl!&xk56@?i zgf3A`+XKdk*#ufctR2Cbl*JSNYX=?z5Q(Ul#b%8W@s%&dTVgI*A_zAG(R8;*iibl& ziS7}ek=8@wFVeDHLD#bx;J=Bu&?hrm6m~^z@_Z4k-6^V-6w(ws1@f)&*%=w(|9hZw zK?0ESlAeuZOA*2*KS1%-mPr&~h9?hCyae!mnP2w*CRapGAC!L%BwSGKU$Rs>O^Ma8 zc1Hp5h4{hE#L+Pl@v_<$Sld(wS%MA^*30#t|b3 zoY~N2K)--;kPBrK8z5FKcI8~|uYD-{Yaf28&?~>*SpA=QLn)SL8jlih8iw`*YVr2_ zZ>^QbFZVV=oMV=!HY;zQ?|QXR@hor z#M_?}>lnu0&|&IZ4`g^+I{J3DP%I;EqC}D8I{)YxM9xvxCD+Bf6M5V3!Fi|`Zvn|i z7jrNb7}w(QC!0z?Q4#^7?7csojt0Q>9NypD)x~<5%~d_yU7NsgQlQx#7(X9EHbkxJ z%u{Rp-I#1CzAWc-Ecwwkfw?=^k_Pq}lx{Ur+{uo}HWl@KrHb-0wo@aDRLaNPZ{3jq z4Hr5?gFa9M7R&!ZNu^kB@DlWQfMe+-Y)|_JsvFu*-joi3;WIb4LH9rSNM`II!E*U} zCNS%&369Yyw3Gyr&1JR9PVw5{ZM}At>n$k&OI*iT<>ojgaD3zuo>{^;K?I0`Iz?8W zzM`YiEXIUQtw@;!P>1v{U)I%j^j&u>d8hyuKRH4ut}U++vO zR2Y3Dv*2?&J*?|!i^nzz38AmcItbu)*O9yKB=v z;-&wmFq$`j`q@pkGDWSAZk!8M1j~M){mg(o`O4ACE?87V0_5W<&DGze1Vc~Ksko1L zIJ@c&A3#1IV6Y)uy9K-fk_n~>05LP0dxLm5;mkpAWB}kSjrQ3!8R_{61-76>kvbAA zQF|XGPgV<**Yf)=AfW|Y+QTuZCNMQD)U!@vJ?L^cW>y0rC3*9paSe*L2zJ_Igtzb9 z*l>2%Cgrfqqh;(bD`ikp_YE)!^Ho)L&(6e7yEEd{<{Gd&V$UE=@>W~&r-yC^*ZW=M zw=Z9(M7cFUr#0z4Lu)pr4{-4G%EBEP4&7~gahQ@*g4!<6nRs0Xb=JS)HHbxf+5)J6 zh?P0D*;Eh6DqChwLYT_LT2qRYs2)#+${Itah0#T;V;(*NQabcMu287jVqWl~{ejw1 z$@y)a{wB~2;Ytb|yh?r>wZWDmgj*W|bsm`w(@ve$7s68@Z{~}4pz=&(uhg(nXry~F z8zG#`V=#w9mn+q;Iv^6tG?oq#W`ET4qgu^}a>@OUWj)*oukDkB?}=-{(u%{s0WdIDevDZg_(Z9pn)c8-`iT z_C#YIMSKzaE^R$OD4dJ6#y9hYzgrbT9u0rXH0s?r&np9_ICEI&+>j{JUdMYn&@o!~ zY!2AHO96%$MUyOomS-EP3G3NNZDtk5?e^MCQBr%|bK@A!et((F!LchM9ah1!7^9^a zi>nMF8K93Y7F9#Py(G1qjb$*yr>xiS?)uo-aAuIKr2nA@9&-`*3%}y%k?i+l?vtE* z>!8yHOTuC~jw8sbYI;MtJ`z3XBqb#CXx|Z?4{cXhBZ=$+geijB1ysq0yXq)-6ZG!& zyFMA1cF|H;9P{a@&dJi6X*D7Ug&xDu9CF)8XN9ec=SSo)?+a-N!74O)hWjzjp^n$f zg(aI!Q5#2MUl^IL%qV54P{37^(`pd*2#R6DP03G@JdrYMkT#kSV*F@&O zrxf#B2r1GFb7f6Nk=4|XqQe?W`ST7%zSD=pc^qRKBR8*%ym z(uYoeNb%pk=KrXoL=(LV2A(#gX!V%T={ynb$}4>*L4zHgYnr%_nq-k=pBN_Jm&kL! z!;wj1t(m$~>zvh%;=uQ}do{l?X(d0Px0SH9tT?}GXoe?q`>F*kmsNK~%!0wiVfhhJ z%(Lv1jZW?hdwq7rHLR-$UWKw~Az7QU7IA?aBBQAh^Y)Jx*-WZk6#AMK=xF63xC=NR61qV#4IG^n1SD`&tUx4G*h3?N%7EEMlY z_FAR3mk?((Vx=a;4KkkjQ;$@c$I0{g@)pyGcfBsv#UI8s&?8`u%F2C^)Cvc;oeeLd zCXF$A%g5}w<>QJDG>KmKPszxAta>Z=4oT1vyN4^8F0Yq;KvK$RHb1;5e@QS~KsmlW zO!hMQQ_wE>_!mdLdWtqg6-z?Md?d2xuzb_%cHLW3EBAUNmq@#2%q+!1`9)eg0*l#I z&MC(ah>x@c#mwy2h>qC!N&~y5(={VPm>0n_x?KSIO9EUd5Z*Mk z65i{x{MKx~PV8ekLi5OPBnczW$`aJ}z>}2NGLxieJgsnHCBObMhBIB){T|Cjkd~Q$ z(~=KTrQE}7wS5i@2F%D!jinKrEEq9Q&VzYYKM^!y#r5#Wgu>?2y%f>rabogFVjp#+ z?TB}(x$4pLP}!KZL1MTE!J=V6BvEWq{>Sx4+BL&W-N#!}3#rA2;wrf0DHl>DibMIx zk_r$1uPat2H6QU*`nqHUp3i4pT?}T0gn>Ttf3b@PG@2YxgXh+Wrj>nrr2yA_<#nS_ zXz)a}v{X^Pc-}t~+Tiv#0_t$CBvFyA+CxOzFS!^zq5u!94Mo z(~6k-z`f0h0(wlAd9N8cF?h!S!JZVWB(M8AP&~!fq%&sdU_h@@37XE7XHHdL$RDEb z9P}Iav_u|bV;?GG%)x+4C1hVMLz)U7vI1>_YrX{hY#Z4i)2_?PW-m(hV%{sxf1_rO zbdv%bj89u#lIpN#zS~;08>Ds(%&@$)WNhw*SdWV6$z5R%jLcMe|D}2IG*#l;b8qUm zkWWx&5p;+B32{AV_qw&6fOvW=v&zeBcQ>aSbVJ?WtHk#b%0kJ{%+B|JvsXMIAnRUC zJoL_?=2j?|I8?YP5wl8YmP01`B4~_2$p#S3r#BDMZdjmB{?sF_YJZ>iq~|CE?>1Jr z=6MZ45q>p+D*;lAY0UQ^6O6??EYIJ*vK}IOgBno}5v#hD{N`>PL0|KaLP7IoHk9QFZaXz3EI5QyEoUB;6Li=sHo7^o@|^Bp#P1ByeEb@QMA}w0 z2xy`^z&N0yQB~w<(6xE>qLk_%|f>3*Jrz@i(wElsE28 zBL8n3@$9LTv7nIv;=r3VpPv7Q3xDC^rNrO~B965Gk!PFoC!9KSRS5$MA(l+d0*(Kx zkG~p)wH|pvzPmOR)u&(-0+tlNlJ#Fau375OW__ULM^mN$hFUDhLAF7;YlN`G_M85x zv_!xUsee)co$mE7YIi|w?UU$iWz_zh_bkz?TVTWKEt2+VhB!kZG2485Ty)j;kko zGgCU7G#8P)tA?^4DQA;EbZ-NDlg0~~Dr~QdgB5Z&CAJg|>VOtCigwdLR`Dt3Atyw` zsSDp-#gEiIOky3(PK}PR*8Y>1sEQxy&c4VGx9bQdGS+N*HwO#ZKfY2HmHW1A-TQ8P zE>3v6O?iKDU$J`oNtbZlDbffvkHc1JU^uPs$@~-C_#NV)KAUQ5rDIseaqUbLk6pa1 zzGJtKFRw&k8RL}w6lS+1JsO)gvCmfSNEICF&Kx|05{hMwxWDcn>VLTR;&#h-ue}%w zRJpZCtK2BOYWybK=Ql%5$J(|Q)>HA;s9Y+Oz-9673`r8FJ}=1>u<+v{qui%gJYY~S zwEl2+cK11LvCCHp7U_o!o>QjyWx0JSub&K?;Sx3twm#do#$_P3hrlem7%jrz=;tph z?h0p6IXu!)cMm5(V}j$NsKgoHdNY$Hq5bjT{l#|KX`)ClVVOgBQm&IWo#ZfZBJA4d zuDN%^x+jGIKp3ZSMfoO~qWP|DS+VoxVeTwubQ{rdY?!79yv|#l2VorO#V?*F}(aY+FS@DsE6GGP$ zGcbfCTrQ^nCqr2fzfwmXl^$9N9^WJW>9!n2K=HY`gFRnqP@Nep#rK@b46_mCn*;mR zO1b=iRr-}N$~K-bf-y6Tv8pMvPuQdcS2`z;d2yso+uxvR2oj7ZCpM6E z*vME$1J%#fpMOh54=V9HXh~DK-SZ_K%yG@kGpRbi(3>15P=pNPlU0l@9X4@#h#bFf z8BB`+uYG8e-&w<@4NtbwCK=m2!A%8tO8neqpxnOw-?9kkf5s&WU9vFWlIBXSv%%@K7b`TNx)O zhfec-ne1REcxZ@ju?mLMz~Z^kpRzI@Ho%GGge1UJxmQZpuK&616QCG{awTA|?!C#ubI%Hm|9yqSKva|(5x^HHzb46XPVCkf9l*z!NAnfB3?gZlhbXfd4i1# z0MjmuHZV?#eQT$@O}7FOZVrgUWyzr%ja+}=RZ}%Rt-5=fw$u(xh9E7_5&VN?9uvcSYG7?40Nq`YCQYzDOYMZK&|Uauge$}O zHsy85qThPe(3mb4GVOK9>Za$YxNvs_)bee*()#;Rz!o~PB-426l7i-UO9D*|R>Sl= zfAZHhY#cLd1duwt@C*tLRcLE{S$IFX(v?NIS&pRlfa9vN^7SSZ--4xJX-6T{`R$bV zd1$h=3RVX~TI?U3jwYHvi+4#|3AywA{g7{QuR{(8tg83=KtmU=&I76ATesOnrPyljT~ EUl$_QPyhe` diff --git a/versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP6/README.md b/versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP6/README.md deleted file mode 100644 index edf52a6c..00000000 --- a/versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP6/README.md +++ /dev/null @@ -1,123 +0,0 @@ ---- -slug: /MEP-6-dmz-networks -title: MEP-6 -sidebar_position: 6 ---- - -# DMZ Networks - -## Reasoning - -To fulfill higher levels of security measures the standard metal-stack approach with a single firewall in front of a set of machines might be insufficient. -There are cases where two physically distinct firewalls in front of application workload are mandatory. In traditional network terms this is known as DMZ approach. - -For Kubernetes workloads it makes sense to use the front cluster for ingress, WAF purposes and as outgoing proxy. The clusters may be used for application workload. - -## DMZ network - -- Use a separate DMZ network prefix for every tenant -- This is used as intermediate network btw. private networks of a tenant and the internet -- For every partition a distinct DMZ firewall/cluster is needed for a tenant -- For Gardener orchestrated Kubernetes clusters this network must be a publicly reachable internet prefix because shoot clusters need a vpn service that is used for instrumentation from the seed cluster - this will be a requirement as long as the inverse vpn tunnel feature Konnectivity is not available to us. - -## Approach 1: DMZ with publicly reachable internet prefix - -![DMZ Internet](dmz-internet_public.svg) - -A DMZ network with publicly reachable internet prefix will look like this in the metal-api: - -```yaml ---- -description: DMZ-Network -destinationprefixes: - - 0.0.0.0/0 -id: dmz -labels: - network.metal-stack.io/default-external: "" -name: DMZ-Network -parentnetworkid: null -partitionid: "" -prefixes: - - 212.90.30.128/25 -privatesuper: false -projectid: "" -vrf: 104007 -vrfshared: false -nat: true -shared: false -underlay: false -``` - -### DMZ firewall - -The firewall of the DMZ will intersect its private network for attached machines, the DMZ network and the public internet. - -- The private network of the project needs to import - - the default route from the internet network - - the DMZ network -- The internet network must import the DMZ network -- The DMZ network provides the default route for tenant's clusters in a partition. It imports the default route from the internet network - -### Application Firewall - -The firewall of application workloads intersects its private network for attached machines and the DMZ network. - -This is currently supported by the metal-networker and needs no further changes! - -## Approach 2: DMZ with private IPs - -![DMZ Internet](dmz-internet_private.svg) - -A DMZ network with private IPs will look like this in the metal-api: - -```yaml ---- -description: DMZ-Network -destinationprefixes: - - 0.0.0.0/0 -id: dmz -labels: - network.metal-stack.io/default-external: "" -name: DMZ-Network -parentnetworkid: tenant-super-network-fra-equ01 -partitionid: fra-equ01 -prefixes: - - 10.90.30.128/25 -privatesuper: false -projectid: "" -vrf: 4711 -vrfshared: false -nat: true -shared: true # it's usable from multiple projects -underlay: false -``` - -### DMZ firewall - -The firewall of the DMZ will intersect its private network for attached machines, the DMZ network and the public internet. - -- The private network of the project needs to import - - the default route from the internet network - - the DMZ network -- The internet network must import the DMZ network (only locally, no-export) -- The DMZ network provides the default route for tenant's clusters in a partition. It imports the default route from the internet network - -### Application Firewall - -The firewall of application workloads intersects its private network for attached machines and the DMZ network. - -## Code Changes / Implications - -- `metal-networker` and `metal-ccm` assume that there is only one network providing the default-route -- `metal-networker` needs to - - import the default route from the internet network to the dmz network (DMZ Firewall) - - import the DMZ network to the internet network and adjusting NAT rules (DMZ Firewall) - - import destination prefixes of the DMZ network to the private primary network (DMZ Firewall, Application Firewall) - - import DMZ-IPs of the private primary network to the DMZ network (DMZ Firewall, Application Firewall) -- `metal-api`: destination prefixes of private networks need to be configurable (`allocateNetwork`) -- `gardener-extension-provider-metal`: needs to be able to delete DMZ clusters (but skip the network deletion part) -- the application firewall is not publicly reachable - for debugging purposes a hop over the DMZ firewall is needed - -## Decision - -We decided to follow the second approach with private DMZ networks. diff --git a/versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP6/dmz-internet_private.drawio b/versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP6/dmz-internet_private.drawio deleted file mode 100644 index 7b83bbfc..00000000 --- a/versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP6/dmz-internet_private.drawio +++ /dev/null @@ -1,178 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - \ No newline at end of file diff --git a/versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP6/dmz-internet_private.svg b/versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP6/dmz-internet_private.svg deleted file mode 100644 index f5e58204..00000000 --- a/versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP6/dmz-internet_private.svg +++ /dev/null @@ -1,3 +0,0 @@ -
Machine
Machine
Firewall DMZ
Firewall DMZ
DMZ VRF
DMZ VRF
Machine
Machine
Firewall A
Firewall A
Private VRF A
Private VRF A
10.0.0.2
10.90.30.129
/0 via Firewall A
10.0.0.2...
VRF A 10.0.0.1
VRF A 10.0.0.1
DMZ Network
10.90.30.128/25
DMZ Network...
Private Network
10.0.0.0/24
Private Network...
import /0
import /0
import 10.0.0.0/24
import 10.0.0.0/24 -
Machine
Machine
Firewall B
Firewall B
Private VRF B
Private VRF B
10.0.1.2
/0 via Firewall B
10.0.1.2...
VRF B 10.0.1.1
VRF B 10.0.1.1
Private Network
10.0.1.0/24
Private Network...
import /0
import /0
import 10.0.1.0/24
import 10.0.1.0/24 -
10.90.30.129 is reachable
/0 via Firewall DMZ
10.0.0.0/24 is reachable
10.0.1.0/24 is reachable
10.90.30.129 is reachable...
Internet
212.1.1.0/27
Internet...
SNAT to 212.1.1.1
SNAT to 212.1.1.1
Internet VRF
Internet VRF
import /0
import /0

import 10.0.0.0/24 no export
import 10.0.1.0/24 no export
import 10.90.30.128/25 no export
import 10.0.0.0/24 no exp...Viewer does not support full SVG 1.1 \ No newline at end of file diff --git a/versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP6/dmz-internet_public.drawio b/versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP6/dmz-internet_public.drawio deleted file mode 100644 index 544939e5..00000000 --- a/versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP6/dmz-internet_public.drawio +++ /dev/null @@ -1,184 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - \ No newline at end of file diff --git a/versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP6/dmz-internet_public.svg b/versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP6/dmz-internet_public.svg deleted file mode 100644 index 5e825081..00000000 --- a/versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP6/dmz-internet_public.svg +++ /dev/null @@ -1,3 +0,0 @@ -
Machine
Machine
Firewall DMZ
Firewall DMZ
DMZ VRF
DMZ VRF
Machine
Machine
Firewall A
Firewall A
Private VRF A
Private VRF A
10.0.0.2
212.1.2.3
/0 via Firewall A
10.0.0.2...
VRF A 10.0.0.1
VRF A 10.0.0.1
DMZ Network
212.1.2.0/27
DMZ Network...
Private Network
10.0.0.0/24
Private Network...
import /0
import /0
import 10.0.0.0/24
import 10.0.0.0/24 -
Machine
Machine
Firewall B
Firewall B
Private VRF B
Private VRF B
10.0.1.2
/0 via Firewall B
10.0.1.2...
VRF B 10.0.1.1
VRF B 10.0.1.1
Private Network
10.0.1.0/24
Private Network...
import /0
import /0
import 10.0.1.0/24
import 10.0.1.0/24 -
212.1.2.3 is reachable
/0 via Firewall DMZ
212.1.2.3 is reachable...
Internet
212.1.1.0/27 212.1.2.0/27
Internet...
SNAT to 212.1.1.1
SNAT to 212.1.1.1
Internet VRF
Internet VRF
import /0
import /0
import 212.1.2.0/27
import 10.0.0.0/24 no redistribute
import 10.0.1.0/24 no redistribute

import 212.1.2.0/27...
SNAT to
212.1.2.1
SNAT to...
SNAT to
212.1.2.2
SNAT to...Viewer does not support full SVG 1.1 \ No newline at end of file diff --git a/versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP8/README.md b/versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP8/README.md deleted file mode 100644 index 14748fae..00000000 --- a/versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP8/README.md +++ /dev/null @@ -1,503 +0,0 @@ ---- -slug: /MEP-7-configurable-filesystem-layout-for-machine-allocation -title: MEP-7 -sidebar_position: 7 ---- - -# Configurable Filesystem layout for Machine Allocation - -The current implementation uses a hard coded filesystem layout depending on the specified size and image. This is done in the metal-hammer. This worked well in the past because we had a small amount of sizes and images. But we reached a point where this is to restricted for all use cases we have to fulfill. It also forces us to modify the metal-hammer source code to support a new filesystem layout. - -This proposal tries to address this issue by introducing a filesystem layout struct in the metal-api which is then configurable per machine allocation. -The original behavior of automatic filesystem layout decision must still be present, because there must be no API change for existing API consumers. It should be a additional feature during machine allocation. - -## API and behavior - -The API will get a new endpoint `filesystemlayouts`to create/update/delete a set of available `filesystemlayouts`. - -### Constraints - -In order to keep the actual machine allocation api compatible, there must be no difference while allocating a machine. To achieve this every -`filesystemlayout` defines constraints which specifies for which combination of `sizes` and `images` this layout should be used by default. -The specified constraints over all `filesystemlayouts` therefore must be collision free, to be more specific, there must be exactly one layout outcome -for every possible combination of `sizes` and `images`. - -The `size` constraint must be a list of the exact size ids, the `image` constraint must be a map of os to semver compatible version constraint. For example: - -- `debian: ">= 10.20210101"` or `debian: "< 10.20210101"` - -The general form of a `image` constraint is a map from `os` to `versionconstraint` where: - -`os` must match the first part of the image without the version. -`versionconstraint` must be the comparator, a space and the version, or simply `*` to match all versions of this `os`. -The comparator must be one of: "=", "!=", ">", "<", ">=", "=>", "<=", "=<", "~", "~>", "^" - -It must also be possible to have a `filesystemlayout` in development or for other special purposes, which can be specified during the machine allocation. -To have such a layout, both constraints `sizes` and `images`must be empty list. - -### Reinstall - -The current reinstall implementation the metal-hammer detects during the installation on which disk the OS was installed and reports back to the metal-api the Report struct which has two properties `primarydisk` and `ospartition`. -Both fields are not required anymore because the logic is now shifted to the `filesystemlayout` definition. If `Disk.WipeOnReinstall` is set to true, this disk will be wiped, default is false and is preserved. - -### Handling of s2-xlarge machines - -These machines are a bit special compared to our `c1-*` machines because they have rotating hard disks for the mass storage purpose. -The downside is that the on board SATA-DOM has the same naming as the HDDs and can not be specified as the first /dev/sda disk because all HDDs are also /dev/sd\* disks. -Therefore we had a special SATA-DOM detection algorithm inside metal-hammer which simply checks for the smallest /dev/sd disk and took this to install the OS. - -This is not possible with the current approach, but we figured out that the SATA-DOM is always `/dev/sde`. So we can create a special `filesystemlayout` where the installations is made on this disk. - -### Possible Filesystemlayout hierarchies - -It is only possible to create a filesystem on top of a block device. The creation of a block device can be done on multiple ways, depending on the requirements regarding performance, space and redundancy of the filesystem. -It also depends on the disks available on the server. - -The current approach implements the following hierarchies: - -![filesystems](filesystems.png) - -### Implementation - -```go -// FilesystemLayout to be created on the given machine -type FilesystemLayout struct { - // ID unique layout identifier - ID string - // Description is human readable - Description string - // Filesystems to create on the server - Filesystems []Filesystem - // Disks to configure in the server with their partitions - Disks []Disk - // Raid if not empty, create raid arrays out of the individual disks, to place filesystems onto - Raid []Raid - // VolumeGroups to create - VolumeGroups []VolumeGroup - // LogicalVolumes to create on top of VolumeGroups - LogicalVolumes []LogicalVolume - // Constraints which must match to select this Layout - Constraints FilesystemLayoutConstraints -} - -type FilesystemLayoutConstraints struct { - // Sizes defines the list of sizes this layout applies to - Sizes []string - // Images defines a map from os to versionconstraint - // the combination of os and versionconstraint per size must be conflict free over all filesystemlayouts - Images map[string]string -} - -type RaidLevel string -type Format string -type GPTType string - -// Filesystem defines a single filesystem to be mounted -type Filesystem struct { - // Path defines the mountpoint, if nil, it will not be mounted - Path *string - // Device where the filesystem is created on, must be the full device path seen by the OS - Device string - // Format is the type of filesystem should be created - Format Format - // Label is optional enhances readability - Label *string - // MountOptions which might be required - MountOptions []string - // CreateOptions during filesystem creation - CreateOptions []string -} - -// Disk represents a single block device visible from the OS, required -type Disk struct { - // Device is the full device path - Device string - // Partitions to create on this device - Partitions []Partition - // WipeOnReinstall, if set to true the whole disk will be erased if reinstall happens - // during fresh install all disks are wiped - WipeOnReinstall bool -} - -// Raid is optional, if given the devices must match. -// TODO inherit GPTType from underlay device ? -type Raid struct { - // ArrayName of the raid device, most often this will be /dev/md0 and so forth - ArrayName string - // Devices the devices to form a raid device - Devices []Device - // Level the raidlevel to use, can be one of 0,1,5,10 - // TODO what should be support - Level RaidLevel - // CreateOptions required during raid creation, example: --metadata=1.0 for uefi boot partition - CreateOptions []string - // Spares defaults to 0 - Spares int -} - - -// VolumeGroup is optional, if given the devices must match. -type VolumeGroup struct { - // Name of the volumegroup without the /dev prefix - Name string - // Devices the devices to form a volumegroup device - Devices []string - // Tags to attach to the volumegroup - Tags []string -} - -// LogicalVolume is a block devices created with lvm on top of a volumegroup -type LogicalVolume struct { - // Name the name of the logical volume, without /dev prefix, will be accessible at /dev/vgname/lvname - Name string - // VolumeGroup the name of the volumegroup - VolumeGroup string - // Size of this LV in mebibytes (MiB) - Size uint64 - // LVMType can be either striped or raid1 - LVMType LVMType -} - -// Partition is a single partition on a device, only GPT partition types are supported -type Partition struct { - // Number of this partition, will be added to the device once partitioned - Number int - // Label to enhance readability - Label *string - // Size given in MebiBytes (MiB) - // if "0" is given the rest of the device will be used, this requires Number to be the highest in this partition - Size string - // GPTType defines the GPT partition type - GPTType *GPTType -} - -const ( - // VFAT is used for the UEFI boot partition - VFAT = Format("vfat") - // EXT3 is usually only used for /boot - EXT3 = Format("ext3") - // EXT4 is the default fs - EXT4 = Format("ext4") - // SWAP is for the swap partition - SWAP = Format("swap") - // None - NONE = Format("none") - - // GPTBoot EFI Boot Partition - GPTBoot = GPTType("ef00") - // GPTLinux Linux Partition - GPTLinux = GPTType("8300") - // GPTLinuxRaid Linux Raid Partition - GPTLinuxRaid = GPTType("fd00") - // GPTLinux Linux Partition - GPTLinuxLVM = GPTType("8e00") - - // LVMTypeLinear append across all physical volumes - LVMTypeLinear = LVMType("linear") - // LVMTypeStriped stripe across all physical volumes - LVMTypeStriped = LVMType("striped") - // LVMTypeStripe mirror with raid across all physical volumes - LVMTypeRaid1 = LVMType("raid1") -) -``` - -Example `metalctl` outputs: - -```bash -$ metalctl filesystemlayouts ls -ID DESCRIPTION SIZES IMAGES -default default fs layout c1-large-x86, c1-xlarge-x86 debian >=10, ubuntu >=20.04, centos >=7 -ceph fs layout for ceph s2-large-x86, s2-xlarge-x86 debian >=10, ubuntu >=20.04 -firewall firewall fs layout c1-large-x86, c1-xlarge-x86 firewall >=2 -storage storage fs layout s3-large-x86 centos >=7 -s3 storage fs layout s2-xlarge-x86 debian >=10, ubuntu >=20.04, >=firewall-2 -default-devel devel fs layout -``` - -The `default` layout reflects what is actually implemented in metal-hammer to guarantee backward compatibility. - -```yaml ---- -id: default -constraints: - sizes: - - c1-large-x86 - - c1-xlarge-x86 - images: - debian: ">=10" - ubuntu: ">=20.04" - centos: ">=7" -filesystems: - - path: "/boot/efi" - device: "/dev/sda1" - format: "vfat" - options: "-F 32" - label: "efi" # required to be compatible with old images - - path: "/" - device: "/dev/sda2" - format: "ext4" - label: "root" # required to be compatible with old images - - path: "/var/lib" - device: "/dev/sda3" - format: "ext4" - label: "varlib" # required to be compatible with old images - - path: "/tmp" - device: "tmpfs" - format: "tmpfs" - mountoptions: - [ - "defaults", - "noatime", - "nosuid", - "nodev", - "noexec", - "mode=1777", - "size=512M", - ] -disks: - - device: "/dev/sda" - wipe: true - partitions: - - number: 1 - label: "efi" - size: 500 - type: GPTBoot - - number: 2 - label: "root" - size: 5000 - type: GPTLinux - - number: 3 - label: "varlib" - size: 0 # to end of partition - type: GPTLinux -``` - -The `firewall` layout reuses the built in nvme disk to store the logs, which is way faster and larger than what the sata-dom ssd provides. - -```yaml ---- -id: firewall -constraints: - sizes: - - c1-large-x86 - - c1-xlarge-x86 - images: - firewall: ">=2" -filesystems: - - path: "/boot/efi" - device: "/dev/sda1" - format: "vfat" - options: "-F 32" - - path: "/" - device: "/dev/sda2" - format: "ext4" - - path: "/var" - device: "/dev/nvme0n1p1" - format: "ext4" -disks: - - device: "/dev/sda" - wipe: true - partitions: - - number: 1 - label: "efi" - size: 500 - type: GPTBoot - - number: 2 - label: "root" - size: 5000 - type: GPTLinux - - device: "/dev/nvme0n1" - wipe: true - partitions: - - number: 1 - label: "var" - size: 0 - type: GPTLinux -``` - -The `storage` layout will be used for the storage servers, which must have mirrored boot disks. - -```yaml ---- -id: storage -constraints: - sizes: - - s3-large-x86 - images: - centos: ">=7" -filesystems: - - path: "/boot/efi" - device: "/dev/md1" - format: "vfat" - options: "-F32" - - path: "/" - device: "/dev/md2" - format: "ext4" -disks: - - device: "/dev/sda" - wipe: true - partitions: - - number: 1 - label: "efi" - size: 500 - type: GPTLinuxRaid - - number: 2 - label: "root" - size: 5000 - type: GPTLinuxRaid - - device: "/dev/sdb" - wipe: true - partitions: - - number: 1 - label: "efi" - size: 500 - type: GPTLinuxRaid - - number: 2 - label: "root" - size: 5000 - type: GPTLinuxRaid -raid: - - name: "/dev/md1" - level: 1 - devices: - - "/dev/sda1" - - "/dev/sdb1" - options: "--metadata=1.0" - - name: "/dev/md2" - level: 1 - devices: - - "/dev/sda2" - - "/dev/sdb2" - options: "--metadata=1.0" -``` - -The `s3-storage` layout matches the special situation on the s2-xlarge machines. - -```yaml ---- -id: s3-storage -constraints: - sizes: - - c1-large-x86 - - s2-xlarge-x86 - images: - debian: ">=10" - ubuntu: ">=20.04" - centos: ">=7" -filesystems: - - path: "/boot/efi" - device: "/dev/sde1" - format: "vfat" - options: "-F 32" - - path: "/" - device: "/dev/sde2" - format: "ext4" - - path: "/var/lib" - device: "/dev/sde3" - format: "ext4" -disks: - - device: "/dev/sde" - wipe: true - partitions: - - number: 1 - label: "efi" - size: 500 - type: GPTBoot - - number: 2 - label: "root" - size: 5000 - type: GPTLinux - - number: 3 - label: "varlib" - size: 0 # to end of partition - type: GPTLinux -``` - -A sample `lvm` layout which puts `/var/lib` as stripe on the nvme device - -```yaml ---- -id: lvm -description: "lvm layout" -constraints: - size: - - s2-xlarge-x86 - images: - debian: ">=10" - ubuntu: ">=20.04" - centos: ">=7" -filesystems: - - path: "/boot/efi" - device: "/dev/sda1" - format: "vfat" - createoptions: - - "-F 32" - label: "efi" - - path: "/" - device: "/dev/sda2" - format: "ext4" - label: "root" - - path: "/var/lib" - device: "/dev/vg00/varlib" - format: "ext4" - label: "varlib" - - path: "/tmp" - device: "tmpfs" - format: "tmpfs" - mountoptions: - [ - "defaults", - "noatime", - "nosuid", - "nodev", - "noexec", - "mode=1777", - "size=512M", - ] -volumegroups: - - name: "vg00" - devices: - - "/dev/nvmne0n1" - - "/dev/nvmne0n2" -logicalvolumes: - - name: "varlib" - volumegroup: "vg00" - size: 200 - lvmtype: "striped" -disks: - - device: "/dev/sda" - wipeonreinstall: true - partitions: - - number: 1 - label: "efi" - size: 500 - gpttype: "ef00" - - number: 2 - label: "root" - size: 5000 - gpttype: "8300" - - device: "/dev/nvmne0n1" - wipeonreinstall: false - - device: "/dev/nvmne0n2" - wipeonreinstall: false -``` - -## Components which requires modifications - -- metal-hammer: - - change implementation from build in hard coded logic - - move logic to create fstab from install.sh to metal-hammer -- metal-api: - - new endpoint `filesystemlayouts` - - add optional spec of `filesystemlayout` during `allocation` with validation if given `filesystemlayout` is possible on given size. - - add `allocation.filesystemlayout` in the response, based on either the specified `filesystemlayout` or the calculated one. - - implement `filesystemlayouts` validation for: - - matching to disks in the size - - no overlapping with the sizes/imagefilter specified in `filesystemlayouts` - - all devices specified exists from top to bottom (fs -> disks -> device || fs -> raid -> devices) -- metalctl: - - implement `filesystemlayouts` -- metal-go: - - adopt api changes -- metal-images: - - install mdadm for raid support diff --git a/versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP8/filesystems.drawio b/versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP8/filesystems.drawio deleted file mode 100644 index 0f0c6ab5..00000000 --- a/versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP8/filesystems.drawio +++ /dev/null @@ -1,43 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - \ No newline at end of file diff --git a/versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP8/filesystems.png b/versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP8/filesystems.png deleted file mode 100644 index 6d903b7ec9c8c069383846912f136127e54a371a..