From a6c4b48d41b1874959567f313353aef6507a3c3c Mon Sep 17 00:00:00 2001 From: Saad Ali Date: Mon, 23 Oct 2017 01:51:53 -0700 Subject: [PATCH] CSI Volume Plugins in Kubernetes Design Doc Design documenting all the requirements for enabling an a CSI compliant volume plugin (a CSI volume driver) in Kubernetes. This design was drafted [here](https://docs.google.com/document/d/10GDyPWbFE5tQunKMlTXbcWysUttMFhBFJRX8ntaS_4Y/edit?usp=sharing), and is now ready for publishing. This feature is targeted as alpha in v1.9. --- .../storage/container-storage-interface.md | 488 ++++++++++++++++++ .../container-storage-interface_diagram1.png | Bin 0 -> 69333 bytes 2 files changed, 488 insertions(+) create mode 100644 contributors/design-proposals/storage/container-storage-interface.md create mode 100644 contributors/design-proposals/storage/container-storage-interface_diagram1.png diff --git a/contributors/design-proposals/storage/container-storage-interface.md b/contributors/design-proposals/storage/container-storage-interface.md new file mode 100644 index 00000000000..133930a4279 --- /dev/null +++ b/contributors/design-proposals/storage/container-storage-interface.md @@ -0,0 +1,488 @@ +# CSI Volume Plugins in Kubernetes Design Doc + +***Status:*** Pending + +***Version:*** Alpha + +***Author:*** Saad Ali ([@saad-ali](https://github.com/saad-ali), saadali@google.com) + +*This document was drafted [here](https://docs.google.com/document/d/10GDyPWbFE5tQunKMlTXbcWysUttMFhBFJRX8ntaS_4Y/edit?usp=sharing).* + +## Terminology + +Term | Definition +---|--- +Container Storage Interface (CSI) | A specification attempting to establish an industry standard interface that Container Orchestration Systems (COs) can use to expose arbitrary storage systems to their containerized workloads. +in-tree | Code that exists in the core Kubernetes repository. +out-of-tree | Code that exists somewhere outside the core Kubernetes repository. +CSI Volume Plugin | A new, in-tree volume plugin that acts as an adapter and enables out-of-tree, third-party CSI volume drivers to be used in Kubernetes. +CSI Volume Driver | An out-of-tree CSI compatible implementation of a volume plugin that can be used in Kubernetes through the Kubernetes CSI Volume Plugin. + + +## Background & Motivations + +Kubernetes volume plugins are currently “in-tree” meaning they are linked, compiled, built, and shipped with the core kubernetes binaries. Adding a new storage system to Kubernetes (a volume plugin) requires checking code into the core Kubernetes code repository. This is undesirable for many reasons including: + +1. Volume plugin development is tightly coupled and dependent on Kubernetes releases. +2. Kubernetes developers/community are responsible for testing and maintaining all volume plugins, instead of just testing and maintaining a stable plugin API. +3. Bugs in volume plugins can crash critical Kubernetes components, instead of just the plugin. +4. Volume plugins get full privileges of kubernetes components (kubelet and kube-controller-manager). +5. Plugin developers are forced to make plugin source code available, and can not choose to release just a binary. + +The existing [Flex Volume](https://github.com/kubernetes/community/blob/master/contributors/devel/flexvolume.md) plugin attempted to address this by exposing an exec based API for mount/unmount/attach/detach. Although it enables third party storage vendors to write drivers out-of-tree, it requires access to the root filesystem of node and master machines in order to deploy the third party driver files. + +Additionally, it doesn’t address another pain of in-tree volumes plugins: dependencies. Volume plugins tend to have many external requirements: dependencies on mount and filesystem tools, for example. These dependencies are assumed to be available on the underlying host OS, which often is not the case, and installing them requires direct machine access. There are efforts underway, for example https://github.com/kubernetes/community/pull/589, that are hoping to address this for in-tree volume plugins. But, enabling volume plugins to be completely containerized will make dependency management much easier. + +While Kubernetes has been dealing with these issues, the broader storage community has also been dealing with a fragmented story for how to make their storage system available in different Container Orchestration Systems (COs). Storage vendors have to either write and support multiple volume drivers for different COs or choose to not support some COs. + +The Container Storage Interface (CSI) is a specification that resulted from cooperation between community members from various COs--including Kubernetes, Mesos, Cloud Foundry, and Docker. The goal of this interface is to establish a standardized mechanism for COs to expose arbitrary storage systems to their containerized workloads. + +The primary motivation for Storage vendors to adopt the interface is a desire to make their system available to as many users as possible with as little work as possible. The primary motivation for COs to adopt the interface is to invest in a mechanism that will enable their users to use as many different storage systems as possible. In addition, for Kubernetes, adopting CSI will have the added benefit of moving volume plugins out of tree, and enabling volume plugins to be containerized. + +### Links + +* [Container Storage Interface (CSI) Spec](https://github.com/container-storage-interface/spec/blob/master/spec.md) + +## Objective + +The objective of this document is to document all the requirements for enabling a CSI compliant volume plugin (a CSI volume driver) in Kubernetes. + +## Goals + +* Define Kubernetes API for interacting with an arbitrary, third-party CSI volume drivers. +* Define mechanism by which Kubernetes master and node components will securely communicate with an arbitrary, third-party CSI volume drivers. +* Define mechanism by which Kubernetes master and node components will discover and register an arbitrary, third-party CSI volume driver deployed on Kubernetes. +* Recommend packaging requirements for Kubernetes compatible, third-party CSI Volume drivers. +* Recommend deployment process for Kubernetes compatible, third-party CSI Volume drivers on a Kubernetes cluster. + +## Non-Goals +* Replace [Flex Volume plugin](https://github.com/kubernetes/community/blob/master/contributors/devel/flexvolume.md) + * The Flex volume plugin exists as an exec based mechanism to create “out-of-tree” volume plugins. + * Because Flex drivers exist and depend on the Flex interface, it will continue to be supported with a stable API. + * The CSI Volume plugin will co-exist with Flex volume plugin. + +## Design Overview + +To support CSI Compliant Volume plugins, a new in-tree CSI Volume plugin will be introduced in Kubernetes. This new volume plugin will be the mechanism by which Kubernetes users (application developers and cluster admins) interact with external CSI volume drivers. + +The `SetUp`/`TearDown` calls for the new in-tree CSI volume plugin will directly invoke `NodePublishVolume` and `NodeUnpublishVolume` CSI RPCs through a unix domain socket on the node machine. + +Provision/delete and attach/detach must be handled by some external component that monitors the Kubernetes API on behalf of a CSI volume driver and invokes the appropriate CSI RPCs against it. + +To simplify integration, the Kubernetes team will offer a containers that captures all the Kubernetes specific logic and act as adapters between third-party containerized CSI volume drivers and Kubernetes (each deployment of a CSI driver would have it’s own instance of the adapter). + +## Design Details + +### Third-Party CSI Volume Drivers + +Kubernetes is as minimally prescriptive on the packaging and deployment of a CSI Volume Driver as possible. Use of the *Communication Channels* (documented below) is the only requirement for enabling an arbitrary external CSI compatible storage driver in Kubernetes. + +This document recommends a standard mechanism for deploying an arbitrary containerized CSI driver on Kubernetes. This can be used by a Storage Provider to simplify deployment of containerized CSI compatible volume drivers on Kubernetes (see the “Recommended Mechanism for Deploying CSI Drivers on Kubernetes” section below). This mechanism, however, is strictly optional. + +### Communication Channels + +#### Kubelet to CSI Driver Communication + +Kubelet (responsible for mount and unmount) will communicate with an external “CSI volume driver” running on the same host machine (whether containerized or not) via a Unix Domain Socket. + +CSI volume drivers should create a socket at the following path on the node machine: `/var/lib/kubelet/plugins/[SanitizedCSIDriverName]/csi.sock`. For alpha, kubelet will assume this is the location for the Unix Domain Socket to talk to the CSI volume driver. For the beta implementation, we can consider using the [Device Plugin Unix Domain Socket Registration](https://github.com/kubernetes/community/blob/master/contributors/design-proposals/resource-management/device-plugin.md#unix-socket) mechanism to register the Unix Domain Socket with kubelet. This mechanism would need to be extended to support registration of both CSI volume drivers and device plugins independently. + +`Sanitized CSIDriverName` is CSI driver name that does not contain dangerous character and can be used as annotation name. It can follow the same pattern that we use for [volume plugins](https://github.com/kubernetes/kubernetes/blob/master/pkg/util/strings/escape.go#L27). Too long or too ugly driver names can be rejected, i.e. all components described in this document will report an error and won't talk to this CSI driver. Exact sanitization method is implementation detail (SHA in the worst case). + +Upon initialization of the external “CSI volume driver”, some external component must call the CSI method `GetNodeId` to get the mapping from Kubernetes Node names to CSI driver NodeID. It must then add the CSI driver NodeID to the `csi.volume.kubernetes.io/nodeid` annotation on the Kubernetes Node API object. The key of the annotation must be `csi.volume.kubernetes.io/nodeid`. The value of the annotation is a JSON blob, containing key/value pairs for each CSI driver. + +For example: +``` +csi.volume.kubernetes.io/nodeid: "{ \"driver1\": \"name1\", \"driver2\": \"name2\" } +``` + +This will enable the component that will issue `ControllerPublishVolume` calls to use the annotation as a mapping from cluster node ID to storage node ID. + +To enable easy deployment of an external containerized CSI volume driver, the Kubernetes team will provide a sidecar "Kubernetes CSI Helper" container that can manage the unix domain socket registration and NodeId initialization. This is detailed in the “Suggested Mechanism for Deploying CSI Drivers on Kubernetes” section below. + +#### Master to CSI Driver Communication + +Because CSI volume driver code is considered untrusted, it might not be allowed to run on the master. Therefore, the Kube controller manager (responsible for create, delete, attach, and detach) can not communicate via a Unix Domain Socket with the “CSI volume driver” container. Instead, the Kube controller manager will communicate with the external “CSI volume driver” through the Kubernetes API. + +More specifically, some external component must watch the Kubernetes API on behalf of the external CSI volume driver and trigger the appropriate operations against it. This eliminates the problems of discovery and securing a channel between the kube-controller-manager and the CSI volume driver. + +To enable easy deployment of an external containerized CSI volume driver on Kubernetes, without making the driver Kubernetes aware, Kubernetes will provide a sidecar “Kubernetes to CSI” proxy container that will watch the Kubernetes API and trigger the appropriate operations against the “CSI volume driver” container. This is detailed in the “Suggested Mechanism for Deploying CSI Drivers on Kubernetes” section below. + +The external component watching the Kubernetes API on behalf of the external CSI volume driver must handle provisioning, deleting, attaching, and detaching. + +##### Provisioning and Deleting + +Provisioning and deletion operations are handled using the existing [external provisioner mechanism](https://github.com/kubernetes-incubator/external-storage/tree/master/docs), where the external component watching the Kubernetes API on behalf of the external CSI volume driver will act as an external provisioner. + +In short, to dynamically provision a new CSI volume, a cluster admin would create a `StorageClass` with the provisioner corresponding to the name of the external provisioner handling provisioning requests on behalf of the CSI volume driver. + +To provision a new CSI volume, an end user would create a `PersistentVolumeClaim` object referencing this `StorageClass`. The external provisioner will react to the creation of the PVC and issue the `CreateVolume` call against the CSI volume driver to provision the volume. The `CreateVolume` name will be auto-generated as it is for other dynamically provisioned volumes. The `CreateVolume` capacity will be take from the `PersistentVolumeClaim` object. The `CreateVolume` parameters will be passed through from the `StorageClass` parameters (opaque to Kubernetes). Once the operation completes successfully, the external provisioner creates a `PersistentVolume` object to represent the volume using the information returned in the `CreateVolume` response. The `PersistentVolume` object is bound to the `PersistentVolumeClaim` and available for use. + +To delete a CSI volume, an end user would delete the corresponding `PersistentVolumeClaim` object. The external provisioner will react to the deletion of the PVC and based on its reclamation policy it will issue the `DeleteVolume` call against the CSI volume driver commands to delete the volume. It will then delete the `PersistentVolume` object. + +##### Attaching and Detaching + +Attach/detach operations must also be handled by an external component (an “attacher”). The attacher watches the Kubernetes API on behalf of the external CSI volume driver for new `VolumeAttachment` objects (defined below), and triggers the appropriate calls against the CSI volume driver to attach the volume. The attacher must watch for `VolumeAttachment` object and mark it as attached even if the underlying CSI driver does not support `ControllerPublishVolume` call, as Kubernetes has no knowledge about it. + +More specifically, an external “attacher” must watch the Kubernetes API on behalf of the external CSI volume driver to handle attach/detach requests. + +Once the following conditions are true, the external-attacher should call `ControllerPublishVolume` against the CSI volume driver to attach the volume to the specified node: + +1. A new `VolumeAttachment` Kubernetes API objects is created by Kubernetes attach/detach controller. +2. The `VolumeAttachment.Spec.Attacher` value in that object corresponds to the name of the external attacher. +3. The `VolumeAttachment.Status.Attached` value is not yet set to true. +4. A Kubernetes Node API object exists with the name matching `VolumeAttachment.Spec.NodeName` and that object contains a `csi.volume.kubernetes.io/nodeid` annotation. This annotation contains a JSON blob, a list of key/value pairs, where one of they keys corresponds with the CSI volume driver name, and the value is the NodeID for that driver. This NodeId mapping can be retrieved and used in the `ControllerPublishVolume` calls. +5. The `VolumeAttachment.Metadata.DeletionTimestamp` is not set. + +Before starting the `ControllerPublishVolume` operation, the external-attacher should add these finalizers to these Kubernetes API objects: + +* To the `VolumeAttachment` so that when the object is deleted, the external-attacher has an opportunity to detach the volume first. External attacher removes this finalized once the volume is fully detached from the node. +* To the `PersistentVolume` referenced by `VolumeAttachment` so the the PV cannot be deleted while the volume is attached. External attacher needs information from the PV to perform detach operation. The attacher will remove the finalizer once all `VolumeAttachment` objects that refer to the PV are deleted, i.e. the volume is detached from all nodes. + +If the operation completes successfully, the external-attacher will: + +1. Set `VolumeAttachment.Status.Attached` field to true to indicate the volume is attached. +2. Update the `VolumeAttachment.Status.AttachmentMetadata` field with the contents of the returned `PublishVolumeInfo`. +3. Clear the `VolumeAttachment.Status.AttachError` field. + +If the operation fails, the external-attacher will: + +1. Ensure the `VolumeAttachment.Status.Attached` field to still false to indicate the volume is not attached. +2. Set the `VolumeAttachment.Status.AttachError` field detailing the error. +3. Create an event against the Kubernetes API associated with the `VolumeAttachment` object to inform users what went wrong. + +The external-attacher may implement it’s own error recovery strategy, and retry as long as conditions specified for attachment above are valid. It is strongly recommended that the external-attacher implement an exponential backoff strategy for retries. + +The detach operation will be triggered by the deletion of the `VolumeAttachment` Kubernetes API objects. Since the `VolumeAttachment` Kubernetes API object will have a finalizer added by the external-attacher, it will wait for confirmation from the external-attacher before deleting the object. + +Once all the following conditions are true, the external-attacher should call `ControllerUnpublishVolume` against the CSI volume driver to detach the volume from the specified node: +1. A `VolumeAttachment` Kubernetes API object is marked for deletion: the value for the `VolumeAttachment.metadata.deletionTimestamp` field is set. + +If the operation completes successfully, the external-attacher will: +1. Remove its finalizer from the list of finalizers on the `VolumeAttachment` object permitting the delete operation to continue. + +If the operation fails, the external-attacher will: + +1. Ensure the `VolumeAttachment.Status.Attached` field remains true to indicate the volume is not yet detached. +2. Set the `VolumeAttachment.Status.DetachError` field detailing the error. +3. Create an event against the Kubernetes API associated with the `VolumeAttachment` object to inform users what went wrong. + +The new API object called `VolumeAttachment` will be defined as follows: + +```GO + +// VolumeAttachment captures the intent to attach or detach the specified volume +// to/from the specified node. +// +// VolumeAttachment objects are non-namespaced. +type VolumeAttachment struct { + metav1.TypeMeta `json:",inline"` + + // Standard object metadata. + // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata + // +optional + metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"` + + // Specification of the desired attach/detach volume behavior. + // Populated by the Kubernetes system. + Spec VolumeAttachmentSpec `json:"spec" protobuf:"bytes,2,opt,name=spec"` + + // Status of the VolumeAttachment request. + // Populated by the entity completing the attach or detach + // operation, i.e. the external-attacher. + // +optional + Status VolumeAttachmentStatus `json:"status,omitempty" protobuf:"bytes,3,opt,name=status"` +} + +// The specification of a VolumeAttachment request. +type VolumeAttachmentSpec struct { + // Attacher indicates the name of the volume driver that MUST handle this + // request. This is the name returned by GetPluginName() and must be the + // same as StorageClass.Provisioner. + Attacher string `json:"attacher" protobuf:"bytes,1,opt,name=attacher"` + + // AttachedVolumeSource represents the volume that should be attached. + VolumeSource AttachedVolumeSource `json:"volumeSource" protobuf:"bytes,2,opt,name=volumeSource"` + + // Kubernetes node name that the volume should be attached to. + NodeName string `json:"nodeName" protobuf:"bytes,3,opt,name=nodeName"` +} + +// VolumeAttachmentSource represents a volume that should be attached. +// Right now only PersistenVolumes can be attached via external attacher, +// in future we may allow also inline volumes in pods. +// Exactly one member can be set. +type AttachedVolumeSource struct { + // Name of the persistent volume to attach. + // +optional + PersistentVolumeName *string `json:"persistentVolumeName,omitempty" protobuf:"bytes,1,opt,name=persistentVolumeName"` + + // Placeholder for *VolumeSource to accommodate inline volumes in pods. +} + +// The status of a VolumeAttachment request. +type VolumeAttachmentStatus struct { + // Indicates the volume is successfully attached. + // This field must only be set by the entity completing the attach + // operation, i.e. the external-attacher. + Attached bool `json:"attached" protobuf:"varint,1,opt,name=attached"` + + // Upon successful attach, this field is populated with any + // information returned by the attach operation that must be passed + // into subsequent WaitForAttach or Mount calls. + // This field must only be set by the entity completing the attach + // operation, i.e. the external-attacher. + // +optional + AttachmentMetadata map[string]string `json:"attachmentMetadata,omitempty" protobuf:"bytes,2,rep,name=attachmentMetadata"` + + // The most recent error encountered during attach operation, if any. + // This field must only be set by the entity completing the attach + // operation, i.e. the external-attacher. + // +optional + AttachError *VolumeError `json:"attachError,omitempty" protobuf:"bytes,3,opt,name=attachError,casttype=VolumeError"` + + // The most recent error encountered during detach operation, if any. + // This field must only be set by the entity completing the detach + // operation, i.e. the external-attacher. + // +optional + DetachError *VolumeError `json:"detachError,omitempty" protobuf:"bytes,4,opt,name=detachError,casttype=VolumeError"` +} + +// Captures an error encountered during a volume operation. +type VolumeError struct { + // Time the error was encountered. + // +optional + Time metav1.Time `json:"time,omitempty" protobuf:"bytes,1,opt,name=time"` + + // String detailing the error encountered during Attach or Detach operation. + // This string maybe logged, so it should not contain sensitive + // information. + // +optional + Message string `json:"message,omitempty" protobuf:"bytes,2,opt,name=message"` +} + +``` + +### Kubernetes In-Tree CSI Volume Plugin + +A new in-tree Kubernetes CSI Volume plugin will contain all the logic required for Kubernetes to communicate with an arbitrary, out-of-tree, third-party CSI compatible volume driver. + +The existing Kubernetes volume components (attach/detach controller, PVC/PV controller, Kubelet volume manager) will handle the lifecycle of the CSI volume