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 24073 zcmeFZby!u=x-L#hh|(!8>F#a`7bPK}z(SNxX;_4mQqoJ17DPZ05hO&qI|Uaa-67r5 z^&89BXP>?I+4ubJJ@@YO$9W!}^{hFWbIdWm`He5$@BLPoriRkh%hxWWp`l$>QHE-x zpqhg(zfK4W^8GqtXklJGhP0zdvc_=-^;s2LE>#nz*<)di?v#EFJBBukrU_PGA}T?k3cUyJjYK ze}7ib#vE?_`&xbx@n6e8U9N0lV`csO(P9F>C1r2&=i=WhakVxvcl7vm|IbrD<>un( z2<}w)`ATkC*r8pRS{w8`uE?B6dLL z@}@vuB37txU`%rhcktiNecgsBnAH*|CJ;K{*fd_{tG1edn^2v%4wSb z?H1sJTDaQ)?fH+zXm9@e@&7_46yp0mhd-w4ABc|s&$+)=!v6}ZQFmOY=3t0f3?7V+vC5|HBA#2xDDLK(czyhyKIf97y(GEL_pQF?>RQ_UvB?SN#8$KK@?*U&$6_`2M*_UClwr@*j%S z)!gh~F4Di#*MA_=Kd1i7x47W1<^PpP|6&^dmva4Qx(WpQuQ#3|e`7rVk+S|@GoC_! zC)xjuvVsWcpC~H`i~hy?|8E1Ie`H+$uPN*AeDQxrS^ueFbv3v6*DLE^l=HWz|3{Mj zFH%3z;>cSE%T~h! z@Q5)P0;sh3&{!hh4PANn)KpQfAUp}zl8lTLyN9ha2pwxd&=`^Aiou9YMDB`pkL+lu z+B$ce-kH;X(pQ-oSWY^Yh$O+^k!&nT(KL4h1ZzEb33-4mjR@D2w*% z5K0HZAb~79>9RA>VW9q^AA{rMO$>}*hjbXrMA1viAtkqoe?8p4hctSr!-tXx?ay37 zoRqoDMkIPfv%8A+U;P z`1yP~jAT}De8fYC_Gd-}=wS%BSRUE$2X;t-;~o!m^xxv}hvO>4vzqm@|2*(Jo-*9L z4j=c|^Z!Q#Kra7zEhwV$ufI4S<1QW0E^wHrLQo=A*GEfT@4i)Y?&htpIhhV59FL?H ze6TrLJMqcpt9FLx{)koe{`y$;g!>qG%+C4IBJEI>o9)5=m}50_0*t|h+R(2#gwVtH z_y@m6;zRf3Vj4lqNCU6s>?o7DwkXEL>?=SCGKr&?Lfh_mM93nsq>$SqRXr3*pVf^!TBV z7OEcWr9)Nmy7xO@J^r5TuruFjDXs6j_s!n)$$X5`xZBXf#k42qkE_pj`(!)}9BWH` zk6yd>ibp(@F=@i`I9|@F79NB(KXm;p?6COCgMiDim0S`# zweMipwD@C+g4{F>@ddK-IfP`DMw@AV$2J~d5Q%(lLYdQ| zleyypC?XP6E{9Ph32e(c!-qg8=N$t><%j@?`>tlw~`*;drc z(SUe#GA9mW`D|1!R@s-0wE1qgQaXTB@Wt0p>c(8Uxz&Y)YzKR!kLF_?-b9HApl=Tu zJ*j;2{HDa>p7&aD$gY7zKo^aqd%pBkcB0`5LV6$O@l{zf;gVEO)TS)J~@8)Qfs={=urUUTR__n=+bZWi!)TE-Wi}x2O!6UB;ch&Cp zO0pCjRwvSCGAP4So!h8cMBd(c?XXY-UVXvi-R}yeDGns)#B3<*v%Ln-!G$ttMrNBG zOn8)smB
xw+)D(Mjrp)Vmc+ZeAb<7x_eF6=MlG%YLYI4L!@ShPQCJLX3mr2J*i z4@rFQMiVY_d(wNeQh4aWSLyS^xec%YcgNbjg!nKto6%3X`s$})tHq|q8L$ec3|nMo zFpa1~s)756#lswpS8AX5*i5+T@0>@)e-EMc<8uyJq9cS7cD|;ih^9mGd+*x~6`9nRyZ-FdhKI`4MZ*{0oB=sC@Sc= zXt$eHVtCHKh9R-c-PfwyKWK)pb%Yi+UO;{4=81<%8(B=Ud-5|)Pv)&T`mHaV{zOx5|?hcUgA z$|r3NMXZ;N^`?bMvt45@`lpGM1I}ou+Vt1hJ0iXUyjVrM7wo zEVI-qf>yn7oa;_c@d#ETN-cgYAz3sFs#e}}s4DH9?t~#25n@fwXMHjkc6%x-=7_3t zARs^BMOWwMQOK{oTvy?LF2KOQv_=ycn)2j9qlyI^f#EZN8($8-MnnAD6waf-3^+!TKK z)bxAc_1so4TnPW|g4=+HG|z9;dHCCfvXKK9svVBjuQT73jb|i zglzm$2dwrluad~0gy=BQ)nTS77++Nr{+Ke1fi!V;O!+k2Dn~L9@10SuN2u%q$(Nnm zX=PuhDL$A*7zz1RNs6NHaqe9qe)j;pcoIn1o}oHHSjJ~~+lpSYgP%@a6WC13aHhdv zVR5EsB44TVj4Y~-bdD~A(2O1#1EU zs`yyvZHiHRq0_Iy-Aw*x@c)!pvKS;pCOyp#kV>?bAarVS5`Hw$0eL(hv(Y2i2X|W? zbStdge<`_?9yksnoa>>xAG>*6X??c*K}4nYsAKNhc-_UhclpZuyehA~m64Lz%}043 zz8~+e+sc^qv%dD3#U{M52AoEjLdB)Cn`)EJMl_W56|Xt<{0_!lpRW#nNHKW45TAE` z3T#=$L-&!^s2kFw-1VnB{?B6yFF^QngxIg&>EfiUyeO#Na6y^Gy(j%IRC$)mru@7; zP(g$H`Y5^1g8by0OaY#f6pmb@cxnmnR1nH_w;>;TOb92m&rKNHIgEa?SvvKUsXITm zMa5mZ6OvZF*N3uHNDr3YJg@ptKIs)Bbuj7ec(D28VhngEUMu~|9sD!RDtax9+%N)( zTZ_G~J_x8qhd|tuZbkB?Uu?J2ZsZl#xvb`wXndf6puCWQb1V4=gk#;&TXk!X$;UZk z_T>|o9p-`L#$UM&>TiGm<$jRCmreX$F@Jnc8y8u4gBzHa4wE%6_IFG|sV}d*R&xD= zcJ`)xG6U;t_XZ6THeWwEUv{Wmpb#}~Ks#uoajZZEQSb<|og2ZupRPE*%ktBCc4$fo z@zE4;XH0E=OBdrb?%ZB^w7WQVI-Sj1ci2?==v$XB2$FT?toL@9B$~=(kB1VWa7}dy z4#-l9W1aJB-+le~>_E8-Ac-=9_Qdaatf|vp`)kXm35c2IkZNK^#R{bxk6Xx`wb=_A zKbOD{6>$1c{;axof3*AF2?(9nZ}=UWkdmA}0P*X7dB&}fs>L+#UY6!E`>`qzQGWUS zQn=e~Z5a8=XQ#6b<=kEEM?dMW9l#Lh=O>QUh{9(QZYves<>UQzReCU!OWw}UK_DmU zwsKF@tnJEBwTB}roNa$5$m3Tmt(g|-5{9@Vb2fkq$qSxboVQ`GVx4UPKkhQ+d+@4Q zaxPMkqFC&6ifEtT#cTv`m5#1{s~=UgtG>i(X0!LFTLj`QT>cN9^JP1p9%oAtM*KiV5ik`#mqCB{7sYix3v9MBI8cC4o)`f zt8e-q55opPFm_^W?gOIml+Tx!^d%G#*O!5Z=OCqnxf1tBBIV``qLq!+#w=6p*UaFR z3kiZ4Fm$jlR7D>Ruu=X#69terw9=90X}bYtnOPmOQ4BSy%cG zx98Sh%1q zP_7GS$X&tMhys* zMIK9?td-~_5Y&rLI4*BpoCo0Z@a1((cud*zLSk9v=Yi&aaw)8sz3efdr9{1YRb;r~ zY^#}2hxhS-9zBnr*6TOXC&ZAG_43zwM)h^uCjHNFNTqZMMk5ypu`^1C49B3OUaKFh z0-mDx8{9B=^1V1am@13g_tMblC0R{le@i=gzM>#W^A4ibDYZkNtw@StVd)ja?l+ zO{sy_UNgaz;{liOACy>rwo82_=}~YNb)n?ca4Cg7;^s=%@;}>Qon1&t4msLi)QkcE={Zpo}RrC1JT0 zgsFN5SlAl%b2W|{Xw8qwEFvbJ06!28d!Jxfa>qf_xTqV5k=q;9n^oUGr;JS9@W*8lpZZ&fKCCZGLk`G9@tH(iJ627i&m z7etsah0Ej+ScNBR(W5UH#5WC(j}~9s(^>HuCdu%!nG72~< z@jJuA$36S(xNIERB#~r0_3+DK!X3C;su;2hWYbn_jIqT;=+T?vM-?1U_!hx-KGRLR z5vAGMH@L(r4b^>0BiC&6wOZ%K9P5R*{rR*w5VBxv#71Tpq2DiIcmAj~2+Q z%Jx8YvF+4t)Fx--1-{X_N=gv$dI1S~H7vKxi^7OWY2Qk+h>Aq)TY0@ z8ca6KHtO9-Ai$>2zhQWx056go9jg!WoUtv`MEZ9qS{HqKW)YAr#QQl-dQ7D1<58TS zTpg^f$cYYqN>M-nk*K&uC_Uh(e5HlyT)ht0o5bkD0P$U~?5x`>dJ7#w%J45C!v-xl zX^B*3`c=)>!b>q%xx%(X&%aYbJjR_v@a{X(Vq-j8AZpu9-{yY3Bulg_H*X{{FWr5R z3X=y~Ws&3&q<%Wz>fP+!Llr{RUNsX&knpM2%R4jhAk7{PHd-6xDeu(LujSLn6SkC& zq(0@t-?dnzVsy=j0fuB4;$koDK_+H# zyO&6}0qiZ+JJ>T*eGJaP@(2EWTTmQKK^nQ4&m>nZt%HozGXrh)bJ{o*su`J!g#5wAgndoJXjrJR4Y5{KeBg7LHnt!MZEm63_L0mClF z*r9LmZobLRmC|bWGO8NFDO^7Q#eqC)934wwh1g;TL;TqtUD zq33&;RqfZ!zp#EExe=5ki-IDi05 zbn!%Dyl8Hn`I6;9R-3u(qYrr#$goZJg<^&ynk}`CC2dDxnx2j|s9e_eF1GoL3+YT+ z^6sJ2cvfVKA&Q|k$&!OxS zGyRn3^7(~6Xr?BXO;$Dpt87N6b}I*tObfnSSo^>S+ic>PJ^pgormeBZSmKue;~4IC z2C!I4cB`sf-!dgXSKk)FRvkkXHE;0`3JwXPJ(!E9;_>yP2Obk{`)M5Hcj(BGTBmdI z`x;jrkcWTCQu2OyV;dc%GMFS&$TbPj>7qH_xqo~oi-a>CB*ke7sFcRw=fwt@Zyp?@ z(c~1%mPoa0Pxnf0+EH9hkc@-UT|o~c2t)9lF%OiIKr)<`XE8upM2>qqF-(@4Bzg(J z+xZ5MT$HcazZKN2?}G2WSW zBhY#sKQVXR%p3UDJcfhsdH6RjIdg7aqRh*kOzmr@CvcX`%zAg48TYECc41&DZ>Vo7 zXKS*9_}29&#DzE)v}ri~OchzLtn63yRCYNR{b))zf*=j6A1Q?d*M^e{eJ-{QHeq}l z_)gs$;uI0br}{NAFP73X#6uoVFx%Zj`WIsMDwA%#|3c=*(5Isj*T`)I$-K$Q5U@K} zIevBVy%JFQ5ZekY7Dv-(L{E8chd1%wu2h*Y&^VJ;hEKo7%s?a>FnpW!MyKU5M9a$> z&PsMf&7|blOgwQcdv>IJ!p(|ZKLRRe z{K-O$(-;{MmLC8(DndW|=~`K+Qr4{nqm;p_6sky`)9BAGkuFpXQ=S-$+uaY>Lbl~Q@xzkHD6~=ndHva zGxgg_f+0b8HVoUwA5Evkc1_JydZ8q7)te!+S&5@d>ZF^LzV`!s=|#*!4B zl0HDsC{s$Xje}e<-5M!}LvKuQm5NNCbg0sV(W2kk$+g!Uq$782A7E?bW2TiWj_1r} z6Y!?M30U+t8e6&R&I1{)Q9PS}q6g$uBcXYbZq@qAL6hv(_yx(2t6$mnnwUju_+xhk z==Pl+ex48TQ0?u#%VKyx%%b^%G&&3~TwtpuWU0ZP|KbiEBguORzXwu*Qb#BC)R+Ug zU0)Zi_+-i?1kzJI2lAvxvoFfz;nSZf38O2LSl(WqgajTBgc38VY3>-27&;Ks{K&q& zBk^+cVbqS{GYBTf*|E^EeTs5;|EEQVGTBQ|A-Ai9sydql(p=WyJAK z4almoA!OKC`)YW8r!WxJP6wN5-4EDnvsy%hTv8vE(@_;`Kdao6ngz;&<|v^8-(+(j zsliAyBxg8eoNB37g3lR8nv=&ZFq2A~b=-upf(Wf9PEB5H*#JdUOuH=bBjWi^b*wAz%g!#K(pF9SD&sx22Ups?1KV3?XqHZDn=ELl@{tQhn z^lSOf9{ceVH)JEFqy5N`)|xl<{#oJGp`34ycy!8K6al&T{=PgfrCL(b6BPzSmyn7-X4yM~msz7t{<_G2X|M;D87Ghh2NRyYY{ zO|M~e`sy>e7-8pl8WC-l#=Io+5zblPT;khFFp8wF1UC3@{uX8ytmj=K% zW(2=SO9NI+K#G)9h8we+sO|M%=FB&qtDyW)T{PIap`!p2A<|djXxdrn9WSvS;nT2_ ze!U*ciSDJ@!e-6l9I(#EFOVT%L!umkp0GfPt)J=h@k%3{&D_R&bhAvpxyfm4Zv2^)f2OIWB zv%ORimsejHzQ{I1roGU8k~1I=#R+uMd@XPHF($6zfzM-sBoI~+_CfZg*~(WVe0jS+ z+)$CZ^YSdA%6QK*)l&ZwC$>CgHz%zjSKytOLY<~%MW>?P`)dkNrMiw{ANVDOE=wuK z6%p0v=fyFLo#bKSYS2wOq+GJkIKWw|bVWrzlBnzD@?iiWuyAn^B<-slG1xwfit8Mu zCC#Grjg^a4iM}ccx9(~4seGIbA+aJ_UB z0(KPm&BL(ruo>QhY<)kIM29jDJM6Q+wD-Qy*Bfqg%+sDs`9+yqftTA!f}L)`=|(+O zXhiI+Rr#*hS`ba=-Opt7P|X>c!Y78nWPr9~%NNjBv92!Q67-CgGLxSe4kjE^-hVE1 z!rj-RL`3@%HncMM!S;ElrB}j(ng!E+w;q5$B)Fd?5ENVuzn;RYEkbO3v;+|_4^=SO zZ&Q4(wWr);!r+AyMzG&e>`dn0N7dENM>}*on3(N0oGig@!6>_t`#w$hA0RWYYl#}B zO^gYngq^o>bk|8~SbR&!uIsW6+wr;`hLBp%0GC^l*IS>$%b`ly2mXzLI4RjLzjB=x zG4-)?XRrMZ0uEH+|Jz`v$-{dxf4Bhu1APAf#e?sKAubn&+%WoGeSoH8;GX7Tq-i~e zC1X+WJg6uVcrDeKGnnWlR542#^?HNCUz=o$3zF@F9skf9K-Kfs2I?=75;cbkb2-%t z>2av?hf4i^A~!&*iM@FfmqH=A0%ZOJD5AhKiP%dj0Niew+-8y${5#`O@9>EP%eH~;XdXroZ6*Jfe%Q>&B z@Odie?rE7E26w?I0mp_3Bn6DlEy+A|?nrcXF4_rNsG`FczF12hWFsb>A1Fxk4iy^7c%TRtpo%;kge9YPcxu1&C1ZblAkTiROt(+J z#Ih0rk*oqp&`1RUa=i=GQ$!-pZgeBT%d#JmK3;lLpz%t=p_{uLu4ni-yI39#0^k~l zm4RG`wn*v%kIl&qpbMfRlAARpG-6KaV}R%|fr9Z+P*C+VFGnD_p9t$JK%y204IHJt z>i|h2*SNsskUTY)hYX!qIT&mcjwC??Wrj@5mse>-;C}%$q3y&<*G)(nW2btO1=sV= z!TlddATXsO0;#PAOp#7?;0#%oP~h%0wk5y9y#xaX@stV>I9|(@0}A&|0mn3aAx-*V z{A&wZ(=v)EfTC+~-yQea{p>K`5yOHYf`F2^%Vy0k!r)PE_IOF(O#_SNEnZb1_wy+; z{{{{hFqvxR#0ULBm;M&_v~3v!Xt;5v)!sKfQMpEGfD^=Sx2^b7&3oOP(IDf!DNE{n@^2UjE1M zFoa3-vt$dbj2Z54eC#DdfnhJn;PpeEH1?ljszHfn4gcot%YrsunV72q9!9Y&>T1@; zHgu@c0KrT{|5rdWag3Frz+DMp4m@MaqH`wxaROL2DQ;GqwFhMdt2GQe~`A&gb3ccVHSmabi*z;nWo?t0W6~fE?TIH z3Crj71@b~4sA9Rpgk5qrC{vZCHd<;Wa1lX_e71wDfgVSYK)8ZYq>TbV^l+CMAEr76 zq?VT*#&~a?=h}2K1D}}f8E@jN8XGnpZv$I0N|=y?;>BR$hJ7vqkhv46UpO=>H*ax@ z-F?UgNNSfs0Dh0psw{d~0f%%fBjm=)XsNB0D&zSA8jI1sfKyd)7~%{A?1w_{mE4^7 z8imG_i}P6BTriPgqb;CEFw9F6^#JW3yFuK7!(bUDJQzBV4p#CK+AhABYUV~G<5#2a zTjZyfEYMmD_zMvLSc^%Tp8}{is&&Bz0@j&N}#E^wKmGi2^~If-Z8R zh7Y?0@NEDn?lERp5=Fyj{PfHlltP4&o`9@D*&}qNK0xqWFsQxfqPTUJTrKg#6yU~D z#*B>Zmf`~4H=Y8%%19b|JwW`5VtyPC5HHjY&nDfYeeunO)B=ssn> z#lS>NVJQ@x*hudy7Y#JD^}J*6$++6rYs>BOI!E!7@6LYp4B|2H;d&^F0A7QI!)pDXFv&-eL zA~0WDz14)Tj`fvtS+wT4Nz0=beK|Gwpp2{~#`%ysP1YPqT-V{`afMo-g{9`Dk6{rq z<}Q^DZSqyUl%0x~j3p>&Q2)ga^XXeB^Mp<&wHHgcw>U3KORV}tW~6BCjYCp_6a*y! zb;DxZO+%GWHkIPqI-0T`_p7juJex>AdgYUh(eYwGHt=3~{%**Wz4^EuY1
s|)TRD0vGs2UKyg2w47<+D+~{>-Q++BdU4Bq^moVQKCMDk3 z=Ip~2VwdziRP2boRSCGBn+aVu&KMTF61S1oFNNM{QG$T>{nY2Q8~bv_k$46Pi%F*! zn-}MO3G{&obxID2B1Jk`F_+$txU5NH>TR210#U9q`{y<1$E)twQ?dtCc`93=J;2;s zsXC{A*)cGEKa_F2?Q~~tUSi|ng!~*OWKDFoQY^P^^4-PhqD&e4HJ;mlXmp+GU_LmM zAm%cp+>U7D9hx{SGMT+NsK2nUb4Y3#p^e)dhG%33nvI3x^#fLsBL!~0F^qC+sA=*> z0=NF`3=?UXFAc0gY`bNL)jM%GU9HKh?Yp^%2PhgIv*^C3CFGs21ogpTYmG_6CcGO* zC6p@cH$arO?R1Za1aj#BUH#>yH(if2K){!{>L9gO2b4@FMNt2kZb4FHJ&XYHq2$zm zih?AkQS8+`*rs;=rOl)eI{{0T7G4P=F*_ow+~6Qr@r1`PMB~a+qig%ghoq`PxJeJ% zn|Gx}S&NGbh`!=FH?wnU7;LA)L_8fxRJmYQMC!I5N_9`a2)=v+RZ^t6nf<7{KL+y? z%V+D_JExi3-EN{eRrfzxn;@n|Cg5K=68Db~>Hv$!OYtRC8-)=9ZlVcmV^b(W!rkGJ zMs31wcEE`&o*Mxy$dWVKRBe;aAYa+kw{m3Lj$P(QIaPOF`t*IiNuCfbHqmyIyXA^S z45iYx_~(*ux&|Zsjv~;zl-Y;Cj<>XHi*swFvmqO?1teG|InMA3<9#5-m3hNKuW=E0 zJA3z(cLu#{jcq5T&p*2a&(GDftYlH&3rV-){&B>oH)kAqHOTPZl+VF;v*^4JPM4p# z@`<1+s%RZ4uvd#rb)P7nIQ5K5Hl=P3e|qAGHHg2#j3IywB*r&^;U6+2mW4`L` z`C$PbOBoyTc|0|%@mk;|tZvLrbY$eVwZTL9y!S>JDeEZqAgbKNK=0~vz1<^}KqS7T zrsbSs@^K5^Bs_i=#MH#JstaVXOLQ(AwhiAz5enpxD^S3+++(mU6BfQ-8HVt23kAS2 zv8SU&5ib*{FpA~MU%$RH={{ypxr?WztnVCNRfI`9+o!yHxy z6c4Gwn^6=kr4>Hsj|JWQ;^(v_+%ju^?fs3GybqoTW+20yhdw6~t~MokNk2~nCCJ)j zyINUCPu5nhRbQRrI@PBFEYO`r&eTFWzvr@zr{QkFg*V3E3exXh*wxHY*X&L4#YgUB zYitP>5*($G6J`&Pu3k#nHEt8!4esFA*`%T~%B~Oz5$sI}jcvN4X+BJceKfiPBA((x z<(>l{9bFG7`7_9n;tXXO*TdI8S=paTQOxR+`?mq)l@-*?=7YV}Jh~1Ftz2($jXGg+ zd?mAbPuWViV(Bi!A{LTpXk!DPn5d27>hslMG_;+zE5lxbKI z9wIt4Lx}DlVk4zz4imY8&5!$t^Fo_y+Yz9JG2don_bB`?E|BS%9V>V$#JJoNPWM`{ z+OoPV3;Z#0bRS=bN)bgz*$%I7Jl72m4k~myZ=)0@Wwk9^dtv39(1I<#&$+eN7gJT~ zy7)5B%IDIS+jHv-sm+e-L(X=Dta7-J!B=>PiVR<_*-qPp6XYuzLXs*1)5xc=rE+8x zdjQ+jb~aFgzKG}n?o&M@-)|y4#kXiT4ux^UuS8s83zgF}P=Pb;Jz_T^ey0YENc@OH z{LVlI6z7DzNW_y=oRqqo&XCQ^y~3=M&Rn{ittEJiWFysitY=$PB;FZPJzjj9PrL*@ zN@Z}DvH`1?sb~9UP0UBhv|)z0MM{$E$tOGAyz20t*E02wNICiG#8{HvE^Q5=`;-01 zZ&7N@Af`E~nHSfa4OX(=UZZ>nkNFld7d$|SPn1BXUC>bkUB7BdG@uKnwex;OT;Vq# zA4Hg7g5G4IB@O(-BsprhQmsRxv5-Mr7G*?pF;{~dG}WRWEx z?GW%3FkZ(;If)rGh5HM4xZ-`@x!kR?1#Kuc4-O8*N&z&9DGhuqg=fLeM1kpLFP1t$ zuH+RV>i|T#LajoA%PbK(^|Te;S*~eE?h0W(F^r!GOAOzXVb1PmibArOzQA-I?P^G( zQ)%QJ?Y?g`s3y{xv0?cV5_NS*R<$L>KSsxp*wnV-1MZVbru7ogr0 zTFa{nZ$Su^UD4lQ;-hKG06}nBP)Hw5g8WEGYZ`aL5fQoAtm!fdveDTSkxtqWRjYg& z6*cK8rl5(6l=f+z<+<5bK5#*bh0QXlfpUk7?k20EK#g+}@PQB-yfTvY`I$rNfw1G` z_-QLqTokFc-Tpqw$*19@sHN$5l7mG3>2iT8bM+p#ngxZzgYlFK2YF(*#B*?c%fZvtt2!y~uIB=N#w#B&EACV-6pw^2k? zwev=ME_;Gbk?C~J^SQCZ#Ky7BES1=vsb0`=u=XR)2rdOu^#bpM4FV%Eu0kRC1z+c_w~kEJ;hf- zob+9GJU7DyXtIay4b~odHNGZ5>^Ti9F<26*@}%iK*ms+rCM2xzLpGM$DO=oP8!{!P zmtmk=jJVP5a%GULU>*5J$pXFm%h%g*^LNFnn%{m6AJrrfzVt4Rt;Fx=*yRHV?-AoJ zOHI>@>4ij1%plqZSH8_aZFdwMH|K+@*4HnYZ&Kg%d=DS*8qymkQ-H_W#*JLUrx?bT z?O9|JAu%mB)=TBk{W{C_9MMh(C_Y zP*AE=O#Vz+Sqi{}jL{qzQma?XGHg!(6I-Vlta#VwPz7LGX|hqcjEJ1nUk{ z+Cx15b{l5ZuiNxBW`-H+$Z#`53~Uhs2pUn1Oh&cEFQq63wK9BQ2b;%vPd*Ic@?0Q= z*Tt5qw>2E$f)G%hzt3={0fe6_cR!e!T4K$1~CRz6S)w*Kw2 zBAa-l{3YepqpsTP+nfg!{kvhZe4w1WhhPE^m`~4B5xk#B`V%9@je7xR%Dy~w{*hUN zNy2n<0ic46I?ouQuYqu4K-20Y9jc%_ELjIoLFM=i+$=?)X2Ju>T*|1b@jikVNi3;t z!G@6wc-qQW-B|E{ZTdOXroTrWF8c_@p1<{~Gl1#m@Q448hffbq&M)QQ{z)DuQl2(4 zWkh`?hssh2>3=cZEclq-iV(7T_VG_sRSU>Iz`E)te@vwUaVPKkzO_a;JlFBH1c! z8B{h_4ZYWeJ-*1{RDx~`u_6vskJHaKsU&_git6tu9wcCqxr1I0H_pNumtHADzaxv2 zldYL%vqo~u{?qf5&58GU1uHAx@~kXe{}+_qZ-whq_4Q+b4>PVIxgIB&V)W$f8^m+k zeQ#=@m-#zKJga`z)HPIsS=ftY)I3HfFM#3-~dXq_J%08EmjGhLj859ZHN zO%V_P6ATinfOIfx%&z>N1?l<1Dek{qG7@{?YiRe;;N1K{b+EjH8> z{S!4_-<)VU0jMG;lKB0>vMJCi7Z#%GrSy-moA*l}Eda(S%>iKC>gY=(*&%KoTZ=w9 z_i3l(kt)sCg4ka06|-WXRCF((mlJ5>~l77sLb|VZ@!EUUn_2}%DtOYMJ;GqF!7<3VJkA_<4Vew z1xf;w(q})u4z^2mL(Ztq38jBTqi|d`wFZPwk*U<-bfCLqcLMhWC|uZHDgLM_nidhH z-~^iU+%G^7y5UfFWSK`8wx3ZWy+6#z>a8zvdE-TuCKfbZ4HqDr?+id=&jgs_VuHS9 z@_V`CP)0;iSj;batsJHO(_qU6!knFEbpR7$yP?XmbJCNGD3Q^Q1Z$Xk#)qO_q(i6( zNqq>uX|Fc|g#!WUnXz0mR+)I$4HDmV!zX8Mwm21%``*4woCAFNjr>Zb$4BIo#WVtl4*=Rm%EI)(Kf15)QZv1d-!?r&wOdaME6?^mI z)HTG(czGF6R?9nIcSaubCks%=1hgo8*&Hi(bTn!L+{N;VJ81(DL@2^z%6AAA?4GyP zvrm;s@n^&yLX4Jxb;u}H87g?Fj_bJ$$l`+N%f88!O{GMt?SSG7@Sw`MPS)3OK1Olcq`gshGGLK@_K>W^3Q%Ch8N8v^iX?cmeQ zc%`d)7Q>b`KCe39#~up~7ClhOd=owS&KCI2t}t1^U+#2_;4Ulb#OMxu!pI(rNr8s# zo1j@iq1BkU4{B+asyseNjQ6Qdsh5heJ=urO(!^g{;MQ&E-wb^L`UcOXA?F{7sqNBQ zf~G(tZpyt8uC7Gh%)r72YMZS9e3DNROD0lrn!`T^bv2=wMiMmuK;=PkF4|TaCn@XF zYlHRz!(P*J-9d3s)!Udvngt$zc$_f1h|BP ziEXttNWiZQ2B3Zy020cR&xNbXVw#VQ%b37iB;eUij*EE*PWN;e_jav*W~0PYv^*8K z6L*SPF+n3Oy&P=~C=!0?>-Qk;=JG8j#3U{TjVA`BMxHa5yl+0KcA_;6TcFl(biNjP zCWd=u^r^cUd+wdrHwSqJa7@%*PogMWj{^AU9b0f`N$Gn(65=(=O__-E=)K5(^W{eF zDoVwIWw|mjZLwmpFnNt!)yV9!%wCPkC^O;?;~s-tf2{P%7q!&$s4N%;%&OhISC7y3 zL=F4Oq}%~!Y*;`iQwJFY+cOoQnq+sS0|KuGO>S$l2&palsp2Hiv)uVvSrG2TK1=&b zwH9oAbm^`%DGTX8sw%|tsiL8(3hF&uic}xvV#A&Gf{tkVTXs!(or{-@I`Rv1e9c9ck6B}6lq{34 z7c&8xQ(P)fB|x8VNh?wzDLCftJMnuf5+%UIcOc0YNBEqfh@Qa!MLiH*W4*_Xt6iGT zqac-8otT`AT3K&@DQ2{IUQ4SrDuy4+l7O)f#ae&Th|%Oi(bQ5xM%E>Se|p&>W>q2~ zxM&oRX5)&!6h*f5-_?AP&3K!0$q)o1+C*&LNUh6kf9e63YXJ>bQyW#POn(5f%z0}( z6qJzzpbWjG2@*)~i+n;fURZz^QQ{rjK43MK1hZAVLpN_<{(g}X+LJB!rA<}`FmSW{ zBtO~0PcQZ`E)JxcIev+E;M028as*FiTL2|>S-lGMxu%PtaLO&gr+Qkc&I=Ly)FNIv zluK7Pv&8W6!|OWr#0ZkN8p32}lJc#Vr$bpMg|?lamM}8}l0bRv!U54t>T}+$FD0hS z4Y%0$TD<&IoNH`$@>}MolQ;}@Rj$8kDHWeobS4WvQ1=U9Xr7h0p(Rf}uO#W2Krr4n zR}ntUdwTU|iw^xc9w~Egh0|?aL?+`0KO9jmGFYsWKO!5~h`OcEAJRBc!D2K<@|Xh0 zqvbxmQyNrhSX6TekP!xSF)|czVo3%HY>)Sqb0JhIN%YPT zXiXk)N38*q$23qym~E7GC@5+Y&l&@ij5~*(6fC7cX9%( zrFl?sz%r1jnOdJ18>()3>$7BM?HzkP~wvNYUFqI)~!>4bSJp za7V@7*#qFB#->Ua=$|c?JRqZS8ryGS&!k(whHhV>sf|t7Q~S6^PQMUdr(#E(@UUj5 zlE7pefT=H+=u)MMC2E3B;0gC@l=Ff`9EvlWjc~BEfx0+PR}Oz#X6`vyi^;HSN+o^s zJu`ymqXp%-rJ3|>9`OlB zxdz2iWrT&ik3giC#V@h_;Qr|k^_hrn!;28=PMovu(E*vhBrV)_KQx*~1uIE%1=)^S z3clcNv{p&{#DZ~?%4?cFUhZbc;x_BIa%Dm)H@`Ji2&pGPwY5!JF)Lmf#18P+BCLC- zZ)j4&K6s@CU9RJBg{AS?(i^O+_yAdFyA{_!n7EAsl07p6nOXDMVIf7~L>)c0s$Fb) z$Qa%FKsox%!0g0yKVW9|?Z55;%cIW#rubuHVoW}@Bqk<~chqWl=@s!j$;b#rPD^g67PThIlIzVvTR7LF%!={PF=Wp@E!F%vig^}t-Bsa%RhfT1i%%~ z0W?G~2<)w!EDA#YQq3%JnK}EHU;Tw-_-dh$3~|A@KR=rj3hn^}GN0Pzdh!1wID?E? zA|UhCF=izB$+%n$G;k+^@uU4-%^QuE3uIS?)uJmaGBXtyCpFRYmXx)%QIe&|xDB*!CdfJ;_j zhY>s&*aU=-?{NiMZxkt5Lp&u~TEis48r1I{fpDKm9aJ4>6eQONa%1tsAKixb0^&ll zm8LdG**;T~6TI8X?JAEyef7>tQNNn2+S+3uckyJP;`F$C9;Y4-G~0^ zYaVg>Edu^4p)0H0O3y{eTo-#wmuf(s^iKXR*mdd!!7YaL zpM2}sNm2Z#LwJ#o!l~%IIQ)xO zh6*>2e=M6JjrGszibI~tT47>e;lo$jQ_h^Iaw|E5fS%~AbtIkB7@)z~5?hXBDKY6{ z5jHN?eA#>;=y&Ql1llV}MIKhWyMe~e+v@Nv@~fpuY&Ec_M2{x1l@i_@Uf_|kfB;Q7 zf|KqtG2|$-hXGsPFYDrKVXPVnM5SM65|}R)B2evmuOzwPACUQyg#FvtTIk42qK%|| zyw4h@eeHm0Xk|2(l%5Ba=(fM`JfQA)j87GtDOK0K?I?p-m-X97o|yzjb-$EGyhnhzRm0*+gq zZhhDNGY>d8D!SYVc$$buBe2YxcjPY+p#3GUv(L%%C1@E~5%B0O&`53k6yQj0<~bhV5H94PE|4CeM120Qe7~VJTq~wF kXa6SPfTYKS1OJ)lrK(Ngo9!I|JmQ_f)78&qol`;+05laSKmY&$ diff --git a/versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP9/README.md b/versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP9/README.md deleted file mode 100644 index a8cae83d..00000000 --- a/versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP9/README.md +++ /dev/null @@ -1,132 +0,0 @@ ---- -slug: /MEP-9-no-open-ports-to-the-data-center -title: MEP-9 -sidebar_position: 9 ---- - -# No Open Ports To the Data Center - -Our metal-stack partitions typically have open ports for metal-stack native services, these are: - -- SSH port on the firewalls -- bmc-reverse-proxy for serial console access through the metal-console - -These open ports are potential security risks. For example, while SSH access is possible only with private key it's still vulnerable to DoS attack. - -Therefore, we want to get rid off these open ports to reduce the attack surface to the data center. - -## Requirements - -- Access to firewall SSH only via VPN -- Easy to update VPN components - -As a next step, we can also consider joining the management servers to the VPN mesh, which would replace typical WireGuard setups for operators to enter resources inside the partition. - -## High Level Design - -[](./architecture.svg) - -> Simplified drawing showing old vs. new architecture. - -### Concerns - -There's few concerns when using WireGuard for implementing VPN: - -1. WireGuard doesn't implement dynamic cipher substitution. Which is important in case one of the crypto methods, used by WireGuard will be broken. The only possible solution for that will be to update WireGuard to a fixed version. -2. Coordination server(Headscale) is a single point of failure. In case it fails, it potentially can disconnect existing members of the network, as WireGuard can't manage dynamic IPs by itself. -3. Headscale is already falls behind Tailscale coordination server implementation. Which can complicate the upgrade to newer version of Tailscale client in case of emergency. - -### Solutions to concerns - -1. Tailscale node software is using userspace implementation of WireGuard -- `wireguard-go`. One of the options is to inject Tailscale client into `metalctl`. And make it available as `metalctl vpn` or similar command. It should be possible to do as `tailscale` node is already available as open sourced Go pkg. That would allow us to control, what version of Tailscale users are using and in case of any critical changes to enforce them to update `metalctl` to use VPN functionality. -2. Would it be a considerable risk? We could look into `wg-dynamic` project to cover this problem. -3. At the moment, repository looks well maintained and the metal-stack team already contributes to it. - -## Implementation Details - -### metal-roles - -`metal-roles` will be responsible for deployment of `headscale` server(via new `headscale` role). It also should provide sufficient config to `metal-api` so it establishes connection with `headscale` gRPC server. - -### New `metalctl` commands - -`metalctl` will be responsible for client-side implementation of this MEP. Specifically, it's by using `metalctl` user expected to connect to firewalls. - -- `metalctl vpn` -- section for VPN related commands: - - `metalctl vpn get key [vpn name] --namespace [namespace name]` -- returns auth key to be used with `tailscale` client for establishing connection. - -Extend `metalctl firewall`: - -- `metalctl firewall ssh [ID]` -- connect to firewall via SSH. - -Extend `metalctl machine`: - -- `metalctl machine ssh [ID]` -- connect to machine via SSH. - -`metalctl` will be able to connect to firewall and machines by running `tailscale` in container. - -### metal-api - -Updates to `metal-api` should be made, so that it's able to add firewalls to VPNs. There should be one Tailscale namespace per project. So if multiple firewalls are created in single project, they will join the same namespace. - -Two new flags should be introduced to connect `metal-api` to `headscale` gRPC server: - -- `headscale-addr` -- specifies address of Headscale grpc API. -- `headscale-api-key` -- specifies temporary API key to connect to Headscale. It should be replaced and then rotated by `metal-api`. - -If `metal-api` initialized with `headscale` connection it should automatically join all created firewalls to VPN. - -Add new endpoint, that will be used by `metalctl` to connect to VPN: - -- `/v1/vpn GET` -- requests auth key from `headscale` server. - -### metal-hammer - -`metal-hammer` acts as an intermediary for machine configuration between `metal-api` and machine's image. Specifically it writes to `/etc/metal/install.yaml` file, data from which later will be used by image's `install.sh` file. - -To implement VPN support we have to add authentication key and VPN server address to `install.yaml` file. This key will be used to join machine to a VPN. - -### metal-images - -Images `install.sh` script have to be updated to work with authentication key and VPN server address, provided in `install.yaml` file. If this key is present, machine should connect to VPN. - -### metal-networker - -`metal-networker` also have to know if VPN was configured. In that case we need to disable public access to SSH and allow all(?) traffic from WireGuard interface. - -### firewall-controller - -`firewall-controller` have to monitor changes in `Firewall` resource and keep `tailscaled` version up-to-date. - -### Resources - -Update `Firewall` resource to include desired/actual `tailscale` version: - -``` -Firewall: - Spec: - tailscale: - Version: Minimal version - ... - Status: - ... - VPN: - Status: Boolean field - tailscale: - Version: Actual version - ... -``` - -### bmc-reverse-proxy - -TODO - -## References - -1. [WireGuard: Next Generation Secure Network Tunnel](https://www.youtube.com/watch?v=88GyLoZbDNw) -2. [How Tailscale works](https://tailscale.com/blog/how-tailscale-works) -3. [Tailscale is officially SOC 2 compliant](https://tailscale.com/blog/soc2) -4. [Why not Wireguard](https://www.ipfire.org/blog/why-not-wireguard) -5. [Wireguard: Known Limitations](https://www.wireguard.com/known-limitations/) -6. [Wireguard: Things That Might Be Accomplished](https://www.wireguard.com/todo/) -7. [Headscale: Tailscale control protocol v2](https://github.com/juanfont/headscale/issues/526) diff --git a/versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP9/architecture.drawio b/versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP9/architecture.drawio deleted file mode 100644 index adb09214..00000000 --- a/versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP9/architecture.drawio +++ /dev/null @@ -1,324 +0,0 @@ - - - - - - - -
-
-
- Metal Control Plane -
-
-
- - - Metal Control Plane - - - - - - - -
-
-
- metal-stack -
- Partition -
-
-
- - - metal-stack... - - - - - - - -
-
-
- firewall -
-
-
- - - firewall - - - - - - - - -
-
-
- machine -
-
-
- - - machine - - - - - - - -
-
-
- ssh -
-
-
- - - ssh - - - - - - - -
-
-
- bmc-proxy -
-
-
- - - bmc-proxy - - - - - - - - - - - - - -
-
-
- Metal Control Plane -
-
-
- - - Metal Control Plane - - - - - - - -
-
-
- metal-stack -
- Partition -
-
-
- - - metal-stack... - - - - - - - -
-
-
- firewall -
-
-
- - - firewall - - - - - - - - -
-
-
- machine -
-
-
- - - machine - - - - - - - -
-
-
- ssh -
-
-
- - - ssh - - - - - - - - - -
-
-
- bmc-proxy -
-
-
- - - bmc-proxy - - - - - - - -
-
-
- headscale -
-
-
- - - headscale - - - - - - - - - - - - - -
-
-
- tailscaled -
-
-
- - - tailscaled - - - - - - - - - -
-
-
- tailscaled -
-
-
- - - tailscaled - - - - - - - -
-
-
- Internet -
-
-
- - - Internet - - - - - - - -
-
-
- Internet -
-
-
- - - Internet - - - - - - - - - Viewer does not support full SVG 1.1 - - - - diff --git a/versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP9/architecture.svg b/versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP9/architecture.svg deleted file mode 100644 index fd268d2f..00000000 --- a/versioned_docs/version-v0.22.4/contributing/01-Proposals/MEP9/architecture.svg +++ /dev/null @@ -1 +0,0 @@ -
Metal Control Plane
Metal Control Plane
metal-stack
Partition
metal-stack...
firewall
firewall
machine
machine
ssh
ssh
bmc-proxy
bmc-proxy
Metal Control Plane
Metal Control Plane
metal-stack
Partition
metal-stack...