plugin operations (everything from triggering volume provisioning/deleting, attaching/detaching, and mounting/unmounting) just as they do for existing in-tree volume plugins. + +#### Proposed API + +A new `CSIPersistentVolumeSource` object will be added to the Kubernetes API. It will be part of the existing `PersistentVolumeSource` object and thus can be used only via PersistentVolumes. CSI volumes will not be allow referencing directly from Pods without a `PersistentVolumeClaim`. + +```GO +type CSIPersistentVolumeSource struct { + // Driver is the name of the driver to use for this volume. + // Required. + Driver string `json:"driver" protobuf:"bytes,1,opt,name=driver"` + + // VolumeHandle is the unique volume name returned by the CSI volume + // plugin’s CreateVolume to refer to the volume on all subsequent calls. + VolumeHandle string `json:"volumeHandle" protobuf:"bytes,2,opt,name=volumeHandle"` + + // Optional: The value to pass to ControllerPublishVolumeRequest. + // Defaults to false (read/write). + // +optional + ReadOnly bool `json:"readOnly,omitempty" protobuf:"varint,5,opt,name=readOnly"` +} +``` + +#### Internal Interfaces + +The in-tree CSI volume plugin will implement the following internal Kubernetes volume interfaces: + +1. `VolumePlugin` + * Mounting/Unmounting of a volume to a specific path. +2. `AttachableVolumePlugin` + * Attach/detach of a volume to a given node. + +Notably, `ProvisionableVolumePlugin` and `DeletableVolumePlugin` are not implemented because provisioning and deleting for CSI volumes is handled by an external provisioner. + +#### Mount and Unmount + +The in-tree volume plugin’s SetUp and TearDown methods will trigger the `NodePublishVolume` and `NodeUnpublishVolume` CSI calls via Unix Domain Socket. Kubernetes will generate a unique `target_path` (unique per pod per volume) to pass via `NodePublishVolume` for the CSI plugin to mount the volume. Upon successful completion of the `NodeUnpublishVolume` call (once volume unmount has been verified), Kubernetes will delete the directory. + +The Kubernetes volume sub-system does not currently support block volumes (only file), so for alpha, the Kubernetes CSI volume plugin will only support file. + +#### Attaching and Detaching + +The attach/detach controller,running as part of the kube-controller-manager binary on the master, decides when a CSI volume must be attached or detached from a particular node. + +When the controller decides to attach a CSI volume, it will call the in-tree CSI volume plugin’s attach method. The in-tree CSI volume plugin’s attach method will do the following: + +1. Create a new `VolumeAttachment` object (defined in the “Communication Channels” section) to attach the volume. + * The name of the of the `VolumeAttachment` object will be `pv-`. + * `pv-` prefix is used to allow using other scheme(s) for inline volumes in the future, with their own prefix. + * SHA256 hash is to reduce length of `PVName` plus `NodeName` string, each of which could be max allowed name length (hexadecimal representation of SHA256 is 64 characters). + * `PVName` is `PV.name` of the attached PersistentVolume. + * `NodeName` is `Node.name` of the node where the volume should be attached to. + * If a `VolumeAttachment` object with the corresponding name already exists, the in-tree volume plugin will simply begin to poll it as defined below. The object is not modified; only the external-attacher should change the status fields; and the external-attacher is responsible for it’s own retry and error handling logic. +2. Poll the `VolumeAttachment` object waiting for one of the following conditions: + * The `VolumeAttachment.Status.Attached` field to become `true`. + * The operation completes successfully. + * An error to be set in the `VolumeAttachment.Status.AttachError` field. + * The operation terminates with the specified error. + * The operation to timeout. + * The operation terminates with timeout error. + * The `VolumeAttachment.DeletionTimestamp` is set. + * The operation terminates with an error indicating a detach operation is in progress. + * The `VolumeAttachment.Status.Attached` value must not be trusted. The attach/detach controller has to wait until the object is deleted by the external-attacher before creating a new instance of the object. + +When the controller decides to detach a CSI volume, it will call the in-tree CSI volume plugin’s detach method. The in-tree CSI volume plugin’s detach method will do the following: + +1. Delete the corresponding `VolumeAttachment` object (defined in the “Communication Channels” section) to indicate the volume should be detached. +2. Poll the `VolumeAttachment` object waiting for one of the following conditions: + * The `VolumeAttachment.Status.Attached` field to become false. + * The operation completes successfully. + * An error to be set in the `VolumeAttachment.Status.DetachError` field. + * The operation terminates with the specified error. + * The object to no longer exists. + * The operation completes successfully. + * The operation to timeout. + * The operation terminates with timeout error. + +### Recommended Mechanism for Deploying CSI Drivers on Kubernetes + +Although, Kubernetes does not dictate the packaging for a CSI volume driver, it offers the following recommendations to simplify deployment of a containerized CSI volume driver on Kubernetes. + +![Recommended CSI Deployment Diagram](container-storage-interface_diagram1.png?raw=true "Recommended CSI Deployment Diagram") + +To deploy a containerized third-party CSI volume driver, it is recommended that storage vendors: + + * Create a “CSI volume driver” container that implements the volume plugin behavior and exposes a gRPC interface via a unix domain socket, as defined in the CSI spec (including Controller, Node, and Identity services). + * Bundle the “CSI volume driver” container with helper containers (external-attacher, external-provisioner, Kubernetes CSI Helper) that the Kubernetes team will provide (these helper containers will assist the “CSI volume driver” container in interacting with the Kubernetes system). More specifically, create the following Kubernetes objects: + * A `StatefulSet` (to facilitate communication with the Kubernetes controllers) that has: + * Replica size 1 + * Guarantees that no more than 1 instance of the pod will be running at once (so we don’t have to worry about multiple instances of the `external-provisioner` or `external-attacher` in the cluster). + * The following containers + * The “CSI volume driver” container created by the storage vendor. + * The `external-attacher` container provided by the Kubernetes team. + * The `external-provisioner` container provided by the Kubernetes team. + * The following volumes: + * `emptyDir` volume + * Mounted inside all containers at `/var/lib/csi/sockets/pluginproxy/` + * The “CSI volume driver” container should create its Unix Domain Socket in this directory to enable communication with the Kubernetes helper container(s) (`external-provisioner`, `external-attacher`). + * A `DaemonSet` (to facilitate communication with every instance of kubelet) that has: + * The following containers + * The “CSI volume driver” container created by the storage vendor. + * The “Kubernetes CSI Helper” container provided by the Kubernetes team + * Responsible for registering the unix domain socket with kubelet and initializing NodeId. + * The following volumes: + * `hostpath` volume + * Expose `/var/lib/kubelet/device-plugins/kubelet.sock` from the host. + * Mount only in “Kubernetes CSI Helper” container at `/var/lib/csi/sockets/kubelet.sock` + * The Kubernetes to CSI proxy container will use this unix domain socket to register the CSI driver’s unix domain socket with kubelet. + * `hostpath` volume + * Expose `/var/lib/kubelet/` from the host. + * Mount only in “CSI volume driver” container at `/var/lib/kubelet/` + * Ensure [bi-directional mount propagation](https://kubernetes.io/docs/concepts/storage/volumes/#mount-propagation) is enabled, so that any mounts setup inside this container are propagated back to the host machine. + * `hostpath` volume + * Expose `/var/lib/kubelet/plugins/[SanitizedCSIDriverName]/` from the host as `hostPath.type = "DirectoryOrCreate"`. + * Mount inside “CSI volume driver” container at the path the CSI gRPC socket will be created. + * This is the primary means of communication between Kubelet and the “CSI volume driver” container (gRPC over UDS). + * Have cluster admins deploy the above `StatefulSet` and `DaemonSet` to aded support for the storage system in their Kubernetes cluster. + +Alternatively, deployment could be simplified by having all components (including external-provisioner and external-attacher) in the same pod (DaemonSet). Doing so, however, would consume more resources, and require a leader election protocol (likely https://github.com/kubernetes/contrib/tree/master/election) in the `external-provisioner` and `external-attacher` components. + +### Example Walkthrough + +#### Provisioning Volumes + +1. A cluster admin creates a `StorageClass` pointing to the CSI driver’s external-provisioner and specifying any parameters required by the driver. +2. A user creates a `PersistentVolumeClaim` referring to the new `StorageClass`. +3. The persistent volume controller realizes that dynamic provisioning is needed, and marks the PVC with a `volume.beta.kubernetes.io/storage-provisioner` annotation. +4. The external-provisioner for the CSI driver sees the `PersistentVolumeClaim` with the `volume.beta.kubernetes.io/storage-provisioner` annotation so it starts dynamic volume provisioning: + 1. It dereferences the `StorageClass` to collect the opaque parameters to use for provisioning. + 2. It calls `CreateVolume` against the CSI driver container with parameters from the `StorageClass` and `PersistentVolumeClaim` objects. +5. Once the volume is successfully created, the external-provisioner creates a `PersistentVolume` object to represent the newly created volume and binds it to the `PersistentVolumeClaim`. + +#### Deleting Volumes + +1. A user deletes a `PersistentVolumeClaim` object bound to a CSI volume. +2. The external-provisioner for the CSI driver sees the the `PersistentVolumeClaim` was deleted and triggers the retention policy: + 1. If the retention policy is `delete` + 1. The external-provisioner triggers volume deletion by issuing a `DeleteVolume` call against the CSI volume plugin container. + 2. Once the volume is successfully deleted, the external-provisioner deletes the corresponding `PersistentVolume` object. + 2. If the retention policy is `retain` + 1. The external-provisioner does not delete the `PersistentVolume` object. + +#### Attaching Volumes + +1. The Kubernetes attach/detach controller, running as part of the `kube-controller-manager` binary on the master, sees that a pod referencing a CSI volume plugin is scheduled to a node, so it calls the in-tree CSI volume plugin’s attach method. +2. The in-tree volume plugin creates a new `VolumeAttachment` object in the kubernetes API and waits for its status to change to completed or error. +3. The external-attacher sees the `VolumeAttachment` object and triggers a `ControllerPublish` against the CSI volume driver container to fulfil it (meaning the external-attacher container issues a gRPC call via underlying UNIX domain socket to the CSI driver container). +4. Upon successful completion of the `ControllerPublish` call the external-attacher updates the status of the `VolumeAttachment` object to indicate the volume is successful attached. +5. The in-tree volume plugin watching the status of the `VolumeAttachment` object in the kubernetes API, sees the `Attached` field set to true indicating the volume is attached, so It updates the attach/detach controller’s internal state to indicate the volume is attached. + +#### Detaching Volumes + +1. The Kubernetes attach/detach controller, running as part of the `kube-controller-manager` binary on the master, sees that a pod referencing an attached CSI volume plugin is terminated or deleted, so it calls the in-tree CSI volume plugin’s detach method. +2. The in-tree volume plugin deletes the corresponding `VolumeAttachment` object. +3. The external-attacher sees a `deletionTimestamp` set on the `VolumeAttachment` object and triggers a `ControllerUnpublish` against the CSI volume driver container to detach it. +4. Upon successful completion of the `ControllerUnpublish` call, the external-attacher removes the finalizer from the `VolumeAttachment` object to indicate successful completion of the detach operation allowing the `VolumeAttachment` object to be deleted. +5. The in-tree volume plugin waiting for the `VolumeAttachment` object sees it deleted and assumes the volume was successfully detached, so It updates the attach/detach controller’s internal state to indicate the volume is detached. + +#### Mounting Volumes + +1. The volume manager component of kubelet notices a new volume, referencing a CSI volume, has been scheduled to the node, so it calls the in-tree CSI volume plugin’s `WaitForAttach` method. +2. The in-tree volume plugin’s `WaitForAttach` method watches the `Attached` field of the `VolumeAttachment` object in the kubernetes API to become `true`, it then returns without error. +3. Kubelet then calls the in-tree CSI volume plugin’s `MountDevice` method which is a no-op and returns immediately. +4. Finally kubelet calls the in-tree CSI volume plugin’s mount (setup) method, which causes the in-tree volume plugin to issue a `NodePublishVolume` call via the registered unix domain socket to the local CSI driver. +5. Upon successful completion of the `NodePublishVolume` call the specified path is mounted into the pod container. + +#### Unmounting Volumes +1. The volume manager component of kubelet, notices a mounted CSI volume, referenced by a pod that has been deleted or terminated, so it calls the in-tree CSI volume plugin’s `UnmountDevice` method which is a no-op and returns immediately. +2. Next kubelet calls the in-tree CSI volume plugin’s unmount (teardown) method, which causes the in-tree volume plugin to issue a `NodeUnpublishVolume` call via the registered unix domain socket to the local CSI driver. If this call fails from any reason, kubelet re-tries the call periodically. +3. Upon successful completion of the `NodeUnpublishVolume` call the specified path is unmounted from the pod container. + + +### CSI Credentials + +This part of proposal is not going to be implemented in alpha release. + +#### End user credentials +CSI allows specifying *end user credentials* in all operations. Kubernetes does not have facility to configure a Secret per *user*, we usually track objects per *namespace*. Therefore we decided to postpone implementation of these credentials and wait until CSI is clarified. + +#### Volume specific credentials +Some storage technologies (e.g. iSCSI with CHAP) require credentials tied to the volume (iSCSI LUN) that must be used during `NodePublish` request. It is expected that these credentials will be provided during dynamic provisioning of the volume, however CSI `CreateVolume` response does not provide any. In case it gets fixed soon external provisioner can save the secrets in a dedicated namespace and make them available to external attacher and internal CSI volume plugin using these `CSIPersistentVolumeSource` fields: + +// ... +```go +type CSIPersistentVolumeSource struct { + + // Optional: MountSecretRef is a reference to the secret object containing + // sensitive information to pass to the CSI driver during NodePublish. + // This may be empty if no secret is required. If the secret object contains + // more than one secret, all secrets are passed. + // +optional + MountSecretRef *SecretReference `json:"mountSecretRef,omitempty" protobuf:"bytes,3,opt,name=mountSecretRef"` + + // Optional: AttachSecretRef is a reference to the secret object containing + // sensitive information to pass to the CSI driver during ControllerPublish. + // This may be empty if no secret is required. If the secret object contains + // more than one secret, all secrets are passed. + // +optional + AttachSecretRef *SecretReference `json:"attachSecretRef,omitempty" protobuf:"bytes,4,opt,name=attachSecretRef"` +} +``` + +Note that a malicious provisioner could obtain an arbitrary secret by setting the mount secret in PV object to whatever secret it wants. It is assumed that cluster admins will only run trusted provisioners. + +Because the kubelet would be responsible for fetching and passing the mount secret to the CSI driver,the Kubernetes NodeAuthorizer must be updated to allow kubelet read access to mount secrets. + +## Alternatives Considered + +### Extending PersistentVolume Object + +Instead of creating a new `VolumeAttachment` object, another option we considered was extending the exiting `PersistentVolume` object. + +`PersistentVolumeSpec` would be extended to include: +* List of nodes to attach the volume to (initially empty). + +`PersistentVolumeStatus` would be extended to include: +* List of nodes the volume was successfully attached to. + +We dismissed this approach because having attach/detach triggered by the creation/deletion of an object is much easier to manage (for both external-attacher and Kubernetes) and more robust (fewer corner cases to worry about). \ No newline at end of file diff --git a/contributors/design-proposals/storage/container-storage-interface_diagram1.png b/contributors/design-proposals/storage/container-storage-interface_diagram1.png new file mode 100644 index 0000000000000000000000000000000000000000..eb42add78a849a78a4e008a64b1d71c13b280a03 GIT binary patch literal 69333 zcmbTeWmH_v7B<+pySoJq65OG25-fP|1ef4WkOl$-cL?4<@Bj%O++7-X4;I{=%;CQ8 zz2D4QGk@k+uhZvLpQ>G3pZ!#azg1PhLMKNDfk0TV6=gL*AcS@h2%ZuZ9{8qC@+~_E z1OdI4mD2KBIB3C9Ht)+iUL2?+FgHVSJQ1s)Y5l0rT>o3|GS)VgK-ig&*>Ru zuS4u7F|W`xIz+3Jua|55qjBs%(;7C14t@|DGf2v(smxhr_pH#VS;vQ1nB$SjS$}2( zKJ=oH^%Uh9zI}MHay?b4roN*lxU3?`ck);=CE}-=CE{MHs_i#={P0IN&>cNQI`=IL zA$mx{55#wfz~?`gaOwYkElmg3e7^mBiD>=b+aVy8e@02?;zC*fI|`mJ67v6R*nj6B z4Y9=g&t#r|We;&zvq+Wd+rM8Ne1>$RTF&c`WFYXFo{IW{@3@O=Mg z>X5>J1_5(Nh5c{xDQN#^RS>5CEejR)f7S(;?k@HJJ{bLfV?iT4|3@bO&%vO>mt|#T z=WkL{Q;ovR|4vLy=Ay5(!CY0 z!n)SW&G|UO|GQum2sJ4w>YRp#hAFkJz5R4pX=&+1a!XoT+S8LiyjuhaD_oZTzjIIe z2(s?)>5FjZAm1r^b$qW>$+drGL% zn>QyE=pp8R3zSk%1euwOpwMQB&}#=N@^S&9R*`&W@nr5)6&z~*xC6uwRCk6O6D8?kuWZle=4Gf*Gcb6P(T1( zkc5aR4J6LT_YF@K!%P3%!Pq!^-`c=nu~8wUw00R-XHQSh_ES|A57sAI5xAqXGncF} zKP=dLlM+x8`HEOGDEb<69s#~rbt?0LgM%aa#!F!wFOD2tYqt1BP%2UG&clOmIIWOF zY0JMBfC}sC>Z+n6w^-jE9aSZO>gwoxj)ij+LTtc) zwfp$^=vPyYc3$o7vWzBZy12R;B)^xL%3=cB{pcNktO%6<>EY(qFYpHtEZDq+j<8IJ zlp(!4ejtONpMMUSU|$V1=g2fMJG-OdqCk&V87=mY4Gc=4?B3pbOL4X1*I6+C7(v|K z+OqgT{7N@p*VD6JV%c2SnFTX*|L_n=+%Cn{Mky>b)O-xsM)TOOF<`_belW&MpDfyA z1&I95hzV*g&SJD`Jkv z0xr1nhq|UF1DoO++1n9|PC6b@QH({qpS*>085TLRSbTDaTE0BiOI<>Wch#m52zgN zoy646_V(a69w~MbaBzl7;uf$k1kj?wLPO+{s*A8X8xOb|o7{DLb>V%~rWVc#OxS*C z_8hzB<5Qp~t=|z~eD8#3XJ$4kzb=0zw{B)m3#UzQM!@ni_auY;Ym4UOP$>odfbV!S zh`R#=ugk9yOT)Xc2%sS|y}iBq1_mmE6AQn>FrXHtdGB`a^2p&tn82F_-I+gFEh4fs zypxlY7c#;HBKMAtjO*>8fl~`mJ%b5F`UOk=^bVZ zkU(qOs?yWR!{5VSY;5F_!qPF^z8;aqrAIb>E~@R-A4ZWC5fPbrq*P)+vhPrW#Gscd z=%hRA(Txoc_xm>oe7#qYmnWy7P`CGDlrHd5;W}{%mMO+*Cfbuj8Ig6$t*fiEWt?*= zPnG#cOR5~<^p%-tgWjc2DwDL|lwD?jfh{bsy+=mw%C4y3lqIF2N=5~|(&6D@ZEfur zO%oFw!jvshS@6Wj$cRh7JNi59d*>-xS=_AOR&5CX4K$2Opmgc~MT;6dDB6Ex4Iw<= z|H6ed5NfKk{|x~^H2SX}ehw)A8w}R;paJKIxc{NuT9ZmbP>PcNAOpm(q?!w1#9eW0 z*mw05(vZ$j<>#jYK5C!Q^WEqBK!ARJ9B|zK zZ&%4M{{|_GmaWF0Z^8E&UlGqgxAVggh8aOLj8ynLX z_Jp`6?TN#IFnKW0hgQ&c6!R>;BGT&O;^N%g4$-`+sj0QMFYxCt@MUCVz6c8or|JKy zsjXeV=-!Nti8)$pcqzD#pQP>Sd0jzmR#;f*L;^em$N1~lFF;NRt{NxeJUsYqDMlK4 zdh^rMwaG4B`H`}7zkX1ta9BDzIyyT$w-bvcTK9V;j0geFJlqOLoH<=%LxqVFd#IqS zv=o2O^0e$aDmHd=9S1o$LE6~Z*vxEmW5ZPAMo2(_SQ5J;C@JxcfOCmf!U8xhXn1%S z+Tf&M=|@CJ_(Hpf@JbjEj+<7qpWxjfV2cL|u_^tG$jHdJ^9RWZ_+--fv6=eJ85Q`6 z8FJL6m>r)=v?@_4W0eX?>L!p9-aO^Ya-_S8Qx-&{U9LGm_FQg?5iS-QC{{ zPGcyJ1)JPPrfUD7^?5dOn`$67eSruhH?UFJqhRq$e8~63Z_78AGybMYimDM85`yHd z=YpjjuZUQSoM5?`hYRSv0lc-!Som&sJq=V7x$pwM#!j~5)#TC=JEVbvMrDl$c{44I z>^Lh_I=8#8Qw44zWYf;h4luR3)x||6Na05-8D!Pi#|cF z(#n6ek4UOGBqU@`u}*D_1ssWr(Kt-{tVBaXfD`PzwDB@3`5qb;wpIL##xweptnWvt zVtf!at2#+)l2`3Ai-)YdZAEOq2tQ%Ep@WCV41W~h_;0ZtZ*OlazBvUe!cCVuDzF!+ za}`s4yh%5|fv-uzxtg7xw%5PE({HHZ*>F4Tb1fhv#42rVHO@BB zEPrW4MlD^#)Iu{>nz^{J@TbZqJ2O+(yhf$kOqQ}+*7pVD2m!~!H2B+A`to;VYm+jZ z7YP{|2FAumivwTnb=ZsIQ5|0CWDr#WD;Ge4N5$`GfqJKxysm#GB4WGJaDn;q%{M!j zmVyirN8MTlCasiXRRYhOPvGz}yJTtJeWe--(gkvIa$k3GDk>@#LAG4Lt2`&6R0`Jz zJ%qU5j>5lLDKLjfC>oyzchEMzs8+xTk%p52DK`#z!11lUZauK;lCXzb7RDXu_Sl20 z$r30iC@vL0rt3zmhrO;47Z+dHes|~Tr&R&(fZXJdqok;+lk1oX3q!tsCbpC-Bo8mtws~M@P!OmC%70>(dN2gFupJ0KOGuJbn%B-E$ znta#Ns1)&hGaCast_%|~6#J9>E-T7S=X8<1ekKp>sQ@kN53T)S?8a8O=FoUsXi2pcwSt4{fNfBytfpqxHpLL~ z?Aw@8VCmUSjg8ID_;A)8Z!V&M1bWSET{4{gA}XJ>3>WT^P(*V?*|IHsl*;f+rlLuB z8;_E_C5z=RWb%3@nW~S$en{MMmyz+x$T+-Igh3bgUiR&A5QD_~gnUv*Ct`Y9yl*K* zvKQL4HiVHn{NWKu2Qi&}LV*bi+#7#*-u}|)vJTYfp?-G!1NttRt}NObb$m3CLa%#ya308O zeqp^+Oyi0a*zgl-A-8_$VOUsQjSZv3c|ndu&ZM8hqGv>IjY_ThEp{fNUop3&1Pu>{ z>BkRy4aavzD;pz#A(EM%epaVbH+)DZh@nn=)8RXfT2bR~p>o5S}94N1>At1a`apeMH(BiQwo5=Y@l=2JgI zG>K8-?d56#F;dhYHDya(rq6$>0()hSw2$(r)*~iPjKoq2!IdxDDDy61Id-ssbP=09 z^Wj`A<6w7&2uFm&+Jgkj^yQ$2Bkn$To8+@VCG_rO)GsteiixpEuw7q6BRB`j`e0qc zB;-Mu1#1}n@>KL|Ux<9gTgXR~q%0(BlSy{5E7JIJTV-akQ#{5kVH?EVZ!eYk$cib{ zQG8k!7~x?R)G9Tiq!B)!K7~ANV~xurRrnLIGtz7-!_BSl%^QIZ$%{_kfWFS;hd_&N z!Y6~qr73v(wLu*f@Pg49?!R(3n$J&UsT>L|RnJocM?^j7af(@|vYw>b225)R9&5^M zFYGjeK!^BZ?xc{*S9|=cgjqRaiqdQqjx&JgMYP7YGze#%siC!j6ZOuYJU($|!V4lC z-wPKH<^m7pi;9ce3y`TxE6J?TgCl9nb`{4hdt#)0T*`l)9Gcfi&`W@un3xr@)n&J- zALKIJ-7(sIY?3u-IW2xfq4F4a!&_?w*1tT7@D0bGtm1&LG4xAqRL?v303r4XZD4wX z2dzeestew|{N+pR={^|_sKk=Rdc9TU;z8!Yj1Aj` z9}b+kOdFWp3-gbAfi$}lpR`P_feJJ3h|Fs)f{XNn)2B~LN%?b&oY#JZWDRF(65sok z7$UHW*zJMA7jB7PlsNv8yoeyq({ff__xh!{aVE6^pbA#!@}_WZzI}6viHTmq<6O6S znMxR7=B?Z8P6_5oP!_v50d&@LCVKhc;5#(iMj;**+$1LXMY{rdSMdeU5#C<8AyDM` zFR4}0Kzlac9?*lwcoK3cft*8K2+|V~fldH*-dtHEtWF^WEi@5BsI@i_F8cdX^KR?Z zel8Nz(B?IqS-uMxQ|XA#x>lb`IbA_{t>Hu#2-koHqa4=wGQY4uKD13_gnKimsv{J&p&wNfPg8g&R?xYRKr%Oh5y5uFinJn3zbwr1|M{ zAOzyrw*LuQuuHV0M~Vr`K4l87K)Vk5-h1qe3QJl>h5g+1c5|Du7z)&ZSX!uhcgni3JfvvT zD6UsuF57L)D*=u?tUVTrn5C9-UCQz;bC&}zP7XLwK_eq0fmmTA>a3nN@FLB*TriM_ z`Pn_t6)M-CTy{iNs4YgNwItRM+Fx)5F%?pzVn7QLr)t=OUgjw!<&O5anqryC6K9B+ zK&}M5383TAip-ln4058FbyS? zd}7q4DXTmI&ZY`EInD?DsFaN=uSwl}P_|Ol%3OENMe!ghp9pD? z=uKBR8!Y8BmNQg(C}Ld2q(>P)BbhRg_{?)9vG zslslr$HF7u1aW2)tj)MZ_VbK-!;xo|e$`!1UgXCk3+7C(K8Ttg*u|dl?2Rlzbat;> zi8t_Co{H^1iV<}d2$dm5{Q(A|GpJDu zZIOhL0;InyJcDl*4&qaty`i(T2_jxdOLjnllJE`4u1KQ6!r^P=&D9^#OWxzy!c(Ow zdwX0S?AEGt7b{{S03{G3Bcl&b(~V(btiu;tE^(hfBH5AQjyo~`*d4n~EBW1}>%W>Hi7KWYul1@BOP zL;WbnD#gp0T5CdxgB?=~ zGo|P8Ao68|%hm0%o-k!Zs0tXLg85eC#h^-Ry{Wf}%F=K;=&%@bHAY6+jGqubsAm)I zuC}#RqPcbru#TQ%CR)svqA7y4UNzJG+BIxd|gsg{yhfT8M+6o@=cc9our>W)QI za0%L7FC$YWq~sFwN!G^N=u<#In_Iby@DfAli_Djg+LV&875G{A-!5Ycxd(tZr4XgI zyzRB~cT=H+8o5q%n_{)3{irGi)qF{B_grHFyKYhZ175t=hs=Vflhi!PLafTCW@aq^ zGJhPDfZOftlzv2KTQwdgqQFPAPF>LtfFlltW))lDS`|;xkWEO!FtT><#F|Id)S+`y0sm@fh%PS~Y@YJBe zXf0bTgNBh)yvc!X1xi|pOh7(bTAYVpQQlycK^7AvQ z9t{o+S!ioH|1g8+!