firewall
firewall
machine
machine
ssh
ssh
bmc-proxy
bmc-proxy
headscale
headscale
tailscaled
tailscaled
tailscaled
tailscaled
Internet
Internet
Internet
InternetText is not SVG - cannot display \ No newline at end of file diff --git a/versioned_docs/version-v0.22.4/contributing/01-Proposals/_category_.json b/versioned_docs/version-v0.22.4/contributing/01-Proposals/_category_.json deleted file mode 100644 index 2e7fa4bf..00000000 --- a/versioned_docs/version-v0.22.4/contributing/01-Proposals/_category_.json +++ /dev/null @@ -1,4 +0,0 @@ -{ - "position": 1, - "label": "Enhancement Proposals" -} \ No newline at end of file diff --git a/versioned_docs/version-v0.22.4/contributing/01-Proposals/index.md b/versioned_docs/version-v0.22.4/contributing/01-Proposals/index.md deleted file mode 100644 index 0f6eddc3..00000000 --- a/versioned_docs/version-v0.22.4/contributing/01-Proposals/index.md +++ /dev/null @@ -1,69 +0,0 @@ ---- -slug: /enhancement-proposals -title: Enhancement Proposals -sidebar_position: 1 ---- - -# Metal Stack Enhancement Proposals (MEPs) - -This section contains proposals which address substantial modifications to metal-stack. - -Every proposal has a short name which starts with _MEP_ followed by an incremental, unique number. Proposals should be raised as pull requests in the [website](https://github.com/metal-stack/website) repository and can be discussed in Github issues. - -The list of proposals and their current state is listed in the table below. - -Possible states are: - -- `In Discussion` -- `Accepted` -- `Declined` -- `In Progress` -- `Completed` -- `Aborted` - -Once a proposal was accepted, an issue should be raised and the implementation should be done in a separate PR. - -| Name | Description | State | Progress | -| :------------------------------------------------------------- | :--------------------------------------------- | :-------------: | :----------------------------------------------------------------: | -| [MEP-1](MEP1/README.md) | Distributed Control Plane Deployment | `Declined` | | -| [MEP-2](MEP2/README.md) | Two Factor Authentication | `Aborted` | | -| [MEP-3](MEP3/README.md) | Machine Re-Installation to preserve local data | `Completed` | | -| [MEP-4](MEP4/README.md) | Multi-tenancy for the metal-api | `In Progress` | [releases#236](https://github.com/metal-stack/releases/issues/236) | -| [MEP-5](MEP5/README.md) | Shared Networks | `Completed` | | -| [MEP-6](MEP6/README.md) | DMZ Networks | `Completed` | | -| [MEP-7](https://github.com/metal-stack/docs-archive/pull/51) | Passing environment variables to machines | `Declined` | | -| [MEP-8](MEP8/README.md) | Configurable Filesystemlayout | `Completed` | | -| [MEP-9](MEP9/README.md) | No Open Ports To the Data Center | `Completed` | | -| [MEP-10](MEP10/README.md) | SONiC Support | `Completed` | | -| [MEP-11](MEP11/README.md) | Auditing of metal-stack resources | `Completed` | | -| [MEP-12](MEP12/README.md) | Rack Spreading | `Completed` | | -| [MEP-13](MEP13/README.md) | IPv6 | `Completed` | | -| [MEP-14](MEP14/README.md) | Independence from external sources | `Completed` | | -| [MEP-15](https://github.com/metal-stack/docs-archive/pull/232) | HAL Improvements | `In Discussion` | [releases#238](https://github.com/metal-stack/releases/issues/238) | -| [MEP-16](MEP16/README.md) | Firewall Support for Cluster API Provider | `Accepted` | [releases#237](https://github.com/metal-stack/releases/issues/237) | -| [MEP-17](MEP17/README.md) | Global Network View | `In Discussion` | | -| [MEP-18](MEP18/README.md) | Autonomous Control Plane | `In Discussion` | | - -## Proposal Process - -1. Before starting a new proposal, it is advised to have a quick chat with one of the maintainers. -2. Create a draft pull request in the [website](https://github.com/metal-stack/website) repository with your proposal. Your proposal doesn't have to be finished at this point. -3. Share the PR in the [metal-stack Slack](https://metal-stack.slack.com/) and invite maintainers to review it. -4. The review itself will probably take place in multiple iterations. Don't be discouraged if your proposal is not accepted right away. The goal is to reach consensus. -5. Once your proposal is accepted, create an umbrella issue in the relevant repository or when multiple repositories are involved in the [releases](https://github.com/metal-stack/releases). -6. Other issues should be created in different repositories and linked to the umbrella issue. -7. Unless stated otherwise, the proposer is responsible for the implementation of the proposal. - -## How to Write a Good MEP - -In the first section of your MEP, start with the current situation and the motivation for the change. Summarize your proposal briefly. - -Next follows the main part: describe your proposal in detail. Which parts of of metal-stack are affected? Are there API changes? If yes, describe them and provide examples here. -Try to think of side effects your proposal might have. Try to provide a view on how your proposal affects users of metal-stack. -Highlight breaking changes and think of a migration path for existing users. If your proposal affects multiple components, try to describe the interaction between them. - -After the main part of your proposal, feel free to add additional sections, e.g. about alternatives that were considered, non-goals or future possibilities. - -Depending on the complexity of your proposal, you might want to add a section about the implementation plan or roadmap. - -You can have a look at the existing MEPs for inspiration. As you will notice: not every MEP has the same structure. Feel free to structure your MEP in a way that makes sense for your proposal. diff --git a/versioned_docs/version-v0.22.4/contributing/02-planning-meetings.mdx b/versioned_docs/version-v0.22.4/contributing/02-planning-meetings.mdx deleted file mode 100644 index df10177b..00000000 --- a/versioned_docs/version-v0.22.4/contributing/02-planning-meetings.mdx +++ /dev/null @@ -1,120 +0,0 @@ ---- -slug: /planning-meetings -title: Planning Meetings -sidebar_position: 2 ---- - -# Planning Meetings - -Public planning meetings are held **biweekly** on **odd calendar weeks** from **14:00 to 14:30** (Berlin/Europe timezone) on Microsoft Teams. The purpose is to provide an overview of our current projects and priorities, as well as to discuss new topics and issues within the group. - -export function PlanningMeetingDatesTable() { - const today = new Date(); - const dayOfWeek = today.getDay(); - - let daysUntilMonday = 0; - switch (dayOfWeek) { - case 0: - daysUntilMonday = 1; - break; - case 1: - daysUntilMonday = 0; - break; - default: - daysUntilMonday = 8 - dayOfWeek; - } - - const nextMonday = new Date(); - nextMonday.setDate(nextMonday.getDate() + daysUntilMonday) - - let onejan = new Date(today.getFullYear(), 0, 1); - let week = Math.ceil((((nextMonday.getTime() - onejan.getTime()) / 86400000) + onejan.getDay() + 1) / 7); - - if (week % 2 === 0) { - nextMonday.setDate(nextMonday.getDate() + 7) - } - - const blacklist = [ - new Date('2025-12-29'), - ] - - const amount = 8 - const dates = []; - - for (let i = 0; i < amount; i++) { - const nextDate = new Date(nextMonday); - nextDate.setDate(nextDate.getDate() + (i * 14)) - - if (blacklist.find(item => {return item.toDateString() == nextDate.toDateString()}) !== undefined ) { - continue - } - - dates.push(nextDate.toDateString()) - } - - return ( - - - - - - - - - - {dates.map((date, index) => ( - - - - - - ))} - -
DateTimeLink
{date}14:00 – 14:30Join Link
- ) -} - - - -Our [development planning board](https://github.com/orgs/metal-stack/projects/34) can be found on GitHub. - -[//]: <> (The C025PB1EUKC in the slack url references the #devs channel.) -If you want to get an invitation to the event, please drop us a line on our [Slack channel](https://metal-stack.slack.com/archives/C025PB1EUKC). - -Planning meetings are currently not recorded. The meetings are held either in English or German depending on the attendees. - -:::info -Note that anyone can contribute to metal-stack without participating in planning meetings. However, if you want to speed up the review process for your requirements, it might be helpful to attend the meetings. -::: - -## Agenda - -Here is the agenda that we generally want to follow in a planning meeting: - -- Possibility to bring up news that are interesting for every developer of the metal-stack org -- Check `Done` column and archive cards - - Attendees have the chance to briefly present achievements if they want -- Check the `In Progress` column and discuss whether these tasks are still worked on, there were significant blockers or they can be lower-prioritized -- Check new issues labelled with `triage` and prioritize them -- Allow attendees to bring up issues and prioritize them - - Attendees have the chance to briefly present these new issues - -## Idea Backlog - -The backlog contains ideas of what could become part of the roadmap in the future. The list is ordered alphabetically. Therefore, the order does not express the importance or weight of a backlog item. - -We incorporate community feedback into the roadmap. If you think that important points are missing in the backlog, please share your ideas with us. We have a Slack channel. Please check out [metal-stack.io](https://metal-stack.io) for contact information. - -:::danger -By no means this list is a promise of what is being worked on in the near future. It is just a summary of ideas that was agreed on to be "nice to have". It is up to the investors, maintainers and the community to choose topics from this list and to implement them or to remove them from the list. -::: - -- Add metal-stack to [Gardener conformance test grid](https://testgrid.k8s.io/gardener-all) -- Autoscaler for metal control plane components -- CI dashboard and public integration testing -- Improved release and deploy processes (GitOps, [Spinnaker](https://spinnaker.io/), [Flux](https://fluxcd.io/)) -- Machine internet without firewalls -- metal-stack dashboard (UI) -- Offer our metal-stack extensions as enterprise products (accounting, cluster-api, S3) (neither of them will ever be required for running metal-stack, they just add extra value for certain enterprises) -- Partition managed by Kubernetes (with Kubelets joining the control plane cluster) -- Public offering / demo playground diff --git a/versioned_docs/version-v0.22.4/contributing/03-contribution-guideline.md b/versioned_docs/version-v0.22.4/contributing/03-contribution-guideline.md deleted file mode 100644 index 2c0526e3..00000000 --- a/versioned_docs/version-v0.22.4/contributing/03-contribution-guideline.md +++ /dev/null @@ -1,145 +0,0 @@ ---- -slug: /contribution-guideline -title: Contribution Guideline -sidebar_position: 3 ---- - -# Contribution Guideline - -This document describes the way we want to contribute code to the projects of metal-stack, which are hosted on [github.com/metal-stack](https://github.com/metal-stack). - -The document is meant to be understood as a general guideline for contributions, but not as burden to be placed on a developer. Use your best judgment when contributing code. Try to be as clean and precise as possible when writing code and try to make your code as maintainable and understandable as possible for other people. - -Even if it should go without saying, we live an open culture of discussion, in which everybody is welcome to participate. We treat every contribution with respect and objectiveness with the general aim to write software of quality. - -If you want, feel free to propose changes to this document in a pull request. - -## How Can I Contribute? - -Open a Github issue in the project you would like to contribute. Within the issue, your idea can be discussed. It is also possible to directly create a pull request when the set of changes is relatively small. - -When opening an issue please consider the following aspects: - -1. Create a meaningful issue describing the WHY? of your contribution. -1. Try to set appropriate labels to the issue. For example, attach the `triage` label to your issue if you want it to be discussed in the next [planning meeting](./02-planning-meetings.mdx). It might be useful to attend the meeting if you want to emphasize it being worked on. - -### Pull Requests - -The process described here has several goals: - -- Maintain quality -- Enable a sustainable system to review contributions -- Enable documented and reproducible addition of contributions - -1. Create a repository fork within the context of that issue. Members of the organization may work on the repository directly without a fork, which allows building development artifacts more easily. -1. Develop, document and test your contribution (try not to solve more than one issue in a single pull request). -1. Create a Draft Pull Request to the repository's main branch. -1. Create a meaningful description of the pull request or reference the related issue. The pull request template explains what the content should include, please read it. -1. Ask for merging your contribution by removing the draft marker. Repository maintainers (see [Code Ownership](#code-ownership)) are notified automatically, but you can also reach out to people directly on Slack if you want a review from a specific person. - -## General Objectives - -This section contains language-agnostic topics that all metal-stack projects are trying to follow. - -### Code Ownership - -The code base is owned by the entire team and every member is allowed to contribute changes to any of the projects. This is considered as collective code ownership[^1]. - -As a matter of fact, there are persons in a project, which already have experience with the sources. These are defined directly in the repository's [CODEOWNERS](https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners) file. If you want to merge changes into the master branch, it is advisable to include code owners into the process of discussion and merging. - -### Microservices - -One major ambition of metal-stack is to follow the idea of [microservices](https://en.wikipedia.org/wiki/Microservices). This way, we want to achieve that we can - -- adapt to changes faster than with monolithic architectures, -- be free of restrictions due to certain choices of technology, -- leverage powerful traits of cloud infrastructures (e.g. high-scalability, high-availability, ...). - -### Programming Languages - -We are generally open to write code in any language that fits best to the function of the software. However, we encourage [golang](https://en.wikipedia.org/wiki/Go_(programming_language)) to be the main language of metal-stack as we think that it makes development faster when not establishing too many different languages in our architecture. Reason for this is that we are striving for consistent behavior of the microservices, similar to what has been described for the Twelve-Factor App (see [12 Factor](https://12factor.net/)). We help enforcing unified behavior by allowing a small layer of shared code for every programming language. We will refer to this shared code as "libraries" for the rest of this document. - -### Artifacts - -Artifacts are always produced by a CI process (i.e. Github Actions). - -Container images and [OCI artifacts](https://github.com/opencontainers/image-spec) are published on the Github Container Registry of the metal-stack organization. Please consider using Github Actions workflows utilizing similar actions as the other repositories (e.g. [build-push-action](https://github.com/docker/build-push-action), ...) - -For OCI images, we usually utilize [oras](https://github.com/oras-project/oras) for pushing the artifact to the registry. - -For signing artifacts we use [cosign](https://github.com/sigstore/cosign). The private key for signing artifacts is a CI secret called `COSIGN_PRIVATE_KEY`. - -Binary artifacts or OS images can be uploaded to `images.metal-stack.io` if necessary. - -### APIs - -The preferred way to implement an API is using [Connect RPC](https://connectrpc.com/), which is based on [grpc](https://grpc.io/). For working with the [Protobuf](https://protobuf.dev/) definitions, we utilize [buf](https://github.com/bufbuild/buf). - -The metal-api does still have a [Swagger-based](https://swagger.io/) API exposing traditional REST APIs for end-users. This API framework will become deprecated so it should not be used anymore for new projects. - -#### Versioning - -Artifacts are versioned by tagging the respective repository with a tag starting with the letter `v`. After the letter, there stands a valid [semantic version](https://semver.org/). - -### Documentation - -In order to make it easier for others to understand a project, we document general information and usage instructions in a `README.md` in any project. - -In addition to that, we document a microservice in the [docs](https://github.com/metal-stack/docs) repository. The documentation should contain the reasoning why this service exists and why it was being implemented the way it was being implemented. The aim of this procedure is to reduce the time for contributors to comprehend architectural decisions that were made during the process of writing the software and to clarify the general purpose of this service in the entire context of the software. - -## Guidelines - -This chapter describes general guidelines on how to develop and contribute code for a certain programming language. - -### Golang - -Development follows the official guide to: - -- Write clear, idiomatic Go code[^2] -- Learn from mistakes that must not be repeated[^3] -- Apply appropriate names to your artifacts: - - [https://go.dev/talks/2014/names.slide](https://go.dev/talks/2014/names.slide) - - [https://go.dev/blog/package-names](https://go.dev/blog/package-names) - - [https://go.dev/doc/effective_go#names](https://go.dev/doc/effective_go#names) -- Enable others to understand the reasoning of non-trivial code sequences by applying a meaningful documentation. - -#### Development Decisions - -- **Dependency Management** by using Go modules -- **Build and Test Automation** by using [GNU Make](https://man7.org/linux/man-pages/man1/make.1p.html). -- **APIs** should consider using [buf](https://github.com/bufbuild/buf) - -#### Libraries - -metal-stack maintains libraries that you can utilize in your project in order to unify common behavior. The main project that does this is called [metal-lib](https://github.com/metal-stack/metal-lib). - -#### Error Handling with Generated Swagger Clients - -From the server-side you should ensure that you are returning the common error json struct in case of an error as defined in the `metal-lib/httperrors`. Ensure you are using `go-restful >= v2.9.1` and `go-restful-openapi >= v0.13.1` (allows default responses with error codes other than 200). - -### Documentation - -We want to share knowledge and keep things simple. If things cannot kept simple we want to enable everybody to understand them by: - -- Document in short sentences[^4]. -- Do not explain the HOW (this is already documented by your code and documenting the obvious is considered a defect). -- Explain the WHY. Add a "to" in your documentation line to force yourself to explain the reasonning (e.g. "` to `"). - -### Python - -Development follows the official guide to: - -- Style Guide for Python Code (PEP 8)[^5] - - The use of an IDE like [PyCharm](https://www.jetbrains.com/pycharm/) helps to write compliant code easily -- Consider [setuptools](https://pythonhosted.org/an_example_pypi_project/setuptools.html) for packaging -- If you want to add a Python microservice to the mix, consider [pyinstaller](https://github.com/pyinstaller/pyinstaller) on Alpine to achieve small image sizes - -[^1]: [https://martinfowler.com/bliki/CodeOwnership.html](https://martinfowler.com/bliki/CodeOwnership.html) - -[^2]: [https://go.dev/doc/effective_go](https://go.dev/doc/effective_go) - -[^3]: [https://github.com/golang/go/wiki/CodeReviewComments](https://github.com/golang/go/wiki/CodeReviewComments) - -[^4]: [https://github.com/golang/go/wiki/CodeReviewComments#comment-sentences](https://github.com/golang/go/wiki/CodeReviewComments#comment-sentences) - -[^5]: [https://www.python.org/dev/peps/pep-0008/](https://www.python.org/dev/peps/pep-0008/) diff --git a/versioned_docs/version-v0.22.4/contributing/04-release-flow.md b/versioned_docs/version-v0.22.4/contributing/04-release-flow.md deleted file mode 100644 index 62021ebf..00000000 --- a/versioned_docs/version-v0.22.4/contributing/04-release-flow.md +++ /dev/null @@ -1,110 +0,0 @@ ---- -slug: /release-flow -title: Release Flow -sidebar_position: 4 ---- - -# Releases - -The metal-stack contains of many microservices that depend on each other. The automated release flow is there to ensure that all components work together flawlessly for every metal-stack release. - -Releases and integration tests are published through our [release repository](https://github.com/metal-stack/releases). You can also find the [release notes](https://github.com/metal-stack/releases/releases) for this metal-stack version in there. The release notes contain information about new features, upgrade paths and bug fixes. - -If you want, you can sign up at our Slack channel where we are announcing every new release. Often, we provide additional information for metal-stack administrators and adopters at this place, too. - -This document is intended for developers, especially maintainers of metal-stack projects. - -## Release Flow - -The following diagram attempts to describe our current release flow: - -![](release_flow.svg) - -A release is created in the following way: - -- Individual repository maintainers within the metal-stack GitHub Organization can publish a release of their component. -- This release is automatically pushed to the `develop` branch of the release repository by the metal-robot. -- A push triggers a virtual release integration test using the mini-lab environment. This setup launches metal-stack with the `sonic` and `gardener` flavors to validate the different Ansible roles and execute basic operations across the metal-stack layer. -- To contribute components that are not directly part of the release vector, a pull request must be made against the `develop` branch of the release repository. Release maintainers may push directly to the `develop` branch. -- The release maintainers can `/freeze` the `develop` branch, effectively stopping the metal-robot from pushing component releases to this branch. -- The `develop` branch is tagged by a release maintainer with a `-rc.x` suffix to create a __release candidate__. -- The release candidate must pass a large integration test suite on a real environment, which is currently run by FI-TS. It tests the entire machine provisioning engine including the integration with Gardener, the deployment, metal-images and Kubernetes conformance tests. -- If the integration tests pass, the PR of the `develop` branch must be approved by at least two release maintainers. -- A release is created via GitHub releases, including all release notes, with a tag on the `main` branch. - -## FAQ - -**Question: I need PR #xyz to go into the release, why did you not include it?** - -Answer: It's not on purpose if we miss a PR to be included into a metal-stack release. Please use the pending pull request from `develop` into `master` as soon as it is open and comment which pull request you want to have included into the release. Also consider attending our planning meetings or contact us in our Slack channel if you have urgent requirements that need to be dealt with. - -**Question: Who is responsible for the releases? Who can freeze a release?** - -Answer: Every repository in metal-stack has a `CODEOWNERS` file pointing to a maintainer team. This is also true for the releases repository. Only release repository maintainers are allowed to `/freeze` a release (meaning the metal-robot does not automatically append new component releases to the release vector anymore). - -**Question: I can't push to the `develop` branch of this repository? How can I request changes to the release vector?** - -Answer: Most changes are automatically integrated by the metal-robot. For manually managed components, please raise a pull request against the `develop` branch. Only release maintainers are allowed to push to `develop` as otherwise it would be possible to mess up the release pipeline. - -**Question: What requirements need to be fulfilled to add a repository to the release vector?** - -Please see the section below named [Requirements for Release Vector Repositories](#requirements-for-release-vector-repositories). - -### Requirements for Release Vector Repositories - -Before adding a repository in the metal-stack org to the releases repository, it is advised for the maintainer to fulfill the following points: - -- The following files should be present at the repository root: - - [CODEOWNERS](https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners) - - When a repository is created, the metal-robot automatically creates a -maintainers team in our GitHub org. - - The CODEOWNERS file should reference this team. - - The team should contain at least two maintainers. - - `LICENSE` - - This usually should be MIT with "metal-stack" as authors. - - `README.md` -- The `developers-core` team should be given repository access with `write` role, the codeowners team should have the `maintain` role -- Release artifacts should have an SPDX-formatted SBOM attached. - - For container images these are embedded using Buildx. -- The following branch protection rules should be set: - - The mainline should be protected. - - A pull request should be required before merging (required by at least one code owner). - - Status checks should be required to pass. - - Force push should not be allowed on this branch. -- One person from the releases maintainers has to add the repository to the metal-robot in order to pick up the releases, add them to the release vector and generate release notes. - -### How-To Release a Project - -[release-drafter](https://github.com/release-drafter/release-drafter) is preferred in order to generate release notes from merged PRs for your projects. It should be triggered for pushes on your main branch. - -The draft is then used to create a project release. The release has to be published through the GitHub UI as demonstrated in the screenshot below. - -**Tagging the repository is not enough as repository tagging does not associate your release notes to your release!** - -![](release.png) - -Some further remarks: - -- Use semver versions with `v` prefix for your tags -- Name your release after your release tag -- The metal-robot only picks up lines from your release notes that start with `-` or `*` (unordered list items) and appends them to the according section in the aggregated release draft -- A tag created through a GitHub UI release does not trigger a `push` event . This means, your pipeline will not start to run with the `push` trigger when publishing through the UI. - - Instead, use the `published` [release event trigger](https://docs.github.com/en/actions/reference/events-that-trigger-workflows#release) for your actions: - - ```yaml - on: - release: - types: - - published - ``` -- In case they are necessary, please do not forget to include `NOTEWORTHY`, `ACTIONS_REQUIRED` or `BREAKING_CHANGE` sections into releases. More information on those release draft sections can be read in a pull request template. - -### Pre-Releases - -Most metal-stack repositories are installed through the metal-stack release vector. Therefore, it is safe to release them and wait for the release integration suite to return results. - -However, there are certain repositories that have an external user base and can be used without a running metal-stack installation. Examples include [csi-driver-lvm](https://github.com/metal-stack/csi-driver-lvm) and [go-ipam](https://github.com/metal-stack/go-ipam). - -In the latter case, maintainers should create pre-releases using the GitHub feature "Set as a pre-release" if necessary. Additionally, maintainers should use an `-rc.x` tag to indicate that this component version is a pre-release. If the metal-stack integration tests do not add any substantial test coverage and if the component is thoroughly tested, a release candidate can be skipped. - -Once these components have been integration-tested, they can be released as the latest version with a valid tag on the same Git hash. In this case, the component in the release vector can be updated to the release version without running the integration suite again. If necessary, comment in the releases repository to execute this action (let a maintainer unfreeze the release pull request). diff --git a/versioned_docs/version-v0.22.4/contributing/05-oci-artifacts.md b/versioned_docs/version-v0.22.4/contributing/05-oci-artifacts.md deleted file mode 100644 index f9e46796..00000000 --- a/versioned_docs/version-v0.22.4/contributing/05-oci-artifacts.md +++ /dev/null @@ -1,39 +0,0 @@ ---- -slug: /oci-artifacts -title: OCI Artifacts -sidebar_position: 5 ---- - -# OCI Artifacts - -Certain artifacts of metal-stack are not shipped as Docker containers but in a more generic registry container format following the [OCI](https://opencontainers.org/) specification. Examples for these artifacts are the metal-stack release vectors as defined by the [releases](https://github.com/metal-stack/releases) repository or ansible-roles that can be used for deploying metal-stack. - -The OCI artifacts have an expected format convention, which is described on this page. - -## Release Vector Artifacts - -This OCI artifact expects a layer with the artifact type `application/vnd.metal-stack.release-vector.v1` including one gzipped tar file called `release.tar.gz`, which should be marked with custom media type `application/vnd.metal-stack.release-vector.v1.tar+gzip`. - -Inside the tar file, there is a `release.yaml` file that contains a metal-stack release vector. - -The metal-stack release vector has a free format but by default expects an `ansible-roles` key at the root, mapping the role names to OCI artifacts and versions, like: - -``` -ansible-roles: - : - oci: - version: - # e.g.: - ansible-common: - oci: ghcr.io/metal-stack/ansible-common - repository: https://github.com/metal-stack/ansible-common - version: v0.7.2 -``` - -If this convention is not followed, it is not possible to install ansible-roles through the `metal_stack_release_vector` image as provided by the metal-deployment-base deployment base image. - -## Ansible Roles - -This OCI artifact expects a layer with the artifact type `application/vnd.metal-stack.release-vector.v1` including one gzipped tar file called `ansible-role.tar.gz`, which should be marked with custom media type `application/vnd.metal-stack.ansible-role.v1.tar+gzip`. - -Inside the tar file, there is **one folder** containing the ansible-role to install. Please do not include multiple folders as otherwise the `metal_stack_release_vector` module cannot alias role names, which is sometimes required for deployments. diff --git a/versioned_docs/version-v0.22.4/contributing/06-community.md b/versioned_docs/version-v0.22.4/contributing/06-community.md deleted file mode 100644 index 98a65b28..00000000 --- a/versioned_docs/version-v0.22.4/contributing/06-community.md +++ /dev/null @@ -1,11 +0,0 @@ ---- -slug: /community -title: Community -sidebar_position: 6 -draft: true ---- - -# Community - -(Slack channel, community events like FOSDEM, Kubernetes Community Days..., blog -articles) diff --git a/versioned_docs/version-v0.22.4/contributing/release.png b/versioned_docs/version-v0.22.4/contributing/release.png deleted file mode 100644 index 598b118221b61d55a2de4b4c1841cc6416892b6e..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 87019 zcmdqIg;yL)^Z1>R0Kr3W4<6iImY@NGyR*2vYX}xRxVr~;*TvnP#ogWE-7C5GKIi=Y zf$w|HEN9M8)6-L3RbAEd=^$BYF(i0g_*bu9A&GwxmVfmM3IzG7zJq~W38XvdeD&(% zD{;88uCkwW;aCVIm4cDEKIbCixj+Bav2LwExc^$4Ro;aAmZjhZs}a_(3Jw(Tz zm@b;i9M7IkH-kMp!L;cdgg18}UB;iKGe47(!b7Uw)UwY&mr&*K|J&$Kk&j}Xr$?XI z9P@RErAn}@R)_774{_C)S5$YAV6w6{Y;2vn76zDCVl?2X{~fSx_{}fagbhr7M}Y1m zjX0<#@8QbpLqa8LooSh(X;i%QAMt_at<-hs%D*i^;O!7F{S;x z)eHfIO>pu^lNAjOSz}xOHL_8Jw z`nq#L?cDgtwdMt8dHR1uI_ZBJcb1o>6VyoZs}9hRs|}{lD!@s(J-)M#gtrQ%M-aN% zIZD17LIP1m*4^IMAtZWE)`QDzQT5yN6_vD$R5$&v)DkJqIt#W0|9O=LGDxGRO;?YJ zvTFUoI#E*SR>w1l#Rn3j5v8Zbm%ajzr(bOP_qAyY;7iy=!8`7sc=#hPMZ&0OX?NPK zSmKl=gX{Z)bVi}f;)d@0q=iIRk9Ga66ZfZzRap;&B+^s|^H)B1o=z_INB;B7JE4y< z{%dJzdk$bsd!165I(hUKoQ}co4>517m&-Wq2IC zbZR(oA``p%)9!RW@l6TJPvHobjmgiZ8(g)PUfm0;scQP#2dI1fS}o7UovAt;e}ZT1K|f61C5=><46y}*!l^BqF^t7K zp)FldM0Bv6`4UE>BaQ$0i7Y=~s%W=F=~Vg1szEcx;v&z*^W$QUM!_6MF5(6h!(^>H z&ImzMf9ar^nWBCE7dK{idc%b2scq@#z7GNBY({6T`sns`z?Y9 z1_e8n^dfQ#mHd@d602F)Vp*GCYOFt3w`ga%nr3CyKeGovdS51^#q)$&4;SbrPy7>Y zOfiv4oW8qN<&z#v?yvf)OdkR*4zUc`Pmn3fAjhnN>Zs%K7vp6U;Wi6%Fpm9`;zA74l`B zbQ1p0LYj@Q#oRG!esPXxr(xx{AsLNCP#LjZDKM1887BD!f3{3M7j26$Idj9Y@~BE{ zUpZ2nFTy=RQ6J@i^Cd#rsJ7O~b9y9FcZA`fPv01O=ELVtAE~e;O1|ztrjRT$ zRFSww`zvC-M(rzu;zAD?)=@uNW3=eHyma2|`be}d)goFM%Lb657p*c?X^6JUP~syJ zd=95rSQ%zzUNSP~Z5#O{-m9ikpO%piB(R<+>s{Aej<|8KMdVHCD=Kp-&km%l3Dn9m zmGo`};Pe10xFwYBj9o2h+=wJMLc&Lyd2ZOLV4#IG?kXR?a1ycJ81_EPTIJ!o)C6E{ z4D6X!aV->Id*wv}H(22|`pT07wjGlyOjekn@UJ{rD^ZM(z(&2*n9T}p2zWOqy`vPV zgh%S~jgz$epQ8IBn7|I^r_A@E!eHx(*dv|eZmGm4R$5Y!5nI(E?eF>JCkpiWS8T5* zBy06XBgSKsN6(({;SgDV@*qCt0-*evxA_^L)n=d9o(x=54DjSkU?O7Z z9i2`hx+x~HIk>5Jy=OKukTH@;lsW*~Q>C4vRm~oPid-EvOO6yVgQ-)7!9W{39;ObM1#Mh0c9x7sZf@I~gY_A7; z7p{T?jvUh0saO+x!>=aC^PVu^CttR$n58;3ndWtVPp2Q-;2_f}yLXbXmoH0xvkV_| z%5cb|mjMC-I{};j)%rAeE!(!GLfPnI^<_>;65)6a}T9 zkUy1n+W*Y0%_Kibf%T7L-d`l#AN6A{B(`)Exzg@4@fd!6i)aY8 z!oB1P-^&L&oAYNd#wcRUf__gj=(2y@BU)4-Ove|uysjyWyFhyogCX1hQlK0rUu%KC z8oxthsq-*VhkT}DpUEjpOU|b5KMg*T z{mce(0zQ9H`}gGp-omGU^IPkj-Imw?EeHuHK21;`0&;2oO~k*wLsx$d2lB7o%U%Ch zl^_3*LixWd#q}XzV?7!Y`?F|%N0UDd)K&eDgfgwP0$uvIvHv-N9>agZjw}7gh9M`i zCJ-~mTF8qJ{wKkJr~@L!|Nko~J6^;C*8W|`y>FRgB$D0#wI4fW0aIX@e=cbTPZSa!0AO)?2*Ax_=;lInQFi(m-gjU)e6ZzS zPk!#EcHwr{b$-`Uico22)#^N8zI%5iSAjlwcdgnn~nT{6q++6X)H*jGg?S?q~>f+SC>ri2W*T>(DF5c^$(^7_V6n1tb7jB)=<;GP3F z2??pK{luz?wf4t2#*~*u9kYMDO7HiI({X&)`=r+S@SI~;1%FM%)9V)q+&T=(w!Cib z88e;o6X{w%+VRajca0^v;4KWY?J~DKwSTaVFmCuIUDhjjxBLCTQQZn0lx@H?x^w(U zYuM^s%ueb*#!1)hk&=GzV7rF8y6IDt+O3dI$^$D3h69aE!on66r+@Rc@?S?=6?3yd zH#1k^#jl(_skE2c;FojmEI&K#IHR&sbXj7X>W34~Ej+!c9<2;HyRrhFdFZ?~6^H98 zEIG9wy~q85jL^HVjApJy9oY{b?841kSx;OibV|P-kt=d7MtGe1>DK8}n#f~$|9olW za$d|6MBV2V0s*)mCR1!|z3x|3?&|L&Xx-G+ad)%NRj}Eell|%$f<9 z`p6fygWG7+k&8uNra8FE3*0d?5LWQlWd_E#Qkh@ox9@XIL}3Vxjzg_@dsoi#%;|C1 zQnCnoCf1eGEiQQoqTNv_7K-4bd#{LhmkiCC)gpH=V7=zAa2B%%DqPw%=0AnpHIc1w zi`}@cRO;X9c9v;%Wqwghu_SujmO(~YZ+T9>wK^dy9s+oV6QQ2p*aldJ=-(_|8)-=v zNpCL=qyLJ(FuLo4n`6fpjHs)e1RH5l4313RBX3`=U6`nXk2_Wl9ILHo(z$q4P`&gx zP`zqQuaagbbv9AOMsPVp<6(yKOmmAnuGHv1c-&Ju=~NlIG{tkh?BEP27D=n`D!EC$ zM3tDs^3Ar|-LERoEPd(>&aA0KckL(##vE|?t2n64T}P0UF1DQipf=qF7gJ8omQb{V zdYY;6E*;FLBgWH9aw-=u+(eR9-p*^h70y_FX8=Gv7=P;zS$k_2^dIO&$fdsE`?R&G zqS~ee8+&Ds&&sqL1USVQ89o5mjY&R@mhEa%>mIzU5Q8(MN!M26RomoHG+x9|q#v8u z5Ja%O>L<)8!bCNiP@Yx>5gRhG+Ok*nlP!|Qew5d*d{=v#v}0tbcK8SukmC?-rl(;?&}uErzXQ9&tMwlkfW6;uN_$k zDXMag!`;QV?+@NaQLN|}% zC3QVHP*xB?fiqW>)XZ=kL?;i~*ZbAz-vzVU2jbR6S{feIJ!P$Z!!t4%C#KwZJ(_Ku ztJ$A4)a^(FpB{z`h;=T~+Sx z{r&`V{Aa0(Tvq+cGOE{`HRsMCnUVJ8Uc6CnPYvK$AzYYrcZa-~umk*Yt9Cul!q2oA zfyxeC6iPfs?02nb{@$nzM%bX!vH6&)a3N!$Q2#pk(-k*&Lg%SOGaH;qNs3KHjX-qT z!0_r9TFWCU?MV|bEDRXpKz>qb6eli!}no(k3lGIVFz;^K7xKWa!*kp zE=kO; zq6-y0?OSp_Y_@xt?xi{$2%0kdiYJDt3-e zj}?;(YMRanr}l#8?wAoN1Cjw!>uFs{;@M*}$L;{cK&|`ma5NN!onf=vg`CQ*Ii>K! z#NGz2LC!oEUt32l6RRN_B96N3A0P|g{jk~l`k+_)XR%VxgJkF^?Q1p z4yWdBBbr~PrvNzh*C-PAO_SbVte@vwe=vYj3l*jVmlu&)Z0CDFmAwoU^qZS5H4uQW zarxC=_{(1LjOE$MKenbIKY<7`>i z!>rMKfg3G8TbhP6hD%F5fezsV;Y}TPrAzw@vv2BWnRH}d>;^YDLjs3tb8zxNY9MpT z#vr~r>KBs+_Lz51NwENmvEvpA{1tb~i6+ytegLEd593Owz3e@(j|h0{D;IF$H^ z3J~RDuJ?wuI@aix5kGFev%?V_ef}D%L#G^W))!7rWY5|ceq)Xfys6C&Rb@=(kmOI8 ziN-ubL29JS-PS0R>luu?YVtB#JeFzjJY_-7RWa5snleUtb6nq|VX?_L5I1a*O%RV@Xm)lj zB=?EPLnA9ZSGy%M#{0riyJWNXdK87pZ5+yMA#l>B3n+bz8wURd%^h*GMI6DlxjY^f zZ&dyzRi#1_d2P&9zeTj__PEc+KY=LWDVxq5RwZ8~u#nYk^1ap}fwbmKrL%~R8~cHe z{hdmoatSNt4dG_0&&FMOEdcF4%*U=w0ZhOTxaCOZ8157ykj}oIG@Yy=7q2TT-i#7t)!f)7wR?JIki(^`F%lAUGP?1&_KH`d`8u5f62_8wq}G8x-Vu=S z^%!1T^|IPTM_M5u8J|bQ?73mq8D0umDfQWk-mAQ1xTYmCz^w=hmh2fk`uuL98|I=- zn&$R?6>)*%U@#{3!ZkO6h6)Z&m4{pZYAio*uHap{bML%pKOnH~bPqsSOfb9qS+(Vq z=4j`!Gl&i(hkJ>5uoTZtY9!D1gt)AtwYs?-nWwY4Mx4p%;-YV!yW00F;%>5pcyb{w z%hH#hcCG;#MT*n$p?KrLQ=!sBDkU;XKsfk=H;Oy6AcKPSDt+rRhyQSN?|X%8JpCjk zK?1ut7*b?g11anM+JuocG)Y^fj#}udyXjJ=IMWY-aU-OS67JlJL%Qv~E79oLh7Z5M zh^7EPAPv8s@B=aJd`-Z5sdCp6r^sN?%IVQ|+Egh^(y~rz$0GQ<6bnV7M#;PJL+4$gyckgRN+)7doEi&oKj_Y_R&O9n?!cSFy5~8vuvD>gA97(utKRaSEmbBj+B8eiiS1Ze=hL+Lw#4b#Csn4bQqv@1i!14` zW(tXZ<%7)t3kHDI@vyrTMa53Ld`fYQ=ED^uT0~xzxluA~ChIv7c)va_z4iX>Mp(Id zekkdYcS`}LitnM z9+k73Bmt|Ky}o2Pu{l(QxNcvtNPJpXJYXfGgNI@HB_q;nhc--RTo{IWJnjar%06Hc=pTsjKT zm*LlFCU-{SQ-xH!v`2Fs-ng@mc#N5nQs{0-;yCb{1cV+Nc4xO(Z=X#^@8#G`$8^aw zP|7-%*)O7H)lXMgu^Z$0k||cLtVJ9wpa_pqJn^!_b7y!!b1p7)L|mdLCk%#1G)n?_|^F>|%IUf9x_JXl(} zC^jW~GM7UY1-OWUu6GFXbmr@m&yG`AqZ#(}{v~B^fTRKIOrFH|7qH@AseOBSwBLr! zOSiAD$*|Jo0OvTFH5dHst&_TZWJ2u&t}ZR6!z#>`(Ht!ZdeO^Rvh^LWt?pBh9%M4h zZF6>hf?3_OyF68omKh(9BDsVgFDO|6U{RCiB$fRs!}HZ`RRHTxd%GQ@IKujGZDlk` z39`%*vxXqQyqi(SyFlMiaC+x6G{IM$bb3Oj&~MTkUx6-D9b`@;=7CUe7ULOqLRN&% z&g_V{uh}Fxh`K_N4Iu*0BaSX$B+$xHvf#Ggw;{UC^c8God#tq9<2jn@M-L^?&4Y2d z=>Ya&5>lo@7>P+Xy+YfI^mXa3a0}tV-QF0jLdLV}j=EDz7}`g~{$*E|UK7(QNSk z->a(~L`Rc_hV@X)2pu;_Cbum&jSS#1%pN25vKN>t#E43Fd2OrYlB|Axm6~Pp?tkaT zj`zcQo;eSNK-9dY1U7y6L?#`p9jx zS3j=GhW|NG{)`o`B3?fkcCv8;(djrX;z`J}6FtECwnEQED^4cq$I*kYlzl)niItr7 zstbU@)c#B6rp1W0lDWQ65}w=v%BR-4hiS3larda zDkh_In6ZR+qEUoyaiZCk0c)aYn7ZC)A0-*wE6o%=Who~!I%L@ipF>AQjYn|8m$-a~ zcdBo>jcesZ-MB%bxVrDM<9qg%9=ud%|Lu$bS-9%FL3O0_Nf{# z5rPnU9c)SN?Lbh*tWD91aBvB77pMJ5y@(XP?{dcc+=F^lvnT38REezid`PQ0k0$j) z)bk=-)=jG5)}F*YQU0k`Ej~Ry32`A}+KCGqs}s-bkO00QKM$OMbVJh`F{$X?rhST= zPMflsWt=8A47pzZje>Qgyz0VGY16RS2?38e%OoeAuJMf!+r~xN9@7ujj_M;EVn&(b z;=TRjm{OuJKG{9;jf>a|ZTso-@9qtfrtrE3T8gOFExI}I;wqU~KT2XFKODd|(%vU; z;K3w{1_XMK#V>$Z!~(b27y zA+@|O6YComH>51Pm%?hd?vRARd=uXNS1Tv!{o7Rf<(B+@(q+p?peH9A8%v%2+B8r+ zCFX|3>qS5sh=IMP5-gA}mE{;1QLvxC?Q2SOc9SRb<(j^GPn7}l$~8#z1jT3?T!Zdd zNk)ImkQB~4aHH`cTh{RwnNTCBg$WT>n!H(J$J-yc(Ra!WNmS}P2057@t#%@~?zTwq z>2zm1xinABzsCOX)uf+@u`MY|S~s_ophiY^Qrp(+rOaJlHwjeEHkvL@%$eSW*C}bw z-ul$oVwsYs_mPSV36@7PiDQ3oeYuEgEu)i@h*znkS2=TSIZuDyn*p(mF<>n&)GF%E zXP|!h?tzntwsENc%2(>Mn?(BSW@ZD-VVWk!=0#nw*)#G=pj)Mj>=7-)03;<{Y4V|` zI>$W00iDKaPg(MY`HID@n-mI{&Hl_(&@;YT-4@ixE?xFSXv0r5hwn=tO%$9O)N-NQ zCTl{YKJWjgUVuhYFzo>&CPT{-hKO~-8h2b1k`)BEeS}POF}()uaXZ#`dc{moh}sar zSE!`Mn}G}?#jW$?k?3sJ;K)SK8|;zGD2I(8 zf==21p-6!~F-i%4x?M<&d&%~Y%|J0MZ6YoDjC>3#zg0Do4QTn7N%T~+>$Yq&*Ef2F(6;p*A z-;cy*);BWNA2Ww(ZwG^7mj~so`v_Z~^hl^LFU@D8uZie5!VtYLqk~iJ7ZdjvOVq3b zN;JFs@ANDE)*Q1T$i$SWg#0>*>7)}$5lV@!*@O01ow{H>LUv95NSuJ3>gybZRa5C= zyl?WE0?~27odakUxs$DUmHeL(8Z_gFL;92_5YKQgDY9|P4I}9-*yDx6Y^h4t* z-rEQ@iO6Y$AIW@hfpXCmUnIH)RuDWru%LE?dzTbA-X4Kqu5aZL?6T`s zrr3H`_U7#p!6)^20a(yk@;SCeCx}opZ@+WLCG+Je=pFb*uGP!r>B%`WN-OdGNaY~h z;(3w+&Yjx1r_i{evF9)xPsZzQAriO1t~S_EX>xwm)7xtz1uec)~eoi%y#&=4UxzXC#jjLE{@|MTK>wMv++bMe5xGkT2tA6wNN(WZ; zVb2Z5v-u}(_wjOnL9TT&SkZFD_f-g|7q@33KuF1>*5`M&8;S&%j{Auyxy;_1q7AS+WIL7B=$ zg`ufa@p+C#D+~v5T$8sVazX5D&3D^@lO9*guvrFJ>0Kv@G;1vQFH2(D(N098;Hj*I zAZdIW&!O}M-)t`jcAl2D7y22(f!rvrcSAH%**(VA37S(`EJJ~}CAE`#b2UiTakd5{ zVt5I4ws74wbtYhAa-jg{4r(U9tq1yY_hlE06AJbgiZJcvo^$2J+L*IyqlX1LR&1uk z*?QrfJuz&)96Is37htb-zlFv`I@&>8`BfI1r+V8!dT$$9#b(o2GZp_vnRg&!Z-V@z z`lrkN=`_7s@genl4EJmLu4U1Ff3zl3fFmH;xh!iz==F+f*}=-8{%W52SKOKKDjpTE zj?}srHki$4S|Q(NJdfnaEPk!;S}VqUI{w&^(1QmE4=UN2%-n%(mLCdEv}do<>$N-d z^~wQ-Mt{WtN7(~j+DAxdIX&!f(vk6p0CD8IvxW3K()gQEPesMpcWI_wC1D&`D zPvkrZ!XTZ5TdH#o)}{k{^D4d`vji|-X`IS`BYoho&erQCHfdYwqTBh!>QRE7-^M>e zSI40?chbRo`v7#Ypi^(24P^Iy7;BcJ!!P-GK0)O+#6NP%A2vqehgyFvc72ivdNO_N zVbp8_u&LK(&M%Uyad~4L|P)aI3Mml$7Z|aIo#9Th`D;}1qGBIRwk1k4l0-{ zMk+(EG2E&o2-RYZkbiro9WN3}u##HfEnVex!%)0X_j={W%5K{^J`dn1nlc{SW8E76 zj~MZB7J3LCWO?sf$FN)TDV5iTXbP+86-QQ{Ob2jRRepw6w8ZI^Bh)YWnlm${)G_g@ zj*d5$DKIZwq(73l;e6ehVn)(TWL|z~<$umO){40K&Q(Ag+f|}1d`?G4?M^dcE%LtH zZR9BusCCNqJ>R;sF$Q4JrMFmsg*l6yQ8oj!6U&YvDp3}&Tg_0YFYVOym->5{Be%s`gE9dx;ar&7A6 z^9wzx{@pryI0Tra-0VRb(Lw4S=}z6B9$32_TY}w4ecUPYQz#T~Kpcy!Ip0_;3DhB_Bk-f{z6=w0N$k^$0NgPXixy_R;1DQ)G% zm2bc(%C=zQn7sRt)p>h&>F6ODlV=8p_565%Ye*AMxxP&o98cqKJ9fHohv1j1an`27 z(ss^a)l;VH{cvSHMePoDDS>h>)e_O)2}&k`%S~n=yjIST+UX24p^l@|YutE=*BMRP z=4#XI@$GYvl(^?jV6fyh_AtO+Go>DYb;+9j#pQj+jxi9=UXp938NRjPFR2L^oGW}c zp~zU;Z82uIruQC$I)-%^E*J^nv*k|E=yKUm*v{8rxSgpxo@V*%g{Q6Q&}2_&Upi^eUa3pu059cAn|GWS`Re|EJqgT zpoDUs6nJvZ3+R=pv?!Hfs}>14^H)?sZX#P$hoV z@OaUq#FA5 zU{?)e117q$WMDD4OBSY(V+Zejw0pblu^MpV1kNfA3ly0TqKtbOmn?39>_ZlV^F^pJ zMe0FOtk|%(p-e>$TmjZh-MfW`)DHH`_q6a!I}29?WY) z$tYY5iN-M4))8g0UeU9~#G<)I*E98+3Dsxwpru`&jz?SmA6Z)iYoZ^J`MYIvd(q;pIHNPNh|oh>#y3rg!tYHrAkTeFfopU0l_aK`DpuQirY1w} z_?