^e|6axs;W3C<1|5*B7X3T0zs!gpmg+)cqT4Fi_S3sX+ZH<X7^RHUSeoB0!SbEKHamsP$^NKgQHW@2VmCrsru z8myD68!z73*(qp^Q~T&B!%GJyfR-~K2jfUIc%5#P?U+1DF9HR zT7qg#4bCvcg4|rXt&7v*-GWj84V$eB-4ATpbLpi}DO^g0w zXBzUbreM=;;oX?zxBaBEq22fIo)0z9Ln=XQ^NfOt1k9(j;FD0=eSx-P}AH%qu%y z+q|KwO2chzZ5!xI88Ysf?)LV|1Ms^FWYh!F>b%*zHI&-b*A;NRu)2KSA>J{)=HI)8 z*cI@&+eYoZ*}u*Zw(5I6a?ovEGPBti(>!B*-N6;9^H;bb$62`JM1Ab2!bfvDoejle5Kqg5!VtpEaux62MMlrh&%b4v0#NQ8iOW5pC08X@nF;@0fjT`s9q3v3PTRzdkE_23aaFlb z?CFuitZ^Pqepn;%2G?X~QyY@hhq}cr{QmtdCOn?vhk>qcn875?3`0C>sOyUu8AWp= zJr%F~w0!orptp=6w4ib&dbVdG-I*1wN$eS!}-P#=ky&n z{p9~BY>>WS8uD`4 zOV~8Xwj=>GX(r$C%uxJ%sJQJoDq+polpOvD=c%ezzmcgm@G&)Rl6y&^O! zka)8Ntq@4aNb6rsn0axsu*9vCF{r$L{o2NcRUS2JgOu%aZU@#Egw{O({~8B+lHwJ+ z&dU#x(E!H$4KuXeD>mL(wXZ$)k@OzP?+3vmX427oPptx5)r&FypuCX-%h?jU@Jv^R0O91 z@eK~@mrqi+Ysf~RXtqRs`Ly?vb?O-KcVB{CofQ-b@J`;o=H6gm!tlZ)da;EN(;Z1h zpI`HnfTV|E2T3A{0v&yiA*{if6~#~MFTWkZREVbR02?@1h=tP}4etks9{&*BeajZe zR9@H&rz%XDzHGaIU))SG+q}EOE_g{5KqL?ivGLyeuoygk>+#X5K|^`kXm#Rrz*RxM zmDT9aUP|Q?QJ>%7!dD2E_J6w#Ae&61a--Fh(5-Un`nCItFBFx<#jxY62ImX?V!tFJ zho$BwpjS2puhC`qRTjLyOY-UBeK8WW^#egj5mw*YD?8bN1e@RS0$ofuf_< zu_#~Xs%Ok5BRX@KW9mvFo)=^RE@34uL(sAHX?tH%;&Kx~7aKRE9{;Gt=U7cNpmbVV z^kwmk;NQz=P3G)|voZwP_43bUJAdm(CskOr>>9~=8Xd`Q3i|q>7BO(7?_u{Cwrg?n zGEv<;HD<#z@}Gh3wIY`D213oYWEA~P8On>OFSO-=L5EjXhDeQzCZp^2;g(@wA+pQ& z&Y9@w6!OoL)`P5!mB-sTHo13Yfn1NWa|;N-KLdvqDL?pVC9b7DVRL%V+<7@S>`&`7 zDhq)^(lO%ETk}JJ00c z)(TFPN1@mG?f#Bw`4j3=cZSU_Yp=fm2r7@%_})OI>D%?JBO3`eCLov3E`aoDFTM`G zaYjXor0C19_=%4bHQ(SCWZ5;W4i);-wf6Hq?&`V5zGc9*Z70TLrlsCHRiSye5U1-_AcP2k1$zSZQ&-0B zG%{ufX>gg@K?j&Ie_?L!Yb7zdu3)+FrOEh2+GZJ(FiDyXr86TV1AVXJ?-8+=gy;hq zp|6YA1iJfL_60z_+GoVggyjD2bf>m)W> z(oerJ8Y=X7V;*`A-*@ewNw-SxN)v$HE7Vdwb!K|hE|Ms$>G{1Q*4C=hN zPyX81?PJqX9l@t==q2FR()}}#*q()&BDb*{j$CWUpy$p%@QFpcntz?sFvr9L1DxMp zpl6@XcS2Sf1Kl4?-&{JJI)oh`7uiC;gx(wb&3o!tKDCUtx?dtKq z475 zQ2T;j@($nUYZBgqJH`s*>V`7?R6yW25G|pZo*vm1sGAoZ_S2T2KV<)neb5U-0Qx2h z$=n?SEdessp0ZSRs;+Q3N3!PPE+T>Y4RyG4d3E}!2z^!vlwx6FO}PO@D=6~CLtc4X zDN;g5FoDJpso}4Psbnnk>4&<+S`bG_^`5MRyQOQKrdz=$xCK6E zDOcPfvhzjMm^^nysvdajwJP1psB5@#iMaj3ZQ&$P%Qf8H_DIH9mS4q#=hp9K<n3$P3Ku@Lv!A;ym;p6R7g?f2U*jbke?C+e z#c=~8R7O*Y4QZp6TLlps(seFzh}N*+R+19g@ka*7GjS?~cy5)(PPjZ_z_)tm)uer%y6Nx# zGJG|u9i@P}wQZon2_o8#W9D@Qakz2L%Vft3a)CEnRMn`#{vd58@TbEy3(i7+apKGg z`K#^xyhSq&5JzRn!eJC)s<5aEX3fQ-ivU7R+)taxEe$axgw(pVt&eGLWeg1~8bIvP z8`Y>=nR#JCy#cDxs;KNQP+4RKs-p$EzqdyLGdUGS%dYZW9DKfByWzHIeuH_Et|1&9)=llro_K4aEVmXwA?Z6cvJ18CfF>(#Mr`kUC?U z9BTd?(HzJHC*F|v?wglnJO(cGJskJXH~2PrEZrz+q>5j7K8nKW+iD(obeDggVk$*o zgfs^-ZCT>c^t>$0JZtEM-z_O&eG$^HA)yh~nBJWq9{ zr(w|j!peJfaUV;(RD0uyr%P?xNf#|gt)FTW=yeDd`4VeD9EnkRrA7F+L8_+v8%WBXhu%k*hp~rE6$QcaXSw3yhXzcN zMktxlfwUTuN^l38o-)FDX;L*cx_meeBsgll`^i{+gf8 zVwEig-|131A?9nkqHV>(RKQlrBo5@(bJ8Vl>PNJu`A?D6ONBTrZ&`P=FWfk)QW7l- z7Oe6{*j|5z%QCPOsEMfH_A=zGbbelcAP$Ce9Q4A7*dpaz1nIA|tL(7p|7M8wTEnyC zFAA(!w3G|#H$b$$kZ! zX&THPXyCc7lz-oB83AE6AhMtYcL3GY<7*U5wsYFrkSO2fiA=0UA_MaEDMUE^wzgj& zAESBpw5`xtoL_m?lp9{_EL>a)+m{slE8jsIa|{BCK>l&jSUF1TCgyfOy%=7%NYGmK zkX#famTbewHzE1tc4Pb7Bk!=T{HM$B5~l}S6*C!Q0|OaP8k5S`xd${-2K^%=$+sXR zB&0c~U-+x;8)uu@k06c+59a~QBSHi6c@OVtT+gB6{L)gk4-WQIKUu+%ZDK8*zeu1x zGm1KYq$rc<>Mq3sfksK4(;UN*TX$g1C@D}49WwmAyJ}ncyZ!ik!CqUs&G{kAb7f$c z_x!5u@6*Ut8{Mpfl~?}x_|0_sN@!F?CO{ar<{oh|Jd*Or8Xg%*8+tq-2EeJ74nBT< zpez}nPcFZG8#{eOhhyGf-S)Pk_ zsD3Q9Kl`bLW+%?a&sCq;^~-N(db5ud1WZzo4mN zSGF`kH}ui>?g?mr6R?+g8JSga!JNI^?}Wa7rext<>fYDX3T!@(#Le19Pvp*6j^wAS zk9PZNv10BwYZAmu{zGc%W0}I|cl(tlt-iN^rprX<##WoXT`eswt*v)ELonKIdbpk$ z?Kl0c6vf2$4 z{#3X%Sc(0O3W{-zIkj5bEXUm6sM>$H1B_Fnyx&BU$RhREK z`9IzPL~nqS7GKo4{MX6+cQQ?@=TYFxoud}=UypaUT!%Z}ISr3?ZNCmTO-Q1y#cq6d zIuaGS4vW+t*Kq>oB6gOi8psg;UW^y1d1U)Oc*g3s89dJN2Ke|Nv0ihZ?MkWgzWGdqauIdI6X=+`2yY#@0K~6F zc{2)3EJIES+>x<`koGlA3QcOpF34p9yb|y7wb%P?Ii)6cbIHF-Fa6K2zqb{({@O&D zq1LR<{&;gSEvou>;dSNaC+M)$;Cp*^T9{w?2yp3q1{;{Rwt1yYT3@;}9__|6uRaAl zQ5B@_wNmXq9PC-ewmCh7r3QHISQ!r5wuLoGH12oIQj2+Ayf3O4Bm3jse_6dYCpJE1s}wpy7RE`jTe4H$cF0eG2fj^j)5P#{v=R1y zq14!Vy&BMVStKcZ{g9Z`e3$xS^LI*0)Y6mwq6~8^)ze8A4)2s=rBM@cxNNqA-(8@j zMEg@*2WGuV%VX0{+x_l<0-%in4FBv6It&G;s(zs))>Dnznt2-sOu40gVioup zN`F(pxSj!s+wF{^bQ}|5Pc9pwEvGGA6n%0UzsHAPHD!5!FN!3o#Qkfo4)y^vF!hL&}*9AP`Z^P0^I9##8ym?qTUrOso zl$qdR{rLDc-)jh`p;o_L_xo$B|5Hll_-q%o`RzFpT*Ht4u<_annMhQ~dAOKVt6vca zxNcgd5_bPRs%CRE9Cy-baO`^?pBUSGz9+gD5~d7tdqrAva2JL2APX=rf8zq41`rM{ zm>CWhuTU<|FcLEviSrQ++QZ(RJod2k8$_O4F)Y0U`2O4)c8!K$kl*?CNOcz1!%+`P zc(V=8aqESyfz|Hm>1kIH&JO#|k83kUwukAa0Bz5zqX56Vwkk@f+{hBp6cL$PUCjX~ z896y>0DJ5|i+>HOQ6^*myAT@qxqB5IEGWJ!Z~U{bzsa2d;_#{er|Zq<+DX39l@`$B zUE4*A?;nNF%fsAmL*czi_QFpOJCb3sq30FbKljZPqjPD5ZxyTRC>JqdK$E7bYQnBZ zU0YjQS6BC&?6IMdQH$H2hMnEZ(az(OlM{eAPpNNcNJ&cCeheHH`SeMYUX~s&)tx`) z>hcmeps>yo=LgUx-PK>rEiFZ%HViiEQ!Q&n=hFdPb^!qadTjb#C7ICB(71)AB}#0% zE#Sn$bF6!g-DD8?-A{&TeN;bgYM&&AoZyEWi6GftGjCo<&bs6We&t`Sg6TEO4s}a$ zfe}_aPF?m&cJf7MIp2l9(@&&1aDeznlIza4ev1=; zA3x~?w*dswj`u&n;rv4dQ1F-(B^6ZHOD!3WuEqe=p~gzp8bwv)i1WK9RKb zsm6YYTz_^)Q~PQbykHE@3>`|aZ9C^33jtKBW=$7Tb=1-QAkz=@cdX!&7^QV}Q!gKX zl&jp3zKZ_Fr)Gxm>Fn%mxSu>Vp2*^9djKE=&1f_5uDN5uZZHrP5Y6B353xP7 z<1z2yq1PW+S{7a6QY)rB5TRlIf15Ch{-Tt*P;~CJm`FTbB+>*tIB(RtUjCV8j*;lF zKq8yiNZnjd30r+SIsA@f{juS@(1{=+I@(uT$PsXUWxMgkl7307Ovln#xKw1U}Bg>6b%$0Cy%q?PJmSCiQcU0EVn+ zN?}&rpfF~lfCqgDF0qEQP6c-aafVakjo=i;ga64?*<0K>D~cGw4Gg0z-Wjx z4zwM6hGh(*zMf#EWn@f(IKD4UPV&B21lp(I1nbYFeq{Iy2XrGG1u8{d zzvZgW&lY?IYiqe(`rCoNT<27Mj8V?qsas+A`kTkI9ZNbtpmBcfj5C&rS;<`igypP{ zQcPqQ0qEY(pjU9@vIf9;oVua7goFg3N7oJKEF|jGa*TuQHV*5xWWuV{H-UKpPy98MOz>FKu65?sW2(7Lz zF6ij!xF0Mn^eXnz2d+exL?N^YE)wUp!@+m213#T+b$0=|AHAr7 z;a9&z{>2=0X6aWdPFcGnCnAFqc#W}=r+#ox`u{P7-`vi-K79Rq3SsgX6RB;Q8B$%{*M<2Y~vFR zwC|~Hh{RtfO<%_>*U1-xJhhSZEy@_k=SlV|uH=pKyVXDU;cVz~yMpX(HgX&vHfjEn zws}+-w~&jFnVR&)T{+DvcxDOt(c8i4e-}DCKL_|>{Qb7CveMGHvu4n^Bbh}5w*knk z8dN(eqNt`8JNN#}m}MFd(2l-b;FLJ#0|UoU?~09vR}lqgzYDWgKN9%D})d?Wk2-bA(nt0Dl*r^^RLCk19aiF!H-*i5J< zqz7t$QZanENC*w=+4x3=8Z!x;HU$4M{mKnc5#j;*d$*YWgLu;e7zYb0oMP_{VS4ZtqjySE+yorzkF|9 zu0VVzT9~h7nV6Vi?NVg4(JbB=oIC+>Jd;R zZ!?8uvV(_glU&rrT)gY`2e7HCD_*`l1IKY=!M;E~zQ=KaUq}(#)Ya)j)Y#dPPc5D* z+gUqRo$n=IPc#YGni|vJoE=T8w!$_P22TO{z(T{-=Cm$-1#-Jmbakzcg!B}5{l5P$ zEd+ldfoz>?_4#Kv{(u1FXgTe{oB~|$FDX)hsf+-HyMxFf#?}Z1Z|QQp!~1dcX(?jn z6yar%Qknu}r7qN$#qFdwqz%~cO{4)|XX%i<2{X8wk|iR)YP4?XiVB>*qAq+f6%G-E zlxM-Trvsq+ifp6c{#Gaox5DSSHB_ds7R#JD@iyIbd+|=Ut{|fKlakW;=}oO`&DO5{ ztOLUzZgcvFt-b*7?O`(b8eMZNr|2OdK?5Kc;3$cKiDn#-(5Suy+xcWG3dMg!*j0tE zk?YDkaZR(wl-PpObTB+Lx=p;drcISd1+~~?dB5Bi0a$+<#yMYuri>v1Bu15*t$Hd( z#|ubGXjC-N7W}?2WNKa~5B~}T=&9i7i_QX9VyD^Fo%eStvk|LHczx^4fLu4jsEbgn zLotz>GiqyUaG@slBX~j!MXh?WX?&d`;!|^782DXgT`$?Ck9L`1q^|fSHU2;|3U$zuMKVKSsBY zio=&Mfdz|KeaSG1ZqjRvO0Ra-i6&a}wx{yIw1lWh^QEQ!?u4SEnQY%Jt%4Xw5h)H4 zM}V^u2RBA+N^tI;39tQPUtY2PVylI`@%HybsF}+USfX)N&0RVAS;&KuPVH7q>PIq4 z3qDqZR5Z+*E}6rLv^HTje_cPszQI71e*hAH1srfS8m!`?1tdQ4-6v8;-QH~w`wSI^ z*<{Uh*NU{e9O8ty>xT@J9t$M(7z+ovRcN4X9-GoaeOu+}-1%`?bQBa0+Lr%VXTZTA zYv@FDd0zy+d)2p(VmkdYEL>e=C1gXTuKw#$l7DzLZE#o?N$>mivAnv7Xp~iUw3bzm zN7B?vo<7V&5F8m|O;3#mnq)*8Pv!z?fCyKS_)%f^#L!c6OAae1PGN!=AV_E;UtVLq zo*Xu(2XW-+m9~B0u4&k&1@rzJTQ9EQ-O_Rc$}g%vC?Z1dqw~*^L$5x?&`+^h8~=n8 zS>x-136T1XG3w13+h3C{ifEM>yt}LpK3i8R+ z6nY~(YTlv3WQBk=_#h}p+7lgAY0Mythf)Gs@qM(O4ObKSVC4r386+lg?FR~!*-T-E z2QN5M6CSGkonLb!r}gFyblX4&eK{5v>PY~u7dOu>8XBuVDITI- ziL!ABmi=je7fZlJ_Jv`U1^u`tsl)46gvAFg)~}p@d{<}Og1}aB7j6oC6jd>?j&~|J z`iUlZ!^wn0NAsokJKvFa^OiATA9nU8IR0D4WW(?Nuu=mYv@)d4~)XQV{g(-I_q8T21#LF#3(fcIphoa{58vucg-j8qJwRg zdw)#}Kvi_$V|vI+7#z4w?s{wy5w@#VsKs2}Y@uPO?i2W0(ouThPuG5(waC?U>U6Gi zte;#Es0BKD$&^hC9xKk$l+dWiEkZbxEyLOOpmLNy$QrKILu-P*OT!Qjv#)r-xY-OnaF6(OCWBS*Cd4lO? zlIo6mvh7X?8|KCmAymQMQSoj@+QUC0>QS3Jli`vy=gFMhCuj0~dQ~q;=7fuBD&j;IUiRG*Ri>kMdi|YHLhG%F=0qF)o zx;qC^LAp^=y1S$Y5u`zot^t(p?(Q5wIt7KHyX(Dtf6w!N-uJ`*%)RHHv(MgZt-W@p z`gHSliifF3zZsHS=|n<3MT=OjXs3&eQB{F=cZ;R~e9A+%-6T@dlK;<3Uzv=0OE>;~H-N4#9$;jBQ3QdF{HPZGuI7ra9PYboJ@gwS()v zmBhSSK{ctuhc)jVs8OzX7CcmpNs8Lh5J{G)%jVnNTLtcf_wOGR%pa8HYqhf;gy=>^ zbIP6Cz`0{GM zJx6Nh;F{q=F#&w5OSp4Jw`F%C;JzU(fHqnreB!x4&HH6XCvWDgpq&woK0<0n!N#Y@ z16jZk| zYWWuZc2v<^o>-M(E3qKJs`W35V2?`52>f-;WOHtSm_LMz5(UAI;}@gHhkJ|&A9cGx zItyRcOC`qG?~Al_O?9u=u>ZsRC;9ZOcs+*RimjrXIzSdVbH%PJnMv}O=pd)%mtXH3 zDQRE~MO*1EJCUOkFWa8U24$acyNZ2k(Qy;;GAKt|b6&H`DQ%CZ~) zoj&PIGaN#?sA*gm7+mJAR)h*9FNlh%ebwEajAgQAeGp z%b(Uw`$MQJ7KbI)UNX8cR;2WE=2=L_Smuo8xSsj0yBX=OwvQQP$KxWCk9F(c&VkKz zM%f`MlsJJ;xZ#F^SSBbEOxZR}6;t?&ZQ6q%pQ#Jcvr)%lQh&&dn-|d;~q$AQ)omsj$?kOfFLBFvBk~QH?YB};_v=%HHu;tvzpK+ zKODa7f^lI!924#-(gEbx?QFk1Wl7T5St{--8?-s?8l*Pq0Uk_~2|rw~i72M+Iu2** z+5=_3+hHDrkPq_f&G`N-qqfht#|*q6Ht(=>u>iD*MJ(5)kkOr>y@HgBSo+6M%on&S z>lgBZyt|Tlt;nN=7(s9)>UxE#5I>Rs|0A_R1(Suhh;6mLUy$4OS$0wlS$6wTQ0qX( z8HcoM_o&&Bz6i68G*9zbzQBm?Xj0ZgUvv~>J;3J zo2TE4Gq)9DV&yA@YBdp^#71SU}-YI1fjm~3;)|C1*(Nu$boheSk7075YONGxmLF8OvFWBmUg`gofOOC>epb9swJ zXN@`kt&^KdKOW_9wL-&LO;=+%A&jpvb||#9r?6qxu9|3a{jOnjBc*I0Z-wXWiZsI* ztf~rQu5C^fhsZIlpQhla)OJl3cln&@$YZf)5``*0Q)GINTA2_lcY=WG4pCZ&)`hmc zW@%OJ=K8-}!`=~{tufXFC-{ZaLf+W{W8W>5-Sbzqj;Zj!0{*k5g|=S<$zK|+{wleR zYm58bldOKatT&HGmM>uO*E-wf52r1lJrujDt zQXU$|d9l*yC5mj^Z?l4e*h4`8w~Wn+0Zl&_BuvNRow%GxzatbQdn)n=4bkp>&wma4AychCU?I}|=4gjAWZ}j7- zs}sDS0wPCg-b?i9H-`dJqi)&G%!vxQx~OdmWFW*_fqyLuql`vjV0iJ)VGi#AwI=x) zPrFZw&aru8iPjcl-~JnKasOLS4hUDfO{Lnr#KFD77Q1fIb)xCkoU0GVTdqlSD$WCjm5A03J6r*jokJEvr@BuH^cQx7be;hn@RZ2B76) zx5f2y7T634=`pgE^Ui!(3)R1Q$r#obWN8QYwbd_=@A?0n#V?o#OmfbP#bd~HIiC*8clp>Upge9^$2FJO(g+^Fj6M^j2%MM92P!ZtvPnp6$A7&Pkk~I|5 zO>e>HNHxi@k_CVDprJnn9&W5FS4sO`v5Y(Kh;g7}YD3%jKDA#Y!0<0EoMo(!slOb4 zzgWDJsI8j~N@U{~L6tpqh_XqI2f~g$mz&;pgzgK~=$@o8`>U74P??(s%reG`=-g1W zZJ%^dhMPh8#XBqw)`@?AaBtPH3XnkjKW``=GDQ_VC!W3mGT7VlpVY&KRO}<*vGKn* z&?PQURboGBL7JlM#*$6xCl8f$nSDwbXOPd#c=Jn`quiS->$GL!KoSQe zXJNx9t*eA|MuAmakb19~RZM2Bv&e;l(`M}`F#O(!5EdxEdB%I}$&@&BGu1BQqZldb z(oXqn2e^0M8dOEsJg||gf)U|9xh!eY+??O%qfo5MZM#Blb0b{7(NthIp5LksTWH4C z*=C7REQh7WSqZaA&4TBF*n)(BN7LKg{c5QfK@bgWpt~wLBAu1hu72Jr%#VEpI$aEG zdZnQ&G$4-UQB^zbmEUDDEwV8`$I-m~`G{&sV7GTmZf*+{ZR+NrvjHGj0enrVld1WS zN{~vPtJNP<62i2*AMB9kAM-PxFQHNp1{d~}&xxRn^&F7`DowDB{vvE+e?Y+5bvwOx zXdyns_Y0}-5I(w(zSeu_3J;W%9zwAyl|&F)S7K6z5A)=4XnlORrSUtP0OHBxsnp}? zPy*Z2veqG;ebA=}iRBGU*3Q;c+B@wdtF;zr1ueq_^^NJ!AkC8dQFEFS*@C+FalH1h z{>wf2ueGbuWq;XkEaIVoN{J`;v9~|&mI`j8fkmx#Q=o*REe38@_ERVd(V`%JBN?W* z?7I8N5VPK1@32+%z;u2Kbq~&AMw3mOmir`jhP$7eyIUH+YrlD3Y{@#5s9 z%lVGh{1f|GO#qwyk=sPs?r3;w6A-vVPHZ1xd6;%zA^JOBn~Sost~MlPoKsJ04;2y1 z=km=yiGGH5I`dEdupz{`9J$8n^yt|z%eUB?;g`B+Q=%goT3lS0x5zcthhTXHGFY$R zEUHsdX5EsGk7XA=kR?h$F6a0vfZM_~ezYxOh?ip=T8(;MFGrWhlHnmV=P>emP|a^S z)i_4SEI{+c>YK@S1NDp+$zN0RgF0edn#N9MzR<)TpQscLud$dwa6+s6z5AeKaYsXX zCX1x$II0jAk1;}4kuaJ^AW7oWXO+}Y<1U`k#Nlc6y^j~gqnUh!6-wwN89Uh~Tb{#S zTb^T~JoTBN3~dpgi#<*)DMHvK4#YO%55cduAB1M8*qs;9XBWebPv80ub+1~35lk_| zEe<|%N2mx&hSO>r#Yx=l9dSX{(s%1VRIpwbC?98Vt}=1riL}!si$kU#($nJab=~ovHxFDw{?ap zZ_nf4SurXotIW1;SKD4;4FpE<*&<0+Wm3bCR3bOr#nzh!zea*zr3f9eG;Mw|?vq3e z2>NvG-!pkjOEzV>h-nU?0oJS@vqgc05ugkU zuj_wFQg=r(Pw}!D>}@b%2KTU3GjFM?7bB|Iy6_Lvw)2F^Y+oR^mT=MyZQ%O+I#zGa z0-}Bi54HB+jQj^>GV%<1pU}yjSo!9(m0b`AmVKx}$?&V1Pn8WKSbqJyQ5d$`)+d`w2dbW#P4~A{JklrU|E~IxWJ)w*$ zQRHly!5B^UtB;$JFT#vAQr-w3G>%HUTTLLt>Be7NqiRw8Q|=Ku)hM|rS%hS5smbjw zMK8)cvxo69kZ|gM1_*P2G((i2Bi!}wRkOXvd8cWVZsvXT)eSsS!nL!NQ%)Psts?vq z>gMh#w~5qzHin^A1EiPU0M!M~i%#PEYD$PEuHs^N0H-s`#I_3bIY z#R0V{bo+K4L{)u4I*$ec*Kn$FKd9+d9RsYwlGn3?PXlmWd@3W!LHp)Q$8%Jhab0lo z?nxm8I{buc9J^9-)ty`nd5kO;xi3j(R)Uxe^PEyoM?D|o^YnO>K^D?H)ZTZ=Di&zh zHI$s;Gs`n==$on+Pl)7WMshVeYV!T=zC3fe2K)l_k>Z9w+LE5%zPM79kJ8+9!b9>c)}Q&I0RfK?N^(E|aB4M^9*YJ?7Ekc`qbDgbZ7h943MZFsvwcjZtMc(N?#=^JdDlj|& z?G`OTt5Srfat40IgawbHmZPd~^>~R3-@F_6=w2qWKmM;rSFx2u0*$D3Ou{A2oJX5} z?=p6`CUBDpQh(FSk2AUf7$SPWx7BXrcv#{=8ODt+|AywPE&nIrXu|-m*)zc>CDL%1 zd`Uw6Egp-oNQ0N?AM_XQcX93+U?GqDI`nnJUOnS9_E~HsYESjTOgWuAQqG_J^QpMQ zKk$#Behvf4-!fi6@D@++-u*DC?e@4Kt~gDEQ8e4Q$Kbm=l<~Y;#DeG6MY;DdV%qah6NxvV%mfu&GWqd`u0MoHKalEJ^J2t#Iy&d zfU=+ccll2DnTDp=&q^Gsnoa9l%((;A%GoLVA_8LE{cR2j*|ISO$yj{^K~Wcx-INI@ z`jPyz_YPj#t-t<~=8sb-zYS04)PDxIPOzOV`;X1~AH5H3!i?`t)IRV0wEW?%MwE`j zIdP&T7rJA0(u>38d0-fcQRULtv=EwVu8%(YVY_#0u@~VDhlwXEKE|{RtRHac0WQi3 z5XAaDgGXGre6-yge&SHAjPjH500*R>DvyJ2;)xQ50ZF<9feq3QC!FCBkf|4)ieDB^~IM^Okp z)x3LX2my0V9g~Kp5iLG$?a5hz67M{p{%6MB(NUlb0?q5sT=zw_n&F4_{#>7rZ67$1 z5M|#=S@}o`@rwlQb2}Smnx0>NJQ7{TH+WWcL&1W?4{5oxogtFd%W-1II$q=QAYQTN zIeT4CMAnY#`2jpgpYh#-jY)Z2S?hlveT*6~0&MiyCx2SNUQnw=d4fS6@g0RKH;08i zR-^9RjN^>5Ot5wkmlb_=2*Go!rpDeCVo=DhHkC$by5ns#ngX0s_;yIQx2WfLFSCtsXc>t6MI|5rX${zwaH zZJQhzR=cB1BQP7D^x`ODze^0c7k#O*w^@Is6aWa&WUsnLxz@m9z&Gk_I04kgfY0a> zATu7fg^g!Q`1~6pddd^@z~0iMCY%?1-o#lKWilE=_Npkki zhEyj5nBZpAS-;j_&VNR(gCdt+ONKpK`7JQb4Hs)8cex%fgZ*%;1wmReZpxAa1?bGp z>!ZYXHYiY?)eYif_IC1&z1jte4Ejy=x2Em3taClpiIe1=sQ*HPBtlmM1~A(QfnBn+OieKbZ?n7|+;qyh^hgZ%RG zbQ2}CLP|mLBn7P|f|)CoOrV%x26-%o|Dk(Z+!`g#$S!se}-MEQ^TU>nnq z``;N0nQ){EMQkkDp<^04`dTcrq`RNP+}&02FH$k@cN~MjaFL;8A33VjR}fhV^zjx_ zRKywyM-Q0nQo@0!QY7p-1eO*34LDU#MBlQNpjSUhPTg&=gz62`)6~Vu(`aIY8??2 zS{M$PqOo&v9TGwTA^(Y0GkTr>eH*#kVE+6GyID zL)iKOBtdK{pldJ6>+lt~))fvyXd$_YL!Uk?)|ci9MtER=5)@O(Qy2g86fHdj!8KkE^e2pS;(NPx;|@YE%Mml=f2?Sthm_ zuS!Aa5-rcngscKq--p;;63^gI{cXWmB>y{4R@>PorLs*`A7v?3zZNl!_;3pmL&l5D z)lTiE{)+p&od;fx8X4AIxy1~mh)P_PV?>#B>p9@Xy!ub&G>ANOp*s=HrRG0s(y_zs zYXJ@Tfri3$gfK1%`{_K}bLlDn*1b$Cs%&b&OL`=CpYGdX*WecW??gtmqZ@wDnb)rS zmdHFxSro!pK8mZM4bLw^Da4Esee%0XiUd6jNf~G9(okw`4|7)^B-mDz`5@50n)9Vl zFt2%pHH339rY!vp(K6s2A&-b4;W|KvW~QWE_j38u)jx@jEomSzz2{ma>iS}(?9468 z|Ed<|W5prki-ZpgM9t%Kv+`hA+FtHyW`!d3V!r*Z=$HO)i^4Rdnz?qQ7>L?tlHbQL z(>*e_Jhsqo9Hg@gWPX`MKunN2zgL`{?Bw5|r`Q{tE|b_Tp8W?~1ow6Nc@%ZQ6U{>i6B4&; zx?y(4`EBX@g-u6w&iIPFh{wr8`y(h#y|e|dl#S|Z5^rzt;}@R5pB<8w9oAv>c_j=k zk*HS9>njQgujjmc$hwY4(ULqEjw!cnkc|cC&lY6U?nX*pi7Ofv({mkaKoeg%nVF%q z17`GqaSveg3;3QZXNq6nu0FOE7H$JUquD_kK&Ku+R>%2t5xB}CQdtS4t|&TM<7tj1 zxD7d?_pnm-c_5x9kl+%+(8awl=9X>OL9GR%_w+u(-y;(W#=HYT`-Z|Yzx!w{_7ecu z5RFg<^U#gm{M(BYhuX2}V)v33i)@dhhzZyKaxgbHgK6l5^!xlD`At)j)71j=iEX__ zuPCc|D#s7tm|B-UgW5A8IP2-Biid_8EIJe!mXN@`5_PX11sKY!*k z${HSXZ|NsY{zRxw9%X$iND-NvGvc64_uXs7waAof^-#eJ=={-8%rPL`yGVZ4-y1>V zj1?nsF?W5s<;k^y54#kFlv6yUDQImOI=D6GRmzs_Tv8;2oZ9qvx~_qg*VdM zqI%P-qSGAOqz@1RbgRHa*wBag@0Et8B@5-i_y$JQXmeG-iPgF7kHL@wBDt1^boqmI zwg|=|>s1gggEf!`c()_FHFg;#QO~;dG+GqrY+LOgB7{{BlxqnguP?kASF9i(zDGq$9 zd-FjV<)pJ%@I0l8+4pL+@A?^MMy}u8`M-)5A{AfW-ZFa+)eCs$mJ)E*pP`*847t1# zaY)q^Tf~NDzAwQ(xB1w5I~-+@p82=5ex<8!q;fGH)LO=#-TmjNta=p?P)PxJh~9tH z<^U#irYwBMG=Mk)4<0cj-n8)0!Zh4TOja~csaMFp7*#2SZR27Px!YA>ISg9<>uFt% z{Oiq~=s4>}B5Z2MaTWOtXf%nT6fqfNTJizmTqAO0JOqG^0>D-%RQ7G$?5bbeIB2yqroRtdKxbeIhF zS9^iYYb~;}e=~b6qjqGlEiDVy^e`O?tQiMPIMxM{9v0;rlZ%%*UnM;cD1o&Yy`lZD z76eROCCdK#&!6Pw1btTO4B2*OoXI&TSswvFg+E5jsL+F29?v&_9MjZ?Hhsi>tYX}; zGBX-&EdD@;-k0(IoT+Z@jdBZiNtty-cF;f)N(iNBR<>N%>cj2=>;VS-RSHhNz6C7M z0mm{tDj?Sh2K=g?Sm$cVr&oR2=^{`M5%G^+96Qm^v7`1syyDDoy<#&PzyLhZCH%v4 zBk5x-Bjxeb>&afGI+njx&sF4Y()ubAX5det*Kq+{@BRt&_D+CY) zD<3(p1;3uwfRn}-jb7K&9RR)Hg#be#i=IUf@nPylO;>2mli+9OIA^{6W9YGxg(cXq7iVi5}fkMuabqSt381%vN0P zdDo$Pj;2@w_O2C*&9aqX-E6#y$f!C|o}Mjrb6N+OLZs%4#hI`I)eM(TDs8LsN^0)b zCNb~=xS=*>+iNI6ONM?djqHLM5)&2mbfW%SH&J`g@{OOZCP&K@?>E$4s2f1$0czgK z^9%#d@1Oo=n-W`t+cDsaXmF5GE4LWt>Ph)g&g09j%|n*<){CG(jS?~=ythW(v@lCQ z`huoC>RoAqmc$>P2BQva5U#>s>aX~6eK?gYlz_`~acmeBM9Wfly_x#kVkgz$JckV8Sf%WdmMz&y^EPZm_zB;TP^8wSQENK9 zOvjZli=!W#Y_eCTH~Tb)4-H9|3ZMpNqJ%tc$r)fA0$?StS!z&G6Vzx_SMsS_wb3k)aPqr8b%*!|(2e1LIAjeYi8tc>kOjR%!X)Z*yuLD35hy7ZKyk)c_|=*# zc`;=~>fb0yGG)4d;0QA6T-WVbMVdePWB3MyON+HbU}`IZO7UIR&kn};4IoFE%TYo3 zr*$W~ZtCPNjLtye4l-8@2nWAU7hB!}MR~rQec1)Ll%x_UV54BHC@MnVoqGi(`vUQf z)PorIFV-;ON#*?X2|SfB%FytrB!4i1I9~o76i|MyVyT4pZjcDUUSvB#iFJZx3{*<+ z7B^1J+Bn{;l83f}u+oAi+je{WQ@PWS2U7jusouyQEclmM;c!|Hqy@P41JV!F8Cks& z{lM(EcpRXp68cdE6-)Sy$9Y!Jw=7?iBqV-JjgyM4V* zN$Xpf@v;ZAL)$5CMpd5FhpA|3dH~Dcg+)N1ECmIv2Gy{BR#@G(d_K8n6V*z?HF5-E z(?-;aDOXlD(qE+4QZ$IebP`h0>m=afV|zN)j0@|mZACBTWp8l}3IgONC@uJ53OLm^ zM;Gfw>_3gX>(7q{A_&3W{avqVE8;$kSl5QEB9zT|UtsXNM9wimC4H}s0Q9Ji3-9XVYr}(NZ38F70#5A&P+LCmOb_bJ!BSX0Ac;nf=RrC^p?P?qjk;rFQTrJSm%M~BTG;mYl zpzdc0DX9Q=_i1-#O59uJEM|6gpva$?2oGmBiu^w>_Ghg7shz($dmj%lI!pu5i*Y#e z)b&!>Q!kP;E~zMSZNQO`0>Yh?(MLq@RJ97!dKGT2hT|~xZaNqMMXhv(QjffMOviNN z0V8Y2ZrW-+r#$J&EHgbSbK-L z{kfs~+RAg7+5 zoX9JbzFp)pX!?r<2aGR~L)ILD$z0r|>6w}T(U+*O0D|kmr(O{UtK04%20X)-&pa}C zihr}leBtgY>y)6_gn9oq*=Cwbw-Kn_AG_HbR}7fpbM-0^4rh|NSSodm=D-vcvHP>_ z@M}B3QfA1)3_ElW(}b_W9wc$nCA6Vwn+Wwb{*M%w)f5X4&v$VBjyloFyg$8r z07N1i^Wi^LA!5m=x`s23i!=~tb1nV+9%@Y8EQ?Tcq?UrdcTdqUV-|kO`&RuHMxO4CQ4Bh#<^gHHknw& z9p?+xML&Ng%2S(W9ggUNUwzLm8yo^po5)wue`oreC*!Ls(3w~!RlVZTaQ)-Yva&6r zZU(5|Zx?LKjW_n|S62j~Wkp3pqoaU@5RnXS5~CYCG&8F{^L4rcaL-y|L5y0x&kt1| zB!Io>*?Ii;`>WPXqiq7s-9ZK^WlU61D(vqUv7G9I8VlVH-EpiE_PQMFc6VEnl0qNv zGQ%$*4rReNS@!B&C$we909a?1dj&NgD3*}=6mu)V5D3P*b3@ zFi*x$eO|9XMXn)^1Et19*?bYVSzMgvLXF5K$~AxgC+9pC`Vk$&uLXLKa5;N9Km5D> zmF48pvdoX;CRCrcrB`3Dd9m+$D6zHVD!H|^B_0#lB@id)O?3TP^R%iN$)hQqj+EtvviONvX9I#dMEs~aa{bqnHmu84^lXXt+2 z5je)k4JUxM`BS-@PXd|-G8h?b8VL^1i&c_pyd`u9+iT>2a|%EA?8tLxGHbqE{+bmT ziUz5vNsjFJZNK6v+L)D;0loWks2E0-UFTm8sB(1|PPPv0eU z5J`ZusAu;cxkw%0639Z1#YxTb`L3%ccpe>A%cIiYyH|M{Gy>Y!1l@OVEA3kFlZdSz zbxt3Z+BG`QLsBFOPB;_W_IWAW-7pBF6W)3BeflH1)O`o%v&CEb&S}w+{B&dDlneM2Zt|k|%C#WpWmA^_U45SW!2uo%7piPcYIk z_!ZLOdPV9b8YhT`*^uhjJAb;PSz+^+jLj(0HnbMA?NrH8hSw^qjPxUKk6h!OiAx(8 z4}E)mD|sP&5WH$@v?xYuiLuTY?2s-@>|gfT#ss>wj#nG2V^rj@sHn6c#vK7Pt6*D^ zOKFYRn|{mOUO9+92iUFY%zhKbA-f589U+=L6LG9VLFDAn--6r%0v^*vTsOzFxGs8n zdj~(TgS-JYRskJ#z{AH>G9?E_I9Op zhIHkPk0U~qH-)8NQt!0W`aw@HjY}I?Lxi!QiBdfEk`1=eTeAIE8y3>(Y7AfmA6j=< zZ_wrdrv+Ga2+`vDi$Tez&`pCVhD+#2Mgj-#%N64q+{wT9Cl>b5gPom|qoa=Yt4|uL zEG%Rd%bks1gDiDbG4utI;qX)eTc@8e%csv(3*vX9-Rc;3^&gA+?pFtNFNQ}%?5ok`XWV*? zflTYvt0^WQ{PX#IYbOz}s?j)p%A&ySgN7d>?P0Q*@Tfd&@f)1WN#Kcgu~&yA0SG6G z5`jd}Fk68RnVp^8Fao~eH$0jJ3{7CT8{C+x4~I&90SbX7`J*+1fNDdZ+B08QCtMNxj6_7PJ6LywnKKkNQHXmAKT;AiFPv zV%=jH4%gMd{2Z?7>>|Gj*{S(ZAm!he{4lZTrCKZB9GjYNIV$4>wU?{ z$TE`g9x&78vls#C1ywx7ASwb_Hr271;n3%>w3ih2r0I8@2c942KYEmjAM-Txy$%>m zw#~%}if>p;nEyz&aZVe93(NKATYEG+!9#0#9#T&F!T9|#?d+XCnTFGEiiyU5v!*n% z%eZTO%Ip;iLcShJ>1w|zN~rQEI?ld!rg!&#x`rE*L0*yJIthIa-4%jdn{~f%45l*+ z+l4V~oqb0>Gw)6q;dVNDCUfIvY#;+V`zIaX%M#)^`06aDKfhaug7Xl3N#%ix7#NVF z2pr0J8v!_KgvJqJ;!quZ1inTGXcTa&2So+KbdqQ9POg_&=S^Kp1~DfbbFzmKAGPLht9NMpPt&&QE!zquM$z#fns{C!+A%Cp1*ycCKR zFvRU{dfQDKJs~wUP=~r$yOj6Z-tQjzDhYt*pJJ03D@4Y-)nBFq&BChK@c{K;QKoKj z;WQ-01n0;vo@`-9Px`Cvz~Ul1m$m?iAL4amgk#sId=IHS({cZoTT zL^+=Xzo6+ChioJlH>0(9@8)pS@{#TQ{_#Sv*Q-~%{qnX$G@4|{2e6HkDG~cSng}vb zRfV>Pg@tLO6VaZ85x#mMjc)#LYik2qR#rBg#I+%#rXmDLi zSIZLb(j4`IuE%(JZ#yv=)%^0ZM6?!0FFA3G0K-|59iBZ$^VZc`K+FoEWR8gzGGxoq zi@hh(1UUv%3^Uew#CElJhRn&?0>g{JDj|{+Qt#@2w+xOC;AXMjznpOW>h!Xa)adjy z@Xc4^u^Vb9b3$B9SkP{|)amUH&&Ph#0qVB(W@f1~4u4LIa^Prv>IR?80~_B?kMU#X zkp&kNtsNL->izjMFa>K7o${4%1rJ1w0y3rW2)}|SwohG{Q>>da_%Uw;`4Pi@)>qlUYIdV}++WBx`1SuIA*;Q;}VjplMMnMwZ<|O9jmj;ig=~=Fk32JtvK6iQx?OxYD zTH4x0MVv%_nOnQHbgxDdOiLn7y5|@;+`=9ch1l9})EV)r`uolqyo)QYjoR^I9V~3a zC_ws`*D>>qgfc-1s3${&-E&fFf%dh}2&3!p&|t(6_AHZLDe^lKJTUx4vHF{a7opfD z)Sr=QgqNpjZwN^rfXmBA`6BlN?@pN=_GpLA* z3lF@YGj9nXiUV;RF}=KeFFl6tc-4LkWDNf$P8ICVwZ~I=Sr5FoNsc$|ADx36-VV=Wmz2h4z5~GZL26pHGQx@rbWMYfYW4}xI>x3 zwS?=Y-Uh_fb$yjNF6B<)t`2>!>hE_6%18rSc|}v+qKo%F>~?H@6^I#qH|4QYdRQWf z0$CKb6BBuiUa9Z*-M&J*R-RD#6Y^b1&u)BHiiU#1)&Lp;%m+9UVPNRST^o3cO*J5; zuGllVPW;0)uZ_Y5qtH11X-98X}_jj3<6mPX;ZUn65xo!2q+*#2BUG3$nwNMLheHA66?RMt zRySh6#EJYwa4NQ-Vz{yr$o`wWI?<_TVPWB>!YgrB%2LMq_?CGSJ;O%d4|)-5pqk{b z)P;=v$P~c$sS)`rnk`bvVEs+yM~rN2zjw@e$$93kM38v>TgM2wXl6F9-Mu}xhJ|30 z=@*-fyIv<=&d#e?u!Zj_|yX-{=}14lmUzsrwuoe}Vq#$W-LQ8i}Tw zRNIcH94A?Z|9}q%es7H|rgOIu3MM~O^caCH!jsUSljXx2k0!wUA1J@E2=cbqQ9x{S z9t8m3dEaeHdC{|)3+s0hD|VIlWow@KDp_@+kcjt)@4Bz~fb$N-)etw)WrQ|nwI*|` zp^=VG{)83Wj7G$z=cB?5Fk$`Xfynfb59e46v-&YxKF~eA?-k&C0(31NeY|09uk+9NGSVp`jRDTwFZo6jW3| z5PnWfoTq&1Oe8t5|2R#)cD{)JohAjp{HnkIjt#kF_RjZH0AhIc`YYOduGD){%W@y* zHRy>aJCfCG`#m+x)KEj+aii_<4z6~Sh|Dk93}goNUNNN(KhHy7h%8BhmVJKrF4|62 z)B=-9&qrZGWapo&Z!UB)0{-pqN|Z3bfF=Hslq8E&HN7a5p_~NB_KAoRVq;Ye4OdoI z$N!5p_OG%BLxD*W8N?(cuFFosZev43abX{|ArMf=J7DqqwtxiBKbAu?^sx`00}a)i z08{0$7|e>=g2r{r`9lby@kT8h8vM!17xcUAE}l!A?1{$7z` zrZP}krMQYm@u#7snuK#?o`URGIE40 zwn*p~@S2)*^2Q&D_d*&&`~sY7)Mi|q?3=ZRT-c$GUKqz}j)Q-SL!tx~hXx0)r?-uG zj*cys?Op$F8t)7BA;F*92zvli%JfL>+~>3-y4*Gnr;BwCmz!q+U+%a#UiY2fgYmC6 z`2Gv1HTG{~_*pnPqjy7sFgaY*)#JqP*(oispch9+4PK{AQUl#Z_wBm(tuv7em7a^} z@(!CD=u4^~5ES(OjkMh0$|vLP?Ql91~jAv7|L!foxM-}H=Uu`)#D+3Vg{%*5Vj0eGz#N#M!FS0Dr1Cf zua(a+E-K7!y!Jo<{V!kqtY3H$2TsjnAeWHg^H(o#s` zMEx+F56m?OO$GJd-`#1KeE1$43k?9|Ik|G&fZd6dRMx}(&d%#~Ho&T=&DYDyikbQK zcfbWHEhYvJ_qmkuQ|d1`(Ip)`T|)latoj}Qu_A7qm6yDW3$NtfYP%7qEE$XrsHLo$ z(Hona7cWO^DSrY==Y@((@UwmN&Yd(I_ix% zJK62~GW0lR{2MO%3Rr1r_m;1(X|zN+r)8%d=RKw+_Rmv`L2^%{qNDrjD=RC3p}7`` zdBFP^084puwv89ckhXw{f zc7F~5g55brug;FH#ze)#6n_DR8B{Xugw4qR9hfnqX-0}MQIQV}sb#0+e+IuI{u!5= zx&s(kQvz>!PunkRH#m1pU|P0M-_(!V9+#0K*~9{Et@K&OS|S5`QJgR@5bskV7ac9(I~ zwOsn+Hy^gDrA4`WdfuYna+T-~&<-pz*9{uP8{v7imgJ1++DHEb;Q(HF-)|>kW1m-* z@EKPo!st}&AHWekX=^&+sZA$~wC$`u4 zguz)lrMisyA!8U~zyW+?L#!Lm2XSrRJ)(cn-K`iw!Sv--Gd{S+${S8?ztS>4I*KDU z(GcqSAqJbtgtTfrRRGJ>8_ufBQ==-3CRT3PYSYVxeg#+(O*W~duRq-1o_t+Wm9}~Y ztFEd_AJ@pHqBir>QvmX(l6@F6mQa_qg!9eVyS~GO z$6)V%U~URO;%B9pO;PC_A9tkHw^E84^y1msutHlH$sqv-dGVvWmh0ArkB9*0(pqZt zU0Nml37^V@h@jziU^Q~tVJsYFc|K0<*pD%T$ZhQGUJN()(mV2Iac8{-M)Ne$oniGE z0rSx(u-#;3zg3o7aSL5MM^6J35=X#2*Wc5#re|CgTGl`3Z0O}B(xmCq)A>{j1-bxE ziHd(>UFbjmAqBjZ>aT3BPyU^8dF_ihuYZkNA^7_3+tlAT4h{#QEq>3SOs06@HS}EN zo9JF|Sck$c{Z2ha!~!IDNZAOzfJ$jUBjEV*xZtkp_l^KqI5Q)uwbQ42{Yx*UX|PcI zSSE=LaoMo}VLGumaW~yA5EDrRcqDFbZ-bNoFFar_8(@9-O$oez1c1d+B+baF&yosx@=XiIk@mi1 z4i;9EK|?y`uUPr`G@Re*V!ZK~mcx9;+9Lm7SQPJ9y^aiWngpqlUQLx`cj?j~OGY9| zTdzO+zC~W>5^ph@3gi^xFOZ3diPsO9zKn)&fOI9}(AKG`slQJA1XNft=E_Zg<(=@( z*w`2~mPhF7&bc?%H^rI{Z`l6{_Sxzp{vWE|JD%$QeFHzX?7hh-o9s=;2oRb6&6K^S-b9x~}`aaW+2%abFoLBg?Q*(mWu9(?g zx$X|{;GdofMjKLJ7v25rMz4jlUuPd0A|k1Aq&OlsH&MYu3V9>G*7KdF<*?QaYGf%X zDKRms^E$J~%XH%6;+rGx=y@m^1KBIz4!oxySP@D+)i*R$yT8-HcjzV{EopEI%c55D z99p}!Jbj1Py&}1s^=J!&?#FjJ7XB~=tUS)}nskU}(sAY0(@ycGH?y;rgqsEksY7OU z_q)c=&5M~>sL?52Pm{~)>(hAi@o;f9*NVK&$HTOYj8el9@#EPCjrD2Wt_a7m6=jfe7(*D9;(&4nn6kC`o_ZKuw94h|c>%3Dm~#f;D0 zuFp1zlYBVp^`{hN+xWnm?{+G>`OrYLS*xz3=IyxazL)|lickhiNzdWduaJ`x zRsmO5C@YQoX_Fw{Han7GJLadf+UB(TeVB$>RQ>LY zxody0WXk==Ha0e_;bAQR#|bXg<6|7pHFU;=ev$2`jJ8??pbtP*{p?+O_dG3) z?#jO51QZvaJ9_oO)?i(aN=CX{RthV5_H)mL-YE$<&umTH-PcEYUeoj-@xCF`!(@-B zlV&h!p8}#VGxtEdIubOJjluLYx+sry)njx}_%|Ll-nm$qaQcXXoIKBos#h$HBA#qu zA;Rv9aZZlP5VQYev2JM+H@?7-qc)3fBwJ!=m}>2(xDjTK|2{Dr8AhP+ZS@M~Y6rxB zNMeG@%Ae%s>#2^($VHJ(wymFFz^%Gy@U&e$0TC^(;XA{-=)JFBwZ`EkM+gsHX}B!W z?Zh3FYkL$Dnk=U$?l6*jN0PaV>2U1J&QAHXlgs1ZQV+^rzHGq9sD6w2=s*7@hF)k* zmZQnSj@{MNj$LKRhD;L0F-wCcOv4-gOE6}N%T{y`b@}pT0yCJaM^8^LZYdwh z!ot$se$!M_laMkM``NKSk@zSDXv%tGOWBkaXB5szafInzQ{8)qFr;n3MY|3p;xi{q zJ`=d0CVH+~l0l!cSulqm-5*^xkjhT;%yEiY@?Jl6n{I+#zpP|f!kEfXW%~`g+b-vj zceOd=OgKGnbd1nONLZtm8bueP@Q_Lo!*YIzk&8UB@zz{vfCj4b82Xk}zX%g9Jn&FjE^ z4E?~}-5T>B@ZB7I6xcJ}dSd9;<}Qed=~L6v6Hwbfd-qN!Ra4@2E6jC0fByV6@+?ZE z_~p@(X(xfG^2Wx8_V&*|x#rHt#vJdi7aa3gl2`%qXC z5zj$wll+$mErIT`!@H(Oh96{XVzOKu;pz6S_7yCu!NtYxkG$>ZxYcB(ZfVIPip&(w zAwo&aAtQCy+2B?f?2ET{IuO*3?NGCPvcMf9k!2?vYq*WNJIY!be@Igg^}rO#9C_sn zUc^n=>$vC?-&~w zQCu;xYH}}V66BP4yLq$4w?=7LC&3>v?2Etonf@fA&+Up3`FgK1OVvG7;y!SZPe`02 z9u5Q!$9cud#%5G=6k@M4*%&P`#_@C3fzCORIhx9Ch*7=%uT_s|k|>OHRtI2zkqTOhQQLdPVYwo$sqY7dO$vtQ|w>>pnhbrzfRZw+XTx;muO$-MEoq#K{;~ zpIUu2KcHxP5aHqw!7=DmUROukuC=OA`{LDjSp7f-eHa>jyZ)Z>o6>7cil2oA1h@#F z1Q8JS5S@sfvbj44{t@*x(+ko-RF;;@kv7j|WE3s=b?ovB%WiHQI^if8$>{`2+1+Um ztr2}I_N>t)Mv=a!uM(?cvf>@#gK(ic=`5RmEFVpFZiDNfB$uqDtTZpa$jtQBaD`pzC;vW+;Jx!OGv>ugVBAxSjRZCfhEL8 zDt9P1HqBO6R&-vbsPZwgv5`@g;2&`D@@npBqiSR-`y4*1@&gk^m92@JR@$dmgTWxo zo}{MUJ)GP5P!&qQc6AZ3+81ileEk>uRZ3k%#UI}W{PYan@9@>V100p0n7eAx_}Hkx zT}u%saL{`7^V_%8;!