*&$?KjYoXvPrBQG#yo%>ovm);*Jo?K7gbt1qJwMlM9@gjnlt$TC$1>JFq+u+^W%v2J3-TvuQg^{ zwpA*&Pv?%oaqO-97zSiLAM~i}5Y!#1^JR3%xYcB~eqnstj=g)$O>&EAOdlZMtjSe8 z9pn=K$tRW~h{idpP<4T0);m+;^&g+U^95@2#SN<5U}|t4o+TYe01v59G=M}$$v03 z=r9m2?4>RC!W8=%(>P+?KXX)q;9o#!wE+%0U%V@ybA3DMPM3K8BNsU|#yBT`^U@@m z?w@$f(~5oMNva@_k+1jU4#F6&-?q^xOhjaDJ0^G- zbg;I4#Yj6z2H%UIY)17P-#YbxU?DNYK-`oR&+;nwa=*Qc7KvxBWc3mX=5yrkC%Uf( zEym7+SCMPRYU*@Nv47GEe?KhaBfLRDjh~25Nh(4(GI9Ye9m29*7;Z^iObmL|hmF&# zDSh*cF*BiglS@q$5M(&;O30cZ8umnm4+=F+xKaBW+i7tykKBszM z>!he>X!soH^T&Cy z5Y%|6Jlwy8&wHPI)V@DenU*)diT&Sy>=6GA3Pl*j*#G;ckit6*($4?0GizNxh-@7$ zgfe9@-^mvG{Zgd(9uGpZx-jN%R6;7$M3kT3(w-qt0(kL$w#NWMyl<& z|NH!x_hY8hIk`EjtJ-`T(hw>O$&F21t_^r{= zlQuow@bmq2^kSK9MU2;7&P`tPGwP?Zcp2@D`4`o*oYn*aNq>2Ne}95c$499xyeS|c zr@Q~pmj8LqlA_OBa5OzIEQ;T=bmfA`-JT6zybck%Y^r2c!6m-r)) zQ-;+S{XZ5d{C}&fcC3i`IeC#OQ31;NgJF#rN#@k(@Wpg=woY~exs@)NS2JccU0pp< zNpayF8L+;40Cb}`lBV81FPQ+g!7rHtx$O|3h|rACllrCdZx#f8CvMQKr7Vs~zLGn$$f`B~NFZ5kn=s+yW%ZI#8H zMEjicr5oSb+1aiGw}+>PY{G*$h0e4p{BL+w4cd+j5l_rdVUpR#&Q5@;O-)BNoh5vt zr<-!^;3(X-nlryHxz6|W?3z7{b|CHrI!j-#ysoCZUtILZg}1o`(qBeUNdtkeIeDqs zFKFCDupVMPooKXv-bj9x=op#7)xbNzFEJ7gNZOrKZRX{(zvQ+%$D-85#|aM&%~2gE zVK~mRBmdhN`V9Y|pq)FjPaT{+iL;{{4&!&|(=%su#|~^A$_K|QbMx{dOO-cvSAS;D zMn<=(`edx?O2mG8)?=Vn`Fmf3k0v@qX@^^DaUs*x&G8WEI0!czRI z633>O9j1y!{maS&AXaMeaVuXdjU2IPa&kPot7p5PV>LIA-xGU8wkSyEOBZMuBP1|y zLb$gJs2S1;(&GQJrJNqkn4)oRr}bygeU?5z_Ko0&#Rnd+OjD7P68KMipc(8P<(V<9 zQGGnvrb|`!70vG*7{J}qKPG0Of1StisoZ4=c~tRyiBC0qI%_hCiP>W8Z19Y)c;4%+ zBqd6*Lt$4Q)!vNtyDJ@&T`QZ-hH(RWaPPoU&l;ML~oh6G%ipAHL=biY)ga$JJ z^0jh-rH5Lj2`2bDPAyz2ytO;#46ULV?C<&p%wVI{UK|PZ4ZpId{Hgitb&JMS&xD|l zV4*;ATs!3?rEJBrOH!-+Wu&MKUI2(ROSO5OCE)r*e03e;?MQ-&I-cu%QdkU?Qp#NY zTX}i;z4;oUxPxQ07q~Xs+*`jng}4bl7M7lxft4GW88U`UACon!Ry~Pk} zM+gQ)R-A?ouV>zvS<*hidI-00G;6cy%*UBI-QYVx_0n8N2nyV>5e@ zaJppFm5brIhd~p;GTTg0*Onxl-7-F++Xpyu^9{~etoD?AG@Ehpzb;8i8u8v6aGbH6 zw^A>vSD6iup}*Tru3!KDV${?e;2dfcsRF<2_M4v(MWbM*x;z*6z*A z_;4X#+ec?f2Y2l~4Bkn=%8*#;2xV91d+h1G)oGK6QvcjwXZV$fI&`Pi^$8b_%B(pg zu6>s7LKGBJ|HUdmSPy6^wl_g8ODW9wYxLuSRBG>Htb|_XtliVTl02&fltgS-_Xxa} z882#~1hd}Bs&WqEh!a;`Ose17&W(Bu%irUK;)4$ll7Sed33#7qOcdQ{siyqdX!YA%Ycd#3O`b6}v7ARBI?)ZX` zm2tCk;?{YlKyAK&3a3eCLX4I)CxbckcM9@}yzZ}wMiZlQEoUs2g4@ba!uH!9=2T=f zPt}Yp9yhG8XDS`86_<*pIz~VDJ~Mb5?+=NaSf}cZ%n*GdSe1FApsRPYK-!sTb}5NL z@J`_p3zo#lyDsj{Bfl8GSI$nU!w8IcYR|AmtAAR2UF+c)CT*E4$Jg%DKoh}is;5Jk zCem_{-HMN3pKW!7`*_-IJcsF>D53NV)o%Yi)fV@MxjMokikq#!KH zAvEn(?a~ayGDx1ZzMJ=DeNU@Wbp$je^}anK+hxyD5(t6~D_c@(ViO+y_8I;^nW?=lYp+|6ls zJFv;eFOXIIwx?QmCWRS-eASwJ+C(<=WHDa!qZ861azwnSyNqeDs1)z#ta#)h75W}QUjY}zfbB|tqYW6 z>8r=+u1_$)rSOiic6w~zVvc%tZ553U{s6}i7?2k@Y@?ozu!sMec7_M25 zc<^T<*kZM24pMsC*bJNKb%M&BuLN@aQW3=7s~Ns02wutAc_f-^HefEjRwg6QT|G3B z?9HP~s5*Fc30n@mv@$>T_IRcuI~=HUc<#RiBC5;cP`rdXsrUF?hi2QsqlANh;1hZgu4*lBaUjo7RC90v~ZHdN8&z^%a>K7LA` z=Wd{}qBEMj4%4FmyT0L(Z9RccQhB;Ta^-Ghv+gS%MiC7NdoZ8gBO@oTFy6ATa$_@4 zK7n~DON4j89yy*c3oziW!|zU7CYo$DRB<|5^bg~Ym22Tv$XwJ^hv{OpRAG#4_!aS+ z1xODcmHSdTt(@ zqeIgLq-3$6&?;Kq4?{zlCFABFu$i9GFo)6ua-jqnJO-1}CvmhFedN*!Grrma6n@Se zRNpF>3Jt0dB-S3QU_KjT6AH)=6JHi6q_wrGgBC)bX$h8o8Mfzb`Cpk>?eTFl{3LszP%IsCFc%S3sLh;*V)_`&?OWWIqLqe zCbNgGxRJIFt~106-v=BA86Pb1zud*?^BPU=XmDL`!S#d@_Dd>Nf&CIvZ)o5^^Kwz1 ze`QGUQ39m_KwtJ$6m{oKkaids?qTou*I~DwHy%#C%EaZP54vMxg|7BSR`Zfn`Q9sJ zv5p3uZ1g|4Af9ijsiO%0QCm_7F}QOAZ1ZMalX( z7Q)<}7<%coQ?-?1suGWPSI3M`gAdEu{VdWCwa!xo$RP0Y6Eg+v*#nF^iu?1pI=3xQ z0@v!3y&0Wn4Y$MgLMJjvZO%XKUndInhuYtO%0DM}%rPk>yywJHiT&OdZf&IVlTu$D z-FQ6;jW&TDdjnlZN)#6+772$bz6v$qAzINs!IXM*g>trX`#TdN2ie|0ghRr^8y+mD zoX`2DDV)u(HFAAKvbnR1*n)^pFod$JyGJC%?Jkwnow2(|e4F-WYhz6f=1334)MdE( z;?qYt!d@BYP-K=@Qm$QE1snzKTu}M}v$L7r2m1SO?A)AK%U9;pLdqQJ%J@GEM}ZDh zNFw&Q3E92-E}|r@Z^_d8^lZkn`OrLso&5VX!GnCABc;6c^N5lmx$@V&jx8eoo$P2g zcIksoYq8q1hcH#-<0Xlb?W41EdWrOKB%GOSmS2@ME-l3zu(j5i(rpcwZVcZ>hMSnY z2bGtqAxTeTM4x#+7lxtCM$%TnN+ZvfXB8lyxs0QQOR`8r>n`#01G0E;=FRYtXl>%ai%;VoD5tUSm}>_vG=a+3{8( zmd;Y`kF2}6^sxt%<<-I6y@Cl`#cc41hc6byvv3)1wqhe`d@?CQhIv=Ty~ZK@f;h6i z10n>F&!DzR*ZAV%i>jid+A^V1|U$Twri;7?;cs$I)sgX@Zk zN|Kzjo-$Ak-llKdmmK)1E9t57p%_^|`5qtPMtyMe8Eu2pn_b{S+?xxn4CBwSPriY} zUm&QPRX;Pc<>A+<^IuE%5RDwupGO9bE&#|80Yw@341X@O{9Ji!_X*M1I?2zJjD;>z zBeNpUu;$njhwALn@fs>FTwAe3b%FJSnUp-PT=>)RfvCeSot^^gr_c@Ko)<;-7<%ou z8=qEVCF9?Ph*M;IRSSM_%@PXz+Rnw-qUEGM~XcrBjFR6_cVJv8Hpa zYu*k;#6y8=vP)`^oI#6DF|w;*Rc}>{Ze3nndrpu8ZrIB3NRjZ8M0L~5FnQ=QD11Ur z;X<7jLIJycXp)YW7Pg@F0w+afs$CY$R+3G_0jV>7N#^kJ!2dpAJMcW zVP(ZHwix$M2M(@KQ#iR}`AUP1G&sb+jIR^D{}xzf8yw)nQ)m6Nv^?LhjR%N&cAI!V z?n_6^{I;cqvh;c;hqCuWv{g`BAgP-pbscFGmE2TF*Dg;=gUy?^4_j1Q8}0s*98^lB z_(74xnk}{nc*Zi+%AW#LW1+?6Iy9Rxq+;WXfVrcq>j11jsQ5fV5szhp@q9`7=5 zv^PhQA795}<1k5LrKXf&Rik&fSm9sC6Om!G*SnH)Q%wQA#tA8=GBI+I|C)5R-$Aza zjy$u%*~8O3@T>iSS;+7&Zrr#mn10BMRBs_HnYmpJEk+S`jXQswt?0?UF4f|dQPre= zojZVb3MHy)|BIf>QyUJ%MMt}X^;cT3GDu5J8na}3UdGlE0T7I(+eH$Lu=D8#` zeP0QU<6kwOON;=rKM)6Jq~tgbQYQahdX|>Z(X5hS@RU%nhzr5afBb$|-O{L!TBBHHaO8)nfVgvOb)i52O?`90EW{Tm| zsYq?9bUr0L|7#)!=c+gw_atUqF;r`4=;Y4wSfvq|lYFXleEn7dga41Zw+yRl>)wZz zR8r{%>F(~3P5}Yw?(RmUySp2tyK_^U?(Xi8?suc-JjdV1|Ht>b{NiG+xz?U@tTFF# zkJ2Xwk%;UZz{44L9*#du2toU6B@|ZO?iYMFr?N@Wr#Lm`EXnR`Og+oxtPiQ-l0}l#bQ+^n35 zg|=7K*H^PFb4u#8SS7R|33uFjGv_$yD>7SBq*c(f$;LW9yN)L&Vx&X2bO6Ucs;Q|B z@ou1*yof{RMR}pnKg;R0+}K%*z1!I_%oUH5SSfxfB!&J%TewSu1%a|U#eS;PQe>Ji zbHZV?k=7HlplvEFf%uR%F%t=M^AZy_)javE$wRHxh?{Bi_WO_hw=Z5dt0F_AE=!Ai zj!*55?Uy#^O z;}gHOcGmD9+U=#kI?;>gh8-e%aK6cvP$`vwoW3fun;c^=gYTxL2L9>OIy(nfTbr4H zit#(uv`=MT=NS)-D_U1u^M{XeRc{8Ad8S3|Hd^pWLbg3UPRQUlkYzX@b~8{YRbyj} zXutea(UeJVkqMfBWC&@WseYL4puyfhD&<>02=bEXzkr6ISn5yjJ#o-mr^~QCuj9*; zK<#{FTCt#G<&G>KtwjNXO2`y@E)OTN_W%wX z3QZp-&IpG)*X&I^_oxg-jOz2$2+h{k@a*469+UKp-wZ!q`uscqZ}S+CA#RDc+Dj7B z#Y~ZY?$FHC7m;rs6TUSXjkay{4v^rrDs&JXSK;ay)<{N#IniPd)@Q7J>Q57Ew)7?i zBK=%8pjFeVNd9p$3xcPuBN~|!ik0FnqL0)MToCUW7_4A=&q{I8#Dz$QwpDfqN&yYwoa1pBR{*_NDtxQKu&~-We&)~wiewr1~KjV}*9GfM+CsNdx%`+i6!YLS0~V z0ee_6%4Ww*m`XFJ-Q$))D${O(Md=Tz%QT1)j=k|53S`kyqgX4il4qn2G${<3G)p0| zO>M{n^80Yj?ufhP2KyV1ykeGYT}x=RvZt8vQp)qia_q*v8zi*=#Tt|O4`hc8JPQhL zv(?TwBtNIE1oD;nSq=Fo>!xcVJkJ4&?%hBbL|-8= zwVGVoG^e>S;1p);r=Vv% z-W5RlDHQz+)PmCizpEQbbG_x(Kn?+pf>EBvqzP5EM5*L!Qa-6hHjw*WiAujF(T&U#fe8vs9JLyt=Kw2<&V4 z3GR%Sm7|vso?FePcN!n2?up?mluTV?Chv15x_dh*>$h4f>03mzKhw%XVX-l@98(Os zX@Gw^`vgNVYe>r}6+wEi%5mB?J)qcnFg9f7%4=h41U{EaA;Ekk9%rE{{D_Z*Fh*#J zC0hu;`h1LKitgzwVr;TS8k>>QN5z5g`*m#_*>w-kOh!beQklxm={Z32BAULGwW;BNi z;huvyGiMwmKZS)DxXB-GE_QT!NUNO(6S7o;l8WMh7aq{v~~5m$Q71vnhrwvy;SCuxW?lLVU6nrkwq zl}vM5n+>WTN!I6ztlJM^FopYrL)lmWs3(;7#L{cf;BXrw*K=GiW`~C$H#Y$ldg>S_ z$1Hf|Q2;SvdXIvqflzM;Ohy|-z>%waK%Z%C~SCjp$mV ztV`^6D2wL8(gN185p;YHaC-N*=k~Z;em<;$&zejaEQ9C?w-)2lu!eFC-w?ZGtaM*E zyg0890ZH(7{g(>Ztiu^Ub_wYGL(>L7XCS~`YxgPd2KKm2%L^2C1GsU%-HnkoA6j8C^J{<2ty$;(W)g-Lzf~@ z*dB4um`;+0C5>rRB?CjGBb&%U2$RS)irlqsLc|vMS;!T-`kWZ0QQX?LvQdOwv~+BQ zldfen)jKGKGZ);qdtJ>%z!HaZYRAk-get<=U&@zv$( zE1|Q}C5p@>Yq+>r^X^kQ63X7+;>vq46L}=i>l-_v4JC`#G-87{O&M%8K-ya<_=_Kw zF^pG}M9@9iB>bYIQi;lXKUUBA(Lew<1bC6ZLR6`|`v+-?n zMq>-MCI4xF{d9!8xgmn+6J|e#GlauPvLZ#Kw+}X2*2q`vX&_6(?6G*KVth#oPY@W5 zCuxG+5}vvKmd8vH5~H&hCVd-cvu(Yn)H%GOQt#{-%{z>n;IU;yQpD~f z)CYZSS~Xt`H-DX`G#;w_xNkh#wi^^|#W2}oQiAOslV=XgDZQgcB+r95}U zaLraoyx>~a*$D8GotEO1DkQ=N9BZw~;00A_YjU!G_f*Q^mKT ziKyuQr>T4c<$Yy376v`XYV{aAh7g-%!}>>O0_5WiD@NQJBJe#N&$GP|boguP_DW!~ z$N8W4&3(C0*Zc2TE-@zpC~`zL_6^_wc8PnF=ioZd4EOF1A~0?%iCe8iYg2+Op|+G zL?t|_#;7~R-qH%46L_h&6)YKgq;cZ_95|#u@=9|d3u{NBlU^&GENRFlaN2qw&aJR! zYUVGK)5R)j1N4&z($pb!YXBGuA;DPZG{1J9NaP8Rf;pQn)3yO9K2;Y zRMx$-iZE6fxpPSR+|kPS&2B!lWt@!ta*kiZ%&w;Q*^pe&=aKUoB*hwekGE;7fOB#u z)%d%Ut49lU`Xp|LW?R!^FjM<|Kv@z|;hYIZk_NSlvm-uNdcmisYVd~HLxE03rIHj> ze1DA<-*pP?GNu+ai_0$pmpJX|LCaM1o}%s;p7u$=fX%M6DrCxg7AjGxekOlfUa1TT z6Dcl0KK)TbG=hOVgVVTaHp&djLl#(E`{<9+%z3yZ_77@8#6GP%4DQ)vGw1DTE?jUo zSoQuUM9n&QxSz|#)e<=~u>eN+diF0(B^q_1ivp&$+f;%+rUrpti=c{!vC=nZC#o?a zZc5dUv3&b!r3~>jJ#z+GR;W&sBi5KHhmWo-(NouGd$pD1>UNXWN|tCP3qf67KgNu1 ziY6T2Kq~x9Y<7mH%)?zxppb<`gl)Q`CJ|-Tb4l<o{lI`EGCf=p{e3!)A{Eu zpBkE79NpO~0i&mw->O=)s#~^dtaSh z!VS)1$IAf~w2W_7QAI0iYBIHavWFI2-ts6p*Od(wek8)!V@d4P3o}4U!`NuOq+Kv^6in1+{lfr>JAm(n!%-C!(3S(2&!rS>tRA*5_t=xFwah(~{TE+uH0eE;km!{Sr}4 zB+jYBsqy%J1gEvyI8|<~`9osBOo@8fvJ`n9pyB)XF;2O?8xZ3YDQV~~Y<~|ZH}&7_ zs)(*qQg(@MB6MgU{VszYBBK)&=kh4~2?WG?>09icQMeBr@~yGB;-$|?tR~-DU!ya- zV9QaaFopDnW!lc_=sPMgS{+#rIAQeT7aJwDMDpyhD}!C-(kcc$vPP`H0{B#xw`>kIijrm6ak3s%I(pay3~UX~YEvji1g9bu%FQR>UI+Hj+~fC7jh~xN zuITNpVn(jASODu1P4D}82L+6>m=g{o_&ejTE8wj%VZGWT<1CZnUw-oB@ubc*X%iMv zIp%6(F_oC(ju+{v(CbmwF4P*XJZgkqodhF+e;lu5pPSE|G-Y7&(pY{3IZX%W|FEK3 z>I7f9Dk`P2Z^lUU2V$W%@W&718wof{@sX0UxLIKG3oC+T6~$43HX2@EGlmzt|ed0*>9DFAo-dR?(yj#8U8V zbeso14>%l(_K#m3wUp*76pK(NHb)BxHR)VrC9l^z`D^*3=OP>Txt(iCkt)o+G@ zhAx9Q%OxRQeStkp5dI;CCXVH16yI=reQ`_bwBy*Q67Fa@SU9FnH-Uo zgsuiAbEVw(J=G0sUc1y6b?KzahUk`jL0#3dZk}2^u=N>Da?EKYM4}N!dvbJ>BWHzL zv<%s^DQW8(RE9P}n<6n29N!!mk~@bt9R0l-vvZZFrKD0Te++SOJG;K%)v7v?I4#^F z)??NTVKG4!r;<<{;B=O$jpx=YL<@c#W)e0G=HT{qhbK>?A@M{_q&1B|ER3!bya!(7_`vXUHBJo-!H8V+KqStdy& zO&s0f+##vkKY)Vb@GKBF0Sp*T3CZ^O19PgLWwT|IkKYImWTRtT&y1XH4hAIEUO?fd zOzU3%(vZTPze-D6|7aIJ-Y$-3SjMGmdb4u;zMP zLoP~b#87eSit%m9yzz=0WwZ^Kty9fu?J?vWc~BtmixpMA zl9^OBI}?GD=QvBd!?@TRtJr0*<&^)%0`z*ex?-;CK`}{EKmVfg z)EhpV8fH5`k%J6dfujm(u)$u{`l&LU;_$)iQ<_MarcQWIG46HyrFi*dw)|m5ZIBk< z3w?xXEf%cg;EUIyV2+*C(aV$P+0Uf8M2w-*60H~3t>c}SgP%cR!a8_29-;+I+J^ZZ zx4hwB4#m%vUTU#eIAc}55xet{+20M={G*;V3B-NZ=|&?Pc${sYm_fojoc(;+XrH>uBK-@CMy4DUCN6)l#Mb>|g4CK7Xg zoG^LK^4!;#U5f7xivM{4VdN61+$Y%$X6*Cdi5X{21iFJrB{%po?3)J`-Ml zhsMgHMbbY4?QOIF4ve-%2L;hC8Oh!M@vr`2f6ss*e+FNYjLhHhx?(4x^s?81&Cu{+`6{4`K$X3 zDAO?{B@Uy8J&Er}IPajv`MYTIYAAoU-+E-lyD3w63i&zhM^ORI*Xhn^-tS#ODOQ>? zW6>0;r+twie2&l8>IF3thzx~5B7qa_>qh#B8W!UNDrgL`u3v+fTMW7_<4cD&{RiY6 z!P4=K_=$Zc&2O}STz6-UuQx$M_^)Xjg)}za?H&}U|8|&0=Y41R01X)swJ`jR6*_tw zPND#`nr)7+rnKyn7HAeszem+GGc7(wUQmS!hp^4?v;~3v}1h)LStpme94M$#^ zlnYRW^Lm8<_?}oE!xPxPjLAAPkE!)iKGo$s+SL{zX=Q&+8LZG*uaU~s1lUC)Tnw&jN zC(K=t@aK)8% zJ<$1;nhO;e6O)ouWeAOlTQc4UF)mYeXus950%V&C#*A=#uH#c#$z0P%Wo(jBx}(h5 ziAClS>x9TIo_%?W2oouv#p#@binv(2dN&>sX>+)p`1qPqJPk_qx}%!HHkV~ka)hqbirYl;-Y z7^t-T)*I-wmRe(hW(d0Rlyr8aa9txCPXV6l3$1cpXI@Q1xeOm~>mYNbHWt&pFk3+h z5)){*KXfo2>5j8*eyNq+Qw=#%w3F@94qNnU&&c1+Lp~U6C3?h0SC%{1Q~ec&+#YXj#j3u?#-E zN>33#q2Ib!878YM7V{V8l2w22C+w=Dn&>-lY&-L9asQ&r}Jbx~v5Uh&S#lTvWB z3klHqs`93wj5k}o=+x!vawo8Z4CnR<1ucC4wn$LCWEkZ$1n)*KEO?Kt(a!TU6E|F_ zrw5%56E^e!3RR#CYUjD0*BLQAScJRZEw8L23Jgub3%m651_^x#{O;}iVEzMa-*WF9 z|4CP#*s=C``KRsQVFhPSAU$qi@v2n$Cw>cA1!GX|AR*6d1cdh}8G!*(#;AN5@$29W zwb$kA8YJeu`M%`}xRfc1U~8HO6(J_A|q3iLccnLJG{su$#vK%IibFmU_n2yMaVs$`V-TFC2?Ht5&h_Cj2`f>%~n ze(ot0J3gRp?pmFD9JB^~e$f%2V?u|>+lGypkP<3Q#;U2nYH83uVYU6vYEuil-H>}{ z+RJM%)fex^k?ZBuRqMj$MgNW^LStr;uYDHDGZ9o2fmjC~2Xr!^u zoc8y?esWOK2ZOd48taasAv?#Mj*d<`^*vSE-zekO>2rWf`~=TW zUGMPIN~aIr!65)TSI|I-ATNbqP5uqv_$@_}??K=>JTzFOcrwNDTg;+lIosL`V_;2@ zJZZ{@jHS@L_E)+5^Dk2IRXQKq-*pX7V>0D27KL8q+P4XhxkG8>3>iIdof0Y~Av<^W- z$RYOMsOaL?$+p^<%wYhWJQU{JLiRuh9m)3p5Ea3vSLl^V%msM=jng*tKm0`O^@LF}KjZar{cBB8UGqrdcQS6!EX7L=Rq}#+78WS) z%2_eJ{~G$6$;VeC{fPVM8wBgf&|M50-y1N!uba5Xl_bIgwU$27``OWWS$%4CI@`1} zwEVr(5O%NKjiG&6a!6!CCwp_FJKBnDDP}mFXa7JLbmwh1j~^1Yo6*3tN_a^TE?=Wo z(;T_KtcvewMVlDTv%bjRAdr{*b?I^jiEGwDt%6ca)UMZ}Cj8Hg(2Hg&$ZC0v7z#B% z!8NHQE0_E4PNbnonT3H0aahr3c6=Am@fXCF+9c&ISz?DZW7?#xe4D0Z1e0r+|MJo> zTj0N*S%7|~=^oC|iuJvde{7O#NTmwbYBefXTF1Yr4~l2tHXsTEl>DeeJ`{`L1x3HI zczZ0W+8XXFwY)tv4Zvzz45 zv-(g8?(SWd1d(CHNk?ECk8?>K-~+DIb=5G&c;1ZY@J>OzI0R4Q_nTmfjUMrAB@`Wi*q7m`1Qfv2}FROqdvOuS5`S8-@`W_CI? z(3Rdl4-HYko?YRJos}{TsoK3ULU;QisJl0n15GDewrg+?GesGlG})|NahDuzlU_O& zz^gy^18|FAZnjVu|0g0Aq+wt6@5Ac{%2y}VHAmCFX|~sT!m(&{VxSqyY zt$zr0a+287Qe33Mm`fQaG1Fmmr8J=Lq&K}_a0|8C}f|{7UiQ6YvpaUchFOE z7QENUXj^e2^GpoN4h%wB#^}Wq>h1Uy$3=uF<4-eq!gO_mIlA4%x%N*_{!)4aTi#MQ zM?%$a0l*W}!Hbl>q}mtA^xCDQs@V(%4N4}vCFX4E*vq3u^p|Qkc8uttvgr#F=Ox?B z|GpDcX^Hf75O33fog& zb%n%A8~Kczt~3Af<8RKK(e@*C`Hk-GH>^VF<^`_azI=H1tG??Q9<%FF9AQNkRBF(a zUyH@Fj*1#>v}qoQmi9HuA-p3-#=IUymY8z8-WX>KR*v2gX%4p=WzM3wy9d}g4yqH{ zO=XK{D&K?3C?#6jpECWpOk(OgzC2*z4y)2zNp!ru9WtC7E0a>G@HzOVm!*x2cbqJI za^DJ!nK@BYn`Hc7>k|+LuXxo@5g>5ppd6q)sET4bmYk+sQ-U)S&DE#Gv|AF5y*OK8 zI?K9L(zOXV^Hf(L2fcr^VXOsLics@Tg^?>hZGqK5W|OccQKFhk_G6&D_oy=Ixgj2? zfC_&sbn5{M$>rTwf9m^~eW8U!Q@=1e19y*$y1dB>ikU<}aRR+{EFyycUIRUM9eR5D zCdLjIjOd}V!x#+p(69=t2N>i4%BDTP1lG<>#l9|F#7KIV(bOAr-Zp*C&Jaq(Dp!sOVYP~N2oMwaHy)N(Mc9XS3h*gVxce-J5d<+skL6l=;H zdPQZVi)|AF1!|DSYXmoQK;R#qI#}a3X;UTUO!>&h1>hYlr@wI+K5N#w)sBVcIYjBn z4AN~FRry)BFOqKWc(mM*OpThXz+KFg6+z4BId3(WKR8+;Gd)(6v&ZC&rH~J2u-F3Z z)-UB>j>cQ!bxJ%ukOG}hfs1|hpuqXB3)csdZ;fd9B9euEn)_i+REpSYW&CZ#iz&V; z`wV#|a~uQnNc?KAdC3&ZG#i#==G8%3e|eMytc9AvLjQDd$p#HM_e*t z2dHwUia5N^k#3`cHiK(2wJ;==tjd|;F!~SAlT(FXaIs;*MXyh~D3ncL^c|lIZ3a94 zJC@H%U(fL88W0>6dMPqM5;uaFK>i!`_`X7+@6o>NzSOuJf1Uo(?XO}hOA{kTnVO+W z8l`wo_w;|_GZSC`UY;!_SWe~_=Fo+*P5$?^`V^pc7vPhm21r0#8p&6K{Lj()c`XML zgcBr_xWCqx%MrZ@a+bcK**)njlKj&b)-?3uPQWOFxJ}VW4FBq_eJ~_D$E)(qAy^wlEy{ zmoS31J5ug#m{NcQYDkU;jQrdJ@g*~8J&ReezeX;_bI-peQfheWW3e{_9T!N$-fg>8U~AfPSeM+kY#! zR*dY7i6YT7MS;vrTZAd|A?E+QR-`&aH2-g+rnM7PAPv;lAjkPC_k+*d4g3*MlB66Z z-(x01scM*#RmV~nm|b;*+d%(rV)xj0vO;PN@lEq5??FttzMl-49TNl5%0$l2H>^d= zJQb`l0TJ%u9Fb<=MWj~_pMX~<9j>uxabZ&ds zw|(`0%AUhX_zx`&L5#BIbEt4Hgh2W9={eiSYD6$j{A_tpv&%8EkJvGWt?g>|aG;Kb z(G^UesNWr}xk-~fr>4~&vw1neCCqlvABx9C=c1~qjN*o!*0l;;)8QxIuhJ)r(^Dr1 zdxx;rxrwea&$YRp{&rL3aDej_|6HB`>mZ>m76|bK^+*-Rl&;| z2vwUrX4q|h5POdR2}O&iKAK6gJJ;rl)QbJJ;O6n`+6xL3wy3S)pgznQrvseR>9T0v z*GP^OXqh@RjHxf&2=Y4Rq3cmz?@SmCNNVk16f(59&xr`Ap>E9QozJPiQ-5R1?&j}^ z3E)PA>m!kdV$2I_E=^-4{lSHZm!*&x)5C-9IJ2X*sG4y8*Cx7wiPuXBVh?wZx21AA zg)7cq=w`hK&?ySU9n?BouRD!sH3>hvuYSBgqLrvWy8MMDv3_aels5*snk$u~gL7-a zQ@3L!0e|TVB4RNyYNU=o}UL z2@gGO*5Fo!h96^JtPSy|bHp1;wEIi#FGoJy*KASC{g4S8oGkg~gjHh}!MX;OGAdf_ zu}^;Ou5EO?6BXxd0i!!u($=EUpyMu6=huj-fu+de|ymJd!l zTCX>FyS3vn3R>#B0^zWYBaQad30!v*RZ5ytY~~#GnCm$+@H>NDVb-#=u;bO(^!|sx z49Ye%Z{iB3M=w)KH}t$P5zXI0F47Fjl+Ag(m`%A|>lwvg05|y_hylJZV^MwgEMM6)I8#Fq@ zv#c8$yh-Rw^&9!7MqT!(+z=$zP4lHWyu=WT0|4 z3LcA8D&4_L7wfb2i#Akxtg3&et7qyaBt5q2VWLSmTb~d#%Pg;N`-I#UlnoSe)+t)C z`E|KeC-M3g%>D$b*Px|&)f5b0!alN=XPAsMvz7@&_#LV&wS62tX57@)GrWJ8Q-R#v z8P?BHR^VL8m~AOoV2xaPn$aCcj8?*! zr7V-ek~Mbi)@C^{*kV~2qV|R@-nV+ivQCax-yGAo7=uH%EJhV=>tms?X%6xms}ReC zUrQZMCgNxq$`LuKUen=r@>+0^Iy`@r_T`KFS#LPp=8^iskD&yqo}(M{sbr-poSN2# z1^6?v@A5JkI5i)0W`4f|ZeQMYc4q2$se1n1qWU3wtY@N1#-M5Rei+3cJCvtuBoD9w zu%=O!UF|w~UkV)8K?{S)`*gcb@v}aB6|+n=fdace2H1(zDkJGD5zrd1YySb z>qmRDi9pMXItBK$>H3F}$f*CJC3j>nage$>9VC{qN(mXhDeX5v?>UR}+E~m9H<34l zyT}GqocpRT1BEqoOi{&eR`l;yxdj5+^vD(4uo@W)wmPpuaGEazvyhGCSdAn^Zp=d{ z)gT9UrHAjgsZ3bhSyw5_CJYy}0B5A?_%8z387!B36RBg+yX?-R(c3Yeh9axITSuHe z2aOZ9hi8=c)Q$Y@GjZ&9eH66mk3NQ)$d!#v;cEMGFcW35fmf9T=ZYVYO<(HE4k;B{G1Fp=*U3<|= zEUj`^yO2SF=}FanvbMJ^e9#DGTU)_4)LaGm7R&hTtyWC&eyU>y@}^i0SmK8WrIq9U zj8^BQXjUqcSSc^hO7^SW%`#B`tG*Sf{~L%rkd664^YqPd&`9_suaWbVA=um;csyTn zm`oH1<9-ZW=|xRxZ#?%FK?N>1-<)}2iX_7&^&h0ar@CnPZZuZZ=&*@3Dx`bfpA-UD zgfsp#$N7@bzXVfVx{urA^381Mi3$b5Ru6L7vg`L!1*~6NBmQwo(H%yfDvgF6D-&~X z!JW#r)?E_)A0aRF-g$+4HKfDQ&JZyXDX>~MlnHK%Gfx0JKvwZ zwM?qgE|SX(d*8z+sB^Gt*RHnYiX%9}eP>-4xIVI}{mW2x6oCFk9~e1cf5O!M(2zU& zqqgw}nJ3~qg?+JviQokb(JHT5q!Na+?o$LOJg7)o1tnWhZ-*uYVQ1?%Y*s4*dX|!9 z>Wwy)FJm52F+)vp;eQ>;MjyqhK%BpU{py*pCH^9RyC2#4$z*cOBKk#t9@ykP>#e`A z{@#CB{j7~2=^fzZ5rQ+RLG~m4+3g6+h(>#WT5l=}-7W5U%0`AQ1IJ&D0NW(Ii8V;i zzXlIxwpqL_MXOHd8FM-g&eG1ZS`-xd*Rl}j2lWMPh&!Km=2ldFm!5l{s zt&VgU768z=RZRIMj9=~p+Wv%~gfcTC-uJkrzPnZHfyRG9Hpd?!QY-cde>=ePnV{$$ zIhj<)kQ@1Zr_fj!R-9rJ$-kDRx0Ncv`&e<1)swHhR?p}h26b^XFW2H8)O-3VH@KOu z<{!7~tHo8qk2HrF&lp7443T^FBFJxZMzHg>So^jTY+= ztQ`bjd*hRD;=QM(``0S)rlWhE4`i&~84&P@NxfyVvWi9S&B12D0%Z^c&Bv;P8n^v1 z64r=by@EuYTh%d!^QQWWPYR?pY?eP78{hqjIR{BCDD0g0ga7u7skphcm=kZz z_oM={f&Ixb>7?K`r_)jUuZ{mB%{z8c#J~)YKy2l%??7#IAiq5`S`w3h6kPJ|v$j>n zXHL@P|FHzlY6S0(K&HMgHLzTkztM!qa5y=uTp4lMKTK=&jlt)C1tjjbmBaC${*aN~LW5Y=yZFaj>rbmn_|LmcdB^au_u3Aq>_`ZI>e3Ru!sEpRtoz46NlN9|7x%q@2vDJt+ayh zaDra#AU&Ak7dPC^DtcN!)w9oqaC9f&?YKKrUx^>-2IFNbekap}MS){@&@Zj=xR_BBQG8~N-mXRj85$&qi3H2>7~{E zw2an~4__hM#+&ANXU2w60?%~zkSPjY?j=xkvs{CI&$!@VM+Wq`)i0C@6;c8YuQl7s z(K34N=l6!82fy~c?~#p!(Xj;!99z$mYTw<&&Tz9g`t+Nl0(XDvtt9j9&-@}AGn=cn z{B#)ZS7BYorUc_`V}j^GR_cX|R;$WV+Z>ib7CK;nhOJP ztMBN#jS1HrzK*k-cN7?W+y}3?4XoRe`*%raAfnAdvD(PMxytH_K#x$D{A^Ik)UjHD zq}dBQ#|LUdEs0^ma@TXOf;WChuzv9s7`WFn5?y+i?DLC>ZFnEig2Q}}cTTtX!F94e zeJ-w<&Q`+bqSz&CBn+ht;#;hR((y2H&!JR{3=;*sQj(Ry=LX{Fa zvc_^BB&gKXapXVX;P}eugcpY>ES04Th+50hWAU(aHfvkx_zRSO;#Lh1#Pw@zWvWAy zAnXzh4E_?+HTB%gl~s8IqK@eR?_u9}jsr0rq##rlJ|d&}s+M<<7)YQrVeG)22$r$N z+%j015&{HmtnCR|DRE%cxCjM9pX4?U4g}Rjm_Fd3_-g8ShvdLVQSu;Al&rRpU1A9m zO|f(2^OsM40Dbd#enlRVb|e^=zW%Qwe~1jNthnv-ng+tKE3&v$au8|I@FMA?*-4~{Kx2+N}huc7mt)Ii{XYhCt-#7 zX_)|DA#>HeiUqAn(p)OrGc2%E|p@kX* zb#-|pG`yggR+dB3o1Qu;zMp8)k|9m-7*)nRkdt%tZpKDO#qe1kcSl256UZSYtJRJV zB-d6cBV^A<7o{F_vFCpXP4}EXnAFUlNGN@>UX)H~`ShKo z)&;g8&=sy)fc4lKcCN?(S60g_3^z^Hhr9L`D!KMyVtc8FBKrKzhi;C~l^SN4irn-x zn@~EYd*X@QZq5~^2fDR;r#GPspD*lH<41<(-Yz>^rp1}lTCYvon4*7n)SuM9%AkRHx+t8=-^!SecWcBQc*spwxNy;^h~NS zJsZ(}E+BTJqzZqsiP{fQwzfE?w=^`Bd`adQ@4i*Yxs$uL(CF%UqQY$4fIyYp-rPEE zpETT4q(tvO>#WZbD9`pB?j2gKLRB7S@{dRxorgsSDi;z&(cx!T$w)@L1@s@A`ZrR3 z52op>e))>wc?c>qhBf-$Q(J5hf2_M#o4%US&sqAG=qKCW=!^z-MfKEVk$}ZL?VJ?e zY(03BH^&OkU0V)a-OUZX!cE#mBYR)o@jY>e*>WsvRvUk%D^jmUR=YOu z0Sa~w3$@cf)~m$BQA_5D0B$W-IdO(`J{NGtUa3k2UkrYGVkTpHm|-|Rxi(h{xSpK( z!hT$QFVC~tJVmAvB3?s#*jYa5wUcPzkZ)h!UF#v4WIGZhF1>8LR~z}dW@glx1G{+ZGEKxPyMILr*G?O=C!0fgm3V&W z89sb4B0Sp^da9m8{-UOMOz#8EWwg0mMGN0+k^R{f^2&6|=)Qb$o~a5x%kN=ry71jc zSy?%+F@$Tnn_SgxL+aJGkSWI<^VFq))=Cl;#>-=R_h8PI=6T+7wzxwlqv?E9efyfu z7od>(q+zbc)4^qOW3+D4@;kRXIHrdw98GReL$}5CZ&c`5aeQB~+-&w{Ihf181Vm9e zt*x61tt}JP;Jt7)qa(hoRZX`w2*#Dc&eyvrEm>L|NkR>=cW-%1t1yfNsHW#w2d(~6 zhF&QU9DHx(=)YNB7~vw|gO>hS<%xNnuL?F+M2NvY7Ndr!H8E_&$P(O?^6YtcHi9wW zGF~P)Gy61d_QPaWk1?bGG1K#+4RjaBh>}Ej$)$m;l(;*#+nL)+v?BbOk=#u7Wve5Y zvK>j&oG~8vIolJcdAv!8n~1V2OPTng_~9LIHBr>t*`jGZ-Ul}6%rAEXaGI?ty8Fi* zE&T!8vQ?Gt`f8V*h~%^8a1S@shL+{MTc?Z(!Hwoc3OS!*X3a?oicuGL5DYqB=9&j@ z$;)WJ172#$-*;*RH%n$UK-ItL3~A=-p|JE`>!g8@j{KmmR@2aoCN1`TZ{cC_edJht z8-El@>eCFP?TOv#5|5jm;Z7k>3OeE!2^B(o^-TEym!r#zNXDR>R5$~s-)O-5RG|ZA zfOut-1Mp%^7MUlddzQ?_ToU;pJ(>sn8V$B^QKMm<<}lezC2rP^#?qKj#Y)vz>ros) z^kYQ+ZWr@tkzM)j<&!eP8ml|(VSatCYry=G+F=$k{buttnH8HXm@>SI-3GQ)=@fmF%qM9pbC8-sQ>qMM(X%B-oH*nn?5 zl{vN}d^6GpC)-nx3j`d}y)V58X=E{fxpCFsYS6Hy4WUb`0_Av|`?E8!L8;mJY9g3$7l21h*MQez&7BR3;q=17R zOj9RSp=oxU3fY!kb&$7fg+3|GyG-|yL>GD_fc1I=1-CP_I$CU?&I_tkYCRP8uD)W? z>JKy)&yAfT9yolym=7^LB$PAxYQ;_F8Os@x`>NyhB6WNE4bN{J|39X#Ix6aJYriNd zCEXz1HFPT}E#2MS9V61+-O}CNQj$Y=Bi-H1H@^4k{nna4SgbSg+h^C==h@HpiryZq zZTOtYiils(`r{{}4c&8+JVon=os;MSyA|N-NK%1Fh$miO;5HmWvyq6up%9DDqj&4= zzRWuPV|#`kEo7 z7!8FS*7xl0=^l2gtCq6B0Hb4;ZPb6iFPOoX&v<|jmeP2VSTJJ_&@>Zi@D@uYuFiBu z!OsGFggUUP8BTO<{FD`VQjIJW4;@~}AImRCPnV_A4dAP`d~w!Pt>`6NAM0zHuN|~v zfg{qvn`(w0=%VQL;2SLzKJC-ysgLd4PTtIz2o(0Ht$r#+?qqAD-{!pR5i>DyFRFrT zjiyHf3z~^qH2izE>vp5ohoSE!xijY|Fuf-krg$T7qpBLjICP#Fzr5eJL4%N;nY-Ey z^GhD%%Iv6kf-j+JIy-Z@J&~Z|l;|dJdW)bOS0&N%#HzlBl+UW>4+D?{8A1Dj6@1^x1t$VD6D~(b=rmiMyvR&4n#tJmmeY-gmYUcJj+?W z+!}lDYI)0yHx%cUx~_@WNYUHiyC~d!iH3_r<&2L7$`<(U*2Y<%-uTU1lCY*`5*_>T z+oA{`M%NNEMO%Bo6>U0ej;kEmH)f^W3w0FR>m1Xa$5G9uz=Wh7x6%DbQ)?Hyb&7{a zOQbHJgtV7=j17UP>h8AkR3W0^H!hMkR}omtRa5P*wC}KngXJp1vBYbhh6D2Mg?#s@yG4!fuyx8a$2F?ul$*|*an* zveS8*G)wzjy4F+lN`}CrN)%1gx-19J%aMJk#m&Bj+rIKO)6WG0r zzhY7Jp49-JQ7d>)xiVAt6l?bFIC>#EP+AjdF_(|gHLe#VeJ+`XdTVe~OUtckd##90 zL7vyjKKMFVsLY&_#)A>0RQ^IyY7+Wg>S>WMBoRqVHAtFUut2U14T+F7;Qnzi;^un5 z>OvcRp+jy1qJ{!tH|O84%Mv%QO7JJ^JWsjkd!^x&b5pg*EnSGDZbij|knu+BneF0& zGxLW6M2@Q|dQ&d&=ltlIC@l^&zX}}Td zp@C!&+*6&crc;^=zWn;@s)J%MtLgsdAdp^P^Ei>kgw2NojKx~#L-;V4>klvS|G-wX z^rjHs@Kk#cji9XkI^XRtPn}8^$ko_CRt+;+Zg0Wr!tB*j)$d8^q$pX5PlHkFw5Xyz zL{qVH>9xC}v*uvAn*^nbBH24s_ zLg7-cf*#QU7ll^fly7_hpr~89Bsp?AxmG|o{wYC5O^~(H`O~RQ*;r;*#(ctuNk~QE zgS6CjE@+|7OX!n=Wmpo!7^-AuC=&8kU&Dv6oiWVJqI9HZhy4%9b^>HRx9ymq?30td z-5?kT$TeWt?nvK-h{TXeKCT}ZNIxVy)>)E>RV?u0iA0T7mw}m?WKDlQ7ZHpMV?T$v51#aLc4k52MVVw^dI^4_nbzNx6YLl;wBK~Ux zISz?J`A5!gr+OyfO(oIIk3CyLv8;iJn?0zDz;hOPy|kg&uJ;dhg$lmTgo{n->GHj_ z8kK~Qc|4ngWH4V+Wixng`OK=;$X#}|6Bsfu8l?Ig>IQ416T@c^);m3Hoc9JWPXYc? zix>_ETa>jXpn-7eCe{Jz(C~t!73-~^x$6kwVZM$5I~YP@;+JNUfs57~6PxjvjH)Rq zH!jUS2ka8^dg6NtDN`m=aowMSS+50WSK+E%U(gBlX0f|qn;q>LjeM$DOM%pilnzn8 zp5hxuwhUUM(J!z@Okdvj=86mx?8!XZ%Ml6;6r|rd$fbSz27?$&H(B=RSeGhY6n#1P zkWL|=9H`iTm8X=>?Rt+36NafmjDzd`g#KyC*jO&{pE|*a^(ejE`{)OFplkHWliZga zQ5Z$O^o0&5u1~S}Qi+VxVbCZ^5?SX@xxJ!?k;A=7jOYl{#-#E=zt;N$s3QLhaq~mP zs{UqtzdcMLSf5+_0>(*M>OwAk6KU~!2xrqCS+75_Qq6nu6M(+J<`62Y0rRbzPi zd5!=5ulVfw2vEXn`_I`7&cyFPq?enkjYC>&CcUu-g1e7K(uL(M<}DU)HKK_6_UrJK zR$H_A>3II4AiMW4?oA>603<_qUdBd!PL0+}eGPD=m~;xUaWDYzOQe}z>|S41WXd#F zk$zBLHs!mQ@ZjfA&k8cVOBrg?NI`gx_5H^R=!CXKMb8q zObRz8lmPnvRU{E83{>6cCQ9)W1*42Y0n^h_FS#rkW@Md40a4WU@GsbzP zq{=^k7XA+(|9hx1oa%3h1|@inj|yZ^uX$e&&kgDeqzsu9p?iDQMJ4~%ya_P>6((`T zEwZNcPY0QgT6I*V6|cD7FDzg`zcZ2F88-#qt6-2Oq1DcG(f(9EteM$$ z)7j5RCx>#c0-pao$$Ioxta2oS7ADKTd`Vq-XD7WgPd7xbaj5!G;C3>lSb@x$2`#@*ZFd2FLaN4ey9lE z#C|5Y>bm&G9<46J^#?VxKf-e)wA)?7F%RnEs7eq?fx3n#cEG7p-xfEak^$@8o)c;7 zWtSK@dH>LC3d$Y&mN*WV>j##gt%I7Fxz*N7FcX21F^$sR{X~aXnVl(dL)yg$zmRS> z3VoQN^ETBWS!kF*2g6nFIAs!X-a#7e45D@Cv5H=T{mygP&MQx?