#(%TLkY4UQjQDcXf7NyMBE*Y^fl50*Ir5Go~&< zPbxrFL?=X{5zeHim)Dky+^;LI-Uhok zITb!UI_0c;cfIPv#^=xH{!+pWRA}zx<$E^Zt|k-DNoR_XI=RMouI)QSNgBtADzUQ+ zWo_GIjh8a0=S1w1F&U0@LDz)M>lu(gfBX;(v0vZVFmmQy4##VBQ{sEP+(}UTnKpk5 zJPLgGqJ#)huCK85x5;W$2iM`BjV z@>ct=GL!PCvs+eH-2pkk;#>8yy0xe_Mx0huRM){e?vWsy@=Vt4)Z<attkcE$16Jmw&kMr``j(56{rl4a z^~aWM%B6QKq&HAfEZK(eU~1L%8*AWbOnP4Idwl<$?o$@RcqsMjn^v|;o}R_F9mjS> zQpOr6;FS8I_ck{<``A1CVqq$#_!>P$zdirx=&0;jj9M-~XQt>oxgR7a@7tr_;T?q% zQHtrgdw6hN;;s+TU(Tg)QFC_wG8*_p^3nG}p{i%kpO0J8k@%11C&O8pwneW8nmw2J z>Ju!jNprEvUEkC+9Zv*7LP60hUH)+-?7Us1KA>kGA8FmH5wLxIdhJ6^P5u1&^R|;= zw+I4M$BWzg--3*{P&+fft46z(MV05ToYBtsaRw7A1}P3(Z13TOy!VD zzb@_(fa(FFr%PWzSBKd`p(T=%l7BaX&a}#>Ct?NGx+nwpL)*@F+R{JWry9$#dkkpI zK@O`LIjLfoU5h^6AxT4)A3z3&JkGYWGNAg(R+av8e}%#Qp>&ba9(wN70DGD0z_rYD_omBh8U0JBOzz0k zuU>xKS+G)p&RS!WslTsJYu(3+=|n|~_jGvilzc?n;$X_?#(?!T4)WKc2HnDTaNx^( z5W|073QoZ;4c3G2-#=emFio?rVwAzaeZP0QT4u@_7$c-ozyV8W7}n|Mwt!f3d;9(U zrJ$3ci`Uaz&VKFC5s~;*)YeMK$S^oNNqp;gv$nypXbq+A)76y~VR`n1#kT>nz8O&r z$Fb*CeD~Ym-N3TSt-Uz);wjILjh+Fw%-_i-*m9`ezL%NF6z-)Ug`IJoBjfTbGUzz+ z>FF9Dv@BilT!KBFeSYy@**7maS6KW9CCJ9MX)L|wwE?X&zI}zyvj5{p@ttVXa-Xp` zo4dQ;kB*M^_uVyqHJ%=Hy9{b&doy&fyt#Jm8r^uE+hVKkw+?OWMntcKDTFI3Oq@V`|0-ye0NvsfahZ_JYB_IdE2x3ABL zC@U=uQuyvzqk8Hl*o*W|IjbP>s!V+P^q7wNi+NW}Tq1$`&!0bkpPbwob$I$X0;j~B z4|z$s+JWuU)ba5#Vy7~bQLR+VQ`muJ%(fuW&hi!Gm5Bfc~IQStq zDe3m32W* z8dQ0>czEfj;V7;Vs|?E15$3g|eb9s)|xTxx&ZS6!6p4LsOrzH5(}Qz$=T`FL5k{ zT!AE6*bS%+KX-Z2ekhVc&-?6;k<@STH&b13Tvi$ed?O9P)@+U!<#R;N2VMtY3 zgn}H;52L|$59V5nqW7QPJOr9NtVfKa22>f3tR#+P4wXkyI7moMnOc2G@5XhT&HrOI z$i@<1)YYZl)AF5l_TJvwx_bRO?KeCBw+knG$*%g=0~!c&%Zop8OO+sdP?zTsV+Ohy zBWUYW=L63%HiNj@uDkp(1C~i7sofgWsn#p$a)T@)+I|G02mbugB_>9qD8@ZdOuTXM z$HJPImzQn1b9LN$1jWP8MUss%T^NfWb5lKCy6diV(p#M7!4o#s5H zRTVCmJNNaitb{u=i3kXmZDiu_`eI4!^+WegHoQgsc5~4qgH6~hOZRtvXs8@kzgoD} zm6gS$D+?eLfNcDNGaJIw(S(cn+;aoL=@*l&(Gf2|jf?uY3`{eT96i&Y{-sz1XZe02 z=`8QN=lzT^jl128_+uw0CqOP9Qc<%B2ke8r!oz6E6BJMR&*f%SD~$+yoUy~l1}J5U z7H86|TzI|)-KF36m({o;$*Uz`0c4M@!i(zRW~l|8~n?5PiU=)+x!Z0x2P5D112>Ti*|Lop{Ar4+Dke8GW;~ zwY3#i_8z1^nCDTM(M1r?OYGeOOYf(aH*XYYrY;~S4@g+aYTmo^qY2mHe*H=AAjDh5 z%?>Wp4&yB&Sf^0L(`6WiqYZ?*&f~|*zLp;0>NrvfeRl)|1Y$_>Vnf%NF(wkE`cOMF zFx(4NWBF_Qm*46W-ehn;NuQUt7CtjUhl8EnOkYYEWXAs@FG=!4!_@p|=DcqVEiDo$ z=$m8;$k6oJiwph=JDf?_2OE3cQX_s*@p@3^6k;I8kzqJsO61-|>tQ#n1 zX=&Nr2rqnwXAYSv5H+)i4|O6sJ)(Q+?^T0@eLgvwZQ zFXB%>l^_A<^#p0~gQ!0Zhb0GhiF|t;t|ckmQj(B6K=g#PsZP&C-(?WBin`lPqaJ=9 z{0`2IDFo}b|a!B4GiX=6i~hJQaK`igV1Rs`eX8jfW$?rplhD)Sm#F_Mtv zZ>hiyeBWUz=j`y=c|UNDCTNvO!3->rU_QNi_1uUW?Mxz>R~P4nFITm-5gn8CD^^Fl zARg_jpRz^k4{B@3tq1Hc;kc69jOT-mCoB3uz>BKI*&&3qH=0hBwnoe2pyI&r z;X~PMIqFIL(L=bAThTub4<+u>=$Ed*BbWs=4y(FZhMGrk}moYWI z!o#-z^3ZK`pvHY$UX1LyZ-OEs7l+c(Xaoh{J>j);B1!~XrpCtR9^T_KGjhH7!9&mk z(9{5^HC}TPOjf#2i%LsMwA`rp8}8@>415wQC@id`TnY!dzK1+A1{*=MHRq^kQgVuowX)bNdbgt_)G7!)8*pPk?p-bLV|5?1tgcat$_h`skovd zD?i{O37`fOp-S2fKxHjDEQ0d^(hrlqEXqZ^9PWKY!-B zoGg6U(Avsz5@$ek_(-k!xdVFL6u=e~k_KRr5M?D7XOud3i~6K2?Ew6wI2hpfle zCMH*MhY20A=Nk(CuL)PB2F9nRx(Pl_PhZ)K=kk_^CWc(Tb=X}N)&f42C8Cef=Sid} zFm_9foX(KHIyyR*>R`Bf@H7RR9P(QS?CE7rdinZwHj2r4cuH|kO#mZ|oI~GBqd@(J zgU5e~^ZQ7iB7{?r+SS$6Y;A4#i5Wri6wA}=+vUKr^*_1izfxS1s**D3cwPaRewHkc zq=)DZc{vaa6Cr|uNqOqkKB9%_V)Dj*Qe zn?D}pF7}N&I``45hK9q?FHN{oL5Bl;w~M2qqE`D7gARHaVXf+t#ags5S*nwhlbBPd zKFKRvKmeT1)+j79IQ*6v7F$M#c*51bG1FODUe3eAaOqOj#Dw9?T^{Sq}wz6qr>i4G+|w+=Ez*EvFn|BM`-%mU7SV$VkO7E-Kl_ykCv0 zK4d(3!mjd2PFVQMSb;hd?6)-gc1`s?R1RfjWk8(J(9#;n8X6h3{n{?S{AcS18R0hm zrpE_hOJLzL`|C_B3HC}G97PEd9;hpD&mmhTM_R^fb}bWD6t=V|MY>-c(S16g_$T!l zeEN*^bPmM_!h(WMa}6$#)nLyjpI+|qO6;X}!{Y{U<_%1ow0r{QV+RaL4x{;hV0Y|d z(BD5WY?A0XC6hwn>2Zclpx?#_dvl5ylNd6`7y#2At}Z^D%lgy}b5Jb8Kjv_TM|r5Z zx{5Y2KV;|N7#SL3<&)D*e5}>gpsMOOcCZ5hn&EUmglXSeckiYoL0( z71&Q$agdNdvib5W&yoz+>VW7YL^;4%Gaxt~fw~HAK}251dkEW+6zsUxAY8f5HIO^H zg7?BbLY%%|SX?|gq!RH7>RL2PV~!iaHR_ZY6>*g=F^M~DgIVLCy@;$(dr8U$Ej|i2 z+dzQ{m;G`eTUwl9`OB9Op=1cPi})X7QTN>fvro15q{BDFk(5y`6IxEGd;FtFNWHVB zaIQ-d*JDapx^>vkF|k}2c6lwLLCt2ufsVkLwL~aafU`dTRc~)E3?`&@z{~3xv#_ve zmz!ePXH%F(h9c*tCVriqP@mx7{AAYHCm%PK-KrZ^dBgdlp`k&KrfI)5`ODJeuU3I& z+g1*`m*f_zA9RA7q*-+HpQWjeza^!J&~OOT%#qlA`*T5^qqnDr>#{gnb%BOC2*%g; zdy%;%{pBaPNr$yO*Vpt1hOW7rvdQ3}o*?w?>@GaHhD0JYH6u*RO+OI+ zQ$x(oROtpiBJ1m(N+NSF>g$dFFsPD^J;2)>f6?4*;V=f2K^61Sw3$twEb-XsI40rz z9-M}HZ7$j0O@r5pearlt_Jl?Dv($LU!_ncSuH=h4c@-)ytQ2zrV0e*>+!3}Y& zC!96*i>x+FUpB1a_djT8&HPu8Yx zPIh*aK;w(B8y?tqlkNp631_yc>-)h0b=W$5zY(%As@tei)gbtGu-5Zhg(W+;8#qJ6 zIdQBWJbb8VpA$}<;d?(hFK_qgo}eIgv#dc~G8s02|NBkbDZ8?4<1t+WIF>SNRO-3# z-|Xycem;lRmx4Y6It5V$g;@dC3gA`zZGw|c)Yb7CmmU}aXE|uIfc;AUz)YoR?c)CT z?-v)FuwQNs@n_RRonl%u(JQJ&_u92i9|fCZW$;71yu#m7Sf*)8tI9OYy-`$Hhz;!k z*(%QAj!~Xh!B>b33(HmTiCOpsHU!0V`p9p1M?5_0384PIV&*En>=xcv1JJ?2sRY2% zR_lLsWYcm(n}0xnGMQ(HbSv4IFjh&fzgSjPMWp=D#|PUx^f0)sva<3vil}xalL{e1 zCJ%uOGE;QA@hcUbKYrII!}>K#91Fx~IL|wQwI!vF<$+?@COO))+#Va-#gTQqxXAlb zEHMa9EHJZc4{o8;Aw~yEq57#gI9`6(fp0R!z@q-gFDE^H9a9scQ&wA>5@86rpzL!) zG|!Y!+7(mNe+oA|a%pOW<#FT_P@)wIm&B1dOnYN2H;`V|)*Q`(u?Y#Lp}HZ1-_o6* zut{0IRfD8%_l~@$udiH*Z~=cD$dmy$&i{LN(gkXMLWo)F*ntyhu8{9$bAljvMF*c{ zp~Wv1XEv_?gAQ;kMVCu0E7LV`!M!Dz7$`fg@p)o)b`YETu#ge^W17)FUZuo*HCYt{ zFW*CIL*H*9rKkpyZJ)?5NI+0b2=2_xnDgBv*}}i3t9xZUEj?WVsfdGwq@gTX4|w7> zk4BfDh&&l1r_Ctb=bgR1R{!r#Qrq@k|tmTcZtqs%Uc2QIy|HAzh`cGNuBj;n#}=T^Or9vro(SVbFi+cHm=_7*e&^C!c(R-c zSR%xqkDR2EywtTLgy5(OUe8!+!eaFuydO)8eEGg1t$FfZ_W}c3wXYFx+^V%Z7f5QG zK6*UwHOgf#i6Fno$2SBi5cTNC&!3DL4rCbbi&ZU$F}8nUa>hQ01Lsz>ykdmt7~>RU zqN2pkjd|mE8a6q9;ktf*a03(?kWy}}F}dPw#=R?02Fs6-uyC3iRY3QPWEIf}ESZB1 zt0YdYuEkkmkmdG|@QF}y-2Dd8cuzR}bwdJ8nt$CR7xMg3*s1>#YzcU%>eZ^CKRXhk z$gCMj7&qVE-VPahX_~Vp9$))}f?G06x?O|)&$Gi!;KImy%gT`Pe@H><67W?bs9g=(&ILXSj>CN;k-3`v(~Zj z&)KCNGuuKCu`(N%ajQ(f-QM2^fgTweT8(zlqHBI)oD=IxxCy;NOKuqg1EsGY>{|9z z*=eNTNk&-SajU-Ff!mQCb0v%^ZrQiixcKwq>*>Pcbx~t#XzK>&EI%Fme3kE0Mj@X( zwzDK1UcY`FgNJIhP+eYf{GtRcEc^(|5pfCCWEUC!MR!uEh4wbt3*&l78EmY@CKT!L zhD#C>DVb!tPj)kP^8Dr&7W5LRjVX$nl#~Lb4%ldD3MaRk{`lxWNl!1N3MM8S(?g7< zXSyH%{w)-E(W_D%DMXWeVu&+lZ*Sizii?aM?Mq;1Wxxzf+=bQN>NrRG*4uV2A8W6i zlIW(|#xOdDtkYjE=-NyHgSGnSOkB)x3q$poGV%X?o}>Pyxc4#!2nyD>R;CUMg&ihb z!~6ggbtc#JU0q+2UKp6LE)MS(?wBpV>;qB;;Y?XK4wZ^qZ(!_= z10lwd*L=n-jsoLonK8pI{IdENG8-<4q~q}&A~Y~8f)X?l2 z($j~NmRDAq?9ONwjr;ohr)0&Ge0o}=$#tmY`xDE30+d9jKYqRS-9M?cIzfzZ6a1#9 z&nha&h=p{X4WQXPrpuEfX zz6gQ3o5TG2b1L7B*}kXj|DM7TK6Le%IXhQmZq>gu2_^Z~0OEmFGAz%^D6BQ|uyb&j z`{*V+^q}zj8_sk8`!F_aO1}E}B81+9#l34H6jC~_hp3B%%xFRl(VGoA9x(=ZQny$| zwv6zZF8ge!akE=(=!BvYtO!xHYYYPD{(-xn_z~IF9LP)Ql4=1z_vlBiVlfQ%$Aw=? zhkLJ)zH9b{m>Z}u1LvYit`~r%bzT}DAAe>g9C4qGAfcc-nQRPd4|u=<(t)=wpURGx8W3oAiHs!wkj9rPW_DjXWf;DC6)Hl;$ z9RFvCTNV~uD)p#nYp~|24DD;Rsa+PlRN2K*J9d#u$?x#OFh8Cj9v+_kp<>Y4DFkK2 zQCeP8vP%tHaTvdm$5ptF2S0yiIJ~$zBM`~b;V{H^KX^;dy4dgI@dXu?{6dZpREEe+ z-ciFU8SU2ajr@QFSLP*BVg^53mA-Dax<{l;7+ZX`8e_y>QwKbG4^DdQJ0(OZo|{hx ziij!ly~`Knx3h;0Z{Fl^YMO*u8W^b3j$$#`t9SR}Z#hY}I-ofOkaKFiGGpn)o6gSe z?^qbc)x@wEw$%u%{FS$1J@|cB*9W}lmw+>>cm$jC!NPrf?8{PfdlR>HV|$|;NU>)H z0&x6}%n`3&yx7We$WLC4`{!-No&giC`#pb5Z!SQW*GdYAn^W%M02b)R34>l)ihNKg z$f7Y>j652PHS6FZ*LjOvca44)Wa2t z0UDoSf%+Xm+VkfZKYkqe?h+Cep#w9Nus5^QuLs5k3QNuOFga(bdg`eB1Dn{mMPKjt zZM~^UZuJkaorh+?pMN}U0^JezVD!<~Jp*#A?a!{8&7*@Jo6{9WuZ1${{th#d3Cevy|)Zk|8U+t z5psVvFjFEbDoWCQ3T1sDOfz38=Yxr!%^Ue%US2sMGdAPG>{QtK-t(P~kumWD0Z86h zt3Y6W~wQ8klQsRXOw)w{{x^Up3SV?l?_x!0otREeyhX;}n2s>YX9vpb2we<9?+JXyUH)tC!M~oWL z6-~{u?z1P-)`g#&oubD6kxKvjv<(zUb&SrVCr_Uyjsks)?Jv`_8SrT9z_AJX^Qve~ zL?o&{h|}JkCcNa}AMA6=d}tS6C3dXwxPNE}%Lzg8@!y$Hgq53VY5lw-FczV&4Q6I# zWo2pO6Z5YGYH4a_%dVMRU0BI>+3P$7}42)paA-MGOQ zYyC|n&LpJ~FzSOJZRL|&YHDikhDUwAfxatQ7ZWRtSM-u`X3e3a@nh@b03ez;?i8!1 zGZz#=ay52x+6LGDe<{QX2X(|IfsA#m1Md0s(e~5}jfqQdk7&YqiB7lod`0^a##pW1plVJ@QR+GdaPSkZA=I0|uh>!L)wWb0{A@ z5FdS(+@OBWYFZQ=xS1{7*WUh~4_6c~8@vikE}r@ww!nfHr93MxmOz$Up(YWN0Cj(Z z&9K4cCJKdm^hoJU*=wE5d>e!iIrPB9K-j&OmoN8*F10~l(7Si<9{v6E^Wm47;EBFS zcsG@%L!=$p1D99lmZ|di*L<^A{7)e=$#)2EE34dnJ0jEGWZ+(7?pF6rPt!;Gcza`- zxx5IVW&28qQ~w-PDJv4~V=~G^z`z~kj&)0Vc2QK1cv=CekRr=Ui0U)Eaf6b>g;Sd2 z2Xr9le+SxLSy}nuAx!VTeP1evNgm6M!j_w+2fMSt==*J3x~QF7c_97_8LAht-= zE!sVRJ$$l0=hntfOPiXUjDwxZp-DM0H#hX;DHbiC{EmQjmp4sKNwf+UZ~<|@#&8ON zWZCZvE?4b>=g$fL5)u-wh@}QkB4UqYDAa#*tA$$()~?OK2j)zxClf7sm{fL;QU?jkQQ zhrB1g2+bHd!pzVxgpfhW%*d!nGRonVmPXgJ`-D%J((Y6FbFWGIE3BP72t|e9C0hIX z%3ULR%y10{%Y4DTXt;~+ev*ab|E1267iTs&T}{^tMok6CHkmH(Gb!oP_L@~$OXI)ZygUU6 z&`;%Iqea&FCuVL@rSyBK+T8Ul24?1HC5r2npf?@Pgdoo1%-elsrxj9Esh7DYcgn)&KH=bZ&yGeF7#$7aB{D4iVyXwR|o%D~w z6>n$|CVviz?5!#^vbudQ#Dc-YePaqL*q0iYh>s(aeFt&NlA^Y ztUWzzn~p&}^RU@e6(pJ#E5(XSv@bcpMn%VAxKHnkL`ZGQU%1d6tVE(?g^mE#8WdJZ zzeBs_09R;~g-)hg0ZE*CVYWI*QJl3kJ(8F#Dl6h7mx;h%$#)D*k1t1z5yjm#rDI^A z`DCg58L~t+KM65$X?gi-da^V(II?`1q!Lzvlx2wRLAc!d{{4F}Ioce^jHXzl620L3 z-K{GbP(rHpfn%KV-P?y>^G#^JY;J-FtJ(j%pbA-lSf*k3pN8aD+eQ)kdNvm?dAbHe)A;y%k9r58j6H`Fan(3phl+hPj+?jT)H%R z#&G2SHs6}Za{Q>WwifPW&O5bt8cBC*BIw^P4ULRI>cIXMy~%YT3k2U~u?cbGyOz9fkhT5x~vBK%soCIQfY~??$)fa_kRj;_q{U#?weJ4>Dk8#Gm zP+3t?|0&w`?p=>`10%N^Hxi>Nnb_HfU9~J4s6^^}>XwkIW#-uL%q!R87V82b?xp)0BUCUo& znK10gCr_TxMO~1S%UlV(X<%YvqAf2Y^MGy*^bcM4^UTbS_Z4XwgkVmHs)N9Pf0iFk z3s!LPwt&BE2B?j0v%9OSsHtftMu3l(m-}O~9*3-y6g~mLcz2y<(Q@Oqup-t;RO$(o zST6m)kIvRXme*=sMUCX)h!aRa^jfxMxP;Fhf zaDk0|3YNyiNgDD8RGP*Ljc<83RsRze-rrT1qW-C$@B9-<(-RaUyVx;EIh%MqfqXkwn`-h#?0?h{iQS)%@L5haehinZzl$RdTq zZpon$tkp2R%M&i6Et+9s=R3+0#*3z;qyRXBR0qm513P;j{C`dkurnXQeMCd_(A)d8 zk%xEZzW4wbOI$+8VsNO|6Weq?f28uCf3&Zklg9$@M|?DEsc%wS5DV+ z+|EunF8^)(Rt6T{;^K9{ssP6~H*^;FPcP%|-ieW3#g?%*Q`=s2G3(&0_l-M`fUt4Qlf0@-GmeB9)eB(Y11~pW&?;=}H1xzUQBmoene{af8b)VlXKzZ!s^v=l`^e7( zPPc9Zfep3^(iFJJ8(ik#cmiyj1KY+p<|N0hRsP}Ld`Bn|Og2b@#y|Rg20IG8BMoDF z`_H}ctn^7-m(C>fg9A769`64HA-^+M0i<%id{;qzw6U|ZgS)ZQU^jYI82%zi%cCDOM~W)n~0<8x%d?@Q`>#IFm@H5OSE?+qf9W8UV^&0*CUonpdNFie{#!n#rUE zy}g>$X#vj+$N<~)xWR!BpF)478~hDmOO6qFK7)>xl~jU3wdDW@8uDNu5wHW$lFu^7JlYNVc=PlKth(uuBcl36d{@V+!DHFQ*Wl$^MP2m;V0PznO6}L>c2>kIqJG-e5A0{=VW1rtkzN?r}*ojSs z*viF1hHncBG(cd(kEa|pH8e7tmq2(*ZS>wjls z3YWEOHN~s7ygW8%+`|~eXnGCkQsn21SyE3SW$conl>2(@HmSxeY%M-`#!F9Uf^&ylu`v5xOaXElHX_N60ud=k|)7!GIM@2a^avtgzw)2WN948Uoj8gox3z9{ z%Ej~N9{+}|G^IXFp#_A%KFqBp6RAu4Qy-lD{yOQ+GwcQXd1ynG6*IGe+S>G1uo4_0 z)#x?CQz2wn?Q~CWno!#4yo&bxkg_sUcxI-*|6$v( zvN8l3dV-X~*Wh+YOH0Gx;+aD`fx&a2B2>fT%M!NZoe~EVwJ>krKK6Fo|NZM%`)BP7 zLPDgDw#Ly$Fj#mw4r>%smOky5vmtonv%}!@;s58=I$~5unmZ#!%hh zk?SBreH&6j^41>YAPjpbb0z+id64?(Zw`Ez?aJ9Op=mu*&+Ug?E; zx-ju!G7?`ey~d!)M_2TQTU&2gbo;y;}GK7`A{% z%#_6D6CYe}BcsXLSNGxCYX1CoHI*0UaVd%*SNmb46fmctX;rnIWt;8Qne&Eg6@i+3 z>5?1da!883iA;VeCtz!8J6UHP5l#0iNWqA*%X@}B{!s^Ctc+k2a1%}lGiI266w*_` z-h49@+wD^FDT=UBCFvLV2-o(XC@Q`0Hn@JBwCoSqp`x`Al(-y3hvy@S)&OPtvgxSQ z&lG*wxqkgRcC!o%OLk@^vD$0T&m`ZZNMAqv3YJ28Cptk*aQs3I0WE#@emkT8MfYjq zF%n=2iP$gK3JVGCK-@x@xXm>TkB(BBR|ow)gC~pKA%?Z?Kr!&fr-+!V|psK=W3ByW56a=@&6_|e=j6;ujw;pJ4WvNFeR6_z z6_mbxX5ZF_)kCx$xN(p4fBl$q1D3cIEN;Mq2Nyt-;XoIAJBu=YN@3I_6cNxer1n0R zi64Nx#+)aHXz#v-DNGg{+2SP8*TS*rXO-gc$yVca8!IhDuo%yVg@qMqB^I*ad84IE zXB6^Wg()jfw9ds-G?9GZ%?((3@v+5E@+HxdXz%m(`)oziPSMqV;)SzeYA{7aLsva- z94d@^{JQ#{K*L=*IY&aG_P8sF3{R5oGZ>P9fOq?Y&9wC*_{Lry9$+_UXluK?>6fhv zf-?*rgX}k|@>_UUm2rK0J7yGg*t99=l{x@PH(-Andf}KcTAXp0kzB|%czgw+@ zcVjG9;$$A9w0`mjzeN6R(ze@aKP!LOZ|`R{ zxW@~$ULj%OFN04-Emu_VLcq~R7_*{Us1Fe|dN9HkjDd3e%+nRGU$dNCeoX?+XIQ|_ zh?JF_KAp>2S2lYym&;dU$KpmqZuGu`y@ zCImo(;2EROlf@o&9x||zt0YJtD|8lC!GyuzTBAm{XP!>{M%N!0;i3!FUk&d>^UqU_ ziMi_o{b5{z&=N#tvof%e-BEfl%o&$g+F3gM^Vu%P#Wd=9IH zS>1kN{{4PyZ7|2+c~TUPUZK1j*Y&d3?CC5y6{TonNt3ko&~S8{cb(K8H${5n9+lvQ zUDcbxO5McgPqOm!6Iw1x6k9$75As@@b=CR4_fN42^5!iF*|)8#t6Ea|n}J+n!aVg` z&jKB3fT)Na`XD*017NtH98G1t&IZ{S1y53;-h}j3{?%_O`m8GcR#M*_D&XwDEv|=a z)L!r%j!&go778Vvh9dl6ZmVa;5FzFHp4zED#VcQjM|*g9Sno^AEtkXzh;!FJ>aB?^ zvHm)mym93qm~q(b7=z(lCAk~PB1Bp9&e+(hy2;mXK0H9`WfE$BTI?TL25JBjrSY~3 zE-v9!P)26_zRZXdAi;P0$oj4StAS_MzRTfYIu?3hO9`g89#1j!J$cj>TWl%&10VI! zs1U&~ft-w!2(*=W;Xo#_Fz_FL1;#XCh9N)1?9dRY4)|Xp6_9s2mseJ5oj*#Pph1F! zN!5T>0|rtq8WrmpoIZjE*#DTb?0*bcE)gb?U6D{FAu1~AAt4dbW!M)2`bdYvqlx!G9;Ve_Sx6^RrN_!