+3haD{sq={Z{a}v ziVJQ2=!}E7D-xwdd9*1=*?gzhO8J02e)XvE`;+LD@yq-WU#P*f&{YrJX6lNOd~n~V*Q?F( z6P=-W;~kpx*+5g3QZ{dsfABC~uB@upxpE#b#Fg5f{z1pJ+g`GVh9XFQzN1j$X-OT@ zA=o@#N*=&M+%Ug7^B;bX-M5iSfH!})*CZ^|YRT}{n@N#HD@|>PrPyWs8IUhD4!+>} z`EmtSpX!|wh~X7SrZ7r?2p&6y4B4#Da)AQlt*#~Chg-YZpRhl_tpgNxlo<-`B!8+W z;Yf<9OXoIyj@5*Tv%iQD5}_WYVvuxb93?33bFn^hQm=M^b8T{) zu$`g9pQ8mqfg_a<*@FfO*w`BEv;eKBMW#LMK&#|M-2P*SUiYnp$Xyru%`J0@h47E6 zo*u&Eyw?uQ{&aLPrIlkEn_a2Uu3$kb246y?E6i9y8qvZ2?DSkl*#ye-@>P*+#m<2=s0plqUCyrd~^Zi8=6!{?ZF+|TU( zWh+~`d_Dr7l7ZQg#mPFEx$G^9QTzw2lcfeK9Ycv{HP2WYE6%xlBGTXyX?`D+FBQ5z zLDx2eC7A^3b=x$W!J_PTt4V|w==NmY=@ZbY3#~oLSpsbv9T#r3%>f(WCm8M3<#_&U z!VylQ5AqsZnsW>&g`b~Q8BNYEMz|?KqRCMel85<5>7X}?n9s41BdV99`=95D1wLml z_)QeKrE(00dy!Hda@xoqvM9T%4O@IVY+fXv8 z?GDoFixs}X)R`)FxR@z&ny z`oxHSys3iGZpHaLu+ncaUC)W;HeP)yLsL<^i&jsw0 zb>D$G zq!&G|(QiYiCmN)^v~{&}MeclymG+9fnoea-7Xn;GB&toe#hpW^ri;Azww5j3J+BCz zuq(DS64K~y(v@=csj^o2qR&YD+S{vx+if#x5_v)$*ASoPCOwL&g;Y!Bz$gvo6OQa6 z%W9@4mD|R2>V8p?j38@HrwJhPksFB!4l`{9Up=+7qnX^9ru3H|-WltgW3xq`X$@!M zxe=_Om`=x;?6tRp@%#`3m+NWwB+)W$jCe5Ub{n&5E#Ubg8!%|bC-kf86F##-k%{h3ZmNycr*QwD$uDB$e1E#kg_s7a1Q|Fx76*JYgDb}{G~&+v8Xyk;GHH{^rm zti{-~i`D1iP%@fxR&oJVwt9K#+sZ7lT}zvv=}eR(Ns!{LIbcbKXP~fUa>)J|^pGi? z0$lPd={RED-_ukks!c)1!??Jd^ssbJ9gO0bh6mb5c?w`xd(0}oK0XbY9e#{}Nmrsy z#&FtY_*F9LS9qh%@44qp>#=r-^<@VX}R z!_)7MVh$+!&q3=tRA|mGG~{Z8WMnic7V*J`WuXriz@rf6)m^tPkmHX|{t7lB!)sk~X^Dm(xM(tCnvCkz2FTk>b4AL74$AZi zNiF29xr~#MaQGhMY9=;K~*Ljr34IFE5Y4X!4_PO z9O?6;hLF;LcDP>5C!+ND8LDrVvca|Epzs(B-)mj(EK1_Hq3-r+g{y@%b8awR0&R8I zapZY$E)?NP6oI8~{YHK`E!#o`L0YIwk(c?poB8a;>tQ?uP4DaN(Ac7iQv`EZ&6+$} zZ@APsO6cP~o1G>Ps0)$Id;4v4-3e<9W}B1h9m*uO4eDqzq(qKXb#U8^v9tzUyS0lc zPb@J_m$xnmLq;59wAzbkhH`c=+}E->otSER>Tq(3tU4^OGj>K$qM5#w;*5=OEU(bt9nCsN5XS4Z})Udi9 zpF2GPh|H}UlaQvpXgkyHxH{`|d|~D$sV_MQ9a?iAwuJu?@;WxYywCmhN(z&S&y_P- zt&uRE78CO0LDF*vn^}$Vd;Xqd>kYv-tI+2NYpv`c@^+e(IlL+aa@qw$mVRJ}1|xs7 zCFWqJrGc9})xdY6eQklRIHX|AQ^^tG#u?|MzGe?y;|RM#r!rONtlEJ74y_5FHQ1@* zv*~&lX2eAoTK{#*MgCftM*6@h=p5wbSghra+rP6lT2oR`L4*V2lO;dDV7;<4S+7l{OhtR zZI&k;h5?FQ+)|mkP7f|K@L{_{-{N=dHj=WL6gFq7bdrZg)Z*uE5ekOub3oTH%EO5% z#AEnVj>EjQqJ(*?GaU?Bw}{cqrvLRA7? z0&;ZL*k|23W}#%zSYZqK!J6wbyXB{0Yq$#5uSZedwG`>KCz z{odmlYHkd#o3ko*^a}hodZ&}(U6-)GV0h|$*PDjcQNy`oJY(tn!HQ2_Nw!NrBN?+8 zxX&Uaz*H+Qz1gqfa@%}BnvNs29~o7w9a^(}Jcpdfp5sOrWT@79YXu(5e(n_-(qZm3 zdhD;8>(sz3#GL8pk$X?)LB+IMQhmNIoyhOjul3OPHo1zKyfY;#>F$k|S$gYY@fQ*c z>~<4c)Bthl$z}^K{$wW75*yqbx>=*fGu1d=3l@ohFEy4Nt|=njHIG-O;0x z$LoY5B;M(}BJCQSC2uRzU2+DS4~%7@b+npt?4Kl+XI}h(%B-zPvY#7<$24jdqdAnG z-e+`T``{;=$|Mg^xSohyz2jMEH0I~i-8HZrbX0ae8de4OJ6EasqhR2~vbDTr6Gtu5 z-czvm| zt?gb8bRZRD?LoUNO1w&msByO9ByyN^Q`9ZxAFW6h>LFTQ$pFhP*ea%ennnE&%T15^ z50gOq0~*L&<^nAR0Rc7sZV0p3=%Yk}+e!D_$x+R8vAgdTs^zV&Tz6Q{Ov!xeY`QAi z^PuKq1@K3lU?T0wT)dvdjhZg<^YJZOI||<7{^DMRadW}onY9K#5{D_j7bjWnviTdI zVDyC9$ajnJwDg~pf>8J7v7qiFEu|iJr_GfqU>;+F6Wopl=T4+GIE%3kr+h5-(sUlM z&o*@fALCWg_Sqt?4)EC~Drlf}bB)6cu&#^m=XmpspIElOAm#(Jg#DyCG!tp=-GXkQ2w& z;Kk4bY=C>hLD})XY;~^6I*Xjui{E6rDWw}a4|FloaL|08?O@-93;0 z7|JZ3t!5VNMD)-(wUP|dq38TTt&hPpT!q9o&z!aMxC$2_)G>ycJ$<~w5)YZU7FT#+ zY`H60o*;>&+Zb3bX~WazLQHIi&RSld)#xP0ns0MWcUZ$1jxfF$hw>m|A$S45jQw&s zr}uHx6vKA5jLqtW3Z1}CsmBJFkCR!XENIaOKkoY^g(Z&6*b6~&i~S3V0kc2eUW;F5 zTl=Cw9y2w@oQZk7p(qSk(xd4W`dB?^JAJ*~G^nv$A{8o}Hj^|gY?crGeKkHod{)q` zCBSo570}YXfYLy-W<}aETV&301Kr8?)WH!BDc(OZ2#K5`4KbSZN&zzXB_xBKi_0i_ z`@NX+#VZ4#S9zpPbjud&T+!3cB@(J0*^Zu@HVmtFAN;44Pq?!MtbB7F3tX+2PQ&x$ z#wsw5@T!?YRPvVFd5RX_%dNuNXw@tK+rBTi1aMk3)%!diaDoiD~mrhYu%Mnza`Fozzgq$rfVc^-b? z93_%1(RC_LJUgR=Be_&@H9UcC&)zjKgp&@1Ug4=vs=F9bWNc&f31&9?5rSfe-seWy z+f|h&`qBN9cq0R%0;qU*DWpHWDXvd3`~A%uwfP{1g=2X-xRi<6$c#+>k|cpgW`ZP8 zMPAv3R}8}ZJx;0%6WVmEx*;oTJLHTq=pMgyik&1dDxOU@RIJ&8ciP~qj4e3eTH?=h z2$M+Pwq57M7RpX{jSBkGSwRg&PyMB!6LObK3(42W$&|$KRm(nS5vESi&KHH!?}6;E zUde^Q?W4ywcZ-dV&(vie;26Oe8%V=gXVzC0>R#}GNB6&&N4V-~P)-hJGm0ax` z!Q+)vf7J@I<25`ww~R5SE)53Udp25v$j!%EC}TU0P(Y|K&9-0&X_s@~z~xw}q5**r zRso_}cp{Qr(dx?8{n%-Vcjzd|43cbr55ERi$ay<5ZIWPaZT5~*zB``jot1DWq+dIZ zF*gn=+3854`?g^8XfdJBMPj;K`5KYvv8h-*Fn0w0j;JRyqvBvI4K7Q!P=+4W^?qEu zEG$R$=JEdif!5~aSU0?p&AX++lZ5~*Bgb|3E=7cC3OGmFSOvN5iX2*U<>hdsqPhp= zvEw!eB9k9|X;>C^eUt-Uz3sz&&3Ko%y3bym9cQd1XsKmJm%#8`I3|@U+GcTld8PdN z++wzA|4bgvR$~O?*<_#h`k5JmCF^T8SwXD&Q4!sm&E&hbXE2Aafs4OQ1;CIYU?I%yW*xFPmb<-H?Y#=s= zMHLtDB_t^0C_4TYt8C8ujp$W(LCba&AnvdW84GW_($^W!mHMk8#JeP8t$rFp(G%<> z>#01_+j0_)*F+zYCRus${R@}x6mibew~=dG#W}~|dBykW5Ez)D6d7fgST7%pW#Rd>q_ng89PLSv zTvD4H-I^_rH^pxnRIJdf0?`WC_Dht@*!UXV^EeM2suYqP1k)ijK&IA3yqHI<+5F%* zq^>dD%*2@ufi~)izQU%x;izj?>__Mrq z7Dt-a4W&StAjWN5@$6m9XAj)?La#dWFO-i}9v|lh(`nX>=q!YzI#t+K1}gA7upd~8 z0tqyZT&bKc=eHF_LN6)r3kxcj6ci4<$)u)jOB*GAN*xc6}ra-DM)e7%H zoR9D6#~w9ccc>VGCIKq8Ea)S7i3j4JEL8g-GvS{f&j%>W4k~fUA99iEU1#^u79Hld zcf?Ig9!^v^x?VHC=1aX~-9Jfe{UdsO4%dm;tA1;t`+N|{T)ByoLo5D=xgyXk4_0HB`P-eFg zuP=D1hRz33$QI?HI}M=9nBwp6jJfBA?Qyu?Ij7%L4cW)y6KQmLkXv9Z)atAA>0%zs zj2X{EJW(k{uc;E|DTgJC@g%GxrOU?3IOTJzQuJLjCqHjpq@Xki&H0AEY@U%K>jAH! zl+$#$^u}1m7&NVA)@=4!yi;b#kg}JrSYRPtpcAoLjbQ&!HyzeU6}`so9aOAX>P$oK?7lKU0_P5!gTuTq)stR-jx=b?;bi@A$&BlE%Kjduk&!6! zqW^8Fnw#0KCD4{|y(b#Wa>KZ6bBUBh+&Wx8qHH7`5b8L)RPB1?iQWl8bWmA+?hpmC zFnmBiyC8xGdZ&iXE(5%@K9&Oz*hVB=KCrlHwazmID3ALzk-x$l{ zMITkgZBmk_<)ZpXC2BHiw7Mc6)E0_?kMWGCZFAJ7y_L;5<4&}84b0%pdJ6?+ij`Cz zpdgSxAtoxfBKgb}XhB4B$*p_4-;kB+0$0z^UT(zr&d&?pNXTr0d8YFZ)|z~8B`U(| zy3VK^qR=Varl#{f;G8`<>QtFb=SSBF+sr<=y+E_{pSjhm0Oe2OS~XG=F*d@&>=-HNRxgSa$obJ*C5viXJx=v8P|s~TzM(E3cmtO_XSksS#gJWpr) zr%nSDZ)QLti%SCGHHZ_cW36~v=IF(b4DzcuR4`dUmnsOCn8-A0M!qm>qQv8rnD}lg z+X~VZ@te75X$SK7b3)hJ3X9OGp7a$~991jDZ6YJ70@6!NPf*X_83#ww9tI5u;TsDFZ z{OD{{8RFxl{uX|iiM?U=9j5rBp#ETKXf5CwnVJK=72Z4I_st@3g<#*78^lCdRKn) zAvF?djc_H~+Tw;Qkd~YgXH9jJ#t0(=3h5BqF$sw|#_VRwZ@%XV$ z?}mkyWGVnH`b{1#hX-AYVZ|FwO9%jIU34yhitNX?P$|W)f!ki6jNiX)z1#4c#8cW= za!jxq-e{anovFj~;FZa9R2>;UCog3u4p`rXS&)F8u9D!&+7RxmlXzBc!dS&mGL4t8 zJKecYjY@Q+H$lf*_NX<9EQ&*#FIx@Sv6_c$U{m3Z`A$tz$oej;^Tnqr3YYK7k&pM| zS)cn|$wT?M;~6Tblo*34@dU-ENujK>gaX!|ciB8AUA2!@D1K_fM&}ZFc@>HP z#7QLxoAUaziGjf5l;#YD;5#P{HBv%U z;y#`&QWdR8gSs<@V->0-ndiVrYLYniPUL727nxK+ykH4xb6#r13ySWlzz41XwtJzy!{WH%wVd7%_{y@IxAE3w~8hTt@7 zNv0#qX|dhptt2DS^P!OjUZqAI$B~cEgvD$Iiu&iO)a9QkKLUSLx-9N;1fmOpg-NFk zf-3pN_n>+g0F@+N3~R;Z5YFh%n1dn=mL@yKxpCs&S|7E<^mpVZN^C|`@IP#ibGO^2 z@8wROlRXATt8~)r85Tkjwp*w2j+8m8^l~VAuV6XJHC}3dv1RAoyk`dF%St7ES7~l_ zA(fP7FDSl+R*UD#H(T}I7a`s_d_^R9!Rb_?Vy&&ovPGmE3nxdnnxQWm+5KfF2JodE<*9mi$cuPVwB?;@doC*Tm%0)D#>$KC0bEfq zLOPyMG0#y^biVN*DaB+7i^Q{J=8}!O#SF$ZSs3(q6#G6;(5=el#q}_0TI6ESZokMn zzbY%)K6Yl?HEEx_aV2 zECCMFrZJ0)A7{k{F0Qn?YbRe89B5N0?hx>3AE889)>*7Y^2=d* zO~%gf22LWF%Lc{E8K!BRxcn-$Ai?hW#E26EANzGqQ0lui`+IBy*4N~#e%=(pEgotn z{v7?aQFDYM-y6u0tS&X-!cag~cyUce-5i&fFIcU?9}G8ZEw0synWV--aC_RT{hXcc zWE~PlF{S^g1?;j*#=A~>>6u)+^>OpqbA9{?FJnp6$Sdm%ESr@Aii(RH8d*J6aUp0d zp_$ZQzj*Z-aAKgDbdTSzx@{8N#EPb}FDzTuM39b5o6lB-kAa<}jZpO2_gTy8&B2OQ zFEvH(PLYH7BP3qscgtt9&GijxzBBDd7+7dg3I+YIdZX)S-c?Ni)^-u{;p>b~spXUM z?;a>f>Qbw#_j&GI+_F*54PRSC-ET{tnw0okd^0-9_r8=nGQKmFmNh@eKsjFPH&O(6 z7;`y;_n_vIUf&@{d+$9H`S_$cI9Gc)ofe0{PaIZHYF1+8U5ZF%{kWC%)I%YAvknQC zkgnHI<9n(^O&R^Vb?ak6!Q|&0IUi?JoJ<@Y!?Bt1^@l!7)1$Zp_Xpyf?cxLFQLL+? z7t}XCph(8D(GJMX=?X1JAr7i!LKjM2+uQ>PWU0E^;m@f=HCm!%)a;Dse0g7RcZ|Mx zOn?UO;~v`Rzsm+(6D8DL#W^n#nHK`bXSY2MU$orY8y^arT$T?^(Q9+rNfVT3x^ynp0OC%V9$Nx62+99fc0z5yc1rVfyyN|+GygdiETrFX<>e;(g`n&?S?RYidCC;zuGdmE53m5b!_7`5S@*4lBS zh?TNf8A$# z+0Z{P@7^dV>`xU2#^_&j*?qeFrAG?SQ}B1;Ja+Xr0D@#t*X@UUVo=r6VRWOZ?5Ikq z{zCJC7ex%`Umx?2YBd1DTLwVyYX7=3JMy3S*RTCt#7y!vpx2E$=U^V^W~KzUNTz?L;mB>?*P{B* z@B0V|Eff$wUedRhi0=Y|^Zx59$8|o(Y#?T7%l(<*O{Q-HF+~F#0kR8kRj9-&=A}p5 zl*5^xX3sG*fn>tJ6vEw)Fcf%=uYz&#LWy5@BAxnuMP0U_gVs?En3VUGh%}=9atoYC zzWbco$F<~uejAKfT&W|H&WE$>e88gJ`n(ATxs&{(wObj#Pm0oG_89~!s!Jba_vDKA z#(MWzk(KtwRq+b~{{F&q%Kz?(&kzdO7KDWt$|UBnmNtL$uV7gJV=>i8 zKS9hnx4NN)9!@f{>4w_%_gC3p#vvyApVzr8{BO4kQE&|M9W9h8V_~i4_oZxREE)WP zJZhD8Ega}=f8^Lr{TqA>u^1r(;BfBir;jcN=u7P$EM_Bx6urf>TmO#(FAQQbKR9=%z;jY# zxW8rq@m4124o!9iCSN^!-mnub8Cfo(Z}T&={?-5YeofF6cu7!bZZHgX86&B0XCnz9 zqlr~5gLeMz#)mim(H4;mtS_1Tp^fHfqaIg=+^+oNjY|0cV@A4o^IJ__*x$YoG=6ksN;-2vF^{@kC9Gta+6%+ zi%ajq{w(?m-~KyJ8{7BMLfzztn!}>>&6IHsTx@SEFXyxV?}zC^9G1Ktoy4=|8*%cb z2s{M=kBH4nEJy|htoZz^{qMr{kl$XFoQTrk6$mxk>0?fxFsR*%1mP$GgHdV&|9ow? z8}sixOOfq)HTs7<)NdcC2{SvMiTnJ*s#bnY8$~zxmlz~u`}fIVByV=>9`^|_=5-CP zGk_FBgZ4Egp>OXLqC+@bfRHphFP(6P>%4 z{taxy6y-iK>OS5I3g*Di(R3{Ddr$aM;wkGMV<|}n2ry7)a zdn4!>0?r(ZFC7e4vY4s(tsmw^3F6_5I02C|#FFW|~hJ@iirUJCD8bUGWb^Ry+ z6cm@2mm%T}3;ClF|4!fd?JXf(uQw}q?Mm+4t;)1L`X7N$Q7hbc0?{xQe>~Q+#P7Vx z#N=M+cGIn?ZD|lrcA6?>WtEjl>vgq35C7ls4!{NQ)=oYokQ?F{%j6wqjIplk-x z=XQAGRJo$JRqlxL=c)a;=^)s2h`a2Ythv!hD`<5_usPLEar)J5zeQorp1s5G_=o=E zJ){HSw-lp&qu45D>g}REH{V3)>ZbVG;+ZW`BL5Z7J@4;5A#&q68ia3m_hZu0G?9OK z5$aicHHsqpeIWkxBC|i7kyI>r@Jkp%???_Aw&qMr z%4{#sY~oc9>kWbIx_@+OqYEK}-y<%A#|izCECKQfUGqH@c)rY3i~CLp=1#k!E+=$B zN=2+@pw|{T^1HYgBW+YDu*w- zqK6x+!E2YnpF+T34I>%7rn6U`qWe}>4WsoA^1H_{C%J3(`*o+Pn3(s+Cnt~*6`PMY zR*uTzeX(uCj_>{oP?k)?Xzkm32v6QehCQ~nffPSJ>}yoVsSdii zDt;8vZLfExN5JT#W@m_i%x!SiWE_{faK|S6He@|8G>KNB+FKX1Cv}}JRMO8E+Ze=Xa_*usGF4CHS$Y2Gdyu7DgVa(aV&>{H>m5-;YvU+hd|Ler zQzS|5j6V2$g~_?OqT>DBVlt^=S6_WoT3sm}xAN6ldFU?!Bt+XCJlVtv39BdjqlPqU zqN5}urM>sKj3}rI_g~%ls5lU`Gd%F{#f_B{rreTlH6O=~IX4MGXo;FHg=Y-QoqSYY z*3P{Bw4N)z>M~UEse8r+WhMq$KFNhvdy96iJCkUy)8Y9ok7+@H$gce)r~ z3_>NVxXu9#$E$Kx10nrGj)Ef%*aG5)hPCz6v{^=@4VWMWo-9hLkwM2u&C0Xt5cqoh zNJpK4KI1CxE@E;i8Cd@*xFlDNSH9iHMwQBf9J8bg^Lu=JanYH!UBZ#($Ses4*8WkR$!$*VUxAK9T9AJ> zV0sa=<020?T+e%)-!%KMq4M(3URhsfT+tO)ca8GcjrjvZX%BC1h=`^kA0n-%vHN|2 zwLc4vaenHk)5~hygM%wLFc5>-ir9NTBX4v}A?b+EbR~!%7}~!Lc^BmKAPCu=r>z_Q z`%4p=Si4xDVrt%eaS`Ok?B1vX-IeO~V zIX%5~V5DT(B>Fl}mZ3R2e&U%O0YRo?2Y8)l&qbzcH{)JTPO7U9@(f0Oj*R`<>s5x1 z&dQEq3s)QKyBQ0ti%ajH54~t_Gcc}v(8AVo2FK^H;dY+*JR@jWFK+qot5_{Kq?Xr5 z{eh`Yx_Z*s)LP3;d!PJ!x)DeCi^E=ZJuk=-iq%+YuQt+CwrGK`s2*sUO6rZsh)vq- z3Jc~g+&ukh=|(#|tgK?R%UxON;IzGVyrzrHL_r_EB6rDzwXd0!pimc|uFO5}C7wZm ztV2*6;fkMNk;yG0=?=(5UGF%gqseN7tz$yYfB#2}F z=yHS|G@`~*BoFS8`rP(6dlt<7x&s$!a?vfd_Hpm~b69LN{Ikl(-24I8egSD8W(T zv(1S&zAuaV$4c-ao_c?($lv{9V!aKOHa+S~u%v| zFVo>=M9B3To}nc7zvI6T!e_v<&&^%av}PUN3F-kPIsCRcWio0p<;_f^%Og`Sd%Xk47F9P&*OT~GHzx3f=BxBbqSDp2rQeqeO5r#g#qZE+o{4BP&fE#}Se-iENd zWoZGj!D-e9PmZed9wUnTQ;*$aufDH^JA&?dBPgUzAXYEP7(;e&^9%SPUwqfgQ?W}H zXKUF?h>mHLD(ZNBtRa}0M!lVVaf-rw&p{@LCP+4=_x#gp$Z3xouwJF?`%(>2@7zD5 zSg)&3=Sf&8fHp;b>F?22y>O={A>Q5QARDBUtE;Ezrk^Y`oVNjRYlgbrDxMq_*M4R% zm+2CL!QX4#AeH!(&R0SKO*P=zZ6{U*YZ!bT3ZE>6k%Y|mqa3{uGjjRphf4uEv)?BV zzh+W>4~nI)xm}n07x8zNUtZf=_SZ^Q`I;KOC2ro8;R)7xF)lN~#4%_|rX`Q$wsUXy z-C~Kpd`bL)x3$URf@0I^Mv)bX5_%7F~upPuFdba3nxYxLmra!># zeKR_!c$0xPOUB9G*( zZ9k>}@Dplzc}2j!wTu+Eh}X;$D~gm;lNEpKnJ3B9IQhOq{#brujJ#aXW@~S_CFR$q z82D9SvOlQ4T7A5X>-#`ow_XvOud>jnr+{VTJAZ}1NICz>9JQ_bz8pmFFs5GA6bwqL ztu3(#-c*2M&kUundCLFV-*J;x5586n7{t!J$ZTiWGNucb8xR65PL> zbAIRlo}2F~x!7y3J+o|Po@dQ)on>Ys4*58qK8zcJ99_UUSQt zo>2gvRc|@{P6|04+16NO0fIGIoU-t@W$Rikpw!J`+&`s}Mfa(NPfvyVG%LadL6TeA zCVHh~y7-uuQlOjXd%BjZEYAZW|LyJsB2vOALwlKmspb>**gpx2EN6)a?3{*|CZoEn zk(ApTu%Ae@ujM}BmNX#+69IvP%yrgtf&DQOcl!^NIG}`8HyID}i=+)chyC@I(+}Lt zASJzqEqjjY@AGv>ETPP*#P07oMIA^Gr8|001eqhEC_-+)0eac7E&g!stNZ}TqdCxZ{d2Gr! zOrqt)Cvi_wpMa+)PsuynzmiF+CehcwzyKTW}4;^^G(sXd- zVe$RU!MDML6J;#>Ad4QxQ%@{jjnyZVTHYg^2D`rDsoIGWWJmNnz*t?F9Bjs`_q^L8 zby^;!RZj0YKaaRQHVEW<*)^hNeGX0;li&bb0ER0V6LU@_x*zdxZ8BGvZUkAZk8gqg zQ~}ve-3Ol+!+}I9Cno*JMw4{_(Q-|cru$GuUl_8Q#dz0O293M5E%hbEIAD5{IFMr@pTnf-&mb zAesYZ*DR+HvJWX7&y2}4RL>*1yVzvhr;Xj2E3FY|3p{rKa<{ECaf2)Bd8}uD1fj%n ze4q&{LQA+iszh0wyWu2zlP-X;!VQbi3y;l`dMdh_6tE)`Ft>p9rY_wN;hxx26y#ZR z=RBpyG!858NA&O6~#D0afU6* z-DCPjNZ*rLu=%FmQ(*{t?Y_kl6Hemmdh=!cHlZ{=Xz?5>{0Qid>{wThny-eY_TN7 zj;g(^vzw`s2CVsRk-+B5tr`caU!xPJ8{MsQ;?s4;94J^6J0V*%Z`l+r=YNZT6)eA` zgyB-Pvu$uqw}a=deBNF{3qKqqb&;QKHTekDIuH4d|9+gp-`g%<%T9f82ZzP2o9r;6 zv^!vqzxU><_K+!>00#AEIc$cs2y@zAxl@O(OWux}*I_~jY}j_4+EHqDvcc#5Ri4Ky zYr*r-KI^e!&4&liay{-o65GSj-kh)4AXDzT(%MrNyV6;|RE5a=Hx3 z1c%P<9Bi42h?)twjUA49`=iy{dO2@z8r8L)dc$0t1#0~%{g7kxZE0%wnneD+Hh&`7 zPzT_0K3?v`O&(`w+pRYn;I!Xdo^*}Zxh7bSf#(FdWffkcnxaxPB+#QEY0Nhe82(BC zo9T!i+{rHZR1&$kH+mLW= za^FS{-D5gwItN6ws4uQNh8p-l6QfKXm@Z(BUm9ULwK%F6DNE(;jTAa*1 z{vmWn%Z}b0_KHUtFOjAQk3ukmQ9Tu#P&^=iM^ESWim@Bzk}2l+%CTs3szQ8CZ(+Z) z$gQ8ZBnS;+8XQoK%`($@KBFfwHl~1u!B}WJ>DE$_~lj~G=KM}^VhbR z^Cn*{c^%Jw$UXUdP4oIuGqX_r!3&*nY6=}QYUg4h0TsfVbXtM11l!|^Me-anz*F0oVSnP~y;Ud2c$ z0=L-8`xB!h{G$YC7&!RpqlLqyr)#pY9LMAe?Kk3GOV5<9*K?o;(`b_M>2fr95enHq z2$-jE)QQM>;}7Feqr;VR^QvN1HWa&#i!4#AEZrnCA_0XAU+tskSC*X-opjT<% ziA^OAxSUVoq_j36l+E3XGxcccqraS46(N8;t_Bs1_wKp6NkzA+2gxOkZkP_Zv80b!=r@A?$#Q~WnC&-?=7f_D4FQqVppf5 z=7=PoTgTrfB{?(V^)R@XgF)r}myYRGiirmsN@I2Sq}FN!Du>u0jBGFKxA)vWUT29{ znWKLIBUx>p2MyQ1J~J1|jq3U*+;&wq<*VoC6OrJI?cWe?%|VFYJ$vTlu4L!ghC4!e zl~Wi7X6j#%mgg^Mk30GHeSJd1i(5Dt-FW}x8{!(VUGxp}F9G_MdzR}L>)mLof(M{| z+v%$!-*N4OT+PUqNAoG2z3KpL9cg-;x7qWHtn~ECI-i^$t<+3Rh(s7uCJdE|Tsk7^ z$|`6e$M`4L?Wiv_M#c_LL^q9S`6Zi3@fRIt(u=ujIk65;87em|&`)T$u8l#TMJ3Z8 zmMFTBSGByyPjkffT2`f7A3vdx%~R9&PEZLNi(KGRABqd5d~zgb1jLJQvxPPz^J^T7 zOFw)!Qq0ohyekzbit|EGo*9b16`-Kx&0a{@#}?y7pu~8*U*f_m`^36z!s z-H9lhW`QqT^&J%FGqi9f{Sh$77B}kvn2*9zLRW{5@=oIbghu&YND=J3!Enx5g zn*tG^8&e~U!?F&-kqqU+sbtIYH?@TTXOIv3hXjQ{_uvELHfGwP=sHK88uft#1_wkL zs(3s+VnV{92L(d41Dr2E<50vMmwHwYadxu=I)BG?>~0<+G_Si8#%;_c>!=U+I$e^2 zBK-G&{d8=W(%rJF8txW-QWqzSR{M%7)FOPyDis-Zj_c;B3s)lR5Pi7od!b-M8x8-}{lEWMq) zk5hep^D!kU4_GMQ{(F_lBJd`CN+$v)`FO97A7P2pedPFY+~T@@P=jZ;Qj_?sawQeM zTM}%&ySr4gMor*nvM#;Ko z*Yn_ca*s^5a*ZG5&xw0s$KS84C*|Dz@zRD_{G~2re1Z1^@RU%oqLAoWvlP9h_k7al z=;wVO4zA%*MYt`ec;CVTC^}j{Fz~S^1D3`~7ZMN;n7wwAvbo+8m-BQ);byp!gs@Ok zQ%8jVCCViBk=6Nw`0bRKKC~mST~Qo*mvDHy_DtQ_@Ydu7ezFt)>4JQQPj`R7m~3JGYZpN{uhI`k#Eh1bkz zar@sdP7haO_ZZwO6;@D(ZWuRu@Vn`S(*BnVAo0iFwDI9eWToIuI?D40;2!4wm!ycT zoDHKN_szvkrRm~1?e*dIG8c!!R!H_XKFOF9cq<*IckXZfPceUSi3kA&U5Zs$7(&;y z`Gn(@Rbuni4T5R|gO3I%hkR_Qj1QI7Oha?Klod4)3TWs#M495JYSc?izh3O={h8XB z#G0G`CXh6IPTxL(X@0(DU!9}GV6(*6ZFulydj*uv*FdT4!iPt%V(Kh``#Rf%zUub9 zPKsP~Q~E*cBVeYJjcS{lbdvU1X4TO6;nF#PjKJRR6XCw?>B<7cZ^R_Pd)i~?D4iHSVHA4NuQ9<3e zFq7Lm)e~(_P*Iyvo^1)gvMr8u3-b8s_wkV4^Az^G+d>8O)DuP{$(%RS_Ha)QZY{F> z%Uaaf2y1Gw#6oTpkuH5Vk&)dwWjY|2-Vz>RDqU@RLm_4aPavE|AFtH59FV;2B~>J6 zXZXO^vMO|;Khf|@+QIM!b7hX)%65HJD{QNjA!oBdY6j})g6P3>Wj1v0+RTGhD0@7f z5+h73v~7Ove?!p%6NS3%f5$rM?L^7I<_4n`g+BS2d-|G@4Y-$=aVSwg_GPo^abW%N zr|}&ETjlYaqKFOJy6kVNRtXxuuYCwk9x}}?-u>mpX(_N(;dnTkk2Btiw|iH&m(1X( zWf-iW6yE!?Urg+zr9-D90P=ETo>_m)V1tk*y6s1ESqjt|Y039ir&)^7SPQwWxOOGw zgf(w|3=S9kn_bv?#cHq1lUp)4YOVAUN5zdEaHN04V;ixy{Q=Smuuvi%8$GZJeXo*u z@Hk4lJU?H1eC#26(;knacMzeXqkJ(x##p}t~kMf4eD zWa*x%!ff2Qz|JCV*>@FUX@WbHQdTRmL@v%tUbI1i5vJ*sl%HQX0Z860jKFc=4T^U# z65yz4rjW(o|?da!z*)Wi)N|S!uXIU z;_MFzW3n+-XhEu@>2R8iPEtakD93w``Yf8m79#Rw+0)pGTY84zuC`&O=m$Q(z7|r< z$x1Io%oF9E{V=24ME}<_1Z^r0u@C{T@BCve;{9t7*Gj=297LU$b<#q7Pwb;&bMTga ze;mb^t^n3igSLPMrQ_P;PxQukp%)iNcPAY87w6cZgG?z3w@JpeKmF7iIU@H{VERdOhq+^FPK zZ!d6*T+Jf-a`j0X@a0=TY)1~eiv_LW z<*H3}-SUP?B6b-?$!x|u{MLj~fg%A4GP_6QJG5${dQYz=Q&uL4 zog$e6XA>@xnw|T$cg3)V4$U3!CE3=Hk~vL%#=Kn*6JCTp46kH7P>;?datB@kCuPep zhNFr{pBNxpdwVRDz%fYXa2S*Aep{CcGm1lp{MOT_xyVkyZZusih(SgvHx_(10@8_6 zB#O$s_4fH#CK=8Tu^*1aHZK$1-6Q4neE3+#_8wbYD;l#*MFyB%Y#iTC}sO(=~TPO_o+~UH*X>cAGjjIy5SQ@Z?v$d&+RPW=|Up z{4K!|F-NEmAx-*5F>1jr)aDa{kKG&j-peb5$QOM$lC;|$kY&}lTfM@fEfd%GP_I>^ zk|q7QW4*U6r$5Q~#+YXXdIgn$r*{_fBG`(+0}!Dl^S!|`7N(ZQc8>xw?b{Q!YLE$g zC;Z5LwOZ$no1Z|8M;erRh(!6M)49`FU%nYPr}iaaD!90dw5^hCrxjrp19>%hj%Rov zHZi|jVwCUv`kF;=tVj1t`&3|D+-GAd&DoC}8Obiazlp)u1=^*O6?0#Ix{xGWXRcXF^A2PaSgyIcIDV6RFDF3NN z*zh=XFMYLuET=5<2xd()lKi67n86G zj-W$sLcI6O;WIMuLQ?8M2lMb$Cm*BeW+Ws!wSQbq8o!I;lGFYJD#WQQ{WxsQje{c? zc3#MVp3I6Y1S!{V{jq~-RJV`b3R>~N@^_!%Pwj`FzkV*IwVB;I`d%(?;VZ_eVW zIPS~)!$%)W5#3c$JFaQRL<14l{B=mYezWgy)*~)@H`#Ee1H04A;61l|k;6;u$LM>& zwSO+QAGx6WR}d2(%M9>W$R!Eil4q&7c5ExJToAT0N_ z)ZmGEBVFemH~ky@Vz+pho12TxkEOEu`~2AIsyHXt>x7f64elxYkuEJH!RNbwM^CUz z3WZ(Y4}iqe-o*&a35l#3*kWmcB{dwBq}7gbKw z+R6lsQlG;ZdH6q{Q5NAP;S+Bfy=qY3dB;hs?V&SdjK5&{7Nx<+zh|lbxPCX|QtDrF z{70PMoB_;+#9{!ZpxjR{Hqo*fnsZ1R4>tw&3j~%{9~H8p6dYTK+FvDw_PfQbbSBmyd7raP);`Zh_dUH`Tkr89s8~)DpXx)36`sW6%4S5EPoGB;o5k1UaO0`8nn^_m;A_Kdii5S)NTbg9?%T*O{r;;Z z`%iOL4>vu}y?Bf3K(M%j0UyJE1%R9UF+cDaG^6I~lYWO$7}d;L(Zw<0_2m1ttW}1a zl#NxE?=Z!YeCj;x1z(>YOuNV5JRz4umgim-|BCwW2mPRR`h^;;_ocQ> zzVH0SM*sPVg!X4PW`&+)nP#+c+$W$Ik5#VS#OUG7<`&@Yl=Y1EA1M+(;bZ?a`TH(+ zeo>Fj;9U?(3sZMK7Yo+^zUjB%YsSzrFBAjb{Ro@tH0H+zqn|1J8QlNBPuZ`*t8ngJ zLyT7%%KGiBOaA-eA5drQ5Y*5YPM$k_*TpZ;%k@#2H9vI#Q_tFA%Ks?k1F8nqzk0-W zh-q?jV4JOkcpIM{sB&lk^NvY+WQG2{m;5WbA&W4V@Z){YT&-RuR{;TQV5(6l4$b%V z*0NDg>&pM>)a+lK?yh%`wXfJ!5`r-)T-!tz3WxUombHfc^B8>IqXsY$_VBeBEJZAx zI_0Y6*~J&zO`N#q&zDS<%xRbNY5dSE{sweZZ*WA;QjYq&e(031RyJwFqg}zb=crqO z43GrP71>>$6wNT%FGBLk@r5do%f^aWyqGK1%f9`Bgg*#HuHZnJAd4pgAxbv9Br(nU z!n(nL{48A17h%j6N$ZWd*kfHl*162$M?2gb{0_n!HmJevj*~$01ye)8XC5=W?b=)2 zttiQ@BDF`>ts=(jVhLf);@T&-2&H_bEmJR${%YOu{NlFZul5yk0V!d+=nxF$Nh{ux z@%lru4f2kc*!_JFATkvUd>HH7Hfc{?ycG8(1bn!E)b~$%7EGhLLUBp&(HmYB#0VhslRG;*esH2=uM=5sr7&I>fiRg@&c4= z_Uj#{u~D$&KTPvJkHjeu?x4jHh5)RE&3BA0_x!h7tXgPu7`^(pG@P{$Z(mwO5dFoU zqg;LxrRHZPK-ry*bcFF;62kqvDqEH41P>p{^h6AwWn%H0s_a@b;d%M}n3s1+@WA_v zkzOyGciR=BP3dkT06HSi3Ku$b&L>_?XRTmuseb=dQ)bZ3L`;=G z#0N@L`ST$Y-uxoRbZ@{sgzSNTqUI&tl%2znDaVvqY~Y#gEVbXF39K-50eb{1;NKZ` z|K+h5_hKUiJJSsqZVI|@ksU|wB&>SWfESwt8#GJ}J|#XLlRbDuPh7Owwd(VCuxoKC}y>PK5#=4D#2~ZyS$+hRKq`ot4S>yeoU{aJRp3kmer}hXC zN)})=w_}9L1g$HD4QUkKvOMD4Fq@y8R)%B!VxKTCpJ5bvjs;j7+3?CoC-!!Xqn{4fvqAJo|M^B-YQilODSQ?W!=i;T z!wiPFw}S$RW`23?uciSOm_vS`^(jV()7^-A=)ddlc9ha5_*VMy0cB@W0te-5NfkPmJ-K{Lw`%-vcvcXu?WxIa!cnOU6;DSbCF0 zDpe6IC-QBliB?6cvqcz(0~bmPrdj_vX8w}A{rJtf{#cI-O4Y;WUShoqUZ@5dX@5Lw-r0&g6DCU9s=SFcVB( zhe_qPAyThK9DR&xmRJm=s!f2DuiWrj&i4O|7x+)EG%ogx6&F`+sTM=E+Ot*!5nFnT zCL`LeoEF{dxljzNv!jTMhLvi+3&^*_ARgU+ET2jx1QX0Zab17Z#=k`n5zNq{8zyt- zs%Z`<{w9AtCW)1A*oe6T&e>_bX}7V=;gS8Pr48Hbny*2I61O&%`E=tK|6$r~XG+dt3ofx@6n(>tyFj`Ccb!O}2J1XN7h7 ztIltp2|}DWN_Obi2UcXNQ(Ac_(`Nsp-xO3cv;D6(@{z{olCQn=K}eC2lf3o_>FL^7 zfy)U!{`3_n+eYUBBy&=4}tIcB*nO;i+nIRVohe-m3Z{uu?@ zfZuc<8q6w3Rp9`Ma$*Vkec1_F*&74dx9{Ko{oVaKS+8=J=|U~zf4*2nz@S%wm>*2Ti0ZQf6o?L%yr|Itfj=cVNspb{Ib#T4wUEdyf5erz7V~A5)ae z9&u3-mmb+ysw!lx{ZI4^K5aKMsK0*a**eo}5@r8g$dw6l?49X($_Ug=%u*#632$&? z&Ws^7T}eiU1&y1dh9Q_z)yOek`fTG=9xtBOuBxwp`9~37$R{FJlGkE&*ecvv-{f0d zTFs*Eo92k344iK*B-m=rrmAs1?$YQle2&~=UM8*u{Aa8KY$HEOYht?dNfgzewzwe~i_Lh51BOq(n z47>w20+b6w2w>5gzJ9IG$)B5+1aEI23~KfITlH64eJ8Ei$fGL;!id69Wo2I6NHowVI_O*>DH*I4eg^&tjbD2YOF519>IO^!*Dw#;z(_gYmVTdLy zI>ldXWLrZ1OU^zTI^+C=W61bH4gZuFjG;(2=5@_YoGoK?2A@>gwnwCI~GruZk6 z{z<*qbYTY=SV70*FojW+Ev5>A*qERYyd`=Pq^CayR10mQSPClxhigsaZ+wOiIk-4| z>E-06@R5q|c8yq`u0QlVtoaN{%pcbMvD#A0rsN~4Qc$B(P8ka?9#J>7-k5wypn+7K zX+bNR=z30%U59S|E{4dsKXq26*L&6alqs|~&LzoI&c%G9TH>fpDJ(MVhvoUa742rsu9++Z=<|=_?ABIV(s2^fl;x9-ck>Qt}#HK-9jMQi8GUSIm5;}sT`=-nG>9wDfYhxvL&wLul&t5t3O z4XnFIDQZpgOT0l)F+4HLRCE|9V-*3<8%w1%67O%dO4Ixdnw`ZZMQE*<)8Z1`@4L2I znF1FPuw)SokO$F}oH?*vX~jD#Gu++XX+xCJ1M4?;T|Yh_Xz)c_Ft3ZXmz+rLq6)XR zPTcWz4z>KjwYnIT&A2UdD&e{HCjHvv5PQC4QqTNUvS6(biD*|_sxDpQ{EMb39Zk>d zaN5V|d@AsM^x~ps$pHFcTctO?W-xZx;d8+a6NDR38lLnDVw)+ zWOA?-+LJv2k66<(NPRR}wBu5c_J&c^&F8Cl$88x=GUEp4Q_@W6|J@fW)BLwcXauT8Npb^2^@7=b-7_O z5dhxOyia5CBxwZ@j=pNCmxapxn%kne4a7AiX%p^m717Y;_eIa%1@D>21XaZyll?33 z*%^YWZOJAQ z-Otf_=+vm)Y;PjWda5&y{BR)cJzq+UEkP~oL|pT0!(FlmG^K-z=mQ^H#y3=<42t0l zh1T4Gh);`kUMPqIiqx~UalO1Pa%4+ki|4dQbyfj69fT|V4qG*;{WHA1ozqKWIbaJTu5$ddTrKbV}gh;!?ep+mZlpr=U7(Q3-ZzhfqGgs=uiJ~_jnwQmYRk5;&a;K8moqUDW=PLN-O{L?G{plpX55eep-#KQIm z8iOj^zIai8-02FexQ*%Xv?0{lclOed50nj#YvV!e(SM|EUJIP` zGO-LE3#sMeTKwaJz|FY)D@MOZde*xKVtvQjl(aoIl#5Kz!OhomEo#LQiq0VHm;4R*TIK zNIMMCy=$()2X{G>MXCmwA;e@{UNeI#QHG}G$6W|T(wH(vLT$Ztq1+-8Z{MEp-L@Od zc0f7r*OnsB#J!`8Vg;>LCqNbcr#ruD3Q(PQImE6ENbaqhPRC`eDulZOvHXh_!uB7p z!0rx57a|^Yj$a*k1U)UM?8g7j6$Hd(C<(`LaN408rVB^-T%h=h@UG5)8Jl@r#-3aj zM+@nTHy8fmd)tcnOi1je5en4qk*4@1OBeISEVlUx-&~VQFG%03ar!bnX%Up)1&xzu z)Ovt1;XNUUF3*AEUi8M6vjllCuD^rx^yxAD(iR9B@2BCI@zuk<(NFCKquv z;83mdS19YhI-k~As$&3^0t%*xRJd8qQI(e6dOi1FHFUlJPTd- zMFG$~p*9}H%S--(MRJ+)E1kBawGqVgVMb!W#13@+^KJwCA+g%{*@?J>b65e{9RyEI zka(0iZuN`twY4)@_AJ^t{f#F{%?LlI>GVvma_r7tn&*+%@1>3%kJ+o`YD);5Eah$~ zTNRt;jL8k0PaTc&iAcCFON0B@t}HZoiEppwF>#LW6@A|_GqtU+cL!5siGI3)XMZ@HvRXC{}sO%NTLdAP51vG}{_jR(XyiD^QqG3Uw z8@bOl#ihTrOC61VY~{fupzU|QaKZb_){6py3hdynQ<)Dl_bNwj9RgJAD!^kA6&vSA z>`lSqUWlf+MwZgfJnKUEIcLX!I%73!zi%DUyw!COekb;RbOS=$0WxG&vr?64s z>5|di`49fYY)Hgf=Gd*ATy#uCu`z2Z5y3#{H?%>A$5(z1Z&i!r>L9{_6cs^&O%DwF zFF#dgXYA9GV4RGA0&F%1-3LBlR|C)5KPY%bRmStP(1X$R=(jm?kF$(O-a@i(<4m;8 zL_QnR8L>AP$$4&Ei(t9EVk!9WUoHSD9e9(k2>4U^aYQs7`vrMOF41Y>({daoykPb* z47L_SOw1iuIYgt4YVRngMZ--li;^7XSkM|eT2a=ZGYOROkJ@kVOSQd~;r?L|B+ znKRwFp^11zB*X(ABNp3$of#2d$&Vd=b!i)95Td8WF|xHgR!7Hg+;>Y9b8J;|L9_u! z5^#cas!&%wlese7#$(ka{XHF~_Uq&)!#93}?Y^c-Y$t(g3Q=Ukms9hSqkTiSYVbys zF+|g-l{fBD3WHLAybAtr7smp{XPcCESlyi>wb|>n5)HZK^8GTL{zOfwtGyqGgylnTB3(lFCUT?Xj1Eq zjmM2!wXO1Pz~gB!@XSS)>@;Kh&&xvG-KG<^sRK7Qblg3GLCj;^^%VoiUwZ(>=qYwx z_{WO(`bgHooW*Ro)#LGkR<>w9dDL(YoV9>Q%p11*cPcuEC`9YKfw_Fhtxv#O;$PJ` zZbqoRS^|Sc_*2zJc1T4J-s(ag-_R7N2q*BJU`Lf%K^tO_PkoQWxaG-i6D=JUgSQEj zdeOjkp1RBRX4R;UM=0Z7Uo~$kbjsXBz}t;vCRwn@eZT*U%gg!4XYH)+{uvwJHK||$ zMiw4Ut4jgC4*s~%HfbkYZpQ}SnrNP$n9GhfUWV)E(PQ!S2$IP^LWNw`L9}1(QT3-F zX?vKib9`(}_G#XC&OAZL+n&a+uIUt*{IW!#-AKwgL%Hrw-$TTo*LWhzPsq>>v;Q_3 z_`*6EFE|n{DlHb#u$aGzL$RNZf;~@1d?Y;#8x{bQugWOt-6e8fbQOR?^!eNm}olL z@U5J&UaVHM;vVVX5_AS>sJjW-8j5nRfheUE`idRqsw+u3Ul_HWVm}!{;rMoTp0R7W zIxKIDE);YPj9Ae{-uWofRr0qnjn@rVs(40Dzb1mff#Glc%g2m2Nq$j#JQS9N0*<f@)lY9-)|(S4E1`xn(BWc%rA{hvDCr5plSjWUjZud_<(& zkMR!Q*=e2C$a<)^tu~D;9HltPda@+*;n>=!TX8tBmNAj=>66Xu*S&S+7V=q=QNggc z{#U~L%0QgRV4`f9?%5I(PO>gEyd9=+Fr=wc)F<(1!0~1egS9Fz>aAO%1 z@ z`yH&Xet~{FQDp3Y9`;hVUOdKku($YrOgOUmjU`m&^eO$98v4jU4DER%QZM)XMx!(P zS1ovK@V4|15{hOe59>oM39ggCr2A1glPLMhHMxLZV`Zqcp(uTpkYCE-A42B=d;Xb+ z=N1Kw4sG+>^LSGh?dD8UA&>mC9xVOYDGW*$Z_g;^sMEscXd^4jA%Po`Mf_i~&|NQ^6*v`rc3<=MeJ5mAtpk9TPdQLuLI72eJ;zOw8*KAD8r7i1Q3B zAFwvbNGb2K?EzU#H>sOENWV-jbFDFA_NrLc`;cN^F-v|&?_rX&7gSGK1+POCHaRQ| zs@Cc-&BpH8w@W2@1`Rvi&Cz}_7dVAfD5Cj9{$iYg9y;-_=^|aMfhni|T8cYVqM0UY zCH@XKzV(B=YZpA~Q@?TF+l)1mW&SJ>J+W zE1(eZJG&yoy*N<1g7Y*8G+8qPYMx_OSMv!R+pfeU>7|?=%NCaM9L8uoT=y%MhJL}7 zASlF9qKzJxE|OZxh~o=gMz0NOo^JcbI{&=!5`VZ3XQMa3Z=hH+O<;J%6Pyb6wso|4 z@+4-%bIJb%H5+(mkS+k3DdC0Us$@Gd1;z`95xZEF^X)(Iy7wp^OlWfg1+G zrg%!6+20w6rmO2Rp*{*DX!%<6y2QVU**CFGd=>`p&V5t)RBwv1eB82aw?VN|H1=&{ zlXpF^M8Xf&_X2%V>6qS`2OV5=iVkZv5#siQ1!Ei5MlXN<+{$J5>b|2C{Y+s)2|{0S z?#^7iPbT#U&(LVE$8Qdvuh3q#ooX^iRGlMl*g-m}+pJJt9#E*q%JjW+tH%(kS~Em&V0Q&99g z$Ul@A<1O<$hW8{5WaHh{IjDtQ)`{|1&yn!QL_S92nJu?kX$*u(`ncDgePJ70sblzR zNe!7K*5$SDgz5`dNc3vmE4!bqOJ2-ZB$d8lz=Y7)zo_~m98H$`m2E#{nfWXOBPXY8 zmGnrEG|OL+Ew!MW}a7o%`cK$ih}3ewHeq*#%g1@p6({S;6e3)|HEW1 z!$q(0HRVLn=S1o9G|{Z*9g`BUmL_pS`o*2!h4K-vEn*V`>O1?0&s7pE7!5CqI2EJ| znwp;%8|+ci-)LskSxL>@zh0~efd_DM{aiTlhlj`4P^{OALe%W>0dv(}%$Iv9b;7{! zSfN5n(5qP{b);*uv0q9T$l<)dURK+KW(4UaKn=NGR`!|m)b0@B&nxpW1{Wh)%9s!Z z%d;(Yq*-g(um+{6Z0?wG3%2hg^WsB|pFr2-C3+)h#e#8b12C(Z^2ZT(w#TL7*jmx2 zSIQL(_RICZ8ghzjCHkK)c`(T)K9m4Il7D$n7H*lonQ3rC+iRBe@%VFdZVfNb_Gy4m z$v~Z+Ow%2**fm7PZNKc15Bx!BGSn>2cb5Noq(PfIPQA+7)=qF>2yl;$ds5-+LX}nz zKkU8^S(|4SIRtW>gBN_BIo3afwSdCT#g&jLU@@;NH>^@)N? zu{*qBR2BIy6&!Z@g#?4eAZ7l+eC|7k<6PP-D}^2{B4|S+z^5}*tNR<7wjxJ)864?HiOG12)Fkw*#h;$ChX`i;0v;Ba6D`FOQH(Dwig8;`*tx(KQRaL9^ z;R_!snOugfdH?uN`kb_FH|O*lok+?fKh%_+YsrVpg^oGGZ8qA+*2 z*M>1Ze5`TNF>E8hE zOdjfIG@O1)<=g8JEj^mwdxEpzHcgOfYh6moHJTV(zNrz5dC@0!>N>BimvMfXt7?zj zPsR~2^hSMH_0lRpn_IS6NQ$`feVK98-}r^6*YGrC&%e<*(P2+5@bO2yq)`(7md#qw zw7~yiQe^?1_&MBm_$zORc8+MiHx}5hAkXDVE>6z?_?Xfuy{?+nvRDZMZ+F<|FM3ou z7%d|2dajP=wvwrwZN9jj@>_%c11xsVN#+ikd~=tmfWw2yTcal;zO8%Bb;*Z6j$C7H zX6Wnq-QZ+6<_04mK2wEIx`)z|8gTeaTXQ`zuU&5WTO)N*maO>yaOD0bAe~^MoF@DF zSHRidncTi~Eicn6^CD1zqd2kd_I*jRHXoz=nBC-L>JLcJSc4Ypxz_ae-O1GSDhdB( z*)hp%MyezZ4iELLd|>WLKCZNJ)|7_hp-TGfO%#4q}5e_Da@p9=eF*1;lg21vC9v? zua0Z{?uo|@@f&g4qFIOZ(7lb zW)}IjUnvm~s!zpV-H)^~FLcza7_$F^FDG=;VgFp=G(xD$@Qe^*#8Fa2k1eq}nVRCo z3Aohx2NA90L|AINLqgH-8a|JhNk{rN{lhl;X>KpJFR;NHPlK3PJB}i#v$JdjXkGD- z%4HD;A2pD>0-jT67`&=R6#tzHB!$%p8O2oC37ZENGB6UYy{`N}B4P(bkCGkD zw+9MOnp=RGRyapWakV}oFin+v!_0WN6KYiCdO5At=qi5}|3Bm!P7wI|gc`mEuC2W& z!P75O>(?COK~>FYSUOQd*ZPfC*(s;V-25~2>(@E8Z7&VrUAeHFa57& zBwc{Y&riN?NRix74hQ?`Dx&!B;Q4x#8O-)}^EFFROZK8_CZlgbaQ0AD+-uH?ZU>Le z9mube+wyY#J%a63>ZpIgT6H8C^^bmoLt`@Knp=B^vBhD+#5zp^S(r9=58KtkgG0=p zDl~DlN8%n4XiOY!JlYJKJS;RZ-NW$2DG}jWoZ#C*ureW-AS054AY;dH>{dIl zBM9v0!9kB0x-)j`gJzN+H8I*!d0dfP)&r2u8p6U|Ga2jPfa{~&m0u{0x-cObwZ zY7D94IPQ1}CEGvP(=1}P!{dqLYtv))gjZ`tYMJ-%M5~5kT_|_U-fuanMBt!U?vld0 zx20X?+dj0TJBMpv1cxxi7ZpNm#n~U6?1Z+oXxm%yg6B*@#2lDuz-|#a+2Ggki)hnW z&(^JZiu&sKF0(L^-qTc{%e=^f3M5;}3%(#4(V!O)dMoajc`j76db zMmx;?6M)enawvQ^ck_a1{S3H`3<#EB=!?#Z@)T{*rN+0K7@1A-+m5jZviv7 z+QZvxG^~0J8@Z`=Fuqo4Bx0BEx7gat(Hhb(Hhs;!xKubsZxV@MP>;gcQrdP%7TPhC zh>(u$7>&kBtad6i1CFaC8IBP!k(P_6!}f_Mg|U$JW$f!SA-Raj(T-HT3QEagZ55IC zhv`se;$d91zZW91rRYz*&I@5uk7A(rj!N9oAb|syz0hUGJP9|I8gMMlIV0@7*ip$0 zCe;t)r+qHkZ^6r{7!qO{8(|}DcXWW4dZ95d=*gPIKiVtni2$?qHrs%47fPvy;aO#* zT;Ug+gHM|&R1R^8%bqA{^PE+}4a(TQWCr%i=1e`zu2#9375(J@4#Xl>4O3Gp`+Y$g{sld2yvOrw)fvqVh-| z=bO}p;va>&awh+7!uDl)>+>YPa-5;GVLta=Xglf)gB9aI6~$Kdb(0PwRp^oK33uYN zDlS{E7716wchV9lc_gI3s(mE;a#un)y>64_+Y8mcp$Fc9#Q1<{iZQH-*E?vRNAfMmJ^h7v7Z0A6sj z1mT|mp#QwF6&!!xEB^7d?QZ>`VB?}6aC4Zt-E^(`?=C>@3y%use^Ww9?2T4>@mZ}R zWbn?AkL6YT+amBj&!Ph~Bo-i8to6lY_&Nu6qU%I{gg$8fcjrq$j!E1|MTHj)?%wRJ zG=fFIRZ(tD@|ODFeY*iN7rPwxozmrIx<_v)FkQ0T$MXI@3GzrvH6LvJAK#(h};j zjLVHEHmxWy3m4ui0f~*XN>E`t*_isJ~nm-62iSU87K6|r|CT3 z7^jPBzB#+xIZchEo*bWc_NA|g!-cRfKX#l#S-x3sLVvutYt{2W>_^*c9dler-a6wM z+cVFdm_+y|)8spp&v+21K~sI)&sSX4D zlMMTlBT|?bJ%;%?8|g4wsJmh9)r-ku7E;-)zV>WY6dLVo{{%jc^C3!0di(CP5b7#~;Aqc<#7pdQvw zdp+6RmDuPGoG@cQ`^$oyk{7xzj{~>vGI9%b(_jJzeSTh}?Z#6A==@^4 zuL~y3*xZi02*yK6URz5N{!uiB5|`|K*M!JZRbS5DD{7tVX5H3SEG5kv`s91ObXO3V z8g<e0y1R zI1U0nt~~L?-P(*=Kf)U!mJUOaJgIb&s89qdxq|NAh1F+M<@wp8n?eRHp2MJqs58dPs0PLsu_VD-u%=2+#>qGjADZy*KD^6cYY~ZCxROfs3ASQ}(+W z70h*Ce5Gy<-Qn_3^Jvmv*LowcBP6cAIq|-?s2hBi_SLgx&ib6_G<>`8l2YB7EE+xf zGc3~Usm#hktizkxjg=Y$oKyn0SkEKAW}ti8L|OYS*V?ut?3m==-X}^BE*?gBy1!S* z76}9&SzBC~>MUj+hrCR#A0j9^v>n~n;2bsBDEYIkE*@3P=VIAfyg_eGNlcHjMxTR= zhtJl0Ba!$Q+PrD|)kaKyA$4TeR|*%@0`7iAxV|YqHMFc>lgYdZh96M1_dIxijCEFBU*(OQ$pQNwC zkdtM?#Q_^z{n1<2TJ=Y^^#UHZ3N6kj9Y~<$vc}f8xm@OB$%V}uyOR01Z#9oBZKimf zs|t?KoxGSg4-s{Dtd2%Q=&94CgH+ZM%!lC?I{dYX3P-K%rApVT*dH7HT*^L1Xtwz4 zG|Y`Vck9(#>j$?S@|4u$12vDv?CQL$mVd;q(0Q*LeGek>YX5qjjL2h5J@A@{rWe>V z&)iBk(@pC`;LM0KG71I4zMld(6WnafAKS>xyZVM+C5Q6_m;b{BP^$Z^W^!i^+Sq?S z*5-+gFDaPxy1*DE)C;|_^qpEWZ&lT7(m%9rYCGEi3J?-tT*@ z~baDfw{}<>C|uKO|TYBbL3g+Xty1&gmM4+(`?ES;~XaUmS`L*%x3r=eA~>h>?NR z_H}d6O-X@fJg)D^(spxXuhhVcrN4J2o;Ol^qQTJ;6X~?`m_YsF+KwaHI3R!@ICp&G zsm&4WDf1`!q!{rET<+kookh}@9~MC#9Q573V3E(8a9bs8n}J1-6z*ojkC@mWKAvyg z-jvX%^JP30KjSYj-x<4l5!wa9fmbUBpP3dl*#%21f2&Ux@Ts2JYl4!pY*}>60B88U z&3K<;hdV_&oiku!oKxm-F+vo@?F~6d^rBoPO{7fXT=`96S*Y4iYsI9}eNVBR{$Oky zbfLrBiXKUl#5q%fme{~DMCJ0uonOJXEiaA(uOWv`B%eR)GV~T*wPnP(za6-JTWNA} z&XnTL9R}3K0+`ccy|X$#Uf}XUo}(%?7CzUnAV(=saWEV(ap0m6U$OXBIC%uqSAQpg zMKlBqMmiVp4hgNnym;8pGiq%8{$&YbzRd&YV{uPER+$w+Wp&KrhSSqQa@3!!nz^IH zb`IU=LJaY)C_zY!xFTah0UQ2!{p0!GUJkRzpMee!^YvDkbLip=Rj%7Z)j@NnK^dbA zz%wRO9F9UN{+5w(*zg}M_FSrtd>sfNSqnAFZXm)*iHYIMY}>u$LZwA7so=nFlIs)s z2txmYX|{d?(|nz$U`M}EkLj2LXT(W&0=SFV0|8%${74XVoYDbgFpgepaB_k}!HX4d&D%7G4(nd7VQ_sTUuzSmLl5YRe$g{7O5de#hOx@|A?S=`)=D5?bue&D zt1i!s(FH8n8G4!ay4_~~@`ea@Ubt6{wO~In@&A_ef3Mz z365@1rATzEm|~=_ff3*MX7~L*{jvFCF$2Y=kyHa$yOYenohk!Sgc@YK+WN)Qli#B5 zaYqZpq}K>&HnXy#CnO{^8clxy5e3fou)>}(vi-P}&AXc;np)bEIbzQeczT<&nn#{3 zdtcJf5wQKjp;7)nf)M8NU~|fD@yLX>o?6gv^#xk7&|95%#_PqHxX4v@st67Br|`Q* zm$MOg3_9qiJO7e{PuvUtzCMH@U*&|m&x75;`d1>O>By*;#W1I*c8BQOF&M;x(||cQsaj65)a`22jD~GJQUKIpT~fOGizexQivy+JwV`jqx**gdIA)3{i}{(7wv2 ze+E4Q`q{7h*Kta1(76Y0W6V!t9ah&??WC1zs8r6t#~Z+ld(I|MagiHf2+-XI&d!4C1Q{R}Hy~iIyC<|HV|xhip836?bPLRnw#lF_^%Mt{2^+5pp2(?Spht6I!`3y1xe^xp^s3*~UzKfQ> z;oqi78nw}A^9(e&l*2&94+u}=liGQDNekY~malSf=vAWV*r%|~HDdaYx$5hJ@mU!# zj~)}0{?p8`k9(^AmhwJdD{&Gn@Q zP|$a(Lnz0pYI&GY$dBnUqVu5cCg$y!G4oM{8S7~|!XWwH(x2P^x?))p?uzVkx{B3l|wdI%d73)xaF5%@i z6(4^U9JioKWjH+OXHwE`bFy)*8o2H~4jhFErYft8P-}CuE!`0o=w%EZYj6fD?2)Pr z7zfW%FuAe5dQ}QuAK@Rjc5F`JI}fy&;I14s5aq{ph!epX-#?vag;ezJbraAg&~}E3 zKGCRUAL4abwM8?QznN18YB^>9tZ9AT@p2vF_`MF+4bgx1F8g2F-l;*7BXS8N8=a|c zHI10YU+v!7HE0ZQ*gY`~`#w@`zj8!nbojPOa$2a;2C`Cqx5fe%?xOT{JGw7og&OyR z=DI5t`@2L|bNhA1@aw10hoHk>%DRvqh@#$;Iv+ zPh&p@@6DxjyucAGHsn}+V!Em-_-OStL;f#)&kLSl^^qJ2|9qWB_vBWJK}BADlN`~P z1+RT_SX#W|xxygcYfiMiSE<0DGBce#?%~XlsqQB1jw6J+BQ9|?C(KI^H1{Lkk2qHf zEh37i`htO~^{Cue5njP#$fhdF?MlY2I(ksybOq5lmDRmWU9q^mt=#VW%-&;Y)F-;3 z{3-Y;%r>L~U=b5mlDHR`DCF`fg*+_`Rvt~X7y6jCV0l!_afLF8Z~O#huAWz{RE%rA zv%T@Ss)K;MX~&HOq&dRixDo}}LG-~_)_dG7;JnA}yE;1b%~@mp(KXKqped(?d$Mo_ z`}?A3xQ+Rd55)A%0zSuVz8k@sznc_#({ex|6T9 z(9L8zy#?}bT*s2$2Ccc_7GwkbQ|B!cmRp>C<2%-R2gvX^=)9zK_TQfhsBgNQkjBD! zq|TQ3?O4_{zH4B-kU97jIfPX?8soo+5q@#~iXnokqSJyVan)?h?eR?A@C+JA>7d>T z-|gORb-eSgRb%W~XCqT^>$B?Q)lS<#i!cNsS{cQr4^gMsztanP(|TydfP#|g(c+6bd~OJ0T=4}r}flx zPSdkp!*3z=d_G4?$RAw-`Y_Mqd;(Uu*tnXI#&KoYcX-ZE^om$5pyN zm5Xgyz>sahh^S_)9joq>jN|bhXPlZZUOf}=bq;g+YGo+p7rm!$!3XFBu{A!BpCdFc zdMIE|6sx^Fo;|!I+VK24%Jfq+mAF7eL`r+=1hB(!@`t9=$sBwMw@^O4z;L6W^#PkX zPEBxqo_bc16VY@QLNk?&o{xX5ZZWIHDsSKQQAC~bX4-}m$~%PAx|D1$KGdso{_yC) zsSZVx-D6n5c``?ct5cGA|JJ@11sO;!!&D^NM8h2Q4d(UOm+9&bnq|GD`I*@U`Qgwd zN6Oo@Pww7#0~lQCwtz~@ZtE|5Eox%Z*fURvh{NHDDG=-(ot8l%CZ64(!0P&}6NGda zd3H;oLrRo^mjrlN#!)$%PL|}u+|<~>^VS!FKfCq%RTye;6szsIT6;Mp-0Z!ok!f1- z>FAJRzRgpR5JO9ewFI%o^!0P{yR{m-N27MU@o4>guxGyC#%NZI#e9`gB5J>D7DGt6 z`qZ=$8zQA~8y)DuWpF)Qhj20#Tj0WU8BoeCAkfuxpI%#>p2aYP8B_7eG|Yn{i65I3 z;@}4K$;63fs4%Y`;iVqsjxkesPc_a!6My8%?7c0k!O;7lhF_q0@nD?A8ir&fo3D3h zrqGP96iM>Zecw{W-dUOb&1k^cCEl9a%`@Qjrx>o8eUM%+$3A zPn@8eDwJW(=Ew?O_PvP*-So&2@e)7U{1f+{@6M`?&buF?pxOrFNvbMPqRUzL_dpS+ zb0}|)9z4Ji=^;P&{5R)B-;6Yey=bFM)o2)Kj`obWFp`ez^aDTor{D9(T#Q9$ie&%HP-RROJ0~9#1YD6wCJ!Zcpr7K@EE_;apFX}Am+@48 zD1S-H-A6Ag*wn@DQ*tG-lkV#O{Q*kt`4(l8G7VAXQ;TDExIz>UIQs)p#8)wp5mKL++*QcIN`@LE>lSbW* zd9ESyYkLF&_DJ9OppBobthUPvxb+tO%O_kv77K9TfWEP0{Zl>)OhGbwUB>`x9M((q zzQ{9Qsi%alElyVV&)O2hS_9jk*4puP-_rUuJVsIlWu<*d;(SH-*m6Axyyx#o5uU2| zUFq8_Obypr_4Dt{Z!hQPJJ(X0*kVZZXV{a!IPJ4RnBs9L_eJC`b)p0aHTSinC5KE| zG+mOXK9F?)wqwjag`BbLzn~dNv_*9pnzDLt{}omK1{==GP#80kk}r`%<>w- z9M3aV4~kBgDB8^WA$py7WqKgs09QP&eaz$S%WciCe#URwH-GvJPNINx)W2>Wf=KfKN_q#(MIZuUn-F?c<;egM@xaTx5@@=&vF=f=6dNdW-6_=ntf`$RW$L_+NudcWsGrLbF*eAK*DSZKiyymD=O z&f9tb(G3gYcZV<)BRlWmhkMmc+c%AUvVbomOomMP`EYrLn;p)9uh(+FKc0k2_^^q@~8-lpQ(>J2a7( z#kfzqSMI0}-W&J$IKGp9K>wn!^ zc-Ye5y~c|yDNE%Lk^z2Bv(Z=;9KP7cXCK5I36q9)XJ>fXcuq)6`mYBf*W8yKD@axg zK0lJm@piZ|*-9)$#v({o-#?x+fC&bXWOJGGHrRA)C>5&ngG3;z?4+on4_**Brn)mX zmb(aXn2;j^Q{Q_aqOM)$r5zCtmtM!r+Cz{YrDQIYg&G&wdWx0CnJvS;a)DvJKU(B(@k-C~LcErf!1h*T<2OG3+<#*2;A7zo28E6JzZ|>iMEtywYOrTk2jf- z0W`XXdv81YEBaGTc}*jy(|7*l`U)rlTn2=CE*$msB52?2~F$K`Tu8_&@O=H-eaAtnfuXqR& zAs>APCv?+7ekoIH19u40xp1EkN!29aO4`D|7%QXE%k8<}F6R*;~>^MO_YaK~VeB~@|lho-981z{@N#ToD!}sm)7Yo1k$>_@g z^KU*hf6Kg&$TL69n6om21NrDuvV`Su9L3Ll8EYoH!{MrY51%iSExhBdA;G_%&_VIC zsPc2Jr-wC^giM{q#?xhb5g9sisq+WP2@byr=E+h6P{Y@1_Xwv>F@iuSD^(U3)%l6O z>sI`sHHS)+@>OaHv#!bE6uV0;aDR!INr0*%duXnVCY_B1zc*;bpy&C$=TsF(i~8_( z_-ZK9c!~+Q8>fDzoFUaH+4@)-(mAt@<|uS=7`jMRH01~vhSPtX*eBXKYd@y zalsW0&|ba%D+8@1DXrTMru&Yed*VrY)LKs@(_zM5Nv!f>oInEc88tkYxwQ*D2t3Z} z&~$P(+FiXGNVMCIhEJzkPG>6_Zpu^_E1hQxHPzI0Bx~ky>0^ z6DN4-mu(_@wpx`YL-x3{<)6o`^&zao75Jpd!|#N0?dx*Vc`Kuftve{9wGCq2P=fmF znEF~ru*@~`xEscZKsmw$xQSBqh^~s1ERRwmXCO<%zxP~*c zKzzj^ov%8}0Fm!!Q(M*w(u@k@cGs*dp82>rWL`YsPmfcdUY+u(Vl`M#FD8ehCMey* z?cD}6?`g*5tRX6-P1Pz6)k})mvD86w6CzkyIMANvcAD^+yCx2whrmeM?CxRcOQZMV z4^p+eh3C%5Q>Jb^GtTy+Ojn<@dTFqEx7+MH`)$z9>`0>6YXW|!OqU5%xt0i|zk;v>6w3O6IgNk0P9^%e)MUU2^FolqTKV2Xjfu>qtR5V4dDDRZwu7Y9 zRR14maAz=G3?-=2oTqGkugbNNmjb%KaIXi4gL_Fk?JXS{Z2;|!nEpif*Y?Kcp)b8I z|Azg#nK`jkNq3h-JU44TYiL)^K2IYWO17e_@lCfDu={8D-hiP{1TJ4It4U|AyRw}b z($U6yfSSMTL!)ww090rqQThxc_Y%si`)jdhFIJKIz6@0sM^ESbhW&PAFw0m*&xl&bT+i|-7<32D8SnDii z9nn9=^c|Aj)p#^y#*$7{EHD^gd=|0z9Fr7V@X0qol43oD2JLnhlOG-)G|=12P9PK0 zK@_V+q1nosGKPY7fzYwOXLNljf<+KCF^LjM0{zyhP)d+KaC~4vm=}SKeB?R z-an@X#k>#uF`C6gk{_Ogm>VAki;JI)yA4;lEoq#Z!6u4RObDs>%$z)>l{GHrXMb;3 zP{2HO=6%X(pqS5;hGY+&eeKNG={{8RW~9=Ydw~nk;sSw}Cq0f%MhF5DXm$ch*9y|T zuI#}(gf&Bmd%1O37n+KX8TZ4rk4R}3s=O&(Lei~9do3F(Dt6};_wW`zDt<(G3suzy z31pze`u1*6OZe81H?|XOK>wkARYTv;$UQfH?j=oBER3%B?_ZB~mq(;~4{GhjEEBmG z&BiHukbw=IU5~2kY%>T#_7#0p{`h|R&dE`osGn8edQ=Ed@b~47T4U)oS+f;sV6QzQy8EE$ zHtp@?T9F`LUP5L{ex>t}C0RfLNC4a|DSeA(uZz7SH#-707HMk6{$-R^A@^?c$`GC$AEY{BFZ~vIDr?@T-&mrEP?C z_LGC*bwgb1gOdOK^f#+zC+Lr8FZkl#3<^v!sTE}+_?M#c4kd<}{_YR41$@ydNe8|i zkih+*@qcdjJpj-I^S^!qK`k)+PjoUa-Ty}_5BxPb!jQlp&FkNSuM=>ev0u%C^?3hC z*#G_-pmF-gI{?1$jaFM<3)}#6wYae(`g(j42G#ZH(7!(RfBpR2aFBIfn{|-%pzv60 z2-Dc?UCY(v^hY8b?5~jeU6o#QeE@Ajb_+uB?$mI2J?f&)nRb0A>+R6earF)9*5f7h zO%-qQ@mnwT&Z#~)a5E3PZH2l?h^^=HB+1~~nXGAT)yAkf`uM~uE^%Cm5&;IvS1OTP z*ufYR>Fx=5v_y}`{ymQnU&x*$zRMjwwS9Q2Xm}ZWylB5e8{+Z_$-8-?ZaVQ;yNmU7Uh^gjRUE_# zH6GL)e0#r|mA6?@y-!qaJ{SNf!<;@e%ClWK5P(xDhU|~>JxIoIxw~@(G$s5yDxTQC zxjhl~kEUe_%+F)X+tmN?S$v}``Q5a{TKrG~O>_pH%+yoK7F&7*>Erfwbp$x%yfPVgR>wWN@v- zKaMQo5!hTA>?D}|$>q*eyz3kp5yGF+XYzfcAb7-}bq@5n32~ z&NrC)+_vLMQ?JkZn6TVVwyP$rUN;neD@+lBAlp(0oTB@WLG5{gx8ZWNmTNUfhU{`Mn!5#CSQj*+X};$BOtXOxW>SF1|Nf4SdvELwX$+jggbg?H{^4OGk%tWv^GgSR?pV20 z#h>1NmH6#Lyc+>FB7>Eny02YMs@s^}QAnk4mMzTMqgdp@#hC=vd3&#)UbLrPbm>r0 zQi9X8T4s{`%ZORuLjRn?{2ZJ&Q~W%g#I4=dbgWW;NB1>i+`e?mf_^3y>>LqlZ0T4F z^88DkEl~y%1}46j?h0mH%RJ|w`7Lbm0X(-}L6a7V-d3Wm86+HwbbFrR-vvp1w=!la zgEn$mVau`tHiQh>5~U!ap<-3LD?Q8q{uS%M-_*O&AiZw8OBfaKzcQnL*mIvNAZXBn z-V`Vm5Bg_&mhzlq10W>nJV-Z5SLyo|3hie#F6jkvVWeSl&`8JMz9_3mAv#-7jG=A5 z&dh5SmQDO5(<*pT-}_SJzxDydWC>n?DI51csK@8O7O7FjgFZW{AaFX@hYszxZBYX5 z3A&72{+{ulgMU9*`KL^d!Ys6Bas#*fRCkB4>or=^%PU?3knAm87XS+DW81F*!jR-2 zQCVX;KP;#;vB)})7&z5!JUdx&BW=A2A?{t4_MYo}bmDK{&_}ck^jlL>wGXXQmwzp} z%AM|_K@Ey@cP@Jg90?vpE0{7oS(i)J^PBKN@Yy9S1;#XFU68Z_8T8$Eh(22er z;m|}ae<=XD1Xgs{2MoAxd8wPEhUGuHDf^lW&Z?Z;eM)Df z2w%K^l%sLhd;>vPCH#~Pkt~_XRCem%~;(PCl}ad&65R0fk!!m%-_Ke-Am0 zD^1UV`F2ObihJGD)0bU8em)dpTV>0g>b%2-Rxtx)HdEBlFwFM5Z{&936~IhVGox48 z-^?*vD}@qGwjxjd#$MJz(A7-AR#jUoa|^@4f&ddYL&vkhw@{Es@Mm8YB=%*;2-02@ z$Z0ss>`^G3uB;zGLRgtdaW|&2zq=c-LW1vIZ6^;OOvt8 z+EHF4N)JBWA+Pr9nla7!@}XN4N1P~&=s?q(dLdy$jMmDY4f1lOs@GHNT)UWtk!5#K zvpM-KQ=a`IV4uUaC~NBE90DOJ<-V%#FNmxa(1ajeG&mj1W}>0Wucatk$L)0+6-c*? zwjT~o2p#>!DT>zA_7g}7+HR;A4iT|fV6Ay#xzLmix}`mq$CxBlWe>w_8G7N*;|C)f zvuBrj%~5(%zRyif;E-nhj~QQl1K1*#3A-xL+BuWyN>i5O&q*`P6Tn(-WLOsiRBqs6 zxcUg0A}gDk`d<79un~t3h|#KgjoJqnK6de`ZMzf1{zBGNR-KwyJ*EOw8?Sa~Q(XGQ z`j{?^x*bCiSxM_Y=cYlUI^r9b9KTKohYrj3iq^K-BoOzd97^boOzz)5exZ>4Tgcs4 z1r_W)ZftX;1~L+`j8&RAGL8M}rnt9yqHb18>B^8so5#iUYZIkON@9?|@(S0S@gxyC zIUCqGw}UgX9r((0|G0U^1UmPVa7?LffzL|J>T5fynMXdy#^A1O6}GOzZa zgbswFOB)7^&z`yF`dq{zLy209QtiHanyfU1C7UwjqyOsO3-;~{iF-GbZ+~)0p6S8P z7Q6xV3XSQdmAdP(Yrrcy7lsDga`&DO5)?Q)h#9XiM0AuI0$%Vvow_ zm-W>)9>v2DvdPgoH|P)*#PsxC1T=H zBBOb_LK8*O5}t6aRV=~U8P1jG^8Q-uu^b7o62QrB_KeYC^MFXD%0GfvXY%^^P3CYu zU=~eXnK7A7@paF9)fUP_ZOqe+E_hW)eCnO$LWegcZlLdK*^xr=9uvF6U4hA*CjN3A zs&<{9w5jJWjY9m>dfHn?>|Z#0ln9oZVVsC*%+52;)zn0a4Is#mHjft>f|RI1YoXGA z`!0}uooHh6yU#rlw7q(qxTM`AjcK5&GxR0ago9+|&j^*qs+YPEp=3Bz7ORb zP?A=;g+0!`usc@~)01?0el)dI&nG(U?W){2TJxk)q>OcCA%nfJU+(ypxU$4~kv3*n zZ=)x-%|O&Q@|`Ag-1r_&}pT!h=;{op}%Y&{_cV? z6m+JThTYda*3x))$2AuLFE!{IHxrjDpA@d2WOA~76Tis5?~*mtcCMG~qT}N&tQX^+o8{yk{a*DgY0Q^()PS+%BP1N)Mmg!06uwTnr)9qyqM- z3|&j`wG?fg zZ(shP?65H^Q}_9cYhY9R+`wQcrFe4;*DItDjAp835Z}EObMOYm7r^~0QTO>5@KC@Z z0Y8tZS!;^O zQ?+rPJ`pREeb15_CFvWV$W|8a0(yDyE?=4@cAUrDU1>3C4^qk&E}3h;V-2<3lV6W1 zLD!2)&DAN*a|Av*r8Oi$d1+7B3`)`N4tBn5(e1Y|2FTVtA=?=fc_ppoHzzV>%JxrI zhOm_#aTsk^pKRMpmtt@x8g;xL8g`WMJvi(d-_jErF;-wN)$#Bwj^)RC{FN2C+FOo6 zrf?`ysQg5iWWD;mpe=~N@yT(q3B_OxpFA zzm54gIs|6dBK#E08fsH}mHDezTbhUHH3H6UDTeP9vP6UcJ9a6P35>5xgtCF|^qArc zS(4-1$%X+MhAAmCH_&WX_Xy9m7LQ2}sSA=48!1=tjwwC&cnum0cJ$$Lqw6;5zJz&v zHP=06m%B&O_AfY?YaOyv&xmI0iP3T`l2?&;!cqD!DMPU+Dr0LXcY7Whk1D+eXF&)T z4=81e8QBzvQ(kMXq=*APzF(vgzTj(e_=heLF_-F_^5e5Fb9;oOSdLYjzsN@%YGh4< zWrB+eVtb{N){ksQ9s>>S>L(}b?dc#APpwv3A^9+lb+{wSL;V3`D+4M4y0*4A{J;?`Bc%G+K?I zE*30VO61|&ZC0msC}UL#gd_9Y?(H|&;kJj9mOX^bO*Fdgs=JIN|F7Nn)tp1Vz;An2 zY!mJI{_V$%1x)I8S!f!qFTvfY!mr-=mFNmZGE+C3U>Id8%P%5XYX(>TY}nIs(<2G- z8PSZ2JRahsLc9@bClYP=80XbhTQ>U~w}Q>z6YH?DcrCb*?dEiVIt-HHo<#U$n{^lz zQm(4x)b|M9u%UFq+zTezildkFbWZp_P7&c7T}DncVkRONi10nDlxT>K?pry2%F)qV zc)QV3C&E{rb@pmK)hDCxs$CO6GsvAA1thzi#?|$^Hoq`#1=}NLKWOU0De_q=I>L6J zdce40$3LUOD&r~d=HW@4>fh{)hr;tmPi!XA5!Dr|bIu`1LarE&w=aeSngdYLHZTL!6bXA-oLmx!V&Odt8Z|nN2F7Y zk)t6&5f(x53xEeAT$5xk)EneCe7=9wf5ChYS5ds z*WXYoIH(5EHvtwzqd*zU$u0P-mMfOh6I>C~O86ODE;Ig^;_pa|15NO0*A5PR+%?_4 zTi}8P4a_Amr+d;ZDF3}SCrf_E7tjjTQOw@L--J@ngx58VRN z4{9mhb_xo}U?8&Kd0;2v&zYDg;CJnMIuFM=?62;Ovh{cLU(pP^Rx6SWvXw;hr0kBd zwS;`^TztkDzC0y|M@Li9(!$9jRegB^QZW1$x&MvPOrv~GWNtlNRx`=a59*f4;4Mq4 zd2RYWD~!>gBxAwMd~p|(%Z%@Rg;~$z7`8|R3GtgW>D<@1+iNKt@cAFWVBHW6d>ec` zBFQZ4Ep8(3_koF0CLzjC<*a@zUElel=*>A(5ah~3)k`%{JUv~vJw6^CFW6T$NEUfI zn%7L*Xle0x=v7d$vrk(AQZYE&h{gZJ@c2e6gU_v%p{%U5aTt4?HCL;OBAb~2X3Do- z6rw$a=P5lpyUBTFN<)<9Wb5F9BTJv1w;Y+x3quhGcChvSIu)KWmV zb_zbr80{aJ>Rtm13=6#h%C}os7!ueA^I}PYI8ASFvS}^ zXy;usJ1gbCv1z{SzX2CnL`gU<3GnprA3XSTMxRU*2G6(->iEyL8bmridUWwIDH}*O z*STGPM*Zy5e<76C;Os}3WN^G1()c#=AMhpm%YOi(6D(s?U*GkO*h~*vuRp&Q+1KYc zrbtxfMGP}Ad=A5^Fe&q==9?6lA?!o(CRk1fPAf$HU)m&?IVlV&`1SW>cXkeiWSXt? zx{zR+`i;O%z2={_o&4B7y?gwohkunLYilX$zHkY<)rj59WB1wb?Jic@qD| qJYztVk^g0_{P(;6UqyZ2-o5yhbfkH+uKor7`ywtURxa|@@BaZn09=Ov diff --git a/versioned_docs/version-v0.22.4/contributing/release_flow.drawio b/versioned_docs/version-v0.22.4/contributing/release_flow.drawio deleted file mode 100644 index 6ca6b34f..00000000 --- a/versioned_docs/version-v0.22.4/contributing/release_flow.drawio +++ /dev/null @@ -1,721 +0,0 @@ - - - - - - - - - - - -
-
-
- Review release notes -
-
-
- - - Review release notes - - - - - - - - - - - -
-
-
- projects -
-
-
- - - projects - - - - - - - - - - - -
-
-
- projects -
-
-
- - - projects - - - - - - - - - - - - -
-
-
- Organization Webhook -
-
-
- - - Organization Webhook - - - - - - - - - - - -
-
-
- projects -
-
-
- - - projects - - - - - - - - - - - - -
-
-
- - Publish release - -
-
-
- - - Publish release - - - - - - - - - - - - -
-
-
- Maintainer -
-
-
- - - Maint... - - - - - - - - - - - - - - - - - - - -
-
-
- metal-robot release handler -
-
-
- - - metal-robot release han... - - - - - - - - - - - - -
-
-
- - no - -
-
-
- - - no - - - - - - - - - - - - -
-
-
- - yes - -
-
-
- - - yes - - - - - - - - - - - -
-
-
- version in event newer than release vector version -
-
-
- - - version in event newer than... - - - - - - - - - - - -
-
-
- - do nothing - -
-
-
- - - do nothing - - - - - - - - - - - - - - - - -
-
-
- Github Action -
-
-
- - - Github Action - - - - - - - - - - - -
-
-
- Bump version in release vector and push to - - develop - -
-
-
- - - Bump version in release vector... - - - - - - - - - - - - - - - -
-
-
- Open pull request from - - develop - - to - - master - -
-
-
- - - Open pull request from develop... - - - - - - - - - - - -
-
-
- Update aggregated release draft in - - metal-stack/releases - -
-
-
- - - Update aggregated release draf... - - - - - - - - - - - - - - - - - - - -
-
-
- Integration Testing -
-
-
- - - Integration Testing - - - - - - - - - - - - - - - -
-
-
- Merge to - - master - -
-
-
- - - Merge to master - - - - - - - - - - - - - - - - -
-
-
- Review -
-
-
- - - Review - - - - - - - - - - - - - - - - - - - -
-
-
- Tests suceeded and PR changes reviewed -
-
-
- - - Tests suceeded and PR chang... - - - - - - - - - - - -
-
-
- - publish results to #integration - -
-
-
- - - publish results to #integr... - - - - - - - - - - - - - - - - - - - -
-
-
- Release metal-stack -
-
-
- - - Release metal-stack - - - - - - - - - - - - - - - -
-
-
- - publish to #announcements - -
-
-
- - - publish to #announcements - - - - - - - - - - - -
-
-
- - - metal-stack/docs - - pull request - -
-
-
- - - metal-stack/docs pull requ... - - - - - - - - - - - - - - - - -
-
-
- Freeze -
-
-
- - - Freeze - - - - - - - - - - - - - - - - - - - -
-
-
- Freeze - - develop - - and create a release candidate -
-
-
- - - Freeze develop and create a rel... - - - - - - - - - - - -
-
-
- Large integration suites -
- - (currently owned by FI-TS, not public) - -
-
-
-
- - - Large integration suites... - - - - - - - - - - - - -
-
-
- Run -
-
-
- - - Run - - - - - - - - - - - - - - Text is not SVG - cannot display - - - - diff --git a/versioned_docs/version-v0.22.4/contributing/release_flow.svg b/versioned_docs/version-v0.22.4/contributing/release_flow.svg deleted file mode 100644 index 55cdd493..00000000 --- a/versioned_docs/version-v0.22.4/contributing/release_flow.svg +++ /dev/null @@ -1 +0,0 @@ -
Review release notes
Review release notes
projects
projects
projects
projects
Organization Webhook
Organization Webhook
projects
projects
Publish release
Publish release
Maintainer
Maint...
metal-robot release handler
metal-robot release han...
no
no
yes
yes
version in event newer than release vector version
version in event newer than...
do nothing
do nothing
Github Action
Github Action
Bump version in release vector and push todevelop
Bump version in release vector...
Open pull request fromdeveloptomaster
Open pull request from develop...
Update aggregated release draft inmetal-stack/releases
Update aggregated release draf...
Integration Testing
Integration Testing
Merge tomaster
Merge to master
Review
Review
Tests suceeded and PR changes reviewed
Tests suceeded and PR chang...
publish results to #integration
publish results to #integr...
Release metal-stack
Release metal-stack
publish to #announcements
publish to #announcements
metal-stack/docspull request
metal-stack/docs pull requ...
Freeze
Freeze
Freezedevelopand create a release candidate
Freeze develop and create a rel...
Large integration suites
(currently owned by FI-TS, not public)
Large integration suites...