=W#M z{|wM#!$37r_8V`g%E5i;LEb&)0r{3Ko=exKje{NNnu@!+IMlvWR`WMP4&=qu3qd}? zA1_W*>jikfM-??4Vw(>G!I~zd7k4P!2CikmYKA>frQO>Mo{c4yv)%zaG*BFwI-lgz zZ4{CLOf_1?IU_FbZlEn>w|m{~lMl#pxK!R0W~*f=@`wOfHcDS_I9T|LvL&FC}e(NIKGP1oZd zGTPh#_M4&Siy)@n+Z$_0XP8ZrR3SSY@Qb>>3~=x?d+aDFV4K)98OMkLm!g%*S)uC2 zz5GVsE0L?!=y2mj7H3T&dtq=Zgz<_3muV?0Ow$-#>^gbY<$JyKfi&=up!pAj>R!AX zsKoZHai{~-|2>=XdT~AQs~^pW8vyo;5XJlM))I*3Mm`Rcs zy>V(8_i;paIj%@-MmGF?IoE(EgrSThC)AMSK<*8G@B;4+^!~%~NlfXv`svkzf}-M*U(%iU55XzZ(C_)*KYv_|nA*G& zH|w{*D6i)mI~8mBx}cPc9$PP9!Uhk|HoWJ7>ny@%fW%7IntAE-^#LNn93@XG1j&^s z(-tor&1fZdfKwqrR^reA2&NBx!6Luc)QrPuDPVUCiSa>GC6#=9LnF$Z3-TdFC@G@I z-!H$FMkwK-DXd?R?<53{q^8u{k3I4A)fasD&pl#7uRHkM`k3xnl)OMuSjreqjAasY zP89SROqdmSpzg95YQO#VMW9a#h+h?Pf%pvL3Ra8sT@B8qA`k;LUl%pn3@U#Pky(py zHUui8ccd4CIegU?w{dfOh^i*9QX9r@@^a;We4+BQmi=4)oh_4|E};qAD@X5VFw*-@ zxcYRQod<*57%E(D_Q;yY;V-4$M%reSSTMfG4&zc zrXKr+l2sQ~&g1u|m{Q*zYw=kG1DE9MArO^|+iI)jS``GcfZ_JMMNq zsRwy8)k!I+2k1QcJtd3cyw?+{H2e86#Q{s+T*yre^uoBdlzJzJl!9F380cDS=zHBC z0J_HGA94dLq|hI(Nt7*jHIEZ&z{-#Bk|T+vm48u^>qL}0QkuBC?*T}R%Kl&nq!FAP zH%yzO@0O#~%4$KD<;lV8PM)y}`|HLLhtGf7p03kWz2XH#SL7#@@y+yAXv~t_cseWc zxAH4nhEd9CymqNhix9SuP-U!>yfJM0!WB$;lpZWifM2*;7uMoNEL)%s-~S~za4Y;I zU3KIaM5Z|gOFi||;dcF4`ud^N_?`P8syw`f;J15&P3^l+w?`uR^Xs+hPjTExSyKe; zS5G;#h_tn7?nxF~DB$3S4Wv#6G*Q+YSu>FeWfjcS8xoI9Lo_JbaYNE2tZ6*){C!&6 zT}BPjcAKm9LP(#C(2RL4P^pKHk>Q%ZZA2~99?R?{LbI({pl-sRj8q=qJ8ek;-?r$r zzv}?p!Z_~Z%?B%3IU1qfOq0(uT_=yr^3qUIDC>~)WOMF895K3-OPiEAMtC#c_YNZx z@o+JH);k9)NAh5(wp)t=n|FG2UO^_g#cEwF1 z8cU}hW6o8bzSxorO)Ps$=22}j2X)cBfZZ0k2980ww)2SSSe#Zkv@kz`>^;8huQKbN z2)Elp1oIOdl&jyuCgxpiKG#4CdpyV3Y4|sLDD)|u`H5}cmrttWnX(rIrI~W8V1qDE zLzRdH;;?mD_`>i8$rN`;$9CP&+cmAvS8w_p%hoMl;i6q&I@{=xE_7BeE5#aNTsS{& zx>!SNsWG0CJ6I3%Q#f31y!TQf==}jjI3!W?3FJ_KKuHA5Eg&@}MDWB{K+*05r;wqI zGb>)#?rT;OOm6BA%1>B$5&iVDTN@kN473a?*v60Yk0@tsy!FY9*^tH&boeDlOrP(0 ziS_GA#^U%BW6kYRJ4ll0^91F0gP>1;GUPV17ZrMP1*?j6w65!oK>UeIZ-%3@t$pL; zxPG^6ZqoH_IaBW4&Wm$@>{bzCf~zCuKBU~S5Q1=qYmjvpp%|5rA&miot7fuHxiegA zxA4J~{E1CX$RHUju@JD=&Y^2!^7(K~>H>sAc@9ClKv=Zy3DQx20yH+e@)Jl5nYkZX zClZWRl?Hibj!2xps}bPY>Y32Yu^= zrDFvvF0IbqKPJ2+f_y880zs$m8&(rGO<@rTsu*;Y@RyKSh>wG1UhmxV0z0#j?dr%> ztg^Y|oZO3xsOPQCVIGSo^7;9GQBZFxOXiz4_bLZg7ki{51<~=5_i%I%cxwFp*WkLWfPA zXRfEb&lOnjQmp5lZQIKWO{+8V;>JJFD>JkCVIuNQ4i+;VO%gInUxD1bUBx~+6=Fkl z+Y1){rRQ-NA7?q#zGWZSU9$*>8AD-~DU%Z)6COyAN>OvQ!hvgua4#)G$Y@FNkL{T* zR{T6SXXmzW;WS`N2RwQ+nG^;ot0{3bk#~+M1vzj*AlzmM{4Q<%q!6$KrMg{F7QrVg zK(R+?z{VJhS6$`NNB8vcu+p5=#mS`r&sv|nPZPF5Qnwb0$(;PI)J`b8ioifyTk{sr zti<;225qQr2tYHj3oKYjj{<{2)wD7_P@s)_hCuy|1O!*Ad;RpM@~mlfLos8CuX(w8 zx?0BWyzaPNz2h@d4a=9cXGkbC9>5lkgvi%F+(dNq(H(6-1pO%uDw1_}(D!du_l=jwntH8R3FZZ5d=<9 zN$0dl-Vti%LgEyUw?m$8U3z02oybYTI|gGf+?oVAINNHlDB+N98Nv}-^bg&~w2@&& z71BQ5$G~thkDf~4RBrJ1$-)#V(X2Y53Mq^>)L5?B7bm)Hj>{Q05!H~5 zvtq9hHk;)4kUO(=$2=YDY@`mf6f1FIw97B}sDV7d2A6;;W&}I)%N?nfB9E4@?|o9M zyCxA!nT35Z0wGgJ5nT{__0ObUl|Vp@EE>5Bz6c5h5eI|f9BcmH!YIJD9BV>) zqk6f^a)5vZsZYV1NP*$zCmp_Vek-q6@kCb>Y0z$=mJk34v*$a`7U<8J8%?OJ@jz8~ zxTv*Q(RMK{#xhjRU2(dncE6cKKDk%AWHjAxKC*+HA}R%SVf*y`jM83NQu%ZfR-XeGNthaWuL(pD+Ml0KHL z(Nq-agjiV=BR11PO{sfp*taQDFqSm{=uPjot_GKxph;$@In7vk{SUzuK0cwMB)UjV zv1c`YC9m+Vf1~bA*&&n8+$rk}{VY{v73&BMd16Gn$4U!)0aj$MAuO&IN(1(oWBLcI z*1*mf!g!Irl=uknsWlIh+yM-MmGjR4_=^YGi{%>o_n3bN;(&$z`@O%T?S1M4;KblS z@G1B@_!Nxev<8l0ejsA`&+33tcCKz=a|YQ;>X%i^vPDaR=K z$(hp$D6KXR=o^6cHya3);Hocyp12lZ3jjL-fW&?S0?1xH${oPCr$9_09-Q>~jq&zu zLrg0MOdY^~ybsC(mvJ~l>aY($O1D{rBLE%yF$533ywLQvRV=sg-?(hNV)}tDSJcyQ zul+~av0iZI6@rjeXyK&_pTGtnkgUDl>&Se7oJt<_GdF$l8oEX#{vALdm)W*u$@LSz z&-R{|9%vPoQ359ZG9?zM8&=Inz&)S1;QRCf#{=MBEtXy30AS)XM&MR-fNBPyKuZYu z7l2Ly0_HoZruaTcqyaxcD3xe=*}NmD$T1M;9?PpiI_~qcqv`VZpqdOQLWrY(Iv=o? zBVbRMmJQbkE1lInal`^*Ji&+$LIs`YM>W_eQ2FTjCFPa9__Xua9B>sh-_pMhHb43L zim1%&Zs+d<(B6+8q`-o8mQZlfb2s=y1W^7abMZHC+JHBkHTDAfT1^kV1rTLdfK$Bb ztFs-Vf3}ge-}G z=2_^P_6J0V7I)^z=zzVG6*Apb>6i^IM1 zOgL?)__g`z62nEAEoJ|{Ytx(pP8)bT09qE(k%4jUUIvR~?E!Z$=kz+MG3?h0$fGvI z)i?yI1145L{VPy-ki~wh?V}I)8ghd;3{bsiy?DCZYI%}oUa~|!24TR|+#&rmhSrqg zy#O`H+PfnOH>#TE3w{(3eGVd1?X~wQ;8RJ&3aY^3Q{~kC0zlj1FXdM*>x-p@aCrhO zvBLigcqtR)1fRZwEvJx=u~3h<5>ty;!L4=H=r*UKFK1Pj4)zF__mASt!0wWuL^25^ zXrQE5`p=Y4fI?2;yJdpXOx}BUsL?oKN+IiN7@KVl3`b#s-M$%!!K#kVP0*UA)}v(K&%fnOH}7BrUs zUvmro0#*~)(#y|KcKr3g1pgiV=d(-O%*Xye9r4%Bg3)y0n2i5&MDL&TVY!Cng33jD ze~uO)d2B^qufQFXBL3#ypYf95OCx|6De{Pa$%8 z`svbG&8*M#1L_Z1F&F09Pe+eNbOG}C)!6p$t-0Zf8Aza}4%&MWYaZ(--X`zTyZ+wn z9PyXnrL;L$3s;+v)rIy4W*tE4Y{2vP+?akehC!D|T)g!Ij{jE8m=UO0%$@${=5YL% zGsJwIUVX05<$SkmKT>V@&n@Hov|pTCi2r@KIJ4k={C%!}H%aiLwNR6P9z7VH`})q} zgB0r$k5C-c!Xj^zh#{K>oG9d+=OzYJ7v*mh27Y2S`!}$nfdqm+N!;K!1+TGQ9T1?5 zfr>O5QfHWyc&`sQ6fU!fjZpo0pdx0x4rHjR>A9Z0R7u4k>@x+0V&3-Bs_$)Y(_+5q zk-+iN@*nXU1IU)xTIs8`s`jhJE|4MXg!56dVbLfi`AXVmEa3khJa|Ag609oU$$_JAkbg}&skB61$|Vs>wO*2ZH0;{ zH)U^z^2q0;6@z3Y<@!{q2+may;j9%+3`j>nSsBA)8Js2y80})1GKBLk?at$x=Edkr z>Dv8*7(O@zw{0@oex$-?=SrHBLhS8`l9CcYY9_>$=K62K===d^qW9v%3T0ZNt}ap1 zPgcm!d#y4eh+|I2>9}iQ8pAE2kIpXlahoHp>%p(MpI*K(2BHx9=-0?75*ceeACQGS zC9fHKXp5F{Dg8`S9(9;xwO-=)_5Ia%i991J?@CL-p3ko|dC!(pMzlNHpB7u}T1&Zq zul26P8J-WnBY0viiX{=K%^R<+vk`thTDR|<`Vz*{;3*_`3%B)0@z=U!Sr)qkh&NczXQr*ZHG@67zO?U z(G6|+7brWee0Ut_p1@UI-ZS>8FT?E|zvx}W$c*(O+=yggF}6is38-b^tmS2CQc?~L^(ZS2f7MQM{p&stx9@$u>o)DO;WadfmNAi zvl=hpWu~uD(Ss2OPMZ7sywB3?>}thuw7+DY#N%rl)1)!3#ORAK*Med|<*gEJVv~3& zx)p-Tkxw{Q>23AQcUxC&42lp;Ng?HX4%X^4^{b7 z9Y;HRc$MkB0tP|JY9=9KeS*VYQC1}8nm<9%>*bh^TI8?|Qnl31p>)%)(sJToaCOvBsJ+Pch%9n7@f_zjkt-iZ&!V;_$61*xpWK7kfd;L z4y^OyDtdRJv`$G<^}JiR@2rUFJi}AbDVvWWwxPejO%hUKuX7jW{=w5cM?0ygOIL~_ zrU+smPVB!F>h)?gmM>ds#=^V|7zh3B1X&L1S&OYZ%6FJv>XVAhs1_ie`#2V9Br%3; zzrg!S;4)5kg;&Kgh9x=9!Ga$iS~4uB`;+uYbIp^p4&kw-h)(bBT#(RLM#QEyCqc5~ z9o~j<>}SA=rup63J(r;)B7h{(=4aW;9EgveH3;Eh5_D3{jANul;cGBf^;M~c6ELo0 ze>@K@ITO0i$Zor~aYoEEwU=Vaid98Y8b|yrSk>IeDQ<;i@{!Ehp@4ph_1re zW`#*E=N8A-sSG{hVhpj_jZeCkaMxbK>`bYs>mhHi@fU^HcUl?pJdGnS_+mRoM!Ux9 zK|rKbm&^c(BGXRN_@r0{!d4SlLM?Qf=`@%ubW3R3f^W<8^~Ono^Y9cX<%lFGda5d# z9xq4wiDW%-$tPDNXCk%J3IBEQY0t#*x@Xr-fb6cp?c-oJs`%_5$usbb*RO3fsZ`c6nOv*7HAa7p)vEOy^ab_zqL!kY z695VIKT9LpHG=Y!dZilIls&Zg4#HIM5j<5;*# z&^BfpFQi2)bKfNExRok(BC7d=NVrGTf=u|3Htzlx`659|cdn7F>v;e_qJcH8Mc4^0 z>C0S~6E}#bU!?}?5=J5Q_=(*Hv>K1iu=JRa8S&1~jp|HU7N41i1qTSf>Mx!PdlK)L57t)j?QeUkk`LKZ=t~yR)V;ovyj22F7 zaDLLy@+xg({Msrt}Z7%%5KTdzPhshSCs}I{?ncdH$qfR~HoAcJs)3T5u zl3RFH(;b+$Yj(_y)H?9z3^P@AC>YXit>fV;VcOaBd3@ZhQ^b+udhW~Ce$Xq;XU!l{;I8ar#(Nt2tZG53n?wd|)j+rV9jnmzO^f^|e zK-9{?>M<&r*5$W+mAUtPFYUKNL6*_$*lexbR-sb4J?-N%RXy-K*u{X14LiJHXL<^rQ``|lIL6m?j~;M-q9oM_?6-4G2t1A7xq~gXRe_L6(lBGFlh1SH8pO#A zCL=1#Y~S>cU_xSkY&geObg;@^djWShfH@$YZS{CV*ra0kr{U@ng)Xk{(dwYG`w%vG=8eK+~y-G1qZ1}|MH;(^ecT~?+wN5Ov4hO~6Qua?% z)n*kR!M4UtL}lP0DqS^+wO!IM(NK^iDNL;%%R<3m$8mc-xPlbYAYwi8lM&*us9R~q zD%Com992q>(ZhAbN0Cc#>j(`a2+3-=x*LnW2&LqlB_~aNTW@>;0xE!x`P*P;?kXl^ z6ps1`IG9!mA-8+OBmkzaJ`aosA|VkUX&k4pDw#s>qO zCf@K{qb4W&j9^Eu##bG(y1hBDs>YSbSD`q@ZT!Ug($lA`^1L|J)F%48yzd5PeJkBG ze@v&4P!HHxKC04y3k<3~8O;oARWRbpo3mNp-CY%XmyX$W-cZ&8-tMLK>BmJZ7ycxV|0&R2_7f3JUgX3%55>ux=Qo*CYRYdZ_Qw`u zEAVJT)EA)(^14Ec6!)Jj>-C@>{2-8lDQh?8O8?r5yTK9g>B<~0e^lupcsLo#-Ao?- z7N_HWeD(Ap)%GXS1A*{2xl2;jEe-w!qg7f8v}Q^b08=H6F7JVZgJWMzrxkQTP_-Y?Y! zg35f=D5&a_di^DxHQ<9fkT?GJN%a-Ws%Wy&q9P-Z=%vtHgo_nVz6wMZM(Ee;?Y_}x zKRbALUw4ONK0qmF9F60&`dfJ=znNL{lX|hy`EnVLc#slvy9eiR;#ZzwuMobwPmK%c z5BRQE2RQt}Y01}@PRR+)kU~$Hu4$|V3l6|LqC2i;jsNPIfOwv)!mCQ>_-V{$Zq$a# zqOHr+fZRS_Rf;hL{oAUu(@=q;Z2B&;jTpBad8$!B_C(&ku%6iaC8~lkQXd2Qp*i@( z9ij#}1!V{)Q)&`u9>gyr8XGt5Yr6&paZdZkpN6kP9!C<2joe-k4jxbqG`0dnSBQY-5C({KB(^5ngPzKRc5w@xq?ni2tokX|O@e$-r ziBkC7iCxRrdTwvMiQ(0|M%i%s{qYd+oi)0xM{6XW(-TU^=RLX30 zyvkbHM=#eV+))FKR$OFpm>()ySH*APFbcMx2uaKVwuBg~qc~4C5^eA#5i&z?^<~_9 zS7Qp+LRjy z!EOB+eLAJQsE!m>vpDW}37Hsb4wo;7)>svXk+8zu_Tf50s=jg2n?-%>sLi5NS?T(u z{&l)FM|7cNnG9E6;Z#~z6mHRGO&)od+Ut!{UzneMl$Qa&Cr<-EH^uQSl`~B;93@AsBua3)CQDRkIL}cXwI*UHzE&u-;9+)EgrZI=J#p1d4$ZLyl(

gWH8n*X&`*#p!5emOIb~ z!u|!US{Z-NF@pxu%`R&}_Cbi{)ZYD7*@T?myU&A)cch+w^6wf3=v&L9f3dj8or^i& zUnA(Ob8Dxidxx{!dl>>jheKPSLf|&nKbQ0mWcdG&C7z0SeE<5PbV}S;_cQ2>d5%`_ z!?`i;(9wRfaisYRLi-myTMxGeO3vxg*5kH>=RYcQ?1T2dQfP{Kp&~CHt`zF_y3zeQ z3+R+`-9<UlBmlXTQ=ccFvuc@dYpVI)5C1(n@Vs|D0Sgw_IIUk%4mVD^}3x zlsEZZ^X-41x!aYHT(O1^J4RzqX8t7eAo&xh9c~YJ_dEyPWLSTJ92S5sEdg3e zYJ-Eq)Z;^mdX|Ra3P_}-wz>mysckl>?6YqhiFqz|gCgJr&covvz%EELXt3tPwWt7Y z1~Q}=D)5Y4L_qRu<~_@g&7Mm@$9O-rES`)8WLS1Szo;e99pDKW_Mvb9;O@EtnS(gV zuY8NVN1)ete6Vhua2&OeQ&FJaKFGfcuA=)6naH5j$hcn&a#uj_tNu8f*4&Ap(Z^*1 z{uqb*mK-68#bxz%K0u!9n0~N!uZK2Z>AwScs?>Vqn%gJC0%I(Fn?9K2vUps<>~E1{ z0DN51@$P{bc;I<)wx1`u?_yo9#kpoI39`G=4{`JPaax<2D7M4^;8O1>C1%%Hn9MBX zDXDX7j*N&__l-%v5Sr{Za4~Ig()U#74emW&fq)hcTV(4%?|kSAsypph#K#lLKa4Z6w=ZRa z-V)$0cy$3XaXjukdHg_fiN?PQ^l?nG55kBhj%aD^Xv&Au09f(%#378c^=9yp^HEFm-L-hjNoFj^qZ!% ztQC?Vmk=$I=tv!{)Q=K_6_u0e4Ti|ozllrL4pj&)$&aHF2p7}kL+aHd<`ur^k!RqN zh=kFUR?NZ@`{BoxR)aR$>YPQhrGQdk3aP;o4rdMgc ze)4h=hLa@axJ+YT2X;grWFBisuf;-*g3rKxyJv5|M4s!T>Orp1h(kAj?#TE!k7aBW67*LsEXqXN-r$^08cb10mf>V$EK@XKFk(XXXVbfFHGLJS z87)&f#$X;JHkcfHG8jYWMe@JE@^S%_{=Ba9otF1N9mBExoqPv}=Mq;GvG#AWym&ug zPEvd(YK@CvlEs?28h|`78j*I=#xr3_a_P>F)@Bv7T?M^(ev&>=`3E42xUwR9wp*_9 zvNBO@QQ?t?SiuMKf^Pel$>tSIVbWf(5`o*yT;Vom0yEm$zqk_RLls<=>-mec!n-+( zj+%W3-ZEn6KtJUn5uFNb%SGGb?F=&Al+2TO(FkJ8IFgF$fNDjUsHuKrJ{E+BIti{- zB*8Y#yt7QRP)8)HNthUjwdMgQxLPO0$@D`+uKugbIAb&yfXl86al>gjCy8Z#VC%({ zS)Zmr^~eWJ?(>=v6=p&`Z)w10H2U|Uj1cpxC=uX3OQ4yG_I{UFL~y^ zovs=T58-I^mE?83q|fkustNUPeufdz0}VADB!~5k>P+_wVq^+xoq;jjXvK=}p%4nG za=X7QlEbdSF0@iJD|1)U5mhvC3^bk;5Ob8#)IVHT$g;J z__KyP*h05{NlT+>@1QA_zGnonJduB>%BtFrgad>)E*$}ZgF z1W~(i%Zv1#Gv4R`~5Ei7-4w$0oXOC#b4s`W70?bqT`$ov)l+g0jc&10XO04>% za67h1AugT9)39UJEhYEuGWq_mzSRg(0gc@s8w1Ars=K*-bc_OyZ**+p3;gYk^2>h+ zeyelMk2>zBmC>bYsS*0)j9(*nXwAOFtdxq>>$7|+92c^03ND~J-A)Bvq@jgbYV3y- z3#Ip|=gh}_zaIc^ccg`0Hl+7@bUi%tm7Yqy2bq_cbMdftstwJ|pj{mIdKJW_(IHK) zXVdbg58QOnk~4Do&X750-EMM)U`$52`w&j%w)&nF8AT&W{|js}-}@QFCa5>gg{wxo zvP_?6$||)c2eHMvISAAt*S@7!+B+}!GIYwp1YS*?*V&Nq#;rYrz}dtViuAa2q+1NC z@{VwQ8h0}UNbDxmTtw8{gt=-QwAO>4y;5<0N#3OO0d>VUa##qmUUtohwdmWHTY~va zei*4s&7p!~)f7Bm=?Ne2?SX@cO%=-|rZ@&C)@)syjIQ%wzwy6Z+>(h1i_?stB^#3U zaAsWHPEvdOJ<2VC&=2?%n8MmXU3{ir5C=*Le;>6G@~G-|r!ihft-p}eP0DX;JW@*BO1Z{5`o=hp1Un}#jWGnp$%HJHd^*5(OU+ejWDNB+Di@$%r;j=0D zt-RYin#cPe8InIGj&V%Zk&>zZVJinRg-spaTHx=2Rplr@S7z4aMyF69ven_*0v);q zKfi-RqZ~s5dh|{Sv)wt$Vg?|~Fs0x?1oNisv8i=tv{%T~+#!6X;^tC5uHgCXo{68( zm9o=8{OIdJ+6t2-4hQv=-d?iYMGY$Xplbdg`A}vBo{wCilY>}*|I)eA#!ze;?@SHC z!Ph17E>5Ws$+8a5!*Yn8u?b=kH%^0yDio?K?@ObIpUsg2cVq~KI?FT_=@jc{9y*bk zeGzqapzXgBu25vfda~jk#ChAH>?kz+k&>*lGk4F3Z&aKkzKZwcAGH>M%A25Q{;iIC zW@POm)CSH3f^C+5GeIUc2D(PqAP%v*2`uDcIw7g}h(|GY+zL8UQ@U1wBOab27~=X1 zE^QZgf-(TQO;zso1KL&P`s8W&h+NoUIJSS*CnQcQJ>rRQ8$Kh##t7ds28)+rm1<=Kb6hQ7H>qvTyh z71Gzakg=)JU6A&ugp|$w7e1~(k_s!b|7zL*H;-d{pdE;>_?ybAs6#lYHj})l0K8NO zvC(Z$2|aT<8wo7B!^~#0%|2X-_WNus646b}_VwYG;@~?vsa5vKbHKK*PJGf)lPOH- z4z-MG1W)XKN~HW(;55rPEVc{-QTOlHV?*EG`L8IY7mK8jn{lYdU{!_c(k6Mt4Mqlj z(N~HPD^mTjh|Z$f*RvAu%dlg%PjFe53yfFxkz7yeAh|@78igj_{Xvr;Y%}*@79mp) zWl`DF&Vq|RwO(Sba{JZ2p9+4n?5yZJ0M2H(XjU#{)AnxSC{)poJa0IqfAfQpLT;*~ ze|0hiE*hp^-vH_j2_GH?ytU{V*C#lZ!);lg*W9{^{&L-h*OH;6$7A7;KEjzf?=#G+cobZB zI|8{LJGoLQcVN)dX``UEpYL6q_1ciQ76+f)MhZvf{=Tqp^(GumCnE1}(E0{Xp82eu zM1jtaQbEQco6m%y&a&$|;)VM-VW>#Ek>(?tM(MY={cs6-HT6WrO)7`;SToA42NZy( z$Zi9*F^aBB+(d+vEz!=GgkEDn(Us}h;BcZ0PWM&Y@0vb*Y?qz%rtjgn*u#f2DY)y2 zE=e!w@9N$rHjyvioVA58P|0wWId)&w=H4w|TZ4C;i{f*cbP=bN2SOg$m%0DsPnsU% z-n5TeEFs8CV}vIPmJQER$xjR_8~G~J^*g!Pl;EXa5p_Ra73t2*W{1zpY{BBRcDaH` z()hO63-wZ+>WdHyPd&>j>)~0C{5~=YszlhO@qJ+5B6AIrZ`DIacar2@@8PT)<}`o) zH*VNfgpKgC2Vq76bCJK2g?>1KkN+rHv0UMWGiXpHA1GI*54+MY@q|n94G)rC@KoKe zJ#)6l>GBjoOn8{G4sCRG#%i=s;8#Nt42)r1fItZ(=YujPJ2RJuoqiHnY2{>R5Nr8> zb87OiQ^}M;OfRdVpcjq8AyjtfkWbzNT@E^6-|E|6I^F8pC{wk9GBlr4O ut@XbR{NL1p{SVjj?@#{sYZ0jYZ87qYB>wS};+I#zKV^9hxoVlmFaIBY(T#xs literal 0 HcmV?d00001