Run
RunText is not SVG - cannot display \ No newline at end of file diff --git a/versioned_docs/version-v0.22.4/docs/02-General/04-flavors-of-metalstack.md b/versioned_docs/version-v0.22.4/docs/02-General/04-flavors-of-metalstack.md index 7da427fc..2277ca6b 100644 --- a/versioned_docs/version-v0.22.4/docs/02-General/04-flavors-of-metalstack.md +++ b/versioned_docs/version-v0.22.4/docs/02-General/04-flavors-of-metalstack.md @@ -14,7 +14,7 @@ As modern infrastructure and cloud native applications are designed with Kuberne Regardless which flavor of metal-stack you use, it is always possible to manually provision machines, networks and ip addresses. This is the most basic way of using metal-stack and is very similar to how traditional bare metal infrastructures are managed. -Using plain metal-stack without additional layer was not a focus in the past. Therefore firewall and role management might be premature. These will be addressed by [MEP-4](../../contributing/01-Proposals/MEP4/README.md) and [MEP-16](../../contributing/01-Proposals/MEP16/README.md) in the future. +Using plain metal-stack without additional layer was not a focus in the past. Therefore firewall and role management might be premature. These will be addressed by [MEP-4](/community/MEP-4-multi-tenancy-for-the-metal-api) and [MEP-16](/community/MEP-16-metal-api-as-an-alternative-configuration-source-for-the-firewall-controller) in the future. ## Gardener diff --git a/versioned_docs/version-v0.22.4/docs/04-For Operators/03-deployment-guide.mdx b/versioned_docs/version-v0.22.4/docs/04-For Operators/03-deployment-guide.mdx index fc575ad4..ce58e0e0 100644 --- a/versioned_docs/version-v0.22.4/docs/04-For Operators/03-deployment-guide.mdx +++ b/versioned_docs/version-v0.22.4/docs/04-For Operators/03-deployment-guide.mdx @@ -31,7 +31,7 @@ You can use the [mini-lab](https://github.com/metal-stack/mini-lab) as a templat The metal control plane is typically deployed in a Kubernetes cluster. Therefore, this document will assume that you have a Kubernetes cluster ready for getting deployed. Even though it is theoretically possible to deploy metal-stack without Kubernetes, we strongly advise you to use the described method because we believe that Kubernetes gives you a lot of benefits regarding the stability and maintainability of the application deployment. :::tip -For metal-stack it does not matter where your control plane Kubernetes cluster is located. You can of course use a cluster managed by a hyperscaler. This has the advantage of not having to setup Kubernetes by yourself and could even become beneficial in terms of fail-safe operation. However, we also describe a solution of how to setup metal-stack with a self-hosted, [Autonomous Control Plane](../../contributing/01-Proposals/MEP18/README.md) cluster. The only requirement from metal-stack is that your partitions can establish network connections to the metal control plane. If you are interested, you can find a reasoning behind this deployment decision [here](../05-Concepts/01-architecture.mdx#target-deployment-platforms). +For metal-stack it does not matter where your control plane Kubernetes cluster is located. You can of course use a cluster managed by a hyperscaler. This has the advantage of not having to setup Kubernetes by yourself and could even become beneficial in terms of fail-safe operation. However, we also describe a solution of how to setup metal-stack with a self-hosted, [Autonomous Control Plane](/community/MEP-18-autonomous-control-plane) cluster. The only requirement from metal-stack is that your partitions can establish network connections to the metal control plane. If you are interested, you can find a reasoning behind this deployment decision [here](../05-Concepts/01-architecture.mdx#target-deployment-platforms). ::: Let's start off with a fresh folder for your deployment: @@ -75,7 +75,7 @@ At the end of this section we are gonna end up with the following files and fold ### Releases and Ansible Role Dependencies -As metal-stack consists of many microservices all having individual versions, we have come up with a [releases](https://github.com/metal-stack/releases) repository. It contains a YAML file (we often call it release vector) describing the fitting versions of all components for every release of metal-stack. Ansible role dependencies are also part of a metal-stack release. Both the metal-stack release vector and the metal-stack ansible-roles are shipped as OCI artifacts following a specific format that's described [here](../../contributing/05-oci-artifacts.md). These artifacts are signed with the CI token of the metal-stack Github organization and can be verified using [cosign](https://github.com/sigstore/cosign). +As metal-stack consists of many microservices all having individual versions, we have come up with a [releases](https://github.com/metal-stack/releases) repository. It contains a YAML file (we often call it release vector) describing the fitting versions of all components for every release of metal-stack. Ansible role dependencies are also part of a metal-stack release. Both the metal-stack release vector and the metal-stack ansible-roles are shipped as OCI artifacts following a specific format that's described [here](/community/oci-artifacts). These artifacts are signed with the CI token of the metal-stack Github organization and can be verified using [cosign](https://github.com/sigstore/cosign). In order to download the release vector and the referenced ansible-roles prior to a deployment, we provide a small helper module called `metal_stack_release_vector` as part of the [metal-deployment-base](https://github.com/metal-stack/metal-deployment-base) deployment image. Its main tasks are: diff --git a/versioned_docs/version-v0.22.4/docs/05-Concepts/01-architecture.mdx b/versioned_docs/version-v0.22.4/docs/05-Concepts/01-architecture.mdx index 709960e3..75298df9 100644 --- a/versioned_docs/version-v0.22.4/docs/05-Concepts/01-architecture.mdx +++ b/versioned_docs/version-v0.22.4/docs/05-Concepts/01-architecture.mdx @@ -152,4 +152,4 @@ Thus, for creating a partition as well as a machine or a firewall, the flags `dn In order to be fully offline resilient, make sure to check out `metal-image-cache-sync`. This component provides copies of `metal-images`, `metal-kernel` and `metal-hammer`. -This feature is related to [MEP14](../../contributing/01-Proposals/MEP14/README.md). +This feature is related to [MEP14](/community/MEP-14-independence-from-external-sources). diff --git a/versioned_docs/version-v0.22.4/docs/05-Concepts/02-user-management.md b/versioned_docs/version-v0.22.4/docs/05-Concepts/02-user-management.md index f1ee2778..ba742ee9 100644 --- a/versioned_docs/version-v0.22.4/docs/05-Concepts/02-user-management.md +++ b/versioned_docs/version-v0.22.4/docs/05-Concepts/02-user-management.md @@ -7,7 +7,7 @@ sidebar_position: 2 # User Management At the moment, metal-stack can more or less be seen as a low-level API that does not scope access based on projects and tenants. -Fine-grained access control with full multi-tenancy support is actively worked on in [MEP4](../../contributing/01-Proposals/MEP4/README.md). +Fine-grained access control with full multi-tenancy support is actively worked on in [MEP4](/community/MEP-4-multi-tenancy-for-the-metal-api). Until then projects and tenants can be created, but have no effect on access control. diff --git a/versioned_docs/version-v0.22.4/docs/06-For CISOs/Security/01-principles.md b/versioned_docs/version-v0.22.4/docs/06-For CISOs/Security/01-principles.md index 8e7030f5..e327ec4a 100644 --- a/versioned_docs/version-v0.22.4/docs/06-For CISOs/Security/01-principles.md +++ b/versioned_docs/version-v0.22.4/docs/06-For CISOs/Security/01-principles.md @@ -15,7 +15,7 @@ The minimal need to know principle is a security concept that restricts access t ### RBAC :::info -As of now metal-stack does not implement fine-grained Role-Based Access Control (RBAC) within the `metal-api` but this is worked on in [MEP-4](../../../contributing/01-Proposals/MEP4/README.md). +As of now metal-stack does not implement fine-grained Role-Based Access Control (RBAC) within the `metal-api` but this is worked on in [MEP-4](..//community/MEP-4-multi-tenancy-for-the-metal-api). ::: As described in our [User Management](../../05-Concepts/02-user-management.md) concept the [metal-api](https://github.com/metal-stack/metal-api) currently offers three different user roles for authorization: diff --git a/versioned_docs/version-v0.22.4/docs/06-For CISOs/Security/04-communication-matrix.md b/versioned_docs/version-v0.22.4/docs/06-For CISOs/Security/04-communication-matrix.md index 07df2607..24c1bc1d 100644 --- a/versioned_docs/version-v0.22.4/docs/06-For CISOs/Security/04-communication-matrix.md +++ b/versioned_docs/version-v0.22.4/docs/06-For CISOs/Security/04-communication-matrix.md @@ -116,7 +116,7 @@ Please note that every [networking setup](../../05-Concepts/03-Network/01-theory | VLAN | Switches, Firewalls | Layer 2 traffic segmentation. | | VXLAN | Switches, Firewalls | Encapsulate Layer 2 frames in Layer 3 packets for network virtualization. | | EVPN | Switches, Firewalls | Overlay network technology for scalable and flexible network architectures. | -| VPN | Firewalls | Management access [without open SSH ports](../../../contributing/01-Proposals/MEP9/README.md). | +| VPN | Firewalls | Management access [without open SSH ports](..//community/MEP-9-no-open-ports-to-the-data-center). | | BGP | Multiple | Routing protocol for dynamic routing and network management. | | SSH | Management Server, Switches | Secure shell access for management and configuration. | | LLDP | Switches, Machines | Link Layer Discovery Protocol for network device discovery. | diff --git a/versioned_docs/version-v0.22.4/docs/06-For CISOs/rbac.md b/versioned_docs/version-v0.22.4/docs/06-For CISOs/rbac.md index 9a87b896..06c902bb 100644 --- a/versioned_docs/version-v0.22.4/docs/06-For CISOs/rbac.md +++ b/versioned_docs/version-v0.22.4/docs/06-For CISOs/rbac.md @@ -31,4 +31,4 @@ To ensure that internal components interact securely with the metal-api, metal-s Users can interact with the metal-api using [metalctl](https://github.com/metal-stack/metalctl), the command-line interface provided by metal-stack. Depending on the required operations, users should authenticate with the appropriate role to match their level of access. -As part of [MEP-4](../../contributing/01-Proposals/MEP4/README.md), significant work is underway to introduce more fine-grained access control mechanisms within metal-stack, enhancing the precision and flexibility of permission management. +As part of [MEP-4](/community/MEP-4-multi-tenancy-for-the-metal-api), significant work is underway to introduce more fine-grained access control mechanisms within metal-stack, enhancing the precision and flexibility of permission management. diff --git a/versioned_docs/version-v0.22.4/docs/06-For CISOs/remote-access.md b/versioned_docs/version-v0.22.4/docs/06-For CISOs/remote-access.md index 0b8dbb19..dc24e82f 100644 --- a/versioned_docs/version-v0.22.4/docs/06-For CISOs/remote-access.md +++ b/versioned_docs/version-v0.22.4/docs/06-For CISOs/remote-access.md @@ -6,7 +6,7 @@ title: Remote Access ## Machines and Firewalls -Remote access to machines and firewalls is essential for performing administrative tasks such as incident management, troubleshooting and sometimes for development. Standard SSH access is often insufficient for these purposes. In many cases, direct serial console access is required to fully manage the system. metal-stack follows a security-first approach by not offering direct SSH access to machines. This practice reduces the attack surface and prevents unauthorized access that could lead to system damage. Detailed information can be found in [MEP-9](../../contributing/01-Proposals/MEP9/README.md). Administrators can access machines in two primary ways. +Remote access to machines and firewalls is essential for performing administrative tasks such as incident management, troubleshooting and sometimes for development. Standard SSH access is often insufficient for these purposes. In many cases, direct serial console access is required to fully manage the system. metal-stack follows a security-first approach by not offering direct SSH access to machines. This practice reduces the attack surface and prevents unauthorized access that could lead to system damage. Detailed information can be found in [MEP-9](/community/MEP-9-no-open-ports-to-the-data-center). Administrators can access machines in two primary ways. **Out-of-band management via SOL** @@ -26,4 +26,4 @@ This approach uses the [`metal-console`](../08-References/Control%20Plane/metal- Both methods ensure secure and controlled access to machines without exposing them unnecessarily to the network, maintaining the integrity and safety of the infrastructure. -Connecting directly to a machine without a clear plan of action can have unintended consequences and negatively impact stability. For this reason, administrative privileges are required. This restriction ensures that only authorized personnel with the necessary expertise can perform actions that affect the underlying infrastructure. These principles will evolve with the introduction of [MEP-4](../../contributing/01-Proposals/MEP4/README.md). \ No newline at end of file +Connecting directly to a machine without a clear plan of action can have unintended consequences and negatively impact stability. For this reason, administrative privileges are required. This restriction ensures that only authorized personnel with the necessary expertise can perform actions that affect the underlying infrastructure. These principles will evolve with the introduction of [MEP-4](/community/MEP-4-multi-tenancy-for-the-metal-api). \ No newline at end of file diff --git a/versioned_sidebars/version-v0.21.10-sidebars.json b/versioned_sidebars/version-v0.21.10-sidebars.json index aaf562b8..b99db936 100644 --- a/versioned_sidebars/version-v0.21.10-sidebars.json +++ b/versioned_sidebars/version-v0.21.10-sidebars.json @@ -4,11 +4,5 @@ "type": "autogenerated", "dirName": "docs" } - ], - "contributing": [ - { - "type": "autogenerated", - "dirName": "contributing" - } ] } diff --git a/versioned_sidebars/version-v0.21.11-sidebars.json b/versioned_sidebars/version-v0.21.11-sidebars.json index aaf562b8..b99db936 100644 --- a/versioned_sidebars/version-v0.21.11-sidebars.json +++ b/versioned_sidebars/version-v0.21.11-sidebars.json @@ -4,11 +4,5 @@ "type": "autogenerated", "dirName": "docs" } - ], - "contributing": [ - { - "type": "autogenerated", - "dirName": "contributing" - } ] } diff --git a/versioned_sidebars/version-v0.21.8-sidebars.json b/versioned_sidebars/version-v0.21.8-sidebars.json index aaf562b8..b99db936 100644 --- a/versioned_sidebars/version-v0.21.8-sidebars.json +++ b/versioned_sidebars/version-v0.21.8-sidebars.json @@ -4,11 +4,5 @@ "type": "autogenerated", "dirName": "docs" } - ], - "contributing": [ - { - "type": "autogenerated", - "dirName": "contributing" - } ] } diff --git a/versioned_sidebars/version-v0.21.9-sidebars.json b/versioned_sidebars/version-v0.21.9-sidebars.json index aaf562b8..b99db936 100644 --- a/versioned_sidebars/version-v0.21.9-sidebars.json +++ b/versioned_sidebars/version-v0.21.9-sidebars.json @@ -4,11 +4,5 @@ "type": "autogenerated", "dirName": "docs" } - ], - "contributing": [ - { - "type": "autogenerated", - "dirName": "contributing" - } ] } diff --git a/versioned_sidebars/version-v0.22.0-sidebars.json b/versioned_sidebars/version-v0.22.0-sidebars.json index aaf562b8..b99db936 100644 --- a/versioned_sidebars/version-v0.22.0-sidebars.json +++ b/versioned_sidebars/version-v0.22.0-sidebars.json @@ -4,11 +4,5 @@ "type": "autogenerated", "dirName": "docs" } - ], - "contributing": [ - { - "type": "autogenerated", - "dirName": "contributing" - } ] } diff --git a/versioned_sidebars/version-v0.22.1-sidebars.json b/versioned_sidebars/version-v0.22.1-sidebars.json index aaf562b8..b99db936 100644 --- a/versioned_sidebars/version-v0.22.1-sidebars.json +++ b/versioned_sidebars/version-v0.22.1-sidebars.json @@ -4,11 +4,5 @@ "type": "autogenerated", "dirName": "docs" } - ], - "contributing": [ - { - "type": "autogenerated", - "dirName": "contributing" - } ] } diff --git a/versioned_sidebars/version-v0.22.2-sidebars.json b/versioned_sidebars/version-v0.22.2-sidebars.json index aaf562b8..b99db936 100644 --- a/versioned_sidebars/version-v0.22.2-sidebars.json +++ b/versioned_sidebars/version-v0.22.2-sidebars.json @@ -4,11 +4,5 @@ "type": "autogenerated", "dirName": "docs" } - ], - "contributing": [ - { - "type": "autogenerated", - "dirName": "contributing" - } ] } diff --git a/versioned_sidebars/version-v0.22.3-sidebars.json b/versioned_sidebars/version-v0.22.3-sidebars.json index aaf562b8..b99db936 100644 --- a/versioned_sidebars/version-v0.22.3-sidebars.json +++ b/versioned_sidebars/version-v0.22.3-sidebars.json @@ -4,11 +4,5 @@ "type": "autogenerated", "dirName": "docs" } - ], - "contributing": [ - { - "type": "autogenerated", - "dirName": "contributing" - } ] } diff --git a/versioned_sidebars/version-v0.22.4-sidebars.json b/versioned_sidebars/version-v0.22.4-sidebars.json index aaf562b8..b99db936 100644 --- a/versioned_sidebars/version-v0.22.4-sidebars.json +++ b/versioned_sidebars/version-v0.22.4-sidebars.json @@ -4,11 +4,5 @@ "type": "autogenerated", "dirName": "docs" } - ], - "contributing": [ - { - "type": "autogenerated", - "dirName": "contributing" - } ] } From c44ba415e583e19c3b68aaac894931a984228ed4 Mon Sep 17 00:00:00 2001 From: Valentin Knabel Date: Tue, 24 Feb 2026 08:41:53 +0100 Subject: [PATCH 2/3] fix: broken links Co-authored-by: Gerrit Schwerthelm --- docs/06-For CISOs/Security/04-communication-matrix.md | 2 +- .../docs/06-For CISOs/Security/01-principles.md | 2 +- .../docs/06-For CISOs/Security/04-communication-matrix.md | 2 +- .../docs/06-For CISOs/Security/01-principles.md | 2 +- .../docs/06-For CISOs/Security/04-communication-matrix.md | 2 +- .../version-v0.21.8/docs/06-For CISOs/Security/01-principles.md | 2 +- .../docs/06-For CISOs/Security/04-communication-matrix.md | 2 +- .../version-v0.21.9/docs/06-For CISOs/Security/01-principles.md | 2 +- .../docs/06-For CISOs/Security/04-communication-matrix.md | 2 +- .../version-v0.22.0/docs/06-For CISOs/Security/01-principles.md | 2 +- .../docs/06-For CISOs/Security/04-communication-matrix.md | 2 +- .../version-v0.22.1/docs/06-For CISOs/Security/01-principles.md | 2 +- .../docs/06-For CISOs/Security/04-communication-matrix.md | 2 +- .../version-v0.22.2/docs/06-For CISOs/Security/01-principles.md | 2 +- .../docs/06-For CISOs/Security/04-communication-matrix.md | 2 +- .../version-v0.22.3/docs/06-For CISOs/Security/01-principles.md | 2 +- .../docs/06-For CISOs/Security/04-communication-matrix.md | 2 +- .../version-v0.22.4/docs/06-For CISOs/Security/01-principles.md | 2 +- .../docs/06-For CISOs/Security/04-communication-matrix.md | 2 +- 19 files changed, 19 insertions(+), 19 deletions(-) diff --git a/docs/06-For CISOs/Security/04-communication-matrix.md b/docs/06-For CISOs/Security/04-communication-matrix.md index 341a45be..b911b146 100644 --- a/docs/06-For CISOs/Security/04-communication-matrix.md +++ b/docs/06-For CISOs/Security/04-communication-matrix.md @@ -116,7 +116,7 @@ Please note that every [networking setup](../../05-Concepts/03-Network/01-theory | VLAN | Switches, Firewalls | Layer 2 traffic segmentation. | | VXLAN | Switches, Firewalls | Encapsulate Layer 2 frames in Layer 3 packets for network virtualization. | | EVPN | Switches, Firewalls | Overlay network technology for scalable and flexible network architectures. | -| VPN | Firewalls | Management access [without open SSH ports](..//community/MEP-9-no-open-ports-to-the-data-center). | +| VPN | Firewalls | Management access [without open SSH ports](/community/MEP-9-no-open-ports-to-the-data-center). | | BGP | Multiple | Routing protocol for dynamic routing and network management. | | SSH | Management Server, Switches | Secure shell access for management and configuration. | | LLDP | Switches, Machines | Link Layer Discovery Protocol for network device discovery. | diff --git a/versioned_docs/version-v0.21.10/docs/06-For CISOs/Security/01-principles.md b/versioned_docs/version-v0.21.10/docs/06-For CISOs/Security/01-principles.md index e327ec4a..7988624e 100644 --- a/versioned_docs/version-v0.21.10/docs/06-For CISOs/Security/01-principles.md +++ b/versioned_docs/version-v0.21.10/docs/06-For CISOs/Security/01-principles.md @@ -15,7 +15,7 @@ The minimal need to know principle is a security concept that restricts access t ### RBAC :::info -As of now metal-stack does not implement fine-grained Role-Based Access Control (RBAC) within the `metal-api` but this is worked on in [MEP-4](..//community/MEP-4-multi-tenancy-for-the-metal-api). +As of now metal-stack does not implement fine-grained Role-Based Access Control (RBAC) within the `metal-api` but this is worked on in [MEP-4](/community/MEP-4-multi-tenancy-for-the-metal-api). ::: As described in our [User Management](../../05-Concepts/02-user-management.md) concept the [metal-api](https://github.com/metal-stack/metal-api) currently offers three different user roles for authorization: diff --git a/versioned_docs/version-v0.21.10/docs/06-For CISOs/Security/04-communication-matrix.md b/versioned_docs/version-v0.21.10/docs/06-For CISOs/Security/04-communication-matrix.md index 24c1bc1d..54268414 100644 --- a/versioned_docs/version-v0.21.10/docs/06-For CISOs/Security/04-communication-matrix.md +++ b/versioned_docs/version-v0.21.10/docs/06-For CISOs/Security/04-communication-matrix.md @@ -116,7 +116,7 @@ Please note that every [networking setup](../../05-Concepts/03-Network/01-theory | VLAN | Switches, Firewalls | Layer 2 traffic segmentation. | | VXLAN | Switches, Firewalls | Encapsulate Layer 2 frames in Layer 3 packets for network virtualization. | | EVPN | Switches, Firewalls | Overlay network technology for scalable and flexible network architectures. | -| VPN | Firewalls | Management access [without open SSH ports](..//community/MEP-9-no-open-ports-to-the-data-center). | +| VPN | Firewalls | Management access [without open SSH ports](/community/MEP-9-no-open-ports-to-the-data-center). | | BGP | Multiple | Routing protocol for dynamic routing and network management. | | SSH | Management Server, Switches | Secure shell access for management and configuration. | | LLDP | Switches, Machines | Link Layer Discovery Protocol for network device discovery. | diff --git a/versioned_docs/version-v0.21.11/docs/06-For CISOs/Security/01-principles.md b/versioned_docs/version-v0.21.11/docs/06-For CISOs/Security/01-principles.md index e327ec4a..7988624e 100644 --- a/versioned_docs/version-v0.21.11/docs/06-For CISOs/Security/01-principles.md +++ b/versioned_docs/version-v0.21.11/docs/06-For CISOs/Security/01-principles.md @@ -15,7 +15,7 @@ The minimal need to know principle is a security concept that restricts access t ### RBAC :::info -As of now metal-stack does not implement fine-grained Role-Based Access Control (RBAC) within the `metal-api` but this is worked on in [MEP-4](..//community/MEP-4-multi-tenancy-for-the-metal-api). +As of now metal-stack does not implement fine-grained Role-Based Access Control (RBAC) within the `metal-api` but this is worked on in [MEP-4](/community/MEP-4-multi-tenancy-for-the-metal-api). ::: As described in our [User Management](../../05-Concepts/02-user-management.md) concept the [metal-api](https://github.com/metal-stack/metal-api) currently offers three different user roles for authorization: diff --git a/versioned_docs/version-v0.21.11/docs/06-For CISOs/Security/04-communication-matrix.md b/versioned_docs/version-v0.21.11/docs/06-For CISOs/Security/04-communication-matrix.md index 24c1bc1d..54268414 100644 --- a/versioned_docs/version-v0.21.11/docs/06-For CISOs/Security/04-communication-matrix.md +++ b/versioned_docs/version-v0.21.11/docs/06-For CISOs/Security/04-communication-matrix.md @@ -116,7 +116,7 @@ Please note that every [networking setup](../../05-Concepts/03-Network/01-theory | VLAN | Switches, Firewalls | Layer 2 traffic segmentation. | | VXLAN | Switches, Firewalls | Encapsulate Layer 2 frames in Layer 3 packets for network virtualization. | | EVPN | Switches, Firewalls | Overlay network technology for scalable and flexible network architectures. | -| VPN | Firewalls | Management access [without open SSH ports](..//community/MEP-9-no-open-ports-to-the-data-center). | +| VPN | Firewalls | Management access [without open SSH ports](/community/MEP-9-no-open-ports-to-the-data-center). | | BGP | Multiple | Routing protocol for dynamic routing and network management. | | SSH | Management Server, Switches | Secure shell access for management and configuration. | | LLDP | Switches, Machines | Link Layer Discovery Protocol for network device discovery. | diff --git a/versioned_docs/version-v0.21.8/docs/06-For CISOs/Security/01-principles.md b/versioned_docs/version-v0.21.8/docs/06-For CISOs/Security/01-principles.md index 3f3c8794..fd5ef89c 100644 --- a/versioned_docs/version-v0.21.8/docs/06-For CISOs/Security/01-principles.md +++ b/versioned_docs/version-v0.21.8/docs/06-For CISOs/Security/01-principles.md @@ -15,7 +15,7 @@ The minimal need to know principle is a security concept that restricts access t ### RBAC :::info -As of now metal-stack does not implement fine-grained Role-Based Access Control (RBAC) within the `metal-api` but this is worked on in [MEP-4](..//community/MEP-4-multi-tenancy-for-the-metal-api). +As of now metal-stack does not implement fine-grained Role-Based Access Control (RBAC) within the `metal-api` but this is worked on in [MEP-4](/community/MEP-4-multi-tenancy-for-the-metal-api). ::: As described in our [User Management](../../05-Concepts/02-user-management.md) concept the [metal-api](https://github.com/metal-stack/metal-api) currently offers three different user roles for authorization: diff --git a/versioned_docs/version-v0.21.8/docs/06-For CISOs/Security/04-communication-matrix.md b/versioned_docs/version-v0.21.8/docs/06-For CISOs/Security/04-communication-matrix.md index 24c1bc1d..54268414 100644 --- a/versioned_docs/version-v0.21.8/docs/06-For CISOs/Security/04-communication-matrix.md +++ b/versioned_docs/version-v0.21.8/docs/06-For CISOs/Security/04-communication-matrix.md @@ -116,7 +116,7 @@ Please note that every [networking setup](../../05-Concepts/03-Network/01-theory | VLAN | Switches, Firewalls | Layer 2 traffic segmentation. | | VXLAN | Switches, Firewalls | Encapsulate Layer 2 frames in Layer 3 packets for network virtualization. | | EVPN | Switches, Firewalls | Overlay network technology for scalable and flexible network architectures. | -| VPN | Firewalls | Management access [without open SSH ports](..//community/MEP-9-no-open-ports-to-the-data-center). | +| VPN | Firewalls | Management access [without open SSH ports](/community/MEP-9-no-open-ports-to-the-data-center). | | BGP | Multiple | Routing protocol for dynamic routing and network management. | | SSH | Management Server, Switches | Secure shell access for management and configuration. | | LLDP | Switches, Machines | Link Layer Discovery Protocol for network device discovery. | diff --git a/versioned_docs/version-v0.21.9/docs/06-For CISOs/Security/01-principles.md b/versioned_docs/version-v0.21.9/docs/06-For CISOs/Security/01-principles.md index a288346c..7fa9384e 100644 --- a/versioned_docs/version-v0.21.9/docs/06-For CISOs/Security/01-principles.md +++ b/versioned_docs/version-v0.21.9/docs/06-For CISOs/Security/01-principles.md @@ -15,7 +15,7 @@ The minimal need to know principle is a security concept that restricts access t ### RBAC :::info -As of now metal-stack does not implement fine-grained Role-Based Access Control (RBAC) within the `metal-api` but this is worked on in [MEP-4](..//community/MEP-4-multi-tenancy-for-the-metal-api). +As of now metal-stack does not implement fine-grained Role-Based Access Control (RBAC) within the `metal-api` but this is worked on in [MEP-4](/community/MEP-4-multi-tenancy-for-the-metal-api). ::: As described in our [User Management](../../05-Concepts/02-user-management.md) concept the [metal-api](https://github.com/metal-stack/metal-api) currently offers three different user roles for authorization: diff --git a/versioned_docs/version-v0.21.9/docs/06-For CISOs/Security/04-communication-matrix.md b/versioned_docs/version-v0.21.9/docs/06-For CISOs/Security/04-communication-matrix.md index 24c1bc1d..54268414 100644 --- a/versioned_docs/version-v0.21.9/docs/06-For CISOs/Security/04-communication-matrix.md +++ b/versioned_docs/version-v0.21.9/docs/06-For CISOs/Security/04-communication-matrix.md @@ -116,7 +116,7 @@ Please note that every [networking setup](../../05-Concepts/03-Network/01-theory | VLAN | Switches, Firewalls | Layer 2 traffic segmentation. | | VXLAN | Switches, Firewalls | Encapsulate Layer 2 frames in Layer 3 packets for network virtualization. | | EVPN | Switches, Firewalls | Overlay network technology for scalable and flexible network architectures. | -| VPN | Firewalls | Management access [without open SSH ports](..//community/MEP-9-no-open-ports-to-the-data-center). | +| VPN | Firewalls | Management access [without open SSH ports](/community/MEP-9-no-open-ports-to-the-data-center). | | BGP | Multiple | Routing protocol for dynamic routing and network management. | | SSH | Management Server, Switches | Secure shell access for management and configuration. | | LLDP | Switches, Machines | Link Layer Discovery Protocol for network device discovery. | diff --git a/versioned_docs/version-v0.22.0/docs/06-For CISOs/Security/01-principles.md b/versioned_docs/version-v0.22.0/docs/06-For CISOs/Security/01-principles.md index e327ec4a..7988624e 100644 --- a/versioned_docs/version-v0.22.0/docs/06-For CISOs/Security/01-principles.md +++ b/versioned_docs/version-v0.22.0/docs/06-For CISOs/Security/01-principles.md @@ -15,7 +15,7 @@ The minimal need to know principle is a security concept that restricts access t ### RBAC :::info -As of now metal-stack does not implement fine-grained Role-Based Access Control (RBAC) within the `metal-api` but this is worked on in [MEP-4](..//community/MEP-4-multi-tenancy-for-the-metal-api). +As of now metal-stack does not implement fine-grained Role-Based Access Control (RBAC) within the `metal-api` but this is worked on in [MEP-4](/community/MEP-4-multi-tenancy-for-the-metal-api). ::: As described in our [User Management](../../05-Concepts/02-user-management.md) concept the [metal-api](https://github.com/metal-stack/metal-api) currently offers three different user roles for authorization: diff --git a/versioned_docs/version-v0.22.0/docs/06-For CISOs/Security/04-communication-matrix.md b/versioned_docs/version-v0.22.0/docs/06-For CISOs/Security/04-communication-matrix.md index 24c1bc1d..54268414 100644 --- a/versioned_docs/version-v0.22.0/docs/06-For CISOs/Security/04-communication-matrix.md +++ b/versioned_docs/version-v0.22.0/docs/06-For CISOs/Security/04-communication-matrix.md @@ -116,7 +116,7 @@ Please note that every [networking setup](../../05-Concepts/03-Network/01-theory | VLAN | Switches, Firewalls | Layer 2 traffic segmentation. | | VXLAN | Switches, Firewalls | Encapsulate Layer 2 frames in Layer 3 packets for network virtualization. | | EVPN | Switches, Firewalls | Overlay network technology for scalable and flexible network architectures. | -| VPN | Firewalls | Management access [without open SSH ports](..//community/MEP-9-no-open-ports-to-the-data-center). | +| VPN | Firewalls | Management access [without open SSH ports](/community/MEP-9-no-open-ports-to-the-data-center). | | BGP | Multiple | Routing protocol for dynamic routing and network management. | | SSH | Management Server, Switches | Secure shell access for management and configuration. | | LLDP | Switches, Machines | Link Layer Discovery Protocol for network device discovery. | diff --git a/versioned_docs/version-v0.22.1/docs/06-For CISOs/Security/01-principles.md b/versioned_docs/version-v0.22.1/docs/06-For CISOs/Security/01-principles.md index e327ec4a..7988624e 100644 --- a/versioned_docs/version-v0.22.1/docs/06-For CISOs/Security/01-principles.md +++ b/versioned_docs/version-v0.22.1/docs/06-For CISOs/Security/01-principles.md @@ -15,7 +15,7 @@ The minimal need to know principle is a security concept that restricts access t ### RBAC :::info -As of now metal-stack does not implement fine-grained Role-Based Access Control (RBAC) within the `metal-api` but this is worked on in [MEP-4](..//community/MEP-4-multi-tenancy-for-the-metal-api). +As of now metal-stack does not implement fine-grained Role-Based Access Control (RBAC) within the `metal-api` but this is worked on in [MEP-4](/community/MEP-4-multi-tenancy-for-the-metal-api). ::: As described in our [User Management](../../05-Concepts/02-user-management.md) concept the [metal-api](https://github.com/metal-stack/metal-api) currently offers three different user roles for authorization: diff --git a/versioned_docs/version-v0.22.1/docs/06-For CISOs/Security/04-communication-matrix.md b/versioned_docs/version-v0.22.1/docs/06-For CISOs/Security/04-communication-matrix.md index 24c1bc1d..54268414 100644 --- a/versioned_docs/version-v0.22.1/docs/06-For CISOs/Security/04-communication-matrix.md +++ b/versioned_docs/version-v0.22.1/docs/06-For CISOs/Security/04-communication-matrix.md @@ -116,7 +116,7 @@ Please note that every [networking setup](../../05-Concepts/03-Network/01-theory | VLAN | Switches, Firewalls | Layer 2 traffic segmentation. | | VXLAN | Switches, Firewalls | Encapsulate Layer 2 frames in Layer 3 packets for network virtualization. | | EVPN | Switches, Firewalls | Overlay network technology for scalable and flexible network architectures. | -| VPN | Firewalls | Management access [without open SSH ports](..//community/MEP-9-no-open-ports-to-the-data-center). | +| VPN | Firewalls | Management access [without open SSH ports](/community/MEP-9-no-open-ports-to-the-data-center). | | BGP | Multiple | Routing protocol for dynamic routing and network management. | | SSH | Management Server, Switches | Secure shell access for management and configuration. | | LLDP | Switches, Machines | Link Layer Discovery Protocol for network device discovery. | diff --git a/versioned_docs/version-v0.22.2/docs/06-For CISOs/Security/01-principles.md b/versioned_docs/version-v0.22.2/docs/06-For CISOs/Security/01-principles.md index e327ec4a..7988624e 100644 --- a/versioned_docs/version-v0.22.2/docs/06-For CISOs/Security/01-principles.md +++ b/versioned_docs/version-v0.22.2/docs/06-For CISOs/Security/01-principles.md @@ -15,7 +15,7 @@ The minimal need to know principle is a security concept that restricts access t ### RBAC :::info -As of now metal-stack does not implement fine-grained Role-Based Access Control (RBAC) within the `metal-api` but this is worked on in [MEP-4](..//community/MEP-4-multi-tenancy-for-the-metal-api). +As of now metal-stack does not implement fine-grained Role-Based Access Control (RBAC) within the `metal-api` but this is worked on in [MEP-4](/community/MEP-4-multi-tenancy-for-the-metal-api). ::: As described in our [User Management](../../05-Concepts/02-user-management.md) concept the [metal-api](https://github.com/metal-stack/metal-api) currently offers three different user roles for authorization: diff --git a/versioned_docs/version-v0.22.2/docs/06-For CISOs/Security/04-communication-matrix.md b/versioned_docs/version-v0.22.2/docs/06-For CISOs/Security/04-communication-matrix.md index 24c1bc1d..54268414 100644 --- a/versioned_docs/version-v0.22.2/docs/06-For CISOs/Security/04-communication-matrix.md +++ b/versioned_docs/version-v0.22.2/docs/06-For CISOs/Security/04-communication-matrix.md @@ -116,7 +116,7 @@ Please note that every [networking setup](../../05-Concepts/03-Network/01-theory | VLAN | Switches, Firewalls | Layer 2 traffic segmentation. | | VXLAN | Switches, Firewalls | Encapsulate Layer 2 frames in Layer 3 packets for network virtualization. | | EVPN | Switches, Firewalls | Overlay network technology for scalable and flexible network architectures. | -| VPN | Firewalls | Management access [without open SSH ports](..//community/MEP-9-no-open-ports-to-the-data-center). | +| VPN | Firewalls | Management access [without open SSH ports](/community/MEP-9-no-open-ports-to-the-data-center). | | BGP | Multiple | Routing protocol for dynamic routing and network management. | | SSH | Management Server, Switches | Secure shell access for management and configuration. | | LLDP | Switches, Machines | Link Layer Discovery Protocol for network device discovery. | diff --git a/versioned_docs/version-v0.22.3/docs/06-For CISOs/Security/01-principles.md b/versioned_docs/version-v0.22.3/docs/06-For CISOs/Security/01-principles.md index e327ec4a..7988624e 100644 --- a/versioned_docs/version-v0.22.3/docs/06-For CISOs/Security/01-principles.md +++ b/versioned_docs/version-v0.22.3/docs/06-For CISOs/Security/01-principles.md @@ -15,7 +15,7 @@ The minimal need to know principle is a security concept that restricts access t ### RBAC :::info -As of now metal-stack does not implement fine-grained Role-Based Access Control (RBAC) within the `metal-api` but this is worked on in [MEP-4](..//community/MEP-4-multi-tenancy-for-the-metal-api). +As of now metal-stack does not implement fine-grained Role-Based Access Control (RBAC) within the `metal-api` but this is worked on in [MEP-4](/community/MEP-4-multi-tenancy-for-the-metal-api). ::: As described in our [User Management](../../05-Concepts/02-user-management.md) concept the [metal-api](https://github.com/metal-stack/metal-api) currently offers three different user roles for authorization: diff --git a/versioned_docs/version-v0.22.3/docs/06-For CISOs/Security/04-communication-matrix.md b/versioned_docs/version-v0.22.3/docs/06-For CISOs/Security/04-communication-matrix.md index 24c1bc1d..54268414 100644 --- a/versioned_docs/version-v0.22.3/docs/06-For CISOs/Security/04-communication-matrix.md +++ b/versioned_docs/version-v0.22.3/docs/06-For CISOs/Security/04-communication-matrix.md @@ -116,7 +116,7 @@ Please note that every [networking setup](../../05-Concepts/03-Network/01-theory | VLAN | Switches, Firewalls | Layer 2 traffic segmentation. | | VXLAN | Switches, Firewalls | Encapsulate Layer 2 frames in Layer 3 packets for network virtualization. | | EVPN | Switches, Firewalls | Overlay network technology for scalable and flexible network architectures. | -| VPN | Firewalls | Management access [without open SSH ports](..//community/MEP-9-no-open-ports-to-the-data-center). | +| VPN | Firewalls | Management access [without open SSH ports](/community/MEP-9-no-open-ports-to-the-data-center). | | BGP | Multiple | Routing protocol for dynamic routing and network management. | | SSH | Management Server, Switches | Secure shell access for management and configuration. | | LLDP | Switches, Machines | Link Layer Discovery Protocol for network device discovery. | diff --git a/versioned_docs/version-v0.22.4/docs/06-For CISOs/Security/01-principles.md b/versioned_docs/version-v0.22.4/docs/06-For CISOs/Security/01-principles.md index e327ec4a..7988624e 100644 --- a/versioned_docs/version-v0.22.4/docs/06-For CISOs/Security/01-principles.md +++ b/versioned_docs/version-v0.22.4/docs/06-For CISOs/Security/01-principles.md @@ -15,7 +15,7 @@ The minimal need to know principle is a security concept that restricts access t ### RBAC :::info -As of now metal-stack does not implement fine-grained Role-Based Access Control (RBAC) within the `metal-api` but this is worked on in [MEP-4](..//community/MEP-4-multi-tenancy-for-the-metal-api). +As of now metal-stack does not implement fine-grained Role-Based Access Control (RBAC) within the `metal-api` but this is worked on in [MEP-4](/community/MEP-4-multi-tenancy-for-the-metal-api). ::: As described in our [User Management](../../05-Concepts/02-user-management.md) concept the [metal-api](https://github.com/metal-stack/metal-api) currently offers three different user roles for authorization: diff --git a/versioned_docs/version-v0.22.4/docs/06-For CISOs/Security/04-communication-matrix.md b/versioned_docs/version-v0.22.4/docs/06-For CISOs/Security/04-communication-matrix.md index 24c1bc1d..54268414 100644 --- a/versioned_docs/version-v0.22.4/docs/06-For CISOs/Security/04-communication-matrix.md +++ b/versioned_docs/version-v0.22.4/docs/06-For CISOs/Security/04-communication-matrix.md @@ -116,7 +116,7 @@ Please note that every [networking setup](../../05-Concepts/03-Network/01-theory | VLAN | Switches, Firewalls | Layer 2 traffic segmentation. | | VXLAN | Switches, Firewalls | Encapsulate Layer 2 frames in Layer 3 packets for network virtualization. | | EVPN | Switches, Firewalls | Overlay network technology for scalable and flexible network architectures. | -| VPN | Firewalls | Management access [without open SSH ports](..//community/MEP-9-no-open-ports-to-the-data-center). | +| VPN | Firewalls | Management access [without open SSH ports](/community/MEP-9-no-open-ports-to-the-data-center). | | BGP | Multiple | Routing protocol for dynamic routing and network management. | | SSH | Management Server, Switches | Secure shell access for management and configuration. | | LLDP | Switches, Machines | Link Layer Discovery Protocol for network device discovery. | From c1ac0b1e4a37b0aff917771708f0af8574540c81 Mon Sep 17 00:00:00 2001 From: Valentin Knabel Date: Tue, 24 Feb 2026 09:37:38 +0100 Subject: [PATCH 3/3] docs: update README structure --- README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 82c4c949..523e59b2 100644 --- a/README.md +++ b/README.md @@ -17,9 +17,9 @@ The used framework to generate docs is [docusaurus](https://docusaurus.io). │   ├── 2024 │   └── 2025 ├── docs # docs folder split by different scopes -│   ├── contributing # guidelines for contributors -│   ├── docs # documentation pages -│   ├── references # auto-generated references of components and apis +│   ├── 08-References # auto-generated references of components and apis +├── community # guidelines for contributors and information about the community +│   ├── 04-Proposals # metal-stack enhancement proposals ├── scripts # custom scripts (e.g: resolving component documentation) ├── src # custom routes and react │   ├── components